diff --git a/.gitignore b/.gitignore
index 63bb458..7286e8d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,7 @@ SOURCES/cert8.db.xml
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
-SOURCES/nss-3.28.4.tar.gz
+SOURCES/nss-3.34.0.tar.gz
SOURCES/nss-config.xml
SOURCES/secmod.db.xml
SOURCES/setup-nsssysinit.xml
diff --git a/.nss.metadata b/.nss.metadata
index 17a1a7d..7b7738a 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -10,7 +10,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz
+01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
index 3defed5..40e3e6d 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,7 +1,7 @@
diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
---- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-01-04 15:24:24.000000000 +0100
-+++ nss/tests/ssl/ssl.sh 2017-01-13 16:51:20.759277059 +0100
-@@ -63,8 +63,14 @@ ssl_init()
+--- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-09-20 08:47:27.000000000 +0200
++++ nss/tests/ssl/ssl.sh 2017-10-06 16:19:10.812108552 +0200
+@@ -69,8 +69,14 @@ ssl_init()
# Test case files
SSLCOV=${QADIR}/ssl/sslcov.txt
@@ -17,7 +17,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
-@@ -129,7 +135,11 @@ is_selfserv_alive()
+@@ -128,7 +134,11 @@ is_selfserv_alive()
fi
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
@@ -29,8 +29,8 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
echo "selfserv with PID ${PID} found at `date`"
}
-@@ -153,7 +163,11 @@ wait_for_selfserv()
- ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+@@ -152,7 +162,11 @@ wait_for_selfserv()
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
if [ $? -ne 0 ]; then
+ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
@@ -41,16 +41,16 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
fi
fi
is_selfserv_alive
-@@ -272,7 +286,7 @@ ssl_cov()
+@@ -275,7 +289,7 @@ ssl_cov()
start_selfserv # Launch the server
VMIN="ssl3"
- VMAX="tls1.1"
+ VMAX="tls1.2"
- exec < ${SSLCOV}
+ ignore_blank_lines ${SSLCOV} | \
while read ectype testmax param testname
-@@ -280,6 +294,12 @@ ssl_cov()
+@@ -283,6 +297,12 @@ ssl_cov()
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
@@ -60,6 +60,6 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
+ continue
+ fi
+
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
- elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+ else
diff --git a/SOURCES/disable-pss.patch b/SOURCES/disable-pss.patch
deleted file mode 100644
index 1ae9630..0000000
--- a/SOURCES/disable-pss.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff -up nss/lib/ssl/ssl3con.c.disable_pss nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.disable_pss 2017-02-17 11:44:34.969825045 +0100
-+++ nss/lib/ssl/ssl3con.c 2017-02-17 11:44:34.973824961 +0100
-@@ -177,9 +177,15 @@ static const SSLSignatureScheme defaultS
- ssl_sig_ecdsa_secp384r1_sha384,
- ssl_sig_ecdsa_secp521r1_sha512,
- ssl_sig_ecdsa_sha1,
-+#if 0
-+ /* Disable, while we are waiting for an upstream fix to
-+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
-+ * (NSS does not check if token supports RSA-PSS before using it to sign)
-+ **/
- ssl_sig_rsa_pss_sha256,
- ssl_sig_rsa_pss_sha384,
- ssl_sig_rsa_pss_sha512,
-+#endif
- ssl_sig_rsa_pkcs1_sha256,
- ssl_sig_rsa_pkcs1_sha384,
- ssl_sig_rsa_pkcs1_sha512,
-@@ -4622,9 +4628,16 @@ ssl_IsSupportedSignatureScheme(SSLSignat
- case ssl_sig_rsa_pkcs1_sha256:
- case ssl_sig_rsa_pkcs1_sha384:
- case ssl_sig_rsa_pkcs1_sha512:
-+ return PR_TRUE;
-+ /* Disable, while we are waiting for an upstream fix to
-+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
-+ * (NSS does not check if token supports RSA-PSS before using it to sign)
-+ **/
- case ssl_sig_rsa_pss_sha256:
- case ssl_sig_rsa_pss_sha384:
- case ssl_sig_rsa_pss_sha512:
-+ return PR_FALSE;
-+
- case ssl_sig_ecdsa_secp256r1_sha256:
- case ssl_sig_ecdsa_secp384r1_sha384:
- case ssl_sig_ecdsa_secp521r1_sha512:
-diff -up nss/lib/ssl/sslcert.c.disable_pss nss/lib/ssl/sslcert.c
---- nss/lib/ssl/sslcert.c.disable_pss 2017-01-30 02:06:08.000000000 +0100
-+++ nss/lib/ssl/sslcert.c 2017-02-17 11:44:34.973824961 +0100
-@@ -399,7 +399,13 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
- PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
-
- if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
-+#if 0
-+ /* Disable, while we are waiting for an upstream fix to
-+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
-+ * (NSS does not check if token supports RSA-PSS before using it to sign)
-+ **/
- (data->authType == ssl_auth_rsa_pss && ku_sig) ||
-+#endif
- (data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
- return ssl_ConfigCert(ss, cert, keyPair, data);
- }
-@@ -416,12 +422,18 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
- return rv;
- }
-
-+#if 0
-+ /* Disable, while we are waiting for an upstream fix to
-+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
-+ * (NSS does not check if token supports RSA-PSS before using it to sign)
-+ **/
- /* This certificate is RSA, assume that it's also PSS. */
- data->authType = ssl_auth_rsa_pss;
- rv = ssl_ConfigCert(ss, cert, keyPair, data);
- if (rv != SECSuccess) {
- return rv;
- }
-+#endif
- }
-
- if (ku_enc) {
diff --git a/SOURCES/moz-1320932.patch b/SOURCES/moz-1320932.patch
deleted file mode 100644
index 8f8602d..0000000
--- a/SOURCES/moz-1320932.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-changeset: 12916:6f35dc12506a
-branch: wip/dueno/typo-fix
-tag: tip
-parent: 12913:f2a9e4d85b64
-user: Daiki Ueno <dueno@redhat.com>
-date: Tue Nov 29 14:18:08 2016 +0100
-files: tests/ssl/ssl.sh
-description:
-Use correct shell conditional for NSS_DISABLE_LIBPKIX check
-
-
-diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
---- a/tests/ssl/ssl.sh
-+++ b/tests/ssl/ssl.sh
-@@ -1006,7 +1006,7 @@ ssl_run()
- do
- case "${SSL_RUN}" in
- "stapling")
-- if [ -nz "$NSS_DISABLE_LIBPKIX" ]; then
-+ if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
- ssl_stapling
- fi
- ;;
-
diff --git a/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch b/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
deleted file mode 100644
index db6be92..0000000
--- a/SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
+++ /dev/null
@@ -1,4522 +0,0 @@
-diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c
---- a/cmd/addbuiltin/addbuiltin.c
-+++ b/cmd/addbuiltin/addbuiltin.c
-@@ -26,16 +26,39 @@ dumpbytes(unsigned char *buf, int len)
- if ((i != 0) && ((i & 0xf) == 0)) {
- printf("\n");
- }
- printf("\\%03o", buf[i]);
- }
- printf("\n");
- }
-
-+int
-+hasPositiveTrust(unsigned int trust)
-+{
-+ if (trust & CERTDB_TRUSTED) {
-+ if (trust & CERTDB_TRUSTED_CA) {
-+ return PR_TRUE;
-+ } else {
-+ return PR_FALSE;
-+ }
-+ } else {
-+ if (trust & CERTDB_TRUSTED_CA) {
-+ return PR_TRUE;
-+ } else if (trust & CERTDB_VALID_CA) {
-+ return PR_TRUE;
-+ } else if (trust & CERTDB_TERMINAL_RECORD) {
-+ return PR_FALSE;
-+ } else {
-+ return PR_FALSE;
-+ }
-+ }
-+ return PR_FALSE;
-+}
-+
- char *
- getTrustString(unsigned int trust)
- {
- if (trust & CERTDB_TRUSTED) {
- if (trust & CERTDB_TRUSTED_CA) {
- return "CKT_NSS_TRUSTED_DELEGATOR";
- } else {
- return "CKT_NSS_TRUSTED";
-@@ -197,16 +220,21 @@ ConvertCertificate(SECItem *sdder, char
- dumpbytes(cert->derIssuer.data, cert->derIssuer.len);
- printf("END\n");
- printf("CKA_SERIAL_NUMBER MULTILINE_OCTAL\n");
- dumpbytes(serial->data, serial->len);
- printf("END\n");
- printf("CKA_VALUE MULTILINE_OCTAL\n");
- dumpbytes(sdder->data, sdder->len);
- printf("END\n");
-+ if (hasPositiveTrust(trust->sslFlags) ||
-+ hasPositiveTrust(trust->emailFlags) ||
-+ hasPositiveTrust(trust->objectSigningFlags)) {
-+ printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
-+ }
- }
-
- if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
- CERTDB_TERMINAL_RECORD)
- trust_info = "Distrust";
- else
- trust_info = "Trust for";
-
-diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
---- a/cmd/lib/secutil.c
-+++ b/cmd/lib/secutil.c
-@@ -27,17 +27,17 @@
- #include <unistd.h>
- #endif
-
- /* for SEC_TraverseNames */
- #include "cert.h"
- #include "certt.h"
- #include "certdb.h"
-
--/* #include "secmod.h" */
-+#include "secmod.h"
- #include "pk11func.h"
- #include "secoid.h"
-
- static char consoleName[] = {
- #ifdef XP_UNIX
- "/dev/tty"
- #else
- #ifdef XP_OS2
-@@ -3224,25 +3224,58 @@ SECU_PrintSignedContent(FILE *out, SECIt
- SECStatus
- SEC_PrintCertificateAndTrust(CERTCertificate *cert,
- const char *label,
- CERTCertTrust *trust)
- {
- SECStatus rv;
- SECItem data;
- CERTCertTrust certTrust;
-+ PK11SlotList *slotList;
-+ PRBool falseAttributeFound = PR_FALSE;
-+ PRBool trueAttributeFound = PR_FALSE;
-+ const char *moz_policy_ca_info = NULL;
-
- data.data = cert->derCert.data;
- data.len = cert->derCert.len;
-
- rv = SECU_PrintSignedData(stdout, &data, label, 0,
- (SECU_PPFunc)SECU_PrintCertificate);
- if (rv) {
- return (SECFailure);
- }
-+
-+ slotList = PK11_GetAllSlotsForCert(cert, NULL);
-+ if (slotList) {
-+ PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
-+ for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
-+ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
-+ if (handle != CK_INVALID_HANDLE) {
-+ PORT_SetError(0);
-+ if (PK11_HasAttributeSet(se->slot, handle,
-+ CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
-+ trueAttributeFound = PR_TRUE;
-+ } else if (!PORT_GetError()) {
-+ falseAttributeFound = PR_TRUE;
-+ }
-+ }
-+ }
-+ PK11_FreeSlotList(slotList);
-+ }
-+
-+ if (trueAttributeFound) {
-+ moz_policy_ca_info = "true (attribute present)";
-+ } else if (falseAttributeFound) {
-+ moz_policy_ca_info = "false (attribute present)";
-+ } else {
-+ moz_policy_ca_info = "false (attribute missing)";
-+ }
-+ SECU_Indent(stdout, 1);
-+ printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
-+
- if (trust) {
- SECU_PrintTrustFlags(stdout, trust,
- "Certificate Trust Flags", 1);
- } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
- SECU_PrintTrustFlags(stdout, &certTrust,
- "Certificate Trust Flags", 1);
- }
-
-diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
---- a/lib/ckfw/builtins/certdata.txt
-+++ b/lib/ckfw/builtins/certdata.txt
-@@ -186,16 +186,17 @@
- \034\161\142\356\312\310\227\254\027\135\212\302\370\107\206\156
- \052\304\126\061\225\320\147\211\205\053\371\154\246\135\106\235
- \014\252\202\344\231\121\335\160\267\333\126\075\141\344\152\341
- \134\326\366\376\075\336\101\314\007\256\143\122\277\123\123\364
- \053\351\307\375\266\367\202\137\205\322\101\030\333\201\263\004
- \034\305\037\244\200\157\025\040\311\336\014\210\012\035\326\146
- \125\342\374\110\311\051\046\151\340
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GlobalSign Root CA"
- # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
- # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
- # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
- # Not Valid Before: Tue Sep 01 12:00:00 1998
- # Not Valid After : Fri Jan 28 12:00:00 2028
- # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
-@@ -319,16 +320,17 @@
- \176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135
- \001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202
- \301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014
- \345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373
- \114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373
- \035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214
- \152\374\176\102\070\100\144\022\367\236\201\341\223\056
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GlobalSign Root CA - R2"
- # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
- # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
- # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
- # Not Valid Before: Fri Dec 15 08:00:00 2006
- # Not Valid After : Wed Dec 15 08:00:00 2021
- # Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
-@@ -474,16 +476,17 @@
- \114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354
- \245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216
- \274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042
- \171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170
- \023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043
- \363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243
- \113\336\006\226\161\054\362\333\266\037\244\357\077\356
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
- # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Fri Oct 01 00:00:00 1999
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
-@@ -638,16 +641,17 @@
- \301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110
- \260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153
- \106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045
- \342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317
- \162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263
- \377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125
- \311\130\020\371\252\357\132\266\317\113\113\337\052
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
- # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
- # Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Fri Oct 01 00:00:00 1999
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
-@@ -802,16 +806,17 @@
- \022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151
- \027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246
- \124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156
- \352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255
- \117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126
- \200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255
- \153\271\012\172\116\117\113\204\356\113\361\175\335\021
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:00:9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
- # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Fri Oct 01 00:00:00 1999
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
-@@ -1076,16 +1081,17 @@
- \273\377\043\357\150\031\313\022\223\047\134\003\055\157\060\320
- \036\266\032\254\336\132\367\321\252\250\047\246\376\171\201\304
- \171\231\063\127\272\022\260\251\340\102\154\223\312\126\336\376
- \155\204\013\010\213\176\215\352\327\230\041\306\363\347\074\171
- \057\136\234\321\114\025\215\341\354\042\067\314\232\103\013\227
- \334\200\220\215\263\147\233\157\110\010\025\126\317\277\361\053
- \174\136\232\166\351\131\220\305\174\203\065\021\145\121
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Entrust.net Premium 2048 Secure Server CA"
- # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
- # Serial Number: 946069240 (0x3863def8)
- # Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
- # Not Valid Before: Fri Dec 24 17:50:51 1999
- # Not Valid After : Tue Jul 24 14:15:12 2029
- # Fingerprint (MD5): EE:29:31:BC:32:7E:9A:E6:E8:B5:F7:51:B4:34:71:90
-@@ -1213,16 +1219,17 @@
- \056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275
- \144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163
- \222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021
- \356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017
- \365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322
- \107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374
- \347\201\035\031\303\044\102\352\143\071\251
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Baltimore CyberTrust Root"
- # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
- # Serial Number: 33554617 (0x20000b9)
- # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
- # Not Valid Before: Fri May 12 18:46:00 2000
- # Not Valid After : Mon May 12 23:59:00 2025
- # Fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
-@@ -1356,16 +1363,17 @@
- \213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145
- \247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030
- \062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173
- \054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200
- \132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317
- \213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344
- \065\341\035\026\034\320\274\053\216\326\161\331
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AddTrust Low-Value Services Root"
- # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
- # Serial Number: 1 (0x1)
- # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
- # Not Valid Before: Tue May 30 10:38:31 2000
- # Not Valid After : Sat May 30 10:38:31 2020
- # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
-@@ -1504,16 +1512,17 @@
- \335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247
- \142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027
- \163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236
- \216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163
- \111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132
- \232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202
- \027\132\173\320\274\307\217\116\206\004
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AddTrust External Root"
- # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
- # Serial Number: 1 (0x1)
- # Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
- # Not Valid Before: Tue May 30 10:48:38 2000
- # Not Valid After : Sat May 30 10:48:38 2020
- # Fingerprint (MD5): 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
-@@ -1649,16 +1658,17 @@
- \330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
- \341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
- \200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
- \305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
- \136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
- \137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
- \116\072\063\014\053\263\055\220\006
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AddTrust Public Services Root"
- # Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
- # Serial Number: 1 (0x1)
- # Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
- # Not Valid Before: Tue May 30 10:41:50 2000
- # Not Valid After : Sat May 30 10:41:50 2020
- # Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
-@@ -1794,16 +1804,17 @@
- \077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
- \011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
- \365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
- \211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
- \340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
- \074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
- \306\241
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AddTrust Qualified Certificates Root"
- # Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
- # Serial Number: 1 (0x1)
- # Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
- # Not Valid Before: Tue May 30 10:44:50 2000
- # Not Valid After : Sat May 30 10:44:50 2020
- # Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
-@@ -1956,16 +1967,17 @@
- \175\352\261\355\060\045\301\204\332\064\322\133\170\203\126\354
- \234\066\303\046\342\021\366\147\111\035\222\253\214\373\353\377
- \172\356\205\112\247\120\200\360\247\134\112\224\056\137\005\231
- \074\122\101\340\315\264\143\317\001\103\272\234\203\334\217\140
- \073\363\132\264\264\173\256\332\013\220\070\165\357\201\035\146
- \322\367\127\160\066\263\277\374\050\257\161\045\205\133\023\376
- \036\177\132\264\074
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Entrust Root Certification Authority"
- # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
- # Serial Number: 1164660820 (0x456b5054)
- # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
- # Not Valid Before: Mon Nov 27 20:23:42 2006
- # Not Valid After : Fri Nov 27 20:53:42 2026
- # Fingerprint (MD5): D6:A5:C3:ED:5D:DD:3E:00:C1:3D:87:92:1F:1D:3F:E4
-@@ -2089,16 +2101,17 @@
- \270\234\344\035\266\253\346\224\245\301\307\203\255\333\365\047
- \207\016\004\154\325\377\335\240\135\355\207\122\267\053\025\002
- \256\071\246\152\164\351\332\304\347\274\115\064\036\251\134\115
- \063\137\222\011\057\210\146\135\167\227\307\035\166\023\251\325
- \345\361\026\011\021\065\325\254\333\044\161\160\054\230\126\013
- \331\027\264\321\343\121\053\136\165\350\325\320\334\117\064\355
- \302\005\146\200\241\313\346\063
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Global CA"
- # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
- # Serial Number: 144470 (0x23456)
- # Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
- # Not Valid Before: Tue May 21 04:00:00 2002
- # Not Valid After : Sat May 21 04:00:00 2022
- # Fingerprint (MD5): F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
-@@ -2216,16 +2229,17 @@
- \151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227
- \136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126
- \000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005
- \043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133
- \105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152
- \107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363
- \342\042\051\256\175\203\100\250\272\154
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Global CA 2"
- # Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
- # Serial Number: 1 (0x1)
- # Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
- # Not Valid Before: Thu Mar 04 05:00:00 2004
- # Not Valid After : Mon Mar 04 05:00:00 2019
- # Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
-@@ -2375,16 +2389,17 @@
- \121\173\327\251\234\006\241\066\335\325\211\224\274\331\344\055
- \014\136\011\154\010\227\174\243\075\174\223\377\077\241\024\247
- \317\265\135\353\333\333\034\304\166\337\210\271\275\105\005\225
- \033\256\374\106\152\114\257\110\343\316\256\017\322\176\353\346
- \154\234\117\201\152\172\144\254\273\076\325\347\313\166\056\305
- \247\110\301\134\220\017\313\310\077\372\346\062\341\215\033\157
- \244\346\216\330\371\051\110\212\316\163\376\054
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Universal CA"
- # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
- # Serial Number: 1 (0x1)
- # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
- # Not Valid Before: Thu Mar 04 05:00:00 2004
- # Not Valid After : Sun Mar 04 05:00:00 2029
- # Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
-@@ -2534,16 +2549,17 @@
- \227\124\167\332\075\022\267\340\036\357\010\006\254\371\205\207
- \351\242\334\257\176\030\022\203\375\126\027\101\056\325\051\202
- \175\231\364\061\366\161\251\317\054\001\047\245\005\271\252\262
- \110\116\052\357\237\223\122\121\225\074\122\163\216\126\114\027
- \100\300\011\050\344\213\152\110\123\333\354\315\125\125\361\306
- \370\351\242\054\114\246\321\046\137\176\257\132\114\332\037\246
- \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Universal CA 2"
- # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
- # Serial Number: 1 (0x1)
- # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
- # Not Valid Before: Thu Mar 04 05:00:00 2004
- # Not Valid After : Sun Mar 04 05:00:00 2029
- # Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
-@@ -2670,16 +2686,17 @@
- \022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
- \004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
- \373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
- \115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
- \346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
- \337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
- \222\340\134\366\007\017
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Visa eCommerce Root"
- # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
- # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
- # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
- # Not Valid Before: Wed Jun 26 02:18:36 2002
- # Not Valid After : Fri Jun 24 00:16:12 2022
- # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-@@ -2792,16 +2809,17 @@
- \012\072\223\023\233\073\024\043\023\143\234\077\321\207\047\171
- \345\114\121\343\001\255\205\135\032\073\261\325\163\020\244\323
- \362\274\156\144\365\132\126\220\250\307\016\114\164\017\056\161
- \073\367\310\107\364\151\157\025\362\021\136\203\036\234\174\122
- \256\375\002\332\022\250\131\147\030\333\274\160\335\233\261\151
- \355\200\316\211\100\110\152\016\065\312\051\146\025\041\224\054
- \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Certum Root CA"
- # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
- # Serial Number: 65568 (0x10020)
- # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
- # Not Valid Before: Tue Jun 11 10:46:39 2002
- # Not Valid After : Fri Jun 11 10:46:39 2027
- # Fingerprint (MD5): 2C:8F:9F:66:1D:18:90:B1:47:26:9D:8E:86:82:8C:A9
-@@ -2937,16 +2955,17 @@
- \154\354\351\041\163\354\233\003\241\340\067\255\240\025\030\217
- \372\272\002\316\247\054\251\020\023\054\324\345\010\046\253\042
- \227\140\370\220\136\164\324\242\232\123\275\362\251\150\340\242
- \156\302\327\154\261\243\017\236\277\353\150\347\126\362\256\362
- \343\053\070\072\011\201\265\153\205\327\276\055\355\077\032\267
- \262\143\342\365\142\054\202\324\152\000\101\120\361\071\203\237
- \225\351\066\226\230\156
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Comodo AAA Services root"
- # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number: 1 (0x1)
- # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Thu Jan 01 00:00:00 2004
- # Not Valid After : Sun Dec 31 23:59:59 2028
- # Fingerprint (MD5): 49:79:04:B0:EB:87:19:AC:47:B0:BC:11:51:9B:74:D0
-@@ -3087,16 +3106,17 @@
- \223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
- \150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
- \243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
- \145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
- \213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
- \241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
- \354\375\051
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Comodo Secure Services root"
- # Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number: 1 (0x1)
- # Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Thu Jan 01 00:00:00 2004
- # Not Valid After : Sun Dec 31 23:59:59 2028
- # Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
-@@ -3239,16 +3259,17 @@
- \201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
- \306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
- \115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
- \172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
- \164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
- \005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
- \160\136\310\304\170\260\142
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Comodo Trusted Services root"
- # Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number: 1 (0x1)
- # Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Thu Jan 01 00:00:00 2004
- # Not Valid After : Sun Dec 31 23:59:59 2028
- # Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
-@@ -3417,16 +3438,17 @@
- \231\003\072\212\314\124\045\071\061\201\173\023\042\121\272\106
- \154\241\273\236\372\004\154\111\046\164\217\322\163\353\314\060
- \242\346\352\131\042\207\370\227\365\016\375\352\314\222\244\026
- \304\122\030\352\041\316\261\361\346\204\201\345\272\251\206\050
- \362\103\132\135\022\235\254\036\331\250\345\012\152\247\177\240
- \207\051\317\362\211\115\324\354\305\342\346\172\320\066\043\212
- \112\164\066\371
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "QuoVadis Root CA"
- # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
- # Serial Number: 985026699 (0x3ab6508b)
- # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
- # Not Valid Before: Mon Mar 19 18:33:33 2001
- # Not Valid After : Wed Mar 17 18:33:33 2021
- # Fingerprint (MD5): 27:DE:36:FE:72:B7:00:03:00:9D:F4:F0:1E:6C:04:24
-@@ -3585,16 +3607,17 @@
- \226\136\234\307\357\047\142\010\342\221\031\134\322\361\041\335
- \272\027\102\202\227\161\201\123\061\251\237\366\175\142\277\162
- \341\243\223\035\314\212\046\132\011\070\320\316\327\015\200\026
- \264\170\245\072\207\114\215\212\245\325\106\227\362\054\020\271
- \274\124\042\300\001\120\151\103\236\364\262\357\155\370\354\332
- \361\343\261\357\337\221\217\124\052\013\045\301\046\031\304\122
- \020\005\145\325\202\020\352\302\061\315\056
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "QuoVadis Root CA 2"
- # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
- # Serial Number: 1289 (0x509)
- # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
- # Not Valid Before: Fri Nov 24 18:27:00 2006
- # Not Valid After : Mon Nov 24 18:23:33 2031
- # Fingerprint (MD5): 5E:39:7B:DD:F8:BA:EC:82:E9:AC:62:BA:0C:54:00:2B
-@@ -3764,16 +3787,17 @@
- \340\164\053\262\353\175\276\101\033\265\300\106\305\241\042\313
- \137\116\301\050\222\336\030\272\325\052\050\273\021\213\027\223
- \230\231\140\224\134\043\317\132\047\227\136\013\005\006\223\067
- \036\073\151\066\353\251\236\141\035\217\062\332\216\014\326\164
- \076\173\011\044\332\001\167\107\304\073\315\064\214\231\365\312
- \341\045\141\063\262\131\033\342\156\327\067\127\266\015\251\022
- \332
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "QuoVadis Root CA 3"
- # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
- # Serial Number: 1478 (0x5c6)
- # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
- # Not Valid Before: Fri Nov 24 19:11:23 2006
- # Not Valid After : Mon Nov 24 19:06:44 2031
- # Fingerprint (MD5): 31:85:3C:62:94:97:63:B9:AA:FD:89:4E:AF:6F:E0:CF
-@@ -3892,16 +3916,17 @@
- \161\245\062\252\057\306\211\166\103\100\023\023\147\075\242\124
- \045\020\313\361\072\362\331\372\333\111\126\273\246\376\247\101
- \065\303\340\210\141\311\210\307\337\066\020\042\230\131\352\260
- \112\373\126\026\163\156\254\115\367\042\241\117\255\035\172\055
- \105\047\345\060\301\136\362\332\023\313\045\102\121\225\107\003
- \214\154\041\314\164\102\355\123\377\063\213\217\017\127\001\026
- \057\317\246\356\311\160\042\024\275\375\276\154\013\003
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Security Communication Root CA"
- # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
- # Serial Number: 0 (0x0)
- # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
- # Not Valid Before: Tue Sep 30 04:20:49 2003
- # Not Valid After : Sat Sep 30 04:20:49 2023
- # Fingerprint (MD5): F1:BC:63:6A:54:E0:B5:27:F5:CD:E7:1A:E3:4D:6E:4A
-@@ -4014,16 +4039,17 @@
- \066\276\246\133\015\152\154\232\037\221\173\371\371\357\102\272
- \116\116\236\314\014\215\224\334\331\105\234\136\354\102\120\143
- \256\364\135\304\261\022\334\312\073\250\056\235\024\132\005\165
- \267\354\327\143\342\272\065\266\004\010\221\350\332\235\234\366
- \146\265\030\254\012\246\124\046\064\063\322\033\301\324\177\032
- \072\216\013\252\062\156\333\374\117\045\237\331\062\307\226\132
- \160\254\337\114
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Sonera Class 2 Root CA"
- # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
- # Serial Number: 29 (0x1d)
- # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
- # Not Valid Before: Fri Apr 06 07:29:40 2001
- # Not Valid After : Tue Apr 06 07:29:40 2021
- # Fingerprint (MD5): A3:EC:75:0F:2E:88:DF:FA:48:01:4E:0B:5C:48:6F:FB
-@@ -4175,16 +4201,17 @@
- \211\272\061\035\305\020\150\122\236\337\242\205\305\134\010\246
- \170\346\123\117\261\350\267\323\024\236\223\246\303\144\343\254
- \176\161\315\274\237\351\003\033\314\373\351\254\061\301\257\174
- \025\164\002\231\303\262\107\246\302\062\141\327\307\157\110\044
- \121\047\241\325\207\125\362\173\217\230\075\026\236\356\165\266
- \370\320\216\362\363\306\256\050\133\247\360\363\066\027\374\303
- \005\323\312\003\112\124
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "UTN USERFirst Email Root CA"
- # Issuer: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
- # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:25:25:67:c9:89
- # Subject: CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
- # Not Valid Before: Fri Jul 09 17:28:50 1999
- # Not Valid After : Tue Jul 09 17:36:58 2019
- # Fingerprint (MD5): D7:34:3D:EF:1D:27:09:28:E1:31:02:5B:13:2B:DD:F7
-@@ -4338,16 +4365,17 @@
- \370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
- \335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
- \176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
- \225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
- \052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
- \152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
- \062\234\036\273\235\370\146\250
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "UTN USERFirst Hardware Root CA"
- # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
- # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
- # Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
- # Not Valid Before: Fri Jul 09 18:10:42 1999
- # Not Valid After : Tue Jul 09 18:19:22 2019
- # Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
-@@ -4498,16 +4526,17 @@
- \261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
- \064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
- \363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
- \306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
- \213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
- \122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
- \275\023\122\035\250\076\315\000\037\310
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "UTN USERFirst Object Root CA"
- # Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
- # Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
- # Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
- # Not Valid Before: Fri Jul 09 18:31:20 1999
- # Not Valid After : Tue Jul 09 18:40:36 2019
- # Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
-@@ -4661,16 +4690,17 @@
- \210\351\007\106\101\316\357\101\201\256\130\337\203\242\256\312
- \327\167\037\347\000\074\235\157\216\344\062\011\035\115\170\064
- \170\064\074\224\233\046\355\117\161\306\031\172\275\040\042\110
- \132\376\113\175\003\267\347\130\276\306\062\116\164\036\150\335
- \250\150\133\263\076\356\142\175\331\200\350\012\165\172\267\356
- \264\145\232\041\220\340\252\320\230\274\070\265\163\074\213\370
- \334
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Camerfirma Chambers of Commerce Root"
- # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
- # Serial Number: 0 (0x0)
- # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
- # Not Valid Before: Tue Sep 30 16:13:43 2003
- # Not Valid After : Wed Sep 30 16:13:44 2037
- # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
-@@ -4820,16 +4850,17 @@
- \222\025\323\137\076\306\000\111\072\156\130\262\321\321\047\015
- \045\310\062\370\040\021\315\175\062\063\110\224\124\114\335\334
- \171\304\060\237\353\216\270\125\265\327\210\134\305\152\044\075
- \262\323\005\003\121\306\007\357\314\024\162\164\075\156\162\316
- \030\050\214\112\240\167\345\011\053\105\104\107\254\267\147\177
- \001\212\005\132\223\276\241\301\377\370\347\016\147\244\107\111
- \166\135\165\220\032\365\046\217\360
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Camerfirma Global Chambersign Root"
- # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
- # Serial Number: 0 (0x0)
- # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
- # Not Valid Before: Tue Sep 30 16:14:18 2003
- # Not Valid After : Wed Sep 30 16:14:18 2037
- # Fingerprint (MD5): C5:E6:7B:BF:06:D0:4F:43:ED:C4:7A:65:8A:FB:6B:19
-@@ -4972,16 +5003,17 @@
- \212\144\101\061\270\016\154\220\044\244\233\134\161\217\272\273
- \176\034\033\333\152\200\017\041\274\351\333\246\267\100\364\262
- \213\251\261\344\357\232\032\320\075\151\231\356\250\050\243\341
- \074\263\360\262\021\234\317\174\100\346\335\347\103\175\242\330
- \072\265\251\215\362\064\231\304\324\020\341\006\375\011\204\020
- \073\356\304\114\364\354\047\174\102\302\164\174\202\212\011\311
- \264\003\045\274
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "XRamp Global CA Root"
- # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
- # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
- # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
- # Not Valid Before: Mon Nov 01 17:14:04 2004
- # Not Valid After : Mon Jan 01 05:37:19 2035
- # Fingerprint (MD5): A1:0B:44:B3:CA:10:D8:00:6E:9D:0F:D8:0F:92:0A:D1
-@@ -5118,16 +5150,17 @@
- \216\222\204\162\071\353\040\352\203\355\203\315\227\156\010\274
- \353\116\046\266\163\053\344\323\366\114\376\046\161\342\141\021
- \164\112\377\127\032\207\017\165\110\056\317\121\151\027\240\002
- \022\141\225\325\321\100\262\020\114\356\304\254\020\103\246\245
- \236\012\325\225\142\232\015\317\210\202\305\062\014\344\053\237
- \105\346\015\237\050\234\261\271\052\132\127\255\067\017\257\035
- \177\333\275\237
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Go Daddy Class 2 CA"
- # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
- # Serial Number: 0 (0x0)
- # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
- # Not Valid Before: Tue Jun 29 17:06:20 2004
- # Not Valid After : Thu Jun 29 17:06:20 2034
- # Fingerprint (MD5): 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
-@@ -5262,16 +5295,17 @@
- \055\225\276\365\161\220\103\314\215\037\232\000\012\207\051\351
- \125\042\130\000\043\352\343\022\103\051\133\107\010\335\214\101
- \152\145\006\250\345\041\252\101\264\225\041\225\271\175\321\064
- \253\023\326\255\274\334\342\075\071\315\275\076\165\160\241\030
- \131\003\311\042\264\217\234\325\136\052\327\245\266\324\012\155
- \370\267\100\021\106\232\037\171\016\142\277\017\227\354\340\057
- \037\027\224
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Starfield Class 2 CA"
- # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
- # Serial Number: 0 (0x0)
- # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
- # Not Valid Before: Tue Jun 29 17:39:16 2004
- # Not Valid After : Thu Jun 29 17:39:16 2034
- # Fingerprint (MD5): 32:4A:4B:BB:C8:63:69:9B:BE:74:9A:C6:DD:1D:46:24
-@@ -5467,16 +5501,17 @@
- \115\340\167\055\341\145\231\162\151\004\032\107\011\346\017\001
- \126\044\373\037\277\016\171\251\130\056\271\304\011\001\176\225
- \272\155\000\006\076\262\352\112\020\071\330\320\053\365\277\354
- \165\277\227\002\305\011\033\010\334\125\067\342\201\373\067\204
- \103\142\040\312\347\126\113\145\352\376\154\301\044\223\044\241
- \064\353\005\377\232\042\256\233\175\077\361\145\121\012\246\060
- \152\263\364\210\034\200\015\374\162\212\350\203\136
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "StartCom Certification Authority"
- # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
- # Serial Number: 1 (0x1)
- # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
- # Not Valid Before: Sun Sep 17 19:46:36 2006
- # Not Valid After : Wed Sep 17 19:46:36 2036
- # Fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
-@@ -5631,16 +5666,17 @@
- \262\304\060\231\043\116\135\362\110\241\022\014\334\022\220\011
- \220\124\221\003\074\107\345\325\311\145\340\267\113\175\354\107
- \323\263\013\076\255\236\320\164\000\016\353\275\121\255\300\336
- \054\300\303\152\376\357\334\013\247\372\106\337\140\333\234\246
- \131\120\165\043\151\163\223\262\371\374\002\323\107\346\161\316
- \020\002\356\047\214\204\377\254\105\015\023\134\203\062\340\045
- \245\206\054\174\364\022
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Taiwan GRCA"
- # Issuer: O=Government Root Certification Authority,C=TW
- # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
- # Subject: O=Government Root Certification Authority,C=TW
- # Not Valid Before: Thu Dec 05 13:23:33 2002
- # Not Valid After : Sun Dec 05 13:23:33 2032
- # Fingerprint (MD5): 37:85:44:53:32:45:1F:20:F0:F3:95:E1:25:C4:43:4E
-@@ -5803,16 +5839,17 @@
- \204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376
- \062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260
- \262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030
- \316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311
- \376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146
- \201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372
- \060\032\365\232\154\364\016\123\371\072\133\321\034
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Swisscom Root CA 1"
- # Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
- # Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
- # Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
- # Not Valid Before: Thu Aug 18 12:06:20 2005
- # Not Valid After : Mon Aug 18 22:06:20 2025
- # Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
-@@ -5943,16 +5980,17 @@
- \102\267\372\214\036\335\142\361\276\120\147\267\154\275\363\361
- \037\153\014\066\007\026\177\067\174\251\133\155\172\361\022\106
- \140\203\327\047\004\276\113\316\227\276\303\147\052\150\021\337
- \200\347\014\063\146\277\023\015\024\156\363\177\037\143\020\036
- \372\215\033\045\155\154\217\245\267\141\001\261\322\243\046\241
- \020\161\235\255\342\303\371\303\231\121\267\053\007\010\316\056
- \346\120\262\247\372\012\105\057\242\360\362
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "DigiCert Assured ID Root CA"
- # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
- # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Fri Nov 10 00:00:00 2006
- # Not Valid After : Mon Nov 10 00:00:00 2031
- # Fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
-@@ -6083,16 +6121,17 @@
- \076\052\271\066\123\317\072\120\006\367\056\350\304\127\111\154
- \141\041\030\325\004\255\170\074\054\072\200\153\247\353\257\025
- \024\351\330\211\301\271\070\154\342\221\154\212\377\144\271\167
- \045\127\060\300\033\044\243\341\334\351\337\107\174\265\264\044
- \010\005\060\354\055\275\013\277\105\277\120\271\251\363\353\230
- \001\022\255\310\210\306\230\064\137\215\012\074\306\351\325\225
- \225\155\336
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "DigiCert Global Root CA"
- # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
- # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Fri Nov 10 00:00:00 2006
- # Not Valid After : Mon Nov 10 00:00:00 2031
- # Fingerprint (MD5): 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
-@@ -6224,16 +6263,17 @@
- \143\070\275\104\244\177\344\046\053\012\304\227\151\015\351\214
- \342\300\020\127\270\310\166\022\221\125\362\110\151\330\274\052
- \002\133\017\104\324\040\061\333\364\272\160\046\135\220\140\236
- \274\113\027\011\057\264\313\036\103\150\311\007\047\301\322\134
- \367\352\041\271\150\022\234\074\234\277\236\374\200\134\233\143
- \315\354\107\252\045\047\147\240\067\363\000\202\175\124\327\251
- \370\351\056\023\243\167\350\037\112
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "DigiCert High Assurance EV Root CA"
- # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
- # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Fri Nov 10 00:00:00 2006
- # Not Valid After : Mon Nov 10 00:00:00 2031
- # Fingerprint (MD5): D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
-@@ -6356,16 +6396,17 @@
- \311\273\211\176\156\200\210\036\057\024\264\003\044\250\062\157
- \003\232\107\054\060\276\126\306\247\102\002\160\033\352\100\330
- \272\005\003\160\007\244\226\377\375\110\063\012\341\334\245\201
- \220\233\115\335\175\347\347\262\315\134\310\152\225\370\245\366
- \215\304\135\170\010\276\173\006\326\111\317\031\066\120\043\056
- \010\346\236\005\115\107\030\325\026\351\261\326\266\020\325\273
- \227\277\242\216\264\124
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Certplus Class 2 Primary CA"
- # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
- # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
- # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
- # Not Valid Before: Wed Jul 07 17:05:00 1999
- # Not Valid After : Sat Jul 06 23:59:59 2019
- # Fingerprint (MD5): 88:2C:8C:52:B8:A2:3C:F3:F7:BB:03:EA:AE:AC:42:0B
-@@ -6482,16 +6523,17 @@
- \162\062\207\306\360\104\273\123\162\155\103\365\046\110\232\122
- \147\267\130\253\376\147\166\161\170\333\015\242\126\024\023\071
- \044\061\205\242\250\002\132\060\107\341\335\120\007\274\002\011
- \220\000\353\144\143\140\233\026\274\210\311\022\346\322\175\221
- \213\371\075\062\215\145\264\351\174\261\127\166\352\305\266\050
- \071\277\025\145\034\310\366\167\226\152\012\215\167\013\330\221
- \013\004\216\007\333\051\266\012\356\235\202\065\065\020
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "DST Root CA X3"
- # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
- # Serial Number:44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
- # Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
- # Not Valid Before: Sat Sep 30 21:12:19 2000
- # Not Valid After : Thu Sep 30 14:01:15 2021
- # Fingerprint (MD5): 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
-@@ -6623,16 +6665,17 @@
- \343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
- \370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
- \256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
- \150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
- \064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
- \367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
- \363\267\240\247\315\345\172\063\066\152\372\232\053
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "DST ACES CA X6"
- # Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
- # Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
- # Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
- # Not Valid Before: Thu Nov 20 21:19:58 2003
- # Not Valid After : Mon Nov 20 21:19:58 2017
- # Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
-@@ -6790,16 +6833,17 @@
- \137\373\140\130\321\373\304\301\155\211\242\273\040\037\235\161
- \221\313\062\233\023\075\076\175\222\122\065\254\222\224\242\323
- \030\302\174\307\352\257\166\005\026\335\147\047\302\176\034\007
- \042\041\363\100\012\033\064\007\104\023\302\204\152\216\337\031
- \132\277\177\353\035\342\032\070\321\134\257\107\222\153\200\265
- \060\245\311\215\330\253\061\201\037\337\302\146\067\323\223\251
- \205\206\171\145\322
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "SwissSign Platinum CA - G2"
- # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
- # Serial Number:4e:b2:00:67:0c:03:5d:4f
- # Subject: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH
- # Not Valid Before: Wed Oct 25 08:36:00 2006
- # Not Valid After : Sat Oct 25 08:36:00 2036
- # Fingerprint (MD5): C9:98:27:77:28:1E:3D:0E:15:3C:84:00:B8:85:03:E6
-@@ -6954,16 +6998,17 @@
- \001\320\277\150\236\143\140\153\065\115\013\155\272\241\075\300
- \223\340\177\043\263\125\255\162\045\116\106\371\322\026\357\260
- \144\301\001\236\351\312\240\152\230\016\317\330\140\362\057\111
- \270\344\102\341\070\065\026\364\310\156\117\367\201\126\350\272
- \243\276\043\257\256\375\157\003\340\002\073\060\166\372\033\155
- \101\317\001\261\351\270\311\146\364\333\046\363\072\244\164\362
- \111\044\133\311\260\320\127\301\372\076\172\341\227\311
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "SwissSign Gold CA - G2"
- # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
- # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
- # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
- # Not Valid Before: Wed Oct 25 08:30:35 2006
- # Not Valid After : Sat Oct 25 08:30:35 2036
- # Fingerprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
-@@ -7119,16 +7164,17 @@
- \212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076
- \204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345
- \000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353
- \233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362
- \264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152
- \036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056
- \156
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "SwissSign Silver CA - G2"
- # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
- # Serial Number:4f:1b:d4:2f:54:bb:2f:4b
- # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
- # Not Valid Before: Wed Oct 25 08:32:46 2006
- # Not Valid After : Sat Oct 25 08:32:46 2036
- # Fingerprint (MD5): E0:06:A1:C9:7D:CF:C9:FC:0D:C0:56:75:96:D8:62:13
-@@ -7250,16 +7296,17 @@
- \254\257\031\240\163\022\055\374\302\101\272\201\221\332\026\132
- \061\267\371\264\161\200\022\110\231\162\163\132\131\123\301\143
- \122\063\355\247\311\322\071\002\160\372\340\261\102\146\051\252
- \233\121\355\060\124\042\024\137\331\253\035\301\344\224\360\370
- \365\053\367\352\312\170\106\326\270\221\375\246\015\053\032\024
- \001\076\200\360\102\240\225\007\136\155\315\314\113\244\105\215
- \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Primary Certification Authority"
- # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
- # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
- # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
- # Not Valid Before: Mon Nov 27 00:00:00 2006
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): 02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
-@@ -7404,16 +7451,17 @@
- \376\254\100\171\345\254\020\157\075\217\033\171\166\213\304\067
- \263\041\030\204\345\066\000\353\143\040\231\271\351\376\063\004
- \273\101\310\301\002\371\104\143\040\236\201\316\102\323\326\077
- \054\166\323\143\234\131\335\217\246\341\016\240\056\101\367\056
- \225\107\317\274\375\063\363\366\013\141\176\176\221\053\201\107
- \302\047\060\356\247\020\135\067\217\134\071\053\344\004\360\173
- \215\126\214\150
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "thawte Primary Root CA"
- # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
- # Serial Number:34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
- # Subject: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
- # Not Valid Before: Fri Nov 17 00:00:00 2006
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
-@@ -7578,16 +7626,17 @@
- \336\375\250\202\052\155\050\037\015\013\304\345\347\032\046\031
- \341\364\021\157\020\265\225\374\347\102\005\062\333\316\235\121
- \136\050\266\236\205\323\133\357\245\175\105\100\162\216\267\016
- \153\016\006\373\063\065\110\161\270\235\047\213\304\145\137\015
- \206\166\234\104\172\366\225\134\366\135\062\010\063\244\124\266
- \030\077\150\134\362\102\112\205\070\124\203\137\321\350\054\362
- \254\021\326\250\355\143\152
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
- # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Wed Nov 08 00:00:00 2006
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
-@@ -7720,16 +7769,17 @@
- \144\122\066\137\140\147\331\234\305\005\164\013\347\147\043\322
- \010\374\210\351\256\213\177\341\060\364\067\176\375\306\062\332
- \055\236\104\060\060\154\356\007\336\322\064\374\322\377\100\366
- \113\364\146\106\006\124\246\362\062\012\143\046\060\153\233\321
- \334\213\107\272\341\271\325\142\320\242\240\364\147\005\170\051
- \143\032\157\004\326\370\306\114\243\232\261\067\264\215\345\050
- \113\035\236\054\302\270\150\274\355\002\356\061
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "SecureTrust CA"
- # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
- # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
- # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
- # Not Valid Before: Tue Nov 07 19:31:18 2006
- # Not Valid After : Mon Dec 31 19:40:55 2029
- # Fingerprint (MD5): DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
-@@ -7854,16 +7904,17 @@
- \103\265\113\055\024\237\371\334\046\015\277\246\107\164\006\330
- \210\321\072\051\060\204\316\322\071\200\142\033\250\307\127\111
- \274\152\125\121\147\025\112\276\065\007\344\325\165\230\067\171
- \060\024\333\051\235\154\305\151\314\107\125\242\060\367\314\134
- \177\302\303\230\034\153\116\026\200\353\172\170\145\105\242\000
- \032\257\014\015\125\144\064\110\270\222\271\361\264\120\051\362
- \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Secure Global CA"
- # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
- # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
- # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
- # Not Valid Before: Tue Nov 07 19:42:28 2006
- # Not Valid After : Mon Dec 31 19:52:06 2029
- # Fingerprint (MD5): CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
-@@ -8003,16 +8054,17 @@
- \314\225\122\223\360\160\045\131\234\040\147\304\356\371\213\127
- \141\364\222\166\175\077\204\215\125\267\350\345\254\325\361\365
- \031\126\246\132\373\220\034\257\223\353\345\034\324\147\227\135
- \004\016\276\013\203\246\027\203\271\060\022\240\305\063\025\005
- \271\015\373\307\005\166\343\330\112\215\374\064\027\243\306\041
- \050\276\060\105\061\036\307\170\276\130\141\070\254\073\342\001
- \145
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "COMODO Certification Authority"
- # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
- # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Fri Dec 01 00:00:00 2006
- # Not Valid After : Mon Dec 31 23:59:59 2029
- # Fingerprint (MD5): 5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
-@@ -8148,16 +8200,17 @@
- \056\044\137\313\130\017\353\050\354\257\021\226\363\334\173\157
- \300\247\210\362\123\167\263\140\136\256\256\050\332\065\054\157
- \064\105\323\046\341\336\354\133\117\047\153\026\174\275\104\004
- \030\202\263\211\171\027\020\161\075\172\242\026\116\365\001\315
- \244\154\145\150\241\111\166\134\103\311\330\274\066\147\154\245
- \224\265\324\314\271\275\152\065\126\041\336\330\303\353\373\313
- \244\140\114\260\125\240\240\173\127\262
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Network Solutions Certificate Authority"
- # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
- # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
- # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
- # Not Valid Before: Fri Dec 01 00:00:00 2006
- # Not Valid After : Mon Dec 31 23:59:59 2029
- # Fingerprint (MD5): D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
-@@ -8188,177 +8241,16 @@
- \150\340
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- #
--# Certificate "WellsSecure Public Root Certificate Authority"
--#
--# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Serial Number: 1 (0x1)
--# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Not Valid Before: Thu Dec 13 17:07:54 2007
--# Not Valid After : Wed Dec 14 00:07:54 2022
--# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
--# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
--\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
--\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
--\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
--\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
--\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
--\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
--\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
--\165\164\150\157\162\151\164\171
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
--\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
--\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
--\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
--\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
--\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
--\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
--\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
--\165\164\150\157\162\151\164\171
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\001
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\004\275\060\202\003\245\240\003\002\001\002\002\001\001
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
--\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123\061
--\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163\040
--\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165\162
--\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154\154
--\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101\061
--\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163\123
--\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157\157
--\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
--\164\150\157\162\151\164\171\060\036\027\015\060\067\061\062\061
--\063\061\067\060\067\065\064\132\027\015\062\062\061\062\061\064
--\060\060\060\067\065\064\132\060\201\205\061\013\060\011\006\003
--\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004\012
--\014\027\127\145\154\154\163\040\106\141\162\147\157\040\127\145
--\154\154\163\123\145\143\165\162\145\061\034\060\032\006\003\125
--\004\013\014\023\127\145\154\154\163\040\106\141\162\147\157\040
--\102\141\156\153\040\116\101\061\066\060\064\006\003\125\004\003
--\014\055\127\145\154\154\163\123\145\143\165\162\145\040\120\165
--\142\154\151\143\040\122\157\157\164\040\103\145\162\164\151\146
--\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060
--\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
--\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
--\356\157\264\275\171\342\217\010\041\236\070\004\101\045\357\253
--\133\034\123\222\254\155\236\335\302\304\056\105\224\003\065\210
--\147\164\127\343\337\214\270\247\166\217\073\367\250\304\333\051
--\143\016\221\150\066\212\227\216\212\161\150\011\007\344\350\324
--\016\117\370\326\053\114\244\026\371\357\103\230\217\263\236\122
--\337\155\221\071\217\070\275\167\213\103\143\353\267\223\374\060
--\114\034\001\223\266\023\373\367\241\037\277\045\341\164\067\054
--\036\244\136\074\150\370\113\277\015\271\036\056\066\350\251\344
--\247\370\017\313\202\165\174\065\055\042\326\302\277\013\363\264
--\374\154\225\141\036\127\327\004\201\062\203\122\171\346\203\143
--\317\267\313\143\213\021\342\275\136\353\366\215\355\225\162\050
--\264\254\022\142\351\112\063\346\203\062\256\005\165\225\275\204
--\225\333\052\134\233\216\056\014\270\201\053\101\346\070\126\237
--\111\233\154\166\372\212\135\367\001\171\201\174\301\203\100\005
--\376\161\375\014\077\314\116\140\011\016\145\107\020\057\001\300
--\005\077\217\370\263\101\357\132\102\176\131\357\322\227\014\145
--\002\003\001\000\001\243\202\001\064\060\202\001\060\060\017\006
--\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\071
--\006\003\125\035\037\004\062\060\060\060\056\240\054\240\052\206
--\050\150\164\164\160\072\057\057\143\162\154\056\160\153\151\056
--\167\145\154\154\163\146\141\162\147\157\056\143\157\155\057\167
--\163\160\162\143\141\056\143\162\154\060\016\006\003\125\035\017
--\001\001\377\004\004\003\002\001\306\060\035\006\003\125\035\016
--\004\026\004\024\046\225\031\020\331\350\241\227\221\377\334\031
--\331\265\004\076\322\163\012\152\060\201\262\006\003\125\035\043
--\004\201\252\060\201\247\200\024\046\225\031\020\331\350\241\227
--\221\377\334\031\331\265\004\076\322\163\012\152\241\201\213\244
--\201\210\060\201\205\061\013\060\011\006\003\125\004\006\023\002
--\125\123\061\040\060\036\006\003\125\004\012\014\027\127\145\154
--\154\163\040\106\141\162\147\157\040\127\145\154\154\163\123\145
--\143\165\162\145\061\034\060\032\006\003\125\004\013\014\023\127
--\145\154\154\163\040\106\141\162\147\157\040\102\141\156\153\040
--\116\101\061\066\060\064\006\003\125\004\003\014\055\127\145\154
--\154\163\123\145\143\165\162\145\040\120\165\142\154\151\143\040
--\122\157\157\164\040\103\145\162\164\151\146\151\143\141\164\145
--\040\101\165\164\150\157\162\151\164\171\202\001\001\060\015\006
--\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
--\000\271\025\261\104\221\314\043\310\053\115\167\343\370\232\173
--\047\015\315\162\273\231\000\312\174\146\031\120\306\325\230\355
--\253\277\003\132\345\115\345\036\310\117\161\227\206\325\343\035
--\375\220\311\074\165\167\127\172\175\370\336\364\324\325\367\225
--\346\164\156\035\074\256\174\235\333\002\003\005\054\161\113\045
--\076\007\343\136\232\365\146\027\051\210\032\070\237\317\252\101
--\003\204\227\153\223\070\172\312\060\104\033\044\104\063\320\344
--\321\334\050\070\364\023\103\065\065\051\143\250\174\242\265\255
--\070\244\355\255\375\306\232\037\377\227\163\376\373\263\065\247
--\223\206\306\166\221\000\346\254\121\026\304\047\062\134\333\163
--\332\245\223\127\216\076\155\065\046\010\131\325\347\104\327\166
--\040\143\347\254\023\147\303\155\261\160\106\174\325\226\021\075
--\211\157\135\250\241\353\215\012\332\303\035\063\154\243\352\147
--\031\232\231\177\113\075\203\121\052\035\312\057\206\014\242\176
--\020\055\053\324\026\225\013\007\252\056\024\222\111\267\051\157
--\330\155\061\175\365\374\241\020\007\207\316\057\131\334\076\130
--\333
--END
--
--# Trust for Certificate "WellsSecure Public Root Certificate Authority"
--# Issuer: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Serial Number: 1 (0x1)
--# Subject: CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
--# Not Valid Before: Thu Dec 13 17:07:54 2007
--# Not Valid After : Wed Dec 14 00:07:54 2022
--# Fingerprint (MD5): 15:AC:A5:C2:92:2D:79:BC:E8:7F:CB:67:ED:02:CF:36
--# Fingerprint (SHA1): E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "WellsSecure Public Root Certificate Authority"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\347\264\366\235\141\354\220\151\333\176\220\247\100\032\074\364
--\175\117\350\356
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\025\254\245\302\222\055\171\274\350\177\313\147\355\002\317\066
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\205\061\013\060\011\006\003\125\004\006\023\002\125\123
--\061\040\060\036\006\003\125\004\012\014\027\127\145\154\154\163
--\040\106\141\162\147\157\040\127\145\154\154\163\123\145\143\165
--\162\145\061\034\060\032\006\003\125\004\013\014\023\127\145\154
--\154\163\040\106\141\162\147\157\040\102\141\156\153\040\116\101
--\061\066\060\064\006\003\125\004\003\014\055\127\145\154\154\163
--\123\145\143\165\162\145\040\120\165\142\154\151\143\040\122\157
--\157\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101
--\165\164\150\157\162\151\164\171
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\001
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "COMODO ECC Certification Authority"
- #
- # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
- # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Thu Mar 06 00:00:00 2008
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
-@@ -8434,16 +8326,17 @@
- \004\003\003\003\150\000\060\145\002\061\000\357\003\133\172\254
- \267\170\012\162\267\210\337\377\265\106\024\011\012\372\240\346
- \175\010\306\032\207\275\030\250\163\275\046\312\140\014\235\316
- \231\237\317\134\017\060\341\276\024\061\352\002\060\024\364\223
- \074\111\247\063\172\220\106\107\263\143\175\023\233\116\267\157
- \030\067\200\123\376\335\040\340\065\232\066\321\307\001\271\346
- \334\335\363\377\035\054\072\026\127\331\222\071\326
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "COMODO ECC Certification Authority"
- # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number:1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
- # Subject: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Thu Mar 06 00:00:00 2008
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (MD5): 7C:62:FF:74:9D:31:53:5E:68:4A:D5:78:AA:1E:BF:23
-@@ -8741,16 +8634,17 @@
- \250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
- \102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
- \067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
- \340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
- \124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
- \310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
- \164
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Security Communication EV RootCA1"
- # Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
- # Serial Number: 0 (0x0)
- # Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
- # Not Valid Before: Wed Jun 06 02:12:32 2007
- # Not Valid After : Sat Jun 06 02:12:32 2037
- # Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
-@@ -8888,16 +8782,17 @@
- \204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030
- \113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000
- \267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142
- \026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243
- \156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051
- \130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311
- \374\276\337\012\015
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "OISTE WISeKey Global Root GA CA"
- # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
- # Serial Number:41:3d:72:c7:f4:6b:1f:81:43:7d:f1:d2:28:54:df:9a
- # Subject: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH
- # Not Valid Before: Sun Dec 11 16:03:44 2005
- # Not Valid After : Fri Dec 11 16:09:51 2037
- # Fingerprint (MD5): BC:6C:51:33:A7:E9:D3:66:63:54:15:72:1B:21:92:93
-@@ -8930,222 +8825,16 @@
- \337\232
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- #
--# Certificate "Microsec e-Szigno Root CA"
--#
--# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
--# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Not Valid Before: Wed Apr 06 12:28:44 2005
--# Not Valid After : Thu Apr 06 12:28:44 2017
--# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
--# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
--\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
--\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
--\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
--\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
--\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
--\164\040\103\101
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
--\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
--\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
--\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
--\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
--\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
--\164\040\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
--\054\017\021
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\007\250\060\202\006\220\240\003\002\001\002\002\021\000
--\314\270\347\277\116\051\032\375\242\334\146\245\034\054\017\021
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
--\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061\021
--\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145\163
--\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143\162
--\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003\125
--\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101\061
--\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157\163
--\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157\164
--\040\103\101\060\036\027\015\060\065\060\064\060\066\061\062\062
--\070\064\064\132\027\015\061\067\060\064\060\066\061\062\062\070
--\064\064\132\060\162\061\013\060\011\006\003\125\004\006\023\002
--\110\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144
--\141\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015
--\115\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060
--\022\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157
--\040\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151
--\143\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040
--\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011\052
--\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
--\202\001\012\002\202\001\001\000\355\310\000\325\201\173\315\070
--\000\107\314\333\204\301\041\151\054\164\220\014\041\331\123\207
--\355\076\103\104\123\257\253\370\200\233\074\170\215\324\215\256
--\270\357\323\021\334\201\346\317\073\226\214\326\157\025\306\167
--\176\241\057\340\137\222\266\047\327\166\232\035\103\074\352\331
--\354\057\356\071\363\152\147\113\213\202\317\042\370\145\125\376
--\054\313\057\175\110\172\075\165\371\252\240\047\273\170\302\006
--\312\121\302\176\146\113\257\315\242\247\115\002\202\077\202\254
--\205\306\341\017\220\107\231\224\012\161\162\223\052\311\246\300
--\276\074\126\114\163\222\047\361\153\265\365\375\374\060\005\140
--\222\306\353\226\176\001\221\302\151\261\036\035\173\123\105\270
--\334\101\037\311\213\161\326\124\024\343\213\124\170\077\276\364
--\142\073\133\365\243\354\325\222\164\342\164\060\357\001\333\341
--\324\253\231\233\052\153\370\275\246\034\206\043\102\137\354\111
--\336\232\213\133\364\162\072\100\305\111\076\245\276\216\252\161
--\353\154\372\365\032\344\152\375\173\175\125\100\357\130\156\346
--\331\325\274\044\253\301\357\267\002\003\001\000\001\243\202\004
--\067\060\202\004\063\060\147\006\010\053\006\001\005\005\007\001
--\001\004\133\060\131\060\050\006\010\053\006\001\005\005\007\060
--\001\206\034\150\164\164\160\163\072\057\057\162\143\141\056\145
--\055\163\172\151\147\156\157\056\150\165\057\157\143\163\160\060
--\055\006\010\053\006\001\005\005\007\060\002\206\041\150\164\164
--\160\072\057\057\167\167\167\056\145\055\163\172\151\147\156\157
--\056\150\165\057\122\157\157\164\103\101\056\143\162\164\060\017
--\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
--\202\001\163\006\003\125\035\040\004\202\001\152\060\202\001\146
--\060\202\001\142\006\014\053\006\001\004\001\201\250\030\002\001
--\001\001\060\202\001\120\060\050\006\010\053\006\001\005\005\007
--\002\001\026\034\150\164\164\160\072\057\057\167\167\167\056\145
--\055\163\172\151\147\156\157\056\150\165\057\123\132\123\132\057
--\060\202\001\042\006\010\053\006\001\005\005\007\002\002\060\202
--\001\024\036\202\001\020\000\101\000\040\000\164\000\141\000\156
--\000\372\000\163\000\355\000\164\000\166\000\341\000\156\000\171
--\000\040\000\351\000\162\000\164\000\145\000\154\000\155\000\145
--\000\172\000\351\000\163\000\351\000\150\000\145\000\172\000\040
--\000\351\000\163\000\040\000\145\000\154\000\146\000\157\000\147
--\000\141\000\144\000\341\000\163\000\341\000\150\000\157\000\172
--\000\040\000\141\000\040\000\123\000\172\000\157\000\154\000\147
--\000\341\000\154\000\164\000\141\000\164\000\363\000\040\000\123
--\000\172\000\157\000\154\000\147\000\341\000\154\000\164\000\141
--\000\164\000\341\000\163\000\151\000\040\000\123\000\172\000\141
--\000\142\000\341\000\154\000\171\000\172\000\141\000\164\000\141
--\000\040\000\163\000\172\000\145\000\162\000\151\000\156\000\164
--\000\040\000\153\000\145\000\154\000\154\000\040\000\145\000\154
--\000\152\000\341\000\162\000\156\000\151\000\072\000\040\000\150
--\000\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167
--\000\167\000\056\000\145\000\055\000\163\000\172\000\151\000\147
--\000\156\000\157\000\056\000\150\000\165\000\057\000\123\000\132
--\000\123\000\132\000\057\060\201\310\006\003\125\035\037\004\201
--\300\060\201\275\060\201\272\240\201\267\240\201\264\206\041\150
--\164\164\160\072\057\057\167\167\167\056\145\055\163\172\151\147
--\156\157\056\150\165\057\122\157\157\164\103\101\056\143\162\154
--\206\201\216\154\144\141\160\072\057\057\154\144\141\160\056\145
--\055\163\172\151\147\156\157\056\150\165\057\103\116\075\115\151
--\143\162\157\163\145\143\045\062\060\145\055\123\172\151\147\156
--\157\045\062\060\122\157\157\164\045\062\060\103\101\054\117\125
--\075\145\055\123\172\151\147\156\157\045\062\060\103\101\054\117
--\075\115\151\143\162\157\163\145\143\045\062\060\114\164\144\056
--\054\114\075\102\165\144\141\160\145\163\164\054\103\075\110\125
--\077\143\145\162\164\151\146\151\143\141\164\145\122\145\166\157
--\143\141\164\151\157\156\114\151\163\164\073\142\151\156\141\162
--\171\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
--\006\060\201\226\006\003\125\035\021\004\201\216\060\201\213\201
--\020\151\156\146\157\100\145\055\163\172\151\147\156\157\056\150
--\165\244\167\060\165\061\043\060\041\006\003\125\004\003\014\032
--\115\151\143\162\157\163\145\143\040\145\055\123\172\151\147\156
--\303\263\040\122\157\157\164\040\103\101\061\026\060\024\006\003
--\125\004\013\014\015\145\055\123\172\151\147\156\303\263\040\110
--\123\132\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\113\146\164\056\061\021\060\017\006\003
--\125\004\007\023\010\102\165\144\141\160\145\163\164\061\013\060
--\011\006\003\125\004\006\023\002\110\125\060\201\254\006\003\125
--\035\043\004\201\244\060\201\241\200\024\307\240\111\165\026\141
--\204\333\061\113\204\322\361\067\100\220\357\116\334\367\241\166
--\244\164\060\162\061\013\060\011\006\003\125\004\006\023\002\110
--\125\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141
--\160\145\163\164\061\026\060\024\006\003\125\004\012\023\015\115
--\151\143\162\157\163\145\143\040\114\164\144\056\061\024\060\022
--\006\003\125\004\013\023\013\145\055\123\172\151\147\156\157\040
--\103\101\061\042\060\040\006\003\125\004\003\023\031\115\151\143
--\162\157\163\145\143\040\145\055\123\172\151\147\156\157\040\122
--\157\157\164\040\103\101\202\021\000\314\270\347\277\116\051\032
--\375\242\334\146\245\034\054\017\021\060\035\006\003\125\035\016
--\004\026\004\024\307\240\111\165\026\141\204\333\061\113\204\322
--\361\067\100\220\357\116\334\367\060\015\006\011\052\206\110\206
--\367\015\001\001\005\005\000\003\202\001\001\000\323\023\234\146
--\143\131\056\312\134\160\014\374\203\274\125\261\364\216\007\154
--\146\047\316\301\073\040\251\034\273\106\124\160\356\132\314\240
--\167\352\150\104\047\353\362\051\335\167\251\325\373\343\324\247
--\004\304\225\270\013\341\104\150\140\007\103\060\061\102\141\345
--\356\331\345\044\325\033\337\341\112\033\252\237\307\137\370\172
--\021\352\023\223\000\312\212\130\261\356\355\016\115\264\327\250
--\066\046\174\340\072\301\325\127\202\361\165\266\375\211\137\332
--\363\250\070\237\065\006\010\316\042\225\276\315\325\374\276\133
--\336\171\153\334\172\251\145\146\276\261\045\132\137\355\176\323
--\254\106\155\114\364\062\207\264\040\004\340\154\170\260\167\321
--\205\106\113\246\022\267\165\350\112\311\126\154\327\222\253\235
--\365\111\070\322\117\123\343\125\220\021\333\230\226\306\111\362
--\076\364\237\033\340\367\210\334\045\142\231\104\330\163\277\077
--\060\363\014\067\076\324\302\050\200\163\261\001\267\235\132\226
--\024\001\113\251\021\235\051\152\056\320\135\201\300\317\262\040
--\103\307\003\340\067\116\135\012\334\131\040\045
--END
--
--# Trust for Certificate "Microsec e-Szigno Root CA"
--# Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
--# Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
--# Not Valid Before: Wed Apr 06 12:28:44 2005
--# Not Valid After : Thu Apr 06 12:28:44 2017
--# Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
--# Fingerprint (SHA1): 23:88:C9:D3:71:CC:9E:96:3D:FF:7D:3C:A7:CE:FC:D6:25:EC:19:0D
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "Microsec e-Szigno Root CA"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\043\210\311\323\161\314\236\226\075\377\175\074\247\316\374\326
--\045\354\031\015
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\360\226\266\057\305\020\325\147\216\203\045\062\350\136\056\345
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\162\061\013\060\011\006\003\125\004\006\023\002\110\125\061
--\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145
--\163\164\061\026\060\024\006\003\125\004\012\023\015\115\151\143
--\162\157\163\145\143\040\114\164\144\056\061\024\060\022\006\003
--\125\004\013\023\013\145\055\123\172\151\147\156\157\040\103\101
--\061\042\060\040\006\003\125\004\003\023\031\115\151\143\162\157
--\163\145\143\040\145\055\123\172\151\147\156\157\040\122\157\157
--\164\040\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
--\054\017\021
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "Certigna"
- #
- # Issuer: CN=Certigna,O=Dhimyotis,C=FR
- # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
- # Subject: CN=Certigna,O=Dhimyotis,C=FR
- # Not Valid Before: Fri Jun 29 15:13:05 2007
- # Not Valid After : Tue Jun 29 15:13:05 2027
- # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
-@@ -9228,16 +8917,17 @@
- \013\221\003\165\054\154\162\265\141\225\232\015\213\271\015\347
- \365\337\124\315\336\346\330\326\011\010\227\143\345\301\056\260
- \267\104\046\300\046\300\257\125\060\236\073\325\066\052\031\004
- \364\134\036\377\317\054\267\377\320\375\207\100\021\325\021\043
- \273\110\300\041\251\244\050\055\375\025\370\260\116\053\364\060
- \133\041\374\021\221\064\276\101\357\173\235\227\165\377\227\225
- \300\226\130\057\352\273\106\327\273\344\331\056
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Certigna"
- # Issuer: CN=Certigna,O=Dhimyotis,C=FR
- # Serial Number:00:fe:dc:e3:01:0f:c9:48:ff
- # Subject: CN=Certigna,O=Dhimyotis,C=FR
- # Not Valid Before: Fri Jun 29 15:13:05 2007
- # Not Valid After : Tue Jun 29 15:13:05 2027
- # Fingerprint (MD5): AB:57:A6:5B:7D:42:82:19:B5:D8:58:26:28:5E:FD:FF
-@@ -9409,16 +9099,17 @@
- \104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352
- \147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211
- \302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153
- \060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030
- \107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043
- \053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144
- \005\211\374\170\326\134\054\046\103\251
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AC Raiz Certicamara S.A."
- # Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
- # Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
- # Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
- # Not Valid Before: Mon Nov 27 20:46:29 2006
- # Not Valid After : Tue Apr 02 21:42:02 2030
- # Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
-@@ -9566,16 +9257,17 @@
- \334\071\361\305\162\243\021\003\375\073\102\122\051\333\350\001
- \367\233\136\214\326\215\206\116\031\372\274\034\276\305\041\245
- \207\236\170\056\066\333\011\161\243\162\064\370\154\343\006\011
- \362\136\126\245\323\335\230\372\324\346\006\364\360\266\040\143
- \113\352\051\275\252\202\146\036\373\201\252\247\067\255\023\030
- \346\222\303\201\301\063\273\210\036\241\347\342\264\275\061\154
- \016\121\075\157\373\226\126\200\342\066\027\321\334\344
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "TC TrustCenter Class 3 CA II"
- # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
- # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
- # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
- # Not Valid Before: Thu Jan 12 14:41:57 2006
- # Not Valid After : Wed Dec 31 22:59:59 2025
- # Fingerprint (MD5): 56:5F:AA:80:61:12:17:F6:67:21:E6:2B:6D:61:56:8E
-@@ -9706,16 +9398,17 @@
- \332\347\212\067\041\276\131\143\340\362\205\210\061\123\324\124
- \024\205\160\171\364\056\006\167\047\165\057\037\270\212\371\376
- \305\272\330\066\344\203\354\347\145\267\277\143\132\363\106\257
- \201\224\067\324\101\214\326\043\326\036\317\365\150\033\104\143
- \242\132\272\247\065\131\241\345\160\005\233\016\043\127\231\224
- \012\155\272\071\143\050\206\222\363\030\204\330\373\321\317\005
- \126\144\127
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Deutsche Telekom Root CA 2"
- # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
- # Serial Number: 38 (0x26)
- # Subject: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
- # Not Valid Before: Fri Jul 09 12:11:00 1999
- # Not Valid After : Tue Jul 09 23:59:00 2019
- # Fingerprint (MD5): 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
-@@ -9838,16 +9531,17 @@
- \205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334
- \157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135
- \023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044
- \105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163
- \055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370
- \214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224
- \000\147\240\161\000\202\110
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "ComSign CA"
- # Issuer: C=IL,O=ComSign,CN=ComSign CA
- # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
- # Subject: C=IL,O=ComSign,CN=ComSign CA
- # Not Valid Before: Wed Mar 24 11:32:18 2004
- # Not Valid After : Mon Mar 19 15:02:18 2029
- # Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
-@@ -9968,16 +9662,17 @@
- \275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141
- \035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113
- \205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320
- \256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142
- \237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063
- \072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053
- \316\145\006\056\135\322\052\123\164\136\323\156\047\236\217
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "ComSign Secured CA"
- # Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
- # Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
- # Subject: C=IL,O=ComSign,CN=ComSign Secured CA
- # Not Valid Before: Wed Mar 24 11:37:20 2004
- # Not Valid After : Fri Mar 16 15:04:56 2029
- # Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
-@@ -10097,16 +9792,17 @@
- \017\124\335\203\273\237\321\217\247\123\163\303\313\377\060\354
- \174\004\270\330\104\037\223\137\161\011\042\267\156\076\352\034
- \003\116\235\032\040\141\373\201\067\354\136\374\012\105\253\327
- \347\027\125\320\240\352\140\233\246\366\343\214\133\051\302\006
- \140\024\235\055\227\114\251\223\025\235\141\304\001\137\110\326
- \130\275\126\061\022\116\021\310\041\340\263\021\221\145\333\264
- \246\210\070\316\125
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Cybertrust Global Root"
- # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
- # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
- # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
- # Not Valid Before: Fri Dec 15 08:00:00 2006
- # Not Valid After : Wed Dec 15 08:00:00 2021
- # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
-@@ -10263,16 +9959,17 @@
- \115\343\061\325\307\354\350\362\260\376\222\036\026\012\032\374
- \331\363\370\047\266\311\276\035\264\154\144\220\177\364\344\304
- \133\327\067\256\102\016\335\244\032\157\174\210\124\305\026\156
- \341\172\150\056\370\072\277\015\244\074\211\073\170\247\116\143
- \203\004\041\010\147\215\362\202\111\320\133\375\261\315\017\203
- \204\324\076\040\205\367\112\075\053\234\375\052\012\011\115\352
- \201\370\021\234
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "ePKI Root Certification Authority"
- # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
- # Serial Number:15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
- # Subject: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW
- # Not Valid Before: Mon Dec 20 02:31:27 2004
- # Not Valid After : Wed Dec 20 02:31:27 2034
- # Fingerprint (MD5): 1B:2E:00:CA:26:06:90:3D:AD:FE:6F:15:68:D3:6B:B3
-@@ -10447,16 +10144,17 @@
- \200\262\136\014\112\023\236\040\330\142\100\253\220\352\144\112
- \057\254\015\001\022\171\105\250\057\207\031\150\310\342\205\307
- \060\262\165\371\070\077\262\300\223\264\153\342\003\104\316\147
- \240\337\211\326\255\214\166\243\023\303\224\141\053\153\331\154
- \301\007\012\042\007\205\154\205\044\106\251\276\077\213\170\204
- \202\176\044\014\235\375\201\067\343\045\250\355\066\116\225\054
- \311\234\220\332\354\251\102\074\255\266\002
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
- # Serial Number: 17 (0x11)
- # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
- # Not Valid Before: Fri Aug 24 11:37:07 2007
- # Not Valid After : Mon Aug 21 11:37:07 2017
- # Fingerprint (MD5): ED:41:F5:8C:50:C5:2B:9C:73:E6:EE:6C:EB:C2:A8:26
-@@ -10583,16 +10281,17 @@
- \045\335\141\047\043\034\265\061\007\004\066\264\032\220\275\240
- \164\161\120\211\155\274\024\343\017\206\256\361\253\076\307\240
- \011\314\243\110\321\340\333\144\347\222\265\317\257\162\103\160
- \213\371\303\204\074\023\252\176\222\233\127\123\223\372\160\302
- \221\016\061\371\233\147\135\351\226\070\136\137\263\163\116\210
- \025\147\336\236\166\020\142\040\276\125\151\225\103\000\071\115
- \366\356\260\132\116\111\104\124\130\137\102\203
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "certSIGN ROOT CA"
- # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
- # Serial Number:20:06:05:16:70:02
- # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
- # Not Valid Before: Tue Jul 04 17:20:04 2006
- # Not Valid After : Fri Jul 04 17:20:04 2031
- # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
-@@ -10706,16 +10405,17 @@
- \125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313
- \156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356
- \343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311
- \022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143
- \330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256
- \056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125
- \011\333\212\101\202\236\146\233\021
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "CNNIC ROOT"
- # Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
- # Serial Number: 1228079105 (0x49330001)
- # Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
- # Not Valid Before: Mon Apr 16 07:09:14 2007
- # Not Valid After : Fri Apr 16 07:09:14 2027
- # Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
-@@ -10742,147 +10442,16 @@
- \002\004\111\063\000\001
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- #
--# Certificate "ApplicationCA - Japanese Government"
--#
--# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
--# Serial Number: 49 (0x31)
--# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
--# Not Valid Before: Wed Dec 12 15:00:00 2007
--# Not Valid After : Tue Dec 12 15:00:00 2017
--# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
--# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
--\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
--\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
--\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
--\151\157\156\103\101
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
--\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
--\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
--\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
--\151\157\156\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\061
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\003\240\060\202\002\210\240\003\002\001\002\002\001\061
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
--\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061\034
--\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145\163
--\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060\024
--\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164\151
--\157\156\103\101\060\036\027\015\060\067\061\062\061\062\061\065
--\060\060\060\060\132\027\015\061\067\061\062\061\062\061\065\060
--\060\060\060\132\060\103\061\013\060\011\006\003\125\004\006\023
--\002\112\120\061\034\060\032\006\003\125\004\012\023\023\112\141
--\160\141\156\145\163\145\040\107\157\166\145\162\156\155\145\156
--\164\061\026\060\024\006\003\125\004\013\023\015\101\160\160\154
--\151\143\141\164\151\157\156\103\101\060\202\001\042\060\015\006
--\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
--\000\060\202\001\012\002\202\001\001\000\247\155\340\164\116\207
--\217\245\006\336\150\242\333\206\231\113\144\015\161\360\012\005
--\233\216\252\341\314\056\322\152\073\301\172\264\227\141\215\212
--\276\306\232\234\006\264\206\121\344\067\016\164\170\176\137\212
--\177\224\244\327\107\010\375\120\132\126\344\150\254\050\163\240
--\173\351\177\030\222\100\117\055\235\365\256\104\110\163\066\006
--\236\144\054\073\064\043\333\134\046\344\161\171\217\324\156\171
--\042\271\223\301\312\315\301\126\355\210\152\327\240\071\041\004
--\127\054\242\365\274\107\101\117\136\064\042\225\265\037\051\155
--\136\112\363\115\162\276\101\126\040\207\374\351\120\107\327\060
--\024\356\134\214\125\272\131\215\207\374\043\336\223\320\004\214
--\375\357\155\275\320\172\311\245\072\152\162\063\306\112\015\005
--\027\052\055\173\261\247\330\326\360\276\364\077\352\016\050\155
--\101\141\043\166\170\303\270\145\244\363\132\256\314\302\252\331
--\347\130\336\266\176\235\205\156\237\052\012\157\237\003\051\060
--\227\050\035\274\267\317\124\051\116\121\061\371\047\266\050\046
--\376\242\143\346\101\026\360\063\230\107\002\003\001\000\001\243
--\201\236\060\201\233\060\035\006\003\125\035\016\004\026\004\024
--\124\132\313\046\077\161\314\224\106\015\226\123\352\153\110\320
--\223\376\102\165\060\016\006\003\125\035\017\001\001\377\004\004
--\003\002\001\006\060\131\006\003\125\035\021\004\122\060\120\244
--\116\060\114\061\013\060\011\006\003\125\004\006\023\002\112\120
--\061\030\060\026\006\003\125\004\012\014\017\346\227\245\346\234
--\254\345\233\275\346\224\277\345\272\234\061\043\060\041\006\003
--\125\004\013\014\032\343\202\242\343\203\227\343\203\252\343\202
--\261\343\203\274\343\202\267\343\203\247\343\203\263\103\101\060
--\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
--\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
--\202\001\001\000\071\152\104\166\167\070\072\354\243\147\106\017
--\371\213\006\250\373\152\220\061\316\176\354\332\321\211\174\172
--\353\056\014\275\231\062\347\260\044\326\303\377\365\262\210\011
--\207\054\343\124\341\243\246\262\010\013\300\205\250\310\322\234
--\161\366\035\237\140\374\070\063\023\341\236\334\013\137\332\026
--\120\051\173\057\160\221\017\231\272\064\064\215\225\164\305\176
--\170\251\146\135\275\312\041\167\102\020\254\146\046\075\336\221
--\253\375\025\360\157\355\154\137\020\370\363\026\366\003\212\217
--\247\022\021\014\313\375\077\171\301\234\375\142\356\243\317\124
--\014\321\053\137\027\076\343\076\277\300\053\076\011\233\376\210
--\246\176\264\222\027\374\043\224\201\275\156\247\305\214\302\353
--\021\105\333\370\101\311\226\166\352\160\137\171\022\153\344\243
--\007\132\005\357\047\111\317\041\237\212\114\011\160\146\251\046
--\301\053\021\116\063\322\016\374\326\154\322\016\062\144\150\377
--\255\005\170\137\003\035\250\343\220\254\044\340\017\100\247\113
--\256\213\050\267\202\312\030\007\346\267\133\164\351\040\031\177
--\262\033\211\124
--END
--
--# Trust for Certificate "ApplicationCA - Japanese Government"
--# Issuer: OU=ApplicationCA,O=Japanese Government,C=JP
--# Serial Number: 49 (0x31)
--# Subject: OU=ApplicationCA,O=Japanese Government,C=JP
--# Not Valid Before: Wed Dec 12 15:00:00 2007
--# Not Valid After : Tue Dec 12 15:00:00 2017
--# Fingerprint (MD5): 7E:23:4E:5B:A7:A5:B4:25:E9:00:07:74:11:62:AE:D6
--# Fingerprint (SHA1): 7F:8A:B0:CF:D0:51:87:6A:66:F3:36:0F:47:C8:8D:8C:D3:35:FC:74
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "ApplicationCA - Japanese Government"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\177\212\260\317\320\121\207\152\146\363\066\017\107\310\215\214
--\323\065\374\164
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\176\043\116\133\247\245\264\045\351\000\007\164\021\142\256\326
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\103\061\013\060\011\006\003\125\004\006\023\002\112\120\061
--\034\060\032\006\003\125\004\012\023\023\112\141\160\141\156\145
--\163\145\040\107\157\166\145\162\156\155\145\156\164\061\026\060
--\024\006\003\125\004\013\023\015\101\160\160\154\151\143\141\164
--\151\157\156\103\101
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\001\061
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "GeoTrust Primary Certification Authority - G3"
- #
- # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
- # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Not Valid Before: Wed Apr 02 00:00:00 2008
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
-@@ -10984,16 +10553,17 @@
- \207\174\015\015\317\056\010\134\112\100\015\076\354\201\141\346
- \044\333\312\340\016\055\007\262\076\126\334\215\365\101\205\007
- \110\233\014\013\313\111\077\175\354\267\375\313\215\147\211\032
- \253\355\273\036\243\000\010\010\027\052\202\134\061\135\106\212
- \055\017\206\233\164\331\105\373\324\100\261\172\252\150\055\206
- \262\231\042\341\301\053\307\234\370\363\137\250\202\022\353\031
- \021\055
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
- # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
- # Subject: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Not Valid Before: Wed Apr 02 00:00:00 2008
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (MD5): B5:E8:34:36:C9:10:44:58:48:70:6D:2E:83:D4:B8:05
-@@ -11112,16 +10682,17 @@
- \003\003\151\000\060\146\002\061\000\335\370\340\127\107\133\247
- \346\012\303\275\365\200\212\227\065\015\033\211\074\124\206\167
- \050\312\241\364\171\336\265\346\070\260\360\145\160\214\177\002
- \124\302\277\377\330\241\076\331\317\002\061\000\304\215\224\374
- \334\123\322\334\235\170\026\037\025\063\043\123\122\343\132\061
- \135\235\312\256\275\023\051\104\015\047\133\250\347\150\234\022
- \367\130\077\056\162\002\127\243\217\241\024\056
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "thawte Primary Root CA - G2"
- # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
- # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
- # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
- # Not Valid Before: Mon Nov 05 00:00:00 2007
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (MD5): 74:9D:EA:60:24:C4:FD:22:53:3E:CC:3A:72:D9:29:4F
-@@ -11271,16 +10842,17 @@
- \051\101\221\042\074\151\247\273\002\362\266\134\047\003\211\364
- \006\352\233\344\162\202\343\241\011\301\351\000\031\323\076\324
- \160\153\272\161\246\252\130\256\364\273\351\154\266\357\207\314
- \233\273\377\071\346\126\141\323\012\247\304\134\114\140\173\005
- \167\046\172\277\330\007\122\054\142\367\160\143\331\071\274\157
- \034\302\171\334\166\051\257\316\305\054\144\004\136\210\066\156
- \061\324\100\032\142\064\066\077\065\001\256\254\143\240
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "thawte Primary Root CA - G3"
- # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
- # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
- # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
- # Not Valid Before: Wed Apr 02 00:00:00 2008
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (MD5): FB:1B:5D:43:8A:94:CD:44:C6:76:F2:43:4B:47:E7:31
-@@ -11406,16 +10978,17 @@
- \144\226\131\246\350\011\336\213\272\372\132\210\210\360\037\221
- \323\106\250\362\112\114\002\143\373\154\137\070\333\056\101\223
- \251\016\346\235\334\061\034\262\240\247\030\034\171\341\307\066
- \002\060\072\126\257\232\164\154\366\373\203\340\063\323\010\137
- \241\234\302\133\237\106\326\266\313\221\006\143\242\006\347\063
- \254\076\250\201\022\320\313\272\320\222\013\266\236\226\252\004
- \017\212
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
- # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
- # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
- # Not Valid Before: Mon Nov 05 00:00:00 2007
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (MD5): 01:5E:D8:6B:BD:6F:3D:8E:A1:31:F8:12:E0:98:73:6A
-@@ -11575,16 +11148,17 @@
- \007\021\360\325\333\335\345\214\360\325\062\260\203\346\127\342
- \217\277\276\241\252\277\075\035\265\324\070\352\327\260\134\072
- \117\152\077\217\300\146\154\143\252\351\331\244\026\364\201\321
- \225\024\016\175\315\225\064\331\322\217\160\163\201\173\234\176
- \275\230\141\330\105\207\230\220\305\353\206\060\306\065\277\360
- \377\303\125\210\203\113\357\005\222\006\161\362\270\230\223\267
- \354\315\202\141\361\070\346\117\227\230\052\132\215
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "VeriSign Universal Root Certification Authority"
- # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
- # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Wed Apr 02 00:00:00 2008
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (MD5): 8E:AD:B5:01:AA:4D:81:E4:8C:1D:D1:E1:14:00:95:19
-@@ -11729,16 +11303,17 @@
- \000\060\145\002\060\146\041\014\030\046\140\132\070\173\126\102
- \340\247\374\066\204\121\221\040\054\166\115\103\075\304\035\204
- \043\320\254\326\174\065\006\316\315\151\275\220\015\333\154\110
- \102\035\016\252\102\002\061\000\234\075\110\071\043\071\130\032
- \025\022\131\152\236\357\325\131\262\035\122\054\231\161\315\307
- \051\337\033\052\141\173\161\321\336\363\300\345\015\072\112\252
- \055\247\330\206\052\335\056\020
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
- # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Mon Nov 05 00:00:00 2007
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (MD5): 3A:52:E1:E7:FD:6F:3A:E3:6F:F3:6F:99:1B:F9:22:41
-@@ -11888,16 +11463,17 @@
- \276\245\025\143\241\324\225\207\361\236\271\363\211\363\075\205
- \270\270\333\276\265\271\051\371\332\067\005\000\111\224\003\204
- \104\347\277\103\061\317\165\213\045\321\364\246\144\365\222\366
- \253\005\353\075\351\245\013\066\142\332\314\006\137\066\213\266
- \136\061\270\052\373\136\366\161\337\104\046\236\304\346\015\221
- \264\056\165\225\200\121\152\113\060\246\260\142\241\223\361\233
- \330\316\304\143\165\077\131\107\261
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "NetLock Arany (Class Gold) FÅ‘tanúsÃtvány"
- # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
- # Serial Number:49:41:2c:e4:00:10
- # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
- # Not Valid Before: Thu Dec 11 15:08:21 2008
- # Not Valid After : Wed Dec 06 15:08:21 2028
- # Fingerprint (MD5): C5:A1:B7:FF:73:DD:D6:D7:34:32:18:DF:FC:3C:AD:88
-@@ -12061,16 +11637,17 @@
- \120\346\105\020\107\170\266\116\322\145\311\303\067\337\341\102
- \143\260\127\067\105\055\173\212\234\277\005\352\145\125\063\367
- \071\020\305\050\052\041\172\033\212\304\044\371\077\025\310\232
- \025\040\365\125\142\226\355\155\223\120\274\344\252\170\255\331
- \313\012\145\207\246\146\301\304\201\243\167\072\130\036\013\356
- \203\213\235\036\322\122\244\314\035\157\260\230\155\224\061\265
- \370\161\012\334\271\374\175\062\140\346\353\257\212\001
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Staat der Nederlanden Root CA - G2"
- # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
- # Serial Number: 10000012 (0x98968c)
- # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
- # Not Valid Before: Wed Mar 26 11:18:17 2008
- # Not Valid After : Wed Mar 25 11:03:10 2020
- # Fingerprint (MD5): 7C:A5:0F:F8:5B:9A:7D:6D:30:AE:54:5A:E3:42:A2:8A
-@@ -12186,16 +11763,17 @@
- \022\024\344\141\215\254\020\220\236\204\120\273\360\226\157\105
- \237\212\363\312\154\117\372\021\072\025\025\106\303\315\037\203
- \133\055\101\022\355\120\147\101\023\075\041\253\224\212\252\116
- \174\301\261\373\247\326\265\047\057\227\253\156\340\035\342\321
- \034\054\037\104\342\374\276\221\241\234\373\326\051\123\163\206
- \237\123\330\103\016\135\326\143\202\161\035\200\164\312\366\342
- \002\153\331\132
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Hongkong Post Root CA 1"
- # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
- # Serial Number: 1000 (0x3e8)
- # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
- # Not Valid Before: Thu May 15 05:13:14 2003
- # Not Valid After : Mon May 15 04:52:29 2023
- # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
-@@ -12316,16 +11894,17 @@
- \143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310
- \122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371
- \244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154
- \017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055
- \015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215
- \101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003
- \362
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "SecureSign RootCA11"
- # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
- # Serial Number: 1 (0x1)
- # Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
- # Not Valid Before: Wed Apr 08 04:56:47 2009
- # Not Valid After : Sun Apr 08 04:56:47 2029
- # Fingerprint (MD5): B7:52:74:E2:92:B4:80:93:F2:75:E4:CC:D7:F2:EA:26
-@@ -12481,16 +12060,17 @@
- \307\202\066\076\247\070\143\251\060\054\027\020\140\222\237\125
- \207\022\131\020\302\017\147\151\021\314\116\036\176\112\232\255
- \257\100\250\165\254\126\220\164\270\240\234\245\171\157\334\351
- \032\310\151\005\351\272\372\003\263\174\344\340\116\302\316\235
- \350\266\106\015\156\176\127\072\147\224\302\313\037\234\167\112
- \147\116\151\206\103\223\070\373\266\333\117\203\221\324\140\176
- \113\076\053\070\007\125\230\136\244
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "ACEDICOM Root"
- # Issuer: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
- # Serial Number:61:8d:c7:86:3b:01:82:05
- # Subject: C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root
- # Not Valid Before: Fri Apr 18 16:24:22 2008
- # Not Valid After : Thu Apr 13 16:24:22 2028
- # Fingerprint (MD5): 42:81:A0:E2:1C:E3:55:10:DE:55:89:42:65:96:22:E6
-@@ -12627,16 +12207,17 @@
- \255\234\032\303\004\074\355\002\141\326\036\006\363\137\072\207
- \362\053\361\105\207\345\075\254\321\307\127\204\275\153\256\334
- \330\371\266\033\142\160\013\075\066\311\102\362\062\327\172\141
- \346\322\333\075\317\310\251\311\233\334\333\130\104\327\157\070
- \257\177\170\323\243\255\032\165\272\034\301\066\174\217\036\155
- \034\303\165\106\256\065\005\246\366\134\075\041\356\126\360\311
- \202\042\055\172\124\253\160\303\175\042\145\202\160\226
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Microsec e-Szigno Root CA 2009"
- # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
- # Serial Number:00:c2:7e:43:04:4e:47:3f:19
- # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
- # Not Valid Before: Tue Jun 16 11:30:18 2009
- # Not Valid After : Sun Dec 30 11:30:18 2029
- # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
-@@ -12758,16 +12339,17 @@
- \231\302\037\172\016\343\055\010\255\012\034\054\377\074\253\125
- \016\017\221\176\066\353\303\127\111\276\341\056\055\174\140\213
- \303\101\121\023\043\235\316\367\062\153\224\001\250\231\347\054
- \063\037\072\073\045\322\206\100\316\073\054\206\170\311\141\057
- \024\272\356\333\125\157\337\204\356\005\011\115\275\050\330\162
- \316\323\142\120\145\036\353\222\227\203\061\331\263\265\312\107
- \130\077\137
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "GlobalSign Root CA - R3"
- # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
- # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
- # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
- # Not Valid Before: Wed Mar 18 10:00:00 2009
- # Not Valid After : Sun Mar 18 10:00:00 2029
- # Fingerprint (MD5): C5:DF:B8:49:CA:05:13:55:EE:2D:BA:1A:C3:3E:B0:28
-@@ -12930,16 +12512,17 @@
- \330\153\044\254\227\130\104\107\255\131\030\361\041\145\160\336
- \316\064\140\250\100\361\363\074\244\303\050\043\214\376\047\063
- \103\100\240\027\074\353\352\073\260\162\246\243\271\112\113\136
- \026\110\364\262\274\310\214\222\305\235\237\254\162\066\274\064
- \200\064\153\251\213\222\300\270\027\355\354\166\123\365\044\001
- \214\263\042\350\113\174\125\306\235\372\243\024\273\145\205\156
- \156\117\022\176\012\074\235\225
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
- # Serial Number:53:ec:3b:ee:fb:b2:48:5f
- # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
- # Not Valid Before: Wed May 20 08:38:15 2009
- # Not Valid After : Tue Dec 31 08:38:15 2030
- # Fingerprint (MD5): 73:3A:74:7A:EC:BB:A3:96:A6:C2:E4:E2:C8:9B:C0:C3
-@@ -13098,16 +12681,17 @@
- \150\103\110\262\333\353\163\044\347\221\177\124\244\266\200\076
- \235\243\074\114\162\302\127\304\240\324\314\070\047\316\325\006
- \236\242\110\331\351\237\316\202\160\066\223\232\073\337\226\041
- \343\131\267\014\332\221\067\360\375\131\132\263\231\310\151\154
- \103\046\001\065\143\140\125\211\003\072\165\330\272\112\331\124
- \377\356\336\200\330\055\321\070\325\136\055\013\230\175\076\154
- \333\374\046\210\307
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Izenpe.com"
- # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
- # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
- # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
- # Not Valid Before: Thu Dec 13 13:08:28 2007
- # Not Valid After : Sun Dec 13 08:27:25 2037
- # Fingerprint (MD5): A6:B0:CD:85:80:DA:5C:50:34:A3:39:90:2F:55:67:73
-@@ -13302,16 +12886,17 @@
- \176\030\230\265\105\073\366\171\264\350\367\032\173\006\203\373
- \320\213\332\273\307\275\030\253\010\157\074\200\153\100\077\031
- \031\272\145\212\346\276\325\134\323\066\327\357\100\122\044\140
- \070\147\004\061\354\217\363\202\306\336\271\125\363\073\061\221
- \132\334\265\010\025\255\166\045\012\015\173\056\207\342\014\246
- \006\274\046\020\155\067\235\354\335\170\214\174\200\305\360\331
- \167\110\320
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Chambers of Commerce Root - 2008"
- # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
- # Serial Number:00:a3:da:42:7e:a4:b1:ae:da
- # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
- # Not Valid Before: Fri Aug 01 12:29:50 2008
- # Not Valid After : Sat Jul 31 12:29:50 2038
- # Fingerprint (MD5): 5E:80:9E:84:5A:0E:65:0B:17:02:F3:55:18:2A:3E:D7
-@@ -13510,16 +13095,17 @@
- \223\256\231\240\357\045\152\163\230\211\133\072\056\023\210\036
- \277\300\222\224\064\033\343\047\267\213\036\157\102\377\347\351
- \067\233\120\035\055\242\371\002\356\313\130\130\072\161\274\150
- \343\252\301\257\034\050\037\242\334\043\145\077\201\352\256\231
- \323\330\060\317\023\015\117\025\311\204\274\247\110\055\370\060
- \043\167\330\106\113\171\155\366\214\355\072\177\140\021\170\364
- \351\233\256\325\124\300\164\200\321\013\102\237\301
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Global Chambersign Root - 2008"
- # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
- # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
- # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
- # Not Valid Before: Fri Aug 01 12:31:40 2008
- # Not Valid After : Sat Jul 31 12:31:40 2038
- # Fingerprint (MD5): 9E:80:FF:78:01:0C:2E:C1:36:BD:FE:96:90:6E:08:F3
-@@ -15376,16 +14962,17 @@
- \330\144\363\054\176\024\374\002\352\237\315\377\007\150\027\333
- \042\220\070\055\172\215\321\124\361\151\343\137\063\312\172\075
- \173\012\343\312\177\137\071\345\342\165\272\305\166\030\063\316
- \054\360\057\114\255\367\261\347\316\117\250\304\233\112\124\006
- \305\177\175\325\010\017\342\034\376\176\027\270\254\136\366\324
- \026\262\103\011\014\115\366\247\153\264\231\204\145\312\172\210
- \342\342\104\276\134\367\352\034\365
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Go Daddy Root Certificate Authority - G2"
- # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
- # Serial Number: 0 (0x0)
- # Subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
- # Not Valid Before: Tue Sep 01 00:00:00 2009
- # Not Valid After : Thu Dec 31 23:59:59 2037
- # Fingerprint (MD5): 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
-@@ -15525,16 +15112,17 @@
- \037\305\354\372\234\176\317\176\261\361\007\055\266\374\277\312
- \244\277\320\227\005\112\274\352\030\050\002\220\275\124\170\011
- \041\161\323\321\175\035\331\026\260\251\141\075\320\012\000\042
- \374\307\173\313\011\144\105\013\073\100\201\367\175\174\062\365
- \230\312\130\216\175\052\356\220\131\163\144\371\066\164\136\045
- \241\365\146\005\056\177\071\025\251\052\373\120\213\216\205\151
- \364
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Starfield Root Certificate Authority - G2"
- # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
- # Serial Number: 0 (0x0)
- # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
- # Not Valid Before: Tue Sep 01 00:00:00 2009
- # Not Valid After : Thu Dec 31 23:59:59 2037
- # Fingerprint (MD5): D6:39:81:C6:52:7E:96:69:FC:FC:CA:66:ED:05:F2:96
-@@ -15676,16 +15264,17 @@
- \210\100\317\175\106\035\377\036\307\341\316\377\043\333\306\372
- \215\125\116\251\002\347\107\021\106\076\364\375\275\173\051\046
- \273\251\141\142\067\050\266\055\052\366\020\206\144\311\160\247
- \322\255\267\051\160\171\352\074\332\143\045\237\375\150\267\060
- \354\160\373\165\212\267\155\140\147\262\036\310\271\351\330\250
- \157\002\213\147\015\115\046\127\161\332\040\374\301\112\120\215
- \261\050\272
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Starfield Services Root Certificate Authority - G2"
- # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
- # Serial Number: 0 (0x0)
- # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
- # Not Valid Before: Tue Sep 01 00:00:00 2009
- # Not Valid After : Thu Dec 31 23:59:59 2037
- # Fingerprint (MD5): 17:35:74:AF:7B:61:1C:EB:F4:F9:3C:E2:EE:40:F9:A2
-@@ -15806,16 +15395,17 @@
- \265\063\252\262\157\323\012\242\120\343\366\073\350\056\104\302
- \333\146\070\251\063\126\110\361\155\033\063\215\015\214\077\140
- \067\235\323\312\155\176\064\176\015\237\162\166\213\033\237\162
- \375\122\065\101\105\002\226\057\034\262\232\163\111\041\261\111
- \107\105\107\264\357\152\064\021\311\115\232\314\131\267\326\002
- \236\132\116\145\265\224\256\033\337\051\260\026\361\277\000\236
- \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AffirmTrust Commercial"
- # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
- # Serial Number:77:77:06:27:26:a9:b1:7c
- # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
- # Not Valid Before: Fri Jan 29 14:06:06 2010
- # Not Valid After : Tue Dec 31 14:06:06 2030
- # Fingerprint (MD5): 82:92:BA:5B:EF:CD:8A:6F:A6:3D:55:F9:84:F6:D6:B7
-@@ -15931,16 +15521,17 @@
- \115\207\165\155\267\130\226\132\335\155\322\000\240\364\233\110
- \276\303\067\244\272\066\340\174\207\205\227\032\025\242\336\056
- \242\133\275\257\030\371\220\120\315\160\131\370\047\147\107\313
- \307\240\007\072\175\321\054\135\154\031\072\146\265\175\375\221
- \157\202\261\276\010\223\333\024\107\361\242\067\307\105\236\074
- \307\167\257\144\250\223\337\366\151\203\202\140\362\111\102\064
- \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AffirmTrust Networking"
- # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US
- # Serial Number:7c:4f:04:39:1c:d4:99:2d
- # Subject: CN=AffirmTrust Networking,O=AffirmTrust,C=US
- # Not Valid Before: Fri Jan 29 14:08:24 2010
- # Not Valid After : Tue Dec 31 14:08:24 2030
- # Fingerprint (MD5): 42:65:CA:BE:01:9A:9A:4C:A9:8C:41:49:CD:C0:D5:7F
-@@ -16088,16 +15679,17 @@
- \030\246\265\250\136\264\203\154\153\151\100\323\237\334\361\303
- \151\153\271\341\155\011\364\361\252\120\166\012\172\175\172\027
- \241\125\226\102\231\061\011\335\140\021\215\005\060\176\346\216
- \106\321\235\024\332\307\027\344\005\226\214\304\044\265\033\317
- \024\007\262\100\370\243\236\101\206\274\004\320\153\226\310\052
- \200\064\375\277\357\006\243\335\130\305\205\075\076\217\376\236
- \051\340\266\270\011\150\031\034\030\103
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AffirmTrust Premium"
- # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US
- # Serial Number:6d:8c:14:46:b1:a6:0a:ee
- # Subject: CN=AffirmTrust Premium,O=AffirmTrust,C=US
- # Not Valid Before: Fri Jan 29 14:10:36 2010
- # Not Valid After : Mon Dec 31 14:10:36 2040
- # Fingerprint (MD5): C4:5D:0E:48:B6:AC:28:30:4E:0A:BC:F9:38:16:87:57
-@@ -16193,16 +15785,17 @@
- \027\011\363\207\210\120\132\257\310\300\102\277\107\137\365\154
- \152\206\340\304\047\164\344\070\123\327\005\177\033\064\343\306
- \057\263\312\011\074\067\235\327\347\270\106\361\375\241\342\161
- \002\060\102\131\207\103\324\121\337\272\323\011\062\132\316\210
- \176\127\075\234\137\102\153\365\007\055\265\360\202\223\371\131
- \157\256\144\372\130\345\213\036\343\143\276\265\201\315\157\002
- \214\171
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "AffirmTrust Premium ECC"
- # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
- # Serial Number:74:97:25:8a:c7:3f:7a:54
- # Subject: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
- # Not Valid Before: Fri Jan 29 14:20:24 2010
- # Not Valid After : Mon Dec 31 14:20:24 2040
- # Fingerprint (MD5): 64:B0:09:55:CF:B1:D5:99:E2:BE:13:AB:A6:5D:EA:4D
-@@ -16331,16 +15924,17 @@
- \227\306\166\350\047\226\243\146\335\341\256\362\101\133\312\230
- \126\203\163\160\344\206\032\322\061\101\272\057\276\055\023\132
- \166\157\116\350\116\201\016\077\133\003\042\240\022\276\146\130
- \021\112\313\003\304\264\052\052\055\226\027\340\071\124\274\110
- \323\166\047\235\232\055\006\246\311\354\071\322\253\333\237\232
- \013\047\002\065\051\261\100\225\347\371\350\234\125\210\031\106
- \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Certum Trusted Network CA"
- # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
- # Serial Number: 279744 (0x444c0)
- # Subject: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
- # Not Valid Before: Wed Oct 22 12:07:37 2008
- # Not Valid After : Mon Dec 31 12:07:37 2029
- # Fingerprint (MD5): D5:E9:81:40:C5:18:69:FC:46:2C:89:75:62:0F:AA:78
-@@ -16500,16 +16094,17 @@
- \032\050\364\041\003\356\056\331\301\200\352\271\331\202\326\133
- \166\302\313\073\265\322\000\360\243\016\341\255\156\100\367\333
- \240\264\320\106\256\025\327\104\302\115\065\371\322\013\362\027
- \366\254\146\325\044\262\117\321\034\231\300\156\365\175\353\164
- \004\270\371\115\167\011\327\264\317\007\060\011\361\270\000\126
- \331\027\026\026\012\053\206\337\217\001\031\032\345\273\202\143
- \377\276\013\166\026\136\067\067\346\330\164\227\242\231\105\171
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Certinomis - Autorité Racine"
- # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
- # Serial Number: 1 (0x1)
- # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
- # Not Valid Before: Wed Sep 17 08:28:59 2008
- # Not Valid After : Sun Sep 17 08:28:59 2028
- # Fingerprint (MD5): 7F:30:78:8C:03:E3:CA:C9:0A:E2:C9:EA:1E:AA:55:1A
-@@ -16634,16 +16229,17 @@
- \172\162\132\203\263\171\157\357\264\374\320\012\245\130\117\106
- \337\373\155\171\131\362\204\042\122\256\017\314\373\174\073\347
- \152\312\107\141\303\172\370\323\222\004\037\270\040\204\341\066
- \124\026\307\100\336\073\212\163\334\337\306\011\114\337\354\332
- \377\324\123\102\241\311\362\142\035\042\203\074\227\305\371\031
- \142\047\254\145\042\327\323\074\306\345\216\262\123\314\111\316
- \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "TWCA Root Certification Authority"
- # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
- # Serial Number: 1 (0x1)
- # Subject: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
- # Not Valid Before: Thu Aug 28 07:24:33 2008
- # Not Valid After : Tue Dec 31 15:59:59 2030
- # Fingerprint (MD5): AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
-@@ -18024,16 +17620,17 @@
- \273\233\051\126\074\376\000\067\317\043\154\361\116\252\266\164
- \106\022\154\221\356\064\325\354\232\221\347\104\276\220\061\162
- \325\111\002\366\002\345\364\037\353\174\331\226\125\251\377\354
- \212\371\231\107\377\065\132\002\252\004\313\212\133\207\161\051
- \221\275\244\264\172\015\275\232\365\127\043\000\007\041\027\077
- \112\071\321\005\111\013\247\266\067\201\245\135\214\252\063\136
- \201\050\174\247\175\047\353\000\256\215\067
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Security Communication RootCA2"
- # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
- # Serial Number: 0 (0x0)
- # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
- # Not Valid Before: Fri May 29 05:00:39 2009
- # Not Valid After : Tue May 29 05:00:39 2029
- # Fingerprint (MD5): 6C:39:7D:A4:0E:55:59:B2:3F:D6:41:B1:12:50:DE:43
-@@ -18206,16 +17803,17 @@
- \234\211\333\151\070\276\354\134\016\126\307\145\121\345\120\210
- \210\277\102\325\053\075\345\371\272\236\056\263\312\364\163\222
- \002\013\276\114\146\353\040\376\271\313\265\231\177\346\266\023
- \372\312\113\115\331\356\123\106\006\073\306\116\255\223\132\201
- \176\154\052\113\152\005\105\214\362\041\244\061\220\207\154\145
- \234\235\245\140\225\072\122\177\365\321\253\010\156\363\356\133
- \371\210\075\176\270\157\156\003\344\102
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "EC-ACC"
- # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
- # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
- # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
- # Not Valid Before: Tue Jan 07 23:00:00 2003
- # Not Valid After : Tue Jan 07 22:59:59 2031
- # Fingerprint (MD5): EB:F5:9D:29:0D:61:F9:42:1F:7C:C2:BA:6D:E3:15:09
-@@ -18368,16 +17966,17 @@
- \372\363\003\022\226\170\006\215\261\147\355\216\077\276\237\117
- \002\365\263\011\057\363\114\207\337\052\313\225\174\001\314\254
- \066\172\277\242\163\172\367\217\301\265\232\241\024\262\217\063
- \237\015\357\042\334\146\173\204\275\105\027\006\075\074\312\271
- \167\064\217\312\352\317\077\061\076\343\210\343\200\111\045\310
- \227\265\235\232\231\115\260\074\370\112\000\233\144\335\237\071
- \113\321\047\327\270
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011"
- # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
- # Serial Number: 0 (0x0)
- # Subject: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
- # Not Valid Before: Tue Dec 06 13:49:52 2011
- # Not Valid After : Mon Dec 01 13:49:52 2031
- # Fingerprint (MD5): 73:9F:4C:4B:73:5B:79:E9:FA:BA:1C:EF:6E:CB:D5:C9
-@@ -18603,16 +18202,17 @@
- \177\244\101\041\220\101\167\246\071\037\352\236\343\237\320\146
- \157\005\354\252\166\176\277\153\026\240\353\265\307\374\222\124
- \057\053\021\047\045\067\170\114\121\152\260\363\314\130\135\024
- \361\152\110\025\377\302\007\266\261\215\017\216\134\120\106\263
- \075\277\001\230\117\262\131\124\107\076\064\173\170\155\126\223
- \056\163\352\146\050\170\315\035\024\277\240\217\057\056\270\056
- \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Actalis Authentication Root CA"
- # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
- # Serial Number:57:0a:11:97:42:c4:e3:cc
- # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
- # Not Valid Before: Thu Sep 22 11:22:02 2011
- # Not Valid After : Sun Sep 22 11:22:02 2030
- # Fingerprint (MD5): 69:C1:0D:4F:07:A3:1B:C3:FE:56:3D:04:BC:11:F6:A6
-@@ -18733,16 +18333,17 @@
- \177\124\365\243\340\217\360\174\125\042\217\051\266\201\243\341
- \155\116\054\033\200\147\354\255\040\237\014\142\141\325\227\377
- \103\355\055\301\332\135\051\052\205\077\254\145\356\206\017\005
- \215\220\137\337\356\237\364\277\356\035\373\230\344\177\220\053
- \204\170\020\016\154\111\123\357\025\133\145\106\112\135\257\272
- \373\072\162\035\315\366\045\210\036\227\314\041\234\051\001\015
- \145\353\127\331\363\127\226\273\110\315\201
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Trustis FPS Root CA"
- # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
- # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59
- # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
- # Not Valid Before: Tue Dec 23 12:14:06 2003
- # Not Valid After : Sun Jan 21 11:36:54 2024
- # Fingerprint (MD5): 30:C9:E7:1E:6B:E6:14:EB:65:B2:16:69:20:31:67:4D
-@@ -18933,16 +18534,17 @@
- \046\161\304\205\136\161\044\312\245\033\154\330\141\323\032\340
- \124\333\316\272\251\062\265\042\366\163\101\011\135\270\027\135
- \016\017\231\220\326\107\332\157\012\072\142\050\024\147\202\331
- \361\320\200\131\233\313\061\330\233\017\214\167\116\265\150\212
- \362\154\366\044\016\055\154\160\305\163\321\336\024\320\161\217
- \266\323\173\002\366\343\270\324\011\156\153\236\165\204\071\346
- \177\045\245\362\110\000\300\244\001\332\077
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "StartCom Certification Authority"
- # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
- # Serial Number: 45 (0x2d)
- # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
- # Not Valid Before: Sun Sep 17 19:46:37 2006
- # Not Valid After : Wed Sep 17 19:46:36 2036
- # Fingerprint (MD5): C9:3B:0D:84:41:FC:A4:76:79:23:08:57:DE:10:19:16
-@@ -19097,16 +18699,17 @@
- \102\056\055\304\011\072\003\147\151\204\232\341\131\220\212\050
- \205\325\135\164\261\321\016\040\130\233\023\245\260\143\246\355
- \173\107\375\105\125\060\244\356\232\324\346\342\207\357\230\311
- \062\202\021\051\042\274\000\012\061\136\055\017\300\216\351\153
- \262\217\056\006\330\321\221\307\306\022\364\114\375\060\027\303
- \301\332\070\133\343\251\352\346\241\272\171\357\163\330\266\123
- \127\055\366\320\341\327\110
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "StartCom Certification Authority G2"
- # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
- # Serial Number: 59 (0x3b)
- # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
- # Not Valid Before: Fri Jan 01 01:00:01 2010
- # Not Valid After : Sat Dec 31 23:59:01 2039
- # Fingerprint (MD5): 78:4B:FB:9E:64:82:0A:D3:B8:4C:62:F3:64:F2:90:64
-@@ -19256,16 +18859,17 @@
- \112\220\136\303\372\047\004\261\171\025\164\231\314\276\255\040
- \336\046\140\034\353\126\121\246\243\352\344\243\077\247\377\141
- \334\361\132\115\154\062\043\103\356\254\250\356\356\112\022\011
- \074\135\161\302\276\171\372\302\207\150\035\013\375\134\151\314
- \006\320\232\175\124\231\052\311\071\032\031\257\113\052\103\363
- \143\135\132\130\342\057\343\035\344\251\326\320\012\320\236\277
- \327\201\011\361\311\307\046\015\254\230\026\126\240
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Buypass Class 2 Root CA"
- # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
- # Serial Number: 2 (0x2)
- # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
- # Not Valid Before: Tue Oct 26 08:38:03 2010
- # Not Valid After : Fri Oct 26 08:38:03 2040
- # Fingerprint (MD5): 46:A7:D2:FE:45:FB:64:5A:A8:59:90:9B:78:44:9B:29
-@@ -19414,16 +19018,17 @@
- \105\310\114\161\331\274\311\231\122\127\106\057\120\317\275\065
- \151\364\075\025\316\006\245\054\017\076\366\201\272\224\273\303
- \273\277\145\170\322\206\171\377\111\073\032\203\014\360\336\170
- \354\310\362\115\114\032\336\202\051\370\301\132\332\355\356\346
- \047\136\350\105\320\235\034\121\250\150\253\104\343\320\213\152
- \343\370\073\273\334\115\327\144\362\121\276\346\252\253\132\351
- \061\356\006\274\163\277\023\142\012\237\307\271\227
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Buypass Class 3 Root CA"
- # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
- # Serial Number: 2 (0x2)
- # Subject: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
- # Not Valid Before: Tue Oct 26 08:28:58 2010
- # Not Valid After : Fri Oct 26 08:28:58 2040
- # Fingerprint (MD5): 3D:3B:18:9E:2C:64:5A:E8:D5:88:CE:0E:F9:37:C2:EC
-@@ -19555,16 +19160,17 @@
- \367\124\076\201\075\332\111\152\232\263\357\020\075\346\353\157
- \321\310\042\107\313\314\317\001\061\222\331\030\343\042\276\011
- \036\032\076\132\262\344\153\014\124\172\175\103\116\270\211\245
- \173\327\242\075\226\206\314\362\046\064\055\152\222\235\232\032
- \320\060\342\135\116\004\260\137\213\040\176\167\301\075\225\202
- \321\106\232\073\074\170\270\157\241\320\015\144\242\170\036\051
- \116\223\303\244\124\024\133
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "T-TeleSec GlobalRoot Class 3"
- # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
- # Serial Number: 1 (0x1)
- # Subject: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
- # Not Valid Before: Wed Oct 01 10:29:56 2008
- # Not Valid After : Sat Oct 01 23:59:59 2033
- # Fingerprint (MD5): CA:FB:40:A8:4E:39:92:8A:1D:FE:8E:2F:C4:27:EA:EF
-@@ -19703,16 +19309,17 @@
- \346\164\163\224\135\026\230\023\225\376\373\333\261\104\345\072
- \160\254\067\153\346\263\063\162\050\311\263\127\240\366\002\026
- \210\006\013\266\246\113\040\050\324\336\075\213\255\067\005\123
- \164\376\156\314\274\103\027\161\136\371\305\314\032\251\141\356
- \367\166\014\363\162\364\162\255\317\162\002\066\007\107\317\357
- \031\120\211\140\314\351\044\225\017\302\313\035\362\157\166\220
- \307\314\165\301\226\305\235
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "EE Certification Centre Root CA"
- # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
- # Serial Number:54:80:f9:a0:73:ed:3f:00:4c:ca:89:d8:e3:71:e6:4a
- # Subject: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE
- # Not Valid Before: Sat Oct 30 10:10:30 2010
- # Not Valid After : Tue Dec 17 23:59:59 2030
- # Fingerprint (MD5): 43:5E:88:D4:7D:1A:4A:7E:FD:84:2E:52:EB:01:D4:6F
-@@ -19932,16 +19539,17 @@
- \005\332\143\127\213\345\263\252\333\300\056\034\220\104\333\032
- \135\030\244\356\276\004\133\231\325\161\137\125\145\144\142\325
- \242\233\004\131\206\310\142\167\347\174\202\105\152\075\027\277
- \354\235\165\014\256\243\157\132\323\057\230\066\364\360\365\031
- \253\021\135\310\246\343\052\130\152\102\011\303\275\222\046\146
- \062\015\135\010\125\164\377\214\230\320\012\246\204\152\321\071
- \175
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "TURKTRUST Certificate Services Provider Root 2007"
- # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
- # Serial Number: 1 (0x1)
- # Subject: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,L=Ankara,C=TR,CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s..
- # Not Valid Before: Tue Dec 25 18:37:19 2007
- # Not Valid After : Fri Dec 22 18:37:19 2017
- # Fingerprint (MD5): 2B:70:20:56:86:82:A0:18:C8:07:53:12:28:70:21:72
-@@ -20080,16 +19688,17 @@
- \310\154\353\202\123\004\246\344\114\042\115\215\214\272\316\133
- \163\354\144\124\120\155\321\234\125\373\151\303\066\303\214\274
- \074\205\246\153\012\046\015\340\223\230\140\256\176\306\044\227
- \212\141\137\221\216\146\222\011\207\066\315\213\233\055\076\366
- \121\324\120\324\131\050\275\203\362\314\050\173\123\206\155\330
- \046\210\160\327\352\221\315\076\271\312\300\220\156\132\306\136
- \164\145\327\134\376\243\342
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "D-TRUST Root Class 3 CA 2 2009"
- # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
- # Serial Number: 623603 (0x983f3)
- # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
- # Not Valid Before: Thu Nov 05 08:35:58 2009
- # Not Valid After : Mon Nov 05 08:35:58 2029
- # Fingerprint (MD5): CD:E0:25:69:8D:47:AC:9C:89:35:90:F7:FD:51:3D:2F
-@@ -20223,16 +19832,17 @@
- \173\360\171\121\327\103\075\247\323\201\323\360\311\117\271\332
- \306\227\206\320\202\303\344\102\155\376\260\342\144\116\016\046
- \347\100\064\046\265\010\211\327\010\143\143\070\047\165\036\063
- \352\156\250\335\237\231\117\164\115\201\211\200\113\335\232\227
- \051\134\057\276\201\101\271\214\377\352\175\140\006\236\315\327
- \075\323\056\243\025\274\250\346\046\345\157\303\334\270\003\041
- \352\237\026\361\054\124\265
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "D-TRUST Root Class 3 CA 2 EV 2009"
- # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
- # Serial Number: 623604 (0x983f4)
- # Subject: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
- # Not Valid Before: Thu Nov 05 08:50:46 2009
- # Not Valid After : Mon Nov 05 08:50:46 2029
- # Fingerprint (MD5): AA:C6:43:2C:5E:2D:CD:C4:34:C0:50:4F:11:02:4F:B6
-@@ -20472,16 +20082,17 @@
- \071\246\202\326\161\312\336\267\325\272\150\010\355\231\314\375
- \242\222\313\151\270\235\371\012\244\246\076\117\223\050\052\141
- \154\007\046\000\377\226\137\150\206\270\270\316\312\125\340\253
- \261\075\177\230\327\063\016\132\075\330\170\302\304\140\057\307
- \142\360\141\221\322\070\260\366\236\125\333\100\200\005\022\063
- \316\035\222\233\321\151\263\377\277\361\222\012\141\065\077\335
- \376\206\364\274\340\032\161\263\142\246
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "PSCProcert"
- # Issuer: E=acraiz@suscerte.gob.ve,OU=Superintendencia de Servicios de Certificacion Electronica,O=Sistema Nacional de Certificacion Electronica,ST=Distrito Capital,L=Caracas,C=VE,CN=Autoridad de Certificacion Raiz del Estado Venezolano
- # Serial Number: 11 (0xb)
- # Subject: CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,E=contacto@procert.net.ve
- # Not Valid Before: Tue Dec 28 16:51:00 2010
- # Not Valid After : Fri Dec 25 23:59:59 2020
- # Fingerprint (MD5): E6:24:E9:12:01:AE:0C:DE:8E:85:C4:CE:A3:12:DD:EC
-@@ -20630,16 +20241,17 @@
- \146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
- \135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
- \172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
- \316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
- \256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
- \126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
- \303\055\375\024\052\220\231\271\007\314\237
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "China Internet Network Information Center EV Certificates Root"
- # Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
- # Serial Number: 1218379777 (0x489f0001)
- # Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
- # Not Valid Before: Tue Aug 31 07:11:25 2010
- # Not Valid After : Sat Aug 31 07:11:25 2030
- # Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
-@@ -20805,16 +20417,17 @@
- \361\377\246\100\005\205\005\134\312\007\031\134\013\023\050\114
- \130\177\302\245\357\105\332\140\323\256\145\141\235\123\203\164
- \302\256\362\134\302\026\355\222\076\204\076\163\140\210\274\166
- \364\054\317\320\175\175\323\270\136\321\221\022\020\351\315\335
- \312\045\343\325\355\231\057\276\165\201\113\044\371\105\106\224
- \311\051\041\123\234\046\105\252\023\027\344\347\315\170\342\071
- \301\053\022\236\246\236\033\305\346\016\331\061\331
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Swisscom Root CA 2"
- # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
- # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
- # Subject: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
- # Not Valid Before: Fri Jun 24 08:38:14 2011
- # Not Valid After : Wed Jun 25 07:38:14 2031
- # Fingerprint (MD5): 5B:04:69:EC:A5:83:94:63:18:A7:86:D0:E4:F2:6E:19
-@@ -20980,16 +20593,17 @@
- \234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
- \042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
- \174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
- \361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
- \344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
- \043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
- \046\277\242\367
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Swisscom Root EV CA 2"
- # Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
- # Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
- # Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
- # Not Valid Before: Fri Jun 24 09:45:08 2011
- # Not Valid After : Wed Jun 25 08:45:08 2031
- # Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
-@@ -21144,16 +20758,17 @@
- \001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
- \153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
- \243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
- \200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
- \103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
- \016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
- \360\343\355\144\236\075\057\226\122\117\200\123\213
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "CA Disig Root R1"
- # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
- # Serial Number:00:c3:03:9a:ee:50:90:6e:28
- # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
- # Not Valid Before: Thu Jul 19 09:06:56 2012
- # Not Valid After : Sat Jul 19 09:06:56 2042
- # Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
-@@ -21306,16 +20921,17 @@
- \233\116\166\300\216\175\375\244\045\307\107\355\377\037\163\254
- \314\303\245\351\157\012\216\233\145\302\120\205\265\243\240\123
- \022\314\125\207\141\363\201\256\020\106\141\275\104\041\270\302
- \075\164\317\176\044\065\372\034\007\016\233\075\042\312\357\061
- \057\214\254\022\275\357\100\050\374\051\147\237\262\023\117\146
- \044\304\123\031\351\036\051\025\357\346\155\260\177\055\147\375
- \363\154\033\165\106\243\345\112\027\351\244\327\013
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "CA Disig Root R2"
- # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
- # Serial Number:00:92:b8:88:db:b0:8a:c1:63
- # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
- # Not Valid Before: Thu Jul 19 09:15:30 2012
- # Not Valid After : Sat Jul 19 09:15:30 2042
- # Fingerprint (MD5): 26:01:FB:D8:27:A7:17:9A:45:54:38:1A:43:01:3B:03
-@@ -21505,16 +21121,17 @@
- \346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
- \167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
- \040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
- \013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
- \244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
- \302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
- \125\064\106\052\213\206\073
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "ACCVRAIZ1"
- # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
- # Serial Number:5e:c3:b7:a6:43:7f:a4:e0
- # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
- # Not Valid Before: Thu May 05 09:37:37 2011
- # Not Valid After : Tue Dec 31 09:37:37 2030
- # Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
-@@ -21664,16 +21281,17 @@
- \301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
- \225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
- \272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
- \150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
- \246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
- \311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
- \053\006\320\004\315
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "TWCA Global Root CA"
- # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
- # Serial Number: 3262 (0xcbe)
- # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
- # Not Valid Before: Wed Jun 27 06:28:33 2012
- # Not Valid After : Tue Dec 31 15:59:59 2030
- # Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
-@@ -21820,16 +21438,17 @@
- \255\316\364\370\151\024\144\071\373\243\270\272\160\100\307\047
- \034\277\304\126\123\372\143\145\320\363\034\016\026\365\153\206
- \130\115\030\324\344\015\216\245\235\133\221\334\166\044\120\077
- \306\052\373\331\267\234\265\326\346\320\331\350\031\213\025\161
- \110\255\267\352\330\131\210\324\220\277\026\263\331\351\254\131
- \141\124\310\034\272\312\301\312\341\271\040\114\217\072\223\211
- \245\240\314\277\323\366\165\244\165\226\155\126
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "TeliaSonera Root CA v1"
- # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
- # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
- # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
- # Not Valid Before: Thu Oct 18 12:00:50 2007
- # Not Valid After : Mon Oct 18 12:00:50 2032
- # Fingerprint (MD5): 37:41:49:1B:18:56:9A:26:F5:AD:C2:66:FB:40:A5:4C
-@@ -22007,16 +21626,17 @@
- \237\211\213\375\067\137\137\072\316\070\131\206\113\257\161\013
- \264\330\362\160\117\237\062\023\343\260\247\127\345\332\332\103
- \313\204\064\362\050\304\352\155\364\052\357\301\153\166\332\373
- \176\273\205\074\322\123\302\115\276\161\341\105\321\375\043\147
- \015\023\165\373\317\145\147\042\235\256\260\011\321\011\377\035
- \064\277\376\043\227\067\322\071\372\075\015\006\013\264\333\073
- \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "E-Tugra Certification Authority"
- # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
- # Serial Number:6a:68:3e:9c:51:9b:cb:53
- # Subject: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR
- # Not Valid Before: Tue Mar 05 12:09:48 2013
- # Not Valid After : Fri Mar 03 12:09:48 2023
- # Fingerprint (MD5): B8:A1:03:63:B0:BD:21:71:70:8A:6F:13:3A:BB:79:49
-@@ -22155,16 +21775,17 @@
- \203\125\352\174\302\051\211\033\351\157\263\316\342\005\204\311
- \057\076\170\205\142\156\311\137\301\170\143\164\130\300\110\030
- \014\231\071\353\244\314\032\265\171\132\215\025\234\330\024\015
- \366\172\007\127\307\042\203\005\055\074\233\045\046\075\030\263
- \251\103\174\310\310\253\144\217\016\243\277\234\033\235\060\333
- \332\320\031\056\252\074\361\373\063\200\166\344\315\255\031\117
- \005\047\216\023\241\156\302
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "T-TeleSec GlobalRoot Class 2"
- # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
- # Serial Number: 1 (0x1)
- # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
- # Not Valid Before: Wed Oct 01 10:40:14 2008
- # Not Valid After : Sat Oct 01 23:59:59 2033
- # Fingerprint (MD5): 2B:9B:9E:E4:7B:6C:1F:00:72:1A:CC:C1:77:79:DF:6A
-@@ -22285,16 +21906,17 @@
- \265\024\357\264\021\377\016\025\265\365\365\333\306\275\353\132
- \247\360\126\042\251\074\145\124\306\025\250\275\206\236\315\203
- \226\150\172\161\201\211\341\013\341\352\021\033\150\010\314\151
- \236\354\236\101\236\104\062\046\172\342\207\012\161\075\353\344
- \132\244\322\333\305\315\306\336\140\177\271\363\117\104\222\357
- \052\267\030\076\247\031\331\013\175\261\067\101\102\260\272\140
- \035\362\376\011\021\260\360\207\173\247\235
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Atos TrustedRoot 2011"
- # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011
- # Serial Number:5c:33:cb:62:2c:5f:b3:32
- # Subject: C=DE,O=Atos,CN=Atos TrustedRoot 2011
- # Not Valid Before: Thu Jul 07 14:58:30 2011
- # Not Valid After : Tue Dec 31 23:59:59 2030
- # Fingerprint (MD5): AE:B9:C4:32:4B:AC:7F:5D:66:CC:77:94:BB:2A:77:56
-@@ -22444,16 +22066,17 @@
- \353\134\237\336\263\257\147\003\263\037\335\155\135\151\150\151
- \253\136\072\354\174\151\274\307\073\205\116\236\025\271\264\025
- \117\303\225\172\130\327\311\154\351\154\271\363\051\143\136\264
- \054\360\055\075\355\132\145\340\251\133\100\302\110\231\201\155
- \236\037\006\052\074\022\264\213\017\233\242\044\360\246\215\326
- \172\340\113\266\144\226\143\225\204\302\112\315\034\056\044\207
- \063\140\345\303
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "QuoVadis Root CA 1 G3"
- # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
- # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
- # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
- # Not Valid Before: Thu Jan 12 17:27:44 2012
- # Not Valid After : Sun Jan 12 17:27:44 2042
- # Fingerprint (SHA-256): 8A:86:6F:D1:B2:76:B5:7E:57:8E:92:1C:65:82:8A:2B:ED:58:E9:F2:F2:88:05:41:34:B7:F1:F4:BF:C9:CC:74
-@@ -22605,16 +22228,17 @@
- \374\267\003\111\002\133\310\045\346\342\124\070\365\171\207\214
- \035\123\262\116\205\173\006\070\307\054\370\370\260\162\215\045
- \345\167\122\364\003\034\110\246\120\137\210\040\060\156\362\202
- \103\253\075\227\204\347\123\373\041\301\117\017\042\232\206\270
- \131\052\366\107\075\031\210\055\350\205\341\236\354\205\010\152
- \261\154\064\311\035\354\110\053\073\170\355\146\304\216\171\151
- \203\336\177\214
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "QuoVadis Root CA 2 G3"
- # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
- # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
- # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
- # Not Valid Before: Thu Jan 12 18:59:32 2012
- # Not Valid After : Sun Jan 12 18:59:32 2042
- # Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40
-@@ -22766,16 +22390,17 @@
- \046\350\354\266\013\055\247\205\065\315\375\131\310\237\321\315
- \076\132\051\064\271\075\204\316\261\145\324\131\221\221\126\165
- \041\301\167\236\371\172\341\140\235\323\255\004\030\364\174\353
- \136\223\217\123\112\042\051\370\110\053\076\115\206\254\133\177
- \313\006\231\131\140\330\130\145\225\215\104\321\367\177\176\047
- \177\175\256\200\365\007\114\266\076\234\161\124\231\004\113\375
- \130\371\230\364
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "QuoVadis Root CA 3 G3"
- # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
- # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d
- # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
- # Not Valid Before: Thu Jan 12 20:26:32 2012
- # Not Valid After : Sun Jan 12 20:26:32 2042
- # Fingerprint (SHA-256): 88:EF:81:DE:20:2E:B0:18:45:2E:43:F8:64:72:5C:EA:5F:BD:1F:C2:D9:D2:05:73:07:09:C5:D8:B8:69:0F:46
-@@ -22902,16 +22527,17 @@
- \007\234\242\272\331\001\162\134\363\115\301\335\016\261\034\015
- \304\143\276\255\364\024\373\211\354\242\101\016\114\314\310\127
- \100\320\156\003\252\315\014\216\211\231\231\154\360\074\060\257
- \070\337\157\274\243\276\051\040\047\253\164\377\023\042\170\336
- \227\122\125\036\203\265\124\040\003\356\256\300\117\126\336\067
- \314\303\177\252\004\047\273\323\167\270\142\333\027\174\234\050
- \042\023\163\154\317\046\365\212\051\347
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "DigiCert Assured ID Root G2"
- # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
- # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Thu Aug 01 12:00:00 2013
- # Not Valid After : Fri Jan 15 12:00:00 2038
- # Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85
-@@ -23019,16 +22645,17 @@
- \003\003\147\000\060\144\002\060\045\244\201\105\002\153\022\113
- \165\164\117\310\043\343\160\362\165\162\336\174\211\360\317\221
- \162\141\236\136\020\222\131\126\271\203\307\020\347\070\351\130
- \046\066\175\325\344\064\206\071\002\060\174\066\123\360\060\345
- \142\143\072\231\342\266\243\073\233\064\372\036\332\020\222\161
- \136\221\023\247\335\244\156\222\314\062\326\365\041\146\307\057
- \352\226\143\152\145\105\222\225\001\264
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "DigiCert Assured ID Root G3"
- # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
- # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Thu Aug 01 12:00:00 2013
- # Not Valid After : Fri Jan 15 12:00:00 2038
- # Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2
-@@ -23157,16 +22784,17 @@
- \362\261\216\231\241\157\023\261\101\161\376\210\052\310\117\020
- \040\125\327\363\024\105\345\340\104\364\352\207\225\062\223\016
- \376\123\106\372\054\235\377\213\042\271\113\331\011\105\244\336
- \244\270\232\130\335\033\175\122\237\216\131\103\210\201\244\236
- \046\325\157\255\335\015\306\067\175\355\003\222\033\345\167\137
- \166\356\074\215\304\135\126\133\242\331\146\156\263\065\067\345
- \062\266
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "DigiCert Global Root G2"
- # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
- # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Thu Aug 01 12:00:00 2013
- # Not Valid After : Fri Jan 15 12:00:00 2038
- # Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
-@@ -23274,16 +22902,17 @@
- \000\255\274\362\154\077\022\112\321\055\071\303\012\011\227\163
- \364\210\066\214\210\047\273\346\210\215\120\205\247\143\371\236
- \062\336\146\223\017\361\314\261\011\217\335\154\253\372\153\177
- \240\002\060\071\146\133\302\144\215\270\236\120\334\250\325\111
- \242\355\307\334\321\111\177\027\001\270\310\206\217\116\214\210
- \053\250\232\251\212\305\321\000\275\370\124\342\232\345\133\174
- \263\047\027
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "DigiCert Global Root G3"
- # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
- # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Thu Aug 01 12:00:00 2013
- # Not Valid After : Fri Jan 15 12:00:00 2038
- # Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0
-@@ -23444,16 +23073,17 @@
- \102\154\311\012\274\356\103\372\072\161\245\310\115\046\245\065
- \375\211\135\274\205\142\035\062\322\240\053\124\355\232\127\301
- \333\372\020\317\031\267\213\112\033\217\001\266\047\225\123\350
- \266\211\155\133\274\150\324\043\350\213\121\242\126\371\360\246
- \200\240\326\036\263\274\017\017\123\165\051\252\352\023\167\344
- \336\214\201\041\255\007\020\107\021\255\207\075\007\321\165\274
- \317\363\146\176
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "DigiCert Trusted Root G4"
- # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
- # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
- # Not Valid Before: Thu Aug 01 12:00:00 2013
- # Not Valid After : Fri Jan 15 12:00:00 2038
- # Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88
-@@ -23610,16 +23240,17 @@
- \047\274\172\277\340\333\364\332\122\275\336\014\124\160\061\221
- \103\225\310\274\360\076\335\011\176\060\144\120\355\177\001\244
- \063\147\115\150\117\276\025\357\260\366\002\021\242\033\023\045
- \072\334\302\131\361\343\134\106\273\147\054\002\106\352\036\110
- \246\346\133\331\265\274\121\242\222\226\333\252\306\067\042\246
- \376\314\040\164\243\055\251\056\153\313\300\202\021\041\265\223
- \171\356\104\206\276\327\036\344\036\373
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "WoSign"
- # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
- # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
- # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
- # Not Valid Before: Sat Aug 08 01:00:01 2009
- # Not Valid After : Mon Aug 08 01:00:01 2039
- # Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
-@@ -23771,16 +23402,17 @@
- \324\175\253\227\063\304\323\076\340\151\266\050\171\240\011\215
- \034\321\377\101\162\110\006\374\232\056\347\040\371\233\242\336
- \211\355\256\074\011\257\312\127\263\222\211\160\100\344\057\117
- \302\160\203\100\327\044\054\153\347\011\037\323\325\307\301\010
- \364\333\016\073\034\007\013\103\021\204\041\206\351\200\324\165
- \330\253\361\002\142\301\261\176\125\141\317\023\327\046\260\327
- \234\313\051\213\070\112\013\016\220\215\272\241
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "WoSign China"
- # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
- # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
- # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
- # Not Valid Before: Sat Aug 08 01:00:01 2009
- # Not Valid After : Mon Aug 08 01:00:01 2039
- # Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
-@@ -23947,16 +23579,17 @@
- \100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336
- \274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116
- \166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245
- \320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174
- \372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354
- \265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
- \065\123\205\006\112\135\237\255\273\033\137\164
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "COMODO RSA Certification Authority"
- # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
- # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
- # Not Valid Before: Tue Jan 19 00:00:00 2010
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
-@@ -24128,16 +23761,17 @@
- \245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301
- \260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201
- \057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217
- \173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135
- \231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306
- \216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
- \250\375
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "USERTrust RSA Certification Authority"
- # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
- # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
- # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
- # Not Valid Before: Mon Feb 01 00:00:00 2010
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
-@@ -24256,16 +23890,17 @@
- \066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001
- \317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035
- \372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115
- \002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326
- \104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304
- \242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
- \127\152\030
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "USERTrust ECC Certification Authority"
- # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
- # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
- # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
- # Not Valid Before: Mon Feb 01 00:00:00 2010
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
-@@ -24367,16 +24002,17 @@
- \270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060
- \012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105
- \002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227
- \220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274
- \242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107
- \322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354
- \173\013\370\237\204
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "GlobalSign ECC Root CA - R4"
- # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
- # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
- # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
- # Not Valid Before: Tue Nov 13 00:00:00 2012
- # Not Valid After : Tue Jan 19 03:14:07 2038
- # Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
-@@ -24479,16 +24115,17 @@
- \345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375
- \232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240
- \347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142
- \002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222
- \073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316
- \307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146
- \220\067
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "GlobalSign ECC Root CA - R5"
- # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
- # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
- # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
- # Not Valid Before: Tue Nov 13 00:00:00 2012
- # Not Valid After : Tue Jan 19 03:14:07 2038
- # Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
-@@ -24653,16 +24290,17 @@
- \107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
- \264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
- \366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
- \134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
- \354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
- \013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
- \145\110\041\012\057\327\334\176\240\314\145\176\171
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
- # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
- # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Thu Mar 26 00:00:00 2009
- # Not Valid After : Sun Mar 24 23:59:59 2019
- # Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
-@@ -24824,16 +24462,17 @@
- \325\131\242\211\164\323\237\276\036\113\327\306\155\267\210\044
- \157\140\221\244\202\205\133\126\101\274\320\104\253\152\023\276
- \321\054\130\267\022\063\130\262\067\143\334\023\365\224\035\077
- \100\121\365\117\365\072\355\310\305\353\302\036\035\026\225\172
- \307\176\102\161\223\156\113\025\267\060\337\252\355\127\205\110
- \254\035\152\335\071\151\344\341\171\170\276\316\005\277\241\014
- \367\200\173\041\147\047\060\131
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Staat der Nederlanden Root CA - G3"
- # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
- # Serial Number: 10003001 (0x98a239)
- # Subject: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL
- # Not Valid Before: Thu Nov 14 11:28:42 2013
- # Not Valid After : Mon Nov 13 23:00:00 2028
- # Fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
-@@ -24987,16 +24626,17 @@
- \170\157\120\202\104\120\077\146\006\212\253\103\204\126\112\017
- \040\055\206\016\365\322\333\322\172\212\113\315\245\350\116\361
- \136\046\045\001\131\043\240\176\322\366\176\041\127\327\047\274
- \025\127\114\244\106\301\340\203\036\014\114\115\037\117\006\031
- \342\371\250\364\072\202\241\262\171\103\171\326\255\157\172\047
- \220\003\244\352\044\207\077\331\275\331\351\362\137\120\111\034
- \356\354\327\056
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Staat der Nederlanden EV Root CA"
- # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
- # Serial Number: 10000013 (0x98968d)
- # Subject: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
- # Not Valid Before: Wed Dec 08 11:19:29 2010
- # Not Valid After : Thu Dec 08 11:10:28 2022
- # Fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
-@@ -25148,16 +24788,17 @@
- \312\112\201\153\136\013\363\121\341\164\053\351\176\047\247\331
- \231\111\116\370\245\200\333\045\017\034\143\142\212\311\063\147
- \153\074\020\203\306\255\336\250\315\026\216\215\360\007\067\161
- \237\362\253\374\101\365\301\213\354\000\067\135\011\345\116\200
- \357\372\261\134\070\006\245\033\112\341\334\070\055\074\334\253
- \037\220\032\325\112\234\356\321\160\154\314\356\364\127\370\030
- \272\204\156\207
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "IdenTrust Commercial Root CA 1"
- # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
- # Serial Number:0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
- # Subject: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US
- # Not Valid Before: Thu Jan 16 18:12:23 2014
- # Not Valid After : Mon Jan 16 18:12:23 2034
- # Fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
-@@ -25309,16 +24950,17 @@
- \150\011\061\161\360\155\370\116\107\373\326\205\356\305\130\100
- \031\244\035\247\371\113\103\067\334\150\132\117\317\353\302\144
- \164\336\264\025\331\364\124\124\032\057\034\327\227\161\124\220
- \216\331\040\235\123\053\177\253\217\342\352\060\274\120\067\357
- \361\107\265\175\174\054\004\354\150\235\264\111\104\020\364\162
- \113\034\144\347\374\346\153\220\335\151\175\151\375\000\126\245
- \267\254\266\255\267\312\076\001\357\234
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "IdenTrust Public Sector Root CA 1"
- # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
- # Serial Number:0a:01:42:80:00:00:01:45:23:cf:46:7c:00:00:00:02
- # Subject: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US
- # Not Valid Before: Thu Jan 16 17:53:32 2014
- # Not Valid After : Mon Jan 16 17:53:32 2034
- # Fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
-@@ -25453,16 +25095,17 @@
- \217\252\302\107\057\024\161\325\051\343\020\265\107\223\045\314
- \043\051\332\267\162\330\221\324\354\033\110\212\042\344\301\052
- \367\072\150\223\237\105\031\156\103\267\314\376\270\221\232\141
- \032\066\151\143\144\222\050\363\157\141\222\205\023\237\311\007
- \054\213\127\334\353\236\171\325\302\336\010\325\124\262\127\116
- \052\062\215\241\342\072\321\020\040\042\071\175\064\105\157\161
- \073\303\035\374\377\262\117\250\342\366\060\036
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "S-TRUST Universal Root CA"
- # Issuer: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
- # Serial Number:60:56:c5:4b:23:40:5b:64:d4:ed:25:da:d9:d6:1e:1e
- # Subject: CN=S-TRUST Universal Root CA,OU=S-TRUST Certification Services,O=Deutscher Sparkassen Verlag GmbH,C=DE
- # Not Valid Before: Tue Oct 22 00:00:00 2013
- # Not Valid After : Thu Oct 21 23:59:59 2038
- # Fingerprint (SHA-256): D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
-@@ -25615,16 +25258,17 @@
- \274\075\320\204\350\352\006\162\260\115\071\062\170\277\076\021
- \234\013\244\235\232\041\363\360\233\013\060\170\333\301\334\207
- \103\376\274\143\232\312\305\302\034\311\307\215\377\073\022\130
- \010\346\266\075\354\172\054\116\373\203\226\316\014\074\151\207
- \124\163\244\163\302\223\377\121\020\254\025\124\001\330\374\005
- \261\211\241\177\164\203\232\111\327\334\116\173\212\110\157\213
- \105\366
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Entrust Root Certification Authority - G2"
- # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
- # Serial Number: 1246989352 (0x4a538c28)
- # Subject: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
- # Not Valid Before: Tue Jul 07 17:25:54 2009
- # Not Valid After : Sat Dec 07 17:55:54 2030
- # Fingerprint (SHA-256): 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
-@@ -25759,16 +25403,17 @@
- \075\004\003\003\003\147\000\060\144\002\060\141\171\330\345\102
- \107\337\034\256\123\231\027\266\157\034\175\341\277\021\224\321
- \003\210\165\344\215\211\244\212\167\106\336\155\141\357\002\365
- \373\265\337\314\376\116\377\376\251\346\247\002\060\133\231\327
- \205\067\006\265\173\010\375\353\047\213\112\224\371\341\372\247
- \216\046\010\350\174\222\150\155\163\330\157\046\254\041\002\270
- \231\267\046\101\133\045\140\256\320\110\032\356\006
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Entrust Root Certification Authority - EC1"
- # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
- # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
- # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
- # Not Valid Before: Tue Dec 18 15:25:36 2012
- # Not Valid After : Fri Dec 18 15:55:36 2037
- # Fingerprint (SHA-256): 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
-@@ -25931,16 +25576,17 @@
- \110\171\140\212\303\327\023\134\370\162\100\337\112\313\317\231
- \000\012\000\013\021\225\332\126\105\003\210\012\237\147\320\325
- \171\261\250\215\100\155\015\302\172\100\372\363\137\144\107\222
- \313\123\271\273\131\316\117\375\320\025\123\001\330\337\353\331
- \346\166\357\320\043\273\073\251\171\263\325\002\051\315\211\243
- \226\017\112\065\347\116\102\300\165\315\007\317\346\054\353\173
- \056
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "CFCA EV ROOT"
- # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
- # Serial Number: 407555286 (0x184accd6)
- # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
- # Not Valid Before: Wed Aug 08 03:07:01 2012
- # Not Valid After : Mon Dec 31 03:07:01 2029
- # Fingerprint (SHA-256): 5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD
-@@ -26228,16 +25874,17 @@
- \245\346\025\204\067\360\302\362\145\226\222\220\167\360\255\364
- \220\351\021\170\327\223\211\300\075\013\272\051\364\350\231\235
- \162\216\355\235\057\356\222\175\241\361\377\135\272\063\140\205
- \142\376\007\002\241\204\126\106\276\226\012\232\023\327\041\114
- \267\174\007\237\116\116\077\221\164\373\047\235\021\314\335\346
- \261\312\161\115\023\027\071\046\305\051\041\053\223\051\152\226
- \372\253\101\341\113\266\065\013\300\233\025
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
- # Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
- # Serial Number:00:8e:17:fe:24:20:81
- # Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H5,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
- # Not Valid Before: Tue Apr 30 08:07:01 2013
- # Not Valid After : Fri Apr 28 08:07:01 2023
- # Fingerprint (SHA-256): 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
-@@ -26272,176 +25919,16 @@
- \002\007\000\216\027\376\044\040\201
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- #
--# Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--#
--# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Serial Number:7d:a1:f2:65:ec:8a
--# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Not Valid Before: Wed Dec 18 09:04:10 2013
--# Not Valid After : Sat Dec 16 09:04:10 2023
--# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
--# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
--CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
--CKA_SUBJECT MULTILINE_OCTAL
--\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
--\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
--\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
--\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
--\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
--\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
--\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
--\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
--\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
--\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
--\261\040\110\066
--END
--CKA_ID UTF8 "0"
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
--\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
--\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
--\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
--\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
--\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
--\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
--\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
--\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
--\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
--\261\040\110\066
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\006\175\241\362\145\354\212
--END
--CKA_VALUE MULTILINE_OCTAL
--\060\202\004\046\060\202\003\016\240\003\002\001\002\002\006\175
--\241\362\145\354\212\060\015\006\011\052\206\110\206\367\015\001
--\001\013\005\000\060\201\261\061\013\060\011\006\003\125\004\006
--\023\002\124\122\061\017\060\015\006\003\125\004\007\014\006\101
--\156\153\141\162\141\061\115\060\113\006\003\125\004\012\014\104
--\124\303\234\122\113\124\122\125\123\124\040\102\151\154\147\151
--\040\304\260\154\145\164\151\305\237\151\155\040\166\145\040\102
--\151\154\151\305\237\151\155\040\107\303\274\166\145\156\154\151
--\304\237\151\040\110\151\172\155\145\164\154\145\162\151\040\101
--\056\305\236\056\061\102\060\100\006\003\125\004\003\014\071\124
--\303\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162
--\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040\110
--\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261\143
--\304\261\163\304\261\040\110\066\060\036\027\015\061\063\061\062
--\061\070\060\071\060\064\061\060\132\027\015\062\063\061\062\061
--\066\060\071\060\064\061\060\132\060\201\261\061\013\060\011\006
--\003\125\004\006\023\002\124\122\061\017\060\015\006\003\125\004
--\007\014\006\101\156\153\141\162\141\061\115\060\113\006\003\125
--\004\012\014\104\124\303\234\122\113\124\122\125\123\124\040\102
--\151\154\147\151\040\304\260\154\145\164\151\305\237\151\155\040
--\166\145\040\102\151\154\151\305\237\151\155\040\107\303\274\166
--\145\156\154\151\304\237\151\040\110\151\172\155\145\164\154\145
--\162\151\040\101\056\305\236\056\061\102\060\100\006\003\125\004
--\003\014\071\124\303\234\122\113\124\122\125\123\124\040\105\154
--\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
--\153\141\040\110\151\172\155\145\164\040\123\141\304\237\154\141
--\171\304\261\143\304\261\163\304\261\040\110\066\060\202\001\042
--\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
--\202\001\017\000\060\202\001\012\002\202\001\001\000\235\260\150
--\326\350\275\024\226\243\000\012\232\361\364\307\314\221\115\161
--\170\167\271\367\041\046\025\163\121\026\224\011\107\005\342\063
--\365\150\232\065\377\334\113\057\062\307\260\355\342\202\345\157
--\332\332\352\254\306\006\317\045\015\101\201\366\301\070\042\275
--\371\261\245\246\263\001\274\077\120\027\053\366\351\146\125\324
--\063\263\134\370\103\040\170\223\125\026\160\031\062\346\211\327
--\144\353\275\110\120\375\366\320\101\003\302\164\267\375\366\200
--\317\133\305\253\244\326\225\022\233\347\227\023\062\003\351\324
--\253\103\133\026\355\063\042\144\051\266\322\223\255\057\154\330
--\075\266\366\035\016\064\356\322\175\251\125\017\040\364\375\051
--\273\221\133\034\175\306\102\070\155\102\050\155\324\001\373\315
--\210\227\111\176\270\363\203\370\265\230\057\263\047\013\110\136
--\126\347\116\243\063\263\104\326\245\362\030\224\355\034\036\251
--\225\134\142\112\370\015\147\121\251\257\041\325\370\062\235\171
--\272\032\137\345\004\125\115\023\106\377\362\317\164\307\032\143
--\155\303\037\027\022\303\036\020\076\140\010\263\061\002\003\001
--\000\001\243\102\060\100\060\035\006\003\125\035\016\004\026\004
--\024\335\125\027\023\366\254\350\110\041\312\357\265\257\321\000
--\062\355\236\214\265\060\016\006\003\125\035\017\001\001\377\004
--\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
--\005\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015
--\001\001\013\005\000\003\202\001\001\000\157\130\015\227\103\252
--\026\124\076\277\251\337\222\105\077\205\013\273\126\323\014\122
--\314\310\277\166\147\136\346\252\263\247\357\271\254\264\020\024
--\015\164\176\075\155\255\321\175\320\232\251\245\312\030\073\002
--\100\056\052\234\120\024\213\376\127\176\127\134\021\011\113\066
--\105\122\367\075\254\024\375\104\337\213\227\043\324\303\301\356
--\324\123\225\376\054\112\376\015\160\252\273\213\057\055\313\062
--\243\202\362\124\337\330\362\335\327\110\162\356\112\243\051\226
--\303\104\316\156\265\222\207\166\244\273\364\222\154\316\054\024
--\011\146\216\215\255\026\265\307\033\011\141\073\343\040\242\003
--\200\216\255\176\121\000\116\307\226\206\373\103\230\167\175\050
--\307\217\330\052\156\347\204\157\227\101\051\000\026\136\115\342
--\023\352\131\300\143\147\072\104\373\230\374\004\323\060\162\246
--\366\207\011\127\255\166\246\035\143\232\375\327\145\310\170\203
--\053\165\073\245\133\270\015\135\177\276\043\256\126\125\224\130
--\357\037\201\214\052\262\315\346\233\143\236\030\274\345\153\006
--\264\013\230\113\050\136\257\210\130\313
--END
--
--# Trust for "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--# Issuer: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Serial Number:7d:a1:f2:65:ec:8a
--# Subject: CN=T..RKTRUST Elektronik Sertifika Hizmet Sa..lay..c..s.. H6,O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A....,L=Ankara,C=TR
--# Not Valid Before: Wed Dec 18 09:04:10 2013
--# Not Valid After : Sat Dec 16 09:04:10 2023
--# Fingerprint (SHA-256): 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
--# Fingerprint (SHA1): 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
--CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
--CKA_TOKEN CK_BBOOL CK_TRUE
--CKA_PRIVATE CK_BBOOL CK_FALSE
--CKA_MODIFIABLE CK_BBOOL CK_FALSE
--CKA_LABEL UTF8 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
--CKA_CERT_SHA1_HASH MULTILINE_OCTAL
--\212\134\214\356\245\003\346\005\126\272\330\033\324\366\311\260
--\355\345\057\340
--END
--CKA_CERT_MD5_HASH MULTILINE_OCTAL
--\370\305\356\052\153\276\225\215\010\367\045\112\352\161\076\106
--END
--CKA_ISSUER MULTILINE_OCTAL
--\060\201\261\061\013\060\011\006\003\125\004\006\023\002\124\122
--\061\017\060\015\006\003\125\004\007\014\006\101\156\153\141\162
--\141\061\115\060\113\006\003\125\004\012\014\104\124\303\234\122
--\113\124\122\125\123\124\040\102\151\154\147\151\040\304\260\154
--\145\164\151\305\237\151\155\040\166\145\040\102\151\154\151\305
--\237\151\155\040\107\303\274\166\145\156\154\151\304\237\151\040
--\110\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056
--\061\102\060\100\006\003\125\004\003\014\071\124\303\234\122\113
--\124\122\125\123\124\040\105\154\145\153\164\162\157\156\151\153
--\040\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145
--\164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
--\261\040\110\066
--END
--CKA_SERIAL_NUMBER MULTILINE_OCTAL
--\002\006\175\241\362\145\354\212
--END
--CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
--CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
--CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--
--#
- # Certificate "Certinomis - Root CA"
- #
- # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
- # Serial Number: 1 (0x1)
- # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
- # Not Valid Before: Mon Oct 21 09:17:18 2013
- # Not Valid After : Fri Oct 21 09:17:18 2033
- # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
-@@ -26559,16 +26046,17 @@
- \307\132\141\315\217\201\140\025\115\200\335\220\342\175\304\120
- \362\214\073\156\112\307\306\346\200\053\074\201\274\021\200\026
- \020\047\327\360\315\077\171\314\163\052\303\176\123\221\326\156
- \370\365\363\307\320\121\115\216\113\245\133\346\031\027\073\326
- \201\011\334\042\334\356\216\271\304\217\123\341\147\273\063\270
- \210\025\106\317\355\151\065\377\165\015\106\363\316\161\341\305
- \153\206\102\006\271\101
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Certinomis - Root CA"
- # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
- # Serial Number: 1 (0x1)
- # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
- # Not Valid Before: Mon Oct 21 09:17:18 2013
- # Not Valid After : Fri Oct 21 09:17:18 2033
- # Fingerprint (SHA-256): 2A:99:F5:BC:11:74:B7:3C:BB:1D:62:08:84:E0:1C:34:E5:1C:CB:39:78:DA:12:5F:0E:33:26:88:83:BF:41:58
-@@ -26697,16 +26185,17 @@
- \265\253\226\300\264\113\242\035\227\236\172\362\156\100\161\337
- \150\361\145\115\316\174\005\337\123\145\251\245\360\261\227\004
- \160\025\106\003\230\324\322\277\124\264\240\130\175\122\157\332
- \126\046\142\324\330\333\211\061\157\034\360\042\302\323\142\034
- \065\315\114\151\025\124\032\220\230\336\353\036\137\312\167\307
- \313\216\075\103\151\234\232\130\320\044\073\337\033\100\226\176
- \065\255\201\307\116\161\272\210\023
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "OISTE WISeKey Global Root GB CA"
- # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
- # Serial Number:76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0
- # Subject: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
- # Not Valid Before: Mon Dec 01 15:00:32 2014
- # Not Valid After : Thu Dec 01 15:10:31 2039
- # Fingerprint (SHA-256): 6B:9C:08:E8:6E:B0:F7:67:CF:AD:65:CD:98:B6:21:49:E5:49:4A:67:F5:84:5E:7B:D1:ED:01:9F:27:B8:6B:D6
-@@ -26831,16 +26320,17 @@
- \171\266\063\131\272\017\304\013\342\160\240\113\170\056\372\310
- \237\375\257\221\145\012\170\070\025\345\227\027\024\335\371\340
- \054\064\370\070\320\204\042\000\300\024\121\030\053\002\334\060
- \132\360\350\001\174\065\072\043\257\010\344\257\252\216\050\102
- \111\056\360\365\231\064\276\355\017\113\030\341\322\044\074\273
- \135\107\267\041\362\215\321\012\231\216\343\156\076\255\160\340
- \217\271\312\314\156\201\061\366\173\234\172\171\344\147\161\030
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Certification Authority of WoSign G2"
- # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
- # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
- # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
- # Not Valid Before: Sat Nov 08 00:58:58 2014
- # Not Valid After : Tue Nov 08 00:58:58 2044
- # Fingerprint (SHA-256): D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
-@@ -26939,16 +26429,17 @@
- \004\003\003\003\150\000\060\145\002\061\000\344\244\204\260\201
- \325\075\260\164\254\224\244\350\016\075\000\164\114\241\227\153
- \371\015\121\074\241\331\073\364\015\253\251\237\276\116\162\312
- \205\324\331\354\265\062\105\030\157\253\255\002\060\175\307\367
- \151\143\057\241\341\230\357\023\020\321\171\077\321\376\352\073
- \177\336\126\364\220\261\025\021\330\262\042\025\320\057\303\046
- \056\153\361\221\262\220\145\364\232\346\220\356\112
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "CA WoSign ECC Root"
- # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
- # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
- # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
- # Not Valid Before: Sat Nov 08 00:58:58 2014
- # Not Valid After : Tue Nov 08 00:58:58 2044
- # Fingerprint (SHA-256): 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
-@@ -27071,16 +26562,17 @@
- \322\324\141\372\325\025\333\327\237\207\121\124\353\245\343\353
- \311\205\240\045\040\067\373\216\316\014\064\204\341\074\201\262
- \167\116\103\245\210\137\206\147\241\075\346\264\134\141\266\076
- \333\376\267\050\305\242\007\256\265\312\312\215\052\022\357\227
- \355\302\060\244\311\052\172\373\363\115\043\033\231\063\064\240
- \056\365\251\013\077\324\135\341\317\204\237\342\031\302\137\212
- \326\040\036\343\163\267
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "SZAFIR ROOT CA2"
- # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
- # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
- # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
- # Not Valid Before: Mon Oct 19 07:43:30 2015
- # Not Valid After : Fri Oct 19 07:43:30 2035
- # Fingerprint (SHA-256): A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
-@@ -27248,16 +26740,17 @@
- \134\002\312\054\330\157\112\007\331\311\065\332\100\165\362\304
- \247\031\157\236\102\020\230\165\346\225\213\140\274\355\305\022
- \327\212\316\325\230\134\126\226\003\305\356\167\006\065\377\317
- \344\356\077\023\141\356\333\332\055\205\360\315\256\235\262\030
- \011\105\303\222\241\162\027\374\107\266\240\013\054\361\304\336
- \103\150\010\152\137\073\360\166\143\373\314\006\054\246\306\342
- \016\265\271\276\044\217
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Certum Trusted Network CA 2"
- # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
- # Serial Number:21:d6:d0:4a:4f:25:0f:c9:32:37:fc:aa:5e:12:8d:e9
- # Subject: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
- # Not Valid Before: Thu Oct 06 08:39:56 2011
- # Not Valid After : Sat Oct 06 08:39:56 2046
- # Fingerprint (SHA-256): B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04
-@@ -27434,16 +26927,17 @@
- \245\314\073\330\167\067\060\242\117\331\157\321\362\100\255\101
- \172\027\305\326\112\065\211\267\101\325\174\206\177\125\115\203
- \112\245\163\040\300\072\257\220\361\232\044\216\331\216\161\312
- \173\270\206\332\262\217\231\076\035\023\015\022\021\356\324\253
- \360\351\025\166\002\344\340\337\252\040\036\133\141\205\144\100
- \251\220\227\015\255\123\322\132\035\207\152\000\227\145\142\264
- \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Hellenic Academic and Research Institutions RootCA 2015"
- # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
- # Serial Number: 0 (0x0)
- # Subject: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
- # Not Valid Before: Tue Jul 07 10:11:21 2015
- # Not Valid After : Sat Jun 30 10:11:21 2040
- # Fingerprint (SHA-256): A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
-@@ -27569,16 +27063,17 @@
- \000\060\144\002\060\147\316\026\142\070\242\254\142\105\247\251
- \225\044\300\032\047\234\062\073\300\300\325\272\251\347\370\004
- \103\123\205\356\122\041\336\235\365\045\203\076\236\130\113\057
- \327\147\023\016\041\002\060\005\341\165\001\336\150\355\052\037
- \115\114\011\010\015\354\113\255\144\027\050\347\165\316\105\145
- \162\041\027\313\042\101\016\214\023\230\070\232\124\155\233\312
- \342\174\352\002\130\042\221
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015"
- # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
- # Serial Number: 0 (0x0)
- # Subject: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
- # Not Valid Before: Tue Jul 07 10:37:12 2015
- # Not Valid After : Sat Jun 30 10:37:12 2040
- # Fingerprint (SHA-256): 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
-@@ -27733,16 +27228,17 @@
- \040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271
- \203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372
- \141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166
- \202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145
- \373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213
- \244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300
- \014\115\123\315\044\261\114\133\036\121\364\337\351\222\372
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Certplus Root CA G1"
- # Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
- # Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
- # Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
- # Not Valid Before: Mon May 26 00:00:00 2014
- # Not Valid After : Fri Jan 15 00:00:00 2038
- # Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
-@@ -27838,16 +27334,17 @@
- \110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260
- \013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063
- \230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041
- \247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000
- \206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150
- \345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245
- \123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Certplus Root CA G2"
- # Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
- # Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
- # Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
- # Not Valid Before: Mon May 26 00:00:00 2014
- # Not Valid After : Fri Jan 15 00:00:00 2038
- # Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
-@@ -27999,16 +27496,17 @@
- \076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340
- \021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011
- \212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111
- \003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034
- \262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336
- \315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043
- \326\214\161
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "OpenTrust Root CA G1"
- # Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
- # Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
- # Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
- # Not Valid Before: Mon May 26 08:45:50 2014
- # Not Valid After : Fri Jan 15 00:00:00 2038
- # Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
-@@ -28161,16 +27659,17 @@
- \210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140
- \237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225
- \010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037
- \130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030
- \170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377
- \174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014
- \113\122\012
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "OpenTrust Root CA G2"
- # Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
- # Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
- # Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
- # Not Valid Before: Mon May 26 00:00:00 2014
- # Not Valid After : Fri Jan 15 00:00:00 2038
- # Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
-@@ -28270,16 +27769,17 @@
- \061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051
- \001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252
- \217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217
- \221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373
- \132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161
- \342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352
- \315\215\361\373\301
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "OpenTrust Root CA G3"
- # Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
- # Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
- # Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
- # Not Valid Before: Mon May 26 00:00:00 2014
- # Not Valid After : Fri Jan 15 00:00:00 2038
- # Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
-@@ -28433,16 +27933,17 @@
- \242\320\141\070\341\226\270\254\135\213\067\327\165\325\063\300
- \231\021\256\235\101\301\162\165\204\276\002\101\102\137\147\044
- \110\224\321\233\047\276\007\077\271\270\117\201\164\121\341\172
- \267\355\235\043\342\276\340\325\050\004\023\074\061\003\236\335
- \172\154\217\306\007\030\306\177\336\107\216\077\050\236\004\006
- \317\245\124\064\167\275\354\211\233\351\027\103\337\133\333\137
- \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "ISRG Root X1"
- # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
- # Serial Number:00:82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
- # Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
- # Not Valid Before: Thu Jun 04 11:04:38 2015
- # Not Valid After : Mon Jun 04 11:04:38 2035
- # Fingerprint (SHA-256): 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
-@@ -28595,16 +28096,17 @@
- \152\260\272\061\222\102\100\152\276\072\323\162\341\152\067\125
- \274\254\035\225\267\151\141\362\103\221\164\346\240\323\012\044
- \106\241\010\257\326\332\105\031\226\324\123\035\133\204\171\360
- \300\367\107\357\213\217\305\006\256\235\114\142\235\377\106\004
- \370\323\311\266\020\045\100\165\376\026\252\311\112\140\206\057
- \272\357\060\167\344\124\342\270\204\231\130\200\252\023\213\121
- \072\117\110\366\213\266\263
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "AC RAIZ FNMT-RCM"
- # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
- # Serial Number:5d:93:8d:30:67:36:c8:06:1d:1a:c7:54:84:69:07
- # Subject: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES
- # Not Valid Before: Wed Oct 29 15:59:56 2008
- # Not Valid After : Tue Jan 01 00:00:00 2030
- # Fingerprint (SHA-256): EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
-@@ -28719,16 +28221,17 @@
- \331\017\110\160\232\331\165\170\161\321\162\103\064\165\156\127
- \131\302\002\134\046\140\051\317\043\031\026\216\210\103\245\324
- \344\313\010\373\043\021\103\350\103\051\162\142\241\251\135\136
- \010\324\220\256\270\330\316\024\302\320\125\362\206\366\304\223
- \103\167\146\141\300\271\350\101\327\227\170\140\003\156\112\162
- \256\245\321\175\272\020\236\206\154\033\212\271\131\063\370\353
- \304\220\276\361\271
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Amazon Root CA 1"
- # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US
- # Serial Number:06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
- # Subject: CN=Amazon Root CA 1,O=Amazon,C=US
- # Not Valid Before: Tue May 26 00:00:00 2015
- # Not Valid After : Sun Jan 17 00:00:00 2038
- # Fingerprint (SHA-256): 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
-@@ -28875,16 +28378,17 @@
- \357\242\245\134\214\167\051\247\150\300\153\256\100\322\250\264
- \352\315\360\215\113\070\234\031\232\033\050\124\270\211\220\357
- \312\165\201\076\036\362\144\044\307\030\257\116\377\107\236\007
- \366\065\145\244\323\012\126\377\365\027\144\154\357\250\042\045
- \111\223\266\337\000\027\332\130\176\135\356\305\033\260\321\321
- \137\041\020\307\371\363\272\002\012\047\007\305\361\326\307\323
- \340\373\011\140\154
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Amazon Root CA 2"
- # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US
- # Serial Number:06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
- # Subject: CN=Amazon Root CA 2,O=Amazon,C=US
- # Not Valid Before: Tue May 26 00:00:00 2015
- # Not Valid After : Sat May 26 00:00:00 2040
- # Fingerprint (SHA-256): 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
-@@ -28974,16 +28478,17 @@
- \266\333\327\006\236\067\254\060\206\007\221\160\307\234\304\031
- \261\170\300\060\012\006\010\052\206\110\316\075\004\003\002\003
- \111\000\060\106\002\041\000\340\205\222\243\027\267\215\371\053
- \006\245\223\254\032\230\150\141\162\372\341\241\320\373\034\170
- \140\246\103\231\305\270\304\002\041\000\234\002\357\361\224\234
- \263\226\371\353\306\052\370\266\054\376\072\220\024\026\327\214
- \143\044\110\034\337\060\175\325\150\073
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Amazon Root CA 3"
- # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US
- # Serial Number:06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
- # Subject: CN=Amazon Root CA 3,O=Amazon,C=US
- # Not Valid Before: Tue May 26 00:00:00 2015
- # Not Valid After : Sat May 26 00:00:00 2040
- # Fingerprint (SHA-256): 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
-@@ -29077,16 +28582,17 @@
- \145\002\060\072\213\041\361\275\176\021\255\320\357\130\226\057
- \326\353\235\176\220\215\053\317\146\125\303\054\343\050\251\160
- \012\107\016\360\067\131\022\377\055\231\224\050\116\052\117\065
- \115\063\132\002\061\000\352\165\000\116\073\304\072\224\022\221
- \311\130\106\235\041\023\162\247\210\234\212\344\114\112\333\226
- \324\254\213\153\153\111\022\123\063\255\327\344\276\044\374\265
- \012\166\324\245\274\020
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Amazon Root CA 4"
- # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US
- # Serial Number:06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
- # Subject: CN=Amazon Root CA 4,O=Amazon,C=US
- # Not Valid Before: Tue May 26 00:00:00 2015
- # Not Valid After : Sat May 26 00:00:00 2040
- # Fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
-@@ -29243,16 +28749,17 @@
- \105\111\231\164\221\260\004\157\343\004\132\261\253\052\253\376
- \307\320\226\266\332\341\112\144\006\156\140\115\275\102\116\377
- \170\332\044\312\033\264\327\226\071\154\256\361\016\252\247\175
- \110\213\040\114\317\144\326\270\227\106\260\116\321\052\126\072
- \240\223\275\257\200\044\340\012\176\347\312\325\312\350\205\125
- \334\066\052\341\224\150\223\307\146\162\104\017\200\041\062\154
- \045\307\043\200\203\012\353
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "LuxTrust Global Root 2"
- # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
- # Serial Number:0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
- # Subject: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU
- # Not Valid Before: Thu Mar 05 13:21:57 2015
- # Not Valid After : Mon Mar 05 13:21:57 2035
- # Fingerprint (SHA-256): 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
-@@ -29391,16 +28898,17 @@
- \347\066\321\041\150\113\055\070\346\123\256\034\045\126\010\126
- \003\147\204\235\306\303\316\044\142\307\114\066\317\260\006\104
- \267\365\137\002\335\331\124\351\057\220\116\172\310\116\203\100
- \014\232\227\074\067\277\277\354\366\360\264\205\167\050\301\013
- \310\147\202\020\027\070\242\267\006\352\233\277\072\370\351\043
- \007\277\164\340\230\070\025\125\170\356\162\000\134\031\243\364
- \322\063\340\377\275\321\124\071\051\017
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Symantec Class 1 Public Primary Certification Authority - G6"
- # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Serial Number:24:32:75:f2:1d:2f:d2:09:33:f7:b4:6a:ca:d0:f3:98
- # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Not Valid Before: Tue Oct 18 00:00:00 2011
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (SHA-256): 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
-@@ -29544,16 +29052,17 @@
- \111\315\245\243\214\151\171\045\256\270\114\154\213\100\146\113
- \026\077\317\002\032\335\341\154\153\007\141\152\166\025\051\231
- \177\033\335\210\200\301\277\265\217\163\305\246\226\043\204\246
- \050\206\044\063\152\001\056\127\163\045\266\136\277\217\346\035
- \141\250\100\051\147\035\207\233\035\177\233\237\231\315\061\326
- \124\276\142\273\071\254\150\022\110\221\040\245\313\261\335\376
- \157\374\132\344\202\125\131\257\061\251
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Symantec Class 2 Public Primary Certification Authority - G6"
- # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Serial Number:64:82:9e:fc:37:1e:74:5d:fc:97:ff:97:c8:b1:ff:41
- # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Not Valid Before: Tue Oct 18 00:00:00 2011
- # Not Valid After : Tue Dec 01 23:59:59 2037
- # Fingerprint (SHA-256): CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
-@@ -29676,16 +29185,17 @@
- \003\003\151\000\060\146\002\061\000\245\256\343\106\123\370\230
- \066\343\042\372\056\050\111\015\356\060\176\063\363\354\077\161
- \136\314\125\211\170\231\254\262\375\334\034\134\063\216\051\271
- \153\027\310\021\150\265\334\203\007\002\061\000\234\310\104\332
- \151\302\066\303\124\031\020\205\002\332\235\107\357\101\347\154
- \046\235\011\075\367\155\220\321\005\104\057\260\274\203\223\150
- \362\014\105\111\071\277\231\004\034\323\020\240
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Symantec Class 1 Public Primary Certification Authority - G4"
- # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Serial Number:21:6e:33:a5:cb:d3:88:a4:6f:29:07:b4:27:3c:c4:d8
- # Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Not Valid Before: Wed Oct 05 00:00:00 2011
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (SHA-256): 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
-@@ -29808,16 +29318,17 @@
- \003\003\151\000\060\146\002\061\000\310\246\251\257\101\177\265
- \311\021\102\026\150\151\114\134\270\047\030\266\230\361\300\177
- \220\155\207\323\214\106\027\360\076\117\374\352\260\010\304\172
- \113\274\010\057\307\342\247\157\145\002\061\000\326\131\336\206
- \316\137\016\312\124\325\306\320\025\016\374\213\224\162\324\216
- \000\130\123\317\176\261\113\015\345\120\206\353\236\153\337\377
- \051\246\330\107\331\240\226\030\333\362\105\263
- END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
- # Trust for "Symantec Class 2 Public Primary Certification Authority - G4"
- # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Serial Number:34:17:65:12:40:3b:b7:56:80:2d:80:cb:79:55:a6:1e
- # Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
- # Not Valid Before: Wed Oct 05 00:00:00 2011
- # Not Valid After : Mon Jan 18 23:59:59 2038
- # Fingerprint (SHA-256): FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
-@@ -29849,8 +29360,318 @@
- CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125
- \246\036
- END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "D-TRUST Root CA 3 2013"
-+#
-+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Serial Number: 1039788 (0xfddac)
-+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Not Valid Before: Fri Sep 20 08:25:51 2013
-+# Not Valid After : Wed Sep 20 08:25:51 2028
-+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
-+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
-+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
-+\040\063\040\062\060\061\063
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
-+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
-+\040\063\040\062\060\061\063
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\017\335\254
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\004\016\060\202\002\366\240\003\002\001\002\002\003\017
-+\335\254\060\015\006\011\052\206\110\206\367\015\001\001\013\005
-+\000\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105
-+\061\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165
-+\163\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003
-+\014\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103
-+\101\040\063\040\062\060\061\063\060\036\027\015\061\063\060\071
-+\062\060\060\070\062\065\065\061\132\027\015\062\070\060\071\062
-+\060\060\070\062\065\065\061\132\060\105\061\013\060\011\006\003
-+\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012
-+\014\014\104\055\124\162\165\163\164\040\107\155\142\110\061\037
-+\060\035\006\003\125\004\003\014\026\104\055\124\122\125\123\124
-+\040\122\157\157\164\040\103\101\040\063\040\062\060\061\063\060
-+\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-+\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-+\304\173\102\222\202\037\354\355\124\230\216\022\300\312\011\337
-+\223\156\072\223\134\033\344\020\167\236\116\151\210\154\366\341
-+\151\362\366\233\242\141\261\275\007\040\164\230\145\361\214\046
-+\010\315\250\065\312\200\066\321\143\155\350\104\172\202\303\154
-+\136\336\273\350\066\322\304\150\066\214\237\062\275\204\042\340
-+\334\302\356\020\106\071\155\257\223\071\256\207\346\303\274\011
-+\311\054\153\147\133\331\233\166\165\114\013\340\273\305\327\274
-+\076\171\362\137\276\321\220\127\371\256\366\146\137\061\277\323
-+\155\217\247\272\112\363\043\145\273\267\357\243\045\327\012\352
-+\130\266\357\210\372\372\171\262\122\130\325\360\254\214\241\121
-+\164\051\225\252\121\073\220\062\003\237\034\162\164\220\336\075
-+\355\141\322\345\343\375\144\107\345\271\267\112\251\367\037\256
-+\226\206\004\254\057\343\244\201\167\267\132\026\377\330\017\077
-+\366\267\170\314\244\257\372\133\074\022\133\250\122\211\162\357
-+\210\363\325\104\201\206\225\043\237\173\335\274\331\064\357\174
-+\224\074\252\300\101\302\343\235\120\032\300\344\031\042\374\263
-+\002\003\001\000\001\243\202\001\005\060\202\001\001\060\017\006
-+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
-+\006\003\125\035\016\004\026\004\024\077\220\310\175\307\025\157
-+\363\044\217\251\303\057\113\242\017\041\262\057\347\060\016\006
-+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\201\276
-+\006\003\125\035\037\004\201\266\060\201\263\060\164\240\162\240
-+\160\206\156\154\144\141\160\072\057\057\144\151\162\145\143\164
-+\157\162\171\056\144\055\164\162\165\163\164\056\156\145\164\057
-+\103\116\075\104\055\124\122\125\123\124\045\062\060\122\157\157
-+\164\045\062\060\103\101\045\062\060\063\045\062\060\062\060\061
-+\063\054\117\075\104\055\124\162\165\163\164\045\062\060\107\155
-+\142\110\054\103\075\104\105\077\143\145\162\164\151\146\151\143
-+\141\164\145\162\145\166\157\143\141\164\151\157\156\154\151\163
-+\164\060\073\240\071\240\067\206\065\150\164\164\160\072\057\057
-+\143\162\154\056\144\055\164\162\165\163\164\056\156\145\164\057
-+\143\162\154\057\144\055\164\162\165\163\164\137\162\157\157\164
-+\137\143\141\137\063\137\062\060\061\063\056\143\162\154\060\015
-+\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001
-+\001\000\016\131\016\130\344\164\110\043\104\317\064\041\265\234
-+\024\032\255\232\113\267\263\210\155\134\251\027\160\360\052\237
-+\215\173\371\173\205\372\307\071\350\020\010\260\065\053\137\317
-+\002\322\323\234\310\013\036\356\005\124\256\067\223\004\011\175
-+\154\217\302\164\274\370\034\224\276\061\001\100\055\363\044\040
-+\267\204\125\054\134\310\365\164\112\020\031\213\243\307\355\065
-+\326\011\110\323\016\300\272\071\250\260\106\002\260\333\306\210
-+\131\302\276\374\173\261\053\317\176\142\207\125\226\314\001\157
-+\233\147\041\225\065\213\370\020\374\161\033\267\113\067\151\246
-+\073\326\354\213\356\301\260\363\045\311\217\222\175\241\352\303
-+\312\104\277\046\245\164\222\234\343\164\353\235\164\331\313\115
-+\207\330\374\264\151\154\213\240\103\007\140\170\227\351\331\223
-+\174\302\106\274\233\067\122\243\355\212\074\023\251\173\123\113
-+\111\232\021\005\054\013\156\126\254\037\056\202\154\340\151\147
-+\265\016\155\055\331\344\300\025\361\077\372\030\162\341\025\155
-+\047\133\055\060\050\053\237\110\232\144\053\231\357\362\165\111
-+\137\134
-+END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-+
-+# Trust for "D-TRUST Root CA 3 2013"
-+# Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Serial Number: 1039788 (0xfddac)
-+# Subject: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE
-+# Not Valid Before: Fri Sep 20 08:25:51 2013
-+# Not Valid After : Wed Sep 20 08:25:51 2028
-+# Fingerprint (SHA-256): A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
-+# Fingerprint (SHA1): 6C:7C:CC:E7:D4:AE:51:5F:99:08:CD:3F:F6:E8:C3:78:DF:6F:EF:97
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "D-TRUST Root CA 3 2013"
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\154\174\314\347\324\256\121\137\231\010\315\077\366\350\303\170
-+\337\157\357\227
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\267\042\146\230\176\326\003\340\301\161\346\165\315\126\105\277
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\105\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-+\025\060\023\006\003\125\004\012\014\014\104\055\124\162\165\163
-+\164\040\107\155\142\110\061\037\060\035\006\003\125\004\003\014
-+\026\104\055\124\122\125\123\124\040\122\157\157\164\040\103\101
-+\040\063\040\062\060\061\063
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\017\335\254
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+#
-+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Serial Number: 1 (0x1)
-+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Not Valid Before: Mon Nov 25 08:25:55 2013
-+# Not Valid After : Sun Oct 25 08:25:55 2043
-+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
-+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
-+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
-+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
-+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
-+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
-+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
-+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
-+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
-+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
-+\162\165\155\040\061
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
-+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
-+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
-+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
-+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
-+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
-+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
-+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
-+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
-+\162\165\155\040\061
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\001\001
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\004\143\060\202\003\113\240\003\002\001\002\002\001\001
-+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-+\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-+\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145\040
-+\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003\125
-+\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154\151
-+\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157\152
-+\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165\162
-+\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055\060
-+\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145\162
-+\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153\145
-+\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060\064
-+\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040\113
-+\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040\123
-+\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165\162
-+\165\155\040\061\060\036\027\015\061\063\061\061\062\065\060\070
-+\062\065\065\065\132\027\015\064\063\061\060\062\065\060\070\062
-+\065\065\065\132\060\201\322\061\013\060\011\006\003\125\004\006
-+\023\002\124\122\061\030\060\026\006\003\125\004\007\023\017\107
-+\145\142\172\145\040\055\040\113\157\143\141\145\154\151\061\102
-+\060\100\006\003\125\004\012\023\071\124\165\162\153\151\171\145
-+\040\102\151\154\151\155\163\145\154\040\166\145\040\124\145\153
-+\156\157\154\157\152\151\153\040\101\162\141\163\164\151\162\155
-+\141\040\113\165\162\165\155\165\040\055\040\124\125\102\111\124
-+\101\113\061\055\060\053\006\003\125\004\013\023\044\113\141\155
-+\165\040\123\145\162\164\151\146\151\153\141\163\171\157\156\040
-+\115\145\162\153\145\172\151\040\055\040\113\141\155\165\040\123
-+\115\061\066\060\064\006\003\125\004\003\023\055\124\125\102\111
-+\124\101\113\040\113\141\155\165\040\123\115\040\123\123\114\040
-+\113\157\153\040\123\145\162\164\151\146\151\153\141\163\151\040
-+\055\040\123\165\162\165\155\040\061\060\202\001\042\060\015\006
-+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-+\000\060\202\001\012\002\202\001\001\000\257\165\060\063\252\273
-+\153\323\231\054\022\067\204\331\215\173\227\200\323\156\347\377
-+\233\120\225\076\220\225\126\102\327\031\174\046\204\215\222\372
-+\001\035\072\017\342\144\070\267\214\274\350\210\371\213\044\253
-+\056\243\365\067\344\100\216\030\045\171\203\165\037\073\377\154
-+\250\305\306\126\370\264\355\212\104\243\253\154\114\374\035\320
-+\334\357\150\275\317\344\252\316\360\125\367\242\064\324\203\153
-+\067\174\034\302\376\265\003\354\127\316\274\264\265\305\355\000
-+\017\123\067\052\115\364\117\014\203\373\206\317\313\376\214\116
-+\275\207\371\247\213\041\127\234\172\337\003\147\211\054\235\227
-+\141\247\020\270\125\220\177\016\055\047\070\164\337\347\375\332
-+\116\022\343\115\025\042\002\310\340\340\374\017\255\212\327\311
-+\124\120\314\073\017\312\026\200\204\320\121\126\303\216\126\177
-+\211\042\063\057\346\205\012\275\245\250\033\066\336\323\334\054
-+\155\073\307\023\275\131\043\054\346\345\244\367\330\013\355\352
-+\220\100\104\250\225\273\223\325\320\200\064\266\106\170\016\037
-+\000\223\106\341\356\351\371\354\117\027\002\003\001\000\001\243
-+\102\060\100\060\035\006\003\125\035\016\004\026\004\024\145\077
-+\307\212\206\306\074\335\074\124\134\065\370\072\355\122\014\107
-+\127\310\060\016\006\003\125\035\017\001\001\377\004\004\003\002
-+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-+\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
-+\005\000\003\202\001\001\000\052\077\341\361\062\216\256\341\230
-+\134\113\136\317\153\036\152\011\322\042\251\022\307\136\127\175
-+\163\126\144\200\204\172\223\344\011\271\020\315\237\052\047\341
-+\000\167\276\110\310\065\250\201\237\344\270\054\311\177\016\260
-+\322\113\067\135\352\271\325\013\136\064\275\364\163\051\303\355
-+\046\025\234\176\010\123\212\130\215\320\113\050\337\301\263\337
-+\040\363\371\343\343\072\337\314\234\224\330\116\117\303\153\027
-+\267\367\162\350\255\146\063\265\045\123\253\340\370\114\251\235
-+\375\362\015\272\256\271\331\252\306\153\371\223\273\256\253\270
-+\227\074\003\032\272\103\306\226\271\105\162\070\263\247\241\226
-+\075\221\173\176\300\041\123\114\207\355\362\013\124\225\121\223
-+\325\042\245\015\212\361\223\016\076\124\016\260\330\311\116\334
-+\362\061\062\126\352\144\371\352\265\235\026\146\102\162\363\177
-+\323\261\061\103\374\244\216\027\361\155\043\253\224\146\370\255
-+\373\017\010\156\046\055\177\027\007\011\262\214\373\120\300\237
-+\226\215\317\266\375\000\235\132\024\232\277\002\104\365\301\302
-+\237\042\136\242\017\241\343
-+END
-+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-+
-+# Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+# Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Serial Number: 1 (0x1)
-+# Subject: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-+# Not Valid Before: Mon Nov 25 08:25:55 2013
-+# Not Valid After : Sun Oct 25 08:25:55 2043
-+# Fingerprint (SHA-256): 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
-+# Fingerprint (SHA1): 31:43:64:9B:EC:CE:27:EC:ED:3A:3F:0B:8F:0D:E4:E8:91:DD:EE:CA
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\061\103\144\233\354\316\047\354\355\072\077\013\217\015\344\350
-+\221\335\356\312
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\334\000\201\334\151\057\076\057\260\073\366\075\132\221\216\111
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\201\322\061\013\060\011\006\003\125\004\006\023\002\124\122
-+\061\030\060\026\006\003\125\004\007\023\017\107\145\142\172\145
-+\040\055\040\113\157\143\141\145\154\151\061\102\060\100\006\003
-+\125\004\012\023\071\124\165\162\153\151\171\145\040\102\151\154
-+\151\155\163\145\154\040\166\145\040\124\145\153\156\157\154\157
-+\152\151\153\040\101\162\141\163\164\151\162\155\141\040\113\165
-+\162\165\155\165\040\055\040\124\125\102\111\124\101\113\061\055
-+\060\053\006\003\125\004\013\023\044\113\141\155\165\040\123\145
-+\162\164\151\146\151\153\141\163\171\157\156\040\115\145\162\153
-+\145\172\151\040\055\040\113\141\155\165\040\123\115\061\066\060
-+\064\006\003\125\004\003\023\055\124\125\102\111\124\101\113\040
-+\113\141\155\165\040\123\115\040\123\123\114\040\113\157\153\040
-+\123\145\162\164\151\146\151\153\141\163\151\040\055\040\123\165
-+\162\165\155\040\061
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\001\001
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-diff --git a/lib/ckfw/builtins/nssckbi.h b/lib/ckfw/builtins/nssckbi.h
---- a/lib/ckfw/builtins/nssckbi.h
-+++ b/lib/ckfw/builtins/nssckbi.h
-@@ -17,41 +17,42 @@
- */
- #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
- #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
-
- /* These version numbers detail the changes
- * to the list of trusted certificates.
- *
- * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
-- * for each NSS minor release AND whenever we change the list of
-- * trusted certificates. 10 minor versions are allocated for each
-- * NSS 3.x branch as follows, allowing us to change the list of
-- * trusted certificates up to 9 times on each branch.
-- * - NSS 3.5 branch: 3-9
-- * - NSS 3.6 branch: 10-19
-- * - NSS 3.7 branch: 20-29
-- * - NSS 3.8 branch: 30-39
-- * - NSS 3.9 branch: 40-49
-- * - NSS 3.10 branch: 50-59
-- * - NSS 3.11 branch: 60-69
-- * ...
-- * - NSS 3.12 branch: 70-89
-- * - NSS 3.13 branch: 90-99
-- * - NSS 3.14 branch: 100-109
-- * ...
-- * - NSS 3.29 branch: 250-255
-+ * whenever we change the list of trusted certificates.
-+ *
-+ * Please use the following rules when increasing the version number:
-+ *
-+ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
-+ * must always be an EVEN number (e.g. 16, 18, 20 etc.)
-+ *
-+ * - whenever possible, if older branches require a modification to the
-+ * list, these changes should be made on the main line of development (trunk),
-+ * and the older branches should update to the most recent list.
-+ *
-+ * - ODD minor version numbers are reserved to indicate a snapshot that has
-+ * deviated from the main line of development, e.g. if it was necessary
-+ * to modify the list on a stable branch.
-+ * Once the version has been changed to an odd number (e.g. 2.13) on a branch,
-+ * it should remain unchanged on that branch, even if further changes are
-+ * made on that branch.
- *
- * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
- * whether we may use its full range (0-255) or only 0-99 because
- * of the comment in the CK_VERSION type definition.
-+ * It's recommend to switch back to 0 after having reached version 98/99.
- */
- #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
--#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 11
--#define NSS_BUILTINS_LIBRARY_VERSION "2.11"
-+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
-+#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
-
- /* These version numbers detail the semantic changes to the ckfw engine. */
- #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
- #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
-
- /* These version numbers detail the semantic changes to ckbi itself
- * (new PKCS #11 objects), etc. */
- #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
-
-diff --git a/lib/certdb/genname.c b/lib/certdb/genname.c
---- a/lib/certdb/genname.c
-+++ b/lib/certdb/genname.c
-@@ -1583,19 +1583,19 @@ done:
-
- #define NAME_CONSTRAINTS_ENTRY(CA) \
- { \
- STRING_TO_SECITEM(CA##_SUBJECT_DN) \
- , \
- STRING_TO_SECITEM(CA##_NAME_CONSTRAINTS) \
- }
-
--/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
-+/* clang-format off */
-
--/* clang-format off */
-+/* Agence Nationale de la Securite des Systemes d'Information (ANSSI) */
-
- #define ANSSI_SUBJECT_DN \
- "\x30\x81\x85" \
- "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02" "FR" /* C */ \
- "\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06" "France" /* ST */ \
- "\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05" "Paris" /* L */ \
- "\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07" "PM/SGDN" /* O */ \
- "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05" "DCSSI" /* OU */ \
-@@ -1614,20 +1614,49 @@ done:
- "\x30\x05\x82\x03" ".pm" \
- "\x30\x05\x82\x03" ".bl" \
- "\x30\x05\x82\x03" ".mf" \
- "\x30\x05\x82\x03" ".wf" \
- "\x30\x05\x82\x03" ".pf" \
- "\x30\x05\x82\x03" ".nc" \
- "\x30\x05\x82\x03" ".tf"
-
-+/* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 */
-+
-+#define TUBITAK1_SUBJECT_DN \
-+ "\x30\x81\xd2" \
-+ "\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02" \
-+ /* C */ "TR" \
-+ "\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0f" \
-+ /* L */ "Gebze - Kocaeli" \
-+ "\x31\x42\x30\x40\x06\x03\x55\x04\x0a\x13\x39" \
-+ /* O */ "Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK" \
-+ "\x31\x2d\x30\x2b\x06\x03\x55\x04\x0b\x13\x24" \
-+ /* OU */ "Kamu Sertifikasyon Merkezi - Kamu SM" \
-+ "\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2d" \
-+ /* CN */ "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
-+
-+#define TUBITAK1_NAME_CONSTRAINTS \
-+ "\x30\x65\xa0\x63" \
-+ "\x30\x09\x82\x07" ".gov.tr" \
-+ "\x30\x09\x82\x07" ".k12.tr" \
-+ "\x30\x09\x82\x07" ".pol.tr" \
-+ "\x30\x09\x82\x07" ".mil.tr" \
-+ "\x30\x09\x82\x07" ".tsk.tr" \
-+ "\x30\x09\x82\x07" ".kep.tr" \
-+ "\x30\x09\x82\x07" ".bel.tr" \
-+ "\x30\x09\x82\x07" ".edu.tr" \
-+ "\x30\x09\x82\x07" ".org.tr"
-+
- /* clang-format on */
-
--static const SECItem builtInNameConstraints[][2] = { NAME_CONSTRAINTS_ENTRY(
-- ANSSI) };
-+static const SECItem builtInNameConstraints[][2] = {
-+ NAME_CONSTRAINTS_ENTRY(ANSSI),
-+ NAME_CONSTRAINTS_ENTRY(TUBITAK1)
-+};
-
- SECStatus
- CERT_GetImposedNameConstraints(const SECItem *derSubject, SECItem *extensions)
- {
- size_t i;
-
- if (!extensions) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-
-diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h
---- a/lib/cryptohi/keythi.h
-+++ b/lib/cryptohi/keythi.h
-@@ -204,17 +204,17 @@ typedef struct SECKEYPublicKeyStr SECKEY
-
- #define SECKEY_ATTRIBUTE_VALUE(key, attribute) \
- (0 != (key->staticflags & SECKEY_##attribute))
-
- #define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \
- (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)
-
- #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
-- (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
-+ (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
-
- /*
- ** A generic key structure
- */
- struct SECKEYPrivateKeyStr {
- PLArenaPool *arena;
- KeyType keyType;
- PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */
-diff --git a/lib/nss/nss.def b/lib/nss/nss.def
---- a/lib/nss/nss.def
-+++ b/lib/nss/nss.def
-@@ -1092,8 +1092,15 @@ SECMOD_CreateModuleEx;
- ;+};
- ;+NSS_3.22 { # NSS 3.22 release
- ;+ global:
- PK11_SignWithMechanism;
- PK11_VerifyWithMechanism;
- ;+ local:
- ;+ *;
- ;+};
-+;+NSS_3.30 { # NSS 3.30 release
-+;+ global:
-+CERT_CompareAVA;
-+PK11_HasAttributeSet;
-+;+ local:
-+;+ *;
-+;+};
-diff --git a/lib/pk11wrap/pk11obj.c b/lib/pk11wrap/pk11obj.c
---- a/lib/pk11wrap/pk11obj.c
-+++ b/lib/pk11wrap/pk11obj.c
-@@ -151,18 +151,18 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl
- }
- return value;
- }
-
- /*
- * check to see if a bool has been set.
- */
- CK_BBOOL
--PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-- CK_ATTRIBUTE_TYPE type, PRBool haslock)
-+pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-+ CK_ATTRIBUTE_TYPE type, PRBool haslock)
- {
- CK_BBOOL ckvalue = CK_FALSE;
- CK_ATTRIBUTE theTemplate;
- CK_RV crv;
-
- /* Prepare to retrieve the attribute. */
- PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL));
-
-@@ -176,16 +176,24 @@ PK11_HasAttributeSet(PK11SlotInfo *slot,
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return CK_FALSE;
- }
-
- return ckvalue;
- }
-
-+CK_BBOOL
-+PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-+ CK_ATTRIBUTE_TYPE type, PRBool haslock)
-+{
-+ PR_ASSERT(haslock == PR_FALSE);
-+ return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE);
-+}
-+
- /*
- * returns a full list of attributes. Allocate space for them. If an arena is
- * provided, allocate space out of the arena.
- */
- CK_RV
- PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
- CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count)
- {
-diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h
---- a/lib/pk11wrap/pk11priv.h
-+++ b/lib/pk11wrap/pk11priv.h
-@@ -113,20 +113,20 @@ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo
- SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot,
- SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg);
- SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
- CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
- PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
- void *wincx);
- CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer,
- CK_OBJECT_CLASS o_class);
--CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
-- CK_OBJECT_HANDLE id,
-- CK_ATTRIBUTE_TYPE type,
-- PRBool haslock);
-+CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot,
-+ CK_OBJECT_HANDLE id,
-+ CK_ATTRIBUTE_TYPE type,
-+ PRBool haslock);
- CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
- CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count);
- int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
- SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
- SECStatus (*callback)(CERTCertificate *, void *), void *arg);
- SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
- PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
- SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
-diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h
---- a/lib/pk11wrap/pk11pub.h
-+++ b/lib/pk11wrap/pk11pub.h
-@@ -681,16 +681,20 @@ CK_OBJECT_HANDLE PK11_FindCertInSlot(PK1
- void *wincx);
- SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
- PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *),
- void *arg);
- CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg);
- CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot);
- CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url,
- int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions);
-+CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
-+ CK_OBJECT_HANDLE id,
-+ CK_ATTRIBUTE_TYPE type,
-+ PRBool haslock /* must be set to PR_FALSE */);
-
- /**********************************************************************
- * Sign/Verify
- **********************************************************************/
-
- /*
- * Return the length in bytes of a signature generated with the
- * private key.
diff --git a/SOURCES/nss-3.16-token-init-race.patch b/SOURCES/nss-3.16-token-init-race.patch
deleted file mode 100644
index f47f13f..0000000
--- a/SOURCES/nss-3.16-token-init-race.patch
+++ /dev/null
@@ -1,363 +0,0 @@
-diff -up nss/lib/pk11wrap/dev3hack.c.init-token-race nss/lib/pk11wrap/dev3hack.c
---- nss/lib/pk11wrap/dev3hack.c.init-token-race 2017-01-13 17:58:55.485868744 +0100
-+++ nss/lib/pk11wrap/dev3hack.c 2017-01-13 18:02:27.126675831 +0100
-@@ -231,6 +231,16 @@ nssSlot_Refresh(NSSSlot *slot)
- if (slot->token && slot->token->base.name[0] == 0) {
- doit = PR_TRUE;
- }
-+ /* invalidate the session in the nss3slot if we haven't done an init
-+ * token since we noticed that the token->default session is invalid.
-+ * This works because the monitor lock and the token session lock are the
-+ * same locks */
-+ PK11_EnterSlotMonitor(nss3slot);
-+ if ((slot->token == NULL) || (slot->token->defaultSession == NULL) ||
-+ (slot->token->defaultSession->handle == CK_INVALID_SESSION)) {
-+ nss3slot->session = CK_INVALID_SESSION;
-+ }
-+ PK11_ExitSlotMonitor(nss3slot);
- if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
- return PR_FAILURE;
- }
-@@ -238,7 +248,8 @@ nssSlot_Refresh(NSSSlot *slot)
- nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain,
- slot->token);
- }
-- return nssToken_Refresh(slot->token);
-+ /* no need to call nssToken_Refresh since PK11_Init has already done so */
-+ return PR_SUCCESS;
- }
-
- NSS_IMPLEMENT PRStatus
-diff -up nss/lib/pk11wrap/pk11auth.c.init-token-race nss/lib/pk11wrap/pk11auth.c
---- nss/lib/pk11wrap/pk11auth.c.init-token-race 2017-01-13 17:58:55.485868744 +0100
-+++ nss/lib/pk11wrap/pk11auth.c 2017-01-13 18:05:07.650739842 +0100
-@@ -73,8 +73,6 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
- (unsigned char *)pw, len);
- slot->lastLoginCheck = 0;
- mustRetry = PR_FALSE;
-- if (!alreadyLocked)
-- PK11_ExitSlotMonitor(slot);
- switch (crv) {
- /* if we're already logged in, we're good to go */
- case CKR_OK:
-@@ -101,7 +99,16 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
- break;
- }
- if (retry++ == 0) {
-+ /* we already know the this session is invalid */
-+ slot->session = CK_INVALID_SESSION;
-+ /* can't enter PK11_InitToken holding the lock
-+ * This is safe because the only places that tries to
-+ * hold the slot monitor over this call pass their own
-+ * session, which would have failed above.
-+ * (session != slot->session) */
-+ PK11_ExitSlotMonitor(slot);
- rv = PK11_InitToken(slot, PR_FALSE);
-+ PK11_EnterSlotMonitor(slot);
- if (rv == SECSuccess) {
- if (slot->session != CK_INVALID_SESSION) {
- session = slot->session; /* we should have
-@@ -119,6 +126,8 @@ pk11_CheckPassword(PK11SlotInfo *slot, C
- PORT_SetError(PK11_MapError(crv));
- rv = SECFailure; /* some failure we can't fix by retrying */
- }
-+ if (!alreadyLocked)
-+ PK11_ExitSlotMonitor(slot);
- } while (mustRetry);
- return rv;
- }
-@@ -465,14 +474,18 @@ done:
- slot->lastLoginCheck = 0;
- PK11_RestoreROSession(slot, rwsession);
- if (rv == SECSuccess) {
-+ PK11_EnterSlotMonitor(slot);
- /* update our view of the world */
-+ if (slot->session != CK_INVALID_SESSION) {
-+ PK11_GETTAB(slot)->C_CloseSession(slot->session);
-+ slot->session = CK_INVALID_SESSION;
-+ }
-+ PK11_ExitSlotMonitor(slot);
- PK11_InitToken(slot, PR_TRUE);
- if (slot->needLogin) {
-- PK11_EnterSlotMonitor(slot);
- PK11_GETTAB(slot)->C_Login(slot->session, CKU_USER,
- (unsigned char *)userpw, len);
- slot->lastLoginCheck = 0;
-- PK11_ExitSlotMonitor(slot);
- }
- }
- return rv;
-@@ -520,7 +533,7 @@ PK11_ChangePW(PK11SlotInfo *slot, const
- PK11_RestoreROSession(slot, rwsession);
-
- /* update our view of the world */
-- PK11_InitToken(slot, PR_TRUE);
-+ /* PK11_InitToken(slot,PR_TRUE); */
- return rv;
- }
-
-diff -up nss/lib/pk11wrap/pk11slot.c.init-token-race nss/lib/pk11wrap/pk11slot.c
---- nss/lib/pk11wrap/pk11slot.c.init-token-race 2017-01-13 17:58:55.486868720 +0100
-+++ nss/lib/pk11wrap/pk11slot.c 2017-01-13 18:12:50.869381900 +0100
-@@ -1085,6 +1085,7 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
- CK_ULONG count;
- CK_RV crv;
- PRUint32 i;
-+ char mechanismBits[sizeof(slot->mechanismBits)];
-
- if (slot->mechanismList) {
- PORT_Free(slot->mechanismList);
-@@ -1092,12 +1093,8 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
- }
- slot->mechanismCount = 0;
-
-- if (!slot->isThreadSafe)
-- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count);
- if (crv != CKR_OK) {
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
-@@ -1105,14 +1102,10 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
- slot->mechanismList = (CK_MECHANISM_TYPE *)
- PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE));
- if (slot->mechanismList == NULL) {
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
- return SECFailure;
- }
- crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
- slot->mechanismList, &count);
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
- PORT_Free(slot->mechanismList);
- slot->mechanismList = NULL;
-@@ -1120,14 +1113,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
- return SECSuccess;
- }
- slot->mechanismCount = count;
-- PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
-+ PORT_Memset(mechanismBits, 0, sizeof(slot->mechanismBits));
-
- for (i = 0; i < count; i++) {
- CK_MECHANISM_TYPE mech = slot->mechanismList[i];
- if (mech < 0x7ff) {
-- slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
-+ mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
- }
- }
-+ PORT_Memcpy(slot->mechanismBits, mechanismBits,
-+ sizeof(slot->mechanismBits));
- return SECSuccess;
- }
-
-@@ -1144,14 +1139,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- CK_RV crv;
- SECStatus rv;
- PRStatus status;
-+ CK_SESSION_HANDLE session;
-+
-+ PK11_EnterSlotMonitor(slot);
-+ if (slot->session != CK_INVALID_SESSION) {
-+ /* The reason for doing an InitToken has already been satisfied by
-+ * another thread. Just return */
-+ PK11_ExitSlotMonitor(slot);
-+ return SECSuccess;
-+ }
-
- /* set the slot flags to the current token values */
-- if (!slot->isThreadSafe)
-- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo);
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
- if (crv != CKR_OK) {
-+ PK11_ExitSlotMonitor(slot);
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
-@@ -1186,8 +1187,10 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- slot->defRWSession = (PRBool)((!slot->readOnly) &&
- (tokenInfo.ulMaxSessionCount == 1));
- rv = PK11_ReadMechanismList(slot);
-- if (rv != SECSuccess)
-- return rv;
-+ if (rv != SECSuccess) {
-+ PK11_ExitSlotMonitor(slot);
-+ return rv;
-+ }
-
- slot->hasRSAInfo = PR_FALSE;
- slot->RSAInfoFlags = 0;
-@@ -1202,56 +1205,23 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- slot->maxKeyCount = tokenInfo.ulMaxSessionCount / 2;
- }
-
-- /* Make sure our session handle is valid */
-- if (slot->session == CK_INVALID_SESSION) {
-- /* we know we don't have a valid session, go get one */
-- CK_SESSION_HANDLE session;
--
-- /* session should be Readonly, serial */
-- if (!slot->isThreadSafe)
-- PK11_EnterSlotMonitor(slot);
-- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
-+ /* we know we don't have a valid session, go get one */
-+ /* session should be Readonly, serial */
-+ crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
- (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
- slot, pk11_notify, &session);
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
-- if (crv != CKR_OK) {
-- PORT_SetError(PK11_MapError(crv));
-- return SECFailure;
-- }
-- slot->session = session;
-- } else {
-- /* The session we have may be defunct (the token associated with it)
-- * has been removed */
-- CK_SESSION_INFO sessionInfo;
--
-- if (!slot->isThreadSafe)
-- PK11_EnterSlotMonitor(slot);
-- crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
-- if (crv == CKR_DEVICE_ERROR) {
-- PK11_GETTAB(slot)
-- ->C_CloseSession(slot->session);
-- crv = CKR_SESSION_CLOSED;
-- }
-- if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) {
-- crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
-- (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
-- slot, pk11_notify, &slot->session);
-- if (crv != CKR_OK) {
-- PORT_SetError(PK11_MapError(crv));
-- slot->session = CK_INVALID_SESSION;
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
-- return SECFailure;
-- }
-- }
-- if (!slot->isThreadSafe)
-- PK11_ExitSlotMonitor(slot);
-+ if (crv != CKR_OK) {
-+ PK11_ExitSlotMonitor(slot);
-+ PORT_SetError(PK11_MapError(crv));
-+ return SECFailure;
- }
-+ slot->session = session;
-
- status = nssToken_Refresh(slot->nssToken);
-- if (status != PR_SUCCESS)
-+ if (status != PR_SUCCESS) {
-+ PK11_ExitSlotMonitor(slot);
- return SECFailure;
-+ }
-
- if (!(slot->isInternal) && (slot->hasRandom)) {
- /* if this slot has a random number generater, use it to add entropy
-@@ -1264,28 +1234,20 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- /* if this slot can issue random numbers, get some entropy from
- * that random number generater and give it to our internal token.
- */
-- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes));
-- PK11_ExitSlotMonitor(slot);
- if (crv == CKR_OK) {
-- PK11_EnterSlotMonitor(int_slot);
- PK11_GETTAB(int_slot)
- ->C_SeedRandom(int_slot->session,
- random_bytes, sizeof(random_bytes));
-- PK11_ExitSlotMonitor(int_slot);
- }
-
- /* Now return the favor and send entropy to the token's random
- * number generater */
-- PK11_EnterSlotMonitor(int_slot);
- crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
- random_bytes, sizeof(random_bytes));
-- PK11_ExitSlotMonitor(int_slot);
- if (crv == CKR_OK) {
-- PK11_EnterSlotMonitor(slot);
- crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,
- random_bytes, sizeof(random_bytes));
-- PK11_ExitSlotMonitor(slot);
- }
- PK11_FreeSlot(int_slot);
- }
-@@ -1318,6 +1280,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
- ->C_CloseSession(session);
- }
- }
-+ PK11_ExitSlotMonitor(slot);
-
- return SECSuccess;
- }
-@@ -1433,6 +1396,8 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
- }
- /* if the token is present, initialize it */
- if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
-+ /* session was initialized to CK_INVALID_SESSION when the slot
-+ * was created */
- rv = PK11_InitToken(slot, PR_TRUE);
- /* the only hard failures are on permanent devices, or function
- * verify failures... function verify failures are already handled
-@@ -1888,10 +1853,14 @@ PK11_DoesMechanism(PK11SlotInfo *slot, C
- return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE;
- }
-
-+ PK11_EnterSlotMonitor(slot);
- for (i = 0; i < (int)slot->mechanismCount; i++) {
-- if (slot->mechanismList[i] == type)
-- return PR_TRUE;
-+ if (slot->mechanismList[i] == type) {
-+ PK11_ExitSlotMonitor(slot);
-+ return PR_TRUE;
-+ }
- }
-+ PK11_ExitSlotMonitor(slot);
- return PR_FALSE;
- }
-
-diff -up nss/lib/pk11wrap/pk11util.c.init-token-race nss/lib/pk11wrap/pk11util.c
---- nss/lib/pk11wrap/pk11util.c.init-token-race 2017-01-13 17:58:55.487868695 +0100
-+++ nss/lib/pk11wrap/pk11util.c 2017-01-13 18:01:21.280291292 +0100
-@@ -1624,6 +1624,11 @@ SECMOD_RestartModules(PRBool force)
- * older modules require it, and it doesn't hurt (compliant modules
- * will return CKR_NOT_INITIALIZED */
- (void)PK11_GETTAB(mod)->C_Finalize(NULL);
-+ /* finalize clears the session, mark them dead in the
-+ * slot as well */
-+ for (i=0; i < mod->slotCount; i++) {
-+ mod->slots[i]->session = CK_INVALID_SESSION;
-+ }
- /* now initialize the module, this function reinitializes
- * a module in place, preserving existing slots (even if they
- * no longer exist) */
-@@ -1643,17 +1648,18 @@ SECMOD_RestartModules(PRBool force)
- /* get new token sessions, bump the series up so that
- * we refresh other old sessions. This will tell much of
- * NSS to flush cached handles it may hold as well */
-- rv = PK11_InitToken(mod->slots[i], PR_TRUE);
-+ PK11SlotInfo *slot = mod->slots[i];
-+ rv = PK11_InitToken(slot,PR_TRUE);
- /* PK11_InitToken could fail if the slot isn't present.
- * If it is present, though, something is wrong and we should
- * disable the slot and let the caller know. */
-- if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) {
-+ if (rv != SECSuccess && PK11_IsPresent(slot)) {
- /* save the last error code */
- lastError = PORT_GetError();
- rrv = rv;
- /* disable the token */
-- mod->slots[i]->disabled = PR_TRUE;
-- mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
-+ slot->disabled = PR_TRUE;
-+ slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
- }
- }
- }
diff --git a/SOURCES/nss-alert-handler.patch b/SOURCES/nss-alert-handler.patch
deleted file mode 100644
index ca0b434..0000000
--- a/SOURCES/nss-alert-handler.patch
+++ /dev/null
@@ -1,461 +0,0 @@
-diff -up nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
---- nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc 2017-03-14 11:01:42.563689719 +0100
-@@ -24,6 +24,8 @@ namespace nss_test {
-
- TEST_P(TlsConnectTls13, ZeroRtt) {
- SetupForZeroRtt();
-+ client_->SetExpectedAlertSentCount(1);
-+ server_->SetExpectedAlertReceivedCount(1);
- client_->Set0RttEnabled(true);
- server_->Set0RttEnabled(true);
- ExpectResumption(RESUME_TICKET);
-@@ -103,6 +105,8 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRtt
- EnableAlpn();
- SetupForZeroRtt();
- EnableAlpn();
-+ client_->SetExpectedAlertSentCount(1);
-+ server_->SetExpectedAlertReceivedCount(1);
- client_->Set0RttEnabled(true);
- server_->Set0RttEnabled(true);
- ExpectResumption(RESUME_TICKET);
-diff -up nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_exporter_unittest.cc
---- nss/gtests/ssl_gtest/ssl_exporter_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/ssl_exporter_unittest.cc 2017-03-14 11:01:42.563689719 +0100
-@@ -90,6 +90,8 @@ int32_t RegularExporterShouldFail(TlsAge
-
- TEST_P(TlsConnectTls13, EarlyExporter) {
- SetupForZeroRtt();
-+ client_->SetExpectedAlertSentCount(1);
-+ server_->SetExpectedAlertReceivedCount(1);
- client_->Set0RttEnabled(true);
- server_->Set0RttEnabled(true);
- ExpectResumption(RESUME_TICKET);
-diff -up nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_extension_unittest.cc
---- nss/gtests/ssl_gtest/ssl_extension_unittest.cc.alert-handler 2017-03-14 11:01:42.563689719 +0100
-+++ nss/gtests/ssl_gtest/ssl_extension_unittest.cc 2017-03-14 11:06:39.215006989 +0100
-@@ -167,27 +167,69 @@ class TlsExtensionTestBase : public TlsC
- : TlsConnectTestBase(mode, version) {}
-
- void ClientHelloErrorTest(PacketFilter* filter,
-- uint8_t alert = kTlsAlertDecodeError) {
-+ uint8_t desc = kTlsAlertDecodeError) {
-+ SSLAlert alert;
-+
- auto alert_recorder = new TlsAlertRecorder();
- server_->SetPacketFilter(alert_recorder);
- if (filter) {
- client_->SetPacketFilter(filter);
- }
- ConnectExpectFail();
-+
- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
-- EXPECT_EQ(alert, alert_recorder->description());
-+ EXPECT_EQ(desc, alert_recorder->description());
-+
-+ // verify no alerts received by the server
-+ EXPECT_EQ(0U, server_->alert_received_count());
-+
-+ // verify the alert sent by the server
-+ EXPECT_EQ(1U, server_->alert_sent_count());
-+ EXPECT_TRUE(server_->GetLastAlertSent(&alert));
-+ EXPECT_EQ(kTlsAlertFatal, alert.level);
-+ EXPECT_EQ(desc, alert.description);
-+
-+ // verify the alert received by the client
-+ EXPECT_EQ(1U, client_->alert_received_count());
-+ EXPECT_TRUE(client_->GetLastAlertReceived(&alert));
-+ EXPECT_EQ(kTlsAlertFatal, alert.level);
-+ EXPECT_EQ(desc, alert.description);
-+
-+ // verify no alerts sent by the client
-+ EXPECT_EQ(0U, client_->alert_sent_count());
- }
-
- void ServerHelloErrorTest(PacketFilter* filter,
-- uint8_t alert = kTlsAlertDecodeError) {
-+ uint8_t desc = kTlsAlertDecodeError) {
-+ SSLAlert alert;
-+
- auto alert_recorder = new TlsAlertRecorder();
- client_->SetPacketFilter(alert_recorder);
- if (filter) {
- server_->SetPacketFilter(filter);
- }
- ConnectExpectFail();
-+
- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
-- EXPECT_EQ(alert, alert_recorder->description());
-+ EXPECT_EQ(desc, alert_recorder->description());
-+
-+ // verify no alerts received by the client
-+ EXPECT_EQ(0U, client_->alert_received_count());
-+
-+ // verify the alert sent by the client
-+ EXPECT_EQ(1U, client_->alert_sent_count());
-+ EXPECT_TRUE(client_->GetLastAlertSent(&alert));
-+ EXPECT_EQ(kTlsAlertFatal, alert.level);
-+ EXPECT_EQ(desc, alert.description);
-+
-+ // verify the alert received by the server
-+ EXPECT_EQ(1U, server_->alert_received_count());
-+ EXPECT_TRUE(server_->GetLastAlertReceived(&alert));
-+ EXPECT_EQ(kTlsAlertFatal, alert.level);
-+ EXPECT_EQ(desc, alert.description);
-+
-+ // verify no alerts sent by the server
-+ EXPECT_EQ(0U, server_->alert_sent_count());
- }
-
- static void InitSimpleSni(DataBuffer* extension) {
-diff -up nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler nss/gtests/ssl_gtest/ssl_version_unittest.cc
---- nss/gtests/ssl_gtest/ssl_version_unittest.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/ssl_version_unittest.cc 2017-03-14 11:01:42.563689719 +0100
-@@ -225,6 +225,7 @@ TEST_F(TlsConnectTest, Tls13RejectsRehan
-
- TEST_P(TlsConnectGeneric, AlertBeforeServerHello) {
- EnsureTlsSetup();
-+ client_->SetExpectedAlertReceivedCount(1);
- client_->StartConnect();
- server_->StartConnect();
- client_->Handshake(); // Send ClientHello.
-diff -up nss/gtests/ssl_gtest/tls_agent.cc.alert-handler nss/gtests/ssl_gtest/tls_agent.cc
---- nss/gtests/ssl_gtest/tls_agent.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/tls_agent.cc 2017-03-14 11:07:22.414890511 +0100
-@@ -61,6 +61,12 @@ TlsAgent::TlsAgent(const std::string& na
- can_falsestart_hook_called_(false),
- sni_hook_called_(false),
- auth_certificate_hook_called_(false),
-+ alert_received_count_(0),
-+ expected_alert_received_count_(0),
-+ last_alert_received_({0, 0}),
-+ alert_sent_count_(0),
-+ expected_alert_sent_count_(0),
-+ last_alert_sent_({0, 0}),
- handshake_callback_called_(false),
- error_code_(0),
- send_ctr_(0),
-@@ -165,6 +171,14 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc
- EXPECT_EQ(SECSuccess, rv);
- if (rv != SECSuccess) return false;
-
-+ rv = SSL_AlertReceivedCallback(ssl_fd(), AlertReceivedCallback, this);
-+ EXPECT_EQ(SECSuccess, rv);
-+ if (rv != SECSuccess) return false;
-+
-+ rv = SSL_AlertSentCallback(ssl_fd(), AlertSentCallback, this);
-+ EXPECT_EQ(SECSuccess, rv);
-+ if (rv != SECSuccess) return false;
-+
- rv = SSL_HandshakeCallback(ssl_fd_, HandshakeCallback, this);
- EXPECT_EQ(SECSuccess, rv);
- if (rv != SECSuccess) return false;
-@@ -578,6 +592,11 @@ void TlsAgent::CheckErrorCode(int32_t ex
- << PORT_ErrorToName(expected) << std::endl;
- }
-
-+void TlsAgent::CheckAlerts() const {
-+ EXPECT_EQ(expected_alert_received_count_, alert_received_count_);
-+ EXPECT_EQ(expected_alert_sent_count_, alert_sent_count_);
-+}
-+
- void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const {
- ASSERT_EQ(0, error_code_);
- WAIT_(error_code_ != 0, delay);
-diff -up nss/gtests/ssl_gtest/tls_agent.h.alert-handler nss/gtests/ssl_gtest/tls_agent.h
---- nss/gtests/ssl_gtest/tls_agent.h.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/tls_agent.h 2017-03-14 11:01:42.564689693 +0100
-@@ -139,6 +139,7 @@ class TlsAgent : public PollTarget {
- void EnableSrtp();
- void CheckSrtp() const;
- void CheckErrorCode(int32_t expected) const;
-+ void CheckAlerts() const;
- void WaitForErrorCode(int32_t expected, uint32_t delay) const;
- // Send data on the socket, encrypting it.
- void SendData(size_t bytes, size_t blocksize = 1024);
-@@ -239,6 +240,34 @@ class TlsAgent : public PollTarget {
- sni_callback_ = sni_callback;
- }
-
-+ size_t alert_received_count() const { return alert_received_count_; }
-+
-+ void SetExpectedAlertReceivedCount(size_t count) {
-+ expected_alert_received_count_ = count;
-+ }
-+
-+ bool GetLastAlertReceived(SSLAlert* alert) const {
-+ if (!alert_received_count_) {
-+ return false;
-+ }
-+ *alert = last_alert_received_;
-+ return true;
-+ }
-+
-+ size_t alert_sent_count() const { return alert_sent_count_; }
-+
-+ void SetExpectedAlertSentCount(size_t count) {
-+ expected_alert_sent_count_ = count;
-+ }
-+
-+ bool GetLastAlertSent(SSLAlert* alert) const {
-+ if (!alert_sent_count_) {
-+ return false;
-+ }
-+ *alert = last_alert_sent_;
-+ return true;
-+ }
-+
- private:
- const static char* states[];
-
-@@ -320,6 +349,30 @@ class TlsAgent : public PollTarget {
- return SECSuccess;
- }
-
-+ static void AlertReceivedCallback(const PRFileDesc* fd, void* arg,
-+ const SSLAlert* alert) {
-+ TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
-+
-+ std::cerr << agent->role_str()
-+ << ": Alert received: level=" << static_cast<int>(alert->level)
-+ << " desc=" << static_cast<int>(alert->description) << std::endl;
-+
-+ ++agent->alert_received_count_;
-+ agent->last_alert_received_ = *alert;
-+ }
-+
-+ static void AlertSentCallback(const PRFileDesc* fd, void* arg,
-+ const SSLAlert* alert) {
-+ TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
-+
-+ std::cerr << agent->role_str()
-+ << ": Alert sent: level=" << static_cast<int>(alert->level)
-+ << " desc=" << static_cast<int>(alert->description) << std::endl;
-+
-+ ++agent->alert_sent_count_;
-+ agent->last_alert_sent_ = *alert;
-+ }
-+
- static void HandshakeCallback(PRFileDesc* fd, void* arg) {
- TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
- agent->handshake_callback_called_ = true;
-@@ -352,6 +405,12 @@ class TlsAgent : public PollTarget {
- bool can_falsestart_hook_called_;
- bool sni_hook_called_;
- bool auth_certificate_hook_called_;
-+ size_t alert_received_count_;
-+ size_t expected_alert_received_count_;
-+ SSLAlert last_alert_received_;
-+ size_t alert_sent_count_;
-+ size_t expected_alert_sent_count_;
-+ SSLAlert last_alert_sent_;
- bool handshake_callback_called_;
- SSLChannelInfo info_;
- SSLCipherSuiteInfo csinfo_;
-diff -up nss/gtests/ssl_gtest/tls_connect.cc.alert-handler nss/gtests/ssl_gtest/tls_connect.cc
---- nss/gtests/ssl_gtest/tls_connect.cc.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/tls_connect.cc 2017-03-14 11:01:42.564689693 +0100
-@@ -309,6 +309,9 @@ void TlsConnectTestBase::CheckConnected(
- CheckResumption(expected_resumption_mode_);
- client_->CheckSecretsDestroyed();
- server_->CheckSecretsDestroyed();
-+
-+ client_->CheckAlerts();
-+ server_->CheckAlerts();
- }
-
- void TlsConnectTestBase::CheckKeys(SSLKEAType kea_type, SSLNamedGroup kea_group,
-diff -up nss/lib/ssl/ssl3con.c.alert-handler nss/lib/ssl/ssl3con.c
---- nss/lib/ssl/ssl3con.c.alert-handler 2017-03-14 11:01:42.551690030 +0100
-+++ nss/lib/ssl/ssl3con.c 2017-03-14 11:03:45.319510356 +0100
-@@ -3143,6 +3143,10 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertL
- }
- ssl_ReleaseXmitBufLock(ss);
- ssl_ReleaseSSL3HandshakeLock(ss);
-+ if (rv == SECSuccess && ss->alertSentCallback) {
-+ SSLAlert alert = { level, desc };
-+ ss->alertSentCallback(ss->fd, ss->alertSentCallbackArg, &alert);
-+ }
- return rv; /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
- }
-
-@@ -3255,6 +3259,11 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
- SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
- SSL_GETPID(), ss->fd, level, desc));
-
-+ if (ss->alertReceivedCallback) {
-+ SSLAlert alert = { level, desc };
-+ ss->alertReceivedCallback(ss->fd, ss->alertReceivedCallbackArg, &alert);
-+ }
-+
- switch (desc) {
- case close_notify:
- ss->recvdCloseNotify = 1;
-diff -up nss/lib/ssl/ssl.def.alert-handler nss/lib/ssl/ssl.def
---- nss/lib/ssl/ssl.def.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/lib/ssl/ssl.def 2017-03-14 11:01:42.564689693 +0100
-@@ -221,3 +221,10 @@ SSL_SignatureSchemePrefGet;
- ;+ local:
- ;+*;
- ;+};
-+;+NSS_3.30.0.1 { # Additional symbols for NSS 3.30 release
-+;+ global:
-+SSL_AlertReceivedCallback;
-+SSL_AlertSentCallback;
-+;+ local:
-+;+*;
-+;+};
-diff -up nss/lib/ssl/ssl.h.alert-handler nss/lib/ssl/ssl.h
---- nss/lib/ssl/ssl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/lib/ssl/ssl.h 2017-03-14 11:01:42.564689693 +0100
-@@ -820,6 +820,25 @@ SSL_IMPORT PRFileDesc *SSL_ReconfigFD(PR
- SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
-
- /*
-+** These are callbacks for dealing with SSL alerts.
-+ */
-+
-+typedef PRUint8 SSLAlertLevel;
-+typedef PRUint8 SSLAlertDescription;
-+
-+typedef struct {
-+ SSLAlertLevel level;
-+ SSLAlertDescription description;
-+} SSLAlert;
-+
-+typedef void(PR_CALLBACK *SSLAlertCallback)(const PRFileDesc *fd, void *arg,
-+ const SSLAlert *alert);
-+
-+SSL_IMPORT SECStatus SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb,
-+ void *arg);
-+SSL_IMPORT SECStatus SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb,
-+ void *arg);
-+/*
- ** This is a callback for dealing with server certs that are not authenticated
- ** by the client. The client app can decide that it actually likes the
- ** cert by some external means and restart the connection.
-diff -up nss/lib/ssl/sslimpl.h.alert-handler nss/lib/ssl/sslimpl.h
---- nss/lib/ssl/sslimpl.h.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/lib/ssl/sslimpl.h 2017-03-14 11:01:42.566689641 +0100
-@@ -1121,6 +1121,10 @@ struct sslSocketStr {
- void *getClientAuthDataArg;
- SSLSNISocketConfig sniSocketConfig;
- void *sniSocketConfigArg;
-+ SSLAlertCallback alertReceivedCallback;
-+ void *alertReceivedCallbackArg;
-+ SSLAlertCallback alertSentCallback;
-+ void *alertSentCallbackArg;
- SSLBadCertHandler handleBadCert;
- void *badCertArg;
- SSLHandshakeCallback handshakeCallback;
-diff -up nss/lib/ssl/sslsecur.c.alert-handler nss/lib/ssl/sslsecur.c
---- nss/lib/ssl/sslsecur.c.alert-handler 2017-02-17 14:20:06.000000000 +0100
-+++ nss/lib/ssl/sslsecur.c 2017-03-14 11:01:42.566689641 +0100
-@@ -994,6 +994,42 @@ ssl_SecureWrite(sslSocket *ss, const uns
- }
-
- SECStatus
-+SSL_AlertReceivedCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
-+{
-+ sslSocket *ss;
-+
-+ ss = ssl_FindSocket(fd);
-+ if (!ss) {
-+ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertReceivedCallback",
-+ SSL_GETPID(), fd));
-+ return SECFailure;
-+ }
-+
-+ ss->alertReceivedCallback = cb;
-+ ss->alertReceivedCallbackArg = arg;
-+
-+ return SECSuccess;
-+}
-+
-+SECStatus
-+SSL_AlertSentCallback(PRFileDesc *fd, SSLAlertCallback cb, void *arg)
-+{
-+ sslSocket *ss;
-+
-+ ss = ssl_FindSocket(fd);
-+ if (!ss) {
-+ SSL_DBG(("%d: SSL[%d]: unable to find socket in SSL_AlertSentCallback",
-+ SSL_GETPID(), fd));
-+ return SECFailure;
-+ }
-+
-+ ss->alertSentCallback = cb;
-+ ss->alertSentCallbackArg = arg;
-+
-+ return SECSuccess;
-+}
-+
-+SECStatus
- SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
- {
- sslSocket *ss;
-diff -up nss/lib/ssl/sslsock.c.alert-handler nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.alert-handler 2017-03-14 11:01:42.538690367 +0100
-+++ nss/lib/ssl/sslsock.c 2017-03-14 11:01:42.566689641 +0100
-@@ -330,6 +330,10 @@ ssl_DupSocket(sslSocket *os)
- ss->getClientAuthDataArg = os->getClientAuthDataArg;
- ss->sniSocketConfig = os->sniSocketConfig;
- ss->sniSocketConfigArg = os->sniSocketConfigArg;
-+ ss->alertReceivedCallback = os->alertReceivedCallback;
-+ ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg;
-+ ss->alertSentCallback = os->alertSentCallback;
-+ ss->alertSentCallbackArg = os->alertSentCallbackArg;
- ss->handleBadCert = os->handleBadCert;
- ss->badCertArg = os->badCertArg;
- ss->handshakeCallback = os->handshakeCallback;
-@@ -2149,6 +2153,14 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
- ss->sniSocketConfig = sm->sniSocketConfig;
- if (sm->sniSocketConfigArg)
- ss->sniSocketConfigArg = sm->sniSocketConfigArg;
-+ if (ss->alertReceivedCallback) {
-+ ss->alertReceivedCallback = sm->alertReceivedCallback;
-+ ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
-+ }
-+ if (ss->alertSentCallback) {
-+ ss->alertSentCallback = sm->alertSentCallback;
-+ ss->alertSentCallbackArg = sm->alertSentCallbackArg;
-+ }
- if (sm->handleBadCert)
- ss->handleBadCert = sm->handleBadCert;
- if (sm->badCertArg)
-@@ -3691,6 +3703,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
- ss->sniSocketConfig = NULL;
- ss->sniSocketConfigArg = NULL;
- ss->getClientAuthData = NULL;
-+ ss->alertReceivedCallback = NULL;
-+ ss->alertReceivedCallbackArg = NULL;
-+ ss->alertSentCallback = NULL;
-+ ss->alertSentCallbackArg = NULL;
- ss->handleBadCert = NULL;
- ss->badCertArg = NULL;
- ss->pkcs11PinArg = NULL;
-# HG changeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1493741561 -7200
-# Tue May 02 18:12:41 2017 +0200
-# Node ID 8804a0c65a08ee53096c07cc091536c7cf102b58
-# Parent 769f9ae07b103494af809620478e60256a344adc
-Bug 1360207, Fix incorrect if (ss->...) in SSL_ReconfigFD, Patch contributed by Ian Goldberg, r=ttaubert
-
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -2152,11 +2152,11 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
- ss->sniSocketConfig = sm->sniSocketConfig;
- if (sm->sniSocketConfigArg)
- ss->sniSocketConfigArg = sm->sniSocketConfigArg;
-- if (ss->alertReceivedCallback) {
-+ if (sm->alertReceivedCallback) {
- ss->alertReceivedCallback = sm->alertReceivedCallback;
- ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
- }
-- if (ss->alertSentCallback) {
-+ if (sm->alertSentCallback) {
- ss->alertSentCallback = sm->alertSentCallback;
- ss->alertSentCallbackArg = sm->alertSentCallbackArg;
- }
diff --git a/SOURCES/nss-certutil-suppress-password.patch b/SOURCES/nss-certutil-suppress-password.patch
new file mode 100644
index 0000000..985ac21
--- /dev/null
+++ b/SOURCES/nss-certutil-suppress-password.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1513770602 -3600
+# Wed Dec 20 12:50:02 2017 +0100
+# Node ID 29b2a346746fb03316cf97c8c7b0837b714c255b
+# Parent 5a14f42384eb22b67e0465949c03555eff41e4af
+Bug 1426361, certutil: check CKF_LOGIN_REQUIRED as well as CKF_USER_PIN_INITIALIZED, r=rrelyea
+
+diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
+--- a/cmd/certutil/certutil.c
++++ b/cmd/certutil/certutil.c
+@@ -3171,7 +3171,7 @@ certutil_main(int argc, char **argv, PRB
+ certutil.commands[cmd_CreateAndAddCert].activated ||
+ certutil.commands[cmd_AddCert].activated ||
+ certutil.commands[cmd_AddEmailCert].activated) {
+- if (PK11_NeedUserInit(slot)) {
++ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
+ char *password = NULL;
+ /* fetch the password from the command line or the file
+ * if no password is supplied, initialize the password to NULL */
diff --git a/SOURCES/nss-disable-pss-gtests.patch b/SOURCES/nss-disable-pss-gtests.patch
deleted file mode 100644
index 2371c45..0000000
--- a/SOURCES/nss-disable-pss-gtests.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-diff -up nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
---- nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc.disable-pss-gtests 2017-02-17 14:20:06.000000000 +0100
-+++ nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc 2017-03-24 17:45:58.439916101 +0100
-@@ -69,7 +69,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
- server_->ConfigNamedGroups(groups);
- Connect();
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- }
-
- // This causes a HelloRetryRequest in TLS 1.3. Earlier versions don't care.
-@@ -82,7 +82,7 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP3
- server_->ConfigNamedGroups(groups);
- Connect();
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3,
- hrr_capture->buffer().len() != 0);
- }
-@@ -112,7 +112,7 @@ TEST_P(TlsKeyExchangeTest, P384Priority)
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
-
- std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
- CheckKEXDetails(groups, shares);
-@@ -129,7 +129,7 @@ TEST_P(TlsKeyExchangeTest, DuplicateGrou
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
-
- std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
- std::vector<SSLNamedGroup> expectedGroups = {ssl_grp_ec_secp384r1,
-@@ -147,7 +147,7 @@ TEST_P(TlsKeyExchangeTest, P384PriorityD
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
-
- if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
- std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp384r1};
-@@ -172,7 +172,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- }
-
- TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
-@@ -188,7 +188,7 @@ TEST_P(TlsConnectGenericPre13, P384Prior
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- }
-
- class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
-@@ -276,7 +276,7 @@ TEST_P(TlsConnectStreamPre13, Configured
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- CheckConnected();
-
- // The renegotiation has to use the same preferences as the original session.
-@@ -284,7 +284,7 @@ TEST_P(TlsConnectStreamPre13, Configured
- client_->StartRenegotiate();
- Handshake();
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- }
-
- TEST_P(TlsKeyExchangeTest, Curve25519) {
-@@ -318,7 +318,7 @@ TEST_P(TlsConnectGenericPre13, GroupPref
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- }
-
- #ifndef NSS_DISABLE_TLS_1_3
-@@ -337,7 +337,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_secp256r1};
- CheckKEXDetails(client_groups, shares);
- }
-@@ -357,7 +357,7 @@ TEST_P(TlsKeyExchangeTest13, Curve25519P
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
- CheckKEXDetails(client_groups, shares);
- }
-@@ -379,7 +379,7 @@ TEST_P(TlsKeyExchangeTest13, EqualPriori
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
- CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
- }
-@@ -401,7 +401,7 @@ TEST_P(TlsKeyExchangeTest13, NotEqualPri
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
- CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
- }
-@@ -423,7 +423,7 @@ TEST_P(TlsKeyExchangeTest13,
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
- CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
- }
-@@ -445,7 +445,7 @@ TEST_P(TlsKeyExchangeTest13,
- Connect();
-
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519};
- CheckKEXDetails(client_groups, shares, ssl_grp_ec_secp256r1);
- }
-@@ -507,7 +507,7 @@ TEST_P(TlsKeyExchangeTest13, MultipleCli
-
- // The server would accept 25519 but its preferred group (P256) has to win.
- CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp256r1, ssl_auth_rsa_sign,
-- ssl_sig_rsa_pss_sha256);
-+ ssl_sig_rsa_pkcs1_sha256);
- const std::vector<SSLNamedGroup> shares = {ssl_grp_ec_curve25519,
- ssl_grp_ec_secp256r1};
- CheckKEXDetails(client_groups, shares);
diff --git a/SOURCES/nss-disable-tls13-gtests.patch b/SOURCES/nss-disable-tls13-gtests.patch
new file mode 100644
index 0000000..cc7b661
--- /dev/null
+++ b/SOURCES/nss-disable-tls13-gtests.patch
@@ -0,0 +1,12 @@
+diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests 2017-10-16 17:13:51.798825185 +0200
++++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc 2017-10-16 17:14:08.238496409 +0200
+@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P(
+ INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+ TlsConnectTestBase::kTlsV11V12));
++#if 0
+ INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest,
+ TlsConnectTestBase::kTlsVariantsAll);
++#endif
+ } // namespace nss_test
diff --git a/SOURCES/nss-increase-pkcs12-iterations.patch b/SOURCES/nss-increase-pkcs12-iterations.patch
new file mode 100644
index 0000000..72fedd4
--- /dev/null
+++ b/SOURCES/nss-increase-pkcs12-iterations.patch
@@ -0,0 +1,26 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511356939 -3600
+# Wed Nov 22 14:22:19 2017 +0100
+# Node ID 93109d4cbedd397f5e75a2096257f9842a0ac5a1
+# Parent 6a27e4b4c92c8c3694132b75a1a54c23688789bd
+Bug 1278071, increase number of iterations for export to PKCS #12, r=fkiefer
+
+diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
+--- a/lib/pkcs7/p7create.c
++++ b/lib/pkcs7/p7create.c
+@@ -18,7 +18,13 @@
+ #include "secder.h"
+ #include "secpkcs5.h"
+
+-const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */
++const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */
++#ifdef DEBUG
++ 10000
++#else
++ 1000000
++#endif
++ ;
+
+ static SECStatus
+ sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp,
diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch
index 6f6fcb9..9c85f74 100644
--- a/SOURCES/nss-is-token-present-race.patch
+++ b/SOURCES/nss-is-token-present-race.patch
@@ -1,76 +1,191 @@
# HG changeset patch
-# User Kamil Dudka <kdudka@redhat.com>
-# Date 1484568851 -3600
-# Mon Jan 16 13:14:11 2017 +0100
-# Node ID 754a4a1f6220fa99e72197408726da14419fc187
-# Parent b6a26d34c0e354344f81a73137deeb682c7961e0
-Bug 1297397, avoid race condition in nssSlot_IsTokenPresent() that caused spurious SEC_ERROR_NO_TOKEN, r=rrelyea
+# User Robert Relyea <rrelyea@redhat.com>
+# Date 1516007838 -3600
+# Mon Jan 15 10:17:18 2018 +0100
+# Node ID 33d9c969cd6548c335ce43fa8909b96ef323f670
+# Parent db32ef3be38eb06a91babbcbb48285284d704dbd
+Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi
diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
--- a/lib/dev/devslot.c
+++ b/lib/dev/devslot.c
-@@ -91,7 +91,7 @@ nssSlot_ResetDelay(
- }
-
- static PRBool
--within_token_delay_period(NSSSlot *slot)
-+within_token_delay_period(const NSSSlot *slot)
- {
- PRIntervalTime time, lastTime;
- /* Set the delay time for checking the token presence */
-@@ -103,7 +103,6 @@ within_token_delay_period(NSSSlot *slot)
- if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
- return PR_TRUE;
+@@ -33,6 +33,8 @@ nssSlot_Destroy(
+ if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) {
+ PK11_FreeSlot(slot->pk11slot);
+ PZ_DestroyLock(slot->base.lock);
++ PZ_DestroyCondVar(slot->isPresentCondition);
++ PZ_DestroyLock(slot->isPresentLock);
+ return nssArena_Destroy(slot->base.arena);
+ }
}
-- slot->lastTokenPing = time;
- return PR_FALSE;
- }
+@@ -117,35 +119,61 @@ nssSlot_IsTokenPresent(
+ nssSession *session;
+ CK_SLOT_INFO slotInfo;
+ void *epv;
++ PRBool isPresent = PR_FALSE;
++
+ /* permanent slots are always present unless they're disabled */
+ if (nssSlot_IsPermanent(slot)) {
+ return !PK11_IsDisabled(slot->pk11slot);
+ }
++
+ /* avoid repeated calls to check token status within set interval */
++ PZ_Lock(slot->isPresentLock);
+ if (within_token_delay_period(slot)) {
+- return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0);
++ CK_FLAGS ckFlags = slot->ckFlags;
++ PZ_Unlock(slot->isPresentLock);
++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+ }
++ PZ_Unlock(slot->isPresentLock);
-@@ -136,6 +135,7 @@ nssSlot_IsTokenPresent(
+- /* First obtain the slot info */
++ /* First obtain the slot epv before we set up the condition
++ * variable, so we can just return if we couldn't get it. */
+ epv = slot->epv;
+ if (!epv) {
+ return PR_FALSE;
+ }
++
++ /* set up condition so only one thread is active in this part of the code at a time */
++ PZ_Lock(slot->isPresentLock);
++ while (slot->inIsPresent) {
++ PR_WaitCondVar(slot->isPresentCondition, 0);
++ }
++ /* if we were one of multiple threads here, the first thread will have
++ * given us the answer, no need to make more queries of the token. */
++ if (within_token_delay_period(slot)) {
++ CK_FLAGS ckFlags = slot->ckFlags;
++ PZ_Unlock(slot->isPresentLock);
++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
++ }
++ /* this is the winning thread, block all others until we've determined
++ * if the token is present and that it needs initialization. */
++ slot->inIsPresent = PR_TRUE;
++ PZ_Unlock(slot->isPresentLock);
++
+ nssSlot_EnterMonitor(slot);
+ ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
nssSlot_ExitMonitor(slot);
if (ckrv != CKR_OK) {
slot->token->base.name[0] = 0; /* XXX */
-+ slot->lastTokenPing = PR_IntervalNow();
- return PR_FALSE;
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
++ goto done;
}
slot->ckFlags = slotInfo.flags;
-@@ -143,6 +143,7 @@ nssSlot_IsTokenPresent(
+ /* check for the presence of the token */
if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
if (!slot->token) {
/* token was never present */
-+ slot->lastTokenPing = PR_IntervalNow();
- return PR_FALSE;
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
++ goto done;
}
session = nssToken_GetDefaultSession(slot->token);
-@@ -165,6 +166,7 @@ nssSlot_IsTokenPresent(
+ if (session) {
+@@ -167,15 +195,15 @@ nssSlot_IsTokenPresent(
slot->token->base.name[0] = 0; /* XXX */
/* clear the token cache */
nssToken_Remove(slot->token);
-+ slot->lastTokenPing = PR_IntervalNow();
- return PR_FALSE;
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
++ goto done;
}
/* token is present, use the session info to determine if the card
-@@ -187,8 +189,10 @@ nssSlot_IsTokenPresent(
- isPresent = session->handle != CK_INVALID_SESSION;
+ * has been removed and reinserted.
+ */
+ session = nssToken_GetDefaultSession(slot->token);
+ if (session) {
+- PRBool isPresent = PR_FALSE;
++ PRBool tokenRemoved;
+ nssSession_EnterMonitor(session);
+ if (session->handle != CK_INVALID_SESSION) {
+ CK_SESSION_INFO sessionInfo;
+@@ -187,12 +215,12 @@ nssSlot_IsTokenPresent(
+ session->handle = CK_INVALID_SESSION;
+ }
+ }
+- isPresent = session->handle != CK_INVALID_SESSION;
++ tokenRemoved = (session->handle == CK_INVALID_SESSION);
nssSession_ExitMonitor(session);
/* token not removed, finished */
-- if (isPresent)
-+ if (isPresent) {
-+ slot->lastTokenPing = PR_IntervalNow();
- return PR_TRUE;
-+ }
+- if (isPresent) {
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_TRUE;
++ if (!tokenRemoved) {
++ isPresent = PR_TRUE;
++ goto done;
+ }
}
/* the token has been removed, and reinserted, or the slot contains
- * a token it doesn't recognize. invalidate all the old
-@@ -201,8 +205,11 @@ nssSlot_IsTokenPresent(
+@@ -203,15 +231,27 @@ nssSlot_IsTokenPresent(
+ nssToken_Remove(slot->token);
+ /* token has been removed, need to refresh with new session */
+ nssrv = nssSlot_Refresh(slot);
++ isPresent = PR_TRUE;
if (nssrv != PR_SUCCESS) {
slot->token->base.name[0] = 0; /* XXX */
slot->ckFlags &= ~CKF_TOKEN_PRESENT;
-+ /* TODO: insert a barrier here to avoid reordering of the assingments */
-+ slot->lastTokenPing = PR_IntervalNow();
- return PR_FALSE;
+- /* TODO: insert a barrier here to avoid reordering of the assingments */
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
}
-+ slot->lastTokenPing = PR_IntervalNow();
- return PR_TRUE;
++done:
++ /* Once we've set up the condition variable,
++ * Before returning, it's necessary to:
++ * 1) Set the lastTokenPing time so that any other threads waiting on this
++ * initialization and any future calls within the initialization window
++ * return the just-computed status.
++ * 2) Indicate we're complete, waking up all other threads that may still
++ * be waiting on initialization can progress.
++ */
++ PZ_Lock(slot->isPresentLock);
+ slot->lastTokenPing = PR_IntervalNow();
+- return PR_TRUE;
++ slot->inIsPresent = PR_FALSE;
++ PR_NotifyAllCondVar(slot->isPresentCondition);
++ PZ_Unlock(slot->isPresentLock);
++ return isPresent;
+ }
+
+ NSS_IMPLEMENT void *
+@@ -229,7 +269,7 @@ nssSlot_GetToken(
+
+ if (nssSlot_IsTokenPresent(slot)) {
+ /* Even if a token should be present, check `slot->token` too as it
+- * might be gone already. This would happen mostly on shutdown. */
++ * might be gone already. This would happen mostly on shutdown. */
+ nssSlot_EnterMonitor(slot);
+ if (slot->token)
+ rvToken = nssToken_AddRef(slot->token);
+diff --git a/lib/dev/devt.h b/lib/dev/devt.h
+--- a/lib/dev/devt.h
++++ b/lib/dev/devt.h
+@@ -81,6 +81,9 @@ struct NSSSlotStr {
+ PZLock *lock;
+ void *epv;
+ PK11SlotInfo *pk11slot;
++ PZLock *isPresentLock;
++ PRCondVar *isPresentCondition;
++ PRBool inIsPresent;
+ };
+
+ struct nssSessionStr {
+diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c
+--- a/lib/pk11wrap/dev3hack.c
++++ b/lib/pk11wrap/dev3hack.c
+@@ -120,6 +120,9 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
+ /* Grab the slot name from the PKCS#11 fixed-length buffer */
+ rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena);
+ rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
++ rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
++ rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
++ rvSlot->inIsPresent = PR_FALSE;
+ return rvSlot;
}
diff --git a/SOURCES/nss-modutil-suppress-password.patch b/SOURCES/nss-modutil-suppress-password.patch
new file mode 100644
index 0000000..160f995
--- /dev/null
+++ b/SOURCES/nss-modutil-suppress-password.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1510244757 -3600
+# Thu Nov 09 17:25:57 2017 +0100
+# Node ID 523734e69b5cdd7c2c9047e705e858da352a3b24
+# Parent 54be8a4501d454b2b7454e4a44ea013738e0b693
+Bug 1415847, modutil: Suppress unnecessary password prompt, r=kaie
+
+diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
+--- a/cmd/modutil/pk11.c
++++ b/cmd/modutil/pk11.c
+@@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile,
+ ret = BAD_PW_ERR;
+ goto loser;
+ }
+- } else {
++ } else if (PK11_NeedLogin(slot)) {
+ for (matching = PR_FALSE; !matching;) {
+ oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
+ if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
diff --git a/SOURCES/nss-pk12util-force-unicode.patch b/SOURCES/nss-pk12util-force-unicode.patch
deleted file mode 100644
index 8aba8e7..0000000
--- a/SOURCES/nss-pk12util-force-unicode.patch
+++ /dev/null
@@ -1,408 +0,0 @@
-diff -up nss/cmd/pk12util/pk12util.c.pk12util-force-unicode nss/cmd/pk12util/pk12util.c
---- nss/cmd/pk12util/pk12util.c.pk12util-force-unicode 2017-09-21 09:49:22.371039588 +0200
-+++ nss/cmd/pk12util/pk12util.c 2017-09-21 09:49:22.389039181 +0200
-@@ -23,6 +23,7 @@
- static char *progName;
- PRBool pk12_debugging = PR_FALSE;
- PRBool dumpRawFile;
-+static PRBool pk12uForceUnicode;
-
- PRIntn pk12uErrno = 0;
-
-@@ -357,6 +358,7 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
- SECItem p12file = { 0 };
- SECStatus rv = SECFailure;
- PRBool swapUnicode = PR_FALSE;
-+ PRBool forceUnicode = pk12uForceUnicode;
- PRBool trypw;
- int error;
-
-@@ -424,6 +426,18 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
- SEC_PKCS12DecoderFinish(p12dcx);
- uniPwp->len = 0;
- trypw = PR_TRUE;
-+ } else if (forceUnicode == pk12uForceUnicode) {
-+ /* try again with a different password encoding */
-+ forceUnicode = !pk12uForceUnicode;
-+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE,
-+ forceUnicode);
-+ if (rv != SECSuccess) {
-+ SECU_PrintError(progName, "PKCS12 decoding failed to set option");
-+ pk12uErrno = PK12UERR_DECODEVERIFY;
-+ break;
-+ }
-+ SEC_PKCS12DecoderFinish(p12dcx);
-+ trypw = PR_TRUE;
- } else {
- SECU_PrintError(progName, "PKCS12 decode not verified");
- pk12uErrno = PK12UERR_DECODEVERIFY;
-@@ -431,6 +445,15 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
- }
- }
- } while (trypw == PR_TRUE);
-+
-+ /* revert the option setting */
-+ if (forceUnicode != pk12uForceUnicode) {
-+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
-+ if (rv != SECSuccess) {
-+ SECU_PrintError(progName, "PKCS12 decoding failed to set option");
-+ pk12uErrno = PK12UERR_DECODEVERIFY;
-+ }
-+ }
- /* rv has been set at this point */
-
- done:
-@@ -470,6 +493,8 @@ P12U_ImportPKCS12Object(char *in_file, P
- {
- SEC_PKCS12DecoderContext *p12dcx = NULL;
- SECItem uniPwitem = { 0 };
-+ PRBool forceUnicode = pk12uForceUnicode;
-+ PRBool trypw;
- SECStatus rv = SECFailure;
-
- rv = P12U_InitSlot(slot, slotPw);
-@@ -480,31 +505,62 @@ P12U_ImportPKCS12Object(char *in_file, P
- return rv;
- }
-
-- rv = SECFailure;
-- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
-+ do {
-+ trypw = PR_FALSE; /* normally we do this once */
-+ rv = SECFailure;
-+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
-
-- if (p12dcx == NULL) {
-- goto loser;
-- }
-+ if (p12dcx == NULL) {
-+ goto loser;
-+ }
-
-- /* make sure the bags are okey dokey -- nicknames correct, etc. */
-- rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
-- if (rv != SECSuccess) {
-- if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
-- pk12uErrno = PK12UERR_CERTALREADYEXISTS;
-- } else {
-- pk12uErrno = PK12UERR_DECODEVALIBAGS;
-+ /* make sure the bags are okey dokey -- nicknames correct, etc. */
-+ rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
-+ if (rv != SECSuccess) {
-+ if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
-+ pk12uErrno = PK12UERR_CERTALREADYEXISTS;
-+ } else {
-+ pk12uErrno = PK12UERR_DECODEVALIBAGS;
-+ }
-+ SECU_PrintError(progName, "PKCS12 decode validate bags failed");
-+ goto loser;
- }
-- SECU_PrintError(progName, "PKCS12 decode validate bags failed");
-- goto loser;
-- }
-
-- /* stuff 'em in */
-- rv = SEC_PKCS12DecoderImportBags(p12dcx);
-- if (rv != SECSuccess) {
-- SECU_PrintError(progName, "PKCS12 decode import bags failed");
-- pk12uErrno = PK12UERR_DECODEIMPTBAGS;
-- goto loser;
-+ /* stuff 'em in */
-+ if (forceUnicode != pk12uForceUnicode) {
-+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE,
-+ forceUnicode);
-+ if (rv != SECSuccess) {
-+ SECU_PrintError(progName, "PKCS12 decode set option failed");
-+ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
-+ goto loser;
-+ }
-+ }
-+ rv = SEC_PKCS12DecoderImportBags(p12dcx);
-+ if (rv != SECSuccess) {
-+ if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY &&
-+ forceUnicode == pk12uForceUnicode) {
-+ /* try again with a different password encoding */
-+ forceUnicode = !pk12uForceUnicode;
-+ SEC_PKCS12DecoderFinish(p12dcx);
-+ SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
-+ trypw = PR_TRUE;
-+ } else {
-+ SECU_PrintError(progName, "PKCS12 decode import bags failed");
-+ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
-+ goto loser;
-+ }
-+ }
-+ } while (trypw);
-+
-+ /* revert the option setting */
-+ if (forceUnicode != pk12uForceUnicode) {
-+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
-+ if (rv != SECSuccess) {
-+ SECU_PrintError(progName, "PKCS12 decode set option failed");
-+ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
-+ goto loser;
-+ }
- }
-
- fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName);
-@@ -951,6 +1007,7 @@ main(int argc, char **argv)
- int keyLen = 0;
- int certKeyLen = 0;
- secuCommand pk12util;
-+ PRInt32 forceUnicode;
-
- #ifdef _CRTDBG_MAP_ALLOC
- _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
-@@ -982,6 +1039,14 @@ main(int argc, char **argv)
- Usage(progName);
- }
-
-+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
-+ if (rv != SECSuccess) {
-+ SECU_PrintError(progName,
-+ "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option");
-+ Usage(progName);
-+ }
-+ pk12uForceUnicode = forceUnicode;
-+
- slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
-
- import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List)
-diff -up nss/lib/nss/nss.h.pk12util-force-unicode nss/lib/nss/nss.h
---- nss/lib/nss/nss.h.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200
-+++ nss/lib/nss/nss.h 2017-09-21 09:49:22.387039226 +0200
-@@ -291,6 +291,15 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
- #define NSS_DTLS_VERSION_MIN_POLICY 0x00a
- #define NSS_DTLS_VERSION_MAX_POLICY 0x00b
-
-+/* Until NSS 3.30, the PKCS#12 implementation used BMPString encoding
-+ * for all passwords. This changed to use UTF-8 for non-PKCS#12 PBEs
-+ * in NSS 3.31.
-+ *
-+ * For backward compatibility, this option reverts the behavior to the
-+ * old NSS versions. This option might be removed in the future NSS
-+ * releases; don't rely on it. */
-+#define __NSS_PKCS12_DECODE_FORCE_UNICODE 0x00c
-+
- /*
- * Set and get global options for the NSS library.
- */
-diff -up nss/lib/nss/nssoptions.c.pk12util-force-unicode nss/lib/nss/nssoptions.c
---- nss/lib/nss/nssoptions.c.pk12util-force-unicode 2017-04-05 14:23:56.000000000 +0200
-+++ nss/lib/nss/nssoptions.c 2017-09-21 09:49:22.387039226 +0200
-@@ -23,6 +23,7 @@ struct nssOps {
- PRInt32 tlsVersionMaxPolicy;
- PRInt32 dtlsVersionMinPolicy;
- PRInt32 dtlsVersionMaxPolicy;
-+ PRInt32 pkcs12DecodeForceUnicode;
- };
-
- static struct nssOps nss_ops = {
-@@ -33,6 +34,7 @@ static struct nssOps nss_ops = {
- 0xffff, /* set TLS max to more than the largest legal SSL value */
- 1,
- 0xffff,
-+ PR_FALSE
- };
-
- SECStatus
-@@ -62,6 +64,9 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
- case NSS_DTLS_VERSION_MAX_POLICY:
- nss_ops.dtlsVersionMaxPolicy = value;
- break;
-+ case __NSS_PKCS12_DECODE_FORCE_UNICODE:
-+ nss_ops.pkcs12DecodeForceUnicode = value;
-+ break;
- default:
- rv = SECFailure;
- }
-@@ -96,6 +101,9 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
- case NSS_DTLS_VERSION_MAX_POLICY:
- *value = nss_ops.dtlsVersionMaxPolicy;
- break;
-+ case __NSS_PKCS12_DECODE_FORCE_UNICODE:
-+ *value = nss_ops.pkcs12DecodeForceUnicode;
-+ break;
- default:
- rv = SECFailure;
- }
-diff -up nss/lib/pkcs12/p12d.c.pk12util-force-unicode nss/lib/pkcs12/p12d.c
---- nss/lib/pkcs12/p12d.c.pk12util-force-unicode 2017-09-21 09:49:22.374039520 +0200
-+++ nss/lib/pkcs12/p12d.c 2017-09-21 09:49:22.388039203 +0200
-@@ -3,6 +3,7 @@
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
- #include "nssrenam.h"
-+#include "nss.h"
- #include "p12t.h"
- #include "p12.h"
- #include "plarena.h"
-@@ -126,6 +127,7 @@ struct SEC_PKCS12DecoderContextStr {
- SECKEYGetPasswordKey pwfn;
- void *pwfnarg;
- PRBool swapUnicodeBytes;
-+ PRBool forceUnicode;
-
- /* import information */
- PRBool bagsVerified;
-@@ -192,8 +194,18 @@ sec_pkcs12_decoder_get_decrypt_key(void
- }
-
- algorithm = SECOID_GetAlgorithmTag(algid);
-- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem))
-- return NULL;
-+
-+ if (p12dcx->forceUnicode) {
-+ if (SECITEM_CopyItem(NULL, &pwitem, p12dcx->pwitem) != SECSuccess) {
-+ PK11_FreeSlot(slot);
-+ return NULL;
-+ }
-+ } else {
-+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem)) {
-+ PK11_FreeSlot(slot);
-+ return NULL;
-+ }
-+ }
-
- bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
- /* some tokens can't generate PBE keys on their own, generate the
-@@ -1164,6 +1176,8 @@ SEC_PKCS12DecoderStart(SECItem *pwitem,
- {
- SEC_PKCS12DecoderContext *p12dcx;
- PLArenaPool *arena;
-+ PRInt32 forceUnicode = PR_FALSE;
-+ SECStatus rv;
-
- arena = PORT_NewArena(2048); /* different size? */
- if (!arena) {
-@@ -1196,6 +1210,11 @@ SEC_PKCS12DecoderStart(SECItem *pwitem,
- #else
- p12dcx->swapUnicodeBytes = PR_FALSE;
- #endif
-+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
-+ if (rv != SECSuccess) {
-+ goto loser;
-+ }
-+ p12dcx->forceUnicode = forceUnicode;
- p12dcx->errorValue = 0;
- p12dcx->error = PR_FALSE;
-
-@@ -2428,7 +2447,7 @@ sec_pkcs12_get_public_value_and_type(SEC
- static SECStatus
- sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECKEYPublicKey *pubKey,
- unsigned int keyUsage,
-- SECItem *nickName, void *wincx)
-+ SECItem *nickName, PRBool forceUnicode, void *wincx)
- {
- SECStatus rv;
- SECItem *publicValue = NULL;
-@@ -2466,9 +2485,21 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke
- &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm;
- SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
-
-- if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
-- key->pwitem))
-- return SECFailure;
-+ if (forceUnicode) {
-+ if (SECITEM_CopyItem(NULL, &pwitem, key->pwitem) != SECSuccess) {
-+ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
-+ key->problem = PR_TRUE;
-+ return SECFailure;
-+ }
-+ } else {
-+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
-+ key->pwitem)) {
-+ key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
-+ key->problem = PR_TRUE;
-+ return SECFailure;
-+ }
-+ }
-+
- rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
- key->safeBagContent.pkcs8ShroudedKeyBag,
- &pwitem, nickName, publicValue,
-@@ -2923,7 +2954,8 @@ sec_pkcs12_get_public_value_and_type(SEC
- * two passes in sec_pkcs12_validate_bags.
- */
- static SECStatus
--sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx)
-+sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, PRBool forceUnicode,
-+ void *wincx)
- {
- sec_PKCS12SafeBag **keyList;
- int i;
-@@ -2976,7 +3008,8 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa
- key->problem = PR_TRUE;
- rv = SECFailure;
- } else {
-- rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName, wincx);
-+ rv = sec_pkcs12_add_key(key, pubKey, keyUsage, nickName,
-+ forceUnicode, wincx);
- }
- if (pubKey) {
- SECKEY_DestroyPublicKey(pubKey);
-@@ -3053,6 +3086,9 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBa
- SECStatus
- SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
- {
-+ PRBool forceUnicode = PR_FALSE;
-+ SECStatus rv;
-+
- if (!p12dcx || p12dcx->error) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
-@@ -3062,7 +3098,16 @@ SEC_PKCS12DecoderImportBags(SEC_PKCS12De
- return SECFailure;
- }
-
-- return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
-+ /* We need to check the option here as well as in
-+ * SEC_PKCS12DecoderStart, because different PBE's could be used
-+ * for PKCS #7 and PKCS #8 */
-+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
-+ if (rv != SECSuccess) {
-+ return SECFailure;
-+ }
-+
-+ return sec_pkcs12_install_bags(p12dcx->safeBags, forceUnicode,
-+ p12dcx->wincx);
- }
-
- PRBool
-diff -up nss/tests/tools/tools.sh.pk12util-force-unicode nss/tests/tools/tools.sh
---- nss/tests/tools/tools.sh.pk12util-force-unicode 2017-09-21 09:49:22.373039542 +0200
-+++ nss/tests/tools/tools.sh 2017-09-21 09:50:06.593062871 +0200
-@@ -106,6 +106,8 @@ tools_init()
- cp ${ALICEDIR}/* ${SIGNDIR}/
- mkdir -p ${TOOLSDIR}/html
- cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
-+ mkdir -p ${TOOLSDIR}/data
-+ cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
-
- cd ${TOOLSDIR}
- }
-@@ -398,6 +400,16 @@ tools_p12_export_list_import_with_defaul
- fi
- }
-
-+tools_p12_import_old_files()
-+{
-+ echo "$SCRIPTNAME: Importing CA cert & key created with NSS 3.21 --------------"
-+ echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
-+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
-+ ret=$?
-+ html_msg $ret 0 "Importing CA cert & key created with NSS 3.21"
-+ check_tmpfile
-+}
-+
- ############################## tools_p12 ###############################
- # local shell function to test basic functionality of pk12util
- ########################################################################
-@@ -408,6 +420,7 @@ tools_p12()
- tools_p12_export_list_import_all_pkcs5pbe_ciphers
- tools_p12_export_list_import_all_pkcs12v2pbe_ciphers
- tools_p12_export_with_null_ciphers
-+ tools_p12_import_old_files
- }
-
- ############################## tools_sign ##############################
diff --git a/SOURCES/nss-pk12util.patch b/SOURCES/nss-pk12util.patch
deleted file mode 100644
index e2f7f99..0000000
--- a/SOURCES/nss-pk12util.patch
+++ /dev/null
@@ -1,765 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1481829086 -3600
-# Thu Dec 15 20:11:26 2016 +0100
-# Node ID 6d66c2c24e4d9d1ad12a7065c55ef1c9fe143057
-# Parent 35ecce23718136f99ca9537007481b4774c57e68
-Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r=rrelyea
-
-diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
---- a/lib/pk11wrap/pk11mech.c
-+++ b/lib/pk11wrap/pk11mech.c
-@@ -612,6 +612,10 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE
- case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
- case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
- case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
-+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
- case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
- case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
- case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
-diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
---- a/lib/pkcs12/p12d.c
-+++ b/lib/pkcs12/p12d.c
-@@ -1335,11 +1335,23 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12
- case SEC_OID_MD2:
- integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;
- break;
-+ case SEC_OID_SHA224:
-+ integrityMech = CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN;
-+ break;
-+ case SEC_OID_SHA256:
-+ integrityMech = CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN;
-+ break;
-+ case SEC_OID_SHA384:
-+ integrityMech = CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN;
-+ break;
-+ case SEC_OID_SHA512:
-+ integrityMech = CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN;
-+ break;
- default:
- goto loser;
- }
-
-- symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
-+ symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL);
- PK11_DestroyPBEParams(params);
- params = NULL;
- if (!symKey)
-diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
---- a/lib/softoken/lowpbe.c
-+++ b/lib/softoken/lowpbe.c
-@@ -408,7 +408,6 @@ loser:
- return result;
- }
-
--#define HMAC_BUFFER 64
- #define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y))
- #define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y))
- /*
-@@ -430,6 +429,7 @@ nsspkcs5_PKCS12PBE(const SECHashObject *
- int iter;
- unsigned char *iterBuf;
- void *hash = NULL;
-+ unsigned int bufferLength;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!arena) {
-@@ -439,8 +439,11 @@ nsspkcs5_PKCS12PBE(const SECHashObject *
- /* how many hash object lengths are needed */
- c = (bytesNeeded + (hashLength - 1)) / hashLength;
-
-+ /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */
-+ bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64);
-+
- /* initialize our buffers */
-- D.len = HMAC_BUFFER;
-+ D.len = bufferLength;
- /* B and D are the same length, use one alloc go get both */
- D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2);
- B.len = D.len;
-@@ -452,8 +455,8 @@ nsspkcs5_PKCS12PBE(const SECHashObject *
- goto loser;
- }
-
-- SLen = NSSPBE_ROUNDUP(salt->len, HMAC_BUFFER);
-- PLen = NSSPBE_ROUNDUP(pwitem->len, HMAC_BUFFER);
-+ SLen = NSSPBE_ROUNDUP(salt->len, bufferLength);
-+ PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength);
- I.len = SLen + PLen;
- I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len);
- if (I.data == NULL) {
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1485768835 -3600
-# Mon Jan 30 10:33:55 2017 +0100
-# Node ID 09d1a0757431fa52ae025138da654c698141971b
-# Parent 806c3106536feea0827ec54729a52b5cbac8a496
-Bug 1268141 - pk12util can't import PKCS#12 files encrypted with AES-128-CBC, r=rrelyea
-
-diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c
---- a/cmd/pk12util/pk12util.c
-+++ b/cmd/pk12util/pk12util.c
-@@ -861,6 +861,9 @@ p12u_EnableAllCiphers()
- SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
- SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
- SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
-+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1);
-+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1);
-+ SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1);
- SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
- }
-
-diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
---- a/lib/pk11wrap/pk11pbe.c
-+++ b/lib/pk11wrap/pk11pbe.c
-@@ -4,6 +4,7 @@
-
- #include "plarena.h"
-
-+#include "blapit.h"
- #include "seccomon.h"
- #include "secitem.h"
- #include "secport.h"
-@@ -301,17 +302,49 @@ SEC_PKCS5GetPBEAlgorithm(SECOidTag algTa
- return SEC_OID_UNKNOWN;
- }
-
-+static PRBool
-+sec_pkcs5_is_algorithm_v2_aes_algorithm(SECOidTag algorithm)
-+{
-+ switch (algorithm) {
-+ case SEC_OID_AES_128_CBC:
-+ case SEC_OID_AES_192_CBC:
-+ case SEC_OID_AES_256_CBC:
-+ return PR_TRUE;
-+ default:
-+ return PR_FALSE;
-+ }
-+}
-+
-+static int
-+sec_pkcs5v2_aes_key_length(SECOidTag algorithm)
-+{
-+ switch (algorithm) {
-+ /* The key length for the AES-CBC-Pad algorithms are
-+ * determined from the undelying cipher algorithm. */
-+ case SEC_OID_AES_128_CBC:
-+ return AES_128_KEY_LENGTH;
-+ case SEC_OID_AES_192_CBC:
-+ return AES_192_KEY_LENGTH;
-+ case SEC_OID_AES_256_CBC:
-+ return AES_256_KEY_LENGTH;
-+ default:
-+ break;
-+ }
-+ return 0;
-+}
-+
- /*
- * get the key length in bytes from a PKCS5 PBE
- */
--int
--sec_pkcs5v2_key_length(SECAlgorithmID *algid)
-+static int
-+sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
- {
- SECOidTag algorithm;
- PLArenaPool *arena = NULL;
- SEC_PKCS5PBEParameter p5_param;
- SECStatus rv;
- int length = -1;
-+ SECOidTag cipherAlg = SEC_OID_UNKNOWN;
-
- algorithm = SECOID_GetAlgorithmTag(algid);
- /* sanity check, they should all be PBKDF2 here */
-@@ -330,7 +363,12 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a
- goto loser;
- }
-
-- if (p5_param.keyLength.data != NULL) {
-+ if (cipherAlgId)
-+ cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId);
-+
-+ if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
-+ length = sec_pkcs5v2_aes_key_length(cipherAlg);
-+ } else if (p5_param.keyLength.data != NULL) {
- length = DER_GetInteger(&p5_param.keyLength);
- }
-
-@@ -375,14 +413,15 @@ SEC_PKCS5GetKeyLength(SECAlgorithmID *al
- case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
- return 16;
- case SEC_OID_PKCS5_PBKDF2:
-- return sec_pkcs5v2_key_length(algid);
-+ return sec_pkcs5v2_key_length(algid, NULL);
- case SEC_OID_PKCS5_PBES2:
- case SEC_OID_PKCS5_PBMAC1: {
- sec_pkcs5V2Parameter *pbeV2_param;
- int length = -1;
- pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid);
- if (pbeV2_param != NULL) {
-- length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId);
-+ length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId,
-+ &pbeV2_param->cipherAlgId);
- sec_pkcs5_v2_destroy_v2_param(pbeV2_param);
- }
- return length;
-@@ -614,6 +653,8 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
- if (hashAlg != SEC_OID_UNKNOWN) {
- keyLength = HASH_ResultLenByOidTag(hashAlg);
-+ } else if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlgorithm)) {
-+ keyLength = sec_pkcs5v2_aes_key_length(cipherAlgorithm);
- } else {
- CK_MECHANISM_TYPE cryptoMech;
- cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm);
-diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
---- a/lib/pkcs12/p12d.c
-+++ b/lib/pkcs12/p12d.c
-@@ -177,6 +177,9 @@ sec_pkcs12_decoder_get_decrypt_key(void
- SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
- PK11SlotInfo *slot;
- PK11SymKey *bulkKey;
-+ SECItem *pwitem;
-+ SECItem decodedPwitem = { 0 };
-+ SECOidTag algorithm;
-
- if (!p12dcx) {
- return NULL;
-@@ -189,7 +192,24 @@ sec_pkcs12_decoder_get_decrypt_key(void
- slot = PK11_GetInternalKeySlot();
- }
-
-- bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem,
-+ algorithm = SECOID_GetAlgorithmTag(algid);
-+ pwitem = p12dcx->pwitem;
-+
-+ /* here we assume that the password is already encoded into
-+ * BMPString by the caller. if the encryption scheme is not the
-+ * one defined in PKCS #12, decode the password back into
-+ * UTF-8. */
-+ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) {
-+ if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem,
-+ p12dcx->pwitem,
-+ PR_TRUE, PR_FALSE, PR_FALSE)) {
-+ PORT_SetError(SEC_ERROR_NO_MEMORY);
-+ return NULL;
-+ }
-+ pwitem = &decodedPwitem;
-+ }
-+
-+ bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
- PR_FALSE, p12dcx->wincx);
- /* some tokens can't generate PBE keys on their own, generate the
- * key in the internal slot, and let the Import code deal with it,
-@@ -198,7 +218,7 @@ sec_pkcs12_decoder_get_decrypt_key(void
- if (!bulkKey && !PK11_IsInternal(slot)) {
- PK11_FreeSlot(slot);
- slot = PK11_GetInternalKeySlot();
-- bulkKey = PK11_PBEKeyGen(slot, algid, p12dcx->pwitem,
-+ bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
- PR_FALSE, p12dcx->wincx);
- }
- PK11_FreeSlot(slot);
-@@ -208,6 +228,10 @@ sec_pkcs12_decoder_get_decrypt_key(void
- PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL);
- }
-
-+ if (decodedPwitem.data) {
-+ SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE);
-+ }
-+
- return bulkKey;
- }
-
-diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c
---- a/lib/pkcs12/p12e.c
-+++ b/lib/pkcs12/p12e.c
-@@ -10,6 +10,7 @@
- #include "seccomon.h"
- #include "secport.h"
- #include "cert.h"
-+#include "secpkcs5.h"
- #include "secpkcs7.h"
- #include "secasn1.h"
- #include "secerr.h"
-@@ -378,19 +379,36 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC
- safeInfo->itemCount = 0;
-
- /* create the encrypted safe */
-- safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn,
-- p12ctxt->pwfnarg);
-+ if (!SEC_PKCS5IsAlgorithmPBEAlgTag(privAlg) &&
-+ PK11_AlgtagToMechanism(privAlg) == CKM_AES_CBC) {
-+ safeInfo->cinfo = SEC_PKCS7CreateEncryptedDataWithPBEV2(SEC_OID_PKCS5_PBES2,
-+ privAlg,
-+ SEC_OID_UNKNOWN,
-+ 0,
-+ p12ctxt->pwfn,
-+ p12ctxt->pwfnarg);
-+ } else {
-+ safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn,
-+ p12ctxt->pwfnarg);
-+ }
- if (!safeInfo->cinfo) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
- safeInfo->arena = p12ctxt->arena;
-
-- /* convert the password to unicode */
-- if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
-- PR_TRUE, PR_TRUE, PR_TRUE)) {
-- PORT_SetError(SEC_ERROR_NO_MEMORY);
-- goto loser;
-+ if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) {
-+ /* convert the password to unicode */
-+ if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
-+ PR_TRUE, PR_TRUE, PR_TRUE)) {
-+ PORT_SetError(SEC_ERROR_NO_MEMORY);
-+ goto loser;
-+ }
-+ } else {
-+ if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) {
-+ PORT_SetError(SEC_ERROR_NO_MEMORY);
-+ goto loser;
-+ }
- }
- if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
-diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
---- a/lib/pkcs12/p12local.c
-+++ b/lib/pkcs12/p12local.c
-@@ -949,6 +949,33 @@ sec_pkcs12_convert_item_to_unicode(PLAre
- return PR_TRUE;
- }
-
-+PRBool
-+sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm)
-+{
-+ switch (algorithm) {
-+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
-+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
-+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
-+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
-+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
-+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
-+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
-+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
-+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
-+ /* those are actually PKCS #5 v1.5 PBEs, but we
-+ * historically treat them in the same way as PKCS #12
-+ * PBEs */
-+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
-+ case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
-+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
-+ return PR_TRUE;
-+ default:
-+ return PR_FALSE;
-+ }
-+}
-+
- /* pkcs 12 templates */
- static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
- sec_pkcs12_choose_shroud_type;
-diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h
---- a/lib/pkcs12/p12local.h
-+++ b/lib/pkcs12/p12local.h
-@@ -55,4 +55,6 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo
- void *wincx, SEC_PKCS12SafeContents *safe,
- SEC_PKCS12Baggage *baggage);
-
-+extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm);
-+
- #endif
-diff --git a/lib/pkcs12/p12plcy.c b/lib/pkcs12/p12plcy.c
---- a/lib/pkcs12/p12plcy.c
-+++ b/lib/pkcs12/p12plcy.c
-@@ -24,6 +24,9 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
- { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE },
- { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE },
- { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE },
-+ { SEC_OID_AES_128_CBC, 128, PKCS12_AES_CBC_128, PR_FALSE, PR_FALSE },
-+ { SEC_OID_AES_192_CBC, 192, PKCS12_AES_CBC_192, PR_FALSE, PR_FALSE },
-+ { SEC_OID_AES_256_CBC, 256, PKCS12_AES_CBC_256, PR_FALSE, PR_FALSE },
- { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE },
- { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE }
- };
-diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
---- a/lib/pkcs7/p7create.c
-+++ b/lib/pkcs7/p7create.c
-@@ -1245,3 +1245,56 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a
-
- return cinfo;
- }
-+
-+SEC_PKCS7ContentInfo *
-+SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm,
-+ SECOidTag cipher_algorithm,
-+ SECOidTag prf_algorithm,
-+ int keysize,
-+ SECKEYGetPasswordKey pwfn, void *pwfn_arg)
-+{
-+ SEC_PKCS7ContentInfo *cinfo;
-+ SECAlgorithmID *algid;
-+ SEC_PKCS7EncryptedData *enc_data;
-+ SECStatus rv;
-+
-+ PORT_Assert(SEC_PKCS5IsAlgorithmPBEAlgTag(pbe_algorithm));
-+
-+ cinfo = sec_pkcs7_create_content_info(SEC_OID_PKCS7_ENCRYPTED_DATA,
-+ PR_FALSE, pwfn, pwfn_arg);
-+ if (cinfo == NULL)
-+ return NULL;
-+
-+ enc_data = cinfo->content.encryptedData;
-+ algid = &(enc_data->encContentInfo.contentEncAlg);
-+
-+ SECAlgorithmID *pbe_algid;
-+ pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm,
-+ cipher_algorithm,
-+ prf_algorithm,
-+ keysize,
-+ NSS_PBE_DEFAULT_ITERATION_COUNT,
-+ NULL);
-+ if (pbe_algid == NULL) {
-+ rv = SECFailure;
-+ } else {
-+ rv = SECOID_CopyAlgorithmID(cinfo->poolp, algid, pbe_algid);
-+ SECOID_DestroyAlgorithmID(pbe_algid, PR_TRUE);
-+ }
-+
-+ if (rv != SECSuccess) {
-+ SEC_PKCS7DestroyContentInfo(cinfo);
-+ return NULL;
-+ }
-+
-+ rv = sec_pkcs7_init_encrypted_content_info(&(enc_data->encContentInfo),
-+ cinfo->poolp,
-+ SEC_OID_PKCS7_DATA, PR_FALSE,
-+ cipher_algorithm, keysize);
-+ if (rv != SECSuccess) {
-+ SEC_PKCS7DestroyContentInfo(cinfo);
-+ return NULL;
-+ }
-+
-+ return cinfo;
-+}
-diff --git a/lib/pkcs7/secpkcs7.h b/lib/pkcs7/secpkcs7.h
---- a/lib/pkcs7/secpkcs7.h
-+++ b/lib/pkcs7/secpkcs7.h
-@@ -287,6 +287,26 @@ SEC_PKCS7CreateEncryptedData(SECOidTag a
- SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-
- /*
-+ * Create an empty PKCS7 encrypted content info.
-+ *
-+ * Similar to SEC_PKCS7CreateEncryptedData(), but this is capable of
-+ * creating encrypted content for PKCS #5 v2 algorithms.
-+ *
-+ * "pbe_algorithm" specifies the PBE algorithm to use.
-+ * "cipher_algorithm" specifies the bulk encryption algorithm to use.
-+ * "prf_algorithm" specifies the PRF algorithm which pbe_algorithm uses.
-+ *
-+ * An error results in a return value of NULL and an error set.
-+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
-+ */
-+extern SEC_PKCS7ContentInfo *
-+SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm,
-+ SECOidTag cipher_algorithm,
-+ SECOidTag prf_algorithm,
-+ int keysize,
-+ SECKEYGetPasswordKey pwfn, void *pwfn_arg);
-+
-+/*
- * All of the following things return SECStatus to signal success or failure.
- * Failure should have a more specific error status available via
- * PORT_GetError()/XP_GetError().
-diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
---- a/tests/tools/tools.sh
-+++ b/tests/tools/tools.sh
-@@ -273,12 +273,9 @@ tools_p12_export_list_import_all_pkcs5v2
- CAMELLIA-256-CBC; do
-
- #---------------------------------------------------------------
--# Bug 452464 - pk12util -o fails when -C option specifies AES or
-+# Bug 452464 - pk12util -o fails when -C option specifies
- # Camellia ciphers
- # FIXME Restore these to the list
--# AES-128-CBC, \
--# AES-192-CBC, \
--# AES-256-CBC, \
- # CAMELLIA-128-CBC, \
- # CAMELLIA-192-CBC, \
- # CAMELLIA-256-CBC, \
-@@ -287,6 +284,9 @@ tools_p12_export_list_import_all_pkcs5v2
- for cert_cipher in \
- RC2-CBC \
- DES-EDE3-CBC \
-+ AES-128-CBC \
-+ AES-192-CBC \
-+ AES-256-CBC \
- null; do
- export_list_import ${key_cipher} ${cert_cipher}
- done
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1491303138 -7200
-# Tue Apr 04 12:52:18 2017 +0200
-# Node ID ef11922df67881332f1fa200c7ae21b9c30cec76
-# Parent 7228445b43ac095ebc0eee330d6a351b898ebbdd
-Bug 1353325, pkcs12: don't encode password if non-PKCS12 PBEs is used, r=rrelyea
-
-diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
---- a/lib/pkcs12/p12d.c
-+++ b/lib/pkcs12/p12d.c
-@@ -177,8 +177,7 @@ sec_pkcs12_decoder_get_decrypt_key(void
- SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
- PK11SlotInfo *slot;
- PK11SymKey *bulkKey;
-- SECItem *pwitem;
-- SECItem decodedPwitem = { 0 };
-+ SECItem pwitem = { 0 };
- SECOidTag algorithm;
-
- if (!p12dcx) {
-@@ -193,24 +192,10 @@ sec_pkcs12_decoder_get_decrypt_key(void
- }
-
- algorithm = SECOID_GetAlgorithmTag(algid);
-- pwitem = p12dcx->pwitem;
--
-- /* here we assume that the password is already encoded into
-- * BMPString by the caller. if the encryption scheme is not the
-- * one defined in PKCS #12, decode the password back into
-- * UTF-8. */
-- if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) {
-- if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem,
-- p12dcx->pwitem,
-- PR_TRUE, PR_FALSE, PR_FALSE)) {
-- PORT_SetError(SEC_ERROR_NO_MEMORY);
-- return NULL;
-- }
-- pwitem = &decodedPwitem;
-- }
--
-- bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
-- PR_FALSE, p12dcx->wincx);
-+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem))
-+ return NULL;
-+
-+ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
- /* some tokens can't generate PBE keys on their own, generate the
- * key in the internal slot, and let the Import code deal with it,
- * (if the slot can't generate PBEs, then we need to use the internal
-@@ -218,8 +203,7 @@ sec_pkcs12_decoder_get_decrypt_key(void
- if (!bulkKey && !PK11_IsInternal(slot)) {
- PK11_FreeSlot(slot);
- slot = PK11_GetInternalKeySlot();
-- bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
-- PR_FALSE, p12dcx->wincx);
-+ bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
- }
- PK11_FreeSlot(slot);
-
-@@ -228,8 +212,8 @@ sec_pkcs12_decoder_get_decrypt_key(void
- PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL);
- }
-
-- if (decodedPwitem.data) {
-- SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE);
-+ if (pwitem.data) {
-+ SECITEM_ZfreeItem(&pwitem, PR_FALSE);
- }
-
- return bulkKey;
-@@ -2476,13 +2460,25 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke
- nickName, publicValue, PR_TRUE, PR_TRUE,
- keyUsage, wincx);
- break;
-- case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
-+ case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: {
-+ SECItem pwitem = { 0 };
-+ SECAlgorithmID *algid =
-+ &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm;
-+ SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
-+
-+ if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
-+ key->pwitem))
-+ return SECFailure;
- rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
- key->safeBagContent.pkcs8ShroudedKeyBag,
-- key->pwitem, nickName, publicValue,
-+ &pwitem, nickName, publicValue,
- PR_TRUE, PR_TRUE, keyType, keyUsage,
- wincx);
-+ if (pwitem.data) {
-+ SECITEM_ZfreeItem(&pwitem, PR_FALSE);
-+ }
- break;
-+ }
- default:
- key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
- key->problem = PR_TRUE;
-diff --git a/lib/pkcs12/p12e.c b/lib/pkcs12/p12e.c
---- a/lib/pkcs12/p12e.c
-+++ b/lib/pkcs12/p12e.c
-@@ -397,18 +397,9 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC
- }
- safeInfo->arena = p12ctxt->arena;
-
-- if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) {
-- /* convert the password to unicode */
-- if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
-- PR_TRUE, PR_TRUE, PR_TRUE)) {
-- PORT_SetError(SEC_ERROR_NO_MEMORY);
-- goto loser;
-- }
-- } else {
-- if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) {
-- PORT_SetError(SEC_ERROR_NO_MEMORY);
-- goto loser;
-- }
-+ if (!sec_pkcs12_encode_password(NULL, &uniPwitem, privAlg, pwitem)) {
-+ PORT_SetError(SEC_ERROR_NO_MEMORY);
-+ goto loser;
- }
- if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
-@@ -1221,8 +1212,8 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12Export
- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
- PK11SlotInfo *slot = NULL;
-
-- if (!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
-- pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
-+ if (!sec_pkcs12_encode_password(p12ctxt->arena, &uniPwitem, algorithm,
-+ pwitem)) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- goto loser;
- }
-diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
---- a/lib/pkcs12/p12local.c
-+++ b/lib/pkcs12/p12local.c
-@@ -976,6 +976,46 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
- }
- }
-
-+/* this function decodes a password from Unicode if necessary,
-+ * according to the PBE algorithm.
-+ *
-+ * we assume that the pwitem is already encoded in Unicode by the
-+ * caller. if the encryption scheme is not the one defined in PKCS
-+ * #12, decode the pwitem back into UTF-8. */
-+PRBool
-+sec_pkcs12_decode_password(PLArenaPool *arena,
-+ SECItem *result,
-+ SECOidTag algorithm,
-+ const SECItem *pwitem)
-+{
-+ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
-+ return sec_pkcs12_convert_item_to_unicode(arena, result,
-+ (SECItem *)pwitem,
-+ PR_TRUE, PR_FALSE, PR_FALSE);
-+
-+ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
-+}
-+
-+/* this function encodes a password into Unicode if necessary,
-+ * according to the PBE algorithm.
-+ *
-+ * we assume that the pwitem holds a raw password. if the encryption
-+ * scheme is the one defined in PKCS #12, encode the password into
-+ * BMPString. */
-+PRBool
-+sec_pkcs12_encode_password(PLArenaPool *arena,
-+ SECItem *result,
-+ SECOidTag algorithm,
-+ const SECItem *pwitem)
-+{
-+ if (sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
-+ return sec_pkcs12_convert_item_to_unicode(arena, result,
-+ (SECItem *)pwitem,
-+ PR_TRUE, PR_TRUE, PR_TRUE);
-+
-+ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
-+}
-+
- /* pkcs 12 templates */
- static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
- sec_pkcs12_choose_shroud_type;
-diff --git a/lib/pkcs12/p12local.h b/lib/pkcs12/p12local.h
---- a/lib/pkcs12/p12local.h
-+++ b/lib/pkcs12/p12local.h
-@@ -57,4 +57,13 @@ sec_PKCS12ConvertOldSafeToNew(PLArenaPoo
-
- extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm);
-
-+extern PRBool sec_pkcs12_decode_password(PLArenaPool *arena,
-+ SECItem *result,
-+ SECOidTag algorithm,
-+ const SECItem *pwitem);
-+extern PRBool sec_pkcs12_encode_password(PLArenaPool *arena,
-+ SECItem *result,
-+ SECOidTag algorithm,
-+ const SECItem *pwitem);
-+
- #endif
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1491397923 -7200
-# Wed Apr 05 15:12:03 2017 +0200
-# Node ID c9af3144ac8cd7e2203817a334a9f814649e86b0
-# Parent 769f9ae07b103494af809620478e60256a344adc
-fix key length calculation for PKCS#5 DES-EDE3-CBC-Pad
-
-diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
---- a/lib/pk11wrap/pk11pbe.c
-+++ b/lib/pk11wrap/pk11pbe.c
-@@ -370,6 +370,13 @@ sec_pkcs5v2_key_length(SECAlgorithmID *a
- length = sec_pkcs5v2_aes_key_length(cipherAlg);
- } else if (p5_param.keyLength.data != NULL) {
- length = DER_GetInteger(&p5_param.keyLength);
-+ } else {
-+ CK_MECHANISM_TYPE cipherMech;
-+ cipherMech = PK11_AlgtagToMechanism(cipherAlg);
-+ if (cipherMech == CKM_INVALID_MECHANISM) {
-+ goto loser;
-+ }
-+ length = PK11_GetMaxKeyLength(cipherMech);
- }
-
- loser:
-diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h
---- a/lib/pk11wrap/pk11priv.h
-+++ b/lib/pk11wrap/pk11priv.h
-@@ -106,6 +106,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(
- void *wincx, PK11SlotInfo **pSlot);
- PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
- CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
-+unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
-
- /**********************************************************************
- * Certs
-diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
---- a/lib/pk11wrap/pk11slot.c
-+++ b/lib/pk11wrap/pk11slot.c
-@@ -2291,6 +2291,14 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE m
- }
- }
- }
-+
-+ /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */
-+ if (keyLength == 0) {
-+ CK_KEY_TYPE keyType;
-+ keyType = PK11_GetKeyType(mechanism, 0);
-+ keyLength = pk11_GetPredefinedKeyLength(keyType);
-+ }
-+
- if (le)
- PK11_FreeSlotListElement(list, le);
- if (freeit)
diff --git a/SOURCES/nss-pss-fixes.patch b/SOURCES/nss-pss-fixes.patch
new file mode 100644
index 0000000..964e792
--- /dev/null
+++ b/SOURCES/nss-pss-fixes.patch
@@ -0,0 +1,649 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1510136005 -3600
+# Wed Nov 08 11:13:25 2017 +0100
+# Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62
+# Parent d515199921dd703087f7e0e03eb71058a015934d
+Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt
+
+Reviewers: mt, rrelyea
+
+Reviewed By: mt
+
+Bug #: 1415171
+
+Differential Revision: https://phabricator.services.mozilla.com/D202
+
+diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
+--- a/cmd/lib/secutil.c
++++ b/cmd/lib/secutil.c
+@@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte
+ SECU_Indent(out, level + 1);
+ fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
+ } else {
+- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1);
++ SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1);
+ }
+ } else {
+ SECU_Indent(out, level + 1);
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+ }
+
+- rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
+- if (rv != SECSuccess) {
+- return rv;
++ if (params->saltLength.data) {
++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
++ if (rv != SECSuccess) {
++ return rv;
++ }
++ } else {
++ saltLength = 20; /* default, 20 */
+ }
+ mech->sLen = saltLength;
+
+diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
+--- a/lib/cryptohi/secsign.c
++++ b/lib/cryptohi/secsign.c
+@@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ SECKEYRSAPSSParams pssParams;
+ int modBytes, hashLength;
+ unsigned long saltLength;
++ PRBool defaultSHA1 = PR_FALSE;
+ SECStatus rv;
+
+ if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
+@@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ if (rv != SECSuccess) {
+ return NULL;
+ }
++ defaultSHA1 = PR_TRUE;
+ }
+
+ if (pssParams.trailerField.data) {
+@@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ /* Determine the hash algorithm to use, based on hashAlgTag and
+ * pssParams.hashAlg; there are four cases */
+ if (hashAlgTag != SEC_OID_UNKNOWN) {
++ SECOidTag tag = SEC_OID_UNKNOWN;
++
+ if (pssParams.hashAlg) {
+- if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) {
+- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+- return NULL;
+- }
++ tag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
++ } else if (defaultSHA1) {
++ tag = SEC_OID_SHA1;
++ }
++
++ if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return NULL;
+ }
+ } else if (hashAlgTag == SEC_OID_UNKNOWN) {
+ if (pssParams.hashAlg) {
+ hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
++ } else if (defaultSHA1) {
++ hashAlgTag = SEC_OID_SHA1;
+ } else {
+ /* Find a suitable hash algorithm based on the NIST recommendation */
+ if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */
+@@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return NULL;
+ }
++ } else if (defaultSHA1) {
++ if (hashAlgTag != SEC_OID_SHA1) {
++ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++ return NULL;
++ }
+ }
+
+ hashLength = HASH_ResultLenByOidTag(hashAlgTag);
+@@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
++ } else if (defaultSHA1) {
++ saltLength = 20;
+ }
+
+ /* Fill in the parameters */
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -516,6 +516,9 @@ cert_all_CA()
+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
+ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
+
++ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
++ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
+
+ #
+ # Create EC version of TestCA
+@@ -2054,7 +2057,7 @@ check_sign_algo()
+ {
+ certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
+ sed -n '/^ *Data:/,/^$/{
+-/^ Signature Algorithm/,/^ *Salt Length/s/^ //p
++/^ Signature Algorithm/,/^ *Salt length/s/^ //p
+ }' > ${TMP}/signalgo.txt
+
+ diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
+@@ -2088,6 +2091,12 @@ cert_test_rsapss()
+ CU_ACTION="Verify RSA-PSS CA Cert"
+ certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
++ CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
++ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
++
++ CERTSERIAL=200
++
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+@@ -2098,7 +2107,7 @@ cert_test_rsapss()
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
+@@ -2127,7 +2138,7 @@ EOF
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-512
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-512
+- Salt Length: 64 (0x40)
++ Salt length: 64 (0x40)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS
+@@ -2156,7 +2169,69 @@ EOF
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++
++ CU_ACTION="Import $CERTNAME's Cert"
++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${CERTNAME}.cert" 2>&1
++
++ CU_ACTION="Verify $CERTNAME's Cert"
++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
++ cat > ${TMP}/signalgo.exp <<EOF
++Signature Algorithm: PKCS #1 RSA-PSS Signature
++ Parameters:
++ Hash algorithm: SHA-256
++ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
++ Mask hash algorithm: SHA-256
++ Salt length: 32 (0x20)
++EOF
++ check_sign_algo
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA
++ # Signature: RSA-PSS (explicit, with --pss-sign)
++ CERTNAME="TestUser-rsa-pss4"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++
++ CU_ACTION="Import $CERTNAME's Cert"
++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${CERTNAME}.cert" 2>&1
++
++ CU_ACTION="Verify $CERTNAME's Cert"
++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
++ cat > ${TMP}/signalgo.exp <<EOF
++Signature Algorithm: PKCS #1 RSA-PSS Signature
++ Parameters:
++ Hash algorithm: SHA-256
++ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
++ Mask hash algorithm: SHA-256
++ Salt length: 32 (0x20)
++EOF
++ check_sign_algo
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (explicit, with --pss-sign)
++ CERTNAME="TestUser-rsa-pss5"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA-PSS
+- # Issuer certificate: RSA
+- # Signature: RSA-PSS (explicit, with --pss-sign)
+- CERTNAME="TestUser-rsa-pss4"
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (implicit, without --pss-sign)
++ CERTNAME="TestUser-rsa-pss6"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \
++ # Sign without --pss-sign nor -Z option
++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (explicit, with --pss-sign)
+- CERTNAME="TestUser-rsa-pss5"
++ # Signature: RSA-PSS (with conflicting hash algorithm)
++ CERTNAME="TestUser-rsa-pss7"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \
++ RETEXPECTED=255
++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++ RETEXPECTED=0
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (with compatible hash algorithm)
++ CERTNAME="TestUser-rsa-pss8"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
+- # Subject certificate: RSA-PSS
+- # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (implicit, without --pss-sign)
+- CERTNAME="TestUser-rsa-pss6"
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA
++ # Issuer certificate: RSA
++ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
++ CERTNAME="TestUser-rsa-pss9"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2255,39 +2354,27 @@ EOF
+ cat > ${TMP}/signalgo.exp <<EOF
+ Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+- Hash algorithm: SHA-256
+- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+- Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Hash algorithm: default, SHA-1
++ Mask algorithm: default, MGF1
++ Mask hash algorithm: default, SHA-1
++ Salt length: default, 20 (0x14)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (with conflicting hash algorithm)
+- CERTNAME="TestUser-rsa-pss7"
++ # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
++ CERTNAME="TestUser-rsa-pss10"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- RETEXPECTED=255
+- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \
+- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+- RETEXPECTED=0
+-
+- # Subject certificate: RSA-PSS
+- # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (with compatible hash algorithm)
+- CERTNAME="TestUser-rsa-pss8"
+-
+- CU_ACTION="Generate Cert Request for $CERTNAME"
+- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+-
+- CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \
++ # Sign without --pss-sign nor -Z option
++ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2299,12 +2386,29 @@ EOF
+ cat > ${TMP}/signalgo.exp <<EOF
+ Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+- Hash algorithm: SHA-256
+- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+- Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Hash algorithm: default, SHA-1
++ Mask algorithm: default, MGF1
++ Mask hash algorithm: default, SHA-1
++ Salt length: default, 20 (0x14)
+ EOF
+ check_sign_algo
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
++ CERTNAME="TestUser-rsa-pss11"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ RETEXPECTED=255
++ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++ RETEXPECTED=0
+ }
+
+ ############################## cert_cleanup ############################
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1514884761 -3600
+# Tue Jan 02 10:19:21 2018 +0100
+# Node ID 5a14f42384eb22b67e0465949c03555eff41e4af
+# Parent e577b1df8dabb31466cebad07fdbe0883290bede
+Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt
+
+Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification. It also add missing support for SHA224 as underlying hash algorithm.
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Bug #: 1423557
+
+Differential Revision: https://phabricator.services.mozilla.com/D322
+
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t
+ return CKM_SHA384;
+ case SEC_OID_SHA256:
+ return CKM_SHA256;
++ case SEC_OID_SHA224:
++ return CKM_SHA224;
++ case SEC_OID_SHA1:
++ return CKM_SHA_1;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+- /* fallthrough */
+- case SEC_OID_SHA1:
+- break;
++ return CKM_INVALID_MECHANISM;
+ }
+- return CKM_SHA_1;
+ }
+
+ static CK_RSA_PKCS_MGF_TYPE
+@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
+ return CKG_MGF1_SHA384;
+ case SEC_OID_SHA256:
+ return CKG_MGF1_SHA256;
++ case SEC_OID_SHA224:
++ return CKG_MGF1_SHA224;
++ case SEC_OID_SHA1:
++ return CKG_MGF1_SHA1;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+- /* fallthrough */
+- case SEC_OID_SHA1:
+- break;
++ return 0;
+ }
+- return CKG_MGF1_SHA1;
+ }
+
+ SECStatus
+@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ SECStatus rv = SECSuccess;
+ SECOidTag hashAlgTag;
+ unsigned long saltLength;
++ unsigned long trailerField;
+
+ PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+
+@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
+ }
+ mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
++ if (mech->hashAlg == CKM_INVALID_MECHANISM) {
++ return SECFailure;
++ }
+
+ if (params->maskAlg) {
+ SECAlgorithmID maskHashAlg;
+@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ }
+ maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
+ mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
++ if (mech->mgf == 0) {
++ return SECFailure;
++ }
+ } else {
+ mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+ }
+@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ }
+ mech->sLen = saltLength;
+
++ if (params->trailerField.data) {
++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField);
++ if (rv != SECSuccess) {
++ return rv;
++ }
++ if (trailerField != 1) {
++ /* the value must be 1, which represents the trailer field
++ * with hexadecimal value 0xBC */
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return SECFailure;
++ }
++ }
++
+ return rv;
+ }
+diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/TestCA-bogus-rsa-pss1.crt
+@@ -0,0 +1,26 @@
++-----BEGIN CERTIFICATE-----
++MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
++oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
++BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
++biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
++IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
++GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
++Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
++U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
++ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
++CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
++AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
++yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
++SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
++xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
++/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
++Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
++BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
++OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
++ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
++HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
++nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
++pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
++hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
++uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
++-----END CERTIFICATE-----
+diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/TestCA-bogus-rsa-pss2.crt
+@@ -0,0 +1,24 @@
++-----BEGIN CERTIFICATE-----
++MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
++GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
++MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
++EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
++IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
++NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
++Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
++UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
++DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
++7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
++Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
++sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
++eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
++aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
++hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
++BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
++AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
++fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
++difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
++4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
++g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
++0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
++-----END CERTIFICATE-----
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -2095,6 +2095,20 @@ cert_test_rsapss()
+ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
+
++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
++ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
++ RETEXPECTED=255
++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
++ RETEXPECTED=0
++
++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
++ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
++ RETEXPECTED=255
++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
++ RETEXPECTED=0
++
+ CERTSERIAL=200
+
+ # Subject certificate: RSA
diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch
new file mode 100644
index 0000000..7a75e50
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch
@@ -0,0 +1,47 @@
+diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2017-10-06 16:41:39.223713982 +0200
+@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
+ // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
+ // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
+ // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
+- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM.
++ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) {
+ return ssl_grp_ec_secp384r1;
+ }
+ return ssl_grp_ec_curve25519;
+@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P(
+ ::testing::Values(TlsAgent::kServerEcdsa256),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM, and that causes the following
++ // 3 TLS 1.2 tests to fail.
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa521),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
++#if 0
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P(
+ TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_sha1)));
++#endif
+ }
diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch
index 6c7fb1d..02bf308 100644
--- a/SOURCES/nss-skip-util-gtest.patch
+++ b/SOURCES/nss-skip-util-gtest.patch
@@ -1,34 +1,33 @@
diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
---- nss/gtests/manifest.mn.skip-util-gtests 2017-01-30 02:06:08.000000000 +0100
-+++ nss/gtests/manifest.mn 2017-02-17 12:55:55.064026636 +0100
-@@ -9,7 +9,6 @@ DIRS = \
- google_test \
- common \
- der_gtest \
-- util_gtest \
- pk11_gtest \
- ssl_gtest \
- nss_bogo_shim \
-diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
---- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-02-17 12:55:55.063026657 +0100
-+++ nss/gtests/ssl_gtest/manifest.mn 2017-02-17 12:55:55.064026636 +0100
-@@ -48,6 +48,6 @@ REQUIRES = nspr nss libdbm gtest
+--- nss/gtests/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/manifest.mn 2017-10-19 11:02:27.773910909 +0200
+@@ -32,6 +32,5 @@ endif
- PROGRAM = ssl_gtest
- EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
-+ -lsoftokn3
+ DIRS = \
+ $(LIB_SRCDIRS) \
+- $(UTIL_SRCDIRS) \
+ $(NSS_SRCDIRS) \
+ $(NULL)
+diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/ssl_gtest/manifest.mn 2017-10-19 11:02:27.773910909 +0200
+@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest
+ EXTRA_LIBS += \
+ $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
++ -lsoftokn3
+ $(NULL)
USE_STATIC_LIBS = 1
diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh
---- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-02-17 12:56:49.434880888 +0100
-+++ nss/tests/gtests/gtests.sh 2017-02-17 12:56:54.677770408 +0100
-@@ -82,7 +82,7 @@ gtest_cleanup()
+--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/tests/gtests/gtests.sh 2017-10-19 11:03:57.473976538 +0200
+@@ -83,7 +83,7 @@ gtest_cleanup()
}
################## main #################################################
--GTESTS="der_gtest pk11_gtest util_gtest"
-+GTESTS="der_gtest pk11_gtest"
+-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest"
++GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest"
+ SOURCE_DIR="$PWD"/../..
gtest_init $0
gtest_start
- gtest_cleanup
diff --git a/SOURCES/nss-ssl3gthr.patch b/SOURCES/nss-ssl3gthr.patch
deleted file mode 100644
index 438b0f2..0000000
--- a/SOURCES/nss-ssl3gthr.patch
+++ /dev/null
@@ -1,301 +0,0 @@
-diff -up nss/gtests/ssl_gtest/ssl_gather_unittest.cc.ssl3gthr nss/gtests/ssl_gtest/ssl_gather_unittest.cc
---- nss/gtests/ssl_gtest/ssl_gather_unittest.cc.ssl3gthr 2017-04-28 14:40:23.579583263 +0200
-+++ nss/gtests/ssl_gtest/ssl_gather_unittest.cc 2017-04-28 14:40:23.579583263 +0200
-@@ -0,0 +1,153 @@
-+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-+/* vim: set ts=2 et sw=2 tw=80: */
-+/* This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
-+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
-+
-+#include "gtest_utils.h"
-+#include "tls_connect.h"
-+
-+namespace nss_test {
-+
-+class GatherV2ClientHelloTest : public TlsConnectTestBase {
-+ public:
-+ GatherV2ClientHelloTest() : TlsConnectTestBase(STREAM, 0) {}
-+
-+ void ConnectExpectMalformedClientHello(const DataBuffer &data) {
-+ EnsureTlsSetup();
-+
-+ auto alert_recorder = new TlsAlertRecorder();
-+ server_->SetPacketFilter(alert_recorder);
-+
-+ client_->SendDirect(data);
-+ server_->StartConnect();
-+ server_->Handshake();
-+ ASSERT_TRUE_WAIT(
-+ (server_->error_code() == SSL_ERROR_RX_MALFORMED_CLIENT_HELLO), 2000);
-+
-+ EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
-+ EXPECT_EQ(illegal_parameter, alert_recorder->description());
-+ }
-+};
-+
-+// Gather a 5-byte v3 record, with a zero fragment length. The empty handshake
-+// message should be ignored, and the connection will succeed afterwards.
-+TEST_F(TlsConnectTest, GatherEmptyV3Record) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x16, 1); // handshake
-+ idx = buffer.Write(idx, 0x0301, 2); // record_version
-+ (void)buffer.Write(idx, 0U, 2); // length=0
-+
-+ EnsureTlsSetup();
-+ client_->SendDirect(buffer);
-+ Connect();
-+}
-+
-+// Gather a 5-byte v3 record, with a fragment length exceeding the maximum.
-+TEST_F(TlsConnectTest, GatherExcessiveV3Record) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x16, 1); // handshake
-+ idx = buffer.Write(idx, 0x0301, 2); // record_version
-+ (void)buffer.Write(idx, MAX_FRAGMENT_LENGTH + 2048 + 1, 2); // length=max+1
-+
-+ EnsureTlsSetup();
-+ auto alert_recorder = new TlsAlertRecorder();
-+ server_->SetPacketFilter(alert_recorder);
-+ client_->SendDirect(buffer);
-+ server_->StartConnect();
-+ server_->Handshake();
-+ ASSERT_TRUE_WAIT((server_->error_code() == SSL_ERROR_RX_RECORD_TOO_LONG),
-+ 2000);
-+
-+ EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
-+ EXPECT_EQ(record_overflow, alert_recorder->description());
-+}
-+
-+// Gather a 3-byte v2 header, with a fragment length of 2.
-+TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x0002, 2); // length=2 (long header)
-+ idx = buffer.Write(idx, 0U, 1); // padding=0
-+ (void)buffer.Write(idx, 0U, 2); // data
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+// Gather a 3-byte v2 header, with a fragment length of 1.
-+TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader2) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x0001, 2); // length=1 (long header)
-+ idx = buffer.Write(idx, 0U, 1); // padding=0
-+ idx = buffer.Write(idx, 0U, 1); // data
-+ (void)buffer.Write(idx, 0U, 1); // surplus (need 5 bytes total)
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+// Gather a 3-byte v2 header, with a zero fragment length.
-+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordLongHeader) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0U, 2); // length=0 (long header)
-+ idx = buffer.Write(idx, 0U, 1); // padding=0
-+ (void)buffer.Write(idx, 0U, 2); // surplus (need 5 bytes total)
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+// Gather a 2-byte v2 header, with a fragment length of 3.
-+TEST_F(GatherV2ClientHelloTest, GatherV2RecordShortHeader) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x8003, 2); // length=3 (short header)
-+ (void)buffer.Write(idx, 0U, 3); // data
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+// Gather a 2-byte v2 header, with a fragment length of 2.
-+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader2) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x8002, 2); // length=2 (short header)
-+ idx = buffer.Write(idx, 0U, 2); // data
-+ (void)buffer.Write(idx, 0U, 1); // surplus (need 5 bytes total)
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+// Gather a 2-byte v2 header, with a fragment length of 1.
-+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader3) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x8001, 2); // length=1 (short header)
-+ idx = buffer.Write(idx, 0U, 1); // data
-+ (void)buffer.Write(idx, 0U, 2); // surplus (need 5 bytes total)
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+// Gather a 2-byte v2 header, with a zero fragment length.
-+TEST_F(GatherV2ClientHelloTest, GatherEmptyV2RecordShortHeader) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x8000, 2); // length=0 (short header)
-+ (void)buffer.Write(idx, 0U, 3); // surplus (need 5 bytes total)
-+
-+ ConnectExpectMalformedClientHello(buffer);
-+}
-+
-+} // namespace nss_test
-diff -up nss/gtests/ssl_gtest/ssl_gtest.gyp.ssl3gthr nss/gtests/ssl_gtest/ssl_gtest.gyp
---- nss/gtests/ssl_gtest/ssl_gtest.gyp.ssl3gthr 2017-04-28 14:40:23.579583263 +0200
-+++ nss/gtests/ssl_gtest/ssl_gtest.gyp 2017-04-28 14:42:07.853153503 +0200
-@@ -25,6 +25,7 @@
- 'ssl_exporter_unittest.cc',
- 'ssl_extension_unittest.cc',
- 'ssl_fuzz_unittest.cc',
-+ 'ssl_gather_unittest.cc',
- 'ssl_gtest.cc',
- 'ssl_hrr_unittest.cc',
- 'ssl_loopback_unittest.cc',
-diff -up nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.ssl3gthr nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
---- nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.ssl3gthr 2017-04-05 14:23:56.000000000 +0200
-+++ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc 2017-04-28 14:40:23.579583263 +0200
-@@ -202,6 +202,28 @@ TEST_P(SSLv2ClientHelloTest, Connect) {
- Connect();
- }
-
-+// Sending a v2 ClientHello after a no-op v3 record must fail.
-+TEST_P(SSLv2ClientHelloTest, ConnectAfterEmptyV3Record) {
-+ DataBuffer buffer;
-+
-+ size_t idx = 0;
-+ idx = buffer.Write(idx, 0x16, 1); // handshake
-+ idx = buffer.Write(idx, 0x0301, 2); // record_version
-+ (void)buffer.Write(idx, 0U, 2); // length=0
-+
-+ SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
-+ EnsureTlsSetup();
-+ client_->SendDirect(buffer);
-+
-+ // Need padding so the connection doesn't just time out. With a v2
-+ // ClientHello parsed as a v3 record we will use the record version
-+ // as the record length.
-+ SetPadding(255);
-+
-+ ConnectExpectFail();
-+ EXPECT_EQ(SSL_ERROR_BAD_CLIENT, server_->error_code());
-+}
-+
- // Test negotiating TLS 1.3.
- TEST_F(SSLv2ClientHelloTestF, Connect13) {
- EnsureTlsSetup();
-diff -up nss/lib/ssl/ssl3gthr.c.ssl3gthr nss/lib/ssl/ssl3gthr.c
---- nss/lib/ssl/ssl3gthr.c.ssl3gthr 2017-04-05 14:23:56.000000000 +0200
-+++ nss/lib/ssl/ssl3gthr.c 2017-04-28 14:40:23.579583263 +0200
-@@ -32,6 +32,7 @@ ssl3_InitGather(sslGather *gs)
- gs->readOffset = 0;
- gs->dtlsPacketOffset = 0;
- gs->dtlsPacket.len = 0;
-+ gs->rejectV2Records = PR_FALSE;
- status = sslBuffer_Grow(&gs->buf, 4096);
- return status;
- }
-@@ -147,8 +148,11 @@ ssl3_GatherData(sslSocket *ss, sslGather
- switch (gs->state) {
- case GS_HEADER:
- /* Check for SSLv2 handshakes. Always assume SSLv3 on clients,
-- * support SSLv2 handshakes only when ssl2gs != NULL. */
-- if (!ssl2gs || ssl3_isLikelyV3Hello(gs->hdr)) {
-+ * support SSLv2 handshakes only when ssl2gs != NULL.
-+ * Always assume v3 after we received the first record. */
-+ if (!ssl2gs ||
-+ ss->gs.rejectV2Records ||
-+ ssl3_isLikelyV3Hello(gs->hdr)) {
- /* Should have a non-SSLv2 record header in gs->hdr. Extract
- * the length of the following encrypted data, and then
- * read in the rest of the record into gs->inbuf. */
-@@ -183,7 +187,7 @@ ssl3_GatherData(sslSocket *ss, sslGather
- /* This is the max length for an encrypted SSLv3+ fragment. */
- if (!v2HdrLength &&
- gs->remainder > (MAX_FRAGMENT_LENGTH + 2048)) {
-- SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-+ SSL3_SendAlert(ss, alert_fatal, record_overflow);
- gs->state = GS_INIT;
- PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
- return SECFailure;
-@@ -205,13 +209,28 @@ ssl3_GatherData(sslSocket *ss, sslGather
- * many into the gs->hdr[] buffer. Copy them over into inbuf so
- * that we can properly process the hello record later. */
- if (v2HdrLength) {
-+ /* Reject v2 records that don't even carry enough data to
-+ * resemble a valid ClientHello header. */
-+ if (gs->remainder < SSL_HL_CLIENT_HELLO_HBYTES) {
-+ SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
-+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
-+ return SECFailure;
-+ }
-+
-+ PORT_Assert(lbp);
- gs->inbuf.len = 5 - v2HdrLength;
- PORT_Memcpy(lbp, gs->hdr + v2HdrLength, gs->inbuf.len);
- gs->remainder -= gs->inbuf.len;
- lbp += gs->inbuf.len;
- }
-
-- break; /* End this case. Continue around the loop. */
-+ if (gs->remainder > 0) {
-+ break; /* End this case. Continue around the loop. */
-+ }
-+
-+ /* FALL THROUGH if (gs->remainder == 0) as we just received
-+ * an empty record and there's really no point in calling
-+ * ssl_DefRecv() with buf=NULL and len=0. */
-
- case GS_DATA:
- /*
-@@ -219,6 +238,10 @@ ssl3_GatherData(sslSocket *ss, sslGather
- */
- SSL_TRC(10, ("%d: SSL[%d]: got record of %d bytes",
- SSL_GETPID(), ss->fd, gs->inbuf.len));
-+
-+ /* reject any v2 records from now on */
-+ ss->gs.rejectV2Records = PR_TRUE;
-+
- gs->state = GS_INIT;
- return 1;
- }
-diff -up nss/lib/ssl/ssldef.c.ssl3gthr nss/lib/ssl/ssldef.c
---- nss/lib/ssl/ssldef.c.ssl3gthr 2017-04-05 14:23:56.000000000 +0200
-+++ nss/lib/ssl/ssldef.c 2017-04-28 14:40:23.579583263 +0200
-@@ -66,6 +66,8 @@ ssl_DefRecv(sslSocket *ss, unsigned char
- PRFileDesc *lower = ss->fd->lower;
- int rv;
-
-+ PORT_Assert(buf && len > 0);
-+
- rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
- if (rv < 0) {
- DEFINE_ERROR
-diff -up nss/lib/ssl/sslimpl.h.ssl3gthr nss/lib/ssl/sslimpl.h
---- nss/lib/ssl/sslimpl.h.ssl3gthr 2017-04-28 14:40:23.566583566 +0200
-+++ nss/lib/ssl/sslimpl.h 2017-04-28 14:40:23.580583240 +0200
-@@ -367,6 +367,10 @@ struct sslGatherStr {
-
- /* the start of the buffered DTLS record in dtlsPacket */
- unsigned int dtlsPacketOffset;
-+
-+ /* tracks whether we've seen a v3-type record before and must reject
-+ * any further v2-type records. */
-+ PRBool rejectV2Records;
- };
-
- /* sslGather.state */
diff --git a/SOURCES/nss-tools-sha256-default.patch b/SOURCES/nss-tools-sha256-default.patch
deleted file mode 100644
index 288d5d8..0000000
--- a/SOURCES/nss-tools-sha256-default.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-# HG changeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1489096275 -3600
-# Thu Mar 09 22:51:15 2017 +0100
-# Node ID 848abc2061a45b8387893891e814b80db1e2bd53
-# Parent 482e9cbb16f13cd22f9ef7b5a73a4e3ea68ecf82
-Bug 1345106, Don't use SHA1 by default for signatures in the NSS library and in certutil, crlutil and cmsutil, r=rrelyea
-
-diff --git a/cmd/smimetools/cmsutil.c b/cmd/smimetools/cmsutil.c
---- a/cmd/smimetools/cmsutil.c
-+++ b/cmd/smimetools/cmsutil.c
-@@ -84,7 +84,7 @@ Usage(char *progName)
- " where id can be a certificate nickname or email address\n"
- " -S create a CMS signed data message\n"
- " -G include a signing time attribute\n"
-- " -H hash use hash (default:SHA1)\n"
-+ " -H hash use hash (default:SHA256)\n"
- " -N nick use certificate named \"nick\" for signing\n"
- " -P include a SMIMECapabilities attribute\n"
- " -T do not include content in CMS message\n"
-@@ -1097,7 +1097,7 @@ main(int argc, char **argv)
- signOptions.signingTime = PR_FALSE;
- signOptions.smimeProfile = PR_FALSE;
- signOptions.encryptionKeyPreferenceNick = NULL;
-- signOptions.hashAlgTag = SEC_OID_SHA1;
-+ signOptions.hashAlgTag = SEC_OID_SHA256;
- envelopeOptions.recipients = NULL;
- encryptOptions.recipients = NULL;
- encryptOptions.envmsg = NULL;
-diff --git a/cmd/smimetools/smime b/cmd/smimetools/smime
---- a/cmd/smimetools/smime
-+++ b/cmd/smimetools/smime
-@@ -199,8 +199,8 @@ sub signentity($$)
- # construct a new multipart/signed MIME entity consisting of the original content and
- # the signature
- #
-- # (we assume that cmsutil generates a SHA1 digest)
-- $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
-+ # (we assume that cmsutil generates a SHA256 digest)
-+ $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n";
- $out .= "\n"; # end of entity header
- $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
- $out .= "\n--${boundary}\n";
-diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
---- a/lib/cryptohi/secsign.c
-+++ b/lib/cryptohi/secsign.c
-@@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECI
- if (algID == SEC_OID_UNKNOWN) {
- switch (pk->keyType) {
- case rsaKey:
-- algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-+ algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
- break;
- case dsaKey:
- /* get Signature length (= q_len*2) and work from there */
- switch (PK11_SignatureLen(pk)) {
-+ case 320:
-+ algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-+ break;
- case 448:
- algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
- break;
- case 512:
-+ default:
- algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
- break;
-- default:
-- algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
-- break;
- }
- break;
- case ecKey:
-- algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
-+ algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_KEY);
-@@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType
- break;
- case dsaKey:
- switch (hashAlgTag) {
-- case SEC_OID_UNKNOWN: /* default for DSA if not specified */
- case SEC_OID_SHA1:
- sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
- break;
- case SEC_OID_SHA224:
- sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
- break;
-+ case SEC_OID_UNKNOWN: /* default for DSA if not specified */
- case SEC_OID_SHA256:
- sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
- break;
-@@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType
- break;
- case ecKey:
- switch (hashAlgTag) {
-- case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
- case SEC_OID_SHA1:
- sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE;
- break;
- case SEC_OID_SHA224:
- sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE;
- break;
-+ case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
- case SEC_OID_SHA256:
- sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
- break;
diff --git a/SOURCES/nss-transcript.patch b/SOURCES/nss-transcript.patch
deleted file mode 100644
index 170b3bc..0000000
--- a/SOURCES/nss-transcript.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-# HG changeset patch
-# User Martin Thomson <martin.thomson@gmail.com>
-# Date 1501813647 -36000
-# Fri Aug 04 12:27:27 2017 +1000
-# Node ID 839200ce0943166a079284bdf45dcc37bb672925
-# Parent 6254e8431392863fd0aa7e70c311add48af05775
-Bug 1377618 - Simplify handling of CertificateVerify, r=kaie
-
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -9758,13 +9758,12 @@ ssl3_HandleCertificateVerify(sslSocket *
-
- hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
-
-- if (hashes->u.pointer_to_hash_input.data) {
-- rv = ssl3_ComputeHandshakeHash(hashes->u.pointer_to_hash_input.data,
-- hashes->u.pointer_to_hash_input.len,
-- hashAlg, &localHashes);
-- } else {
-- rv = SECFailure;
-- }
-+ /* Read from the message buffer, but we need to use only up to the end
-+ * of the previous handshake message. The length of the transcript up to
-+ * that point is saved in |hashes->u.transcriptLen|. */
-+ rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf,
-+ hashes->u.transcriptLen,
-+ hashAlg, &localHashes);
-
- if (rv == SECSuccess) {
- hashesForVerify = &localHashes;
-@@ -11664,15 +11663,15 @@ ssl3_HandleHandshakeMessage(sslSocket *s
- * additional handshake messages will have been added to the
- * buffer, e.g. the certificate_verify message itself.)
- *
-- * Therefore, we use SSL3Hashes.u.pointer_to_hash_input
-- * to signal the current state of the buffer.
-+ * Therefore, we use SSL3Hashes.u.transcriptLen to save how much
-+ * data there is and read directly from ss->ssl3.hs.messages
-+ * when calculating the hashes.
- *
- * ssl3_HandleCertificateVerify will detect
- * hashType == handshake_hash_record
- * and use that information to calculate the hash.
- */
-- hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf;
-- hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len;
-+ hashes.u.transcriptLen = ss->ssl3.hs.messages.len;
- hashesPtr = &hashes;
- } else {
- computeHashes = PR_TRUE;
-diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h
---- a/lib/ssl/ssl3prot.h
-+++ b/lib/ssl/ssl3prot.h
-@@ -236,7 +236,7 @@ typedef struct {
- union {
- PRUint8 raw[64];
- SSL3HashesIndividually s;
-- SECItem pointer_to_hash_input;
-+ unsigned int transcriptLen;
- } u;
- } SSL3Hashes;
-
diff --git a/SOURCES/nss-tstclnt-optspec.patch b/SOURCES/nss-tstclnt-optspec.patch
deleted file mode 100644
index e76dba0..0000000
--- a/SOURCES/nss-tstclnt-optspec.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1487602422 -3600
-# Mon Feb 20 15:53:42 2017 +0100
-# Branch wip/dueno/tstclnt-optstate
-# Node ID ec284d402a5a691e2694fe27d8ab2e95d525f5ab
-# Parent ec6b5abc4187459458779d1e90bc8500a011eb3a
-tstclnt: use correct option spec for -W
-
-diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
---- a/cmd/tstclnt/tstclnt.c
-+++ b/cmd/tstclnt/tstclnt.c
-@@ -1509,7 +1509,7 @@ main(int argc, char **argv)
- /* XXX: 'B' was used in the past but removed in 3.28,
- * please leave some time before resuing it. */
- optstate = PL_CreateOptState(argc, argv,
-- "46A:CDFGHI:KL:M:OR:STUV:WYZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
-+ "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
- while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
- switch (optstate->option) {
- case '?':
diff --git a/SOURCES/race.patch b/SOURCES/race.patch
deleted file mode 100644
index 3ffb787..0000000
--- a/SOURCES/race.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-diff -up nss/lib/pk11wrap/pk11util.c.race nss/lib/pk11wrap/pk11util.c
---- nss/lib/pk11wrap/pk11util.c.race 2017-01-13 17:43:25.829686952 +0100
-+++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:47:56.374041802 +0100
-@@ -1297,7 +1297,7 @@ SECMOD_HasRemovableSlots(SECMODModule *m
- */
- static SECStatus
- secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass,
-- const char *sendSpec)
-+ const char *sendSpec, PRBool needlock)
- {
- CK_OBJECT_HANDLE dummy;
- CK_ATTRIBUTE template[2];
-@@ -1312,16 +1312,16 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O
-
- PORT_Assert(attrs - template <= 2);
-
-- PK11_EnterSlotMonitor(slot);
-+ if (needlock) PK11_EnterSlotMonitor(slot);
- crv = PK11_CreateNewObject(slot, slot->session,
- template, attrs - template, PR_FALSE, &dummy);
-- PK11_ExitSlotMonitor(slot);
-+ if (needlock) PK11_ExitSlotMonitor(slot);
-
- if (crv != CKR_OK) {
- PORT_SetError(PK11_MapError(crv));
- return SECFailure;
- }
-- return SECMOD_UpdateSlotList(slot->module);
-+ return SECSuccess;
- }
-
- /*
-@@ -1330,11 +1330,20 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_O
- static PRBool
- secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID)
- {
-- PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID);
-+ PK11SlotInfo *slot = SECMOD_FindSlotByID(mod, slotID);
- if (slot) {
-- PRBool present = PK11_IsPresent(slot);
-+ CK_SLOT_INFO slotInfo;
-+ CK_RV crv;
-+ /* check if the slot is present, skip any slot reinit stuff,
-+ * or cached present values, or locking. (we don't need to lock
-+ * even if the module is not thread safe because we are already
-+ * holding the module refLock, which is the same as the slot
-+ * sessionLock if the module isn't thread safe. */
-+ crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo);
- PK11_FreeSlot(slot);
-- if (present) {
-+ if ((crv == CKR_OK) &&
-+ ((slotInfo.flags & CKF_TOKEN_PRESENT) == CKF_TOKEN_PRESENT)) {
-+ /* slot is present, so it's not empty */
- return PR_FALSE;
- }
- }
-@@ -1390,24 +1399,29 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co
- char *sendSpec;
- SECStatus rv;
-
-+ PZ_Lock(mod->refLock); /* don't reuse a slot on the fly */
- slotID = secmod_FindFreeSlot(mod);
- if (slotID == (CK_SLOT_ID)-1) {
-+ PZ_Unlock(mod->refLock);
- return NULL;
- }
-
- if (mod->slotCount == 0) {
-+ PZ_Unlock(mod->refLock);
- return NULL;
- }
-
- /* just grab the first slot in the module, any present slot should work */
- slot = PK11_ReferenceSlot(mod->slots[0]);
- if (slot == NULL) {
-+ PZ_Unlock(mod->refLock);
- return NULL;
- }
-
- /* we've found the slot, now build the moduleSpec */
- escSpec = NSSUTIL_DoubleEscape(moduleSpec, '>', ']');
- if (escSpec == NULL) {
-+ PZ_Unlock(mod->refLock);
- PK11_FreeSlot(slot);
- return NULL;
- }
-@@ -1416,16 +1430,26 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co
-
- if (sendSpec == NULL) {
- /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */
-+ PZ_Unlock(mod->refLock);
- PK11_FreeSlot(slot);
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return NULL;
- }
-- rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec);
-+ rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec,
-+ /* If the module isn't thread safe, the slot sessionLock == mod->refLock
-+ * since we already hold the refLock we don't need to lock the sessionLock
-+ */
-+ mod->isThreadSafe);
-+ PZ_Unlock(mod->refLock);
- PR_smprintf_free(sendSpec);
- PK11_FreeSlot(slot);
- if (rv != SECSuccess) {
- return NULL;
- }
-+ rv = SECMOD_UpdateSlotList(mod); /* don't call holding the mod->reflock */
-+ if (rv != SECSuccess) {
-+ return NULL;
-+ }
-
- slot = SECMOD_FindSlotByID(mod, slotID);
- if (slot) {
-@@ -1558,7 +1582,7 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot)
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-- rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec);
-+ rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec, PR_TRUE);
- PR_smprintf_free(sendSpec);
- /* if we are in the delay period for the "isPresent" call, reset
- * the delay since we know things have probably changed... */
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 635f246..ad8821b 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,13 +1,13 @@
-%global nspr_version 4.13.1
-%global nss_util_version 3.28.4
-%global nss_util_build -2
+%global nspr_version 4.17.0
+%global nss_util_version 3.34.0
+%global nss_util_build -1
# adjust to the version that gets submitted for FIPS validation
-%global nss_softokn_fips_version 3.16.2
-%global nss_softokn_version 3.28.3
+%global nss_softokn_fips_version 3.34.0
+%global nss_softokn_version 3.34.0
# Attention: Separate softokn versions for build and runtime.
-%global runtime_required_softokn_build_version -4
-# Building NSS doesn't require the softokn -13 build.
-%global build_required_softokn_build_version -4
+%global runtime_required_softokn_build_version -1
+# Building NSS doesn't require the same version of softokn built for runtime.
+%global build_required_softokn_build_version -1
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -26,8 +26,8 @@
Summary: Network Security Services
Name: nss
-Version: 3.28.4
-Release: 15%{?dist}
+Version: 3.34.0
+Release: 4%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -113,54 +113,34 @@ Patch55: enable-fips-when-system-is-in-fips-mode.patch
Patch56: p-ignore-setpolicy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
Patch62: nss-fix-deadlock-squash.patch
-# Two patches from from rhel6.8 that are also needed for rhel-7
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
-Patch74: race.patch
-Patch94: nss-3.16-token-init-race.patch
Patch100: fix-min-library-version-in-SSLVersionRange.patch
Patch108: nss-sni-c-v-fix.patch
Patch123: nss-skip-util-gtest.patch
Patch126: nss-reorder-cipher-suites.patch
Patch127: nss-disable-cipher-suites.patch
Patch128: nss-enable-cipher-suites.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932
-Patch129: moz-1320932.patch
-# Disable RSA-PSS until the feature is complete
-Patch130: disable-pss.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
-Patch132: nss-tstclnt-optspec.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1336487
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345083
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1350859
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1349705
-Patch133: nss-1334976-1336487-1345083-ca-2.14.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=956866
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1360207
-Patch134: nss-alert-handler.patch
+Patch130: nss-reorder-cipher-suites-gtests.patch
+Patch131: nss-disable-tls13-gtests.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch135: nss-check-policy-file.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345106
-Patch136: nss-tools-sha256-default.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1297397
-Patch137: nss-is-token-present-race.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1353724
-Patch138: nss-pk12util.patch
-Patch139: nss-disable-pss-gtests.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1328122
-Patch140: nss-ssl3gthr.patch
# Work around for yum
# https://bugzilla.redhat.com/show_bug.cgi?id=1469526
Patch141: nss-sysinit-getenv.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
-Patch142: nss-transcript.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1399867
-Patch143: nss-pk12util-force-unicode.patch
-# Not upstreamed yet:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1493911
+
+# Patches backported from 3.35:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265
Patch144: nss-pk12util-faulty-aes.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071
+Patch145: nss-increase-pkcs12-iterations.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847
+Patch146: nss-modutil-suppress-password.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361
+Patch147: nss-certutil-suppress-password.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171
+Patch148: nss-pss-fixes.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
+Patch149: nss-is-token-present-race.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -254,30 +234,23 @@ pushd nss
%patch56 -p1 -b .1026677_ignore_set_policy
%patch62 -p1 -b .fix_deadlock
%patch100 -p0 -b .1171318
-%patch74 -p1 -b .race
popd
-%patch94 -p0 -b .init-token-race
%patch108 -p0 -b .sni_c_v_fix
pushd nss
%patch123 -p1 -b .skip-util-gtests
%patch126 -p1 -b .reorder-cipher-suites
%patch127 -p1 -b .disable-cipher-suites
%patch128 -p1 -b .enable-cipher-suites
-%patch129 -p1 -b .fix_ssl_sh_typo
-%patch130 -p1 -b .disable_pss
-%patch132 -p1 -b .tstclnt-optspec
-%patch133 -p1 -b .mozilla-ca-policy-plus-ca-2.14
-%patch134 -p1 -b .alert-handler
+%patch130 -p1 -b .reorder-cipher-suites-gtests
+%patch131 -p1 -b .disable-tls13-gtests
%patch135 -p1 -b .check_policy_file
-%patch136 -p1 -b .tools-sha256-default
-%patch137 -p1 -b .is-token-present-race
-%patch138 -p1 -b .pk12util
-%patch139 -p1 -b .disable-pss-gtests
-%patch140 -p1 -b .ssl3gthr
%patch141 -p1 -b .sysinit-getenv
-%patch142 -p1 -b .transcript
-%patch143 -p1 -b .pk12util-force-unicode
%patch144 -p1 -b .pk12util-faulty-aes
+%patch145 -p1 -b .increase-pkcs12-iterations
+%patch146 -p1 -b .suppress-modutil-password
+%patch147 -p1 -b .suppress-certutil-password
+%patch148 -p1 -b .pss-fixes
+%patch149 -p1 -b .is-token-present-race
popd
#########################################################
@@ -381,6 +354,9 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
##### phase 2: build the rest of nss
export NSS_BLTEST_NOT_AVAILABLE=1
+
+export NSS_DISABLE_TLS_1_3=1
+
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
@@ -492,6 +468,10 @@ export USE_64
export NSS_BLTEST_NOT_AVAILABLE=1
+export NSS_DISABLE_TLS_1_3=1
+
+export NSS_FORCE_FIPS=1
+
# needed for the fips mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}
@@ -846,6 +826,7 @@ fi
%{_includedir}/nss3/smime.h
%{_includedir}/nss3/ssl.h
%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
%{_includedir}/nss3/sslproto.h
%{_includedir}/nss3/sslt.h
@@ -868,20 +849,51 @@ fi
%changelog
-* Wed Sep 27 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-15
+* Mon Jan 15 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-4
+- Re-enable nss-is-token-present-race.patch
+
+* Fri Jan 5 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-3
+- Temporarily disable nss-is-token-present-race.patch
+
+* Thu Jan 4 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-2
+- Backport necessary changes from 3.35
+
+* Fri Nov 24 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1
+- Rebase to NSS 3.34
+
+* Mon Oct 30 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-0.1.beta1
+- Rebase to NSS 3.34.BETA1
+
+* Wed Oct 25 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-3
+- Disable TLS 1.3
+
+* Wed Oct 18 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-2
+- Enable TLS 1.3
+
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1
+- Rebase to NSS 3.33
+- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants)
+- Temporarily disable race.patch and nss-3.16-token-init-race.patch,
+ which causes a deadlock in newly added test cases
+- Remove upstreamed patches: moz-1320932.patch,
+ nss-tstclnt-optspec.patch,
+ nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch,
+ nss-tools-sha256-default.patch, nss-is-token-present-race.patch,
+ nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch
+
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-14
- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption
-* Thu Sep 21 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-14
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-13
- Update iquote.patch to prefer nss.h from the source
-* Wed Sep 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-13
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-12
- Add backward compatibility to pk12util regarding password encoding
-* Fri Aug 4 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-12
+* Thu Aug 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-11
- Backport patch to simplify transcript calculation for CertificateVerify
-
-* Fri Jul 14 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-11
-- Rebuild to get correct release suffix (.el7 -> .el7_4)
+- Enable TLS 1.3 and RSA-PSS
+- Disable some upstream tests failing due to downstream ciphersuites changes
* Thu Jul 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-10
- Work around yum crash due to new NSPR symbol being used in nss-sysinit,