diff --git a/.gitignore b/.gitignore
index 839452c..a5df990 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nss-util-3.36.0.tar.gz
+SOURCES/nss-util-3.44.tar.gz
diff --git a/.nss-util.metadata b/.nss-util.metadata
index 62e7ea4..1aba32d 100644
--- a/.nss-util.metadata
+++ b/.nss-util.metadata
@@ -1 +1 @@
-7ab0a46211636f0bc2e449cbd4276bbc0f7a4e5b SOURCES/nss-util-3.36.0.tar.gz
+0082a63b26f7cf067441ef6de90a1af9cc4e4e21 SOURCES/nss-util-3.44.tar.gz
diff --git a/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch
deleted file mode 100644
index d7aeaac..0000000
--- a/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-diff --git a/lib/util/secoid.c b/lib/util/secoid.c
---- a/lib/util/secoid.c
-+++ b/lib/util/secoid.c
-@@ -117,17 +117,19 @@ const char __nss_util_version[] = "Versi
- /* for DH algorithm */
- /* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
- /* need real OID person to look at this, copied the above line
-  * and added 6 to second to last value (and changed '4' to '2' */
- #define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
- 
- #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
- 
--#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
-+#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
-+
-+#define PKIX INTERNET_SECURITY_MECH, 0x07
- #define PKIX_CERT_EXTENSIONS PKIX, 1
- #define PKIX_POLICY_QUALIFIERS PKIX, 2
- #define PKIX_KEY_USAGE PKIX, 3
- #define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
- #define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1
- #define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2
- 
- #define PKIX_ID_PKIP PKIX, 5
-@@ -355,16 +357,17 @@ CONST_OID x509CertificatePolicies[] = { 
- CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 };
- CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 };
- CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 };
- CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
- CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
- CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
- 
- CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
-+CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
- 
- CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
- CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
- 
- CONST_OID x509SIATimeStamping[] = { PKIX_ACCESS_DESCRIPTION, 0x03 };
- CONST_OID x509SIACaRepository[] = { PKIX_ACCESS_DESCRIPTION, 0x05 };
- 
- /* pkcs 12 additions */
-@@ -449,18 +452,23 @@ CONST_OID pkixRegInfoUTF8Pairs[] = { PKI
- CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 };
- 
- CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 };
- CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 };
- CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
- CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
- CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
- CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
-+/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
-+CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
- CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
- 
-+CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
-+CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
-+
- /* OIDs for Netscape defined algorithms */
- CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
- 
- /* Fortezza algorithm OIDs */
- CONST_OID skipjackCBC[] = { MISSI, 0x04 };
- CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 };
- 
- CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 };
-@@ -1749,16 +1757,32 @@ const static SECOidData oids[SEC_OID_TOT
-     ODE(SEC_OID_TLS_FFDHE_8192,
-         "TLS FFDHE 8192-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-     ODE(SEC_OID_TLS_DHE_CUSTOM,
-         "TLS DHE custom group key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-     OD(curve25519, SEC_OID_CURVE25519,
-        "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-     ODE(SEC_OID_TLS13_KEA_ANY,
-         "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-+
-+    OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
-+       "Any Extended Key Usage",
-+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-+    OD(pkixExtendedKeyUsageIPsecIKE,
-+       SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
-+       "IPsec IKE Certificate",
-+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-+    OD(ipsecIKEEnd,
-+       SEC_OID_IPSEC_IKE_END,
-+       "IPsec IKE End",
-+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-+    OD(ipsecIKEIntermediate,
-+       SEC_OID_IPSEC_IKE_INTERMEDIATE,
-+       "IPsec IKE Intermediate",
-+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
- };
- 
- /* PRIVATE EXTENDED SECOID Table
-  * This table is private. Its structure is opaque to the outside.
-  * It is indexed by the same SECOidTag as the oids table above.
-  * Every member of this struct must have accessor functions (set, get)
-  * and those functions must operate by value, not by reference.
-  * The addresses of the contents of this table must not be exposed
-diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
---- a/lib/util/secoidt.h
-+++ b/lib/util/secoidt.h
-@@ -489,16 +489,21 @@ typedef enum {
-     SEC_OID_TLS_FFDHE_6144 = 352,
-     SEC_OID_TLS_FFDHE_8192 = 353,
-     SEC_OID_TLS_DHE_CUSTOM = 354,
- 
-     SEC_OID_CURVE25519 = 355,
- 
-     SEC_OID_TLS13_KEA_ANY = 356,
- 
-+    SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
-+    SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
-+    SEC_OID_IPSEC_IKE_END = 359,
-+    SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
-+
-     SEC_OID_TOTAL
- } SECOidTag;
- 
- #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
- #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
- #define SEC_OID_PKCS12_KEY_USAGE SEC_OID_X509_KEY_USAGE
- 
- /* fake OID for DSS sign/verify */
diff --git a/SOURCES/nss-util-fix-public-key-from-priv.patch b/SOURCES/nss-util-fix-public-key-from-priv.patch
new file mode 100644
index 0000000..820c508
--- /dev/null
+++ b/SOURCES/nss-util-fix-public-key-from-priv.patch
@@ -0,0 +1,31 @@
+diff -up ./nss/lib/util/pkcs11n.h.pub_priv_mech ./nss/lib/util/pkcs11n.h
+--- ./nss/lib/util/pkcs11n.h.pub_priv_mech	2019-06-05 09:59:18.446315784 -0700
++++ ./nss/lib/util/pkcs11n.h	2019-06-05 10:15:13.388806330 -0700
+@@ -152,11 +152,6 @@
+ #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5)
+ #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6)
+ 
+-/* IKE mechanism (to be proposed to PKCS #11 */
+-#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7)
+-#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8)
+-#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9)
+-#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10)
+ 
+ /* J-PAKE round 1 key generation mechanisms.
+  *
+@@ -238,6 +233,15 @@
+ 
+ #define CKM_NSS_CHACHA20_CTR (CKM_NSS + 33)
+ 
++/* IKE mechanism (to be proposed to PKCS #11 */
++#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 34)
++#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 35)
++#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 36)
++#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 37)
++
++/* Derive a public key from a bare private key */
++#define CKM_NSS_PUB_FROM_PRIV (CKM_NSS + 40)
++
+ /*
+  * HISTORICAL:
+  * Do not attempt to use these. They are only used by NETSCAPE's internal
diff --git a/SOURCES/nss-util-ike-patch.patch b/SOURCES/nss-util-ike-patch.patch
new file mode 100644
index 0000000..0c38bfa
--- /dev/null
+++ b/SOURCES/nss-util-ike-patch.patch
@@ -0,0 +1,131 @@
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -147,16 +147,22 @@
+ #define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2)
+ 
+ /* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */
+ #define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3)
+ #define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4)
+ #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5)
+ #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6)
+ 
++/* IKE mechanism (to be proposed to PKCS #11 */
++#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7)
++#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8)
++#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9)
++#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10)
++
+ /* J-PAKE round 1 key generation mechanisms.
+  *
+  * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE,
+  *                               CKA_NSS_JPAKE_SIGNERID
+  * Output key type: CKK_NSS_JPAKE_ROUND1
+  * Output key class: CKO_PRIVATE_KEY
+  * Parameter type: CK_NSS_JPAKERound1Params
+  *
+@@ -337,16 +343,82 @@ typedef struct CK_NSS_HKDFParams {
+     CK_BYTE_PTR pSalt;
+     CK_ULONG ulSaltLen;
+     CK_BBOOL bExpand;
+     CK_BYTE_PTR pInfo;
+     CK_ULONG ulInfoLen;
+ } CK_NSS_HKDFParams;
+ 
+ /*
++ * CK_NSS_IKE_PRF_PLUS_PARAMS is a structure that provides the parameters to
++ * the CKM_NSS_IKE_PRF_PLUS_DERIVE mechanism.
++ * The fields of the structure have the following meanings:
++ *      prfMechanism    underlying MAC mechanism used to generate the prf.
++ *      bHasSeedKey     hSeed key is present.
++ *      hSeedKey        optional seed from key
++ *      pSeedData       optional seed from data.
++ *      ulSeedDataLen   length of optional seed data.
++ *        If no seed data is present this value is NULL.
++ */
++typedef struct CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS {
++    CK_MECHANISM_TYPE prfMechanism;
++    CK_BBOOL bHasSeedKey;
++    CK_OBJECT_HANDLE hSeedKey;
++    CK_BYTE_PTR pSeedData;
++    CK_ULONG ulSeedDataLen;
++} CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS;
++
++/* CK_NSS_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to
++ *  the CKM_NSS_IKE_PRF_DERIVE mechanism.
++ *
++ * The fields of the structure have the following meanings:
++ *     prfMechanism underlying MAC mechanism used to generate the prf.
++ *     bRekey       hNewKey is present.
++ *     pNi          Ni value
++ *     ulNiLen      length of Ni
++ *     pNr          Nr value
++ *     ulNrLen      length of Nr
++ *     hNewKey      New key value to drive the rekey.
++ */
++typedef struct CK_NSS_IKE_PRF_DERIVE_PARAMS {
++    CK_MECHANISM_TYPE prfMechanism;
++    CK_BBOOL bDataAsKey;
++    CK_BBOOL bRekey;
++    CK_BYTE_PTR pNi;
++    CK_ULONG ulNiLen;
++    CK_BYTE_PTR pNr;
++    CK_ULONG ulNrLen;
++    CK_OBJECT_HANDLE hNewKey;
++} CK_NSS_IKE_PRF_DERIVE_PARAMS;
++
++/* CK_NSS_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters
++ * to the CKM_NSS_IKE_PRF_DERIVE mechanism.
++ *
++ * The fields of the structure have the following meanings:
++ *     prfMechanism  underlying MAC mechanism used to generate the prf.
++ *     bRekey        hNewKey is present.
++ *     pCKYi         CKYi value
++ *     ulCKYiLen     length of CKYi
++ *     pCKYr         CKYr value
++ *     ulCKYrLen     length of CKYr
++ *     hNewKey       New key value to drive the rekey.
++ */
++typedef struct CK_NSS_IKE1_PRF_DERIVE_PARAMS {
++    CK_MECHANISM_TYPE prfMechanism;
++    CK_BBOOL bHasPrevKey;
++    CK_OBJECT_HANDLE hKeygxy;
++    CK_OBJECT_HANDLE hPrevKey;
++    CK_BYTE_PTR pCKYi;
++    CK_ULONG ulCKYiLen;
++    CK_BYTE_PTR pCKYr;
++    CK_ULONG ulCKYrLen;
++    CK_BYTE keyNumber;
++} CK_NSS_IKE1_PRF_DERIVE_PARAMS;
++
++/*
+  * Parameter for the TLS extended master secret key derivation mechanisms:
+  *
+  *  * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE
+  *  * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH
+  *
+  * For the TLS 1.2 PRF, the prfHashMechanism parameter determines the hash
+  * function used. For earlier versions of the PRF, set the prfHashMechanism
+  * value to CKM_TLS_PRF.
+diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h
+--- a/lib/util/pkcs11t.h
++++ b/lib/util/pkcs11t.h
+@@ -877,16 +877,18 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
+ #define CKM_AES_MAC_GENERAL 0x00001084
+ #define CKM_AES_CBC_PAD 0x00001085
+ /* new for v2.20 amendment 3 */
+ #define CKM_AES_CTR 0x00001086
+ /* new for v2.30 */
+ #define CKM_AES_GCM 0x00001087
+ #define CKM_AES_CCM 0x00001088
+ #define CKM_AES_CTS 0x00001089
++#define CKM_AES_XCBC_MAC 0x0000108C
++#define CKM_AES_XCBC_MAC_96 0x0000108D
+ 
+ /* BlowFish and TwoFish are new for v2.20 */
+ #define CKM_BLOWFISH_KEY_GEN 0x00001090
+ #define CKM_BLOWFISH_CBC 0x00001091
+ #define CKM_TWOFISH_KEY_GEN 0x00001092
+ #define CKM_TWOFISH_CBC 0x00001093
+ 
+ /* Camellia is proposed for v2.20 Amendment 3 */
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index 0b10a2c..ab912b4 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -1,11 +1,20 @@
-%global nspr_version 4.19.0
+%global nspr_version 4.21.0
 # adjust to the very latest build needed
 %global nspr_build_version -1
+%global nss_util_version 3.44.0
+
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nss_util_archive_version %s",
+           string.gsub(rpm.expand("%nss_util_version"), "(.*)%.0$", "%1")))
+}
 
 Summary:          Network Security Services Utilities Library
 Name:             nss-util
-Version:          3.36.0
-Release:          1.1%{?dist}
+Version:          %{nss_util_version}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -18,7 +27,7 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl
 
-Source0:          %{name}-%{version}.tar.gz
+Source0:          %{name}-%{nss_util_archive_version}.tar.gz
 # The nss-util tar ball is a subset of nss-{version}.tar.gz.
 # We use the nss-split-util.sh script for keeping only what we need
 # nss-util is produced via via nss-split-util.sh {version}
@@ -42,8 +51,10 @@ Patch8: nss-util-3.19.1-tls12-mechanisms.patch
 # To revert the change in:
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1377940
 Patch9: nss-util-sql-default.patch
-# revert when rebase to 3.40
-Patch10: nss-util-3.36-ipsec_cert_vfy.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1546229
+Patch10: nss-util-ike-patch.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
+Patch11: nss-util-fix-public-key-from-priv.patch
 
 %description
 Utilities for Network Security Services and the Softoken module
@@ -63,14 +74,15 @@ Header and library files for doing development with Network Security Services.
 
 
 %prep
-%setup -q
+%setup -q -n %{name}-%{nss_util_archive_version}
 %patch2 -p0 -b .prtypes
 %patch7 -p0 -b .include_prtypes
 %patch8 -p1 -b .tls12_mechs
 pushd nss
 %patch9 -p1 -R -b .sql-default
-%patch10 -p1 -b .ipsec_vfy
+%patch10 -p1 -b .ike_mechs
 popd
+%patch11 -p1 -b .pub_priv_mechs
 
 
 %build
@@ -243,7 +255,20 @@ done
 %{_includedir}/nss3/templates/templates.c
 
 %changelog
-* Mon Nov 12 2018 Bob Relyea <rrelyea@redhat.com> - 3.36.0-1.1
+* Wed Jun 5 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-3
+- Add pub from priv mechanism
+- ike mechanisms should not overlap with JPAKE
+
+* Wed May 22 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-2
+- Add ike mechanisms
+
+* Wed May 15 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-1
+- Rebase to NSS 3.44
+
+* Thu Mar 21 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-1
+- Rebase to NSS 3.43
+
+* Mon Nov 12 2018 Bob Relyea <rrelyea@redhat.com> - 3.36.0-2
 - Update the cert verify code to allow a new ipsec usage and follow RFC 4945
 
 * Mon Mar  5 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1