Merge mozilla-inbound to mozilla-central. a=merge
authorAndreea Pavel <apavel@mozilla.com>
Thu, 07 Mar 2019 11:49:04 +0200
changeset 520702 c89f024c023f
parent 520700 ecbfad744a66 (current diff)
parent 520701 f84b1b428d42 (diff)
child 520717 44d8a4dbe146
child 520776 1d4dcfddc3f8
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
reviewersmerge
milestone67.0a1
first release with
nightly linux32
c89f024c023f / 67.0a1 / 20190307094951 / files
nightly linux64
c89f024c023f / 67.0a1 / 20190307094951 / files
nightly mac
c89f024c023f / 67.0a1 / 20190307094951 / files
nightly win32
c89f024c023f / 67.0a1 / 20190307094951 / files
nightly win64
c89f024c023f / 67.0a1 / 20190307094951 / files
Merge mozilla-inbound to mozilla-central. a=merge
--- a/security/manager/ssl/RootHashes.inc
+++ b/security/manager/ssl/RootHashes.inc
@@ -95,16 +95,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Class_2_Primary_CA */
     { 0x0F, 0x99, 0x3C, 0x8A, 0xEF, 0x97, 0xBA, 0xAF, 0x56, 0x87, 0x14, 0x0E, 0xD5, 0x9A, 0xD1, 0x82,
       0x1B, 0xB4, 0xAF, 0xAC, 0xF0, 0xAA, 0x9A, 0x58, 0xB5, 0xD5, 0x7A, 0x33, 0x8A, 0x3A, 0xFB, 0xCB },
       51 /* Bin Number */
   },
   {
+    /* emSign_Root_CA___C1 */
+    { 0x12, 0x56, 0x09, 0xAA, 0x30, 0x1D, 0xA0, 0xA2, 0x49, 0xB9, 0x7A, 0x82, 0x39, 0xCB, 0x6A, 0x34,
+      0x21, 0x6F, 0x44, 0xDC, 0xAC, 0x9F, 0x39, 0x54, 0xB1, 0x42, 0x92, 0xF2, 0xE8, 0xC8, 0x60, 0x8F },
+      208 /* Bin Number */
+  },
+  {
     /* Global_Chambersign_Root___2008 */
     { 0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xA7, 0x69, 0x80, 0x16, 0xA0, 0xD3, 0x24, 0xDE, 0x72, 0x28,
       0x4E, 0x07, 0x9D, 0x7B, 0x52, 0x20, 0xBB, 0x8F, 0xBD, 0x74, 0x78, 0x16, 0xEE, 0xBE, 0xBA, 0xCA },
       105 /* Bin Number */
   },
   {
     /* OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US */
     { 0x14, 0x65, 0xFA, 0x20, 0x53, 0x97, 0xB8, 0x76, 0xFA, 0xA6, 0xF0, 0xA9, 0x95, 0x8E, 0x55, 0x90,
@@ -305,16 +311,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Trusted_Certificate_Services */
     { 0x3F, 0x06, 0xE5, 0x56, 0x81, 0xD4, 0x96, 0xF5, 0xBE, 0x16, 0x9E, 0xB5, 0x38, 0x9F, 0x9F, 0x2B,
       0x8F, 0xF6, 0x1E, 0x17, 0x08, 0xDF, 0x68, 0x81, 0x72, 0x48, 0x49, 0xCD, 0x5D, 0x27, 0xCB, 0x69 },
       30 /* Bin Number */
   },
   {
+    /* emSign_Root_CA___G1 */
+    { 0x40, 0xF6, 0xAF, 0x03, 0x46, 0xA9, 0x9A, 0xA1, 0xCD, 0x1D, 0x55, 0x5A, 0x4E, 0x9C, 0xCE, 0x62,
+      0xC7, 0xF9, 0x63, 0x46, 0x03, 0xEE, 0x40, 0x66, 0x15, 0x83, 0x3D, 0xC8, 0xC8, 0xD0, 0x03, 0x67 },
+      206 /* Bin Number */
+  },
+  {
     /* OISTE_WISeKey_Global_Root_GA_CA */
     { 0x41, 0xC9, 0x23, 0x86, 0x6A, 0xB4, 0xCA, 0xD6, 0xB7, 0xAD, 0x57, 0x80, 0x81, 0x58, 0x2E, 0x02,
       0x07, 0x97, 0xA6, 0xCB, 0xDF, 0x4F, 0xFF, 0x78, 0xCE, 0x83, 0x96, 0xB3, 0x89, 0x37, 0xD7, 0xF5 },
       69 /* Bin Number */
   },
   {
     /* Secure_Global_CA */
     { 0x42, 0x00, 0xF5, 0x04, 0x3A, 0xC8, 0x59, 0x0E, 0xBB, 0x52, 0x7D, 0x20, 0x9E, 0xD1, 0x50, 0x30,
@@ -443,16 +455,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* TWCA_Global_Root_CA */
     { 0x59, 0x76, 0x90, 0x07, 0xF7, 0x68, 0x5D, 0x0F, 0xCD, 0x50, 0x87, 0x2F, 0x9F, 0x95, 0xD5, 0x75,
       0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B },
       139 /* Bin Number */
   },
   {
+    /* Hongkong_Post_Root_CA_3 */
+    { 0x5A, 0x2F, 0xC0, 0x3F, 0x0C, 0x83, 0xB0, 0x90, 0xBB, 0xFA, 0x40, 0x60, 0x4B, 0x09, 0x88, 0x44,
+      0x6C, 0x76, 0x36, 0x18, 0x3D, 0xF9, 0x84, 0x6E, 0x17, 0x10, 0x1A, 0x44, 0x7F, 0xB8, 0xEF, 0xD6 },
+      210 /* Bin Number */
+  },
+  {
     /* TrustCor_ECA_1 */
     { 0x5A, 0x88, 0x5D, 0xB1, 0x9C, 0x01, 0xD9, 0x12, 0xC5, 0x75, 0x93, 0x88, 0x93, 0x8C, 0xAF, 0xBB,
       0xDF, 0x03, 0x1A, 0xB2, 0xD4, 0x8E, 0x91, 0xEE, 0x15, 0x58, 0x9B, 0x42, 0x97, 0x1D, 0x03, 0x9C },
       192 /* Bin Number */
   },
   {
     /* Certum_Trusted_Network_CA */
     { 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, 0x82, 0xD2, 0xB5, 0x00, 0x10,
@@ -653,16 +671,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* UTN___DATACorp_SGC */
     { 0x85, 0xFB, 0x2F, 0x91, 0xDD, 0x12, 0x27, 0x5A, 0x01, 0x45, 0xB6, 0x36, 0x53, 0x4F, 0x84, 0x02,
       0x4A, 0xD6, 0x8B, 0x69, 0xB8, 0xEE, 0x88, 0x68, 0x4F, 0xF7, 0x11, 0x37, 0x58, 0x05, 0xB3, 0x48 },
       37 /* Bin Number */
   },
   {
+    /* emSign_ECC_Root_CA___G3 */
+    { 0x86, 0xA1, 0xEC, 0xBA, 0x08, 0x9C, 0x4A, 0x8D, 0x3B, 0xBE, 0x27, 0x34, 0xC6, 0x12, 0xBA, 0x34,
+      0x1D, 0x81, 0x3E, 0x04, 0x3C, 0xF9, 0xE8, 0xA8, 0x62, 0xCD, 0x5C, 0x57, 0xA3, 0x6B, 0xBE, 0x6B },
+      207 /* Bin Number */
+  },
+  {
     /* EC_ACC */
     { 0x88, 0x49, 0x7F, 0x01, 0x60, 0x2F, 0x31, 0x54, 0x24, 0x6A, 0xE2, 0x8C, 0x4D, 0x5A, 0xEF, 0x10,
       0xF1, 0xD8, 0x7E, 0xBB, 0x76, 0x62, 0x6F, 0x4A, 0xE0, 0xB7, 0xF9, 0x5B, 0xA7, 0x96, 0x87, 0x99 },
       119 /* Bin Number */
   },
   {
     /* QuoVadis_Root_CA_3_G3 */
     { 0x88, 0xEF, 0x81, 0xDE, 0x20, 0x2E, 0xB0, 0x18, 0x45, 0x2E, 0x43, 0xF8, 0x64, 0x72, 0x5C, 0xEA,
@@ -893,16 +917,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Hellenic_Academic_and_Research_Institutions_RootCA_2011 */
     { 0xBC, 0x10, 0x4F, 0x15, 0xA4, 0x8B, 0xE7, 0x09, 0xDC, 0xA5, 0x42, 0xA7, 0xE1, 0xD4, 0xB9, 0xDF,
       0x6F, 0x05, 0x45, 0x27, 0xE8, 0x02, 0xEA, 0xA9, 0x2D, 0x59, 0x54, 0x44, 0x25, 0x8A, 0xFE, 0x71 },
       120 /* Bin Number */
   },
   {
+    /* emSign_ECC_Root_CA___C3 */
+    { 0xBC, 0x4D, 0x80, 0x9B, 0x15, 0x18, 0x9D, 0x78, 0xDB, 0x3E, 0x1D, 0x8C, 0xF4, 0xF9, 0x72, 0x6A,
+      0x79, 0x5D, 0xA1, 0x64, 0x3C, 0xA5, 0xF1, 0x35, 0x8E, 0x1D, 0xDB, 0x0E, 0xDC, 0x0D, 0x7E, 0xB3 },
+      209 /* Bin Number */
+  },
+  {
     /* AffirmTrust_Premium_ECC */
     { 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, 0x7A, 0xDD, 0x25, 0x81, 0xB0,
       0x7D, 0x79, 0xAD, 0xF8, 0x39, 0x7E, 0xB4, 0xEC, 0xBA, 0x9C, 0x5E, 0x84, 0x88, 0x82, 0x14, 0x23 },
       112 /* Bin Number */
   },
   {
     /* Secure_Certificate_Services */
     { 0xBD, 0x81, 0xCE, 0x3B, 0x4F, 0x65, 0x91, 0xD1, 0x1A, 0x67, 0xB5, 0xFC, 0x7A, 0x47, 0xFD, 0xEF,
--- a/security/manager/tools/KnownRootHashes.json
+++ b/security/manager/tools/KnownRootHashes.json
@@ -1028,12 +1028,37 @@
       "label": "UCA_Extended_Validation_Root",
       "binNumber": 204,
       "sha256Fingerprint": "1Dr5s1RzdVyWhPwG19jLcO5cKOdz+ylOtB7nFyKSTSQ="
     },
     {
       "label": "Certigna_Root_CA",
       "binNumber": 205,
       "sha256Fingerprint": "1I09I+7bUKRZ5VGXYBwnd0udexjJTVoFlRGhAlC5MWg="
+    },
+    {
+      "label": "emSign_Root_CA___G1",
+      "binNumber": 206,
+      "sha256Fingerprint": "QPavA0apmqHNHVVaTpzOYsf5Y0YD7kBmFYM9yMjQA2c="
+    },
+    {
+      "label": "emSign_ECC_Root_CA___G3",
+      "binNumber": 207,
+      "sha256Fingerprint": "hqHsugicSo07vic0xhK6NB2BPgQ8+eioYs1cV6Nrvms="
+    },
+    {
+      "label": "emSign_Root_CA___C1",
+      "binNumber": 208,
+      "sha256Fingerprint": "ElYJqjAdoKJJuXqCOctqNCFvRNysnzlUsUKS8ujIYI8="
+    },
+    {
+      "label": "emSign_ECC_Root_CA___C3",
+      "binNumber": 209,
+      "sha256Fingerprint": "vE2AmxUYnXjbPh2M9PlyanldoWQ8pfE1jh3bDtwNfrM="
+    },
+    {
+      "label": "Hongkong_Post_Root_CA_3",
+      "binNumber": 210,
+      "sha256Fingerprint": "Wi/APwyDsJC7+kBgSwmIRGx2Nhg9+YRuFxAaRH+479Y="
     }
   ],
-  "maxBin": 205
+  "maxBin": 210
 }
\ No newline at end of file
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-536fd7c9db5a
+a306d84e4c70
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -116,16 +116,19 @@ static PRBool disableLocking = PR_FALSE;
 static PRBool ignoreErrors = PR_FALSE;
 static PRBool enableSessionTickets = PR_FALSE;
 static PRBool enableCompression = PR_FALSE;
 static PRBool enableFalseStart = PR_FALSE;
 static PRBool enableCertStatus = PR_FALSE;
 
 PRIntervalTime maxInterval = PR_INTERVAL_NO_TIMEOUT;
 
+static const SSLSignatureScheme *enabledSigSchemes = NULL;
+static unsigned int enabledSigSchemeCount = 0;
+
 char *progName;
 
 secuPWData pwdata = { PW_NONE, 0 };
 
 int stopping;
 int verbose;
 SECItem bigBuf;
 
@@ -138,17 +141,18 @@ SECItem bigBuf;
 
 static void
 Usage(void)
 {
     fprintf(stderr,
             "Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
             "          [-BDNovqs] [-f filename] [-N | -P percentage]\n"
             "          [-w dbpasswd] [-C cipher(s)] [-t threads] [-W pwfile]\n"
-            "          [-V [min-version]:[max-version]] [-a sniHostName] hostname\n"
+            "          [-V [min-version]:[max-version]] [-a sniHostName]\n"
+            "          [-J signatureschemes] hostname\n"
             " where -v means verbose\n"
             "       -o flag is interpreted as follows:\n"
             "          1 -o   means override the result of server certificate validation.\n"
             "          2 -o's mean skip server certificate validation altogether.\n"
             "       -D means no TCP delays\n"
             "       -q means quit when server gone (timeout rather than retry forever)\n"
             "       -s means disable SSL socket locking\n"
             "       -N means no session reuse\n"
@@ -156,17 +160,27 @@ Usage(void)
             "       -V [min]:[max] restricts the set of enabled SSL/TLS protocols versions.\n"
             "          All versions are enabled by default.\n"
             "          Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
             "          Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
             "       -U means enable throttling up threads\n"
             "       -T enable the cert_status extension (OCSP stapling)\n"
             "       -u enable TLS Session Ticket extension\n"
             "       -z enable compression\n"
-            "       -g enable false start\n",
+            "       -g enable false start\n"
+            "       -J enable signature schemes\n"
+            "          This takes a comma separated list of signature schemes in preference\n"
+            "          order.\n"
+            "          Possible values are:\n"
+            "          rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+            "          ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+            "          ecdsa_secp521r1_sha512,\n"
+            "          rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+            "          rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
+            "          dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
             progName);
     exit(1);
 }
 
 static void
 errWarn(char *funcString)
 {
     PRErrorCode perr = PR_GetError();
@@ -1153,16 +1167,24 @@ client_main(
         errExit("SSL_OptionSet SSL_SECURITY");
     }
 
     rv = SSL_VersionRangeSet(model_sock, &enabledVersions);
     if (rv != SECSuccess) {
         errExit("error setting SSL/TLS version range ");
     }
 
+    if (enabledSigSchemes) {
+        rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes,
+                                        enabledSigSchemeCount);
+        if (rv < 0) {
+            errExit("SSL_SignatureSchemePrefSet");
+        }
+    }
+
     if (bigBuf.data) { /* doing FDX */
         rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
         if (rv < 0) {
             errExit("SSL_OptionSet SSL_ENABLE_FDX");
         }
     }
 
     if (NoReuse) {
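Review bot: The new `if (rv < 0)` after SSL_SignatureSchemePrefSet tests the sign of a SECStatus instead of comparing it with SECSuccess, unlike the SSL_VersionRangeSet check directly above it in this hunk. Writing it as `if (rv != SECSuccess) {` keeps the two adjacent checks consistent and does not depend on the numeric values of the status enum. The enclosing client_main starts and ends outside this hunk.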
@@ -1311,30 +1333,39 @@ main(int argc, char **argv)
     tmp = strrchr(argv[0], '/');
     tmp = tmp ? tmp + 1 : argv[0];
     progName = strrchr(tmp, '\\');
     progName = progName ? progName + 1 : tmp;
 
     /* XXX: 'B' was used in the past but removed in 3.28,
      *      please leave some time before resuing it. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "C:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
+                                 "C:DJ:NP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case 'C':
                 cipherString = optstate->value;
                 break;
 
             case 'D':
                 NoDelay = PR_TRUE;
                 break;
 
             case 'I': /* reserved for OCSP multi-stapling */
                 break;
 
+            case 'J':
+                rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad signature scheme specified.\n");
+                    Usage();
+                }
+                break;
+
             case 'N':
                 NoReuse = 1;
                 break;
 
             case 'P':
                 fullhs = PORT_Atoi(optstate->value);
                 break;
 
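Review bot: In the new `case 'J':` branch, a second `-J` on the command line overwrites `enabledSigSchemes` without releasing the list stored by the first one. This is a leak only if parseSigSchemeList allocates a fresh array on every call; its body is not part of this diff, so that should be confirmed. If it does, release the previous list before parsing: `PORT_Free((SSLSignatureScheme *)enabledSigSchemes); enabledSigSchemes = NULL;`. The parseSigSchemeList call line also runs well past 80 columns, where the rest of this hunk is wrapped. The option loop continues outside this hunk.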
@@ -1511,16 +1542,18 @@ main(int argc, char **argv)
         PL_strfree(Cert_And_Key.nickname);
     }
     if (sniHostName) {
         PL_strfree(sniHostName);
     }
 
     PL_strfree(hostName);
 
+    PORT_Free((SSLSignatureScheme *)enabledSigSchemes);
+
     /* some final stats. */
     printf(
         "strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
         "          %ld stateless resumes\n",
         ssl3stats->hsh_sid_cache_hits,
         ssl3stats->hsh_sid_cache_misses,
         ssl3stats->hsh_sid_cache_not_ok,
         ssl3stats->hsh_sid_stateless_resumes);
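Review bot: The added `PORT_Free((SSLSignatureScheme *)enabledSigSchemes);` casts away the `const` that the global was declared with earlier in this file, and nothing explains why. A one-line comment would document who owns the array, for example `/* list was allocated by parseSigSchemeList for -J; the cast only drops const for the free */`. The ownership claim is inferred from the `-J` handling in main and should be confirmed against parseSigSchemeList. main's body starts outside this hunk.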
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cpputil/scoped_ptrs_smime.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_smime_h__
+#define scoped_ptrs_smime_h__
+
+#include <memory>
+#include "smime.h"
+
+struct ScopedDeleteSmime {
+  void operator()(NSSCMSMessage* id) { NSS_CMSMessage_Destroy(id); }
+};
+
+template <class T>
+struct ScopedMaybeDeleteSmime {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDeleteSmime del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) \
+  typedef std::unique_ptr<x, ScopedMaybeDeleteSmime<x> > Scoped##x
+
+SCOPED(NSSCMSMessage);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_smime_h__
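Review bot: The new header has no comment saying what `ScopedNSSCMSMessage` owns or how to extend it. `ScopedDeleteSmime` has a single `operator()` for `NSSCMSMessage*`, so a later `SCOPED(OtherType)` will fail to compile until a matching overload is added. I would put `// One operator() overload per type passed to SCOPED() below; each calls that type's NSS destroy function.` above `struct ScopedDeleteSmime`, and `// Owning pointer: destroys the message with NSS_CMSMessage_Destroy when it goes out of scope.` above `SCOPED(NSSCMSMessage);`.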
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -16,17 +16,17 @@ COMPILE.html = xmlto -o html html
 name = nss-man
 date = `date +"%Y%m%d"`
 
 all: prepare all-man all-html
 
 prepare: date-and-version
 	mkdir -p html
 	mkdir -p nroff
-	
+
 clean:
 	rm -f date.xml version.xml *.tar.bz2
 	rm -f html/*.proc
 	rm -fr $(name) ascii
 
 date-and-version: date.xml version.xml
 
 date.xml:
@@ -40,30 +40,30 @@ version.xml:
 .PHONY : $(TXTPAGES)
 
 #--------------------------------------------------------
 # manpages
 #--------------------------------------------------------
 
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
-	
+
 MANPAGES = \
 nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
 nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
 
 all-man: prepare $(MANPAGES)
 
 #--------------------------------------------------------
 # html pages
 #--------------------------------------------------------
 
 html/%.html : %.xml
 	$(COMPILE.html) $<
 	mv html/index.html $@
 
 HTMLPAGES = \
 html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
 html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-html/vfychain.html html/vfyserv.html
+html/vfychain.html html/vfyserv.html html/nss-policy-check.html
 
 all-html: prepare $(HTMLPAGES)
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -175,16 +175,20 @@ Use the -a argument to specify ASCII out
 	<variablelist>
       <varlistentry>
         <term>-a</term>
         <listitem><para>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+	<term>--simple-self-signed</term>
+	<listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
+      </varlistentry>
+      <varlistentry>
         <term>-b validity-time</term>
         <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
 </para>
 <para>
 If this option is not used, the validity check defaults to the current system time.</para></listitem>
       </varlistentry>
 
       <varlistentry>
new file mode 100644
--- /dev/null
+++ b/security/nss/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-policy-check">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-policy-check</refname>
+    <refpurpose>nss-policy-check policy-file</refpurpose>
+  </refnamediv>
+
+ <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nss-policy-check</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
+
+    <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
+  </refsection>
+
+  <refsection id="basic-usage">
+    <title>Usage and Examples</title>
+    <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
+    </para>
+    <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+    </programlisting>
+    <para>If there is a failure or warning, it will be prefixed with
+    NSS-POLICY-FAIL or NSS-POLICY_WARN.
+    </para>
+    <para><command>nss-policy-check</command> exits with 2 if any
+    failure is found, 1 if any warning is found, or 0 if no errors are
+    found.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="resources">
+    <title>Additional Resources</title>
+	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
--- a/security/nss/doc/pk12util.xml
+++ b/security/nss/doc/pk12util.xml
@@ -103,17 +103,17 @@
       </varlistentry>
 
       <varlistentry>
         <term>-m | --key-len  keyLength</term>
         <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-n | --cert-key-len  certKeyLength</term>
+        <term>--cert-key-len  certKeyLength</term>
         <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-n certname</term>
         <listitem><para>Specify the nickname of the cert and private key to export.</para>
 	<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
--- a/security/nss/gtests/manifest.mn
+++ b/security/nss/gtests/manifest.mn
@@ -19,16 +19,17 @@ endif
 ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
 ifneq ($(NSS_BUILD_UTIL_ONLY),1)
 NSS_SRCDIRS = \
 	certdb_gtest \
 	certhigh_gtest \
 	cryptohi_gtest \
 	der_gtest \
 	pk11_gtest \
+	smime_gtest \
 	softoken_gtest \
 	ssl_gtest \
 	$(SYSINIT_GTEST) \
 	nss_bogo_shim \
 	$(NULL)
 endif
 endif
 
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/Makefile
@@ -0,0 +1,43 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/manifest.mn
@@ -0,0 +1,22 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH      = ../..
+MODULE = nss
+
+CPPSRCS = \
+      smime_unittest.cc \
+      $(NULL)
+
+INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+            -I$(CORE_DEPTH)/gtests/common \
+            -I$(CORE_DEPTH)/cpputil
+
+REQUIRES = nspr gtest
+
+PROGRAM = smime_gtest
+
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
+             $(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/smime_gtest.gyp
@@ -0,0 +1,30 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'smime_gtest',
+      'type': 'executable',
+      'sources': [
+        'smime_unittest.cc',
+        '<(DEPTH)/gtests/common/gtests.cc'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/lib/util/util.gyp:nssutil3',
+        '<(DEPTH)/lib/nss/nss.gyp:nss3',
+        '<(DEPTH)/lib/smime/smime.gyp:smime',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+      ]
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/gtests/smime_gtest/smime_unittest.cc
@@ -0,0 +1,137 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License v. 2.0. If a copy of the MPL was not distributed with this file
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <string>
+
+#include "gtest/gtest.h"
+
+#include "scoped_ptrs_smime.h"
+#include "smime.h"
+
+namespace nss_test {
+
+// See bug 1507174; this is a CMS serialization (RFC 5652) that claims to be
+// 12336 bytes long, which ensures CMS validates the streaming decoder's
+// incorrect length.
+static const unsigned char kHugeLenAsn1[] = {
+    0x30, 0x82, 0x30, 0x30, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+    0x0D, 0x01, 0x07, 0x02, 0xA0, 0x82, 0x02, 0x30, 0x30, 0x30, 0x02,
+    0x01, 0x30, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x30, 0x30, 0x30,
+    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x00, 0x30, 0x0B, 0x06,
+    0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05};
+
+// secp256r1 signature with no certs and no attrs
+static unsigned char kValidSignature[] = {
+    0x30, 0x81, 0xFE, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+    0x07, 0x02, 0xA0, 0x81, 0xF0, 0x30, 0x81, 0xED, 0x02, 0x01, 0x01, 0x31,
+    0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+    0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x81, 0xC9, 0x30, 0x81, 0xC6, 0x02,
+    0x01, 0x01, 0x30, 0x5D, 0x30, 0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06,
+    0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53,
+    0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04,
+    0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20,
+    0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20,
+    0x4C, 0x74, 0x64, 0x02, 0x14, 0x6B, 0x22, 0xCA, 0x91, 0xE0, 0x71, 0x97,
+    0xEB, 0x45, 0x0D, 0x68, 0xC0, 0xD4, 0xB6, 0xE9, 0x45, 0x38, 0x4C, 0xDD,
+    0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE,
+    0x3D, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x48, 0xEB,
+    0xE6, 0xBA, 0xFC, 0xFD, 0x83, 0xB3, 0xA2, 0xB5, 0x59, 0x35, 0x0C, 0xA1,
+    0x31, 0x0E, 0x2F, 0xE3, 0x8D, 0x81, 0xD8, 0xF5, 0x33, 0xE4, 0x83, 0x87,
+    0xB1, 0xFD, 0x43, 0x9D, 0x95, 0x7D, 0x02, 0x21, 0x00, 0xD0, 0x05, 0x0E,
+    0x05, 0xA6, 0x80, 0x3C, 0x1A, 0xFE, 0x51, 0xFC, 0x4D, 0x1A, 0x25, 0x05,
+    0x78, 0xB5, 0x42, 0xF5, 0xDE, 0x4E, 0x8A, 0xF8, 0xE3, 0xD8, 0x52, 0xDC,
+    0x2B, 0x73, 0x80, 0x4A, 0x1A};
+
+// See bug 1507135; this is a CMS signature that contains only the OID
+static unsigned char kTruncatedSignature[] = {0x30, 0x0B, 0x06, 0x09, 0x2A,
+                                              0x86, 0x48, 0x86, 0xF7, 0x0D,
+                                              0x01, 0x07, 0x02};
+
+// secp256r1 signature that's truncated by one byte.
+static unsigned char kSlightlyTruncatedSignature[] = {
+    0x30, 0x81, 0xFE, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+    0x07, 0x02, 0xA0, 0x81, 0xF0, 0x30, 0x81, 0xED, 0x02, 0x01, 0x01, 0x31,
+    0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
+    0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x81, 0xC9, 0x30, 0x81, 0xC6, 0x02,
+    0x01, 0x01, 0x30, 0x5D, 0x30, 0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06,
+    0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53,
+    0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04,
+    0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20,
+    0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20,
+    0x4C, 0x74, 0x64, 0x02, 0x14, 0x6B, 0x22, 0xCA, 0x91, 0xE0, 0x71, 0x97,
+    0xEB, 0x45, 0x0D, 0x68, 0xC0, 0xD4, 0xB6, 0xE9, 0x45, 0x38, 0x4C, 0xDD,
+    0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+    0x02, 0x01, 0x05, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE,
+    0x3D, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x48, 0xEB,
+    0xE6, 0xBA, 0xFC, 0xFD, 0x83, 0xB3, 0xA2, 0xB5, 0x59, 0x35, 0x0C, 0xA1,
+    0x31, 0x0E, 0x2F, 0xE3, 0x8D, 0x81, 0xD8, 0xF5, 0x33, 0xE4, 0x83, 0x87,
+    0xB1, 0xFD, 0x43, 0x9D, 0x95, 0x7D, 0x02, 0x21, 0x00, 0xD0, 0x05, 0x0E,
+    0x05, 0xA6, 0x80, 0x3C, 0x1A, 0xFE, 0x51, 0xFC, 0x4D, 0x1A, 0x25, 0x05,
+    0x78, 0xB5, 0x42, 0xF5, 0xDE, 0x4E, 0x8A, 0xF8, 0xE3, 0xD8, 0x52, 0xDC,
+    0x2B, 0x73, 0x80, 0x4A};
+
+class SMimeTest : public ::testing::Test {};
+
+TEST_F(SMimeTest, InvalidDER) {
+  PK11SymKey* bulk_key = nullptr;
+  NSSCMSDecoderContext* dcx =
+      NSS_CMSDecoder_Start(nullptr, nullptr, nullptr, /* content callback  */
+                           nullptr, nullptr,          /* password callback */
+                           nullptr,                   /* key callback      */
+                           bulk_key);
+  ASSERT_NE(nullptr, dcx);
+  EXPECT_EQ(SECSuccess, NSS_CMSDecoder_Update(
+                            dcx, reinterpret_cast<const char*>(kHugeLenAsn1),
+                            sizeof(kHugeLenAsn1)));
+  EXPECT_EQ(nullptr, bulk_key);
+  ASSERT_FALSE(NSS_CMSDecoder_Finish(dcx));
+}
+
+TEST_F(SMimeTest, IsSignedValid) {
+  SECItem sig_der_item = {siBuffer, kValidSignature, sizeof(kValidSignature)};
+
+  ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
+      &sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
+
+  ASSERT_TRUE(cms_msg);
+
+  ASSERT_TRUE(NSS_CMSMessage_IsSigned(cms_msg.get()));
+}
+
+TEST_F(SMimeTest, TruncatedCmsSignature) {
+  SECItem sig_der_item = {siBuffer, kTruncatedSignature,
+                          sizeof(kTruncatedSignature)};
+
+  ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
+      &sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
+
+  ASSERT_TRUE(cms_msg);
+
+  ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));
+}
+
+TEST_F(SMimeTest, SlightlyTruncatedCmsSignature) {
+  SECItem sig_der_item = {siBuffer, kSlightlyTruncatedSignature,
+                          sizeof(kSlightlyTruncatedSignature)};
+
+  ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
+      &sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
+
+  ASSERT_FALSE(cms_msg);
+
+  ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));
+}
+
+TEST_F(SMimeTest, IsSignedNull) {
+  ASSERT_FALSE(NSS_CMSMessage_IsSigned(nullptr));
+}
+
+}  // namespace nss_test
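Review bot: `kSlightlyTruncatedSignature` is a second full copy of `kValidSignature` minus its last byte, so the two arrays can drift apart if one is regenerated. In `SlightlyTruncatedCmsSignature` the same input can be built from the valid vector with `SECItem sig_der_item = {siBuffer, kValidSignature, sizeof(kValidSignature) - 1};`, and the duplicate array can then be dropped. In that same test, the final `ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));` runs only after `ASSERT_FALSE(cms_msg)` has passed, so it always passes a null pointer and repeats what `IsSignedNull` already covers.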
--- a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
@@ -178,25 +178,22 @@ class TlsHkdfTest : public ::testing::Te
 
     SECStatus rv = tls13_HkdfExpandLabelRaw(prk->get(), base_hash, session_hash,
                                             session_hash_len, label, label_len,
                                             &output[0], output.size());
     ASSERT_EQ(SECSuccess, rv);
     DumpData("Output", &output[0], output.size());
     EXPECT_EQ(0, memcmp(expected.data(), &output[0], expected.len()));
 
-    if (session_hash_len > 0) {
-      return;
-    }
-
     // Verify that the public API produces the same result.
     PRUint16 cs = GetSomeCipherSuiteForHash(base_hash);
     PK11SymKey* secret;
-    rv = SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3, cs, prk->get(),
-                              label, label_len, &secret);
+    rv = SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, cs, prk->get(),
+                             session_hash, session_hash_len, label, label_len,
+                             &secret);
     EXPECT_EQ(SECSuccess, rv);
     ASSERT_NE(nullptr, prk);
     VerifyKey(ScopedPK11SymKey(secret), expected);
   }
 
  protected:
   ScopedPK11SymKey k1_;
   ScopedPK11SymKey k2_;
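Review bot: With the early return for a non-empty session hash removed, every case now reaches the public-API check, yet `PK11SymKey* secret;` is still uninitialized and the guard after the call is `ASSERT_NE(nullptr, prk);`, which tests the input key rather than the output. If `SSL_HkdfExpandLabel` fails, `EXPECT_EQ(SECSuccess, rv)` does not stop the test, and `VerifyKey(ScopedPK11SymKey(secret), expected)` would then wrap an indeterminate pointer and presumably try to free it. I would write `PK11SymKey* secret = nullptr;`, make the status check `ASSERT_EQ(SECSuccess, rv);` and change the guard to `ASSERT_NE(nullptr, secret);`. The enclosing helper starts above the hunk, so this is based on the visible lines only.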
@@ -342,61 +339,72 @@ TEST_P(TlsHkdfTest, BadExtractWrapperInp
   EXPECT_EQ(SECFailure, SSL_HkdfExtract(SSL_LIBRARY_VERSION_TLS_1_3,
                                         TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
                                         k2_.get(), nullptr));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   EXPECT_EQ(nullptr, key);
 }
 
-TEST_P(TlsHkdfTest, BadDeriveSecretWrapperInput) {
+TEST_P(TlsHkdfTest, BadExpandLabelWrapperInput) {
   PK11SymKey* key = nullptr;
   static const char* kLabel = "label";
 
   // Bad version.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_2,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             kLabel, strlen(kLabel), &key));
+  EXPECT_EQ(
+      SECFailure,
+      SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
+                          k1_.get(), nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Bad ciphersuite.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_RSA_WITH_NULL_MD5, k1_.get(),
-                                             kLabel, strlen(kLabel), &key));
+  EXPECT_EQ(
+      SECFailure,
+      SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, TLS_RSA_WITH_NULL_MD5,
+                          k1_.get(), nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Old ciphersuite.
   EXPECT_EQ(SECFailure,
-            SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                 TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
-                                 kLabel, strlen(kLabel), &key));
+            SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
+                                nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Null PRK.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_2,
-                                             TLS_AES_128_GCM_SHA256, nullptr,
-                                             kLabel, strlen(kLabel), &key));
+  EXPECT_EQ(SECFailure, SSL_HkdfExpandLabel(
+                            SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
+                            nullptr, nullptr, 0, kLabel, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
+  // Null, non-zero-length handshake hash.
+  EXPECT_EQ(
+      SECFailure,
+      SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
+                          k1_.get(), nullptr, 2, kLabel, strlen(kLabel), &key));
+
+  EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
   // Null, non-zero-length label.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             nullptr, strlen(kLabel), &key));
+  EXPECT_EQ(SECFailure,
+            SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 0,
+                                nullptr, strlen(kLabel), &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Null, empty label.
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             nullptr, 0, &key));
+  EXPECT_EQ(SECFailure, SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                            TLS_AES_128_GCM_SHA256, k1_.get(),
+                                            nullptr, 0, nullptr, 0, &key));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   // Null key pointer..
-  EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
-                                             TLS_AES_128_GCM_SHA256, k1_.get(),
-                                             kLabel, strlen(kLabel), nullptr));
+  EXPECT_EQ(SECFailure,
+            SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
+                                TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 0,
+                                kLabel, strlen(kLabel), nullptr));
   EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
 
   EXPECT_EQ(nullptr, key);
 }
 
 static const SSLHashType kHashTypes[] = {ssl_hash_sha256, ssl_hash_sha384};
 INSTANTIATE_TEST_CASE_P(AllHashFuncs, TlsHkdfTest,
                         ::testing::ValuesIn(kHashTypes));
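Review bot: The new "Null, non-zero-length handshake hash" case in `BadExpandLabelWrapperInput` passes `SSL_LIBRARY_VERSION_TLS_1_2`, the same value the "Bad version" case uses, so the call presumably fails on the version check and the null-hash validation is never what is exercised; the "Null PRK" case has the same problem. Use `SSL_LIBRARY_VERSION_TLS_1_3` in both so that each case varies exactly one argument. The error code is also never reset between cases, so a stale `SEC_ERROR_INVALID_ARGS` from the previous call would satisfy each `PORT_GetError()` check; a `PORT_SetError(0);` before each call would make those assertions meaningful. As a minor style point, the blank line in the new case sits between the call and its `PORT_GetError()` check rather than before the next comment.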
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -23148,8 +23148,683 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\312\351\033\211\361\125\003\015\243\346\101\155\304
 \343\246\341
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign Root CA - G1"
+#
+# Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8
+# Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67
+# Fingerprint (SHA1): 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - G1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\107\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\107\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\061\365\344\142\014\154\130\355\326\330
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\224\060\202\002\174\240\003\002\001\002\002\012\061
+\365\344\142\014\154\130\355\326\330\060\015\006\011\052\206\110
+\206\367\015\001\001\013\005\000\060\147\061\013\060\011\006\003
+\125\004\006\023\002\111\116\061\023\060\021\006\003\125\004\013
+\023\012\145\155\123\151\147\156\040\120\113\111\061\045\060\043
+\006\003\125\004\012\023\034\145\115\165\144\150\162\141\040\124
+\145\143\150\156\157\154\157\147\151\145\163\040\114\151\155\151
+\164\145\144\061\034\060\032\006\003\125\004\003\023\023\145\155
+\123\151\147\156\040\122\157\157\164\040\103\101\040\055\040\107
+\061\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
+\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
+\132\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116
+\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
+\156\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034
+\145\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157
+\147\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032
+\006\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157
+\157\164\040\103\101\040\055\040\107\061\060\202\001\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
+\017\000\060\202\001\012\002\202\001\001\000\223\113\273\351\146
+\212\356\235\133\325\064\223\320\033\036\303\347\236\270\144\063
+\177\143\170\150\264\315\056\161\165\327\233\040\306\115\051\274
+\266\150\140\212\367\041\232\126\065\132\363\166\275\330\315\232
+\377\223\126\113\245\131\006\241\223\064\051\335\026\064\165\116
+\362\201\264\307\226\116\255\031\025\122\112\376\074\160\165\160
+\315\257\053\253\025\232\063\074\252\263\213\252\315\103\375\365
+\352\160\377\355\317\021\073\224\316\116\062\026\323\043\100\052
+\167\263\257\074\001\054\154\355\231\054\213\331\116\151\230\262
+\367\217\101\260\062\170\141\326\015\137\303\372\242\100\222\035
+\134\027\346\160\076\065\347\242\267\302\142\342\253\244\070\114
+\265\071\065\157\352\003\151\372\072\124\150\205\155\326\362\057
+\103\125\036\221\015\016\330\325\152\244\226\321\023\074\054\170
+\120\350\072\222\322\027\126\345\065\032\100\034\076\215\054\355
+\071\337\102\340\203\101\164\337\243\315\302\206\140\110\150\343
+\151\013\124\000\213\344\166\151\041\015\171\116\064\010\136\024
+\302\314\261\267\255\327\174\160\212\307\205\002\003\001\000\001
+\243\102\060\100\060\035\006\003\125\035\016\004\026\004\024\373
+\357\015\206\236\260\343\335\251\271\361\041\027\177\076\374\360
+\167\053\032\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
+\013\005\000\003\202\001\001\000\131\377\362\214\365\207\175\161
+\075\243\237\033\133\321\332\370\323\234\153\066\275\233\251\141
+\353\336\026\054\164\075\236\346\165\332\327\272\247\274\102\027
+\347\075\221\353\345\175\335\076\234\361\317\222\254\154\110\314
+\302\042\077\151\073\305\266\025\057\243\065\306\150\052\034\127
+\257\071\357\215\320\065\303\030\014\173\000\126\034\315\213\031
+\164\336\276\017\022\340\320\252\241\077\002\064\261\160\316\235
+\030\326\010\003\011\106\356\140\340\176\266\304\111\004\121\175
+\160\140\274\252\262\377\171\162\172\246\035\075\137\052\370\312
+\342\375\071\267\107\271\353\176\337\004\043\257\372\234\006\007
+\351\373\143\223\200\100\265\306\154\012\061\050\316\014\237\317
+\263\043\065\200\101\215\154\304\067\173\201\057\200\241\100\102
+\205\351\331\070\215\350\241\123\315\001\277\151\350\132\006\362
+\105\013\220\372\256\341\277\235\362\256\127\074\245\256\262\126
+\364\213\145\100\351\375\061\201\054\364\071\011\330\356\153\247
+\264\246\035\025\245\230\367\001\201\330\205\175\363\121\134\161
+\210\336\272\314\037\200\176\112
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign Root CA - G1"
+# Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8
+# Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67
+# Fingerprint (SHA1): 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - G1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\212\307\255\217\163\254\116\301\265\165\115\245\100\364\374\317
+\174\265\216\214
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\234\102\204\127\335\313\013\247\056\225\255\266\363\332\274\254
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\107\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\061\365\344\142\014\154\130\355\326\330
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign ECC Root CA - G3"
+#
+# Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84
+# Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B
+# Fingerprint (SHA1): 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\074\366\007\251\150\160\016\332\213\204
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\116\060\202\001\323\240\003\002\001\002\002\012\074
+\366\007\251\150\160\016\332\213\204\060\012\006\010\052\206\110
+\316\075\004\003\003\060\153\061\013\060\011\006\003\125\004\006
+\023\002\111\116\061\023\060\021\006\003\125\004\013\023\012\145
+\155\123\151\147\156\040\120\113\111\061\045\060\043\006\003\125
+\004\012\023\034\145\115\165\144\150\162\141\040\124\145\143\150
+\156\157\154\157\147\151\145\163\040\114\151\155\151\164\145\144
+\061\040\060\036\006\003\125\004\003\023\027\145\155\123\151\147
+\156\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040
+\107\063\060\036\027\015\061\070\060\062\061\070\061\070\063\060
+\060\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060
+\060\132\060\153\061\013\060\011\006\003\125\004\006\023\002\111
+\116\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151
+\147\156\040\120\113\111\061\045\060\043\006\003\125\004\012\023
+\034\145\115\165\144\150\162\141\040\124\145\143\150\156\157\154
+\157\147\151\145\163\040\114\151\155\151\164\145\144\061\040\060
+\036\006\003\125\004\003\023\027\145\155\123\151\147\156\040\105
+\103\103\040\122\157\157\164\040\103\101\040\055\040\107\063\060
+\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201
+\004\000\042\003\142\000\004\043\245\014\270\055\022\365\050\363
+\261\262\335\342\002\022\200\236\071\137\111\115\237\311\045\064
+\131\164\354\273\006\034\347\300\162\257\350\256\057\341\101\124
+\207\024\250\112\262\350\174\202\346\133\152\265\334\263\165\316
+\213\006\320\206\043\277\106\325\216\017\077\004\364\327\034\222
+\176\366\245\143\302\365\137\216\056\117\241\030\031\002\053\062
+\012\202\144\175\026\223\321\243\102\060\100\060\035\006\003\125
+\035\016\004\026\004\024\174\135\002\204\023\324\314\212\233\201
+\316\027\034\056\051\036\234\110\143\102\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\012\006\010\052
+\206\110\316\075\004\003\003\003\151\000\060\146\002\061\000\276
+\363\141\317\002\020\035\144\225\007\270\030\156\210\205\005\057
+\203\010\027\220\312\037\212\114\350\015\033\172\261\255\325\201
+\011\107\357\073\254\010\004\174\134\231\261\355\107\007\322\002
+\061\000\235\272\125\374\251\112\350\355\355\346\166\001\102\173
+\310\370\140\331\215\121\213\125\073\373\214\173\353\145\011\303
+\370\226\315\107\250\202\362\026\125\167\044\176\022\020\225\004
+\054\243
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign ECC Root CA - G3"
+# Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84
+# Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B
+# Fingerprint (SHA1): 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\060\103\372\117\362\127\334\240\303\200\356\056\130\352\170\262
+\077\346\273\301
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\316\013\162\321\237\210\216\320\120\003\350\343\270\213\147\100
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
+\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
+\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\074\366\007\251\150\160\016\332\213\204
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign Root CA - C1"
+#
+# Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2
+# Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F
+# Fingerprint (SHA1): E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - C1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
+\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
+\040\103\101\040\055\040\103\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
+\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
+\040\103\101\040\055\040\103\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\013\000\256\317\000\272\304\317\062\370\103\262
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\163\060\202\002\133\240\003\002\001\002\002\013\000
+\256\317\000\272\304\317\062\370\103\262\060\015\006\011\052\206
+\110\206\367\015\001\001\013\005\000\060\126\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\023\060\021\006\003\125\004
+\013\023\012\145\155\123\151\147\156\040\120\113\111\061\024\060
+\022\006\003\125\004\012\023\013\145\115\165\144\150\162\141\040
+\111\156\143\061\034\060\032\006\003\125\004\003\023\023\145\155
+\123\151\147\156\040\122\157\157\164\040\103\101\040\055\040\103
+\061\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
+\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
+\132\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
+\156\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013
+\145\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006
+\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
+\164\040\103\101\040\055\040\103\061\060\202\001\042\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+\000\060\202\001\012\002\202\001\001\000\317\353\251\271\361\231
+\005\314\330\050\041\112\363\163\064\121\204\126\020\365\240\117
+\054\022\343\372\023\232\047\320\317\371\171\032\164\137\035\171
+\071\374\133\370\160\216\340\222\122\367\344\045\371\124\203\331
+\035\323\310\132\205\077\136\307\266\007\356\076\300\316\232\257
+\254\126\102\052\071\045\160\326\277\265\173\066\255\254\366\163
+\334\315\327\035\212\203\245\373\053\220\025\067\153\034\046\107
+\334\073\051\126\223\152\263\301\152\072\235\075\365\301\227\070
+\130\005\213\034\021\343\344\264\270\135\205\035\203\376\170\137
+\013\105\150\030\110\245\106\163\064\073\376\017\310\166\273\307
+\030\363\005\321\206\363\205\355\347\271\331\062\255\125\210\316
+\246\266\221\260\117\254\176\025\043\226\366\077\360\040\064\026
+\336\012\306\304\004\105\171\177\247\375\276\322\251\245\257\234
+\305\043\052\367\074\041\154\275\257\217\116\305\072\262\363\064
+\022\374\337\200\032\111\244\324\251\225\367\236\211\136\242\211
+\254\224\313\250\150\233\257\212\145\047\315\211\356\335\214\265
+\153\051\160\103\240\151\013\344\271\017\002\003\001\000\001\243
+\102\060\100\060\035\006\003\125\035\016\004\026\004\024\376\241
+\340\160\036\052\003\071\122\132\102\276\134\221\205\172\030\252
+\115\265\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\003\202\001\001\000\302\112\126\372\025\041\173\050\242
+\351\345\035\373\370\055\304\071\226\101\114\073\047\054\304\154
+\030\025\200\306\254\257\107\131\057\046\013\343\066\260\357\073
+\376\103\227\111\062\231\022\025\133\337\021\051\377\253\123\370
+\273\301\170\017\254\234\123\257\127\275\150\214\075\151\063\360
+\243\240\043\143\073\144\147\042\104\255\325\161\313\126\052\170
+\222\243\117\022\061\066\066\342\336\376\000\304\243\140\017\047
+\255\240\260\212\265\066\172\122\241\275\047\364\040\047\142\350
+\115\224\044\023\344\012\004\351\074\253\056\310\103\011\112\306
+\141\004\345\111\064\176\323\304\310\365\017\300\252\351\272\124
+\136\363\143\053\117\117\120\324\376\271\173\231\214\075\300\056
+\274\002\053\323\304\100\344\212\007\061\036\233\316\046\231\023
+\373\021\352\232\042\014\021\031\307\136\033\201\120\060\310\226
+\022\156\347\313\101\177\221\073\242\107\267\124\200\033\334\000
+\314\232\220\352\303\303\120\006\142\014\060\300\025\110\247\250
+\131\174\341\256\042\242\342\012\172\017\372\142\253\122\114\341
+\361\337\312\276\203\015\102
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign Root CA - C1"
+# Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2
+# Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F
+# Fingerprint (SHA1): E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign Root CA - C1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\347\056\361\337\374\262\011\050\317\135\324\325\147\067\261\121
+\313\206\117\001
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\330\343\135\001\041\372\170\132\260\337\272\322\356\052\137\150
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
+\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
+\040\103\101\040\055\040\103\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\013\000\256\317\000\272\304\317\062\370\103\262
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "emSign ECC Root CA - C3"
+#
+# Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8
+# Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3
+# Fingerprint (SHA1): B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - C3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
+\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
+\122\157\157\164\040\103\101\040\055\040\103\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
+\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
+\122\157\157\164\040\103\101\040\055\040\103\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\173\161\266\202\126\270\022\174\234\250
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\053\060\202\001\261\240\003\002\001\002\002\012\173
+\161\266\202\126\270\022\174\234\250\060\012\006\010\052\206\110
+\316\075\004\003\003\060\132\061\013\060\011\006\003\125\004\006
+\023\002\125\123\061\023\060\021\006\003\125\004\013\023\012\145
+\155\123\151\147\156\040\120\113\111\061\024\060\022\006\003\125
+\004\012\023\013\145\115\165\144\150\162\141\040\111\156\143\061
+\040\060\036\006\003\125\004\003\023\027\145\155\123\151\147\156
+\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040\103
+\063\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
+\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
+\132\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
+\156\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013
+\145\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006
+\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
+\040\122\157\157\164\040\103\101\040\055\040\103\063\060\166\060
+\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
+\042\003\142\000\004\375\245\141\256\173\046\020\035\351\267\042
+\060\256\006\364\201\263\261\102\161\225\071\274\323\122\343\257
+\257\371\362\227\065\222\066\106\016\207\225\215\271\071\132\351
+\273\337\320\376\310\007\101\074\273\125\157\203\243\152\373\142
+\260\201\211\002\160\175\110\305\112\343\351\042\124\042\115\223
+\273\102\014\257\167\234\043\246\175\327\141\021\316\145\307\370
+\177\376\365\362\251\243\102\060\100\060\035\006\003\125\035\016
+\004\026\004\024\373\132\110\320\200\040\100\362\250\351\000\007
+\151\031\167\247\346\303\364\317\060\016\006\003\125\035\017\001
+\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
+\001\377\004\005\060\003\001\001\377\060\012\006\010\052\206\110
+\316\075\004\003\003\003\150\000\060\145\002\061\000\264\330\057
+\002\211\375\266\114\142\272\103\116\023\204\162\265\256\335\034
+\336\326\265\334\126\217\130\100\132\055\336\040\114\042\203\312
+\223\250\176\356\022\100\307\326\207\117\370\337\205\002\060\034
+\024\144\344\174\226\203\021\234\260\321\132\141\113\246\017\111
+\323\000\374\241\374\344\245\377\177\255\327\060\320\307\167\177
+\276\201\007\125\060\120\040\024\365\127\070\012\250\061\121
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "emSign ECC Root CA - C3"
+# Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8
+# Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
+# Not Valid Before: Sun Feb 18 18:30:00 2018
+# Not Valid After : Wed Feb 18 18:30:00 2043
+# Fingerprint (SHA-256): BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3
+# Fingerprint (SHA1): B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "emSign ECC Root CA - C3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\266\257\103\302\233\201\123\175\366\357\153\303\037\037\140\025
+\014\356\110\146
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\076\123\263\243\201\356\327\020\370\323\260\035\027\222\365\325
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
+\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
+\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
+\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
+\122\157\157\164\040\103\101\040\055\040\103\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\012\173\161\266\202\126\270\022\174\234\250
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Hongkong Post Root CA 3"
+#
+# Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
+# Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Not Valid Before: Sat Jun 03 02:29:46 2017
+# Not Valid After : Tue Jun 03 02:29:46 2042
+# Fingerprint (SHA-256): 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
+# Fingerprint (SHA1): 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Hongkong Post Root CA 3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
+\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
+\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
+\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
+\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
+\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
+\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
+\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
+\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
+\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
+\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
+\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
+\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
+\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
+\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\010\026\137\212\114\245\354\000\311\223\100\337\304\306
+\256\043\270\034\132\244
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\317\060\202\003\267\240\003\002\001\002\002\024\010
+\026\137\212\114\245\354\000\311\223\100\337\304\306\256\043\270
+\034\132\244\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\157\061\013\060\011\006\003\125\004\006\023\002\110
+\113\061\022\060\020\006\003\125\004\010\023\011\110\157\156\147
+\040\113\157\156\147\061\022\060\020\006\003\125\004\007\023\011
+\110\157\156\147\040\113\157\156\147\061\026\060\024\006\003\125
+\004\012\023\015\110\157\156\147\153\157\156\147\040\120\157\163
+\164\061\040\060\036\006\003\125\004\003\023\027\110\157\156\147
+\153\157\156\147\040\120\157\163\164\040\122\157\157\164\040\103
+\101\040\063\060\036\027\015\061\067\060\066\060\063\060\062\062
+\071\064\066\132\027\015\064\062\060\066\060\063\060\062\062\071
+\064\066\132\060\157\061\013\060\011\006\003\125\004\006\023\002
+\110\113\061\022\060\020\006\003\125\004\010\023\011\110\157\156
+\147\040\113\157\156\147\061\022\060\020\006\003\125\004\007\023
+\011\110\157\156\147\040\113\157\156\147\061\026\060\024\006\003
+\125\004\012\023\015\110\157\156\147\153\157\156\147\040\120\157
+\163\164\061\040\060\036\006\003\125\004\003\023\027\110\157\156
+\147\153\157\156\147\040\120\157\163\164\040\122\157\157\164\040
+\103\101\040\063\060\202\002\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
+\002\202\002\001\000\263\210\327\352\316\017\040\116\276\346\326
+\003\155\356\131\374\302\127\337\051\150\241\203\016\076\150\307
+\150\130\234\034\140\113\211\103\014\271\324\025\262\356\301\116
+\165\351\265\247\357\345\351\065\231\344\314\034\347\113\137\215
+\063\060\040\063\123\331\246\273\325\076\023\216\351\037\207\111
+\255\120\055\120\312\030\276\001\130\242\023\160\226\273\211\210
+\126\200\134\370\275\054\074\341\114\127\210\273\323\271\225\357
+\313\307\366\332\061\164\050\246\346\124\211\365\101\061\312\345
+\046\032\315\202\340\160\332\073\051\273\325\003\365\231\272\125
+\365\144\321\140\016\263\211\111\270\212\057\005\322\204\105\050
+\174\217\150\120\022\170\374\013\265\123\313\302\230\034\204\243
+\236\260\276\043\244\332\334\310\053\036\332\156\105\036\211\230
+\332\371\000\056\006\351\014\073\160\325\120\045\210\231\313\315
+\163\140\367\325\377\065\147\305\241\274\136\253\315\112\270\105
+\353\310\150\036\015\015\024\106\022\343\322\144\142\212\102\230
+\274\264\306\010\010\370\375\250\114\144\234\166\001\275\057\251
+\154\063\017\330\077\050\270\074\151\001\102\206\176\151\301\311
+\006\312\345\172\106\145\351\302\326\120\101\056\077\267\344\355
+\154\327\277\046\001\021\242\026\051\112\153\064\006\220\354\023
+\322\266\373\152\166\322\074\355\360\326\055\335\341\025\354\243
+\233\057\054\311\076\053\344\151\073\377\162\045\261\066\206\133
+\307\177\153\213\125\033\112\305\040\141\075\256\313\120\341\010
+\072\276\260\217\143\101\123\060\010\131\074\230\035\167\272\143
+\221\172\312\020\120\140\277\360\327\274\225\207\217\227\305\376
+\227\152\001\224\243\174\133\205\035\052\071\072\320\124\241\321
+\071\161\235\375\041\371\265\173\360\342\340\002\217\156\226\044
+\045\054\240\036\054\250\304\211\247\357\355\231\006\057\266\012
+\114\117\333\242\314\067\032\257\107\205\055\212\137\304\064\064
+\114\000\375\030\223\147\023\321\067\346\110\264\213\006\305\127
+\173\031\206\012\171\313\000\311\122\257\102\377\067\217\341\243
+\036\172\075\120\253\143\006\347\025\265\077\266\105\067\224\067
+\261\176\362\110\303\177\305\165\376\227\215\105\217\032\247\032
+\162\050\032\100\017\002\003\001\000\001\243\143\060\141\060\017
+\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
+\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060
+\037\006\003\125\035\043\004\030\060\026\200\024\027\235\315\036
+\213\326\071\053\160\323\134\324\240\270\037\260\000\374\305\141
+\060\035\006\003\125\035\016\004\026\004\024\027\235\315\036\213
+\326\071\053\160\323\134\324\240\270\037\260\000\374\305\141\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
+\002\001\000\126\325\173\156\346\042\001\322\102\233\030\325\016
+\327\146\043\134\343\376\240\307\222\322\351\224\255\113\242\306
+\354\022\174\164\325\110\322\131\024\231\300\353\271\321\353\364
+\110\060\133\255\247\127\163\231\251\323\345\267\321\056\131\044
+\130\334\150\056\056\142\330\152\344\160\013\055\040\120\040\244
+\062\225\321\000\230\273\323\375\367\062\362\111\256\306\172\340
+\107\276\156\316\313\243\162\072\055\151\135\313\310\350\105\071
+\324\372\102\301\021\114\167\135\222\373\152\377\130\104\345\353
+\201\236\257\240\231\255\276\251\001\146\313\070\035\074\337\103
+\037\364\115\156\264\272\027\106\374\175\375\207\201\171\152\015
+\063\017\372\057\370\024\271\200\263\135\115\252\227\341\371\344
+\030\305\370\325\070\214\046\074\375\362\050\342\356\132\111\210
+\054\337\171\075\216\236\220\074\275\101\112\072\335\133\366\232
+\264\316\077\045\060\177\062\175\242\003\224\320\334\172\241\122
+\336\156\223\215\030\046\375\125\254\275\217\233\322\317\257\347
+\206\054\313\037\011\157\243\157\251\204\324\163\277\115\241\164
+\033\116\043\140\362\314\016\252\177\244\234\114\045\250\262\146
+\073\070\377\331\224\060\366\162\204\276\150\125\020\017\306\163
+\054\026\151\223\007\376\261\105\355\273\242\125\152\260\332\265
+\112\002\045\047\205\327\267\267\206\104\026\211\154\200\053\076
+\227\251\234\325\176\125\114\306\336\105\020\034\352\351\073\237
+\003\123\356\356\172\001\002\026\170\324\350\302\276\106\166\210
+\023\077\042\273\110\022\035\122\000\264\002\176\041\032\036\234
+\045\364\363\075\136\036\322\034\371\263\055\266\367\067\134\306
+\313\041\116\260\367\231\107\030\205\301\053\272\125\256\006\352
+\320\007\262\334\253\320\202\226\165\316\322\120\376\231\347\317
+\057\237\347\166\321\141\052\373\041\273\061\320\252\237\107\244
+\262\042\312\026\072\120\127\304\133\103\147\305\145\142\003\111
+\001\353\103\331\330\370\236\255\317\261\143\016\105\364\240\132
+\054\233\055\305\246\300\255\250\107\364\047\114\070\015\056\033
+\111\073\122\364\350\210\203\053\124\050\324\362\065\122\264\062
+\203\142\151\144\014\221\234\237\227\352\164\026\375\037\021\006
+\232\233\364
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "Hongkong Post Root CA 3"
+# Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
+# Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
+# Not Valid Before: Sat Jun 03 02:29:46 2017
+# Not Valid After : Tue Jun 03 02:29:46 2042
+# Fingerprint (SHA-256): 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
+# Fingerprint (SHA1): 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Hongkong Post Root CA 3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\130\242\320\354\040\122\201\133\301\363\370\144\002\044\116\302
+\216\002\113\002
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\021\374\237\275\163\060\002\212\375\077\363\130\271\313\040\360
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
+\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
+\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
+\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
+\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
+\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
+\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
+\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\010\026\137\212\114\245\354\000\311\223\100\337\304\306
+\256\043\270\034\132\244
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -41,18 +41,18 @@
  *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 30
-#define NSS_BUILTINS_LIBRARY_VERSION "2.30"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 32
+#define NSS_BUILTINS_LIBRARY_VERSION "2.32"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/ssl/sslexp.h
+++ b/security/nss/lib/ssl/sslexp.h
@@ -685,24 +685,25 @@ typedef struct SSLAeadContextStr SSLAead
  * use these TLS functions as a KDF. This is only supported for TLS 1.3. */
 #define SSL_HkdfExtract(version, cipherSuite, salt, ikm, keyp)      \
     SSL_EXPERIMENTAL_API("SSL_HkdfExtract",                         \
                          (PRUint16 _version, PRUint16 _cipherSuite, \
                           PK11SymKey * _salt, PK11SymKey * _ikm,    \
                           PK11SymKey * *_keyp),                     \
                          (version, cipherSuite, salt, ikm, keyp))
 
-#define SSL_HkdfDeriveSecret(version, cipherSuite, prk,               \
-                             label, labelLen, keyp)                   \
-    SSL_EXPERIMENTAL_API("SSL_HkdfDeriveSecret",                      \
-                         (PRUint16 _version, PRUint16 _cipherSuite,   \
-                          PK11SymKey * _prk,                          \
-                          const char *_label, unsigned int _labelLen, \
-                          PK11SymKey **_keyp),                        \
-                         (version, cipherSuite, prk,                  \
-                          label, labelLen, keyp))
+#define SSL_HkdfExpandLabel(version, cipherSuite, prk,                     \
+                            hsHash, hsHashLen, label, labelLen, keyp)      \
+    SSL_EXPERIMENTAL_API("SSL_HkdfExpandLabel",                            \
+                         (PRUint16 _version, PRUint16 _cipherSuite,        \
+                          PK11SymKey * _prk,                               \
+                          const PRUint8 *_hsHash, unsigned int _hsHashLen, \
+                          const char *_label, unsigned int _labelLen,      \
+                          PK11SymKey **_keyp),                             \
+                         (version, cipherSuite, prk,                       \
+                          hsHash, hsHashLen, label, labelLen, keyp))
 
 /* Deprecated experimental APIs */
 #define SSL_UseAltServerHelloType(fd, enable) SSL_DEPRECATED_EXPERIMENTAL_API
 
 SEC_END_PROTOS
 
 #endif /* __sslexp_h_ */
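Review bot: The new `hsHash`/`hsHashLen` parameters of `SSL_HkdfExpandLabel` are undocumented; the comment above the macros (only its tail is visible in this hunk) gives no indication of what they carry or whether they may be empty. The previous implementation passed `NULL, 0` in this position, so an empty context is evidently a valid input and callers migrating from `SSL_HkdfDeriveSecret` need to be told that. I would add a comment directly above the macro, for example `/* SSL_HkdfExpandLabel: hsHash/hsHashLen give the context (handshake hash) fed to HKDF-Expand-Label; pass NULL and 0 for an empty context. */`.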
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1770,19 +1770,20 @@ SECStatus SSLExp_AeadEncrypt(const SSLAe
                              PRUint8 *out, unsigned int *outLen, unsigned int maxOut);
 SECStatus SSLExp_AeadDecrypt(const SSLAeadContext *ctx, PRUint64 counter,
                              const PRUint8 *aad, unsigned int aadLen,
                              const PRUint8 *plaintext, unsigned int plaintextLen,
                              PRUint8 *out, unsigned int *outLen, unsigned int maxOut);
 
 SECStatus SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite,
                              PK11SymKey *salt, PK11SymKey *ikm, PK11SymKey **keyp);
-SECStatus SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
-                                  const char *label, unsigned int labelLen,
-                                  PK11SymKey **key);
+SECStatus SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
+                                 const PRUint8 *hsHash, unsigned int hsHashLen,
+                                 const char *label, unsigned int labelLen,
+                                 PK11SymKey **key);
 
 SEC_END_PROTOS
 
 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
 #define SSL_GETPID getpid
 #elif defined(WIN32)
 extern int __cdecl _getpid(void);
 #define SSL_GETPID _getpid
--- a/security/nss/lib/ssl/sslprimitive.c
+++ b/security/nss/lib/ssl/sslprimitive.c
@@ -221,29 +221,30 @@ SSLExp_HkdfExtract(PRUint16 version, PRU
                                           &hash, &cipher);
     if (rv != SECSuccess) {
         return SECFailure; /* Code already set. */
     }
     return tls13_HkdfExtract(salt, ikm, hash, keyp);
 }
 
 SECStatus
-SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
-                        const char *label, unsigned int labelLen,
-                        PK11SymKey **keyp)
+SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
+                       const PRUint8 *hsHash, unsigned int hsHashLen,
+                       const char *label, unsigned int labelLen,
+                       PK11SymKey **keyp)
 {
     if (prk == NULL || keyp == NULL ||
         label == NULL || labelLen == 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     SSLHashType hash;
     const ssl3BulkCipherDef *cipher; /* Unused here. */
     SECStatus rv = tls13_GetHashAndCipher(version, cipherSuite,
                                           &hash, &cipher);
     if (rv != SECSuccess) {
         return SECFailure; /* Code already set. */
     }
-    return tls13_HkdfExpandLabel(prk, hash, NULL, 0, label, labelLen,
+    return tls13_HkdfExpandLabel(prk, hash, hsHash, hsHashLen, label, labelLen,
                                  tls13_GetHkdfMechanismForHash(hash),
                                  tls13_GetHashSizeForHash(hash), keyp);
 }
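Review bot: The argument check in `SSLExp_HkdfExpandLabel` was not extended to cover the new parameters, so a caller passing `hsHash == NULL` with a non-zero `hsHashLen` gets past it and the pair is handed straight to `tls13_HkdfExpandLabel`. That helper is not visible in this hunk, so whether it rejects the combination or reads through the null pointer cannot be confirmed from here. Since this is an exported experimental entry point, I would reject it at the boundary by adding `|| (hsHash == NULL && hsHashLen != 0)` to the existing condition, so it fails with `SEC_ERROR_INVALID_ARGS` like the other bad inputs.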
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -4048,17 +4048,17 @@ struct {
     EXP(EnableESNI),
     EXP(EncodeESNIKeys),
     EXP(GetCurrentEpoch),
     EXP(GetExtensionSupport),
     EXP(GetResumptionTokenInfo),
     EXP(HelloRetryRequestCallback),
     EXP(InstallExtensionHooks),
     EXP(HkdfExtract),
-    EXP(HkdfDeriveSecret),
+    EXP(HkdfExpandLabel),
     EXP(KeyUpdate),
     EXP(MakeAead),
     EXP(RecordLayerData),
     EXP(RecordLayerWriteCallback),
     EXP(SecretCallback),
     EXP(SendCertificateRequest),
     EXP(SendSessionTicket),
     EXP(SetESNIKeyPair),
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -198,16 +198,17 @@
             'gtests/cryptohi_gtest/cryptohi_gtest.gyp:cryptohi_gtest',
             'gtests/der_gtest/der_gtest.gyp:der_gtest',
             'gtests/certdb_gtest/certdb_gtest.gyp:certdb_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:blake2b_gtest',
             'gtests/mozpkix_gtest/mozpkix_gtest.gyp:mozpkix_gtest',
             'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
             'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
+            'gtests/smime_gtest/smime_gtest.gyp:smime_gtest',
             'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
           ],
           'conditions': [
             [ 'OS=="linux"', {
               'dependencies': [
                 'cmd/lowhashtest/lowhashtest.gyp:lowhashtest',
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -82,12 +82,12 @@ gtest_start()
 gtest_cleanup()
 {
   html "</TABLE><BR>"
   cd "${QADIR}"
   . common/cleanup.sh
 }
 
 ################## main #################################################
-GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest}"
+GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
 gtest_init "$0"
 gtest_start
 gtest_cleanup
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -1220,16 +1220,61 @@ ssl_scheme()
             kill_selfserv
         done
     done
     NO_ECC_CERTS=0
 
     html "</TABLE><BR>"
 }
 
+############################ ssl_scheme_stress ##########################
+# local shell function to test strsclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme_stress()
+{
+    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+        echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+        return 0
+    fi
+
+    html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+    NO_ECC_CERTS=1
+    schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+    for sscheme in "${schemes[@]}"; do
+        for cscheme in "${schemes[@]}"; do
+            testname="ssl_scheme server='$sscheme' client='$cscheme'"
+            echo "${testname}"
+
+            start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+            echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+            echo "         -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE}"
+            ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} ${CLIENT_OPTIONS} \
+                        -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE} 2>&1
+            ret=$?
+            # If both schemes include just one option and those options don't
+            # match, then the test should fail; otherwise, assume that it works.
+            if [ "${cscheme#*,}" = "$cscheme" -a \
+                 "${sscheme#*,}" = "$sscheme" -a \
+                 "$cscheme" != "$sscheme" ]; then
+                expected=1
+            else
+                expected=0
+            fi
+            html_msg $ret $expected "${testname}" \
+                     "produced a returncode of $ret, expected is $expected"
+            kill_selfserv
+        done
+    done
+    NO_ECC_CERTS=0
+
+    html "</TABLE><BR>"
+}
+
 ############################## ssl_cleanup #############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
 ########################################################################
 ssl_cleanup()
 {
   rm $SERVERPID 2>/dev/null
   cd ${QADIR}
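Review bot: In `ssl_scheme_stress` the FIPS skip message prints `$testname` before the function has assigned it, so the log shows whatever an earlier test left in that variable, or nothing at all. Name the test literally instead, e.g. `echo "$SCRIPTNAME: skipping  ssl_scheme_stress (non-FIPS only)"`. The per-case label is also still `testname="ssl_scheme server=..."` under an "SSL SCHEME" header, which appears to be carried over from `ssl_scheme` (whose body is mostly outside this hunk) and would make the two sets of results hard to tell apart in the report. Using `testname="ssl_scheme_stress server='$sscheme' client='$cscheme'"` would separate them.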
@@ -1262,16 +1307,17 @@ ssl_run()
         "stress")
             ssl_stress
             ;;
         "dtls")
             ssl_dtls
             ;;
         "scheme")
             ssl_scheme
+            ssl_scheme_stress
             ;;
          esac
     done
 }
 
 ############################ ssl_run_all ###############################
 # local shell function to run both standard and extended ssl tests
 ########################################################################