Bug 1166031 - Update NSS to NSS_3_19_1_RTM. a=2.1+
authorRyan VanderMeulen <ryanvm@gmail.com>
Thu, 28 May 2015 19:40:42 -0400
changeset 222108 685bd8d49ce3
parent 222107 948dcc508b8c
child 222109 f22235875dc0
push id526
push userryanvm@gmail.com
push dateSat, 30 May 2015 17:14:03 +0000
reviewers2
bugs1166031
milestone34.0
Bug 1166031 - Update NSS to NSS_3_19_1_RTM. a=2.1+
CLOBBER
configure.in
security/nss/TAG-INFO
security/nss/cmd/certutil/certext.c
security/nss/cmd/certutil/certutil.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/checkcert/checkcert.c
security/nss/cmd/crlutil/crlgen.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/modutil/install.c
security/nss/cmd/pk12util/pk12util.c
security/nss/cmd/platlibs.mk
security/nss/cmd/pp/pp.c
security/nss/cmd/rsaperf/rsaperf.c
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/tstclnt/manifest.mn
security/nss/cmd/tstclnt/tstclnt.c
security/nss/coreconf/Darwin.mk
security/nss/coreconf/command.mk
security/nss/coreconf/coreconf.dep
security/nss/coreconf/location.mk
security/nss/coreconf/rules.mk
security/nss/doc/Makefile
security/nss/doc/certutil.xml
security/nss/doc/html/certutil.html
security/nss/doc/nroff/certutil.1
security/nss/external_tests/README
security/nss/external_tests/ssl_gtest/databuffer.h
security/nss/external_tests/ssl_gtest/gtest_utils.h
security/nss/external_tests/ssl_gtest/manifest.mn
security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
security/nss/external_tests/ssl_gtest/ssl_gtest.cc
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/external_tests/ssl_gtest/ssl_skip_unittest.cc
security/nss/external_tests/ssl_gtest/test_io.cc
security/nss/external_tests/ssl_gtest/test_io.h
security/nss/external_tests/ssl_gtest/tls_agent.cc
security/nss/external_tests/ssl_gtest/tls_agent.h
security/nss/external_tests/ssl_gtest/tls_connect.cc
security/nss/external_tests/ssl_gtest/tls_connect.h
security/nss/external_tests/ssl_gtest/tls_filter.cc
security/nss/external_tests/ssl_gtest/tls_filter.h
security/nss/external_tests/ssl_gtest/tls_parser.cc
security/nss/external_tests/ssl_gtest/tls_parser.h
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certdb.h
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/certv3.c
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/genname.c
security/nss/lib/ckfw/builtins/bfind.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/config.mk
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/ckfw/capi/config.mk
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/nssmkey/mobject.c
security/nss/lib/crmf/respcli.c
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/freebl/blapit.h
security/nss/lib/freebl/cts.c
security/nss/lib/freebl/ecl/README
security/nss/lib/freebl/ecl/ecp_jac.c
security/nss/lib/freebl/ecl/ecp_jm.c
security/nss/lib/freebl/mpi/README
security/nss/lib/freebl/mpi/doc/LICENSE-MPL
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/tests/LICENSE-MPL
security/nss/lib/freebl/mpi/utils/LICENSE-MPL
security/nss/lib/freebl/mpi/utils/README
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_revchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.h
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_publickey.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_x500name.c
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/pkcs12/p12.h
security/nss/lib/pkcs12/p12d.c
security/nss/lib/pkcs12/p12local.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/pki/pki3hack.h
security/nss/lib/pki/pkistore.c
security/nss/lib/pki/tdcache.c
security/nss/lib/pki/trustdomain.c
security/nss/lib/smime/cmsmessage.c
security/nss/lib/smime/smime.def
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/config.mk
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/SSLerrs.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/nssutil.h
security/nss/lib/util/quickder.c
security/nss/pkg/solaris/common_files/copyright
security/nss/tests/all.sh
security/nss/tests/cert/cert.sh
security/nss/tests/chains/scenarios/realcerts.cfg
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/cipher/cipher.sh
security/nss/tests/common/init.sh
security/nss/tests/dbtests/dbtests.sh
security/nss/tests/iopr/server_scr/config
security/nss/tests/libpkix/certs/PayPalEE.cert
security/nss/tests/libpkix/certs/PayPalICA.cert
security/nss/tests/libpkix/certs/PayPalRootCA.cert
security/nss/tests/libpkix/sample_apps/README
security/nss/tests/libpkix/vfychain_test.lst
security/nss/tests/memleak/memleak.sh
security/nss/tests/ssl/sslcov.txt
--- a/CLOBBER
+++ b/CLOBBER
@@ -17,9 +17,9 @@
 #
 # Modifying this file will now automatically clobber the buildbot machines \o/
 #
 
 # Are you updating CLOBBER because you think it's needed for your WebIDL
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Merge day clobber
\ No newline at end of file
+Bug 1166031 - NSS update hit needs-clobber bustage.
--- a/configure.in
+++ b/configure.in
@@ -3501,17 +3501,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.17.2, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.19.1, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS='-I$(LIBXUL_DIST)/include/nss'
 
    if test -z "$GNU_CC" -a "$OS_ARCH" = "WINNT"; then
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_17_2_RTM
+NSS_3_19_1_RTM
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -982,20 +982,23 @@ AddNameConstraints(void *extHandle)
         }
 
         (void) SEC_ASN1EncodeInteger(arena, &current->min, 0);
 
         if (!GetGeneralName(arena, &current->name, PR_TRUE)) {
             GEN_BREAK(SECFailure);
         }
 
-        PrintChoicesAndGetAnswer("Type of Name Constraint?\n"
+        if (PrintChoicesAndGetAnswer("Type of Name Constraint?\n"
             "\t1 - permitted\n\t2 - excluded\n\tAny"
             "other number to finish\n\tChoice",
-            buffer, sizeof(buffer));
+            buffer, sizeof(buffer)) != SECSuccess) {
+            GEN_BREAK(SECFailure);
+        }
+
         intValue = PORT_Atoi(buffer);
         switch (intValue) {
         case 1:
             if (constraints->permited == NULL) {
                 constraints->permited = last_permited = current;
             }
             last_permited->l.next = &(current->l);
             current->l.prev = &(last_permited->l);
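Review bot: The prompt passed to PrintChoicesAndGetAnswer still prints "Anyother number to finish", because the literal ending in `"\tAny"` is concatenated directly with `"other number to finish\n\tChoice"` and no space separates them; the same defect is in the AddInfoAccess hunk below (`"\t1 - CA Issuers\n\t2 - OCSP\n\tAny"`). The fix is `"\t1 - permitted\n\t2 - excluded\n\tAny "` here and `"\t1 - CA Issuers\n\t2 - OCSP\n\tAny "` there. As a point of style, the second hunk writes `GEN_BREAK (SECFailure);` with a space before the parenthesis while this hunk writes `GEN_BREAK(SECFailure);`; the two should match. Both enclosing functions start and end outside their hunks, so whether the `break` hidden in GEN_BREAK leaves the intended loop cannot be confirmed from here.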
@@ -1821,21 +1824,23 @@ AddInfoAccess(void *extHandle, PRBool ad
                     "Subject Information Access extension:\n");
                 intValue = caRepository;
             } else {
                 puts("Adding \"Time Stamping Services\" access method type for "
                     "Subject Information Access extension:\n");
                 intValue = timeStamping;
             }
         } else {
-            PrintChoicesAndGetAnswer("Enter access method type "
+            if (PrintChoicesAndGetAnswer("Enter access method type "
                 "for Authority Information Access extension:\n"
                 "\t1 - CA Issuers\n\t2 - OCSP\n\tAny"
                 "other number to finish\n\tChoice",
-                buffer, sizeof(buffer));
+                buffer, sizeof(buffer)) != SECSuccess) {
+                GEN_BREAK (SECFailure);
+            }
             intValue = PORT_Atoi(buffer);
         }
         if (addSIAExt) {
             switch (intValue) {
               case caRepository:
                   oid = SECOID_FindOIDByTag(SEC_OID_PKIX_CA_REPOSITORY);
                   break;
                   
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -35,17 +35,17 @@
 #include "secoid.h"
 #include "certdb.h"
 #include "nss.h"
 #include "certutil.h"
 
 #define MIN_KEY_BITS		512
 /* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */
 #define MAX_KEY_BITS		8192
-#define DEFAULT_KEY_BITS	1024
+#define DEFAULT_KEY_BITS	2048
 
 #define GEN_BREAK(e) rv=e; break;
 
 char *progName;
 
 static CERTCertificateRequest *
 GetCertRequest(const SECItem *reqDER)
 {
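Review bot: DEFAULT_KEY_BITS is raised to 2048 without a comment, while the neighbouring MAX_KEY_BITS carries one explaining its relationship to freebl; a reader later will not know whether 2048 is a policy choice or a coincidence. Suggest `/* Default RSA size for -G/-S/-R; 1024-bit RSA is below current minimum recommendations. MIN_KEY_BITS still permits smaller sizes when asked for explicitly. */` above the define. Note that MIN_KEY_BITS stays at 512, so the new default only changes what is generated when no `-g` is given; it does not reject weak sizes.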
@@ -175,17 +175,17 @@ AddCert(PK11SlotInfo *slot, CERTCertDBHa
     CERT_DestroyCertificate (cert);
     PORT_Free(trust);
 
     return rv;
 }
 
 static SECStatus
 CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
-        SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii, 
+        SECOidTag hashAlgTag, CERTName *subject, const char *phone, int ascii,
 	const char *emailAddrs, const char *dnsNames,
         certutilExtnList extnList, const char *extGeneric,
         /*out*/ SECItem *result)
 {
     CERTSubjectPublicKeyInfo *spki;
     CERTCertificateRequest *cr;
     SECItem *encoding;
     SECOidTag signAlgTag;
@@ -265,17 +265,17 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
 	}
 
 	name = CERT_GetCommonName(subject);
 	if (!name) {
 	    name = PORT_Strdup("(not specified)");
 	}
 
 	if (!phone)
-	    phone = strdup("(not specified)");
+	    phone = "(not specified)";
 
 	email = CERT_GetCertEmailAddress(subject);
 	if (!email)
 	    email = PORT_Strdup("(not specified)");
 
 	org = CERT_GetOrgName(subject);
 	if (!org)
 	    org = PORT_Strdup("(not specified)");
@@ -318,16 +318,17 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
 		    PORT_Memcpy(result->data + headerLen, obuf, obufLen);
 		    PORT_Memcpy(result->data + headerLen + obufLen,
 				trailer, trailerLen);
 		}
 		PR_smprintf_free(trailer);
 	    }
 	    PR_smprintf_free(header);
 	}
+	PORT_Free(obuf);
     } else {
 	(void) SECITEM_CopyItem(NULL, result, &signedReq);
     }
 
     if (!result->data) {
 oom:    SECU_PrintError(progName, "out of memory");
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	rv = SECFailure;
@@ -966,29 +967,29 @@ ListModules(void)
 static void 
 PrintSyntax(char *progName)
 {
 #define FPS fprintf(stderr, 
     FPS "Type %s -H for more detailed descriptions\n", progName);
     FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile] [--empty-password]\n", progName);
     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
 	"\t\t [-f pwfile] [-0 SSO-password]\n", progName);
-    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+    FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
     	progName);
     FPS "\t%s -B -i batch-file\n", progName);
     FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
 	"\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-        "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+        "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-Z hashAlg]\n"
         "\t\t [-1 | --keyUsage [keyUsageKeyword,..]] [-2] [-3] [-4]\n"
         "\t\t [-5 | --nsCertType [nsCertTypeKeyword,...]]\n"
         "\t\t [-6 | --extKeyUsage [extKeyUsageKeyword,...]] [-7 emailAddrs]\n"
         "\t\t [-8 dns-names] [-a]\n",
 	progName);
     FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
-    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
+    FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
 	progName);
     FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n", 
 	progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" 
 	"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
 	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
 #ifndef NSS_DISABLE_ECC
@@ -1005,34 +1006,35 @@ PrintSyntax(char *progName)
 	progName);
     FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
     FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
     FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
 	progName);
     FPS "\t\t [-P targetDBPrefix] [--source-prefix sourceDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n");
-    FPS "\t%s -L [-n cert-name] [--email email-address] [-X] [-r] [-a]\n",
+    FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n",
 	progName);
-    FPS "\t\t [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
+    FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
     FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
 	progName);
     FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
     FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
-	"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile] [-g key-size]\n",
+        "\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
+        "\t\t [-g key-size] [-Z hashAlg]\n",
 	progName);
     FPS "\t%s -V -n cert-name -u usage [-b time] [-e] [-a]\n"
 	"\t\t[-X] [-d certdir] [-P dbprefix]\n",
 	progName);
     FPS "Usage:  %s -W [-d certdir] [-f pwfile] [-@newpwfile]\n",
 	progName);
     FPS "\t%s -S -n cert-name -s subj [-c issuer-name | -x]  -t trustargs\n"
 	"\t\t [-k key-type-or-id] [-q key-params] [-h token-name] [-g key-size]\n"
         "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n"
-	"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
+        "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-Z hashAlg]\n"
         "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
         "\t\t [-8 DNS-names]\n"
         "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
         "\t\t [--extSKID] [--extNC] [--extSAN type:name[,type:name]...]\n"
 	"\t\t [--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...]\n", progName);
     FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
     exit(1);
 }
@@ -1133,16 +1135,21 @@ static void luC(enum usage_level ul, con
         "   -v months-valid");
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s \n"
+              "%-20s Specify the hash algorithm to use. Possible keywords:\n"
+              "%-20s \"MD2\", \"MD4\", \"MD5\", \"SHA1\", \"SHA224\",\n"
+              "%-20s \"SHA256\", \"SHA384\", \"SHA512\"\n",
+        "   -Z hashAlg", "", "", "");
+    FPS "%-20s \n"
               "%-20s Create key usage extension. Possible keywords:\n"
               "%-20s \"digitalSignature\", \"nonRepudiation\", \"keyEncipherment\",\n"
               "%-20s \"dataEncipherment\", \"keyAgreement\", \"certSigning\",\n"
               "%-20s \"crlSigning\", \"critical\"\n",
         "   -1 | --keyUsage keyword,keyword,...", "", "", "", "");
     FPS "%-20s Create basic constraint extension\n",
         "   -2 ");
     FPS "%-20s Create authority key ID extension\n",
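Review bot: The new `-Z hashAlg` help text lists "MD2", "MD4" and "MD5" alongside the SHA-2 family with no indication that the MD* digests are obsolete for certificate signatures, so the help reads as if all eight are equally acceptable; the same text is duplicated in the luR hunk (`-Z hashAlg` under `-R`) and the luS hunk (under `-S`). Suggest appending one more line to the format, e.g. `"%-20s (MD2/MD4/MD5 are legacy; use SHA256 or stronger for new certificates)\n"` with a matching extra `""` argument, or factoring the four-line block into a single `static const char *` so it only has to be maintained in one place. Whether certutil itself rejects MD* for signing is not visible in this hunk.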
@@ -1331,16 +1338,18 @@ static void luK(enum usage_level ul, con
 static void luL(enum usage_level ul, const char *command)
 {
     int is_my_command = (command && 0 == strcmp(command, "L"));
     if (ul == usage_all || !command || is_my_command)
     FPS "%-15s List all certs, or print out a single named cert (or a subset)\n",
         "-L");
     if (ul == usage_selected && !is_my_command)
         return;
+    FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
+        "   -h token-name ");
     FPS "%-20s Pretty print named cert (list all if unspecified)\n",
         "   -n cert-name");
     FPS "%-20s \n"
               "%-20s Pretty print cert with email address (list all if unspecified)\n",
         "   --email email-address", "");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
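Review bot: The new option label `"   -h token-name "` ends in a trailing space, unlike every sibling label in this block (`"   -n cert-name"`, `"   -d certdir"`); the `%-20s` padding hides it in the output, but it is an inconsistency that will be copied. Change it to `"   -h token-name"`.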
@@ -1383,16 +1392,18 @@ static void luN(enum usage_level ul, con
     FPS "%-15s Create a new certificate database\n",
         "-N");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
+    FPS "%-20s Specify the password file\n",
+        "   -f password-file");
     FPS "%-20s use empty password when creating a new database\n",
         "   --empty-password");
     FPS "\n");
 }
 
 static void luT(enum usage_level ul, const char *command)
 {
     int is_my_command = (command && 0 == strcmp(command, "T"));
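Review bot: The added `-f` description for `-N` names the argument `password-file`, whereas the usage line above (`-N [-d certdir] [-P dbprefix] [-f pwfile] ...`) and the other per-command help blocks in this diff (luC, luR, luS) all use `pwfile`; the help for one command should not spell the same argument differently from its own usage line. Change the label to `"   -f pwfile"`.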
@@ -1468,16 +1479,21 @@ static void luR(enum usage_level ul, con
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Key database directory (default is ~/.netscape)\n",
         "   -d keydir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
         "   -p phone");
+    FPS "%-20s \n"
+              "%-20s Specify the hash algorithm to use. Possible keywords:\n"
+              "%-20s \"MD2\", \"MD4\", \"MD5\", \"SHA1\", \"SHA224\",\n"
+              "%-20s \"SHA256\", \"SHA384\", \"SHA512\"\n",
+        "   -Z hashAlg", "", "", "");
     FPS "%-20s Output the cert request in ASCII (RFC1113); default is binary\n",
         "   -a");
     FPS "%-20s \n",
         "   See -S for available extension options");
     FPS "%-20s \n",
         "   See -G for available key flag options");
     FPS "\n");
 }
@@ -1629,16 +1645,21 @@ static void luS(enum usage_level ul, con
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
         "   -p phone");
+    FPS "%-20s \n"
+              "%-20s Specify the hash algorithm to use. Possible keywords:\n"
+              "%-20s \"MD2\", \"MD4\", \"MD5\", \"SHA1\", \"SHA224\",\n"
+              "%-20s \"SHA256\", \"SHA384\", \"SHA512\"\n",
+        "   -Z hashAlg", "", "", "");
     FPS "%-20s Create key usage extension\n",
         "   -1 ");
     FPS "%-20s Create basic constraint extension\n",
         "   -2 ");
     FPS "%-20s Create authority key ID extension\n",
         "   -3 ");
     FPS "%-20s Create crl distribution point extension\n",
         "   -4 ");
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -489,17 +489,16 @@ getECParams(const char *curve)
 SECKEYPrivateKey *
 CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
 			    int publicExponent, const char *noise, 
 			    SECKEYPublicKey **pubkeyp, const char *pqgFile,
 			    PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
 			    CK_FLAGS opFlagsOff, secuPWData *pwdata)
 {
     CK_MECHANISM_TYPE  mechanism;
-    SECOidTag          algtag;
     PK11RSAGenParams   rsaparams;
     SECKEYPQGParams  * dsaparams = NULL;
     void             * params;
     SECKEYPrivateKey * privKey = NULL;
 
     if (slot == NULL)
 	return NULL;
 
@@ -524,22 +523,20 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
 	}
     }
 
     switch (keytype) {
     case rsaKey:
 	rsaparams.keySizeInBits = size;
 	rsaparams.pe = publicExponent;
 	mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-	algtag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
 	params = &rsaparams;
 	break;
     case dsaKey:
 	mechanism = CKM_DSA_KEY_PAIR_GEN;
-	algtag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
 	if (pqgFile) {
 	    dsaparams = getpqgfromfile(size, pqgFile);
 	    if (dsaparams == NULL)
 	    	return NULL;
 	    params = dsaparams;
 	} else {
 	    /* cast away const, and don't set dsaparams */
 	    params = (void *)&default_pqg_params;
--- a/security/nss/cmd/checkcert/checkcert.c
+++ b/security/nss/cmd/checkcert/checkcert.c
@@ -215,40 +215,39 @@ CERTCertificate *createEmptyCertificate(
     if (c) {
 	c->referenceCount = 1;
 	c->arena = arena;
     } else {
 	PORT_FreeArena(arena,PR_TRUE);
     }
 
     return c;
-}    
-
-
+}
 
 
 int main(int argc, char **argv)
 {
-    int rv, verbose=0, force=0;
+    int verbose=0, force=0;
     int ascii=0, issuerAscii=0;
     char *progName=0;
     PRFileDesc *inFile=0, *issuerCertFile=0;
     SECItem derCert, derIssuerCert;
     PLArenaPool *arena=0;
     CERTSignedData *signedData=0;
     CERTCertificate *cert=0, *issuerCert=0;
     SECKEYPublicKey *rsapubkey=0;
     SECAlgorithmID md5WithRSAEncryption, md2WithRSAEncryption;
     SECAlgorithmID sha1WithRSAEncryption, rsaEncryption;
     SECItem spk;
     int selfSigned=0;
     int invalid=0;
     char *inFileName = NULL, *issuerCertFileName = NULL;
     PLOptState *optstate;
     PLOptStatus status;
+    SECStatus rv;
 
     PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
     PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
     PORT_Memset(&sha1WithRSAEncryption, 0, sizeof(sha1WithRSAEncryption));
     PORT_Memset(&rsaEncryption, 0, sizeof(rsaEncryption));
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName+1 : argv[0];
@@ -400,27 +399,47 @@ int main(int argc, char **argv)
     }
 
 
     /* Do various checks on the cert */
 
     printf("\n");
 
     /* Check algorithms */
-    SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
+    rv = SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
 		       SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
 
-    SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
+    rv = SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
 		       SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
 
-    SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
+    rv = SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
 		       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
 
-    SECOID_SetAlgorithmID(arena, &rsaEncryption,
+    rv = SECOID_SetAlgorithmID(arena, &rsaEncryption,
 		       SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
 
     {
 	int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
 					       &md5WithRSAEncryption) == 0);
 	int isMD2RSA = (SECOID_CompareAlgorithmID(&cert->signature,
 					       &md2WithRSAEncryption) == 0);
 	int isSHA1RSA = (SECOID_CompareAlgorithmID(&cert->signature,
 					       &sha1WithRSAEncryption) == 0);
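Review bot: The four new guards test `if (rv)` on a SECStatus, which relies on SECSuccess being zero; NSS code conventionally writes `if (rv != SECSuccess)` and the enum value should not be treated as a boolean. The same seven-line check-and-exit block is then repeated verbatim four times with only the tag name varying, which invites copy-paste drift in the messages; a small static helper keeps one copy of the error path. main() continues outside the hunk, and the helper would need to be defined before it.
```c
/* Fill *id from the OID table for `tag`; exit with a diagnostic if that fails. */
static void
setAlgorithmIDOrDie(PLArenaPool *arena, SECAlgorithmID *id, SECOidTag tag,
                    const char *tagName, const char *progName)
{
    if (SECOID_SetAlgorithmID(arena, id, tag, NULL) != SECSuccess) {
        fprintf(stderr, "%s: failed to set algorithm ID for %s.\n",
                progName, tagName);
        exit(1);
    }
}

    /* … unchanged: argument parsing and certificate loading in main() … */
    setAlgorithmIDOrDie(arena, &md5WithRSAEncryption,
                        SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
                        "SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION", progName);
    /* … likewise for md2WithRSAEncryption, sha1WithRSAEncryption, rsaEncryption … */
```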
--- a/security/nss/cmd/crlutil/crlgen.c
+++ b/security/nss/cmd/crlutil/crlgen.c
@@ -1164,17 +1164,17 @@ crlgen_setNextDataFn_field(CRLGENGenerat
     PORT_Assert(crlGenData);
     if (!crlGenData) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     switch (crlGenData->contextId) {
       case CRLGEN_CHANGE_RANGE_CONTEXT:
-          if (dtype != CRLGEN_TYPE_DIGIT || dtype != CRLGEN_TYPE_DIGIT_RANGE) {
+          if (dtype != CRLGEN_TYPE_DIGIT && dtype != CRLGEN_TYPE_DIGIT_RANGE) {
               crlgen_PrintError(crlGenData->parsedLineNum,
                                 "range value should have "
                                 "numeric or numeric range values.\n");
               return SECFailure;
           }
           break;
       case CRLGEN_NEXT_UPDATE_CONTEXT:
       case CRLGEN_UPDATE_CONTEXT:
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -286,16 +286,19 @@ secu_InitSlotPassword(PK11SlotInfo *slot
     PR_fprintf(PR_STDERR, 
         "Enter a password which will be used to encrypt your keys.\n"
      	"The password should be at least 8 characters long,\n"
      	"and should contain at least one non-alphabetic character.\n\n");
 
     output = fopen(consoleName, "w");
     if (output == NULL) {
 	PR_fprintf(PR_STDERR, "Error opening output terminal for write\n");
+#ifndef _WINDOWS
+	fclose(input);
+#endif
 	return NULL;
     }
 
 
     for (;;) {
 	if (p0) 
 	    PORT_Free(p0);
 	p0 = SEC_GetPassword(input, output, "Enter new password: ",
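Review bot: The new `fclose(input)` is wrapped in `#ifndef _WINDOWS` with no comment saying why the stream must not be closed on Windows; the reason is presumably that `input` is only obtained via fopen() on non-Windows builds, but that is not visible in this hunk. A one-line comment above the guard, e.g. `/* input is only fopen()ed on non-Windows builds; see how it is opened above */`, would stop the next maintainer from "fixing" the asymmetry. The other exit paths of secu_InitSlotPassword are outside the hunk, so whether they release `input` the same way cannot be confirmed here.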
@@ -2404,16 +2407,56 @@ SECU_PrintCertificate(FILE *out, const S
 	secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1);
     SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1);
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
 }
 
 int
+SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int level)
+{
+    PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTCertificate *c;
+    int rv = SEC_ERROR_NO_MEMORY;
+    int iv;
+    
+    if (!arena)
+	return rv;
+
+    /* Decode certificate */
+    c = PORT_ArenaZNew(arena, CERTCertificate);
+    if (!c)
+	goto loser;
+    c->arena = arena;
+    rv = SEC_ASN1DecodeItem(arena, c, 
+                            SEC_ASN1_GET(CERT_CertificateTemplate), der);
+    if (rv) {
+        SECU_Indent(out, level); 
+	SECU_PrintErrMsg(out, level, "Error", "Parsing extension");
+	SECU_PrintAny(out, der, "Raw", level);
+	goto loser;
+    }
+    /* Pretty print it out */
+    SECU_Indent(out, level); fprintf(out, "%s:\n", m);
+    SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1);
+    SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1);
+    SECU_PrintName(out, &c->issuer, "Issuer", level+1);
+    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+	SECU_Newline(out);
+    secu_PrintValidity(out, &c->validity, "Validity", level+1);
+    SECU_PrintName(out, &c->subject, "Subject", level+1);
+    if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/
+	SECU_Newline(out);
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
+int
 SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level)
 {
     PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     int          rv    = SEC_ERROR_NO_MEMORY;
     CERTSubjectPublicKeyInfo spki;
 
     if (!arena)
 	return rv;
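Review bot: SECU_PrintCertificateBasicInfo declares `int iv;` and never uses it, and the decode-failure path reports `"Parsing extension"` although what failed is SEC_ASN1DecodeItem on a certificate, so the message misleads anyone reading the output; drop `iv` and use `SECU_PrintErrMsg(out, level, "Error", "Parsing certificate");`. The function also has no header comment; suggest `/* Print only serial number, signature algorithm, issuer, validity and subject of a DER certificate; extensions and public key are skipped. */`. As in the neighbouring SECU_PrintSubjectPublicKeyInfo, `rv` carries SEC_ERROR_NO_MEMORY on arena failure but a SECStatus otherwise, so callers cannot interpret the return uniformly; that is inherited style rather than new, but worth a comment on the return value.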
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -216,16 +216,19 @@ int SECU_CheckCertNameExists(CERTCertDBH
 /* Dump contents of cert req */
 extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
 	int level);
 
 /* Dump contents of certificate */
 extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m,
                                  int level);
 
+extern int SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m,
+                                 int level);
+
 extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m,
                                  int level);
 
 /* Dump contents of a DER certificate name (issuer or subject) */
 extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
 
 /* print trust flags on a cert */
 extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, 
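Review bot: The new SECU_PrintCertificateBasicInfo declaration is the only one in this group without a leading comment, while its neighbours carry `/* Dump contents of cert req */` and `/* Dump contents of certificate */`. Suggest `/* Dump only the basic fields of a certificate: serial, signature algorithm, issuer, validity, subject */` above it, matching the house style and telling callers how it differs from SECU_PrintCertificate.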
--- a/security/nss/cmd/modutil/install.c
+++ b/security/nss/cmd/modutil/install.c
@@ -115,19 +115,20 @@ static char *msgStrings[] = {
 typedef struct StringNode_str {
     char *str;
     struct StringNode_str* next;
 } StringNode;
 
 StringNode* StringNode_new()
 {
 	StringNode* new_this;
-	new_this = (StringNode*)malloc(sizeof(StringNode));
-  new_this->str=NULL;
-  new_this->next=NULL;
+	new_this = (StringNode*)PR_Malloc(sizeof(StringNode));
+	PORT_Assert(new_this != NULL);
+	new_this->str = NULL;
+	new_this->next = NULL;
 	return new_this;
 }
 
 void StringNode_delete(StringNode* s) 
 {
 	if(s->str) {
 		PR_Free(s->str);
 		s->str=NULL;
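Review bot: `PORT_Assert(new_this != NULL)` does not protect the two stores that follow it in release builds, where the assertion compiles away, so an allocation failure in StringNode_new still dereferences NULL. Return the failure instead: `if (new_this == NULL) { return NULL; }` before the field initialisation, keeping the assert if a debug-time signal is wanted. Whether callers of StringNode_new check for NULL is not visible in this hunk and would need to be confirmed before relying on the return value.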
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -40,17 +40,17 @@ Usage(char *progName)
     FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
     FPS "\t\t [-v]\n");
 
     FPS "Usage:	 %s -o exportfile -n certname [-d certdir] [-P dbprefix]\n",
 		progName);
     FPS "\t\t [-c key_cipher] [-C cert_cipher]\n"
         "\t\t [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]\n");
     FPS "\t\t [-k slotpwfile | -K slotpw]\n"
-		"\t\t [-w p12filepwfile | -W p12filefilepw]\n");
+        "\t\t [-w p12filepwfile | -W p12filepw]\n");
 
     exit(PK12UERR_USAGE);
 }
 
 static PRBool
 p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead)
 {
     if(!p12cxt || !p12cxt->filename) {
@@ -96,19 +96,16 @@ p12u_DestroyContext(p12uContext **ppCtx,
     PR_Free(*ppCtx);
     *ppCtx = NULL;
 }
 
 static p12uContext *
 p12u_InitContext(PRBool fileImport, char *filename)
 {
     p12uContext *p12cxt;
-    PRBool fileExist;
-
-    fileExist = fileImport;
 
     p12cxt = PORT_ZNew(p12uContext);
     if(!p12cxt) {
 	return NULL;
     }
 
     p12cxt->error = PR_FALSE;
     p12cxt->errorValue = 0;
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -82,18 +82,18 @@ EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
 	$(SOFTOKENLIB) \
 	$(CRYPTOLIB) \
 	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
 	$(PKIXLIB) \
 	$(DBMLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
+	$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
+	$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
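Review bot: The static-link path now depends on SQLITE_LIB_DIR, which this hunk introduces but does not define; if it is empty the entry expands to `/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX)` at the filesystem root and the link fails with a confusing message. NSSUTIL_LIB_DIR is already used on the `-L` line below, so it presumably has a default elsewhere (coreconf/location.mk is in this changeset), and SQLITE_LIB_DIR should get one alongside it, e.g. `SQLITE_LIB_DIR ?= $(DIST)/lib`, or a comment here naming where it is set. The later hunks in this file that switch `-L$(DIST)/lib` to `-L$(SQLITE_LIB_DIR)` have the same dependency.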
@@ -130,17 +130,17 @@ EXTRA_LIBS += \
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
 EXTRA_SHARED_LIBS += \
-	-L$(DIST)/lib \
+	-L$(SQLITE_LIB_DIR) \
 	-l$(SQLITE_LIB_NAME) \
 	-L$(NSSUTIL_LIB_DIR) \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lplc4 \
 	-lplds4 \
 	-lnspr4 \
 	$(NULL)
@@ -148,17 +148,17 @@ endif
 
 else # USE_STATIC_LIBS
 # can't do this in manifest.mn because OS_ARCH isn't defined there.
 ifeq ($(OS_ARCH), WINNT)
 
 # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
 EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
+	$(NSSUTIL_LIB_DIR)/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
 	$(DIST)/lib/$(IMPORT_LIB_PREFIX)nss3$(IMPORT_LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4$(IMPORT_LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4$(IMPORT_LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4$(IMPORT_LIB_SUFFIX) \
 	$(NULL)
 
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -26,18 +26,17 @@ static void Usage(char *progName)
 	    progName);
     fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
     fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
     fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
             SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
-    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "", SEC_CT_CERTIFICATE_ID,
-            SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
+    fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "");
     fprintf(stderr, "%-14s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-14s Define an input file to use (default is stdin)\n",
 	    "-i input");
     fprintf(stderr, "%-14s Define an output file to use (default is stdout)\n",
 	    "-o output");
     fprintf(stderr, "%-14s Don't wrap long output lines\n",
 	    "-w");
--- a/security/nss/cmd/rsaperf/rsaperf.c
+++ b/security/nss/cmd/rsaperf/rsaperf.c
@@ -396,18 +396,16 @@ main(int argc, char **argv)
 
     if ((doPriv && doPub) || (doIters && doTime) ||
         ((useTokenKey + useSessionKey + useBLKey) != PR_TRUE) ||
         (useTokenKey && keybits) || (useTokenKey && doKeyGen) ||
         (keybits && (keybits<MIN_KEY_BITS || keybits>MAX_KEY_BITS))) {
         Usage(progName);
     }
 
-    if (!doPriv && !doPub) doPriv = PR_TRUE;
-
     if (doIters && doTime) Usage(progName);
 
     if (!doTime) {
         doIters = PR_TRUE;
     }
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
@@ -425,19 +423,17 @@ main(int argc, char **argv)
 	if (rv != SECSuccess) {
 	    fprintf(stderr, "NSS_NoDB_Init failed.\n");
 	    exit(1);
 	}
     }
 
     if (useTokenKey) {
         CK_OBJECT_HANDLE kh = CK_INVALID_HANDLE;
-        CERTCertDBHandle* certdb = NULL;
-	certdb = CERT_GetDefaultCertDB();
-        
+
         cert = PK11_FindCertFromNickname(nickname, &pwData);
         if (cert == NULL) {
             fprintf(stderr,
                     "Can't find certificate by name \"%s\"\n", nickname);
             exit(1);
         }
         pubHighKey = CERT_ExtractPublicKey(cert);
         if (pubHighKey == NULL) {
@@ -485,19 +481,17 @@ main(int argc, char **argv)
         void             * params;
 
         slot = PK11_FindSlotByName(slotname); /* locate target slot */
         if (!slot) {
             fprintf(stderr, "Can't find slot \"%s\"\n", slotname);
             exit(1);
         }
 
-        doKeyGen = PR_TRUE; /* Always do a keygen for session keys.
-                               Import of hardcoded key is not supported */
-        /* do a temporary keygen in selected slot */        
+        /* do a temporary keygen in selected slot */
         if (!keybits) {
             keybits = DEFAULT_KEY_BITS;
         }
 
         printf("Using PKCS#11 with %ld bits session key in token %s.\n",
                keybits, PK11_GetTokenName(slot));
 
         rsaparams.keySizeInBits = keybits;
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
   case 0x000098:    cs_str = "TLS/DH-RSA/SEED-CBC/SHA";		break;      
   case 0x000099:    cs_str = "TLS/DHE-DSS/SEED-CBC/SHA";	break;     
   case 0x00009A:    cs_str = "TLS/DHE-RSA/SEED-CBC/SHA";	break;     
   case 0x00009B:    cs_str = "TLS/DH-ANON/SEED-CBC/SHA";	break;     
   case 0x00009C:    cs_str = "TLS/RSA/AES128-GCM/SHA256";	break;     
   case 0x00009E:    cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256";	break;     
 
   case 0x0000FF:    cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
+  case 0x005600:    cs_str = "TLS_FALLBACK_SCSV"; break;
 
   case 0x00C001:    cs_str = "TLS/ECDH-ECDSA/NULL/SHA";         break;
   case 0x00C002:    cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA";      break;
   case 0x00C003:    cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
   case 0x00C004:    cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA";   break;
   case 0x00C005:    cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA";   break;
   case 0x00C006:    cs_str = "TLS/ECDHE-ECDSA/NULL/SHA";        break;
   case 0x00C007:    cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA";     break;
--- a/security/nss/cmd/tstclnt/manifest.mn
+++ b/security/nss/cmd/tstclnt/manifest.mn
@@ -12,11 +12,12 @@ MODULE = nss
 # and gets translated into $LINCS in manifest.mnw
 # The MODULE is always implicitly required.
 # Listing it here in REQUIRES makes it appear twice in the cc command line.
 REQUIRES = seccmd dbm 
 
 # DIRS = 
 
 CSRCS	= tstclnt.c  
+DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\"
 
 PROGRAM	= tstclnt
 
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -27,16 +27,17 @@
 #include "nspr.h"
 #include "prio.h"
 #include "prnetdb.h"
 #include "nss.h"
 #include "ocsp.h"
 #include "ssl.h"
 #include "sslproto.h"
 #include "pk11func.h"
+#include "secmod.h"
 #include "plgetopt.h"
 #include "plstr.h"
 
 #if defined(WIN32)
 #include <fcntl.h>
 #include <io.h>
 #endif
 
@@ -92,16 +93,17 @@ int ssl3CipherSuites[] = {
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
     TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
     TLS_RSA_WITH_NULL_SHA,			/* z */
     0
 };
 
 unsigned long __cmp_umuls;
 PRBool verbose;
+int dumpServerChain = 0;
 int renegotiationsToDo = 0;
 int renegotiationsDone = 0;
 
 static char *progName;
 
 secuPWData  pwdata          = { PW_NONE, 0 };
 
 void printSecurityInfo(PRFileDesc *fd)
@@ -174,43 +176,51 @@ handshakeCallback(PRFileDesc *fd, void *
 	++renegotiationsDone;
     }
 }
 
 static void PrintUsageHeader(const char *progName)
 {
     fprintf(stderr, 
 "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
-                    "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-                    "[-V [min-version]:[max-version]] [-T]\n"
+                    "[-D | -d certdir] [-C] [-b | -R root-module] \n"
+		    "[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
+                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
             progName);
 }
 
 static void PrintParameterUsage(void)
 {
     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
                     "%-20s Default is host from the -h argument.\n", "-a name",
                     "", "");
     fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
     fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
     fprintf(stderr, 
             "%-20s Directory with cert database (default is ~/.netscape)\n",
 	    "-d certdir");
+    fprintf(stderr, "%-20s Run without a cert database\n", "-D");
+    fprintf(stderr, "%-20s Load the default \"builtins\" root CA module\n", "-b");
+    fprintf(stderr, "%-20s Load the given root CA module\n", "-R");
+    fprintf(stderr, "%-20s Print certificate chain information\n", "-C");
+    fprintf(stderr, "%-20s (use -C twice to print more certificate details)\n", "");
+    fprintf(stderr, "%-20s (use -C three times to include PEM format certificate dumps)\n", "");
     fprintf(stderr, "%-20s Nickname of key and cert for client auth\n", 
                     "-n nickname");
     fprintf(stderr, 
             "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
     fprintf(stderr, 
             "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
             "%-20s All versions are enabled by default.\n"
             "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
             "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
             "-V [min]:[max]", "", "", "");
+    fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
     fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
     fprintf(stderr, "%-20s Client speaks first. \n", "-f");
     fprintf(stderr, "%-20s Use synchronous certificate validation "
                     "(required for SSL2)\n", "-O");
     fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
     fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
     fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
     fprintf(stderr, "%-20s Use export policy.\n", "-x");
@@ -494,22 +504,124 @@ verifyFromSideChannel(CERTCertificate *c
             EXIT_CODE_SIDECHANNELTEST_NODATA;
         return;
     }
     
     sca->sideChannelRevocationTestResultCode = 
         EXIT_CODE_SIDECHANNELTEST_REVOKED;
 }
 
+
+static void
+dumpCertificatePEM(CERTCertificate *cert)
+{
+    SECItem data;
+    data.data = cert->derCert.data;
+    data.len = cert->derCert.len;
+    fprintf(stderr, "%s\n%s\n%s\n", NS_CERT_HEADER, 
+	    BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
+}
+
+static void
+dumpServerCertificateChain(PRFileDesc *fd)
+{
+    CERTCertList *peerCertChain = NULL;
+    CERTCertListNode *node = NULL;
+    CERTCertificate *peerCert = NULL;
+    CERTCertificateList *foundChain = NULL;
+    SECU_PPFunc dumpFunction = NULL;
+    PRBool dumpCertPEM = PR_FALSE;
+
+    if (!dumpServerChain) {
+	return;
+    }
+    else if (dumpServerChain == 1) {
+	dumpFunction = SECU_PrintCertificateBasicInfo;
+    } else {
+	dumpFunction = SECU_PrintCertificate;
+	if (dumpServerChain > 2) {
+	    dumpCertPEM = PR_TRUE;
+	}
+    }
+
+    SECU_EnableWrap(PR_FALSE);
+
+    fprintf(stderr, "==== certificate(s) sent by server: ====\n");
+    peerCertChain = SSL_PeerCertificateChain(fd);
+    if (peerCertChain) {
+        node = CERT_LIST_HEAD(peerCertChain);
+        while ( ! CERT_LIST_END(node, peerCertChain) ) {
+            CERTCertificate *cert = node->cert;
+            SECU_PrintSignedContent(stderr, &cert->derCert, "Certificate", 0,
+                                    dumpFunction);
+	    if (dumpCertPEM) {
+		dumpCertificatePEM(cert);
+	    }
+            node = CERT_LIST_NEXT(node);   
+        }
+    }
+
+    if (peerCertChain) {
+	peerCert = SSL_RevealCert(fd);
+	if (peerCert) {
+	    foundChain = CERT_CertChainFromCert(peerCert, certificateUsageSSLServer,
+						PR_TRUE);
+	}
+	if (foundChain) {
+	    int count = 0;
+	    fprintf(stderr, "==== locally found issuer certificate(s): ====\n");
+	    for(count = 0; count < (unsigned int)foundChain->len; count++) {
+		CERTCertificate *c;
+		PRBool wasSentByServer = PR_FALSE;
+		c = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &foundChain->certs[count]);
+
+		node = CERT_LIST_HEAD(peerCertChain);
+		while ( ! CERT_LIST_END(node, peerCertChain) ) {
+		    CERTCertificate *cert = node->cert;
+		    if (CERT_CompareCerts(cert, c)) {
+			wasSentByServer = PR_TRUE;
+			break;
+		    }
+		    node = CERT_LIST_NEXT(node);   
+		}
+		
+		if (!wasSentByServer) {
+		    SECU_PrintSignedContent(stderr, &c->derCert, "Certificate", 0,
+					    dumpFunction);
+		    if (dumpCertPEM) {
+			dumpCertificatePEM(c);
+		    }
+		}
+		CERT_DestroyCertificate(c);
+	    }
+	    CERT_DestroyCertificateList(foundChain);
+	}
+	if (peerCert) {
+	    CERT_DestroyCertificate(peerCert);
+	}
+
+	CERT_DestroyCertList(peerCertChain);
+	peerCertChain = NULL;
+    }
+
+    fprintf(stderr, "==== end of certificate chain information ====\n");
+    fflush(stderr);
+}
+
 static SECStatus 
 ownAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
                        PRBool isServer)
 {
     ServerCertAuth * serverCertAuth = (ServerCertAuth *) arg;
 
+    if (dumpServerChain) {
+	dumpServerCertificateChain(fd);
+    }
+
+
     if (!serverCertAuth->shouldPause) {
         CERTCertificate *cert;
         int i;
         const SECItemArray *csa;
 
         if (!serverCertAuth->testFreshStatusFromSideChannel) {
             return SSL_AuthCertificate(serverCertAuth->dbHandle, 
                                        fd, checkSig, isServer);
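Review bot: `dumpCertificatePEM` leaks the string returned by `BTOA_DataToAscii` (it is heap-allocated and the caller must release it with `PORT_Free`) and passes it straight to `%s` without a NULL check, so an allocation failure becomes a NULL dereference; with `-C -C -C` this runs once per certificate in the chain. In `dumpServerCertificateChain`, `CERT_FindCertByDERCert` can return NULL, yet `c` is dereferenced via `&c->derCert` and handed to `CERT_CompareCerts`; an `if (!c) { continue; }` right after the lookup covers it. The `if (dumpServerChain)` guard added in `ownAuthCertificate` duplicates the early return at the top of `dumpServerCertificateChain`, so one of the two can go. ownAuthCertificate's body continues outside the hunk.
```c
static void
dumpCertificatePEM(CERTCertificate *cert)
{
    char *b64 = BTOA_DataToAscii(cert->derCert.data, cert->derCert.len);
    if (!b64) {
        SECU_PrintError(progName, "unable to base64-encode certificate");
        return;
    }
    fprintf(stderr, "%s\n%s\n%s\n", NS_CERT_HEADER, b64, NS_CERT_TRAILER);
    PORT_Free(b64);
}
/* … unchanged: dumpServerCertificateChain, apart from the NULL check on c … */
```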
@@ -802,16 +914,17 @@ int main(int argc, char **argv)
     PRBool             enableSSL2 = PR_TRUE;
     int                bypassPKCS11 = 0;
     int                disableLocking = 0;
     int                useExportPolicy = 0;
     int                enableSessionTickets = 0;
     int                enableCompression = 0;
     int                enableFalseStart = 0;
     int                enableCertStatus = 0;
+    int                forceFallbackSCSV = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
     PRBool             allowIPv4 = PR_TRUE;
     PRBool             allowIPv6 = PR_TRUE;
     PRBool             pingServerFirst = PR_FALSE;
     int                pingTimeoutSeconds = -1;
     PRBool             clientSpeaksFirst = PR_FALSE;
@@ -821,16 +934,19 @@ int main(int argc, char **argv)
     int                headerSeparatorPtrnId = 0;
     int                error = 0;
     PRUint16           portno = 443;
     char *             hs1SniHostName = NULL;
     char *             hs2SniHostName = NULL;
     PLOptState *optstate;
     PLOptStatus optstatus;
     PRStatus prStatus;
+    PRBool openDB = PR_TRUE;
+    PRBool loadDefaultRootCAs = PR_FALSE;
+    char *rootModule = NULL;
 
     serverCertAuth.shouldPause = PR_TRUE;
     serverCertAuth.isPaused = PR_FALSE;
     serverCertAuth.dbHandle = NULL;
     serverCertAuth.testFreshStatusFromSideChannel = PR_FALSE;
     serverCertAuth.sideChannelRevocationTestResultCode = EXIT_CODE_HANDSHAKE_FAILED;
     serverCertAuth.requireDataForIntermediates = PR_FALSE;
     serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
@@ -847,38 +963,44 @@ int main(int argc, char **argv)
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
+                                 "46BCDFKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
 
           case 'B': bypassPKCS11 = 1; 			break;
 
+          case 'C': ++dumpServerChain; 			break;
+
+          case 'D': openDB = PR_FALSE; 			break;
+
           case 'F': if (serverCertAuth.testFreshStatusFromSideChannel) {
                         /* parameter given twice or more */
                         serverCertAuth.requireDataForIntermediates = PR_TRUE;
                     }
                     serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
                     break;
 
 	  case 'I': /* reserved for OCSP multi-stapling */ break;
 
           case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
 
+          case 'K': forceFallbackSCSV = PR_TRUE; break;
+
           case 'M': switch (atoi(optstate->value)) {
                       case 1:
                           serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
                           serverCertAuth.allowCRLSideChannelData = PR_FALSE;
                           break;
                       case 2:
                           serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
                           serverCertAuth.allowCRLSideChannelData = PR_TRUE;
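Review bot: `forceFallbackSCSV` is declared as `int forceFallbackSCSV = 0;` in the earlier declarations hunk but is assigned `PR_TRUE` here, while the sibling integer flags in this switch (`bypassPKCS11`, `enableCertStatus`) are set with `1`; `case 'K': forceFallbackSCSV = 1; break;` keeps the style uniform. The `-C` case increments the file-global `dumpServerChain` with no upper bound, which is harmless since only the ranges `1`, `2` and `>2` are distinguished, but a one-line comment such as `/* -C may be repeated: 1 = basic info, 2 = full cert, 3+ = also PEM */` next to the case would save readers a trip to `dumpServerCertificateChain`. main's body continues outside the hunk.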
@@ -886,16 +1008,18 @@ int main(int argc, char **argv)
                       case 0:
                       default:
                           serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
                           serverCertAuth.allowCRLSideChannelData = PR_TRUE;
                           break;
                     };
                     break;
 
+          case 'R': rootModule = PORT_Strdup(optstate->value); break;
+
           case 'S': skipProtoHeader = PR_TRUE;                 break;
 
           case 'T': enableCertStatus = 1;               break;
 
           case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
                             enabledVersions, enableSSL2,
                             &enabledVersions, &enableSSL2) != SECSuccess) {
                         Usage(progName);
@@ -908,16 +1032,18 @@ int main(int argc, char **argv)
                         hs1SniHostName = PORT_Strdup(optstate->value);
                     } else if (!hs2SniHostName) {
                         hs2SniHostName =  PORT_Strdup(optstate->value);
                     } else {
                         Usage(progName);
                     }
                     break;
 
+          case 'b': loadDefaultRootCAs = PR_TRUE;                 break;
+
           case 'c': cipherString = PORT_Strdup(optstate->value); break;
 
           case 'g': enableFalseStart = 1; 		break;
 
           case 'd': certDir = PORT_Strdup(optstate->value);   break;
 
           case 'f': clientSpeaksFirst = PR_TRUE;        break;
 
@@ -963,25 +1089,37 @@ int main(int argc, char **argv)
 	}
     }
 
     PL_DestroyOptState(optstate);
 
     if (optstatus == PL_OPT_BAD)
 	Usage(progName);
 
-    if (!host || !portno) 
+    if (!host || !portno) {
+        fprintf(stderr, "%s: parameters -h and -p are mandatory\n", progName);
     	Usage(progName);
+    }
 
     if (serverCertAuth.testFreshStatusFromSideChannel
         && serverCertAuth.shouldPause) {
         fprintf(stderr, "%s: -F requires the use of -O\n", progName);
         exit(1);
     }
 
+    if (certDir && !openDB) {
+        fprintf(stderr, "%s: Cannot combine parameters -D and -d\n", progName);
+        exit(1);
+    }
+
+    if (rootModule && loadDefaultRootCAs) {
+        fprintf(stderr, "%s: Cannot combine parameters -b and -R\n", progName);
+        exit(1);
+    }
+
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
     status = PR_StringToNetAddr(host, &addr);
     if (status == PR_SUCCESS) {
     	addr.inet.port = PR_htons(portno);
     } else {
@@ -1064,20 +1202,36 @@ int main(int argc, char **argv)
     if (!certDir) {
         certDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
         certDir = SECU_ConfigDirectory(certDir);
     } else {
         char *certDirTmp = certDir;
         certDir = SECU_ConfigDirectory(certDirTmp);
         PORT_Free(certDirTmp);
     }
-    rv = NSS_Init(certDir);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "unable to open cert database");
-        return 1;
+
+    if (openDB) {
+	rv = NSS_Init(certDir);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "unable to open cert database");
+	    return 1;
+	}
+    } else {
+	rv = NSS_NoDB_Init(NULL);
+	if (rv != SECSuccess) {
+	    SECU_PrintError(progName, "failed to initialize NSS");
+	    return 1;
+	}
+    }
+
+    if (loadDefaultRootCAs) {
+	SECMOD_AddNewModule("Builtins",
+			    DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
+    } else if (rootModule) {
+	SECMOD_AddNewModule("Builtins", rootModule, 0, 0);
     }
 
     /* set the policy bits true for all the cipher suites. */
     if (useExportPolicy)
         NSS_SetExportPolicy();
     else
         NSS_SetDomesticPolicy();
 
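Review bot: The return value of `SECMOD_AddNewModule` is ignored on both the `-b` and `-R` paths, so a root CA module that fails to load leaves the client without the intended trust anchors (notably under `-D`, where no database supplies any) and the failure only surfaces later as an unrelated certificate-verification error. Check it: `if (SECMOD_AddNewModule("Builtins", rootModule, 0, 0) != SECSuccess) { SECU_PrintError(progName, "unable to load root CA module"); return 1; }`, and likewise for the `-b` branch. `SECMOD_AddNewModule` also registers the module in the permanent module database, so with `-d certdir` every run persistently modifies the user's database; if that side effect is not intended, `SECMOD_LoadUserModule` loads a module for the lifetime of the process only (whether the permanent-DB update even succeeds in `-D` mode is not visible here and should be confirmed). The `-R` branch registers an arbitrary user-supplied module under the fixed name "Builtins", which is misleading in later module listings. main's body continues outside the hunk.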
@@ -1213,16 +1367,24 @@ int main(int argc, char **argv)
 
     /* enable false start. */
     rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "error enabling false start");
 	return 1;
     }
 
+    if (forceFallbackSCSV) {
+        rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "error forcing fallback scsv");
+            return 1;
+        }
+    }
+
     /* enable cert status (OCSP stapling). */
     rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
     if (rv != SECSuccess) {
         SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
         return 1;
     }
 
     SSL_SetPKCS11PinArg(s, &pwdata);
--- a/security/nss/coreconf/Darwin.mk
+++ b/security/nss/coreconf/Darwin.mk
@@ -111,8 +111,27 @@ DLL_SUFFIX	= dylib
 ifdef MAPFILE
 	MKSHLIB += -exported_symbols_list $(MAPFILE)
 endif
 PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,_,' > $@
 
 USE_SYSTEM_ZLIB = 1
 ZLIB_LIBS	= -lz
+
+# The system sqlite library in the latest version of Mac OS X often becomes
+# newer than the sqlite library in NSS. This may result in certain Mac OS X
+# system libraries having unresolved sqlite symbols during the shlibsign step
+# of the NSS build when we set DYLD_LIBRARY_PATH to the NSS lib directory and
+# the NSS libsqlite3.dylib is used instead of the system one. So just use the
+# system sqlite library on Mac, if it's sufficiently new.
+
+SYS_SQLITE3_VERSION_FULL := $(shell /usr/bin/sqlite3 -version | awk '{print $$1}')
+SYS_SQLITE3_VERSION_MAJOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$1 }')
+SYS_SQLITE3_VERSION_MINOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$2 }')
+
+ifeq (3,$(SYS_SQLITE3_VERSION_MAJOR))
+    ifeq (,$(filter-out 0 1 2 3 4,$(SYS_SQLITE3_VERSION_MINOR)))
+        # sqlite <= 3.4.x is too old, it doesn't provide sqlite3_file_control
+    else
+        NSS_USE_SYSTEM_SQLITE = 1
+    endif
+endif
--- a/security/nss/coreconf/command.mk
+++ b/security/nss/coreconf/command.mk
@@ -6,18 +6,17 @@
 #######################################################################
 # Master "Core Components" default command macros;                    #
 # can be overridden in <arch>.mk                                      #
 #######################################################################
 
 AS            = $(CC)
 ASFLAGS      += $(CFLAGS)
 CCF           = $(CC) $(CFLAGS)
-LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS)
-LINK_EXE      = $(LINK) $(OS_LFLAGS) $(LFLAGS)
+LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
 CFLAGS        = $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
 		$(XCFLAGS)
 PERL          = perl
 RANLIB        = echo
 TAR           = /bin/tar
 #
 # For purify
 #
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/coreconf/location.mk
+++ b/security/nss/coreconf/location.mk
@@ -62,13 +62,17 @@ endif
 ifdef SOFTOKEN_INCLUDE_DIR
     INCLUDES += -I$(SOFTOKEN_INCLUDE_DIR)
 endif
 
 ifndef SOFTOKEN_LIB_DIR
     SOFTOKEN_LIB_DIR = $(DIST)/lib
 endif
 
+ifndef SQLITE_LIB_DIR
+    SQLITE_LIB_DIR = $(DIST)/lib
+endif
+
 ifndef SQLITE_LIB_NAME
     SQLITE_LIB_NAME = sqlite3
 endif
 
 MK_LOCATION = included
--- a/security/nss/coreconf/rules.mk
+++ b/security/nss/coreconf/rules.mk
@@ -236,17 +236,17 @@ endif
 alltags:
 	rm -f TAGS
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs etags -a
 	find . -name dist -prune -o \( -name '*.[hc]' -o -name '*.cp' -o -name '*.cpp' \) -print | xargs ctags -a
 
 $(PROGRAM): $(OBJS) $(EXTRA_LIBS)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
-	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
+	$(MKPROG) $(subst /,\\,$(OBJS)) -Fe$@ -link $(LDFLAGS) $(XLDFLAGS) $(subst /,\\,$(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS))
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $(OBJS) $(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
@@ -327,17 +327,17 @@ endif
 	@$(MAKE_OBJDIR)
 	$(PROCESS_MAP_FILE)
 
 
 $(OBJDIR)/$(PROG_PREFIX)%$(PROG_SUFFIX): $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX)
 	@$(MAKE_OBJDIR)
 ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
 	$(MKPROG) $< -Fe$@ -link \
-	$(LDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
+	$(LDFLAGS) $(XLDFLAGS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
 ifdef MT
 	if test -f $@.manifest; then \
 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;1; \
 		rm -f $@.manifest; \
 	fi
 endif	# MSVC with manifest tool
 else
 	$(MKPROG) -o $@ $(CFLAGS) $< \
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -34,29 +34,16 @@ date.xml:
 
 version.xml:
 	echo -n ${VERSION} > $@
 
 .PHONY : $(MANPAGES)
 .PHONY : $(HTMLPAGES)
 .PHONY : $(TXTPAGES)
 
-#------------------------------------------
-# Package a tar ball for building in fedora
-# Include the makefile and .xml files only
-# man pages will be created at build time
-#------------------------------------------
-
-tarball:
-	rm -rf $(name); \
-	mkdir -p $(name)/nroff; \
-	cp Makefile $(name); \
-	cp *.xml $(name); \
-	tar cvjf $(name)-$(date).tar.bz2 $(name)
-
 #--------------------------------------------------------
 # manpages
 #--------------------------------------------------------
 
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
 	
 MANPAGES = \
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -242,17 +242,17 @@ Add one or multiple extensions that cert
         <term>-f password-file</term>
         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
  unauthorized access to this file.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-g keysize</term>
-        <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
+        <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</para></listitem>
       </varlistentry>
 
 
       <varlistentry>
         <term>-h tokenname</term>
         <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem>
       </varlistentry>
 
@@ -455,16 +455,33 @@ of the attribute codes:
       </varlistentry>
 
       <varlistentry>
         <term>-z noise-file</term>
         <listitem><para>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+        <term>-Z hashAlg</term>
+        <listitem>
+        <para>Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:</para>
+        <itemizedlist>
+          <listitem><para>MD2</para></listitem>
+          <listitem><para>MD4</para></listitem>
+          <listitem><para>MD5</para></listitem>
+          <listitem><para>SHA1</para></listitem>
+          <listitem><para>SHA224</para></listitem>
+          <listitem><para>SHA256</para></listitem>
+          <listitem><para>SHA384</para></listitem>
+          <listitem><para>SHA512</para></listitem>
+        </itemizedlist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-0 SSO_password</term>
         <listitem><para>Set a site security officer password on a token.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-1 | --keyUsage keyword,keyword</term>
         <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para>
 	<itemizedlist>
--- a/security/nss/doc/html/certutil.html
+++ b/security/nss/doc/html/certutil.html
@@ -1,25 +1,25 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm226659332128"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139713586320592"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
 <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
 </p><p>
 When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</p></dd><dt><span class="term">-b validity-time</span></dt><dd><p>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code class="option">-V</code> option. The format of the <span class="emphasis"><em>validity-time</em></span> argument is <span class="emphasis"><em>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</em></span>, which allows offsets to be set relative to the validity end time. Specifying seconds (<span class="emphasis"><em>SS</em></span>) is optional. When specifying an explicit time, use a Z at the end of the term, <span class="emphasis"><em>YYMMDDHHMMSSZ</em></span>, to close it. When specifying an offset time, use <span class="emphasis"><em>YYMMDDHHMMSS+HHMM</em></span> or <span class="emphasis"><em>YYMMDDHHMMSS-HHMM</em></span> for adding or subtracting time, respectively.
 </p><p>
 If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity. 
  Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string 
  with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">--dump-ext-val OID </span></dt><dd><p>For single cert, print binary DER encoding of extension OID.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </span></dt><dd><p>
 Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
            </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
- unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
+ unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
            The valid key type options are rsa, dsa, ec, or all. The default 
            value is rsa. Specifying the type of key can avoid mistakes caused by
            duplicate nicknames. Giving a key type generates a new key pair; 
            giving the ID of an existing key reuses that key pair (which is 
            required to renew certificates).
           </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</p><p>
            If NSS has been compiled with support curves outside of SUITE B:
               sect163k1, nistk163, sect163r1, sect163r2,            
@@ -56,17 +56,17 @@ of the attribute codes:
 	</p></li></ul></div><p>
 		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
 	</p><p><span class="command"><strong>-t "TCu,Cu,Tu"</strong></span></p><p>
 	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>L</strong></span> (as an SSL CA)</p></li><li class="listitem"><p><span class="command"><strong>A</strong></span> (as Any CA)</p></li><li class="listitem"><p><span class="command"><strong>Y</strong></span> (Verify CA)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
  for the beginning of a certificate's validity period. Use when creating 
  the certificate or adding it to a database. Express the offset in integers, 
  using a minus sign (-) to indicate a negative offset. If this argument is 
  not used, the validity period begins at the current system time. The length 
- of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-Z hashAlg</span></dt><dd><p>Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>MD2</p></li><li class="listitem"><p>MD4</p></li><li class="listitem"><p>MD5</p></li><li class="listitem"><p>SHA1</p></li><li class="listitem"><p>SHA224</p></li><li class="listitem"><p>SHA256</p></li><li class="listitem"><p>SHA384</p></li><li class="listitem"><p>SHA512</p></li></ul></div></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. 
There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 		digitalSignature
 	</p></li><li class="listitem"><p>
 		nonRepudiation
 	</p></li><li class="listitem"><p>
 		keyEncipherment
 	</p></li><li class="listitem"><p>
 		dataEncipherment
 	</p></li><li class="listitem"><p>
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 29 July 2014
+.\"      Date: 23 February 2015
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "29 July 2014" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "23 February 2015" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -305,17 +305,17 @@ filename: full path to a file containing
 .PP
 \-f password\-file
 .RS 4
 Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
 .RE
 .PP
 \-g keysize
 .RS 4
-Set a key size to use when generating new public and private key pairs\&. The minimum is 512 bits and the maximum is 16384 bits\&. The default is 1024 bits\&. Any size between the minimum and maximum is allowed\&.
+Set a key size to use when generating new public and private key pairs\&. The minimum is 512 bits and the maximum is 16384 bits\&. The default is 2048 bits\&. Any size between the minimum and maximum is allowed\&.
 .RE
 .PP
 \-h tokenname
 .RS 4
 Specify the name of a token to use or act on\&. If not specified the default token is the internal database slot\&.
 .RE
 .PP
 \-i input_file
@@ -614,16 +614,109 @@ to generate the signature for a certific
 Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&.
 .RE
 .PP
 \-z noise\-file
 .RS 4
 Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&.
 .RE
 .PP
+\-Z hashAlg
+.RS 4
+Specify the hash algorithm to use with the \-C, \-S or \-R command options\&. Possible keywords:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MD2
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MD4
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+MD5
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA1
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA224
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA256
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA384
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SHA512
+.RE
+.RE
+.PP
 \-0 SSO_password
 .RS 4
 Set a site security officer password on a token\&.
 .RE
 .PP
 \-1 | \-\-keyUsage keyword,keyword
 .RS 4
 Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There are several available keywords:
--- a/security/nss/external_tests/README
+++ b/security/nss/external_tests/README
@@ -16,16 +16,16 @@ work do:
 
 This will run the certutil tests (generating a test db) and
 will finalize with a call to the ssl_gtest
 
 You should be able to run the unit tests manually as:
 
   ssl_gtest -d ${SSLGTESTDIR}
 
-Where $SSLGTESTDIR the directory created by ./all.sh or a manually
-created directory with a database containing a certificate called
-server (with its private keys)
+Where $SSLGTESTDIR is a directory with a database containing:
+ - an RSA certificate called server (with its private key)
+ - an ECDSA certificate called ecdsa (with its private key)
 
+A directory like this is created by ./all.sh and can be found
+in a directory named something like
 
-There is a very trivial set of tests that demonstrate some
-of the features.
-
+  tests_results/security/${hostname}.${NUMBER}/ssl_gtests
--- a/security/nss/external_tests/ssl_gtest/databuffer.h
+++ b/security/nss/external_tests/ssl_gtest/databuffer.h
@@ -2,38 +2,147 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef databuffer_h__
 #define databuffer_h__
 
+#include <algorithm>
+#include <cassert>
+#include <cstring>
+#include <iomanip>
+#include <iostream>
+
+namespace nss_test {
+
 class DataBuffer {
  public:
   DataBuffer() : data_(nullptr), len_(0) {}
   DataBuffer(const uint8_t *data, size_t len) : data_(nullptr), len_(0) {
     Assign(data, len);
   }
+  explicit DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
+    Assign(other.data(), other.len());
+  }
   ~DataBuffer() { delete[] data_; }
 
-  void Assign(const uint8_t *data, size_t len) {
-    Allocate(len);
-    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+  DataBuffer& operator=(const DataBuffer& other) {
+    if (&other != this) {
+      Assign(other.data(), other.len());
+    }
+    return *this;
   }
 
   void Allocate(size_t len) {
     delete[] data_;
-    data_ = new unsigned char[len ? len : 1];  // Don't depend on new [0].
+    data_ = new uint8_t[len ? len : 1];  // Don't depend on new [0].
     len_ = len;
   }
 
+  void Truncate(size_t len) {
+    len_ = std::min(len_, len);
+  }
+
+  void Assign(const uint8_t* data, size_t len) {
+    Allocate(len);
+    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+  }
+
+  // Write will do a new allocation and expand the size of the buffer if needed.
+  void Write(size_t index, const uint8_t* val, size_t count) {
+    if (index + count > len_) {
+      size_t newlen = index + count;
+      uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
+      memcpy(static_cast<void*>(tmp),
+             static_cast<const void*>(data_), len_);
+      if (index > len_) {
+        memset(static_cast<void*>(tmp + len_), 0, index - len_);
+      }
+      delete[] data_;
+      data_ = tmp;
+      len_ = newlen;
+    }
+    memcpy(static_cast<void*>(data_ + index),
+           static_cast<const void*>(val), count);
+  }
+
+  void Write(size_t index, const DataBuffer& buf) {
+    Write(index, buf.data(), buf.len());
+  }
+
+  // Write an integer, also performing host-to-network order conversion.
+  void Write(size_t index, uint32_t val, size_t count) {
+    assert(count <= sizeof(uint32_t));
+    uint32_t nvalue = htonl(val);
+    auto* addr = reinterpret_cast<const uint8_t*>(&nvalue);
+    Write(index, addr + sizeof(uint32_t) - count, count);
+  }
+
+  // Starting at |index|, remove |remove| bytes and replace them with the
+  // contents of |buf|.
+  void Splice(const DataBuffer& buf, size_t index, size_t remove = 0) {
+    Splice(buf.data(), buf.len(), index, remove);
+  }
+
+  void Splice(const uint8_t* ins, size_t ins_len, size_t index, size_t remove = 0) {
+    uint8_t* old_value = data_;
+    size_t old_len = len_;
+
+    // The amount of stuff remaining from the tail of the old.
+    size_t tail_len = old_len - std::min(old_len, index + remove);
+    // The new length: the head of the old, the new, and the tail of the old.
+    len_ = index + ins_len + tail_len;
+    data_ = new uint8_t[len_ ? len_ : 1];
+
+    // The head of the old.
+    Write(0, old_value, std::min(old_len, index));
+    // Maybe a gap.
+    if (index > old_len) {
+      memset(old_value + index, 0, index - old_len);
+    }
+    // The new.
+    Write(index, ins, ins_len);
+    // The tail of the old.
+    if (tail_len > 0) {
+      Write(index + ins_len,
+            old_value + index + remove, tail_len);
+    }
+
+    delete[] old_value;
+  }
+
+  void Append(const DataBuffer& buf) { Splice(buf, len_); }
+
   const uint8_t *data() const { return data_; }
-  uint8_t *data() { return data_; }
+  uint8_t* data() { return data_; }
   size_t len() const { return len_; }
-  const bool empty() const { return len_ != 0; }
+  bool empty() const { return len_ == 0; }
 
  private:
-  uint8_t *data_;
+  uint8_t* data_;
   size_t len_;
 };
 
+#ifdef DEBUG
+static const size_t kMaxBufferPrint = 10000;
+#else
+static const size_t kMaxBufferPrint = 32;
 #endif
+
+inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
+  stream << "[" << buf.len() << "] ";
+  for (size_t i = 0; i < buf.len(); ++i) {
+    if (i >= kMaxBufferPrint) {
+      stream << "...";
+      break;
+    }
+    stream << std::hex << std::setfill('0') << std::setw(2)
+           << static_cast<unsigned>(buf.data()[i]);
+  }
+  stream << std::dec;
+  return stream;
+}
+
+} // namespace nss_test
+
+#endif
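Review bot: The gap fill in Splice writes through the wrong buffer: `memset(old_value + index, 0, index - old_len)` targets old_value, which is only old_len bytes long, at an offset beyond its end, so any splice with index > old_len is an out-of-bounds heap write, while the gap in the new data_ stays uninitialized because the preceding Write does not reallocate (len_ already covers the new size). The line should be `memset(data_ + old_len, 0, index - old_len);`. Separately, Write(size_t, uint32_t, size_t) calls htonl but none of the headers added at the top of the hunk declares it, so the file presumably relies on an includer to provide it; including the platform header here would keep this header self-contained. The size_t additions `index + count` in Write and `index + ins_len + tail_len` in Splice are unchecked, which is acceptable for a test helper but worth an assert to document the assumption.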
--- a/security/nss/external_tests/ssl_gtest/gtest_utils.h
+++ b/security/nss/external_tests/ssl_gtest/gtest_utils.h
@@ -2,25 +2,32 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef gtest_utils_h__
 #define gtest_utils_h__
 
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+#include "test_io.h"
+
 namespace nss_test {
 
 // Gtest utilities
 class Timeout : public PollTarget {
  public:
   Timeout(int32_t timer_ms) : handle_(nullptr), timed_out_(false) {
     Poller::Instance()->SetTimer(timer_ms, this, &Timeout::ExpiredCallback,
                                  &handle_);
   }
+  ~Timeout() {
+    Cancel();
+  }
 
   static void ExpiredCallback(PollTarget* target, Event event) {
     Timeout* timeout = static_cast<Timeout*>(target);
     timeout->timed_out_ = true;
   }
 
   void Cancel() { handle_->Cancel(); }
 
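Review bot: The new destructor calls `Cancel()` unconditionally, and `Cancel()` on the line below dereferences `handle_` without a null check, so a Timeout whose `SetTimer` call did not populate `handle_` (it starts as `nullptr` in the initializer list) would crash at destruction rather than at the point of failure. Guarding it is one line: `void Cancel() { if (handle_) handle_->Cancel(); }`. Whether the poller releases the handle after the timer fires is not visible here; if it does, `ExpiredCallback` should also clear `timeout->handle_` so the destructor does not touch a freed object. The Timeout class continues past the end of the hunk.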
--- a/security/nss/external_tests/ssl_gtest/manifest.mn
+++ b/security/nss/external_tests/ssl_gtest/manifest.mn
@@ -1,20 +1,25 @@
-# 
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       ssl_loopback_unittest.cc \
+      ssl_extension_unittest.cc \
+      ssl_skip_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
+      tls_agent.cc \
+      tls_connect.cc \
+      tls_filter.cc \
       tls_parser.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/external_tests/google_test/gtest/include
 
 REQUIRES = nspr nss libdbm gtest
 
 PROGRAM = ssl_gtest
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
@@ -0,0 +1,578 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "ssl.h"
+#include "sslproto.h"
+
+#include <memory>
+
+#include "tls_parser.h"
+#include "tls_filter.h"
+#include "tls_connect.h"
+
+namespace nss_test {
+
+class TlsExtensionFilter : public TlsHandshakeFilter {
+ protected:
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output) {
+    if (handshake_type == kTlsHandshakeClientHello) {
+      TlsParser parser(input);
+      if (!FindClientHelloExtensions(parser, version)) {
+        return false;
+      }
+      return FilterExtensions(parser, input, output);
+    }
+    if (handshake_type == kTlsHandshakeServerHello) {
+      TlsParser parser(input);
+      if (!FindServerHelloExtensions(parser, version)) {
+        return false;
+      }
+      return FilterExtensions(parser, input, output);
+    }
+    return false;
+  }
+
+  virtual bool FilterExtension(uint16_t extension_type,
+                               const DataBuffer& input, DataBuffer* output) = 0;
+
+ public:
+  static bool FindClientHelloExtensions(TlsParser& parser, uint16_t version) {
+    if (!parser.Skip(2 + 32)) { // version + random
+      return false;
+    }
+    if (!parser.SkipVariable(1)) { // session ID
+      return false;
+    }
+    if (IsDtls(version) && !parser.SkipVariable(1)) { // DTLS cookie
+      return false;
+    }
+    if (!parser.SkipVariable(2)) { // cipher suites
+      return false;
+    }
+    if (!parser.SkipVariable(1)) { // compression methods
+      return false;
+    }
+    return true;
+  }
+
+  static bool FindServerHelloExtensions(TlsParser& parser, uint16_t version) {
+    if (!parser.Skip(2 + 32)) { // version + random
+      return false;
+    }
+    if (!parser.SkipVariable(1)) { // session ID
+      return false;
+    }
+    if (!parser.Skip(2)) { // cipher suite
+      return false;
+    }
+    if (NormalizeTlsVersion(version) <= SSL_LIBRARY_VERSION_TLS_1_2) {
+      if (!parser.Skip(1)) { // compression method
+        return false;
+      }
+    }
+    return true;
+  }
+
+ private:
+  bool FilterExtensions(TlsParser& parser,
+                        const DataBuffer& input, DataBuffer* output) {
+    size_t length_offset = parser.consumed();
+    uint32_t all_extensions;
+    if (!parser.Read(&all_extensions, 2)) {
+      return false; // no extensions, odd but OK
+    }
+    if (all_extensions != parser.remaining()) {
+      return false; // malformed
+    }
+
+    bool changed = false;
+
+    // Write out the start of the message.
+    output->Allocate(input.len());
+    output->Write(0, input.data(), parser.consumed());
+    size_t output_offset = parser.consumed();
+
+    while (parser.remaining()) {
+      uint32_t extension_type;
+      if (!parser.Read(&extension_type, 2)) {
+        return false; // malformed
+      }
+
+      // Copy extension type.
+      output->Write(output_offset, extension_type, 2);
+
+      DataBuffer extension;
+      if (!parser.ReadVariable(&extension, 2)) {
+        return false; // malformed
+      }
+      output_offset = ApplyFilter(static_cast<uint16_t>(extension_type), extension,
+                                  output, output_offset + 2, &changed);
+    }
+    output->Truncate(output_offset);
+
+    if (changed) {
+      size_t newlen = output->len() - length_offset - 2;
+      if (newlen >= 0x10000) {
+        return false; // bad: size increased too much
+      }
+      output->Write(length_offset, newlen, 2);
+    }
+    return changed;
+  }
+
+  size_t ApplyFilter(uint16_t extension_type, const DataBuffer& extension,
+                     DataBuffer* output, size_t offset, bool* changed) {
+    const DataBuffer* source = &extension;
+    DataBuffer filtered;
+    if (FilterExtension(extension_type, extension, &filtered) &&
+        filtered.len() < 0x10000) {
+      *changed = true;
+      std::cerr << "extension old: " << extension << std::endl;
+      std::cerr << "extension new: " << filtered << std::endl;
+      source = &filtered;
+    }
+
+    output->Write(offset, source->len(), 2);
+    output->Write(offset + 2, *source);
+    return offset + 2 + source->len();
+  }
+};
+
+class TlsExtensionTruncator : public TlsExtensionFilter {
+ public:
+  TlsExtensionTruncator(uint16_t extension, size_t length)
+      : extension_(extension), length_(length) {}
+  virtual bool FilterExtension(uint16_t extension_type,
+                               const DataBuffer& input, DataBuffer* output) {
+    if (extension_type != extension_) {
+      return false;
+    }
+    if (input.len() <= length_) {
+      return false;
+    }
+
+    output->Assign(input.data(), length_);
+    return true;
+  }
+ private:
+    uint16_t extension_;
+    size_t length_;
+};
+
+class TlsExtensionDamager : public TlsExtensionFilter {
+ public:
+  TlsExtensionDamager(uint16_t extension, size_t index)
+      : extension_(extension), index_(index) {}
+  virtual bool FilterExtension(uint16_t extension_type,
+                               const DataBuffer& input, DataBuffer* output) {
+    if (extension_type != extension_) {
+      return false;
+    }
+
+    *output = input;
+    output->data()[index_] += 73; // Increment selected for maximum damage
+    return true;
+  }
+ private:
+  uint16_t extension_;
+  size_t index_;
+};
+
+class TlsExtensionReplacer : public TlsExtensionFilter {
+ public:
+  TlsExtensionReplacer(uint16_t extension, const DataBuffer& data)
+      : extension_(extension), data_(data) {}
+  virtual bool FilterExtension(uint16_t extension_type,
+                               const DataBuffer& input, DataBuffer* output) {
+    if (extension_type != extension_) {
+      return false;
+    }
+
+    *output = data_;
+    return true;
+  }
+ private:
+  uint16_t extension_;
+  DataBuffer data_;
+};
+
+class TlsExtensionInjector : public TlsHandshakeFilter {
+ public:
+  TlsExtensionInjector(uint16_t ext, DataBuffer& data)
+      : extension_(ext), data_(data) {}
+
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output) {
+    size_t offset;
+    if (handshake_type == kTlsHandshakeClientHello) {
+      TlsParser parser(input);
+      if (!TlsExtensionFilter::FindClientHelloExtensions(parser, version)) {
+        return false;
+      }
+      offset = parser.consumed();
+    } else if (handshake_type == kTlsHandshakeServerHello) {
+      TlsParser parser(input);
+      if (!TlsExtensionFilter::FindServerHelloExtensions(parser, version)) {
+        return false;
+      }
+      offset = parser.consumed();
+    } else {
+      return false;
+    }
+
+    *output = input;
+
+    std::cerr << "Pre:" << input << std::endl;
+    std::cerr << "Lof:" << offset << std::endl;
+
+    // Increase the size of the extensions.
+    uint16_t* len_addr = reinterpret_cast<uint16_t*>(output->data() + offset);
+    std::cerr << "L-p:" << ntohs(*len_addr) << std::endl;
+    *len_addr = htons(ntohs(*len_addr) + data_.len() + 4);
+    std::cerr << "L-i:" << ntohs(*len_addr) << std::endl;
+
+
+    // Insert the extension type and length.
+    DataBuffer type_length;
+    type_length.Allocate(4);
+    type_length.Write(0, extension_, 2);
+    type_length.Write(2, data_.len(), 2);
+    output->Splice(type_length, offset + 2);
+
+    // Insert the payload.
+    output->Splice(data_, offset + 6);
+
+    std::cerr << "Aft:" << *output << std::endl;
+    return true;
+  }
+
+ private:
+  uint16_t extension_;
+  DataBuffer data_;
+};
+
+class TlsExtensionTestBase : public TlsConnectTestBase {
+ protected:
+  TlsExtensionTestBase(Mode mode, uint16_t version)
+    : TlsConnectTestBase(mode, version) {}
+
+  void ClientHelloErrorTest(PacketFilter* filter,
+                            uint8_t alert = kTlsAlertDecodeError) {
+    auto alert_recorder = new TlsAlertRecorder();
+    server_->SetPacketFilter(alert_recorder);
+    if (filter) {
+      client_->SetPacketFilter(filter);
+    }
+    ConnectExpectFail();
+    EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+    EXPECT_EQ(alert, alert_recorder->description());
+  }
+
+  void ServerHelloErrorTest(PacketFilter* filter,
+                            uint8_t alert = kTlsAlertDecodeError) {
+    auto alert_recorder = new TlsAlertRecorder();
+    client_->SetPacketFilter(alert_recorder);
+    if (filter) {
+      server_->SetPacketFilter(filter);
+    }
+    ConnectExpectFail();
+    EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+    EXPECT_EQ(alert, alert_recorder->description());
+  }
+
+  static void InitSimpleSni(DataBuffer* extension) {
+    const char* name = "host.name";
+    const size_t namelen = PL_strlen(name);
+    extension->Allocate(namelen + 5);
+    extension->Write(0, namelen + 3, 2);
+    extension->Write(2, static_cast<uint32_t>(0), 1); // 0 == hostname
+    extension->Write(3, namelen, 2);
+    extension->Write(5, reinterpret_cast<const uint8_t*>(name), namelen);
+  }
+};
+
+class TlsExtensionTestDtls
+  : public TlsExtensionTestBase,
+    public ::testing::WithParamInterface<uint16_t> {
+ public:
+  TlsExtensionTestDtls() : TlsExtensionTestBase(DGRAM, GetParam()) {}
+};
+
+class TlsExtensionTest12Plus
+  : public TlsExtensionTestBase,
+    public ::testing::WithParamInterface<std::string> {
+ public:
+  TlsExtensionTest12Plus()
+    : TlsExtensionTestBase(TlsConnectTestBase::ToMode(GetParam()),
+                           SSL_LIBRARY_VERSION_TLS_1_2) {}
+};
+
+class TlsExtensionTestGeneric
+  : public TlsExtensionTestBase,
+    public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+ public:
+  TlsExtensionTestGeneric()
+    : TlsExtensionTestBase(TlsConnectTestBase::ToMode((std::get<0>(GetParam()))),
+                           std::get<1>(GetParam())) {}
+};
+
+TEST_P(TlsExtensionTestGeneric, DamageSniLength) {
+  ClientHelloErrorTest(new TlsExtensionDamager(ssl_server_name_xtn, 1));
+}
+
+TEST_P(TlsExtensionTestGeneric, DamageSniHostLength) {
+  ClientHelloErrorTest(new TlsExtensionDamager(ssl_server_name_xtn, 4));
+}
+
+TEST_P(TlsExtensionTestGeneric, TruncateSni) {
+  ClientHelloErrorTest(new TlsExtensionTruncator(ssl_server_name_xtn, 7));
+}
+
+// A valid extension that appears twice will be reported as unsupported.
+TEST_P(TlsExtensionTestGeneric, RepeatSni) {
+  DataBuffer extension;
+  InitSimpleSni(&extension);
+  ClientHelloErrorTest(new TlsExtensionInjector(ssl_server_name_xtn, extension),
+                       kTlsAlertIllegalParameter);
+}
+
+// An SNI entry with zero length is considered invalid (strangely, not if it is
+// the last entry, which is probably a bug).
+TEST_P(TlsExtensionTestGeneric, BadSni) {
+  DataBuffer simple;
+  InitSimpleSni(&simple);
+  DataBuffer extension;
+  extension.Allocate(simple.len() + 3);
+  extension.Write(0, static_cast<uint32_t>(0), 3);
+  extension.Write(3, simple);
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_server_name_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, EmptyAlpnExtension) {
+  EnableAlpn();
+  DataBuffer extension;
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension),
+                       kTlsAlertIllegalParameter);
+}
+
+// An empty ALPN isn't considered bad, though it does lead to there being no
+// protocol for the server to select.
+TEST_P(TlsExtensionTestGeneric, EmptyAlpnList) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension),
+                       kTlsAlertNoApplicationProtocol);
+}
+
+TEST_P(TlsExtensionTestGeneric, OneByteAlpn) {
+  EnableAlpn();
+  ClientHelloErrorTest(new TlsExtensionTruncator(ssl_app_layer_protocol_xtn, 1));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnMissingValue) {
+  EnableAlpn();
+  // This will leave the length of the second entry, but no value.
+  ClientHelloErrorTest(new TlsExtensionTruncator(ssl_app_layer_protocol_xtn, 5));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnZeroLength) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x01, 0x61, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnMismatch) {
+  const uint8_t client_alpn[] = { 0x01, 0x61 };
+  client_->EnableAlpn(client_alpn, sizeof(client_alpn));
+  const uint8_t server_alpn[] = { 0x02, 0x61, 0x62 };
+  server_->EnableAlpn(server_alpn, sizeof(server_alpn));
+
+  ClientHelloErrorTest(nullptr, kTlsAlertNoApplicationProtocol);
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnReturnedEmptyList) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ServerHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnReturnedEmptyName) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x01, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ServerHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnReturnedListTrailingData) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x02, 0x01, 0x61, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ServerHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnReturnedExtraEntry) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x04, 0x01, 0x61, 0x01, 0x62 };
+  DataBuffer extension(val, sizeof(val));
+  ServerHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnReturnedBadListLength) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x99, 0x01, 0x61, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ServerHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, AlpnReturnedBadNameLength) {
+  EnableAlpn();
+  const uint8_t val[] = { 0x00, 0x02, 0x99, 0x61 };
+  DataBuffer extension(val, sizeof(val));
+  ServerHelloErrorTest(new TlsExtensionReplacer(ssl_app_layer_protocol_xtn, extension));
+}
+
+TEST_P(TlsExtensionTestDtls, SrtpShort) {
+  EnableSrtp();
+  ClientHelloErrorTest(new TlsExtensionTruncator(ssl_use_srtp_xtn, 3));
+}
+
+TEST_P(TlsExtensionTestDtls, SrtpOdd) {
+  EnableSrtp();
+  const uint8_t val[] = { 0x00, 0x01, 0xff, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_use_srtp_xtn, extension));
+}
+
+TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsBadLength) {
+  const uint8_t val[] = { 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_signature_algorithms_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) {
+  const uint8_t val[] = { 0x00, 0x02, 0x04, 0x01, 0x00 }; // sha-256, rsa
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_signature_algorithms_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsEmpty) {
+  const uint8_t val[] = { 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_signature_algorithms_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsOddLength) {
+  const uint8_t val[] = { 0x00, 0x01, 0x04 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_signature_algorithms_xtn,
+                                                extension));
+}
+
+// The extension handling ignores unsupported hashes, so breaking that has no
+// effect on success rates.  However, ssl3_SendServerKeyExchange catches an
+// unsupported signature algorithm.
+
+// This actually fails with a decryption error (fatal alert 51).  That's a bad
+// to fail, since any tampering with the handshake will trigger that alert when
+// verifying the Finished message.  Thus, this test is disabled until this error
+// is turned into an alert.
+TEST_P(TlsExtensionTest12Plus, DISABLED_SignatureAlgorithmsSigUnsupported) {
+  const uint8_t val[] = { 0x00, 0x02, 0x04, 0x99 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_signature_algorithms_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, SupportedCurvesShort) {
+  EnableSomeEcdheCiphers();
+  const uint8_t val[] = { 0x00, 0x01, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, SupportedCurvesBadLength) {
+  EnableSomeEcdheCiphers();
+  const uint8_t val[] = { 0x09, 0x99, 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, SupportedCurvesTrailingData) {
+  EnableSomeEcdheCiphers();
+  const uint8_t val[] = { 0x00, 0x02, 0x00, 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_elliptic_curves_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, SupportedPointsEmpty) {
+  EnableSomeEcdheCiphers();
+  const uint8_t val[] = { 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, SupportedPointsBadLength) {
+  EnableSomeEcdheCiphers();
+  const uint8_t val[] = { 0x99, 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, SupportedPointsTrailingData) {
+  EnableSomeEcdheCiphers();
+  const uint8_t val[] = { 0x01, 0x00, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_ec_point_formats_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, RenegotiationInfoBadLength) {
+  const uint8_t val[] = { 0x99 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_renegotiation_info_xtn,
+                                                extension));
+}
+
+TEST_P(TlsExtensionTestGeneric, RenegotiationInfoMismatch) {
+  const uint8_t val[] = { 0x01, 0x00 };
+  DataBuffer extension(val, sizeof(val));
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_renegotiation_info_xtn,
+                                                extension));
+}
+
+// The extension has to contain a length.
+TEST_P(TlsExtensionTestGeneric, RenegotiationInfoExtensionEmpty) {
+  DataBuffer extension;
+  ClientHelloErrorTest(new TlsExtensionReplacer(ssl_renegotiation_info_xtn,
+                                                extension));
+}
+
+INSTANTIATE_TEST_CASE_P(ExtensionTls10, TlsExtensionTestGeneric,
+                        ::testing::Combine(
+                          TlsConnectTestBase::kTlsModesStream,
+                          TlsConnectTestBase::kTlsV10));
+INSTANTIATE_TEST_CASE_P(ExtensionVariants, TlsExtensionTestGeneric,
+                        ::testing::Combine(
+                          TlsConnectTestBase::kTlsModesAll,
+                          TlsConnectTestBase::kTlsV11V12));
+INSTANTIATE_TEST_CASE_P(ExtensionTls12Plus, TlsExtensionTest12Plus,
+                        TlsConnectTestBase::kTlsModesAll);
+INSTANTIATE_TEST_CASE_P(ExtensionDgram, TlsExtensionTestDtls,
+                        TlsConnectTestBase::kTlsV11V12);
+
+}  // namespace nspr_test
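Review bot: TlsExtensionDamager::FilterExtension performs `output->data()[index_] += 73` without checking that `index_` lies inside the extension, so a test that names an index past the end of a short extension corrupts heap memory instead of failing cleanly; add `if (index_ >= input.len()) return false;` before the write. TlsExtensionInjector has the same weakness in a riskier form: it patches the extensions length through `reinterpret_cast<uint16_t*>(output->data() + offset)` with no check that `offset + 2 <= output->len()` (a hello carrying no extensions block ends exactly at `offset`) and no check that the incremented length stays below 0x10000, the bound FilterExtensions already enforces; reading and rewriting the field with the DataBuffer `Read`/`Write(offset, value, 2)` helpers used elsewhere in this file would remove the unaligned, type-punning cast as well. ApplyFilter allocates `output` to `input.len()` and then writes a replacement that may be longer; whether `Write` grows the buffer is not visible here and should be confirmed. The closing comment on the last line says `nspr_test` but the namespace opened above is `nss_test`.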
--- a/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
@@ -1,32 +1,39 @@
 #include "nspr.h"
 #include "nss.h"
 #include "ssl.h"
 
+#include <cstdlib>
+
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
+std::string g_working_dir_path;
+
 int main(int argc, char **argv) {
   // Start the tests
   ::testing::InitGoogleTest(&argc, argv);
-  std::string path = ".";
+  g_working_dir_path = ".";
+
+  char* workdir = getenv("NSS_GTEST_WORKDIR");
+  if (workdir)
+    g_working_dir_path = workdir;
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
-      path = argv[i + 1];
+      g_working_dir_path = argv[i + 1];
       ++i;
     }
   }
 
-  NSS_Initialize(path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
+  NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY);
   NSS_SetDomesticPolicy();
-
   int rv = RUN_ALL_TESTS();
 
   NSS_Shutdown();
 
   nss_test::Poller::Shutdown();
 
   return rv;
 }
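Review bot: `g_working_dir_path = argv[i + 1]` still reads past the end of argv when `-d` is the final argument: `argv[argc]` is a null pointer and constructing a `std::string` from it is undefined behaviour, so the bound belongs in the condition, `if (!strcmp(argv[i], "-d") && i + 1 < argc)`. The result of the rewritten `NSS_Initialize` call is also discarded; when the directory taken from `NSS_GTEST_WORKDIR` or `-d` holds no usable database the suite runs against an uninitialised NSS and every test fails with an unrelated error, so check it, `if (NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB, NSS_INIT_READONLY) != SECSuccess) return 1;`, after reporting the failure. `NSS_SetDomesticPolicy` is likewise unchecked, and `strcmp` is used without a visible `<cstring>` include.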
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -1,612 +1,272 @@
-#include "prio.h"
-#include "prerror.h"
-#include "prlog.h"
-#include "pk11func.h"
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
 #include "ssl.h"
-#include "sslerr.h"
 #include "sslproto.h"
-#include "keyhi.h"
 
 #include <memory>
 
-#include "test_io.h"
 #include "tls_parser.h"
-
-#define GTEST_HAS_RTTI 0
-#include "gtest/gtest.h"
-#include "gtest_utils.h"
+#include "tls_filter.h"
+#include "tls_connect.h"
 
 namespace nss_test {
 
-#define LOG(a) std::cerr << name_ << ": " << a << std::endl;
-
-// Inspector that parses out DTLS records and passes
-// them on.
-class TlsRecordInspector : public Inspector {
- public:
-  virtual void Inspect(DummyPrSocket* adapter, const void* data, size_t len) {
-    TlsRecordParser parser(static_cast<const unsigned char*>(data), len);
-
-    uint8_t content_type;
-    std::auto_ptr<DataBuffer> buf;
-    while (parser.NextRecord(&content_type, &buf)) {
-      OnRecord(adapter, content_type, buf->data(), buf->len());
-    }
-  }
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* record, size_t len) = 0;
-};
-
-// Inspector that injects arbitrary packets based on
-// DTLS records of various types.
-class TlsInspectorInjector : public TlsRecordInspector {
- public:
-  TlsInspectorInjector(uint8_t packet_type, uint8_t handshake_type,
-                       const unsigned char* data, size_t len)
-      : packet_type_(packet_type),
-        handshake_type_(handshake_type),
-        injected_(false),
-        data_(data, len) {}
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* data, size_t len) {
-    // Only inject once.
-    if (injected_) {
-      return;
-    }
-
-    // Check that the first byte is as requested.
-    if (content_type != packet_type_) {
-      return;
-    }
-
-    if (handshake_type_ != 0xff) {
-      // Check that the packet is plausibly long enough.
-      if (len < 1) {
-        return;
-      }
-
-      // Check that the handshake type is as requested.
-      if (data[0] != handshake_type_) {
-        return;
-      }
-    }
-
-    adapter->WriteDirect(data_.data(), data_.len());
-  }
-
- private:
-  uint8_t packet_type_;
-  uint8_t handshake_type_;
-  bool injected_;
-  DataBuffer data_;
-};
-
-// Make a copy of the first instance of a message.
-class TlsInspectorRecordHandshakeMessage : public TlsRecordInspector {
+class TlsServerKeyExchangeEcdhe {
  public:
-  TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
-      : handshake_type_(handshake_type), buffer_() {}
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* data, size_t len) {
-    // Only do this once.
-    if (buffer_.len()) {
-      return;
-    }
-
-    // Check that the first byte is as requested.
-    if (content_type != kTlsHandshakeType) {
-      return;
-    }
-
-    TlsParser parser(data, len);
-    while (parser.remaining()) {
-      unsigned char message_type;
-      // Read the content type.
-      if (!parser.Read(&message_type)) {
-        // Malformed.
-        return;
-      }
-
-      // Read the record length.
-      uint32_t length;
-      if (!parser.Read(&length, 3)) {
-        // Malformed.
-        return;
-      }
-
-      if (adapter->mode() == DGRAM) {
-        // DTLS
-        uint32_t message_seq;
-        if (!parser.Read(&message_seq, 2)) {
-          return;
-        }
-
-        uint32_t fragment_offset;
-        if (!parser.Read(&fragment_offset, 3)) {
-          return;
-        }
-
-        uint32_t fragment_length;
-        if (!parser.Read(&fragment_length, 3)) {
-          return;
-        }
-
-        if ((fragment_offset != 0) || (fragment_length != length)) {
-          // This shouldn't happen because all current tests where we
-          // are using this code don't fragment.
-          return;
-        }
-      }
-
-      unsigned char* dest = nullptr;
-
-      if (message_type == handshake_type_) {
-        buffer_.Allocate(length);
-        dest = buffer_.data();
-      }
-
-      if (!parser.Read(dest, length)) {
-        // Malformed
-        return;
-      }
-
-      if (dest) return;
-    }
-  }
-
-  const DataBuffer& buffer() { return buffer_; }
-
- private:
-  uint8_t handshake_type_;
-  DataBuffer buffer_;
-};
-
-class TlsServerKeyExchangeECDHE {
- public:
-  bool Parse(const unsigned char* data, size_t len) {
-    TlsParser parser(data, len);
+  bool Parse(const DataBuffer& buffer) {
+    TlsParser parser(buffer);
 
     uint8_t curve_type;
     if (!parser.Read(&curve_type)) {
       return false;
     }
 
     if (curve_type != 3) {  // named_curve
       return false;
     }
 
     uint32_t named_curve;
     if (!parser.Read(&named_curve, 2)) {
       return false;
     }
 
-    uint32_t point_length;
-    if (!parser.Read(&point_length, 1)) {
-      return false;
-    }
-
-    public_key_.Allocate(point_length);
-    if (!parser.Read(public_key_.data(), point_length)) {
-      return false;
-    }
-
-    return true;
+    return parser.ReadVariable(&public_key_, 1);
   }
 
   DataBuffer public_key_;
 };
 
-class TlsAgent : public PollTarget {
- public:
-  enum Role { CLIENT, SERVER };
-  enum State { INIT, CONNECTING, CONNECTED, ERROR };
-
-  TlsAgent(const std::string& name, Role role, Mode mode)
-      : name_(name),
-        mode_(mode),
-        pr_fd_(nullptr),
-        adapter_(nullptr),
-        ssl_fd_(nullptr),
-        role_(role),
-        state_(INIT) {}
-
-  ~TlsAgent() {
-    if (pr_fd_) {
-      PR_Close(pr_fd_);
-    }
-
-    if (ssl_fd_) {
-      PR_Close(ssl_fd_);
-    }
-  }
-
-  bool Init() {
-    pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
-    if (!pr_fd_) return false;
-
-    adapter_ = DummyPrSocket::GetAdapter(pr_fd_);
-    if (!adapter_) return false;
-
-    return true;
-  }
-
-  void SetPeer(TlsAgent* peer) { adapter_->SetPeer(peer->adapter_); }
-
-  void SetInspector(Inspector* inspector) { adapter_->SetInspector(inspector); }
-
-  void StartConnect() {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    SECStatus rv;
-    rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
-    ASSERT_EQ(SECSuccess, rv);
-    SetState(CONNECTING);
-  }
-
-  void EnableSomeECDHECiphers() {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    const uint32_t EnabledCiphers[] = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-                                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
-
-    for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
-      SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EnabledCiphers[i], PR_TRUE);
-      ASSERT_EQ(SECSuccess, rv);
-    }
-  }
-
-  bool EnsureTlsSetup() {
-    // Don't set up twice
-    if (ssl_fd_) return true;
-
-    if (adapter_->mode() == STREAM) {
-      ssl_fd_ = SSL_ImportFD(nullptr, pr_fd_);
-    } else {
-      ssl_fd_ = DTLS_ImportFD(nullptr, pr_fd_);
-    }
-
-    EXPECT_NE(nullptr, ssl_fd_);
-    if (!ssl_fd_) return false;
-    pr_fd_ = nullptr;
-
-    if (role_ == SERVER) {
-      CERTCertificate* cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
-      EXPECT_NE(nullptr, cert);
-      if (!cert) return false;
-
-      SECKEYPrivateKey* priv = PK11_FindKeyByAnyCert(cert, nullptr);
-      EXPECT_NE(nullptr, priv);
-      if (!priv) return false;  // Leak cert.
-
-      SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
-      EXPECT_EQ(SECSuccess, rv);
-      if (rv != SECSuccess) return false;  // Leak cert and key.
-
-      SECKEY_DestroyPrivateKey(priv);
-      CERT_DestroyCertificate(cert);
-    }
-
-    SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
-                                           reinterpret_cast<void*>(this));
-    EXPECT_EQ(SECSuccess, rv);
-    if (rv != SECSuccess) return false;
-
-    return true;
-  }
-
-  void SetVersionRange(uint16_t minver, uint16_t maxver) {
-    SSLVersionRange range = {minver, maxver};
-    ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
-  }
-
-  State state() const { return state_; }
-
-  const char* state_str() const { return state_str(state()); }
-
-  const char* state_str(State state) const { return states[state]; }
-
-  PRFileDesc* ssl_fd() { return ssl_fd_; }
-
-  bool version(uint16_t* version) const {
-    if (state_ != CONNECTED) return false;
-
-    *version = info_.protocolVersion;
-
-    return true;
-  }
-
-  bool cipher_suite(int16_t* cipher_suite) const {
-    if (state_ != CONNECTED) return false;
-
-    *cipher_suite = info_.cipherSuite;
-    return true;
-  }
-
-  std::string cipher_suite_name() const {
-    if (state_ != CONNECTED) return "UNKNOWN";
-
-    return csinfo_.cipherSuiteName;
-  }
-
-  void CheckKEAType(SSLKEAType type) const {
-    ASSERT_EQ(CONNECTED, state_);
-    ASSERT_EQ(type, csinfo_.keaType);
-  }
-
-  void CheckVersion(uint16_t version) const {
-    ASSERT_EQ(CONNECTED, state_);
-    ASSERT_EQ(version, info_.protocolVersion);
-  }
-
-  void Handshake() {
-    SECStatus rv = SSL_ForceHandshake(ssl_fd_);
-    if (rv == SECSuccess) {
-      LOG("Handshake success");
-      SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
-      ASSERT_EQ(SECSuccess, rv);
-
-      rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
-      ASSERT_EQ(SECSuccess, rv);
-
-      SetState(CONNECTED);
-      return;
-    }
-
-    int32_t err = PR_GetError();
-    switch (err) {
-      case PR_WOULD_BLOCK_ERROR:
-        LOG("Would have blocked");
-        // TODO(ekr@rtfm.com): set DTLS timeouts
-        Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
-                                 &TlsAgent::ReadableCallback);
-        return;
-        break;
-
-      // TODO(ekr@rtfm.com): needs special case for DTLS
-      case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
-      default:
-        LOG("Handshake failed with error " << err);
-        SetState(ERROR);
-        return;
-    }
-  }
-
- private:
-  const static char* states[];
-
-  void SetState(State state) {
-    if (state_ == state) return;
-
-    LOG("Changing state from " << state_str(state_) << " to "
-                               << state_str(state));
-    state_ = state;
-  }
-
-  // Dummy auth certificate hook.
-  static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
-                                       PRBool checksig, PRBool isServer) {
-    return SECSuccess;
-  }
-
-  static void ReadableCallback(PollTarget* self, Event event) {
-    TlsAgent* agent = static_cast<TlsAgent*>(self);
-    agent->ReadableCallback_int(event);
-  }
-
-  void ReadableCallback_int(Event event) {
-    LOG("Readable");
-    Handshake();
-  }
-
-  const std::string name_;
-  Mode mode_;
-  PRFileDesc* pr_fd_;
-  DummyPrSocket* adapter_;
-  PRFileDesc* ssl_fd_;
-  Role role_;
-  State state_;
-  SSLChannelInfo info_;
-  SSLCipherSuiteInfo csinfo_;
-};
-
-const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
-
-class TlsConnectTestBase : public ::testing::Test {
- public:
-  TlsConnectTestBase(Mode mode)
-      : mode_(mode),
-        client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
-        server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
-
-  ~TlsConnectTestBase() {
-    delete client_;
-    delete server_;
-  }
-
-  void SetUp() { Init(); }
-
-  void Init() {
-    ASSERT_TRUE(client_->Init());
-    ASSERT_TRUE(server_->Init());
-
-    client_->SetPeer(server_);
-    server_->SetPeer(client_);
-  }
-
-  void Reset() {
-    delete client_;
-    delete server_;
-
-    client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_);
-    server_ = new TlsAgent("server", TlsAgent::SERVER, mode_);
-
-    Init();
-  }
-
-  void EnsureTlsSetup() {
-    ASSERT_TRUE(client_->EnsureTlsSetup());
-    ASSERT_TRUE(server_->EnsureTlsSetup());
-  }
-
-  void Connect() {
-    server_->StartConnect();  // Server
-    client_->StartConnect();  // Client
-    client_->Handshake();
-    server_->Handshake();
-
-    ASSERT_TRUE_WAIT(client_->state() != TlsAgent::CONNECTING &&
-                         server_->state() != TlsAgent::CONNECTING,
-                     5000);
-    ASSERT_EQ(TlsAgent::CONNECTED, server_->state());
-
-    int16_t cipher_suite1, cipher_suite2;
-    bool ret = client_->cipher_suite(&cipher_suite1);
-    ASSERT_TRUE(ret);
-    ret = server_->cipher_suite(&cipher_suite2);
-    ASSERT_TRUE(ret);
-    ASSERT_EQ(cipher_suite1, cipher_suite2);
-
-    std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
-              << std::endl;
-  }
-
-  void EnableSomeECDHECiphers() {
-    client_->EnableSomeECDHECiphers();
-    server_->EnableSomeECDHECiphers();
-  }
-
- protected:
-  Mode mode_;
-  TlsAgent* client_;
-  TlsAgent* server_;
-};
-
-class TlsConnectTest : public TlsConnectTestBase {
- public:
-  TlsConnectTest() : TlsConnectTestBase(STREAM) {}
-};
-
-class DtlsConnectTest : public TlsConnectTestBase {
- public:
-  DtlsConnectTest() : TlsConnectTestBase(DGRAM) {}
-};
-
-class TlsConnectGeneric : public TlsConnectTestBase,
-                          public ::testing::WithParamInterface<std::string> {
- public:
-  TlsConnectGeneric()
-      : TlsConnectTestBase((GetParam() == "TLS") ? STREAM : DGRAM) {
-    std::cerr << "Variant: " << GetParam() << std::endl;
-  }
-};
-
 TEST_P(TlsConnectGeneric, SetupOnly) {}
 
 TEST_P(TlsConnectGeneric, Connect) {
   Connect();
+  client_->CheckVersion(std::get<1>(GetParam()));
+  client_->CheckAuthType(ssl_auth_rsa);
+}
 
-  // Check that we negotiated the expected version.
-  if (mode_ == STREAM) {
-    client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_0);
-  } else {
-    client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_1);
-  }
+TEST_P(TlsConnectGeneric, ConnectResumed) {
+  ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
+  Connect();
+
+  ResetRsa();
+  Connect();
+  CheckResumption(RESUME_SESSIONID);
+}
+
+TEST_P(TlsConnectGeneric, ConnectClientCacheDisabled) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_SESSIONID);
+  Connect();
+  ResetRsa();
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ConnectServerCacheDisabled) {
+  ConfigureSessionCache(RESUME_SESSIONID, RESUME_NONE);
+  Connect();
+  ResetRsa();
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ConnectSessionCacheDisabled) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+  Connect();
+  ResetRsa();
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ConnectResumeSupportBoth) {
+  // This prefers tickets.
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  Connect();
+
+  ResetRsa();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  Connect();
+  CheckResumption(RESUME_TICKET);
 }
 
-TEST_P(TlsConnectGeneric, ConnectTLS_1_1_Only) {
+TEST_P(TlsConnectGeneric, ConnectResumeClientTicketServerBoth) {
+  // This causes no resumption because the client needs the
+  // session cache to resume even with tickets.
+  ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
+  Connect();
+
+  ResetRsa();
+  ConfigureSessionCache(RESUME_TICKET, RESUME_BOTH);
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicket) {
+  // This causes a ticket resumption.
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  Connect();
+
+  ResetRsa();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  Connect();
+  CheckResumption(RESUME_TICKET);
+}
+
+TEST_P(TlsConnectGeneric, ConnectClientServerTicketOnly) {
+  // This causes no resumption because the client needs the
+  // session cache to resume even with tickets.
+  ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
+  Connect();
+
+  ResetRsa();
+  ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ConnectClientBothServerNone) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
+  Connect();
+
+  ResetRsa();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_NONE);
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ConnectClientNoneServerBoth) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
+  Connect();
+
+  ResetRsa();
+  ConfigureSessionCache(RESUME_NONE, RESUME_BOTH);
+  Connect();
+  CheckResumption(RESUME_NONE);
+}
+
+TEST_P(TlsConnectGeneric, ResumeWithHigherVersion) {
   EnsureTlsSetup();
+  ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
-
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
-
   Connect();
 
-  client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_1);
-}
-
-TEST_P(TlsConnectGeneric, ConnectTLS_1_2_Only) {
+  ResetRsa();
   EnsureTlsSetup();
-  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_2);
-  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   Connect();
+  CheckResumption(RESUME_NONE);
   client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
 }
 
-TEST_F(TlsConnectTest, ConnectECDHE) {
-  EnableSomeECDHECiphers();
+TEST_P(TlsConnectGeneric, ConnectAlpn) {
+  EnableAlpn();
+  Connect();
+  client_->CheckAlpn(SSL_NEXT_PROTO_SELECTED, "a");
+  server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a");
+}
+
+TEST_P(TlsConnectGeneric, ConnectEcdsa) {
+  ResetEcdsa();
+  Connect();
+  client_->CheckVersion(std::get<1>(GetParam()));
+  client_->CheckAuthType(ssl_auth_ecdsa);
+}
+
+TEST_P(TlsConnectDatagram, ConnectSrtp) {
+  EnableSrtp();
+  Connect();
+  CheckSrtp();
+}
+
+TEST_P(TlsConnectStream, ConnectEcdhe) {
+  EnableSomeEcdheCiphers();
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 }
 
-TEST_F(TlsConnectTest, ConnectECDHETwiceReuseKey) {
-  EnableSomeECDHECiphers();
+TEST_P(TlsConnectStream, ConnectEcdheTwiceReuseKey) {
+  EnableSomeEcdheCiphers();
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i1);
+  server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
-  TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
+  TlsServerKeyExchangeEcdhe dhe1;
+  EXPECT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
-  Reset();
+  ResetRsa();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i2);
-  EnableSomeECDHECiphers();
+  server_->SetPacketFilter(i2);
+  EnableSomeEcdheCiphers();
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
-  TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
+  TlsServerKeyExchangeEcdhe dhe2;
+  EXPECT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are the same.
-  ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
-  ASSERT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
+  EXPECT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
+  EXPECT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                       dhe1.public_key_.len()));
 }
 
-TEST_F(TlsConnectTest, ConnectECDHETwiceNewKey) {
-  EnableSomeECDHECiphers();
+TEST_P(TlsConnectStream, ConnectEcdheTwiceNewKey) {
+  EnableSomeEcdheCiphers();
   SECStatus rv =
       SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
-  ASSERT_EQ(SECSuccess, rv);
+  EXPECT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i1);
+  server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
-  TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
+  TlsServerKeyExchangeEcdhe dhe1;
+  EXPECT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
-  Reset();
-  EnableSomeECDHECiphers();
+  ResetRsa();
+  EnableSomeEcdheCiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
-  ASSERT_EQ(SECSuccess, rv);
+  EXPECT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i2);
+  server_->SetPacketFilter(i2);
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
-  TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
+  TlsServerKeyExchangeEcdhe dhe2;
+  EXPECT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are different.
-  ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
+  EXPECT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
                (!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                         dhe1.public_key_.len())));
 }
 
-INSTANTIATE_TEST_CASE_P(Variants, TlsConnectGeneric,
-                        ::testing::Values("TLS", "DTLS"));
+INSTANTIATE_TEST_CASE_P(VariantsStream10, TlsConnectGeneric,
+                        ::testing::Combine(
+                          TlsConnectTestBase::kTlsModesStream,
+                          TlsConnectTestBase::kTlsV10));
+INSTANTIATE_TEST_CASE_P(VariantsAll, TlsConnectGeneric,
+                        ::testing::Combine(
+                          TlsConnectTestBase::kTlsModesAll,
+                          TlsConnectTestBase::kTlsV11V12));
+INSTANTIATE_TEST_CASE_P(VersionsDatagram, TlsConnectDatagram,
+                        TlsConnectTestBase::kTlsV11V12);
+INSTANTIATE_TEST_CASE_P(VersionsDatagram, TlsConnectStream,
+                        TlsConnectTestBase::kTlsV11V12);
 
 }  // namespace nspr_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/ssl_skip_unittest.cc
@@ -0,0 +1,167 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "sslerr.h"
+
+#include "tls_parser.h"
+#include "tls_filter.h"
+#include "tls_connect.h"
+
+/*
+ * The tests in this file test that the TLS state machine is robust against
+ * attacks that alter the order of handshake messages.
+ *
+ * See <https://www.smacktls.com/smack.pdf> for a description of the problems
+ * that this sort of attack can enable.
+ */
+namespace nss_test {
+
+class TlsHandshakeSkipFilter : public TlsRecordFilter {
+ public:
+  // A TLS record filter that skips handshake messages of the identified type.
+  TlsHandshakeSkipFilter(uint8_t handshake_type)
+      : handshake_type_(handshake_type),
+        skipped_(false) {}
+
+ protected:
+  // Takes a record; if it is a handshake record, it removes the first handshake
+  // message that is of handshake_type_ type.
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output) {
+    if (content_type != kTlsHandshakeType) {
+      return false;
+    }
+
+    size_t output_offset = 0U;
+    output->Allocate(input.len());
+
+    TlsParser parser(input);
+    while (parser.remaining()) {
+      size_t start = parser.consumed();
+      uint8_t handshake_type;
+      if (!parser.Read(&handshake_type)) {
+        return false;
+      }
+      uint32_t length;
+      if (!TlsHandshakeFilter::ReadLength(&parser, version, &length)) {
+        return false;
+      }
+
+      if (!parser.Skip(length)) {
+        return false;
+      }
+
+      if (skipped_ || handshake_type != handshake_type_) {
+        size_t entire_length = parser.consumed() - start;
+        output->Write(output_offset, input.data() + start,
+                      entire_length);
+        // DTLS sequence numbers need to be rewritten
+        if (skipped_ && IsDtls(version)) {
+          output->data()[start + 5] -= 1;
+        }
+        output_offset += entire_length;
+      } else {
+        std::cerr << "Dropping handshake: "
+                  << static_cast<unsigned>(handshake_type_) << std::endl;
+        // We only need to report that the output contains changed data if we
+        // drop a handshake message.  But once we've skipped one message, we
+        // have to modify all subsequent handshake messages so that they include
+        // the correct DTLS sequence numbers.
+        skipped_ = true;
+      }
+    }
+    output->Truncate(output_offset);
+    return skipped_;
+  }
+
+ private:
+  // The type of handshake message to drop.
+  uint8_t handshake_type_;
+  // Whether this filter has ever skipped a handshake message.  Track this so
+  // that sequence numbers on DTLS handshake messages can be rewritten in
+  // subsequent calls.
+  bool skipped_;
+};
+
+class TlsSkipTest
+  : public TlsConnectTestBase,
+    public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+
+ protected:
+  TlsSkipTest()
+    : TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
+                         std::get<1>(GetParam())) {}
+
+  void ServerSkipTest(PacketFilter* filter,
+                      uint8_t alert = kTlsAlertUnexpectedMessage) {
+    auto alert_recorder = new TlsAlertRecorder();
+    client_->SetPacketFilter(alert_recorder);
+    if (filter) {
+      server_->SetPacketFilter(filter);
+    }
+    ConnectExpectFail();
+    EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+    EXPECT_EQ(alert, alert_recorder->description());
+  }
+};
+
+TEST_P(TlsSkipTest, SkipCertificate) {
+  ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+}
+
+TEST_P(TlsSkipTest, SkipCertificateEcdhe) {
+  EnableSomeEcdheCiphers();
+  ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
+}
+
+TEST_P(TlsSkipTest, SkipCertificateEcdsa) {
+  ResetEcdsa();
+  ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
+}
+
+TEST_P(TlsSkipTest, SkipServerKeyExchange) {
+  // Have to enable some ephemeral suites, or ServerKeyExchange doesn't appear.
+  EnableSomeEcdheCiphers();
+  ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+}
+
+TEST_P(TlsSkipTest, SkipServerKeyExchangeEcdsa) {
+  ResetEcdsa();
+  ServerSkipTest(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+}
+
+TEST_P(TlsSkipTest, SkipCertAndKeyExch) {
+  auto chain = new ChainedPacketFilter();
+  chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
+  chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
+  ServerSkipTest(chain);
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+}
+
+TEST_P(TlsSkipTest, SkipCertAndKeyExchEcdsa) {
+  ResetEcdsa();
+  auto chain = new ChainedPacketFilter();
+  chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeCertificate));
+  chain->Add(new TlsHandshakeSkipFilter(kTlsHandshakeServerKeyExchange));
+  ServerSkipTest(chain);
+  client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+}
+
+INSTANTIATE_TEST_CASE_P(SkipTls10, TlsSkipTest,
+                        ::testing::Combine(
+                          TlsConnectTestBase::kTlsModesStream,
+                          TlsConnectTestBase::kTlsV10));
+INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest,
+                        ::testing::Combine(
+                          TlsConnectTestBase::kTlsModesAll,
+                          TlsConnectTestBase::kTlsV11V12));
+
+}  // namespace nss_test
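Review bot: The DTLS sequence-number rewrite in TlsHandshakeSkipFilter::FilterRecord indexes the output buffer with the input offset, `output->data()[start + 5] -= 1;`, but the kept message was just written at output_offset, and output_offset no longer equals start once a message has been dropped earlier in the same record; the decrement should read `output->data()[output_offset + 5] -= 1;`. This only bites when the dropped message and a following one share a record, which these tests may not exercise, but when it happens the patch lands on the wrong byte. The single-byte decrement also wraps when the low byte of message_seq is zero; a comment such as `// Assumes message_seq < 256 (no carry), which holds for the handshakes these tests drive.` would make that limit explicit for the next person who reuses the filter.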
--- a/security/nss/external_tests/ssl_gtest/test_io.cc
+++ b/security/nss/external_tests/ssl_gtest/test_io.cc
@@ -1,50 +1,53 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include <assert.h>
+#include "test_io.h"
 
+#include <algorithm>
+#include <cassert>
 #include <iostream>
 #include <memory>
 
 #include "prerror.h"
-#include "prio.h"
 #include "prlog.h"
 #include "prthread.h"
 
-#include "test_io.h"
+#include "databuffer.h"
 
 namespace nss_test {
 
 static PRDescIdentity test_fd_identity = PR_INVALID_IO_LAYER;
 
-#define UNIMPLEMENTED()                                                 \
-  fprintf(stderr, "Call to unimplemented function %s\n", __FUNCTION__); \
-  PR_ASSERT(PR_FALSE);                                                  \
+#define UNIMPLEMENTED()                          \
+  std::cerr << "Call to unimplemented function " \
+            << __FUNCTION__ << std::endl;        \
+  PR_ASSERT(PR_FALSE);                           \
   PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0)
 
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl;
 
-struct Packet {
-  Packet() : data_(nullptr), len_(0), offset_(0) {}
+class Packet : public DataBuffer {
+ public:
+  Packet(const DataBuffer& buf) : DataBuffer(buf), offset_(0) {}
 
-  void Assign(const void *data, int32_t len) {
-    data_ = new uint8_t[len];
-    memcpy(data_, data, len);
-    len_ = len;
+  void Advance(size_t delta) {
+    PR_ASSERT(offset_ + delta <= len());
+    offset_ = std::min(len(), offset_ + delta);
   }
 
-  ~Packet() { delete data_; }
-  uint8_t *data_;
-  int32_t len_;
-  int32_t offset_;
+  size_t offset() const { return offset_; }
+  size_t remaining() const { return len() - offset_; }
+
+ private:
+  size_t offset_;
 };
 
 // Implementation of NSPR methods
 static PRStatus DummyClose(PRFileDesc *f) {
   f->secret = nullptr;
   return PR_SUCCESS;
 }
 
@@ -241,16 +244,26 @@ static PRStatus DummyConnectContinue(PRF
   return PR_FAILURE;
 }
 
 static int32_t DummyReserved(PRFileDesc *f) {
   UNIMPLEMENTED();
   return -1;
 }
 
+DummyPrSocket::~DummyPrSocket() {
+  delete filter_;
+  while (!input_.empty())
+  {
+    Packet* front = input_.front();
+    input_.pop();
+    delete front;
+  }
+}
+
 static const struct PRIOMethods DummyMethods = {
     PR_DESC_LAYERED,  DummyClose,           DummyRead,
     DummyWrite,       DummyAvailable,       DummyAvailable64,
     DummySync,        DummySeek,            DummySeek64,
     DummyFileInfo,    DummyFileInfo64,      DummyWritev,
     DummyConnect,     DummyAccept,          DummyBind,
     DummyListen,      DummyShutdown,        DummyRecv,
     DummySend,        DummyRecvfrom,        DummySendto,
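Review bot: The new DummyPrSocket destructor establishes that the socket owns filter_, but the matching setter in test_io.h (`void SetPacketFilter(PacketFilter* filter) { filter_ = filter; }`) overwrites the pointer without freeing the previous filter, so installing a second filter on the same socket leaks the first; either `delete filter_;` before the assignment or document that a filter may be set once per socket. The ownership transfer is not stated anywhere, so a comment on SetPacketFilter such as `// Takes ownership of filter; it is deleted with the socket.` would help callers who keep a pointer to the filter (as the loopback tests do with i1/i2). As a style point, the `while (!input_.empty())` brace on its own line differs from the K&R layout used by the rest of this file.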
@@ -270,19 +283,18 @@ PRFileDesc *DummyPrSocket::CreateFD(cons
 
   return fd;
 }
 
 DummyPrSocket *DummyPrSocket::GetAdapter(PRFileDesc *fd) {
   return reinterpret_cast<DummyPrSocket *>(fd->secret);
 }
 
-void DummyPrSocket::PacketReceived(const void *data, int32_t len) {
-  input_.push(new Packet());
-  input_.back()->Assign(data, len);
+void DummyPrSocket::PacketReceived(const DataBuffer& packet) {
+  input_.push(new Packet(packet));
 }
 
 int32_t DummyPrSocket::Read(void *data, int32_t len) {
   PR_ASSERT(mode_ == STREAM);
 
   if (mode_ != STREAM) {
     PR_SetError(PR_INVALID_METHOD_ERROR, 0);
     return -1;
@@ -290,68 +302,70 @@ int32_t DummyPrSocket::Read(void *data, 
 
   if (input_.empty()) {
     LOG("Read --> wouldblock " << len);
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   Packet *front = input_.front();
-  int32_t to_read = std::min(len, front->len_ - front->offset_);
-  memcpy(data, front->data_ + front->offset_, to_read);
-  front->offset_ += to_read;
+  size_t to_read = std::min(static_cast<size_t>(len),
+                            front->len() - front->offset());
+  memcpy(data, static_cast<const void*>(front->data() + front->offset()),
+         to_read);
+  front->Advance(to_read);
 
-  if (front->offset_ == front->len_) {
+  if (!front->remaining()) {
     input_.pop();
     delete front;
   }
 
-  return to_read;
+  return static_cast<int32_t>(to_read);
 }
 
 int32_t DummyPrSocket::Recv(void *buf, int32_t buflen) {
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   Packet *front = input_.front();
-  if (buflen < front->len_) {
+  if (static_cast<size_t>(buflen) < front->len()) {
     PR_ASSERT(false);
     PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
     return -1;
   }
 
-  int32_t count = front->len_;
-  memcpy(buf, front->data_, count);
+  size_t count = front->len();
+  memcpy(buf, front->data(), count);
 
   input_.pop();
   delete front;
 
-  return count;
+  return static_cast<int32_t>(count);
 }
 
 int32_t DummyPrSocket::Write(const void *buf, int32_t length) {
-  if (inspector_) {
-    inspector_->Inspect(this, buf, length);
-  }
-
-  return WriteDirect(buf, length);
-}
-
-int32_t DummyPrSocket::WriteDirect(const void *buf, int32_t length) {
   if (!peer_) {
     PR_SetError(PR_IO_ERROR, 0);
     return -1;
   }
 
-  LOG("Wrote " << length);
-
-  peer_->PacketReceived(buf, length);
-  return length;
+  DataBuffer packet(static_cast<const uint8_t*>(buf),
+                    static_cast<size_t>(length));
+  DataBuffer filtered;
+  if (filter_ && filter_->Filter(packet, &filtered)) {
+    LOG("Filtered packet: " << filtered);
+    peer_->PacketReceived(filtered);
+  } else {
+    peer_->PacketReceived(packet);
+  }
+  // libssl can't handle it if this reports something other than the length
+  // of what was passed in (or less, but we're not doing partial writes).
+  return static_cast<int32_t>(packet.len());
 }
 
 Poller *Poller::instance;
 
 Poller *Poller::Instance() {
   if (!instance) instance = new Poller();
 
   return instance;
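Review bot: The new size_t casts in Read, Recv and Write turn a negative length into a huge value rather than rejecting it: in Read `static_cast<size_t>(len)` makes `std::min` pick the whole remaining packet and memcpy it into a buffer the caller said was smaller, and in Write `static_cast<size_t>(length)` would ask DataBuffer for an enormous allocation. The old code misbehaved on negative lengths too, so this is not a regression, but since the casts are being introduced here a guard at the top of each of the three functions, `if (len < 0) { PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0); return -1; }`, would close the gap for the price of one line each. The Write comment about reporting the full length is useful; noting there that the filter may replace the payload but the caller is still told the original length would complete it.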
@@ -433,16 +447,18 @@ bool Poller::Poll() {
 
   // Now process anything that timed out.
   now = PR_Now();
   while (!timers_.empty()) {
     if (now < timers_.top()->deadline_) break;
 
     Timer *timer = timers_.top();
     timers_.pop();
-    timer->callback_(timer->target_, TIMER_EVENT);
+    if (timer->callback_) {
+      timer->callback_(timer->target_, TIMER_EVENT);
+    }
     delete timer;
   }
 
   return true;
 }
 
 }  // namespace nss_test
--- a/security/nss/external_tests/ssl_gtest/test_io.h
+++ b/security/nss/external_tests/ssl_gtest/test_io.h
@@ -7,68 +7,79 @@
 #ifndef test_io_h_
 #define test_io_h_
 
 #include <string.h>
 #include <map>
 #include <memory>
 #include <queue>
 #include <string>
+#include <ostream>
+
+#include "prio.h"
 
 namespace nss_test {
 
-struct Packet;
+class DataBuffer;
+class Packet;
 class DummyPrSocket;  // Fwd decl.
 
 // Allow us to inspect a packet before it is written.
-class Inspector {
+class PacketFilter {
  public:
-  virtual ~Inspector() {}
+  virtual ~PacketFilter() {}
 
-  virtual void Inspect(DummyPrSocket* adapter, const void* data,
-                       size_t len) = 0;
+  // The packet filter takes input and has the option of mutating it.
+  //
+  // A filter that modifies the data places the modified data in *output and
+  // returns true.  A filter that does not modify data returns false, in which
+  // case the value in *output is ignored.
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output) = 0;
 };
 
 enum Mode { STREAM, DGRAM };
 
+inline std::ostream& operator<<(std::ostream& os, Mode m) {
+  return os << ((m == STREAM) ? "TLS" : "DTLS");
+}
+
 class DummyPrSocket {
  public:
-  ~DummyPrSocket() { delete inspector_; }
+  ~DummyPrSocket();
 
   static PRFileDesc* CreateFD(const std::string& name,
                               Mode mode);  // Returns an FD.
   static DummyPrSocket* GetAdapter(PRFileDesc* fd);
 
   void SetPeer(DummyPrSocket* peer) { peer_ = peer; }
 
-  void SetInspector(Inspector* inspector) { inspector_ = inspector; }
+  void SetPacketFilter(PacketFilter* filter) { filter_ = filter; }
 
-  void PacketReceived(const void* data, int32_t len);
+  void PacketReceived(const DataBuffer& data);
   int32_t Read(void* data, int32_t len);
   int32_t Recv(void* buf, int32_t buflen);
   int32_t Write(const void* buf, int32_t length);
-  int32_t WriteDirect(const void* buf, int32_t length);
 
   Mode mode() const { return mode_; }
-  bool readable() { return !input_.empty(); }
+  bool readable() const { return !input_.empty(); }
   bool writable() { return true; }
 
  private:
   DummyPrSocket(const std::string& name, Mode mode)
       : name_(name),
         mode_(mode),
         peer_(nullptr),
         input_(),
-        inspector_(nullptr) {}
+        filter_(nullptr) {}
 
   const std::string name_;
   Mode mode_;
   DummyPrSocket* peer_;
   std::queue<Packet*> input_;
-  Inspector* inspector_;
+  PacketFilter* filter_;
 };
 
 // Marker interface.
 class PollTarget {};
 
 enum Event { READABLE_EVENT, TIMER_EVENT /* Must be last */ };
 
 typedef void (*PollCallback)(PollTarget*, Event);
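Review bot: The header comment above PacketFilter still reads "Allow us to inspect a packet before it is written", which described the old Inspector; now that Filter can replace the payload, something like `// Allow a test to inspect, and optionally rewrite, a packet before it is written to the peer.` matches the new contract. The Filter documentation also leaves open what happens when a filter returns true with an empty *output (whether the peer receives a zero-length packet or nothing), and the skip filter in ssl_skip_unittest.cc can produce exactly that; a sentence settling it would save the next filter author from guessing. As a minor style point, `readable()` became const in this hunk while the neighbouring `writable()` did not.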
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -0,0 +1,229 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_agent.h"
+
+#include "pk11func.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslproto.h"
+#include "keyhi.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
+
+bool TlsAgent::EnsureTlsSetup() {
+  // Don't set up twice
+  if (ssl_fd_) return true;
+
+  if (adapter_->mode() == STREAM) {
+    ssl_fd_ = SSL_ImportFD(nullptr, pr_fd_);
+  } else {
+    ssl_fd_ = DTLS_ImportFD(nullptr, pr_fd_);
+  }
+
+  EXPECT_NE(nullptr, ssl_fd_);
+  if (!ssl_fd_) return false;
+  pr_fd_ = nullptr;
+
+  if (role_ == SERVER) {
+    CERTCertificate* cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
+    EXPECT_NE(nullptr, cert);
+    if (!cert) return false;
+
+    SECKEYPrivateKey* priv = PK11_FindKeyByAnyCert(cert, nullptr);
+    EXPECT_NE(nullptr, priv);
+    if (!priv) return false;  // Leak cert.
+
+    SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kea_);
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;  // Leak cert and key.
+
+    SECKEY_DestroyPrivateKey(priv);
+    CERT_DestroyCertificate(cert);
+
+    rv = SSL_SNISocketConfigHook(ssl_fd_, SniHook,
+                                 reinterpret_cast<void*>(this));
+    EXPECT_EQ(SECSuccess, rv);  // don't abort, just fail
+  } else {
+    SECStatus rv = SSL_SetURL(ssl_fd_, "server");
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;
+  }
+
+  SECStatus rv = SSL_VersionRangeSet(ssl_fd_, &vrange_);
+  EXPECT_EQ(SECSuccess, rv);
+  if (rv != SECSuccess) return false;
+
+  rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
+                               reinterpret_cast<void*>(this));
+  EXPECT_EQ(SECSuccess, rv);
+  if (rv != SECSuccess) return false;
+
+  return true;
+}
+
+void TlsAgent::StartConnect() {
+  EXPECT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv;
+  rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
+  EXPECT_EQ(SECSuccess, rv);
+  SetState(CONNECTING);
+}
+
+void TlsAgent::EnableSomeEcdheCiphers() {
+  EXPECT_TRUE(EnsureTlsSetup());
+
+  const uint32_t EcdheCiphers[] = {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                                   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+                                   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
+
+  for (size_t i = 0; i < PR_ARRAY_SIZE(EcdheCiphers); ++i) {
+    SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EcdheCiphers[i], PR_TRUE);
+    EXPECT_EQ(SECSuccess, rv);
+  }
+}
+
+void TlsAgent::SetSessionTicketsEnabled(bool en) {
+  EXPECT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
+                               en ? PR_TRUE : PR_FALSE);
+  EXPECT_EQ(SECSuccess, rv);
+}
+
+void TlsAgent::SetSessionCacheEnabled(bool en) {
+  EXPECT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
+                               en ? PR_FALSE : PR_TRUE);
+  EXPECT_EQ(SECSuccess, rv);
+}
+
+void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
+   vrange_.min = minver;
+   vrange_.max = maxver;
+
+   if (ssl_fd_) {
+     SECStatus rv = SSL_VersionRangeSet(ssl_fd_, &vrange_);
+     EXPECT_EQ(SECSuccess, rv);
+   }
+}
+
+void TlsAgent::CheckKEAType(SSLKEAType type) const {
+  EXPECT_EQ(CONNECTED, state_);
+  EXPECT_EQ(type, csinfo_.keaType);
+}
+
+void TlsAgent::CheckAuthType(SSLAuthType type) const {
+  EXPECT_EQ(CONNECTED, state_);
+  EXPECT_EQ(type, csinfo_.authAlgorithm);
+}
+
+void TlsAgent::CheckVersion(uint16_t version) const {
+  EXPECT_EQ(CONNECTED, state_);
+  EXPECT_EQ(version, info_.protocolVersion);
+}
+
+void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
+  EXPECT_TRUE(EnsureTlsSetup());
+
+  EXPECT_EQ(SECSuccess, SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE));
+  EXPECT_EQ(SECSuccess, SSL_SetNextProtoNego(ssl_fd_, val, len));
+}
+
+void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
+                         const std::string& expected) {
+  SSLNextProtoState state;
+  char chosen[10];
+  unsigned int chosen_len;
+  SECStatus rv = SSL_GetNextProto(ssl_fd_, &state,
+                                  reinterpret_cast<unsigned char*>(chosen),
+                                  &chosen_len, sizeof(chosen));
+  EXPECT_EQ(SECSuccess, rv);
+  EXPECT_EQ(expected_state, state);
+  EXPECT_EQ(expected, std::string(chosen, chosen_len));
+}
+
+void TlsAgent::EnableSrtp() {
+  EXPECT_TRUE(EnsureTlsSetup());
+  const uint16_t ciphers[] = {
+    SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32
+  };
+  EXPECT_EQ(SECSuccess, SSL_SetSRTPCiphers(ssl_fd_, ciphers,
+                                           PR_ARRAY_SIZE(ciphers)));
+
+}
+
+void TlsAgent::CheckSrtp() {
+  uint16_t actual;
+  EXPECT_EQ(SECSuccess, SSL_GetSRTPCipher(ssl_fd_, &actual));
+  EXPECT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, actual);
+}
+
+void TlsAgent::CheckErrorCode(int32_t expected) const {
+  EXPECT_EQ(ERROR, state_);
+  EXPECT_EQ(expected, error_code_);
+}
+
+void TlsAgent::Handshake() {
+  SECStatus rv = SSL_ForceHandshake(ssl_fd_);
+  if (rv == SECSuccess) {
+    LOG("Handshake success");
+    SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
+    EXPECT_EQ(SECSuccess, rv);
+
+    rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
+    EXPECT_EQ(SECSuccess, rv);
+
+    SetState(CONNECTED);
+    return;
+  }
+
+  int32_t err = PR_GetError();
+  switch (err) {
+    case PR_WOULD_BLOCK_ERROR:
+      LOG("Would have blocked");
+      // TODO(ekr@rtfm.com): set DTLS timeouts
+      Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
+                               &TlsAgent::ReadableCallback);
+      return;
+      break;
+
+      // TODO(ekr@rtfm.com): needs special case for DTLS
+    case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
+    default:
+      LOG("Handshake failed with error " << err);
+      error_code_ = err;
+      SetState(ERROR);
+      return;
+  }
+}
+
+void TlsAgent::ConfigureSessionCache(SessionResumptionMode mode) {
+  EXPECT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_,
+                               SSL_NO_CACHE,
+                               mode & RESUME_SESSIONID ?
+                               PR_FALSE : PR_TRUE);
+  EXPECT_EQ(SECSuccess, rv);
+
+  rv = SSL_OptionSet(ssl_fd_,
+                     SSL_ENABLE_SESSION_TICKETS,
+                     mode & RESUME_TICKET ?
+                     PR_TRUE : PR_FALSE);
+  EXPECT_EQ(SECSuccess, rv);
+}
+
+
+} // namespace nss_test
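Review bot: On the server path of EnsureTlsSetup, the failure returns after `PK11_FindKeyByAnyCert` and `SSL_ConfigSecureServer` leak the certificate and key, as the inline comments already admit; releasing them costs two lines, `if (!priv) { CERT_DestroyCertificate(cert); return false; }` and `if (rv != SECSuccess) { SECKEY_DestroyPrivateKey(priv); CERT_DestroyCertificate(cert); return false; }`. In Handshake() the inner `SECStatus rv = SSL_GetChannelInfo(...)` shadows the outer `rv` declared two lines earlier, and the `break;` after `return;` in the PR_WOULD_BLOCK_ERROR case is unreachable; dropping the inner `SECStatus` and the dead `break;` makes the flow read as intended. CheckAlpn decodes into a fixed `char chosen[10]`, which only fits the short protocol names this test suite uses; a comment such as `// Sized for the one-byte test protocol names; SSL_GetNextProto is bounded by sizeof(chosen).` would record that assumption for the next person who adds a longer ALPN value.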
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -0,0 +1,193 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_agent_h_
+#define tls_agent_h_
+
+#include "prio.h"
+#include "ssl.h"
+
+#include <iostream>
+
+#include "test_io.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+#define LOG(msg) std::cerr << name_ << ": " << msg << std::endl
+
+enum SessionResumptionMode {
+  RESUME_NONE = 0,
+  RESUME_SESSIONID = 1,
+  RESUME_TICKET = 2,
+  RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
+};
+
+class TlsAgent : public PollTarget {
+ public:
+  enum Role { CLIENT, SERVER };
+  enum State { INIT, CONNECTING, CONNECTED, ERROR };
+
+  TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea)
+      : name_(name),
+        mode_(mode),
+        kea_(kea),
+        pr_fd_(nullptr),
+        adapter_(nullptr),
+        ssl_fd_(nullptr),
+        role_(role),
+        state_(INIT),
+        error_code_(0) {
+      memset(&info_, 0, sizeof(info_));
+      memset(&csinfo_, 0, sizeof(csinfo_));
+      SECStatus rv = SSL_VersionRangeGetDefault(mode_ == STREAM ?
+                                                ssl_variant_stream : ssl_variant_datagram,
+                                                &vrange_);
+      EXPECT_EQ(SECSuccess, rv);
+  }
+
+  ~TlsAgent() {
+    if (pr_fd_) {
+      PR_Close(pr_fd_);
+    }
+
+    if (ssl_fd_) {
+      PR_Close(ssl_fd_);
+    }
+  }
+
+  bool Init() {
+    pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
+    if (!pr_fd_) return false;
+
+    adapter_ = DummyPrSocket::GetAdapter(pr_fd_);
+    if (!adapter_) return false;
+
+    return true;
+  }
+
+  void SetPeer(TlsAgent* peer) { adapter_->SetPeer(peer->adapter_); }
+
+  void SetPacketFilter(PacketFilter* filter) {
+    adapter_->SetPacketFilter(filter);
+  }
+
+
+  void StartConnect();
+  void CheckKEAType(SSLKEAType type) const;
+  void CheckAuthType(SSLAuthType type) const;
+  void CheckVersion(uint16_t version) const;
+
+  void Handshake();
+  void EnableSomeEcdheCiphers();
+  bool EnsureTlsSetup();
+
+  void ConfigureSessionCache(SessionResumptionMode mode);
+  void SetSessionTicketsEnabled(bool en);
+  void SetSessionCacheEnabled(bool en);
+  void SetVersionRange(uint16_t minver, uint16_t maxver);
+  void EnableAlpn(const uint8_t* val, size_t len);
+  void CheckAlpn(SSLNextProtoState expected_state,
+                 const std::string& expected);
+  void EnableSrtp();
+  void CheckSrtp();
+  void CheckErrorCode(int32_t expected) const;
+
+  State state() const { return state_; }
+
+  const char* state_str() const { return state_str(state()); }
+
+  const char* state_str(State state) const { return states[state]; }
+
+  PRFileDesc* ssl_fd() { return ssl_fd_; }
+
+  uint16_t min_version() const { return vrange_.min; }
+  uint16_t max_version() const { return vrange_.max; }
+
+  bool version(uint16_t* version) const {
+    if (state_ != CONNECTED) return false;
+
+    *version = info_.protocolVersion;
+
+    return true;
+  }
+
+  uint16_t version() const {
+    EXPECT_EQ(CONNECTED, state_);
+
+    return info_.protocolVersion;
+  }
+
+  bool cipher_suite(int16_t* cipher_suite) const {
+    if (state_ != CONNECTED) return false;
+
+    *cipher_suite = info_.cipherSuite;
+    return true;
+  }
+
+  std::string cipher_suite_name() const {
+    if (state_ != CONNECTED) return "UNKNOWN";
+
+    return csinfo_.cipherSuiteName;
+  }
+
+  std::vector<uint8_t> session_id() const {
+    return std::vector<uint8_t>(info_.sessionID,
+                                info_.sessionID + info_.sessionIDLength);
+  }
+
+ private:
+  const static char* states[];
+
+  void SetState(State state) {
+    if (state_ == state) return;
+
+    LOG("Changing state from " << state_str(state_) << " to "
+                               << state_str(state));
+    state_ = state;
+  }
+
+  // Dummy auth certificate hook.
+  static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
+                                       PRBool checksig, PRBool isServer) {
+    return SECSuccess;
+  }
+
+  static void ReadableCallback(PollTarget* self, Event event) {
+    TlsAgent* agent = static_cast<TlsAgent*>(self);
+    agent->ReadableCallback_int();
+  }
+
+  void ReadableCallback_int() {
+    LOG("Readable");
+    Handshake();
+  }
+
+  static PRInt32 SniHook(PRFileDesc *fd, const SECItem *srvNameArr,
+                         PRUint32 srvNameArrSize,
+                         void *arg) {
+    return SSL_SNI_CURRENT_CONFIG_IS_USED;
+  }
+
+  const std::string name_;
+  Mode mode_;
+  SSLKEAType kea_;
+  PRFileDesc* pr_fd_;
+  DummyPrSocket* adapter_;
+  PRFileDesc* ssl_fd_;
+  Role role_;
+  State state_;
+  SSLChannelInfo info_;
+  SSLCipherSuiteInfo csinfo_;
+  SSLVersionRange vrange_;
+  int32_t error_code_;
+};
+
+}  // namespace nss_test
+
+#endif
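Review bot: `cipher_suite(int16_t* cipher_suite)` stores `info_.cipherSuite`, an unsigned 16-bit field of SSLChannelInfo, into a signed 16-bit integer, so every suite at or above 0x8000 — which includes the ECDHE suites that EnableSomeEcdheCiphers turns on — comes back negative; the accessor should take `uint16_t* cipher_suite`, with the matching `int16_t cipher_suite1, cipher_suite2;` in tls_connect.cc's Connect() changed to `uint16_t`. The client/server equality check still passes today only because both sides truncate identically, which is why the defect is silent. AuthCertificateHook unconditionally returns SECSuccess, meaning the client accepts any server certificate; a comment making that explicit, e.g. `// Accepts any certificate without verification: this harness exercises the handshake, not trust decisions.`, would keep the class from being reused where verification matters. The `LOG` macro is defined in this header with no `#undef` and silently depends on a `name_` member in whatever scope expands it, which is worth a comment or a move to the .cc file.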
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_connect.cc
@@ -0,0 +1,231 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_connect.h"
+
+#include <iostream>
+
+#include "sslproto.h"
+#include "gtest_utils.h"
+
+extern std::string g_working_dir_path;
+
+namespace nss_test {
+
+static const std::string kTlsModesStreamArr[] = {"TLS"};
+::testing::internal::ParamGenerator<std::string>
+  TlsConnectTestBase::kTlsModesStream = ::testing::ValuesIn(kTlsModesStreamArr);
+static const std::string kTlsModesAllArr[] = {"TLS", "DTLS"};
+::testing::internal::ParamGenerator<std::string>
+  TlsConnectTestBase::kTlsModesAll = ::testing::ValuesIn(kTlsModesAllArr);
+static const uint16_t kTlsV10Arr[] = {SSL_LIBRARY_VERSION_TLS_1_0};
+::testing::internal::ParamGenerator<uint16_t>
+  TlsConnectTestBase::kTlsV10 = ::testing::ValuesIn(kTlsV10Arr);
+static const uint16_t kTlsV11V12Arr[] = {SSL_LIBRARY_VERSION_TLS_1_1,
+                                         SSL_LIBRARY_VERSION_TLS_1_2};
+::testing::internal::ParamGenerator<uint16_t>
+  TlsConnectTestBase::kTlsV11V12 = ::testing::ValuesIn(kTlsV11V12Arr);
+// TODO: add TLS 1.3
+static const uint16_t kTlsV12PlusArr[] = {SSL_LIBRARY_VERSION_TLS_1_2};
+::testing::internal::ParamGenerator<uint16_t>
+  TlsConnectTestBase::kTlsV12Plus = ::testing::ValuesIn(kTlsV12PlusArr);
+
+static std::string VersionString(uint16_t version) {
+  switch(version) {
+  case 0:
+    return "(no version)";
+  case SSL_LIBRARY_VERSION_TLS_1_0:
+    return "1.0";
+  case SSL_LIBRARY_VERSION_TLS_1_1:
+    return "1.1";
+  case SSL_LIBRARY_VERSION_TLS_1_2:
+    return "1.2";
+  default:
+    std::cerr << "Invalid version: " << version << std::endl;
+    EXPECT_TRUE(false);
+    return "";
+  }
+}
+
+TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version)
+      : mode_(mode),
+        client_(new TlsAgent("client", TlsAgent::CLIENT, mode_, ssl_kea_rsa)),
+        server_(new TlsAgent("server", TlsAgent::SERVER, mode_, ssl_kea_rsa)),
+        version_(version),
+        session_ids_() {
+  std::cerr << "Version: " << mode_ << " " << VersionString(version_) << std::endl;
+}
+
+TlsConnectTestBase::~TlsConnectTestBase() {
+  delete client_;
+  delete server_;
+}
+
+void TlsConnectTestBase::SetUp() {
+  // Configure a fresh session cache.
+  SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
+
+  // Clear statistics.
+  SSL3Statistics* stats = SSL_GetStatistics();
+  memset(stats, 0, sizeof(*stats));
+
+  Init();
+}
+
+void TlsConnectTestBase::TearDown() {
+  client_ = nullptr;
+  server_ = nullptr;
+
+  SSL_ClearSessionCache();
+  SSL_ShutdownServerSessionIDCache();
+}
+
+void TlsConnectTestBase::Init() {
+  EXPECT_TRUE(client_->Init());
+  EXPECT_TRUE(server_->Init());
+
+  client_->SetPeer(server_);
+  server_->SetPeer(client_);
+
+  if (version_) {
+    client_->SetVersionRange(version_, version_);
+    server_->SetVersionRange(version_, version_);
+  }
+}
+
+void TlsConnectTestBase::Reset(const std::string& server_name, SSLKEAType kea) {
+  delete client_;
+  delete server_;
+
+  client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_, kea);
+  server_ = new TlsAgent(server_name, TlsAgent::SERVER, mode_, kea);
+
+  Init();
+}
+
+void TlsConnectTestBase::ResetRsa() {
+  Reset("server", ssl_kea_rsa);
+}
+
+void TlsConnectTestBase::ResetEcdsa() {
+  Reset("ecdsa", ssl_kea_ecdh);
+  EnableSomeEcdheCiphers();
+}
+
+void TlsConnectTestBase::EnsureTlsSetup() {
+  EXPECT_TRUE(client_->EnsureTlsSetup());
+  EXPECT_TRUE(server_->EnsureTlsSetup());
+}
+
+void TlsConnectTestBase::Handshake() {
+  server_->StartConnect();
+  client_->StartConnect();
+  client_->Handshake();
+  server_->Handshake();
+
+  ASSERT_TRUE_WAIT((client_->state() != TlsAgent::CONNECTING) &&
+                   (server_->state() != TlsAgent::CONNECTING),
+                   5000);
+
+}
+
+void TlsConnectTestBase::Connect() {
+  Handshake();
+
+  // Check the version is as expected
+  EXPECT_EQ(client_->version(), server_->version());
+  EXPECT_EQ(std::min(client_->max_version(),
+                     server_->max_version()),
+            client_->version());
+
+  EXPECT_EQ(TlsAgent::CONNECTED, client_->state());
+  EXPECT_EQ(TlsAgent::CONNECTED, server_->state());
+
+  int16_t cipher_suite1, cipher_suite2;
+  bool ret = client_->cipher_suite(&cipher_suite1);
+  EXPECT_TRUE(ret);
+  ret = server_->cipher_suite(&cipher_suite2);
+  EXPECT_TRUE(ret);
+  EXPECT_EQ(cipher_suite1, cipher_suite2);
+
+  std::cerr << "Connected with version " << client_->version()
+            << " cipher suite " << client_->cipher_suite_name()
+            << std::endl;
+
+  // Check and store session ids.
+  std::vector<uint8_t> sid_c1 = client_->session_id();
+  EXPECT_EQ(32U, sid_c1.size());
+  std::vector<uint8_t> sid_s1 = server_->session_id();
+  EXPECT_EQ(32U, sid_s1.size());
+  EXPECT_EQ(sid_c1, sid_s1);
+  session_ids_.push_back(sid_c1);
+}
+
+void TlsConnectTestBase::ConnectExpectFail() {
+  Handshake();
+
+  ASSERT_EQ(TlsAgent::ERROR, client_->state());
+  ASSERT_EQ(TlsAgent::ERROR, server_->state());
+}
+
+void TlsConnectTestBase::EnableSomeEcdheCiphers() {
+  client_->EnableSomeEcdheCiphers();
+  server_->EnableSomeEcdheCiphers();
+}
+
+
+void TlsConnectTestBase::ConfigureSessionCache(SessionResumptionMode client,
+                                               SessionResumptionMode server) {
+  client_->ConfigureSessionCache(client);
+  server_->ConfigureSessionCache(server);
+}
+
+void TlsConnectTestBase::CheckResumption(SessionResumptionMode expected) {
+  EXPECT_NE(RESUME_BOTH, expected);
+
+  int resume_ct = expected ? 1 : 0;
+  int stateless_ct = (expected & RESUME_TICKET) ? 1 : 0;
+
+  SSL3Statistics* stats = SSL_GetStatistics();
+  EXPECT_EQ(resume_ct, stats->hch_sid_cache_hits);
+  EXPECT_EQ(resume_ct, stats->hsh_sid_cache_hits);
+
+  EXPECT_EQ(stateless_ct, stats->hch_sid_stateless_resumes);
+  EXPECT_EQ(stateless_ct, stats->hsh_sid_stateless_resumes);
+
+  if (resume_ct) {
+    // Check that the last two session ids match.
+    EXPECT_GE(2U, session_ids_.size());
+    EXPECT_EQ(session_ids_[session_ids_.size()-1],
+              session_ids_[session_ids_.size()-2]);
+  }
+}
+
+void TlsConnectTestBase::EnableAlpn() {
+  // A simple value of "a", "b".  Note that the preferred value of "a" is placed
+  // at the end, because the NSS API follows the now defunct NPN specification,
+  // which places the preferred (and default) entry at the end of the list.
+  // NSS will move this final entry to the front when used with ALPN.
+  static const uint8_t val[] = { 0x01, 0x62, 0x01, 0x61 };
+  client_->EnableAlpn(val, sizeof(val));
+  server_->EnableAlpn(val, sizeof(val));
+}
+
+void TlsConnectTestBase::EnableSrtp() {
+  client_->EnableSrtp();
+  server_->EnableSrtp();
+}
+
+void TlsConnectTestBase::CheckSrtp() {
+  client_->CheckSrtp();
+  server_->CheckSrtp();
+}
+
+TlsConnectGeneric::TlsConnectGeneric()
+  : TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
+                       std::get<1>(GetParam())) {}
+
+} // namespace nss_test
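Review bot: `EXPECT_GE(2U, session_ids_.size())` in CheckResumption asserts 2 >= size, the reverse of what the comment above it intends, and the next line then indexes `session_ids_[size()-2]`, which wraps to a huge index when fewer than two ids were recorded; since the function returns void it can use `ASSERT_LE(2U, session_ids_.size());` to fix the direction and stop before the out-of-range access. TearDown() sets `client_` and `server_` to nullptr without deleting them, so the TlsAgent objects and the PRFileDescs their destructors would close are never released and the `delete` calls in ~TlsConnectTestBase become no-ops; unless that leak is deliberate, `delete client_; client_ = nullptr;` and the same for `server_`, placed before `SSL_ClearSessionCache()`, would free them while the session cache is still configured. The TearDown body is otherwise unchanged.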
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_connect.h
@@ -0,0 +1,102 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_connect_h_
+#define tls_connect_h_
+
+#include <tuple>
+
+#include "sslt.h"
+
+#include "tls_agent.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+// A generic TLS connection test base.
+class TlsConnectTestBase : public ::testing::Test {
+ public:
+  static ::testing::internal::ParamGenerator<std::string> kTlsModesStream;
+  static ::testing::internal::ParamGenerator<std::string> kTlsModesAll;
+  static ::testing::internal::ParamGenerator<uint16_t> kTlsV10;
+  static ::testing::internal::ParamGenerator<uint16_t> kTlsV11V12;
+  static ::testing::internal::ParamGenerator<uint16_t> kTlsV12Plus;
+
+  static inline Mode ToMode(const std::string& str) {
+    return str == "TLS" ? STREAM : DGRAM;
+  }
+
+  TlsConnectTestBase(Mode mode, uint16_t version);
+  virtual ~TlsConnectTestBase();
+
+  void SetUp();
+  void TearDown();
+
+  // Initialize client and server.
+  void Init();
+  // Re-initialize client and server with the default RSA cert.
+  void ResetRsa();
+  // Re-initialize client and server with an ECDSA cert on the server
+  // and some ECDHE suites.
+  void ResetEcdsa();
+  // Make sure TLS is configured for a connection.
+  void EnsureTlsSetup();
+
+  // Run the handshake.
+  void Handshake();
+  // Connect and check that it works.
+  void Connect();
+  // Connect and expect it to fail.
+  void ConnectExpectFail();
+
+  void EnableSomeEcdheCiphers();
+  void ConfigureSessionCache(SessionResumptionMode client,
+                             SessionResumptionMode server);
+  void CheckResumption(SessionResumptionMode expected);
+  void EnableAlpn();
+  void EnableSrtp();
+  void CheckSrtp();
+ protected:
+
+  Mode mode_;
+  TlsAgent* client_;
+  TlsAgent* server_;
+  uint16_t version_;
+  std::vector<std::vector<uint8_t>> session_ids_;
+
+ private:
+  void Reset(const std::string& server_name, SSLKEAType kea);
+};
+
+// A TLS-only test base.
+class TlsConnectStream : public TlsConnectTestBase,
+                         public ::testing::WithParamInterface<uint16_t> {
+ public:
+  TlsConnectStream() : TlsConnectTestBase(STREAM, GetParam()) {}
+};
+
+// A DTLS-only test base.
+class TlsConnectDatagram : public TlsConnectTestBase,
+                           public ::testing::WithParamInterface<uint16_t> {
+ public:
+  TlsConnectDatagram() : TlsConnectTestBase(DGRAM, GetParam()) {}
+};
+
+// A generic test class that can be either STREAM or DGRAM and a single version
+// of TLS.  This is configured in ssl_loopback_unittest.cc.  All uses of this
+// should use TEST_P().
+class TlsConnectGeneric
+  : public TlsConnectTestBase,
+    public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> {
+ public:
+  TlsConnectGeneric();
+};
+
+} // namespace nss_test
+
+#endif
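Review bot: `SetUp()` and `TearDown()` override the virtual hooks of `::testing::Test` but carry neither `virtual` nor `override`, so a later signature change would silently turn them into unrelated methods that gtest never calls; the file already relies on C++11 (`std::tuple`, `nullptr`), so `void SetUp() override;` and `void TearDown() override;` cost nothing. The header also uses `std::string` and `std::vector` without including `<string>` and `<vector>`, relying on whatever tls_agent.h pulls in transitively. `ToMode()` maps every string other than "TLS" to DGRAM, so a mistyped mode parameter silently runs the DTLS variant; a comment such as `// Anything other than "TLS" is treated as DTLS.` or an `EXPECT_TRUE(str == "TLS" || str == "DTLS");` would make that visible.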
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_filter.cc
@@ -0,0 +1,232 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_filter.h"
+
+#include <iostream>
+
+namespace nss_test {
+
+bool TlsRecordFilter::Filter(const DataBuffer& input, DataBuffer* output) {
+  bool changed = false;
+  size_t output_offset = 0U;
+  output->Allocate(input.len());
+
+  TlsParser parser(input);
+  while (parser.remaining()) {
+    size_t start = parser.consumed();
+    uint8_t content_type;
+    if (!parser.Read(&content_type)) {
+      return false;
+    }
+    uint32_t version;
+    if (!parser.Read(&version, 2)) {
+      return false;
+    }
+
+    if (IsDtls(version)) {
+      if (!parser.Skip(8)) {
+        return false;
+      }
+    }
+    size_t header_len = parser.consumed() - start;
+    output->Write(output_offset, input.data() + start, header_len);
+
+    DataBuffer record;
+    if (!parser.ReadVariable(&record, 2)) {
+      return false;
+    }
+
+    // Move the offset in the output forward.  ApplyFilter() returns the index
+    // of the end of the record it wrote to the output, so we need to skip
+    // over the content type and version for the value passed to it.
+    output_offset = ApplyFilter(content_type, version, record, output,
+                                output_offset + header_len,
+                                &changed);
+  }
+  output->Truncate(output_offset);
+
+  // Record how many packets we actually touched.
+  if (changed) {
+    ++count_;
+  }
+
+  return changed;
+}
+
+size_t TlsRecordFilter::ApplyFilter(uint8_t content_type, uint16_t version,
+                                    const DataBuffer& record,
+                                    DataBuffer* output,
+                                    size_t offset, bool* changed) {
+  const DataBuffer* source = &record;
+  DataBuffer filtered;
+  if (FilterRecord(content_type, version, record, &filtered) &&
+      filtered.len() < 0x10000) {
+    *changed = true;
+    std::cerr << "record old: " << record << std::endl;
+    std::cerr << "record new: " << filtered << std::endl;
+    source = &filtered;
+  }
+
+  output->Write(offset, source->len(), 2);
+  output->Write(offset + 2, *source);
+  return offset + 2 + source->len();
+}
+
+bool TlsHandshakeFilter::FilterRecord(uint8_t content_type, uint16_t version,
+                                      const DataBuffer& input,
+                                      DataBuffer* output) {
+  // Check that the first byte is as requested.
+  if (content_type != kTlsHandshakeType) {
+    return false;
+  }
+
+  bool changed = false;
+  size_t output_offset = 0U;
+  output->Allocate(input.len()); // Preallocate a little.
+
+  TlsParser parser(input);
+  while (parser.remaining()) {
+    size_t start = parser.consumed();
+    uint8_t handshake_type;
+    if (!parser.Read(&handshake_type)) {
+      return false; // malformed
+    }
+    uint32_t length;
+    if (!ReadLength(&parser, version, &length)) {
+      return false;
+    }
+
+    size_t header_len = parser.consumed() - start;
+    output->Write(output_offset, input.data() + start, header_len);
+
+    DataBuffer handshake;
+    if (!parser.Read(&handshake, length)) {
+      return false;
+    }
+
+    // Move the offset in the output forward.  ApplyFilter() returns the index
+    // of the end of the message it wrote to the output, so we need to identify
+    // offsets from the start of the message for length and the handshake
+    // message.
+    output_offset = ApplyFilter(version, handshake_type, handshake,
+                                output, output_offset + 1,
+                                output_offset + header_len,
+                                &changed);
+  }
+  output->Truncate(output_offset);
+  return changed;
+}
+
+bool TlsHandshakeFilter::ReadLength(TlsParser* parser, uint16_t version, uint32_t *length) {
+  if (!parser->Read(length, 3)) {
+    return false; // malformed
+  }
+
+  if (!IsDtls(version)) {
+    return true; // nothing left to do
+  }
+
+  // Read and check DTLS parameters
+  if (!parser->Skip(2)) { // sequence number
+    return false;
+  }
+
+  uint32_t fragment_offset;
+  if (!parser->Read(&fragment_offset, 3)) {
+    return false;
+  }
+
+  uint32_t fragment_length;
+  if (!parser->Read(&fragment_length, 3)) {
+    return false;
+  }
+
+  // All current tests where we are using this code don't fragment.
+  return (fragment_offset == 0 && fragment_length == *length);
+}
+
+size_t TlsHandshakeFilter::ApplyFilter(
+    uint16_t version, uint8_t handshake_type, const DataBuffer& handshake,
+    DataBuffer* output, size_t length_offset, size_t value_offset,
+    bool* changed) {
+  const DataBuffer* source = &handshake;
+  DataBuffer filtered;
+  if (FilterHandshake(version, handshake_type, handshake, &filtered) &&
+      filtered.len() < 0x1000000) {
+    *changed = true;
+    std::cerr << "handshake old: " << handshake << std::endl;
+    std::cerr << "handshake new: " << filtered << std::endl;
+    source = &filtered;
+  }
+
+  // Back up and overwrite the (two) length field(s): the handshake message
+  // length and the DTLS fragment length.
+  output->Write(length_offset, source->len(), 3);
+  if (IsDtls(version)) {
+    output->Write(length_offset + 8, source->len(), 3);
+  }
+  output->Write(value_offset, *source);
+  return value_offset + source->len();
+}
+
+bool TlsInspectorRecordHandshakeMessage::FilterHandshake(
+    uint16_t version, uint8_t handshake_type,
+    const DataBuffer& input, DataBuffer* output) {
+  // Only do this once.
+  if (buffer_.len()) {
+    return false;
+  }
+
+  if (handshake_type == handshake_type_) {
+    buffer_ = input;
+  }
+  return false;
+}
+
+bool TlsAlertRecorder::FilterRecord(uint8_t content_type, uint16_t version,
+                                    const DataBuffer& input, DataBuffer* output) {
+  if (level_ == kTlsAlertFatal) { // already fatal
+    return false;
+  }
+  if (content_type != kTlsAlertType) {
+    return false;
+  }
+
+  std::cerr << "Alert: " << input << std::endl;
+
+  TlsParser parser(input);
+  uint8_t lvl;
+  if (!parser.Read(&lvl)) {
+    return false;
+  }
+  if (lvl == kTlsAlertWarning) { // not strong enough
+    return false;
+  }
+  level_ = lvl;
+  (void)parser.Read(&description_);
+  return false;
+}
+
+ChainedPacketFilter::~ChainedPacketFilter() {
+  for (auto it = filters_.begin(); it != filters_.end(); ++it) {
+    delete *it;
+  }
+}
+
+bool ChainedPacketFilter::Filter(const DataBuffer& input, DataBuffer* output) {
+  DataBuffer in(input);
+  bool changed = false;
+  for (auto it = filters_.begin(); it != filters_.end(); ++it) {
+    if ((*it)->Filter(in, output)) {
+      in = *output;
+      changed = true;
+    }
+  }
+  return changed;
+}
+
+}  // namespace nss_test
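Review bot: ChainedPacketFilter::Filter returns `changed == true` with whatever the last filter left in `*output`, but a filter that returns false is allowed to write into `*output` (test_io.h documents that its value is then ignored), and TlsRecordFilter::Filter does exactly that — it allocates, writes and truncates `*output` and also returns false early on a parse failure, leaving a partial copy behind. When an earlier filter in the chain modified the packet and a later one returns false, the caller therefore receives the later filter's scratch data instead of the modified packet; adding `if (changed) { *output = in; }` after the loop restores the documented contract, since `in` already holds the last accepted result. TlsRecordFilter::ApplyFilter and TlsHandshakeFilter::ApplyFilter silently fall back to the unmodified data when the filtered length does not fit the 2- or 3-byte length field; a `std::cerr` line in that branch, mirroring the existing "record old/new" logging, would make a dropped modification visible in the test output instead of looking like a filter that never matched.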
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_filter.h
@@ -0,0 +1,116 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_filter_h_
+#define tls_filter_h_
+
+#include <memory>
+#include <vector>
+
+#include "test_io.h"
+#include "tls_parser.h"
+
+namespace nss_test {
+
+// Abstract filter that operates on entire (D)TLS records.
+class TlsRecordFilter : public PacketFilter {
+ public:
+  TlsRecordFilter() : count_(0) {}
+
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output);
+
+  // Report how many packets were altered by the filter.
+  size_t filtered_packets() const { return count_; }
+
+ protected:
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& data, DataBuffer* changed) = 0;
+ private:
+  size_t ApplyFilter(uint8_t content_type, uint16_t version,
+                     const DataBuffer& record, DataBuffer* output,
+                     size_t offset, bool* changed);
+
+  size_t count_;
+};
+
+// Abstract filter that operates on handshake messages rather than records.
+// This assumes that the handshake messages are written in a block as entire
+// records and that they don't span records or anything crazy like that.
+class TlsHandshakeFilter : public TlsRecordFilter {
+ public:
+  TlsHandshakeFilter() {}
+
+  // Reads the length from the record header.
+  // This also reads the DTLS fragment information and checks it.
+  static bool ReadLength(TlsParser* parser, uint16_t version, uint32_t *length);
+
+ protected:
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output);
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output) = 0;
+
+ private:
+  size_t ApplyFilter(uint16_t version, uint8_t handshake_type,
+                     const DataBuffer& record, DataBuffer* output,
+                     size_t length_offset, size_t value_offset, bool* changed);
+};
+
+// Make a copy of the first instance of a handshake message.
+class TlsInspectorRecordHandshakeMessage : public TlsHandshakeFilter {
+ public:
+  TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
+      : handshake_type_(handshake_type), buffer_() {}
+
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output);
+
+  const DataBuffer& buffer() const { return buffer_; }
+
+ private:
+  uint8_t handshake_type_;
+  DataBuffer buffer_;
+};
+
+// Records an alert.  If an alert has already been recorded, it won't save the
+// new alert unless the old alert is a warning and the new one is fatal.
+class TlsAlertRecorder : public TlsRecordFilter {
+ public:
+  TlsAlertRecorder() : level_(255), description_(255) {}
+
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output);
+
+  uint8_t level() const { return level_; }
+  uint8_t description() const { return description_; }
+
+ private:
+  uint8_t level_;
+  uint8_t description_;
+};
+
+// Runs multiple packet filters in series.
+class ChainedPacketFilter : public PacketFilter {
+ public:
+  ChainedPacketFilter() {}
+  ChainedPacketFilter(const std::vector<PacketFilter*> filters)
+      : filters_(filters.begin(), filters.end()) {}
+  virtual ~ChainedPacketFilter();
+
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output);
+
+  // Takes ownership of the filter.
+  void Add(PacketFilter* filter) {
+    filters_.push_back(filter);
+  }
+
+ private:
+  std::vector<PacketFilter*> filters_;
+};
+
+}  // namespace nss_test
+
+#endif
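Review bot: ChainedPacketFilter owns the raw PacketFilter pointers in filters_ (the destructor declared at line 5142 deletes them, and Add at line 5146 says it takes ownership), yet the implicitly generated copy constructor and copy assignment remain usable, so copying a ChainedPacketFilter would double-delete every filter. Holding `std::vector<std::unique_ptr<PacketFilter>> filters_;` would make the ownership explicit and remove the hand-written destructor (`<memory>` is already included); at minimum, declare the copy operations private. The constructor at line 5140 also takes its `const std::vector<PacketFilter*>` by value and should say that it takes ownership, e.g. `// Takes ownership of every filter in |filters|.` above it.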
--- a/security/nss/external_tests/ssl_gtest/tls_parser.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.cc
@@ -1,57 +1,71 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "tls_parser.h"
 
-// Process DTLS Records
-#define CHECK_LENGTH(expected)                \
-  do {                                        \
-    if (remaining() < expected) return false; \
-  } while (0)
+namespace nss_test {
 
-bool TlsParser::Read(unsigned char* val) {
+bool TlsParser::Read(uint8_t* val) {
   if (remaining() < 1) {
     return false;
   }
   *val = *ptr();
   consume(1);
   return true;
 }
 
-bool TlsParser::Read(unsigned char* val, size_t len) {
+bool TlsParser::Read(uint32_t* val, size_t size) {
+  if (size > sizeof(uint32_t)) {
+    return false;
+  }
+
+  uint32_t v = 0;
+  for (size_t i = 0; i < size; ++i) {
+    uint8_t tmp;
+    if (!Read(&tmp)) {
+      return false;
+    }
+
+    v = (v << 8) | tmp;
+  }
+
+  *val = v;
+  return true;
+}
+
+bool TlsParser::Read(DataBuffer* val, size_t len) {
   if (remaining() < len) {
     return false;
   }
 
-  if (val) {
-    memcpy(val, ptr(), len);
-  }
+  val->Assign(ptr(), len);
   consume(len);
-
   return true;
 }
 
-bool TlsRecordParser::NextRecord(uint8_t* ct,
-                                 std::auto_ptr<DataBuffer>* buffer) {
-  if (!remaining()) return false;
-
-  CHECK_LENGTH(5U);
-  const uint8_t* ctp = reinterpret_cast<const uint8_t*>(ptr());
-  consume(3);  // ct + version
+bool TlsParser::ReadVariable(DataBuffer* val, size_t len_size) {
+  uint32_t len;
+  if (!Read(&len, len_size)) {
+    return false;
+  }
+  return Read(val, len);
+}
 
-  const uint16_t* tmp = reinterpret_cast<const uint16_t*>(ptr());
-  size_t length = ntohs(*tmp);
-  consume(2);
-
-  CHECK_LENGTH(length);
-  DataBuffer* db = new DataBuffer(ptr(), length);
-  consume(length);
-
-  *ct = *ctp;
-  buffer->reset(db);
-
+bool TlsParser::Skip(size_t len) {
+  if (len > remaining()) { return false; }
+  consume(len);
   return true;
 }
+
+bool TlsParser::SkipVariable(size_t len_size) {
+  uint32_t len;
+  if (!Read(&len, len_size)) {
+    return false;
+  }
+  return Skip(len);
+}
+
+} // namespace nss_test
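Review bot: TlsParser::Read(DataBuffer*, size_t) at line 5214 now dereferences val unconditionally, whereas the removed version tolerated a null pointer as a way of discarding bytes; any caller still passing nullptr will crash instead of skipping. Since Skip() and SkipVariable() now exist for that purpose, state the precondition on Read, `// |val| must be non-null; use Skip() to discard bytes.`, or assert it at entry. The same wording belongs on the declaration in tls_parser.h so callers see it.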
--- a/security/nss/external_tests/ssl_gtest/tls_parser.h
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.h
@@ -3,81 +3,96 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef tls_parser_h_
 #define tls_parser_h_
 
 #include <memory>
-#include <stdint.h>
-#include <string.h>
+#include <cstdint>
+#include <cstring>
 #include <arpa/inet.h>
 #include "databuffer.h"
 
-const uint8_t kTlsChangeCipherSpecType = 0x14;
-const uint8_t kTlsHandshakeType = 0x16;
+namespace nss_test {
+
+const uint8_t kTlsChangeCipherSpecType = 20;
+const uint8_t kTlsAlertType = 21;
+const uint8_t kTlsHandshakeType = 22;
 
-const uint8_t kTlsHandshakeCertificate = 0x0b;
-const uint8_t kTlsHandshakeServerKeyExchange = 0x0c;
+const uint8_t kTlsHandshakeClientHello = 1;
+const uint8_t kTlsHandshakeServerHello = 2;
+const uint8_t kTlsHandshakeCertificate = 11;
+const uint8_t kTlsHandshakeServerKeyExchange = 12;
+
+const uint8_t kTlsAlertWarning = 1;
+const uint8_t kTlsAlertFatal = 2;
+
+const uint8_t kTlsAlertUnexpectedMessage = 10;
+const uint8_t kTlsAlertHandshakeFailure = 40;
+const uint8_t kTlsAlertIllegalParameter = 47;
+const uint8_t kTlsAlertDecodeError = 50;
+const uint8_t kTlsAlertUnsupportedExtension = 110;
+const uint8_t kTlsAlertNoApplicationProtocol = 120;
 
 const uint8_t kTlsFakeChangeCipherSpec[] = {
     kTlsChangeCipherSpecType,        // Type
     0xfe,                     0xff,  // Version
     0x00,                     0x00, 0x00, 0x00,
     0x00,                     0x00, 0x00, 0x10,  // Fictitious sequence #
     0x00,                     0x01,              // Length
     0x01                                         // Value
 };
 
+inline bool IsDtls(uint16_t version) {
+  return (version & 0x8000) == 0x8000;
+}
+
+inline uint16_t NormalizeTlsVersion(uint16_t version) {
+  if (version == 0xfeff) {
+    return 0x0302; // special: DTLS 1.0 == TLS 1.1
+  }
+  if (IsDtls(version)) {
+    return (version ^ 0xffff) + 0x0201;
+  }
+  return version;
+}
+
+inline void WriteVariable(DataBuffer* target, size_t index,
+                          const DataBuffer& buf, size_t len_size) {
+  target->Write(index, static_cast<uint32_t>(buf.len()), len_size);
+  target->Write(index + len_size, buf.data(), buf.len());
+}
+
 class TlsParser {
  public:
-  TlsParser(const unsigned char *data, size_t len)
+  TlsParser(const uint8_t* data, size_t len)
       : buffer_(data, len), offset_(0) {}
-
-  bool Read(unsigned char *val);
-
-  // Read an integral type of specified width.
-  bool Read(uint32_t *val, size_t len) {
-    if (len > sizeof(uint32_t)) return false;
-
-    *val = 0;
+  explicit TlsParser(const DataBuffer& buf)
+      : buffer_(buf), offset_(0) {}
 
-    for (size_t i = 0; i < len; ++i) {
-      unsigned char tmp;
-
-      (*val) <<= 8;
-      if (!Read(&tmp)) return false;
+  bool Read(uint8_t* val);
+  // Read an integral type of specified width.
+  bool Read(uint32_t* val, size_t size);
+  // Reads len bytes into dest buffer, overwriting it.
+  bool Read(DataBuffer* dest, size_t len);
+  // Reads bytes into dest buffer, overwriting it.  The number of bytes is
+  // determined by reading from len_size bytes from the stream first.
+  bool ReadVariable(DataBuffer* dest, size_t len_size);
 
-      *val += tmp;
-    }
+  bool Skip(size_t len);
+  bool SkipVariable(size_t len_size);
 
-    return true;
-  }
-
-  bool Read(unsigned char *val, size_t len);
+  size_t consumed() const { return offset_; }
   size_t remaining() const { return buffer_.len() - offset_; }
 
  private:
   void consume(size_t len) { offset_ += len; }
-  const uint8_t *ptr() const { return buffer_.data() + offset_; }
+  const uint8_t* ptr() const { return buffer_.data() + offset_; }
 
   DataBuffer buffer_;
   size_t offset_;
 };
 
-class TlsRecordParser {
- public:
-  TlsRecordParser(const unsigned char *data, size_t len)
-      : buffer_(data, len), offset_(0) {}
-
-  bool NextRecord(uint8_t *ct, std::auto_ptr<DataBuffer> *buffer);
-
- private:
-  size_t remaining() const { return buffer_.len() - offset_; }
-  const uint8_t *ptr() const { return buffer_.data() + offset_; }
-  void consume(size_t len) { offset_ += len; }
-
-  DataBuffer buffer_;
-  size_t offset_;
-};
+} // namespace nss_test
 
 #endif
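Review bot: WriteVariable (lines 5327-5331) writes buf.len() into a len_size-byte length field without checking that the length fits, so a buffer of 2^(8*len_size) bytes or more silently yields a truncated length prefix and a malformed message whose cause is hard to trace from a later test failure. A guard before the two writes, `assert(len_size >= sizeof(uint32_t) || buf.len() < (size_t(1) << (8 * len_size)));`, turns that into an immediate failure in the test that built the bad message. With std::auto_ptr gone from this header the `<memory>` include at line 5271 appears to be unused now, unless something outside the hunk still relies on it.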
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -924,25 +924,19 @@ CERT_DecodeOidSequence(const SECItem *se
 extern SECStatus CERT_FindCertExtension
    (const CERTCertificate *cert, int tag, SECItem *value);
 
 extern SECStatus CERT_FindNSCertTypeExtension
    (CERTCertificate *cert, SECItem *value);
 
 extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
 
-extern SECStatus CERT_FindIssuerCertExtension
-   (CERTCertificate *cert, int tag, SECItem *value);
-
 extern SECStatus CERT_FindCertExtensionByOID
    (CERTCertificate *cert, SECItem *oid, SECItem *value);
 
-extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, 
-								int catag);
-
 /* Returns the decoded value of the authKeyID extension.
 **   Note that this uses passed in the arena to allocate storage for the result
 */
 extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PLArenaPool *arena,CERTCertificate *cert);
 
 /* Returns the decoded value of the basicConstraint extension.
  */
 extern SECStatus CERT_FindBasicConstraintExten
@@ -1173,16 +1167,30 @@ extern CERTPrivKeyUsagePeriod *
 CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue);
 
 extern CERTGeneralName *
 CERT_GetNextGeneralName(CERTGeneralName *current);
 
 extern CERTGeneralName *
 CERT_GetPrevGeneralName(CERTGeneralName *current);
 
+/*
+ * Look up name constraints for some certs that do not include name constraints
+ * (Most importantly, root certificates)
+ *
+ * If a matching subject is found, |extensions| will be populated with a copy of the
+ * DER-encoded name constraints extension. The data in |extensions| will point to
+ * memory that the caller owns.
+ *
+ * There is no mechanism to configure imposed name constraints right now.  All
+ * imposed name constraints are built into NSS.
+ */
+SECStatus
+CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions);
+
 CERTNameConstraint *
 CERT_GetNextNameConstraint(CERTNameConstraint *current);
 
 CERTNameConstraint *
 CERT_GetPrevNameConstraint(CERTNameConstraint *current);
 
 void
 CERT_DestroyUserNotice(CERTUserNotice *userNotice);
@@ -1544,16 +1552,19 @@ CERT_CopyNameConstraint(PLArenaPool     
  */
 extern SECStatus
 CERT_CheckNameSpace(PLArenaPool          *arena,
 		    const CERTNameConstraints *constraints,
 		    const CERTGeneralName *currentName);
 
 /*
  * Extract and allocate the name constraints extension from the CA cert.
+ * If the certificate contains no name constraints extension, but
+ * CERT_GetImposedNameConstraints returns a name constraints extension
+ * for the subject of the certificate, then that extension will be returned.
  */
 extern SECStatus
 CERT_FindNameConstraintsExten(PLArenaPool      *arena,
 			      CERTCertificate  *cert,
 			      CERTNameConstraints **constraints);
 
 /*
  * Initialize a new GERTGeneralName fields (link)
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1046,39 +1046,46 @@ SEC_GetCrlTimes(CERTCrl *date, PRTime *n
 /* These routines should probably be combined with the cert
  * routines using an common extraction routine.
  */
 SECCertTimeValidity
 SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
     PRTime notBefore, notAfter, llPendingSlop, tmp1;
     SECStatus rv;
 
+    if (!crl) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return(secCertTimeUndetermined);
+    }
+
     rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
     
     if (rv) {
 	return(secCertTimeExpired); 
     }
 
     LL_I2L(llPendingSlop, pendingSlop);
     /* convert to micro seconds */
     LL_I2L(tmp1, PR_USEC_PER_SEC);
     LL_MUL(llPendingSlop, llPendingSlop, tmp1);
     LL_SUB(notBefore, notBefore, llPendingSlop);
     if ( LL_CMP( t, <, notBefore ) ) {
+	PORT_SetError(SEC_ERROR_CRL_EXPIRED);
 	return(secCertTimeNotValidYet);
     }
 
     /* If next update is omitted and the test for notBefore passes, then
        we assume that the crl is up to date.
      */
     if ( LL_IS_ZERO(notAfter) ) {
 	return(secCertTimeValid);
     }
 
     if ( LL_CMP( t, >, notAfter) ) {
+	PORT_SetError(SEC_ERROR_CRL_EXPIRED);
 	return(secCertTimeExpired);
     }
 
     return(secCertTimeValid);
 }
 
 PRBool
 SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) {
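Review bot: The branch at line 5509 sets SEC_ERROR_CRL_EXPIRED although its condition is t < notBefore and it returns secCertTimeNotValidYet, so a caller that inspects PORT_GetError() after that result is told the CRL expired when it is not yet valid. If this tree's error table has a not-yet-valid code (NSS defines SEC_ERROR_CRL_NOT_YET_VALID in secerr.h — confirm it is present here) that branch should use it; otherwise the mismatch deserves a comment. The SEC_GetCrlTimes failure path at lines 5499-5501 still returns secCertTimeExpired with whatever error the callee left, which is inconsistent with the explicit error setting the commit adds on the other paths.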
@@ -1420,27 +1427,25 @@ cert_TestHostName(char * cn, const char 
 SECStatus
 cert_VerifySubjectAltName(const CERTCertificate *cert, const char *hn)
 {
     PLArenaPool *     arena          = NULL;
     CERTGeneralName * nameList       = NULL;
     CERTGeneralName * current;
     char *            cn;
     int               cnBufLen;
-    unsigned int      hnLen;
     int               DNSextCount    = 0;
     int               IPextCount     = 0;
     PRBool            isIPaddr       = PR_FALSE;
     SECStatus         rv             = SECFailure;
     SECItem           subAltName;
     PRNetAddr         netAddr;
     char              cnbuf[128];
 
     subAltName.data = NULL;
-    hnLen    = strlen(hn);
     cn       = cnbuf;
     cnBufLen = sizeof cnbuf;
 
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
 				&subAltName);
     if (rv != SECSuccess) {
 	goto fail;
     }
@@ -2306,31 +2311,31 @@ CERT_FixupEmailAddr(const char *emailAdd
 /*
  * NOTE - don't allow encode of govt-approved or invisible bits
  */
 SECStatus
 CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
 {
     unsigned int i;
     unsigned int *pflags;
-    
+
     if (!trust) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     trust->sslFlags = 0;
     trust->emailFlags = 0;
     trust->objectSigningFlags = 0;
     if (!trusts) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
     pflags = &trust->sslFlags;
-    
+
     for (i=0; i < PORT_Strlen(trusts); i++) {
 	switch (trusts[i]) {
 	  case 'p':
 	      *pflags = *pflags | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'P':
 	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
@@ -2366,16 +2371,17 @@ CERT_DecodeTrustString(CERTCertTrust *tr
 	  case ',':
 	      if ( pflags == &trust->sslFlags ) {
 		  pflags = &trust->emailFlags;
 	      } else {
 		  pflags = &trust->objectSigningFlags;
 	      }
 	      break;
 	  default:
+              PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	      return SECFailure;
 	}
     }
 
     return SECSuccess;
 }
 
 static void
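Review bot: Line 5601 indents the new PORT_SetError call with spaces while the surrounding switch body is tab-indented, so it does not line up with the `return SECFailure;` it precedes; re-indent it with tabs to match. Otherwise the change is right: the default case previously failed without recording a reason, which the other failure paths in this function (lines 5570 and 5577) already do.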
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -70,14 +70,29 @@ SECStatus
 CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
 		       CERTCertTrust *trust);
 
 SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
 
 PRBool
 SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
 
+/*
+** Extract the validity times from a CRL
+**	"crl" is the CRL
+**	"notBefore" is the start of the validity period (last update)
+**	"notAfter" is the end of the validity period (next update)
+*/
+SECStatus
+SEC_GetCrlTimes(CERTCrl *crl, PRTime *notBefore, PRTime *notAfter);
+
+/*
+** Check the validity times of a crl vs. time 't', allowing
+** some slop for broken clocks and stuff.
+**	"crl" is the certificate to be checked
+**	"t" is the time to check against
+*/
 SECCertTimeValidity
 SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
 
 SEC_END_PROTOS
 
 #endif /* _CERTDB_H_ */
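Review bot: The new comment for SEC_CheckCrlTimes at line 5633 describes "crl" as `the certificate to be checked`, but the parameter is a CRL; change it to `**	"crl" is the CRL to be checked`. Neither new comment states the return convention: SEC_CheckCrlTimes returns a SECCertTimeValidity and, per the certdb.c hunk in this commit, records the reason with PORT_SetError on the not-valid outcomes, and SEC_GetCrlTimes returns a SECStatus (presumably SECFailure when the update fields cannot be decoded — confirm). One line each would tell callers to inspect PORT_GetError().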
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -111,21 +111,26 @@ struct CachedCrlStr {
 */
 
 struct CRLDPCacheStr {
 #ifdef DPC_RWLOCK
     NSSRWLock* lock;
 #else
     PRLock* lock;
 #endif
-    CERTCertificate* issuer;    /* issuer cert
-                                   XXX there may be multiple issuer certs,
-                                       with different validity dates. Also
-                                       need to deal with SKID/AKID . See
-                                       bugzilla 217387, 233118 */
+    SECItem *issuerDERCert;    /* issuer DER cert. Don't hold a reference
+				  to the actual cert so the trust can be
+				  updated on the cert automatically.
+				  XXX there may be multiple issuer certs,
+				  with different validity dates. Also
+				  need to deal with SKID/AKID . See
+				  bugzilla 217387, 233118 */
+
+    CERTCertDBHandle *dbHandle;
+
     SECItem* subject;           /* DER of issuer subject */
     SECItem* distributionPoint; /* DER of distribution point. This may be
                                    NULL when distribution points aren't
                                    in use (ie. the CA has a single CRL).
                                    Currently not used. */
 
     /* array of full CRLs matching this distribution point */
     PRUint32 ncrls;              /* total number of CRLs in crls */
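Review bot: The new dbHandle member at line 5666 carries no comment, unlike every neighbouring field, and it is a borrowed pointer whose lifetime relative to the cache is not stated. From the crl.c hunks in this commit it is copied from issuer->dbhandle and later passed to CERT_NewTempCertificate to re-instantiate the issuer from issuerDERCert, so a comment such as `CERTCertDBHandle *dbHandle;   /* handle used to re-create the issuer cert from issuerDERCert; not owned by the cache */` would record that.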
@@ -160,25 +165,16 @@ struct CRLDPCacheStr {
     XCRL once we support multiple issuing distribution points, this object
     will be a hash table. For now, it just holds the single CRL distribution
     point cache structure.
 */
 
 struct CRLIssuerCacheStr {
     SECItem* subject;           /* DER of issuer subject */
     CRLDPCache* dpp;
-#if 0
-    /* XCRL for future use.
-       We don't need to lock at the moment because we only have one DP,
-       which gets created at the same time as this object */
-    NSSRWLock* lock;
-    CRLDPCache** dps;
-    PLHashTable* distributionpoints;
-    CERTCertificate* issuer;
-#endif
 };
 
 /*  CRL revocation cache object
     This object tracks all the issuer caches
 */
 
 struct CRLCacheStr {
 #ifdef GLOBAL_RWLOCK
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -181,17 +181,17 @@ struct CERTSubjectListStr {
 };
 
 /*
 ** An X.509 certificate object (the unsigned form)
 */
 struct CERTCertificateStr {
     /* the arena is used to allocate any data structures that have the same
      * lifetime as the cert.  This is all stuff that hangs off of the cert
-     * structure, and is all freed at the same time.  I is used when the
+     * structure, and is all freed at the same time.  It is used when the
      * cert is decoded, destroyed, and at some times when it changes
      * state
      */
     PLArenaPool *arena;
 
     /* The following fields are static after the cert has been decoded */
     char *subjectName;
     char *issuerName;
@@ -1172,26 +1172,26 @@ typedef struct {
      *     is not yet aware of the latest revocation methods
      *     (or does not want to use them).
      */ 
     PRUint64 *cert_rev_flags_per_method;
 
     /*
      * How many preferred methods are specified?
      * This is equivalent to the size of the array that 
-     *      preferred_revocation_methods points to.
+     *      preferred_methods points to.
      * It's allowed to set this value to zero,
      *      then NSS will decide which methods to prefer.
      */
     PRUint32 number_of_preferred_methods;
 
     /* Array that may specify an optional order of preferred methods.
      * Each array entry shall contain a method identifier as defined
      *   by CERTRevocationMethodIndex.
-     * The entry at index [0] specifies the method with highest preferrence.
+     * The entry at index [0] specifies the method with highest preference.
      * These methods will be tested first for locally available information.
      * Methods allowed for downloading will be attempted in the same order.
      */
     CERTRevocationMethodIndex *preferred_methods;
 
     /*
      * An integer which defines certain aspects of revocation checking
      * (independent of individual methods) by having individual
--- a/security/nss/lib/certdb/certv3.c
+++ b/security/nss/lib/certdb/certv3.c
@@ -38,152 +38,16 @@ SetExts(void *object, CERTCertExtension 
 }
 
 void *
 CERT_StartCertExtensions(CERTCertificate *cert)
 {
     return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
 }
 
-/* find the given extension in the certificate of the Issuer of 'cert' */
-SECStatus
-CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
-{
-    CERTCertificate *issuercert;
-    SECStatus rv;
-
-    issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
-    if ( issuercert ) {
-	rv = cert_FindExtension(issuercert->extensions, tag, value);
-	CERT_DestroyCertificate(issuercert);
-    } else {
-	rv = SECFailure;
-    }
-    
-    return(rv);
-}
-
-/* find a URL extension in the cert or its CA
- * apply the base URL string if it exists
- */
-char *
-CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
-{
-    SECStatus rv;
-    SECItem urlitem = {siBuffer,0};
-    SECItem baseitem = {siBuffer,0};
-    SECItem urlstringitem = {siBuffer,0};
-    SECItem basestringitem = {siBuffer,0};
-    PLArenaPool *arena = NULL;
-    PRBool hasbase;
-    char *urlstring;
-    char *str;
-    int len;
-    unsigned int i;
-    
-    urlstring = NULL;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( ! arena ) {
-	goto loser;
-    }
-    
-    hasbase = PR_FALSE;
-    
-    rv = cert_FindExtension(cert->extensions, tag, &urlitem);
-    if ( rv == SECSuccess ) {
-	rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
-				   &baseitem);
-	if ( rv == SECSuccess ) {
-	    hasbase = PR_TRUE;
-	}
-	
-    } else if ( catag ) {
-	/* if the cert doesn't have the extensions, see if the issuer does */
-	rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}	    
-	rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
-					 &baseitem);
-	if ( rv == SECSuccess ) {
-	    hasbase = PR_TRUE;
-	}
-    } else {
-	goto loser;
-    }
-
-    rv = SEC_QuickDERDecodeItem(arena, &urlstringitem,
-                                SEC_ASN1_GET(SEC_IA5StringTemplate), &urlitem);
-
-    if ( rv != SECSuccess ) {
-	goto loser;
-    }
-    if ( hasbase ) {
-	rv = SEC_QuickDERDecodeItem(arena, &basestringitem,
-                                    SEC_ASN1_GET(SEC_IA5StringTemplate),
-                                    &baseitem);
-
-	if ( rv != SECSuccess ) {
-	    goto loser;
-	}
-    }
-    
-    len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
-    
-    str = urlstring = (char *)PORT_Alloc(len);
-    if ( urlstring == NULL ) {
-	goto loser;
-    }
-    
-    /* copy the URL base first */
-    if ( hasbase ) {
-
-	/* if the urlstring has a : in it, then we assume it is an absolute
-	 * URL, and will not get the base string pre-pended
-	 */
-	for ( i = 0; i < urlstringitem.len; i++ ) {
-	    if ( urlstringitem.data[i] == ':' ) {
-		goto nobase;
-	    }
-	}
-	
-	PORT_Memcpy(str, basestringitem.data, basestringitem.len);
-	str += basestringitem.len;
-	
-    }
-
-nobase:
-    /* copy the rest (or all) of the URL */
-    PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
-    str += urlstringitem.len;
-    
-    *str = '\0';
-    goto done;
-    
-loser:
-    if ( urlstring ) {
-	PORT_Free(urlstring);
-    }
-    
-    urlstring = NULL;
-done:
-    if ( arena ) {
-	PORT_FreeArena(arena, PR_FALSE);
-    }
-    if ( baseitem.data ) {
-	PORT_Free(baseitem.data);
-    }
-    if ( urlitem.data ) {
-	PORT_Free(urlitem.data);
-    }
-
-    return(urlstring);
-}
-
 /*
  * get the value of the Netscape Certificate Type Extension
  */
 SECStatus
 CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
 {
 
     return (CERT_FindBitStringExtension
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -1118,19 +1118,19 @@ static SECStatus DPCache_Destroy(CRLDPCa
         }
     }
     /* free the array of CRLs */
     if (cache->crls)
     {
 	PORT_Free(cache->crls);
     }
     /* destroy the cert */
-    if (cache->issuer)
+    if (cache->issuerDERCert)
     {
-        CERT_DestroyCertificate(cache->issuer);
+        SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
     }
     /* free the subject */
     if (cache->subject)
     {
         SECITEM_FreeItem(cache->subject, PR_TRUE);
     }
     /* free the distribution points */
     if (cache->distributionPoint)
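Review bot: The comment `/* destroy the cert */` at line 5917 is now stale: the block it describes frees the issuer's DER copy with SECITEM_FreeItem rather than destroying a certificate. Change it to `/* free the issuer DER */` so it matches the new issuerDERCert field.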
@@ -1566,24 +1566,30 @@ static SECStatus CachedCrl_Verify(CRLDPC
         crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
             with bogus DER. Mark it checked so we won't try again */
         PORT_SetError(SEC_ERROR_BAD_DER);
         return SECSuccess;
     }
     else
     {
         SECStatus signstatus = SECFailure;
-        if (cache->issuer)
+        if (cache->issuerDERCert)
         {
-            signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
+	    CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
+		cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
+
+	    if (issuer) {
+                signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
                                         wincx);
+		CERT_DestroyCertificate(issuer);
+	    }
         }
         if (SECSuccess != signstatus)
         {
-            if (!cache->issuer)
+            if (!cache->issuerDERCert)
             {
                 /* we tried to verify without an issuer cert . This is
                    because this CRL came through a call to SEC_FindCrlByName.
                    So, we don't cache this verification failure. We'll try
                    to verify the CRL again when a certificate from that issuer
                    becomes available */
             } else
             {
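Review bot: If CERT_NewTempCertificate at line 5944 returns NULL (allocation or decode failure), signstatus stays SECFailure and control reaches the `else` at line 5963 with cache->issuerDERCert non-null, so the CRL is treated as having failed signature verification although none was attempted; the body of that else is outside the hunk, but if it marks the CRL as checked the transient failure becomes permanent. Consider handling a NULL issuer separately, e.g. returning SECFailure with the error CERT_NewTempCertificate set, rather than letting it fall into the bad-signature path. The added lines 5944-5951 also mix tab indentation into a block that uses spaces.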
@@ -1920,36 +1926,37 @@ static SECStatus DPCache_GetUpToDate(CRL
         {
             cache->lastcheck = PR_Now();
             DPCache_UnlockWrite();
             mustunlock = PR_FALSE;
         }
     }
 
     /* add issuer certificate if it was previously unavailable */
-    if (issuer && (NULL == cache->issuer) &&
+    if (issuer && (NULL == cache->issuerDERCert) &&
         (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
     {
         /* if we didn't have a valid issuer cert yet, but we do now. add it */
         DPCache_LockWrite();
-        if (!cache->issuer)
+        if (!cache->issuerDERCert)
         {
             dirty = PR_TRUE;
-            cache->issuer = CERT_DupCertificate(issuer);    
+	    cache->dbHandle = issuer->dbhandle;
+    	    cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
         }
         DPCache_UnlockWrite();
     }
 
     /* verify CRLs that couldn't be checked when inserted into the cache
        because the issuer cert or a verification date was unavailable.
        These are CRLs that were inserted into the cache through
        SEC_FindCrlByName, or through manual insertion, rather than through a
        certificate verification (CERT_CheckCRL) */
 
-    if (cache->issuer && vfdate )
+    if (cache->issuerDERCert && vfdate )
     {
 	mustunlock = PR_FALSE;
         /* re-process all unverified CRLs */
         for (i = 0; i < cache->ncrls ; i++)
         {
             CachedCrl* savcrl = cache->crls[i];
             if (!savcrl)
             {
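Review bot: SECITEM_DupItem at line 5986 can return NULL, yet dirty is set and cache->dbHandle assigned before the result is known, so on failure the cache is marked dirty with a dbHandle but no issuer DER; the same unchecked pattern appears in DPCache_Create at line 6018 (the distributionPoint and subject duplications there were already unchecked). Checking the result keeps the state consistent, e.g. `SECItem *der = SECITEM_DupItem(&issuer->derCert);` / `if (der) { cache->dbHandle = issuer->dbhandle; cache->issuerDERCert = der; dirty = PR_TRUE; }`. Lines 5985-5986 and 6017-6018 also mix tabs and spaces against the space-indented surrounding code.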
@@ -2196,17 +2203,18 @@ static SECStatus DPCache_Create(CRLDPCac
 #endif
     if (!cache->lock)
     {
 	PORT_Free(cache);
         return SECFailure;
     }
     if (issuer)
     {
-        cache->issuer = CERT_DupCertificate(issuer);
+	cache->dbHandle = issuer->dbhandle;
+    	cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
     }
     cache->distributionPoint = SECITEM_DupItem(dp);
     cache->subject = SECITEM_DupItem(subject);
     cache->lastfetch = 0;
     cache->lastcheck = 0;
     *returned = cache;
     return SECSuccess;
 }
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@@ -1551,86 +1551,108 @@ done:
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
     } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 
-/* Add name constraints to certain certs that do not include name constraints
- * This is the core of the implementation for bug 952572.
+/*
+ * Here we define a list of name constraints to be imposed on
+ * certain certificates, most importantly root certificates.
+ *
+ * Each entry in the name constraints list is constructed with this
+ * macro.  An entry contains two SECItems, which have names in
+ * specific forms to make the macro work:
+ *
+ *  * ${CA}_SUBJECT_DN - The subject DN for which the constraints
+ *                       should be applied
+ *  * ${CA}_NAME_CONSTRAINTS - The name constraints extension
+ *
+ * Entities subject to name constraints are identified by subject name
+ * so that we can cover all certificates for that entity, including, e.g.,
+ * cross-certificates.  We use subject rather than public key because
+ * calling methods often have easy access to that field (vs., say, a key ID),
+ * and in practice, subject names and public keys are usually in one-to-one
+ * correspondence anyway.
+ *
  */
 
-static SECStatus
-getNameExtensionsBuiltIn(CERTCertificate  *cert,
-                         SECItem *extensions)
+#define STRING_TO_SECITEM(str) \
+{ siBuffer, (unsigned char*) str, sizeof(str) - 1 }
+
+#define NAME_CONSTRAINTS_ENTRY(CA)  \
+    { \
+        STRING_TO_SECITEM(CA ## _SUBJECT_DN), \
+        STRING_TO_SECITEM(CA ## _NAME_CONSTRAINTS) \
+    }
+
+/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
+
+#define ANSSI_SUBJECT_DN \
+    "\x30\x81\x85"                                                     \
+    "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR"       /* C */  \
+    "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France"   /* ST */ \
+    "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris"    /* L */  \
+    "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN"  /* O */  \
+    "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI"    /* OU */ \
+    "\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05" "IGC/A"    /* CN */ \
+    "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01"     \
+    "\x16\x14" "igca@sgdn.pm.gouv.fr" /* emailAddress */ \
+
+#define ANSSI_NAME_CONSTRAINTS \
+    "\x30\x5D\xA0\x5B"       \
+    "\x30\x05\x82\x03" ".fr" \
+    "\x30\x05\x82\x03" ".gp" \
+    "\x30\x05\x82\x03" ".gf" \
+    "\x30\x05\x82\x03" ".mq" \
+    "\x30\x05\x82\x03" ".re" \
+    "\x30\x05\x82\x03" ".yt" \
+    "\x30\x05\x82\x03" ".pm" \
+    "\x30\x05\x82\x03" ".bl" \
+    "\x30\x05\x82\x03" ".mf" \
+    "\x30\x05\x82\x03" ".wf" \
+    "\x30\x05\x82\x03" ".pf" \
+    "\x30\x05\x82\x03" ".nc" \
+    "\x30\x05\x82\x03" ".tf" \
+
+static const SECItem builtInNameConstraints[][2] = {
+    NAME_CONSTRAINTS_ENTRY(ANSSI)
+};
+
+SECStatus
+CERT_GetImposedNameConstraints(const SECItem *derSubject,
+                               SECItem *extensions)
 {
-  const char constraintFranceGov[] = "\x30\x5D" /* sequence len = 93*/
-                                     "\xA0\x5B" /* element len =91 */
-                                     "\x30\x05" /* sequence len 5 */
-                                     "\x82\x03" /* entry len 3 */
-                                     ".fr"
-                                     "\x30\x05\x82\x03" /* sequence len5, entry len 3 */
-                                     ".gp"
-                                     "\x30\x05\x82\x03"
-                                     ".gf"
-                                     "\x30\x05\x82\x03"
-                                     ".mq"
-                                     "\x30\x05\x82\x03"
-                                     ".re"
-                                     "\x30\x05\x82\x03"
-                                     ".yt"
-                                     "\x30\x05\x82\x03"
-                                     ".pm"
-                                     "\x30\x05\x82\x03"
-                                     ".bl"
-                                     "\x30\x05\x82\x03"
-                                     ".mf"
-                                     "\x30\x05\x82\x03"
-                                     ".wf"
-                                     "\x30\x05\x82\x03"
-                                     ".pf"
-                                     "\x30\x05\x82\x03"
-                                     ".nc"
-                                     "\x30\x05\x82\x03"
-                                     ".tf";
+    size_t i;
+
+    if (!extensions) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
 
-  /* The stringified value for the subject is:
-     E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
-   */
-  const char rawANSSISubject[] = "\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04"
-                                 "\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03"
-                                 "\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65"
-                                 "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05"
-                                 "\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03"
-                                 "\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44"
-                                 "\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13"
-                                 "\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06"
-                                 "\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41"
-                                 "\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7"
-                                 "\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40"
-                                 "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
-                                 "\x76\x2E\x66\x72";
+    for (i = 0; i < PR_ARRAY_SIZE(builtInNameConstraints); ++i) {
+        if (SECITEM_ItemsAreEqual(derSubject, &builtInNameConstraints[i][0])) {
+            return SECITEM_CopyItem(NULL,
+                                    extensions, 
+                                    &builtInNameConstraints[i][1]);
+        }
+    }
 
-  const SECItem anssi_subject = {0, (unsigned char *) rawANSSISubject,
-                                 sizeof(rawANSSISubject)-1};
-  const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov,
-                                     sizeof(constraintFranceGov)-1};
-
-  if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) {
-    SECStatus rv;
-    rv = SECITEM_CopyItem(NULL, extensions, &permitFranceGovNC);
-    return rv;
-  }
-  PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-  return SECFailure;
+    PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+    return SECFailure;
 }
 
-/* Extract the name constraints extension from the CA cert. */
+/* 
+ * Extract the name constraints extension from the CA cert.
+ * If the certificate contains no name constraints extension, but
+ * CERT_GetImposedNameConstraints returns a name constraints extension
+ * for the subject of the certificate, then that extension will be returned.
+ */
 SECStatus
 CERT_FindNameConstraintsExten(PLArenaPool      *arena,
                               CERTCertificate  *cert,
                               CERTNameConstraints **constraints)
 {
     SECStatus            rv = SECSuccess;
     SECItem              constraintsExtension;
     void                *mark = NULL;
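Review bot: The lookup in `CERT_GetImposedNameConstraints` is a byte-exact `SECITEM_ItemsAreEqual` on the DER subject, so a certificate carrying the same ANSSI DN with a different attribute encoding (e.g. UTF8String where `ANSSI_SUBJECT_DN` uses the PrintableString tag `\x13`) would not receive the imposed constraints; the header comment should say so rather than leaving readers to assume a semantic DN match, e.g. `* Matching is a byte-exact comparison of the DER-encoded subject; a re-encoded form of the same DN does not match.` `derSubject` is also dereferenced without the NULL check that `extensions` gets; `if (!derSubject || !extensions) {` closes that. Finally, both `ANSSI_SUBJECT_DN` and `ANSSI_NAME_CONSTRAINTS` end with a trailing backslash followed by a blank line, so the macro silently absorbs whatever line follows if that blank is ever removed — drop the final backslash on each.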
@@ -1638,17 +1660,18 @@ CERT_FindNameConstraintsExten(PLArenaPoo
     *constraints = NULL;
 
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, 
                                 &constraintsExtension);
     if (rv != SECSuccess) {
         if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
             return rv;
         }
-        rv = getNameExtensionsBuiltIn(cert, &constraintsExtension);
+        rv = CERT_GetImposedNameConstraints(&cert->derSubject,
+                                            &constraintsExtension);
         if (rv != SECSuccess) {
           if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) {
             return SECSuccess;
           }
           return rv;
         }
     }
 
--- a/security/nss/lib/ckfw/builtins/bfind.c
+++ b/security/nss/lib/ckfw/builtins/bfind.c
@@ -178,17 +178,26 @@ nss_builtins_FindObjectsInit
   CK_ULONG ulAttributeCount,
   CK_RV *pError
 )
 {
   /* This could be made more efficient.  I'm rather rushed. */
   NSSArena *arena;
   NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
   struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL;
-  builtinsInternalObject **temp = (builtinsInternalObject **)NULL;
+
+  /*
+   * 99% of the time we get 0 or 1 matches. So we start with a small
+   * stack-allocated array to hold the matches and switch to a heap-allocated
+   * array later if the number of matches exceeds STACK_BUF_LENGTH.
+   */
+  #define STACK_BUF_LENGTH 1
+  builtinsInternalObject *stackTemp[STACK_BUF_LENGTH];
+  builtinsInternalObject **temp = stackTemp;
+  PRBool tempIsHeapAllocated = PR_FALSE;
   PRUint32 i;
 
   arena = NSSArena_Create();
   if( (NSSArena *)NULL == arena ) {
     goto loser;
   }
 
   rv = nss_ZNEW(arena, NSSCKMDFindObjects);
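Review bot: `#define STACK_BUF_LENGTH 1` sits inside the function body, but a preprocessor define has no block scope and is never `#undef`'d, so the name leaks into the rest of the translation unit; a function-local `enum { STACK_BUF_LENGTH = 1 };` gives the same array bound with proper scoping and is valid in the C89-style declaration block this function uses. The "99% of the time" figure in the new comment is an assertion without a source; stating the design intent (`/* Most lookups match zero or one object, so ... */`) avoids presenting it as a measured statistic. nss_builtins_FindObjectsInit's parameter list starts before the hunk and its body continues after it.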
@@ -206,46 +215,57 @@ nss_builtins_FindObjectsInit
   fo->arena = arena;
   /* fo->n and fo->i are already zero */
 
   rv->etc = (void *)fo;
   rv->Final = builtins_mdFindObjects_Final;
   rv->Next = builtins_mdFindObjects_Next;
   rv->null = (void *)NULL;
 
-  temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *, 
-                       nss_builtins_nObjects);
-  if( (builtinsInternalObject **)NULL == temp ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
   for( i = 0; i < nss_builtins_nObjects; i++ ) {
     builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i];
 
     if( CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o) ) {
+      if( fo->n == STACK_BUF_LENGTH ) {
+        /* Switch from the small stack array to a heap-allocated array large
+         * enough to handle matches in all remaining cases. */
+        temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *,
+                             fo->n + nss_builtins_nObjects - i);
+        if( (builtinsInternalObject **)NULL == temp ) {
+          *pError = CKR_HOST_MEMORY;
+          goto loser;
+        }
+        tempIsHeapAllocated = PR_TRUE;
+        (void)nsslibc_memcpy(temp, stackTemp,
+                             sizeof(builtinsInternalObject *) * fo->n);
+      }
+
       temp[ fo->n ] = o;
       fo->n++;
     }
   }
 
   fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n);
   if( (builtinsInternalObject **)NULL == fo->objs ) {
     *pError = CKR_HOST_MEMORY;
     goto loser;
   }
 
   (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n);
-  nss_ZFreeIf(temp);
-  temp = (builtinsInternalObject **)NULL;
+  if (tempIsHeapAllocated) {
+    nss_ZFreeIf(temp);
+    temp = (builtinsInternalObject **)NULL;
+  }
 
   return rv;
 
  loser:
-  nss_ZFreeIf(temp);
+  if (tempIsHeapAllocated) {
+    nss_ZFreeIf(temp);
+  }
   nss_ZFreeIf(fo);
   nss_ZFreeIf(rv);
   if ((NSSArena *)NULL != arena) {
      NSSArena_Destroy(arena);
   }
   return (NSSCKMDFindObjects *)NULL;
 }
 
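Review bot: The stack-to-heap switch at `if( fo->n == STACK_BUF_LENGTH )` relies on `fo->n` passing STACK_BUF_LENGTH exactly once; that holds with the current loop, but if the threshold or the loop is ever changed so the count can equal it again after the switch, the heap buffer is reallocated from the stale `stackTemp` and the previous one leaks. Guarding on the flag that already exists makes the invariant explicit: `if( !tempIsHeapAllocated && fo->n == STACK_BUF_LENGTH ) {`. It is also worth a one-line comment on the allocation-failure branch noting that `temp` becomes NULL while `tempIsHeapAllocated` stays false, so the `loser` path correctly frees nothing — as written it reads like a leak.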
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,431 +65,16 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
-# Certificate "GTE CyberTrust Global Root"
-#
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
-\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
-\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
-\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
-\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
-\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
-\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
-\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
-\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
-\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
-\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
-\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
-\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
-\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
-\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
-\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
-\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
-\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
-\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
-\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
-\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
-\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
-\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
-\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
-\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
-\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
-\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
-\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
-\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
-\037\042\265\315\225\255\272\247\314\371\253\013\172\177
-END
-
-# Trust for Certificate "GTE CyberTrust Global Root"
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
-\066\176\364\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Server CA"
-#
-# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
-# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\023\060\202\002\174\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
-\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
-\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
-\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124\150
-\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061\046
-\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027\163
-\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141\167
-\164\145\056\143\157\155\060\036\027\015\071\066\060\070\060\061
-\060\060\060\060\060\060\132\027\015\062\060\061\062\063\061\062
-\063\065\071\065\071\132\060\201\304\061\013\060\011\006\003\125
-\004\006\023\002\132\101\061\025\060\023\006\003\125\004\010\023
-\014\127\145\163\164\145\162\156\040\103\141\160\145\061\022\060
-\020\006\003\125\004\007\023\011\103\141\160\145\040\124\157\167
-\156\061\035\060\033\006\003\125\004\012\023\024\124\150\141\167
-\164\145\040\103\157\156\163\165\154\164\151\156\147\040\143\143
-\061\050\060\046\006\003\125\004\013\023\037\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143\145
-\163\040\104\151\166\151\163\151\157\156\061\031\060\027\006\003
-\125\004\003\023\020\124\150\141\167\164\145\040\123\145\162\166
-\145\162\040\103\101\061\046\060\044\006\011\052\206\110\206\367
-\015\001\011\001\026\027\163\145\162\166\145\162\055\143\145\162
-\164\163\100\164\150\141\167\164\145\056\143\157\155\060\201\237
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\201\215\000\060\201\211\002\201\201\000\323\244\120\156\310\377
-\126\153\346\317\135\266\352\014\150\165\107\242\252\302\332\204
-\045\374\250\364\107\121\332\205\265\040\164\224\206\036\017\165
-\311\351\010\141\365\006\155\060\156\025\031\002\351\122\300\142
-\333\115\231\236\342\152\014\104\070\315\376\276\343\144\011\160
-\305\376\261\153\051\266\057\111\310\073\324\047\004\045\020\227
-\057\347\220\155\300\050\102\231\327\114\103\336\303\365\041\155
-\124\237\135\303\130\341\300\344\331\133\260\270\334\264\173\337
-\066\072\302\265\146\042\022\326\207\015\002\003\001\000\001\243
-\023\060\021\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
-\004\005\000\003\201\201\000\007\372\114\151\134\373\225\314\106
-\356\205\203\115\041\060\216\312\331\250\157\111\032\346\332\121
-\343\140\160\154\204\141\021\241\032\310\110\076\131\103\175\117
-\225\075\241\213\267\013\142\230\172\165\212\335\210\116\116\236
-\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212
-\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325
-\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131
-\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274
-\243\377\212\043\056\160\107
-END
-
-# Trust for Certificate "Thawte Server CA"
-# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
-# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243
-\365\330\213\214
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Premium Server CA"
-#
-# Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
-# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Premium Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\047\060\202\002\220\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
-\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
-\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
-\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124\150
-\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145\162
-\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110\206
-\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055\163
-\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157\155
-\060\036\027\015\071\066\060\070\060\061\060\060\060\060\060\060
-\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071\132
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\322\066
-\066\152\213\327\302\133\236\332\201\101\142\217\070\356\111\004
-\125\326\320\357\034\033\225\026\107\357\030\110\065\072\122\364
-\053\152\006\217\073\057\352\126\343\257\206\215\236\027\367\236
-\264\145\165\002\115\357\313\011\242\041\121\330\233\320\147\320
-\272\015\222\006\024\163\324\223\313\227\052\000\234\134\116\014
-\274\372\025\122\374\362\104\156\332\021\112\156\010\237\057\055
-\343\371\252\072\206\163\266\106\123\130\310\211\005\275\203\021
-\270\163\077\252\007\215\364\102\115\347\100\235\034\067\002\003
-\001\000\001\243\023\060\021\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206
-\367\015\001\001\004\005\000\003\201\201\000\046\110\054\026\302
-\130\372\350\026\164\014\252\252\137\124\077\362\327\311\170\140
-\136\136\156\067\143\042\167\066\176\262\027\304\064\271\365\010
-\205\374\311\001\070\377\115\276\362\026\102\103\347\273\132\106
-\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274
-\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114
-\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310
-\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047
-\246\015\246\043\371\273\313\246\007\024\102
-END
-
-# Trust for Certificate "Thawte Premium Server CA"
-# Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
-# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Premium Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263
-\363\076\372\232
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Equifax Secure CA"
 #
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
@@ -1428,19 +1013,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
 \162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
 \167\157\162\153
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211
 \064\306
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign Root CA"
 #
 # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
@@ -2867,19 +2452,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
 \053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
 \123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
 \165\163\151\156\145\163\163\040\103\101\055\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Equifax Secure eBusiness CA 1"
 #
 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
@@ -2983,19 +2568,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
 \044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
 \123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
 \040\103\101\055\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\004
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "AddTrust Low-Value Services Root"
 #
 # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
@@ -4598,322 +4183,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \063\167
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "America Online Root Certification Authority 1"
-#
-# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Thu Nov 19 20:43:00 2037
-# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
-# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\244\060\202\002\214\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064
-\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117
-\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\061\060\036\027\015\060\062\060\065\062\070\060\066
-\060\060\060\060\132\027\015\063\067\061\061\061\071\062\060\064
-\063\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155
-\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143
-\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
-\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\061\060\202\001\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-\000\060\202\001\012\002\202\001\001\000\250\057\350\244\151\006
-\003\107\303\351\052\230\377\031\242\160\232\306\120\262\176\245
-\337\150\115\033\174\017\266\227\150\175\055\246\213\227\351\144
-\206\311\243\357\240\206\277\140\145\234\113\124\210\302\110\305
-\112\071\277\024\343\131\125\345\031\264\164\310\264\005\071\134
-\026\245\342\225\005\340\022\256\131\213\242\063\150\130\034\246
-\324\025\267\330\237\327\334\161\253\176\232\277\233\216\063\017
-\042\375\037\056\347\007\066\357\142\071\305\335\313\272\045\024
-\043\336\014\306\075\074\316\202\010\346\146\076\332\121\073\026
-\072\243\005\177\240\334\207\325\234\374\162\251\240\175\170\344
-\267\061\125\036\145\273\324\141\260\041\140\355\020\062\162\305
-\222\045\036\370\220\112\030\170\107\337\176\060\067\076\120\033
-\333\034\323\153\232\206\123\007\260\357\254\006\170\370\204\231
-\376\041\215\114\200\266\014\202\366\146\160\171\032\323\117\243
-\317\361\317\106\260\113\017\076\335\210\142\270\214\251\011\050
-\073\172\307\227\341\036\345\364\237\300\300\256\044\240\310\241
-\331\017\326\173\046\202\151\062\075\247\002\003\001\000\001\243
-\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\000
-\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327\114
-\317\063\336\060\037\006\003\125\035\043\004\030\060\026\200\024
-\000\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327
-\114\317\063\336\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\174\212\321\037\030\067\202\340
-\270\260\243\355\126\225\310\142\141\234\005\242\315\302\142\046
-\141\315\020\026\327\314\264\145\064\320\021\212\255\250\251\005
-\146\357\164\363\155\137\235\231\257\366\213\373\353\122\262\005
-\230\242\157\052\305\124\275\045\275\137\256\310\206\352\106\054
-\301\263\275\301\351\111\160\030\026\227\010\023\214\040\340\033
-\056\072\107\313\036\344\000\060\225\133\364\105\243\300\032\260
-\001\116\253\275\300\043\156\143\077\200\112\305\007\355\334\342
-\157\307\301\142\361\343\162\326\004\310\164\147\013\372\210\253
-\241\001\310\157\360\024\257\322\231\315\121\223\176\355\056\070
-\307\275\316\106\120\075\162\343\171\045\235\233\210\053\020\040
-\335\245\270\062\237\215\340\051\337\041\164\206\202\333\057\202
-\060\306\307\065\206\263\371\226\137\106\333\014\105\375\363\120
-\303\157\306\303\110\255\106\246\341\047\107\012\035\016\233\266
-\302\167\177\143\362\340\175\032\276\374\340\337\327\307\247\154
-\260\371\256\272\074\375\164\264\021\350\130\015\200\274\323\250
-\200\072\231\355\165\314\106\173
-END
-
-# Trust for Certificate "America Online Root Certification Authority 1"
-# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Thu Nov 19 20:43:00 2037
-# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
-# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330
-\005\013\126\152
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "America Online Root Certification Authority 2"
-#
-# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Tue Sep 29 14:08:00 2037
-# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
-# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\244\060\202\003\214\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064
-\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117
-\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\062\060\036\027\015\060\062\060\065\062\070\060\066
-\060\060\060\060\132\027\015\063\067\060\071\062\071\061\064\060
-\070\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155
-\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143
-\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
-\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\062\060\202\002\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017
-\000\060\202\002\012\002\202\002\001\000\314\101\105\035\351\075
-\115\020\366\214\261\101\311\340\136\313\015\267\277\107\163\323
-\360\125\115\335\306\014\372\261\146\005\152\315\170\264\334\002
-\333\116\201\363\327\247\174\161\274\165\143\240\135\343\007\014
-\110\354\045\304\003\040\364\377\016\073\022\377\233\215\341\306
-\325\033\264\155\042\343\261\333\177\041\144\257\206\274\127\042
-\052\326\107\201\127\104\202\126\123\275\206\024\001\013\374\177
-\164\244\132\256\361\272\021\265\233\130\132\200\264\067\170\011
-\063\174\062\107\003\134\304\245\203\110\364\127\126\156\201\066
-\047\030\117\354\233\050\302\324\264\327\174\014\076\014\053\337
-\312\004\327\306\216\352\130\116\250\244\245\030\034\154\105\230
-\243\101\321\055\322\307\155\215\031\361\255\171\267\201\077\275
-\006\202\047\055\020\130\005\265\170\005\271\057\333\014\153\220
-\220\176\024\131\070\273\224\044\023\345\321\235\024\337\323\202
-\115\106\360\200\071\122\062\017\343\204\262\172\103\362\136\336
-\137\077\035\335\343\262\033\240\241\052\043\003\156\056\001\025
-\207\134\246\165\165\307\227\141\276\336\206\334\324\110\333\275
-\052\277\112\125\332\350\175\120\373\264\200\027\270\224\277\001
-\075\352\332\272\174\340\130\147\027\271\130\340\210\206\106\147
-\154\235\020\107\130\062\320\065\174\171\052\220\242\132\020\021
-\043\065\255\057\314\344\112\133\247\310\047\362\203\336\136\273
-\136\167\347\350\245\156\143\302\015\135\141\320\214\322\154\132
-\041\016\312\050\243\316\052\351\225\307\110\317\226\157\035\222
-\045\310\306\306\301\301\014\005\254\046\304\322\165\322\341\052
-\147\300\075\133\245\232\353\317\173\032\250\235\024\105\345\017
-\240\232\145\336\057\050\275\316\157\224\146\203\110\051\330\352
-\145\214\257\223\331\144\237\125\127\046\277\157\313\067\061\231
-\243\140\273\034\255\211\064\062\142\270\103\041\006\162\014\241
-\134\155\106\305\372\051\317\060\336\211\334\161\133\335\266\067
-\076\337\120\365\270\007\045\046\345\274\265\376\074\002\263\267
-\370\276\103\301\207\021\224\236\043\154\027\212\270\212\047\014
-\124\107\360\251\263\300\200\214\240\047\353\035\031\343\007\216
-\167\160\312\053\364\175\166\340\170\147\002\003\001\000\001\243
-\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\115
-\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241\043
-\024\327\236\060\037\006\003\125\035\043\004\030\060\026\200\024
-\115\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241
-\043\024\327\236\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\002\001\000\147\153\006\271\137\105\073\052
-\113\063\263\346\033\153\131\116\042\314\271\267\244\045\311\247
-\304\360\124\226\013\144\363\261\130\117\136\121\374\262\227\173
-\047\145\302\345\312\347\015\014\045\173\142\343\372\237\264\207
-\267\105\106\257\203\245\227\110\214\245\275\361\026\053\233\166
-\054\172\065\140\154\021\200\227\314\251\222\122\346\053\346\151
-\355\251\370\066\055\054\167\277\141\110\321\143\013\271\133\122
-\355\030\260\103\102\042\246\261\167\256\336\151\305\315\307\034
-\241\261\245\034\020\373\030\276\032\160\335\301\222\113\276\051
-\132\235\077\065\276\345\175\121\370\125\340\045\165\043\207\036
-\134\334\272\235\260\254\263\151\333\027\203\311\367\336\014\274
-\010\334\221\236\250\320\327\025\067\163\245\065\270\374\176\305
-\104\100\006\303\353\370\042\200\134\107\316\002\343\021\237\104
-\377\375\232\062\314\175\144\121\016\353\127\046\166\072\343\036
-\042\074\302\246\066\335\031\357\247\374\022\363\046\300\131\061
-\205\114\234\330\317\337\244\314\314\051\223\377\224\155\166\134
-\023\010\227\362\355\245\013\115\335\350\311\150\016\146\323\000
-\016\063\022\133\274\225\345\062\220\250\263\306\154\203\255\167
-\356\213\176\176\261\251\253\323\341\361\266\300\261\352\210\300
-\347\323\220\351\050\222\224\173\150\173\227\052\012\147\055\205
-\002\070\020\344\003\141\324\332\045\066\307\010\130\055\241\247
-\121\257\060\012\111\365\246\151\207\007\055\104\106\166\216\052
-\345\232\073\327\030\242\374\234\070\020\314\306\073\322\265\027
-\072\157\375\256\045\275\365\162\131\144\261\164\052\070\137\030
-\114\337\317\161\004\132\066\324\277\057\231\234\350\331\272\261
-\225\346\002\113\041\241\133\325\301\117\217\256\151\155\123\333
-\001\223\265\134\036\030\335\144\132\312\030\050\076\143\004\021
-\375\034\215\000\017\270\067\337\147\212\235\146\251\002\152\221
-\377\023\312\057\135\203\274\207\223\154\334\044\121\026\004\045
-\146\372\263\331\302\272\051\276\232\110\070\202\231\364\277\073
-\112\061\031\371\277\216\041\063\024\312\117\124\137\373\316\373
-\217\161\177\375\136\031\240\017\113\221\270\304\124\274\006\260
-\105\217\046\221\242\216\376\251
-END
-
-# Trust for Certificate "America Online Root Certification Authority 2"
-# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Tue Sep 29 14:08:00 2037
-# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
-# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023
-\333\027\222\204
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Visa eCommerce Root"
 #
 # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Not Valid Before: Wed Jun 26 02:18:36 2002
 # Not Valid After : Fri Jun 24 00:16:12 2022
 # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
@@ -13890,19 +13169,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
 \101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
 \162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
 \040\063\040\103\101\040\111\111
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TC TrustCenter Universal CA I"
 #
 # Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
 # Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
 # Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
@@ -18057,159 +17336,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\302\176\103\004\116\107\077\031
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
-#
-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
-# Not Valid Before: Thu Jan 04 11:32:48 2007
-# Not Valid After : Wed Jan 04 11:32:48 2017
-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
-\141\171\151\143\151\163\151
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
-\141\171\151\143\151\163\151
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
-\254\265
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\266\060\202\002\236\240\003\002\001\002\002\020\104
-\231\215\074\300\003\047\275\234\166\225\271\352\333\254\265\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\165
-\061\013\060\011\006\003\125\004\006\023\002\124\122\061\050\060
-\046\006\003\125\004\012\023\037\105\154\145\153\164\162\157\156
-\151\153\040\102\151\154\147\151\040\107\165\166\145\156\154\151
-\147\151\040\101\056\123\056\061\074\060\072\006\003\125\004\003
-\023\063\145\055\107\165\166\145\156\040\113\157\153\040\105\154
-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
-\153\141\040\110\151\172\155\145\164\040\123\141\147\154\141\171
-\151\143\151\163\151\060\036\027\015\060\067\060\061\060\064\061
-\061\063\062\064\070\132\027\015\061\067\060\061\060\064\061\061
-\063\062\064\070\132\060\165\061\013\060\011\006\003\125\004\006
-\023\002\124\122\061\050\060\046\006\003\125\004\012\023\037\105
-\154\145\153\164\162\157\156\151\153\040\102\151\154\147\151\040
-\107\165\166\145\156\154\151\147\151\040\101\056\123\056\061\074
-\060\072\006\003\125\004\003\023\063\145\055\107\165\166\145\156
-\040\113\157\153\040\105\154\145\153\164\162\157\156\151\153\040
-\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145\164
-\040\123\141\147\154\141\171\151\143\151\163\151\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\303\022\040
-\236\260\136\000\145\215\116\106\273\200\134\351\054\006\227\325
-\363\162\311\160\271\347\113\145\200\301\113\276\176\074\327\124
-\061\224\336\325\022\272\123\026\002\352\130\143\357\133\330\363
-\355\052\032\252\161\110\243\334\020\055\137\137\353\134\113\234
-\226\010\102\045\050\021\314\212\132\142\001\120\325\353\011\123
-\057\370\303\217\376\263\374\375\235\242\343\137\175\276\355\013
-\340\140\353\151\354\063\355\330\215\373\022\111\203\000\311\213
-\227\214\073\163\052\062\263\022\367\271\115\362\364\115\155\307
-\346\326\046\067\010\362\331\375\153\134\243\345\110\134\130\274
-\102\276\003\132\201\272\034\065\014\000\323\365\043\176\161\060
-\010\046\070\334\045\021\107\055\363\272\043\020\245\277\274\002
-\367\103\136\307\376\260\067\120\231\173\017\223\316\346\103\054
-\303\176\015\362\034\103\146\140\313\141\061\107\207\243\117\256
-\275\126\154\114\274\274\370\005\312\144\364\351\064\241\054\265
-\163\341\302\076\350\310\311\064\045\010\134\363\355\246\307\224
-\237\255\210\103\045\327\341\071\140\376\254\071\131\002\003\001
-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
-\004\024\237\356\104\263\224\325\372\221\117\056\331\125\232\004
-\126\333\055\304\333\245\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\177\137\271\123\133\143
-\075\165\062\347\372\304\164\032\313\106\337\106\151\034\122\317
-\252\117\302\150\353\377\200\251\121\350\075\142\167\211\075\012
-\165\071\361\156\135\027\207\157\150\005\301\224\154\331\135\337
-\332\262\131\313\245\020\212\312\314\071\315\237\353\116\336\122
-\377\014\360\364\222\251\362\154\123\253\233\322\107\240\037\164
-\367\233\232\361\057\025\237\172\144\060\030\007\074\052\017\147
-\312\374\017\211\141\235\145\245\074\345\274\023\133\010\333\343
-\377\355\273\006\273\152\006\261\172\117\145\306\202\375\036\234
-\213\265\015\356\110\273\270\275\252\010\264\373\243\174\313\237
-\315\220\166\134\206\226\170\127\012\146\371\130\032\235\375\227
-\051\140\336\021\246\220\034\031\034\356\001\226\042\064\064\056
-\221\371\267\304\047\321\173\346\277\373\200\104\132\026\345\353
-\340\324\012\070\274\344\221\343\325\353\134\301\254\337\033\152
-\174\236\345\165\322\266\227\207\333\314\207\053\103\072\204\010
-\257\253\074\333\367\074\146\061\206\260\235\123\171\355\370\043
-\336\102\343\055\202\361\017\345\372\227
-END
-
-# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
-# Not Valid Before: Thu Jan 04 11:32:48 2007
-# Not Valid After : Wed Jan 04 11:32:48 2017
-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\335\341\322\251\001\200\056\035\207\136\204\263\200\176\113\261
-\375\231\101\064
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\075\101\051\313\036\252\021\164\315\135\260\142\257\260\103\133
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
-\141\171\151\143\151\163\151
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
-\254\265
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "GlobalSign Root CA - R3"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Not Valid Before: Wed Mar 18 10:00:00 2009
 # Not Valid After : Sun Mar 18 10:00:00 2029
 # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
@@ -29990,16 +29126,725 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \110\215
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "COMODO RSA Certification Authority"
+#
+# Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
+# Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Tue Jan 19 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
+# Fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO RSA Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\122\123\101
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\122\123\101
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\114\252\371\312\333\143\157\340\037\367\116\330\133\003
+\206\235
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\330\060\202\003\300\240\003\002\001\002\002\020\114
+\252\371\312\333\143\157\340\037\367\116\330\133\003\206\235\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\201
+\205\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
+\060\031\006\003\125\004\010\023\022\107\162\145\141\164\145\162
+\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
+\003\125\004\007\023\007\123\141\154\146\157\162\144\061\032\060
+\030\006\003\125\004\012\023\021\103\117\115\117\104\117\040\103
+\101\040\114\151\155\151\164\145\144\061\053\060\051\006\003\125
+\004\003\023\042\103\117\115\117\104\117\040\122\123\101\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171\060\036\027\015\061\060\060\061\061\071
+\060\060\060\060\060\060\132\027\015\063\070\060\061\061\070\062
+\063\065\071\065\071\132\060\201\205\061\013\060\011\006\003\125
+\004\006\023\002\107\102\061\033\060\031\006\003\125\004\010\023
+\022\107\162\145\141\164\145\162\040\115\141\156\143\150\145\163
+\164\145\162\061\020\060\016\006\003\125\004\007\023\007\123\141
+\154\146\157\162\144\061\032\060\030\006\003\125\004\012\023\021
+\103\117\115\117\104\117\040\103\101\040\114\151\155\151\164\145
+\144\061\053\060\051\006\003\125\004\003\023\042\103\117\115\117
+\104\117\040\122\123\101\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\202
+\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\221
+\350\124\222\322\012\126\261\254\015\044\335\305\317\104\147\164
+\231\053\067\243\175\043\160\000\161\274\123\337\304\372\052\022
+\217\113\177\020\126\275\237\160\162\267\141\177\311\113\017\027
+\247\075\343\260\004\141\356\377\021\227\307\364\206\076\012\372
+\076\134\371\223\346\064\172\331\024\153\347\234\263\205\240\202
+\172\166\257\161\220\327\354\375\015\372\234\154\372\337\260\202
+\364\024\176\371\276\304\246\057\117\177\231\177\265\374\147\103
+\162\275\014\000\326\211\353\153\054\323\355\217\230\034\024\253
+\176\345\343\156\374\330\250\344\222\044\332\103\153\142\270\125
+\375\352\301\274\154\266\213\363\016\215\232\344\233\154\151\231
+\370\170\110\060\105\325\255\341\015\074\105\140\374\062\226\121
+\047\274\147\303\312\056\266\153\352\106\307\307\040\240\261\037
+\145\336\110\010\272\244\116\251\362\203\106\067\204\353\350\314
+\201\110\103\147\116\162\052\233\134\275\114\033\050\212\134\042
+\173\264\253\230\331\356\340\121\203\303\011\106\116\155\076\231
+\372\225\027\332\174\063\127\101\074\215\121\355\013\266\134\257
+\054\143\032\337\127\310\077\274\351\135\304\233\257\105\231\342
+\243\132\044\264\272\251\126\075\317\157\252\377\111\130\276\360
+\250\377\364\270\255\351\067\373\272\270\364\013\072\371\350\103
+\102\036\211\330\204\313\023\361\331\273\341\211\140\270\214\050
+\126\254\024\035\234\012\347\161\353\317\016\335\075\251\226\241
+\110\275\074\367\257\265\015\042\114\300\021\201\354\126\073\366
+\323\242\342\133\267\262\004\042\122\225\200\223\151\350\216\114
+\145\361\221\003\055\160\164\002\352\213\147\025\051\151\122\002
+\273\327\337\120\152\125\106\277\240\243\050\141\177\160\320\303
+\242\252\054\041\252\107\316\050\234\006\105\166\277\202\030\047
+\264\325\256\264\313\120\346\153\364\114\206\161\060\351\246\337
+\026\206\340\330\377\100\335\373\320\102\210\177\243\063\072\056
+\134\036\101\021\201\143\316\030\161\153\053\354\246\212\267\061
+\134\072\152\107\340\303\171\131\326\040\032\257\362\152\230\252
+\162\274\127\112\322\113\235\273\020\374\260\114\101\345\355\035
+\075\136\050\235\234\314\277\263\121\332\247\107\345\204\123\002
+\003\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004
+\026\004\024\273\257\176\002\075\372\246\361\074\204\216\255\356
+\070\230\354\331\062\062\324\060\016\006\003\125\035\017\001\001
+\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001
+\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206
+\367\015\001\001\014\005\000\003\202\002\001\000\012\361\325\106
+\204\267\256\121\273\154\262\115\101\024\000\223\114\234\313\345
+\300\124\317\240\045\216\002\371\375\260\242\015\365\040\230\074
+\023\055\254\126\242\260\326\176\021\222\351\056\272\236\056\232
+\162\261\275\031\104\154\141\065\242\232\264\026\022\151\132\214
+\341\327\076\244\032\350\057\003\364\256\141\035\020\033\052\244
+\213\172\305\376\005\246\341\300\326\310\376\236\256\217\053\272
+\075\231\370\330\163\011\130\106\156\246\234\364\327\047\323\225
+\332\067\203\162\034\323\163\340\242\107\231\003\070\135\325\111
+\171\000\051\034\307\354\233\040\034\007\044\151\127\170\262\071
+\374\072\204\240\265\234\174\215\277\056\223\142\047\267\071\332
+\027\030\256\275\074\011\150\377\204\233\074\325\326\013\003\343
+\127\236\024\367\321\353\117\310\275\207\043\267\266\111\103\171
+\205\134\272\353\222\013\241\306\350\150\250\114\026\261\032\231
+\012\350\123\054\222\273\241\011\030\165\014\145\250\173\313\043
+\267\032\302\050\205\303\033\377\320\053\142\357\244\173\011\221
+\230\147\214\024\001\315\150\006\152\143\041\165\003\200\210\212
+\156\201\306\205\362\251\244\055\347\364\245\044\020\107\203\312
+\315\364\215\171\130\261\006\233\347\032\052\331\235\001\327\224
+\175\355\003\112\312\360\333\350\251\001\076\365\126\231\311\036
+\216\111\075\273\345\011\271\340\117\111\222\075\026\202\100\314
+\314\131\306\346\072\355\022\056\151\074\154\225\261\375\252\035
+\173\177\206\276\036\016\062\106\373\373\023\217\165\177\114\213
+\113\106\143\376\000\064\100\160\301\303\271\241\335\246\160\342
+\004\263\101\274\351\200\221\352\144\234\172\341\042\003\251\234
+\156\157\016\145\117\154\207\207\136\363\156\240\371\165\245\233
+\100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336
+\274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116
+\166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245
+\320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174
+\372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354
+\265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
+\065\123\205\006\112\135\237\255\273\033\137\164
+END
+
+# Trust for "COMODO RSA Certification Authority"
+# Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
+# Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Tue Jan 19 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
+# Fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO RSA Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\257\345\322\104\250\321\031\102\060\377\107\237\342\370\227\273
+\315\172\214\264
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\033\061\260\161\100\066\314\024\066\221\255\304\076\375\354\030
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\122\123\101
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\114\252\371\312\333\143\157\340\037\367\116\330\133\003
+\206\235
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "USERTrust RSA Certification Authority"
+#
+# Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
+# Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
+# Fingerprint (SHA1): 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust RSA Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\122\123\101\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\122\123\101\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\001\375\155\060\374\243\312\121\250\033\274\144\016\065
+\003\055
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\336\060\202\003\306\240\003\002\001\002\002\020\001
+\375\155\060\374\243\312\121\250\033\274\144\016\065\003\055\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\201
+\210\061\013\060\011\006\003\125\004\006\023\002\125\123\061\023
+\060\021\006\003\125\004\010\023\012\116\145\167\040\112\145\162
+\163\145\171\061\024\060\022\006\003\125\004\007\023\013\112\145
+\162\163\145\171\040\103\151\164\171\061\036\060\034\006\003\125
+\004\012\023\025\124\150\145\040\125\123\105\122\124\122\125\123
+\124\040\116\145\164\167\157\162\153\061\056\060\054\006\003\125
+\004\003\023\045\125\123\105\122\124\162\165\163\164\040\122\123
+\101\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\060\036\027\015\061\060\060
+\062\060\061\060\060\060\060\060\060\132\027\015\063\070\060\061
+\061\070\062\063\065\071\065\071\132\060\201\210\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\023\060\021\006\003\125
+\004\010\023\012\116\145\167\040\112\145\162\163\145\171\061\024
+\060\022\006\003\125\004\007\023\013\112\145\162\163\145\171\040
+\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
+\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
+\167\157\162\153\061\056\060\054\006\003\125\004\003\023\045\125
+\123\105\122\124\162\165\163\164\040\122\123\101\040\103\145\162
+\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+\162\151\164\171\060\202\002\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
+\002\202\002\001\000\200\022\145\027\066\016\303\333\010\263\320
+\254\127\015\166\355\315\047\323\114\255\120\203\141\342\252\040
+\115\011\055\144\011\334\316\211\237\314\075\251\354\366\317\301
+\334\361\323\261\326\173\067\050\021\053\107\332\071\306\274\072
+\031\264\137\246\275\175\235\243\143\102\266\166\362\251\073\053
+\221\370\342\157\320\354\026\040\220\011\076\342\350\164\311\030
+\264\221\324\142\144\333\177\243\006\361\210\030\152\220\042\074
+\274\376\023\360\207\024\173\366\344\037\216\324\344\121\306\021
+\147\106\010\121\313\206\024\124\077\274\063\376\176\154\234\377
+\026\235\030\275\121\216\065\246\247\146\310\162\147\333\041\146
+\261\324\233\170\003\300\120\072\350\314\360\334\274\236\114\376
+\257\005\226\065\037\127\132\267\377\316\371\075\267\054\266\366
+\124\335\310\347\022\072\115\256\114\212\267\134\232\264\267\040
+\075\312\177\042\064\256\176\073\150\146\001\104\347\001\116\106
+\123\233\063\140\367\224\276\123\067\220\163\103\363\062\303\123
+\357\333\252\376\164\116\151\307\153\214\140\223\336\304\307\014
+\337\341\062\256\314\223\073\121\170\225\147\213\356\075\126\376
+\014\320\151\017\033\017\363\045\046\153\063\155\367\156\107\372
+\163\103\345\176\016\245\146\261\051\174\062\204\143\125\211\304
+\015\301\223\124\060\031\023\254\323\175\067\247\353\135\072\154
+\065\134\333\101\327\022\332\251\111\013\337\330\200\212\011\223
+\142\216\265\146\317\045\210\315\204\270\261\077\244\071\017\331
+\002\236\353\022\114\225\174\363\153\005\251\136\026\203\314\270
+\147\342\350\023\235\314\133\202\323\114\263\355\133\377\336\345
+\163\254\043\073\055\000\277\065\125\164\011\111\330\111\130\032
+\177\222\066\346\121\222\016\363\046\175\034\115\027\274\311\354
+\103\046\320\277\101\137\100\251\104\104\364\231\347\127\207\236
+\120\037\127\124\250\076\375\164\143\057\261\120\145\011\346\130
+\102\056\103\032\114\264\360\045\107\131\372\004\036\223\324\046
+\106\112\120\201\262\336\276\170\267\374\147\025\341\311\127\204
+\036\017\143\326\351\142\272\326\137\125\056\352\134\306\050\010
+\004\045\071\270\016\053\251\362\114\227\034\007\077\015\122\365
+\355\357\057\202\017\002\003\001\000\001\243\102\060\100\060\035
+\006\003\125\035\016\004\026\004\024\123\171\277\132\252\053\112
+\317\124\200\341\330\233\300\235\362\262\003\146\313\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015
+\006\011\052\206\110\206\367\015\001\001\014\005\000\003\202\002
+\001\000\134\324\174\015\317\367\001\175\101\231\145\014\163\305
+\122\237\313\370\317\231\006\177\033\332\103\025\237\236\002\125
+\127\226\024\361\122\074\047\207\224\050\355\037\072\001\067\242
+\166\374\123\120\300\204\233\306\153\116\272\214\041\117\242\216
+\125\142\221\363\151\025\330\274\210\343\304\252\013\375\357\250
+\351\113\125\052\006\040\155\125\170\051\031\356\137\060\134\113
+\044\021\125\377\044\232\156\136\052\053\356\013\115\237\177\367
+\001\070\224\024\225\103\007\011\373\140\251\356\034\253\022\214
+\240\232\136\247\230\152\131\155\213\077\010\373\310\321\105\257
+\030\025\144\220\022\017\163\050\056\305\342\044\116\374\130\354
+\360\364\105\376\042\263\353\057\216\322\331\105\141\005\301\227
+\157\250\166\162\217\213\214\066\257\277\015\005\316\161\215\346
+\246\157\037\154\246\161\142\305\330\320\203\162\014\361\147\021
+\211\014\234\023\114\162\064\337\274\325\161\337\252\161\335\341
+\271\154\214\074\022\135\145\332\275\127\022\266\103\153\377\345
+\336\115\146\021\121\317\231\256\354\027\266\350\161\221\214\336
+\111\376\335\065\161\242\025\047\224\034\317\141\343\046\273\157
+\243\147\045\041\135\346\335\035\013\056\150\033\073\202\257\354
+\203\147\205\324\230\121\164\261\271\231\200\211\377\177\170\031
+\134\171\112\140\056\222\100\256\114\067\052\054\311\307\142\310
+\016\135\367\066\133\312\340\045\045\001\264\335\032\007\234\167
+\000\077\320\334\325\354\075\324\372\273\077\314\205\326\157\177
+\251\055\337\271\002\367\365\227\232\265\065\332\303\147\260\207
+\112\251\050\236\043\216\377\134\047\153\341\260\117\363\007\356
+\000\056\324\131\207\313\122\101\225\352\364\107\327\356\144\101
+\125\174\215\131\002\225\335\142\235\302\271\356\132\050\164\204
+\245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301
+\260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201
+\057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217
+\173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135
+\231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306
+\216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
+\250\375
+END
+
+# Trust for "USERTrust RSA Certification Authority"
+# Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
+# Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
+# Fingerprint (SHA1): 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust RSA Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\053\217\033\127\063\015\273\242\320\172\154\121\367\016\351\015
+\332\271\255\216
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\033\376\151\321\221\267\031\063\243\162\250\017\341\125\345\265
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\122\123\101\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\001\375\155\060\374\243\312\121\250\033\274\144\016\065
+\003\055
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "USERTrust ECC Certification Authority"
+#
+# Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
+# Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
+# Fingerprint (SHA1): D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust ECC Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\134\213\231\305\132\224\305\322\161\126\336\315\211\200
+\314\046
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\217\060\202\002\025\240\003\002\001\002\002\020\134
+\213\231\305\132\224\305\322\161\126\336\315\211\200\314\046\060
+\012\006\010\052\206\110\316\075\004\003\003\060\201\210\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\023\060\021\006
+\003\125\004\010\023\012\116\145\167\040\112\145\162\163\145\171
+\061\024\060\022\006\003\125\004\007\023\013\112\145\162\163\145
+\171\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
+\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
+\145\164\167\157\162\153\061\056\060\054\006\003\125\004\003\023
+\045\125\123\105\122\124\162\165\163\164\040\105\103\103\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171\060\036\027\015\061\060\060\062\060\061
+\060\060\060\060\060\060\132\027\015\063\070\060\061\061\070\062
+\063\065\071\065\071\132\060\201\210\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\023\060\021\006\003\125\004\010\023
+\012\116\145\167\040\112\145\162\163\145\171\061\024\060\022\006
+\003\125\004\007\023\013\112\145\162\163\145\171\040\103\151\164
+\171\061\036\060\034\006\003\125\004\012\023\025\124\150\145\040
+\125\123\105\122\124\122\125\123\124\040\116\145\164\167\157\162
+\153\061\056\060\054\006\003\125\004\003\023\045\125\123\105\122
+\124\162\165\163\164\040\105\103\103\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005
+\053\201\004\000\042\003\142\000\004\032\254\124\132\251\371\150
+\043\347\172\325\044\157\123\306\132\330\113\253\306\325\266\321
+\346\163\161\256\335\234\326\014\141\375\333\240\211\003\270\005
+\024\354\127\316\356\135\077\342\041\263\316\367\324\212\171\340
+\243\203\176\055\227\320\141\304\361\231\334\045\221\143\253\177
+\060\243\264\160\342\307\241\063\234\363\277\056\134\123\261\137
+\263\175\062\177\212\064\343\171\171\243\102\060\100\060\035\006
+\003\125\035\016\004\026\004\024\072\341\011\206\324\317\031\302
+\226\166\164\111\166\334\340\065\306\143\143\232\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\012\006
+\010\052\206\110\316\075\004\003\003\003\150\000\060\145\002\060
+\066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001
+\317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035
+\372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115
+\002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326
+\104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304
+\242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
+\127\152\030
+END
+
+# Trust for "USERTrust ECC Certification Authority"
+# Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
+# Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
+# Fingerprint (SHA1): D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust ECC Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\321\313\312\135\262\325\052\177\151\073\147\115\345\360\132\035
+\014\225\175\360
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\372\150\274\331\265\177\255\375\311\035\006\203\050\314\044\301
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\134\213\231\305\132\224\305\322\161\126\336\315\211\200
+\314\046
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GlobalSign ECC Root CA - R4"
+#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
+# Fingerprint (SHA1): 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R4"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\052\070\244\034\226\012\004\336\102\262\050\245\013\350
+\064\230\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\001\341\060\202\001\207\240\003\002\001\002\002\021\052
+\070\244\034\226\012\004\336\102\262\050\245\013\350\064\230\002
+\060\012\006\010\052\206\110\316\075\004\003\002\060\120\061\044
+\060\042\006\003\125\004\013\023\033\107\154\157\142\141\154\123
+\151\147\156\040\105\103\103\040\122\157\157\164\040\103\101\040
+\055\040\122\064\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156\060\036
+\027\015\061\062\061\061\061\063\060\060\060\060\060\060\132\027
+\015\063\070\060\061\061\071\060\063\061\064\060\067\132\060\120
+\061\044\060\042\006\003\125\004\013\023\033\107\154\157\142\141
+\154\123\151\147\156\040\105\103\103\040\122\157\157\164\040\103
+\101\040\055\040\122\064\061\023\060\021\006\003\125\004\012\023
+\012\107\154\157\142\141\154\123\151\147\156\061\023\060\021\006
+\003\125\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+\060\131\060\023\006\007\052\206\110\316\075\002\001\006\010\052
+\206\110\316\075\003\001\007\003\102\000\004\270\306\171\323\217
+\154\045\016\237\056\071\031\034\003\244\256\232\345\071\007\011
+\026\312\143\261\271\206\370\212\127\301\127\316\102\372\163\241
+\367\145\102\377\036\301\000\262\156\163\016\377\307\041\345\030
+\244\252\331\161\077\250\324\271\316\214\035\243\102\060\100\060
+\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\035\006\003\125\035\016\004\026\004\024\124\260\173\255\105
+\270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060
+\012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105
+\002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227
+\220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274
+\242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107
+\322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354
+\173\013\370\237\204
+END
+
+# Trust for "GlobalSign ECC Root CA - R4"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
+# Fingerprint (SHA1): 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R4"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\151\151\126\056\100\200\364\044\241\347\031\237\024\272\363\356
+\130\253\152\273
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\040\360\047\150\321\176\240\235\016\346\052\312\337\134\211\216
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\052\070\244\034\226\012\004\336\102\262\050\245\013\350
+\064\230\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GlobalSign ECC Root CA - R5"
+#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
+# Fingerprint (SHA1): 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R5"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\065\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\065\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\140\131\111\340\046\056\273\125\371\012\167\212\161\371
+\112\330\154
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\036\060\202\001\244\240\003\002\001\002\002\021\140
+\131\111\340\046\056\273\125\371\012\167\212\161\371\112\330\154
+\060\012\006\010\052\206\110\316\075\004\003\003\060\120\061\044
+\060\042\006\003\125\004\013\023\033\107\154\157\142\141\154\123
+\151\147\156\040\105\103\103\040\122\157\157\164\040\103\101\040
+\055\040\122\065\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156\060\036
+\027\015\061\062\061\061\061\063\060\060\060\060\060\060\132\027
+\015\063\070\060\061\061\071\060\063\061\064\060\067\132\060\120
+\061\044\060\042\006\003\125\004\013\023\033\107\154\157\142\141
+\154\123\151\147\156\040\105\103\103\040\122\157\157\164\040\103
+\101\040\055\040\122\065\061\023\060\021\006\003\125\004\012\023
+\012\107\154\157\142\141\154\123\151\147\156\061\023\060\021\006
+\003\125\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053
+\201\004\000\042\003\142\000\004\107\105\016\226\373\175\135\277
+\351\071\321\041\370\237\013\266\325\173\036\222\072\110\131\034
+\360\142\061\055\300\172\050\376\032\247\134\263\266\314\227\347
+\105\324\130\372\321\167\155\103\242\300\207\145\064\012\037\172
+\335\353\074\063\241\305\235\115\244\157\101\225\070\177\311\036
+\204\353\321\236\111\222\207\224\207\014\072\205\112\146\237\235
+\131\223\115\227\141\006\206\112\243\102\060\100\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006
+\003\125\035\016\004\026\004\024\075\346\051\110\233\352\007\312
+\041\104\112\046\336\156\336\322\203\320\237\131\060\012\006\010
+\052\206\110\316\075\004\003\003\003\150\000\060\145\002\061\000
+\345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375
+\232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240
+\347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142
+\002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222
+\073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316
+\307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146
+\220\067
+END
+
+# Trust for "GlobalSign ECC Root CA - R5"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
+# Fingerprint (SHA1): 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R5"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\037\044\306\060\315\244\030\357\040\151\377\255\117\335\137\106
+\072\033\151\252
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\237\255\073\034\002\036\212\272\027\164\070\201\014\242\274\010
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\065\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\140\131\111\340\046\056\273\125\371\012\167\212\161\371
+\112\330\154
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "USERTrust-temporary-intermediate-after-1024bit-removal"
 #
 # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
 # Serial Number:5d:20:61:8e:8c:0e:b9:34:40:93:b9:b1:d8:63:95:b6
 # Subject: CN=USERTrust Legacy Secure Server CA,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Tue Aug 05 00:00:00 2014
 # Not Valid After : Sun Nov 01 23:59:59 2015
 # Fingerprint (SHA-256): 92:96:6E:83:44:D2:FB:3A:28:0E:B8:60:4D:81:40:77:4C:E1:A0:57:C5:82:BE:BC:83:4D:03:02:E8:59:BC:43
@@ -30146,8 +29991,1602 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\135\040\141\216\214\016\271\064\100\223\271\261\330\143
 \225\266
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+#
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
+# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Thu Mar 26 00:00:00 2009
+# Not Valid After : Sun Mar 24 23:59:59 2019
+# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\265\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\073\060\071\006\003
+\125\004\013\023\062\124\145\162\155\163\040\157\146\040\165\163
+\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167
+\056\166\145\162\151\163\151\147\156\056\143\157\155\057\162\160
+\141\040\050\143\051\060\071\061\057\060\055\006\003\125\004\003
+\023\046\126\145\162\151\123\151\147\156\040\103\154\141\163\163
+\040\063\040\123\145\143\165\162\145\040\123\145\162\166\145\162
+\040\103\101\040\055\040\107\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
+\005\256
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\071\060\202\004\041\240\003\002\001\002\002\020\057
+\000\156\315\027\160\146\347\137\243\202\012\171\037\005\256\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
+\312\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
+\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
+\156\054\040\111\156\143\056\061\037\060\035\006\003\125\004\013
+\023\026\126\145\162\151\123\151\147\156\040\124\162\165\163\164
+\040\116\145\164\167\157\162\153\061\072\060\070\006\003\125\004
+\013\023\061\050\143\051\040\062\060\060\066\040\126\145\162\151
+\123\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162
+\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040
+\157\156\154\171\061\105\060\103\006\003\125\004\003\023\074\126
+\145\162\151\123\151\147\156\040\103\154\141\163\163\040\063\040
+\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171\040\055\040\107\065\060\036\027\015\060
+\071\060\063\062\066\060\060\060\060\060\060\132\027\015\061\071
+\060\063\062\064\062\063\065\071\065\071\132\060\201\265\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006
+\003\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040
+\111\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126
+\145\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145
+\164\167\157\162\153\061\073\060\071\006\003\125\004\013\023\062
+\124\145\162\155\163\040\157\146\040\165\163\145\040\141\164\040
+\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
+\163\151\147\156\056\143\157\155\057\162\160\141\040\050\143\051
+\060\071\061\057\060\055\006\003\125\004\003\023\046\126\145\162
+\151\123\151\147\156\040\103\154\141\163\163\040\063\040\123\145
+\143\165\162\145\040\123\145\162\166\145\162\040\103\101\040\055
+\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\324\126\217\127\073\067\050\246\100\143\322\225
+\325\005\164\332\265\031\152\226\326\161\127\057\342\300\064\214
+\240\225\263\214\341\067\044\363\056\355\103\105\005\216\211\327
+\372\332\112\265\370\076\215\116\307\371\111\120\105\067\100\237
+\164\252\240\121\125\141\361\140\204\211\245\236\200\215\057\260
+\041\252\105\202\304\317\264\024\177\107\025\040\050\202\260\150
+\022\300\256\134\007\327\366\131\314\313\142\126\134\115\111\377
+\046\210\253\124\121\072\057\112\332\016\230\342\211\162\271\374
+\367\150\074\304\037\071\172\313\027\201\363\014\255\017\334\141
+\142\033\020\013\004\036\051\030\161\136\142\313\103\336\276\061
+\272\161\002\031\116\046\251\121\332\214\144\151\003\336\234\375
+\175\375\173\141\274\374\204\174\210\134\264\303\173\355\137\053
+\106\022\361\375\000\001\232\213\133\351\243\005\056\217\056\133
+\336\363\033\170\370\146\221\010\300\136\316\325\260\066\312\324
+\250\173\240\175\371\060\172\277\370\335\031\121\053\040\272\376
+\247\317\241\116\260\147\365\200\252\053\203\056\322\216\124\211
+\216\036\051\013\002\003\001\000\001\243\202\001\054\060\202\001
+\050\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
+\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\001\006\060\051\006\003\125\035\021\004\042\060\040
+\244\036\060\034\061\032\060\030\006\003\125\004\003\023\021\103
+\154\141\163\163\063\103\101\062\060\064\070\055\061\055\065\062
+\060\035\006\003\125\035\016\004\026\004\024\245\357\013\021\316
+\300\101\003\243\112\145\220\110\262\034\340\127\055\175\107\060
+\146\006\003\125\035\040\004\137\060\135\060\133\006\013\140\206
+\110\001\206\370\105\001\007\027\003\060\114\060\043\006\010\053
+\006\001\005\005\007\002\001\026\027\150\164\164\160\163\072\057
+\057\144\056\163\171\155\143\142\056\143\157\155\057\143\160\163
+\060\045\006\010\053\006\001\005\005\007\002\002\060\031\032\027
+\150\164\164\160\163\072\057\057\144\056\163\171\155\143\142\056
+\143\157\155\057\162\160\141\060\057\006\003\125\035\037\004\050
+\060\046\060\044\240\042\240\040\206\036\150\164\164\160\072\057
+\057\163\056\163\171\155\143\142\056\143\157\155\057\160\143\141
+\063\055\147\065\056\143\162\154\060\037\006\003\125\035\043\004
+\030\060\026\200\024\177\323\145\247\302\335\354\273\360\060\011
+\363\103\071\372\002\257\063\061\063\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\053\216\024
+\314\354\206\010\140\067\213\154\145\211\045\041\336\057\122\242
+\007\236\130\323\263\026\170\001\231\121\225\264\023\167\314\167
+\335\013\134\201\067\326\276\366\142\326\004\067\013\030\163\232
+\323\366\301\242\036\155\234\273\214\021\346\076\022\136\007\137
+\013\203\134\164\002\340\120\364\261\046\033\155\306\350\351\277
+\115\271\001\025\031\354\120\232\371\021\360\201\130\103\054\115
+\021\100\263\132\106\010\246\136\163\241\210\022\065\214\377\003
+\072\275\326\235\372\347\334\226\271\032\144\076\304\375\331\012
+\266\145\236\272\245\250\130\374\073\042\360\242\127\356\212\127
+\107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
+\264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
+\366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
+\134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
+\354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
+\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
+\145\110\041\012\057\327\334\176\240\314\145\176\171
+END
+
+# Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
+# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Thu Mar 26 00:00:00 2009
+# Not Valid After : Sun Mar 24 23:59:59 2019
+# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\166\104\131\170\033\254\260\107\143\245\320\241\130\221\145\046
+\037\051\216\073
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\277\022\155\372\174\325\133\046\171\072\215\252\021\357\057\134
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
+\005\256
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Staat der Nederlanden Root CA - G3"
+#
+# Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
+# Serial Number: 10003001 (0x98a239)
+# Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Thu Nov 14 11:28:42 2013
+# Not Valid After : Mon Nov 13 23:00:00 2028
+# Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
+# Fingerprint (SHA1): D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
+\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
+\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
+\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
+\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\000\230\242\071
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\164\060\202\003\134\240\003\002\001\002\002\004\000
+\230\242\071\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\036\060\034\006\003\125\004\012\014\025\123\164\141\141
+\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
+\156\061\053\060\051\006\003\125\004\003\014\042\123\164\141\141
+\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
+\156\040\122\157\157\164\040\103\101\040\055\040\107\063\060\036
+\027\015\061\063\061\061\061\064\061\061\062\070\064\062\132\027
+\015\062\070\061\061\061\063\062\063\060\060\060\060\132\060\132
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\036\060
+\034\006\003\125\004\012\014\025\123\164\141\141\164\040\144\145
+\162\040\116\145\144\145\162\154\141\156\144\145\156\061\053\060
+\051\006\003\125\004\003\014\042\123\164\141\141\164\040\144\145
+\162\040\116\145\144\145\162\154\141\156\144\145\156\040\122\157
+\157\164\040\103\101\040\055\040\107\063\060\202\002\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
+\017\000\060\202\002\012\002\202\002\001\000\276\062\242\124\017
+\160\373\054\134\131\353\154\304\244\121\350\205\052\263\314\112
+\064\362\260\137\363\016\307\034\075\123\036\210\010\150\330\157
+\075\255\302\236\314\202\147\007\047\207\150\161\072\237\165\226
+\042\106\005\260\355\255\307\133\236\052\336\234\374\072\306\225
+\247\365\027\147\030\347\057\111\010\014\134\317\346\314\064\355
+\170\373\120\261\334\153\062\360\242\376\266\074\344\354\132\227
+\307\077\036\160\010\060\240\334\305\263\155\157\320\202\162\021
+\253\322\201\150\131\202\027\267\170\222\140\372\314\336\077\204
+\353\215\070\063\220\012\162\043\372\065\314\046\161\061\321\162
+\050\222\331\133\043\155\146\265\155\007\102\353\246\063\316\222
+\333\300\366\154\143\170\315\312\116\075\265\345\122\233\361\276
+\073\346\124\140\260\146\036\011\253\007\376\124\211\021\102\321
+\367\044\272\140\170\032\230\367\311\021\375\026\301\065\032\124
+\165\357\103\323\345\256\116\316\347\173\303\306\116\141\121\113
+\253\232\105\113\241\037\101\275\110\123\025\161\144\013\206\263
+\345\056\276\316\244\033\301\051\204\242\265\313\010\043\166\103
+\042\044\037\027\004\324\156\234\306\374\177\053\146\032\354\212
+\345\326\317\115\365\143\011\267\025\071\326\173\254\353\343\174
+\351\116\374\165\102\310\355\130\225\014\006\102\242\234\367\344
+\160\263\337\162\157\132\067\100\211\330\205\244\327\361\013\336
+\103\031\324\112\130\054\214\212\071\236\277\204\207\361\026\073
+\066\014\351\323\264\312\154\031\101\122\011\241\035\260\152\277
+\202\357\160\121\041\062\334\005\166\214\313\367\144\344\003\120
+\257\214\221\147\253\305\362\356\130\330\336\276\367\347\061\317
+\154\311\073\161\301\325\210\265\145\274\300\350\027\027\007\022
+\265\134\322\253\040\223\264\346\202\203\160\066\305\315\243\215
+\255\213\354\243\301\103\207\346\103\342\064\276\225\213\065\355
+\007\071\332\250\035\172\237\066\236\022\260\014\145\022\220\025
+\140\331\046\100\104\343\126\140\245\020\324\152\074\375\101\334
+\016\132\107\266\357\227\141\165\117\331\376\307\262\035\324\355
+\135\111\263\251\152\313\146\204\023\325\134\240\334\337\156\167
+\006\321\161\165\310\127\157\257\017\167\133\002\003\001\000\001
+\243\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005
+\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024
+\124\255\372\307\222\127\256\312\065\234\056\022\373\344\272\135
+\040\334\224\127\060\015\006\011\052\206\110\206\367\015\001\001
+\013\005\000\003\202\002\001\000\060\231\235\005\062\310\136\016
+\073\230\001\072\212\244\347\007\367\172\370\347\232\337\120\103
+\123\227\052\075\312\074\107\230\056\341\025\173\361\222\363\141
+\332\220\045\026\145\300\237\124\135\016\003\073\133\167\002\234
+\204\266\015\230\137\064\335\073\143\302\303\050\201\302\234\051
+\056\051\342\310\303\001\362\063\352\052\252\314\011\010\367\145
+\147\306\315\337\323\266\053\247\275\314\321\016\160\137\270\043
+\321\313\221\116\012\364\310\172\345\331\143\066\301\324\337\374
+\042\227\367\140\135\352\051\057\130\262\275\130\275\215\226\117
+\020\165\277\110\173\075\121\207\241\074\164\042\302\374\007\177
+\200\334\304\254\376\152\301\160\060\260\351\216\151\342\054\151
+\201\224\011\272\335\376\115\300\203\214\224\130\300\106\040\257
+\234\037\002\370\065\125\111\057\106\324\300\360\240\226\002\017
+\063\305\161\363\236\043\175\224\267\375\072\323\011\203\006\041
+\375\140\075\256\062\300\322\356\215\246\360\347\264\202\174\012
+\314\160\311\171\200\370\376\114\367\065\204\031\212\061\373\012
+\331\327\177\233\360\242\232\153\303\005\112\355\101\140\024\060
+\321\252\021\102\156\323\043\002\004\013\306\145\335\335\122\167
+\332\201\153\262\250\372\001\070\271\226\352\052\154\147\227\211
+\224\236\274\341\124\325\344\152\170\357\112\275\053\232\075\100
+\176\306\300\165\322\156\373\150\060\354\354\213\235\371\111\065
+\232\032\054\331\263\225\071\325\036\222\367\246\271\145\057\345
+\075\155\072\110\114\010\334\344\050\022\050\276\175\065\134\352
+\340\026\176\023\033\152\327\076\327\236\374\055\165\262\301\024
+\325\043\003\333\133\157\013\076\170\057\015\336\063\215\026\267
+\110\347\203\232\201\017\173\301\103\115\125\004\027\070\112\121
+\325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
+\157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
+\321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
+\100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
+\307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
+\254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
+\367\200\173\041\147\047\060\131
+END
+
+# Trust for "Staat der Nederlanden Root CA - G3"
+# Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
+# Serial Number: 10003001 (0x98a239)
+# Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Thu Nov 14 11:28:42 2013
+# Not Valid After : Mon Nov 13 23:00:00 2028
+# Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
+# Fingerprint (SHA1): D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\330\353\153\101\121\222\131\340\363\347\205\000\300\075\266\210
+\227\311\356\374
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\013\106\147\007\333\020\057\031\214\065\120\140\321\013\364\067
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
+\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
+\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\000\230\242\071
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Staat der Nederlanden EV Root CA"
+#
+# Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
+# Serial Number: 10000013 (0x98968d)
+# Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Wed Dec 08 11:19:29 2010
+# Not Valid After : Thu Dec 08 11:10:28 2022
+# Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
+# Fingerprint (SHA1): 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
+\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
+\105\126\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
+\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
+\105\126\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\000\230\226\215
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\160\060\202\003\130\240\003\002\001\002\002\004\000
+\230\226\215\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\130\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\036\060\034\006\003\125\004\012\014\025\123\164\141\141
+\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
+\156\061\051\060\047\006\003\125\004\003\014\040\123\164\141\141
+\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
+\156\040\105\126\040\122\157\157\164\040\103\101\060\036\027\015
+\061\060\061\062\060\070\061\061\061\071\062\071\132\027\015\062
+\062\061\062\060\070\061\061\061\060\062\070\132\060\130\061\013
+\060\011\006\003\125\004\006\023\002\116\114\061\036\060\034\006
+\003\125\004\012\014\025\123\164\141\141\164\040\144\145\162\040
+\116\145\144\145\162\154\141\156\144\145\156\061\051\060\047\006
+\003\125\004\003\014\040\123\164\141\141\164\040\144\145\162\040
+\116\145\144\145\162\154\141\156\144\145\156\040\105\126\040\122
+\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
+\002\012\002\202\002\001\000\343\307\176\211\371\044\113\072\322
+\063\203\065\054\151\354\334\011\244\343\121\250\045\053\171\270
+\010\075\340\221\272\204\205\306\205\244\312\346\311\056\123\244
+\311\044\036\375\125\146\161\135\054\305\140\150\004\267\331\302
+\122\046\070\210\244\326\073\100\246\302\315\077\315\230\223\263
+\124\024\130\226\125\325\120\376\206\255\244\143\177\134\207\366
+\216\346\047\222\147\027\222\002\003\054\334\326\146\164\355\335
+\147\377\301\141\215\143\117\017\233\155\027\060\046\357\253\322
+\037\020\240\371\305\177\026\151\201\003\107\355\036\150\215\162
+\241\115\262\046\306\272\154\137\155\326\257\321\261\023\216\251
+\255\363\136\151\165\046\030\076\101\053\041\177\356\213\135\007
+\006\235\103\304\051\012\053\374\052\076\206\313\074\203\072\371
+\311\015\332\305\231\342\274\170\101\063\166\341\277\057\135\345
+\244\230\120\014\025\335\340\372\234\177\070\150\320\262\246\172
+\247\321\061\275\176\212\130\047\103\263\272\063\221\323\247\230
+\025\134\232\346\323\017\165\331\374\101\230\227\076\252\045\333
+\217\222\056\260\173\014\137\361\143\251\067\371\233\165\151\114
+\050\046\045\332\325\362\022\160\105\125\343\337\163\136\067\365
+\041\154\220\216\065\132\311\323\043\353\323\300\276\170\254\102
+\050\130\146\245\106\155\160\002\327\020\371\113\124\374\135\206
+\112\207\317\177\312\105\254\021\132\265\040\121\215\057\210\107
+\227\071\300\317\272\300\102\001\100\231\110\041\013\153\247\322
+\375\226\325\321\276\106\235\111\340\013\246\240\042\116\070\320
+\301\074\060\274\160\217\054\165\314\320\305\214\121\073\075\224
+\010\144\046\141\175\271\303\145\217\024\234\041\320\252\375\027
+\162\003\217\275\233\214\346\136\123\236\271\235\357\202\273\341
+\274\342\162\101\133\041\224\323\105\067\224\321\337\011\071\135
+\347\043\252\232\035\312\155\250\012\206\205\212\202\276\102\007
+\326\362\070\202\163\332\207\133\345\074\323\236\076\247\073\236
+\364\003\263\371\361\175\023\164\002\377\273\241\345\372\000\171
+\034\246\146\101\210\134\140\127\246\056\011\304\272\375\232\317
+\247\037\100\303\273\314\132\012\125\113\073\070\166\121\270\143
+\213\204\224\026\346\126\363\002\003\001\000\001\243\102\060\100
+\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
+\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
+\006\060\035\006\003\125\035\016\004\026\004\024\376\253\000\220
+\230\236\044\374\251\314\032\212\373\047\270\277\060\156\250\073
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
+\202\002\001\000\317\167\054\156\126\276\116\263\266\204\000\224
+\253\107\311\015\322\166\307\206\237\035\007\323\266\264\273\010
+\170\257\151\322\013\111\336\063\305\254\255\302\210\002\175\006
+\267\065\002\301\140\311\277\304\350\224\336\324\323\251\023\045
+\132\376\156\242\256\175\005\334\175\363\154\360\176\246\215\356
+\331\327\316\130\027\350\251\051\256\163\110\207\347\233\312\156
+\051\241\144\137\031\023\367\256\006\020\377\121\306\233\115\125
+\045\117\223\231\020\001\123\165\361\023\316\307\246\101\101\322
+\277\210\245\177\105\374\254\270\245\265\063\014\202\304\373\007
+\366\152\345\045\204\137\006\312\301\206\071\021\333\130\315\167
+\073\054\302\114\017\136\232\343\360\253\076\141\033\120\044\302
+\300\364\361\031\360\021\051\266\245\030\002\233\327\143\114\160
+\214\107\243\003\103\134\271\135\106\240\015\157\377\131\216\276
+\335\237\162\303\133\053\337\214\133\316\345\014\106\154\222\262
+\012\243\114\124\102\030\025\022\030\275\332\374\272\164\156\377
+\301\266\240\144\330\251\137\125\256\237\134\152\166\226\330\163
+\147\207\373\115\177\134\356\151\312\163\020\373\212\251\375\236
+\275\066\070\111\111\207\364\016\024\360\351\207\270\077\247\117
+\172\132\216\171\324\223\344\273\150\122\204\254\154\351\363\230
+\160\125\162\062\371\064\253\053\111\265\315\040\142\344\072\172
+\147\143\253\226\334\155\256\227\354\374\237\166\126\210\056\146
+\317\133\266\311\244\260\327\005\272\341\047\057\223\273\046\052
+\242\223\260\033\363\216\276\035\100\243\271\066\217\076\202\032
+\032\136\210\352\120\370\131\342\203\106\051\013\343\104\134\341
+\225\266\151\220\232\024\157\227\256\201\317\150\357\231\232\276
+\265\347\341\177\370\372\023\107\026\114\314\155\010\100\347\213
+\170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
+\040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
+\136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
+\025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
+\342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
+\220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
+\356\354\327\056
+END
+
+# Trust for "Staat der Nederlanden EV Root CA"
+# Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
+# Serial Number: 10000013 (0x98968d)
+# Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
+# Not Valid Before: Wed Dec 08 11:19:29 2010
+# Not Valid After : Thu Dec 08 11:10:28 2022
+# Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
+# Fingerprint (SHA1): 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\166\342\176\301\117\333\202\301\300\246\165\265\005\276\075\051
+\264\355\333\273
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\374\006\257\173\350\032\361\232\264\350\322\160\037\300\365\272
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
+\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
+\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
+\105\126\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\000\230\226\215
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "IdenTrust Commercial Root CA 1"
+#
+# Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
+# Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
+# Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
+# Not Valid Before: Thu Jan 16 18:12:23 2014
+# Not Valid After : Mon Jan 16 18:12:23 2034
+# Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
+# Fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
+\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
+\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
+\141\154\040\122\157\157\164\040\103\101\040\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
+\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
+\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
+\141\154\040\122\157\157\164\040\103\101\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\012\001\102\200\000\000\001\105\043\310\104\265\000\000
+\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\140\060\202\003\110\240\003\002\001\002\002\020\012
+\001\102\200\000\000\001\105\043\310\104\265\000\000\000\002\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\112
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060
+\020\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163
+\164\061\047\060\045\006\003\125\004\003\023\036\111\144\145\156
+\124\162\165\163\164\040\103\157\155\155\145\162\143\151\141\154
+\040\122\157\157\164\040\103\101\040\061\060\036\027\015\061\064
+\060\061\061\066\061\070\061\062\062\063\132\027\015\063\064\060
+\061\061\066\061\070\061\062\062\063\132\060\112\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\022\060\020\006\003\125
+\004\012\023\011\111\144\145\156\124\162\165\163\164\061\047\060
+\045\006\003\125\004\003\023\036\111\144\145\156\124\162\165\163
+\164\040\103\157\155\155\145\162\143\151\141\154\040\122\157\157
+\164\040\103\101\040\061\060\202\002\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
+\002\012\002\202\002\001\000\247\120\031\336\077\231\075\324\063
+\106\361\157\121\141\202\262\251\117\217\147\211\135\204\331\123
+\335\014\050\331\327\360\377\256\225\103\162\231\371\265\135\174
+\212\301\102\341\061\120\164\321\201\015\174\315\233\041\253\103
+\342\254\255\136\206\156\363\011\212\037\132\062\275\242\353\224
+\371\350\134\012\354\377\230\322\257\161\263\264\123\237\116\207
+\357\222\274\275\354\117\062\060\210\113\027\136\127\304\123\302
+\366\002\227\215\331\142\053\277\044\037\142\215\337\303\270\051
+\113\111\170\074\223\140\210\042\374\231\332\066\310\302\242\324
+\054\124\000\147\065\156\163\277\002\130\360\244\335\345\260\242
+\046\172\312\340\066\245\031\026\365\375\267\357\256\077\100\365
+\155\132\004\375\316\064\312\044\334\164\043\033\135\063\023\022
+\135\304\001\045\366\060\335\002\135\237\340\325\107\275\264\353
+\033\241\273\111\111\330\237\133\002\363\212\344\044\220\344\142
+\117\117\301\257\213\016\164\027\250\321\162\210\152\172\001\111
+\314\264\106\171\306\027\261\332\230\036\007\131\372\165\041\205
+\145\335\220\126\316\373\253\245\140\235\304\235\371\122\260\213
+\275\207\371\217\053\043\012\043\166\073\367\063\341\311\000\363
+\151\371\113\242\340\116\274\176\223\071\204\007\367\104\160\176
+\376\007\132\345\261\254\321\030\314\362\065\345\111\111\010\312
+\126\311\075\373\017\030\175\213\073\301\023\302\115\217\311\117
+\016\067\351\037\241\016\152\337\142\056\313\065\006\121\171\054
+\310\045\070\364\372\113\247\211\134\234\322\343\015\071\206\112
+\164\174\325\131\207\302\077\116\014\134\122\364\075\367\122\202
+\361\352\243\254\375\111\064\032\050\363\101\210\072\023\356\350
+\336\377\231\035\137\272\313\350\036\362\271\120\140\300\061\323
+\163\345\357\276\240\355\063\013\164\276\040\040\304\147\154\360
+\010\003\172\125\200\177\106\116\226\247\364\036\076\341\366\330
+\011\341\063\144\053\143\327\062\136\237\371\300\173\017\170\157
+\227\274\223\232\371\234\022\220\170\172\200\207\025\327\162\164
+\234\125\164\170\261\272\341\156\160\004\272\117\240\272\150\303
+\173\377\061\360\163\075\075\224\052\261\013\101\016\240\376\115
+\210\145\153\171\063\264\327\002\003\001\000\001\243\102\060\100
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
+\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
+\377\060\035\006\003\125\035\016\004\026\004\024\355\104\031\300
+\323\360\006\213\356\244\173\276\102\347\046\124\310\216\066\166
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
+\202\002\001\000\015\256\220\062\366\246\113\174\104\166\031\141
+\036\047\050\315\136\124\357\045\274\343\010\220\371\051\327\256
+\150\010\341\224\000\130\357\056\056\176\123\122\214\266\134\007
+\352\210\272\231\213\120\224\327\202\200\337\141\011\000\223\255
+\015\024\346\316\301\362\067\224\170\260\137\234\263\242\163\270
+\217\005\223\070\315\215\076\260\270\373\300\317\261\362\354\055
+\055\033\314\354\252\232\263\252\140\202\033\055\073\303\204\075
+\127\212\226\036\234\165\270\323\060\315\140\010\203\220\323\216
+\124\361\115\146\300\135\164\003\100\243\356\205\176\302\037\167
+\234\006\350\301\247\030\135\122\225\355\311\335\045\236\155\372
+\251\355\243\072\064\320\131\173\332\355\120\363\065\277\355\353
+\024\115\061\307\140\364\332\361\207\234\342\110\342\306\305\067
+\373\006\020\372\165\131\146\061\107\051\332\166\232\034\351\202
+\256\357\232\271\121\367\210\043\232\151\225\142\074\345\125\200
+\066\327\124\002\377\361\271\135\316\324\043\157\330\105\204\112
+\133\145\357\211\014\335\024\247\040\313\030\245\045\264\015\371
+\001\360\242\322\364\000\310\164\216\241\052\110\216\145\333\023
+\304\342\045\027\175\353\276\207\133\027\040\124\121\223\112\123
+\003\013\354\135\312\063\355\142\375\105\307\057\133\334\130\240
+\200\071\346\372\327\376\023\024\246\355\075\224\112\102\164\324
+\303\167\131\163\315\217\106\276\125\070\357\372\350\221\062\352
+\227\130\004\042\336\070\303\314\274\155\311\063\072\152\012\151
+\077\240\310\352\162\217\214\143\206\043\275\155\074\226\236\225
+\340\111\114\252\242\271\052\033\234\066\201\170\355\303\350\106
+\342\046\131\104\165\036\331\165\211\121\315\020\204\235\141\140
+\313\135\371\227\042\115\216\230\346\343\177\366\133\273\256\315
+\312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
+\231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
+\153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
+\237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
+\357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
+\037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
+\272\204\156\207
+END
+
+# Trust for "IdenTrust Commercial Root CA 1"
+# Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
+# Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
+# Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
+# Not Valid Before: Thu Jan 16 18:12:23 2014
+# Not Valid After : Mon Jan 16 18:12:23 2034
+# Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
+# Fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\337\161\176\252\112\331\116\311\125\204\231\140\055\110\336\137
+\274\360\072\045
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\263\076\167\163\165\356\240\323\343\176\111\143\111\131\273\307
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
+\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
+\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
+\141\154\040\122\157\157\164\040\103\101\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\012\001\102\200\000\000\001\105\043\310\104\265\000\000
+\000\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "IdenTrust Public Sector Root CA 1"
+#
+# Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
+# Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
+# Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
+# Not Valid Before: Thu Jan 16 17:53:32 2014
+# Not Valid After : Mon Jan 16 17:53:32 2034
+# Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
+# Fingerprint (SHA1): BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
+\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
+\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
+\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
+\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
+\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
+\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\012\001\102\200\000\000\001\105\043\317\106\174\000\000
+\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\146\060\202\003\116\240\003\002\001\002\002\020\012
+\001\102\200\000\000\001\105\043\317\106\174\000\000\000\002\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\115
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060
+\020\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163
+\164\061\052\060\050\006\003\125\004\003\023\041\111\144\145\156
+\124\162\165\163\164\040\120\165\142\154\151\143\040\123\145\143
+\164\157\162\040\122\157\157\164\040\103\101\040\061\060\036\027
+\015\061\064\060\061\061\066\061\067\065\063\063\062\132\027\015
+\063\064\060\061\061\066\061\067\065\063\063\062\132\060\115\061
+\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060\020
+\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163\164
+\061\052\060\050\006\003\125\004\003\023\041\111\144\145\156\124
+\162\165\163\164\040\120\165\142\154\151\143\040\123\145\143\164
+\157\162\040\122\157\157\164\040\103\101\040\061\060\202\002\042
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\202\002\017\000\060\202\002\012\002\202\002\001\000\266\042\224
+\374\244\110\257\350\107\153\012\373\047\166\344\362\077\212\073
+\172\112\054\061\052\214\215\260\251\303\061\153\250\167\166\204
+\046\266\254\201\102\015\010\353\125\130\273\172\370\274\145\175
+\362\240\155\213\250\107\351\142\166\036\021\356\010\024\321\262
+\104\026\364\352\320\372\036\057\136\333\313\163\101\256\274\000
+\260\112\053\100\262\254\341\073\113\302\055\235\344\241\233\354
+\032\072\036\360\010\263\320\344\044\065\007\237\234\264\311\122
+\155\333\007\312\217\265\133\360\203\363\117\307\055\245\310\255
+\313\225\040\244\061\050\127\130\132\344\215\033\232\253\236\015
+\014\362\012\063\071\042\071\012\227\056\363\123\167\271\104\105
+\375\204\313\066\040\201\131\055\232\157\155\110\110\141\312\114
+\337\123\321\257\122\274\104\237\253\057\153\203\162\357\165\200
+\332\006\063\033\135\310\332\143\306\115\315\254\146\061\315\321
+\336\076\207\020\066\341\271\244\172\357\140\120\262\313\312\246
+\126\340\067\257\253\064\023\071\045\350\071\146\344\230\172\252
+\022\230\234\131\146\206\076\255\361\260\312\076\006\017\173\360
+\021\113\067\240\104\155\173\313\250\214\161\364\325\265\221\066
+\314\360\025\306\053\336\121\027\261\227\114\120\075\261\225\131
+\174\005\175\055\041\325\000\277\001\147\242\136\173\246\134\362
+\367\042\361\220\015\223\333\252\104\121\146\314\175\166\003\353
+\152\250\052\070\031\227\166\015\153\212\141\371\274\366\356\166
+\375\160\053\335\051\074\370\012\036\133\102\034\213\126\057\125
+\033\034\241\056\265\307\026\346\370\252\074\222\216\151\266\001
+\301\265\206\235\211\017\013\070\224\124\350\352\334\236\075\045
+\274\123\046\355\325\253\071\252\305\100\114\124\253\262\264\331
+\331\370\327\162\333\034\274\155\275\145\137\357\210\065\052\146
+\057\356\366\263\145\360\063\215\174\230\101\151\106\017\103\034
+\151\372\233\265\320\141\152\315\312\113\331\114\220\106\253\025
+\131\241\107\124\051\056\203\050\137\034\302\242\253\162\027\000
+\006\216\105\354\213\342\063\075\177\332\031\104\344\142\162\303
+\337\042\306\362\126\324\335\137\225\162\355\155\137\367\110\003
+\133\375\305\052\240\366\163\043\204\020\033\001\347\002\003\001
+\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
+\004\024\343\161\340\236\330\247\102\331\333\161\221\153\224\223
+\353\303\243\321\024\243\060\015\006\011\052\206\110\206\367\015
+\001\001\013\005\000\003\202\002\001\000\107\372\335\012\260\021
+\221\070\255\115\135\367\345\016\227\124\031\202\110\207\124\214
+\252\144\231\330\132\376\210\001\305\130\245\231\261\043\124\043
+\267\152\035\040\127\345\001\142\101\027\323\011\333\165\313\156
+\124\220\165\376\032\237\201\012\302\335\327\367\011\320\133\162
+\025\344\036\011\152\075\063\363\041\232\346\025\176\255\121\325
+\015\020\355\175\102\300\217\356\300\232\010\325\101\326\134\016
+\041\151\156\200\141\016\025\300\270\317\305\111\022\122\314\276
+\072\314\324\056\070\005\336\065\375\037\157\270\200\150\230\075