Bug 1049006 - Update Mozilla 33 to use NSS 3.17 final and NSPR 4.10.7 final, r=wtc, a=sylvestre
authorKai Engert <kaie@kuix.de>
Wed, 13 Aug 2014 22:05:13 +0200
changeset 217468 28ca334743079c22e294af16c31ccc7288829062
parent 217467 3dace7559a93b190f13a010dac3dfcd547c2678c
child 217469 540ac322aac8f3ba7de93e4b720e05770187723a
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerswtc, sylvestre
bugs1049006
milestone33.0a2
Bug 1049006 - Update Mozilla 33 to use NSS 3.17 final and NSPR 4.10.7 final, r=wtc, a=sylvestre
nsprpub/TAG-INFO
nsprpub/config/prdepend.h
nsprpub/configure
nsprpub/configure.in
nsprpub/pr/include/prinit.h
nsprpub/pr/src/md/unix/unix.c
nsprpub/pr/tests/vercheck.c
security/nss/Makefile
security/nss/TAG-INFO
security/nss/cmd/lib/secutil.c
security/nss/coreconf/WIN32.mk
security/nss/coreconf/coreconf.dep
security/nss/doc/certutil.xml
security/nss/doc/html/certutil.html
security/nss/doc/html/pp.html
security/nss/doc/nroff/certutil.1
security/nss/doc/nroff/pp.1
security/nss/doc/pp.xml
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/crmf/servget.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
security/nss/lib/nss/nss.h
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/util/nssutil.h
security/nss/tests/libpkix/certs/PayPalEE.cert
--- a/nsprpub/TAG-INFO
+++ b/nsprpub/TAG-INFO
@@ -1,1 +1,1 @@
-NSPR_4_10_7_BETA3
+NSPR_4_10_7_RTM
--- a/nsprpub/config/prdepend.h
+++ b/nsprpub/config/prdepend.h
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSPR in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -790,16 +790,17 @@ with_dist_includedir
 with_dist_libdir
 with_mozilla
 enable_optimize
 enable_debug
 enable_debug_symbols
 enable_win32_target
 enable_symbian_target
 enable_debug_rtl
+enable_static_rtl
 enable_n32
 enable_x32
 enable_64bit
 enable_mdupdate
 enable_cplus
 with_arm_kuser
 with_macos_sdk
 enable_macos_target
@@ -1450,16 +1451,17 @@ Optional Features:
   --enable-debug=DBG    Enable debugging (using compiler flags DBG)
   --enable-debug-symbols=DBG    Enable debugging symbols
                                        (using compiler flags DBG)
   --enable-win32-target=\$t
                           Specify win32 flavor. (WIN95 or WINNT)
   --enable-symbian-target=\$t
                           Specify symbian flavor. (WINSCW or GCCE)
   --enable-debug-rtl      Use the MSVC debug runtime library
+  --enable-static-rtl     Use the MSVC static runtime library
   --enable-n32            Enable n32 ABI support (IRIX only)
   --enable-x32            Enable x32 ABI support (x86_64 only)
   --enable-64bit          Enable 64-bit support (on certain platforms)
   --enable-mdupdate       Enable use of certain compilers' mdupdate feature
   --enable-cplus          Enable some c++ api routines
   --enable-macos-target=VER
                           Set the minimum MacOS version needed at runtime
                           10.2 for ppc, 10.4 for x86
@@ -2905,16 +2907,24 @@ if test "${enable_debug_rtl+set}" = set;
   enableval=$enable_debug_rtl;  if test "$enableval" = "yes"; then
 	    USE_DEBUG_RTL=1
       else
 	    USE_DEBUG_RTL=0
       fi
 fi
 
 
+# Check whether --enable-static-rtl was given.
+if test "${enable_static_rtl+set}" = set; then :
+  enableval=$enable_static_rtl;  if test "$enableval" = "yes"; then
+	    USE_STATIC_RTL=1
+      fi
+fi
+
+
 # Check whether --enable-n32 was given.
 if test "${enable_n32+set}" = set; then :
   enableval=$enable_n32;  if test "$enableval" = "yes"; then
 	USE_N32=1
       else if test "$enableval" = "no"; then
 	USE_N32=
       fi
     fi
@@ -7180,19 +7190,27 @@ tools are selected during the Xcode/Deve
             PROFILE_USE_CFLAGS="$PROFILE_USE_CFLAGS -Gw"
         fi
 
         if test -z "$MOZ_OPTIMIZE"; then
             CFLAGS="$CFLAGS -Od"
         fi
 
         if test "$USE_DEBUG_RTL" = 1; then
-            CFLAGS="$CFLAGS -MDd"
+            if test -n "$USE_STATIC_RTL"; then
+                CFLAGS="$CFLAGS -MTd"
+            else
+                CFLAGS="$CFLAGS -MDd"
+            fi
         else
-            CFLAGS="$CFLAGS -MD"
+            if test -n "$USE_STATIC_RTL"; then
+                CFLAGS="$CFLAGS -MT"
+            else
+                CFLAGS="$CFLAGS -MD"
+            fi
         fi
 
         if test -n "$MOZ_DEBUG"; then
             $as_echo "#define _DEBUG 1" >>confdefs.h
 
         else
             DEFINES="$DEFINES -U_DEBUG"
         fi
@@ -7264,16 +7282,19 @@ tools are selected during the Xcode/Deve
     case "$target_cpu" in
     i*86)
 	if test -n "$USE_64"; then
 	    $as_echo "#define _AMD64_ 1" >>confdefs.h
 
 	else
 	    $as_echo "#define _X86_ 1" >>confdefs.h
 
+            if test -z "$GNU_CC" -a "$MSC_VER" -ge "1700"; then
+                                                CFLAGS="$CFLAGS -arch:IA32"
+            fi
 	fi
         ;;
     x86_64)
 	    $as_echo "#define _AMD64_ 1" >>confdefs.h
 
 	    USE_64=1
 	    ;;
     ia64)
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -385,16 +385,22 @@ AC_ARG_ENABLE(symbian-target,
 AC_ARG_ENABLE(debug-rtl,
     [  --enable-debug-rtl      Use the MSVC debug runtime library],
     [ if test "$enableval" = "yes"; then
 	    USE_DEBUG_RTL=1
       else
 	    USE_DEBUG_RTL=0
       fi ])
 
+AC_ARG_ENABLE(static-rtl,
+    [  --enable-static-rtl     Use the MSVC static runtime library],
+    [ if test "$enableval" = "yes"; then
+	    USE_STATIC_RTL=1
+      fi ])
+
 AC_ARG_ENABLE(n32,
     [  --enable-n32            Enable n32 ABI support (IRIX only)],
     [ if test "$enableval" = "yes"; then
 	USE_N32=1
       else if test "$enableval" = "no"; then
 	USE_N32=
       fi
     fi ])
@@ -1999,19 +2005,27 @@ tools are selected during the Xcode/Deve
             PROFILE_USE_CFLAGS="$PROFILE_USE_CFLAGS -Gw"
         fi
 
         if test -z "$MOZ_OPTIMIZE"; then
             CFLAGS="$CFLAGS -Od"
         fi
 
         if test "$USE_DEBUG_RTL" = 1; then
-            CFLAGS="$CFLAGS -MDd"
+            if test -n "$USE_STATIC_RTL"; then
+                CFLAGS="$CFLAGS -MTd"
+            else
+                CFLAGS="$CFLAGS -MDd"
+            fi
         else
-            CFLAGS="$CFLAGS -MD"
+            if test -n "$USE_STATIC_RTL"; then
+                CFLAGS="$CFLAGS -MT"
+            else
+                CFLAGS="$CFLAGS -MD"
+            fi
         fi
 
         if test -n "$MOZ_DEBUG"; then
             AC_DEFINE(_DEBUG)
         else
             DEFINES="$DEFINES -U_DEBUG"
         fi
 
@@ -2076,16 +2090,21 @@ tools are selected during the Xcode/Deve
     esac
 
     case "$target_cpu" in
     i*86)
 	if test -n "$USE_64"; then
 	    AC_DEFINE(_AMD64_)
 	else		
 	    AC_DEFINE(_X86_)
+            if test -z "$GNU_CC" -a "$MSC_VER" -ge "1700"; then
+                dnl Visual C++ 2012 defaults to -arch:SSE2. Use -arch:IA32
+                dnl to avoid requiring SSE2.
+                CFLAGS="$CFLAGS -arch:IA32"
+            fi
 	fi
         ;;
     x86_64)
 	    AC_DEFINE(_AMD64_)
 	    USE_64=1
 	    ;;
     ia64)
 	    AC_DEFINE(_IA64_)
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -26,21 +26,21 @@ PR_BEGIN_EXTERN_C
 /*
 ** NSPR's version is used to determine the likelihood that the version you
 ** used to build your component is anywhere close to being compatible with
 ** what is in the underlying library.
 **
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.10.7 Beta"
+#define PR_VERSION  "4.10.7"
 #define PR_VMAJOR   4
 #define PR_VMINOR   10
 #define PR_VPATCH   7
-#define PR_BETA     PR_TRUE
+#define PR_BETA     PR_FALSE
 
 /*
 ** PRVersionCheck
 **
 ** The basic signature of the function that is called to provide version
 ** checking. The result will be a boolean that indicates the likelihood
 ** that the underling library will perform as the caller expects.
 **
--- a/nsprpub/pr/src/md/unix/unix.c
+++ b/nsprpub/pr/src/md/unix/unix.c
@@ -16,16 +16,20 @@
 #include <sys/mman.h>
 #include <unistd.h>
 #include <sys/utsname.h>
 
 #ifdef _PR_POLL_AVAILABLE
 #include <poll.h>
 #endif
 
+#if defined(ANDROID)
+#include <android/api-level.h>
+#endif
+
 /* To get FIONREAD */
 #if defined(UNIXWARE)
 #include <sys/filio.h>
 #endif
 
 #if defined(NTO)
 #include <sys/statvfs.h>
 #endif
@@ -2704,18 +2708,18 @@ static void* _MD_Unix_mmap64(
     void *addr, PRSize len, PRIntn prot, PRIntn flags,
     PRIntn fildes, PRInt64 offset)
 {
     PR_SetError(PR_FILE_TOO_BIG_ERROR, 0);
     return NULL;
 }  /* _MD_Unix_mmap64 */
 #endif /* defined(_PR_NO_LARGE_FILES) || defined(SOLARIS2_5) */
 
-/* Android doesn't have mmap64. */
-#if defined(ANDROID)
+/* Android <= 19 doesn't have mmap64. */
+#if defined(ANDROID) && __ANDROID_API__ <= 19
 extern void *__mmap2(void *, size_t, int, int, int, size_t);
 
 #define ANDROID_PAGE_SIZE 4096
 
 static void *
 mmap64(void *addr, size_t len, int prot, int flags, int fd, loff_t offset)
 {
     if (offset & (ANDROID_PAGE_SIZE - 1)) {
--- a/nsprpub/pr/tests/vercheck.c
+++ b/nsprpub/pr/tests/vercheck.c
@@ -23,17 +23,17 @@
  * This release (4.10.7) is backward compatible with the
  * 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 4.5.x, 4.6.x, 4.7.x,
  * 4.8.x, 4.9.x, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4,
  * 4.10.5, and 4.10.6 releases.
  * It, of course, is compatible with itself.
  */
 static char *compatible_version[] = {
     "4.0", "4.0.1", "4.1", "4.1.1", "4.1.2", "4.1.3",
-    "4.2", "4.2.1", "4.2.2", "4.3", "4.4", " 4.4.1",
+    "4.2", "4.2.1", "4.2.2", "4.3", "4.4", "4.4.1",
     "4.5", "4.5.1",
     "4.6", "4.6.1", "4.6.2", "4.6.3", "4.6.4", "4.6.5",
     "4.6.6", "4.6.7", "4.6.8",
     "4.7", "4.7.1", "4.7.2", "4.7.3", "4.7.4", "4.7.5",
     "4.7.6",
     "4.8", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.8.5",
     "4.8.6", "4.8.7", "4.8.8", "4.8.9",
     "4.9", "4.9.1", "4.9.2", "4.9.3", "4.9.4", "4.9.5",
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -68,16 +68,19 @@ ifdef USE_64
 NSPR_CONFIGURE_OPTS += --enable-64bit
 endif
 ifeq ($(OS_TARGET),WIN95)
 NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
 endif
 ifdef USE_DEBUG_RTL
 NSPR_CONFIGURE_OPTS += --enable-debug-rtl
 endif
+ifdef USE_STATIC_RTL
+NSPR_CONFIGURE_OPTS += --enable-static-rtl
+endif
 ifdef NS_USE_GCC
 NSPR_COMPILERS = CC=gcc CXX=g++
 endif
 
 #
 # Some pwd commands on Windows (for example, the pwd
 # command in Cygwin) return a pathname that begins
 # with a (forward) slash.  When such a pathname is
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_17_BETA1
+NSS_3_17_RTM
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -87,16 +87,17 @@ SECU_GetPasswordString(void *arg, char *
     if (input == NULL) {
 	fprintf(stderr, "Error opening input terminal for read\n");
 	return NULL;
     }
 
     output = fopen(consoleName, "w");
     if (output == NULL) {
 	fprintf(stderr, "Error opening output terminal for write\n");
+	fclose(input);
 	return NULL;
     }
 
     p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword);
         
 
     fclose(input);
     fclose(output);
--- a/security/nss/coreconf/WIN32.mk
+++ b/security/nss/coreconf/WIN32.mk
@@ -124,18 +124,36 @@ else # !NS_USE_GCC
     ifeq ($(_MSC_VER),$(_MSC_VER_6))
     ifndef MOZ_DEBUG_SYMBOLS
 	OS_DLLFLAGS += -PDB:NONE
     endif
     endif
     ifdef USE_DYNAMICBASE
 	OS_DLLFLAGS += -DYNAMICBASE
     endif
+    #
+    # Define USE_DEBUG_RTL if you want to use the debug runtime library
+    # (RTL) in the debug build.
+    # Define USE_STATIC_RTL if you want to use the static RTL.
+    #
+    ifdef USE_DEBUG_RTL
+	ifdef USE_STATIC_RTL
+		OS_CFLAGS += -MTd
+	else
+		OS_CFLAGS += -MDd
+	endif
+	OS_CFLAGS += -D_CRTDBG_MAP_ALLOC
+    else
+	ifdef USE_STATIC_RTL
+		OS_CFLAGS += -MT
+	else
+		OS_CFLAGS += -MD
+	endif
+    endif
     ifdef BUILD_OPT
-	OS_CFLAGS  += -MD
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -O1
 	else
 		OPTIMIZER += -O2
 	endif
 	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
 	DLLFLAGS   += -OUT:$@
 	ifdef MOZ_DEBUG_SYMBOLS
@@ -143,25 +161,16 @@ else # !NS_USE_GCC
 			OPTIMIZER += $(MOZ_DEBUG_FLAGS) -Fd$(OBJDIR)/
 		else
 			OPTIMIZER += -Zi -Fd$(OBJDIR)/
 		endif
 		DLLFLAGS += -DEBUG -OPT:REF
 		LDFLAGS += -DEBUG -OPT:REF
 	endif
     else
-	#
-	# Define USE_DEBUG_RTL if you want to use the debug runtime library
-	# (RTL) in the debug build
-	#
-	ifdef USE_DEBUG_RTL
-		OS_CFLAGS += -MDd -D_CRTDBG_MAP_ALLOC
-	else
-		OS_CFLAGS += -MD
-	endif
 	OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
 	DLLFLAGS   += -DEBUG -OUT:$@
 	LDFLAGS    += -DEBUG 
@@ -174,21 +183,16 @@ endif
 	LDFLAGS    += /FIXED:NO
     endif
 ifneq ($(_MSC_VER),$(_MSC_VER_6))
     # Convert certain deadly warnings to errors (see list at end of file)
     OS_CFLAGS += -we4002 -we4003 -we4004 -we4006 -we4009 -we4013 \
      -we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 \
      -we4064 -we4078 -we4087 -we4090 -we4098 -we4390 -we4551 -we4553 -we4715
 
-    # VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring SSE2.
-    ifeq ($(_MSC_VER_GE_11),1)
-	OS_CFLAGS += -arch:IA32
-    endif
-
     ifeq ($(_MSC_VER_GE_12),1)
 	OS_CFLAGS += -FS
     endif
 endif # !MSVC6
 endif # NS_USE_GCC
 
 ifdef USE_64
 DEFINES += -DWIN64
@@ -196,16 +200,21 @@ else
 DEFINES += -DWIN32
 endif
 
 ifeq (,$(filter-out x386 x86_64,$(CPU_ARCH)))
 ifdef USE_64
 	DEFINES += -D_AMD64_
 else
 	DEFINES += -D_X86_
+	# VS2012 defaults to -arch:SSE2. Use -arch:IA32 to avoid requiring
+	# SSE2.
+	ifeq ($(_MSC_VER_GE_11),1)
+		OS_CFLAGS += -arch:IA32
+	endif
 endif
 endif
 ifeq ($(CPU_ARCH), ALPHA)
 	DEFINES += -D_ALPHA_=1
 endif
 
 ifdef MAPFILE
 ifndef NS_USE_GCC
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -199,26 +199,51 @@ If this option is not used, the validity
             <listitem><para><command>sql:</command> requests the newer database</para></listitem>
 	    <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
           </itemizedlist>
           <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>dbm:</command> is the default.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
+        <term>--dump-ext-val OID </term>
+        <listitem><para>For single cert, print binary DER encoding of extension OID.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-e </term>
         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>--email email-address</term>
         <listitem><para>Specify the email address of a certificate to list. Used with the -L command option.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+        <term>--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </term>
+        <listitem>
+          <para>
+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
+           </para>
+	<itemizedlist>
+	<listitem>
+<para>OID (example): 1.2.3.4</para>
+	</listitem>
+	<listitem>
+<para>critical-flag: critical or not-critical</para>
+	</listitem>
+	<listitem>
+<para>filename: full path to a file containing an encoded extension</para>
+	</listitem>
+	</itemizedlist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-f password-file</term>
         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
  unauthorized access to this file.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-g keysize</term>
@@ -371,16 +396,25 @@ of the attribute codes:
 	<itemizedlist>
 	<listitem>
 <para><command>C</command> (as an SSL client)</para>
 	</listitem>
 	<listitem>
 <para><command>V</command> (as an SSL server)</para>
 	</listitem>
 	<listitem>
+<para><command>L</command> (as an SSL CA)</para>
+	</listitem>
+	<listitem>
+<para><command>A</command> (as Any CA)</para>
+	</listitem>
+	<listitem>
+<para><command>Y</command> (Verify CA)</para>
+	</listitem>
+	<listitem>
 <para><command>S</command> (as an email signer)</para>
 	</listitem>
 	<listitem>
 <para><command>R</command> (as an email recipient)</para>
 	</listitem>
 	<listitem>
 <para><command>O</command> (as an OCSP status responder)</para>
 	</listitem>
@@ -644,16 +678,27 @@ of the attribute codes:
       </varlistentry>
 
       <varlistentry>
         <term>--extNC</term>
         <listitem><para>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
       </varlistentry>
 
       <varlistentry>
+        <term>--extSAN type:name[,type:name]...</term>
+        <listitem><para>
+Create a Subject Alt Name extension with one or multiple names.
+          </para>
+          <para>
+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
+        </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>--empty-password</term>
         <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>--keyAttrFlags attrflags</term>
         <listitem><para>
 PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
--- a/security/nss/doc/html/certutil.html
+++ b/security/nss/doc/html/certutil.html
@@ -1,21 +1,23 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233261230240"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm226659332128"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
 <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
 </p><p>
 When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</p></dd><dt><span class="term">-b validity-time</span></dt><dd><p>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code class="option">-V</code> option. The format of the <span class="emphasis"><em>validity-time</em></span> argument is <span class="emphasis"><em>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</em></span>, which allows offsets to be set relative to the validity end time. Specifying seconds (<span class="emphasis"><em>SS</em></span>) is optional. When specifying an explicit time, use a Z at the end of the term, <span class="emphasis"><em>YYMMDDHHMMSSZ</em></span>, to close it. When specifying an offset time, use <span class="emphasis"><em>YYMMDDHHMMSS+HHMM</em></span> or <span class="emphasis"><em>YYMMDDHHMMSS-HHMM</em></span> for adding or subtracting time, respectively.
 </p><p>
 If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity. 
  Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string 
- with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
+ with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">--dump-ext-val OID </span></dt><dd><p>For single cert, print binary DER encoding of extension OID.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </span></dt><dd><p>
+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
+           </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
  unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
            The valid key type options are rsa, dsa, ec, or all. The default 
            value is rsa. Specifying the type of key can avoid mistakes caused by
            duplicate nicknames. Giving a key type generates a new key pair; 
            giving the ID of an existing key reuses that key pair (which is 
            required to renew certificates).
           </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521</p><p>
@@ -49,17 +51,17 @@ of the attribute codes:
 		<span class="command"><strong>T</strong></span> - Trusted CA (implies c)
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>C</strong></span> - trusted CA for client authentication (ssl server only)
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>u</strong></span> - user
 	</p></li></ul></div><p>
 		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
 	</p><p><span class="command"><strong>-t "TCu,Cu,Tu"</strong></span></p><p>
-	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
+	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>L</strong></span> (as an SSL CA)</p></li><li class="listitem"><p><span class="command"><strong>A</strong></span> (as Any CA)</p></li><li class="listitem"><p><span class="command"><strong>Y</strong></span> (Verify CA)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
  for the beginning of a certificate's validity period. Use when creating 
  the certificate or adding it to a database. Express the offset in integers, 
  using a minus sign (-) to indicate a negative offset. If this argument is 
  not used, the validity period begins at the current system time. The length 
  of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 		digitalSignature
 	</p></li><li class="listitem"><p>
 		nonRepudiation
@@ -104,17 +106,21 @@ of the attribute codes:
 	</p></li><li class="listitem"><p>
 		ocspResponder
 	</p></li><li class="listitem"><p>
 		stepUp
 	</p></li><li class="listitem"><p>
 		msTrustListSign
 	</p></li><li class="listitem"><p>
 		critical
-	</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
+	</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSAN type:name[,type:name]...</span></dt><dd><p>
+Create a Subject Alt Name extension with one or multiple names.
+          </p><p>
+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
+        </p></dd><dt><span class="term">--empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
 PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--keyOpFlagsOn opflags, </span><span class="term">--keyOpFlagsOff opflags</span></dt><dd><p>
 PKCS #11 key Operation Flags.
 Comma separated list of one or more of the following:
 {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
           </p></dd><dt><span class="term">--source-dir certdir</span></dt><dd><p>Identify the certificate database directory to upgrade.</p></dd><dt><span class="term">--source-prefix certdir</span></dt><dd><p>Give the prefix of the certificate and key databases to upgrade.</p></dd><dt><span class="term">--upgrade-id uniqueID</span></dt><dd><p>Give the unique ID of the database to upgrade.</p></dd><dt><span class="term">--upgrade-token-name name</span></dt><dd><p>Set the name of the token to use while it is being upgraded.</p></dd><dt><span class="term">-@ pwfile</span></dt><dd><p>Give the name of a password file to use for the database being upgraded.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
 		Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the <code class="option">-H</code> option to show the complete list of arguments for each command option.
 	</p><p><span class="command"><strong>Creating New Security Databases</strong></span></p><p>
 		Certificates, keys, and security modules related to managing certificates are stored in three related databases:
--- a/security/nss/doc/html/pp.html
+++ b/security/nss/doc/html/pp.html
@@ -1,7 +1,7 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm233254308544"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="idm233250605968"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output] [-u] [-w]</code> </p></div></div><div class="refsection"><a name="idm226689875920"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="idm226686118544"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
                      pkcs7 or crl files
-    </p></div><div class="refsection"><a name="idm233250603984"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
+    </p></div><div class="refsection"><a name="idm226686116608"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd><dt><span class="term"><code class="option">-u </code> </span></dt><dd>Use UTF-8 (default is to show non-ascii as .)</dd><dt><span class="term"><code class="option">-w </code> </span></dt><dd>Don't wrap long output lines</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
 	Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
     </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
     </p></div></div><div class="navfooter"><hr></div></body></html>
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  5 June 2014
+.\"      Date: 29 July 2014
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "29 July 2014" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -245,26 +245,69 @@ requests the newer database
 requests the legacy database
 .RE
 .sp
 If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then
 \fBdbm:\fR
 is the default\&.
 .RE
 .PP
+\-\-dump\-ext\-val OID
+.RS 4
+For single cert, print binary DER encoding of extension OID\&.
+.RE
+.PP
 \-e
 .RS 4
 Check a certificate\*(Aqs signature during the process of validating a certificate\&.
 .RE
 .PP
 \-\-email email\-address
 .RS 4
 Specify the email address of a certificate to list\&. Used with the \-L command option\&.
 .RE
 .PP
+\-\-extGeneric OID:critical\-flag:filename[,OID:critical\-flag:filename]\&.\&.\&.
+.RS 4
+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+OID (example): 1\&.2\&.3\&.4
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+critical\-flag: critical or not\-critical
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+filename: full path to a file containing an encoded extension
+.RE
+.RE
+.PP
 \-f password\-file
 .RS 4
 Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
 .RE
 .PP
 \-g keysize
 .RS 4
 Set a key size to use when generating new public and private key pairs\&. The minimum is 512 bits and the maximum is 16384 bits\&. The default is 1024 bits\&. Any size between the minimum and maximum is allowed\&.
@@ -456,16 +499,52 @@ The contexts are the following:
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
+\fBL\fR
+(as an SSL CA)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBA\fR
+(as Any CA)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBY\fR
+(Verify CA)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 \fBS\fR
 (as an email signer)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
@@ -909,16 +988,23 @@ Add the Inhibit Any Policy Access extens
 Add the Subject Key ID extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&.
 .RE
 .PP
 \-\-extNC
 .RS 4
 Add a Name Constraint extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&.
 .RE
 .PP
+\-\-extSAN type:name[,type:name]\&.\&.\&.
+.RS 4
+Create a Subject Alt Name extension with one or multiple names\&.
+.sp
+\-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
+.RE
+.PP
 \-\-empty\-password
 .RS 4
 Use empty password when creating new certificate database with \-N\&.
 .RE
 .PP
 \-\-keyAttrFlags attrflags
 .RS 4
 PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
--- a/security/nss/doc/nroff/pp.1
+++ b/security/nss/doc/nroff/pp.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: PP
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  5 June 2014
+.\"      Date: 29 July 2014
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "PP" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "PP" "1" "29 July 2014" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -25,18 +25,18 @@
 .\" disable justification (adjust text to left margin only)
 .ad l
 .\" -----------------------------------------------------------------
 .\" * MAIN CONTENT STARTS HERE *
 .\" -----------------------------------------------------------------
 .SH "NAME"
 pp \- Prints certificates, keys, crls, and pkcs7 files
 .SH "SYNOPSIS"
-.HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\fR\ 'u
-\fBpp \-t type [\-a] [\-i input] [\-o output]\fR
+.HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\ [\-u]\ [\-w]\fR\ 'u
+\fBpp \-t type [\-a] [\-i input] [\-o output] [\-u] [\-w]\fR
 .SH "STATUS"
 .PP
 This documentation is still work in progress\&. Please contribute to the initial review in
 \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
 .SH "DESCRIPTION"
 .PP
 \fBpp \fRpretty\-prints private and public key, certificate, certificate\-request, pkcs7 or crl files
 .SH "OPTIONS"
@@ -52,20 +52,30 @@ specify the input, one of {private\-key 
 Input is in ascii encoded form (RFC1113)
 .RE
 .PP
 \fB\-i \fR \fIinputfile\fR
 .RS 4
 Define an input file to use (default is stdin)
 .RE
 .PP
-\fB\-u \fR \fIoutputfile\fR
+\fB\-o \fR \fIoutputfile\fR
 .RS 4
 Define an output file to use (default is stdout)
 .RE
+.PP
+\fB\-u \fR
+.RS 4
+Use UTF\-8 (default is to show non\-ascii as \&.)
+.RE
+.PP
+\fB\-w \fR
+.RS 4
+Don\*(Aqt wrap long output lines
+.RE
 .SH "ADDITIONAL RESOURCES"
 .PP
 NSS is maintained in conjunction with PKI and security\-related projects through Mozilla and Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at
 \m[blue]\fBPKI Wiki\fR\m[]\&\s-2\u[2]\d\s+2\&.
 .PP
 For information specifically about NSS, the NSS project wiki is located at
 \m[blue]\fBMozilla NSS site\fR\m[]\&\s-2\u[3]\d\s+2\&. The NSS site relates directly to NSS code changes and releases\&.
 .PP
--- a/security/nss/doc/pp.xml
+++ b/security/nss/doc/pp.xml
@@ -21,17 +21,17 @@
 
   <refnamediv>
     <refname>pp</refname>
     <refpurpose>Prints certificates, keys, crls, and pkcs7 files</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>pp -t type [-a] [-i input] [-o output]</command>
+      <command>pp -t type [-a] [-i input] [-o output] [-u] [-w]</command>
     </cmdsynopsis>
   </refsynopsisdiv>
   
   <refsection>
     <title>STATUS</title>
     <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
     </para>
   </refsection>
@@ -68,22 +68,36 @@
       <varlistentry>
         <term><option>-i </option> <replaceable>inputfile</replaceable></term>
         <listitem>
           <simpara>Define an input file to use (default is stdin)</simpara>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><option>-u </option> <replaceable>outputfile</replaceable></term>
+        <term><option>-o </option> <replaceable>outputfile</replaceable></term>
         <listitem>
           <simpara>Define an output file to use (default is stdout)</simpara>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>-u </option> </term>
+        <listitem>
+          <simpara>Use UTF-8 (default is to show non-ascii as .)</simpara>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>-w </option> </term>
+        <listitem>
+          <simpara>Don't wrap long output lines</simpara>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsection>
 
   <refsection id="resources">
     <title>Additional Resources</title>
     <para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
 	<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
 	<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,16 +65,135 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
+# Certificate "GTE CyberTrust Global Root"
+#
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
+\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
+\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
+\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
+\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
+\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
+\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
+\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
+\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
+\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
+\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
+\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
+\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
+\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
+\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
+\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
+\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
+\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
+\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
+\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
+\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
+\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
+\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
+\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
+\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
+\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
+\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
+\037\042\265\315\225\255\272\247\314\371\253\013\172\177
+END
+
+# Trust for Certificate "GTE CyberTrust Global Root"
+# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Serial Number: 421 (0x1a5)
+# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
+# Not Valid Before: Thu Aug 13 00:29:00 1998
+# Not Valid After : Mon Aug 13 23:59:00 2018
+# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
+# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
+\066\176\364\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\001\245
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "Thawte Server CA"
 #
 # Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Serial Number: 1 (0x1)
 # Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
 # Not Valid Before: Thu Aug 01 00:00:00 1996
 # Not Valid After : Thu Dec 31 23:59:59 2020
 # Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
@@ -29869,8 +29988,166 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021
 \110\215
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "USERTrust-temporary-intermediate-after-1024bit-removal"
+#
+# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Serial Number:5d:20:61:8e:8c:0e:b9:34:40:93:b9:b1:d8:63:95:b6
+# Subject: CN=USERTrust Legacy Secure Server CA,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Tue Aug 05 00:00:00 2014
+# Not Valid After : Sun Nov 01 23:59:59 2015
+# Fingerprint (SHA-256): 92:96:6E:83:44:D2:FB:3A:28:0E:B8:60:4D:81:40:77:4C:E1:A0:57:C5:82:BE:BC:83:4D:03:02:E8:59:BC:43
+# Fingerprint (SHA1): 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust-temporary-intermediate-after-1024bit-removal"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025
+\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145
+\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025
+\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145
+\164\167\157\162\153\061\052\060\050\006\003\125\004\003\023\041
+\125\123\105\122\124\162\165\163\164\040\114\145\147\141\143\171
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\040\141\216\214\016\271\064\100\223\271\261\330\143
+\225\266
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\231\060\202\003\201\240\003\002\001\002\002\020\135
+\040\141\216\214\016\271\064\100\223\271\261\330\143\225\266\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\157
+\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024\060
+\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163\164
+\040\101\102\061\046\060\044\006\003\125\004\013\023\035\101\144
+\144\124\162\165\163\164\040\105\170\164\145\162\156\141\154\040
+\124\124\120\040\116\145\164\167\157\162\153\061\042\060\040\006
+\003\125\004\003\023\031\101\144\144\124\162\165\163\164\040\105
+\170\164\145\162\156\141\154\040\103\101\040\122\157\157\164\060
+\036\027\015\061\064\060\070\060\065\060\060\060\060\060\060\132
+\027\015\061\065\061\061\060\061\062\063\065\071\065\071\132\060
+\177\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
+\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
+\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
+\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
+\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
+\167\157\162\153\061\052\060\050\006\003\125\004\003\023\041\125
+\123\105\122\124\162\165\163\164\040\114\145\147\141\143\171\040
+\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103\101
+\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
+\000\331\115\040\072\346\051\060\206\362\351\206\211\166\064\116
+\150\037\226\104\367\321\371\326\202\116\246\070\236\356\313\133
+\341\216\056\275\362\127\200\375\311\077\374\220\163\104\274\217
+\273\127\133\345\055\037\024\060\165\066\365\177\274\317\126\364
+\177\201\377\256\221\315\330\322\152\313\227\371\367\315\220\152
+\105\055\304\273\244\205\023\150\127\137\357\051\272\052\312\352
+\365\314\244\004\233\143\315\000\353\375\355\215\335\043\306\173
+\036\127\035\066\177\037\010\232\015\141\333\132\154\161\002\123
+\050\302\372\215\375\253\273\263\361\215\164\113\337\275\275\314
+\006\223\143\011\225\302\020\172\235\045\220\062\235\001\302\071
+\123\260\340\025\153\307\327\164\345\244\042\233\344\224\377\204
+\221\373\055\263\031\103\055\223\017\234\022\011\344\147\271\047
+\172\062\255\172\052\314\101\130\300\156\131\137\356\070\053\027
+\042\234\211\372\156\347\345\127\065\364\132\355\222\225\223\055
+\371\314\044\077\245\034\075\047\275\042\003\163\314\365\312\363
+\251\364\334\376\317\351\320\134\320\017\253\207\374\203\375\310
+\251\002\003\001\000\001\243\202\001\037\060\202\001\033\060\037
+\006\003\125\035\043\004\030\060\026\200\024\255\275\230\172\064
+\264\046\367\372\304\046\124\357\003\275\340\044\313\124\032\060
+\035\006\003\125\035\016\004\026\004\024\257\244\100\257\237\026
+\376\253\061\375\373\325\227\213\365\221\243\044\206\026\060\016
+\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060\022
+\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
+\001\000\060\035\006\003\125\035\045\004\026\060\024\006\010\053
+\006\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003
+\002\060\031\006\003\125\035\040\004\022\060\020\060\016\006\014
+\053\006\001\004\001\262\061\001\002\001\003\004\060\104\006\003
+\125\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150
+\164\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162
+\165\163\164\056\143\157\155\057\101\144\144\124\162\165\163\164
+\105\170\164\145\162\156\141\154\103\101\122\157\157\164\056\143
+\162\154\060\065\006\010\053\006\001\005\005\007\001\001\004\051
+\060\047\060\045\006\010\053\006\001\005\005\007\060\001\206\031
+\150\164\164\160\072\057\057\157\143\163\160\056\165\163\145\162
+\164\162\165\163\164\056\143\157\155\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\204\256\055
+\150\070\021\154\203\121\142\300\221\302\230\274\306\073\372\245
+\305\275\073\011\346\156\140\157\060\003\206\042\032\262\213\363
+\306\316\036\273\033\171\340\026\024\115\322\232\005\113\377\217
+\354\360\050\051\352\052\004\035\075\257\021\022\325\111\230\120
+\102\237\141\146\072\266\100\231\004\014\153\020\062\351\367\317
+\206\130\117\055\315\323\254\176\350\133\152\203\174\015\240\234
+\134\120\066\165\015\155\176\102\267\337\246\334\220\134\157\043
+\116\227\035\363\042\165\277\003\065\346\135\177\307\371\233\054
+\207\366\216\326\045\226\131\235\317\352\020\036\357\156\352\132
+\233\167\030\064\314\201\167\257\232\207\302\012\345\345\236\023
+\225\123\275\275\111\032\245\166\022\366\334\362\221\267\351\032
+\341\274\115\075\225\161\175\370\215\174\076\003\117\123\355\376
+\122\375\312\137\223\341\032\001\033\002\267\163\116\272\146\351
+\170\213\120\376\021\313\321\147\320\042\117\167\352\315\024\025
+\100\256\146\135\350\056\177\036\210\157\125\171\326\271\176\343
+\265\375\221\240\300\362\046\207\113\057\235\365\240
+END
+
+# Trust for "USERTrust-temporary-intermediate-after-1024bit-removal"
+# Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+# Serial Number:5d:20:61:8e:8c:0e:b9:34:40:93:b9:b1:d8:63:95:b6
+# Subject: CN=USERTrust Legacy Secure Server CA,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+# Not Valid Before: Tue Aug 05 00:00:00 2014
+# Not Valid After : Sun Nov 01 23:59:59 2015
+# Fingerprint (SHA-256): 92:96:6E:83:44:D2:FB:3A:28:0E:B8:60:4D:81:40:77:4C:E1:A0:57:C5:82:BE:BC:83:4D:03:02:E8:59:BC:43
+# Fingerprint (SHA1): 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust-temporary-intermediate-after-1024bit-removal"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\174\057\221\342\273\226\150\251\306\366\275\020\031\054\153\122
+\132\033\272\110
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\131\153\146\214\004\251\341\013\017\356\105\245\220\044\037\016
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\040\141\216\214\016\271\064\100\223\271\261\330\143
+\225\266
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 0
-#define NSS_BUILTINS_LIBRARY_VERSION "2.0"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION "2.1"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/crmf/servget.c
+++ b/security/nss/lib/crmf/servget.c
@@ -592,17 +592,17 @@ CRMF_CertReqMsgGetPOPKeyEncipherment(CRM
 				     CRMFPOPOPrivKey **destKey)
 {
     PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
     if (inCertReqMsg == NULL || destKey == NULL ||
 	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyEncipherment) {
         return SECFailure;
     }
     *destKey = PORT_ZNew(CRMFPOPOPrivKey);
-    if (destKey == NULL) {
+    if (*destKey == NULL) {
        return SECFailure;
     }
     return crmf_copy_popoprivkey(NULL,
 				 &inCertReqMsg->pop->popChoice.keyEncipherment,
 				 *destKey);
 }
 
 SECStatus
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crldp.c
@@ -117,17 +117,17 @@ pkix_pl_CrlDp_Create(
             issuerName = &dp->crlIssuer->name.directoryName;
         } else {
             issuerName = certIssuerName;
         }
         rdnArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (!rdnArena) {
             PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
         }
-        issuerNameCopy = (CERTName *)PORT_ArenaZNew(rdnArena, CERTName*);
+        issuerNameCopy = (CERTName *)PORT_ArenaZNew(rdnArena, CERTName);
         if (!issuerNameCopy) {
             PKIX_ERROR(PKIX_ALLOCERROR);
         }
         rv = CERT_CopyName(rdnArena, issuerNameCopy, (CERTName*)issuerName);
         if (rv == SECFailure) {
             PKIX_ERROR(PKIX_ALLOCERROR);
         }
         rv = CERT_AddRDN(issuerNameCopy, (CERTRDN*)relName);
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,22 +28,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.17" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.17" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   17
 #define NSS_VPATCH   0
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_BETA     PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/softoken/legacydb/lowcert.c
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -442,17 +442,17 @@ nsslowcert_EmailName(SECItem *derDN, cha
 	    oid=nsslowcert_dataStart(ava, ava_length, &oid_length, PR_FALSE, 
 					NULL);
 	    if (oid == NULL) { return NULL; }
 	    ava_length -= (oid-ava)+oid_length;
 	    ava = oid+oid_length;
 
 	    name=nsslowcert_dataStart(ava, ava_length, &name_length, PR_FALSE, 
 					NULL);
-	    if (oid == NULL) { return NULL; }
+	    if (name == NULL) { return NULL; }
 	    ava_length -= (name-ava)+name_length;
 	    ava = name+name_length;
 
 	    oidItem.data = oid;
 	    oidItem.len = oid_length;
 	    type = SECOID_FindOIDTag(&oidItem);
 	    if ((type == SEC_OID_PKCS9_EMAIL_ADDRESS) || 
 					(type == SEC_OID_RFC1274_MAIL)) {
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.17" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.17" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   17
 #define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_TRUE
+#define SOFTOKEN_BETA     PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -26,28 +26,16 @@
 #include "prthread.h"
 
 #include "pk11func.h"
 #include "secmod.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 
-#ifdef ANDROID_STUB_H
-#include <android/log.h>
-#define androidLog(...) __android_log_print(ANDROID_LOG_VERBOSE, "GeckoNSS", __VA_ARGS__)
-#else
-#ifdef _MSC_VER
-#define androidLog(...)
-#else
-#define androidLog(...) ((void) 0)
-#endif
-#endif
-
-
 #include <stdio.h>
 #ifdef NSS_ENABLE_ZLIB
 #include "zlib.h"
 #endif
 
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
 		(x)->pValue=(v); (x)->ulValueLen = (l);
@@ -9386,16 +9374,20 @@ skip:
         }
 	if (serverPubKey == NULL) {
 	    /* XXX Is this the right error code? */
 	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
 	    return SECFailure;
 	}
 	rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 
 					      serverPubKey, serverKey);
+	if (ss->ephemeralECDHKeyPair) {
+	    ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
+	    ss->ephemeralECDHKeyPair = NULL;
+	}
 	if (rv != SECSuccess) {
 	    return SECFailure;	/* error code set */
 	}
 	break;
 #endif /* NSS_DISABLE_ECC */
 
     default:
 	(void) ssl3_HandshakeFailure(ss);
@@ -9696,26 +9688,20 @@ ssl3_SendCertificateStatus(sslSocket *ss
 }
 
 /* This is used to delete the CA certificates in the peer certificate chain
  * from the cert database after they've been validated.
  */
 static void
 ssl3_CleanupPeerCerts(sslSocket *ss)
 {
-#ifndef _MSC_VER
-    androidLog("Top of ssl3_CleanupPeerCerts ss=%p", ss);
-#endif
     PLArenaPool * arena = ss->ssl3.peerCertArena;
     ssl3CertNode *certs = (ssl3CertNode *)ss->ssl3.peerCertChain;
 
     for (; certs; certs = certs->next) {
-#ifndef _MSC_VER
-        androidLog("ssl3_CleanupPeerCerts certs->cert=%p", certs->cert);
-#endif
 	CERT_DestroyCertificate(certs->cert);
     }
     if (arena) PORT_FreeArena(arena, PR_FALSE);
     ss->ssl3.peerCertArena = NULL;
     ss->ssl3.peerCertChain = NULL;
 }
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
@@ -9790,18 +9776,16 @@ ssl3_HandleCertificate(sslSocket *ss, SS
     PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
     PRBool           isTLS;
     SSL3AlertDescription desc;
     int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
     SECItem          certItem;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
 		SSL_GETPID(), ss->fd));
-    androidLog("Top of ssl3_HandleCertificate ss=%p fd=%d", ss, ss->fd);
-
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if ((ss->ssl3.hs.ws != wait_server_cert) &&
 	(ss->ssl3.hs.ws != wait_client_cert)) {
 	desc    = unexpected_message;
 	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
 	goto alert_loser;
@@ -9905,19 +9889,16 @@ ssl3_HandleCertificate(sslSocket *ss, SS
 
 	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
 	                                  PR_FALSE, PR_TRUE);
 	if (c->cert == NULL) {
 	    goto ambiguous_err;
 	}
 
 	c->next = NULL;
-
-        androidLog("ssl3_HandleCertificate ss=%p fd=%d lastcert=%p c=%p c->next=%p c->cert=%p", ss, ss->fd, lastCert, c, c->next, c->cert);
-
 	if (lastCert) {
 	    lastCert->next = c;
 	} else {
 	    ss->ssl3.peerCertChain = c;
 	}
 	lastCert = c;
     }
 
@@ -9927,46 +9908,41 @@ ssl3_HandleCertificate(sslSocket *ss, SS
     SECKEY_UpdateCertPQG(ss->sec.peerCert);
 
     if (!isServer && ssl3_ExtensionNegotiated(ss, ssl_cert_status_xtn)) {
        ss->ssl3.hs.ws = wait_certificate_status;
        rv = SECSuccess;
     } else {
        rv = ssl3_AuthCertificate(ss); /* sets ss->ssl3.hs.ws */
     }
-    androidLog("ssl3_HandleCertificate returning ss=%p fd=%d rv=%d peercertChain=%p", ss, ss->fd, rv, ss->ssl3.peerCertChain);
 
     return rv;
 
 ambiguous_err:
     errCode = PORT_GetError();
-    androidLog("ssl3_HandleCertificate amb_err ss=%p fd=%d error=%d", ss, ss->fd, errCode);
     switch (errCode) {
     case PR_OUT_OF_MEMORY_ERROR:
     case SEC_ERROR_BAD_DATABASE:
     case SEC_ERROR_NO_MEMORY:
        if (isTLS) {
            desc = internal_error;
            goto alert_loser;
        }
        goto loser;
     }
     ssl3_SendAlertForCertError(ss, errCode);
     goto loser;
 
 decode_loser:
-    androidLog("ssl3_HandleCertificate decode_loser ss=%p fd=%d", ss, ss->fd);
     desc = isTLS ? decode_error : bad_certificate;
 
 alert_loser:
-    androidLog("ssl3_HandleCertificate alert_loser ss=%p fd=%d", ss, ss->fd);
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
-    androidLog("ssl3_HandleCertificate loser ss=%p fd=%d peercertChain=%p", ss, ss->fd, ss->ssl3.peerCertChain);
     (void)ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
 static SECStatus
 ssl3_AuthCertificate(sslSocket *ss)
 {
     SECStatus        rv;
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.17 Beta"
+#define NSSUTIL_VERSION  "3.17"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   17
 #define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_TRUE
+#define NSSUTIL_BETA     PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);
 
index 17eaa64bcb10941a38b71bb13e210687b13a62d2..32b46fcebaa22bc99e6d20fd5fef2447ffc7480a
GIT binary patch
literal 1548
zc$|GyeM}Q~818+v^ut2SRXUZ*MZ~$H<#+v1E2tp|q9|Z07WwpOD^&WmyF;j8#41(C
z7G}^Hj8i6}n~v#-y2;oCHX!PB&VeS2x;QZECeeuEqD*(!2?4Y0{<`OVpZ9t1_q^}#
zfKMO<KJ-yN0z)t?6YBd-J@bpqktbe!sk@w50i*(v+Mn!yCWRnAp9i+I5E38~AQ`9t
zgELHo5=`WP7z<u)qwFSop=%bt)Me2S5kSQyBv{x;0$)Xy&<vhxV@lmrF%b)l{}QyT
zY?PD6-RtlY+J=)1Uc@jSdVWkyX=$lu16xe9#Ttv-8AEwUe5U0cFo)0sEmw?S(WB}K
z4w9yE9iCXm*j!ed6<<v{>{gPoyIr`+v>Z=}2UC?&wo*?RK;X$@p#iW`TAjgYFlGTC
zBqA^%7f7N75DNL`#=#I0IOQau92<l&;bNPEEF~!$p#oF5FA2dE>6Co~$=L8Ts*rTq
zHwHQrG7!wA`B;z+5PI#Lx#R8Qy0Jj65E~7Ij+m_lT4E$9#KZ~g5!SgWmz^Z!AcPAB
zDTF4{g)ei{HX;ltxR6L8)v{H1Do(KWniygtzydQ-Oh_la>7?WJL=+%2V7Nk(us9Vr
zm3TaEiWwOoq6p^f_K;o=>EO&}&6qZJ_z<6m_@EFT8yCYq2;zPBMbe5om(yWL*`b~H
z&5bLfJy-Vi&$)Y0eDd-2tDpdhXzF_6lx=(Fozlv*ecI=H*(0viEJz8R-qe(zI}m<8
z+>Mq0-X4{jl%E!>$-3B{b;|csQ-kfEUw3*yRaSSjyZ5<F^Fp2)nJM^a`@1D8>GwmP
zT&Sqo73IZloP2ak7z9bIKbqHv`U{i`bI%qm$Sha8hK_)Ec=&;p()IQ(Dt7K2Y$wmn
zi#;B{q^AS99=pc;@$FC4*UIi~&0TQwSg!K#-Pi7Hd<a{*8oFj@>x9)$8<A5lAFGa^
z%RBIOnGugJBGdZo9v|yik&=9|s6)2s`M#FU^`@F>gV)aw9PWh?hzB+Jpfju^&7hDq
zQ6)#$f;`_FM*2dF>@?%1yklb%m~qH576mg-dOVlKwgS={7z?*NDh!1IFR)pv5D0pO
zq6o~d4_r7^6w0lIkX=?jKL~+F-(awgOXFxh$OYK~$y$Fh<o_!X3Q`Kdau7MfgP}0x
z$o;cwXs^>!5V(344-KM5Nidi+`9Epw4FwTgpGfpA5LT%eelNY{z}cv*@{FpqJv>Xz
z{mkM75X})H(CJ_r!0V^hhx;dUQmhh9j*()4g>nG%NK*(xQ@~PI{WS)V9~)n14Hz_I
zlmP#aF!RQb4dGULgYdX@=!v9%%eQNq7aksdij<&h)}MYEs#l}?cV4=9JI;X{d;W00
zt>0V_o=C}!ZHdR!hMY5kKH<?C;fcy-+2zKW+2Knw<bM{cE89f_J}UXbr0P5R-ErwN
zN{c63THKbOGY6toUmbO!QFY(%Mm~HHvb=Vy!QbcECXKs%BDHeaFS{0H=wc!Yx5tPM
z#ka|p&H7<Sy}NeS!+BT9?gxW&H=Wlu=1ffvu5v6<Z|(wl9YdO%eJehH^)Pux_ey4o
zHc4`6qc}Ia^Me6p>n&01{o2nes`l?VvbFWvod~|{x8}4%oqKuJ=5FcTZnJs&ChTBN
R&a=Twyq(gjeTO{1{sRD!^vVDL