Bug 967153: Update to NSS 3.16 beta 3 (NSS_3_16_BETA3), r=me, a=sledru
authorBrian Smith <brian@briansmith.org>
Thu, 27 Feb 2014 16:38:10 -0800
changeset 177257 4bc0ff092aca4bd4e8a165cf6ab0bbbb528f2e60
parent 177256 836391ce81b854b72c353ca45396ddd225f7e496
child 177258 1150740733cbb14aa9f724b4673b2d9cf5c19387
push id5315
push userbrian@briansmith.org
push dateFri, 28 Feb 2014 00:38:23 +0000
treeherdermozilla-aurora@4bc0ff092aca [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme, sledru
bugs967153
milestone29.0a2
Bug 967153: Update to NSS 3.16 beta 3 (NSS_3_16_BETA3), r=me, a=sledru
security/nss/TAG-INFO
security/nss/cmd/certutil/certutil.c
security/nss/coreconf/coreconf.dep
security/nss/lib/certdb/certdb.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/freebl/Makefile
security/nss/lib/pki/tdcache.c
security/nss/lib/ssl/ssl3ext.c
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_16_BETA2
+NSS_3_16_BETA3
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1731,17 +1731,18 @@ MakeV1Cert(	CERTCertDBHandle *	handle,
     }
     
     return(cert);
 }
 
 static SECStatus
 SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, 
          SECOidTag hashAlgTag,
-         SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
+         SECKEYPrivateKey *privKey, char *issuerNickName,
+         int certVersion, void *pwarg)
 {
     SECItem der;
     SECKEYPrivateKey *caPrivateKey = NULL;    
     SECStatus rv;
     PLArenaPool *arena;
     SECOidTag algID;
     void *dummy;
 
@@ -1771,19 +1772,33 @@ SignCert(CERTCertDBHandle *handle, CERTC
     }
 
     rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
     if (rv != SECSuccess) {
 	fprintf(stderr, "Could not set signature algorithm id.");
 	goto done;
     }
 
-    /* we only deal with cert v3 here */
-    *(cert->version.data) = 2;
-    cert->version.len = 1;
+    switch(certVersion) {
+      case (SEC_CERTIFICATE_VERSION_1):
+        // The initial version for x509 certificates is version one
+        // and this default value must be an implicit DER encoding.
+        cert->version.data = NULL;
+        cert->version.len = 0;
+        break;
+      case (SEC_CERTIFICATE_VERSION_2):
+      case (SEC_CERTIFICATE_VERSION_3):
+      case 3: // unspecified format (would be version 4 certificate).
+        *(cert->version.data) = certVersion;
+        cert->version.len = 1;
+        break;
+      default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
 
     der.len = 0;
     der.data = NULL;
     dummy = SEC_ASN1EncodeItem (arena, &der, cert,
 			 	SEC_ASN1_GET(CERT_CertificateTemplate));
     if (!dummy) {
 	fprintf (stderr, "Could not encode certificate.\n");
 	rv = SECFailure;
@@ -1816,16 +1831,17 @@ CreateCert(
 	unsigned int serialNumber, 
 	int     warpmonths,
 	int     validityMonths,
 	const char *emailAddrs,
 	const char *dnsNames,
 	PRBool ascii,
 	PRBool  selfsign,
 	certutilExtnList extnList,
+        int certVersion,
 	SECItem * certDER)
 {
     void *	extHandle;
     CERTCertificate *subjectCert 	= NULL;
     CERTCertificateRequest *certReq	= NULL;
     SECStatus 	rv 			= SECSuccess;
     CERTCertExtension **CRexts;
 
@@ -1875,17 +1891,18 @@ CreateCert(
 	    if (!*selfsignprivkey) {
 		fprintf(stderr, "Failed to locate private key.\n");
 		rv = SECFailure;
 		break;
 	    }
 	}
 
 	rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
-		      *selfsignprivkey, issuerNickName, pwarg);
+		      *selfsignprivkey, issuerNickName,
+                      certVersion, pwarg);
 	if (rv != SECSuccess)
 	    break;
 
 	rv = SECFailure;
 	if (ascii) {
 	    char * asciiDER = BTOA_DataToAscii(subjectCert->derCert.data,
 					       subjectCert->derCert.len);
 	    if (asciiDER) {
@@ -2189,16 +2206,17 @@ enum certutilOpts {
     opt_SourceDir,
     opt_SourcePrefix,
     opt_UpgradeID,
     opt_UpgradeTokenName,
     opt_KeyOpFlagsOn,
     opt_KeyOpFlagsOff,
     opt_KeyAttrFlags,
     opt_EmptyPassword,
+    opt_CertVersion,
     opt_Help
 };
 
 static const
 secuCommandFlag commands_init[] =
 {
 	{ /* cmd_AddCert             */  'A', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CreateNewCert       */  'C', PR_FALSE, 0, PR_FALSE },
@@ -2298,16 +2316,18 @@ secuCommandFlag options_init[] =
 	{ /* opt_KeyOpFlagsOn        */  0,   PR_TRUE, 0, PR_FALSE, 
                                                    "keyOpFlagsOn"},
 	{ /* opt_KeyOpFlagsOff       */  0,   PR_TRUE, 0, PR_FALSE, 
                                                    "keyOpFlagsOff"},
 	{ /* opt_KeyAttrFlags        */  0,   PR_TRUE, 0, PR_FALSE, 
                                                    "keyAttrFlags"},
 	{ /* opt_EmptyPassword       */  0,   PR_FALSE, 0, PR_FALSE, 
                                                    "empty-password"},
+        { /* opt_CertVersion         */  0,   PR_FALSE, 0, PR_FALSE,
+                                                   "certVersion"},
 };
 #define NUM_OPTIONS ((sizeof options_init)  / (sizeof options_init[0]))
 
 static secuCommandFlag certutil_commands[NUM_COMMANDS];
 static secuCommandFlag certutil_options [NUM_OPTIONS ];
 
 static const secuCommand certutil = {
     NUM_COMMANDS, 
@@ -2336,16 +2356,17 @@ certutil_main(int argc, char **argv, PRB
     char *      upgradeTokenName     = "";
     KeyType     keytype         = rsaKey;
     char *      name            = NULL;
     char *      email            = NULL;
     char *      keysource       = NULL;
     SECOidTag   hashAlgTag      = SEC_OID_UNKNOWN;
     int	        keysize	        = DEFAULT_KEY_BITS;
     int         publicExponent  = 0x010001;
+    int         certVersion     = SEC_CERTIFICATE_VERSION_3;
     unsigned int serialNumber   = 0;
     int         warpmonths      = 0;
     int         validityMonths  = 3;
     int         commandsEntered = 0;
     char        commandToRun    = '\0';
     secuPWData  pwdata          = { PW_NONE, 0 };
     secuPWData  pwdata2         = { PW_NONE, 0 };
     PRBool      readOnly        = PR_FALSE;
@@ -2564,16 +2585,29 @@ certutil_main(int argc, char **argv, PRB
 	    (publicExponent != 65537)) {
 	    PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", 
 	                           progName, publicExponent);
 	    PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
 	    return 255;
 	}
     }
 
+    /*  --certVersion */
+    if (certutil.options[opt_CertVersion].activated) {
+        certVersion = PORT_Atoi(certutil.options[opt_CertVersion].arg);
+        if (certVersion < 1 || certVersion > 4) {
+            PR_fprintf(PR_STDERR, "%s -certVersion: incorrect certificate version %d.",
+                                   progName, certVersion);
+            PR_fprintf(PR_STDERR, "Must be 1, 2, 3 or 4.\n");
+            return 255;
+        }
+        certVersion = certVersion - 1;
+    }
+
+
     /*  Check number of commands entered.  */
     commandsEntered = 0;
     for (i=0; i< certutil.numCommands; i++) {
 	if (certutil.commands[i].activated) {
 	    commandToRun = certutil.commands[i].flag;
 	    commandsEntered++;
 	}
 	if (commandsEntered > 1)
@@ -3220,16 +3254,17 @@ merge_fail:
 			&certReqDER, &privkey, &pwdata, hashAlgTag,
 	                serialNumber, warpmonths, validityMonths,
 		        certutil.options[opt_ExtendedEmailAddrs].arg,
 		        certutil.options[opt_ExtendedDNSNames].arg,
 		        certutil.options[opt_ASCIIForIO].activated &&
 			    certutil.commands[cmd_CreateNewCert].activated,
 	                certutil.options[opt_SelfSign].activated,
 	                certutil_extns,
+                        certVersion,
 			&certDER);
 	if (rv) 
 	    goto shutdown;
     }
 
     /* 
      * Adding a cert to the database (or slot)
      */
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1376,33 +1376,36 @@ cert_TestHostName(char * cn, const char 
 		rv = SECSuccess;
 	    } else {
 		PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
 		rv = SECFailure;
 	    }
 	    return rv;
 	}
     } else {
-	/* New approach conforms to RFC 2818. */
+	/* New approach conforms to RFC 6125. */
 	char *wildcard    = PORT_Strchr(cn, '*');
 	char *firstcndot  = PORT_Strchr(cn, '.');
 	char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
 	char *firsthndot  = PORT_Strchr(hn, '.');
 
 	/* For a cn pattern to be considered valid, the wildcard character...
 	 * - may occur only in a DNS name with at least 3 components, and
 	 * - may occur only as last character in the first component, and
-	 * - may be preceded by additional characters
+	 * - may be preceded by additional characters, and
+	 * - must not be preceded by an IDNA ACE prefix (xn--)
 	 */
 	if (wildcard && secondcndot && secondcndot[1] && firsthndot 
-	    && firstcndot  - wildcard  == 1
-	    && secondcndot - firstcndot > 1
-	    && PORT_Strrchr(cn, '*') == wildcard
+	    && firstcndot  - wildcard  == 1 /* no chars between * and . */
+	    && secondcndot - firstcndot > 1 /* not .. */
+	    && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
 	    && !PORT_Strncasecmp(cn, hn, wildcard - cn)
-	    && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+	    && !PORT_Strcasecmp(firstcndot, firsthndot)
+	       /* If hn starts with xn--, then cn must start with wildcard */
+	    && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
 	    /* valid wildcard pattern match */
 	    return SECSuccess;
 	}
     }
     /* String cn has no wildcard or shell expression.  
      * Compare entire string hn with cert name. 
      */
     if (PORT_Strcasecmp(hn, cn) == 0) {
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,16 +65,135 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
+# Certificate "GTE CyberTrust Global Root"
+#
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
+\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
+\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
+\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
+\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
+\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
+\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
+\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
+\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
+\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
+\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
+\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
+\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
+\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
+\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
+\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
+\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
+\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
+\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
+\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
+\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
+\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
+\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
+\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
+\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
+\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
+\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
+\037\042\265\315\225\255\272\247\314\371\253\013\172\177
+END
+
+# Trust for Certificate "GTE CyberTrust Global Root"
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
+\066\176\364\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Thawte Server CA"
 #
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
@@ -483,16 +602,44 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\065\336\364\317
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
+# Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements.""
+# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Serial Number: 1407252 (0x157914)
+# Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+# Not Valid Before: Mon Feb 01 14:54:04 2010
+# Not Valid After : Tue Sep 30 00:00:00 2014
+# Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
+# Fingerprint (SHA1): 30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements.""
+CKA_ISSUER MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\025\171\024
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
 #
 # Certificate "Digital Signature Trust Co. Global CA 1"
 #
 # Issuer: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
 # Serial Number: 913315222 (0x36701596)
 # Subject: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
 # Not Valid Before: Thu Dec 10 18:10:23 1998
 # Not Valid After : Mon Dec 10 18:40:23 2018
@@ -1550,16 +1697,436 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "ValiCert Class 1 VA"
+#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Fri Jun 25 22:23:48 1999
+# Not Valid After : Tue Jun 25 22:23:48 2019
+# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 1 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062
+\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130
+\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363
+\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022
+\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376
+\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235
+\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123
+\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030
+\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300
+\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364
+\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144
+\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007
+\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326
+\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152
+\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105
+\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360
+\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355
+\161\202\053\231\317\072\267\365\055\162\310
+END
+
+# Trust for Certificate "ValiCert Class 1 VA"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Fri Jun 25 22:23:48 1999
+# Not Valid After : Tue Jun 25 22:23:48 2019
+# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 1 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201
+\020\237\344\216
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "ValiCert Class 2 VA"
+#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:19:54 1999
+# Not Valid After : Wed Jun 26 00:19:54 2019
+# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 2 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062
+\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330
+\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353
+\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045
+\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175
+\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205
+\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071
+\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022
+\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156
+\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157
+\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201
+\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275
+\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356
+\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120
+\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041
+\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002
+\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370
+\276\355\164\114\274\133\325\142\037\103\335
+END
+
+# Trust for Certificate "ValiCert Class 2 VA"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:19:54 1999
+# Not Valid After : Wed Jun 26 00:19:54 2019
+# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 2 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267
+\330\361\374\246
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "RSA Root Certificate 1"
+#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:22:33 1999
+# Not Valid After : Wed Jun 26 00:22:33 2019
+# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "RSA Root Certificate 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062
+\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303
+\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065
+\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253
+\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354
+\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155
+\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312
+\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230
+\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342
+\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204
+\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012
+\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323
+\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311
+\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250
+\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274
+\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300
+\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010
+\040\017\105\176\153\242\177\243\214\025\356
+END
+
+# Trust for Certificate "RSA Root Certificate 1"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:22:33 1999
+# Not Valid After : Wed Jun 26 00:22:33 2019
+# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "RSA Root Certificate 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363
+\354\252\065\373
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
@@ -2041,16 +2608,128 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
 \051\357\127
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
+# Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
+# Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+# Not Valid Before: Sun May 18 00:00:00 2008
+# Not Valid After : Thu May 17 23:59:59 2018
+# Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D
+# Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\114\000\066\033\345\010\053\251\252\316\164\012\005\076
+\373\064
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+
+# Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51
+# Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+# Not Valid Before: Sun May 18 00:00:00 2008
+# Not Valid After : Thu May 17 23:59:59 2018
+# Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34
+# Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\076\014\236\207\151\252\225\134\352\043\330\105\236\324
+\133\121
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+# Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
+# Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+# Not Valid Before: Sun May 18 00:00:00 2008
+# Not Valid After : Thu May 17 23:59:59 2018
+# Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E
+# Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\022\275\046\242\256\063\300\177\044\173\152\130\151\362
+\012\166
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
 #
 # Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
 # Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
@@ -2206,16 +2885,190 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \224\136\327
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "Entrust.net Secure Server CA"
+#
+# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Serial Number: 927650371 (0x374ad243)
+# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Not Valid Before: Tue May 25 16:09:40 1999
+# Not Valid After : Sat May 25 16:39:40 2019
+# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
+# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\067\112\322\103
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067
+\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
+\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004
+\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156
+\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142
+\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154
+\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034
+\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164
+\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070
+\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156
+\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065
+\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062
+\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004
+\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073
+\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164
+\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164
+\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040
+\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201
+\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
+\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124
+\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262
+\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077
+\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037
+\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050
+\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367
+\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064
+\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071
+\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202
+\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125
+\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333
+\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023
+\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071
+\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165
+\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162
+\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
+\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
+\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164
+\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
+\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
+\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
+\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013
+\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240
+\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156
+\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145
+\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060
+\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064
+\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071
+\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006
+\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142
+\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320
+\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023
+\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032
+\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031
+\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033
+\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002
+\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016
+\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015
+\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145
+\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030
+\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035
+\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255
+\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076
+\155\055\105\013\367\012\223\352\355\006\371\262
+END
+
+# Trust for Certificate "Entrust.net Secure Server CA"
+# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Serial Number: 927650371 (0x374ad243)
+# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Not Valid Before: Tue May 25 16:09:40 1999
+# Not Valid After : Sat May 25 16:39:40 2019
+# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
+# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374
+\061\176\025\071
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\067\112\322\103
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Entrust.net Premium 2048 Secure Server CA"
 #
 # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Serial Number: 946069240 (0x3863def8)
 # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Not Valid Before: Fri Dec 24 17:50:51 1999
 # Not Valid After : Tue Jul 24 14:15:12 2029
 # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
@@ -8058,19 +8911,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
 \003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
 \151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
 \163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\151
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "NetLock Express (Class C) Root"
 #
 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
@@ -8231,19 +9084,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
 \003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
 \163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
 \156\165\163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\150
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -190,17 +190,17 @@ ifeq ($(CPU_ARCH),x86_64)
     ASFILES += intel-aes.s intel-gcm.s
     EXTRA_SRCS += intel-gcm-wrap.c
     INTEL_GCM = 1
     MPI_SRCS += mpi_amd64.c mp_comba.c
 endif
 ifeq ($(CPU_ARCH),x86)
     ASFILES  = mpi_x86.s
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
-    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
+    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
     # The floating point ECC code doesn't work on Linux x86 (bug 311432).
     #ECL_USE_FP = 1
 endif
 ifeq ($(CPU_ARCH),arm)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
     DEFINES += -DMP_USE_UINT_DIGIT
     DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -463,20 +463,20 @@ nssTrustDomain_UpdateCachedTokenCerts (
     PRUint32 count;
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) return PR_FAILURE;
     (void)nssTrustDomain_GetCertsFromCache(td, certList);
     count = nssList_Count(certList);
     if (count > 0) {
 	cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
 	if (!cached) {
+	    nssList_Destroy(certList);
 	    return PR_FAILURE;
 	}
 	nssList_GetArray(certList, (void **)cached, count);
-	nssList_Destroy(certList);
 	for (cp = cached; *cp; cp++) {
 	    nssCryptokiObject *instance;
 	    NSSCertificate *c = *cp;
 	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
 	    instance = nssToken_FindCertificateByIssuerAndSerialNumber(
 	                                                       token,
                                                                NULL,
                                                                &c->issuer,
@@ -485,16 +485,17 @@ nssTrustDomain_UpdateCachedTokenCerts (
                                                                NULL);
 	    if (instance) {
 		nssPKIObject_AddInstance(&c->object, instance);
 		STAN_ForceCERTCertificateUpdate(c);
 	    }
 	}
 	nssCertificateArray_Destroy(cached);
     }
+    nssList_Destroy(certList);
     return PR_SUCCESS;
 }
 
 static PRStatus
 add_issuer_and_serial_entry (
   NSSArena *arena,
   nssTDCertificateCache *cache, 
   NSSCertificate *cert
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -59,17 +59,17 @@ static SECStatus ssl3_ServerHandleNextPr
 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
 					  PRUint32 maxBytes);
 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
 					       PRUint32 maxBytes);
 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
     PRUint32 maxBytes);
 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
     SECItem *data);
-static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
+static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
     PRBool append, PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
     PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
                                                    PRUint16 ex_type,
                                                    SECItem *data);
 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
                                                PRUint32 maxBytes);