Bug 967153: Update NSS to NSS 3.16 beta 1 (NSS_3_16_BETA1), r=me, a=sylvestre
authorBrian Smith <brian@briansmith.org>
Wed, 12 Feb 2014 00:22:32 -0800
changeset 176986 51497c942865bf0991bc86c3a268f66522d52659
parent 176985 7a6043b28459dd9063a34c8b4976d9ba91b0b9be
child 176987 a7b083b7ddaa30dad5f643be7bbf1b6b3e43781c
push id5225
push userbrian@briansmith.org
push dateWed, 12 Feb 2014 08:24:03 +0000
treeherdermozilla-aurora@a7b083b7ddaa [default view] [failures only]
reviewersme, sylvestre
bugs967153
milestone29.0a2
Bug 967153: Update NSS to NSS 3.16 beta 1 (NSS_3_16_BETA1), r=me, a=sylvestre
security/nss/TAG-INFO
security/nss/coreconf/config.mk
security/nss/coreconf/coreconf.dep
security/nss/lib/certhigh/certvfy.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/rsapkcs.c
security/nss/lib/freebl/sysrand.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_pl_pki.h
security/nss/lib/libpkix/include/pkix_sample_modules.h
security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
security/nss/lib/libpkix/pkix/top/pkix_build.h
security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
security/nss/lib/nss/nss.h
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/nssutil.h
security/nss/tests/chains/scenarios/nameconstraints.cfg
security/nss/tests/libpkix/certs/NameConstraints.ca.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate2.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate3.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate4.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate5.cert
security/nss/tests/libpkix/certs/NameConstraints.intermediate6.cert
security/nss/tests/libpkix/certs/NameConstraints.ncca.cert
security/nss/tests/libpkix/certs/NameConstraints.server1.cert
security/nss/tests/libpkix/certs/NameConstraints.server10.cert
security/nss/tests/libpkix/certs/NameConstraints.server11.cert
security/nss/tests/libpkix/certs/NameConstraints.server12.cert
security/nss/tests/libpkix/certs/NameConstraints.server13.cert
security/nss/tests/libpkix/certs/NameConstraints.server14.cert
security/nss/tests/libpkix/certs/NameConstraints.server15.cert
security/nss/tests/libpkix/certs/NameConstraints.server16.cert
security/nss/tests/libpkix/certs/NameConstraints.server17.cert
security/nss/tests/libpkix/certs/NameConstraints.server2.cert
security/nss/tests/libpkix/certs/NameConstraints.server3.cert
security/nss/tests/libpkix/certs/NameConstraints.server4.cert
security/nss/tests/libpkix/certs/NameConstraints.server5.cert
security/nss/tests/libpkix/certs/NameConstraints.server6.cert
security/nss/tests/libpkix/certs/NameConstraints.server7.cert
security/nss/tests/libpkix/certs/NameConstraints.server8.cert
security/nss/tests/libpkix/certs/NameConstraints.server9.cert
security/nss/tests/libpkix/certs/make-nc
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_15_5_RC0
+NSS_3_16_BETA1
--- a/security/nss/coreconf/config.mk
+++ b/security/nss/coreconf/config.mk
@@ -161,16 +161,20 @@ endif
 ifdef BUILD_LIBPKIX_TESTS
 DEFINES += -DBUILD_LIBPKIX_TESTS
 endif
 
 ifdef NSS_DISABLE_DBM
 DEFINES += -DNSS_DISABLE_DBM
 endif
 
+ifdef NSS_PKIX_NO_LDAP
+DEFINES += -DNSS_PKIX_NO_LDAP
+endif
+
 # Avoid building object leak test code for optimized library
 ifndef BUILD_OPT
 ifdef PKIX_OBJECT_LEAK_TEST
 DEFINES += -DPKIX_OBJECT_LEAK_TEST
 endif
 endif
 
 # This allows all library and tools code to use the util function
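Review bot: The new `NSS_PKIX_NO_LDAP` block has no comment, unlike the leak-test block directly below it, so a packager reading config.mk cannot tell what the switch compiles out. Judging only by the changed-file list (pkix_pl_aiamgr.c and the libpkix module manifest.mn), it presumably removes the LDAP client path from libpkix certificate fetching; that should be confirmed against those files. I would add something like `# Build libpkix without its LDAP client code (HTTP fetching is unaffected)` above the `ifdef`, with the wording adjusted to the real scope. Since the flag changes which network-facing code is linked into certificate verification, it is also worth recording where it is expected to be set.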
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -501,17 +501,28 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 	    pathLengthLimit = basicConstraint.pathLenConstraint;
 	    isca = PR_TRUE;
 	}    
 	/* make sure that the path len constraint is properly set.*/
 	if (pathLengthLimit >= 0 && currentPathLen > pathLengthLimit) {
 	    PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
 	    LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit);
 	}
-	
+
+        /* make sure that the entire chain is within the name space of the
+         * current issuer certificate.
+         */
+        rv = CERT_CompareNameSpace(issuerCert, namesList, certsList,
+                                   arena, &badCert);
+        if (rv != SECSuccess || badCert != NULL) {
+            PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
+            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
+            goto loser;
+        }
+
 	/* XXX - the error logging may need to go down into CRL stuff at some
 	 * point
 	 */
 	/* check revoked list (issuer) */
         rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
         if (rv == SECFailure) {
             if (revoked) {
                 *revoked = PR_TRUE;
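Review bot: In the relocated name-space check, the `rv != SECSuccess` case shares its handling with `badCert != NULL`. An internal failure of CERT_CompareNameSpace (an allocation or decoding error, say) therefore has its error code replaced by SEC_ERROR_CERT_NOT_IN_NAME_SPACE, and `badCert`, which may still be NULL on that path, is handed to `LOG_ERROR_OR_EXIT`. I would split the failure case out ahead of the `badCert` test and keep the original error, e.g. `if (rv != SECSuccess) { LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0); goto loser; }`, which still fails closed but stays diagnosable. The block also deserves a comment saying why it must run this early in the loop (presumably so that no later early-exit path can skip name-constraint enforcement), and the added lines are space-indented inside a tab-indented function. cert_VerifyCertChainOld begins and ends outside this hunk.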
@@ -623,26 +634,16 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 
 	    /* make sure key usage allows cert signing */
 	    if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
 		PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
 		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
 	    }
 	}
 
-	/* make sure that the entire chain is within the name space of the 
-	** current issuer certificate.
-	*/
-	rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, 
-	                           arena, &badCert);
-	if (rv != SECSuccess || badCert != NULL) {
-	    PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
-            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
-	    goto loser;
-	}
 	/* make sure that the issuer is not self signed.  If it is, then
 	 * stop here to prevent looping.
 	 */
 	if (issuerCert->isRoot) {
 	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
 	    LOG_ERROR(log, issuerCert, count+1, 0);
 	    goto loser;
 	} 
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,135 +65,16 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
-# Certificate "GTE CyberTrust Global Root"
-#
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
-\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
-\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
-\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
-\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
-\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
-\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
-\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
-\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
-\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
-\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
-\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
-\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
-\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
-\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
-\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
-\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
-\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
-\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
-\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
-\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
-\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
-\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
-\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
-\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
-\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
-\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
-\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
-\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
-\037\042\265\315\225\255\272\247\314\371\253\013\172\177
-END
-
-# Trust for Certificate "GTE CyberTrust Global Root"
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
-\066\176\364\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Thawte Server CA"
 #
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
@@ -1669,436 +1550,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ValiCert Class 1 VA"
-#
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Fri Jun 25 22:23:48 1999
-# Not Valid After : Tue Jun 25 22:23:48 2019
-# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
-# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 1 VA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062
-\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130
-\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363
-\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022
-\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376
-\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235
-\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123
-\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030
-\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300
-\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364
-\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144
-\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007
-\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326
-\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152
-\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105
-\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360
-\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355
-\161\202\053\231\317\072\267\365\055\162\310
-END
-
-# Trust for Certificate "ValiCert Class 1 VA"
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Fri Jun 25 22:23:48 1999
-# Not Valid After : Tue Jun 25 22:23:48 2019
-# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
-# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 1 VA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201
-\020\237\344\216
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "ValiCert Class 2 VA"
-#
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:19:54 1999
-# Not Valid After : Wed Jun 26 00:19:54 2019
-# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
-# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 2 VA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062
-\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330
-\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353
-\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045
-\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175
-\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205
-\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071
-\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022
-\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156
-\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157
-\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201
-\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275
-\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356
-\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120
-\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041
-\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002
-\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370
-\276\355\164\114\274\133\325\142\037\103\335
-END
-
-# Trust for Certificate "ValiCert Class 2 VA"
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:19:54 1999
-# Not Valid After : Wed Jun 26 00:19:54 2019
-# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
-# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ValiCert Class 2 VA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267
-\330\361\374\246
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "RSA Root Certificate 1"
-#
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:22:33 1999
-# Not Valid After : Wed Jun 26 00:22:33 2019
-# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
-# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Root Certificate 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
-\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
-\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
-\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
-\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
-\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
-\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126
-\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
-\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
-\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
-\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
-\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
-\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062
-\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006
-\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
-\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
-\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
-\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
-\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
-\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154
-\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
-\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
-\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
-\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
-\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
-\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303
-\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065
-\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253
-\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354
-\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155
-\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312
-\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230
-\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342
-\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204
-\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012
-\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323
-\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311
-\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250
-\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274
-\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300
-\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010
-\040\017\105\176\153\242\177\243\214\025\356
-END
-
-# Trust for Certificate "RSA Root Certificate 1"
-# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Serial Number: 1 (0x1)
-# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
-# Not Valid Before: Sat Jun 26 00:22:33 1999
-# Not Valid After : Wed Jun 26 00:22:33 2019
-# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
-# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "RSA Root Certificate 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363
-\354\252\065\373
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
-\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
-\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
-\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
-\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
-\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
-\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
-\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
-\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
-\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
-\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
-\157\100\166\141\154\151\143\145\162\164\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
@@ -2745,190 +2206,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \224\136\327
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Entrust.net Secure Server CA"
-#
-# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Serial Number: 927650371 (0x374ad243)
-# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Not Valid Before: Tue May 25 16:09:40 1999
-# Not Valid After : Sat May 25 16:39:40 2019
-# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
-# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\112\322\103
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067
-\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002
-\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
-\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004
-\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156
-\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142
-\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154
-\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034
-\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164
-\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070
-\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156
-\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065
-\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062
-\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004
-\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073
-\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164
-\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143
-\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
-\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
-\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
-\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
-\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164
-\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040
-\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141
-\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201
-\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
-\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124
-\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262
-\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077
-\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037
-\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050
-\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367
-\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064
-\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071
-\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202
-\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125
-\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333
-\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023
-\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071
-\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165
-\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162
-\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
-\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
-\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164
-\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
-\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
-\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
-\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013
-\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240
-\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156
-\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145
-\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060
-\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064
-\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071
-\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006
-\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142
-\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320
-\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023
-\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032
-\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031
-\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033
-\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002
-\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016
-\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015
-\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145
-\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030
-\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035
-\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255
-\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076
-\155\055\105\013\367\012\223\352\355\006\371\262
-END
-
-# Trust for Certificate "Entrust.net Secure Server CA"
-# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Serial Number: 927650371 (0x374ad243)
-# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
-# Not Valid Before: Tue May 25 16:09:40 1999
-# Not Valid After : Sat May 25 16:39:40 2019
-# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
-# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Entrust.net Secure Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374
-\061\176\025\071
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
-\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
-\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
-\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
-\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
-\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
-\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
-\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
-\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
-\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\067\112\322\103
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Entrust.net Premium 2048 Secure Server CA"
 #
 # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Serial Number: 946069240 (0x3863def8)
 # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Not Valid Before: Fri Dec 24 17:50:51 1999
 # Not Valid After : Tue Jul 24 14:15:12 2029
 # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
@@ -7231,167 +6518,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\072\314\245\114
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "TDC OCES Root CA"
-#
-# Issuer: CN=TDC OCES CA,O=TDC,C=DK
-# Serial Number: 1044954564 (0x3e48bdc4)
-# Subject: CN=TDC OCES CA,O=TDC,C=DK
-# Not Valid Before: Tue Feb 11 08:39:30 2003
-# Not Valid After : Wed Feb 11 09:09:30 2037
-# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
-# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC OCES Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\076\110\275\304
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\031\060\202\004\001\240\003\002\001\002\002\004\076
-\110\275\304\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\061\061\013\060\011\006\003\125\004\006\023\002\104
-\113\061\014\060\012\006\003\125\004\012\023\003\124\104\103\061
-\024\060\022\006\003\125\004\003\023\013\124\104\103\040\117\103
-\105\123\040\103\101\060\036\027\015\060\063\060\062\061\061\060
-\070\063\071\063\060\132\027\015\063\067\060\062\061\061\060\071
-\060\071\063\060\132\060\061\061\013\060\011\006\003\125\004\006
-\023\002\104\113\061\014\060\012\006\003\125\004\012\023\003\124
-\104\103\061\024\060\022\006\003\125\004\003\023\013\124\104\103
-\040\117\103\105\123\040\103\101\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\254\142\366\141\040\262\317
-\300\306\205\327\343\171\346\314\355\362\071\222\244\227\056\144
-\243\204\133\207\234\114\375\244\363\304\137\041\275\126\020\353
-\333\056\141\354\223\151\343\243\314\275\231\303\005\374\006\270
-\312\066\034\376\220\216\111\114\304\126\232\057\126\274\317\173
-\014\361\157\107\246\015\103\115\342\351\035\071\064\315\215\054
-\331\022\230\371\343\341\301\112\174\206\070\304\251\304\141\210
-\322\136\257\032\046\115\325\344\240\042\107\204\331\144\267\031
-\226\374\354\031\344\262\227\046\116\112\114\313\217\044\213\124
-\030\034\110\141\173\325\210\150\332\135\265\352\315\032\060\301
-\200\203\166\120\252\117\321\324\335\070\360\357\026\364\341\014
-\120\006\277\352\373\172\111\241\050\053\034\366\374\025\062\243
-\164\152\217\251\303\142\051\161\061\345\073\244\140\027\136\164
-\346\332\023\355\351\037\037\033\321\262\150\163\306\020\064\165
-\106\020\020\343\220\000\166\100\313\213\267\103\011\041\377\253
-\116\223\306\130\351\245\202\333\167\304\072\231\261\162\225\111
-\004\360\267\053\372\173\131\216\335\002\003\001\000\001\243\202
-\002\067\060\202\002\063\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\201\354\006\003\125\035\040\004
-\201\344\060\201\341\060\201\336\006\010\052\201\120\201\051\001
-\001\001\060\201\321\060\057\006\010\053\006\001\005\005\007\002
-\001\026\043\150\164\164\160\072\057\057\167\167\167\056\143\145
-\162\164\151\146\151\153\141\164\056\144\153\057\162\145\160\157
-\163\151\164\157\162\171\060\201\235\006\010\053\006\001\005\005
-\007\002\002\060\201\220\060\012\026\003\124\104\103\060\003\002
-\001\001\032\201\201\103\145\162\164\151\146\151\153\141\164\145
-\162\040\146\162\141\040\144\145\156\156\145\040\103\101\040\165
-\144\163\164\145\144\145\163\040\165\156\144\145\162\040\117\111
-\104\040\061\056\062\056\062\060\070\056\061\066\071\056\061\056
-\061\056\061\056\040\103\145\162\164\151\146\151\143\141\164\145
-\163\040\146\162\157\155\040\164\150\151\163\040\103\101\040\141
-\162\145\040\151\163\163\165\145\144\040\165\156\144\145\162\040
-\117\111\104\040\061\056\062\056\062\060\070\056\061\066\071\056
-\061\056\061\056\061\056\060\021\006\011\140\206\110\001\206\370
-\102\001\001\004\004\003\002\000\007\060\201\201\006\003\125\035
-\037\004\172\060\170\060\110\240\106\240\104\244\102\060\100\061
-\013\060\011\006\003\125\004\006\023\002\104\113\061\014\060\012
-\006\003\125\004\012\023\003\124\104\103\061\024\060\022\006\003
-\125\004\003\023\013\124\104\103\040\117\103\105\123\040\103\101
-\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060
-\054\240\052\240\050\206\046\150\164\164\160\072\057\057\143\162
-\154\056\157\143\145\163\056\143\145\162\164\151\146\151\153\141
-\164\056\144\153\057\157\143\145\163\056\143\162\154\060\053\006
-\003\125\035\020\004\044\060\042\200\017\062\060\060\063\060\062
-\061\061\060\070\063\071\063\060\132\201\017\062\060\063\067\060
-\062\061\061\060\071\060\071\063\060\132\060\037\006\003\125\035
-\043\004\030\060\026\200\024\140\265\205\354\126\144\176\022\031
-\047\147\035\120\025\113\163\256\073\371\022\060\035\006\003\125
-\035\016\004\026\004\024\140\265\205\354\126\144\176\022\031\047
-\147\035\120\025\113\163\256\073\371\022\060\035\006\011\052\206
-\110\206\366\175\007\101\000\004\020\060\016\033\010\126\066\056
-\060\072\064\056\060\003\002\004\220\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\012\272\046
-\046\106\323\163\250\011\363\153\013\060\231\375\212\341\127\172
-\021\323\270\224\327\011\020\156\243\261\070\003\321\266\362\103
-\101\051\142\247\162\330\373\174\005\346\061\160\047\124\030\116
-\212\174\116\345\321\312\214\170\210\317\033\323\220\213\346\043
-\370\013\016\063\103\175\234\342\012\031\217\311\001\076\164\135
-\164\311\213\034\003\345\030\310\001\114\077\313\227\005\135\230
-\161\246\230\157\266\174\275\067\177\276\341\223\045\155\157\360
-\012\255\027\030\341\003\274\007\051\310\255\046\350\370\141\360
-\375\041\011\176\232\216\251\150\175\110\142\162\275\000\352\001
-\231\270\006\202\121\201\116\361\365\264\221\124\271\043\172\000
-\232\237\135\215\340\074\144\271\032\022\222\052\307\202\104\162
-\071\334\342\074\306\330\125\365\025\116\310\005\016\333\306\320
-\142\246\354\025\264\265\002\202\333\254\214\242\201\360\233\231
-\061\365\040\040\250\210\141\012\007\237\224\374\320\327\033\314
-\056\027\363\004\047\166\147\353\124\203\375\244\220\176\006\075
-\004\243\103\055\332\374\013\142\352\057\137\142\123
-END
-
-# Trust for Certificate "TDC OCES Root CA"
-# Issuer: CN=TDC OCES CA,O=TDC,C=DK
-# Serial Number: 1044954564 (0x3e48bdc4)
-# Subject: CN=TDC OCES CA,O=TDC,C=DK
-# Not Valid Before: Tue Feb 11 08:39:30 2003
-# Not Valid After : Wed Feb 11 09:09:30 2037
-# Fingerprint (MD5): 93:7F:90:1C:ED:84:67:17:A4:65:5F:9B:CB:30:02:97
-# Fingerprint (SHA1): 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TDC OCES Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\207\201\302\132\226\275\302\373\114\145\006\117\371\071\013\046
-\004\212\016\001
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\223\177\220\034\355\204\147\027\244\145\137\233\313\060\002\227
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\061\061\013\060\011\006\003\125\004\006\023\002\104\113\061
-\014\060\012\006\003\125\004\012\023\003\124\104\103\061\024\060
-\022\006\003\125\004\003\023\013\124\104\103\040\117\103\105\123
-\040\103\101
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\076\110\275\304
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "UTN DATACorp SGC Root CA"
 #
 # Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:44:be:0c:8b:50:00:21:b4:11:d3:2a:68:06:a9:ad:69
 # Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Thu Jun 24 18:57:21 1999
 # Not Valid After : Mon Jun 24 19:06:30 2019
 # Fingerprint (MD5): B3:A5:3E:77:21:6D:AC:4A:C0:C9:FB:D5:41:3D:CA:06
@@ -8922,19 +8058,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
 \003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
 \151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
 \163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\151
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "NetLock Express (Class C) Root"
 #
 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
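Review bot: The changed trust lines in this hunk move CKA_TRUST_SERVER_AUTH and CKA_TRUST_CODE_SIGNING from CKT_NSS_TRUSTED_DELEGATOR to CKT_NSS_MUST_VERIFY_TRUST and keep email trust, but nothing in the record says why the root lost those purposes. The same undocumented change appears in the next hunk (`@@ -9095,19 +8231,19 @@`), whose issuer bytes decode to the NetLock Expressz (Class C) root. I would add a comment to each trust record's header, for example `# Trust reduced to email only (server auth and code signing removed); see bug <BUG-ID>`, so an auditor can tell a deliberate restriction from an editing slip. Because the certificate object stays in the file, it would also help to note that consumers which extract roots from certdata.txt must honour the per-purpose trust attributes rather than treat every listed certificate as a TLS anchor. The trust record's header lines lie outside this hunk, so the placement needs checking against the full file.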
@@ -9095,19 +8231,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
 \003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
 \163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
 \156\165\163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\150
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
@@ -9910,173 +9046,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \136\366
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Firmaprofesional Root CA"
-#
-# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Serial Number: 1 (0x1)
-# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Not Valid Before: Wed Oct 24 22:00:00 2001
-# Not Valid After : Thu Oct 24 22:00:00 2013
-# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
-# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Firmaprofesional Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165
-\156\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145
-\154\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160
-\162\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101
-\066\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206
-\110\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155
-\141\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165
-\156\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145
-\154\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160
-\162\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101
-\066\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206
-\110\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155
-\141\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\127\060\202\003\077\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165\156
-\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145\154
-\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101\165
-\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160\162
-\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101\066
-\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206\110
-\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155\141
-\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155\060
-\036\027\015\060\061\061\060\062\064\062\062\060\060\060\060\132
-\027\015\061\063\061\060\062\064\062\062\060\060\060\060\132\060
-\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123\061
-\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165\156
-\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145\154
-\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101\165
-\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160\162
-\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101\066
-\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206\110
-\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155\141
-\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155\060
-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-\347\043\003\157\157\043\245\136\170\316\225\054\355\224\036\156
-\012\236\001\307\352\060\321\054\235\335\067\350\233\230\171\126
-\323\374\163\337\320\212\336\125\217\121\371\132\352\336\265\160
-\304\355\244\355\377\243\015\156\017\144\120\061\257\001\047\130
-\256\376\154\247\112\057\027\055\323\163\325\023\034\217\131\245
-\064\054\035\124\004\105\315\150\270\240\300\003\245\317\205\102
-\107\225\050\133\317\357\200\154\340\220\227\212\001\074\035\363
-\207\020\060\046\110\175\327\374\351\235\221\161\377\101\232\251
-\100\265\067\234\051\040\117\037\122\343\240\175\023\155\124\267
-\012\336\351\152\116\007\254\254\031\137\334\176\142\164\366\262
-\005\000\272\205\240\375\035\070\156\313\132\273\206\274\224\147
-\063\065\203\054\037\043\315\370\310\221\161\314\227\213\357\256
-\017\334\051\003\033\300\071\353\160\355\301\156\016\330\147\013
-\211\251\274\065\344\357\266\064\264\245\266\304\055\245\276\320
-\303\224\044\110\333\337\226\323\000\265\146\032\213\146\005\017
-\335\077\077\313\077\252\136\232\112\370\264\112\357\225\067\033
-\002\003\001\000\001\243\201\237\060\201\234\060\052\006\003\125
-\035\021\004\043\060\041\206\037\150\164\164\160\072\057\057\167
-\167\167\056\146\151\162\155\141\160\162\157\146\145\163\151\157
-\156\141\154\056\143\157\155\060\022\006\003\125\035\023\001\001
-\377\004\010\060\006\001\001\377\002\001\001\060\053\006\003\125
-\035\020\004\044\060\042\200\017\062\060\060\061\061\060\062\064
-\062\062\060\060\060\060\132\201\017\062\060\061\063\061\060\062
-\064\062\062\060\060\060\060\132\060\016\006\003\125\035\017\001
-\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004
-\026\004\024\063\013\240\146\321\352\332\316\336\142\223\004\050
-\122\265\024\177\070\150\267\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\001\001\000\107\163\376\215\047
-\124\360\365\324\167\234\047\171\127\127\267\025\126\354\307\330
-\130\267\001\002\364\063\355\223\120\210\236\174\106\261\275\077
-\024\157\361\263\107\110\213\214\227\006\327\352\176\243\134\052
-\273\115\057\107\342\370\071\006\311\234\056\061\032\003\170\364
-\274\070\306\042\213\063\061\360\026\004\004\175\371\166\344\113
-\327\300\346\203\354\131\314\077\336\377\117\153\267\147\176\246
-\206\201\062\043\003\235\310\367\137\301\112\140\245\222\251\261
-\244\240\140\303\170\207\263\042\363\052\353\133\251\355\005\253
-\067\017\261\342\323\225\166\143\126\164\214\130\162\033\067\345
-\144\241\276\115\014\223\230\014\227\366\207\155\263\077\347\313
-\200\246\355\210\307\137\120\142\002\350\231\164\026\320\346\264
-\071\361\047\313\310\100\326\343\206\020\251\043\022\222\340\151
-\101\143\247\257\045\013\300\305\222\313\036\230\243\132\272\305
-\063\017\240\227\001\335\177\340\173\326\006\124\317\241\342\115
-\070\353\113\120\265\313\046\364\312\332\160\112\152\241\342\171
-\252\341\247\063\366\375\112\037\366\331\140
-END
-
-# Trust for Certificate "Firmaprofesional Root CA"
-# Issuer: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Serial Number: 1 (0x1)
-# Subject: E=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES
-# Not Valid Before: Wed Oct 24 22:00:00 2001
-# Not Valid After : Thu Oct 24 22:00:00 2013
-# Fingerprint (MD5): 11:92:79:40:3C:B1:83:40:E5:AB:66:4A:67:92:80:DF
-# Fingerprint (SHA1): A9:62:8F:4B:98:A9:1B:48:35:BA:D2:C1:46:32:86:BB:66:64:6A:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Firmaprofesional Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\251\142\217\113\230\251\033\110\065\272\322\301\106\062\206\273
-\146\144\152\214
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\021\222\171\100\074\261\203\100\345\253\146\112\147\222\200\337
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\235\061\013\060\011\006\003\125\004\006\023\002\105\123
-\061\042\060\040\006\003\125\004\007\023\031\103\057\040\115\165
-\156\164\141\156\145\162\040\062\064\064\040\102\141\162\143\145
-\154\157\156\141\061\102\060\100\006\003\125\004\003\023\071\101
-\165\164\157\162\151\144\141\144\040\144\145\040\103\145\162\164
-\151\146\151\143\141\143\151\157\156\040\106\151\162\155\141\160
-\162\157\146\145\163\151\157\156\141\154\040\103\111\106\040\101
-\066\062\066\063\064\060\066\070\061\046\060\044\006\011\052\206
-\110\206\367\015\001\011\001\026\027\143\141\100\146\151\162\155
-\141\160\162\157\146\145\163\151\157\156\141\154\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Swisscom Root CA 1"
 #
 # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
 # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Not Valid Before: Thu Aug 18 12:06:20 2005
 # Not Valid After : Mon Aug 18 22:06:20 2025
 # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
@@ -28964,8 +27943,627 @@ CKA_ISSUER MULTILINE_OCTAL
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\014\276
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "TeliaSonera Root CA v1"
+#
+# Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
+# Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Not Valid Before: Thu Oct 18 12:00:50 2007
+# Not Valid After : Mon Oct 18 12:00:50 2032
+# Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
+# Fingerprint (SHA1): 43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TeliaSonera Root CA v1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154
+\151\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004
+\003\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122
+\157\157\164\040\103\101\040\166\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154
+\151\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004
+\003\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122
+\157\157\164\040\103\101\040\166\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\225\276\026\240\367\056\106\361\173\071\202\162\372
+\213\315\226
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\070\060\202\003\040\240\003\002\001\002\002\021\000
+\225\276\026\240\367\056\106\361\173\071\202\162\372\213\315\226
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154\151
+\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004\003
+\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122\157
+\157\164\040\103\101\040\166\061\060\036\027\015\060\067\061\060
+\061\070\061\062\060\060\065\060\132\027\015\063\062\061\060\061
+\070\061\062\060\060\065\060\132\060\067\061\024\060\022\006\003
+\125\004\012\014\013\124\145\154\151\141\123\157\156\145\162\141
+\061\037\060\035\006\003\125\004\003\014\026\124\145\154\151\141
+\123\157\156\145\162\141\040\122\157\157\164\040\103\101\040\166
+\061\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002
+\001\000\302\276\353\047\360\041\243\363\151\046\125\176\235\305
+\125\026\221\134\375\357\041\277\123\200\172\055\322\221\214\143
+\061\360\354\044\360\303\245\322\162\174\020\155\364\067\267\345
+\346\174\171\352\214\265\202\213\256\110\266\254\000\334\145\165
+\354\052\115\137\301\207\365\040\145\053\201\250\107\076\211\043
+\225\060\026\220\177\350\127\007\110\347\031\256\277\105\147\261
+\067\033\006\052\376\336\371\254\175\203\373\136\272\344\217\227
+\147\276\113\216\215\144\007\127\070\125\151\064\066\075\023\110
+\357\117\342\323\146\036\244\317\032\267\136\066\063\324\264\006
+\275\030\001\375\167\204\120\000\105\365\214\135\350\043\274\176
+\376\065\341\355\120\173\251\060\215\031\323\011\216\150\147\135
+\277\074\227\030\123\273\051\142\305\312\136\162\301\307\226\324
+\333\055\240\264\037\151\003\354\352\342\120\361\014\074\360\254
+\363\123\055\360\034\365\355\154\071\071\163\200\026\310\122\260
+\043\315\340\076\334\335\074\107\240\273\065\212\342\230\150\213
+\276\345\277\162\356\322\372\245\355\022\355\374\230\030\251\046
+\166\334\050\113\020\040\034\323\177\026\167\055\355\157\200\367
+\111\273\123\005\273\135\150\307\324\310\165\026\077\211\132\213
+\367\027\107\324\114\361\322\211\171\076\115\075\230\250\141\336
+\072\036\322\370\136\003\340\301\311\034\214\323\215\115\323\225
+\066\263\067\137\143\143\233\063\024\360\055\046\153\123\174\211
+\214\062\302\156\354\075\041\000\071\311\241\150\342\120\203\056
+\260\072\053\363\066\240\254\057\344\157\141\302\121\011\071\076
+\213\123\271\273\147\332\334\123\271\166\131\066\235\103\345\040
+\340\075\062\140\205\042\121\267\307\063\273\335\025\057\244\170
+\246\007\173\201\106\066\004\206\335\171\065\307\225\054\073\260
+\243\027\065\345\163\037\264\134\131\357\332\352\020\145\173\172
+\320\177\237\263\264\052\067\073\160\213\233\133\271\053\267\354
+\262\121\022\227\123\051\132\324\360\022\020\334\117\002\273\022
+\222\057\142\324\077\151\103\174\015\326\374\130\165\001\210\235
+\130\026\113\336\272\220\377\107\001\211\006\152\366\137\262\220
+\152\263\002\246\002\210\277\263\107\176\052\331\325\372\150\170
+\065\115\002\003\001\000\001\243\077\060\075\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\013\006\003
+\125\035\017\004\004\003\002\001\006\060\035\006\003\125\035\016
+\004\026\004\024\360\217\131\070\000\263\365\217\232\226\014\325
+\353\372\173\252\027\350\023\022\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\002\001\000\276\344\134\142
+\116\044\364\014\010\377\360\323\014\150\344\223\111\042\077\104
+\047\157\273\155\336\203\146\316\250\314\015\374\365\232\006\345
+\167\024\221\353\235\101\173\231\052\204\345\377\374\041\301\135
+\360\344\037\127\267\165\251\241\137\002\046\377\327\307\367\116
+\336\117\370\367\034\106\300\172\117\100\054\042\065\360\031\261
+\320\153\147\054\260\250\340\300\100\067\065\366\204\134\134\343
+\257\102\170\376\247\311\015\120\352\015\204\166\366\121\357\203
+\123\306\172\377\016\126\111\056\217\172\326\014\346\047\124\343
+\115\012\140\162\142\315\221\007\326\245\277\310\231\153\355\304
+\031\346\253\114\021\070\305\157\061\342\156\111\310\077\166\200
+\046\003\046\051\340\066\366\366\040\123\343\027\160\064\027\235
+\143\150\036\153\354\303\115\206\270\023\060\057\135\106\015\107
+\103\325\033\252\131\016\271\134\215\006\110\255\164\207\137\307
+\374\061\124\101\023\342\307\041\016\236\340\036\015\341\300\173
+\103\205\220\305\212\130\306\145\012\170\127\362\306\043\017\001
+\331\040\113\336\017\373\222\205\165\052\134\163\215\155\173\045
+\221\312\356\105\256\006\113\000\314\323\261\131\120\332\072\210
+\073\051\103\106\136\227\053\124\316\123\157\215\112\347\226\372
+\277\161\016\102\213\174\375\050\240\320\110\312\332\304\201\114
+\273\242\163\223\046\310\353\014\326\046\210\266\300\044\317\273
+\275\133\353\165\175\351\010\216\206\063\054\171\167\011\151\245
+\211\374\263\160\220\207\166\217\323\042\273\102\316\275\163\013
+\040\046\052\320\233\075\160\036\044\154\315\207\166\251\027\226
+\267\317\015\222\373\216\030\251\230\111\321\236\376\140\104\162
+\041\271\031\355\302\365\061\361\071\110\210\220\044\165\124\026
+\255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047
+\034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206
+\130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077
+\306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161
+\110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131
+\141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
+\245\240\314\277\323\366\165\244\165\226\155\126
+END
+
+# Trust for "TeliaSonera Root CA v1"
+# Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
+# Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
+# Not Valid Before: Thu Oct 18 12:00:50 2007
+# Not Valid After : Mon Oct 18 12:00:50 2032
+# Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
+# Fingerprint (SHA1): 43:13:BB:96:F1:D5:86:9B:C1:4E:6A:92:F6:CF:F6:34:69:87:82:37
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TeliaSonera Root CA v1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\103\023\273\226\361\325\206\233\301\116\152\222\366\317\366\064
+\151\207\202\067
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\067\101\111\033\030\126\232\046\365\255\302\146\373\100\245\114
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\067\061\024\060\022\006\003\125\004\012\014\013\124\145\154
+\151\141\123\157\156\145\162\141\061\037\060\035\006\003\125\004
+\003\014\026\124\145\154\151\141\123\157\156\145\162\141\040\122
+\157\157\164\040\103\101\040\166\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\225\276\026\240\367\056\106\361\173\071\202\162\372
+\213\315\226
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "E-Tugra Certification Authority"
+#
+# Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Serial Number:6a:68:3e:9c:51:9b:cb:53
+# Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Not Valid Before: Tue Mar 05 12:09:48 2013
+# Not Valid After : Fri Mar 03 12:09:48 2023
+# Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
+# Fingerprint (SHA1): 51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Tugra Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\100\060\076\006\003\125\004\012\014\067\105\055\124\165
+\304\237\162\141\040\105\102\107\040\102\151\154\151\305\237\151
+\155\040\124\145\153\156\157\154\157\152\151\154\145\162\151\040
+\166\145\040\110\151\172\155\145\164\154\145\162\151\040\101\056
+\305\236\056\061\046\060\044\006\003\125\004\013\014\035\105\055
+\124\165\147\162\141\040\123\145\162\164\151\146\151\153\141\163
+\171\157\156\040\115\145\162\153\145\172\151\061\050\060\046\006
+\003\125\004\003\014\037\105\055\124\165\147\162\141\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\100\060\076\006\003\125\004\012\014\067\105\055\124\165
+\304\237\162\141\040\105\102\107\040\102\151\154\151\305\237\151
+\155\040\124\145\153\156\157\154\157\152\151\154\145\162\151\040
+\166\145\040\110\151\172\155\145\164\154\145\162\151\040\101\056
+\305\236\056\061\046\060\044\006\003\125\004\013\014\035\105\055
+\124\165\147\162\141\040\123\145\162\164\151\146\151\153\141\163
+\171\157\156\040\115\145\162\153\145\172\151\061\050\060\046\006
+\003\125\004\003\014\037\105\055\124\165\147\162\141\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\152\150\076\234\121\233\313\123
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\113\060\202\004\063\240\003\002\001\002\002\010\152
+\150\076\234\121\233\313\123\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\201\262\061\013\060\011\006\003\125
+\004\006\023\002\124\122\061\017\060\015\006\003\125\004\007\014
+\006\101\156\153\141\162\141\061\100\060\076\006\003\125\004\012
+\014\067\105\055\124\165\304\237\162\141\040\105\102\107\040\102
+\151\154\151\305\237\151\155\040\124\145\153\156\157\154\157\152
+\151\154\145\162\151\040\166\145\040\110\151\172\155\145\164\154
+\145\162\151\040\101\056\305\236\056\061\046\060\044\006\003\125
+\004\013\014\035\105\055\124\165\147\162\141\040\123\145\162\164
+\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145\172
+\151\061\050\060\046\006\003\125\004\003\014\037\105\055\124\165
+\147\162\141\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\036\027\015\061
+\063\060\063\060\065\061\062\060\071\064\070\132\027\015\062\063
+\060\063\060\063\061\062\060\071\064\070\132\060\201\262\061\013
+\060\011\006\003\125\004\006\023\002\124\122\061\017\060\015\006
+\003\125\004\007\014\006\101\156\153\141\162\141\061\100\060\076
+\006\003\125\004\012\014\067\105\055\124\165\304\237\162\141\040
+\105\102\107\040\102\151\154\151\305\237\151\155\040\124\145\153
+\156\157\154\157\152\151\154\145\162\151\040\166\145\040\110\151
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\061\046
+\060\044\006\003\125\004\013\014\035\105\055\124\165\147\162\141
+\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040\115
+\145\162\153\145\172\151\061\050\060\046\006\003\125\004\003\014
+\037\105\055\124\165\147\162\141\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\342\365\077\223\005\121\036\205\142\124\136\172\013\365\030
+\007\203\256\176\257\174\367\324\212\153\245\143\103\071\271\113
+\367\303\306\144\211\075\224\056\124\200\122\071\071\007\113\113
+\335\205\007\166\207\314\277\057\225\114\314\175\247\075\274\107
+\017\230\160\370\214\205\036\164\216\222\155\033\100\321\231\015
+\273\165\156\310\251\153\232\300\204\061\257\312\103\313\353\053
+\064\350\217\227\153\001\233\325\016\112\010\252\133\222\164\205
+\103\323\200\256\241\210\133\256\263\352\136\313\026\232\167\104
+\310\241\366\124\150\316\336\217\227\053\272\133\100\002\014\144
+\027\300\265\223\315\341\361\023\146\316\014\171\357\321\221\050
+\253\137\240\022\122\060\163\031\216\217\341\214\007\242\303\273
+\112\360\352\037\025\250\356\045\314\244\106\370\033\042\357\263
+\016\103\272\054\044\270\305\054\134\324\034\370\135\144\275\303
+\223\136\050\247\077\047\361\216\036\323\052\120\005\243\125\331
+\313\347\071\123\300\230\236\214\124\142\213\046\260\367\175\215
+\174\344\306\236\146\102\125\202\107\347\262\130\215\146\367\007
+\174\056\066\346\120\034\077\333\103\044\305\277\206\107\171\263
+\171\034\367\132\364\023\354\154\370\077\342\131\037\225\356\102
+\076\271\255\250\062\205\111\227\106\376\113\061\217\132\313\255
+\164\107\037\351\221\267\337\050\004\042\240\324\017\135\342\171
+\117\352\154\205\206\275\250\246\316\344\372\303\341\263\256\336
+\074\121\356\313\023\174\001\177\204\016\135\121\224\236\023\014
+\266\056\245\114\371\071\160\066\157\226\312\056\014\104\125\305
+\312\372\135\002\243\337\326\144\214\132\263\001\012\251\265\012
+\107\027\377\357\221\100\052\216\241\106\072\061\230\345\021\374
+\314\273\111\126\212\374\271\320\141\232\157\145\154\346\303\313
+\076\165\111\376\217\247\342\211\305\147\327\235\106\023\116\061
+\166\073\044\263\236\021\145\206\253\177\357\035\324\370\274\347
+\254\132\134\267\132\107\134\125\316\125\264\042\161\133\133\013
+\360\317\334\240\141\144\352\251\327\150\012\143\247\340\015\077
+\240\257\323\252\322\176\357\121\240\346\121\053\125\222\025\027
+\123\313\267\146\016\146\114\370\371\165\114\220\347\022\160\307
+\105\002\003\001\000\001\243\143\060\141\060\035\006\003\125\035
+\016\004\026\004\024\056\343\333\262\111\320\234\124\171\134\372
+\047\052\376\314\116\322\350\116\124\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125\035
+\043\004\030\060\026\200\024\056\343\333\262\111\320\234\124\171
+\134\372\047\052\376\314\116\322\350\116\124\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\001\006\060\015\006\011\052
+\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000\005
+\067\072\364\115\267\105\342\105\165\044\217\266\167\122\350\034
+\330\020\223\145\363\362\131\006\244\076\036\051\354\135\321\320
+\253\174\340\012\220\110\170\355\116\230\003\231\376\050\140\221
+\035\060\035\270\143\174\250\346\065\265\372\323\141\166\346\326
+\007\113\312\151\232\262\204\172\167\223\105\027\025\237\044\320
+\230\023\022\377\273\240\056\375\116\114\207\370\316\134\252\230
+\033\005\340\000\106\112\202\200\245\063\213\050\334\355\070\323
+\337\345\076\351\376\373\131\335\141\204\117\322\124\226\023\141
+\023\076\217\200\151\276\223\107\265\065\103\322\132\273\075\134
+\357\263\102\107\315\073\125\023\006\260\011\333\375\143\366\072
+\210\012\231\157\176\341\316\033\123\152\104\146\043\121\010\173
+\274\133\122\242\375\006\067\070\100\141\217\112\226\270\220\067
+\370\146\307\170\220\000\025\056\213\255\121\065\123\007\250\153
+\150\256\371\116\074\007\046\315\010\005\160\314\071\077\166\275
+\245\323\147\046\001\206\246\123\322\140\073\174\103\177\125\212
+\274\225\032\301\050\071\114\037\103\322\221\364\162\131\212\271
+\126\374\077\264\235\332\160\234\166\132\214\103\120\356\216\060
+\162\115\337\377\111\367\306\251\147\331\155\254\002\021\342\072
+\026\045\247\130\010\313\157\123\101\234\110\070\107\150\063\321
+\327\307\217\324\164\041\324\303\005\220\172\377\316\226\210\261
+\025\051\135\043\253\320\140\241\022\117\336\364\027\315\062\345
+\311\277\310\103\255\375\056\216\361\257\342\364\230\372\022\037
+\040\330\300\247\014\205\305\220\364\073\055\226\046\261\054\276
+\114\253\353\261\322\212\311\333\170\023\017\036\011\235\155\217
+\000\237\002\332\301\372\037\172\172\011\304\112\346\210\052\227
+\237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013
+\264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103
+\313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373
+\176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147
+\015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035
+\064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
+\243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
+END
+
+# Trust for "E-Tugra Certification Authority"
+# Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Serial Number:6a:68:3e:9c:51:9b:cb:53
+# Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+# Not Valid Before: Tue Mar 05 12:09:48 2013
+# Not Valid After : Fri Mar 03 12:09:48 2023
+# Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
+# Fingerprint (SHA1): 51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Tugra Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\121\306\347\010\111\006\156\363\222\324\134\240\015\155\243\142
+\217\303\122\071
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\270\241\003\143\260\275\041\161\160\212\157\023\072\273\171\111
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\262\061\013\060\011\006\003\125\004\006\023\002\124\122
+\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+\141\061\100\060\076\006\003\125\004\012\014\067\105\055\124\165
+\304\237\162\141\040\105\102\107\040\102\151\154\151\305\237\151
+\155\040\124\145\153\156\157\154\157\152\151\154\145\162\151\040
+\166\145\040\110\151\172\155\145\164\154\145\162\151\040\101\056
+\305\236\056\061\046\060\044\006\003\125\004\013\014\035\105\055
+\124\165\147\162\141\040\123\145\162\164\151\146\151\153\141\163
+\171\157\156\040\115\145\162\153\145\172\151\061\050\060\046\006
+\003\125\004\003\014\037\105\055\124\165\147\162\141\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\152\150\076\234\121\233\313\123
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "T-TeleSec GlobalRoot Class 2"
+#
+# Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Serial Number: 1 (0x1)
+# Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Not Valid Before: Wed Oct 01 10:40:14 2008
+# Not Valid After : Sat Oct 01 23:59:59 2033
+# Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
+# Fingerprint (SHA1): 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "T-TeleSec GlobalRoot Class 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163
+\164\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040
+\123\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060
+\035\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155
+\163\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045
+\060\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123
+\145\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154
+\141\163\163\040\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163
+\164\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040
+\123\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060
+\035\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155
+\163\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045
+\060\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123
+\145\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154
+\141\163\163\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\303\060\202\002\253\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
+\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163\164
+\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040\123
+\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060\035
+\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155\163
+\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045\060
+\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123\145
+\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154\141
+\163\163\040\062\060\036\027\015\060\070\061\060\060\061\061\060
+\064\060\061\064\132\027\015\063\063\061\060\060\061\062\063\065
+\071\065\071\132\060\201\202\061\013\060\011\006\003\125\004\006
+\023\002\104\105\061\053\060\051\006\003\125\004\012\014\042\124
+\055\123\171\163\164\145\155\163\040\105\156\164\145\162\160\162
+\151\163\145\040\123\145\162\166\151\143\145\163\040\107\155\142
+\110\061\037\060\035\006\003\125\004\013\014\026\124\055\123\171
+\163\164\145\155\163\040\124\162\165\163\164\040\103\145\156\164
+\145\162\061\045\060\043\006\003\125\004\003\014\034\124\055\124
+\145\154\145\123\145\143\040\107\154\157\142\141\154\122\157\157
+\164\040\103\154\141\163\163\040\062\060\202\001\042\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+\000\060\202\001\012\002\202\001\001\000\252\137\332\033\137\350
+\163\221\345\332\134\364\242\346\107\345\363\150\125\140\005\035
+\002\244\263\233\131\363\036\212\257\064\255\374\015\302\331\110
+\031\356\151\217\311\040\374\041\252\007\031\355\260\134\254\145
+\307\137\355\002\174\173\174\055\033\326\272\271\200\302\030\202
+\026\204\372\146\260\010\306\124\043\201\344\315\271\111\077\366
+\117\156\067\110\050\070\017\305\276\347\150\160\375\071\227\115
+\322\307\230\221\120\252\304\104\263\043\175\071\107\351\122\142
+\326\022\223\136\267\061\226\102\005\373\166\247\036\243\365\302
+\374\351\172\305\154\251\161\117\352\313\170\274\140\257\307\336
+\364\331\313\276\176\063\245\156\224\203\360\064\372\041\253\352
+\216\162\240\077\244\336\060\133\357\206\115\152\225\133\103\104
+\250\020\025\034\345\001\127\305\230\361\346\006\050\221\252\040
+\305\267\123\046\121\103\262\013\021\225\130\341\300\017\166\331
+\300\215\174\201\363\162\160\236\157\376\032\216\331\137\065\306
+\262\157\064\174\276\110\117\342\132\071\327\330\235\170\236\237
+\206\076\003\136\031\213\104\242\325\307\002\003\001\000\001\243
+\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
+\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\277
+\131\040\066\000\171\240\240\042\153\214\325\362\141\322\270\054
+\313\202\112\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\003\202\001\001\000\061\003\242\141\013\037\164\350\162
+\066\306\155\371\115\236\372\042\250\341\201\126\317\315\273\237
+\352\253\221\031\070\257\252\174\025\115\363\266\243\215\245\364
+\216\366\104\251\247\350\041\225\255\076\000\142\026\210\360\002
+\272\374\141\043\346\063\233\060\172\153\066\142\173\255\004\043
+\204\130\145\342\333\053\212\347\045\123\067\142\123\137\274\332
+\001\142\051\242\246\047\161\346\072\042\176\301\157\035\225\160
+\040\112\007\064\337\352\377\025\200\345\272\327\172\330\133\165
+\174\005\172\051\107\176\100\250\061\023\167\315\100\073\264\121
+\107\172\056\021\343\107\021\336\235\146\320\213\325\124\146\372
+\203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311
+\057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030
+\014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015
+\366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263
+\251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333
+\332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
+\005\047\216\023\241\156\302
+END
+
+# Trust for "T-TeleSec GlobalRoot Class 2"
+# Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Serial Number: 1 (0x1)
+# Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+# Not Valid Before: Wed Oct 01 10:40:14 2008
+# Not Valid After : Sat Oct 01 23:59:59 2033
+# Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
+# Fingerprint (SHA1): 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "T-TeleSec GlobalRoot Class 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\131\015\055\175\210\117\100\056\141\176\245\142\062\027\145\317
+\027\330\224\351
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\053\233\236\344\173\154\037\000\162\032\314\301\167\171\337\152
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\202\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\053\060\051\006\003\125\004\012\014\042\124\055\123\171\163
+\164\145\155\163\040\105\156\164\145\162\160\162\151\163\145\040
+\123\145\162\166\151\143\145\163\040\107\155\142\110\061\037\060
+\035\006\003\125\004\013\014\026\124\055\123\171\163\164\145\155
+\163\040\124\162\165\163\164\040\103\145\156\164\145\162\061\045
+\060\043\006\003\125\004\003\014\034\124\055\124\145\154\145\123
+\145\143\040\107\154\157\142\141\154\122\157\157\164\040\103\154
+\141\163\163\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Atos TrustedRoot 2011"
+#
+# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Serial Number:5c:33:cb:62:2c:5f:b3:32
+# Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Not Valid Before: Thu Jul 07 14:58:30 2011
+# Not Valid After : Tue Dec 31 23:59:59 2030
+# Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
+# Fingerprint (SHA1): 2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Atos TrustedRoot 2011"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157
+\163\040\124\162\165\163\164\145\144\122\157\157\164\040\062\060
+\061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
+\163\061\013\060\011\006\003\125\004\006\023\002\104\105
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157
+\163\040\124\162\165\163\164\145\144\122\157\157\164\040\062\060
+\061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
+\163\061\013\060\011\006\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\134\063\313\142\054\137\263\062
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\167\060\202\002\137\240\003\002\001\002\002\010\134
+\063\313\142\054\137\263\062\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\060\074\061\036\060\034\006\003\125\004
+\003\014\025\101\164\157\163\040\124\162\165\163\164\145\144\122
+\157\157\164\040\062\060\061\061\061\015\060\013\006\003\125\004
+\012\014\004\101\164\157\163\061\013\060\011\006\003\125\004\006
+\023\002\104\105\060\036\027\015\061\061\060\067\060\067\061\064
+\065\070\063\060\132\027\015\063\060\061\062\063\061\062\063\065
+\071\065\071\132\060\074\061\036\060\034\006\003\125\004\003\014
+\025\101\164\157\163\040\124\162\165\163\164\145\144\122\157\157
+\164\040\062\060\061\061\061\015\060\013\006\003\125\004\012\014
+\004\101\164\157\163\061\013\060\011\006\003\125\004\006\023\002
+\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\225\205\073\227\157\052\073\056\073\317\246\363\051
+\065\276\317\030\254\076\252\331\370\115\240\076\032\107\271\274
+\232\337\362\376\314\076\107\350\172\226\302\044\216\065\364\251
+\014\374\202\375\155\301\162\142\047\275\352\153\353\347\212\314
+\124\076\220\120\317\200\324\225\373\350\265\202\324\024\305\266
+\251\125\045\127\333\261\120\366\260\140\144\131\172\151\317\003
+\267\157\015\276\312\076\157\164\162\352\252\060\052\163\142\276
+\111\221\141\310\021\376\016\003\052\367\152\040\334\002\025\015
+\136\025\152\374\343\202\301\265\305\235\144\011\154\243\131\230
+\007\047\307\033\226\053\141\164\161\154\103\361\367\065\211\020
+\340\236\354\125\241\067\042\242\207\004\005\054\107\175\264\034
+\271\142\051\146\050\312\267\341\223\365\244\224\003\231\271\160
+\205\265\346\110\352\215\120\374\331\336\314\157\007\016\335\013
+\162\235\200\060\026\007\225\077\050\016\375\305\165\117\123\326
+\164\232\264\044\056\216\002\221\317\166\305\233\036\125\164\234
+\170\041\261\360\055\361\013\237\302\325\226\030\037\360\124\042
+\172\214\007\002\003\001\000\001\243\175\060\173\060\035\006\003
+\125\035\016\004\026\004\024\247\245\006\261\054\246\011\140\356
+\321\227\351\160\256\274\073\031\154\333\041\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003
+\125\035\043\004\030\060\026\200\024\247\245\006\261\054\246\011
+\140\356\321\227\351\160\256\274\073\031\154\333\041\060\030\006
+\003\125\035\040\004\021\060\017\060\015\006\013\053\006\001\004
+\001\260\055\003\004\001\001\060\016\006\003\125\035\017\001\001
+\377\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367
+\015\001\001\013\005\000\003\202\001\001\000\046\167\064\333\224
+\110\206\052\101\235\054\076\006\220\140\304\214\254\013\124\270
+\037\271\173\323\007\071\344\372\076\173\262\075\116\355\237\043
+\275\227\363\153\134\357\356\375\100\246\337\241\223\241\012\206
+\254\357\040\320\171\001\275\170\367\031\330\044\061\064\004\001
+\246\272\025\232\303\047\334\330\117\017\314\030\143\377\231\017
+\016\221\153\165\026\341\041\374\330\046\307\107\267\246\317\130
+\162\161\176\272\341\115\225\107\073\311\257\155\241\264\301\354
+\211\366\264\017\070\265\342\144\334\045\317\246\333\353\232\134
+\231\241\305\010\336\375\346\332\325\326\132\105\014\304\267\302
+\265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132
+\247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203
+\226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151
+\236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344
+\132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357
+\052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
+\035\362\376\011\021\260\360\207\173\247\235
+END
+
+# Trust for "Atos TrustedRoot 2011"
+# Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Serial Number:5c:33:cb:62:2c:5f:b3:32
+# Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+# Not Valid Before: Thu Jul 07 14:58:30 2011
+# Not Valid After : Tue Dec 31 23:59:59 2030
+# Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
+# Fingerprint (SHA1): 2B:B1:F5:3E:55:0C:1D:C5:F1:D4:E6:B7:6A:46:4B:55:06:02:AC:21
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Atos TrustedRoot 2011"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\053\261\365\076\125\014\035\305\361\324\346\267\152\106\113\125
+\006\002\254\041
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\256\271\304\062\113\254\177\135\146\314\167\224\273\052\167\126
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\074\061\036\060\034\006\003\125\004\003\014\025\101\164\157
+\163\040\124\162\165\163\164\145\144\122\157\157\164\040\062\060
+\061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
+\163\061\013\060\011\006\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\010\134\063\313\142\054\137\263\062
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 96
-#define NSS_BUILTINS_LIBRARY_VERSION "1.96"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97
+#define NSS_BUILTINS_LIBRARY_VERSION "1.97"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -49,19 +49,19 @@ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
 SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
 
 RES     = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = freebl.rc
 
 ifdef NS_USE_GCC
-OS_LIBS += -lshell32
+OS_LIBS += -ladvapi32
 else
-OS_LIBS += shell32.lib
+OS_LIBS += advapi32.lib
 endif
 
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
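Review bot: The switch from shell32 to advapi32 in both branches of `ifdef NS_USE_GCC` carries no comment saying which symbol needs the library. Judging by the win_rand.c changes in this same commit, advapi32 is now linked for `SystemFunction036` (RtlGenRandom), so a line such as `# advapi32 provides SystemFunction036 (RtlGenRandom), used by win_rand.c` above the `ifdef` would keep a later cleanup from dropping it. The enclosing `ifeq` block starts outside this hunk.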
--- a/security/nss/lib/freebl/rsapkcs.c
+++ b/security/nss/lib/freebl/rsapkcs.c
@@ -19,26 +19,24 @@
 #define RSA_BLOCK_MIN_PAD_LEN            8
 #define RSA_BLOCK_FIRST_OCTET            0x00
 #define RSA_BLOCK_PRIVATE_PAD_OCTET      0xff
 #define RSA_BLOCK_AFTER_PAD_OCTET        0x00
 
 /*
  * RSA block types
  *
- * The actual values are important -- they are fixed, *not* arbitrary.
- * The explicit value assignments are not needed (because C would give
- * us those same values anyway) but are included as a reminder...
+ * The values of RSA_BlockPrivate and RSA_BlockPublic are fixed.
+ * The value of RSA_BlockRaw isn't fixed by definition, but we are keeping
+ * the value that NSS has been using in the past.
  */
 typedef enum {
-    RSA_BlockUnused = 0,    /* unused */
     RSA_BlockPrivate = 1,   /* pad for a private-key operation */
     RSA_BlockPublic = 2,    /* pad for a public-key operation */
-    RSA_BlockRaw = 4,       /* simply justify the block appropriately */
-    RSA_BlockTotal
+    RSA_BlockRaw = 4        /* simply justify the block appropriately */
 } RSA_BlockType;
 
 /* Needed for RSA-PSS functions */
 static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
 
 /* Constant time comparison of a single byte.
  * Returns 1 iff a == b, otherwise returns 0.
  * Note: For ranges of bytes, use constantTimeCompare.
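Review bot: The new comment above `RSA_BlockType` says the values of `RSA_BlockPrivate` and `RSA_BlockPublic` are fixed, but not by what. They appear to be the PKCS #1 v1.5 block-type octets (01 and 02), so I would write `* RSA_BlockPrivate and RSA_BlockPublic are the block type octets defined by PKCS #1 v1.5.` to make the source of the constraint explicit. With `RSA_BlockUnused` and `RSA_BlockTotal` gone, any `switch` on this type elsewhere in the file (not visible in this hunk) should keep a `default` arm that fails the operation.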
--- a/security/nss/lib/freebl/sysrand.c
+++ b/security/nss/lib/freebl/sysrand.c
@@ -3,28 +3,31 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "seccomon.h"
 
+#ifndef XP_WIN
 static size_t rng_systemFromNoise(unsigned char *dest, size_t maxLen);
+#endif
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unix_rand.c"
 #endif
 #ifdef XP_WIN
 #include "win_rand.c"
 #endif
 #ifdef XP_OS2
 #include "os2_rand.c"
 #endif
 
+#ifndef XP_WIN
 /*
  * Normal RNG_SystemRNG() isn't available, use the system noise to collect
  * the required amount of entropy.
  */
 static size_t 
 rng_systemFromNoise(unsigned char *dest, size_t maxLen) 
 {
    size_t retBytes = maxLen;
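Review bot: The `#ifndef XP_WIN` opened before the `rng_systemFromNoise` definition is closed by a bare `#endif` at the end of the file (in the following hunk), far from its opener and with no stated reason. Label it `#endif /* !XP_WIN */` and add a one-line comment at the guard giving the reason: `rng_systemFromNoise` calls `rng_systemJitter()`, which win_rand.c stops defining in this commit. The body of `rng_systemFromNoise` continues past the end of this hunk.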
@@ -38,9 +41,9 @@ rng_systemFromNoise(unsigned char *dest,
 	maxLen -= nbytes;
 
 	/* some hw op to try to introduce more entropy into the next
 	 * RNG_GetNoise call */
 	rng_systemJitter();
    }
    return retBytes;
 }
-
+#endif
--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -1,31 +1,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secrng.h"
-#include "secerr.h"
 
 #ifdef XP_WIN
 #include <windows.h>
-#include <shlobj.h>     /* for CSIDL constants */
 #include <time.h>
-#include <io.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdio.h>
-#include "prio.h"
-#include "prerror.h"
-
-static PRInt32  filesToRead;
-static DWORD    totalFileBytes;
-static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
-static DWORD    dwNumFiles, dwReadEvery, dwFileToRead;
-static PRBool   usedWindowsPRNG;
 
 static BOOL
 CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
 {
     LARGE_INTEGER   liCount;
 
     if (!QueryPerformanceCounter(&liCount))
         return FALSE;
@@ -79,178 +65,16 @@ size_t RNG_GetNoise(void *buf, size_t ma
     time(&sTime);
     nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
     memcpy(((char *)buf) + n, &sTime, nBytes);
     n += nBytes;
 
     return n;
 }
 
-typedef PRInt32 (* Handler)(const PRUnichar *);
-#define MAX_DEPTH 2
-#define MAX_FOLDERS 4
-#define MAX_FILES 1024
-
-static void
-EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) 
-{
-    int                 iContinue;
-    unsigned int        uFolders  = 0;
-    unsigned int        uFiles    = 0;
-    HANDLE              lFindHandle;
-    WIN32_FIND_DATAW    fdData;
-    PRUnichar           szFileName[_MAX_PATH];
-
-    if (maxDepth < 0)
-    	return;
-    // append *.* so we actually look for files.
-    _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir);
-    szFileName[_MAX_PATH - 1] = L'\0';
-
-    lFindHandle = FindFirstFileW(szFileName, &fdData);
-    if (lFindHandle == INVALID_HANDLE_VALUE)
-        return;
-    do {
-	iContinue = 1;
-	if (wcscmp(fdData.cFileName, L".") == 0 ||
-            wcscmp(fdData.cFileName, L"..") == 0) {
-	    // skip "." and ".."
-	} else {
-	    // pass the full pathname to the callback
-	    _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, 
-		       fdData.cFileName);
-	    szFileName[_MAX_PATH - 1] = L'\0';
-	    if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
-		if (++uFolders <= MAX_FOLDERS)
-		    EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
-	    } else {
-		iContinue = (++uFiles <= MAX_FILES) && !(*func)(szFileName);
-	    }
-	}
-	if (iContinue)
-	    iContinue = FindNextFileW(lFindHandle, &fdData);
-    } while (iContinue);
-    FindClose(lFindHandle);
-}
-
-static BOOL
-EnumSystemFiles(Handler func)
-{
-    PRUnichar szSysDir[_MAX_PATH];
-    static const int folders[] = {
-    	CSIDL_BITBUCKET,  
-	CSIDL_RECENT,
-	CSIDL_INTERNET_CACHE, 
-	CSIDL_HISTORY,
-	0
-    };
-    int i = 0;
-    if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) {
-        if (i > 0 && szSysDir[i-1] == L'\\')
-	    szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash
-        EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
-    }
-    for(i = 0; folders[i]; i++) {
-        DWORD rv = SHGetSpecialFolderPathW(NULL, szSysDir, folders[i], 0);
-        if (szSysDir[0])
-            EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
-        szSysDir[0] =  L'\0';
-    }
-    return PR_TRUE;
-}
-
-static PRInt32
-CountFiles(const PRUnichar *file)
-{
-    dwNumFiles++;
-    return 0;
-}
-
-static int
-ReadSingleFile(const char *filename)
-{
-    PRFileDesc *    file;
-    unsigned char   buffer[1024];
-
-    file = PR_Open(filename, PR_RDONLY, 0);
-    if (file != NULL) {
-	while (PR_Read(file, buffer, sizeof buffer) > 0)
-	    ;
-        PR_Close(file);
-    }
-    return (file != NULL);
-}
-
-static PRInt32
-ReadOneFile(const PRUnichar *szFileName)
-{
-    char narrowFileName[_MAX_PATH];
-
-    if (dwNumFiles == dwFileToRead) {
-	int success = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-					  narrowFileName, _MAX_PATH, 
-					  NULL, NULL);
-	if (success)
-	    success = ReadSingleFile(narrowFileName);
-    	if (!success)
-	    dwFileToRead++; /* couldn't read this one, read the next one. */
-    }
-    dwNumFiles++;
-    return dwNumFiles > dwFileToRead;
-}
-
-static PRInt32
-ReadFiles(const PRUnichar *szFileName)
-{
-    char narrowFileName[_MAX_PATH];
-
-    if ((dwNumFiles % dwReadEvery) == 0) {
-	++filesToRead;
-    }
-    if (filesToRead) {
-	DWORD prevFileBytes = totalFileBytes;
-	int   iContinue     = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-						  narrowFileName, _MAX_PATH, 
-						  NULL, NULL);
-	if (iContinue) {
-	    RNG_FileForRNG(narrowFileName);
-	}
-	if (prevFileBytes < totalFileBytes) {
-	    --filesToRead;
-	}
-    }
-    dwNumFiles++;
-    return (totalFileBytes >= maxFileBytes);
-}
-
-static void
-ReadSystemFiles(void)
-{
-    // first count the number of files
-    dwNumFiles = 0;
-    if (!EnumSystemFiles(CountFiles))
-        return;
-
-    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
-
-    // now read the first 10 readable files, then 10 or 11 files
-    // spread throughout the system directory
-    filesToRead = 10;
-    if (dwNumFiles == 0)
-        return;
-
-    dwReadEvery = dwNumFiles / 10;
-    if (dwReadEvery == 0)
-        dwReadEvery = 1;  // less than 10 files
-
-    dwNumFiles = 0;
-    totalFileBytes = 0;
-    EnumSystemFiles(ReadFiles);
-}
-
 void RNG_SystemInfoForRNG(void)
 {
     DWORD           dwVal;
     char            buffer[256];
     int             nBytes;
     MEMORYSTATUS    sMem;
     HANDLE          hVal;
     DWORD           dwSerialNum;
@@ -303,96 +127,33 @@ void RNG_SystemInfoForRNG(void)
     if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, 
                          &dwNumClusters)) {
         RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
         RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
         RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
         RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
     }
 
-    // Skip the potentially slow file scanning if the OS's PRNG worked.
-    if (!usedWindowsPRNG)
-	ReadSystemFiles();
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-static void rng_systemJitter(void)
-{   
-    dwNumFiles = 0;
-    EnumSystemFiles(ReadOneFile);
-    dwFileToRead++;
-    if (dwFileToRead >= dwNumFiles) {
-	dwFileToRead = 0;
-    }
-}
-
-
-void RNG_FileForRNG(const char *filename)
-{
-    FILE*           file;
-    int             nBytes;
-    struct stat     stat_buf;
-    unsigned char   buffer[1024];
-
-    /* windows doesn't initialize all the bytes in the stat buf,
-     * so initialize them all here to avoid UMRs.
-     */
-    memset(&stat_buf, 0, sizeof stat_buf);
-
-    if (stat((char *)filename, &stat_buf) < 0)
-        return;
-
-    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-
-    file = fopen((char *)filename, "r");
-    if (file != NULL) {
-        for (;;) {
-            size_t  bytes = fread(buffer, 1, sizeof(buffer), file);
-
-            if (bytes == 0)
-                break;
-
-            RNG_RandomUpdate(buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > maxFileBytes)
-                break;
-        }
-
-        fclose(file);
-    }
-
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
 
 /*
- * Windows XP and Windows Server 2003 and later have RtlGenRandom,
- * which must be looked up by the name SystemFunction036.
+ * The RtlGenRandom function is declared in <ntsecapi.h>, but the
+ * declaration is missing a calling convention specifier. So we
+ * declare it manually here.
  */
-typedef BOOLEAN
-(APIENTRY *RtlGenRandomFn)(
+#define RtlGenRandom SystemFunction036
+DECLSPEC_IMPORT BOOLEAN WINAPI RtlGenRandom(
     PVOID RandomBuffer,
     ULONG RandomBufferLength);
 
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
-    HMODULE hModule;
-    RtlGenRandomFn pRtlGenRandom;
     size_t bytes = 0;
 
-    usedWindowsPRNG = PR_FALSE;
-    hModule = LoadLibrary("advapi32.dll");
-    if (hModule == NULL) {
-	return bytes;
+    if (RtlGenRandom(dest, maxLen)) {
+	bytes = maxLen;
     }
-    pRtlGenRandom = (RtlGenRandomFn)
-	GetProcAddress(hModule, "SystemFunction036");
-    if (pRtlGenRandom && pRtlGenRandom(dest, maxLen)) {
-	bytes = maxLen;
-	usedWindowsPRNG = PR_TRUE;
-    }
-    FreeLibrary(hModule);
     return bytes;
 }
 #endif  /* is XP_WIN */
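Review bot: `RNG_SystemRNG` passes a `size_t` `maxLen` to `RtlGenRandom`, whose second parameter is declared `ULONG` a few lines above, and then reports `bytes = maxLen`. On a 64-bit Windows build a request larger than the `ULONG` range would be narrowed in the call while the function still claims the full length was filled, leaving the tail of `dest` without random data. Guard the call, `if (maxLen <= ULONG_MAX && RtlGenRandom(dest, (ULONG)maxLen)) {` (ULONG_MAX needs `<limits.h>`), so an oversized request returns 0. Since the file-scanning fallback is removed in this commit, callers (outside this hunk) have to treat a 0 return as a hard failure.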
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -571,17 +571,19 @@ PKIX_ERRORENTRY(ILLEGALUSEOFAMP,Illegal 
 PKIX_ERRORENTRY(IMPOSSIBLECRITERIONFORCRLQUERY,Impossible criterion for Crl Query,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(INDEXOUTOFBOUNDS,Index out of bounds,SEC_ERROR_LIBPKIX_INTERNAL),
 PKIX_ERRORENTRY(INESCAPEDASCII,in EscapedASCII,0),
 PKIX_ERRORENTRY(INFOACCESSCREATEFAILED,pkix_pl_InfoAccess_Create failed,0),
 PKIX_ERRORENTRY(INFOACCESSCREATELISTFAILED,pkix_pl_InfoAccess_CreateList failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONFAILED,PKIX_PL_InfoAccess_GetLocation failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONTYPEFAILED,PKIX_PL_InfoAccess_GetLocationType failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETMETHODFAILED,PKIX_PL_InfoAccess_GetMethod failed,0),
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED,pkix_pl_InfoAccess_ParseLocation failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+#endif
 PKIX_ERRORENTRY(INFOACCESSPARSETOKENSFAILED,pkix_pl_InfoAccess_ParseTokens failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
 PKIX_ERRORENTRY(INITIALIZECHECKERSFAILED,pkix_InitializeCheckers failed,0),
 PKIX_ERRORENTRY(INITIALIZEFAILED,PKIX_PL_Initialize failed,0),
 PKIX_ERRORENTRY(INPUTLISTMUSTBEHEADER,Input List must be header,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(INPUTLISTSMUSTBELISTHEADERS,Input Lists must be list headers,SEC_ERROR_INVALID_ARGS),
 PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCERTQUERY,Insufficient criteria for Cert query,0),
 PKIX_ERRORENTRY(INSUFFICIENTCRITERIAFORCRLQUERY,Insufficient criteria for Crl Query,0),
 PKIX_ERRORENTRY(INTRUSTEDCERT,in Trusted Cert,0),
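Review bot: Wrapping `PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED, …)` in `#ifndef NSS_PKIX_NO_LDAP` removes an entry from the middle of the list. If this list is expanded into an enum and a parallel string table, as the macro form suggests, every code after it shifts by one when the flag is set, so all translation units that include the header must be built with the same setting. A comment at the guard would record that: `/* Entry count depends on NSS_PKIX_NO_LDAP; define it consistently for every file that includes this header. */`. Keeping the entry unconditionally and compiling out only its users would avoid the dependency.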
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -1264,29 +1264,33 @@ PKIX_PL_Cert_AreCertPoliciesCritical(
  *  does nothing.
  *
  * PARAMETERS:
  *  "cert"
  *      Address of Cert whose subject names are to be checked.
  *      Must be non-NULL.
  *  "nameConstraints"
  *      Address of CertNameConstraints that need to be satisfied.
+ *  "treatCommonNameAsDNSName"
+ *      PKIX_TRUE if the subject common name should be considered a dNSName
+ *      when evaluating name constraints.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a Cert Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_Cert_CheckNameConstraints(
         PKIX_PL_Cert *cert,
         PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean treatCommonNameAsDNSName,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_PL_Cert_MergeNameConstraints
  * DESCRIPTION:
  *
  *  Merges the CertNameConstraints pointed to by "firstNC" and the
  *  CertNameConstraints pointed to by "secondNC" and stores the merged
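Review bot: The new `treatCommonNameAsDNSName` paragraph does not say what happens to the common name when the flag is PKIX_FALSE, or whether the common name is still checked when the certificate carries dNSName subject alternative names. Both matter to a caller deciding which value to pass. The implementation is not in this hunk, so the text should be completed from it, e.g. `PKIX_FALSE leaves the common name out of dNSName constraint checking.` if that is what it does. The added parameter also changes the signature of `PKIX_PL_Cert_CheckNameConstraints`, so any caller not updated in this commit will fail to compile.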
@@ -1822,17 +1826,19 @@ PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert
 
 #define PKIX_INFOACCESS_OCSP          1
 #define PKIX_INFOACCESS_CA_ISSUERS    2
 #define PKIX_INFOACCESS_TIMESTAMPING  3
 #define PKIX_INFOACCESS_CA_REPOSITORY 5
 
 #define PKIX_INFOACCESS_LOCATION_UNKNOWN 0
 #define PKIX_INFOACCESS_LOCATION_HTTP    1
+#ifndef NSS_PKIX_NO_LDAP
 #define PKIX_INFOACCESS_LOCATION_LDAP    2
+#endif
 
 /*
  * FUNCTION: PKIX_PL_InfoAccess_GetMethod
  * DESCRIPTION:
  *
  *  Stores the method of the Information Access from "infoAccess" and
  *  returns in "pMethod".
  *
--- a/security/nss/lib/libpkix/include/pkix_sample_modules.h
+++ b/security/nss/lib/libpkix/include/pkix_sample_modules.h
@@ -112,16 +112,17 @@ PKIX_PL_CollectionCertStore_Create(
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_Pk11CertStore_Create(
         PKIX_CertStore **pPk11CertStore,
         void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 /* PKIX_PL_LdapCertStore
  *
  * A PKIX_PL_LdapCertStore retrieves certificates and CRLs from an LDAP server
  * over a socket connection. It used the LDAP protocol as described in RFC1777.
  *
  * Once the caller has created the LdapCertStore object, the caller can call
  * pkix_pl_LdapCertStore_GetCert or pkix_pl_LdapCertStore_GetCert to obtain
  * a List of PKIX_PL_Certs or PKIX_PL_CRL objects, respectively.
@@ -244,16 +245,17 @@ PKIX_PL_LdapDefaultClient_CreateByName(
  *  Returns a CertStore Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_LdapCertStore_Create(
         PKIX_PL_LdapClient *client,
         PKIX_CertStore **pCertStore,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /* PKIX_PL_NssContext
  *
  * A PKIX_PL_NssContext provides an example showing how the "plContext"
  * argument, that is part of every libpkix function call, can be used.
  * The "plContext" is the Portability Layer Context, which can be used
  * to communicate layer-specific information from the application to the
  * underlying Portability Layer (while bypassing the Portable Code, which
--- a/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
+++ b/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
@@ -420,19 +420,23 @@ pkix_CertSelector_Match_NameConstraints(
         PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_Match_NameConstraints");
         PKIX_NULLCHECK_THREE(params, cert, pResult);
 
         PKIX_CHECK(PKIX_ComCertSelParams_GetNameConstraints
                 (params, &nameConstraints, plContext),
                 PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
 
         if (nameConstraints != NULL) {
-
+                /* As only the end-entity certificate should have
+                 * the common name constrained as if it was a dNSName,
+                 * do not constrain the common name when building a
+                 * forward path.
+                 */
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, nameConstraints, plContext),
+                    (cert, nameConstraints, PKIX_FALSE, plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 
 cleanup:
         if (PKIX_ERROR_RECEIVED) {
             *pResult = PKIX_FALSE;
         }
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c
@@ -162,41 +162,44 @@ pkix_NameConstraintsChecker_Check(
         PKIX_List *unresolvedCriticalExtensions,
         void **pNBIOContext,
         void *plContext)
 {
         pkix_NameConstraintsCheckerState *state = NULL;
         PKIX_PL_CertNameConstraints *nameConstraints = NULL;
         PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
         PKIX_Boolean selfIssued = PKIX_FALSE;
+        PKIX_Boolean lastCert = PKIX_FALSE;
 
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
         PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
 
         *pNBIOContext = NULL; /* we never block on pending I/O */
 
         PKIX_CHECK(PKIX_CertChainChecker_GetCertChainCheckerState
                     (checker, (PKIX_PL_Object **)&state, plContext),
                     PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
 
         state->certsRemaining--;
+        lastCert = state->certsRemaining == 0;
 
         /* Get status of self issued */
         PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
                     PKIX_ISCERTSELFISSUEDFAILED);
 
         /* Check on non self-issued and if so only for last cert */
         if (selfIssued == PKIX_FALSE ||
-            (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
+            (selfIssued == PKIX_TRUE && lastCert)) {
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, state->nameConstraints, plContext),
+                    (cert, state->nameConstraints, lastCert,
+                      plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 
-        if (state->certsRemaining != 0) {
+        if (!lastCert) {
 
             PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
                     (cert, &nameConstraints, plContext),
                     PKIX_CERTGETNAMECONSTRAINTSFAILED);
 
             /* Merge with previous name constraints kept in state */
 
             if (nameConstraints != NULL) {
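Review bot: `lastCert` now does two jobs in pkix_NameConstraintsChecker_Check, and the second one is undocumented. It gates the self-issued case and it is also passed as the new boolean argument of PKIX_PL_Cert_CheckNameConstraints, which elsewhere in this commit is named `treatCommonNameAsDNSName`. A comment above the call would make the policy explicit, e.g. `/* Only the last (end-entity) cert has its subject CN constrained as a dNSName. */`. The existing comment "Check on non self-issued and if so only for last cert" reads the wrong way round, and the condition can be reduced to `if (!selfIssued || lastCert) {`. The function body continues past the end of the hunk.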
--- a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
+++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
@@ -364,17 +364,21 @@ PKIX_TrustAnchor_CreateWithCert(
             PKIX_PL_Cert_SetAsTrustAnchor(cert, plContext),
             PKIX_CERTSETASTRUSTANCHORFAILED);
 
         PKIX_INCREF(cert);
         anchor->trustedCert = cert;
 
         anchor->caName = NULL;
         anchor->caPubKey = NULL;
-        anchor->nameConstraints = NULL;
+
+        PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (anchor->trustedCert, &anchor->nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
 
         *pAnchor = anchor;
         anchor = NULL;
 
 cleanup:
 
         PKIX_DECREF(anchor);
 
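Review bot: Removing `anchor->nameConstraints = NULL;` leaves the field unset if PKIX_PL_Cert_GetNameConstraints fails before storing a result, and PKIX_CHECK then jumps to `cleanup`, where `PKIX_DECREF(anchor)` runs. The neighbouring `caName` and `caPubKey` fields are still cleared by hand, which suggests the allocation is not relied on to be zeroed. If the anchor's destructor releases `nameConstraints` (not visible here), it could act on an indeterminate pointer. Keeping `anchor->nameConstraints = NULL;` immediately before the PKIX_CHECK costs nothing and removes the dependency on the callee's failure behaviour. The function starts and ends outside this hunk.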
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.h
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.h
@@ -6,17 +6,19 @@
  *
  * Header file for buildChain function
  *
  */
 
 #ifndef _PKIX_BUILD_H
 #define _PKIX_BUILD_H
 #include "pkix_tools.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapt.h"
+#endif
 #include "pkix_ekuchecker.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 typedef enum {
         BUILD_SHORTCUTPENDING,
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/config.mk
@@ -8,8 +8,28 @@
 #  are specifed as dependencies within rules.mk.
 #
 
 TARGETS        = $(LIBRARY)
 SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
+ifdef NSS_PKIX_NO_LDAP
+LDAP_HEADERS =
+LDAP_CSRCS =
+else
+LDAP_HEADERS = \
+	pkix_pl_ldapt.h \
+	pkix_pl_ldapcertstore.h \
+	pkix_pl_ldapresponse.h \
+	pkix_pl_ldaprequest.h \
+	pkix_pl_ldapdefaultclient.h \
+ 	$(NULL)
+ 
+LDAP_CSRCS = \
+	pkix_pl_ldaptemplates.c \
+	pkix_pl_ldapcertstore.c \
+	pkix_pl_ldapresponse.c \
+	pkix_pl_ldaprequest.c \
+	pkix_pl_ldapdefaultclient.c \
+ 	$(NULL)
+endif
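Review bot: The two `$(NULL)` terminator lines and the separator between the lists begin with a space (space-then-tab, and a space-only line), unlike the tab-only entries above them. Make accepts this, but it is inconsistent and easy to break in a later edit. Separately, `ifdef NSS_PKIX_NO_LDAP` tests a make variable while the C sources in this commit test a preprocessor macro of the same name. Nothing in this hunk adds `-DNSS_PKIX_NO_LDAP` to DEFINES, so presumably another makefile does. A one-line comment such as `# Must match -DNSS_PKIX_NO_LDAP in DEFINES` would help keep the two in step.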
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
@@ -7,40 +7,32 @@ CORE_DEPTH = ../../../..
 EXPORTS = \
 	$(NULL)
 
 PRIVATE_EXPORTS = \
 	pkix_pl_aiamgr.h \
 	pkix_pl_colcertstore.h \
 	pkix_pl_httpcertstore.h \
 	pkix_pl_httpdefaultclient.h \
-	pkix_pl_ldapt.h \
-	pkix_pl_ldapcertstore.h \
-	pkix_pl_ldapresponse.h \
-	pkix_pl_ldaprequest.h \
-	pkix_pl_ldapdefaultclient.h \
+	$(LDAP_HEADERS) \
 	pkix_pl_nsscontext.h \
 	pkix_pl_pk11certstore.h \
 	pkix_pl_socket.h \
 	$(NULL)
 
 MODULE = nss
 
 DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
 
 
 CSRCS = \
 	pkix_pl_aiamgr.c \
 	pkix_pl_colcertstore.c \
 	pkix_pl_httpcertstore.c \
 	pkix_pl_httpdefaultclient.c \
-	pkix_pl_ldaptemplates.c \
-	pkix_pl_ldapcertstore.c \
-	pkix_pl_ldapresponse.c \
-	pkix_pl_ldaprequest.c \
-	pkix_pl_ldapdefaultclient.c \
+	$(LDAP_CSRCS) \
 	pkix_pl_nsscontext.c \
 	pkix_pl_pk11certstore.c \
 	pkix_pl_socket.c \
 	$(NULL)
 
 LIBRARY_NAME = pkixmodule
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
@@ -6,16 +6,17 @@
  *
  * AIAMgr Object Definitions
  *
  */
 
 #include "pkix_pl_aiamgr.h"
 extern PKIX_PL_HashTable *aiaConnectionCache;
 
+#ifndef NSS_PKIX_NO_LDAP
 /* --Virtual-LdapClient-Functions------------------------------------ */
 
 PKIX_Error *
 PKIX_PL_LdapClient_InitiateRequest(
         PKIX_PL_LdapClient *client,
         LDAPRequestParams *requestParams,
         void **pNBIO,
         PKIX_List **pResponse,
@@ -46,16 +47,17 @@ PKIX_PL_LdapClient_ResumeRequest(
         PKIX_CHECK(client->resumeFcn
                 (client, pNBIO, pResponse, plContext),
                 PKIX_LDAPCLIENTRESUMEREQUESTFAILED);
 cleanup:
 
         PKIX_RETURN(LDAPCLIENT);
 
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /* --Private-AIAMgr-Functions----------------------------------*/
 
 /*
  * FUNCTION: pkix_pl_AIAMgr_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_pki.h)
  */
 static PKIX_Error *
@@ -76,17 +78,19 @@ pkix_pl_AIAMgr_Destroy(
         /* pointer to cert cache */
         /* pointer to crl cache */
         aiaMgr->method = 0;
         aiaMgr->aiaIndex = 0;
         aiaMgr->numAias = 0;
         PKIX_DECREF(aiaMgr->aia);
         PKIX_DECREF(aiaMgr->location);
         PKIX_DECREF(aiaMgr->results);
+#ifndef NSS_PKIX_NO_LDAP
         PKIX_DECREF(aiaMgr->client.ldapClient);
+#endif
 
 cleanup:
 
         PKIX_RETURN(AIAMGR);
 }
 
 /*
  * FUNCTION: pkix_pl_AIAMgr_RegisterSelf
@@ -109,16 +113,17 @@ pkix_pl_AIAMgr_RegisterSelf(void *plCont
 
         entry->description = "AIAMgr";
         entry->typeObjectSize = sizeof(PKIX_PL_AIAMgr);
         entry->destructor = pkix_pl_AIAMgr_Destroy;
 
         PKIX_RETURN(AIAMGR);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 /*
  * FUNCTION: pkix_pl_AiaMgr_FindLDAPClient
  * DESCRIPTION:
  *
  *  This function checks the collection of LDAPClient connections held by the
  *  AIAMgr pointed to by "aiaMgr" for one matching the domain name given by
  *  "domainName". The string may include a port number: e.g., "betty.nist.gov"
  *  or "nss.red.iplanet.com:1389". If a match is found, that LDAPClient is
@@ -207,16 +212,17 @@ pkix_pl_AiaMgr_FindLDAPClient(
         *pClient = (PKIX_PL_LdapClient *)client;
 
 cleanup:
 
         PKIX_DECREF(domainString);
 
         PKIX_RETURN(AIAMGR);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 PKIX_Error *
 pkix_pl_AIAMgr_GetHTTPCerts(
         PKIX_PL_AIAMgr *aiaMgr,
 	PKIX_PL_InfoAccess *ia,
 	void **pNBIOContext,
 	PKIX_List **pCerts,
         void *plContext)
@@ -383,16 +389,17 @@ cleanup:
         }
         if (path) {
             PORT_Free(path);
         }
 
         PKIX_RETURN(AIAMGR);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *
 pkix_pl_AIAMgr_GetLDAPCerts(
         PKIX_PL_AIAMgr *aiaMgr,
 	PKIX_PL_InfoAccess *ia,
 	void **pNBIOContext,
 	PKIX_List **pCerts,
         void *plContext)
 {
@@ -491,16 +498,17 @@ cleanup:
         if (PKIX_ERROR_RECEIVED) {
 	        PKIX_DECREF(aiaMgr->client.ldapClient);
 	}
 
         PKIX_DECREF(location);
 
         PKIX_RETURN(AIAMGR);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /*
  * FUNCTION: PKIX_PL_AIAMgr_Create
  * DESCRIPTION:
  *
  *  This function creates an AIAMgr, storing the result at "pAIAMgr".
  *
  * PARAMETERS:
@@ -627,20 +635,22 @@ PKIX_PL_AIAMgr_GetAIACerts(
                 PKIX_CHECK(PKIX_PL_InfoAccess_GetLocationType
                         (ia, &iaType, plContext),
                         PKIX_INFOACCESSGETLOCATIONTYPEFAILED);
 
                 if (iaType == PKIX_INFOACCESS_LOCATION_HTTP) {
 			PKIX_CHECK(pkix_pl_AIAMgr_GetHTTPCerts
 				(aiaMgr, ia, &nbio, &certs, plContext),
 				PKIX_AIAMGRGETHTTPCERTSFAILED);
+#ifndef NSS_PKIX_NO_LDAP
                 } else if (iaType == PKIX_INFOACCESS_LOCATION_LDAP) {
 			PKIX_CHECK(pkix_pl_AIAMgr_GetLDAPCerts
 				(aiaMgr, ia, &nbio, &certs, plContext),
 				PKIX_AIAMGRGETLDAPCERTSFAILED);
+#endif
                 } else {
                         /* We only support http and ldap requests. */
                         PKIX_DECREF(ia);
                         continue;
                 }
 
                 if (nbio != NULL) { /* WOULDBLOCK */
                         aiaMgr->aiaIndex = aiaIndex;
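Review bot: With NSS_PKIX_NO_LDAP defined, the fallback branch's comment "We only support http and ldap requests." is no longer true. An ldap AIA location is then skipped by the `continue` with no trace. Suggest rewording it to `/* We only support http requests (and ldap unless NSS_PKIX_NO_LDAP). */`. A debug message for skipped locations would also help when diagnosing chains that fail to build in no-LDAP builds. PKIX_PL_AIAMgr_GetAIACerts begins and ends outside this hunk.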
@@ -672,16 +682,18 @@ PKIX_PL_AIAMgr_GetAIACerts(
         *pCerts = aiaMgr->results;
         aiaMgr->results = NULL;
 
 cleanup:
 
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(aiaMgr->aia);
                 PKIX_DECREF(aiaMgr->results);
+#ifndef NSS_PKIX_NO_LDAP
                 PKIX_DECREF(aiaMgr->client.ldapClient);
+#endif
         }
 
         PKIX_DECREF(certs);
         PKIX_DECREF(ia);
 
         PKIX_RETURN(AIAMGR);
 }
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h
@@ -22,40 +22,44 @@ struct PKIX_PL_AIAMgrStruct {
         /* pointer to crl cache */
         PKIX_UInt32 method;
         PKIX_UInt32 aiaIndex;
         PKIX_UInt32 numAias;
         PKIX_List *aia;
         PKIX_PL_GeneralName *location;
         PKIX_List *results;
 	union {
+#ifndef NSS_PKIX_NO_LDAP
 	        PKIX_PL_LdapClient *ldapClient;
+#endif
 		struct {
 		        const SEC_HttpClientFcn *httpClient;
 			SEC_HTTP_SERVER_SESSION serverSession;
 			SEC_HTTP_REQUEST_SESSION requestSession;
 			char *path;
 		} hdata;
 	} client;
 };
 
 /* see source file for function documentation */
 
 PKIX_Error *pkix_pl_AIAMgr_RegisterSelf(void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *PKIX_PL_LdapClient_InitiateRequest(
         PKIX_PL_LdapClient *client,
         LDAPRequestParams *requestParams,
         void **pPollDesc,
         PKIX_List **pResponse,
         void *plContext);
 
 PKIX_Error *PKIX_PL_LdapClient_ResumeRequest(
         PKIX_PL_LdapClient *client,
         void **pPollDesc,
         PKIX_List **pResponse,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _PKIX_PL_AIAMGR_H */
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3130,37 +3130,41 @@ cleanup:
 /*
  * FUNCTION: PKIX_PL_Cert_CheckNameConstraints
  * (see comments in pkix_pl_pki.h)
  */
 PKIX_Error *
 PKIX_PL_Cert_CheckNameConstraints(
         PKIX_PL_Cert *cert,
         PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean treatCommonNameAsDNSName,
         void *plContext)
 {
         PKIX_Boolean checkPass = PKIX_TRUE;
         CERTGeneralName *nssSubjectNames = NULL;
         PLArenaPool *arena = NULL;
 
         PKIX_ENTER(CERT, "PKIX_PL_Cert_CheckNameConstraints");
         PKIX_NULLCHECK_ONE(cert);
 
         if (nameConstraints != NULL) {
 
                 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
                 if (arena == NULL) {
                         PKIX_ERROR(PKIX_OUTOFMEMORY);
                 }
 
-                /* This NSS call returns both Subject and  Subject Alt Names */
+                /* This NSS call returns Subject Alt Names. If
+                 * treatCommonNameAsDNSName is true, it also returns the
+                 * Subject Common Name
+                 */
                 PKIX_CERT_DEBUG
                     ("\t\tCalling CERT_GetConstrainedCertificateNames\n");
                 nssSubjectNames = CERT_GetConstrainedCertificateNames
-                        (cert->nssCert, arena, PR_TRUE);
+                        (cert->nssCert, arena, treatCommonNameAsDNSName);
 
                 PKIX_CHECK(pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
                         (nssSubjectNames,
                         nameConstraints,
                         &checkPass,
                         plContext),
                         PKIX_CERTNAMECONSTRAINTSCHECKNAMESPACENSSNAMESFAILED);
 
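Review bot: The rewritten comment above CERT_GetConstrainedCertificateNames now mentions only Subject Alt Names and, conditionally, the Common Name. The old wording said the call returns the Subject as well, and the directoryName cases added to nameconstraints.cfg in this commit (server9, server13) suggest the subject DN is still constrained. Suggest `/* Returns the Subject name and the Subject Alt Names; if treatCommonNameAsDNSName is true, the Subject CN is also returned as a dNSName. */`, to be confirmed against the NSS function. Callers also need to know that passing PKIX_FALSE leaves a CN-only host name unconstrained, which belongs in the pkix_pl_pki.h description of the new parameter. The function body continues past the hunk.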
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -476,34 +476,37 @@ PKIX_PL_InfoAccess_GetLocationType(
                 PKIX_TOSTRING(infoAccess->location, &locationString, plContext,
                     PKIX_GENERALNAMETOSTRINGFAILED);
 
                 PKIX_CHECK(PKIX_PL_String_GetEncoded
                     (locationString, PKIX_ESCASCII, &location, &len, plContext),
                     PKIX_STRINGGETENCODEDFAILED);
 
                 PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n");
+#ifndef NSS_PKIX_NO_LDAP
                 if (PORT_Strncmp(location, "ldap:", 5) == 0){
                         type = PKIX_INFOACCESS_LOCATION_LDAP;
                 } else
+#endif
                 if (PORT_Strncmp(location, "http:", 5) == 0){
                         type = PKIX_INFOACCESS_LOCATION_HTTP;
                 }
         }
 
         *pType = type;
 
 cleanup:
 
         PKIX_PL_Free(location, plContext);
         PKIX_DECREF(locationString);
 
         PKIX_RETURN(INFOACCESS);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 /*
  * FUNCTION: pkix_pl_InfoAccess_ParseTokens
  * DESCRIPTION:
  *
  *  This function parses the string beginning at "startPos" into tokens using
  *  the separator contained in "separator" and the terminator contained in
  *  "terminator", copying the tokens into space allocated from the arena
  *  pointed to by "arena". It stores in "tokens" a null-terminated array of
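Review bot: The `#ifndef` block in PKIX_PL_InfoAccess_GetLocationType ends on a dangling `} else`, so the `http:` test is an else-branch in LDAP builds and a standalone `if` otherwise. That compiles, but it is fragile, since any statement added between `#endif` and the `if` changes meaning in only one configuration. Because the two prefix tests are mutually exclusive, the http test can come first and the ldap test can become a self-contained `else if` inside the guard. The function starts outside this hunk.

```c
                if (PORT_Strncmp(location, "http:", 5) == 0) {
                        type = PKIX_INFOACCESS_LOCATION_HTTP;
                }
#ifndef NSS_PKIX_NO_LDAP
                else if (PORT_Strncmp(location, "ldap:", 5) == 0) {
                        type = PKIX_INFOACCESS_LOCATION_LDAP;
                }
#endif
```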
@@ -863,8 +866,9 @@ pkix_pl_InfoAccess_ParseLocation(
 
 cleanup:
 
         PKIX_PL_Free(locationAscii, plContext);
         PKIX_DECREF(locationString);
 
         PKIX_RETURN(INFOACCESS);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h
@@ -27,21 +27,23 @@ struct PKIX_PL_InfoAccessStruct{
 PKIX_Error *pkix_pl_InfoAccess_RegisterSelf(void *plContext);
 
 PKIX_Error *
 pkix_pl_InfoAccess_CreateList(
         CERTAuthInfoAccess **authInfoAccess,
         PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
         void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *
 pkix_pl_InfoAccess_ParseLocation(
         PKIX_PL_GeneralName *generalName,
         PLArenaPool *arena,
         LDAPRequestParams *request,
         char **pDomainName,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* _PKIX_PL_INFOACCESS_H */
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h
@@ -33,17 +33,19 @@
 #include "prio.h"
 
 /* NSPR headers */
 #include "nspr.h"
 
 /* private PKIX_PL_NSS system headers */
 #include "pkix_pl_object.h"
 #include "pkix_pl_string.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapt.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_aiamgr.h"
 #include "pkix_pl_bigint.h"
 #include "pkix_pl_oid.h"
 #include "pkix_pl_x500name.h"
 #include "pkix_pl_generalname.h"
 #include "pkix_pl_publickey.h"
 #include "pkix_pl_bytearray.h"
 #include "pkix_pl_date.h"
@@ -57,19 +59,21 @@
 #include "pkix_pl_crldp.h"
 #include "pkix_pl_crl.h"
 #include "pkix_pl_crlentry.h"
 #include "pkix_pl_nameconstraints.h"
 #include "pkix_pl_ocsprequest.h"
 #include "pkix_pl_ocspresponse.h"
 #include "pkix_pl_pk11certstore.h"
 #include "pkix_pl_socket.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapcertstore.h"
 #include "pkix_pl_ldaprequest.h"
 #include "pkix_pl_ldapresponse.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_nsscontext.h"
 #include "pkix_pl_httpcertstore.h"
 #include "pkix_pl_httpdefaultclient.h"
 #include "pkix_pl_infoaccess.h"
 #include "pkix_sample_modules.h"
 
 #define MAX_DIGITS_32 (PKIX_UInt32) 10
 
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -199,19 +199,21 @@ PKIX_PL_Initialize(
         pkix_BasicConstraintsCheckerState_RegisterSelf(plContext);
         pkix_PolicyCheckerState_RegisterSelf(plContext);
 
         pkix_pl_CollectionCertStoreContext_RegisterSelf(plContext); /* 41-50 */
         pkix_CrlChecker_RegisterSelf(plContext);
         pkix_ForwardBuilderState_RegisterSelf(plContext);
         pkix_SignatureCheckerState_RegisterSelf(plContext);
         pkix_NameConstraintsCheckerState_RegisterSelf(plContext);
+#ifndef NSS_PKIX_NO_LDAP
         pkix_pl_LdapRequest_RegisterSelf(plContext);
         pkix_pl_LdapResponse_RegisterSelf(plContext);
         pkix_pl_LdapDefaultClient_RegisterSelf(plContext);
+#endif
         pkix_pl_Socket_RegisterSelf(plContext);
 
         pkix_ResourceLimits_RegisterSelf(plContext); /* 51-59 */
         pkix_pl_MonitorLock_RegisterSelf(plContext);
         pkix_pl_InfoAccess_RegisterSelf(plContext);
         pkix_pl_AIAMgr_RegisterSelf(plContext);
         pkix_OcspChecker_RegisterSelf(plContext);
         pkix_pl_OcspCertID_RegisterSelf(plContext);
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h
@@ -28,20 +28,22 @@
 #include "pkix_pl_date.h"
 #include "pkix_pl_basicconstraints.h"
 #include "pkix_pl_certpolicyinfo.h"
 #include "pkix_pl_certpolicymap.h"
 #include "pkix_pl_certpolicyqualifier.h"
 #include "pkix_pl_crlentry.h"
 #include "pkix_pl_crl.h"
 #include "pkix_pl_colcertstore.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapcertstore.h"
 #include "pkix_pl_ldapdefaultclient.h"
 #include "pkix_pl_ldaprequest.h"
 #include "pkix_pl_ldapresponse.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_socket.h"
 #include "pkix_pl_infoaccess.h"
 #include "pkix_store.h"
 #include "pkix_error.h"
 #include "pkix_logger.h"
 #include "pkix_list.h"
 #include "pkix_trustanchor.h"
 #include "pkix_procparams.h"
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,20 +28,20 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.15.5" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.16" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
-#define NSS_VMINOR   15
-#define NSS_VPATCH   5
+#define NSS_VMINOR   16
+#define NSS_VPATCH   0
 #define NSS_VBUILD   0
 #define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -2007,17 +2007,27 @@ s_open(const char *directory, const char
 	    error = CKR_HOST_MEMORY;
 	    goto loser;
 	}
     }
 #endif
 
     /* how long does it take to test for a non-existant file in our working
      * directory? Allows us to test if we may be on a network file system */
-    accessOps = sdb_measureAccess(directory);
+    accessOps = 1;
+    {
+        char *env;
+        env = PR_GetEnv("NSS_SDB_USE_CACHE");
+        /* If the environment variable is set to yes or no, sdb_init() will
+         * ignore the value of accessOps, and we can skip the measuring.*/
+        if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
+                     (PORT_Strcasecmp(env, "yes") != 0))){
+           accessOps = sdb_measureAccess(directory);
+        }
+    }
 
     /*
      * open the cert data base
      */
     if (certdb) {
 	/* initialize Certificate database */
 	error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate,
 			 newInit, flags, accessOps, certdb);
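Review bot: Skipping sdb_measureAccess in s_open is only safe while sdb_init reads NSS_SDB_USE_CACHE with the same case-insensitive "yes"/"no" test, and that code is not in this hunk. If the two checks drift apart, sdb_init would act on the placeholder `accessOps = 1` as though it were a measurement. Either factor the test into one shared helper or extend the comment to name the sdb_init code it mirrors. The anonymous block can also go by declaring `const char *env = PR_GetEnv("NSS_SDB_USE_CACHE");` with the other locals, if PR_GetEnv's return type allows it. s_open starts and ends outside the hunk.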
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.15.5" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.16" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR   3
-#define SOFTOKEN_VMINOR   15
-#define SOFTOKEN_VPATCH   5
+#define SOFTOKEN_VMINOR   16
+#define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
 #define SOFTOKEN_BETA     PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -1343,20 +1343,23 @@ ssl_ImportFD(PRFileDesc *model, PRFileDe
     	return NULL;
 
     rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
     if (rv != PR_SUCCESS) {
 	ssl_FreeSocket(ns);
 	SET_ERROR_CODE
 	return NULL;
     }
-    ns = ssl_FindSocket(fd);
-    PORT_Assert(ns);
-    if (ns)
-	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
+#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
+    {
+	sslSocket * ss = ssl_FindSocket(fd);
+	PORT_Assert(ss == ns);
+    }
+#endif
+    ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
     return fd;
 }
 
 PRFileDesc *
 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
 {
     return ssl_ImportFD(model, fd, ssl_variant_stream);
 }
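Review bot: The debug-only block in ssl_ImportFD exists just to hold one assertion. If PORT_Assert expands to nothing in builds without DEBUG or FORCE_PR_ASSERT, as the guard implies, then `PORT_Assert(ssl_FindSocket(fd) == ns);` says the same thing in one line, with no `#if` and no extra local. It would also help to add `/* ns was pushed onto fd above, so it cannot be NULL here */` before the `ns->TCPconnected` assignment, because the runtime `if (ns)` guard has been removed. The function begins outside this hunk.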
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,20 +14,20 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.15.5 Beta"
+#define NSSUTIL_VERSION  "3.16 Beta"
 #define NSSUTIL_VMAJOR   3
-#define NSSUTIL_VMINOR   15
-#define NSSUTIL_VPATCH   5
+#define NSSUTIL_VMINOR   16
+#define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
 #define NSSUTIL_BETA     PR_TRUE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
--- a/security/nss/tests/chains/scenarios/nameconstraints.cfg
+++ b/security/nss/tests/chains/scenarios/nameconstraints.cfg
@@ -2,21 +2,152 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 scenario TrustAnchors
 
 db trustanchors
 
 import NameConstraints.ca:x:CT,C,C
+import NameConstraints.ncca:x:CT,C,C
+# Name Constrained CA:  Name constrained to permited DNSName ".example"
 
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server1:x
   cert NameConstraints.intermediate:x
   result fail
 
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
 verify NameConstraints.server2:x
   cert NameConstraints.intermediate:x
   result fail
 
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
 verify NameConstraints.server3:x
   cert NameConstraints.intermediate:x
   result pass
 
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server5:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+#                 Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+#                 and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+#  Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+#  Fail: CN not in name constraints
+verify NameConstraints.server10:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+#   Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+#   Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3.
+#                 Intermediate 5's subject is not in Intermediate 3's permitted
+#                 names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+#   Fail: Org matches Intermediate 5's name constraints, but does not match
+#         Intermediate 3' name constraints
+verify NameConstraints.server13:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+#  Fail: Matches Intermediate 5's name constraints, but fails because
+#        Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+#                 No name constraints present
+#                 Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server16:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+  cert NameConstraints.intermediate6:x
+  result pass
+
+
+
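Review bot: The explanatory comments for server13 and server14 refer to "Intermediate 5's name constraints", yet Intermediate 5 is described a few lines earlier as having no name constraints. Presumably its subject (O=OtherOrg) is meant, so server13 could read `#   Fail: Org matches Intermediate 5's subject, but not Intermediate 3's name constraints`. The server14 comment should likewise say what the O=Foo subject actually matches. Small typos in the added comments are worth fixing too: "permited" should be "permitted" (twice) and "Intermediate 3' name constraints" should be "Intermediate 3's". The expected results are the only statement of the intended CN-versus-SAN policy on this page, so the wording matters.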
index 9e859a0aa00112279ac86c30416915f18bccff52..6d2e8469dd5565cd2be6e184a713807506fae355
GIT binary patch
literal 626
zc$_n6V#+gUV!Xb9nTe5!iILHOmyJ`a&7<u*FC!x>D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4$ab81XLn8wd14APtQ;R5ZUL#~Kom|m4AKCYe
ztPISJy$lA8olK353^x`f#!P7{S?h4|)wW%io_g~Ay2EkMfKTq!rrSF2TU43rC2kwN
zxhYZFYqY0r@~cTb#~&?KNoi*8l%Kw8nNxQ365e%zU16IySnymk+P;uAcw=chk8zm>
zli5SQ8`;Yf%+#uH&Ro3lZQ|0ucYKT&WE98moA#jc=&1tD$$`Ad<_Av}GBGnUFfKMQ
z&;xp%Goj6cvF(QwBO?n7GZO>50T0kKvcfE^2F#3%{|&f7JbsWABO6+DG6Q`wQ(ILl
z(Q0kE)1)`dx7$4wSGJ`$*v-5ve0^200Hbd$v-X8P=I#yKEx1*LN?a#Qow@DW+(){*
zH2NdMr4PDHUvR_Vva?0TbWMlzDv6pozPT#@ie*f6_wmYff6jT$bN#}xn4(jTB?ggG
e=1yga%=(pj>PuTu*Mi7xhN^2{XnnXCJ{17L?ZZa^
index 6fe77d198a640ce72c1b15c1d42235fb749fdc7e..a310aa1acd189597bb386504888c3bbf2bf334f0
GIT binary patch
literal 662
zc$_n6Vwz;o#Q1vwGZP~d6QhU$FB_*;n@8JsUPeY%RtAF<Lv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$6fqD2i7^Xv19=J|sl_D<&W;9h;=G0?28ISeY-D6=5hc!RWNe7w8st#f6*2}=
z5LXC;T;Z8ll3J9Tnv$7Vk_vK7<9y^$U}R-rZtP_+XzXNaY-BjZ_xQFz_0&0s8IHY{
z+IBg|bbG+=5Pdt2lszoF{+Hjql>FI!&q?tZ$GEe+SN^jlEmao}zmdQDY3`Qg(w79p
zxG$V$zV~CV^<Uw>@O+sa8^o7csg)=nzW0ddbdh*0kIKIDrPgosg5`foFYb?<|141C
z;4ihfsTpBWh0Xg_7AswE5oTg$WMEwEW8ei00?vds55~41PK=B!EX+&{>|jsH%CP{0
zX92$fZxe@JYDHphK~8D|BZC1CNKTlA)qt6i@xK8#h{q4o#>j>i<;*}|HYzb%%-p@k
zkfC1Op6N|qbhVl3S)Rw*;V*BV_`|(6Lix1Yyy@#i8@?>~v_?_r_0mXH&$EdddO7^w
z<~z3qO`56iGJTVc<E!QBg|`={3Lg&O3O})1<&3zM`t|o!AJ!cc&WqY)b#HTX`Oax+
c>vpaB`o&O)>7WYN%3?!{|JxtP>wee^06zrIJpcdz
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..fc4b7c1c1b13e50bceb9e66e6ac3a8e7402e6b16
GIT binary patch
literal 644
zc$_n6VrnpGVtl!PnTe5!iBZ&mmyJ`a&7<u*FC!x>D}zCfA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?W${0w2#F&MJfjkAzypq(S+|-oJ#FA76XGa4$ab81XLn8wd14APtQ;R5ZUL$0#
zK^~P|BWEB3ag8Vz*C-enG|op34@Oo7=EhzIgT_v##zuyNZ$k>!t^9uSOtw{N#rD-H
z#lk-?PKoKzEJ)0|xZ-?TNv4R<D$$Hh-2!s6?N6WmFQ_H_E|0zW)25=${q@TOQY}_4
z-k$o6Z%P}V*R11NjHy$WEALR^;R(riR@8DfiMDY)xsUts7uV??TK*4?NA`)I{+B4M
zrk<ef6g*X0d-Ao(^-Ro+42+8n4D^73z?snI!Pxf0iII_og_((g-GB$^Em>g}Rs&{6
z#{UM~ARa$RijfU1f|-Fn(a7q3bgm)9{rtq>`u}|Dt~E(zw_7TGML!rNX<JR1^1M=B
z`X=**^NRobGLMOA&bZhS6j-#-<ITgmrnkAL6ZI|!>(AGyeAkwewW9f+;q9-p?`@v8
zBrSiNqITF-gA?fzznc!N{21VR`BvK!Kcfb(!j!8@!lnM78zmic6sC&WUwQ}tCZx+&
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..051e55e560daa28af0883e70aa6be06d324a4e22
GIT binary patch
literal 716
zc$_n6Vme{a#ALXDnTe5!iBZ&mmyJ`a&7<u*FC!x>D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4$ab80c149EKHZn4`h!W>DGB!kT4RWdM3Rweb
zh$}=uuJFt&NiE7vP036wNd>yb*r0JfaxgHmGB7vxG8i;=GBq|bJgnU_+sN>HsfgT$
zj(J!7d!`%ZeZG_UFnaQljIs;DtyxKbH`cu}^qQ{f*|6AW?d)foyfb7T`)b@-XHs*2
zYMH=lh6d3~2@bxx8`ZweJ;$T=KS=xHu4P#^V)IzJbaU3X|4iC2%UQ(6V||*t%T=ZS
z&N=m*9?!0PHJ!ohrO%WirsvAU%*epFxUs>Y4j2fW32h#XZ9kkC8Ch7EnHbm&{D9t)
zm1A)?a9!YRAkf5}mY=VeT9KGrkdxZL$Y7wqM9V+}DJ)BiVH^%&rsPCJ9s@2&STVch
z=YurxfXowSVKrc8Wc+Wy4dU^GtYTzCODN31pb=g--%o;(?S9Vh)X0EY>8z#-DK&3n
zX5YANzcF_E#*Uo3OKvlyZB|#DX4CAp;GRsg@x{Ar{~Jyxi~XF#T*Ii!Zo2)d${+nN
znojyJ0+TYo-hTUE(emk=I8GhizHsv&3StkUGe3I0pYubj^Ly5e(!25ZtS#ye%BvO2
M>xsQL>i50~05~7j-T(jq
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..6e7efd53e3a8cceb376c976a68361fddff4b1ead
GIT binary patch
literal 607
zc$_n6Vv06sVmz{dnTe5!iP6@8myJ`a&7<u*FC!x>D}zC<A-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?W${I+6#F&LefIJ1yypq(S+|-oJ#FA76XGdcLIdNV?V?!eY69YpdBU6hgab6>2
zu7L-tbD$g!VJ2rsLmmSzh;__v`T2%&1~L$fM6p<;U}VrZAK9yntPISJy$lA8olK35
z410LqFF&dwlC*5fO3k&CYZUgTooSrrpd2XwZtBr~jTKVg>&o(%S#I8L)ZGyJYgJn3
z9K-ivatd$D=DVf~Ci9)Vwd2X+jj#5JJ$S-tbUJpD(WBiDN)|ksm8_(2TV#c+*AmX2
z<r8{~jM;B4ZMt3|{l3Jy?R1rA533gUUe?#YR{lSr&BV;ez_{4JKo1z&oC$3njBP)h
z7#Ueun3)*Z4S0awk`-oQHDG3B{BOVw;_-u|7}?O`jv43^mp>VA<Yk02ql>wCPb`y3
zmj5)Z{_PEyhsRYkc06pJb5t-o^L2r5U))4pe&gqgC!~xgTKTMQ{69<n#gtzkJ{+0d
z{nmd;W9`;7-RCR*2|i<NHFUGQX=?E2SnM1NQG*%hwOg`h3rzK~n02!3Y1GQ~Ino`m
Tp~1K2Pvm*Vr_9-V@s}U~9p%JC
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..823eccc05435bb5a0a07d4968b767cda82a11489
GIT binary patch
literal 612
zc$_n6VoES*Vm!HknTe5!iP6r0myJ`a&7<u*FC!x>D}zC<A-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?W${I+6#F&LefIJ1yypq(S+|-oJ#FA76XGdcLIdNV?V?!eY69YpdBU8&Lab6>2
zu7NMAbD$g!VJ2rsLqP+6h;<zPB^jwj{zd7Aat1OG+eES0reI{yI3L-+jI0dIjlB#8
zjh#%5jSTN~V|-nIhOl$933uc&Z+^jbP9l)m|50j~+G^Gx%UAD@G%I|*)OX^InZ6O5
ziq3T<1Uz0AV`unMu5AC2AN&;)QW9G4*sXb6u;C?BnRYAZ{u$58!q+}Y{(I`_o5=#k
z@haQxX8dUSEbw3B<DP)I#WySuTvqwGj4yf5jsK78y%uV|uVrFpWMEuuV4w#Ka?XS{
z55~41PK=B!EX+&{>;^nQZ^;U?uo^HkGX6K<2J!eoQjBb95y%Ym$(?AYXE!HGc5gg#
zSvFk!Lh>bx+?sTDm;Hejr;~J(mQ{#1E$Dt+dMV&yemTF+tyddo3t5GoNM75vs*Axa
z=54F1YFoo+i#OW(>1C1|GMK+s&VL+v_X)q)3g1)F({Hz!O&6^{oq0?9`5vE77Y}mr
X$tEY9+{tu)Yl^Zy_Z;Icxo`^rq-w@m
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..a2f17054ed2db8ca6c764ae24b48be9641837ef7
GIT binary patch
literal 611
zc$_n6Vv09tVmz^cnTe5!iP7GGmyJ`a&7<u*FC!x>D}zC<A-4f18*?ZNn=n&oFpR??
z%;fB7C}to6;;;+z`sSDBl_X~7DTHOFmKzEg2!O=7ggKr3-9v*F{DOlGRSlFuV$8xa
zK%RnMVs5H}bADcNNfA(2YKlToetwC9v!j8WIIp3xp^<@!fuWI+sb!QnuMslWzz2_W
z1P%Bh)^hllWTY1P7o{7@8c0KI6#?1mnOBlpl$)B8nOFj}-O<dTaXzwl8Ce;a8+#cH
z8atU98yU`D(Xp{P5g+z-*2$)eA|5M*MGgnMe)!<7w(3xlWp=1^$c@voc5hgpD@aQm
zxV22{bHJQKy?ZMs^q!4bdxDjd<ww-=;E-9|OFaLn^?Xy2i<h_}+GQD<`TCboxyGB*
zn{K~ne>HD$Vc|yY%vB0g0-sq`a4;HvOFtkcl;ZnjuawU3!%WPK42+8n4D<{H**Fv0
zJQ&-4I59G^urM<*up96IeI+Z*!fL?G$oSuY8^q%WNinja#UC@!Cr0yj@K_Y9D3w}<
zo?3Ts>dp)EZyyqIKeypgKWqM#>4(?Hh|g)d5@6ZP?s=wo=i7(x))ejvtq!aW5_g?)
z+cWpX9xh*dp>OlAd!A&Ta75L@pzvO^*T;>ooin_4PxuoVxNuoN^WL8AMoDJzP9Jvt
Zvpm_>efXzX!xHtUhqGHMqxM<p0s!L7#kBwc
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ecb24c7d5006ded15e110714f0cc3c70bdebbfcb
GIT binary patch
literal 672
zc$_n6Vwz*n#KgLQnTe4JhzxkyIJMe5+P?ELGP1HV7~~pq8*s8QhqAB<Gld4jI2^)E
z&W?s+1|lF1yD+bBeraAwVrHH~SY~Rup^$+9NSsTU)5+gGG+4neIM`6tKp7;)EGz@$
zDflJkrYbn+=M|R}0d=LOC<Nu_mnb+p8pw(B8k!gw8UV48k*Q^rIIoehA%aV9=QPeo
z4i83F2Ij_I27|^<rp88wNB53AUe5V=b8Eq~TYJ{4XdGBG(_-DLokmN;=gO3`sT?WH
zOfH`8;$k}gk$GY7-uEoNXBHT8|GAwTQE*Zt(c;^#Q_}DF9&VXgF}0%jQMzL8%1>UJ
zGKpM@JQoXiE&fa`ZS{QM{XjZ%S}*(0b%meLtC}pll)U?b>NNgC%jyrg+rE`%VrFDu
zT<l}uWgy7Lnb79J*!IJTk&%UknTdhjKnmzPSveMA1HlFS2E0uidZ`tOxdl0?4U7y1
zJRmt?7FGjhM#ldJ+#nu5NE;&?TI4eWec2LnI)*D*gym*_@-?MS*NMj0KBpaFI}?9l
z;+z+05l1`i1v1`nq&2WU`lfnQRN`yb>_X-B4VAAKPf@#`5a45d->pFZN?`8JM{B}0
zw2mIpl|FI0*E!2?h5B6Ym2=nyFZspIxc!FdQOUA~m3x0PKPumQUzul@_CA+q3b}s2
IDjoey0315hO8@`>
index 23088d1c82019e05069245854dfa1dff568048c9..60e8a1c698539c2806b32be68cbf65644fe8bb84
GIT binary patch
literal 660
zc$_n6Vwzyk#Q1XoGZP~d6QhO!FB_*;n@8JsUPeY%RtAF{Lv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$lrfM3i7^Wc19=Lbc_pbuxv43ci6yBD&W;9h;=G0?21W)Z28KpPrWR4+yhg?b
zmT;~?DwSO$Y9I`84NpmGafx1LUK!Aw6obb3$icwK%D~*%%V5yh$<)}$@WOnq%B%g7
zee*&B=ej4P?%t(-SH3Xe(vb$okjHD^Pn^5r!!g&jxxd)hQWviEQq@;HRNT$*=(y4}
zf%>~1%N<pC`t0XyiMf~XI^b5>Q^(hlt7djN{@hS$b2I$=4uPcjZFgmRzP0Sn3@??v
znII;4!L6^dgF&>F>(=ov4K7M*FYdN7F*7nSF7`BVHxLIpT~?4qz<{p_)%k*KoC$3n
zjBP)h7#Ueun3>oP81R793NtePXJIm6FyIF9_(4+4JJ2GW8R*3tU7MGsN_y{&kC>^j
zr0i3<dxJ$FpqAU6J8oHVE3e@aN5#v57Weal7aseT|MAPcmjM>3J&Y417?o`pA9buh
zpU;1*=UTx@2FuT_8a;=51fHfxi{(hq^|?`f>#5>Ajk$#({u^4teNNO)ESYALUi>X8
Vb@x>%11C;{L(}$ZhwhCl0RWap(CGjG
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..21d9e876799ac65ec5deb3c584aee2e9b5cf4ac9
GIT binary patch
literal 560
zc$_n6V$v~aVw}2wnTe5!iBZRZmyJ`a&7<u*FC!x>D}#ZDA-4f18*?ZNn=n&oFpR??
z%;fB7$Ya0-;&2HwyXEH_${EOjc+A40e!;;Co_QsyMY*XdnTaK-3eJuSMh0@?yoM$Q
zMg}GZhDJuFmQmuoM#ct~aIS$J(Kd+~2tjP(PD(7&ORY%EEyzhVXq=Dic1BhP=EhzI
zgT_v##zuxYhd!JttC=$|Md#=(zd-RArI^RZPU+0pxL7jyyb|}eZC1O_ocWPzUaD81
z@hQ#bO!Os_YPR-oHP=1wb%dM#-xS@sVTxg1H|L+{mCx?oTIRbm(DMyvhSr&h`vb3V
zPM(y$HS_wcqkCGMoeOyOKPdCzc;Ed;wpPL<`Of<->4tWpH+-3x85tNC8yM&r2(ob|
zw0SVL{cvJrWMN@uVmn~K1N4lnFeBrC7A6A*18xwHA0)-R11&O`fj;5&;n;pEuVSic
zj)~t~(Z=`$%a+8r`IgMfmv?Xem87=n{p#MwNm_<R7c?XnC>`wgc*Hm%fLS)ON{03B
z9o=?`OUCLK6V#6-Z20+a(dkta)W2rBP1$(-M`VoC#ba)X87EaDlvMw!gzG$rx+-N<
ZU+R-?{;AKs@#(cA&FfNEC>2dU0RS0Kw*mkF
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..c458c8ce73bbe8eec153983fa92ef314bc6d7947
GIT binary patch
literal 585
zc$_n6VsbTTVqCX?nTe5!iBZ>pmyJ`a&7<u*FC!x>D}#ZDA-4f18*?ZNn=n&oFpR??
z%;fB7$Ya0-;&2HwyXEH_${EOjc+A40e!;;Co_QsyMY*XdnTaK-3eJuSMh0@?yoM$Q
zMg}GZhDJuFmQmuoM#ct~aIS$p(Kd-12t#b*Db6fO)l02N%q_@CHE5iV?08022Ij_I
z27|^<rp88wZEnjq_i6t35H69{nm(^b*K4NrG%saq=2F&Es{`2Cw{KptL4)VT<>_x!
zjMtv|5)cx@-MXqHOMT0e6(T$?yS8mA(|vbpSG?k*H%ImIzlYyio-f|?IxN_Q%WhjS
zJ2S)Y|DU)v&4{SkY##5+I)&+8Sk{M=dP-tuG98Cly{C41t(wln%*epF*u%ihKn&<~
zSwR+l1KuX?wETRy>jl|36WTl&+kQAPGP1BRGqD{o-~lNWW@P-&!eqc;zzyQ@gQS>u
zpv4k1(1(eNiQY%F#kQHg%)D&9&*AA>P9YPmnYt4%Y`ost^*!QL<jI{SZ>Dd#<+LT&
zV)m^Vze%yIx4)lt@=#%3JZDkhxx`6-6hsU1Ua95XpFQ=0V4POkj(fRB*8k(~l5V#@
qW%M^;x$>Ue%)^!!G!umGw|DN`tv~O#eB+)gkDQu+h=lI376kxgh`N^m
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..1a4e6fec2a9bb5267f6919e27a72ba594dcb0b41
GIT binary patch
literal 562
zc$_n6V$w5cVw}E!nTe5!iBZphmyJ`a&7<u*FC!x>D}#ZDA-4f18*?ZNn=n&oFpR??
z%;fB7$Ya0-;&2HwyXEH_${EOjc+A40e!;;Co_QsyMY*XdnTaK-3eJuSMh0@?yoM$Q
zMg}GZhDJuFmQmuoM#ct~aIS#^(Kd-0h(K)O^~ldlEiO@TOwIsWWzaYu+4YR949tza
z3<iyzOpT2UM`NSHy_%mc-C<fY)#=K{g%A9*<hmL9H%&8fdiWq}gJI8R&ST<CQ?}i4
zIHalMtK5)2`(2lkLA<PpUEkLoyMHX%y3^~%#B=Kt%_=Ske=2yK7!}q#<%Yka<(J4e
z2fBJ$ozt%!IcKi(<Ycu1^B-Z=Bhpn*k1(3wymnahs`C78M*c6Em>C%u7aJJp83?j*
zCbW4lw*7EoWMpAsW@0;FzytJ-tS}?ve-<VK1_N#oj~^t(yaO#dn1Mbi{A3`KCcgD)
z(EUAs)c;HtWpLWhm#?(-(3JS+XKD_MPU5OAJL;F+@S9a<zs|JWC8w)=?#p*|n&`PF
z2JH^o_;kt1U7fdk=PmlXOaJUTm5IA}J~Lm^V0ovg?Q|x$Uuk=bfcNaDRVzHs`5Z{T
b-u=+(TwVX`gG?-GYlF<PMDGTBhcW;F1Maui
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..8b7295fb28789b1f73ea9cb69488384bec30e2e5
GIT binary patch
literal 574
zc$_n6VzM%5VqCm{nTe5!iBZ#lmyJ`a&7<u*FC!x>D}#ZrA-4f18*?ZNn=n&oFpR??
z%;fB7C}_YB;&2Ib_?Kj)7Wo&Y8_F5TfP|QZMg4+<6+H7wQj2m^Q!*1vQWcyX6^snz
z#CZ)(42%p+3=EBoOf93td5w$>Ea6-OchanrFc5=S$Dfo~qL-GRua{bpm|KvOYS1_z
z*(Z#w49tza3<iyzOpT2U*V$j}`y#G>a^HqIvm5t^<cay|3a^Um?|3&O|M!=orE`Pk
zKjumPvF2sy_UoRWx2|o`_fB7H-JYBHs;%|>m-&Ym-r(K#Q((@gV)er5wo2@8_DpUS
zoUh69+Uab@v3p_9rbioV<QthsMlfFf)&5HO{<|mBC3vsN{gCjNdBs(K;y{Nk6Eh<N
z<6;8?Jp(~D&V)7(#<m|$jEpQS%uH+t40wPZk`-oT{LjK<z+k`);_-u|n0KH>4KvUu
z4oX+=^V&H!Uq124KCNTol}#;-b``!mww)K6a^p=z)UjO)pC$&$9%K{R@M!k5x@TQ=
zHk)7DUgff0z~<V1Z*BR1li#}+%QuKl=yy&k&aFSkQKWNI`@?y)+gy<=rmkP~e1232
kr-Dk=%7m(-cO9P{Pk$|Bo*XBX_Ic0L-nSkz@(x=903bxdg#Z8m
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..8a989f996ad6ad5f84d1946d521da448a2608746
GIT binary patch
literal 574
zc$_n6VzM%5VqCm{nTe5!iHY%*0WTY;R+~rLcV0$DR#pZBUqfyKPB!LH7B*p~&|nyc
zLzv0g(NNHUAH?Aj=I}4cNG<X&N;i}<kO2uX3yb;%2P=5ym82Hsrlw>jmZT~;J1Q6%
z$cghBniv=vm>3uu8JSu}iSrs68(6}*25xw)<1yfZSjX&^pKmB*AO*2WI596DWW8Qm
ze!gC6MPhD2PO3rUd}NO>vNA9?_A(eWb}}_KG8|dc&o1e$A-lBfwnfDig_#E)-78ph
zt(ar}kK-q%A5*?2oH#A^hNxU=tI3od2D02!N(>j8TvD0M@I^W|P9y8*7Z;U?Pp?~#
zi8MS9)vcZyB*dg@s~fB0WfT2Z+`=Y)v*mW{ed{$p{c0^^{cu43?ZIaU_r_!;?!Hx?
z5o3Ff`TzZ|Ow5c7jEfBn^b7>qI1}1D7~6h0F*35SFf*|oFyH}tN>-SW@jnZb0fPZI
zh{q3-V%~ukGt5Ar2u?in|78BP6}Lq9{i@eB+R$Bp=tiN|g<k1%0-dF9AEPfe-;C+o
zA~D}PgJ0y?Q=wDl$sBy_iI0mHvmZ?7c1$z59<X=cve%B4d`#CZEbPB1UtFh|{3_`4
vQKOT;FRCb{zkQkM5^M8XQ%g%*Ec@q&6YTcsiLruvgO|@=+0s<fnjr`Pl1;iz
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..69d057c9ad703542fd9b36bd8788aae1b8e8a40d
GIT binary patch
literal 634
zc$_n6Vk$FeV!XeAnTe5!iP6D;myJ`a&7<u*FC!x>D}#ZLA-4f18*?ZNn=n&oFpR??
z%;fB7C}_YB;&2Ib_?Kj)7Wo&Y8_F6;gM^rcMf`$;6+H7wQj2m^Q!*1vQWcyX%?#wk
zc@0erj0{W+42_ITEu+MFjf@Q};ar0ZRNI6N1R=I@IVa|1rsWsqWhNSm8Hj)c*@bz1
z^Gowe5;OA@!ZK6K4TTH@Ag<wb@^=pnRscG{P{KeA;vD{x)Z&t~{CvI4yfUCsDF%)6
zk$uX@%D~*%%V5yh$<)}$uzPRs(chkyE6?|M|J_=>bM}N%o6|XG47}DW$M!|3@6HjG
zeQ~ySvTRuATyOskj?)gZ&)(pF;f%}Ib&3-tTz1bmpQN6Cl;hiinAaBD*C!p6@wwm7
zusL6Rit|m?kKT%}*t|_;`WAket8g*r>W$!5lk=x^zvrx7elBt4+cf6_o=clUnV1<F
z7#I5(co|3mT`w!h0t|;H3?B%xaVE5RFt+`0Vq|1tVP;}GV88=XF3iaIpM}YQ!GIgY
z;|EDG??8)IW}q(}qL<g7>X6WBW;ygUi}!v?zomR<ZtdI`a=B*552z_fnOtvROBVdQ
zVqc?>{DccH-V|H>J;c@%f9=6p-|y@G8|be(urn|Afy5PC*T<<T3+@=5ntc7>?AC_z
uKQi;VV{6nz*|m?YW2l+Je~&-zee;43IZJXAT-iF8FWYhW!R5X?;XeV(B+~W(
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0b24d7abb5179de92dfa1ea1693f53025037c355
GIT binary patch
literal 612
zc$_n6VoES*Vm!HknTe5!iP6!3myJ`a&7<u*FC!x>D}#ZLA-4f18*?ZNn=n&oFpR??
z%;fB7C}_YB;&2Ib_?Kj)7Wo&Y8_F6;gM^rcMf`$;6+H7wQj2m^Q!*1vQWcyX%?#wk
zc@0erj0{W+42_ITEu+MFjf@Q};ar0}RNI6N1R=I@IVa|1rsWsqWhNSm8Hj)c*@bz1
z^Gowe5;OA@!ZK6K4TTH@Ag<wb@^=pnRscG{P|iRG>>M7^#Jqfv8{<n-i%X34GV{uS
z2BsJ^&PVnyBP#=QV=se2V<%H%Bg4lJ=fk62Q=JrD5>)@MN-y|!k7t9%nG>O(6PLQg
z{hoR04!`>9<d2~TH9sEAxbK%X{rr^IsyZ9`^(OC_>gutzp0Bs__6BRyv$xi6vpsP@
zpYP>tBbjw8f3a}ST)uDStsi>Vy_tDmwST`nORYKbiestcUyD^r5tDq^KArxk)JOaC
zotI3^j0}v64Gi>vfxwy2=E2zZ!-<iRg@u`k?SKIf&|9*?jEw(Tm<$*UxIsLAkQDO{
zv<PGd`h;0rTqjc8Rd-(JG^do=tq!Gzem6L@Q|6rvI9gpYUzfAGxNV|eX&RHBjd7!z
zLdN?vKgR17(MyiCTv9u`&*q8A9lIGP3)j38KE1x|hk~(5_>}IeJOSI3UPOIwVi&Si
oTDhv&<xBeR&fN#r-#NkjKd&WB_%F9&%>ureRwdUz=q85%0REWBe*gdg
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..2fc9437cd1bec3c99d2fbc3713ca5a7a5487f4be
GIT binary patch
literal 630
zc$_n6Vk$CdV!XY8nTe5!iP6b`myJ`a&7<u*FC!x>D}#ZLA-4f18*?ZNn=n&oFpR??
z%;fB7C}_YB;&2Ib_?Kj)7Wo&Y8_F6;gM^rcMf`$;6+H7wQj2m^Q!*1vQWcyX%?#wk
zc@0erj0{W+42_ITEu+MFjf@Q};ar0>RNI6N1R=I@IVa|1rsWsqWhNSm8Hj)c*@bz1
z^Gowe5;OA@!ZK6K4TTH@Ag<wb@^=pnRscExrj}Wlw<NW=#6&N(A~ClhC)J>FKC(X<
zSs9ocdl?KGJDD0A8SZ<_Fz4)Ab9Y+LeDf0dRA-5I4^{;~<bKCnx2x;Nv;+L-6F1fE
zI=}6aThh(d$|*dP1b$C?da|Sa|3UX7&y`i@NZ++LU;A>g57*Xkm+A}89&=CC`jpEP
zx%%b}S3gBAY2CluJ#YAE+@7{dk0ZTYVs2NX(5-|EhN%~4oI5MI_1x>4>rBjy42+At
z3_J`ZfNqx+WB~?q6Po)4**Fv0JQ&-4I59G^urM>R9WdYlDHdjA{LjK<z+k`);_-u|
zn0KH>DKpTI=dC8DF&CV89C%y!pIhCM>Dy<8T)EJ`&1~a_v~|S_Y2k0v(#2d1>$(4&
zda&{E+U8e6XPGlzUOH8`)*>xkL(OIX2Cq`~Wxu~n%KsPOB_W+Dw~~D?^XeDkkC<nd
se)o0u6Wfx+7yI}`$UK3wveWYqF57l|ns1Ke=MLUTrTcB`D}`190KoLmlK=n!
index feac1139294801703731fb01204b5de0165fae2d..1c6e5510dd8bfd2dfbcf5c3c20f5245dc7444cbc
GIT binary patch
literal 643
zc$_n6VyZW2VtlcHnTe5!iBZ#lmyJ`a&7<u*FC!x>D}zCfA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?W${0w2#F&MJfjkAzypq(S+|-oJ#FA76XGa4$ab80c10w?y14APtQ;R5ZUL#`z
zOE}jcm&&e@HIN3ohDRhZFTW%swJ5$MwYWqtGp`J2UW!5EeB|I@WMyD(>}4=$>||<e
zWH^5H&!#NTv$HFAewcnK?qg75#DWjMW|n=Bdh<l&QsVk69TA`HpPuV{Yv%7<7#la;
z_;!}>?#Z7FFTE=*%s#-eM!5gmXFsunt4~FSG%GIK@~K!szB8yz?DM8S=M*2mY__Y}
zwVH!br{lcFZZ;R6>mO`v(@Sy`oh0Iu{_J>BeEVgNGZQl-1LI-?13h3Ea3-{QFt+`0
zVq|1tVP;}GV88?Pm8>u$<9`+=0|o<b5RV@u#k>P8ewl$jS$q75^lITXVevaXum768
z_u@^CMauVYUOcp$^%CdjhV^cff1K85d6>xCxvkT*K;(0m;GeuBdV6$(72EQ9mK;7m
zODp)s%eL>_*~gaXv-E2#b$q#fui5bbX127hlc%H}EXn>YkvTIk?%k~qwPksks!0Nk
U&6A(&>L1>fsKvLe-gUJQ0RB$e?EnA(
index 5e69183e6d5f918c3a55ec66aabc6312455600e4..bd93572ddd17eef4cdae447bb1063dd45fb35771
GIT binary patch
literal 660
zc$_n6Vwzyk#Q1XoGZP~d6Qh;^FB_*;n@8JsUPeY%RtAF{Lv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$lrfM3i7^Wc19=Lbc_pbuxv43ci6yBD&W;9h;=G0?21W)Z28KpPrWR4+yhg?b
zmT;~?DwSO$Y9I`84NpmGafx1PMPhD2PO3rUeB@wYWMyD(>}4=$>||<eWZ1o1rR>zD
zAGfA62Xx(=66M&PXyEY5;ayO&Laku!zT739(@fPH^jwZb#?^*pema>~dHgo}ogMFZ
z+_k#C^R4<<u_5F{$Hwj(`zzDfj$X_^yla2wtnFeN_iFBUEm#@1Y;~%<#vVgXIbY7b
z$4^zqn;x-rYT{0{j5D7<JD%eXbMALVCT2zk#>Jin?grvOr^^bm2pI4+p*mlXjWeOm
zgR$+06C)!F3o{ej0RtY8T46@U|13-f3<lgF9zRHmc?VjAGXuRS{)ClrC!dg|;o{1z
zTS5%=Ywd)Br*4ir?-QW(_d$$vLCIa6t<Fnjg7YJdgjjB^nDxsme06#Lt>eP$HfD4l
znRs~O^x8CK>C{%+cLCClPgh%sePhnM|J`h-+JmgaS+NzK9`a_6QMY7d)pyK__#4l_
VbL_Kpnrze`!-;F;Jt|o(vjKSY&7A-M
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ca9d1b1c327abb8190859bc9c6e36568117b6ac1
GIT binary patch
literal 663
zc$_n6Vw!Bw#Q0|cGZP~d6Qhv<FB_*;n@8JsUPeY%RtAGSLv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$lrxY4i7^X{0(lCac_pbuxv43ci6yBD&W;L326E!Oh9(9^1||lEMn<L<QR2Kt
z#s-#fu0a}=-2+w2EX-SyT3lkJmzh@vG$_TOaXxZLFtRc*H}*0ZG<GsIHZmMmXgzLc
zq#>vB^IOS2WiI{~3E~$2@)&r8G`}p{aXq#9@tv<-6>J#>f(iGh3T%EEqrm@xQ|?W=
z+n0cuHlaGNCi<Al9%~7llWgk9r+#o*w&l;}EyrC1HGYe<RcPLvy0ydC^qu*7zQ>BO
zm%ggC?=9GHkR$EL-TOyR#lPU$^(dWJkcpX*fpM{?fxCe?(CxB<ECL36O*|m?!<{e4
z#+lIO!Pxf0iII_og_()%fB_FktuQ0we-<VK1_N#oj~^t(yaO%HnSoxM{BPw-UMtb%
z^ViJLpPYOlLcw;*{WS(vB5!3co35Oou0AX5QM%hFBi%x)M^hM0%SE?XUE)1<bnfi%
zGhz}VniG@nH>xg5>;0V}bn?Y{J=wf&@k*_brJG6^LzSJfw&b}=_;6&z3hZgAje9et
a>Wuh;ho@Cb+!spfvYlbvJiG9Clo|j>@60y<
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..1798de766455ea33b8be0c1e8a9dd810dcc801f8
GIT binary patch
literal 646
zc$_n6VrnvIVtl=TnTe5!iP6}AmyJ`a&7<u*FC!x>D}zCvA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?W${EOj#F&LefjkAzypq(S+|-oJ#FA76XGaAi137VCLlXld0}}&7BO_CbC~;mR
zV*^V#muBwa5lzg?FUd$PiZ4kmE-})}%qs&Lm}1a4A2~!ASs9ocdl?KGJDD0A8BTD%
zSrIhdXd0U@GvnP09sPbE#2-e4M9lB0R(S4qdyZ;GmQ;F5ZK?F?g>6=18j014!l687
zG22*=_G>q-ij3qHyBW26lklVWyG>oxSDcw$&GWGS0&ApX!d<QFIiFVWN-aHmX+c+)
zFFR9(erxAj%T<q_R4g$){ExTa`1M4A%dbM2m>C%u7aJJp0Rw?Eq0NJ_?S~U1BMS>N
z6Waj;9-y~mg&7(DvoIMj7;uAl{2(dj9cWR^4D?B9;q{eF<#!jDT#?x{YnMk)%uK6m
z9Rb(=UjN)$y1U+e-GL3d<{H^kPw$bxce;*u{to#7r{w)FO=66<eArbv|Mi+?``v}J
z|I95+t=rXoNNYRarFcsV*VuV&eG`9YUr4Iddyvc-s}uZl&UfyKl05aEq08($gW1+h
OIlKLT(>xWk<r)C^sL*Es
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5698f8ebdba62ca9a0fa87bacf2d342cc1634bff
GIT binary patch
literal 663
zc$_n6Vw!Bw#Q0|cGZP~d6QhX%FB_*;n@8JsUPeY%RtAGSLv903Hs(+kHesgFU_)U8
zK@f*Sn9DgaCo?U-C@(Y7P|QFCB*-qz>ziMiSCW{Srx2EzT5c$0AOI5Q66SRBcMlC#
z@Cyz$lrxY4i7^X{0(lCac_pbuxv43ci6yBD&W;L326E!Oh9(9^1||lEMn<L<QR2Kt
z#s-#fu0a}=-2+w2EX-SyT3lkJms*jSTac4#&^RACBp6v4m>YW;3>rI`8XFnT{ktP{
zoqK_9=<81p&vKo<el~Dhs?fKK+xs_{em|Q&sh_i@MqJo$#tD-qo*E&6qXvK39>0B`
zq&=tSSe%qlSb}qnqmY!$%eNcdM4vb=V-}TZK6PTUVolsK!S&6zlA?qT7qBXxp7+dm
z)2bYw^_4F#ZaU1dhWC3-&*!v_(jupW)owB|GcqtP_B3!e5C^(lR**%&fUk)M<bJsG
z1=%<g+B_KBemF5Qvam2Su^lkr0jU*cWc<&<WWZp+4dU^Gq?mW0#W^$3i_6mY&Eig4
z`%R!m@j8F=cIkaah3Tu7smb{Mob*BK=WVV3Kf*K}S4eHv+aPXuL9koutmh2h-!m?^
zSk7H8Z7R;R#wMmnX!m>p8TnIHy)U0wn=ei|#&@u_aff35)<u_=uW7qEzqd>ExAtz~
d;|Aw-6+dlwY|+GbN%G6u6;Bp#+UC510RZ1I)x-b*
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..3cf85d04777a07ab8738b23cbe8e4104a1be5c4e
GIT binary patch
literal 578
zc$_n6VzM)6VqCs}nTe5!iBZ#lmyJ`a&7<u*FC!x>D}#ZDA-4f18*?ZNn=n&oFpR??
z%;fB7$Ya0-;&2HwyXEH_${EOjc+A40e!;;Co_QsyMY*XdnTaK-3eJuSMh0@?yoM$Q
zMg}GZhDJuF7E$87M#ct~aIQfB(KbPO+``OBiA9DI24WC<`I8b$^wRS4^-?Pma|?1(
z4I1Yo`-YK~fw{4l!Jx5|sj-paw3Xn#(=5HyXK(w_IxpM$lF_UEb535BO5fi4(mMTi
zjM-P8Pb!K#w#w`}_b20|yklefyp!wy{GQ3FdzIJWj9l%~Y`(eHdRvyxw&<&PI)DG#
zCvmIOXGyFK6u#Q&AT)E8#j@_yg92I`1E;**Gk<Q3gLUlhq-#Gei8pX3I<&^jZ#Z(4
ziJ6gsaj}7co`E16XF{6?W7`iWMn)DEW+t`+20TCy$qF+v{%2t_U@+hY@%TYf%sbGc
zhZ*RT{?N%Q`L7>xn<%`;YR3YrS5hZ-tyvgiFfYJ#-uAqw(KEi5eR`U{^G!op%fDXr
zyAqwXiyw1Dmu*^oW%YzkjiW1`>rVAEIDGNjp@W`|Hk=F@)!Z`1>zMp=x682p^xdDd
o{KpT&Gg>9fEYGdk(5A%V;8-`uEHh>5S=I{ngA8lVhA*`P0N$y-djJ3c
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..f0694ed0390d4027bee4913d7438c4b2b45d4d3f
GIT binary patch
literal 564
zc$_n6VlpsjVw|~vnTe5!iBZddmyJ`a&7<u*FC!x>D}#ZDA-4f18*?ZNn=n&oFpR??
z%;fB7$Ya0-;&2HwyXEH_${EOjc+A40e!;;Co_QsyMY*XdnTaK-3eJuSMh0@?yoM$Q
zMg}GZhDJuF7E$87M#ct~aIS$9(KbmKh(T=PPf9G&OUuvKORY%EEyzhVXq=DienwUX
z=EhzIgT_v##zuy>9U58>H;FWy-|?4uA~W;XE)j*d#&<r<+!HS+`ciJ2oBuzfkoUX$
zYDDsMm#+SN;z9c3eWzYupW*M=s{N|s&*lbZy~a~&Ta#0Eg~wf8>6yZRG`%YF&6!hT
z=6qA^eSS`ys~SD8K5}zEH^Z3^X2Bij)2=!cUaMK2^X9W+c<`eZ-rY>hj0}v64Gi=Q
z1lc$f+B_KBemF5Qvam2Su^lkr0eVPQn33^63zGqZ0XK-p50YZuffgamK%W@OuUd5K
zk<qM|DM~EG+|17&8S9$dP3ekLd-t!|y}ER=<%e(jOcP4Egm(FzioI*MTQcHUai+0g
zbZopQn@z};K!>xNK9uAznEg7oPW|DL35P=#>&{#ord>7N{Qe6Ix#t>RUbhD~L`-3_
d6Muia;;yfjZU4P542s3qeC`xox@)jT4*-*lxTydD
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..517c0ae311a354e6e83d0b805152acef7924b269
GIT binary patch
literal 551
zc$_n6Vp29}V(eMK%*4pV#Hek+%f_kI=F#?@mywZ`mBGNnklTQhjX9KsO_(V(7{=ic
zW^#5k<T2m^akzw;-SYDd<qTv%JZ520zu;g6&%Bb<qTJM!%*2vZ1!qSEBLg{cUPBWD
zBLfoyLn9+o%P4VPBVz+gIM=`w)h1NKB@DzMhVv&SmguGB=j)|bB<2?6q#88NM|LtJ
zD+6<5FM~m2CsSi1!xM?LDLyW{pRAkn%t!6R?bGg`Hymv@ms#bpVaf+#1+lH~HzaV%
z{!QlJUYqr4<(IR;y519;<~V!o;GF9HOv}dLc+(f*dyALE-&*}=Z;y$s!&)7$|1Bm_
z2hX0F6S!RH^qye8?WX7C_CC?-7n0Jp`M#9zkHu@Ihi^i@8rXX}r5Hb$%*4#dz_{4J
zK+iysjWeOmgR$+06C)!F3o{ej0RtYOhh&8r8UM2|888@dgLwQPDdrt$alj1piJ*j*
z{NxYQCu^rUDE2IiU3Sp-SWwxvmJ+QU8#2OL+^rTGC$Dz?`)T3FV=kG#?L{~KH|RfB
ziHsA9vFZ&fw_&?Hap#Z5+ND7oujr=#+GmlYzx;R2X^TrUB4SrbWOnep-(jN4Zx<!d
fVeRVbf9P>W`VLk-EBmuSYT^rjeYgC?vQYp4QfIXI
--- a/security/nss/tests/libpkix/certs/make-nc
+++ b/security/nss/tests/libpkix/certs/make-nc
@@ -89,15 +89,366 @@ n
 
 y
 0
 1
 9
 n
 CERTSCRIPT
 
+certutil -S -z noise -g 1024 -d . -n ica2 -s "CN=NSS Intermediate CA 2,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica -m 21 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server4 -s "CN=test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 50 -v 115 -1 -2 -5 -8 test.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server5 -s "CN=another_test2.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 51 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
+certutil -S -z noise -g 1024 -d . -n server6 -s "CN=test2.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica2 -m 52 -v 115 -1 -2 -5 -8 test.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica3 -s "CN=NSS Intermediate CA3,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 21 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+foo.example
+1
+y
+5
+O=Foo,st=ca,c=us
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica4 -s "CN=NSS Intermediate CA 2,O=Foo,ST=CA,C=US" -t ,, -c ica3 -m 61 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server7 -s "CN=bat.foo.example,ou=bar,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server8 -s "CN=bat.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 42 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server9 -s "CN=bat.foo.example,O=Foo,C=US" -t ,, -c ica4 -m 43 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server10 -s "CN=bar.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 44 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server11 -s "CN=site.example,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 45 -v 115 -1 -2 -5 -8 foo.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica5 -s "CN=NSS Intermediate CA 2,O=OtherOrg,ST=CA,C=US" -t ,, -c ica3 -m 62 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server13 -s "CN=bat.foo.example,O=OtherOrg,ST=CA,C=US" -t ,, -c ica5 -m 41 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server14 -s "CN=another.foo.example,O=Foo,ST=CA,C=US" -t ,, -c ica5 -m 490 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ncca -s "CN=NSS Name Constrained Root CA,O=BOGUS NSS,L=Mountain View,ST=CA,C=US" -t C,C,C -x -m 2 -w -1 -v 118 -1 -2 -5 --extNC <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+3
+.example
+1
+n
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n ica6 -s "CN=NSS Intermediate CA6,O=OtherOrg,ST=CA,C=US" -t ,, -c ncca -m 63 -w -2 -v 120 -1 -2 -5 <<CERTSCRIPT
+5
+6
+9
+n
+y
+
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server15 -s "CN=testfoo.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 64 -v 115 -1 -2 -5 -8 testfoo.invalid <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server16 -s "CN=another_test3.invalid,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 65 -v 115 -1 -2 -5 <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+certutil -S -z noise -g 1024 -d . -n server17 -s "CN=test4.example,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ica6 -m 66 -v 115 -1 -2 -5 -8 test4.example <<CERTSCRIPT
+0
+2
+3
+4
+9
+n
+n
+
+y
+0
+1
+9
+n
+CERTSCRIPT
+
+
 certutil -d . -L -n ca -r > NameConstraints.ca.cert
 certutil -d . -L -n ica -r > NameConstraints.intermediate.cert
 certutil -d . -L -n server1 -r > NameConstraints.server1.cert
 certutil -d . -L -n server2 -r > NameConstraints.server2.cert
 certutil -d . -L -n server3 -r > NameConstraints.server3.cert
+certutil -d . -L -n ica2 -r > NameConstraints.intermediate2.cert
+certutil -d . -L -n server4 -r > NameConstraints.server4.cert
+certutil -d . -L -n server5 -r > NameConstraints.server5.cert
+certutil -d . -L -n server6 -r > NameConstraints.server6.cert
+certutil -d . -L -n ica3 -r > NameConstraints.intermediate3.cert
+certutil -d . -L -n ica4 -r > NameConstraints.intermediate4.cert
+certutil -d . -L -n server7 -r > NameConstraints.server7.cert
+certutil -d . -L -n server8 -r > NameConstraints.server8.cert
+certutil -d . -L -n server9 -r > NameConstraints.server9.cert
+certutil -d . -L -n server10 -r > NameConstraints.server10.cert
+certutil -d . -L -n server11 -r > NameConstraints.server11.cert
+certutil -d . -L -n server11 -r > NameConstraints.server11.cert
+certutil -d . -L -n server12 -r > NameConstraints.server12.cert
+certutil -d . -L -n ica5 -r > NameConstraints.intermediate5.cert
+certutil -d . -L -n server13 -r > NameConstraints.server13.cert
+certutil -d . -L -n server14 -r > NameConstraints.server14.cert
+certutil -d . -L -n ncca -r > NameConstraints.ncca.cert
+certutil -d . -L -n ica6 -r > NameConstraints.intermediate6.cert
+certutil -d . -L -n server15 -r > NameConstraints.server15.cert
+certutil -d . -L -n server16 -r > NameConstraints.server16.cert
+certutil -d . -L -n server17 -r > NameConstraints.server17.cert
 
-echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert"
+echo "Created multiple files in subdirectory tmp: NameConstraints.ca.cert NameConstraints.intermediate.cert NameConstraints.server1.cert NameConstraints.server2.cert NameConstraints.server3.cert NameConstraints.intermediate2.cert NameConstraints.server4.cert NameConstraints.server5.cert NameConstraints.server6.cert"
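Review bot: The export list added near the end of this hunk writes `NameConstraints.server11.cert` twice, through two identical `certutil -d . -L -n server11 -r > NameConstraints.server11.cert` lines; the second is redundant and can be dropped. The updated `echo` stops at `NameConstraints.server6.cert`, although the hunk also exports intermediate3 through intermediate6, ncca and server7 through server17, so the summary under-reports what the script produced. Listing every file, or printing something like `echo "Created NameConstraints.*.cert files in subdirectory tmp"`, would keep it accurate. None of the added `certutil -S` calls is followed by a status check in the visible lines, so a failed issuance would presumably surface only as an empty or stale `.cert` export feeding the name-constraints tests. Whether the script enables `set -e` earlier cannot be seen, because it begins outside this hunk.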