diff --git a/blank-cert9.db b/blank-cert9.db
new file mode 100644
index 0000000000000000000000000000000000000000..1763264e7842df0b349d57432012b11a394513ba
Binary files /dev/null and b/blank-cert9.db differ
diff --git a/blank-key4.db b/blank-key4.db
new file mode 100644
index 0000000000000000000000000000000000000000..6bd60cb0d04855281c86be3ba969c19ec863eb54
Binary files /dev/null and b/blank-key4.db differ
diff --git a/cert9.db.xml b/cert9.db.xml
new file mode 100644
index 0000000000000000000000000000000000000000..815d3f92fe5b471ec639041e5aa490b090cfa65a
--- /dev/null
+++ b/cert9.db.xml
@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert9.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>cert9.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>cert9.db</refname>
+    <refpurpose>NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
+  <para>This certificate database is the sqlite-based shared database with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/cert9.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>
diff --git a/iquote.patch b/iquote.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6e4adcd71f4f5acfeea5aef25878136b3fe3facb
--- /dev/null
+++ b/iquote.patch
@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
+ endif
+ 
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included
diff --git a/key4.db.xml b/key4.db.xml
new file mode 100644
index 0000000000000000000000000000000000000000..9b65f41884c41b3d0450d25ea525af634df7d252
--- /dev/null
+++ b/key4.db.xml
@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key4.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>key4.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>key4.db</refname>
+    <refpurpose>NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>key4.db</emphasis> is an NSS key database.</para>
+  <para>This key database is the sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/key4.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>
diff --git a/nss-3.75.tar.gz b/nss-3.75.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..f81b3910475b1be4041917ed7b8bdcff4a919b70
Binary files /dev/null and b/nss-3.75.tar.gz differ
diff --git a/nss-539183.patch b/nss-539183.patch
new file mode 100644
index 0000000000000000000000000000000000000000..267e71e47a1446fabdc0c79a7b6a880a35f0d1ed
--- /dev/null
+++ b/nss-539183.patch
@@ -0,0 +1,62 @@
+--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
+     PRSocketOptionData opt;
+ 
+-    addr.inet.family = PR_AF_INET;
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
++    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++        errExit("PR_SetNetAddr");
++    }
+ 
+-    listen_sock = PR_NewTCPSocket();
++    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+     if (listen_sock == NULL) {
+-        errExit("PR_NewTCPSocket");
++        errExit("PR_OpenTCPSockett");
+     }
+ 
+     opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
+     PRSocketOptionData opt;
+ 
+-    addr.inet.family = PR_AF_INET;
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
++    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++        errExit("PR_SetNetAddr");
++    }
+ 
+-    listen_sock = PR_NewTCPSocket();
++    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+     if (listen_sock == NULL) {
+-        errExit("PR_NewTCPSocket");
++        errExit("PR_OpenTCPSocket error");
+     }
+ 
+     opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
diff --git a/nss-config.in b/nss-config.in
new file mode 100644
index 0000000000000000000000000000000000000000..f8f893e71a709c2e0a689b80950d993aad1a4685
--- /dev/null
+++ b/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	nss
+	nssutil
+	ssl
+	smime
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    ssl)
+      lib_ssl=yes
+      ;;
+    smime)
+      lib_smime=yes
+      ;;
+    nss)
+      lib_nss=yes
+      ;;
+    nssutil)
+      lib_nssutil=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      if test -n "$lib_ssl"; then
+	libdirs="$libdirs -lssl${major_version}"
+      fi
+      if test -n "$lib_smime"; then
+	libdirs="$libdirs -lsmime${major_version}"
+      fi
+      if test -n "$lib_nss"; then
+	libdirs="$libdirs -lnss${major_version}"
+      fi
+      if test -n "$lib_nssutil"; then
+	libdirs="$libdirs -lnssutil${major_version}"
+      fi
+      echo $libdirs
+fi      
+
diff --git a/nss-config.xml b/nss-config.xml
new file mode 100644
index 0000000000000000000000000000000000000000..f9518c9e715228ac3202fea39c468eb4317a26b1
--- /dev/null
+++ b/nss-config.xml
@@ -0,0 +1,132 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-config">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nss-config</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-config</refname>
+    <refpurpose>Return meta information about nss libraries</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nss-config</command>
+      <arg><option>--prefix</option></arg>
+      <arg><option>--exec-prefix</option></arg>
+      <arg><option>--includedir</option></arg>
+      <arg><option>--libs</option></arg>
+      <arg><option>--cflags</option></arg>
+      <arg><option>--libdir</option></arg>
+      <arg><option>--version</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+
+    <para><command>nss-config</command> is a shell scrip
+    tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
+
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>--prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--exec-prefix</option></term>
+        <listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--includedir</option> <replaceable>count</replaceable></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--version</option></term>
+        <listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libs</option></term>
+        <listitem><simpara>returns the compiler linking flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cflags</option></term>
+        <listitem><simpara>returns the compiler include flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libdir</option></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for both include path and linkage flags:
+    
+      <programlisting>
+        /usr/bin/nss-config --cflags --libs
+      </programlisting>
+
+    </para>
+
+   
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+
+    <para><filename>/usr/bin/nss-config</filename></para>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+
diff --git a/nss-fix-PayPal-upstream.patch b/nss-fix-PayPal-upstream.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71e78cbd9f00e2c510e8465316edd46600227688
--- /dev/null
+++ b/nss-fix-PayPal-upstream.patch
@@ -0,0 +1,42 @@
+diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh
+--- a/tests/chains/chains.sh
++++ b/tests/chains/chains.sh
+@@ -917,7 +917,7 @@
+     done
+ 
+     VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}"
+-    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
++    VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${VFY_TIME_OPT} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}"
+ 
+     TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}"
+     echo "${SCRIPTNAME}: ${TESTNAME}"
+@@ -1118,6 +1118,7 @@
+             ;;
+         "verify")
+             VERIFY="${VALUE}"
++            VFY_TIME_OPT=
+             TRUST=
+             TRUST_AND_DB=
+             POLICY=
+@@ -1126,6 +1127,9 @@
+             REV_OPTS=
+             USAGE_OPT=
+             ;;
++        "at_time")
++            VFY_TIME_OPT="-b ${VALUE}"
++            ;;
+         "cert")
+             VERIFY="${VERIFY} ${VALUE}"
+             ;;
+diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
+--- a/tests/chains/scenarios/realcerts.cfg
++++ b/tests/chains/scenarios/realcerts.cfg
+@@ -22,6 +22,7 @@
+ 
+ verify PayPalEE:x
+   policy OID.2.16.840.1.114412.2.1 
++  at_time 2201010000Z
+   result pass
+ 
+ verify BrAirWaysBadSig:x
+
diff --git a/nss-no-dbm-man-page.patch b/nss-no-dbm-man-page.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2a1a9d29d3dcefb628b9ba31c0020505e6ac7655
--- /dev/null
+++ b/nss-no-dbm-man-page.patch
@@ -0,0 +1,120 @@
+diff -up ./doc/certutil.xml.no-dbm ./doc/certutil.xml
+--- ./doc/certutil.xml.no-dbm	2021-05-29 10:26:21.853386165 -0700
++++ ./doc/certutil.xml	2021-05-29 10:31:15.057058619 -0700
+@@ -205,8 +205,7 @@ If this option is not used, the validity
+           <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
+           <para>NSS recognizes the following prefixes:</para>
+           <itemizedlist>
+-            <listitem><para><command>sql:</command> requests the newer database</para></listitem>
+-	    <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
++            <listitem><para><command>sql:</command> requests the sql-lite database</para></listitem>
+           </itemizedlist>
+           <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>sql:</command> is the default.</para>
+         </listitem>
+@@ -1205,17 +1204,9 @@ BerkeleyDB. These new databases provide
+ 	</listitem>
+ </itemizedlist>
+ 
+-<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
++<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. </para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting>$ certutil -L -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/modutil.xml.no-dbm ./doc/modutil.xml
+--- ./doc/modutil.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/modutil.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -151,7 +151,7 @@
+       <varlistentry>
+         <term>-dbdir directory</term>
+ 	  <listitem><para>Specify the database directory in which to access or create security module database files.</para>
+-	<para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in SQLite format.</para></listitem>
++	<para><command>modutil</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -689,15 +689,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting>modutil -create -dbdir dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.  </para> 
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/pk12util.xml.no-dbm ./doc/pk12util.xml
+--- ./doc/pk12util.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/pk12util.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -90,7 +90,7 @@
+       <varlistentry>
+         <term>-d directory</term>
+         <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
+-	<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
++	<para><command>pk12util</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -394,15 +394,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.  </para>
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/signver.xml.no-dbm ./doc/signver.xml
+--- ./doc/signver.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/signver.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -66,7 +66,7 @@
+       <varlistentry>
+         <term>-d <emphasis>directory</emphasis></term>
+         <listitem><para>Specify the database directory which contains the certificates and keys.</para>
+-	<para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
++	<para><command>signver</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>-a</term>
+@@ -155,15 +155,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting># signver -A -s <replaceable>signature</replaceable> -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
+ 
+ <itemizedlist>
+ 	<listitem>
diff --git a/nss-p11-kit.config b/nss-p11-kit.config
new file mode 100644
index 0000000000000000000000000000000000000000..0ebf0735d89b1e535244e51f84974605db1f6936
--- /dev/null
+++ b/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+
diff --git a/nss-signtool-format.patch b/nss-signtool-format.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5f146f1aadc35cf330ccc3e2b2d13a32d4114d3f
--- /dev/null
+++ b/nss-signtool-format.patch
@@ -0,0 +1,85 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+ 
+         dir = PR_OpenDir(path);
+         if (!dir) {
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+             }
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -138,6 +138,12 @@ rm_dash_r(char *path)
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+             sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
++) >= sizeof(filename)) {
++                errorCount++;
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+  */
+ PKIX_Error *
+ PKIX_List_SetItem(
+         PKIX_List *list,
+         PKIX_UInt32 index,
+         PKIX_PL_Object *item,
+         void *plContext)
+ {
+-        PKIX_List *element;
++        PKIX_List *element = NULL;
+ 
+         PKIX_ENTER(LIST, "PKIX_List_SetItem");
+         PKIX_NULLCHECK_ONE(list);
+ 
+         if (list->immutable){
+                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+         }
+ 
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+  */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+         PKIX_PL_Object *first,
+         PKIX_PL_Object *second,
+         PKIX_Boolean *pResult,
+         void *plContext)
+ {
+-        PKIX_Int32 cmpResult;
++        PKIX_Int32 cmpResult = 0;
+ 
+         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+         PKIX_NULLCHECK_THREE(first, second, pResult);
+ 
+         PKIX_CHECK(pkix_pl_OID_Comparator
+                     (first, second, &cmpResult, plContext),
+                     PKIX_OIDCOMPARATORFAILED);
+ 
diff --git a/nss-softokn-config.in b/nss-softokn-config.in
new file mode 100644
index 0000000000000000000000000000000000000000..c7abe2908bc1c5d410e41f40b062f10874e6e412
--- /dev/null
+++ b/nss-softokn-config.in
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	softokn3 - Requires full dynamic linking
+	freebl3  - for internal use only (and glibc for self-integrity check)
+	nssdbm3  - for internal use only
+Dymamically linked
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      echo $libdirs
+fi
+
diff --git a/nss-softokn-dracut-module-setup.sh b/nss-softokn-dracut-module-setup.sh
new file mode 100644
index 0000000000000000000000000000000000000000..010ec18ab271219237fe936b543b255a2c9c66f8
--- /dev/null
+++ b/nss-softokn-dracut-module-setup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 255
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    local _dir
+
+    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+        libfreebl3.so
+}
diff --git a/nss-softokn-dracut.conf b/nss-softokn-dracut.conf
new file mode 100644
index 0000000000000000000000000000000000000000..2d9232e0241382bfe16def3cefd5d68631c4229b
--- /dev/null
+++ b/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "
diff --git a/nss-softokn.pc.in b/nss-softokn.pc.in
new file mode 100644
index 0000000000000000000000000000000000000000..022ebbf1be59a158ce9eaab418aa0d5170a77bc6
--- /dev/null
+++ b/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/nss-util-config.in b/nss-util-config.in
new file mode 100644
index 0000000000000000000000000000000000000000..532abbe1ff796dffd57996b6abd1887c6672fc16
--- /dev/null
+++ b/nss-util-config.in
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	nssutil
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      if test -n "$lib_nssutil"; then
+	libdirs="$libdirs -lnssutil${major_version}"
+      fi
+      echo $libdirs
+fi
+
diff --git a/nss-util.pc.in b/nss-util.pc.in
new file mode 100644
index 0000000000000000000000000000000000000000..1310248e94af65ccda242632d9b63fc038fd71d2
--- /dev/null
+++ b/nss-util.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
diff --git a/nss.pc.in b/nss.pc.in
new file mode 100644
index 0000000000000000000000000000000000000000..69823cb3c1c8b61c7571ef48315eba6f52deb8a4
--- /dev/null
+++ b/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/nss.spec b/nss.spec
new file mode 100644
index 0000000000000000000000000000000000000000..879c380a4295ce851431be878d1e4fab6aeb8c52
--- /dev/null
+++ b/nss.spec
@@ -0,0 +1,756 @@
+%global nspr_version 4.32.0
+%global nss_version 3.75.0
+%global baserelease 1
+%global nss_release %baserelease
+%global crypto_policies_version 20210118
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global saved_files_dir %{_libdir}/nss/saved
+%global dracutlibdir %{_prefix}/lib/dracut
+%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
+%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+
+%bcond_without tests
+%bcond_with dbm
+
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
+    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
+    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
+    %{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
+%{nil}
+
+%{lua:
+rpm.define(string.format("nspr_archive_version %s",
+           string.gsub(rpm.expand("%nspr_version"), "(.*)%.0$", "%1")))
+}
+
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+           string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
+
+%{lua:
+rpm.define(string.format("nss_release_tag NSS_%s_RTM",
+           string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
+}
+
+Summary:          Network Security Services
+Name:             nss
+Version:          %{nss_version} 
+Release:          1%{?dist} 
+License:          MPLv2.0
+URL:              http://www.mozilla.org/projects/security/pki/nss/
+Requires:         nspr >= %{nspr_version}
+Requires:         nss-util >= %{nss_version}
+Requires:         nss-softokn%{_isa} >= %{nss_version}
+Requires:         nss-system-init
+Requires:         p11-kit-trust
+Requires:         /usr/bin/update-crypto-policies
+Requires:         crypto-policies >= %{crypto_policies_version}
+BuildRequires:    make
+BuildRequires:    nss-softokn
+BuildRequires:    sqlite-devel
+BuildRequires:    zlib-devel
+BuildRequires:    pkgconfig
+BuildRequires:    gawk
+BuildRequires:    psmisc
+BuildRequires:    perl-interpreter
+BuildRequires:    gcc-c++
+BuildRequires:    nspr-devel >= %{nss_version} 
+
+Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source1:          nss-util.pc.in
+Source2:          nss-util-config.in
+Source3:          nss-softokn.pc.in
+Source4:          nss-softokn-config.in
+Source6:          nss-softokn-dracut-module-setup.sh
+Source7:          nss-softokn-dracut.conf
+Source8:          nss.pc.in
+Source9:          nss-config.in
+%if %{with dbm}
+Source10:         blank-cert8.db
+Source11:         blank-key3.db
+Source12:         blank-secmod.db
+%endif
+Source13:         blank-cert9.db
+Source14:         blank-key4.db
+Source15:         system-pkcs11.txt
+Source16:         setup-nsssysinit.sh
+Source20:         nss-config.xml
+Source21:         setup-nsssysinit.xml
+Source22:         pkcs11.txt.xml
+Source24:         cert9.db.xml
+Source26:         key4.db.xml
+%if %{with dbm}
+Source23:         cert8.db.xml
+Source25:         key3.db.xml
+Source27:         secmod.db.xml
+%endif
+Source28:         nss-p11-kit.config
+
+Patch2:           nss-539183.patch
+Patch4:           iquote.patch
+Patch12:          nss-signtool-format.patch
+Patch40:          nss-no-dbm-man-page.patch
+Patch45:          nss-fix-PayPal-upstream.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary:          Tools for the Network Security Services
+Requires:         %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary:          System NSS Initialization
+Provides:         nss-system-init
+Requires:         nss%{?_isa} = %{version}-%{release}
+Requires(post):   coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary:          Development libraries for Network Security Services
+Provides:         nss-static = %{version}-%{release}
+Requires:         nss%{?_isa} = %{version}-%{release}
+Requires:         nss-util-devel
+Requires:         nss-softokn-devel
+Requires:         nspr-devel >= %{nspr_version}
+Requires:         pkgconfig
+BuildRequires:    xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
+Provides:         nss-pkcs11-devel-static = %{version}-%{release}
+Requires:         nss-devel = %{version}-%{release}
+Requires:         nss-softokn-freebl-devel = %{version}-%{release}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%package util
+Summary:          Network Security Services Utilities Library
+Requires:         nspr >= %{nspr_version}
+
+%description util
+Utilities for Network Security Services and the Softoken module
+
+%package util-devel
+Summary:          Development libraries for Network Security Services Utilities
+Requires:         nss-util%{?_isa} = %{version}-%{release}
+Requires:         nspr-devel >= %{nspr_version}
+Requires:         pkgconfig
+
+%description util-devel
+Header and library files for doing development with Network Security Services.
+
+
+%package softokn
+Summary:          Network Security Services Softoken Module
+Requires:         nspr >= %{nspr_version}
+Requires:         nss-util >= %{version}-%{release}
+Requires:         nss-softokn-freebl%{_isa} >= %{version}-%{release}
+
+%description softokn
+Network Security Services Softoken Cryptographic Module
+
+%package softokn-freebl
+Summary:          Freebl library for the Network Security Services
+Requires:         nspr >= 4.12
+Requires:         nss-util >= 3.33
+Conflicts:        nss < 3.12.2.99.3-5
+Conflicts:        filesystem < 3
+
+%description softokn-freebl
+NSS Softoken Cryptographic Module Freebl Library
+
+Install the nss-softokn-freebl package if you need the freebl library.
+
+%package softokn-freebl-devel
+Summary:          Header and Library files for doing development with the Freebl library for NSS
+Provides:         nss-softokn-freebl-static = %{version}-%{release}
+Requires:         nss-softokn-freebl%{?_isa} = %{version}-%{release}
+
+%description softokn-freebl-devel
+NSS Softoken Cryptographic Module Freebl Library Development Tools
+This package supports special needs of some PKCS #11 module developers and
+is otherwise considered private to NSS. As such, the programming interfaces
+may change and the usual NSS binary compatibility commitments do not apply.
+Developers should rely only on the officially supported NSS public API.
+
+%package softokn-devel
+Summary:          Development libraries for Network Security Services
+Requires:         nss-softokn%{?_isa} = %{version}-%{release}
+Requires:         nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
+Requires:         nspr-devel >= %{nspr_version}
+Requires:         nss-util-devel >= %{version}-%{release}
+Requires:         pkgconfig
+
+%description softokn-devel
+Header and library files for doing development with Network Security Services.
+
+
+%prep
+
+%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
+pushd nss
+%autopatch -p1 -M 99
+popd
+find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
+
+
+%build
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+export NSS_FORCE_FIPS=1
+export BUILD_OPT=1
+export XCFLAGS=$RPM_OPT_FLAGS
+export XCFLAGS="$XCFLAGS -Wno-array-parameter"
+export LDFLAGS=$RPM_LD_FLAGS
+export DSO_LDOPTS=$RPM_LD_FLAGS
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+export NSPR_LIB_DIR=%{_libdir}
+export NSS_USE_SYSTEM_SQLITE=1
+export NSS_ALLOW_SSLKEYLOGFILE=1
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
+%if %{with dbm}
+%else
+export NSS_DISABLE_DBM=1
+%endif
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+export POLICY_FILE="nss.config"
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+
+%{__make} -C ./nss all
+%{__make} -C ./nss latest
+
+pushd ./nss
+%{__make} clean_docs build_docs
+popd
+
+mkdir -p ./dist/docs/nroff
+cp ./nss/doc/nroff/* ./dist/docs/nroff
+
+mkdir -p ./dist/pkgconfig
+
+cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+                          -e "s,%%prefix%%,%{_prefix},g" \
+                          -e "s,%%exec_prefix%%,%{_prefix},g" \
+                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" > \
+                          ./dist/pkgconfig/nss-util.pc
+
+NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
+NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
+NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+                          -e "s,@prefix@,%{_prefix},g" \
+                          -e "s,@exec_prefix@,%{_prefix},g" \
+                          -e "s,@includedir@,%{_includedir}/nss3,g" \
+                          -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \
+                          -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \
+                          -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \
+                          > ./dist/pkgconfig/nss-util-config
+
+chmod 755 ./dist/pkgconfig/nss-util-config
+
+cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
+                          -e "s,%%prefix%%,%{_prefix},g" \
+                          -e "s,%%exec_prefix%%,%{_prefix},g" \
+                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
+                          ./dist/pkgconfig/nss-softokn.pc
+
+SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
+SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
+SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
+                          -e "s,@prefix@,%{_prefix},g" \
+                          -e "s,@exec_prefix@,%{_prefix},g" \
+                          -e "s,@includedir@,%{_includedir}/nss3,g" \
+                          -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \
+                          -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \
+                          -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \
+                          > ./dist/pkgconfig/nss-softokn-config
+
+chmod 755 ./dist/pkgconfig/nss-softokn-config
+
+cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+                          -e "s,%%prefix%%,%{_prefix},g" \
+                          -e "s,%%exec_prefix%%,%{_prefix},g" \
+                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+                          -e "s,%%NSS_VERSION%%,%{nss_version},g" \
+                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
+                          ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
+                          -e "s,@prefix@,%{_prefix},g" \
+                          -e "s,@exec_prefix@,%{_prefix},g" \
+                          -e "s,@includedir@,%{_includedir}/nss3,g" \
+                          -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+                          -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+                          -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+                          > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{nss_version} > version.xml
+
+%if %{with dbm}
+%global XMLSOURCES %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}
+%global dbfiles cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt
+%else
+%global XMLSOURCES %{SOURCE22} %{SOURCE24} %{SOURCE26}
+%global dbfiles cert9.db key4.db pkcs11.txt
+%endif
+for m in %{SOURCE20} %{SOURCE21} %{XMLSOURCES}; do
+  cp ${m} .
+done
+%global configFiles nss-config setup-nsssysinit
+for m in %{configFiles}  %{dbfiles}; do
+  xmlto man ${m}.xml
+done
+
+
+%check
+%if %{with tests}
+
+export FREEBL_NO_DEPEND=1
+export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+export NSS_IGNORE_SYSTEM_POLICY=1
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+  echo "error: filenames containing space are not supported (xargs)"
+  exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd "$DISTBINDIR"
+ln -s selfserv $RANDSERV
+popd
+find ./nss/tests -type f |\
+  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+  grep -vw CVS  |xargs grep -lw selfserv |\
+  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd nss/tests
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+popd
+
+killall $RANDSERV || :
+%endif
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+mkdir -p $RPM_BUILD_ROOT/%{_bindir}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+
+install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%if %{with dbm}
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%endif
+install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
+do
+  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+for file in dist/public/nss/*.h
+do
+  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+for file in blapi.h alghmac.h cmac.h
+do
+  install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+for file in libfreebl.a
+do
+install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+for file in dist/private/nss/templates.c dist/private/nss/nssck.api
+do
+  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+for f in %{configFiles}; do
+   install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do
+  install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
+
+for f in %{dbfiles}; do
+   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+%if %{with dbm}
+%else
+if test $1 -eq 2; then
+    for dbdir in %{_sysconfdir}/pki/nssdb; do
+        if test ! -e ${dbdir}/pkcs11.txt; then
+            /usr/bin/certutil --merge -d ${dbdir} --source-dir ${dbdir}
+        fi
+    done
+fi
+%endif
+
+%posttrans
+update-crypto-policies &> /dev/null || :
+
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%dir %{_sysconfdir}/pki/nssdb
+%if %{with dbm}
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%endif
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%if %{with dbm}
+%doc %{_mandir}/man5/cert8.db.5*
+%doc %{_mandir}/man5/key3.db.5*
+%doc %{_mandir}/man5/secmod.db.5*
+%endif
+%doc %{_mandir}/man5/cert9.db.5*
+%doc %{_mandir}/man5/key4.db.5*
+%doc %{_mandir}/man5/pkcs11.txt.5*
+
+%files sysinit
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%doc %{_mandir}/man1/setup-nsssysinit.1*
+
+%files tools
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/nss-policy-check
+%{_bindir}/pk12util
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+%doc %{_mandir}/man1/certutil.1*
+%doc %{_mandir}/man1/cmsutil.1*
+%doc %{_mandir}/man1/crlutil.1*
+%doc %{_mandir}/man1/modutil.1*
+%doc %{_mandir}/man1/pk12util.1*
+%doc %{_mandir}/man1/signver.1*
+%doc %{_mandir}/man1/derdump.1*
+%doc %{_mandir}/man1/signtool.1*
+%dir %{_datadir}/doc/nss-tools
+%doc %{_datadir}/doc/nss-tools/pp.1
+%doc %{_mandir}/man1/ssltap.1*
+%doc %{_mandir}/man1/vfychain.1*
+%doc %{_mandir}/man1/vfyserv.1*
+
+%files devel
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%doc %{_mandir}/man1/nss-config.1*
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11hpke.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+%files pkcs11-devel
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+%files util
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnssutil3.so
+
+%files util-devel
+%{_libdir}/pkgconfig/nss-util.pc
+%{_bindir}/nss-util-config
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/base64.h
+%{_includedir}/nss3/ciferfam.h
+%{_includedir}/nss3/eccutil.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/nssb64.h
+%{_includedir}/nss3/nssb64t.h
+%{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nssilock.h
+%{_includedir}/nss3/nssilckt.h
+%{_includedir}/nss3/nssrwlk.h
+%{_includedir}/nss3/nssrwlkt.h
+%{_includedir}/nss3/nssutil.h
+%{_includedir}/nss3/pkcs1sig.h
+%{_includedir}/nss3/pkcs11.h
+%{_includedir}/nss3/pkcs11f.h
+%{_includedir}/nss3/pkcs11n.h
+%{_includedir}/nss3/pkcs11p.h
+%{_includedir}/nss3/pkcs11t.h
+%{_includedir}/nss3/pkcs11u.h
+%{_includedir}/nss3/pkcs11uri.h
+%{_includedir}/nss3/portreg.h
+%{_includedir}/nss3/secasn1.h
+%{_includedir}/nss3/secasn1t.h
+%{_includedir}/nss3/seccomon.h
+%{_includedir}/nss3/secder.h
+%{_includedir}/nss3/secdert.h
+%{_includedir}/nss3/secdig.h
+%{_includedir}/nss3/secdigt.h
+%{_includedir}/nss3/secerr.h
+%{_includedir}/nss3/secitem.h
+%{_includedir}/nss3/secoid.h
+%{_includedir}/nss3/secoidt.h
+%{_includedir}/nss3/secport.h
+%{_includedir}/nss3/utilmodt.h
+%{_includedir}/nss3/utilpars.h
+%{_includedir}/nss3/utilparst.h
+%{_includedir}/nss3/utilrename.h
+%{_includedir}/nss3/templates/templates.c
+
+%files softokn
+%if %{with dbm}
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%endif
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libsoftokn3.chk
+%dir %{_libdir}/nss
+%dir %{saved_files_dir}
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/ecperf
+%{unsupported_tools_directory}/fbectest
+%{unsupported_tools_directory}/fipstest
+%{unsupported_tools_directory}/shlibsign
+
+%files softokn-freebl
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.so
+%{_libdir}/libfreeblpriv3.chk
+%dir %{dracut_modules_dir}
+%{dracut_modules_dir}/module-setup.sh
+%{dracut_conf_dir}/50-nss-softokn.conf
+
+%files softokn-freebl-devel
+%{_libdir}/libfreebl.a
+%{_includedir}/nss3/blapi.h
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/cmac.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
+
+%files softokn-devel
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_bindir}/nss-softokn-config
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/ecl-exp.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/shsign.h
+
+%changelog
+* Thu Mar 17 2022 forrest_ly <flin@linux.alibaba.com> - 3.75.0-1 
+- Init for Anolis OS 23
diff --git a/pkcs11.txt.xml b/pkcs11.txt.xml
new file mode 100644
index 0000000000000000000000000000000000000000..d30e4690a8dede6857242a602bf27ae327f5a9bf
--- /dev/null
+++ b/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>pkcs11.txt</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>pkcs11.txt</refname>
+    <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+  </refnamediv>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+    </para>
+    <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+    </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+
diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh
new file mode 100755
index 0000000000000000000000000000000000000000..8e1f5f7dc474cf877986364d368c7ba9b80391e5
--- /dev/null
+++ b/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+  cat <<EOF
+Usage: setup-nsssysinit [on|off]
+  on     - turns on nsssysinit
+  off    - turns off nsssysinit
+  status - reports whether nsssysinit is turned on or off
+EOF
+  exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+  usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+  echo "Could not find ${p11conf}"
+  exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+  grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+  on | ON )
+    if sysinit_enabled; then 
+      exit 0 
+    fi
+    cat ${p11conf} | \
+    sed -e 's/^library=$/library=libnsssysinit.so/' \
+        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+        ${p11conf}.on
+    mv ${p11conf}.on ${p11conf}
+    ;;
+  off | OFF )
+    if ! sysinit_enabled; then
+      exit 0
+    fi
+    cat ${p11conf} | \
+    sed -e 's/^library=libnsssysinit.so/library=/' \
+        -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+        ${p11conf}.off
+    mv ${p11conf}.off ${p11conf}
+    ;;
+  status )
+    echo -n 'NSS sysinit is '
+    sysinit_enabled && echo 'enabled' || echo 'disabled'
+    ;;
+  * )
+    usage 1 1>&2
+    ;;
+esac
diff --git a/setup-nsssysinit.xml b/setup-nsssysinit.xml
new file mode 100644
index 0000000000000000000000000000000000000000..5b9827f43920437f103f500fe0b44887061f8645
--- /dev/null
+++ b/setup-nsssysinit.xml
@@ -0,0 +1,106 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="setup-nsssysinit">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>setup-nsssysinit</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>setup-nsssysinit</refname>
+    <refpurpose>Query or enable the nss-sysinit module</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>setup-nsssysinit</command>
+      <arg><option>on</option></arg>
+      <arg><option>off</option></arg>
+      <arg><option>status</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
+  <para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+  </para>
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>on</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>off</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>status</option></term>
+        <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for the status of nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit status
+      </programlisting>
+    </para>
+
+    <para>The following example, when run as superuser, will turn on nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit on
+      </programlisting>
+    </para>
+
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/usr/bin/setup-nsssysinit</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+
diff --git a/system-pkcs11.txt b/system-pkcs11.txt
new file mode 100644
index 0000000000000000000000000000000000000000..c2f5704fae6494999f67e8db7578282ec2d43f18
--- /dev/null
+++ b/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+