Add m-esr52 at 52.6.0

10 files changed, 1215 insertions, 0 deletions

diff --git a/security/nss/gtests/pk11_gtest/Makefile b/security/nss/gtests/pk11_gtest/Makefile
new file mode 100644
index 000000000..0d547e080
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/Makefile
@@ -0,0 +1,43 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
diff --git a/security/nss/gtests/pk11_gtest/manifest.mn b/security/nss/gtests/pk11_gtest/manifest.mn
new file mode 100644
index 000000000..934d4cf33
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -0,0 +1,28 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH      = ../..
+MODULE = nss
+
+CPPSRCS = \
+      pk11_aeskeywrap_unittest.cc \
+      pk11_chacha20poly1305_unittest.cc \
+      pk11_export_unittest.cc \
+      pk11_pbkdf2_unittest.cc \
+      pk11_prf_unittest.cc \
+      pk11_prng_unittest.cc \
+      pk11_rsapss_unittest.cc \
+      $(NULL)
+
+INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+            -I$(CORE_DEPTH)/gtests/common
+
+REQUIRES = nspr nss libdbm gtest
+
+PROGRAM = pk11_gtest
+
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
+             ../common/$(OBJDIR)/gtests$(OBJ_SUFFIX)
+
diff --git a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
new file mode 100644
index 000000000..a0226e6df
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
@@ -0,0 +1,132 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+// Test vectors from https://tools.ietf.org/html/rfc3394#section-4.1 to 4.6
+unsigned char kKEK1[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
+
+unsigned char kKD1[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+                        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
+
+unsigned char kC1[] = {0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47,
+                       0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82,
+                       0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5};
+
+unsigned char kKEK2[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+                         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
+
+unsigned char kC2[] = {0x96, 0x77, 0x8B, 0x25, 0xAE, 0x6C, 0xA4, 0x35,
+                       0xF9, 0x2B, 0x5B, 0x97, 0xC0, 0x50, 0xAE, 0xD2,
+                       0x46, 0x8A, 0xB8, 0xA1, 0x7A, 0xD8, 0x4E, 0x5D};
+
+unsigned char kKEK3[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                         0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+                         0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+                         0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F};
+
+unsigned char kC3[] = {0x64, 0xE8, 0xC3, 0xF9, 0xCE, 0x0F, 0x5B, 0xA2,
+                       0x63, 0xE9, 0x77, 0x79, 0x05, 0x81, 0x8A, 0x2A,
+                       0x93, 0xC8, 0x19, 0x1E, 0x7D, 0x6E, 0x8A, 0xE7};
+
+unsigned char kKD4[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+                        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+                        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
+
+unsigned char kC4[] = {0x03, 0x1D, 0x33, 0x26, 0x4E, 0x15, 0xD3, 0x32,
+                       0x68, 0xF2, 0x4E, 0xC2, 0x60, 0x74, 0x3E, 0xDC,
+                       0xE1, 0xC6, 0xC7, 0xDD, 0xEE, 0x72, 0x5A, 0x93,
+                       0x6B, 0xA8, 0x14, 0x91, 0x5C, 0x67, 0x62, 0xD2};
+
+unsigned char kC5[] = {0xA8, 0xF9, 0xBC, 0x16, 0x12, 0xC6, 0x8B, 0x3F,
+                       0xF6, 0xE6, 0xF4, 0xFB, 0xE3, 0x0E, 0x71, 0xE4,
+                       0x76, 0x9C, 0x8B, 0x80, 0xA3, 0x2C, 0xB8, 0x95,
+                       0x8C, 0xD5, 0xD1, 0x7D, 0x6B, 0x25, 0x4D, 0xA1};
+
+unsigned char kKD6[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+                        0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
+                        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
+
+unsigned char kC6[] = {0x28, 0xC9, 0xF4, 0x04, 0xC4, 0xB8, 0x10, 0xF4,
+                       0xCB, 0xCC, 0xB3, 0x5C, 0xFB, 0x87, 0xF8, 0x26,
+                       0x3F, 0x57, 0x86, 0xE2, 0xD8, 0x0E, 0xD3, 0x26,
+                       0xCB, 0xC7, 0xF0, 0xE7, 0x1A, 0x99, 0xF4, 0x3B,
+                       0xFB, 0x98, 0x8B, 0x9B, 0x7A, 0x02, 0xDD, 0x21};
+
+class Pkcs11AESKeyWrapTest : public ::testing::Test {
+ protected:
+  CK_MECHANISM_TYPE mechanism = CKM_NSS_AES_KEY_WRAP;
+
+  void WrapUnwrap(unsigned char* kek, unsigned int kekLen,
+                  unsigned char* keyData, unsigned int keyDataLen,
+                  unsigned char* expectedCiphertext) {
+    unsigned char wrappedKey[40];
+    unsigned int wrappedKeyLen;
+    unsigned char unwrappedKey[40];
+    unsigned int unwrappedKeyLen = 0;
+    SECStatus rv;
+
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ASSERT_NE(nullptr, slot);
+
+    // Import encryption key.
+    SECItem keyItem = {siBuffer, kek, kekLen};
+    ScopedPK11SymKey encryptionKey(
+        PK11_ImportSymKey(slot.get(), CKM_NSS_AES_KEY_WRAP, PK11_OriginUnwrap,
+                          CKA_ENCRYPT, &keyItem, nullptr));
+    EXPECT_TRUE(!!encryptionKey);
+
+    // Wrap key
+    rv = PK11_Encrypt(encryptionKey.get(), mechanism, nullptr /* param */,
+                      wrappedKey, &wrappedKeyLen, sizeof(wrappedKey), keyData,
+                      keyDataLen);
+    EXPECT_EQ(rv, SECSuccess) << "CKM_NSS_AES_KEY_WRAP encrypt failed";
+    EXPECT_TRUE(!memcmp(expectedCiphertext, wrappedKey, wrappedKeyLen));
+
+    // Unwrap key
+    rv = PK11_Decrypt(encryptionKey.get(), mechanism, nullptr /* param */,
+                      unwrappedKey, &unwrappedKeyLen, sizeof(unwrappedKey),
+                      wrappedKey, wrappedKeyLen);
+    EXPECT_EQ(rv, SECSuccess) << " CKM_NSS_AES_KEY_WRAP decrypt failed\n";
+    EXPECT_TRUE(!memcmp(keyData, unwrappedKey, unwrappedKeyLen));
+  }
+};
+
+TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest1) {
+  WrapUnwrap(kKEK1, sizeof(kKEK1), kKD1, sizeof(kKD1), kC1);
+}
+
+TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest2) {
+  WrapUnwrap(kKEK2, sizeof(kKEK2), kKD1, sizeof(kKD1), kC2);
+}
+
+TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest3) {
+  WrapUnwrap(kKEK3, sizeof(kKEK3), kKD1, sizeof(kKD1), kC3);
+}
+
+TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest4) {
+  WrapUnwrap(kKEK2, sizeof(kKEK2), kKD4, sizeof(kKD4), kC4);
+}
+
+TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest5) {
+  WrapUnwrap(kKEK3, sizeof(kKEK3), kKD4, sizeof(kKD4), kC5);
+}
+
+TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest6) {
+  WrapUnwrap(kKEK3, sizeof(kKEK3), kKD6, sizeof(kKD6), kC6);
+}
+
+} /* nss_test */
\ No newline at end of file
diff --git a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
new file mode 100644
index 000000000..1d6ff0118
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -0,0 +1,263 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+#include "sechash.h"
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+// ChaCha20/Poly1305 Test Vector 1, RFC 7539
+// <http://tools.ietf.org/html/rfc7539#section-2.8.2>
+const uint8_t kTestVector1Data[] = {
+    0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47,
+    0x65, 0x6e, 0x74, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+    0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x6f, 0x66,
+    0x20, 0x27, 0x39, 0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+    0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79,
+    0x6f, 0x75, 0x20, 0x6f, 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+    0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x74, 0x68, 0x65, 0x20,
+    0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+    0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20,
+    0x62, 0x65, 0x20, 0x69, 0x74, 0x2e};
+const uint8_t kTestVector1AAD[] = {0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1,
+                                   0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7};
+const uint8_t kTestVector1Key[] = {
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a,
+    0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95,
+    0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f};
+const uint8_t kTestVector1IV[] = {0x07, 0x00, 0x00, 0x00, 0x40, 0x41,
+                                  0x42, 0x43, 0x44, 0x45, 0x46, 0x47};
+const uint8_t kTestVector1CT[] = {
+    0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc,
+    0x53, 0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+    0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e,
+    0x8c, 0xa9, 0x67, 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+    0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6,
+    0x7e, 0xcd, 0x3b, 0x36, 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+    0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4,
+    0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+    0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, 0xe5, 0x76, 0xd2, 0x65,
+    0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16, 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09,
+    0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91};
+
+// ChaCha20/Poly1305 Test Vector 2, RFC 7539
+// <http://tools.ietf.org/html/rfc7539#appendix-A.5>
+const uint8_t kTestVector2Data[] = {
+    0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
+    0x66, 0x74, 0x73, 0x20, 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
+    0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x20,
+    0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
+    0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20, 0x6f, 0x66, 0x20, 0x73,
+    0x69, 0x78, 0x20, 0x6d, 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
+    0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65, 0x20, 0x75, 0x70, 0x64,
+    0x61, 0x74, 0x65, 0x64, 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
+    0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f, 0x62, 0x73, 0x6f, 0x6c,
+    0x65, 0x74, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
+    0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x20,
+    0x61, 0x74, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
+    0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69, 0x6e, 0x61, 0x70, 0x70,
+    0x72, 0x6f, 0x70, 0x72, 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
+    0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
+    0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
+    0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x20, 0x6d, 0x61, 0x74,
+    0x65, 0x72, 0x69, 0x61, 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
+    0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65, 0x6d, 0x20, 0x6f, 0x74,
+    0x68, 0x65, 0x72, 0x20, 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
+    0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x69, 0x6e, 0x20,
+    0x70, 0x72, 0x6f, 0x67, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
+    0x9d};
+const uint8_t kTestVector2AAD[] = {0xf3, 0x33, 0x88, 0x86, 0x00, 0x00,
+                                   0x00, 0x00, 0x00, 0x00, 0x4e, 0x91};
+const uint8_t kTestVector2Key[] = {
+    0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, 0xf3, 0x33, 0x88,
+    0x86, 0x04, 0xf6, 0xb5, 0xf0, 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b,
+    0x80, 0x09, 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0};
+const uint8_t kTestVector2IV[] = {0x00, 0x00, 0x00, 0x00, 0x01, 0x02,
+                                  0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+const uint8_t kTestVector2CT[] = {
+    0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4, 0x60, 0xf0, 0x62, 0xc7,
+    0x9b, 0xe6, 0x43, 0xbd, 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
+    0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2, 0x4c, 0x6c, 0xfc, 0x18,
+    0x75, 0x5d, 0x43, 0xee, 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
+    0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00, 0xd4, 0xf0, 0x3b, 0x7f,
+    0x35, 0x58, 0x94, 0xcf, 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
+    0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81, 0x14, 0xad, 0x17, 0x6e,
+    0x00, 0x8d, 0x33, 0xbd, 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
+    0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61, 0xc1, 0x86, 0x32, 0x4e,
+    0x2b, 0x35, 0x06, 0x38, 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
+    0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4, 0xb9, 0x16, 0x6c, 0x76,
+    0x7b, 0x80, 0x4d, 0x46, 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
+    0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e, 0xe2, 0x82, 0xa1, 0xb0,
+    0xa0, 0x6c, 0x52, 0x3e, 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
+    0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a, 0x0d, 0x07, 0x2b, 0x04,
+    0xb3, 0x56, 0x4e, 0xea, 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
+    0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99, 0x19, 0x55, 0xeb, 0xd6,
+    0x31, 0x59, 0x43, 0x4e, 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
+    0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10, 0x49, 0xe6, 0x17, 0xd9,
+    0x1d, 0x36, 0x10, 0x94, 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
+    0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf, 0x99, 0x7b, 0x71, 0x4d,
+    0x6c, 0x6f, 0x2c, 0x29, 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
+    0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb, 0x22, 0x39, 0x23, 0x36,
+    0xfe, 0xa1, 0x85, 0x1f, 0x38};
+
+class Pkcs11ChaCha20Poly1305Test : public ::testing::Test {
+ public:
+  void EncryptDecrypt(PK11SymKey* symKey, const uint8_t* data, size_t data_len,
+                      const uint8_t* aad, size_t aad_len, const uint8_t* iv,
+                      size_t iv_len, const uint8_t* ct = nullptr,
+                      size_t ct_len = 0) {
+    // Prepare AEAD params.
+    CK_NSS_AEAD_PARAMS aead_params;
+    aead_params.pNonce = toUcharPtr(iv);
+    aead_params.ulNonceLen = iv_len;
+    aead_params.pAAD = toUcharPtr(aad);
+    aead_params.ulAADLen = aad_len;
+    aead_params.ulTagLen = 16;
+
+    SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+                      sizeof(aead_params)};
+
+    // Encrypt.
+    unsigned int outputLen = 0;
+    std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
+    SECStatus rv = PK11_Encrypt(symKey, mech, &params, &output[0], &outputLen,
+                                output.size(), data, data_len);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Check ciphertext and tag.
+    if (ct) {
+      EXPECT_TRUE(!memcmp(ct, &output[0], outputLen));
+    }
+
+    // Decrypt.
+    unsigned int decryptedLen = 0;
+    std::vector<uint8_t> decrypted(data_len);
+    rv = PK11_Decrypt(symKey, mech, &params, &decrypted[0], &decryptedLen,
+                      decrypted.size(), &output[0], outputLen);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Check the plaintext.
+    EXPECT_TRUE(!memcmp(data, &decrypted[0], decryptedLen));
+
+    // Decrypt with bogus data.
+    {
+      std::vector<uint8_t> bogusCiphertext(output);
+      bogusCiphertext[0] ^= 0xff;
+      rv = PK11_Decrypt(symKey, mech, &params, &decrypted[0], &decryptedLen,
+                        decrypted.size(), &bogusCiphertext[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+
+    // Decrypt with bogus tag.
+    {
+      std::vector<uint8_t> bogusTag(output);
+      bogusTag[outputLen - 1] ^= 0xff;
+      rv = PK11_Decrypt(symKey, mech, &params, &decrypted[0], &decryptedLen,
+                        decrypted.size(), &bogusTag[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+
+    // Decrypt with bogus IV.
+    {
+      SECItem bogusParams(params);
+      CK_NSS_AEAD_PARAMS bogusAeadParams(aead_params);
+      bogusParams.data = reinterpret_cast<unsigned char*>(&bogusAeadParams);
+
+      std::vector<uint8_t> bogusIV(iv, iv + iv_len);
+      bogusAeadParams.pNonce = toUcharPtr(&bogusIV[0]);
+      bogusIV[0] ^= 0xff;
+
+      rv = PK11_Decrypt(symKey, mech, &bogusParams, &decrypted[0],
+                        &decryptedLen, data_len, &output[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+
+    // Decrypt with bogus additional data.
+    {
+      SECItem bogusParams(params);
+      CK_NSS_AEAD_PARAMS bogusAeadParams(aead_params);
+      bogusParams.data = reinterpret_cast<unsigned char*>(&bogusAeadParams);
+
+      std::vector<uint8_t> bogusAAD(aad, aad + aad_len);
+      bogusAeadParams.pAAD = toUcharPtr(&bogusAAD[0]);
+      bogusAAD[0] ^= 0xff;
+
+      rv = PK11_Decrypt(symKey, mech, &bogusParams, &decrypted[0],
+                        &decryptedLen, data_len, &output[0], outputLen);
+      EXPECT_NE(rv, SECSuccess);
+    }
+  }
+
+  void EncryptDecrypt(const uint8_t* key, size_t key_len, const uint8_t* data,
+                      size_t data_len, const uint8_t* aad, size_t aad_len,
+                      const uint8_t* iv, size_t iv_len, const uint8_t* ct,
+                      size_t ct_len) {
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    SECItem keyItem = {siBuffer, toUcharPtr(key),
+                       static_cast<unsigned int>(key_len)};
+
+    // Import key.
+    ScopedPK11SymKey symKey(PK11_ImportSymKey(
+        slot.get(), mech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, nullptr));
+    EXPECT_TRUE(!!symKey);
+
+    // Check.
+    EncryptDecrypt(symKey.get(), data, data_len, aad, aad_len, iv, iv_len, ct,
+                   ct_len);
+  }
+
+ protected:
+  CK_MECHANISM_TYPE mech = CKM_NSS_CHACHA20_POLY1305;
+
+  unsigned char* toUcharPtr(const uint8_t* v) {
+    return const_cast<unsigned char*>(static_cast<const unsigned char*>(v));
+  }
+};
+
+#define ENCRYPT_DECRYPT(v)                                                 \
+  EncryptDecrypt(v##Key, sizeof(v##Key), v##Data, sizeof(v##Data), v##AAD, \
+                 sizeof(v##AAD), v##IV, sizeof(v##IV), v##CT, sizeof(v##CT));
+
+TEST_F(Pkcs11ChaCha20Poly1305Test, GenerateEncryptDecrypt) {
+  // Generate a random key.
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  ScopedPK11SymKey symKey(PK11_KeyGen(slot.get(), mech, nullptr, 32, nullptr));
+  EXPECT_TRUE(!!symKey);
+
+  // Generate random data.
+  std::vector<uint8_t> data(512);
+  SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), &data[0], data.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Generate random AAD.
+  std::vector<uint8_t> aad(16);
+  rv = PK11_GenerateRandomOnSlot(slot.get(), &aad[0], aad.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Generate random IV.
+  std::vector<uint8_t> iv(12);
+  rv = PK11_GenerateRandomOnSlot(slot.get(), &iv[0], iv.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Check.
+  EncryptDecrypt(symKey.get(), &data[0], data.size(), &aad[0], aad.size(),
+                 &iv[0], iv.size());
+}
+
+TEST_F(Pkcs11ChaCha20Poly1305Test, CheckTestVector1) {
+  ENCRYPT_DECRYPT(kTestVector1);
+}
+
+TEST_F(Pkcs11ChaCha20Poly1305Test, CheckTestVector2) {
+  ENCRYPT_DECRYPT(kTestVector2);
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
new file mode 100644
index 000000000..e5d5ae8e9
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
@@ -0,0 +1,66 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+class Pkcs11ExportTest : public ::testing::Test {
+ public:
+  void Derive(bool is_export) {
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    EXPECT_TRUE(slot.get());
+
+    uint8_t keyData[48] = {0};
+    SECItem keyItem = {siBuffer, (unsigned char*)keyData, sizeof(keyData)};
+
+    CK_MECHANISM_TYPE mechanism = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+    ScopedPK11SymKey baseKey(PK11_ImportSymKey(
+        slot.get(), mechanism, PK11_OriginUnwrap, CKA_WRAP, &keyItem, nullptr));
+    EXPECT_TRUE(baseKey.get());
+
+    CK_SSL3_KEY_MAT_OUT kmo;
+    kmo.hClientMacSecret = CK_INVALID_HANDLE;
+    kmo.hServerMacSecret = CK_INVALID_HANDLE;
+    kmo.hClientKey = CK_INVALID_HANDLE;
+    kmo.hServerKey = CK_INVALID_HANDLE;
+
+    CK_BYTE iv[8];
+    kmo.pIVClient = iv;
+    kmo.pIVServer = iv;
+
+    CK_SSL3_KEY_MAT_PARAMS kmp;
+    kmp.ulMacSizeInBits = 256;
+    kmp.ulKeySizeInBits = 128;
+    kmp.ulIVSizeInBits = 64;
+    kmp.pReturnedKeyMaterial = &kmo;
+    kmp.bIsExport = is_export;
+
+    unsigned char random[32] = {0};
+    kmp.RandomInfo.pClientRandom = random;
+    kmp.RandomInfo.ulClientRandomLen = sizeof(random);
+    kmp.RandomInfo.pServerRandom = random;
+    kmp.RandomInfo.ulServerRandomLen = sizeof(random);
+
+    SECItem params = {siBuffer, (unsigned char*)&kmp, sizeof(kmp)};
+    ScopedPK11SymKey symKey(PK11_Derive(baseKey.get(), mechanism, &params,
+                                        CKM_SHA512_HMAC, CKA_SIGN, 16));
+
+    // Deriving must fail when is_export=true.
+    EXPECT_EQ(!symKey.get(), is_export);
+  }
+};
+
+TEST_F(Pkcs11ExportTest, DeriveNonExport) { Derive(false); }
+
+TEST_F(Pkcs11ExportTest, DeriveExport) { Derive(true); }
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
new file mode 100644
index 000000000..09bce728d
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@@ -0,0 +1,38 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'pk11_gtest',
+      'type': 'executable',
+      'sources': [
+        'pk11_aeskeywrap_unittest.cc',
+        'pk11_chacha20poly1305_unittest.cc',
+        'pk11_pbkdf2_unittest.cc',
+        'pk11_prf_unittest.cc',
+        'pk11_prng_unittest.cc',
+        'pk11_rsapss_unittest.cc',
+        '<(DEPTH)/gtests/common/gtests.cc'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/lib/freebl/freebl.gyp:<(freebl_name)',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+      ],
+    }
+  ],
+  'target_defaults': {
+    'include_dirs': [
+      '../../gtests/google_test/gtest/include',
+      '../../gtests/common'
+    ]
+  },
+  'variables': {
+    'module': 'nss'
+  }
+}
diff --git a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
new file mode 100644
index 000000000..d72f94c2c
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
@@ -0,0 +1,96 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+static unsigned char* ToUcharPtr(std::string& str) {
+  return const_cast<unsigned char*>(
+      reinterpret_cast<const unsigned char*>(str.c_str()));
+}
+
+class Pkcs11Pbkdf2Test : public ::testing::Test {
+ public:
+  void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg) {
+    // Shared between test vectors.
+    const unsigned int iterations = 4096;
+    std::string pass("passwordPASSWORDpassword");
+    std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt");
+
+    // Derivation must succeed with the right values.
+    EXPECT_TRUE(DeriveBytes(pass, salt, derived, hash_alg, iterations));
+
+    // Derivation must fail when the password is bogus.
+    std::string bogusPass("PasswordPASSWORDpassword");
+    EXPECT_FALSE(DeriveBytes(bogusPass, salt, derived, hash_alg, iterations));
+
+    // Derivation must fail when the salt is bogus.
+    std::string bogusSalt("SaltSALTsaltSALTsaltSALTsaltSALTsalt");
+    EXPECT_FALSE(DeriveBytes(pass, bogusSalt, derived, hash_alg, iterations));
+
+    // Derivation must fail when using the wrong hash function.
+    SECOidTag next_hash_alg = static_cast<SECOidTag>(hash_alg + 1);
+    EXPECT_FALSE(DeriveBytes(pass, salt, derived, next_hash_alg, iterations));
+
+    // Derivation must fail when using the wrong number of iterations.
+    EXPECT_FALSE(DeriveBytes(pass, salt, derived, hash_alg, iterations + 1));
+  }
+
+ private:
+  bool DeriveBytes(std::string& pass, std::string& salt,
+                   std::vector<uint8_t>& derived, SECOidTag hash_alg,
+                   unsigned int iterations) {
+    SECItem passItem = {siBuffer, ToUcharPtr(pass),
+                        static_cast<unsigned int>(pass.length())};
+    SECItem saltItem = {siBuffer, ToUcharPtr(salt),
+                        static_cast<unsigned int>(salt.length())};
+
+    // Set up PBKDF2 params.
+    ScopedSECAlgorithmID alg_id(
+        PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg,
+                                    derived.size(), iterations, &saltItem));
+
+    // Derive.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ScopedPK11SymKey symKey(
+        PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr));
+
+    SECStatus rv = PK11_ExtractKeyValue(symKey.get());
+    EXPECT_EQ(rv, SECSuccess);
+
+    SECItem* keyData = PK11_GetKeyData(symKey.get());
+    return !memcmp(&derived[0], keyData->data, keyData->len);
+  }
+};
+
+// RFC 6070 <http://tools.ietf.org/html/rfc6070>
+TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
+  std::vector<uint8_t> derived = {0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84,
+                                  0x9b, 0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0,
+                                  0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c,
+                                  0xf2, 0xf0, 0x70, 0x38};
+
+  Derive(derived, SEC_OID_HMAC_SHA1);
+}
+
+// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
+TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
+  std::vector<uint8_t> derived = {
+      0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8,
+      0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e,
+      0xbc, 0x18, 0x00, 0x18, 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd,
+      0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9};
+
+  Derive(derived, SEC_OID_HMAC_SHA256);
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_prf_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_prf_unittest.cc
new file mode 100644
index 000000000..f2d4cf3b7
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_prf_unittest.cc
@@ -0,0 +1,229 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const size_t kPmsSize = 48;
+const size_t kMasterSecretSize = 48;
+const size_t kPrfSeedSizeSha256 = 32;
+const size_t kPrfSeedSizeTlsPrf = 36;
+
+// This is not the right size for anything
+const size_t kIncorrectSize = 17;
+
+const uint8_t kPmsData[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+    0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+    0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f};
+
+const uint8_t kPrfSeed[] = {
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+    0xfc, 0xfd, 0xfe, 0xff, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+    0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xd0, 0xd1, 0xd2, 0xd3};
+
+const uint8_t kExpectedOutputEmsSha256[] = {
+    0x75, 0xa7, 0xa5, 0x98, 0xef, 0xab, 0x90, 0xe7, 0x7c, 0x67, 0x80, 0xde,
+    0xab, 0x3a, 0x11, 0xf3, 0x5d, 0xb2, 0xf8, 0x47, 0xff, 0x09, 0x01, 0xec,
+    0xf8, 0x93, 0x89, 0xfc, 0x98, 0x2e, 0x6e, 0xf9, 0x2c, 0xf5, 0x9b, 0x04,
+    0x04, 0x6f, 0xd7, 0x28, 0x6e, 0xea, 0xe3, 0x83, 0xc4, 0x4a, 0xff, 0x03};
+
+const uint8_t kExpectedOutputEmsTlsPrf[] = {
+    0x06, 0xbf, 0x29, 0x86, 0x5d, 0xf3, 0x3e, 0x38, 0xfd, 0xfa, 0x91, 0x10,
+    0x2a, 0x20, 0xff, 0xd6, 0xb9, 0xd5, 0x72, 0x5a, 0x6d, 0x42, 0x20, 0x16,
+    0xde, 0xa4, 0xa0, 0x51, 0xe5, 0x53, 0xc1, 0x28, 0x04, 0x99, 0xbc, 0xb1,
+    0x2c, 0x9d, 0xe8, 0x0b, 0x18, 0xa2, 0x0e, 0x48, 0x52, 0x8d, 0x61, 0x13};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(static_cast<const unsigned char*>(v));
+}
+
+class TlsPrfTest : public ::testing::Test {
+ public:
+  TlsPrfTest()
+      : params_({siBuffer, nullptr, 0}),
+        pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize}),
+        key_mech_(0),
+        slot_(nullptr),
+        pms_(nullptr),
+        ms_(nullptr),
+        pms_version_({0, 0}) {}
+
+  ~TlsPrfTest() {
+    if (slot_) {
+      PK11_FreeSlot(slot_);
+    }
+    ClearTempVars();
+  }
+
+  void ClearTempVars() {
+    if (pms_) {
+      PK11_FreeSymKey(pms_);
+    }
+    if (ms_) {
+      PK11_FreeSymKey(ms_);
+    }
+  }
+
+  void Init() {
+    params_.type = siBuffer;
+
+    pms_item_.type = siBuffer;
+    pms_item_.data =
+        const_cast<unsigned char*>(static_cast<const unsigned char*>(kPmsData));
+
+    slot_ = PK11_GetInternalSlot();
+    ASSERT_NE(nullptr, slot_);
+  }
+
+  void CheckForError(CK_MECHANISM_TYPE hash_mech, size_t seed_len,
+                     size_t pms_len, size_t output_len) {
+    // Error tests don't depend on the derivation mechansim
+    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech, seed_len, pms_len,
+          output_len, nullptr, nullptr);
+  }
+
+  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
+                          CK_MECHANISM_TYPE hash_mech, CK_VERSION* version,
+                          const uint8_t* expected) {
+    // Infer seed length from mechanism
+    int seed_len = 0;
+    switch (hash_mech) {
+      case CKM_TLS_PRF:
+        seed_len = kPrfSeedSizeTlsPrf;
+        break;
+      case CKM_SHA256:
+        seed_len = kPrfSeedSizeSha256;
+        break;
+      default:
+        ASSERT_TRUE(false);
+    }
+
+    Inner(derive_mech, hash_mech, seed_len, kPmsSize, 0, version, expected);
+  }
+
+  // Set output == nullptr to test when errors occur
+  void Inner(CK_MECHANISM_TYPE derive_mech, CK_MECHANISM_TYPE hash_mech,
+             size_t seed_len, size_t pms_len, size_t output_len,
+             CK_VERSION* version, const uint8_t* expected) {
+    ClearTempVars();
+
+    // Infer the key mechanism from the hash type
+    switch (hash_mech) {
+      case CKM_TLS_PRF:
+        key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE;
+        break;
+      case CKM_SHA256:
+        key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+        break;
+      default:
+        ASSERT_TRUE(false);
+    }
+
+    // Import the params
+    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
+        hash_mech, toUcharPtr(kPrfSeed), static_cast<CK_ULONG>(seed_len),
+        version};
+    params_.data = reinterpret_cast<unsigned char*>(&master_params);
+    params_.len = sizeof(master_params);
+
+    // Import the PMS
+    pms_item_.len = pms_len;
+    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap, CKA_DERIVE,
+                             &pms_item_, NULL);
+    ASSERT_NE(nullptr, pms_);
+
+    // Compute the EMS
+    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
+                               CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
+
+    // Verify the EMS has the expected value (null or otherwise)
+    if (!expected) {
+      EXPECT_EQ(nullptr, ms_);
+    } else {
+      ASSERT_NE(nullptr, ms_);
+
+      SECStatus rv = PK11_ExtractKeyValue(ms_);
+      ASSERT_EQ(SECSuccess, rv);
+
+      SECItem* msData = PK11_GetKeyData(ms_);
+      ASSERT_NE(nullptr, msData);
+
+      ASSERT_EQ(kMasterSecretSize, msData->len);
+      EXPECT_EQ(0, memcmp(msData->data, expected, kMasterSecretSize));
+    }
+  }
+
+ protected:
+  SECItem params_;
+  SECItem pms_item_;
+  CK_MECHANISM_TYPE key_mech_;
+  PK11SlotInfo* slot_;
+  PK11SymKey* pms_;
+  PK11SymKey* ms_;
+  CK_VERSION pms_version_;
+};
+
+TEST_F(TlsPrfTest, ExtendedMsParamErr) {
+  Init();
+
+  // This should fail; it's the correct set from which the below are derived
+  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
+  // kPrfSeedSizeTlsPrf, kPmsSize, 0);
+
+  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
+
+  // not-DH && pms size != SSL3_PMS_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
+
+  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
+  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
+
+  // !CKM_TLS_PRF && seed length != hash output length
+  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
+}
+
+// Test matrix:
+//
+//            DH  RSA
+//  TLS_PRF   1   2
+//  SHA256    3   4
+TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_TLS_PRF,
+                     nullptr, kExpectedOutputEmsTlsPrf);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF,
+                     &pms_version_, kExpectedOutputEmsTlsPrf);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, CKM_SHA256,
+                     nullptr, kExpectedOutputEmsSha256);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_SHA256,
+                     &pms_version_, kExpectedOutputEmsSha256);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_prng_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_prng_unittest.cc
new file mode 100644
index 000000000..fd2865169
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_prng_unittest.cc
@@ -0,0 +1,78 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "blapi.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+class PK11PrngTest : public ::testing::Test {};
+
+#ifdef UNSAFE_FUZZER_MODE
+
+// Test that two consecutive calls to the RNG return two distinct values.
+TEST_F(PK11PrngTest, Fuzz_DetPRNG) {
+  std::vector<uint8_t> rnd1(2048, 0);
+  std::vector<uint8_t> rnd2(2048, 0);
+
+  SECStatus rv = PK11_GenerateRandom(rnd1.data(), rnd1.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  rv = PK11_GenerateRandom(rnd2.data(), rnd2.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  EXPECT_NE(rnd1, rnd2);
+}
+
+// Test that two consecutive calls to the RNG return two equal values
+// when the RNG's internal state is reset before each call.
+TEST_F(PK11PrngTest, Fuzz_DetPRNG_Reset) {
+  std::vector<uint8_t> rnd1(2048, 0);
+  std::vector<uint8_t> rnd2(2048, 0);
+
+  RNG_ResetForFuzzing();
+
+  SECStatus rv = PK11_GenerateRandom(rnd1.data(), rnd1.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  RNG_ResetForFuzzing();
+
+  rv = PK11_GenerateRandom(rnd2.data(), rnd2.size());
+  EXPECT_EQ(rv, SECSuccess);
+
+  EXPECT_EQ(rnd1, rnd2);
+}
+
+// Test that the RNG's internal state progresses in a consistent manner.
+TEST_F(PK11PrngTest, Fuzz_DetPRNG_StatefulReset) {
+  std::vector<uint8_t> rnd1(2048, 0);
+  std::vector<uint8_t> rnd2(2048, 0);
+
+  RNG_ResetForFuzzing();
+
+  SECStatus rv = PK11_GenerateRandom(rnd1.data(), rnd1.size() - 1024);
+  EXPECT_EQ(rv, SECSuccess);
+
+  rv = PK11_GenerateRandom(rnd1.data() + 1024, rnd1.size() - 1024);
+  EXPECT_EQ(rv, SECSuccess);
+
+  RNG_ResetForFuzzing();
+
+  rv = PK11_GenerateRandom(rnd2.data(), rnd2.size() - 1024);
+  EXPECT_EQ(rv, SECSuccess);
+
+  rv = PK11_GenerateRandom(rnd2.data() + 1024, rnd2.size() - 1024);
+  EXPECT_EQ(rv, SECSuccess);
+
+  EXPECT_EQ(rnd1, rnd2);
+}
+
+#endif
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
new file mode 100644
index 000000000..3e860a549
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -0,0 +1,242 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+#include "sechash.h"
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+// RSA-PSS test vectors, pss-vect.txt, Example 1: A 1024-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+const uint8_t kTestVector1Spki[] = {
+    0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+    0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
+    0x89, 0x02, 0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17,
+    0x58, 0x9a, 0x51, 0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec,
+    0x0e, 0x36, 0xad, 0x52, 0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9,
+    0x91, 0xd8, 0xc5, 0x10, 0x56, 0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2,
+    0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94, 0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91,
+    0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0, 0xb1, 0xdf, 0xd5, 0xcd, 0x95,
+    0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5, 0xd6, 0x71, 0xef, 0x63,
+    0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70, 0xe2, 0x59, 0x8e,
+    0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0, 0xcb, 0x35,
+    0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22, 0xe1,
+    0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
+    0x37, 0x02, 0x03, 0x01, 0x00, 0x01};
+// RSA-PSS test vectors, pss-vect.txt, Example 1.1
+const uint8_t kTestVector1Data[] = {
+    0xcd, 0xc8, 0x7d, 0xa2, 0x23, 0xd7, 0x86, 0xdf, 0x3b, 0x45, 0xe0, 0xbb,
+    0xbc, 0x72, 0x13, 0x26, 0xd1, 0xee, 0x2a, 0xf8, 0x06, 0xcc, 0x31, 0x54,
+    0x75, 0xcc, 0x6f, 0x0d, 0x9c, 0x66, 0xe1, 0xb6, 0x23, 0x71, 0xd4, 0x5c,
+    0xe2, 0x39, 0x2e, 0x1a, 0xc9, 0x28, 0x44, 0xc3, 0x10, 0x10, 0x2f, 0x15,
+    0x6a, 0x0d, 0x8d, 0x52, 0xc1, 0xf4, 0xc4, 0x0b, 0xa3, 0xaa, 0x65, 0x09,
+    0x57, 0x86, 0xcb, 0x76, 0x97, 0x57, 0xa6, 0x56, 0x3b, 0xa9, 0x58, 0xfe,
+    0xd0, 0xbc, 0xc9, 0x84, 0xe8, 0xb5, 0x17, 0xa3, 0xd5, 0xf5, 0x15, 0xb2,
+    0x3b, 0x8a, 0x41, 0xe7, 0x4a, 0xa8, 0x67, 0x69, 0x3f, 0x90, 0xdf, 0xb0,
+    0x61, 0xa6, 0xe8, 0x6d, 0xfa, 0xae, 0xe6, 0x44, 0x72, 0xc0, 0x0e, 0x5f,
+    0x20, 0x94, 0x57, 0x29, 0xcb, 0xeb, 0xe7, 0x7f, 0x06, 0xce, 0x78, 0xe0,
+    0x8f, 0x40, 0x98, 0xfb, 0xa4, 0x1f, 0x9d, 0x61, 0x93, 0xc0, 0x31, 0x7e,
+    0x8b, 0x60, 0xd4, 0xb6, 0x08, 0x4a, 0xcb, 0x42, 0xd2, 0x9e, 0x38, 0x08,
+    0xa3, 0xbc, 0x37, 0x2d, 0x85, 0xe3, 0x31, 0x17, 0x0f, 0xcb, 0xf7, 0xcc,
+    0x72, 0xd0, 0xb7, 0x1c, 0x29, 0x66, 0x48, 0xb3, 0xa4, 0xd1, 0x0f, 0x41,
+    0x62, 0x95, 0xd0, 0x80, 0x7a, 0xa6, 0x25, 0xca, 0xb2, 0x74, 0x4f, 0xd9,
+    0xea, 0x8f, 0xd2, 0x23, 0xc4, 0x25, 0x37, 0x02, 0x98, 0x28, 0xbd, 0x16,
+    0xbe, 0x02, 0x54, 0x6f, 0x13, 0x0f, 0xd2, 0xe3, 0x3b, 0x93, 0x6d, 0x26,
+    0x76, 0xe0, 0x8a, 0xed, 0x1b, 0x73, 0x31, 0x8b, 0x75, 0x0a, 0x01, 0x67,
+    0xd0};
+const uint8_t kTestVector1Sig[] = {
+    0x90, 0x74, 0x30, 0x8f, 0xb5, 0x98, 0xe9, 0x70, 0x1b, 0x22, 0x94, 0x38,
+    0x8e, 0x52, 0xf9, 0x71, 0xfa, 0xac, 0x2b, 0x60, 0xa5, 0x14, 0x5a, 0xf1,
+    0x85, 0xdf, 0x52, 0x87, 0xb5, 0xed, 0x28, 0x87, 0xe5, 0x7c, 0xe7, 0xfd,
+    0x44, 0xdc, 0x86, 0x34, 0xe4, 0x07, 0xc8, 0xe0, 0xe4, 0x36, 0x0b, 0xc2,
+    0x26, 0xf3, 0xec, 0x22, 0x7f, 0x9d, 0x9e, 0x54, 0x63, 0x8e, 0x8d, 0x31,
+    0xf5, 0x05, 0x12, 0x15, 0xdf, 0x6e, 0xbb, 0x9c, 0x2f, 0x95, 0x79, 0xaa,
+    0x77, 0x59, 0x8a, 0x38, 0xf9, 0x14, 0xb5, 0xb9, 0xc1, 0xbd, 0x83, 0xc4,
+    0xe2, 0xf9, 0xf3, 0x82, 0xa0, 0xd0, 0xaa, 0x35, 0x42, 0xff, 0xee, 0x65,
+    0x98, 0x4a, 0x60, 0x1b, 0xc6, 0x9e, 0xb2, 0x8d, 0xeb, 0x27, 0xdc, 0xa1,
+    0x2c, 0x82, 0xc2, 0xd4, 0xc3, 0xf6, 0x6c, 0xd5, 0x00, 0xf1, 0xff, 0x2b,
+    0x99, 0x4d, 0x8a, 0x4e, 0x30, 0xcb, 0xb3, 0x3c};
+
+// RSA-PSS test vectors, pss-vect.txt, Example 10: A 2048-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+const uint8_t kTestVector2Spki[] = {
+    0x30, 0x82, 0x01, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+    0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0e, 0x00,
+    0x30, 0x82, 0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0xa5, 0xdd, 0x86, 0x7a,
+    0xc4, 0xcb, 0x02, 0xf9, 0x0b, 0x94, 0x57, 0xd4, 0x8c, 0x14, 0xa7, 0x70,
+    0xef, 0x99, 0x1c, 0x56, 0xc3, 0x9c, 0x0e, 0xc6, 0x5f, 0xd1, 0x1a, 0xfa,
+    0x89, 0x37, 0xce, 0xa5, 0x7b, 0x9b, 0xe7, 0xac, 0x73, 0xb4, 0x5c, 0x00,
+    0x17, 0x61, 0x5b, 0x82, 0xd6, 0x22, 0xe3, 0x18, 0x75, 0x3b, 0x60, 0x27,
+    0xc0, 0xfd, 0x15, 0x7b, 0xe1, 0x2f, 0x80, 0x90, 0xfe, 0xe2, 0xa7, 0xad,
+    0xcd, 0x0e, 0xef, 0x75, 0x9f, 0x88, 0xba, 0x49, 0x97, 0xc7, 0xa4, 0x2d,
+    0x58, 0xc9, 0xaa, 0x12, 0xcb, 0x99, 0xae, 0x00, 0x1f, 0xe5, 0x21, 0xc1,
+    0x3b, 0xb5, 0x43, 0x14, 0x45, 0xa8, 0xd5, 0xae, 0x4f, 0x5e, 0x4c, 0x7e,
+    0x94, 0x8a, 0xc2, 0x27, 0xd3, 0x60, 0x40, 0x71, 0xf2, 0x0e, 0x57, 0x7e,
+    0x90, 0x5f, 0xbe, 0xb1, 0x5d, 0xfa, 0xf0, 0x6d, 0x1d, 0xe5, 0xae, 0x62,
+    0x53, 0xd6, 0x3a, 0x6a, 0x21, 0x20, 0xb3, 0x1a, 0x5d, 0xa5, 0xda, 0xbc,
+    0x95, 0x50, 0x60, 0x0e, 0x20, 0xf2, 0x7d, 0x37, 0x39, 0xe2, 0x62, 0x79,
+    0x25, 0xfe, 0xa3, 0xcc, 0x50, 0x9f, 0x21, 0xdf, 0xf0, 0x4e, 0x6e, 0xea,
+    0x45, 0x49, 0xc5, 0x40, 0xd6, 0x80, 0x9f, 0xf9, 0x30, 0x7e, 0xed, 0xe9,
+    0x1f, 0xff, 0x58, 0x73, 0x3d, 0x83, 0x85, 0xa2, 0x37, 0xd6, 0xd3, 0x70,
+    0x5a, 0x33, 0xe3, 0x91, 0x90, 0x09, 0x92, 0x07, 0x0d, 0xf7, 0xad, 0xf1,
+    0x35, 0x7c, 0xf7, 0xe3, 0x70, 0x0c, 0xe3, 0x66, 0x7d, 0xe8, 0x3f, 0x17,
+    0xb8, 0xdf, 0x17, 0x78, 0xdb, 0x38, 0x1d, 0xce, 0x09, 0xcb, 0x4a, 0xd0,
+    0x58, 0xa5, 0x11, 0x00, 0x1a, 0x73, 0x81, 0x98, 0xee, 0x27, 0xcf, 0x55,
+    0xa1, 0x3b, 0x75, 0x45, 0x39, 0x90, 0x65, 0x82, 0xec, 0x8b, 0x17, 0x4b,
+    0xd5, 0x8d, 0x5d, 0x1f, 0x3d, 0x76, 0x7c, 0x61, 0x37, 0x21, 0xae, 0x05,
+    0x02, 0x03, 0x01, 0x00, 0x01};
+// RSA-PSS test vectors, pss-vect.txt, Example 10.1
+const uint8_t kTestVector2Data[] = {
+    0x88, 0x31, 0x77, 0xe5, 0x12, 0x6b, 0x9b, 0xe2, 0xd9, 0xa9,
+    0x68, 0x03, 0x27, 0xd5, 0x37, 0x0c, 0x6f, 0x26, 0x86, 0x1f,
+    0x58, 0x20, 0xc4, 0x3d, 0xa6, 0x7a, 0x3a, 0xd6, 0x09};
+const uint8_t kTestVector2Sig[] = {
+    0x82, 0xc2, 0xb1, 0x60, 0x09, 0x3b, 0x8a, 0xa3, 0xc0, 0xf7, 0x52, 0x2b,
+    0x19, 0xf8, 0x73, 0x54, 0x06, 0x6c, 0x77, 0x84, 0x7a, 0xbf, 0x2a, 0x9f,
+    0xce, 0x54, 0x2d, 0x0e, 0x84, 0xe9, 0x20, 0xc5, 0xaf, 0xb4, 0x9f, 0xfd,
+    0xfd, 0xac, 0xe1, 0x65, 0x60, 0xee, 0x94, 0xa1, 0x36, 0x96, 0x01, 0x14,
+    0x8e, 0xba, 0xd7, 0xa0, 0xe1, 0x51, 0xcf, 0x16, 0x33, 0x17, 0x91, 0xa5,
+    0x72, 0x7d, 0x05, 0xf2, 0x1e, 0x74, 0xe7, 0xeb, 0x81, 0x14, 0x40, 0x20,
+    0x69, 0x35, 0xd7, 0x44, 0x76, 0x5a, 0x15, 0xe7, 0x9f, 0x01, 0x5c, 0xb6,
+    0x6c, 0x53, 0x2c, 0x87, 0xa6, 0xa0, 0x59, 0x61, 0xc8, 0xbf, 0xad, 0x74,
+    0x1a, 0x9a, 0x66, 0x57, 0x02, 0x28, 0x94, 0x39, 0x3e, 0x72, 0x23, 0x73,
+    0x97, 0x96, 0xc0, 0x2a, 0x77, 0x45, 0x5d, 0x0f, 0x55, 0x5b, 0x0e, 0xc0,
+    0x1d, 0xdf, 0x25, 0x9b, 0x62, 0x07, 0xfd, 0x0f, 0xd5, 0x76, 0x14, 0xce,
+    0xf1, 0xa5, 0x57, 0x3b, 0xaa, 0xff, 0x4e, 0xc0, 0x00, 0x69, 0x95, 0x16,
+    0x59, 0xb8, 0x5f, 0x24, 0x30, 0x0a, 0x25, 0x16, 0x0c, 0xa8, 0x52, 0x2d,
+    0xc6, 0xe6, 0x72, 0x7e, 0x57, 0xd0, 0x19, 0xd7, 0xe6, 0x36, 0x29, 0xb8,
+    0xfe, 0x5e, 0x89, 0xe2, 0x5c, 0xc1, 0x5b, 0xeb, 0x3a, 0x64, 0x75, 0x77,
+    0x55, 0x92, 0x99, 0x28, 0x0b, 0x9b, 0x28, 0xf7, 0x9b, 0x04, 0x09, 0x00,
+    0x0b, 0xe2, 0x5b, 0xbd, 0x96, 0x40, 0x8b, 0xa3, 0xb4, 0x3c, 0xc4, 0x86,
+    0x18, 0x4d, 0xd1, 0xc8, 0xe6, 0x25, 0x53, 0xfa, 0x1a, 0xf4, 0x04, 0x0f,
+    0x60, 0x66, 0x3d, 0xe7, 0xf5, 0xe4, 0x9c, 0x04, 0x38, 0x8e, 0x25, 0x7f,
+    0x1c, 0xe8, 0x9c, 0x95, 0xda, 0xb4, 0x8a, 0x31, 0x5d, 0x9b, 0x66, 0xb1,
+    0xb7, 0x62, 0x82, 0x33, 0x87, 0x6f, 0xf2, 0x38, 0x52, 0x30, 0xd0, 0x70,
+    0xd0, 0x7e, 0x16, 0x66};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(static_cast<const unsigned char*>(v));
+}
+
+class Pkcs11RsaPssTest : public ::testing::Test {};
+
+class Pkcs11RsaPssVectorTest : public Pkcs11RsaPssTest {
+ public:
+  void Verify(const uint8_t* spki, size_t spki_len, const uint8_t* data,
+              size_t data_len, const uint8_t* sig, size_t sig_len) {
+    // Verify data signed with PSS/SHA-1.
+    SECOidTag hashOid = SEC_OID_SHA1;
+    CK_MECHANISM_TYPE hashMech = CKM_SHA_1;
+    CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA1;
+
+    // Set up PSS parameters.
+    unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
+    CK_RSA_PKCS_PSS_PARAMS rsaPssParams = {hashMech, mgf, hLen};
+    SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
+                      sizeof(rsaPssParams)};
+
+    // Import public key.
+    SECItem spkiItem = {siBuffer, toUcharPtr(spki),
+                        static_cast<unsigned int>(spki_len)};
+    ScopedCERTSubjectPublicKeyInfo certSpki(
+        SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+    ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+
+    // Hash the data.
+    std::vector<uint8_t> hashBuf(hLen);
+    SECItem hash = {siBuffer, &hashBuf[0],
+                    static_cast<unsigned int>(hashBuf.size())};
+    SECStatus rv = PK11_HashBuf(hashOid, hash.data, toUcharPtr(data), data_len);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Verify.
+    CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
+    SECItem sigItem = {siBuffer, toUcharPtr(sig),
+                       static_cast<unsigned int>(sig_len)};
+    rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sigItem, &hash,
+                                  nullptr);
+    EXPECT_EQ(rv, SECSuccess);
+  }
+};
+
+#define PSS_TEST_VECTOR_VERIFY(spki, data, sig) \
+  Verify(spki, sizeof(spki), data, sizeof(data), sig, sizeof(sig));
+
+TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
+  // Sign data with a 1024-bit RSA key, using PSS/SHA-256.
+  SECOidTag hashOid = SEC_OID_SHA256;
+  CK_MECHANISM_TYPE hashMech = CKM_SHA256;
+  CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
+  PK11RSAGenParams rsaGenParams = {1024, 0x10001};
+
+  // Generate RSA key pair.
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  SECKEYPublicKey* pubKeyRaw = nullptr;
+  ScopedSECKEYPrivateKey privKey(
+      PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaGenParams,
+                           &pubKeyRaw, false, false, nullptr));
+  ASSERT_TRUE(!!privKey && pubKeyRaw);
+  ScopedSECKEYPublicKey pubKey(pubKeyRaw);
+
+  // Generate random data to sign.
+  uint8_t dataBuf[50];
+  SECItem data = {siBuffer, dataBuf, sizeof(dataBuf)};
+  unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
+  SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), data.data, data.len);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Allocate memory for the signature.
+  std::vector<uint8_t> sigBuf(PK11_SignatureLen(privKey.get()));
+  SECItem sig = {siBuffer, &sigBuf[0],
+                 static_cast<unsigned int>(sigBuf.size())};
+
+  // Set up PSS parameters.
+  CK_RSA_PKCS_PSS_PARAMS rsaPssParams = {hashMech, mgf, hLen};
+  SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
+                    sizeof(rsaPssParams)};
+
+  // Sign.
+  CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
+  rv = PK11_SignWithMechanism(privKey.get(), mech, &params, &sig, &data);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Verify.
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Verification with modified data must fail.
+  data.data[0] ^= 0xff;
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECFailure);
+
+  // Verification with original data but the wrong signature must fail.
+  data.data[0] ^= 0xff;  // Revert previous changes.
+  sig.data[0] ^= 0xff;
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECFailure);
+}
+
+// RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature1) {
+  PSS_TEST_VECTOR_VERIFY(kTestVector1Spki, kTestVector1Data, kTestVector1Sig);
+}
+
+// RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) {
+  PSS_TEST_VECTOR_VERIFY(kTestVector2Spki, kTestVector2Data, kTestVector2Sig);
+}
+
+}  // namespace nss_test