From c6cc0bd916da8b68d672d2e90834f525c5e5534b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 01 2017 03:33:58 +0000
Subject: import nss-3.28.4-8.el7


---

diff --git a/.gitignore b/.gitignore
index dac23b7..2eebac8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,5 @@ SOURCES/key3.db.xml
 SOURCES/key4.db.xml
 SOURCES/nss-3.28.4.tar.gz
 SOURCES/nss-config.xml
-SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
 SOURCES/setup-nsssysinit.xml
diff --git a/.nss.metadata b/.nss.metadata
index abcc374..cf37dcc 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -11,6 +11,5 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
 f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
-66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
 bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
diff --git a/SOURCES/disable-ems-gtests.patch b/SOURCES/disable-ems-gtests.patch
deleted file mode 100644
index 8824841..0000000
--- a/SOURCES/disable-ems-gtests.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -up nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests nss/gtests/pk11_gtest/pk11_prf_unittest.cc
---- nss/gtests/pk11_gtest/pk11_prf_unittest.cc.disable_ems_gtests	2017-01-16 10:19:10.073459080 +0100
-+++ nss/gtests/pk11_gtest/pk11_prf_unittest.cc	2017-01-16 10:21:40.408011066 +0100
-@@ -193,37 +193,4 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) {
-   CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
- }
- 
--// Test matrix:
--//
--//            DH  RSA
--//  TLS_PRF   1   2
--//  SHA256    3   4
--TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
--  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_TLS_PRF,
--                     nullptr, kExpectedOutputEmsTlsPrf);
--}
--
--TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
--  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
--                     &pms_version_, kExpectedOutputEmsTlsPrf);
--  EXPECT_EQ(0, pms_version_.major);
--  EXPECT_EQ(1, pms_version_.minor);
--}
--
--TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
--  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_SHA256,
--                     nullptr, kExpectedOutputEmsSha256);
--}
--
--TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
--  Init();
--  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_SHA256,
--                     &pms_version_, kExpectedOutputEmsSha256);
--  EXPECT_EQ(0, pms_version_.major);
--  EXPECT_EQ(1, pms_version_.minor);
--}
--
- }  // namespace nss_test
-diff -up nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests nss/gtests/ssl_gtest/manifest.mn
---- nss/gtests/ssl_gtest/manifest.mn.disable_ems_gtests	2017-01-16 10:20:33.838983251 +0100
-+++ nss/gtests/ssl_gtest/manifest.mn	2017-01-16 10:20:36.802895453 +0100
-@@ -21,7 +21,6 @@ CPPSRCS = \
-       ssl_dhe_unittest.cc \
-       ssl_drop_unittest.cc \
-       ssl_ecdh_unittest.cc \
--      ssl_ems_unittest.cc \
-       ssl_exporter_unittest.cc \
-       ssl_extension_unittest.cc \
-       ssl_fuzz_unittest.cc \
-diff -up nss/gtests/ssl_gtest/ssl_ems_unittest.cc.disable_ems_gtests nss/gtests/ssl_gtest/ssl_ems_unittest.cc
diff --git a/SOURCES/disable-extended-master-secret-with-old-softoken.patch b/SOURCES/disable-extended-master-secret-with-old-softoken.patch
deleted file mode 100644
index fdcc416..0000000
--- a/SOURCES/disable-extended-master-secret-with-old-softoken.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.disable-ems nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.disable-ems	2017-01-13 17:33:07.226905929 +0100
-+++ nss/lib/ssl/sslsock.c	2017-01-13 17:35:19.175659702 +0100
-@@ -75,6 +75,7 @@ static sslOptions ssl_defaults = {
-     PR_TRUE,               /* reuseServerECDHEKey */
-     PR_FALSE,              /* enableFallbackSCSV */
-     PR_TRUE,               /* enableServerDhe */
-+/* Keep extended-master-secret disabled until we have a compatible softokn. */
-     PR_FALSE,              /* enableExtendedMS    */
-     PR_FALSE,              /* enableSignedCertTimestamps */
-     PR_FALSE,              /* requireDHENamedGroups */
-@@ -766,7 +767,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
-             break;
- 
-         case SSL_ENABLE_EXTENDED_MASTER_SECRET:
-+#if 0
-+/* No-Op until we have a compatible softokn. */
-             ss->opt.enableExtendedMS = on;
-+#endif
-             break;
- 
-         case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-@@ -1199,7 +1203,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
-             break;
- 
-         case SSL_ENABLE_EXTENDED_MASTER_SECRET:
-+#if 0
-+/* No-Op until we have a compatible softokn. */
-             ssl_defaults.enableExtendedMS = on;
-+#endif
-             break;
- 
-         case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
diff --git a/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch b/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
new file mode 100644
index 0000000..db6be92
--- /dev/null
+++ b/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
@@ -0,0 +1,4522 @@
+diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c
+--- a/cmd/addbuiltin/addbuiltin.c
++++ b/cmd/addbuiltin/addbuiltin.c
+@@ -26,16 +26,39 @@ dumpbytes(unsigned char *buf, int len)
+         if ((i != 0) && ((i & 0xf) == 0)) {
+             printf("\n");
+         }
+         printf("\\%03o", buf[i]);
+     }
+     printf("\n");
+ }
+ 
++int
++hasPositiveTrust(unsigned int trust)
++{
++    if (trust & CERTDB_TRUSTED) {
++        if (trust & CERTDB_TRUSTED_CA) {
++            return PR_TRUE;
++        } else {
++            return PR_FALSE;
++        }
++    } else {
++        if (trust & CERTDB_TRUSTED_CA) {
++            return PR_TRUE;
++        } else if (trust & CERTDB_VALID_CA) {
++            return PR_TRUE;
++        } else if (trust & CERTDB_TERMINAL_RECORD) {
++            return PR_FALSE;
++        } else {
++            return PR_FALSE;
++        }
++    }
++    return PR_FALSE;
++}
++
+ char *
+ getTrustString(unsigned int trust)
+ {
+     if (trust & CERTDB_TRUSTED) {
+         if (trust & CERTDB_TRUSTED_CA) {
+             return "CKT_NSS_TRUSTED_DELEGATOR";
+         } else {
+             return "CKT_NSS_TRUSTED";
+@@ -197,16 +220,21 @@ ConvertCertificate(SECItem *sdder, char 
+         dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
+         printf("END\n");
+         printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
+         dumpbytes(serial->data, serial->len);
+         printf("END\n");
+         printf("CKA_VALUE MULTILINE_OCTAL\n");
+         dumpbytes(sdder->data, sdder->len);
+         printf("END\n");
++        if (hasPositiveTrust(trust->sslFlags) ||
++            hasPositiveTrust(trust->emailFlags) ||
++            hasPositiveTrust(trust->objectSigningFlags)) {
++            printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
++        }
+     }
+ 
+     if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
+         CERTDB_TERMINAL_RECORD)
+         trust_info = "Distrust";
+     else
+         trust_info = "Trust for";
+ 
+diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
+--- a/cmd/lib/secutil.c
++++ b/cmd/lib/secutil.c
+@@ -27,17 +27,17 @@
+ #include <unistd.h>
+ #endif
+ 
+ /* for SEC_TraverseNames */
+ #include "cert.h"
+ #include "certt.h"
+ #include "certdb.h"
+ 
+-/* #include "secmod.h" */
++#include "secmod.h"
+ #include "pk11func.h"
+ #include "secoid.h"
+ 
+ static char consoleName[] = {
+ #ifdef XP_UNIX
+     "/dev/tty"
+ #else
+ #ifdef XP_OS2
+@@ -3224,25 +3224,58 @@ SECU_PrintSignedContent(FILE *out, SECIt
+ SECStatus
+ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
+                              const char *label,
+                              CERTCertTrust *trust)
+ {
+     SECStatus rv;
+     SECItem data;
+     CERTCertTrust certTrust;
++    PK11SlotList *slotList;
++    PRBool falseAttributeFound = PR_FALSE;
++    PRBool trueAttributeFound = PR_FALSE;
++    const char *moz_policy_ca_info = NULL;
+ 
+     data.data = cert->derCert.data;
+     data.len = cert->derCert.len;
+ 
+     rv = SECU_PrintSignedData(stdout, &data, label, 0,
+                               (SECU_PPFunc)SECU_PrintCertificate);
+     if (rv) {
+         return (SECFailure);
+     }
++
++    slotList = PK11_GetAllSlotsForCert(cert, NULL);
++    if (slotList) {
++        PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
++        for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
++            CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
++            if (handle != CK_INVALID_HANDLE) {
++                PORT_SetError(0);
++                if (PK11_HasAttributeSet(se->slot, handle,
++                                         CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
++                    trueAttributeFound = PR_TRUE;
++                } else if (!PORT_GetError()) {
++                    falseAttributeFound = PR_TRUE;
++                }
++            }
++        }
++        PK11_FreeSlotList(slotList);
++    }
++
++    if (trueAttributeFound) {
++        moz_policy_ca_info = "true (attribute present)";
++    } else if (falseAttributeFound) {
++        moz_policy_ca_info = "false (attribute present)";
++    } else {
++        moz_policy_ca_info = "false (attribute missing)";
++    }
++    SECU_Indent(stdout, 1);
++    printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
++
+     if (trust) {
+         SECU_PrintTrustFlags(stdout, trust,
+                              "Certificate Trust Flags", 1);
+     } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
+         SECU_PrintTrustFlags(stdout, &certTrust,
+                              "Certificate Trust Flags", 1);
+     }
+ 
+diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
+--- a/lib/ckfw/builtins/certdata.txt
++++ b/lib/ckfw/builtins/certdata.txt
+@@ -186,16 +186,17 @@
+ \034\161\142\356\312\310\227\254\027\135\212\302\370\107\206\156
+ \052\304\126\061\225\320\147\211\205\053\371\154\246\135\106\235
+ \014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341
+ \134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364
+ \053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004
+ \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146
+ \125\342\374\110\311\051\046\151\340
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GlobalSign Root CA"
+ # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
+ # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
+ # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
+ # Not Valid Before: Tue Sep 01 12:00:00 1998
+ # Not Valid After : Fri Jan 28 12:00:00 2028
+ # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
+@@ -319,16 +320,17 @@
+ \176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135
+ \001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202
+ \301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014
+ \345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373
+ \114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373
+ \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214
+ \152\374\176\102\070\100\144\022\367\236\201\341\223\056
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GlobalSign Root CA - R2"
+ # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
+ # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
+ # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
+ # Not Valid Before: Fri Dec 15 08:00:00 2006
+ # Not Valid After : Wed Dec 15 08:00:00 2021
+ # Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
+@@ -474,16 +476,17 @@
+ \114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354
+ \245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216
+ \274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042
+ \171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170
+ \023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043
+ \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243
+ \113\336\006\226\161\054\362\333\266\037\244\357\077\356
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+ # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
+ # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Fri Oct 01 00:00:00 1999
+ # Not Valid After : Wed Jul 16 23:59:59 2036
+ # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
+@@ -638,16 +641,17 @@
+ \301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110
+ \260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153
+ \106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045
+ \342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317
+ \162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263
+ \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125
+ \311\130\020\371\252\357\132\266\317\113\113\337\052
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+ # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
+ # Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Fri Oct 01 00:00:00 1999
+ # Not Valid After : Wed Jul 16 23:59:59 2036
+ # Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
+@@ -802,16 +806,17 @@
+ \022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151
+ \027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246
+ \124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156
+ \352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255
+ \117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126
+ \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255
+ \153\271\012\172\116\117\113\204\356\113\361\175\335\021
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+ # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
+ # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Fri Oct 01 00:00:00 1999
+ # Not Valid After : Wed Jul 16 23:59:59 2036
+ # Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
+@@ -1076,16 +1081,17 @@
+ \273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320
+ \036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304
+ \171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376
+ \155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171
+ \057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227
+ \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053
+ \174\136\232\166\351\131\220\305\174\203\065\021\145\121
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Entrust.net Premium 2048 Secure Server CA"
+ # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+ # Serial Number: 946069240 (0x3863def8)
+ # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
+ # Not Valid Before: Fri Dec 24 17:50:51 1999
+ # Not Valid After : Tue Jul 24 14:15:12 2029
+ # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
+@@ -1213,16 +1219,17 @@
+ \056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275
+ \144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163
+ \222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021
+ \356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017
+ \365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322
+ \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374
+ \347\201\035\031\303\044\102\352\143\071\251
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Baltimore CyberTrust Root"
+ # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
+ # Serial Number: 33554617 (0x20000b9)
+ # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
+ # Not Valid Before: Fri May 12 18:46:00 2000
+ # Not Valid After : Mon May 12 23:59:00 2025
+ # Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
+@@ -1356,16 +1363,17 @@
+ \213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145
+ \247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030
+ \062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173
+ \054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200
+ \132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317
+ \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344
+ \065\341\035\026\034\320\274\053\216\326\161\331
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AddTrust Low-Value Services Root"
+ # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+ # Serial Number: 1 (0x1)
+ # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+ # Not Valid Before: Tue May 30 10:38:31 2000
+ # Not Valid After : Sat May 30 10:38:31 2020
+ # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
+@@ -1504,16 +1512,17 @@
+ \335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247
+ \142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027
+ \163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236
+ \216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163
+ \111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132
+ \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202
+ \027\132\173\320\274\307\217\116\206\004
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AddTrust External Root"
+ # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+ # Serial Number: 1 (0x1)
+ # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+ # Not Valid Before: Tue May 30 10:48:38 2000
+ # Not Valid After : Sat May 30 10:48:38 2020
+ # Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
+@@ -1649,16 +1658,17 @@
+ \330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
+ \341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
+ \200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
+ \305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
+ \136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
+ \137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
+ \116\072\063\014\053\263\055\220\006
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AddTrust Public Services Root"
+ # Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+ # Serial Number: 1 (0x1)
+ # Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+ # Not Valid Before: Tue May 30 10:41:50 2000
+ # Not Valid After : Sat May 30 10:41:50 2020
+ # Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
+@@ -1794,16 +1804,17 @@
+ \077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
+ \011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
+ \365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
+ \211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
+ \340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
+ \074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
+ \306\241
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AddTrust Qualified Certificates Root"
+ # Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+ # Serial Number: 1 (0x1)
+ # Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
+ # Not Valid Before: Tue May 30 10:44:50 2000
+ # Not Valid After : Sat May 30 10:44:50 2020
+ # Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
+@@ -1956,16 +1967,17 @@
+ \175\352\261\355\060\045\301\204\332\064\322\133\170\203\126\354
+ \234\066\303\046\342\021\366\147\111\035\222\253\214\373\353\377
+ \172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231
+ \074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140
+ \073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146
+ \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376
+ \036\177\132\264\074
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Entrust Root Certification Authority"
+ # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
+ # Serial Number: 1164660820 (0x456b5054)
+ # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
+ # Not Valid Before: Mon Nov 27 20:23:42 2006
+ # Not Valid After : Fri Nov 27 20:53:42 2026
+ # Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
+@@ -2089,16 +2101,17 @@
+ \270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047
+ \207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002
+ \256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115
+ \063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325
+ \345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013
+ \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355
+ \302\005\146\200\241\313\346\063
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Global CA"
+ # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
+ # Serial Number: 144470 (0x23456)
+ # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Tue May 21 04:00:00 2002
+ # Not Valid After : Sat May 21 04:00:00 2022
+ # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
+@@ -2216,16 +2229,17 @@
+ \151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227
+ \136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126
+ \000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005
+ \043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133
+ \105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152
+ \107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363
+ \342\042\051\256\175\203\100\250\272\154
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Global CA 2"
+ # Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
+ # Serial Number: 1 (0x1)
+ # Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Thu Mar 04 05:00:00 2004
+ # Not Valid After : Mon Mar 04 05:00:00 2019
+ # Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
+@@ -2375,16 +2389,17 @@
+ \121\173\327\251\234\006\241\066\335\325\211\224\274\331\344\055
+ \014\136\011\154\010\227\174\243\075\174\223\377\077\241\024\247
+ \317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225
+ \033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346
+ \154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305
+ \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157
+ \244\346\216\330\371\051\110\212\316\163\376\054
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Universal CA"
+ # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
+ # Serial Number: 1 (0x1)
+ # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Thu Mar 04 05:00:00 2004
+ # Not Valid After : Sun Mar 04 05:00:00 2029
+ # Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
+@@ -2534,16 +2549,17 @@
+ \227\124\167\332\075\022\267\340\036\357\010\006\254\371\205\207
+ \351\242\334\257\176\030\022\203\375\126\027\101\056\325\051\202
+ \175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262
+ \110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027
+ \100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306
+ \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246
+ \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Universal CA 2"
+ # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
+ # Serial Number: 1 (0x1)
+ # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Thu Mar 04 05:00:00 2004
+ # Not Valid After : Sun Mar 04 05:00:00 2029
+ # Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
+@@ -2670,16 +2686,17 @@
+ \022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
+ \004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
+ \373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
+ \115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
+ \346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
+ \337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
+ \222\340\134\366\007\017
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Visa eCommerce Root"
+ # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
+ # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
+ # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
+ # Not Valid Before: Wed Jun 26 02:18:36 2002
+ # Not Valid After : Fri Jun 24 00:16:12 2022
+ # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
+@@ -2792,16 +2809,17 @@
+ \012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171
+ \345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323
+ \362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161
+ \073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122
+ \256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151
+ \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054
+ \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Certum Root CA"
+ # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
+ # Serial Number: 65568 (0x10020)
+ # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
+ # Not Valid Before: Tue Jun 11 10:46:39 2002
+ # Not Valid After : Fri Jun 11 10:46:39 2027
+ # Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
+@@ -2937,16 +2955,17 @@
+ \154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217
+ \372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042
+ \227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242
+ \156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362
+ \343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267
+ \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237
+ \225\351\066\226\230\156
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Comodo AAA Services root"
+ # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number: 1 (0x1)
+ # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Thu Jan 01 00:00:00 2004
+ # Not Valid After : Sun Dec 31 23:59:59 2028
+ # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
+@@ -3087,16 +3106,17 @@
+ \223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
+ \150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
+ \243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
+ \145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
+ \213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
+ \241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
+ \354\375\051
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Comodo Secure Services root"
+ # Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number: 1 (0x1)
+ # Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Thu Jan 01 00:00:00 2004
+ # Not Valid After : Sun Dec 31 23:59:59 2028
+ # Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
+@@ -3239,16 +3259,17 @@
+ \201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
+ \306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
+ \115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
+ \172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
+ \164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
+ \005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
+ \160\136\310\304\170\260\142
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Comodo Trusted Services root"
+ # Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number: 1 (0x1)
+ # Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Thu Jan 01 00:00:00 2004
+ # Not Valid After : Sun Dec 31 23:59:59 2028
+ # Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
+@@ -3417,16 +3438,17 @@
+ \231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106
+ \154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060
+ \242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026
+ \304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050
+ \362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240
+ \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212
+ \112\164\066\371
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "QuoVadis Root CA"
+ # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
+ # Serial Number: 985026699 (0x3ab6508b)
+ # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
+ # Not Valid Before: Mon Mar 19 18:33:33 2001
+ # Not Valid After : Wed Mar 17 18:33:33 2021
+ # Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
+@@ -3585,16 +3607,17 @@
+ \226\136\234\307\357\047\142\010\342\221\031\134\322\361\041\335
+ \272\027\102\202\227\161\201\123\061\251\237\366\175\142\277\162
+ \341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026
+ \264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271
+ \274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332
+ \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122
+ \020\005\145\325\202\020\352\302\061\315\056
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "QuoVadis Root CA 2"
+ # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
+ # Serial Number: 1289 (0x509)
+ # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
+ # Not Valid Before: Fri Nov 24 18:27:00 2006
+ # Not Valid After : Mon Nov 24 18:23:33 2031
+ # Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
+@@ -3764,16 +3787,17 @@
+ \340\164\053\262\353\175\276\101\033\265\300\106\305\241\042\313
+ \137\116\301\050\222\336\030\272\325\052\050\273\021\213\027\223
+ \230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067
+ \036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164
+ \076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312
+ \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022
+ \332
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "QuoVadis Root CA 3"
+ # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
+ # Serial Number: 1478 (0x5c6)
+ # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
+ # Not Valid Before: Fri Nov 24 19:11:23 2006
+ # Not Valid After : Mon Nov 24 19:06:44 2031
+ # Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
+@@ -3892,16 +3916,17 @@
+ \161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124
+ \045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101
+ \065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260
+ \112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055
+ \105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003
+ \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026
+ \057\317\246\356\311\160\042\024\275\375\276\154\013\003
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Security Communication Root CA"
+ # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
+ # Serial Number: 0 (0x0)
+ # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
+ # Not Valid Before: Tue Sep 30 04:20:49 2003
+ # Not Valid After : Sat Sep 30 04:20:49 2023
+ # Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
+@@ -4014,16 +4039,17 @@
+ \066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272
+ \116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143
+ \256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165
+ \267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366
+ \146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032
+ \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132
+ \160\254\337\114
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Sonera Class 2 Root CA"
+ # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
+ # Serial Number: 29 (0x1d)
+ # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
+ # Not Valid Before: Fri Apr 06 07:29:40 2001
+ # Not Valid After : Tue Apr 06 07:29:40 2021
+ # Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
+@@ -4175,16 +4201,17 @@
+ \211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246
+ \170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254
+ \176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174
+ \025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044
+ \121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266
+ \370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303
+ \005\323\312\003\112\124
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "UTN USERFirst Email Root CA"
+ # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+ # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
+ # Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+ # Not Valid Before: Fri Jul 09 17:28:50 1999
+ # Not Valid After : Tue Jul 09 17:36:58 2019
+ # Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
+@@ -4338,16 +4365,17 @@
+ \370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
+ \335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
+ \176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
+ \225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
+ \052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
+ \152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
+ \062\234\036\273\235\370\146\250
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "UTN USERFirst Hardware Root CA"
+ # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+ # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
+ # Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+ # Not Valid Before: Fri Jul 09 18:10:42 1999
+ # Not Valid After : Tue Jul 09 18:19:22 2019
+ # Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
+@@ -4498,16 +4526,17 @@
+ \261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
+ \064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
+ \363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
+ \306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
+ \213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
+ \122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
+ \275\023\122\035\250\076\315\000\037\310
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "UTN USERFirst Object Root CA"
+ # Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+ # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
+ # Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
+ # Not Valid Before: Fri Jul 09 18:31:20 1999
+ # Not Valid After : Tue Jul 09 18:40:36 2019
+ # Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
+@@ -4661,16 +4690,17 @@
+ \210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312
+ \327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064
+ \170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110
+ \132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335
+ \250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356
+ \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370
+ \334
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Camerfirma Chambers of Commerce Root"
+ # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+ # Not Valid Before: Tue Sep 30 16:13:43 2003
+ # Not Valid After : Wed Sep 30 16:13:44 2037
+ # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
+@@ -4820,16 +4850,17 @@
+ \222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015
+ \045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334
+ \171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075
+ \262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316
+ \030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177
+ \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111
+ \166\135\165\220\032\365\046\217\360
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Camerfirma Global Chambersign Root"
+ # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
+ # Not Valid Before: Tue Sep 30 16:14:18 2003
+ # Not Valid After : Wed Sep 30 16:14:18 2037
+ # Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
+@@ -4972,16 +5003,17 @@
+ \212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273
+ \176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262
+ \213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341
+ \074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330
+ \072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020
+ \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311
+ \264\003\045\274
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "XRamp Global CA Root"
+ # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
+ # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
+ # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
+ # Not Valid Before: Mon Nov 01 17:14:04 2004
+ # Not Valid After : Mon Jan 01 05:37:19 2035
+ # Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
+@@ -5118,16 +5150,17 @@
+ \216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274
+ \353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021
+ \164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002
+ \022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245
+ \236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237
+ \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035
+ \177\333\275\237
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Go Daddy Class 2 CA"
+ # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
+ # Serial Number: 0 (0x0)
+ # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
+ # Not Valid Before: Tue Jun 29 17:06:20 2004
+ # Not Valid After : Thu Jun 29 17:06:20 2034
+ # Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
+@@ -5262,16 +5295,17 @@
+ \055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351
+ \125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101
+ \152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064
+ \253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030
+ \131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155
+ \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057
+ \037\027\224
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Starfield Class 2 CA"
+ # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
+ # Serial Number: 0 (0x0)
+ # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
+ # Not Valid Before: Tue Jun 29 17:39:16 2004
+ # Not Valid After : Thu Jun 29 17:39:16 2034
+ # Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
+@@ -5467,16 +5501,17 @@
+ \115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001
+ \126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225
+ \272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354
+ \165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204
+ \103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241
+ \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060
+ \152\263\364\210\034\200\015\374\162\212\350\203\136
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "StartCom Certification Authority"
+ # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+ # Serial Number: 1 (0x1)
+ # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+ # Not Valid Before: Sun Sep 17 19:46:36 2006
+ # Not Valid After : Wed Sep 17 19:46:36 2036
+ # Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
+@@ -5631,16 +5666,17 @@
+ \262\304\060\231\043\116\135\362\110\241\022\014\334\022\220\011
+ \220\124\221\003\074\107\345\325\311\145\340\267\113\175\354\107
+ \323\263\013\076\255\236\320\164\000\016\353\275\121\255\300\336
+ \054\300\303\152\376\357\334\013\247\372\106\337\140\333\234\246
+ \131\120\165\043\151\163\223\262\371\374\002\323\107\346\161\316
+ \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045
+ \245\206\054\174\364\022
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Taiwan GRCA"
+ # Issuer: O=Government Root Certification Authority,C=TW
+ # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
+ # Subject: O=Government Root Certification Authority,C=TW
+ # Not Valid Before: Thu Dec 05 13:23:33 2002
+ # Not Valid After : Sun Dec 05 13:23:33 2032
+ # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
+@@ -5803,16 +5839,17 @@
+ \204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376
+ \062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260
+ \262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030
+ \316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311
+ \376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146
+ \201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372
+ \060\032\365\232\154\364\016\123\371\072\133\321\034
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Swisscom Root CA 1"
+ # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
+ # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
+ # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
+ # Not Valid Before: Thu Aug 18 12:06:20 2005
+ # Not Valid After : Mon Aug 18 22:06:20 2025
+ # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
+@@ -5943,16 +5980,17 @@
+ \102\267\372\214\036\335\142\361\276\120\147\267\154\275\363\361
+ \037\153\014\066\007\026\177\067\174\251\133\155\172\361\022\106
+ \140\203\327\047\004\276\113\316\227\276\303\147\052\150\021\337
+ \200\347\014\063\146\277\023\015\024\156\363\177\037\143\020\036
+ \372\215\033\045\155\154\217\245\267\141\001\261\322\243\046\241
+ \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056
+ \346\120\262\247\372\012\105\057\242\360\362
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "DigiCert Assured ID Root CA"
+ # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
+ # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Fri Nov 10 00:00:00 2006
+ # Not Valid After : Mon Nov 10 00:00:00 2031
+ # Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
+@@ -6083,16 +6121,17 @@
+ \076\052\271\066\123\317\072\120\006\367\056\350\304\127\111\154
+ \141\041\030\325\004\255\170\074\054\072\200\153\247\353\257\025
+ \024\351\330\211\301\271\070\154\342\221\154\212\377\144\271\167
+ \045\127\060\300\033\044\243\341\334\351\337\107\174\265\264\044
+ \010\005\060\354\055\275\013\277\105\277\120\271\251\363\353\230
+ \001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225
+ \225\155\336
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "DigiCert Global Root CA"
+ # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
+ # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Fri Nov 10 00:00:00 2006
+ # Not Valid After : Mon Nov 10 00:00:00 2031
+ # Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
+@@ -6224,16 +6263,17 @@
+ \143\070\275\104\244\177\344\046\053\012\304\227\151\015\351\214
+ \342\300\020\127\270\310\166\022\221\125\362\110\151\330\274\052
+ \002\133\017\104\324\040\061\333\364\272\160\046\135\220\140\236
+ \274\113\027\011\057\264\313\036\103\150\311\007\047\301\322\134
+ \367\352\041\271\150\022\234\074\234\277\236\374\200\134\233\143
+ \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251
+ \370\351\056\023\243\167\350\037\112
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "DigiCert High Assurance EV Root CA"
+ # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
+ # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Fri Nov 10 00:00:00 2006
+ # Not Valid After : Mon Nov 10 00:00:00 2031
+ # Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
+@@ -6356,16 +6396,17 @@
+ \311\273\211\176\156\200\210\036\057\024\264\003\044\250\062\157
+ \003\232\107\054\060\276\126\306\247\102\002\160\033\352\100\330
+ \272\005\003\160\007\244\226\377\375\110\063\012\341\334\245\201
+ \220\233\115\335\175\347\347\262\315\134\310\152\225\370\245\366
+ \215\304\135\170\010\276\173\006\326\111\317\031\066\120\043\056
+ \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273
+ \227\277\242\216\264\124
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Certplus Class 2 Primary CA"
+ # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
+ # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
+ # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
+ # Not Valid Before: Wed Jul 07 17:05:00 1999
+ # Not Valid After : Sat Jul 06 23:59:59 2019
+ # Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
+@@ -6482,16 +6523,17 @@
+ \162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122
+ \147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071
+ \044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011
+ \220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221
+ \213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050
+ \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221
+ \013\004\216\007\333\051\266\012\356\235\202\065\065\020
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "DST Root CA X3"
+ # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
+ # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
+ # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
+ # Not Valid Before: Sat Sep 30 21:12:19 2000
+ # Not Valid After : Thu Sep 30 14:01:15 2021
+ # Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
+@@ -6623,16 +6665,17 @@
+ \343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
+ \370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
+ \256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
+ \150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
+ \064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
+ \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
+ \363\267\240\247\315\345\172\063\066\152\372\232\053
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "DST ACES CA X6"
+ # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
+ # Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
+ # Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
+ # Not Valid Before: Thu Nov 20 21:19:58 2003
+ # Not Valid After : Mon Nov 20 21:19:58 2017
+ # Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
+@@ -6790,16 +6833,17 @@
+ \137\373\140\130\321\373\304\301\155\211\242\273\040\037\235\161
+ \221\313\062\233\023\075\076\175\222\122\065\254\222\224\242\323
+ \030\302\174\307\352\257\166\005\026\335\147\047\302\176\034\007
+ \042\041\363\100\012\033\064\007\104\023\302\204\152\216\337\031
+ \132\277\177\353\035\342\032\070\321\134\257\107\222\153\200\265
+ \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251
+ \205\206\171\145\322
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "SwissSign Platinum CA - G2"
+ # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
+ # Serial Number:4e:b2:00:67:0c:03:5d:4f
+ # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
+ # Not Valid Before: Wed Oct 25 08:36:00 2006
+ # Not Valid After : Sat Oct 25 08:36:00 2036
+ # Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
+@@ -6954,16 +6998,17 @@
+ \001\320\277\150\236\143\140\153\065\115\013\155\272\241\075\300
+ \223\340\177\043\263\125\255\162\045\116\106\371\322\026\357\260
+ \144\301\001\236\351\312\240\152\230\016\317\330\140\362\057\111
+ \270\344\102\341\070\065\026\364\310\156\117\367\201\126\350\272
+ \243\276\043\257\256\375\157\003\340\002\073\060\166\372\033\155
+ \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362
+ \111\044\133\311\260\320\127\301\372\076\172\341\227\311
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "SwissSign Gold CA - G2"
+ # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
+ # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
+ # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
+ # Not Valid Before: Wed Oct 25 08:30:35 2006
+ # Not Valid After : Sat Oct 25 08:30:35 2036
+ # Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
+@@ -7119,16 +7164,17 @@
+ \212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076
+ \204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345
+ \000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353
+ \233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362
+ \264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152
+ \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056
+ \156
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "SwissSign Silver CA - G2"
+ # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
+ # Serial Number:4f:1b:d4:2f:54:bb:2f:4b
+ # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
+ # Not Valid Before: Wed Oct 25 08:32:46 2006
+ # Not Valid After : Sat Oct 25 08:32:46 2036
+ # Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
+@@ -7250,16 +7296,17 @@
+ \254\257\031\240\163\022\055\374\302\101\272\201\221\332\026\132
+ \061\267\371\264\161\200\022\110\231\162\163\132\131\123\301\143
+ \122\063\355\247\311\322\071\002\160\372\340\261\102\146\051\252
+ \233\121\355\060\124\042\024\137\331\253\035\301\344\224\360\370
+ \365\053\367\352\312\170\106\326\270\221\375\246\015\053\032\024
+ \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215
+ \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Primary Certification Authority"
+ # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
+ # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
+ # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Mon Nov 27 00:00:00 2006
+ # Not Valid After : Wed Jul 16 23:59:59 2036
+ # Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
+@@ -7404,16 +7451,17 @@
+ \376\254\100\171\345\254\020\157\075\217\033\171\166\213\304\067
+ \263\041\030\204\345\066\000\353\143\040\231\271\351\376\063\004
+ \273\101\310\301\002\371\104\143\040\236\201\316\102\323\326\077
+ \054\166\323\143\234\131\335\217\246\341\016\240\056\101\367\056
+ \225\107\317\274\375\063\363\366\013\141\176\176\221\053\201\107
+ \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173
+ \215\126\214\150
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "thawte Primary Root CA"
+ # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+ # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
+ # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+ # Not Valid Before: Fri Nov 17 00:00:00 2006
+ # Not Valid After : Wed Jul 16 23:59:59 2036
+ # Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
+@@ -7578,16 +7626,17 @@
+ \336\375\250\202\052\155\050\037\015\013\304\345\347\032\046\031
+ \341\364\021\157\020\265\225\374\347\102\005\062\333\316\235\121
+ \136\050\266\236\205\323\133\357\245\175\105\100\162\216\267\016
+ \153\016\006\373\063\065\110\161\270\235\047\213\304\145\137\015
+ \206\166\234\104\172\366\225\134\366\135\062\010\063\244\124\266
+ \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362
+ \254\021\326\250\355\143\152
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
+ # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
+ # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Wed Nov 08 00:00:00 2006
+ # Not Valid After : Wed Jul 16 23:59:59 2036
+ # Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
+@@ -7720,16 +7769,17 @@
+ \144\122\066\137\140\147\331\234\305\005\164\013\347\147\043\322
+ \010\374\210\351\256\213\177\341\060\364\067\176\375\306\062\332
+ \055\236\104\060\060\154\356\007\336\322\064\374\322\377\100\366
+ \113\364\146\106\006\124\246\362\062\012\143\046\060\153\233\321
+ \334\213\107\272\341\271\325\142\320\242\240\364\147\005\170\051
+ \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050
+ \113\035\236\054\302\270\150\274\355\002\356\061
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "SecureTrust CA"
+ # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
+ # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
+ # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
+ # Not Valid Before: Tue Nov 07 19:31:18 2006
+ # Not Valid After : Mon Dec 31 19:40:55 2029
+ # Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
+@@ -7854,16 +7904,17 @@
+ \103\265\113\055\024\237\371\334\046\015\277\246\107\164\006\330
+ \210\321\072\051\060\204\316\322\071\200\142\033\250\307\127\111
+ \274\152\125\121\147\025\112\276\065\007\344\325\165\230\067\171
+ \060\024\333\051\235\154\305\151\314\107\125\242\060\367\314\134
+ \177\302\303\230\034\153\116\026\200\353\172\170\145\105\242\000
+ \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362
+ \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Secure Global CA"
+ # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
+ # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
+ # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
+ # Not Valid Before: Tue Nov 07 19:42:28 2006
+ # Not Valid After : Mon Dec 31 19:52:06 2029
+ # Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
+@@ -8003,16 +8054,17 @@
+ \314\225\122\223\360\160\045\131\234\040\147\304\356\371\213\127
+ \141\364\222\166\175\077\204\215\125\267\350\345\254\325\361\365
+ \031\126\246\132\373\220\034\257\223\353\345\034\324\147\227\135
+ \004\016\276\013\203\246\027\203\271\060\022\240\305\063\025\005
+ \271\015\373\307\005\166\343\330\112\215\374\064\027\243\306\041
+ \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001
+ \145
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "COMODO Certification Authority"
+ # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
+ # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Fri Dec 01 00:00:00 2006
+ # Not Valid After : Mon Dec 31 23:59:59 2029
+ # Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
+@@ -8148,16 +8200,17 @@
+ \056\044\137\313\130\017\353\050\354\257\021\226\363\334\173\157
+ \300\247\210\362\123\167\263\140\136\256\256\050\332\065\054\157
+ \064\105\323\046\341\336\354\133\117\047\153\026\174\275\104\004
+ \030\202\263\211\171\027\020\161\075\172\242\026\116\365\001\315
+ \244\154\145\150\241\111\166\134\103\311\330\274\066\147\154\245
+ \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313
+ \244\140\114\260\125\240\240\173\127\262
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Network Solutions Certificate Authority"
+ # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
+ # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
+ # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
+ # Not Valid Before: Fri Dec 01 00:00:00 2006
+ # Not Valid After : Mon Dec 31 23:59:59 2029
+ # Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
+@@ -8188,177 +8241,16 @@
+ \150\340
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "WellsSecure Public Root Certificate Authority"
+-#
+-# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Serial Number: 1 (0x1)
+-# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Not Valid Before: Thu Dec 13 17:07:54 2007
+-# Not Valid After : Wed Dec 14 00:07:54 2022
+-# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
+-# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
+-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
+-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
+-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
+-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
+-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
+-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
+-\165\164\150\157\162\151\164\171
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
+-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
+-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
+-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
+-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
+-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
+-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
+-\165\164\150\157\162\151\164\171
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\001
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+-\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+-\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040
+-\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162
+-\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154
+-\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061
+-\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123
+-\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157
+-\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
+-\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061
+-\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064
+-\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003
+-\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012
+-\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145
+-\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125
+-\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040
+-\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003
+-\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165
+-\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146
+-\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060
+-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
+-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
+-\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253
+-\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210
+-\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051
+-\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324
+-\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122
+-\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060
+-\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054
+-\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344
+-\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264
+-\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143
+-\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050
+-\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204
+-\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237
+-\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005
+-\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300
+-\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145
+-\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006
+-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071
+-\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206
+-\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056
+-\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167
+-\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017
+-\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016
+-\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031
+-\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043
+-\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227
+-\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244
+-\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002
+-\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154
+-\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145
+-\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127
+-\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040
+-\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154
+-\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040
+-\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145
+-\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006
+-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+-\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173
+-\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355
+-\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035
+-\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225
+-\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045
+-\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101
+-\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344
+-\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255
+-\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247
+-\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163
+-\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166
+-\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075
+-\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147
+-\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176
+-\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157
+-\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130
+-\333
+-END
+-
+-# Trust for Certificate "WellsSecure Public Root Certificate Authority"
+-# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Serial Number: 1 (0x1)
+-# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
+-# Not Valid Before: Thu Dec 13 17:07:54 2007
+-# Not Valid After : Wed Dec 14 00:07:54 2022
+-# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
+-# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364
+-\175\117\350\356
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
+-\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
+-\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
+-\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
+-\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
+-\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
+-\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
+-\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
+-\165\164\150\157\162\151\164\171
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\001
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "COMODO ECC Certification Authority"
+ #
+ # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
+ # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Thu Mar 06 00:00:00 2008
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
+@@ -8434,16 +8326,17 @@
+ \004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254
+ \267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346
+ \175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316
+ \231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223
+ \074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157
+ \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346
+ \334\335\363\377\035\054\072\026\127\331\222\071\326
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "COMODO ECC Certification Authority"
+ # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
+ # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Thu Mar 06 00:00:00 2008
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
+@@ -8741,16 +8634,17 @@
+ \250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
+ \102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
+ \067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
+ \340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
+ \124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
+ \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
+ \164
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Security Communication EV RootCA1"
+ # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
+ # Serial Number: 0 (0x0)
+ # Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
+ # Not Valid Before: Wed Jun 06 02:12:32 2007
+ # Not Valid After : Sat Jun 06 02:12:32 2037
+ # Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
+@@ -8888,16 +8782,17 @@
+ \204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030
+ \113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000
+ \267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142
+ \026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243
+ \156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051
+ \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311
+ \374\276\337\012\015
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "OISTE WISeKey Global Root GA CA"
+ # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
+ # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
+ # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
+ # Not Valid Before: Sun Dec 11 16:03:44 2005
+ # Not Valid After : Fri Dec 11 16:09:51 2037
+ # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
+@@ -8930,222 +8825,16 @@
+ \337\232
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "Microsec e-Szigno Root CA"
+-#
+-# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
+-# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Not Valid Before: Wed Apr 06 12:28:44 2005
+-# Not Valid After : Thu Apr 06 12:28:44 2017
+-# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
+-# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
+-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
+-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
+-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
+-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
+-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
+-\164\040\103\101
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
+-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
+-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
+-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
+-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
+-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
+-\164\040\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
+-\054\017\021
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000
+-\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+-\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021
+-\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163
+-\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162
+-\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125
+-\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061
+-\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163
+-\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164
+-\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062
+-\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070
+-\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002
+-\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144
+-\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015
+-\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060
+-\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157
+-\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151
+-\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040
+-\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052
+-\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
+-\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070
+-\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207
+-\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256
+-\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167
+-\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331
+-\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376
+-\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006
+-\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254
+-\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300
+-\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140
+-\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270
+-\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364
+-\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341
+-\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111
+-\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161
+-\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346
+-\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004
+-\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001
+-\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060
+-\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145
+-\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060
+-\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164
+-\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157
+-\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017
+-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
+-\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146
+-\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001
+-\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007
+-\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145
+-\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057
+-\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202
+-\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156
+-\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171
+-\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145
+-\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040
+-\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147
+-\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172
+-\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147
+-\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123
+-\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141
+-\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141
+-\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141
+-\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164
+-\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154
+-\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150
+-\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167
+-\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147
+-\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132
+-\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201
+-\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150
+-\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147
+-\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154
+-\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145
+-\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151
+-\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156
+-\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125
+-\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117
+-\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056
+-\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125
+-\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157
+-\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162
+-\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
+-\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201
+-\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150
+-\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032
+-\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156
+-\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003
+-\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110
+-\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003
+-\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060
+-\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125
+-\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141
+-\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166
+-\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110
+-\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141
+-\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115
+-\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022
+-\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040
+-\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143
+-\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122
+-\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032
+-\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016
+-\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322
+-\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206
+-\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146
+-\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154
+-\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240
+-\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247
+-\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345
+-\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172
+-\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250
+-\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332
+-\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133
+-\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323
+-\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321
+-\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235
+-\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362
+-\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077
+-\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226
+-\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040
+-\103\307\003\340\067\116\135\012\334\131\040\045
+-END
+-
+-# Trust for Certificate "Microsec e-Szigno Root CA"
+-# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
+-# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
+-# Not Valid Before: Wed Apr 06 12:28:44 2005
+-# Not Valid After : Thu Apr 06 12:28:44 2017
+-# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
+-# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326
+-\045\354\031\015
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
+-\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
+-\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
+-\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
+-\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
+-\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
+-\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
+-\164\040\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
+-\054\017\021
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Certigna"
+ #
+ # Issuer: CN=Certigna,O=Dhimyotis,C=FR
+ # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
+ # Subject: CN=Certigna,O=Dhimyotis,C=FR
+ # Not Valid Before: Fri Jun 29 15:13:05 2007
+ # Not Valid After : Tue Jun 29 15:13:05 2027
+ # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
+@@ -9228,16 +8917,17 @@
+ \013\221\003\165\054\154\162\265\141\225\232\015\213\271\015\347
+ \365\337\124\315\336\346\330\326\011\010\227\143\345\301\056\260
+ \267\104\046\300\046\300\257\125\060\236\073\325\066\052\031\004
+ \364\134\036\377\317\054\267\377\320\375\207\100\021\325\021\043
+ \273\110\300\041\251\244\050\055\375\025\370\260\116\053\364\060
+ \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225
+ \300\226\130\057\352\273\106\327\273\344\331\056
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Certigna"
+ # Issuer: CN=Certigna,O=Dhimyotis,C=FR
+ # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
+ # Subject: CN=Certigna,O=Dhimyotis,C=FR
+ # Not Valid Before: Fri Jun 29 15:13:05 2007
+ # Not Valid After : Tue Jun 29 15:13:05 2027
+ # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
+@@ -9409,16 +9099,17 @@
+ \104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352
+ \147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211
+ \302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153
+ \060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030
+ \107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043
+ \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144
+ \005\211\374\170\326\134\054\046\103\251
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AC Raiz Certicamara S.A."
+ # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
+ # Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
+ # Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
+ # Not Valid Before: Mon Nov 27 20:46:29 2006
+ # Not Valid After : Tue Apr 02 21:42:02 2030
+ # Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
+@@ -9566,16 +9257,17 @@
+ \334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001
+ \367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245
+ \207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011
+ \362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143
+ \113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030
+ \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154
+ \016\121\075\157\373\226\126\200\342\066\027\321\334\344
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "TC TrustCenter Class 3 CA II"
+ # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
+ # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
+ # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
+ # Not Valid Before: Thu Jan 12 14:41:57 2006
+ # Not Valid After : Wed Dec 31 22:59:59 2025
+ # Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
+@@ -9706,16 +9398,17 @@
+ \332\347\212\067\041\276\131\143\340\362\205\210\061\123\324\124
+ \024\205\160\171\364\056\006\167\047\165\057\037\270\212\371\376
+ \305\272\330\066\344\203\354\347\145\267\277\143\132\363\106\257
+ \201\224\067\324\101\214\326\043\326\036\317\365\150\033\104\143
+ \242\132\272\247\065\131\241\345\160\005\233\016\043\127\231\224
+ \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005
+ \126\144\127
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Deutsche Telekom Root CA 2"
+ # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
+ # Serial Number: 38 (0x26)
+ # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
+ # Not Valid Before: Fri Jul 09 12:11:00 1999
+ # Not Valid After : Tue Jul 09 23:59:00 2019
+ # Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
+@@ -9838,16 +9531,17 @@
+ \205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334
+ \157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135
+ \023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044
+ \105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163
+ \055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370
+ \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224
+ \000\147\240\161\000\202\110
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "ComSign CA"
+ # Issuer: C=IL,O=ComSign,CN=ComSign CA
+ # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
+ # Subject: C=IL,O=ComSign,CN=ComSign CA
+ # Not Valid Before: Wed Mar 24 11:32:18 2004
+ # Not Valid After : Mon Mar 19 15:02:18 2029
+ # Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
+@@ -9968,16 +9662,17 @@
+ \275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141
+ \035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113
+ \205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320
+ \256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142
+ \237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063
+ \072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053
+ \316\145\006\056\135\322\052\123\164\136\323\156\047\236\217
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "ComSign Secured CA"
+ # Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
+ # Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
+ # Subject: C=IL,O=ComSign,CN=ComSign Secured CA
+ # Not Valid Before: Wed Mar 24 11:37:20 2004
+ # Not Valid After : Fri Mar 16 15:04:56 2029
+ # Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
+@@ -10097,16 +9792,17 @@
+ \017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354
+ \174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034
+ \003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327
+ \347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006
+ \140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326
+ \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264
+ \246\210\070\316\125
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Cybertrust Global Root"
+ # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
+ # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
+ # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
+ # Not Valid Before: Fri Dec 15 08:00:00 2006
+ # Not Valid After : Wed Dec 15 08:00:00 2021
+ # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
+@@ -10263,16 +9959,17 @@
+ \115\343\061\325\307\354\350\362\260\376\222\036\026\012\032\374
+ \331\363\370\047\266\311\276\035\264\154\144\220\177\364\344\304
+ \133\327\067\256\102\016\335\244\032\157\174\210\124\305\026\156
+ \341\172\150\056\370\072\277\015\244\074\211\073\170\247\116\143
+ \203\004\041\010\147\215\362\202\111\320\133\375\261\315\017\203
+ \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352
+ \201\370\021\234
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "ePKI Root Certification Authority"
+ # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
+ # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
+ # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
+ # Not Valid Before: Mon Dec 20 02:31:27 2004
+ # Not Valid After : Wed Dec 20 02:31:27 2034
+ # Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
+@@ -10447,16 +10144,17 @@
+ \200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112
+ \057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307
+ \060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147
+ \240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154
+ \301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204
+ \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054
+ \311\234\220\332\354\251\102\074\255\266\002
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+ # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
+ # Serial Number: 17 (0x11)
+ # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
+ # Not Valid Before: Fri Aug 24 11:37:07 2007
+ # Not Valid After : Mon Aug 21 11:37:07 2017
+ # Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
+@@ -10583,16 +10281,17 @@
+ \045\335\141\047\043\034\265\061\007\004\066\264\032\220\275\240
+ \164\161\120\211\155\274\024\343\017\206\256\361\253\076\307\240
+ \011\314\243\110\321\340\333\144\347\222\265\317\257\162\103\160
+ \213\371\303\204\074\023\252\176\222\233\127\123\223\372\160\302
+ \221\016\061\371\233\147\135\351\226\070\136\137\263\163\116\210
+ \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115
+ \366\356\260\132\116\111\104\124\130\137\102\203
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "certSIGN ROOT CA"
+ # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
+ # Serial Number:20:06:05:16:70:02
+ # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
+ # Not Valid Before: Tue Jul 04 17:20:04 2006
+ # Not Valid After : Fri Jul 04 17:20:04 2031
+ # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
+@@ -10706,16 +10405,17 @@
+ \125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313
+ \156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356
+ \343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311
+ \022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143
+ \330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256
+ \056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125
+ \011\333\212\101\202\236\146\233\021
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "CNNIC ROOT"
+ # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
+ # Serial Number: 1228079105 (0x49330001)
+ # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
+ # Not Valid Before: Mon Apr 16 07:09:14 2007
+ # Not Valid After : Fri Apr 16 07:09:14 2027
+ # Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
+@@ -10742,147 +10442,16 @@
+ \002\004\111\063\000\001
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "ApplicationCA - Japanese Government"
+-#
+-# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Serial Number: 49 (0x31)
+-# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Not Valid Before: Wed Dec 12 15:00:00 2007
+-# Not Valid After : Tue Dec 12 15:00:00 2017
+-# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
+-# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
+-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
+-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
+-\151\157\156\103\101
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
+-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
+-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
+-\151\157\156\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\061
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+-\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034
+-\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163
+-\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024
+-\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151
+-\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065
+-\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060
+-\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023
+-\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141
+-\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156
+-\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154
+-\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006
+-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+-\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207
+-\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005
+-\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212
+-\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212
+-\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240
+-\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006
+-\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171
+-\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004
+-\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155
+-\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060
+-\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214
+-\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005
+-\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155
+-\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331
+-\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060
+-\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046
+-\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243
+-\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024
+-\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320
+-\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004
+-\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244
+-\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120
+-\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234
+-\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003
+-\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202
+-\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060
+-\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
+-\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017
+-\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172
+-\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011
+-\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234
+-\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026
+-\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176
+-\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221
+-\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217
+-\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124
+-\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210
+-\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353
+-\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243
+-\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046
+-\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377
+-\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113
+-\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177
+-\262\033\211\124
+-END
+-
+-# Trust for Certificate "ApplicationCA - Japanese Government"
+-# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Serial Number: 49 (0x31)
+-# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
+-# Not Valid Before: Wed Dec 12 15:00:00 2007
+-# Not Valid After : Tue Dec 12 15:00:00 2017
+-# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
+-# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214
+-\323\065\374\164
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+-\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
+-\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
+-\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
+-\151\157\156\103\101
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\001\061
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "GeoTrust Primary Certification Authority - G3"
+ #
+ # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
+ # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Wed Apr 02 00:00:00 2008
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
+@@ -10984,16 +10553,17 @@
+ \207\174\015\015\317\056\010\134\112\100\015\076\354\201\141\346
+ \044\333\312\340\016\055\007\262\076\126\334\215\365\101\205\007
+ \110\233\014\013\313\111\077\175\354\267\375\313\215\147\211\032
+ \253\355\273\036\243\000\010\010\027\052\202\134\061\135\106\212
+ \055\017\206\233\164\331\105\373\324\100\261\172\252\150\055\206
+ \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031
+ \021\055
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
+ # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
+ # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Wed Apr 02 00:00:00 2008
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
+@@ -11112,16 +10682,17 @@
+ \003\003\151\000\060\146\002\061\000\335\370\340\127\107\133\247
+ \346\012\303\275\365\200\212\227\065\015\033\211\074\124\206\167
+ \050\312\241\364\171\336\265\346\070\260\360\145\160\214\177\002
+ \124\302\277\377\330\241\076\331\317\002\061\000\304\215\224\374
+ \334\123\322\334\235\170\026\037\025\063\043\123\122\343\132\061
+ \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022
+ \367\130\077\056\162\002\127\243\217\241\024\056
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "thawte Primary Root CA - G2"
+ # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
+ # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
+ # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
+ # Not Valid Before: Mon Nov 05 00:00:00 2007
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
+@@ -11271,16 +10842,17 @@
+ \051\101\221\042\074\151\247\273\002\362\266\134\047\003\211\364
+ \006\352\233\344\162\202\343\241\011\301\351\000\031\323\076\324
+ \160\153\272\161\246\252\130\256\364\273\351\154\266\357\207\314
+ \233\273\377\071\346\126\141\323\012\247\304\134\114\140\173\005
+ \167\046\172\277\330\007\122\054\142\367\160\143\331\071\274\157
+ \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156
+ \061\324\100\032\142\064\066\077\065\001\256\254\143\240
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "thawte Primary Root CA - G3"
+ # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+ # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
+ # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
+ # Not Valid Before: Wed Apr 02 00:00:00 2008
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
+@@ -11406,16 +10978,17 @@
+ \144\226\131\246\350\011\336\213\272\372\132\210\210\360\037\221
+ \323\106\250\362\112\114\002\143\373\154\137\070\333\056\101\223
+ \251\016\346\235\334\061\034\262\240\247\030\034\171\341\307\066
+ \002\060\072\126\257\232\164\154\366\373\203\340\063\323\010\137
+ \241\234\302\133\237\106\326\266\313\221\006\143\242\006\347\063
+ \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004
+ \017\212
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
+ # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
+ # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
+ # Not Valid Before: Mon Nov 05 00:00:00 2007
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
+@@ -11575,16 +11148,17 @@
+ \007\021\360\325\333\335\345\214\360\325\062\260\203\346\127\342
+ \217\277\276\241\252\277\075\035\265\324\070\352\327\260\134\072
+ \117\152\077\217\300\146\154\143\252\351\331\244\026\364\201\321
+ \225\024\016\175\315\225\064\331\322\217\160\163\201\173\234\176
+ \275\230\141\330\105\207\230\220\305\353\206\060\306\065\277\360
+ \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267
+ \354\315\202\141\361\070\346\117\227\230\052\132\215
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "VeriSign Universal Root Certification Authority"
+ # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
+ # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Wed Apr 02 00:00:00 2008
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
+@@ -11729,16 +11303,17 @@
+ \000\060\145\002\060\146\041\014\030\046\140\132\070\173\126\102
+ \340\247\374\066\204\121\221\040\054\166\115\103\075\304\035\204
+ \043\320\254\326\174\065\006\316\315\151\275\220\015\333\154\110
+ \102\035\016\252\102\002\061\000\234\075\110\071\043\071\130\032
+ \025\022\131\152\236\357\325\131\262\035\122\054\231\161\315\307
+ \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252
+ \055\247\330\206\052\335\056\020
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
+ # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
+ # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Mon Nov 05 00:00:00 2007
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
+@@ -11888,16 +11463,17 @@
+ \276\245\025\143\241\324\225\207\361\236\271\363\211\363\075\205
+ \270\270\333\276\265\271\051\371\332\067\005\000\111\224\003\204
+ \104\347\277\103\061\317\165\213\045\321\364\246\144\365\222\366
+ \253\005\353\075\351\245\013\066\142\332\314\006\137\066\213\266
+ \136\061\270\052\373\136\366\161\337\104\046\236\304\346\015\221
+ \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233
+ \330\316\304\143\165\077\131\107\261
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
+ # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
+ # Serial Number:49:41:2c:e4:00:10
+ # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
+ # Not Valid Before: Thu Dec 11 15:08:21 2008
+ # Not Valid After : Wed Dec 06 15:08:21 2028
+ # Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
+@@ -12061,16 +11637,17 @@
+ \120\346\105\020\107\170\266\116\322\145\311\303\067\337\341\102
+ \143\260\127\067\105\055\173\212\234\277\005\352\145\125\063\367
+ \071\020\305\050\052\041\172\033\212\304\044\371\077\025\310\232
+ \025\040\365\125\142\226\355\155\223\120\274\344\252\170\255\331
+ \313\012\145\207\246\146\301\304\201\243\167\072\130\036\013\356
+ \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265
+ \370\161\012\334\271\374\175\062\140\346\353\257\212\001
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Staat der Nederlanden Root CA - G2"
+ # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
+ # Serial Number: 10000012 (0x98968c)
+ # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
+ # Not Valid Before: Wed Mar 26 11:18:17 2008
+ # Not Valid After : Wed Mar 25 11:03:10 2020
+ # Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
+@@ -12186,16 +11763,17 @@
+ \022\024\344\141\215\254\020\220\236\204\120\273\360\226\157\105
+ \237\212\363\312\154\117\372\021\072\025\025\106\303\315\037\203
+ \133\055\101\022\355\120\147\101\023\075\041\253\224\212\252\116
+ \174\301\261\373\247\326\265\047\057\227\253\156\340\035\342\321
+ \034\054\037\104\342\374\276\221\241\234\373\326\051\123\163\206
+ \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342
+ \002\153\331\132
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Hongkong Post Root CA 1"
+ # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
+ # Serial Number: 1000 (0x3e8)
+ # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
+ # Not Valid Before: Thu May 15 05:13:14 2003
+ # Not Valid After : Mon May 15 04:52:29 2023
+ # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
+@@ -12316,16 +11894,17 @@
+ \143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310
+ \122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371
+ \244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154
+ \017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055
+ \015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215
+ \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003
+ \362
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "SecureSign RootCA11"
+ # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
+ # Serial Number: 1 (0x1)
+ # Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
+ # Not Valid Before: Wed Apr 08 04:56:47 2009
+ # Not Valid After : Sun Apr 08 04:56:47 2029
+ # Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
+@@ -12481,16 +12060,17 @@
+ \307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125
+ \207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255
+ \257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351
+ \032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235
+ \350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112
+ \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176
+ \113\076\053\070\007\125\230\136\244
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "ACEDICOM Root"
+ # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
+ # Serial Number:61:8d:c7:86:3b:01:82:05
+ # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
+ # Not Valid Before: Fri Apr 18 16:24:22 2008
+ # Not Valid After : Thu Apr 13 16:24:22 2028
+ # Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
+@@ -12627,16 +12207,17 @@
+ \255\234\032\303\004\074\355\002\141\326\036\006\363\137\072\207
+ \362\053\361\105\207\345\075\254\321\307\127\204\275\153\256\334
+ \330\371\266\033\142\160\013\075\066\311\102\362\062\327\172\141
+ \346\322\333\075\317\310\251\311\233\334\333\130\104\327\157\070
+ \257\177\170\323\243\255\032\165\272\034\301\066\174\217\036\155
+ \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311
+ \202\042\055\172\124\253\160\303\175\042\145\202\160\226
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Microsec e-Szigno Root CA 2009"
+ # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
+ # Serial Number:00:c2:7e:43:04:4e:47:3f:19
+ # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
+ # Not Valid Before: Tue Jun 16 11:30:18 2009
+ # Not Valid After : Sun Dec 30 11:30:18 2029
+ # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
+@@ -12758,16 +12339,17 @@
+ \231\302\037\172\016\343\055\010\255\012\034\054\377\074\253\125
+ \016\017\221\176\066\353\303\127\111\276\341\056\055\174\140\213
+ \303\101\121\023\043\235\316\367\062\153\224\001\250\231\347\054
+ \063\037\072\073\045\322\206\100\316\073\054\206\170\311\141\057
+ \024\272\356\333\125\157\337\204\356\005\011\115\275\050\330\162
+ \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107
+ \130\077\137
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "GlobalSign Root CA - R3"
+ # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+ # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
+ # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+ # Not Valid Before: Wed Mar 18 10:00:00 2009
+ # Not Valid After : Sun Mar 18 10:00:00 2029
+ # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
+@@ -12930,16 +12512,17 @@
+ \330\153\044\254\227\130\104\107\255\131\030\361\041\145\160\336
+ \316\064\140\250\100\361\363\074\244\303\050\043\214\376\047\063
+ \103\100\240\027\074\353\352\073\260\162\246\243\271\112\113\136
+ \026\110\364\262\274\310\214\222\305\235\237\254\162\066\274\064
+ \200\064\153\251\213\222\300\270\027\355\354\166\123\365\044\001
+ \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156
+ \156\117\022\176\012\074\235\225
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+ # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
+ # Serial Number:53:ec:3b:ee:fb:b2:48:5f
+ # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
+ # Not Valid Before: Wed May 20 08:38:15 2009
+ # Not Valid After : Tue Dec 31 08:38:15 2030
+ # Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
+@@ -13098,16 +12681,17 @@
+ \150\103\110\262\333\353\163\044\347\221\177\124\244\266\200\076
+ \235\243\074\114\162\302\127\304\240\324\314\070\047\316\325\006
+ \236\242\110\331\351\237\316\202\160\066\223\232\073\337\226\041
+ \343\131\267\014\332\221\067\360\375\131\132\263\231\310\151\154
+ \103\046\001\065\143\140\125\211\003\072\165\330\272\112\331\124
+ \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154
+ \333\374\046\210\307
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Izenpe.com"
+ # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
+ # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
+ # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
+ # Not Valid Before: Thu Dec 13 13:08:28 2007
+ # Not Valid After : Sun Dec 13 08:27:25 2037
+ # Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
+@@ -13302,16 +12886,17 @@
+ \176\030\230\265\105\073\366\171\264\350\367\032\173\006\203\373
+ \320\213\332\273\307\275\030\253\010\157\074\200\153\100\077\031
+ \031\272\145\212\346\276\325\134\323\066\327\357\100\122\044\140
+ \070\147\004\061\354\217\363\202\306\336\271\125\363\073\061\221
+ \132\334\265\010\025\255\166\045\012\015\173\056\207\342\014\246
+ \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331
+ \167\110\320
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Chambers of Commerce Root - 2008"
+ # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+ # Serial Number:00:a3:da:42:7e:a4:b1:ae:da
+ # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+ # Not Valid Before: Fri Aug 01 12:29:50 2008
+ # Not Valid After : Sat Jul 31 12:29:50 2038
+ # Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
+@@ -13510,16 +13095,17 @@
+ \223\256\231\240\357\045\152\163\230\211\133\072\056\023\210\036
+ \277\300\222\224\064\033\343\047\267\213\036\157\102\377\347\351
+ \067\233\120\035\055\242\371\002\356\313\130\130\072\161\274\150
+ \343\252\301\257\034\050\037\242\334\043\145\077\201\352\256\231
+ \323\330\060\317\023\015\117\025\311\204\274\247\110\055\370\060
+ \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364
+ \351\233\256\325\124\300\164\200\321\013\102\237\301
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Global Chambersign Root - 2008"
+ # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+ # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
+ # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
+ # Not Valid Before: Fri Aug 01 12:31:40 2008
+ # Not Valid After : Sat Jul 31 12:31:40 2038
+ # Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
+@@ -15376,16 +14962,17 @@
+ \330\144\363\054\176\024\374\002\352\237\315\377\007\150\027\333
+ \042\220\070\055\172\215\321\124\361\151\343\137\063\312\172\075
+ \173\012\343\312\177\137\071\345\342\165\272\305\166\030\063\316
+ \054\360\057\114\255\367\261\347\316\117\250\304\233\112\124\006
+ \305\177\175\325\010\017\342\034\376\176\027\270\254\136\366\324
+ \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210
+ \342\342\104\276\134\367\352\034\365
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Go Daddy Root Certificate Authority - G2"
+ # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
+ # Not Valid Before: Tue Sep 01 00:00:00 2009
+ # Not Valid After : Thu Dec 31 23:59:59 2037
+ # Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
+@@ -15525,16 +15112,17 @@
+ \037\305\354\372\234\176\317\176\261\361\007\055\266\374\277\312
+ \244\277\320\227\005\112\274\352\030\050\002\220\275\124\170\011
+ \041\161\323\321\175\035\331\026\260\251\141\075\320\012\000\042
+ \374\307\173\313\011\144\105\013\073\100\201\367\175\174\062\365
+ \230\312\130\216\175\052\356\220\131\163\144\371\066\164\136\045
+ \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151
+ \364
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Starfield Root Certificate Authority - G2"
+ # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+ # Not Valid Before: Tue Sep 01 00:00:00 2009
+ # Not Valid After : Thu Dec 31 23:59:59 2037
+ # Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
+@@ -15676,16 +15264,17 @@
+ \210\100\317\175\106\035\377\036\307\341\316\377\043\333\306\372
+ \215\125\116\251\002\347\107\021\106\076\364\375\275\173\051\046
+ \273\251\141\142\067\050\266\055\052\366\020\206\144\311\160\247
+ \322\255\267\051\160\171\352\074\332\143\045\237\375\150\267\060
+ \354\160\373\165\212\267\155\140\147\262\036\310\271\351\330\250
+ \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215
+ \261\050\272
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Starfield Services Root Certificate Authority - G2"
+ # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
+ # Not Valid Before: Tue Sep 01 00:00:00 2009
+ # Not Valid After : Thu Dec 31 23:59:59 2037
+ # Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
+@@ -15806,16 +15395,17 @@
+ \265\063\252\262\157\323\012\242\120\343\366\073\350\056\104\302
+ \333\146\070\251\063\126\110\361\155\033\063\215\015\214\077\140
+ \067\235\323\312\155\176\064\176\015\237\162\166\213\033\237\162
+ \375\122\065\101\105\002\226\057\034\262\232\163\111\041\261\111
+ \107\105\107\264\357\152\064\021\311\115\232\314\131\267\326\002
+ \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236
+ \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AffirmTrust Commercial"
+ # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
+ # Serial Number:77:77:06:27:26:a9:b1:7c
+ # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
+ # Not Valid Before: Fri Jan 29 14:06:06 2010
+ # Not Valid After : Tue Dec 31 14:06:06 2030
+ # Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
+@@ -15931,16 +15521,17 @@
+ \115\207\165\155\267\130\226\132\335\155\322\000\240\364\233\110
+ \276\303\067\244\272\066\340\174\207\205\227\032\025\242\336\056
+ \242\133\275\257\030\371\220\120\315\160\131\370\047\147\107\313
+ \307\240\007\072\175\321\054\135\154\031\072\146\265\175\375\221
+ \157\202\261\276\010\223\333\024\107\361\242\067\307\105\236\074
+ \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064
+ \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AffirmTrust Networking"
+ # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
+ # Serial Number:7c:4f:04:39:1c:d4:99:2d
+ # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
+ # Not Valid Before: Fri Jan 29 14:08:24 2010
+ # Not Valid After : Tue Dec 31 14:08:24 2030
+ # Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
+@@ -16088,16 +15679,17 @@
+ \030\246\265\250\136\264\203\154\153\151\100\323\237\334\361\303
+ \151\153\271\341\155\011\364\361\252\120\166\012\172\175\172\027
+ \241\125\226\102\231\061\011\335\140\021\215\005\060\176\346\216
+ \106\321\235\024\332\307\027\344\005\226\214\304\044\265\033\317
+ \024\007\262\100\370\243\236\101\206\274\004\320\153\226\310\052
+ \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236
+ \051\340\266\270\011\150\031\034\030\103
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AffirmTrust Premium"
+ # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
+ # Serial Number:6d:8c:14:46:b1:a6:0a:ee
+ # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
+ # Not Valid Before: Fri Jan 29 14:10:36 2010
+ # Not Valid After : Mon Dec 31 14:10:36 2040
+ # Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
+@@ -16193,16 +15785,17 @@
+ \027\011\363\207\210\120\132\257\310\300\102\277\107\137\365\154
+ \152\206\340\304\047\164\344\070\123\327\005\177\033\064\343\306
+ \057\263\312\011\074\067\235\327\347\270\106\361\375\241\342\161
+ \002\060\102\131\207\103\324\121\337\272\323\011\062\132\316\210
+ \176\127\075\234\137\102\153\365\007\055\265\360\202\223\371\131
+ \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002
+ \214\171
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "AffirmTrust Premium ECC"
+ # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
+ # Serial Number:74:97:25:8a:c7:3f:7a:54
+ # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
+ # Not Valid Before: Fri Jan 29 14:20:24 2010
+ # Not Valid After : Mon Dec 31 14:20:24 2040
+ # Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
+@@ -16331,16 +15924,17 @@
+ \227\306\166\350\047\226\243\146\335\341\256\362\101\133\312\230
+ \126\203\163\160\344\206\032\322\061\101\272\057\276\055\023\132
+ \166\157\116\350\116\201\016\077\133\003\042\240\022\276\146\130
+ \021\112\313\003\304\264\052\052\055\226\027\340\071\124\274\110
+ \323\166\047\235\232\055\006\246\311\354\071\322\253\333\237\232
+ \013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106
+ \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Certum Trusted Network CA"
+ # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+ # Serial Number: 279744 (0x444c0)
+ # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+ # Not Valid Before: Wed Oct 22 12:07:37 2008
+ # Not Valid After : Mon Dec 31 12:07:37 2029
+ # Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
+@@ -16500,16 +16094,17 @@
+ \032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133
+ \166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333
+ \240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027
+ \366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164
+ \004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126
+ \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143
+ \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Certinomis - Autorité Racine"
+ # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
+ # Serial Number: 1 (0x1)
+ # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
+ # Not Valid Before: Wed Sep 17 08:28:59 2008
+ # Not Valid After : Sun Sep 17 08:28:59 2028
+ # Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
+@@ -16634,16 +16229,17 @@
+ \172\162\132\203\263\171\157\357\264\374\320\012\245\130\117\106
+ \337\373\155\171\131\362\204\042\122\256\017\314\373\174\073\347
+ \152\312\107\141\303\172\370\323\222\004\037\270\040\204\341\066
+ \124\026\307\100\336\073\212\163\334\337\306\011\114\337\354\332
+ \377\324\123\102\241\311\362\142\035\042\203\074\227\305\371\031
+ \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316
+ \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "TWCA Root Certification Authority"
+ # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
+ # Serial Number: 1 (0x1)
+ # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
+ # Not Valid Before: Thu Aug 28 07:24:33 2008
+ # Not Valid After : Tue Dec 31 15:59:59 2030
+ # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
+@@ -18024,16 +17620,17 @@
+ \273\233\051\126\074\376\000\067\317\043\154\361\116\252\266\164
+ \106\022\154\221\356\064\325\354\232\221\347\104\276\220\061\162
+ \325\111\002\366\002\345\364\037\353\174\331\226\125\251\377\354
+ \212\371\231\107\377\065\132\002\252\004\313\212\133\207\161\051
+ \221\275\244\264\172\015\275\232\365\127\043\000\007\041\027\077
+ \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136
+ \201\050\174\247\175\047\353\000\256\215\067
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Security Communication RootCA2"
+ # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+ # Serial Number: 0 (0x0)
+ # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
+ # Not Valid Before: Fri May 29 05:00:39 2009
+ # Not Valid After : Tue May 29 05:00:39 2029
+ # Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
+@@ -18206,16 +17803,17 @@
+ \234\211\333\151\070\276\354\134\016\126\307\145\121\345\120\210
+ \210\277\102\325\053\075\345\371\272\236\056\263\312\364\163\222
+ \002\013\276\114\146\353\040\376\271\313\265\231\177\346\266\023
+ \372\312\113\115\331\356\123\106\006\073\306\116\255\223\132\201
+ \176\154\052\113\152\005\105\214\362\041\244\061\220\207\154\145
+ \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133
+ \371\210\075\176\270\157\156\003\344\102
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "EC-ACC"
+ # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
+ # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
+ # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
+ # Not Valid Before: Tue Jan 07 23:00:00 2003
+ # Not Valid After : Tue Jan 07 22:59:59 2031
+ # Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
+@@ -18368,16 +17966,17 @@
+ \372\363\003\022\226\170\006\215\261\147\355\216\077\276\237\117
+ \002\365\263\011\057\363\114\207\337\052\313\225\174\001\314\254
+ \066\172\277\242\163\172\367\217\301\265\232\241\024\262\217\063
+ \237\015\357\042\334\146\173\204\275\105\027\006\075\074\312\271
+ \167\064\217\312\352\317\077\061\076\343\210\343\200\111\045\310
+ \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071
+ \113\321\047\327\270
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011"
+ # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
+ # Not Valid Before: Tue Dec 06 13:49:52 2011
+ # Not Valid After : Mon Dec 01 13:49:52 2031
+ # Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
+@@ -18603,16 +18202,17 @@
+ \177\244\101\041\220\101\167\246\071\037\352\236\343\237\320\146
+ \157\005\354\252\166\176\277\153\026\240\353\265\307\374\222\124
+ \057\053\021\047\045\067\170\114\121\152\260\363\314\130\135\024
+ \361\152\110\025\377\302\007\266\261\215\017\216\134\120\106\263
+ \075\277\001\230\117\262\131\124\107\076\064\173\170\155\126\223
+ \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056
+ \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Actalis Authentication Root CA"
+ # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
+ # Serial Number:57:0a:11:97:42:c4:e3:cc
+ # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
+ # Not Valid Before: Thu Sep 22 11:22:02 2011
+ # Not Valid After : Sun Sep 22 11:22:02 2030
+ # Fingerprint (MD5): 69:C1:0D:4F:07:A3:1B:C3:FE:56:3D:04:BC:11:F6:A6
+@@ -18733,16 +18333,17 @@
+ \177\124\365\243\340\217\360\174\125\042\217\051\266\201\243\341
+ \155\116\054\033\200\147\354\255\040\237\014\142\141\325\227\377
+ \103\355\055\301\332\135\051\052\205\077\254\145\356\206\017\005
+ \215\220\137\337\356\237\364\277\356\035\373\230\344\177\220\053
+ \204\170\020\016\154\111\123\357\025\133\145\106\112\135\257\272
+ \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015
+ \145\353\127\331\363\127\226\273\110\315\201
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Trustis FPS Root CA"
+ # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
+ # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59
+ # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
+ # Not Valid Before: Tue Dec 23 12:14:06 2003
+ # Not Valid After : Sun Jan 21 11:36:54 2024
+ # Fingerprint (MD5): 30:C9:E7:1E:6B:E6:14:EB:65:B2:16:69:20:31:67:4D
+@@ -18933,16 +18534,17 @@
+ \046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340
+ \124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135
+ \016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331
+ \361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212
+ \362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217
+ \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346
+ \177\045\245\362\110\000\300\244\001\332\077
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "StartCom Certification Authority"
+ # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+ # Serial Number: 45 (0x2d)
+ # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
+ # Not Valid Before: Sun Sep 17 19:46:37 2006
+ # Not Valid After : Wed Sep 17 19:46:36 2036
+ # Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16
+@@ -19097,16 +18699,17 @@
+ \102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050
+ \205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355
+ \173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311
+ \062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153
+ \262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303
+ \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123
+ \127\055\366\320\341\327\110
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "StartCom Certification Authority G2"
+ # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
+ # Serial Number: 59 (0x3b)
+ # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
+ # Not Valid Before: Fri Jan 01 01:00:01 2010
+ # Not Valid After : Sat Dec 31 23:59:01 2039
+ # Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64
+@@ -19256,16 +18859,17 @@
+ \112\220\136\303\372\047\004\261\171\025\164\231\314\276\255\040
+ \336\046\140\034\353\126\121\246\243\352\344\243\077\247\377\141
+ \334\361\132\115\154\062\043\103\356\254\250\356\356\112\022\011
+ \074\135\161\302\276\171\372\302\207\150\035\013\375\134\151\314
+ \006\320\232\175\124\231\052\311\071\032\031\257\113\052\103\363
+ \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277
+ \327\201\011\361\311\307\046\015\254\230\026\126\240
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Buypass Class 2 Root CA"
+ # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
+ # Serial Number: 2 (0x2)
+ # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
+ # Not Valid Before: Tue Oct 26 08:38:03 2010
+ # Not Valid After : Fri Oct 26 08:38:03 2040
+ # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29
+@@ -19414,16 +19018,17 @@
+ \105\310\114\161\331\274\311\231\122\127\106\057\120\317\275\065
+ \151\364\075\025\316\006\245\054\017\076\366\201\272\224\273\303
+ \273\277\145\170\322\206\171\377\111\073\032\203\014\360\336\170
+ \354\310\362\115\114\032\336\202\051\370\301\132\332\355\356\346
+ \047\136\350\105\320\235\034\121\250\150\253\104\343\320\213\152
+ \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351
+ \061\356\006\274\163\277\023\142\012\237\307\271\227
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Buypass Class 3 Root CA"
+ # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
+ # Serial Number: 2 (0x2)
+ # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
+ # Not Valid Before: Tue Oct 26 08:28:58 2010
+ # Not Valid After : Fri Oct 26 08:28:58 2040
+ # Fingerprint (MD5): 3D:3B:18:9E:2C:64:5A:E8:D5:88:CE:0E:F9:37:C2:EC
+@@ -19555,16 +19160,17 @@
+ \367\124\076\201\075\332\111\152\232\263\357\020\075\346\353\157
+ \321\310\042\107\313\314\317\001\061\222\331\030\343\042\276\011
+ \036\032\076\132\262\344\153\014\124\172\175\103\116\270\211\245
+ \173\327\242\075\226\206\314\362\046\064\055\152\222\235\232\032
+ \320\060\342\135\116\004\260\137\213\040\176\167\301\075\225\202
+ \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051
+ \116\223\303\244\124\024\133
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "T-TeleSec GlobalRoot Class 3"
+ # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+ # Serial Number: 1 (0x1)
+ # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+ # Not Valid Before: Wed Oct 01 10:29:56 2008
+ # Not Valid After : Sat Oct 01 23:59:59 2033
+ # Fingerprint (MD5): CA:FB:40:A8:4E:39:92:8A:1D:FE:8E:2F:C4:27:EA:EF
+@@ -19703,16 +19309,17 @@
+ \346\164\163\224\135\026\230\023\225\376\373\333\261\104\345\072
+ \160\254\067\153\346\263\063\162\050\311\263\127\240\366\002\026
+ \210\006\013\266\246\113\040\050\324\336\075\213\255\067\005\123
+ \164\376\156\314\274\103\027\161\136\371\305\314\032\251\141\356
+ \367\166\014\363\162\364\162\255\317\162\002\066\007\107\317\357
+ \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220
+ \307\314\165\301\226\305\235
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "EE Certification Centre Root CA"
+ # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
+ # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a
+ # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
+ # Not Valid Before: Sat Oct 30 10:10:30 2010
+ # Not Valid After : Tue Dec 17 23:59:59 2030
+ # Fingerprint (MD5): 43:5E:88:D4:7D:1A:4A:7E:FD:84:2E:52:EB:01:D4:6F
+@@ -19932,16 +19539,17 @@
+ \005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
+ \135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
+ \242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
+ \354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
+ \253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
+ \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
+ \175
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "TURKTRUST Certificate Services Provider Root 2007"
+ # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+ # Serial Number: 1 (0x1)
+ # Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
+ # Not Valid Before: Tue Dec 25 18:37:19 2007
+ # Not Valid After : Fri Dec 22 18:37:19 2017
+ # Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
+@@ -20080,16 +19688,17 @@
+ \310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133
+ \163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274
+ \074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227
+ \212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366
+ \121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330
+ \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136
+ \164\145\327\134\376\243\342
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "D-TRUST Root Class 3 CA 2 2009"
+ # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+ # Serial Number: 623603 (0x983f3)
+ # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
+ # Not Valid Before: Thu Nov 05 08:35:58 2009
+ # Not Valid After : Mon Nov 05 08:35:58 2029
+ # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
+@@ -20223,16 +19832,17 @@
+ \173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332
+ \306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046
+ \347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063
+ \352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227
+ \051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327
+ \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041
+ \352\237\026\361\054\124\265
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "D-TRUST Root Class 3 CA 2 EV 2009"
+ # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
+ # Serial Number: 623604 (0x983f4)
+ # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
+ # Not Valid Before: Thu Nov 05 08:50:46 2009
+ # Not Valid After : Mon Nov 05 08:50:46 2029
+ # Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6
+@@ -20472,16 +20082,17 @@
+ \071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
+ \242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
+ \154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
+ \261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
+ \142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
+ \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
+ \376\206\364\274\340\032\161\263\142\246
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "PSCProcert"
+ # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
+ # Serial Number: 11 (0xb)
+ # Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
+ # Not Valid Before: Tue Dec 28 16:51:00 2010
+ # Not Valid After : Fri Dec 25 23:59:59 2020
+ # Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
+@@ -20630,16 +20241,17 @@
+ \146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
+ \135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
+ \172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
+ \316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
+ \256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
+ \126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
+ \303\055\375\024\052\220\231\271\007\314\237
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "China Internet Network Information Center EV Certificates Root"
+ # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
+ # Serial Number: 1218379777 (0x489f0001)
+ # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
+ # Not Valid Before: Tue Aug 31 07:11:25 2010
+ # Not Valid After : Sat Aug 31 07:11:25 2030
+ # Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
+@@ -20805,16 +20417,17 @@
+ \361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114
+ \130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164
+ \302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166
+ \364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335
+ \312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224
+ \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071
+ \301\053\022\236\246\236\033\305\346\016\331\061\331
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Swisscom Root CA 2"
+ # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+ # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
+ # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+ # Not Valid Before: Fri Jun 24 08:38:14 2011
+ # Not Valid After : Wed Jun 25 07:38:14 2031
+ # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
+@@ -20980,16 +20593,17 @@
+ \234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
+ \042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
+ \174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
+ \361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
+ \344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
+ \043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
+ \046\277\242\367
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Swisscom Root EV CA 2"
+ # Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+ # Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
+ # Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
+ # Not Valid Before: Fri Jun 24 09:45:08 2011
+ # Not Valid After : Wed Jun 25 08:45:08 2031
+ # Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
+@@ -21144,16 +20758,17 @@
+ \001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
+ \153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
+ \243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
+ \200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
+ \103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
+ \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
+ \360\343\355\144\236\075\057\226\122\117\200\123\213
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "CA Disig Root R1"
+ # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
+ # Serial Number:00:c3:03:9a:ee:50:90:6e:28
+ # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
+ # Not Valid Before: Thu Jul 19 09:06:56 2012
+ # Not Valid After : Sat Jul 19 09:06:56 2042
+ # Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
+@@ -21306,16 +20921,17 @@
+ \233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254
+ \314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123
+ \022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302
+ \075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061
+ \057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146
+ \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375
+ \363\154\033\165\106\243\345\112\027\351\244\327\013
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "CA Disig Root R2"
+ # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
+ # Serial Number:00:92:b8:88:db:b0:8a:c1:63
+ # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
+ # Not Valid Before: Thu Jul 19 09:15:30 2012
+ # Not Valid After : Sat Jul 19 09:15:30 2042
+ # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
+@@ -21505,16 +21121,17 @@
+ \346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
+ \167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
+ \040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
+ \013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
+ \244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
+ \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
+ \125\064\106\052\213\206\073
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "ACCVRAIZ1"
+ # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
+ # Serial Number:5e:c3:b7:a6:43:7f:a4:e0
+ # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
+ # Not Valid Before: Thu May 05 09:37:37 2011
+ # Not Valid After : Tue Dec 31 09:37:37 2030
+ # Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
+@@ -21664,16 +21281,17 @@
+ \301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
+ \225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
+ \272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
+ \150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
+ \246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
+ \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
+ \053\006\320\004\315
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "TWCA Global Root CA"
+ # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
+ # Serial Number: 3262 (0xcbe)
+ # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
+ # Not Valid Before: Wed Jun 27 06:28:33 2012
+ # Not Valid After : Tue Dec 31 15:59:59 2030
+ # Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
+@@ -21820,16 +21438,17 @@
+ \255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047
+ \034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206
+ \130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077
+ \306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161
+ \110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131
+ \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
+ \245\240\314\277\323\366\165\244\165\226\155\126
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "TeliaSonera Root CA v1"
+ # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
+ # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
+ # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
+ # Not Valid Before: Thu Oct 18 12:00:50 2007
+ # Not Valid After : Mon Oct 18 12:00:50 2032
+ # Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
+@@ -22007,16 +21626,17 @@
+ \237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013
+ \264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103
+ \313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373
+ \176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147
+ \015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035
+ \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
+ \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "E-Tugra Certification Authority"
+ # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+ # Serial Number:6a:68:3e:9c:51:9b:cb:53
+ # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
+ # Not Valid Before: Tue Mar 05 12:09:48 2013
+ # Not Valid After : Fri Mar 03 12:09:48 2023
+ # Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
+@@ -22155,16 +21775,17 @@
+ \203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311
+ \057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030
+ \014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015
+ \366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263
+ \251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333
+ \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
+ \005\047\216\023\241\156\302
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "T-TeleSec GlobalRoot Class 2"
+ # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+ # Serial Number: 1 (0x1)
+ # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
+ # Not Valid Before: Wed Oct 01 10:40:14 2008
+ # Not Valid After : Sat Oct 01 23:59:59 2033
+ # Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
+@@ -22285,16 +21906,17 @@
+ \265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132
+ \247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203
+ \226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151
+ \236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344
+ \132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357
+ \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
+ \035\362\376\011\021\260\360\207\173\247\235
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Atos TrustedRoot 2011"
+ # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+ # Serial Number:5c:33:cb:62:2c:5f:b3:32
+ # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
+ # Not Valid Before: Thu Jul 07 14:58:30 2011
+ # Not Valid After : Tue Dec 31 23:59:59 2030
+ # Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
+@@ -22444,16 +22066,17 @@
+ \353\134\237\336\263\257\147\003\263\037\335\155\135\151\150\151
+ \253\136\072\354\174\151\274\307\073\205\116\236\025\271\264\025
+ \117\303\225\172\130\327\311\154\351\154\271\363\051\143\136\264
+ \054\360\055\075\355\132\145\340\251\133\100\302\110\231\201\155
+ \236\037\006\052\074\022\264\213\017\233\242\044\360\246\215\326
+ \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207
+ \063\140\345\303
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "QuoVadis Root CA 1 G3"
+ # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
+ # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
+ # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
+ # Not Valid Before: Thu Jan 12 17:27:44 2012
+ # Not Valid After : Sun Jan 12 17:27:44 2042
+ # Fingerprint (SHA-256): 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74
+@@ -22605,16 +22228,17 @@
+ \374\267\003\111\002\133\310\045\346\342\124\070\365\171\207\214
+ \035\123\262\116\205\173\006\070\307\054\370\370\260\162\215\045
+ \345\167\122\364\003\034\110\246\120\137\210\040\060\156\362\202
+ \103\253\075\227\204\347\123\373\041\301\117\017\042\232\206\270
+ \131\052\366\107\075\031\210\055\350\205\341\236\354\205\010\152
+ \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151
+ \203\336\177\214
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "QuoVadis Root CA 2 G3"
+ # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
+ # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
+ # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
+ # Not Valid Before: Thu Jan 12 18:59:32 2012
+ # Not Valid After : Sun Jan 12 18:59:32 2042
+ # Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40
+@@ -22766,16 +22390,17 @@
+ \046\350\354\266\013\055\247\205\065\315\375\131\310\237\321\315
+ \076\132\051\064\271\075\204\316\261\145\324\131\221\221\126\165
+ \041\301\167\236\371\172\341\140\235\323\255\004\030\364\174\353
+ \136\223\217\123\112\042\051\370\110\053\076\115\206\254\133\177
+ \313\006\231\131\140\330\130\145\225\215\104\321\367\177\176\047
+ \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375
+ \130\371\230\364
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "QuoVadis Root CA 3 G3"
+ # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
+ # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d
+ # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
+ # Not Valid Before: Thu Jan 12 20:26:32 2012
+ # Not Valid After : Sun Jan 12 20:26:32 2042
+ # Fingerprint (SHA-256): 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46
+@@ -22902,16 +22527,17 @@
+ \007\234\242\272\331\001\162\134\363\115\301\335\016\261\034\015
+ \304\143\276\255\364\024\373\211\354\242\101\016\114\314\310\127
+ \100\320\156\003\252\315\014\216\211\231\231\154\360\074\060\257
+ \070\337\157\274\243\276\051\040\047\253\164\377\023\042\170\336
+ \227\122\125\036\203\265\124\040\003\356\256\300\117\126\336\067
+ \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050
+ \042\023\163\154\317\046\365\212\051\347
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "DigiCert Assured ID Root G2"
+ # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
+ # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Thu Aug 01 12:00:00 2013
+ # Not Valid After : Fri Jan 15 12:00:00 2038
+ # Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85
+@@ -23019,16 +22645,17 @@
+ \003\003\147\000\060\144\002\060\045\244\201\105\002\153\022\113
+ \165\164\117\310\043\343\160\362\165\162\336\174\211\360\317\221
+ \162\141\236\136\020\222\131\126\271\203\307\020\347\070\351\130
+ \046\066\175\325\344\064\206\071\002\060\174\066\123\360\060\345
+ \142\143\072\231\342\266\243\073\233\064\372\036\332\020\222\161
+ \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057
+ \352\226\143\152\145\105\222\225\001\264
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "DigiCert Assured ID Root G3"
+ # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
+ # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Thu Aug 01 12:00:00 2013
+ # Not Valid After : Fri Jan 15 12:00:00 2038
+ # Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2
+@@ -23157,16 +22784,17 @@
+ \362\261\216\231\241\157\023\261\101\161\376\210\052\310\117\020
+ \040\125\327\363\024\105\345\340\104\364\352\207\225\062\223\016
+ \376\123\106\372\054\235\377\213\042\271\113\331\011\105\244\336
+ \244\270\232\130\335\033\175\122\237\216\131\103\210\201\244\236
+ \046\325\157\255\335\015\306\067\175\355\003\222\033\345\167\137
+ \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345
+ \062\266
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "DigiCert Global Root G2"
+ # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
+ # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Thu Aug 01 12:00:00 2013
+ # Not Valid After : Fri Jan 15 12:00:00 2038
+ # Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
+@@ -23274,16 +22902,17 @@
+ \000\255\274\362\154\077\022\112\321\055\071\303\012\011\227\163
+ \364\210\066\214\210\047\273\346\210\215\120\205\247\143\371\236
+ \062\336\146\223\017\361\314\261\011\217\335\154\253\372\153\177
+ \240\002\060\071\146\133\302\144\215\270\236\120\334\250\325\111
+ \242\355\307\334\321\111\177\027\001\270\310\206\217\116\214\210
+ \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174
+ \263\047\027
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "DigiCert Global Root G3"
+ # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
+ # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Thu Aug 01 12:00:00 2013
+ # Not Valid After : Fri Jan 15 12:00:00 2038
+ # Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0
+@@ -23444,16 +23073,17 @@
+ \102\154\311\012\274\356\103\372\072\161\245\310\115\046\245\065
+ \375\211\135\274\205\142\035\062\322\240\053\124\355\232\127\301
+ \333\372\020\317\031\267\213\112\033\217\001\266\047\225\123\350
+ \266\211\155\133\274\150\324\043\350\213\121\242\126\371\360\246
+ \200\240\326\036\263\274\017\017\123\165\051\252\352\023\167\344
+ \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274
+ \317\363\146\176
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "DigiCert Trusted Root G4"
+ # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
+ # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
+ # Not Valid Before: Thu Aug 01 12:00:00 2013
+ # Not Valid After : Fri Jan 15 12:00:00 2038
+ # Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88
+@@ -23610,16 +23240,17 @@
+ \047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221
+ \103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244
+ \063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045
+ \072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110
+ \246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246
+ \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223
+ \171\356\104\206\276\327\036\344\036\373
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "WoSign"
+ # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
+ # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
+ # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
+ # Not Valid Before: Sat Aug 08 01:00:01 2009
+ # Not Valid After : Mon Aug 08 01:00:01 2039
+ # Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
+@@ -23771,16 +23402,17 @@
+ \324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215
+ \034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336
+ \211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117
+ \302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010
+ \364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165
+ \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327
+ \234\313\051\213\070\112\013\016\220\215\272\241
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "WoSign China"
+ # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
+ # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
+ # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
+ # Not Valid Before: Sat Aug 08 01:00:01 2009
+ # Not Valid After : Mon Aug 08 01:00:01 2039
+ # Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
+@@ -23947,16 +23579,17 @@
+ \100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336
+ \274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116
+ \166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245
+ \320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174
+ \372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354
+ \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
+ \065\123\205\006\112\135\237\255\273\033\137\164
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "COMODO RSA Certification Authority"
+ # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
+ # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+ # Not Valid Before: Tue Jan 19 00:00:00 2010
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
+@@ -24128,16 +23761,17 @@
+ \245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301
+ \260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201
+ \057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217
+ \173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135
+ \231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306
+ \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
+ \250\375
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "USERTrust RSA Certification Authority"
+ # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+ # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
+ # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+ # Not Valid Before: Mon Feb 01 00:00:00 2010
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
+@@ -24256,16 +23890,17 @@
+ \066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001
+ \317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035
+ \372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115
+ \002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326
+ \104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304
+ \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
+ \127\152\030
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "USERTrust ECC Certification Authority"
+ # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+ # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
+ # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+ # Not Valid Before: Mon Feb 01 00:00:00 2010
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
+@@ -24367,16 +24002,17 @@
+ \270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060
+ \012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105
+ \002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227
+ \220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274
+ \242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107
+ \322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354
+ \173\013\370\237\204
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "GlobalSign ECC Root CA - R4"
+ # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+ # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
+ # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+ # Not Valid Before: Tue Nov 13 00:00:00 2012
+ # Not Valid After : Tue Jan 19 03:14:07 2038
+ # Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
+@@ -24479,16 +24115,17 @@
+ \345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375
+ \232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240
+ \347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142
+ \002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222
+ \073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316
+ \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146
+ \220\067
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "GlobalSign ECC Root CA - R5"
+ # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+ # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
+ # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+ # Not Valid Before: Tue Nov 13 00:00:00 2012
+ # Not Valid After : Tue Jan 19 03:14:07 2038
+ # Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
+@@ -24653,16 +24290,17 @@
+ \107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
+ \264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
+ \366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
+ \134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
+ \354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
+ \013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
+ \145\110\041\012\057\327\334\176\240\314\145\176\171
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+ # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
+ # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Thu Mar 26 00:00:00 2009
+ # Not Valid After : Sun Mar 24 23:59:59 2019
+ # Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+@@ -24824,16 +24462,17 @@
+ \325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
+ \157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
+ \321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
+ \100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
+ \307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
+ \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
+ \367\200\173\041\147\047\060\131
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Staat der Nederlanden Root CA - G3"
+ # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
+ # Serial Number: 10003001 (0x98a239)
+ # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
+ # Not Valid Before: Thu Nov 14 11:28:42 2013
+ # Not Valid After : Mon Nov 13 23:00:00 2028
+ # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
+@@ -24987,16 +24626,17 @@
+ \170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
+ \040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
+ \136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
+ \025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
+ \342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
+ \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
+ \356\354\327\056
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Staat der Nederlanden EV Root CA"
+ # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
+ # Serial Number: 10000013 (0x98968d)
+ # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
+ # Not Valid Before: Wed Dec 08 11:19:29 2010
+ # Not Valid After : Thu Dec 08 11:10:28 2022
+ # Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
+@@ -25148,16 +24788,17 @@
+ \312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
+ \231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
+ \153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
+ \237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
+ \357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
+ \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
+ \272\204\156\207
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "IdenTrust Commercial Root CA 1"
+ # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
+ # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
+ # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
+ # Not Valid Before: Thu Jan 16 18:12:23 2014
+ # Not Valid After : Mon Jan 16 18:12:23 2034
+ # Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
+@@ -25309,16 +24950,17 @@
+ \150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100
+ \031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144
+ \164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220
+ \216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357
+ \361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162
+ \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245
+ \267\254\266\255\267\312\076\001\357\234
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "IdenTrust Public Sector Root CA 1"
+ # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
+ # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
+ # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
+ # Not Valid Before: Thu Jan 16 17:53:32 2014
+ # Not Valid After : Mon Jan 16 17:53:32 2034
+ # Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
+@@ -25453,16 +25095,17 @@
+ \217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
+ \043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
+ \367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
+ \032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
+ \054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
+ \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
+ \073\303\035\374\377\262\117\250\342\366\060\036
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "S-TRUST Universal Root CA"
+ # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
+ # Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
+ # Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
+ # Not Valid Before: Tue Oct 22 00:00:00 2013
+ # Not Valid After : Thu Oct 21 23:59:59 2038
+ # Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
+@@ -25615,16 +25258,17 @@
+ \274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021
+ \234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207
+ \103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130
+ \010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207
+ \124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005
+ \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213
+ \105\366
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Entrust Root Certification Authority - G2"
+ # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
+ # Serial Number: 1246989352 (0x4a538c28)
+ # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
+ # Not Valid Before: Tue Jul 07 17:25:54 2009
+ # Not Valid After : Sat Dec 07 17:55:54 2030
+ # Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
+@@ -25759,16 +25403,17 @@
+ \075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102
+ \107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321
+ \003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365
+ \373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327
+ \205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247
+ \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270
+ \231\267\046\101\133\045\140\256\320\110\032\356\006
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Entrust Root Certification Authority - EC1"
+ # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
+ # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
+ # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
+ # Not Valid Before: Tue Dec 18 15:25:36 2012
+ # Not Valid After : Fri Dec 18 15:55:36 2037
+ # Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
+@@ -25931,16 +25576,17 @@
+ \110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231
+ \000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325
+ \171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222
+ \313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331
+ \346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243
+ \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173
+ \056
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "CFCA EV ROOT"
+ # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
+ # Serial Number: 407555286 (0x184accd6)
+ # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
+ # Not Valid Before: Wed Aug 08 03:07:01 2012
+ # Not Valid After : Mon Dec 31 03:07:01 2029
+ # Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
+@@ -26228,16 +25874,17 @@
+ \245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364
+ \220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235
+ \162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205
+ \142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114
+ \267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346
+ \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226
+ \372\253\101\341\113\266\065\013\300\233\025
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+ # Serial Number:00:8e:17:fe:24:20:81
+ # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+ # Not Valid Before: Tue Apr 30 08:07:01 2013
+ # Not Valid After : Fri Apr 28 08:07:01 2023
+ # Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
+@@ -26272,176 +25919,16 @@
+ \002\007\000\216\027\376\044\040\201
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-#
+-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Serial Number:7d:a1:f2:65:ec:8a
+-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Not Valid Before: Wed Dec 18 09:04:10 2013
+-# Not Valid After : Sat Dec 16 09:04:10 2023
+-# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+-# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
+-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
+-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
+-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
+-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
+-\261\040\110\066
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
+-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
+-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
+-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
+-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
+-\261\040\110\066
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\006\175\241\362\145\354\212
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175
+-\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001
+-\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006
+-\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101
+-\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104
+-\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151
+-\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102
+-\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151
+-\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101
+-\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124
+-\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
+-\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
+-\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
+-\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062
+-\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061
+-\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006
+-\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004
+-\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125
+-\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102
+-\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040
+-\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166
+-\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145
+-\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004
+-\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154
+-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
+-\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141
+-\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042
+-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+-\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150
+-\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161
+-\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063
+-\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157
+-\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275
+-\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324
+-\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327
+-\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200
+-\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324
+-\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330
+-\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051
+-\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315
+-\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136
+-\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251
+-\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171
+-\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143
+-\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001
+-\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004
+-\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000
+-\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004
+-\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
+-\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015
+-\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252
+-\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122
+-\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024
+-\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002
+-\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066
+-\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356
+-\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062
+-\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226
+-\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024
+-\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003
+-\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050
+-\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342
+-\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246
+-\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203
+-\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130
+-\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006
+-\264\013\230\113\050\136\257\210\130\313
+-END
+-
+-# Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Serial Number:7d:a1:f2:65:ec:8a
+-# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
+-# Not Valid Before: Wed Dec 18 09:04:10 2013
+-# Not Valid After : Sat Dec 16 09:04:10 2023
+-# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+-# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260
+-\355\345\057\340
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
+-\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
+-\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
+-\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
+-\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
+-\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
+-\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
+-\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
+-\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
+-\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
+-\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
+-\261\040\110\066
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\006\175\241\362\145\354\212
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Certinomis - Root CA"
+ #
+ # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
+ # Serial Number: 1 (0x1)
+ # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
+ # Not Valid Before: Mon Oct 21 09:17:18 2013
+ # Not Valid After : Fri Oct 21 09:17:18 2033
+ # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
+@@ -26559,16 +26046,17 @@
+ \307\132\141\315\217\201\140\025\115\200\335\220\342\175\304\120
+ \362\214\073\156\112\307\306\346\200\053\074\201\274\021\200\026
+ \020\047\327\360\315\077\171\314\163\052\303\176\123\221\326\156
+ \370\365\363\307\320\121\115\216\113\245\133\346\031\027\073\326
+ \201\011\334\042\334\356\216\271\304\217\123\341\147\273\063\270
+ \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305
+ \153\206\102\006\271\101
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Certinomis - Root CA"
+ # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
+ # Serial Number: 1 (0x1)
+ # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
+ # Not Valid Before: Mon Oct 21 09:17:18 2013
+ # Not Valid After : Fri Oct 21 09:17:18 2033
+ # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
+@@ -26697,16 +26185,17 @@
+ \265\253\226\300\264\113\242\035\227\236\172\362\156\100\161\337
+ \150\361\145\115\316\174\005\337\123\145\251\245\360\261\227\004
+ \160\025\106\003\230\324\322\277\124\264\240\130\175\122\157\332
+ \126\046\142\324\330\333\211\061\157\034\360\042\302\323\142\034
+ \065\315\114\151\025\124\032\220\230\336\353\036\137\312\167\307
+ \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176
+ \065\255\201\307\116\161\272\210\023
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "OISTE WISeKey Global Root GB CA"
+ # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+ # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0
+ # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+ # Not Valid Before: Mon Dec 01 15:00:32 2014
+ # Not Valid After : Thu Dec 01 15:10:31 2039
+ # Fingerprint (SHA-256): 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6
+@@ -26831,16 +26320,17 @@
+ \171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310
+ \237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340
+ \054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060
+ \132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102
+ \111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273
+ \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340
+ \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Certification Authority of WoSign G2"
+ # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
+ # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
+ # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
+ # Not Valid Before: Sat Nov 08 00:58:58 2014
+ # Not Valid After : Tue Nov 08 00:58:58 2044
+ # Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
+@@ -26939,16 +26429,17 @@
+ \004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201
+ \325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153
+ \371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312
+ \205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367
+ \151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073
+ \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046
+ \056\153\361\221\262\220\145\364\232\346\220\356\112
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "CA WoSign ECC Root"
+ # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
+ # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
+ # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
+ # Not Valid Before: Sat Nov 08 00:58:58 2014
+ # Not Valid After : Tue Nov 08 00:58:58 2044
+ # Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
+@@ -27071,16 +26562,17 @@
+ \322\324\141\372\325\025\333\327\237\207\121\124\353\245\343\353
+ \311\205\240\045\040\067\373\216\316\014\064\204\341\074\201\262
+ \167\116\103\245\210\137\206\147\241\075\346\264\134\141\266\076
+ \333\376\267\050\305\242\007\256\265\312\312\215\052\022\357\227
+ \355\302\060\244\311\052\172\373\363\115\043\033\231\063\064\240
+ \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212
+ \326\040\036\343\163\267
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "SZAFIR ROOT CA2"
+ # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
+ # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
+ # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
+ # Not Valid Before: Mon Oct 19 07:43:30 2015
+ # Not Valid After : Fri Oct 19 07:43:30 2035
+ # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
+@@ -27248,16 +26740,17 @@
+ \134\002\312\054\330\157\112\007\331\311\065\332\100\165\362\304
+ \247\031\157\236\102\020\230\165\346\225\213\140\274\355\305\022
+ \327\212\316\325\230\134\126\226\003\305\356\167\006\065\377\317
+ \344\356\077\023\141\356\333\332\055\205\360\315\256\235\262\030
+ \011\105\303\222\241\162\027\374\107\266\240\013\054\361\304\336
+ \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342
+ \016\265\271\276\044\217
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Certum Trusted Network CA 2"
+ # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+ # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9
+ # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
+ # Not Valid Before: Thu Oct 06 08:39:56 2011
+ # Not Valid After : Sat Oct 06 08:39:56 2046
+ # Fingerprint (SHA-256): B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04
+@@ -27434,16 +26927,17 @@
+ \245\314\073\330\167\067\060\242\117\331\157\321\362\100\255\101
+ \172\027\305\326\112\065\211\267\101\325\174\206\177\125\115\203
+ \112\245\163\040\300\072\257\220\361\232\044\216\331\216\161\312
+ \173\270\206\332\262\217\231\076\035\023\015\022\021\356\324\253
+ \360\351\025\166\002\344\340\337\252\040\036\133\141\205\144\100
+ \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264
+ \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Hellenic Academic and Research Institutions RootCA 2015"
+ # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
+ # Not Valid Before: Tue Jul 07 10:11:21 2015
+ # Not Valid After : Sat Jun 30 10:11:21 2040
+ # Fingerprint (SHA-256): A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
+@@ -27569,16 +27063,17 @@
+ \000\060\144\002\060\147\316\026\142\070\242\254\142\105\247\251
+ \225\044\300\032\047\234\062\073\300\300\325\272\251\347\370\004
+ \103\123\205\356\122\041\336\235\365\045\203\076\236\130\113\057
+ \327\147\023\016\041\002\060\005\341\165\001\336\150\355\052\037
+ \115\114\011\010\015\354\113\255\144\027\050\347\165\316\105\145
+ \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312
+ \342\174\352\002\130\042\221
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015"
+ # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
+ # Serial Number: 0 (0x0)
+ # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
+ # Not Valid Before: Tue Jul 07 10:37:12 2015
+ # Not Valid After : Sat Jun 30 10:37:12 2040
+ # Fingerprint (SHA-256): 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
+@@ -27733,16 +27228,17 @@
+ \040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271
+ \203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372
+ \141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166
+ \202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145
+ \373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213
+ \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300
+ \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Certplus Root CA G1"
+ # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
+ # Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
+ # Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
+ # Not Valid Before: Mon May 26 00:00:00 2014
+ # Not Valid After : Fri Jan 15 00:00:00 2038
+ # Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
+@@ -27838,16 +27334,17 @@
+ \110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260
+ \013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063
+ \230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041
+ \247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000
+ \206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150
+ \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245
+ \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Certplus Root CA G2"
+ # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
+ # Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
+ # Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
+ # Not Valid Before: Mon May 26 00:00:00 2014
+ # Not Valid After : Fri Jan 15 00:00:00 2038
+ # Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
+@@ -27999,16 +27496,17 @@
+ \076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340
+ \021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011
+ \212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111
+ \003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034
+ \262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336
+ \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043
+ \326\214\161
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "OpenTrust Root CA G1"
+ # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
+ # Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
+ # Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
+ # Not Valid Before: Mon May 26 08:45:50 2014
+ # Not Valid After : Fri Jan 15 00:00:00 2038
+ # Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
+@@ -28161,16 +27659,17 @@
+ \210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140
+ \237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225
+ \010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037
+ \130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030
+ \170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377
+ \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014
+ \113\122\012
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "OpenTrust Root CA G2"
+ # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
+ # Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
+ # Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
+ # Not Valid Before: Mon May 26 00:00:00 2014
+ # Not Valid After : Fri Jan 15 00:00:00 2038
+ # Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
+@@ -28270,16 +27769,17 @@
+ \061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051
+ \001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252
+ \217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217
+ \221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373
+ \132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161
+ \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352
+ \315\215\361\373\301
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "OpenTrust Root CA G3"
+ # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
+ # Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
+ # Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
+ # Not Valid Before: Mon May 26 00:00:00 2014
+ # Not Valid After : Fri Jan 15 00:00:00 2038
+ # Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
+@@ -28433,16 +27933,17 @@
+ \242\320\141\070\341\226\270\254\135\213\067\327\165\325\063\300
+ \231\021\256\235\101\301\162\165\204\276\002\101\102\137\147\044
+ \110\224\321\233\047\276\007\077\271\270\117\201\164\121\341\172
+ \267\355\235\043\342\276\340\325\050\004\023\074\061\003\236\335
+ \172\154\217\306\007\030\306\177\336\107\216\077\050\236\004\006
+ \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137
+ \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "ISRG Root X1"
+ # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
+ # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
+ # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
+ # Not Valid Before: Thu Jun 04 11:04:38 2015
+ # Not Valid After : Mon Jun 04 11:04:38 2035
+ # Fingerprint (SHA-256): 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
+@@ -28595,16 +28096,17 @@
+ \152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125
+ \274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044
+ \106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360
+ \300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004
+ \370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057
+ \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121
+ \072\117\110\366\213\266\263
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "AC RAIZ FNMT-RCM"
+ # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
+ # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07
+ # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
+ # Not Valid Before: Wed Oct 29 15:59:56 2008
+ # Not Valid After : Tue Jan 01 00:00:00 2030
+ # Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
+@@ -28719,16 +28221,17 @@
+ \331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127
+ \131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324
+ \344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136
+ \010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223
+ \103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162
+ \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353
+ \304\220\276\361\271
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Amazon Root CA 1"
+ # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US
+ # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
+ # Subject: CN=Amazon Root CA 1,O=Amazon,C=US
+ # Not Valid Before: Tue May 26 00:00:00 2015
+ # Not Valid After : Sun Jan 17 00:00:00 2038
+ # Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
+@@ -28875,16 +28378,17 @@
+ \357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264
+ \352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357
+ \312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007
+ \366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045
+ \111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321
+ \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323
+ \340\373\011\140\154
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Amazon Root CA 2"
+ # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US
+ # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
+ # Subject: CN=Amazon Root CA 2,O=Amazon,C=US
+ # Not Valid Before: Tue May 26 00:00:00 2015
+ # Not Valid After : Sat May 26 00:00:00 2040
+ # Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
+@@ -28974,16 +28478,17 @@
+ \266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031
+ \261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003
+ \111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053
+ \006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170
+ \140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234
+ \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214
+ \143\044\110\034\337\060\175\325\150\073
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Amazon Root CA 3"
+ # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US
+ # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
+ # Subject: CN=Amazon Root CA 3,O=Amazon,C=US
+ # Not Valid Before: Tue May 26 00:00:00 2015
+ # Not Valid After : Sat May 26 00:00:00 2040
+ # Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
+@@ -29077,16 +28582,17 @@
+ \145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057
+ \326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160
+ \012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065
+ \115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221
+ \311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226
+ \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265
+ \012\166\324\245\274\020
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Amazon Root CA 4"
+ # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US
+ # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
+ # Subject: CN=Amazon Root CA 4,O=Amazon,C=US
+ # Not Valid Before: Tue May 26 00:00:00 2015
+ # Not Valid After : Sat May 26 00:00:00 2040
+ # Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
+@@ -29243,16 +28749,17 @@
+ \105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376
+ \307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377
+ \170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175
+ \110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072
+ \240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125
+ \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154
+ \045\307\043\200\203\012\353
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "LuxTrust Global Root 2"
+ # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
+ # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
+ # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
+ # Not Valid Before: Thu Mar 05 13:21:57 2015
+ # Not Valid After : Mon Mar 05 13:21:57 2035
+ # Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
+@@ -29391,16 +28898,17 @@
+ \347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126
+ \003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104
+ \267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100
+ \014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013
+ \310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043
+ \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364
+ \322\063\340\377\275\321\124\071\051\017
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Symantec Class 1 Public Primary Certification Authority - G6"
+ # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98
+ # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Not Valid Before: Tue Oct 18 00:00:00 2011
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
+@@ -29544,16 +29052,17 @@
+ \111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113
+ \026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231
+ \177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246
+ \050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035
+ \141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326
+ \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376
+ \157\374\132\344\202\125\131\257\061\251
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Symantec Class 2 Public Primary Certification Authority - G6"
+ # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41
+ # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Not Valid Before: Tue Oct 18 00:00:00 2011
+ # Not Valid After : Tue Dec 01 23:59:59 2037
+ # Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
+@@ -29676,16 +29185,17 @@
+ \003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230
+ \066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161
+ \136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271
+ \153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332
+ \151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154
+ \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150
+ \362\014\105\111\071\277\231\004\034\323\020\240
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Symantec Class 1 Public Primary Certification Authority - G4"
+ # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
+ # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Not Valid Before: Wed Oct 05 00:00:00 2011
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
+@@ -29808,16 +29318,17 @@
+ \003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265
+ \311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177
+ \220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172
+ \113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206
+ \316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216
+ \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377
+ \051\246\330\107\331\240\226\030\333\362\105\263
+ END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+ 
+ # Trust for "Symantec Class 2 Public Primary Certification Authority - G4"
+ # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
+ # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
+ # Not Valid Before: Wed Oct 05 00:00:00 2011
+ # Not Valid After : Mon Jan 18 23:59:59 2038
+ # Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
+@@ -29849,8 +29360,318 @@
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125
+ \246\036
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "D-TRUST Root CA 3 2013"
++#
++# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Serial Number: 1039788 (0xfddac)
++# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Not Valid Before: Fri Sep 20 08:25:51 2013
++# Not Valid After : Wed Sep 20 08:25:51 2028
++# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
++# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
++\040\063\040\062\060\061\063
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
++\040\063\040\062\060\061\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\017\335\254
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017
++\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005
++\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105
++\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165
++\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003
++\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103
++\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071
++\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062
++\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003
++\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012
++\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037
++\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124
++\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060
++\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
++\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
++\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337
++\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341
++\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046
++\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154
++\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340
++\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011
++\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274
++\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323
++\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352
++\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121
++\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075
++\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256
++\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077
++\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357
++\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174
++\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263
++\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006
++\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
++\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157
++\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006
++\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276
++\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240
++\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164
++\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057
++\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157
++\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061
++\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155
++\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143
++\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163
++\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057
++\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057
++\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164
++\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015
++\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001
++\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234
++\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237
++\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317
++\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175
++\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040
++\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065
++\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210
++\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157
++\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246
++\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303
++\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115
++\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223
++\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113
++\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147
++\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155
++\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111
++\137\134
++END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
++
++# Trust for "D-TRUST Root CA 3 2013"
++# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Serial Number: 1039788 (0xfddac)
++# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
++# Not Valid Before: Fri Sep 20 08:25:51 2013
++# Not Valid After : Wed Sep 20 08:25:51 2028
++# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
++# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170
++\337\157\357\227
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
++\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
++\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
++\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
++\040\063\040\062\060\061\063
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\017\335\254
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++#
++# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Serial Number: 1 (0x1)
++# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Not Valid Before: Mon Nov 25 08:25:55 2013
++# Not Valid After : Sun Oct 25 08:25:55 2043
++# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
++# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
++\162\165\155\040\061
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
++\162\165\155\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\001\001
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001
++\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
++\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061
++\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040
++\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125
++\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151
++\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152
++\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162
++\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060
++\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162
++\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145
++\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064
++\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113
++\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123
++\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162
++\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070
++\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062
++\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006
++\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107
++\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102
++\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145
++\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153
++\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155
++\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124
++\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155
++\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040
++\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123
++\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111
++\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040
++\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040
++\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006
++\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
++\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273
++\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377
++\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372
++\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253
++\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154
++\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320
++\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153
++\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000
++\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116
++\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227
++\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332
++\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311
++\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177
++\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054
++\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352
++\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037
++\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243
++\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077
++\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107
++\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002
++\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
++\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230
++\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175
++\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341
++\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260
++\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355
++\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337
++\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027
++\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235
++\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270
++\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226
++\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223
++\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334
++\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177
++\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255
++\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237
++\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302
++\237\042\136\242\017\241\343
++END
++CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
++
++# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Serial Number: 1 (0x1)
++# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
++# Not Valid Before: Mon Nov 25 08:25:55 2013
++# Not Valid After : Sun Oct 25 08:25:55 2043
++# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
++# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350
++\221\335\356\312
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
++\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
++\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
++\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
++\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
++\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
++\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
++\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
++\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
++\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
++\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
++\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
++\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
++\162\165\155\040\061
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\001\001
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
+--- a/lib/ckfw/builtins/nssckbi.h
++++ b/lib/ckfw/builtins/nssckbi.h
+@@ -17,41 +17,42 @@
+  */
+ #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+ #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+ 
+ /* These version numbers detail the changes
+  * to the list of trusted certificates.
+  *
+  * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+- * for each NSS minor release AND whenever we change the list of
+- * trusted certificates.  10 minor versions are allocated for each
+- * NSS 3.x branch as follows, allowing us to change the list of
+- * trusted certificates up to 9 times on each branch.
+- *   - NSS 3.5 branch:  3-9
+- *   - NSS 3.6 branch:  10-19
+- *   - NSS 3.7 branch:  20-29
+- *   - NSS 3.8 branch:  30-39
+- *   - NSS 3.9 branch:  40-49
+- *   - NSS 3.10 branch: 50-59
+- *   - NSS 3.11 branch: 60-69
+- *     ...
+- *   - NSS 3.12 branch: 70-89
+- *   - NSS 3.13 branch: 90-99
+- *   - NSS 3.14 branch: 100-109
+- *     ...
+- *   - NSS 3.29 branch: 250-255
++ * whenever we change the list of trusted certificates.
++ *
++ * Please use the following rules when increasing the version number:
++ *
++ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
++ *   must always be an EVEN number (e.g. 16, 18, 20 etc.)
++ *
++ * - whenever possible, if older branches require a modification to the
++ *   list, these changes should be made on the main line of development (trunk),
++ *   and the older branches should update to the most recent list.
++ * 
++ * - ODD minor version numbers are reserved to indicate a snapshot that has
++ *   deviated from the main line of development, e.g. if it was necessary
++ *   to modify the list on a stable branch.
++ *   Once the version has been changed to an odd number (e.g. 2.13) on a branch,
++ *   it should remain unchanged on that branch, even if further changes are
++ *   made on that branch.
+  *
+  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+  * whether we may use its full range (0-255) or only 0-99 because
+  * of the comment in the CK_VERSION type definition.
++ * It's recommend to switch back to 0 after having reached version 98/99.
+  */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.11"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
++#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
+ 
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+ #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+ 
+ /* These version numbers detail the semantic changes to ckbi itself
+  * (new PKCS #11 objects), etc. */
+ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+
+diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
+--- a/lib/certdb/genname.c
++++ b/lib/certdb/genname.c
+@@ -1583,19 +1583,19 @@ done:
+ 
+ #define NAME_CONSTRAINTS_ENTRY(CA)                   \
+     {                                                \
+         STRING_TO_SECITEM(CA##_SUBJECT_DN)           \
+         ,                                            \
+             STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \
+     }
+ 
+-/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
++/* clang-format off */
+ 
+-/* clang-format off */
++/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
+ 
+ #define ANSSI_SUBJECT_DN                                                       \
+     "\x30\x81\x85"                                                             \
+     "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR"       /* C */          \
+     "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France"   /* ST */         \
+     "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris"    /* L */          \
+     "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN"  /* O */          \
+     "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI"    /* OU */         \
+@@ -1614,20 +1614,49 @@ done:
+     "\x30\x05\x82\x03" ".pm"                                                   \
+     "\x30\x05\x82\x03" ".bl"                                                   \
+     "\x30\x05\x82\x03" ".mf"                                                   \
+     "\x30\x05\x82\x03" ".wf"                                                   \
+     "\x30\x05\x82\x03" ".pf"                                                   \
+     "\x30\x05\x82\x03" ".nc"                                                   \
+     "\x30\x05\x82\x03" ".tf"
+ 
++/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */
++
++#define TUBITAK1_SUBJECT_DN                                                    \
++    "\x30\x81\xd2"                                                             \
++    "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02"                             \
++    /* C */ "TR"                                                               \
++    "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f"                             \
++    /* L */ "Gebze - Kocaeli"                                                  \
++    "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39"                             \
++    /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK"        \
++    "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24"                             \
++    /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM"                            \
++    "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d"                             \
++    /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
++
++#define TUBITAK1_NAME_CONSTRAINTS                                              \
++    "\x30\x65\xa0\x63"                                                         \
++    "\x30\x09\x82\x07" ".gov.tr"                                               \
++    "\x30\x09\x82\x07" ".k12.tr"                                               \
++    "\x30\x09\x82\x07" ".pol.tr"                                               \
++    "\x30\x09\x82\x07" ".mil.tr"                                               \
++    "\x30\x09\x82\x07" ".tsk.tr"                                               \
++    "\x30\x09\x82\x07" ".kep.tr"                                               \
++    "\x30\x09\x82\x07" ".bel.tr"                                               \
++    "\x30\x09\x82\x07" ".edu.tr"                                               \
++    "\x30\x09\x82\x07" ".org.tr"
++
+ /* clang-format on */
+ 
+-static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY(
+-    ANSSI) };
++static const SECItem builtInNameConstraints[][2] = {
++    NAME_CONSTRAINTS_ENTRY(ANSSI),
++    NAME_CONSTRAINTS_ENTRY(TUBITAK1)
++};
+ 
+ SECStatus
+ CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions)
+ {
+     size_t i;
+ 
+     if (!extensions) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+
+diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h
+--- a/lib/cryptohi/keythi.h
++++ b/lib/cryptohi/keythi.h
+@@ -204,17 +204,17 @@ typedef struct SECKEYPublicKeyStr SECKEY
+ 
+ #define SECKEY_ATTRIBUTE_VALUE(key, attribute) \
+     (0 != (key->staticflags & SECKEY_##attribute))
+ 
+ #define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \
+     (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)
+ 
+ #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
+-    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
++    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
+ 
+ /*
+ ** A generic key structure
+ */
+ struct SECKEYPrivateKeyStr {
+     PLArenaPool *arena;
+     KeyType keyType;
+     PK11SlotInfo *pkcs11Slot;  /* pkcs11 slot this key lives in */
+diff --git a/lib/nss/nss.def b/lib/nss/nss.def
+--- a/lib/nss/nss.def
++++ b/lib/nss/nss.def
+@@ -1092,8 +1092,15 @@ SECMOD_CreateModuleEx;
+ ;+};
+ ;+NSS_3.22 { 	# NSS 3.22 release
+ ;+    global:
+ PK11_SignWithMechanism;
+ PK11_VerifyWithMechanism;
+ ;+    local:
+ ;+       *;
+ ;+};
++;+NSS_3.30 { 	# NSS 3.30 release
++;+    global:
++CERT_CompareAVA;
++PK11_HasAttributeSet;
++;+    local:
++;+       *;
++;+};
+diff --git a/lib/pk11wrap/pk11obj.c b/lib/pk11wrap/pk11obj.c
+--- a/lib/pk11wrap/pk11obj.c
++++ b/lib/pk11wrap/pk11obj.c
+@@ -151,18 +151,18 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl
+     }
+     return value;
+ }
+ 
+ /*
+  * check to see if a bool has been set.
+  */
+ CK_BBOOL
+-PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+-                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
++pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
++                          CK_ATTRIBUTE_TYPE type, PRBool haslock)
+ {
+     CK_BBOOL ckvalue = CK_FALSE;
+     CK_ATTRIBUTE theTemplate;
+     CK_RV crv;
+ 
+     /* Prepare to retrieve the attribute. */
+     PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL));
+ 
+@@ -176,16 +176,24 @@ PK11_HasAttributeSet(PK11SlotInfo *slot,
+     if (crv != CKR_OK) {
+         PORT_SetError(PK11_MapError(crv));
+         return CK_FALSE;
+     }
+ 
+     return ckvalue;
+ }
+ 
++CK_BBOOL
++PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
++                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
++{
++    PR_ASSERT(haslock == PR_FALSE);
++    return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE);
++}
++
+ /*
+  * returns a full list of attributes. Allocate space for them. If an arena is
+  * provided, allocate space out of the arena.
+  */
+ CK_RV
+ PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
+                    CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count)
+ {
+diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h
+--- a/lib/pk11wrap/pk11priv.h
++++ b/lib/pk11wrap/pk11priv.h
+@@ -113,20 +113,20 @@ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo
+ SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot,
+                                          SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg);
+ SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
+ CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
+                                                PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
+                                                void *wincx);
+ CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer,
+                                 CK_OBJECT_CLASS o_class);
+-CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
+-                              CK_OBJECT_HANDLE id,
+-                              CK_ATTRIBUTE_TYPE type,
+-                              PRBool haslock);
++CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot,
++                                   CK_OBJECT_HANDLE id,
++                                   CK_ATTRIBUTE_TYPE type,
++                                   PRBool haslock);
+ CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
+                          CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count);
+ int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
+ SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
+                                        SECStatus (*callback)(CERTCertificate *, void *), void *arg);
+ SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
+                                   PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
+ SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
+diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h
+--- a/lib/pk11wrap/pk11pub.h
++++ b/lib/pk11wrap/pk11pub.h
+@@ -681,16 +681,20 @@ CK_OBJECT_HANDLE PK11_FindCertInSlot(PK1
+                                      void *wincx);
+ SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
+                                               PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *),
+                                               void *arg);
+ CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg);
+ CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot);
+ CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url,
+                               int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions);
++CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
++                              CK_OBJECT_HANDLE id,
++                              CK_ATTRIBUTE_TYPE type,
++                              PRBool haslock /* must be set to PR_FALSE */);
+ 
+ /**********************************************************************
+  *                   Sign/Verify
+  **********************************************************************/
+ 
+ /*
+  * Return the length in bytes of a signature generated with the
+  * private key.
diff --git a/SOURCES/nss-alert-handler.patch b/SOURCES/nss-alert-handler.patch
new file mode 100644
index 0000000..ca0b434
--- /dev/null
+++ b/SOURCES/nss-alert-handler.patch
@@ -0,0 +1,461 @@
+diff -up nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc	2017-03-14 11:01:42.563689719 +0100
+@@ -24,6 +24,8 @@ namespace nss_test {
+ 
+ TEST_P(TlsConnectTls13, ZeroRtt) {
+   SetupForZeroRtt();
++  client_->SetExpectedAlertSentCount(1);
++  server_->SetExpectedAlertReceivedCount(1);
+   client_->Set0RttEnabled(true);
+   server_->Set0RttEnabled(true);
+   ExpectResumption(RESUME_TICKET);
+@@ -103,6 +105,8 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
+   EnableAlpn();
+   SetupForZeroRtt();
+   EnableAlpn();
++  client_->SetExpectedAlertSentCount(1);
++  server_->SetExpectedAlertReceivedCount(1);
+   client_->Set0RttEnabled(true);
+   server_->Set0RttEnabled(true);
+   ExpectResumption(RESUME_TICKET);
+diff -up nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_exporter_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_exporter_unittest.cc	2017-03-14 11:01:42.563689719 +0100
+@@ -90,6 +90,8 @@ int32_t RegularExporterShouldFail(TlsAge
+ 
+ TEST_P(TlsConnectTls13, EarlyExporter) {
+   SetupForZeroRtt();
++  client_->SetExpectedAlertSentCount(1);
++  server_->SetExpectedAlertReceivedCount(1);
+   client_->Set0RttEnabled(true);
+   server_->Set0RttEnabled(true);
+   ExpectResumption(RESUME_TICKET);
+diff -up nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_extension_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler	2017-03-14 11:01:42.563689719 +0100
++++ nss/gtests/ssl_gtest/ssl_extension_unittest.cc	2017-03-14 11:06:39.215006989 +0100
+@@ -167,27 +167,69 @@ class TlsExtensionTestBase : public TlsC
+       : TlsConnectTestBase(mode, version) {}
+ 
+   void ClientHelloErrorTest(PacketFilter* filter,
+-                            uint8_t alert = kTlsAlertDecodeError) {
++                            uint8_t desc = kTlsAlertDecodeError) {
++    SSLAlert alert;
++
+     auto alert_recorder = new TlsAlertRecorder();
+     server_->SetPacketFilter(alert_recorder);
+     if (filter) {
+       client_->SetPacketFilter(filter);
+     }
+     ConnectExpectFail();
++
+     EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+-    EXPECT_EQ(alert, alert_recorder->description());
++    EXPECT_EQ(desc, alert_recorder->description());
++
++    // verify no alerts received by the server
++    EXPECT_EQ(0U, server_->alert_received_count());
++
++    // verify the alert sent by the server
++    EXPECT_EQ(1U, server_->alert_sent_count());
++    EXPECT_TRUE(server_->GetLastAlertSent(&alert));
++    EXPECT_EQ(kTlsAlertFatal, alert.level);
++    EXPECT_EQ(desc, alert.description);
++
++    // verify the alert received by the client
++    EXPECT_EQ(1U, client_->alert_received_count());
++    EXPECT_TRUE(client_->GetLastAlertReceived(&alert));
++    EXPECT_EQ(kTlsAlertFatal, alert.level);
++    EXPECT_EQ(desc, alert.description);
++
++    // verify no alerts sent by the client
++    EXPECT_EQ(0U, client_->alert_sent_count());
+   }
+ 
+   void ServerHelloErrorTest(PacketFilter* filter,
+-                            uint8_t alert = kTlsAlertDecodeError) {
++                            uint8_t desc = kTlsAlertDecodeError) {
++    SSLAlert alert;
++
+     auto alert_recorder = new TlsAlertRecorder();
+     client_->SetPacketFilter(alert_recorder);
+     if (filter) {
+       server_->SetPacketFilter(filter);
+     }
+     ConnectExpectFail();
++
+     EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
+-    EXPECT_EQ(alert, alert_recorder->description());
++    EXPECT_EQ(desc, alert_recorder->description());
++
++    // verify no alerts received by the client
++    EXPECT_EQ(0U, client_->alert_received_count());
++
++    // verify the alert sent by the client
++    EXPECT_EQ(1U, client_->alert_sent_count());
++    EXPECT_TRUE(client_->GetLastAlertSent(&alert));
++    EXPECT_EQ(kTlsAlertFatal, alert.level);
++    EXPECT_EQ(desc, alert.description);
++
++    // verify the alert received by the server
++    EXPECT_EQ(1U, server_->alert_received_count());
++    EXPECT_TRUE(server_->GetLastAlertReceived(&alert));
++    EXPECT_EQ(kTlsAlertFatal, alert.level);
++    EXPECT_EQ(desc, alert.description);
++
++    // verify no alerts sent by the server
++    EXPECT_EQ(0U, server_->alert_sent_count());
+   }
+ 
+   static void InitSimpleSni(DataBuffer* extension) {
+diff -up nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_version_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_version_unittest.cc	2017-03-14 11:01:42.563689719 +0100
+@@ -225,6 +225,7 @@ TEST_F(TlsConnectTest, Tls13RejectsRehan
+ 
+ TEST_P(TlsConnectGeneric, AlertBeforeServerHello) {
+   EnsureTlsSetup();
++  client_->SetExpectedAlertReceivedCount(1);
+   client_->StartConnect();
+   server_->StartConnect();
+   client_->Handshake();  // Send ClientHello.
+diff -up nss/gtests/ssl_gtest/tls_agent.cc.alert-handler nss/gtests/ssl_gtest/tls_agent.cc
+--- nss/gtests/ssl_gtest/tls_agent.cc.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/tls_agent.cc	2017-03-14 11:07:22.414890511 +0100
+@@ -61,6 +61,12 @@ TlsAgent::TlsAgent(const std::string& na
+       can_falsestart_hook_called_(false),
+       sni_hook_called_(false),
+       auth_certificate_hook_called_(false),
++      alert_received_count_(0),
++      expected_alert_received_count_(0),
++      last_alert_received_({0, 0}),
++      alert_sent_count_(0),
++      expected_alert_sent_count_(0),
++      last_alert_sent_({0, 0}),
+       handshake_callback_called_(false),
+       error_code_(0),
+       send_ctr_(0),
+@@ -165,6 +171,14 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
+   EXPECT_EQ(SECSuccess, rv);
+   if (rv != SECSuccess) return false;
+ 
++  rv = SSL_AlertReceivedCallback(ssl_fd(), AlertReceivedCallback, this);
++  EXPECT_EQ(SECSuccess, rv);
++  if (rv != SECSuccess) return false;
++
++  rv = SSL_AlertSentCallback(ssl_fd(), AlertSentCallback, this);
++  EXPECT_EQ(SECSuccess, rv);
++  if (rv != SECSuccess) return false;
++
+   rv = SSL_HandshakeCallback(ssl_fd_, HandshakeCallback, this);
+   EXPECT_EQ(SECSuccess, rv);
+   if (rv != SECSuccess) return false;
+@@ -578,6 +592,11 @@ void TlsAgent::CheckErrorCode(int32_t ex
+       << PORT_ErrorToName(expected) << std::endl;
+ }
+ 
++void TlsAgent::CheckAlerts() const {
++  EXPECT_EQ(expected_alert_received_count_, alert_received_count_);
++  EXPECT_EQ(expected_alert_sent_count_, alert_sent_count_);
++}
++
+ void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const {
+   ASSERT_EQ(0, error_code_);
+   WAIT_(error_code_ != 0, delay);
+diff -up nss/gtests/ssl_gtest/tls_agent.h.alert-handler nss/gtests/ssl_gtest/tls_agent.h
+--- nss/gtests/ssl_gtest/tls_agent.h.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/tls_agent.h	2017-03-14 11:01:42.564689693 +0100
+@@ -139,6 +139,7 @@ class TlsAgent : public PollTarget {
+   void EnableSrtp();
+   void CheckSrtp() const;
+   void CheckErrorCode(int32_t expected) const;
++  void CheckAlerts() const;
+   void WaitForErrorCode(int32_t expected, uint32_t delay) const;
+   // Send data on the socket, encrypting it.
+   void SendData(size_t bytes, size_t blocksize = 1024);
+@@ -239,6 +240,34 @@ class TlsAgent : public PollTarget {
+     sni_callback_ = sni_callback;
+   }
+ 
++  size_t alert_received_count() const { return alert_received_count_; }
++
++  void SetExpectedAlertReceivedCount(size_t count) {
++    expected_alert_received_count_ = count;
++  }
++
++  bool GetLastAlertReceived(SSLAlert* alert) const {
++    if (!alert_received_count_) {
++      return false;
++    }
++    *alert = last_alert_received_;
++    return true;
++  }
++
++  size_t alert_sent_count() const { return alert_sent_count_; }
++
++  void SetExpectedAlertSentCount(size_t count) {
++    expected_alert_sent_count_ = count;
++  }
++
++  bool GetLastAlertSent(SSLAlert* alert) const {
++    if (!alert_sent_count_) {
++      return false;
++    }
++    *alert = last_alert_sent_;
++    return true;
++  }
++
+  private:
+   const static char* states[];
+ 
+@@ -320,6 +349,30 @@ class TlsAgent : public PollTarget {
+     return SECSuccess;
+   }
+ 
++  static void AlertReceivedCallback(const PRFileDesc* fd, void* arg,
++                                    const SSLAlert* alert) {
++    TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
++
++    std::cerr << agent->role_str()
++              << ": Alert received: level=" << static_cast<int>(alert->level)
++              << " desc=" << static_cast<int>(alert->description) << std::endl;
++
++    ++agent->alert_received_count_;
++    agent->last_alert_received_ = *alert;
++  }
++
++  static void AlertSentCallback(const PRFileDesc* fd, void* arg,
++                                const SSLAlert* alert) {
++    TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
++
++    std::cerr << agent->role_str()
++              << ": Alert sent: level=" << static_cast<int>(alert->level)
++              << " desc=" << static_cast<int>(alert->description) << std::endl;
++
++    ++agent->alert_sent_count_;
++    agent->last_alert_sent_ = *alert;
++  }
++
+   static void HandshakeCallback(PRFileDesc* fd, void* arg) {
+     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
+     agent->handshake_callback_called_ = true;
+@@ -352,6 +405,12 @@ class TlsAgent : public PollTarget {
+   bool can_falsestart_hook_called_;
+   bool sni_hook_called_;
+   bool auth_certificate_hook_called_;
++  size_t alert_received_count_;
++  size_t expected_alert_received_count_;
++  SSLAlert last_alert_received_;
++  size_t alert_sent_count_;
++  size_t expected_alert_sent_count_;
++  SSLAlert last_alert_sent_;
+   bool handshake_callback_called_;
+   SSLChannelInfo info_;
+   SSLCipherSuiteInfo csinfo_;
+diff -up nss/gtests/ssl_gtest/tls_connect.cc.alert-handler nss/gtests/ssl_gtest/tls_connect.cc
+--- nss/gtests/ssl_gtest/tls_connect.cc.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/tls_connect.cc	2017-03-14 11:01:42.564689693 +0100
+@@ -309,6 +309,9 @@ void TlsConnectTestBase::CheckConnected(
+   CheckResumption(expected_resumption_mode_);
+   client_->CheckSecretsDestroyed();
+   server_->CheckSecretsDestroyed();
++
++  client_->CheckAlerts();
++  server_->CheckAlerts();
+ }
+ 
+ void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type, SSLNamedGroup kea_group,
+diff -up nss/lib/ssl/ssl3con.c.alert-handler nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.alert-handler	2017-03-14 11:01:42.551690030 +0100
++++ nss/lib/ssl/ssl3con.c	2017-03-14 11:03:45.319510356 +0100
+@@ -3143,6 +3143,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertL
+     }
+     ssl_ReleaseXmitBufLock(ss);
+     ssl_ReleaseSSL3HandshakeLock(ss);
++    if (rv == SECSuccess && ss->alertSentCallback) {
++        SSLAlert alert = { level, desc };
++        ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert);
++    }
+     return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
+ }
+ 
+@@ -3255,6 +3259,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
+     SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
+                 SSL_GETPID(), ss->fd, level, desc));
+ 
++    if (ss->alertReceivedCallback) {
++        SSLAlert alert = { level, desc };
++        ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert);
++    }
++
+     switch (desc) {
+         case close_notify:
+             ss->recvdCloseNotify = 1;
+diff -up nss/lib/ssl/ssl.def.alert-handler nss/lib/ssl/ssl.def
+--- nss/lib/ssl/ssl.def.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/lib/ssl/ssl.def	2017-03-14 11:01:42.564689693 +0100
+@@ -221,3 +221,10 @@ SSL_SignatureSchemePrefGet;
+ ;+    local:
+ ;+*;
+ ;+};
++;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release
++;+    global:
++SSL_AlertReceivedCallback;
++SSL_AlertSentCallback;
++;+    local:
++;+*;
++;+};
+diff -up nss/lib/ssl/ssl.h.alert-handler nss/lib/ssl/ssl.h
+--- nss/lib/ssl/ssl.h.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/lib/ssl/ssl.h	2017-03-14 11:01:42.564689693 +0100
+@@ -820,6 +820,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PR
+ SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
+ 
+ /*
++** These are callbacks for dealing with SSL alerts.
++ */
++
++typedef PRUint8 SSLAlertLevel;
++typedef PRUint8 SSLAlertDescription;
++
++typedef struct {
++    SSLAlertLevel level;
++    SSLAlertDescription description;
++} SSLAlert;
++
++typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg,
++                                            const SSLAlert *alert);
++
++SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb,
++                                               void *arg);
++SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb,
++                                           void *arg);
++/*
+ ** This is a callback for dealing with server certs that are not authenticated
+ ** by the client.  The client app can decide that it actually likes the
+ ** cert by some external means and restart the connection.
+diff -up nss/lib/ssl/sslimpl.h.alert-handler nss/lib/ssl/sslimpl.h
+--- nss/lib/ssl/sslimpl.h.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/lib/ssl/sslimpl.h	2017-03-14 11:01:42.566689641 +0100
+@@ -1121,6 +1121,10 @@ struct sslSocketStr {
+     void *getClientAuthDataArg;
+     SSLSNISocketConfig sniSocketConfig;
+     void *sniSocketConfigArg;
++    SSLAlertCallback alertReceivedCallback;
++    void *alertReceivedCallbackArg;
++    SSLAlertCallback alertSentCallback;
++    void *alertSentCallbackArg;
+     SSLBadCertHandler handleBadCert;
+     void *badCertArg;
+     SSLHandshakeCallback handshakeCallback;
+diff -up nss/lib/ssl/sslsecur.c.alert-handler nss/lib/ssl/sslsecur.c
+--- nss/lib/ssl/sslsecur.c.alert-handler	2017-02-17 14:20:06.000000000 +0100
++++ nss/lib/ssl/sslsecur.c	2017-03-14 11:01:42.566689641 +0100
+@@ -994,6 +994,42 @@ ssl_SecureWrite(sslSocket *ss, const uns
+ }
+ 
+ SECStatus
++SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
++{
++    sslSocket *ss;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++        SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback",
++                 SSL_GETPID(), fd));
++        return SECFailure;
++    }
++
++    ss->alertReceivedCallback = cb;
++    ss->alertReceivedCallbackArg = arg;
++
++    return SECSuccess;
++}
++
++SECStatus
++SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
++{
++    sslSocket *ss;
++
++    ss = ssl_FindSocket(fd);
++    if (!ss) {
++        SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback",
++                 SSL_GETPID(), fd));
++        return SECFailure;
++    }
++
++    ss->alertSentCallback = cb;
++    ss->alertSentCallbackArg = arg;
++
++    return SECSuccess;
++}
++
++SECStatus
+ SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
+ {
+     sslSocket *ss;
+diff -up nss/lib/ssl/sslsock.c.alert-handler nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.alert-handler	2017-03-14 11:01:42.538690367 +0100
++++ nss/lib/ssl/sslsock.c	2017-03-14 11:01:42.566689641 +0100
+@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket *os)
+         ss->getClientAuthDataArg = os->getClientAuthDataArg;
+         ss->sniSocketConfig = os->sniSocketConfig;
+         ss->sniSocketConfigArg = os->sniSocketConfigArg;
++        ss->alertReceivedCallback = os->alertReceivedCallback;
++        ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg;
++        ss->alertSentCallback = os->alertSentCallback;
++        ss->alertSentCallbackArg = os->alertSentCallbackArg;
+         ss->handleBadCert = os->handleBadCert;
+         ss->badCertArg = os->badCertArg;
+         ss->handshakeCallback = os->handshakeCallback;
+@@ -2149,6 +2153,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+         ss->sniSocketConfig = sm->sniSocketConfig;
+     if (sm->sniSocketConfigArg)
+         ss->sniSocketConfigArg = sm->sniSocketConfigArg;
++    if (ss->alertReceivedCallback) {
++        ss->alertReceivedCallback = sm->alertReceivedCallback;
++        ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
++    }
++    if (ss->alertSentCallback) {
++        ss->alertSentCallback = sm->alertSentCallback;
++        ss->alertSentCallbackArg = sm->alertSentCallbackArg;
++    }
+     if (sm->handleBadCert)
+         ss->handleBadCert = sm->handleBadCert;
+     if (sm->badCertArg)
+@@ -3691,6 +3703,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+     ss->sniSocketConfig = NULL;
+     ss->sniSocketConfigArg = NULL;
+     ss->getClientAuthData = NULL;
++    ss->alertReceivedCallback = NULL;
++    ss->alertReceivedCallbackArg = NULL;
++    ss->alertSentCallback = NULL;
++    ss->alertSentCallbackArg = NULL;
+     ss->handleBadCert = NULL;
+     ss->badCertArg = NULL;
+     ss->pkcs11PinArg = NULL;
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1493741561 -7200
+#      Tue May 02 18:12:41 2017 +0200
+# Node ID 8804a0c65a08ee53096c07cc091536c7cf102b58
+# Parent  769f9ae07b103494af809620478e60256a344adc
+Bug 1360207, Fix incorrect if (ss->...) in SSL_ReconfigFD, Patch contributed by Ian Goldberg, r=ttaubert
+
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -2152,11 +2152,11 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+         ss->sniSocketConfig = sm->sniSocketConfig;
+     if (sm->sniSocketConfigArg)
+         ss->sniSocketConfigArg = sm->sniSocketConfigArg;
+-    if (ss->alertReceivedCallback) {
++    if (sm->alertReceivedCallback) {
+         ss->alertReceivedCallback = sm->alertReceivedCallback;
+         ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
+     }
+-    if (ss->alertSentCallback) {
++    if (sm->alertSentCallback) {
+         ss->alertSentCallback = sm->alertSentCallback;
+         ss->alertSentCallbackArg = sm->alertSentCallbackArg;
+     }
diff --git a/SOURCES/nss-ca-2.14.patch b/SOURCES/nss-ca-2.14.patch
deleted file mode 100644
index b571fa6..0000000
--- a/SOURCES/nss-ca-2.14.patch
+++ /dev/null
@@ -1,1190 +0,0 @@
-diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
---- a/lib/ckfw/builtins/certdata.txt
-+++ b/lib/ckfw/builtins/certdata.txt
-@@ -8188,177 +8188,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \150\340
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
- 
- #
--# Certificate "WellsSecure Public Root Certificate Authority"
--#
--# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Serial Number: 1 (0x1)
--# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Not Valid Before: Thu Dec 13 17:07:54 2007
--# Not Valid After : Wed Dec 14 00:07:54 2022
--# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
--# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
--\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
--\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
--\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
--\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
--\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
--\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
--\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
--\165\164\150\157\162\151\164\171
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
--\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
--\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
--\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
--\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
--\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
--\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
--\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
--\165\164\150\157\162\151\164\171
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\001
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
--\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061
--\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040
--\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162
--\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154
--\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061
--\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123
--\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157
--\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
--\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061
--\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064
--\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003
--\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012
--\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145
--\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125
--\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040
--\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003
--\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165
--\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146
--\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060
--\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
--\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
--\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253
--\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210
--\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051
--\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324
--\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122
--\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060
--\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054
--\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344
--\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264
--\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143
--\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050
--\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204
--\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237
--\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005
--\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300
--\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145
--\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006
--\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071
--\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206
--\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056
--\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167
--\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017
--\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016
--\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031
--\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043
--\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227
--\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244
--\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002
--\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154
--\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145
--\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127
--\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040
--\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154
--\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040
--\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145
--\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006
--\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
--\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173
--\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355
--\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035
--\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225
--\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045
--\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101
--\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344
--\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255
--\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247
--\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163
--\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166
--\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075
--\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147
--\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176
--\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157
--\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130
--\333
--END
--
--# Trust for Certificate "WellsSecure Public Root Certificate Authority"
--# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Serial Number: 1 (0x1)
--# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Not Valid Before: Thu Dec 13 17:07:54 2007
--# Not Valid After : Wed Dec 14 00:07:54 2022
--# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
--# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364
--\175\117\350\356
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
--\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
--\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
--\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
--\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
--\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
--\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
--\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
--\165\164\150\157\162\151\164\171
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\001
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "COMODO ECC Certification Authority"
- #
- # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
- # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Thu Mar 06 00:00:00 2008
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
-@@ -8930,222 +8769,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \337\232
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
- 
- #
--# Certificate "Microsec e-Szigno Root CA"
--#
--# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
--# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Not Valid Before: Wed Apr 06 12:28:44 2005
--# Not Valid After : Thu Apr 06 12:28:44 2017
--# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
--# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
--\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
--\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
--\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
--\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
--\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
--\164\040\103\101
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
--\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
--\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
--\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
--\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
--\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
--\164\040\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
--\054\017\021
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000
--\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
--\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021
--\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163
--\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162
--\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125
--\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061
--\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163
--\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164
--\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062
--\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070
--\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002
--\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144
--\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015
--\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060
--\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157
--\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151
--\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040
--\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052
--\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
--\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070
--\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207
--\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256
--\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167
--\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331
--\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376
--\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006
--\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254
--\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300
--\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140
--\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270
--\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364
--\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341
--\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111
--\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161
--\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346
--\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004
--\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001
--\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060
--\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145
--\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060
--\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164
--\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157
--\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017
--\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
--\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146
--\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001
--\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007
--\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145
--\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057
--\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202
--\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156
--\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171
--\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145
--\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040
--\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147
--\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172
--\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147
--\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123
--\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141
--\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141
--\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141
--\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164
--\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154
--\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150
--\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167
--\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147
--\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132
--\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201
--\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150
--\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147
--\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154
--\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145
--\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151
--\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156
--\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125
--\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117
--\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056
--\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125
--\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157
--\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162
--\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
--\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201
--\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150
--\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032
--\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156
--\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003
--\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110
--\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003
--\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060
--\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125
--\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141
--\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166
--\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110
--\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141
--\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115
--\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022
--\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040
--\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143
--\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122
--\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032
--\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016
--\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322
--\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206
--\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146
--\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154
--\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240
--\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247
--\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345
--\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172
--\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250
--\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332
--\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133
--\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323
--\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321
--\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235
--\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362
--\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077
--\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226
--\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040
--\103\307\003\340\067\116\135\012\334\131\040\045
--END
--
--# Trust for Certificate "Microsec e-Szigno Root CA"
--# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
--# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Not Valid Before: Wed Apr 06 12:28:44 2005
--# Not Valid After : Thu Apr 06 12:28:44 2017
--# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
--# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326
--\045\354\031\015
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
--\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
--\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
--\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
--\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
--\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
--\164\040\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
--\054\017\021
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "Certigna"
- #
- # Issuer: CN=Certigna,O=Dhimyotis,C=FR
- # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
- # Subject: CN=Certigna,O=Dhimyotis,C=FR
- # Not Valid Before: Fri Jun 29 15:13:05 2007
- # Not Valid After : Tue Jun 29 15:13:05 2027
- # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
-@@ -10742,147 +10375,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \002\004\111\063\000\001
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
- 
- #
--# Certificate "ApplicationCA - Japanese Government"
--#
--# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
--# Serial Number: 49 (0x31)
--# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
--# Not Valid Before: Wed Dec 12 15:00:00 2007
--# Not Valid After : Tue Dec 12 15:00:00 2017
--# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
--# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
--\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
--\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
--\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
--\151\157\156\103\101
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
--\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
--\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
--\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
--\151\157\156\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\061
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
--\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034
--\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163
--\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024
--\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151
--\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065
--\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060
--\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023
--\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141
--\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156
--\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154
--\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006
--\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
--\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207
--\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005
--\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212
--\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212
--\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240
--\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006
--\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171
--\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004
--\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155
--\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060
--\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214
--\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005
--\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155
--\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331
--\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060
--\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046
--\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243
--\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024
--\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320
--\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004
--\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244
--\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120
--\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234
--\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003
--\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202
--\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060
--\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
--\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017
--\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172
--\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011
--\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234
--\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026
--\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176
--\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221
--\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217
--\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124
--\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210
--\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353
--\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243
--\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046
--\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377
--\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113
--\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177
--\262\033\211\124
--END
--
--# Trust for Certificate "ApplicationCA - Japanese Government"
--# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
--# Serial Number: 49 (0x31)
--# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
--# Not Valid Before: Wed Dec 12 15:00:00 2007
--# Not Valid After : Tue Dec 12 15:00:00 2017
--# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
--# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214
--\323\065\374\164
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
--\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
--\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
--\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
--\151\157\156\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\061
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "GeoTrust Primary Certification Authority - G3"
- #
- # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
- # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Not Valid Before: Wed Apr 02 00:00:00 2008
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
-@@ -26272,176 +25774,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \002\007\000\216\027\376\044\040\201
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
- 
- #
--# Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--#
--# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Serial Number:7d:a1:f2:65:ec:8a
--# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Not Valid Before: Wed Dec 18 09:04:10 2013
--# Not Valid After : Sat Dec 16 09:04:10 2023
--# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
--# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
--\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
--\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
--\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
--\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
--\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
--\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
--\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
--\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
--\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
--\261\040\110\066
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
--\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
--\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
--\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
--\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
--\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
--\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
--\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
--\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
--\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
--\261\040\110\066
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\006\175\241\362\145\354\212
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175
--\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001
--\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006
--\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101
--\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104
--\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151
--\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102
--\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151
--\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101
--\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124
--\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
--\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
--\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
--\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062
--\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061
--\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006
--\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004
--\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125
--\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102
--\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040
--\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166
--\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145
--\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004
--\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154
--\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
--\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141
--\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042
--\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
--\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150
--\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161
--\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063
--\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157
--\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275
--\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324
--\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327
--\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200
--\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324
--\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330
--\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051
--\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315
--\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136
--\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251
--\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171
--\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143
--\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001
--\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004
--\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000
--\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004
--\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
--\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015
--\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252
--\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122
--\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024
--\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002
--\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066
--\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356
--\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062
--\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226
--\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024
--\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003
--\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050
--\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342
--\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246
--\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203
--\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130
--\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006
--\264\013\230\113\050\136\257\210\130\313
--END
--
--# Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Serial Number:7d:a1:f2:65:ec:8a
--# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Not Valid Before: Wed Dec 18 09:04:10 2013
--# Not Valid After : Sat Dec 16 09:04:10 2023
--# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
--# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260
--\355\345\057\340
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
--\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
--\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
--\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
--\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
--\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
--\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
--\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
--\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
--\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
--\261\040\110\066
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\006\175\241\362\145\354\212
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "Certinomis - Root CA"
- #
- # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
- # Serial Number: 1 (0x1)
- # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
- # Not Valid Before: Mon Oct 21 09:17:18 2013
- # Not Valid After : Fri Oct 21 09:17:18 2033
- # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
-@@ -29849,8 +29191,316 @@ END
- CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125
- \246\036
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "D-TRUST Root CA 3 2013"
-+#
-+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Serial Number: 1039788 (0xfddac)
-+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Not Valid Before: Fri Sep 20 08:25:51 2013
-+# Not Valid After : Wed Sep 20 08:25:51 2028
-+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
-+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
-+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
-+\040\063\040\062\060\061\063
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
-+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
-+\040\063\040\062\060\061\063
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\017\335\254
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017
-+\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005
-+\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105
-+\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165
-+\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003
-+\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103
-+\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071
-+\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062
-+\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003
-+\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012
-+\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037
-+\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124
-+\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060
-+\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-+\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-+\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337
-+\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341
-+\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046
-+\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154
-+\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340
-+\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011
-+\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274
-+\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323
-+\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352
-+\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121
-+\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075
-+\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256
-+\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077
-+\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357
-+\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174
-+\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263
-+\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006
-+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
-+\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157
-+\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006
-+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276
-+\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240
-+\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164
-+\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057
-+\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157
-+\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061
-+\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155
-+\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143
-+\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163
-+\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057
-+\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057
-+\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164
-+\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015
-+\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001
-+\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234
-+\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237
-+\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317
-+\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175
-+\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040
-+\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065
-+\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210
-+\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157
-+\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246
-+\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303
-+\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115
-+\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223
-+\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113
-+\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147
-+\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155
-+\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111
-+\137\134
-+END
-+
-+# Trust for "D-TRUST Root CA 3 2013"
-+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Serial Number: 1039788 (0xfddac)
-+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Not Valid Before: Fri Sep 20 08:25:51 2013
-+# Not Valid After : Wed Sep 20 08:25:51 2028
-+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
-+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170
-+\337\157\357\227
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
-+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
-+\040\063\040\062\060\061\063
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\017\335\254
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+#
-+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Serial Number: 1 (0x1)
-+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Not Valid Before: Mon Nov 25 08:25:55 2013
-+# Not Valid After : Sun Oct 25 08:25:55 2043
-+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
-+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
-+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
-+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
-+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
-+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
-+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
-+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
-+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
-+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
-+\162\165\155\040\061
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
-+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
-+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
-+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
-+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
-+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
-+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
-+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
-+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
-+\162\165\155\040\061
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\001\001
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001
-+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-+\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-+\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040
-+\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125
-+\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151
-+\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152
-+\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162
-+\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060
-+\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162
-+\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145
-+\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064
-+\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113
-+\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123
-+\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162
-+\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070
-+\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062
-+\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006
-+\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107
-+\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102
-+\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145
-+\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153
-+\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155
-+\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124
-+\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155
-+\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040
-+\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123
-+\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111
-+\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040
-+\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040
-+\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006
-+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-+\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273
-+\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377
-+\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372
-+\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253
-+\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154
-+\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320
-+\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153
-+\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000
-+\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116
-+\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227
-+\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332
-+\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311
-+\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177
-+\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054
-+\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352
-+\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037
-+\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243
-+\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077
-+\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107
-+\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002
-+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-+\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
-+\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230
-+\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175
-+\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341
-+\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260
-+\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355
-+\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337
-+\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027
-+\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235
-+\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270
-+\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226
-+\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223
-+\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334
-+\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177
-+\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255
-+\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237
-+\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302
-+\237\042\136\242\017\241\343
-+END
-+
-+# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Serial Number: 1 (0x1)
-+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Not Valid Before: Mon Nov 25 08:25:55 2013
-+# Not Valid After : Sun Oct 25 08:25:55 2043
-+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
-+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350
-+\221\335\356\312
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
-+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
-+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
-+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
-+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
-+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
-+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
-+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
-+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
-+\162\165\155\040\061
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\001\001
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
---- a/lib/ckfw/builtins/nssckbi.h
-+++ b/lib/ckfw/builtins/nssckbi.h
-@@ -17,41 +17,42 @@
-  */
- #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
- #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
- 
- /* These version numbers detail the changes
-  * to the list of trusted certificates.
-  *
-  * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
-- * for each NSS minor release AND whenever we change the list of
-- * trusted certificates.  10 minor versions are allocated for each
-- * NSS 3.x branch as follows, allowing us to change the list of
-- * trusted certificates up to 9 times on each branch.
-- *   - NSS 3.5 branch:  3-9
-- *   - NSS 3.6 branch:  10-19
-- *   - NSS 3.7 branch:  20-29
-- *   - NSS 3.8 branch:  30-39
-- *   - NSS 3.9 branch:  40-49
-- *   - NSS 3.10 branch: 50-59
-- *   - NSS 3.11 branch: 60-69
-- *     ...
-- *   - NSS 3.12 branch: 70-89
-- *   - NSS 3.13 branch: 90-99
-- *   - NSS 3.14 branch: 100-109
-- *     ...
-- *   - NSS 3.29 branch: 250-255
-+ * whenever we change the list of trusted certificates.
-+ *
-+ * Please use the following rules when increasing the version number:
-+ *
-+ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
-+ *   must always be an EVEN number (e.g. 16, 18, 20 etc.)
-+ *
-+ * - whenever possible, if older branches require a modification to the
-+ *   list, these changes should be made on the main line of development (trunk),
-+ *   and the older branches should update to the most recent list.
-+ * 
-+ * - ODD minor version numbers are reserved to indicate a snapshot that has
-+ *   deviated from the main line of development, e.g. if it was necessary
-+ *   to modify the list on a stable branch.
-+ *   Once the version has been changed to an odd number (e.g. 2.13) on a branch,
-+ *   it should remain unchanged on that branch, even if further changes are
-+ *   made on that branch.
-  *
-  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
-  * whether we may use its full range (0-255) or only 0-99 because
-  * of the comment in the CK_VERSION type definition.
-+ * It's recommend to switch back to 0 after having reached version 98/99.
-  */
- #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
--#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11
--#define NSS_BUILTINS_LIBRARY_VERSION "2.11"
-+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
-+#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
- 
- /* These version numbers detail the semantic changes to the ckfw engine. */
- #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
- #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
- 
- /* These version numbers detail the semantic changes to ckbi itself
-  * (new PKCS #11 objects), etc. */
- #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
-
-diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
---- a/lib/certdb/genname.c
-+++ b/lib/certdb/genname.c
-@@ -1583,19 +1583,19 @@ done:
- 
- #define NAME_CONSTRAINTS_ENTRY(CA)                   \
-     {                                                \
-         STRING_TO_SECITEM(CA##_SUBJECT_DN)           \
-         ,                                            \
-             STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \
-     }
- 
--/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
-+/* clang-format off */
- 
--/* clang-format off */
-+/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
- 
- #define ANSSI_SUBJECT_DN                                                       \
-     "\x30\x81\x85"                                                             \
-     "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR"       /* C */          \
-     "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France"   /* ST */         \
-     "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris"    /* L */          \
-     "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN"  /* O */          \
-     "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI"    /* OU */         \
-@@ -1614,20 +1614,49 @@ done:
-     "\x30\x05\x82\x03" ".pm"                                                   \
-     "\x30\x05\x82\x03" ".bl"                                                   \
-     "\x30\x05\x82\x03" ".mf"                                                   \
-     "\x30\x05\x82\x03" ".wf"                                                   \
-     "\x30\x05\x82\x03" ".pf"                                                   \
-     "\x30\x05\x82\x03" ".nc"                                                   \
-     "\x30\x05\x82\x03" ".tf"
- 
-+/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */
-+
-+#define TUBITAK1_SUBJECT_DN                                                    \
-+    "\x30\x81\xd2"                                                             \
-+    "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02"                             \
-+    /* C */ "TR"                                                               \
-+    "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f"                             \
-+    /* L */ "Gebze - Kocaeli"                                                  \
-+    "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39"                             \
-+    /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK"        \
-+    "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24"                             \
-+    /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM"                            \
-+    "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d"                             \
-+    /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+
-+#define TUBITAK1_NAME_CONSTRAINTS                                              \
-+    "\x30\x65\xa0\x63"                                                         \
-+    "\x30\x09\x82\x07" ".gov.tr"                                               \
-+    "\x30\x09\x82\x07" ".k12.tr"                                               \
-+    "\x30\x09\x82\x07" ".pol.tr"                                               \
-+    "\x30\x09\x82\x07" ".mil.tr"                                               \
-+    "\x30\x09\x82\x07" ".tsk.tr"                                               \
-+    "\x30\x09\x82\x07" ".kep.tr"                                               \
-+    "\x30\x09\x82\x07" ".bel.tr"                                               \
-+    "\x30\x09\x82\x07" ".edu.tr"                                               \
-+    "\x30\x09\x82\x07" ".org.tr"
-+
- /* clang-format on */
- 
--static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY(
--    ANSSI) };
-+static const SECItem builtInNameConstraints[][2] = {
-+    NAME_CONSTRAINTS_ENTRY(ANSSI),
-+    NAME_CONSTRAINTS_ENTRY(TUBITAK1)
-+};
- 
- SECStatus
- CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions)
- {
-     size_t i;
- 
-     if (!extensions) {
-         PORT_SetError(SEC_ERROR_INVALID_ARGS);
-
diff --git a/SOURCES/nss-check-policy-file.patch b/SOURCES/nss-check-policy-file.patch
new file mode 100644
index 0000000..898ffef
--- /dev/null
+++ b/SOURCES/nss-check-policy-file.patch
@@ -0,0 +1,49 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.check_policy_file	2017-02-28 10:49:53.811343156 +0100
++++ nss/lib/pk11wrap/pk11pars.c	2017-02-28 10:59:41.178647490 +0100
+@@ -109,6 +109,7 @@ secmod_NewModule(void)
+                                                  *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
+ 
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
+             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+         }
++	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
++	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
++	}
+         /* additional moduleDB flags could be added here in the future */
+         mod->isModuleDB = (PRBool)flags;
+     }
+@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+ }
+ 
+ PRBool
++secmod_PolicyOnly(SECMODModule *mod)
++{
++   char flags = (char) mod->isModuleDB;
++
++   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
++}
++
++PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+     char flags = (char)mod->internal;
+@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
+     if (!module) {
+         goto loser;
+     }
++
++    /* a policy only stanza doesn't actually get 'loaded'. policy has already
++     * been parsed as a side effect of the CreateModuleEx call */
++    if (secmod_PolicyOnly(module)) {
++	return module;
++    }
+     if (parent) {
+         module->parent = SECMOD_ReferenceModule(parent);
+         if (module->internal && secmod_IsInternalKeySlot(parent)) {
diff --git a/SOURCES/nss-disable-chacha20-gtests.patch b/SOURCES/nss-disable-chacha20-gtests.patch
deleted file mode 100644
index ff221d3..0000000
--- a/SOURCES/nss-disable-chacha20-gtests.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-diff -up nss/gtests/pk11_gtest/manifest.mn.disable-chacha20 nss/gtests/pk11_gtest/manifest.mn
---- nss/gtests/pk11_gtest/manifest.mn.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
-+++ nss/gtests/pk11_gtest/manifest.mn	2017-02-17 11:40:26.749019359 +0100
-@@ -8,7 +8,6 @@ MODULE = nss
- 
- CPPSRCS = \
-       pk11_aeskeywrap_unittest.cc \
--      pk11_chacha20poly1305_unittest.cc \
-       pk11_export_unittest.cc \
-       pk11_pbkdf2_unittest.cc \
-       pk11_prf_unittest.cc \
-diff -up nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
---- nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
-+++ nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc	2017-02-17 11:40:26.749019359 +0100
-@@ -326,10 +326,7 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12
-                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-                           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-                           TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
--                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
--                          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
--                          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
--                          TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
-+                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
- INSTANTIATE_CIPHER_TEST_P(
-     CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams,
-     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
-@@ -361,7 +358,7 @@ INSTANTIATE_CIPHER_TEST_P(
- INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
-                           ::testing::ValuesIn(kFasterDHEGroups),
-                           ::testing::ValuesIn(kSignatureSchemesParamsArr),
--                          TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
-+                          TLS_AES_128_GCM_SHA256,
-                           TLS_AES_256_GCM_SHA384);
- INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
-                           ::testing::ValuesIn(kAllDHEGroups),
-@@ -446,9 +443,7 @@ static const SecStatusParams kSecStatusT
-     {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_128_GCM_SHA256,
-      "AES-128-GCM", 128},
-     {SSL_LIBRARY_VERSION_TLS_1_2, TLS_RSA_WITH_AES_256_GCM_SHA384,
--     "AES-256-GCM", 256},
--    {SSL_LIBRARY_VERSION_TLS_1_2, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
--     "ChaCha20-Poly1305", 256}};
-+     "AES-256-GCM", 256}};
- INSTANTIATE_TEST_CASE_P(TestSecurityStatus, SecurityStatusTest,
-                         ::testing::ValuesIn(kSecStatusTestValuesArr));
- 
-diff -up nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_drop_unittest.cc
---- nss/gtests/ssl_gtest/ssl_drop_unittest.cc.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
-+++ nss/gtests/ssl_gtest/ssl_drop_unittest.cc	2017-02-17 11:41:03.656247032 +0100
-@@ -65,69 +65,4 @@ TEST_P(TlsConnectDatagram, DropServerSec
-   Connect();
- }
- 
--static void GetCipherAndLimit(uint16_t version, uint16_t* cipher,
--                              uint64_t* limit = nullptr) {
--  uint64_t l;
--  if (!limit) limit = &l;
--
--  if (version < SSL_LIBRARY_VERSION_TLS_1_2) {
--    *cipher = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
--    *limit = 0x5aULL << 28;
--  } else if (version == SSL_LIBRARY_VERSION_TLS_1_2) {
--    *cipher = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
--    *limit = (1ULL << 48) - 1;
--  } else {
--    *cipher = TLS_CHACHA20_POLY1305_SHA256;
--    *limit = (1ULL << 48) - 1;
--  }
--}
--
--// This simulates a huge number of drops on one side.
--TEST_P(TlsConnectDatagram, MissLotsOfPackets) {
--  uint16_t cipher;
--  uint64_t limit;
--
--  GetCipherAndLimit(version_, &cipher, &limit);
--
--  EnsureTlsSetup();
--  server_->EnableSingleCipher(cipher);
--  Connect();
--
--  // Note that the limit for ChaCha is 2^48-1.
--  EXPECT_EQ(SECSuccess,
--            SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), limit - 10));
--  SendReceive();
--}
--
--class TlsConnectDatagram12Plus : public TlsConnectDatagram {
-- public:
--  TlsConnectDatagram12Plus() : TlsConnectDatagram() {}
--};
--
--// This simulates missing a window's worth of packets.
--TEST_P(TlsConnectDatagram12Plus, MissAWindow) {
--  EnsureTlsSetup();
--  uint16_t cipher;
--  GetCipherAndLimit(version_, &cipher);
--  server_->EnableSingleCipher(cipher);
--  Connect();
--
--  EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 0));
--  SendReceive();
--}
--
--TEST_P(TlsConnectDatagram12Plus, MissAWindowAndOne) {
--  EnsureTlsSetup();
--  uint16_t cipher;
--  GetCipherAndLimit(version_, &cipher);
--  server_->EnableSingleCipher(cipher);
--  Connect();
--
--  EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 1));
--  SendReceive();
--}
--
--INSTANTIATE_TEST_CASE_P(Datagram12Plus, TlsConnectDatagram12Plus,
--                        TlsConnectTestBase::kTlsV12Plus);
--
- }  // namespace nss_test
-diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-chacha20	2017-02-17 11:40:26.747019401 +0100
-+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-02-17 11:40:26.749019359 +0100
-@@ -50,17 +50,6 @@ TEST_P(TlsConnectGeneric, ConnectEcdhe)
-   CheckKeys();
- }
- 
--// If we pick a 256-bit cipher suite and use a P-384 certificate, the server
--// should choose P-384 for key exchange too.  Only valid for TLS == 1.2 because
--// we don't have 256-bit ciphers before then and 1.3 doesn't try to couple
--// DHE size to symmetric size.
--TEST_P(TlsConnectTls12, ConnectEcdheP384) {
--  Reset(TlsAgent::kServerEcdsa384);
--  ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
--  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa,
--            ssl_sig_ecdsa_secp256r1_sha256);
--}
--
- TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
-   EnsureTlsSetup();
-   const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
diff --git a/SOURCES/nss-disable-chacha20-tests.patch b/SOURCES/nss-disable-chacha20-tests.patch
deleted file mode 100644
index 8ad0b4f..0000000
--- a/SOURCES/nss-disable-chacha20-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up nss/tests/ssl/sslcov.txt.disable-chacha20 nss/tests/ssl/sslcov.txt
---- nss/tests/ssl/sslcov.txt.disable-chacha20	2017-01-30 02:06:08.000000000 +0100
-+++ nss/tests/ssl/sslcov.txt	2017-02-17 11:40:26.749019359 +0100
-@@ -65,7 +65,7 @@
-   noECC  TLS12 :009C  TLS12_RSA_WITH_AES_128_GCM_SHA256
-   noECC  TLS12 :009E  TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
-   noECC  TLS12 :00A2  TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
--  noECC  TLS12 :CCAA  TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-+#  noECC  TLS12 :CCAA  TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- #
- # ECC ciphers (TLS)
- #
-@@ -139,5 +139,5 @@
-    ECC   TLS12  :C02C TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-    ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
--   ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
--   ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-+#   ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-+#   ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch
index f54e4b7..b593479 100644
--- a/SOURCES/nss-disable-cipher-suites.patch
+++ b/SOURCES/nss-disable-cipher-suites.patch
@@ -1,9 +1,9 @@
 diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.disable-cipher-suites	2017-02-20 16:29:09.760163465 +0100
-+++ nss/lib/ssl/ssl3con.c	2017-02-20 16:30:32.948137315 +0100
-@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+--- nss/lib/ssl/ssl3con.c.disable-cipher-suites	2017-04-26 11:53:57.980039632 +0200
++++ nss/lib/ssl/ssl3con.c	2017-04-26 11:55:56.374264466 +0200
+@@ -97,7 +97,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
   { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default.
@@ -13,9 +13,9 @@ diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
   { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-@@ -104,7 +107,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -106,7 +109,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
   { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default.
diff --git a/SOURCES/nss-disable-curve25519-gtests.patch b/SOURCES/nss-disable-curve25519-gtests.patch
deleted file mode 100644
index 4d1eb35..0000000
--- a/SOURCES/nss-disable-curve25519-gtests.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519 nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-curve25519	2017-02-17 11:35:40.794056778 +0100
-+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-02-17 11:35:50.905842897 +0100
-@@ -287,20 +287,6 @@ TEST_P(TlsConnectStreamPre13, Configured
-             ssl_sig_rsa_pss_sha256);
- }
- 
--TEST_P(TlsKeyExchangeTest, Curve25519) {
--  Reset(TlsAgent::kServerEcdsa256);
--  const std::vector<SSLNamedGroup> groups = {
--      ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp521r1};
--  EnsureKeyShareSetup();
--  ConfigNamedGroups(groups);
--  Connect();
--
--  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_ecdsa,
--            ssl_sig_ecdsa_secp256r1_sha256);
--  const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
--  CheckKEXDetails(groups, shares);
--}
--
- TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) {
-   EnsureTlsSetup();
-   client_->DisableAllCiphers();
diff --git a/SOURCES/nss-disable-curve25519-tests.patch b/SOURCES/nss-disable-curve25519-tests.patch
deleted file mode 100644
index bfd9081..0000000
--- a/SOURCES/nss-disable-curve25519-tests.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- nss/tests/ec/ectest.sh.disable-curve25519	2017-01-30 02:06:08.000000000 +0100
-+++ nss/tests/ec/ectest.sh	2017-02-17 11:35:24.937392173 +0100
-@@ -46,7 +46,6 @@ ectest_genkeydb_test()
-     return $?
-   fi
-   curves=( \
--    "curve25519" \
-     "secp256r1" \
-     "secp384r1" \
-     "secp521r1" \
diff --git a/SOURCES/nss-disable-curve25519.patch b/SOURCES/nss-disable-curve25519.patch
deleted file mode 100644
index e6925af..0000000
--- a/SOURCES/nss-disable-curve25519.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.disable-curve25519 nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.disable-curve25519	2017-02-17 11:35:24.922392490 +0100
-+++ nss/lib/ssl/sslsock.c	2017-02-17 11:35:24.936392194 +0100
-@@ -152,7 +152,7 @@ static const PRUint16 srtpCiphers[] = {
- const sslNamedGroupDef ssl_named_groups[] = {
-     /* Note that 256 for 25519 is a lie, but we only use it for checking bit
-      * security and expect 256 bits there (not 255). */
--    { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_TRUE },
-+    { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_FALSE },
-     ECGROUP(secp256r1, 256, SECP256R1, PR_TRUE),
-     ECGROUP(secp384r1, 384, SECP384R1, PR_TRUE),
-     ECGROUP(secp521r1, 521, SECP521R1, PR_TRUE),
-diff -up nss/tests/ec/ectest.sh.disable-curve25519 nss/tests/ec/ectest.sh
diff --git a/SOURCES/nss-disable-pss-gtests.patch b/SOURCES/nss-disable-pss-gtests.patch
index 0f090e4..2371c45 100644
--- a/SOURCES/nss-disable-pss-gtests.patch
+++ b/SOURCES/nss-disable-pss-gtests.patch
@@ -1,7 +1,7 @@
-diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss	2017-02-17 11:45:24.866780893 +0100
-+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-02-17 11:47:16.774439092 +0100
-@@ -58,7 +58,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
+diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests	2017-02-17 14:20:06.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc	2017-03-24 17:45:58.439916101 +0100
+@@ -69,7 +69,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
    server_->ConfigNamedGroups(groups);
    Connect();
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -10,7 +10,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  }
  
  // This causes a HelloRetryRequest in TLS 1.3.  Earlier versions don't care.
-@@ -71,7 +71,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
+@@ -82,7 +82,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
    server_->ConfigNamedGroups(groups);
    Connect();
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -19,7 +19,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3,
              hrr_capture->buffer().len() != 0);
  }
-@@ -101,7 +101,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority)
+@@ -112,7 +112,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority)
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -28,7 +28,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  
    std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
    CheckKEXDetails(groups, shares);
-@@ -118,7 +118,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou
+@@ -129,7 +129,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -37,7 +37,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  
    std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
    std::vector<SSLNamedGroup> expectedGroups = {ssl_grp_ec_secp384r1,
-@@ -136,7 +136,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD
+@@ -147,7 +147,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -46,7 +46,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  
    if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
      std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
-@@ -161,7 +161,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
+@@ -172,7 +172,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -55,7 +55,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  }
  
  TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
-@@ -177,7 +177,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
+@@ -188,7 +188,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
@@ -64,7 +64,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  }
  
  class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
-@@ -265,7 +265,7 @@ TEST_P(TlsConnectStreamPre13, Configured
+@@ -276,7 +276,7 @@ TEST_P(TlsConnectStreamPre13, Configured
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -73,7 +73,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    CheckConnected();
  
    // The renegotiation has to use the same preferences as the original session.
-@@ -273,7 +273,7 @@ TEST_P(TlsConnectStreamPre13, Configured
+@@ -284,7 +284,7 @@ TEST_P(TlsConnectStreamPre13, Configured
    client_->StartRenegotiate();
    Handshake();
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -81,8 +81,8 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
 +            ssl_sig_rsa_pkcs1_sha256);
  }
  
- TEST_P(TlsConnectGenericPre13, GroupPreferenceServerPriority) {
-@@ -293,7 +293,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref
+ TEST_P(TlsKeyExchangeTest, Curve25519) {
+@@ -318,7 +318,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
@@ -91,7 +91,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
  }
  
  #ifndef NSS_DISABLE_TLS_1_3
-@@ -312,7 +312,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
+@@ -337,7 +337,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -100,7 +100,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp256r1};
    CheckKEXDetails(client_groups, shares);
  }
-@@ -332,7 +332,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
+@@ -357,7 +357,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
@@ -109,7 +109,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
    CheckKEXDetails(client_groups, shares);
  }
-@@ -354,7 +354,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori
+@@ -379,7 +379,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -118,7 +118,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
    CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
  }
-@@ -376,7 +376,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri
+@@ -401,7 +401,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -127,7 +127,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
    CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
  }
-@@ -398,7 +398,7 @@ TEST_P(TlsKeyExchangeTest13,
+@@ -423,7 +423,7 @@ TEST_P(TlsKeyExchangeTest13,
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -136,7 +136,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
    CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
  }
-@@ -420,7 +420,7 @@ TEST_P(TlsKeyExchangeTest13,
+@@ -445,7 +445,7 @@ TEST_P(TlsKeyExchangeTest13,
    Connect();
  
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
@@ -145,7 +145,7 @@ diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable_pss nss/gtests/ssl_gt
    const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
    CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
  }
-@@ -482,7 +482,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli
+@@ -507,7 +507,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli
  
    // The server would accept 25519 but its preferred group (P256) has to win.
    CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
diff --git a/SOURCES/nss-disable-unsupported-gtests.patch b/SOURCES/nss-disable-unsupported-gtests.patch
deleted file mode 100644
index 983b8e4..0000000
--- a/SOURCES/nss-disable-unsupported-gtests.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_export_unittest.cc
---- nss/gtests/pk11_gtest/pk11_export_unittest.cc.disable_unsupported_gtests	2017-01-30 02:06:08.000000000 +0100
-+++ nss/gtests/pk11_gtest/pk11_export_unittest.cc	2017-02-17 12:02:00.023957459 +0100
-@@ -61,6 +61,4 @@ class Pkcs11ExportTest : public ::testin
- 
- TEST_F(Pkcs11ExportTest, DeriveNonExport) { Derive(false); }
- 
--TEST_F(Pkcs11ExportTest, DeriveExport) { Derive(true); }
--
- }  // namespace nss_test
-diff -up nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
---- nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc.disable_unsupported_gtests	2017-02-17 12:09:06.448036028 +0100
-+++ nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc	2017-02-17 12:10:03.479842833 +0100
-@@ -72,25 +72,4 @@ class Pkcs11Pbkdf2Test : public ::testin
-   }
- };
- 
--// RFC 6070 <http://tools.ietf.org/html/rfc6070>
--TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
--  std::vector<uint8_t> derived = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84,
--                                  0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0,
--                                  0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c,
--                                  0xf2, 0xf0, 0x70, 0x38};
--
--  Derive(derived, SEC_OID_HMAC_SHA1);
--}
--
--// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
--TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
--  std::vector<uint8_t> derived = {
--      0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8,
--      0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e,
--      0xbc, 0x18, 0x00, 0x18, 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd,
--      0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9};
--
--  Derive(derived, SEC_OID_HMAC_SHA256);
--}
--
- }  // namespace nss_test
diff --git a/SOURCES/nss-disable-unsupported-tests.patch b/SOURCES/nss-disable-unsupported-tests.patch
deleted file mode 100644
index 9b57e20..0000000
--- a/SOURCES/nss-disable-unsupported-tests.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up nss/tests/ec/ectest.sh.disable_unsupported_tests nss/tests/ec/ectest.sh
---- nss/tests/ec/ectest.sh.disable_unsupported_tests	2017-02-17 12:33:08.137805278 +0100
-+++ nss/tests/ec/ectest.sh	2017-02-17 12:43:50.000297523 +0100
-@@ -81,7 +81,8 @@ if [ -f ${BINDIR}/fbectest ]; then
-   fi
- fi
- if [ -f ${BINDIR}/pk11ectest ]; then
--  PK11_ECTEST_OUT=$(pk11ectest -n -d 2>&1)
-+  PK11_ECTEST_OUT=$(pk11ectest -n 2>&1)
-+  echo $PK11_ECTEST_OUT
-   PK11_ECTEST_OUT=`echo $PK11_ECTEST_OUT | grep -i 'not okay\|Assertion failure'`
-   if [ -n "$PK11_ECTEST_OUT" ] ; then
-     html_failed "pk11 ec tests"
diff --git a/SOURCES/nss-enable-pem.patch b/SOURCES/nss-enable-pem.patch
deleted file mode 100644
index 723039a..0000000
--- a/SOURCES/nss-enable-pem.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
---- nss/lib/ckfw/manifest.mn.libpem	2013-05-28 14:43:24.000000000 -0700
-+++ nss/lib/ckfw/manifest.mn	2013-05-30 22:14:49.247459672 -0700
-@@ -5,7 +5,7 @@
- 
- CORE_DEPTH = ../..
- 
--DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \
diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch
new file mode 100644
index 0000000..6f6fcb9
--- /dev/null
+++ b/SOURCES/nss-is-token-present-race.patch
@@ -0,0 +1,76 @@
+# HG changeset patch
+# User Kamil Dudka <kdudka@redhat.com>
+# Date 1484568851 -3600
+#      Mon Jan 16 13:14:11 2017 +0100
+# Node ID 754a4a1f6220fa99e72197408726da14419fc187
+# Parent  b6a26d34c0e354344f81a73137deeb682c7961e0
+Bug 1297397, avoid race condition in nssSlot_IsTokenPresent() that caused spurious SEC_ERROR_NO_TOKEN, r=rrelyea
+
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -91,7 +91,7 @@ nssSlot_ResetDelay(
+ }
+ 
+ static PRBool
+-within_token_delay_period(NSSSlot *slot)
++within_token_delay_period(const NSSSlot *slot)
+ {
+     PRIntervalTime time, lastTime;
+     /* Set the delay time for checking the token presence */
+@@ -103,7 +103,6 @@ within_token_delay_period(NSSSlot *slot)
+     if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
+         return PR_TRUE;
+     }
+-    slot->lastTokenPing = time;
+     return PR_FALSE;
+ }
+ 
+@@ -136,6 +135,7 @@ nssSlot_IsTokenPresent(
+     nssSlot_ExitMonitor(slot);
+     if (ckrv != CKR_OK) {
+         slot->token->base.name[0] = 0; /* XXX */
++        slot->lastTokenPing = PR_IntervalNow();
+         return PR_FALSE;
+     }
+     slot->ckFlags = slotInfo.flags;
+@@ -143,6 +143,7 @@ nssSlot_IsTokenPresent(
+     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+         if (!slot->token) {
+             /* token was never present */
++            slot->lastTokenPing = PR_IntervalNow();
+             return PR_FALSE;
+         }
+         session = nssToken_GetDefaultSession(slot->token);
+@@ -165,6 +166,7 @@ nssSlot_IsTokenPresent(
+         slot->token->base.name[0] = 0; /* XXX */
+         /* clear the token cache */
+         nssToken_Remove(slot->token);
++        slot->lastTokenPing = PR_IntervalNow();
+         return PR_FALSE;
+     }
+     /* token is present, use the session info to determine if the card
+@@ -187,8 +189,10 @@ nssSlot_IsTokenPresent(
+         isPresent = session->handle != CK_INVALID_SESSION;
+         nssSession_ExitMonitor(session);
+         /* token not removed, finished */
+-        if (isPresent)
++        if (isPresent) {
++            slot->lastTokenPing = PR_IntervalNow();
+             return PR_TRUE;
++        }
+     }
+     /* the token has been removed, and reinserted, or the slot contains
+      * a token it doesn't recognize. invalidate all the old
+@@ -201,8 +205,11 @@ nssSlot_IsTokenPresent(
+     if (nssrv != PR_SUCCESS) {
+         slot->token->base.name[0] = 0; /* XXX */
+         slot->ckFlags &= ~CKF_TOKEN_PRESENT;
++        /* TODO: insert a barrier here to avoid reordering of the assingments */
++        slot->lastTokenPing = PR_IntervalNow();
+         return PR_FALSE;
+     }
++    slot->lastTokenPing = PR_IntervalNow();
+     return PR_TRUE;
+ }
+ 
diff --git a/SOURCES/nss-old-pkcs11-num.patch b/SOURCES/nss-old-pkcs11-num.patch
deleted file mode 100644
index dbfdf05..0000000
--- a/SOURCES/nss-old-pkcs11-num.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up nss/lib/ssl/ssl3con.c.old_pkcs11_num nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.old_pkcs11_num	2017-01-04 15:24:24.000000000 +0100
-+++ nss/lib/ssl/ssl3con.c	2017-01-16 10:42:14.993429316 +0100
-@@ -11054,8 +11054,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, s
-     tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
-     param.data = (unsigned char *)&tls_mac_params;
-     param.len = sizeof(tls_mac_params);
--    prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
--                                             spec->master_secret, &param);
-+    /* RHEL 7.2 had the wrong number for CKM_TLS12_MACH instead of CKM_TLS_MAC. In the new scheme that
-+     * number matches with CKM_TLS_KDF, so until softoken gets updated, use CKM_TLS_KDF on RHEL7 */
-+    prf_context = PK11_CreateContextBySymKey(CKM_TLS_KDF, CKA_SIGN,
-+ 					     spec->master_secret, &param);
-     if (!prf_context)
-         return SECFailure;
- 
diff --git a/SOURCES/nss-pk12util.patch b/SOURCES/nss-pk12util.patch
new file mode 100644
index 0000000..e2f7f99
--- /dev/null
+++ b/SOURCES/nss-pk12util.patch
@@ -0,0 +1,765 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1481829086 -3600
+#      Thu Dec 15 20:11:26 2016 +0100
+# Node ID 6d66c2c24e4d9d1ad12a7065c55ef1c9fe143057
+# Parent  35ecce23718136f99ca9537007481b4774c57e68
+Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r=rrelyea
+
+diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
+--- a/lib/pk11wrap/pk11mech.c
++++ b/lib/pk11wrap/pk11mech.c
+@@ -612,6 +612,10 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE
+         case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+         case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+         case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
++        case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+         case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+         case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+         case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
+--- a/lib/pkcs12/p12d.c
++++ b/lib/pkcs12/p12d.c
+@@ -1335,11 +1335,23 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12
+         case SEC_OID_MD2:
+             integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;
+             break;
++        case SEC_OID_SHA224:
++            integrityMech = CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN;
++            break;
++        case SEC_OID_SHA256:
++            integrityMech = CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN;
++            break;
++        case SEC_OID_SHA384:
++            integrityMech = CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN;
++            break;
++        case SEC_OID_SHA512:
++            integrityMech = CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN;
++            break;
+         default:
+             goto loser;
+     }
+ 
+-    symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
++    symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL);
+     PK11_DestroyPBEParams(params);
+     params = NULL;
+     if (!symKey)
+diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
+--- a/lib/softoken/lowpbe.c
++++ b/lib/softoken/lowpbe.c
+@@ -408,7 +408,6 @@ loser:
+     return result;
+ }
+ 
+-#define HMAC_BUFFER 64
+ #define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y))
+ #define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y))
+ /*
+@@ -430,6 +429,7 @@ nsspkcs5_PKCS12PBE(const SECHashObject *
+     int iter;
+     unsigned char *iterBuf;
+     void *hash = NULL;
++    unsigned int bufferLength;
+ 
+     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+     if (!arena) {
+@@ -439,8 +439,11 @@ nsspkcs5_PKCS12PBE(const SECHashObject *
+     /* how many hash object lengths are needed */
+     c = (bytesNeeded + (hashLength - 1)) / hashLength;
+ 
++    /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */
++    bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64);
++
+     /* initialize our buffers */
+-    D.len = HMAC_BUFFER;
++    D.len = bufferLength;
+     /* B and D are the same length, use one alloc go get both */
+     D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2);
+     B.len = D.len;
+@@ -452,8 +455,8 @@ nsspkcs5_PKCS12PBE(const SECHashObject *
+         goto loser;
+     }
+ 
+-    SLen = NSSPBE_ROUNDUP(salt->len, HMAC_BUFFER);
+-    PLen = NSSPBE_ROUNDUP(pwitem->len, HMAC_BUFFER);
++    SLen = NSSPBE_ROUNDUP(salt->len, bufferLength);
++    PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength);
+     I.len = SLen + PLen;
+     I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len);
+     if (I.data == NULL) {
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1485768835 -3600
+#      Mon Jan 30 10:33:55 2017 +0100
+# Node ID 09d1a0757431fa52ae025138da654c698141971b
+# Parent  806c3106536feea0827ec54729a52b5cbac8a496
+Bug 1268141 - pk12util can't import PKCS#12 files encrypted with AES-128-CBC, r=rrelyea
+
+diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c
+--- a/cmd/pk12util/pk12util.c
++++ b/cmd/pk12util/pk12util.c
+@@ -861,6 +861,9 @@ p12u_EnableAllCiphers()
+     SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
+     SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
+     SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
++    SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1);
++    SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1);
++    SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1);
+     SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
+ }
+ 
+diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
+--- a/lib/pk11wrap/pk11pbe.c
++++ b/lib/pk11wrap/pk11pbe.c
+@@ -4,6 +4,7 @@
+ 
+ #include "plarena.h"
+ 
++#include "blapit.h"
+ #include "seccomon.h"
+ #include "secitem.h"
+ #include "secport.h"
+@@ -301,17 +302,49 @@ SEC_PKCS5GetPBEAlgorithm(SECOidTag algTa
+     return SEC_OID_UNKNOWN;
+ }
+ 
++static PRBool
++sec_pkcs5_is_algorithm_v2_aes_algorithm(SECOidTag algorithm)
++{
++    switch (algorithm) {
++        case SEC_OID_AES_128_CBC:
++        case SEC_OID_AES_192_CBC:
++        case SEC_OID_AES_256_CBC:
++            return PR_TRUE;
++        default:
++            return PR_FALSE;
++    }
++}
++
++static int
++sec_pkcs5v2_aes_key_length(SECOidTag algorithm)
++{
++    switch (algorithm) {
++        /* The key length for the AES-CBC-Pad algorithms are
++         * determined from the undelying cipher algorithm.  */
++        case SEC_OID_AES_128_CBC:
++            return AES_128_KEY_LENGTH;
++        case SEC_OID_AES_192_CBC:
++            return AES_192_KEY_LENGTH;
++        case SEC_OID_AES_256_CBC:
++            return AES_256_KEY_LENGTH;
++        default:
++            break;
++    }
++    return 0;
++}
++
+ /*
+  * get the key length in bytes from a PKCS5 PBE
+  */
+-int
+-sec_pkcs5v2_key_length(SECAlgorithmID *algid)
++static int
++sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
+ {
+     SECOidTag algorithm;
+     PLArenaPool *arena = NULL;
+     SEC_PKCS5PBEParameter p5_param;
+     SECStatus rv;
+     int length = -1;
++    SECOidTag cipherAlg = SEC_OID_UNKNOWN;
+ 
+     algorithm = SECOID_GetAlgorithmTag(algid);
+     /* sanity check, they should all be PBKDF2 here */
+@@ -330,7 +363,12 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a
+         goto loser;
+     }
+ 
+-    if (p5_param.keyLength.data != NULL) {
++    if (cipherAlgId)
++        cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId);
++
++    if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
++        length = sec_pkcs5v2_aes_key_length(cipherAlg);
++    } else if (p5_param.keyLength.data != NULL) {
+         length = DER_GetInteger(&p5_param.keyLength);
+     }
+ 
+@@ -375,14 +413,15 @@ SEC_PKCS5GetKeyLength(SECAlgorithmID *al
+         case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+             return 16;
+         case SEC_OID_PKCS5_PBKDF2:
+-            return sec_pkcs5v2_key_length(algid);
++            return sec_pkcs5v2_key_length(algid, NULL);
+         case SEC_OID_PKCS5_PBES2:
+         case SEC_OID_PKCS5_PBMAC1: {
+             sec_pkcs5V2Parameter *pbeV2_param;
+             int length = -1;
+             pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid);
+             if (pbeV2_param != NULL) {
+-                length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId);
++                length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId,
++                                                &pbeV2_param->cipherAlgId);
+                 sec_pkcs5_v2_destroy_v2_param(pbeV2_param);
+             }
+             return length;
+@@ -614,6 +653,8 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
+             SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+             if (hashAlg != SEC_OID_UNKNOWN) {
+                 keyLength = HASH_ResultLenByOidTag(hashAlg);
++            } else if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlgorithm)) {
++                keyLength = sec_pkcs5v2_aes_key_length(cipherAlgorithm);
+             } else {
+                 CK_MECHANISM_TYPE cryptoMech;
+                 cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm);
+diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
+--- a/lib/pkcs12/p12d.c
++++ b/lib/pkcs12/p12d.c
+@@ -177,6 +177,9 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+     SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
+     PK11SlotInfo *slot;
+     PK11SymKey *bulkKey;
++    SECItem *pwitem;
++    SECItem decodedPwitem = { 0 };
++    SECOidTag algorithm;
+ 
+     if (!p12dcx) {
+         return NULL;
+@@ -189,7 +192,24 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+         slot = PK11_GetInternalKeySlot();
+     }
+ 
+-    bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem,
++    algorithm = SECOID_GetAlgorithmTag(algid);
++    pwitem = p12dcx->pwitem;
++
++    /* here we assume that the password is already encoded into
++     * BMPString by the caller.  if the encryption scheme is not the
++     * one defined in PKCS #12, decode the password back into
++     * UTF-8. */
++    if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) {
++        if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem,
++                                                p12dcx->pwitem,
++                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
++            PORT_SetError(SEC_ERROR_NO_MEMORY);
++            return NULL;
++        }
++        pwitem = &decodedPwitem;
++    }
++
++    bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
+                              PR_FALSE, p12dcx->wincx);
+     /* some tokens can't generate PBE keys on their own, generate the
+      * key in the internal slot, and let the Import code deal with it,
+@@ -198,7 +218,7 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+     if (!bulkKey && !PK11_IsInternal(slot)) {
+         PK11_FreeSlot(slot);
+         slot = PK11_GetInternalKeySlot();
+-        bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem,
++        bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
+                                  PR_FALSE, p12dcx->wincx);
+     }
+     PK11_FreeSlot(slot);
+@@ -208,6 +228,10 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+         PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL);
+     }
+ 
++    if (decodedPwitem.data) {
++        SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE);
++    }
++
+     return bulkKey;
+ }
+ 
+diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c
+--- a/lib/pkcs12/p12e.c
++++ b/lib/pkcs12/p12e.c
+@@ -10,6 +10,7 @@
+ #include "seccomon.h"
+ #include "secport.h"
+ #include "cert.h"
++#include "secpkcs5.h"
+ #include "secpkcs7.h"
+ #include "secasn1.h"
+ #include "secerr.h"
+@@ -378,19 +379,36 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC
+     safeInfo->itemCount = 0;
+ 
+     /* create the encrypted safe */
+-    safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn,
+-                                                   p12ctxt->pwfnarg);
++    if (!SEC_PKCS5IsAlgorithmPBEAlgTag(privAlg) &&
++        PK11_AlgtagToMechanism(privAlg) == CKM_AES_CBC) {
++        safeInfo->cinfo = SEC_PKCS7CreateEncryptedDataWithPBEV2(SEC_OID_PKCS5_PBES2,
++                                                                privAlg,
++                                                                SEC_OID_UNKNOWN,
++                                                                0,
++                                                                p12ctxt->pwfn,
++                                                                p12ctxt->pwfnarg);
++    } else {
++        safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn,
++                                                       p12ctxt->pwfnarg);
++    }
+     if (!safeInfo->cinfo) {
+         PORT_SetError(SEC_ERROR_NO_MEMORY);
+         goto loser;
+     }
+     safeInfo->arena = p12ctxt->arena;
+ 
+-    /* convert the password to unicode */
+-    if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
+-                                            PR_TRUE, PR_TRUE, PR_TRUE)) {
+-        PORT_SetError(SEC_ERROR_NO_MEMORY);
+-        goto loser;
++    if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) {
++        /* convert the password to unicode */
++        if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
++                                                PR_TRUE, PR_TRUE, PR_TRUE)) {
++            PORT_SetError(SEC_ERROR_NO_MEMORY);
++            goto loser;
++        }
++    } else {
++        if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) {
++            PORT_SetError(SEC_ERROR_NO_MEMORY);
++            goto loser;
++        }
+     }
+     if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
+         PORT_SetError(SEC_ERROR_NO_MEMORY);
+diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
+--- a/lib/pkcs12/p12local.c
++++ b/lib/pkcs12/p12local.c
+@@ -949,6 +949,33 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+     return PR_TRUE;
+ }
+ 
++PRBool
++sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm)
++{
++    switch (algorithm) {
++        case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
++        case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
++        case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
++        case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
++        case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
++        case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
++        case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
++        case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
++        case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
++        case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
++        case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
++        /* those are actually PKCS #5 v1.5 PBEs, but we
++         * historically treat them in the same way as PKCS #12
++         * PBEs */
++        case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++        case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
++        case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++            return PR_TRUE;
++        default:
++            return PR_FALSE;
++    }
++}
++
+ /* pkcs 12 templates */
+ static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
+     sec_pkcs12_choose_shroud_type;
+diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h
+--- a/lib/pkcs12/p12local.h
++++ b/lib/pkcs12/p12local.h
+@@ -55,4 +55,6 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo
+                               void *wincx, SEC_PKCS12SafeContents *safe,
+                               SEC_PKCS12Baggage *baggage);
+ 
++extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm);
++
+ #endif
+diff --git a/lib/pkcs12/p12plcy.c b/lib/pkcs12/p12plcy.c
+--- a/lib/pkcs12/p12plcy.c
++++ b/lib/pkcs12/p12plcy.c
+@@ -24,6 +24,9 @@ static pkcs12SuiteMap pkcs12SuiteMaps[] 
+     { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE },
+     { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE },
+     { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE },
++    { SEC_OID_AES_128_CBC, 128, PKCS12_AES_CBC_128, PR_FALSE, PR_FALSE },
++    { SEC_OID_AES_192_CBC, 192, PKCS12_AES_CBC_192, PR_FALSE, PR_FALSE },
++    { SEC_OID_AES_256_CBC, 256, PKCS12_AES_CBC_256, PR_FALSE, PR_FALSE },
+     { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE },
+     { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE }
+ };
+diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
+--- a/lib/pkcs7/p7create.c
++++ b/lib/pkcs7/p7create.c
+@@ -1245,3 +1245,56 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a
+ 
+     return cinfo;
+ }
++
++SEC_PKCS7ContentInfo *
++SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm,
++                                      SECOidTag cipher_algorithm,
++                                      SECOidTag prf_algorithm,
++                                      int keysize,
++                                      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
++{
++    SEC_PKCS7ContentInfo *cinfo;
++    SECAlgorithmID *algid;
++    SEC_PKCS7EncryptedData *enc_data;
++    SECStatus rv;
++
++    PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm));
++
++    cinfo = sec_pkcs7_create_content_info(SEC_OID_PKCS7_ENCRYPTED_DATA,
++                                          PR_FALSE, pwfn, pwfn_arg);
++    if (cinfo == NULL)
++        return NULL;
++
++    enc_data = cinfo->content.encryptedData;
++    algid = &(enc_data->encContentInfo.contentEncAlg);
++
++    SECAlgorithmID *pbe_algid;
++    pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm,
++                                            cipher_algorithm,
++                                            prf_algorithm,
++                                            keysize,
++                                            NSS_PBE_DEFAULT_ITERATION_COUNT,
++                                            NULL);
++    if (pbe_algid == NULL) {
++        rv = SECFailure;
++    } else {
++        rv = SECOID_CopyAlgorithmID(cinfo->poolp, algid, pbe_algid);
++        SECOID_DestroyAlgorithmID(pbe_algid, PR_TRUE);
++    }
++
++    if (rv != SECSuccess) {
++        SEC_PKCS7DestroyContentInfo(cinfo);
++        return NULL;
++    }
++
++    rv = sec_pkcs7_init_encrypted_content_info(&(enc_data->encContentInfo),
++                                               cinfo->poolp,
++                                               SEC_OID_PKCS7_DATA, PR_FALSE,
++                                               cipher_algorithm, keysize);
++    if (rv != SECSuccess) {
++        SEC_PKCS7DestroyContentInfo(cinfo);
++        return NULL;
++    }
++
++    return cinfo;
++}
+diff --git a/lib/pkcs7/secpkcs7.h b/lib/pkcs7/secpkcs7.h
+--- a/lib/pkcs7/secpkcs7.h
++++ b/lib/pkcs7/secpkcs7.h
+@@ -287,6 +287,26 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a
+                              SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+ 
+ /*
++ * Create an empty PKCS7 encrypted content info.
++ *
++ * Similar to SEC_PKCS7CreateEncryptedData(), but this is capable of
++ * creating encrypted content for PKCS #5 v2 algorithms.
++ *
++ * "pbe_algorithm" specifies the PBE algorithm to use.
++ * "cipher_algorithm" specifies the bulk encryption algorithm to use.
++ * "prf_algorithm" specifies the PRF algorithm which pbe_algorithm uses.
++ *
++ * An error results in a return value of NULL and an error set.
++ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
++ */
++extern SEC_PKCS7ContentInfo *
++SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm,
++                                      SECOidTag cipher_algorithm,
++                                      SECOidTag prf_algorithm,
++                                      int keysize,
++                                      SECKEYGetPasswordKey pwfn, void *pwfn_arg);
++
++/*
+  * All of the following things return SECStatus to signal success or failure.
+  * Failure should have a more specific error status available via
+  * PORT_GetError()/XP_GetError().
+diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
+--- a/tests/tools/tools.sh
++++ b/tests/tools/tools.sh
+@@ -273,12 +273,9 @@ tools_p12_export_list_import_all_pkcs5v2
+     CAMELLIA-256-CBC; do
+ 
+ #---------------------------------------------------------------
+-# Bug 452464 - pk12util -o fails when -C option specifies AES or
++# Bug 452464 - pk12util -o fails when -C option specifies
+ # Camellia ciphers
+ # FIXME Restore these to the list
+-#    AES-128-CBC, \
+-#    AES-192-CBC, \
+-#    AES-256-CBC, \
+ #    CAMELLIA-128-CBC, \
+ #    CAMELLIA-192-CBC, \
+ #    CAMELLIA-256-CBC, \
+@@ -287,6 +284,9 @@ tools_p12_export_list_import_all_pkcs5v2
+     for cert_cipher in \
+       RC2-CBC \
+       DES-EDE3-CBC \
++      AES-128-CBC \
++      AES-192-CBC \
++      AES-256-CBC \
+       null; do
+ 	  export_list_import ${key_cipher} ${cert_cipher}
+ 	done
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1491303138 -7200
+#      Tue Apr 04 12:52:18 2017 +0200
+# Node ID ef11922df67881332f1fa200c7ae21b9c30cec76
+# Parent  7228445b43ac095ebc0eee330d6a351b898ebbdd
+Bug 1353325, pkcs12: don't encode password if non-PKCS12 PBEs is used, r=rrelyea
+
+diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
+--- a/lib/pkcs12/p12d.c
++++ b/lib/pkcs12/p12d.c
+@@ -177,8 +177,7 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+     SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
+     PK11SlotInfo *slot;
+     PK11SymKey *bulkKey;
+-    SECItem *pwitem;
+-    SECItem decodedPwitem = { 0 };
++    SECItem pwitem = { 0 };
+     SECOidTag algorithm;
+ 
+     if (!p12dcx) {
+@@ -193,24 +192,10 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+     }
+ 
+     algorithm = SECOID_GetAlgorithmTag(algid);
+-    pwitem = p12dcx->pwitem;
+-
+-    /* here we assume that the password is already encoded into
+-     * BMPString by the caller.  if the encryption scheme is not the
+-     * one defined in PKCS #12, decode the password back into
+-     * UTF-8. */
+-    if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) {
+-        if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem,
+-                                                p12dcx->pwitem,
+-                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
+-            PORT_SetError(SEC_ERROR_NO_MEMORY);
+-            return NULL;
+-        }
+-        pwitem = &decodedPwitem;
+-    }
+-
+-    bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
+-                             PR_FALSE, p12dcx->wincx);
++    if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem))
++        return NULL;
++
++    bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
+     /* some tokens can't generate PBE keys on their own, generate the
+      * key in the internal slot, and let the Import code deal with it,
+      * (if the slot can't generate PBEs, then we need to use the internal
+@@ -218,8 +203,7 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+     if (!bulkKey && !PK11_IsInternal(slot)) {
+         PK11_FreeSlot(slot);
+         slot = PK11_GetInternalKeySlot();
+-        bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
+-                                 PR_FALSE, p12dcx->wincx);
++        bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
+     }
+     PK11_FreeSlot(slot);
+ 
+@@ -228,8 +212,8 @@ sec_pkcs12_decoder_get_decrypt_key(void 
+         PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL);
+     }
+ 
+-    if (decodedPwitem.data) {
+-        SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE);
++    if (pwitem.data) {
++        SECITEM_ZfreeItem(&pwitem, PR_FALSE);
+     }
+ 
+     return bulkKey;
+@@ -2476,13 +2460,25 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke
+                                            nickName, publicValue, PR_TRUE, PR_TRUE,
+                                            keyUsage, wincx);
+             break;
+-        case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
++        case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: {
++            SECItem pwitem = { 0 };
++            SECAlgorithmID *algid =
++                &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm;
++            SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
++
++            if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
++                                            key->pwitem))
++                return SECFailure;
+             rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
+                                                     key->safeBagContent.pkcs8ShroudedKeyBag,
+-                                                    key->pwitem, nickName, publicValue,
++                                                    &pwitem, nickName, publicValue,
+                                                     PR_TRUE, PR_TRUE, keyType, keyUsage,
+                                                     wincx);
++            if (pwitem.data) {
++                SECITEM_ZfreeItem(&pwitem, PR_FALSE);
++            }
+             break;
++        }
+         default:
+             key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
+             key->problem = PR_TRUE;
+diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c
+--- a/lib/pkcs12/p12e.c
++++ b/lib/pkcs12/p12e.c
+@@ -397,18 +397,9 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC
+     }
+     safeInfo->arena = p12ctxt->arena;
+ 
+-    if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) {
+-        /* convert the password to unicode */
+-        if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
+-                                                PR_TRUE, PR_TRUE, PR_TRUE)) {
+-            PORT_SetError(SEC_ERROR_NO_MEMORY);
+-            goto loser;
+-        }
+-    } else {
+-        if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) {
+-            PORT_SetError(SEC_ERROR_NO_MEMORY);
+-            goto loser;
+-        }
++    if (!sec_pkcs12_encode_password(NULL, &uniPwitem, privAlg, pwitem)) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        goto loser;
+     }
+     if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
+         PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -1221,8 +1212,8 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12Export
+         SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+         PK11SlotInfo *slot = NULL;
+ 
+-        if (!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
+-                                                pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
++        if (!sec_pkcs12_encode_password(p12ctxt->arena, &uniPwitem, algorithm,
++                                        pwitem)) {
+             PORT_SetError(SEC_ERROR_NO_MEMORY);
+             goto loser;
+         }
+diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
+--- a/lib/pkcs12/p12local.c
++++ b/lib/pkcs12/p12local.c
+@@ -976,6 +976,46 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
+     }
+ }
+ 
++/* this function decodes a password from Unicode if necessary,
++ * according to the PBE algorithm.
++ *
++ * we assume that the pwitem is already encoded in Unicode by the
++ * caller.  if the encryption scheme is not the one defined in PKCS
++ * #12, decode the pwitem back into UTF-8. */
++PRBool
++sec_pkcs12_decode_password(PLArenaPool *arena,
++                           SECItem *result,
++                           SECOidTag algorithm,
++                           const SECItem *pwitem)
++{
++    if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
++        return sec_pkcs12_convert_item_to_unicode(arena, result,
++                                                  (SECItem *)pwitem,
++                                                  PR_TRUE, PR_FALSE, PR_FALSE);
++
++    return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
++}
++
++/* this function encodes a password into Unicode if necessary,
++ * according to the PBE algorithm.
++ *
++ * we assume that the pwitem holds a raw password.  if the encryption
++ * scheme is the one defined in PKCS #12, encode the password into
++ * BMPString. */
++PRBool
++sec_pkcs12_encode_password(PLArenaPool *arena,
++                           SECItem *result,
++                           SECOidTag algorithm,
++                           const SECItem *pwitem)
++{
++    if (sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
++        return sec_pkcs12_convert_item_to_unicode(arena, result,
++                                                  (SECItem *)pwitem,
++                                                  PR_TRUE, PR_TRUE, PR_TRUE);
++
++    return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
++}
++
+ /* pkcs 12 templates */
+ static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
+     sec_pkcs12_choose_shroud_type;
+diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h
+--- a/lib/pkcs12/p12local.h
++++ b/lib/pkcs12/p12local.h
+@@ -57,4 +57,13 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo
+ 
+ extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm);
+ 
++extern PRBool sec_pkcs12_decode_password(PLArenaPool *arena,
++                                         SECItem *result,
++                                         SECOidTag algorithm,
++                                         const SECItem *pwitem);
++extern PRBool sec_pkcs12_encode_password(PLArenaPool *arena,
++                                         SECItem *result,
++                                         SECOidTag algorithm,
++                                         const SECItem *pwitem);
++
+ #endif
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1491397923 -7200
+#      Wed Apr 05 15:12:03 2017 +0200
+# Node ID c9af3144ac8cd7e2203817a334a9f814649e86b0
+# Parent  769f9ae07b103494af809620478e60256a344adc
+fix key length calculation for PKCS#5 DES-EDE3-CBC-Pad
+
+diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
+--- a/lib/pk11wrap/pk11pbe.c
++++ b/lib/pk11wrap/pk11pbe.c
+@@ -370,6 +370,13 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a
+         length = sec_pkcs5v2_aes_key_length(cipherAlg);
+     } else if (p5_param.keyLength.data != NULL) {
+         length = DER_GetInteger(&p5_param.keyLength);
++    } else {
++        CK_MECHANISM_TYPE cipherMech;
++        cipherMech = PK11_AlgtagToMechanism(cipherAlg);
++        if (cipherMech == CKM_INVALID_MECHANISM) {
++            goto loser;
++        }
++        length = PK11_GetMaxKeyLength(cipherMech);
+     }
+ 
+ loser:
+diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h
+--- a/lib/pk11wrap/pk11priv.h
++++ b/lib/pk11wrap/pk11priv.h
+@@ -106,6 +106,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(
+                                         void *wincx, PK11SlotInfo **pSlot);
+ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+                             CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
++unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
+ 
+ /**********************************************************************
+  *                   Certs
+diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
+--- a/lib/pk11wrap/pk11slot.c
++++ b/lib/pk11wrap/pk11slot.c
+@@ -2291,6 +2291,14 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE m
+             }
+         }
+     }
++
++    /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */
++    if (keyLength == 0) {
++        CK_KEY_TYPE keyType;
++        keyType = PK11_GetKeyType(mechanism, 0);
++        keyLength = pk11_GetPredefinedKeyLength(keyType);
++    }
++
+     if (le)
+         PK11_FreeSlotListElement(list, le);
+     if (freeit)
diff --git a/SOURCES/nss-prevent-abi-issue.patch b/SOURCES/nss-prevent-abi-issue.patch
deleted file mode 100644
index 22df86e..0000000
--- a/SOURCES/nss-prevent-abi-issue.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up nss/lib/ssl/sslinfo.c.abi_lib nss/lib/ssl/sslinfo.c
---- nss/lib/ssl/sslinfo.c.abi_lib	2016-10-10 16:44:06.661038110 +0200
-+++ nss/lib/ssl/sslinfo.c	2016-10-10 16:44:54.436814398 +0200
-@@ -74,7 +74,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
-             inf.creationTime = sid->creationTime;
-             inf.lastAccessTime = sid->lastAccessTime;
-             inf.expirationTime = sid->expirationTime;
--            inf.extendedMasterSecretUsed =
-+            inf.reservedNotSupported =
-                 (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
-                  sid->u.ssl3.keys.extendedMasterSecretUsed)
-                     ? PR_TRUE
-diff -up nss/lib/ssl/sslt.h.abi_lib nss/lib/ssl/sslt.h
---- nss/lib/ssl/sslt.h.abi_lib	2016-10-03 16:55:58.000000000 +0200
-+++ nss/lib/ssl/sslt.h	2016-10-10 16:44:06.661038110 +0200
-@@ -188,7 +188,7 @@ typedef struct SSLChannelInfoStr {
-      * This field only has meaning in TLS < 1.3 and will be set to
-      *  PR_FALSE in TLS 1.3.
-      */
--    PRBool extendedMasterSecretUsed;
-+    PRBool reservedNotSupported;
- 
-     /* The following fields were added in NSS 3.25.
-      * This field only has meaning in TLS >= 1.3, and indicates on the
diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch
index f08ca2f..9806190 100644
--- a/SOURCES/nss-reorder-cipher-suites.patch
+++ b/SOURCES/nss-reorder-cipher-suites.patch
@@ -1,7 +1,7 @@
-diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.reorder_cipher_suites	2017-02-15 13:11:24.960624359 +0100
-+++ nss/lib/ssl/ssl3con.c	2017-02-15 13:12:55.378720030 +0100
-@@ -91,83 +91,64 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites	2017-04-26 11:47:33.690047402 +0200
++++ nss/lib/ssl/ssl3con.c	2017-04-26 11:51:51.103013632 +0200
+@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
  /* clang-format off */
  static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
     /*      cipher_suite                     policy       enabled   isPresent */
@@ -22,6 +22,7 @@ diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c
   { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
@@ -34,48 +35,46 @@ diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c
   { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 -
-- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
-- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
   { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
   { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 -
-- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s
   { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
@@ -107,23 +106,20 @@ diff -up nss/lib/ssl/ssl3con.c.reorder_cipher_suites nss/lib/ssl/ssl3con.c
   { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
-@@ -175,6 +156,12 @@ static ssl3CipherSuiteCfg cipherSuites[s
+@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s
   { TLS_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
 + { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
 + { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
-+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
  };
  /* clang-format on */
  
-diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c
---- nss/lib/ssl/sslenum.c.reorder_cipher_suites	2017-02-15 13:11:35.724397659 +0100
-+++ nss/lib/ssl/sslenum.c	2017-02-15 13:12:26.332331787 +0100
-@@ -55,81 +55,64 @@
+diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c
+--- nss/lib/ssl/sslenum.c.reorder-cipher-suites	2017-04-26 11:46:50.215066457 +0200
++++ nss/lib/ssl/sslenum.c	2017-04-26 11:47:09.362617638 +0200
+@@ -55,53 +55,44 @@
   * the third one.
   */
  const PRUint16 SSL_ImplementedCiphers[] = {
@@ -143,6 +139,7 @@ diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 +    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 +    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 -    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
@@ -155,48 +152,46 @@ diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 -    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
 +    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 +    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 +    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 -    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA,
 -
--    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
--    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
--    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
-     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
--    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
--    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
--    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
--    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
--    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
--    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
-     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-     TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-+    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-+    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
-+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
-+    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-+    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
++    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
++    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
++    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
++    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+-    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+-    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+     TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+     TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+-    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+-    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+-    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
      TLS_DHE_DSS_WITH_RC4_128_SHA,
 -
--    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
--    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
-+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[]
      TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
      TLS_ECDH_RSA_WITH_RC4_128_SHA,
@@ -227,16 +222,13 @@ diff -up nss/lib/ssl/sslenum.c.reorder_cipher_suites nss/lib/ssl/sslenum.c
      TLS_ECDHE_ECDSA_WITH_NULL_SHA,
      TLS_ECDHE_RSA_WITH_NULL_SHA,
      TLS_ECDH_RSA_WITH_NULL_SHA,
-@@ -137,6 +120,12 @@ const PRUint16 SSL_ImplementedCiphers[]
+@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[]
      TLS_RSA_WITH_NULL_SHA,
      TLS_RSA_WITH_NULL_SHA256,
      TLS_RSA_WITH_NULL_MD5,
 +    TLS_AES_128_GCM_SHA256,
 +    TLS_CHACHA20_POLY1305_SHA256,
 +    TLS_AES_256_GCM_SHA384,
-+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-+    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
  
      0
  };
diff --git a/SOURCES/nss-rhel7.config b/SOURCES/nss-rhel7.config
new file mode 100644
index 0000000..be6d690
--- /dev/null
+++ b/SOURCES/nss-rhel7.config
@@ -0,0 +1,7 @@
+# To re-enable legacy algorithms, edit this file
+# Note that the last empty line in this file must be preserved
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+
diff --git a/SOURCES/nss-tests-prevent-abi-issue.patch b/SOURCES/nss-tests-prevent-abi-issue.patch
deleted file mode 100644
index 766f2d7..0000000
--- a/SOURCES/nss-tests-prevent-abi-issue.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -up nss/cmd/selfserv/selfserv.c.abi_tests nss/cmd/selfserv/selfserv.c
---- nss/cmd/selfserv/selfserv.c.abi_tests	2016-08-16 12:36:23.695996680 +0200
-+++ nss/cmd/selfserv/selfserv.c	2016-08-16 12:39:00.006879649 +0200
-@@ -425,7 +425,7 @@ printSecurityInfo(PRFileDesc *fd)
-                     channel.authKeyBits, suite.authAlgorithmName,
-                     channel.keaKeyBits, suite.keaTypeName,
-                     channel.compressionMethodName,
--                    channel.extendedMasterSecretUsed ? "Yes" : "No");
-+		    channel.reservedNotSupported ? "Yes": "No");
-         }
-     }
-     if (verbose) {
-diff -up nss/cmd/tstclnt/tstclnt.c.abi_tests nss/cmd/tstclnt/tstclnt.c
---- nss/cmd/tstclnt/tstclnt.c.abi_tests	2016-08-16 12:36:23.696996653 +0200
-+++ nss/cmd/tstclnt/tstclnt.c	2016-08-16 12:39:24.460235581 +0200
-@@ -129,7 +129,7 @@ printSecurityInfo(PRFileDesc *fd)
-                     channel.authKeyBits, suite.authAlgorithmName,
-                     channel.keaKeyBits, suite.keaTypeName,
-                     channel.compressionMethodName,
--                    channel.extendedMasterSecretUsed ? "Yes" : "No");
-+		    channel.reservedNotSupported ? "Yes": "No");
-         }
-     }
-     cert = SSL_RevealCert(fd);
-diff -up nss/external_tests/ssl_gtest/tls_agent.cc.abi_tests nss/external_tests/ssl_gtest/tls_agent.cc
---- nss/gtests/ssl_gtest/tls_agent.cc.abi_tests	2016-08-16 12:36:23.696996653 +0200
-+++ nss/gtests/ssl_gtest/tls_agent.cc	2016-08-16 12:39:45.167690174 +0200
-@@ -571,7 +571,7 @@ void TlsAgent::CheckExtendedMasterSecret
-   if (version() >= SSL_LIBRARY_VERSION_TLS_1_3) {
-     expected = PR_TRUE;
-   }
--  ASSERT_EQ(expected, info_.extendedMasterSecretUsed != PR_FALSE)
-+  ASSERT_EQ(expected, info_.reservedNotSupported != PR_FALSE)
-       << "unexpected extended master secret state for " << name_;
- }
- 
diff --git a/SOURCES/nss-tools-sha256-default.patch b/SOURCES/nss-tools-sha256-default.patch
new file mode 100644
index 0000000..288d5d8
--- /dev/null
+++ b/SOURCES/nss-tools-sha256-default.patch
@@ -0,0 +1,107 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1489096275 -3600
+#      Thu Mar 09 22:51:15 2017 +0100
+# Node ID 848abc2061a45b8387893891e814b80db1e2bd53
+# Parent  482e9cbb16f13cd22f9ef7b5a73a4e3ea68ecf82
+Bug 1345106, Don't use SHA1 by default for signatures in the NSS library and in certutil, crlutil and cmsutil, r=rrelyea
+
+diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c
+--- a/cmd/smimetools/cmsutil.c
++++ b/cmd/smimetools/cmsutil.c
+@@ -84,7 +84,7 @@ Usage(char *progName)
+             "               where id can be a certificate nickname or email address\n"
+             " -S            create a CMS signed data message\n"
+             "  -G           include a signing time attribute\n"
+-            "  -H hash      use hash (default:SHA1)\n"
++            "  -H hash      use hash (default:SHA256)\n"
+             "  -N nick      use certificate named \"nick\" for signing\n"
+             "  -P           include a SMIMECapabilities attribute\n"
+             "  -T           do not include content in CMS message\n"
+@@ -1097,7 +1097,7 @@ main(int argc, char **argv)
+     signOptions.signingTime = PR_FALSE;
+     signOptions.smimeProfile = PR_FALSE;
+     signOptions.encryptionKeyPreferenceNick = NULL;
+-    signOptions.hashAlgTag = SEC_OID_SHA1;
++    signOptions.hashAlgTag = SEC_OID_SHA256;
+     envelopeOptions.recipients = NULL;
+     encryptOptions.recipients = NULL;
+     encryptOptions.envmsg = NULL;
+diff --git a/cmd/smimetools/smime b/cmd/smimetools/smime
+--- a/cmd/smimetools/smime
++++ b/cmd/smimetools/smime
+@@ -199,8 +199,8 @@ sub signentity($$)
+     # construct a new multipart/signed MIME entity consisting of the original content and
+     # the signature
+     #
+-    # (we assume that cmsutil generates a SHA1 digest)
+-    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
++    # (we assume that cmsutil generates a SHA256 digest)
++    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n";
+     $out .= "\n";		# end of entity header
+     $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
+     $out .= "\n--${boundary}\n";
+diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
+--- a/lib/cryptohi/secsign.c
++++ b/lib/cryptohi/secsign.c
+@@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECI
+     if (algID == SEC_OID_UNKNOWN) {
+         switch (pk->keyType) {
+             case rsaKey:
+-                algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
++                algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+                 break;
+             case dsaKey:
+                 /* get Signature length (= q_len*2) and work from there */
+                 switch (PK11_SignatureLen(pk)) {
++                    case 320:
++                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
++                        break;
+                     case 448:
+                         algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
+                         break;
+                     case 512:
++                    default:
+                         algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
+                         break;
+-                    default:
+-                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+-                        break;
+                 }
+                 break;
+             case ecKey:
+-                algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
++                algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
+                 break;
+             default:
+                 PORT_SetError(SEC_ERROR_INVALID_KEY);
+@@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
+             break;
+         case dsaKey:
+             switch (hashAlgTag) {
+-                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
+                 case SEC_OID_SHA1:
+                     sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+                     break;
+                 case SEC_OID_SHA224:
+                     sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
+                     break;
++                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
+                 case SEC_OID_SHA256:
+                     sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
+                     break;
+@@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType 
+             break;
+         case ecKey:
+             switch (hashAlgTag) {
+-                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
+                 case SEC_OID_SHA1:
+                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE;
+                     break;
+                 case SEC_OID_SHA224:
+                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE;
+                     break;
++                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
+                 case SEC_OID_SHA256:
+                     sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
+                     break;
diff --git a/SOURCES/nsspem-use-system-freebl.patch b/SOURCES/nsspem-use-system-freebl.patch
deleted file mode 100644
index 115b49c..0000000
--- a/SOURCES/nsspem-use-system-freebl.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
---- nss/lib/ckfw/pem/config.mk.systemfreebl	2012-08-11 09:06:59.000000000 -0700
-+++ nss/lib/ckfw/pem/config.mk	2013-04-04 16:02:33.805744145 -0700
-@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
- #  are specifed as dependencies within rules.mk.
- #
- 
-+
-+EXTRA_LIBS += \
-+	$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
-+	$(NULL)
-+
- TARGETS        = $(SHARED_LIBRARY)
- LIBRARY        =
- IMPORT_LIBRARY =
-@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
- MKSHLIB += -R '$$ORIGIN'
- endif
- 
-+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
-+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
-+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
-+ifdef USE_SYSTEM_NSSUTIL
-+OS_LIBS += $(NSSUTIL_LIBS)
-+else
-+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
-+EXTRA_LIBS += $(NSSUTIL_LIBS)
-+endif
-+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
-+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
-+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
-+ifdef USE_SYSTEM_FREEBL
-+OS_LIBS += $(FREEBL_LIBS)
-+else
-+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
-+EXTRA_LIBS += $(FREEBL_LIBS)
-+endif
-+
-diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
---- nss/lib/ckfw/pem/Makefile.systemfreebl	2012-08-11 09:06:59.000000000 -0700
-+++ nss/lib/ckfw/pem/Makefile	2013-04-04 16:02:33.806744154 -0700
-@@ -43,8 +43,7 @@ include config.mk
- EXTRA_LIBS = \
- 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
- 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
--	$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
--	$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
-+	$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
- 	$(NULL)
- 
- # can't do this in manifest.mn because OS_TARGET isn't defined there.
-@@ -56,6 +55,9 @@ EXTRA_LIBS += \
- 	-lplc4 \
- 	-lplds4 \
- 	-lnspr4 \
-+	-L$(NSSUTIL_LIB_DIR) \
-+	-lnssutil3 \
-+	-lfreebl3
- 	$(NULL)
- else 
- EXTRA_SHARED_LIBS += \
-@@ -74,6 +76,9 @@ EXTRA_LIBS += \
- 	-lplc4 \
- 	-lplds4 \
- 	-lnspr4 \
-+	-L$(NSSUTIL_LIB_DIR) \
-+	-lnssutil3 \
-+	-lfreebl3 \
- 	$(NULL)
- endif
- 
-diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
---- nss/lib/ckfw/pem/manifest.mn.systemfreebl	2012-08-11 09:06:59.000000000 -0700
-+++ nss/lib/ckfw/pem/manifest.mn	2013-04-04 16:02:33.807744163 -0700
-@@ -65,4 +65,4 @@ REQUIRES = nspr
- 
- LIBRARY_NAME = nsspem
- 
--#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
-+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3
diff --git a/SOURCES/pem-compile-with-Werror.patch b/SOURCES/pem-compile-with-Werror.patch
deleted file mode 100644
index 392d74a..0000000
--- a/SOURCES/pem-compile-with-Werror.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
---- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/ckpem.h	2015-11-13 12:07:29.219887390 -0800
-@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
- };
- typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
- 
-+/* NOTE: Discrepancy with the the way callers use of the return value as a count
-+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
-+ */
- SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
- const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
- void pem_PopulateModulusExponent(pemInternalObject *io);
-diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
---- ./nss/lib/ckfw/pem/pinst.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/pinst.c	2015-11-13 12:07:29.219887390 -0800
-@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
-     char *ivstring = NULL;
-     int cipher;
- 
--    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+    /* TODO: Fix discrepancy between our usage of the return value as
-+     * as an int (a count) and the declaration as a SECStatus. */
-+    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-     if (nobjs <= 0) {
-         nss_ZFreeIf(objs);
-         return CKR_GENERAL_ERROR;
-@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
-         if (keyfile) {          /* add the private key */
-             SECItem **keyobjs = NULL;
-             int kobjs = 0;
-+            /* TODO: Fix discrepancy between our usage of the return value as
-+             * as an int and the declaration as a SECStatus. */
-             kobjs =
--                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-+                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-                                 &ivstring, PR_FALSE);
-             if (kobjs < 1) {
-                 error = CKR_GENERAL_ERROR;
-diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
---- ./nss/lib/ckfw/pem/pobject.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/pobject.c	2015-11-13 12:07:29.220887368 -0800
-@@ -630,6 +630,11 @@ pem_DestroyInternalObject
-         if (io->u.key.ivstring)
-             free(io->u.key.ivstring);
-         break;
-+    case pemAll:
-+        /* pemAll is not used, keep the compiler happy
-+         * TODO: investigate a proper solution
-+         */
-+        return;
-     }
- 
-     if (NULL != gobj)
-@@ -1044,7 +1049,9 @@ pem_CreateObject
-     int nobjs = 0;
-     int i;
-     int objid;
-+#if 0
-     pemToken *token;
-+#endif
-     int cipher;
-     char *ivstring = NULL;
-     pemInternalObject *listObj = NULL;
-@@ -1073,7 +1080,9 @@ pem_CreateObject
-     }
-     slotID = nssCKFWSlot_GetSlotID(fwSlot);
- 
-+#if 0
-     token = (pemToken *) mdToken->etc;
-+#endif
- 
-     /*
-      * only create keys and certs.
-@@ -1114,7 +1123,11 @@ pem_CreateObject
-     }
- 
-     if (objClass == CKO_CERTIFICATE) {
--        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+        /* TODO: Fix discrepancy between our usage of the return value as
-+         * as an int and the declaration as a SECStatus. Typecasting as a
-+         * temporary workaround.
-+         */
-+        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-         if (nobjs < 1)
-             goto loser;
- 
-diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
---- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/rsawrapr.c	2015-11-13 12:07:29.220887368 -0800
-@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
-     return 0;
- }
- 
-+/* unused functions */
-+#if 0
- static SHA1Context *SHA1_CloneContext(SHA1Context * original)
- {
-     SHA1Context *clone = NULL;
-@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
- 
-     return SECSuccess;
- }
-+#endif /* unused functions */
- 
- /*
-  * Format one block of data for public/private key encryption using
-diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
---- ./nss/lib/ckfw/pem/util.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/util.c	2015-11-13 12:22:52.282196306 -0800
-@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
-     return SECFailure;
- }
- 
--int
-+/* FIX: Returns a SECStatus yet callers take result as a count */
-+SECStatus
- ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
- 		int *cipher, char **ivstring, PRBool certsonly)
- {
-@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 		    goto loser;
- 		}
-                 if ((certsonly && !key) || (!certsonly && key)) {
-+		    error = CKR_OK;
- 		    PUT_Object(der, error);
-+		    if (error != CKR_OK) {
-+			free(der);
-+			goto loser;
-+		    }
-                 } else {
-                     free(der->data);
-                     free(der);
-@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 	    }
- 
- 	    /* NOTE: This code path has never been tested. */
-+	    error = CKR_OK;
- 	    PUT_Object(der, error);
-+	    if (error != CKR_OK) {
-+		free(der);
-+		goto loser;
-+	    }
- 	}
- 
- 	nss_ZFreeIf(filedata.data);
diff --git a/SOURCES/ssl-server-min-key-sizes.patch b/SOURCES/ssl-server-min-key-sizes.patch
deleted file mode 100644
index e66e8cb..0000000
--- a/SOURCES/ssl-server-min-key-sizes.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -up nss/lib/nss/nssoptions.h.min_key_sizes nss/lib/nss/nssoptions.h
---- nss/lib/nss/nssoptions.h.min_key_sizes	2017-02-20 16:42:23.456894585 +0100
-+++ nss/lib/nss/nssoptions.h	2017-02-20 16:43:02.687942525 +0100
-@@ -16,5 +16,5 @@
- /* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
-  * only 1023 bits and similar.  We don't have good data on whether this
-  * happens because NSS used to count bit lengths incorrectly. */
--#define SSL_DH_MIN_P_BITS 1023
-+#define SSL_DH_MIN_P_BITS 768
- #define SSL_DSA_MIN_P_BITS 1023
-diff -up nss/lib/ssl/ssl3con.c.min_key_sizes nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.min_key_sizes	2017-02-20 16:42:23.459894513 +0100
-+++ nss/lib/ssl/ssl3con.c	2017-02-20 16:43:42.744970411 +0100
-@@ -7093,7 +7093,7 @@ ssl_HandleDHServerKeyExchange(sslSocket
-         minDH = SSL_DH_MIN_P_BITS;
-     }
-     dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
--    if (dh_p_bits < minDH) {
-+    if (dh_p_bits < SSL_DH_MIN_P_BITS) {
-         errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
-         goto alert_loser;
-     }
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 5199c33..aaaa8d1 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,13 +1,13 @@
 %global nspr_version 4.13.1
-%global nss_util_version 3.28.2
-%global nss_util_build -1.1
+%global nss_util_version 3.28.4
+%global nss_util_build -2
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
-%global nss_softokn_version 3.16.2.3
+%global nss_softokn_version 3.28.3
 # Attention: Separate softokn versions for build and runtime.
-%global runtime_required_softokn_build_version -14.2
+%global runtime_required_softokn_build_version -4
 # Building NSS doesn't require the softokn -13 build.
-%global build_required_softokn_build_version -13
+%global build_required_softokn_build_version -4
 
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -27,7 +27,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.28.4
-Release:          1.2%{?dist}
+Release:          8%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -51,6 +51,12 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl
 
+# nss-pem used to be bundled with the nss package on Fedora -- make sure that
+# programs relying on that continue to work until they are fixed to require
+# nss-pem instead.  Once all of them are fixed, the following line can be
+# removed.  See https://bugzilla.redhat.com/1346806 for details.
+Requires:         nss-pem%{?_isa}
+
 %if %{defined nss_ckbi_suffix}
 %define full_nss_version %{version}%{nss_ckbi_suffix}
 %else
@@ -68,7 +74,6 @@ Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
 Source10:         PayPalEE.cert
-Source12:         %{name}-pem-20140125.tar.bz2
 Source17:         TestCA.ca.cert
 Source18:         TestUser50.cert
 Source19:         TestUser51.cert
@@ -82,15 +87,12 @@ Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source30:         PayPalRootCA.cert
 Source31:         PayPalICA.cert
+Source32:         nss-rhel7.config
 
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
-Patch6:           nss-enable-pem.patch
 Patch16:          nss-539183.patch
 Patch18:          nss-646045.patch
-# must statically link pem against the freebl in the buildroot
-# Needed only when sources on tree have new APIS
-Patch25:          nsspem-use-system-freebl.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
@@ -104,13 +106,6 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 # headers are older. Such is the case when starting an update with API changes or even private export changes.
 # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50:          iquote.patch
-# As of nss-3.21 we compile NSS with -Werror.
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
-# This requires a cleanup of the PEM module as we have it here.
-# TODO: submit a patch to the interim nss-pem upstream project
-# The submission will be very different from this patch as
-# cleanup there is already in progress there.
-Patch51:          pem-compile-with-Werror.patch
 Patch52:          Bug-1001841-disable-sslv2-libssl.patch
 Patch53:          Bug-1001841-disable-sslv2-tests.patch
 Patch55:          enable-fips-when-system-is-in-fips-mode.patch
@@ -122,39 +117,40 @@ Patch62: nss-fix-deadlock-squash.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
 Patch74: race.patch
 Patch94: nss-3.16-token-init-race.patch
-Patch99: ssl-server-min-key-sizes.patch
 Patch100: fix-min-library-version-in-SSLVersionRange.patch
-Patch106: nss-old-pkcs11-num.patch
 Patch108: nss-sni-c-v-fix.patch
-# Local: keep as long nss-softokn lacks support
-Patch113: disable-extended-master-secret-with-old-softoken.patch
-Patch115: nss-prevent-abi-issue.patch
-Patch116: nss-tests-prevent-abi-issue.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1298692
-Patch122: disable-ems-gtests.patch
 Patch123: nss-skip-util-gtest.patch
-# Disable X25519 and ChaCha20, until nss-softokn is rebased
-Patch124: nss-disable-curve25519.patch
 Patch126: nss-reorder-cipher-suites.patch
 Patch127: nss-disable-cipher-suites.patch
 Patch128: nss-enable-cipher-suites.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932
 Patch129: moz-1320932.patch
-# Disable RSA-PSS until we get a new nss-softokn (taken from RHEL-6
-# for rhbz#1390161)
+# Disable RSA-PSS until the feature is complete
 Patch130: disable-pss.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
 Patch132: nss-tstclnt-optspec.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1336487
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345083
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1350859
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1349705
+Patch133: nss-1334976-1336487-1345083-ca-2.14.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=956866
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1360207
+Patch134: nss-alert-handler.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch135: nss-check-policy-file.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345106
+Patch136: nss-tools-sha256-default.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1297397
+Patch137: nss-is-token-present-race.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1353724
+Patch138: nss-pk12util.patch
+Patch139: nss-disable-pss-gtests.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1328122
-Patch133: nss-ssl3gthr.patch
-Patch134: nss-ca-2.14.patch
-Patch200: nss-disable-curve25519-gtests.patch
-Patch201: nss-disable-curve25519-tests.patch
-Patch202: nss-disable-chacha20-gtests.patch
-Patch203: nss-disable-chacha20-tests.patch
-Patch204: nss-disable-pss-gtests.patch
-Patch205: nss-disable-unsupported-gtests.patch
-Patch206: nss-disable-unsupported-tests.patch
+Patch140: nss-ssl3gthr.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -231,54 +227,42 @@ low level services.
 %{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
 %{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
 %{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
-%setup -q -T -D -n %{name}-%{version} -a 12
+%setup -q -T -D -n %{name}-%{version}
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
-%patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-# link pem against buildroot's freebl, essential when mixing and matching
-%patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
-%patch51 -p1 -b -Werror
 pushd nss
 %patch52 -p1 -b .disableSSL2libssl
 %patch53 -p1 -b .disableSSL2tests
 %patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
 %patch56 -p1 -b .1026677_ignore_set_policy
 %patch62 -p1 -b .fix_deadlock
-%patch99 -p1 -b .min_key_sizes
 %patch100 -p0 -b .1171318
-%patch113 -p1 -b .disable-ems
-%patch115 -p1 -b .abi_lib
-%patch116 -p1 -b .abi_tests
 %patch74 -p1 -b .race
 popd
 %patch94 -p0 -b .init-token-race
-%patch106 -p0 -b .old_pkcs11_num
 %patch108 -p0 -b .sni_c_v_fix
 pushd nss
-%patch122 -p1 -b .disable_ems_gtests
 %patch123 -p1 -b .skip-util-gtests
-%patch124 -p1 -b .disable-curve25519
 %patch126 -p1 -b .reorder-cipher-suites
 %patch127 -p1 -b .disable-cipher-suites
 %patch128 -p1 -b .enable-cipher-suites
 %patch129 -p1 -b .fix_ssl_sh_typo
 %patch130 -p1 -b .disable_pss
 %patch132 -p1 -b .tstclnt-optspec
-%patch133 -p1 -b .ssl3gthr
-%patch134 -p1 -b .ca-2.14.patch
-%patch200 -p1 -b .disable-curve25519-gtests
-%patch201 -p1 -b .disable-curve25519-tests
-%patch202 -p1 -b .disable-chacha20-gtests
-%patch203 -p1 -b .disable-chacha20-tests
-%patch204 -p1 -b .disable-pss-gtests
-%patch205 -p1 -b .disable-unsupported-gtests
-%patch206 -p1 -b .disable-unsupported-tests
+%patch133 -p1 -b .mozilla-ca-policy-plus-ca-2.14
+%patch134 -p1 -b .alert-handler
+%patch135 -p1 -b .check_policy_file
+%patch136 -p1 -b .tools-sha256-default
+%patch137 -p1 -b .is-token-present-race
+%patch138 -p1 -b .pk12util
+%patch139 -p1 -b .disable-pss-gtests
+%patch140 -p1 -b .ssl3gthr
 popd
 
 #########################################################
@@ -287,11 +271,6 @@ popd
 # until fixed upstream we must copy some headers locally
 #########################################################
 
-pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
-for file in ${pemNeedsFromSoftoken}; do
-    %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
-done
-
 # Copying these header until the upstream bug is accepted
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
@@ -390,6 +369,12 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
 
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss-rhel7.config"
+# location of the policy file
+export POLICY_PATH="/etc/pki/nss-legacy"
+
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
 # need nss/lib/util/verref.h which  is exported privately,
 # copy the one we saved during prep so it they can find it.
@@ -611,7 +596,7 @@ touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
 %{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
 
 # Copy the binary libraries we want
-for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
   %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
@@ -683,6 +668,9 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done
 
+%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy
+%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
+
 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
 
@@ -729,7 +717,6 @@ fi
 %{_libdir}/libsmime3.so
 %ghost %{_libdir}/libnssckbi.so
 %{_libdir}/nss/libnssckbi.so
-%{_libdir}/libnsspem.so
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
@@ -743,6 +730,8 @@ fi
 %attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
 %attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
 %attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%dir %{_sysconfdir}/pki/nss-legacy
+%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
 
 %files sysinit
 %defattr(-,root,root)
@@ -820,7 +809,6 @@ fi
 %{_includedir}/nss3/keythi.h
 %{_includedir}/nss3/nss.h
 %{_includedir}/nss3/nssckbi.h
-%{_includedir}/nss3/nsspem.h
 %{_includedir}/nss3/ocsp.h
 %{_includedir}/nss3/ocspt.h
 %{_includedir}/nss3/p12.h
@@ -865,37 +853,66 @@ fi
 
 
 %changelog
-* Tue May 16 2017 Kai Engert <kaie@redhat.com> - 3.28.4-1.2
+* Fri May  5 2017 Kai Engert <kaie@redhat.com> - 3.28.4-8
 - Include CKBI 2.14 and updated CA constraints from NSS 3.28.5
 
-* Mon May 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-1.1
-- Fix zero-length record treatment in SSL3_GatherData
+* Fri May  5 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-7
+- Update nss-pk12util.patch to include fix from mozbz#1353724.
 
-* Fri Apr  7 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-1.0
-- Rebase to NSS 3.28.4
+* Wed May  3 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-6
+- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207.
 
-* Mon Feb 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.6
-- Restore ssl-server-min-key-sizes.patch
+* Fri Apr 28 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-5
+- Fix zero-length record treatment for stream ciphers and SSLv2
+
+* Thu Apr 27 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-4
+- Correctly set policy file location when building
+
+* Wed Apr 26 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-3
+- Reorder ChaCha20-Poly1305 cipher suites, as suggested in:
+  https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9
+
+* Thu Apr 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-2
+- Rebase to NSS 3.28.4
+- Update nss-pk12util.patch with backport of mozbz#1353325
+
+* Thu Mar 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-5
+- Switch default hash algorithm used by tools from SHA-1 to SHA-256
+- Avoid race condition in nssSlot_IsTokenPresent()
+- Enable SHA-2 and AES in pk12util
+- Disable RSA-PSS for now
+
+* Fri Mar 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-4
+- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert
+- Backport changes adding SSL alert callbacks from upstream
+- Add nss-check-policy-file.patch from Fedora
+- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config
+
+* Mon Mar  6 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-3
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+  multlib environment, patch by Kamil Dudka
+- Enable new algorithms supported by the new nss-softokn
+
+* Mon Mar  6 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-2
+- Rebase to NSS 3.28.3
+- Bump required version of nss-softokn
+
+* Wed Feb 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-3
+- Remove %%nss_cycles setting, which was also mistakenly added
+- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+- Prevent ABI incompatibilty of SECKEYECPublicKey
 - Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
 - Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
   patch in the previous release
 - Fix crash with tstclnt -W
-
-* Fri Feb 17 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.5
 - Always enable gtests for supported features
-- Prevent ABI incompatibilty of SECKEYECPublicKey
-
-* Thu Feb 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.4
 - Add patch to fix bash syntax error in tests/ssl.sh
 - Build with support for SSLKEYLOGFILE
 - Disable the use of RSA-PSS with SSL/TLS
 
-* Wed Feb 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.3
-- Remove %%nss_cycles setting, which was also mistakenly added
-
-* Wed Feb 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.2
-- Reorder cipher suites for compatibility
-- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+* Tue Feb 14 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-2
+- Decouple nss-pem from the nss package
+- Resolves: #1316546
 
 * Mon Feb 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.1
 - Remove mistakenly added R: nss-pem
@@ -922,12 +939,6 @@ fi
   fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch,
   call-restartmodules-in-nssinit.patch
 
-* Tue Nov 08 2016 Kai Engert <kaie@redhat.com> - 3.21.3-2
-- Mozilla #1314604 / Red Hat CVE-2016-8635
-
-* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.21.3-1.1
-- rebuild
-
 * Wed Oct 26 2016 Daiki Ueno <dueno@redhat.com> - 3.21.3-1
 - Rebase to NSS 3.21.3
 - Resolves: #1383887