From a881c4a1671b92e3dab714837bd12c8a96152d87 Mon Sep 17 00:00:00 2001 
From: Franziskus Kiefer Date: Mon, 8 Jan 2018 11:46:51 +0100 Subject: [PATCH] Bug 1403844 - Verify COSE signature on add-ons, r=keeler Summary: MozReview-Commit-ID: 6YorBs4mY8B Check for COSE signatures in add-ons. Reviewers: keeler Bug #: 1403844 Differential Revision: https://phabricator.services.mozilla.com/D298 --HG-- rename : security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed.zip => security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip rename : security/manager/ssl/tests/unit/test_signed_apps/cose_signed.zip => security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip rename : third_party/rust/cose/src/cbor/mod.rs => third_party/rust/moz_cbor/src/lib.rs extra : rebase_source : 0494590eb222e2c936e353e4dd6cf9fac8d822f3 --- security/apps/AppSignatureVerification.cpp | 699 +++++++++++++----- security/apps/moz.build | 1 + security/manager/ssl/security-prefs.js | 15 +- security/manager/ssl/tests/gtest/CoseTest.cpp | 77 +- security/manager/ssl/tests/unit/sign_app.py | 118 +-- .../ssl/tests/unit/test_signed_apps.js | 100 ++- .../cose_int_signed_with_pkcs7.zip | Bin 0 -> 5002 bytes .../test_signed_apps/cose_multiple_signed.zip | Bin 4911 -> 0 bytes .../cose_multiple_signed_with_pkcs7.zip | Bin 0 -> 4929 bytes ..._signed.zip => cose_signed_with_pkcs7.zip} | Bin 4213 -> 4222 bytes .../ssl/tests/unit/test_signed_apps/moz.build | 13 +- .../only_cose_multiple_signed.zip | Bin 0 -> 2822 bytes .../test_signed_apps/only_cose_signed.zip | Bin 0 -> 2115 bytes third_party/rust/cose-c/.cargo-checksum.json | 2 +- third_party/rust/cose-c/Cargo.toml | 4 +- third_party/rust/cose-c/include/cosec.h | 4 +- third_party/rust/cose-c/src/lib.rs | 6 +- third_party/rust/cose/.cargo-checksum.json | 2 +- third_party/rust/cose/.travis.yml | 12 +- third_party/rust/cose/Cargo.toml | 6 +- third_party/rust/cose/README.md | 11 + .../rust/cose/examples/sign_verify/main.rs | 259 +++++++ .../cose/{src => examples/sign_verify}/nss.rs | 2 
+- .../{src => examples/sign_verify}/test_nss.rs | 9 +- .../cose/examples/sign_verify/test_setup.rs | 625 ++++++++++++++++ .../sign_verify}/util_test.rs | 6 +- third_party/rust/cose/src/cose.rs | 30 +- third_party/rust/cose/src/decoder.rs | 79 +- third_party/rust/cose/src/test_cose.rs | 630 +++++++++++----- third_party/rust/cose/src/test_setup.rs | 477 ------------ third_party/rust/cose/src/util.rs | 26 +- .../rust/moz_cbor/.cargo-checksum.json | 1 + third_party/rust/moz_cbor/.travis.yml | 24 + third_party/rust/moz_cbor/Cargo.toml | 23 + third_party/rust/moz_cbor/LICENSE | 373 ++++++++++ third_party/rust/moz_cbor/README.md | 8 + third_party/rust/moz_cbor/rustfmt.toml | 4 + .../src/cbor => moz_cbor/src}/decoder.rs | 2 +- .../src/cbor/mod.rs => moz_cbor/src/lib.rs} | 0 .../src/cbor => moz_cbor/src}/serializer.rs | 2 +- .../src/cbor => moz_cbor/src}/test_decoder.rs | 4 +- .../cbor => moz_cbor/src}/test_serializer.rs | 2 +- toolkit/library/gtest/rust/Cargo.lock | 21 +- toolkit/library/rust/Cargo.lock | 21 +- toolkit/library/rust/shared/Cargo.toml | 2 +- 45 files changed, 2663 insertions(+), 1037 deletions(-) create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip delete mode 100644 security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip rename security/manager/ssl/tests/unit/test_signed_apps/{cose_signed.zip => cose_signed_with_pkcs7.zip} (55%) create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip create mode 100644 third_party/rust/cose/examples/sign_verify/main.rs rename third_party/rust/cose/{src => examples/sign_verify}/nss.rs (99%) rename third_party/rust/cose/{src => examples/sign_verify}/test_nss.rs (92%) create mode 100644 
third_party/rust/cose/examples/sign_verify/test_setup.rs rename third_party/rust/cose/{src => examples/sign_verify}/util_test.rs (97%) create mode 100644 third_party/rust/moz_cbor/.cargo-checksum.json create mode 100644 third_party/rust/moz_cbor/.travis.yml create mode 100644 third_party/rust/moz_cbor/Cargo.toml create mode 100644 third_party/rust/moz_cbor/LICENSE create mode 100644 third_party/rust/moz_cbor/README.md create mode 100644 third_party/rust/moz_cbor/rustfmt.toml rename third_party/rust/{cose/src/cbor => moz_cbor/src}/decoder.rs (99%) rename third_party/rust/{cose/src/cbor/mod.rs => moz_cbor/src/lib.rs} (100%) rename third_party/rust/{cose/src/cbor => moz_cbor/src}/serializer.rs (99%) rename third_party/rust/{cose/src/cbor => moz_cbor/src}/test_decoder.rs (99%) rename third_party/rust/{cose/src/cbor => moz_cbor/src}/test_serializer.rs (99%) diff --git a/security/apps/AppSignatureVerification.cpp b/security/apps/AppSignatureVerification.cpp index 019e1760caf3..b8dc247b9a74 100644 --- a/security/apps/AppSignatureVerification.cpp +++ b/security/apps/AppSignatureVerification.cpp @@ -13,6 +13,7 @@ #include "SharedCertVerifier.h" #include "certdb.h" #include "cms.h" +#include "cosec.h" #include "mozilla/Base64.h" #include "mozilla/Casting.h" #include "mozilla/Logging.h" @@ -343,8 +344,10 @@ ReadLine(/*in/out*/ const char* & nextLineStart, /*out*/ nsCString & line, // The header strings are defined in the JAR specification. #define JAR_MF_SEARCH_STRING "(M|/M)ETA-INF/(M|m)(ANIFEST|anifest).(MF|mf)$" +#define JAR_COSE_MF_SEARCH_STRING "(M|/M)ETA-INF/cose.manifest$" #define JAR_SF_SEARCH_STRING "(M|/M)ETA-INF/*.(SF|sf)$" #define JAR_RSA_SEARCH_STRING "(M|/M)ETA-INF/*.(RSA|rsa)$" +#define JAR_COSE_SEARCH_STRING "(M|/M)ETA-INF/cose.sig$" #define JAR_META_DIR "META-INF" #define JAR_MF_HEADER "Manifest-Version: 1.0" #define JAR_SF_HEADER "Signature-Version: 1.0" 
@@ -840,17 +843,466 @@ VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer, &pkcs7DataOid)); } +class CoseVerificationContext +{ +public: + explicit CoseVerificationContext(AppTrustedRoot aTrustedRoot) + : mTrustedRoot(aTrustedRoot) + , mCertDER(nullptr) + , mCertDERLen(0) + { + } + ~CoseVerificationContext() {} + + AppTrustedRoot GetTrustedRoot() { return mTrustedRoot; } + nsresult SetCert(SECItem* aCertDER) + { + mCertDERLen = aCertDER->len; + mCertDER = MakeUnique(mCertDERLen); + if (!mCertDER) { + return NS_ERROR_OUT_OF_MEMORY; + } + memcpy(mCertDER.get(), aCertDER->data, mCertDERLen); + return NS_OK; + } + uint8_t* GetCert() { return mCertDER.get(); } + unsigned int GetCertLen() { return mCertDERLen; } + +private: + AppTrustedRoot mTrustedRoot; + UniquePtr mCertDER; + unsigned int mCertDERLen; +}; + +// Verification function called from cose-rust. +// Returns true if everything goes well and the signature and certificate chain +// are good, false in any other case. +bool +CoseVerificationCallback(const uint8_t* aPayload, + size_t aPayloadLen, + const uint8_t** aCertChain, + size_t aCertChainLen, + const size_t* aCertsLen, + const uint8_t* aEECert, + size_t aEECertLen, + const uint8_t* aSignature, + size_t aSignatureLen, + uint8_t aSignatureAlgorithm, + void* ctx) +{ + if (!ctx || !aPayload || !aEECert || !aSignature) { + return false; + } + // The ctx here is a pointer to a CoseVerificationContext object + CoseVerificationContext* context = static_cast(ctx); + AppTrustedRoot aTrustedRoot = context->GetTrustedRoot(); + + CK_MECHANISM_TYPE mechanism; + SECOidTag oid; + uint32_t hash_length; + SECItem param = { siBuffer, nullptr, 0 }; + switch (aSignatureAlgorithm) { + case ES256: + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA256; + hash_length = SHA256_LENGTH; + break; + case ES384: + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA384; + hash_length = SHA384_LENGTH; + break; + case ES512: + mechanism = CKM_ECDSA; + oid = SEC_OID_SHA512; + hash_length = 
SHA512_LENGTH;
+ break;
+ default:
+ return false;
+ }
+
+ uint8_t hashBuf[HASH_LENGTH_MAX];
+ SECStatus rv = PK11_HashBuf(oid, hashBuf, aPayload, aPayloadLen);
+ if (rv != SECSuccess) {
+ return false;
+ }
+ SECItem hashItem = { siBuffer, hashBuf, hash_length };
+ CERTCertDBHandle* dbHandle = CERT_GetDefaultCertDB();
+ if (!dbHandle) {
+ return false;
+ }
+ SECItem derCert = { siBuffer,
+ const_cast(aEECert),
+ static_cast(aEECertLen) };
+ UniqueCERTCertificate cert(
+ CERT_NewTempCertificate(dbHandle, &derCert, nullptr, false, true));
+ if (!cert) {
+ return false;
+ }
+ UniqueSECKEYPublicKey key(CERT_ExtractPublicKey(cert.get()));
+ if (!key) {
+ return false;
+ }
+ SECItem signatureItem = { siBuffer,
+ const_cast(aSignature),
+ static_cast(aSignatureLen) };
+ rv = PK11_VerifyWithMechanism(
+ key.get(), mechanism, ¶m, &signatureItem, &hashItem, nullptr);
+ if (rv != SECSuccess) {
+ return false;
+ }
+
+ // Load intermediate certs into NSS so we can verify the cert chain.
+ UniqueCERTCertList tempCerts(CERT_NewCertList());
+ for (size_t i = 0; i < aCertChainLen; ++i) {
+ SECItem derCert = { siBuffer,
+ const_cast(aCertChain[i]),
+ static_cast(aCertsLen[i]) };
+ UniqueCERTCertificate tempCert(
+ CERT_NewTempCertificate(dbHandle, &derCert, nullptr, false, true));
+ // Skip certs that we can't parse. If it was one we needed, the verification
+ // will fail later.
+ if (!tempCert) {
+ continue;
+ }
+ if (CERT_AddCertToListTail(tempCerts.get(), tempCert.get()) != SECSuccess) {
+ return false;
+ }
+ Unused << tempCert.release();
+ }
+
+ UniqueCERTCertList builtChain;
+ nsresult nrv = VerifyCertificate(cert.get(), aTrustedRoot, builtChain);
+ bool result = true;
+ if (NS_FAILED(nrv)) {
+ result = false;
+ }
+
+ // Passing back the signing certificate in form of the DER cert.
+ nrv = context->SetCert(&cert->derCert);
+ if (NS_FAILED(nrv)) {
+ result = false;
+ }
+
+ return result;
+}
+
+nsresult
+VerifyAppManifest(SECOidTag aDigestToUse, nsCOMPtr aZip,
+ nsTHashtable& aIgnoredFiles,
+ const SECItem& aManifestBuffer)
+{
+ // Allocate the I/O buffer only once per JAR, instead of once per entry, in
+ // order to minimize malloc/free calls and in order to avoid fragmenting
+ // memory.
+ ScopedAutoSECItem buf(128 * 1024);
+
+ nsTHashtable items;
+
+ nsresult rv = ParseMF(BitwiseCast(aManifestBuffer.data),
+ aZip, aDigestToUse, items, buf);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Verify every entry in the file.
+ nsCOMPtr entries;
+ rv = aZip->FindEntries(EmptyCString(), getter_AddRefs(entries));
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ if (!entries) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+ for (;;) {
+ bool hasMore;
+ rv = entries->HasMore(&hasMore);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ if (!hasMore) {
+ break;
+ }
+
+ nsAutoCString entryFilename;
+ rv = entries->GetNext(entryFilename);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ MOZ_LOG(gPIPNSSLog,
+ LogLevel::Debug,
+ ("Verifying digests for %s", entryFilename.get()));
+
+ if (entryFilename.Length() == 0) {
+ return NS_ERROR_SIGNED_JAR_ENTRY_INVALID;
+ }
+
+ // The files that comprise the signature mechanism are not covered by the
+ // signature. Ignore these files.
+ if (aIgnoredFiles.Contains(entryFilename)) {
+ continue;
+ }
+
+ // Entries with names that end in "/" are directory entries, which are not
+ // signed.
+ //
+ // Since bug 1415991 we don't support unpacked JARs. The "/" entries are
+ // therefore harmless.
+ if (entryFilename.Last() == '/') {
+ continue;
+ }
+
+ nsCStringHashKey* item = items.GetEntry(entryFilename);
+ if (!item) {
+ return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY;
+ }
+
+ // Remove the item so we can check for leftover items later
+ items.RemoveEntry(item);
+ }
+
+ // We verified that every entry that we require to be signed is signed.
But, + // were there any missing entries--that is, entries that are mentioned in the + // manifest but missing from the archive? + if (items.Count() != 0) { + return NS_ERROR_SIGNED_JAR_ENTRY_MISSING; + } + + return NS_OK; +} + // This corresponds to the preference "security.signed_app_signatures.policy". -enum class SignaturePolicy { - PKCS7WithSHA1OrSHA256 = 0, - PKCS7WithSHA256 = 1, +// The lowest order bit determines which PKCS#7 algorithms are accepted. +// xxx_0_: SHA-1 and/or SHA-256 PKCS#7 allowed +// xxx_1_: SHA-256 PKCS#7 allowed +// The next two bits determine whether COSE is required and PKCS#7 is allowed +// x_00_x: COSE disabled, ignore files, PKCS#7 must verify +// x_01_x: COSE is verified if present, PKCS#7 must verify +// x_10_x: COSE is required, PKCS#7 must verify if present +// x_11_x: COSE is required, PKCS#7 disabled (fail when present) +class SignaturePolicy +{ +public: + explicit SignaturePolicy(int32_t preference) + : mProcessCose(true) + , mCoseRequired(false) + , mProcessPK7(true) + , mPK7Required(true) + , mSHA1Allowed(true) + , mSHA256Allowed(true) + { + mCoseRequired = (preference & 0b100) != 0; + mProcessCose = (preference & 0b110) != 0; + mPK7Required = (preference & 0b100) == 0; + mProcessPK7 = (preference & 0b110) != 0b110; + if ((preference & 0b1) == 0) { + mSHA1Allowed = true; + mSHA256Allowed = true; + } else { + mSHA1Allowed = false; + mSHA256Allowed = true; + } + } + ~SignaturePolicy() + { + } + bool ProcessCOSE() { return mProcessCose; } + bool COSERequired() { return mCoseRequired; } + bool PK7Required() { return mPK7Required; } + bool ProcessPK7() { return mProcessPK7; } + bool IsPK7HashAllowed(SECOidTag aHashAlg) + { + if (aHashAlg == SEC_OID_SHA256 && mSHA256Allowed) { + return true; + } + if (aHashAlg == SEC_OID_SHA1 && mSHA1Allowed) { + return true; + } + return false; + } + +private: + bool mProcessCose; + bool mCoseRequired; + bool mProcessPK7; + bool mPK7Required; + bool mSHA1Allowed; + bool mSHA256Allowed; }; 
nsresult -OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, +VerifyCOSESignature(AppTrustedRoot aTrustedRoot, nsIZipReader* aZip, + SignaturePolicy& aPolicy, + nsTHashtable& aIgnoredFiles, + /* out */ bool& aVerified, + /* out */ UniqueSECItem* aCoseCertItem) +{ + NS_ENSURE_ARG_POINTER(aZip); + NS_ENSURE_ARG_POINTER(aCoseCertItem); + bool required = aPolicy.COSERequired(); + aVerified = false; + + // Read COSE signature file. + nsAutoCString coseFilename; + ScopedAutoSECItem coseBuffer; + nsresult rv = FindAndLoadOneEntry( + aZip, NS_LITERAL_CSTRING(JAR_COSE_SEARCH_STRING), coseFilename, coseBuffer); + if (NS_FAILED(rv)) { + return required ? NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE : NS_OK; + } + + // Verify COSE signature. + nsAutoCString mfFilename; + ScopedAutoSECItem manifestBuffer; + rv = FindAndLoadOneEntry(aZip, + NS_LITERAL_CSTRING(JAR_COSE_MF_SEARCH_STRING), + mfFilename, + manifestBuffer); + if (NS_FAILED(rv)) { + return required ? NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE : rv; + } + MOZ_ASSERT(manifestBuffer.len >= 1); + MOZ_ASSERT(coseBuffer.len >= 1); + CoseVerificationContext context(aTrustedRoot); + bool coseVerification = verify_cose_signature_ffi(manifestBuffer.data, + manifestBuffer.len - 1, + coseBuffer.data, + coseBuffer.len - 1, + &context, + CoseVerificationCallback); + if (!coseVerification) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + // CoseVerificationCallback sets the context certificate to the first cert + // it encounters. + const SECItem derCert = { siBuffer, context.GetCert(), context.GetCertLen() }; + aCoseCertItem->reset(SECITEM_DupItem(&derCert)); + if (!aCoseCertItem) { + return NS_ERROR_FAILURE; + } + + // aIgnoredFiles contains the PKCS#7 manifest and signature files iff the + // PKCS#7 verification was successful. 
+ aIgnoredFiles.PutEntry(mfFilename);
+ aIgnoredFiles.PutEntry(coseFilename);
+ rv = VerifyAppManifest(SEC_OID_SHA256, aZip, aIgnoredFiles, manifestBuffer);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ aVerified = true;
+ return NS_OK;
+}
+
+nsresult
+VerifyPK7Signature(AppTrustedRoot aTrustedRoot, nsIZipReader* aZip,
+ SignaturePolicy& aPolicy,
+ /* out */ nsTHashtable& aIgnoredFiles,
+ /* out */ bool& aVerified,
+ /* out */ UniqueCERTCertList& aBuiltChain)
+{
+ NS_ENSURE_ARG_POINTER(aZip);
+ bool required = aPolicy.PK7Required();
+ aVerified = false;
+
+ // Signature (RSA) file
+ nsAutoCString sigFilename;
+ ScopedAutoSECItem sigBuffer;
+ nsresult rv = FindAndLoadOneEntry(
+ aZip, nsLiteralCString(JAR_RSA_SEARCH_STRING), sigFilename, sigBuffer);
+ if (NS_FAILED(rv)) {
+ return required ? NS_ERROR_SIGNED_JAR_NOT_SIGNED : NS_OK;
+ }
+
+ // Signature (SF) file
+ nsAutoCString sfFilename;
+ ScopedAutoSECItem sfBuffer;
+ rv = FindAndLoadOneEntry(
+ aZip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING), sfFilename, sfBuffer);
+ if (NS_FAILED(rv)) {
+ return required ? NS_ERROR_SIGNED_JAR_MANIFEST_INVALID : NS_OK;
+ }
+
+ // Calculate both the SHA-1 and SHA-256 hashes of the signature file - we
+ // don't know what algorithm the PKCS#7 signature used.
+ Digest sfCalculatedSHA1Digest;
+ rv = sfCalculatedSHA1Digest.DigestBuf(
+ SEC_OID_SHA1, sfBuffer.data, sfBuffer.len - 1);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ Digest sfCalculatedSHA256Digest;
+ rv = sfCalculatedSHA256Digest.DigestBuf(
+ SEC_OID_SHA256, sfBuffer.data, sfBuffer.len - 1);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
+ // Verify PKCS#7 signature.
+ // If we get here, the signature has to verify even if PKCS#7 is not required.
+ sigBuffer.type = siBuffer; + SECOidTag digestToUse; + rv = VerifySignature(aTrustedRoot, + sigBuffer, + sfCalculatedSHA1Digest.get(), + sfCalculatedSHA256Digest.get(), + digestToUse, + aBuiltChain); + if (NS_FAILED(rv)) { + return rv; + } + + // Check the digest used for the signature against the policy. + if (!aPolicy.IsPK7HashAllowed(digestToUse)) { + return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE; + } + + nsAutoCString mfDigest; + rv = ParseSF( + BitwiseCast(sfBuffer.data), digestToUse, mfDigest); + if (NS_FAILED(rv)) { + return rv; + } + + // Read PK7 manifest (MF) file. + ScopedAutoSECItem manifestBuffer; + Digest mfCalculatedDigest; + nsAutoCString mfFilename; + rv = FindAndLoadOneEntry(aZip, + NS_LITERAL_CSTRING(JAR_MF_SEARCH_STRING), + mfFilename, + manifestBuffer, + digestToUse, + &mfCalculatedDigest); + if (NS_FAILED(rv)) { + return rv; + } + + nsDependentCSubstring calculatedDigest( + DigestToDependentString(mfCalculatedDigest)); + if (!mfDigest.Equals(calculatedDigest)) { + return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; + } + + // Verify PKCS7 manifest file hashes. + aIgnoredFiles.PutEntry(sfFilename); + aIgnoredFiles.PutEntry(sigFilename); + aIgnoredFiles.PutEntry(mfFilename); + rv = VerifyAppManifest(digestToUse, aZip, aIgnoredFiles, manifestBuffer); + if (NS_FAILED(rv)) { + aIgnoredFiles.Clear(); + return rv; + } + + aVerified = true; + return NS_OK; +} + +nsresult +OpenSignedAppFile(AppTrustedRoot aTrustedRoot, + nsIFile* aJarFile, SignaturePolicy aPolicy, - /*out, optional */ nsIZipReader** aZipReader, - /*out, optional */ nsIX509Cert** aSignerCert) + /* out, optional */ nsIZipReader** aZipReader, + /* out, optional */ nsIX509Cert** aSignerCert) { NS_ENSURE_ARG_POINTER(aJarFile); 
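Review bot: In VerifyCOSESignature the check after `aCoseCertItem->reset(SECITEM_DupItem(&derCert));` tests the out-pointer `aCoseCertItem`, which NS_ENSURE_ARG_POINTER has already shown to be non-null, so a failed SECITEM_DupItem is never caught and the function still goes on to set `aVerified = true`. It should test the owned item instead, `if (!*aCoseCertItem) { return NS_ERROR_OUT_OF_MEMORY; }`. As written, the signer-certificate branch in OpenSignedAppFile (the hunk at -1037) would then fall back to the PKCS#7 chain whenever COSE is not required, reporting a different signer than the COSE one its comment calls authoritative. Separately, the comment says CoseVerificationCallback keeps the first certificate it encounters, but `SetCert` overwrites the stored DER on every call, so if the callback runs once per signature the last one wins; the comment and the code should be made to agree.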
@@ -871,162 +1323,36 @@ OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, rv = zip->Open(aJarFile); NS_ENSURE_SUCCESS(rv, rv); - // Signature (RSA) file - nsAutoCString sigFilename; - ScopedAutoSECItem sigBuffer; - rv = FindAndLoadOneEntry(zip, nsLiteralCString(JAR_RSA_SEARCH_STRING), - sigFilename, sigBuffer); - if (NS_FAILED(rv)) { - return NS_ERROR_SIGNED_JAR_NOT_SIGNED; - } + bool pk7Verified = false; + bool coseVerified = false; + nsTHashtable ignoredFiles; + UniqueCERTCertList pk7BuiltChain; + UniqueSECItem coseCertItem; - // Signature (SF) file - nsAutoCString sfFilename; - ScopedAutoSECItem sfBuffer; - rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING), - sfFilename, sfBuffer); - if (NS_FAILED(rv)) { - return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; - } - - // Calculate both the SHA-1 and SHA-256 hashes of the signature file - we - // don't know what algorithm the PKCS#7 signature used. - Digest sfCalculatedSHA1Digest; - rv = sfCalculatedSHA1Digest.DigestBuf(SEC_OID_SHA1, sfBuffer.data, - sfBuffer.len - 1); - if (NS_FAILED(rv)) { - return rv; - } - Digest sfCalculatedSHA256Digest; - rv = sfCalculatedSHA256Digest.DigestBuf(SEC_OID_SHA256, sfBuffer.data, - sfBuffer.len - 1); - if (NS_FAILED(rv)) { - return rv; - } - - sigBuffer.type = siBuffer; - UniqueCERTCertList builtChain; - SECOidTag digestToUse; - rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedSHA1Digest.get(), - sfCalculatedSHA256Digest.get(), digestToUse, builtChain); - if (NS_FAILED(rv)) { - return rv; - } - - switch (aPolicy) { - case SignaturePolicy::PKCS7WithSHA256: - if (digestToUse != SEC_OID_SHA256) { - return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE; - } - break; - case SignaturePolicy::PKCS7WithSHA1OrSHA256: - break; - } - - nsAutoCString mfDigest; - rv = ParseSF(BitwiseCast(sfBuffer.data), digestToUse, - mfDigest); - if (NS_FAILED(rv)) { - return rv; - } - - // Manifest (MF) file - nsAutoCString mfFilename; - ScopedAutoSECItem manifestBuffer; - Digest 
mfCalculatedDigest; - rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_MF_SEARCH_STRING), - mfFilename, manifestBuffer, digestToUse, - &mfCalculatedDigest); - if (NS_FAILED(rv)) { - return rv; - } - - nsDependentCSubstring calculatedDigest( - DigestToDependentString(mfCalculatedDigest)); - if (!mfDigest.Equals(calculatedDigest)) { - return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; - } - - // Allocate the I/O buffer only once per JAR, instead of once per entry, in - // order to minimize malloc/free calls and in order to avoid fragmenting - // memory. - ScopedAutoSECItem buf(128 * 1024); - - nsTHashtable items; - - rv = ParseMF(BitwiseCast(manifestBuffer.data), zip, - digestToUse, items, buf); - if (NS_FAILED(rv)) { - return rv; - } - - // Verify every entry in the file. - nsCOMPtr entries; - rv = zip->FindEntries(EmptyCString(), getter_AddRefs(entries)); - if (NS_SUCCEEDED(rv) && !entries) { - rv = NS_ERROR_UNEXPECTED; - } - if (NS_FAILED(rv)) { - return rv; - } - - for (;;) { - bool hasMore; - rv = entries->HasMore(&hasMore); - NS_ENSURE_SUCCESS(rv, rv); - - if (!hasMore) { - break; + // First we have to verify the PKCS#7 signature if there is one. + // This signature covers all files (except for the signature files itself), + // including the COSE signature files. Only when this verification is + // successful the respective files will be ignored in the subsequent COSE + // signature verification. + if (aPolicy.ProcessPK7()) { + rv = VerifyPK7Signature( + aTrustedRoot, zip, aPolicy, ignoredFiles, pk7Verified, pk7BuiltChain); + if (NS_FAILED(rv)) { + return rv; } - - nsAutoCString entryFilename; - rv = entries->GetNext(entryFilename); - NS_ENSURE_SUCCESS(rv, rv); - - MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Verifying digests for %s", - entryFilename.get())); - - // The files that comprise the signature mechanism are not covered by the - // signature. 
- // - // XXX: This is OK for a single signature, but doesn't work for - // multiple signatures, because the metadata for the other signatures - // is not signed either. - if (entryFilename == mfFilename || - entryFilename == sfFilename || - entryFilename == sigFilename) { - continue; - } - - if (entryFilename.Length() == 0) { - return NS_ERROR_SIGNED_JAR_ENTRY_INVALID; - } - - // Entries with names that end in "/" are directory entries, which are not - // signed. - // - // XXX: As long as we don't unpack the JAR into the filesystem, the "/" - // entries are harmless. But, it is not clear what the security - // implications of directory entries are if/when we were to unpackage the - // JAR into the filesystem. - if (entryFilename[entryFilename.Length() - 1] == '/') { - continue; - } - - nsCStringHashKey * item = items.GetEntry(entryFilename); - if (!item) { - return NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY; - } - - // Remove the item so we can check for leftover items later - items.RemoveEntry(item); } - // We verified that every entry that we require to be signed is signed. But, - // were there any missing entries--that is, entries that are mentioned in the - // manifest but missing from the archive? - if (items.Count() != 0) { - return NS_ERROR_SIGNED_JAR_ENTRY_MISSING; + if (aPolicy.ProcessCOSE()) { + rv = VerifyCOSESignature( + aTrustedRoot, zip, aPolicy, ignoredFiles, coseVerified, &coseCertItem); + if (NS_FAILED(rv)) { + return rv; + } + } + + if ((aPolicy.PK7Required() && !pk7Verified) || + (aPolicy.COSERequired() && !coseVerified)) { + return NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE; } // Return the reader to the caller if they want it 
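Review bot: The policy value documented as "PKCS#7 disabled (fail when present)" has no explicit check in this hunk: when `aPolicy.ProcessPK7()` is false the PKCS#7 files are simply never added to `ignoredFiles`, so rejection depends on VerifyAppManifest reporting them as unsigned entries. That appears to hold only while the COSE manifest does not list the META-INF PKCS#7 files; an archive whose COSE manifest covers them would presumably still verify with those files present. A comment above the `ProcessCOSE()` block would make the intent checkable, e.g. `// If PKCS#7 is disabled its files are not ignored here and must fail COSE manifest verification as unsigned entries.` OpenSignedAppFile starts and ends outside this hunk.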
@@ -1037,15 +1363,36 @@ OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile, // Return the signer's certificate to the reader if they want it. // XXX: We should return an nsIX509CertList with the whole validated chain. if (aSignerCert) { - CERTCertListNode* signerCertNode = CERT_LIST_HEAD(builtChain); - if (!signerCertNode || CERT_LIST_END(signerCertNode, builtChain) || - !signerCertNode->cert) { - return NS_ERROR_FAILURE; + // The COSE certificate is authoritative. + if (aPolicy.COSERequired() || (coseCertItem && coseCertItem->len != 0)) { + if (!coseCertItem || coseCertItem->len == 0) { + return NS_ERROR_FAILURE; + } + CERTCertDBHandle* dbHandle = CERT_GetDefaultCertDB(); + if (!dbHandle) { + return NS_ERROR_FAILURE; + } + UniqueCERTCertificate cert(CERT_NewTempCertificate( + dbHandle, coseCertItem.get(), nullptr, false, true)); + if (!cert) { + return NS_ERROR_FAILURE; + } + nsCOMPtr signerCert = nsNSSCertificate::Create(cert.get()); + if (!signerCert) { + return NS_ERROR_OUT_OF_MEMORY; + } + signerCert.forget(aSignerCert); + } else { + CERTCertListNode* signerCertNode = CERT_LIST_HEAD(pk7BuiltChain); + if (!signerCertNode || CERT_LIST_END(signerCertNode, pk7BuiltChain) || + !signerCertNode->cert) { + return NS_ERROR_FAILURE; + } + nsCOMPtr signerCert = + nsNSSCertificate::Create(signerCertNode->cert); + NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY); + signerCert.forget(aSignerCert); } - nsCOMPtr signerCert = - nsNSSCertificate::Create(signerCertNode->cert); - NS_ENSURE_TRUE(signerCert, NS_ERROR_OUT_OF_MEMORY); - signerCert.forget(aSignerCert); } return NS_OK; @@ -1090,8 +1437,7 @@ private: nsCOMPtr mSignerCert; // out }; -static const SignaturePolicy sDefaultSignaturePolicy = - SignaturePolicy::PKCS7WithSHA1OrSHA256; +static const int32_t sDefaultSignaturePolicy = 0b10; } // unnamed namespace 
@@ -1105,19 +1451,10 @@ nsNSSCertificateDB::OpenSignedAppFileAsync( if (!NS_IsMainThread()) { return NS_ERROR_NOT_SAME_THREAD; } - SignaturePolicy policy = - static_cast( - Preferences::GetInt("security.signed_app_signatures.policy", - static_cast(sDefaultSignaturePolicy))); - switch (policy) { - case SignaturePolicy::PKCS7WithSHA1OrSHA256: - break; - case SignaturePolicy::PKCS7WithSHA256: - break; - default: - policy = sDefaultSignaturePolicy; - break; - } + int32_t policyInt = + Preferences::GetInt("security.signed_app_signatures.policy", + static_cast(sDefaultSignaturePolicy)); + SignaturePolicy policy(policyInt); RefPtr task(new OpenSignedAppFileTask(aTrustedRoot, aJarFile, policy, diff --git a/security/apps/moz.build b/security/apps/moz.build index 773d31b9abc1..03d11cf78f62 100644 --- a/security/apps/moz.build +++ b/security/apps/moz.build @@ -18,6 +18,7 @@ LOCAL_INCLUDES += [ '/security/certverifier', '/security/manager/ssl', '/security/pkix/include', + '/third_party/rust/cose-c/include', ] DEFINES['NSS_ENABLE_ECC'] = 'True' diff --git a/security/manager/ssl/security-prefs.js b/security/manager/ssl/security-prefs.js index 325588629790..b67feb668fa7 100644 --- a/security/manager/ssl/security-prefs.js +++ b/security/manager/ssl/security-prefs.js 
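Review bot: The preference value is now handed to `SignaturePolicy` unchecked, whereas the removed switch reset any unknown value to the default. Every integer is accepted and only its low three bits are read, so 0 or 1 turns COSE processing off and a value such as 8 behaves like 0 without any diagnostic. Consider restoring the fallback with `if (policyInt < 0 || policyInt > 0b111) { policyInt = sDefaultSignaturePolicy; }` before constructing the policy. The surviving `static_cast` around `sDefaultSignaturePolicy` is no longer needed now that the constant is an `int32_t`. The enclosing OpenSignedAppFileAsync continues outside the hunk.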
@@ -68,10 +68,17 @@ pref("security.pki.cert_short_lifetime_in_days", 10); pref("security.pki.sha1_enforcement_level", 3); // This preference controls what signature algorithms are accepted for signed -// apps (i.e. add-ons). -// 0: SHA-1 and/or SHA-256 PKCS#7 allowed -// 1: SHA-256 PKCS#7 allowed -pref("security.signed_app_signatures.policy", 0); +// apps (i.e. add-ons). The number is interpreted as a bit mask with the +// following semantic: +// The lowest order bit determines which PKCS#7 algorithms are accepted. +// xxx_0_: SHA-1 and/or SHA-256 PKCS#7 allowed +// xxx_1_: SHA-256 PKCS#7 allowed +// The next two bits determine whether COSE is required and PKCS#7 is allowed +// x_00_x: COSE disabled, ignore files, PKCS#7 must verify +// x_01_x: COSE is verified if present, PKCS#7 must verify +// x_10_x: COSE is required, PKCS#7 must verify if present +// x_11_x: COSE is required, PKCS#7 disabled (fail when present) +pref("security.signed_app_signatures.policy", 2); // security.pki.name_matching_mode controls how the platform matches hostnames // to name information in TLS certificates. The possible values are: diff --git a/security/manager/ssl/tests/gtest/CoseTest.cpp b/security/manager/ssl/tests/gtest/CoseTest.cpp index 64d7825e1418..d9a0622ae241 100644 --- a/security/manager/ssl/tests/gtest/CoseTest.cpp +++ b/security/manager/ssl/tests/gtest/CoseTest.cpp 
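Review bot: The bit-mask comment is hard to map to concrete pref values: the placeholders `xxx_0_` and `x_00_x` do not say which bit is which, and the meaning of the new default of 2 is not spelled out. Listing the values would help, for example `// 2 (default): COSE verified if present, PKCS#7 must verify, SHA-1 or SHA-256`, `// 4: COSE required, PKCS#7 must verify if present` and `// 6: COSE required, PKCS#7 disabled`, with a line noting that adding 1 restricts PKCS#7 to SHA-256. The same comment is duplicated above `SignaturePolicy` in AppSignatureVerification.cpp and would need the same wording.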
@@ -108,12 +108,12 @@ const uint8_t SIGNATURE[] = { 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, 0xc1, 0xcf, 0x88, 0xc2, 0xc8, - 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0, 0x58, 0x40, 0xb7, 0x50, 0xae, - 0x12, 0x41, 0xb2, 0x62, 0x28, 0x80, 0x0b, 0xaa, 0x99, 0xec, 0x5f, 0x1c, 0x91, - 0x2f, 0xd8, 0x65, 0xd0, 0x1c, 0x38, 0x7c, 0x37, 0x63, 0x6d, 0xfa, 0x67, 0x9d, - 0x21, 0xff, 0x54, 0x98, 0xf8, 0x97, 0x63, 0xc2, 0x2e, 0x3c, 0xfa, 0x25, 0x28, - 0xec, 0x2c, 0x96, 0x8c, 0xca, 0xfc, 0x94, 0xd0, 0xc2, 0x19, 0x28, 0x28, 0x43, - 0xe6, 0x64, 0xd4, 0x09, 0x2b, 0x0f, 0x01, 0xc3, 0x6e + 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0, 0x58, 0x40, 0x1e, 0x6e, 0x08, + 0xdf, 0x8f, 0x4f, 0xd6, 0xab, 0x23, 0xae, 0x84, 0xaa, 0xf3, 0x43, 0x35, 0x9a, + 0x53, 0xb9, 0x8b, 0xf9, 0x81, 0xa1, 0xbc, 0x1e, 0x5c, 0x57, 0x5c, 0x0a, 0x20, + 0x37, 0xf4, 0x3d, 0x11, 0x08, 0xa0, 0x97, 0x4b, 0x68, 0xa4, 0x0f, 0x80, 0xe9, + 0x96, 0x30, 0x04, 0x24, 0x0e, 0x81, 0x3d, 0x2a, 0x8a, 0x64, 0x40, 0x61, 0x5a, + 0x19, 0x00, 0xff, 0x74, 0x40, 0x71, 0x82, 0x65, 0xe9 }; // This is a COSE signature generated with the cose rust library (see 
@@ -308,12 +308,12 @@ const uint8_t SIGNATURE_ES256_PS256[] = { 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, 0xc1, 0xcf, 0x88, 0xc2, 0xc8, 0x2a, - 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0, 0x58, 0x40, 0xfa, 0xc6, 0xb7, 0xae, - 0xec, 0x0b, 0x0b, 0xe2, 0xef, 0xae, 0xf7, 0x9d, 0x64, 0xe5, 0xaf, 0xbb, 0x2c, - 0x4b, 0xe8, 0x7c, 0x61, 0xa9, 0x1e, 0xb9, 0x6d, 0x9c, 0xfa, 0xe3, 0x11, 0x77, - 0xaf, 0x44, 0x9d, 0xc3, 0xa8, 0xa9, 0xbc, 0x58, 0xed, 0xc5, 0xe5, 0xa1, 0x92, - 0x3b, 0x89, 0xa3, 0x3b, 0x1e, 0xbf, 0x6e, 0x33, 0x64, 0x21, 0x0b, 0x97, 0xee, - 0xb7, 0xae, 0x84, 0x17, 0x5c, 0xff, 0x27, 0xa0, 0x83, 0x59, 0x02, 0xbb, 0xa2, + 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b, 0xa0, 0x58, 0x40, 0xa3, 0xfb, 0x49, 0xe6, + 0x45, 0x29, 0x64, 0x76, 0xeb, 0x9d, 0xbd, 0xf5, 0x38, 0x56, 0xbe, 0x6e, 0x31, + 0x57, 0x73, 0xc1, 0x2d, 0x3e, 0xac, 0xee, 0xba, 0x55, 0x8e, 0x37, 0xd4, 0xea, + 0x80, 0x25, 0x31, 0x99, 0x9f, 0x4a, 0xb0, 0xf9, 0xd8, 0xb0, 0xed, 0x74, 0xfc, + 0x8c, 0x02, 0xf0, 0x9f, 0x95, 0xf1, 0xaa, 0x71, 0xcc, 0xd2, 0xe7, 0x1a, 0x6d, + 0xd4, 0xed, 0xff, 0xf2, 0x78, 0x09, 0x83, 0x7e, 0x83, 0x59, 0x02, 0xbb, 0xa2, 0x01, 0x38, 0x24, 0x04, 0x59, 0x02, 0xb3, 0x30, 0x82, 0x02, 0xaf, 0x30, 0x82, 0x01, 0x99, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x07, 0x1c, 0x3b, 0x71, 0x08, 0xbe, 0xd7, 0x9f, 0xfd, 0xaf, 0x26, 0xb6, 0x08, 0xa3, 0x99, 0x06, 0x77, 
@@ -368,26 +368,26 @@ const uint8_t SIGNATURE_ES256_PS256[] = { 0xa0, 0x6b, 0xef, 0xd4, 0x5e, 0xa4, 0x0f, 0x53, 0xe1, 0xbc, 0xb4, 0xc9, 0x37, 0x0e, 0x75, 0xdd, 0x93, 0xe8, 0x0f, 0x18, 0x0a, 0x02, 0x83, 0x17, 0x74, 0xbb, 0x1a, 0x42, 0x5b, 0x63, 0x2c, 0x80, 0x80, 0xa6, 0x84, 0xa0, 0x59, 0x01, 0x00, - 0x67, 0xbe, 0xe4, 0x81, 0xed, 0x1e, 0xce, 0x7d, 0x18, 0xf5, 0x85, 0xa2, 0xcb, - 0x1d, 0x75, 0x6f, 0x8a, 0x34, 0xaa, 0x6b, 0x58, 0x91, 0xd2, 0xa4, 0x58, 0x4f, - 0xe1, 0x8b, 0x6a, 0x36, 0xe1, 0x67, 0x23, 0x2c, 0x5d, 0x7e, 0x05, 0xe2, 0xa0, - 0x18, 0xa8, 0x78, 0x7d, 0x85, 0xda, 0x07, 0x60, 0xc6, 0x8e, 0x44, 0x14, 0xad, - 0xbc, 0x35, 0x2f, 0xf3, 0xd8, 0xda, 0x34, 0x65, 0x12, 0x45, 0x6a, 0xbe, 0x46, - 0x53, 0x09, 0xc8, 0xcc, 0x96, 0x6b, 0x07, 0xd4, 0xc3, 0x4f, 0xd2, 0x7b, 0x88, - 0xad, 0x10, 0x3b, 0x93, 0x3c, 0x9a, 0xc4, 0x1a, 0x98, 0x12, 0x2f, 0xf9, 0xc9, - 0xb9, 0xd2, 0xda, 0x40, 0xe9, 0x9e, 0xd8, 0x74, 0x2f, 0x02, 0xf1, 0xf0, 0x9a, - 0x31, 0x99, 0xb4, 0x82, 0xe1, 0x25, 0xee, 0x3f, 0xf9, 0xd5, 0xbb, 0x10, 0x8b, - 0xff, 0x03, 0x0f, 0xcb, 0x96, 0x8f, 0x29, 0x51, 0x71, 0xfc, 0xe2, 0x0e, 0x9c, - 0xf7, 0x3d, 0xc0, 0x95, 0xc6, 0x70, 0xfd, 0x8c, 0xb7, 0xf6, 0xa7, 0xfa, 0x7d, - 0xd6, 0x44, 0x0b, 0xa3, 0xd3, 0x97, 0xf5, 0xcd, 0x6d, 0xc9, 0x17, 0xc6, 0xcb, - 0xd5, 0x82, 0x01, 0x0e, 0xef, 0xb3, 0xbd, 0x33, 0x6e, 0x49, 0x57, 0xb1, 0x38, - 0x57, 0x27, 0x91, 0x22, 0x5a, 0xeb, 0x02, 0x97, 0x53, 0xeb, 0x56, 0x01, 0xdc, - 0xf9, 0xe9, 0x6c, 0x38, 0x7c, 0x0b, 0x1c, 0x7e, 0x19, 0xc7, 0x4b, 0x9d, 0x30, - 0xad, 0x14, 0x2a, 0xb2, 0x07, 0x99, 0x80, 0x40, 0x42, 0x82, 0x49, 0x4e, 0xb5, - 0x1a, 0x49, 0xa3, 0x31, 0x7f, 0xd9, 0x78, 0xd1, 0x08, 0x39, 0xaf, 0x0d, 0xeb, - 0x8a, 0x93, 0x43, 0xab, 0x3d, 0x3f, 0x9b, 0xe3, 0x25, 0x3b, 0x09, 0xa9, 0x00, - 0xfc, 0x98, 0xb9, 0xdc, 0x73, 0x91, 0x87, 0x58, 0x53, 0xd4, 0xc1, 0x8b, 0x05, - 0xe6, 0x85, 0xc8, 0x48, 0xb8, 0x7e, 0x23, 0xcf, 0x12 + 0x51, 0xf4, 0xe6, 0x1c, 0x18, 0x7b, 0x28, 0xa0, 0x1f, 0x63, 0xbf, 0xa5, 0xbd, + 0x89, 0x9f, 0xd9, 0x30, 0x46, 0x4b, 0x34, 
0x9b, 0x9d, 0x0f, 0xb0, 0x33, 0x11, + 0xf8, 0xaa, 0x84, 0x4e, 0xb2, 0xca, 0x29, 0x83, 0x54, 0x28, 0x99, 0x2a, 0x43, + 0x7f, 0xe0, 0xe6, 0xd8, 0xdc, 0xd7, 0xf4, 0xb3, 0xd7, 0xf7, 0x39, 0xd5, 0xdc, + 0xde, 0xdc, 0x23, 0x78, 0xd7, 0x90, 0xc0, 0x52, 0xf5, 0xd2, 0x14, 0x6f, 0xf9, + 0x24, 0x48, 0xc8, 0x75, 0x4a, 0x9a, 0x4c, 0x61, 0x2f, 0x96, 0x4e, 0xc8, 0x02, + 0x95, 0x72, 0xef, 0xbc, 0x91, 0xae, 0xf8, 0x23, 0xfb, 0xba, 0x9f, 0xfd, 0xe0, + 0x1a, 0x8e, 0xa9, 0x03, 0x16, 0x76, 0xf4, 0xdb, 0x81, 0x5a, 0x69, 0xeb, 0xf5, + 0x55, 0xd7, 0x68, 0x28, 0xe4, 0xce, 0xde, 0x1b, 0xb4, 0x90, 0xac, 0x97, 0x07, + 0x15, 0xe0, 0xce, 0x5f, 0x3f, 0x89, 0xaf, 0xc1, 0xb8, 0x46, 0x5e, 0x87, 0xa1, + 0x8d, 0xa7, 0x44, 0x09, 0x02, 0x4e, 0xbe, 0x6b, 0xfb, 0xab, 0xeb, 0x19, 0x62, + 0x9e, 0xb0, 0xef, 0x0a, 0x6b, 0xcf, 0xe0, 0x00, 0xa9, 0x68, 0x2a, 0x8e, 0xfe, + 0x8a, 0xb9, 0x57, 0x52, 0xb3, 0x08, 0x80, 0x5e, 0xa6, 0x88, 0x5f, 0x31, 0xd1, + 0xe9, 0x6d, 0xf7, 0x54, 0x4e, 0xf8, 0x17, 0xb0, 0x1c, 0xca, 0xa6, 0xa6, 0x80, + 0xf8, 0xd8, 0xf5, 0x94, 0xa4, 0xb2, 0xd0, 0x7e, 0xbb, 0x4f, 0xdb, 0x3a, 0x91, + 0x5f, 0xb3, 0xc1, 0xfa, 0x60, 0xe4, 0xce, 0xe3, 0xe5, 0x14, 0x1f, 0x9c, 0x01, + 0x60, 0xff, 0xe2, 0x09, 0xe6, 0x1a, 0x82, 0x69, 0xb6, 0xeb, 0x52, 0x1e, 0x3d, + 0xc7, 0xfd, 0x69, 0x9d, 0x2a, 0xa5, 0xdb, 0xc1, 0x6a, 0x5a, 0x7d, 0x23, 0x2a, + 0x00, 0xe4, 0x53, 0x16, 0x8e, 0xc1, 0x56, 0xf5, 0x5a, 0x8d, 0x59, 0x1f, 0x7f, + 0xff, 0x77, 0x6f, 0x92, 0xea, 0x5d, 0x31, 0xe9, 0x18 }; // The RSA intermediate certificate that issued the EE cert used in the @@ -630,7 +630,8 @@ verify_callback(const uint8_t* payload, size_t ee_cert_len, const uint8_t* signature, size_t signature_len, - uint8_t signature_algorithm) + uint8_t signature_algorithm, + void* ctx) { UniquePK11SlotInfo slot(PK11_GetInternalSlot()); if (!slot) { 
@@ -703,8 +704,12 @@ TEST_F(psm_COSE, CoseTestingSingleSignature) { SECStatus rv = NSS_NoDB_Init(nullptr); ASSERT_EQ(SECSuccess, rv); - bool result = verify_cose_signature_ffi( - PAYLOAD, sizeof(PAYLOAD), SIGNATURE, sizeof(SIGNATURE), verify_callback); + bool result = verify_cose_signature_ffi(PAYLOAD, + sizeof(PAYLOAD), + SIGNATURE, + sizeof(SIGNATURE), + nullptr, + verify_callback); ASSERT_TRUE(result); } @@ -716,6 +721,7 @@ TEST_F(psm_COSE, CoseTestingTwoSignatures) sizeof(PAYLOAD), SIGNATURE_ES256_PS256, sizeof(SIGNATURE_ES256_PS256), + nullptr, verify_callback); ASSERT_TRUE(result); } @@ -731,6 +737,7 @@ TEST_F(psm_COSE, CoseTestingAlteredPayload) sizeof(altered_payload), SIGNATURE_ES256_PS256, sizeof(SIGNATURE_ES256_PS256), + nullptr, verify_callback); ASSERT_FALSE(result); } diff --git a/security/manager/ssl/tests/unit/sign_app.py b/security/manager/ssl/tests/unit/sign_app.py index 1e32645115b4..8af56c11dd17 100755 --- a/security/manager/ssl/tests/unit/sign_app.py +++ b/security/manager/ssl/tests/unit/sign_app.py 
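Review bot: The three updated tests all pass `nullptr` as the new context argument, so nothing checks that `verify_cose_signature_ffi` hands the pointer through to the callback unchanged. Since the production caller presumably relies on that pointer to reach its verification state, one test should pass the address of a local, e.g. `bool called = false;` with `&called` in place of `nullptr`, have `verify_callback` set it through `ctx` when non-null, and finish with `ASSERT_TRUE(called);`. The body of `verify_callback` lies outside the hunk at -630, so whether it touches `ctx` today cannot be seen from here.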
@@ -121,6 +121,26 @@ def addManifestEntry(filename, hashes, contents, entries): entry += '%s-Digest: %s\n' % (name, base64hash) entries.append(entry) +def getCert(subject, keyName, issuerName, ee, issuerKey=""): + """Helper function to create an X509 cert from a specification. + Takes the subject, the subject key name to use, the issuer name, + a bool whether this is an EE cert or not, and optionally an issuer key + name.""" + certSpecification = 'issuer:%s\n' % issuerName + \ + 'subject:' + subject + '\n' + \ + 'subjectKey:%s\n' % keyName + if ee: + certSpecification += 'extension:keyUsage:digitalSignature' + else: + certSpecification += 'extension:basicConstraints:cA,\n' + \ + 'extension:keyUsage:cRLSign,keyCertSign' + if issuerKey: + certSpecification += '\nissuerKey:%s' % issuerKey + certSpecificationStream = StringIO.StringIO() + print >>certSpecificationStream, certSpecification + certSpecificationStream.seek(0) + return pycert.Certificate(certSpecificationStream) + def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName): """Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer name, returns a (algorithm id, pykey.ECCKey, encoded certificate) 
@@ -138,26 +158,20 @@ def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName): else: raise UnknownCOSEAlgorithmError(coseAlgorithm) key = pykey.ECCKey(keyName) - certSpecification = 'issuer:%s\n' % issuerName + \ - 'subject: xpcshell signed app test signer\n' + \ - 'subjectKey:%s\n' % keyName + \ - 'extension:keyUsage:digitalSignature' - certSpecificationStream = StringIO.StringIO() - print >>certSpecificationStream, certSpecification - certSpecificationStream.seek(0) - cert = pycert.Certificate(certSpecificationStream) - return (algId, key, cert.toDER()) + # The subject must differ to avoid errors when importing into NSS later. + ee = getCert('xpcshell signed app test signer ' + keyName, keyName, issuerName, True, 'default') + return (algId, key, ee.toDER()) -def signZip(appDirectory, outputFile, issuerName, manifestHashes, - signatureHashes, pkcs7Hashes, doSign, coseAlgorithms): +def signZip(appDirectory, outputFile, issuerName, rootName, manifestHashes, + signatureHashes, pkcs7Hashes, coseAlgorithms, emptySignerInfos): """Given a directory containing the files to package up, an output filename to write to, the name of the issuer of - the signing certificate, a list of hash algorithms to use in - the manifest file, a similar list for the signature file, - a similar list for the pkcs#7 signature, whether or not to - actually sign the resulting package, and a list of COSE - signature algorithms to include, packages up the files in the - directory and creates the output as appropriate.""" + the signing certificate, the name of trust anchor, a list of hash algorithms + to use in the manifest file, a similar list for the signature file, + a similar list for the pkcs#7 signature, a list of COSE signature algorithms + to include, and whether the pkcs#7 signer info should be kept empty, + packages up the files in the directory and creates the output + as appropriate.""" # This ensures each manifest file starts with the magic string and # then a blank line. 
mfEntries = ['Manifest-Version: 1.0', ''] 
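Review bot: In coseAlgorithmToSignatureParams the call `getCert('xpcshell signed app test signer ' + keyName, keyName, issuerName, True, 'default')` passes the EE flag and the issuer key positionally, which hides that every COSE end-entity certificate is signed with the `default` key whatever `issuerName` is. Spelling it `ee=True, issuerKey='default'` makes that explicit at the call site. The new signZip signature also inserts `rootName` before `manifestHashes` and drops `doSign`, shifting every later positional argument; main() is the only caller visible in this patch, so any other caller needs the same update. signZip's body continues outside the hunk.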
@@ -171,46 +185,50 @@ def signZip(appDirectory, outputFile, issuerName, manifestHashes, # Add the entry to the manifest we're building addManifestEntry(internalPath, manifestHashes, contents, mfEntries) - # Just exit early if we're not actually signing. - if not doSign: - return - if len(coseAlgorithms) > 0: coseManifest = '\n'.join(mfEntries) outZip.writestr('META-INF/cose.manifest', coseManifest) addManifestEntry('META-INF/cose.manifest', manifestHashes, coseManifest, mfEntries) + intermediates = [] + coseIssuerName = issuerName + if rootName: + coseIssuerName = 'xpcshell signed app test issuer' + intermediate = getCert(coseIssuerName, 'default', rootName, False) + intermediate = intermediate.toDER() + intermediates.append(intermediate) signatures = map(lambda coseAlgorithm: - coseAlgorithmToSignatureParams(coseAlgorithm, issuerName), + coseAlgorithmToSignatureParams(coseAlgorithm, coseIssuerName), coseAlgorithms) - coseSignatureBytes = coseSig(coseManifest, [], signatures) + coseSignatureBytes = coseSig(coseManifest, intermediates, signatures) outZip.writestr('META-INF/cose.sig', coseSignatureBytes) addManifestEntry('META-INF/cose.sig', manifestHashes, coseSignatureBytes, mfEntries) - mfContents = '\n'.join(mfEntries) - sfContents = 'Signature-Version: 1.0\n' - for (hashFunc, name) in signatureHashes: - base64hash = b64encode(hashFunc(mfContents).digest()) - sfContents += '%s-Digest-Manifest: %s\n' % (name, base64hash) + if len(pkcs7Hashes) != 0 or emptySignerInfos: + mfContents = '\n'.join(mfEntries) + sfContents = 'Signature-Version: 1.0\n' + for (hashFunc, name) in signatureHashes: + base64hash = b64encode(hashFunc(mfContents).digest()) + sfContents += '%s-Digest-Manifest: %s\n' % (name, base64hash) - cmsSpecification = '' - for name in pkcs7Hashes: - hashFunc, _ = hashNameToFunctionAndIdentifier(name) - cmsSpecification += '%s:%s\n' % (name, - hashFunc(sfContents).hexdigest()) - cmsSpecification += 'signer:\n' + \ - 'issuer:%s\n' % issuerName + \ - 
'subject:xpcshell signed app test signer\n' + \ - 'extension:keyUsage:digitalSignature' - cmsSpecificationStream = StringIO.StringIO() - print >>cmsSpecificationStream, cmsSpecification - cmsSpecificationStream.seek(0) - cms = pycms.CMS(cmsSpecificationStream) - p7 = cms.toDER() - outZip.writestr('META-INF/A.RSA', p7) - outZip.writestr('META-INF/A.SF', sfContents) - outZip.writestr('META-INF/MANIFEST.MF', mfContents) + cmsSpecification = '' + for name in pkcs7Hashes: + hashFunc, _ = hashNameToFunctionAndIdentifier(name) + cmsSpecification += '%s:%s\n' % (name, + hashFunc(sfContents).hexdigest()) + cmsSpecification += 'signer:\n' + \ + 'issuer:%s\n' % issuerName + \ + 'subject:xpcshell signed app test signer\n' + \ + 'extension:keyUsage:digitalSignature' + cmsSpecificationStream = StringIO.StringIO() + print >>cmsSpecificationStream, cmsSpecification + cmsSpecificationStream.seek(0) + cms = pycms.CMS(cmsSpecificationStream) + p7 = cms.toDER() + outZip.writestr('META-INF/A.RSA', p7) + outZip.writestr('META-INF/A.SF', sfContents) + outZip.writestr('META-INF/MANIFEST.MF', mfContents) class Error(Exception): """Base class for exceptions in this module.""" @@ -252,10 +270,10 @@ def main(outputFile, appPath, *args): optional arguments, signs the contents of the directory and writes the resulting package to the 'file'.""" parser = argparse.ArgumentParser(description='Sign an app.') - parser.add_argument('-n', '--no-sign', action='store_true', - help='Don\'t actually sign - only create zip') parser.add_argument('-i', '--issuer', action='store', help='Issuer name', default='xpcshell signed apps test root') + parser.add_argument('-r', '--root', action='store', help='Root name', + default='') parser.add_argument('-m', '--manifest-hash', action='append', help='Hash algorithms to use in manifest', default=[]) 
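Review bot: The new guard `if len(pkcs7Hashes) != 0 or emptySignerInfos:` appears to cover the writes of `META-INF/A.RSA`, `META-INF/A.SF` and `META-INF/MANIFEST.MF` (indentation is lost in this rendering, but `mfContents` is only assigned under it), and the hunk at -277 removes the `sha256` fallback for `pkcs7_hash` in main(). Together these mean an invocation without any PKCS#7 hash now yields a COSE-only or entirely unsigned zip, where it used to yield a PKCS#7 SHA-256 signed one, and nothing in the script says so. I would add a comment above the guard, `# No PKCS#7 hash and no empty signerInfos requested: write no MANIFEST.MF/A.SF/A.RSA (COSE-only or unsigned package)`, and state the new default in main()'s docstring so that fixture commands relying on the old fallback get an explicit PKCS#7 hash argument.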
@@ -277,9 +295,7 @@ def main(outputFile, appPath, *args): parsed.manifest_hash.append('sha256') if len(parsed.signature_hash) == 0: parsed.signature_hash.append('sha256') - if len(parsed.pkcs7_hash) == 0 and not parsed.empty_signerInfos: - parsed.pkcs7_hash.append('sha256') - signZip(appPath, outputFile, parsed.issuer, + signZip(appPath, outputFile, parsed.issuer, parsed.root, map(hashNameToFunctionAndIdentifier, parsed.manifest_hash), map(hashNameToFunctionAndIdentifier, parsed.signature_hash), - parsed.pkcs7_hash, not parsed.no_sign, parsed.cose_sign) + parsed.pkcs7_hash, parsed.cose_sign, parsed.empty_signerInfos) diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js index 9e0d70c11191..b06a9b703b66 100644 --- a/security/manager/ssl/tests/unit/test_signed_apps.js +++ b/security/manager/ssl/tests/unit/test_signed_apps.js @@ -190,8 +190,14 @@ var hashTestcases = [ ]; // Policy values for the preference "security.signed_app_signatures.policy" -const PKCS7WithSHA1OrSHA256 = 0; -const PKCS7WithSHA256 = 1; +const PKCS7WithSHA1OrSHA256 = 0b0; +const PKCS7WithSHA256 = 0b1; +const COSEAndPKCS7WithSHA1OrSHA256 = 0b10; +const COSEAndPKCS7WithSHA256 = 0b11; +const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100; +const COSERequiredAndPKCS7WithSHA256 = 0b101; +const COSEOnly = 0b110; +const COSEOnlyAgain = 0b111; function add_signature_test(policy, test) { // First queue up a test to set the desired policy: 
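Review bot: The policy constants are now binary literals, but no comment says what each bit selects, and `COSEOnly` (0b110) and `COSEOnlyAgain` (0b111) differ only in bit 0 without a stated reason. From the names and the expectations in the tests added below, bit 0 looks like the SHA-256-only switch for PKCS#7 and bits 1-2 like a COSE mode (ignored, verified when present, required, COSE only); that reading should be confirmed against the pref's definition. A comment above the block such as `// bit 0: PKCS#7 must use SHA-256; bits 1-2: COSE mode (0 off, 1 if present, 2 required, 3 COSE only)` would let a reader check each test's policy without decoding the names.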
@@ -233,6 +239,96 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER))); }); +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_signed_with_pkcs7"), + check_open_result("cose_signed_with_pkcs7", Cr.NS_OK)); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result("no COSE but correct PK#7", Cr.NS_OK)); +}); + +add_signature_test(COSEAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-1_sf-256_p7-256"), + check_open_result("no COSE and wrong PK#7 hash", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID)); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result("COSE signature missing (SHA1 or 256)", Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE)); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result("COSE signature missing (SHA256)", Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE)); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), + check_open_result("COSE signature only (PK#7 allowed, not present)", Cr.NS_OK)); +}); + +add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), + check_open_result("COSE signature only (PK#7 allowed, not present)", Cr.NS_OK)); 
+}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_multiple_signed_with_pkcs7"), + check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK)); +}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_int_signed_with_pkcs7"), + check_open_result("COSE signed with an intermediate", Cr.NS_OK)); +}); + +add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), + check_open_result("PK7 signature missing", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_multiple_signed_with_pkcs7"), + check_open_result("Expected only COSE signature", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_multiple_signed"), + check_open_result("only Multiple COSE signatures", Cr.NS_OK)); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), + check_open_result("only_cose_signed", Cr.NS_OK)); +}); + +add_signature_test(COSEOnlyAgain, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), + check_open_result("only_cose_signed (again)", Cr.NS_OK)); +}); + +add_signature_test(COSEOnly, function () { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_signed_with_pkcs7"), + check_open_result("COSE only expected but also PK#7 signed", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)); +}); + // Sanity 
check to ensure a no-op tampering gives a valid result add_signature_test(PKCS7WithSHA1OrSHA256, function () { let tampered = tampered_app_path("identity_tampering"); 
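Review bot: None of the COSE cases added here gives the verifier a COSE signature that is present but wrong: every failing expectation concerns a signature that is absent or unexpectedly present (`NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE` for a missing COSE signature, `NS_ERROR_SIGNED_JAR_NOT_SIGNED`, `NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY`). The unknown-issuer check just above the hunk and the tampering check just below it both run under `PKCS7WithSHA1OrSHA256`, so as far as these lines show, a regression that accepts a modified entry or an untrusted issuer when only COSE is verified would still pass. I would add at least one `COSEOnly` case that opens a tampered copy of `only_cose_signed` and one that opens it against a root that did not issue it, each expecting an error. The file continues outside the hunk, so such cases may already exist further down.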
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip new file mode 100644 index 0000000000000000000000000000000000000000..da5a487b168a537b8d681bfd7a943dcfa2cbf884 GIT binary patch literal 5002 zcmeHLd011|63FKuicbK~Mt(2niu1VUw~LTo7=B7E3`z zt-B&1ilQwpsJK;8R0KhwqCS*GtDq>*8;~u1{a*Xm``-6@llgM)IcMga%*=1j%wf_{ z=vfHaBb8**bb^e^8E{)hYA{8!1>A6sSYi<+ju9j)<8b<8J*(q6A~82cpl^@Eo5=}U@BqVEGw$B`2y9Kp!&$k@bOeb555fb^A9l$lc&?xR9xrtpF?!ocK3CX(o6pGdA4 z2Y)4z9Gr;54vXgC!ec}uuM*iZoUvsr3EPqz&5qz$2n7+F znT+LX$~wyMfSMbXk9f1Iv-AF{A#G72uV2^_=KxJhHj0Jn#*rXBgD0@?hcxxMT5;p?&Tzj00 zkHA&v16dOocpI<4Xxos;FcQJaKOhX0L|KPK*u;d>Av?wjH_(IZG$wEq6!MZnSRmgn zF?P8-%T*Z5;<$q}n^*$L-`6uX4vc2FQ0N3IffF4W#dVJumoya*@)F6+C>|p)A&G4l zU@8>Ft>7mvH>D6=S0pTVCD;b|61?qV0zHTz-_Os}Ne*}p&Qz^J1q4DyGyb49F*l+i zWIYR|x);5Ug~EVR6cUsIoy905fJDxkFPNLZnz}H|Y1cQWDt8_Uj`#!~2h}i2CL5_6 z`_%wIMF9aCLyJK}49XXcQq@ZohKeIOd_E2qE8v9T*g_#3Dr9j%6cZx>_2+2dLC6|{ z@V4N{6FAag3*tfRuN|NXWCSi66*vFih#Qs06^r9IB6y?vlXn9sAW%|30|ECdBc%X< zsLJ#_OxmjTh&U)XlZmmJ?&PTXr1QD8d&Qd%k^X#xR|p zGBA!86&5>f?Sa5UwNPWK(Iww|TVKfL5Yrfbh)tp?x9 z@W7*~$nBQ)$NohS0yD=XXcXI_kh_N(q_uDIF%<-|P02TDEXwABwqww+40 z)Q{o*T9Ne~dtUdVM~1tO?U=@}xrH@An^kLNTXwwNR-g@?JvHREa6sf)13g3?Z=9oS z-L(Y?Lj~AB57Y%!VU5nyL@R(O02l^UWN#X1G;CzdWCgrepq`| z{U?XV>6<b~d{wu$ulK{^O}!fS(3*HNy<55Ehui`ycUM*3kTz#H)Vr#N zJLO&+2z%a*Rf%ODT{h6t7#d}X$Z9NAeUXyz?jvZ>ydZ&TVD_w`pHFu2uXKcd+e1IT zn+YL&e^50=hCZrTKmQ(4XV2&CFFTNxO&Vcat4l(Bc5CNlQ?nkX-d{q?D|!6nX~s;I z-og&CX^COgwSji8xS8o)x7GJ}Qg3J9)$0o6u@CNY(QAIlu6Jx1u0H$C^`6-a9)8p- zjn+8&_6DZmpwR#E1I>*ye^SDJUZ7_bblG`N-M2lt)T0%y87ZbWI#k{j_pQrdA(!q0 z7NJ>4TTqH5z%GUTiV2lWpT=PW%%jrn4(S^d7TkV=D5;iH;@@)OzXA#Zga^SPM zpyJ}}*l&@$)XXD^Mh-IJ-nSz2ZE9xhQpB{Xch%PAZGT*#n{2MQAKh8(e(>Uc4Nz^8 z7b&L8DPY8l4xORTOo@JRuAHYk$A#HZP)g0lpEJ3fS2vg8B9QVME8e&K8e#^W4W3QL z4)vT4S6z7;IzsTE91M)qb6m}{x@+)#FRk#c=$_`1rxZQ|c)j%W-kO;9fzWuYH)A>~?dbm4%enbh-Gfcn4$bxUTDq9wY-YU2 
zaKoHiT57D4;x2`*$36X_9o5gS6>296LYMfI&PQ5SW~{koYP0)hOCc^HTLQ1EUoTpo9ppfRqJr)&Z@3P_YB&*bNehZdS9eq zH{2}|>RPvE76&W~iu2r~IfHp8II9J>{{jZwFv2VmpUB)!*Y1VTo#6l(kcBwBcR6G18Z<#=RP zL>5cY4RBXI5&$3-Pzj@8s*XbH!0}pTViHg+MSg_c`#tR5Prtf1G5u$WPFW{Qn&C{|Y?a_&JQggT_A^ZO$d7H7&ooD0p_p_tz@y zH*0tn{U%C#tyQ~LGwU}eF05-g?yMXZ zTGHts6pkBwwD?|of9>$L__W1meGPS*_(eA!c`AK(Y+y_6;B32u7bO>rqf`4=pbXBr zlpYEA_{n52Lb8=LG(UtgxVGD=qw$1UXlEO@^a@=!Gk@9f;eD%)#kUtzt4}uDMcBuc zpXR+PcrujrfnAG@Y7owhrSHbyC_DpQznwFeJ!7eR@sS3F^mghc5>`9i`oxJUpZi5+ zKEbEIm2@4rx$Y=x6}Gl~*EDgpZi?p}tBi6E5t0IxusfZC0Rj^LhD#%7{TW2oY@`Al z6dDQVA;mOs&N$ALP|#%1ftC{^Xh;M=N zf!){6Pl7A}prrs}!;^M``D>lDt7;bOt~!%UdJmY^-|FUBsfScLnD>!CX0Hm?cq=Y2 z@;doleoK>v$2PTvX;=DsUv8q5fYGuj(BteAWgjlU@2ZNFMYleQIk-8o*P7rAw4 zZj5=^C+Yhx=JebR*XQS+I+kA48L(}e)wWl9nl^y$`^>zRM=%e2L+hg4p_=wo*TdHv z9UeA4le*zc06z-(dQb9$?a{e)XEWeKm%AbSQOc0<>3~&BqU_SVb?;vJ5^jXoOK;sJ zy7z1-jiN6kQvF_SDG?oN0t%7^0}W~!d4n3wk|BCaM1astzpha z)@OX?(L>UxsH$hLQl^GQYAxP62o8rbl2yo)!lF0D8%{*ok~k4(YCSL|^*0}@8SHVk z5>KA1k4>mupr=36(%OR-?w1f97fBG2=`J2&LMBf_w{u-HON;z<-SpBLroDq-+M zU<`rI5>g@p)<#8&@F5A@q(oa=UqR@2AvIMpd~C=IjbK^&g+{xDQ26oT%!qhXnyGsz zmEuF@+IWc~XkwOtP9yu_!%2`hL1tqBIScjY*DT;Je@~rX~Dx-`DL^_ZJ zH%BW;c^>&&lL?+$xH+|El;@SNmnV3YQIp(riUH(h$QO?jGKg>z@&{GRv&&~J6YMJR zRnIv4Nd6+vD-Y`lUVV)zyxtUfR(U8+upXJrItiFenu6@62{8@+yo61;MOG;zeg}~k BEcE~Y literal 0 HcmV?d00001 
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed.zip deleted file mode 100644 index 33a7740e46c3d7d398e64cd2590c1998c485ace1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4911 zcmeHLd011&7SBz>7GzTh7En?u`*srpg;dnAgs_ERfIqDQ@5bQWZo&M2fPAC|bm}0`CTuC4K!~-}k+L`n`8^&zHF~bAB^-=KRh* zXQ*xnq&iG;?Ty*&rsZ!`MS;o^QGz6b$>)T!L}ClBD3YIu!eI2i)NF`h2}PVpz8(RC zGm|v%nGr1LL5~h~$2i4_S^Vkd>9*OvdY}bpfz?B8L{aAr{GN<8Gld3}h%6*)oQRGd zPV_L22m{^XFcwD0VunPpFrksc=|{0-7}l3zETrJ_Q*GtYa2QM?$`D)#Q_QsFL@?Pb z3jv>FT% z*m$O`uc<&7?aqsHHYE`q++&>`@HW2Qc$#e_!;=W|)~@xklOmouDgj(A1A|FK?GMW) z;;=h{Haip}lZ)P`ruo6G4gm&8Kez>$3O4~$frUi~H~@#MYa+rMCaZ0prDZ)oc59T5 zbKm|>22_$&Fi9t;k1GLyq6`c)#u|e9vIuV^V!_flL9i%{#p7Whd_F4#!xRW0pCNG& z!pKN5sJB=J2V$+TSey+weKDphY(N}n^|=Bx#TtW#pWrZ<*`hkmN<)F#5 z*ueo=`RM`zkVDwRke>AyFEV>R{91Vw<#%!`vUgZU(SGHMaf_T)W}fkGPW~pGd&`}8 z*4NYuj`L_8*K+MgRhHYvK8M7ac@w7{tr#8|Js`V9`A!NxHr+a6(QT@Pzb4&L|M$-KZH=chBDOgs}!zAhX*@PpStz&JT} z*Np+1OrpP;Q9nwqeyBlKO{qVyHGa>a!Dwz&;yUF*HdGqE?)*zsLT7i{T_qb`?2~wzQ}jA zf3(-ZMQYUMfXr@8Nu4aXd#Xwly#X6CJaOAT86|k}T2sAmVd=8AvXcsLOET*=X-?^~ zy(+w@ijzljY%iR(glvy?2(ZzEjL!`+K4-}IEdM6P7Xzx!8lQ}53KFJ=2!bJt!-Njj zrv8bGGv38(kTi-LS5@yENnZ&!*60k}rElI>v&g)(W&Z${M&TALP*iAYw=EyQ$v&@5 z!HbG@OTeCh(wlsTv`NFQcE_U-myNdFeFJ~P7}wH$awkoEf`7c_FIlEi=BRei!G@(1e0`q0{FW}lc17Ea zVp8RQIo>L9Bn>v)| zX7wMw&cF{2e*GAoku9&5@m*4I*XfkQab?=N)Df}vnA`c-S*Ti8Qdbe?7~)CinO_?A_>@+Kr+yCHw3< z!pPPwQ>x*ltk8b`uZy!SDvSWjJ&E^Ez6}LERq2;DC~3qMtPGm}l?u7|wEQI!29t;+ z&YAg25iQoxh+rzRf5vOd!HZIn9Z=N+H~?T3K?PYEQ)L8P3-YCkvz>sVRQLyo5x+o; z==#hEV)A9NR%IB~5zM_;-EfL)vP57b<(K~3?$`ut1R8vD$GZQ{8>a$#b7up{z#uQF z0)t)v1(&$X+HGE?j=Rw9#0mbnZL-#?b}JS=8tSuhtsWi=^WiN^Y-rRk?dj0HR9PUK z&(}(S8{T`G5gpDAiIPt^!Z_x%bzG-ySpj@gv%|-woK_o*ac&vrs!Lzz1@|lAJmps! 
zsVbwJ$~jt<_u+)?Cd83rf*uv6ofDyorWMO_4sX1$jTxU^>62}D@4M?g=gGRI-`?Nm z@Y)dF;awBTII#(yZAnN}O_p7DM~AnsJde4qrZ;clkI~qY1-qYA-x~i|zC{1N!s`o~ z%E!WCohs0c9b;kazI9`o@_V{mmg+f(p5+_UHS>S!KDiPV5`1dN$3GM^(Qeq< zJKi*v6_aFm-dkU*lUH!F-AiF_*>5|WCNykgU!1Blj@UHrj#zfVzT&v=hhI%5*y3G& zle$5qiG&fm=a0+Hf`^`QDz18HZ_8VKa_Z3fvY6f?a{cKiwroOl)!FcY1CJ&%$Cynz z+z!FQD32d-H}lV78}ID+imA5Bwdi<vfu{3gt!h+8e!^m#0;+h}cx11~Qv75J5oVe_+yZ^*^IXU^*FKA&_v$D2v>{#WOrp zKw#&R4z!$YL1Oig7*!)(%V==)oMYeE1M78(w1ZSPUPxIc@0;;ZrSH2}=Fg!l03cHV zm|XAC0F>9*mHRg$cGr66;a{^YdRrIhmiS~x?dPijlREnu76*bW%<5dv$g2-r2>UD3}<6y z{m1V&H$~>Q9Uxqd%F0gsM&-Tw(Rr*tF92r>&568= zh4bB_iLkBHA99Bhk)*M6+#-!cgMvh+I9kY>AGFVl&&|IC_5=(!*eTr2)SWAeBfG{$ zIEM!b!};#kbRx-~E?&-yi?GGo6Y*<(MGQw9>0r1d{>I@dD1VTMB*&hah6j=2LUN+f zEj&nH2AV&a|EUb(^UKbx&b$muIydpO!MTO{#W<2gyl}3AgP0O71S9btegYEPH-Q@_ z#0AB2;^S;=y!pX1+0J}qD2SH^1!Hi2-tkch-U&4O7>bLNySJ??JJ>WDyM|4Q@({Q( zf|@9;OdA!KQn#P43-SUL&Z<&p0tki(Z;M! z6I7g^*h%Y3C$+P>D8wA|oVNke7}6QuECvw@LjJJS((2L?%dC2Z!W{MK_(fV*n%1+r sjZpA2Gc?hHMv_*QrsAwBMP-ia9AZ-4WF*HyFnQ?L4{aq*lFq{Z3ApbNg8%>k 
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip new file mode 100644 index 0000000000000000000000000000000000000000..56111b5ce5e0f38ffab0098bc0c5a186f4350126 GIT binary patch literal 4929 zcmeHLX;f257S2mTfFPS}iXbt9?C=r-1{5?T0m2ftunKB`K*AD25|E`q7F!WpL{U^g z4Q_x60-}hGJ1Q}!3^J&pLuIkZLlVQ}a>7{xp;@FLmYagcV6fk7)+Dg_0!}O!YlFd? zh#R=f7#8$^WkB6A)I=eRJJ~$hHr*Esnt^6GEIJkKF>ByYPB;@|Xh5-`An~G-C~i~+ zn@_7seDa%{ej52$mU- z8?o7g?kJDeL_-boG$)D|^j{zr8S%)=fw&$R40uALkQj-@{dcQnVW3iDRpEtLjnzhN{gol@JWedC9z?^ib1U~pz28cm0|V1xPIX_7o>ZzmGo(#n*=iGVEE z24m0Ql6efAC4r8&@(PS0hOomZ1Ped^Fi;q284_U?8}5d)rn}NWcdG4oz^|l`L<$K2 zqpcI;9GwHmytn|CGw5O!N1*umc*ezpF?4$eH-Zy^6~m6?I7dt&&E|t7BGn@@iXONw ziD~U`%;U$qMkhKNJCMk(>m11hqQ4Kp+d4MTodibv`g+<*5bsCBRDzcj#9v61|FCQV zPDFdi26729UGyn4D*$eH5Lki?fG-6z;TB*fut0=>18}&i`Gj(E-*p2GPC;YI$^!FK zMaU9YP#z^~w9#qfkURj$Nx?uvoIa?BLiivNa~3A@LIrGAbTkIS=d!{uOdb#N8Da;) zkBt?A*m;V05NCgIKzJc_Z4jto{tf*LV3_u@^N4Q zsDhG)W_8yV4xnTv3kX0OVGl#PU;O!JX7}(&^-*-diA~6!H&Sx;cFTv%cC0XQPjaCK z8F5-HsL@u9%KM~I-3t9pzvSn&?Ol*!Dt!pqCvrY|>5w8Q56VFk(pE$w5pd~riT6ij z0st%mP2YX9CphUqk!w4y*e%;+U0a~5nr=?pV3L+M?|Dl8n%*}+Jw6z(wNQ_CeV^4H zsUIxJS5~A~$?Uivvw4-5Z`s`JUtT-qc%Ip0qSR8*;WtNrXInz!K#P9RvQk*^g;lV6 zt)}^H7^ZPV`_ol{r<@eV7C$;i`eZzJclgPDlvgG9Ds?!!nEQh77!+OF)tg;pp>vc! 
z?p2~{bVF82BA{q#Cg zY%xvbzcMJ^^MH!7M{{sa7v@j{3fw+XBZyyv3wtwm+ddu5>-Ep7Ds`#bex;2my1|0;5SjY+)kQI7BR!ID2h0=T11;q^BxG;RrYTj?g zu^1y-y1K+J{HLwZf=Ga@FacDWwn8c63?vMT2!SC>*nF~;aZt*<%^#A~9Mno~tf<}k zcB38KP_1)quAb@hIu+BhyL(>Yyy=m}bL3>3TCFQy;ZZNnWe@}4X!gYeeg_Za_qgX-Kg@Vk$Ww~mk{h3vp7VQ}`#{1L zZk}1t(({d_<#Bn^Md?by&DnmvM;;s3NY$T|ITQ73cYIlLyvf*M@6yf(wS_xiBcJD( zV=pbJGu$4F9FkWX4qj=04O4Qe^IBe?^bZ(g+gy-iRI@3jh{)^uk&sc?iN|9GkO^Lf ztudp-e%uD#&Rc`mySn@k+HG<_ub$WR7+Z2k@YO~|{-O?LuBnebtV8oxu-c>IkTr1T3y&1$v>12t%DUTi&Q}+siny8^-$(VF42+M842zRVJ`z|; z-87{2P`4PK)=d7gkaLfSG0Z=Xxk`K9S?_u!Dq5jmEmLtYt%9RjeIIVK#fbE_l-I2& zzjZ8J&bUf<$KllaY-UnkwO^iX%d%_TXPtD)mfp`MztdN5_o)jHJeCH}Gq*`mN=ND5 z(Td((QNUbP*HbX}QatX^ob69)Zw-B^(AK*z`>tL?p_KjXREjw^mh)?E&Mv0*+a;}f z`;Kpyptdf84>G;#s1|^^i_mPFMUFyO# z=5{}(EyR)q&x#Bg8b!Z!ov=fPg;w_Y1%+eATJ`Vs3^h$`OIWXe)<;jXGrIU@tEcR) zm>JYOSW4eKLZJ3sOCsEwXA@BwQv? z2bs+&h#(;8U-0&D)jy-i+Ko;C3xR|~Mk#Uu=S}fU7J-{dI?#N&1&PBVF)@`GZJDwT zRcqlm?>DPe;{jdV<}3M6z2A49kzGWkoSi{g06=B}u#J_U9jPD62al;&A1M#eZ+x_P z|9kX#`@P3Zs(1T(G-wFk-IH}aGtsk?UVAW=V9;C#40SGjBemj(`Cajaqs&Bs>s!ho z=im#!6}-_7<&cz38`^x_wx@m&_20f5e>_mwF-OgGS(Tw#?Dgif{KE(KR}OVKqz$j# znma%m3|f@UmAga_Nz|=Bgp?&Ryu*bo%HzF z@Z!@8Qu7FzXYGzOT9&`7k(I8f&#Y2G?b3SNb3{YGTx6jzvZ~2>K*jf_{D`WDhSY}# zkIKCk8o9Ig=Xmt_?kd%4E_4pDn(+N%oCfqTcK0a_S82?4izxin+d+^!6pJ{qo#7U} z9lW8iktvMlvu20!vm$oW@1ed8#*gL(`q4uZDRdt}C_awiWx?=u;ye1V@Gi#Qp^gc@ zxPUNn9Ea>iAWDYE*KgUKsDUyHv52$oscE>8=rjkaH^a=$;rl?dC-Xm*Q+#{bsnwa4 zb4g|^?nJyxct8ThK@c4kNhS;FQG76#;1o`e?M4}HjbSnRujSR*0 zlAyvU|43^eXKzYem^+CCvPsr#2QTw@VR$6YA|Wop$;$@^I#Q|l&?qRW@^As*s)#>7 zMS(VY@=AwxUE)kdQdROCkia$FxopRGgjaN$N_bxzoC6#0>MC zwE>bCk~!Zr1_=s6{;<@N>XH%5wE7j<8S0bqi=?h3t*3P#LBY?|&?GZ&2T4^)Do(4e cRh*$ZgP0yJQsM(5m<;rL32h}soZ!O#4*C8BcmMzZ literal 0 HcmV?d00001 
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip similarity index 55% rename from security/manager/ssl/tests/unit/test_signed_apps/cose_signed.zip rename to security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip index 918c715aded14f600b7a2e615f388bfc5dcef31b..4542e8a2337e689f5db78f7e1f3b8a6f55693d26 100644 GIT binary patch delta 1071 zcmeyW@K1p^z?+#xgaHJaN;)R;mNA2 z9KoWhZMTR~jU|%F+@Oic*r16~dI2*NBNLN|{(r%$SI0EOGp8L{=rB!x^K6!dK9g(N z<9SRBjSLLfm_u2Zc{C@#V3+4oC{9f-FfuhOGMsG8+EAa)bUsYqbqP*yN8!z>*O=1CeDpLqcQuy)Mp*DjpdgW{R>(sq7|`#|HH=kj=tB+ zeLd}e>wL19!(cF_*(Uu-u1Hsg>PglOil4nV^|P=r7N|W_Ja}9%G_7jZqgx#jPE2L) zd)Tfk$cj94yIRfgUBAy+xa#K~<4#w0KdEcsdsV7`7Un;Ro9DOPF`sFU=j6?7%0>}Q z&-PUGYKSahbe^((%g-uz+gYy#vge$!{K_`xxoUYlN{o3o%=a|e%)x$zxjwhLE9cO} z+^?N>Ernr!{NBy^p(mwZzH-~eG6Ve`Zxz27aI=r+MTK2+g0VAZLI$Eyq`7YD zjo?YfyWUSaD)I2fmvc39=v*cB;S}ebV))N@H5-GhL#&`}p`c-J#Oo)?vo3h2-hSt^>2Q6a7dKMd&WCW&~W`~(YgqxIkxn`TYm=_e~ zNBH}jlqTD9p_*}O%@*m+%XpSD+PG!~X}kCZ24-YOIu@I|db?-l`6q@~h8RX>rkHxC z1-b>9L_6x|822&*xdhg`KgZ~Mn2u2StqYx ziRaZe)HG0MV-96u=21|X{E=N@vMpxlZwe5mRTnQPjVyHw}aD zT;HWN|8it+;?BJ9d2NYz|2{1K_kQlnnezf)#D4cE?>qJ)n6)}aN8>pc`~Fu4*#vo? 
zCtRqnobpobyx{Rwc=ay)))MT2?G z5%;xUZ=8Oyj)$=!!E`d0Vx#fJYgy9Ix80l=aA>dCt?d~JpA=RV^^|diRI%Pzc=jcG z7Zba8d+k>BQx=;I)=z)1-Bg5QHRA>mju`LXWn5GLY+>4AGI#&@Esp``B}EHmhNh0XG|`R+~rLcV0$DMwTWxjIAp5^OmgtDsq>7LP2$FepEnXn!&rMILYhPW^>ha(wEICQH^+d zgL&@n;_qRbJ7##Qa9t?bTN23kd}kxS**WdNDalh$#%dZW+)fZY)1B;~U?3wE@$*P% zyw`6QnMwBZmW8d(P~j?<*0v7$$#Ney~^fxU;FV+;K?nyV|PM0&hWnA{eSK4<(%~mU({SJV@*4r7*6}}{_M$Ls6lya z?X&fhHF!Mi{n8BbBMX9ZLjp@&Of6C>v%<5>vi!20TuK6~0t522-P20*jlHWX3X^?p zxlql}kX@~_c|FfkMw_hc%=8GSs7yDb5EJiYM=uxOz{sM^yt1W?E`-iC$K5eqJ?~f`SrEB)%-Qs5mn} zPsvKbNCza5mzbLhDS7Fx1foS_r~y zKpf=i=;G@dl95@g07NAjsR~7@i7C0M3TgR8U~UP>npBuIdT7SYZn9(-V`5+cVLqU7 zDTyVC`kA?j>8W}JdFh=2e(t*?YcQZeW4 zxs99*1_DPm+^&ClUWl=|aADl-ca#2qaF{cShHMD*$R!jgRqc}z-UEzp22WQ%mvv4F zO{fX-759v#%!~{SAS?z{1x$>Nx}JV+`pNmlsd}(n;0w(kx?zyqV5MNFXTZhf2h0mr z3NS_B%)=Gz;b>%Prt6ZK4otaL3Qi$;&IKWcrY3$yW&3VE>i<7RmquA-8St`kYPET^edlFl5F%4{dkwS55a)GghNs*yJnSlTsJJ40F=KZ(-mpQ7yBU zs?#~zAzhy$Hhk1Nn?E6qm4okGVqDlajr3jG_w$Q5zH%%Lv3irRf|d1tMs9tj+$~Fs zqC-u^Q`B28{}STf&wu+Z&&EXGh28D-!CmjFzuvszaN&*fw-@h}xi_8+wJE95Vqsf( zuSrS6Y_k51nfGfZ{(2ZPX`<@HGmo|xuexF*Dr&^WV8gDNC$fF|f{28-Z0dFkGps_k z+>mlEY4Mn5^UQ8vqd4=M>$XK77KN}yUU}o{_9EM*g)?K^lj? z=X&R<1=!58-n08+Ms7a;o5c>RuTN4t*K|2z`-I!8HvIc~eox14&K%{SBqrrwTSVXO zO5qn0D4SJyyT|$X?cUw-E2I|LlnDwKHZ9w=cw>5X?(z?J+t_XyZ8~Wkm*8_Oxhyn( zH}Az|&+S{jbl0aXb-1*qzM(jTt#v=ciB~?en!o2WuGf{R<87%#W~GA`$>Q| zBa;X-?lv5#jst-PU`>YBqC?k;-U?h> literal 0 HcmV?d00001 
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip new file mode 100644 index 0000000000000000000000000000000000000000..95fadc59cba10a5593a955f1cef77effd4bb4389 GIT binary patch literal 2115 zcmWIWW@Zs#0D(!R9o|wg8k_upY!K!J;@rf%%(T?v61}YA{Jd%|1qCITNPJmpQE_H| zo|2VBt?!hAsE zQW8rN^)qu5(^K^d^3pp4{M>oDq_}_*yq+E|K|p#M2y=jJwqY!M#K6FK*VDx@q+-t7 za~nAs3h6r4ixoC`t>O-=la%z~nFEs`=)Tuh9^BT@`XvP_fG z&GOTH4K4kAJPrI^ZD9sNG6lLxNs$IQmKBBWUXjiPg^{UV2Hs|cCNANjfrX_8xqeP= zz9t?fsks?hnO^B|lTh;mx{0mx?NG{Gu&B;*!nxB`NqL5fn04y^=1w>JPeu;sS1iz7ip{b#vk%a*m zM1ch?42%p+p#labhDHVk5aTql7zZ&8YUnIg*$mbiW9LKm z4I4NnUC!-{4hmZ#)N%2(M_1ssb{&CB({6?Hs86|GcI3k)^%(2r46*y78FtE?ki4#t zsGWY}est7k55B+3H+MOH(-xYZwtlY5i-i}~$!AVYoEv*aWA=fm&pKus%P%YX7qn1B zD`ElvhmG+aeXp1MdfNZi`D8JN!C*?WP5P5uk**BYldKyQKYMTLXJKJ1Pl!6n9AJuuw7S>6?y1(wVL6(exI{&)z3Y~ov!SDQrE)ws#O0h%zqL$&u_b9 z{v6K*5e_k>f%An01J1^F-BVb+hs|K(|4qfE@rEgH{+@Pf;3{|)(e!LjMX!d)5=Q4K z+qe9za<`rJS|EGQ8OyJ1bDpb~#|L;bGKnzbt^h#=1PC+$ivhIi5M3*J6$a7(0u79n zKoXL7(ebtU0B=@M70JK~ MgnGab`48p+000^PSpWb4 literal 0 HcmV?d00001 diff --git a/third_party/rust/cose-c/.cargo-checksum.json b/third_party/rust/cose-c/.cargo-checksum.json index b6dac98cddaf..54139175a21e 100644 --- a/third_party/rust/cose-c/.cargo-checksum.json +++ b/third_party/rust/cose-c/.cargo-checksum.json 
@@ -1 +1 @@ -{"files":{"Cargo.toml":"6689411cf004e6ebc4645105de26492adbea6f690f9184119cf1689829ff098a","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","include/cosec.h":"9e952f6bf578c812e67a93c3c810f4aaa57d365932fe8d01f36f587e8aa32538","src/lib.rs":"d10a17e4840187711d85058bf4afdbfbda88c74a9483921ee48a1bfc0cc5ff70"},"package":"07cc8bb85ec2e93541ef9369b85a4b6fb7732bc7f4854d317eab20e726b0fc2f"} \ No newline at end of file +{"files":{"Cargo.toml":"6e5aa986e80c9f848f8219f46d5e6d445609a3db70da9793f920c56c18814b7d","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","include/cosec.h":"0c6ebd84b6e1ee61a710f86416fc9092653292479556c713c83f193f26ac09b9","src/lib.rs":"0fef8341439e55682d7a7e50dead28427832b5fbd28ca48f60b00277c8a4b9b1"},"package":"49726015ab0ca765144fcca61e4a7a543a16b795a777fa53f554da2fffff9a94"} \ No newline at end of file diff --git a/third_party/rust/cose-c/Cargo.toml b/third_party/rust/cose-c/Cargo.toml index caa174f30e23..fcd8a538d8f6 100644 --- a/third_party/rust/cose-c/Cargo.toml +++ b/third_party/rust/cose-c/Cargo.toml @@ -12,7 +12,7 @@ [package] name = "cose-c" -version = "0.1.1" +version = "0.1.5" authors = ["Franziskus Kiefer "] description = "C API for the cose crate" keywords = ["cose", "jose", "cbor"] @@ -23,4 +23,4 @@ repository = "https://github.com/franziskuskiefer/cose-c-api" name = "cosec" path = "src/lib.rs" [dependencies.cose] -version = "0.1.2" +version = "0.1.4" diff --git a/third_party/rust/cose-c/include/cosec.h b/third_party/rust/cose-c/include/cosec.h index ee96cdfc2f6e..6596075e1dba 100644 --- a/third_party/rust/cose-c/include/cosec.h +++ b/third_party/rust/cose-c/include/cosec.h 
@@ -22,11 +22,13 @@ typedef bool (*cose_verify_callback)(const uint8_t* payload, size_t ee_cert_len, const uint8_t* signature, size_t signature_len, - uint8_t algorithm); + uint8_t algorithm, + void* ctx); bool verify_cose_signature_ffi(const uint8_t* payload, size_t payload_len, const uint8_t* signature, size_t signature_len, + void* ctx, cose_verify_callback); } diff --git a/third_party/rust/cose-c/src/lib.rs b/third_party/rust/cose-c/src/lib.rs index 526889154909..695d7908f8e2 100644 --- a/third_party/rust/cose-c/src/lib.rs +++ b/third_party/rust/cose-c/src/lib.rs @@ -7,6 +7,7 @@ extern crate cose; use std::slice; use cose::decoder::decode_signature; use cose::SignatureAlgorithm; +use std::os::raw; unsafe fn from_raw(ptr: *const u8, len: usize) -> Vec { slice::from_raw_parts(ptr, len).to_vec() @@ -21,7 +22,8 @@ type VerifyCallback = extern "C" fn(*const u8, /* payload */ usize, /* signer cert len */ *const u8, /* signature bytes */ usize, /* signature len */ - u8 /* signature algorithm */) + u8, /* signature algorithm */ + *const raw::c_void /* some context of the app */) -> bool; #[no_mangle] @@ -30,6 +32,7 @@ pub extern "C" fn verify_cose_signature_ffi( payload_len: usize, cose_signature: *const u8, cose_signature_len: usize, + ctx: *const raw::c_void, verify_callback: VerifyCallback, ) -> bool { if payload.is_null() || cose_signature.is_null() || payload_len == 0 || @@ -80,6 +83,7 @@ pub extern "C" fn verify_cose_signature_ffi( signature_bytes.as_ptr(), signature_bytes.len(), signature_type, + ctx, ) }); } diff --git a/third_party/rust/cose/.cargo-checksum.json b/third_party/rust/cose/.cargo-checksum.json index 2aef910f1af7..e7271441a85b 100644 --- a/third_party/rust/cose/.cargo-checksum.json +++ b/third_party/rust/cose/.cargo-checksum.json 
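Review bot: The new `ctx` parameter is declared `void* ctx` in cosec.h (in both `cose_verify_callback` and `verify_cose_signature_ffi`) but `*const raw::c_void` in the lib.rs hunks at `@@ -21,7 +22,8 @@` and `@@ -30,6 +32,7 @@`, so the two sides of the FFI disagree on whether the callback may write through it. The ABI is identical, but if the caller's callback stores results in the context, the Rust side should say so: `*mut raw::c_void` in `VerifyCallback` and in the `ctx:` parameter, or `const void* ctx` in the header if it is meant to be read-only. The header also states no contract for the pointer. I would add a comment such as `/* ctx: opaque caller data, passed unchanged to the callback; not dereferenced by the library; must stay valid until verify_cose_signature_ffi returns */`, which matches the only use visible here (forwarding `ctx` in the `@@ -80,6 +83,7 @@` hunk). Most of the body of `verify_cose_signature_ffi` lies outside these hunks, so the lifetime wording should be checked against it.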
@@ -1 +1 @@ -{"files":{".travis.yml":"be3532bc6d5d823090206ad957c8705436960d1918a2c577342f6914a233ca98","Cargo.toml":"5eb5257aced25840b3af43757478e4dfa38e2f222cb25794ffeeb681b6a46ce2","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","README.md":"42a12b9a8944a2888ce2622bb03c06850163ab738917414e3413b63be9257a8a","build.rs":"a2b798bbeaf8ef19a9bd8c1e24b3fd3899a5b4b3e121e5e09794e4e2b35971dd","rustfmt.toml":"e97717e906fcd3eeb86dcee52ed26f13e1884597b016a27172229d9c78dd3d57","src/cbor/decoder.rs":"b9e375489131aea75fb461c9ee96e45595e08957c90179f2c449226a31b7e4c5","src/cbor/mod.rs":"f5b767eedbee01b3f697afb2dce777c6043e6fea6f9a7eab8387560caaa40100","src/cbor/serializer.rs":"d86f0123f364046c8c18b45e109437b16c24d29bc7ef01c12a7c465e89878836","src/cbor/test_decoder.rs":"6a47f0f98f54a343f12c78033c94c5892b0a5b5e62de251bef3a722f358978ab","src/cbor/test_serializer.rs":"984fbe0520e77d078fb2e2c60e4e0df077d40ede644b1b92651f3a0696377511","src/cose.rs":"1a5c23f31863c58838f4aa94c2940e9f18252929c990d2a9522490e56593710e","src/decoder.rs":"ce86fd2f72cf02185ea724d63e5cb24aaea9ff6a2f3137c20322764a3ea9d15e","src/nss.rs":"e17101aa957367ee025afd5af37d72a955d9b79098ab7db1631f93b6479230a3","src/test_cose.rs":"35798ef9ee5849204b36a69b07969c0b4f3976d0e44ccfff6f413a2e3684f76b","src/test_nss.rs":"51ececb4a8fd8ddba7e1af179b9326e38a838d4693998092f842db5f30e75703","src/test_setup.rs":"b2c8d5b4a20013fd89bcc9d5732af509331a648a1163a9e44b47e51dde2b6308","src/util.rs":"fbc1a2051230156c2504efcff5044fbf54a6f925aa7dfb97c211208348364425","src/util_test.rs":"49dde5be7202aa2fa3f7ac6d36de189739cd5538e378f5c0a27161b9185e9ca6","tools/certs/certs.md":"7a1acd946f5bb5b9b21ebd7653ef9d5746a1ea237131a69218a91dc26eda545a","tools/certs/certs.sh":"a06e1a7bf99316c7800e388d20c1630da7449937635600d9f21d8d93907011bf","tools/certs/ee-p256.certspec":"5a7246c0abf1ee08edb858ce2fd38010de7785a0e8652f2d9a0b7eee7aa39213","tools/certs/ee-p256.keyspec":"eabd2839f9e57cf2c372e686e5856cf651d7f07d0d396b3699d1d228b5931945
","tools/certs/ee-p384.certspec":"d2e4fdd6d8f02f22bffa800ac2b7f899f5d826528e7b7d3248e1abea15cd33bd","tools/certs/ee-p521.certspec":"7ad1fc3cdf024dfa7213f3a2875af0ccfa2bd73fddcfaf73223aa25b24ee2cad","tools/certs/ee-rsa.certspec":"dd69ecbb1cdf322fb8ef6eb50c2f033b62e7983b5448b96f1965eee8f85b7bde","tools/certs/int-p256.certspec":"b42a2286339455626b9a8b6c0811b031bf269440c6fcef7478796d02c5491364","tools/certs/int-rsa.certspec":"a0942438c72a3ce83b54c04e4a5d4bff08036c2c9feb7d75a7105bfa4fdc5499","tools/certs/root-p256.certspec":"99c1bb07505ddfc3ada5737d8a1bf4cff7b1a70a79abda9fd45fc3a6e72061fc","tools/certs/root-rsa.certspec":"67903313b6058aa98be0d98564577b0c878c868b6f2a8758f27bb7af17616d8e"},"package":"ec10816629f38fa557f08e199a3474fab954f4c8d2645550367235afa6e5646b"} \ No newline at end of file +{"files":{".travis.yml":"c05a8cdd57b8969a1ab3547181b3d74079b8493132893c15cf3c4f479327359b","Cargo.toml":"40534ef8d01b0269e2ca3b00c4d14f7523222bc85611ee07afcffea45a71ef4b","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","README.md":"7b9676ec9ed5d7ac38f461b1b257eb0bd80568e732994fb26fa929ce5fe503af","build.rs":"a2b798bbeaf8ef19a9bd8c1e24b3fd3899a5b4b3e121e5e09794e4e2b35971dd","examples/sign_verify/main.rs":"fbe4b9c73b23e1ef364126f453f749fefb67ab45703bf809a5eed910a25e461e","examples/sign_verify/nss.rs":"a1d133142efc0ac6564f0b9587890587f1ecaa7404ac0c4c8907de6d43de3267","examples/sign_verify/test_nss.rs":"be41ebe0a82b6172297b10c13767e4768f0b613ac331b554f6e8c2c7a20c0bc8","examples/sign_verify/test_setup.rs":"82330118e4284d9bf788dbec9e637ab4a3b53fd4ec9c7efaed0e996ffa084de4","examples/sign_verify/util_test.rs":"48d52f3ca3e93b670a1d69f8443358260c1ae61d7977a59d922696811320d4c3","rustfmt.toml":"e97717e906fcd3eeb86dcee52ed26f13e1884597b016a27172229d9c78dd3d57","src/cose.rs":"104e06843f4cdffe2ca6f42f46c51c79d685c18d2ad92b65811e3ceffbd90e07","src/decoder.rs":"a4d2dcd44d179fabdac6ce99cc3512ece3164ba48beab9f313ad85db466c3a55","src/test_cose.rs":"849ec936a00eb438a08eb8538
0b3e4ba8d8c5a5cf674b272e0fd8e671ab6d5ca","src/test_setup.rs":"e26f290831343cbb4e2b2ec7d1be34c7b900eb8c87abd6f40629372a87b6e992","src/util.rs":"8cdcdc8a120e71a772af61fa63ffa2d2d2eb572d8a53da3b5f1ce9da784f2662","tools/certs/certs.md":"7a1acd946f5bb5b9b21ebd7653ef9d5746a1ea237131a69218a91dc26eda545a","tools/certs/certs.sh":"a06e1a7bf99316c7800e388d20c1630da7449937635600d9f21d8d93907011bf","tools/certs/ee-p256.certspec":"5a7246c0abf1ee08edb858ce2fd38010de7785a0e8652f2d9a0b7eee7aa39213","tools/certs/ee-p256.keyspec":"eabd2839f9e57cf2c372e686e5856cf651d7f07d0d396b3699d1d228b5931945","tools/certs/ee-p384.certspec":"d2e4fdd6d8f02f22bffa800ac2b7f899f5d826528e7b7d3248e1abea15cd33bd","tools/certs/ee-p521.certspec":"7ad1fc3cdf024dfa7213f3a2875af0ccfa2bd73fddcfaf73223aa25b24ee2cad","tools/certs/ee-rsa.certspec":"dd69ecbb1cdf322fb8ef6eb50c2f033b62e7983b5448b96f1965eee8f85b7bde","tools/certs/int-p256.certspec":"b42a2286339455626b9a8b6c0811b031bf269440c6fcef7478796d02c5491364","tools/certs/int-rsa.certspec":"a0942438c72a3ce83b54c04e4a5d4bff08036c2c9feb7d75a7105bfa4fdc5499","tools/certs/root-p256.certspec":"99c1bb07505ddfc3ada5737d8a1bf4cff7b1a70a79abda9fd45fc3a6e72061fc","tools/certs/root-rsa.certspec":"67903313b6058aa98be0d98564577b0c878c868b6f2a8758f27bb7af17616d8e"},"package":"72fa26cb151d3ae4b70f63d67d0fed57ce04220feafafbae7f503bef7aae590d"} \ No newline at end of file diff --git a/third_party/rust/cose/.travis.yml b/third_party/rust/cose/.travis.yml index 5e165342024b..13c97f77bc36 100644 --- a/third_party/rust/cose/.travis.yml +++ b/third_party/rust/cose/.travis.yml @@ -1,4 +1,5 @@ sudo: true +dist: trusty language: rust cache: cargo rust: 
@@ -12,10 +13,10 @@ addons: - build-essential - libnss3-dev -install: +#install: # Apparently cargo install returns a nonzero exit status if # caching succeeds, so just make this always "succeed". - - (cargo install rustfmt || true) +# - (cargo install rustfmt --force || true) script: # The NSS version in Ubuntu is too old. Get a newer one. @@ -24,8 +25,9 @@ script: wget http://de.archive.ubuntu.com/ubuntu/pool/main/n/nspr/libnspr4_4.16-1ubuntu2_amd64.deb sudo dpkg -i libnspr4_4.16-1ubuntu2_amd64.deb sudo dpkg -i libnss3_3.32-1ubuntu3_amd64.deb -- | - cargo fmt -- --write-mode=diff +#- | +# cargo fmt -- --write-mode=diff - | cargo build --features "$FEATURES" && - cargo test + cargo test && + cargo run --example sign_verify diff --git a/third_party/rust/cose/Cargo.toml b/third_party/rust/cose/Cargo.toml index 711785e49fbd..5251eac5c2fc 100644 --- a/third_party/rust/cose/Cargo.toml +++ b/third_party/rust/cose/Cargo.toml @@ -12,17 +12,19 @@ [package] name = "cose" -version = "0.1.2" +version = "0.1.4" authors = ["Franziskus Kiefer ", "David Keeler "] build = "build.rs" description = "Library to use COSE (https://tools.ietf.org/html/rfc8152) in Rust" -keywords = ["cose", "jose", "cbor"] +keywords = ["cose", "jose"] license = "MPL-2.0" repository = "https://github.com/franziskuskiefer/cose-rust" [lib] name = "cose" path = "src/cose.rs" +[dependencies.moz_cbor] +version = "0.1.0" [dev-dependencies.scopeguard] version = "0.3" diff --git a/third_party/rust/cose/README.md b/third_party/rust/cose/README.md index 0547779eb0ef..5540371c016b 100644 --- a/third_party/rust/cose/README.md +++ b/third_party/rust/cose/README.md @@ -13,3 +13,14 @@ If NSS is not installed in the path, use `NSS_LIB_DIR` to set the library path w we can find the NSS libraries. cargo build + +### Run Tests and Examples + +To run tests and examples you need NSS in your library path. Tests can be run +with + + cargo test + +and examples with + + cargo run --example sign_verify 
diff --git a/third_party/rust/cose/examples/sign_verify/main.rs b/third_party/rust/cose/examples/sign_verify/main.rs new file mode 100644 index 000000000000..0b356e41bbb8 --- /dev/null +++ b/third_party/rust/cose/examples/sign_verify/main.rs 
@@ -0,0 +1,259 @@ +extern crate moz_cbor as cbor; +extern crate cose; + +#[macro_use(defer)] +extern crate scopeguard; + +mod nss; +mod test_nss; +mod test_setup; +mod util_test; + +use util_test::{sign, verify_signature}; +use test_setup as test; +use std::str::FromStr; +use cose::{CoseError, SignatureAlgorithm}; + +// All keys here are from pykey.py/pycert.py from mozilla-central. +// Certificates can be generated with tools/certs/certs.sh and mozilla-central. + +#[derive(Debug)] +pub struct SignatureParameters<'a> { + certificate: &'a [u8], + algorithm: SignatureAlgorithm, + pkcs8: &'a [u8], +} + +#[derive(Debug)] +pub struct Signature<'a> { + parameter: &'a SignatureParameters<'a>, + signature_bytes: Vec, +} + +const P256_PARAMS: SignatureParameters = SignatureParameters { + certificate: &test::P256_EE, + algorithm: SignatureAlgorithm::ES256, + pkcs8: &test::PKCS8_P256_EE, +}; +const P384_PARAMS: SignatureParameters = SignatureParameters { + certificate: &test::P384_EE, + algorithm: SignatureAlgorithm::ES384, + pkcs8: &test::PKCS8_P384_EE, +}; +const P521_PARAMS: SignatureParameters = SignatureParameters { + certificate: &test::P521_EE, + algorithm: SignatureAlgorithm::ES512, + pkcs8: &test::PKCS8_P521_EE, +}; + +fn test_verify(payload: &[u8], cert_chain: &[&[u8]], params_vec: Vec) { + test::setup(); + let cose_signature = sign(payload, cert_chain, ¶ms_vec); + assert!(cose_signature.is_ok()); + let cose_signature = cose_signature.unwrap(); + + // Verify signature. + assert!(verify_signature(payload, cose_signature).is_ok()); +} + +fn test_verify_modified_payload( + payload: &mut [u8], + cert_chain: &[&[u8]], + params_vec: Vec, +) { + test::setup(); + let cose_signature = sign(payload, cert_chain, ¶ms_vec); + assert!(cose_signature.is_ok()); + let cose_signature = cose_signature.unwrap(); + + // Verify signature. 
+ payload[0] = !payload[0]; + let verify_result = verify_signature(payload, cose_signature); + assert!(verify_result.is_err()); + assert_eq!(verify_result, Err(CoseError::VerificationFailed)); +} + +fn test_verify_modified_signature( + payload: &[u8], + cert_chain: &[&[u8]], + params_vec: Vec, +) { + test::setup(); + let cose_signature = sign(payload, cert_chain, ¶ms_vec); + assert!(cose_signature.is_ok()); + let mut cose_signature = cose_signature.unwrap(); + + // Tamper with the cose signature. + let len = cose_signature.len(); + cose_signature[len - 15] = !cose_signature[len - 15]; + + // Verify signature. + let verify_result = verify_signature(payload, cose_signature); + assert!(verify_result.is_err()); + assert_eq!(verify_result, Err(CoseError::VerificationFailed)); +} + +// This can be used with inconsistent parameters that make the verification fail. +// In particular, the signing key does not match the certificate used to verify. +fn test_verify_verification_fails( + payload: &[u8], + cert_chain: &[&[u8]], + params_vec: Vec, +) { + test::setup(); + let cose_signature = sign(payload, cert_chain, ¶ms_vec); + assert!(cose_signature.is_ok()); + let cose_signature = cose_signature.unwrap(); + + // Verify signature. + let verify_result = verify_signature(payload, cose_signature); + assert!(verify_result.is_err()); + assert_eq!(verify_result, Err(CoseError::VerificationFailed)); +} + +fn test_cose_sign_verify() { + let payload = b"This is the content."; + + // P256 + let certs: [&[u8]; 2] = [&test::P256_ROOT, + &test::P256_INT]; + let params_vec = vec![P256_PARAMS]; + test_verify(payload, &certs, params_vec); + + // P256, no other certs. 
+ let certs: [&[u8]; 0] = []; + let params_vec = vec![P256_PARAMS]; + test_verify(payload, &certs, params_vec); + + // P384 + let params_vec = vec![P384_PARAMS]; + test_verify(payload, &certs, params_vec); + + // P521 + let params_vec = vec![P521_PARAMS]; + test_verify(payload, &certs, params_vec); +} + +fn test_cose_verify_xpi_signature() { + // This signature was created with sign_app.py from m-c. + test::setup(); + assert!(verify_signature(&test::XPI_PAYLOAD, test::XPI_SIGNATURE.to_vec()).is_ok()); +} + +fn test_cose_sign_verify_modified_payload() { + let mut payload = String::from_str("This is the content.") + .unwrap() + .into_bytes(); + let certs: [&[u8]; 2] = [&test::P256_ROOT, + &test::P256_INT]; + let params_vec = vec![P256_PARAMS]; + test_verify_modified_payload(&mut payload, &certs, params_vec); +} + +fn test_cose_sign_verify_wrong_cert() { + let payload = b"This is the content."; + let certs: [&[u8]; 2] = [&test::P256_ROOT, + &test::P256_INT]; + let params = SignatureParameters { + certificate: &test::P384_EE, + algorithm: SignatureAlgorithm::ES256, + pkcs8: &test::PKCS8_P256_EE, + }; + let params_vec = vec![params]; + test_verify_verification_fails(payload, &certs, params_vec); +} + +fn test_cose_sign_verify_tampered_signature() { + let payload = b"This is the content."; + let certs: [&[u8]; 2] = [&test::P256_ROOT, + &test::P256_INT]; + let params_vec = vec![P256_PARAMS]; + test_verify_modified_signature(payload, &certs, params_vec); +} + +const RSA_PARAMS: SignatureParameters = SignatureParameters { + certificate: &test::RSA_EE, + algorithm: SignatureAlgorithm::PS256, + pkcs8: &test::PKCS8_RSA_EE, +}; + +fn test_cose_sign_verify_rsa() { + let payload = b"This is the RSA-signed content."; + let certs: [&[u8]; 2] = [&test::RSA_ROOT, + &test::RSA_INT]; + let params_vec = vec![RSA_PARAMS]; + test_verify(payload, &certs, params_vec); +} + +fn test_cose_sign_verify_rsa_modified_payload() { + let mut payload = String::from_str("This is the RSA-signed 
content.") + .unwrap() + .into_bytes(); + let certs: [&[u8]; 2] = [&test::RSA_ROOT, + &test::RSA_INT]; + let params_vec = vec![RSA_PARAMS]; + test_verify_modified_payload(&mut payload, &certs, params_vec); +} + +fn test_cose_sign_verify_rsa_tampered_signature() { + let payload = b"This is the RSA-signed content."; + let certs: [&[u8]; 2] = [&test::RSA_ROOT, + &test::RSA_INT]; + let params_vec = vec![RSA_PARAMS]; + test_verify_modified_signature(payload, &certs, params_vec); +} + +fn test_cose_sign_verify_two_signatures() { + let payload = b"This is the content."; + let certs: [&[u8]; 4] = [&test::P256_ROOT, + &test::P256_INT, + &test::RSA_ROOT, + &test::RSA_INT]; + let params_vec = vec![P256_PARAMS, + RSA_PARAMS]; + test_verify(payload, &certs, params_vec); +} + +fn test_cose_sign_verify_two_signatures_tampered_payload() { + let mut payload = String::from_str("This is the content.") + .unwrap() + .into_bytes(); + let certs: [&[u8]; 4] = [&test::P256_ROOT, + &test::P256_INT, + &test::RSA_ROOT, + &test::RSA_INT]; + let params_vec = vec![P256_PARAMS, + RSA_PARAMS]; + test_verify_modified_payload(&mut payload, &certs, params_vec); +} + +fn test_cose_sign_verify_two_signatures_tampered_signature() { + let payload = b"This is the content."; + let certs: [&[u8]; 4] = [&test::P256_ROOT, + &test::P256_INT, + &test::RSA_ROOT, + &test::RSA_INT]; + let params_vec = vec![P256_PARAMS, + RSA_PARAMS]; + test_verify_modified_signature(payload, &certs, params_vec); +} + +fn main() { + // Basic NSS exmaple usage. + test_nss::test_nss_sign_verify(); + test_nss::test_nss_sign_verify_different_payload(); + test_nss::test_nss_sign_verify_wrong_cert(); + + // COSE sign/verify example usages. 
+ test_cose_sign_verify_two_signatures_tampered_signature(); + test_cose_sign_verify_two_signatures_tampered_payload(); + test_cose_sign_verify_two_signatures(); + test_cose_sign_verify_rsa_tampered_signature(); + test_cose_sign_verify_rsa_modified_payload(); + test_cose_sign_verify_rsa(); + test_cose_sign_verify_tampered_signature(); + test_cose_sign_verify_wrong_cert(); + test_cose_sign_verify_modified_payload(); + test_cose_verify_xpi_signature(); + test_cose_sign_verify(); +} diff --git a/third_party/rust/cose/src/nss.rs b/third_party/rust/cose/examples/sign_verify/nss.rs similarity index 99% rename from third_party/rust/cose/src/nss.rs rename to third_party/rust/cose/examples/sign_verify/nss.rs index ddeee16e35c5..a5a827ceba50 100644 --- a/third_party/rust/cose/src/nss.rs +++ b/third_party/rust/cose/examples/sign_verify/nss.rs @@ -2,7 +2,7 @@ use std::marker::PhantomData; use std::{mem, ptr}; use std::os::raw; use std::os::raw::c_char; -use SignatureAlgorithm; +use cose::SignatureAlgorithm; type SECItemType = raw::c_uint; // TODO: actually an enum - is this the right size? const SI_BUFFER: SECItemType = 0; // called siBuffer in NSS diff --git a/third_party/rust/cose/src/test_nss.rs b/third_party/rust/cose/examples/sign_verify/test_nss.rs similarity index 92% rename from third_party/rust/cose/src/test_nss.rs rename to third_party/rust/cose/examples/sign_verify/test_nss.rs index a759e0b10334..5733aa01e2f4 100644 --- a/third_party/rust/cose/src/test_nss.rs +++ b/third_party/rust/cose/examples/sign_verify/test_nss.rs @@ -3,8 +3,7 @@ use nss; use nss::NSSError; use SignatureAlgorithm; -#[test] -fn test_nss_sign_verify() { +pub fn test_nss_sign_verify() { test::setup(); let payload = b"sample"; @@ -24,8 +23,7 @@ fn test_nss_sign_verify() { ); } -#[test] -fn test_nss_sign_verify_different_payload() { +pub fn test_nss_sign_verify_different_payload() { test::setup(); let payload = b"sample"; 
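Review bot: `test_verify_modified_signature` tampers at a fixed, unexplained offset (`cose_signature[len - 15] = !cose_signature[len - 15];`) and then requires exactly `Err(CoseError::VerificationFailed)`. That holds only while byte `len - 15` falls inside signature bytes; if the encoding changes so that it lands on CBOR framing or certificate bytes, the call would presumably fail with a different error and the example would abort for the wrong reason. In `test_cose_sign_verify_two_signatures_tampered_signature` the same offset also appears to touch only the last signature, so a tampered first (P256) signature is never exercised. At minimum I would document the assumption above the flip, e.g. `// len - 15 is expected to fall inside the last signature's raw bytes, not the CBOR framing`. Computing the offset from the decoded structure would be better if the crate exposes it.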
@@ -46,8 +44,7 @@ fn test_nss_sign_verify_different_payload() { assert_eq!(verify_result, Err(NSSError::SignatureVerificationFailed)); } -#[test] -fn test_nss_sign_verify_wrong_cert() { +pub fn test_nss_sign_verify_wrong_cert() { test::setup(); let payload = b"sample"; diff --git a/third_party/rust/cose/examples/sign_verify/test_setup.rs b/third_party/rust/cose/examples/sign_verify/test_setup.rs new file mode 100644 index 000000000000..28ae3c1e1cf9 --- /dev/null +++ b/third_party/rust/cose/examples/sign_verify/test_setup.rs 
@@ -0,0 +1,625 @@ +use std::os::raw; +use std::ptr; +use std::sync::{ONCE_INIT, Once}; +static START: Once = ONCE_INIT; + +type SECStatus = raw::c_int; +const SEC_SUCCESS: SECStatus = 0; +// TODO: ugh this will probably have a platform-specific name... +#[link(name = "nss3")] +extern "C" { + fn NSS_NoDB_Init(configdir: *const u8) -> SECStatus; +} + +pub fn setup() { + START.call_once(|| { + let null_ptr: *const u8 = ptr::null(); + unsafe { + assert_eq!(NSS_NoDB_Init(null_ptr), SEC_SUCCESS); + } + }); +} + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const PKCS8_P256_EE: [u8; 139] = [ + 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, + 0x01, 0x04, 0x20, 0x21, 0x91, 0x40, 0x3d, 0x57, 0x10, 0xbf, 0x15, + 0xa2, 0x65, 0x81, 0x8c, 0xd4, 0x2e, 0xd6, 0xfe, 0xdf, 0x09, 0xad, + 0xd9, 0x2d, 0x78, 0xb1, 0x8e, 0x7a, 0x1e, 0x9f, 0xeb, 0x95, 0x52, + 0x47, 0x02, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, + 0x04, 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, + 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, + 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, + 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, + 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x0a +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const P256_EE: [u8; 300] = [ + 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45, 0x13, 0x92, + 0xd6, 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, + 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, + 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, + 0x30, 0x31, 0x32, 0x30, 0x31, 
0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, + 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, + 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, + 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, + 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, + 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, + 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, + 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, + 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, + 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, + 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, + 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, + 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, + 0xc1, 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const PKCS8_P384_EE: [u8; 185] = [ + 0x30, 0x81, 0xb6, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, + 0x04, 0x81, 0x9e, 0x30, 0x81, 0x9b, 0x02, 0x01, 0x01, 0x04, 0x30, 0x03, + 0x5c, 0x7a, 0x1b, 0x10, 0xd9, 0xfa, 0xfe, 0x83, 0x7b, 0x64, 0xad, 0x92, + 0xf2, 0x2f, 0x5c, 0xed, 0x07, 0x89, 0x18, 0x65, 0x38, 0x66, 0x9b, 0x5c, + 0x6d, 0x87, 0x2c, 0xec, 0x3d, 0x92, 0x61, 0x22, 0xb3, 0x93, 0x77, 0x2b, + 0x57, 0x60, 0x2f, 0xf3, 0x13, 0x65, 0xef, 0xe1, 0x39, 0x32, 0x46, 0xa1, + 0x64, 0x03, 0x62, 0x00, 
0x04, 0xa1, 0x68, 0x72, 0x43, 0x36, 0x2b, 0x5c, + 0x7b, 0x18, 0x89, 0xf3, 0x79, 0x15, 0x46, 0x15, 0xa1, 0xc7, 0x3f, 0xb4, + 0x8d, 0xee, 0x86, 0x3e, 0x02, 0x29, 0x15, 0xdb, 0x60, 0x8e, 0x25, 0x2d, + 0xe4, 0xb7, 0x13, 0x2d, 0xa8, 0xce, 0x98, 0xe8, 0x31, 0x53, 0x4e, 0x6a, + 0x9c, 0x0c, 0x0b, 0x09, 0xc8, 0xd6, 0x39, 0xad, 0xe8, 0x32, 0x06, 0xe5, + 0xba, 0x81, 0x34, 0x73, 0xa1, 0x1f, 0xa3, 0x30, 0xe0, 0x5d, 0xa8, 0xc9, + 0x6e, 0x43, 0x83, 0xfe, 0x27, 0x87, 0x3d, 0xa9, 0x71, 0x03, 0xbe, 0x28, + 0x88, 0xcf, 0xf0, 0x02, 0xf0, 0x5a, 0xf7, 0x1a, 0x1f, 0xdd, 0xcc, 0x83, + 0x74, 0xaa, 0x6e, 0xa9, 0xce +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const PKCS8_P521_EE: [u8; 240] = [ + 0x30, 0x81, 0xed, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, + 0x04, 0x81, 0xd5, 0x30, 0x81, 0xd2, 0x02, 0x01, 0x01, 0x04, 0x42, 0x01, + 0x4f, 0x32, 0x84, 0xfa, 0x69, 0x8d, 0xd9, 0xfe, 0x11, 0x18, 0xdd, 0x33, + 0x18, 0x51, 0xcd, 0xfa, 0xac, 0x5a, 0x38, 0x29, 0x27, 0x8e, 0xb8, 0x99, + 0x48, 0x39, 0xde, 0x94, 0x71, 0xc9, 0x40, 0xb8, 0x58, 0xc6, 0x9d, 0x2d, + 0x05, 0xe8, 0xc0, 0x17, 0x88, 0xa7, 0xd0, 0xb6, 0xe2, 0x35, 0xaa, 0x5e, + 0x78, 0x3f, 0xc1, 0xbe, 0xe8, 0x07, 0xdc, 0xc3, 0x86, 0x5f, 0x92, 0x0e, + 0x12, 0xcf, 0x8f, 0x2d, 0x29, 0xa1, 0x81, 0x88, 0x03, 0x81, 0x85, 0x00, + 0x04, 0x18, 0x94, 0x55, 0x0d, 0x07, 0x85, 0x93, 0x2e, 0x00, 0xea, 0xa2, + 0x3b, 0x69, 0x4f, 0x21, 0x3f, 0x8c, 0x31, 0x21, 0xf8, 0x6d, 0xc9, 0x7a, + 0x04, 0xe5, 0xa7, 0x16, 0x7d, 0xb4, 0xe5, 0xbc, 0xd3, 0x71, 0x12, 0x3d, + 0x46, 0xe4, 0x5d, 0xb6, 0xb5, 0xd5, 0x37, 0x0a, 0x7f, 0x20, 0xfb, 0x63, + 0x31, 0x55, 0xd3, 0x8f, 0xfa, 0x16, 0xd2, 0xbd, 0x76, 0x1d, 0xca, 0xc4, + 0x74, 0xb9, 0xa2, 0xf5, 0x02, 0x3a, 0x40, 0x49, 0x31, 0x01, 0xc9, 0x62, + 0xcd, 0x4d, 0x2f, 0xdd, 0xf7, 0x82, 0x28, 0x5e, 0x64, 0x58, 0x41, 0x39, + 0xc2, 0xf9, 0x1b, 0x47, 0xf8, 0x7f, 0xf8, 0x23, 0x54, 0xd6, 0x63, 0x0f, + 0x74, 0x6a, 0x28, 0xa0, 0xdb, 0x25, 0x74, 0x1b, 0x5b, 0x34, 
0xa8, 0x28, + 0x00, 0x8b, 0x22, 0xac, 0xc2, 0x3f, 0x92, 0x4f, 0xaa, 0xfb, 0xd4, 0xd3, + 0x3f, 0x81, 0xea, 0x66, 0x95, 0x6d, 0xfe, 0xaa, 0x2b, 0xfd, 0xfc, 0xf5 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const P521_EE: [u8; 367] = [ + 0x30, 0x82, 0x01, 0x6b, 0x30, 0x82, 0x01, 0x12, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x49, 0xdb, 0x7d, 0xec, 0x87, 0x2b, 0x95, 0xfc, 0xfb, + 0x57, 0xfb, 0xc8, 0xd5, 0x57, 0xb7, 0x3a, 0x10, 0xcc, 0xf1, 0x7a, 0x30, + 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, + 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, + 0x69, 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, + 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, + 0x70, 0x35, 0x32, 0x31, 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, + 0x23, 0x03, 0x81, 0x86, 0x00, 0x04, 0x01, 0x4c, 0xdc, 0x9c, 0xac, 0xc4, + 0x79, 0x41, 0x09, 0x6b, 0xc9, 0xcc, 0x66, 0x75, 0x2e, 0xc2, 0x7f, 0x59, + 0x77, 0x34, 0xfa, 0x66, 0xc6, 0x2b, 0x79, 0x2f, 0x88, 0xc5, 0x19, 0xd6, + 0xd3, 0x7f, 0x0d, 0x16, 0xea, 0x1c, 0x48, 0x3a, 0x18, 0x27, 0xa0, 0x10, + 0xb9, 0x12, 0x8e, 0x3a, 0x08, 0x07, 0x0c, 0xa3, 0x3e, 0xf5, 0xf5, 0x78, + 0x35, 0xb7, 0xc1, 0xba, 0x25, 0x1f, 0x6c, 0xc3, 0x52, 0x1d, 0xc4, 0x2b, + 0x01, 0x06, 0x53, 0x45, 0x19, 0x81, 0xb4, 0x45, 0xd3, 0x43, 0xee, 0xd3, + 0x78, 0x2a, 0x35, 0xd6, 0xcf, 0xf0, 0xff, 0x48, 0x4f, 0x5a, 0x88, 0x3d, + 0x20, 0x9f, 0x1b, 0x90, 0x42, 0xb7, 0x26, 0x70, 0x35, 0x68, 0xb2, 0xf3, + 0x26, 0xe1, 0x8b, 0x83, 0x3b, 0xdd, 0x8a, 0xa0, 0x73, 0x43, 0x92, 0xbc, + 0xd1, 0x95, 0x01, 0xe1, 0x0d, 0x69, 0x8a, 0x79, 0xf5, 0x3e, 0x11, 0xe0, + 0xa2, 0x2b, 0xdd, 0x2a, 0xad, 0x90, 0x30, 0x0a, 0x06, 0x08, 
0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, + 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, + 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, + 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, 0x20, 0x35, + 0x20, 0x7c, 0xff, 0x51, 0xf6, 0x68, 0xce, 0x1d, 0x00, 0xf9, 0xcc, 0x7f, + 0xa7, 0xbc, 0x79, 0x52, 0xea, 0x56, 0xdf, 0xc1, 0x46, 0x7c, 0x0c, 0xa1, + 0x2e, 0x32, 0xb1, 0x69, 0x4b, 0x20, 0xc4 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const P384_EE: [u8; 329] = [ + 0x30, 0x82, 0x01, 0x45, 0x30, 0x81, 0xec, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x79, 0xe3, 0x1c, 0x60, 0x97, 0xa4, 0x3c, 0x3b, 0x82, 0x11, + 0x42, 0x37, 0xaf, 0x57, 0x05, 0xa8, 0xde, 0xd3, 0x40, 0x58, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, + 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, + 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, + 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, + 0x33, 0x38, 0x34, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, + 0x62, 0x00, 0x04, 0xa1, 0x68, 0x72, 0x43, 0x36, 0x2b, 0x5c, 0x7b, 0x18, + 0x89, 0xf3, 0x79, 0x15, 0x46, 0x15, 0xa1, 0xc7, 0x3f, 0xb4, 0x8d, 0xee, + 0x86, 0x3e, 0x02, 0x29, 0x15, 0xdb, 0x60, 0x8e, 0x25, 0x2d, 0xe4, 0xb7, + 0x13, 0x2d, 0xa8, 0xce, 0x98, 0xe8, 0x31, 0x53, 0x4e, 0x6a, 0x9c, 0x0c, + 0x0b, 0x09, 0xc8, 0xd6, 0x39, 0xad, 0xe8, 0x32, 0x06, 0xe5, 0xba, 0x81, + 0x34, 0x73, 0xa1, 0x1f, 0xa3, 0x30, 0xe0, 0x5d, 0xa8, 0xc9, 0x6e, 0x43, + 0x83, 0xfe, 0x27, 0x87, 0x3d, 0xa9, 0x71, 0x03, 0xbe, 0x28, 0x88, 0xcf, + 0xf0, 0x02, 
0xf0, 0x5a, 0xf7, 0x1a, 0x1f, 0xdd, 0xcc, 0x83, 0x74, 0xaa, + 0x6e, 0xa9, 0xce, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, + 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, + 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, + 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, + 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xf3, 0x04, 0x26, + 0xf2, 0xfd, 0xbc, 0x89, 0x3f, 0x29, 0x3b, 0x70, 0xbc, 0x72, 0xa6, 0xc2, + 0x23, 0xcc, 0x43, 0x4d, 0x84, 0x71, 0xaf, 0x53, 0xe4, 0x4b, 0x3e, 0xc0, + 0xbf, 0xe5, 0x68, 0x86, 0x49 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const P256_INT: [u8; 332] = [ + 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x43, 0x63, 0x59, 0xad, 0x04, 0x34, 0x56, 0x80, + 0x43, 0xec, 0x90, 0x6a, 0xd4, 0x10, 0x64, 0x7c, 0x7f, 0x38, 0x32, + 0xe2, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, + 0x03, 0x02, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, + 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, + 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x18, + 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, 0x6e, 0x74, 0x2d, + 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, + 0xbb, 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, + 0x87, 0x04, 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, + 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, + 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, + 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, + 0xa3, 0x04, 0xea, 
0xa0, 0x4a, 0xa6, 0xc0, 0xa3, 0x1d, 0x30, 0x1b, + 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, + 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, + 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, + 0x02, 0x20, 0x63, 0x59, 0x02, 0x01, 0x89, 0xd7, 0x3e, 0x5b, 0xff, + 0xd1, 0x16, 0x4e, 0xe3, 0xe2, 0x0a, 0xe0, 0x4a, 0xd8, 0x75, 0xaf, + 0x77, 0x5c, 0x93, 0x60, 0xba, 0x10, 0x1f, 0x97, 0xdd, 0x27, 0x2d, + 0x24, 0x02, 0x20, 0x3d, 0x87, 0x0f, 0xac, 0x22, 0x4d, 0x16, 0xd9, + 0xa1, 0x95, 0xbb, 0x56, 0xe0, 0x21, 0x05, 0x93, 0xd1, 0x07, 0xb5, + 0x25, 0x3b, 0xf4, 0x57, 0x20, 0x87, 0x13, 0xa2, 0xf7, 0x78, 0x15, + 0x30, 0xa7 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const P256_ROOT: [u8; 334] = [ + 0x30, 0x82, 0x01, 0x4a, 0x30, 0x81, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x14, 0x5f, 0x3f, 0xae, 0x90, 0x49, 0x30, 0x2f, 0x33, 0x6e, 0x95, + 0x23, 0xa7, 0xcb, 0x23, 0xd7, 0x65, 0x4f, 0xea, 0x3c, 0xf7, 0x30, 0x0a, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x14, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, + 0x6f, 0x6f, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x14, 0x31, 0x12, + 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x6f, 0x6f, + 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, + 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, + 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, + 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 
0x36, + 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, + 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, + 0xc0, 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, + 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, + 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, + 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, + 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, + 0x21, 0x00, 0xc2, 0xe4, 0xc1, 0xa8, 0xe2, 0x89, 0xdc, 0xa1, 0xbb, 0xe7, + 0xd5, 0x4f, 0x5c, 0x88, 0xad, 0xeb, 0xa4, 0x78, 0xa1, 0x19, 0xbe, 0x22, + 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const PKCS8_RSA_EE: [u8; 1218] = [ + 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, + 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, + 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, + 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, + 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, + 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, + 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, + 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, + 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, + 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, + 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, + 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 
+ 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, + 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, + 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, + 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, + 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, + 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, + 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, + 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, + 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, + 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, + 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, + 0x82, 0x01, 0x01, 0x00, 0x9e, 0xcb, 0xce, 0x38, 0x61, 0xa4, 0x54, 0xec, + 0xb1, 0xe0, 0xfe, 0x8f, 0x85, 0xdd, 0x43, 0xc9, 0x2f, 0x58, 0x25, 0xce, + 0x2e, 0x99, 0x78, 0x84, 0xd0, 0xe1, 0xa9, 0x49, 0xda, 0xa2, 0xc5, 0xac, + 0x55, 0x9b, 0x24, 0x04, 0x50, 0xe5, 0xac, 0x9f, 0xe0, 0xc3, 0xe3, 0x1c, + 0x0e, 0xef, 0xa6, 0x52, 0x5a, 0x65, 0xf0, 0xc2, 0x21, 0x94, 0x00, 0x4e, + 0xe1, 0xab, 0x46, 0x3d, 0xde, 0x9e, 0xe8, 0x22, 0x87, 0xcc, 0x93, 0xe7, + 0x46, 0xa9, 0x19, 0x29, 0xc5, 0xe6, 0xac, 0x3d, 0x88, 0x75, 0x3f, 0x6c, + 0x25, 0xba, 0x59, 0x79, 0xe7, 0x3e, 0x5d, 0x8f, 0xb2, 0x39, 0x11, 0x1a, + 0x3c, 0xda, 0xb8, 0xa4, 0xb0, 0xcd, 0xf5, 0xf9, 0xca, 0xb0, 0x5f, 0x12, + 0x33, 0xa3, 0x83, 0x35, 0xc6, 0x4b, 0x55, 0x60, 0x52, 0x5e, 0x7e, 0x3b, + 0x92, 0xad, 0x7c, 0x75, 0x04, 0xcf, 0x1d, 0xc7, 0xcb, 0x00, 0x57, 0x88, + 0xaf, 0xcb, 0xe1, 0xe8, 0xf9, 0x5d, 0xf7, 0x40, 0x2a, 0x15, 0x15, 0x30, + 0xd5, 0x80, 0x83, 0x46, 0x86, 0x4e, 0xb3, 0x70, 0xaa, 0x79, 0x95, 0x6a, + 0x58, 0x78, 0x62, 0xcb, 0x53, 0x37, 0x91, 0x30, 0x7f, 0x70, 0xd9, 0x1c, + 0x96, 0xd2, 0x2d, 0x00, 0x1a, 0x69, 0x00, 0x9b, 0x92, 0x3c, 0x68, 0x33, + 0x88, 0xc9, 0xf3, 0x6c, 0xb9, 0xb5, 0xeb, 0xe6, 0x43, 0x02, 0x04, 0x1c, + 
0x78, 0xd9, 0x08, 0x20, 0x6b, 0x87, 0x00, 0x9c, 0xb8, 0xca, 0xba, 0xca, + 0xd3, 0xdb, 0xdb, 0x27, 0x92, 0xfb, 0x91, 0x1b, 0x2c, 0xf4, 0xdb, 0x66, + 0x03, 0x58, 0x5b, 0xe9, 0xae, 0x0c, 0xa3, 0xb8, 0xe6, 0x41, 0x7a, 0xa0, + 0x4b, 0x06, 0xe4, 0x70, 0xea, 0x1a, 0x3b, 0x58, 0x1c, 0xa0, 0x3a, 0x67, + 0x81, 0xc9, 0x31, 0x5b, 0x62, 0xb3, 0x0e, 0x60, 0x11, 0xf2, 0x24, 0x72, + 0x59, 0x46, 0xee, 0xc5, 0x7c, 0x6d, 0x94, 0x41, 0x02, 0x81, 0x81, 0x00, + 0xdd, 0x6e, 0x1d, 0x4f, 0xff, 0xeb, 0xf6, 0x8d, 0x88, 0x9c, 0x4d, 0x11, + 0x4c, 0xda, 0xaa, 0x9c, 0xaa, 0x63, 0xa5, 0x93, 0x74, 0x28, 0x6c, 0x8a, + 0x5c, 0x29, 0xa7, 0x17, 0xbb, 0xa6, 0x03, 0x75, 0x64, 0x4d, 0x5c, 0xaa, + 0x67, 0x4c, 0x4b, 0x8b, 0xc7, 0x32, 0x63, 0x58, 0x64, 0x62, 0x20, 0xe4, + 0x55, 0x0d, 0x76, 0x08, 0xac, 0x27, 0xd5, 0x5b, 0x6d, 0xb7, 0x4f, 0x8d, + 0x81, 0x27, 0xef, 0x8f, 0xa0, 0x90, 0x98, 0xb6, 0x91, 0x47, 0xde, 0x06, + 0x55, 0x73, 0x44, 0x7e, 0x18, 0x3d, 0x22, 0xfe, 0x7d, 0x88, 0x5a, 0xce, + 0xb5, 0x13, 0xd9, 0x58, 0x1d, 0xd5, 0xe0, 0x7c, 0x1a, 0x90, 0xf5, 0xce, + 0x08, 0x79, 0xde, 0x13, 0x13, 0x71, 0xec, 0xef, 0xc9, 0xce, 0x72, 0xe9, + 0xc4, 0x3d, 0xc1, 0x27, 0xd2, 0x38, 0x19, 0x0d, 0xe8, 0x11, 0x77, 0x3c, + 0xa5, 0xd1, 0x93, 0x01, 0xf4, 0x8c, 0x74, 0x2b, 0x02, 0x81, 0x81, 0x00, + 0xd7, 0xa7, 0x73, 0xd9, 0xeb, 0xc3, 0x80, 0xa7, 0x67, 0xd2, 0xfe, 0xc0, + 0x93, 0x4a, 0xd4, 0xe8, 0xb5, 0x66, 0x72, 0x40, 0x77, 0x1a, 0xcd, 0xeb, + 0xb5, 0xad, 0x79, 0x6f, 0x47, 0x8f, 0xec, 0x4d, 0x45, 0x98, 0x5e, 0xfb, + 0xc9, 0x53, 0x29, 0x68, 0x28, 0x9c, 0x8d, 0x89, 0x10, 0x2f, 0xad, 0xf2, + 0x1f, 0x34, 0xe2, 0xdd, 0x49, 0x40, 0xeb, 0xa8, 0xc0, 0x9d, 0x6d, 0x1f, + 0x16, 0xdc, 0xc2, 0x97, 0x29, 0x77, 0x4c, 0x43, 0x27, 0x5e, 0x92, 0x51, + 0xdd, 0xbe, 0x49, 0x09, 0xe1, 0xfd, 0x3b, 0xf1, 0xe4, 0xbe, 0xdf, 0x46, + 0xa3, 0x9b, 0x8b, 0x38, 0x33, 0x28, 0xef, 0x4a, 0xe3, 0xb9, 0x5b, 0x92, + 0xf2, 0x07, 0x0a, 0xf2, 0x6c, 0x9e, 0x7c, 0x5c, 0x9b, 0x58, 0x7f, 0xed, + 0xde, 0x05, 0xe8, 0xe7, 0xd8, 0x6c, 0xa5, 0x78, 0x86, 0xfb, 0x16, 0x58, + 
0x10, 0xa7, 0x7b, 0x98, 0x45, 0xbc, 0x31, 0x27, 0x02, 0x81, 0x81, 0x00, + 0x96, 0x47, 0x2b, 0x41, 0xa6, 0x10, 0xc0, 0xad, 0xe1, 0xaf, 0x22, 0x66, + 0xc1, 0x60, 0x0e, 0x36, 0x71, 0x35, 0x5b, 0xa4, 0x2d, 0x4b, 0x5a, 0x0e, + 0xb4, 0xe9, 0xd7, 0xeb, 0x35, 0x81, 0x40, 0x0b, 0xa5, 0xdd, 0x13, 0x2c, + 0xdb, 0x1a, 0x5e, 0x93, 0x28, 0xc7, 0xbb, 0xc0, 0xbb, 0xb0, 0x15, 0x5e, + 0xa1, 0x92, 0x97, 0x2e, 0xdf, 0x97, 0xd1, 0x27, 0x51, 0xd8, 0xfc, 0xf6, + 0xae, 0x57, 0x2a, 0x30, 0xb1, 0xea, 0x30, 0x9a, 0x87, 0x12, 0xdd, 0x4e, + 0x33, 0x24, 0x1d, 0xb1, 0xee, 0x45, 0x5f, 0xc0, 0x93, 0xf5, 0xbc, 0x9b, + 0x59, 0x2d, 0x75, 0x6e, 0x66, 0x21, 0x47, 0x4f, 0x32, 0xc0, 0x7a, 0xf2, + 0x2f, 0xb2, 0x75, 0xd3, 0x40, 0x79, 0x2b, 0x32, 0xba, 0x25, 0x90, 0xbb, + 0xb2, 0x61, 0xae, 0xfb, 0x95, 0xa2, 0x58, 0xee, 0xa5, 0x37, 0x65, 0x53, + 0x15, 0xbe, 0x9c, 0x24, 0xd1, 0x91, 0x99, 0x2d, 0x02, 0x81, 0x80, 0x28, + 0xb4, 0x50, 0xa7, 0xa7, 0x5a, 0x85, 0x64, 0x13, 0xb2, 0xbd, 0xa6, 0xf7, + 0xa6, 0x3e, 0x3d, 0x96, 0x4f, 0xb9, 0xec, 0xf5, 0x0e, 0x38, 0x23, 0xef, + 0x6c, 0xc8, 0xe8, 0xfa, 0x26, 0xee, 0x41, 0x3f, 0x8b, 0x9d, 0x12, 0x05, + 0x54, 0x0f, 0x12, 0xbb, 0xe7, 0xa0, 0xc7, 0x68, 0x28, 0xb7, 0xba, 0x65, + 0xad, 0x83, 0xcc, 0xa4, 0xd0, 0xfe, 0x2a, 0x22, 0x01, 0x14, 0xe1, 0xb3, + 0x5d, 0x03, 0xd5, 0xa8, 0x5b, 0xfe, 0x27, 0x06, 0xbd, 0x50, 0xfc, 0xe6, + 0xcf, 0xcd, 0xd5, 0x71, 0xb4, 0x6c, 0xa6, 0x21, 0xb8, 0xed, 0x47, 0xd6, + 0x05, 0xbb, 0xe7, 0x65, 0xb0, 0xaa, 0x4a, 0x06, 0x65, 0xac, 0x25, 0x36, + 0x4d, 0xa2, 0x01, 0x54, 0x03, 0x2e, 0x12, 0x04, 0xb8, 0x55, 0x9d, 0x3e, + 0x34, 0xfb, 0x5b, 0x17, 0x7c, 0x9a, 0x56, 0xff, 0x93, 0x51, 0x0a, 0x5a, + 0x4a, 0x62, 0x87, 0xc1, 0x51, 0xde, 0x2d, 0x02, 0x81, 0x80, 0x28, 0x06, + 0x7b, 0x93, 0x55, 0x80, 0x1d, 0x2e, 0xf5, 0x2d, 0xfa, 0x96, 0xd8, 0xad, + 0xb5, 0x89, 0x67, 0x3c, 0xf8, 0xee, 0x8a, 0x9c, 0x6f, 0xf7, 0x2a, 0xee, + 0xab, 0xe9, 0xef, 0x6b, 0xe5, 0x8a, 0x4f, 0x4a, 0xbf, 0x05, 0xf7, 0x88, + 0x94, 0x7d, 0xc8, 0x51, 0xfd, 0xaa, 0x34, 0x54, 0x21, 0x47, 0xa7, 0x1a, + 
0x24, 0x6b, 0xfb, 0x05, 0x4e, 0xe7, 0x6a, 0xa3, 0x46, 0xab, 0xcd, 0x26, + 0x92, 0xcf, 0xc9, 0xe4, 0x4c, 0x51, 0xe6, 0xf0, 0x69, 0xc7, 0x35, 0xe0, + 0x73, 0xba, 0x01, 0x9f, 0x6a, 0x72, 0x14, 0x96, 0x1c, 0x91, 0xb2, 0x68, + 0x71, 0xca, 0xea, 0xbf, 0x8f, 0x06, 0x44, 0x18, 0xa0, 0x26, 0x90, 0xe3, + 0x9a, 0x8d, 0x5f, 0xf3, 0x06, 0x7b, 0x7c, 0xdb, 0x7f, 0x50, 0xb1, 0xf5, + 0x34, 0x18, 0xa7, 0x03, 0x96, 0x6c, 0x4f, 0xc7, 0x74, 0xbf, 0x74, 0x02, + 0xaf, 0x6c, 0x43, 0x24, 0x7f, 0x43 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const RSA_EE: [u8; 691] = [ + 0x30, 0x82, 0x02, 0xaf, 0x30, 0x82, 0x01, 0x99, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x07, 0x1c, 0x3b, 0x71, 0x08, 0xbe, 0xd7, 0x9f, 0xfd, + 0xaf, 0x26, 0xb6, 0x08, 0xa3, 0x99, 0x06, 0x77, 0x69, 0x32, 0x7e, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x07, 0x69, 0x6e, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, + 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x11, 0x31, 0x0f, + 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x06, 0x65, 0x65, 0x2d, + 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, + 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, + 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, + 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, + 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, + 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, + 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, + 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 
0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, + 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, + 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, + 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, + 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, + 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, + 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, + 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, + 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, + 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, + 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 0x2f, 0x22, + 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, + 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, + 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, + 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, + 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, + 0x01, 0x01, 0x00, 0x44, 0x92, 0xbb, 0x8e, 0x83, 0x58, 0x56, 0x2e, 0x7a, + 0x86, 0xfa, 0x1d, 0x77, 0x50, 0x3f, 0x45, 0x8d, 0x90, 0xc4, 0x62, 0x27, + 0x21, 0x96, 0x5a, 0xef, 0x51, 0x78, 0xd7, 0x7d, 0x0d, 0x02, 0x2d, 0x5a, + 0x0e, 0x3c, 0x82, 0x6f, 0x1d, 0x92, 0x87, 0xd5, 0x1a, 0x44, 0xae, 0xa7, + 0x92, 0xd1, 0x8b, 0xfa, 0x16, 0x53, 0x7f, 0xa3, 0x22, 0x96, 0x1a, 0x51, + 0x8c, 0xeb, 0xa1, 0xe6, 0xf6, 0x37, 0x11, 0xfe, 0x7d, 0x53, 0x3f, 0xae, + 0xf0, 0x6b, 0xb9, 0xb1, 0x7a, 0x73, 0x07, 0x14, 0xcf, 0x04, 0x05, 0x93, + 0x9e, 0xe3, 0xd2, 0x4d, 0x9d, 0x6d, 0x35, 0x68, 0xf9, 0x36, 0xe5, 0x10, + 0x0a, 0x36, 0xd9, 0x48, 0xb0, 0x83, 0xd0, 0xb9, 0x58, 0x74, 0x53, 0xb3, + 0xbc, 0x99, 0xab, 0xe1, 0x3e, 0xd5, 0x01, 0x8e, 0xcf, 0x3a, 0x69, 0x93, + 0x9e, 0xa7, 0x88, 0xd4, 0xad, 0x95, 
0xf9, 0x2a, 0xb4, 0x7f, 0x95, 0x97, + 0x86, 0x50, 0x38, 0xb1, 0x04, 0x0a, 0xe4, 0x7a, 0xd5, 0x2d, 0x6c, 0xde, + 0x3e, 0x1a, 0x47, 0x17, 0x88, 0x63, 0x20, 0x9d, 0x21, 0x3e, 0x0c, 0x6f, + 0xfd, 0x20, 0x54, 0xd0, 0x67, 0xd2, 0x6b, 0x06, 0xfe, 0x60, 0x13, 0x42, + 0x3d, 0xb7, 0xca, 0xcb, 0xab, 0x7b, 0x5f, 0x5d, 0x01, 0x56, 0xd3, 0x99, + 0x80, 0x0f, 0xde, 0x7f, 0x3a, 0x61, 0x9c, 0xd3, 0x6b, 0x5e, 0xfe, 0xb5, + 0xfc, 0x39, 0x8b, 0x8e, 0xf0, 0x8c, 0x8b, 0x65, 0x46, 0x45, 0xff, 0x47, + 0x8f, 0xd4, 0xdd, 0xae, 0xc9, 0x72, 0xc7, 0x7f, 0x28, 0x86, 0xf1, 0xf7, + 0x6e, 0xcb, 0x86, 0x03, 0xeb, 0x0c, 0x46, 0xe5, 0xa0, 0x6b, 0xef, 0xd4, + 0x5e, 0xa4, 0x0f, 0x53, 0xe1, 0xbc, 0xb4, 0xc9, 0x37, 0x0e, 0x75, 0xdd, + 0x93, 0xe8, 0x0f, 0x18, 0x0a, 0x02, 0x83, 0x17, 0x74, 0xbb, 0x1a, 0x42, + 0x5b, 0x63, 0x2c, 0x80, 0x80, 0xa6, 0x84 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const RSA_INT: [u8; 724] = [ + 0x30, 0x82, 0x02, 0xd0, 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x07, 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8, + 0xc2, 0xcc, 0x46, 0xd7, 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, + 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, + 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 
0xe4, + 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, + 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, + 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, + 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, + 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, + 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, + 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, + 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, + 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, + 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, + 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, + 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, + 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, + 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, + 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, + 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, + 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, + 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, + 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, + 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, + 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x5e, 0xba, 0x69, 0x55, 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7, + 0x31, 0x3e, 0x66, 0xe1, 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9, + 0xce, 0x5e, 0x4c, 0xbe, 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 
0x38, + 0xaa, 0x5b, 0x28, 0xb5, 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82, + 0x86, 0x9e, 0x74, 0xd5, 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1, + 0x24, 0x76, 0xbb, 0x95, 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44, + 0x34, 0x10, 0x8f, 0xb1, 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f, + 0xb3, 0x48, 0xe1, 0xcd, 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60, + 0xc5, 0xe0, 0x45, 0x79, 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3, + 0x19, 0xba, 0x14, 0xa1, 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54, + 0x5b, 0x04, 0xdc, 0x1b, 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24, + 0x52, 0x6a, 0xad, 0xe2, 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2, + 0xbf, 0xe2, 0x20, 0x1b, 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda, + 0x7a, 0x1a, 0x5d, 0xd3, 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51, + 0xda, 0xd3, 0x91, 0x25, 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb, + 0x89, 0x8a, 0xec, 0x8a, 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d, + 0xfc, 0x6a, 0x05, 0x21, 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05, + 0x5c, 0x22, 0x0a, 0xf6, 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d, + 0xca, 0xf3, 0x49, 0x9c, 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc, + 0x95, 0x22, 0x2e, 0xb1, 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03, + 0x2a, 0x68, 0xe7, 0x2d, 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c, + 0x87, 0xc6, 0x5c, 0x51 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const RSA_ROOT: [u8; 725] = [ + 0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b, + 0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30, + 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, + 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 
0x32, 0x30, 0x32, 0x31, 0x31, 0x32, + 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, + 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, + 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, + 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, + 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, + 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, + 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, + 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, + 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, + 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, + 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, + 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, + 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, + 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, + 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, + 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, + 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, + 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, + 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, + 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, + 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, + 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, + 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, + 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 
0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, + 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7, + 0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f, + 0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6, + 0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9, + 0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5, + 0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 0x7b, 0xbf, + 0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce, + 0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2, + 0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b, + 0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c, + 0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4, + 0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46, + 0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b, + 0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b, + 0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23, + 0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d, + 0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56, + 0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a, + 0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3, + 0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c, + 0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda, + 0xf0, 0xef, 0x7d, 0x94, 0xb5 +]; + +#[cfg_attr(rustfmt, rustfmt_skip)] +pub const XPI_SIGNATURE: [u8; 646] = [ 
+ 0xd8, 0x62, 0x84, 0x43, 0xa1, 0x04, 0x80, 0xa0, 0xf6, 0x81, 0x83, 0x59, + 0x02, 0x35, 0xa2, 0x01, 0x26, 0x04, 0x59, 0x02, 0x2e, 0x30, 0x82, 0x02, + 0x2a, 0x30, 0x82, 0x01, 0x12, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, + 0x17, 0x03, 0x6b, 0xc1, 0xfe, 0xb4, 0x38, 0xe1, 0x83, 0x8f, 0xe5, 0xa7, + 0xca, 0xf1, 0x54, 0x32, 0x4c, 0x8b, 0xf3, 0x05, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, + 0x29, 0x31, 0x27, 0x30, 0x25, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1e, + 0x78, 0x70, 0x63, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x20, 0x73, 0x69, 0x67, + 0x6e, 0x65, 0x64, 0x20, 0x61, 0x70, 0x70, 0x73, 0x20, 0x74, 0x65, 0x73, + 0x74, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x30, 0x22, 0x18, 0x0f, 0x32, 0x30, + 0x31, 0x35, 0x31, 0x31, 0x32, 0x38, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, + 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x38, 0x30, 0x32, 0x30, 0x35, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2b, 0x31, 0x29, 0x30, 0x27, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x20, 0x20, 0x78, 0x70, 0x63, 0x73, + 0x68, 0x65, 0x6c, 0x6c, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x20, + 0x61, 0x70, 0x70, 0x20, 0x74, 0x65, 0x73, 0x74, 0x20, 0x73, 0x69, 0x67, + 0x6e, 0x65, 0x72, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, + 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, + 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, + 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, + 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, + 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, + 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0xa3, 0x0f, + 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, + 0x02, 0x07, 0x80, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4f, + 
0x5c, 0xcb, 0x1d, 0xea, 0x71, 0x58, 0xfe, 0xe2, 0x49, 0x11, 0x16, 0x65, + 0xbc, 0x23, 0x6d, 0xda, 0x46, 0x7e, 0x98, 0x93, 0x5d, 0x48, 0x2a, 0xa0, + 0xbb, 0x7f, 0x4e, 0xbd, 0x01, 0x0a, 0x1a, 0x30, 0xff, 0xce, 0x03, 0xf5, + 0x9c, 0xd9, 0x84, 0x69, 0x7a, 0x5a, 0xe3, 0x43, 0xd2, 0xd4, 0xbc, 0xab, + 0x4d, 0x17, 0x8f, 0x10, 0x6a, 0xcf, 0xde, 0x17, 0x1d, 0x7d, 0x16, 0x03, + 0x7e, 0x21, 0xf0, 0x32, 0x02, 0x89, 0x67, 0x32, 0x5a, 0xfe, 0xd5, 0xd9, + 0x31, 0x53, 0xdc, 0xd7, 0xba, 0x2a, 0x9f, 0xd3, 0x59, 0x8d, 0x61, 0xb9, + 0x6e, 0xf7, 0x6e, 0x86, 0x61, 0xdd, 0xfd, 0xe1, 0x73, 0xfe, 0xef, 0x9d, + 0xe9, 0x99, 0x9e, 0x51, 0xe8, 0x5d, 0xf7, 0x48, 0x77, 0x8e, 0xc6, 0xe8, + 0x53, 0x05, 0x7b, 0x5c, 0x2c, 0x28, 0xe7, 0x0a, 0x07, 0xbf, 0xea, 0xc1, + 0x06, 0x11, 0x0d, 0xe7, 0x60, 0xd0, 0x79, 0x94, 0xe9, 0x26, 0xf1, 0x93, + 0x71, 0x7b, 0x5b, 0x02, 0x3b, 0x5d, 0x51, 0xb8, 0x19, 0x38, 0x16, 0xab, + 0x48, 0x30, 0xf3, 0xec, 0xd9, 0xd5, 0x8f, 0xc7, 0x9a, 0x02, 0xfd, 0x12, + 0x57, 0x82, 0x0e, 0xde, 0xce, 0xfc, 0x50, 0x42, 0x2a, 0x41, 0xc7, 0xc6, + 0xa8, 0x80, 0x37, 0x7c, 0xc4, 0x47, 0xad, 0xf5, 0xd8, 0xcb, 0xe8, 0xae, + 0x0c, 0x01, 0x80, 0x60, 0x35, 0x93, 0x0a, 0x21, 0x81, 0x33, 0xd1, 0xd6, + 0x6a, 0x1b, 0xe7, 0xb6, 0xd9, 0x91, 0x50, 0xc2, 0xbd, 0x16, 0xda, 0xb7, + 0x68, 0x60, 0xf2, 0x20, 0xaa, 0x72, 0x8c, 0x76, 0x0a, 0x54, 0x7a, 0x05, + 0xd8, 0xa1, 0xcd, 0xe9, 0x07, 0x8a, 0x02, 0x07, 0x4b, 0x87, 0x7d, 0xb5, + 0x27, 0xca, 0x38, 0xb3, 0x30, 0xaf, 0x97, 0xe0, 0xb7, 0x35, 0x14, 0x08, + 0xab, 0x01, 0xb0, 0x14, 0x08, 0x5c, 0x4b, 0xfb, 0x76, 0x0a, 0x95, 0xfc, + 0xb4, 0xb8, 0x34, 0xa0, 0x58, 0x40, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, + 0x50, 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, + 0xb2, 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, + 0x70, 0xe6, 0x82, 0x02, 0x0a, 0xe8, 0x69, 0x13, 0xd5, 0xf4, 0x1b, 0xab, + 0xb6, 0xbb, 0x59, 0x93, 0x08, 0x48, 0x68, 0x9c, 0xbd, 0x72, 0xc7, 0xcb, + 0x37, 0xde, 0x26, 0xbc, 0xe9, 0x83, 0x0e, 0xd8, 0x90, 0xa3 +]; + 
+#[cfg_attr(rustfmt, rustfmt_skip)] +pub const XPI_PAYLOAD: [u8; 236] = [ + 0x4E, 0x61, 0x6D, 0x65, 0x3A, 0x20, 0x6D, 0x61, 0x6E, 0x69, 0x66, 0x65, + 0x73, 0x74, 0x2E, 0x6A, 0x73, 0x6F, 0x6E, 0x0A, 0x53, 0x48, 0x41, 0x32, + 0x35, 0x36, 0x2D, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x3A, 0x20, 0x42, + 0x54, 0x6E, 0x43, 0x70, 0x54, 0x31, 0x35, 0x34, 0x4E, 0x32, 0x36, 0x52, + 0x5A, 0x6D, 0x38, 0x62, 0x68, 0x64, 0x44, 0x34, 0x33, 0x57, 0x58, 0x64, + 0x30, 0x74, 0x6A, 0x35, 0x62, 0x67, 0x36, 0x6F, 0x66, 0x4D, 0x31, 0x39, + 0x4E, 0x4C, 0x49, 0x30, 0x4F, 0x45, 0x3D, 0x0A, 0x0A, 0x4E, 0x61, 0x6D, + 0x65, 0x3A, 0x20, 0x52, 0x45, 0x41, 0x44, 0x4D, 0x45, 0x0A, 0x53, 0x48, + 0x41, 0x32, 0x35, 0x36, 0x2D, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x3A, + 0x20, 0x62, 0x59, 0x30, 0x6C, 0x39, 0x78, 0x71, 0x47, 0x4A, 0x59, 0x43, + 0x70, 0x71, 0x59, 0x65, 0x4A, 0x30, 0x4B, 0x36, 0x71, 0x34, 0x44, 0x57, + 0x55, 0x51, 0x71, 0x75, 0x30, 0x6D, 0x4E, 0x42, 0x46, 0x4D, 0x34, 0x48, + 0x34, 0x65, 0x6D, 0x68, 0x6A, 0x69, 0x4A, 0x67, 0x3D, 0x0A, 0x0A, 0x4E, + 0x61, 0x6D, 0x65, 0x3A, 0x20, 0x64, 0x61, 0x74, 0x61, 0x2F, 0x69, 0x6D, + 0x61, 0x67, 0x65, 0x2E, 0x70, 0x6E, 0x67, 0x0A, 0x53, 0x48, 0x41, 0x32, + 0x35, 0x36, 0x2D, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x3A, 0x20, 0x45, + 0x50, 0x6A, 0x6B, 0x4E, 0x5A, 0x77, 0x79, 0x61, 0x39, 0x58, 0x2B, 0x70, + 0x72, 0x75, 0x4C, 0x6C, 0x78, 0x47, 0x2B, 0x46, 0x41, 0x43, 0x4C, 0x77, + 0x47, 0x43, 0x34, 0x38, 0x58, 0x55, 0x34, 0x53, 0x39, 0x6F, 0x5A, 0x4F, + 0x41, 0x30, 0x6C, 0x56, 0x56, 0x51, 0x3D, 0x0A +]; diff --git a/third_party/rust/cose/src/util_test.rs b/third_party/rust/cose/examples/sign_verify/util_test.rs similarity index 97% rename from third_party/rust/cose/src/util_test.rs rename to third_party/rust/cose/examples/sign_verify/util_test.rs index 19a7a98d1850..c4dd26091acc 100644 --- a/third_party/rust/cose/src/util_test.rs +++ b/third_party/rust/cose/examples/sign_verify/util_test.rs 
@@ -4,9 +4,9 @@ use nss; use {CoseError, Signature, SignatureAlgorithm, SignatureParameters}; use std::collections::BTreeMap; use cbor::CborType; -use util::get_sig_struct_bytes; -use decoder::decode_signature; -use decoder::{COSE_TYPE_ES256, COSE_TYPE_ES384, COSE_TYPE_ES512, COSE_TYPE_PS256}; +use cose::util::get_sig_struct_bytes; +use cose::decoder::decode_signature; +use cose::decoder::{COSE_TYPE_ES256, COSE_TYPE_ES384, COSE_TYPE_ES512, COSE_TYPE_PS256}; /// Converts a `SignatureAlgorithm` to its corresponding `CborType`. /// See RFC 8152 section 8.1 and RFC 8230 section 5.1. diff --git a/third_party/rust/cose/src/cose.rs b/third_party/rust/cose/src/cose.rs index 3d03c7bb63d7..d55dda8d1621 100644 --- a/third_party/rust/cose/src/cose.rs +++ b/third_party/rust/cose/src/cose.rs @@ -30,11 +30,10 @@ //! } //! } //!``` +extern crate moz_cbor as cbor; -#[macro_use] pub mod decoder; -mod cbor; -mod util; +pub mod util; /// Errors that can be returned from COSE functions. #[derive(Debug, PartialEq)] @@ -67,32 +66,7 @@ pub enum SignatureAlgorithm { PS256, } -#[cfg(test)] -#[macro_use(defer)] -extern crate scopeguard; - -#[cfg(test)] -mod nss; #[cfg(test)] mod test_setup; #[cfg(test)] -mod test_nss; -#[cfg(test)] -mod util_test; -#[cfg(test)] mod test_cose; - -#[derive(Debug)] -#[cfg(test)] -pub struct SignatureParameters<'a> { - certificate: &'a [u8], - algorithm: SignatureAlgorithm, - pkcs8: &'a [u8], -} - -#[derive(Debug)] -#[cfg(test)] -pub struct Signature<'a> { - parameter: &'a SignatureParameters<'a>, - signature_bytes: Vec, -} diff --git a/third_party/rust/cose/src/decoder.rs b/third_party/rust/cose/src/decoder.rs index b66e98031dab..90463d5dd20f 100644 --- a/third_party/rust/cose/src/decoder.rs +++ b/third_party/rust/cose/src/decoder.rs 
@@ -4,8 +4,9 @@ use cbor::CborType; use cbor::decoder::decode; use {CoseError, SignatureAlgorithm}; use util::get_sig_struct_bytes; +use std::collections::BTreeMap; -const COSE_SIGN_TAG: u64 = 98; +pub const COSE_SIGN_TAG: u64 = 98; /// The result of `decode_signature` holding a decoded COSE signature. #[derive(Debug)] @@ -22,6 +23,9 @@ pub const COSE_TYPE_ES384: i64 = -35; pub const COSE_TYPE_ES512: i64 = -36; pub const COSE_TYPE_PS256: i64 = -37; +pub const COSE_HEADER_ALG: u64 = 1; +pub const COSE_HEADER_KID: u64 = 4; + macro_rules! unpack { ($to:tt, $var:ident) => ( match *$var { @@ -33,18 +37,25 @@ macro_rules! unpack { ) } -fn get_map_value(map: &CborType, key: &CborType) -> Result { - match *map { - CborType::Map(ref values) => { - match values.get(key) { - Some(x) => Ok(x.clone()), - _ => Err(CoseError::MissingHeader), - } - } - _ => Err(CoseError::UnexpectedType), +fn get_map_value( + map: &BTreeMap, + key: &CborType, +) -> Result { + match map.get(key) { + Some(x) => Ok(x.clone()), + _ => Err(CoseError::MissingHeader), } } +/// Ensure that the referenced `CborType` is an empty map. +fn ensure_empty_map(map: &CborType) -> Result<(), CoseError> { + let unpacked = unpack!(Map, map); + if !unpacked.is_empty() { + return Err(CoseError::MalformedInput); + } + Ok(()) +} + // This syntax is a little unintuitive. Taken together, the two previous definitions essentially // mean: // 
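Review bot: `get_map_value` still returns an owned copy (`Some(x) => Ok(x.clone())`), and for the kid header that copy is the certificate data, which `decode_signature_struct` then copies again with `unpack!(Bytes, ee_cert).clone()`. Now that the function receives the map directly, it could return a borrow instead, `Some(x) => Ok(x)`, with the return type changed to a reference; the generic parameters are not legible in this rendering of the hunk, so the exact signature is assumed. `get_map_value` also has no doc comment, unlike the new `ensure_empty_map`; a line such as `/// Look up a header by key; fails with CoseError::MissingHeader if it is absent.` would cover it. The file sits under third_party/rust/cose, so the change would have to be made upstream.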
@@ -85,11 +96,18 @@ fn decode_signature_struct( let protected_signature_header_bytes = unpack!(Bytes, protected_signature_header_serialized); // Parse the protected signature header. - let protected_signature_header = match decode(&protected_signature_header_bytes) { + let protected_signature_header = &match decode(protected_signature_header_bytes) { Err(_) => return Err(CoseError::DecodingFailure), Ok(value) => value, }; - let signature_algorithm = get_map_value(&protected_signature_header, &CborType::Integer(1))?; + let protected_signature_header = unpack!(Map, protected_signature_header); + if protected_signature_header.len() != 2 { + return Err(CoseError::MalformedInput); + } + let signature_algorithm = get_map_value( + protected_signature_header, + &CborType::Integer(COSE_HEADER_ALG), + )?; let signature_algorithm = match signature_algorithm { CborType::SignedInteger(val) => { match val { @@ -103,9 +121,15 @@ fn decode_signature_struct( _ => return Err(CoseError::UnexpectedType), }; - let ee_cert = &get_map_value(&protected_signature_header, &CborType::Integer(4))?; + let ee_cert = &get_map_value( + protected_signature_header, + &CborType::Integer(COSE_HEADER_KID), + )?; let ee_cert = unpack!(Bytes, ee_cert).clone(); + // The unprotected header section is expected to be an empty map. + ensure_empty_map(&cose_signature[1])?; + // Build signature structure to verify. let signature_bytes = &cose_signature[2]; let signature_bytes = unpack!(Bytes, signature_bytes).clone(); 
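Review bot: The size check `if protected_signature_header.len() != 2` in the first hunk uses a bare number whose meaning only becomes clear from the two lookups that follow it. A comment above the check, such as `// The protected signature header must contain exactly two entries: alg and kid.`, would state the rule being enforced, in the same way the commit documents the unprotected header with `// The unprotected header section is expected to be an empty map.`. The name `protected_signature_header` is also rebound from the decoded value to the unpacked map, so a distinct name for the map would make the borrow easier to follow. `decode_signature_struct` starts and ends outside these hunks.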
@@ -116,12 +140,21 @@ fn decode_signature_struct( ); // Read intermediate certificates from protected_body_head. - let protected_body_head = unpack!(Bytes, protected_body_head); - let protected_body_head_map = match decode(protected_body_head) { + // Any tampering of the protected header during transport will be detected + // because it is input to the signature verification. + // Note that a protected header has to be present and hold a kid with an + // empty list of intermediate certificates. + let protected_body_head_bytes = unpack!(Bytes, protected_body_head); + let protected_body_head_map = &match decode(protected_body_head_bytes) { Ok(value) => value, Err(_) => return Err(CoseError::DecodingFailure), }; - let intermediate_certs_array = &get_map_value(&protected_body_head_map, &CborType::Integer(4))?; + let protected_body_head_map = unpack!(Map, protected_body_head_map); + if protected_body_head_map.len() != 1 { + return Err(CoseError::MalformedInput); + } + let intermediate_certs_array = + &get_map_value(protected_body_head_map, &CborType::Integer(COSE_HEADER_KID))?; let intermediate_certs = unpack!(Array, intermediate_certs_array); let mut certs: Vec> = Vec::new(); for cert in intermediate_certs { @@ -154,7 +187,7 @@ fn decode_signature_struct( ///``` pub fn decode_signature(bytes: &[u8], payload: &[u8]) -> Result, CoseError> { // This has to be a COSE_Sign object, which is a tagged array. - let tagged_cose_sign = match decode(&bytes) { + let tagged_cose_sign = match decode(bytes) { Err(_) => return Err(CoseError::DecodingFailure), Ok(value) => value, }; @@ -173,6 +206,16 @@ pub fn decode_signature(bytes: &[u8], payload: &[u8]) -> Result {} + _ => return Err(CoseError::UnexpectedType), + }; + let signatures = &cose_sign_array[3]; let signatures = unpack!(Array, signatures); 
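Review bot: The added comment in the `@@ -116,12 +140,21 @@` hunk says the protected header must "hold a kid with an empty list of intermediate certificates", which reads as if the list has to be empty. The code right below unpacks the `kid` value as an array and loops over it to collect certificates. Suggest `// Note that a protected header has to be present and hold a kid whose value is an array of intermediate certificates (the array may be empty).` The bare `len() != 1` would also benefit from `// kid must be the only key in the body protected header.` `decode_signature_struct` continues outside the hunk.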
@@ -183,7 +226,7 @@ pub fn decode_signature(bytes: &[u8], payload: &[u8]) -> Result) { - test::setup(); - let cose_signature = sign(payload, cert_chain, ¶ms_vec); - assert!(cose_signature.is_ok()); - let cose_signature = cose_signature.unwrap(); - - // Verify signature. - assert!(verify_signature(payload, cose_signature).is_ok()); +fn test_cose_format_error(bytes: &[u8], expected_error: CoseError) { + let payload = vec![0]; + let result = decode_signature(bytes, &payload); + assert!(result.is_err()); + assert_eq!(result.err(), Some(expected_error)); } -#[cfg(test)] -fn test_verify_modified_payload( - payload: &mut [u8], - cert_chain: &[&[u8]], - params_vec: Vec, -) { - test::setup(); - let cose_signature = sign(payload, cert_chain, ¶ms_vec); - assert!(cose_signature.is_ok()); - let cose_signature = cose_signature.unwrap(); - - // Verify signature. - payload[0] = !payload[0]; - let verify_result = verify_signature(payload, cose_signature); - assert!(verify_result.is_err()); - assert_eq!(verify_result, Err(CoseError::VerificationFailed)); +// Helper function to take a `Vec`, wrap it in a `CborType::Array`, tag it with the +// COSE_Sign tag (COSE_SIGN_TAG = 98), and serialize it to a `Vec`. +fn wrap_tag_and_encode_array(array: Vec) -> Vec { + CborType::Tag(COSE_SIGN_TAG, Box::new(CborType::Array(array))).serialize() } -#[cfg(test)] -fn test_verify_modified_signature( - payload: &[u8], - cert_chain: &[&[u8]], - params_vec: Vec, -) { - test::setup(); - let cose_signature = sign(payload, cert_chain, ¶ms_vec); - assert!(cose_signature.is_ok()); - let mut cose_signature = cose_signature.unwrap(); - - // Tamper with the cose signature. - let len = cose_signature.len(); - cose_signature[len - 15] = !cose_signature[len - 15]; - - // Verify signature. 
- let verify_result = verify_signature(payload, cose_signature); - assert!(verify_result.is_err()); - assert_eq!(verify_result, Err(CoseError::VerificationFailed)); +// Helper function to create an encoded protected header for a COSE_Sign or COSE_Signature +// structure. +fn encode_test_protected_header(keys: Vec, values: Vec) -> Vec { + assert_eq!(keys.len(), values.len()); + let mut map: BTreeMap = BTreeMap::new(); + for (key, value) in keys.iter().zip(values) { + map.insert(key.clone(), value.clone()); + } + CborType::Map(map).serialize() } -// This can be used with inconsistent parameters that make the verification fail. -// In particular, the signing key does not match the certificate used to verify. -#[cfg(test)] -fn test_verify_verification_fails( - payload: &[u8], - cert_chain: &[&[u8]], - params_vec: Vec, -) { - test::setup(); - let cose_signature = sign(payload, cert_chain, ¶ms_vec); - assert!(cose_signature.is_ok()); - let cose_signature = cose_signature.unwrap(); +// Helper function to create a test COSE_Signature structure with the given protected header. +fn build_test_cose_signature(protected_header: Vec) -> CborType { + CborType::Array(vec![CborType::Bytes(protected_header), + CborType::Map(BTreeMap::new()), + CborType::Bytes(Vec::new())]) +} - // Verify signature. - let verify_result = verify_signature(payload, cose_signature); - assert!(verify_result.is_err()); - assert_eq!(verify_result, Err(CoseError::VerificationFailed)); +// Helper function to create the minimally-valid COSE_Sign (i.e. "body") protected header. +fn make_minimally_valid_cose_sign_protected_header() -> Vec { + encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_KID)], + vec![CborType::Array(Vec::new())], + ) +} + +// Helper function to create a minimally-valid COSE_Signature (i.e. "body"). 
+fn make_minimally_valid_cose_signature_protected_header() -> Vec { + encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_ALG), + CborType::Integer(COSE_HEADER_KID)], + vec![CborType::SignedInteger(COSE_TYPE_ES256), + CborType::Bytes(Vec::new())], + ) +} + +// This tests the minimally-valid COSE_Sign structure according to this implementation. +// The structure must be a CBOR array of length 4 tagged with the integer 98. +// The COSE_Sign protected header must have the `kid` integer key and no others. The value for `kid` +// must be an array (although it may be empty). Each element of the array must be of type bytes. +// The COSE_Sign unprotected header must be an empty map. +// The COSE_Sign payload must be nil. +// The COSE_Sign signatures must be an array with at least one COSE_Signature. +// Each COSE_Signature must be an array of length 3. +// Each COSE_Signature protected header must have the `alg` and `kid` integer keys and no others. +// The value for `alg` must be a valid algorithm identifier. The value for `kid` must be bytes, +// although it may be empty. +// Each COSE_Signature unprotected header must be an empty map. +// Each COSE_Signature signature must be of type bytes (although it may be empty). 
+#[test] +fn test_cose_sign_minimally_valid() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + let payload = vec![0]; + let result = decode_signature(&bytes, &payload); + assert!(result.is_ok()); + let decoded = result.unwrap(); + assert_eq!(decoded.len(), 1); + assert_eq!(decoded[0].signer_cert.len(), 0); + assert_eq!(decoded[0].certs.len(), 0); } #[test] -fn test_cose_sign_verify() { - let payload = b"This is the content."; - - // P256 - let certs: [&[u8]; 2] = [&test::P256_ROOT, - &test::P256_INT]; - let params_vec = vec![P256_PARAMS]; - test_verify(payload, &certs, params_vec); - - // P384 - let params_vec = vec![P384_PARAMS]; - test_verify(payload, &certs, params_vec); - - // P521 - let params_vec = vec![P521_PARAMS]; - test_verify(payload, &certs, params_vec); +fn test_cose_sign_not_tagged() { + let bytes = CborType::Array(vec![CborType::Integer(0)]).serialize(); + test_cose_format_error(&bytes, CoseError::UnexpectedType); } #[test] -fn test_cose_sign_verify_modified_payload() { - let mut payload = String::from_str("This is the content.") - .unwrap() - .into_bytes(); - let certs: [&[u8]; 2] = [&test::P256_ROOT, - &test::P256_INT]; - let params_vec = vec![P256_PARAMS]; - test_verify_modified_payload(&mut payload, &certs, params_vec); +fn test_cose_sign_wrong_tag() { + // The expected COSE_Sign tag is 98. 
+ let bytes = CborType::Tag(99, Box::new(CborType::Integer(0))).serialize(); + test_cose_format_error(&bytes, CoseError::UnexpectedTag); } #[test] -fn test_cose_sign_verify_wrong_cert() { - let payload = b"This is the content."; - let certs: [&[u8]; 2] = [&test::P256_ROOT, - &test::P256_INT]; - let params = SignatureParameters { - certificate: &test::P384_EE, - algorithm: SignatureAlgorithm::ES256, - pkcs8: &test::PKCS8_P256_EE, - }; - let params_vec = vec![params]; - test_verify_verification_fails(payload, &certs, params_vec); +fn test_cose_sign_right_tag_wrong_contents() { + // The COSE_Sign tag is 98, but the contents should be an array. + let bytes = CborType::Tag(98, Box::new(CborType::Integer(0))).serialize(); + test_cose_format_error(&bytes, CoseError::UnexpectedType); } #[test] -fn test_cose_sign_verify_tampered_signature() { - let payload = b"This is the content."; - let certs: [&[u8]; 2] = [&test::P256_ROOT, - &test::P256_INT]; - let params_vec = vec![P256_PARAMS]; - test_verify_modified_signature(payload, &certs, params_vec); -} - -const RSA_PARAMS: SignatureParameters = SignatureParameters { - certificate: &test::RSA_EE, - algorithm: SignatureAlgorithm::PS256, - pkcs8: &test::PKCS8_RSA_EE, -}; - -#[test] -fn test_cose_sign_verify_rsa() { - let payload = b"This is the RSA-signed content."; - let certs: [&[u8]; 2] = [&test::RSA_ROOT, - &test::RSA_INT]; - let params_vec = vec![RSA_PARAMS]; - test_verify(payload, &certs, params_vec); +fn test_cose_sign_too_small() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); } #[test] -fn test_cose_sign_verify_rsa_modified_payload() { - let mut payload = String::from_str("This is the RSA-signed content.") - .unwrap() - .into_bytes(); - let certs: [&[u8]; 2] = 
[&test::RSA_ROOT, - &test::RSA_INT]; - let params_vec = vec![RSA_PARAMS]; - test_verify_modified_payload(&mut payload, &certs, params_vec); +fn test_cose_sign_too_large() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(Vec::new()), + CborType::Array(Vec::new())]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); } #[test] -fn test_cose_sign_verify_rsa_tampered_signature() { - let payload = b"This is the RSA-signed content."; - let certs: [&[u8]; 2] = [&test::RSA_ROOT, - &test::RSA_INT]; - let params_vec = vec![RSA_PARAMS]; - test_verify_modified_signature(payload, &certs, params_vec); +fn test_cose_sign_protected_header_empty() { + let body_protected_header = encode_test_protected_header(Vec::new(), Vec::new()); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); } #[test] -fn test_cose_sign_verify_two_signatures() { - let payload = b"This is the content."; - let certs: [&[u8]; 4] = [&test::P256_ROOT, - &test::P256_INT, - &test::RSA_ROOT, - &test::RSA_INT]; - let params_vec = vec![P256_PARAMS, - RSA_PARAMS]; - test_verify(payload, &certs, params_vec); +fn test_cose_sign_protected_header_missing_kid() { + let body_protected_header = + encode_test_protected_header(vec![CborType::Integer(2)], vec![CborType::Integer(2)]); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + 
let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MissingHeader); } #[test] -fn test_cose_sign_verify_two_signatures_tampered_payload() { - let mut payload = String::from_str("This is the content.") - .unwrap() - .into_bytes(); - let certs: [&[u8]; 4] = [&test::P256_ROOT, - &test::P256_INT, - &test::RSA_ROOT, - &test::RSA_INT]; - let params_vec = vec![P256_PARAMS, - RSA_PARAMS]; - test_verify_modified_payload(&mut payload, &certs, params_vec); +fn test_cose_sign_protected_header_kid_wrong_type() { + let body_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_KID)], + vec![CborType::Integer(2)], + ); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); } #[test] -fn test_cose_sign_verify_two_signatures_tampered_signature() { - let payload = b"This is the content."; - let certs: [&[u8]; 4] = [&test::P256_ROOT, - &test::P256_INT, - &test::RSA_ROOT, - &test::RSA_INT]; - let params_vec = vec![P256_PARAMS, - RSA_PARAMS]; - test_verify_modified_signature(payload, &certs, params_vec); +fn test_cose_sign_protected_header_extra_header_key() { + let body_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_KID), + CborType::Integer(2)], + vec![CborType::Bytes(Vec::new()), + CborType::Integer(2)], + ); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = 
build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_sign_unprotected_header_wrong_type() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Integer(1), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_sign_unprotected_header_not_empty() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + let mut unprotected_header_map: BTreeMap = BTreeMap::new(); + unprotected_header_map.insert(CborType::Integer(0), CborType::SignedInteger(-1)); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(unprotected_header_map), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_sign_payload_not_null() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + 
CborType::Integer(0), + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_signatures_not_array() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Integer(0)]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_signatures_empty() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(Vec::new())]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_signature_protected_header_wrong_type() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature = CborType::Array(vec![CborType::Null, + CborType::Map(BTreeMap::new()), + CborType::SignedInteger(-1)]); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_signature_protected_header_empty() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header(Vec::new(), Vec::new()); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + 
test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_signature_protected_header_too_large() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = CborType::Array(vec![CborType::Bytes(signature_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Bytes(Vec::new()), + CborType::Null]); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_signature_protected_header_bad_encoding() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + // The bytes here are a truncated integer encoding. + let signature = CborType::Array(vec![CborType::Bytes(vec![0x1a, 0x00, 0x00]), + CborType::Map(BTreeMap::new()), + CborType::Bytes(Vec::new())]); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::DecodingFailure); +} + +#[test] +fn test_cose_signature_protected_header_missing_alg() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::Integer(2), + CborType::Integer(COSE_HEADER_KID)], + vec![CborType::SignedInteger(COSE_TYPE_ES256), + CborType::Bytes(Vec::new())], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + 
test_cose_format_error(&bytes, CoseError::MissingHeader); +} + +#[test] +fn test_cose_signature_protected_header_missing_kid() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_ALG), + CborType::Integer(3)], + vec![CborType::SignedInteger(COSE_TYPE_ES256), + CborType::Bytes(Vec::new())], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MissingHeader); +} + +#[test] +fn test_cose_signature_protected_header_wrong_key_types() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::SignedInteger(-1), + CborType::Bytes(vec![0])], + vec![CborType::SignedInteger(COSE_TYPE_ES256), + CborType::Bytes(Vec::new())], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MissingHeader); +} + +#[test] +fn test_cose_signature_protected_header_unexpected_alg_type() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_ALG), + CborType::Integer(COSE_HEADER_KID)], + vec![CborType::Integer(10), + CborType::Integer(4)], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + 
CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_signature_protected_header_unsupported_alg() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_ALG), + CborType::Integer(COSE_HEADER_KID)], + vec![CborType::SignedInteger(-10), + CborType::Bytes(Vec::new())], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedHeaderValue); +} + +#[test] +fn test_cose_signature_protected_header_unexpected_kid_type() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_ALG), + CborType::Integer(COSE_HEADER_KID)], + vec![CborType::SignedInteger(COSE_TYPE_ES256), + CborType::Integer(0)], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_signature_protected_header_extra_key() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = encode_test_protected_header( + vec![CborType::Integer(COSE_HEADER_ALG), + CborType::Integer(COSE_HEADER_KID), + CborType::Integer(5)], + vec![CborType::SignedInteger(COSE_TYPE_ES256), + CborType::Bytes(Vec::new()), + 
CborType::Integer(5)], + ); + let signature = build_test_cose_signature(signature_protected_header); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_signature_unprotected_header_wrong_type() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let signature = CborType::Array(vec![CborType::Bytes(signature_protected_header), + CborType::Integer(1), + CborType::Bytes(Vec::new())]); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); +} + +#[test] +fn test_cose_signature_unprotected_header_not_empty() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = make_minimally_valid_cose_signature_protected_header(); + let mut unprotected_header_map: BTreeMap = BTreeMap::new(); + unprotected_header_map.insert(CborType::Integer(0), CborType::SignedInteger(-1)); + let signature = CborType::Array(vec![CborType::Bytes(signature_protected_header), + CborType::Map(unprotected_header_map), + CborType::Bytes(Vec::new())]); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::MalformedInput); +} + +#[test] +fn test_cose_signature_signature_wrong_type() { + let body_protected_header = make_minimally_valid_cose_sign_protected_header(); + let signature_protected_header = 
make_minimally_valid_cose_signature_protected_header(); + let signature = CborType::Array(vec![CborType::Bytes(signature_protected_header), + CborType::Map(BTreeMap::new()), + CborType::SignedInteger(-1)]); + let values = vec![CborType::Bytes(body_protected_header), + CborType::Map(BTreeMap::new()), + CborType::Null, + CborType::Array(vec![signature])]; + let bytes = wrap_tag_and_encode_array(values); + test_cose_format_error(&bytes, CoseError::UnexpectedType); } diff --git a/third_party/rust/cose/src/test_setup.rs b/third_party/rust/cose/src/test_setup.rs index befad9746a59..fce0676a665d 100644 --- a/third_party/rust/cose/src/test_setup.rs +++ b/third_party/rust/cose/src/test_setup.rs 
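Review bot: In the test hunk that ends just before the `test_setup.rs` header, `test_cose_signature_protected_header_unexpected_alg_type` does not isolate the `alg` check. It sets `alg` to `CborType::Integer(10)` but also sets `kid` to `CborType::Integer(4)`, and judging by the decoder hunks and `test_cose_signature_protected_header_unexpected_kid_type`, a non-bytes `kid` yields `CoseError::UnexpectedType` as well. The test would therefore keep passing if the `alg` type check regressed. Keeping `kid` valid, `vec![CborType::Integer(10), CborType::Bytes(Vec::new())]`, makes the failure attributable to `alg` alone. `test_cose_sign_protected_header_extra_header_key` has a milder form of the same issue (the body `kid` is given `CborType::Bytes` rather than an array), and the comment above `make_minimally_valid_cose_signature_protected_header` still says `(i.e. "body")` although it builds the COSE_Signature protected header.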
@@ -1,182 +1,3 @@ -use std::os::raw; -use std::ptr; -use std::sync::{ONCE_INIT, Once}; -static START: Once = ONCE_INIT; - -type SECStatus = raw::c_int; -const SEC_SUCCESS: SECStatus = 0; -// TODO: ugh this will probably have a platform-specific name... -#[link(name = "nss3")] -extern "C" { - fn NSS_NoDB_Init(configdir: *const u8) -> SECStatus; -} - -pub fn setup() { - START.call_once(|| { - let null_ptr: *const u8 = ptr::null(); - unsafe { - assert_eq!(NSS_NoDB_Init(null_ptr), SEC_SUCCESS); - } - }); -} - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const PKCS8_P256_EE: [u8; 139] = [ - 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, - 0x01, 0x04, 0x20, 0x21, 0x91, 0x40, 0x3d, 0x57, 0x10, 0xbf, 0x15, - 0xa2, 0x65, 0x81, 0x8c, 0xd4, 0x2e, 0xd6, 0xfe, 0xdf, 0x09, 0xad, - 0xd9, 0x2d, 0x78, 0xb1, 0x8e, 0x7a, 0x1e, 0x9f, 0xeb, 0x95, 0x52, - 0x47, 0x02, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, - 0xbb, 0x61, 0xe0, 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, - 0x04, 0xe2, 0xec, 0x05, 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, - 0x3f, 0x2c, 0x4f, 0x79, 0x4b, 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, - 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, 0x07, 0x06, 0xe0, 0x0e, 0xed, - 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, 0x7b, 0x2d, 0x07, 0xa3, - 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x0a -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const P256_EE: [u8; 300] = [ - 0x30, 0x82, 0x01, 0x28, 0x30, 0x81, 0xcf, 0xa0, 0x03, 0x02, 0x01, 0x02, - 0x02, 0x14, 0x2f, 0xc3, 0x5f, 0x05, 0x80, 0xb4, 0x49, 0x45, 0x13, 0x92, - 0xd6, 0x93, 0xb7, 0x2d, 0x71, 0x19, 0xc5, 0x8c, 0x40, 0x39, 0x30, 0x0a, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, - 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, - 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, - 0x30, 0x31, 0x32, 0x30, 0x31, 
0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, - 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, - 0x32, 0x35, 0x36, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, - 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x4f, 0xbf, 0xbb, 0xbb, 0x61, 0xe0, - 0xf8, 0xf9, 0xb1, 0xa6, 0x0a, 0x59, 0xac, 0x87, 0x04, 0xe2, 0xec, 0x05, - 0x0b, 0x42, 0x3e, 0x3c, 0xf7, 0x2e, 0x92, 0x3f, 0x2c, 0x4f, 0x79, 0x4b, - 0x45, 0x5c, 0x2a, 0x69, 0xd2, 0x33, 0x45, 0x6c, 0x36, 0xc4, 0x11, 0x9d, - 0x07, 0x06, 0xe0, 0x0e, 0xed, 0xc8, 0xd1, 0x93, 0x90, 0xd7, 0x99, 0x1b, - 0x7b, 0x2d, 0x07, 0xa3, 0x04, 0xea, 0xa0, 0x4a, 0xa6, 0xc0, 0x30, 0x0a, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, - 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, - 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, - 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, - 0xe6, 0x02, 0x21, 0x00, 0xff, 0x81, 0xbe, 0xa8, 0x0d, 0x03, 0x36, 0x6b, - 0x75, 0xe2, 0x70, 0x6a, 0xac, 0x07, 0x2e, 0x4c, 0xdc, 0xf9, 0xc5, 0x89, - 0xc1, 0xcf, 0x88, 0xc2, 0xc8, 0x2a, 0x32, 0xf5, 0x42, 0x0c, 0xfa, 0x0b -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const PKCS8_P384_EE: [u8; 185] = [ - 0x30, 0x81, 0xb6, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, - 0x04, 0x81, 0x9e, 0x30, 0x81, 0x9b, 0x02, 0x01, 0x01, 0x04, 0x30, 0x03, - 0x5c, 0x7a, 0x1b, 0x10, 0xd9, 0xfa, 0xfe, 0x83, 0x7b, 0x64, 0xad, 0x92, - 0xf2, 0x2f, 0x5c, 0xed, 0x07, 0x89, 0x18, 0x65, 0x38, 0x66, 0x9b, 0x5c, - 0x6d, 0x87, 0x2c, 0xec, 0x3d, 0x92, 0x61, 0x22, 0xb3, 0x93, 0x77, 0x2b, - 0x57, 0x60, 0x2f, 0xf3, 0x13, 0x65, 0xef, 0xe1, 0x39, 0x32, 0x46, 0xa1, - 0x64, 0x03, 0x62, 0x00, 
0x04, 0xa1, 0x68, 0x72, 0x43, 0x36, 0x2b, 0x5c, - 0x7b, 0x18, 0x89, 0xf3, 0x79, 0x15, 0x46, 0x15, 0xa1, 0xc7, 0x3f, 0xb4, - 0x8d, 0xee, 0x86, 0x3e, 0x02, 0x29, 0x15, 0xdb, 0x60, 0x8e, 0x25, 0x2d, - 0xe4, 0xb7, 0x13, 0x2d, 0xa8, 0xce, 0x98, 0xe8, 0x31, 0x53, 0x4e, 0x6a, - 0x9c, 0x0c, 0x0b, 0x09, 0xc8, 0xd6, 0x39, 0xad, 0xe8, 0x32, 0x06, 0xe5, - 0xba, 0x81, 0x34, 0x73, 0xa1, 0x1f, 0xa3, 0x30, 0xe0, 0x5d, 0xa8, 0xc9, - 0x6e, 0x43, 0x83, 0xfe, 0x27, 0x87, 0x3d, 0xa9, 0x71, 0x03, 0xbe, 0x28, - 0x88, 0xcf, 0xf0, 0x02, 0xf0, 0x5a, 0xf7, 0x1a, 0x1f, 0xdd, 0xcc, 0x83, - 0x74, 0xaa, 0x6e, 0xa9, 0xce -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const PKCS8_P521_EE: [u8; 240] = [ - 0x30, 0x81, 0xed, 0x02, 0x01, 0x00, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, - 0x04, 0x81, 0xd5, 0x30, 0x81, 0xd2, 0x02, 0x01, 0x01, 0x04, 0x42, 0x01, - 0x4f, 0x32, 0x84, 0xfa, 0x69, 0x8d, 0xd9, 0xfe, 0x11, 0x18, 0xdd, 0x33, - 0x18, 0x51, 0xcd, 0xfa, 0xac, 0x5a, 0x38, 0x29, 0x27, 0x8e, 0xb8, 0x99, - 0x48, 0x39, 0xde, 0x94, 0x71, 0xc9, 0x40, 0xb8, 0x58, 0xc6, 0x9d, 0x2d, - 0x05, 0xe8, 0xc0, 0x17, 0x88, 0xa7, 0xd0, 0xb6, 0xe2, 0x35, 0xaa, 0x5e, - 0x78, 0x3f, 0xc1, 0xbe, 0xe8, 0x07, 0xdc, 0xc3, 0x86, 0x5f, 0x92, 0x0e, - 0x12, 0xcf, 0x8f, 0x2d, 0x29, 0xa1, 0x81, 0x88, 0x03, 0x81, 0x85, 0x00, - 0x04, 0x18, 0x94, 0x55, 0x0d, 0x07, 0x85, 0x93, 0x2e, 0x00, 0xea, 0xa2, - 0x3b, 0x69, 0x4f, 0x21, 0x3f, 0x8c, 0x31, 0x21, 0xf8, 0x6d, 0xc9, 0x7a, - 0x04, 0xe5, 0xa7, 0x16, 0x7d, 0xb4, 0xe5, 0xbc, 0xd3, 0x71, 0x12, 0x3d, - 0x46, 0xe4, 0x5d, 0xb6, 0xb5, 0xd5, 0x37, 0x0a, 0x7f, 0x20, 0xfb, 0x63, - 0x31, 0x55, 0xd3, 0x8f, 0xfa, 0x16, 0xd2, 0xbd, 0x76, 0x1d, 0xca, 0xc4, - 0x74, 0xb9, 0xa2, 0xf5, 0x02, 0x3a, 0x40, 0x49, 0x31, 0x01, 0xc9, 0x62, - 0xcd, 0x4d, 0x2f, 0xdd, 0xf7, 0x82, 0x28, 0x5e, 0x64, 0x58, 0x41, 0x39, - 0xc2, 0xf9, 0x1b, 0x47, 0xf8, 0x7f, 0xf8, 0x23, 0x54, 0xd6, 0x63, 0x0f, - 0x74, 0x6a, 0x28, 0xa0, 0xdb, 0x25, 0x74, 0x1b, 0x5b, 0x34, 
0xa8, 0x28, - 0x00, 0x8b, 0x22, 0xac, 0xc2, 0x3f, 0x92, 0x4f, 0xaa, 0xfb, 0xd4, 0xd3, - 0x3f, 0x81, 0xea, 0x66, 0x95, 0x6d, 0xfe, 0xaa, 0x2b, 0xfd, 0xfc, 0xf5 -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const P521_EE: [u8; 367] = [ - 0x30, 0x82, 0x01, 0x6b, 0x30, 0x82, 0x01, 0x12, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x49, 0xdb, 0x7d, 0xec, 0x87, 0x2b, 0x95, 0xfc, 0xfb, - 0x57, 0xfb, 0xc8, 0xd5, 0x57, 0xb7, 0x3a, 0x10, 0xcc, 0xf1, 0x7a, 0x30, - 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, - 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, - 0x69, 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, - 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, - 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, - 0x70, 0x35, 0x32, 0x31, 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, - 0x23, 0x03, 0x81, 0x86, 0x00, 0x04, 0x01, 0x4c, 0xdc, 0x9c, 0xac, 0xc4, - 0x79, 0x41, 0x09, 0x6b, 0xc9, 0xcc, 0x66, 0x75, 0x2e, 0xc2, 0x7f, 0x59, - 0x77, 0x34, 0xfa, 0x66, 0xc6, 0x2b, 0x79, 0x2f, 0x88, 0xc5, 0x19, 0xd6, - 0xd3, 0x7f, 0x0d, 0x16, 0xea, 0x1c, 0x48, 0x3a, 0x18, 0x27, 0xa0, 0x10, - 0xb9, 0x12, 0x8e, 0x3a, 0x08, 0x07, 0x0c, 0xa3, 0x3e, 0xf5, 0xf5, 0x78, - 0x35, 0xb7, 0xc1, 0xba, 0x25, 0x1f, 0x6c, 0xc3, 0x52, 0x1d, 0xc4, 0x2b, - 0x01, 0x06, 0x53, 0x45, 0x19, 0x81, 0xb4, 0x45, 0xd3, 0x43, 0xee, 0xd3, - 0x78, 0x2a, 0x35, 0xd6, 0xcf, 0xf0, 0xff, 0x48, 0x4f, 0x5a, 0x88, 0x3d, - 0x20, 0x9f, 0x1b, 0x90, 0x42, 0xb7, 0x26, 0x70, 0x35, 0x68, 0xb2, 0xf3, - 0x26, 0xe1, 0x8b, 0x83, 0x3b, 0xdd, 0x8a, 0xa0, 0x73, 0x43, 0x92, 0xbc, - 0xd1, 0x95, 0x01, 0xe1, 0x0d, 0x69, 0x8a, 0x79, 0xf5, 0x3e, 0x11, 0xe0, - 0xa2, 0x2b, 0xdd, 0x2a, 0xad, 0x90, 0x30, 0x0a, 0x06, 0x08, 
0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, - 0x20, 0x5c, 0x75, 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, - 0x20, 0xa3, 0xbc, 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, - 0x64, 0xec, 0xfd, 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, 0x20, 0x35, - 0x20, 0x7c, 0xff, 0x51, 0xf6, 0x68, 0xce, 0x1d, 0x00, 0xf9, 0xcc, 0x7f, - 0xa7, 0xbc, 0x79, 0x52, 0xea, 0x56, 0xdf, 0xc1, 0x46, 0x7c, 0x0c, 0xa1, - 0x2e, 0x32, 0xb1, 0x69, 0x4b, 0x20, 0xc4 -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const P384_EE: [u8; 329] = [ - 0x30, 0x82, 0x01, 0x45, 0x30, 0x81, 0xec, 0xa0, 0x03, 0x02, 0x01, 0x02, - 0x02, 0x14, 0x79, 0xe3, 0x1c, 0x60, 0x97, 0xa4, 0x3c, 0x3b, 0x82, 0x11, - 0x42, 0x37, 0xaf, 0x57, 0x05, 0xa8, 0xde, 0xd3, 0x40, 0x58, 0x30, 0x0a, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x13, - 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x69, - 0x6e, 0x74, 0x2d, 0x70, 0x32, 0x35, 0x36, 0x30, 0x22, 0x18, 0x0f, 0x32, - 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, 0x31, - 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x65, 0x65, 0x2d, 0x70, - 0x33, 0x38, 0x34, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, - 0x62, 0x00, 0x04, 0xa1, 0x68, 0x72, 0x43, 0x36, 0x2b, 0x5c, 0x7b, 0x18, - 0x89, 0xf3, 0x79, 0x15, 0x46, 0x15, 0xa1, 0xc7, 0x3f, 0xb4, 0x8d, 0xee, - 0x86, 0x3e, 0x02, 0x29, 0x15, 0xdb, 0x60, 0x8e, 0x25, 0x2d, 0xe4, 0xb7, - 0x13, 0x2d, 0xa8, 0xce, 0x98, 0xe8, 0x31, 0x53, 0x4e, 0x6a, 0x9c, 0x0c, - 0x0b, 0x09, 0xc8, 0xd6, 0x39, 0xad, 0xe8, 0x32, 0x06, 0xe5, 0xba, 0x81, - 0x34, 0x73, 0xa1, 0x1f, 0xa3, 0x30, 0xe0, 0x5d, 0xa8, 0xc9, 0x6e, 0x43, - 0x83, 0xfe, 0x27, 0x87, 0x3d, 0xa9, 0x71, 0x03, 0xbe, 0x28, 0x88, 0xcf, - 0xf0, 0x02, 
0xf0, 0x5a, 0xf7, 0x1a, 0x1f, 0xdd, 0xcc, 0x83, 0x74, 0xaa, - 0x6e, 0xa9, 0xce, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x20, 0x5c, 0x75, - 0x51, 0x9f, 0x13, 0x11, 0x50, 0xcd, 0x5d, 0x8a, 0xde, 0x20, 0xa3, 0xbc, - 0x06, 0x30, 0x91, 0xff, 0xb2, 0x73, 0x75, 0x5f, 0x31, 0x64, 0xec, 0xfd, - 0xcb, 0x42, 0x80, 0x0a, 0x70, 0xe6, 0x02, 0x21, 0x00, 0xf3, 0x04, 0x26, - 0xf2, 0xfd, 0xbc, 0x89, 0x3f, 0x29, 0x3b, 0x70, 0xbc, 0x72, 0xa6, 0xc2, - 0x23, 0xcc, 0x43, 0x4d, 0x84, 0x71, 0xaf, 0x53, 0xe4, 0x4b, 0x3e, 0xc0, - 0xbf, 0xe5, 0x68, 0x86, 0x49 -]; - #[cfg_attr(rustfmt, rustfmt_skip)] pub const P256_INT: [u8; 332] = [ 0x30, 0x82, 0x01, 0x48, 0x30, 0x81, 0xf0, 0xa0, 0x03, 0x02, 0x01, 
@@ -244,304 +65,6 @@ pub const P256_ROOT: [u8; 334] = [ 0x54, 0xc8, 0x9f, 0xef, 0xb8, 0x5d, 0xa2, 0x40, 0xd9, 0x8b ]; -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const PKCS8_RSA_EE: [u8; 1218] = [ - 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, - 0x04, 0xa8, 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, - 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, - 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, - 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, - 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, - 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, - 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, - 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, - 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, - 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, - 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, - 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, - 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, - 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, - 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, - 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, - 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, - 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, - 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, - 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, - 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, - 0xda, 0x18, 0x0a, 0x35, 
0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, - 0x82, 0x01, 0x01, 0x00, 0x9e, 0xcb, 0xce, 0x38, 0x61, 0xa4, 0x54, 0xec, - 0xb1, 0xe0, 0xfe, 0x8f, 0x85, 0xdd, 0x43, 0xc9, 0x2f, 0x58, 0x25, 0xce, - 0x2e, 0x99, 0x78, 0x84, 0xd0, 0xe1, 0xa9, 0x49, 0xda, 0xa2, 0xc5, 0xac, - 0x55, 0x9b, 0x24, 0x04, 0x50, 0xe5, 0xac, 0x9f, 0xe0, 0xc3, 0xe3, 0x1c, - 0x0e, 0xef, 0xa6, 0x52, 0x5a, 0x65, 0xf0, 0xc2, 0x21, 0x94, 0x00, 0x4e, - 0xe1, 0xab, 0x46, 0x3d, 0xde, 0x9e, 0xe8, 0x22, 0x87, 0xcc, 0x93, 0xe7, - 0x46, 0xa9, 0x19, 0x29, 0xc5, 0xe6, 0xac, 0x3d, 0x88, 0x75, 0x3f, 0x6c, - 0x25, 0xba, 0x59, 0x79, 0xe7, 0x3e, 0x5d, 0x8f, 0xb2, 0x39, 0x11, 0x1a, - 0x3c, 0xda, 0xb8, 0xa4, 0xb0, 0xcd, 0xf5, 0xf9, 0xca, 0xb0, 0x5f, 0x12, - 0x33, 0xa3, 0x83, 0x35, 0xc6, 0x4b, 0x55, 0x60, 0x52, 0x5e, 0x7e, 0x3b, - 0x92, 0xad, 0x7c, 0x75, 0x04, 0xcf, 0x1d, 0xc7, 0xcb, 0x00, 0x57, 0x88, - 0xaf, 0xcb, 0xe1, 0xe8, 0xf9, 0x5d, 0xf7, 0x40, 0x2a, 0x15, 0x15, 0x30, - 0xd5, 0x80, 0x83, 0x46, 0x86, 0x4e, 0xb3, 0x70, 0xaa, 0x79, 0x95, 0x6a, - 0x58, 0x78, 0x62, 0xcb, 0x53, 0x37, 0x91, 0x30, 0x7f, 0x70, 0xd9, 0x1c, - 0x96, 0xd2, 0x2d, 0x00, 0x1a, 0x69, 0x00, 0x9b, 0x92, 0x3c, 0x68, 0x33, - 0x88, 0xc9, 0xf3, 0x6c, 0xb9, 0xb5, 0xeb, 0xe6, 0x43, 0x02, 0x04, 0x1c, - 0x78, 0xd9, 0x08, 0x20, 0x6b, 0x87, 0x00, 0x9c, 0xb8, 0xca, 0xba, 0xca, - 0xd3, 0xdb, 0xdb, 0x27, 0x92, 0xfb, 0x91, 0x1b, 0x2c, 0xf4, 0xdb, 0x66, - 0x03, 0x58, 0x5b, 0xe9, 0xae, 0x0c, 0xa3, 0xb8, 0xe6, 0x41, 0x7a, 0xa0, - 0x4b, 0x06, 0xe4, 0x70, 0xea, 0x1a, 0x3b, 0x58, 0x1c, 0xa0, 0x3a, 0x67, - 0x81, 0xc9, 0x31, 0x5b, 0x62, 0xb3, 0x0e, 0x60, 0x11, 0xf2, 0x24, 0x72, - 0x59, 0x46, 0xee, 0xc5, 0x7c, 0x6d, 0x94, 0x41, 0x02, 0x81, 0x81, 0x00, - 0xdd, 0x6e, 0x1d, 0x4f, 0xff, 0xeb, 0xf6, 0x8d, 0x88, 0x9c, 0x4d, 0x11, - 0x4c, 0xda, 0xaa, 0x9c, 0xaa, 0x63, 0xa5, 0x93, 0x74, 0x28, 0x6c, 0x8a, - 0x5c, 0x29, 0xa7, 0x17, 0xbb, 0xa6, 0x03, 0x75, 0x64, 0x4d, 0x5c, 0xaa, - 0x67, 0x4c, 0x4b, 0x8b, 0xc7, 0x32, 0x63, 0x58, 0x64, 0x62, 0x20, 0xe4, - 0x55, 0x0d, 0x76, 0x08, 
0xac, 0x27, 0xd5, 0x5b, 0x6d, 0xb7, 0x4f, 0x8d, - 0x81, 0x27, 0xef, 0x8f, 0xa0, 0x90, 0x98, 0xb6, 0x91, 0x47, 0xde, 0x06, - 0x55, 0x73, 0x44, 0x7e, 0x18, 0x3d, 0x22, 0xfe, 0x7d, 0x88, 0x5a, 0xce, - 0xb5, 0x13, 0xd9, 0x58, 0x1d, 0xd5, 0xe0, 0x7c, 0x1a, 0x90, 0xf5, 0xce, - 0x08, 0x79, 0xde, 0x13, 0x13, 0x71, 0xec, 0xef, 0xc9, 0xce, 0x72, 0xe9, - 0xc4, 0x3d, 0xc1, 0x27, 0xd2, 0x38, 0x19, 0x0d, 0xe8, 0x11, 0x77, 0x3c, - 0xa5, 0xd1, 0x93, 0x01, 0xf4, 0x8c, 0x74, 0x2b, 0x02, 0x81, 0x81, 0x00, - 0xd7, 0xa7, 0x73, 0xd9, 0xeb, 0xc3, 0x80, 0xa7, 0x67, 0xd2, 0xfe, 0xc0, - 0x93, 0x4a, 0xd4, 0xe8, 0xb5, 0x66, 0x72, 0x40, 0x77, 0x1a, 0xcd, 0xeb, - 0xb5, 0xad, 0x79, 0x6f, 0x47, 0x8f, 0xec, 0x4d, 0x45, 0x98, 0x5e, 0xfb, - 0xc9, 0x53, 0x29, 0x68, 0x28, 0x9c, 0x8d, 0x89, 0x10, 0x2f, 0xad, 0xf2, - 0x1f, 0x34, 0xe2, 0xdd, 0x49, 0x40, 0xeb, 0xa8, 0xc0, 0x9d, 0x6d, 0x1f, - 0x16, 0xdc, 0xc2, 0x97, 0x29, 0x77, 0x4c, 0x43, 0x27, 0x5e, 0x92, 0x51, - 0xdd, 0xbe, 0x49, 0x09, 0xe1, 0xfd, 0x3b, 0xf1, 0xe4, 0xbe, 0xdf, 0x46, - 0xa3, 0x9b, 0x8b, 0x38, 0x33, 0x28, 0xef, 0x4a, 0xe3, 0xb9, 0x5b, 0x92, - 0xf2, 0x07, 0x0a, 0xf2, 0x6c, 0x9e, 0x7c, 0x5c, 0x9b, 0x58, 0x7f, 0xed, - 0xde, 0x05, 0xe8, 0xe7, 0xd8, 0x6c, 0xa5, 0x78, 0x86, 0xfb, 0x16, 0x58, - 0x10, 0xa7, 0x7b, 0x98, 0x45, 0xbc, 0x31, 0x27, 0x02, 0x81, 0x81, 0x00, - 0x96, 0x47, 0x2b, 0x41, 0xa6, 0x10, 0xc0, 0xad, 0xe1, 0xaf, 0x22, 0x66, - 0xc1, 0x60, 0x0e, 0x36, 0x71, 0x35, 0x5b, 0xa4, 0x2d, 0x4b, 0x5a, 0x0e, - 0xb4, 0xe9, 0xd7, 0xeb, 0x35, 0x81, 0x40, 0x0b, 0xa5, 0xdd, 0x13, 0x2c, - 0xdb, 0x1a, 0x5e, 0x93, 0x28, 0xc7, 0xbb, 0xc0, 0xbb, 0xb0, 0x15, 0x5e, - 0xa1, 0x92, 0x97, 0x2e, 0xdf, 0x97, 0xd1, 0x27, 0x51, 0xd8, 0xfc, 0xf6, - 0xae, 0x57, 0x2a, 0x30, 0xb1, 0xea, 0x30, 0x9a, 0x87, 0x12, 0xdd, 0x4e, - 0x33, 0x24, 0x1d, 0xb1, 0xee, 0x45, 0x5f, 0xc0, 0x93, 0xf5, 0xbc, 0x9b, - 0x59, 0x2d, 0x75, 0x6e, 0x66, 0x21, 0x47, 0x4f, 0x32, 0xc0, 0x7a, 0xf2, - 0x2f, 0xb2, 0x75, 0xd3, 0x40, 0x79, 0x2b, 0x32, 0xba, 0x25, 0x90, 0xbb, - 0xb2, 0x61, 0xae, 0xfb, 
0x95, 0xa2, 0x58, 0xee, 0xa5, 0x37, 0x65, 0x53, - 0x15, 0xbe, 0x9c, 0x24, 0xd1, 0x91, 0x99, 0x2d, 0x02, 0x81, 0x80, 0x28, - 0xb4, 0x50, 0xa7, 0xa7, 0x5a, 0x85, 0x64, 0x13, 0xb2, 0xbd, 0xa6, 0xf7, - 0xa6, 0x3e, 0x3d, 0x96, 0x4f, 0xb9, 0xec, 0xf5, 0x0e, 0x38, 0x23, 0xef, - 0x6c, 0xc8, 0xe8, 0xfa, 0x26, 0xee, 0x41, 0x3f, 0x8b, 0x9d, 0x12, 0x05, - 0x54, 0x0f, 0x12, 0xbb, 0xe7, 0xa0, 0xc7, 0x68, 0x28, 0xb7, 0xba, 0x65, - 0xad, 0x83, 0xcc, 0xa4, 0xd0, 0xfe, 0x2a, 0x22, 0x01, 0x14, 0xe1, 0xb3, - 0x5d, 0x03, 0xd5, 0xa8, 0x5b, 0xfe, 0x27, 0x06, 0xbd, 0x50, 0xfc, 0xe6, - 0xcf, 0xcd, 0xd5, 0x71, 0xb4, 0x6c, 0xa6, 0x21, 0xb8, 0xed, 0x47, 0xd6, - 0x05, 0xbb, 0xe7, 0x65, 0xb0, 0xaa, 0x4a, 0x06, 0x65, 0xac, 0x25, 0x36, - 0x4d, 0xa2, 0x01, 0x54, 0x03, 0x2e, 0x12, 0x04, 0xb8, 0x55, 0x9d, 0x3e, - 0x34, 0xfb, 0x5b, 0x17, 0x7c, 0x9a, 0x56, 0xff, 0x93, 0x51, 0x0a, 0x5a, - 0x4a, 0x62, 0x87, 0xc1, 0x51, 0xde, 0x2d, 0x02, 0x81, 0x80, 0x28, 0x06, - 0x7b, 0x93, 0x55, 0x80, 0x1d, 0x2e, 0xf5, 0x2d, 0xfa, 0x96, 0xd8, 0xad, - 0xb5, 0x89, 0x67, 0x3c, 0xf8, 0xee, 0x8a, 0x9c, 0x6f, 0xf7, 0x2a, 0xee, - 0xab, 0xe9, 0xef, 0x6b, 0xe5, 0x8a, 0x4f, 0x4a, 0xbf, 0x05, 0xf7, 0x88, - 0x94, 0x7d, 0xc8, 0x51, 0xfd, 0xaa, 0x34, 0x54, 0x21, 0x47, 0xa7, 0x1a, - 0x24, 0x6b, 0xfb, 0x05, 0x4e, 0xe7, 0x6a, 0xa3, 0x46, 0xab, 0xcd, 0x26, - 0x92, 0xcf, 0xc9, 0xe4, 0x4c, 0x51, 0xe6, 0xf0, 0x69, 0xc7, 0x35, 0xe0, - 0x73, 0xba, 0x01, 0x9f, 0x6a, 0x72, 0x14, 0x96, 0x1c, 0x91, 0xb2, 0x68, - 0x71, 0xca, 0xea, 0xbf, 0x8f, 0x06, 0x44, 0x18, 0xa0, 0x26, 0x90, 0xe3, - 0x9a, 0x8d, 0x5f, 0xf3, 0x06, 0x7b, 0x7c, 0xdb, 0x7f, 0x50, 0xb1, 0xf5, - 0x34, 0x18, 0xa7, 0x03, 0x96, 0x6c, 0x4f, 0xc7, 0x74, 0xbf, 0x74, 0x02, - 0xaf, 0x6c, 0x43, 0x24, 0x7f, 0x43 -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const RSA_EE: [u8; 691] = [ - 0x30, 0x82, 0x02, 0xaf, 0x30, 0x82, 0x01, 0x99, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x07, 0x1c, 0x3b, 0x71, 0x08, 0xbe, 0xd7, 0x9f, 0xfd, - 0xaf, 0x26, 0xb6, 0x08, 0xa3, 0x99, 0x06, 0x77, 0x69, 0x32, 
0x7e, 0x30, - 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x07, 0x69, 0x6e, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, 0x0f, - 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, 0x33, - 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x11, 0x31, 0x0f, - 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x06, 0x65, 0x65, 0x2d, - 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, - 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, - 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, 0x6e, 0xb6, - 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, 0x35, 0x4a, - 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, 0x25, 0xa8, - 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, 0x86, 0xf2, - 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, 0x7a, 0xa5, - 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, 0x7e, 0xcd, - 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, 0x20, 0xc3, - 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, 0x15, 0x82, - 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, 0x8b, 0x2a, - 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, 0x0b, 0x2b, - 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, 0xb1, 0x57, - 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, 0x37, 0xd3, - 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, 0xaa, 0x7e, - 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, 0x1c, 0x6c, - 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, 0x75, 0x31, - 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, 0x25, 0xd3, - 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, 
0x2f, 0x22, - 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, 0xd6, 0x25, - 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, 0x2c, 0xbf, - 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, 0xb3, 0xfe, - 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, 0xda, 0x18, - 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0b, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, - 0x01, 0x01, 0x00, 0x44, 0x92, 0xbb, 0x8e, 0x83, 0x58, 0x56, 0x2e, 0x7a, - 0x86, 0xfa, 0x1d, 0x77, 0x50, 0x3f, 0x45, 0x8d, 0x90, 0xc4, 0x62, 0x27, - 0x21, 0x96, 0x5a, 0xef, 0x51, 0x78, 0xd7, 0x7d, 0x0d, 0x02, 0x2d, 0x5a, - 0x0e, 0x3c, 0x82, 0x6f, 0x1d, 0x92, 0x87, 0xd5, 0x1a, 0x44, 0xae, 0xa7, - 0x92, 0xd1, 0x8b, 0xfa, 0x16, 0x53, 0x7f, 0xa3, 0x22, 0x96, 0x1a, 0x51, - 0x8c, 0xeb, 0xa1, 0xe6, 0xf6, 0x37, 0x11, 0xfe, 0x7d, 0x53, 0x3f, 0xae, - 0xf0, 0x6b, 0xb9, 0xb1, 0x7a, 0x73, 0x07, 0x14, 0xcf, 0x04, 0x05, 0x93, - 0x9e, 0xe3, 0xd2, 0x4d, 0x9d, 0x6d, 0x35, 0x68, 0xf9, 0x36, 0xe5, 0x10, - 0x0a, 0x36, 0xd9, 0x48, 0xb0, 0x83, 0xd0, 0xb9, 0x58, 0x74, 0x53, 0xb3, - 0xbc, 0x99, 0xab, 0xe1, 0x3e, 0xd5, 0x01, 0x8e, 0xcf, 0x3a, 0x69, 0x93, - 0x9e, 0xa7, 0x88, 0xd4, 0xad, 0x95, 0xf9, 0x2a, 0xb4, 0x7f, 0x95, 0x97, - 0x86, 0x50, 0x38, 0xb1, 0x04, 0x0a, 0xe4, 0x7a, 0xd5, 0x2d, 0x6c, 0xde, - 0x3e, 0x1a, 0x47, 0x17, 0x88, 0x63, 0x20, 0x9d, 0x21, 0x3e, 0x0c, 0x6f, - 0xfd, 0x20, 0x54, 0xd0, 0x67, 0xd2, 0x6b, 0x06, 0xfe, 0x60, 0x13, 0x42, - 0x3d, 0xb7, 0xca, 0xcb, 0xab, 0x7b, 0x5f, 0x5d, 0x01, 0x56, 0xd3, 0x99, - 0x80, 0x0f, 0xde, 0x7f, 0x3a, 0x61, 0x9c, 0xd3, 0x6b, 0x5e, 0xfe, 0xb5, - 0xfc, 0x39, 0x8b, 0x8e, 0xf0, 0x8c, 0x8b, 0x65, 0x46, 0x45, 0xff, 0x47, - 0x8f, 0xd4, 0xdd, 0xae, 0xc9, 0x72, 0xc7, 0x7f, 0x28, 0x86, 0xf1, 0xf7, - 0x6e, 0xcb, 0x86, 0x03, 0xeb, 0x0c, 0x46, 0xe5, 0xa0, 0x6b, 0xef, 0xd4, - 0x5e, 0xa4, 0x0f, 0x53, 0xe1, 0xbc, 0xb4, 0xc9, 0x37, 0x0e, 0x75, 0xdd, - 0x93, 0xe8, 0x0f, 0x18, 0x0a, 0x02, 0x83, 0x17, 0x74, 0xbb, 
0x1a, 0x42, - 0x5b, 0x63, 0x2c, 0x80, 0x80, 0xa6, 0x84 -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const RSA_INT: [u8; 724] = [ - 0x30, 0x82, 0x02, 0xd0, 0x30, 0x82, 0x01, 0xba, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x07, 0x10, 0xaf, 0xc4, 0x1a, 0x3a, 0x56, 0x4f, 0xd8, - 0xc2, 0xcc, 0x46, 0xd7, 0x5b, 0xdf, 0x1c, 0x4e, 0x2f, 0x49, 0x3a, 0x30, - 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, - 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, - 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x12, 0x31, - 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 0x69, 0x6e, - 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, 0xfd, - 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, 0xe4, - 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, 0xc7, - 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, 0x1a, - 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 0x64, 0x71, 0x08, - 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, 0x02, - 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, 0xab, - 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, 0xed, - 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, 0x3a, - 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, 0x66, - 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, 0x90, - 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, 0xa8, - 0x37, 0xd3, 
0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, 0x5a, - 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, 0xcc, - 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, 0xc0, - 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, 0x1d, - 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, 0x7b, - 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, 0x26, - 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, 0x04, - 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, 0xb8, - 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, 0xac, - 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, - 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, - 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x5e, 0xba, 0x69, 0x55, 0x9f, 0xf8, 0xeb, 0x16, 0x21, 0x98, 0xde, 0xb7, - 0x31, 0x3e, 0x66, 0xe1, 0x3b, 0x0c, 0x29, 0xf7, 0x48, 0x73, 0x05, 0xd9, - 0xce, 0x5e, 0x4c, 0xbe, 0x03, 0xc4, 0x51, 0xd6, 0x21, 0x92, 0x40, 0x38, - 0xaa, 0x5b, 0x28, 0xb5, 0xa1, 0x10, 0x52, 0x57, 0xff, 0x91, 0x54, 0x82, - 0x86, 0x9e, 0x74, 0xd5, 0x3d, 0x82, 0x29, 0xee, 0xd1, 0xcf, 0x93, 0xb1, - 0x24, 0x76, 0xbb, 0x95, 0x41, 0x06, 0x7e, 0x40, 0x9b, 0xb4, 0xab, 0x44, - 0x34, 0x10, 0x8f, 0xb1, 0x51, 0x6f, 0xc0, 0x89, 0xd1, 0xa3, 0xc4, 0x9f, - 0xb3, 0x48, 0xe1, 0xcd, 0x73, 0xad, 0xff, 0x42, 0x5f, 0x76, 0x05, 0x60, - 0xc5, 0xe0, 0x45, 0x79, 0x18, 0xa1, 0x19, 0xb8, 0xa7, 0x3a, 0x64, 0xb3, - 0x19, 0xba, 0x14, 0xa1, 0xb5, 0xdc, 0x32, 0xec, 0x09, 0x39, 0x58, 0x54, - 0x5b, 0x04, 0xdc, 0x1b, 0x66, 0x0d, 0x1d, 0x0d, 0xce, 0x7f, 0xfa, 0x24, - 0x52, 0x6a, 0xad, 0xe2, 0xc8, 0x30, 0xaf, 0xf2, 0xaf, 0x63, 0xc5, 0xe2, - 0xbf, 0xe2, 0x20, 0x1b, 0x9e, 0xf9, 0x3d, 0xbc, 0xfb, 0x04, 0x8e, 0xda, - 0x7a, 0x1a, 
0x5d, 0xd3, 0x13, 0xd7, 0x00, 0x8e, 0x9b, 0x5d, 0x85, 0x51, - 0xda, 0xd3, 0x91, 0x25, 0xf5, 0x67, 0x85, 0x3e, 0x25, 0x89, 0x5e, 0xcb, - 0x89, 0x8a, 0xec, 0x8a, 0xde, 0x8b, 0xf4, 0x33, 0x5f, 0x76, 0xdb, 0x3d, - 0xfc, 0x6a, 0x05, 0x21, 0x43, 0xb2, 0x41, 0xd8, 0x33, 0x8d, 0xfd, 0x05, - 0x5c, 0x22, 0x0a, 0xf6, 0x90, 0x65, 0x9c, 0x4f, 0x8c, 0x44, 0x9f, 0x2d, - 0xca, 0xf3, 0x49, 0x9c, 0x3a, 0x14, 0x88, 0xab, 0xe4, 0xce, 0xb7, 0xbc, - 0x95, 0x22, 0x2e, 0xb1, 0x82, 0x4c, 0xbf, 0x83, 0x3e, 0x49, 0x72, 0x03, - 0x2a, 0x68, 0xe7, 0x2d, 0xe5, 0x2d, 0x4b, 0x61, 0xb0, 0x8d, 0x0d, 0x0c, - 0x87, 0xc6, 0x5c, 0x51 -]; - -#[cfg_attr(rustfmt, rustfmt_skip)] -pub const RSA_ROOT: [u8; 725] = [ - 0x30, 0x82, 0x02, 0xd1, 0x30, 0x82, 0x01, 0xbb, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x14, 0x29, 0x6c, 0x1a, 0xd8, 0x20, 0xcd, 0x74, 0x6d, 0x4b, - 0x00, 0xf3, 0x16, 0x88, 0xd9, 0x66, 0x87, 0x5f, 0x28, 0x56, 0x6a, 0x30, - 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x22, 0x18, - 0x0f, 0x32, 0x30, 0x31, 0x32, 0x30, 0x31, 0x30, 0x33, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x31, 0x32, - 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x13, 0x31, - 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x72, 0x6f, - 0x6f, 0x74, 0x2d, 0x72, 0x73, 0x61, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, - 0x01, 0x01, 0x00, 0xba, 0x88, 0x51, 0xa8, 0x44, 0x8e, 0x16, 0xd6, 0x41, - 0xfd, 0x6e, 0xb6, 0x88, 0x06, 0x36, 0x10, 0x3d, 0x3c, 0x13, 0xd9, 0xea, - 0xe4, 0x35, 0x4a, 0xb4, 0xec, 0xf5, 0x68, 0x57, 0x6c, 0x24, 0x7b, 0xc1, - 0xc7, 0x25, 0xa8, 0xe0, 0xd8, 0x1f, 0xbd, 0xb1, 0x9c, 0x06, 0x9b, 0x6e, - 0x1a, 0x86, 0xf2, 0x6b, 0xe2, 0xaf, 0x5a, 0x75, 0x6b, 0x6a, 
0x64, 0x71, - 0x08, 0x7a, 0xa5, 0x5a, 0xa7, 0x45, 0x87, 0xf7, 0x1c, 0xd5, 0x24, 0x9c, - 0x02, 0x7e, 0xcd, 0x43, 0xfc, 0x1e, 0x69, 0xd0, 0x38, 0x20, 0x29, 0x93, - 0xab, 0x20, 0xc3, 0x49, 0xe4, 0xdb, 0xb9, 0x4c, 0xc2, 0x6b, 0x6c, 0x0e, - 0xed, 0x15, 0x82, 0x0f, 0xf1, 0x7e, 0xad, 0x69, 0x1a, 0xb1, 0xd3, 0x02, - 0x3a, 0x8b, 0x2a, 0x41, 0xee, 0xa7, 0x70, 0xe0, 0x0f, 0x0d, 0x8d, 0xfd, - 0x66, 0x0b, 0x2b, 0xb0, 0x24, 0x92, 0xa4, 0x7d, 0xb9, 0x88, 0x61, 0x79, - 0x90, 0xb1, 0x57, 0x90, 0x3d, 0xd2, 0x3b, 0xc5, 0xe0, 0xb8, 0x48, 0x1f, - 0xa8, 0x37, 0xd3, 0x88, 0x43, 0xef, 0x27, 0x16, 0xd8, 0x55, 0xb7, 0x66, - 0x5a, 0xaa, 0x7e, 0x02, 0x90, 0x2f, 0x3a, 0x7b, 0x10, 0x80, 0x06, 0x24, - 0xcc, 0x1c, 0x6c, 0x97, 0xad, 0x96, 0x61, 0x5b, 0xb7, 0xe2, 0x96, 0x12, - 0xc0, 0x75, 0x31, 0xa3, 0x0c, 0x91, 0xdd, 0xb4, 0xca, 0xf7, 0xfc, 0xad, - 0x1d, 0x25, 0xd3, 0x09, 0xef, 0xb9, 0x17, 0x0e, 0xa7, 0x68, 0xe1, 0xb3, - 0x7b, 0x2f, 0x22, 0x6f, 0x69, 0xe3, 0xb4, 0x8a, 0x95, 0x61, 0x1d, 0xee, - 0x26, 0xd6, 0x25, 0x9d, 0xab, 0x91, 0x08, 0x4e, 0x36, 0xcb, 0x1c, 0x24, - 0x04, 0x2c, 0xbf, 0x16, 0x8b, 0x2f, 0xe5, 0xf1, 0x8f, 0x99, 0x17, 0x31, - 0xb8, 0xb3, 0xfe, 0x49, 0x23, 0xfa, 0x72, 0x51, 0xc4, 0x31, 0xd5, 0x03, - 0xac, 0xda, 0x18, 0x0a, 0x35, 0xed, 0x8d, 0x02, 0x03, 0x01, 0x00, 0x01, - 0xa3, 0x1d, 0x30, 0x1b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0b, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x03, 0x82, 0x01, 0x01, - 0x00, 0x23, 0x2f, 0x9f, 0x72, 0xeb, 0x70, 0x6d, 0x9e, 0x3e, 0x9f, 0xd7, - 0x9c, 0xd9, 0x19, 0x7c, 0x99, 0x07, 0xc5, 0x5c, 0x9d, 0xf5, 0x66, 0x9f, - 0x28, 0x8d, 0xfe, 0x0e, 0x3f, 0x38, 0x75, 0xed, 0xee, 0x4e, 0x3f, 0xf6, - 0x6e, 0x35, 0xe0, 0x95, 0x3f, 0x08, 0x4a, 0x71, 0x5a, 0xf2, 0x4f, 0xc9, - 0x96, 0x61, 0x8d, 0x45, 0x4b, 0x97, 0x85, 0xff, 0xb0, 0xe3, 0xbb, 0xb5, - 0xd7, 0x7e, 0xfb, 0xd2, 0xfc, 0xec, 0xfe, 0x42, 0x9f, 0x4e, 
0x7b, 0xbf, - 0x97, 0xbb, 0xb4, 0x3a, 0x93, 0x0b, 0x13, 0x61, 0x90, 0x0c, 0x3a, 0xce, - 0xf7, 0x8e, 0xef, 0x80, 0xf5, 0x4a, 0x92, 0xc5, 0xa5, 0x03, 0x78, 0xc2, - 0xee, 0xb8, 0x66, 0x60, 0x6b, 0x76, 0x4f, 0x32, 0x5a, 0x1a, 0xa2, 0x4b, - 0x7e, 0x2b, 0xa6, 0x1a, 0x89, 0x01, 0xe3, 0xbb, 0x55, 0x13, 0x7c, 0x4c, - 0xf4, 0x6a, 0x99, 0x94, 0xd1, 0xa0, 0x84, 0x1c, 0x1a, 0xc2, 0x7b, 0xb4, - 0xa0, 0xb0, 0x3b, 0xdc, 0x5a, 0x7b, 0xc7, 0xe0, 0x44, 0xb2, 0x1f, 0x46, - 0xd5, 0x8b, 0x39, 0x8b, 0xdc, 0x9e, 0xce, 0xa8, 0x7f, 0x85, 0x1d, 0x4b, - 0x63, 0x06, 0x1e, 0x8e, 0xe5, 0xe5, 0x99, 0xd9, 0xf7, 0x4d, 0x89, 0x0b, - 0x1d, 0x5c, 0x27, 0x33, 0x66, 0x21, 0xcf, 0x9a, 0xbd, 0x98, 0x68, 0x23, - 0x3a, 0x66, 0x9d, 0xd4, 0x46, 0xed, 0x63, 0x58, 0xf3, 0x42, 0xe4, 0x1d, - 0xe2, 0x47, 0x65, 0x13, 0x8d, 0xd4, 0x1f, 0x4b, 0x7e, 0xde, 0x11, 0x56, - 0xf8, 0x6d, 0x01, 0x0c, 0x99, 0xbd, 0x8d, 0xca, 0x8a, 0x2e, 0xe3, 0x8a, - 0x9c, 0x3d, 0x83, 0x8d, 0x69, 0x62, 0x8d, 0x05, 0xea, 0xb7, 0xf5, 0xa3, - 0x4b, 0xfc, 0x96, 0xcf, 0x18, 0x21, 0x0a, 0xc7, 0xf3, 0x23, 0x7e, 0x1c, - 0xab, 0xe2, 0xa2, 0xd1, 0x83, 0xc4, 0x25, 0x93, 0x37, 0x80, 0xca, 0xda, - 0xf0, 0xef, 0x7d, 0x94, 0xb5 -]; - #[cfg_attr(rustfmt, rustfmt_skip)] pub const COSE_SIGNATURE_BYTES: [u8; 1062] = [ 0xd8, 0x62, 0x84, 0x59, 0x02, 0xa3, 0xa1, 0x04, 0x82, 0x59, 0x01, 0x4e, diff --git a/third_party/rust/cose/src/util.rs b/third_party/rust/cose/src/util.rs index 8767f1ca2966..8f1cf7e95422 100644 --- a/third_party/rust/cose/src/util.rs +++ b/third_party/rust/cose/src/util.rs 
@@ -1,17 +1,17 @@
 use cbor::CborType;
-// Sig_structure is a CBOR array:
-//
-// Sig_structure = [
-// context : "Signature" / "Signature1" / "CounterSignature",
-// body_protected : empty_or_serialized_map,
-// ? sign_protected : empty_or_serialized_map,
-// external_aad : bstr,
-// payload : bstr
-// ]
-//
-// In this case, the context is "Signature". There is no external_aad, so this defaults to a
-// zero-length bstr.
+/// Sig_structure is a CBOR array:
+///
+/// Sig_structure = [
+/// context : "Signature" / "Signature1" / "CounterSignature",
+/// body_protected : empty_or_serialized_map,
+/// ? sign_protected : empty_or_serialized_map,
+/// external_aad : bstr,
+/// payload : bstr
+/// ]
+///
+/// In this case, the context is "Signature". There is no external_aad, so this defaults to a
+/// zero-length bstr.
 pub fn get_sig_struct_bytes(
 protected_body_header_serialized: CborType,
 protected_signature_header_serialized: CborType,
@@ -20,7 +20,7 @@ pub fn get_sig_struct_bytes(
 let sig_structure_array: Vec = vec![CborType::String(String::from("Signature")),
 protected_body_header_serialized,
 protected_signature_header_serialized,
- CborType::Bytes(Vec::new()),
+ CborType::Null,
 CborType::Bytes(payload.to_vec())];
 CborType::Array(sig_structure_array).serialize()
diff --git a/third_party/rust/moz_cbor/.cargo-checksum.json b/third_party/rust/moz_cbor/.cargo-checksum.json
new file mode 100644
index 000000000000..4e6285327975
--- /dev/null
+++ b/third_party/rust/moz_cbor/.cargo-checksum.json
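Review bot: The fourth element of the Sig_structure array becomes `CborType::Null` in the second hunk, while the doc comment converted in the first hunk still declares `external_aad : bstr` and says it "defaults to a zero-length bstr", so the comment no longer describes the bytes that are signed and verified. Because this array is the signature input, a signer or verifier that follows the documented layout would serialize a different structure; whether the signing side was changed to match is not visible in this hunk. Either keep `CborType::Bytes(Vec::new())`, or, if null is intended, change the last comment sentence to something like `/// There is no external_aad; it is encoded as CBOR null, which signers must match.` A test that pins the serialized Sig_structure for a known input would catch later drift between the two sides. The body of get_sig_struct_bytes closes outside the hunk.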
@@ -0,0 +1 @@ +{"files":{".travis.yml":"43ea459b6292b21edfd4589bf83c1c774f56e336df27b1c48066f2333a207c21","Cargo.toml":"a1d8d6927afdd25f903e6d6198fd5577165f15b5cb4a85754626124f9a34d013","LICENSE":"1f256ecad192880510e84ad60474eab7589218784b9a50bc7ceee34c2b91f1d5","README.md":"900075da16923e46236926014f2ce8a0a404dfcedceee43d9ad50e6202ab1184","rustfmt.toml":"e97717e906fcd3eeb86dcee52ed26f13e1884597b016a27172229d9c78dd3d57","src/decoder.rs":"421ade90bb4646fc2229bc0b62aea415e01576abdb64dee7d31d1836b86d6f6b","src/lib.rs":"f5b767eedbee01b3f697afb2dce777c6043e6fea6f9a7eab8387560caaa40100","src/serializer.rs":"edf3d39ef2d70cfc01968d88097897501b110d3db5f7d4e137ec1cd5f6f794d2","src/test_decoder.rs":"29a0b81e8a3e5cf85c97bc04deb421cb2071849aa7b667e9f3537e165b7bef77","src/test_serializer.rs":"3ca4b66feb7dded36ab8755fd0868bed962d689de7a401fc6ae814f12ba40e31"},"package":"9f0dc96d1e40041ad9e6f9986e72e65d45d70dc31cef9d852b47646b2970f238"} \ No newline at end of file diff --git a/third_party/rust/moz_cbor/.travis.yml b/third_party/rust/moz_cbor/.travis.yml new file mode 100644 index 000000000000..1c6e45cece4d --- /dev/null +++ b/third_party/rust/moz_cbor/.travis.yml @@ -0,0 +1,24 @@ +sudo: true +language: rust +cache: cargo +rust: + - stable + - beta + - nightly + +addons: + apt: + packages: + - build-essential + +install: +# Apparently cargo install returns a nonzero exit status if +# caching succeeds, so just make this always "succeed". + - (cargo install rustfmt || true) + +script: +- | + cargo fmt -- --write-mode=diff +- | + cargo build && + cargo test diff --git a/third_party/rust/moz_cbor/Cargo.toml b/third_party/rust/moz_cbor/Cargo.toml new file mode 100644 index 000000000000..48cc8f77b623 --- /dev/null +++ b/third_party/rust/moz_cbor/Cargo.toml 
@@ -0,0 +1,23 @@ +# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO +# +# When uploading crates to the registry Cargo will automatically +# "normalize" Cargo.toml files for maximal compatibility +# with all versions of Cargo and also rewrite `path` dependencies +# to registry (e.g. crates.io) dependencies +# +# If you believe there's an error in this file please file an +# issue against the rust-lang/cargo repository. If you're +# editing this file be aware that the upstream Cargo.toml +# will likely look very different (and much more reasonable) + +[package] +name = "moz_cbor" +version = "0.1.0" +authors = ["Franziskus Kiefer "] +description = "Library to use CBOR (https://tools.ietf.org/html/rfc7049) in Rust" +keywords = ["jose", "cbor"] +license = "MPL-2.0" +repository = "https://github.com/franziskuskiefer/cbor-rust" + +[features] +default = [] diff --git a/third_party/rust/moz_cbor/LICENSE b/third_party/rust/moz_cbor/LICENSE new file mode 100644 index 000000000000..a612ad9813b0 --- /dev/null +++ b/third_party/rust/moz_cbor/LICENSE 
@@ -0,0 +1,373 @@ +Mozilla Public License Version 2.0 +================================== + +1. Definitions +-------------- + +1.1. "Contributor" + means each individual or legal entity that creates, contributes to + the creation of, or owns Covered Software. + +1.2. "Contributor Version" + means the combination of the Contributions of others (if any) used + by a Contributor and that particular Contributor's Contribution. + +1.3. "Contribution" + means Covered Software of a particular Contributor. + +1.4. "Covered Software" + means Source Code Form to which the initial Contributor has attached + the notice in Exhibit A, the Executable Form of such Source Code + Form, and Modifications of such Source Code Form, in each case + including portions thereof. + +1.5. "Incompatible With Secondary Licenses" + means + + (a) that the initial Contributor has attached the notice described + in Exhibit B to the Covered Software; or + + (b) that the Covered Software was made available under the terms of + version 1.1 or earlier of the License, but not also under the + terms of a Secondary License. + +1.6. "Executable Form" + means any form of the work other than Source Code Form. + +1.7. "Larger Work" + means a work that combines Covered Software with other material, in + a separate file or files, that is not Covered Software. + +1.8. "License" + means this document. + +1.9. "Licensable" + means having the right to grant, to the maximum extent possible, + whether at the time of the initial grant or subsequently, any and + all of the rights conveyed by this License. + +1.10. "Modifications" + means any of the following: + + (a) any file in Source Code Form that results from an addition to, + deletion from, or modification of the contents of Covered + Software; or + + (b) any new file in Source Code Form that contains any Covered + Software. + +1.11. 
"Patent Claims" of a Contributor + means any patent claim(s), including without limitation, method, + process, and apparatus claims, in any patent Licensable by such + Contributor that would be infringed, but for the grant of the + License, by the making, using, selling, offering for sale, having + made, import, or transfer of either its Contributions or its + Contributor Version. + +1.12. "Secondary License" + means either the GNU General Public License, Version 2.0, the GNU + Lesser General Public License, Version 2.1, the GNU Affero General + Public License, Version 3.0, or any later versions of those + licenses. + +1.13. "Source Code Form" + means the form of the work preferred for making modifications. + +1.14. "You" (or "Your") + means an individual or a legal entity exercising rights under this + License. For legal entities, "You" includes any entity that + controls, is controlled by, or is under common control with You. For + purposes of this definition, "control" means (a) the power, direct + or indirect, to cause the direction or management of such entity, + whether by contract or otherwise, or (b) ownership of more than + fifty percent (50%) of the outstanding shares or beneficial + ownership of such entity. + +2. License Grants and Conditions +-------------------------------- + +2.1. Grants + +Each Contributor hereby grants You a world-wide, royalty-free, +non-exclusive license: + +(a) under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or + as part of a Larger Work; and + +(b) under Patent Claims of such Contributor to make, use, sell, offer + for sale, have made, import, and otherwise transfer either its + Contributions or its Contributor Version. + +2.2. 
Effective Date + +The licenses granted in Section 2.1 with respect to any Contribution +become effective for each Contribution on the date the Contributor first +distributes such Contribution. + +2.3. Limitations on Grant Scope + +The licenses granted in this Section 2 are the only rights granted under +this License. No additional rights or licenses will be implied from the +distribution or licensing of Covered Software under this License. +Notwithstanding Section 2.1(b) above, no patent license is granted by a +Contributor: + +(a) for any code that a Contributor has removed from Covered Software; + or + +(b) for infringements caused by: (i) Your and any other third party's + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + +(c) under Patent Claims infringed by Covered Software in the absence of + its Contributions. + +This License does not grant any rights in the trademarks, service marks, +or logos of any Contributor (except as may be necessary to comply with +the notice requirements in Section 3.4). + +2.4. Subsequent Licenses + +No Contributor makes additional grants as a result of Your choice to +distribute the Covered Software under a subsequent version of this +License (see Section 10.2) or under the terms of a Secondary License (if +permitted under the terms of Section 3.3). + +2.5. Representation + +Each Contributor represents that the Contributor believes its +Contributions are its original creation(s) or it has sufficient rights +to grant the rights to its Contributions conveyed by this License. + +2.6. Fair Use + +This License is not intended to limit any rights You have under +applicable copyright doctrines of fair use, fair dealing, or other +equivalents. + +2.7. Conditions + +Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted +in Section 2.1. + +3. Responsibilities +------------------- + +3.1. 
Distribution of Source Form + +All distribution of Covered Software in Source Code Form, including any +Modifications that You create or to which You contribute, must be under +the terms of this License. You must inform recipients that the Source +Code Form of the Covered Software is governed by the terms of this +License, and how they can obtain a copy of this License. You may not +attempt to alter or restrict the recipients' rights in the Source Code +Form. + +3.2. Distribution of Executable Form + +If You distribute Covered Software in Executable Form then: + +(a) such Covered Software must also be made available in Source Code + Form, as described in Section 3.1, and You must inform recipients of + the Executable Form how they can obtain a copy of such Source Code + Form by reasonable means in a timely manner, at a charge no more + than the cost of distribution to the recipient; and + +(b) You may distribute such Executable Form under the terms of this + License, or sublicense it under different terms, provided that the + license for the Executable Form does not attempt to limit or alter + the recipients' rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + +You may create and distribute a Larger Work under terms of Your choice, +provided that You also comply with the requirements of this License for +the Covered Software. If the Larger Work is a combination of Covered +Software with a work governed by one or more Secondary Licenses, and the +Covered Software is not Incompatible With Secondary Licenses, this +License permits You to additionally distribute such Covered Software +under the terms of such Secondary License(s), so that the recipient of +the Larger Work may, at their option, further distribute the Covered +Software under the terms of either this License or such Secondary +License(s). + +3.4. 
Notices + +You may not remove or alter the substance of any license notices +(including copyright notices, patent notices, disclaimers of warranty, +or limitations of liability) contained within the Source Code Form of +the Covered Software, except that You may alter any license notices to +the extent required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + +You may choose to offer, and to charge a fee for, warranty, support, +indemnity or liability obligations to one or more recipients of Covered +Software. However, You may do so only on Your own behalf, and not on +behalf of any Contributor. You must make it absolutely clear that any +such warranty, support, indemnity, or liability obligation is offered by +You alone, and You hereby agree to indemnify every Contributor for any +liability incurred by such Contributor as a result of warranty, support, +indemnity or liability terms You offer. You may include additional +disclaimers of warranty and limitations of liability specific to any +jurisdiction. + +4. Inability to Comply Due to Statute or Regulation +--------------------------------------------------- + +If it is impossible for You to comply with any of the terms of this +License with respect to some or all of the Covered Software due to +statute, judicial order, or regulation then You must: (a) comply with +the terms of this License to the maximum extent possible; and (b) +describe the limitations and the code they affect. Such description must +be placed in a text file included with all distributions of the Covered +Software under this License. Except to the extent prohibited by statute +or regulation, such description must be sufficiently detailed for a +recipient of ordinary skill to be able to understand it. + +5. Termination +-------------- + +5.1. The rights granted under this License will terminate automatically +if You fail to comply with any of its terms. 
However, if You become +compliant, then the rights granted under this License from a particular +Contributor are reinstated (a) provisionally, unless and until such +Contributor explicitly and finally terminates Your grants, and (b) on an +ongoing basis, if such Contributor fails to notify You of the +non-compliance by some reasonable means prior to 60 days after You have +come back into compliance. Moreover, Your grants from a particular +Contributor are reinstated on an ongoing basis if such Contributor +notifies You of the non-compliance by some reasonable means, this is the +first time You have received notice of non-compliance with this License +from such Contributor, and You become compliant prior to 30 days after +Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent +infringement claim (excluding declaratory judgment actions, +counter-claims, and cross-claims) alleging that a Contributor Version +directly or indirectly infringes any patent, then the rights granted to +You by any and all Contributors for the Covered Software under Section +2.1 of this License shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all +end user license agreements (excluding distributors and resellers) which +have been validly granted by You or Your distributors under this License +prior to termination shall survive termination. + +************************************************************************ +* * +* 6. Disclaimer of Warranty * +* ------------------------- * +* * +* Covered Software is provided under this License on an "as is" * +* basis, without warranty of any kind, either expressed, implied, or * +* statutory, including, without limitation, warranties that the * +* Covered Software is free of defects, merchantable, fit for a * +* particular purpose or non-infringing. The entire risk as to the * +* quality and performance of the Covered Software is with You. 
* +* Should any Covered Software prove defective in any respect, You * +* (not any Contributor) assume the cost of any necessary servicing, * +* repair, or correction. This disclaimer of warranty constitutes an * +* essential part of this License. No use of any Covered Software is * +* authorized under this License except under this disclaimer. * +* * +************************************************************************ + +************************************************************************ +* * +* 7. Limitation of Liability * +* -------------------------- * +* * +* Under no circumstances and under no legal theory, whether tort * +* (including negligence), contract, or otherwise, shall any * +* Contributor, or anyone who distributes Covered Software as * +* permitted above, be liable to You for any direct, indirect, * +* special, incidental, or consequential damages of any character * +* including, without limitation, damages for lost profits, loss of * +* goodwill, work stoppage, computer failure or malfunction, or any * +* and all other commercial damages or losses, even if such party * +* shall have been informed of the possibility of such damages. This * +* limitation of liability shall not apply to liability for death or * +* personal injury resulting from such party's negligence to the * +* extent applicable law prohibits such limitation. Some * +* jurisdictions do not allow the exclusion or limitation of * +* incidental or consequential damages, so this exclusion and * +* limitation may not apply to You. * +* * +************************************************************************ + +8. Litigation +------------- + +Any litigation relating to this License may be brought only in the +courts of a jurisdiction where the defendant maintains its principal +place of business and such litigation shall be governed by laws of that +jurisdiction, without reference to its conflict-of-law provisions. 
+Nothing in this Section shall prevent a party's ability to bring +cross-claims or counter-claims. + +9. Miscellaneous +---------------- + +This License represents the complete agreement concerning the subject +matter hereof. If any provision of this License is held to be +unenforceable, such provision shall be reformed only to the extent +necessary to make it enforceable. Any law or regulation which provides +that the language of a contract shall be construed against the drafter +shall not be used to construe this License against a Contributor. + +10. Versions of the License +--------------------------- + +10.1. New Versions + +Mozilla Foundation is the license steward. Except as provided in Section +10.3, no one other than the license steward has the right to modify or +publish new versions of this License. Each version will be given a +distinguishing version number. + +10.2. Effect of New Versions + +You may distribute the Covered Software under the terms of the version +of the License under which You originally received the Covered Software, +or under the terms of any subsequent version published by the license +steward. + +10.3. Modified Versions + +If you create software not governed by this License, and you want to +create a new license for such software, you may create and use a +modified version of this License if you rename the license and remove +any references to the name of the license steward (except to note that +such modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary +Licenses + +If You choose to distribute Source Code Form that is Incompatible With +Secondary Licenses under the terms of this version of the License, the +notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice +------------------------------------------- + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. 
If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular +file, then You may include the notice in a location (such as a LICENSE +file in a relevant directory) where a recipient would be likely to look +for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - "Incompatible With Secondary Licenses" Notice +--------------------------------------------------------- + + This Source Code Form is "Incompatible With Secondary Licenses", as + defined by the Mozilla Public License, v. 2.0. diff --git a/third_party/rust/moz_cbor/README.md b/third_party/rust/moz_cbor/README.md new file mode 100644 index 000000000000..5b8da92e6cb1 --- /dev/null +++ b/third_party/rust/moz_cbor/README.md @@ -0,0 +1,8 @@ +# cbor-rust + +A Rust library for [CBOR](https://tools.ietf.org/html/rfc7049). + +[![Build Status](https://travis-ci.org/franziskuskiefer/cbor-rust.svg?branch=master)](https://travis-ci.org/franziskuskiefer/cbor-rust/) +![Maturity Level](https://img.shields.io/badge/maturity-alpha-red.svg) + +**THIS IS WORK IN PROGRESS. DO NOT USE YET.** diff --git a/third_party/rust/moz_cbor/rustfmt.toml b/third_party/rust/moz_cbor/rustfmt.toml new file mode 100644 index 000000000000..a47e18ea00a9 --- /dev/null +++ b/third_party/rust/moz_cbor/rustfmt.toml @@ -0,0 +1,4 @@ +array_layout = "Visual" +array_width = 0 +reorder_imported_names = true +array_horizontal_layout_threshold = 0 diff --git a/third_party/rust/cose/src/cbor/decoder.rs b/third_party/rust/moz_cbor/src/decoder.rs similarity index 99% rename from third_party/rust/cose/src/cbor/decoder.rs rename to third_party/rust/moz_cbor/src/decoder.rs index bb980737e37d..f3eadbee963a 100644 --- a/third_party/rust/cose/src/cbor/decoder.rs +++ b/third_party/rust/moz_cbor/src/decoder.rs 
@@ -1,6 +1,6 @@
 use std::collections::BTreeMap;
 use std::io::{Cursor, Read, Seek, SeekFrom};
-use cbor::{CborError, CborType};
+use {CborError, CborType};
 // We limit the length of any cbor byte array to 128MiB. This is a somewhat
 // arbitrary limit that should work on all platforms and is large enough for
diff --git a/third_party/rust/cose/src/cbor/mod.rs b/third_party/rust/moz_cbor/src/lib.rs
similarity index 100%
rename from third_party/rust/cose/src/cbor/mod.rs
rename to third_party/rust/moz_cbor/src/lib.rs
diff --git a/third_party/rust/cose/src/cbor/serializer.rs b/third_party/rust/moz_cbor/src/serializer.rs
similarity index 99%
rename from third_party/rust/cose/src/cbor/serializer.rs
rename to third_party/rust/moz_cbor/src/serializer.rs
index 70877bbd3710..9e826d8b393e 100644
--- a/third_party/rust/cose/src/cbor/serializer.rs
+++ b/third_party/rust/moz_cbor/src/serializer.rs
@@ -1,5 +1,5 @@
 use std::collections::BTreeMap;
-use cbor::CborType;
+use CborType;
 /// Given a vector of bytes to append to, a tag to use, and an unsigned value to encode, uses the
 /// CBOR unsigned integer encoding to represent the given value.
diff --git a/third_party/rust/cose/src/cbor/test_decoder.rs b/third_party/rust/moz_cbor/src/test_decoder.rs
similarity index 99%
rename from third_party/rust/cose/src/cbor/test_decoder.rs
rename to third_party/rust/moz_cbor/src/test_decoder.rs
index 3392926256b7..f3f7f8235346 100644
--- a/third_party/rust/cose/src/cbor/test_decoder.rs
+++ b/third_party/rust/moz_cbor/src/test_decoder.rs
@@ -1,5 +1,5 @@
-use cbor::decoder::*;
-use cbor::*;
+use {CborError, CborType};
+use decoder::{MAX_ARRAY_SIZE, decode};
 use std::collections::BTreeMap;
 // First test all the basic types
diff --git a/third_party/rust/cose/src/cbor/test_serializer.rs b/third_party/rust/moz_cbor/src/test_serializer.rs similarity index 99% rename from third_party/rust/cose/src/cbor/test_serializer.rs rename to third_party/rust/moz_cbor/src/test_serializer.rs index dc662128a715..3f015be72166 100644 --- a/third_party/rust/cose/src/cbor/test_serializer.rs +++ b/third_party/rust/moz_cbor/src/test_serializer.rs @@ -1,4 +1,4 @@ -use cbor::CborType; +use CborType; use std::collections::BTreeMap; #[test] diff --git a/toolkit/library/gtest/rust/Cargo.lock b/toolkit/library/gtest/rust/Cargo.lock index 94a279c4942a..5144045bf180 100644 --- a/toolkit/library/gtest/rust/Cargo.lock +++ b/toolkit/library/gtest/rust/Cargo.lock @@ -264,15 +264,18 @@ dependencies = [ [[package]] name = "cose" -version = "0.1.2" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "moz_cbor 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", +] [[package]] name = "cose-c" -version = "0.1.1" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" dependencies = [ - "cose 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "cose 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)", ] [[package]] @@ -561,7 +564,7 @@ version = "0.1.0" dependencies = [ "audioipc-client 0.1.0", "audioipc-server 0.1.0", - "cose-c 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)", + "cose-c 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", "cubeb 0.3.0", "cubeb-backend 0.2.0", "cubeb-core 0.1.0", @@ -803,6 +806,11 @@ dependencies = [ "ws2_32-sys 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "moz_cbor" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" + [[package]] name = "mp4parse" version = "0.9.1" 
@@ -1576,8 +1584,8 @@ dependencies = [ "checksum core-foundation-sys 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "152195421a2e6497a8179195672e9d4ee8e45ed8c465b626f1606d27a08ebcd5" "checksum core-graphics 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)" = "5dc0a78ab2ac23b6ea7b3fe5fe93b227900dc0956979735b8f68032417976dd4" "checksum core-text 8.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "bcad23756dd1dc4b47bf6a914ace27aadb8fa68889db5837af2308d018d0467c" -"checksum cose 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "ec10816629f38fa557f08e199a3474fab954f4c8d2645550367235afa6e5646b" -"checksum cose-c 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "07cc8bb85ec2e93541ef9369b85a4b6fb7732bc7f4854d317eab20e726b0fc2f" +"checksum cose 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "72fa26cb151d3ae4b70f63d67d0fed57ce04220feafafbae7f503bef7aae590d" +"checksum cose-c 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "49726015ab0ca765144fcca61e4a7a543a16b795a777fa53f554da2fffff9a94" "checksum cssparser 0.23.2 (registry+https://github.com/rust-lang/crates.io-index)" = "8a807ac3ab7a217829c2a3b65732b926b2befe6a35f33b4bf8b503692430f223" "checksum cssparser-macros 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "079adec4af52bb5275eadd004292028c79eb3c5f5b4ee8086a36d4197032f6df" "checksum darling 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9861a8495606435477df581bc858ccf15a3469747edf175b94a4704fd9aaedac" 
@@ -1624,6 +1632,7 @@ dependencies = [ "checksum mio 0.6.9 (registry+https://github.com/rust-lang/crates.io-index)" = "9e965267d4d58496fc4f740e9861118367f13570cadf66316ed2c3f2f14d87c7" "checksum mio-uds 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "1731a873077147b626d89cc6c2a0db6288d607496c5d10c0cfcf3adc697ec673" "checksum miow 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8c1f2f3b1cf331de6896aabf6e9d55dca90356cc9960cca7eaaf408a355ae919" +"checksum moz_cbor 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9f0dc96d1e40041ad9e6f9986e72e65d45d70dc31cef9d852b47646b2970f238" "checksum mp4parse_fallible 0.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "6626c2aef76eb8f984eef02e475883d3fe9112e114720446c5810fc5f045cd30" "checksum net2 0.2.31 (registry+https://github.com/rust-lang/crates.io-index)" = "3a80f842784ef6c9a958b68b7516bc7e35883c614004dd94959a4dca1b716c09" "checksum nodrop 0.1.12 (registry+https://github.com/rust-lang/crates.io-index)" = "9a2228dca57108069a5262f2ed8bd2e82496d2e074a06d1ccc7ce1687b6ae0a2" diff --git a/toolkit/library/rust/Cargo.lock b/toolkit/library/rust/Cargo.lock index 43b68cfb8fcf..bdc947752946 100644 --- a/toolkit/library/rust/Cargo.lock +++ b/toolkit/library/rust/Cargo.lock @@ -264,15 +264,18 @@ dependencies = [ [[package]] name = "cose" -version = "0.1.2" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" +dependencies = [ + "moz_cbor 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)", +] [[package]] name = "cose-c" -version = "0.1.1" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" dependencies = [ - "cose 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)", + "cose 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)", ] [[package]] 
@@ -560,7 +563,7 @@ version = "0.1.0" dependencies = [ "audioipc-client 0.1.0", "audioipc-server 0.1.0", - "cose-c 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)", + "cose-c 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)", "cubeb 0.3.0", "cubeb-backend 0.2.0", "cubeb-core 0.1.0", @@ -802,6 +805,11 @@ dependencies = [ "ws2_32-sys 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)", ] +[[package]] +name = "moz_cbor" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" + [[package]] name = "mp4parse" version = "0.9.1" 
@@ -1588,8 +1596,8 @@ dependencies = [ "checksum core-foundation-sys 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "152195421a2e6497a8179195672e9d4ee8e45ed8c465b626f1606d27a08ebcd5" "checksum core-graphics 0.12.3 (registry+https://github.com/rust-lang/crates.io-index)" = "5dc0a78ab2ac23b6ea7b3fe5fe93b227900dc0956979735b8f68032417976dd4" "checksum core-text 8.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "bcad23756dd1dc4b47bf6a914ace27aadb8fa68889db5837af2308d018d0467c" -"checksum cose 0.1.2 (registry+https://github.com/rust-lang/crates.io-index)" = "ec10816629f38fa557f08e199a3474fab954f4c8d2645550367235afa6e5646b" -"checksum cose-c 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "07cc8bb85ec2e93541ef9369b85a4b6fb7732bc7f4854d317eab20e726b0fc2f" +"checksum cose 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "72fa26cb151d3ae4b70f63d67d0fed57ce04220feafafbae7f503bef7aae590d" +"checksum cose-c 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "49726015ab0ca765144fcca61e4a7a543a16b795a777fa53f554da2fffff9a94" "checksum cssparser 0.23.2 (registry+https://github.com/rust-lang/crates.io-index)" = "8a807ac3ab7a217829c2a3b65732b926b2befe6a35f33b4bf8b503692430f223" "checksum cssparser-macros 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "079adec4af52bb5275eadd004292028c79eb3c5f5b4ee8086a36d4197032f6df" "checksum darling 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9861a8495606435477df581bc858ccf15a3469747edf175b94a4704fd9aaedac" 
@@ -1636,6 +1644,7 @@ dependencies = [ "checksum mio 0.6.9 (registry+https://github.com/rust-lang/crates.io-index)" = "9e965267d4d58496fc4f740e9861118367f13570cadf66316ed2c3f2f14d87c7" "checksum mio-uds 0.6.4 (registry+https://github.com/rust-lang/crates.io-index)" = "1731a873077147b626d89cc6c2a0db6288d607496c5d10c0cfcf3adc697ec673" "checksum miow 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8c1f2f3b1cf331de6896aabf6e9d55dca90356cc9960cca7eaaf408a355ae919" +"checksum moz_cbor 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "9f0dc96d1e40041ad9e6f9986e72e65d45d70dc31cef9d852b47646b2970f238" "checksum mp4parse_fallible 0.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "6626c2aef76eb8f984eef02e475883d3fe9112e114720446c5810fc5f045cd30" "checksum net2 0.2.31 (registry+https://github.com/rust-lang/crates.io-index)" = "3a80f842784ef6c9a958b68b7516bc7e35883c614004dd94959a4dca1b716c09" "checksum nodrop 0.1.12 (registry+https://github.com/rust-lang/crates.io-index)" = "9a2228dca57108069a5262f2ed8bd2e82496d2e074a06d1ccc7ce1687b6ae0a2" diff --git a/toolkit/library/rust/shared/Cargo.toml b/toolkit/library/rust/shared/Cargo.toml index ad5485c93c15..8643e07af5d9 100644 --- a/toolkit/library/rust/shared/Cargo.toml +++ b/toolkit/library/rust/shared/Cargo.toml @@ -25,7 +25,7 @@ u2fhid = { path = "../../../../dom/webauthn/u2f-hid-rs" } # We have these to enforce common feature sets for said crates. log = {version = "0.3", features = ["release_max_level_info"]} syn = { version = "0.11", features = ["full", "visit", "parsing"] } -cose-c = { version = "0.1.1" } +cose-c = { version = "0.1.5" } [features] default = []