diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c

--- a/lib/softoken/legacydb/pcertdb.c

+++ b/lib/softoken/legacydb/pcertdb.c

@@ -4272,16 +4272,17 @@ CreateTrust(void)

 {

     NSSLOWCERTTrust *trust = NULL;

     nsslowcert_LockFreeList();

     trust = trustListHead;

     if (trust) {

         trustListCount--;

         trustListHead = trust->next;

+        trust->next = NULL;

     }

     PORT_Assert(trustListCount >= 0);

     nsslowcert_UnlockFreeList();

     if (trust) {

         return trust;

     }

     return PORT_ZNew(NSSLOWCERTTrust);

@@ -5155,19 +5156,21 @@ done:

 }

 PRBool

 nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)

 {

     if (trust == NULL) {

         return PR_FALSE;

     }

-    return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&

-             (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&

-             (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));

+    /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then

+     * we don't have a trust record. */

+    return !(((trust->sslFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&

+        ((trust->emailFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&

+        ((trust->objectSigningFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0));

 }

 /*

  * This function has the logic that decides if another person's cert and

  * email profile from an S/MIME message should be saved.  It can deal with

  * the case when there is no profile.

  */

 static SECStatus

diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c

--- a/lib/softoken/sftkdb.c

+++ b/lib/softoken/sftkdb.c

@@ -119,47 +119,79 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRI

         case CKA_TRUST_STEP_UP_APPROVED:

         case CKA_NSS_OVERRIDE_EXTENSIONS:

             return PR_TRUE;

         default:

             break;

     }

     return PR_FALSE;

 }

-

 /*

  * convert a native ULONG to a database ulong. Database ulong's

  * are all 4 byte big endian values.

  */

 void

 sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)

 {

     int i;

     for (i = 0; i < SDB_ULONG_SIZE; i++) {

         data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff;

     }

 }

 /*

  * convert a database ulong back to a native ULONG. (reverse of the above

- * function.

+ * function).

  */

 static CK_ULONG

 sftk_SDBULong2ULong(unsigned char *data)

 {

     int i;

     CK_ULONG value = 0;

     for (i = 0; i < SDB_ULONG_SIZE; i++) {

         value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP);

     }

     return value;

 }

+/* certain trust records are default values, which are the values

+ * returned if the signature check fails anyway.

+ * In those cases, we can skip the signature check. */

+PRBool

+sftkdb_isNullTrust(const CK_ATTRIBUTE *template)

+{

+    switch (template->type) {

+        case CKA_TRUST_SERVER_AUTH:

+        case CKA_TRUST_CLIENT_AUTH:

+        case CKA_TRUST_EMAIL_PROTECTION:

+        case CKA_TRUST_CODE_SIGNING:

+            if (template->ulValueLen != SDB_ULONG_SIZE) {

+                break;

+            }

+            if (sftk_SDBULong2ULong(template->pValue) == 

+                CKT_NSS_TRUST_UNKNOWN) {

+                return PR_TRUE;

+            }

+            break;

+        case CKA_TRUST_STEP_UP_APPROVED:

+            if (template->ulValueLen != 1) {

+                break;

+            }

+            if (*((unsigned char *)(template->pValue)) == 0) {

+                return PR_TRUE;

+            }

+            break;

+        default:

+            break;

+    }

+    return PR_FALSE;

+}

+

 /*

  * fix up the input templates. Our fixed up ints are stored in data and must

  * be freed by the caller. The new template must also be freed. If there are no

  * CK_ULONG attributes, the orignal template is passed in as is.

  */

 static CK_ATTRIBUTE *

 sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count,

                        unsigned char **dataOut, int *dataOutSize)

@@ -410,17 +442,18 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te

             }

             /* copy the plain text back into the template */

             PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);

             template[i].ulValueLen = plainText->len;

             SECITEM_ZfreeItem(plainText, PR_TRUE);

         }

         /* make sure signed attributes are valid */

-        if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {

+        if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)

+            && !sftkdb_isNullTrust(&ntemplate[i])) {

             SECStatus rv;

             CK_RV local_crv;

             SECItem signText;

             SECItem plainText;

             unsigned char signData[SDB_MAX_META_DATA_LEN];

             signText.data = signData;

             signText.len = sizeof(signData);

@@ -2387,16 +2420,18 @@ sftkdb_mergeObject(SFTKDBHandle *handle,

     crv = (*source->sdb_GetAttributeValue)(source, id,

                                            ptemplate, max_attributes);

     if (crv != CKR_OK) {

         goto loser;

     }

     objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,

                                              max_attributes);

+/*printf(" - merging object Type 0x%08lx id=0x%08lx updateID=%s\n", objectType, id,

+       handle->updateID?handle->updateID: "<NULL>");*/

     /*

      * Update Object updates the object template if necessary then returns

      * whether or not we need to actually write the object out to our target

      * database.

      */

     if (!handle->updateID) {

         crv = sftkdb_CreateObject(arena, handle, target, &newID,