diff --git a/.gitignore b/.gitignore
index fe33249..1c02d34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/jss-4.6.2.tar.gz
+SOURCES/jss-4.7.3.tar.gz
diff --git a/.jss.metadata b/.jss.metadata
index d14bd57..f86585b 100644
--- a/.jss.metadata
+++ b/.jss.metadata
@@ -1 +1 @@
-4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz
+c3c5fdc3003d78b26071d0c215067019ede3ad60 SOURCES/jss-4.7.3.tar.gz
diff --git a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch b/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
deleted file mode 100644
index 529b576..0000000
--- a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 29 Oct 2019 10:43:56 -0400
-Subject: [PATCH] Fix NativeProxy reference tracker
-
-In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
-setting mPointer after trying to add NativeProxy to the registry. In
-most instances this won't matter, however, if another instance exists in
-the HashSet with the same hash value, the equals comparator will be
-used, triggering a NPE.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index 1c6d1aa5..a0811f76 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public NativeProxy(byte[] pointer) {
- 		assert(pointer!=null);
--        registry.add(this);
-         mPointer = pointer;
-+        registry.add(this);
- 
-         if (saveStacktraces) {
-             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
-         if( ! (obj instanceof NativeProxy) ) {
-             return false;
-         }
--        if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
-+        if (((NativeProxy)obj).mPointer == null) {
-+            /* If mPointer is null, we have no way to compare the values
-+             * of the pointers, so assume they're unequal. */
-             return false;
-         }
--        for(int i=0; i < mPointer.length; i++) {
--            if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
--                return false;
--            }
--        }
--        return true;
-+        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-     }
- 
-     /**
--- 
-2.21.0
-
diff --git a/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch b/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
deleted file mode 100644
index 04830df..0000000
--- a/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Feb 2020 14:10:32 -0500
-Subject: [PATCH 1/2] Fix swapped parameter names with PBE
-
-Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
-related to extracting the parameter classes during PBE operations:
-previously, the classes of the underlying encryption algorithm were
-iterated over, instead of the classes of the PBE class itself. However,
-this commit iterated over the PBE parameter classes; no PBE algorithm
-accepts a IvParameterSpec, resulting in a null parameter passed to the
-later encryption or key wrap operation. This resulted in stack traces
-like the following:
-
-Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
-	at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
-	at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
-	at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
-	at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
-
-Resolves: rh-bz#1807371
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs7/EncryptedContentInfo.java             | 2 +-
- org/mozilla/jss/pkix/cms/EncryptedContentInfo.java          | 2 +-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-index 084752c3..0344b14d 100644
---- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals(
-                       javax.crypto.spec.IvParameterSpec.class ) ) {
-diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-index a4709070..d85eb0d3 100644
---- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
-                 params = new IVParameterSpec( kg.generatePBE_IV() );
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index b35714e3..ebd269f3 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
-                 params = new IVParameterSpec( kg.generatePBE_IV() );
-@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals(
-                       javax.crypto.spec.IvParameterSpec.class ) ) {
--- 
-2.24.1
-
diff --git a/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch b/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
deleted file mode 100644
index 3f598a9..0000000
--- a/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Feb 2020 14:39:29 -0500
-Subject: [PATCH 2/2] Use specified algorithm for KeyWrap
-
-When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
-called, it would always request DES3_CBC_PAD as the key wrapping
-algorithm, regardless of the input PBE key type. However, the other form
-(with an implicit token) was correctly handling this case.
-
-Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
-instead of having to convert to/from a String form.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/crypto/KeyWrapAlgorithm.java                | 5 ++++-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-index 3113f614..3a106977 100644
---- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
- 
-     public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
-         OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
-+        return fromOID(oid);
-+    }
- 
-+    public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
-         if (oid.equals(AES_KEY_WRAP_PAD_OID))
-             return AES_KEY_WRAP_PAD;
- 
-@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
-         if (oid.equals(DES_CBC_PAD_OID))
-             return DES_CBC_PAD;
- 
--        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
-+        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
-     }
- }
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index ebd269f3..abfc39a7 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
-             }
-         }
- 
--        KeyWrapper wrapper = token.getKeyWrapper(
--                KeyWrapAlgorithm.DES3_CBC_PAD);
-+        // wrap the key
-+        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
-         wrapper.initWrap(key, params);
-         byte encrypted[] = wrapper.wrap(pri);
- 
--- 
-2.24.1
-
diff --git a/SOURCES/0004-Remove-token-key-checks.patch b/SOURCES/0004-Remove-token-key-checks.patch
deleted file mode 100644
index 7353cce..0000000
--- a/SOURCES/0004-Remove-token-key-checks.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 17 Mar 2020 12:54:49 -0400
-Subject: [PATCH 1/2] Remove token key checks
-
-Previously we enforced strict token key matching: the primary key used
-for the operation must strictly reside on the current PKCS#11 token,
-otherwise JSS would bail. However, NSS has the ability to move the key
-to whichever token best supports the given operation. This means that
-we'd prematurely bail when the operation would succeed if it were
-actually executed. By removing these checks, we still leave the ability
-to generate keys on a specific token, we just allow them to be used on
-whatever token supports the given operation (and the key is allowed to
-be moved to).
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs11/PK11Cipher.java        |  4 ----
- org/mozilla/jss/pkcs11/PK11KeyWrapper.java    | 22 -------------------
- org/mozilla/jss/pkcs11/PK11MessageDigest.java |  7 ------
- 3 files changed, 33 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
-index 81b600a4..aac411a4 100644
---- a/org/mozilla/jss/pkcs11/PK11Cipher.java
-+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
-@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
-         if( key==null ) {
-             throw new InvalidKeyException("Key is null");
-         }
--        if( ! key.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("Key does not reside on the "+
--                "current token");
--        }
-         if( ! (key instanceof PK11SymKey) ) {
-             throw new InvalidKeyException("Key is not a PKCS #11 key");
-         }
-diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-index 28840a87..eee2984d 100644
---- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-             throw new InvalidKeyException("Key is null");
-         }
-         try {
--            if( ! key.getOwningToken().equals(token) ) {
--                throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
--                    key.getOwningToken().getName());
--            }
-             if( ! (key instanceof PK11SymKey) ) {
-                 throw new InvalidKeyException("Key is not a PKCS #11 key");
-             }
-@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-         if( key==null ) {
-             throw new InvalidKeyException("Key is null");
-         }
--        if( ! key.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("Key does not reside on the "+
--                "current token");
--        }
-         if( ! (key instanceof PK11PrivKey) ) {
-             throw new InvalidKeyException("Key is not a PKCS #11 key");
-         }
-@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-             throw new InvalidKeyException("key to be wrapped is not a "+
-                 "PKCS #11 key");
-         }
--/* NSS is capable of moving keys appropriately,
--   so this call is prematurely bailing
--        if( ! symKey.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("key to be wrapped does not live"+
--                " on the same token as the wrapping key");
--        }
--*/
-     }
- 
-     /**
-@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-             throw new InvalidKeyException("key to be wrapped is not a "+
-                 "PKCS #11 key");
-         }
--/* NSS is capable of moving keys appropriately,
--   so this call is prematurely bailing
--        if( ! privKey.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("key to be wrapped does not live"+
--                " on the same token as the wrapping key");
--        }
--*/
-     }
- 
-     /**
-diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-index cd732788..7a1a6dad 100644
---- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
-         }
- 
-         hmacKey = (PK11SymKey) key;
--
--        if( ! key.getOwningToken().equals(token) ) {
--            hmacKey = null;
--            throw new InvalidKeyException(
--                "HMAC key does not live on the same token as this digest");
--        }
--
-         this.digestProxy = initHMAC(token, alg, hmacKey);
-     }
- 
--- 
-2.25.1
-
diff --git a/SOURCES/0005-Fix-NativeProxy-release.patch b/SOURCES/0005-Fix-NativeProxy-release.patch
deleted file mode 100644
index e279abd..0000000
--- a/SOURCES/0005-Fix-NativeProxy-release.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From e623f14abcee16b5dfc57d6956e0ab4bb526ba5b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 8 Apr 2020 12:21:49 -0400
-Subject: [PATCH] Fix NativeProxy registry tracking
-
-When the switch was made to a HashSet-based registry in
-eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override
-hashCode(...). This resulted in calls to close() (and thus, finalize())
-not invoking the releaseNativeResources() function to release the
-underlying memory.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 55 +++++++++++++++++++++------
- 1 file changed, 44 insertions(+), 11 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index a0811f76..385c49f9 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -9,8 +9,10 @@ import java.util.HashSet;
- import java.lang.AutoCloseable;
- import java.lang.Thread;
- import java.util.Arrays;
-+import java.util.concurrent.atomic.AtomicInteger;
- 
- import org.mozilla.jss.CryptoManager;
-+import org.mozilla.jss.netscape.security.util.Utils;
- 
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
-@@ -39,11 +41,13 @@ public abstract class NativeProxy implements AutoCloseable
-      * NativeProxy instance acts as a proxy for that native data structure.
-      */
-     public NativeProxy(byte[] pointer) {
--		assert(pointer!=null);
-+        assert(pointer!=null);
-+
-         mPointer = pointer;
--        registry.add(this);
-+        mHashCode = registryIndex.getAndIncrement();
- 
-         if (saveStacktraces) {
-+            registry.add(this);
-             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-         }
-     }
-@@ -55,18 +59,31 @@ public abstract class NativeProxy implements AutoCloseable
-      *      a different underlying native pointer.
-      */
-     public boolean equals(Object obj) {
--        if(obj==null) {
-+        if (obj == null) {
-             return false;
-         }
--        if( ! (obj instanceof NativeProxy) ) {
-+        if (!(obj instanceof NativeProxy)) {
-             return false;
-         }
--        if (((NativeProxy)obj).mPointer == null) {
--            /* If mPointer is null, we have no way to compare the values
--             * of the pointers, so assume they're unequal. */
-+        NativeProxy nObj = (NativeProxy) obj;
-+        if (this.mPointer == null || nObj.mPointer == null) {
-             return false;
-         }
--        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-+
-+        return Arrays.equals(this.mPointer, nObj.mPointer);
-+    }
-+
-+    /**
-+     * Hash code based around mPointer value.
-+     *
-+     * Note that Object.hashCode() isn't sufficient as it tries to determine
-+     * the Object's value based on all internal variables. Because we want a
-+     * single static hashCode that is unique to each instance of nativeProxy,
-+     * we construct it up front based on an incrementing counter and cache it
-+     * throughout the lifetime of this object.
-+     */
-+    public int hashCode() {
-+        return mHashCode;
-     }
- 
-     /**
-@@ -112,11 +129,11 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public final void close() throws Exception {
-         try {
--            if (registry.remove(this)) {
-+            if (mPointer != null) {
-                 releaseNativeResources();
-             }
-         } finally {
--            mPointer = null;
-+            clear();
-         }
-     }
- 
-@@ -131,13 +148,16 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public final void clear() {
-         this.mPointer = null;
--        registry.remove(this);
-+        if (saveStacktraces) {
-+            registry.remove(this);
-+        }
-     }
- 
-     /**
-      * Byte array containing native pointer bytes.
-      */
-     private byte mPointer[];
-+    private int mHashCode;
- 
-     /**
-      * String containing backtrace of pointer generation.
-@@ -158,6 +178,15 @@ public abstract class NativeProxy implements AutoCloseable
-      * releaseNativeResources() gets called.
-      */
-     static HashSet<NativeProxy> registry = new HashSet<NativeProxy>();
-+    static AtomicInteger registryIndex = new AtomicInteger();
-+
-+    public String toString() {
-+        if (mPointer == null) {
-+            return this.getClass().getName() + "[" + mHashCode + "@null]";
-+        }
-+
-+        return this.getClass().getName() + "[" + mHashCode + "@" + Utils.HexEncode(mPointer) + "]";
-+    }
- 
-     /**
-      * Internal helper to check whether or not assertions are enabled in the
-@@ -178,6 +207,10 @@ public abstract class NativeProxy implements AutoCloseable
-      * is thrown.
-      */
-     public synchronized static void assertRegistryEmpty() {
-+        if (!saveStacktraces) {
-+            return;
-+        }
-+
-         if (!registry.isEmpty()) {
-             logger.warn(registry.size() + " NativeProxys are still registered.");
- 
--- 
-2.25.2
-
diff --git a/SOURCES/0006-Fix-SSLSocket-closure.patch b/SOURCES/0006-Fix-SSLSocket-closure.patch
deleted file mode 100644
index f7a401c..0000000
--- a/SOURCES/0006-Fix-SSLSocket-closure.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 278ff534e0a30cb112e8c29de573bf45b4264ad2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 15 Apr 2020 08:20:37 -0400
-Subject: [PATCH] Fix SSLSocket closure
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/ssl/SocketBase.java | 14 +++++++++++-
- org/mozilla/jss/ssl/common.c        | 34 +++++++++++++++++++----------
- 2 files changed, 36 insertions(+), 12 deletions(-)
-
-diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
-index 2c835913..27109369 100644
---- a/org/mozilla/jss/ssl/SocketBase.java
-+++ b/org/mozilla/jss/ssl/SocketBase.java
-@@ -106,7 +106,19 @@ class SocketBase {
-     static final int SSL_AF_INET6 = 51;
- 
-     void close() throws IOException {
--        socketClose();
-+        try {
-+            if (sockProxy != null) {
-+                socketClose();
-+                sockProxy.close();
-+            }
-+        } catch (Exception e) {
-+            String msg = "Unexpected exception while trying to finalize ";
-+            msg += "SocketProxy: " + e.getMessage();
-+
-+            throw new IOException(msg, e);
-+        } finally {
-+            sockProxy = null;
-+        }
-     }
- 
-     // SSLServerSocket and SSLSocket close methods
-diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
-index 2db9fda1..2c52a9d6 100644
---- a/org/mozilla/jss/ssl/common.c
-+++ b/org/mozilla/jss/ssl/common.c
-@@ -333,21 +333,28 @@ JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SocketProxy_releaseNativeResources
-     (JNIEnv *env, jobject this)
- {
--    /* SSLSocket.close and SSLServerSocket.close call	  */
--    /* SocketBase.close to destroy all native Resources */
--    /* attached to the socket. There is no native resource */
--    /* to release after close has been called. This method  */
--    /* remains because SocketProxy extends org.mozilla.jss.util.NativeProxy*/
--    /* which defines releaseNativeResources as abstract and */
--    /* therefore must be implemented by SocketProxy */
-+    JSSL_SocketData *sockdata;
-+
-+    PR_ASSERT(env != NULL && this != NULL);
-+
-+    if (JSS_getPtrFromProxy(env, this, (void**)&sockdata) != PR_SUCCESS) {
-+        return;
-+    }
-+
-+    JSSL_DestroySocketData(env, sockdata);
- }
- 
- void
- JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
- {
--    PR_ASSERT(sd != NULL);
-+    if (sd == NULL) {
-+        return;
-+    }
- 
--    PR_Close(sd->fd);
-+    if (sd->fd != NULL) {
-+        PR_Close(sd->fd);
-+        sd->fd = NULL;
-+    }
- 
-     if( sd->socketObject != NULL ) {
-         DELETE_WEAK_GLOBAL_REF(env, sd->socketObject );
-@@ -367,6 +374,8 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
-     if( sd->lock != NULL ) {
-         PR_DestroyLock(sd->lock);
-     }
-+
-+    memset(sd, 0, sizeof(JSSL_SocketData));
-     PR_Free(sd);
- }
- 
-@@ -540,12 +549,15 @@ Java_org_mozilla_jss_ssl_SocketBase_socketClose(JNIEnv *env, jobject self)
-     JSSL_SocketData *sock = NULL;
- 
-     /* get the FD */
--    if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
-+    if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) {
-         /* exception was thrown */
-         return;
-     }
- 
--    JSSL_DestroySocketData(env, sock);
-+    if (sock->fd != NULL) {
-+        PR_Close(sock->fd);
-+        sock->fd = NULL;
-+    }
- }
- 
- JNIEXPORT void JNICALL
--- 
-2.25.2
-
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 172f73e..8b3f9c6 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -6,9 +6,9 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.6.2
-Release:        6%{?_timestamp}%{?_commit_id}%{?dist}
-# global         _phase -a1
+Version:        4.7.3
+Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
+#global         _phase -a1
 
 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@@ -25,12 +25,6 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
 # Patch: jss-VERSION-RELEASE.patch
-Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
-Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
-Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
-Patch4: 0004-Remove-token-key-checks.patch
-Patch5: 0005-Fix-NativeProxy-release.patch
-Patch6: 0006-Fix-SSLSocket-closure.patch
 
 ################################################################################
 # Build Dependencies
@@ -40,11 +34,13 @@ Patch6: 0006-Fix-SSLSocket-closure.patch
 BuildRequires:  git
 BuildRequires:  make
 BuildRequires:  cmake
+BuildRequires:  zip
+BuildRequires:  unzip
 
 BuildRequires:  gcc-c++
 BuildRequires:  nspr-devel >= 4.13.1
-BuildRequires:  nss-devel >= 3.30
-BuildRequires:  nss-tools >= 3.30
+BuildRequires:  nss-devel >= 3.44
+BuildRequires:  nss-tools >= 3.44
 BuildRequires:  java-devel
 BuildRequires:  jpackage-utils
 BuildRequires:  slf4j
@@ -55,11 +51,10 @@ BuildRequires:  glassfish-jaxb-api
 BuildRequires:  slf4j-jdk14
 %endif
 BuildRequires:  apache-commons-lang
-BuildRequires:  apache-commons-codec
 
 BuildRequires:  junit
 
-Requires:       nss >= 3.30
+Requires:       nss >= 3.44
 Requires:       java-headless
 Requires:       jpackage-utils
 Requires:       slf4j
@@ -70,7 +65,6 @@ Requires:       glassfish-jaxb-api
 Requires:       slf4j-jdk14
 %endif
 Requires:       apache-commons-lang
-Requires:       apache-commons-codec
 
 Conflicts:      ldapjdk < 4.20
 Conflicts:      idm-console-framework < 1.2
@@ -114,15 +108,28 @@ export CFLAGS
 # Check if we're in FIPS mode
 modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
 
+# RHEL's CMake doesn't support -B flag.
+%if 0%{?rhel}
+%{__mkdir_p} %{_vpath_builddir}
+cd %{_vpath_builddir}
+%endif
+
 # The Makefile is not thread-safe
-rm -rf build && mkdir -p build && cd build
 %cmake \
     -DJAVA_HOME=%{java_home} \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
+%if 0%{?rhel}
     ..
+%else
+    -B %{_vpath_builddir}
+%endif
+
+%if 0%{?fedora}
+cd %{_vpath_builddir}
+%endif
 
 %{__make} all
-%{__make} javadoc || true
+%{__make} javadoc
 ctest --output-on-failure
 
 ################################################################################
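Review bot: The two conditionals around `%cmake` do not cover the same set of distributions: the configure step uses `%if 0%{?rhel}` / `%else`, but the later `cd %{_vpath_builddir}` is guarded by `%if 0%{?fedora}`. On a build where neither macro is set, CMake would configure into `%{_vpath_builddir}` via `-B`, while `%{__make} all`, `%{__make} javadoc` and `ctest` would run from the source directory, so the build and the test suite would not run against the configured tree. Guarding the second block with `%if !0%{?rhel}` would make it the exact complement of the first. Separately, the comment `# The Makefile is not thread-safe` now sits above `%cmake` instead of the `%{__make}` lines it explains, so it should move down next to `%{__make} all`.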
@@ -132,19 +139,19 @@ ctest --output-on-failure
 
 # jars
 install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
+install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
 
 # We have to use the name libjss4.so because this is dynamically
 # loaded by the jar file.
 install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
+install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
 pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
     ln -fs %{_jnidir}/jss4.jar jss4.jar
 popd
 
 # javadoc
 install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
+cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
@@ -153,7 +160,8 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 %files
 
 %defattr(-,root,root,-)
-%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss.html
+%license MPL-1.1.txt gpl.txt lgpl.txt
 %{_libdir}/*
 %{_jnidir}/*
 
@@ -165,14 +173,29 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
-* Wed Apr 15 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-6
-- NativeProxy never calls releaseNativeResources - Memory Leak
-  Additional patch to fix SSLSocket resource freeing
-  Bugzilla #1822402
-
-* Tue Apr 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-5
-- NativeProxy never calls releaseNativeResources - Memory Leak
-  Bugzilla #1822402
+* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
+- Rebase to upstream stable release JSS v4.7.3
+- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
+
+* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.2-1
+- Rebase to upstream stable release JSS v4.7.2
+- Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close
+
+* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.1-1
+- Rebase to upstream stable release JSS v4.7.1
+
+* Thu Jul 09 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-1
+- Rebase to upstream stable release JSS v4.7.0
+- Fixed TestSSLEngine
+
+* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.4
+- Rebased to JSS 4.7.0-b4
+
+* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.3
+- Rebased to JSS 4.7.0-b3
+
+* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.1
+- Rebased to JSS 4.7.0-b1
 
 * Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
 - Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing