Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall, a=lsblakk
authorKai Engert <kaie@kuix.de>
Wed, 11 Mar 2015 20:13:42 +0100
changeset 257596 758a094c8b7e66c67cd2998b30d0f2d89c4d74e4
parent 257595 bb6535c6211b51f9d10628f092e9d44354b493a4
child 257597 1adf44fcb513fd289f513df089ee72c86f498c8b
push id4610
push userjlund@mozilla.com
push dateMon, 30 Mar 2015 18:32:55 +0000
treeherdermozilla-beta@4df54044d9ef [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnss-confcall, lsblakk
bugs1137470, 1132496
milestone38.0a2
Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall, a=lsblakk
CLOBBER
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/external_tests/ssl_gtest/databuffer.h
security/nss/external_tests/ssl_gtest/manifest.mn
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/external_tests/ssl_gtest/test_io.cc
security/nss/external_tests/ssl_gtest/test_io.h
security/nss/external_tests/ssl_gtest/tls_agent.cc
security/nss/external_tests/ssl_gtest/tls_agent.h
security/nss/external_tests/ssl_gtest/tls_connect.cc
security/nss/external_tests/ssl_gtest/tls_connect.h
security/nss/external_tests/ssl_gtest/tls_filter.cc
security/nss/external_tests/ssl_gtest/tls_filter.h
security/nss/external_tests/ssl_gtest/tls_parser.cc
security/nss/external_tests/ssl_gtest/tls_parser.h
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pkcs12/p12local.c
security/nss/lib/pki/tdcache.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/nssutil.h
security/patches/reverted-bug-1132496.patch
--- a/CLOBBER
+++ b/CLOBBER
@@ -17,9 +17,9 @@
 #
 # Modifying this file will now automatically clobber the buildbot machines \o/
 #
 
 # Are you updating CLOBBER because you think it's needed for your WebIDL
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Merge day clobber
\ No newline at end of file
+Bug 1137470 NSS update required a clobber to fully rebuild
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_18_BETA7
+NSS_3_18_RC0
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/external_tests/ssl_gtest/databuffer.h
+++ b/security/nss/external_tests/ssl_gtest/databuffer.h
@@ -2,38 +2,147 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef databuffer_h__
 #define databuffer_h__
 
+#include <algorithm>
+#include <cassert>
+#include <cstring>
+#include <iomanip>
+#include <iostream>
+
+namespace nss_test {
+
 class DataBuffer {
  public:
   DataBuffer() : data_(nullptr), len_(0) {}
   DataBuffer(const uint8_t *data, size_t len) : data_(nullptr), len_(0) {
     Assign(data, len);
   }
+  explicit DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
+    Assign(other.data(), other.len());
+  }
   ~DataBuffer() { delete[] data_; }
 
-  void Assign(const uint8_t *data, size_t len) {
-    Allocate(len);
-    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+  DataBuffer& operator=(const DataBuffer& other) {
+    if (&other != this) {
+      Assign(other.data(), other.len());
+    }
+    return *this;
   }
 
   void Allocate(size_t len) {
     delete[] data_;
-    data_ = new unsigned char[len ? len : 1];  // Don't depend on new [0].
+    data_ = new uint8_t[len ? len : 1];  // Don't depend on new [0].
     len_ = len;
   }
 
+  void Truncate(size_t len) {
+    len_ = std::min(len_, len);
+  }
+
+  void Assign(const uint8_t* data, size_t len) {
+    Allocate(len);
+    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+  }
+
+  // Write will do a new allocation and expand the size of the buffer if needed.
+  void Write(size_t index, const uint8_t* val, size_t count) {
+    if (index + count > len_) {
+      size_t newlen = index + count;
+      uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
+      memcpy(static_cast<void*>(tmp),
+             static_cast<const void*>(data_), len_);
+      if (index > len_) {
+        memset(static_cast<void*>(tmp + len_), 0, index - len_);
+      }
+      delete[] data_;
+      data_ = tmp;
+      len_ = newlen;
+    }
+    memcpy(static_cast<void*>(data_ + index),
+           static_cast<const void*>(val), count);
+  }
+
+  void Write(size_t index, const DataBuffer& buf) {
+    Write(index, buf.data(), buf.len());
+  }
+
+  // Write an integer, also performing host-to-network order conversion.
+  void Write(size_t index, uint32_t val, size_t count) {
+    assert(count <= sizeof(uint32_t));
+    uint32_t nvalue = htonl(val);
+    auto* addr = reinterpret_cast<const uint8_t*>(&nvalue);
+    Write(index, addr + sizeof(uint32_t) - count, count);
+  }
+
+  // Starting at |index|, remove |remove| bytes and replace them with the
+  // contents of |buf|.
+  void Splice(const DataBuffer& buf, size_t index, size_t remove = 0) {
+    Splice(buf.data(), buf.len(), index, remove);
+  }
+
+  void Splice(const uint8_t* ins, size_t ins_len, size_t index, size_t remove = 0) {
+    uint8_t* old_value = data_;
+    size_t old_len = len_;
+
+    // The amount of stuff remaining from the tail of the old.
+    size_t tail_len = old_len - std::min(old_len, index + remove);
+    // The new length: the head of the old, the new, and the tail of the old.
+    len_ = index + ins_len + tail_len;
+    data_ = new uint8_t[len_ ? len_ : 1];
+
+    // The head of the old.
+    Write(0, old_value, std::min(old_len, index));
+    // Maybe a gap.
+    if (index > old_len) {
+      memset(old_value + index, 0, index - old_len);
+    }
+    // The new.
+    Write(index, ins, ins_len);
+    // The tail of the old.
+    if (tail_len > 0) {
+      Write(index + ins_len,
+            old_value + index + remove, tail_len);
+    }
+
+    delete[] old_value;
+  }
+
+  void Append(const DataBuffer& buf) { Splice(buf, len_); }
+
   const uint8_t *data() const { return data_; }
-  uint8_t *data() { return data_; }
+  uint8_t* data() { return data_; }
   size_t len() const { return len_; }
-  const bool empty() const { return len_ != 0; }
+  bool empty() const { return len_ == 0; }
 
  private:
-  uint8_t *data_;
+  uint8_t* data_;
   size_t len_;
 };
 
+#ifdef DEBUG
+static const size_t kMaxBufferPrint = 10000;
+#else
+static const size_t kMaxBufferPrint = 32;
 #endif
+
+inline std::ostream& operator<<(std::ostream& stream, const DataBuffer& buf) {
+  stream << "[" << buf.len() << "] ";
+  for (size_t i = 0; i < buf.len(); ++i) {
+    if (i >= kMaxBufferPrint) {
+      stream << "...";
+      break;
+    }
+    stream << std::hex << std::setfill('0') << std::setw(2)
+           << static_cast<unsigned>(buf.data()[i]);
+  }
+  stream << std::dec;
+  return stream;
+}
+
+} // namespace nss_test
+
+#endif
--- a/security/nss/external_tests/ssl_gtest/manifest.mn
+++ b/security/nss/external_tests/ssl_gtest/manifest.mn
@@ -1,20 +1,23 @@
-# 
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       ssl_loopback_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
+      tls_agent.cc \
+      tls_connect.cc \
+      tls_filter.cc \
       tls_parser.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/external_tests/google_test/gtest/include
 
 REQUIRES = nspr nss libdbm gtest
 
 PROGRAM = ssl_gtest
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -1,604 +1,50 @@
-#include "prio.h"
-#include "prerror.h"
-#include "prlog.h"
-#include "pk11func.h"
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
 #include "ssl.h"
-#include "sslerr.h"
 #include "sslproto.h"
-#include "keyhi.h"
 
 #include <memory>
 
-#include "test_io.h"
 #include "tls_parser.h"
-
-#define GTEST_HAS_RTTI 0
-#include "gtest/gtest.h"
-#include "gtest_utils.h"
-
-extern std::string g_working_dir_path;
+#include "tls_filter.h"
+#include "tls_connect.h"
 
 namespace nss_test {
 
-enum SessionResumptionMode {
-  RESUME_NONE = 0,
-  RESUME_SESSIONID = 1,
-  RESUME_TICKET = 2,
-  RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
-};
-
-#define LOG(a) std::cerr << name_ << ": " << a << std::endl;
-
-// Inspector that parses out DTLS records and passes
-// them on.
-class TlsRecordInspector : public Inspector {
- public:
-  virtual void Inspect(DummyPrSocket* adapter, const void* data, size_t len) {
-    TlsRecordParser parser(static_cast<const unsigned char*>(data), len);
-
-    uint8_t content_type;
-    std::auto_ptr<DataBuffer> buf;
-    while (parser.NextRecord(&content_type, &buf)) {
-      OnRecord(adapter, content_type, buf->data(), buf->len());
-    }
-  }
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* record, size_t len) = 0;
-};
-
-// Inspector that injects arbitrary packets based on
-// DTLS records of various types.
-class TlsInspectorInjector : public TlsRecordInspector {
- public:
-  TlsInspectorInjector(uint8_t packet_type, uint8_t handshake_type,
-                       const unsigned char* data, size_t len)
-      : packet_type_(packet_type),
-        handshake_type_(handshake_type),
-        injected_(false),
-        data_(data, len) {}
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* data, size_t len) {
-    // Only inject once.
-    if (injected_) {
-      return;
-    }
-
-    // Check that the first byte is as requested.
-    if (content_type != packet_type_) {
-      return;
-    }
-
-    if (handshake_type_ != 0xff) {
-      // Check that the packet is plausibly long enough.
-      if (len < 1) {
-        return;
-      }
-
-      // Check that the handshake type is as requested.
-      if (data[0] != handshake_type_) {
-        return;
-      }
-    }
-
-    adapter->WriteDirect(data_.data(), data_.len());
-  }
-
- private:
-  uint8_t packet_type_;
-  uint8_t handshake_type_;
-  bool injected_;
-  DataBuffer data_;
-};
-
-// Make a copy of the first instance of a message.
-class TlsInspectorRecordHandshakeMessage : public TlsRecordInspector {
- public:
-  TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
-      : handshake_type_(handshake_type), buffer_() {}
-
-  virtual void OnRecord(DummyPrSocket* adapter, uint8_t content_type,
-                        const unsigned char* data, size_t len) {
-    // Only do this once.
-    if (buffer_.len()) {
-      return;
-    }
-
-    // Check that the first byte is as requested.
-    if (content_type != kTlsHandshakeType) {
-      return;
-    }
-
-    TlsParser parser(data, len);
-    while (parser.remaining()) {
-      unsigned char message_type;
-      // Read the content type.
-      if (!parser.Read(&message_type)) {
-        // Malformed.
-        return;
-      }
-
-      // Read the record length.
-      uint32_t length;
-      if (!parser.Read(&length, 3)) {
-        // Malformed.
-        return;
-      }
-
-      if (adapter->mode() == DGRAM) {
-        // DTLS
-        uint32_t message_seq;
-        if (!parser.Read(&message_seq, 2)) {
-          return;
-        }
-
-        uint32_t fragment_offset;
-        if (!parser.Read(&fragment_offset, 3)) {
-          return;
-        }
-
-        uint32_t fragment_length;
-        if (!parser.Read(&fragment_length, 3)) {
-          return;
-        }
-
-        if ((fragment_offset != 0) || (fragment_length != length)) {
-          // This shouldn't happen because all current tests where we
-          // are using this code don't fragment.
-          return;
-        }
-      }
-
-      unsigned char* dest = nullptr;
-
-      if (message_type == handshake_type_) {
-        buffer_.Allocate(length);
-        dest = buffer_.data();
-      }
-
-      if (!parser.Read(dest, length)) {
-        // Malformed
-        return;
-      }
-
-      if (dest) return;
-    }
-  }
-
-  const DataBuffer& buffer() { return buffer_; }
-
- private:
-  uint8_t handshake_type_;
-  DataBuffer buffer_;
-};
-
 class TlsServerKeyExchangeECDHE {
  public:
-  bool Parse(const unsigned char* data, size_t len) {
-    TlsParser parser(data, len);
+  bool Parse(const DataBuffer& buffer) {
+    TlsParser parser(buffer);
 
     uint8_t curve_type;
     if (!parser.Read(&curve_type)) {
       return false;
     }
 
     if (curve_type != 3) {  // named_curve
       return false;
     }
 
     uint32_t named_curve;
     if (!parser.Read(&named_curve, 2)) {
       return false;
     }
 
-    uint32_t point_length;
-    if (!parser.Read(&point_length, 1)) {
-      return false;
-    }
-
-    public_key_.Allocate(point_length);
-    if (!parser.Read(public_key_.data(), point_length)) {
-      return false;
-    }
-
-    return true;
+    return parser.ReadVariable(&public_key_, 1);
   }
 
   DataBuffer public_key_;
 };
 
-class TlsAgent : public PollTarget {
- public:
-  enum Role { CLIENT, SERVER };
-  enum State { INIT, CONNECTING, CONNECTED, ERROR };
-
-  TlsAgent(const std::string& name, Role role, Mode mode)
-      : name_(name),
-        mode_(mode),
-        pr_fd_(nullptr),
-        adapter_(nullptr),
-        ssl_fd_(nullptr),
-        role_(role),
-        state_(INIT) {
-      memset(&info_, 0, sizeof(info_));
-      memset(&csinfo_, 0, sizeof(csinfo_));
-  }
-
-  ~TlsAgent() {
-    if (pr_fd_) {
-      PR_Close(pr_fd_);
-    }
-
-    if (ssl_fd_) {
-      PR_Close(ssl_fd_);
-    }
-  }
-
-  bool Init() {
-    pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
-    if (!pr_fd_) return false;
-
-    adapter_ = DummyPrSocket::GetAdapter(pr_fd_);
-    if (!adapter_) return false;
-
-    return true;
-  }
-
-  void SetPeer(TlsAgent* peer) { adapter_->SetPeer(peer->adapter_); }
-
-  void SetInspector(Inspector* inspector) { adapter_->SetInspector(inspector); }
-
-  void StartConnect() {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    SECStatus rv;
-    rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
-    ASSERT_EQ(SECSuccess, rv);
-    SetState(CONNECTING);
-  }
-
-  void EnableSomeECDHECiphers() {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    const uint32_t EnabledCiphers[] = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-                                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
-
-    for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
-      SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EnabledCiphers[i], PR_TRUE);
-      ASSERT_EQ(SECSuccess, rv);
-    }
-  }
-
-  bool EnsureTlsSetup() {
-    // Don't set up twice
-    if (ssl_fd_) return true;
-
-    if (adapter_->mode() == STREAM) {
-      ssl_fd_ = SSL_ImportFD(nullptr, pr_fd_);
-    } else {
-      ssl_fd_ = DTLS_ImportFD(nullptr, pr_fd_);
-    }
-
-    EXPECT_NE(nullptr, ssl_fd_);
-    if (!ssl_fd_) return false;
-    pr_fd_ = nullptr;
-
-    if (role_ == SERVER) {
-      CERTCertificate* cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
-      EXPECT_NE(nullptr, cert);
-      if (!cert) return false;
-
-      SECKEYPrivateKey* priv = PK11_FindKeyByAnyCert(cert, nullptr);
-      EXPECT_NE(nullptr, priv);
-      if (!priv) return false;  // Leak cert.
-
-      SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
-      EXPECT_EQ(SECSuccess, rv);
-      if (rv != SECSuccess) return false;  // Leak cert and key.
-
-      SECKEY_DestroyPrivateKey(priv);
-      CERT_DestroyCertificate(cert);
-    } else {
-      SECStatus rv = SSL_SetURL(ssl_fd_, "server");
-      EXPECT_EQ(SECSuccess, rv);
-      if (rv != SECSuccess) return false;
-    }
-
-    SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
-                                           reinterpret_cast<void*>(this));
-    EXPECT_EQ(SECSuccess, rv);
-    if (rv != SECSuccess) return false;
-
-    return true;
-  }
-
-  void SetVersionRange(uint16_t minver, uint16_t maxver) {
-    SSLVersionRange range = {minver, maxver};
-    ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
-  }
-
-  State state() const { return state_; }
-
-  const char* state_str() const { return state_str(state()); }
-
-  const char* state_str(State state) const { return states[state]; }
-
-  PRFileDesc* ssl_fd() { return ssl_fd_; }
-
-  bool version(uint16_t* version) const {
-    if (state_ != CONNECTED) return false;
-
-    *version = info_.protocolVersion;
-
-    return true;
-  }
-
-  bool cipher_suite(int16_t* cipher_suite) const {
-    if (state_ != CONNECTED) return false;
-
-    *cipher_suite = info_.cipherSuite;
-    return true;
-  }
-
-  std::string cipher_suite_name() const {
-    if (state_ != CONNECTED) return "UNKNOWN";
-
-    return csinfo_.cipherSuiteName;
-  }
-
-  void CheckKEAType(SSLKEAType type) const {
-    ASSERT_EQ(CONNECTED, state_);
-    ASSERT_EQ(type, csinfo_.keaType);
-  }
-
-  void CheckVersion(uint16_t version) const {
-    ASSERT_EQ(CONNECTED, state_);
-    ASSERT_EQ(version, info_.protocolVersion);
-  }
-
-
-  void Handshake() {
-    SECStatus rv = SSL_ForceHandshake(ssl_fd_);
-    if (rv == SECSuccess) {
-      LOG("Handshake success");
-      SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
-      ASSERT_EQ(SECSuccess, rv);
-
-      rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
-      ASSERT_EQ(SECSuccess, rv);
-
-      SetState(CONNECTED);
-      return;
-    }
-
-    int32_t err = PR_GetError();
-    switch (err) {
-      case PR_WOULD_BLOCK_ERROR:
-        LOG("Would have blocked");
-        // TODO(ekr@rtfm.com): set DTLS timeouts
-        Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
-                                 &TlsAgent::ReadableCallback);
-        return;
-        break;
-
-      // TODO(ekr@rtfm.com): needs special case for DTLS
-      case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
-      default:
-        LOG("Handshake failed with error " << err);
-        SetState(ERROR);
-        return;
-    }
-  }
-
-  std::vector<uint8_t> GetSessionId() {
-    return std::vector<uint8_t>(info_.sessionID,
-                                info_.sessionID + info_.sessionIDLength);
-  }
-
-  void ConfigureSessionCache(SessionResumptionMode mode) {
-    ASSERT_TRUE(EnsureTlsSetup());
-
-    SECStatus rv = SSL_OptionSet(ssl_fd_,
-                                 SSL_NO_CACHE,
-                                 mode & RESUME_SESSIONID ?
-                                 PR_FALSE : PR_TRUE);
-    ASSERT_EQ(SECSuccess, rv);
-
-    rv = SSL_OptionSet(ssl_fd_,
-                       SSL_ENABLE_SESSION_TICKETS,
-                       mode & RESUME_TICKET ?
-                       PR_TRUE : PR_FALSE);
-    ASSERT_EQ(SECSuccess, rv);
-  }
-
- private:
-  const static char* states[];
-
-  void SetState(State state) {
-    if (state_ == state) return;
-
-    LOG("Changing state from " << state_str(state_) << " to "
-                               << state_str(state));
-    state_ = state;
-  }
-
-  // Dummy auth certificate hook.
-  static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
-                                       PRBool checksig, PRBool isServer) {
-    return SECSuccess;
-  }
-
-  static void ReadableCallback(PollTarget* self, Event event) {
-    TlsAgent* agent = static_cast<TlsAgent*>(self);
-    agent->ReadableCallback_int(event);
-  }
-
-  void ReadableCallback_int(Event event) {
-    LOG("Readable");
-    Handshake();
-  }
-
-  const std::string name_;
-  Mode mode_;
-  PRFileDesc* pr_fd_;
-  DummyPrSocket* adapter_;
-  PRFileDesc* ssl_fd_;
-  Role role_;
-  State state_;
-  SSLChannelInfo info_;
-  SSLCipherSuiteInfo csinfo_;
-};
-
-const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
-
-class TlsConnectTestBase : public ::testing::Test {
- public:
-  TlsConnectTestBase(Mode mode)
-      : mode_(mode),
-        client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
-        server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
-
-  ~TlsConnectTestBase() {
-    delete client_;
-    delete server_;
-  }
-
-  void SetUp() {
-    // Configure a fresh session cache.
-    SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
-
-    // Clear statistics.
-    SSL3Statistics* stats = SSL_GetStatistics();
-    memset(stats, 0, sizeof(*stats));
-
-    Init();
-  }
-
-  void TearDown() {
-    client_ = nullptr;
-    server_ = nullptr;
-
-    SSL_ClearSessionCache();
-    SSL_ShutdownServerSessionIDCache();
-  }
-
-  void Init() {
-    ASSERT_TRUE(client_->Init());
-    ASSERT_TRUE(server_->Init());
-
-    client_->SetPeer(server_);
-    server_->SetPeer(client_);
-  }
-
-  void Reset() {
-    delete client_;
-    delete server_;
-
-    client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_);
-    server_ = new TlsAgent("server", TlsAgent::SERVER, mode_);
-
-    Init();
-  }
-
-  void EnsureTlsSetup() {
-    ASSERT_TRUE(client_->EnsureTlsSetup());
-    ASSERT_TRUE(server_->EnsureTlsSetup());
-  }
-
-  void Connect() {
-    server_->StartConnect();  // Server
-    client_->StartConnect();  // Client
-    client_->Handshake();
-    server_->Handshake();
-
-    ASSERT_TRUE_WAIT(client_->state() != TlsAgent::CONNECTING &&
-                         server_->state() != TlsAgent::CONNECTING,
-                     5000);
-    ASSERT_EQ(TlsAgent::CONNECTED, server_->state());
-
-    int16_t cipher_suite1, cipher_suite2;
-    bool ret = client_->cipher_suite(&cipher_suite1);
-    ASSERT_TRUE(ret);
-    ret = server_->cipher_suite(&cipher_suite2);
-    ASSERT_TRUE(ret);
-    ASSERT_EQ(cipher_suite1, cipher_suite2);
-
-    std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
-              << std::endl;
-
-    // Check and store session ids.
-    std::vector<uint8_t> sid_c1 = client_->GetSessionId();
-    ASSERT_EQ(32, sid_c1.size());
-    std::vector<uint8_t> sid_s1 = server_->GetSessionId();
-    ASSERT_EQ(32, sid_s1.size());
-    ASSERT_EQ(sid_c1, sid_s1);
-    session_ids_.push_back(sid_c1);
-  }
-
-  void EnableSomeECDHECiphers() {
-    client_->EnableSomeECDHECiphers();
-    server_->EnableSomeECDHECiphers();
-  }
-
-  void ConfigureSessionCache(SessionResumptionMode client,
-                             SessionResumptionMode server) {
-    client_->ConfigureSessionCache(client);
-    server_->ConfigureSessionCache(server);
-  }
-
-  void CheckResumption(SessionResumptionMode expected) {
-    ASSERT_NE(RESUME_BOTH, expected);
-
-    int resume_ct = expected != 0;
-    int stateless_ct = (expected & RESUME_TICKET) ? 1 : 0;
-
-    SSL3Statistics* stats = SSL_GetStatistics();
-    ASSERT_EQ(resume_ct, stats->hch_sid_cache_hits);
-    ASSERT_EQ(resume_ct, stats->hsh_sid_cache_hits);
-
-    ASSERT_EQ(stateless_ct, stats->hch_sid_stateless_resumes);
-    ASSERT_EQ(stateless_ct, stats->hsh_sid_stateless_resumes);
-
-    if (resume_ct) {
-      // Check that the last two session ids match.
-      ASSERT_GE(2, session_ids_.size());
-      ASSERT_EQ(session_ids_[session_ids_.size()-1],
-                session_ids_[session_ids_.size()-2]);
-    }
-  }
-
- protected:
-  Mode mode_;
-  TlsAgent* client_;
-  TlsAgent* server_;
-  std::vector<std::vector<uint8_t>> session_ids_;
-};
-
-class TlsConnectTest : public TlsConnectTestBase {
- public:
-  TlsConnectTest() : TlsConnectTestBase(STREAM) {}
-};
-
-class DtlsConnectTest : public TlsConnectTestBase {
- public:
-  DtlsConnectTest() : TlsConnectTestBase(DGRAM) {}
-};
-
-class TlsConnectGeneric : public TlsConnectTestBase,
-                          public ::testing::WithParamInterface<std::string> {
- public:
-  TlsConnectGeneric()
-      : TlsConnectTestBase((GetParam() == "TLS") ? STREAM : DGRAM) {
-    std::cerr << "Variant: " << GetParam() << std::endl;
-  }
-};
-
 TEST_P(TlsConnectGeneric, SetupOnly) {}
 
 TEST_P(TlsConnectGeneric, Connect) {
   Connect();
 
   // Check that we negotiated the expected version.
   if (mode_ == STREAM) {
     client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_0);
@@ -724,78 +170,91 @@ TEST_P(TlsConnectGeneric, ConnectTLS_1_2
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   Connect();
   client_->CheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
 }
 
+TEST_P(TlsConnectGeneric, ConnectAlpn) {
+  EnableAlpn();
+  Connect();
+  client_->CheckAlpn(SSL_NEXT_PROTO_SELECTED, "a");
+  server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a");
+}
+
+TEST_F(DtlsConnectTest, ConnectSrtp) {
+  EnableSrtp();
+  Connect();
+  CheckSrtp();
+}
+
 TEST_F(TlsConnectTest, ConnectECDHE) {
   EnableSomeECDHECiphers();
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 }
 
 TEST_F(TlsConnectTest, ConnectECDHETwiceReuseKey) {
   EnableSomeECDHECiphers();
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i1);
+  server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
   TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
+  ASSERT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
   Reset();
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i2);
+  server_->SetPacketFilter(i2);
   EnableSomeECDHECiphers();
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
+  ASSERT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are the same.
   ASSERT_EQ(dhe1.public_key_.len(), dhe2.public_key_.len());
   ASSERT_TRUE(!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                       dhe1.public_key_.len()));
 }
 
 TEST_F(TlsConnectTest, ConnectECDHETwiceNewKey) {
   EnableSomeECDHECiphers();
   SECStatus rv =
       SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i1 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i1);
+  server_->SetPacketFilter(i1);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
   TlsServerKeyExchangeECDHE dhe1;
-  ASSERT_TRUE(dhe1.Parse(i1->buffer().data(), i1->buffer().len()));
+  ASSERT_TRUE(dhe1.Parse(i1->buffer()));
 
   // Restart
   Reset();
   EnableSomeECDHECiphers();
   rv = SSL_OptionSet(server_->ssl_fd(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
   ASSERT_EQ(SECSuccess, rv);
   TlsInspectorRecordHandshakeMessage* i2 =
       new TlsInspectorRecordHandshakeMessage(kTlsHandshakeServerKeyExchange);
-  server_->SetInspector(i2);
+  server_->SetPacketFilter(i2);
   ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
   Connect();
   client_->CheckKEAType(ssl_kea_ecdh);
 
   TlsServerKeyExchangeECDHE dhe2;
-  ASSERT_TRUE(dhe2.Parse(i2->buffer().data(), i2->buffer().len()));
+  ASSERT_TRUE(dhe2.Parse(i2->buffer()));
 
   // Make sure they are different.
   ASSERT_FALSE((dhe1.public_key_.len() == dhe2.public_key_.len()) &&
                (!memcmp(dhe1.public_key_.data(), dhe2.public_key_.data(),
                         dhe1.public_key_.len())));
 }
 
 INSTANTIATE_TEST_CASE_P(Variants, TlsConnectGeneric,
--- a/security/nss/external_tests/ssl_gtest/test_io.cc
+++ b/security/nss/external_tests/ssl_gtest/test_io.cc
@@ -1,50 +1,53 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include <assert.h>
+#include "test_io.h"
 
+#include <algorithm>
+#include <cassert>
 #include <iostream>
 #include <memory>
 
 #include "prerror.h"
-#include "prio.h"
 #include "prlog.h"
 #include "prthread.h"
 
-#include "test_io.h"
+#include "databuffer.h"
 
 namespace nss_test {
 
 static PRDescIdentity test_fd_identity = PR_INVALID_IO_LAYER;
 
-#define UNIMPLEMENTED()                                                 \
-  fprintf(stderr, "Call to unimplemented function %s\n", __FUNCTION__); \
-  PR_ASSERT(PR_FALSE);                                                  \
+#define UNIMPLEMENTED()                          \
+  std::cerr << "Call to unimplemented function " \
+            << __FUNCTION__ << std::endl;        \
+  PR_ASSERT(PR_FALSE);                           \
   PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0)
 
 #define LOG(a) std::cerr << name_ << ": " << a << std::endl;
 
-struct Packet {
-  Packet() : data_(nullptr), len_(0), offset_(0) {}
+class Packet : public DataBuffer {
+ public:
+  Packet(const DataBuffer& buf) : DataBuffer(buf), offset_(0) {}
 
-  void Assign(const void *data, int32_t len) {
-    data_ = new uint8_t[len];
-    memcpy(data_, data, len);
-    len_ = len;
+  void Advance(size_t delta) {
+    PR_ASSERT(offset_ + delta <= len());
+    offset_ = std::min(len(), offset_ + delta);
   }
 
-  ~Packet() { delete data_; }
-  uint8_t *data_;
-  int32_t len_;
-  int32_t offset_;
+  size_t offset() const { return offset_; }
+  size_t remaining() const { return len() - offset_; }
+
+ private:
+  size_t offset_;
 };
 
 // Implementation of NSPR methods
 static PRStatus DummyClose(PRFileDesc *f) {
   f->secret = nullptr;
   return PR_SUCCESS;
 }
 
@@ -241,16 +244,26 @@ static PRStatus DummyConnectContinue(PRF
   return PR_FAILURE;
 }
 
 static int32_t DummyReserved(PRFileDesc *f) {
   UNIMPLEMENTED();
   return -1;
 }
 
+DummyPrSocket::~DummyPrSocket() {
+  delete filter_;
+  while (!input_.empty())
+  {
+    Packet* front = input_.front();
+    input_.pop();
+    delete front;
+  }
+}
+
 static const struct PRIOMethods DummyMethods = {
     PR_DESC_LAYERED,  DummyClose,           DummyRead,
     DummyWrite,       DummyAvailable,       DummyAvailable64,
     DummySync,        DummySeek,            DummySeek64,
     DummyFileInfo,    DummyFileInfo64,      DummyWritev,
     DummyConnect,     DummyAccept,          DummyBind,
     DummyListen,      DummyShutdown,        DummyRecv,
     DummySend,        DummyRecvfrom,        DummySendto,
@@ -270,19 +283,18 @@ PRFileDesc *DummyPrSocket::CreateFD(cons
 
   return fd;
 }
 
 DummyPrSocket *DummyPrSocket::GetAdapter(PRFileDesc *fd) {
   return reinterpret_cast<DummyPrSocket *>(fd->secret);
 }
 
-void DummyPrSocket::PacketReceived(const void *data, int32_t len) {
-  input_.push(new Packet());
-  input_.back()->Assign(data, len);
+void DummyPrSocket::PacketReceived(const DataBuffer& packet) {
+  input_.push(new Packet(packet));
 }
 
 int32_t DummyPrSocket::Read(void *data, int32_t len) {
   PR_ASSERT(mode_ == STREAM);
 
   if (mode_ != STREAM) {
     PR_SetError(PR_INVALID_METHOD_ERROR, 0);
     return -1;
@@ -290,68 +302,80 @@ int32_t DummyPrSocket::Read(void *data, 
 
   if (input_.empty()) {
     LOG("Read --> wouldblock " << len);
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   Packet *front = input_.front();
-  int32_t to_read = std::min(len, front->len_ - front->offset_);
-  memcpy(data, front->data_ + front->offset_, to_read);
-  front->offset_ += to_read;
+  size_t to_read = std::min(static_cast<size_t>(len),
+                            front->len() - front->offset());
+  memcpy(data, static_cast<const void*>(front->data() + front->offset()),
+         to_read);
+  front->Advance(to_read);
 
-  if (front->offset_ == front->len_) {
+  if (!front->remaining()) {
     input_.pop();
     delete front;
   }
 
-  return to_read;
+  return static_cast<int32_t>(to_read);
 }
 
 int32_t DummyPrSocket::Recv(void *buf, int32_t buflen) {
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
   }
 
   Packet *front = input_.front();
-  if (buflen < front->len_) {
+  if (buflen < front->len()) {
     PR_ASSERT(false);
     PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
     return -1;
   }
 
-  int32_t count = front->len_;
-  memcpy(buf, front->data_, count);
+  size_t count = front->len();
+  memcpy(buf, front->data(), count);
 
   input_.pop();
   delete front;
 
-  return count;
+  return static_cast<int32_t>(count);
 }
 
 int32_t DummyPrSocket::Write(const void *buf, int32_t length) {
-  if (inspector_) {
-    inspector_->Inspect(this, buf, length);
+  DataBuffer packet(static_cast<const uint8_t*>(buf),
+                    static_cast<size_t>(length));
+  if (filter_) {
+    DataBuffer filtered;
+    if (filter_->Filter(packet, &filtered)) {
+      if (WriteDirect(filtered) != filtered.len()) {
+        PR_SetError(PR_IO_ERROR, 0);
+        return -1;
+      }
+      LOG("Wrote: " << packet);
+      // libssl can't handle if this reports something other than the length of
+      // what was passed in (or less, but we're not doing partial writes).
+      return packet.len();
+    }
   }
 
-  return WriteDirect(buf, length);
+  return WriteDirect(packet);
 }
 
-int32_t DummyPrSocket::WriteDirect(const void *buf, int32_t length) {
+int32_t DummyPrSocket::WriteDirect(const DataBuffer& packet) {
   if (!peer_) {
     PR_SetError(PR_IO_ERROR, 0);
     return -1;
   }
 
-  LOG("Wrote " << length);
-
-  peer_->PacketReceived(buf, length);
-  return length;
+  peer_->PacketReceived(packet);
+  return static_cast<int32_t>(packet.len()); // ignore truncation
 }
 
 Poller *Poller::instance;
 
 Poller *Poller::Instance() {
   if (!instance) instance = new Poller();
 
   return instance;
--- a/security/nss/external_tests/ssl_gtest/test_io.h
+++ b/security/nss/external_tests/ssl_gtest/test_io.h
@@ -8,67 +8,74 @@
 #define test_io_h_
 
 #include <string.h>
 #include <map>
 #include <memory>
 #include <queue>
 #include <string>
 
+#include "prio.h"
+
 namespace nss_test {
 
-struct Packet;
+class DataBuffer;
+class Packet;
 class DummyPrSocket;  // Fwd decl.
 
 // Allow us to inspect a packet before it is written.
-class Inspector {
+class PacketFilter {
  public:
-  virtual ~Inspector() {}
+  virtual ~PacketFilter() {}
 
-  virtual void Inspect(DummyPrSocket* adapter, const void* data,
-                       size_t len) = 0;
+  // The packet filter takes input and has the option of mutating it.
+  //
+  // A filter that modifies the data places the modified data in *output and
+  // returns true.  A filter that does not modify data returns false, in which
+  // case the value in *output is ignored.
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output) = 0;
 };
 
 enum Mode { STREAM, DGRAM };
 
 class DummyPrSocket {
  public:
-  ~DummyPrSocket() { delete inspector_; }
+  ~DummyPrSocket();
 
   static PRFileDesc* CreateFD(const std::string& name,
                               Mode mode);  // Returns an FD.
   static DummyPrSocket* GetAdapter(PRFileDesc* fd);
 
   void SetPeer(DummyPrSocket* peer) { peer_ = peer; }
 
-  void SetInspector(Inspector* inspector) { inspector_ = inspector; }
+  void SetPacketFilter(PacketFilter* filter) { filter_ = filter; }
 
-  void PacketReceived(const void* data, int32_t len);
+  void PacketReceived(const DataBuffer& data);
   int32_t Read(void* data, int32_t len);
   int32_t Recv(void* buf, int32_t buflen);
   int32_t Write(const void* buf, int32_t length);
-  int32_t WriteDirect(const void* buf, int32_t length);
+  int32_t WriteDirect(const DataBuffer& data);
 
   Mode mode() const { return mode_; }
-  bool readable() { return !input_.empty(); }
+  bool readable() const { return !input_.empty(); }
   bool writable() { return true; }
 
  private:
   DummyPrSocket(const std::string& name, Mode mode)
       : name_(name),
         mode_(mode),
         peer_(nullptr),
         input_(),
-        inspector_(nullptr) {}
+        filter_(nullptr) {}
 
   const std::string name_;
   Mode mode_;
   DummyPrSocket* peer_;
   std::queue<Packet*> input_;
-  Inspector* inspector_;
+  PacketFilter* filter_;
 };
 
 // Marker interface.
 class PollTarget {};
 
 enum Event { READABLE_EVENT, TIMER_EVENT /* Must be last */ };
 
 typedef void (*PollCallback)(PollTarget*, Event);
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -0,0 +1,208 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_agent.h"
+
+#include "pk11func.h"
+#include "ssl.h"
+#include "sslerr.h"
+#include "sslproto.h"
+#include "keyhi.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const char* TlsAgent::states[] = {"INIT", "CONNECTING", "CONNECTED", "ERROR"};
+
+bool TlsAgent::EnsureTlsSetup() {
+  // Don't set up twice
+  if (ssl_fd_) return true;
+
+  if (adapter_->mode() == STREAM) {
+    ssl_fd_ = SSL_ImportFD(nullptr, pr_fd_);
+  } else {
+    ssl_fd_ = DTLS_ImportFD(nullptr, pr_fd_);
+  }
+
+  EXPECT_NE(nullptr, ssl_fd_);
+  if (!ssl_fd_) return false;
+  pr_fd_ = nullptr;
+
+  if (role_ == SERVER) {
+    CERTCertificate* cert = PK11_FindCertFromNickname(name_.c_str(), nullptr);
+    EXPECT_NE(nullptr, cert);
+    if (!cert) return false;
+
+    SECKEYPrivateKey* priv = PK11_FindKeyByAnyCert(cert, nullptr);
+    EXPECT_NE(nullptr, priv);
+    if (!priv) return false;  // Leak cert.
+
+    SECStatus rv = SSL_ConfigSecureServer(ssl_fd_, cert, priv, kt_rsa);
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;  // Leak cert and key.
+
+    SECKEY_DestroyPrivateKey(priv);
+    CERT_DestroyCertificate(cert);
+
+    rv = SSL_SNISocketConfigHook(ssl_fd_, SniHook,
+                                 reinterpret_cast<void*>(this));
+    EXPECT_EQ(SECSuccess, rv);  // don't abort, just fail
+  } else {
+    SECStatus rv = SSL_SetURL(ssl_fd_, "server");
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;
+  }
+
+  SECStatus rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook,
+                                         reinterpret_cast<void*>(this));
+  EXPECT_EQ(SECSuccess, rv);
+  if (rv != SECSuccess) return false;
+
+  return true;
+}
+
+void TlsAgent::StartConnect() {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv;
+  rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
+  ASSERT_EQ(SECSuccess, rv);
+  SetState(CONNECTING);
+}
+
+void TlsAgent::EnableSomeECDHECiphers() {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  const uint32_t EnabledCiphers[] = {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA};
+
+  for (size_t i = 0; i < PR_ARRAY_SIZE(EnabledCiphers); ++i) {
+    SECStatus rv = SSL_CipherPrefSet(ssl_fd_, EnabledCiphers[i], PR_TRUE);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+}
+
+void TlsAgent::SetSessionTicketsEnabled(bool en) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS,
+                               en ? PR_TRUE : PR_FALSE);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+void TlsAgent::SetSessionCacheEnabled(bool en) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE,
+                               en ? PR_FALSE : PR_TRUE);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+void TlsAgent::SetVersionRange(uint16_t minver, uint16_t maxver) {
+  SSLVersionRange range = {minver, maxver};
+  ASSERT_EQ(SECSuccess, SSL_VersionRangeSet(ssl_fd_, &range));
+}
+
+void TlsAgent::CheckKEAType(SSLKEAType type) const {
+  ASSERT_EQ(CONNECTED, state_);
+  ASSERT_EQ(type, csinfo_.keaType);
+}
+
+void TlsAgent::CheckVersion(uint16_t version) const {
+  ASSERT_EQ(CONNECTED, state_);
+  ASSERT_EQ(version, info_.protocolVersion);
+}
+
+void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  ASSERT_EQ(SECSuccess, SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE));
+  ASSERT_EQ(SECSuccess, SSL_SetNextProtoNego(ssl_fd_, val, len));
+}
+
+void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
+                         const std::string& expected) {
+  SSLNextProtoState state;
+  char chosen[10];
+  unsigned int chosen_len;
+  SECStatus rv = SSL_GetNextProto(ssl_fd_, &state,
+                                  reinterpret_cast<unsigned char*>(chosen),
+                                  &chosen_len, sizeof(chosen));
+  ASSERT_EQ(SECSuccess, rv);
+  ASSERT_EQ(expected_state, state);
+  ASSERT_EQ(expected, std::string(chosen, chosen_len));
+}
+
+void TlsAgent::EnableSrtp() {
+  ASSERT_TRUE(EnsureTlsSetup());
+  const uint16_t ciphers[] = {
+    SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32
+  };
+  ASSERT_EQ(SECSuccess, SSL_SetSRTPCiphers(ssl_fd_, ciphers,
+                                           PR_ARRAY_SIZE(ciphers)));
+
+}
+
+void TlsAgent::CheckSrtp() {
+  uint16_t actual;
+  ASSERT_EQ(SECSuccess, SSL_GetSRTPCipher(ssl_fd_, &actual));
+  ASSERT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, actual);
+}
+
+
+void TlsAgent::Handshake() {
+  SECStatus rv = SSL_ForceHandshake(ssl_fd_);
+  if (rv == SECSuccess) {
+    LOG("Handshake success");
+    SECStatus rv = SSL_GetChannelInfo(ssl_fd_, &info_, sizeof(info_));
+    ASSERT_EQ(SECSuccess, rv);
+
+    rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
+    ASSERT_EQ(SECSuccess, rv);
+
+    SetState(CONNECTED);
+    return;
+  }
+
+  int32_t err = PR_GetError();
+  switch (err) {
+    case PR_WOULD_BLOCK_ERROR:
+      LOG("Would have blocked");
+      // TODO(ekr@rtfm.com): set DTLS timeouts
+      Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
+                               &TlsAgent::ReadableCallback);
+      return;
+      break;
+
+      // TODO(ekr@rtfm.com): needs special case for DTLS
+    case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
+    default:
+      LOG("Handshake failed with error " << err);
+      SetState(ERROR);
+      return;
+  }
+}
+
+void TlsAgent::ConfigureSessionCache(SessionResumptionMode mode) {
+  ASSERT_TRUE(EnsureTlsSetup());
+
+  SECStatus rv = SSL_OptionSet(ssl_fd_,
+                               SSL_NO_CACHE,
+                               mode & RESUME_SESSIONID ?
+                               PR_FALSE : PR_TRUE);
+  ASSERT_EQ(SECSuccess, rv);
+
+  rv = SSL_OptionSet(ssl_fd_,
+                     SSL_ENABLE_SESSION_TICKETS,
+                     mode & RESUME_TICKET ?
+                     PR_TRUE : PR_FALSE);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+
+} // namespace nss_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -0,0 +1,170 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_agent_h_
+#define tls_agent_h_
+
+#include "prio.h"
+#include "ssl.h"
+
+#include <iostream>
+
+#include "test_io.h"
+
+namespace nss_test {
+
+#define LOG(msg) std::cerr << name_ << ": " << msg << std::endl
+
+enum SessionResumptionMode {
+  RESUME_NONE = 0,
+  RESUME_SESSIONID = 1,
+  RESUME_TICKET = 2,
+  RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
+};
+
+class TlsAgent : public PollTarget {
+ public:
+  enum Role { CLIENT, SERVER };
+  enum State { INIT, CONNECTING, CONNECTED, ERROR };
+
+  TlsAgent(const std::string& name, Role role, Mode mode)
+      : name_(name),
+        mode_(mode),
+        pr_fd_(nullptr),
+        adapter_(nullptr),
+        ssl_fd_(nullptr),
+        role_(role),
+        state_(INIT) {
+      memset(&info_, 0, sizeof(info_));
+      memset(&csinfo_, 0, sizeof(csinfo_));
+  }
+
+  ~TlsAgent() {
+    if (pr_fd_) {
+      PR_Close(pr_fd_);
+    }
+
+    if (ssl_fd_) {
+      PR_Close(ssl_fd_);
+    }
+  }
+
+  bool Init() {
+    pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
+    if (!pr_fd_) return false;
+
+    adapter_ = DummyPrSocket::GetAdapter(pr_fd_);
+    if (!adapter_) return false;
+
+    return true;
+  }
+
+  void SetPeer(TlsAgent* peer) { adapter_->SetPeer(peer->adapter_); }
+
+  void SetPacketFilter(PacketFilter* filter) {
+    adapter_->SetPacketFilter(filter);
+  }
+
+
+  void StartConnect();
+  void CheckKEAType(SSLKEAType type) const;
+  void CheckVersion(uint16_t version) const;
+
+  void Handshake();
+  void EnableSomeECDHECiphers();
+  bool EnsureTlsSetup();
+
+  void ConfigureSessionCache(SessionResumptionMode mode);
+  void SetSessionTicketsEnabled(bool en);
+  void SetSessionCacheEnabled(bool en);
+  void SetVersionRange(uint16_t minver, uint16_t maxver);
+  void EnableAlpn(const uint8_t* val, size_t len);
+  void CheckAlpn(SSLNextProtoState expected_state,
+                 const std::string& expected);
+  void EnableSrtp();
+  void CheckSrtp();
+
+  State state() const { return state_; }
+
+  const char* state_str() const { return state_str(state()); }
+
+  const char* state_str(State state) const { return states[state]; }
+
+  PRFileDesc* ssl_fd() { return ssl_fd_; }
+
+  bool version(uint16_t* version) const {
+    if (state_ != CONNECTED) return false;
+
+    *version = info_.protocolVersion;
+
+    return true;
+  }
+
+  bool cipher_suite(int16_t* cipher_suite) const {
+    if (state_ != CONNECTED) return false;
+
+    *cipher_suite = info_.cipherSuite;
+    return true;
+  }
+
+  std::string cipher_suite_name() const {
+    if (state_ != CONNECTED) return "UNKNOWN";
+
+    return csinfo_.cipherSuiteName;
+  }
+
+  std::vector<uint8_t> session_id() const {
+    return std::vector<uint8_t>(info_.sessionID,
+                                info_.sessionID + info_.sessionIDLength);
+  }
+
+ private:
+  const static char* states[];
+
+  void SetState(State state) {
+    if (state_ == state) return;
+
+    LOG("Changing state from " << state_str(state_) << " to "
+                               << state_str(state));
+    state_ = state;
+  }
+
+  // Dummy auth certificate hook.
+  static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
+                                       PRBool checksig, PRBool isServer) {
+    return SECSuccess;
+  }
+
+  static void ReadableCallback(PollTarget* self, Event event) {
+    TlsAgent* agent = static_cast<TlsAgent*>(self);
+    agent->ReadableCallback_int();
+  }
+
+  void ReadableCallback_int() {
+    LOG("Readable");
+    Handshake();
+  }
+
+  static PRInt32 SniHook(PRFileDesc *fd, const SECItem *srvNameArr,
+                         PRUint32 srvNameArrSize,
+                         void *arg) {
+    return SSL_SNI_CURRENT_CONFIG_IS_USED;
+  }
+
+  const std::string name_;
+  Mode mode_;
+  PRFileDesc* pr_fd_;
+  DummyPrSocket* adapter_;
+  PRFileDesc* ssl_fd_;
+  Role role_;
+  State state_;
+  SSLChannelInfo info_;
+  SSLCipherSuiteInfo csinfo_;
+};
+
+}  // namespace nss_test
+
+#endif
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_connect.cc
@@ -0,0 +1,170 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_connect.h"
+
+#include <iostream>
+
+#include "gtest_utils.h"
+
+extern std::string g_working_dir_path;
+
+namespace nss_test {
+
+TlsConnectTestBase::TlsConnectTestBase(Mode mode)
+      : mode_(mode),
+        client_(new TlsAgent("client", TlsAgent::CLIENT, mode_)),
+        server_(new TlsAgent("server", TlsAgent::SERVER, mode_)) {}
+
+TlsConnectTestBase::~TlsConnectTestBase() {
+  delete client_;
+  delete server_;
+}
+
+void TlsConnectTestBase::SetUp() {
+  // Configure a fresh session cache.
+  SSL_ConfigServerSessionIDCache(1024, 0, 0, g_working_dir_path.c_str());
+
+  // Clear statistics.
+  SSL3Statistics* stats = SSL_GetStatistics();
+  memset(stats, 0, sizeof(*stats));
+
+  Init();
+}
+
+void TlsConnectTestBase::TearDown() {
+  client_ = nullptr;
+  server_ = nullptr;
+
+  SSL_ClearSessionCache();
+  SSL_ShutdownServerSessionIDCache();
+}
+
+void TlsConnectTestBase::Init() {
+  ASSERT_TRUE(client_->Init());
+  ASSERT_TRUE(server_->Init());
+
+  client_->SetPeer(server_);
+  server_->SetPeer(client_);
+}
+
+void TlsConnectTestBase::Reset() {
+  delete client_;
+  delete server_;
+
+  client_ = new TlsAgent("client", TlsAgent::CLIENT, mode_);
+  server_ = new TlsAgent("server", TlsAgent::SERVER, mode_);
+
+  Init();
+}
+
+void TlsConnectTestBase::EnsureTlsSetup() {
+  ASSERT_TRUE(client_->EnsureTlsSetup());
+  ASSERT_TRUE(server_->EnsureTlsSetup());
+}
+
+void TlsConnectTestBase::Handshake() {
+  server_->StartConnect();
+  client_->StartConnect();
+  client_->Handshake();
+  server_->Handshake();
+
+  ASSERT_TRUE_WAIT(client_->state() != TlsAgent::CONNECTING &&
+                   server_->state() != TlsAgent::CONNECTING,
+                   5000);
+}
+
+void TlsConnectTestBase::Connect() {
+  Handshake();
+
+  ASSERT_EQ(TlsAgent::CONNECTED, client_->state());
+  ASSERT_EQ(TlsAgent::CONNECTED, server_->state());
+
+  int16_t cipher_suite1, cipher_suite2;
+  bool ret = client_->cipher_suite(&cipher_suite1);
+  ASSERT_TRUE(ret);
+  ret = server_->cipher_suite(&cipher_suite2);
+  ASSERT_TRUE(ret);
+  ASSERT_EQ(cipher_suite1, cipher_suite2);
+
+  std::cerr << "Connected with cipher suite " << client_->cipher_suite_name()
+            << std::endl;
+
+  // Check and store session ids.
+  std::vector<uint8_t> sid_c1 = client_->session_id();
+  ASSERT_EQ(32, sid_c1.size());
+  std::vector<uint8_t> sid_s1 = server_->session_id();
+  ASSERT_EQ(32, sid_s1.size());
+  ASSERT_EQ(sid_c1, sid_s1);
+  session_ids_.push_back(sid_c1);
+}
+
+void TlsConnectTestBase::ConnectExpectFail() {
+  Handshake();
+
+  ASSERT_EQ(TlsAgent::ERROR, client_->state());
+  ASSERT_EQ(TlsAgent::ERROR, server_->state());
+}
+
+void TlsConnectTestBase::EnableSomeECDHECiphers() {
+  client_->EnableSomeECDHECiphers();
+  server_->EnableSomeECDHECiphers();
+}
+
+
+void TlsConnectTestBase::ConfigureSessionCache(SessionResumptionMode client,
+                                               SessionResumptionMode server) {
+  client_->ConfigureSessionCache(client);
+  server_->ConfigureSessionCache(server);
+}
+
+void TlsConnectTestBase::CheckResumption(SessionResumptionMode expected) {
+  ASSERT_NE(RESUME_BOTH, expected);
+
+  int resume_ct = expected ? 1 : 0;
+  int stateless_ct = (expected & RESUME_TICKET) ? 1 : 0;
+
+  SSL3Statistics* stats = SSL_GetStatistics();
+  ASSERT_EQ(resume_ct, stats->hch_sid_cache_hits);
+  ASSERT_EQ(resume_ct, stats->hsh_sid_cache_hits);
+
+  ASSERT_EQ(stateless_ct, stats->hch_sid_stateless_resumes);
+  ASSERT_EQ(stateless_ct, stats->hsh_sid_stateless_resumes);
+
+  if (resume_ct) {
+    // Check that the last two session ids match.
+    ASSERT_GE(2, session_ids_.size());
+    ASSERT_EQ(session_ids_[session_ids_.size()-1],
+              session_ids_[session_ids_.size()-2]);
+  }
+}
+
+void TlsConnectTestBase::EnableAlpn() {
+  // A simple value of "a", "b".  Note that the preferred value of "a" is placed
+  // at the end, because the NSS API follows the now defunct NPN specification,
+  // which places the preferred (and default) entry at the end of the list.
+  // NSS will move this final entry to the front when used with ALPN.
+  static const uint8_t val[] = { 0x01, 0x62, 0x01, 0x61 };
+  client_->EnableAlpn(val, sizeof(val));
+  server_->EnableAlpn(val, sizeof(val));
+}
+
+void TlsConnectTestBase::EnableSrtp() {
+  client_->EnableSrtp();
+  server_->EnableSrtp();
+}
+
+void TlsConnectTestBase::CheckSrtp() {
+  client_->CheckSrtp();
+  server_->CheckSrtp();
+}
+
+TlsConnectGeneric::TlsConnectGeneric()
+    : TlsConnectTestBase((GetParam() == "TLS") ? STREAM : DGRAM) {
+  std::cerr << "Variant: " << GetParam() << std::endl;
+}
+
+} // namespace nss_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_connect.h
@@ -0,0 +1,79 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_connect_h_
+#define tls_connect_h_
+
+#include "sslt.h"
+
+#include "tls_agent.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+// A generic TLS connection test base.
+class TlsConnectTestBase : public ::testing::Test {
+ public:
+  TlsConnectTestBase(Mode mode);
+  virtual ~TlsConnectTestBase();
+
+  void SetUp();
+  void TearDown();
+
+  // Initialize client and server.
+  void Init();
+  // Re-initialize client and server.
+  void Reset();
+  // Make sure TLS is configured for a connection.
+  void EnsureTlsSetup();
+
+  // Run the handshake.
+  void Handshake();
+  // Connect and check that it works.
+  void Connect();
+  // Connect and expect it to fail.
+  void ConnectExpectFail();
+
+  void EnableSomeECDHECiphers();
+  void ConfigureSessionCache(SessionResumptionMode client,
+                             SessionResumptionMode server);
+  void CheckResumption(SessionResumptionMode expected);
+  void EnableAlpn();
+  void EnableSrtp();
+  void CheckSrtp();
+
+ protected:
+  Mode mode_;
+  TlsAgent* client_;
+  TlsAgent* server_;
+  std::vector<std::vector<uint8_t>> session_ids_;
+};
+
+// A TLS-only test base.
+class TlsConnectTest : public TlsConnectTestBase {
+ public:
+  TlsConnectTest() : TlsConnectTestBase(STREAM) {}
+};
+
+// A DTLS-only test base.
+class DtlsConnectTest : public TlsConnectTestBase {
+ public:
+  DtlsConnectTest() : TlsConnectTestBase(DGRAM) {}
+};
+
+// A generic test class that can be either STREAM or DGRAM.  This is configured
+// in ssl_loopback_unittest.cc.  All uses of this should use TEST_P().
+class TlsConnectGeneric : public TlsConnectTestBase,
+                          public ::testing::WithParamInterface<std::string> {
+ public:
+  TlsConnectGeneric();
+};
+
+} // namespace nss_test
+
+#endif
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_filter.cc
@@ -0,0 +1,226 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "tls_filter.h"
+
+#include <iostream>
+
+namespace nss_test {
+
+bool TlsRecordFilter::Filter(const DataBuffer& input, DataBuffer* output) {
+  bool changed = false;
+  size_t output_offset = 0U;
+  output->Allocate(input.len());
+
+  TlsParser parser(input);
+  while (parser.remaining()) {
+    size_t start = parser.consumed();
+    uint8_t content_type;
+    if (!parser.Read(&content_type)) {
+      return false;
+    }
+    uint32_t version;
+    if (!parser.Read(&version, 2)) {
+      return false;
+    }
+
+    if (IsDtls(version)) {
+      if (!parser.Skip(8)) {
+        return false;
+      }
+    }
+    size_t header_len = parser.consumed() - start;
+    output->Write(output_offset, input.data() + start, header_len);
+
+    DataBuffer record;
+    if (!parser.ReadVariable(&record, 2)) {
+      return false;
+    }
+
+    // Move the offset in the output forward.  ApplyFilter() returns the index
+    // of the end of the record it wrote to the output, so we need to skip
+    // over the content type and version for the value passed to it.
+    output_offset = ApplyFilter(content_type, version, record, output,
+                                output_offset + header_len,
+                                &changed);
+  }
+  output->Truncate(output_offset);
+
+  // Record how many packets we actually touched.
+  if (changed) {
+    ++count_;
+  }
+
+  return changed;
+}
+
+size_t TlsRecordFilter::ApplyFilter(uint8_t content_type, uint16_t version,
+                                    const DataBuffer& record,
+                                    DataBuffer* output,
+                                    size_t offset, bool* changed) {
+  const DataBuffer* source = &record;
+  DataBuffer filtered;
+  if (FilterRecord(content_type, version, record, &filtered) &&
+      filtered.len() < 0x10000) {
+    *changed = true;
+    std::cerr << "record old: " << record << std::endl;
+    std::cerr << "record old: " << filtered << std::endl;
+    source = &filtered;
+  }
+
+  output->Write(offset, source->len(), 2);
+  output->Write(offset + 2, *source);
+  return offset + 2 + source->len();
+}
+
+bool TlsHandshakeFilter::FilterRecord(uint8_t content_type, uint16_t version,
+                                      const DataBuffer& input,
+                                      DataBuffer* output) {
+  // Check that the first byte is as requested.
+  if (content_type != kTlsHandshakeType) {
+    return false;
+  }
+
+  bool changed = false;
+  size_t output_offset = 0U;
+  output->Allocate(input.len()); // Preallocate a little.
+
+  TlsParser parser(input);
+  while (parser.remaining()) {
+    size_t start = parser.consumed();
+    uint8_t handshake_type;
+    if (!parser.Read(&handshake_type)) {
+      return false; // malformed
+    }
+    uint32_t length;
+    if (!parser.Read(&length, 3)) {
+      return false; // malformed
+    }
+
+    if (IsDtls(version) && !CheckDtls(parser, length)) {
+      return false;
+    }
+
+    size_t header_len = parser.consumed() - start;
+    output->Write(output_offset, input.data() + start, header_len);
+
+    DataBuffer handshake;
+    if (!parser.Read(&handshake, length)) {
+      return false;
+    }
+
+    // Move the offset in the output forward.  ApplyFilter() returns the index
+    // of the end of the message it wrote to the output, so we need to identify
+    // offsets from the start of the message for length and the handshake
+    // message.
+    output_offset = ApplyFilter(version, handshake_type, handshake,
+                                output, output_offset + 1,
+                                output_offset + header_len,
+                                &changed);
+  }
+  output->Truncate(output_offset);
+  return changed;
+}
+
+bool TlsHandshakeFilter::CheckDtls(TlsParser& parser, size_t length) {
+  // Read and check DTLS parameters
+  if (!parser.Skip(2)) { // sequence number
+    return false;
+  }
+
+  uint32_t fragment_offset;
+  if (!parser.Read(&fragment_offset, 3)) {
+    return false;
+  }
+
+  uint32_t fragment_length;
+  if (!parser.Read(&fragment_length, 3)) {
+    return false;
+  }
+
+  // All current tests where we are using this code don't fragment.
+  return (fragment_offset == 0 && fragment_length == length);
+}
+
+size_t TlsHandshakeFilter::ApplyFilter(
+    uint16_t version, uint8_t handshake_type, const DataBuffer& handshake,
+    DataBuffer* output, size_t length_offset, size_t value_offset,
+    bool* changed) {
+  const DataBuffer* source = &handshake;
+  DataBuffer filtered;
+  if (FilterHandshake(version, handshake_type, handshake, &filtered) &&
+      filtered.len() < 0x1000000) {
+    *changed = true;
+    std::cerr << "handshake old: " << handshake << std::endl;
+    std::cerr << "handshake new: " << filtered << std::endl;
+    source = &filtered;
+  }
+
+  // Back up and overwrite the (two) length field(s): the handshake message
+  // length and the DTLS fragment length.
+  output->Write(length_offset, source->len(), 3);
+  if (IsDtls(version)) {
+    output->Write(length_offset + 8, source->len(), 3);
+  }
+  output->Write(value_offset, *source);
+  return value_offset + source->len();
+}
+
+bool TlsInspectorRecordHandshakeMessage::FilterHandshake(
+    uint16_t version, uint8_t handshake_type,
+    const DataBuffer& input, DataBuffer* output) {
+  // Only do this once.
+  if (buffer_.len()) {
+    return false;
+  }
+
+  if (handshake_type == handshake_type_) {
+    buffer_ = input;
+  }
+  return false;
+}
+
+bool TlsAlertRecorder::FilterRecord(uint8_t content_type, uint16_t version,
+                                    const DataBuffer& input, DataBuffer* output) {
+  if (level_ == kTlsAlertFatal) { // already fatal
+    return false;
+  }
+  if (content_type != kTlsAlertType) {
+    return false;
+  }
+
+  TlsParser parser(input);
+  uint8_t lvl;
+  if (!parser.Read(&lvl)) {
+    return false;
+  }
+  if (lvl == kTlsAlertWarning) { // not strong enough
+    return false;
+  }
+  level_ = lvl;
+  (void)parser.Read(&description_);
+  return false;
+}
+
+ChainedPacketFilter::~ChainedPacketFilter() {
+  for (auto it = filters_.begin(); it != filters_.end(); ++it) {
+    delete *it;
+  }
+}
+
+bool ChainedPacketFilter::Filter(const DataBuffer& input, DataBuffer* output) {
+  DataBuffer in(input);
+  bool changed = false;
+  for (auto it = filters_.begin(); it != filters_.end(); ++it) {
+    if ((*it)->Filter(in, output)) {
+      in = *output;
+      changed = true;
+    }
+  }
+  return changed;
+}
+
+}  // namespace nss_test
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/tls_filter.h
@@ -0,0 +1,113 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef tls_filter_h_
+#define tls_filter_h_
+
+#include <memory>
+#include <vector>
+
+#include "test_io.h"
+#include "tls_parser.h"
+
+namespace nss_test {
+
+// Abstract filter that operates on entire (D)TLS records.
+class TlsRecordFilter : public PacketFilter {
+ public:
+  TlsRecordFilter() : count_(0) {}
+
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output);
+
+  // Report how many packets were altered by the filter.
+  size_t filtered_packets() const { return count_; }
+
+ protected:
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& data, DataBuffer* changed) = 0;
+ private:
+  size_t ApplyFilter(uint8_t content_type, uint16_t version,
+                     const DataBuffer& record, DataBuffer* output,
+                     size_t offset, bool* changed);
+
+  size_t count_;
+};
+
+// Abstract filter that operates on handshake messages rather than records.
+// This assumes that the handshake messages are written in a block as entire
+// records and that they don't span records or anything crazy like that.
+class TlsHandshakeFilter : public TlsRecordFilter {
+ public:
+  TlsHandshakeFilter() {}
+
+ protected:
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output);
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output) = 0;
+
+ private:
+  bool CheckDtls(TlsParser& parser, size_t length);
+  size_t ApplyFilter(uint16_t version, uint8_t handshake_type,
+                     const DataBuffer& record, DataBuffer* output,
+                     size_t length_offset, size_t value_offset, bool* changed);
+};
+
+// Make a copy of the first instance of a handshake message.
+class TlsInspectorRecordHandshakeMessage : public TlsHandshakeFilter {
+ public:
+  TlsInspectorRecordHandshakeMessage(uint8_t handshake_type)
+      : handshake_type_(handshake_type), buffer_() {}
+
+  virtual bool FilterHandshake(uint16_t version, uint8_t handshake_type,
+                               const DataBuffer& input, DataBuffer* output);
+
+  const DataBuffer& buffer() const { return buffer_; }
+
+ private:
+  uint8_t handshake_type_;
+  DataBuffer buffer_;
+};
+
+// Records an alert.  If an alert has already been recorded, it won't save the
+// new alert unless the old alert is a warning and the new one is fatal.
+class TlsAlertRecorder : public TlsRecordFilter {
+ public:
+  TlsAlertRecorder() : level_(255), description_(255) {}
+
+  virtual bool FilterRecord(uint8_t content_type, uint16_t version,
+                            const DataBuffer& input, DataBuffer* output);
+
+  uint8_t level() const { return level_; }
+  uint8_t description() const { return description_; }
+
+ private:
+  uint8_t level_;
+  uint8_t description_;
+};
+
+// Runs multiple packet filters in series.
+class ChainedPacketFilter : public PacketFilter {
+ public:
+  ChainedPacketFilter() {}
+  ChainedPacketFilter(const std::vector<PacketFilter*> filters)
+      : filters_(filters.begin(), filters.end()) {}
+  virtual ~ChainedPacketFilter();
+
+  virtual bool Filter(const DataBuffer& input, DataBuffer* output);
+
+  // Takes ownership of the filter.
+  void Add(PacketFilter* filter) {
+    filters_.push_back(filter);
+  }
+
+ private:
+  std::vector<PacketFilter*> filters_;
+};
+
+}  // namespace nss_test
+
+#endif
--- a/security/nss/external_tests/ssl_gtest/tls_parser.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.cc
@@ -1,57 +1,71 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "tls_parser.h"
 
-// Process DTLS Records
-#define CHECK_LENGTH(expected)                \
-  do {                                        \
-    if (remaining() < expected) return false; \
-  } while (0)
+namespace nss_test {
 
-bool TlsParser::Read(unsigned char* val) {
+bool TlsParser::Read(uint8_t* val) {
   if (remaining() < 1) {
     return false;
   }
   *val = *ptr();
   consume(1);
   return true;
 }
 
-bool TlsParser::Read(unsigned char* val, size_t len) {
+bool TlsParser::Read(uint32_t* val, size_t size) {
+  if (size > sizeof(uint32_t)) {
+    return false;
+  }
+
+  uint32_t v = 0;
+  for (size_t i = 0; i < size; ++i) {
+    uint8_t tmp;
+    if (!Read(&tmp)) {
+      return false;
+    }
+
+    v = (v << 8) | tmp;
+  }
+
+  *val = v;
+  return true;
+}
+
+bool TlsParser::Read(DataBuffer* val, size_t len) {
   if (remaining() < len) {
     return false;
   }
 
-  if (val) {
-    memcpy(val, ptr(), len);
-  }
+  val->Assign(ptr(), len);
   consume(len);
-
   return true;
 }
 
-bool TlsRecordParser::NextRecord(uint8_t* ct,
-                                 std::auto_ptr<DataBuffer>* buffer) {
-  if (!remaining()) return false;
-
-  CHECK_LENGTH(5U);
-  const uint8_t* ctp = reinterpret_cast<const uint8_t*>(ptr());
-  consume(3);  // ct + version
+bool TlsParser::ReadVariable(DataBuffer* val, size_t len_size) {
+  uint32_t len;
+  if (!Read(&len, len_size)) {
+    return false;
+  }
+  return Read(val, len);
+}
 
-  const uint16_t* tmp = reinterpret_cast<const uint16_t*>(ptr());
-  size_t length = ntohs(*tmp);
-  consume(2);
-
-  CHECK_LENGTH(length);
-  DataBuffer* db = new DataBuffer(ptr(), length);
-  consume(length);
-
-  *ct = *ctp;
-  buffer->reset(db);
-
+bool TlsParser::Skip(size_t len) {
+  if (len > remaining()) { return false; }
+  consume(len);
   return true;
 }
+
+bool TlsParser::SkipVariable(size_t len_size) {
+  uint32_t len;
+  if (!Read(&len, len_size)) {
+    return false;
+  }
+  return Skip(len);
+}
+
+} // namespace nss_test
--- a/security/nss/external_tests/ssl_gtest/tls_parser.h
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.h
@@ -3,81 +3,95 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef tls_parser_h_
 #define tls_parser_h_
 
 #include <memory>
-#include <stdint.h>
-#include <string.h>
+#include <cstdint>
+#include <cstring>
 #include <arpa/inet.h>
 #include "databuffer.h"
 
+namespace nss_test {
+
 const uint8_t kTlsChangeCipherSpecType = 0x14;
+const uint8_t kTlsAlertType = 0x15;
 const uint8_t kTlsHandshakeType = 0x16;
 
+const uint8_t kTlsHandshakeClientHello = 0x01;
+const uint8_t kTlsHandshakeServerHello = 0x02;
 const uint8_t kTlsHandshakeCertificate = 0x0b;
 const uint8_t kTlsHandshakeServerKeyExchange = 0x0c;
 
+const uint8_t kTlsAlertWarning = 1;
+const uint8_t kTlsAlertFatal = 2;
+
+const uint8_t kTlsAlertHandshakeFailure = 0x28;
+const uint8_t kTlsAlertIllegalParameter = 0x2f;
+const uint8_t kTlsAlertDecodeError = 0x32;
+const uint8_t kTlsAlertUnsupportedExtension = 0x6e;
+const uint8_t kTlsAlertNoApplicationProtocol = 0x78;
+
 const uint8_t kTlsFakeChangeCipherSpec[] = {
     kTlsChangeCipherSpecType,        // Type
     0xfe,                     0xff,  // Version
     0x00,                     0x00, 0x00, 0x00,
     0x00,                     0x00, 0x00, 0x10,  // Fictitious sequence #
     0x00,                     0x01,              // Length
     0x01                                         // Value
 };
 
+inline bool IsDtls(uint16_t version) {
+  return (version & 0x8000) == 0x8000;
+}
+
+inline uint16_t NormalizeTlsVersion(uint16_t version) {
+  if (version == 0xfeff) {
+    return 0x0302; // special: DTLS 1.0 == TLS 1.1
+  }
+  if (IsDtls(version)) {
+    return (version ^ 0xffff) + 0x0201;
+  }
+  return version;
+}
+
+inline void WriteVariable(DataBuffer* target, size_t index,
+                          const DataBuffer& buf, size_t len_size) {
+  target->Write(index, static_cast<uint32_t>(buf.len()), len_size);
+  target->Write(index + len_size, buf.data(), buf.len());
+}
+
 class TlsParser {
  public:
-  TlsParser(const unsigned char *data, size_t len)
+  TlsParser(const uint8_t* data, size_t len)
       : buffer_(data, len), offset_(0) {}
-
-  bool Read(unsigned char *val);
-
-  // Read an integral type of specified width.
-  bool Read(uint32_t *val, size_t len) {
-    if (len > sizeof(uint32_t)) return false;
-
-    *val = 0;
+  explicit TlsParser(const DataBuffer& buf)
+      : buffer_(buf), offset_(0) {}
 
-    for (size_t i = 0; i < len; ++i) {
-      unsigned char tmp;
-
-      (*val) <<= 8;
-      if (!Read(&tmp)) return false;
+  bool Read(uint8_t* val);
+  // Read an integral type of specified width.
+  bool Read(uint32_t* val, size_t size);
+  // Reads len bytes into dest buffer, overwriting it.
+  bool Read(DataBuffer* dest, size_t len);
+  // Reads bytes into dest buffer, overwriting it.  The number of bytes is
+  // determined by reading from len_size bytes from the stream first.
+  bool ReadVariable(DataBuffer* dest, size_t len_size);
 
-      *val += tmp;
-    }
+  bool Skip(size_t len);
+  bool SkipVariable(size_t len_size);
 
-    return true;
-  }
-
-  bool Read(unsigned char *val, size_t len);
+  size_t consumed() const { return offset_; }
   size_t remaining() const { return buffer_.len() - offset_; }
 
  private:
   void consume(size_t len) { offset_ += len; }
-  const uint8_t *ptr() const { return buffer_.data() + offset_; }
+  const uint8_t* ptr() const { return buffer_.data() + offset_; }
 
   DataBuffer buffer_;
   size_t offset_;
 };
 
-class TlsRecordParser {
- public:
-  TlsRecordParser(const unsigned char *data, size_t len)
-      : buffer_(data, len), offset_(0) {}
-
-  bool NextRecord(uint8_t *ct, std::auto_ptr<DataBuffer> *buffer);
-
- private:
-  size_t remaining() const { return buffer_.len() - offset_; }
-  const uint8_t *ptr() const { return buffer_.data() + offset_; }
-  void consume(size_t len) { offset_ += len; }
-
-  DataBuffer buffer_;
-  size_t offset_;
-};
+} // namespace nss_test
 
 #endif
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1059,14 +1059,15 @@ CERT_AddExtensionByOID;
 CERT_GetGeneralNameTypeFromString;
 PK11_PubEncrypt;
 PK11_PrivDecrypt;
 ;+    local:
 ;+       *;
 ;+};
 ;+NSS_3.18 { 	# NSS 3.18 release
 ;+    global:
+__PK11_SetCertificateNickname;
 CERT_FindCertURLExtension;
 SEC_CheckCrlTimes;
 SEC_GetCrlTimes;
 ;+    local:
 ;+       *;
 ;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,22 +28,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   18
 #define NSS_VPATCH   0
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -2677,8 +2677,30 @@ PK11_GetAllSlotsForCert(CERTCertificate 
 	PK11_FreeSlotList(slotList);
 	PORT_SetError(SEC_ERROR_NO_TOKEN);
 	slotList = NULL;
     }
 
     nssCryptokiObjectArray_Destroy(instances);
     return slotList;
 }
+
+/*
+ * Using __PK11_SetCertificateNickname is *DANGEROUS*.
+ *
+ * The API will update the NSS database, but it *will NOT* update the in-memory data.
+ * As a result, after calling this API, there will be INCONSISTENCY between
+ * in-memory data and the database.
+ *
+ * Use of the API should be limited to short-lived tools, which will exit immediately
+ * after using this API.
+ *
+ * If you ignore this warning, your process is TAINTED and will most likely misbehave.
+ */
+SECStatus
+__PK11_SetCertificateNickname(CERTCertificate *cert, const char *nickname)
+{
+    /* Can't set nickname of temp cert. */
+    if (!cert->slot || cert->pkcs11ID == CK_INVALID_HANDLE) {
+        return SEC_ERROR_INVALID_ARGS;
+    }
+    return PK11_SetObjectNickname(cert->slot, cert->pkcs11ID, nickname);
+}
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -454,16 +454,31 @@ char * PK11_GetSymKeyNickname(PK11SymKey
 char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
 char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
 SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
 SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
 							const char *nickname);
 SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
 							const char *nickname);
 
+/*
+ * Using __PK11_SetCertificateNickname is *DANGEROUS*.
+ *
+ * The API will update the NSS database, but it *will NOT* update the in-memory data.
+ * As a result, after calling this API, there will be INCONSISTENCY between
+ * in-memory data and the database.
+ *
+ * Use of the API should be limited to short-lived tools, which will exit immediately
+ * after using this API.
+ *
+ * If you ignore this warning, your process is TAINTED and will most likely misbehave.
+ */
+SECStatus __PK11_SetCertificateNickname(CERTCertificate *cert,
+                                      const char *nickname);
+
 /* size to hold key in bytes */
 unsigned int PK11_GetKeyLength(PK11SymKey *key);
 /* size of actual secret parts of key in bits */
 /* algid is because RC4 strength is determined by the effective bits as well
  * as the key bits */
 unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
 SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
 SECItem * PK11_GetKeyData(PK11SymKey *symKey);
--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre
 	if(!arena) {
 	    PORT_Free(dest->data);
 	    dest->data = NULL;
 	    dest->len = 0;
 	}
 	return PR_FALSE;
     }
 
-    if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
+    if ((dest->len >= 2) &&
+	(dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
 	if(dest->len + 2 > 3 * src->len) {
 	    if(arena) {
 		dest->data = (unsigned char*)PORT_ArenaGrow(arena, 
 						     dest->data, dest->len,
 						     dest->len + 2);
 	    } else {
 		dest->data = (unsigned char*)PORT_Realloc(dest->data, 
 							  dest->len + 2);
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -432,27 +432,31 @@ nssTrustDomain_RemoveTokenCertsFromCache
 	return PR_FAILURE;
     }
     dtor.cache = td->cache;
     dtor.token = token;
     dtor.certs = certs;
     dtor.numCerts = 0;
     dtor.arrSize = arrSize;
     PZ_Lock(td->cache->lock);
-    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&dtor);
+    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
     for (i=0; i<dtor.numCerts; i++) {
 	if (dtor.certs[i]->object.numInstances == 0) {
 	    nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
 	    dtor.certs[i] = NULL;  /* skip this cert in the second for loop */
+	} else {
+	    /* make sure it doesn't disappear on us before we finish */
+	    nssCertificate_AddRef(dtor.certs[i]);
 	}
     }
     PZ_Unlock(td->cache->lock);
     for (i=0; i<dtor.numCerts; i++) {
 	if (dtor.certs[i]) {
 	    STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+	    nssCertificate_Destroy(dtor.certs[i]);
 	}
     }
     nss_ZFreeIf(dtor.certs);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssTrustDomain_UpdateCachedTokenCerts (
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.18" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.18" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   18
 #define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_TRUE
+#define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
     PR_FALSE    /* enableFallbackSCSV */
 };
 
 /*
  * default range of enabled SSL/TLS protocols
  */
 static SSLVersionRange versions_defaults_stream = {
     SSL_LIBRARY_VERSION_3_0,
-    SSL_LIBRARY_VERSION_TLS_1_0
+    SSL_LIBRARY_VERSION_TLS_1_2
 };
 
 static SSLVersionRange versions_defaults_datagram = {
     SSL_LIBRARY_VERSION_TLS_1_1,
-    SSL_LIBRARY_VERSION_TLS_1_1
+    SSL_LIBRARY_VERSION_TLS_1_2
 };
 
 #define VERSIONS_DEFAULTS(variant) \
     (variant == ssl_variant_stream ? &versions_defaults_stream : \
                                      &versions_defaults_datagram)
 
 sslSessionIDLookupFunc  ssl_sid_lookup;
 sslSessionIDCacheFunc   ssl_sid_cache;
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.18 Beta"
+#define NSSUTIL_VERSION  "3.18"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   18
 #define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
 
new file mode 100644
--- /dev/null
+++ b/security/patches/reverted-bug-1132496.patch
@@ -0,0 +1,1384 @@
+
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1424971034 -3600
+# Node ID 484e72583add151908d4e34ff9b2f811df719f54
+# Parent  483fbe78c2b2707a53185e63ab37d72af4883aa5
+Bug 1132496 - February 2015 batch of root CA changes, r=rrelyea
+
+diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
+--- a/lib/ckfw/builtins/certdata.txt
++++ b/lib/ckfw/builtins/certdata.txt
+@@ -182,19 +182,19 @@ CKA_ISSUER MULTILINE_OCTAL
+ \020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+ \170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+ \146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+ \146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\004\065\336\364\317
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
+ # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+ # Serial Number: 1407252 (0x157914)
+ # Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+ # Not Valid Before: Mon Feb 01 14:54:04 2010
+ # Not Valid After : Tue Sep 30 00:00:00 2014
+@@ -2452,19 +2452,19 @@ CKA_ISSUER MULTILINE_OCTAL
+ \170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
+ \053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
+ \123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
+ \165\163\151\156\145\163\163\040\103\101\055\061
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\001\001
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+ # Certificate "Equifax Secure eBusiness CA 1"
+ #
+ # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+ # Serial Number: 4 (0x4)
+ # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
+@@ -13169,19 +13169,19 @@ CKA_ISSUER MULTILINE_OCTAL
+ \103\145\156\164\145\162\040\103\154\141\163\163\040\063\040\103
+ \101\061\045\060\043\006\003\125\004\003\023\034\124\103\040\124
+ \162\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163
+ \040\063\040\103\101\040\111\111
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+ # Certificate "TC TrustCenter Universal CA I"
+ #
+ # Issuer: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+ # Serial Number:1d:a2:00:01:00:02:ec:b7:60:80:78:8d:b6:06
+ # Subject: CN=TC TrustCenter Universal CA I,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
+@@ -30315,8 +30315,1278 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
+ \005\256
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Staat der Nederlanden Root CA - G3"
++#
++# Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Serial Number: 10003001 (0x98a239)
++# Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Thu Nov 14 11:28:42 2013
++# Not Valid After : Mon Nov 13 23:00:00 2028
++# Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
++# Fingerprint (SHA1): D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G3"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\122\157\157\164\040\103\101\040\055\040\107\063
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\122\157\157\164\040\103\101\040\055\040\107\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\242\071
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\164\060\202\003\134\240\003\002\001\002\002\004\000
++\230\242\071\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
++\114\061\036\060\034\006\003\125\004\012\014\025\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\061\053\060\051\006\003\125\004\003\014\042\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\040\122\157\157\164\040\103\101\040\055\040\107\063\060\036
++\027\015\061\063\061\061\061\064\061\061\062\070\064\062\132\027
++\015\062\070\061\061\061\063\062\063\060\060\060\060\132\060\132
++\061\013\060\011\006\003\125\004\006\023\002\116\114\061\036\060
++\034\006\003\125\004\012\014\025\123\164\141\141\164\040\144\145
++\162\040\116\145\144\145\162\154\141\156\144\145\156\061\053\060
++\051\006\003\125\004\003\014\042\123\164\141\141\164\040\144\145
++\162\040\116\145\144\145\162\154\141\156\144\145\156\040\122\157
++\157\164\040\103\101\040\055\040\107\063\060\202\002\042\060\015
++\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
++\017\000\060\202\002\012\002\202\002\001\000\276\062\242\124\017
++\160\373\054\134\131\353\154\304\244\121\350\205\052\263\314\112
++\064\362\260\137\363\016\307\034\075\123\036\210\010\150\330\157
++\075\255\302\236\314\202\147\007\047\207\150\161\072\237\165\226
++\042\106\005\260\355\255\307\133\236\052\336\234\374\072\306\225
++\247\365\027\147\030\347\057\111\010\014\134\317\346\314\064\355
++\170\373\120\261\334\153\062\360\242\376\266\074\344\354\132\227
++\307\077\036\160\010\060\240\334\305\263\155\157\320\202\162\021
++\253\322\201\150\131\202\027\267\170\222\140\372\314\336\077\204
++\353\215\070\063\220\012\162\043\372\065\314\046\161\061\321\162
++\050\222\331\133\043\155\146\265\155\007\102\353\246\063\316\222
++\333\300\366\154\143\170\315\312\116\075\265\345\122\233\361\276
++\073\346\124\140\260\146\036\011\253\007\376\124\211\021\102\321
++\367\044\272\140\170\032\230\367\311\021\375\026\301\065\032\124
++\165\357\103\323\345\256\116\316\347\173\303\306\116\141\121\113
++\253\232\105\113\241\037\101\275\110\123\025\161\144\013\206\263
++\345\056\276\316\244\033\301\051\204\242\265\313\010\043\166\103
++\042\044\037\027\004\324\156\234\306\374\177\053\146\032\354\212
++\345\326\317\115\365\143\011\267\025\071\326\173\254\353\343\174
++\351\116\374\165\102\310\355\130\225\014\006\102\242\234\367\344
++\160\263\337\162\157\132\067\100\211\330\205\244\327\361\013\336
++\103\031\324\112\130\054\214\212\071\236\277\204\207\361\026\073
++\066\014\351\323\264\312\154\031\101\122\011\241\035\260\152\277
++\202\357\160\121\041\062\334\005\166\214\313\367\144\344\003\120
++\257\214\221\147\253\305\362\356\130\330\336\276\367\347\061\317
++\154\311\073\161\301\325\210\265\145\274\300\350\027\027\007\022
++\265\134\322\253\040\223\264\346\202\203\160\066\305\315\243\215
++\255\213\354\243\301\103\207\346\103\342\064\276\225\213\065\355
++\007\071\332\250\035\172\237\066\236\022\260\014\145\022\220\025
++\140\331\046\100\104\343\126\140\245\020\324\152\074\375\101\334
++\016\132\107\266\357\227\141\165\117\331\376\307\262\035\324\355
++\135\111\263\251\152\313\146\204\023\325\134\240\334\337\156\167
++\006\321\161\165\310\127\157\257\017\167\133\002\003\001\000\001
++\243\102\060\100\060\017\006\003\125\035\023\001\001\377\004\005
++\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
++\004\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024
++\124\255\372\307\222\127\256\312\065\234\056\022\373\344\272\135
++\040\334\224\127\060\015\006\011\052\206\110\206\367\015\001\001
++\013\005\000\003\202\002\001\000\060\231\235\005\062\310\136\016
++\073\230\001\072\212\244\347\007\367\172\370\347\232\337\120\103
++\123\227\052\075\312\074\107\230\056\341\025\173\361\222\363\141
++\332\220\045\026\145\300\237\124\135\016\003\073\133\167\002\234
++\204\266\015\230\137\064\335\073\143\302\303\050\201\302\234\051
++\056\051\342\310\303\001\362\063\352\052\252\314\011\010\367\145
++\147\306\315\337\323\266\053\247\275\314\321\016\160\137\270\043
++\321\313\221\116\012\364\310\172\345\331\143\066\301\324\337\374
++\042\227\367\140\135\352\051\057\130\262\275\130\275\215\226\117
++\020\165\277\110\173\075\121\207\241\074\164\042\302\374\007\177
++\200\334\304\254\376\152\301\160\060\260\351\216\151\342\054\151
++\201\224\011\272\335\376\115\300\203\214\224\130\300\106\040\257
++\234\037\002\370\065\125\111\057\106\324\300\360\240\226\002\017
++\063\305\161\363\236\043\175\224\267\375\072\323\011\203\006\041
++\375\140\075\256\062\300\322\356\215\246\360\347\264\202\174\012
++\314\160\311\171\200\370\376\114\367\065\204\031\212\061\373\012
++\331\327\177\233\360\242\232\153\303\005\112\355\101\140\024\060
++\321\252\021\102\156\323\043\002\004\013\306\145\335\335\122\167
++\332\201\153\262\250\372\001\070\271\226\352\052\154\147\227\211
++\224\236\274\341\124\325\344\152\170\357\112\275\053\232\075\100
++\176\306\300\165\322\156\373\150\060\354\354\213\235\371\111\065
++\232\032\054\331\263\225\071\325\036\222\367\246\271\145\057\345
++\075\155\072\110\114\010\334\344\050\022\050\276\175\065\134\352
++\340\026\176\023\033\152\327\076\327\236\374\055\165\262\301\024
++\325\043\003\333\133\157\013\076\170\057\015\336\063\215\026\267
++\110\347\203\232\201\017\173\301\103\115\125\004\027\070\112\121
++\325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
++\157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
++\321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
++\100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
++\307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
++\254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
++\367\200\173\041\147\047\060\131
++END
++
++# Trust for "Staat der Nederlanden Root CA - G3"
++# Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Serial Number: 10003001 (0x98a239)
++# Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Thu Nov 14 11:28:42 2013
++# Not Valid After : Mon Nov 13 23:00:00 2028
++# Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
++# Fingerprint (SHA1): D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden Root CA - G3"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\330\353\153\101\121\222\131\340\363\347\205\000\300\075\266\210
++\227\311\356\374
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\013\106\147\007\333\020\057\031\214\065\120\140\321\013\364\067
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\053\060\051\006\003\125\004\003\014\042\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\122\157\157\164\040\103\101\040\055\040\107\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\242\071
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Staat der Nederlanden EV Root CA"
++#
++# Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000013 (0x98968d)
++# Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Wed Dec 08 11:19:29 2010
++# Not Valid After : Thu Dec 08 11:10:28 2022
++# Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
++# Fingerprint (SHA1): 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\105\126\040\122\157\157\164\040\103\101
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\105\126\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\226\215
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\160\060\202\003\130\240\003\002\001\002\002\004\000
++\230\226\215\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\130\061\013\060\011\006\003\125\004\006\023\002\116
++\114\061\036\060\034\006\003\125\004\012\014\025\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\061\051\060\047\006\003\125\004\003\014\040\123\164\141\141
++\164\040\144\145\162\040\116\145\144\145\162\154\141\156\144\145
++\156\040\105\126\040\122\157\157\164\040\103\101\060\036\027\015
++\061\060\061\062\060\070\061\061\061\071\062\071\132\027\015\062
++\062\061\062\060\070\061\061\061\060\062\070\132\060\130\061\013
++\060\011\006\003\125\004\006\023\002\116\114\061\036\060\034\006
++\003\125\004\012\014\025\123\164\141\141\164\040\144\145\162\040
++\116\145\144\145\162\154\141\156\144\145\156\061\051\060\047\006
++\003\125\004\003\014\040\123\164\141\141\164\040\144\145\162\040
++\116\145\144\145\162\154\141\156\144\145\156\040\105\126\040\122
++\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052\206
++\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
++\002\012\002\202\002\001\000\343\307\176\211\371\044\113\072\322
++\063\203\065\054\151\354\334\011\244\343\121\250\045\053\171\270
++\010\075\340\221\272\204\205\306\205\244\312\346\311\056\123\244
++\311\044\036\375\125\146\161\135\054\305\140\150\004\267\331\302
++\122\046\070\210\244\326\073\100\246\302\315\077\315\230\223\263
++\124\024\130\226\125\325\120\376\206\255\244\143\177\134\207\366
++\216\346\047\222\147\027\222\002\003\054\334\326\146\164\355\335
++\147\377\301\141\215\143\117\017\233\155\027\060\046\357\253\322
++\037\020\240\371\305\177\026\151\201\003\107\355\036\150\215\162
++\241\115\262\046\306\272\154\137\155\326\257\321\261\023\216\251
++\255\363\136\151\165\046\030\076\101\053\041\177\356\213\135\007
++\006\235\103\304\051\012\053\374\052\076\206\313\074\203\072\371
++\311\015\332\305\231\342\274\170\101\063\166\341\277\057\135\345
++\244\230\120\014\025\335\340\372\234\177\070\150\320\262\246\172
++\247\321\061\275\176\212\130\047\103\263\272\063\221\323\247\230
++\025\134\232\346\323\017\165\331\374\101\230\227\076\252\045\333
++\217\222\056\260\173\014\137\361\143\251\067\371\233\165\151\114
++\050\046\045\332\325\362\022\160\105\125\343\337\163\136\067\365
++\041\154\220\216\065\132\311\323\043\353\323\300\276\170\254\102
++\050\130\146\245\106\155\160\002\327\020\371\113\124\374\135\206
++\112\207\317\177\312\105\254\021\132\265\040\121\215\057\210\107
++\227\071\300\317\272\300\102\001\100\231\110\041\013\153\247\322
++\375\226\325\321\276\106\235\111\340\013\246\240\042\116\070\320
++\301\074\060\274\160\217\054\165\314\320\305\214\121\073\075\224
++\010\144\046\141\175\271\303\145\217\024\234\041\320\252\375\027
++\162\003\217\275\233\214\346\136\123\236\271\235\357\202\273\341
++\274\342\162\101\133\041\224\323\105\067\224\321\337\011\071\135
++\347\043\252\232\035\312\155\250\012\206\205\212\202\276\102\007
++\326\362\070\202\163\332\207\133\345\074\323\236\076\247\073\236
++\364\003\263\371\361\175\023\164\002\377\273\241\345\372\000\171
++\034\246\146\101\210\134\140\127\246\056\011\304\272\375\232\317
++\247\037\100\303\273\314\132\012\125\113\073\070\166\121\270\143
++\213\204\224\026\346\126\363\002\003\001\000\001\243\102\060\100
++\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
++\377\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
++\006\060\035\006\003\125\035\016\004\026\004\024\376\253\000\220
++\230\236\044\374\251\314\032\212\373\047\270\277\060\156\250\073
++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
++\202\002\001\000\317\167\054\156\126\276\116\263\266\204\000\224
++\253\107\311\015\322\166\307\206\237\035\007\323\266\264\273\010
++\170\257\151\322\013\111\336\063\305\254\255\302\210\002\175\006
++\267\065\002\301\140\311\277\304\350\224\336\324\323\251\023\045
++\132\376\156\242\256\175\005\334\175\363\154\360\176\246\215\356
++\331\327\316\130\027\350\251\051\256\163\110\207\347\233\312\156
++\051\241\144\137\031\023\367\256\006\020\377\121\306\233\115\125
++\045\117\223\231\020\001\123\165\361\023\316\307\246\101\101\322
++\277\210\245\177\105\374\254\270\245\265\063\014\202\304\373\007
++\366\152\345\045\204\137\006\312\301\206\071\021\333\130\315\167
++\073\054\302\114\017\136\232\343\360\253\076\141\033\120\044\302
++\300\364\361\031\360\021\051\266\245\030\002\233\327\143\114\160
++\214\107\243\003\103\134\271\135\106\240\015\157\377\131\216\276
++\335\237\162\303\133\053\337\214\133\316\345\014\106\154\222\262
++\012\243\114\124\102\030\025\022\030\275\332\374\272\164\156\377
++\301\266\240\144\330\251\137\125\256\237\134\152\166\226\330\163
++\147\207\373\115\177\134\356\151\312\163\020\373\212\251\375\236
++\275\066\070\111\111\207\364\016\024\360\351\207\270\077\247\117
++\172\132\216\171\324\223\344\273\150\122\204\254\154\351\363\230
++\160\125\162\062\371\064\253\053\111\265\315\040\142\344\072\172
++\147\143\253\226\334\155\256\227\354\374\237\166\126\210\056\146
++\317\133\266\311\244\260\327\005\272\341\047\057\223\273\046\052
++\242\223\260\033\363\216\276\035\100\243\271\066\217\076\202\032
++\032\136\210\352\120\370\131\342\203\106\051\013\343\104\134\341
++\225\266\151\220\232\024\157\227\256\201\317\150\357\231\232\276
++\265\347\341\177\370\372\023\107\026\114\314\155\010\100\347\213
++\170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
++\040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
++\136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
++\025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
++\342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
++\220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
++\356\354\327\056
++END
++
++# Trust for "Staat der Nederlanden EV Root CA"
++# Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Serial Number: 10000013 (0x98968d)
++# Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
++# Not Valid Before: Wed Dec 08 11:19:29 2010
++# Not Valid After : Thu Dec 08 11:10:28 2022
++# Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
++# Fingerprint (SHA1): 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Staat der Nederlanden EV Root CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\166\342\176\301\117\333\202\301\300\246\165\265\005\276\075\051
++\264\355\333\273
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\374\006\257\173\350\032\361\232\264\350\322\160\037\300\365\272
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\130\061\013\060\011\006\003\125\004\006\023\002\116\114\061
++\036\060\034\006\003\125\004\012\014\025\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\061
++\051\060\047\006\003\125\004\003\014\040\123\164\141\141\164\040
++\144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
++\105\126\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\000\230\226\215
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "IdenTrust Commercial Root CA 1"
++#
++# Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
++# Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 18:12:23 2014
++# Not Valid After : Mon Jan 16 18:12:23 2034
++# Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
++# Fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
++\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
++\141\154\040\122\157\157\164\040\103\101\040\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
++\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
++\141\154\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\310\104\265\000\000
++\000\002
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\140\060\202\003\110\240\003\002\001\002\002\020\012
++\001\102\200\000\000\001\105\043\310\104\265\000\000\000\002\060
++\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\112
++\061\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060
++\020\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163
++\164\061\047\060\045\006\003\125\004\003\023\036\111\144\145\156
++\124\162\165\163\164\040\103\157\155\155\145\162\143\151\141\154
++\040\122\157\157\164\040\103\101\040\061\060\036\027\015\061\064
++\060\061\061\066\061\070\061\062\062\063\132\027\015\063\064\060
++\061\061\066\061\070\061\062\062\063\132\060\112\061\013\060\011
++\006\003\125\004\006\023\002\125\123\061\022\060\020\006\003\125
++\004\012\023\011\111\144\145\156\124\162\165\163\164\061\047\060
++\045\006\003\125\004\003\023\036\111\144\145\156\124\162\165\163
++\164\040\103\157\155\155\145\162\143\151\141\154\040\122\157\157
++\164\040\103\101\040\061\060\202\002\042\060\015\006\011\052\206
++\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
++\002\012\002\202\002\001\000\247\120\031\336\077\231\075\324\063
++\106\361\157\121\141\202\262\251\117\217\147\211\135\204\331\123
++\335\014\050\331\327\360\377\256\225\103\162\231\371\265\135\174
++\212\301\102\341\061\120\164\321\201\015\174\315\233\041\253\103
++\342\254\255\136\206\156\363\011\212\037\132\062\275\242\353\224
++\371\350\134\012\354\377\230\322\257\161\263\264\123\237\116\207
++\357\222\274\275\354\117\062\060\210\113\027\136\127\304\123\302
++\366\002\227\215\331\142\053\277\044\037\142\215\337\303\270\051
++\113\111\170\074\223\140\210\042\374\231\332\066\310\302\242\324
++\054\124\000\147\065\156\163\277\002\130\360\244\335\345\260\242
++\046\172\312\340\066\245\031\026\365\375\267\357\256\077\100\365
++\155\132\004\375\316\064\312\044\334\164\043\033\135\063\023\022
++\135\304\001\045\366\060\335\002\135\237\340\325\107\275\264\353
++\033\241\273\111\111\330\237\133\002\363\212\344\044\220\344\142
++\117\117\301\257\213\016\164\027\250\321\162\210\152\172\001\111
++\314\264\106\171\306\027\261\332\230\036\007\131\372\165\041\205
++\145\335\220\126\316\373\253\245\140\235\304\235\371\122\260\213
++\275\207\371\217\053\043\012\043\166\073\367\063\341\311\000\363
++\151\371\113\242\340\116\274\176\223\071\204\007\367\104\160\176
++\376\007\132\345\261\254\321\030\314\362\065\345\111\111\010\312
++\126\311\075\373\017\030\175\213\073\301\023\302\115\217\311\117
++\016\067\351\037\241\016\152\337\142\056\313\065\006\121\171\054
++\310\045\070\364\372\113\247\211\134\234\322\343\015\071\206\112
++\164\174\325\131\207\302\077\116\014\134\122\364\075\367\122\202
++\361\352\243\254\375\111\064\032\050\363\101\210\072\023\356\350
++\336\377\231\035\137\272\313\350\036\362\271\120\140\300\061\323
++\163\345\357\276\240\355\063\013\164\276\040\040\304\147\154\360
++\010\003\172\125\200\177\106\116\226\247\364\036\076\341\366\330
++\011\341\063\144\053\143\327\062\136\237\371\300\173\017\170\157
++\227\274\223\232\371\234\022\220\170\172\200\207\025\327\162\164
++\234\125\164\170\261\272\341\156\160\004\272\117\240\272\150\303
++\173\377\061\360\163\075\075\224\052\261\013\101\016\240\376\115
++\210\145\153\171\063\264\327\002\003\001\000\001\243\102\060\100
++\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
++\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
++\377\060\035\006\003\125\035\016\004\026\004\024\355\104\031\300
++\323\360\006\213\356\244\173\276\102\347\046\124\310\216\066\166
++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
++\202\002\001\000\015\256\220\062\366\246\113\174\104\166\031\141
++\036\047\050\315\136\124\357\045\274\343\010\220\371\051\327\256
++\150\010\341\224\000\130\357\056\056\176\123\122\214\266\134\007
++\352\210\272\231\213\120\224\327\202\200\337\141\011\000\223\255
++\015\024\346\316\301\362\067\224\170\260\137\234\263\242\163\270
++\217\005\223\070\315\215\076\260\270\373\300\317\261\362\354\055
++\055\033\314\354\252\232\263\252\140\202\033\055\073\303\204\075
++\127\212\226\036\234\165\270\323\060\315\140\010\203\220\323\216
++\124\361\115\146\300\135\164\003\100\243\356\205\176\302\037\167
++\234\006\350\301\247\030\135\122\225\355\311\335\045\236\155\372
++\251\355\243\072\064\320\131\173\332\355\120\363\065\277\355\353
++\024\115\061\307\140\364\332\361\207\234\342\110\342\306\305\067
++\373\006\020\372\165\131\146\061\107\051\332\166\232\034\351\202
++\256\357\232\271\121\367\210\043\232\151\225\142\074\345\125\200
++\066\327\124\002\377\361\271\135\316\324\043\157\330\105\204\112
++\133\145\357\211\014\335\024\247\040\313\030\245\045\264\015\371
++\001\360\242\322\364\000\310\164\216\241\052\110\216\145\333\023
++\304\342\045\027\175\353\276\207\133\027\040\124\121\223\112\123
++\003\013\354\135\312\063\355\142\375\105\307\057\133\334\130\240
++\200\071\346\372\327\376\023\024\246\355\075\224\112\102\164\324
++\303\167\131\163\315\217\106\276\125\070\357\372\350\221\062\352
++\227\130\004\042\336\070\303\314\274\155\311\063\072\152\012\151
++\077\240\310\352\162\217\214\143\206\043\275\155\074\226\236\225
++\340\111\114\252\242\271\052\033\234\066\201\170\355\303\350\106
++\342\046\131\104\165\036\331\165\211\121\315\020\204\235\141\140
++\313\135\371\227\042\115\216\230\346\343\177\366\133\273\256\315
++\312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
++\231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
++\153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
++\237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
++\357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
++\037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
++\272\204\156\207
++END
++
++# Trust for "IdenTrust Commercial Root CA 1"
++# Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
++# Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 18:12:23 2014
++# Not Valid After : Mon Jan 16 18:12:23 2034
++# Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
++# Fingerprint (SHA1): DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Commercial Root CA 1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\337\161\176\252\112\331\116\311\125\204\231\140\055\110\336\137
++\274\360\072\045
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\263\076\167\163\165\356\240\323\343\176\111\143\111\131\273\307
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\112\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\047\060\045\006\003\125\004\003\023\036\111\144
++\145\156\124\162\165\163\164\040\103\157\155\155\145\162\143\151
++\141\154\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\310\104\265\000\000
++\000\002
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "IdenTrust Public Sector Root CA 1"
++#
++# Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
++# Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 17:53:32 2014
++# Not Valid After : Mon Jan 16 17:53:32 2034
++# Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
++# Fingerprint (SHA1): BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
++\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
++\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
++\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
++\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\317\106\174\000\000
++\000\002
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\146\060\202\003\116\240\003\002\001\002\002\020\012
++\001\102\200\000\000\001\105\043\317\106\174\000\000\000\002\060
++\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\115
++\061\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060
++\020\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163
++\164\061\052\060\050\006\003\125\004\003\023\041\111\144\145\156
++\124\162\165\163\164\040\120\165\142\154\151\143\040\123\145\143
++\164\157\162\040\122\157\157\164\040\103\101\040\061\060\036\027
++\015\061\064\060\061\061\066\061\067\065\063\063\062\132\027\015
++\063\064\060\061\061\066\061\067\065\063\063\062\132\060\115\061
++\013\060\011\006\003\125\004\006\023\002\125\123\061\022\060\020
++\006\003\125\004\012\023\011\111\144\145\156\124\162\165\163\164
++\061\052\060\050\006\003\125\004\003\023\041\111\144\145\156\124
++\162\165\163\164\040\120\165\142\154\151\143\040\123\145\143\164
++\157\162\040\122\157\157\164\040\103\101\040\061\060\202\002\042
++\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
++\202\002\017\000\060\202\002\012\002\202\002\001\000\266\042\224
++\374\244\110\257\350\107\153\012\373\047\166\344\362\077\212\073
++\172\112\054\061\052\214\215\260\251\303\061\153\250\167\166\204
++\046\266\254\201\102\015\010\353\125\130\273\172\370\274\145\175
++\362\240\155\213\250\107\351\142\166\036\021\356\010\024\321\262
++\104\026\364\352\320\372\036\057\136\333\313\163\101\256\274\000
++\260\112\053\100\262\254\341\073\113\302\055\235\344\241\233\354
++\032\072\036\360\010\263\320\344\044\065\007\237\234\264\311\122
++\155\333\007\312\217\265\133\360\203\363\117\307\055\245\310\255
++\313\225\040\244\061\050\127\130\132\344\215\033\232\253\236\015
++\014\362\012\063\071\042\071\012\227\056\363\123\167\271\104\105
++\375\204\313\066\040\201\131\055\232\157\155\110\110\141\312\114
++\337\123\321\257\122\274\104\237\253\057\153\203\162\357\165\200
++\332\006\063\033\135\310\332\143\306\115\315\254\146\061\315\321
++\336\076\207\020\066\341\271\244\172\357\140\120\262\313\312\246
++\126\340\067\257\253\064\023\071\045\350\071\146\344\230\172\252
++\022\230\234\131\146\206\076\255\361\260\312\076\006\017\173\360
++\021\113\067\240\104\155\173\313\250\214\161\364\325\265\221\066
++\314\360\025\306\053\336\121\027\261\227\114\120\075\261\225\131
++\174\005\175\055\041\325\000\277\001\147\242\136\173\246\134\362
++\367\042\361\220\015\223\333\252\104\121\146\314\175\166\003\353
++\152\250\052\070\031\227\166\015\153\212\141\371\274\366\356\166
++\375\160\053\335\051\074\370\012\036\133\102\034\213\126\057\125
++\033\034\241\056\265\307\026\346\370\252\074\222\216\151\266\001
++\301\265\206\235\211\017\013\070\224\124\350\352\334\236\075\045
++\274\123\046\355\325\253\071\252\305\100\114\124\253\262\264\331
++\331\370\327\162\333\034\274\155\275\145\137\357\210\065\052\146
++\057\356\366\263\145\360\063\215\174\230\101\151\106\017\103\034
++\151\372\233\265\320\141\152\315\312\113\331\114\220\106\253\025
++\131\241\107\124\051\056\203\050\137\034\302\242\253\162\027\000
++\006\216\105\354\213\342\063\075\177\332\031\104\344\142\162\303
++\337\042\306\362\126\324\335\137\225\162\355\155\137\367\110\003
++\133\375\305\052\240\366\163\043\204\020\033\001\347\002\003\001
++\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
++\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
++\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
++\004\024\343\161\340\236\330\247\102\331\333\161\221\153\224\223
++\353\303\243\321\024\243\060\015\006\011\052\206\110\206\367\015
++\001\001\013\005\000\003\202\002\001\000\107\372\335\012\260\021
++\221\070\255\115\135\367\345\016\227\124\031\202\110\207\124\214
++\252\144\231\330\132\376\210\001\305\130\245\231\261\043\124\043
++\267\152\035\040\127\345\001\142\101\027\323\011\333\165\313\156
++\124\220\165\376\032\237\201\012\302\335\327\367\011\320\133\162
++\025\344\036\011\152\075\063\363\041\232\346\025\176\255\121\325
++\015\020\355\175\102\300\217\356\300\232\010\325\101\326\134\016
++\041\151\156\200\141\016\025\300\270\317\305\111\022\122\314\276
++\072\314\324\056\070\005\336\065\375\037\157\270\200\150\230\075
++\115\240\312\100\145\322\163\174\365\213\331\012\225\077\330\077
++\043\155\032\321\052\044\031\331\205\263\027\357\170\156\251\130
++\321\043\323\307\023\355\162\045\177\135\261\163\160\320\177\006
++\227\011\204\051\200\141\035\372\136\377\163\254\240\343\211\270
++\034\161\025\306\336\061\177\022\334\341\155\233\257\347\350\237
++\165\170\114\253\106\073\232\316\277\005\030\135\115\025\074\026
++\232\031\120\004\232\262\232\157\145\213\122\137\074\130\004\050
++\045\300\146\141\061\176\271\340\165\271\032\250\201\326\162\027
++\263\305\003\061\065\021\170\170\242\340\351\060\214\177\200\337
++\130\337\074\272\047\226\342\200\064\155\343\230\323\144\047\254
++\110\176\050\167\134\306\045\141\045\370\205\014\145\372\304\062
++\057\245\230\005\344\370\013\147\026\026\306\202\270\062\031\371
++\371\271\171\334\037\315\353\257\253\016\335\033\333\105\344\172
++\347\002\342\225\135\374\151\360\123\151\141\225\165\171\013\136
++\125\346\070\034\224\251\131\063\236\310\161\164\171\177\121\211
++\266\310\152\270\060\310\152\070\303\156\236\341\067\026\352\005
++\142\114\133\022\107\355\247\264\263\130\126\307\111\363\177\022
++\150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100
++\031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144
++\164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220
++\216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357
++\361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162
++\113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245
++\267\254\266\255\267\312\076\001\357\234
++END
++
++# Trust for "IdenTrust Public Sector Root CA 1"
++# Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
++# Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
++# Not Valid Before: Thu Jan 16 17:53:32 2014
++# Not Valid After : Mon Jan 16 17:53:32 2034
++# Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
++# Fingerprint (SHA1): BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "IdenTrust Public Sector Root CA 1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\272\051\101\140\167\230\077\364\363\357\362\061\005\073\056\352
++\155\115\105\375
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\067\006\245\260\374\211\235\272\364\153\214\032\144\315\325\272
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
++\022\060\020\006\003\125\004\012\023\011\111\144\145\156\124\162
++\165\163\164\061\052\060\050\006\003\125\004\003\023\041\111\144
++\145\156\124\162\165\163\164\040\120\165\142\154\151\143\040\123
++\145\143\164\157\162\040\122\157\157\164\040\103\101\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\012\001\102\200\000\000\001\105\043\317\106\174\000\000
++\000\002
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "S-TRUST Universal Root CA"
++#
++# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
++# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Not Valid Before: Tue Oct 22 00:00:00 2013
++# Not Valid After : Thu Oct 21 23:59:59 2038
++# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
++# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "S-TRUST Universal Root CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
++\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
++\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
++\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
++\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
++\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
++\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
++\040\122\157\157\164\040\103\101
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
++\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
++\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
++\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
++\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
++\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
++\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
++\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
++\036\036
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\003\330\060\202\002\300\240\003\002\001\002\002\020\140
++\126\305\113\043\100\133\144\324\355\045\332\331\326\036\036\060
++\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201
++\205\061\013\060\011\006\003\125\004\006\023\002\104\105\061\051
++\060\047\006\003\125\004\012\023\040\104\145\165\164\163\143\150
++\145\162\040\123\160\141\162\153\141\163\163\145\156\040\126\145
++\162\154\141\147\040\107\155\142\110\061\047\060\045\006\003\125
++\004\013\023\036\123\055\124\122\125\123\124\040\103\145\162\164
++\151\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143
++\145\163\061\042\060\040\006\003\125\004\003\023\031\123\055\124
++\122\125\123\124\040\125\156\151\166\145\162\163\141\154\040\122
++\157\157\164\040\103\101\060\036\027\015\061\063\061\060\062\062
++\060\060\060\060\060\060\132\027\015\063\070\061\060\062\061\062
++\063\065\071\065\071\132\060\201\205\061\013\060\011\006\003\125
++\004\006\023\002\104\105\061\051\060\047\006\003\125\004\012\023
++\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
++\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
++\110\061\047\060\045\006\003\125\004\013\023\036\123\055\124\122
++\125\123\124\040\103\145\162\164\151\146\151\143\141\164\151\157
++\156\040\123\145\162\166\151\143\145\163\061\042\060\040\006\003
++\125\004\003\023\031\123\055\124\122\125\123\124\040\125\156\151
++\166\145\162\163\141\154\040\122\157\157\164\040\103\101\060\202
++\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
++\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\250
++\343\013\337\021\067\205\202\232\265\154\146\174\141\077\300\107
++\032\035\106\343\260\125\144\345\270\202\071\050\007\176\027\377
++\364\233\212\360\221\201\352\070\077\041\170\154\110\354\153\057
++\242\323\212\162\262\247\327\331\352\177\264\300\111\153\060\045
++\211\214\353\267\325\100\141\230\342\334\074\040\222\315\145\112
++\162\237\032\216\214\372\045\025\277\363\041\203\050\015\213\257
++\131\021\202\103\134\233\115\045\121\177\130\030\143\140\073\263
++\265\212\213\130\143\067\110\110\220\104\302\100\335\135\367\103
++\151\051\230\134\022\145\136\253\220\222\113\146\337\325\165\022
++\123\124\030\246\336\212\326\273\127\003\071\131\231\030\005\014
++\371\375\025\306\220\144\106\027\202\327\302\112\101\075\375\000
++\276\127\162\030\224\167\033\123\132\211\001\366\063\162\016\223
++\072\334\350\036\375\005\005\326\274\163\340\210\334\253\117\354
++\265\030\206\117\171\204\016\110\052\146\052\335\062\310\170\145
++\310\013\235\130\001\005\161\355\201\365\150\027\156\313\015\264
++\113\330\241\354\256\070\353\034\130\057\241\145\003\064\057\002
++\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023\001
++\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017
++\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016
++\004\026\004\024\232\175\327\353\353\177\124\230\105\051\264\040
++\253\155\013\226\043\031\244\302\060\015\006\011\052\206\110\206
++\367\015\001\001\013\005\000\003\202\001\001\000\116\226\022\333
++\176\167\136\222\047\236\041\027\030\202\166\330\077\274\245\011
++\004\146\210\211\255\333\125\263\063\152\306\145\304\217\115\363
++\062\066\334\171\004\226\251\167\062\321\227\365\030\153\214\272
++\355\316\021\320\104\307\222\361\264\104\216\355\210\122\110\236
++\325\375\131\370\243\036\121\373\001\122\345\137\345\172\335\252
++\044\117\042\213\335\166\106\366\245\240\017\065\330\312\017\230
++\271\060\135\040\157\302\201\036\275\275\300\376\025\323\070\052
++\011\223\230\047\033\223\173\320\053\064\136\150\245\025\117\321
++\122\303\240\312\240\203\105\035\365\365\267\131\163\135\131\001
++\217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
++\043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
++\367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
++\032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
++\054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
++\052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
++\073\303\035\374\377\262\117\250\342\366\060\036
++END
++
++# Trust for "S-TRUST Universal Root CA"
++# Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
++# Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
++# Not Valid Before: Tue Oct 22 00:00:00 2013
++# Not Valid After : Thu Oct 21 23:59:59 2038
++# Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
++# Fingerprint (SHA1): 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "S-TRUST Universal Root CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\033\075\021\024\352\172\017\225\130\124\101\225\277\153\045\202
++\253\100\316\232
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\130\366\101\001\256\365\133\121\231\116\134\041\350\117\324\146
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\205\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\051\060\047\006\003\125\004\012\023\040\104\145\165\164\163
++\143\150\145\162\040\123\160\141\162\153\141\163\163\145\156\040
++\126\145\162\154\141\147\040\107\155\142\110\061\047\060\045\006
++\003\125\004\013\023\036\123\055\124\122\125\123\124\040\103\145
++\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162\166
++\151\143\145\163\061\042\060\040\006\003\125\004\003\023\031\123
++\055\124\122\125\123\124\040\125\156\151\166\145\162\163\141\154
++\040\122\157\157\164\040\103\101
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\020\140\126\305\113\043\100\133\144\324\355\045\332\331\326
++\036\036
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Entrust Root Certification Authority - G2"
++#
++# Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number: 1246989352 (0x4a538c28)
++# Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Jul 07 17:25:54 2009
++# Not Valid After : Sat Dec 07 17:55:54 2030
++# Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
++# Fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - G2"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\060\071\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\062\060
++\060\006\003\125\004\003\023\051\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
++\062
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\060\071\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\062\060
++\060\006\003\125\004\003\023\051\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
++\062
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\112\123\214\050
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\076\060\202\003\046\240\003\002\001\002\002\004\112
++\123\214\050\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\201\276\061\013\060\011\006\003\125\004\006\023\002
++\125\123\061\026\060\024\006\003\125\004\012\023\015\105\156\164
++\162\165\163\164\054\040\111\156\143\056\061\050\060\046\006\003
++\125\004\013\023\037\123\145\145\040\167\167\167\056\145\156\164
++\162\165\163\164\056\156\145\164\057\154\145\147\141\154\055\164
++\145\162\155\163\061\071\060\067\006\003\125\004\013\023\060\050
++\143\051\040\062\060\060\071\040\105\156\164\162\165\163\164\054
++\040\111\156\143\056\040\055\040\146\157\162\040\141\165\164\150
++\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171\061
++\062\060\060\006\003\125\004\003\023\051\105\156\164\162\165\163
++\164\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
++\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055
++\040\107\062\060\036\027\015\060\071\060\067\060\067\061\067\062
++\065\065\064\132\027\015\063\060\061\062\060\067\061\067\065\065
++\065\064\132\060\201\276\061\013\060\011\006\003\125\004\006\023
++\002\125\123\061\026\060\024\006\003\125\004\012\023\015\105\156
++\164\162\165\163\164\054\040\111\156\143\056\061\050\060\046\006
++\003\125\004\013\023\037\123\145\145\040\167\167\167\056\145\156
++\164\162\165\163\164\056\156\145\164\057\154\145\147\141\154\055
++\164\145\162\155\163\061\071\060\067\006\003\125\004\013\023\060
++\050\143\051\040\062\060\060\071\040\105\156\164\162\165\163\164
++\054\040\111\156\143\056\040\055\040\146\157\162\040\141\165\164
++\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
++\061\062\060\060\006\003\125\004\003\023\051\105\156\164\162\165
++\163\164\040\122\157\157\164\040\103\145\162\164\151\146\151\143
++\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
++\055\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206
++\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
++\002\202\001\001\000\272\204\266\162\333\236\014\153\342\231\351
++\060\001\247\166\352\062\270\225\101\032\311\332\141\116\130\162
++\317\376\366\202\171\277\163\141\006\012\245\047\330\263\137\323
++\105\116\034\162\326\116\062\362\162\212\017\367\203\031\320\152
++\200\200\000\105\036\260\307\347\232\277\022\127\047\034\243\150
++\057\012\207\275\152\153\016\136\145\363\034\167\325\324\205\215
++\160\041\264\263\062\347\213\242\325\206\071\002\261\270\322\107
++\316\344\311\111\304\073\247\336\373\124\175\127\276\360\350\156
++\302\171\262\072\013\125\342\120\230\026\062\023\134\057\170\126
++\301\302\224\263\362\132\344\047\232\237\044\327\306\354\320\233
++\045\202\343\314\302\304\105\305\214\227\172\006\153\052\021\237
++\251\012\156\110\073\157\333\324\021\031\102\367\217\007\277\365
++\123\137\234\076\364\027\054\346\151\254\116\062\114\142\167\352
++\267\350\345\273\064\274\031\213\256\234\121\347\267\176\265\123
++\261\063\042\345\155\317\160\074\032\372\342\233\147\266\203\364
++\215\245\257\142\114\115\340\130\254\144\064\022\003\370\266\215
++\224\143\044\244\161\002\003\001\000\001\243\102\060\100\060\016
++\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
++\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
++\035\006\003\125\035\016\004\026\004\024\152\162\046\172\320\036
++\357\175\347\073\151\121\324\154\215\237\220\022\146\253\060\015
++\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001
++\001\000\171\237\035\226\306\266\171\077\042\215\207\323\207\003
++\004\140\152\153\232\056\131\211\163\021\254\103\321\365\023\377
++\215\071\053\300\362\275\117\160\214\251\057\352\027\304\013\124
++\236\324\033\226\230\063\074\250\255\142\242\000\166\253\131\151
++\156\006\035\176\304\271\104\215\230\257\022\324\141\333\012\031
++\106\107\363\353\367\143\301\100\005\100\245\322\267\364\265\232
++\066\277\251\210\166\210\004\125\004\053\234\207\177\032\067\074
++\176\055\245\032\330\324\211\136\312\275\254\075\154\330\155\257
++\325\363\166\017\315\073\210\070\042\235\154\223\232\304\075\277
++\202\033\145\077\246\017\135\252\374\345\262\025\312\265\255\306
++\274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021
++\234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207
++\103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130
++\010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207
++\124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005
++\261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213
++\105\366
++END
++
++# Trust for "Entrust Root Certification Authority - G2"
++# Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number: 1246989352 (0x4a538c28)
++# Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Jul 07 17:25:54 2009
++# Not Valid After : Sat Dec 07 17:55:54 2030
++# Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
++# Fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - G2"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\214\364\047\375\171\014\072\321\146\006\215\350\036\127\357\273
++\223\042\162\324
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\113\342\311\221\226\145\014\364\016\132\223\222\240\012\376\262
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\276\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\060\071\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\062\060
++\060\006\003\125\004\003\023\051\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
++\062
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\112\123\214\050
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Entrust Root Certification Authority - EC1"
++#
++# Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
++# Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Dec 18 15:25:36 2012
++# Not Valid After : Fri Dec 18 15:55:36 2037
++# Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
++# Fingerprint (SHA1): 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - EC1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\061\062\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\063\060
++\061\006\003\125\004\003\023\052\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
++\103\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\061\062\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\063\060
++\061\006\003\125\004\003\023\052\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
++\103\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\015\000\246\213\171\051\000\000\000\000\120\320\221\371
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\002\371\060\202\002\200\240\003\002\001\002\002\015\000
++\246\213\171\051\000\000\000\000\120\320\221\371\060\012\006\010
++\052\206\110\316\075\004\003\003\060\201\277\061\013\060\011\006
++\003\125\004\006\023\002\125\123\061\026\060\024\006\003\125\004
++\012\023\015\105\156\164\162\165\163\164\054\040\111\156\143\056
++\061\050\060\046\006\003\125\004\013\023\037\123\145\145\040\167
++\167\167\056\145\156\164\162\165\163\164\056\156\145\164\057\154
++\145\147\141\154\055\164\145\162\155\163\061\071\060\067\006\003
++\125\004\013\023\060\050\143\051\040\062\060\061\062\040\105\156
++\164\162\165\163\164\054\040\111\156\143\056\040\055\040\146\157
++\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145
++\040\157\156\154\171\061\063\060\061\006\003\125\004\003\023\052
++\105\156\164\162\165\163\164\040\122\157\157\164\040\103\145\162
++\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
++\162\151\164\171\040\055\040\105\103\061\060\036\027\015\061\062
++\061\062\061\070\061\065\062\065\063\066\132\027\015\063\067\061
++\062\061\070\061\065\065\065\063\066\132\060\201\277\061\013\060
++\011\006\003\125\004\006\023\002\125\123\061\026\060\024\006\003
++\125\004\012\023\015\105\156\164\162\165\163\164\054\040\111\156
++\143\056\061\050\060\046\006\003\125\004\013\023\037\123\145\145
++\040\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
++\057\154\145\147\141\154\055\164\145\162\155\163\061\071\060\067
++\006\003\125\004\013\023\060\050\143\051\040\062\060\061\062\040
++\105\156\164\162\165\163\164\054\040\111\156\143\056\040\055\040
++\146\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165
++\163\145\040\157\156\154\171\061\063\060\061\006\003\125\004\003
++\023\052\105\156\164\162\165\163\164\040\122\157\157\164\040\103
++\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
++\150\157\162\151\164\171\040\055\040\105\103\061\060\166\060\020
++\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042
++\003\142\000\004\204\023\311\320\272\155\101\173\342\154\320\353
++\125\137\146\002\032\044\364\133\211\151\107\343\270\302\175\361
++\362\002\305\237\240\366\133\325\213\006\031\206\117\123\020\155
++\007\044\047\241\240\370\325\107\031\141\114\175\312\223\047\352
++\164\014\357\157\226\011\376\143\354\160\135\066\255\147\167\256
++\311\235\174\125\104\072\242\143\121\037\365\343\142\324\251\107
++\007\076\314\040\243\102\060\100\060\016\006\003\125\035\017\001
++\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
++\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016
++\004\026\004\024\267\143\347\032\335\215\351\010\246\125\203\244
++\340\152\120\101\145\021\102\111\060\012\006\010\052\206\110\316
++\075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102
++\107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321
++\003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365
++\373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327
++\205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247
++\216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270
++\231\267\046\101\133\045\140\256\320\110\032\356\006
++END
++
++# Trust for "Entrust Root Certification Authority - EC1"
++# Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
++# Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
++# Not Valid Before: Tue Dec 18 15:25:36 2012
++# Not Valid After : Fri Dec 18 15:55:36 2037
++# Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
++# Fingerprint (SHA1): 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Entrust Root Certification Authority - EC1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\040\330\006\100\337\233\045\365\022\045\072\021\352\367\131\212
++\353\024\265\107
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\266\176\035\360\130\305\111\154\044\073\075\355\230\030\355\274
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\277\061\013\060\011\006\003\125\004\006\023\002\125\123
++\061\026\060\024\006\003\125\004\012\023\015\105\156\164\162\165
++\163\164\054\040\111\156\143\056\061\050\060\046\006\003\125\004
++\013\023\037\123\145\145\040\167\167\167\056\145\156\164\162\165
++\163\164\056\156\145\164\057\154\145\147\141\154\055\164\145\162
++\155\163\061\071\060\067\006\003\125\004\013\023\060\050\143\051
++\040\062\060\061\062\040\105\156\164\162\165\163\164\054\040\111
++\156\143\056\040\055\040\146\157\162\040\141\165\164\150\157\162
++\151\172\145\144\040\165\163\145\040\157\156\154\171\061\063\060
++\061\006\003\125\004\003\023\052\105\156\164\162\165\163\164\040
++\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\151
++\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
++\103\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\015\000\246\213\171\051\000\000\000\000\120\320\221\371
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "CFCA EV ROOT"
++#
++# Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Serial Number: 407555286 (0x184accd6)
++# Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Not Valid Before: Wed Aug 08 03:07:01 2012
++# Not Valid After : Mon Dec 31 03:07:01 2029
++# Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
++# Fingerprint (SHA1): E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "CFCA EV ROOT"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\060\060\056\006\003\125\004\012\014\047\103\150\151\156\141\040
++\106\151\156\141\156\143\151\141\154\040\103\145\162\164\151\146
++\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
++\171\061\025\060\023\006\003\125\004\003\014\014\103\106\103\101
++\040\105\126\040\122\117\117\124
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\060\060\056\006\003\125\004\012\014\047\103\150\151\156\141\040
++\106\151\156\141\156\143\151\141\154\040\103\145\162\164\151\146
++\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
++\171\061\025\060\023\006\003\125\004\003\014\014\103\106\103\101
++\040\105\126\040\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\030\112\314\326
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\005\215\060\202\003\165\240\003\002\001\002\002\004\030
++\112\314\326\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\126\061\013\060\011\006\003\125\004\006\023\002\103
++\116\061\060\060\056\006\003\125\004\012\014\047\103\150\151\156
++\141\040\106\151\156\141\156\143\151\141\154\040\103\145\162\164
++\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
++\151\164\171\061\025\060\023\006\003\125\004\003\014\014\103\106
++\103\101\040\105\126\040\122\117\117\124\060\036\027\015\061\062
++\060\070\060\070\060\063\060\067\060\061\132\027\015\062\071\061
++\062\063\061\060\063\060\067\060\061\132\060\126\061\013\060\011
++\006\003\125\004\006\023\002\103\116\061\060\060\056\006\003\125
++\004\012\014\047\103\150\151\156\141\040\106\151\156\141\156\143
++\151\141\154\040\103\145\162\164\151\146\151\143\141\164\151\157
++\156\040\101\165\164\150\157\162\151\164\171\061\025\060\023\006
++\003\125\004\003\014\014\103\106\103\101\040\105\126\040\122\117
++\117\124\060\202\002\042\060\015\006\011\052\206\110\206\367\015
++\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
++\002\001\000\327\135\153\315\020\077\037\005\131\325\005\115\067
++\261\016\354\230\053\216\025\035\372\223\113\027\202\041\161\020
++\122\327\121\144\160\026\302\125\151\115\216\025\155\237\277\014
++\033\302\340\243\147\326\014\254\317\042\256\257\167\124\052\113
++\114\212\123\122\172\303\356\056\336\263\161\045\301\351\135\075
++\356\241\057\243\367\052\074\311\043\035\152\253\035\241\247\361
++\363\354\240\325\104\317\025\317\162\057\035\143\227\350\231\371
++\375\223\244\124\200\114\122\324\122\253\056\111\337\220\315\270
++\137\276\077\336\241\312\115\040\324\045\350\204\051\123\267\261
++\210\037\377\372\332\220\237\012\251\055\101\077\261\361\030\051
++\356\026\131\054\064\111\032\250\006\327\250\210\322\003\162\172
++\062\342\352\150\115\156\054\226\145\173\312\131\372\362\342\335
++\356\060\054\373\314\106\254\304\143\353\157\177\066\053\064\163
++\022\224\177\337\314\046\236\361\162\135\120\145\131\217\151\263
++\207\136\062\157\303\030\212\265\225\217\260\172\067\336\132\105
++\073\307\066\341\357\147\321\071\323\227\133\163\142\031\110\055
++\207\034\006\373\164\230\040\111\163\360\005\322\033\261\240\243
++\267\033\160\323\210\151\271\132\326\070\364\142\334\045\213\170
++\277\370\350\176\270\134\311\225\117\137\247\055\271\040\153\317
++\153\335\365\015\364\202\267\364\262\146\056\020\050\366\227\132
++\173\226\026\217\001\031\055\154\156\177\071\130\006\144\203\001
++\203\203\303\115\222\335\062\306\207\244\067\351\026\316\252\055
++\150\257\012\201\145\072\160\301\233\255\115\155\124\312\052\055
++\113\205\033\263\200\346\160\105\015\153\136\065\360\177\073\270
++\234\344\004\160\211\022\045\223\332\012\231\042\140\152\143\140
++\116\166\006\230\116\275\203\255\035\130\212\045\205\322\307\145
++\036\055\216\306\337\266\306\341\177\212\004\041\025\051\164\360
++\076\234\220\235\014\056\361\212\076\132\252\014\011\036\307\325
++\074\243\355\227\303\036\064\372\070\371\010\016\343\300\135\053
++\203\321\126\152\311\266\250\124\123\056\170\062\147\075\202\177
++\164\320\373\341\266\005\140\271\160\333\216\013\371\023\130\157
++\161\140\020\122\020\271\301\101\011\357\162\037\147\061\170\377
++\226\005\215\002\003\001\000\001\243\143\060\141\060\037\006\003
++\125\035\043\004\030\060\026\200\024\343\376\055\375\050\320\013
++\265\272\266\242\304\277\006\252\005\214\223\373\057\060\017\006
++\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016
++\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\035
++\006\003\125\035\016\004\026\004\024\343\376\055\375\050\320\013
++\265\272\266\242\304\277\006\252\005\214\223\373\057\060\015\006
++\011\052\206\110\206\367\015\001\001\013\005\000\003\202\002\001
++\000\045\306\272\153\353\207\313\336\202\071\226\075\360\104\247
++\153\204\163\003\336\235\053\117\272\040\177\274\170\262\317\227
++\260\033\234\363\327\171\056\365\110\266\322\373\027\210\346\323
++\172\077\355\123\023\320\342\057\152\171\313\000\043\050\346\036
++\067\127\065\211\204\302\166\117\064\066\255\147\303\316\101\006
++\210\305\367\356\330\032\270\326\013\177\120\377\223\252\027\113
++\214\354\355\122\140\262\244\006\352\116\353\364\153\031\375\353
++\365\032\340\045\052\232\334\307\101\066\367\310\164\005\204\071
++\225\071\326\013\073\244\047\372\010\330\134\036\370\004\140\122
++\021\050\050\003\377\357\123\146\000\245\112\064\026\146\174\375
++\011\244\256\236\147\032\157\101\013\153\006\023\233\217\206\161
++\005\264\057\215\211\146\063\051\166\124\232\021\370\047\372\262
++\077\221\340\316\015\033\363\060\032\255\277\042\135\033\323\277
++\045\005\115\341\222\032\177\231\237\074\104\223\312\324\100\111
++\154\200\207\327\004\072\303\062\122\065\016\126\370\245\335\175
++\304\213\015\021\037\123\313\036\262\027\266\150\167\132\340\324
++\313\310\007\256\365\072\056\216\067\267\320\001\113\103\051\167
++\214\071\227\217\202\132\370\121\345\211\240\030\347\150\177\135
++\012\056\373\243\107\016\075\246\043\172\306\001\307\217\310\136
++\277\155\200\126\276\212\044\272\063\352\237\341\062\021\236\361
++\322\117\200\366\033\100\257\070\236\021\120\171\163\022\022\315
++\346\154\235\054\210\162\074\060\201\006\221\042\352\131\255\332
++\031\056\042\302\215\271\214\207\340\146\274\163\043\137\041\144
++\143\200\110\365\240\074\030\075\224\310\110\101\035\100\272\136
++\376\376\126\071\241\310\317\136\236\031\144\106\020\332\027\221
++\267\005\200\254\213\231\222\175\347\242\330\007\013\066\047\347
++\110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231
++\000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325
++\171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222
++\313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331
++\346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243
++\226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173
++\056
++END
++
++# Trust for "CFCA EV ROOT"
++# Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Serial Number: 407555286 (0x184accd6)
++# Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
++# Not Valid Before: Wed Aug 08 03:07:01 2012
++# Not Valid After : Mon Dec 31 03:07:01 2029
++# Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
++# Fingerprint (SHA1): E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "CFCA EV ROOT"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\342\270\051\113\125\204\253\153\130\302\220\106\154\254\077\270
++\071\217\204\203
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\164\341\266\355\046\172\172\104\060\063\224\253\173\047\201\060
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\126\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\060\060\056\006\003\125\004\012\014\047\103\150\151\156\141\040
++\106\151\156\141\156\143\151\141\154\040\103\145\162\164\151\146
++\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
++\171\061\025\060\023\006\003\125\004\003\014\014\103\106\103\101
++\040\105\126\040\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\030\112\314\326
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
+--- a/lib/ckfw/builtins/nssckbi.h
++++ b/lib/ckfw/builtins/nssckbi.h
+@@ -40,18 +40,18 @@
+  *     ...
+  *   - NSS 3.29 branch: 250-255
+  *
+  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+  * whether we may use its full range (0-255) or only 0-99 because
+  * of the comment in the CK_VERSION type definition.
+  */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.2"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3
++#define NSS_BUILTINS_LIBRARY_VERSION "2.3"
+ 
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+ #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+ 
+ /* These version numbers detail the semantic changes to ckbi itself 
+  * (new PKCS #11 objects), etc. */
+ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+