tor-browser

The Tor Browser

commit 5ed2c19f42866b7a79cc5de54a9f025824060896
parent c6e3b41d76869c0f5cf48e2fb894afd7539256ee
Author: Dennis Jackson <djackson@mozilla.com>
Date:   Fri,  3 Oct 2025 15:38:16 +0000

Bug 1988290 - Update to NSS 3.117. r=jschanck UPGRADE_NSS_RELEASE

Differential Revision: https://phabricator.services.mozilla.com/D267398

Diffstat:
Msecurity/manager/ssl/RootHashes.inc | 12++++++++++++
Msecurity/manager/tools/KnownRootHashes.txt | 2++
Msecurity/nss/TAG-INFO | 4++--
Msecurity/nss/cmd/dbtool/dbtool.c | 21+++++++++++++++++++++
Msecurity/nss/doc/rst/releases/index.rst | 34+++++-----------------------------
Asecurity/nss/doc/rst/releases/nss_3_117.rst | 53+++++++++++++++++++++++++++++++++++++++++++++++++++++
Msecurity/nss/gtests/der_gtest/der_gtest.gyp | 1+
Asecurity/nss/gtests/der_gtest/secasn1decode_unittest.cc | 86+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msecurity/nss/lib/ckfw/builtins/certdata.txt | 558+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msecurity/nss/lib/ckfw/builtins/nssckbi.h | 4++--
Msecurity/nss/lib/nss/nss.h | 4++--
Msecurity/nss/lib/softoken/softkver.h | 4++--
Msecurity/nss/lib/util/nssutil.h | 4++--
Msecurity/nss/lib/util/secasn1d.c | 21+++------------------
Msecurity/nss/moz.yaml | 6+++---
15 files changed, 754 insertions(+), 60 deletions(-)

diff --git a/security/manager/ssl/RootHashes.inc b/security/manager/ssl/RootHashes.inc
@@ -604,6 +604,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
 99 /* Bin Number */
 },
 {
+ /* OISTE Server Root RSA G1 */
+ { 0x9a, 0xe3, 0x62, 0x32, 0xa5, 0x18, 0x9f, 0xfd, 0xdb, 0x35, 0x3d, 0xfd, 0x26, 0x52, 0x0c, 0x01,
+ 0x53, 0x95, 0xd2, 0x27, 0x77, 0xda, 0xc5, 0x9d, 0xb5, 0x7b, 0x98, 0xc0, 0x89, 0xa6, 0x51, 0xe6 },
+ 150 /* Bin Number */
+ },
+ {
 /* UCA Global G2 Root */
 { 0x9b, 0xea, 0x11, 0xc9, 0x76, 0xfe, 0x01, 0x47, 0x64, 0xc1, 0xbe, 0x56, 0xa6, 0xf9, 0x14, 0xb5,
 0xa5, 0x60, 0x31, 0x7a, 0xbd, 0x99, 0x88, 0x39, 0x33, 0x82, 0xe5, 0x16, 0x1a, 0xa0, 0x49, 0x3c },
@@ -838,6 +844,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
 136 /* Bin Number */
 },
 {
+ /* OISTE Server Root ECC G1 */
+ { 0xee, 0xc9, 0x97, 0xc0, 0xc3, 0x0f, 0x21, 0x6f, 0x7e, 0x3b, 0x8b, 0x30, 0x7d, 0x2b, 0xae, 0x42,
+ 0x41, 0x2d, 0x75, 0x3f, 0xc8, 0x21, 0x9d, 0xaf, 0xd1, 0x52, 0x0b, 0x25, 0x72, 0x85, 0x0f, 0x49 },
+ 151 /* Bin Number */
+ },
+ {
 /* Telekom Security TLS RSA Root 2023 */
 { 0xef, 0xc6, 0x5c, 0xad, 0xbb, 0x59, 0xad, 0xb6, 0xef, 0xe8, 0x4d, 0xa2, 0x23, 0x11, 0xb3, 0x56,
 0x24, 0xb7, 0x1b, 0x3b, 0x1e, 0xa0, 0xda, 0x8b, 0x66, 0x55, 0x17, 0x4e, 0xc8, 0x97, 0x86, 0x46 },
diff --git a/security/manager/tools/KnownRootHashes.txt b/security/manager/tools/KnownRootHashes.txt
@@ -145,3 +145,5 @@ wKb03GOiS/3PVO8qaggqCnLeNYA+L/X/Unrl2HIG39U= 146 ePKI Root Certification Authori
 BsCNfa/YdpcesRJP5n+EfsDHoVjT6lPL6UDi6peR9MM= 147 TrustAsia TLS RSA Root CA
 GTFE9DHg/dt0BxfU3pJqVxEziEtDYNMOJykTy+ZgzkE= 148 SwissSign RSA TLS Root CA 2022 - 1
 wAdrnvBTH7GmVtZ8Tr6XzV26pB70RZiswkiYeMkthxE= 149 TrustAsia TLS ECC Root CA
+muNiMqUYn/3bNT39JlIMAVOV0id32sWdtXuYwImmUeY= 150 OISTE Server Root RSA G1
+7smXwMMPIW9+O4swfSuuQkEtdT/IIZ2v0VILJXKFD0k= 151 OISTE Server Root ECC G1
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_116_RTM
-\ No newline at end of file
+NSS_3_117_RTM
+\ No newline at end of file
diff --git a/security/nss/cmd/dbtool/dbtool.c b/security/nss/cmd/dbtool/dbtool.c
@@ -809,5 +809,26 @@ main(int argc, char **argv)
 /* now dump the objects in the cert database */
 dumpDB(certdb, "CertDB", keydb, PR_FALSE);
 dumpDB(keydb, "KeyDB", keydb, PR_TRUE);
+
+ crv = sdb_Close(certdb);
+ if (crv != CKR_OK) {
+ PR_fprintf(PR_STDERR,
+ "Couldn't close cert database in %s, error=%s (0x%08x)\n",
+ dbDir, ErrorName(crv), (int)crv);
+ }
+
+ crv = sdb_Close(keydb);
+ if (crv != CKR_OK) {
+ PR_fprintf(PR_STDERR,
+ "Couldn't close key database in %s, error=%s (0x%08x)\n",
+ dbDir, ErrorName(crv), (int)crv);
+ }
+
+ crv = s_shutdown();
+ if (crv != CKR_OK) {
+ PR_fprintf(PR_STDERR,
+ "Error in s_shutdown, error=%s (0x%08x)\n",
+ ErrorName(crv), (int)crv);
+ }
 return 0;
 }
diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst
@@ -8,6 +8,7 @@ Release Notes
 :glob:
 :hidden:
+ nss_3_117.rst
 nss_3_116.rst
 nss_3_115_1.rst
 nss_3_115.rst
@@ -18,10 +19,8 @@ Release Notes
 nss_3_112.rst
 nss_3_111.rst
 nss_3_110.rst
- nss_3_101_4.rst
 nss_3_109.rst
 nss_3_108.rst
- nss_3_101_3.rst
 nss_3_107.rst
 nss_3_106.rst
 nss_3_105.rst
@@ -29,6 +28,8 @@ Release Notes
 nss_3_103.rst
 nss_3_102_1.rst
 nss_3_102.rst
+ nss_3_101_4.rst
+ nss_3_101_3.rst
 nss_3_101_2.rst
 nss_3_101_1.rst
 nss_3_101.rst
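Review bot: In dbtool.c's main(), the three new failure branches (sdb_Close(certdb), sdb_Close(keydb), s_shutdown()) only print to stderr and the function still ends with `return 0;`, so a caller scripting the tool cannot distinguish a clean run from one where a database failed to close or the module failed to shut down. Consider recording the failure with `int rv = 0;` before the first close, `rv = 1;` inside each `if (crv != CKR_OK)` branch, and `return rv;` at the end. If the exit status is deliberately meant to reflect only the dump, a comment such as `/* close/shutdown failures are reported but do not change the exit status */` would make that explicit. This cleanup runs only on the success path shown here; main() starts outside the hunk, so whether its earlier error returns leave certdb/keydb open cannot be judged from these lines.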
@@ -93,33 +94,8 @@ Release Notes
 .. note::
- **NSS 3.116** is the latest version of NSS.
- Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_116_release_notes`
+ **NSS 3.117** is the latest version of NSS.
+ Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_117_release_notes`
 **NSS 3.112.1 (ESR)** is the latest ESR version of NSS.
 Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_1_release_notes`
-
-.. container::
-
- Changes in 3.116 included in this release:
-
- - Bug 1983308 - disable DSA in NSS script tests.
- - Bug 1983308 - Disabling of some algorithms: generic cert.sh.
- - Bug 1981046 - Need to update to new mechanisms.
- - Bug 1983320 - Add ML-DSA public key printing support in NSS command-line utilities.
- - Bug 1986802 - note embedded scts before revocation checks are performed.
- - Bug 1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface.
- - Bug 1983320 - Add support for ML-DSA key type and public key structure.
- - Bug 1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag.
- - Bug 1983308 - disable kyber.
- - Bug 1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature).
- - Bug 1983308 - Disable dsa - gtests.
- - Bug 1983313 - make group and scheme support in test tools generic.
- - Bug 1983770 - Create GH workflow to automatically close PRs.
- - Bug 1983308 - Disable dsa - base code.
- - Bug 1983308 - Disabling of some algorithms: remove dsa from pk11_mode.
- - Bug 1983308 - Disable seed and RC2 bug fixes.
- - Bug 1982742 - restore support for finding certificates by decoded serial number.
- - Bug 1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups.
- - Bug 1983399 - lib/softtoken/{sdb.c,sftkdbti.h}: Align sftkdb_known_attributes_size type.
- - Bug 1965329 - Use PKCS #11 v3.2 KEM mechanisms and functions.
diff --git a/security/nss/doc/rst/releases/nss_3_117.rst b/security/nss/doc/rst/releases/nss_3_117.rst
@@ -0,0 +1,53 @@
+.. _mozilla_projects_nss_nss_3_117_release_notes:
+
+NSS 3.117 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.117 was released on *3 October 2025**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_117_RTM. NSS 3.117 requires NSPR 4.37 or newer.
+
+ NSS 3.117 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_117_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.117:
+
+`Changes in NSS 3.117 <#changes_in_nss_3.117>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - Bug 1992218 - fix memory leak in secasn1decode_unittest.cc.
+ - Bug 1988913 - Add OISTE roots.
+ - Bug 1976051 - Add runbook for certdata.txt changes.
+ - Bug 1991666 - dbtool: close databases before shutdown.
+ - Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates.
+ - Bug 1956754 - don't flush base64 when buffer is null.
+ - Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds.
+ - Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs.
+ - Bug 1980465 - Fix a big-endian-problematic cast in zlib calls.
+ - Bug 1962321 - Revert removing out/ directory after ossfuzz build.
+ - Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build.
+ - Bug 1984704 - Add PKCS#11 trust tests.
+ - Bug 1983308 - final disable dsa patch cert.sh.
+ - Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures.
+ - Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function.
+ - Bug 1983320 - ml-dsa: softoken changes.
+ - Bug 1983320 - ml-dsa: der key decode.
+ - Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi.
+ - Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function.
+
diff --git a/security/nss/gtests/der_gtest/der_gtest.gyp b/security/nss/gtests/der_gtest/der_gtest.gyp
@@ -14,6 +14,7 @@
 'der_getint_unittest.cc',
 'der_quickder_unittest.cc',
 'p12_import_unittest.cc',
+ 'secasn1decode_unittest.cc',
 '<(DEPTH)/gtests/common/gtests.cc'
 ],
 'dependencies': [
diff --git a/security/nss/gtests/der_gtest/secasn1decode_unittest.cc b/security/nss/gtests/der_gtest/secasn1decode_unittest.cc
@@ -0,0 +1,86 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs_util.h"
+
+#include "nss.h"
+#include "prerror.h"
+#include "secasn1.h"
+#include "secasn1t.h"
+#include "secerr.h"
+#include "secport.h"
+
+class SECASN1DecodeTest : public ::testing::Test {};
+
+struct Item {
+ SECItem value;
+};
+
+const SEC_ASN1Template ItemTemplate[] = {
+ {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Item)}, {0}};
+
+static const SEC_ASN1Template ItemsTemplate[] = {
+ {SEC_ASN1_SEQUENCE_OF, 0, ItemTemplate}, {0}};
+
+struct Container {
+ struct Item** items;
+};
+
+const SEC_ASN1Template ContainerTemplate[] = {
+ {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Container)},
+ {SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 0,
+ offsetof(struct Container, items), ItemsTemplate},
+ {0}};
+
+// clang-format off
+const unsigned char kEndOfContentsInDefiniteLengthContext[] = {
+ 0x30, 0x06,
+ 0xa0, 0x04,
+ 0x30, 0x00,
+ 0x00, 0x00, // EOC in definite length context
+};
+// clang-format on
+
+TEST_F(SECASN1DecodeTest, EndOfContentsInDefiniteLengthContext) {
+ ScopedPLArenaPool pool(PORT_NewArena(1024));
+ struct Container* decoded = reinterpret_cast<struct Container*>(
+ PORT_ArenaZAlloc(pool.get(), sizeof(struct Container)));
+ SEC_ASN1DecoderContext* ctx =
+ SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate);
+ ASSERT_TRUE(ctx);
+ ASSERT_EQ(
+ SEC_ASN1DecoderUpdate(
+ ctx,
+ reinterpret_cast<const char*>(kEndOfContentsInDefiniteLengthContext),
+ sizeof(kEndOfContentsInDefiniteLengthContext)),
+ SECFailure);
+ ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);
+ ASSERT_EQ(SECSuccess, SEC_ASN1DecoderFinish(ctx));
+}
+
+// clang-format off
+const unsigned char kContentsTooShort[] = {
+ 0x30, 0x06,
+ 0xa0, 0x04,
+ 0x30, 0x00, // There should be two more bytes after this
+};
+// clang-format on
+
+TEST_F(SECASN1DecodeTest, ContentsTooShort) {
+ ScopedPLArenaPool pool(PORT_NewArena(1024));
+ struct Container* decoded = reinterpret_cast<struct Container*>(
+ PORT_ArenaZAlloc(pool.get(), sizeof(struct Container)));
+ SEC_ASN1DecoderContext* ctx =
+ SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate);
+ ASSERT_TRUE(ctx);
+ ASSERT_EQ(SEC_ASN1DecoderUpdate(
+ ctx, reinterpret_cast<const char*>(kContentsTooShort),
+ sizeof(kContentsTooShort)),
+ SECFailure);
+ ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);
+ ASSERT_EQ(SECSuccess, SEC_ASN1DecoderFinish(ctx));
+}
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
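Review bot: In secasn1decode_unittest.cc both tests use fatal `ASSERT_EQ` for the SEC_ASN1DecoderUpdate result and for PR_GetError(), so if either expectation fails the test body returns before `SEC_ASN1DecoderFinish(ctx)` runs; the arena is held by a scoped pointer but `ctx` is a raw pointer released only by that call. Making the two intermediate checks non-fatal, e.g. `EXPECT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);`, keeps the Finish call reachable in both EndOfContentsInDefiniteLengthContext and ContentsTooShort. `decoded` is also handed to SEC_ASN1DecoderStart without a null check, and `ASSERT_TRUE(decoded);` before the Start call would turn an allocation failure into a clear test failure. Since both cases only assert rejection, a companion test that decodes a well-formed encoding through the same ContainerTemplate and expects success would show that SEC_ERROR_BAD_DER comes from the malformed length handling rather than from a template mismatch.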
@@ -26748,3 +26748,561 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "OISTE Client Root ECC G1" +# +# Issuer: CN=OISTE Client Root ECC G1,O=OISTE Foundation,C=CH +# Serial Number:54:ec:97:d6:8b:b4:c4:0b:21:6e:0e:b2:d0:53:c8:7a +# Subject: CN=OISTE Client Root ECC G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:31:40 2023 +# Not Valid After : Sun May 24 14:31:39 2048 +# Fingerprint (SHA-256): D9:A3:24:85:A8:CC:A8:55:39:CE:F1:2F:FF:FF:71:13:78:A1:78:51:D7:3D:A2:73:2A:B4:30:2D:76:3B:D6:2B +# Fingerprint (SHA1): C0:2B:13:F9:1D:77:56:ED:6C:92:83:F1:86:DF:2A:D5:1E:6E:F2:BC +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE Client Root ECC G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\103\154\151\145\156 +\164\040\122\157\157\164\040\105\103\103\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\103\154\151\145\156 +\164\040\122\157\157\164\040\105\103\103\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\124\354\227\326\213\264\304\013\041\156\016\262\320\123 +\310\172 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\064\060\202\001\272\240\003\002\001\002\002\020\124 
+\354\227\326\213\264\304\013\041\156\016\262\320\123\310\172\060 +\012\006\010\052\206\110\316\075\004\003\003\060\113\061\013\060 +\011\006\003\125\004\006\023\002\103\110\061\031\060\027\006\003 +\125\004\012\014\020\117\111\123\124\105\040\106\157\165\156\144 +\141\164\151\157\156\061\041\060\037\006\003\125\004\003\014\030 +\117\111\123\124\105\040\103\154\151\145\156\164\040\122\157\157 +\164\040\105\103\103\040\107\061\060\036\027\015\062\063\060\065 +\063\061\061\064\063\061\064\060\132\027\015\064\070\060\065\062 +\064\061\064\063\061\063\071\132\060\113\061\013\060\011\006\003 +\125\004\006\023\002\103\110\061\031\060\027\006\003\125\004\012 +\014\020\117\111\123\124\105\040\106\157\165\156\144\141\164\151 +\157\156\061\041\060\037\006\003\125\004\003\014\030\117\111\123 +\124\105\040\103\154\151\145\156\164\040\122\157\157\164\040\105 +\103\103\040\107\061\060\166\060\020\006\007\052\206\110\316\075 +\002\001\006\005\053\201\004\000\042\003\142\000\004\210\116\150 +\037\311\236\276\072\004\133\025\303\065\364\314\120\305\010\255 +\070\156\250\074\322\002\272\314\253\045\375\165\100\375\147\031 +\237\033\012\135\366\313\026\173\371\134\036\202\334\025\104\324 +\234\074\155\141\223\105\364\117\317\142\271\337\076\123\215\232 +\324\112\336\210\252\013\246\361\324\141\326\036\164\325\030\262 +\305\115\114\357\200\173\354\015\353\203\071\124\226\243\143\060 +\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001 +\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024\231 +\127\073\071\261\055\000\214\041\146\214\225\151\234\155\165\354 +\214\077\372\060\035\006\003\125\035\016\004\026\004\024\231\127 +\073\071\261\055\000\214\041\146\214\225\151\234\155\165\354\214 +\077\372\060\016\006\003\125\035\017\001\001\377\004\004\003\002 +\001\206\060\012\006\010\052\206\110\316\075\004\003\003\003\150 +\000\060\145\002\061\000\226\377\344\202\116\026\042\133\240\205 +\030\074\075\072\217\040\006\010\045\347\365\221\066\031\255\173 
+\264\337\133\146\022\067\163\160\355\315\005\050\007\136\010\316 +\015\102\137\031\221\002\002\060\147\111\207\256\006\101\035\040 +\323\061\246\252\046\067\361\047\212\141\015\376\232\006\103\247 +\056\236\046\107\243\062\030\213\350\136\120\005\361\260\172\110 +\166\336\333\241\142\112\272\167 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "OISTE Client Root ECC G1" +# Issuer: CN=OISTE Client Root ECC G1,O=OISTE Foundation,C=CH +# Serial Number:54:ec:97:d6:8b:b4:c4:0b:21:6e:0e:b2:d0:53:c8:7a +# Subject: CN=OISTE Client Root ECC G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:31:40 2023 +# Not Valid After : Sun May 24 14:31:39 2048 +# Fingerprint (SHA-256): D9:A3:24:85:A8:CC:A8:55:39:CE:F1:2F:FF:FF:71:13:78:A1:78:51:D7:3D:A2:73:2A:B4:30:2D:76:3B:D6:2B +# Fingerprint (SHA1): C0:2B:13:F9:1D:77:56:ED:6C:92:83:F1:86:DF:2A:D5:1E:6E:F2:BC +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE Client Root ECC G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\300\053\023\371\035\167\126\355\154\222\203\361\206\337\052\325 +\036\156\362\274 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\121\257\341\070\170\021\354\345\310\237\135\233\065\362\114\054 +END +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\103\154\151\145\156 +\164\040\122\157\157\164\040\105\103\103\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\124\354\227\326\213\264\304\013\041\156\016\262\320\123 +\310\172 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING 
CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "OISTE Client Root RSA G1" +# +# Issuer: CN=OISTE Client Root RSA G1,O=OISTE Foundation,C=CH +# Serial Number:34:17:6f:59:01:88:1b:aa:a5:dd:c8:48:bb:b4:3b:73 +# Subject: CN=OISTE Client Root RSA G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:23:29 2023 +# Not Valid After : Sun May 24 14:23:28 2048 +# Fingerprint (SHA-256): D0:2A:0F:99:4A:86:8C:66:39:5F:2E:7A:88:0D:F5:09:BD:0C:29:C9:6D:E1:60:15:A0:FD:50:1E:DA:4F:96:A9 +# Fingerprint (SHA1): BD:A8:13:20:E0:BF:97:ED:A2:8E:9E:18:5F:F2:D5:FE:E5:2B:13:D5 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE Client Root RSA G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\103\154\151\145\156 +\164\040\122\157\157\164\040\122\123\101\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\103\154\151\145\156 +\164\040\122\157\157\164\040\122\123\101\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\064\027\157\131\001\210\033\252\245\335\310\110\273\264 +\073\163 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\203\060\202\003\153\240\003\002\001\002\002\020\064 +\027\157\131\001\210\033\252\245\335\310\110\273\264\073\163\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\113 +\061\013\060\011\006\003\125\004\006\023\002\103\110\061\031\060 
+\027\006\003\125\004\012\014\020\117\111\123\124\105\040\106\157 +\165\156\144\141\164\151\157\156\061\041\060\037\006\003\125\004 +\003\014\030\117\111\123\124\105\040\103\154\151\145\156\164\040 +\122\157\157\164\040\122\123\101\040\107\061\060\036\027\015\062 +\063\060\065\063\061\061\064\062\063\062\071\132\027\015\064\070 +\060\065\062\064\061\064\062\063\062\070\132\060\113\061\013\060 +\011\006\003\125\004\006\023\002\103\110\061\031\060\027\006\003 +\125\004\012\014\020\117\111\123\124\105\040\106\157\165\156\144 +\141\164\151\157\156\061\041\060\037\006\003\125\004\003\014\030 +\117\111\123\124\105\040\103\154\151\145\156\164\040\122\157\157 +\164\040\122\123\101\040\107\061\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 +\060\202\002\012\002\202\002\001\000\272\117\376\376\124\023\265 +\204\074\274\340\323\061\361\035\156\334\304\123\161\372\344\071 +\121\103\166\175\222\037\201\177\000\153\101\302\346\332\334\030 +\115\154\027\131\160\011\063\142\354\151\210\055\260\335\131\371 +\141\140\140\126\361\266\264\357\353\207\320\023\376\303\317\157 +\217\176\071\130\121\263\211\002\216\124\225\036\042\137\253\050 +\005\103\047\370\105\364\011\102\046\224\376\275\023\170\273\221 +\362\020\020\234\015\147\174\332\144\040\353\172\060\032\272\110 +\015\170\124\052\231\061\064\253\313\246\152\347\014\147\071\146 +\244\046\250\047\050\347\363\346\074\163\344\053\314\157\061\056 +\023\164\141\313\150\346\322\063\316\122\274\176\145\044\132\041 +\201\061\103\252\262\234\321\030\347\141\074\122\257\200\211\351 +\064\106\336\371\115\231\132\155\035\275\306\045\321\223\125\216 +\370\047\222\103\072\214\225\105\100\343\211\030\247\206\301\131 +\230\312\333\046\034\023\300\214\201\271\230\260\255\151\255\156 +\030\343\173\142\101\365\255\066\376\013\264\173\040\137\237\251 +\156\371\231\202\022\122\322\212\304\124\170\264\174\367\101\233 +\003\347\007\136\263\302\271\111\144\147\222\026\304\140\220\016 
+\260\202\175\063\255\320\066\352\321\166\153\174\210\107\230\254 +\033\371\264\120\214\141\201\151\330\061\363\215\372\076\362\365 +\113\257\316\303\035\357\137\050\033\353\030\326\240\130\122\062 +\276\102\157\315\111\227\042\301\160\271\323\343\140\117\336\203 +\202\240\116\060\275\163\123\302\275\027\375\240\300\230\217\352 +\016\027\007\346\103\225\040\116\333\021\250\371\343\323\270\047 +\107\014\047\333\022\353\201\125\314\165\333\237\323\027\103\304 +\373\353\212\050\155\351\257\104\120\132\103\373\361\071\342\223 +\120\317\230\374\104\226\130\070\245\245\355\105\303\122\102\005 +\247\357\345\074\244\254\075\347\326\251\126\005\252\260\303\247 +\031\344\345\075\327\127\104\155\224\021\037\312\160\310\374\271 +\114\314\101\132\203\164\123\220\170\317\326\324\056\117\261\252 +\115\056\365\321\010\133\072\144\357\310\247\250\172\141\354\354 +\246\325\210\116\266\124\324\130\221\302\045\144\221\274\012\024 +\075\222\024\232\265\013\006\351\057\002\003\001\000\001\243\143 +\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003 +\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024 +\051\202\045\065\012\072\276\222\053\344\011\003\344\354\217\215 +\070\162\071\313\060\035\006\003\125\035\016\004\026\004\024\051 +\202\045\065\012\072\276\222\053\344\011\003\344\354\217\215\070 +\162\071\313\060\016\006\003\125\035\017\001\001\377\004\004\003 +\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\003\202\002\001\000\155\043\206\302\377\365\340\310\300 +\125\212\140\061\314\227\103\107\160\103\323\343\354\122\372\323 +\302\236\373\211\062\032\312\106\223\117\004\227\053\333\320\234 +\204\015\225\007\102\124\376\357\151\041\337\222\003\056\217\067 +\041\043\167\251\167\067\154\240\304\256\234\247\130\071\112\025 +\227\142\106\203\121\040\355\077\302\243\361\303\142\047\320\254 +\023\036\376\074\122\035\220\325\143\361\251\136\352\177\347\347 +\353\226\132\121\354\324\251\033\343\014\224\146\254\313\210\222 
+\111\276\163\134\212\340\152\274\246\201\315\263\134\324\043\222 +\310\115\371\040\214\160\224\113\150\155\362\217\036\154\065\367 +\350\137\324\327\275\040\067\122\146\377\053\273\111\146\267\161 +\250\054\137\163\017\007\222\347\116\137\245\006\333\311\212\074 +\227\305\102\352\175\017\201\033\127\353\236\014\017\377\243\047 +\040\111\123\246\263\072\114\313\155\060\065\332\362\360\232\376 +\120\337\155\134\044\075\115\167\152\175\206\137\114\320\341\246 +\264\256\004\023\001\220\361\200\150\204\007\224\202\007\203\353 +\221\345\223\016\165\221\256\243\043\040\111\144\324\272\071\226 +\127\160\356\125\064\050\174\326\257\312\251\236\346\311\001\311 +\007\301\320\104\261\200\264\121\120\252\217\366\234\345\147\163 +\320\033\352\203\065\027\057\120\306\336\126\307\273\243\003\313 +\342\241\030\350\370\316\121\006\243\322\003\100\141\032\247\147 +\127\203\374\321\022\271\050\252\332\116\153\325\234\330\205\067 +\332\275\042\327\064\131\234\032\246\316\170\326\224\170\007\006 +\017\261\223\041\240\111\307\020\236\012\256\121\167\032\371\161 +\220\303\255\230\017\212\051\152\140\001\252\117\255\040\003\055 +\152\216\243\013\152\326\375\223\014\212\141\313\275\050\361\137 +\161\375\270\063\071\326\112\361\366\262\150\122\076\145\217\103 +\235\201\044\044\366\050\114\065\247\375\063\012\245\170\301\004 +\037\354\111\152\304\256\325\104\026\246\247\215\177\332\041\226 +\076\250\272\026\147\324\251\241\347\302\232\370\020\331\073\232 +\356\150\366\057\000\356\313\273\146\215\042\070\206\364\277\137 +\170\251\310\240\035\132\273\165\120\371\122\013\017\035\002\054 +\024\032\363\207\152\167\363 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "OISTE Client Root RSA G1" +# Issuer: CN=OISTE Client Root RSA G1,O=OISTE Foundation,C=CH +# Serial Number:34:17:6f:59:01:88:1b:aa:a5:dd:c8:48:bb:b4:3b:73 +# Subject: CN=OISTE Client Root RSA G1,O=OISTE Foundation,C=CH +# 
Not Valid Before: Wed May 31 14:23:29 2023 +# Not Valid After : Sun May 24 14:23:28 2048 +# Fingerprint (SHA-256): D0:2A:0F:99:4A:86:8C:66:39:5F:2E:7A:88:0D:F5:09:BD:0C:29:C9:6D:E1:60:15:A0:FD:50:1E:DA:4F:96:A9 +# Fingerprint (SHA1): BD:A8:13:20:E0:BF:97:ED:A2:8E:9E:18:5F:F2:D5:FE:E5:2B:13:D5 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE Client Root RSA G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\275\250\023\040\340\277\227\355\242\216\236\030\137\362\325\376 +\345\053\023\325 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\232\033\325\012\267\026\352\272\241\212\331\361\036\015\371\023 +END +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\103\154\151\145\156 +\164\040\122\157\157\164\040\122\123\101\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\064\027\157\131\001\210\033\252\245\335\310\110\273\264 +\073\163 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "OISTE Server Root ECC G1" +# +# Issuer: CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH +# Serial Number:23:f9:c3:d6:35:af:8f:28:4b:1f:f0:54:ea:7e:97:9d +# Subject: CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:42:28 2023 +# Not Valid After : Sun May 24 14:42:27 2048 +# Fingerprint (SHA-256): EE:C9:97:C0:C3:0F:21:6F:7E:3B:8B:30:7D:2B:AE:42:41:2D:75:3F:C8:21:9D:AF:D1:52:0B:25:72:85:0F:49 +# Fingerprint (SHA1): 3B:F6:8B:09:AE:2A:92:7B:BA:E3:8D:3F:11:95:D9:E6:44:0C:45:E2 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL 
CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE Server Root ECC G1" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\123\145\162\166\145 +\162\040\122\157\157\164\040\105\103\103\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\123\145\162\166\145 +\162\040\122\157\157\164\040\105\103\103\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\043\371\303\326\065\257\217\050\113\037\360\124\352\176 +\227\235 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\065\060\202\001\272\240\003\002\001\002\002\020\043 +\371\303\326\065\257\217\050\113\037\360\124\352\176\227\235\060 +\012\006\010\052\206\110\316\075\004\003\003\060\113\061\013\060 +\011\006\003\125\004\006\023\002\103\110\061\031\060\027\006\003 +\125\004\012\014\020\117\111\123\124\105\040\106\157\165\156\144 +\141\164\151\157\156\061\041\060\037\006\003\125\004\003\014\030 +\117\111\123\124\105\040\123\145\162\166\145\162\040\122\157\157 +\164\040\105\103\103\040\107\061\060\036\027\015\062\063\060\065 +\063\061\061\064\064\062\062\070\132\027\015\064\070\060\065\062 +\064\061\064\064\062\062\067\132\060\113\061\013\060\011\006\003 +\125\004\006\023\002\103\110\061\031\060\027\006\003\125\004\012 +\014\020\117\111\123\124\105\040\106\157\165\156\144\141\164\151 +\157\156\061\041\060\037\006\003\125\004\003\014\030\117\111\123 +\124\105\040\123\145\162\166\145\162\040\122\157\157\164\040\105 
+\103\103\040\107\061\060\166\060\020\006\007\052\206\110\316\075 +\002\001\006\005\053\201\004\000\042\003\142\000\004\027\057\372 +\022\274\254\030\363\012\364\104\326\166\102\236\263\350\037\267 +\171\251\130\266\370\145\321\072\041\117\250\353\243\276\244\062 +\162\363\266\001\311\053\375\167\205\156\123\335\255\352\252\056 +\045\222\266\351\041\021\250\257\265\114\013\363\226\140\232\073 +\347\352\032\170\056\264\075\345\050\336\034\200\272\134\156\015 +\333\031\245\343\077\234\052\270\100\113\335\346\117\243\143\060 +\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001 +\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024\067 +\115\210\145\317\374\075\212\325\243\361\111\300\116\014\020\157 +\102\264\234\060\035\006\003\125\035\016\004\026\004\024\067\115 +\210\145\317\374\075\212\325\243\361\111\300\116\014\020\157\102 +\264\234\060\016\006\003\125\035\017\001\001\377\004\004\003\002 +\001\206\060\012\006\010\052\206\110\316\075\004\003\003\003\151 +\000\060\146\002\061\000\251\052\060\035\320\302\237\220\121\121 +\100\076\225\124\041\315\026\146\367\123\154\010\026\071\320\022 +\174\177\143\033\337\343\070\000\071\331\055\123\040\105\013\034 +\140\147\061\103\045\355\002\061\000\222\211\256\351\134\142\203 +\142\141\371\055\127\253\126\271\021\335\045\276\152\116\112\032 +\202\153\334\317\323\274\112\263\074\327\056\233\333\370\050\151 +\274\153\055\354\061\241\072\343\127 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "OISTE Server Root ECC G1" +# Issuer: CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH +# Serial Number:23:f9:c3:d6:35:af:8f:28:4b:1f:f0:54:ea:7e:97:9d +# Subject: CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:42:28 2023 +# Not Valid After : Sun May 24 14:42:27 2048 +# Fingerprint (SHA-256): 
EE:C9:97:C0:C3:0F:21:6F:7E:3B:8B:30:7D:2B:AE:42:41:2D:75:3F:C8:21:9D:AF:D1:52:0B:25:72:85:0F:49 +# Fingerprint (SHA1): 3B:F6:8B:09:AE:2A:92:7B:BA:E3:8D:3F:11:95:D9:E6:44:0C:45:E2 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE Server Root ECC G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\073\366\213\011\256\052\222\173\272\343\215\077\021\225\331\346 +\104\014\105\342 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\102\247\322\065\256\002\222\333\031\166\010\336\057\005\264\324 +END +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\123\145\162\166\145 +\162\040\122\157\157\164\040\105\103\103\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\043\371\303\326\065\257\217\050\113\037\360\124\352\176 +\227\235 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate " OISTE Server Root RSA G1" +# +# Issuer: CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH +# Serial Number:55:a5:d9:67:94:28:c6:ed:0c:fa:27:dd:5b:01:4d:18 +# Subject: CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:37:16 2023 +# Not Valid After : Sun May 24 14:37:15 2048 +# Fingerprint (SHA-256): 9A:E3:62:32:A5:18:9F:FD:DB:35:3D:FD:26:52:0C:01:53:95:D2:27:77:DA:C5:9D:B5:7B:98:C0:89:A6:51:E6 +# Fingerprint (SHA1): F7:00:34:25:94:88:68:31:E4:34:87:3F:70:FE:86:B3:86:9F:F0:6E +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 " OISTE Server Root RSA G1" 
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\123\145\162\166\145 +\162\040\122\157\157\164\040\122\123\101\040\107\061 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\123\145\162\166\145 +\162\040\122\157\157\164\040\122\123\101\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\125\245\331\147\224\050\306\355\014\372\047\335\133\001 +\115\030 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\203\060\202\003\153\240\003\002\001\002\002\020\125 +\245\331\147\224\050\306\355\014\372\047\335\133\001\115\030\060 +\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\113 +\061\013\060\011\006\003\125\004\006\023\002\103\110\061\031\060 +\027\006\003\125\004\012\014\020\117\111\123\124\105\040\106\157 +\165\156\144\141\164\151\157\156\061\041\060\037\006\003\125\004 +\003\014\030\117\111\123\124\105\040\123\145\162\166\145\162\040 +\122\157\157\164\040\122\123\101\040\107\061\060\036\027\015\062 +\063\060\065\063\061\061\064\063\067\061\066\132\027\015\064\070 +\060\065\062\064\061\064\063\067\061\065\132\060\113\061\013\060 +\011\006\003\125\004\006\023\002\103\110\061\031\060\027\006\003 +\125\004\012\014\020\117\111\123\124\105\040\106\157\165\156\144 +\141\164\151\157\156\061\041\060\037\006\003\125\004\003\014\030 +\117\111\123\124\105\040\123\145\162\166\145\162\040\122\157\157 +\164\040\122\123\101\040\107\061\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 
+\060\202\002\012\002\202\002\001\000\252\256\364\253\202\317\373 +\345\067\013\347\325\226\255\220\350\113\051\334\125\140\343\314 +\274\263\274\055\222\271\344\243\172\361\201\264\236\162\162\103 +\337\077\253\013\046\264\356\173\032\151\373\050\320\162\134\112 +\155\151\231\360\143\036\014\322\261\377\326\214\064\320\356\333 +\254\110\271\352\260\024\216\330\007\251\044\230\335\351\011\276 +\250\042\033\131\071\321\047\207\334\034\315\370\373\263\353\351 +\223\170\355\017\316\067\174\046\167\156\241\330\054\041\114\344 +\212\117\307\023\074\156\307\325\023\227\262\250\333\044\151\203 +\126\323\151\313\202\022\273\235\033\362\370\064\362\230\053\052 +\216\004\147\366\343\207\241\035\255\156\316\066\164\016\136\063 +\073\313\333\121\227\224\152\225\074\316\030\132\156\113\306\374 +\007\217\056\032\271\112\367\144\064\051\334\246\215\120\341\215 +\213\113\345\110\033\156\056\200\020\077\344\237\033\145\077\021 +\264\352\127\151\237\264\000\353\205\044\231\044\365\041\235\227 +\252\373\064\177\002\153\025\220\255\273\236\132\031\177\244\214 +\330\372\155\050\374\070\307\343\114\255\152\316\331\116\223\222 +\216\314\014\147\277\013\113\226\316\146\147\123\150\313\027\021 +\216\131\367\254\234\033\271\216\150\104\267\030\257\346\345\017 +\145\334\225\011\260\223\022\265\037\076\224\245\307\210\165\041 +\261\336\011\044\052\114\342\274\354\114\147\107\302\051\210\271 +\012\272\371\301\164\316\214\030\046\145\332\367\157\306\214\173 +\150\134\013\356\143\300\136\113\361\116\314\237\057\017\341\350 +\232\172\223\361\340\310\333\277\047\346\145\051\173\066\340\063 +\025\163\362\235\153\204\010\150\053\066\007\053\047\314\170\330 +\152\207\016\107\164\364\252\240\023\135\144\176\364\333\024\256 +\373\072\344\057\301\145\343\271\172\100\154\360\006\267\173\050 +\233\327\341\137\070\163\224\254\331\160\223\055\334\204\257\106 +\034\242\172\054\077\201\046\102\347\324\330\305\154\204\146\021 +\213\167\153\124\034\243\265\330\020\360\256\051\367\147\010\210 
+\027\134\270\227\171\317\352\053\052\356\130\063\345\155\351\051 +\252\145\001\015\202\023\354\045\013\135\054\100\162\025\051\323 +\220\054\367\032\103\325\152\360\151\002\003\001\000\001\243\143 +\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003 +\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024 +\362\311\301\017\015\143\000\273\354\105\016\112\037\265\261\263 +\066\315\016\215\060\035\006\003\125\035\016\004\026\004\024\362 +\311\301\017\015\143\000\273\354\105\016\112\037\265\261\263\066 +\315\016\215\060\016\006\003\125\035\017\001\001\377\004\004\003 +\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\003\202\002\001\000\064\147\171\262\072\306\345\075\367 +\043\162\271\011\357\222\255\047\037\240\116\012\262\365\332\027 +\014\242\205\322\176\222\121\375\025\145\327\134\153\144\026\356 +\212\105\312\014\103\066\104\065\331\177\376\171\072\034\350\306 +\344\075\153\167\324\041\020\343\366\363\040\116\251\276\211\363 +\034\234\251\337\274\060\072\027\321\062\103\320\252\212\162\034 +\121\050\114\335\066\310\344\055\147\175\221\207\034\235\274\374 +\253\050\226\136\141\134\270\042\063\030\110\026\120\352\312\057 +\351\245\111\334\177\074\244\031\274\066\255\222\342\271\364\113 +\325\353\010\255\347\170\376\027\300\135\207\167\350\147\167\117 +\000\146\257\364\261\003\072\276\022\174\101\065\345\364\246\033 +\107\213\313\171\367\326\277\027\156\116\145\360\370\332\127\301 +\224\201\345\172\126\015\273\106\177\157\221\375\175\346\027\344 +\201\047\273\005\210\126\335\040\245\367\230\055\221\031\151\061 +\137\233\060\362\231\255\162\100\226\314\330\167\146\233\264\325 +\016\262\020\376\024\252\303\200\161\235\075\215\350\175\024\154 +\141\144\206\106\246\327\124\305\266\327\220\026\106\245\205\312 +\236\072\343\346\023\026\266\025\043\314\251\051\122\375\000\306 +\366\220\216\126\217\211\010\335\226\252\346\323\152\251\206\065 +\366\325\105\170\102\112\106\374\003\310\136\330\146\366\105\145 
+\044\264\276\207\173\125\040\235\367\235\265\052\374\271\142\031 +\313\154\073\257\323\155\070\154\253\173\246\036\215\374\351\236 +\376\153\025\271\333\202\232\313\230\337\163\241\220\240\240\305 +\340\350\001\250\243\024\234\310\301\232\254\025\120\063\215\355 +\174\052\213\163\225\100\103\046\374\201\244\052\137\071\220\267 +\047\313\121\167\370\226\223\036\317\362\167\175\037\106\223\242 +\131\036\225\104\305\055\165\144\260\326\371\340\074\151\352\004 +\265\034\013\342\106\104\115\103\073\227\111\161\021\275\044\266 +\302\255\162\124\006\376\153\030\371\167\333\051\054\122\236\155 +\167\173\142\375\017\115\216\230\062\060\060\161\022\326\045\065 +\343\237\370\157\234\265\353\152\033\255\352\020\323\226\026\162 +\006\041\045\306\114\274\217\160\273\014\344\136\042\203\055\322 +\276\376\205\133\264\344\275 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for " OISTE Server Root RSA G1" +# Issuer: CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH +# Serial Number:55:a5:d9:67:94:28:c6:ed:0c:fa:27:dd:5b:01:4d:18 +# Subject: CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH +# Not Valid Before: Wed May 31 14:37:16 2023 +# Not Valid After : Sun May 24 14:37:15 2048 +# Fingerprint (SHA-256): 9A:E3:62:32:A5:18:9F:FD:DB:35:3D:FD:26:52:0C:01:53:95:D2:27:77:DA:C5:9D:B5:7B:98:C0:89:A6:51:E6 +# Fingerprint (SHA1): F7:00:34:25:94:88:68:31:E4:34:87:3F:70:FE:86:B3:86:9F:F0:6E +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 " OISTE Server Root RSA G1" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\367\000\064\045\224\210\150\061\344\064\207\077\160\376\206\263 +\206\237\360\156 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\043\247\236\324\160\270\271\024\127\101\212\176\104\131\342\150 +END +CKA_ISSUER MULTILINE_OCTAL 
+\060\113\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\031\060\027\006\003\125\004\012\014\020\117\111\123\124\105\040 +\106\157\165\156\144\141\164\151\157\156\061\041\060\037\006\003 +\125\004\003\014\030\117\111\123\124\105\040\123\145\162\166\145 +\162\040\122\157\157\164\040\122\123\101\040\107\061 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\125\245\331\147\224\050\306\355\014\372\047\335\133\001 +\115\030 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h @@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 80 -#define NSS_BUILTINS_LIBRARY_VERSION "2.80" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 82 +#define NSS_BUILTINS_LIBRARY_VERSION "2.82" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h @@ -22,12 +22,12 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.117" _NSS_CUSTOMIZED " Beta" +#define NSS_VERSION "3.117" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 117 #define NSS_VPATCH 0 #define NSS_VBUILD 0 -#define NSS_BETA PR_TRUE +#define NSS_BETA PR_FALSE #ifndef RC_INVOKED diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h 
@@ -17,11 +17,11 @@
 * The format of the version string should be
 * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.117" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.117" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 117
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
 #endif /* _SOFTKVER_H_ */
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
@@ -19,12 +19,12 @@
 * The format of the version string should be
 * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.117 Beta"
+#define NSSUTIL_VERSION "3.117"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 117
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
 SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
@@ -2398,24 +2398,9 @@ sec_asn1d_absorb_child(sec_asn1d_state *state)
 * consumed should be what was left pending.
 */
 if (state->pending != state->child->consumed) {
- if (state->pending < state->child->consumed) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- state->top->status = decodeError;
- return;
- }
- /*
- * Okay, this is a hack. It *should* be an error whether
- * pending is too big or too small, but it turns out that
- * we had a bug in our *old* DER encoder that ended up
- * counting an explicit header twice in the case where
- * the underlying type was an ANY. So, because we cannot
- * prevent receiving these (our own certificate server can
- * send them to us), we need to be lenient and accept them.
- * To do so, we need to pretend as if we read all of the
- * bytes that the header said we would find, even though
- * we actually came up short.
- */
- state->consumed += (state->pending - state->child->consumed);
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ state->top->status = decodeError;
+ return;
 }
 state->pending = 0;
 }
diff --git a/security/nss/moz.yaml b/security/nss/moz.yaml
@@ -9,8 +9,8 @@ origin:
 description: nss
 url: https://hg-edge.mozilla.org/projects/nss
- release: 63de5a30b6378d66fe9c4b06790cf2290af81531 (2025-09-29T16:56:28Z).
- revision: 63de5a30b6378d66fe9c4b06790cf2290af81531
+ release: 11dc5f9349ad12af08b792a3f705166056547950 (2025-10-03T11:12:45Z).
+ revision: 11dc5f9349ad12af08b792a3f705166056547950
 license: MPL-2.0
 license-file: COPYING
@@ -42,4 +42,4 @@ updatebot:
 - type: vendoring
 enabled: true
 frequency: 1 week
- blocking: 1988290
+ blocking: 1992446
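Review bot: The tightened mismatch branch in sec_asn1d_absorb_child (security/nss/lib/util/secasn1d.c) is left without any comment, while the removed block recorded that short children were tolerated because an old DER encoder counted an explicit header twice around an ANY; with nothing in its place, a later reader cannot tell that rejecting both directions is deliberate. I would add above `PORT_SetError(SEC_ERROR_BAD_DER);` a short comment such as `/* The explicit length must equal what the child consumed; a short child was once tolerated for a legacy encoder bug and is now rejected as bad DER. */`. Input that still carries that legacy encoding will presumably now fail with SEC_ERROR_BAD_DER instead of decoding, so it is worth confirming that the secasn1decode_unittest.cc listed in the diffstat pins both the too-short and the too-long case; that file is not visible in this part of the page. The function body starts and ends outside the hunk.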