Bug 967153: Update to NSS 3.16 beta 3 (NSS_3_16_BETA3), r=me
authorBrian Smith <brian@briansmith.org>
Thu, 27 Feb 2014 16:06:22 -0800
changeset 188314 826695253218f029cfdb3fd7f1927cfc6b616ef7
parent 188313 3dfe2491e8ec7a9476b533fb0aecbcdcc8c6c904
child 188315 f0a561106b958c44a62eb9dc503aa50fa62c0261
push id3503
push userraliiev@mozilla.com
push dateMon, 28 Apr 2014 18:51:11 +0000
treeherdermozilla-beta@c95ac01e332e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs967153
milestone30.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 967153: Update to NSS 3.16 beta 3 (NSS_3_16_BETA3), r=me
security/nss/TAG-INFO
security/nss/cmd/certutil/certutil.c
security/nss/coreconf/coreconf.dep
security/nss/lib/certdb/certdb.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/freebl/Makefile
security/nss/lib/pki/tdcache.c
security/nss/lib/ssl/ssl3ext.c
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_16_BETA2
+NSS_3_16_BETA3
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1731,17 +1731,18 @@ MakeV1Cert(	CERTCertDBHandle *	handle,
     }
     
     return(cert);
 }
 
 static SECStatus
 SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, 
          SECOidTag hashAlgTag,
-         SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
+         SECKEYPrivateKey *privKey, char *issuerNickName,
+         int certVersion, void *pwarg)
 {
     SECItem der;
     SECKEYPrivateKey *caPrivateKey = NULL;    
     SECStatus rv;
     PLArenaPool *arena;
     SECOidTag algID;
     void *dummy;
 
@@ -1771,19 +1772,33 @@ SignCert(CERTCertDBHandle *handle, CERTC
     }
 
     rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
     if (rv != SECSuccess) {
 	fprintf(stderr, "Could not set signature algorithm id.");
 	goto done;
     }
 
-    /* we only deal with cert v3 here */
-    *(cert->version.data) = 2;
-    cert->version.len = 1;
+    switch(certVersion) {
+      case (SEC_CERTIFICATE_VERSION_1):
+        // The initial version for x509 certificates is version one
+        // and this default value must be an implicit DER encoding.
+        cert->version.data = NULL;
+        cert->version.len = 0;
+        break;
+      case (SEC_CERTIFICATE_VERSION_2):
+      case (SEC_CERTIFICATE_VERSION_3):
+      case 3: // unspecified format (would be version 4 certificate).
+        *(cert->version.data) = certVersion;
+        cert->version.len = 1;
+        break;
+      default:
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
 
     der.len = 0;
     der.data = NULL;
     dummy = SEC_ASN1EncodeItem (arena, &der, cert,
 			 	SEC_ASN1_GET(CERT_CertificateTemplate));
     if (!dummy) {
 	fprintf (stderr, "Could not encode certificate.\n");
 	rv = SECFailure;
@@ -1816,16 +1831,17 @@ CreateCert(
 	unsigned int serialNumber, 
 	int     warpmonths,
 	int     validityMonths,
 	const char *emailAddrs,
 	const char *dnsNames,
 	PRBool ascii,
 	PRBool  selfsign,
 	certutilExtnList extnList,
+        int certVersion,
 	SECItem * certDER)
 {
     void *	extHandle;
     CERTCertificate *subjectCert 	= NULL;
     CERTCertificateRequest *certReq	= NULL;
     SECStatus 	rv 			= SECSuccess;
     CERTCertExtension **CRexts;
 
@@ -1875,17 +1891,18 @@ CreateCert(
 	    if (!*selfsignprivkey) {
 		fprintf(stderr, "Failed to locate private key.\n");
 		rv = SECFailure;
 		break;
 	    }
 	}
 
 	rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
-		      *selfsignprivkey, issuerNickName, pwarg);
+		      *selfsignprivkey, issuerNickName,
+                      certVersion, pwarg);
 	if (rv != SECSuccess)
 	    break;
 
 	rv = SECFailure;
 	if (ascii) {
 	    char * asciiDER = BTOA_DataToAscii(subjectCert->derCert.data,
 					       subjectCert->derCert.len);
 	    if (asciiDER) {
@@ -2189,16 +2206,17 @@ enum certutilOpts {
     opt_SourceDir,
     opt_SourcePrefix,
     opt_UpgradeID,
     opt_UpgradeTokenName,
     opt_KeyOpFlagsOn,
     opt_KeyOpFlagsOff,
     opt_KeyAttrFlags,
     opt_EmptyPassword,
+    opt_CertVersion,
     opt_Help
 };
 
 static const
 secuCommandFlag commands_init[] =
 {
 	{ /* cmd_AddCert             */  'A', PR_FALSE, 0, PR_FALSE },
 	{ /* cmd_CreateNewCert       */  'C', PR_FALSE, 0, PR_FALSE },
@@ -2298,16 +2316,18 @@ secuCommandFlag options_init[] =
 	{ /* opt_KeyOpFlagsOn        */  0,   PR_TRUE, 0, PR_FALSE, 
                                                    "keyOpFlagsOn"},
 	{ /* opt_KeyOpFlagsOff       */  0,   PR_TRUE, 0, PR_FALSE, 
                                                    "keyOpFlagsOff"},
 	{ /* opt_KeyAttrFlags        */  0,   PR_TRUE, 0, PR_FALSE, 
                                                    "keyAttrFlags"},
 	{ /* opt_EmptyPassword       */  0,   PR_FALSE, 0, PR_FALSE, 
                                                    "empty-password"},
+        { /* opt_CertVersion         */  0,   PR_FALSE, 0, PR_FALSE,
+                                                   "certVersion"},
 };
 #define NUM_OPTIONS ((sizeof options_init)  / (sizeof options_init[0]))
 
 static secuCommandFlag certutil_commands[NUM_COMMANDS];
 static secuCommandFlag certutil_options [NUM_OPTIONS ];
 
 static const secuCommand certutil = {
     NUM_COMMANDS, 
@@ -2336,16 +2356,17 @@ certutil_main(int argc, char **argv, PRB
     char *      upgradeTokenName     = "";
     KeyType     keytype         = rsaKey;
     char *      name            = NULL;
     char *      email            = NULL;
     char *      keysource       = NULL;
     SECOidTag   hashAlgTag      = SEC_OID_UNKNOWN;
     int	        keysize	        = DEFAULT_KEY_BITS;
     int         publicExponent  = 0x010001;
+    int         certVersion     = SEC_CERTIFICATE_VERSION_3;
     unsigned int serialNumber   = 0;
     int         warpmonths      = 0;
     int         validityMonths  = 3;
     int         commandsEntered = 0;
     char        commandToRun    = '\0';
     secuPWData  pwdata          = { PW_NONE, 0 };
     secuPWData  pwdata2         = { PW_NONE, 0 };
     PRBool      readOnly        = PR_FALSE;
@@ -2564,16 +2585,29 @@ certutil_main(int argc, char **argv, PRB
 	    (publicExponent != 65537)) {
 	    PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", 
 	                           progName, publicExponent);
 	    PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
 	    return 255;
 	}
     }
 
+    /*  --certVersion */
+    if (certutil.options[opt_CertVersion].activated) {
+        certVersion = PORT_Atoi(certutil.options[opt_CertVersion].arg);
+        if (certVersion < 1 || certVersion > 4) {
+            PR_fprintf(PR_STDERR, "%s -certVersion: incorrect certificate version %d.",
+                                   progName, certVersion);
+            PR_fprintf(PR_STDERR, "Must be 1, 2, 3 or 4.\n");
+            return 255;
+        }
+        certVersion = certVersion - 1;
+    }
+
+
     /*  Check number of commands entered.  */
     commandsEntered = 0;
     for (i=0; i< certutil.numCommands; i++) {
 	if (certutil.commands[i].activated) {
 	    commandToRun = certutil.commands[i].flag;
 	    commandsEntered++;
 	}
 	if (commandsEntered > 1)
@@ -3220,16 +3254,17 @@ merge_fail:
 			&certReqDER, &privkey, &pwdata, hashAlgTag,
 	                serialNumber, warpmonths, validityMonths,
 		        certutil.options[opt_ExtendedEmailAddrs].arg,
 		        certutil.options[opt_ExtendedDNSNames].arg,
 		        certutil.options[opt_ASCIIForIO].activated &&
 			    certutil.commands[cmd_CreateNewCert].activated,
 	                certutil.options[opt_SelfSign].activated,
 	                certutil_extns,
+                        certVersion,
 			&certDER);
 	if (rv) 
 	    goto shutdown;
     }
 
     /* 
      * Adding a cert to the database (or slot)
      */
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1376,33 +1376,36 @@ cert_TestHostName(char * cn, const char 
 		rv = SECSuccess;
 	    } else {
 		PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
 		rv = SECFailure;
 	    }
 	    return rv;
 	}
     } else {
-	/* New approach conforms to RFC 2818. */
+	/* New approach conforms to RFC 6125. */
 	char *wildcard    = PORT_Strchr(cn, '*');
 	char *firstcndot  = PORT_Strchr(cn, '.');
 	char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
 	char *firsthndot  = PORT_Strchr(hn, '.');
 
 	/* For a cn pattern to be considered valid, the wildcard character...
 	 * - may occur only in a DNS name with at least 3 components, and
 	 * - may occur only as last character in the first component, and
-	 * - may be preceded by additional characters
+	 * - may be preceded by additional characters, and
+	 * - must not be preceded by an IDNA ACE prefix (xn--)
 	 */
 	if (wildcard && secondcndot && secondcndot[1] && firsthndot 
-	    && firstcndot  - wildcard  == 1
-	    && secondcndot - firstcndot > 1
-	    && PORT_Strrchr(cn, '*') == wildcard
+	    && firstcndot  - wildcard  == 1 /* no chars between * and . */
+	    && secondcndot - firstcndot > 1 /* not .. */
+	    && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
 	    && !PORT_Strncasecmp(cn, hn, wildcard - cn)
-	    && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+	    && !PORT_Strcasecmp(firstcndot, firsthndot)
+	       /* If hn starts with xn--, then cn must start with wildcard */
+	    && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
 	    /* valid wildcard pattern match */
 	    return SECSuccess;
 	}
     }
     /* String cn has no wildcard or shell expression.  
      * Compare entire string hn with cert name. 
      */
     if (PORT_Strcasecmp(hn, cn) == 0) {
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,16 +65,135 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
+# Certificate "GTE CyberTrust Global Root"
+#
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
+\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
+\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
+\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
+\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
+\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
+\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
+\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
+\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
+\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
+\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
+\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
+\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
+\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
+\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
+\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
+\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
+\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
+\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
+\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
+\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
+\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
+\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
+\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
+\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
+\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
+\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
+\037\042\265\315\225\255\272\247\314\371\253\013\172\177
+END
+
+# Trust for Certificate "GTE CyberTrust Global Root"
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
+\066\176\364\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Thawte Server CA"
 #
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
@@ -483,16 +602,44 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\065\336\364\317
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
+# Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements.""
+# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Serial Number: 1407252 (0x157914)
+# Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+# Not Valid Before: Mon Feb 01 14:54:04 2010
+# Not Valid After : Tue Sep 30 00:00:00 2014
+# Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
+# Fingerprint (SHA1): 30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements.""
+CKA_ISSUER MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\025\171\024
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
 #
 # Certificate "Digital Signature Trust Co. Global CA 1"
 #
 # Issuer: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
 # Serial Number: 913315222 (0x36701596)
 # Subject: OU=DSTCA E1,O=Digital Signature Trust Co.,C=US
 # Not Valid Before: Thu Dec 10 18:10:23 1998
 # Not Valid After : Mon Dec 10 18:40:23 2018
@@ -1550,16 +1697,436 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "ValiCert Class 1 VA"
+#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Fri Jun 25 22:23:48 1999
+# Not Valid After : Tue Jun 25 22:23:48 2019
+# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 1 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062
+\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130
+\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363
+\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022
+\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376
+\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235
+\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123
+\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030
+\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300
+\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364
+\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144
+\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007
+\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326
+\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152
+\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105
+\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360
+\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355
+\161\202\053\231\317\072\267\365\055\162\310
+END
+
+# Trust for Certificate "ValiCert Class 1 VA"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Fri Jun 25 22:23:48 1999
+# Not Valid After : Tue Jun 25 22:23:48 2019
+# Fingerprint (MD5): 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+# Fingerprint (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 1 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201
+\020\237\344\216
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "ValiCert Class 2 VA"
+#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:19:54 1999
+# Not Valid After : Wed Jun 26 00:19:54 2019
+# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 2 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062
+\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330
+\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353
+\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045
+\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175
+\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205
+\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071
+\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022
+\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156
+\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157
+\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201
+\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275
+\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356
+\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120
+\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041
+\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002
+\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370
+\276\355\164\114\274\133\325\142\037\103\335
+END
+
+# Trust for Certificate "ValiCert Class 2 VA"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:19:54 1999
+# Not Valid After : Wed Jun 26 00:19:54 2019
+# Fingerprint (MD5): A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+# Fingerprint (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 2 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267
+\330\361\374\246
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "RSA Root Certificate 1"
+#
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:22:33 1999
+# Not Valid After : Wed Jun 26 00:22:33 2019
+# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "RSA Root Certificate 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062
+\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303
+\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065
+\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253
+\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354
+\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155
+\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312
+\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230
+\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342
+\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204
+\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012
+\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323
+\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311
+\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250
+\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274
+\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300
+\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010
+\040\017\105\176\153\242\177\243\214\025\356
+END
+
+# Trust for Certificate "RSA Root Certificate 1"
+# Issuer: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Serial Number: 1 (0x1)
+# Subject: E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
+# Not Valid Before: Sat Jun 26 00:22:33 1999
+# Not Valid After : Wed Jun 26 00:22:33 2019
+# Fingerprint (MD5): A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+# Fingerprint (SHA1): 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "RSA Root Certificate 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363
+\354\252\065\373
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\001\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
 # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
@@ -2041,16 +2608,128 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
 \051\357\127
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
+# Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
+# Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+# Not Valid Before: Sun May 18 00:00:00 2008
+# Not Valid After : Thu May 17 23:59:59 2018
+# Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D
+# Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\114\000\066\033\345\010\053\251\252\316\164\012\005\076
+\373\064
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+
+# Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51
+# Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+# Not Valid Before: Sun May 18 00:00:00 2008
+# Not Valid After : Thu May 17 23:59:59 2018
+# Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34
+# Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\076\014\236\207\151\252\225\134\352\043\330\105\236\324
+\133\121
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+# Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
+# Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+# Not Valid Before: Sun May 18 00:00:00 2008
+# Not Valid After : Thu May 17 23:59:59 2018
+# Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E
+# Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\022\275\046\242\256\063\300\177\044\173\152\130\151\362
+\012\166
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
 #
 # Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
 # Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Not Valid Before: Fri Oct 01 00:00:00 1999
 # Not Valid After : Wed Jul 16 23:59:59 2036
@@ -2206,16 +2885,190 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \224\136\327
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "Entrust.net Secure Server CA"
+#
+# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Serial Number: 927650371 (0x374ad243)
+# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Not Valid Before: Tue May 25 16:09:40 1999
+# Not Valid After : Sat May 25 16:39:40 2019
+# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
+# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\067\112\322\103
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067
+\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
+\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004
+\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156
+\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142
+\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154
+\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034
+\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164
+\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070
+\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156
+\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065
+\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062
+\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004
+\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073
+\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164
+\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164
+\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040
+\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201
+\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
+\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124
+\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262
+\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077
+\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037
+\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050
+\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367
+\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064
+\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071
+\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202
+\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125
+\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333
+\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023
+\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071
+\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165
+\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162
+\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
+\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
+\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164
+\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
+\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
+\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
+\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013
+\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240
+\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156
+\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145
+\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060
+\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064
+\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071
+\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006
+\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142
+\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320
+\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023
+\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032
+\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031
+\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033
+\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002
+\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016
+\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015
+\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145
+\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030
+\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035
+\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255
+\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076
+\155\055\105\013\367\012\223\352\355\006\371\262
+END
+
+# Trust for Certificate "Entrust.net Secure Server CA"
+# Issuer: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Serial Number: 927650371 (0x374ad243)
+# Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
+# Not Valid Before: Tue May 25 16:09:40 1999
+# Not Valid After : Sat May 25 16:39:40 2019
+# Fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
+# Fingerprint (SHA1): 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374
+\061\176\025\071
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\067\112\322\103
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Entrust.net Premium 2048 Secure Server CA"
 #
 # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Serial Number: 946069240 (0x3863def8)
 # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
 # Not Valid Before: Fri Dec 24 17:50:51 1999
 # Not Valid After : Tue Jul 24 14:15:12 2029
 # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
@@ -8058,19 +8911,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\062\060\060\006\003\125\004
 \003\023\051\116\145\164\114\157\143\153\040\125\172\154\145\164
 \151\040\050\103\154\141\163\163\040\102\051\040\124\141\156\165
 \163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\151
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "NetLock Express (Class C) Root"
 #
 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
@@ -8231,19 +9084,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\171\153\151\141\144\157\153\061\064\060\062\006\003\125\004
 \003\023\053\116\145\164\114\157\143\153\040\105\170\160\162\145
 \163\163\172\040\050\103\154\141\163\163\040\103\051\040\124\141
 \156\165\163\151\164\166\141\156\171\153\151\141\144\157
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\150
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -190,17 +190,17 @@ ifeq ($(CPU_ARCH),x86_64)
     ASFILES += intel-aes.s intel-gcm.s
     EXTRA_SRCS += intel-gcm-wrap.c
     INTEL_GCM = 1
     MPI_SRCS += mpi_amd64.c mp_comba.c
 endif
 ifeq ($(CPU_ARCH),x86)
     ASFILES  = mpi_x86.s
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
-    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
+    DEFINES += -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
     # The floating point ECC code doesn't work on Linux x86 (bug 311432).
     #ECL_USE_FP = 1
 endif
 ifeq ($(CPU_ARCH),arm)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
     DEFINES += -DMP_USE_UINT_DIGIT
     DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
--- a/security/nss/lib/pki/tdcache.c
+++ b/security/nss/lib/pki/tdcache.c
@@ -463,20 +463,20 @@ nssTrustDomain_UpdateCachedTokenCerts (
     PRUint32 count;
     certList = nssList_Create(NULL, PR_FALSE);
     if (!certList) return PR_FAILURE;
     (void)nssTrustDomain_GetCertsFromCache(td, certList);
     count = nssList_Count(certList);
     if (count > 0) {
 	cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
 	if (!cached) {
+	    nssList_Destroy(certList);
 	    return PR_FAILURE;
 	}
 	nssList_GetArray(certList, (void **)cached, count);
-	nssList_Destroy(certList);
 	for (cp = cached; *cp; cp++) {
 	    nssCryptokiObject *instance;
 	    NSSCertificate *c = *cp;
 	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
 	    instance = nssToken_FindCertificateByIssuerAndSerialNumber(
 	                                                       token,
                                                                NULL,
                                                                &c->issuer,
@@ -485,16 +485,17 @@ nssTrustDomain_UpdateCachedTokenCerts (
                                                                NULL);
 	    if (instance) {
 		nssPKIObject_AddInstance(&c->object, instance);
 		STAN_ForceCERTCertificateUpdate(c);
 	    }
 	}
 	nssCertificateArray_Destroy(cached);
     }
+    nssList_Destroy(certList);
     return PR_SUCCESS;
 }
 
 static PRStatus
 add_issuer_and_serial_entry (
   NSSArena *arena,
   nssTDCertificateCache *cache, 
   NSSCertificate *cert
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -59,17 +59,17 @@ static SECStatus ssl3_ServerHandleNextPr
 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
 					  PRUint32 maxBytes);
 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
 					       PRUint32 maxBytes);
 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
     PRUint32 maxBytes);
 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
     SECItem *data);
-static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
+static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
     PRBool append, PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
     PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
                                                    PRUint16 ex_type,
                                                    SECItem *data);
 static PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
                                                PRUint32 maxBytes);