diff --git a/SOURCES/nss-util-mozilla-ca-policy.patch b/SOURCES/nss-util-mozilla-ca-policy.patch
new file mode 100644
index 0000000..de662f2
--- /dev/null
+++ b/SOURCES/nss-util-mozilla-ca-policy.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1486667455 -3600
+# Thu Feb 09 20:10:55 2017 +0100
+# Node ID 29858a467f45b3964c7403ab4e41daf5c5bc18ad
+# Parent 867f6176020d098a5c069bf43f06ef5c68e4c3cd
+Bug 1334976, use a new attribute in the builtins root CA list, to distinguish between Mozilla policy CAs and other CAs, code changes, r=rrelyea
+
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -93,6 +93,8 @@
+ #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32)
+ #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
+
++#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
++
+ /*
+ * Trust attributes:
+ *
diff --git a/SOURCES/nss-util-pkcs12.patch b/SOURCES/nss-util-pkcs12.patch
new file mode 100644
index 0000000..c5994b3
--- /dev/null
+++ b/SOURCES/nss-util-pkcs12.patch
@@ -0,0 +1,45 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1481829086 -3600
+# Thu Dec 15 20:11:26 2016 +0100
+# Node ID 6d66c2c24e4d9d1ad12a7065c55ef1c9fe143057
+# Parent 35ecce23718136f99ca9537007481b4774c57e68
+Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r=rrelyea
+
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -222,6 +222,12 @@
+ #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27)
+ #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)
+
++/* Additional PKCS #12 PBE algorithms defined in v1.1 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKM_NSS + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKM_NSS + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKM_NSS + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKM_NSS + 32)
++
+ /*
+ * HISTORICAL:
+ * Do not attempt to use these. They are only used by NETSCAPE's internal
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1485768835 -3600
+# Mon Jan 30 10:33:55 2017 +0100
+# Node ID 09d1a0757431fa52ae025138da654c698141971b
+# Parent 806c3106536feea0827ec54729a52b5cbac8a496
+Bug 1268141 - pk12util can't import PKCS#12 files encrypted with AES-128-CBC, r=rrelyea
+
+diff --git a/lib/util/ciferfam.h b/lib/util/ciferfam.h
+--- a/lib/util/ciferfam.h
++++ b/lib/util/ciferfam.h
+@@ -52,6 +52,9 @@
+ #define PKCS12_RC4_128 (CIPHER_FAMILYID_PKCS12 | 0012)
+ #define PKCS12_DES_56 (CIPHER_FAMILYID_PKCS12 | 0021)
+ #define PKCS12_DES_EDE3_168 (CIPHER_FAMILYID_PKCS12 | 0022)
++#define PKCS12_AES_CBC_128 (CIPHER_FAMILYID_PKCS12 | 0031)
++#define PKCS12_AES_CBC_192 (CIPHER_FAMILYID_PKCS12 | 0032)
++#define PKCS12_AES_CBC_256 (CIPHER_FAMILYID_PKCS12 | 0033)
+
+ /* SMIME version numbers are negative, to avoid colliding with SSL versions */
+ #define SMIME_LIBRARY_VERSION_1_0 -0x0100
diff --git a/SOURCES/nss-util-policy-double-newline.patch b/SOURCES/nss-util-policy-double-newline.patch
new file mode 100644
index 0000000..c627990
--- /dev/null
+++ b/SOURCES/nss-util-policy-double-newline.patch
@@ -0,0 +1,68 @@
+diff --git a/lib/util/utilmod.c b/lib/util/utilmod.c
+--- a/lib/util/utilmod.c
++++ b/lib/util/utilmod.c
+@@ -227,20 +227,25 @@ nssutil_ReadSecmodDB(const char *appName
+ * the following loop takes line separated config lines and collapses
+ * the lines to a single string, escaping and quoting as necessary.
+ */
+ /* loop state variables */
+ moduleString = NULL; /* current concatenated string */
+ internal = PR_FALSE; /* is this an internal module */
+ skipParams = PR_FALSE; /* did we find an override parameter block*/
+ paramsValue = NULL; /* the current parameter block value */
+- while (fgets(line, sizeof(line), fd) != NULL) {
+- int len = PORT_Strlen(line);
++ do {
++ int len;
++
++ if (fgets(line, sizeof(line), fd) == NULL) {
++ goto endloop;
++ }
+
+ /* remove the ending newline */
++ len = PORT_Strlen(line);
+ if (len && line[len - 1] == '\n') {
+ len--;
+ line[len] = 0;
+ }
+ if (*line == '#') {
+ continue;
+ }
+ if (*line != 0) {
+@@ -339,16 +344,17 @@ nssutil_ReadSecmodDB(const char *appName
+ }
+ }
+ continue;
+ }
+ if ((moduleString == NULL) || (*moduleString == 0)) {
+ continue;
+ }
+
++ endloop:
+ /*
+ * if we are here, we have found a complete stanza. Now write out
+ * any param section we may have found.
+ */
+ if (paramsValue) {
+ /* we had an override */
+ if (!skipParams) {
+ moduleString = nssutil_DupnCat(moduleString, " parameters=", 12);
+@@ -374,17 +380,17 @@ nssutil_ReadSecmodDB(const char *appName
+ moduleList[0] = moduleString;
+ } else {
+ moduleList[moduleCount] = moduleString;
+ moduleCount++;
+ }
+ moduleString = NULL;
+ internal = PR_FALSE;
+ skipParams = PR_FALSE;
+- }
++ } while (!feof(fd));
+
+ if (moduleString) {
+ PORT_Free(moduleString);
+ moduleString = NULL;
+ }
+ done:
+ /* if we couldn't open a pkcs11 database, look for the old one */
+ if (fd == NULL) {
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index e930077..51c76ef 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -5,7 +5,7 @@
Summary: Network Security Services Utilities Library
Name: nss-util
Version: 3.28.4
-Release: 1.0%{?dist}
+Release: 3%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -39,6 +39,13 @@ Patch7: pkcs1sig-include-prtypes.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
Patch8: nss-util-3.19.1-tls12-mechanisms.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
+Patch9: nss-util-mozilla-ca-policy.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141
+Patch10: nss-util-pkcs12.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1319856
+Patch11: nss-util-policy-double-newline.patch
%description
Utilities for Network Security Services and the Softoken module
@@ -62,6 +69,11 @@ Header and library files for doing development with Network Security Services.
%patch2 -p0 -b .prtypes
%patch7 -p0 -b .include_prtypes
%patch8 -p1 -b .tls12_mechs
+pushd nss
+%patch9 -p1 -b .mozilla_ca_policy
+%patch10 -p1 -b .pkcs12
+%patch11 -p1 -b .policy_double_newline
+popd
%build
@@ -233,8 +245,17 @@ done
%{_includedir}/nss3/templates/templates.c
%changelog
-* Fri Apr 7 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-1.0
-- Rebase to nss-3.28.4 to accommodate base64 encoding issue
+* Mon May 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-3
+- Backport patch to allow empty line at the end of policy file
+
+* Thu Apr 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-2
+- Rebase to nss-3.28.4
+
+* Thu Mar 9 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-3
+- Backport necessary constant definitions
+
+* Thu Mar 2 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-2
+- Rebase to nss-3.28.3
* Fri Feb 17 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.1
- Prevent ABI incompatibility of SECKEYECPublicKey structure
@@ -244,9 +265,6 @@ done
- Remove upstreamed build-nss-util-only.patch
- Package new header eccutil.h
-* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.21.3-1.1
-- rebuild
-
* Mon Oct 24 2016 Daiki Ueno <dueno@redhat.com> - 3.21.3-1
- Rebase to nss-3.21.3
- Remove patch for CVE-2016-1950, which is included in the release