diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
--- ./lib/softoken/sftkpwd.c.orig	2021-06-10 05:33:12.000000000 -0700
+++ ./lib/softoken/sftkpwd.c	2021-07-01 14:04:34.068596942 -0700
@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
     }
 
     /* If we are using aes 256, we need to check authentication as well.*/
-    if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
+    if ((type != CKT_INVALID_TYPE) && 
+	(cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
+        (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
         SECItem signature;
         unsigned char signData[SDB_MAX_META_DATA_LEN];
+        CK_RV crv;
 
         /* if we get here from the old legacy db, there is clearly an
          * error, don't return the plaintext */
@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
 
         signature.data = signData;
         signature.len = sizeof(signData);
-        rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+        rv = SECFailure;
+        /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
+        crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
                                           &signature);
-        if (rv != SECSuccess) {
-            goto loser;
+        if (crv == CKR_OK) {
+            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+                                        type, *plain, &signature);
         }
-        rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
-                                    *plain, &signature);
         if (rv != SECSuccess) {
-            goto loser;
+            /*  handle a bug where old versions of NSS misfiled the signature
+             *  attribute on password update */
+            id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
+            signature.len = sizeof(signData);
+            crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+                                              &signature);
+            if (crv != CKR_OK) {
+                rv = SECFailure;
+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                goto loser;
+            }
+            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+                                        type, *plain, &signature);
         }
     }
 
@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
     unsigned int i;
     for (i = 0; i < privAttrCount; i++) {
         // Read the old attribute in the clear.
+        CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
         CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
         CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
         if (crv != CKR_OK) {
@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
         plainText.data = privAttr.pValue;
         plainText.len = privAttr.ulValueLen;
         if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
-                                    iterationCount, id, privAttr.type,
+                                    iterationCount, sdbId, privAttr.type,
                                     &plainText, &result) != SECSuccess) {
             return CKR_GENERAL_ERROR;
         }
@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
         PORT_Memset(plainText.data, 0, plainText.len);
 
         // Write the newly encrypted attributes out directly.
-        CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
         keydb->newKey = newKey;
         keydb->newDefaultIterationCount = iterationCount;
-        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
+        crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
         keydb->newKey = NULL;
         if (crv != CKR_OK) {
             return crv;