From 33e2251220bb0593b4d4e637eb2c99be435cf433 Mon Sep 17 00:00:00 2001
From: Shane Jaroch <chown_tee@proton.me>
Date: Fri, 9 Jan 2026 05:39:01 -0500
Subject: [PATCH] master password v146 non-mixed profiles. inspect. ruff.

use --reveal-keys flag
use git-sqlite-filter for *.db files
---
 .gitattributes                   |   7 +
 Makefile                         |   6 +-
 ffpass/__init__.py               | 494 +++++++++++++++++++++++++------
 ffpass/nss.py                    | 155 ++++++++++
 requirements-dev.txt             |   2 +
 tests/conftest.py                |  20 ++
 tests/firefox-146-aes/key4.db    | Bin 294912 -> 3808 bytes
 tests/firefox-14iv/cert9.db      |   9 +
 tests/firefox-14iv/key4.db       |  13 +
 tests/firefox-14iv/logins.json   |   1 +
 tests/firefox-14iv/pkcs11.txt    |   5 +
 tests/firefox-70/key4.db         | Bin 294912 -> 2320 bytes
 tests/firefox-84/key4.db         | Bin 294912 -> 2931 bytes
 tests/firefox-mixed-keys/key4.db | Bin 16384 -> 476 bytes
 tests/firefox-mp-70/key4.db      | Bin 294912 -> 2320 bytes
 tests/firefox-mp-84/key4.db      | Bin 294912 -> 2931 bytes
 tests/firefox-mp-test/key4.db    | Bin 16384 -> 618 bytes
 tests/test_inspect.py            |  58 ++++
 tests/test_key.py                |  34 ++-
 tests/test_mixed_keys_run.py     |  21 +-
 tests/test_native_verify.py      |  44 +++
 tests/test_run.py                |  61 ++--
 tests/test_sha256_mock.py        | 218 ++++++++++++++
 23 files changed, 985 insertions(+), 163 deletions(-)
 create mode 100644 .gitattributes
 create mode 100644 ffpass/nss.py
 create mode 100644 tests/conftest.py
 create mode 100644 tests/firefox-14iv/cert9.db
 create mode 100644 tests/firefox-14iv/key4.db
 create mode 100644 tests/firefox-14iv/logins.json
 create mode 100644 tests/firefox-14iv/pkcs11.txt
 create mode 100644 tests/test_inspect.py
 create mode 100644 tests/test_native_verify.py
 create mode 100644 tests/test_sha256_mock.py

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f42f38d
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,7 @@
+*.db filter=sqlite diff=sqlite
+
+# NOTE: you can also configure the git filter/smudge for this repo:
+# git config set --local filter.sqlite.clean=git-sqlite-clean %f
+# git config set --local filter.sqlite.smudge=git-sqlite-smudge %f
+# git config set --local filter.sqlite.required=true
+
diff --git a/Makefile b/Makefile
index 9e05248..d9951e3 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ release: build	## Upload release to PyPI (via Twine)
 
 
 
-LINT_LOCS_PY ?= ffpass/ scripts tests/
+LINT_LOCS_PY ?= ffpass/ tests/
 
 .PHONY: format
 format:	## Not phased in yet, no-op
@@ -33,6 +33,7 @@ format:	## Not phased in yet, no-op
 .PHONY: lint
 lint:	## Lint the code
 	flake8 --count --show-source --statistics
+	ruff check ${LINT_LOCS_PY}
 
 
 .PHONY: test
@@ -54,5 +55,8 @@ clean:	## Clean up build files/cache
 	find . \
 		  -name .venv -prune \
 		  -o -name __pycache__ -print \
+		  -o -name *.egg -print \
 		  -o -name .pytest_cache -print \
+		  -o -name .coverage -print \
+		  -o -name .mypy_cache -print \
 		| xargs -r rm -rf
diff --git a/ffpass/__init__.py b/ffpass/__init__.py
index 3184934..a134e2d 100755
--- a/ffpass/__init__.py
+++ b/ffpass/__init__.py
@@ -9,11 +9,11 @@ The MIT License (MIT)
 Copyright (c) 2018 Louis Abraham <louis.abraham@yahoo.fr>
 Laurent Clevy (@lorenzo2472)
 # from https://github.com/lclevy/firepwd/blob/master/firepwd.py
-\x1B[34m\033[F\033[F
+\x1b[34m\033[F\033[F
 
 ffpass can import and export passwords from Firefox Quantum.
 
-\x1B[0m\033[1m\033[F\033[F
+\x1b[0m\033[1m\033[F\033[F
 
 example of usage:
     ffpass export --file passwords.csv
@@ -28,30 +28,28 @@ If you found this code useful, add a star on <https://github.com/louisabraham/ff
 """
 
 
-import sys
-from base64 import b64decode, b64encode
-from hashlib import sha1, pbkdf2_hmac
 import argparse
-import json
-from pathlib import Path
+import binascii
 import csv
+import json
+import logging
+import os.path
 import secrets
-from getpass import getpass
-from uuid import uuid4
-from datetime import datetime
-from urllib.parse import urlparse
 import sqlite3
-import os.path
-import logging
 import string
+import sys
+from base64 import b64decode, b64encode
+from datetime import datetime
+from getpass import getpass
+from hashlib import pbkdf2_hmac, sha1, sha256, sha512
+from pathlib import Path
+from urllib.parse import urlparse
+from uuid import uuid4
 
+from Crypto.Cipher import AES, DES3
 from pyasn1.codec.der.decoder import decode as der_decode
 from pyasn1.codec.der.encoder import encode as der_encode
-from pyasn1.type.univ import Sequence, OctetString, ObjectIdentifier
-from Crypto.Cipher import AES, DES3
-
-# noqa: W503
-# line break before binary operator
+from pyasn1.type.univ import ObjectIdentifier, OctetString, Sequence
 
 MAGIC1 = b"\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
 
@@ -76,6 +74,12 @@ class WrongPassword(Exception):
     pass
 
 
+class IncompatibleCryptoError(WrongPassword):
+    """Raised when encryption parameters are detected that ffpass cannot handle (e.g. 14-byte IV), suggesting the password might be correct but verification failed."""
+
+    pass
+
+
 class NoProfile(Exception):
     pass
 
@@ -94,13 +98,13 @@ def censor(data):
 
     third = length // 3
     two_thirds = (2 * length) // 3
-    return f"{s[:third]}.....{s[two_thirds:]}"
+    return f"{s[:third]}...{s[two_thirds:]}"
 
 
 def clean_iv(iv_bytes):
     if len(iv_bytes) == 14:
-        return b'\x04\x0e' + iv_bytes
-    elif len(iv_bytes) == 18 and iv_bytes.startswith(b'\x04\x10'):
+        return b"\x04\x0e" + iv_bytes
+    elif len(iv_bytes) == 18 and iv_bytes.startswith(b"\x04\x10"):
         return iv_bytes[2:]
     return iv_bytes
 
@@ -118,6 +122,7 @@ def PKCS7unpad(b):
 
 def decrypt3DES(globalSalt, masterPassword, entrySalt, encryptedData):
     import hmac
+
     hp = sha1(globalSalt + masterPassword.encode()).digest()
     pes = entrySalt + b"\x00" * (20 - len(entrySalt))
     chp = sha1(hp + entrySalt).digest()
@@ -131,7 +136,30 @@ def decrypt3DES(globalSalt, masterPassword, entrySalt, encryptedData):
     return DES3.new(key, DES3.MODE_CBC, iv).decrypt(encryptedData)
 
 
-def decrypt_key_entry(a11, global_salt, master_password):
+def hash_password(global_salt, pwd, method):
+    if method == "sha1":
+        return sha1(global_salt + pwd.encode("utf-8")).digest()
+    elif method == "sha256":
+        return sha256(global_salt + pwd.encode("utf-8")).digest()
+    elif method == "plaintext":
+        return pwd.encode("utf-8")
+    elif method == "sha256_no_salt":
+        return sha256(pwd.encode("utf-8")).digest()
+    elif method == "sha1_no_salt":
+        return sha1(pwd.encode("utf-8")).digest()
+    elif method == "concat":
+        return global_salt + pwd.encode("utf-8")
+
+    # SHA512 Variants
+    elif method == "sha512":
+        return sha512(global_salt + pwd.encode("utf-8")).digest()
+    elif method == "sha512_no_salt":
+        return sha512(pwd.encode("utf-8")).digest()
+
+    raise ValueError(f"Unknown hashing method: {method}")
+
+
+def decrypt_key_entry(a11, global_salt, master_password, hash_method="sha1"):
     try:
         decoded, _ = der_decode(a11)
         key_oid = decoded[0][0].asTuple()
@@ -145,10 +173,12 @@ def decrypt_key_entry(a11, global_salt, master_password):
             key_len = int(pbkdf2_params[2])
 
             logging.debug(f"  > Method: PBKDF2-HMAC-SHA256 | Iterations: {iters}")
-            logging.debug(f"  > Salt: {censor(entry_salt)} (Local) + {censor(global_salt)} (Global)")
+            logging.debug(
+                f"  > Salt: {censor(entry_salt)} (Local) + {censor(global_salt)} (Global)"
+            )
 
-            enc_pwd = sha1(global_salt + master_password.encode('utf-8')).digest()
-            k = pbkdf2_hmac('sha256', enc_pwd, entry_salt, iters, dklen=key_len)
+            enc_pwd = hash_password(global_salt, master_password, hash_method)
+            k = pbkdf2_hmac("sha256", enc_pwd, entry_salt, iters, dklen=key_len)
 
             iv = clean_iv(decoded[0][1][1][1].asOctets())
             logging.debug(f"  > Cipher: AES-256-CBC | IV: {censor(iv)}")
@@ -162,19 +192,23 @@ def decrypt_key_entry(a11, global_salt, master_password):
             ciphertext = decoded[1].asOctets()
 
             logging.debug("  > Method: PKCS12-3DES-Derivation")
-            logging.debug(f"  > Salt: {censor(entry_salt)} (Local) + {censor(global_salt)} (Global)")
+            logging.debug(
+                f"  > Salt: {censor(entry_salt)} (Local) + {censor(global_salt)} (Global)"
+            )
 
-            return PKCS7unpad(decrypt3DES(global_salt, master_password, entry_salt, ciphertext))
+            return PKCS7unpad(
+                decrypt3DES(global_salt, master_password, entry_salt, ciphertext)
+            )
 
     except Exception as e:
         logging.debug(f"  > Failed: {e}")
         return None
 
 
-def verify_password(global_salt, item2, pwd):
+def verify_password(global_salt, item2, pwd):  # noqa: C901
     """
-    Verifies the master password against the metadata entry (item2).
     Raises WrongPassword on failure.
+    Returns the successful hashing method ('sha1' or 'sha256').
     """
     try:
         decodedItem2, _ = der_decode(item2)
@@ -183,27 +217,98 @@ def verify_password(global_salt, item2, pwd):
         except (IndexError, AttributeError):
             raise ValueError("Could not decode password validation data structure.")
 
-        if algorithm_oid == OID_PKCS12_3DES:
-            entrySalt = decodedItem2[0][1][0].asOctets()
-            cipherT = decodedItem2[1].asOctets()
-            clearText = decrypt3DES(global_salt, pwd, entrySalt, cipherT)
-        elif algorithm_oid == OID_PBES2:
-            algo = decodedItem2[0][1][0]
-            pbkdf2_params = algo[1]
-            entry_salt = pbkdf2_params[0].asOctets()
-            iters = int(pbkdf2_params[1])
-            key_len = int(pbkdf2_params[2])
-            enc_pwd = sha1(global_salt + pwd.encode('utf-8')).digest()
-            k = pbkdf2_hmac('sha256', enc_pwd, entry_salt, iters, dklen=key_len)
-            iv = clean_iv(decodedItem2[0][1][1][1].asOctets())
-            cipher = AES.new(k, AES.MODE_CBC, iv)
-            clearText = cipher.decrypt(decodedItem2[1].asOctets())
-        else:
-            raise ValueError(f"Unknown encryption method OID: {algorithm_oid}")
+        # Try various hashing combinations to guess the correct pre-hashing used by Firefox
+        methods_to_try = [
+            "sha1",
+            "sha256",
+            "plaintext",
+            "sha512",
+            "sha256_no_salt",
+            "sha1_no_salt",
+            "sha512_no_salt",
+        ]
+        seen_14_byte_iv = False
+        for method in methods_to_try:
+            try:
+                logging.debug(
+                    f"Attempting verification with method: {method}. Input Pwd Len: {len(pwd)}"
+                )
+                if algorithm_oid == OID_PKCS12_3DES:
+                    entrySalt = decodedItem2[0][1][0].asOctets()
+                    cipherT = decodedItem2[1].asOctets()
+                    clearText = decrypt3DES(global_salt, pwd, entrySalt, cipherT)
+                    if clearText == b"password-check\x02\x02":
+                        logging.info(f"Verified: Method={method} (3DES)")
+                        return method
+
+                elif algorithm_oid == OID_PBES2:
+                    algo = decodedItem2[0][1][0]
+                    pbkdf2_params = algo[1]
+                    entry_salt = pbkdf2_params[0].asOctets()
+                    iters = int(pbkdf2_params[1])
+                    key_len = int(pbkdf2_params[2])
+
+                    hmac_algo = "sha256"
+                    if len(pbkdf2_params) > 3:
+                        prf_oid = pbkdf2_params[3][0].asTuple()
+                        if prf_oid == (1, 2, 840, 113549, 2, 7):
+                            hmac_algo = "sha1"
+                        elif prf_oid == (1, 2, 840, 113549, 2, 9):
+                            hmac_algo = "sha256"
+                        elif prf_oid == (1, 2, 840, 113549, 2, 11):
+                            hmac_algo = "sha512"
+
+                    cipher_params = decodedItem2[0][1][1]
+                    raw_iv = cipher_params[1].asOctets()
+
+                    iv_candidates = [("standard", raw_iv)]
+                    if len(raw_iv) == 14:
+                        seen_14_byte_iv = True
+                        iv_candidates = [
+                            ("clean_iv", b"\x04\x0e" + raw_iv),
+                            ("pad_start_null", b"\x00\x00" + raw_iv),
+                            ("pad_end_null", raw_iv + b"\x00\x00"),
+                        ]
+
+                    cipherT = decodedItem2[1].asOctets()
+                    for iv_name, iv in iv_candidates:
+
+                        try:
+                            enc_pwd = hash_password(global_salt, pwd, method)
+                            k = pbkdf2_hmac(
+                                hmac_algo, enc_pwd, entry_salt, iters, dklen=key_len
+                            )
+                            cipher = AES.new(k, AES.MODE_CBC, iv)
+                            clearText = cipher.decrypt(cipherT)
+
+                            if clearText == b"password-check\x02\x02":
+                                logging.info(f"Verified: Method={method}, IV={iv_name}")
+                                if iv_name == "pad_start_null":
+                                    logging.warning(
+                                        "NOTICE: Profile uses NULL-PREFIXED IVs."
+                                    )
+                                return method
+                            else:
+                                logging.debug(
+                                    f"    Mismatch: {method} / {iv_name} -> {clearText.hex()}"
+                                )
+
+                        except Exception:
+                            continue
+                else:
+                    raise ValueError(f"Unknown OID: {algorithm_oid}")
+
+            except Exception as outer_e:
+                logging.debug(f"Method {method} skipped: {outer_e}")
+                continue
 
-        if clearText != b"password-check\x02\x02":
-            raise WrongPassword()
+        if seen_14_byte_iv:
+            raise IncompatibleCryptoError()
 
+        raise WrongPassword()
+
+    except WrongPassword:
+        raise
     except Exception as e:
         logging.debug(f"Password check failed: {e}")
         raise WrongPassword()
@@ -227,7 +332,7 @@ def get_all_keys(directory, pwd=""):
     logging.info(f"[*] Global Salt: {censor(global_salt)}")
 
     # 2. VERIFY PASSWORD EXPLICITLY
-    verify_password(global_salt, item2, pwd)
+    hash_method = verify_password(global_salt, item2, pwd)
     logging.info("[*] Password Verified Correctly")
 
     # 3. Find ALL Keys
@@ -244,10 +349,12 @@ def get_all_keys(directory, pwd=""):
     for idx, (a11, a102) in enumerate(rows):
         logging.debug(f"[*] Attempting to decrypt Key #{idx} (ID: {censor(a102)})...")
 
-        key = decrypt_key_entry(a11, global_salt, pwd)
+        key = decrypt_key_entry(a11, global_salt, pwd, hash_method)
 
         if key:
-            logging.info(f"[*] Decrypted Key #{idx}: {len(key)} bytes | ID: {a102.hex()}")
+            logging.info(
+                f"[*] Decrypted Key #{idx}: {len(key)} bytes | ID: {a102.hex()}"
+            )
             found_keys.append(key)
         else:
             logging.debug(f"[*] Key #{idx}: Failed to decrypt (Corrupt?)")
@@ -255,7 +362,9 @@ def get_all_keys(directory, pwd=""):
     if not found_keys:
         # Rows existed, but none decrypted successfully.
         # Since password was verified in step 2, this IS corruption.
-        raise Exception("Database corrupted: Password verified, but no valid master keys could be decrypted.")
+        raise Exception(
+            "Database corrupted: Password verified, but no valid master keys could be decrypted."
+        )
 
     return found_keys, global_salt
 
@@ -267,7 +376,7 @@ def try_decrypt_login(key, ciphertext, iv):
             cipher = AES.new(key, AES.MODE_CBC, iv)
             pt = cipher.decrypt(ciphertext)
             res = PKCS7unpad(pt)
-            text = res.decode('utf-8')
+            text = res.decode("utf-8")
             if is_valid_text(text):
                 return text, "AES-Standard"
         except Exception:
@@ -279,7 +388,7 @@ def try_decrypt_login(key, ciphertext, iv):
             cipher = DES3.new(key, DES3.MODE_CBC, iv[:8])
             pt = cipher.decrypt(ciphertext)
             res = PKCS7unpad(pt)
-            text = res.decode('utf-8')
+            text = res.decode("utf-8")
             if is_valid_text(text):
                 return text, "3DES-Standard"
         except Exception:
@@ -391,14 +500,20 @@ def readCSV(csv_file):
                 logging.debug(f"Breaking loop since we got an empty row at index={i}.")
                 break
             # Heuristic: if it lacks a URL (index=1) and has user,pass (index=2,3), assume it's a header and continue
-            if (
-                first_row[0].lower() in {"url", "hostname", "website", "site", "address", "link"}
-                or (
-                    first_row[1].lower() in {"username", "uname", "user", "u"}
-                    and first_row[2].lower() in {"password", "passwd", "pass", "p"}
-                )
+            if first_row[0].lower() in {
+                "url",
+                "hostname",
+                "website",
+                "site",
+                "address",
+                "link",
+            } or (
+                first_row[1].lower() in {"username", "uname", "user", "u"}
+                and first_row[2].lower() in {"password", "passwd", "pass", "p"}
             ):
-                logging.debug(f"Continuing (skipping) over first row: index=0, [is_header={True}].")
+                logging.debug(
+                    f"Continuing (skipping) over first row: index=0, [is_header={True}]."
+                )
                 continue
 
             # ~~~ END peek at first row ~~~~~~~~~~
@@ -431,9 +546,9 @@ def rawURL(url):
 def addNewLogins(key, jsonLogins, logins):
     nextId = jsonLogins["nextId"]
     timestamp = int(datetime.now().timestamp() * 1000)
-    logging.warning(f'adding {len(logins)} logins')
+    logging.warning(f"adding {len(logins)} logins")
     for i, (url, username, password) in enumerate(logins, nextId):
-        logging.info(f'adding {url} {username}')
+        logging.info(f"adding {url} {username}")
         entry = {
             "id": i,
             "hostname": url,
@@ -471,9 +586,37 @@ def getProfiles() -> list[Path]:
     return profiles
 
 
+def get_native_logins(directory, password):
+    """
+    Attempts to decrypt logins using safe, native NSS interactions via ctypes.
+    Returns list of logins or None/Empty list on failure.
+    """
+    try:
+        # Import explicitly to handle potential path issues
+        try:
+            from ffpass.nss import decrypt_logins_native
+        except ImportError:
+            try:
+                from nss import decrypt_logins_native
+            except ImportError:
+                import sys
+
+                root_dir = str(Path(__file__).resolve().parent.parent)
+                if root_dir not in sys.path:
+                    sys.path.append(root_dir)
+                from ffpass.nss import decrypt_logins_native
+
+        return decrypt_logins_native(directory, password)
+    except Exception as e:
+        logging.debug(f"Native decryption attempt failed: {e}")
+        return None
+
+
 def guessDir() -> Path:
     if sys.platform not in PROFILE_GUESS_DIRS:
-        logging.error(f"Automatic profile selection is not supported for {sys.platform}")
+        logging.error(
+            f"Automatic profile selection is not supported for {sys.platform}"
+        )
         logging.error("Please specify a profile to parse (-d path/to/profile)")
         raise NoProfile
 
@@ -484,8 +627,10 @@ def guessDir() -> Path:
         raise NoProfile
 
     if len(profiles) > 1:
-        logging.error("More than one profile detected. Please specify a profile to parse (-d path/to/profile)")
-        logging.error("valid profiles:\n\t\t" + '\n\t\t'.join(map(str, profiles)))
+        logging.error(
+            "More than one profile detected. Please specify a profile to parse (-d path/to/profile)"
+        )
+        logging.error("valid profiles:\n\t\t" + "\n\t\t".join(map(str, profiles)))
         raise NoProfile
 
     profile_path = profiles[0]
@@ -494,40 +639,189 @@ def guessDir() -> Path:
     return profile_path
 
 
-def askpass(directory):
-    password = ""
+def askpass(directory, allow_native=False):
+    # Determine initial password source
+    password = os.environ.get("FFPASS_SECRET", "")
+    is_interactive = sys.stdin.isatty() and not password
+
+    # If interactive and no env secret, prompt immediately for the first attempt
+    if is_interactive:
+        password = getpass("Master Password: ")
+
     n = 0
-    # Allow 1 automatic check + 2 user prompts = 3 attempts total.
-    # The condition "n < n_max" must allow n=0, n=1, n=2.
-    n_max = 3
+    # Max attempts: If env var set, try it once. If fails and non-interactive, stop.
+    # If interactive, allow retry.
+    # User requested trying "twice".
+    n_max = 2
+
     while True:
+        # 1. Try Python Protocol
         try:
             keys, _ = get_all_keys(directory, password)
             # Prefer 32-byte key, fallback to first
             best_key = next((k for k in keys if len(k) == 32), keys[0])
-            logging.info(f"Selected Master Key: {len(best_key)} bytes (from {len(keys)} candidates)")
-            return best_key
-        except WrongPassword:
-            n += 1
-            if n >= n_max:
-                break
-            password = getpass("Master Password: ")
+            logging.info(
+                f"Selected Master Key: {len(best_key)} bytes (from {len(keys)} candidates)"
+            )
+            return best_key, None
+        except (WrongPassword, IncompatibleCryptoError):
+            # Python protocol failed.
+            pass  # Fall through to native check
+
+        # 2. Try Native Protocol (Fallback)
+        if allow_native:
+            # We treat native failure as silent (wrong password) unless it succeeds.
+            # But we might want to log if it was attempted.
+            native_res = get_native_logins(directory, password)
+            if native_res:
+                logging.info("Successfully authenticated via Native NSS backend.")
+                return None, native_res
+
+        # 3. Handle Failure / Retry Loop
+        n += 1
+
+        # If we are non-interactive/env-var based, do NOT loop unless we are falling back to interactive?
+        # If FFPASS_SECRET was used (n=1 checked), and verification failed...
+        if os.environ.get("FFPASS_SECRET"):
+            logging.error("FFPASS_SECRET verification failed (both Python and Native).")
+            break
+
+        if n >= n_max:
+            logging.error(f"Wrong master password after {n} prompts.")
+            break
+
+        print("Wrong password. Please try again.")
+        password = getpass("Master Password: ")
+
+    return None, None
+
+
+def main_inspect(args):  # noqa: C901
+    db_path = args.directory / "key4.db"
+    if not db_path.exists():
+        logging.error(f"Error: {db_path} not found.")
+        return
+
+    print(f"Inspecting Profile: {args.directory}")
+    print(f"Database: {db_path}")
+
+    conn = sqlite3.connect(str(db_path))
+    c = conn.cursor()
+
+    print("\n[METADATA]")
+    c.execute("SELECT id, item1, item2 FROM metadata WHERE id = 'password'")
+    row = c.fetchone()
+    if row:
+        print(f"  ID: {row[0]}")
+        if args.reveal_keys:
+            print(f"  Global Salt: {binascii.hexlify(row[1]).decode()}")
+        else:
+            gs_hex = binascii.hexlify(row[1]).decode()
+            print(f"  Global Salt: {censor(gs_hex)} (Use --reveal-keys to show full)")
+        print(f"  Password Check Data ({len(row[2])} bytes)")
+
+        try:
+            decoded, _ = der_decode(row[2])
+            # Structure is typically:
+            # Sequence:
+            #   Sequence (AlgorithmIdentifier for KDF): e.g. pkcs5PBES2
+            #     OID
+            #     Sequence (PBES2-params):
+            #       Sequence (KeyDerivationFunc):
+            #         OID (pkcs5PBKDF2)
+            #         Sequence (PBKDF2-params): [salt, iters, keylen, prf]
+            #       Sequence (EncryptionScheme):
+            #         OID (aes256-cbc)
+            #         OctetString (IV)
+            #   OctetString (Ciphertext)
+
+            pbes2_params = decoded[0][1]
+            kdf_seq = pbes2_params[0]
+            kdf_oid = kdf_seq[0]
+            pbkdf2_params = kdf_seq[1]
+
+            print(f"  KDF OID: {kdf_oid} (Expected: {OID_PBES2} for PBES2)")
+
+            salt = pbkdf2_params[0]
+            iters = pbkdf2_params[1]
+            key_length = pbkdf2_params[2]
+
+            if args.reveal_keys:
+                print(f"    Salt: {binascii.hexlify(salt.asOctets()).decode()}")
+            else:
+                s_hex = binascii.hexlify(salt.asOctets()).decode()
+                print(f"    Salt: {censor(s_hex)} (Use --reveal-keys to show full)")
+            print(f"    Iterations: {iters}")
+            print(f"    Key Length: {key_length}")
+
+            hmac_algo = "Unknown (Default/SHA1)"
+            if len(pbkdf2_params) > 3:
+                prf_oid = pbkdf2_params[3][0].asTuple()
+                if prf_oid == (1, 2, 840, 113549, 2, 7):
+                    hmac_algo = "HMAC-SHA1"
+                elif prf_oid == (1, 2, 840, 113549, 2, 9):
+                    hmac_algo = "HMAC-SHA256"
+                elif prf_oid == (1, 2, 840, 113549, 2, 11):
+                    hmac_algo = "HMAC-SHA512"
+                else:
+                    hmac_algo = f"OID {prf_oid}"
+            print(f"    PRF: {hmac_algo}")
+
+            # Encryption Scheme
+            enc_scheme = pbes2_params[1]
+            enc_oid = enc_scheme[0]
+            iv = enc_scheme[1].asOctets()
+
+            print("  Encryption Scheme:")
+            print(f"    OID: {enc_oid}")
+            if args.reveal_keys:
+                print(f"    IV: {binascii.hexlify(iv).decode()} (Length: {len(iv)})")
+            else:
+                iv_hex = binascii.hexlify(iv).decode()
+                print(f"    IV: {censor(iv_hex)} (Length: {len(iv)})")
+
+            if len(iv) == 14:
+                print("\n  [!] WARNING: Non-standard 14-byte IV detected.")
+                print("  [!] This profile REQUIRES Native NSS backend for decryption.")
+            elif len(iv) == 16:
+                print("  [OK] Standard 16-byte IV.")
+
+        except Exception as e:
+
+            print(f"  [ERROR] ASN.1 Decode Failed: {e}")
+            logging.debug(e, exc_info=True)
+    else:
+        print("  No 'password' entry found via SELECT.")
+
+    print("\n[KEYS]")
+    c.execute("SELECT count(*) FROM nssPrivate")
+    count = c.fetchone()[0]
+    print(f"  nssPrivate Entries: {count}")
 
-    if n > 0:
-        logging.error(f"wrong master password after {n_max - 1} prompts!")
-    return None
+    conn.close()
 
 
 def main_export(args):
-    # Removed try/except NoDatabase here to let it bubble to main() for proper logging
-    key = askpass(args.directory)
+    # args.directory is passed. allow_native=True for export.
+    key, native_logins = askpass(args.directory, allow_native=True)
 
-    if not key:
+    if native_logins:
+        # Native backend succeeded where python failed (or was chosen)
+        # Convert to list of tuples for CSV writer
+        logins = []
+        for login in native_logins:
+            logins.append((login["hostname"], login["username"], login["password"]))
+
+    elif key:
+        # Python backend succeeded
+        jsonLogins = getJsonLogins(args.directory)
+        logins = exportLogins(key, jsonLogins)
+
+    else:
+        # Both failed or user cancelled
         logging.error("Failed to derive master key.")
         return
 
-    jsonLogins = getJsonLogins(args.directory)
-    logins = exportLogins(key, jsonLogins)
     # Hard-code to "\n" to fix Windows bug with every other row empty: [a, "", b, "", ...].
     writer = csv.writer(args.file, lineterminator="\n")
     writer.writerow(["url", "username", "password"])
@@ -536,7 +830,8 @@ def main_export(args):
 
 def main_import(args):
     # askpass handles stdin/tty detection for the password prompt automatically
-    key = askpass(args.directory)
+    # Native backend is read-only (export), so allow_native=False
+    key, _ = askpass(args.directory, allow_native=False)
 
     if not key:
         logging.error("Failed to derive master key.")
@@ -564,12 +859,28 @@ def makeParser():
         "import",
         description="imports a CSV with columns `url,username,password` (order insensitive)",
     )
+    parser_inspect = subparsers.add_parser(
+        "inspect", description="inspect key4.db metadata structures"
+    )
+    parser_inspect.add_argument(
+        "--reveal-keys",
+        action="store_true",
+        help="Show sensitive keys/salts/IVs in output",
+    )
 
     parser_import.add_argument(
-        "-f", "--file", dest="file", type=argparse.FileType("r", encoding="utf-8"), default=sys.stdin
+        "-f",
+        "--file",
+        dest="file",
+        type=argparse.FileType("r", encoding="utf-8"),
+        default=sys.stdin,
     )
     parser_export.add_argument(
-        "-f", "--file", dest="file", type=argparse.FileType("w", encoding="utf-8"), default=sys.stdout
+        "-f",
+        "--file",
+        dest="file",
+        type=argparse.FileType("w", encoding="utf-8"),
+        default=sys.stdout,
     )
 
     for sub in subparsers.choices.values():
@@ -590,12 +901,15 @@ def makeParser():
         sub.add_argument("-v", "--verbose", action="store_true")
         sub.add_argument("--debug", action="store_true")
 
+    parser_inspect.set_defaults(func=main_inspect)
+
     parser_import.set_defaults(func=main_import)
     parser_export.set_defaults(func=main_export)
 
     # Try to load argcomplete
     try:
         import argcomplete
+
         argcomplete.autocomplete(parser)
 
     except (ImportError, ModuleNotFoundError):
@@ -637,7 +951,7 @@ def main():
         try:
             args.func(args)
         except BrokenPipeError:
-            sys.stdout = os.fdopen(1, 'w')
+            sys.stdout = os.fdopen(1, "w")
 
     except NoDatabase:
         logging.error("Firefox password database is empty.")
diff --git a/ffpass/nss.py b/ffpass/nss.py
new file mode 100644
index 0000000..a68ab24
--- /dev/null
+++ b/ffpass/nss.py
@@ -0,0 +1,155 @@
+import base64
+import ctypes
+import json
+import os
+from ctypes import (
+    POINTER,
+    Structure,
+    byref,
+    c_char_p,
+    c_int,
+    c_ubyte,
+    c_uint,
+    c_void_p,
+    cast,
+)
+
+
+# --- NSS Structures ---
+class SECItem(Structure):
+    _fields_ = [
+        ("type", c_uint),
+        ("data", POINTER(c_ubyte)),
+        ("len", c_uint),
+    ]
+
+
+# --- Load Library ---
+def load_nss():
+    paths = [
+        "/usr/lib/x86_64-linux-gnu/libnss3.so",
+        "/usr/lib/libnss3.so",
+        "/usr/lib64/libnss3.so",
+        "libnss3.so",
+    ]
+    lib = None
+    for p in paths:
+        try:
+            lib = ctypes.CDLL(p)
+            break
+        except OSError:
+            pass
+    return lib
+
+
+def decrypt_sdr(lib, b64_data):
+    if not b64_data:
+        return None
+
+    try:
+        raw_data = base64.b64decode(b64_data)
+    except Exception:
+        return None
+
+    # Prepare SECItem input
+    item_in = SECItem()
+    item_in.type = 0  # SECItemTypeBuffer
+    item_in.len = len(raw_data)
+
+    # Create byte buffer matching length
+    buf = (c_ubyte * len(raw_data)).from_buffer_copy(raw_data)
+    item_in.data = cast(buf, POINTER(c_ubyte))
+
+    # Output item
+    item_out = SECItem()
+
+    ret = lib.PK11SDR_Decrypt(byref(item_in), byref(item_out), None)
+
+    if ret == 0:
+        # Success
+        content = ctypes.string_at(item_out.data, item_out.len)
+        return content.decode("utf-8", errors="replace")
+    else:
+        return None
+
+
+def decrypt_logins_native(profile_path, password):  # noqa: C901
+    """
+    Uses libnss3 to authenticate and decrypt logins.json.
+    Returns a list of dicts: {'hostname': ..., 'username': ..., 'password': ...}
+    Raises Exception on failure.
+    """
+    lib = load_nss()
+    if not lib:
+        raise ImportError("Could not load libnss3.so")
+
+    # Function Signatures
+    lib.NSS_Init.argtypes = [c_char_p]
+    lib.NSS_Init.restype = c_int
+
+    lib.PK11_GetInternalKeySlot.restype = c_void_p
+
+    lib.PK11_CheckUserPassword.argtypes = [c_void_p, c_char_p]
+    lib.PK11_CheckUserPassword.restype = c_int
+
+    lib.NSS_Shutdown.restype = c_int
+
+    lib.PK11SDR_Decrypt.argtypes = [POINTER(SECItem), POINTER(SECItem), c_void_p]
+    lib.PK11SDR_Decrypt.restype = c_int
+
+    # Initialize NSS
+    db_dir = os.path.abspath(profile_path)
+    if db_dir.endswith("/key4.db") or db_dir.endswith("/logins.json"):
+        db_dir = os.path.dirname(db_dir)
+
+    config_dir = f"sql:{db_dir}".encode("utf-8")
+
+    # We must try to init. If already inited by process?
+    # Python process usually distinct.
+    ret = lib.NSS_Init(config_dir)
+    if ret != 0:
+        raise Exception(f"NSS_Init failed (Ret: {ret})")
+
+    try:
+        # Authenticate
+        slot = lib.PK11_GetInternalKeySlot()
+        if not slot:
+            raise Exception("Could not get internal key slot")
+
+        res = lib.PK11_CheckUserPassword(slot, password.encode("utf-8"))
+        if res != 0:
+            raise ValueError("Invalid Password (NSS rejected)")
+
+        # Read logins.json
+        logins_path = os.path.join(db_dir, "logins.json")
+        if not os.path.exists(logins_path):
+            return []  # No file, empty list
+
+        with open(logins_path, "r") as f:
+            data = json.load(f)
+
+        if "logins" not in data:
+            return []
+
+        results = []
+        for login in data["logins"]:
+            hostname = login.get("hostname", "")
+            enc_user = login.get("encryptedUsername")
+            enc_pass = login.get("encryptedPassword")
+
+            dec_user = decrypt_sdr(lib, enc_user)
+            dec_pass = decrypt_sdr(lib, enc_pass)
+
+            if dec_user is None:
+                dec_user = "(error)"
+            if dec_pass is None:
+                dec_pass = "(error)"
+
+            results.append(
+                {"hostname": hostname, "username": dec_user, "password": dec_pass}
+            )
+
+        return results
+
+    finally:
+        lib.NSS_Shutdown()
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 64ce1ef..f979348 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,3 +1,5 @@
 coverage==7.13.0
 flake8==7.3.0
 pytest==9.0.2
+ruff==0.14.11
+
diff --git a/tests/conftest.py b/tests/conftest.py
new file mode 100644
index 0000000..469b634
--- /dev/null
+++ b/tests/conftest.py
@@ -0,0 +1,20 @@
+import shutil
+from pathlib import Path
+
+import pytest
+
+
+@pytest.fixture
+def clean_profile(tmp_path):
+    """
+    Copies the requested profile to a temporary directory and returns
+    the path to the new copy.
+    """
+
+    def _setup(profile_name):
+        src = Path("tests") / profile_name
+        dst = tmp_path / profile_name
+        shutil.copytree(src, dst)
+        return dst
+
+    return _setup
diff --git a/tests/firefox-146-aes/key4.db b/tests/firefox-146-aes/key4.db
index 935e417f99389fdaceb2479c489c6e32ffbeb7d2..95735f17b50ada222468ff8f3aff73cc5f9e5fc0 100644
GIT binary patch
literal 3808
zcmeHKO-~#-5WVv&TDg#wI8^zg+AWlW?Y5)Q!VEhZR^)^Rm_%&8Rt(8%|NT}~cV~bk
z8<bpwG{tMX{9JxjZM#pF@%eFVK5jQR=btt=+v^YSn`aFi?wt%BuRh#tu3x`Df3x{_
z`)pC`;a)1wXY*#YjPn;UuV#z+;a*;rxGK#mrlZol+uW}E_3gTOdVSTLEN91Y`Lg-F
zylhVAvp-HtvzRw|F|S9nylR%^<S6EH&|Kec-r?}i{C2oEo4+W_RWqBf7R{51@JaJ$
zJUT5ep6>s>-fsW-aC5bPaJFANTRSve2o8O=&gT+Rb(CXDo*SWq2ri-cS_l}>0`)-9
znHb20K(&P)5IpqU0~Q>9wKrR^4xE85yW&$DLFTB=ppV)2Xj?J`685FIianXym+YvZ
zjkd(vheQEtjRg$PhGGrR#?cXkd$I5o7BEQ^+{G~hl9#}E1g`~3XFPjEtjQQl(8f@@
zQnPV3_Y!{YQ><O<+O7lBmXa(L>U$e8b#1Es{`V!`UcZ){pW9b%ZCS;0&_CSi$N~BM
zRiz4tTEDMj@Ue?NWP>qufs#wrM_X-joy$EE2F|TbZSA3Vq2@xtJL~(N*HlyRkJIt%
z`br+b)Z$n=8_*T!eMAVh>pZY*oNGu#)uo&uhhi+3QwnX0Ehi+|K83u0Fh4yyVkz&H
z|NHIs<mUR*`gZe}7a*p^a&^$Gfqz{8Yr{XwKPS)HD6J^XK^}uV27MH_Ab!D%Au+9(
zAf^+u7IPuyl1-<4Fj%DpAwm!)gkehI;`&!BY^;e|;X@EY1YtxFN*rSxf>dTRU}ZMS
zY?Rq3vr%TF%to1wGFu&Mb*$B~R>xW$OWI4?OWI4?OGB?RlQOsJ*{Wx&o+=x^^&Bmy
zT<w6R*J%7sO530`k5KwXC=(f@19fS}=s;bX(WMz(n$e{hU79f)9ra4Bh-Qq4W{ikt
z%#~QLoL+<R!pVDqT4}MG8V-RmzxHZ}pd=pNhSbW!ohFO-2*J8cr}g1=tk<#ps&FrF
zA#6!oNLzTf(-vVP5H?aa-cl4xf_M{BE2|()J!$F*WEBLmQUX~ishFfXl9nu?@}Tmd
z@}Tmds6i-d5GoHU4=RtUO{zAj+N5fes!ggksoJD!la>%^IgwF*Rhv|8Qng7lLPq(u
z*hq_wwAe_CjkMUvst#7liLAsQ#;uRx<;Gjyf+Qa!6k$gwT8>Zz9igy|P$)+zydxBG
z2B_sc!rd?}?6Gw>jP48*VF!nH7ehP6zzdq<WjMvlaPnn%$9I~TTc>y#P7^bnCT2KI
z%ur;P7#K=!M<@v%p=5c4lIjskJ_e}o_y8|<;ao^KSAGpw7XS}Wt=(4p`D(yh7X}lE
z-~F@wA#dR1=m$Nx1{?X^@Nw9_bq^n}2Jxq_2F_JJnt%^|WOcC9OGe0iu!R&O1n5fN
zJJ08cOMJ%E7<2ZunAUkT?DDuH?f<R@h{g3S+7SD$?XpS87Xi$i;x>b`P$EJCK6Sy7
z%fWMKJ>Qn7Vg|^rZF_5TSBX7Zi^jXimmKoQmk8r?V$eq(i5R;aVpj~0&(ZLS9g}zN
zo~m*@4*LEeno@{$Ocr1F#<y|I?ZbaVmf>N>?`B`H#v|<ai(o2@v;7JEVBp^zHm%6q
z4ROGqTc+TqIKN5utK;X&>z95%px^GkJDd0AthwH9KW=X1t8TX)H&6MZ`p|Lv@#3$|
q<?R=q{4Mm*_3ip%^Y#lz`_S$3&6+<kAI{8QR^qrgKAx=(_x=MSQlw`9

literal 294912
zcmeI*Ym8h~9RTpTyVGfBVOK2Gilj1?5ZFrK-aE6miytgYAM|BQYl-FMGVN~3+Ll6h
zfi5UZkyZkP_#)ASm^6ljhfxv42p=Hu!3dI=XncOc5Tgb$C`cPXz31#~mRco#F-H44
zxpU`#&*Oj3`JJ=d{nn3dT0b^1+SsvY@9y?QqglD7k|dS$8;we(QY}CA@-tIvWf1CS
zN-`6?!*{iE&K(PSrw&)<?YpgVV=?v2<SUa8OkOp4`o7!t{plUXX(B*?009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0>{0;uDNp;E?SiA|IkEx+pf{wqZ92F?TPlx_q^qsR}O7i
z+1N64!TObrncBu#V<U}=Hm~{U(B?}T>sDUUxOl^wO&70hY~0XTzH!5<^=p=IX>4A3
z(fXm~E6;9}|HJX_Z2BwjKX+bj;qpaEW$fya(S76B?kXFH+t*F(iO<6``G>QasD44M
zws7I%<g(ad`_A^*$kpTH7wsLpzCAHIw==ml8&<5`+K7!|3bP#=XSK65?>~P|%<=J<
zV^@3I=&so=wWD&x#$$3c`&U(K3r}5~3{Ow{x^15v-99m!W6n`I#;2Q)$&#g6|MKqI
z!c%5eGd4bc-RR!gG}WWhOt&7BWiac%vnQFmaPi{gp5eG<vk7LSu1>1yZJVwCcQ$V5
zf{mNEoZV=r<)_@Yc3ys(<);;%V`Zq#LiJ#H91M?x@iBB84E+WN!mS9mrQtRhZs&zt
zJKVN~+xGHyUd)$H-(%V|B+Al|DNCnc8FFQ5NS37`Tb71&SsL<XX-Jr*A!C+?lv!tv
z)02#u^XWKd&SU00X3k^gJZ8>g<~(N3W9DWY+l*tIacnb=ZN{-hY%OAI5nGGcT1>ab
z%tg$+H1=E?doGPVBU={T^0@Xq4Xt@xdmiWCO3RXGp}G@>k)1HSD9=OMJT5KILt`G7
zmdB;#acOy6S{|2{=cBRDj(87fc^=U6JfP+INVpHgoC9$(10iQKPOllK*NoFEr%=|n
zVoj@46Xw&3o7GCg!dr2(T5*}JxXe~O9|LjhKpZ;|#}34eE@Dj)Yl==yU@T&`B4#V%
z))#T>i@5bg-1;JJeG#|5NW&_MG_15p!%B;YSwzPo9@!!b8(m~!ql+wTbdd#(A`2Qt
z7Bq@1=E-87Ear*YMbs{$b`iCUs9i+uB5D^=yNE}qh{vhOWB#aJMC~GK7jZ|5Jm!yw
zt%!%Mh=;9+hpmW*t!M_-q8W};(TqP(;drExZTsjzv(=1y)(OMLb;7VSoiKoQ!jP>K
zhLoK!<n4q3XF80>xf9L~iwC<?J3Fj++pqvT-C^nM9G1?^p<GZnW1&MC&dj$AXZn`m
z+xpJDxU8L-ZyC<KxD01rT!u3*F2lgyc}3XUP8c@06NX*xgkh^YVc3u9F#e2BhudbS
zvn@<#WT2gnY)jMrW>;<Dg^T~yKWMYRd55#vxV!wLV_x{fqqqDdH-Dm1UJ3yM1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72>izcK66^Ke?@gcU*G&n<<>3#@R|jc
zv-@JH^i?YJ%N|FUa#UYmX!`G$Work|FK1CrlKU!`ruz@2yKD6&2Uj0_y*HWDn_ig?
z%|4!(wyKR4ufI`y;p9tBsV}+xx!3M|a9;fnKiPWIx-Y)#!5<F)dScUAk9Q?WSJFs(
zYV)SEbk);SYxOG+u1-d~tI3jT-@9M@*~xeOV)E&Sk6ioAmQPjF-=FlYtxv65f8fb0
zUfuD^Qzu^d>E;jqvi1Af8Ec<?Y}3o%zWh5M_~ojh_uqTRSI@oT+5YtpZCP7R_O!!C
zyCsz*luEgR@+#XJNu{jnDWhcSaHYHy0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyaNG&Z?XK3BtsOkSr(Ah5^=75K6aoYY5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAaGm?baz+kJ>|-isW&U-r4S%MfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+0D<FDpu4+L?<rTFOdY9|mqLI50RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0tAjffm-+c`hAs4d&-q3Q!iD@OCdmj009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RqQ`z{%Zb*AE}P(xkV1?z;KW%GB2KrVt=NfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+!2guM{>5E$mfbqPGCp?I@Xpc6;pUE3yE)iO
zhtpWHEZu)gdU>tB<lyRqulFW%`qGW*(Cp)hX{*{e@W6d{Ex!NDJJ-GTwLd@lrRU%K
zz9Y@=zSX<>&EFhYe#MW@eB(e@l5{1Fw5K+2I!jmm?Qyly_1Cp`4=#A|;zRS!yJzlK
z()6)C>z+ID?$aN7;<JzM8+qhcckMqTnX{;M>w;_A<Ks8%**kJ%+2{LjAG*AC`EQ?G
z_3RT{Z>#rIA5Qo0Pj}DGt2e#!m}%a-;j$ZR&pvs<d%k|f$=9EA!lIWqF533iORHY^
z@JGJ+^T%%a+c*BnG*7M7uRORq8SSnnOR9ZexFkLF#s`bJ_y6vXPcMJIdeZZcADNi^
z+?g*wa`o;XANt-+Z}pTr-!=8q%G9gnO(8&l009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RsP50*ktrCF5gP4euPC9B%GtwVQ*jbU2MA%eqeJUR1xPJwATJp1mV~
E2Y6=K`~Uy|

diff --git a/tests/firefox-14iv/cert9.db b/tests/firefox-14iv/cert9.db
new file mode 100644
index 0000000..dbf9976
--- /dev/null
+++ b/tests/firefox-14iv/cert9.db
@@ -0,0 +1,9 @@
+PRAGMA user_version = 0;
+PRAGMA foreign_keys=OFF;
+BEGIN TRANSACTION;
+CREATE TABLE nssPublic (id PRIMARY KEY UNIQUE ON CONFLICT ABORT, a0, a1, a2, a3, a4, a10, a11, a12, a80, a81, a82, a83, a84, a85, a86, a87, a88, a89, a8a, a8b, a8c, a90, a100, a101, a102, a103, a104, a105, a106, a107, a108, a109, a10a, a10b, a10c, a110, a111, a120, a121, a122, a123, a124, a125, a126, a127, a128, a129, a130, a131, a132, a133, a134, a160, a161, a162, a163, a164, a165, a166, a170, a171, a172, a180, a181, a200, a201, a202, a210, a40000211, a40000212, a40000213, a220, a221, a222, a223, a224, a225, a226, a227, a22e, a22f, a22a, a22b, a22c, a22d, a250, a251, a252, a300, a301, a302, a400, a401, a402, a403, a404, a405, a406, a480, a481, a482, a500, a501, a502, a503, a601, a602, a603, a604, a605, a606, a607, a608, a609, a60a, a60b, a60c, a60d, a60e, a60f, a610, a611, a612, a617, a618, a619, a61a, a61b, a61c, a61d, a61e, a61f, a620, a621, a622, a623, a624, a625, a626, a627, a629, a628, a62a, a62b, a62c, a62d, a62e, a62f, a630, a631, a632, a633, a634, a635, a636, a637, a80000001, ace534351, ace534352, ace534353, ace534354, ace534355, ace534356, ace534357, ace534358, ace534364, ace534365, ace534366, ace534367, ace534368, ace534369, ace534373, ace534374, ace536351, ace536352, ace536353, ace536354, ace536355, ace536356, ace536357, ace536358, ace536359, ace53635a, ace53635b, ace53635c, ace53635d, ace53635e, ace53635f, ace536360, ace5363b4, ace5363b5, ad5a0db00);
+CREATE INDEX issuer ON nssPublic (a81);
+CREATE INDEX subject ON nssPublic (a101);
+CREATE INDEX label ON nssPublic (a3);
+CREATE INDEX ckaid ON nssPublic (a102);
+COMMIT;
diff --git a/tests/firefox-14iv/key4.db b/tests/firefox-14iv/key4.db
new file mode 100644
index 0000000..6aa5fb7
--- /dev/null
+++ b/tests/firefox-14iv/key4.db
@@ -0,0 +1,13 @@
+PRAGMA user_version = 0;
+PRAGMA foreign_keys=OFF;
+BEGIN TRANSACTION;
+CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
+INSERT INTO "metaData" VALUES('sig_key_0e5820d8_00000011',X'308181305D06092A864886F70D01050E3050304206092A864886F70D01050C303504205C16F6B2E6557B038CB674D990B6263C1BA6C802A726E55C23481ABB60F5D2A002022710020120300A06082A864886F70D0209300A06082A864886F70D0209042079183F69FC307A354FC658767A65E85B12372231AEE96991E88CF08DD8B9EC71',NULL);
+INSERT INTO "metaData" VALUES('password',X'644F4F43B2F24340237D05E7B85C14E5E212B923433D10CC7256FB84636BFC42878E1E9782A728CDDDDC0F5B25A19D76',X'308182306E06092A864886F70D01050D3061304206092A864886F70D01050C30350420C7AC67B9D422F20BC46845ACA1735D455AA3C745B0AC75D0A68643B6BC90094E02022710020120300A06082A864886F70D0209301B060960864801650304012A040E54673F250D10A73193432DE314E00410EAEF13D0C501C4AEB5CF7236D07C8906');
+CREATE TABLE nssPrivate (id PRIMARY KEY UNIQUE ON CONFLICT ABORT, a0, a1, a2, a3, a4, a10, a11, a12, a80, a81, a82, a83, a84, a85, a86, a87, a88, a89, a8a, a8b, a8c, a90, a100, a101, a102, a103, a104, a105, a106, a107, a108, a109, a10a, a10b, a10c, a110, a111, a120, a121, a122, a123, a124, a125, a126, a127, a128, a129, a130, a131, a132, a133, a134, a160, a161, a162, a163, a164, a165, a166, a170, a171, a172, a180, a181, a200, a201, a202, a210, a40000211, a40000212, a40000213, a220, a221, a222, a223, a224, a225, a226, a227, a22e, a22f, a22a, a22b, a22c, a22d, a250, a251, a252, a300, a301, a302, a400, a401, a402, a403, a404, a405, a406, a480, a481, a482, a500, a501, a502, a503, a601, a602, a603, a604, a605, a606, a607, a608, a609, a60a, a60b, a60c, a60d, a60e, a60f, a610, a611, a612, a617, a618, a619, a61a, a61b, a61c, a61d, a61e, a61f, a620, a621, a622, a623, a624, a625, a626, a627, a629, a628, a62a, a62b, a62c, a62d, a62e, a62f, a630, a631, a632, a633, a634, a635, a636, a637, a80000001, ace534351, ace534352, ace534353, ace534354, ace534355, ace534356, ace534357, ace534358, ace534364, ace534365, ace534366, ace534367, ace534368, ace534369, ace534373, ace534374, ace536351, ace536352, ace536353, ace536354, ace536355, ace536356, ace536357, ace536358, ace536359, ace53635a, ace53635b, ace53635c, ace53635d, ace53635e, ace53635f, ace536360, ace5363b4, ace5363b5, ad5a0db00);
+INSERT INTO "nssPrivate" VALUES(240656600,X'00000004',X'01',X'01',X'A5005A',NULL,NULL,X'3081A2306E06092A864886F70D01050D3061304206092A864886F70D01050C303504200A4D100BDCC7FA08A0F4757F9A1789D9F5ADF1FF3AA19092C5D8F97D918AE8ED02022710020120300A06082A864886F70D0209301B060960864801650304012A040EB179C6E4302F05738D48CFA24C40043027CD8D2097D6DFB0B4AB4D5381620E8051C6760A7F4A7E9C1B91BDDEF1CAFF72C9B0777B731C67EACF053FBE4084D35E',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'0000001F',NULL,X'F8000000000000000000000000000001',X'00',X'01',X'01',X'01',X'01',X'01',NULL,X'00',NULL,NULL,X'A5005A',X'A5005A',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'00000020',X'01',X'00',X'00',X'01',NULL,X'01',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
+CREATE INDEX issuer ON nssPrivate (a81);
+CREATE INDEX subject ON nssPrivate (a101);
+CREATE INDEX label ON nssPrivate (a3);
+CREATE INDEX ckaid ON nssPrivate (a102);
+COMMIT;
diff --git a/tests/firefox-14iv/logins.json b/tests/firefox-14iv/logins.json
new file mode 100644
index 0000000..1c9452f
--- /dev/null
+++ b/tests/firefox-14iv/logins.json
@@ -0,0 +1 @@
+{"nextId":2,"logins":[{"id":1,"hostname":"https://google.com","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MEMEEPgAAAAAAAAAAAAAAAAAAAEwHQYJYIZIAWUDBAEqBBA63Oz6jeYnP00WiDwnpJm/BBCNJ9Xc0ixY1lCgfmuyae/U","encryptedPassword":"MEMEEPgAAAAAAAAAAAAAAAAAAAEwHQYJYIZIAWUDBAEqBBBM/Qf7rAPdDR/Oey+lbM2iBBCx9dIeWLdgBe+qO1GdTk4Q","guid":"{6d4599e1-eefe-43b4-bfcd-7d22686786f5}","encType":1,"timeCreated":1767954808671,"timeLastUsed":1767954808671,"timePasswordChanged":1767954808671,"timesUsed":1,"syncCounter":1,"everSynced":false,"encryptedUnknownFields":"MEMEEPgAAAAAAAAAAAAAAAAAAAEwHQYJYIZIAWUDBAEqBBC+YISsXgHQM/LGd8pxRCRsBBBL1ixroXEdzpajpiqvsz1f"}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}
\ No newline at end of file
diff --git a/tests/firefox-14iv/pkcs11.txt b/tests/firefox-14iv/pkcs11.txt
new file mode 100644
index 0000000..f8c8cbf
--- /dev/null
+++ b/tests/firefox-14iv/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/home/shane/.mozilla/firefox/7ls4dcbd.test' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/tests/firefox-70/key4.db b/tests/firefox-70/key4.db
index 9dcdd64821c476dbbbb75da6f465e744ce8300ae..1304782625bf9fd071c2a330b144ecf8d78ec99b 100644
GIT binary patch
literal 2320
zcmd5;O^@3+487-92)$$$m;?102|*9CVi!g;PMXOS?Wu4k?jqZEW)Wvv^xv1H?YNs>
z3hW#jAoR0DK2lFI?e!+Ux{2bcZH^zlHplkx_#j>im`~Q-#K*^DbNKt=!>8tZ`*Kwj
z^GTM!Dl4(w#OgMtZMmxEleEd>HW%BNEpzduIn|5$REw*_UaU9eP29W}uk-ift}5T$
z<ziKdw5p0_nYLn+ua`09*Wz$$zR2#P{+dt9>NekOMOkfE;>AGtLcER3yZrWQ`fuH~
z-yV<q>Giv5j8=lRRyz}20m>++9oRxjz3^7$!Mj;fSx&whbkd+aILK7=&Uo*N87x3T
z0*h8_kO7P|F)EvM)Ob+~2}T#-gN;69I?ZOz8c;#23@;dk^Adv3Vj;CHio!(9nv{W*
z&0+zWb6GZ<;<Emu(?i>?kB6`IsrenHVz%0BuSE^`N1<wke@&PNXhhPGr&~|Ao^Q#;
z8#0!RBQqo8$pkVrnH`$IRM1&w1mZwd*b)mW&6ap15Rn98!sW9iE(t^?;ht<?URNJ8
zs}3`>VrIq6ikTHND`r;AtT{?^l;$YSQJSM1&pMuUJnMMYb+gRrm~+OStdC@Y6t5Kb
z59?ICQpMF8z@L&d+(Y8k?2X5RF^%9P+s?5Yq1*;2w_&9WP;SFn4QDmHFP3BR#Nn*v
z+?G|oZ>%=j(r^!nw}(XDL(0%YT4E0=R}V?R9+HY3WKnuJhOs>T=osdPFgKQia3}}i
zP!7VO9E1Ze!l4|5124j#c<IbgVjQJ|(?dEvJ)|Sl!~F=G5q>;FJ_w!fZY*a<<?L+@
z`yDIpX>WmLCtsr-pIa3!d(QZ9p1Te<4ilU=5*tZJ1BRLk$k9gJSR1F;)!lN*{l@%e
zznR65%ZR-t&+NjOECnT9N+x)3sY%&FW1sSPPP=}iz=hoCJY<Ceo09U20-Ib637d~9
zAV#MX_O;;iXfP(ZkcHr6#7<`o#$eH0<o`B<7}B1XUGy^dDqUVWy<k-BX9Y*xYY6B#
z7K#17mv}_u?DL@WmUbnc3mpo2HtC+H+&`RUeC?IhB7Y|iZTr+5=__D-#>5rAvo0Om
sr`<oz{plA^eBWNWey(@T=U*K4rQ7|d8b3)cGfSW^j<mYDDYx^<4=iy(!~g&Q

literal 294912
zcmeI*Uuaxe9S87xJCn(uHbrA4R4Ggzgk-m@cm8BHg{p0{SvR}2e`1U7`Vc3{ti(+>
zYm?eF6=Q|1KKUk8DvHX2^uZ_pfGjGzB8d7R_%4V~ix0cY!d6(&bI!~-hT<YViTNDv
z-2CRAbH4YS&%J3L`|*os*S9;>r#G)&X>V5>*_X3C&rVgVS(cT<XEc2JtrCiOt>5x~
z@eV)B*+X+9<Gc5=k)5UNi{;%{Zv5iL^&7K0ukS4F{PG><=^{XY009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5*B9|>#>4^JLDmfw7EyS=i}xzgEgKhoZA_kWJeFD;zDv{1ct
z`pnsdYX53=dVQ^WVQKMWr<b0rKC$p*_42vJi<cLw=g(E=&!2nr?Be{T>e9l6v!~}5
zj#tC~SAC_{{ZXI!;7Db1{#c%^KfBg>e(Q4^p>w%?ZF@6)U+(8G*ZS4ynM!4Haw`8+
z8nF6IdwuQMt*r}J*FWFh?hN-9w|MT6g-=#fXI#QyKy|uZE9x_+hEm2SQpQGmrL!>@
zQrVM{I`7M9%sg7IOum0AU+ymZ+RA4;tJ{N&p*<N}-R}ERYDH~kzEqh!+TYFk*4DMo
z)j>>oPfWM>zLdGz%vVq5!;@1}`Pb*uBO3$^ssp{K?qeHV|4$y==`-h-E*-D7i|`50
ztz8eFMy%6?c%>FE&Bd>C@#|dr8i&j^<7qaYTJiL7Jk7<^iFj(q(@Hp<NKr-ioDz$e
zQ7gLli7B-r#?*?KQ!8Rnt%ymrB1YAUm{lucSglx%=ic(V>r2V?Zk>|rDY>4K>nXXO
zlItnCo{}4BRwK=7q*;wLtC424Qg18uwo-2^^|rdbDYKO_A5J5aPb~q}(@yI}oLf&j
zt*6yCi_q$|c)3@`+(sJRNTVBRbm&Y&x&z~wW|C?a@!riO)l5>&bk}COYcoBU*)(@H
zrOl?a*)(^xGuvo3W@BWpjJdrsZmd_vJM_x9#a<cr*()PpuZ)V_GNJU!!L-EFyE>TG
z>Q8G8mJ`bUazfc(PAL1!31vSwl>Oy|vY#8uf60ySOuTWp8eg1V8Q-2>8DF7Zxi%;}
zgYxNrmgz<4j$IinXC*FYZMI#ktt9ce_-u>B9>+Ett@Pg3Ps}t9R3<+<_3!=(9Q>{>
z*9LVd{J|NCe{{yfC*Lh+;m`;WAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zKwzH>-26iReEG=X!xP!f>Ae(3vg3zS%MNGR#KhjtEQ?*S=f7_g!!Ip{+2uTcF?*^w
zTTE9DK5*-?TW^i$hlcV}akPA7=iBc)`K2HK@rmC|ZT#x?3t!t@et7&V2lBjJUH{96
z@4PYeyXikY`0BSF|MP2iSAU=1e)UZL>pS0UfA`R(H}Vks-g|pjmS=fvS-4j?!iYQ{
z3nTK~ds#R%0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyu<rzhOXbmt
z;g=T2!p`&Ex3h3)1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZU|$N9
zO4;aG*m=JDb`}ne009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF>`Q@C
zDH|ONJI{CjmW4wjK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk`%j=!
znizdCdulA~Jm39m77mR70RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5)`
z3xW5Pj*s5kyVHC;e9w2klZ8VgK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk|EmJa`OvZE&5`HYTU*yRuddy_ICQ!7_~wB#tDjze_lI71==Nt`{&{h-n64ar
z;MQZe-Wtyj4dtccX!*$954`gI?=AhI{E?Aw{NT>X>zz|G^&cI`^YXiH|LpbIzrXpz
z+b^H`?apgIdFH2MVdweon^`zC0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
Y1PBlyu&)FTmX3`+*WTK?zIk=+AJYN#fdBvi

diff --git a/tests/firefox-84/key4.db b/tests/firefox-84/key4.db
index 36f2e37e8133e139680ffe986776dfbd3930ffcf..762c46e63beb01b95402798e719341915990acb8 100644
GIT binary patch
literal 2931
zcmeHJOK%%T48HqUEON06_`u;jb_PZcv-1dq%91O~MRGDETM5)8b|E<_^6yJ>SC*@|
zNKjuZV5x6sI3Kwrm)wh4d~+U~FWc4T`s-@5UEkj|uNyc!y689F-)~my4|mreSKqd;
zr?s9Pb>+=y(#&UZav9TnG@YCsrCEvd(#&HwF3soF!y+#p7R|}}wz-&%&g1M|^J{t6
zTuny5U6p1!Y0`93$D=fFX60fWQ#ozc53A3r|HEI-jz*KqGMhJ}$$Z+p+7Z5Levjj;
za(QyRU4LMQu5S_A<&6o~AU~y!Pv0JE@XCV*o4`T9=$-N2)fO@+uuwFZN|$<eH)+rY
z3_^~!ZPDkHLvW#Lg$`Y@ozu3>sI<ojU|Q#FQb@|dw$XvEWKd<RTR^g=SR(lXk*v{?
zC%zzre_Ln!wM(Yh(qXQ)8Z<?lsIl!@tVmp4iGT%F7jnsn31Ueqngk`*q^<JDr<1Gk
z_{X9AbFtn2b-%gg$i-+WLe^?$qN{)gopxZWQaXE!C3x2+?8;-5l?Ioejbo-AdhQ=Z
z*+Es-K&eLQ6bs*lOmR2HLZ^+5zO>otn0%{@cM)sXVGJ#nE;`+kk3SP-)v=G10ICE~
z&az{amq@bc=u_t`CEJDwRwr+a?rcfEQhpU>PGJEkZC8`2L6_*fQQ5b-P+3@WOd<Y9
z`QL4~7n}9h#lz}nUVzw5XY<o$0d!IQFOV+HSQdCi@sj6T&$nJ~S;ZR`mW5-{vhXYd
ziv^1%i6B(aOJM}&P|(|97RtIv=25^z3YbX&Qz>9B1x%*khUMU1@1HPZkA)e98HE{z
z8HE{z8HHKPDJ`e8oYHbi%PA+jPIjH_I@xvou5dcxY(-Pzqa;8mPfB$`exf`ninoSa
z1S(!0AoJ2ID3X`8Xw#;s^op!wBvRBB1hZ`eY@3Qnq-aWBtemxC+X@@i8tL4utTyyk
z?jiFIt4|cz!m!F_2FSJs$N?N6N3n+zlmYIKNqC0U{V}&YMtyAO4#Ax}1b6Nb+_^(=
z$4hYM4#6ES!6&?2Gi;bvxo`%^)iXdYp#k3R;c5@xKSC*lUU#{7XUXo|+6CM$CE|YQ
z|HCn(ozyLc!~VB_IUk1!W!(gRr>Oz<G+?;Ffee#gMoO%WeM=oCOn7ncYaz9@P-AMf
zN-0po2{l&gr_m*=xV;!x5S<BuI&n_HwbUhbjuok{O@4XrL!xw0sF`W%el(A&@tS&?
zuG#VoLTdR=QLD|lLsxzFNQyN<XF{ivPe?bNMwJ51Jeskk)Ivk5rCF8H;t((%L^6&3
ztJoz**~b*rA>~8H4*&Yx!C@Ys=9IB`#_Uf$r8zjHdyiiH2nPg@<<-0R=;+R&oo@%n
z{=a>;koF^ZG|A;{v)*pMtTz0ixqsiA6PllgirX*CKUOyn-)Yj9+o9^G#d7uOJ4Jn{
XcJpyTU%iKx={t}Wr|0LR`PtFme8tJK

literal 294912
zcmeI*Z){y<9S87p+PmA{!W!)`)yyS#s7U94bN{sKP*S?Cu;SRCvIPgk_O`vu!p5NO
z7;H-E62}|=1dO7I223O&CQ6LP7fKM&#Kk{vNTx)MArLi!L=g-#F2r-5d+TLR5@UEH
z`#d@K^moqlJm32~pL4pt+%-G5&Mwr8Hy)VVUt1_vqPwFwjxH}2qbTZ3KZW$O-12FW
zTfRtt#;>d2sO*d`zVhLfizlPb!{gD%bBjMb@`EFXj`SaX>G1gB$KPm@`veFOAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB=EFmcYJ_j@~tE;-wEP)TZ{;_tzI{n`;ZT<)57+
z<D<j7MvJ?KH*Fm)F5fL)I6G6^F+O(n@c5qMhe!7mcW)cpxqGy@eOqy4`?f2#j*aXp
zj*srxIy^GEzL@@h)%#10ALYJFI`h3FYvO43mYMn;^SA9wJ11%f7Y>B$iRJu>(sEVU
zl+X9}u8pq`1Ez1T&Cc91Kfhyc_V(IBy`#Cfv2B}2KT-^x*%Dd<iWk;ONxARx6(Qr=
zkg=~eRo~Ydl0PjYbe@q>>ANDA?_Iq%o@gxl;M7g^>4jFtiqkUY8{KE5l#){4NPE8b
zUCX<fou5BgpKHbBPK#;uo{=(G>bvJdaYygkwee?0!Xs-1w5qmdRO7L=?*BIrZg|u7
z@m=eSwIuzd&#hKYKb5QwH?ljW?ABm*Ihb7zhRbZoU^P4SXQzSev>`hUW~YtWsg|9l
z($mHel{C&FG08GYN#lF6lv0w#l#(o`lw?7rBugqKSyU;>vPwx7R!XL`b8~r(^@Zee
zqYlaCkX#PQ<&azs$>oq-4#|};s}g2a!mLV|RSB~OLhnH69SFSxp?9Fs8!`t%=7umb
z_>=-rIqbBYWOK`5r{%EPYLd2cDZAY)v)oD;T?wNrVRYIVhBO9dW2!-_nq=Qy4N}!0
zRSn--4c}S~&!s=i?GI`FA+0~mov!y+s+ImMvRP)i%`)3qv&_DsS!P>omf1d=Wd_(R
zGsQ+3P?}|HTHtBkZA}|ko;J{0PFgN6CoPwkla|ZNNz3Kjv|L_JS}y0N<?C{@cP9Jd
z^ltXzG|TMmX_nb5)GTLOWxZA2_^&d&2#v8*t>sK*%bDq~B{Ne&d@y^qNnp>$Rx1PH
zy)AF-tF+~NuUz{^{{*&vS0_rXx;_1y)0zF<S($#~yB>?uLnA<d009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7csf&W{9qeJl>x%0Zad!nP&(>HNmw7xsEs5^>!dQR_*
zqO2?H`QKYl$D?EE>|7i_6kV4r-J9&s7uFrya_rTW@rsqnWHQ{kJU6N4inspwwaNQS
zKl}1$A9!Sc*S?*<oxS4O3&!r-^qVg%th(%x^V_a&i{rMqm~`bk8!2stWOcqUd2CBu
zZ_mZ+a@~D<Cttj0!=A#>mZ4okCvwH}|5$tB8^6Bb<kRmtc<P+7ZykSf;-}?z-+SWN
zYkz+3{qt8nHJ&c+9VbuUUmV3*i_#URM;xV>UFnE;@nn=98UX?X2oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5IE}uI@)uEo{mSyy3(D;i>IRW&<GG9K!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfWTQP(B2*uy3(D;i>IRW&<GG9K!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfWTQP(B2*uy3(D;i+_*OLnA<d009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0Rm^AK)$`F@KAJJSGx0f@lR2DXaoolAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK;WzpSk=D1aPst>#w*k7w!6L)E#8ox
zGy((&5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&Ucyk5f!ke4-Z)r>K>s+y>
zdi1<oYxDDm4$RGbedmhZ16Lhr+cZ5n@%GC;dGQzbKKWR(w3O`67uFrya_rTW@rsqn
zWHQ{kJU6N4ijyzx>V9R_Po8;c&oAdT@A&rU!+-e2rN?jEa?>T>Uw8k--<w`+i{rMq
zm~`bk8!2stWOcqUd2CBuZ_mZ+a^07H>btuS?RoH;<C{PD(c^!~y{)U~neHQ}wtw#V
zj}1TliQhl4YiVuAilL)D(fsV*iJR+pPRx{(4O7$AjT1>|rBbqVcXC5(Ro%(<GZy))
zYv(@w^DoW5+%t8{_0!irwd&}Dx!dbcT=dZA4^Ix=_tg^{{=*_)x8PjyA3yrt3m5(E
zmG?e(Rr$!=U-RcY-}db4ue^Bv<KKMZYmYyFs{fr`scqZhiD>cV^rR6WK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB=EFlE9kwp?H3F@5IgZJ11t!$%d)v>c)vA
Wv{I?#-1ar`t+o02LkH$&I{yhoOlQLY

diff --git a/tests/firefox-mixed-keys/key4.db b/tests/firefox-mixed-keys/key4.db
index 74a40c6a9f776b9642acbab45b6632d63fa41cdb..9a46863fd68002183191f99322d4bd9cdb541093 100644
GIT binary patch
literal 476
zcma)%T}#6-6o&8nD-OG9g<Z7GnoP<r(wdCo`au?DyBdK;DY90YI`Q9|+Nlgd%|%Y&
zoSf%*D?!&eg%_jy!%6q1=~`HUA3N35c<6fFJhq1?{bp7r=dqKpbyk2BwAj*AW@QmO
zsbEwxkTlsaIO;*wYEa-cHAuFTP>C$3Vh^`$KZj<}$6zYqRqSNNmI(=2AxoHjex1QR
z-Q2OQ=RPZAUc0__=Q|e@oMMhc9N;wK1dWv}#t!ibi8w}hi6eU__8m^Mu0>qfwZ>F^
zb5er_PX$&)1^y3@@1ZXfi$AZl%TtRX7LUkv#8HSoB>2+*?F6IBMcTh8H#Y17M<m3|
SQV<HqsQ;m)Wu9j;cHRMIKzt1V

literal 16384
zcmeI%&q~8E90%~E9m7A2dfTaxipYjTZS?`1qX%)q+$y+J$ksZG-8$Ro^yCxxLcW0S
zAovy@=FN0a+&p-m^8JzYm!#oG`?<C0oHs)mu&X#33ds)02BDN3F-8c{RWGQXho%Pe
zbDH1yCF^AO`Lkq9iEiu=V{E*tgn$49AOHafKmY;|fB*y_009Urvp_>HmMx2Rr07M#
zC{0^QcrWDKsL*J;b<bs9{kZ9}?;WfnY`eyUz3)^nXt8XX^l4UP7)ap@De|l>6v$Uu
zCG?r+UV5z6J~^wmyX@5M)|mQiAF8TZa;ke;vD`2z2}geLklsdWm5VzW&*nU@#O-{P
zecP{O*d^7e@kUfbKmY;|fB*y_009U<00Izz00bcL=LEKB!Q9*)i!`0Yi9d+qo``rV
zA~~M${&mp5;XSpsrrwJhA4D|-1Rwwb2tWV=5P$##AOHafKmY>&NMKzzSM&b@+4;X_
zyb$AET@Vm}00bZa0SG_<0uX=z1Rwwb2rQX^rRkMgc7)G|u^%KOe&9?OACX!#-x37_
L(SPL5;m<8!VHR+_

diff --git a/tests/firefox-mp-70/key4.db b/tests/firefox-mp-70/key4.db
index 9be3138733915e9f9d3f9ba10ae7181697f89314..ca711e3d5793f1cba64b46882aa2efb27094fbbc 100644
GIT binary patch
literal 2320
zcmeHJO>f&c5WV|X5WP4H<S_gc1)~Rwq6%Xj+3Prq_EgBRy70D57FN<l|NYL4B&%_I
zDA4N~@c4<Gd3<`LN7`(|o0}k>yY}?{OMB{$j}PLtfW>UnPkeYhwa336-hXVrcCXh}
zwU`y@&9WA|ZK!WU+%4DjVivb4?2_1pVwJ?__NghGr$$^I4`Q=j-h}Nt@q2nF?&{?q
zcS)>k5!ZFKTE?B&rp+qEbS;ig?PuBlsNWW|Wqq5rJF%>HYw>C%d?o%2tGjf2HUFpS
zx_=)}hxzr}c?ed5wN^V5Tm{M~rybZzN?m%ZQtn+ARgoxHgN_=M2M2`;-Wl&*l|cy-
zB3O)CgUrE56N@~{$~+_;ivsg=ol@yRCndcuGb@d?d6^<8tddv(mCAe(O;9QZA5&7L
z%6-%oR3KgM)f{i@g-;J%w>cfZG*9i%I2DTZc6Tirz%LrrDEw-|JU}CohCE$*y7YWW
zDc(@96dZ+&f~SyEXejJ4<V*#9WJVwkbcG|apwk?QM*<N^ASMY!C4smk5SfH~ii5mf
zA2X{SGqYl5#mtJC6*DVlR?MuqN^_OwD$P}zs~pcdo^?Fyc-Hl^%;}gj<4pEPvO$XP
z6!#BxD!x<2Y7O8=Ng5s?@oLV-<H49laFS!6*pJZK254==P8p!J4X<i=Rm1yYxfV|x
z&RSmEvdj0a)ka$y9w6}!kjMu}D-4isae%be0Lj1sl8ZfLQwBJdu|31+ROZGqH_1Ub
z%0W2FK{(1mIPxMK<sck+5q`r<XNDHWQ93vSq|-A%Izj_HOt78chco1Z(C6+aIeU_G
zunipc?6{}B1-6}Xjdpx)ResrXra$Mo>tN$Bx${P1Bk5_tP*VXp#ef@Y!~D9wTdla?
zn4j!7Cdpiv%12p&HYQIQwkDg0;0jr)<gkaiWMww?8wCbrrd=$`(paUWt)hu32Ag~B
zO&M$v^8i>8T@_;HLYAO%Ig-hwoGV}u$x44EjAlrCzU^wTd2s3Sr}qm5y!7r{9|;d0
z!V9I??+1$~^egIrRC|`yOFRo51&!K%RQvzfs^7S?5z}LDS(oXpICkB0d!o01=|3i}
y@R@a)*gfz6ZttJI%f#pHW$LG9-+uZoQD3Ire{ArT<Z@*R^u`g_H#f`OV)h?}?m^c8

literal 294912
zcmeI*OKe<M9S7ihJ>&7CNeU*_5FtzBuIv)ZorkB6)QBXmOI_SNOd@Dmm~re>E=f~j
zhlB($K_alI*s!3ggjj_|SFmFd@sx^0cC6U2DFQZ8#beQcvf!LEGfb^05@Ln$cXa3a
zfA2ZxchC9mI9}${r<OLh)@$c3Ub@iPsx`B(XL+6-snxP98xEhb@aeZoD9Zhd@H2m3
z{jhR4dvb1c@AkcH^xAUvmGbtluK(=%mFu(D{(5cs+Rq<0$$bI@2oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7e?|Chk|k&)`;WPanLTb<SO>lfCyI?r^rI{lxc^UDiIPcPI?
zA3e6TQ0w2VO>eB#PA)ILaCG^_+NTy?terW&c<RhT?Zolg{E6ewE-lWVt}QQ|Tsk_x
zaIhBszv>J1?vKXI$44vG`N=%ncy(?4>gE^Eht8GG<*ke9dZnMgQtww|$10U-bt?Z{
z8gTXtosG3uH#bjS+W1muYkj1*xW(hoEPS?>I^z-s18UQqdeN9UGMq9#lQPbCR@cuD
zhE#TBq|OI2nlsOqE7gxo<tyD~UtWD>{p{8tV|Yi#X1Du+lzLI0nJ-nU2l~6&*xbCl
zerXU>-VxL7eIRA7KJ%@o^O5S*RQ{d$^vVVSgKDT3)qQP)`~S&{J9_NI^67)MP7yxg
zy>%Ml(~Nbx5%1LFt+{wP7cb}1WgIfsil^ClYRA)4@iZ4thvKOdPpjc{C`A?Bb4n~?
zM!o1hC#KYk7*j7|PQ8dh^&%$Kix^ceVphF~VfEr{JolE@U0+IWbnBGdNXd<q+(^ld
zl-x+kjg;I>vzlpEGtFwIS<N)7oqF4;x1D<1skhzjO_}YK`BWO2eCi3Pk#^cB;@n2s
zX(O$+RfN{4$J@O!<~GylW*Xg0qeEvJ(j6Gbw31Y-h|g{%saBF|rKh&iQ(Ni1%%-`s
zDQz~T&8E3$*Jqop=4_1Yl`*$h#*OvL_=H{=x7aJ=K6_;Z?3GcmTPBoVIhdAsdUprY
z+Wl$m!E!>`Urs3d%L!$FIic+5hO)n$Q1){}`M%uvorw<)cjFhQSH^EouZ&-zUb!|X
z*9Yaff0yZt&>g!vSk7u(&f09JSX)ivbMf64i9L>OHQVWX+c-4S9I8}5IrXrA0tdgV
zEA>HL3V(A(<KLaV;gfHdvv6nx2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FoJ21#WyfzgphEZ{I|AV|pjW{_Nns)Uth9HZifYGs|LE?D_B8#K`T%FuR=Rx3ZUt
zrDD4B$P+i8yZPSUe9v%RDh`zQA3tz-`WJs`E&lo2>u>(>$G`p4%Wwa&I+W+-+L3De
z&hHl<f9(F!-CJ+Wy>RRHo5R(&|M}}zzV_(G<kUOoeiULKySH;?d6vhPg=d8$&%)(+
z7?E$^%fg`%AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5;&T_-S7DvwQ!
z++G|HJI}Z8XW`HY5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7e?t`sPh
zva#{7^L+b$77mR70RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5)`N`X=-
z8ygQh&$s`Pg+n7ifB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009EKPoPqo
z7`v6dG#+-IZ{N+rp%EZJfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D)a0
z@S)Pdv3omrn(qzQ`SuU8aA*Vw5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAVA=MRbXXkc(Qe4^tI0B=9P<=*4{cbe5U>U#i3(oKfm(9!{2=JjhBD<)8gr3y7I^q
zH=n!t-rjuAa9%17l=t8H-dErJ!=0a0zWeU)O7DF5@a6qyzJGTp&&wb9+tu68KmME7
z-~HIk>z{Zu-}uIO*m=JF_beP50RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
Z0t5&U*i8a^N|X6(oz2ZF7cZ?1{R{4~^Tq%G

diff --git a/tests/firefox-mp-84/key4.db b/tests/firefox-mp-84/key4.db
index 51017f14f12ac0f093cf39a55e405681cbae3c63..e8e4583cbce25f288536b464ceec0e37de54912f 100644
GIT binary patch
literal 2931
zcmeHJOK%%T48HqUEON06_(0BkVB|2*K&UObvRou5L$Z`WO=1_4lcN8=<m}3F6c-8V
zYXvOz?U3`4OL94TISp?vLic66+T46yZMN(CyY6)dXGfR4;{E+*wf=B-^Ktd}_VuLJ
zv!htvjK<w;8pc;4%|?^)*-@I7Fe}|G#Pia9UOmk7{9)dmte4&8baWA>@48>hyY6~C
z`t7=OlW~_O<9a?yvu;{0&qFGw-TGnm8T&u+%h}Ord{w5iZZw`vx>q~GSKaU7{JLD7
z9B<bjIG~%Q0K2$V{s!6)@%Z%Zu>^+>B<KVNya>)H=S;Pb0YO8NpekMXtTsuI3X~wJ
zwE?RmN*5pm1KCO=Gt}&@l{)wwM8ssG3qoZqDq*(Sne4Jp)`B2!$db4K0(o=a#3I1|
z+dBJCK4=7IW30hz5HVYwP@7tFHo@lVtnr$FtQ3?KE?V*g=u`;VIDLFNzCJ(yaVr0u
zZ?}KlZ<d_7z%I4c(x_l62qla(pev%xPK)B5u}Q@8m}Qh;^0Rr&q@m~jQI_dhVu)I)
z0zo2*=wvim7kb3xqKYCzF1DI1a}<=8Nc9v{lp>0fk(~TgmN9aSQ~>G(K%+S@s!JeQ
zbP=gop;a<Ia}A@n#b}>B6b@gh01+WV)KS=EH0mTNPK#A&r|dDM_?z~>+iov6>#y^N
z)z7>DAx@^V({2uQQUA{cU6OHI;1%R0$G47eUAtuyr&wqfhJ|I}Sa=q577G%-Q9&;o
zBQOU-?}u5a>P<2a0uxc|HOW*6%!R;Y2)8VU@cQ@~v*>YS7L8dnX3>~MV-}5BG-la$
z$+k<jU9#<xZI@|U)3l~(P1BlQ+c-_*w9T^R2U~*ZC7=kYFPh}NqD8BCL<r>N0kV!>
z!6tc`x~W$-*&FsN?3<=Slk8go`=(}UvRSse=*Fg-Z+d4*OT9+&cBQ3~nhgiYx&b~h
zU=PD8yBQ$+8XzZdfSko1wxkSjzpbTbSlw?kyKQD44#8bG1b5*O+=WAM$4hV*4#6ES
z!6&@jGwhgFxp4-_-7`RLp#d)UaJ7f;A7N{R-gdDMXTjkt^&FOqmT@=C|6!YwruD7x
zhx2d$ay}j=RCVQzQ%D1_rvb$S4%%VT%Rq(Ip&zNk3FBWp`&3Q2h7wc`4h#Aa1x-JU
zLV*x87)uqo_?T+-%4;Pw4IQ5mwQx=ris;3&5787u?qev0jtwGACRC9G1;S?#C_4U>
zvnfbOG?i)Gp~s3wm}GJ_-l0+^qV;4!s)SKy8mAb82q~o@VSEs^)9Am7U14xI)u;q@
zDEUya!@s_Ea9GEuHD%l)WA>+!(m6PkdyiiH2nPg@?bV0)80apbU2F&2{=a>;k@iRM
zXq?O2ZoS=pS#9`3bN{|~Cv<)u8g9QV{#e~Ud}m2tZil9y=8M&*?+oRk+3m+Uef1uC
Qrtd&DoLpRtW@ktL0J1E~AOHXW

literal 294912
zcmeI*Z){y<9S87p+S}XRLMzmnhRm5e1A&c!=l*He1rfSZ*kJ5W-4qz1y=^a~Y-Mci
z7!0L!!e%6zkVxc(Cd7n@Kw^l#Kt*(#kVwR+C<uf%hDbC<gCsBs37+%ZTQ7Bz7{eRc
z=gGOJzjL1F`QGRGoYVE?KD~YO^jy7o{oegEwYg#?x-*L7=;C5AilWZ+Q%FCHEuR*-
z#f$W3{I2@F%FgKg%O2{UKOQYRG#Y&_H~+KSe|-DF+xri_c4+j_Pu^>i`veFOAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB=CHmcX9Q&c2l^<ArnQY7=|vGxfRJCAGQQ;?HHn
zqa#B*Mv6OzHf$a#F5WGkGd)$@HoED`q0y_0SBzX;+_`1b_MIcety_x2Ten=gdDHNY
z;^@e>%|pW@Ym4dsS3Of|{3x&f#Ik(f@X9!vzG<p{>+HTgY3Eq&z}((&J+_!XR$8nI
z8}j+SzE$zAFko_bZF=ga+1YLTr*Emv)jOMu+qC79k*kWKGh0GyK=GVfDJieMxFckI
zHe~FnP1N_ahUAxIgw7K(DyuKe<@;8wipLtuJ}_}(eR8gq(Xk|Bw$Xh;N+~I=9&XR~
zow2x^>Dk!>_5H1w+>)3^?+Gb`rPW728F%)rS`~j~I6SgeK&xtNMl~K=>;8Z9;D$DA
z9o@0ESWD7R`rK;e^i#>|a3i}@%5Dv2mxI~mV7SbN3|6yKe|8$kPV2JMV0K!cood->
zB0a4SQAy(*5|b>Wlr+94ODQE;Oex87N=X(}O0uL<l0}u0EUT1cVWng;J2#itSYJpk
zH|mgF4$0+^Tn@?QkX#PQ<&aznvnpX$CCsXXS(PwrAoLD|-ht3N5PAn1y&-cTWUdP%
zgHI^{mBUWUNjA3}c3KXrttM$Jm$KW<GRv)m(UmZ|5=N(;VMt?OHl`Y+s!8_U)gV<3
zQq}OS)$py=@Lc-C-2RZ(AJY26+{t=>rCRCFBAaEF+bpw<HOuT9nq{`dW|{4?S!RIE
zGE;1n0i{{CrUjnn-PW{$#c2br<)r1}a?)~fIcd4LoU~lbP0PjQq~&66TD~hcduOsQ
zPVZ(fPP5G3o@SZ7Ld|ljRn}YO_5Uivi_jQ5(OS+#ww$T{S~4{e#0Rryn*{c3Y_&2F
z-rMr})s?n<-({=b>z}~Z@9J2oRkx>qbCzX)ce>M0e8-bfdT0a)5FkK+009C72oNAZ
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAn<=HaQLG5*4*-*p5Ewib?GLSM{9dRi+ZA{w|8l0
z6lGmm&;Q<fJD=E;&d$a0gV8m~!oA5%zOd%V#v^Zb#~t0tcrw(wJT<B2id&y~>(5s{
z^szG@Ip=~EXSSX9+~3ao(-ZG}^}Y?ej(+3x(Jy{#TU#8r#l@s6zpRncR!COl3*$#N
z#`X4Gye8Lk`b|?W{@|~dKTv$?J8M7wg<LVWYx&WqlV`5GYu~-EP3)O@<NoEBK6cyF
z>&`g#-QWCj#Wx@QMY_0;9ACP>IEu3tr7KR4I7%<O(h>3e@hCks0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyaMB5Mw&x1Holk7)N_QU5za6EAMt}eT0t5&U
zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7
z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1WrnU_V%dImF_&Ae>+MKjQ{}x1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72%MAx?d?&aE8TfK|Bom=Gy((&5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAaL>t<lB1-4@TE?r8|%3{}QE#Mt}eT
z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1WpQp54W!^9ACQAxI4XWyW@M&
z{I%&xBS3%v0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+
z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly
zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5;&_g5e;yuW$>mbP$K
zzGG$e@ba5$v$F^H?w@*id&ka!%lEczm>eHF{ldG?zyF4xKA9{mBs2NKnj;&JyxARh
zbSLA<Q0wy4q?#+fy!(+ITe?cUk6$oz-E)uLbH#bxufFl@OT`V}Uvu`ZKfH3mvu$zQ
z78jGQ{IW($TOnDIFN`1A7}wi#@tR!Eb!%TeYxDGPkG=G@KVJPpPwuo!9(e4OQ+A#G
z)b?x3kMH~YRhKQS>gc%WaBnm_eZ$!9`fX!V<z(H&WOe;m5?ZO0EZmt~+gepmvh{>T
zR(Fmccx>>2hsU2ExbQ<S9PI!0i|2lH_m|H6^()7o|NYFDzkcvPEb?6o&J}<D;AuyH
z_||=GKRR&iGw-~7<L8gxa^JU}ef?MEd-fIMyB>b-?yl6fZT@%B{OjpSBS3%v0RjXF
z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk
z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs
z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0v{xSmF*YBv(q<>?XKT8HdRj6O-xqT
Yk0qg%N*$-RuZ(Z5&CVX&yMHSGPk+T_bN~PV

diff --git a/tests/firefox-mp-test/key4.db b/tests/firefox-mp-test/key4.db
index c8ed7d9c3c243641b99e8c7e4d45a6a06b85c377..11695abbe92a11a9a54902070bd7d6b4b20496b9 100644
GIT binary patch
literal 618
zcma)&O>5gg5Qgvm6-zF5A&1$o*%cy(+1=S78p}pjOL7VVt3{O9#d1^n@4IeDN-31i
zVdgN;dwAY$N4IMd-{$f3_&lEG>39$~0_w%~<?-ow8mG^P$1mfL`DT-Iy$F2Uw4(2*
z-BIkDO<ONw$JDdvDcrGm8qdRiI1geq?M2V`z1Vimnz{$^o*%BobRM7N%Te#@MbqxM
z>qXP{8*%j-y%Hbk?gQ^u%df*ce?Ok~%j^4PARW;7guzLdBZKh_tfh^ZmDWHZfwY+}
ztOgx5C=UohkuNci*+Bsyf-Sr7vH~NGwn1VJh5=$$>{BoiWk?i=y+uhTR%BfORZ_Af
zKq9b&V0?(tk&dV;Ae*xetW<VsS+xFW<S@_M)AT%?N3j}Yksl=d<^CIbv%hGV|J3lI
zibOf-MC8yaEgc2Sh$vOYOo*JQ^6phbK}-b;$}58ml2o=9xk#8Qaf%4esRUj@rBv}X
dh2>&tywX-%vhh-L_VBNfzpB`**G*q9egbQ>nf3qx

literal 16384
zcmeI%K}Zx)7zgn8cE)8(*IA-kIt)Cq!`N;*V|7}Cwq-zR1KZs~MVQ_)v#{ju=+2~J
zgm}mfVnpYKAo7qx5J-oha|9LLi%3rrL=a^rguOL}6ryV-|Bv_h-kTXd_<pxHFMlpu
z_8nGoYZdOZV<bi>C8ro8gh*n_Vg?Zsi|u<Fy!b<wNax(QsIpEZB|(%?<*7&r2tWV=
z5P$##AOHafKmY;|fWW^jkdeaiwl<pgd2z(4dR~96JkI@XD>;)h(*=_i(x<Z~`}GCW
zxM3t2H}vj~^E4b+RXVj*q~iG8<~|Q{Xh(tIDbva}E0_ZX)}QM;o6ZfgGv;8DiDP?3
zRBfd0j;>HRo>3_&S8eBtH#Q=kTKux_Ztbn0l4S&|#@Rm7z>bPZl{-WX1Oy-e0SG_<
z0uX=z1Rwwb2tWV=e@DQgP3rOK$SC)`3AbiHPT6yp#-?7%H(QNiw_RU+bznp9(Y0{%
zk(u6^uTk34L?!)@y#K^Qcj;Zrr`6Y4{$%mNb$;*J{M8Vpa_nGhY-#rSWKZ$d{AOyU
z>)Kw?7gatJF%S@d00bZa0SG_<0uX=z1Rwwb2<#$(W=Y)>{89LM|6eCceHS%|Rv-WY
z2tWV=5P$##AOHafKmY>&kwB5k(^^u`{^ovvw!ZNF<idE)n0&NW+PAh*`f&e7<9?sL
ma1z?#D!u#V!pBtK+cy^{jz-vRwrnQeTfOc1q2cwN{nH<5NS9s!

diff --git a/tests/test_inspect.py b/tests/test_inspect.py
new file mode 100644
index 0000000..4d810ae
--- /dev/null
+++ b/tests/test_inspect.py
@@ -0,0 +1,58 @@
+from io import StringIO
+from unittest.mock import patch
+
+from ffpass import main
+
+
+def test_inspect_output(clean_profile):
+    """
+    Verifies that the 'inspect' command runs and produces Expected output
+    including warnings for 14-byte IVs.
+    """
+    # 1. Test 14-byte IV profile (Should Warn, Default = Obscure)
+    profile_14 = clean_profile("firefox-14iv")
+
+    with patch("sys.stdout", new=StringIO()) as fake_out:
+        with patch("sys.argv", ["ffpass", "inspect", "-d", str(profile_14)]):
+            main()
+
+        output = fake_out.getvalue()
+        assert "Inspecting Profile:" in output
+        assert "WARNING: Non-standard 14-byte IV detected" in output
+        assert "REQUIRES Native NSS backend" in output
+        assert "KDF OID:" in output
+        # Verify obscuration (partial)
+        assert "(Use --reveal-keys to show full)" in output
+        # Should contain "..." for omitted middle part
+        assert "..." in output
+        # But not "[HIDDEN]" anymore
+        assert "[HIDDEN]" not in output
+
+    # 2. Test Standard Profile (AES-256) WITH --reveal-keys
+    profile_std = clean_profile("firefox-146-aes")
+
+    with patch("sys.stdout", new=StringIO()) as fake_out:
+        with patch(
+            "sys.argv", ["ffpass", "inspect", "-d", str(profile_std), "--reveal-keys"]
+        ):
+            main()
+
+        output = fake_out.getvalue()
+        # Verify basic structure exists (proving ASN.1 parsing worked)
+        assert "[METADATA]" in output
+        assert "ID: password" in output
+        assert "Encryption Scheme:" in output
+
+        # Verify it revealed keys
+        assert "(Use --reveal-keys to show full)" not in output
+        assert "Global Salt:" in output
+        # Should NOT be hidden/partial
+        assert "..." not in output
+
+    # 3. Test Legacy Profile (3DES)
+    profile_legacy = clean_profile("firefox-70")
+    with patch("sys.stdout", new=StringIO()) as fake_out:
+        with patch("sys.argv", ["ffpass", "inspect", "-d", str(profile_legacy)]):
+            main()
+        output = fake_out.getvalue()
+        assert "ID: password" in output
diff --git a/tests/test_key.py b/tests/test_key.py
index edffedb..54b1bb7 100644
--- a/tests/test_key.py
+++ b/tests/test_key.py
@@ -1,14 +1,18 @@
 #!/usr/bin/env python3
 
-import ffpass
+import shutil
+import sqlite3
 from pathlib import Path
+
 import pytest
-import sqlite3
-import shutil
+
+import ffpass
 
 # This key corresponds to the static 'tests/firefox-84' profile in your repo
-TEST_KEY = b'\xbfh\x13\x1a\xda\xb5\x9d\xe3X\x10\xe0\xa8\x8a\xc2\xe5\xbcE\xf2I\r\xa2pm\xf4'
-MASTER_PASSWORD = 'test'
+TEST_KEY = (
+    b"\xbfh\x13\x1a\xda\xb5\x9d\xe3X\x10\xe0\xa8\x8a\xc2\xe5\xbcE\xf2I\r\xa2pm\xf4"
+)
+MASTER_PASSWORD = "test"
 MAGIC1 = b"\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
 
 
@@ -30,7 +34,7 @@ def mixed_key_profile(tmp_path):
     (multiple keys present).
     """
     # 1. Base the profile on an existing valid one
-    src = Path('tests/firefox-84')
+    src = Path("tests/firefox-84")
     dst = tmp_path / "firefox-mixed"
     shutil.copytree(src, dst)
 
@@ -50,8 +54,8 @@ def mixed_key_profile(tmp_path):
         row_list = list(row)
 
         # 4. Modify the UNIQUE 'id' column to avoid IntegrityError
-        if 'id' in col_names:
-            id_idx = col_names.index('id')
+        if "id" in col_names:
+            id_idx = col_names.index("id")
             original_id = row_list[id_idx]
 
             # Increment ID if integer, or change if bytes
@@ -59,7 +63,7 @@ def mixed_key_profile(tmp_path):
                 row_list[id_idx] = original_id + 100  # Ensure uniqueness
             else:
                 # Fallback for blobs/bytes
-                row_list[id_idx] = b'\xff' * len(original_id)
+                row_list[id_idx] = b"\xff" * len(original_id)
 
         # 5. Insert the duplicate row
         placeholders = ",".join(["?"] * len(row_list))
@@ -71,33 +75,33 @@ def mixed_key_profile(tmp_path):
 
 
 def test_firefox_key():
-    key = _get_key(Path('tests/firefox-84'))
+    key = _get_key(Path("tests/firefox-84"))
     assert key == TEST_KEY
 
 
 def test_firefox_mp_key():
-    key = _get_key(Path('tests/firefox-mp-84'), MASTER_PASSWORD)
+    key = _get_key(Path("tests/firefox-mp-84"), MASTER_PASSWORD)
     assert key == TEST_KEY
 
 
 def test_firefox_wrong_masterpassword_key():
     with pytest.raises(ffpass.WrongPassword):
-        _get_key(Path('tests/firefox-mp-84'), 'wrongpassword')
+        _get_key(Path("tests/firefox-mp-84"), "wrongpassword")
 
 
 def test_legacy_firefox_key():
-    key = _get_key(Path('tests/firefox-70'))
+    key = _get_key(Path("tests/firefox-70"))
     assert key == TEST_KEY
 
 
 def test_legacy_firefox_mp_key():
-    key = _get_key(Path('tests/firefox-mp-70'), MASTER_PASSWORD)
+    key = _get_key(Path("tests/firefox-mp-70"), MASTER_PASSWORD)
     assert key == TEST_KEY
 
 
 def test_legacy_firefox_wrong_masterpassword_key():
     with pytest.raises(ffpass.WrongPassword):
-        _get_key(Path('tests/firefox-mp-70'), 'wrongpassword')
+        _get_key(Path("tests/firefox-mp-70"), "wrongpassword")
 
 
 def test_mixed_key_retrieval(mixed_key_profile):
diff --git a/tests/test_mixed_keys_run.py b/tests/test_mixed_keys_run.py
index 5d9582e..e96a23a 100644
--- a/tests/test_mixed_keys_run.py
+++ b/tests/test_mixed_keys_run.py
@@ -6,32 +6,13 @@ Created on Fri Dec 25 19:30:48 2025
 @author: shane
 """
 
-import shutil
 import sys
-from pathlib import Path
 from unittest.mock import patch
 
-import pytest
-
 HEADER = "url,username,password"
 EXPECTED_MIXED_OUTPUT = [HEADER, "http://www.mixedkeys.com,modern_user,modern_pass"]
 
 
-@pytest.fixture
-def clean_profile(tmp_path):
-    def _setup(profile_name):
-        src = Path("tests") / profile_name
-        dst = tmp_path / profile_name
-        if not src.exists():
-            pytest.fail(
-                f"Test profile '{profile_name}' not found. Run generate_mixed_profile.py first."
-            )
-        shutil.copytree(src, dst)
-        return dst
-
-    return _setup
-
-
 def run_ffpass_internal(mode, path):
     from ffpass import main
 
@@ -41,6 +22,8 @@ def run_ffpass_internal(mode, path):
     # and avoid needing complex ASN.1 mocking for the password check.
     with (
         patch("sys.argv", test_args),
+        patch("sys.stdin.isatty", return_value=False),
+        patch("sys.stdin.readline", return_value=""),
         patch("ffpass.get_all_keys") as mock_get_keys,
         patch("ffpass.try_decrypt_login") as mock_decrypt_login,
     ):
diff --git a/tests/test_native_verify.py b/tests/test_native_verify.py
new file mode 100644
index 0000000..cd86b82
--- /dev/null
+++ b/tests/test_native_verify.py
@@ -0,0 +1,44 @@
+import pytest
+
+from ffpass import get_native_logins
+
+
+@pytest.mark.xfail(
+    reason="Native libnss3 may not support legacy (3DES) profiles on modern systems"
+)
+def test_native_old_profile(clean_profile):
+    # Firefox 70 profile (legacy)
+    profile = clean_profile("firefox-native-verify")
+    # Password 'test' (from test_run.py)
+    logins = get_native_logins(str(profile), "test")
+    assert len(logins) > 0
+
+    # Expected based on test_run.py: 'http://www.stealmylogin.com'
+    found = False
+    for login in logins:
+        if login["hostname"] == "http://www.stealmylogin.com":
+            found = True
+            assert login["username"] == "test"
+            assert login["password"] == "test"
+            break
+    assert found, "Expected login not found in native export"
+
+
+def test_native_new_profile(clean_profile):
+    # Firefox 14-byte IV profile (from user)
+    profile = clean_profile("firefox-14iv")
+    # Password 'pass'
+    logins = get_native_logins(str(profile), "pass")
+
+    assert logins is not None, "Native login decryption failed for new profile"
+    assert len(logins) > 0
+
+    # Expected: https://google.com, test, pass
+    found = False
+    for login in logins:
+        if login["hostname"] == "https://google.com":
+            found = True
+            assert login["username"] == "test"
+            assert login["password"] == "pass"
+            break
+    assert found, "Expected login not found in native export"
diff --git a/tests/test_run.py b/tests/test_run.py
index 801a56a..31eed21 100644
--- a/tests/test_run.py
+++ b/tests/test_run.py
@@ -1,41 +1,26 @@
 #!/usr/bin/env python3
 
 import subprocess
-import shutil
-from pathlib import Path
 
-import pytest
-
-MASTER_PASSWORD = 'test'
-HEADER = 'url,username,password'
-IMPORT_CREDENTIAL = 'https://www.example.com,foo,bar'
-EXPECTED_EXPORT_OUTPUT = [HEADER, 'http://www.stealmylogin.com,test,test']
+MASTER_PASSWORD = "test"
+HEADER = "url,username,password"
+IMPORT_CREDENTIAL = "https://www.example.com,foo,bar"
+EXPECTED_EXPORT_OUTPUT = [HEADER, "http://www.stealmylogin.com,test,test"]
 EXPECTED_IMPORT_OUTPUT = EXPECTED_EXPORT_OUTPUT + [IMPORT_CREDENTIAL]
 
 
-@pytest.fixture
-def clean_profile(tmp_path):
-    """
-    Copies the requested profile to a temporary directory and returns
-    the path to the new copy.
-    """
-    def _setup(profile_name):
-        src = Path('tests') / profile_name
-        dst = tmp_path / profile_name
-        shutil.copytree(src, dst)
-        return dst
-    return _setup
-
-
 def run_ffpass_cmd(mode, path):
     command = ["python", "./ffpass/__init__.py", mode, "--debug", "--dir", str(path)]
 
-    if mode == 'import':
+    if mode == "import":
         ffpass_input = "\n".join([HEADER, IMPORT_CREDENTIAL])
     else:
-        ffpass_input = None
+        # Pass password via stdin to avoid interactive prompt hang and verify pipe support
+        ffpass_input = MASTER_PASSWORD
 
-    return subprocess.run(command, stdout=subprocess.PIPE, input=ffpass_input, encoding='utf-8')
+    return subprocess.run(
+        command, stdout=subprocess.PIPE, input=ffpass_input, encoding="utf-8"
+    )
 
 
 def stdout_splitter(input_text):
@@ -43,55 +28,55 @@ def stdout_splitter(input_text):
 
 
 def test_legacy_firefox_export(clean_profile):
-    r = run_ffpass_cmd('export', clean_profile('firefox-70'))
+    r = run_ffpass_cmd("export", clean_profile("firefox-70"))
     r.check_returncode()
     actual_export_output = stdout_splitter(r.stdout)
     assert actual_export_output == EXPECTED_EXPORT_OUTPUT
 
 
 def test_firefox_export(clean_profile):
-    r = run_ffpass_cmd('export', clean_profile('firefox-84'))
+    r = run_ffpass_cmd("export", clean_profile("firefox-84"))
     r.check_returncode()
     assert stdout_splitter(r.stdout) == EXPECTED_EXPORT_OUTPUT
 
 
 def test_firefox_aes_export(clean_profile):
     # This uses your new AES-encrypted profile
-    profile_path = clean_profile('firefox-146-aes')
-    r = run_ffpass_cmd('export', profile_path)
+    profile_path = clean_profile("firefox-146-aes")
+    r = run_ffpass_cmd("export", profile_path)
     r.check_returncode()
     assert stdout_splitter(r.stdout) == EXPECTED_EXPORT_OUTPUT
 
 
 def test_legacy_firefox(clean_profile):
-    profile_path = clean_profile('firefox-70')
+    profile_path = clean_profile("firefox-70")
 
     # modifies the temp file, not the original
-    r = run_ffpass_cmd('import', profile_path)
+    r = run_ffpass_cmd("import", profile_path)
     r.check_returncode()
 
-    r = run_ffpass_cmd('export', profile_path)
+    r = run_ffpass_cmd("export", profile_path)
     r.check_returncode()
     assert stdout_splitter(r.stdout) == EXPECTED_IMPORT_OUTPUT
 
 
 def test_firefox(clean_profile):
-    profile_path = clean_profile('firefox-84')
+    profile_path = clean_profile("firefox-84")
 
-    r = run_ffpass_cmd('import', profile_path)
+    r = run_ffpass_cmd("import", profile_path)
     r.check_returncode()
 
-    r = run_ffpass_cmd('export', profile_path)
+    r = run_ffpass_cmd("export", profile_path)
     r.check_returncode()
     assert stdout_splitter(r.stdout) == EXPECTED_IMPORT_OUTPUT
 
 
 def test_firefox_aes(clean_profile):
-    profile_path = clean_profile('firefox-146-aes')
+    profile_path = clean_profile("firefox-146-aes")
 
-    r = run_ffpass_cmd('import', profile_path)
+    r = run_ffpass_cmd("import", profile_path)
     r.check_returncode()
 
-    r = run_ffpass_cmd('export', profile_path)
+    r = run_ffpass_cmd("export", profile_path)
     r.check_returncode()
     assert stdout_splitter(r.stdout) == EXPECTED_IMPORT_OUTPUT
diff --git a/tests/test_sha256_mock.py b/tests/test_sha256_mock.py
new file mode 100644
index 0000000..584f9e6
--- /dev/null
+++ b/tests/test_sha256_mock.py
@@ -0,0 +1,218 @@
+#!/usr/bin/env python3
+
+import os
+import sqlite3
+from hashlib import pbkdf2_hmac, sha1, sha256
+
+from Crypto.Cipher import AES
+from pyasn1.codec.der.encoder import encode as der_encode
+from pyasn1.type.univ import Integer, ObjectIdentifier, OctetString, Sequence
+
+import ffpass
+
+# Constants from ffpass (redefined here for test generation)
+OID_PBES2 = (1, 2, 840, 113_549, 1, 5, 13)
+OID_PBKDF2 = (1, 2, 840, 113_549, 1, 5, 12)
+OID_AES256_CBC = (2, 16, 840, 1, 101, 3, 4, 1, 42)
+
+
+def PKCS7pad(b, block_size=8):
+    pad_len = (-len(b) - 1) % block_size + 1
+    return b + bytes([pad_len] * pad_len)
+
+
+def build_pbes2_sequence(
+    global_salt, master_password, entry_salt, iters, plaintext, hash_method="sha256"
+):
+    """
+    Constructs a DER-encoded PBES2 sequence just like Firefox/ffpass expects.
+    """
+    # 1. Derive Key
+    if hash_method == "sha1":
+        enc_pwd = sha1(global_salt + master_password.encode("utf-8")).digest()
+    elif hash_method == "sha256":
+        enc_pwd = sha256(global_salt + master_password.encode("utf-8")).digest()
+    elif hash_method == "plaintext":
+        enc_pwd = master_password.encode("utf-8")
+    else:
+        raise ValueError(f"Unknown hash method: {hash_method}")
+
+    key_len = 32
+    k = pbkdf2_hmac("sha256", enc_pwd, entry_salt, iters, dklen=key_len)
+
+    # 2. Encrypt
+    iv = os.urandom(16)
+    cipher = AES.new(k, AES.MODE_CBC, iv)
+    ciphertext = cipher.encrypt(PKCS7pad(plaintext, block_size=16))
+
+    # 3. Build ASN.1 Structure
+    # ... (rest is same)
+    # Re-using previous logic structure but just checking it matches
+
+    # Key Derivation Func
+    kdf_params = Sequence()
+    kdf_params.setComponentByPosition(0, OctetString(entry_salt))
+    kdf_params.setComponentByPosition(1, Integer(iters))
+    kdf_params.setComponentByPosition(2, Integer(key_len))
+
+    # Add PRF OID (AlgorithmIdentifier)
+    # 1.2.840.113549.2.9 = hmacWithSHA256
+    alg_id_prf = Sequence()
+    alg_id_prf.setComponentByPosition(0, ObjectIdentifier((1, 2, 840, 113_549, 2, 9)))
+    # Parameters matches NULL usually or excluded? Let's check spec or assume explicit NULL is safe or omitted.
+    # ffpass logic checks len(pbkdf2_params) > 3. So we must add it as 4th element.
+    kdf_params.setComponentByPosition(3, alg_id_prf)
+
+    kdf = Sequence()
+    kdf.setComponentByPosition(0, ObjectIdentifier(OID_PBKDF2))
+    kdf.setComponentByPosition(1, kdf_params)
+
+    # Encryption Scheme
+    enc_scheme = Sequence()
+    enc_scheme.setComponentByPosition(0, ObjectIdentifier(OID_AES256_CBC))
+    enc_scheme.setComponentByPosition(1, OctetString(iv))
+
+    pbes2_seq = Sequence()
+    pbes2_seq.setComponentByPosition(0, kdf)
+    pbes2_seq.setComponentByPosition(1, enc_scheme)
+
+    alg_id = Sequence()
+    alg_id.setComponentByPosition(0, ObjectIdentifier(OID_PBES2))
+    alg_id.setComponentByPosition(1, pbes2_seq)
+
+    top = Sequence()
+    top.setComponentByPosition(0, alg_id)
+    top.setComponentByPosition(1, OctetString(ciphertext))
+
+    return der_encode(top)
+
+
+def test_plaintext_decryption(tmp_path):
+    print("Setting up test_plaintext_decryption...")
+    db_path = tmp_path / "key4.db"
+
+    if db_path.exists():
+        os.remove(db_path)
+
+    conn = sqlite3.connect(str(db_path))
+    c = conn.cursor()
+    c.execute("CREATE TABLE metadata (id TEXT, item1 BLOB, item2 BLOB)")
+    c.execute("CREATE TABLE nssPrivate (a11 BLOB, a102 BLOB)")
+
+    global_salt = os.urandom(20)
+    master_password = "test-plaintext"
+
+    entry_salt_check = os.urandom(20)
+    # Use PLAINTEXT here!
+    item2 = build_pbes2_sequence(
+        global_salt,
+        master_password,
+        entry_salt_check,
+        iters=1000,
+        plaintext=b"password-check",
+        hash_method="plaintext",
+    )
+
+    c.execute(
+        "INSERT INTO metadata (id, item1, item2) VALUES (?, ?, ?)",
+        ("password", global_salt, item2),
+    )
+
+    real_master_key = b"B" * 32
+    entry_salt_key = os.urandom(20)
+
+    a11 = build_pbes2_sequence(
+        global_salt,
+        master_password,
+        entry_salt_key,
+        iters=1000,
+        plaintext=real_master_key,
+        hash_method="plaintext",
+    )
+    a102 = b"\x00" * 16
+
+    c.execute("INSERT INTO nssPrivate (a11, a102) VALUES (?, ?)", (a11, a102))
+
+    conn.commit()
+    conn.close()
+
+    print(f"Database created at {db_path}")
+
+    print("Attempting to unlock (plaintext)...")
+    keys, returned_salt = ffpass.get_all_keys(tmp_path, master_password)
+
+    print(f"Unlocked! Found {len(keys)} keys.")
+    assert len(keys) == 1
+    assert keys[0] == real_master_key
+    assert returned_salt == global_salt
+    print("SUCCESS: Master key verified correctly with PLAINTEXT hashing.")
+
+
+def test_sha256_decryption(tmp_path):
+    import logging
+
+    logging.basicConfig(level=logging.DEBUG)
+    print("Setting up test_sha256_decryption...")
+    db_path = tmp_path / "key4.db"
+
+    conn = sqlite3.connect(str(db_path))
+    c = conn.cursor()
+    c.execute("CREATE TABLE metadata (id TEXT, item1 BLOB, item2 BLOB)")
+    c.execute("CREATE TABLE nssPrivate (a11 BLOB, a102 BLOB)")
+
+    global_salt = os.urandom(20)
+    master_password = "test-new-profile"
+
+    # 1. Create 'password' metadata entry
+    # item1 = global_salt
+    # item2 = encrypted "password-check" (padded to "password-check\x02\x02")
+
+    entry_salt_check = os.urandom(20)
+    # Use SHA256 here!
+    item2 = build_pbes2_sequence(
+        global_salt,
+        master_password,
+        entry_salt_check,
+        iters=1000,
+        plaintext=b"password-check",
+        hash_method="sha256",
+    )
+
+    c.execute(
+        "INSERT INTO metadata (id, item1, item2) VALUES (?, ?, ?)",
+        ("password", global_salt, item2),
+    )
+
+    # 2. Create a 'nssPrivate' master key entry
+    # The actual master key (random 32 bytes)
+    real_master_key = b"A" * 32
+    entry_salt_key = os.urandom(20)
+
+    # Encrypt the master key using the same derived key logic
+    a11 = build_pbes2_sequence(
+        global_salt,
+        master_password,
+        entry_salt_key,
+        iters=1000,
+        plaintext=real_master_key,
+        hash_method="sha256",
+    )
+    # a102 is just the ID/Name of the key (usually looks like magic bytes)
+    a102 = b"\x00" * 16
+
+    c.execute("INSERT INTO nssPrivate (a11, a102) VALUES (?, ?)", (a11, a102))
+
+    conn.commit()
+    conn.close()
+
+    print(f"Database created at {db_path}")
+
+    # Now run ffpass logic
+    print("Attempting to unlock...")
+    keys, returned_salt = ffpass.get_all_keys(tmp_path, master_password)
+
+    print(f"Unlocked! Found {len(keys)} keys.")
+    assert len(keys) == 1
+    assert keys[0] == real_master_key
+    assert returned_salt == global_salt
+    print("SUCCESS: Master key verified correctly with SHA256 hashing.")
-- 
2.52.0