Bug 1420060, NSS_3_35_BETA1, r=franziskus
authorKai Engert <kaie@kuix.de>
Thu, 11 Jan 2018 14:09:34 +0100
changeset 453298 92dcb99abd054bd9a502ae3b9da2af983d137aad
parent 453297 86d41b5efe074f6988085082df9ef537eee0813a
child 453299 ddfff454c810d25532d60ca8a60f0d7a86edb1f8
push id1648
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 12:45:47 +0000
reviewersfranziskus
bugs1420060
milestone59.0a1
Bug 1420060, NSS_3_35_BETA1, r=franziskus UPGRADE_NSS_RELEASE
security/nss/TAG-INFO
security/nss/automation/clang-format/setup.sh
security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
security/nss/automation/taskcluster/docker-hacl/setup.sh
security/nss/automation/taskcluster/docker/setup.sh
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/automation/taskcluster/graph/src/try_syntax.js
security/nss/cmd/certutil/certutil.c
security/nss/coreconf/config.gypi
security/nss/coreconf/coreconf.dep
security/nss/gtests/freebl_gtest/rsa_unittest.cc
security/nss/gtests/softoken_gtest/softoken_gtest.cc
security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sdb.h
security/nss/lib/softoken/sftkdb.c
security/nss/lib/ssl/ssl3prot.h
security/nss/lib/ssl/sslt.h
security/nss/lib/ssl/tls13con.c
security/nss/lib/util/nssutil.def
security/nss/lib/util/utilmod.c
security/nss/lib/util/utilpars.c
security/nss/lib/util/utilpars.h
security/nss/lib/util/utilparst.h
security/nss/readme.md
security/nss/tests/all.sh
security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt
security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt
security/nss/tests/cert/cert.sh
security/nss/tests/fips/fips.sh
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-04fc9a90997b
+NSS_3_35_BETA1
--- a/security/nss/automation/clang-format/setup.sh
+++ b/security/nss/automation/clang-format/setup.sh
@@ -12,18 +12,18 @@ apt_packages+=('ca-certificates')
 apt_packages+=('curl')
 apt_packages+=('xz-utils')
 apt_packages+=('mercurial')
 apt_packages+=('git')
 apt_packages+=('locales')
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Download clang.
-curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
-curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
+curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
+curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify clang.tar.xz.sig
 # Install into /usr/local/.
 tar xJvf *.tar.xz -C /usr/local --strip-components=1
 
 # Cleanup.
 function cleanup() {
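Review bot: The two new `curl -L` lines can still be redirected off https, because `-L` follows redirects to other schemes by default; `curl --proto '=https' --proto-redir '=https' -fL URL -o clang.tar.xz` would keep every hop on TLS and fail on an HTTP error instead of saving the error body. The same applies to the new `curl -LO` lines in the docker-clang-3.9, docker-hacl and docker setup.sh hunks. Integrity then rests on the `gpg --verify` that follows, which accepts a good signature from any key in the keyring rather than only B6C8F98282B944E3B0D5C2530FC3042E345AD05D; checking the `--status-fd` output for a `VALIDSIG` line carrying that fingerprint would tie the check to the key the script names. Whether `set -e` is active in this file is not visible in the hunk (it is in the docker-hacl hunk header), so confirm that a failed verify stops the script before the `tar` step.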
--- a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
+++ b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
@@ -20,18 +20,18 @@ apt_packages+=('mercurial')
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
 echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
 
 # Install packages.
 apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Download clang.
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig
 # Install into /usr/local/.
 tar xJvf *.tar.xz -C /usr/local --strip-components=1
 # Cleanup.
 rm *.tar.xz*
 
--- a/security/nss/automation/taskcluster/docker-hacl/setup.sh
+++ b/security/nss/automation/taskcluster/docker-hacl/setup.sh
@@ -5,18 +5,18 @@ set -v -e -x
 # Update packages.
 export DEBIAN_FRONTEND=noninteractive
 apt-get -qq update
 apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales
 update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
 update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
 
 # Get clang-format-3.9
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig
 # Install into /usr/local/.
 tar xJvf *.tar.xz -C /usr/local --strip-components=1
 # Cleanup.
 rm *.tar.xz*
 
--- a/security/nss/automation/taskcluster/docker/setup.sh
+++ b/security/nss/automation/taskcluster/docker/setup.sh
@@ -43,18 +43,18 @@ apt_packages+=('g++-4.8-multilib')
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F
 echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list
 
 # Install packages.
 apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Download clang.
-curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig
 # Install into /usr/local/.
 tar xJvf *.tar.xz -C /usr/local --strip-components=1
 # Cleanup.
 rm *.tar.xz*
 
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -77,18 +77,18 @@ queue.filter(task => {
   }
 
   // Only old make builds have -Ddisable_libpkix=0 and can run chain tests.
   if (task.tests == "chains" && task.collection != "make") {
     return false;
   }
 
   if (task.group == "Test") {
-    // Don't run test builds on old make platforms
-    if (task.collection == "make") {
+    // Don't run test builds on old make platforms, and not for fips gyp.
+    if (task.collection == "make" || task.collection == "fips") {
       return false;
     }
   }
 
   // Don't run additional hardware tests on ARM (we don't have anything there).
   if (task.group == "Cipher" && task.platform == "aarch64" && task.env &&
       (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1"
        || task.env.NSS_DISABLE_AVX == "1")) {
@@ -191,16 +191,22 @@ export default async function main() {
       CCC: "clang++",
     },
     platform: "linux64",
     collection: "asan",
     image: LINUX_IMAGE,
     features: ["allowPtrace"],
   }, "--ubsan --asan");
 
+  await scheduleLinux("Linux 64 (FIPS opt)", {
+    platform: "linux64",
+    collection: "fips",
+    image: LINUX_IMAGE,
+  }, "--enable-fips --opt");
+
   await scheduleWindows("Windows 2012 64 (debug, make)", {
     platform: "windows2012-64",
     collection: "make",
     env: {USE_64: "1"}
   }, "build.sh");
 
   await scheduleWindows("Windows 2012 32 (debug, make)", {
     platform: "windows2012-32",
@@ -363,17 +369,16 @@ async function scheduleLinux(name, base,
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_certs.sh"
       ],
       parent: extra_build,
       symbol: "Certs-F",
       group: "FIPS",
-      env: { NSS_TEST_ENABLE_FIPS: "1" }
     }));
 
     // Schedule FIPS tests.
     queue.scheduleTask(merge(base, {
       parent: task_cert,
       name: "FIPS",
       command: [
         "/bin/bash",
@@ -806,17 +811,16 @@ async function scheduleWindows(name, bas
       name: "Certificates",
       command: [
         WINDOWS_CHECKOUT_CMD,
         "bash -c nss/automation/taskcluster/windows/gen_certs.sh"
       ],
       parent: extra_build,
       symbol: "Certs-F",
       group: "FIPS",
-      env: { NSS_TEST_ENABLE_FIPS: "1" }
     }));
 
     // Schedule FIPS tests.
     queue.scheduleTask(merge(base, {
       parent: task_cert,
       name: "FIPS",
       command: [
         WINDOWS_CHECKOUT_CMD,
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -17,17 +17,17 @@ function parseOptions(opts) {
   let builds = intersect(opts.build.split(""), ["d", "o"]);
 
   // If the given value is nonsense default to debug and opt builds.
   if (builds.length == 0) {
     builds = ["d", "o"];
   }
 
   // Parse platforms.
-  let allPlatforms = ["linux", "linux64", "linux64-asan",
+  let allPlatforms = ["linux", "linux64", "linux64-asan", "linux64-fips",
                       "win", "win64", "win-make", "win64-make",
                       "linux64-make", "linux-make", "linux-fuzz",
                       "linux64-fuzz", "aarch64", "mac"];
   let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
 
   // If the given value is nonsense or "none" default to all platforms.
   if (platforms.length == 0 && opts.platform != "none") {
     platforms = allPlatforms;
@@ -106,31 +106,34 @@ function filter(opts) {
     let coll = name => name == (task.collection || "opt");
 
     // Filter by platform.
     let found = opts.platforms.some(platform => {
       let aliases = {
         "linux": "linux32",
         "linux-fuzz": "linux32",
         "linux64-asan": "linux64",
+        "linux64-fips": "linux64",
         "linux64-fuzz": "linux64",
         "linux64-make": "linux64",
         "linux-make": "linux32",
         "win64-make": "windows2012-64",
         "win-make": "windows2012-32",
         "win64": "windows2012-64",
         "win": "windows2012-32"
       };
 
       // Check the platform name.
       let keep = (task.platform == (aliases[platform] || platform));
 
       // Additional checks.
       if (platform == "linux64-asan") {
         keep &= coll("asan");
+      } else if (platform == "linux64-fips") {
+        keep &= coll("fips");
       } else if (platform == "linux64-make" || platform == "linux-make" ||
                  platform == "win64-make" || platform == "win-make") {
         keep &= coll("make");
       } else if (platform == "linux64-fuzz" || platform == "linux-fuzz") {
         keep &= coll("fuzz");
       } else {
         keep &= coll("opt") || coll("debug");
       }
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1049,16 +1049,28 @@ ListModules(void)
         PORT_Free(token_uri);
     }
     PK11_FreeSlotList(list);
 
     return SECSuccess;
 }
 
 static void
+PrintBuildFlags()
+{
+#ifdef NSS_FIPS_DISABLED
+    PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n");
+#endif
+#ifdef NSS_NO_INIT_SUPPORT
+    PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n");
+#endif
+    exit(0);
+}
+
+static void
 PrintSyntax(char *progName)
 {
 #define FPS fprintf(stderr,
     FPS "Type %s -H for more detailed descriptions\n", progName);
     FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile] [--empty-password]\n", progName);
     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
         "\t\t [-f pwfile] [-0 SSO-password]\n", progName);
     FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
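Review bot: `PrintBuildFlags()` is defined with an empty parameter list, which in C leaves the arguments unspecified; `PrintBuildFlags(void)` would match `ListModules(void)` named in this hunk's header. The function also ends the process with `exit(0)`, which its name does not suggest. A one-line comment above it, such as `/* Print the build flags relevant for NSS test execution, then exit. */`, would make that explicit for callers in `certutil_main`.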
@@ -1095,16 +1107,17 @@ PrintSyntax(char *progName)
     FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
     FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
         progName);
     FPS "\t\t [-P targetDBPrefix] [--source-prefix sourceDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n");
     FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n",
         progName);
     FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
+    FPS "\t%s --build-flags\n", progName);
     FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
         progName);
     FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
     FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
         "\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
         "\t\t [-g key-size] [-Z hashAlg]\n",
         progName);
     FPS "\t%s -V -n cert-name -u usage [-b time] [-e] [-a]\n"
@@ -1808,29 +1821,42 @@ luS(enum usage_level ul, const char *com
         "   --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...", "", "");
     FPS "%-20s - OID (example): 1.2.3.4\n", "");
     FPS "%-20s - critical-flag: critical or not-critical\n", "");
     FPS "%-20s - filename: full path to a file containing an encoded extension\n", "");
     FPS "\n");
 }
 
 static void
+luBuildFlags(enum usage_level ul, const char *command)
+{
+    int is_my_command = (command && 0 == strcmp(command, "build-flags"));
+    if (ul == usage_all || !command || is_my_command)
+    FPS "%-15s Print enabled build flags relevant for NSS test execution\n",
+        "--build-flags");
+    if (ul == usage_selected && !is_my_command)
+        return;
+    FPS "\n");
+}
+
+static void
 LongUsage(char *progName, enum usage_level ul, const char *command)
 {
     luA(ul, command);
     luB(ul, command);
     luE(ul, command);
     luC(ul, command);
     luG(ul, command);
     luD(ul, command);
     luRename(ul, command);
     luF(ul, command);
     luU(ul, command);
     luK(ul, command);
     luL(ul, command);
+    luBuildFlags(ul, command);
     luM(ul, command);
     luN(ul, command);
     luT(ul, command);
     luO(ul, command);
     luR(ul, command);
     luV(ul, command);
     luW(ul, command);
     luUpgradeMerge(ul, command);
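Review bot: In `luBuildFlags` the `FPS` statement after `if (ul == usage_all || !command || is_my_command)` is the body of that `if` but sits at the same indent as the condition, so it reads as unconditional. Wrapping it as `if (ul == usage_all || !command || is_my_command) {` … `}` would remove the ambiguity. The other `lu*` helpers are outside this hunk, so this may mirror an existing pattern in the file; if so, the point applies to them as well.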
@@ -2396,16 +2422,17 @@ enum {
     cmd_ListModules,
     cmd_CheckCertValidity,
     cmd_ChangePassword,
     cmd_Version,
     cmd_Batch,
     cmd_Merge,
     cmd_UpgradeMerge, /* test only */
     cmd_Rename,
+    cmd_BuildFlags,
     max_cmd
 };
 
 /*  Certutil options */
 enum certutilOpts {
     opt_SSOPass = 0,
     opt_AddKeyUsageExt,
     opt_AddBasicConstraintExt,
@@ -2498,17 +2525,19 @@ static const secuCommandFlag commands_in
       { /* cmd_CheckCertValidity   */ 'V', PR_FALSE, 0, PR_FALSE },
       { /* cmd_ChangePassword      */ 'W', PR_FALSE, 0, PR_FALSE },
       { /* cmd_Version             */ 'Y', PR_FALSE, 0, PR_FALSE },
       { /* cmd_Batch               */ 'B', PR_FALSE, 0, PR_FALSE },
       { /* cmd_Merge               */ 0, PR_FALSE, 0, PR_FALSE, "merge" },
       { /* cmd_UpgradeMerge        */ 0, PR_FALSE, 0, PR_FALSE,
         "upgrade-merge" },
       { /* cmd_Rename              */ 0, PR_FALSE, 0, PR_FALSE,
-        "rename" }
+        "rename" },
+      { /* cmd_BuildFlags          */ 0, PR_FALSE, 0, PR_FALSE,
+        "build-flags" }
     };
 #define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
 
 static const secuCommandFlag options_init[] =
     {
       { /* opt_SSOPass             */ '0', PR_TRUE, 0, PR_FALSE },
       { /* opt_AddKeyUsageExt      */ '1', PR_FALSE, 0, PR_FALSE },
       { /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
@@ -2685,16 +2714,20 @@ certutil_main(int argc, char **argv, PRB
                 }
                 break;
             }
         }
         LongUsage(progName, (command ? usage_selected : usage_all), command);
         exit(1);
     }
 
+    if (certutil.commands[cmd_BuildFlags].activated) {
+        PrintBuildFlags();
+    }
+
     if (certutil.options[opt_PasswordFile].arg) {
         pwdata.source = PW_FROMFILE;
         pwdata.data = certutil.options[opt_PasswordFile].arg;
     }
     if (certutil.options[opt_NewPasswordFile].arg) {
         pwdata2.source = PW_FROMFILE;
         pwdata2.data = certutil.options[opt_NewPasswordFile].arg;
     }
@@ -3133,17 +3166,17 @@ certutil_main(int argc, char **argv, PRB
     }
 
     /* if we are going to modify the cert database,
      * make sure it's initialized */
     if (certutil.commands[cmd_ModifyCertTrust].activated ||
         certutil.commands[cmd_CreateAndAddCert].activated ||
         certutil.commands[cmd_AddCert].activated ||
         certutil.commands[cmd_AddEmailCert].activated) {
-        if (PK11_NeedUserInit(slot)) {
+        if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
             char *password = NULL;
             /* fetch the password from the command line or the file
              * if no password is supplied, initialize the password to NULL */
             if (pwdata.source == PW_FROMFILE) {
                 password = SECU_FilePasswd(slot, PR_FALSE, pwdata.data);
             } else if (pwdata.source == PW_PLAINTEXT) {
                 password = PL_strdup(pwdata.data);
             }
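Review bot: The comment above this block still says the database is initialised whenever it is about to be modified, but the new condition skips that step when `PK11_NeedLogin(slot)` is false, and nothing records why. A short addition such as `/* A slot that requires no login has no user PIN to set up, so leave it alone. */` would document the intent; that reading is inferred from the function names and should be confirmed by the author. The block continues past the end of the hunk.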
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -123,16 +123,17 @@
     'include_dirs': [
       '<(nspr_include_dir)',
       '<(nss_dist_dir)/private/<(module)',
     ],
     'conditions': [
       [ 'disable_fips==1', {
         'defines': [
           'NSS_FIPS_DISABLED',
+          'NSS_NO_INIT_SUPPORT',
         ],
       }],
       [ 'OS!="android" and OS!="mac" and OS!="win"', {
         'libraries': [
           '-lpthread',
         ],
       }],
       [ 'OS=="linux"', {
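Review bot: `NSS_NO_INIT_SUPPORT` is now defined only under `disable_fips==1`, so every gyp build with FIPS enabled loses a define that all configurations carried before (the next hunk removes it from `Common`), and the file does not say why the two are coupled. A comment on the new line, for example `# Only for non-FIPS builds; FIPS builds need library init support.`, would record the reason. That wording is inferred from the define's name and needs confirming against the code that tests it.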
@@ -294,17 +295,16 @@
       }],
     ],
     'default_configuration': 'Debug',
     'configurations': {
       # Common settings for Debug+Release should go here.
       'Common': {
         'abstract': 1,
         'defines': [
-          'NSS_NO_INIT_SUPPORT',
           'USE_UTIL_DIRECTLY',
           'NO_NSPR_10_SUPPORT',
           'SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES',
         ],
         'msvs_configuration_attributes': {
           'OutputDirectory': '$(SolutionDir)$(ConfigurationName)',
           'IntermediateDirectory': '$(OutDir)\\obj\\$(ProjectName)',
         },
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/gtests/freebl_gtest/rsa_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
@@ -48,10 +48,14 @@ TEST_F(RSANewKeyTest, expFourTest) {
 }
 TEST_F(RSANewKeyTest, WrongKeysizeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2047, 0x03));
   ASSERT_TRUE(key == nullptr);
 }
 
 TEST_F(RSANewKeyTest, expThreeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
+#ifdef NSS_FIPS_DISABLED
   ASSERT_TRUE(key != nullptr);
+#else
+  ASSERT_TRUE(key == nullptr);
+#endif
 }
--- a/security/nss/gtests/softoken_gtest/softoken_gtest.cc
+++ b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
@@ -1,9 +1,13 @@
 #include <cstdlib>
+#if defined(_WIN32)
+#include <windows.h>
+#include <codecvt>
+#endif
 
 #include "cert.h"
 #include "certdb.h"
 #include "nspr.h"
 #include "nss.h"
 #include "pk11pub.h"
 #include "secerr.h"
 
@@ -29,23 +33,25 @@ namespace nss_test {
 class ScopedUniqueDirectory {
  public:
   explicit ScopedUniqueDirectory(const std::string &prefix);
 
   // NB: the directory must be empty upon destruction
   ~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); }
 
   const std::string &GetPath() { return mPath; }
+  const std::string &GetUTF8Path() { return mUTF8Path; }
 
  private:
   static const int RETRY_LIMIT = 5;
   static void GenerateRandomName(/*in/out*/ std::string &prefix);
   static bool TryMakingDirectory(/*in/out*/ std::string &prefix);
 
   std::string mPath;
+  std::string mUTF8Path;
 };
 
 ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
   std::string path;
   const char *workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
   if (workingDirectory) {
     path.assign(workingDirectory);
   }
@@ -55,16 +61,28 @@ ScopedUniqueDirectory::ScopedUniqueDirec
     // TryMakingDirectory will modify its input. If it fails, we want to throw
     // away the modified result.
     if (TryMakingDirectory(pathCopy)) {
       mPath.assign(pathCopy);
       break;
     }
   }
   assert(mPath.length() > 0);
+#if defined(_WIN32)
+  // sqldb always uses UTF-8 regardless of the current system locale.
+  DWORD len =
+      MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), nullptr, 0);
+  std::vector<wchar_t> buf(len, L'\0');
+  MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), buf.data(),
+                      buf.size());
+  std::wstring_convert<std::codecvt_utf8_utf16<wchar_t>> converter;
+  mUTF8Path = converter.to_bytes(std::wstring(buf.begin(), buf.end()));
+#else
+  mUTF8Path = mPath;
+#endif
 }
 
 void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) {
   std::stringstream ss;
   ss << prefix;
   // RAND_MAX is at least 32767.
   ss << std::setfill('0') << std::setw(4) << std::hex << rand() << rand();
   // This will overwrite the value of prefix. This is a little inefficient, but
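Review bot: Neither `MultiByteToWideChar` call in the new `_WIN32` branch has its result checked; the function returns 0 on failure, which leaves `buf` empty and `mUTF8Path` an empty string, and `SetUp` would then hand a bare `sql:` to `NSS_Initialize`. Adding `assert(len > 0);` after the first call and `assert(mUTF8Path.length() > 0);` after the conversion would match the existing `assert(mPath.length() > 0);`. `mPath.size()` and `buf.size()` are also narrowed from `size_t` to `int` at the call, which is harmless for these short paths but deserves an explicit cast. `std::vector` and `std::wstring_convert` are used here while the include hunk adds only `windows.h` and `codecvt`, so the `vector` and `locale` headers may need adding unless they arrive through an include outside the visible lines. The constructor starts outside this hunk.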
@@ -79,20 +97,21 @@ bool ScopedUniqueDirectory::TryMakingDir
 #else
   return mkdir(prefix.c_str(), 0777) == 0;
 #endif
 }
 
 class SoftokenTest : public ::testing::Test {
  protected:
   SoftokenTest() : mNSSDBDir("SoftokenTest.d-") {}
+  SoftokenTest(const std::string &prefix) : mNSSDBDir(prefix) {}
 
   virtual void SetUp() {
     std::string nssInitArg("sql:");
-    nssInitArg.append(mNSSDBDir.GetPath());
+    nssInitArg.append(mNSSDBDir.GetUTF8Path());
     ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
                                          NSS_INIT_NOROOTINIT));
   }
 
   virtual void TearDown() {
     ASSERT_EQ(SECSuccess, NSS_Shutdown());
     const std::string &nssDBDirPath = mNSSDBDir.GetPath();
     ASSERT_EQ(0, unlink((nssDBDirPath + "/cert9.db").c_str()));
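Review bot: The new single-argument constructor `SoftokenTest(const std::string &prefix)` is not marked `explicit`, unlike `ScopedUniqueDirectory`'s constructor earlier in the same file, so a string converts to a fixture implicitly. `explicit SoftokenTest(const std::string &prefix) : mNSSDBDir(prefix) {}` is the consistent form. `TearDown` continues past the end of the hunk.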
@@ -197,16 +216,29 @@ TEST_F(SoftokenTest, CreateObjectChangeT
   EXPECT_EQ(SEC_ERROR_TOKEN_NOT_LOGGED_IN, PORT_GetError());
   ScopedPK11GenericObject obj(PK11_CreateGenericObject(
       slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
   // Because there's no password we can't logout and the operation should have
   // succeeded.
   EXPECT_NE(nullptr, obj);
 }
 
+class SoftokenNonAsciiTest : public SoftokenTest {
+ protected:
+  SoftokenNonAsciiTest() : SoftokenTest("SoftokenTest.\xF7-") {}
+};
+
+TEST_F(SoftokenNonAsciiTest, NonAsciiPathWorking) {
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+  EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+}
+
 // This is just any X509 certificate. Its contents don't matter.
 static unsigned char certDER[] = {
     0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x14, 0x49, 0xC4, 0xC4, 0x4A, 0xB6, 0x86, 0x07, 0xA3, 0x06,
     0xDC, 0x4D, 0xC8, 0xC3, 0xFE, 0xC7, 0x21, 0x3A, 0x2D, 0xE4, 0xDA, 0x30,
     0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
     0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
     0x04, 0x74, 0x65, 0x73, 0x74, 0x30, 0x22, 0x18, 0x0F, 0x32, 0x30, 0x31,
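Review bot: The fixture prefix `"SoftokenTest.\xF7-"` carries a single raw byte whose meaning depends on the platform, and the test does not say which encoding is intended. On Windows it is decoded through `CP_ACP` in the `ScopedUniqueDirectory` constructor; elsewhere `mUTF8Path` is a plain copy of `mPath`, so the path given to `sql:` contains a byte that is not valid UTF-8 on its own. A comment on the class such as `// 0xF7 is a non-ASCII byte in the ANSI code page (U+00F7 in Windows-1252); on Windows the test relies on the CP_ACP-to-UTF-8 conversion.` would document the assumption. On code pages where 0xF7 is a lead byte the conversion may behave differently; that is inferred, not shown on this page.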
--- a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
@@ -26,33 +26,33 @@ static const uint8_t kD13 = TLS_1_3_DRAF
 const static uint8_t kCannedTls13ClientHello[] = {
     0x01, 0x00, 0x00, 0xcf, 0x03, 0x03, 0x6c, 0xb3, 0x46, 0x81, 0xc8, 0x1a,
     0xf9, 0xd2, 0x05, 0x97, 0x48, 0x7c, 0xa8, 0x31, 0x03, 0x1c, 0x06, 0xa8,
     0x62, 0xb1, 0x90, 0xd6, 0x21, 0x44, 0x7f, 0xc1, 0x9b, 0x87, 0x3e, 0xad,
     0x91, 0x85, 0x00, 0x00, 0x06, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02, 0x01,
     0x00, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x00, 0x06,
     0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
     0x0a, 0x00, 0x12, 0x00, 0x10, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01,
-    0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x28, 0x00,
+    0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x33, 0x00,
     0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x86, 0x4a, 0xb9, 0xdc,
     0x6a, 0x38, 0xa7, 0xce, 0xe7, 0xc2, 0x4f, 0xa6, 0x28, 0xb9, 0xdc, 0x65,
     0xbf, 0x73, 0x47, 0x3c, 0x9c, 0x65, 0x8c, 0x47, 0x6d, 0x57, 0x22, 0x8a,
     0xc2, 0xb3, 0xc6, 0x80, 0x72, 0x86, 0x08, 0x86, 0x8f, 0x52, 0xc5, 0xcb,
     0xbf, 0x2a, 0xb5, 0x59, 0x64, 0xcc, 0x0c, 0x49, 0x95, 0x36, 0xe4, 0xd9,
     0x2f, 0xd4, 0x24, 0x66, 0x71, 0x6f, 0x5d, 0x70, 0xe2, 0xa0, 0xea, 0x26,
     0x00, 0x2b, 0x00, 0x03, 0x02, 0x7f, kD13, 0x00, 0x0d, 0x00, 0x20, 0x00,
     0x1e, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, 0x03, 0x08, 0x04, 0x08,
     0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01, 0x04,
     0x02, 0x05, 0x02, 0x06, 0x02, 0x02, 0x02};
 
 const static uint8_t kCannedTls13ServerHello[] = {
     0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
     0xf0, 0x5c, 0x70, 0x7a, 0xe0, 0xd1, 0x9b, 0x3e, 0x5a, 0x44, 0x6b,
     0xdf, 0xe5, 0xc2, 0x28, 0x64, 0xf7, 0x00, 0xc1, 0x9c, 0x08, 0x76,
-    0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x28, 0x00, 0x24,
+    0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24,
     0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
     0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
     0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,
     0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x7f, kD13};
 static const char *k0RttData = "ABCDEF";
 
 TEST_P(TlsAgentTest, EarlyFinished) {
   DataBuffer buffer;
--- a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
@@ -45,16 +45,17 @@ SECStatus NoopExtensionHandler(PRFileDes
 
 // All of the (current) set of supported extensions, plus a few extra.
 static const uint16_t kManyExtensions[] = {
     ssl_server_name_xtn,
     ssl_cert_status_xtn,
     ssl_supported_groups_xtn,
     ssl_ec_point_formats_xtn,
     ssl_signature_algorithms_xtn,
+    ssl_signature_algorithms_cert_xtn,
     ssl_use_srtp_xtn,
     ssl_app_layer_protocol_xtn,
     ssl_signed_cert_timestamp_xtn,
     ssl_padding_xtn,
     ssl_extended_master_secret_xtn,
     ssl_session_ticket_xtn,
     ssl_tls13_key_share_xtn,
     ssl_tls13_pre_shared_key_xtn,
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -3651,17 +3651,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \141\155\142\145\162\163\151\147\156\056\157\162\147\061\042\060
 \040\006\003\125\004\003\023\031\103\150\141\155\142\145\162\163
 \040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
 \164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Camerfirma Global Chambersign Root"
 #
 # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
@@ -3810,17 +3810,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \013\023\032\150\164\164\160\072\057\057\167\167\167\056\143\150
 \141\155\142\145\162\163\151\147\156\056\157\162\147\061\040\060
 \036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103
 \150\141\155\142\145\162\163\151\147\156\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
@@ -5105,159 +5105,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \100\153
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "DST ACES CA X6"
-#
-# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
-# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Not Valid Before: Thu Nov 20 21:19:58 2003
-# Not Valid After : Mon Nov 20 21:19:58 2017
-# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
-# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "DST ACES CA X6"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
-\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
-\123\124\040\101\103\105\123\040\103\101\040\130\066
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
-\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
-\123\124\040\101\103\105\123\040\103\101\040\130\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
-\025\331
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\011\060\202\002\361\240\003\002\001\002\002\020\015
-\136\231\012\326\235\267\170\354\330\007\126\073\206\025\331\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\133
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040\060
-\036\006\003\125\004\012\023\027\104\151\147\151\164\141\154\040
-\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164\061
-\021\060\017\006\003\125\004\013\023\010\104\123\124\040\101\103
-\105\123\061\027\060\025\006\003\125\004\003\023\016\104\123\124
-\040\101\103\105\123\040\103\101\040\130\066\060\036\027\015\060
-\063\061\061\062\060\062\061\061\071\065\070\132\027\015\061\067
-\061\061\062\060\062\061\061\071\065\070\132\060\133\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003
-\125\004\012\023\027\104\151\147\151\164\141\154\040\123\151\147
-\156\141\164\165\162\145\040\124\162\165\163\164\061\021\060\017
-\006\003\125\004\013\023\010\104\123\124\040\101\103\105\123\061
-\027\060\025\006\003\125\004\003\023\016\104\123\124\040\101\103
-\105\123\040\103\101\040\130\066\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\271\075\365\054\311\224\334
-\165\212\225\135\143\350\204\167\166\146\271\131\221\134\106\335
-\222\076\237\371\016\003\264\075\141\222\275\043\046\265\143\356
-\222\322\236\326\074\310\015\220\137\144\201\261\250\010\015\114
-\330\371\323\005\050\122\264\001\045\305\225\034\014\176\076\020
-\204\165\317\301\031\221\143\317\350\250\221\210\271\103\122\273
-\200\261\125\211\213\061\372\320\267\166\276\101\075\060\232\244
-\042\045\027\163\350\036\342\323\254\052\275\133\070\041\325\052
-\113\327\125\175\343\072\125\275\327\155\153\002\127\153\346\107
-\174\010\310\202\272\336\247\207\075\241\155\270\060\126\302\263
-\002\201\137\055\365\342\232\060\030\050\270\146\323\313\001\226
-\157\352\212\105\125\326\340\235\377\147\053\027\002\246\116\032
-\152\021\013\176\267\173\347\230\326\214\166\157\301\073\333\120
-\223\176\345\320\216\037\067\270\275\272\306\237\154\351\174\063
-\362\062\074\046\107\372\047\044\002\311\176\035\133\210\102\023
-\152\065\174\175\065\351\056\146\221\162\223\325\062\046\304\164
-\365\123\243\263\135\232\366\011\313\002\003\001\000\001\243\201
-\310\060\201\305\060\017\006\003\125\035\023\001\001\377\004\005
-\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\306\060\037\006\003\125\035\021\004\030\060\026
-\201\024\160\153\151\055\157\160\163\100\164\162\165\163\164\144
-\163\164\056\143\157\155\060\142\006\003\125\035\040\004\133\060
-\131\060\127\006\012\140\206\110\001\145\003\002\001\001\001\060
-\111\060\107\006\010\053\006\001\005\005\007\002\001\026\073\150
-\164\164\160\072\057\057\167\167\167\056\164\162\165\163\164\144
-\163\164\056\143\157\155\057\143\145\162\164\151\146\151\143\141
-\164\145\163\057\160\157\154\151\143\171\057\101\103\105\123\055
-\151\156\144\145\170\056\150\164\155\154\060\035\006\003\125\035
-\016\004\026\004\024\011\162\006\116\030\103\017\345\326\314\303
-\152\213\061\173\170\217\250\203\270\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\243\330\216
-\326\262\333\316\005\347\062\315\001\323\004\003\345\166\344\126
-\053\234\231\220\350\010\060\154\337\175\075\356\345\277\265\044
-\100\204\111\341\321\050\256\304\302\072\123\060\210\361\365\167
-\156\121\312\372\377\231\257\044\137\033\240\375\362\254\204\312
-\337\251\360\137\004\056\255\026\277\041\227\020\201\075\343\377
-\207\215\062\334\224\345\107\212\136\152\023\311\224\225\075\322
-\356\310\064\225\320\200\324\255\062\010\200\124\074\340\275\122
-\123\327\122\174\262\151\077\177\172\317\152\164\312\372\004\052
-\234\114\132\006\245\351\040\255\105\146\017\151\361\335\277\351
-\343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
-\370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
-\256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
-\150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
-\064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
-\367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
-\363\267\240\247\315\345\172\063\066\152\372\232\053
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "DST ACES CA X6"
-# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
-# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Not Valid Before: Thu Nov 20 21:19:58 2003
-# Not Valid After : Mon Nov 20 21:19:58 2017
-# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
-# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "DST ACES CA X6"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\100\124\332\157\034\077\100\164\254\355\017\354\315\333\171\321
-\123\373\220\035
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\041\330\114\202\053\231\011\063\242\353\024\044\215\216\137\350
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
-\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
-\123\124\040\101\103\105\123\040\103\101\040\130\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
-\025\331
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "SwissSign Platinum CA - G2"
 #
 # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4e:b2:00:67:0c:03:5d:4f
 # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
 # Not Valid Before: Wed Oct 25 08:36:00 2006
 # Not Valid After : Sat Oct 25 08:36:00 2036
 # Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
@@ -6912,152 +6769,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \231\052
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Security Communication EV RootCA1"
-#
-# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Serial Number: 0 (0x0)
-# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Not Valid Before: Wed Jun 06 02:12:32 2007
-# Not Valid After : Sat Jun 06 02:12:32 2037
-# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
-# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Security Communication EV RootCA1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
-\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
-\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
-\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
-\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
-\101\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
-\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
-\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
-\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
-\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
-\101\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045
-\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124
-\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056
-\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041
-\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151
-\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101
-\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063
-\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062
-\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120
-\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115
-\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103
-\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013
-\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165
-\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164
-\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171
-\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215
-\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204
-\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007
-\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111
-\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016
-\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130
-\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355
-\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071
-\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035
-\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265
-\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305
-\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017
-\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124
-\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065
-\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061
-\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006
-\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202
-\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
-\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227
-\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326
-\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350
-\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376
-\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231
-\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045
-\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031
-\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333
-\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117
-\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174
-\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
-\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
-\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
-\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
-\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
-\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
-\164
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Security Communication EV RootCA1"
-# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Serial Number: 0 (0x0)
-# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Not Valid Before: Wed Jun 06 02:12:32 2007
-# Not Valid After : Sat Jun 06 02:12:32 2037
-# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
-# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Security Communication EV RootCA1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050
-\206\145\144\175
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
-\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
-\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
-\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
-\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
-\101\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "OISTE WISeKey Global Root GA CA"
 #
 # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
 # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
 # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
 # Not Valid Before: Sun Dec 11 16:03:44 2005
 # Not Valid After : Fri Dec 11 16:09:51 2037
 # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
@@ -14474,179 +14195,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \147\266
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "CA Disig Root R1"
-#
-# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Serial Number:00:c3:03:9a:ee:50:90:6e:28
-# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Not Valid Before: Thu Jul 19 09:06:56 2012
-# Not Valid After : Sat Jul 19 09:06:56 2042
-# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
-# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CA Disig Root R1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
-\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
-\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
-\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
-\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
-\164\040\122\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
-\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
-\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
-\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
-\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
-\164\040\122\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\011\000\303\003\232\356\120\220\156\050
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\151\060\202\003\121\240\003\002\001\002\002\011\000
-\303\003\232\356\120\220\156\050\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\060\122\061\013\060\011\006\003\125
-\004\006\023\002\123\113\061\023\060\021\006\003\125\004\007\023
-\012\102\162\141\164\151\163\154\141\166\141\061\023\060\021\006
-\003\125\004\012\023\012\104\151\163\151\147\040\141\056\163\056
-\061\031\060\027\006\003\125\004\003\023\020\103\101\040\104\151
-\163\151\147\040\122\157\157\164\040\122\061\060\036\027\015\061
-\062\060\067\061\071\060\071\060\066\065\066\132\027\015\064\062
-\060\067\061\071\060\071\060\066\065\066\132\060\122\061\013\060
-\011\006\003\125\004\006\023\002\123\113\061\023\060\021\006\003
-\125\004\007\023\012\102\162\141\164\151\163\154\141\166\141\061
-\023\060\021\006\003\125\004\012\023\012\104\151\163\151\147\040
-\141\056\163\056\061\031\060\027\006\003\125\004\003\023\020\103
-\101\040\104\151\163\151\147\040\122\157\157\164\040\122\061\060
-\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000
-\252\303\170\367\334\230\243\247\132\136\167\030\262\335\004\144
-\017\143\375\233\226\011\200\325\350\252\245\342\234\046\224\072
-\350\231\163\214\235\337\327\337\203\363\170\117\100\341\177\322
-\247\322\345\312\023\223\347\355\306\167\137\066\265\224\257\350
-\070\216\333\233\345\174\273\314\215\353\165\163\341\044\315\346
-\247\055\031\056\330\326\212\153\024\353\010\142\012\330\334\263
-\000\115\303\043\174\137\103\010\043\062\022\334\355\014\255\300
-\175\017\245\172\102\331\132\160\331\277\247\327\001\034\366\233
-\253\216\267\112\206\170\240\036\126\061\256\357\202\012\200\101
-\367\033\311\256\253\062\046\324\054\153\355\175\153\344\342\136
-\042\012\105\313\204\061\115\254\376\333\321\107\272\371\140\227
-\071\261\145\307\336\373\231\344\012\042\261\055\115\345\110\046
-\151\253\342\252\363\373\374\222\051\062\351\263\076\115\037\047
-\241\315\216\271\027\373\045\076\311\156\363\167\332\015\022\366
-\135\307\273\066\020\325\124\326\363\340\342\107\110\346\336\024
-\332\141\122\257\046\264\365\161\117\311\327\322\006\337\143\312
-\377\041\350\131\006\340\010\325\204\025\123\367\103\345\174\305
-\240\211\230\153\163\306\150\316\145\336\275\177\005\367\261\356
-\366\127\241\140\225\305\314\352\223\072\276\231\256\233\002\243
-\255\311\026\265\316\335\136\231\170\176\032\071\176\262\300\005
-\244\300\202\245\243\107\236\214\352\134\266\274\147\333\346\052
-\115\322\004\334\243\256\105\367\274\213\234\034\247\326\325\003
-\334\010\313\056\026\312\134\100\063\350\147\303\056\347\246\104
-\352\021\105\034\065\145\055\036\105\141\044\033\202\056\245\235
-\063\135\145\370\101\371\056\313\224\077\037\243\014\061\044\104
-\355\307\136\255\120\272\306\101\233\254\360\027\145\300\370\135
-\157\133\240\012\064\074\356\327\352\210\237\230\371\257\116\044
-\372\227\262\144\166\332\253\364\355\343\303\140\357\325\371\002
-\310\055\237\203\257\147\151\006\247\061\125\325\317\113\157\377
-\004\005\307\130\254\137\026\033\345\322\243\353\061\333\037\063
-\025\115\320\362\245\123\365\313\341\075\116\150\055\330\022\335
-\252\362\346\115\233\111\345\305\050\241\272\260\132\306\240\265
-\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035
-\016\004\026\004\024\211\012\264\070\223\032\346\253\356\233\221
-\030\371\365\074\076\065\320\323\202\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\002\001\000\062\213\366
-\235\112\311\276\024\345\214\254\070\312\072\011\324\033\316\206
-\263\335\353\324\272\050\276\022\256\105\054\004\164\254\023\121
-\305\130\030\146\115\202\332\325\334\223\300\047\341\276\174\237
-\122\236\022\126\366\325\234\251\364\165\234\372\067\022\217\034
-\223\354\127\376\007\017\253\325\022\367\017\256\141\136\126\200
-\111\365\374\060\365\233\117\037\101\057\034\204\323\211\307\342
-\332\002\166\355\011\317\154\301\270\034\203\034\026\372\224\315
-\175\240\310\030\322\310\235\156\365\275\151\324\155\075\065\350
-\036\242\117\140\327\007\051\374\262\243\244\235\156\025\222\126
-\031\114\012\260\351\174\322\031\115\102\106\354\275\375\366\127
-\133\335\230\176\244\115\314\162\003\203\130\135\357\223\072\101
-\172\143\252\174\072\250\365\254\244\321\335\242\055\266\052\374
-\237\001\216\342\020\261\304\312\344\147\333\125\045\031\077\375
-\350\066\176\263\341\341\201\257\021\026\213\120\227\140\031\202
-\000\300\153\115\163\270\321\023\007\076\352\266\061\117\360\102
-\232\155\342\021\164\345\224\254\215\204\225\074\041\257\305\332
-\107\310\337\071\142\142\313\133\120\013\327\201\100\005\234\233
-\355\272\266\213\036\004\157\226\040\071\355\244\175\051\333\110
-\316\202\334\324\002\215\035\004\061\132\307\113\360\154\141\122
-\327\264\121\302\201\154\315\341\373\247\241\322\222\166\317\261
-\017\067\130\244\362\122\161\147\077\014\210\170\200\211\301\310
-\265\037\222\143\276\247\172\212\126\054\032\250\246\234\265\135
-\263\143\320\023\040\241\353\221\154\320\215\175\257\337\013\344
-\027\271\206\236\070\261\224\014\130\214\340\125\252\073\143\155
-\232\211\140\270\144\052\222\306\067\364\176\103\103\267\163\350
-\001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
-\153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
-\243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
-\200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
-\103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
-\016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
-\360\343\355\144\236\075\057\226\122\117\200\123\213
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "CA Disig Root R1"
-# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Serial Number:00:c3:03:9a:ee:50:90:6e:28
-# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Not Valid Before: Thu Jul 19 09:06:56 2012
-# Not Valid After : Sat Jul 19 09:06:56 2042
-# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
-# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CA Disig Root R1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\216\034\164\370\246\040\271\345\212\364\141\372\354\053\107\126
-\121\032\122\306
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\276\354\021\223\232\365\151\041\274\327\301\300\147\211\314\052
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
-\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
-\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
-\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
-\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
-\164\040\122\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\011\000\303\003\232\356\120\220\156\050
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "CA Disig Root R2"
 #
 # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:92:b8:88:db:b0:8a:c1:63
 # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Not Valid Before: Thu Jul 19 09:15:30 2012
 # Not Valid After : Sat Jul 19 09:15:30 2042
 # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
@@ -17668,198 +17226,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \112\330\154
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-#
-# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
-# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Not Valid Before: Thu Mar 26 00:00:00 2009
-# Not Valid After : Sun Mar 24 23:59:59 2019
-# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
-# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\265\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\073\060\071\006\003
-\125\004\013\023\062\124\145\162\155\163\040\157\146\040\165\163
-\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167
-\056\166\145\162\151\163\151\147\156\056\143\157\155\057\162\160
-\141\040\050\143\051\060\071\061\057\060\055\006\003\125\004\003
-\023\046\126\145\162\151\123\151\147\156\040\103\154\141\163\163
-\040\063\040\123\145\143\165\162\145\040\123\145\162\166\145\162
-\040\103\101\040\055\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
-\005\256
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\071\060\202\004\041\240\003\002\001\002\002\020\057
-\000\156\315\027\160\146\347\137\243\202\012\171\037\005\256\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\312\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\061\037\060\035\006\003\125\004\013
-\023\026\126\145\162\151\123\151\147\156\040\124\162\165\163\164
-\040\116\145\164\167\157\162\153\061\072\060\070\006\003\125\004
-\013\023\061\050\143\051\040\062\060\060\066\040\126\145\162\151
-\123\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162
-\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040
-\157\156\154\171\061\105\060\103\006\003\125\004\003\023\074\126
-\145\162\151\123\151\147\156\040\103\154\141\163\163\040\063\040
-\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\040\055\040\107\065\060\036\027\015\060
-\071\060\063\062\066\060\060\060\060\060\060\132\027\015\061\071
-\060\063\062\064\062\063\065\071\065\071\132\060\201\265\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006
-\003\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040
-\111\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126
-\145\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145
-\164\167\157\162\153\061\073\060\071\006\003\125\004\013\023\062
-\124\145\162\155\163\040\157\146\040\165\163\145\040\141\164\040
-\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
-\163\151\147\156\056\143\157\155\057\162\160\141\040\050\143\051
-\060\071\061\057\060\055\006\003\125\004\003\023\046\126\145\162
-\151\123\151\147\156\040\103\154\141\163\163\040\063\040\123\145
-\143\165\162\145\040\123\145\162\166\145\162\040\103\101\040\055
-\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\324\126\217\127\073\067\050\246\100\143\322\225
-\325\005\164\332\265\031\152\226\326\161\127\057\342\300\064\214
-\240\225\263\214\341\067\044\363\056\355\103\105\005\216\211\327
-\372\332\112\265\370\076\215\116\307\371\111\120\105\067\100\237
-\164\252\240\121\125\141\361\140\204\211\245\236\200\215\057\260
-\041\252\105\202\304\317\264\024\177\107\025\040\050\202\260\150
-\022\300\256\134\007\327\366\131\314\313\142\126\134\115\111\377
-\046\210\253\124\121\072\057\112\332\016\230\342\211\162\271\374
-\367\150\074\304\037\071\172\313\027\201\363\014\255\017\334\141
-\142\033\020\013\004\036\051\030\161\136\142\313\103\336\276\061
-\272\161\002\031\116\046\251\121\332\214\144\151\003\336\234\375
-\175\375\173\141\274\374\204\174\210\134\264\303\173\355\137\053
-\106\022\361\375\000\001\232\213\133\351\243\005\056\217\056\133
-\336\363\033\170\370\146\221\010\300\136\316\325\260\066\312\324
-\250\173\240\175\371\060\172\277\370\335\031\121\053\040\272\376
-\247\317\241\116\260\147\365\200\252\053\203\056\322\216\124\211
-\216\036\051\013\002\003\001\000\001\243\202\001\054\060\202\001
-\050\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
-\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\006\060\051\006\003\125\035\021\004\042\060\040
-\244\036\060\034\061\032\060\030\006\003\125\004\003\023\021\103
-\154\141\163\163\063\103\101\062\060\064\070\055\061\055\065\062
-\060\035\006\003\125\035\016\004\026\004\024\245\357\013\021\316
-\300\101\003\243\112\145\220\110\262\034\340\127\055\175\107\060
-\146\006\003\125\035\040\004\137\060\135\060\133\006\013\140\206
-\110\001\206\370\105\001\007\027\003\060\114\060\043\006\010\053
-\006\001\005\005\007\002\001\026\027\150\164\164\160\163\072\057
-\057\144\056\163\171\155\143\142\056\143\157\155\057\143\160\163
-\060\045\006\010\053\006\001\005\005\007\002\002\060\031\032\027
-\150\164\164\160\163\072\057\057\144\056\163\171\155\143\142\056
-\143\157\155\057\162\160\141\060\057\006\003\125\035\037\004\050
-\060\046\060\044\240\042\240\040\206\036\150\164\164\160\072\057
-\057\163\056\163\171\155\143\142\056\143\157\155\057\160\143\141
-\063\055\147\065\056\143\162\154\060\037\006\003\125\035\043\004
-\030\060\026\200\024\177\323\145\247\302\335\354\273\360\060\011
-\363\103\071\372\002\257\063\061\063\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\053\216\024
-\314\354\206\010\140\067\213\154\145\211\045\041\336\057\122\242
-\007\236\130\323\263\026\170\001\231\121\225\264\023\167\314\167
-\335\013\134\201\067\326\276\366\142\326\004\067\013\030\163\232
-\323\366\301\242\036\155\234\273\214\021\346\076\022\136\007\137
-\013\203\134\164\002\340\120\364\261\046\033\155\306\350\351\277
-\115\271\001\025\031\354\120\232\371\021\360\201\130\103\054\115
-\021\100\263\132\106\010\246\136\163\241\210\022\065\214\377\003
-\072\275\326\235\372\347\334\226\271\032\144\076\304\375\331\012
-\266\145\236\272\245\250\130\374\073\042\360\242\127\356\212\127
-\107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
-\264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
-\366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
-\134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
-\354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
-\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
-\145\110\041\012\057\327\334\176\240\314\145\176\171
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
-# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Not Valid Before: Thu Mar 26 00:00:00 2009
-# Not Valid After : Sun Mar 24 23:59:59 2019
-# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
-# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\166\104\131\170\033\254\260\107\143\245\320\241\130\221\145\046
-\037\051\216\073
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\277\022\155\372\174\325\133\046\171\072\215\252\021\357\057\134
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
-\005\256
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Staat der Nederlanden Root CA - G3"
 #
 # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
 # Serial Number: 10003001 (0x98a239)
 # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
 # Not Valid Before: Thu Nov 14 11:28:42 2013
 # Not Valid After : Mon Nov 13 23:00:00 2028
 # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -41,18 +41,18 @@
  *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 20
-#define NSS_BUILTINS_LIBRARY_VERSION "2.20"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
+#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -1979,60 +1979,66 @@ sec_GetHashMechanismByOidTag(SECOidTag t
 {
     switch (tag) {
         case SEC_OID_SHA512:
             return CKM_SHA512;
         case SEC_OID_SHA384:
             return CKM_SHA384;
         case SEC_OID_SHA256:
             return CKM_SHA256;
+        case SEC_OID_SHA224:
+            return CKM_SHA224;
+        case SEC_OID_SHA1:
+            return CKM_SHA_1;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        /* fallthrough */
-        case SEC_OID_SHA1:
-            break;
+            return CKM_INVALID_MECHANISM;
     }
-    return CKM_SHA_1;
 }
 
 static CK_RSA_PKCS_MGF_TYPE
 sec_GetMgfTypeByOidTag(SECOidTag tag)
 {
     switch (tag) {
         case SEC_OID_SHA512:
             return CKG_MGF1_SHA512;
         case SEC_OID_SHA384:
             return CKG_MGF1_SHA384;
         case SEC_OID_SHA256:
             return CKG_MGF1_SHA256;
+        case SEC_OID_SHA224:
+            return CKG_MGF1_SHA224;
+        case SEC_OID_SHA1:
+            return CKG_MGF1_SHA1;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        /* fallthrough */
-        case SEC_OID_SHA1:
-            break;
+            return 0;
     }
-    return CKG_MGF1_SHA1;
 }
 
 SECStatus
 sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
                             const SECKEYRSAPSSParams *params)
 {
     SECStatus rv = SECSuccess;
     SECOidTag hashAlgTag;
     unsigned long saltLength;
+    unsigned long trailerField;
 
     PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
 
     if (params->hashAlg) {
         hashAlgTag = SECOID_GetAlgorithmTag(params->hashAlg);
     } else {
         hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
     }
     mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
+    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+        return SECFailure;
+    }
 
     if (params->maskAlg) {
         SECAlgorithmID maskHashAlg;
         SECOidTag maskHashAlgTag;
         PORTCheapArenaPool tmpArena;
 
         if (SECOID_GetAlgorithmTag(params->maskAlg) != SEC_OID_PKCS1_MGF1) {
             /* only MGF1 is known to PKCS#11 */
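Review bot: In `sec_GetMgfTypeByOidTag` the failure value is a bare `return 0;`, and the caller in the next hunk tests `mech->mgf == 0`, so the two sites are coupled through an unnamed magic number. The hash helper beside it returns the named `CKM_INVALID_MECHANISM`, which reads much more clearly. A comment above the `return 0;`, for example `/* 0 is not a valid CKG_MGF1_* value; callers treat it as failure */`, would make the contract explicit. sec_RSAPSSParamsToMechanism continues past the end of this hunk.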
@@ -2045,24 +2051,40 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
                                     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
                                     &params->maskAlg->parameters);
         PORT_DestroyCheapArena(&tmpArena);
         if (rv != SECSuccess) {
             return rv;
         }
         maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
         mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
+        if (mech->mgf == 0) {
+            return SECFailure;
+        }
     } else {
         mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
     }
 
     if (params->saltLength.data) {
         rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
         if (rv != SECSuccess) {
             return rv;
         }
     } else {
         saltLength = 20; /* default, 20 */
     }
     mech->sLen = saltLength;
 
+    if (params->trailerField.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        if (trailerField != 1) {
+            /* the value must be 1, which represents the trailer field
+             * with hexadecimal value 0xBC */
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+    }
+
     return rv;
 }
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -535,17 +535,20 @@ CK_RV
 FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 {
     CK_RV crv;
 
     CHECK_FORK();
 
     crv = NSC_GetTokenInfo(slotID, pInfo);
     if (crv == CKR_OK) {
-        if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
+        /* use the global database to figure out if we are running in 
+         * FIPS 140 Level 1 or Level 2 */
+        if (slotID == FIPS_SLOT_ID &&
+            (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
             isLevel2 = PR_FALSE;
         }
     }
     return crv;
 }
 
 /*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
 CK_RV
@@ -611,17 +614,18 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
 
     if (sftk_fatalError)
         return CKR_DEVICE_ERROR;
     /* NSC_InitPIN will only work once per database. We can either initialize
      * it to level1 (pin len == 0) or level2. If we initialize to level 2, then
      * we need to make sure the pin meets FIPS requirements */
     if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
         rv = NSC_InitPIN(hSession, pPin, ulPinLen);
-        if (rv == CKR_OK) {
+        if ((rv == CKR_OK) &&
+            (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
             isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
         }
     }
     if (sftk_audit_enabled) {
         char msg[128];
         NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
         PR_snprintf(msg, sizeof msg,
                     "C_InitPIN(hSession=0x%08lX)=0x%08lX",
@@ -639,17 +643,18 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK
 {
     CK_RV rv;
 
     CHECK_FORK();
 
     if ((rv = sftk_fipsCheck()) == CKR_OK &&
         (rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
         rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
-        if (rv == CKR_OK) {
+        if ((rv == CKR_OK) &&
+            (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
             /* if we set the password in level1 we now go
              * to level2. NOTE: we don't allow the user to
              * go from level2 to level1 */
             isLevel2 = PR_TRUE;
         }
     }
     if (sftk_audit_enabled) {
         char msg[128];
@@ -700,21 +705,33 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSes
 {
     CK_RV rv;
     SFTK_FIPSFATALCHECK();
 
     CHECK_FORK();
 
     rv = NSC_GetSessionInfo(hSession, pInfo);
     if (rv == CKR_OK) {
-        if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
-            pInfo->state = CKS_RO_USER_FUNCTIONS;
-        }
-        if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
-            pInfo->state = CKS_RW_USER_FUNCTIONS;
+        /* handle the case where the auxilary slot doesn't require login.
+         * piggy back on the main token's login state */
+        if (isLoggedIn &&
+            ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
+             (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
+            CK_RV crv;
+            CK_TOKEN_INFO tInfo;
+            crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
+                                   &tInfo);
+            /* if the token doesn't login, use our global login state */
+            if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
+                if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
+                    pInfo->state = CKS_RO_USER_FUNCTIONS;
+                } else {
+                    pInfo->state = CKS_RW_USER_FUNCTIONS;
+                }
+            }
         }
     }
     return rv;
 }
 
 /* FC_Login logs a user into a token. */
 CK_RV
 FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
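Review bot: In `FC_GetSessionInfo` a failing `NSC_GetTokenInfo` is handled the same way as a token that requires login: the state is left as the public state, and nothing says this is intended. Since the reported state now depends on a second lookup, a short comment on the `crv == CKR_OK` test would help the next reader, e.g. `/* on lookup failure, or if the token requires login, report the state unchanged */`. The new comment also misspells "auxiliary" as "auxilary".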
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -2359,27 +2359,32 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBoo
     slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index],
                                                (void *)slotID);
     /* cleared slots shouldn't 'show up' */
     if (slot && !all && !slot->present)
         slot = NULL;
     return slot;
 }
 
-SFTKSlot *
-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+CK_SLOT_ID
+sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
 {
     CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
     CK_ULONG moduleIndex = (handle >> 31) & 1;
 
     if (slotIDIndex >= nscSlotCount[moduleIndex]) {
-        return NULL;
-    }
-
-    return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
+        return (CK_SLOT_ID)-1;
+    }
+    return nscSlotList[moduleIndex][slotIDIndex];
+}
+
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+    return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
 }
 
 static CK_RV
 sftk_RegisterSlot(SFTKSlot *slot, int moduleIndex)
 {
     PLHashEntry *entry;
     unsigned int index;
 
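Review bot: `sftk_SlotIDFromSessionHandle` reports an out-of-range handle as `(CK_SLOT_ID)-1`, an undocumented sentinel that callers must assume never matches a real slot ID. `sftk_SlotFromSessionHandle` used to return NULL itself in that case and now passes the sentinel into `sftk_SlotFromID`, relying on the lookup to fail. The start of `sftk_SlotFromID` is outside this hunk, so how it derives the table index from that value cannot be confirmed here. A header comment on the new function, `/* returns (CK_SLOT_ID)-1 if the handle does not map to a registered slot */`, would record the contract that the fipstokn.c callers depend on.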
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -662,16 +662,17 @@ extern CK_RV sftk_searchObjectList(SFTKS
 extern SFTKObjectListElement *sftk_FreeObjectListElement(
     SFTKObjectListElement *objectList);
 extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
 extern void sftk_FreeSearch(SFTKSearchResults *search);
 extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
 
 extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
 extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
 extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
 extern void sftk_FreeSession(SFTKSession *session);
 extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
                                     CK_VOID_PTR pApplication, CK_FLAGS flags);
 extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session);
 extern void sftk_update_all_states(SFTKSlot *slot);
 extern void sftk_FreeContext(SFTKSessionContext *context);
 extern void sftk_InitFreeLists(void);
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -32,16 +32,17 @@
 #include "prsystem.h" /* for PR_GetDirectorySeparator() */
 #include <sys/stat.h>
 #if defined(_WIN32)
 #include <io.h>
 #include <windows.h>
 #elif defined(XP_UNIX)
 #include <unistd.h>
 #endif
+#include "utilpars.h"
 
 #ifdef SQLITE_UNSAFE_THREADS
 #include "prlock.h"
 /*
  * SQLite can be compiled to be thread safe or not.
  * turn on SQLITE_UNSAFE_THREADS if the OS does not support
  * a thread safe version of sqlite.
  */
@@ -185,16 +186,44 @@ sdb_done(int err, int *count)
     }
     /* err == SQLITE_BUSY, Dont' retry forever in this case */
     if (++(*count) >= SDB_MAX_BUSY_RETRIES) {
         return 1;
     }
     return 0;
 }
 
+#if defined(_WIN32)
+/*
+ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
+ * sqlite3 expects.
+ */
+
+static int
+sdb_chmod(const char *filename, int pmode)
+{
+    int result;
+
+    if (!filename) {
+        return -1;
+    }
+
+    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+    if (!filenameWide) {
+        return -1;
+    }
+    result = _wchmod(filenameWide, pmode);
+    PORT_Free(filenameWide);
+
+    return result;
+}
+#else
+#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
+#endif
+
 /*
  * find out where sqlite stores the temp tables. We do this by replicating
  * the logic from sqlite.
  */
 #if defined(_WIN32)
 static char *
 sdb_getFallbackTempDir(void)
 {
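Review bot: The Windows `sdb_chmod` wrapper is called with `0600`, but the CRT `_wchmod` only toggles the read-only attribute and does not limit access by other accounts the way the POSIX call does. The block comment above it explains the UTF-8 motivation but not this difference, so a reader could assume the database ends up owner-only on Windows. I would add `/* note: on Windows this only controls the read-only attribute; access by other users is governed by the directory ACL */`. The function that starts on the last lines of the hunk continues outside it.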
@@ -1734,34 +1763,34 @@ sdb_init(char *dbname, char *table, sdbD
     *pSdb = NULL;
     *inUpdate = 0;
 
     /* sqlite3 doesn't have a flag to specify that we want to
      * open the database read only. If the db doesn't exist,
      * sqlite3 will always create it.
      */
     LOCK_SQLITE();
-    create = (PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
+    create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
     if ((flags == SDB_RDONLY) && create) {
         error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
         goto loser;
     }
     sqlerr = sdb_openDB(dbname, &sqlDB, flags);
     if (sqlerr != SQLITE_OK) {
         error = sdb_mapSQLError(type, sqlerr);
         goto loser;
     }
 
     /*
      * SQL created the file, but it doesn't set appropriate modes for
      * a database.
      *
      * NO NSPR call for chmod? :(
      */
-    if (create && chmod(dbname, 0600) != 0) {
+    if (create && sdb_chmod(dbname, 0600) != 0) {
         error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
         goto loser;
     }
 
     if (flags != SDB_RDONLY) {
         sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL);
         if (sqlerr != SQLITE_OK) {
             error = sdb_mapSQLError(type, sqlerr);
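Review bot: `sdb_chmod(dbname, 0600)` narrows the mode only after `sdb_openDB` has created the file, so a new database briefly exists with whatever mode sqlite and the process umask gave it. The change keeps that ordering and only swaps in the wide-character helpers. If the gap is accepted, the existing comment should say so, e.g. `/* the file is briefly created with the default mode; it is tightened here */`. Otherwise a restrictive umask around the open would close it on Unix. sdb_init begins and ends outside this hunk.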
--- a/security/nss/lib/softoken/sdb.h
+++ b/security/nss/lib/softoken/sdb.h
@@ -78,16 +78,20 @@ struct SDBStr {
 };
 
 CK_RV s_open(const char *directory, const char *certPrefix,
              const char *keyPrefix,
              int cert_version, int key_version,
              int flags, SDB **certdb, SDB **keydb, int *newInit);
 CK_RV s_shutdown();
 
+#if defined(_WIN32)
+wchar_t *sdb_UTF8ToWide(const char *buf);
+#endif
+
 /* flags */
 #define SDB_RDONLY 1
 #define SDB_RDWR 2
 #define SDB_CREATE 4
 #define SDB_HAS_META 8
 #define SDB_FIPS 0x10
 
 #endif
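Review bot: The new prototype `wchar_t *sdb_UTF8ToWide(const char *buf);` does not match any definition in this change. The conversion helper that sdb.c and utilmod.c actually call is `_NSSUTIL_UTF8ToWide`, so this looks like a leftover from an earlier revision of the patch, though the rest of sdb.c is not visible here. If nothing defines it, the three added lines should be dropped so the header does not advertise a function that fails at link time. The header also uses `wchar_t` without an include that visibly provides it.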
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -23,16 +23,19 @@
 #include "pkcs11i.h"
 #include "sdb.h"
 #include "prprf.h"
 #include "pratom.h"
 #include "lgglue.h"
 #include "utilpars.h"
 #include "secerr.h"
 #include "softoken.h"
+#if defined(_WIN32)
+#include <windows.h>
+#endif
 
 /*
  * We want all databases to have the same binary representation independent of
  * endianness or length of the host architecture. In general PKCS #11 attributes
  * are endian/length independent except those attributes that pass CK_ULONG.
  *
  * The following functions fixes up the CK_ULONG type attributes so that the data
  * base sees a machine independent view. CK_ULONGs are stored as 4 byte network
@@ -2504,16 +2507,63 @@ sftk_oldVersionExists(const char *dir, i
         PR_smprintf_free(file);
         if (exists == PR_SUCCESS) {
             return PR_TRUE;
         }
     }
     return PR_FALSE;
 }
 
+#if defined(_WIN32)
+/*
+ * Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
+ * current system codepage). Fails if the path contains a character outside
+ * the current system codepage.
+ */
+static char *
+sftk_legacyPathFromSDBPath(const char *confdir)
+{
+    wchar_t *confdirWide;
+    DWORD size;
+    char *nconfdir;
+    BOOL unmappable;
+
+    if (!confdir) {
+        return NULL;
+    }
+    confdirWide = _NSSUTIL_UTF8ToWide(confdir);
+    if (!confdirWide) {
+        return NULL;
+    }
+
+    size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+                               NULL, 0, NULL, &unmappable);
+    if (size == 0 || unmappable) {
+        PORT_Free(confdirWide);
+        return NULL;
+    }
+    nconfdir = PORT_Alloc(sizeof(char) * size);
+    if (!nconfdir) {
+        PORT_Free(confdirWide);
+        return NULL;
+    }
+    size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+                               nconfdir, size, NULL, &unmappable);
+    PORT_Free(confdirWide);
+    if (size == 0 || unmappable) {
+        PORT_Free(nconfdir);
+        return NULL;
+    }
+
+    return nconfdir;
+}
+#else
+#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
+#endif
+
 static PRBool
 sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
                  const char *keyPrefix, int certVersion, int keyVersion)
 {
     char *dir;
     PRBool exists;
 
     if (certPrefix == NULL) {
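Review bot: The two variants of `sftk_legacyPathFromSDBPath` disagree on a NULL argument: the Windows function returns NULL, while the `#else` macro passes it straight to `PORT_Strdup`, which is not visibly NULL-safe. Whether `confdir` can be NULL at the call sites in `sftk_DBInit` cannot be told from these hunks. Making the macro match costs one line: `#define sftk_legacyPathFromSDBPath(confdir) ((confdir) ? PORT_Strdup((confdir)) : NULL)`. The callers already treat a NULL result as "no legacy path", so behaviour would then be the same on every platform.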
@@ -2563,16 +2613,17 @@ sftk_DBInit(const char *configdir, const
     const char *confdir;
     NSSDBType dbType = NSS_DB_TYPE_NONE;
     char *appName = NULL;
     SDB *keySDB, *certSDB;
     CK_RV crv = CKR_OK;
     int flags = SDB_RDONLY;
     PRBool newInit = PR_FALSE;
     PRBool needUpdate = PR_FALSE;
+    char *nconfdir = NULL;
 
     if (!readOnly) {
         flags = SDB_CREATE;
     }
     if (isFIPS) {
         flags |= SDB_FIPS;
     }
 
@@ -2601,21 +2652,24 @@ sftk_DBInit(const char *configdir, const
             crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags,
                          noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
 
             /*
              * if we failed to open the DB's read only, use the old ones if
              * the exists.
              */
             if (crv != CKR_OK) {
-                if (((flags & SDB_RDONLY) == SDB_RDONLY) &&
-                    sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
+                if ((flags & SDB_RDONLY) == SDB_RDONLY) {
+                    nconfdir = sftk_legacyPathFromSDBPath(confdir);
+                }
+                if (nconfdir &&
+                    sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
                     /* we have legacy databases, if we failed to open the new format
                      * DB's read only, just use the legacy ones */
-                    crv = sftkdbCall_open(confdir, certPrefix,
+                    crv = sftkdbCall_open(nconfdir, certPrefix,
                                           keyPrefix, 8, 3, flags,
                                           noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
                 }
                 /* Handle the database merge case.
                  *
                  * For the merge case, we need help from the application. Only
                  * the application knows where the old database is, and what unique
                  * identifier it has associated with it.
@@ -2634,17 +2688,20 @@ sftk_DBInit(const char *configdir, const
                 confdir = updatedir;
                 certPrefix = updCertPrefix;
                 keyPrefix = updKeyPrefix;
                 needUpdate = PR_TRUE;
             } else if (newInit) {
                 /* if the new format DB was also a newly created DB, and we
                  * succeeded, then need to update that new database with data
                  * from the existing legacy DB */
-                if (sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
+                nconfdir = sftk_legacyPathFromSDBPath(confdir);
+                if (nconfdir &&
+                    sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
+                    confdir = nconfdir;
                     needUpdate = PR_TRUE;
                 }
             }
             break;
         default:
             crv = CKR_GENERAL_ERROR; /* can't happen, EvaluationConfigDir MUST
                                       * return one of the types we already
                                       * specified. */
@@ -2707,16 +2764,19 @@ sftk_DBInit(const char *configdir, const
                 sftkdb_Update(*certDB, NULL);
             }
         }
     }
 done:
     if (appName) {
         PORT_Free(appName);
     }
+    if (nconfdir) {
+        PORT_Free(nconfdir);
+    }
     return forceOpen ? CKR_OK : crv;
 }
 
 CK_RV
 sftkdb_Shutdown(void)
 {
     s_shutdown();
     sftkdbCall_Shutdown();
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -11,17 +11,17 @@
 #define __ssl3proto_h_
 
 typedef PRUint16 SSL3ProtocolVersion;
 /* version numbers are defined in sslproto.h */
 
 /* The TLS 1.3 draft version. Used to avoid negotiating
  * between incompatible pre-standard TLS 1.3 drafts.
  * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
-#define TLS_1_3_DRAFT_VERSION 22
+#define TLS_1_3_DRAFT_VERSION 23
 
 typedef PRUint16 ssl3CipherSuite;
 /* The cipher suites are defined in sslproto.h */
 
 #define MAX_CERT_TYPES 10
 #define MAX_MAC_LENGTH 64
 #define MAX_PADDING_LENGTH 64
 #define MAX_KEY_LENGTH 64
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -420,36 +420,38 @@ typedef enum {
     ssl_signature_algorithms_xtn = 13,
     ssl_use_srtp_xtn = 14,
     ssl_app_layer_protocol_xtn = 16,
     /* signed_certificate_timestamp extension, RFC 6962 */
     ssl_signed_cert_timestamp_xtn = 18,
     ssl_padding_xtn = 21,
     ssl_extended_master_secret_xtn = 23,
     ssl_session_ticket_xtn = 35,
-    ssl_tls13_key_share_xtn = 40,
+    /* 40 was used in draft versions of TLS 1.3; it is now reserved. */
     ssl_tls13_pre_shared_key_xtn = 41,
     ssl_tls13_early_data_xtn = 42,
     ssl_tls13_supported_versions_xtn = 43,
     ssl_tls13_cookie_xtn = 44,
     ssl_tls13_psk_key_exchange_modes_xtn = 45,
     ssl_tls13_ticket_early_data_info_xtn = 46, /* Deprecated. */
     ssl_tls13_certificate_authorities_xtn = 47,
+    ssl_signature_algorithms_cert_xtn = 50,
+    ssl_tls13_key_share_xtn = 51,
     ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
     ssl_renegotiation_info_xtn = 0xff01,
     ssl_tls13_short_header_xtn = 0xff03 /* Deprecated. */
 } SSLExtensionType;
 
 /* This is the old name for the supported_groups extensions. */
 #define ssl_elliptic_curves_xtn ssl_supported_groups_xtn
 
 /* SSL_MAX_EXTENSIONS includes the maximum number of extensions that are
  * supported for any single message type.  That is, a ClientHello; ServerHello
  * and TLS 1.3 NewSessionTicket and HelloRetryRequest extensions have fewer. */
-#define SSL_MAX_EXTENSIONS 19
+#define SSL_MAX_EXTENSIONS 20
 
 /* Deprecated */
 typedef enum {
     ssl_dhe_group_none = 0,
     ssl_ff_dhe_2048_group = 1,
     ssl_ff_dhe_3072_group = 2,
     ssl_ff_dhe_4096_group = 3,
     ssl_ff_dhe_6144_group = 4,
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -4720,16 +4720,18 @@ tls13_HandleNewSessionTicket(sslSocket *
 
 static const struct {
     PRUint16 ex_value;
     PRUint32 messages;
 } KnownExtensions[] = {
     { ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) },
+    { ssl_signature_algorithms_cert_xtn, _M2(client_hello,
+                                             certificate_request) },
     { ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_padding_xtn, _M1(client_hello) },
     { ssl_tls13_key_share_xtn, _M3(client_hello, server_hello,
                                    hello_retry_request) },
     { ssl_tls13_pre_shared_key_xtn, _M2(client_hello, server_hello) },
     { ssl_tls13_psk_key_exchange_modes_xtn, _M1(client_hello) },
     { ssl_tls13_early_data_xtn, _M3(client_hello, encrypted_extensions,
--- a/security/nss/lib/util/nssutil.def
+++ b/security/nss/lib/util/nssutil.def
@@ -310,8 +310,16 @@ PK11URI_GetQueryAttribute;
 ;+NSSUTIL_3.33 {         # NSS Utilities 3.33 release
 ;+    global:
 PORT_ZAllocAligned_Util;
 PORT_ZAllocAlignedOffset_Util;
 NSS_SecureMemcmpZero;
 ;+    local:
 ;+       *;
 ;+};
+;-NSSUTIL_3.35 {         # NSS Utilities 3.35 release
+;-    global:
+;-# private exports for softoken
+_NSSUTIL_UTF8ToWide;-
+_NSSUTIL_Access;-
+;-    local:
+;-       *;
+;-};
--- a/security/nss/lib/util/utilmod.c
+++ b/security/nss/lib/util/utilmod.c
@@ -19,43 +19,215 @@
 #include "prprf.h"
 #include "prsystem.h"
 #include "secport.h"
 #include "utilpars.h"
 #include "secerr.h"
 
 #if defined(_WIN32)
 #include <io.h>
+#include <windows.h>
 #endif
 #ifdef XP_UNIX
 #include <unistd.h>
 #endif
 
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 
 #if defined(_WIN32)
-#define os_open _open
 #define os_fdopen _fdopen
-#define os_stat _stat
 #define os_truncate_open_flags _O_CREAT | _O_RDWR | _O_TRUNC
 #define os_append_open_flags _O_CREAT | _O_RDWR | _O_APPEND
 #define os_open_permissions_type int
 #define os_open_permissions_default _S_IREAD | _S_IWRITE
 #define os_stat_type struct _stat
+
+/*
+ * Convert a UTF8 string to Unicode wide character
+ */
+LPWSTR
+_NSSUTIL_UTF8ToWide(const char *buf)
+{
+    DWORD size;
+    LPWSTR wide;
+
+    if (!buf) {
+        return NULL;
+    }
+
+    size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0);
+    if (size == 0) {
+        return NULL;
+    }
+    wide = PORT_Alloc(sizeof(WCHAR) * size);
+    if (!wide) {
+        return NULL;
+    }
+    size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size);
+    if (size == 0) {
+        PORT_Free(wide);
+        return NULL;
+    }
+    return wide;
+}
+
+static int
+os_open(const char *filename, int oflag, int pmode)
+{
+    int fd;
+
+    if (!filename) {
+        return -1;
+    }
+
+    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+    if (!filenameWide) {
+        return -1;
+    }
+    fd = _wopen(filenameWide, oflag, pmode);
+    PORT_Free(filenameWide);
+
+    return fd;
+}
+
+static int
+os_stat(const char *path, os_stat_type *buffer)
+{
+    int result;
+
+    if (!path) {
+        return -1;
+    }
+
+    wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
+    if (!pathWide) {
+        return -1;
+    }
+    result = _wstat(pathWide, buffer);
+    PORT_Free(pathWide);
+
+    return result;
+}
+
+static FILE *
+os_fopen(const char *filename, const char *mode)
+{
+    FILE *fp;
+
+    if (!filename || !mode) {
+        return NULL;
+    }
+
+    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+    if (!filenameWide) {
+        return NULL;
+    }
+    wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode);
+    if (!modeWide) {
+        PORT_Free(filenameWide);
+        return NULL;
+    }
+    fp = _wfopen(filenameWide, modeWide);
+    PORT_Free(filenameWide);
+    PORT_Free(modeWide);
+
+    return fp;
+}
+
+PRStatus
+_NSSUTIL_Access(const char *path, PRAccessHow how)
+{
+    int result;
+
+    if (!path) {
+        return PR_FAILURE;
+    }
+
+    int mode;
+    switch (how) {
+        case PR_ACCESS_WRITE_OK:
+            mode = 2;
+            break;
+        case PR_ACCESS_READ_OK:
+            mode = 4;
+            break;
+        case PR_ACCESS_EXISTS:
+            mode = 0;
+            break;
+        default:
+            return PR_FAILURE;
+    }
+
+    wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
+    if (!pathWide) {
+        return PR_FAILURE;
+    }
+    result = _waccess(pathWide, mode);
+    PORT_Free(pathWide);
+
+    return result < 0 ? PR_FAILURE : PR_SUCCESS;
+}
+
+static PRStatus
+nssutil_Delete(const char *name)
+{
+    BOOL result;
+
+    if (!name) {
+        return PR_FAILURE;
+    }
+
+    wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name);
+    if (!nameWide) {
+        return PR_FAILURE;
+    }
+    result = DeleteFileW(nameWide);
+    PORT_Free(nameWide);
+
+    return result ? PR_SUCCESS : PR_FAILURE;
+}
+
+static PRStatus
+nssutil_Rename(const char *from, const char *to)
+{
+    BOOL result;
+
+    if (!from || !to) {
+        return PR_FAILURE;
+    }
+
+    wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from);
+    if (!fromWide) {
+        return PR_FAILURE;
+    }
+    wchar_t *toWide = _NSSUTIL_UTF8ToWide(to);
+    if (!toWide) {
+        PORT_Free(fromWide);
+        return PR_FAILURE;
+    }
+    result = MoveFileW(fromWide, toWide);
+    PORT_Free(fromWide);
+    PORT_Free(toWide);
+
+    return result ? PR_SUCCESS : PR_FAILURE;
+}
 #else
+#define os_fopen fopen
 #define os_open open
 #define os_fdopen fdopen
 #define os_stat stat
 #define os_truncate_open_flags O_CREAT | O_RDWR | O_TRUNC
 #define os_append_open_flags O_CREAT | O_RDWR | O_APPEND
 #define os_open_permissions_type mode_t
 #define os_open_permissions_default 0600
 #define os_stat_type struct stat
+#define nssutil_Delete PR_Delete
+#define nssutil_Rename PR_Rename
 #endif
 
 /****************************************************************
  *
  * Secmod database.
  *
  * The new secmod database is simply a text file with each of the module
  * entries in the following form:
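Review bot: `_NSSUTIL_UTF8ToWide` calls `MultiByteToWideChar(CP_UTF8, 0, ...)`, and with flags `0` malformed UTF-8 is converted with replacement characters instead of being rejected. A path that is not valid UTF-8, such as one still in the legacy codepage, would then open, stat, rename or delete a different name than the caller passed. Using `MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, buf, -1, NULL, 0)` for the size query, and the same flag on the second call, makes the helper return NULL, which every wrapper in this hunk already handles. `_NSSUTIL_Access` is also defined only in the `_WIN32` branch here, so the non-Windows definition is presumably in utilpars.h, which is not visible.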
@@ -214,17 +386,17 @@ nssutil_ReadSecmodDB(const char *appName
     if (moduleList == NULL)
         return NULL;
 
     if (dbname == NULL) {
         goto return_default;
     }
 
     /* do we really want to use streams here */
-    fd = fopen(dbname, "r");
+    fd = os_fopen(dbname, "r");
     if (fd == NULL)
         goto done;
 
     /*
      * the following loop takes line separated config lines and collapses
      * the lines to a single string, escaping and quoting as necessary.
      */
     /* loop state variables */
@@ -398,17 +570,17 @@ done:
         PRStatus status;
 
         /* couldn't get the old name */
         if (!olddbname) {
             goto bail;
         }
 
         /* old one exists */
-        status = PR_Access(olddbname, PR_ACCESS_EXISTS);
+        status = _NSSUTIL_Access(olddbname, PR_ACCESS_EXISTS);
         if (status == PR_SUCCESS) {
             PR_smprintf_free(olddbname);
             PORT_ZFree(moduleList, useCount * sizeof(char *));
             PORT_SetError(SEC_ERROR_LEGACY_DATABASE);
             return NULL;
         }
 
     bail:
@@ -527,17 +699,17 @@ nssutil_DeleteSecmodDBEntry(const char *
     /* get the permissions of the existing file, or use the default */
     if (!os_stat(dbname, &stat_existing)) {
         file_mode = stat_existing.st_mode;
     } else {
         file_mode = os_open_permissions_default;
     }
 
     /* do we really want to use streams here */
-    fd = fopen(dbname, "r");
+    fd = os_fopen(dbname, "r");
     if (fd == NULL)
         goto loser;
 
     fd2 = lfopen(dbname2, lfopen_truncate, file_mode);
 
     if (fd2 == NULL)
         goto loser;
 
@@ -597,36 +769,36 @@ nssutil_DeleteSecmodDBEntry(const char *
         }
         /* we are definately not in a deleted block anymore */
         skip = PR_FALSE;
     }
     fclose(fd);
     fclose(fd2);
     if (found) {
         /* rename dbname2 to dbname */
-        PR_Delete(dbname);
-        PR_Rename(dbname2, dbname);
+        nssutil_Delete(dbname);
+        nssutil_Rename(dbname2, dbname);
     } else {
-        PR_Delete(dbname2);
+        nssutil_Delete(dbname2);
     }
     PORT_Free(dbname2);
     PORT_Free(lib);
     PORT_Free(name);
     PORT_Free(block);
     return SECSuccess;
 
 loser:
     if (fd != NULL) {
         fclose(fd);
     }
     if (fd2 != NULL) {
         fclose(fd2);
     }
     if (dbname2) {
-        PR_Delete(dbname2);
+        nssutil_Delete(dbname2);
         PORT_Free(dbname2);
     }
     PORT_Free(lib);
     PORT_Free(name);
     return SECFailure;
 }
 
 /*
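Review bot: The results of `nssutil_Delete(dbname)` and `nssutil_Rename(dbname2, dbname)` in the `found` branch are still discarded, so the function returns SECSuccess even when the rename fails after the original file has already been deleted, which would leave no module database at `dbname`. The new wrappers return a PRStatus, so the branch could record it, e.g. `if (nssutil_Rename(dbname2, dbname) != PR_SUCCESS) rv = SECFailure;`, with a local `rv` returned in place of the literal SECSuccess. A plain `goto loser` would not be safe at that point, because `fd` and `fd2` were already closed just above and `loser` would close them again. The delete-then-rename sequence is also not atomic, which deserves a one-line comment; the function begins outside this hunk.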
--- a/security/nss/lib/util/utilpars.c
+++ b/security/nss/lib/util/utilpars.c
@@ -584,16 +584,17 @@ struct nssutilArgSlotFlagTable {
 };
 
 #define NSSUTIL_ARG_ENTRY(arg, flag) \
     {                                \
         #arg, sizeof(#arg) - 1, flag \
     }
 static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = {
     NSSUTIL_ARG_ENTRY(RSA, SECMOD_RSA_FLAG),
+    NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG),
     NSSUTIL_ARG_ENTRY(DSA, SECMOD_RSA_FLAG),
     NSSUTIL_ARG_ENTRY(RC2, SECMOD_RC4_FLAG),
     NSSUTIL_ARG_ENTRY(RC4, SECMOD_RC2_FLAG),
     NSSUTIL_ARG_ENTRY(DES, SECMOD_DES_FLAG),
     NSSUTIL_ARG_ENTRY(DH, SECMOD_DH_FLAG),
     NSSUTIL_ARG_ENTRY(FORTEZZA, SECMOD_FORTEZZA_FLAG),
     NSSUTIL_ARG_ENTRY(RC5, SECMOD_RC5_FLAG),
     NSSUTIL_ARG_ENTRY(SHA1, SECMOD_SHA1_FLAG),
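Review bot: The entries next to the new ECC line pair names with differently named flags: `DSA` maps to `SECMOD_RSA_FLAG`, `RC2` to `SECMOD_RC4_FLAG` and `RC4` to `SECMOD_RC2_FLAG`, whereas the added `NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG)` is consistent. Those lines are unchanged context, and the mapping may be kept on purpose for compatibility with existing module database entries, which this hunk does not show. If it is intentional, a comment above the table such as `/* DSA and RC2/RC4 map to these flags on purpose; see bug <id> */` would stop the next reader from treating it as a typo; if it is not, it deserves its own bug because slot flags decide which mechanisms a slot is the default for. The table continues past the end of the hunk.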
--- a/security/nss/lib/util/utilpars.h
+++ b/security/nss/lib/util/utilpars.h
@@ -54,10 +54,16 @@ char *NSSUTIL_MkNSSString(char **slotStr
                           unsigned long cipherOrder, unsigned long ssl0, unsigned long ssl1);
 
 /*
  * private functions for softoken.
  */
 char *_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType,
                              char **appName, char **filename, PRBool *rw);
 const char *_NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType *dbType, char **app);
+#if defined(_WIN32)
+wchar_t *_NSSUTIL_UTF8ToWide(const char *buf);
+PRStatus _NSSUTIL_Access(const char *path, PRAccessHow how);
+#else
+#define _NSSUTIL_Access(path, how) PR_Access((path), (how))
+#endif
 
 #endif /* _UTILPARS_H_ */
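Review bot: The new `_NSSUTIL_UTF8ToWide` prototype has no comment stating who owns the returned buffer. The callers added in utilmod.c test the result for NULL and release it with `PORT_Free`, so the declaration could carry `/* Returns a newly allocated wide string, or NULL on failure; the caller frees it with PORT_Free. */`. It is also worth confirming that a header defining `wchar_t` is already included on the `_WIN32` path, since the includes are outside this hunk.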
--- a/security/nss/lib/util/utilparst.h
+++ b/security/nss/lib/util/utilparst.h
@@ -38,17 +38,17 @@
 /* default module configuration strings */
 #define NSSUTIL_DEFAULT_INTERNAL_INIT1 \
     "library= name=\"NSS Internal PKCS #11 Module\" parameters="
 #define NSSUTIL_DEFAULT_INTERNAL_INIT2 \
     " NSS=\"Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={"
 #define NSSUTIL_DEFAULT_INTERNAL_INIT3 \
     " askpw=any timeout=30})\""
 #define NSSUTIL_DEFAULT_SFTKN_FLAGS \
-    "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
+    "slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
 
 #define NSSUTIL_DEFAULT_CIPHER_ORDER 0
 #define NSSUTIL_DEFAULT_TRUST_ORDER 50
 #define NSSUTIL_ARG_ESCAPE '\\'
 
 /* hold slot default flags until we initialize a slot. This structure is only
  * useful between the time we define a module (either by hand or from the
  * database) and the time the module is loaded. Not reference counted  */
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@@ -132,8 +132,55 @@ The nss directory contains the following
 
 - `test` and `gtests` contain the NSS test suite. While `test` contains shell
   scripts to drive test programs in `cmd`, `gtests` holds a set of
   [gtests](https://github.com/google/googletest).
 
 A more comprehensible overview of the NSS folder structure and API guidelines
 can be found
 [here](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_API_Guidelines).
+
+## Build mechanisms related to FIPS compliance
+
+NSS supports build configurations for FIPS-140 compliance, and alternative build
+configurations that disable functionality specific to FIPS-140 compliance.
+
+This section documents the environment variables and build parameters that
+control these configurations.
+
+### Build FIPS startup tests
+
+The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests.
+If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.
+
+The legacy build system (make) by default disables these tests.
+To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.
+
+The gyp build system by default disables these tests.
+To enable these tests, pass parameter --enable-fips to build.sh.
+
+### Building either FIPS compliant or alternative compliant code
+
+The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code
+and enable alternative implementations.
+
+The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses
+the FIPS compliant code.
+
+The gyp build system by default defines NSS_FIPS_DISABLED.
+To use the FIPS compliant code, pass parameter --enable-fips to build.sh.
+
+### Test execution
+
+The NSS test suite may contain tests that are included, excluded, or are
+different based on the FIPS build configuration. To execute the correct tests,
+it's necessary to determine which build configuration was used.
+
+The legacy build system (make) uses environment variables to control all
+aspects of the build configuration, including FIPS build configuration.
+
+Because the gyp build system doesn't use environment variables to control the
+build configuration, the NSS tests cannot rely on environment variables to
+determine the build configuration.
+
+A helper binary named nss-build-flags is produced as part of the NSS build,
+which prints the C macro symbols that were defined at build time, and which are
+relevant to test execution.
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -290,32 +290,32 @@ cd `dirname $0`
 if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
     cd common
     . ./init.sh
 fi
 
 cycles="standard pkix upgradedb sharedb"
 CYCLES=${NSS_CYCLES:-$cycles}
 
-if [ -n "$NSS_FORCE_FIPS" ]; then
+NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT`
+if [ $NO_INIT_SUPPORT -eq 0 ]; then
     RUN_FIPS="fips"
-    export NSS_TEST_ENABLE_FIPS=1
 fi
 
 tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
 # Don't run chains tests when we have a gyp build.
 if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
   tests="$tests chains"
 fi
 TESTS=${NSS_TESTS:-$tests}
 
 ALL_TESTS=${TESTS}
 
 nss_ssl_tests="crl iopr policy"
-if [ -n "$NSS_FORCE_FIPS" ]; then
+if [ $NO_INIT_SUPPORT -eq 0 ]; then
     nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
 fi
 NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
 
 nss_ssl_run="cov auth stapling stress"
 NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
 
 # NOTE:
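Review bot: The pipeline `certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT` cannot tell "macro not defined" from "certutil missing or failing", because `grep -c` prints 0 in both cases, and 0 is the value that switches the FIPS tests on. The same pattern chooses between `cert_fips` and `cert_rsa_exponent_nonfips` in the main section of cert.sh, so a broken tool silently selects the FIPS variant there as well. Capturing the output first and checking the exit status would make the selection fail loudly, e.g. `BUILD_FLAGS=$(certutil --build-flags) || exit 1` followed by `NO_INIT_SUPPORT=$(printf '%s\n' "$BUILD_FLAGS" | grep -cw NSS_NO_INIT_SUPPORT)`. Quoting the variable as `[ "$NO_INIT_SUPPORT" -eq 0 ]` in both tests avoids a `[` syntax error if it is ever empty. The readme text added in this changeset names a helper binary `nss-build-flags`, while the scripts call `certutil --build-flags`; the two should be aligned.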
new file mode 100644
--- /dev/null
+++ b/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -1354,17 +1354,17 @@ MODSCRIPT
   fi
 
 }
 
 ########################## cert_rsa_exponent #################################
 # local shell function to verify small rsa exponent can be used (only
 # run if FIPS has not been turned on in the build).
 ##############################################################################
-cert_rsa_exponent()
+cert_rsa_exponent_nonfips()
 {
   echo "$SCRIPTNAME: Verify that small RSA exponents still work  =============="
   CU_ACTION="Attempt to generate a key with exponent of 3"
   certu -G -k rsa -g 2048 -y 3 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" 
   CU_ACTION="Attempt to generate a key with exponent of 17"
   certu -G -k rsa -g 2048 -y 17 -d "${CLIENTDIR}" -z ${R_NOISE_FILE} -f "${R_PWFILE}" 
 }
 
@@ -2090,16 +2090,30 @@ cert_test_rsapss()
 
   CU_ACTION="Verify RSA-PSS CA Cert"
   certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
 
   CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
   certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
         -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
 
+  CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
+  certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
+  RETEXPECTED=255
+  certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+  RETEXPECTED=0
+
+  CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
+  certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
+  RETEXPECTED=255
+  certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+  RETEXPECTED=0
+
   CERTSERIAL=200
 
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign)
   CERTNAME="TestUser-rsa-pss1"
 
   CU_ACTION="Generate Cert Request for $CERTNAME"
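Review bot: Both new negative checks run `certu -V` while `CU_ACTION` still reads "Import Bogus RSA-PSS CA Cert ...", so the outcome of the verification step is reported under the import label. Setting `CU_ACTION="Verify Bogus RSA-PSS CA Cert (invalid trailerField)"` (and the `invalid hashAlg` counterpart) before each `certu -V` line would keep the test log accurate. `RETEXPECTED=255` presumably matches any certutil failure (the `certu` helper is defined outside this hunk), so the checks would also pass if validation failed for a reason other than the malformed PSS parameters; a comment such as `# expect rejection: malformed RSA-PSS parameters must not validate` would record the intent. `cert_test_rsapss` starts and ends outside the hunk.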
@@ -2426,26 +2440,22 @@ cert_cleanup()
 ################## main #################################################
 
 cert_init
 cert_all_CA
 cert_test_implicit_db_init
 cert_extended_ssl
 cert_ssl
 cert_smime_client
-if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then
-    cert_fips
+IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
+if [ $IS_FIPS_DISABLED -ne 0 ]; then
+  cert_rsa_exponent_nonfips
+else
+  cert_fips
 fi
-# We currently have difficulties to know if the build is a non-FIPS build,
-# because of differences between the "make" and "gyp" build systems.
-# As soon as we have a reliable way to detect that based on a variable,
-# we should enable the following test call. See bug 1409516.
-# if SYMBOL_THAT_TELLS_US_FIPS_IS_DISABLED
-#   cert_rsa_exponent
-# fi
 cert_eccurves
 cert_extensions
 cert_san_and_generic_extensions
 cert_test_password
 cert_test_distrust
 cert_test_ocspresp
 cert_test_rsapss
 
--- a/security/nss/tests/fips/fips.sh
+++ b/security/nss/tests/fips/fips.sh
@@ -18,17 +18,16 @@
 #
 ########################################################################
 
 ############################## fips_init ##############################
 # local shell function to initialize this script 
 ########################################################################
 fips_init()
 {
-  export NSS_TEST_ENABLE_FIPS=1
   SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
 
   if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for
       CLEANUP="${SCRIPTNAME}"       # cleaning this script will do it
   fi
 
   if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
       cd ../common