Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH NSS_TLS13_DRAFT19_BRANCH
authorMartin Thomson <martin.thomson@gmail.com>
Mon, 06 Nov 2017 15:15:55 +1100
branchNSS_TLS13_DRAFT19_BRANCH
changeset 14132 ffea4d7db357b1991f696f4ed02b73df76873a99
parent 14091 12b9406a5c6707209322378ae8c9af7fc7e8d809 (current diff)
parent 14086 72ddcd9b1621dac3571bb228dd49f244b21c3549 (diff)
child 14133 fd1de2519693cc8e758518ddd749252a7c068538
push id2893
push usermartin.thomson@gmail.com
push dateMon, 20 Nov 2017 23:20:16 +0000
Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH
cpputil/databuffer.cc
cpputil/databuffer.h
fuzz/tls_mutators.cc
gtests/pk11_gtest/pk11_ecdsa_unittest.cc
gtests/pk11_gtest/pk11_signature_test.h
gtests/softoken_gtest/softoken_gtest.cc
gtests/ssl_gtest/libssl_internals.c
gtests/ssl_gtest/manifest.mn
gtests/ssl_gtest/ssl_alths_unittest.cc
gtests/ssl_gtest/ssl_auth_unittest.cc
gtests/ssl_gtest/ssl_extension_unittest.cc
gtests/ssl_gtest/ssl_gtest.gyp
gtests/ssl_gtest/ssl_loopback_unittest.cc
gtests/ssl_gtest/tls_agent.cc
gtests/ssl_gtest/tls_agent.h
gtests/ssl_gtest/tls_filter.cc
gtests/ssl_gtest/tls_filter.h
lib/cryptohi/seckey.c
lib/softoken/pkcs11c.c
lib/ssl/ssl3con.c
lib/ssl/ssl3ecc.c
lib/ssl/ssl3exthandle.c
lib/ssl/ssl3gthr.c
lib/ssl/ssl3prot.h
lib/ssl/sslexp.h
lib/ssl/sslimpl.h
lib/ssl/sslinfo.c
lib/ssl/sslsock.c
lib/ssl/tls13con.c
lib/ssl/tls13con.h
lib/ssl/tls13exthandle.c
lib/ssl/tls13exthandle.h
--- a/.hgtags
+++ b/.hgtags
@@ -1585,8 +1585,9 @@ 4346b9e3b7184975765f705805e54396cde5d7fc
 bdf702cc0f766757d8221b1bb9a8a5a12f0183da NSS_3_25_BETA1
 2c9ec9e42631adeb82ee486a373313df9fcc05fb NSS_3_25_RC0
 98a35207af80f780de09b5e67570add9ca4b6e7e NSS_3.26_BETA1
 2530cf04ae825a678b2917376e50df6cace2ce81 NSS_3.26_BETA2
 929f77302ec909cbc1cb1d340549cee91d8d10aa NSS_3_26_RC0
 cc982d5a9904b9ec478eced92a3eea8ee0ee313a NSS_3_27_BETA1
 d36a5c8225914f92c12f8e182d83f5b4727d327b NSS_3_27_BETA2
 06ed5314230a8abc5436bdca2cc79e7de7f2828f NSS_3_27_BETA3
+32c9bbad265504522441f601333f0b89861a15d1 NSS_3_34_BETA1
--- a/automation/abi-check/previous-nss-release
+++ b/automation/abi-check/previous-nss-release
@@ -1,1 +1,1 @@
-NSS_3_33_BRANCH
+NSS_3_34_BRANCH
--- a/automation/buildbot-slave/build.sh
+++ b/automation/buildbot-slave/build.sh
@@ -251,36 +251,51 @@ check_abi()
     RET=$?
     print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
     if [ ${RET} -ne 0 ]; then
         tail -100 ${LOG_ALL}
         return ${RET}
     fi
     popd
 
+    ABI_PROBLEM_FOUND=0
     ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
     rm -f ${ABI_REPORT}
     PREVDIST=${HGDIR}/baseline/dist
     NEWDIST=${HGDIR}/dist
     ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
     for SO in ${ALL_SOs}; do
-        if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
-            touch nss/automation/abi-check/expected-report-$SO.txt
+        if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
+            touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
         fi
         abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
             $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
-            > nss/automation/abi-check/new-report-$SO.txt
-        diff -u nss/automation/abi-check/expected-report-$SO.txt \
-                nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
+            > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
+        if [ $? -ne 0 ]; then
+            ABI_PROBLEM_FOUND=1
+        fi
+        if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
+            ABI_PROBLEM_FOUND=1
+        fi
+
+        diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \
+                ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
+        if [ ! -f ${ABI_REPORT} ]; then
+            ABI_PROBLEM_FOUND=1
+        fi
     done
 
     if [ -s ${ABI_REPORT} ]; then
         print_log "FAILED: there are new unexpected ABI changes"
         cat ${ABI_REPORT}
         return 1
+    elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then
+        print_log "FAILED: failure executing the ABI checks"
+        cat ${ABI_REPORT}
+        return 1
     fi
 
     return 0
 }
 
 test_jss()
 {
     print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
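Review bot: The new `if [ $? -ne 0 ]` after `abidiff` treats every non-zero exit status as a tooling failure, but abidiff returns a bit mask in which detected ABI changes also set bits (error and usage error are the two low bits). A library whose accepted changes are recorded in `expected-report-$SO.txt` would leave `ABI_REPORT` empty yet still set `ABI_PROBLEM_FOUND`, and the gate would fail with "failure executing the ABI checks". Capture the status and test only the error bits: `RET=$?; if [ $((RET & 3)) -ne 0 ]; then ABI_PROBLEM_FOUND=1; fi`. The second `[ ! -f …expected-report-$SO.txt ]` test cannot fire because the file was touched a few lines earlier, and the `${HGDIR}` path expansions are unquoted. check_abi starts before this hunk.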
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -189,16 +189,18 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
     CERTSubjectPublicKeyInfo *spki;
     CERTCertificateRequest *cr;
     SECItem *encoding;
     SECOidTag signAlgTag;
     SECStatus rv;
     PLArenaPool *arena;
     void *extHandle;
     SECItem signedReq = { siBuffer, NULL, 0 };
+    SECAlgorithmID signAlg;
+    SECItem *params = NULL;
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (!arena) {
         SECU_PrintError(progName, "out of memory");
         return SECFailure;
     }
 
     /* Create info about public key */
@@ -206,21 +208,35 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
     if (!spki) {
         PORT_FreeArena(arena, PR_FALSE);
         SECU_PrintError(progName, "unable to create subject public key");
         return SECFailure;
     }
 
     /* Change cert type to RSA-PSS, if desired. */
     if (pssCertificate) {
+        params = SEC_CreateSignatureAlgorithmParameters(arena,
+                                                        NULL,
+                                                        SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+                                                        hashAlgTag,
+                                                        NULL,
+                                                        privk);
+        if (!params) {
+            PORT_FreeArena(arena, PR_FALSE);
+            SECKEY_DestroySubjectPublicKeyInfo(spki);
+            SECU_PrintError(progName, "unable to create RSA-PSS parameters");
+            return SECFailure;
+        }
+
         spki->algorithm.parameters.data = NULL;
         rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
-                                   SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
+                                   SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
         if (rv != SECSuccess) {
             PORT_FreeArena(arena, PR_FALSE);
+            SECKEY_DestroySubjectPublicKeyInfo(spki);
             SECU_PrintError(progName, "unable to set algorithm ID");
             return SECFailure;
         }
     }
 
     /* Generate certificate request */
     cr = CERT_CreateCertificateRequest(subject, spki, NULL);
     SECKEY_DestroySubjectPublicKeyInfo(spki);
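Review bot: `SECOID_SetAlgorithmID(arena, &spki->algorithm, …, params)` now makes the SPKI's algorithm field point at data owned by the request `arena` rather than by the SPKI itself, and this lifetime dependency is not stated anywhere. The same `params` is reused for the signature AlgorithmID in the next hunk, which is also undocumented. I would extend the comment above the `if (pssCertificate)` block to something like `/* Change cert type to RSA-PSS, if desired. The PSS parameters live in arena and are reused below for the signature algorithm; spki must not be used after arena is freed. */`. CertReq starts and ends outside this hunk.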
@@ -251,26 +267,44 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
                                   SEC_ASN1_GET(CERT_CertificateRequestTemplate));
     CERT_DestroyCertificateRequest(cr);
     if (encoding == NULL) {
         PORT_FreeArena(arena, PR_FALSE);
         SECU_PrintError(progName, "der encoding of request failed");
         return SECFailure;
     }
 
+    PORT_Memset(&signAlg, 0, sizeof(signAlg));
+    if (pssCertificate) {
+        rv = SECOID_SetAlgorithmID(arena, &signAlg,
+                                   SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
+        if (rv != SECSuccess) {
+            PORT_FreeArena(arena, PR_FALSE);
+            SECU_PrintError(progName, "unable to set algorithm ID");
+            return SECFailure;
+        }
+    } else {
+        signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
+        if (signAlgTag == SEC_OID_UNKNOWN) {
+            PORT_FreeArena(arena, PR_FALSE);
+            SECU_PrintError(progName, "unknown Key or Hash type");
+            return SECFailure;
+        }
+        rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0);
+        if (rv != SECSuccess) {
+            PORT_FreeArena(arena, PR_FALSE);
+            SECU_PrintError(progName, "unable to set algorithm ID");
+            return SECFailure;
+        }
+    }
+
     /* Sign the request */
-    signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
-    if (signAlgTag == SEC_OID_UNKNOWN) {
-        PORT_FreeArena(arena, PR_FALSE);
-        SECU_PrintError(progName, "unknown Key or Hash type");
-        return SECFailure;
-    }
-
-    rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len,
-                         privk, signAlgTag);
+    rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq,
+                                        encoding->data, encoding->len,
+                                        privk, &signAlg);
     if (rv) {
         PORT_FreeArena(arena, PR_FALSE);
         SECU_PrintError(progName, "signing of data failed");
         return SECFailure;
     }
 
     /* Encode request in specified format */
     if (ascii) {
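Review bot: The two branches that fill `signAlg` repeat the same `SECOID_SetAlgorithmID` call and the same three-line error block, differing only in the tag and in whether `params` is passed. Since `params` is initialised to NULL and set only on the RSA-PSS path, one tag selection followed by a single call does the same work with one error path to keep correct. The non-PSS branch also passes a literal `0` where the argument is a pointer. SetSignatureAlgorithm, added later in this commit, is a third copy of the same selection logic. CertReq starts and ends outside this hunk.

```c
    PORT_Memset(&signAlg, 0, sizeof(signAlg));
    signAlgTag = pssCertificate
                     ? SEC_OID_PKCS1_RSA_PSS_SIGNATURE
                     : SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
    if (signAlgTag == SEC_OID_UNKNOWN) {
        PORT_FreeArena(arena, PR_FALSE);
        SECU_PrintError(progName, "unknown Key or Hash type");
        return SECFailure;
    }
    /* params is non-NULL only on the RSA-PSS path. */
    rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, params);
    if (rv != SECSuccess) {
        PORT_FreeArena(arena, PR_FALSE);
        SECU_PrintError(progName, "unable to set algorithm ID");
        return SECFailure;
    }
    /* … unchanged: SEC_DerSignDataWithAlgorithmID call and its error check … */
```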
@@ -1178,16 +1212,18 @@ luC(enum usage_level ul, const char *com
     FPS "%-20s The nickname of the issuer cert\n",
         "   -c issuer-name");
     FPS "%-20s The BINARY certificate request file\n",
         "   -i cert-request ");
     FPS "%-20s Output binary cert to this file (default is stdout)\n",
         "   -o output-cert");
     FPS "%-20s Self sign\n",
         "   -x");
+    FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
+        "   --pss-sign");
     FPS "%-20s Cert serial number\n",
         "   -m serial-number");
     FPS "%-20s Time Warp\n",
         "   -w warp-months");
     FPS "%-20s Months valid (default is 3)\n",
         "   -v months-valid");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
@@ -1511,16 +1547,18 @@ luR(enum usage_level ul, const char *com
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
         "   -k key-type-or-id");
     FPS "%-20s or nickname of the cert key to use \n",
         "");
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
     FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+    FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
+        "   --pss");
     FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
         "   -q pqgfile");
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
         "");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
@@ -1688,24 +1726,28 @@ luS(enum usage_level ul, const char *com
     FPS "%-20s Set the certificate trust attributes (see -A above)\n",
         "   -t trustargs");
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
         "   -k key-type-or-id");
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
     FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+    FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
+        "   --pss");
     FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
         "   -q pqgfile");
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
         "");
     FPS "%-20s Self sign\n",
         "   -x");
+    FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
+        "   --pss-sign");
     FPS "%-20s Cert serial number\n",
         "   -m serial-number");
     FPS "%-20s Time Warp\n",
         "   -w warp-months");
     FPS "%-20s Months valid (default is 3)\n",
         "   -v months-valid");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
@@ -1860,56 +1902,129 @@ MakeV1Cert(CERTCertDBHandle *handle,
     if (issuerCert) {
         CERT_DestroyCertificate(issuerCert);
     }
 
     return (cert);
 }
 
 static SECStatus
+SetSignatureAlgorithm(PLArenaPool *arena,
+                      SECAlgorithmID *signAlg,
+                      SECAlgorithmID *spkiAlg,
+                      SECOidTag hashAlgTag,
+                      SECKEYPrivateKey *privKey,
+                      PRBool pssSign)
+{
+    SECStatus rv;
+
+    if (pssSign ||
+        SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+        SECItem *srcParams;
+        SECItem *params;
+
+        if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+            srcParams = &spkiAlg->parameters;
+        } else {
+            /* If the issuer's public key is RSA, the parameter field
+             * of the SPKI should be NULL, which can't be used as a
+             * basis of RSA-PSS parameters. */
+            srcParams = NULL;
+        }
+        params = SEC_CreateSignatureAlgorithmParameters(arena,
+                                                        NULL,
+                                                        SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+                                                        hashAlgTag,
+                                                        srcParams,
+                                                        privKey);
+        if (!params) {
+            SECU_PrintError(progName, "Could not create RSA-PSS parameters");
+            return SECFailure;
+        }
+        rv = SECOID_SetAlgorithmID(arena, signAlg,
+                                   SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+                                   params);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "Could not set signature algorithm id.");
+            return rv;
+        }
+    } else {
+        KeyType keyType = SECKEY_GetPrivateKeyType(privKey);
+        SECOidTag algID;
+
+        algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
+        if (algID == SEC_OID_UNKNOWN) {
+            SECU_PrintError(progName, "Unknown key or hash type for issuer.");
+            return SECFailure;
+        }
+        rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "Could not set signature algorithm id.");
+            return rv;
+        }
+    }
+    return SECSuccess;
+}
+
+static SECStatus
 SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
          SECOidTag hashAlgTag,
          SECKEYPrivateKey *privKey, char *issuerNickName,
-         int certVersion, void *pwarg)
+         int certVersion, PRBool pssSign, void *pwarg)
 {
     SECItem der;
     SECKEYPrivateKey *caPrivateKey = NULL;
     SECStatus rv;
     PLArenaPool *arena;
-    SECOidTag algID;
+    CERTCertificate *issuer;
     void *dummy;
 
-    if (!selfsign) {
-        CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
+    arena = cert->arena;
+
+    if (selfsign) {
+        issuer = cert;
+    } else {
+        issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
         if ((CERTCertificate *)NULL == issuer) {
             SECU_PrintError(progName, "unable to find issuer with nickname %s",
                             issuerNickName);
-            return SECFailure;
+            rv = SECFailure;
+            goto done;
         }
-
         privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
-        CERT_DestroyCertificate(issuer);
         if (caPrivateKey == NULL) {
             SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
-            return SECFailure;
+            rv = SECFailure;
+            CERT_DestroyCertificate(issuer);
+            goto done;
         }
     }
 
-    arena = cert->arena;
-
-    algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
-    if (algID == SEC_OID_UNKNOWN) {
-        fprintf(stderr, "Unknown key or hash type for issuer.");
+    if (pssSign &&
+        (SECKEY_GetPrivateKeyType(privKey) != rsaKey &&
+         SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) {
+        SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s",
+                        issuerNickName);
         rv = SECFailure;
+        if (!selfsign) {
+            CERT_DestroyCertificate(issuer);
+        }
         goto done;
     }
 
-    rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
+    rv = SetSignatureAlgorithm(arena,
+                               &cert->signature,
+                               &issuer->subjectPublicKeyInfo.algorithm,
+                               hashAlgTag,
+                               privKey,
+                               pssSign);
+    if (!selfsign) {
+        CERT_DestroyCertificate(issuer);
+    }
     if (rv != SECSuccess) {
-        fprintf(stderr, "Could not set signature algorithm id.");
         goto done;
     }
 
     switch (certVersion) {
         case (SEC_CERTIFICATE_VERSION_1):
             /* The initial version for x509 certificates is version one
          * and this default value must be an implicit DER encoding. */
             cert->version.data = NULL;
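Review bot: `issuer` is declared without an initialiser and released by three separate copies of `if (!selfsign) { CERT_DestroyCertificate(issuer); }`, so any `goto done` later added between the lookup and the SetSignatureAlgorithm call would leak the issuer reference. Declaring `CERTCertificate *issuer = NULL;` and releasing once at `done` with `if (!selfsign && issuer) { CERT_DestroyCertificate(issuer); }` puts it beside the existing caPrivateKey cleanup. The `done` label is outside this hunk. SetSignatureAlgorithm would also benefit from a header comment stating that RSA-PSS is chosen when `pssSign` is set or the issuer SPKI is RSA-PSS, and that the SPKI parameters are the source only in the latter case.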
@@ -1918,30 +2033,32 @@ SignCert(CERTCertDBHandle *handle, CERTC
         case (SEC_CERTIFICATE_VERSION_2):
         case (SEC_CERTIFICATE_VERSION_3):
         case 3: /* unspecified format (would be version 4 certificate). */
             *(cert->version.data) = certVersion;
             cert->version.len = 1;
             break;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
-            return SECFailure;
+            rv = SECFailure;
+            goto done;
     }
 
     der.len = 0;
     der.data = NULL;
     dummy = SEC_ASN1EncodeItem(arena, &der, cert,
                                SEC_ASN1_GET(CERT_CertificateTemplate));
     if (!dummy) {
         fprintf(stderr, "Could not encode certificate.\n");
         rv = SECFailure;
         goto done;
     }
 
-    rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID);
+    rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len,
+                                        privKey, &cert->signature);
     if (rv != SECSuccess) {
         fprintf(stderr, "Could not sign encoded certificate data.\n");
         /* result allocated out of the arena, it will be freed
          * when the arena is freed */
         goto done;
     }
 done:
     if (caPrivateKey) {
@@ -1964,16 +2081,17 @@ CreateCert(
     int validityMonths,
     const char *emailAddrs,
     const char *dnsNames,
     PRBool ascii,
     PRBool selfsign,
     certutilExtnList extnList,
     const char *extGeneric,
     int certVersion,
+    PRBool pssSign,
     SECItem *certDER)
 {
     void *extHandle = NULL;
     CERTCertificate *subjectCert = NULL;
     CERTCertificateRequest *certReq = NULL;
     SECStatus rv = SECSuccess;
     CERTCertExtension **CRexts;
 
@@ -2024,17 +2142,17 @@ CreateCert(
                 fprintf(stderr, "Failed to locate private key.\n");
                 rv = SECFailure;
                 break;
             }
         }
 
         rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
                       *selfsignprivkey, issuerNickName,
-                      certVersion, pwarg);
+                      certVersion, pssSign, pwarg);
         if (rv != SECSuccess)
             break;
 
         rv = SECFailure;
         if (ascii) {
             char *asciiDER = BTOA_DataToAscii(subjectCert->derCert.data,
                                               subjectCert->derCert.len);
             if (asciiDER) {
@@ -2347,16 +2465,17 @@ enum certutilOpts {
     opt_KeyAttrFlags,
     opt_EmptyPassword,
     opt_CertVersion,
     opt_AddSubjectAltNameExt,
     opt_DumpExtensionValue,
     opt_GenericExtensions,
     opt_NewNickname,
     opt_Pss,
+    opt_PssSign,
     opt_Help
 };
 
 static const secuCommandFlag commands_init[] =
     {
       { /* cmd_AddCert             */ 'A', PR_FALSE, 0, PR_FALSE },
       { /* cmd_CreateNewCert       */ 'C', PR_FALSE, 0, PR_FALSE },
       { /* cmd_DeleteCert          */ 'D', PR_FALSE, 0, PR_FALSE },
@@ -2467,16 +2586,18 @@ static const secuCommandFlag options_ini
       { /* opt_DumpExtensionValue  */ 0, PR_TRUE, 0, PR_FALSE,
         "dump-ext-val" },
       { /* opt_GenericExtensions   */ 0, PR_TRUE, 0, PR_FALSE,
         "extGeneric" },
       { /* opt_NewNickname         */ 0, PR_TRUE, 0, PR_FALSE,
         "new-n" },
       { /* opt_Pss                 */ 0, PR_FALSE, 0, PR_FALSE,
         "pss" },
+      { /* opt_PssSign             */ 0, PR_FALSE, 0, PR_FALSE,
+        "pss-sign" },
     };
 #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
 
 static secuCommandFlag certutil_commands[NUM_COMMANDS];
 static secuCommandFlag certutil_options[NUM_OPTIONS];
 
 static const secuCommand certutil = {
     NUM_COMMANDS,
@@ -3358,16 +3479,35 @@ certutil_main(int argc, char **argv, PRB
         if (keytype != rsaKey) {
             PR_fprintf(PR_STDERR,
                        "%s -%c: --pss only works with RSA keys.\n",
                        progName, commandToRun);
             return 255;
         }
     }
 
+    /* --pss-sign is to sign a certificate with RSA-PSS, even if the
+     * issuer's key is an RSA key.  If the key is an RSA-PSS key, the
+     * generated signature is always RSA-PSS. */
+    if (certutil.options[opt_PssSign].activated) {
+        if (!certutil.commands[cmd_CreateNewCert].activated &&
+            !certutil.commands[cmd_CreateAndAddCert].activated) {
+            PR_fprintf(PR_STDERR,
+                       "%s -%c: --pss-sign only works with -C or -S.\n",
+                       progName, commandToRun);
+            return 255;
+        }
+        if (keytype != rsaKey) {
+            PR_fprintf(PR_STDERR,
+                       "%s -%c: --pss-sign only works with RSA keys.\n",
+                       progName, commandToRun);
+            return 255;
+        }
+    }
+
     /* If we need a list of extensions convert the flags into list format */
     if (certutil.commands[cmd_CertReq].activated ||
         certutil.commands[cmd_CreateAndAddCert].activated ||
         certutil.commands[cmd_CreateNewCert].activated) {
         certutil_extns[ext_keyUsage].activated =
             certutil.options[opt_AddCmdKeyUsageExt].activated;
         if (!certutil_extns[ext_keyUsage].activated) {
             certutil_extns[ext_keyUsage].activated =
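Review bot: The `keytype != rsaKey` test in the new `--pss-sign` block checks what appears to be the `-k` type of the subject key (its assignment is outside the hunk), whereas without `-x` the signature is made with the issuer's key. SignCert in this commit already rejects a signing key that is neither `rsaKey` nor `rsaPssKey`, so this early check may refuse a run whose `-k` value has nothing to do with the issuer. It also does not match the comment's statement about RSA-PSS issuer keys. Consider limiting it to self-signing, `if (certutil.options[opt_SelfSign].activated && keytype != rsaKey) {`, and leaving issuer-key validation to SignCert. certutil_main starts and ends outside this hunk.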
@@ -3495,16 +3635,17 @@ certutil_main(int argc, char **argv, PRB
                         certutil.options[opt_ExtendedDNSNames].arg,
                         certutil.options[opt_ASCIIForIO].activated &&
                             certutil.commands[cmd_CreateNewCert].activated,
                         certutil.options[opt_SelfSign].activated,
                         certutil_extns,
                         (certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
                                                                            : NULL),
                         certVersion,
+                        certutil.options[opt_PssSign].activated,
                         &certDER);
         if (rv)
             goto shutdown;
     }
 
     /*
      * Adding a cert to the database (or slot)
      */
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1307,25 +1307,22 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo
                 break;
             default:
                 secu_PrintPBEParams(out, &a->parameters, "Parameters", level + 1);
                 break;
         }
         return;
     }
 
-    if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
-        secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
-        return;
-    }
-
     if (a->parameters.len == 0 ||
         (a->parameters.len == 2 &&
          PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
         /* No arguments or NULL argument */
+    } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+        secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
     } else {
         /* Print args to algorithm */
         SECU_PrintAsHex(out, &a->parameters, "Args", level + 1);
     }
 }
 
 static void
 secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
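Review bot: With the RSA-PSS branch moved behind the empty/NULL test, an RSA-PSS AlgorithmID whose parameters are an explicit DER NULL (`05 00`) now prints nothing at all. RFC 4055 allows RSASSA-PSS parameters to be absent or a SEQUENCE, not NULL, so the dump now hides a malformed encoding that someone inspecting a certificate would want to see. Consider keeping only the `a->parameters.len == 0` case silent for this tag and sending the NULL case to `SECU_PrintAsHex`. A short comment on the empty branch explaining why PSS is checked after it would also help. SECU_PrintAlgorithmID starts outside this hunk.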
--- a/cmd/listsuites/listsuites.c
+++ b/cmd/listsuites/listsuites.c
@@ -5,25 +5,64 @@
 /* This program demonstrates the use of SSL_GetCipherSuiteInfo to avoid
  * all compiled-in knowledge of SSL cipher suites.
  *
  * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
  */
 
 #include <errno.h>
 #include <stdio.h>
+#include "nss.h"
 #include "secport.h"
+#include "secutil.h"
 #include "ssl.h"
 
 int
 main(int argc, char **argv)
 {
     const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
     int i;
     int errCount = 0;
+    SECStatus rv;
+    PRErrorCode err;
+    char *certDir = NULL;
+
+    /* load policy from $SSL_DIR/pkcs11.txt, for testing */
+    certDir = SECU_DefaultSSLDir();
+    if (certDir) {
+        rv = NSS_Init(certDir);
+    } else {
+        rv = NSS_NoDB_Init(NULL);
+    }
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err));
+        goto out;
+    }
+
+    /* apply policy */
+    rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n",
+                PORT_ErrorToString(err));
+        goto out;
+    }
+
+    /* update the default cipher suites according to the policy */
+    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "SSL_OptionSetDefault failed: %s\n",
+                PORT_ErrorToString(err));
+        goto out;
+    }
 
     fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
 
     /* disable all the SSL3 cipher suites */
     for (i = 0; i < SSL_NumImplementedCiphers; i++) {
         PRUint16 suite = cipherSuites[i];
         SECStatus rv;
         PRBool enabled;
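Review bot: Every `goto out` added here, including the one taken when `NSS_Init`/`NSS_NoDB_Init` fails, lands on the `NSS_Shutdown()` call added in the next hunk of this file. A failed initialisation is therefore followed by a shutdown of a library that never came up, which is likely counted as a second error. Returning directly on init failure, or guarding the shutdown with a flag set after a successful init, keeps `errCount` meaningful. The new function-level `SECStatus rv;` is also shadowed by the `SECStatus rv;` still declared inside the cipher loop; dropping the inner declaration avoids a `-Wshadow` warning. main continues past this hunk.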
@@ -53,10 +92,19 @@ main(int argc, char **argv)
                 "  0x%04hx %-5s %-5s %-8s %3hd %-6s %-8s %-4s Domestic %-11s\n",
                 info.cipherSuiteName, info.cipherSuite,
                 info.keaTypeName, info.authAlgorithmName, info.symCipherName,
                 info.effectiveKeyBits, info.macAlgorithmName,
                 enabled ? "Enabled" : "Disabled",
                 info.isFIPS ? "FIPS" : "",
                 info.nonStandard ? "nonStandard" : "");
     }
+
+out:
+    rv = NSS_Shutdown();
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err));
+    }
+
     return errCount;
 }
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -58,16 +58,17 @@ NSS_SRCDIRS = \
  pk12util \
  pk11ectest \
  pk11gcmtest \
  pk11mode \
  pk1sign  \
  pp  \
  pwdecrypt \
  rsaperf \
+ rsapoptst \
  sdrtest \
  selfserv  \
  signtool \
  signver \
  smimetools  \
  ssltap  \
  strsclnt \
  symkeyutil \
--- a/cmd/rsapoptst/rsapoptst.c
+++ b/cmd/rsapoptst/rsapoptst.c
@@ -18,17 +18,17 @@ struct test_args {
 };
 
 static const struct test_args test_array[] = {
     { "all", 0x1f, "run all the tests" },
     { "e_n_p", 0x01, "public exponent, modulus, prime1" },
     { "d_n_q", 0x02, "private exponent, modulus, prime2" },
     { "d_p_q", 0x04, "private exponent, prime1, prime2" },
     { "e_d_q", 0x08, "public exponent, private exponent, prime2" },
-    { "e_d_n", 0x10, "public exponent, private exponent, moduls" }
+    { "e_d_n", 0x10, "public exponent, private exponent, modulus" }
 };
 static const int test_array_size =
     (sizeof(test_array) / sizeof(struct test_args));
 
 static void
 Usage(char *progName)
 {
     int i;
@@ -53,16 +53,17 @@ Usage(char *progName)
  */
 
 const static CK_ATTRIBUTE rsaTemplate[] = {
     { CKA_CLASS, NULL, 0 },
     { CKA_KEY_TYPE, NULL, 0 },
     { CKA_TOKEN, NULL, 0 },
     { CKA_SENSITIVE, NULL, 0 },
     { CKA_PRIVATE, NULL, 0 },
+    { CKA_ID, NULL, 0 },
     { CKA_MODULUS, NULL, 0 },
     { CKA_PUBLIC_EXPONENT, NULL, 0 },
     { CKA_PRIVATE_EXPONENT, NULL, 0 },
     { CKA_PRIME_1, NULL, 0 },
     { CKA_PRIME_2, NULL, 0 },
     { CKA_EXPONENT_1, NULL, 0 },
     { CKA_EXPONENT_2, NULL, 0 },
     { CKA_COEFFICIENT, NULL, 0 },
@@ -118,56 +119,87 @@ readKey(PK11ObjectType objType, void *ob
 
 fail:
     resetTemplate(template, start, i);
     return rv;
 }
 
 #define ATTR_STRING(x) getNameFromAttribute(x)
 
-void
-dumpTemplate(CK_ATTRIBUTE *template, int start, int end)
+static void
+dumphex(FILE *file, const unsigned char *cpval, int start, int end)
 {
-    int i, j;
-    for (i = 0; i < end; i++) {
+    int i;
+    for (i = start; i < end; i++) {
+        if ((i % 16) == 0)
+            fprintf(file, "\n ");
+        fprintf(file, " %02x", cpval[i]);
+    }
+    return;
+}
+
+void
+dumpTemplate(FILE *file, const CK_ATTRIBUTE *template, int start, int end)
+{
+    int i;
+    for (i = start; i < end; i++) {
         unsigned char cval;
         CK_ULONG ulval;
-        unsigned char *cpval;
+        const unsigned char *cpval;
 
-        fprintf(stderr, "%s:", ATTR_STRING(template[i].type));
+        fprintf(file, "%s:", ATTR_STRING(template[i].type));
         switch (template[i].ulValueLen) {
             case 1:
                 cval = *(unsigned char *)template[i].pValue;
                 switch (cval) {
                     case 0:
-                        fprintf(stderr, " false");
+                        fprintf(file, " false");
                         break;
                     case 1:
-                        fprintf(stderr, " true");
+                        fprintf(file, " true");
                         break;
                     default:
-                        fprintf(stderr, " %d (=0x%02x,'%c')", cval, cval, cval);
+                        fprintf(file, " %d (=0x%02x,'%c')", cval, cval, cval);
                         break;
                 }
                 break;
             case sizeof(CK_ULONG):
                 ulval = *(CK_ULONG *)template[i].pValue;
-                fprintf(stderr, " %ld (=0x%04lx)", ulval, ulval);
+                fprintf(file, " %ld (=0x%04lx)", ulval, ulval);
                 break;
             default:
-                cpval = (unsigned char *)template[i].pValue;
-                for (j = 0; j < template[i].ulValueLen; j++) {
-                    if ((j % 16) == 0)
-                        fprintf(stderr, "\n ");
-                    fprintf(stderr, " %02x", cpval[j]);
-                }
+                cpval = (const unsigned char *)template[i].pValue;
+                dumphex(file, cpval, 0, template[i].ulValueLen);
                 break;
         }
-        fprintf(stderr, "\n");
+        fprintf(file, "\n");
+    }
+}
+
+void
+dumpItem(FILE *file, const SECItem *item)
+{
+    const unsigned char *cpval;
+
+    if (item == NULL) {
+        fprintf(file, " pNULL ");
+        return;
     }
+    if (item->data == NULL) {
+        fprintf(file, " NULL ");
+        return;
+    }
+    if (item->len == 0) {
+        fprintf(file, " Empty ");
+        return;
+    }
+    cpval = item->data;
+    dumphex(file, cpval, 0, item->len);
+    fprintf(file, " ");
+    return;
 }
 
 PRBool
 rsaKeysAreEqual(PK11ObjectType srcType, void *src,
                 PK11ObjectType destType, void *dest)
 {
 
     CK_ATTRIBUTE srcTemplate[RSA_ATTRIBUTES];
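Review bot: `dumphex` takes its bounds as `int`, but both new callers pass unsigned lengths, so the value is silently narrowed at the call: `template[i].ulValueLen` (a `CK_ULONG`) in dumpTemplate and `item->len` in dumpItem. Declaring it as `dumphex(FILE *file, const unsigned char *cpval, unsigned long start, unsigned long end)` with an `unsigned long i` removes the conversion. dumpItem is new and, like dumphex, could be `static` if nothing outside this file uses it (not visible here). The trailing `return;` statements in the two void functions can go.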
@@ -186,53 +218,63 @@ rsaKeysAreEqual(PK11ObjectType srcType, 
     }
     readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);
     if (rv != SECSuccess) {
         printf("Could read dest key\n");
         return PR_FALSE;
     }
 
     for (i = 0; i < RSA_ATTRIBUTES; i++) {
+        if (srcTemplate[i].type == CKA_ID) {
+            continue; /* we purposefully make the CKA_ID different */
+        }
         if (srcTemplate[i].ulValueLen != destTemplate[i].ulValueLen) {
             printf("key->%s not equal src_len = %ld, dest_len=%ld\n",
                    ATTR_STRING(srcTemplate[i].type),
                    srcTemplate[i].ulValueLen, destTemplate[i].ulValueLen);
             areEqual = 0;
         } else if (memcmp(srcTemplate[i].pValue, destTemplate[i].pValue,
                           destTemplate[i].ulValueLen) != 0) {
             printf("key->%s not equal.\n", ATTR_STRING(srcTemplate[i].type));
             areEqual = 0;
         }
     }
     if (!areEqual) {
         fprintf(stderr, "original key:\n");
-        dumpTemplate(srcTemplate, 0, RSA_ATTRIBUTES);
+        dumpTemplate(stderr, srcTemplate, 0, RSA_ATTRIBUTES);
         fprintf(stderr, "created key:\n");
-        dumpTemplate(destTemplate, 0, RSA_ATTRIBUTES);
+        dumpTemplate(stderr, destTemplate, 0, RSA_ATTRIBUTES);
     }
+    resetTemplate(srcTemplate, 0, RSA_ATTRIBUTES);
+    resetTemplate(destTemplate, 0, RSA_ATTRIBUTES);
     return areEqual;
 }
 
 static int exp_exp_prime_fail_count = 0;
 
+#define LEAK_ID 0xf
+
 static int
 doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
-                  int mask, void *pwarg)
+                  int mask, int round, void *pwarg)
 {
     SECKEYPrivateKey *rsaPrivKey;
     SECKEYPublicKey *rsaPubKey;
     PK11GenericObject *tstPrivKey;
     CK_ATTRIBUTE tstTemplate[RSA_ATTRIBUTES];
     int tstHeaderCount;
     PK11SlotInfo *slot = NULL;
     PK11RSAGenParams rsaParams;
     CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY;
     CK_KEY_TYPE key_type = CKK_RSA;
     CK_BBOOL ck_false = CK_FALSE;
+    CK_BYTE cka_id[2] = { 0, 0 };
     int failed = 0;
+    int leak_found;      /* did we find the expected leak */
+    int expect_leak = 0; /* are we expecting a leak? */
 
     rsaParams.pe = exponent;
     rsaParams.keySizeInBits = keySize;
 
     slot = PK11_GetInternalSlot();
     if (slot == NULL) {
         fprintf(stderr, "Couldn't get the internal slot for the test \n");
         return -1;
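Review bot: The `resetTemplate` calls added before `return areEqual` in rsaKeysAreEqual are skipped by the early `return PR_FALSE` after the dest `readKey`, so on that path whatever the earlier source read stored in `srcTemplate` is never released (assuming `resetTemplate` is what frees the attribute values, as its use here suggests). Adding `resetTemplate(srcTemplate, 0, RSA_ATTRIBUTES);` before that `return PR_FALSE;` keeps the cleanup consistent in a test whose purpose is leak detection. The visible dest call also does not assign its result to `rv`, so the check after it appears to test a stale value; if readKey returns a status, `rv = readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);` would make that branch meaningful. The function begins above this hunk, so the source-side handling is inferred.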
@@ -254,158 +296,217 @@ doRSAPopulateTest(unsigned int keySize, 
     tstTemplate[1].pValue = &key_type;
     tstTemplate[1].ulValueLen = sizeof(key_type);
     tstTemplate[2].pValue = &ck_false;
     tstTemplate[2].ulValueLen = sizeof(ck_false);
     tstTemplate[3].pValue = &ck_false;
     tstTemplate[3].ulValueLen = sizeof(ck_false);
     tstTemplate[4].pValue = &ck_false;
     tstTemplate[4].ulValueLen = sizeof(ck_false);
-    tstHeaderCount = 5;
+    tstTemplate[5].pValue = &cka_id[0];
+    tstTemplate[5].ulValueLen = sizeof(cka_id);
+    tstHeaderCount = 6;
+    cka_id[0] = round;
 
     if (mask & 1) {
         printf("%s\n", test_array[1].description);
         resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+        cka_id[1] = 0;
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount, CKA_PUBLIC_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 1, CKA_MODULUS);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 2, CKA_PRIME_1);
 
-        tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
-                                              tstHeaderCount +
-                                                  3,
-                                              PR_FALSE);
+        tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+                                                     tstHeaderCount +
+                                                         3,
+                                                     PR_FALSE);
         if (tstPrivKey == NULL) {
             fprintf(stderr, "RSA Populate failed: pubExp mod p\n");
             failed = 1;
         } else if (!rsaKeysAreEqual(PK11_TypePrivKey, rsaPrivKey,
                                     PK11_TypeGeneric, tstPrivKey)) {
             fprintf(stderr, "RSA Populate key mismatch: pubExp mod p\n");
             failed = 1;
         }
         if (tstPrivKey)
             PK11_DestroyGenericObject(tstPrivKey);
     }
     if (mask & 2) {
         printf("%s\n", test_array[2].description);
         /* test the basic2 case, public exponent, modulus, prime2 */
         resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+        cka_id[1] = 1;
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount, CKA_PUBLIC_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 1, CKA_MODULUS);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 2, CKA_PRIME_2);
         /* test with q in the prime1 position */
         tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1;
 
-        tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
-                                              tstHeaderCount +
-                                                  3,
-                                              PR_FALSE);
+        tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+                                                     tstHeaderCount +
+                                                         3,
+                                                     PR_FALSE);
         if (tstPrivKey == NULL) {
             fprintf(stderr, "RSA Populate failed: pubExp mod q\n");
             failed = 1;
         } else if (!rsaKeysAreEqual(PK11_TypePrivKey, rsaPrivKey,
                                     PK11_TypeGeneric, tstPrivKey)) {
             fprintf(stderr, "RSA Populate key mismatch: pubExp mod q\n");
             failed = 1;
         }
         if (tstPrivKey)
             PK11_DestroyGenericObject(tstPrivKey);
     }
     if (mask & 4) {
         printf("%s\n", test_array[3].description);
         /* test the medium case, private exponent, prime1, prime2 */
         resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+        cka_id[1] = 2;
 
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount, CKA_PRIVATE_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 1, CKA_PRIME_1);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 2, CKA_PRIME_2);
         /* test with p & q swapped. Underlying code should swap these back */
         tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1;
         tstTemplate[tstHeaderCount + 1].type = CKA_PRIME_2;
 
-        tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
-                                              tstHeaderCount +
-                                                  3,
-                                              PR_FALSE);
+        tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+                                                     tstHeaderCount +
+                                                         3,
+                                                     PR_FALSE);
         if (tstPrivKey == NULL) {
             fprintf(stderr, "RSA Populate failed: privExp p q\n");
             failed = 1;
         } else if (!rsaKeysAreEqual(PK11_TypePrivKey, rsaPrivKey,
                                     PK11_TypeGeneric, tstPrivKey)) {
             fprintf(stderr, "RSA Populate key mismatch: privExp p q\n");
             failed = 1;
         }
         if (tstPrivKey)
             PK11_DestroyGenericObject(tstPrivKey);
     }
     if (mask & 8) {
         printf("%s\n", test_array[4].description);
         /* test the advanced case, public exponent, private exponent, prime2 */
         resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+        cka_id[1] = 3;
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount, CKA_PRIVATE_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 1, CKA_PUBLIC_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 2, CKA_PRIME_2);
 
-        tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
-                                              tstHeaderCount +
-                                                  3,
-                                              PR_FALSE);
+        tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+                                                     tstHeaderCount +
+                                                         3,
+                                                     PR_FALSE);
         if (tstPrivKey == NULL) {
             fprintf(stderr, "RSA Populate failed: pubExp privExp q\n");
             fprintf(stderr, " this is expected periodically. It means we\n");
             fprintf(stderr, " had more than one key that meets the "
                             "specification\n");
             exp_exp_prime_fail_count++;
         } else if (!rsaKeysAreEqual(PK11_TypePrivKey, rsaPrivKey,
                                     PK11_TypeGeneric, tstPrivKey)) {
             fprintf(stderr, "RSA Populate key mismatch: pubExp privExp q\n");
             failed = 1;
         }
         if (tstPrivKey)
             PK11_DestroyGenericObject(tstPrivKey);
     }
-    if (mask & 16) {
+    if (mask & 0x10) {
         printf("%s\n", test_array[5].description);
         /* test the advanced case2, public exponent, private exponent, modulus
          */
         resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+        cka_id[1] = LEAK_ID;
 
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount, CKA_PRIVATE_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 1, CKA_PUBLIC_EXPONENT);
         copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
                       tstHeaderCount + 2, CKA_MODULUS);
 
+        /* purposefully use the old version. This will create a leak */
         tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
                                               tstHeaderCount +
                                                   3,
                                               PR_FALSE);
         if (tstPrivKey == NULL) {
             fprintf(stderr, "RSA Populate failed: pubExp privExp mod\n");
             failed = 1;
         } else if (!rsaKeysAreEqual(PK11_TypePrivKey, rsaPrivKey,
                                     PK11_TypeGeneric, tstPrivKey)) {
             fprintf(stderr, "RSA Populate key mismatch: pubExp privExp mod\n");
             failed = 1;
         }
+        expect_leak = 1;
         if (tstPrivKey)
             PK11_DestroyGenericObject(tstPrivKey);
     }
+    resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+    SECKEY_DestroyPrivateKey(rsaPrivKey);
+    SECKEY_DestroyPublicKey(rsaPubKey);
+
+    /* make sure we didn't leak */
+    leak_found = 0;
+    tstPrivKey = PK11_FindGenericObjects(slot, CKO_PRIVATE_KEY);
+    if (tstPrivKey) {
+        SECStatus rv;
+        PK11GenericObject *thisKey;
+        int i;
+
+        fprintf(stderr, "Leaking keys...\n");
+        for (i = 0, thisKey = tstPrivKey; thisKey; i++,
+            thisKey = PK11_GetNextGenericObject(thisKey)) {
+            SECItem id = { 0, NULL, 0 };
+
+            rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisKey,
+                                       CKA_ID, &id);
+            if (rv != SECSuccess) {
+                fprintf(stderr, "Key %d: couldn't read CKA_ID: %s\n",
+                        i, PORT_ErrorToString(PORT_GetError()));
+                continue;
+            }
+            fprintf(stderr, "id = { ");
+            dumpItem(stderr, &id);
+            fprintf(stderr, "};");
+            if (id.data[1] == LEAK_ID) {
+                fprintf(stderr, " ---> leak expected\n");
+                if (id.data[0] == round)
+                    leak_found = 1;
+            } else {
+                if (id.len != sizeof(cka_id)) {
+                    fprintf(stderr,
+                            " ---> ERROR unexpected leak in generated key\n");
+                } else {
+                    fprintf(stderr,
+                            " ---> ERROR unexpected leak in constructed key\n");
+                }
+                failed = 1;
+            }
+            SECITEM_FreeItem(&id, PR_FALSE);
+        }
+        PK11_DestroyGenericObjects(tstPrivKey);
+    }
+    if (expect_leak && !leak_found) {
+        fprintf(stderr, "ERROR expected leak not found\n");
+        failed = 1;
+    }
 
     PK11_FreeSlot(slot);
     return failed ? -1 : 0;
 }
 
 /* populate options */
 enum {
     opt_Exponent = 0,
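Review bot: In the leak-check loop of doRSAPopulateTest, `id.data[1] == LEAK_ID` is evaluated before `id.len` is examined, so a private key whose CKA_ID is shorter than two bytes is read past its end, and an empty one (a case `dumpItem` handles explicitly on the line before) may be dereferenced through NULL. The `else` branch already expects IDs whose length differs from `sizeof(cka_id)`, so the length test should come first: `if (id.len == sizeof(cka_id) && id.data[1] == LEAK_ID) {`. Separately, `cka_id[0] = round;` narrows the int round to a CK_BYTE, so with a repeat count above 255 the comparison `id.data[0] == round` can no longer match and the run reports "expected leak not found"; comparing against `(CK_BYTE)round` or bounding the repeat count would avoid that. The function starts above this hunk.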
@@ -512,24 +613,28 @@ main(int argc, char **argv)
             Usage(progName);
             return -1;
         }
     }
 
     exp_exp_prime_fail_count = 0;
     for (i = 0; i < repeat; i++) {
         printf("Running RSA Populate test run %d\n", i);
-        ret = doRSAPopulateTest(keySize, exponent, mask, NULL);
+        ret = doRSAPopulateTest(keySize, exponent, mask, i, NULL);
         if (ret != 0) {
             i++;
             break;
         }
     }
     if (ret != 0) {
         fprintf(stderr, "RSA Populate test round %d: FAILED\n", i);
     }
     if (repeat > 1) {
         printf(" pub priv prime test:  %d failures out of %d runs (%f %%)\n",
                exp_exp_prime_fail_count, i,
                (((double)exp_exp_prime_fail_count) * 100.0) / (double)i);
     }
+    if (NSS_Shutdown() != SECSuccess) {
+        fprintf(stderr, "Shutdown failed\n");
+        ret = -1;
+    }
     return ret;
 }
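Review bot: The `Shutdown failed` message added at the end of main gives no reason, although the leak check added to doRSAPopulateTest in this same commit reports its failures with `PORT_ErrorToString(PORT_GetError())`. In a test meant to detect leaked objects, the error code from a failed `NSS_Shutdown()` is likely the most useful piece of output. Suggest `fprintf(stderr, "Shutdown failed: %s\n", PORT_ErrorToString(PORT_GetError()));`. main begins outside this hunk.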
new file mode 100644
--- /dev/null
+++ b/cmd/rsapoptst/rsapoptst.gyp
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../../cmd/platlibs.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'rsapoptst',
+      'type': 'executable',
+      'sources': [
+        'rsapoptst.c'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:dbm_exports',
+        '<(DEPTH)/exports.gyp:nss_exports',
+      ]
+    }
+  ],
+  'variables': {
+    'module': 'nss',
+  }
+}
--- a/cpputil/cpputil.gyp
+++ b/cpputil/cpputil.gyp
@@ -5,16 +5,17 @@
   'includes': [
     '../coreconf/config.gypi',
   ],
   'targets': [
     {
       'target_name': 'cpputil',
       'type': 'static_library',
       'sources': [
+        'databuffer.cc',
         'dummy_io.cc',
         'dummy_io_fwd.cc',
         'tls_parser.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
       ],
       'direct_dependent_settings': {
new file mode 100644
--- /dev/null
+++ b/cpputil/databuffer.cc
@@ -0,0 +1,127 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "databuffer.h"
+#include <algorithm>
+#include <cassert>
+#include <cstring>
+#include <iomanip>
+#include <iostream>
+#if defined(WIN32) || defined(WIN64)
+#include <winsock2.h>
+#else
+#include <arpa/inet.h>
+#endif
+
+namespace nss_test {
+
+void DataBuffer::Assign(const uint8_t* data, size_t len) {
+  if (data) {
+    Allocate(len);
+    memcpy(static_cast<void*>(data_), static_cast<const void*>(data), len);
+  } else {
+    assert(len == 0);
+    data_ = nullptr;
+    len_ = 0;
+  }
+}
+
+// Write will do a new allocation and expand the size of the buffer if needed.
+// Returns the offset of the end of the write.
+size_t DataBuffer::Write(size_t index, const uint8_t* val, size_t count) {
+  assert(val);
+  if (index + count > len_) {
+    size_t newlen = index + count;
+    uint8_t* tmp = new uint8_t[newlen];  // Always > 0.
+    if (data_) {
+      memcpy(static_cast<void*>(tmp), static_cast<const void*>(data_), len_);
+    }
+    if (index > len_) {
+      memset(static_cast<void*>(tmp + len_), 0, index - len_);
+    }
+    delete[] data_;
+    data_ = tmp;
+    len_ = newlen;
+  }
+  if (data_) {
+    memcpy(static_cast<void*>(data_ + index), static_cast<const void*>(val),
+           count);
+  }
+  return index + count;
+}
+
+// Write an integer, also performing host-to-network order conversion.
+// Returns the offset of the end of the write.
+size_t DataBuffer::Write(size_t index, uint32_t val, size_t count) {
+  assert(count <= sizeof(uint32_t));
+  uint32_t nvalue = htonl(val);
+  auto* addr = reinterpret_cast<const uint8_t*>(&nvalue);
+  return Write(index, addr + sizeof(uint32_t) - count, count);
+}
+
+void DataBuffer::Splice(const uint8_t* ins, size_t ins_len, size_t index,
+                        size_t remove) {
+  assert(ins);
+  uint8_t* old_value = data_;
+  size_t old_len = len_;
+
+  // The amount of stuff remaining from the tail of the old.
+  size_t tail_len = old_len - (std::min)(old_len, index + remove);
+  // The new length: the head of the old, the new, and the tail of the old.
+  len_ = index + ins_len + tail_len;
+  data_ = new uint8_t[len_ ? len_ : 1];
+
+  // The head of the old.
+  if (old_value) {
+    Write(0, old_value, (std::min)(old_len, index));
+  }
+  // Maybe a gap.
+  if (old_value && index > old_len) {
+    memset(old_value + index, 0, index - old_len);
+  }
+  // The new.
+  Write(index, ins, ins_len);
+  // The tail of the old.
+  if (tail_len > 0) {
+    Write(index + ins_len, old_value + index + remove, tail_len);
+  }
+
+  delete[] old_value;
+}
+
+// This can't use the same trick as Write(), since we might be reading from a
+// smaller data source.
+bool DataBuffer::Read(size_t index, size_t count, uint64_t* val) const {
+  assert(count <= sizeof(uint64_t));
+  assert(val);
+  if ((index > len()) || (count > (len() - index))) {
+    return false;
+  }
+  *val = 0;
+  for (size_t i = 0; i < count; ++i) {
+    *val = (*val << 8) | data()[index + i];
+  }
+  return true;
+}
+
+bool DataBuffer::Read(size_t index, size_t count, uint32_t* val) const {
+  assert(count <= sizeof(uint32_t));
+  uint64_t tmp;
+
+  if (!Read(index, count, &tmp)) {
+    return false;
+  }
+  *val = tmp & 0xffffffff;
+  return true;
+}
+
+size_t DataBuffer::logging_limit = 32;
+
+/* static */ void DataBuffer::SetLogLimit(size_t limit) {
+  DataBuffer::logging_limit = limit;
+}
+
+}  // namespace nss_test
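Review bot: In DataBuffer::Splice the gap fill `memset(old_value + index, 0, index - old_len);` writes into the old allocation at an offset beyond its `old_len` bytes, which is a heap out-of-bounds write whenever `index > old_len`, and it leaves the gap in the new buffer uninitialised. The zeroing belongs in the new buffer and does not depend on an old one existing: `if (index > old_len) { memset(data_ + old_len, 0, index - old_len); }`. The limits on `count` in Write(size_t, uint32_t, size_t) and on `ins` in Splice rest only on `assert`, which disappears under NDEBUG; that may be acceptable for a test utility, but it deserves a comment on those functions.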
--- a/cpputil/databuffer.h
+++ b/cpputil/databuffer.h
@@ -3,27 +3,19 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef databuffer_h__
 #define databuffer_h__
 
 #include <algorithm>
-#include <cassert>
 #include <cstring>
 #include <iomanip>
 #include <iostream>
-#if defined(WIN32) || defined(WIN64)
-#include <winsock2.h>
-#else
-#include <arpa/inet.h>
-#endif
-
-extern bool g_ssl_gtest_verbose;
 
 namespace nss_test {
 
 class DataBuffer {
  public:
   DataBuffer() : data_(nullptr), len_(0) {}
   DataBuffer(const uint8_t* data, size_t len) : data_(nullptr), len_(0) {
     Assign(data, len);
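Review bot: After this hunk removes `<winsock2.h>`/`<arpa/inet.h>` and `<cassert>`, databuffer.h still uses `uint8_t` here (and `uint32_t`/`uint64_t` in the declarations further down), but none of the remaining includes is specified to declare the fixed-width types. The header then compiles only if one of them happens to pull those types in transitively. Adding `#include <cstdint>` next to `<cstring>` makes the header self-contained.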
@@ -45,145 +37,60 @@ class DataBuffer {
     data_ = new uint8_t[len ? len : 1];  // Don't depend on new [0].
     len_ = len;
   }
 
   void Truncate(size_t len) { len_ = (std::min)(len_, len); }
 
   void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
 
-  void Assign(const uint8_t* data, size_t len) {
-    if (data) {
-      Allocate(len);
-      memcpy(static_cast<void*>(data_), static_cast<const void*>(data), len);
-    } else {
-      assert(len == 0);
-      data_ = nullptr;
-      len_ = 0;
-    }
-  }
+  void Assign(const uint8_t* data, size_t len);
 
   // Write will do a new allocation and expand the size of the buffer if needed.
   // Returns the offset of the end of the write.
-  size_t Write(size_t index, const uint8_t* val, size_t count) {
-    assert(val);
-    if (index + count > len_) {
-      size_t newlen = index + count;
-      uint8_t* tmp = new uint8_t[newlen];  // Always > 0.
-      if (data_) {
-        memcpy(static_cast<void*>(tmp), static_cast<const void*>(data_), len_);
-      }
-      if (index > len_) {
-        memset(static_cast<void*>(tmp + len_), 0, index - len_);
-      }
-      delete[] data_;
-      data_ = tmp;
-      len_ = newlen;
-    }
-    if (data_) {
-      memcpy(static_cast<void*>(data_ + index), static_cast<const void*>(val),
-             count);
-    }
-    return index + count;
-  }
-
+  size_t Write(size_t index, const uint8_t* val, size_t count);
   size_t Write(size_t index, const DataBuffer& buf) {
     return Write(index, buf.data(), buf.len());
   }
 
   // Write an integer, also performing host-to-network order conversion.
   // Returns the offset of the end of the write.
-  size_t Write(size_t index, uint32_t val, size_t count) {
-    assert(count <= sizeof(uint32_t));
-    uint32_t nvalue = htonl(val);
-    auto* addr = reinterpret_cast<const uint8_t*>(&nvalue);
-    return Write(index, addr + sizeof(uint32_t) - count, count);
-  }
-
-  // This can't use the same trick as Write(), since we might be reading from a
-  // smaller data source.
-  bool Read(size_t index, size_t count, uint64_t* val) const {
-    assert(count <= sizeof(uint64_t));
-    assert(val);
-    if ((index > len()) || (count > (len() - index))) {
-      return false;
-    }
-    *val = 0;
-    for (size_t i = 0; i < count; ++i) {
-      *val = (*val << 8) | data()[index + i];
-    }
-    return true;
-  }
-
-  // Overload because we have a lot of places where we are doing uint32_t
-  bool Read(size_t index, size_t count, uint32_t* val) const {
-    assert(count <= sizeof(uint32_t));
-    uint64_t tmp;
-
-    if (!Read(index, count, &tmp)) {
-      return false;
-    }
-    *val = tmp & 0xffffffff;
-    return true;
-  }
+  size_t Write(size_t index, uint32_t val, size_t count);
 
   // Starting at |index|, remove |remove| bytes and replace them with the
   // contents of |buf|.
   void Splice(const DataBuffer& buf, size_t index, size_t remove = 0) {
     Splice(buf.data(), buf.len(), index, remove);
   }
 
   void Splice(const uint8_t* ins, size_t ins_len, size_t index,
-              size_t remove = 0) {
-    assert(ins);
-    uint8_t* old_value = data_;
-    size_t old_len = len_;
-
-    // The amount of stuff remaining from the tail of the old.
-    size_t tail_len = old_len - (std::min)(old_len, index + remove);
-    // The new length: the head of the old, the new, and the tail of the old.
-    len_ = index + ins_len + tail_len;
-    data_ = new uint8_t[len_ ? len_ : 1];
+              size_t remove = 0);
+  void Append(const DataBuffer& buf) { Splice(buf, len_); }
 
-    // The head of the old.
-    if (old_value) {
-      Write(0, old_value, (std::min)(old_len, index));
-    }
-    // Maybe a gap.
-    if (old_value && index > old_len) {
-      memset(old_value + index, 0, index - old_len);
-    }
-    // The new.
-    Write(index, ins, ins_len);
-    // The tail of the old.
-    if (tail_len > 0) {
-      Write(index + ins_len, old_value + index + remove, tail_len);
-    }
-
-    delete[] old_value;
-  }
-
-  void Append(const DataBuffer& buf) { Splice(buf, len_); }
+  bool Read(size_t index, size_t count, uint64_t* val) const;
+  bool Read(size_t index, size_t count, uint32_t* val) const;
 
   const uint8_t* data() const { return data_; }
   uint8_t* data() { return data_; }
   size_t len() const { return len_; }
   bool empty() const { return len_ == 0; }
 
+  static void SetLogLimit(size_t limit);
+  friend std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf);
+
  private:
+  static size_t logging_limit;
   uint8_t* data_;
   size_t len_;
 };
 
-static const size_t kMaxBufferPrint = 32;
-
 inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
   stream << "[" << buf.len() << "] ";
   for (size_t i = 0; i < buf.len(); ++i) {
-    if (!g_ssl_gtest_verbose && i >= kMaxBufferPrint) {
+    if (i >= DataBuffer::logging_limit) {
       stream << "...";
       break;
     }
     stream << std::hex << std::setfill('0') << std::setw(2)
            << static_cast<unsigned>(buf.data()[i]);
   }
   stream << std::dec;
   return stream;
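Review bot: `SetLogLimit` and `logging_limit` are added without any comment, although the limit is static state shared by every DataBuffer and replaces the `g_ssl_gtest_verbose` check in `operator<<`. A short comment on the declaration would help, e.g. `// Maximum number of bytes operator<< prints before "..."; shared by all DataBuffer instances.` The comment that explained the uint32_t `Read` overload was dropped when the body moved out of the header; it could be kept on the declaration. The class body starts above this hunk and `operator<<` closes below it.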
--- a/cpputil/manifest.mn
+++ b/cpputil/manifest.mn
@@ -8,16 +8,17 @@ DEPTH      = ..
 MODULE = nss
 LIBRARY_NAME = cpputil
 
 ifeq ($(NSS_BUILD_UTIL_ONLY),1)
 CPPSRCS = \
       $(NULL)
 else
 CPPSRCS = \
+      databuffer.cc \
       dummy_io.cc \
       dummy_io_fwd.cc \
       tls_parser.cc \
       $(NULL)
 endif
 
 EXPORTS = \
       $(NULL)
--- a/doc/certutil.xml
+++ b/doc/certutil.xml
@@ -451,16 +451,26 @@ of the attribute codes:
       </varlistentry>
 
       <varlistentry>
         <term>-y exp</term>
         <listitem><para>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+        <term>--pss</term>
+        <listitem><para>Restrict the generated certificate (with the <option>-S</option> option) or certificate request (with the <option>-R</option> option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>--pss-sign</term>
+        <listitem><para>Sign the generated certificate with the RSA-PSS signature scheme (with the <option>-C</option> or <option>-S</option> option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-z noise-file</term>
         <listitem><para>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-Z hashAlg</term>
         <listitem>
         <para>Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:</para>
--- a/doc/html/certutil.html
+++ b/doc/html/certutil.html
@@ -1,9 +1,9 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139774553663312"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm140440587239488"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
 <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
 </p><p>
 When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</p></dd><dt><span class="term">-b validity-time</span></dt><dd><p>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code class="option">-V</code> option. The format of the <span class="emphasis"><em>validity-time</em></span> argument is <span class="emphasis"><em>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</em></span>, which allows offsets to be set relative to the validity end time. Specifying seconds (<span class="emphasis"><em>SS</em></span>) is optional. When specifying an explicit time, use a Z at the end of the term, <span class="emphasis"><em>YYMMDDHHMMSSZ</em></span>, to close it. When specifying an offset time, use <span class="emphasis"><em>YYMMDDHHMMSS+HHMM</em></span> or <span class="emphasis"><em>YYMMDDHHMMSS-HHMM</em></span> for adding or subtracting time, respectively.
@@ -15,35 +15,36 @@ Add one or multiple extensions that cert
            </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
  unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
            The valid key type options are rsa, dsa, ec, or all. The default 
            value is rsa. Specifying the type of key can avoid mistakes caused by
            duplicate nicknames. Giving a key type generates a new key pair; 
            giving the ID of an existing key reuses that key pair (which is 
            required to renew certificates).
-          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>If a token is available that supports more curves, the foolowing curves are supported as well:
-          sect163k1, nistk163, sect163r1, sect163r2,
-          nistb163,  sect193r1, sect193r2, sect233k1, nistk233,
-          sect233r1, nistb233, sect239k1, sect283k1, nistk283,
-          sect283r1, nistb283, sect409k1, nistk409, sect409r1,
-          nistb409,  sect571k1, nistk571, sect571r1, nistb571,
-          secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
-          nistp192,  secp224k1, secp224r1, nistp224, secp256k1,
-          secp256r1, secp384r1, secp521r1,
-          prime192v1, prime192v2, prime192v3,
-          prime239v1, prime239v2, prime239v3, c2pnb163v1,
-          c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
-          c2tnb191v2, c2tnb191v3,
-          c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
-          c2pnb272w1, c2pnb304w1,
-          c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
-          secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,
-          sect131r1, sect131r2</p>
-          </dd><dt><span class="term">-r </span></dt><dd><p>Display a certificate's binary DER encoding when listing information about that certificate with the -L option.</p></dd><dt><span class="term">-s subject</span></dt><dd><p>Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.</p></dd><dt><span class="term">-t trustargs</span></dt><dd><p>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <span class="emphasis"><em>SSL, email, object signing</em></span> for each trust setting. In each category position, use none, any, or all
+          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
+           If a token is available that supports more curves, the foolowing curves are supported as well:
+           sect163k1, nistk163, sect163r1, sect163r2,
+           nistb163,  sect193r1, sect193r2, sect233k1, nistk233,
+           sect233r1, nistb233, sect239k1, sect283k1, nistk283,
+           sect283r1, nistb283, sect409k1, nistk409, sect409r1,
+           nistb409,  sect571k1, nistk571, sect571r1, nistb571,
+           secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
+           nistp192,  secp224k1, secp224r1, nistp224, secp256k1,
+           secp256r1, secp384r1, secp521r1,
+           prime192v1, prime192v2, prime192v3,
+           prime239v1, prime239v2, prime239v3, c2pnb163v1,
+           c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
+           c2tnb191v2, c2tnb191v3,
+           c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
+           c2pnb272w1, c2pnb304w1,
+           c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
+           secp112r2, secp128r1, secp128r2, sect113r1, sect113r2,
+           sect131r1, sect131r2
+        </p></dd><dt><span class="term">-r </span></dt><dd><p>Display a certificate's binary DER encoding when listing information about that certificate with the -L option.</p></dd><dt><span class="term">-s subject</span></dt><dd><p>Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.</p></dd><dt><span class="term">-t trustargs</span></dt><dd><p>Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order <span class="emphasis"><em>SSL, email, object signing</em></span> for each trust setting. In each category position, use none, any, or all
 of the attribute codes: 
 	</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 		<span class="command"><strong>p</strong></span> - Valid peer
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>P</strong></span> - Trusted peer (implies p)
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>c</strong></span> - Valid CA
 	</p></li><li class="listitem"><p>
@@ -54,17 +55,17 @@ of the attribute codes:
 		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
 	</p><p><span class="command"><strong>-t "TC,C,T"</strong></span></p><p>
 	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p><p>
 	Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>L</strong></span> (as an SSL CA)</p></li><li class="listitem"><p><span class="command"><strong>A</strong></span> (as Any CA)</p></li><li class="listitem"><p><span class="command"><strong>Y</strong></span> (Verify CA)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
  for the beginning of a certificate's validity period. Use when creating 
  the certificate or adding it to a database. Express the offset in integers, 
  using a minus sign (-) to indicate a negative offset. If this argument is 
  not used, the validity period begins at the current system time. The length 
- of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-Z hashAlg</span></dt><dd><p>Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>MD2</p></li><li class="listitem"><p>MD4</p></li><li class="listitem"><p>MD5</p></li><li class="listitem"><p>SHA1</p></li><li class="listitem"><p>SHA224</p></li><li class="listitem"><p>SHA256</p></li><li class="listitem"><p>SHA384</p></li><li class="listitem"><p>SHA512</p></li></ul></div></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. 
There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">--pss</span></dt><dd><p>Restrict the generated certificate (with the <code class="option">-S</code> option) or certificate request (with the <code class="option">-R</code> option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.</p></dd><dt><span class="term">--pss-sign</span></dt><dd><p>Sign the generated certificate with the RSA-PSS signature scheme (with the <code class="option">-C</code> or <code class="option">-S</code> option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-Z hashAlg</span></dt><dd><p>Specify the hash algorithm to use with the -C, -S or -R command options. 
Possible keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>MD2</p></li><li class="listitem"><p>MD4</p></li><li class="listitem"><p>MD5</p></li><li class="listitem"><p>SHA1</p></li><li class="listitem"><p>SHA224</p></li><li class="listitem"><p>SHA256</p></li><li class="listitem"><p>SHA384</p></li><li class="listitem"><p>SHA512</p></li></ul></div></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 		digitalSignature
 	</p></li><li class="listitem"><p>
 		nonRepudiation
 	</p></li><li class="listitem"><p>
 		keyEncipherment
 	</p></li><li class="listitem"><p>
 		dataEncipherment
 	</p></li><li class="listitem"><p>
--- a/doc/html/pk12util.html
+++ b/doc/html/pk12util.html
@@ -1,23 +1,23 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm233250345408"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
-          Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to 
version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm139975398059856"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
+          Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to 
version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS #12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
     </p><p>
     pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
     </p><p>For example:</p><p> </p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
 
 Enter a password which will be used to encrypt your keys.
 The password should be at least 8 characters long,
 and should contain at least one non-alphabetic character.
 
 Enter new password: 
 Re-enter password: 
 Enter password for PKCS12 file: 
-pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
+pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
     </p><p>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
 Enter password for PKCS12 file: 
 Re-enter password: </pre><p><span class="command"><strong>Listing Keys and Certificates</strong></span></p><p>The information in a <code class="filename">.p12</code> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <code class="filename">.p12</code> file.
     </p><p>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example, this prints the default ASCII output:</p><pre class="programlisting"># pk12util -l certs.p12
 
 Enter password for PKCS12 file: 
 Key(shrouded):
     Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
@@ -43,17 +43,17 @@ Key(shrouded):
     Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
         Parameters:
             Salt:
                 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
             Iteration Count: 1 (0x1)
 Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
 
 Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
-    </pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>DES-CBC</p></li><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC2 
CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
+    </pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <strong class="userinput"><code>"NONE"</code></strong> as the argument of the <code class="option">-C</code> option.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PKCS #5 password-based encryption</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PBES2 with AES-CBC-Pad as underlying encryption scheme (<strong class="userinput"><code>"AES-128-CBC"</code></strong>, <strong class="userinput"><code>"AES-192-CBC"</code></strong>, and <strong class="userinput"><code>"AES-256-CBC"</code></strong>)</p></li></ul></div></dd><dt><span class="term">PKCS #12 password-based encryption</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>SHA-1 and 128-bit RC4 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4"</code></strong> or <strong class="userinput"><code>"RC4"</code></strong>)</p></li><li class="listitem"><p>SHA-1 and 40-bit RC4 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4"</code></strong>) (used by default for certificate encryption in non-FIPS mode)</p></li><li 
class="listitem"><p>SHA-1 and 3-key triple-DES (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC"</code></strong> or <strong class="userinput"><code>"DES-EDE3-CBC"</code></strong>)</p></li><li class="listitem"><p>SHA-1 and 128-bit RC2 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC"</code></strong> or <strong class="userinput"><code>"RC2-CBC"</code></strong>)</p></li><li class="listitem"><p>SHA-1 and 40-bit RC2 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC"</code></strong>)</p></li></ul></div></dd></dl></div><p>With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
 The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			cert8.db for certificates
 		</p></li><li class="listitem"><p>
 			key3.db for keys
 		</p></li><li class="listitem"><p>
 			secmod.db for PKCS #11 module information
 		</p></li></ul></div><p>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
 some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
@@ -63,15 +63,15 @@ BerkleyDB. These new databases provide m
 		</p></li><li class="listitem"><p>
 			key4.db for keys
 		</p></li><li class="listitem"><p>
 			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
 		</p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. 
 Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB
-		</p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil (1)</p><p>modutil (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		</p></li></ul></div></div><div class="refsection"><a name="compatibility"></a><h2>Compatibility Notes</h2><p>The exporting behavior of <span class="command"><strong>pk12util</strong></span> has changed over time, while importing files exported with older versions of NSS is still supported.</p><p>Until the 3.30 release, <span class="command"><strong>pk12util</strong></span> used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.</p><p>Until the 3.31 release, even when <strong class="userinput"><code>"AES-128-CBC"</code></strong> or <strong class="userinput"><code>"AES-192-CBC"</code></strong> is given from the command line, <span class="command"><strong>pk12util</strong></span> always used 256-bit AES as the underlying encryption scheme.</p><p>For historical reasons, <span class="command"><strong>pk12util</strong></span> accepts password-based encryption schemes not listed in this document.  However, those schemes are not officially supported and may have issues in interoperability with other tools.</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil (1)</p><p>modutil (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB
 		</p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
     </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </p></div></div><div class="navfooter"><hr></div></body></html>
--- a/doc/nroff/certutil.1
+++ b/doc/nroff/certutil.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  8 September 2016
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\"      Date: 27 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "8 September 2016" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -366,19 +366,19 @@ Specify a contact telephone number to in
 .RE
 .PP
 \-q pqgfile or curve\-name
 .RS 4
 Read an alternate PQG value from the specified file when generating DSA key pairs\&. If this argument is not used,
 \fBcertutil\fR
 generates its own PQG value\&. PQG files are created with a separate DSA utility\&.
 .sp
-Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.
+Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519\&.
 .sp
-If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163,  sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409,  sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192,  secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
+If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
 .RE
 .PP
 \-r
 .RS 4
 Display a certificate\*(Aqs binary DER encoding when listing information about that certificate with the \-L option\&.
 .RE
 .PP
 \-s subject
@@ -604,16 +604,34 @@ Use
 to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA\&.
 .RE
 .PP
 \-y exp
 .RS 4
 Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&.
 .RE
 .PP
+\-\-pss
+.RS 4
+Restrict the generated certificate (with the
+\fB\-S\fR
+option) or certificate request (with the
+\fB\-R\fR
+option) to be used with the RSA\-PSS signature scheme\&. This only works when the private key of the certificate or certificate request is RSA\&.
+.RE
+.PP
+\-\-pss\-sign
+.RS 4
+Sign the generated certificate with the RSA\-PSS signature scheme (with the
+\fB\-C\fR
+or
+\fB\-S\fR
+option)\&. This only works when the private key of the signer\*(Aqs certificate is RSA\&. If the signer\*(Aqs certificate is restricted to RSA\-PSS, it is not necessary to specify this option\&.
+.RE
+.PP
 \-z noise\-file
 .RS 4
 Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&.
 .RE
 .PP
 \-Z hashAlg
 .RS 4
 Specify the hash algorithm to use with the \-C, \-S or \-R command options\&. Possible keywords:
@@ -1507,43 +1525,46 @@ There are ways to narrow the keys listed
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 To return a specific key, use the
-\fB\-n\fR\fIname\fR
+\fB\-n\fR
+\fIname\fR
 argument with the name of the key\&.
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 If there are multiple security devices loaded, then the
-\fB\-h\fR\fItokenname\fR
+\fB\-h\fR
+\fItokenname\fR
 argument can search a specific token or all tokens\&.
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 If there are multiple key types available, then the
-\fB\-k\fR\fIkey\-type\fR
+\fB\-k\fR
+\fIkey\-type\fR
 argument can search a specific type of key, like RSA, DSA, or ECC\&.
 .RE
 .PP
 \fBListing Security Modules\fR
 .PP
 The devices that can be used to store certificates \-\- both internal databases and external devices like smart cards \-\- are recognized and used by loading security modules\&. The
 \fB\-U\fR
 command option lists all of the security modules listed in the
--- a/doc/nroff/pk12util.1
+++ b/doc/nroff/pk12util.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: PK12UTIL
 .\"    Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  5 June 2014
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\"      Date: 27 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -34,46 +34,46 @@ pk12util \- Export and import keys and c
 \fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-d\ [sql:]directory] [\-h\ tokenname] [\-P\ dbprefix] [\-r] [\-v] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword]
 .SH "STATUS"
 .PP
 This documentation is still work in progress\&. Please contribute to the initial review in
 \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
 .SH "DESCRIPTION"
 .PP
 The PKCS #12 utility,
-\fBpk12util\fR, enables sharing certificates among any server that supports PKCS#12\&. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys\&.
+\fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&.
 .SH "OPTIONS AND ARGUMENTS"
 .PP
 \fBOptions\fR
 .PP
 \-i p12file
 .RS 4
-Import keys and certificates from a PKCS#12 file into a security database\&.
+Import keys and certificates from a PKCS #12 file into a security database\&.
 .RE
 .PP
 \-l p12file
 .RS 4
-List the keys and certificates in PKCS#12 file\&.
+List the keys and certificates in PKCS #12 file\&.
 .RE
 .PP
 \-o p12file
 .RS 4
-Export keys and certificates from the security database to a PKCS#12 file\&.
+Export keys and certificates from the security database to a PKCS #12 file\&.
 .RE
 .PP
 \fBArguments\fR
 .PP
 \-c keyCipher
 .RS 4
 Specify the key encryption algorithm\&.
 .RE
 .PP
 \-C certCipher
 .RS 4
-Specify the key cert (overall package) encryption algorithm\&.
+Specify the certiticate encryption algorithm\&.
 .RE
 .PP
 \-d [sql:]directory
 .RS 4
 Specify the database directory into which to import to or export from certificates and keys\&.
 .sp
 \fBpk12util\fR
 supports two types of databases: the legacy security databases (cert8\&.db,
@@ -427,17 +427,17 @@ 28 \- PKCS12 add cert and key error
 29 \- PKCS12 encode error
 .RE
 .SH "EXAMPLES"
 .PP
 \fBImporting Keys and Certificates\fR
 .PP
 The most basic usage of
 \fBpk12util\fR
-for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
+for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
 \fB\-d\fR
 for a directory or
 \fB\-h\fR
 for a token)\&.
 .PP
 pk12util \-i p12File [\-h tokenname] [\-v] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
 .PP
 For example:
@@ -462,17 +462,17 @@ pk12util: PKCS12 IMPORT SUCCESSFUL
 .if n \{\
 .RE
 .\}
 .PP
 \fBExporting Keys and Certificates\fR
 .PP
 Using the
 \fBpk12util\fR
-command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
+command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
 .PP
 pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
 .PP
 For example:
 .sp
 .if n \{\
 .RS 4
 .\}
@@ -554,303 +554,109 @@ Certificate    Friendly Name: Thawte Per
 Certificate    Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
     
 .fi
 .if n \{\
 .RE
 .\}
 .SH "PASSWORD ENCRYPTION"
 .PP
-PKCS#12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package\&. If no algorithm is specified, the tool defaults to using
-\fBPKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc\fR
-for private key encryption\&.
-\fBPKCS12 V2 PBE with SHA1 and 40 Bit RC4\fR
-is the default for the overall package encryption when not in FIPS mode\&. When in FIPS mode, there is no package encryption\&.
+PKCS #12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates\&. If no algorithm is specified, the tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used for certificate encryption\&. When in FIPS mode, there is no certificate encryption\&. If certificate encryption is not wanted, specify
+\fB"NONE"\fR
+as the argument of the
+\fB\-C\fR
+option\&.
 .PP
 The private key is always protected with strong encryption by default\&.
 .PP
 Several types of ciphers are supported\&.
 .PP
-Symmetric CBC ciphers for PKCS#5 V2
+PKCS #5 password\-based encryption
 .RS 4
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-DES\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-RC2\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-RC5\-CBCPad
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-DES\-EDE3\-CBC (the default for key encryption)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-AES\-128\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-AES\-192\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-AES\-256\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-CAMELLIA\-128\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-CAMELLIA\-192\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-CAMELLIA\-256\-CBC
+PBES2 with AES\-CBC\-Pad as underlying encryption scheme (\fB"AES\-128\-CBC"\fR,
+\fB"AES\-192\-CBC"\fR, and
+\fB"AES\-256\-CBC"\fR)
 .RE
 .RE
 .PP
-PKCS#12 PBE ciphers
+PKCS #12 password\-based encryption
 .RS 4
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and 128 Bit RC4
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #12 PBE with Sha1 and 40 Bit RC4
+SHA\-1 and 128\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC4"\fR
+or
+\fB"RC4"\fR)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and Triple DES CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 128 Bit RC4
+SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non\-FIPS mode)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 2KEY Triple DES\-cbc
+SHA\-1 and 3\-key triple\-DES (\fB"PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC"\fR
+or
+\fB"DES\-EDE3\-CBC"\fR)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
+SHA\-1 and 128\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC2 CBC"\fR
+or
+\fB"RC2\-CBC"\fR)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
+SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC2 CBC"\fR)
 .RE
 .RE
 .PP
-PKCS#5 PBE ciphers
-.RS 4
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #5 Password Based Encryption with MD2 and DES CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #5 Password Based Encryption with MD5 and DES CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #5 Password Based Encryption with SHA1 and DES CBC
-.RE
-.RE
-.PP
-With PKCS#12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
+With PKCS #12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
 \fIno security module can perform the requested operation\fR\&.
 .SH "NSS DATABASE TYPES"
 .PP
 NSS originally used BerkeleyDB databases to store security information\&. The last versions of these
 \fIlegacy\fR
 databases are:
 .sp
 .RS 4
@@ -982,16 +788,37 @@ For an engineering draft on the changes 
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 https://wiki\&.mozilla\&.org/NSS_Shared_DB
 .RE
+.SH "COMPATIBILITY NOTES"
+.PP
+The exporting behavior of
+\fBpk12util\fR
+has changed over time, while importing files exported with older versions of NSS is still supported\&.
+.PP
+Until the 3\&.30 release,
+\fBpk12util\fR
+used the UTF\-16 encoding for the PKCS #5 password\-based encryption schemes, while the recommendation is to encode passwords in UTF\-8 if the used encryption scheme is defined outside of the PKCS #12 standard\&.
+.PP
+Until the 3\&.31 release, even when
+\fB"AES\-128\-CBC"\fR
+or
+\fB"AES\-192\-CBC"\fR
+is given from the command line,
+\fBpk12util\fR
+always used 256\-bit AES as the underlying encryption scheme\&.
+.PP
+For historical reasons,
+\fBpk12util\fR
+accepts password\-based encryption schemes not listed in this document\&. However, those schemes are not officially supported and may have issues in interoperability with other tools\&.
 .SH "SEE ALSO"
 .PP
 certutil (1)
 .PP
 modutil (1)
 .PP
 The NSS wiki has information on the new database design and how to configure applications to use it\&.
 .sp
--- a/doc/pk12util.xml
+++ b/doc/pk12util.xml
@@ -41,49 +41,49 @@
   <refsection>
     <title>STATUS</title>
     <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
     </para>
   </refsection>
 
   <refsection id="description">
     <title>Description</title>
-    <para>The PKCS #12 utility, <command>pk12util</command>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</para>
+    <para>The PKCS #12 utility, <command>pk12util</command>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</para>
   </refsection>
   
   <refsection id="options">
     <title>Options and Arguments</title>
     <para><command>Options</command></para>
     <variablelist>
       <varlistentry>
         <term>-i p12file</term>
-        <listitem><para>Import keys and certificates from a PKCS#12 file into a security database.</para></listitem>
+        <listitem><para>Import keys and certificates from a PKCS #12 file into a security database.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-l p12file</term>
-        <listitem><para>List the keys and certificates in PKCS#12 file.</para></listitem>
+        <listitem><para>List the keys and certificates in PKCS #12 file.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-o p12file</term>
-        <listitem><para>Export keys and certificates from the security database to a PKCS#12 file.</para></listitem>
+        <listitem><para>Export keys and certificates from the security database to a PKCS #12 file.</para></listitem>
       </varlistentry>
     </variablelist>
 
     <para><command>Arguments</command></para>
     <variablelist>
       <varlistentry>
         <term>-c keyCipher</term>
         <listitem><para>Specify the key encryption algorithm.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-C certCipher</term>
-        <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
+        <listitem><para>Specify the certiticate encryption algorithm.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-d [sql:]directory</term>
         <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
 	<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
       </varlistentry>
 
@@ -228,17 +228,17 @@
         <para> 29 - PKCS12 encode error</para>
 	</listitem>
 	</itemizedlist>
   </refsection>
 
   <refsection id="examples">
     <title>Examples</title>
     <para><command>Importing Keys and Certificates</command></para>
-    <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
+    <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS #12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
     </para>
     <para>
     pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
     </para>
     <para>For example:</para>
     <para> </para>
     <programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
 
@@ -247,17 +247,17 @@ The password should be at least 8 charac
 and should contain at least one non-alphabetic character.
 
 Enter new password: 
 Re-enter password: 
 Enter password for PKCS12 file: 
 pk12util: PKCS12 IMPORT SUCCESSFUL</programlisting>
 
     <para><command>Exporting Keys and Certificates</command></para>
-    <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
+    <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
     </para>
     <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
     <para>For example:</para>
     <programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
 Enter password for PKCS12 file: 
 Re-enter password: </programlisting>
 
     <para><command>Listing Keys and Certificates</command></para>
@@ -299,68 +299,44 @@ Key(shrouded):
 Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
 
 Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
     </programlisting>
   </refsection>
 
   <refsection id="encryption">
     <title>Password Encryption</title>
-    <para>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <command>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</command> for private key encryption. <command>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</command> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</para>
+    <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
     <para>The private key is always protected with strong encryption by default.</para>
     <para>Several types of ciphers are supported.</para>
     <variablelist>
     
       <varlistentry>
-        <term>Symmetric CBC ciphers for PKCS#5 V2</term>
+        <term>PKCS #5 password-based encryption</term>
         <listitem>
-	     <itemizedlist>
-	       <listitem><para>DES-CBC</para></listitem>
-	       <listitem><para>RC2-CBC</para></listitem>
-	       <listitem><para>RC5-CBCPad</para></listitem>
-	       <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem>
-	       <listitem><para>AES-128-CBC</para></listitem>
-	       <listitem><para>AES-192-CBC</para></listitem>
-	       <listitem><para>AES-256-CBC</para></listitem>
-	       <listitem><para>CAMELLIA-128-CBC</para></listitem>
-	       <listitem><para>CAMELLIA-192-CBC</para></listitem>
-	       <listitem><para>CAMELLIA-256-CBC</para></listitem>
-	     </itemizedlist>
+	  <itemizedlist>
+	    <listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
+	  </itemizedlist>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>PKCS#12 PBE ciphers</term>
+        <term>PKCS #12 password-based encryption</term>
         <listitem>
-	     <itemizedlist>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
-	     </itemizedlist>
-        </listitem>
-      </varlistentry>
-        <varlistentry><term>PKCS#5 PBE ciphers</term>
-        <listitem>
-	     <itemizedlist>
-	       <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para></listitem>
-	       <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem>
-	       <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
-	     </itemizedlist>
+	  <itemizedlist>
+	    <listitem><para>SHA-1 and 128-bit RC4 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4"</userinput> or <userinput>"RC4"</userinput>)</para></listitem>
+	    <listitem><para>SHA-1 and 40-bit RC4 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4"</userinput>) (used by default for certificate encryption in non-FIPS mode)</para></listitem>
+	    <listitem><para>SHA-1 and 3-key triple-DES (<userinput>"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC"</userinput> or <userinput>"DES-EDE3-CBC"</userinput>)</para></listitem>
+	    <listitem><para>SHA-1 and 128-bit RC2 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC"</userinput> or <userinput>"RC2-CBC"</userinput>)</para></listitem>
+	    <listitem><para>SHA-1 and 40-bit RC2 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC"</userinput>)</para></listitem>
+	  </itemizedlist>
         </listitem>
       </varlistentry>
     </variablelist>
-    <para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
+    <para>With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
   </refsection>
 
 <refsection id="databases"><title>NSS Database Types</title>
 <para>NSS originally used BerkeleyDB databases to store security information. 
 The last versions of these <emphasis>legacy</emphasis> databases are:</para>
 <itemizedlist>
 	<listitem>
 		<para>
@@ -427,16 +403,24 @@ Using the SQLite databases must be manua
 	<listitem>
 		<para>
 			https://wiki.mozilla.org/NSS_Shared_DB
 		</para>
 	</listitem>
 </itemizedlist>
 </refsection>
 
+  <refsection id="compatibility">
+    <title>Compatibility Notes</title>
+    <para>The exporting behavior of <command>pk12util</command> has changed over time, while importing files exported with older versions of NSS is still supported.</para>
+    <para>Until the 3.30 release, <command>pk12util</command> used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.</para>
+    <para>Until the 3.31 release, even when <userinput>"AES-128-CBC"</userinput> or <userinput>"AES-192-CBC"</userinput> is given from the command line, <command>pk12util</command> always used 256-bit AES as the underlying encryption scheme.</para>
+    <para>For historical reasons, <command>pk12util</command> accepts password-based encryption schemes not listed in this document.  However, those schemes are not officially supported and may have issues in interoperability with other tools.</para>
+  </refsection>
+
   <refsection id="seealso">
     <title>See Also</title>
     <para>certutil (1)</para>
     <para>modutil (1)</para>
 
 	<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
 <itemizedlist>
 	<listitem>
--- a/fuzz/tls_mutators.cc
+++ b/fuzz/tls_mutators.cc
@@ -1,12 +1,13 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include <algorithm>
 #include "shared.h"
 #include "tls_parser.h"
 
 #include "ssl.h"
 extern "C" {
 #include "sslimpl.h"
 }
 
--- a/gtests/common/util.h
+++ b/gtests/common/util.h
@@ -5,17 +5,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef util_h__
 #define util_h__
 
 #include <cassert>
 #include <vector>
 
-std::vector<uint8_t> hex_string_to_bytes(std::string s) {
+static inline std::vector<uint8_t> hex_string_to_bytes(std::string s) {
   std::vector<uint8_t> bytes;
   for (size_t i = 0; i < s.length(); i += 2) {
     bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
   }
   return bytes;
 }
 
 #endif  // util_h__
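Review bot: `hex_string_to_bytes` accepts odd-length input without complaint: on the last iteration `s.substr(i, 2)` yields a single character, which `std::stoul` parses as a one-nibble byte, so a truncated test vector silently turns into different bytes instead of failing. Since `<cassert>` is already included, I would add `assert(s.length() % 2 == 0);` as the first statement of the function. `std::stoul` with base 16 also skips leading whitespace, accepts a sign or `0x` prefix and stops at the first non-hex character, so malformed pairs are not reliably rejected either; a comment such as `// Input must be well-formed, even-length hex; intended for trusted test vectors only.` would make that contract explicit. The header also uses `std::string` and `uint8_t` while including only `<cassert>` and `<vector>`, so `#include <string>` and `#include <cstdint>` should be added rather than relying on transitive includes.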
new file mode 100644
--- /dev/null
+++ b/gtests/cryptohi_gtest/Makefile
@@ -0,0 +1,43 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
new file mode 100644
--- /dev/null
+++ b/gtests/cryptohi_gtest/cryptohi_gtest.gyp
@@ -0,0 +1,29 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'cryptohi_gtest',
+      'type': 'executable',
+      'sources': [
+        'cryptohi_unittest.cc',
+        '<(DEPTH)/gtests/common/gtests.cc'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/lib/util/util.gyp:nssutil3',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+        '<(DEPTH)/lib/nss/nss.gyp:nss3',
+      ]
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
new file mode 100644
--- /dev/null
+++ b/gtests/cryptohi_gtest/cryptohi_unittest.cc
@@ -0,0 +1,373 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <string>
+
+#include "gtest/gtest.h"
+
+#include "scoped_ptrs.h"
+#include "cryptohi.h"
+#include "secitem.h"
+#include "secerr.h"
+
+namespace nss_test {
+
+class SignParamsTestF : public ::testing::Test {
+ protected:
+  ScopedPLArenaPool arena_;
+  ScopedSECKEYPrivateKey privk_;
+  ScopedSECKEYPublicKey pubk_;
+  ScopedSECKEYPrivateKey ecPrivk_;
+  ScopedSECKEYPublicKey ecPubk_;
+
+  void SetUp() {
+    arena_.reset(PORT_NewArena(2048));
+
+    SECKEYPublicKey *pubk;
+    SECKEYPrivateKey *privk = SECKEY_CreateRSAPrivateKey(1024, &pubk, NULL);
+    ASSERT_NE(nullptr, pubk);
+    pubk_.reset(pubk);
+    ASSERT_NE(nullptr, privk);
+    privk_.reset(privk);
+
+    SECKEYECParams ecParams = {siBuffer, NULL, 0};
+    SECOidData *oidData;
+    oidData = SECOID_FindOIDByTag(SEC_OID_CURVE25519);
+    ASSERT_NE(nullptr, oidData);
+    ASSERT_NE(nullptr,
+              SECITEM_AllocItem(NULL, &ecParams, (2 + oidData->oid.len)))
+        << "Couldn't allocate memory for OID.";
+    ecParams.data[0] = SEC_ASN1_OBJECT_ID; /* we have to prepend 0x06 */
+    ecParams.data[1] = oidData->oid.len;
+    memcpy(ecParams.data + 2, oidData->oid.data, oidData->oid.len);
+    SECKEYPublicKey *ecPubk;
+    SECKEYPrivateKey *ecPrivk =
+        SECKEY_CreateECPrivateKey(&ecParams, &ecPubk, NULL);
+    ASSERT_NE(nullptr, ecPubk);
+    ecPubk_.reset(ecPubk);
+    ASSERT_NE(nullptr, ecPrivk);
+    ecPrivk_.reset(ecPrivk);
+  }
+
+  void CreatePssParams(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag) {
+    PORT_Memset(params, 0, sizeof(SECKEYRSAPSSParams));
+
+    params->hashAlg = (SECAlgorithmID *)PORT_ArenaZAlloc(
+        arena_.get(), sizeof(SECAlgorithmID));
+    ASSERT_NE(nullptr, params->hashAlg);
+    SECStatus rv =
+        SECOID_SetAlgorithmID(arena_.get(), params->hashAlg, hashAlgTag, NULL);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
+  void CreatePssParams(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag,
+                       SECOidTag maskHashAlgTag) {
+    CreatePssParams(params, hashAlgTag);
+
+    SECAlgorithmID maskHashAlg;
+    PORT_Memset(&maskHashAlg, 0, sizeof(maskHashAlg));
+    SECStatus rv =
+        SECOID_SetAlgorithmID(arena_.get(), &maskHashAlg, maskHashAlgTag, NULL);
+    ASSERT_EQ(SECSuccess, rv);
+
+    SECItem *maskHashAlgItem =
+        SEC_ASN1EncodeItem(arena_.get(), NULL, &maskHashAlg,
+                           SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
+
+    params->maskAlg = (SECAlgorithmID *)PORT_ArenaZAlloc(
+        arena_.get(), sizeof(SECAlgorithmID));
+    ASSERT_NE(nullptr, params->maskAlg);
+
+    rv = SECOID_SetAlgorithmID(arena_.get(), params->maskAlg,
+                               SEC_OID_PKCS1_MGF1, maskHashAlgItem);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
+  void CreatePssParams(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag,
+                       SECOidTag maskHashAlgTag, unsigned long saltLength) {
+    CreatePssParams(params, hashAlgTag, maskHashAlgTag);
+
+    SECItem *saltLengthItem =
+        SEC_ASN1EncodeInteger(arena_.get(), &params->saltLength, saltLength);
+    ASSERT_EQ(&params->saltLength, saltLengthItem);
+  }
+
+  void CheckHashAlg(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag) {
+    // If hash algorithm is SHA-1, it must be omitted in the parameters
+    if (hashAlgTag == SEC_OID_SHA1) {
+      EXPECT_EQ(nullptr, params->hashAlg);
+    } else {
+      EXPECT_NE(nullptr, params->hashAlg);
+      EXPECT_EQ(hashAlgTag, SECOID_GetAlgorithmTag(params->hashAlg));
+    }
+  }
+
+  void CheckMaskAlg(SECKEYRSAPSSParams *params, SECOidTag hashAlgTag) {
+    SECStatus rv;
+
+    // If hash algorithm is SHA-1, it must be omitted in the parameters
+    if (hashAlgTag == SEC_OID_SHA1)
+      EXPECT_EQ(nullptr, params->hashAlg);
+    else {
+      EXPECT_NE(nullptr, params->maskAlg);
+      EXPECT_EQ(SEC_OID_PKCS1_MGF1, SECOID_GetAlgorithmTag(params->maskAlg));
+
+      SECAlgorithmID hashAlg;
+      rv = SEC_QuickDERDecodeItem(arena_.get(), &hashAlg,
+                                  SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+                                  &params->maskAlg->parameters);
+      ASSERT_EQ(SECSuccess, rv);
+
+      EXPECT_EQ(hashAlgTag, SECOID_GetAlgorithmTag(&hashAlg));
+    }
+  }
+
+  void CheckSaltLength(SECKEYRSAPSSParams *params, SECOidTag hashAlg) {
+    // If the salt length parameter is missing, that means it is 20 (default)
+    if (!params->saltLength.data) {
+      return;
+    }
+
+    unsigned long value;
+    SECStatus rv = SEC_ASN1DecodeInteger(&params->saltLength, &value);
+    ASSERT_EQ(SECSuccess, rv);
+
+    // The salt length are usually the same as the hash length,
+    // except for the case where the hash length exceeds the limit
+    // set by the key length
+    switch (hashAlg) {
+      case SEC_OID_SHA1:
+        EXPECT_EQ(20UL, value);
+        break;
+      case SEC_OID_SHA224:
+        EXPECT_EQ(28UL, value);
+        break;
+      case SEC_OID_SHA256:
+        EXPECT_EQ(32UL, value);
+        break;
+      case SEC_OID_SHA384:
+        EXPECT_EQ(48UL, value);
+        break;
+      case SEC_OID_SHA512:
+        // Truncated from 64, because our private key is 1024-bit
+        EXPECT_EQ(62UL, value);
+        break;
+      default:
+        FAIL();
+    }
+  }
+};
+
+class SignParamsTest
+    : public SignParamsTestF,
+      public ::testing::WithParamInterface<std::tuple<SECOidTag, SECOidTag>> {};
+
+class SignParamsSourceTest : public SignParamsTestF,
+                             public ::testing::WithParamInterface<SECOidTag> {};
+
+TEST_P(SignParamsTest, CreateRsa) {
+  SECOidTag hashAlg = std::get<0>(GetParam());
+  SECOidTag srcHashAlg = std::get<1>(GetParam());
+
+  SECItem *srcParams;
+  if (srcHashAlg != SEC_OID_UNKNOWN) {
+    SECKEYRSAPSSParams pssParams;
+    ASSERT_NO_FATAL_FAILURE(
+        CreatePssParams(&pssParams, srcHashAlg, srcHashAlg));
+    srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                   SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+    ASSERT_NE(nullptr, srcParams);
+  } else {
+    srcParams = NULL;
+  }
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_ENCRYPTION, hashAlg, srcParams,
+      privk_.get());
+
+  // PKCS#1 RSA actually doesn't take any parameters, but if it is
+  // given, return a copy of it
+  if (srcHashAlg != SEC_OID_UNKNOWN) {
+    EXPECT_EQ(srcParams->len, params->len);
+    EXPECT_EQ(0, memcmp(params->data, srcParams->data, srcParams->len));
+  } else {
+    EXPECT_EQ(nullptr, params);
+  }
+}
+
+TEST_P(SignParamsTest, CreateRsaPss) {
+  SECOidTag hashAlg = std::get<0>(GetParam());
+  SECOidTag srcHashAlg = std::get<1>(GetParam());
+
+  SECItem *srcParams;
+  if (srcHashAlg != SEC_OID_UNKNOWN) {
+    SECKEYRSAPSSParams pssParams;
+    ASSERT_NO_FATAL_FAILURE(
+        CreatePssParams(&pssParams, srcHashAlg, srcHashAlg));
+    srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                   SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+    ASSERT_NE(nullptr, srcParams);
+  } else {
+    srcParams = NULL;
+  }
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg,
+      srcParams, privk_.get());
+
+  if (hashAlg != SEC_OID_UNKNOWN && srcHashAlg != SEC_OID_UNKNOWN &&
+      hashAlg != srcHashAlg) {
+    EXPECT_EQ(nullptr, params);
+    return;
+  }
+
+  EXPECT_NE(nullptr, params);
+
+  SECKEYRSAPSSParams pssParams;
+  PORT_Memset(&pssParams, 0, sizeof(pssParams));
+  SECStatus rv =
+      SEC_QuickDERDecodeItem(arena_.get(), &pssParams,
+                             SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate), params);
+  ASSERT_EQ(SECSuccess, rv);
+
+  if (hashAlg == SEC_OID_UNKNOWN) {
+    if (!pssParams.hashAlg) {
+      hashAlg = SEC_OID_SHA1;
+    } else {
+      hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg);
+    }
+
+    if (srcHashAlg == SEC_OID_UNKNOWN) {
+      // If both hashAlg and srcHashAlg is unset, NSS will decide the hash
+      // algorithm based on the key length; in this case it's SHA256
+      EXPECT_EQ(SEC_OID_SHA256, hashAlg);
+    } else {
+      EXPECT_EQ(srcHashAlg, hashAlg);
+    }
+  }
+
+  ASSERT_NO_FATAL_FAILURE(CheckHashAlg(&pssParams, hashAlg));
+  ASSERT_NO_FATAL_FAILURE(CheckMaskAlg(&pssParams, hashAlg));
+  ASSERT_NO_FATAL_FAILURE(CheckSaltLength(&pssParams, hashAlg));
+
+  // The default trailer field (1) must be omitted
+  EXPECT_EQ(nullptr, pssParams.trailerField.data);
+}
+
+TEST_P(SignParamsTest, CreateRsaPssWithECPrivateKey) {
+  SECOidTag hashAlg = std::get<0>(GetParam());
+  SECOidTag srcHashAlg = std::get<1>(GetParam());
+
+  SECItem *srcParams;
+  if (srcHashAlg != SEC_OID_UNKNOWN) {
+    SECKEYRSAPSSParams pssParams;
+    ASSERT_NO_FATAL_FAILURE(
+        CreatePssParams(&pssParams, srcHashAlg, srcHashAlg));
+    srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                   SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+    ASSERT_NE(nullptr, srcParams);
+  } else {
+    srcParams = NULL;
+  }
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg,
+      srcParams, ecPrivk_.get());
+
+  EXPECT_EQ(nullptr, params);
+}
+
+TEST_P(SignParamsTest, CreateRsaPssWithInvalidHashAlg) {
+  SECOidTag srcHashAlg = std::get<1>(GetParam());
+
+  SECItem *srcParams;
+  if (srcHashAlg != SEC_OID_UNKNOWN) {
+    SECKEYRSAPSSParams pssParams;
+    ASSERT_NO_FATAL_FAILURE(
+        CreatePssParams(&pssParams, srcHashAlg, srcHashAlg));
+    srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                   SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+    ASSERT_NE(nullptr, srcParams);
+  } else {
+    srcParams = NULL;
+  }
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, SEC_OID_MD5,
+      srcParams, privk_.get());
+
+  EXPECT_EQ(nullptr, params);
+}
+
+TEST_P(SignParamsSourceTest, CreateRsaPssWithInvalidHashAlg) {
+  SECOidTag hashAlg = GetParam();
+
+  SECItem *srcParams;
+  SECKEYRSAPSSParams pssParams;
+  ASSERT_NO_FATAL_FAILURE(
+      CreatePssParams(&pssParams, SEC_OID_MD5, SEC_OID_MD5));
+  srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                 SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+  ASSERT_NE(nullptr, srcParams);
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg,
+      srcParams, privk_.get());
+
+  EXPECT_EQ(nullptr, params);
+}
+
+TEST_P(SignParamsSourceTest, CreateRsaPssWithInvalidSaltLength) {
+  SECOidTag hashAlg = GetParam();
+
+  SECItem *srcParams;
+  SECKEYRSAPSSParams pssParams;
+  ASSERT_NO_FATAL_FAILURE(
+      CreatePssParams(&pssParams, SEC_OID_SHA512, SEC_OID_SHA512, 100));
+  srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                 SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+  ASSERT_NE(nullptr, srcParams);
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg,
+      srcParams, privk_.get());
+
+  EXPECT_EQ(nullptr, params);
+}
+
+TEST_P(SignParamsSourceTest, CreateRsaPssWithHashMismatch) {
+  SECOidTag hashAlg = GetParam();
+
+  SECItem *srcParams;
+  SECKEYRSAPSSParams pssParams;
+  ASSERT_NO_FATAL_FAILURE(
+      CreatePssParams(&pssParams, SEC_OID_SHA256, SEC_OID_SHA512));
+  srcParams = SEC_ASN1EncodeItem(arena_.get(), nullptr, &pssParams,
+                                 SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
+  ASSERT_NE(nullptr, srcParams);
+
+  SECItem *params = SEC_CreateSignatureAlgorithmParameters(
+      arena_.get(), nullptr, SEC_OID_PKCS1_RSA_PSS_SIGNATURE, hashAlg,
+      srcParams, privk_.get());
+
+  EXPECT_EQ(nullptr, params);
+}
+
+INSTANTIATE_TEST_CASE_P(
+    SignParamsTestCases, SignParamsTest,
+    ::testing::Combine(::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1,
+                                         SEC_OID_SHA224, SEC_OID_SHA256,
+                                         SEC_OID_SHA384, SEC_OID_SHA512),
+                       ::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1,
+                                         SEC_OID_SHA224, SEC_OID_SHA256,
+                                         SEC_OID_SHA384, SEC_OID_SHA512)));
+
+INSTANTIATE_TEST_CASE_P(SignParamsSourceTestCases, SignParamsSourceTest,
+                        ::testing::Values(SEC_OID_UNKNOWN, SEC_OID_SHA1,
+                                          SEC_OID_SHA224, SEC_OID_SHA256,
+                                          SEC_OID_SHA384, SEC_OID_SHA512));
+
+}  // namespace nss_test
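Review bot: In `CheckMaskAlg` the SHA-1 branch asserts on `params->hashAlg` instead of `params->maskAlg`, so nothing checks that the mask generation algorithm is omitted for SHA-1. It looks copied from `CheckHashAlg`; the line should read `EXPECT_EQ(nullptr, params->maskAlg);` and the comment above it should say "mask algorithm". In `CreateRsaPss` the null check on `params` is `EXPECT_NE`, which continues into `SEC_QuickDERDecodeItem` with a null item on failure, and `CreateRsa` reads `params->len` with no check at all. Using `ASSERT_NE(nullptr, params);` before each use would report a regression as a test failure rather than a crash. `SetUp` also appears never to release the `ecParams` buffer obtained from `SECITEM_AllocItem(NULL, ...)`, which will show up under leak checkers.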
new file mode 100644
--- /dev/null
+++ b/gtests/cryptohi_gtest/manifest.mn
@@ -0,0 +1,22 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH      = ../..
+MODULE = nss
+
+CPPSRCS = \
+      cryptohi_unittest.cc \
+      $(NULL)
+
+INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
+
+REQUIRES = nspr gtest
+
+PROGRAM = cryptohi_gtest
+
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
+             $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
--- a/gtests/manifest.mn
+++ b/gtests/manifest.mn
@@ -16,16 +16,17 @@ UTIL_SRCDIRS = \
 	$(NULL)
 endif
 
 ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
 ifneq ($(NSS_BUILD_UTIL_ONLY),1)
 NSS_SRCDIRS = \
 	certdb_gtest \
 	certhigh_gtest \
+	cryptohi_gtest \
 	der_gtest \
 	pk11_gtest \
 	softoken_gtest \
 	ssl_gtest \
 	nss_bogo_shim \
 	$(NULL)
 endif
 endif
--- a/gtests/pk11_gtest/manifest.mn
+++ b/gtests/pk11_gtest/manifest.mn
@@ -6,27 +6,30 @@ CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       pk11_aeskeywrap_unittest.cc \
       pk11_chacha20poly1305_unittest.cc \
       pk11_curve25519_unittest.cc \
       pk11_ecdsa_unittest.cc \
+      pk11_encrypt_derive_unittest.cc \
       pk11_export_unittest.cc \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
       pk11_prng_unittest.cc \
       pk11_rsapss_unittest.cc \
       pk11_der_private_key_import_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
             -I$(CORE_DEPTH)/gtests/common \
             -I$(CORE_DEPTH)/cpputil
 
-REQUIRES = nspr nss libdbm gtest
+REQUIRES = nspr nss libdbm gtest cpputil
 
 PROGRAM = pk11_gtest
 
-EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
-             $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+             $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
+             $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \
+             $(NULL)
 
--- a/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
+++ b/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
@@ -10,148 +10,159 @@
 #include "gtest/gtest.h"
 #include "scoped_ptrs.h"
 
 #include "pk11_ecdsa_vectors.h"
 #include "pk11_signature_test.h"
 
 namespace nss_test {
 
-class Pkcs11EcdsaTest : public Pk11SignatureTest {
+class Pkcs11EcdsaTestBase : public Pk11SignatureTest {
  protected:
-  CK_MECHANISM_TYPE mechanism() { return CKM_ECDSA; }
-  SECItem* parameters() { return nullptr; }
+  Pkcs11EcdsaTestBase(SECOidTag hash_oid)
+      : Pk11SignatureTest(CKM_ECDSA, hash_oid) {}
 };
 
-class Pkcs11EcdsaSha256Test : public Pkcs11EcdsaTest {
- protected:
-  SECOidTag hashOID() { return SEC_OID_SHA256; }
+struct Pkcs11EcdsaTestParams {
+  SECOidTag hash_oid_;
+  Pkcs11SignatureTestParams sig_params_;
 };
 
-class Pkcs11EcdsaSha384Test : public Pkcs11EcdsaTest {
- protected:
-  SECOidTag hashOID() { return SEC_OID_SHA384; }
-};
-
-class Pkcs11EcdsaSha512Test : public Pkcs11EcdsaTest {
- protected:
-  SECOidTag hashOID() { return SEC_OID_SHA512; }
+class Pkcs11EcdsaTest
+    : public Pkcs11EcdsaTestBase,
+      public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
+ public:
+  Pkcs11EcdsaTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
 };
 
-TEST_F(Pkcs11EcdsaSha256Test, VerifyP256) {
-  SIG_TEST_VECTOR_VERIFY(kP256Spki, kP256Data, kP256Signature);
-}
+TEST_P(Pkcs11EcdsaTest, Verify) { Verify(GetParam().sig_params_); }
 
-TEST_F(Pkcs11EcdsaSha256Test, SignAndVerifyP256) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kP256Pkcs8, kP256Spki, kP256Data);
-}
-
-TEST_F(Pkcs11EcdsaSha384Test, VerifyP384) {
-  SIG_TEST_VECTOR_VERIFY(kP384Spki, kP384Data, kP384Signature);
+TEST_P(Pkcs11EcdsaTest, SignAndVerify) {
+  SignAndVerify(GetParam().sig_params_);
 }
 
-TEST_F(Pkcs11EcdsaSha384Test, SignAndVerifyP384) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kP384Pkcs8, kP384Spki, kP384Data);
-}
+static const Pkcs11EcdsaTestParams kEcdsaVectors[] = {
+    {SEC_OID_SHA256,
+     {DataBuffer(kP256Pkcs8, sizeof(kP256Pkcs8)),
+      DataBuffer(kP256Spki, sizeof(kP256Spki)),
+      DataBuffer(kP256Data, sizeof(kP256Data)),
+      DataBuffer(kP256Signature, sizeof(kP256Signature))}},
+    {SEC_OID_SHA384,
+     {DataBuffer(kP384Pkcs8, sizeof(kP384Pkcs8)),
+      DataBuffer(kP384Spki, sizeof(kP384Spki)),
+      DataBuffer(kP384Data, sizeof(kP384Data)),
+      DataBuffer(kP384Signature, sizeof(kP384Signature))}},
+    {SEC_OID_SHA512,
+     {DataBuffer(kP521Pkcs8, sizeof(kP521Pkcs8)),
+      DataBuffer(kP521Spki, sizeof(kP521Spki)),
+      DataBuffer(kP521Data, sizeof(kP521Data)),
+      DataBuffer(kP521Signature, sizeof(kP521Signature))}}};
 
-TEST_F(Pkcs11EcdsaSha512Test, VerifyP521) {
-  SIG_TEST_VECTOR_VERIFY(kP521Spki, kP521Data, kP521Signature);
-}
+INSTANTIATE_TEST_CASE_P(EcdsaSignVerify, Pkcs11EcdsaTest,
+                        ::testing::ValuesIn(kEcdsaVectors));
 
-TEST_F(Pkcs11EcdsaSha512Test, SignAndVerifyP521) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kP521Pkcs8, kP521Spki, kP521Data);
-}
+class Pkcs11EcdsaSha256Test : public Pkcs11EcdsaTestBase {
+ public:
+  Pkcs11EcdsaSha256Test() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {}
+};
 
 // Importing a private key in PKCS#8 format must fail when the outer AlgID
 // struct contains neither id-ecPublicKey nor a namedCurve parameter.
 TEST_F(Pkcs11EcdsaSha256Test, ImportNoCurveOIDOrAlgorithmParams) {
-  EXPECT_FALSE(ImportPrivateKey(kP256Pkcs8NoCurveOIDOrAlgorithmParams,
-                                sizeof(kP256Pkcs8NoCurveOIDOrAlgorithmParams)));
+  DataBuffer k(kP256Pkcs8NoCurveOIDOrAlgorithmParams,
+               sizeof(kP256Pkcs8NoCurveOIDOrAlgorithmParams));
+  EXPECT_FALSE(ImportPrivateKey(k));
 };
 
 // Importing a private key in PKCS#8 format must succeed when only the outer
 // AlgID struct contains the namedCurve parameters.
 TEST_F(Pkcs11EcdsaSha256Test, ImportOnlyAlgorithmParams) {
-  EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(
-      kP256Pkcs8OnlyAlgorithmParams, sizeof(kP256Pkcs8OnlyAlgorithmParams),
-      kP256Data, sizeof(kP256Data)));
+  DataBuffer k(kP256Pkcs8OnlyAlgorithmParams,
+               sizeof(kP256Pkcs8OnlyAlgorithmParams));
+  DataBuffer data(kP256Data, sizeof(kP256Data));
+  DataBuffer sig;
+  EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig));
 };
 
 // Importing a private key in PKCS#8 format must succeed when the outer AlgID
 // struct and the inner ECPrivateKey contain the same namedCurve parameters.
 // The inner curveOID is always ignored, so only the outer one will be used.
 TEST_F(Pkcs11EcdsaSha256Test, ImportMatchingCurveOIDAndAlgorithmParams) {
-  EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(
-      kP256Pkcs8MatchingCurveOIDAndAlgorithmParams,
-      sizeof(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams), kP256Data,
-      sizeof(kP256Data)));
+  DataBuffer k(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams,
+               sizeof(kP256Pkcs8MatchingCurveOIDAndAlgorithmParams));
+  DataBuffer data(kP256Data, sizeof(kP256Data));
+  DataBuffer sig;
+  EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig));
 };
 
 // Importing a private key in PKCS#8 format must succeed when the outer AlgID
 // struct and the inner ECPrivateKey contain dissimilar namedCurve parameters.
 // The inner curveOID is always ignored, so only the outer one will be used.
 TEST_F(Pkcs11EcdsaSha256Test, ImportDissimilarCurveOIDAndAlgorithmParams) {
-  EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(
-      kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams,
-      sizeof(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams), kP256Data,
-      sizeof(kP256Data)));
+  DataBuffer k(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams,
+               sizeof(kP256Pkcs8DissimilarCurveOIDAndAlgorithmParams));
+  DataBuffer data(kP256Data, sizeof(kP256Data));
+  DataBuffer sig;
+  EXPECT_TRUE(ImportPrivateKeyAndSignHashedData(k, data, &sig));
 };
 
 // Importing a private key in PKCS#8 format must fail when the outer ASN.1
 // AlgorithmID struct contains only id-ecPublicKey but no namedCurve parameter.
 TEST_F(Pkcs11EcdsaSha256Test, ImportNoAlgorithmParams) {
-  EXPECT_FALSE(ImportPrivateKey(kP256Pkcs8NoAlgorithmParams,
-                                sizeof(kP256Pkcs8NoAlgorithmParams)));
+  DataBuffer k(kP256Pkcs8NoAlgorithmParams,
+               sizeof(kP256Pkcs8NoAlgorithmParams));
+  EXPECT_FALSE(ImportPrivateKey(k));
 };
 
 // Importing a private key in PKCS#8 format must fail when id-ecPublicKey is
 // given (so we know it's an EC key) but the namedCurve parameter is unknown.
 TEST_F(Pkcs11EcdsaSha256Test, ImportInvalidAlgorithmParams) {
-  EXPECT_FALSE(ImportPrivateKey(kP256Pkcs8InvalidAlgorithmParams,
-                                sizeof(kP256Pkcs8InvalidAlgorithmParams)));
+  DataBuffer k(kP256Pkcs8InvalidAlgorithmParams,
+               sizeof(kP256Pkcs8InvalidAlgorithmParams));
+  EXPECT_FALSE(ImportPrivateKey(k));
 };
 
 // Importing a private key in PKCS#8 format with a point not on the curve will
 // succeed. Using the contained public key however will fail when trying to
 // import it before using it for any operation.
 TEST_F(Pkcs11EcdsaSha256Test, ImportPointNotOnCurve) {
-  ScopedSECKEYPrivateKey privKey(ImportPrivateKey(
-      kP256Pkcs8PointNotOnCurve, sizeof(kP256Pkcs8PointNotOnCurve)));
+  DataBuffer k(kP256Pkcs8PointNotOnCurve, sizeof(kP256Pkcs8PointNotOnCurve));
+  ScopedSECKEYPrivateKey privKey(ImportPrivateKey(k));
   ASSERT_TRUE(privKey);
 
   ScopedSECKEYPublicKey pubKey(SECKEY_ConvertToPublicKey(privKey.get()));
   ASSERT_TRUE(pubKey);
 
   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   ASSERT_TRUE(slot);
 
   auto handle = PK11_ImportPublicKey(slot.get(), pubKey.get(), false);
   EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE));
 };
 
 // Importing a private key in PKCS#8 format must fail when no point is given.
 // PK11 currently offers no APIs to derive raw public keys from private values.
 TEST_F(Pkcs11EcdsaSha256Test, ImportNoPublicKey) {
-  EXPECT_FALSE(
-      ImportPrivateKey(kP256Pkcs8NoPublicKey, sizeof(kP256Pkcs8NoPublicKey)));
+  DataBuffer k(kP256Pkcs8NoPublicKey, sizeof(kP256Pkcs8NoPublicKey));
+  EXPECT_FALSE(ImportPrivateKey(k));
 };
 
 // Importing a public key in SPKI format must fail when id-ecPublicKey is
 // given (so we know it's an EC key) but the namedCurve parameter is missing.
 TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiNoAlgorithmParams) {
-  EXPECT_FALSE(ImportPublicKey(kP256SpkiNoAlgorithmParams,
-                               sizeof(kP256SpkiNoAlgorithmParams)));
+  DataBuffer k(kP256SpkiNoAlgorithmParams, sizeof(kP256SpkiNoAlgorithmParams));
+  EXPECT_FALSE(ImportPublicKey(k));
 }
 
 // Importing a public key in SPKI format with a point not on the curve will
 // succeed. Using the public key however will fail when trying to import
 // it before using it for any operation.
 TEST_F(Pkcs11EcdsaSha256Test, ImportSpkiPointNotOnCurve) {
-  ScopedSECKEYPublicKey pubKey(ImportPublicKey(
-      kP256SpkiPointNotOnCurve, sizeof(kP256SpkiPointNotOnCurve)));
+  DataBuffer k(kP256SpkiPointNotOnCurve, sizeof(kP256SpkiPointNotOnCurve));
+  ScopedSECKEYPublicKey pubKey(ImportPublicKey(k));
   ASSERT_TRUE(pubKey);
 
   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   ASSERT_TRUE(slot);
 
   auto handle = PK11_ImportPublicKey(slot.get(), pubKey.get(), false);
   EXPECT_EQ(handle, static_cast<decltype(handle)>(CK_INVALID_HANDLE));
 }
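Review bot: The three import-and-sign tests (`ImportOnlyAlgorithmParams`, `ImportMatchingCurveOIDAndAlgorithmParams`, `ImportDissimilarCurveOIDAndAlgorithmParams`) receive the signature in `sig` and then discard it, so they assert only that signing reported success. The dissimilar-curve test's comment says the inner curveOID is ignored and the outer one is used; checking that `sig` verifies under the matching P-256 public key would pin that claim in the test rather than in the comment. Whether the fixture offers a verify helper that takes these buffers is not visible in this hunk. As a smaller style point, the single-argument constructor `Pkcs11EcdsaTestBase(SECOidTag hash_oid)` would be better declared `explicit`.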
new file mode 100644
--- /dev/null
+++ b/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
@@ -0,0 +1,210 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pk11pub.h"
+#include "nssutil.h"
+#include <stdio.h>
+#include "prerror.h"
+#include "nss.h"
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+#include "cpputil.h"
+#include "databuffer.h"
+#include "util.h"
+
+#define MAX_KEY_SIZE 24
+
+namespace nss_test {
+
+static const uint8_t kIv[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+                              0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+                              0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
+static const uint8_t kInput[] = {
+    0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00, 0xff, 0xee, 0xdd, 0xcc,
+    0xbb, 0xaa, 0x99, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00};
+
+class EncryptDeriveTest
+    : public ::testing::Test,
+      public ::testing::WithParamInterface<CK_MECHANISM_TYPE> {
+ public:
+  void TestEncryptDerive() {
+    ScopedPK11SymKey derived_key(PK11_Derive(key_.get(), derive_mech(),
+                                             derive_param(), encrypt_mech(),
+                                             CKA_DECRYPT, keysize()));
+    ASSERT_TRUE(derived_key);
+
+    uint8_t derived_key_data[MAX_KEY_SIZE];
+    ASSERT_GE(sizeof(derived_key_data), keysize());
+    GetKeyData(derived_key, derived_key_data, keysize());
+    RemoveChecksum(derived_key_data);
+
+    uint8_t reference_key_data[MAX_KEY_SIZE];
+    unsigned int reference_len = 0;
+    SECStatus rv = PK11_Encrypt(key_.get(), encrypt_mech(), encrypt_param(),
+                                reference_key_data, &reference_len, keysize(),
+                                kInput, keysize());
+    ASSERT_EQ(SECSuccess, rv);
+    ASSERT_EQ(keysize(), static_cast<size_t>(reference_len));
+    RemoveChecksum(reference_key_data);
+
+    EXPECT_EQ(DataBuffer(reference_key_data, keysize()),
+              DataBuffer(derived_key_data, keysize()));
+  }
+
+ protected:
+  unsigned int keysize() const { return 16; }
+
+ private:
+  CK_MECHANISM_TYPE encrypt_mech() const { return GetParam(); }
+
+  CK_MECHANISM_TYPE derive_mech() const {
+    switch (encrypt_mech()) {
+      case CKM_DES3_ECB:
+        return CKM_DES3_ECB_ENCRYPT_DATA;
+      case CKM_DES3_CBC:
+        return CKM_DES3_CBC_ENCRYPT_DATA;
+      case CKM_AES_ECB:
+        return CKM_AES_ECB_ENCRYPT_DATA;
+      case CKM_AES_CBC:
+        return CKM_AES_CBC_ENCRYPT_DATA;
+      case CKM_CAMELLIA_ECB:
+        return CKM_CAMELLIA_ECB_ENCRYPT_DATA;
+      case CKM_CAMELLIA_CBC:
+        return CKM_CAMELLIA_CBC_ENCRYPT_DATA;
+      case CKM_SEED_ECB:
+        return CKM_SEED_ECB_ENCRYPT_DATA;
+      case CKM_SEED_CBC:
+        return CKM_SEED_CBC_ENCRYPT_DATA;
+      default:
+        ADD_FAILURE() << "Unknown mechanism";
+        break;
+    }
+    return CKM_INVALID_MECHANISM;
+  }
+
+  SECItem* derive_param() const {
+    static CK_AES_CBC_ENCRYPT_DATA_PARAMS aes_data;
+    static CK_DES_CBC_ENCRYPT_DATA_PARAMS des_data;
+    static CK_KEY_DERIVATION_STRING_DATA string_data;
+    static SECItem param = {siBuffer, NULL, 0};
+
+    switch (encrypt_mech()) {
+      case CKM_DES3_ECB:
+      case CKM_AES_ECB:
+      case CKM_CAMELLIA_ECB:
+      case CKM_SEED_ECB:
+        string_data.pData = toUcharPtr(kInput);
+        string_data.ulLen = keysize();
+        param.data = reinterpret_cast<uint8_t*>(&string_data);
+        param.len = sizeof(string_data);
+        break;
+
+      case CKM_DES3_CBC:
+        des_data.pData = toUcharPtr(kInput);
+        des_data.length = keysize();
+        PORT_Memcpy(des_data.iv, kIv, 8);
+        param.data = reinterpret_cast<uint8_t*>(&des_data);
+        param.len = sizeof(des_data);
+        break;
+
+      case CKM_AES_CBC:
+      case CKM_CAMELLIA_CBC:
+      case CKM_SEED_CBC:
+        aes_data.pData = toUcharPtr(kInput);
+        aes_data.length = keysize();
+        PORT_Memcpy(aes_data.iv, kIv, keysize());
+        param.data = reinterpret_cast<uint8_t*>(&aes_data);
+        param.len = sizeof(aes_data);
+        break;
+
+      default:
+        ADD_FAILURE() << "Unknown mechanism";
+        break;
+    }
+    return &param;
+  }
+
+  SECItem* encrypt_param() const {
+    static SECItem param = {siBuffer, NULL, 0};
+
+    switch (encrypt_mech()) {
+      case CKM_DES3_ECB:
+      case CKM_AES_ECB:
+      case CKM_CAMELLIA_ECB:
+      case CKM_SEED_ECB:
+        // No parameter needed here.
+        break;
+
+      case CKM_DES3_CBC:
+      case CKM_AES_CBC:
+      case CKM_CAMELLIA_CBC:
+      case CKM_SEED_CBC:
+        param.data = toUcharPtr(kIv);
+        param.len = keysize();
+        break;
+
+      default:
+        ADD_FAILURE() << "Unknown mechanism";
+        break;
+    }
+    return &param;
+  }
+
+  virtual void SetUp() {
+    slot_.reset(PK11_GetBestSlot(derive_mech(), NULL));
+    ASSERT_TRUE(slot_);
+
+    key_.reset(PK11_TokenKeyGenWithFlags(slot_.get(), encrypt_mech(), NULL,
+                                         keysize(), NULL,
+                                         CKF_ENCRYPT | CKF_DERIVE, 0, NULL));
+    ASSERT_TRUE(key_);
+  }
+
+  void GetKeyData(ScopedPK11SymKey& key, uint8_t* buf, size_t max_len) const {
+    ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(key.get()));
+    SECItem* data = PK11_GetKeyData(key.get());
+    ASSERT_TRUE(data);
+    ASSERT_EQ(max_len, static_cast<size_t>(data->len));
+    PORT_Memcpy(buf, data->data, data->len);
+  }
+
+  // Remove checksum if the key is a 3DES key.
+  void RemoveChecksum(uint8_t* key_data) const {
+    if (encrypt_mech() != CKM_DES3_CBC && encrypt_mech() != CKM_DES3_ECB) {
+      return;
+    }
+    for (size_t i = 0; i < keysize(); ++i) {
+      key_data[i] &= 0xfe;
+    }
+  }
+
+  ScopedPK11SlotInfo slot_;
+  ScopedPK11SymKey key_;
+};
+
+TEST_P(EncryptDeriveTest, Test) { TestEncryptDerive(); }
+
+static const CK_MECHANISM_TYPE kEncryptDeriveMechanisms[] = {
+    CKM_DES3_ECB,     CKM_DES3_CBC,     CKM_AES_ECB,  CKM_AES_ECB, CKM_AES_CBC,
+    CKM_CAMELLIA_ECB, CKM_CAMELLIA_CBC, CKM_SEED_ECB, CKM_SEED_CBC};
+
+INSTANTIATE_TEST_CASE_P(EncryptDeriveTests, EncryptDeriveTest,
+                        ::testing::ValuesIn(kEncryptDeriveMechanisms));
+
+// This class handles the case where 3DES takes a 192-bit key
+// where all 24 octets will be used.
+class EncryptDerive3Test : public EncryptDeriveTest {
+ protected:
+  unsigned int keysize() const { return 24; }
+};
+
+TEST_P(EncryptDerive3Test, Test) { TestEncryptDerive(); }
+
+static const CK_MECHANISM_TYPE kDES3EncryptDeriveMechanisms[] = {CKM_DES3_ECB,
+                                                                 CKM_DES3_CBC};
+
+INSTANTIATE_TEST_CASE_P(Encrypt3DeriveTests, EncryptDerive3Test,
+                        ::testing::ValuesIn(kDES3EncryptDeriveMechanisms));
+
+}  // namespace nss_test
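Review bot: `EncryptDerive3Test::keysize()` never takes effect, because `keysize()` is not virtual in `EncryptDeriveTest` and every caller (`SetUp`, `TestEncryptDerive`, `derive_param`, `encrypt_param`, `RemoveChecksum`) is a base-class member. The 3DES instantiation therefore still runs with 16, and the 24-octet case described in the class comment is not exercised. Declaring the base method as `virtual unsigned int keysize() const { return 16; }` fixes the dispatch. Once it dispatches, `encrypt_param` would set the CBC IV length to `keysize()` (24 for `CKM_DES3_CBC`) while `derive_param` copies 8 IV bytes for the same mechanism, so the IV length probably wants to be the cipher block size rather than the key size. `kEncryptDeriveMechanisms` also lists `CKM_AES_ECB` twice, and the function-static `param` in `encrypt_param` keeps the previous test's IV pointer when an ECB mechanism runs after a CBC one; resetting `param.data`/`param.len` at the top of the function would avoid that.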
--- a/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/gtests/pk11_gtest/pk11_gtest.gyp
@@ -11,26 +11,28 @@
       'target_name': 'pk11_gtest',
       'type': 'executable',
       'sources': [
         'pk11_aeskeywrap_unittest.cc',
         'pk11_aes_gcm_unittest.cc',
         'pk11_chacha20poly1305_unittest.cc',
         'pk11_curve25519_unittest.cc',
         'pk11_ecdsa_unittest.cc',
+        'pk11_encrypt_derive_unittest.cc',
         'pk11_pbkdf2_unittest.cc',
         'pk11_prf_unittest.cc',
         'pk11_prng_unittest.cc',
         'pk11_rsapss_unittest.cc',
         'pk11_der_private_key_import_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/lib/util/util.gyp:nssutil3',
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
       ],
       'conditions': [
         [ 'test_build==1', {
           'dependencies': [
             '<(DEPTH)/lib/nss/nss.gyp:nss_static',
             '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
             '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
--- a/gtests/pk11_gtest/pk11_rsapss_unittest.cc
+++ b/gtests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -7,44 +7,42 @@
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "sechash.h"
 
 #include "gtest/gtest.h"
 #include "scoped_ptrs.h"
 
+#include "pk11_signature_test.h"
 #include "pk11_rsapss_vectors.h"
-#include "pk11_signature_test.h"
 
 namespace nss_test {
 
-class Pkcs11RsaPssVectorTest : public Pk11SignatureTest {
+class Pkcs11RsaPssTest : public Pk11SignatureTest {
  public:
-  Pkcs11RsaPssVectorTest() {
+  Pkcs11RsaPssTest() : Pk11SignatureTest(CKM_RSA_PKCS_PSS, SEC_OID_SHA1) {
     rsaPssParams_.hashAlg = CKM_SHA_1;
     rsaPssParams_.mgf = CKG_MGF1_SHA1;
     rsaPssParams_.sLen = HASH_ResultLenByOidTag(SEC_OID_SHA1);
 
     params_.type = siBuffer;
     params_.data = reinterpret_cast<unsigned char*>(&rsaPssParams_);
     params_.len = sizeof(rsaPssParams_);
   }
 
  protected:
-  CK_MECHANISM_TYPE mechanism() { return CKM_RSA_PKCS_PSS; }
-  SECItem* parameters() { return &params_; }
-  SECOidTag hashOID() { return SEC_OID_SHA1; }
+  const SECItem* parameters() const { return &params_; }
 
  private:
   CK_RSA_PKCS_PSS_PARAMS rsaPssParams_;
   SECItem params_;
 };
 
-TEST_F(Pkcs11RsaPssVectorTest, GenerateAndSignAndVerify) {
+TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
   // Sign data with a 1024-bit RSA key, using PSS/SHA-256.
   SECOidTag hashOid = SEC_OID_SHA256;
   CK_MECHANISM_TYPE hashMech = CKM_SHA256;
   CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
   PK11RSAGenParams rsaGenParams = {1024, 0x10001};
 
   // Generate RSA key pair.
   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
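Review bot: `parameters()` in `Pkcs11RsaPssTest` is not marked `override`, and with this change the base class in pk11_signature_test.h supplies a default that returns `nullptr` instead of declaring it pure virtual. If the two signatures ever drift apart (a dropped `const`, for instance), the derived method silently stops overriding and the shared sign/verify helpers would be handed null mechanism parameters instead of the build failing. I would write `const SECItem* parameters() const override { return &params_; }`. The body of `GenerateAndSignAndVerify` continues outside this hunk.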
@@ -90,110 +88,61 @@ TEST_F(Pkcs11RsaPssVectorTest, GenerateA
   // Verification with original data but the wrong signature must fail.
   data.data[0] ^= 0xff;  // Revert previous changes.
   sig.data[0] ^= 0xff;
   rv = PK11_VerifyWithMechanism(pubKey.get(), mechanism(), &params, &sig, &data,
                                 nullptr);
   EXPECT_EQ(rv, SECFailure);
 }
 
-// RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature1) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector1Spki, kTestVector1Data, kTestVector1Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify1) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector1Pkcs8, kTestVector1Spki,
-                              kTestVector1Data);
-}
+class Pkcs11RsaPssVectorTest
+    : public Pkcs11RsaPssTest,
+      public ::testing::WithParamInterface<Pkcs11SignatureTestParams> {};
 
-// RSA-PSS test vectors, pss-vect.txt, Example 2.1: A 1025-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector2Spki, kTestVector2Data, kTestVector2Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify2) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector2Pkcs8, kTestVector2Spki,
-                              kTestVector2Data);
-}
+TEST_P(Pkcs11RsaPssVectorTest, Verify) { Verify(GetParam()); }
+
+TEST_P(Pkcs11RsaPssVectorTest, SignAndVerify) { SignAndVerify(GetParam()); }
 
-// RSA-PSS test vectors, pss-vect.txt, Example 3.1: A 1026-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature3) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector3Spki, kTestVector3Data, kTestVector3Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify3) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector3Pkcs8, kTestVector3Spki,
-                              kTestVector3Data);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 4.1: A 1027-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature4) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector4Spki, kTestVector4Data, kTestVector4Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify4) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector4Pkcs8, kTestVector4Spki,
-                              kTestVector4Data);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 5.1: A 1028-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature5) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector5Spki, kTestVector5Data, kTestVector5Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify5) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector5Pkcs8, kTestVector5Spki,
-                              kTestVector5Data);
-}
+#define VECTOR(pkcs8, spki, data, sig)                                \
+  {                                                                   \
+    DataBuffer(pkcs8, sizeof(pkcs8)), DataBuffer(spki, sizeof(spki)), \
+        DataBuffer(data, sizeof(data)), DataBuffer(sig, sizeof(sig))  \
+  }
+#define VECTOR_N(n)                                                         \
+  VECTOR(kTestVector##n##Pkcs8, kTestVector##n##Spki, kTestVector##n##Data, \
+         kTestVector##n##Sig)
 
-// RSA-PSS test vectors, pss-vect.txt, Example 6.1: A 1029-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature6) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector6Spki, kTestVector6Data, kTestVector6Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify6) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector6Pkcs8, kTestVector6Spki,
-                              kTestVector6Data);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 7.1: A 1030-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature7) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector7Spki, kTestVector7Data, kTestVector7Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify7) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector7Pkcs8, kTestVector7Spki,
-                              kTestVector7Data);
-}
+static const Pkcs11SignatureTestParams kRsaPssVectors[] = {
+    // RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(1),
+    // RSA-PSS test vectors, pss-vect.txt, Example 2.1: A 1025-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(2),
+    // RSA-PSS test vectors, pss-vect.txt, Example 3.1: A 1026-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(3),
+    // RSA-PSS test vectors, pss-vect.txt, Example 4.1: A 1027-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(4),
+    // RSA-PSS test vectors, pss-vect.txt, Example 5.1: A 1028-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(5),
+    // RSA-PSS test vectors, pss-vect.txt, Example 6.1: A 1029-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(6),
+    // RSA-PSS test vectors, pss-vect.txt, Example 7.1: A 1030-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(7),
+    // RSA-PSS test vectors, pss-vect.txt, Example 8.1: A 1031-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(8),
+    // RSA-PSS test vectors, pss-vect.txt, Example 9.1: A 1536-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(9),
+    // RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair
+    // <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+    VECTOR_N(10)};
 
-// RSA-PSS test vectors, pss-vect.txt, Example 8.1: A 1031-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature8) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector8Spki, kTestVector8Data, kTestVector8Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify8) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector8Pkcs8, kTestVector8Spki,
-                              kTestVector8Data);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 9.1: A 1536-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature9) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector9Spki, kTestVector9Data, kTestVector9Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify9) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector9Pkcs8, kTestVector9Spki,
-                              kTestVector9Data);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature10) {
-  SIG_TEST_VECTOR_VERIFY(kTestVector10Spki, kTestVector10Data,
-                         kTestVector10Sig);
-}
-TEST_F(Pkcs11RsaPssVectorTest, SignAndVerify10) {
-  SIG_TEST_VECTOR_SIGN_VERIFY(kTestVector10Pkcs8, kTestVector10Spki,
-                              kTestVector10Data);
-}
+INSTANTIATE_TEST_CASE_P(RsaPssSignVerify, Pkcs11RsaPssVectorTest,
+                        ::testing::ValuesIn(kRsaPssVectors));
 
 }  // namespace nss_test
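Review bot: `VECTOR` takes `sizeof` of each argument, so it is only correct when every argument is an array with a visible bound; a pointer would yield the pointer size and silently truncate the test vector. A comment above the macro would record that, e.g. `// Arguments must be arrays, not pointers: lengths are taken with sizeof.` Both macros also stay defined to the end of the file, so `#undef VECTOR` and `#undef VECTOR_N` after `kRsaPssVectors` would keep them from leaking into later code. The hunk opens inside `GenerateAndSignAndVerify`, whose start is in the previous hunk.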
--- a/gtests/pk11_gtest/pk11_signature_test.h
+++ b/gtests/pk11_gtest/pk11_signature_test.h
@@ -4,135 +4,133 @@
 
 #include <memory>
 #include "nss.h"
 #include "pk11pub.h"
 #include "sechash.h"
 
 #include "cpputil.h"
 #include "scoped_ptrs.h"
+#include "databuffer.h"
 
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
+// For test vectors.
+struct Pkcs11SignatureTestParams {
+  const DataBuffer pkcs8_;
+  const DataBuffer spki_;
+  const DataBuffer data_;
+  const DataBuffer signature_;
+};
+
 class Pk11SignatureTest : public ::testing::Test {
  protected:
-  virtual CK_MECHANISM_TYPE mechanism() = 0;
-  virtual SECItem* parameters() = 0;
-  virtual SECOidTag hashOID() = 0;
+  Pk11SignatureTest(CK_MECHANISM_TYPE mechanism, SECOidTag hash_oid)
+      : mechanism_(mechanism), hash_oid_(hash_oid) {}
 
-  ScopedSECKEYPrivateKey ImportPrivateKey(const uint8_t* pkcs8,
-                                          size_t pkcs8_len) {
+  virtual const SECItem* parameters() const { return nullptr; }
+  CK_MECHANISM_TYPE mechanism() const { return mechanism_; }
+
+  ScopedSECKEYPrivateKey ImportPrivateKey(const DataBuffer& pkcs8) {
     ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
     if (!slot) {
+      ADD_FAILURE() << "No slot";
       return nullptr;
     }
 
-    SECItem pkcs8Item = {siBuffer, toUcharPtr(pkcs8),
-                         static_cast<unsigned int>(pkcs8_len)};
+    SECItem pkcs8Item = {siBuffer, toUcharPtr(pkcs8.data()),
+                         static_cast<unsigned int>(pkcs8.len())};
 
     SECKEYPrivateKey* key = nullptr;
     SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
         slot.get(), &pkcs8Item, nullptr, nullptr, false, false, KU_ALL, &key,
         nullptr);
 
     if (rv != SECSuccess) {
       return nullptr;
     }
 
     return ScopedSECKEYPrivateKey(key);
   }
 
-  ScopedSECKEYPublicKey ImportPublicKey(const uint8_t* spki, size_t spki_len) {
-    SECItem spkiItem = {siBuffer, toUcharPtr(spki),
-                        static_cast<unsigned int>(spki_len)};
+  ScopedSECKEYPublicKey ImportPublicKey(const DataBuffer& spki) {
+    SECItem spkiItem = {siBuffer, toUcharPtr(spki.data()),
+                        static_cast<unsigned int>(spki.len())};
 
     ScopedCERTSubjectPublicKeyInfo certSpki(
         SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
 
     return ScopedSECKEYPublicKey(SECKEY_ExtractPublicKey(certSpki.get()));
   }
 
-  ScopedSECItem ComputeHash(const uint8_t* data, size_t len) {
-    unsigned int hLen = HASH_ResultLenByOidTag(hashOID());
-    ScopedSECItem hash(SECITEM_AllocItem(nullptr, nullptr, hLen));
-    if (!hash) {
-      return nullptr;
-    }
-
-    SECStatus rv = PK11_HashBuf(hashOID(), hash->data, data, len);
-    if (rv != SECSuccess) {
-      return nullptr;
-    }
-
-    return hash;
+  bool ComputeHash(const DataBuffer& data, DataBuffer* hash) {
+    hash->Allocate(static_cast<size_t>(HASH_ResultLenByOidTag(hash_oid_)));
+    SECStatus rv =
+        PK11_HashBuf(hash_oid_, hash->data(), data.data(), data.len());
+    return rv == SECSuccess;
   }
 
-  ScopedSECItem SignHashedData(ScopedSECKEYPrivateKey& privKey,
-                               ScopedSECItem& hash) {
-    unsigned int sLen = PK11_SignatureLen(privKey.get());
-    ScopedSECItem sig(SECITEM_AllocItem(nullptr, nullptr, sLen));
-    if (!sig) {
-      return nullptr;
-    }
-
-    SECStatus rv = PK11_SignWithMechanism(privKey.get(), mechanism(),
-                                          parameters(), sig.get(), hash.get());
-    if (rv != SECSuccess) {
-      return nullptr;
-    }
-
-    return sig;
+  bool SignHashedData(ScopedSECKEYPrivateKey& privKey, const DataBuffer& hash,
+                      DataBuffer* sig) {
+    SECItem hashItem = {siBuffer, toUcharPtr(hash.data()),
+                        static_cast<unsigned int>(hash.len())};
+    int sigLen = PK11_SignatureLen(privKey.get());
+    EXPECT_LT(0, sigLen);
+    sig->Allocate(static_cast<size_t>(sigLen));
+    SECItem sigItem = {siBuffer, toUcharPtr(sig->data()),
+                       static_cast<unsigned int>(sig->len())};
+    SECStatus rv = PK11_SignWithMechanism(privKey.get(), mechanism_,
+                                          parameters(), &sigItem, &hashItem);
+    return rv == SECSuccess;
   }
 
-  ScopedSECItem ImportPrivateKeyAndSignHashedData(const uint8_t* pkcs8,
-                                                  size_t pkcs8_len,
-                                                  const uint8_t* data,
-                                                  size_t data_len) {
-    ScopedSECKEYPrivateKey privKey(ImportPrivateKey(pkcs8, pkcs8_len));
+  bool ImportPrivateKeyAndSignHashedData(const DataBuffer& pkcs8,
+                                         const DataBuffer& data,
+                                         DataBuffer* sig) {
+    ScopedSECKEYPrivateKey privKey(ImportPrivateKey(pkcs8));
     if (!privKey) {
-      return nullptr;
-    }
-
-    ScopedSECItem hash(ComputeHash(data, data_len));
-    if (!hash) {
-      return nullptr;
+      return false;
     }
 
-    return ScopedSECItem(SignHashedData(privKey, hash));
+    DataBuffer hash;
+    if (!ComputeHash(data, &hash)) {
+      ADD_FAILURE() << "Failed to compute hash";
+      return false;
+    }
+    return SignHashedData(privKey, hash, sig);
   }
 
-  void Verify(const uint8_t* spki, size_t spki_len, const uint8_t* data,
-              size_t data_len, const uint8_t* sig, size_t sig_len) {
-    ScopedSECKEYPublicKey pubKey(ImportPublicKey(spki, spki_len));
+  void Verify(const Pkcs11SignatureTestParams& params, const DataBuffer& sig) {
+    ScopedSECKEYPublicKey pubKey(ImportPublicKey(params.spki_));
     ASSERT_TRUE(pubKey);
 
-    ScopedSECItem hash(ComputeHash(data, data_len));
-    ASSERT_TRUE(hash);
-
-    SECItem sigItem = {siBuffer, toUcharPtr(sig),
-                       static_cast<unsigned int>(sig_len)};
+    DataBuffer hash;
+    ASSERT_TRUE(ComputeHash(params.data_, &hash));
 
     // Verify.
+    SECItem hashItem = {siBuffer, toUcharPtr(hash.data()),
+                        static_cast<unsigned int>(hash.len())};
+    SECItem sigItem = {siBuffer, toUcharPtr(sig.data()),
+                       static_cast<unsigned int>(sig.len())};
     SECStatus rv = PK11_VerifyWithMechanism(
-        pubKey.get(), mechanism(), parameters(), &sigItem, hash.get(), nullptr);
+        pubKey.get(), mechanism_, parameters(), &sigItem, &hashItem, nullptr);
     EXPECT_EQ(rv, SECSuccess);
   }
 
-  void SignAndVerify(const uint8_t* pkcs8, size_t pkcs8_len,
-                     const uint8_t* spki, size_t spki_len, const uint8_t* data,
-                     size_t data_len) {
-    ScopedSECItem sig(
-        ImportPrivateKeyAndSignHashedData(pkcs8, pkcs8_len, data, data_len));
-    ASSERT_TRUE(sig);
+  void Verify(const Pkcs11SignatureTestParams& params) {
+    Verify(params, params.signature_);
+  }
 
-    Verify(spki, spki_len, data, data_len, sig->data, sig->len);
+  void SignAndVerify(const Pkcs11SignatureTestParams& params) {
+    DataBuffer sig;
+    ASSERT_TRUE(
+        ImportPrivateKeyAndSignHashedData(params.pkcs8_, params.data_, &sig));
+    Verify(params, sig);
   }
+
+ private:
+  CK_MECHANISM_TYPE mechanism_;
+  SECOidTag hash_oid_;
 };
 
-#define SIG_TEST_VECTOR_VERIFY(spki, data, sig) \
-  Verify(spki, sizeof(spki), data, sizeof(data), sig, sizeof(sig))
-
-#define SIG_TEST_VECTOR_SIGN_VERIFY(pkcs8, spki, data) \
-  SignAndVerify(pkcs8, sizeof(pkcs8), spki, sizeof(spki), data, sizeof(data))
-
 }  // namespace nss_test
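Review bot: In `SignHashedData`, `EXPECT_LT(0, sigLen)` is non-fatal, so when `PK11_SignatureLen` returns zero or a negative value the function still reaches `sig->Allocate(static_cast<size_t>(sigLen))`, and a negative `int` converts to a very large `size_t`. Returning early keeps this a clean test failure: `if (sigLen <= 0) { ADD_FAILURE() << "Bad signature length"; return false; }`. It may also be worth shrinking `sig` to `sigItem.len` after a successful `PK11_SignWithMechanism`, in case a mechanism writes fewer bytes than `PK11_SignatureLen` reported. Whether `DataBuffer` offers a call for that is not visible in this hunk.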
--- a/gtests/softoken_gtest/softoken_gtest.cc
+++ b/gtests/softoken_gtest/softoken_gtest.cc
@@ -1,10 +1,12 @@
 #include <cstdlib>
 
+#include "cert.h"
+#include "certdb.h"
 #include "nspr.h"
 #include "nss.h"
 #include "pk11pub.h"
 #include "secerr.h"
 
 #include "scoped_ptrs.h"
 
 #define GTEST_HAS_RTTI 0
@@ -195,16 +197,120 @@ TEST_F(SoftokenTest, CreateObjectChangeT
   EXPECT_EQ(SEC_ERROR_TOKEN_NOT_LOGGED_IN, PORT_GetError());
   ScopedPK11GenericObject obj(PK11_CreateGenericObject(
       slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
   // Because there's no password we can't logout and the operation should have
   // succeeded.
   EXPECT_NE(nullptr, obj);
 }
 
+// This is just any X509 certificate. Its contents don't matter.
+static unsigned char certDER[] = {
+    0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x49, 0xC4, 0xC4, 0x4A, 0xB6, 0x86, 0x07, 0xA3, 0x06,
+    0xDC, 0x4D, 0xC8, 0xC3, 0xFE, 0xC7, 0x21, 0x3A, 0x2D, 0xE4, 0xDA, 0x30,
+    0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
+    0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
+    0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31,
+    0x35, 0x31, 0x31, 0x32, 0x38, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5A,
+    0x18, 0x0F, 0x32, 0x30, 0x31, 0x38, 0x30, 0x32, 0x30, 0x35, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x5A, 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06,
+    0x03, 0x55, 0x04, 0x03, 0x0C, 0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x82,
+    0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+    0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBA, 0x88, 0x51, 0xA8, 0x44,
+    0x8E, 0x16, 0xD6, 0x41, 0xFD, 0x6E, 0xB6, 0x88, 0x06, 0x36, 0x10, 0x3D,
+    0x3C, 0x13, 0xD9, 0xEA, 0xE4, 0x35, 0x4A, 0xB4, 0xEC, 0xF5, 0x68, 0x57,
+    0x6C, 0x24, 0x7B, 0xC1, 0xC7, 0x25, 0xA8, 0xE0, 0xD8, 0x1F, 0xBD, 0xB1,
+    0x9C, 0x06, 0x9B, 0x6E, 0x1A, 0x86, 0xF2, 0x6B, 0xE2, 0xAF, 0x5A, 0x75,
+    0x6B, 0x6A, 0x64, 0x71, 0x08, 0x7A, 0xA5, 0x5A, 0xA7, 0x45, 0x87, 0xF7,
+    0x1C, 0xD5, 0x24, 0x9C, 0x02, 0x7E, 0xCD, 0x43, 0xFC, 0x1E, 0x69, 0xD0,
+    0x38, 0x20, 0x29, 0x93, 0xAB, 0x20, 0xC3, 0x49, 0xE4, 0xDB, 0xB9, 0x4C,
+    0xC2, 0x6B, 0x6C, 0x0E, 0xED, 0x15, 0x82, 0x0F, 0xF1, 0x7E, 0xAD, 0x69,
+    0x1A, 0xB1, 0xD3, 0x02, 0x3A, 0x8B, 0x2A, 0x41, 0xEE, 0xA7, 0x70, 0xE0,
+    0x0F, 0x0D, 0x8D, 0xFD, 0x66, 0x0B, 0x2B, 0xB0, 0x24, 0x92, 0xA4, 0x7D,
+    0xB9, 0x88, 0x61, 0x79, 0x90, 0xB1, 0x57, 0x90, 0x3D, 0xD2, 0x3B, 0xC5,
+    0xE0, 0xB8, 0x48, 0x1F, 0xA8, 0x37, 0xD3, 0x88, 0x43, 0xEF, 0x27, 0x16,
+    0xD8, 0x55, 0xB7, 0x66, 0x5A, 0xAA, 0x7E, 0x02, 0x90, 0x2F, 0x3A, 0x7B,
+    0x10, 0x80, 0x06, 0x24, 0xCC, 0x1C, 0x6C, 0x97, 0xAD, 0x96, 0x61, 0x5B,
+    0xB7, 0xE2, 0x96, 0x12, 0xC0, 0x75, 0x31, 0xA3, 0x0C, 0x91, 0xDD, 0xB4,
+    0xCA, 0xF7, 0xFC, 0xAD, 0x1D, 0x25, 0xD3, 0x09, 0xEF, 0xB9, 0x17, 0x0E,
+    0xA7, 0x68, 0xE1, 0xB3, 0x7B, 0x2F, 0x22, 0x6F, 0x69, 0xE3, 0xB4, 0x8A,
+    0x95, 0x61, 0x1D, 0xEE, 0x26, 0xD6, 0x25, 0x9D, 0xAB, 0x91, 0x08, 0x4E,
+    0x36, 0xCB, 0x1C, 0x24, 0x04, 0x2C, 0xBF, 0x16, 0x8B, 0x2F, 0xE5, 0xF1,
+    0x8F, 0x99, 0x17, 0x31, 0xB8, 0xB3, 0xFE, 0x49, 0x23, 0xFA, 0x72, 0x51,
+    0xC4, 0x31, 0xD5, 0x03, 0xAC, 0xDA, 0x18, 0x0A, 0x35, 0xED, 0x8D, 0x02,
+    0x03, 0x01, 0x00, 0x01, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+    0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20,
+    0x5C, 0x75, 0x51, 0x9F, 0x13, 0x11, 0x50, 0xCD, 0x5D, 0x8A, 0xDE, 0x20,
+    0xA3, 0xBC, 0x06, 0x30, 0x91, 0xFF, 0xB2, 0x73, 0x75, 0x5F, 0x31, 0x64,
+    0xEC, 0xFD, 0xCB, 0x42, 0x80, 0x0A, 0x70, 0xE6, 0x02, 0x21, 0x00, 0x82,
+    0x12, 0xF7, 0xE5, 0xEA, 0x40, 0x27, 0xFD, 0xF7, 0xC0, 0x0E, 0x25, 0xF3,
+    0x3E, 0x34, 0x95, 0x80, 0xB9, 0xA3, 0x38, 0xE0, 0x56, 0x68, 0xDA, 0xE5,
+    0xC1, 0xF5, 0x37, 0xC7, 0xB5, 0xCE, 0x0D};
+
+struct PasswordPair {
+  const char *mInitialPassword;
+  const char *mSecondPassword;
+};
+
+class SoftokenPasswordChangeTest
+    : public SoftokenTest,
+      public ::testing::WithParamInterface<PasswordPair> {};
+
+TEST_P(SoftokenPasswordChangeTest, KeepTrustAfterPasswordChange) {
+  const PasswordPair &passwords = GetParam();
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+  // Set a password.
+  EXPECT_EQ(SECSuccess,
+            PK11_InitPin(slot.get(), nullptr, passwords.mInitialPassword));
+  SECItem certDERItem = {siBuffer, certDER, sizeof(certDER)};
+  // Import a certificate.
+  ScopedCERTCertificate cert(CERT_NewTempCertificate(
+      CERT_GetDefaultCertDB(), &certDERItem, nullptr, true, true));
+  EXPECT_TRUE(cert);
+  SECStatus result =
+      PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, "test", false);
+  EXPECT_EQ(SECSuccess, result);
+  // Set a trust value.
+  CERTCertTrust trust = {CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA |
+                             CERTDB_TRUSTED_CA | CERTDB_VALID_CA,
+                         0, 0};
+  result = CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
+  EXPECT_EQ(SECSuccess, result);
+  // Release the certificate to ensure we get it from the DB rather than an
+  // in-memory cache, below.
+  cert = nullptr;
+  // Change the password.
+  result = PK11_ChangePW(slot.get(), passwords.mInitialPassword,
+                         passwords.mSecondPassword);
+  EXPECT_EQ(SECSuccess, result);
+  // Look up the certificate again.
+  ScopedCERTCertificate newCert(
+      PK11_FindCertFromDERCertItem(slot.get(), &certDERItem, nullptr));
+  EXPECT_TRUE(newCert.get());
+  // The trust should be the same as before.
+  CERTCertTrust newTrust = {0, 0, 0};
+  result = CERT_GetCertTrust(newCert.get(), &newTrust);
+  EXPECT_EQ(SECSuccess, result);
+  EXPECT_EQ(trust.sslFlags, newTrust.sslFlags);
+  EXPECT_EQ(trust.emailFlags, newTrust.emailFlags);
+  EXPECT_EQ(trust.objectSigningFlags, newTrust.objectSigningFlags);
+}
+
+static const PasswordPair PASSWORD_CHANGE_TESTS[] = {
+    {"password", ""},           // non-empty to empty password
+    {"", "password"},           // empty to non-empty password
+    {"password", "password2"},  // non-empty to non-empty password
+};
+
+INSTANTIATE_TEST_CASE_P(SoftokenPasswordChangeTests, SoftokenPasswordChangeTest,
+                        ::testing::ValuesIn(PASSWORD_CHANGE_TESTS));
+
 class SoftokenNoDBTest : public ::testing::Test {};
 
 TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
   ASSERT_EQ(SECSuccess, NSS_NoDB_Init("."));
   ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
   ASSERT_TRUE(slot);
   EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
 
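Review bot: In `KeepTrustAfterPasswordChange`, `EXPECT_TRUE(cert)` and `EXPECT_TRUE(newCert.get())` do not stop the test, so a failed import or lookup passes a null certificate on to `PK11_ImportCert`, `CERT_ChangeCertTrust` and `CERT_GetCertTrust`. That will probably crash the test binary instead of reporting a failure. Use `ASSERT_TRUE(cert);` and `ASSERT_TRUE(newCert);` at those two points. The `PK11_InitPin` check has the same weakness: if setting the initial password fails, the later `PK11_ChangePW` result says nothing about trust surviving a password change, so `ASSERT_EQ` fits better there.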
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -24,17 +24,35 @@ namespace nss_test {
 
 TEST_P(TlsConnectGeneric, ServerAuthBigRsa) {
   Reset(TlsAgent::kRsa2048);
   Connect();
   CheckKeys();
 }
 
 TEST_P(TlsConnectGeneric, ServerAuthRsaChain) {
-  Reset(TlsAgent::kServerRsaChain);
+  Reset("rsa_chain");
+  Connect();
+  CheckKeys();
+  size_t chain_length;
+  EXPECT_TRUE(client_->GetPeerChainLength(&chain_length));
+  EXPECT_EQ(2UL, chain_length);
+}
+
+TEST_P(TlsConnectGeneric, ServerAuthRsaPssChain) {
+  Reset("rsa_pss_chain");
+  Connect();
+  CheckKeys();
+  size_t chain_length;
+  EXPECT_TRUE(client_->GetPeerChainLength(&chain_length));
+  EXPECT_EQ(2UL, chain_length);
+}
+
+TEST_P(TlsConnectGeneric, ServerAuthRsaCARsaPssChain) {
+  Reset("rsa_ca_rsa_pss_chain");
   Connect();
   CheckKeys();
   size_t chain_length;
   EXPECT_TRUE(client_->GetPeerChainLength(&chain_length));
   EXPECT_EQ(2UL, chain_length);
 }
 
 TEST_P(TlsConnectGeneric, ClientAuth) {
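Review bot: `size_t chain_length;` is left uninitialized in the two new tests (`ServerAuthRsaPssChain`, `ServerAuthRsaCARsaPssChain`) as well as in the modified `ServerAuthRsaChain`. Because `EXPECT_TRUE(client_->GetPeerChainLength(&chain_length))` does not abort on failure, `EXPECT_EQ(2UL, chain_length)` may then read an indeterminate value, assuming the getter leaves its output untouched when it fails. Either initialize it with `size_t chain_length = 0;` or make the call `ASSERT_TRUE(...)`. The three bodies differ only in the certificate name, which is now a bare string literal, so a typo would surface only at run time; a small helper taking the name would also remove the duplication.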
--- a/gtests/ssl_gtest/ssl_gtest.cc
+++ b/gtests/ssl_gtest/ssl_gtest.cc
@@ -1,16 +1,17 @@
 #include "nspr.h"
 #include "nss.h"
 #include "prenv.h"
 #include "ssl.h"
 
 #include <cstdlib>
 
 #include "test_io.h"
+#include "databuffer.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
 std::string g_working_dir_path;
 bool g_ssl_gtest_verbose;
 
 int main(int argc, char** argv) {
@@ -23,16 +24,17 @@ int main(int argc, char** argv) {
   if (workdir) g_working_dir_path = workdir;
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
       g_working_dir_path = argv[i + 1];
       ++i;
     } else if (!strcmp(argv[i], "-v")) {
       g_ssl_gtest_verbose = true;
+      nss_test::DataBuffer::SetLogLimit(16384);
     }
   }
 
   if (NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB,
                      NSS_INIT_READONLY) != SECSuccess) {
     return 1;
   }
   if (NSS_SetDomesticPolicy() != SECSuccess) {
--- a/gtests/ssl_gtest/tls_agent.cc
+++ b/gtests/ssl_gtest/tls_agent.cc
@@ -31,17 +31,16 @@ namespace nss_test {
 const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
 
 const std::string TlsAgent::kClient = "client";    // both sign and encrypt
 const std::string TlsAgent::kRsa2048 = "rsa2048";  // bigger
 const std::string TlsAgent::kServerRsa = "rsa";    // both sign and encrypt
 const std::string TlsAgent::kServerRsaSign = "rsa_sign";
 const std::string TlsAgent::kServerRsaPss = "rsa_pss";
 const std::string TlsAgent::kServerRsaDecrypt = "rsa_decrypt";
-const std::string TlsAgent::kServerRsaChain = "rsa_chain";
 const std::string TlsAgent::kServerEcdsa256 = "ecdsa256";
 const std::string TlsAgent::kServerEcdsa384 = "ecdsa384";
 const std::string TlsAgent::kServerEcdsa521 = "ecdsa521";
 const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa";
 const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
 const std::string TlsAgent::kServerDsa = "dsa";
 
 TlsAgent::TlsAgent(const std::string& name, Role role,
--- a/gtests/ssl_gtest/tls_agent.h
+++ b/gtests/ssl_gtest/tls_agent.h
@@ -61,17 +61,16 @@ class TlsAgent : public PollTarget {
   enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
 
   static const std::string kClient;     // the client key is sign only
   static const std::string kRsa2048;    // bigger sign and encrypt for either
   static const std::string kServerRsa;  // both sign and encrypt
   static const std::string kServerRsaSign;
   static const std::string kServerRsaPss;
   static const std::string kServerRsaDecrypt;
-  static const std::string kServerRsaChain;  // A cert that requires a chain.
   static const std::string kServerEcdsa256;
   static const std::string kServerEcdsa384;
   static const std::string kServerEcdsa521;
   static const std::string kServerEcdhEcdsa;
   static const std::string kServerEcdhRsa;
   static const std::string kServerDsa;
 
   TlsAgent(const std::string& name, Role role, SSLProtocolVariant variant);
--- a/gtests/ssl_gtest/tls_filter.h
+++ b/gtests/ssl_gtest/tls_filter.h
@@ -287,20 +287,20 @@ class TlsHeaderRecorder : public TlsReco
                                             const DataBuffer& input,
                                             DataBuffer* output);
   const TlsRecordHeader* header(size_t index);
 
  private:
   std::vector<TlsRecordHeader> headers_;
 };
 
-// Runs multiple packet filters in series.
 typedef std::initializer_list<std::shared_ptr<PacketFilter>>
     ChainedPacketFilterInit;
 
+// Runs multiple packet filters in series.
 class ChainedPacketFilter : public PacketFilter {
  public:
   ChainedPacketFilter() {}
   ChainedPacketFilter(const std::vector<std::shared_ptr<PacketFilter>> filters)
       : filters_(filters.begin(), filters.end()) {}
   ChainedPacketFilter(ChainedPacketFilterInit il) : filters_(il) {}
   virtual ~ChainedPacketFilter() {}
 
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -1187,16 +1187,17 @@ CERT_CheckKeyUsage(CERTCertificate *cert
         KeyType keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
         /* turn off the special bit */
         requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
 
         switch (keyType) {
             case rsaKey:
                 requiredUsage |= KU_KEY_ENCIPHERMENT;
                 break;
+            case rsaPssKey:
             case dsaKey:
                 requiredUsage |= KU_DIGITAL_SIGNATURE;
                 break;
             case dhKey:
                 requiredUsage |= KU_KEY_AGREEMENT;
                 break;
             case ecKey:
                 /* Accept either signature or agreement. */
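Review bot: The new `case rsaPssKey:` label in `CERT_CheckKeyUsage` is stacked on `case dsaKey:` with no explanation of why an RSA-PSS key is treated differently from `rsaKey` just above it. A one-line comment would help the next reader, e.g. `/* RSA-PSS keys are signature-only: require digitalSignature, not keyEncipherment. */`. The switch continues past the end of this hunk, so whether the remaining cases and any default branch handle the new key type consistently cannot be checked from here.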
--- a/lib/ckfw/builtins/certdata.txt
+++ b/lib/ckfw/builtins/certdata.txt
@@ -2308,135 +2308,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \034\142
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Certum Root CA"
-#
-# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
-# Serial Number: 65568 (0x10020)
-# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
-# Not Valid Before: Tue Jun 11 10:46:39 2002
-# Not Valid After : Fri Jun 11 10:46:39 2027
-# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
-# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certum Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061
-\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164
-\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
-\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061
-\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164
-\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
-\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\003\001\000\040
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\014\060\202\001\364\240\003\002\001\002\002\003\001
-\000\040\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114
-\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145
-\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060
-\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103
-\101\060\036\027\015\060\062\060\066\061\061\061\060\064\066\063
-\071\132\027\015\062\067\060\066\061\061\061\060\064\066\063\071
-\132\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114
-\061\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145
-\164\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060
-\020\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103
-\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\316\261\301\056\323\117\174\315\045\316\030\076\117\304
-\214\157\200\152\163\310\133\121\370\233\322\334\273\000\134\261
-\240\374\165\003\356\201\360\210\356\043\122\351\346\025\063\215
-\254\055\011\305\166\371\053\071\200\211\344\227\113\220\245\250
-\170\370\163\103\173\244\141\260\330\130\314\341\154\146\176\234
-\363\011\136\125\143\204\325\250\357\363\261\056\060\150\263\304
-\074\330\254\156\215\231\132\220\116\064\334\066\232\217\201\210
-\120\267\155\226\102\011\363\327\225\203\015\101\113\260\152\153
-\370\374\017\176\142\237\147\304\355\046\137\020\046\017\010\117
-\360\244\127\050\316\217\270\355\105\366\156\356\045\135\252\156
-\071\276\344\223\057\331\107\240\162\353\372\246\133\257\312\123
-\077\342\016\306\226\126\021\156\367\351\146\251\046\330\177\225
-\123\355\012\205\210\272\117\051\245\102\214\136\266\374\205\040
-\000\252\150\013\241\032\205\001\234\304\106\143\202\210\266\042
-\261\356\376\252\106\131\176\317\065\054\325\266\332\135\367\110
-\063\024\124\266\353\331\157\316\315\210\326\253\033\332\226\073
-\035\131\002\003\001\000\001\243\023\060\021\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
-\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
-\270\215\316\357\347\024\272\317\356\260\104\222\154\264\071\076
-\242\204\156\255\270\041\167\322\324\167\202\207\346\040\101\201
-\356\342\370\021\267\143\321\027\067\276\031\166\044\034\004\032
-\114\353\075\252\147\157\055\324\315\376\145\061\160\305\033\246
-\002\012\272\140\173\155\130\302\232\111\376\143\062\013\153\343
-\072\300\254\253\073\260\350\323\011\121\214\020\203\306\064\340
-\305\053\340\032\266\140\024\047\154\062\167\214\274\262\162\230
-\317\315\314\077\271\310\044\102\024\326\127\374\346\046\103\251
-\035\345\200\220\316\003\124\050\076\367\077\323\370\115\355\152
-\012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171
-\345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323
-\362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161
-\073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122
-\256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151
-\355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054
-\350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Certum Root CA"
-# Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
-# Serial Number: 65568 (0x10020)
-# Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
-# Not Valid Before: Tue Jun 11 10:46:39 2002
-# Not Valid After : Fri Jun 11 10:46:39 2027
-# Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
-# Fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certum Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\142\122\334\100\367\021\103\242\057\336\236\367\064\216\006\102
-\121\261\201\030
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\054\217\237\146\035\030\220\261\107\046\235\216\206\202\214\251
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\120\114\061
-\033\060\031\006\003\125\004\012\023\022\125\156\151\172\145\164
-\157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
-\006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\003\001\000\040
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Comodo AAA Services root"
 #
 # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Thu Jan 01 00:00:00 2004
 # Not Valid After : Sun Dec 31 23:59:59 2028
 # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
@@ -4288,223 +4169,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "StartCom Certification Authority"
-#
-# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Serial Number: 1 (0x1)
-# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Not Valid Before: Sun Sep 17 19:46:36 2006
-# Not Valid After : Wed Sep 17 19:46:36 2036
-# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
-# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "StartCom Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013
-\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154
-\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147
-\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013
-\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154
-\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147
-\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\311\060\202\005\261\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026
-\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157
-\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023
-\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040
-\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156
-\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164
-\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036
-\027\015\060\066\060\071\061\067\061\071\064\066\063\066\132\027
-\015\063\066\060\071\061\067\061\071\064\066\063\066\132\060\175
-\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026\060
-\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157\155
-\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023\042
-\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040\103
-\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156\151
-\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164\141
-\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\060\202\002
-\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\202\002\017\000\060\202\002\012\002\202\002\001\000\301\210
-\333\011\274\154\106\174\170\237\225\173\265\063\220\362\162\142
-\326\301\066\040\042\044\136\316\351\167\362\103\012\242\006\144
-\244\314\216\066\370\070\346\043\360\156\155\261\074\335\162\243
-\205\034\241\323\075\264\063\053\323\057\257\376\352\260\101\131
-\147\266\304\006\175\012\236\164\205\326\171\114\200\067\172\337
-\071\005\122\131\367\364\033\106\103\244\322\205\205\322\303\161
-\363\165\142\064\272\054\212\177\036\217\356\355\064\320\021\307
-\226\315\122\075\272\063\326\335\115\336\013\073\112\113\237\302
-\046\057\372\265\026\034\162\065\167\312\074\135\346\312\341\046
-\213\032\066\166\134\001\333\164\024\045\376\355\265\240\210\017
-\335\170\312\055\037\007\227\060\001\055\162\171\372\106\326\023
-\052\250\271\246\253\203\111\035\345\362\357\335\344\001\216\030
-\012\217\143\123\026\205\142\251\016\031\072\314\265\146\246\302
-\153\164\007\344\053\341\166\076\264\155\330\366\104\341\163\142
-\037\073\304\276\240\123\126\045\154\121\011\367\252\253\312\277
-\166\375\155\233\363\235\333\277\075\146\274\014\126\252\257\230
-\110\225\072\113\337\247\130\120\331\070\165\251\133\352\103\014
-\002\377\231\353\350\154\115\160\133\051\145\234\335\252\135\314
-\257\001\061\354\014\353\322\215\350\352\234\173\346\156\367\047
-\146\014\032\110\327\156\102\343\077\336\041\076\173\341\015\160
-\373\143\252\250\154\032\124\264\134\045\172\311\242\311\213\026
-\246\273\054\176\027\136\005\115\130\156\022\035\001\356\022\020
-\015\306\062\177\030\377\374\364\372\315\156\221\350\066\111\276
-\032\110\151\213\302\226\115\032\022\262\151\027\301\012\220\326
-\372\171\042\110\277\272\173\151\370\160\307\372\172\067\330\330
-\015\322\166\117\127\377\220\267\343\221\322\335\357\302\140\267
-\147\072\335\376\252\234\360\324\213\177\162\042\316\306\237\227
-\266\370\257\212\240\020\250\331\373\030\306\266\265\134\122\074
-\211\266\031\052\163\001\012\017\003\263\022\140\362\172\057\201
-\333\243\156\377\046\060\227\365\213\335\211\127\266\255\075\263
-\257\053\305\267\166\002\360\245\326\053\232\206\024\052\162\366
-\343\063\214\135\011\113\023\337\273\214\164\023\122\113\002\003
-\001\000\001\243\202\002\122\060\202\002\116\060\014\006\003\125
-\035\023\004\005\060\003\001\001\377\060\013\006\003\125\035\017
-\004\004\003\002\001\256\060\035\006\003\125\035\016\004\026\004
-\024\116\013\357\032\244\100\133\245\027\151\207\060\312\064\150
-\103\320\101\256\362\060\144\006\003\125\035\037\004\135\060\133
-\060\054\240\052\240\050\206\046\150\164\164\160\072\057\057\143
-\145\162\164\056\163\164\141\162\164\143\157\155\056\157\162\147
-\057\163\146\163\143\141\055\143\162\154\056\143\162\154\060\053
-\240\051\240\047\206\045\150\164\164\160\072\057\057\143\162\154
-\056\163\164\141\162\164\143\157\155\056\157\162\147\057\163\146
-\163\143\141\055\143\162\154\056\143\162\154\060\202\001\135\006
-\003\125\035\040\004\202\001\124\060\202\001\120\060\202\001\114
-\006\013\053\006\001\004\001\201\265\067\001\001\001\060\202\001
-\073\060\057\006\010\053\006\001\005\005\007\002\001\026\043\150
-\164\164\160\072\057\057\143\145\162\164\056\163\164\141\162\164
-\143\157\155\056\157\162\147\057\160\157\154\151\143\171\056\160
-\144\146\060\065\006\010\053\006\001\005\005\007\002\001\026\051
-\150\164\164\160\072\057\057\143\145\162\164\056\163\164\141\162
-\164\143\157\155\056\157\162\147\057\151\156\164\145\162\155\145
-\144\151\141\164\145\056\160\144\146\060\201\320\006\010\053\006
-\001\005\005\007\002\002\060\201\303\060\047\026\040\123\164\141
-\162\164\040\103\157\155\155\145\162\143\151\141\154\040\050\123
-\164\141\162\164\103\157\155\051\040\114\164\144\056\060\003\002
-\001\001\032\201\227\114\151\155\151\164\145\144\040\114\151\141
-\142\151\154\151\164\171\054\040\162\145\141\144\040\164\150\145
-\040\163\145\143\164\151\157\156\040\052\114\145\147\141\154\040
-\114\151\155\151\164\141\164\151\157\156\163\052\040\157\146\040
-\164\150\145\040\123\164\141\162\164\103\157\155\040\103\145\162
-\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
-\162\151\164\171\040\120\157\154\151\143\171\040\141\166\141\151
-\154\141\142\154\145\040\141\164\040\150\164\164\160\072\057\057
-\143\145\162\164\056\163\164\141\162\164\143\157\155\056\157\162
-\147\057\160\157\154\151\143\171\056\160\144\146\060\021\006\011
-\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007\060
-\070\006\011\140\206\110\001\206\370\102\001\015\004\053\026\051
-\123\164\141\162\164\103\157\155\040\106\162\145\145\040\123\123
-\114\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\002\001\000\026\154\231
-\364\146\014\064\365\320\205\136\175\012\354\332\020\116\070\034
-\136\337\246\045\005\113\221\062\301\350\073\361\075\335\104\011
-\133\007\111\212\051\313\146\002\267\261\232\367\045\230\011\074
-\216\033\341\335\066\207\053\113\273\150\323\071\146\075\240\046
-\307\362\071\221\035\121\253\202\173\176\325\316\132\344\342\003
-\127\160\151\227\010\371\136\130\246\012\337\214\006\232\105\026
-\026\070\012\136\127\366\142\307\172\002\005\346\274\036\265\362
-\236\364\251\051\203\370\262\024\343\156\050\207\104\303\220\032
-\336\070\251\074\254\103\115\144\105\316\335\050\251\134\362\163
-\173\004\370\027\350\253\261\363\056\134\144\156\163\061\072\022
-\270\274\263\021\344\175\217\201\121\232\073\215\211\364\115\223
-\146\173\074\003\355\323\232\035\232\363\145\120\365\240\320\165
-\237\057\257\360\352\202\103\230\370\151\234\211\171\304\103\216
-\106\162\343\144\066\022\257\367\045\036\070\211\220\167\176\303
-\153\152\271\303\313\104\113\254\170\220\213\347\307\054\036\113
-\021\104\310\064\122\047\315\012\135\237\205\301\211\325\032\170
-\362\225\020\123\062\335\200\204\146\165\331\265\150\050\373\141
-\056\276\204\250\070\300\231\022\206\245\036\147\144\255\006\056
-\057\251\160\205\307\226\017\174\211\145\365\216\103\124\016\253
-\335\245\200\071\224\140\300\064\311\226\160\054\243\022\365\037
-\110\173\275\034\176\153\267\235\220\364\042\073\256\370\374\052
-\312\372\202\122\240\357\257\113\125\223\353\301\265\360\042\213
-\254\064\116\046\042\004\241\207\054\165\112\267\345\175\023\327
-\270\014\144\300\066\322\311\057\206\022\214\043\011\301\033\202
-\073\163\111\243\152\127\207\224\345\326\170\305\231\103\143\343
-\115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001
-\126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225
-\272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354
-\165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204
-\103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241
-\064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060
-\152\263\364\210\034\200\015\374\162\212\350\203\136
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "StartCom Certification Authority"
-# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Serial Number: 1 (0x1)
-# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Not Valid Before: Sun Sep 17 19:46:36 2006
-# Not Valid After : Wed Sep 17 19:46:36 2036
-# Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
-# Fingerprint (SHA1): 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "StartCom Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\076\053\367\362\003\033\226\363\214\346\304\330\250\135\076\055
-\130\107\152\017
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\042\115\217\212\374\367\065\302\273\127\064\220\173\213\042\026
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013
-\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154
-\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147
-\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Taiwan GRCA"
 #
 # Issuer: O=Government Root Certification Authority,C=TW
 # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
 # Subject: O=Government Root Certification Authority,C=TW
 # Not Valid Before: Thu Dec 05 13:23:33 2002
 # Not Valid After : Sun Dec 05 13:23:33 2032
 # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
@@ -8646,213 +8320,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \274\235
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
-#
-# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
-# Serial Number: 17 (0x11)
-# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
-# Not Valid Before: Fri Aug 24 11:37:07 2007
-# Not Valid After : Mon Aug 21 11:37:07 2017
-# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
-# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "T\xc3\x9c\x42\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1 - S\xC3\xBCr\xC3\xBCm 3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172
-\145\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006
-\003\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102
-\151\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157
-\154\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155
-\141\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304
-\260\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125
-\154\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153
-\040\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101
-\162\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151
-\164\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043
-\060\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145
-\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-\145\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303
-\234\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303
-\266\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
-\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
-\163\304\261\040\055\040\123\303\274\162\303\274\155\040\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172
-\145\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006
-\003\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102
-\151\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157
-\154\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155
-\141\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304
-\260\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125
-\154\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153
-\040\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101
-\162\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151
-\164\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043
-\060\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145
-\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-\145\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303
-\234\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303
-\266\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
-\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
-\163\304\261\040\055\040\123\303\274\162\303\274\155\040\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\021
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\027\060\202\003\377\240\003\002\001\002\002\001\021
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124\122
-\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172\145
-\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006\003
-\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102\151
-\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154
-\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155\141
-\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304\260
-\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125\154
-\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153\040
-\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101\162
-\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151\164
-\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043\060
-\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145\162
-\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145
-\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303\234
-\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303\266
-\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155
-\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163
-\304\261\040\055\040\123\303\274\162\303\274\155\040\063\060\036
-\027\015\060\067\060\070\062\064\061\061\063\067\060\067\132\027
-\015\061\067\060\070\062\061\061\061\063\067\060\067\132\060\202
-\001\053\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-\030\060\026\006\003\125\004\007\014\017\107\145\142\172\145\040
-\055\040\113\157\143\141\145\154\151\061\107\060\105\006\003\125
-\004\012\014\076\124\303\274\162\153\151\171\145\040\102\151\154
-\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-\152\151\153\040\101\162\141\305\237\164\304\261\162\155\141\040
-\113\165\162\165\155\165\040\055\040\124\303\234\102\304\260\124
-\101\113\061\110\060\106\006\003\125\004\013\014\077\125\154\165
-\163\141\154\040\105\154\145\153\164\162\157\156\151\153\040\166
-\145\040\113\162\151\160\164\157\154\157\152\151\040\101\162\141
-\305\237\164\304\261\162\155\141\040\105\156\163\164\151\164\303
-\274\163\303\274\040\055\040\125\105\113\101\105\061\043\060\041
-\006\003\125\004\013\014\032\113\141\155\165\040\123\145\162\164
-\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145\172
-\151\061\112\060\110\006\003\125\004\003\014\101\124\303\234\102
-\304\260\124\101\113\040\125\105\113\101\105\040\113\303\266\153
-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
-\261\040\055\040\123\303\274\162\303\274\155\040\063\060\202\001
-\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\202\001\017\000\060\202\001\012\002\202\001\001\000\212\155
-\113\377\020\210\072\303\366\176\224\350\352\040\144\160\256\041
-\201\276\072\173\074\333\361\035\122\177\131\372\363\042\114\225
-\240\220\274\110\116\021\253\373\267\265\215\172\203\050\214\046
-\106\330\116\225\100\207\141\237\305\236\155\201\207\127\154\212
-\073\264\146\352\314\100\374\343\252\154\262\313\001\333\062\277
-\322\353\205\317\241\015\125\303\133\070\127\160\270\165\306\171
-\321\024\060\355\033\130\133\153\357\065\362\241\041\116\305\316
-\174\231\137\154\271\270\042\223\120\247\315\114\160\152\276\152
-\005\177\023\234\053\036\352\376\107\316\004\245\157\254\223\056
-\174\053\237\236\171\023\221\350\352\236\312\070\165\216\142\260
-\225\223\052\345\337\351\136\227\156\040\137\137\204\172\104\071
-\031\100\034\272\125\053\373\060\262\201\357\204\343\334\354\230
-\070\071\003\205\010\251\124\003\005\051\360\311\217\213\352\013
-\206\145\031\021\323\351\011\043\336\150\223\003\311\066\034\041
-\156\316\214\146\361\231\060\330\327\263\303\035\370\201\056\250
-\275\202\013\146\376\202\313\341\340\032\202\303\100\201\002\003
-\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026
-\004\024\275\210\207\311\217\366\244\012\013\252\353\305\376\221
-\043\235\253\112\212\062\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\001\001\000\035\174\372\111\217
-\064\351\267\046\222\026\232\005\164\347\113\320\155\071\154\303
-\046\366\316\270\061\274\304\337\274\052\370\067\221\030\334\004
-\310\144\231\053\030\155\200\003\131\311\256\370\130\320\076\355
-\303\043\237\151\074\206\070\034\236\357\332\047\170\321\204\067
-\161\212\074\113\071\317\176\105\006\326\055\330\212\115\170\022
-\326\255\302\323\313\322\320\101\363\046\066\112\233\225\154\014
-\356\345\321\103\047\146\301\210\367\172\263\040\154\352\260\151
-\053\307\040\350\014\003\304\101\005\231\342\077\344\153\370\240
-\206\201\307\204\306\037\325\113\201\022\262\026\041\054\023\241
-\200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112
-\057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307
-\060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147
-\240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154
-\301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204
-\202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054
-\311\234\220\332\354\251\102\074\255\266\002
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
-# Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
-# Serial Number: 17 (0x11)
-# Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
-# Not Valid Before: Fri Aug 24 11:37:07 2007
-# Not Valid After : Mon Aug 21 11:37:07 2017
-# Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
-# Fingerprint (SHA1): 1B:4B:39:61:26:27:6B:64:91:A2:68:6D:D7:02:43:21:2D:1F:1D:96
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "T\xc3\x9c\x42\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1 - S\xC3\xBCr\xC3\xBCm 3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\033\113\071\141\046\047\153\144\221\242\150\155\327\002\103\041
-\055\037\035\226
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\355\101\365\214\120\305\053\234\163\346\356\154\353\302\250\046
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\053\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\030\060\026\006\003\125\004\007\014\017\107\145\142\172
-\145\040\055\040\113\157\143\141\145\154\151\061\107\060\105\006
-\003\125\004\012\014\076\124\303\274\162\153\151\171\145\040\102
-\151\154\151\155\163\145\154\040\166\145\040\124\145\153\156\157
-\154\157\152\151\153\040\101\162\141\305\237\164\304\261\162\155
-\141\040\113\165\162\165\155\165\040\055\040\124\303\234\102\304
-\260\124\101\113\061\110\060\106\006\003\125\004\013\014\077\125
-\154\165\163\141\154\040\105\154\145\153\164\162\157\156\151\153
-\040\166\145\040\113\162\151\160\164\157\154\157\152\151\040\101
-\162\141\305\237\164\304\261\162\155\141\040\105\156\163\164\151
-\164\303\274\163\303\274\040\055\040\125\105\113\101\105\061\043
-\060\041\006\003\125\004\013\014\032\113\141\155\165\040\123\145
-\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-\145\172\151\061\112\060\110\006\003\125\004\003\014\101\124\303
-\234\102\304\260\124\101\113\040\125\105\113\101\105\040\113\303
-\266\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
-\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
-\163\304\261\040\055\040\123\303\274\162\303\274\155\040\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\021
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "certSIGN ROOT CA"
 #
 # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Serial Number:20:06:05:16:70:02
 # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Not Valid Before: Tue Jul 04 17:20:04 2006
 # Not Valid After : Fri Jul 04 17:20:04 2031
 # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
@@ -10456,182 +9933,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ACEDICOM Root"
-#
-# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
-# Serial Number:61:8d:c7:86:3b:01:82:05
-# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
-# Not Valid Before: Fri Apr 18 16:24:22 2008
-# Not Valid After : Thu Apr 13 16:24:22 2028
-# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
-# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ACEDICOM Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105
-\104\111\103\117\115\040\122\157\157\164\061\014\060\012\006\003
-\125\004\013\014\003\120\113\111\061\017\060\015\006\003\125\004
-\012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125
-\004\006\023\002\105\123
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105
-\104\111\103\117\115\040\122\157\157\164\061\014\060\012\006\003
-\125\004\013\014\003\120\113\111\061\017\060\015\006\003\125\004
-\012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125
-\004\006\023\002\105\123
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\010\141\215\307\206\073\001\202\005
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\265\060\202\003\235\240\003\002\001\002\002\010\141
-\215\307\206\073\001\202\005\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\060\104\061\026\060\024\006\003\125\004
-\003\014\015\101\103\105\104\111\103\117\115\040\122\157\157\164
-\061\014\060\012\006\003\125\004\013\014\003\120\113\111\061\017
-\060\015\006\003\125\004\012\014\006\105\104\111\103\117\115\061
-\013\060\011\006\003\125\004\006\023\002\105\123\060\036\027\015
-\060\070\060\064\061\070\061\066\062\064\062\062\132\027\015\062
-\070\060\064\061\063\061\066\062\064\062\062\132\060\104\061\026
-\060\024\006\003\125\004\003\014\015\101\103\105\104\111\103\117
-\115\040\122\157\157\164\061\014\060\012\006\003\125\004\013\014
-\003\120\113\111\061\017\060\015\006\003\125\004\012\014\006\105
-\104\111\103\117\115\061\013\060\011\006\003\125\004\006\023\002
-\105\123\060\202\002\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
-\002\001\000\377\222\225\341\150\006\166\264\054\310\130\110\312
-\375\200\124\051\125\143\044\377\220\145\233\020\165\173\303\152
-\333\142\002\001\362\030\206\265\174\132\070\261\344\130\271\373
-\323\330\055\237\275\062\067\277\054\025\155\276\265\364\041\322
-\023\221\331\007\255\001\005\326\363\275\167\316\137\102\201\012
-\371\152\343\203\000\250\053\056\125\023\143\201\312\107\034\173
-\134\026\127\172\033\203\140\004\072\076\145\303\315\001\336\336
-\244\326\014\272\216\336\331\004\356\027\126\042\233\217\143\375
-\115\026\013\267\173\167\214\371\045\265\321\155\231\022\056\117
-\032\270\346\352\004\222\256\075\021\271\121\102\075\207\260\061
-\205\257\171\132\234\376\347\116\136\222\117\103\374\253\072\255
-\245\022\046\146\271\342\014\327\230\316\324\130\245\225\100\012
-\267\104\235\023\164\053\302\245\353\042\025\230\020\330\213\305
-\004\237\035\217\140\345\006\033\233\317\271\171\240\075\242\043
-\077\102\077\153\372\034\003\173\060\215\316\154\300\277\346\033
-\137\277\147\270\204\031\325\025\357\173\313\220\066\061\142\311
-\274\002\253\106\137\233\376\032\150\224\064\075\220\216\255\366
-\344\035\011\177\112\210\070\077\276\147\375\064\226\365\035\274
-\060\164\313\070\356\325\154\253\324\374\364\000\267\000\133\205
-\062\026\166\063\351\330\243\231\235\005\000\252\026\346\363\201
-\175\157\175\252\206\155\255\025\164\323\304\242\161\252\364\024
-\175\347\062\270\037\274\325\361\116\275\157\027\002\071\327\016
-\225\102\072\307\000\076\351\046\143\021\352\013\321\112\377\030
-\235\262\327\173\057\072\331\226\373\350\036\222\256\023\125\310
-\331\047\366\334\110\033\260\044\301\205\343\167\235\232\244\363
-\014\021\035\015\310\264\024\356\265\202\127\011\277\040\130\177
-\057\042\043\330\160\313\171\154\311\113\362\251\052\310\374\207
-\053\327\032\120\370\047\350\057\103\343\072\275\330\127\161\375
-\316\246\122\133\371\335\115\355\345\366\157\211\355\273\223\234
-\166\041\165\360\222\114\051\367\057\234\001\056\376\120\106\236
-\144\014\024\263\007\133\305\302\163\154\361\007\134\105\044\024
-\065\256\203\361\152\115\211\172\372\263\330\055\146\360\066\207
-\365\053\123\002\003\001\000\001\243\201\252\060\201\247\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\037\006\003\125\035\043\004\030\060\026\200\024\246\263\341\053
-\053\111\266\327\163\241\252\224\365\001\347\163\145\114\254\120
-\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206
-\060\035\006\003\125\035\016\004\026\004\024\246\263\341\053\053
-\111\266\327\163\241\252\224\365\001\347\163\145\114\254\120\060
-\104\006\003\125\035\040\004\075\060\073\060\071\006\004\125\035
-\040\000\060\061\060\057\006\010\053\006\001\005\005\007\002\001
-\026\043\150\164\164\160\072\057\057\141\143\145\144\151\143\157
-\155\056\145\144\151\143\157\155\147\162\157\165\160\056\143\157
-\155\057\144\157\143\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\002\001\000\316\054\013\122\121\142\046
-\175\014\047\203\217\305\366\332\240\150\173\117\222\136\352\244
-\163\062\021\123\104\262\104\313\235\354\017\171\102\263\020\246
-\307\015\235\313\266\372\077\072\174\352\277\210\123\033\074\367
-\202\372\005\065\063\341\065\250\127\300\347\375\215\117\077\223
-\062\117\170\146\003\167\007\130\351\225\310\176\076\320\171\000
-\214\362\033\121\063\233\274\224\351\072\173\156\122\055\062\236
-\043\244\105\373\266\056\023\260\213\030\261\335\316\325\035\247
-\102\177\125\276\373\133\273\107\324\374\044\315\004\256\226\005
-\025\326\254\316\060\363\312\013\305\272\342\042\340\246\255\042
-\344\002\356\164\021\177\114\377\170\035\065\332\346\002\064\353
-\030\022\141\167\006\011\026\143\352\030\255\242\207\037\362\307
-\200\011\011\165\116\020\250\217\075\206\270\165\021\300\044\142
-\212\226\173\112\105\351\354\131\305\276\153\203\346\341\350\254
-\265\060\036\376\005\007\200\371\341\043\015\120\217\005\230\377
-\054\137\350\073\266\255\317\201\265\041\207\312\010\052\043\047
-\060\040\053\317\355\224\133\254\262\172\322\307\050\241\212\013
-\233\115\112\054\155\205\077\011\162\074\147\342\331\334\007\272
-\353\145\173\132\001\143\326\220\133\117\027\146\075\177\013\031
-\243\223\143\020\122\052\237\024\026\130\342\334\245\364\241\026
-\213\016\221\213\201\312\233\131\372\330\153\221\007\145\125\137
-\122\037\257\072\373\220\335\151\245\133\234\155\016\054\266\372
-\316\254\245\174\062\112\147\100\334\060\064\043\335\327\004\043
-\146\360\374\125\200\247\373\146\031\202\065\147\142\160\071\136
-\157\307\352\220\100\104\010\036\270\262\326\333\356\131\247\015
-\030\171\064\274\124\030\136\123\312\064\121\355\105\012\346\216
-\307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125
-\207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255
-\257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351
-\032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235
-\350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112
-\147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176
-\113\076\053\070\007\125\230\136\244
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "ACEDICOM Root"
-# Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
-# Serial Number:61:8d:c7:86:3b:01:82:05
-# Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
-# Not Valid Before: Fri Apr 18 16:24:22 2008
-# Not Valid After : Thu Apr 13 16:24:22 2028
-# Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
-# Fingerprint (SHA1): E0:B4:32:2E:B2:F6:A5:68:B6:54:53:84:48:18:4A:50:36:87:43:84
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ACEDICOM Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\340\264\062\056\262\366\245\150\266\124\123\204\110\030\112\120
-\066\207\103\204
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\102\201\240\342\034\343\125\020\336\125\211\102\145\226\042\346
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\104\061\026\060\024\006\003\125\004\003\014\015\101\103\105
-\104\111\103\117\115\040\122\157\157\164\061\014\060\012\006\003
-\125\004\013\014\003\120\113\111\061\017\060\015\006\003\125\004
-\012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125
-\004\006\023\002\105\123
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\010\141\215\307\206\073\001\202\005
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-
-#
 # Certificate "Microsec e-Szigno Root CA 2009"
 #
 # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:c2:7e:43:04:4e:47:3f:19
 # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Tue Jun 16 11:30:18 2009
 # Not Valid After : Sun Dec 30 11:30:18 2029
 # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
@@ -14488,185 +13799,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\004\104\300
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Certinomis - Autorité Racine"
-#
-# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
-# Serial Number: 1 (0x1)
-# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
-# Not Valid Before: Wed Sep 17 08:28:59 2008
-# Not Valid After : Sun Sep 17 08:28:59 2028
-# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
-# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certinomis - Autorité Racine"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\023\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156
-\157\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060
-\060\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060
-\044\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155
-\151\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122
-\141\143\151\156\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\023\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156
-\157\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060
-\060\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060
-\044\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155
-\151\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122
-\141\143\151\156\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\234\060\202\003\204\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061\023
-\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156\157
-\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060\060
-\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060\044
-\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155\151
-\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122\141
-\143\151\156\145\060\036\027\015\060\070\060\071\061\067\060\070
-\062\070\065\071\132\027\015\062\070\060\071\061\067\060\070\062
-\070\065\071\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\106\122\061\023\060\021\006\003\125\004\012\023\012\103\145
-\162\164\151\156\157\155\151\163\061\027\060\025\006\003\125\004
-\013\023\016\060\060\060\062\040\064\063\063\071\071\070\071\060
-\063\061\046\060\044\006\003\125\004\003\014\035\103\145\162\164
-\151\156\157\155\151\163\040\055\040\101\165\164\157\162\151\164
-\303\251\040\122\141\143\151\156\145\060\202\002\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017
-\000\060\202\002\012\002\202\002\001\000\235\205\237\206\323\343
-\257\307\262\153\156\063\340\236\267\102\064\125\235\371\201\276
-\143\330\043\166\016\227\124\315\231\114\032\361\071\307\210\330
-\027\120\014\236\141\332\300\116\125\336\347\132\270\172\116\167
-\207\015\345\270\353\372\236\136\173\036\304\317\050\164\307\223
-\365\024\306\042\050\004\371\221\303\253\047\163\152\016\056\115
-\363\056\050\037\160\337\125\057\116\355\307\161\157\011\162\056
-\355\325\062\227\320\361\130\167\321\140\274\116\136\333\232\204
-\366\107\141\105\053\366\120\246\177\152\161\047\110\204\065\236
-\254\376\151\251\236\172\136\065\045\372\264\247\111\065\167\226
-\247\066\133\341\315\337\043\160\330\135\114\245\010\203\361\246
-\044\070\023\250\354\057\250\241\147\307\246\055\206\107\356\212
-\374\354\233\016\164\364\053\111\002\173\220\165\214\374\231\071
-\001\071\326\112\211\345\236\166\253\076\226\050\070\046\213\335
-\215\214\300\366\001\036\157\245\061\022\070\175\225\302\161\356
-\355\164\256\344\066\242\103\165\325\361\000\233\342\344\327\314
-\102\003\113\170\172\345\175\273\270\256\056\040\223\323\344\141
-\337\161\341\166\147\227\077\266\337\152\163\132\144\042\345\102
-\333\317\201\003\223\330\364\343\020\340\162\366\000\160\254\360
-\301\172\017\005\177\317\064\151\105\265\223\344\031\333\122\026
-\043\005\211\016\215\110\344\045\157\263\170\277\142\365\007\372
-\225\044\302\226\262\350\243\043\302\135\003\374\303\323\345\174
-\311\165\043\327\364\365\274\336\344\337\315\200\277\221\210\175
-\247\023\264\071\272\054\272\275\321\153\314\363\245\050\355\104
-\236\175\122\243\157\226\056\031\176\034\363\133\307\026\216\273
-\140\175\167\146\107\124\202\000\021\140\154\062\301\250\070\033
-\353\156\230\023\326\356\070\365\360\237\016\357\376\061\201\301
-\322\044\225\057\123\172\151\242\360\017\206\105\216\130\202\053
-\114\042\324\136\240\347\175\046\047\110\337\045\106\215\112\050
-\174\206\236\371\233\032\131\271\145\277\005\335\266\102\135\075
-\346\000\110\202\136\040\367\021\202\336\312\330\237\346\067\107
-\046\036\353\170\367\141\303\101\144\130\002\101\371\332\340\321
-\370\371\350\375\122\070\266\365\211\337\002\003\001\000\001\243
-\133\060\131\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\015
-\214\266\141\332\104\270\321\024\175\303\276\175\136\110\360\316
-\312\152\260\060\027\006\003\125\035\040\004\020\060\016\060\014
-\006\012\052\201\172\001\126\002\002\000\001\001\060\015\006\011
-\052\206\110\206\367\015\001\001\005\005\000\003\202\002\001\000
-\044\076\140\006\176\035\357\072\076\333\352\257\034\232\054\001
-\013\364\305\265\331\111\061\364\135\101\215\211\014\116\377\154
-\242\375\377\342\006\310\071\237\361\132\251\335\042\130\025\250
-\212\323\261\346\062\011\202\003\154\327\077\010\307\370\271\272
-\000\155\271\326\374\122\062\135\244\177\244\061\224\273\266\114
-\070\177\050\060\065\377\237\043\123\267\266\356\024\160\000\100
-\053\332\107\253\064\176\136\247\126\060\141\053\213\103\254\375
-\266\210\050\365\153\266\076\140\112\272\102\220\064\147\215\352
-\353\137\105\124\073\027\254\213\344\306\145\017\356\320\214\135
-\146\071\316\062\247\330\020\227\300\176\064\234\237\224\363\366
-\206\037\317\033\163\255\224\171\207\150\160\303\063\245\160\347
-\330\325\070\224\157\143\171\353\277\012\016\010\347\305\057\017
-\102\240\053\024\100\377\041\340\005\305\047\341\204\021\023\272
-\326\206\035\101\013\023\043\211\323\311\013\350\212\272\172\243
-\243\163\067\065\200\175\022\270\063\167\100\070\300\372\136\060
-\322\362\266\243\261\326\242\225\227\201\233\122\355\151\114\377
-\200\344\123\333\124\133\003\155\124\137\261\270\357\044\275\157
-\237\021\303\307\144\302\017\050\142\205\146\136\032\173\262\267
-\357\256\065\311\031\063\250\270\047\333\063\125\277\150\341\165
-\110\104\126\373\315\323\110\273\107\211\072\254\151\365\200\306
-\344\104\120\057\124\304\252\103\305\061\061\130\275\226\305\352
-\165\154\232\165\261\115\370\367\227\377\226\026\362\227\115\350
-\366\363\021\371\072\175\212\070\156\004\313\341\323\105\025\252
-\245\321\035\235\135\143\350\044\346\066\024\342\207\255\033\131
-\365\104\233\373\327\167\174\037\001\160\142\241\040\032\242\305
-\032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133
-\166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333
-\240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027
-\366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164
-\004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126
-\331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143
-\377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Certinomis - Autorité Racine"
-# Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
-# Serial Number: 1 (0x1)
-# Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
-# Not Valid Before: Wed Sep 17 08:28:59 2008
-# Not Valid After : Sun Sep 17 08:28:59 2028
-# Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
-# Fingerprint (SHA1): 2E:14:DA:EC:28:F0:FA:1E:8E:38:9A:4E:AB:EB:26:C0:0A:D3:83:C3
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certinomis - Autorité Racine"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\056\024\332\354\050\360\372\036\216\070\232\116\253\353\046\300
-\012\323\203\303
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\177\060\170\214\003\343\312\311\012\342\311\352\036\252\125\032
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\023\060\021\006\003\125\004\012\023\012\103\145\162\164\151\156
-\157\155\151\163\061\027\060\025\006\003\125\004\013\023\016\060
-\060\060\062\040\064\063\063\071\071\070\071\060\063\061\046\060
-\044\006\003\125\004\003\014\035\103\145\162\164\151\156\157\155
-\151\163\040\055\040\101\165\164\157\162\151\164\303\251\040\122
-\141\143\151\156\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "TWCA Root Certification Authority"
 #
 # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 1 (0x1)
 # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
 # Not Valid Before: Thu Aug 28 07:24:33 2008
 # Not Valid After : Tue Dec 31 15:59:59 2030
 # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
@@ -16895,382 +16037,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \240\131
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "StartCom Certification Authority"
-#
-# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Serial Number: 45 (0x2d)
-# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Not Valid Before: Sun Sep 17 19:46:37 2006
-# Not Valid After : Wed Sep 17 19:46:36 2036
-# Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16
-# Fingerprint (SHA1): A3:F1:33:3F:E2:42:BF:CF:C5:D1:4E:8F:39:42:98:40:68:10:D1:A0
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "StartCom Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013
-\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154
-\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147
-\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013
-\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154
-\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147
-\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\055
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\007\207\060\202\005\157\240\003\002\001\002\002\001\055
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026
-\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157
-\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023
-\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040
-\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156
-\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164
-\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036
-\027\015\060\066\060\071\061\067\061\071\064\066\063\067\132\027
-\015\063\066\060\071\061\067\061\071\064\066\063\066\132\060\175
-\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026\060
-\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157\155
-\040\114\164\144\056\061\053\060\051\006\003\125\004\013\023\042
-\123\145\143\165\162\145\040\104\151\147\151\164\141\154\040\103
-\145\162\164\151\146\151\143\141\164\145\040\123\151\147\156\151
-\156\147\061\051\060\047\006\003\125\004\003\023\040\123\164\141
-\162\164\103\157\155\040\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\060\202\002
-\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\202\002\017\000\060\202\002\012\002\202\002\001\000\301\210
-\333\011\274\154\106\174\170\237\225\173\265\063\220\362\162\142
-\326\301\066\040\042\044\136\316\351\167\362\103\012\242\006\144
-\244\314\216\066\370\070\346\043\360\156\155\261\074\335\162\243
-\205\034\241\323\075\264\063\053\323\057\257\376\352\260\101\131
-\147\266\304\006\175\012\236\164\205\326\171\114\200\067\172\337
-\071\005\122\131\367\364\033\106\103\244\322\205\205\322\303\161
-\363\165\142\064\272\054\212\177\036\217\356\355\064\320\021\307
-\226\315\122\075\272\063\326\335\115\336\013\073\112\113\237\302
-\046\057\372\265\026\034\162\065\167\312\074\135\346\312\341\046
-\213\032\066\166\134\001\333\164\024\045\376\355\265\240\210\017
-\335\170\312\055\037\007\227\060\001\055\162\171\372\106\326\023
-\052\250\271\246\253\203\111\035\345\362\357\335\344\001\216\030
-\012\217\143\123\026\205\142\251\016\031\072\314\265\146\246\302
-\153\164\007\344\053\341\166\076\264\155\330\366\104\341\163\142
-\037\073\304\276\240\123\126\045\154\121\011\367\252\253\312\277
-\166\375\155\233\363\235\333\277\075\146\274\014\126\252\257\230
-\110\225\072\113\337\247\130\120\331\070\165\251\133\352\103\014
-\002\377\231\353\350\154\115\160\133\051\145\234\335\252\135\314
-\257\001\061\354\014\353\322\215\350\352\234\173\346\156\367\047
-\146\014\032\110\327\156\102\343\077\336\041\076\173\341\015\160
-\373\143\252\250\154\032\124\264\134\045\172\311\242\311\213\026
-\246\273\054\176\027\136\005\115\130\156\022\035\001\356\022\020
-\015\306\062\177\030\377\374\364\372\315\156\221\350\066\111\276
-\032\110\151\213\302\226\115\032\022\262\151\027\301\012\220\326
-\372\171\042\110\277\272\173\151\370\160\307\372\172\067\330\330
-\015\322\166\117\127\377\220\267\343\221\322\335\357\302\140\267
-\147\072\335\376\252\234\360\324\213\177\162\042\316\306\237\227
-\266\370\257\212\240\020\250\331\373\030\306\266\265\134\122\074
-\211\266\031\052\163\001\012\017\003\263\022\140\362\172\057\201
-\333\243\156\377\046\060\227\365\213\335\211\127\266\255\075\263
-\257\053\305\267\166\002\360\245\326\053\232\206\024\052\162\366
-\343\063\214\135\011\113\023\337\273\214\164\023\122\113\002\003
-\001\000\001\243\202\002\020\060\202\002\014\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003
-\125\035\016\004\026\004\024\116\013\357\032\244\100\133\245\027
-\151\207\060\312\064\150\103\320\101\256\362\060\037\006\003\125
-\035\043\004\030\060\026\200\024\116\013\357\032\244\100\133\245
-\027\151\207\060\312\064\150\103\320\101\256\362\060\202\001\132
-\006\003\125\035\040\004\202\001\121\060\202\001\115\060\202\001
-\111\006\013\053\006\001\004\001\201\265\067\001\001\001\060\202
-\001\070\060\056\006\010\053\006\001\005\005\007\002\001\026\042
-\150\164\164\160\072\057\057\167\167\167\056\163\164\141\162\164
-\163\163\154\056\143\157\155\057\160\157\154\151\143\171\056\160
-\144\146\060\064\006\010\053\006\001\005\005\007\002\001\026\050
-\150\164\164\160\072\057\057\167\167\167\056\163\164\141\162\164
-\163\163\154\056\143\157\155\057\151\156\164\145\162\155\145\144
-\151\141\164\145\056\160\144\146\060\201\317\006\010\053\006\001
-\005\005\007\002\002\060\201\302\060\047\026\040\123\164\141\162
-\164\040\103\157\155\155\145\162\143\151\141\154\040\050\123\164
-\141\162\164\103\157\155\051\040\114\164\144\056\060\003\002\001
-\001\032\201\226\114\151\155\151\164\145\144\040\114\151\141\142
-\151\154\151\164\171\054\040\162\145\141\144\040\164\150\145\040
-\163\145\143\164\151\157\156\040\052\114\145\147\141\154\040\114
-\151\155\151\164\141\164\151\157\156\163\052\040\157\146\040\164
-\150\145\040\123\164\141\162\164\103\157\155\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\120\157\154\151\143\171\040\141\166\141\151\154
-\141\142\154\145\040\141\164\040\150\164\164\160\072\057\057\167
-\167\167\056\163\164\141\162\164\163\163\154\056\143\157\155\057
-\160\157\154\151\143\171\056\160\144\146\060\021\006\011\140\206
-\110\001\206\370\102\001\001\004\004\003\002\000\007\060\070\006
-\011\140\206\110\001\206\370\102\001\015\004\053\026\051\123\164
-\141\162\164\103\157\155\040\106\162\145\145\040\123\123\114\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\060\015\006\011\052\206\110\206\367
-\015\001\001\013\005\000\003\202\002\001\000\216\217\347\334\224
-\171\174\361\205\177\237\111\157\153\312\135\373\214\376\004\305
-\301\142\321\175\102\212\274\123\267\224\003\146\060\077\261\347
-\012\247\120\040\125\045\177\166\172\024\015\353\004\016\100\346
-\076\330\210\253\007\047\203\251\165\246\067\163\307\375\113\322
-\115\255\027\100\310\106\276\073\177\121\374\303\266\005\061\334
-\315\205\042\116\161\267\362\161\136\260\032\306\272\223\213\170
-\222\112\205\370\170\017\203\376\057\255\054\367\344\244\273\055
-\320\347\015\072\270\076\316\366\170\366\256\107\044\312\243\065
-\066\316\307\306\207\230\332\354\373\351\262\316\047\233\210\303
-\004\241\366\013\131\150\257\311\333\020\017\115\366\144\143\134
-\245\022\157\222\262\223\224\307\210\027\016\223\266\176\142\213
-\220\177\253\116\237\374\343\165\024\117\052\062\337\133\015\340
-\365\173\223\015\253\241\317\207\341\245\004\105\350\074\022\245
-\011\305\260\321\267\123\363\140\024\272\205\151\152\041\174\037
-\165\141\027\040\027\173\154\073\101\051\134\341\254\132\321\315
-\214\233\353\140\035\031\354\367\345\260\332\371\171\030\245\105
-\077\111\103\127\322\335\044\325\054\243\375\221\215\047\265\345
-\353\024\006\232\114\173\041\273\072\255\060\006\030\300\330\301
-\153\054\177\131\134\135\221\261\160\042\127\353\212\153\110\112
-\325\017\051\354\306\100\300\057\210\114\150\001\027\167\364\044
-\031\117\275\372\341\262\040\041\113\335\032\330\051\175\252\270
-\336\124\354\041\125\200\154\036\365\060\310\243\020\345\262\346
-\052\024\061\303\205\055\214\230\261\206\132\117\211\131\055\271
-\307\367\034\310\212\177\300\235\005\112\346\102\117\142\243\155
-\051\244\037\205\253\333\345\201\310\255\052\075\114\135\133\204
-\046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340
-\124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135
-\016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331
-\361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212
-\362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217
-\266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346
-\177\045\245\362\110\000\300\244\001\332\077
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "StartCom Certification Authority"
-# Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Serial Number: 45 (0x2d)
-# Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
-# Not Valid Before: Sun Sep 17 19:46:37 2006
-# Not Valid After : Wed Sep 17 19:46:36 2036
-# Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16
-# Fingerprint (SHA1): A3:F1:33:3F:E2:42:BF:CF:C5:D1:4E:8F:39:42:98:40:68:10:D1:A0
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "StartCom Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\243\361\063\077\342\102\277\317\305\321\116\217\071\102\230\100
-\150\020\321\240
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\311\073\015\204\101\374\244\166\171\043\010\127\336\020\031\026
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\175\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\053\060\051\006\003\125\004\013
-\023\042\123\145\143\165\162\145\040\104\151\147\151\164\141\154
-\040\103\145\162\164\151\146\151\143\141\164\145\040\123\151\147
-\156\151\156\147\061\051\060\047\006\003\125\004\003\023\040\123
-\164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
-\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\055
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "StartCom Certification Authority G2"
-#
-# Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
-# Serial Number: 59 (0x3b)
-# Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
-# Not Valid Before: Fri Jan 01 01:00:01 2010
-# Not Valid After : Sat Dec 31 23:59:01 2039
-# Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64
-# Fingerprint (SHA1): 31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "StartCom Certification Authority G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003
-\023\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003
-\023\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\073
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\143\060\202\003\113\240\003\002\001\002\002\001\073
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061\026
-\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103\157
-\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003\023
-\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\040\107\062\060\036\027\015\061\060\060\061\060\061\060\061
-\060\060\060\061\132\027\015\063\071\061\062\063\061\062\063\065
-\071\060\061\132\060\123\061\013\060\011\006\003\125\004\006\023
-\002\111\114\061\026\060\024\006\003\125\004\012\023\015\123\164
-\141\162\164\103\157\155\040\114\164\144\056\061\054\060\052\006
-\003\125\004\003\023\043\123\164\141\162\164\103\157\155\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\040\107\062\060\202\002\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017
-\000\060\202\002\012\002\202\002\001\000\266\211\066\133\007\267
-\040\066\275\202\273\341\026\040\003\225\172\257\016\243\125\311
-\045\231\112\305\320\126\101\207\220\115\041\140\244\024\207\073
-\315\375\262\076\264\147\003\152\355\341\017\113\300\221\205\160
-\105\340\102\236\336\051\043\324\001\015\240\020\171\270\333\003
-\275\363\251\057\321\306\340\017\313\236\212\024\012\270\275\366
-\126\142\361\305\162\266\062\045\331\262\363\275\145\305\015\054
-\156\325\222\157\030\213\000\101\024\202\157\100\040\046\172\050
-\017\365\036\177\047\367\224\261\067\075\267\307\221\367\342\001
-\354\375\224\211\341\314\156\323\066\326\012\031\171\256\327\064
-\202\145\377\174\102\273\266\335\013\246\064\257\113\140\376\177
-\103\111\006\213\214\103\270\126\362\331\177\041\103\027\352\247
-\110\225\001\165\165\352\053\245\103\225\352\025\204\235\010\215
-\046\156\125\233\253\334\322\071\322\061\035\140\342\254\314\126
-\105\044\365\034\124\253\356\206\335\226\062\205\370\114\117\350
-\225\166\266\005\335\066\043\147\274\377\025\342\312\073\346\246
-\354\073\354\046\021\064\110\215\366\200\053\032\043\002\353\212
-\034\072\166\052\173\126\026\034\162\052\263\252\343\140\245\000
-\237\004\233\342\157\036\024\130\133\245\154\213\130\074\303\272
-\116\072\134\367\341\226\053\076\357\007\274\244\345\135\314\115
-\237\015\341\334\252\273\341\156\032\354\217\341\266\114\115\171
-\162\135\027\065\013\035\327\301\107\332\226\044\340\320\162\250
-\132\137\146\055\020\334\057\052\023\256\046\376\012\034\031\314
-\320\076\013\234\310\011\056\371\133\226\172\107\234\351\172\363
-\005\120\164\225\163\236\060\011\363\227\202\136\346\217\071\010
-\036\131\345\065\024\102\023\377\000\234\367\276\252\120\317\342
-\121\110\327\270\157\257\370\116\176\063\230\222\024\142\072\165
-\143\317\173\372\336\202\073\251\273\071\342\304\275\054\000\016
-\310\027\254\023\357\115\045\216\330\263\220\057\251\332\051\175
-\035\257\164\072\262\047\300\301\036\076\165\243\026\251\257\172
-\042\135\237\023\032\317\247\240\353\343\206\012\323\375\346\226
-\225\327\043\310\067\335\304\174\252\066\254\230\032\022\261\340
-\116\350\261\073\365\326\157\361\060\327\002\003\001\000\001\243
-\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\113
-\305\264\100\153\255\034\263\245\034\145\156\106\066\211\207\005
-\014\016\266\060\015\006\011\052\206\110\206\367\015\001\001\013
-\005\000\003\202\002\001\000\163\127\077\054\325\225\062\176\067
-\333\226\222\353\031\136\176\123\347\101\354\021\266\107\357\265
-\336\355\164\134\305\361\216\111\340\374\156\231\023\315\237\212
-\332\315\072\012\330\072\132\011\077\137\064\320\057\003\322\146
-\035\032\275\234\220\067\310\014\216\007\132\224\105\106\052\346
-\276\172\332\241\251\244\151\022\222\260\175\066\324\104\207\327
-\121\361\051\143\326\165\315\026\344\047\211\035\370\302\062\110
-\375\333\231\320\217\137\124\164\314\254\147\064\021\142\331\014
-\012\067\207\321\243\027\110\216\322\027\035\366\327\375\333\145
-\353\375\250\324\365\326\117\244\133\165\350\305\322\140\262\333
-\011\176\045\213\173\272\122\222\236\076\350\305\167\241\074\340
-\112\163\153\141\317\206\334\103\377\377\041\376\043\135\044\112
-\365\323\155\017\142\004\005\127\202\332\156\244\063\045\171\113
-\056\124\031\213\314\054\075\060\351\321\006\377\350\062\106\276
-\265\063\166\167\250\001\135\226\301\301\325\276\256\045\300\311
-\036\012\011\040\210\241\016\311\363\157\115\202\124\000\040\247
-\322\217\344\071\124\027\056\215\036\270\033\273\033\275\232\116
-\073\020\064\334\234\210\123\357\242\061\133\130\117\221\142\310
-\302\232\232\315\025\135\070\251\326\276\370\023\265\237\022\151
-\362\120\142\254\373\027\067\364\356\270\165\147\140\020\373\203
-\120\371\104\265\165\234\100\027\262\376\375\171\135\156\130\130
-\137\060\374\000\256\257\063\301\016\116\154\272\247\246\241\177
-\062\333\070\340\261\162\027\012\053\221\354\152\143\046\355\211
-\324\170\314\164\036\005\370\153\376\214\152\166\071\051\256\145
-\043\022\225\010\042\034\227\316\133\006\356\014\342\273\274\037
-\104\223\366\330\070\105\005\041\355\344\255\253\022\266\003\244
-\102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050
-\205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355
-\173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311
-\062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153
-\262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303
-\301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123
-\127\055\366\320\341\327\110
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "StartCom Certification Authority G2"
-# Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
-# Serial Number: 59 (0x3b)
-# Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
-# Not Valid Before: Fri Jan 01 01:00:01 2010
-# Not Valid After : Sat Dec 31 23:59:01 2039
-# Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64
-# Fingerprint (SHA1): 31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "StartCom Certification Authority G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\061\361\375\150\042\143\040\356\306\073\077\235\352\112\076\123
-\174\174\071\027
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\170\113\373\236\144\202\012\323\270\114\142\363\144\362\220\144
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\111\114\061
-\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164\103
-\157\155\040\114\164\144\056\061\054\060\052\006\003\125\004\003
-\023\043\123\164\141\162\164\103\157\155\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\073
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Buypass Class 2 Root CA"
 #
 # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Not Valid Before: Tue Oct 26 08:38:03 2010
 # Not Valid After : Fri Oct 26 08:38:03 2040
 # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29
@@ -17942,182 +16718,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\010\144
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "TURKTRUST Certificate Services Provider Root 2007"
-#
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Serial Number: 1 (0x1)
-# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Not Valid Before: Tue Dec 25 18:37:19 2007
-# Not Valid After : Fri Dec 22 18:37:19 2017
-# Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
-# Fingerprint (SHA1): F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TURKTRUST Certificate Services Provider Root 2007"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
-\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
-\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
-\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
-\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
-\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
-\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
-\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
-\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
-\060\067
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
-\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
-\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
-\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
-\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
-\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
-\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
-\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
-\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
-\060\067
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\075\060\202\003\045\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303\234
-\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157\156
-\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
-\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
-\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124\122
-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
-\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234\122
-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
-\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060\060
-\067\060\036\027\015\060\067\061\062\062\065\061\070\063\067\061
-\071\132\027\015\061\067\061\062\062\062\061\070\063\067\061\071
-\132\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124
-\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
-\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
-\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
-\304\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002
-\124\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153
-\141\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303
-\234\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304
-\260\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154
-\151\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237
-\151\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305
-\236\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062
-\060\060\067\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\253\267\076\012\214\310\245\130\025\346\212\357
-\047\075\112\264\350\045\323\315\063\302\040\334\031\356\210\077
-\115\142\360\335\023\167\217\141\251\052\265\324\362\271\061\130
-\051\073\057\077\152\234\157\163\166\045\356\064\040\200\356\352
-\267\360\304\012\315\053\206\224\311\343\140\261\104\122\262\132
-\051\264\221\227\203\330\267\246\024\057\051\111\242\363\005\006
-\373\264\117\332\241\154\232\146\237\360\103\011\312\352\162\217
-\353\000\327\065\071\327\126\027\107\027\060\364\276\277\077\302
-\150\257\066\100\301\251\364\251\247\350\020\153\010\212\367\206
-\036\334\232\052\025\006\366\243\360\364\340\307\024\324\121\177
-\317\264\333\155\257\107\226\027\233\167\161\330\247\161\235\044
-\014\366\224\077\205\061\022\117\272\356\116\202\270\271\076\217
-\043\067\136\314\242\252\165\367\030\157\011\323\256\247\124\050
-\064\373\341\340\073\140\175\240\276\171\211\206\310\237\055\371
-\012\113\304\120\242\347\375\171\026\307\172\013\030\317\316\114
-\357\175\326\007\157\230\361\257\261\301\172\327\201\065\270\252
-\027\264\340\313\002\003\001\000\001\243\102\060\100\060\035\006
-\003\125\035\016\004\026\004\024\051\305\220\253\045\257\021\344
-\141\277\243\377\210\141\221\346\016\376\234\201\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
-\000\020\015\332\370\072\354\050\321\024\225\202\261\022\054\121
-\172\101\045\066\114\237\354\077\037\204\235\145\124\134\250\026
-\002\100\372\156\032\067\204\357\162\235\206\012\125\235\126\050
-\254\146\054\320\072\126\223\064\007\045\255\010\260\217\310\017
-\011\131\312\235\230\034\345\124\370\271\105\177\152\227\157\210
-\150\115\112\006\046\067\210\002\016\266\306\326\162\231\316\153
-\167\332\142\061\244\126\037\256\137\215\167\332\135\366\210\374
-\032\331\236\265\201\360\062\270\343\210\320\234\363\152\240\271
-\233\024\131\065\066\117\317\363\216\136\135\027\255\025\225\330
-\335\262\325\025\156\000\116\263\113\317\146\224\344\340\315\265
-\005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
-\135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
-\242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
-\354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
-\253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
-\062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
-\175
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "TURKTRUST Certificate Services Provider Root 2007"
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Serial Number: 1 (0x1)
-# Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Not Valid Before: Tue Dec 25 18:37:19 2007
-# Not Valid After : Fri Dec 22 18:37:19 2017
-# Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
-# Fingerprint (SHA1): F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TURKTRUST Certificate Services Provider Root 2007"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\361\177\157\266\061\334\231\343\243\310\177\376\034\361\201\020
-\210\331\140\063
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\053\160\040\126\206\202\240\030\310\007\123\022\050\160\041\162
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\277\061\077\060\075\006\003\125\004\003\014\066\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151
-\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304
-\261\163\304\261\061\013\060\011\006\003\125\004\006\023\002\124
-\122\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141
-\162\141\061\136\060\134\006\003\125\004\012\014\125\124\303\234
-\122\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260
-\154\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151
-\305\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151
-\040\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236
-\056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
-\060\067
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "D-TRUST Root Class 3 CA 2 2009"
 #
 # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623603 (0x983f3)
 # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Not Valid Before: Thu Nov 05 08:35:58 2009
 # Not Valid After : Mon Nov 05 08:35:58 2029
 # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
@@ -18394,279 +17004,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\011\203\364
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "PSCProcert"
-#
-# Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
-# Serial Number: 11 (0xb)
-# Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
-# Not Valid Before: Tue Dec 28 16:51:00 2010
-# Not Valid After : Fri Dec 25 23:59:59 2020
-# Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
-# Fingerprint (SHA1): 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "PSCProcert"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\321\061\046\060\044\006\011\052\206\110\206\367\015\001
-\011\001\026\027\143\157\156\164\141\143\164\157\100\160\162\157
-\143\145\162\164\056\156\145\164\056\166\145\061\017\060\015\006
-\003\125\004\007\023\006\103\150\141\143\141\157\061\020\060\016
-\006\003\125\004\010\023\007\115\151\162\141\156\144\141\061\052
-\060\050\006\003\125\004\013\023\041\120\162\157\166\145\145\144
-\157\162\040\144\145\040\103\145\162\164\151\146\151\143\141\144
-\157\163\040\120\122\117\103\105\122\124\061\066\060\064\006\003
-\125\004\012\023\055\123\151\163\164\145\155\141\040\116\141\143
-\151\157\156\141\154\040\144\145\040\103\145\162\164\151\146\151
-\143\141\143\151\157\156\040\105\154\145\143\164\162\157\156\151
-\143\141\061\013\060\011\006\003\125\004\006\023\002\126\105\061
-\023\060\021\006\003\125\004\003\023\012\120\123\103\120\162\157
-\143\145\162\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144
-\145\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157
-\154\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126
-\105\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141
-\143\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151
-\163\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066
-\060\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141
-\040\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162
-\164\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164
-\162\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023
-\072\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151
-\141\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144
-\145\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040
-\105\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006
-\011\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141
-\151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
-\166\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\013
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\011\206\060\202\007\156\240\003\002\001\002\002\001\013
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101\165
-\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144\145
-\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157\154
-\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126\105
-\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141\143
-\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151\163
-\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066\060
-\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141\040
-\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164\162
-\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023\072
-\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151\141
-\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144\145
-\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040\105
-\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006\011
-\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141\151
-\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056\166
-\145\060\036\027\015\061\060\061\062\062\070\061\066\065\061\060
-\060\132\027\015\062\060\061\062\062\065\062\063\065\071\065\071
-\132\060\201\321\061\046\060\044\006\011\052\206\110\206\367\015
-\001\011\001\026\027\143\157\156\164\141\143\164\157\100\160\162
-\157\143\145\162\164\056\156\145\164\056\166\145\061\017\060\015
-\006\003\125\004\007\023\006\103\150\141\143\141\157\061\020\060
-\016\006\003\125\004\010\023\007\115\151\162\141\156\144\141\061
-\052\060\050\006\003\125\004\013\023\041\120\162\157\166\145\145
-\144\157\162\040\144\145\040\103\145\162\164\151\146\151\143\141
-\144\157\163\040\120\122\117\103\105\122\124\061\066\060\064\006
-\003\125\004\012\023\055\123\151\163\164\145\155\141\040\116\141
-\143\151\157\156\141\154\040\144\145\040\103\145\162\164\151\146
-\151\143\141\143\151\157\156\040\105\154\145\143\164\162\157\156
-\151\143\141\061\013\060\011\006\003\125\004\006\023\002\126\105
-\061\023\060\021\006\003\125\004\003\023\012\120\123\103\120\162
-\157\143\145\162\164\060\202\002\042\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002
-\012\002\202\002\001\000\325\267\364\243\224\063\241\106\251\125
-\141\111\015\250\207\163\136\221\055\160\301\006\032\224\332\075
-\354\025\102\301\365\214\256\152\027\361\212\255\374\200\225\352
-\203\104\242\133\172\125\316\117\247\245\325\272\270\037\240\047
-\300\120\123\076\215\271\300\016\270\025\334\326\154\370\236\370
-\004\045\337\200\217\020\205\335\175\057\173\200\335\127\000\144
-\043\370\156\311\276\225\117\341\165\354\340\176\136\225\315\261
-\357\276\172\102\330\311\054\323\353\032\032\042\213\267\177\006
-\211\345\074\365\022\300\273\323\013\231\137\220\174\216\055\057
-\167\063\222\112\041\106\250\251\010\254\361\366\021\002\331\225
-\026\236\215\057\226\346\002\335\165\302\024\052\132\326\311\175
-\045\302\301\374\252\147\205\342\354\276\321\174\074\372\257\325
-\156\377\123\101\324\365\062\070\261\342\137\304\371\216\020\357
-\006\251\002\211\377\343\014\156\227\340\337\235\333\041\320\364
-\076\010\151\154\330\324\344\066\370\203\266\262\066\217\234\357
-\072\067\026\175\277\242\151\327\073\133\162\320\257\252\077\134
-\146\223\254\012\042\141\266\322\240\231\310\124\223\135\250\266
-\321\275\135\012\136\167\224\242\055\300\202\216\274\312\003\052
-\064\256\163\361\324\265\014\275\276\147\233\124\353\341\372\240
-\132\354\070\176\076\301\314\242\307\104\061\165\352\077\345\007
-\322\253\241\045\226\366\346\344\240\135\067\030\071\141\000\063
-\135\106\324\000\304\264\312\074\361\242\243\076\363\072\377\151
-\060\056\100\335\366\237\234\046\311\226\067\255\347\071\242\277
-\352\151\333\125\042\225\123\052\224\265\337\255\026\070\201\165
-\146\343\307\054\033\223\234\252\214\243\312\331\154\074\027\155
-\234\334\174\123\340\040\047\103\066\371\022\341\074\134\275\146
-\277\242\151\043\070\270\231\140\231\016\126\123\072\234\176\024
-\214\260\006\157\361\206\166\220\257\375\257\376\220\306\217\237
-\177\213\222\043\234\347\025\166\217\325\213\224\023\162\151\373
-\053\141\143\210\357\346\244\136\346\243\027\152\130\107\313\161
-\117\024\013\136\310\002\010\046\242\313\351\257\153\212\031\307
-\313\024\126\365\341\332\265\331\374\277\163\070\332\371\347\257
-\156\244\067\342\007\047\002\003\001\000\001\243\202\003\027\060
-\202\003\023\060\022\006\003\125\035\023\001\001\377\004\010\060
-\006\001\001\377\002\001\001\060\067\006\003\125\035\022\004\060
-\060\056\202\017\163\165\163\143\145\162\164\145\056\147\157\142
-\056\166\145\240\033\006\005\140\206\136\002\002\240\022\014\020
-\122\111\106\055\107\055\062\060\060\060\064\060\063\066\055\060
-\060\035\006\003\125\035\016\004\026\004\024\101\017\031\070\252
-\231\177\102\013\244\327\047\230\124\242\027\114\055\121\124\060
-\202\001\120\006\003\125\035\043\004\202\001\107\060\202\001\103
-\200\024\255\273\042\035\306\340\322\001\250\375\166\120\122\223
-\355\230\301\115\256\323\241\202\001\046\244\202\001\042\060\202
-\001\036\061\076\060\074\006\003\125\004\003\023\065\101\165\164
-\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151\146
-\151\143\141\143\151\157\156\040\122\141\151\172\040\144\145\154
-\040\105\163\164\141\144\157\040\126\145\156\145\172\157\154\141
-\156\157\061\013\060\011\006\003\125\004\006\023\002\126\105\061
-\020\060\016\006\003\125\004\007\023\007\103\141\162\141\143\141
-\163\061\031\060\027\006\003\125\004\010\023\020\104\151\163\164
-\162\151\164\157\040\103\141\160\151\164\141\154\061\066\060\064
-\006\003\125\004\012\023\055\123\151\163\164\145\155\141\040\116
-\141\143\151\157\156\141\154\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\105\154\145\143\164\162\157
-\156\151\143\141\061\103\060\101\006\003\125\004\013\023\072\123
-\165\160\145\162\151\156\164\145\156\144\145\156\143\151\141\040
-\144\145\040\123\145\162\166\151\143\151\157\163\040\144\145\040
-\103\145\162\164\151\146\151\143\141\143\151\157\156\040\105\154
-\145\143\164\162\157\156\151\143\141\061\045\060\043\006\011\052
-\206\110\206\367\015\001\011\001\026\026\141\143\162\141\151\172
-\100\163\165\163\143\145\162\164\145\056\147\157\142\056\166\145
-\202\001\012\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\115\006\003\125\035\021\004\106\060\104\202\016
-\160\162\157\143\145\162\164\056\156\145\164\056\166\145\240\025
-\006\005\140\206\136\002\001\240\014\014\012\120\123\103\055\060
-\060\060\060\060\062\240\033\006\005\140\206\136\002\002\240\022
-\014\020\122\111\106\055\112\055\063\061\066\063\065\063\067\063
-\055\067\060\166\006\003\125\035\037\004\157\060\155\060\106\240
-\104\240\102\206\100\150\164\164\160\072\057\057\167\167\167\056
-\163\165\163\143\145\162\164\145\056\147\157\142\056\166\145\057
-\154\143\162\057\103\105\122\124\111\106\111\103\101\104\117\055
-\122\101\111\132\055\123\110\101\063\070\064\103\122\114\104\105
-\122\056\143\162\154\060\043\240\041\240\037\206\035\154\144\141
-\160\072\057\057\141\143\162\141\151\172\056\163\165\163\143\145
-\162\164\145\056\147\157\142\056\166\145\060\067\006\010\053\006
-\001\005\005\007\001\001\004\053\060\051\060\047\006\010\053\006
-\001\005\005\007\060\001\206\033\150\164\164\160\072\057\057\157
-\143\163\160\056\163\165\163\143\145\162\164\145\056\147\157\142
-\056\166\145\060\101\006\003\125\035\040\004\072\060\070\060\066
-\006\006\140\206\136\003\001\002\060\054\060\052\006\010\053\006
-\001\005\005\007\002\001\026\036\150\164\164\160\072\057\057\167
-\167\167\056\163\165\163\143\145\162\164\145\056\147\157\142\056
-\166\145\057\144\160\143\060\015\006\011\052\206\110\206\367\015
-\001\001\013\005\000\003\202\002\001\000\053\131\353\042\231\273
-\204\252\117\336\220\306\321\206\161\043\236\113\003\221\107\160
-\273\300\222\140\354\340\324\347\155\306\323\355\147\203\167\122
-\325\362\345\167\247\066\262\343\124\276\331\273\012\233\021\357
-\141\364\306\231\063\231\365\257\000\071\215\203\277\246\275\065
-\176\054\134\061\064\157\154\333\363\144\001\230\252\224\054\101
-\335\025\206\312\153\051\116\026\300\111\374\327\203\110\023\007
-\121\204\061\122\210\273\206\027\307\153\057\212\040\255\305\013
-\217\160\076\052\273\033\161\217\271\244\240\375\330\225\331\257
-\131\277\045\053\230\351\143\223\057\140\036\304\252\370\167\365
-\213\154\057\355\176\056\265\117\100\015\356\274\127\167\347\331
-\266\324\077\225\047\072\040\325\345\256\253\154\065\237\301\241
-\035\131\334\204\201\356\115\007\342\110\266\236\113\225\055\101
-\261\341\350\336\176\057\005\036\150\356\277\273\220\145\072\310
-\356\352\261\030\067\034\142\223\244\240\061\354\161\154\221\346
-\244\171\211\132\024\247\024\120\005\114\244\000\127\060\054\301
-\265\141\226\334\076\036\204\257\071\102\317\345\320\054\261\044
-\274\337\100\303\355\177\143\112\275\341\117\022\144\206\225\363
-\260\347\310\267\341\123\275\222\346\363\014\226\271\353\350\346
-\222\355\247\201\011\024\013\374\225\172\317\217\326\064\117\066
-\022\334\136\321\064\165\306\106\200\057\225\004\214\307\206\304
-\250\046\211\250\077\031\233\201\273\121\244\112\206\253\013\021
-\017\261\256\143\123\155\050\352\335\063\126\070\034\262\255\200
-\323\327\162\275\232\154\231\143\350\000\273\101\166\005\267\133
-\231\030\212\303\270\022\134\126\317\126\014\175\350\342\317\355
-\274\164\107\373\356\323\027\116\042\117\126\377\120\363\056\346
-\071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
-\242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
-\154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
-\261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
-\142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
-\316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
-\376\206\364\274\340\032\161\263\142\246
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "PSCProcert"
-# Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
-# Serial Number: 11 (0xb)
-# Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
-# Not Valid Before: Tue Dec 28 16:51:00 2010
-# Not Valid After : Fri Dec 25 23:59:59 2020
-# Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
-# Fingerprint (SHA1): 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "PSCProcert"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\160\301\215\164\264\050\201\012\344\375\245\165\327\001\237\231
-\260\075\120\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\346\044\351\022\001\256\014\336\216\205\304\316\243\022\335\354
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\202\001\036\061\076\060\074\006\003\125\004\003\023\065\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\122\141\151\172\040\144
-\145\154\040\105\163\164\141\144\157\040\126\145\156\145\172\157
-\154\141\156\157\061\013\060\011\006\003\125\004\006\023\002\126
-\105\061\020\060\016\006\003\125\004\007\023\007\103\141\162\141
-\143\141\163\061\031\060\027\006\003\125\004\010\023\020\104\151
-\163\164\162\151\164\157\040\103\141\160\151\164\141\154\061\066
-\060\064\006\003\125\004\012\023\055\123\151\163\164\145\155\141
-\040\116\141\143\151\157\156\141\154\040\144\145\040\103\145\162
-\164\151\146\151\143\141\143\151\157\156\040\105\154\145\143\164
-\162\157\156\151\143\141\061\103\060\101\006\003\125\004\013\023
-\072\123\165\160\145\162\151\156\164\145\156\144\145\156\143\151
-\141\040\144\145\040\123\145\162\166\151\143\151\157\163\040\144
-\145\040\103\145\162\164\151\146\151\143\141\143\151\157\156\040
-\105\154\145\143\164\162\157\156\151\143\141\061\045\060\043\006
-\011\052\206\110\206\367\015\001\011\001\026\026\141\143\162\141
-\151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
-\166\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\013
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Swisscom Root CA 2"
 #
 # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
 # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Fri Jun 24 08:38:14 2011
 # Not Valid After : Wed Jun 25 07:38:14 2031
 # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
@@ -21312,343 +19659,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \165\134
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "WoSign"
-#
-# Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
-# Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
-# Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Aug 08 01:00:01 2009
-# Not Valid After : Mon Aug 08 01:00:01 2039
-# Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
-# Fingerprint (SHA1): B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "WoSign"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\125\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\052\060\050\006
-\003\125\004\003\023\041\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146
-\040\127\157\123\151\147\156
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\125\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\052\060\050\006
-\003\125\004\003\023\041\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146
-\040\127\157\123\151\147\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\136\150\326\021\161\224\143\120\126\000\150\363\076\311
-\305\221
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\166\060\202\003\136\240\003\002\001\002\002\020\136
-\150\326\021\161\224\143\120\126\000\150\363\076\311\305\221\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\125
-\061\013\060\011\006\003\125\004\006\023\002\103\116\061\032\060
-\030\006\003\125\004\012\023\021\127\157\123\151\147\156\040\103
-\101\040\114\151\155\151\164\145\144\061\052\060\050\006\003\125
-\004\003\023\041\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\040\157\146\040\127
-\157\123\151\147\156\060\036\027\015\060\071\060\070\060\070\060
-\061\060\060\060\061\132\027\015\063\071\060\070\060\070\060\061
-\060\060\060\061\132\060\125\061\013\060\011\006\003\125\004\006
-\023\002\103\116\061\032\060\030\006\003\125\004\012\023\021\127
-\157\123\151\147\156\040\103\101\040\114\151\155\151\164\145\144
-\061\052\060\050\006\003\125\004\003\023\041\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\157\146\040\127\157\123\151\147\156\060\202\002\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\002\017\000\060\202\002\012\002\202\002\001\000\275\312\215
-\254\270\221\025\126\227\173\153\134\172\302\336\153\331\241\260
-\303\020\043\372\247\241\262\314\061\372\076\331\246\051\157\026
-\075\340\153\370\270\100\137\333\071\250\000\172\213\240\115\124
-\175\302\042\170\374\216\011\270\250\205\327\314\225\227\113\164
-\330\236\176\360\000\344\016\211\256\111\050\104\032\020\231\062
-\017\045\210\123\244\015\263\017\022\010\026\013\003\161\047\034
-\177\341\333\322\375\147\150\304\005\135\012\016\135\160\327\330
-\227\240\274\123\101\232\221\215\364\236\066\146\172\176\126\301
-\220\137\346\261\150\040\066\244\214\044\054\054\107\013\131\166
-\146\060\265\276\336\355\217\370\235\323\273\001\060\346\362\363
-\016\340\054\222\200\363\205\371\050\212\264\124\056\232\355\367
-\166\374\025\150\026\353\112\154\353\056\022\217\324\317\376\014
-\307\134\035\013\176\005\062\276\136\260\011\052\102\325\311\116
-\220\263\131\015\273\172\176\315\325\010\132\264\177\330\034\151
-\021\371\047\017\173\006\257\124\203\030\173\341\335\124\172\121
-\150\156\167\374\306\277\122\112\146\106\241\262\147\032\273\243
-\117\167\240\276\135\377\374\126\013\103\162\167\220\312\236\371
-\362\071\365\015\251\364\352\327\347\263\020\057\060\102\067\041
-\314\060\160\311\206\230\017\314\130\115\203\273\175\345\032\245
-\067\215\266\254\062\227\000\072\143\161\044\036\236\067\304\377
-\164\324\067\300\342\376\210\106\140\021\335\010\077\120\066\253
-\270\172\244\225\142\152\156\260\312\152\041\132\151\363\363\373
-\035\160\071\225\363\247\156\246\201\211\241\210\305\073\161\312
-\243\122\356\203\273\375\240\167\364\344\157\347\102\333\155\112
-\231\212\064\110\274\027\334\344\200\010\042\266\362\061\300\077
-\004\076\353\237\040\171\326\270\006\144\144\002\061\327\251\315
-\122\373\204\105\151\011\000\052\334\125\213\304\006\106\113\300
-\112\035\011\133\071\050\375\251\253\316\000\371\056\110\113\046
-\346\060\114\245\130\312\264\104\202\117\347\221\036\063\303\260
-\223\377\021\374\201\322\312\037\161\051\335\166\117\222\045\257
-\035\201\267\017\057\214\303\006\314\057\047\243\112\344\016\231
-\272\174\036\105\037\177\252\031\105\226\375\374\075\002\003\001
-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
-\004\024\341\146\317\016\321\361\263\113\267\006\040\024\376\207
-\022\325\366\376\373\076\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\002\001\000\250\313\162\100\262\166
-\301\176\173\374\255\144\343\062\173\314\074\266\135\106\323\365
-\054\342\160\135\310\056\330\006\175\230\321\013\041\240\211\131
-\044\001\235\371\257\011\175\012\043\202\064\325\374\174\162\231
-\271\243\327\124\364\352\122\160\016\305\365\326\073\341\072\011
-\062\346\041\071\223\275\263\025\352\117\152\364\365\213\077\057
-\174\215\130\056\305\341\071\240\076\307\075\112\163\236\100\172
-\300\053\141\251\147\311\363\044\271\263\155\125\054\132\035\236
-\045\162\316\013\255\252\307\125\142\013\276\373\143\263\141\104
-\043\243\313\341\032\016\367\232\006\115\336\324\043\116\041\226
-\133\071\133\127\035\057\135\010\136\011\171\377\174\227\265\115
-\203\256\015\326\346\243\171\340\063\320\231\226\002\060\247\076
-\377\322\243\103\077\005\132\006\352\104\002\332\174\370\110\320
-\063\251\371\007\307\225\341\365\076\365\135\161\272\362\225\251
-\164\210\141\131\343\277\312\132\023\272\162\264\214\135\066\207
-\351\246\305\074\023\277\336\320\104\046\356\267\354\056\160\372
-\327\235\267\254\345\305\100\132\346\327\154\173\054\303\126\233
-\107\315\013\316\372\033\264\041\327\267\146\270\364\045\060\213
-\134\015\271\352\147\262\364\155\256\325\241\236\117\330\237\351
-\047\002\260\035\006\326\217\343\373\110\022\237\177\021\241\020
-\076\114\121\072\226\260\321\023\361\307\330\046\256\072\312\221
-\304\151\235\337\001\051\144\121\157\150\332\024\354\010\101\227
-\220\215\320\262\200\362\317\302\075\277\221\150\305\200\147\036
-\304\140\023\125\325\141\231\127\174\272\225\017\141\111\072\312
-\165\274\311\012\223\077\147\016\022\362\050\342\061\033\300\127
-\026\337\010\174\031\301\176\017\037\205\036\012\066\174\133\176
-\047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221
-\103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244
-\063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045
-\072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110
-\246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246
-\376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223
-\171\356\104\206\276\327\036\344\036\373
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "WoSign"
-# Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
-# Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
-# Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Aug 08 01:00:01 2009
-# Not Valid After : Mon Aug 08 01:00:01 2039
-# Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
-# Fingerprint (SHA1): B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "WoSign"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\271\102\224\277\221\352\217\266\113\346\020\227\307\373\000\023
-\131\266\166\313
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\241\362\371\265\322\310\172\164\270\363\005\361\327\341\204\215
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\125\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\052\060\050\006
-\003\125\004\003\023\041\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146
-\040\127\157\123\151\147\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\136\150\326\021\161\224\143\120\126\000\150\363\076\311
-\305\221
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "WoSign China"
-#
-# Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
-# Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
-# Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Aug 08 01:00:01 2009
-# Not Valid After : Mon Aug 08 01:00:01 2039
-# Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
-# Fingerprint (SHA1): 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "WoSign China"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\014\022\103\101\040\346\262\203\351\200\232\346
-\240\271\350\257\201\344\271\246
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\014\022\103\101\040\346\262\203\351\200\232\346
-\240\271\350\257\201\344\271\246
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021
-\110\215
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\130\060\202\003\100\240\003\002\001\002\002\020\120
-\160\153\315\330\023\374\033\116\073\063\162\322\021\110\215\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\106
-\061\013\060\011\006\003\125\004\006\023\002\103\116\061\032\060
-\030\006\003\125\004\012\023\021\127\157\123\151\147\156\040\103
-\101\040\114\151\155\151\164\145\144\061\033\060\031\006\003\125
-\004\003\014\022\103\101\040\346\262\203\351\200\232\346\240\271
-\350\257\201\344\271\246\060\036\027\015\060\071\060\070\060\070
-\060\061\060\060\060\061\132\027\015\063\071\060\070\060\070\060
-\061\060\060\060\061\132\060\106\061\013\060\011\006\003\125\004
-\006\023\002\103\116\061\032\060\030\006\003\125\004\012\023\021
-\127\157\123\151\147\156\040\103\101\040\114\151\155\151\164\145
-\144\061\033\060\031\006\003\125\004\003\014\022\103\101\040\346
-\262\203\351\200\232\346\240\271\350\257\201\344\271\246\060\202
-\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\320
-\111\041\036\045\374\207\301\052\302\254\333\166\206\006\116\347
-\320\164\064\334\355\145\065\374\120\326\210\077\244\360\177\353
-\017\137\171\057\211\261\375\274\143\130\067\223\233\070\370\267
-\133\251\372\330\161\307\264\274\200\227\215\154\113\361\120\325
-\052\051\252\250\031\172\226\346\225\216\164\355\227\012\127\165
-\364\005\333\155\013\071\271\001\177\252\366\326\332\154\346\005
-\340\244\115\122\374\333\320\164\267\021\214\173\215\117\377\207
-\203\256\377\005\003\023\127\120\067\376\214\226\122\020\114\137
-\277\224\161\151\331\226\076\014\103\117\276\060\300\237\071\164
-\117\006\105\135\243\326\126\071\150\007\314\207\117\120\167\223
-\161\331\104\010\261\212\064\351\211\254\333\233\116\341\331\344
-\122\105\214\056\024\037\221\153\031\035\150\051\054\126\304\342
-\036\023\127\144\360\141\343\271\021\337\260\341\127\240\033\255
-\327\137\321\257\333\053\055\077\320\150\216\017\352\237\017\213
-\065\130\033\023\034\364\336\065\241\012\135\326\352\337\022\157
-\300\373\151\007\106\162\334\201\366\004\043\027\340\115\165\341
-\162\157\260\050\353\233\341\341\203\241\237\112\135\257\314\233
-\372\002\040\266\030\142\167\221\073\243\325\145\255\334\174\220
-\167\034\104\101\244\112\213\353\225\162\351\366\011\144\334\250
-\055\237\164\170\350\301\242\011\143\234\357\240\333\117\235\225
-\253\040\117\267\260\367\207\134\246\240\344\067\070\307\134\343
-\065\017\054\255\243\200\242\354\056\135\300\317\355\213\005\302
-\346\163\156\366\211\325\365\322\106\216\352\155\143\033\036\212
-\311\175\246\370\234\353\345\325\143\205\115\163\146\151\021\376
-\310\016\364\301\307\146\111\123\176\344\031\153\361\351\172\131
-\243\155\176\305\027\346\047\306\357\033\333\157\374\015\115\006
-\001\264\016\134\060\106\125\140\257\070\145\072\312\107\272\254
-\054\314\106\037\262\106\226\077\363\355\046\005\356\167\241\152
-\153\176\055\155\130\134\112\324\216\147\270\361\332\325\106\212
-\047\371\021\362\311\102\376\116\336\337\037\134\304\244\206\207
-\026\063\241\247\027\030\245\015\344\005\345\053\302\053\013\242
-\225\220\271\375\140\074\116\211\076\347\234\356\037\273\001\002
-\003\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001
-\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
-\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016
-\004\026\004\024\340\115\277\334\233\101\135\023\350\144\360\247
-\351\025\244\341\201\301\272\061\060\015\006\011\052\206\110\206
-\367\015\001\001\013\005\000\003\202\002\001\000\152\212\160\070
-\131\266\332\213\030\310\276\052\323\266\031\325\146\051\172\135
-\315\133\057\163\034\046\116\243\175\157\253\267\051\115\246\351
-\245\021\203\247\071\163\257\020\104\222\346\045\135\117\141\372
-\310\006\276\116\113\357\376\363\061\376\306\174\160\012\101\130
-\332\350\231\113\226\311\170\274\230\174\002\051\355\011\200\346
-\012\072\202\002\052\342\311\057\310\126\031\046\356\170\034\043
-\375\367\223\145\116\347\363\230\230\257\315\335\331\236\100\210
-\061\050\072\253\056\013\260\254\014\044\372\172\046\230\363\022
-\141\020\364\135\027\367\176\342\170\227\124\342\214\350\051\272
-\214\020\062\275\335\063\153\070\206\176\071\075\016\003\162\247
-\135\171\217\105\212\131\256\133\041\156\061\106\325\131\215\317
-\025\137\335\061\045\317\333\140\326\201\104\162\051\002\127\366
-\226\324\326\377\352\051\333\071\305\270\054\212\032\215\316\313
-\347\102\061\206\005\150\016\236\024\335\000\220\272\151\105\010
-\333\156\220\201\206\247\052\005\077\346\204\071\370\267\371\127
-\137\114\244\171\132\020\014\136\325\153\377\065\137\005\121\036
-\154\243\165\251\317\120\203\323\174\364\146\367\202\215\075\014
-\175\350\337\173\250\016\033\054\234\256\100\160\207\332\355\247
-\026\202\132\276\065\154\040\116\042\141\331\274\121\172\315\172
-\141\334\113\021\371\376\147\064\317\056\004\146\141\134\127\227
-\043\214\363\206\033\110\337\052\257\247\301\377\330\216\076\003
-\273\330\052\260\372\024\045\262\121\153\206\103\205\056\007\043
-\026\200\215\114\373\264\143\073\314\303\164\355\033\243\036\376
-\065\017\137\174\035\026\206\365\016\303\225\361\057\257\135\045
-\073\121\346\327\166\101\070\321\113\003\071\050\245\036\221\162
-\324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215
-\034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336
-\211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117
-\302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010
-\364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165
-\330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327
-\234\313\051\213\070\112\013\016\220\215\272\241
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "WoSign China"
-# Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
-# Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
-# Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Aug 08 01:00:01 2009
-# Not Valid After : Mon Aug 08 01:00:01 2039
-# Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
-# Fingerprint (SHA1): 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "WoSign China"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\026\062\107\215\211\371\041\072\222\000\205\143\365\244\247\323
-\022\100\212\326
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\170\203\133\122\026\166\304\044\073\203\170\350\254\332\232\223
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\014\022\103\101\040\346\262\203\351\200\232\346
-\240\271\350\257\201\344\271\246
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021
-\110\215
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "COMODO RSA Certification Authority"
 #
 # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
 # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Not Valid Before: Tue Jan 19 00:00:00 2010
 # Not Valid After : Mon Jan 18 23:59:59 2038
 # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
@@ -24424,258 +22444,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \302\300
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Certification Authority of WoSign G2"
-#
-# Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
-# Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
-# Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Nov 08 00:58:58 2014
-# Not Valid After : Tue Nov 08 00:58:58 2044
-# Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
-# Fingerprint (SHA1): FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certification Authority of WoSign G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\130\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\055\060\053\006
-\003\125\004\003\023\044\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146
-\040\127\157\123\151\147\156\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\130\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\055\060\053\006
-\003\125\004\003\023\044\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146
-\040\127\157\123\151\147\156\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\153\045\332\212\210\235\174\274\017\005\263\261\172\141
-\105\104
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\174\060\202\002\144\240\003\002\001\002\002\020\153
-\045\332\212\210\235\174\274\017\005\263\261\172\141\105\104\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\130
-\061\013\060\011\006\003\125\004\006\023\002\103\116\061\032\060
-\030\006\003\125\004\012\023\021\127\157\123\151\147\156\040\103
-\101\040\114\151\155\151\164\145\144\061\055\060\053\006\003\125
-\004\003\023\044\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\040\157\146\040\127
-\157\123\151\147\156\040\107\062\060\036\027\015\061\064\061\061
-\060\070\060\060\065\070\065\070\132\027\015\064\064\061\061\060
-\070\060\060\065\070\065\070\132\060\130\061\013\060\011\006\003
-\125\004\006\023\002\103\116\061\032\060\030\006\003\125\004\012
-\023\021\127\157\123\151\147\156\040\103\101\040\114\151\155\151
-\164\145\144\061\055\060\053\006\003\125\004\003\023\044\103\145
-\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
-\157\162\151\164\171\040\157\146\040\127\157\123\151\147\156\040
-\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\276\305\304\240\042\200\111\117\277\331\207\021\306
-\123\341\273\017\275\140\177\257\366\202\016\037\334\260\216\075
-\227\340\120\074\217\072\357\146\073\105\007\233\040\370\343\327
-\045\206\065\220\026\242\135\157\060\031\010\207\013\177\006\262
-\235\142\217\336\257\222\245\140\324\053\200\232\122\077\365\232
-\203\351\064\132\313\331\325\142\134\346\016\340\337\006\230\016
-\200\174\312\264\035\023\210\153\016\250\044\167\003\320\356\133
-\363\312\151\221\065\071\126\305\155\343\367\075\117\136\223\070
-\044\312\030\351\044\313\222\003\335\314\034\075\011\160\344\040
-\344\361\256\254\273\163\151\243\143\072\017\105\017\241\112\232
-\302\321\143\254\313\020\370\075\346\116\050\267\353\304\225\261
-\254\375\136\253\372\101\313\135\235\113\334\364\174\166\357\147
-\177\000\172\215\322\240\032\134\115\042\341\265\332\335\166\263
-\324\166\337\136\270\213\230\310\024\124\314\153\027\222\267\340
-\112\277\111\224\141\013\070\220\217\135\044\154\045\173\073\171
-\331\342\176\235\255\237\230\241\006\374\170\024\140\127\370\356
-\200\167\261\002\003\001\000\001\243\102\060\100\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006
-\003\125\035\016\004\026\004\024\372\140\251\353\145\305\335\026
-\024\010\116\014\017\215\233\340\367\144\257\147\060\015\006\011
-\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001\000
-\127\303\172\066\202\234\215\230\342\253\100\252\107\217\307\247
-\133\355\174\347\075\146\132\073\061\273\337\363\026\063\221\374
-\174\173\245\302\246\146\343\252\260\267\047\230\077\111\327\140
-\147\147\077\066\117\112\313\361\024\372\132\207\050\034\355\217
-\101\062\306\225\371\175\332\275\173\133\302\260\041\343\217\106
-\334\041\070\103\164\114\373\060\370\027\162\301\062\374\310\221
-\027\304\314\130\067\116\013\314\132\367\041\065\050\203\154\140
-\055\104\353\122\214\120\075\265\154\022\327\372\011\273\154\262
-\112\261\305\211\344\374\323\122\330\141\027\376\172\224\204\217
-\171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310
-\237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340
-\054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060
-\132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102
-\111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273
-\135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340
-\217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Certification Authority of WoSign G2"
-# Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
-# Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
-# Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Nov 08 00:58:58 2014
-# Not Valid After : Tue Nov 08 00:58:58 2044
-# Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
-# Fingerprint (SHA1): FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certification Authority of WoSign G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\373\355\334\220\145\267\047\040\067\274\125\014\234\126\336\273
-\362\170\224\341
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\310\034\175\031\252\313\161\223\362\120\370\122\250\036\272\140
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\130\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\055\060\053\006
-\003\125\004\003\023\044\103\145\162\164\151\146\151\143\141\164
-\151\157\156\040\101\165\164\150\157\162\151\164\171\040\157\146
-\040\127\157\123\151\147\156\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\153\045\332\212\210\235\174\274\017\005\263\261\172\141
-\105\104
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "CA WoSign ECC Root"
-#
-# Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
-# Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
-# Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Nov 08 00:58:58 2014
-# Not Valid After : Tue Nov 08 00:58:58 2044
-# Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
-# Fingerprint (SHA1): D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CA WoSign ECC Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\023\022\103\101\040\127\157\123\151\147\156\040
-\105\103\103\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\023\022\103\101\040\127\157\123\151\147\156\040
-\105\103\103\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\150\112\130\160\200\153\360\217\002\372\366\336\350\260
-\220\220
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\011\060\202\001\217\240\003\002\001\002\002\020\150
-\112\130\160\200\153\360\217\002\372\366\336\350\260\220\220\060
-\012\006\010\052\206\110\316\075\004\003\003\060\106\061\013\060
-\011\006\003\125\004\006\023\002\103\116\061\032\060\030\006\003
-\125\004\012\023\021\127\157\123\151\147\156\040\103\101\040\114
-\151\155\151\164\145\144\061\033\060\031\006\003\125\004\003\023
-\022\103\101\040\127\157\123\151\147\156\040\105\103\103\040\122
-\157\157\164\060\036\027\015\061\064\061\061\060\070\060\060\065
-\070\065\070\132\027\015\064\064\061\061\060\070\060\060\065\070
-\065\070\132\060\106\061\013\060\011\006\003\125\004\006\023\002
-\103\116\061\032\060\030\006\003\125\004\012\023\021\127\157\123
-\151\147\156\040\103\101\040\114\151\155\151\164\145\144\061\033
-\060\031\006\003\125\004\003\023\022\103\101\040\127\157\123\151
-\147\156\040\105\103\103\040\122\157\157\164\060\166\060\020\006
-\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003
-\142\000\004\341\375\216\270\103\044\253\226\173\205\302\272\013
-\255\215\340\072\343\044\271\322\261\276\210\072\312\277\112\270
-\371\357\054\057\257\121\120\074\107\165\154\370\224\267\233\374
-\050\036\305\124\314\143\235\026\113\123\301\347\040\253\315\254
-\045\322\177\217\302\301\132\202\136\060\213\172\124\316\003\265
-\221\177\252\224\320\321\212\110\314\202\005\046\241\325\121\022
-\326\173\066\243\102\060\100\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004
-\026\004\024\252\375\325\132\243\366\207\213\062\205\375\321\062
-\133\200\105\223\363\003\270\060\012\006\010\052\206\110\316\075
-\004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201
-\325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153
-\371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312
-\205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367
-\151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073
-\177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046
-\056\153\361\221\262\220\145\364\232\346\220\356\112
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "CA WoSign ECC Root"
-# Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
-# Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
-# Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
-# Not Valid Before: Sat Nov 08 00:58:58 2014
-# Not Valid After : Tue Nov 08 00:58:58 2044
-# Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
-# Fingerprint (SHA1): D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CA WoSign ECC Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\322\172\322\276\355\224\300\241\074\307\045\041\352\135\161\276
-\201\031\363\053
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\200\306\123\356\141\202\050\162\360\377\041\271\027\312\262\040
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\106\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\032\060\030\006\003\125\004\012\023\021\127\157\123\151\147\156
-\040\103\101\040\114\151\155\151\164\145\144\061\033\060\031\006
-\003\125\004\003\023\022\103\101\040\127\157\123\151\147\156\040
-\105\103\103\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\150\112\130\160\200\153\360\217\002\372\366\336\350\260
-\220\220
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "SZAFIR ROOT CA2"
 #
 # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
 # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Not Valid Before: Mon Oct 19 07:43:30 2015
 # Not Valid After : Fri Oct 19 07:43:30 2035
 # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
@@ -27868,8 +25646,1289 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GDCA TrustAUTH R5 ROOT"
+#
+# Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN
+# Serial Number:7d:09:97:fe:f0:47:ea:7a
+# Subject: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN
+# Not Valid Before: Wed Nov 26 05:13:15 2014
+# Not Valid After : Mon Dec 31 15:59:59 2040
+# Fingerprint (SHA-256): BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93
+# Fingerprint (SHA1): 0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GDCA TrustAUTH R5 ROOT"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\062\060\060\006\003\125\004\012\014\051\107\125\101\116\107\040
+\104\117\116\107\040\103\105\122\124\111\106\111\103\101\124\105
+\040\101\125\124\110\117\122\111\124\131\040\103\117\056\054\114
+\124\104\056\061\037\060\035\006\003\125\004\003\014\026\107\104
+\103\101\040\124\162\165\163\164\101\125\124\110\040\122\065\040
+\122\117\117\124
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\062\060\060\006\003\125\004\012\014\051\107\125\101\116\107\040
+\104\117\116\107\040\103\105\122\124\111\106\111\103\101\124\105
+\040\101\125\124\110\117\122\111\124\131\040\103\117\056\054\114
+\124\104\056\061\037\060\035\006\003\125\004\003\014\026\107\104
+\103\101\040\124\162\165\163\164\101\125\124\110\040\122\065\040
+\122\117\117\124
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\175\011\227\376\360\107\352\172
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\210\060\202\003\160\240\003\002\001\002\002\010\175
+\011\227\376\360\107\352\172\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\142\061\013\060\011\006\003\125\004
+\006\023\002\103\116\061\062\060\060\006\003\125\004\012\014\051
+\107\125\101\116\107\040\104\117\116\107\040\103\105\122\124\111
+\106\111\103\101\124\105\040\101\125\124\110\117\122\111\124\131
+\040\103\117\056\054\114\124\104\056\061\037\060\035\006\003\125
+\004\003\014\026\107\104\103\101\040\124\162\165\163\164\101\125
+\124\110\040\122\065\040\122\117\117\124\060\036\027\015\061\064
+\061\061\062\066\060\065\061\063\061\065\132\027\015\064\060\061
+\062\063\061\061\065\065\071\065\071\132\060\142\061\013\060\011
+\006\003\125\004\006\023\002\103\116\061\062\060\060\006\003\125
+\004\012\014\051\107\125\101\116\107\040\104\117\116\107\040\103
+\105\122\124\111\106\111\103\101\124\105\040\101\125\124\110\117
+\122\111\124\131\040\103\117\056\054\114\124\104\056\061\037\060
+\035\006\003\125\004\003\014\026\107\104\103\101\040\124\162\165
+\163\164\101\125\124\110\040\122\065\040\122\117\117\124\060\202
+\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\331
+\243\026\360\310\164\164\167\233\357\063\015\073\006\176\125\374
+\265\140\217\166\206\022\102\175\126\146\076\210\202\355\162\143
+\016\236\213\335\064\054\002\121\121\303\031\375\131\124\204\311
+\361\153\263\114\260\351\350\106\135\070\306\242\247\056\021\127
+\272\202\025\242\234\217\155\260\231\112\012\362\353\211\160\143
+\116\171\304\267\133\275\242\135\261\362\101\002\053\255\251\072
+\243\354\171\012\354\137\072\343\375\357\200\074\255\064\233\032
+\253\210\046\173\126\242\202\206\037\353\065\211\203\177\137\256
+\051\116\075\266\156\354\256\301\360\047\233\256\343\364\354\357
+\256\177\367\206\075\162\172\353\245\373\131\116\247\353\225\214
+\042\071\171\341\055\010\217\314\274\221\270\101\367\024\301\043
+\251\303\255\232\105\104\263\262\327\054\315\306\051\342\120\020
+\256\134\313\202\216\027\030\066\175\227\346\210\232\260\115\064
+\011\364\054\271\132\146\052\260\027\233\236\036\166\235\112\146
+\061\101\337\077\373\305\006\357\033\266\176\032\106\066\367\144
+\143\073\343\071\030\043\347\147\165\024\325\165\127\222\067\275
+\276\152\033\046\120\362\066\046\006\220\305\160\001\144\155\166
+\146\341\221\333\156\007\300\141\200\056\262\056\057\214\160\247
+\321\073\074\263\221\344\156\266\304\073\160\362\154\222\227\011
+\315\107\175\030\300\363\273\236\017\326\213\256\007\266\132\017
+\316\013\014\107\247\345\076\270\275\175\307\233\065\240\141\227
+\072\101\165\027\314\053\226\167\052\222\041\036\331\225\166\040
+\147\150\317\015\275\337\326\037\011\152\232\342\314\163\161\244
+\057\175\022\200\267\123\060\106\136\113\124\231\017\147\311\245
+\310\362\040\301\202\354\235\021\337\302\002\373\032\073\321\355
+\040\232\357\145\144\222\020\015\052\342\336\160\361\030\147\202
+\214\141\336\270\274\321\057\234\373\017\320\053\355\033\166\271
+\344\071\125\370\370\241\035\270\252\200\000\114\202\347\262\177
+\011\270\274\060\240\057\015\365\122\236\216\367\222\263\012\000
+\035\000\124\227\006\340\261\007\331\307\017\134\145\175\074\155
+\131\127\344\355\245\215\351\100\123\237\025\113\240\161\366\032
+\041\343\332\160\006\041\130\024\207\205\167\171\252\202\171\002
+\003\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004
+\026\004\024\342\311\100\237\115\316\350\232\241\174\317\016\077
+\145\305\051\210\152\031\121\060\017\006\003\125\035\023\001\001
+\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001
+\001\377\004\004\003\002\001\206\060\015\006\011\052\206\110\206
+\367\015\001\001\013\005\000\003\202\002\001\000\321\111\127\340
+\247\314\150\130\272\001\017\053\031\315\215\260\141\105\254\021
+\355\143\120\151\370\037\177\276\026\217\375\235\353\013\252\062
+\107\166\322\147\044\355\275\174\063\062\227\052\307\005\206\146
+\015\027\175\024\025\033\324\353\375\037\232\366\136\227\151\267
+\032\045\244\012\263\221\077\137\066\254\213\354\127\250\076\347
+\201\212\030\127\071\205\164\032\102\307\351\133\023\137\217\371
+\010\351\222\164\215\365\107\322\253\073\326\373\170\146\116\066
+\175\371\351\222\351\004\336\375\111\143\374\155\373\024\161\223
+\147\057\107\112\267\271\377\036\052\163\160\106\060\277\132\362
+\057\171\245\341\215\014\331\371\262\143\067\214\067\145\205\160
+\152\134\133\011\162\271\255\143\074\261\335\370\374\062\277\067
+\206\344\273\216\230\047\176\272\037\026\341\160\021\362\003\337
+\045\142\062\047\046\030\062\204\237\377\000\072\023\272\232\115
+\364\117\270\024\160\042\261\312\053\220\316\051\301\160\364\057
+\235\177\362\220\036\326\132\337\267\106\374\346\206\372\313\340
+\040\166\172\272\246\313\365\174\336\142\245\261\213\356\336\202
+\146\212\116\072\060\037\077\200\313\255\047\272\014\136\327\320
+\261\126\312\167\161\262\265\165\241\120\251\100\103\027\302\050
+\331\317\122\213\133\310\143\324\102\076\240\063\172\106\056\367
+\012\040\106\124\176\152\117\061\361\201\176\102\164\070\145\163
+\047\356\306\174\270\216\327\245\072\327\230\241\234\214\020\125
+\323\333\113\354\100\220\362\315\156\127\322\142\016\174\127\223
+\261\247\155\315\235\203\273\052\347\345\266\073\161\130\255\375
+\321\105\274\132\221\356\123\025\157\323\105\011\165\156\272\220
+\135\036\004\317\067\337\036\250\146\261\214\346\040\152\357\374
+\110\116\164\230\102\257\051\157\056\152\307\373\175\321\146\061
+\042\314\206\000\176\146\203\014\102\364\275\064\222\303\032\352
+\117\312\176\162\115\013\160\214\246\110\273\246\241\024\366\373
+\130\104\231\024\256\252\013\223\151\240\051\045\112\245\313\053
+\335\212\146\007\026\170\025\127\161\033\354\365\107\204\363\236
+\061\067\172\325\177\044\255\344\274\375\375\314\156\203\350\014
+\250\267\101\154\007\335\275\074\206\227\057\322
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GDCA TrustAUTH R5 ROOT"
+# Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN
+# Serial Number:7d:09:97:fe:f0:47:ea:7a
+# Subject: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN
+# Not Valid Before: Wed Nov 26 05:13:15 2014
+# Not Valid After : Mon Dec 31 15:59:59 2040
+# Fingerprint (SHA-256): BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93
+# Fingerprint (SHA1): 0F:36:38:5B:81:1A:25:C3:9B:31:4E:83:CA:E9:34:66:70:CC:74:B4
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GDCA TrustAUTH R5 ROOT"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\017\066\070\133\201\032\045\303\233\061\116\203\312\351\064\146
+\160\314\164\264
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\143\314\331\075\064\065\134\157\123\243\342\010\160\110\037\264
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\142\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\062\060\060\006\003\125\004\012\014\051\107\125\101\116\107\040
+\104\117\116\107\040\103\105\122\124\111\106\111\103\101\124\105
+\040\101\125\124\110\117\122\111\124\131\040\103\117\056\054\114
+\124\104\056\061\037\060\035\006\003\125\004\003\014\026\107\104
+\103\101\040\124\162\165\163\164\101\125\124\110\040\122\065\040
+\122\117\117\124
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\175\011\227\376\360\107\352\172
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TrustCor RootCert CA-1"
+#
+# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Serial Number:00:da:9b:ec:71:f3:03:b0:19
+# Subject: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Not Valid Before: Thu Feb 04 12:32:16 2016
+# Not Valid After : Mon Dec 31 17:23:16 2029
+# Fingerprint (SHA-256): D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C
+# Fingerprint (SHA1): FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TrustCor RootCert CA-1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014
+\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145
+\162\164\040\103\101\055\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014
+\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145
+\162\164\040\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\332\233\354\161\363\003\260\031
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\060\060\202\003\030\240\003\002\001\002\002\011\000
+\332\233\354\161\363\003\260\031\060\015\006\011\052\206\110\206
+\367\015\001\001\013\005\000\060\201\244\061\013\060\011\006\003
+\125\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010
+\014\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004
+\007\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044
+\060\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157
+\162\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040
+\122\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124
+\162\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143
+\141\164\145\040\101\165\164\150\157\162\151\164\171\061\037\060
+\035\006\003\125\004\003\014\026\124\162\165\163\164\103\157\162
+\040\122\157\157\164\103\145\162\164\040\103\101\055\061\060\036
+\027\015\061\066\060\062\060\064\061\062\063\062\061\066\132\027
+\015\062\071\061\062\063\061\061\067\062\063\061\066\132\060\201
+\244\061\013\060\011\006\003\125\004\006\023\002\120\101\061\017
+\060\015\006\003\125\004\010\014\006\120\141\156\141\155\141\061
+\024\060\022\006\003\125\004\007\014\013\120\141\156\141\155\141
+\040\103\151\164\171\061\044\060\042\006\003\125\004\012\014\033
+\124\162\165\163\164\103\157\162\040\123\171\163\164\145\155\163
+\040\123\056\040\144\145\040\122\056\114\056\061\047\060\045\006
+\003\125\004\013\014\036\124\162\165\163\164\103\157\162\040\103
+\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157
+\162\151\164\171\061\037\060\035\006\003\125\004\003\014\026\124
+\162\165\163\164\103\157\162\040\122\157\157\164\103\145\162\164
+\040\103\101\055\061\060\202\001\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
+\012\002\202\001\001\000\277\216\267\225\342\302\046\022\153\063
+\031\307\100\130\012\253\131\252\215\000\243\374\200\307\120\173
+\216\324\040\046\272\062\022\330\043\124\111\045\020\042\230\235
+\106\322\301\311\236\116\033\056\054\016\070\363\032\045\150\034
+\246\132\005\346\036\213\110\277\230\226\164\076\151\312\351\265
+\170\245\006\274\325\000\136\011\012\362\047\172\122\374\055\325
+\261\352\264\211\141\044\363\032\023\333\251\317\122\355\014\044
+\272\271\236\354\176\000\164\372\223\255\154\051\222\256\121\264
+\273\323\127\277\263\363\250\215\234\364\044\113\052\326\231\236
+\364\236\376\300\176\102\072\347\013\225\123\332\267\150\016\220
+\114\373\160\077\217\112\054\224\363\046\335\143\151\251\224\330
+\020\116\305\107\010\220\231\033\027\115\271\154\156\357\140\225
+\021\216\041\200\265\275\240\163\330\320\262\167\304\105\352\132
+\046\373\146\166\166\370\006\037\141\155\017\125\305\203\267\020
+\126\162\006\007\245\363\261\032\003\005\144\016\235\132\212\326
+\206\160\033\044\336\376\050\212\053\320\152\260\374\172\242\334
+\262\171\016\213\145\017\002\003\001\000\001\243\143\060\141\060
+\035\006\003\125\035\016\004\026\004\024\356\153\111\074\172\077
+\015\343\261\011\267\212\310\253\031\237\163\063\120\347\060\037
+\006\003\125\035\043\004\030\060\026\200\024\356\153\111\074\172
+\077\015\343\261\011\267\212\310\253\031\237\163\063\120\347\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
+\202\001\001\000\045\030\324\221\217\023\356\217\036\035\021\123
+\332\055\104\051\031\240\036\153\061\236\115\016\236\255\075\134
+\101\157\225\053\044\241\171\230\072\070\066\373\273\146\236\110
+\377\220\220\357\075\324\270\233\264\207\165\077\040\233\316\162
+\317\241\125\301\115\144\242\031\006\241\007\063\014\013\051\345
+\361\352\253\243\354\265\012\164\220\307\175\162\362\327\134\237
+\221\357\221\213\267\334\355\146\242\317\216\146\073\274\237\072
+\002\340\047\335\026\230\300\225\324\012\244\344\201\232\165\224
+\065\234\220\137\210\067\006\255\131\225\012\260\321\147\323\031
+\312\211\347\062\132\066\034\076\202\250\132\223\276\306\320\144
+\221\266\317\331\266\030\317\333\176\322\145\243\246\304\216\027
+\061\301\373\176\166\333\323\205\343\130\262\167\172\166\073\154
+\057\120\034\347\333\366\147\171\037\365\202\225\232\007\247\024
+\257\217\334\050\041\147\011\322\326\115\132\034\031\034\216\167
+\134\303\224\044\075\062\153\113\176\324\170\224\203\276\067\115
+\316\137\307\036\116\074\340\211\063\225\013\017\245\062\326\074
+\132\171\054\031
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "TrustCor RootCert CA-1"
+# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Serial Number:00:da:9b:ec:71:f3:03:b0:19
+# Subject: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Not Valid Before: Thu Feb 04 12:32:16 2016
+# Not Valid After : Mon Dec 31 17:23:16 2029
+# Fingerprint (SHA-256): D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C
+# Fingerprint (SHA1): FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TrustCor RootCert CA-1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\377\275\315\347\202\310\103\136\074\157\046\206\134\312\250\072
+\105\133\303\012
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\156\205\361\334\032\000\323\042\325\262\262\254\153\067\005\105
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014
+\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145
+\162\164\040\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\332\233\354\161\363\003\260\031
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TrustCor RootCert CA-2"
+#
+# Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Serial Number:25:a1:df:ca:33:cb:59:02
+# Subject: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Not Valid Before: Thu Feb 04 12:32:23 2016
+# Not Valid After : Sun Dec 31 17:26:39 2034
+# Fingerprint (SHA-256): 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65
+# Fingerprint (SHA1): B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TrustCor RootCert CA-2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014
+\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145
+\162\164\040\103\101\055\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014
+\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145
+\162\164\040\103\101\055\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\045\241\337\312\063\313\131\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\057\060\202\004\027\240\003\002\001\002\002\010\045
+\241\337\312\063\313\131\002\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\201\244\061\013\060\011\006\003\125
+\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010\014
+\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004\007
+\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044\060
+\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157\162
+\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040\122
+\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124\162
+\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143\141
+\164\145\040\101\165\164\150\157\162\151\164\171\061\037\060\035
+\006\003\125\004\003\014\026\124\162\165\163\164\103\157\162\040
+\122\157\157\164\103\145\162\164\040\103\101\055\062\060\036\027
+\015\061\066\060\062\060\064\061\062\063\062\062\063\132\027\015
+\063\064\061\062\063\061\061\067\062\066\063\071\132\060\201\244
+\061\013\060\011\006\003\125\004\006\023\002\120\101\061\017\060
+\015\006\003\125\004\010\014\006\120\141\156\141\155\141\061\024
+\060\022\006\003\125\004\007\014\013\120\141\156\141\155\141\040
+\103\151\164\171\061\044\060\042\006\003\125\004\012\014\033\124
+\162\165\163\164\103\157\162\040\123\171\163\164\145\155\163\040
+\123\056\040\144\145\040\122\056\114\056\061\047\060\045\006\003
+\125\004\013\014\036\124\162\165\163\164\103\157\162\040\103\145
+\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162
+\151\164\171\061\037\060\035\006\003\125\004\003\014\026\124\162
+\165\163\164\103\157\162\040\122\157\157\164\103\145\162\164\040
+\103\101\055\062\060\202\002\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
+\002\202\002\001\000\247\040\156\302\052\242\142\044\225\220\166
+\310\070\176\200\322\253\301\233\145\005\224\364\301\012\020\325
+\002\254\355\237\223\307\207\310\260\047\053\102\014\075\012\076
+\101\132\236\165\335\215\312\340\233\354\150\062\244\151\222\150
+\214\013\201\016\126\240\076\032\335\054\045\024\202\057\227\323
+\144\106\364\124\251\334\072\124\055\061\053\231\202\362\331\052
+\327\357\161\000\270\061\244\276\172\044\007\303\102\040\362\212
+\324\222\004\033\145\126\114\154\324\373\266\141\132\107\043\264
+\330\151\264\267\072\320\164\074\014\165\241\214\116\166\241\351
+\333\052\245\073\372\316\260\377\176\152\050\375\047\034\310\261
+\351\051\361\127\156\144\264\320\301\025\155\016\276\056\016\106
+\310\136\364\121\376\357\016\143\072\073\161\272\317\157\131\312
+\014\343\233\135\111\270\114\342\127\261\230\212\102\127\234\166
+\357\357\275\321\150\250\322\364\011\273\167\065\276\045\202\010
+\304\026\054\104\040\126\251\104\021\167\357\135\264\035\252\136
+\153\076\213\062\366\007\057\127\004\222\312\365\376\235\302\351
+\350\263\216\114\113\002\061\331\344\074\110\202\047\367\030\202
+\166\110\072\161\261\023\241\071\325\056\305\064\302\035\142\205
+\337\003\376\115\364\257\075\337\134\133\215\372\160\341\245\176
+\047\307\206\056\152\217\022\306\204\136\103\121\120\234\031\233
+\170\346\374\366\355\107\176\173\075\146\357\023\023\210\137\074
+\241\143\373\371\254\207\065\237\363\202\236\244\077\012\234\061
+\151\213\231\244\210\112\216\156\146\115\357\026\304\017\171\050
+\041\140\015\205\026\175\327\124\070\361\222\126\375\265\063\114
+\203\334\327\020\237\113\375\306\370\102\275\272\174\163\002\340
+\377\175\315\133\341\324\254\141\173\127\325\112\173\133\324\205
+\130\047\135\277\370\053\140\254\240\046\256\024\041\047\306\167
+\232\063\200\074\136\106\077\367\303\261\243\206\063\306\350\136
+\015\271\065\054\252\106\301\205\002\165\200\240\353\044\373\025
+\252\344\147\177\156\167\077\364\004\212\057\174\173\343\027\141
+\360\335\011\251\040\310\276\011\244\320\176\104\303\262\060\112
+\070\252\251\354\030\232\007\202\053\333\270\234\030\255\332\340
+\106\027\254\317\135\002\003\001\000\001\243\143\060\141\060\035
+\006\003\125\035\016\004\026\004\024\331\376\041\100\156\224\236
+\274\233\075\234\175\230\040\031\345\214\060\142\262\060\037\006
+\003\125\035\043\004\030\060\026\200\024\331\376\041\100\156\224
+\236\274\233\075\234\175\230\040\031\345\214\060\142\262\060\017
+\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
+\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
+\002\001\000\236\105\236\014\073\266\357\341\072\310\174\321\000
+\075\317\342\352\006\265\262\072\273\006\113\150\172\320\043\227
+\164\247\054\360\010\330\171\132\327\132\204\212\330\022\232\033
+\331\175\134\115\160\305\245\371\253\345\243\211\211\335\001\372
+\354\335\371\351\222\227\333\260\106\102\363\323\142\252\225\376
+\061\147\024\151\130\220\012\252\013\356\067\043\307\120\121\264
+\365\176\236\343\173\367\344\314\102\062\055\111\014\313\377\111
+\014\233\036\064\375\156\156\226\212\171\003\266\157\333\011\313
+\375\137\145\024\067\341\070\365\363\141\026\130\344\265\155\015
+\013\004\033\077\120\055\177\263\307\172\032\026\200\140\370\212
+\037\351\033\052\306\371\272\001\032\151\277\322\130\307\124\127
+\010\217\341\071\140\167\113\254\131\204\032\210\361\335\313\117
+\170\327\347\341\063\055\374\356\101\372\040\260\276\313\367\070
+\224\300\341\320\205\017\273\355\054\163\253\355\376\222\166\032
+\144\177\133\015\063\011\007\063\173\006\077\021\244\134\160\074
+\205\300\317\343\220\250\203\167\372\333\346\305\214\150\147\020
+\147\245\122\055\360\304\231\217\177\277\321\153\342\265\107\326
+\331\320\205\231\115\224\233\017\113\215\356\000\132\107\035\021
+\003\254\101\030\257\207\267\157\014\072\217\312\317\334\003\301
+\242\011\310\345\375\200\136\310\140\102\001\033\032\123\132\273
+\067\246\267\274\272\204\351\036\154\032\324\144\332\324\103\376
+\223\213\113\362\054\171\026\020\324\223\013\210\217\241\330\206
+\024\106\221\107\233\050\044\357\127\122\116\134\102\234\252\367
+\111\354\047\350\100\036\263\246\211\042\162\234\365\015\063\264
+\130\243\060\073\335\324\152\124\223\276\032\115\363\223\224\367
+\374\204\013\077\204\040\134\064\003\104\305\332\255\274\012\301
+\002\317\036\345\224\331\363\216\133\330\114\360\235\354\141\027
+\273\024\062\124\014\002\051\223\036\222\206\366\177\357\347\222
+\005\016\131\335\231\010\056\056\372\234\000\122\323\305\146\051
+\344\247\227\104\244\016\050\201\023\065\305\366\157\144\346\101
+\304\325\057\314\064\105\045\317\101\000\226\075\112\056\302\226
+\230\117\116\112\234\227\267\333\037\222\062\310\377\017\121\156
+\326\354\011
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "TrustCor RootCert CA-2"
+# Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Serial Number:25:a1:df:ca:33:cb:59:02
+# Subject: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Not Valid Before: Thu Feb 04 12:32:23 2016
+# Not Valid After : Sun Dec 31 17:26:39 2034
+# Fingerprint (SHA-256): 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65
+# Fingerprint (SHA1): B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TrustCor RootCert CA-2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\270\276\155\313\126\361\125\271\143\324\022\312\116\006\064\307
+\224\262\034\300
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\242\341\370\030\013\272\105\325\307\101\052\273\067\122\105\144
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\244\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\037\060\035\006\003\125\004\003\014
+\026\124\162\165\163\164\103\157\162\040\122\157\157\164\103\145
+\162\164\040\103\101\055\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\045\241\337\312\063\313\131\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TrustCor ECA-1"
+#
+# Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Serial Number:00:84:82:2c:5f:1c:62:d0:40
+# Subject: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Not Valid Before: Thu Feb 04 12:32:33 2016
+# Not Valid After : Mon Dec 31 17:28:07 2029
+# Fingerprint (SHA-256): 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C
+# Fingerprint (SHA1): 58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TrustCor ECA-1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\027\060\025\006\003\125\004\003\014
+\016\124\162\165\163\164\103\157\162\040\105\103\101\055\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\027\060\025\006\003\125\004\003\014
+\016\124\162\165\163\164\103\157\162\040\105\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\204\202\054\137\034\142\320\100
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\040\060\202\003\010\240\003\002\001\002\002\011\000
+\204\202\054\137\034\142\320\100\060\015\006\011\052\206\110\206
+\367\015\001\001\013\005\000\060\201\234\061\013\060\011\006\003
+\125\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010
+\014\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004
+\007\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044
+\060\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157
+\162\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040
+\122\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124
+\162\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143
+\141\164\145\040\101\165\164\150\157\162\151\164\171\061\027\060
+\025\006\003\125\004\003\014\016\124\162\165\163\164\103\157\162
+\040\105\103\101\055\061\060\036\027\015\061\066\060\062\060\064
+\061\062\063\062\063\063\132\027\015\062\071\061\062\063\061\061
+\067\062\070\060\067\132\060\201\234\061\013\060\011\006\003\125
+\004\006\023\002\120\101\061\017\060\015\006\003\125\004\010\014
+\006\120\141\156\141\155\141\061\024\060\022\006\003\125\004\007
+\014\013\120\141\156\141\155\141\040\103\151\164\171\061\044\060
+\042\006\003\125\004\012\014\033\124\162\165\163\164\103\157\162
+\040\123\171\163\164\145\155\163\040\123\056\040\144\145\040\122
+\056\114\056\061\047\060\045\006\003\125\004\013\014\036\124\162
+\165\163\164\103\157\162\040\103\145\162\164\151\146\151\143\141
+\164\145\040\101\165\164\150\157\162\151\164\171\061\027\060\025
+\006\003\125\004\003\014\016\124\162\165\163\164\103\157\162\040
+\105\103\101\055\061\060\202\001\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
+\012\002\202\001\001\000\317\217\340\021\265\237\250\166\166\333
+\337\017\124\357\163\143\051\202\255\107\306\243\153\355\376\137
+\063\370\103\121\351\032\063\221\061\027\240\164\304\324\247\001
+\346\262\222\076\152\235\355\016\371\164\230\100\323\077\003\200
+\006\202\100\350\261\342\247\121\247\035\203\046\153\253\336\372
+\027\221\053\330\306\254\036\261\236\031\001\325\227\246\352\015
+\267\304\125\037\047\174\322\010\325\166\037\051\025\207\100\071
+\335\070\105\021\165\320\232\247\064\340\277\315\310\122\035\271
+\107\176\015\270\273\306\014\366\163\127\026\132\176\103\221\037
+\125\072\306\155\104\004\252\234\251\234\247\114\211\027\203\256
+\243\004\136\122\200\213\036\022\045\021\031\327\014\175\175\061
+\104\101\352\333\257\260\034\357\201\320\054\305\232\041\233\075
+\355\102\073\120\046\362\354\316\161\141\006\142\041\124\116\177
+\301\235\076\177\040\214\200\313\052\330\227\142\310\203\063\221
+\175\260\242\132\017\127\350\073\314\362\045\262\324\174\057\354
+\115\306\241\072\025\172\347\266\135\065\365\366\110\112\066\105
+\146\324\272\230\130\301\002\003\001\000\001\243\143\060\141\060
+\035\006\003\125\035\016\004\026\004\024\104\236\110\365\314\155
+\110\324\240\113\177\376\131\044\057\203\227\231\232\206\060\037
+\006\003\125\035\043\004\030\060\026\200\024\104\236\110\365\314
+\155\110\324\240\113\177\376\131\044\057\203\227\231\232\206\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\206
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
+\202\001\001\000\005\076\065\134\025\160\233\311\307\163\141\157
+\162\053\324\302\217\362\103\135\002\316\304\224\271\224\021\203
+\147\135\342\147\154\165\166\277\273\014\252\066\306\255\107\223
+\143\334\036\176\326\336\056\376\351\031\062\070\003\177\024\366
+\000\163\054\131\261\041\006\341\373\254\030\225\014\243\377\231
+\226\367\053\047\233\325\044\314\035\335\301\072\340\230\104\260
+\304\344\076\167\261\163\251\144\054\366\034\001\174\077\135\105
+\205\300\205\347\045\217\225\334\027\363\074\237\032\156\260\312
+\343\035\052\351\114\143\372\044\141\142\326\332\176\266\034\154
+\365\002\035\324\052\335\125\220\353\052\021\107\074\056\136\164
+\262\202\042\245\175\123\037\105\354\047\221\175\347\042\026\350
+\300\150\066\330\306\361\117\200\104\062\371\341\321\321\035\252
+\336\250\253\234\004\257\255\040\016\144\230\115\245\153\300\110
+\130\226\151\115\334\007\214\121\223\242\337\237\017\075\213\140
+\264\202\215\252\010\116\142\105\340\371\013\322\340\340\074\133
+\336\134\161\047\045\302\346\003\201\213\020\123\343\307\125\242
+\264\237\327\346
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "TrustCor ECA-1"
+# Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Serial Number:00:84:82:2c:5f:1c:62:d0:40
+# Subject: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
+# Not Valid Before: Thu Feb 04 12:32:33 2016
+# Not Valid After : Mon Dec 31 17:28:07 2029
+# Fingerprint (SHA-256): 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C
+# Fingerprint (SHA1): 58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TrustCor ECA-1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\130\321\337\225\225\147\153\143\300\360\133\034\027\115\213\204
+\013\310\170\275
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\047\222\043\035\012\365\100\174\351\346\153\235\330\365\347\154
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\234\061\013\060\011\006\003\125\004\006\023\002\120\101
+\061\017\060\015\006\003\125\004\010\014\006\120\141\156\141\155
+\141\061\024\060\022\006\003\125\004\007\014\013\120\141\156\141
+\155\141\040\103\151\164\171\061\044\060\042\006\003\125\004\012
+\014\033\124\162\165\163\164\103\157\162\040\123\171\163\164\145
+\155\163\040\123\056\040\144\145\040\122\056\114\056\061\047\060
+\045\006\003\125\004\013\014\036\124\162\165\163\164\103\157\162
+\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
+\150\157\162\151\164\171\061\027\060\025\006\003\125\004\003\014
+\016\124\162\165\163\164\103\157\162\040\105\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\011\000\204\202\054\137\034\142\320\100
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "SSL.com Root Certification Authority RSA"
+#
+# Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:7b:2c:9b:d3:16:80:32:99
+# Subject: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Fri Feb 12 17:39:39 2016
+# Not Valid After : Tue Feb 12 17:39:39 2041
+# Fingerprint (SHA-256): 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69
+# Fingerprint (SHA1): B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com Root Certification Authority RSA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006
+\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157
+\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\122\123\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006
+\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157
+\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\122\123\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\173\054\233\323\026\200\062\231
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\335\060\202\003\305\240\003\002\001\002\002\010\173
+\054\233\323\026\200\062\231\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\174\061\013\060\011\006\003\125\004
+\006\023\002\125\123\061\016\060\014\006\003\125\004\010\014\005
+\124\145\170\141\163\061\020\060\016\006\003\125\004\007\014\007
+\110\157\165\163\164\157\156\061\030\060\026\006\003\125\004\012
+\014\017\123\123\114\040\103\157\162\160\157\162\141\164\151\157
+\156\061\061\060\057\006\003\125\004\003\014\050\123\123\114\056
+\143\157\155\040\122\157\157\164\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\122\123\101\060\036\027\015\061\066\060\062\061\062\061\067
+\063\071\063\071\132\027\015\064\061\060\062\061\062\061\067\063
+\071\063\071\132\060\174\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145
+\170\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157
+\165\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017
+\123\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061
+\061\060\057\006\003\125\004\003\014\050\123\123\114\056\143\157
+\155\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122
+\123\101\060\202\002\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
+\002\001\000\371\017\335\243\053\175\313\320\052\376\354\147\205
+\246\347\056\033\272\167\341\343\365\257\244\354\372\112\135\221
+\304\127\107\153\030\167\153\166\362\375\223\344\075\017\302\026
+\236\013\146\303\126\224\236\027\203\205\316\126\357\362\026\375
+\000\142\365\042\011\124\350\145\027\116\101\271\340\117\106\227
+\252\033\310\270\156\142\136\151\261\137\333\052\002\176\374\154
+\312\363\101\330\355\320\350\374\077\141\110\355\260\003\024\035
+\020\016\113\031\340\273\116\354\206\145\377\066\363\136\147\002
+\013\235\206\125\141\375\172\070\355\376\342\031\000\267\157\241
+\120\142\165\164\074\240\372\310\045\222\264\156\172\042\307\370
+\036\241\343\262\335\221\061\253\053\035\004\377\245\112\004\067
+\351\205\244\063\053\375\342\326\125\064\174\031\244\112\150\307
+\262\250\323\267\312\241\223\210\353\301\227\274\214\371\035\331
+\042\204\044\164\307\004\075\152\251\051\223\314\353\270\133\341
+\376\137\045\252\064\130\310\301\043\124\235\033\230\021\303\070
+\234\176\075\206\154\245\017\100\206\174\002\364\134\002\117\050
+\313\256\161\237\017\072\310\063\376\021\045\065\352\374\272\305
+\140\075\331\174\030\325\262\251\323\165\170\003\162\042\312\072
+\303\037\357\054\345\056\251\372\236\054\266\121\106\375\257\003
+\326\352\140\150\352\205\026\066\153\205\351\036\300\263\335\304
+\044\334\200\052\201\101\155\224\076\310\340\311\201\101\000\236
+\136\277\177\305\010\230\242\030\054\102\100\263\371\157\070\047
+\113\116\200\364\075\201\107\340\210\174\352\034\316\265\165\134
+\121\056\034\053\177\032\162\050\347\000\265\321\164\306\327\344
+\237\255\007\223\266\123\065\065\374\067\344\303\366\135\026\276
+\041\163\336\222\012\370\240\143\152\274\226\222\152\076\370\274
+\145\125\233\336\365\015\211\046\004\374\045\032\246\045\151\313
+\302\155\312\174\342\131\137\227\254\353\357\056\310\274\327\033
+\131\074\053\314\362\031\310\223\153\047\143\031\317\374\351\046
+\370\312\161\233\177\223\376\064\147\204\116\231\353\374\263\170
+\011\063\160\272\146\246\166\355\033\163\353\032\245\015\304\042
+\023\040\224\126\012\116\054\154\116\261\375\317\234\011\272\242
+\063\355\207\002\003\001\000\001\243\143\060\141\060\035\006\003
+\125\035\016\004\026\004\024\335\004\011\007\242\365\172\175\122
+\123\022\222\225\356\070\200\045\015\246\131\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003
+\125\035\043\004\030\060\026\200\024\335\004\011\007\242\365\172
+\175\122\123\022\222\225\356\070\200\045\015\246\131\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\206\060\015\006
+\011\052\206\110\206\367\015\001\001\013\005\000\003\202\002\001
+\000\040\030\021\224\051\373\046\235\034\036\036\160\141\361\225
+\162\223\161\044\255\150\223\130\216\062\257\033\263\160\003\374
+\045\053\164\205\220\075\170\152\364\271\213\245\227\073\265\030
+\221\273\036\247\371\100\133\221\371\125\231\257\036\021\320\134
+\035\247\146\343\261\224\007\014\062\071\246\352\033\260\171\330
+\035\234\160\104\343\212\335\304\371\225\037\212\070\103\077\001
+\205\245\107\247\075\106\262\274\345\042\150\367\173\234\330\054
+\076\012\041\310\055\063\254\277\305\201\231\061\164\301\165\161
+\305\276\261\360\043\105\364\235\153\374\031\143\235\243\274\004
+\306\030\013\045\273\123\211\017\263\200\120\336\105\356\104\177
+\253\224\170\144\230\323\366\050\335\207\330\160\145\164\373\016
+\271\023\353\247\017\141\251\062\226\314\336\273\355\143\114\030
+\273\251\100\367\240\124\156\040\210\161\165\030\352\172\264\064
+\162\340\043\047\167\134\266\220\352\206\045\100\253\357\063\017
+\313\237\202\276\242\040\373\366\265\055\032\346\302\205\261\164
+\017\373\310\145\002\244\122\001\107\335\111\042\301\277\330\353
+\153\254\176\336\354\143\063\025\267\043\010\217\306\017\215\101
+\132\335\216\305\271\217\345\105\077\170\333\272\322\033\100\261
+\376\161\115\077\340\201\242\272\136\264\354\025\340\223\335\010
+\037\176\341\125\231\013\041\336\223\236\012\373\346\243\111\275
+\066\060\376\347\167\262\240\165\227\265\055\201\210\027\145\040
+\367\332\220\000\237\311\122\314\062\312\065\174\365\075\017\330
+\053\327\365\046\154\311\006\064\226\026\352\160\131\032\062\171
+\171\013\266\210\177\017\122\110\075\277\154\330\242\104\056\321
+\116\267\162\130\323\211\023\225\376\104\253\370\327\213\033\156
+\234\274\054\240\133\325\152\000\257\137\067\341\325\372\020\013
+\230\234\206\347\046\217\316\360\354\156\212\127\013\200\343\116
+\262\300\240\143\141\220\272\125\150\067\164\152\266\222\333\237
+\241\206\042\266\145\047\016\354\266\237\102\140\344\147\302\265
+\332\101\013\304\323\213\141\033\274\372\037\221\053\327\104\007
+\136\272\051\254\331\305\351\357\123\110\132\353\200\361\050\130
+\041\315\260\006\125\373\047\077\123\220\160\251\004\036\127\047
+\271
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "SSL.com Root Certification Authority RSA"
+# Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:7b:2c:9b:d3:16:80:32:99
+# Subject: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Fri Feb 12 17:39:39 2016
+# Not Valid After : Tue Feb 12 17:39:39 2041
+# Fingerprint (SHA-256): 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69
+# Fingerprint (SHA1): B7:AB:33:08:D1:EA:44:77:BA:14:80:12:5A:6F:BD:A9:36:49:0C:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com Root Certification Authority RSA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\267\253\063\010\321\352\104\167\272\024\200\022\132\157\275\251
+\066\111\014\273
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\206\151\022\300\160\361\354\254\254\302\325\274\245\133\241\051
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006
+\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157
+\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\122\123\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\173\054\233\323\026\200\062\231
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "SSL.com Root Certification Authority ECC"
+#
+# Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:75:e6:df:cb:c1:68:5b:a8
+# Subject: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Fri Feb 12 18:14:03 2016
+# Not Valid After : Tue Feb 12 18:14:03 2041
+# Fingerprint (SHA-256): 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65
+# Fingerprint (SHA1): C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com Root Certification Authority ECC"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006
+\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157
+\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\105\103\103
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006
+\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157
+\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\105\103\103
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\165\346\337\313\301\150\133\250
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\215\060\202\002\024\240\003\002\001\002\002\010\165
+\346\337\313\301\150\133\250\060\012\006\010\052\206\110\316\075
+\004\003\002\060\174\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145\170
+\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157\165
+\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017\123
+\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061\061
+\060\057\006\003\125\004\003\014\050\123\123\114\056\143\157\155
+\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103
+\103\060\036\027\015\061\066\060\062\061\062\061\070\061\064\060
+\063\132\027\015\064\061\060\062\061\062\061\070\061\064\060\063
+\132\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163
+\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164
+\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114
+\040\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057
+\006\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122
+\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\105\103\103\060
+\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201
+\004\000\042\003\142\000\004\105\156\251\120\304\246\043\066\236
+\137\050\215\027\313\226\042\144\077\334\172\216\035\314\010\263
+\242\161\044\272\216\111\271\004\033\107\226\130\253\055\225\310
+\355\236\010\065\310\047\353\211\214\123\130\353\142\212\376\360
+\133\017\153\061\122\143\101\073\211\315\354\354\266\215\031\323
+\064\007\334\273\306\006\177\302\105\225\354\313\177\250\043\340
+\011\351\201\372\363\107\323\243\143\060\141\060\035\006\003\125
+\035\016\004\026\004\024\202\321\205\163\060\347\065\004\323\216
+\002\222\373\345\244\321\304\041\350\315\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125
+\035\043\004\030\060\026\200\024\202\321\205\163\060\347\065\004
+\323\216\002\222\373\345\244\321\304\041\350\315\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\206\060\012\006\010
+\052\206\110\316\075\004\003\002\003\147\000\060\144\002\060\157
+\347\353\131\021\244\140\317\141\260\226\173\355\005\371\057\023
+\221\334\355\345\374\120\153\021\106\106\263\034\041\000\142\273
+\276\303\347\350\315\007\231\371\015\013\135\162\076\304\252\002
+\060\037\274\272\013\342\060\044\373\174\155\200\125\012\231\076
+\200\015\063\345\146\243\263\243\273\245\325\213\217\011\054\246
+\135\176\342\360\007\010\150\155\322\174\151\156\137\337\345\152
+\145
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "SSL.com Root Certification Authority ECC"
+# Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:75:e6:df:cb:c1:68:5b:a8
+# Subject: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Fri Feb 12 18:14:03 2016
+# Not Valid After : Tue Feb 12 18:14:03 2041
+# Fingerprint (SHA-256): 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65
+# Fingerprint (SHA1): C3:19:7C:39:24:E6:54:AF:1B:C4:AB:20:95:7A:E2:C3:0E:13:02:6A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com Root Certification Authority ECC"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\303\031\174\071\044\346\124\257\033\304\253\040\225\172\342\303
+\016\023\002\152
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\056\332\344\071\177\234\217\067\321\160\237\046\027\121\072\216
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\174\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\061\060\057\006
+\003\125\004\003\014\050\123\123\114\056\143\157\155\040\122\157
+\157\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\105\103\103
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\165\346\337\313\301\150\133\250
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "SSL.com EV Root Certification Authority RSA R2"
+#
+# Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:56:b6:29:cd:34:bc:78:f6
+# Subject: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Wed May 31 18:14:37 2017
+# Not Valid After : Fri May 30 18:14:37 2042
+# Fingerprint (SHA-256): 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C
+# Fingerprint (SHA1): 74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA R2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163
+\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164
+\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114
+\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060\065
+\006\003\125\004\003\014\056\123\123\114\056\143\157\155\040\105
+\126\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122
+\123\101\040\122\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163
+\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164
+\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114
+\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060\065
+\006\003\125\004\003\014\056\123\123\114\056\143\157\155\040\105
+\126\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122
+\123\101\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\126\266\051\315\064\274\170\366
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\353\060\202\003\323\240\003\002\001\002\002\010\126
+\266\051\315\064\274\170\366\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\201\202\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\016\060\014\006\003\125\004\010\014
+\005\124\145\170\141\163\061\020\060\016\006\003\125\004\007\014
+\007\110\157\165\163\164\157\156\061\030\060\026\006\003\125\004
+\012\014\017\123\123\114\040\103\157\162\160\157\162\141\164\151
+\157\156\061\067\060\065\006\003\125\004\003\014\056\123\123\114
+\056\143\157\155\040\105\126\040\122\157\157\164\040\103\145\162
+\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+\162\151\164\171\040\122\123\101\040\122\062\060\036\027\015\061
+\067\060\065\063\061\061\070\061\064\063\067\132\027\015\064\062
+\060\065\063\060\061\070\061\064\063\067\132\060\201\202\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\016\060\014\006
+\003\125\004\010\014\005\124\145\170\141\163\061\020\060\016\006
+\003\125\004\007\014\007\110\157\165\163\164\157\156\061\030\060
+\026\006\003\125\004\012\014\017\123\123\114\040\103\157\162\160
+\157\162\141\164\151\157\156\061\067\060\065\006\003\125\004\003
+\014\056\123\123\114\056\143\157\155\040\105\126\040\122\157\157
+\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\040\122\123\101\040\122\062
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\217\066\145\100\341\326\115\300\327\264\351\106\332\153\352
+\063\107\315\114\371\175\175\276\275\055\075\360\333\170\341\206
+\245\331\272\011\127\150\355\127\076\240\320\010\101\203\347\050
+\101\044\037\343\162\025\320\001\032\373\136\160\043\262\313\237
+\071\343\317\305\116\306\222\155\046\306\173\273\263\332\047\235
+\012\206\351\201\067\005\376\360\161\161\354\303\034\351\143\242
+\027\024\235\357\033\147\323\205\125\002\002\326\111\311\314\132
+\341\261\367\157\062\237\311\324\073\210\101\250\234\275\313\253
+\333\155\173\011\037\242\114\162\220\332\053\010\374\317\074\124
+\316\147\017\250\317\135\226\031\013\304\343\162\353\255\321\175
+\035\047\357\222\353\020\277\133\353\073\257\317\200\335\301\322
+\226\004\133\172\176\244\251\074\070\166\244\142\216\240\071\136
+\352\167\317\135\000\131\217\146\054\076\007\242\243\005\046\021
+\151\227\352\205\267\017\226\013\113\310\100\341\120\272\056\212
+\313\367\017\232\042\347\177\232\067\023\315\362\115\023\153\041
+\321\300\314\042\362\241\106\366\104\151\234\312\141\065\007\000
+\157\326\141\010\021\352\272\270\366\351\263\140\345\115\271\354
+\237\024\146\311\127\130\333\315\207\151\370\212\206\022\003\107
+\277\146\023\166\254\167\175\064\044\205\203\315\327\252\234\220
+\032\237\041\054\177\170\267\144\270\330\350\246\364\170\263\125
+\313\204\322\062\304\170\256\243\217\141\335\316\010\123\255\354
+\210\374\025\344\232\015\346\237\032\167\316\114\217\270\024\025
+\075\142\234\206\070\006\000\146\022\344\131\166\132\123\300\002
+\230\242\020\053\150\104\173\216\171\316\063\112\166\252\133\201
+\026\033\265\212\330\320\000\173\136\142\264\011\326\206\143\016
+\246\005\225\111\272\050\213\210\223\262\064\034\330\244\125\156
+\267\034\320\336\231\125\073\043\364\042\340\371\051\146\046\354
+\040\120\167\333\112\013\217\276\345\002\140\160\101\136\324\256
+\120\071\042\024\046\313\262\073\163\164\125\107\007\171\201\071
+\250\060\023\104\345\004\212\256\226\023\045\102\017\271\123\304
+\233\374\315\344\034\336\074\372\253\326\006\112\037\147\246\230
+\060\034\335\054\333\334\030\225\127\146\306\377\134\213\126\365
+\167\002\003\001\000\001\243\143\060\141\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125
+\035\043\004\030\060\026\200\024\371\140\273\324\343\325\064\366
+\270\365\006\200\045\247\163\333\106\151\250\236\060\035\006\003
+\125\035\016\004\026\004\024\371\140\273\324\343\325\064\366\270
+\365\006\200\045\247\163\333\106\151\250\236\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\001\206\060\015\006\011\052
+\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000\126
+\263\216\313\012\235\111\216\277\244\304\221\273\146\027\005\121
+\230\165\373\345\120\054\172\236\361\024\372\253\323\212\076\377
+\221\051\217\143\213\330\264\251\124\001\015\276\223\206\057\371
+\112\155\307\136\365\127\371\312\125\034\022\276\107\017\066\305
+\337\152\267\333\165\302\107\045\177\271\361\143\370\150\055\125
+\004\321\362\215\260\244\317\274\074\136\037\170\347\245\240\040
+\160\260\004\305\267\367\162\247\336\042\015\275\063\045\106\214
+\144\222\046\343\076\056\143\226\332\233\214\075\370\030\011\327
+\003\314\175\206\202\340\312\004\007\121\120\327\377\222\325\014
+\357\332\206\237\231\327\353\267\257\150\342\071\046\224\272\150
+\267\277\203\323\352\172\147\075\142\147\256\045\345\162\350\342
+\344\354\256\022\366\113\053\074\237\351\260\100\363\070\124\263
+\375\267\150\310\332\306\217\121\074\262\373\221\334\034\347\233
+\235\341\267\015\162\217\342\244\304\251\170\371\353\024\254\306
+\103\005\302\145\071\050\030\002\303\202\262\235\005\276\145\355
+\226\137\145\164\074\373\011\065\056\173\234\023\375\033\017\135
+\307\155\201\072\126\017\314\073\341\257\002\057\042\254\106\312
+\106\074\240\034\114\326\104\264\136\056\134\025\146\011\341\046
+\051\376\306\122\141\272\261\163\377\303\014\234\345\154\152\224
+\077\024\312\100\026\225\204\363\131\251\254\137\114\141\223\155
+\321\073\314\242\225\014\042\246\147\147\104\056\271\331\322\212
+\101\263\146\013\132\373\175\043\245\362\032\260\377\336\233\203
+\224\056\321\077\337\222\267\221\257\005\073\145\307\240\154\261
+\315\142\022\303\220\033\343\045\316\064\274\157\167\166\261\020
+\303\367\005\032\300\326\257\164\142\110\027\167\222\151\220\141
+\034\336\225\200\164\124\217\030\034\303\363\003\320\277\244\103
+\165\206\123\030\172\012\056\011\034\066\237\221\375\202\212\042
+\113\321\016\120\045\335\313\003\014\027\311\203\000\010\116\065
+\115\212\213\355\360\002\224\146\054\104\177\313\225\047\226\027
+\255\011\060\254\266\161\027\156\213\027\366\034\011\324\055\073
+\230\245\161\323\124\023\331\140\363\365\113\146\117\372\361\356
+\040\022\215\264\254\127\261\105\143\241\254\166\251\302\373
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "SSL.com EV Root Certification Authority RSA R2"
+# Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:56:b6:29:cd:34:bc:78:f6
+# Subject: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Wed May 31 18:14:37 2017
+# Not Valid After : Fri May 30 18:14:37 2042
+# Fingerprint (SHA-256): 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C
+# Fingerprint (SHA1): 74:3A:F0:52:9B:D0:32:A0:F4:4A:83:CD:D4:BA:A9:7B:7C:2E:C4:9A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com EV Root Certification Authority RSA R2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\164\072\360\122\233\320\062\240\364\112\203\315\324\272\251\173
+\174\056\304\232
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\341\036\061\130\032\256\124\123\002\366\027\152\021\173\115\225
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163
+\061\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164
+\157\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114
+\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060\065
+\006\003\125\004\003\014\056\123\123\114\056\143\157\155\040\105
+\126\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\122
+\123\101\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\126\266\051\315\064\274\170\366
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "SSL.com EV Root Certification Authority ECC"
+#
+# Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:2c:29:9c:5b:16:ed:05:95
+# Subject: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Fri Feb 12 18:15:23 2016
+# Not Valid After : Tue Feb 12 18:15:23 2041
+# Fingerprint (SHA-256): 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8
+# Fingerprint (SHA1): 4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com EV Root Certification Authority ECC"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\064\060\062\006
+\003\125\004\003\014\053\123\123\114\056\143\157\155\040\105\126
+\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103
+\103
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\064\060\062\006
+\003\125\004\003\014\053\123\123\114\056\143\157\155\040\105\126
+\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103
+\103
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\054\051\234\133\026\355\005\225
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\224\060\202\002\032\240\003\002\001\002\002\010\054
+\051\234\133\026\355\005\225\060\012\006\010\052\206\110\316\075
+\004\003\002\060\177\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145\170
+\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157\165
+\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017\123
+\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061\064
+\060\062\006\003\125\004\003\014\053\123\123\114\056\143\157\155
+\040\105\126\040\122\157\157\164\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\105\103\103\060\036\027\015\061\066\060\062\061\062\061\070
+\061\065\062\063\132\027\015\064\061\060\062\061\062\061\070\061
+\065\062\063\132\060\177\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\016\060\014\006\003\125\004\010\014\005\124\145
+\170\141\163\061\020\060\016\006\003\125\004\007\014\007\110\157
+\165\163\164\157\156\061\030\060\026\006\003\125\004\012\014\017
+\123\123\114\040\103\157\162\160\157\162\141\164\151\157\156\061
+\064\060\062\006\003\125\004\003\014\053\123\123\114\056\143\157
+\155\040\105\126\040\122\157\157\164\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\040\105\103\103\060\166\060\020\006\007\052\206\110\316\075
+\002\001\006\005\053\201\004\000\042\003\142\000\004\252\022\107
+\220\230\033\373\357\303\100\007\203\040\116\361\060\202\242\006
+\321\362\222\206\141\362\366\041\150\312\000\304\307\352\103\000
+\124\206\334\375\037\337\000\270\101\142\134\334\160\026\062\336
+\037\231\324\314\305\007\310\010\037\141\026\007\121\075\175\134
+\007\123\343\065\070\214\337\315\237\331\056\015\112\266\031\056
+\132\160\132\006\355\276\360\241\260\312\320\011\051\243\143\060
+\141\060\035\006\003\125\035\016\004\026\004\024\133\312\136\345
+\336\322\201\252\315\250\055\144\121\266\331\162\233\227\346\117
+\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
+\377\060\037\006\003\125\035\043\004\030\060\026\200\024\133\312
+\136\345\336\322\201\252\315\250\055\144\121\266\331\162\233\227
+\346\117\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\206\060\012\006\010\052\206\110\316\075\004\003\002\003\150
+\000\060\145\002\061\000\212\346\100\211\067\353\351\325\023\331
+\312\324\153\044\363\260\075\207\106\130\032\354\261\337\157\373
+\126\272\160\153\307\070\314\350\261\214\117\017\367\361\147\166
+\016\203\320\036\121\217\002\060\075\366\043\050\046\114\306\140
+\207\223\046\233\262\065\036\272\326\367\074\321\034\316\372\045
+\074\246\032\201\025\133\363\022\017\154\356\145\212\311\207\250
+\371\007\340\142\232\214\134\112
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "SSL.com EV Root Certification Authority ECC"
+# Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Serial Number:2c:29:9c:5b:16:ed:05:95
+# Subject: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US
+# Not Valid Before: Fri Feb 12 18:15:23 2016
+# Not Valid After : Tue Feb 12 18:15:23 2041
+# Fingerprint (SHA-256): 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8
+# Fingerprint (SHA1): 4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "SSL.com EV Root Certification Authority ECC"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\114\335\121\243\321\365\040\062\024\260\306\305\062\043\003\221
+\307\106\102\155
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\131\123\042\145\203\102\001\124\300\316\102\271\132\174\362\220
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\016\060\014\006\003\125\004\010\014\005\124\145\170\141\163\061
+\020\060\016\006\003\125\004\007\014\007\110\157\165\163\164\157
+\156\061\030\060\026\006\003\125\004\012\014\017\123\123\114\040
+\103\157\162\160\157\162\141\164\151\157\156\061\064\060\062\006
+\003\125\004\003\014\053\123\123\114\056\143\157\155\040\105\126
+\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\105\103
+\103
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\054\051\234\133\026\355\005\225
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/lib/ckfw/builtins/nssckbi.h
+++ b/lib/ckfw/builtins/nssckbi.h
@@ -41,18 +41,18 @@
  *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 16
-#define NSS_BUILTINS_LIBRARY_VERSION "2.16"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 18
+#define NSS_BUILTINS_LIBRARY_VERSION "2.18"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/lib/cryptohi/cryptohi.h
+++ b/lib/cryptohi/cryptohi.h
@@ -55,16 +55,24 @@ extern SECItem *DSAU_DecodeDerSigToLen(c
 /*
 ** Create a new signature context used for signing a data stream.
 **      "alg" the signature algorithm to use (e.g. SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION)
 **	"privKey" the private key to use
 */
 extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
 
 /*
+** Create a new signature context from an algorithmID.
+**      "alg" the signature algorithm to use
+**	"privKey" the private key to use
+*/
+extern SGNContext *SGN_NewContextWithAlgorithmID(SECAlgorithmID *alg,
+                                                 SECKEYPrivateKey *privKey);
+
+/*
 ** Destroy a signature-context object
 **	"cx" the object
 **	"freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit);
 
 /*
 ** Reset the signing context "cx" to its initial state, preparing it for
@@ -101,16 +109,31 @@ extern SECStatus SGN_End(SGNContext *cx,
 **	"algid" the signature/hash algorithm to sign with
 **		(must be compatible with the key type).
 */
 extern SECStatus SEC_SignData(SECItem *result,
                               const unsigned char *buf, int len,
                               SECKEYPrivateKey *pk, SECOidTag algid);
 
 /*
+** Sign a single block of data using private key encryption and given
+** signature/hash algorithm with parameters from an algorithmID.
+**	"result" the final signature data (memory is allocated)
+**	"buf" the input data to sign
+**	"len" the amount of data to sign
+**	"pk" the private key to encrypt with
+**	"algid" the signature/hash algorithm to sign with
+**		(must be compatible with the key type).
+*/
+extern SECStatus SEC_SignDataWithAlgorithmID(SECItem *result,
+                                             const unsigned char *buf, int len,
+                                             SECKEYPrivateKey *pk,
+                                             SECAlgorithmID *algid);
+
+/*
 ** Sign a pre-digested block of data using private key encryption, encoding
 **  The given signature/hash algorithm.
 **	"result" the final signature data (memory is allocated)
 **	"digest" the digest to sign
 **	"privKey" the private key to encrypt with
 **	"algtag" The algorithm tag to encode (need for RSA only)
 */
 extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
@@ -127,30 +150,68 @@ extern SECStatus SGN_Digest(SECKEYPrivat
 ** 	"len" the amount of data to sign
 ** 	"pk" the private key to encrypt with
 */
 extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result,
                                  const unsigned char *buf, int len,
                                  SECKEYPrivateKey *pk, SECOidTag algid);
 
 /*
+** DER sign a single block of data using private key encryption and
+** the given signature/hash algorithm with parameters from an
+** algorithmID. This routine first computes a digital signature using
+** SEC_SignData, then wraps it with an CERTSignedData and then der
+** encodes the result.
+**	"arena" is the memory arena to use to allocate data from
+** 	"result" the final der encoded data (memory is allocated)
+** 	"buf" the input data to sign
+** 	"len" the amount of data to sign
+** 	"pk" the private key to encrypt with
+**	"algid" the signature/hash algorithm to sign with
+**		(must be compatible with the key type).
+*/
+extern SECStatus SEC_DerSignDataWithAlgorithmID(PLArenaPool *arena,
+                                                SECItem *result,
+                                                const unsigned char *buf,
+                                                int len,
+                                                SECKEYPrivateKey *pk,
+                                                SECAlgorithmID *algid);
+
+/*
 ** Destroy a signed-data object.
 **	"sd" the object
 **	"freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
 
 /*
 ** Get the signature algorithm tag number for the given key type and hash
 ** algorithm tag. Returns SEC_OID_UNKNOWN if key type and hash algorithm
 ** do not match or are not supported.
 */
 extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType,
                                                  SECOidTag hashAlgTag);
 
+/*
+** Create algorithm parameters for signing. Return a new item
+** allocated from arena, or NULL on failure.
+**	"arena" is the memory arena to use to allocate data from
+**	"result" the encoded parameters (memory is allocated)
+**	"signAlgTag" is the signing algorithm
+**	"hashAlgTag" is the preferred hash algorithm
+**	"params" is the default parameters
+**	"key" is the private key
+*/
+extern SECItem *SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena,
+                                                       SECItem *result,
+                                                       SECOidTag signAlgTag,
+                                                       SECOidTag hashAlgTag,
+                                                       const SECItem *params,
+                                                       const SECKEYPrivateKey *key);
+
 /****************************************/
 /*
 ** Signature verification operations
 */
 
 /*
 ** Create a signature verification context. This version is deprecated,
 **  This function is deprecated. Use VFY_CreateContextDirect or
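Review bot: The new comment on `SEC_DerSignDataWithAlgorithmID` says the signature is computed "using SEC_SignData", which reads as carried over from the `SEC_DerSignData` comment. The implementation is not in this hunk, but if it calls the AlgorithmID variant the line should read `** SEC_SignDataWithAlgorithmID, then wraps it with a CERTSignedData and then DER`. The comment on `SEC_CreateSignatureAlgorithmParameters` says it returns a new item allocated from the arena and also lists "result" as the encoded parameters. It should state whether the return value is "result" itself or a separate allocation, and whether "params" may be NULL.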
--- a/lib/cryptohi/keyi.h
+++ b/lib/cryptohi/keyi.h
@@ -12,11 +12,14 @@ SEC_BEGIN_PROTOS
 KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
 
 /* extract the 'encryption' (could be signing) and hash oids from and
  * algorithm, key and parameters (parameters is the parameters field
  * of a algorithm ID structure (SECAlgorithmID)*/
 SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
                            const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
 
+SECStatus sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
+                                      const SECKEYRSAPSSParams *params);
+
 SEC_END_PROTOS
 
 #endif /* _KEYHI_H_ */
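Review bot: The new `sec_RSAPSSParamsToMechanism` prototype has no comment, unlike `sec_DecodeSigAlg` directly above it. Going by the definition added in seckey.c, something like `/* fill a CK_RSA_PKCS_PSS_PARAMS from decoded RSA-PSS parameters; an absent hashAlg or maskAlg selects SHA-1 / MGF1 with SHA-1 */` would tell callers about the SHA-1 defaults before they rely on the output.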
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -1041,16 +1041,17 @@ SECKEY_PublicKeyStrengthInBits(const SEC
 unsigned
 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
 {
     unsigned char b0;
     unsigned size;
 
     switch (pubk->keyType) {
         case rsaKey:
+        case rsaPssKey:
             b0 = pubk->u.rsa.modulus.data[0];
             return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
         case dsaKey:
             return pubk->u.dsa.params.subPrime.len * 2;
         case ecKey:
             /* Get the base point order length in bits and adjust */
             size = SECKEY_ECParamsToBasePointOrderLen(
                 &pubk->u.ec.DEREncodedParams);
@@ -1967,8 +1968,97 @@ SECKEY_GetECCOid(const SECKEYECParams *p
         return 0;
     oid.len = params->len - 2;
     oid.data = params->data + 2;
     if ((oidData = SECOID_FindOID(&oid)) == NULL)
         return 0;
 
     return oidData->offset;
 }
+
+static CK_MECHANISM_TYPE
+sec_GetHashMechanismByOidTag(SECOidTag tag)
+{
+    switch (tag) {
+        case SEC_OID_SHA512:
+            return CKM_SHA512;
+        case SEC_OID_SHA384:
+            return CKM_SHA384;
+        case SEC_OID_SHA256:
+            return CKM_SHA256;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        /* fallthrough */
+        case SEC_OID_SHA1:
+            break;
+    }
+    return CKM_SHA_1;
+}
+
+static CK_RSA_PKCS_MGF_TYPE
+sec_GetMgfTypeByOidTag(SECOidTag tag)
+{
+    switch (tag) {
+        case SEC_OID_SHA512:
+            return CKG_MGF1_SHA512;
+        case SEC_OID_SHA384:
+            return CKG_MGF1_SHA384;
+        case SEC_OID_SHA256:
+            return CKG_MGF1_SHA256;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        /* fallthrough */
+        case SEC_OID_SHA1:
+            break;
+    }
+    return CKG_MGF1_SHA1;
+}
+
+SECStatus
+sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
+                            const SECKEYRSAPSSParams *params)
+{
+    SECStatus rv = SECSuccess;
+    SECOidTag hashAlgTag;
+    unsigned long saltLength;
+
+    PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+
+    if (params->hashAlg) {
+        hashAlgTag = SECOID_GetAlgorithmTag(params->hashAlg);
+    } else {
+        hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
+    }
+    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
+
+    if (params->maskAlg) {
+        SECAlgorithmID maskHashAlg;
+        SECOidTag maskHashAlgTag;
+        PORTCheapArenaPool tmpArena;
+
+        if (SECOID_GetAlgorithmTag(params->maskAlg) != SEC_OID_PKCS1_MGF1) {
+            /* only MGF1 is known to PKCS#11 */
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return SECFailure;
+        }
+
+        PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+        rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &maskHashAlg,
+                                    SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+                                    &params->maskAlg->parameters);
+        PORT_DestroyCheapArena(&tmpArena);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
+        mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
+    } else {
+        mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+    }
+
+    rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    mech->sLen = saltLength;
+
+    return rv;
+}
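Review bot: An unrecognised hash OID is silently mapped to SHA-1 in `sec_GetHashMechanismByOidTag` and `sec_GetMgfTypeByOidTag`. Their `default` arm sets `SEC_ERROR_INVALID_ALGORITHM` but then falls through to the SHA-1 return, and `sec_RSAPSSParamsToMechanism` never checks for that, so it returns `SECSuccess` with `mech->hashAlg` or `mech->mgf` set to the SHA-1 values. A caller whose parameters name an unsupported digest therefore gets a SHA-1 PSS mechanism instead of a failure; the caller should reject the mapping when the tag was not SHA-1, as sketched below. Separately, `saltLength` is decoded unconditionally; whether an absent field (RFC 4055 gives it a default of 20) decodes cleanly is not visible here and deserves a test.

```c
    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
    if (mech->hashAlg == CKM_SHA_1 && hashAlgTag != SEC_OID_SHA1) {
        /* helper already set SEC_ERROR_INVALID_ALGORITHM */
        return SECFailure;
    }

    /* ... unchanged: MGF1 check and DER decode of maskAlg parameters ... */
        maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
        mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
        if (mech->mgf == CKG_MGF1_SHA1 && maskHashAlgTag != SEC_OID_SHA1) {
            /* unsupported MGF1 hash: fail instead of using SHA-1 */
            return SECFailure;
        }
```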
--- a/lib/cryptohi/secsign.c
+++ b/lib/cryptohi/secsign.c
@@ -17,57 +17,73 @@
 #include "keyi.h"
 
 struct SGNContextStr {
     SECOidTag signalg;
     SECOidTag hashalg;
     void *hashcx;
     const SECHashObject *hashobj;
     SECKEYPrivateKey *key;
+    SECItem *params;
 };
 
-SGNContext *
-SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
+static SGNContext *
+sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
 {
     SGNContext *cx;
     SECOidTag hashalg, signalg;
     KeyType keyType;
     SECStatus rv;
 
     /* OK, map a PKCS #7 hash and encrypt algorithm into
      * a standard hashing algorithm. Why did we pass in the whole
      * PKCS #7 algTag if we were just going to change here you might
      * ask. Well the answer is for some cards we may have to do the
      * hashing on card. It may not support CKM_RSA_PKCS sign algorithm,
      * it may just support CKM_SHA1_RSA_PKCS and/or CKM_MD5_RSA_PKCS.
      */
     /* we have a private key, not a public key, so don't pass it in */
-    rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg);
+    rv = sec_DecodeSigAlg(NULL, alg, params, &signalg, &hashalg);
     if (rv != SECSuccess) {
         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
         return 0;
     }
     keyType = seckey_GetKeyType(signalg);
 
     /* verify our key type */
     if (key->keyType != keyType &&
-        !((key->keyType == dsaKey) && (keyType == fortezzaKey))) {
+        !((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
+        !((key->keyType == rsaKey) && (keyType == rsaPssKey))) {
         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
         return 0;
     }
 
     cx = (SGNContext *)PORT_ZAlloc(sizeof(SGNContext));
     if (cx) {
         cx->hashalg = hashalg;
         cx->signalg = signalg;
         cx->key = key;
+        cx->params = params;
     }
     return cx;
 }
 
+SGNContext *
+SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
+{
+    return sgn_NewContext(alg, NULL, key);
+}
+
+SGNContext *
+SGN_NewContextWithAlgorithmID(SECAlgorithmID *alg, SECKEYPrivateKey *key)
+{
+    SECOidTag tag = SECOID_GetAlgorithmTag(alg);
+    return sgn_NewContext(tag, &alg->parameters, key);
+}
+
 void
 SGN_DestroyContext(SGNContext *cx, PRBool freeit)
 {
     if (cx) {
         if (cx->hashcx != NULL) {
             (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
             cx->hashcx = NULL;
         }
@@ -143,25 +159,27 @@ SGN_End(SGNContext *cx, SECItem *result)
     SECStatus rv;
     SECItem digder, sigitem;
     PLArenaPool *arena = 0;
     SECKEYPrivateKey *privKey = cx->key;
     SGNDigestInfo *di = 0;
 
     result->data = 0;
     digder.data = 0;
+    sigitem.data = 0;
 
     /* Finish up digest function */
     if (cx->hashcx == NULL) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest));
 
-    if (privKey->keyType == rsaKey) {
+    if (privKey->keyType == rsaKey &&
+        cx->signalg != SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
 
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (!arena) {
             rv = SECFailure;
             goto loser;
         }
 
         /* Construct digest info */
@@ -195,57 +213,92 @@ SGN_End(SGNContext *cx, SECItem *result)
     sigitem.len = signatureLen;
     sigitem.data = (unsigned char *)PORT_Alloc(signatureLen);
 
     if (sigitem.data == NULL) {
         rv = SECFailure;
         goto loser;
     }
 
-    rv = PK11_Sign(privKey, &sigitem, &digder);
-    if (rv != SECSuccess) {
-        PORT_Free(sigitem.data);
-        sigitem.data = NULL;
-        goto loser;
+    if (cx->signalg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+        CK_RSA_PKCS_PSS_PARAMS mech;
+        SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) };
+
+        PORT_Memset(&mech, 0, sizeof(mech));
+
+        if (cx->params && cx->params->data) {
+            SECKEYRSAPSSParams params;
+
+            arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+            if (!arena) {
+                rv = SECFailure;
+                goto loser;
+            }
+
+            PORT_Memset(&params, 0, sizeof(params));
+            rv = SEC_QuickDERDecodeItem(arena, &params,
+                                        SECKEY_RSAPSSParamsTemplate,
+                                        cx->params);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+            rv = sec_RSAPSSParamsToMechanism(&mech, &params);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+        } else {
+            mech.hashAlg = CKM_SHA_1;
+            mech.mgf = CKG_MGF1_SHA1;
+            mech.sLen = digder.len;
+        }
+        rv = PK11_SignWithMechanism(privKey, CKM_RSA_PKCS_PSS, &mechItem,
+                                    &sigitem, &digder);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+    } else {
+        rv = PK11_Sign(privKey, &sigitem, &digder);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
     }
 
     if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) ||
         (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
         /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */
         rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len);
-        PORT_Free(sigitem.data);
         if (rv != SECSuccess)
             goto loser;
+        SECITEM_FreeItem(&sigitem, PR_FALSE);
     } else {
         result->len = sigitem.len;
         result->data = sigitem.data;
     }
 
 loser:
+    if (rv != SECSuccess) {
+        SECITEM_FreeItem(&sigitem, PR_FALSE);
+    }