Bug 1539227 - land NSS 67c41e385581 UPGRADE_NSS_RELEASE, r=me
authorJ.C. Jones <jc@mozilla.com>
Tue, 26 Mar 2019 18:48:46 +0000
changeset 525091 19ede4b24924b2893bce5f19e405ad53da493065
parent 525090 8ce913be1b325fddaaf1299a42a5f648c3128614
child 525092 c8f3f0b484e54853854424d16e4261e7a586027e
push id11265
push userffxbld-merge
push dateMon, 13 May 2019 10:53:39 +0000
reviewersme
bugs1539227
milestone68.0a1
Bug 1539227 - land NSS 67c41e385581 UPGRADE_NSS_RELEASE, r=me
old-configure.in
security/nss/.taskcluster.yml
security/nss/TAG-INFO
security/nss/automation/abi-check/expected-report-libnss3.so.txt
security/nss/automation/abi-check/expected-report-libssl3.so.txt
security/nss/automation/abi-check/previous-nss-release
security/nss/coreconf/coreconf.dep
security/nss/gtests/certdb_gtest/cert_unittest.cc
security/nss/gtests/certdb_gtest/certdb_gtest.gyp
security/nss/gtests/certdb_gtest/decode_certs_unittest.cc
security/nss/gtests/certdb_gtest/manifest.mn
security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/freebl/blinit.c
security/nss/lib/freebl/crypto_primitives.c
security/nss/lib/freebl/crypto_primitives.h
security/nss/lib/freebl/freebl.gyp
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/pkcs7/certread.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/tls13con.c
security/nss/lib/util/nssutil.h
security/nss/tests/cert/cert.sh
security/nss/tests/common/certsetup.sh
security/nss/tests/crmf/crmf.sh
security/nss/tests/gtests/gtests.sh
security/nss/tests/iopr/cert_iopr.sh
security/nss/tests/iopr/server_scr/cert_gen.sh
security/nss/tests/libpkix/certs/TestCA.ca.cert
security/nss/tests/libpkix/certs/TestUser50.cert
security/nss/tests/libpkix/certs/TestUser51.cert
security/nss/tests/libpkix/certs/make-ca-u50-u51
security/nss/tests/libpkix/certs/nss2alice
security/nss/tests/smime/bob.txt
security/nss/tests/smime/smime.sh
--- a/old-configure.in
+++ b/old-configure.in
@@ -1533,17 +1533,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.42, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.44, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
 if test -z "$MOZ_SYSTEM_NSS"; then
    case "${OS_ARCH}" in
         # Only few platforms have been tested with GYP
         WINNT|Darwin|Linux|DragonFly|FreeBSD|NetBSD|OpenBSD|SunOS)
             ;;
--- a/security/nss/.taskcluster.yml
+++ b/security/nss/.taskcluster.yml
@@ -19,34 +19,33 @@ tasks:
       # ensure there's no trailing `/` on the repo URL
       repoUrl:
         $if: 'repository.url[-1] == "/"'
         then: {$eval: 'repository.url[:-1]'}
         else: {$eval: 'repository.url'}
     in:
       taskId: '${ownTaskId}'
       taskGroupId: '${ownTaskId}'
-      schedulerId: 'gecko-level-nss'
+      schedulerId: 'nss-level-${repository.level}'
       created: {$fromNow: ''}
       deadline: {$fromNow: '1 day'}
       expires: {$fromNow: '14 days'}
 
       metadata:
         owner: mozilla-taskcluster-maintenance@mozilla.com
         source: "${repository.url}"
         name: "NSS Decision Task"
         description: |
             The task that creates all of the other tasks in the task graph
 
       workerType: "hg-worker"
       provisionerId: "aws-provisioner-v1"
 
       scopes:
         - 'assume:repo:${repoUrl[8:]}:branch:default'
-        - 'queue:route:notify.email.${ownerEmail}.*'
       tags:
         createdForUser: "${ownerEmail}"
 
       routes:
         - "tc-treeherder-stage.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
         - "tc-treeherder.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
 
       payload:
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_43_RTM
+67c41e385581
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -1,5 +1,5 @@
 
 1 Added function:
 
-  'function SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType)'    {HASH_GetHashOidTagByHashType@@NSS_3.43}
+  'function SECStatus CERT_GetCertificateDer(const CERTCertificate*, SECItem*)'    {CERT_GetCertificateDer@@NSS_3.44}
 
--- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
@@ -1,20 +0,0 @@
-
-2 functions with some indirect sub-type change:
-
-  [C]'function SECStatus SSL_GetCipherSuiteInfo(PRUint16, SSLCipherSuiteInfo*, PRUintn)' at sslinfo.c:326:1 has some indirect sub-type changes:
-    parameter 2 of type 'SSLCipherSuiteInfo*' has sub-type changes:
-      in pointed to type 'typedef SSLCipherSuiteInfo' at sslt.h:433:1:
-        underlying type 'struct SSLCipherSuiteInfoStr' at sslt.h:366:1 changed:
-          type size changed from 768 to 832 (in bits)
-          1 data member insertion:
-            'SSLHashType SSLCipherSuiteInfoStr::kdfHash', at offset 768 (in bits) at sslt.h:429:1
-
-  [C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:111:1 has some indirect sub-type changes:
-    parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
-      in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:379:1:
-        underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:333:1 changed:
-          type size changed from 160 to 192 (in bits)
-          1 data member insertion:
-            'PRUint16 SSLPreliminaryChannelInfoStr::zeroRttCipherSuite', at offset 160 (in bits) at sslt.h:375:1
-
-
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1,1 +1,1 @@
-NSS_3_42_BRANCH
+NSS_3_43_BRANCH
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/certdb_gtest/cert_unittest.cc
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "nss.h"
+#include "secerr.h"
+#include "pk11pub.h"
+#include "nss_scoped_ptrs.h"
+
+namespace nss_test {
+
+class CertTest : public ::testing::Test {};
+
+// Tests CERT_GetCertificateDer for the certs we have.
+TEST_F(CertTest, GetCertDer) {
+  // Listing all the certs should get us the default trust anchors.
+  ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr));
+  ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list));
+
+  for (PRCList* cursor = PR_NEXT_LINK(&certs->list); cursor != &certs->list;
+       cursor = PR_NEXT_LINK(cursor)) {
+    CERTCertListNode* node = (CERTCertListNode*)cursor;
+    SECItem der;
+    ASSERT_EQ(SECSuccess, CERT_GetCertificateDer(node->cert, &der));
+    ASSERT_EQ(0, SECITEM_CompareItem(&der, &node->cert->derCert));
+  }
+}
+
+TEST_F(CertTest, GetCertDerBad) {
+  EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, nullptr));
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+
+  ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr));
+  ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list));
+  CERTCertListNode* node = (CERTCertListNode*)PR_NEXT_LINK(&certs->list);
+  EXPECT_EQ(SECFailure, CERT_GetCertificateDer(node->cert, nullptr));
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+
+  SECItem der;
+  EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, &der));
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+}
+}
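Review bot: Both tests dereference `certs->list` without first checking that `PK11_ListCerts` returned a list, so a null result would crash the test binary instead of producing a readable failure. Adding `ASSERT_NE(nullptr, certs);` before each `PR_CLIST_IS_EMPTY` check in GetCertDer and GetCertDerBad would close that gap. The loop in GetCertDer could also use the `CERT_LIST_HEAD` / `CERT_LIST_END` / `CERT_LIST_NEXT` macros rather than casting `PRCList*` to `CERTCertListNode*` by hand.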
--- a/security/nss/gtests/certdb_gtest/certdb_gtest.gyp
+++ b/security/nss/gtests/certdb_gtest/certdb_gtest.gyp
@@ -7,23 +7,26 @@
     '../common/gtest.gypi',
   ],
   'targets': [
     {
       'target_name': 'certdb_gtest',
       'type': 'executable',
       'sources': [
         'alg1485_unittest.cc',
+        'cert_unittest.cc',
+        'decode_certs_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
         '<(DEPTH)/lib/util/util.gyp:nssutil3',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
         '<(DEPTH)/lib/nss/nss.gyp:nss3',
+        '<(DEPTH)/lib/smime/smime.gyp:smime3',
       ]
     }
   ],
   'variables': {
     'module': 'nss'
   }
 }
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/certdb_gtest/decode_certs_unittest.cc
@@ -0,0 +1,28 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+
+#include "cert.h"
+#include "prerror.h"
+#include "secerr.h"
+
+class DecodeCertsTest : public ::testing::Test {};
+
+TEST_F(DecodeCertsTest, EmptyCertPackage) {
+  // This represents a PKCS#7 ContentInfo with a contentType of
+  // '2.16.840.1.113730.2.5' (Netscape data-type cert-sequence) and a content
+  // consisting of an empty SEQUENCE. This is valid ASN.1, but it contains no
+  // certificates, so CERT_DecodeCertFromPackage should just return a null
+  // pointer.
+  unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
+                                      0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+                                      0x05, 0xa0, 0x02, 0x30, 0x00};
+  EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
+                         reinterpret_cast<char*>(emptyCertPackage),
+                         sizeof(emptyCertPackage)));
+  EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+}
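Review bot: The `PR_GetError()` check in EmptyCertPackage can be satisfied by an error code left over from earlier code in the same process, because nothing resets the thread's error before `CERT_DecodeCertFromPackage` is called. Putting `PR_SetError(0, 0);` immediately before the call would make the `SEC_ERROR_BAD_DER` expectation prove that this call set it. As a style point, the fixture is declared at global scope while the sibling cert_unittest.cc added in the same commit wraps its tests in `namespace nss_test`.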
--- a/security/nss/gtests/certdb_gtest/manifest.mn
+++ b/security/nss/gtests/certdb_gtest/manifest.mn
@@ -3,16 +3,18 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       alg1485_unittest.cc \
+      cert_unittest.cc \
+      decode_certs_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
             -I$(CORE_DEPTH)/gtests/common \
             -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest
 
--- a/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc
@@ -437,16 +437,58 @@ TEST_P(TlsConnectStream, ReplaceRecordLa
     server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTED);
   }
   CheckKeys();
 
   // Reading and writing application data should work.
   SendForwardReceive(client_, client_stage, server_);
 }
 
+TEST_F(TlsConnectStreamTls13, ReplaceRecordLayerAsyncPostHandshake) {
+  StartConnect();
+  client_->SetServerKeyBits(server_->server_key_bits());
+
+  BadPrSocket bad_layer_client(client_);
+  BadPrSocket bad_layer_server(server_);
+  StagedRecords client_stage(client_);
+  StagedRecords server_stage(server_);
+
+  client_->SetAuthCertificateCallback(AuthCompleteBlock);
+
+  server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING);
+  client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTING);
+  server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING);
+
+  ASSERT_TRUE(client_stage.empty());
+  client_->Handshake();
+  ASSERT_TRUE(client_stage.empty());
+  EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
+
+  // Now declare the certificate good.
+  EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
+  client_->Handshake();
+  ASSERT_FALSE(client_stage.empty());
+
+  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+    EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
+    client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);
+  } else {
+    client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);
+    server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTED);
+  }
+  CheckKeys();
+
+  // Reading and writing application data should work.
+  SendForwardReceive(client_, client_stage, server_);
+
+  // Post-handshake messages should work here.
+  EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
+  SendForwardReceive(server_, server_stage, client_);
+}
+
 // This test ensures that data is correctly forwarded when the handshake is
 // resumed after asynchronous server certificate authentication, when
 // SSL_AuthCertificateComplete() is called.  The logic for resuming the
 // handshake involves a different code path than the usual one, so this test
 // exercises that code fully.
 TEST_F(TlsConnectStreamTls13, ReplaceRecordLayerAsyncEarlyAuth) {
   StartConnect();
   client_->SetServerKeyBits(server_->server_key_bits());
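Review bot: The `else` branch of the `version_ >= SSL_LIBRARY_VERSION_TLS_1_3` check in ReplaceRecordLayerAsyncPostHandshake looks unreachable, since the test is registered with `TEST_F(TlsConnectStreamTls13, ...)` and that fixture name suggests it only runs TLS 1.3. If so, the conditional can be reduced to the two TLS 1.3 lines, which makes clear that only the 1.3 path is covered here. The test also has no leading comment, unlike ReplaceRecordLayerAsyncEarlyAuth below it; something like `// Checks that post-handshake messages (a session ticket) still flow through a replaced record layer after asynchronous certificate authentication completes.` would state what it guards. The body of ReplaceRecordLayerAsyncEarlyAuth continues outside the hunk.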
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -210,16 +210,22 @@ extern CERTCertificate *CERT_CreateCerti
 extern void CERT_DestroyCertificate(CERTCertificate *cert);
 
 /*
 ** Make a shallow copy of a certificate "c". Just increments the
 ** reference count on "c".
 */
 extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
 
+/* Access the DER of the certificate. This only creates a reference to the DER
+ * in the outparam not a copy.  To avoid the pointer becoming invalid, use
+ * CERT_DupCertificate() and keep a reference to the duplicate alive.
+ */
+extern SECStatus CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der);
+
 /*
 ** Create a new certificate request. This result must be wrapped with an
 ** CERTSignedData to create a signed certificate request.
 **	"name" the subject name (who the certificate request is from)
 **	"spki" describes/defines the public key the certificate is for
 **	"attributes" if non-zero, some optional attribute data
 */
 extern CERTCertificateRequest *CERT_CreateCertificateRequest(
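Review bot: The new comment on `CERT_GetCertificateDer` says the out-param is a reference rather than a copy, but it does not spell out what the caller must therefore avoid. Because `der->data` aliases memory owned by the certificate, passing `der` to `SECITEM_FreeItem` or writing through `der->data` would corrupt or double-free the certificate's own buffer. I would extend the comment with a sentence such as `The caller must not free or modify der->data; it is owned by the certificate.` and state that the function returns SECFailure with SEC_ERROR_INVALID_ARGS when either argument is NULL.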
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1309,16 +1309,27 @@ CERT_DupCertificate(CERTCertificate *c)
 {
     if (c) {
         NSSCertificate *tmp = STAN_GetNSSCertificate(c);
         nssCertificate_AddRef(tmp);
     }
     return c;
 }
 
+SECStatus
+CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der)
+{
+    if (!c || !der) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *der = c->derCert;
+    return SECSuccess;
+}
+
 /*
  * Allow use of default cert database, so that apps(such as mozilla) don't
  * have to pass the handle all over the place.
  */
 static CERTCertDBHandle *default_cert_db_handle = 0;
 
 void
 CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
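Review bot: On the failure path `CERT_GetCertificateDer` leaves `*der` untouched, so a caller that passes an uninitialised `SECItem` (as the new GetCertDerBad test does) and ignores the return value goes on to use indeterminate `data` and `len`. Clearing the out-param when `der` is non-NULL before returning SECFailure, e.g. `if (der) { der->data = NULL; der->len = 0; }`, makes that misuse fail predictably. Note also that the parameter is `const CERTCertificate *` while the returned `SECItem` exposes a non-const pointer into the certificate, so the const qualifier does not protect the DER bytes from modification.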
--- a/security/nss/lib/freebl/blinit.c
+++ b/security/nss/lib/freebl/blinit.c
@@ -87,33 +87,42 @@ CheckX86CPUSupport()
     avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
                    disable_avx == NULL;
     ssse3_support_ = (PRBool)((ecx & ECX_SSSE3) != 0 &&
                               disable_ssse3 == NULL);
 }
 #endif /* NSS_X86_OR_X64 */
 
 /* clang-format off */
-#if (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
+#if defined(__aarch64__) || defined(__arm__)
 #ifndef __has_include
 #define __has_include(x) 0
 #endif
 #if (__has_include(<sys/auxv.h>) || defined(__linux__)) && \
     defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
+/* This might be conflict with host compiler */
+#if !defined(__ANDROID__)
 #include <sys/auxv.h>
+#endif
 extern unsigned long getauxval(unsigned long type) __attribute__((weak));
 #else
 static unsigned long (*getauxval)(unsigned long) = NULL;
-#define AT_HWCAP2 0
-#define AT_HWCAP 0
 #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/
-#endif /* (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) */
+
+#ifndef AT_HWCAP2
+#define AT_HWCAP2 26
+#endif
+#ifndef AT_HWCAP
+#define AT_HWCAP 16
+#endif
+
+#endif /* defined(__aarch64__) || defined(__arm__) */
 /* clang-format on */
 
-#if defined(__aarch64__) && !defined(__ANDROID__)
+#if defined(__aarch64__)
 // Defines from hwcap.h in Linux kernel - ARM64
 #ifndef HWCAP_AES
 #define HWCAP_AES (1 << 3)
 #endif
 #ifndef HWCAP_PMULL
 #define HWCAP_PMULL (1 << 4)
 #endif
 #ifndef HWCAP_SHA1
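Review bot: The fallback definitions `AT_HWCAP2 26` and `AT_HWCAP 16` are now live values passed to `getauxval` whenever `<sys/auxv.h>` is not included (the Android case added here), yet nothing records where the numbers come from. A short comment such as `/* Linux auxv keys (AT_HWCAP = 16, AT_HWCAP2 = 26); used when <sys/auxv.h> is not included. */` would make it clear they are ABI constants and not placeholders like the zeros they replace. The comment "This might be conflict with host compiler" would also be easier to act on if it named the actual conflict that makes the include unsafe on Android.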
@@ -133,19 +142,19 @@ CheckARMSupport()
         arm_aes_support_ = hwcaps & HWCAP_AES && disable_hw_aes == NULL;
         arm_pmull_support_ = hwcaps & HWCAP_PMULL;
         arm_sha1_support_ = hwcaps & HWCAP_SHA1;
         arm_sha2_support_ = hwcaps & HWCAP_SHA2;
     }
     /* aarch64 must support NEON. */
     arm_neon_support_ = disable_arm_neon == NULL;
 }
-#endif /* defined(__aarch64__) && !defined(__ANDROID__) */
+#endif /* defined(__aarch64__) */
 
-#if defined(__arm__) && !defined(__ANDROID__)
+#if defined(__arm__)
 // Defines from hwcap.h in Linux kernel - ARM
 /*
  * HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP
  */
 #ifndef HWCAP_NEON
 #define HWCAP_NEON (1 << 12)
 #endif
 
@@ -160,33 +169,68 @@ CheckARMSupport()
 #endif
 #ifndef HWCAP2_SHA1
 #define HWCAP2_SHA1 (1 << 2)
 #endif
 #ifndef HWCAP2_SHA2
 #define HWCAP2_SHA2 (1 << 3)
 #endif
 
+PRBool
+GetNeonSupport()
+{
+    char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
+    if (disable_arm_neon) {
+        return PR_FALSE;
+    }
+#if defined(__ARM_NEON) || defined(__ARM_NEON__)
+    // Compiler generates NEON instruction as default option.
+    // If no getauxval, compiler generate NEON instruction by default,
+    // we should allow NOEN support.
+    return PR_TRUE;
+#elif !defined(__ANDROID__)
+    // Android's cpu-features.c detects features by the following logic
+    //
+    // - Call getauxval(AT_HWCAP)
+    // - Parse /proc/self/auxv if getauxval is nothing or returns 0
+    // - Parse /proc/cpuinfo if both cannot detect features
+    //
+    // But we don't use it for Android since Android document
+    // (https://developer.android.com/ndk/guides/cpu-features) says
+    // one problem with AT_HWCAP sometimes devices (Nexus 4 and emulator)
+    // are mistaken for IDIV.
+    if (getauxval) {
+        return (getauxval(AT_HWCAP) & HWCAP_NEON);
+    }
+#endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */
+    return PR_FALSE;
+}
+
 void
 CheckARMSupport()
 {
-    char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
     if (getauxval) {
+        // Android's cpu-features.c uses AT_HWCAP2 for newer features.
+        // AT_HWCAP2 is implemented on newer devices / kernel, so we can trust
+        // it since cpu-features.c doesn't have workaround / fallback.
+        // Also, AT_HWCAP2 is supported by glibc 2.18+ on Linux/arm, If
+        // AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will
+        // returns 0.
         long hwcaps = getauxval(AT_HWCAP2);
         arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL;
         arm_pmull_support_ = hwcaps & HWCAP2_PMULL;
         arm_sha1_support_ = hwcaps & HWCAP2_SHA1;
         arm_sha2_support_ = hwcaps & HWCAP2_SHA2;
-        arm_neon_support_ = hwcaps & HWCAP_NEON && disable_arm_neon == NULL;
     }
+    arm_neon_support_ = GetNeonSupport();
 }
-#endif /* defined(__arm__) && !defined(__ANDROID__) */
+#endif /* defined(__arm__) */
 
-// Enable when Firefox can use it.
+// Enable when Firefox can use it for Android API 16 and 17.
 // #if defined(__ANDROID__) && (defined(__arm__) || defined(__aarch64__))
 // #include <cpu-features.h>
 // void
 // CheckARMSupport()
 // {
 //     char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
 //     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
 //     AndroidCpuFamily family = android_getCpuFamily();
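Review bot: `GetNeonSupport` is defined with external linkage and an empty parameter list, which adds an unprefixed global symbol to freebl; unless another file calls it, `static PRBool GetNeonSupport(void)` is the safer declaration. It also returns the raw mask `getauxval(AT_HWCAP) & HWCAP_NEON` as a `PRBool`, and that value is then stored in `arm_neon_support_`; `return (getauxval(AT_HWCAP) & HWCAP_NEON) ? PR_TRUE : PR_FALSE;` keeps the flag a real boolean. The comment under `#if defined(__ARM_NEON)` says the same thing twice and misspells NEON as "NOEN"; it could read `// The compiler already emits NEON instructions for this build, so NEON must be available at run time.` The commented-out Android `CheckARMSupport` continues outside the hunk.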
@@ -257,17 +301,17 @@ arm_sha2_support()
     return arm_sha2_support_;
 }
 
 static PRStatus
 FreeblInit(void)
 {
 #ifdef NSS_X86_OR_X64
     CheckX86CPUSupport();
-#elif (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
+#elif (defined(__aarch64__) || defined(__arm__))
     CheckARMSupport();
 #endif
     return PR_SUCCESS;
 }
 
 SECStatus
 BL_Init()
 {
--- a/security/nss/lib/freebl/crypto_primitives.c
+++ b/security/nss/lib/freebl/crypto_primitives.c
@@ -17,17 +17,17 @@
 __inline__ PRUint64
 swap8b(PRUint64 value)
 {
     __asm__("bswapq %0"
             : "+r"(value));
     return (value);
 }
 
-#elif !defined(_MSC_VER)
+#elif !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64)
 
 PRUint64
 swap8b(PRUint64 x)
 {
     PRUint64 t1 = x;
     t1 = ((t1 & SHA_MASK8) << 8) | ((t1 >> 8) & SHA_MASK8);
     t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16);
     return (t1 >> 32) | (t1 << 32);
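Review bot: The generic `swap8b` here is still compiled whenever the compiler is not MSVC and lacks `__builtin_bswap64`, but this commit moves the `SHA_MASK8` / `SHA_MASK16` definitions in crypto_primitives.h inside `#if defined(IS_LITTLE_ENDIAN)`. On a big-endian target built with a compiler that has no `__has_builtin` (the header then defines it to 0), this function would reference undefined macros, unless a guard above line 17, outside the hunk, already excludes it. Extending the condition to `#elif defined(IS_LITTLE_ENDIAN) && !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64)` would keep the two files in step. The function body continues past the end of the hunk.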
--- a/security/nss/lib/freebl/crypto_primitives.h
+++ b/security/nss/lib/freebl/crypto_primitives.h
@@ -6,16 +6,21 @@
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include <stdlib.h>
 #include "prtypes.h"
 
+/* For non-clang platform */
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
 /* Unfortunately this isn't always set when it should be. */
 #if defined(HAVE_LONG_LONG)
 
 /*
  * ROTR64/ROTL64(x, n): rotate a 64-bit integer x by n bites to the right/left.
  */
 #if defined(_MSC_VER)
 #pragma intrinsic(_rotr64, _rotl64)
@@ -24,28 +29,37 @@
 #else
 #define ROTR64(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
 #define ROTL64(x, n) (((x) << (n)) | ((x) >> (64 - (n))))
 #endif
 
 /*
  * FREEBL_HTONLL(x): swap bytes in a 64-bit integer.
  */
+#if defined(IS_LITTLE_ENDIAN)
 #if defined(_MSC_VER)
 
 #pragma intrinsic(_byteswap_uint64)
 #define FREEBL_HTONLL(x) _byteswap_uint64(x)
 
+#elif __has_builtin(__builtin_bswap64)
+
+#define FREEBL_HTONLL(x) __builtin_bswap64(x)
+
 #elif defined(__GNUC__) && (defined(__x86_64__) || defined(__x86_64))
 
 PRUint64 swap8b(PRUint64 value);
 #define FREEBL_HTONLL(x) swap8b(x)
 
 #else
 
 #define SHA_MASK16 0x0000FFFF0000FFFFULL
 #define SHA_MASK8 0x00FF00FF00FF00FFULL
 PRUint64 swap8b(PRUint64 x);
 #define FREEBL_HTONLL(x) swap8b(x)
 
 #endif /* _MSC_VER */
 
-#endif /* HAVE_LONG_LONG */
\ No newline at end of file
+#else /* IS_LITTLE_ENDIAN */
+#define FREEBL_HTONLL(x) (x)
+#endif
+
+#endif /* HAVE_LONG_LONG */
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -71,21 +71,21 @@
           'cflags_mozilla': [
             '-mssse3'
           ],
           # GCC doesn't define this.
           'defines': [
             '__SSSE3__',
           ],
         }],
-        [ 'OS=="android"', {
-          # On Android we can't use any of the hardware acceleration :(
-          'defines!': [
-            '__ARM_NEON__',
-            '__ARM_NEON',
+        [ 'target_arch=="arm"', {
+          # Gecko doesn't support non-NEON platform on Android, but tier-3
+          # platform such as Linux/arm will need it
+          'cflags_mozilla': [
+            '-mfpu=neon'
           ],
         }],
       ],
     },
     {
       'target_name': 'gcm-aes-x86_c_lib',
       'type': 'static_library',
       'sources': [
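Review bot: Adding `-mfpu=neon` for every `target_arch=="arm"` build makes the compiler define `__ARM_NEON` and lets it emit NEON instructions anywhere in this target, not only in the hand-written NEON code. If blinit.c is built with these flags, the new `GetNeonSupport` takes its compile-time branch and returns PR_TRUE without consulting `getauxval`, so `NSS_DISABLE_ARM_NEON` becomes the only run-time control, and a 32-bit ARM CPU without NEON could fault on the first such instruction. The target this condition belongs to starts above the hunk, so its scope is not visible here; the comment should name that target and say that non-NEON ARM CPUs are not supported by Gecko builds with this flag.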
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1140,8 +1140,14 @@ CERT_GetCertKeyType;
 ;+       *;
 ;+};
 ;+NSS_3.43 { 	# NSS 3.43 release
 ;+    global:
 HASH_GetHashOidTagByHashType;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.44 { 	# NSS 3.44 release
+;+    global:
+CERT_GetCertificateDer;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -17,22 +17,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.43" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.44" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 43
+#define NSS_VMINOR 44
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@@ -487,24 +487,26 @@ loser:
 typedef struct {
     PLArenaPool *arena;
     SECItem cert;
 } collect_args;
 
 static SECStatus
 collect_certs(void *arg, SECItem **certs, int numcerts)
 {
-    SECStatus rv;
-    collect_args *collectArgs;
-
-    collectArgs = (collect_args *)arg;
-
-    rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
-
-    return (rv);
+    collect_args *collectArgs = (collect_args *)arg;
+    if (!collectArgs || !collectArgs->arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    if (numcerts < 1 || !certs || !*certs) {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECFailure;
+    }
+    return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
 }
 
 /*
  * read an old style ascii or binary certificate
  */
 CERTCertificate *
 CERT_DecodeCertFromPackage(char *certbuf, int certlen)
 {
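Review bot: `collect_certs` now rejects an empty or NULL certificate array instead of dereferencing `*certs`, but it has no comment recording that contract. A header comment such as `/* Callback for CERT_DecodeCertPackage: copies only the first certificate into collectArgs->cert; an empty package is reported as SEC_ERROR_BAD_DER. */` would document both the "first certificate only" behaviour and the error code that the new EmptyCertPackage test depends on. The body of `CERT_DecodeCertFromPackage` lies outside the hunk, so how it handles the failure is not visible here.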
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -853,82 +853,98 @@ sdb_FindObjectsFinal(SDB *sdb, SDBFind *
         sdb_closeDBLocal(sdb_p, sqlDB);
     }
     PORT_Free(sdbFind);
 
     UNLOCK_SQLITE()
     return sdb_mapSQLError(sdb_p->type, sqlerr);
 }
 
-static const char GET_ATTRIBUTE_CMD[] = "SELECT ALL %s FROM %s WHERE id=$ID;";
 CK_RV
 sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
                             CK_ATTRIBUTE *template, CK_ULONG count)
 {
     SDBPrivate *sdb_p = sdb->private;
     sqlite3 *sqlDB = NULL;
     sqlite3_stmt *stmt = NULL;
-    char *getStr = NULL;
-    char *newStr = NULL;
     const char *table = NULL;
     int sqlerr = SQLITE_OK;
     CK_RV error = CKR_OK;
     int found = 0;
     int retry = 0;
     unsigned int i;
 
+    if (count == 0) {
+        error = CKR_OBJECT_HANDLE_INVALID;
+        goto loser;
+    }
+
     /* open a new db if necessary */
     error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
     if (error != CKR_OK) {
         goto loser;
     }
 
+    char *columns = NULL;
     for (i = 0; i < count; i++) {
-        getStr = sqlite3_mprintf("a%x", template[i].type);
-
-        if (getStr == NULL) {
-            error = CKR_HOST_MEMORY;
-            goto loser;
+        char *newColumns;
+        if (columns) {
+            newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type);
+            sqlite3_free(columns);
+            columns = NULL;
+        } else {
+            newColumns = sqlite3_mprintf("a%x", template[i].type);
         }
-
-        newStr = sqlite3_mprintf(GET_ATTRIBUTE_CMD, getStr, table);
-        sqlite3_free(getStr);
-        getStr = NULL;
-        if (newStr == NULL) {
+        if (!newColumns) {
             error = CKR_HOST_MEMORY;
             goto loser;
         }
+        columns = newColumns;
+    }
+    if (!columns) {
+        error = CKR_OBJECT_HANDLE_INVALID;
+        goto loser;
+    }
 
-        sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
-        sqlite3_free(newStr);
-        newStr = NULL;
-        if (sqlerr == SQLITE_ERROR) {
-            template[i].ulValueLen = -1;
-            error = CKR_ATTRIBUTE_TYPE_INVALID;
-            continue;
-        } else if (sqlerr != SQLITE_OK) {
-            goto loser;
-        }
+    char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;",
+                                      columns, table);
+    sqlite3_free(columns);
+    columns = NULL;
+    if (!statement) {
+        error = CKR_HOST_MEMORY;
+        goto loser;
+    }
 
-        sqlerr = sqlite3_bind_int(stmt, 1, object_id);
-        if (sqlerr != SQLITE_OK) {
-            goto loser;
-        }
+    sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
+    sqlite3_free(statement);
+    statement = NULL;
+    if (sqlerr != SQLITE_OK) {
+        goto loser;
+    }
 
-        do {
-            sqlerr = sqlite3_step(stmt);
-            if (sqlerr == SQLITE_BUSY) {
-                PR_Sleep(SDB_BUSY_RETRY_TIME);
-            }
-            if (sqlerr == SQLITE_ROW) {
+    // NB: indices in sqlite3_bind_int are 1-indexed
+    sqlerr = sqlite3_bind_int(stmt, 1, object_id);
+    if (sqlerr != SQLITE_OK) {
+        goto loser;
+    }
+
+    do {
+        sqlerr = sqlite3_step(stmt);
+        if (sqlerr == SQLITE_BUSY) {
+            PR_Sleep(SDB_BUSY_RETRY_TIME);
+        }
+        if (sqlerr == SQLITE_ROW) {
+            PORT_Assert(!found);
+            for (i = 0; i < count; i++) {
                 unsigned int blobSize;
                 const char *blobData;
 
-                blobSize = sqlite3_column_bytes(stmt, 0);
-                blobData = sqlite3_column_blob(stmt, 0);
+                // NB: indices in sqlite_column_{bytes,blob} are 0-indexed
+                blobSize = sqlite3_column_bytes(stmt, i);
+                blobData = sqlite3_column_blob(stmt, i);
                 if (blobData == NULL) {
                     template[i].ulValueLen = -1;
                     error = CKR_ATTRIBUTE_TYPE_INVALID;
                     break;
                 }
                 /* If the blob equals our explicit NULL value, then the
                  * attribute is a NULL. */
                 if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) &&
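Review bot: Folding all attributes into one `SELECT` changes the per-attribute error reporting in `sdb_GetAttributeValueNoLock`. Previously a `SQLITE_ERROR` from `sqlite3_prepare_v2` set `template[i].ulValueLen = -1` and `CKR_ATTRIBUTE_TYPE_INVALID` for that one attribute and the loop went on to the rest; now any prepare failure for the combined statement jumps to `loser` with no template entry marked and none filled. Inside the row loop, the `break` on `blobData == NULL` (and the `CKR_BUFFER_TOO_SMALL` one in the next hunk) now exits only the `for`, so attributes after index `i` keep whatever `ulValueLen` the caller passed in; using `continue` there would keep processing them. The `count == 0` early exit and the final `!columns` check return `CKR_OBJECT_HANDLE_INVALID` although the handle was never looked up, and `columns` and `statement` are declared mid-function after a `goto loser`, unlike the other locals declared at the top. The function continues into the following hunk.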
@@ -940,23 +956,23 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK
                     if (template[i].ulValueLen < blobSize) {
                         template[i].ulValueLen = -1;
                         error = CKR_BUFFER_TOO_SMALL;
                         break;
                     }
                     PORT_Memcpy(template[i].pValue, blobData, blobSize);
                 }
                 template[i].ulValueLen = blobSize;
-                found = 1;
             }
-        } while (!sdb_done(sqlerr, &retry));
-        sqlite3_reset(stmt);
-        sqlite3_finalize(stmt);
-        stmt = NULL;
-    }
+            found = 1;
+        }
+    } while (!sdb_done(sqlerr, &retry));
+    sqlite3_reset(stmt);
+    sqlite3_finalize(stmt);
+    stmt = NULL;
 
 loser:
     /* fix up the error if necessary */
     if (error == CKR_OK) {
         error = sdb_mapSQLError(sdb_p->type, sqlerr);
         if (!found && error == CKR_OK) {
             error = CKR_OBJECT_HANDLE_INVALID;
         }
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -854,217 +854,156 @@ sftkdb_PWCached(SFTKDBHandle *keydb)
 {
     return keydb->passwordKey.data ? SECSuccess : SECFailure;
 }
 
 static CK_RV
 sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
                 CK_OBJECT_HANDLE id, SECItem *newKey)
 {
-    CK_ATTRIBUTE authAttrs[] = {
-        { CKA_MODULUS, NULL, 0 },
-        { CKA_PUBLIC_EXPONENT, NULL, 0 },
-        { CKA_CERT_SHA1_HASH, NULL, 0 },
-        { CKA_CERT_MD5_HASH, NULL, 0 },
-        { CKA_TRUST_SERVER_AUTH, NULL, 0 },
-        { CKA_TRUST_CLIENT_AUTH, NULL, 0 },
-        { CKA_TRUST_EMAIL_PROTECTION, NULL, 0 },
-        { CKA_TRUST_CODE_SIGNING, NULL, 0 },
-        { CKA_TRUST_STEP_UP_APPROVED, NULL, 0 },
-        { CKA_NSS_OVERRIDE_EXTENSIONS, NULL, 0 },
-    };
-    CK_ULONG authAttrCount = sizeof(authAttrs) / sizeof(CK_ATTRIBUTE);
-    unsigned int i, count;
     SFTKDBHandle *keyHandle = handle;
     SDB *keyTarget = NULL;
-
-    id &= SFTK_OBJ_ID_MASK;
-
     if (handle->type != SFTK_KEYDB_TYPE) {
         keyHandle = handle->peerDB;
     }
-
     if (keyHandle == NULL) {
         return CKR_OK;
     }
-
-    /* old DB's don't have meta data, finished with MACs */
+    // Old DBs don't have metadata, so we can return early here.
     keyTarget = SFTK_GET_SDB(keyHandle);
     if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
         return CKR_OK;
     }
 
-    /*
-     * STEP 1: find the MACed attributes of this object
-     */
-    (void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
-    count = 0;
-    /* allocate space for the attributes */
-    for (i = 0; i < authAttrCount; i++) {
-        if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) {
+    id &= SFTK_OBJ_ID_MASK;
+
+    CK_ATTRIBUTE_TYPE authAttrTypes[] = {
+        CKA_MODULUS,
+        CKA_PUBLIC_EXPONENT,
+        CKA_CERT_SHA1_HASH,
+        CKA_CERT_MD5_HASH,
+        CKA_TRUST_SERVER_AUTH,
+        CKA_TRUST_CLIENT_AUTH,
+        CKA_TRUST_EMAIL_PROTECTION,
+        CKA_TRUST_CODE_SIGNING,
+        CKA_TRUST_STEP_UP_APPROVED,
+        CKA_NSS_OVERRIDE_EXTENSIONS,
+    };
+    const CK_ULONG authAttrTypeCount = sizeof(authAttrTypes) / sizeof(authAttrTypes[0]);
+
+    // We don't know what attributes this object has, so we update them one at a
+    // time.
+    unsigned int i;
+    for (i = 0; i < authAttrTypeCount; i++) {
+        CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 };
+        CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+        if (rv != CKR_OK) {
+            continue;
+        }
+        if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
             continue;
         }
-        count++;
-        authAttrs[i].pValue = PORT_ArenaAlloc(arena, authAttrs[i].ulValueLen);
-        if (authAttrs[i].pValue == NULL) {
-            break;
+        authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen);
+        if (authAttr.pValue == NULL) {
+            return CKR_HOST_MEMORY;
+        }
+        rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+        if (rv != CKR_OK) {
+            return rv;
         }
-    }
-
-    /* if count was zero, none were found, finished with MACs */
-    if (count == 0) {
-        return CKR_OK;
-    }
-
-    (void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
-    /* ignore error code, we expect some possible errors */
-
-    /* GetAttributeValue just verified the old macs, safe to write
-     * them out then... */
-    for (i = 0; i < authAttrCount; i++) {
+        if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+            return CKR_GENERAL_ERROR;
+        }
+        // GetAttributeValue just verified the old macs, so it is safe to write
+        // them out now.
+        if (authAttr.ulValueLen == sizeof(CK_ULONG) &&
+            sftkdb_isULONGAttribute(authAttr.type)) {
+            CK_ULONG value = *(CK_ULONG *)authAttr.pValue;
+            sftk_ULong2SDBULong(authAttr.pValue, value);
+            authAttr.ulValueLen = SDB_ULONG_SIZE;
+        }
         SECItem *signText;
         SECItem plainText;
-        SECStatus rv;
-
-        if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) {
-            continue;
-        }
-
-        if (authAttrs[i].ulValueLen == sizeof(CK_ULONG) &&
-            sftkdb_isULONGAttribute(authAttrs[i].type)) {
-            CK_ULONG value = *(CK_ULONG *)authAttrs[i].pValue;
-            sftk_ULong2SDBULong(authAttrs[i].pValue, value);
-            authAttrs[i].ulValueLen = SDB_ULONG_SIZE;
-        }
-
-        plainText.data = authAttrs[i].pValue;
-        plainText.len = authAttrs[i].ulValueLen;
-        rv = sftkdb_SignAttribute(arena, newKey, id,
-                                  authAttrs[i].type, &plainText, &signText);
-        if (rv != SECSuccess) {
+        plainText.data = authAttr.pValue;
+        plainText.len = authAttr.ulValueLen;
+        if (sftkdb_SignAttribute(arena, newKey, id, authAttr.type, &plainText,
+                                 &signText) != SECSuccess) {
             return CKR_GENERAL_ERROR;
         }
-        rv = sftkdb_PutAttributeSignature(handle, keyTarget, id,
-                                          authAttrs[i].type, signText);
-        if (rv != SECSuccess) {
+        if (sftkdb_PutAttributeSignature(handle, keyTarget, id, authAttr.type,
+                                         signText) != SECSuccess) {
             return CKR_GENERAL_ERROR;
         }
     }
 
     return CKR_OK;
 }
 
 static CK_RV
 sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
                      CK_OBJECT_HANDLE id, SECItem *newKey)
 {
-    CK_RV crv = CKR_OK;
-    CK_RV crv2;
-    CK_ATTRIBUTE *first, *last;
-    CK_ATTRIBUTE privAttrs[] = {
-        { CKA_VALUE, NULL, 0 },
-        { CKA_PRIVATE_EXPONENT, NULL, 0 },
-        { CKA_PRIME_1, NULL, 0 },
-        { CKA_PRIME_2, NULL, 0 },
-        { CKA_EXPONENT_1, NULL, 0 },
-        { CKA_EXPONENT_2, NULL, 0 },
-        { CKA_COEFFICIENT, NULL, 0 }
+    CK_ATTRIBUTE_TYPE privAttrTypes[] = {
+        CKA_VALUE,
+        CKA_PRIVATE_EXPONENT,
+        CKA_PRIME_1,
+        CKA_PRIME_2,
+        CKA_EXPONENT_1,
+        CKA_EXPONENT_2,
+        CKA_COEFFICIENT,
     };
-    CK_ULONG privAttrCount = sizeof(privAttrs) / sizeof(CK_ATTRIBUTE);
-    unsigned int i, count;
-
-    /*
-     * STEP 1. Read the old attributes in the clear.
-     */
+    const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
 
-    /* Get the attribute sizes.
-     *  ignore the error code, we will have unknown attributes here */
-    crv2 = sftkdb_GetAttributeValue(keydb, id, privAttrs, privAttrCount);
-
-    /*
-     * find the valid block of attributes and fill allocate space for
-     * their data */
-    first = last = NULL;
+    // We don't know what attributes this object has, so we update them one at a
+    // time.
+    unsigned int i;
     for (i = 0; i < privAttrCount; i++) {
-        /* find the block of attributes that are appropriate for this
-          * objects. There should only be once contiguous block, if not
-          * there's an error.
-          *
-          * find the first and last good entry.
-          */
-        if ((privAttrs[i].ulValueLen == -1) || (privAttrs[i].ulValueLen == 0)) {
-            if (!first)
-                continue;
-            if (!last) {
-                /* previous entry was last good entry */
-                last = &privAttrs[i - 1];
-            }
+        // Read the old attribute in the clear.
+        CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
+        CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+        if (crv != CKR_OK) {
+            continue;
+        }
+        if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
             continue;
         }
-        if (!first) {
-            first = &privAttrs[i];
+        privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen);
+        if (privAttr.pValue == NULL) {
+            return CKR_HOST_MEMORY;
+        }
+        crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+        if (crv != CKR_OK) {
+            return crv;
+        }
+        if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+            return CKR_GENERAL_ERROR;
         }
-        if (last) {
-            /* OOPS, we've found another good entry beyond the end of the
-             * last good entry, we need to fail here. */
-            crv = CKR_GENERAL_ERROR;
-            break;
+        SECItem plainText;
+        SECItem *result;
+        plainText.data = privAttr.pValue;
+        plainText.len = privAttr.ulValueLen;
+        if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) {
+            return CKR_GENERAL_ERROR;
         }
-        privAttrs[i].pValue = PORT_ArenaAlloc(arena, privAttrs[i].ulValueLen);
-        if (privAttrs[i].pValue == NULL) {
-            crv = CKR_HOST_MEMORY;
-            break;
+        privAttr.pValue = result->data;
+        privAttr.ulValueLen = result->len;
+        // Clear sensitive data.
+        PORT_Memset(plainText.data, 0, plainText.len);
+
+        // Write the newly encrypted attributes out directly.
+        CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
+        keydb->newKey = newKey;
+        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
+        keydb->newKey = NULL;
+        if (crv != CKR_OK) {
+            return crv;
         }
     }
-    if (first == NULL) {
-        /* no valid entries found, return error based on crv2 */
-        return crv2;
-    }
-    if (last == NULL) {
-        last = &privAttrs[privAttrCount - 1];
-    }
-    if (crv != CKR_OK) {
-        return crv;
-    }
-    /* read the attributes */
-    count = (last - first) + 1;
-    crv = sftkdb_GetAttributeValue(keydb, id, first, count);
-    if (crv != CKR_OK) {
-        return crv;
-    }
 
-    /*
-     * STEP 2: read the encrypt the attributes with the new key.
-     */
-    for (i = 0; i < count; i++) {
-        SECItem plainText;
-        SECItem *result;
-        SECStatus rv;
-
-        plainText.data = first[i].pValue;
-        plainText.len = first[i].ulValueLen;
-        rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result);
-        if (rv != SECSuccess) {
-            return CKR_GENERAL_ERROR;
-        }
-        first[i].pValue = result->data;
-        first[i].ulValueLen = result->len;
-        /* clear our sensitive data out */
-        PORT_Memset(plainText.data, 0, plainText.len);
-    }
-
-    /*
-     * STEP 3: write the newly encrypted attributes out directly
-     */
-    id &= SFTK_OBJ_ID_MASK;
-    keydb->newKey = newKey;
-    crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count);
-    keydb->newKey = NULL;
-
-    return crv;
+    return CKR_OK;
 }
 
 static CK_RV
 sftk_convertAttributes(SFTKDBHandle *handle,
                        CK_OBJECT_HANDLE id, SECItem *newKey)
 {
     CK_RV crv = CKR_OK;
     PLArenaPool *arena = NULL;
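Review bot: In both rewritten loops the size probe treats every failure as "attribute not present": `if (rv != CKR_OK) { continue; }` in sftk_updateMacs and the matching `crv` check in sftk_updateEncrypted skip the attribute whatever the error was. If the probe fails for another reason, such as a database error, the function still returns CKR_OK and that attribute keeps its MAC or ciphertext under the old key. Each call now asks for a single attribute, so the absent case can be told apart, e.g. `if (rv == CKR_ATTRIBUTE_TYPE_INVALID) { continue; }` followed by `if (rv != CKR_OK) { return rv; }`. Which codes sftkdb_GetAttributeValue returns for a missing attribute is not shown here and should be confirmed first. The hunk ends inside sftk_convertAttributes, so how the caller handles a partially converted object is not visible.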
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -12,16 +12,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.43" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.44" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 43
+#define SOFTOKEN_VMINOR 44
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_FALSE
+#define SOFTOKEN_BETA PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -8620,16 +8620,55 @@ ssl3_HandleClientHello(sslSocket *ss, PR
 alert_loser:
     (void)SSL3_SendAlert(ss, level, desc);
 /* FALLTHRU */
 loser:
     PORT_SetError(errCode);
     return SECFailure;
 }
 
+/* unwrap helper function to handle the case where the wrapKey doesn't wind
+ * up in the correct token for the master secret */
+PK11SymKey *
+ssl_unwrapSymKey(PK11SymKey *wrapKey,
+                 CK_MECHANISM_TYPE wrapType, SECItem *param,
+                 SECItem *wrappedKey,
+                 CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+                 int keySize, CK_FLAGS keyFlags, void *pinArg)
+{
+    PK11SymKey *unwrappedKey;
+
+    /* unwrap the master secret. */
+    unwrappedKey = PK11_UnwrapSymKeyWithFlags(wrapKey, wrapType, param,
+                                              wrappedKey, target, operation, keySize,
+                                              keyFlags);
+    if (!unwrappedKey) {
+        PK11SlotInfo *targetSlot = PK11_GetBestSlot(target, pinArg);
+        PK11SymKey *newWrapKey;
+
+        /* it's possible that we failed to unwrap because the wrapKey is in
+         * a slot that can't handle target. Move the wrapKey to a slot that
+         * can handle this mechanism and retry the operation */
+        if (targetSlot == NULL) {
+            return NULL;
+        }
+        newWrapKey = PK11_MoveSymKey(targetSlot, CKA_UNWRAP, 0,
+                                     PR_FALSE, wrapKey);
+        PK11_FreeSlot(targetSlot);
+        if (newWrapKey == NULL) {
+            return NULL;
+        }
+        unwrappedKey = PK11_UnwrapSymKeyWithFlags(newWrapKey, wrapType, param,
+                                                  wrappedKey, target, operation, keySize,
+                                                  keyFlags);
+        PK11_FreeSymKey(newWrapKey);
+    }
+    return unwrappedKey;
+}
+
 static SECStatus
 ssl3_UnwrapMasterSecretServer(sslSocket *ss, sslSessionID *sid, PK11SymKey **ms)
 {
     PK11SymKey *wrapKey;
     CK_FLAGS keyFlags = 0;
     SECItem wrappedMS = {
         siBuffer,
         sid->u.ssl3.keys.wrapped_master_secret,
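Review bot: The comment on ssl_unwrapSymKey does not state the helper's contract, and the inner `/* unwrap the master secret. */` is narrower than its use, since the tls13con.c hunk unwraps the resumption master secret through it. I would document that the caller keeps ownership of wrapKey and frees the returned key, and that NULL is returned on failure. It should also say that any first-attempt failure, not only the wrong-token case, sends the wrapping key through PK11_MoveSymKey into the slot chosen by `PK11_GetBestSlot(target, pinArg)` for one retry. The copy of this comment added in sslimpl.h has a stray ` *  * up in` on its second line, which should read ` * up in the correct token for the master secret */`. The hunk ends inside ssl3_UnwrapMasterSecretServer.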
@@ -8641,22 +8680,24 @@ ssl3_UnwrapMasterSecretServer(sslSocket 
     if (!wrapKey) {
         return SECFailure;
     }
 
     if (ss->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
         keyFlags = CKF_SIGN | CKF_VERIFY;
     }
 
-    /* unwrap the master secret. */
-    *ms = PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
-                                     NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
-                                     CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH, keyFlags);
+    *ms = ssl_unwrapSymKey(wrapKey, sid->u.ssl3.masterWrapMech, NULL,
+                           &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
+                           CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH,
+                           keyFlags, ss->pkcs11PinArg);
     PK11_FreeSymKey(wrapKey);
     if (!*ms) {
+        SSL_TRC(10, ("%d: SSL3[%d]: server wrapping key found, but couldn't unwrap MasterSecret. wrapMech=0x%0lx",
+                     SSL_GETPID(), ss->fd, sid->u.ssl3.masterWrapMech));
         return SECFailure;
     }
     return SECSuccess;
 }
 
 static SECStatus
 ssl3_HandleClientHelloPart2(sslSocket *ss,
                             SECItem *suites,
@@ -11869,17 +11910,17 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
                 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
             if (ss->ssl3.hs.header_bytes < 4)
                 continue;
 
 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
             if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
                 (void)ssl3_DecodeError(ss);
                 PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
-                return SECFailure;
+                goto loser;
             }
 #undef MAX_HANDSHAKE_MSG_LEN
 
             /* If msg_len is zero, be sure we fall through,
             ** even if buf.len is zero.
             */
             if (ss->ssl3.hs.msg_len > 0)
                 continue;
@@ -11894,30 +11935,30 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
             /* handle it from input buffer */
             rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len,
                                              buf.len == ss->ssl3.hs.msg_len);
             buf.buf += ss->ssl3.hs.msg_len;
             buf.len -= ss->ssl3.hs.msg_len;
             ss->ssl3.hs.msg_len = 0;
             ss->ssl3.hs.header_bytes = 0;
             if (rv != SECSuccess) {
-                return rv;
+                goto loser;
             }
         } else {
             /* must be copied to msg_body and dealt with from there */
             unsigned int bytes;
 
             PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
             bytes = PR_MIN(buf.len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
 
             /* Grow the buffer if needed */
             rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
             if (rv != SECSuccess) {
                 /* sslBuffer_Grow has set a memory error code. */
-                return SECFailure;
+                goto loser;
             }
 
             PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
                         buf.buf, bytes);
             ss->ssl3.hs.msg_body.len += bytes;
             buf.buf += bytes;
             buf.len -= bytes;
 
@@ -11927,27 +11968,38 @@ ssl3_HandleHandshake(sslSocket *ss, sslB
             if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
                 rv = ssl3_HandleHandshakeMessage(
                     ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len,
                     buf.len == 0);
                 ss->ssl3.hs.msg_body.len = 0;
                 ss->ssl3.hs.msg_len = 0;
                 ss->ssl3.hs.header_bytes = 0;
                 if (rv != SECSuccess) {
-                    return rv;
+                    goto loser;
                 }
             } else {
                 PORT_Assert(buf.len == 0);
                 break;
             }
         }
     } /* end loop */
 
     origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
     return SECSuccess;
+
+loser : {
+    /* Make sure to remove any data that was consumed. */
+    unsigned int consumed = origBuf->len - buf.len;
+    PORT_Assert(consumed == buf.buf - origBuf->buf);
+    if (consumed > 0) {
+        memmove(origBuf->buf, origBuf->buf + consumed, buf.len);
+        origBuf->len = buf.len;
+    }
+}
+    return SECFailure;
 }
 
 /* These macros return the given value with the MSB copied to all the other
  * bits. They use the fact that arithmetic shift shifts-in the sign bit.
  * However, this is not ensured by the C standard so you may need to replace
  * them with something else for odd compilers. */
 #define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1)))
 #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
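Review bot: The new `loser` block calls `memmove` directly while this function otherwise uses the PORT_ wrappers (`PORT_Memcpy` in the preceding hunk); `PORT_Memmove(origBuf->buf, origBuf->buf + consumed, buf.len);` would match. The invariant `consumed == buf.buf - origBuf->buf` compares an `unsigned int` with a pointer difference and is checked only by PORT_Assert, so I would write it as `PORT_Assert(consumed == (unsigned int)(buf.buf - origBuf->buf));`. The `goto loser` replacements in the two earlier hunks of this function all land here, and the comment could say why the handled bytes are dropped on failure, if the intent is that the caller must not see them again. The start of ssl3_HandleHandshake is outside the hunk, so how `buf` is initialised from `origBuf` is not visible.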
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1729,16 +1729,24 @@ PRBool ssl_AlpnTagAllowed(const sslSocke
 
 void ssl_Trace(const char *format, ...);
 
 void ssl_CacheExternalToken(sslSocket *ss);
 SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTicket,
                                     PRUint32 encodedTicketLen);
 PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid);
 
+/* unwrap helper function to handle the case where the wrapKey doesn't wind
+ *  * up in the correct token for the master secret */
+PK11SymKey *ssl_unwrapSymKey(PK11SymKey *wrapKey,
+                             CK_MECHANISM_TYPE wrapType, SECItem *param,
+                             SECItem *wrappedKey,
+                             CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+                             int keySize, CK_FLAGS keyFlags, void *pinArg);
+
 /* Remove when stable. */
 
 SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd,
                                             SSLResumptionTokenCallback cb,
                                             void *ctx);
 SECStatus SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
                                     unsigned int len);
 
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -976,23 +976,23 @@ tls13_RecoverWrappedSharedSecret(sslSock
     if (!wrapKey) {
         return SECFailure;
     }
 
     wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
     wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
 
     /* unwrap the "master secret" which is actually RMS. */
-    ss->ssl3.hs.resumptionMasterSecret = PK11_UnwrapSymKeyWithFlags(
+    ss->ssl3.hs.resumptionMasterSecret = ssl_unwrapSymKey(
         wrapKey, sid->u.ssl3.masterWrapMech,
         NULL, &wrappedMS,
         CKM_SSL3_MASTER_KEY_DERIVE,
         CKA_DERIVE,
         tls13_GetHashSizeForHash(hashType),
-        CKF_SIGN | CKF_VERIFY);
+        CKF_SIGN | CKF_VERIFY, ss->pkcs11PinArg);
     PK11_FreeSymKey(wrapKey);
     if (!ss->ssl3.hs.resumptionMasterSecret) {
         return SECFailure;
     }
 
     PRINT_KEY(50, (ss, "Recovered RMS", ss->ssl3.hs.resumptionMasterSecret));
 
     return SECSuccess;
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.43"
+#define NSSUTIL_VERSION "3.44 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 43
+#define NSSUTIL_VMINOR 44
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_FALSE
+#define NSSUTIL_BETA PR_TRUE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
 
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -312,17 +312,17 @@ cert_create_cert()
 #     generate request
 #     sign request
 #     import Cert
 #
 ########################################################################
 cert_add_cert()
 {
     CU_ACTION="Generate Cert Request for $CERTNAME"
-    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
     if [ "$RET" -ne 0 ]; then
         return $RET
     fi
 
     CU_ACTION="Sign ${CERTNAME}'s Request"
     certu -C -c "TestCA" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
           -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
@@ -338,17 +338,17 @@ cert_add_cert()
     fi
 
     cert_log "SUCCESS: $CERTNAME's Cert Created"
 
 #
 #   Generate and add DSA cert
 #
 	CU_ACTION="Generate DSA Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s DSA Request"
 	certu -C -c "TestCA-dsa" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
@@ -362,17 +362,17 @@ cert_add_cert()
 	    -f "${R_PWFILE}" -i "${CERTNAME}-dsa.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 	cert_log "SUCCESS: $CERTNAME's DSA Cert Created"
 
 #    Generate DSA certificate signed with RSA
 	CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s DSA Request with RSA"
 # Avoid conflicting serial numbers with TestCA issuer by keeping
@@ -393,17 +393,17 @@ cert_add_cert()
 	fi
 	cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
 
 #
 #   Generate and add EC cert
 #
 	CURVE="secp384r1"
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s EC Request"
 	certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
@@ -417,17 +417,17 @@ cert_add_cert()
 	    -f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 	cert_log "SUCCESS: $CERTNAME's EC Cert Created"
 
 #    Generate EC certificate signed with RSA
 	CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 	CU_ACTION="Sign ${CERTNAME}'s EC Request with RSA"
 # Avoid conflicting serial numbers with TestCA issuer by keeping
@@ -450,17 +450,17 @@ cert_add_cert()
 
 	echo "Importing RSA-PSS server certificate"
 	pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
 	# Let's get the key ID of the imported private key.
 	KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
 		grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
 
 	CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
 	-z "${R_NOISE_FILE}" -o req 2>&1
 
 	CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
 	NEWSERIAL=`expr ${CERTSERIAL} + 30000`
 	certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
 	      -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
 
@@ -868,35 +868,35 @@ cert_smime_client()
 
   echo "$SCRIPTNAME: Creating Dave's Certificate -------------------------"
   cert_create_cert "${DAVEDIR}" Dave 50 ${D_DAVE}
 
 ## XXX With this new script merging ECC and non-ECC tests, the
 ## call to cert_create_cert ends up creating two separate certs
 ## one for Eve and another for Eve-ec but they both end up with
 ## the same Subject Alt Name Extension, i.e., both the cert for
-## Eve@bogus.com and the cert for Eve-ec@bogus.com end up 
-## listing eve@bogus.net in the Certificate Subject Alt Name extension. 
+## Eve@example.com and the cert for Eve-ec@example.com end up 
+## listing eve@example.net in the Certificate Subject Alt Name extension. 
 ## This can cause a problem later when cmsutil attempts to create
 ## enveloped data and accidently picks up the ECC cert (NSS currently
 ## does not support ECC for enveloped data creation). This script
 ## avoids the problem by ensuring that these conflicting certs are
 ## never added to the same cert database (see comment marked XXXX).
   echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
-  cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
+  cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@example.net,eve@example.org,beve@example.com"
 
   #echo "************* Copying CA files to ${SERVERDIR}"
   #cp ${CADIR}/*.db .
   #hw_acc
 
   #########################################################################
   #
   #cd ${CERTDIR}
   #CU_ACTION="Creating ${CERTNAME}'s Server Cert"
-  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
+  #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
   #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
   #	-d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
 
   #CU_ACTION="Export Dave's Cert"
   #cd ${DAVEDIR}
   #certu -L -n "Dave" -r -d ${P_R_DAVE} -o Dave.cert
 
   ################# Importing Certificates for S/MIME tests ###############
@@ -970,17 +970,17 @@ cert_extended_ssl()
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
 
   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   cp ${CERTDIR}/req ${SERVER_CADIR}
   certu -C -c "chain-2-serverCA" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u (ext)"
@@ -990,17 +990,17 @@ cert_extended_ssl()
   CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
   certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
 
 #
 #     Repeat the above for DSA certs
 #
       CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA-dsa" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1012,17 +1012,17 @@ cert_extended_ssl()
       certu -A -n "clientCA-dsa" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${CLIENT_CADIR}/clientCA-dsa.ca.cert" 2>&1
 #
 #     done with DSA certs
 #
 #     Repeat again for mixed DSA certs
 #
       CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA" -m 202 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1035,17 +1035,17 @@ cert_extended_ssl()
 #	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
 #	  2>&1
 
 #
 #     Repeat the above for EC certs
 #
       EC_CURVE="secp256r1"
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA-ec" -m 200 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1058,17 +1058,17 @@ cert_extended_ssl()
           -i "${CLIENT_CADIR}/clientCA-ec.ca.cert" 2>&1
 #
 #     done with EC certs
 #
 #     Repeat again for mixed EC certs
 #
       EC_CURVE="secp256r1"
       CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
       cp ${CERTDIR}/req ${SERVER_CADIR}
       certu -C -c "chain-2-serverCA" -m 201 -v 60 -d "${P_SERVER_CADIR}" \
           -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1119,17 +1119,17 @@ cert_extended_ssl()
 
   CU_ACTION="Initializing ${CERTNAME}'s Cert DB (ext.)"
   certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
   modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
 
   CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
       -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
   cp ${CERTDIR}/req ${CLIENT_CADIR}
   certu -C -c "chain-2-clientCA" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1139,17 +1139,17 @@ cert_extended_ssl()
   CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
   certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
 
 #
 #     Repeat the above for DSA certs
 #
       CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s DSA Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA-dsa" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-dsa.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1162,17 +1162,17 @@ cert_extended_ssl()
 	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
 #
 # done with DSA certs
 #
 #
 #     Repeat the above for mixed DSA certs
 #
       CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed DSA Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA" -m 302 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-dsamixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1186,17 +1186,17 @@ cert_extended_ssl()
 #
 # done with mixed DSA certs
 #
 
 #
 #     Repeat the above for EC certs
 #
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s EC Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA-ec" -m 300 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1209,17 +1209,17 @@ cert_extended_ssl()
 	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
 #
 # done with EC certs
 #
 #
 #     Repeat the above for mixed EC certs
 #
       CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
-      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+      CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
       CU_ACTION="Sign ${CERTNAME}'s mixed EC Request (ext)"
       cp ${CERTDIR}/req ${CLIENT_CADIR}
       certu -C -c "chain-2-clientCA" -m 301 -v 60 -d "${P_CLIENT_CADIR}" \
           -i req -o "${CERTNAME}-ecmixed.cert" -f "${R_PWFILE}" 2>&1
 
@@ -1382,17 +1382,17 @@ MODSCRIPT
   certu -W -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -@ "${R_FIPSBADPWFILE}" 2>&1
   CU_ACTION="Attempt to generate a key with exponent of 3 (too small)"
   certu -G -k rsa -g 2048 -y 3 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
   CU_ACTION="Attempt to generate a key with exponent of 17 (too small)"
   certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" 
   RETEXPECTED=0
 
   CU_ACTION="Generate Certificate for ${CERTNAME}"
-  CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
   certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
   if [ "$RET" -eq 0 ]; then
     cert_log "SUCCESS: FIPS passed"
   fi
 
 }
 
 ########################## cert_rsa_exponent #################################
@@ -1434,17 +1434,17 @@ cert_eccurves()
     CERTSERIAL=2000
 
     for CURVE in ${CURVE_LIST}
     do
 	CERTFAILED=0
 	CERTNAME="Curve-${CURVE}"
 	CERTSERIAL=`expr $CERTSERIAL + 1 `
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
-	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 		-z "${R_NOISE_FILE}" -o req  2>&1
 	
 	if [ $RET -eq 0 ] ; then
 	  CU_ACTION="Sign ${CERTNAME}'s EC Request"
 	  certu -C -c "TestCA-ec" -m "$CERTSERIAL" -v 60 -d "${P_R_CADIR}" \
 		-i req -o "${CERTNAME}-ec.cert" -f "${R_PWFILE}" "$1" 2>&1
 	fi
@@ -1459,17 +1459,17 @@ cert_eccurves()
 
 ########################### cert_extensions_test #############################
 # local shell function to test cert extensions generation
 ##############################################################################
 cert_extensions_test()
 {
     COUNT=`expr ${COUNT} + 1`
     CERTNAME=TestExt${COUNT}
-    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 
     echo
     echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
         -t "u,u,u" -o ${CERT_EXTENSIONS_DIR}/tempcert -s "${CU_SUBJECT}" -x -f ${R_PWFILE} \
         -z "${R_NOISE_FILE}" -${OPT} \< ${TARG_FILE}
     echo "certutil options:"
     cat ${TARG_FILE}
     ${BINDIR}/certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
@@ -2021,17 +2021,17 @@ cert_test_password()
   cert_CA ${DBPASSDIR} PasswordCA -x "CTu,CTu,CTu" ${D_DBPASS} "1"
 
   # now change the password
   CU_ACTION="Changing password on ${CERTNAME}'s Cert DB"
   certu -W -d "${PROFILEDIR}" -f "${R_PWFILE}" -@ "${R_FIPSPWFILE}" 2>&1
 
   # finally make sure we can use the old key with the new password
   CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
-  CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=${CERTNAME}, E=password@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
   if [ "$RET" -eq 0 ]; then
     cert_log "SUCCESS: PASSWORD passed"
   fi
   CU_ACTION="Verify Certificate for ${CERTNAME} with new password"
   certu -V -n PasswordCert -u S -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
 }
 
@@ -2050,27 +2050,27 @@ cert_test_password()
 cert_test_distrust()
 {
   echo "$SCRIPTNAME: Creating Distrusted Certificate"
   cert_create_cert ${DISTRUSTDIR} "Distrusted" 2000 ${D_DISTRUST}
   CU_ACTION="Mark CERT as unstrusted"
   certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
   echo "$SCRIPTNAME: Creating Distrusted Intermediate"
   CERTNAME="DistrustedCA"
-  ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
   CU_ACTION="Import Distrusted Intermediate"
   certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${R_CADIR}/DistrustedCA.ca.cert" 2>&1
 
   # now create the last leaf signed by our distrusted CA
   # since it's not signed by TestCA it requires more steps.
   CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
   CERTNAME="LeafChainedToDistrustedCA"
-  CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   cp ${CERTDIR}/req ${CADIR}
   certu -C -c "DistrustedCA" -m 100 -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u"
@@ -2200,17 +2200,17 @@ cert_test_rsapss()
   CERTSERIAL=200
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss1"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2231,17 +2231,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
   CERTNAME="TestUser-rsa-pss2"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2262,17 +2262,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS
   CERTNAME="TestUser-rsa-pss3"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2293,17 +2293,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss4"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2324,17 +2324,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss5"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2355,17 +2355,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (implicit, without --pss-sign)
   CERTNAME="TestUser-rsa-pss6"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   # Sign without --pss-sign nor -Z option
   certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2387,34 +2387,34 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (with conflicting hash algorithm)
   CERTNAME="TestUser-rsa-pss7"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   RETEXPECTED=255
   certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   RETEXPECTED=0
 
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (with compatible hash algorithm)
   CERTNAME="TestUser-rsa-pss8"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2435,17 +2435,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
   CERTNAME="TestUser-rsa-pss9"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -2466,17 +2466,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
   CERTNAME="TestUser-rsa-pss10"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   # Sign without --pss-sign nor -Z option
   certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2498,17 +2498,17 @@ EOF
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
   CERTNAME="TestUser-rsa-pss11"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   RETEXPECTED=255
   certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   RETEXPECTED=0
 }
@@ -2566,17 +2566,17 @@ cert_test_rsapss_policy()
   CERTSERIAL=`expr $CERTSERIAL + 1`
 
   CERTNAME="TestUser-rsa-pss-policy"
 
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
   CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
 
   CU_ACTION="Sign ${CERTNAME}'s Request"
   certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
 
   CU_ACTION="Import $CERTNAME's Cert"
   certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
--- a/security/nss/tests/common/certsetup.sh
+++ b/security/nss/tests/common/certsetup.sh
@@ -42,16 +42,17 @@ make_cert() {
     p521) type_args=(-q secp521r1);type=ec ;;
     rsa_ca) type_args=(-g 1024);trust='CT,CT,CT';type=rsa ;;
     rsa_chain) type_args=(-g 1024);sign=(-c rsa_ca);type=rsa;;
     rsapss_ca) type_args=(-g 1024 --pss);trust='CT,CT,CT';type=rsa ;;
     rsapss_chain) type_args=(-g 1024);sign=(-c rsa_pss_ca);type=rsa;;
     rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;;
     ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;;
   esac
+  msg="create certificate: $@"
   shift 2
   counter=$(($counter + 1))
   certscript $@ | ${BINDIR}/certutil -S \
-    -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+    -z "$R_NOISE_FILE" -d "$PROFILEDIR" \
     -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
     -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
-  html_msg $? 0 "create certificate: $@"
+  html_msg $? 0 "$msg"
 }
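Review bot: The new `msg="create certificate: $@"` assigns `$@` to a scalar, which only works because the shell joins the arguments implicitly; `msg="create certificate: $*"` states the intent. In the same pipeline the commit quotes `$R_NOISE_FILE` and `$PROFILEDIR` but leaves `certscript $@`, `${BINDIR}/certutil` and `-n $name` unquoted, so a path or nickname containing whitespace would still be split. Writing `certscript "$@" | "${BINDIR}/certutil" -S \` and `-n "$name"` would make the quoting consistent. make_cert begins before this hunk, so how `name`, `trust` and `sighash` are initialised is not visible here.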
--- a/security/nss/tests/crmf/crmf.sh
+++ b/security/nss/tests/crmf/crmf.sh
@@ -53,22 +53,22 @@ crmf_init()
 
 ############################## crmf_main ##############################
 # local shell function to test basic CRMF request and CMMF responses
 # from 1 --> 2"
 ########################################################################
 crmf_main()
 {
   echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------"
-  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode"
-  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode
+  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode"
+  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode
   html_msg $? 0 "CRMF test" "."
 
-  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf"
-  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf 
+  echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf"
+  ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf 
   html_msg $? 0 "CMMF test" "."
 
 # Add tests for key recovery and challange as crmftest's capabilities increase
 
 }
   
 ############################## crmf_cleanup ###########################
 # local shell function to finish this script (no exit since it might be
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -18,76 +18,82 @@
 ########################################################################
 
 ############################## gtest_init ##############################
 # local shell function to initialize this script
 ########################################################################
 gtest_init()
 {
   cd "$(dirname "$1")"
+  pwd
   SOURCE_DIR="$PWD"/../..
   if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
       cd ../common
       . ./init.sh
   fi
 
   SCRIPTNAME=gtests.sh
+  . "${QADIR}"/common/certsetup.sh
 
   if [ -z "${CLEANUP}" ] ; then   # if nobody else is responsible for
     CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
   fi
 
+  mkdir -p "${GTESTDIR}"
+  cd "${GTESTDIR}"
 }
 
 ########################## gtest_start #############################
 # Local function to actually start the test
 ####################################################################
 gtest_start()
 {
   echo "gtests: ${GTESTS}"
   for i in ${GTESTS}; do
     if [ ! -f "${BINDIR}/$i" ]; then
       html_unknown "Skipping $i (not built)"
       continue
     fi
-    GTESTDIR="${HOSTDIR}/$i"
+    DIR="${GTESTDIR}/$i"
     html_head "$i"
-    if [ ! -d "$GTESTDIR" ]; then
-      mkdir -p "$GTESTDIR"
-      echo "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1
-      "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1
+    if [ ! -d "$DIR" ]; then
+      mkdir -p "$DIR"
+      echo "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1
+      "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1
+
+      PROFILEDIR="$DIR" make_cert dummy p256 sign
     fi
-    cd "$GTESTDIR"
-    GTESTREPORT="$GTESTDIR/report.xml"
-    PARSED_REPORT="$GTESTDIR/report.parsed"
+    pushd "$DIR"
+    GTESTREPORT="$DIR/report.xml"
+    PARSED_REPORT="$DIR/report.parsed"
     echo "executing $i"
     "${BINDIR}/$i" "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
-                 -d "$GTESTDIR" -w --gtest_output=xml:"${GTESTREPORT}" \
-                                   --gtest_filter="${GTESTFILTER:-*}"
+                 -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
+                              --gtest_filter="${GTESTFILTER:-*}"
     html_msg $? 0 "$i run successfully"
     echo "test output dir: ${GTESTREPORT}"
     echo "executing sed to parse the xml report"
     sed -f "${COMMON}/parsegtestreport.sed" "$GTESTREPORT" > "$PARSED_REPORT"
     echo "processing the parsed report"
     cat "$PARSED_REPORT" | while read result name; do
       if [ "$result" = "notrun" ]; then
         echo "$name" SKIPPED
       elif [ "$result" = "run" ]; then
         html_passed_ignore_core "$name"
       else
         html_failed_ignore_core "$name"
       fi
     done
+    popd
   done
 }
 
 gtest_cleanup()
 {
   html "</TABLE><BR>"
-  cd "${QADIR}"
-  . common/cleanup.sh
+  . "${QADIR}"/common/cleanup.sh
 }
 
 ################## main #################################################
 GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
 gtest_init "$0"
 gtest_start
 gtest_cleanup
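Review bot: `GTESTDIR` is no longer assigned in this file, and nothing in the hunk checks it before `mkdir -p "${GTESTDIR}"`, `cd "${GTESTDIR}"` and `DIR="${GTESTDIR}/$i"` use it. It is presumably set by common/init.sh, but if it were ever empty the per-test NSS databases and the dummy certificate would be created under `/$i`; a guard such as `: "${GTESTDIR:?GTESTDIR is not set}"` before the `mkdir -p` in gtest_init would stop the run early instead. The `pushd "$DIR"` in gtest_start is also unchecked and prints the directory stack into the test log; `pushd "$DIR" >/dev/null || { html_failed_ignore_core "$i (cannot enter $DIR)"; continue; }` would keep the binary from running in the wrong directory. The bare `pwd` added to gtest_init looks like leftover debugging output and could be dropped or given a label.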
--- a/security/nss/tests/iopr/cert_iopr.sh
+++ b/security/nss/tests/iopr/cert_iopr.sh
@@ -247,17 +247,17 @@ download_install_certs() {
             fi
             
             #=======================================================
             # Creating server cert
             #
             CERTNAME=$HOSTADDR
             
             CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
-            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
+            CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \
                         L=Mountain View, ST=California, C=US"
             certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
                 -o $sslServerDir/req 2>&1
             tmpFiles="$tmpFiles $sslServerDir/req"
 
             # NOTE:
             # For possible time synchronization problems (bug 444308) we generate
             # certificates valid also some time in past (-w -1)
--- a/security/nss/tests/iopr/server_scr/cert_gen.sh
+++ b/security/nss/tests/iopr/server_scr/cert_gen.sh
@@ -111,17 +111,17 @@ createSignedCert() {
     certName=$3
     certSN=$4
     certSubj=$5
     keyType=$6
     extList=$7
 
     echo Creating cert $certName-$keyType with SN=$certSN
 
-    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     repAndExec \
         certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
                   -k $keyType -o $dir/req  2>&1
     [ "$RET" -ne 0 ] && return $RET
 
     signCert $dir $dir $certName-$keyType $certSN $dir/req "" $extList
     ret=$?
     [ "$ret" -ne 0 ] && return $ret
@@ -262,17 +262,17 @@ generateAndExportOCSPCerts() {
 
 generateAndExportCACert() {
     dir=$1
     certDirL=$2
     caName=$3
 
     certName=TestCA
     [ "$caName" ] && certName=$caName
-    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
     repAndExec \
         certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
         -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
 5
 6
 9
 n
 y
index 929b793d39d6cfab9f32a288cb31e798fa0428d2..627aead0e2cf314720058b69ac54d411c8d6a25a
GIT binary patch
literal 628
zc$_n6Vk$6bV!XM4nTe5!iILHOmyJ`a&7<u*FC!y2D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4Cab81910w?yLrYU5Q{yNJej@`jWC1$4qj5g6
z{~1{sm>YW;3>rI`8XFnb9=O}Z*gM^4wcf{nS`G*5c?1G^qgSc5%u3I0I`(Ii|LpE>
z=cc`zeS)>bqboUm&D9Q>-lGNc=CViK_{W;RFfd{hkJGKfL+$QdXT5%#Jd$teX*?<7
z;r;D}yrJBUXBJlBW)>4|+Kk`y>TeNC+udP%bMA^z#lEm5H-b_Rhg5xDdY_4zk%4is
zfq@>->zoN~9*k{2oERBdSeTg@*bR7qo{<%1VKrc8Wc+Wy4dU^Gq!`)IB9s~E6E=BM
z#hN>!;UeDq-?#fNIM%RR*LSajQch_@2zzQywU5J6{YCeFb-w<!FRDhkc!_FtT#Z8b
zw)AC7j~-%h?_V{&VzNbLhUxox|4;i$3rhDdo89yKXFW%ucg-`M>X&C7=k;W)OqrQw
g)_hZJ`|s&b?|prmIrByL-UThb?T)t7PyfjV01tG^i2wiq
index ed71727fa26eea01b41a688ac474f5f9ffafe14e..0ce25bb5de5d6328fb25485aa3606fde95b4f31b
GIT binary patch
literal 617
zc$_n6VoEh=Vm!BinTe5!iP6Y_myJ`a&7<u*FC!y2D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4Cab81917iadLrYU5Q{yNJej@`jO9Ml=fI(vy
zl^vpLpbYmZC!?4c$SI-4sYRv+4yhH1xdl0?ddc~@FngGVxey8r8s{Si6C*1Fb7L=q
zL1QOVV<W>_o>Qzk9W|Gd>cva%$Y0pNuA6@Uq;koue;<~IeYy6?P{lm^N=bEIp^Zu3
z)FTd0xaSFrOgQ-b#`C8Nk(1s%)wfwR`K?$K<KCB3_DmJGXZo<%`^T4McPy9#X2)0D
zu~GWop0Q>vkJ3vmx1~E)y?V^SGxxx||E*Q2hnl`i?JZ-Ta;uk#nUR4JEf$%9?y6|m
zlEIV~KC8K4^5dJwytg<$eE->9Kf(Os+LRKpYdSYrB40;T>4yIOy0MX^)uxy|I_}TM
z`4cws`{!8top8Q(beXHmgy>j<ExV*Uc6!g>p=fh#vDlNWXG@Mx-PmzJgZDhgXJ=(c
hfioZ08gd#%FWmBQcE;Dz)-9{oKHl|W?MaiH)c}RT)7k(4
index 1b45db286f34cb0ebf0bb2572ec3251af4721dbe..12c74e9f9792cd25a77e9c0fa8f630dfc9f027a9
GIT binary patch
literal 617
zc$_n6VoEh=Vm!BinTe5!iP6}AmyJ`a&7<u*FC!y2D}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4Cab81917iadLrYU5Q<EqOej@`jO9Ml=fI(vy
zl^vpLpbYmZC!?4c$SI-4sYRxS4yhH1xdl0?ddc~@FngGVxey8r8s{Si6C*1Fb7L=q
zL1QOVV<W@ylP?6e8LzMW`h92Io{Lu;ZFcJSdT&m6Wf(h!Ba3gn-_L~ssVd2GwG$5(
zP5Dw1KTG)jsZ$THWf>Lc_ul?ic6Gyh^~9{-{9Skc)OTt*>r{N3z`I26N^DHT@AAsk
z{eGuUmfP1@FG<#O@>VaM*s{cVuCt*iV_T{8v1ju6XZ6f(CNnWJGBBdWA~Vok^8;UY
zH8?FU)o+ksV-7T8dMs2fy6Wte6$$KV!QO3qdjEg>DcAkOJf*j9Z|^O?jwbg#8y0yx
zc<=tD8NqJs{XA{kf$a<bU)!~lw=I~*rO21_{i5Ww(`~Oxk8ZhW{^z#EOinT0{raLG
fM2{XnpmpLoPv-C2Iwo<ElPvb9+|j-3e1;nUn6l3o
--- a/security/nss/tests/libpkix/certs/make-ca-u50-u51
+++ b/security/nss/tests/libpkix/certs/make-ca-u50-u51
@@ -21,17 +21,17 @@ y
 n
 5
 6
 7
 9
 n
 CERTSCRIPT
 
-certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
+certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@example.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
 
-certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
+certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@example.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
 
 certutil -d . -L -n ca -r > TestCA.ca.cert
 certutil -d . -L -n u50 -r > TestUser50.cert
 certutil -d . -L -n u51 -r > TestUser51.cert
 
 echo "Created multiple files in subdirectory tmp: TestCA.ca.cert TestUser50.cert TestUser51.cert"
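Review bot: Both rewritten `certutil -S` lines still create 1024-bit keys (`-g 1024`), a size that stricter minimum-key-size policies reject, so these fixtures may stop validating for reasons unrelated to what the libpkix tests check. If the small size is deliberate, a comment above the two commands should say so, e.g. `# 1024-bit keys are intentional for these fixtures; not a recommendation`. Otherwise `-g 2048` is a one-token change on each line, best made while the certificates are being regenerated anyway. The heredoc that feeds the earlier command starts outside the hunk, so the CA's own key parameters are not visible here.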
old mode 100755
new mode 100644
index 48172a5ed51a3e364dc18ab8a8f02a8f980df5e0..07ebff7ab2be829ef9b4ba8174a49176f7911658
GIT binary patch
literal 605
zc$_n6Vv00qVm!2fnTe5!iILfWmyJ`a&7<u*FC!xhD}zCbA-4f18*?ZNn=n&ou%WPl
zAc(^u%;lVzlbM!Zl$V)kC}to65@Z+V_02EMD@n}EQwYmUEjJW05CDmD33EF6yN3oV
z_yq?WiWmri#F&M-fjotf)Z!8aXGa4$ab5#sLqkJjLo*XI1LG(l*V4cU&NXOkpt3U*
z4CLVc<YW{Rbj-<2PIXAFNX#wBN!3fv&o$&T;DI=l6)b1aI3GD^7+D#Z8+#cH8atU9
z8yP;$N%DCV{XgfrZsn0!r{dB^o5q)`vm8VdTce+y<URUx!~cKJ=RHb@5V{l-(LcRd
zXj{7+Gh4*;wACy**Y5P$zrL87&#V>q+T}|B^mV+Ut1jn1pKiHi&57Kfdv2JgZ5I3c
zq%7a`_P=wbEBr#*9)H>T^xE|stNZRRx%PhJD*-=^Xk8{|Mg~T-m}3UItGDCnQ4P<z
zvzE<FGG;!%r25Il{V#89Y<>67{;$eSuPs|XEw&0+8o;qCJZ%BThD#z5J1kZ#%u+sY
zRDF8q3dMTcgICq>#Pj^Km@Fh#_cPLdPRqm6W(F;fbNl`ToiJU$p_h5lzIE&h^HTQD
d-uiQcnO)|L)ptWo+~@O(bGe(PE5BUw9RLs+(%b+5
--- a/security/nss/tests/smime/bob.txt
+++ b/security/nss/tests/smime/bob.txt
@@ -1,6 +1,6 @@
 Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
-From: bob@bogus.com
+From: bob@example.com
 Subject: message Bob --> Alice
-To: alice@bogus.com
+To: alice@example.com
 
 This is a test message from Bob to Alice.
--- a/security/nss/tests/smime/smime.sh
+++ b/security/nss/tests/smime/smime.sh
@@ -102,18 +102,18 @@ cms_sign()
   html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
 
   echo "diff alice.txt alice-ec.data.${HASH}"
   diff alice.txt alice-ec.data.${HASH}
   html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
 }
 
 header_mime_from_to_subject="MIME-Version: 1.0
-From: Alice@bogus.com
-To: Bob@bogus.com
+From: Alice@example.com
+To: Bob@example.com
 Subject: "
 
 header_opaque_signed="Content-Type: application/pkcs7-mime; name=smime.p7m;
     smime-type=signed-data
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename=smime.p7m
 Content-Description: S/MIME Cryptographic Signature
 "
@@ -162,17 +162,17 @@ mime_init()
   OUT="tb/alice.textplain"
   echo "${header_plaintext}" >>${OUT}
   cat alice.txt >>${OUT}
   sed -i"" "s/\$/${CR}/" ${OUT}
 }
 
 smime_enveloped()
 {
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env
 
   OUT="tb/alice.env.eml"
   echo -n "${header_mime_from_to_subject}" >>${OUT}
   echo "enveloped ${SIG}" >>${OUT}
   echo "${header_enveloped}" >>${OUT}
   cat "tb/alice.mime.env" | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
   echo >>${OUT}
   sed -i"" "s/\$/${CR}/" ${OUT}
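Review bot: The message built in `smime_enveloped` is encrypted for `bob@example.com`, but the header it takes from `${header_mime_from_to_subject}` (changed in the previous hunk) still reads `From: Alice@example.com` and `To: Bob@example.com`, so the capitalised local parts survive the rename. Whether the consumers of the generated .eml files compare addresses case-insensitively cannot be seen from here. If any of them matches the header exactly against the certificate's email, the fixture fails for a reason unrelated to S/MIME. Lower-casing the two header lines to `From: alice@example.com` and `To: bob@example.com` would agree with bob.txt and the `-r` arguments, or a comment on the variable could state that the mixed case is intended. The function body continues past the end of the hunk.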
@@ -186,17 +186,17 @@ smime_signed_enveloped()
 
   OUT="tb/alice.d${SIG}.multipart"
   echo "${multipart_start}" | sed "s/HASHHASH/${HASH}/" >>${OUT}
   cat tb/alice.mime | sed 's/\r$//' >>${OUT}
   echo "${multipart_middle}" >>${OUT}
   cat tb/alice.mime.d${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
   echo "${multipart_end}" >>${OUT}
 
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
 
   OUT="tb/alice.d${SIG}.multipart.eml"
   echo -n "${header_mime_from_to_subject}" >>${OUT}
   echo "clear-signed ${SIG}" >>${OUT}
   cat "tb/alice.d${SIG}.multipart" >>${OUT}
   sed -i"" "s/\$/$CR/" ${OUT}
 
   OUT="tb/alice.d${SIG}.multipart.env.eml"
@@ -208,17 +208,17 @@ smime_signed_enveloped()
   sed -i"" "s/\$/$CR/" ${OUT}
 
   ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.textplain.${SIG}
 
   OUT="tb/alice.${SIG}.opaque"
   echo "$header_opaque_signed" >>${OUT}
   cat tb/alice.textplain.${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
 
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
 
   OUT="tb/alice.${SIG}.opaque.eml"
   echo -n "${header_mime_from_to_subject}" >>${OUT}
   echo "opaque-signed $SIG" >>${OUT}
   cat "tb/alice.${SIG}.opaque" >>${OUT}
   echo >>${OUT}
   sed -i"" "s/\$/$CR/" ${OUT}
 
@@ -296,49 +296,49 @@ smime_main()
   HASH="384"
   cms_sign
   smime_signed_enveloped
   HASH="512"
   cms_sign
   smime_signed_enveloped
 
   echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
-  echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
+  echo "cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
   echo "        -o alice.env"
-  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
+  ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
   html_msg $? 0 "Create Enveloped Data Alice" "."
 
   echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1
   html_msg $? 0 "Decode Enveloped Data Alice" "."
 
   echo "diff alice.txt alice.data1"
   diff alice.txt alice.data1
   html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
 
   # multiple recip
   echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
   echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
-  echo "        -r bob@bogus.com,dave@bogus.com"
+  echo "        -r bob@example.com,dave@example.com"
   ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
-          -r bob@bogus.com,dave@bogus.com
+          -r bob@example.com,dave@example.com
   ret=$?
   html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
   if [ $ret != 0 ] ; then
 	echo "certutil -L -d ${P_R_ALICEDIR}"
 	${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
-	echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
-	${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
+	echo "certutil -L -d ${P_R_ALICEDIR} -n dave@example.com"
+	${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@example.com
   fi
 
   echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
   echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
-  echo "        -r eve@bogus.net"
+  echo "        -r eve@example.net"
   ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
-          -r eve@bogus.net
+          -r eve@example.net
   ret=$?
   html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
 
   echo "cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alicecc.env -d ${P_R_BOBDIR} -p nss -o alice.data2
   html_msg $? 0 "Decode Multiple Recipients Enveloped Data Alice by Bob" "."
 
   echo "cmsutil -D -i alicecc.env -d ${P_R_DAVEDIR} -p nss -o alice.data3"
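Review bot: Each step in this part of `smime_main` spells the recipient address twice, once in the `echo` that logs the command and once in the command that runs, so the log can drift from what was actually executed and every rename has to touch both copies. Setting the addresses once near the top of the script, e.g. `BOB_EMAIL=bob@example.com`, and using `-r ${BOB_EMAIL}` in both the echo and the call would make the next change a one-line edit. The same applies to the `-r bob@example.com` calls in `smime_enveloped` and `smime_signed_enveloped` and to the hunk at -354. The addresses presumably have to match the ones in the test certificates, which are created outside this file, so a comment at the definition should point there. `smime_main` starts and ends outside the hunk.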
@@ -354,30 +354,30 @@ smime_main()
 
   diff alice.txt alice.data3
   html_msg $? 0 "Compare Decoded Mult. Recipients Enveloped Data Alice/Dave" "."
 
   diff alice.txt alice.data4
   html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
   
   echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
-  echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
+  echo "cmsutil -O -r \"Alice,bob@example.com,dave@example.com\" \\"
   echo "        -d ${P_R_ALICEDIR} > co.der"
-  ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
+  ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@example.com,dave@example.com" -d ${P_R_ALICEDIR} > co.der
   html_msg $? 0 "Create Certs-Only Alice" "."
 
   echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i co.der -d ${P_R_BOBDIR}
   html_msg $? 0 "Verify Certs-Only by CA" "."
 
   echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
   echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
-  echo "        -r \"bob@bogus.com\" > alice.enc"
+  echo "        -r \"bob@example.com\" > alice.enc"
   ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
-          -r "bob@bogus.com" > alice.enc
+          -r "bob@example.com" > alice.enc
   html_msg $? 0 "Create Encrypted-Data" "."
 
   echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
   echo "        -o alice.data2"
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss -o alice.data2
   html_msg $? 0 "Decode Encrypted-Data" "."
 
   diff alice.txt alice.data2
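Review bot: The Encrypted-Data check decodes into `alice.data2`, the same file the multiple-recipients test already wrote (`cmsutil -D -i alicecc.env ... -o alice.data2` in the previous hunk), so the closing `diff alice.txt alice.data2` may compare against the stale copy and pass if this decode fails without replacing the file. Whether cmsutil truncates its output file on failure cannot be told from here, and the decode's own exit status is still reported by the preceding `html_msg`. Adding `rm -f alice.data2` before the decode, or writing to a name no other step uses, makes the comparison depend only on this step. `smime_main` continues past the end of the hunk, so the `html_msg` for this diff is not visible.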