Bug 1420060, NSS_3_35_BETA1, r=franziskus

UPGRADE_NSS_RELEASE

security/nss/TAG-INFO

@@ -1 +1 @@
-04fc9a90997b
+NSS_3_35_BETA1

security/nss/automation/clang-format/setup.sh

@@ -17,8 +17,8 @@ apt_packages+=('locales')
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Download clang.
-curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
-curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
+curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
+curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify clang.tar.xz.sig

security/nss/automation/taskcluster/docker-clang-3.9/setup.sh

@@ -25,8 +25,8 @@ apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Download clang.
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig

security/nss/automation/taskcluster/docker-hacl/setup.sh

@@ -10,8 +10,8 @@ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
 update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
 
 # Get clang-format-3.9
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig

security/nss/automation/taskcluster/docker/setup.sh

@@ -48,8 +48,8 @@ apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
 # Download clang.
-curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig

security/nss/automation/taskcluster/graph/src/extend.js

@@ -82,8 +82,8 @@ queue.filter(task => {
   }
 
   if (task.group == "Test") {
-    // Don't run test builds on old make platforms
-    if (task.collection == "make") {
+    // Don't run test builds on old make platforms, and not for fips gyp.
+    if (task.collection == "make" || task.collection == "fips") {
       return false;
     }
   }
@@ -196,6 +196,12 @@ export default async function main() {
     features: ["allowPtrace"],
   }, "--ubsan --asan");
 
+  await scheduleLinux("Linux 64 (FIPS opt)", {
+    platform: "linux64",
+    collection: "fips",
+    image: LINUX_IMAGE,
+  }, "--enable-fips --opt");
+
   await scheduleWindows("Windows 2012 64 (debug, make)", {
     platform: "windows2012-64",
     collection: "make",
@@ -368,7 +374,6 @@ async function scheduleLinux(name, base, args = "") {
       parent: extra_build,
       symbol: "Certs-F",
       group: "FIPS",
-      env: { NSS_TEST_ENABLE_FIPS: "1" }
     }));
 
     // Schedule FIPS tests.
@@ -811,7 +816,6 @@ async function scheduleWindows(name, base, build_script) {
       parent: extra_build,
       symbol: "Certs-F",
       group: "FIPS",
-      env: { NSS_TEST_ENABLE_FIPS: "1" }
     }));
 
     // Schedule FIPS tests.

security/nss/automation/taskcluster/graph/src/try_syntax.js

@@ -22,7 +22,7 @@ function parseOptions(opts) {
   }
 
   // Parse platforms.
-  let allPlatforms = ["linux", "linux64", "linux64-asan",
+  let allPlatforms = ["linux", "linux64", "linux64-asan", "linux64-fips",
                       "win", "win64", "win-make", "win64-make",
                       "linux64-make", "linux-make", "linux-fuzz",
                       "linux64-fuzz", "aarch64", "mac"];
@@ -111,6 +111,7 @@ function filter(opts) {
         "linux": "linux32",
         "linux-fuzz": "linux32",
         "linux64-asan": "linux64",
+        "linux64-fips": "linux64",
         "linux64-fuzz": "linux64",
         "linux64-make": "linux64",
         "linux-make": "linux32",
@@ -126,6 +127,8 @@ function filter(opts) {
       // Additional checks.
       if (platform == "linux64-asan") {
         keep &= coll("asan");
+      } else if (platform == "linux64-fips") {
+        keep &= coll("fips");
       } else if (platform == "linux64-make" || platform == "linux-make" ||
                  platform == "win64-make" || platform == "win-make") {
         keep &= coll("make");

security/nss/cmd/certutil/certutil.c

@@ -1053,6 +1053,18 @@ ListModules(void)
     return SECSuccess;
 }
 
+static void
+PrintBuildFlags()
+{
+#ifdef NSS_FIPS_DISABLED
+    PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n");
+#endif
+#ifdef NSS_NO_INIT_SUPPORT
+    PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n");
+#endif
+    exit(0);
+}
+
 static void
 PrintSyntax(char *progName)
 {
@@ -1100,6 +1112,7 @@ PrintSyntax(char *progName)
     FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n",
         progName);
     FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
+    FPS "\t%s --build-flags\n", progName);
     FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
         progName);
     FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
@@ -1812,6 +1825,18 @@ luS(enum usage_level ul, const char *command)
     FPS "\n");
 }
 
+static void
+luBuildFlags(enum usage_level ul, const char *command)
+{
+    int is_my_command = (command && 0 == strcmp(command, "build-flags"));
+    if (ul == usage_all || !command || is_my_command)
+    FPS "%-15s Print enabled build flags relevant for NSS test execution\n",
+        "--build-flags");
+    if (ul == usage_selected && !is_my_command)
+        return;
+    FPS "\n");
+}
+
 static void
 LongUsage(char *progName, enum usage_level ul, const char *command)
 {
@@ -1826,6 +1851,7 @@ LongUsage(char *progName, enum usage_level ul, const char *command)
     luU(ul, command);
     luK(ul, command);
     luL(ul, command);
+    luBuildFlags(ul, command);
     luM(ul, command);
     luN(ul, command);
     luT(ul, command);
@@ -2401,6 +2427,7 @@ enum {
     cmd_Merge,
     cmd_UpgradeMerge, /* test only */
     cmd_Rename,
+    cmd_BuildFlags,
     max_cmd
 };
 
@@ -2503,7 +2530,9 @@ static const secuCommandFlag commands_init[] =
       { /* cmd_UpgradeMerge        */ 0, PR_FALSE, 0, PR_FALSE,
         "upgrade-merge" },
       { /* cmd_Rename              */ 0, PR_FALSE, 0, PR_FALSE,
-        "rename" }
+        "rename" },
+      { /* cmd_BuildFlags          */ 0, PR_FALSE, 0, PR_FALSE,
+        "build-flags" }
     };
 #define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
 
@@ -2690,6 +2719,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
         exit(1);
     }
 
+    if (certutil.commands[cmd_BuildFlags].activated) {
+        PrintBuildFlags();
+    }
+
     if (certutil.options[opt_PasswordFile].arg) {
         pwdata.source = PW_FROMFILE;
         pwdata.data = certutil.options[opt_PasswordFile].arg;
@@ -3138,7 +3171,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
         certutil.commands[cmd_CreateAndAddCert].activated ||
         certutil.commands[cmd_AddCert].activated ||
         certutil.commands[cmd_AddEmailCert].activated) {
-        if (PK11_NeedUserInit(slot)) {
+        if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
             char *password = NULL;
             /* fetch the password from the command line or the file
              * if no password is supplied, initialize the password to NULL */

security/nss/coreconf/config.gypi

@@ -128,6 +128,7 @@
       [ 'disable_fips==1', {
         'defines': [
           'NSS_FIPS_DISABLED',
+          'NSS_NO_INIT_SUPPORT',
         ],
       }],
       [ 'OS!="android" and OS!="mac" and OS!="win"', {
@@ -299,7 +300,6 @@
       'Common': {
         'abstract': 1,
         'defines': [
-          'NSS_NO_INIT_SUPPORT',
           'USE_UTIL_DIRECTLY',
           'NO_NSPR_10_SUPPORT',
           'SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES',

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/gtests/freebl_gtest/rsa_unittest.cc

@@ -53,5 +53,9 @@ TEST_F(RSANewKeyTest, WrongKeysizeTest) {
 
 TEST_F(RSANewKeyTest, expThreeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
+#ifdef NSS_FIPS_DISABLED
   ASSERT_TRUE(key != nullptr);
+#else
+  ASSERT_TRUE(key == nullptr);
+#endif
 }

security/nss/gtests/softoken_gtest/softoken_gtest.cc

@@ -1,4 +1,8 @@
 #include <cstdlib>
+#if defined(_WIN32)
+#include <windows.h>
+#include <codecvt>
+#endif
 
 #include "cert.h"
 #include "certdb.h"
@@ -34,6 +38,7 @@ class ScopedUniqueDirectory {
   ~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); }
 
   const std::string &GetPath() { return mPath; }
+  const std::string &GetUTF8Path() { return mUTF8Path; }
 
  private:
   static const int RETRY_LIMIT = 5;
@@ -41,6 +46,7 @@ class ScopedUniqueDirectory {
   static bool TryMakingDirectory(/*in/out*/ std::string &prefix);
 
   std::string mPath;
+  std::string mUTF8Path;
 };
 
 ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
@@ -60,6 +66,18 @@ ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
     }
   }
   assert(mPath.length() > 0);
+#if defined(_WIN32)
+  // sqldb always uses UTF-8 regardless of the current system locale.
+  DWORD len =
+      MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), nullptr, 0);
+  std::vector<wchar_t> buf(len, L'\0');
+  MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), buf.data(),
+                      buf.size());
+  std::wstring_convert<std::codecvt_utf8_utf16<wchar_t>> converter;
+  mUTF8Path = converter.to_bytes(std::wstring(buf.begin(), buf.end()));
+#else
+  mUTF8Path = mPath;
+#endif
 }
 
 void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) {
@@ -84,10 +102,11 @@ bool ScopedUniqueDirectory::TryMakingDirectory(std::string &prefix) {
 class SoftokenTest : public ::testing::Test {
  protected:
   SoftokenTest() : mNSSDBDir("SoftokenTest.d-") {}
+  SoftokenTest(const std::string &prefix) : mNSSDBDir(prefix) {}
 
   virtual void SetUp() {
     std::string nssInitArg("sql:");
-    nssInitArg.append(mNSSDBDir.GetPath());
+    nssInitArg.append(mNSSDBDir.GetUTF8Path());
     ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
                                          NSS_INIT_NOROOTINIT));
   }
@@ -202,6 +221,19 @@ TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
   EXPECT_NE(nullptr, obj);
 }
 
+class SoftokenNonAsciiTest : public SoftokenTest {
+ protected:
+  SoftokenNonAsciiTest() : SoftokenTest("SoftokenTest.\xF7-") {}
+};
+
+TEST_F(SoftokenNonAsciiTest, NonAsciiPathWorking) {
+  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+  ASSERT_TRUE(slot);
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+  EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
+  EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+}
+
 // This is just any X509 certificate. Its contents don't matter.
 static unsigned char certDER[] = {
     0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01,

security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc

@@ -31,7 +31,7 @@ const static uint8_t kCannedTls13ClientHello[] = {
     0x00, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x00, 0x06,
     0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
     0x0a, 0x00, 0x12, 0x00, 0x10, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01,
-    0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x28, 0x00,
+    0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x33, 0x00,
     0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x86, 0x4a, 0xb9, 0xdc,
     0x6a, 0x38, 0xa7, 0xce, 0xe7, 0xc2, 0x4f, 0xa6, 0x28, 0xb9, 0xdc, 0x65,
     0xbf, 0x73, 0x47, 0x3c, 0x9c, 0x65, 0x8c, 0x47, 0x6d, 0x57, 0x22, 0x8a,
@@ -47,7 +47,7 @@ const static uint8_t kCannedTls13ServerHello[] = {
     0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
     0xf0, 0x5c, 0x70, 0x7a, 0xe0, 0xd1, 0x9b, 0x3e, 0x5a, 0x44, 0x6b,
     0xdf, 0xe5, 0xc2, 0x28, 0x64, 0xf7, 0x00, 0xc1, 0x9c, 0x08, 0x76,
-    0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x28, 0x00, 0x24,
+    0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24,
     0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
     0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
     0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,

security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc

@@ -50,6 +50,7 @@ static const uint16_t kManyExtensions[] = {
     ssl_supported_groups_xtn,
     ssl_ec_point_formats_xtn,
     ssl_signature_algorithms_xtn,
+    ssl_signature_algorithms_cert_xtn,
     ssl_use_srtp_xtn,
     ssl_app_layer_protocol_xtn,
     ssl_signed_cert_timestamp_xtn,

security/nss/lib/ckfw/builtins/certdata.txt

@@ -3656,7 +3656,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -3815,7 +3815,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -5109,149 +5109,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "DST ACES CA X6"
-#
-# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
-# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Not Valid Before: Thu Nov 20 21:19:58 2003
-# Not Valid After : Mon Nov 20 21:19:58 2017
-# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
-# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "DST ACES CA X6"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
-\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
-\123\124\040\101\103\105\123\040\103\101\040\130\066
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
-\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
-\123\124\040\101\103\105\123\040\103\101\040\130\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
-\025\331
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\011\060\202\002\361\240\003\002\001\002\002\020\015
-\136\231\012\326\235\267\170\354\330\007\126\073\206\025\331\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\133
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040\060
-\036\006\003\125\004\012\023\027\104\151\147\151\164\141\154\040
-\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164\061
-\021\060\017\006\003\125\004\013\023\010\104\123\124\040\101\103
-\105\123\061\027\060\025\006\003\125\004\003\023\016\104\123\124
-\040\101\103\105\123\040\103\101\040\130\066\060\036\027\015\060
-\063\061\061\062\060\062\061\061\071\065\070\132\027\015\061\067
-\061\061\062\060\062\061\061\071\065\070\132\060\133\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003
-\125\004\012\023\027\104\151\147\151\164\141\154\040\123\151\147
-\156\141\164\165\162\145\040\124\162\165\163\164\061\021\060\017
-\006\003\125\004\013\023\010\104\123\124\040\101\103\105\123\061
-\027\060\025\006\003\125\004\003\023\016\104\123\124\040\101\103
-\105\123\040\103\101\040\130\066\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\271\075\365\054\311\224\334
-\165\212\225\135\143\350\204\167\166\146\271\131\221\134\106\335
-\222\076\237\371\016\003\264\075\141\222\275\043\046\265\143\356
-\222\322\236\326\074\310\015\220\137\144\201\261\250\010\015\114
-\330\371\323\005\050\122\264\001\045\305\225\034\014\176\076\020
-\204\165\317\301\031\221\143\317\350\250\221\210\271\103\122\273
-\200\261\125\211\213\061\372\320\267\166\276\101\075\060\232\244
-\042\045\027\163\350\036\342\323\254\052\275\133\070\041\325\052
-\113\327\125\175\343\072\125\275\327\155\153\002\127\153\346\107
-\174\010\310\202\272\336\247\207\075\241\155\270\060\126\302\263
-\002\201\137\055\365\342\232\060\030\050\270\146\323\313\001\226
-\157\352\212\105\125\326\340\235\377\147\053\027\002\246\116\032
-\152\021\013\176\267\173\347\230\326\214\166\157\301\073\333\120
-\223\176\345\320\216\037\067\270\275\272\306\237\154\351\174\063
-\362\062\074\046\107\372\047\044\002\311\176\035\133\210\102\023
-\152\065\174\175\065\351\056\146\221\162\223\325\062\046\304\164
-\365\123\243\263\135\232\366\011\313\002\003\001\000\001\243\201
-\310\060\201\305\060\017\006\003\125\035\023\001\001\377\004\005
-\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\306\060\037\006\003\125\035\021\004\030\060\026
-\201\024\160\153\151\055\157\160\163\100\164\162\165\163\164\144
-\163\164\056\143\157\155\060\142\006\003\125\035\040\004\133\060
-\131\060\127\006\012\140\206\110\001\145\003\002\001\001\001\060
-\111\060\107\006\010\053\006\001\005\005\007\002\001\026\073\150
-\164\164\160\072\057\057\167\167\167\056\164\162\165\163\164\144
-\163\164\056\143\157\155\057\143\145\162\164\151\146\151\143\141
-\164\145\163\057\160\157\154\151\143\171\057\101\103\105\123\055
-\151\156\144\145\170\056\150\164\155\154\060\035\006\003\125\035
-\016\004\026\004\024\011\162\006\116\030\103\017\345\326\314\303
-\152\213\061\173\170\217\250\203\270\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\243\330\216
-\326\262\333\316\005\347\062\315\001\323\004\003\345\166\344\126
-\053\234\231\220\350\010\060\154\337\175\075\356\345\277\265\044
-\100\204\111\341\321\050\256\304\302\072\123\060\210\361\365\167
-\156\121\312\372\377\231\257\044\137\033\240\375\362\254\204\312
-\337\251\360\137\004\056\255\026\277\041\227\020\201\075\343\377
-\207\215\062\334\224\345\107\212\136\152\023\311\224\225\075\322
-\356\310\064\225\320\200\324\255\062\010\200\124\074\340\275\122
-\123\327\122\174\262\151\077\177\172\317\152\164\312\372\004\052
-\234\114\132\006\245\351\040\255\105\146\017\151\361\335\277\351
-\343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
-\370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
-\256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
-\150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
-\064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
-\367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
-\363\267\240\247\315\345\172\063\066\152\372\232\053
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "DST ACES CA X6"
-# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
-# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
-# Not Valid Before: Thu Nov 20 21:19:58 2003
-# Not Valid After : Mon Nov 20 21:19:58 2017
-# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
-# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "DST ACES CA X6"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\100\124\332\157\034\077\100\164\254\355\017\354\315\333\171\321
-\123\373\220\035
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\041\330\114\202\053\231\011\063\242\353\024\044\215\216\137\350
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
-\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
-\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
-\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
-\123\124\040\101\103\105\123\040\103\101\040\130\066
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
-\025\331
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "SwissSign Platinum CA - G2"
 #
@@ -6916,142 +6773,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "Security Communication EV RootCA1"
-#
-# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Serial Number: 0 (0x0)
-# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Not Valid Before: Wed Jun 06 02:12:32 2007
-# Not Valid After : Sat Jun 06 02:12:32 2037
-# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
-# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Security Communication EV RootCA1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
-\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
-\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
-\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
-\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
-\101\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
-\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
-\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
-\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
-\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
-\101\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045
-\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124
-\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056
-\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041
-\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151
-\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101
-\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063
-\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062
-\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120
-\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115
-\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103
-\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013
-\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165
-\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164
-\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171
-\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215
-\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204
-\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007
-\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111
-\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016
-\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130
-\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355
-\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071
-\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035
-\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265
-\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305
-\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017
-\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124
-\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065
-\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061
-\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006
-\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202
-\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
-\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227
-\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326
-\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350
-\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376
-\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231
-\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045
-\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031
-\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333
-\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117
-\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174
-\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
-\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
-\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
-\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
-\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
-\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
-\164
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Security Communication EV RootCA1"
-# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Serial Number: 0 (0x0)
-# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
-# Not Valid Before: Wed Jun 06 02:12:32 2007
-# Not Valid After : Sat Jun 06 02:12:32 2037
-# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
-# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Security Communication EV RootCA1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050
-\206\145\144\175
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
-\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
-\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
-\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
-\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
-\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
-\101\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\000
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "OISTE WISeKey Global Root GA CA"
 #
@@ -14478,169 +14199,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "CA Disig Root R1"
-#
-# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Serial Number:00:c3:03:9a:ee:50:90:6e:28
-# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Not Valid Before: Thu Jul 19 09:06:56 2012
-# Not Valid After : Sat Jul 19 09:06:56 2042
-# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
-# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CA Disig Root R1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
-\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
-\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
-\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
-\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
-\164\040\122\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
-\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
-\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
-\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
-\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
-\164\040\122\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\011\000\303\003\232\356\120\220\156\050
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\151\060\202\003\121\240\003\002\001\002\002\011\000
-\303\003\232\356\120\220\156\050\060\015\006\011\052\206\110\206
-\367\015\001\001\005\005\000\060\122\061\013\060\011\006\003\125
-\004\006\023\002\123\113\061\023\060\021\006\003\125\004\007\023
-\012\102\162\141\164\151\163\154\141\166\141\061\023\060\021\006
-\003\125\004\012\023\012\104\151\163\151\147\040\141\056\163\056
-\061\031\060\027\006\003\125\004\003\023\020\103\101\040\104\151
-\163\151\147\040\122\157\157\164\040\122\061\060\036\027\015\061
-\062\060\067\061\071\060\071\060\066\065\066\132\027\015\064\062
-\060\067\061\071\060\071\060\066\065\066\132\060\122\061\013\060
-\011\006\003\125\004\006\023\002\123\113\061\023\060\021\006\003
-\125\004\007\023\012\102\162\141\164\151\163\154\141\166\141\061
-\023\060\021\006\003\125\004\012\023\012\104\151\163\151\147\040
-\141\056\163\056\061\031\060\027\006\003\125\004\003\023\020\103
-\101\040\104\151\163\151\147\040\122\157\157\164\040\122\061\060
-\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000
-\252\303\170\367\334\230\243\247\132\136\167\030\262\335\004\144
-\017\143\375\233\226\011\200\325\350\252\245\342\234\046\224\072
-\350\231\163\214\235\337\327\337\203\363\170\117\100\341\177\322
-\247\322\345\312\023\223\347\355\306\167\137\066\265\224\257\350
-\070\216\333\233\345\174\273\314\215\353\165\163\341\044\315\346
-\247\055\031\056\330\326\212\153\024\353\010\142\012\330\334\263
-\000\115\303\043\174\137\103\010\043\062\022\334\355\014\255\300
-\175\017\245\172\102\331\132\160\331\277\247\327\001\034\366\233
-\253\216\267\112\206\170\240\036\126\061\256\357\202\012\200\101
-\367\033\311\256\253\062\046\324\054\153\355\175\153\344\342\136
-\042\012\105\313\204\061\115\254\376\333\321\107\272\371\140\227
-\071\261\145\307\336\373\231\344\012\042\261\055\115\345\110\046
-\151\253\342\252\363\373\374\222\051\062\351\263\076\115\037\047
-\241\315\216\271\027\373\045\076\311\156\363\167\332\015\022\366
-\135\307\273\066\020\325\124\326\363\340\342\107\110\346\336\024
-\332\141\122\257\046\264\365\161\117\311\327\322\006\337\143\312
-\377\041\350\131\006\340\010\325\204\025\123\367\103\345\174\305
-\240\211\230\153\163\306\150\316\145\336\275\177\005\367\261\356
-\366\127\241\140\225\305\314\352\223\072\276\231\256\233\002\243
-\255\311\026\265\316\335\136\231\170\176\032\071\176\262\300\005
-\244\300\202\245\243\107\236\214\352\134\266\274\147\333\346\052
-\115\322\004\334\243\256\105\367\274\213\234\034\247\326\325\003
-\334\010\313\056\026\312\134\100\063\350\147\303\056\347\246\104
-\352\021\105\034\065\145\055\036\105\141\044\033\202\056\245\235
-\063\135\145\370\101\371\056\313\224\077\037\243\014\061\044\104
-\355\307\136\255\120\272\306\101\233\254\360\027\145\300\370\135
-\157\133\240\012\064\074\356\327\352\210\237\230\371\257\116\044
-\372\227\262\144\166\332\253\364\355\343\303\140\357\325\371\002
-\310\055\237\203\257\147\151\006\247\061\125\325\317\113\157\377
-\004\005\307\130\254\137\026\033\345\322\243\353\061\333\037\063
-\025\115\320\362\245\123\365\313\341\075\116\150\055\330\022\335
-\252\362\346\115\233\111\345\305\050\241\272\260\132\306\240\265
-\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035
-\016\004\026\004\024\211\012\264\070\223\032\346\253\356\233\221
-\030\371\365\074\076\065\320\323\202\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\002\001\000\062\213\366
-\235\112\311\276\024\345\214\254\070\312\072\011\324\033\316\206
-\263\335\353\324\272\050\276\022\256\105\054\004\164\254\023\121
-\305\130\030\146\115\202\332\325\334\223\300\047\341\276\174\237
-\122\236\022\126\366\325\234\251\364\165\234\372\067\022\217\034
-\223\354\127\376\007\017\253\325\022\367\017\256\141\136\126\200
-\111\365\374\060\365\233\117\037\101\057\034\204\323\211\307\342
-\332\002\166\355\011\317\154\301\270\034\203\034\026\372\224\315
-\175\240\310\030\322\310\235\156\365\275\151\324\155\075\065\350
-\036\242\117\140\327\007\051\374\262\243\244\235\156\025\222\126
-\031\114\012\260\351\174\322\031\115\102\106\354\275\375\366\127
-\133\335\230\176\244\115\314\162\003\203\130\135\357\223\072\101
-\172\143\252\174\072\250\365\254\244\321\335\242\055\266\052\374
-\237\001\216\342\020\261\304\312\344\147\333\125\045\031\077\375
-\350\066\176\263\341\341\201\257\021\026\213\120\227\140\031\202
-\000\300\153\115\163\270\321\023\007\076\352\266\061\117\360\102
-\232\155\342\021\164\345\224\254\215\204\225\074\041\257\305\332
-\107\310\337\071\142\142\313\133\120\013\327\201\100\005\234\233
-\355\272\266\213\036\004\157\226\040\071\355\244\175\051\333\110
-\316\202\334\324\002\215\035\004\061\132\307\113\360\154\141\122
-\327\264\121\302\201\154\315\341\373\247\241\322\222\166\317\261
-\017\067\130\244\362\122\161\147\077\014\210\170\200\211\301\310
-\265\037\222\143\276\247\172\212\126\054\032\250\246\234\265\135
-\263\143\320\023\040\241\353\221\154\320\215\175\257\337\013\344
-\027\271\206\236\070\261\224\014\130\214\340\125\252\073\143\155
-\232\211\140\270\144\052\222\306\067\364\176\103\103\267\163\350
-\001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
-\153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
-\243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
-\200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
-\103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
-\016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
-\360\343\355\144\236\075\057\226\122\117\200\123\213
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "CA Disig Root R1"
-# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Serial Number:00:c3:03:9a:ee:50:90:6e:28
-# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
-# Not Valid Before: Thu Jul 19 09:06:56 2012
-# Not Valid After : Sat Jul 19 09:06:56 2042
-# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
-# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CA Disig Root R1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\216\034\164\370\246\040\271\345\212\364\141\372\354\053\107\126
-\121\032\122\306
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\276\354\021\223\232\365\151\041\274\327\301\300\147\211\314\052
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
-\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
-\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
-\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
-\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
-\164\040\122\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\011\000\303\003\232\356\120\220\156\050
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "CA Disig Root R2"
 #
@@ -17672,188 +17230,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-#
-# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
-# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Not Valid Before: Thu Mar 26 00:00:00 2009
-# Not Valid After : Sun Mar 24 23:59:59 2019
-# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
-# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\265\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\073\060\071\006\003
-\125\004\013\023\062\124\145\162\155\163\040\157\146\040\165\163
-\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167
-\056\166\145\162\151\163\151\147\156\056\143\157\155\057\162\160
-\141\040\050\143\051\060\071\061\057\060\055\006\003\125\004\003
-\023\046\126\145\162\151\123\151\147\156\040\103\154\141\163\163
-\040\063\040\123\145\143\165\162\145\040\123\145\162\166\145\162
-\040\103\101\040\055\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
-\005\256
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\071\060\202\004\041\240\003\002\001\002\002\020\057
-\000\156\315\027\160\146\347\137\243\202\012\171\037\005\256\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\312\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\061\037\060\035\006\003\125\004\013
-\023\026\126\145\162\151\123\151\147\156\040\124\162\165\163\164
-\040\116\145\164\167\157\162\153\061\072\060\070\006\003\125\004
-\013\023\061\050\143\051\040\062\060\060\066\040\126\145\162\151
-\123\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162
-\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040
-\157\156\154\171\061\105\060\103\006\003\125\004\003\023\074\126
-\145\162\151\123\151\147\156\040\103\154\141\163\163\040\063\040
-\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040\103
-\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
-\150\157\162\151\164\171\040\055\040\107\065\060\036\027\015\060
-\071\060\063\062\066\060\060\060\060\060\060\132\027\015\061\071
-\060\063\062\064\062\063\065\071\065\071\132\060\201\265\061\013
-\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006
-\003\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040
-\111\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126
-\145\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145
-\164\167\157\162\153\061\073\060\071\006\003\125\004\013\023\062
-\124\145\162\155\163\040\157\146\040\165\163\145\040\141\164\040
-\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
-\163\151\147\156\056\143\157\155\057\162\160\141\040\050\143\051
-\060\071\061\057\060\055\006\003\125\004\003\023\046\126\145\162
-\151\123\151\147\156\040\103\154\141\163\163\040\063\040\123\145
-\143\165\162\145\040\123\145\162\166\145\162\040\103\101\040\055
-\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\324\126\217\127\073\067\050\246\100\143\322\225
-\325\005\164\332\265\031\152\226\326\161\127\057\342\300\064\214
-\240\225\263\214\341\067\044\363\056\355\103\105\005\216\211\327
-\372\332\112\265\370\076\215\116\307\371\111\120\105\067\100\237
-\164\252\240\121\125\141\361\140\204\211\245\236\200\215\057\260
-\041\252\105\202\304\317\264\024\177\107\025\040\050\202\260\150
-\022\300\256\134\007\327\366\131\314\313\142\126\134\115\111\377
-\046\210\253\124\121\072\057\112\332\016\230\342\211\162\271\374
-\367\150\074\304\037\071\172\313\027\201\363\014\255\017\334\141
-\142\033\020\013\004\036\051\030\161\136\142\313\103\336\276\061
-\272\161\002\031\116\046\251\121\332\214\144\151\003\336\234\375
-\175\375\173\141\274\374\204\174\210\134\264\303\173\355\137\053
-\106\022\361\375\000\001\232\213\133\351\243\005\056\217\056\133
-\336\363\033\170\370\146\221\010\300\136\316\325\260\066\312\324
-\250\173\240\175\371\060\172\277\370\335\031\121\053\040\272\376
-\247\317\241\116\260\147\365\200\252\053\203\056\322\216\124\211
-\216\036\051\013\002\003\001\000\001\243\202\001\054\060\202\001
-\050\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
-\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
-\004\003\002\001\006\060\051\006\003\125\035\021\004\042\060\040
-\244\036\060\034\061\032\060\030\006\003\125\004\003\023\021\103
-\154\141\163\163\063\103\101\062\060\064\070\055\061\055\065\062
-\060\035\006\003\125\035\016\004\026\004\024\245\357\013\021\316
-\300\101\003\243\112\145\220\110\262\034\340\127\055\175\107\060
-\146\006\003\125\035\040\004\137\060\135\060\133\006\013\140\206
-\110\001\206\370\105\001\007\027\003\060\114\060\043\006\010\053
-\006\001\005\005\007\002\001\026\027\150\164\164\160\163\072\057
-\057\144\056\163\171\155\143\142\056\143\157\155\057\143\160\163
-\060\045\006\010\053\006\001\005\005\007\002\002\060\031\032\027
-\150\164\164\160\163\072\057\057\144\056\163\171\155\143\142\056
-\143\157\155\057\162\160\141\060\057\006\003\125\035\037\004\050
-\060\046\060\044\240\042\240\040\206\036\150\164\164\160\072\057
-\057\163\056\163\171\155\143\142\056\143\157\155\057\160\143\141
-\063\055\147\065\056\143\162\154\060\037\006\003\125\035\043\004
-\030\060\026\200\024\177\323\145\247\302\335\354\273\360\060\011
-\363\103\071\372\002\257\063\061\063\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\001\001\000\053\216\024
-\314\354\206\010\140\067\213\154\145\211\045\041\336\057\122\242
-\007\236\130\323\263\026\170\001\231\121\225\264\023\167\314\167
-\335\013\134\201\067\326\276\366\142\326\004\067\013\030\163\232
-\323\366\301\242\036\155\234\273\214\021\346\076\022\136\007\137
-\013\203\134\164\002\340\120\364\261\046\033\155\306\350\351\277
-\115\271\001\025\031\354\120\232\371\021\360\201\130\103\054\115
-\021\100\263\132\106\010\246\136\163\241\210\022\065\214\377\003
-\072\275\326\235\372\347\334\226\271\032\144\076\304\375\331\012
-\266\145\236\272\245\250\130\374\073\042\360\242\127\356\212\127
-\107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
-\264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
-\366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
-\134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
-\354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
-\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
-\145\110\041\012\057\327\334\176\240\314\145\176\171
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
-# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
-# Not Valid Before: Thu Mar 26 00:00:00 2009
-# Not Valid After : Sun Mar 24 23:59:59 2019
-# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
-# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\166\104\131\170\033\254\260\107\143\245\320\241\130\221\145\046
-\037\051\216\073
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\277\022\155\372\174\325\133\046\171\072\215\252\021\357\057\134
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
-\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
-\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
-\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
-\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
-\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
-\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
-\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
-\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
-\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
-\165\164\150\157\162\151\164\171\040\055\040\107\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
-\005\256
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "Staat der Nederlanden Root CA - G3"
 #

security/nss/lib/ckfw/builtins/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 20
-#define NSS_BUILTINS_LIBRARY_VERSION "2.20"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
+#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

security/nss/lib/cryptohi/seckey.c

@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag tag)
             return CKM_SHA384;
         case SEC_OID_SHA256:
             return CKM_SHA256;
+        case SEC_OID_SHA224:
+            return CKM_SHA224;
+        case SEC_OID_SHA1:
+            return CKM_SHA_1;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        /* fallthrough */
-        case SEC_OID_SHA1:
-            break;
+            return CKM_INVALID_MECHANISM;
     }
-    return CKM_SHA_1;
 }
 
 static CK_RSA_PKCS_MGF_TYPE
@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
             return CKG_MGF1_SHA384;
         case SEC_OID_SHA256:
             return CKG_MGF1_SHA256;
+        case SEC_OID_SHA224:
+            return CKG_MGF1_SHA224;
+        case SEC_OID_SHA1:
+            return CKG_MGF1_SHA1;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        /* fallthrough */
-        case SEC_OID_SHA1:
-            break;
+            return 0;
     }
-    return CKG_MGF1_SHA1;
 }
 
 SECStatus
@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
     SECStatus rv = SECSuccess;
     SECOidTag hashAlgTag;
     unsigned long saltLength;
+    unsigned long trailerField;
 
     PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
 
@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
         hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
     }
     mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
+    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+        return SECFailure;
+    }
 
     if (params->maskAlg) {
         SECAlgorithmID maskHashAlg;
@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
         }
         maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
         mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
+        if (mech->mgf == 0) {
+            return SECFailure;
+        }
     } else {
         mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
     }
@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
     }
     mech->sLen = saltLength;
 
+    if (params->trailerField.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        if (trailerField != 1) {
+            /* the value must be 1, which represents the trailer field
+             * with hexadecimal value 0xBC */
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+    }
+
     return rv;
 }

security/nss/lib/softoken/fipstokn.c

@@ -540,7 +540,10 @@ FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 
     crv = NSC_GetTokenInfo(slotID, pInfo);
     if (crv == CKR_OK) {
-        if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
+        /* use the global database to figure out if we are running in 
+         * FIPS 140 Level 1 or Level 2 */
+        if (slotID == FIPS_SLOT_ID &&
+            (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
             isLevel2 = PR_FALSE;
         }
     }
@@ -616,7 +619,8 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
      * we need to make sure the pin meets FIPS requirements */
     if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
         rv = NSC_InitPIN(hSession, pPin, ulPinLen);
-        if (rv == CKR_OK) {
+        if ((rv == CKR_OK) &&
+            (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
             isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
         }
     }
@@ -644,7 +648,8 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
     if ((rv = sftk_fipsCheck()) == CKR_OK &&
         (rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
         rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
-        if (rv == CKR_OK) {
+        if ((rv == CKR_OK) &&
+            (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
             /* if we set the password in level1 we now go
              * to level2. NOTE: we don't allow the user to
              * go from level2 to level1 */
@@ -705,11 +710,23 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
 
     rv = NSC_GetSessionInfo(hSession, pInfo);
     if (rv == CKR_OK) {
-        if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
-            pInfo->state = CKS_RO_USER_FUNCTIONS;
-        }
-        if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
-            pInfo->state = CKS_RW_USER_FUNCTIONS;
+        /* handle the case where the auxilary slot doesn't require login.
+         * piggy back on the main token's login state */
+        if (isLoggedIn &&
+            ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
+             (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
+            CK_RV crv;
+            CK_TOKEN_INFO tInfo;
+            crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
+                                   &tInfo);
+            /* if the token doesn't login, use our global login state */
+            if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
+                if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
+                    pInfo->state = CKS_RO_USER_FUNCTIONS;
+                } else {
+                    pInfo->state = CKS_RW_USER_FUNCTIONS;
+                }
+            }
         }
     }
     return rv;

security/nss/lib/softoken/pkcs11.c

@@ -2364,17 +2364,22 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
     return slot;
 }
 
-SFTKSlot *
-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+CK_SLOT_ID
+sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
 {
     CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
     CK_ULONG moduleIndex = (handle >> 31) & 1;
 
     if (slotIDIndex >= nscSlotCount[moduleIndex]) {
-        return NULL;
+        return (CK_SLOT_ID)-1;
     }
+    return nscSlotList[moduleIndex][slotIDIndex];
+}
 
-    return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+    return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
 }
 
 static CK_RV

security/nss/lib/softoken/pkcs11i.h

@@ -667,6 +667,7 @@ extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
 
 extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
 extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
 extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
 extern void sftk_FreeSession(SFTKSession *session);
 extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,

security/nss/lib/softoken/sdb.c

@@ -37,6 +37,7 @@
 #elif defined(XP_UNIX)
 #include <unistd.h>
 #endif
+#include "utilpars.h"
 
 #ifdef SQLITE_UNSAFE_THREADS
 #include "prlock.h"
@@ -190,6 +191,34 @@ sdb_done(int err, int *count)
     return 0;
 }
 
+#if defined(_WIN32)
+/*
+ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
+ * sqlite3 expects.
+ */
+
+static int
+sdb_chmod(const char *filename, int pmode)
+{
+    int result;
+
+    if (!filename) {
+        return -1;
+    }
+
+    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+    if (!filenameWide) {
+        return -1;
+    }
+    result = _wchmod(filenameWide, pmode);
+    PORT_Free(filenameWide);
+
+    return result;
+}
+#else
+#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
+#endif
+
 /*
  * find out where sqlite stores the temp tables. We do this by replicating
  * the logic from sqlite.
@@ -1739,7 +1768,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
      * sqlite3 will always create it.
      */
     LOCK_SQLITE();
-    create = (PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
+    create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
     if ((flags == SDB_RDONLY) && create) {
         error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
         goto loser;
@@ -1756,7 +1785,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
      *
      * NO NSPR call for chmod? :(
      */
-    if (create && chmod(dbname, 0600) != 0) {
+    if (create && sdb_chmod(dbname, 0600) != 0) {
         error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
         goto loser;
     }

security/nss/lib/softoken/sdb.h

@@ -83,6 +83,10 @@ CK_RV s_open(const char *directory, const char *certPrefix,
              int flags, SDB **certdb, SDB **keydb, int *newInit);
 CK_RV s_shutdown();
 
+#if defined(_WIN32)
+wchar_t *sdb_UTF8ToWide(const char *buf);
+#endif
+
 /* flags */
 #define SDB_RDONLY 1
 #define SDB_RDWR 2

security/nss/lib/softoken/sftkdb.c

@@ -28,6 +28,9 @@
 #include "utilpars.h"
 #include "secerr.h"
 #include "softoken.h"
+#if defined(_WIN32)
+#include <windows.h>
+#endif
 
 /*
  * We want all databases to have the same binary representation independent of
@@ -2509,6 +2512,53 @@ sftk_oldVersionExists(const char *dir, int version)
     return PR_FALSE;
 }
 
+#if defined(_WIN32)
+/*
+ * Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
+ * current system codepage). Fails if the path contains a character outside
+ * the current system codepage.
+ */
+static char *
+sftk_legacyPathFromSDBPath(const char *confdir)
+{
+    wchar_t *confdirWide;
+    DWORD size;
+    char *nconfdir;
+    BOOL unmappable;
+
+    if (!confdir) {
+        return NULL;
+    }
+    confdirWide = _NSSUTIL_UTF8ToWide(confdir);
+    if (!confdirWide) {
+        return NULL;
+    }
+
+    size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+                               NULL, 0, NULL, &unmappable);
+    if (size == 0 || unmappable) {
+        PORT_Free(confdirWide);
+        return NULL;
+    }
+    nconfdir = PORT_Alloc(sizeof(char) * size);
+    if (!nconfdir) {
+        PORT_Free(confdirWide);
+        return NULL;
+    }
+    size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+                               nconfdir, size, NULL, &unmappable);
+    PORT_Free(confdirWide);
+    if (size == 0 || unmappable) {
+        PORT_Free(nconfdir);
+        return NULL;
+    }
+
+    return nconfdir;
+}
+#else
+#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
+#endif
+
 static PRBool
 sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
                  const char *keyPrefix, int certVersion, int keyVersion)
@@ -2568,6 +2618,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
     int flags = SDB_RDONLY;
     PRBool newInit = PR_FALSE;
     PRBool needUpdate = PR_FALSE;
+    char *nconfdir = NULL;
 
     if (!readOnly) {
         flags = SDB_CREATE;
@@ -2606,11 +2657,14 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
              * the exists.
              */
             if (crv != CKR_OK) {
-                if (((flags & SDB_RDONLY) == SDB_RDONLY) &&
-                    sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
+                if ((flags & SDB_RDONLY) == SDB_RDONLY) {
+                    nconfdir = sftk_legacyPathFromSDBPath(confdir);
+                }
+                if (nconfdir &&
+                    sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
                     /* we have legacy databases, if we failed to open the new format
                      * DB's read only, just use the legacy ones */
-                    crv = sftkdbCall_open(confdir, certPrefix,
+                    crv = sftkdbCall_open(nconfdir, certPrefix,
                                           keyPrefix, 8, 3, flags,
                                           noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
                 }
@@ -2639,7 +2693,10 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
                 /* if the new format DB was also a newly created DB, and we
                  * succeeded, then need to update that new database with data
                  * from the existing legacy DB */
-                if (sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
+                nconfdir = sftk_legacyPathFromSDBPath(confdir);
+                if (nconfdir &&
+                    sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
+                    confdir = nconfdir;
                     needUpdate = PR_TRUE;
                 }
             }
@@ -2712,6 +2769,9 @@ done:
     if (appName) {
         PORT_Free(appName);
     }
+    if (nconfdir) {
+        PORT_Free(nconfdir);
+    }
     return forceOpen ? CKR_OK : crv;
 }
 

security/nss/lib/ssl/ssl3prot.h

@@ -16,7 +16,7 @@ typedef PRUint16 SSL3ProtocolVersion;
 /* The TLS 1.3 draft version. Used to avoid negotiating
  * between incompatible pre-standard TLS 1.3 drafts.
  * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
-#define TLS_1_3_DRAFT_VERSION 22
+#define TLS_1_3_DRAFT_VERSION 23
 
 typedef PRUint16 ssl3CipherSuite;
 /* The cipher suites are defined in sslproto.h */

security/nss/lib/ssl/sslt.h

@@ -425,7 +425,7 @@ typedef enum {
     ssl_padding_xtn = 21,
     ssl_extended_master_secret_xtn = 23,
     ssl_session_ticket_xtn = 35,
-    ssl_tls13_key_share_xtn = 40,
+    /* 40 was used in draft versions of TLS 1.3; it is now reserved. */
     ssl_tls13_pre_shared_key_xtn = 41,
     ssl_tls13_early_data_xtn = 42,
     ssl_tls13_supported_versions_xtn = 43,
@@ -433,6 +433,8 @@ typedef enum {
     ssl_tls13_psk_key_exchange_modes_xtn = 45,
     ssl_tls13_ticket_early_data_info_xtn = 46, /* Deprecated. */
     ssl_tls13_certificate_authorities_xtn = 47,
+    ssl_signature_algorithms_cert_xtn = 50,
+    ssl_tls13_key_share_xtn = 51,
     ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
     ssl_renegotiation_info_xtn = 0xff01,
     ssl_tls13_short_header_xtn = 0xff03 /* Deprecated. */
@@ -444,7 +446,7 @@ typedef enum {
 /* SSL_MAX_EXTENSIONS includes the maximum number of extensions that are
  * supported for any single message type.  That is, a ClientHello; ServerHello
  * and TLS 1.3 NewSessionTicket and HelloRetryRequest extensions have fewer. */
-#define SSL_MAX_EXTENSIONS 19
+#define SSL_MAX_EXTENSIONS 20
 
 /* Deprecated */
 typedef enum {

security/nss/lib/ssl/tls13con.c

@@ -4725,6 +4725,8 @@ static const struct {
     { ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) },
+    { ssl_signature_algorithms_cert_xtn, _M2(client_hello,
+                                             certificate_request) },
     { ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) },
     { ssl_padding_xtn, _M1(client_hello) },

security/nss/lib/util/nssutil.def

@@ -315,3 +315,11 @@ NSS_SecureMemcmpZero;
 ;+    local:
 ;+       *;
 ;+};
+;-NSSUTIL_3.35 {         # NSS Utilities 3.35 release
+;-    global:
+;-# private exports for softoken
+_NSSUTIL_UTF8ToWide;-
+_NSSUTIL_Access;-
+;-    local:
+;-       *;
+;-};

security/nss/lib/util/utilmod.c

@@ -24,6 +24,7 @@
 
 #if defined(_WIN32)
 #include <io.h>
+#include <windows.h>
 #endif
 #ifdef XP_UNIX
 #include <unistd.h>
@@ -34,15 +35,184 @@
 #include <fcntl.h>
 
 #if defined(_WIN32)
-#define os_open _open
 #define os_fdopen _fdopen
-#define os_stat _stat
 #define os_truncate_open_flags _O_CREAT | _O_RDWR | _O_TRUNC
 #define os_append_open_flags _O_CREAT | _O_RDWR | _O_APPEND
 #define os_open_permissions_type int
 #define os_open_permissions_default _S_IREAD | _S_IWRITE
 #define os_stat_type struct _stat
+
+/*
+ * Convert a UTF8 string to Unicode wide character
+ */
+LPWSTR
+_NSSUTIL_UTF8ToWide(const char *buf)
+{
+    DWORD size;
+    LPWSTR wide;
+
+    if (!buf) {
+        return NULL;
+    }
+
+    size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0);
+    if (size == 0) {
+        return NULL;
+    }
+    wide = PORT_Alloc(sizeof(WCHAR) * size);
+    if (!wide) {
+        return NULL;
+    }
+    size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size);
+    if (size == 0) {
+        PORT_Free(wide);
+        return NULL;
+    }
+    return wide;
+}
+
+static int
+os_open(const char *filename, int oflag, int pmode)
+{
+    int fd;
+
+    if (!filename) {
+        return -1;
+    }
+
+    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+    if (!filenameWide) {
+        return -1;
+    }
+    fd = _wopen(filenameWide, oflag, pmode);
+    PORT_Free(filenameWide);
+
+    return fd;
+}
+
+static int
+os_stat(const char *path, os_stat_type *buffer)
+{
+    int result;
+
+    if (!path) {
+        return -1;
+    }
+
+    wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
+    if (!pathWide) {
+        return -1;
+    }
+    result = _wstat(pathWide, buffer);
+    PORT_Free(pathWide);
+
+    return result;
+}
+
+static FILE *
+os_fopen(const char *filename, const char *mode)
+{
+    FILE *fp;
+
+    if (!filename || !mode) {
+        return NULL;
+    }
+
+    wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+    if (!filenameWide) {
+        return NULL;
+    }
+    wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode);
+    if (!modeWide) {
+        PORT_Free(filenameWide);
+        return NULL;
+    }
+    fp = _wfopen(filenameWide, modeWide);
+    PORT_Free(filenameWide);
+    PORT_Free(modeWide);
+
+    return fp;
+}
+
+PRStatus
+_NSSUTIL_Access(const char *path, PRAccessHow how)
+{
+    int result;
+
+    if (!path) {
+        return PR_FAILURE;
+    }
+
+    int mode;
+    switch (how) {
+        case PR_ACCESS_WRITE_OK:
+            mode = 2;
+            break;
+        case PR_ACCESS_READ_OK:
+            mode = 4;
+            break;
+        case PR_ACCESS_EXISTS:
+            mode = 0;
+            break;
+        default:
+            return PR_FAILURE;
+    }
+
+    wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
+    if (!pathWide) {
+        return PR_FAILURE;
+    }
+    result = _waccess(pathWide, mode);
+    PORT_Free(pathWide);
+
+    return result < 0 ? PR_FAILURE : PR_SUCCESS;
+}
+
+static PRStatus
+nssutil_Delete(const char *name)
+{
+    BOOL result;
+
+    if (!name) {
+        return PR_FAILURE;
+    }
+
+    wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name);
+    if (!nameWide) {
+        return PR_FAILURE;
+    }
+    result = DeleteFileW(nameWide);
+    PORT_Free(nameWide);
+
+    return result ? PR_SUCCESS : PR_FAILURE;
+}
+
+static PRStatus
+nssutil_Rename(const char *from, const char *to)
+{
+    BOOL result;
+
+    if (!from || !to) {
+        return PR_FAILURE;
+    }
+
+    wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from);
+    if (!fromWide) {
+        return PR_FAILURE;
+    }
+    wchar_t *toWide = _NSSUTIL_UTF8ToWide(to);
+    if (!toWide) {
+        PORT_Free(fromWide);
+        return PR_FAILURE;
+    }
+    result = MoveFileW(fromWide, toWide);
+    PORT_Free(fromWide);
+    PORT_Free(toWide);
+
+    return result ? PR_SUCCESS : PR_FAILURE;
+}
 #else
+#define os_fopen fopen
 #define os_open open
 #define os_fdopen fdopen
 #define os_stat stat
@@ -51,6 +221,8 @@
 #define os_open_permissions_type mode_t
 #define os_open_permissions_default 0600
 #define os_stat_type struct stat
+#define nssutil_Delete PR_Delete
+#define nssutil_Rename PR_Rename
 #endif
 
 /****************************************************************
@@ -219,7 +391,7 @@ nssutil_ReadSecmodDB(const char *appName,
     }
 
     /* do we really want to use streams here */
-    fd = fopen(dbname, "r");
+    fd = os_fopen(dbname, "r");
     if (fd == NULL)
         goto done;
 
@@ -403,7 +575,7 @@ done:
         }
 
         /* old one exists */
-        status = PR_Access(olddbname, PR_ACCESS_EXISTS);
+        status = _NSSUTIL_Access(olddbname, PR_ACCESS_EXISTS);
         if (status == PR_SUCCESS) {
             PR_smprintf_free(olddbname);
             PORT_ZFree(moduleList, useCount * sizeof(char *));
@@ -532,7 +704,7 @@ nssutil_DeleteSecmodDBEntry(const char *appName,
     }
 
     /* do we really want to use streams here */
-    fd = fopen(dbname, "r");
+    fd = os_fopen(dbname, "r");
     if (fd == NULL)
         goto loser;
 
@@ -602,10 +774,10 @@ nssutil_DeleteSecmodDBEntry(const char *appName,
     fclose(fd2);
     if (found) {
         /* rename dbname2 to dbname */
-        PR_Delete(dbname);
-        PR_Rename(dbname2, dbname);
+        nssutil_Delete(dbname);
+        nssutil_Rename(dbname2, dbname);
     } else {
-        PR_Delete(dbname2);
+        nssutil_Delete(dbname2);
     }
     PORT_Free(dbname2);
     PORT_Free(lib);
@@ -621,7 +793,7 @@ loser:
         fclose(fd2);
     }
     if (dbname2) {
-        PR_Delete(dbname2);
+        nssutil_Delete(dbname2);
         PORT_Free(dbname2);
     }
     PORT_Free(lib);

security/nss/lib/util/utilpars.c

@@ -589,6 +589,7 @@ struct nssutilArgSlotFlagTable {
     }
 static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = {
     NSSUTIL_ARG_ENTRY(RSA, SECMOD_RSA_FLAG),
+    NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG),
     NSSUTIL_ARG_ENTRY(DSA, SECMOD_RSA_FLAG),
     NSSUTIL_ARG_ENTRY(RC2, SECMOD_RC4_FLAG),
     NSSUTIL_ARG_ENTRY(RC4, SECMOD_RC2_FLAG),

security/nss/lib/util/utilpars.h

@@ -59,5 +59,11 @@ char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
 char *_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType,
                              char **appName, char **filename, PRBool *rw);
 const char *_NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType *dbType, char **app);
+#if defined(_WIN32)
+wchar_t *_NSSUTIL_UTF8ToWide(const char *buf);
+PRStatus _NSSUTIL_Access(const char *path, PRAccessHow how);
+#else
+#define _NSSUTIL_Access(path, how) PR_Access((path), (how))
+#endif
 
 #endif /* _UTILPARS_H_ */

security/nss/lib/util/utilparst.h

@@ -43,7 +43,7 @@
 #define NSSUTIL_DEFAULT_INTERNAL_INIT3 \
     " askpw=any timeout=30})\""
 #define NSSUTIL_DEFAULT_SFTKN_FLAGS \
-    "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
+    "slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
 
 #define NSSUTIL_DEFAULT_CIPHER_ORDER 0
 #define NSSUTIL_DEFAULT_TRUST_ORDER 50

security/nss/readme.md

@@ -137,3 +137,50 @@ The nss directory contains the following important subdirectories:
 A more comprehensible overview of the NSS folder structure and API guidelines
 can be found
 [here](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_API_Guidelines).
+
+## Build mechanisms related to FIPS compliance
+
+NSS supports build configurations for FIPS-140 compliance, and alternative build
+configurations that disable functionality specific to FIPS-140 compliance.
+
+This section documents the environment variables and build parameters that
+control these configurations.
+
+### Build FIPS startup tests
+
+The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests.
+If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.
+
+The legacy build system (make) by default disables these tests.
+To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.
+
+The gyp build system by default disables these tests.
+To enable these tests, pass parameter --enable-fips to build.sh.
+
+### Building either FIPS compliant or alternative compliant code
+
+The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code
+and enable alternative implementations.
+
+The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses
+the FIPS compliant code.
+
+The gyp build system by default defines NSS_FIPS_DISABLED.
+To use the FIPS compliant code, pass parameter --enable-fips to build.sh.
+
+### Test execution
+
+The NSS test suite may contain tests that are included, excluded, or are
+different based on the FIPS build configuration. To execute the correct tests,
+it's necessary to determine which build configuration was used.
+
+The legacy build system (make) uses environment variables to control all
+aspects of the build configuration, including FIPS build configuration.
+
+Because the gyp build system doesn't use environment variables to control the
+build configuration, the NSS tests cannot rely on environment variables to
+determine the build configuration.
+
+A helper binary named nss-build-flags is produced as part of the NSS build,
+which prints the C macro symbols that were defined at build time, and which are
+relevant to test execution.

security/nss/tests/all.sh

@@ -295,9 +295,9 @@ fi
 cycles="standard pkix upgradedb sharedb"
 CYCLES=${NSS_CYCLES:-$cycles}
 
-if [ -n "$NSS_FORCE_FIPS" ]; then
+NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT`
+if [ $NO_INIT_SUPPORT -eq 0 ]; then
     RUN_FIPS="fips"
-    export NSS_TEST_ENABLE_FIPS=1
 fi
 
 tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
@@ -310,7 +310,7 @@ TESTS=${NSS_TESTS:-$tests}
 ALL_TESTS=${TESTS}
 
 nss_ssl_tests="crl iopr policy"
-if [ -n "$NSS_FORCE_FIPS" ]; then
+if [ $NO_INIT_SUPPORT -eq 0 ]; then
     nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
 fi
 NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"

security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
+biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
+IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
+GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
+Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
+U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
+ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
+CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
+AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
+yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
+SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
+xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
+/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
+Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
+BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
+OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
+ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
+HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
+nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
+pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
+hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
+uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
+-----END CERTIFICATE-----

security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
+GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
+EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
+IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
+NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
+UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
+DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
+7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
+Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
+sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
+eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
+aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
+hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
+AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
+fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
+difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
+4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
+g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
+0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
+-----END CERTIFICATE-----

security/nss/tests/cert/cert.sh

@@ -1359,7 +1359,7 @@ MODSCRIPT
 # local shell function to verify small rsa exponent can be used (only
 # run if FIPS has not been turned on in the build).
 ##############################################################################
-cert_rsa_exponent()
+cert_rsa_exponent_nonfips()
 {
   echo "$SCRIPTNAME: Verify that small RSA exponents still work  =============="
   CU_ACTION="Attempt to generate a key with exponent of 3"
@@ -2095,6 +2095,20 @@ cert_test_rsapss()
   certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
         -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
 
+  CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
+  certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
+  RETEXPECTED=255
+  certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+  RETEXPECTED=0
+
+  CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
+  certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
+  RETEXPECTED=255
+  certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+  RETEXPECTED=0
+
   CERTSERIAL=200
 
   # Subject certificate: RSA
@@ -2431,16 +2445,12 @@ cert_test_implicit_db_init
 cert_extended_ssl
 cert_ssl
 cert_smime_client
-if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then
-    cert_fips
+IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
+if [ $IS_FIPS_DISABLED -ne 0 ]; then
+  cert_rsa_exponent_nonfips
+else
+  cert_fips
 fi
-# We currently have difficulties to know if the build is a non-FIPS build,
-# because of differences between the "make" and "gyp" build systems.
-# As soon as we have a reliable way to detect that based on a variable,
-# we should enable the following test call. See bug 1409516.
-# if SYMBOL_THAT_TELLS_US_FIPS_IS_DISABLED
-#   cert_rsa_exponent
-# fi
 cert_eccurves
 cert_extensions
 cert_san_and_generic_extensions

security/nss/tests/fips/fips.sh

@@ -23,7 +23,6 @@
 ########################################################################
 fips_init()
 {
-  export NSS_TEST_ENABLE_FIPS=1
   SCRIPTNAME=fips.sh      # sourced - $0 would point to all.sh
 
   if [ -z "${CLEANUP}" ] ; then     # if nobody else is responsible for