author | J.C. Jones <jjones@mozilla.com> |
Mon, 23 Apr 2018 11:14:17 +0200 | |
changeset 415089 | ec5e5816593915cf9c4ce808b9006ae03457d24c |
parent 415025 | 4ac461885d8c424010d4e442e649d06acb9d2d60 |
child 415090 | 66e90ca48094d07306202a44fa397a53b1a63d54 |
push id | 33889 |
push user | aciure@mozilla.com |
push date | Tue, 24 Apr 2018 01:14:50 +0000 |
treeherder | mozilla-central@b35a1f66c452 [default view] [failures only] |
reviewers | keeler, franziskus |
bugs | 1441338, 879740, 1204543 |
milestone | 61.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/browser/base/content/test/general/browser_ssl_error_reports.js
+++ b/browser/base/content/test/general/browser_ssl_error_reports.js
@@ -26,17 +26,16 @@ registerCleanupFunction(() => {
 });
 add_task(async function test_send_report_neterror() {
 await testSendReportAutomatically(URL_BAD_CHAIN, "succeed", "neterror");
 await testSendReportAutomatically(URL_NO_CERT, "nocert", "neterror");
 await testSetAutomatic(URL_NO_CERT, "nocert", "neterror");
 });
-
 add_task(async function test_send_report_certerror() {
 await testSendReportAutomatically(URL_BAD_CERT, "badcert", "certerror");
 await testSetAutomatic(URL_BAD_CERT, "badcert", "certerror");
 });
 add_task(async function test_send_disabled() {
 Services.prefs.setBoolPref(PREF_REPORT_ENABLED, false);
 Services.prefs.setBoolPref(PREF_REPORT_AUTOMATIC, true);
@@ -154,21 +153,24 @@ function isErrorStatus(status) {
 // use the observer service to see when a report is sent
 function createReportResponseStatusPromise(expectedURI) {
 return new Promise(resolve => {
 let observer = (subject, topic, data) => {
 subject.QueryInterface(Ci.nsIHttpChannel);
 let requestURI = subject.URI.spec;
 if (requestURI == expectedURI) {
 Services.obs.removeObserver(observer, "http-on-examine-response");
+ console.log(subject.responseStatus);
+ console.log(subject.URI);
+ console.log(requestURI);
 resolve(subject.responseStatus);
 }
 };
 Services.obs.addObserver(observer, "http-on-examine-response");
 });
 }
 function checkErrorPage(browser, suffix) {
 return ContentTask.spawn(browser, { suffix }, async function(args) {
 let uri = content.document.documentURI;
- Assert.ok(uri.startsWith(`about:${args.suffix}`), "correct error page loaded");
+ Assert.ok(uri.startsWith(`about:${args.suffix}`), `correct error page loaded: ${args.suffix}`);
 });
 }
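Review bot: The three `console.log` calls added inside the `requestURI == expectedURI` branch of the observer read like leftover debugging and will print for every matching report in automation logs. `console.log(subject.URI)` also logs the URI object whose `.spec` is already held in `requestURI`, so the second and third lines duplicate each other. I would drop them, or keep a single line through the test harness logger, e.g. `info("report response " + subject.responseStatus + " for " + requestURI);`.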
--- a/browser/base/content/test/general/pinning_headers.sjs
+++ b/browser/base/content/test/general/pinning_headers.sjs
@@ -1,11 +1,11 @@
 const INVALIDPIN1 = "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\";";
 const INVALIDPIN2 = "pin-sha256=\"AAAAAAAAAAAAAAAAAAAAAAAAAj0e1Md7GkYYkVoZWmM=\";";
-const VALIDPIN = "pin-sha256=\"hXweb81C3HnmM2Ai1dnUzFba40UJMhuu8qZmvN/6WWc=\";";
+const VALIDPIN = "pin-sha256=\"VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=\";";
 function handleRequest(request, response) {
 // avoid confusing cache behaviors
 response.setHeader("Cache-Control", "no-cache", false);
 response.setHeader("Content-Type", "text/plain; charset=utf-8", false);
 switch (request.queryString) {
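Review bot: VALIDPIN changes to a new opaque base64 value, and nothing next to the constant says which key it hashes or how to recompute it. The README hunk in this same commit ties the pin to the dynamicPinningGood keyspec and gives the certutil/openssl pipeline, so a one-line pointer above the constant would keep the two in step: `// SPKI SHA-256 of the dynamicPinningGood test cert; see build/pgo/certs/README to regenerate.` handleRequest's body continues past the end of the hunk.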
--- a/browser/base/content/test/general/ssl_error_reports.sjs
+++ b/browser/base/content/test/general/ssl_error_reports.sjs
@@ -1,11 +1,11 @@ const EXPECTED_CHAIN = [ - "MIIDCjCCAfKgAwIBAgIENUiGYDANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtBbHRlcm5hdGUgVHJ1c3RlZCBBdXRob3JpdHkwHhcNMTQxMDAxMjExNDE5WhcNMjQxMDAxMjExNDE5WjAxMS8wLQYDVQQDEyZpbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALxYrge8C4eVfTb6/lJ4k/+/4J6wlnWpp5Szxy1MHhsLB+LJh/HRHqkO/tsigT204kTeU3dxuAfQHz0g+Td8dr6KICLLNVFUPw+XjhBV4AtxV8wcprs6EmdBhJgAjkFB4M76BL7/Ow0NfH012WNESn8TTbsp3isgkmrXjTZhWR33vIL1eDNimykp/Os/+JO+x9KVfdCtDCrPwO9Yusial5JiaW7qemRtVuUDL87NSJ7xokPEOSc9luv/fBamZ3rgqf3K6epqg+0o3nNCCcNFnfLW52G0t69+dIjr39WISHnqqZj3Sb7JPU6OmxTd13ByoLkoM3ZUQ2Lpas+RJvQyGXkCAwEAAaM1MDMwMQYDVR0RBCowKIImaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAAmzXfeoOS59FkNABRonFPRyFl7BoGpVJENUteFfTa2pdAhGYdo19Y4uILTTj+vtDAa5yryb5Uvd+YuJnExosbMMkzCrmZ9+VJCJdqUTb+idwk9/sgPl2gtGeRmefB0hXSUFHc/p1CDufSpYOmj9NCUZD2JEsybgJQNulkfAsVnS3lzDcxAwcO+RC/1uJDSiUtcBpWS4FW58liuDYE7PD67kLJHZPVUV2WCMuIl4VM2tKPtvShz1JkZ5UytOLs6jPfviNAk/ftXczaE2/RJgM2MnDX9nGzOxG6ONcVNCljL8avhFBCosutE6i5LYSZR6V14YY/xOn15WDSuWdnIsJCo=", - 
"MIIC2jCCAcKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtBbHRlcm5hdGUgVHJ1c3RlZCBBdXRob3JpdHkwHhcNMTQwOTI1MjEyMTU0WhcNMjQwOTI1MjEyMTU0WjAmMSQwIgYDVQQDExtBbHRlcm5hdGUgVHJ1c3RlZCBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBT+BwAhO52IWgSIdZZifU9LHOs3IR/+8DCC0WP5d/OuyKlZ6Rqd0tsd3i7durhQyjHSbLf2lJStcnFjcVEbEnNI76RuvlN8xLLn5eV+2Ayr4cZYKztudwRmw+DV/iYAiMSy0hs7m3ssfX7qpoi1aNRjUanwU0VTCPQhF1bEKAC2du+C5Z8e92zN5t87w7bYr7lt+m8197XliXEu+0s9RgnGwGaZ296BIRz6NOoJYTa43n06LU1I1+Z4d6lPdzUFrSR0GBaMhUSurUBtOin3yWiMhg1VHX/KwqGc4als5GyCVXy8HGrA/0zQPOhetxrlhEVAdK/xBt7CZvByj1Rcc7AgMBAAGjEzARMA8GA1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBAJq/hogSRqzPWTwX4wTn/DVSNdWwFLv53qep9YrSMJ8ZsfbfK9Es4VP4dBLRQAVMJ0Z5mW1I6d/n0KayTanuUBvemYdxPi/qQNSs8UJcllqdhqWzmzAg6a0LxrMnEeKzPBPD6q8PwQ7tYP+B4sBN9tnnsnyPgti9ZiNZn5FwXZliHXseQ7FE9/SqHlLw5LXW3YtKjuti6RmuV6fq3j+D4oeC5vb1mKgIyoTqGN6ze57v8RHi+pQ8Q+kmoUn/L3Z2YmFe4SKN/4WoyXr8TdejpThGOCGCAd3565s5gOx5QfSQX11P8NZKO8hcN0tme3VzmGpHK0Z/6MTmdpNaTwQ6odk=" + "MIIDHjCCAgagAwIBAgIUf1y0AgcMQaVC6jwUyh6Ixiij2hYwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UEAwwbQWx0ZXJuYXRlIFRydXN0ZWQgQXV0aG9yaXR5MCIYDzIwMTYxMTI3MDAwMDAwWhgPMjAxOTAyMDUwMDAwMDBaMDExLzAtBgNVBAMMJmluY2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABozUwMzAxBgNVHREEKjAogiZpbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAXn+yS5JdGRm8dqTCG7hUWrlgHL/85FhSTYQ4wt+m90/mb8ARr+XIZtP9GdTloHfZYepc9dRDT9E8wOC7f/nOAQWzyzLqRHrldYNpMAmQIqBmh1tJ/91aKhqbc+lvm1gAOTF5bh5wpEOJBczH0AqDkXP1rX27DI3PyCMT1lqHvFTjVXVOwiZHSOSWRsI89IqAo8Dlfs+y733bJ6/rAmnTK85IHu3Fod7nHviWXkWVDdrbsblvQ6fjMFKS0mj6Vip10++/PwX9rhXyB1seGI+0uXqZ65t3xD
ZR+yvPtxhc7tbwPdyiUTbVjh43vPHHMCyuK1HqmPrMbAlxZBX3EqkBHQ==", + "MIIC+zCCAeOgAwIBAgIUb/+pohOlRCuQgMy2GJLCUQq+HeMwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UEAwwbQWx0ZXJuYXRlIFRydXN0ZWQgQXV0aG9yaXR5MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMCYxJDAiBgNVBAMMG0FsdGVybmF0ZSBUcnVzdGVkIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAS+qy/sIFV+oia7zsyFhe3Xj3ZHSvmqJ4mxIg5KOPVP2NvDaxD/+pysxGLf69QDRjIsePBdRJz0zZoVl9pSXIn1Kpk0sjzKX2bJtAomog+ZnAZUxtLzoXy/aqaheWm8cRJ8qFOJtSMDRrLISqBXCQLOECqXIxf3Nt3S+Riu2Pam3YymFdtmqUJvLhhekWtEEnXyh/xfAsoUgS3SQ27c4dCYR7XGnFsaXrKXv93QeJmtfvrAZMXEuKaBGPSNHV6QH0S0Loh9Jed2Zp7GxnFtIPYeJ2Q5qtxa8KD/tgGFpAD74eMBdgQ4SxbA/YqqXIt1lLNcr7wm0cPRpP0vIY3hk8k=" ]; const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = -16384; function parseReport(request) { // read the report from the request let inputStream = Components.classes["@mozilla.org/scriptableinputstream;1"].createInstance(Components.interfaces.nsIScriptableInputStream); inputStream.init(request.bodyInputStream, 0x01, 0004, 0);
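Review bot: EXPECTED_CHAIN hard-codes the full base64 DER of two generated certificates, and the README added in this commit documents only the pinning_headers.sjs dependency, not this one. The second entry matches the new build/pgo/certs/alternateroot.ca, and the first appears to be a leaf for include-subdomains.pinning.example.com whose validity bytes decode to 2016-11-27 through 2019-02-05, so the literal will presumably need replacing whenever that leaf is regenerated with a different window. A comment above the array would make that visible, e.g. `// Base64 DER of the pinning test leaf and alternateroot.ca from build/pgo/certs; update when those certs are regenerated.` parseReport continues beyond the hunk.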
--- a/build/pgo/certs/README
+++ b/build/pgo/certs/README
@@ -1,16 +1,31 @@
-The certificate authority and server certificates here are generated by $topsrcdir/build/pgo/genpgocert.py.
+The certificate authority and server certificates here are generated by
+$topsrcdir/build/pgo/genpgocert.py.
+
+You can regenerate the certificates by running: ./mach python
+build/pgo/genpgocert.py
+
+To add a new CA, add a ${cert_name}.ca.keyspec as well as a corresponding
+${cert_name}.certspec to this folder.
-You can generate a new CA cert by running:
-./mach python build/pgo/genpgocert.py --gen-ca
+To add new server certificates, add a ${cert_name}.certspec file to this folder.
+If it needs a non-default private key, add a corresponding
+${cert_name}.server.keyspec.
-You can generate new server certificates by running:
-./mach python build/pgo/genpgocert.py --gen-server
+For new client certificates, add a ${cert_name}.client.keyspec and corresponding
+${cert_name}.certspec.
+
+The naming convention here is because the generated ".client" and ".ca" PEM
+files need to be copied into this folder for Mochitests' runtests.py to import.
 These commands will modify cert9.db and key4.db. The changes to these should be committed.
-WARNING: These commands do not recreate all necessary certificates; some are
-mentioned only on their tests. Before completely replacing these DBs, you should
-be careful that you include all the correct certificates. Or fix genpgocert.py
-to create the correct certs. See bug 1441338.
+Specific notes for certs:
+ dynamicPinningGood: Changing this keyspec will require changing
+ browser/base/content/test/general/pinning_headers.sjs . You can obtain a new
+ valid pin via:
+
+ certutil -L -d . -n dynamicPinningGood -r | openssl x509 -inform der -pubkey \
+ -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary \
+ | openssl enc -base64
--- a/build/pgo/certs/alternateroot.ca
+++ b/build/pgo/certs/alternateroot.ca
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC2jCCAcKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDExtBbHRl -cm5hdGUgVHJ1c3RlZCBBdXRob3JpdHkwHhcNMTQwOTI1MjEyMTU0WhcNMjQwOTI1 -MjEyMTU0WjAmMSQwIgYDVQQDExtBbHRlcm5hdGUgVHJ1c3RlZCBBdXRob3JpdHkw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBT+BwAhO52IWgSIdZZifU -9LHOs3IR/+8DCC0WP5d/OuyKlZ6Rqd0tsd3i7durhQyjHSbLf2lJStcnFjcVEbEn -NI76RuvlN8xLLn5eV+2Ayr4cZYKztudwRmw+DV/iYAiMSy0hs7m3ssfX7qpoi1aN -RjUanwU0VTCPQhF1bEKAC2du+C5Z8e92zN5t87w7bYr7lt+m8197XliXEu+0s9Rg -nGwGaZ296BIRz6NOoJYTa43n06LU1I1+Z4d6lPdzUFrSR0GBaMhUSurUBtOin3yW -iMhg1VHX/KwqGc4als5GyCVXy8HGrA/0zQPOhetxrlhEVAdK/xBt7CZvByj1Rcc7 -AgMBAAGjEzARMA8GA1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBAJq/ -hogSRqzPWTwX4wTn/DVSNdWwFLv53qep9YrSMJ8ZsfbfK9Es4VP4dBLRQAVMJ0Z5 -mW1I6d/n0KayTanuUBvemYdxPi/qQNSs8UJcllqdhqWzmzAg6a0LxrMnEeKzPBPD -6q8PwQ7tYP+B4sBN9tnnsnyPgti9ZiNZn5FwXZliHXseQ7FE9/SqHlLw5LXW3YtK -juti6RmuV6fq3j+D4oeC5vb1mKgIyoTqGN6ze57v8RHi+pQ8Q+kmoUn/L3Z2YmFe -4SKN/4WoyXr8TdejpThGOCGCAd3565s5gOx5QfSQX11P8NZKO8hcN0tme3VzmGpH -K0Z/6MTmdpNaTwQ6odk= +MIIC+zCCAeOgAwIBAgIUb/+pohOlRCuQgMy2GJLCUQq+HeMwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbQWx0ZXJuYXRlIFRydXN0ZWQgQXV0aG9yaXR5MCIYDzIw +MTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMCYxJDAiBgNVBAMMG0FsdGVy +bmF0ZSBUcnVzdGVkIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSj +s8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMT +ud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvF +o+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UT +H5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4 +xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwG +A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAS+qy/sIFV+oia7zsyFhe3X +j3ZHSvmqJ4mxIg5KOPVP2NvDaxD/+pysxGLf69QDRjIsePBdRJz0zZoVl9pSXIn1 +Kpk0sjzKX2bJtAomog+ZnAZUxtLzoXy/aqaheWm8cRJ8qFOJtSMDRrLISqBXCQLO +ECqXIxf3Nt3S+Riu2Pam3YymFdtmqUJvLhhekWtEEnXyh/xfAsoUgS3SQ27c4dCY 
+R7XGnFsaXrKXv93QeJmtfvrAZMXEuKaBGPSNHV6QH0S0Loh9Jed2Zp7GxnFtIPYe +J2Q5qtxa8KD/tgGFpAD74eMBdgQ4SxbA/YqqXIt1lLNcr7wm0cPRpP0vIY3hk8k= -----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/alternateroot.ca.keyspec
@@ -0,0 +1,1 @@
+alternate
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/alternateroot.certspec
@@ -0,0 +1,7 @@
+issuer:Alternate Trusted Authority
+subject:Alternate Trusted Authority
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+issuerKey:alternate
+subjectKey:alternate
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/bug413909cert.certspec
@@ -0,0 +1,3 @@
+subject:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
index 023644e48df7b605e69d62ce8645184a27ed80f4..dff0b7ef1e7c815d0568d95ad919ebe7b449df1a GIT binary patch literal 229376 zc%1Fs2S5|c+A!dR(0lJC^bVT<0Th%f#Rejxh(bsL1VVx-6oG`IASl=?D0b|M6)Ot% z-h1zgy%)qkn?w<XbM)M+od16Bqgf_9GrK#pyYEhtB}7H`p>t{YBo;fJ%*DH53NTnK z#t)CjU@-2&ha9GjjPN1-&2uc~@3~`K@H15e?=Z3>TQPYGf<3u=a|?3)giinf00000 z00000000000000000000000000000000000000000000000000000000000000000 z000000000000000000000KmVHpRBB&o*8xsok^u-Q_{$EDwD&B;3YEX6uH0w!Ttk- z@nQXff(PS8dHDYQ@L%)sc4PuVwC^D!T0*pF2@G-~jq$aFY`Z0h^1fe!n|+Y9te%k> zc9^I>hnJX2qj0~LkZHFBN$!tZL9qA7$?6$=X$PId;nCP%i%7Ryh&c26Wq1+nOTDpj zdS+(WN`EdnkwN>K`!yjYS<XQJfIh+B))sb5#DK8A{sV^Kdj}7}NB0Yhj1ETE5ZJ$8 zuRdXc1M&U={Ra$m!jlo<gCKkmg%3A0Et-MOA)vFo(5GJLQ!mj|w1}5GI`Kd!By{45 zPQ1{GH##AslSJXfTeK)dJQXbwA&REr^|*_s9-=8pH1!lsy+l)Q(UdHjCW@vM(T0gP zPrQAiG*O%uEtx1<GEuZ-qG-uP(UOUxB@;zUb`#Zd6V-AP)p8Tnaud}eiE>GzT#_i4 zB+4a;b4AM}iI(XpD(NMjih5AgQX(Qwqjia*t#wC)h@wrFBt?BKD(xmJ?ItSij)+T( z3ySBsiKgzNsfTEauG?L-R(H`_-9`JwLsZv8RM!I$&q3=_XdZ6vZXSfTB(W{|O#%0| zq(@tl)Ry#YOL~1xlG>_~+NzP-s*&2Nk-k(TwQUZmZF5L%n?q{b98%lnklHqf)V4XK zw#^YHz1x!Hwq#;klG2u>wk2t8$)vAI(SaaNCbn%(BDy(L4>Cec6!o|lBGT5sB++q8 z^tLBR$?650VKL$$GJ-+p(&EWHE=%-0{_Ck4PxzX|34@<J8Ua;=4_kFtOm4tPDc*i= z6>A$aFL@YkSwd_4ju_q`k4RdCbswGHhP_4y2m9ywP4XGneX6I5#}PsjlI9rcpkaO7 z>J0v<*=?g3Lp@!hPN>#Yjhn*70RR91000000O0>$#fWXTw6?0M=Jy%en(i1?;Xe#U zRhX+eN*VKA5mm|KA5-!%Xc7L9!eSO-V$m7GACtr9oX}TMUOF}He68y0X}5hNWlmv* z&^+P)4Pj+*voY!w8uQ-QlrFt>V$r2xA09m)b1|lYs+BU{={DQxv-$+DU0kUH-5f%E zx7(#Y?s@qX<yfq}b{2N~dHr+bq3=D?&Yarsmbz@5!U$5iY}1h-^5!0q0sZuXwz@1k zox0rXs6mSPG_%qX;kp!hPlZh5Ykkw^SwB3wZ-=dl*ZAxj#<lEKgrLWEyNBo4dr@lV zJA}?qBrQ~BpUF9}+4|bMeUnM9pHimR?&9?sKK(#))59x<tIFpeKI&eMrPr(4%|EAX zI8B-57VkW_s*2h(wqZ-y{bfrFA0*t&FAY_?5`ATg-Ut1Nnyt}&jukHS=8s*XS?<35 zMK*0$*&R;*we~VtjPPGEV$)^2j97C1`(2ioyRFBlY1YrS)e4+@rQAsISiZ*bn_aeL zOyrWFO5L;mpO_oR$dc53eY7q-yzLRb{?Y4{7=~5uu6@=^uAevCURNz!#WXB=k#=)+ zEH5pUIzoQrqS)Ht(znKEtg5B>M*>?+>BqhB_LG<6o5F5i+T5oxjiLHjr%3HNe<j_p z?vzxwu@3%EYBR2@sZ@MQQgU2lHECh~<}u`)33V|Od{1`YbG<&)Y>DToF@aBQb<am{ 
zN{U^^mzv<(Emyrj*6Oe^WBSTz<e{5xPSf1UBP>v!cxC;;w=FA8tWPOC-K?itn{s1a zuB!!$ertXCRI<qvo3qxlmrs=MM>=F|CGFIpJJ$8i^YJtF2=(h)!z@3rBX<+d;8tAJ zSM+#XA=zctUAD_yySabA%Sg#J+Z*rWT3#0#V4qZ$TVF0zN%&@$?c(hnkfczPCGU_t z@p*k_lOXPn*BVCn5sSJ*r&)_*FFIWD-`^NkzI(yCU2n8YUm4NM{I?e@GWOAw3fePj z;qFj3nLAqJu(HSGcg!lWP1tgG{{5FM%RLv0wKiW{?O7ar@o41fvzJdUKIF4cw)qH> z@o2{3+lq@Op0ke?jM%dyiEiTP+`2z3Xo%9D1rNhMO|Cl^<rlBV$(%X0B*{8t`r`n) z{1|zS06cw0d0^}9ad%4#uUKqcTz#^br)4(TQFGkQk`MXT#<C74`OkEpmmWFOuh`L} zezF>O%Y<cP_mPvW9O^!$Cu*zc@7`IzcYG6fR17iv+|`o1(XJ+@1|}oSQ%-Fa?XtpT ztE{iPtee-bb^5REF>N7HEq5o;9&_qpeKaaCO0+u=9fB63A&ZNa#wjaCGt-!?EG9nC zUrJjhJVxc{(IB$d6_qiwn8P0JPdJ%?6;_LsJfhGC#v?{MvT*XVt8T9-t4U++<R7V5 zn0rzM+jw=|9dk~6>YdU%w6ZkOQgm>dV#cOowA(c`!u`M8)b9wJY9;(3Jo0!<E}O^U z(x^z0R5Mb9JvA36g_Y{KnTU$4f<sAY$y*gHR!IiaNf#j&`f5akKq3%`p5iy!V?{H( z5hCItnStO5riih)s?OI<aG_<B(=!+}7YZv~xG5Ijt`94N!4+ZEFv9tYQbocI|GysJ zq;SHMWq}o9f#8MxXrdu)fan!<(wFV`8xHNhLA=X{j}wS`bGOX%_05}8_UX{^IvM2! z2QE)sP!Q}f9jmOE+OWO0Wct0gYd=QIY_?KWoiY2i((@|=mL93Daaz_#heWCi4?6XL z>aa04b$swgSFag0R=EzL)+Zh0EUVYbE_~L<T0^y^=f&&ne&<^Co{k*jJ7<XPJ<{S{ z(?*xL&b92f=^FFGj#anRVy*=pYKXQxA|T&;)S|MgSMYV^VK-Zk46*Oi19PL739?SZ zX?SJ72H!^n!$yyrcamdXPZ%C@m-kpLdG3Xf<Q%n|J=ABA(r@6YPP1qxPiof;K9RVz zXXa<y$HS7cXNNS?PH1nZKJcGO(6z^|_Z?!qmw5)Wy;o~b^ep(LbNufQ*$ywrMZOko zSD-@bAB|`B5m(#dSt`K}u@P;)mf1jBdIpP4X6N7oX>2Y%iB2JNX?TAgH-*Kfb8`s# zh%Q=EQA@2aYb2e)AmazpI9xh2nIJsg&>ST#qX;%DiO!(mLwIy5jf(G|!KJ6uN0Pa8 z7E?;wS`b(Bd334N@{7IWjNYg9;tiMH`D2hYE;&D4UOqLy*>wVM^#*m>+L@`%)#@g# zW1>AHUfuW8pJvq(Ri<d3gZ7^Tra~U0-M$0Ee|MC$kGO&nMM+KynGjE7QiTt$u!E2y zTsL97w2;Kgj#~TeIVU5Gm4C4Ne<}c*5R4E5@zJb_wvI-F==;mj*BmiJOvKSw7tt>2 zs3Y4S2BOfr#A}UCz?y^hKHgQtcsj=>()z<PnY9zB4QURKKWxk%JxX`D-HF%Sl9%4@ z4bxs3Y7>oD`i)m?o?faKY?neDaSV})sNL(wV-GDsd;;ya?r2)6#ARKUUcIug_xfU% z-|njsmjX5J$!QFINPVOGw0QhjyCEy2`uER#t*4t<aCqygb*nC9Y|tF{V0*R2v4t6L zhCQ62vg5^)gd3^ku!$x1vi&YR%RN-J|ILl`_1m&zInm?ds@E&-z2Arlx3XOEdccF? z4f*S)Ec&=P%DBYh;5fgj7AN0@`E7ZVtcIK(B3EX6YN^qEuf7W|Gz8dW_NSVS$eF)! 
zlY(-J+NqqOn@_}Fp0qU^J+-<%9R1B1&|xqyOvZQB*wn_O@bAZ_wAzHo+J)hxo^!Jk z_dd|Sx{>4a_Q$Y0>8kt@k2O_q(+?~vYDs)I#mU%fSi${-o!EZ1773MV0@K48=f+5z zi7s12%s9pG#-<6sJL=ka6kytqP08r(7a4T6Xq5U<7=&&~B5y|x{-seWksy408zjG- zf!Gmj5G!$2ldl`&EZG!@m%kh@oe&4aP8=_Vp|j|3`m}>lE3xr4*Ul+GcpCS2WR;KY zdn0;FOSjF3_1=+pI8GjE|8(T_08ftyZ?{dAhkFysLum!KU!CgR?S<Ust7~fa(B5LU zxs?(QvR@S1FL!I`KF1Gxi`!bIvOJ#`z)sySV>*5reZReqnj!ag7IVLXsnYW;I#0@$ zy}EY6daK&oly$zlCO;i;%uy>Tal0Q*VPHjn1;;z;4I>ZNJiF~F^I}(!%#qs-L2mT{ zl;cewPUY;c`<OU(xck{_m<4Y}HD8mBa+^6o_k@qS!=@?Ko{W&U6j#co$_cNhVS76+ zn=$P6j;3P0!v+)eYZ|qiWaL!_t?x5Q@5SKhwZ!Yv3uBCJ4DW{Rou9H0JwJZw?Em>g zxZ{AAZQ2&_;{IsBvkV^B7VvDoM0%XEkw1e=V>8h!#6WRt+O8B*+Jd<CQgX`vivk|{ zXdg5kv)69HMcp4G;H&)PW3f|-*K)7Dd_epp=ehB|i_Dvsv#KIydtSF{I=vsSJNovR z9wwp)=!6*;fzfW)cJ}X%fR@2yG2(G2S9k@ZM9`T`;ngmHEDV1*Q(*{{m4v^JTKj$Y z`^m2RsX-%w;EFhlmt{j|QW!ic&6&eXq_Wb<bSB3oL%f~86d3=nzvm?mj2?&^LJ$W= zVT3ID+0N}CLJk+K?LBFjfx))Sg^fn_17kNQ7&o-s9z3A$D6htAi{JLY%i5{2`p*8O zQ=be@-<g|rf&4J;_36O=Cwz8Z-zs>26f3jt5b<Hq$UD4ZI-)SaVs29D(6G-}VjT>t zI1gA=gE8KO9Hwc;!oV__!~2da7Ek27UYWmDx#HM<ORcl9rP~JHistoev<V5lJ*`)x z&#Ur+1v~HXkF9;0f5~=rvlRW5<Izyl$9v{oy=VGv+VJ41Di<%+ZDs}5-a-aUI+^le zkOS}3(}tchpH}I-kQ-{MKYsn@ku#gCvUZaqKRO=Uq#yU>>@(lX^CL-TDos7NJ>Q2o zt#XWfIOD@%hQbJ{&Rfl;SQGU8`Om_|KRC)ed|$W7*SO1G`Qyo5^~yicl)k%X8Bry* zXZQGUm4O^J!aCm$Uin{`7e;@WrC4!#r`3yfiPtvx9p+5#y|bS8sj+qC=+?r)Nj_!e zdPXDB{?o-&8h-!EzmWR7Lol8!dFh{#%%YHmakp3)che+sx1&aWA9w%!3w}iSpYToW z_V{+jAKe}p4gbt&*aR^`l+d8BCM_*Iu4EBq^of?V41&XAKX(+|^>y>^S54`+RsF;j zazyIokag1+&T(;xtRp;}oR|0L^4cLmc}}h~8qX-2e8_(_ck}1d)2KP7D;b|$ZW8UP z@6r$6SUk1SiPO6zYl~_V=ic5YzB=AJqwHzEFY^XEehR+TKVh_L_>{*jcB(fHnNW|C zERVMIPLnGhX1Lt;)sWMe@fTiH95q)}*zocgfpG1j@ws*WF*on8f6lS5S<2DEtvX+^ z@u>Mur=F30x*N`Rb~v|Dp?R<Mwp%`&x1Z+?Je+kj_3VIJ4V!Ipnti(Eto4kpzrAwb z*bf!4&l>P<(aKFdNfTpDj%=t5^H}aUs!!V86%o_z%w)5rh_d+wK_#z-9x`espl4>+ zhqFJq1)Yq_4ZCVoZjurD4@Tu7H);l$kx#@G+ud=F;0^H%NZG9a<3-`j>p{U2H@kf( z^e|dIWI%t{$^g$qONU3fQ{scBhHY6|{Cr=F{uru(=<Q$^Oa<n<QF)=_@4hCOWQ1Tu 
z*92+~lbrtDxSS-sKA1|b4;{7lcaF<_3EdHI@v?}CWU5Q&qZVh$ro$Nhm&fS-NKeF9 zJVqxW?nVEkqdN%cOF{>p)#>IGR2eXD%B}S5Ar|AQrP<9N++u6y%sYR57Hxn3n`9}) z&HEc)K7AY+XLh6c?8u>>`u%Wn&q@=QOsWm(pTwcrEm_Ho&pAKiQ$DSi`-HgBBgaNe z^*q02`>J=biMLuNHmWZ2T~beZS|2ELA?5b;3GZX`{I7H$u<*&27f&XAEbneCAdY#k zK{mQ&K+Z&Lrov3#xqVwdG|aqiTI*z0bnJ6zUC%)i9)%d_KI&d}@aeE-#oV{2E~Qp4 z%eXy(u5M^CYrrj~#bZ|Yet4DJ-JsX-w3Q2R341Pha_Q=yI3pGY#GGfD4(%&_@dI&$ z+=dg8QLV$5&Wq0~)tKTRGEwmQQv-Tp{bzyXKRo(78N2Iu+1TB%Lbi*>?#?|FhjD9} zCl@U?n!PY=V#(FQq!mAgX<c>cBMH2>8#W}a318N{o1CAp@HXR4eAQCY4EyW#N(bhw zkLXh-qbCZ}hL{TF@5k<aes`EQtdPNo!t~eojB!4~;A|xc&K<S#-!XXi_%^_!Ge}<o zyeYvLF%%!-TJZMsKOJyeAb7-79KrPvouUqVvV#!q%4#J!Ud&bA;<-@K?7iRHCq0za z@P}`nzW-QhSA5p8mgl~fINvh2CfCZ9@pBC>`piw4w$E+}6LY9&W5s=sI>wu4^D?*5 z!-&%C0VgqjmQPM6&U}4v)HM=^=~{c!KK%qmZ_WGxy&l^?JpQT0HiI!c^_g<<l%S*@ zXPwT<GZM<_m0@xVn$PA{zBy(=&aKjzB9s0);a(UyrDp8hdj}Q!8^0S|TpxXpa$yH9 za3gJTxM^BgNFX=dWbybli*E^ZK8#P^7aVcsGrM8*p{e^bv!1V5(K63wVrX3JnI8T@ zP2K1FVO!%7>6K)Y>%9iWq}b(*WMy44aGa%=Gr?)qr%TD}@1ZAE*9W4%I|n)*DRXt( zM#=;KXc*UHmbQg)3xfE_6K=a6hsH>9=FpRw?YCb_yLSdf|B*%DB!@YcCBwTX6Q;1n zv40G|^p+W;RwvE6GuT&iPf?lAxGbE_nK<e7mNE-{A01ecdU%tS#_KUS9ns|rj~OQn zzwO#R@OMXFJ!T0;{NA;&o#JK+gKvv46y25t;Evk)eE|N64*RK*@y{#=g6Gc!Pa8yh z@(P2e5n@o(X>WEAKto+7e15P=`Cvk6T{3%?sjh|<@4=189n;1(U!v~W8?5WiF6Fe| z!!NA%n3JJptiR3jJ-IPhImOiI;q~g}CDZMOR$N>0vSdkU`isXy3qSXsQ?hv2^-Kr< z{6K<(vboU=>nM-L7H9SW)hnj{ca|o|HVvlV-YI|cTqSMV@Q0P}?@H^>sCu&4ZR!DA zR{Ex9-nxn#J&CheQg=v`6)004nHu@UHBLM*t6v|D2UC|SJ<wX{>^Lt@{&Hpa>F3kb zlB$=u6iI)w>%9e8u9)DxcbZD^`1Jl`v~L*hf9fCim`0@Pb&oT%%~~8|cmAWYLhXyi zueR?Et-MdFzOcnjI<_WPX&(6~dS3kV5b!fKJGomyyQ}V2(5{&D_jfDwCaix<=3-(O z^?$^7a>wd63+8kX@AB#``$)IAc@40Brla;?+y~CRbq@+#-{kl68G4Vfzxh0F-$t|2 zURsiPH@4SzcPn)J-SJMlVj@Ozw}Pl?@#wq7QWu2LW7n5>*Figf=_ZB0eq*<jsu0zF z&wH>5$?_En4K$;$QG@E=Ziv*@Woc`r4L2mNNVJSPsj)XN@7l}xQyXG&hrG^u1u;K8 z_Y^#rW0qH+?TzixwDv|+(XeZ8$SLoZEW5k*<caIkNQd`CjU02LsanpGSm4-w(W4-f zZoP-*SH1ptfH_`!>B6Ah4EITg2YTM|SzG>Wc|(<}V&U5XTLnkV$K5+(f5A7ha!~8b 
zZifteDA48>E5ClGx@V%(vH-{UbwxXzE+ib!-*j<U_q@KP6^zHTPxpE{S7+_)Ig3Nf zQq>P*W!@HJolehZ9GY_=>&%$rX?ItS*I9K>ur~7JLrl!4SIeERxv0%rZ5Z2JC|EfA z+>_(Y)d6NPYq6=a=t2KWr*tQUJGom{v&&w0Ypl4`MX$RJ_6s&LKJPxe_`usc-3Kan z=f1`j{}>46Lnk&pBi3hkJ2fV`6vJ&@;!T&{vO=5M^l|W+y~m&Fvg%qI%QQ8<ygjP^ z{p;?2zdI6Ythk8za<?qegVg?h*&f26Xd?-T9ksXXUxEMiK+=pL3>D&oSX<maxMTJo z#9K?m95EA*B87XcsN=5eAnK0$e5s!fC1Nal2us(0e@T9~t#rX?q<U;!bCY>Pvi96< zPeWy2)U_D*-Zv(8QT*K<5zG39A9mcl<9XxNbvBFMvX54JPFdaDbH=t|>v}%&J~sBk zh0E0`9P5PT4_BlPF`l%bU(fgN<d<(ud;LnWCBR~R*7%p73y9}?743SmsL=DpkZAq& z38Uv!n4UTGC{b^1`KpXTwTEcW-Tf*Oj2BxL;Qg9zj<~zZ>*$i)VM{-5D_uD{Y+$K< zfrh5r`1PhAHgB5IqgR0awhhi<4t7;H6OAXoZ^d}b*OXF92|FOgd$5$9slDlm#b(C% zr*|iL*4&b=s$0UajXQE)ev|#2s(Y($4$_%53_ZcRJ}CX|S<uPHRq9>!ag}PR+dufY ziuHNve62-6juQ$FZ`7aE7^%3!<kpYz*rzgK7x~bxRW0eobKf80Jhz)X&*U{e%Yf%q z-Zan0J>w46c<UGyHPQ9VMsyo(ySB&u?r^MHO2ml5G5Jed*(?_KyBlabYU+RXN!4Eu zR)2O`@R8Kdd?fYjqgUx2%UvJgqxth~wjMn^di3LS<1<6T-!HQ*tFurI_j=v`{H3Ne z_0J!wSL{x_)_fY*i|Ca7Y*<kBt0S{?re7QoSN7Urru$l-gYiiR)+^e~SDRTaJ8<vG zm-F%(QWww5p>G?ZnYSdWY=b4P*V_Hzb7K^wj;cFMx72$}x^nWp{;KnD7GD{+Sm#pG z(g2o={_u%uL7Kc5r7iJN2ek{GPX;nC-#9)aWW(O-p@zfPPH(t!JbUI!{)e5^J-h1{ z7wW&NFd06<ENH#Un0)JdnMrf@?j4bie`9J(^<H*4_SxLe8?mDoVm{uuh0T=q>aDx; zQ~9#EvAikk;#P07Ini`t;U`z~iW`#;pl8N^76^W}b|;@Jsdm};R;i|E7maVp&#!vy z?0c+~ZrWp+W~Skbx||ZTALD8Lc1)J-@<zQ6TaaUdKIK#99K1DFOSxY>`;ni0VOlrN z1cyL;SznbLaXhV{em}m={@nppsip@;6i^d+$?gO<Z^WA->@VTiHbodzBP0Q}qqhFr z$F}b1Z#;;PX#1~ibIE2pJEvrmQxj8Y$wcx<H!?#sD>a+U$e=PZV8HuR170tLgt&_b zyv~SY(J%CG2hn@<bKbFj6K75O=&88r@JHpbmhz`ndv~jB3isI7s%jQ8<lV`H{OokW zs^uY}$+#HX`f<9Ka@I@?-koml>T#%lo=yI!=o5hl11>)}d2Qc|XFK$q$6l5<DYtpH zbeK|(gUhPLNv7Q_<NDkUwH~x*!%=e7(Cu?=6C##ZzL-6bRlUfMW^LeYDcG8SWQb{V zMp}TwOqqPgb0_Amz?$yBDxSKuFx~!TsY$kBwARfPd0FNfjT5iU*Y#XA`kj@)ZF7vk z$9&T6`Che24^(^d<n;|xPd%LyK4$g%(D)4>*J$-Iabm5Us<$%z%B?&5e0%F}u`4L7 zAF;r3LS>b5?e&@G_Lv`@{9w^&^fc`H(Dl#GmrmaAQ0}tpfjn2gi>?PDhIi}Jsi($M zG(A=)sg<cIXsCq#cs&@Cw5G77?~PJ&DWSSLHR9Y_0f{y2L&l-^{adGA*EpkGe%5uy 
zgkDNH;;&Gs{^1^BpWl5wkmu@QzT6_rp|LY*Y@|pIhZM;)f4L2;gLeMguLZgUZA4Ri zY%9Ur8^0Rui*Qec<AG-3<DNL?7vZi7pIj{Zwl9k`xWe5=aQR^tvE8h%Raorg@2h;B zMQk@qm%~dWxcs>Ew)w;#<`X+9Pwb$)37a;8C!9-R&}mFAI{NuBo6e?nlC6=ImE}U` z(m7-<o17uqV6(ponnhNkE&sbx+8i3?#}3jL)^(BOwC^YF4(EPbzWtK4(#ec0GP~Vd z9YxwaW)_+G-FH9~X$#v%N&D{iLyGj7EUt5hIX{+1SEwhtca6eJ7xrVj;)Y2XR8|&~ z!6H+MF6m?no0U$Z(#hhz#ug^o8EjT|PP;nFS#A_(v{9l(tD}3N-5hkk5PqCRY(L8i z?Qy18Dv8SRaARa;rLjk(WD>o|?MoS;r5KqsXA*-<ZJ(u=PG+akxETyGh31kZJWP^U z*`n<;`X<AfO3QR1GZ^%dtn?pieVbvJM5Z&GQ^-szCxx8We%GjTI1IOTbJW-r_jWV1 z&?4W@ROd1{?au_AbQUFrE^0##i^t_9if1b@SQIiNg~j1^G)ya2-!{`b!lbx>yCQOU z_m=MLR90)x&re-04&QPooJH7L%U=3naOT>P&OJga9XOn;53f8sV)llU_^7x?+~yb8 z!%v@O9O=V~A4T(Pahp><lD}|&>^1DX`w?@dM9e$y`>b14-@HfZyfssppK1b_r7{XL zEC`LI%QW@qGb3!aKPm1pzK-x#!TU<y`0yJ2m8~1@^t|sa_i^T}q=QEz^md*zsB&Fq z>Of-0o4D2w(k~tIS}ro=;TXola=kbFb<zyOqtXtCl2fFg_ccr#Fg0oI*rx*us&W%f zJlCPT%zJdZs&#R7Y0xLV`|2wC4Nvqu8+^vx3*X{$dz^Lu_expVNz-T77@}9lt{+i! zb}8#*Ag0)512LI`>s>Su%aLo?^ZtE9%3hZxwKC@~oO?k_81mylY+KJM!`X#5W~`cn zc!tcsWZOGUcElx%o|bP07;I<x^<BFz?UZwwy~39l=I-AQ#D4o12FMg#!-#MA<WR^N zG%}Yf45<X+bvHuz!rV(T80)C5|MtPyx4*oNhV4W$GmU^A!x-^1s&g_g2Zm?=`1=R` zx=%ZZ>`@o?><j4ma`I-KP$b~xrnQd(&kwDuC$v~;y3ag3@KfVUYZf{6Gv-;4TeE^( z#a+dvBNvl~*j<{iyz1%m#;FHSk1yP1)l@Jd!Y!>d(p9l%k3qQ_{dt~G92>P3*Yy~8 zUp9nA51q86PHW-58+X$By<R=?{*ujpJl~aXtUgxFUq_uvKD8>WZYkx%Ez<g;ut!Jd zPOB}^Jg`H$J1^KTHlS+e-TT$}yYs6V>F52ZekWZGKj+BR&ABtL->$VWDc&`P?kli! zUIY(Zc79V#>#5-ma)hYm-Mba7h&--7Id^=6gXfBI^x2tl>#`NsZ_tX8yENkkxi@L# zn!(A@trW7AV&?w!O!Rc?`VjT==S7FHz8H~ji}l6fe>B!hG2XYu`ohZuB}4&jhpd)V zbkvt8@>)`X{sdh_8+{_DrP7zhV{*xKCVmi|mPN2c%*8!w_@zgk@xg=eR9Yf08IKNB z@WRTHPwAAjw4-Pg9=a#+!OUbjlSX5seJ_4XO1S@=g*7ER1aBw#dWb9*o12njFI<c( zlblZTrDcl7aLyDmL3sXrJtq{fx+atqGMho>l9_&7@j}|)&89&*ggd%4`_96M!EE~? 
z7h2>LExR8tFX1i=o|cYIzEOIrET+jjr8aJ~?Abn#O75oEgznm~%*^b_r-6=@#&V+H z1-8RXQpRYv-)F`D+1G&e`rFFFo%RkRzP@DAg#&)JXvoc_Aw|-8!ix-5a)IfnwclT0 z{<rt|PkjRTKi&m@cOm}2{!Pl_3o(MY{M84S=-px_cxgpM9+8!m7A7$rU5p)#s;mpN z!?rro>;}~@-F0>$u4de|_(qr9JWs|sOV-0PH#BUi=}|W<lzSK~J;U4(H@|MSV#uz0 z@w0s<_sGzfGjWoZTYtRztZUU<CtTdVn}VX*f@J9(S9Y%2R8z|iIrn<Y$1V1Fe!|R6 zsfqKaAC1kbyQ-2*{(vJZ)mW=LPdIvOT=~oQZ!;&|eR06#L*8Of(it|jdsFu?W3THs z!xL8v8p66Yj9NE)(}g1z*RSHd=$1_RI>LZ6`WG2>K5+``POINC&N)2gmbE*rR>!6} z-=L;Qf7-rT3$FS`-7%6r<K;W4^zr4Bfu1+G1L)gUURm>UJZZ%FGS2$l@(j(7x0WA1 zj>e|{@zbf3sQSO%=nlV&{V!`2`O0?Ht5?O(nL%Cj>NU)3e1iAvnLC&ZXGGl6&1F7b z@q*XEZIjMTd8>Qp*(B~d<+S<clCmK?qB72gH_N@OplPViSK4b|dN!miPDb?V6~R<$ zfB)+Bci*QY?7%=w2ftMw!eXJnxmX~437aArVRY2sfBQ?=Z||0nG|>5<d`}d-fJLvH z!;v^7R{R1s3W+R29Debaor_Eye)SjB7x|tw;?`q`0kH=!sBL?^nakU}WK6_@M%l-v z^k>CI@|AdLi%JW3DgJ|tVL{~);ags_Ib(gNzm&3{imZ}8m2PIT`CQ~y&r3e@v~Sw> z70ljSrFUr>dwCqEu16$&>BmEbt#7Lj#Pkm>tSVbNz3BK9UcsqhBMYuy=#%*}AmB>F z0*jbQkITIyGRq6;W%f(@Y&g*r7kTwi(V79<yfpZQ?&qS5uJoy_xjpU?jizgUxnNgr z{x;%4ho`pOw^OYy4)*38rmNI6=4xw4JlI-W?3n0igzs^=8bhVtD?hZj&~RqI-LVOM zUx%)0812U$fFEpo!^6hUENj#5IWx|DZp3ZlFF?=Hu8(U!dmeTC=B9)6x0i<>{usi4 zGrE0$d1&d~Mc+h)#r=3Ks2N1iH>;I?#WD|)BNRW*U#3y5d1+mB>^_UWJ1%9gF?L!c z>=;j+<Rj&A`slUb+urK+yRQW;y(Ql|_4Q*1;Uz#y7z7`RF9BHGzdha?5eyJL@o}o& z_e&%2;!gx2$p1``?<fe*_ANMib+z*9mAVho<XpoF&MsRn6*Vit+(XZJhU_GZ6_cN> z&j?tpz0P%Sxt(*rgsgJ=o^RbJPfIf*4d<&oT3)H#YuLuRiy_8g<I65(++Q`J)coWg z<y(VKq&|{TXl|wCZIQ<Bm?p1@S9+{g6MXOf&4%bP`JQq!D%sDs^dvkgh`zFZ@}l1F z{8yJv+~zoH^ueZ@8^e`UIX#ZL#_d}%i?dqwo^#XdA;v2SJ8o@C-<!zM&|2BYdx+d@ zi~ARghdg<tnAU$>*yY;e+gkQdJXcWtJltet{Q|Gp)<c=&&FjleB0jx6R<A#{`s1pr z-Fj)NOM4jU>P*V!smzl<VfOrZ(F@C__vp#-hoi?|9?6}2h9uQxqwx3cF<mqYm$_S) znLgO!Xw0=G)bxrwhqq2T*z{xMO*mLRNht=2kA0;<{j@QuXLG8QEbg@O-uz(~k4z0d zpEu|sBebkLRup+jn2Lb!N8w4oJMzAFAA}J_UV3`E@Z}zp%gBkR(m7xMI0`OCI1umo z<&UFu(B`fW%zyp9n<K#<u@!F*KJ057@j+kPD14!dKDa+~`#l8eFYjVGiAUqsh-Hy^ z+o9v!cIf=w_<C5&0xv7-5WTbN^Omo@ZgKgvPapH0XU^<zwWALl{2^3#-{`k1$yt;; 
zO%qKIOq?90&62T;sd+@tPW!ly_4dt4=3$?SQ_k!?&Ga2o*@x4A)3cQOO0je9R^jhc zDf|_#8dIxk@r=36fjbY>8V{Q~;5gHN9Gx+4sG(8F{d1($H8(9vj)a>Zz1zQV<-vnW z3hY^P$}Lv-x=l?oAwMv^JuymW*>sagZ}URN?Mc%=`-FeEe`?ng7A@LfLUjDfhL|-v zw>O`h$ygL|>!WE+2H#wZe;4mj5?-WIKZ1V*f8yxO-VyZ$ZpE{L%tBsqoeSh&+MbZ@ zyLA)Ev!Y%Ff8eFu%Ny5bp=V#$N335uJvxm3io$l-^5<g&?*vZ;cLi4jrv--uje^aB zHG*2f9Klq<I6<*sq+o;~MG!9-B<L#$5_A_31@;2GKu@45km0xRU-BRFZ}89akMZ~N zxAWKYmkSpM0000000000000000000000000000000000000000000000000000000 z00000000000000000000000000000000000000000N}q)9w&`e@-b+!6(xuz=WRp@ z*KY3CqJ&cqYb!~@%2JfDkGN_fNn9}(C2Twj@sdP=nJ8fyJkC^-7;7R*;K^5wC5bCW zqJ&9CsG%egVjxNwR><m05;A(CgdVe0SCS~v5hb)MCTU9&6SYJMjTM(PC5ej~qJ(Ox zo4O=HR1+nXYI>?l5<OHz33;x*vLvCWBudB>TvwDNt|^ETQjGWVlEgbXG@<x8Ge}mF z2$T^eT6$lVmL#s=M2YwAF;a3kX$4_okfN}MZ8;<i$B)yUL&_@7O6KNs$s95#IIBmN zPWGDY;!J7YIqqKWOu=}834b}?JAYq(bgtgWMI+sEcIEWXzLKqxRg<|Olfa{KUvi#u z^7B}^WnF#D0000000000000000000000000000000000000000000000000000000 z000000000000000000000000000000004llC5^*iZPAGhI<Ypwb;BY$1T92E78fmz zQ&x;-rZHJrOnjif)nDXUj*u>-Vv$sW9bzNO)G`}LOV41j$?P0_AdStXC($WnE)DO` z<EF6KbZ!noAJIiiDr%|qWsRgW7-alF8iz|~CKId>3p7Vb%P4})N}@Ap_z)hQN~7ZY zXK?B1^pRvPoyD~H<7+hki}vIHBG1eT7l%b`zN`eNY~;`2(%4LN;|8*M9IkLZUpLb9 zR|=c_@jfvA<7+hfl@2ldmBI#pye;~Fe2sc`xPe&2f`CU%#T}x@p)r!2IrL;Ejp{<n zCZ}gGXf701y6(>w)cK1eUHdQcwElS8HUIb;HGbvrQ~#C1YJa>fs(*ZqDt~;9%71)~ zN`HKfihq2K3WZeZ;&3cdc$uJtD4^wKwWOk>zC4lFk_z-E=px$a6FDuFzAPS-OQtjN zgXpv@f+b=uUbo?wbvxsO2jQu-L|!tUE8GlWC?S|2M&ixTj-pX`=r-ennaOk}jmAc| zl7zU6Tk0&VDcN+qop3GaS(U|Nb5nBcg^O`zlGACvv`lAovCb4S!3lAYRd6T?EqSYg zRlw?+P*TWj2ANA{`f<ez`8E#9|DR~3+#f%BWdHaYW&ZdYrT_REaesV`QW?TED*Vw% zCww(yo12Rf926`NjNq5>2k?>nXZbtwC+D;CgYpgYj^_=@GtRxA+mJgsKa1}nSdzOt z-z<Md?u`7f{3bzW?qhz8;8>n{{_DImdBgc*bI0Zu3l|3f00000000000000000000 z00000000000000000000000000000000000000000000000000000000000000000 z00000006+RlEZ0Y7hz&;B|mK>Kdq&47_5~IE&_|-38sj#=<k3l>q!1aJ&pS9Uz)c> z%UW3C!m)@6!3Z%Bm(}E?kO?%}w*}47f_N8P0v53&*dSKof+k-V>P*YdptIXA+zhQ_ 
z>WO1x5dy&#aTeFHp))BA9+l?I;U!X8>0~;S<B~yVGU?3ZZ!4Rim5u-SA5b?!S8Es~ zU8smfd<oqVZ}CPG6UkJU&Ntkdn!_Zg(<$FJzyMv6z7?(y7BM9lBZlGyX?4&~dT2>q zJKR7lVnM(ors9%%92z6ZnL|%zwlA%Nmew}Hb;BY$1T92ETv{=jnZ{&gG4X-^T4(`H zYg|7pVn#4QjKl@Bh5MA~L2AEOHPE8!PPjNMV)LbcaLPvh3@(k$MEiB1c<;9LuNqoI zwHq!Qi?|br2qLawpU6vgC%Abd-Y(fpXXlh`a%y4<EtyCj=|*OVW~FA685vYYh6-9= z*%;@8MRW<;h^Dx{(l^_rgqBeJ;YiEM%5q60Gt&rY8I1TD)j64$gFaV4>&O>UrHh3J za^Yoy5~6@slhu-nj{5RMUP~&_pP-9qqfg|tRQj@n2d{7^;s?=bSp-YOTzuFVemQKM z@xg=eRGP45c&_jW5_asD&Q#LUj-pX`Xm{X)naOk}jmAa~FcRV}K1iK~H6=$K-cE9g zWU<)XlpK5EVqArX3eA_6>5MMcnL;KwAr7(%4ke)_Z&k1gSX~oJ3YpCybID9Uu6QBe z?lL*Fsj@%pGRXnx+`*Y7gVvBX$MwP@Mg#*yPh3O2FN=~w7qyJSpwpOK99m2Y!6hjm zjs$zeR@@YPSbDm!flMwV2OmV|NX~X)v(X1v*aM2fKxE6;#t7U5efb*%YX$j&>HJfI zdx8`E1%hP$J$|@AhhM^P<-7Bf1lI%y1j_{D1w28#AXwliP~pGfU*jL*ujE(p`TXJh z0KOC7if=4j8~^|S00000000000000000000000000000000000000000000000000 z0000000000000000000000000000000000000000008_?ki%(W7hz&;B|mK>KdmJ{ ztyFNPSRPaIx8yA)b1k%R4p>eKnGjE7QiTunkIS1&^6+{%Vp|O|lS<3ZptEUIGfBRw zHqHsl;gY#@N(7zBq%)HP$W#+arm+G}7n_mHqL7Uwa}0HGE?8;~lbrr-c>_tVz7oz5 zD_Mb_WS*`n4v*!~7)cy@GLuHtk<8XcXY-h8OjZ^%o<i1=%+^GgFKi0YgY->fG$gs| z8aNv)nZc#8nPlOF#p0?-a#YcrL|(Ex!Oa`-rqI}26-kaV+GWBvaA@pI8e2&+R}n2w z<50*MG%}Y<rlb)RBsub$I6EvYlg<>bAe}~~3s)p3$&%H@A>TDVgvFxDNV28THKnsC zDReH4!^KJFO6lWB3iR}JI#bvdMov7H&XMd4MdALo&7Xx4+!E{&)C$T3X@b52SAhoq zCI1Y66MrT@mp_c(lW)$)<=+wL@(cJu`G*Df1qTHy1Q~(>0(bs9{zd*a{v3WH--a)r z|1f`@pi;Ov0000000000000000000000000000000000000000000000000000000 z00000000000000000000000000000000000000000QfJ`$GKxChtD~oucEwkYTEf) z)z#B(`$o!~vPCoUa<}yuHO>0jwpxL6uap}p9?RD_+MpSv<eKe`_i-(+3k|SOD$A`e z7pf#!OXDzDtIn!fqPZ5G<(i|p_|9_8&|K5b)@y?18h2LL2+cL@tgZo?tKV5&Jv3Lh zvs@iCSG%)ZEi_lNvs?`{SG}{XQbTi9JFBaL<|=oVtAyq%c9yGv=E`@r&*jiu+0N?9 Upt;hW<>Js>DLtIKLPxp(4++`IRsaA1
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/dynamicPinningBad.certspec
@@ -0,0 +1,5 @@
+subject:bad.include-subdomains.pinning-dynamic.example.com
+issuer:Alternate Trusted Authority
+extension:subjectAlternativeName:bad.include-subdomains.pinning-dynamic.example.com
+subjectKey:alternate
+issuerKey:alternate
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/dynamicPinningBad.server.keyspec
@@ -0,0 +1,1 @@
+alternate
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/dynamicPinningGood.certspec
@@ -0,0 +1,3 @@
+subject:dynamic-pinning.example.com
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:subjectAlternativeName:*.include-subdomains.pinning-dynamic.example.com,*.pinning-dynamic.example.com
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/escapeattack1.certspec
@@ -0,0 +1,3 @@
+subject:www.bank1.com\00www.bad-guy.com
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:subjectAlternativeName:www.bank1.com\00www.bad-guy.com
--- a/build/pgo/certs/evintermediate.ca
+++ b/build/pgo/certs/evintermediate.ca
@@ -1,34 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIF9zCCBN+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCB4TELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MSMwIQYDVQQKExpN -b3ppbGxhIC0gRVYgZGVidWcgdGVzdCBDQTEdMBsGA1UECxMUU2VjdXJpdHkgRW5n -aW5lZXJpbmcxJjAkBgNVBAMTHUVWIFRlc3RpbmcgKHVudHJ1c3R3b3J0aHkpIENB -MRMwEQYDVQQpEwpldi10ZXN0LWNhMSwwKgYJKoZIhvcNAQkBFh1jaGFybGF0YW5A -dGVzdGluZy5leGFtcGxlLmNvbTAeFw0xMzAyMTQxNzU5MDlaFw0yMzAyMTIxNzU5 -MDlaMIHRMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50 -YWluIFZpZXcxIzAhBgNVBAoTGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0w -GwYDVQQLExRTZWN1cml0eSBFbmdpbmVlcmluZzEWMBQGA1UEAxMNaW50ZXJtZWRp -YXRlMzETMBEGA1UEKRMKZXYtdGVzdC1jYTEsMCoGCSqGSIb3DQEJARYdY2hhcmxh -dGFuQHRlc3RpbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDAfzrlJdawr7v8m7lslODk5FTqCiBO7tPxnWhAOEL5g05knLTZTc5J -3ywmGoW6ae6RwPlWuqRuFd2Ea+yCawyjkUoLOpFH/xziDzvaS6LXNdJoxQqWk/LX -8YYQVFfmxh8E11fz74IoCzX++mY1byaNONf3bLU2HU8vnVvENr1gy9Bzpm8wUuKm -HkBYuG0SVzaeym2H/mo5PJICPVhPa+YxfEVS8EIFCigXGH7xrz/bPXnpfgsSJTnN -4amBNkORfjf7H9x6IWkJGEkIvkVoYKT4iQ9q6/C4YDjWa9p5lA4F/qxnJefezH/I -6hcqEODSaDsY+I6vsN8ks8r8MTTnd7BjAgMBAAGjggHGMIIBwjAdBgNVHQ4EFgQU -fluXMAT0ZS21pV13vv46m8k7nRkwggEYBgNVHSMEggEPMIIBC4AUyJg651hwk+3B -V0rQvQZv9n2bWPahgeekgeQwgeExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEW -MBQGA1UEBxMNTW91bnRhaW4gVmlldzEjMCEGA1UEChMaTW96aWxsYSAtIEVWIGRl -YnVnIHRlc3QgQ0ExHTAbBgNVBAsTFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYD -VQQDEx1FViBUZXN0aW5nICh1bnRydXN0d29ydGh5KSBDQTETMBEGA1UEKRMKZXYt -dGVzdC1jYTEsMCoGCSqGSIb3DQEJARYdY2hhcmxhdGFuQHRlc3RpbmcuZXhhbXBs -ZS5jb22CCQCvxT0iZiZJMjAMBgNVHRMEBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeG -JWh0dHA6Ly9leGFtcGxlLmNvbS9yb290LWV2LXRlc3Rlci5jcmwwPwYDVR0gBDgw -NjA0BgRVHSAAMCwwKgYIKwYBBQUHAgEWHmh0dHA6Ly9teXRlc3Rkb21haW4ubG9j -YWwvY3BzOzANBgkqhkiG9w0BAQUFAAOCAQEAC4grNTV5K8yqiAJ/0f6oIkTMqyJ4 -lyHXvvKXMHTpRZ7Jdy0aq5KTSHswx64ZRN7V2ds+czzDWgxX3rBuZZAgOW1JYva3 -Ps3XRYUiaTW8eeaWjuVRFAp7ytRmSsOGeOtHbez8jDmTqPRQ1mTMsMzpY4bFD8do 
-5y0xsbz4DYIeeNnX9+XGB5u2ml8t5L8Cj65wwMAx9HlsjTrfQTMIwpwbNle6GuZ3 -9FzmE2piAND73yCgU5W66K2lZg8N6vHBq0UhPDCF72y8MlHxQOpTr3/jIGr4X7k9 -uyYq0Pw5Y/LKyGbyW5iMFdLzabm1ua8IWAf7DSFMH6L3WlK8mngCfJ1icQ== +MIIEfDCCA2SgAwIBAgIUETbLA86peOWkUFhyKYIuZVGUEygwDQYJKoZIhvcNAQEL +BQAwgdwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRh +aW4gVmlldzEjMCEGA1UEChMaTW96aWxsYSAtIEVWIGRlYnVnIHRlc3QgQ0ExHTAb +BgNVBAsTFFNlY3VyaXR5IEVuZ2luZWVyaW5nMTYwNAYDVQQDEy1FViBUZXN0aW5n +ICh1bnRydXN0d29ydGh5KSBDQS9uYW1lPWV2LXRlc3QtY2ExLDAqBgkqhkiG9w0B +CQEWHWNoYXJsYXRhbkB0ZXN0aW5nLmV4YW1wbGUuY29tMCIYDzIwMTAwMTAxMDAw +MDAwWhgPMjA1MDAxMDEwMDAwMDBaMIHcMQswCQYDVQQGEwJVUzELMAkGA1UECBMC +Q0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxIzAhBgNVBAoTGk1vemlsbGEgLSBF +ViBkZWJ1ZyB0ZXN0IENBMR0wGwYDVQQLExRTZWN1cml0eSBFbmdpbmVlcmluZzE2 +MDQGA1UEAxMtRVYgVGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0EvbmFtZT1ldi10 +ZXN0LWNhMSwwKgYJKoZIhvcNAQkBFh1jaGFybGF0YW5AdGVzdGluZy5leGFtcGxl +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVJiVydABCNEaH5 +n4ep49Gl21367PGI2le/ZBNojyzkciz/EJA4wXQCyToqRz29KGrtP9zTY89aKRR3 +Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPNRGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dx +ShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s33iuMUTtKMReeSk4Y6eiKkiYCjakDnLV +ecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rdGq6KoszONIoBabgOKKLXDBqWDG8zXy2g +m5tkP1q/uknoqqmB6WDifYdIC91V3ZQX+hhQn7tVTM+BpDl+i6gSijS98nhlwYnl +c0+yKQUCAwEAAaMwMC4wCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wEQYDVR0g +BAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQArG5slgBRJuytlKFa4qcHW +pAOfjN9fwi57fDds1yNv6tXhESdkbVPhIgw+GanVbrVcorGdCkfB51+dPJM+cBgH +HSwEB7TQnNYvm/csA1zH4n+CnX9nBL7dwK63n6dyR9f1uvu6KSB+YJm3amKil85a +d7HeDWdh+gNhC58lEC2QzuOMivP593aS5vLJHfp8pjc21XJkO8M7SRw44OJKYq9/ +v0k6v4SznbfZzSLg3gM4aSNuCLExUtUY2myxPFwJs9QQ4xx5zJTjJTRlpxUm630Z +n4IYlseao949U+UbBNU4PZKH7dzSQzfhdFJpvK3dsPOPNnHYiXO0xAhsEvvjq8zQ -----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/evintermediate.ca.keyspec
@@ -0,0 +1,1 @@
+ev
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/evintermediate.certspec
@@ -0,0 +1,7 @@
+issuer:printableString/C=US/ST=CA/L=Mountain View/O=Mozilla - EV debug test CA/OU=Security Engineering/CN=EV Testing (untrustworthy) CA/name=ev-test-ca/emailAddress=charlatan@testing.example.com
+subject:printableString/C=US/ST=CA/L=Mountain View/O=Mozilla - EV debug test CA/OU=Security Engineering/CN=EV Testing (untrustworthy) CA/name=ev-test-ca/emailAddress=charlatan@testing.example.com
+subjectKey:ev
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
+extension:certificatePolicies:any
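Review bot: `issuer:` and `subject:` carry the same name here and `subjectKey:ev` is set without a matching `issuerKey:`, so the self-signature will not verify under the certificate's own `ev` key if the generator signs with its default key when `issuerKey` is absent (an assumption to confirm). That is harmless while the certificate is only loaded as a trust anchor, but it breaks any tool or check that validates the self-signature; adding `issuerKey:ev` would make it a consistent self-signed root. Separately, the file is still named `evintermediate` although the spec now describes a self-issued CA, which is likely to mislead whoever maintains these fixtures next.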
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/expired.certspec
@@ -0,0 +1,4 @@
+subject:expired.example.com
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:subjectAlternativeName:expired.example.com
+validity:20100105-20100106
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/imminently_distrusted.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:printableString/CN=Imminently Distrusted End Entity
+validity:20100101-20500101
+extension:subjectAlternativeName:imminently-distrusted.example.com
deleted file mode 100644 --- a/build/pgo/certs/jartests-object.ca +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQUFADBaMRMwEQYDVQQLEwpVbml0 -IFRlc3RzMRgwFgYDVQQKEw9Nb3ppbGxhIFRlc3RpbmcxKTAnBgNVBAMTIFNpZ25l -ZCBKQVIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTA5MDExNTE0MDkwM1oXDTM0 -MDExNTE0MDkwM1owWjETMBEGA1UECxMKVW5pdCBUZXN0czEYMBYGA1UEChMPTW96 -aWxsYSBUZXN0aW5nMSkwJwYDVQQDEyBTaWduZWQgSkFSIENlcnRpZmljYXRlIEF1 -dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsQd8eUw4WSK7YoKl -hqe+CjEgI5Rs3TirWtDsfmMtMBmTvRhJpdTeMAFTpWvlOPuXJwkKXMMFLxE8ayNX -fO5ixCgJ7LrpguOVZ3pY4RvEyE6yh3Hv81Ztblbo120IdcrkyN4KMs5EgeauDllU -ehhbq9lmnmQxIQs3KPcoMteqAXcCAwEAAaMjMCEwEQYJYIZIAYb4QgEBBAQDAgAH -MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAAZHhPT133TcavAKnn37X -0VE9davrX7t20CLb06KYpgkg7yO0BjIjTnYeJBQgaH652pZVEFT7dbi0JTn4BMXz -EwOQ2JjzjwNUDHpWAopiCKxAnjwy/kGcZfkKUydwQHKr8m1Faywu1Cyrj0gBHClL -b2b9ywK4pb545mE6V9pi1zg= ------END CERTIFICATE-----
index e5c08aafc61b2f6eaf5f3657b7210c73faf245f5..daedff91f957b276dba44e71e4ae4ecf232fb223 GIT binary patch literal 294912 zc%1Cr2|QJM`!{~`JQSh~wQZCk^DJY?kjz6FVq=>!WtPxJ$XI5{ka<jnl1PM<$e4tZ zBo#_zO8HCodAjd&&TsF1p8xChJg?vLyWSnk+Iz3{-5=NDT3_4Z7#Zj|`=AjH9$s!J zAA~r;IRZjL0%Zh(fPmoO)*B_kZ)96<B>#4skN~%X1VV^R+R#-3iZg};XGuaI1T_cw z2T7h;IAeI`J|6o600000000000000000000000000000000000000000000000000 z0000000000000000000000000000000000000000008_yz?Gbwg@c0-BjAIwbw#_O zeNbvBAJiZ3DO3&BRgBdU#wv$()DeH&i{N#(N9Y@B9aAwpfjFvu0%4-7WniL?(9=bz z>ggWQ(NZ-=7^>^*sHmzRL^%7P-9&%A6XO%6AY)PGAS7^hw?_wfpLX54*Ba&P<FS3) z`j7FgMgLf%JWNK$!oo>tvAu!aDU`FlySKN#m$M(r2TlI3a9X-*>c<h=5B`ksdjkY7 zN>oIQPnmRk472SqTv4`Y*Wa6v{l^&F5B_BgalRuYWGrl)gx0@e``Wso?R<W3Li!(L z{OjSrNg~RpN=(MG=Z}xZ+1uL}?e%*blK&Xy*Q0+KMMjh_N}iCMg_DyoL3R6({eJlO z8qt3owtpW0_kmM6tY>I^5P=fedfPf~D6y?K@t^D4cl^9Z^yghNKX1zXyeYGN^XDcq z5<eG`KNnIz7t%i$GCvoxKNqN<3)`)Q?DkM1zn0r0iimA5e?5=H_EK_tDYd<n-d@UV zFJ-rvsO_cg_R?-U*splM@@=n+{aW81S!{b`vF(w?wnrA*9$9RAWU=j$#kcno-`-1n zdoS_ry~MZolG=V$YWq>C?MJ1yAC>y`==PXW+ha;^Zz=O@xn05Sk5o+L*ZR+W#kSK* zh-?wtj{L9H?OJbdExx_A`1aNkBEPo&wc)RO#J86c+e^vq<<IAq*nU=t?PrzPJ}#2m z`$}%_D=G5po}c^Lp(Vv7#3e<4uZsO%{kIJyey>XYUX}X2D*by^=6|h9{oYOL_ij?Z zca!?Po75k>N&Su^^*fH#?>JJw<4FCEBlSCu)bBV_zvFDJ%KlzO{a&^Gy=wP+)&BP? 
z`uD2C|61MtMEJF8`#X;9&p7syC=q+x?TX8YZ2MhbsqN2OF<CxwA~F^Y&i|?f{{C9E z7X7_Wyw#{Fes*ix02Kma>mLNxKRneOyZ$eqIsgCw0000000000000000000000000 z00000000000000000000000000000000000000000001h|CSQ92}4Pk=;#jq`2i*` z2|9wUe{^&N1au4x5i|r0=Ly2j{_*c$ThaY|obG@3$+re2AfOhO6W@AAOi1YMgYt2< z(|2}vcXoF?jI#f^iHNAEu!tZTu?Yz=&3<QhJ6B(Ow4k@It-XgE%Gupp$n)3MLg)aL zo2M&U$j-w}$}zX8b%uE3D`pSjd_oM*7>3q{@F#*I0`sl^T6{YU9Vm1CDfk^PE!6ux z2(^4GbKO<D8+oH^(4*M=1^>88XRB6BTR~0BGE>wNoAU*grgKH?@(e_3?Gc4-n&PBy z8RH1ao>JVq9C^T|VLE?i(SxgfB%JZit7_?R^%p$`gU`nLi@W3>l6~wJ@tn<gGDTH% zX_(JE^mO|@2WJie!5^JkYA2}M3qELlPrfm1q-@RN?U$Jv>A<6rK6lueBAR07VT5x= zjOvf6xala&IPzBUmHu#F#(l{G3~`f@>%lziWc>XhpP3h;x`%Yb1tjZ}>3te5md8Fs zIdb#g`0i%QM7z7~etk#c1D^;pG40`(k<%u^9DDb0oaS^IxJyVtC=x~}CBjQa%^#^5 zxk5`wLrO?2vWJA}VW){upyoaE#~;N=zYj@HAMW-mAR;6r2_vM4TRyX-Q_##bf1#D; zprlb9<y7z2D}ps7q0yUlsN*l>Q&vYu_c{;W&bUoSy}5kdFM?wF343<0h21%Umg9#! z51wSPs*Bq}G`s5xFO`40B*P*3&mVhumCko9j#+=-Jk@?q@OiUP%K5!7-v)j3Qdu&u zQJ$K+lhgmGn*7NH^5_HMZTCHm4OnKI)6|;>AKNa45SkP7%s-+!n^bqG;Q>k7YMOjJ zvvJ#85}kwemGyjsT0bGNQR5}cd8Y}P5A_7)vyH)>x$HMG__HO_%ohj}w9cJLmt$fx z4k<z{$!=JMT(2O!8Zovq7yXsAI=h%e@)E(1<MeeN9ju?8Z2a&|iVB{+W#XB>s-P}{ zsr#G4ar51l30h=3D6r#k(W=pr<I{b4Y(EQ!i8f)OiQ053iOqe`aQx7VA;xB_*>A3I z*($~kv``I%_&B&_`n-J<P^J2H(YE+QHa$XM$a-<^T}smKBDae#0=S7@JPqC5r4T{! 
zMv^^{y~-`m=osTsWwYvAMrtpwFx`#`Ygv2r;xpaUGGfDz1KIY1{@@V;){HjFcp8>& za@i@>Di`P5O#+n6aetrtzGgSEBh#1m&`Q5_G0*TT2*cv;U%9(47(Y0pDVZ>~Ajzv@ z=*^I#bVTYz^}#P3`x)q1W2vHJ!{q&Iosy0cPei<>IcMuCXH!abh0-DY`Ov9r?%}76 zFAna%Up_ce?Kb>1BzMKtGy6Ol|Jvz6T7m&LrjJx^uk1X8zan=WF1<vvi74UgKge#h z@5_2M`J+!q0=#3S3sbKMuL^y+v@i7UbJtUk8qN}Fjd*|VxS;U;JLO%jw9a3-Cti$G zITAZ0QtffDqdHz{M$j8kHdTI*55aGJBq#O7O<iWQZ#%VjnJCvxza4va)xtaHM4fU| zg*sZrQriWI9AO?<7yO+1gkYq4p{NLB(*O9N>qbq_$ZKZZIhEX&{Y3AjKfHM6N?K!q zei+rI>bWLdb%-Rcvi?!VRGvV7IRE6M2b`+<0te6keQw!3ew~?O5^~Hp+*aRHu=p)3 zSD}98emSJrk$?I}x@%=mE%L_3>s|7+{mes7``EhQ67|Of>37mGIpxgRw2fp|C3;hn z+rM=CV18L%Q>x59qLJHZBmetKPj||+igs9IsLP6y-=nt$THO!g+J6Z21!W(iqKfRX zVF^CHZ@T>z-OM`?vwY6^Cv}Lv=q~N<n;GOUm!I9rSU~vvU^-aw_qnad#aZL--K`4> zNqE7@r-4rDAiVl3w<QI0rpMY{FXO?ILKC~{m&)u2xvvfE{7-e3qYj8(TG&~x>~H+^ zK_Mfhp}njU_54F*qv3Rpe|fhmrHjgBJZqEInilC3LO#13Le;^ht2tu6>pM%b^6S=u zA5=7_a($f4L<X|m9gtQ&(iqgo#!(X3Y16-~GOTrNf%9cgm$Uto<0;yP++l)*TjvVG z|LL9mq8~Aa@aNf__b+GjaP9w7r*ru|-+rCW(SFYEK4>pDw7oOR2fckV$Bc<mi%|YN zo0BmTnHc?XgMyJrRYjCpgz4uEaz@%?9=`5ATc>w~sWaMNluLy3=lxWStj9dgIJ>%{ z5P}GGQ-nR**4Gi?gZB18Z0*b;!uE3`YDOj_w4JY)vriyG-QCgI9gX(dnjVNsiAZeE zAs7X>_B7twXX{P`@7A+;`Fi{KdwBUc1@dhTBkYcHLo1;D1b+@IXonI#D8f%h`L8bq zN<wB1J13NvE6NAuuI%$`kbj?eBx~pN?WUzEOFi|xgswVmO2L41;NK@6by^oJvk7*@ z@4UK}8&&qEuV~b2eRd)Gg;}#bqf_F+DX)W@J1)w!_z*pk<JVAV;&qu*8XK^CYR<>x zPuTQ)_b|$0P4d*xK&QA%c^u_wsTi^c-D;>iiUx;uS=8<dl@Gd9$n@-S;!N8Yby}O* z&RL1lkNwrLQ&)LD^gO(GfL10kAlLO(z%@~|Io`IDfqXJ{CHefC8B|h*bY4S&kM8ii zT78%-CH&nfy`;rg=VbaL#|IzAS+B+9Kk1Q(A#|>%<INwYVNIj)5Vsc0%gVA>GH-6s znkg^CytkPQj?$zaHyKZ1S>LUnd)GwgDW*_1B({_xMxyCU0J`PETW`Iae5C*N#G_g% zVfKcO%&f-AAfD0YYl=P_HD~`d@u<?=N9(XUcKy}JOMeyPdNoF?A~Bi+0nHE9qc}1L zo8C4=Z_;oG_xl}<cdYnUxOYF<kG&#g-pW)DqsH>yhIN*bw79>JOkM9b<QuB6b?Iup zCG3@*+?$i`aE`z@y~`*2Nabc5q5p)u8oONo(aGg%zl}R`%|>$-9_0GzyZw>el2bQn zW9}fx<_@xv?<GH<j&SRBh|@3arAa(2BR(~B40Uy~>!CWAzV6qn-7j|&^qbeYs!Kj< z-p!d2<L*#g`HuLhtXOk0DanZ)J%@wHK9_zVxnb+Li|z4;8KR3^B$TFIu4x?-7=qhw 
z<^9JD6yEI&A0c{>qnSWCUgIP=^2ndE#5!a4r4`w}zi-TBxjaMU`@?EP+@%wg3yhp< zqAL7;HD<;E+h9KXH(mpN-+fJDwbg|0oeEhaGkB{L&S2DQ<JeED{w|OIjh>+^+vZ~m zeFj(ZYP-{mEgn0b>)VVNeYMe`Qhw=KGiSrCT(n{EPPey8cQX0zsKG7nHZq?0*!_(@ z2Qc%R^0l((`xcXeRiDRh>dH7cKj8GUEe_oMsqga5!pU;^_f@wP6#hPU;la&Jh0)kg zRNCogjti;@SFLZF{mRYZPq+L%5TjS}ZS4GkHJ?WgRtKFNx=XJnFfT_gWGFjXy&-yS zP0uw~W5?L;r2pgmCvm#7h3SPK7516!{BlKpwZosGYAWDi8Mh<)C3(JWlOSnXB2U62 zLFdkRu?&r-D;CUB!6HO-ECapuT&d#9;+B)2<o3^<E=*nG8;rR9W;wI?6;i~{Nc!({ zuSQfVAqXr!@ZP_q%q<*2GP5w)^ecDckoNo`rhS{Oi!AYrU!J6<?mkYH@nHOgo45Pj zX`S`nyICt973&<S-9aHtm**=_@Lj$fn&d2yHJtnC_DK3l%JTtrjkEx}r$ZE@0<5i3 zd6?66JpspTWKAmq>&h6dlaJruam4Mp$)KHXx~T(6#?A8U{*}^k=Amt57t2hqom{fY z?7DZUH?!*Rb2CsET_H9#vg+O=-Q}@@D$SX=((o&HfX%sA8-cYitLtdXSNq;0j>+|Q zhbbPj+3EPBEXIrd`;2B_o8hC2r3icD2LAX@@4vjU-6fsPlNVYL*q`dI>&M$7Fs(pZ z;PO<@C&J36X#V}xt7IcO$3Ne@TE`}$ye3Jz8dyogbf;~deLy!vy7B&W=jpUy4C#5} za@8|-5%ck>xt{(pHh1X%J~x7cPJOSyODSY`u7-aOIy#BhGVoXKjAL|tuR_FglXW;h zW;DNfq$<F=T4@*<ZRp8s$oX8*P@vSOui;1ugOZK3H}cN;65{L@$&C3_(Fy6WbCo(C z;V*PYv`8ndjop;48to^kJE@Y#-L78o<z2AU#pWfg(G8ysmUBe|mtCt<KUliNubq1| z_tteeIVE|A<+O;P*xhngrPZ~x*X!T5Cm#RPJA2|8qF)ma=D$olF!ukaCLUsu!@njT zo{k=NsO|ZNizu(i{$D5lea2`vPY*AYS0F+a?d9X_;B5Ev|6Z!%>*M6{bGjh9TZH-7 zG=u(+X~w_i38LI0$X{~{HhnJ-2WM9_Lc`bD9&L}%^Yn3cb3TLearSUO8`P*6k;e16 zu_RRRh|_B)$%^X&|9<jsh&CuyOJIJc^4<MbG?~;61$oAi4^xubwX<KH%v`yHS|0M0 zPCVb&bmIzHmOE?Yms69~=Dw#~>`zmiDKalnk6K|L;=V!@(yh9&*SS{)!IxZtc%U^k zdPk@Alq=obt}yzAkSb@^8v{ggvHU9YC7u)XwDI2^s0FTbClv<YiADupykT}xq5n|( zM7`#|Qt5$c)lUbQpPSrvFfR`wx+p9cwBsBZ_Y-#4^r|$J#qG&7hWoyv1vHn&Yag#{ zRB`YOP=30@LRaGSx+X{%>EZmQHYOFtF~9#APj<y63SFr#c5ae`&CIdFZx<3XSw!n= zerR#6dl|He4iQ(r*i9ul7yn<M{F{l8pNt7dRll7o$d;u47OI43IP<TQ|JQaMe$P=7 zpM{*)a)<`1njO`b(`JS^MVlPA}og+gz2dm7UFQWPC*L-oB}Ny+CTAw|s7=+RCmw zzHeLI+4A`$Oujz3Q)Nuz%|w>5yCCAbL`)s=hwnS0L#ik)`)RJ(x@$-bDKebedvddL zrlx~?Mt>sYMAyja!^@x7)SqY_zkQ$i`0%w?IX#M_%v~Q23p$5Jx3oo`;`Z?%JDc{J z*k0(M&fOg?`_2WW<)9`$5|vlC&b>}nzj8q~yLU9sI+Nr6z*_u6-G}{Dv3VbT47IZp 
zE7tQ1Rb5NiWn7*z4VK9sv5Q)mWLKT~IKo0RzwrIs3AQ$l4&L{AK^bDq&n-9Y-!mUn ztl!_m`CokZ{yObljb+5mt5FWK1;?`ov&gRo@ce3y%oqD!e=OdIO4+3<cgsa8WjV0+ zg94_j>__HCZA5--+q=!&)8jsba~IVn+rtkhct;XhNEJv%bzFb1Mjn?^{;}#4+8`~E zI=NKEq>|u`yJ_v_h`r3KLa&h?@{ebk^2`(2Lcf0VSoi-PZ_55Tv(muiQh=v?LDkth z{?wbjy%eM|#s*mok4`-P``ljNCc*>X(nayGnvOLyC&hj|Bt!5k_xkCBtWUKM&@nhy zu^Ai7&@q+@S{a(O6VlI**^OV&P~NRg<x%K2^OO|5?+tmQl~o-(xr)u{YgR3+50~U* zzESYVX9QW2dp><=U1>JxQ23@i@6Mn`aa7+Y4wCmzPI9K~e)mpD0@da>tzPMv$B`1Z zp(fx#BYr^D!1(ohryYK$O(IPSP4c|o|9x&cMmoW%5X;2mp{SupgfwM$HRzxH%DsPa z*zkVAo|a=f$*ZnPtnT_=kZ`79AyFz#tw?R=sJZ({XsT4(^3I|R$+kG}BYU|Qmbj{> zI`jHk(1|oRLoOVl?`fSSF@G=5^5rvO8O;TG2fdHXg{tlb63Z);>$51bG>5)rLRF8v zft(d@g_CD*5r6)$jv!T3uYbJ$WGF<(?=tcIL*L$yNB@29S5=jC!|D_ieqWCbd7tM$ zc`8+U$FJP)Q&>_fR-<1a$uZH%&Mp-JEvCzsr#alGO(gt?cRh1rrSUj%*#AqzWs$yc z#Y@?tzBdE?;suKYr%7qg2*$}7^TdQ&TFeZ7(XhFEe`PTG*<A~bvV?Eybg>HNRBqRa z+o`^$cak=I`?BI{KR`EPkp3-nIUAGX8J`wk`0n+tqkAjw`D?3raIyV;Zaz`{dh?4U zs`AuKvAJf6<Bv;^Z2ro9<vhRngyR>{bmHJ|4_~`QU86@NH1Rv{U(1a_kV!@m)A2lE z+mZ97VJ=8P_T2}IuaA|@PgE?{?B{w%+~nFEue&7CG7zRRFqV;);j^o}!0~;}HTo5w z$4W%uJs#;v*U4-f%Fetywa|?&<_ZibeVN>b^l0iu3#3|{GAlL5e5g{0e?syK>9M(e z^8cUS*$D{9oBwyu+yDRo0QkRxYU_<SbebS^HT2WgI{*Lx00000000000000000000 z00000000000000000000000000000000000000000000000000000000000000000 z000000002s|6vrwB!txRd%h8GuZTqs6Oj{>P*MxaiBoMoN*wxyAao;iW$PUP00000 z00000000000000000000000000000000000000000000000000000000000000000 z00000000000000000000000000PsHq2{8d7@y`VjF);xpRp=lAafmuWh<d1P$l3qf z*#H0l000000000000000000000000000000000000000000000000000000000000 z000000000000000000000000000000007{>IVoZ<N)b^}VG%(xViOW#n*Gl1cCNnm zXhCmZTYC>Tl(W0Hkf*b|yR*Ba5IO+m=IM$Svh#4m*pq~76N+HQM5#q6f9^@fNMvI4 z#|;WbB2^VpW)Y^JH^>=jk9qjI`)mz`Fm*=zi*ku@{=A=xk@c9z8E02l6haW8Zi=u+ z+xj{pe9+!Lh^?JDMA&|AM9s)#gtqhba`p*CsJlBlyQ9%wTTw)%L?pKJG74_(X}q=1 z)}096t!MG__4e`i@bYmA<l7oX*d67DRzUj+{v1}&4kda}grAI(KT<Ptg_e+#keS2I z3FYOA@<F*P`}`W@-#<v=(<B&sLJ=2HUXlI3o^78o+Rf9$3*{AvP(^$BI6FAop?uH? 
z6<;4GkDnPucZ)Fp`q=3I_}KmxPLx{&`RfB>)A#alaCSu_G<==y(e?;EPakJD=QAiD zXAgIxts`;}-$O?g`iX!z^d3QIf9Tt-cK`qY000000000000000000000000000000 z0000000000000000000000000000000000000000000000000000000000000002M ze?yGK2PwUMP(IFf`p)j|&hCzfQT7bPyo6{!XLld8mmAvN8Rdf}rX*%2^mO#FLlJH5 zv-3YjpxSyP4!uPXIurVI>m2|90000000000000000000000000000000000000000 z0000000000000000000000000000000000000000000000000000000@ZZR8VhO@z z?VP^dv@~U@r=FM4Ri{lU7?2JS|9s$VP@`f*8qep(l2E}TPOqILE3OL=u@Fm8N;&2> zwayT4e8ub`oKJ}18N<-p&~A+uyT61WG&f{D#3cB7F!fo7pq3!^GyZ}7fr0_i{%`yh z{W5)*eD!?FeMr4+yzY82pFZvR#PfhhnESZ9j9aqnysOr!LYGY!bLTqe9ZshlI~+M3 z&Z39WV)pTNGj^)BIjA+1u}!rNl{Nb0{gZ4~ewKZf2Q8w^C(RX3WE@{Su4`6iMq+Ah z(qOX7*wd)XXul!GV9Y>TKS^&+PgA$x*pFi;bZT|zkGg2LYa_IRG@ogTYQ!CRcjT~o zw%V$ik?J*7%ER_5%_^+QzDm7H0*a9euNCCw(+_<)bWE;Pj#&1j%pDmfX%DH#QaqC9 zBt|8q#4m}>ifM@Ei+mS3E?gr_C*&;HCb;ilpum8D5dQ_fH+%}b83z^*9NQ`j00000 z00000000000000000000004mhe=tZ4HK|G%1A(`*qqQB{%g0*8R@_ch*1^tN<R?)v zF%ir;5lb>k{z%Qp6<R`4IuSh)mESjML?lQM@_ViNnsVplK3r}5qI=Fn*i+!i!i0FI zYfEANW?+2RXCgvEB0_`+6&b~^-H0gveVqis^Erg$iT;czBg4~>Si0&mih0($ezA`x zWCshzYz<_tZl$Eco>Byll;s`9#dl?QO8eff*eErbJ8odF&-3tzBr;biE^EoqT?<!A zqvChFuO3fN4PB3Ge<y7i^74D!gN2AiHtwv6)xbfEBn&5pl2qwmDNmsT{|IUOPf96R zH8qk<BXj!HUZ(tyNWxE6^^};q@&rc9i5D`J)&!Vwg-oP5kCHg??Nnp#EzQj$rCk<! 
zSsxrk&_xq2#q=MAUpZ}sq`(>ypGuNk9<sY7)ME5QW~x8_(*2&DCJ*_>ie(T1LhgNh z6t;Z0LUOTb7S(4DP_QrVjWZ`dLVM-)l+?xPwR=`a(wn;|iVC-mH~C+Vx0sBSz05x; z<=cU$2~p(DLyxn_U!S~~7kWK+7fn;1Rrc|xoMxF$h$UPpORpUtIUaP|_u8ckX~RpJ z#c!kNSLo#TU*r6|<JGxcx81i=l3`DYPc1XuFN<dt>%@sVG7Cr4J{8LNT(_j^McJiI z@P18V#ylBUN*&T#r7RTFGqan$x<kIRTKBw&rwbI@DQ-B8A~m~t7q<>L>7Nhy&ydpp zq?Cqrlkdr*30_t<&D>qP{@~o+_vfCH5#N|ubx|o*Sxo+fD`ZCUjmIek2K!r=zjzwn z*?nx{Z59cmw$01oi(Q`u)r>;7LXuz&iBBcJ&o~{XYbXfYQ0zar9EL8<H#ChHE0|F| zx%BYzMf!Rau8_5@2dYR^st&a}v>4ufCOjjocCfCBo9ixdq;Z}h?}M<d<4yeM<1OYO zjuMynN2Q$FQzdLnj9{SHJ1Mj`DWJFW8aGD=>zCSU2j{#I(R^GfAA8W{?_FJ+wJTZ= z3!sk~*CpWd7nCa(FiyM}*k<(R+*V2=>?!f7W&I;({@%;|UFly~`xE!gbC#Gq|9n>R zt2|$Z2DRXa%MWp-w2Tp=9r;8X*U5G3@ZO{0ldqPjTBT0;x;tjqQvWcKnB6+ygnv5V z+abmONhxQ)Io^pJyUpsqwr;mKFE$b7Fy3{4-(KoK&xh~BM_13_3hDdeuvFMCNAZMH z!@7mxyC>6@XnGSrA@@|H!oPghN~zfjNq{vZK9%e*x_5Y3yjtv-{7U)972)W}=iX`b z)UUi1MOc2k8W1{*D<qrw?fH~P{YGq_#lusBrYMQoqBoWuKAJZuWd_Q3cJN}5p?^8t zcH(F;$*o(G;!@(0vUr4?T*!Avt$3bR@Ns#3usv|0?=>;`t?33+<3n$W8I!-_{L&$c z{el*zlIuTbXLW?tQc3S|weM7W#|`1vq$2z(dw1JnkRjMZ%HR=_dsjogY4a_vm<JNv z;$Nu^8x@#$PMVTWt4%L$*3;}F#1(R}L|yb?k@kSO(=h2+#EV!xqk!`<_JxB_jL#CD zdZ}WHK?Y+DX)B3G$j$mPK8bQ~y040r1-s5=?c*EXZ%jG8--n)C10j@o<1((0jB)G3 zhCRu7Jl9X0qC0Zkmakzv@rtjW+GxAyrL+Ro4h-@v_Db5~5mJe$?40c3i<9++Tn|pP zDunw_Yj<AcVa*PS%~#Z*N#2bsr1iz{LKYJwXV7`t&*W5&k3ZcWf7+)zVt7MKdq0_U zKo<rXguRjyc!V70{js!LORlje^49&&66=wzZ5PKG9gv}~n>i*t*+0hP3h5*(@i=#( zEGntRMfr-QlG%6HxZc}Q(~ZPpsuA4Zv<_pCXRucig-6J)B);_nL-(wkdIx3a=UnJ) z*>^OXrS3m-n=|kfC2Pz9Tp^_jKF$<dlJtiv-uKAsJo=DZpFn7-hWqv1bZ*HbL+V?H zI}mF~DSTSc`xSnLOD&@WM}<{KFYgZJxGilIa=TATNKbi8;r#b9oTr@Jy@MyBJC0A4 z<ZfIvCem&_+q+KtJx|8Q<_I14CHLiF3^L#^A!Q{+?9u<E1<5@pRNS$CcO0{nUaCA& z(vc)|P07!`ex~`Im!gN<ArD+3J>`v}_o!cb9H3(_Gq^vgTd(9oU=7*0<@X93smrOE zdof6V>>=@KL4mRTm<Jl)OZOo9_8^AJ#$ykN^gQL<yTF}~#&9NwWaA3iOzQn3$wlq4 z&{y8`n+}?LYo$5_<UJR}+0L*n(`+c4V32-TL*mtf5=*V;d!8gP+lCDV#C3DLS#u=G z6HPa>e2_$3?|d|CC$5l@(zm*+%{}&wM7SgzK@2@h$Y}CnCLF9As~Nc)eey>J2I-5v 
zlK8YB-+bbO--w)ORQgN;>c|%w^118JB|h$*vpStYgcL!xggprhj>Tw1tjUKtcSh zw*aD`)6~n=f{N#Rw(!Mgy33;&q!0E=;?sg!xN_IIH;%k1Z5~r2PTWU#dp=uJyEcq# zpTT{pn#qGmTp>@^uY?Z~&C|acVX8GFLOu+C|M5BLG-Y?Omt5*o!rk>4q&N0T;?sgS zCT|&=<*DePruR(Ni1gE%mF6E!m$sQ}Cnu|YMqnO*D<t!7svePBS<>&A^*<1tm&%VL z%!*~Z{_*-r_UNuySAG!;(hF-yyjoE2j}fKF!Ef0WX;Z@uA?Mozv@W>$uDn0hm192L zm46WDRPAhpVafGwp4aPsn)*{8?IkvE_{OY#HoVYQ)gGvBI82X0p8iY7pI_6W|D*+# z7i+gmAy7`SW)8EX*V1V8_vDA2WE>}8dgdW<0_|puE9B;$nOaA_bZeXMlxJ(o@47Fg zHUFsiF}TWos7A(V`9u;1>4`lgJ}u~p-`YS}^vB?k(B&rTB(Imm%W96tqe|b4+hyk@ zdrb@B3b~*ZFjdty5*i=lfYKyX?Y}dZliiKJFd{ZBcANIddsYn618YdUS`a;NdY2&2 zrOPa6YmtUe!xknP;l7uu*yRbIKfGAuC#8-nWR1bKJ4+SF7L;XhoqEyqC^I)Hb3C1w zhToLT*%NhyFEL1W?3Ki)1*IEwhRawy-J@`AgTjKz`lx=y1S_Lw;+dCAo3AnM`*EJT zgBy|Nm$G*)=f2D}sr$%CX<fjuR$fv|Xx=!nVb67B3WIdRUP*jfkafY@8}zH^`C`|s ztB?C#EF5rOtgfzGZFwp!?q<5jVjr%Mw#|pzd%rjAIVCzrnZ-;exYBTn$2H=xaGY{+ zgfL^oItJ;Ay^{E}poW@Kj=+xEC@Zbgi(f-8VZy@<`bUJ19+13enyA4O>4+<&kmu01 zl|y~I#2S~GBp##}7(IA;=6y^>bl3s3%{k8Y84U6i){uC$p!J8ma&@i8(^W_XjC#%m ztH1j8?&2w*E7_NV*b05+XFuW!X_Z1#5~BBQ*Q<|LzuL+zb$zf`d{n$i`y^O@K{WK6 z;ur?$@|Td}5|T1@|D*-2IP9sw@Y>Gj?-x<?c#cw97wJ*HRe!?e1O2U+X1nrmPSpZ? 
zKa1oDP%3v)uOEB7!4-VQ9eFIb@@y*OqOjc*Qg|z*Gxm`9w4gWFSq>>ZpQ}MKv%W$) z?R|blb%EDdgD}mtcqwjD%L?aIZ8LW|3r%j|<<d`dk?`TPWGjn;lCh=0{tFdFgoRG; z#4$)GtReAgL1skLs?XFf^S#S|m7ZsGQBb%;SSG*&CAV7qf$cS0F$>PuS+4j+YnZBc z*gjeR?!@rK*70mR_2ac8IetvG<0!?8))=HC_DbT@g031?-VR7VT>rzQkXf?$%jvz5 z?Y7^K&lNr!y{R>=$smC%qz}ez?8;Ks*i0|4`Z2~cWByUcgl`z#Ngu2Hc46i7g=P%W z0edC!X+h$=R4=@iRW@Rd&Xh*1bI0^wX+D^tj<LFgwvAL}6A#6C#v!V;T5{OXlq`?* zT>E@Ts703gj$m4x(_-4?(k1aC0Spq2y^{E}AU4I~#p5JFw<|XMMtJMmbWn5$o&`O+ zne^a(T;s<13Kv`<U7f97qUBAZC=2GoZH11RX644E6>%9*RdeP0eZ3qUi$U6B4T)C^ zda5?*AimjigPkR-v7U~1s3R+n`SiUe?k+mA;)f>~qj80dO<cZgA-P!_dRBcR_<L^7 zk!#1VNW6$azdK*Svy+#?2!piyOGptZ(SP=h*p-ZVMUl@8a$NkIPcB@DSsu8VTk_7^ zyy!yISMRsSYj5KUIYxPN{ft{~g^H#^^zwyU4hy#@Jb7ah*_=)i1>R>7%ETaTv4_O# z8?pTbr&g;EEYVU6j@n2?);?s7e6@o=lquAg{B?9v49*t^Y)$>WZQ=rr_URrv=bie@ zH06C}<{kq2M#F&K@(*?g%rHn4){uC$Addm=JYO2kC$6{k5-Gn<`A3Y^Rji&mlzYOy zTdNjD>WwR;>>*VRJ=d|9O95%h@mDsFu}P-ANKV&tv}9GX=FCd5z#wg~R}!BV<kOJc zFss9J?#Cf9Ys9FzTBg0Kt6G<i${~*;vX7G^;<!Sh<)+_<+!pgHS~h>%vm8x#_<*k5 zJ{}e!3DVA6QCF%IFi30cmBgn7ksZ6-eev5%Ba*1(GpszP3~ZDrFs^lk(Kl|rNNujn zdW$RMjfgc3G2e)Z7blWB$<1<u+bN$*^kvxA%Z|4W>|(B@!yr#$uOvP#XwkY+Zp{P3 z7oxV|+`7YmL{HD*-jK4Q*uFDjIpfd7M{tEaO}T;5QEYX(9z-xCS|WY&n#a@h$2<{y zYUV+?bSFpqF-R+{A@OQK&yHMmPblj+eA-ZxaAL`JmNM`Qs+a59#V3N#GR4DaalVM^ z!sv1L6ZPVUn~`f;j|!f=3SKBkaeJ<$%Pn2RqQjh&i$PlcIi#q)w1|YvKWRa-HKVsa zt?rD;%^Xvn%+%05#%~&w6IEd@&lo;6E3K7^D`cI;iy)dIk?(~fp2aulgs3}HbFZJ> z(e1Y8_M=vxj@k}`w7?z`pBBVtOUf=C&$r4~Wv(jMm?@X}_0i3*>CfD{Wgb_yc^|IB z6*6IVzuzU!l&_jA<j1*rsn`yD+|{TQ^o77cB8Z5&EnymiG{+heuNEW`tsnL#fb7T6 zxHyw%oqkNQxic{b<%KlPH4ATo15P;m<o;uYBYCA%)3(+}*Cu6_QS4knUFRzIXSMD# zK1~&V=Qsv=0(&L#X+cZQmn|y?x`!MuYSxM`a_Zb^ZRHRpo$5le%?wVj%I?AWnz^y> z=aMD#!iWLp&JOx>D@XbiO+y?tV!Q(+=S<&D&SH?qu~!nG7Id4IF^*BUi`i1!i70bX z{Ps6fD!n_eT=I=%?TW@|DM@fva-K0Z)UD>@%_JdS!Mt_ighvXxXYP*`o9Jc9n_S;h zh(VfRuOvP#h-cX~PwXnKe2o&7iq!|10`%PU2AM;S^3E_l6wy&BQ(PhAQ#AJNTFyH= z>2=y3!=zC7zU<Swn59)iCYRx@Aj3j64AK;9NW5B5n(9nGvjCaWX;+7y%WgN2H|12$ 
zs!yKXFx4?xZ&X)u#TC*l&*)N{ctILrJJamDgR_0-R04;5d%2wT1l{@F?>;NRAWi-f z5+!3VBK1#N(3yn>*8HXOq6$HQG}BcFSmmjCs+vxJDkB?w%1_@ELWV13VQ&H%pGQG{ zS!8My%MQu~8U9UF!r_swlj{yqJH6YAF-T+VA@ONJ$NApdbk2(EO*B37wWHTi{X8Dx zug94jx6>+1q!$(b3Rg%u-qs#%g`RX-x(uEmKc4(5>w$~Z*@YKgv3svD?}|~yAdRqw z#H$6hfAo8?*oz={!X!vL1sm=Ny5Z2izv-${!Yr@*to2YQu8_LqLFx&kkDsxs_aM`J z1_ML*W$Jd2kdlh3>|_@#eRmUsG{jy>d|D6>+QE`6S=Ojnxcd7QLPTJLSyBee^^H>H znsP3*v+8$TA<4t;ciFEVTj-cz@rkefa_tp^&iXgjpa}6NOBdAF&N^U_2G}c!PYa?- zF3VARw4s2QxZ_IjV~6p$PeSdfdoT5TG-VE)N15Hn71DkW<(x%oL4$%@h4PCz)R$*J zVvgN*VIzI)Ttuz2^U&5;w?6ht;?sf__P?$^_U3IN{i2P3N7U8I>TFtj#v}83{uOz0 z@2}rmz!kFKJ7@BXK%Qgz*+*$EXx>Uj?794~*pphDY%+%1GTvdUnd@N<iB}7vdpy+e zkVdA9<#r71VB|rKovz*SOVOLH;bPwpQO9KLz!g$y>A(uBaUf3uy3LN(Zkj)9$CI}n z8YxN=^nNJ^V#If1kh*^fDJ_MTk^UzwsHj|{WM$q?{RT~#%~NKXnA>a&(>V`^*%#4< zGhHffxwt|im*q1Z-&s8tWSNP0+JE}1{HY+rgyl%_oq46?xf%83800bRA@ONJNi9c? z>!7>+N4l~o-lnY`-A!Gyc}eu@OuO)KMApZm30xr$F7(G=S6O_d)8F}epYOhcL+|%Y z)H+1In`k!R59%VS!XS09hQzA{u>|@z1Q4+7d@XTUic_c4k?g^Y%?=9wH2bEjD{|+| z#Bhb=q{`v+DkJ4GJa7FWo0zwqnf>DqJ2_7m0Rx7aUC5lRGtN=$mBgn7?H|}Tr~aO6 zp!@bSvE2qsoF^>#gbb`~u3ZiF-9JdhW`pyhx+@p7pK7i-wV{M*QYaoyR+rAQ*ZO|a zR6Y=KAN?tW5QEglUP*jfkjU^4=9?|Z4Vsqab5ceYk#CO{N8OLEtsV<??M~it8|M$3 zCRQIs_&)2a7X0d<Psb!ywl_!X`onaBL%O4}_G$Z4xB8?O_DbT@f)Xr#v=j-)X0hK< zr+<0!yx8p#>fkWpnqY>bBo&-N!&10H_PjFA?V$W&UldNKptf&fz4d<cep~xyr{SuB z<9F&S?_!XeSVQ8~g2d-+JF+=AYEllB%<#p(r)%BS8n@2%X^A;JdROA1J*+rij?OP8 z_Pr#PAItEqjiITBbY+*@p-NvdWSwz11OItJ1O}<`myi-N_OfFCqy;hcxYuauCsMDt zcIUKLtVlSod`b8rd$z~0#fexYJPhZBo)XI6a<zsTL=BtAbq|Nzvx>0?YHfBVI<@)c zzV(^Cwe>l91baw)T2NntQLE#izSSr8FL4P*L*XqR_9A<wa>}#Y(<2_dV0wlt<V|-A zCml!A!KbuWbPXyi7xj6Eteq;qJU&G|wGc%^6oEmiV-1N{3)0}Idcxj1W-~&WNZ@pl zv~=&-dE-qtoj2Sn6rDvuZ+LKpe8{cCd*^-Ie4JfsK%ItJf9*NRPP9m?BC)I6qE2%z zF$SrIy^{E}pjX*D<S}(U*)M8R<n|qHjr?$gpZeiIgkr-Wy2G{!(}OFdVL#y)m-_IJ zM6@5XPCd!qJ8H~LbBzBUfBlSYSbVLIGzO`Py^{E}ATz2FvfM|n)kIn5?FX(Oc3~e} z*Npjqyo5R}BXuv#rvO(-Q5D|j3autWl%%V>qrWSQa!PgFpYT7IuJP1bXs}p18iPEH 
zy^{E}pcBy)?gYV7_Fe5tuOHmL@?}`#)`L#zBb;8;{*8qDG=_17+)EI6#(Be}ZX%cy zEsc2Iug|W`IB_T?#gRfoPGKTV0)te+8WOJ-gg90rd^cvM<{IZWs>n%QYP9&9wJV_w zoa~<zZY_U)!H)CFfs>y_iri;uUJKlHSD<nV=eVuia-z25fj)9=Lb39;G6t#qmyn_; zJA2!I(t?DByDL1KyEYGb+%i3`NW9ZQeIR0r_Ic+e!cHmOmYa8Rg&duKyW#dD?WS|R z|MiesA%@FOwCu0xW$a%%>l4)CXHbhlDq#<aPYe3?x~6aBJ43mSD0fb2sC*?4FV}@C zHH~El76B_+Zv#J^Q#Hw_2P+3J%JF@9{YYJVV7+K}!vXDxqbpfs#5;S!?pa`vidaM9 z)q-YB0%yd8)kU)cC0TB0tX$u1dA8`)0@YpgfKx(HN+-@sZq6AQHC)*fds%69HGAOJ zxRk}>l8E*+uNXb4ff<STE(Q!z0edC!X+Z{2ey{aKSeN~~#eXcG7@rQ?>=BeUOTO~F zOoRBv^$+VfXF<D^5VdBpiJtc_*>kPF(SE}_Jb9^)dgRt?HosR6qc<=}dF++Mrv-iK zcyoHX8<ol8S6?`C)f%O-w{qqA&<Sn}>oQ8Bq`nWhLVnbVUMtTCl#*k-Z`WueN?w_Q zC@N;SEnY!?T&Rw6G8uzBguRmZw4j@%OR0;u42J}=BOA^yo~t{dbm}v=s<oYPTYV2n zeh$u`EwZzT+l$B$N<6Ke*qITnum9j_(w@Z4IoZR?FAvY(Jfeg_%3%$OR|^Vl85POh zp(@N6UXt~>%DwCIwGItp<5RXdox8;pCdC|Zg^d2P?qU7ofv8p2$q29DHrFZHN#t23 z9&dAFUDv~@eqtD;?4Lu5Y)#a}#s5hQ(meB8F?nXpC0(n-pdmAm+jn|0I3?u7I62kk zm?~8p&Tk*6Qao6MOd>5OwV$NxNVbH2u};;Go(`O?O;(tF`68<cgOtG@5}y`Cn)0}g zanNRhDlX<gWwC9t`<zm5((rZLGK)KVTj}2L;|fVqU-nRKpjOc-dvNup8rKY8Bs*8N zmFVXeHsQ%BabYSLq%_u$c(tH~&OHflsAggo1EQ%TxRvzntcL_c<fP|YFQJH*W6I`m z{<2HR9!Yd<yPZk0+f%Dc<7_`BYX_>`<0VtRoD`mqx-o-6N@1@gJ}qdoR8o3OM|PZ` z#b&93<&fr5hsw+A?i{9KvI}K)!u}mNuN;W?x)N+sPdMp+>{{8r-A%Ol1)Dmp*Hq6E zDSec^u)_d@l*C?1d|FVFD#PXOt_hhJ%tr^W*~PJ+Ow$atf0-#$9M?&i&OhIZ^A!yF z*WTaN8$6AgdcRl_A9v0vlmFt_e2i_#_f;dxm_!nTl)zp|d|HqxQB;lOG@Yf!&c>tf zubg@DnTzpITJEL(;68(a3JmR4Tp{<R?bSdGxwRoW7ss?2yH&@82Ts^ola7r_?&jyY zaA^gD6vrA8uND;aRp()VbnAFY@VD{=U+p6A61sfU*Tki^2t%Rh^j2D2A=f<!U2jf2 zFLbElsk*nHs)+l6sQFHc_teuDg?6S>CT)cj`%6e$SqE{4f6{_P?>9$Q(J#eD9BtU; z-F4`W{*ZG-gJ7#^&T!A3XQxyRalVLZrsFf8(4XWPP&Vg2OvH#X99s&jc=2hu)Tz-= zas4_5DT+NLJ}rnrwxX1EQS3*BtH#uhGcj_SZ~a?6g+6Xr^BHe6_wLESd3gh~9PQzP z=9h;?lU1)f$Mc>iF^hYay0JqpBf!vMaV8yu6u}x2uNJf-n|+e$v3H!=iv48X4Mv^Q zHhn4YS~_cZ?s|*wo?@QF6;iG9+!Y^g!tC)HUrTBEsa;>n)tuF)<=>=zXfvMEcG{0Y z3S+M%J}oG0^ywZq>H#M?69;WR2ID6;=OZ@0<#vxyU7!rki@JXfSIFtUPzo>V&x10` 
z3#s=UCydYai(06d=bR13j5a5oPPvak3SqA#J}u}_R-euVm63;hb&ta@aJlYIIrFNq zCvUyy-YG<z)O-3HxI&teB)4d}PR<+-JnB8W6z*}1TgAM&OW^AO<y3DkW$ac962x9f zd|FVM>uV9RcsI#b)Gkd)(%km*u|Jv=kC+?0nic!7t2YJb1moJ;u@`f$jVxvzr=k>( zD_Skc%ys96xixX}_tiJ*#*Sl<2eF34s|Dq+hE|zM`Su3BqNo&8yvmAFJEN=XwlVQ4 zc8aNuga+qz=7<qRmznx!mn^jh`u9Du;vkO*G9t-2P*traMB#`CzJ@^x{3WD}w1ntC z`k_40(epq28S41cBnA4K2(_87-FY#nPSyLW;OqGvd!qBlaD`O$Ma2$_6*u*Lv&gj_ z-uxlgH(PgPJfhubo}F{w82Kv<k{^3Wd|FV}{fY?;vRYg0s-w4*iEfD^@8t`-oX_1K z+jQZ2ZFmpoCEV8(PnWT1$s^8)&>U};D<QwnJ$!#b=Z)Y1!@i8C4{KyFNIt9~@oGU- z-CjDIyGU33YulCW^uFCII_N0-pnZ?d8|UQ9w)8nTFFf|rJ3zannD3l_W}VC2X5zT^ zB&C*t*<w4JU#Ljob7gZ3k{5d=@o7P&N$*^&jmY}rG;QDJn0Ycj8*pdu%}p?CZ=<a0 z3Ydw(dC84m9o3!=wW*bc+^)e(&zj!P(+ETb+0c>ZR|-V-5>jK32e4NXpBALwuau3b zqWgB$w8%<r>K6UOu`hQsWnW&Q<LT~uE_0FtSIEYs_t)cR6L*!-H7_t$BFb*`3JGK? zc04e;(T_^H_@o+x+>gDI__Uy&8tF2O<kiC=)y|Li<RO=vk}lA6*od5u*E-PsWtpJ{ z=j9DcQyfGtAJk;O9SFa5neSPQ-hT4fti4yGUVpwIG@SDigXF;)60a6SpfZ-Alwt9p zd@xI|Rgd~>fabls!!%|}df(jm))Gx{UU<wQK>8?eIASoBWKP<Tpj*xM5u@~Tu~#HQ zi`qtHNd!h1B==uJZhb|gMgB<(I<~g(r7_y3sUUDEh4!lcYU0%HT;f{Q8{97Ud9@># z32?sjM?@U<n(fF3>o~E*0`rsr7Uq3}+Ir6o)<#yl1a?|wV~||fL*mndqB>CJgsV2b zrY9b=ROzxFx=+Ivf2F0Kwv#xYdT^CM8Rx5NCx~j&{kYD)y2^ntxbIqg$V<Fk>G7Gf z!V#*WbO++)Fi0fUka)Eq%GonBCKLw4qbI-J{xtUeLhCzMB~JS=cENd#bPvJjjkrR- z%t$dv>H9Q&w?p@hwvqdXAQ>W)gvwX}#j6vCyhe)^Fi1}9mBgn7RkYohF8hHP=Sx|; za7NIl>*{dBVPl$67mw*L3oJIyIDhw{l1`6uH~+Es{T%$?Ml@Dl8XW)ZL34bT)1qX> zKZ_{h7zT;JUP*jf(13*PE}f#2D8e%}t}3Ck<~=2RT-V<Usx>3&%gT(^aUSl8i|v`# zMJv~QHuJ+WNf{bP<+;|+5O$pXKoUHfU8U@ZLGHs|Nqkz+@OO^PvG5-eca#=#EW%Dk z)tOF9-En+R9efjWme0W`1?N;vBSL(Z;TvD}y^oez=>}G5y~DTOJ-Lu7WqHawx+IAZ zgWQWXBwj73BQ(kQm2=M8DBFDJ-G`=rsD29$O?N@o_=_%gPM7Fg;0l?1gOKvaYLe-Z z$4AF!FQw;HoH#&FsYeh*=bz`d*m*J)gXH*2NHHlp2ibqpf}Dc8(v766<4`tPN-xgT zW)5PC`r=IU8!SJ(VcAJsjPoaAO=hv4tO<kW3P;3KuUa*v2Cfjh5Pd)TW+VQ!67lht zJPeW@dq{j*P`LE;<B_oGyv=)uM8u8vbd;l?RZS)o?!T&V#45IlI}uk%$z8XZ*vt;! 
z(VQ<Vbj#XnT0XK{)+10_{7mz+)kF^sAq<iYYe>9W(CexZgw%yYRI!rNhl+Ub%A|Q# z6B1U6@iddXtd|VDj`MfKzVh$h-=vv>db_SdGi8q^4?Scr9TBZhU%+|mTB)bL4hG4J zy^{E}poSOdGjorpFk<bTMJC6_q!))%m6CEXMGEnSCzb<>asE&~KZyOrh4E!VzM2<J znKc+zn$84&nRk7uZ|}%Hh>?85jY00gUP*jfP$BZf(*OxsBeZX0aw_cv$6oS1>-2L3 zF;;YgeiLH6H*vnOU*vQ&c(}di%*O^%i>N#EX(jg--WLvjILoZW)y_Izj6v?kUP*jf zkk_Mctdw7tNFIEVXhiRd$@{#dcvg*dpsAYSo1$<~|3O?KrNy3??pqDrk+{?U-smw^ z``Wlk<rhWQn?CvL(YuhhW?+ykSVQ8~f_zuv9iCHr=5QYNXE}X4C#6BdLtd%nqKG%k zM{iE+6T!GbJ}-PO<^N{SOwx-e@qtWDJ9FvN5!4!Wh9MlrLvO=URxwECKZQg&I7mxL zNc@u)v|{E}5PixNJr)|&Wof)O6BQ)R?-$1DGyUOeWS4*j8?KOwt?w9#y6hzhib_%x zP20tSqYmB-u^pdkRH+<pDonbHLGHpH5}y{7e>r#GM&#gg#ZQM9I(CM8B<ee*P^A&* zIJ{B3JTS{JkMn{$3gsqG{%|h#xM-@#j!_xy`!B1yWzJps*hJYok+^UJgJi-Q60a7- z-*ipY*SSo1kC08C>`<1eS#s%k+vfReP4|Y^#_paI#1(RYles^(0BJ=ooOI;bzJw>i zFFsceTA9e!wXwdx`+RO|7Q~3XlK8YBv`x*M8siL&H?L@>9>^TLN8dWUN%YR==3<qU zPi=E(J<cDIh>B8+9X(TXJ~`^!b(3fGr|<f#|0uCi_&6^%caJEt4TEIBUP*jf(AC5} z?Wng!OAL=K8#8xF361Ad)QHx<Ue)CoczvAdfD_K&@3x^0e&4ZHR5_9{9J%+ctu?EX z)mY<+_qFBL3uBuEMHu8x?3Ki)1@XI|2#t097AiI&uKTF`)2S1}g%#J*?vA)I#0j7~ zYiDp?)5~SX?W>TzTSm0z)(H>ye4g-)_in+3FJ8Es7=E6e*^NQ&z#0;-7KAjlNbTR? 
zyjMDY{x!-hJ`2^HevUWAdz4kWI9b*0GS1WDcLRIbjJquEvQI5b7}wM|23QC_FJ``W z4zUR_d1fH66_WlhA?+k=|Jm<|g{g;_y=NM{dCjQDX<nY2)!s!w&_QyCu&mbFwZc^m zoEIJ|I?tRvP*=t!mK{~79BJx3>bbD?xwR)guaQ}gnS&t-gQUYA5}y_{Kb6bC{eXb< zNZr})p(^49t*t3KWnc~e9FZC`K{eMZu8>zTUb*$rWS?!9^UjA$IwmlV`b}Eq)|Ok` z4(q*Gbo49+NsBckelJJ6+vQ!1ly6y`JD)^I9*t7JdP}ALiM7#1i#r<L_G>sVZ)jOj z{}94H7v$DEKdDFlL3fR_=?*LLQqHwF25DLf5)=kWgT0dYw4nPvcYLbet4qH1(yrXQ zD_cmR&1?>_Fm^9k*iX_uDEbnvkbZ}BiN|{lKYzEnpMIToc*G-V<H793oW=hBI*nG{ zWp@nn&wqsSPnE={1*tt*t#1^{e9%)`&J(9TBa?5o5n@Fnp7EgX#Q@jR6CYe5kH|kk zhGb1JYTPPkE>I<;?^QT`-!L!8LNmK?hHZ`^3xoXg-=O?cCGlxNsuqqZoj2#5M4cZV zzJa)zo`ktt7F#m)_=RrSSdQ&poHKJCMRIc2`cOpM;_i<pRjO~qcFcC2lo&**WFGUO zI=E93gQUb760a7d_^y#@JgP>6iuLZOdSc46m5kZMn`pVCd3NES(rJBhPB7k`)zNct zMjXo<EIRg<spdfFv%=-28we#H+Lw#Q>}YZflHxBRWyK{V|IyXa0agi&Eyd-zCDab2 zeXFyq?C6OR3*!o+Ps$fM6;1D6#})E^{j+B?xB9N{RbgzYIhJyz_2c|7akHPV1aHD~ z351I$2KnbdLHVbU__QF_b-}%8;`xi8Q+wN6Rik;nYlN=sY+Qeu(?E6aQ}A`1mE>l2 z{K&+uHTIk<IFp90eKq=>aoqZeH!>=`&B3{oueSQ+pZ@~oe}=@X1qB7zDbas+5Kbbb z@ovxYN#Ef&I7?Wk(WON7S!oyh6P&;BJ9rl<wJ1C|pq`QG5;20B&}&iU>a|SgJ{+Y* z;+^Fri$RiNuOvP#C{g^%bqBZ4{9P<wT`VSnOO52b983l|GIo})a?RIoyW#wt3~u@+ z8JMoK>&G6%8=<5Qn*C}6^seR~Kls}0tKR)`>#LgtdnNH{L5VhOmOl!g@styd7paMp z2@byr>vS2@B47FOiQ#B82Io&7sH@#<`?@F_=pX-o?cG^yR8<_u@hQ`VrEIc^r3K3( z$aZGt+}krOVi!Q6pwcS4aL-H!Dd_C`MnROelCX#@K?M?mK%%$+HbfRdk&uWI0b^1z zQK%*=JOGNaScuG&`|yJ|WAgvJe)GGzr_1C%%{_H+_MzMZ$Nv6tp8wbC^~ZN_d1K$C z>*1P0{TEQ`ev<d|5ma_{@`>Y3eBSssFMl|*F?{M1CDGV8^_qI4<ic*NrEkT(Zt}Zf zd7C!x%I>_Z-?+-xwgf&qvFg(^<$rBEe{;z4BfsqUCa<PY|NWD9-{gIL1g+TLGdI+w z%a}`t2Q>_Q>u~EeD|+lZJ9=XE>cqR#`sDfV`QN>Bo!0Qv&EXfT`Yd1DW~i}#`i7%x zk{4}l_Zr$82QPYk{+x`gd|uPqrFp$Ur^kLW#}(hcbYJQAhRDf{!A^g!>V3}0MzMj} z?f$*1+^h^E>zUcLq@rxAA>-)AjHYW>3v1^#H6AQ4ZN8VxPIX73E5o%Pd7>wacWxc) z-`&<=Fw{GRA$ch|BAJ)mlME$KCD$gWC$vOKqA~Gy;#y*VVo`iqe10M`{&}Kr{9Jrn z?7i5E_~6)Y@d@$V*q71M(Y>)Lv92+9%o4pExgPmG8jg;Pu8Yoy_KNh2WJNYbWaL1k zCQ=%n7#<Qn8m<kW55E(x4tYWqq2EKh!tFyRLMwyogOO0T;F%B)UI~62I2hO*92K|` 
zoEgjyob@;PzX;d@{R4{wWr1ve2j2yMoxj|_-M_#;)Tj8m``-6?eP8)j`6|7$yraF} zdN+9g@HTj(o+Tc;=ceb7x4`p*XN!A>yWTUv{j+DRC&zuv^|k8*_at{m_d@qD*F{&Q zi#ty{_c*6Hg=@9T=j!IX;#}(t{nuZ6O$Z@`5JCtcgb+dqA%qY@2qA<JLI@#*5JCtc zgb+dqA%qY@2qA<JLI@#*5JCtcgb+dqA%qY@2qA<JLI@#*5JCtc|9`!W#jRSr!rfvs zSsk`H>=u*RY^aBw8R`m*V{Z2aRpC2XrsuUNGs80d)y+b+i}d_e*qPxK-Q{oPqV#+z z%FOVx?&@ZTMYHhqd<pE#u=wuF-_Dlwyar`vSX5vv&S-gco2AOEq~6Gygjpm|mP#D1 zWel!)6t1-h$|?)%vsGa&-gX^=Sp-p*N&v2<AFjC%t~D>pD)Z>`t@|~l4(5hgxKNgg z6Rzb;aLr$YYi%LQDqEn>7On_e>R{C{i}@%^<psEw^Wd60;99FfS!H&8W~!;hpP~(B zAyJl!2G?>fT=O|_tv!#j%4X}b$zH^`NF8hz%wi_WQkenQayne|X>hGgMOkIf>9Z#6 zOidl^S(rs7%2KI-YdHn3`7>~>J&m%;p3>(cwMwL4z&#meF$ra<l*6^02-kc9Tx(CF ztg<KcnG3tsoI2Qen8i4hr7{+-Wf@%aQn=PiP*z#7KASX~U8WB9ILu-U%2Ig@uH|UB z=A+<R8;P>YM(8qY{&hA#ncO*;6=oq&mP!#^OBJrU0@oTxS!EV|mR5(wkvf<eW?@2E zDh#gWaJc5f;947svdV_&vnb-G^vC^Rn8l+gOJxvT%YkssAAxIa0Lm)sug{8LRV;O| zelUx^C`+XfuI0mU&HKQ$)*EG&73i~BwK=S*gXP04dZ8?pJh+w*!8Pv**V=<9tE|V} zS#vmwRL)Ze>khN%hO$(;!nN!I*Zcvv);goCvQGMJ<FduGVn>)o2b87K9<F6BT=RBt zt+hp2Wo`7?+We55e)4Dyv&cbND%o%?v*4O%!nI~ZS!J!-8S~q?G_N=4^w|FaXPqOV
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/mochitest.certspec
@@ -0,0 +1,3 @@
+subject:Mochitest client
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+serialNumber:3
index 5d72cd2b739b3127724e12d63c0c7e79c62666ed..124d04377341d01a30d7cdac4822937e2f310de3 GIT binary patch literal 2448 zc$`&~c{~(~7RSdJ#$a$U$TF5m-i%}<QDk36h{3gm>`aQTeTgzMV+ljZQue(f*|)J| zjmXkm*(OT{NeF{MulxDD_wKuYoX`23?>Xns?+=ZKJO(l`qwx@PRtSoKA<&^rV5WRL zL<fY2X#B#eXgu@i-z(O9JagwS)COb%{A%_8_k<Q@W&h8>$;6800<k4%S9Q`&g;aq+ zHo!wXb1WPK!s>|F%YS?AR-Ai|L$JyW_3+zVg|;>}%v0rScr^t0C(|or7i#xqS70wW zD)Sk2(a$_Q?y?qH!PJ4d*I?g*Iit!U@fPY%GiCvKXFPpkTT`?<j%6>7W~2(L&(hRE z4iq(S`8_Opq!S{>Cc$B9p@Qttx>!><uiQ_s%PE&9Ejh{^C5q*V+~`rb!5NnVKk8(> zx`JzGgUJoP$jrT9dplPA9JiC4wvgEo(<|xDsm90gT4SCW5-;jdbuWs?xy_?0jb`tW z#L6C;P%;iAx^faXQPzE-Et-?hfu5!jHmn}J=wx~eZNR|0m~5{7;8ymhGp|c41U>)) zqA%AL*z6<vf=dA{$5bK0l&jp$jH?Dg0yk$v&-u>YcZB-nc+1nJ29;(Wl(=l~t!2EG z>$voM7q+8heVQXP>t)h^*El;WsfojFW*}wbM@<Q(%l6HvQ|Gu(wXWN{{b~2Kjq7uk zETSE$ZSVI~GkFK=i{b2qYut*O&B$7UB14#T+2M`ldP3}<WWJSeuBUgLdl+ojCFZ=d zLu|9GY|N=_+mUh;_e_CN)NtwCJbx`^=JxM2n9~H_u%*;P&D{Rp`^ixAs#mGIZmxip zA90m&P$uP#l1jF!z<d?HajSV%zrz~+B)41JMUcDc-;knEsn%eEppPW%htcO5;<}XE z;p%yCch>x@hKvui{Hoo6(m0FxiAei*-UE@j>PUvaQ1pBgD!*2~SoV^~&3m2epMu;T zou_-yW|Q1q5{YJBz(hq+bmkIQ&6-V2cBxAGXoKuN!S}w|G3zj2zhd3sLEZcoo4Vz9 zJ&41iV!=zd`Z6D9=Z{x>=6hyy3p1SNXwe%cgOO508MghNLOB4W47+|z7zo`>&Wm}+ zy?Y{N)F%_ic&-g<I0B{RsEb6Q4^aU{S60OrLSh8Z<lWX@u0G;93wzkCxzOdG{UdHM ziRkC8#$w%89-aBM&6ausI^uLS+ZrLo+gb|BO1kzv`ozskG49o?HiBMkrC7ha``$bA z$p<cx8lL<ll=3F4keUd<2+!eojzeYObYb|~@{Q!c2wcbu;kT-1pSIv)+n3t?pH`gh zv(foJKA5pPOuMR1uu^g?J6pCHDQ%q^I+Ai6QwNDiQ{0h#%&vW3|8~q#*t}y+F6l|x zm?{FsXn$jTQFUT>x<`jLc#&%=8MwPx*3W}M<5}GPVLQw3AUq597dH7-hO8X_)tH?L zn2!f-qVb^hf7s3Zm)#cHveH5MPFjE24Z?#4ZW{69!wj5%=e!jt>DYNM$?^=RJmRJG zmT3rB06fxS+{82~&AS!)3Im9tFL6sxn2BT^ZP$CYMQ(otIhC8E5K8RGy!C~ycrono zGSA2-PKw+|JQM~uiEzd6e@snT1q5I5<)GeTZ?mLKzC5dbEe?#@v8S?!!#8Y6N*)R5 z3QK`B#+wTtDw8i!oCPnXuK3&TytY#5?W5)%2E-!ApBo>V1~w(GfjDv(;h6}&6WEEg zeKXjsyQ~-PsV`cgr*2fpFFQRPB2F!7VVcl*vcLB9vcn)wUrJ^C#n1{_w;EwcvNN9v z#ZOi@xA94wGnotY>YC+yX~Ac!nj*MQX<i}K=EGH%l61&BVe8~C^qO}e&%QT3&8r17 zkxCl5QjF<tIEh>}NyMTF^wg~h*j-J*OQllZ+Q&q^pm!Mi%PlOVi;fX-NWp(``xJN% 
z6*iBe`5U&dOF{F6k=%RO0fh$&lZQU1f7r~fc9^Ju6Nl{OvKFt#xN~sw@5-89YP*b% z56xa97COMtz8J@euk=1_ZTL;6GX{<)R<a^&hJqrV+D<FzLQGy;+vhL7(7UMe=lOCn z@n)+bG)-lc8XqJu2O~sa)wKwEsIiaW|EUis-|db(z9BQikVttJ4}0V`v;soFi@vnD zIQvlF!ObGw8zrWHpGlV2vqO#=ZmPS=6nr^*k&!zl+%fUMZ*y7heDd^f!qW!<pUoo0 zmEVh?Qc6bYHcV@?6$t<0%7)OUpUV_*peOxKhakhWdNI>R(xXqSWc5raH&}g-cIiUy z%BZ1#21v-_=qXVo`J^Lghv=MYm<1%srt^6WQKwJi+7Gtq^$D4nd1UfvDIf*d+sz$q z-J#EQu}QQ(uw&BEzTcvJTj$v+r-o6U!fZc2pb$-!UiQY(woy^KR(g~X4e_8Wx*QSB z+`$A7VxqKP%J_(Dlo?N_fClQCDznafq<cr!?J*;%>qA*2Fg2@jYF!0Q1dmQryk=Zh zbiS${0*4vOc0E7HvB%%7Fk~Ct0%b!Le7&1Cjhzn-k1o2woEG6JVE$#O!S9}r_c?*g z8eD5fm+Vo(QE#0J%%xE}`}{hIC#RuT-s<w9Yq?gk#L|1_)0NfW{U@-9U}*Zn{gJmV zwMdyyUp@!RxPN*|wD#K{5R3IF2<dAacJU&PcSq3%J6$RIVFgPI<F|vDAK6h^twe=n zoid_vMa?t*j;R;cac}D9;_YY!YX{RCQgceXdjST853n|)zN@#50yzqaSmpg=8>Jy9 z3r*CwBZ!#F0Kd-T#(xP8A77dHGwcud6hue2eedjrHYsRP4A`h&Z<(mufE;m$^8?Z) z6L>jqDq*9Ar6V8x{Mxy>wbM*Ut9efBViQ~Puszd!L&oZ*_?EY*?fGlq%AgB5mQ@at zKe8BuS4XxOo$8pj%my9bftWrG2MFVU;5Rld-`Z|S{@i-d(kfL|&n@b{mY`_Rh?tUI zM~sT;;ZUR{cVvpBF}W&d@G+tcTbf_5sMr0P>^Rl65kKLZd;qB^@Xfh1JtXoInoY3} zpZZA9baD6tdq7=KEEHCoARPxvT#KK(+K%BV?vb;YtHkEovEIF<6$u|3+7pEOEh}Kq zlK)Fb2)_b9oELBx;0tgCcmZ&L0DwEd9}s{>{Cxsb5CHM#St$sKmw|SDC3V3H(cdB} ze|yG@RzORlA*?L2T+BdW766DJAMNGUQ}dx!&1`OVlvb5CQVNg&v9Y4R9#-<XSo{^F F{{}8WdprOD
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/mochitest.client.keyspec
@@ -0,0 +1,1 @@
+default
--- a/build/pgo/certs/pgoca.ca +++ b/build/pgo/certs/pgoca.ca 
@@ -1,15 +1,21 @@ -----BEGIN CERTIFICATE----- -MIICXTCCAcagAwIBAgIBATANBgkqhkiG9w0BAQUFADBqMSQwIgYDVQQLExtQcm9m -aWxlIEd1aWRlZCBPcHRpbWl6YXRpb24xGDAWBgNVBAoTD01vemlsbGEgVGVzdGlu -ZzEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0w -ODA1MjIwMDM4MDVaFw0xODA1MjIwMDM4MDVaMGoxJDAiBgNVBAsTG1Byb2ZpbGUg -R3VpZGVkIE9wdGltaXphdGlvbjEYMBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSgw -JgYDVQQDEx9UZW1wb3JhcnkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqG -SIb3DQEBAQUAA4GNADCBiQKBgQDg6iipAXGZYmgTcHfx8M2hcLqmqDalcj7sZ1A7 -a3LiCBb+1uHKKy9hUxRUe61aJF4NgMAF5oc+HpXN0hpvkiNHxqqD7R6hrkP3gAJ3 -eczEFKsFUI6AqaCL0+xpyhaaZmmarcHxU+PL2h5zq6VssxfBAsO0DkzWzk6E8vM+ -jrku7QIDAQABoxMwETAPBgNVHRMECDAGAQH/AgEAMA0GCSqGSIb3DQEBBQUAA4GB -ALPbn3Ztg0m8qDt8Vkf5You6HEqIxZe+ffDTrfq/L7ofHk/OXEpL7OWKRHU33pNG -QS8khBG+sO461C51s6u9giW+eq2PaQv2HGASBpDbvPqc/Hf+zupZsdsXzHv6rt0V -lu5B6nOpMse1nhA494i1ARSuBNzLv5mas38YWG8Rr6jR +MIIDgzCCAmugAwIBAgIUQx5pxD+JMg1qPztfSg1Ucw8xsz0wDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAw +MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAYFnzom5ROuxDR3WFQatxHs5ekni4uUbEx +6pN8fOzcsllEfCwvmMLVCh36ffSguf/UlmR5Hq1s/S7iMiic5mnK4aaVwixzS4Z3 +ug7Dc+fG7j0VOcBTKWU983xUK/1F409ghQ5KlO38KA7hyx1kzjYjzvxLaweDXRqr 
+J/RZ1ACP2fKNziEOCbXzzzEx39oc17NBV+LotPFzKZ+pcxMDrtiNts4hwCw/UUw7 +Gp0tKte2CevGJbzjPHP3/6FUzHfOatZSpxEmvAcSTDp5sjdVuOStx4v6jVrwvyAz +VQzDPzaRWh3NtY5JNasrhExr5qxQlygfBngCMgZ9gESG9FvLG+sx -----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/pgoca.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
deleted file mode 100644 index 4867c286bbf6950a51078caedff875a945b2d93c..0000000000000000000000000000000000000000 GIT binary patch literal 0 Hc$@<O00001
deleted file mode 100644 index a3341f767ce01ccdc4a54adf64e82f9ef6b0c2f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 Hc$@<O00001
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/selfsigned.certspec
@@ -0,0 +1,3 @@
+issuer:self-signed.example.com
+subject:self-signed.example.com
+extension:subjectAlternativeName:self-signed.example.com
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/sha1_end_entity.certspec
@@ -0,0 +1,4 @@
+subject:sha1ee.example.com
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:subjectAlternativeName:sha1ee.example.com
+signature:sha1WithRSAEncryption
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/sha256_end_entity.certspec
@@ -0,0 +1,4 @@
+subject:sha256ee.example.com
+issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
+extension:subjectAlternativeName:sha256ee.example.com
+signature:sha256WithRSAEncryption
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/staticPinningBad.certspec
@@ -0,0 +1,5 @@
+subject:include-subdomains.pinning.example.com
+issuer:Alternate Trusted Authority
+extension:subjectAlternativeName:include-subdomains.pinning.example.com
+subjectKey:alternate
+issuerKey:alternate
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/staticPinningBad.server.keyspec
@@ -0,0 +1,1 @@
+alternate
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/unknown_ca.certspec
@@ -0,0 +1,5 @@
+issuer:Unknown CA
+subject:Unknown CA
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/untrusted.certspec
@@ -0,0 +1,3 @@
+subject:untrusted.example.com
+issuer:Unknown CA
+extension:subjectAlternativeName:untrusted.example.com
new file mode 100644
--- /dev/null
+++ b/build/pgo/certs/untrustedandexpired.certspec
@@ -0,0 +1,4 @@
+subject:untrusted-expired.example.com
+issuer:Unknown CA
+extension:subjectAlternativeName:untrusted-expired.example.com
+validity:20121012-20121012
--- a/build/pgo/genpgocert.py +++ b/build/pgo/genpgocert.py @@ -10,19 +10,20 @@ import mozinfo import os import random import re import shutil import subprocess import sys import tempfile +import distutils from mozbuild.base import MozbuildObject -from mozfile import NamedTemporaryFile +from mozfile import NamedTemporaryFile, TemporaryDirectory from mozprofile.permissions import ServerLocations dbFiles = [ re.compile("^cert[0-9]+\.db$"), re.compile("^key[0-9]+\.db$"), re.compile("^secmod\.db$") ] 
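Review bot: The added `import distutils` does not by itself load the `distutils.spawn` submodule, so the `distutils.spawn.find_executable("openssl")` call that this commit adds in `constructCertDatabase` (next hunk) only works if some other import happens to have loaded it; the line should read `import distutils.spawn`. `find_executable` also returns `None` when no openssl binary is on PATH, and that value is handed straight to `runUtil`. A guard right after the lookup, `if openssl is None: raise Exception("openssl not found on PATH")`, would make that failure explicit instead of surfacing later inside `runUtil`.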
@@ -36,181 +37,147 @@ def unlinkDbFiles(path): def dbFilesExist(path): for root, dirs, files in os.walk(path): for name in files: for dbFile in dbFiles: if dbFile.match(name) and os.path.exists(os.path.join(root, name)): return True return False - -def runUtil(util, args, inputdata = None): +def runUtil(util, args, inputdata = None, outputstream = None): env = os.environ.copy() if mozinfo.os == "linux": pathvar = "LD_LIBRARY_PATH" app_path = os.path.dirname(util) if pathvar in env: env[pathvar] = "%s%s%s" % (app_path, os.pathsep, env[pathvar]) else: env[pathvar] = app_path proc = subprocess.Popen([util] + args, env=env, - stdin=subprocess.PIPE if inputdata else None) + stdin=subprocess.PIPE if inputdata else None, + stdout=outputstream) proc.communicate(inputdata) return proc.returncode - def createRandomFile(randomFile): for count in xrange(0, 2048): randomFile.write(chr(random.randint(0, 255))) - -def createCertificateAuthority(build, srcDir): - certutil = build.get_binary_path(what="certutil") - pk12util = build.get_binary_path(what="pk12util") - - #TODO: mozfile.TemporaryDirectory - tempDbDir = tempfile.mkdtemp() - with NamedTemporaryFile() as pwfile, NamedTemporaryFile() as rndfile: - pgoCAModulePathSrc = os.path.join(srcDir, "pgoca.p12") - pgoCAPathSrc = os.path.join(srcDir, "pgoca.ca") - - pwfile.write("\n") - - # Create temporary certification database for CA generation - status = runUtil(certutil, ["-N", "-d", tempDbDir, "-f", pwfile.name]) - if status: - return status - - createRandomFile(rndfile) - status = runUtil(certutil, ["-S", "-d", tempDbDir, "-s", "CN=Temporary Certificate Authority, O=Mozilla Testing, OU=Profile Guided Optimization", "-t", "C,,", "-x", "-m", "1", "-v", "120", "-n", "pgo temporary ca", "-2", "-f", pwfile.name, "-z", rndfile.name], "Y\n0\nN\n") - if status: - return status - - status = runUtil(certutil, ["-L", "-d", tempDbDir, "-n", "pgo temporary ca", "-a", "-o", pgoCAPathSrc, "-f", pwfile.name]) - if status: - return status - - 
status = runUtil(pk12util, ["-o", pgoCAModulePathSrc, "-n", "pgo temporary ca", "-d", tempDbDir, "-w", pwfile.name, "-k", pwfile.name]) - if status: - return status - - shutil.rmtree(tempDbDir) - return 0 - - -def createSSLServerCertificate(build, srcDir): - certutil = build.get_binary_path(what="certutil") - pk12util = build.get_binary_path(what="pk12util") - - with NamedTemporaryFile() as pwfile, NamedTemporaryFile() as rndfile: - pgoCAPath = os.path.join(srcDir, "pgoca.p12") - - pwfile.write("\n") - - if not dbFilesExist(srcDir): - # Make sure all DB files from src are really deleted - unlinkDbFiles(srcDir) - - # Create certification database for ssltunnel - status = runUtil(certutil, ["-N", "-d", srcDir, "-f", pwfile.name]) - if status: - return status - - status = runUtil(pk12util, ["-i", pgoCAPath, "-w", pwfile.name, "-d", srcDir, "-k", pwfile.name]) - if status: - return status - - # Generate automatic certificate +def writeCertspecForServerLocations(fd): locations = ServerLocations(os.path.join(build.topsrcdir, "build", "pgo", "server-locations.txt")) - iterator = iter(locations) + SAN=[] + for loc in [i for i in iter(locations) if i.scheme == "https" and "nocert" not in i.options]: + customCertOption = False + customCertRE = re.compile("^cert=(?:\w+)") + for _ in [i for i in loc.options if customCertRE.match(i)]: + customCertOption = True + break + + if not customCertOption: + SAN.append(loc.host) - # Skips the first entry, I don't know why: bug 879740 - iterator.next() + fd.write("issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization\n") + fd.write("subject:{}\n".format(SAN[0])) + fd.write("extension:subjectAlternativeName:{}\n".format(",".join(SAN))) + +def constructCertDatabase(build, srcDir): + certutil = build.get_binary_path(what="certutil") + pk12util = build.get_binary_path(what="pk12util") + openssl = distutils.spawn.find_executable("openssl") + pycert = os.path.join(build.topsrcdir, "security", 
"manager", "ssl", "tests", + "unit", "pycert.py") + pykey = os.path.join(build.topsrcdir, "security", "manager", "ssl", "tests", + "unit", "pykey.py") + - locationsParam = "" - firstLocation = "" - for loc in iterator: - if loc.scheme == "https" and "nocert" not in loc.options: - customCertOption = False - customCertRE = re.compile("^cert=(?:\w+)") - for option in loc.options: - match = customCertRE.match(option) - if match: - customCertOption = True - break + with NamedTemporaryFile() as pwfile, NamedTemporaryFile() as rndfile, TemporaryDirectory() as pemfolder: + pgoCAPath = os.path.join(srcDir, "pgoca.p12") + + pwfile.write("\n") + pwfile.flush() + + if dbFilesExist(srcDir): + # Make sure all DB files from src are really deleted + unlinkDbFiles(srcDir) - if not customCertOption: - if len(locationsParam) > 0: - locationsParam += "," - locationsParam += loc.host + # Copy all .certspec and .keyspec files to a temporary directory + for root, dirs, files in os.walk(srcDir): + for spec in [i for i in files if i.endswith(".certspec") or i.endswith(".keyspec")]: + shutil.copyfile(os.path.join(root, spec), os.path.join(pemfolder, spec)) - if firstLocation == "": - firstLocation = loc.host + # Write a certspec for the "server-locations.txt" file to that temporary directory + pgoserver_certspec = os.path.join(pemfolder, "pgoserver.certspec") + if os.path.exists(pgoserver_certspec): + raise Exception("{} already exists, which isn't allowed".format(pgoserver_certspec)) + with open(pgoserver_certspec, "w") as fd: + writeCertspecForServerLocations(fd) - if not firstLocation: - print "Nothing to generate, no automatic secure hosts specified" - else: - createRandomFile(rndfile) + # Generate certs for all certspecs + for root, dirs, files in os.walk(pemfolder): + for certspec in [i for i in files if i.endswith(".certspec")]: + name = certspec.split(".certspec")[0] + pem = os.path.join(pemfolder, "{}.cert.pem".format(name)) - runUtil(certutil, ["-D", "-n", "pgo server 
certificate", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name]) - # Ignore the result, the certificate may not be present when new database is being built + print("Generating public certificate {} (pem={})".format(name, pem)) - status = runUtil(certutil, ["-S", "-s", "CN=%s" % firstLocation, "-t", "Pu,,", "-c", "pgo temporary ca", "-m", "2", "-8", locationsParam, "-v", "120", "-n", "pgo server certificate", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name]) - if status: - return status + with open(os.path.join(root, certspec), "r") as certspec_file: + certspec_data = certspec_file.read() + with open(pem, "w") as pem_file: + status = runUtil(pycert, [], inputdata=certspec_data, outputstream=pem_file) + if status: + return status - status = runUtil(certutil, ["-S", "-s", "CN=Imminently Distrusted End Entity", "-t", "P,,", "-c", "pgo temporary ca", "-k", "rsa", "-g", "2048", "-Z", "SHA256", "-m", "1519140221", "-n", "imminently_distrusted", "-v", "120", "-8", "imminently-distrusted.example.com", "-d", srcDir, "-z", rndfile.name, "-f", pwfile.name]) - if status: - return status + status = runUtil(certutil, ["-A", "-n", name, "-t", "P,,", "-i", pem, "-d", srcDir, "-f", pwfile.name]) + if status: + return status + - """ - As of February 2018, there are 15 more certificates which are not created by - this script. 
See bug 1441338: + for keyspec in [i for i in files if i.endswith(".keyspec")]: + parts = keyspec.split(".") + name = parts[0] + key_type = parts[1] + if key_type not in ["ca", "client", "server"]: + raise Exception("{}: keyspec filenames must be of the form XXX.client.keyspec or XXX.ca.keyspec (key_type={})".format(keyspec, key_type)) + key_pem = os.path.join(pemfolder, "{}.key.pem".format(name)) + + print("Generating private key {} (pem={})".format(name, key_pem)) - selfsigned Pu,u,u - Unknown CA Cu,u,u - escapeattack1 Pu,u,u - untrustedandexpired Pu,u,u - alternateTrustedAuthority Cu,u,u - dynamicPinningGood Pu,u,u - staticPinningBad Pu,u,u - sha1_end_entity Pu,u,u - bug413909cert u,u,u - untrusted Pu,u,u - escapeattack2 Pu,u,u - expired Pu,u,u - dynamicPinningBad Pu,u,u - sha256_end_entity Pu,u,u - """ + with open(os.path.join(root, keyspec), "r") as keyspec_file: + keyspec_data = keyspec_file.read() + with open(key_pem, "w") as pem_file: + status = runUtil(pykey, [], inputdata=keyspec_data, outputstream=pem_file) + if status: + return status + + cert_pem = os.path.join(pemfolder, "{}.cert.pem".format(name)) + if not os.path.exists(cert_pem): + raise Exception("There has to be a corresponding certificate named {} for the keyspec {}".format(cert_pem, keyspec)) + + p12 = os.path.join(pemfolder, "{}.key.p12".format(name)) + print("Converting private key {} to PKCS12 (p12={})".format(key_pem, p12)) + status = runUtil(openssl, ["pkcs12", "-export", "-inkey", key_pem, "-in", cert_pem, "-name", name, "-out", p12, "-passout", "file:"+pwfile.name]) + if status: + return status + + print("Importing private key {} to database".format(key_pem)) + status = runUtil(pk12util, ["-i", p12, "-d", srcDir, "-w", pwfile.name, "-k", pwfile.name]) + if status: + return status + + if key_type == "ca": + shutil.copyfile(cert_pem, os.path.join(srcDir, "{}.ca".format(name))) + elif key_type == "client": + shutil.copyfile(p12, os.path.join(srcDir, "{}.client".format(name))) + elif 
key_type == "server": + pass # Nothing to do for server keys + else: + raise Exception("State error: Unknown keyspec key_type: {}".format(key_type)) return 0 -if len(sys.argv) == 1: - print "Specify --gen-server or --gen-ca" - sys.exit(1) - build = MozbuildObject.from_environment() certdir = os.path.join(build.topsrcdir, "build", "pgo", "certs") -if sys.argv[1] == "--gen-server": - certificateStatus = createSSLServerCertificate(build, certdir) - if certificateStatus: - print "TEST-UNEXPECTED-FAIL | SSL Server Certificate generation" - - sys.exit(certificateStatus) - -if sys.argv[1] == "--gen-ca": - certificateStatus = createCertificateAuthority(build, certdir) - if certificateStatus: - print "TEST-UNEXPECTED-FAIL | Certificate Authority generation" - else: - print "\n\n" - print "===================================================" - print " IMPORTANT:" - print " To use this new certificate authority in tests" - print " run 'make' at testing/mochitest" - print "===================================================" - - sys.exit(certificateStatus) - -print "Invalid option specified" -sys.exit(1) +certificateStatus = constructCertDatabase(build, certdir) +if certificateStatus: + print "TEST-UNEXPECTED-FAIL | SSL Server Certificate generation" +sys.exit(certificateStatus)
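Review bot: `writeCertspecForServerLocations` writes `SAN[0]` without checking that any host was collected, so a server-locations.txt with no automatic https hosts now ends in an IndexError where the removed code printed "Nothing to generate, no automatic secure hosts specified". A guard before the three writes, `if not SAN: raise Exception("no automatic secure hosts in server-locations.txt")`, keeps that case explicit. The function also reads `build` from module scope instead of taking it as a parameter, which works only because the global is assigned before `constructCertDatabase` is called. In `constructCertDatabase`, the keyspec error message names only the `XXX.client.keyspec` and `XXX.ca.keyspec` forms although `server` is accepted too, and `rndfile` is still opened but no longer used.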
--- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -37,17 +37,17 @@ "ajv-keywords": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-2.1.1.tgz", "integrity": "sha1-YXmX/F9gV2iUxDX5QNgZ4TW4B2I=" }, "ansi-escapes": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-3.0.0.tgz", - "integrity": "sha512-O/klc27mWNUigtv0F8NJWbLF00OcegQalkqKURWdosW08YZKi4m6CnSUSvIZG1otNJbTWhN01Hhz389DW7mvDQ==" + "integrity": "sha1-7D6LTp+AZPwCw6ybZfHCdb2o75I=" }, "ansi-regex": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz", "integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=" }, "ansi-styles": { "version": "2.2.1", @@ -170,17 +170,17 @@ "chardet": { "version": "0.4.2", "resolved": "https://registry.npmjs.org/chardet/-/chardet-0.4.2.tgz", "integrity": "sha1-tUc7M9yXxCTl2Y3IfVXU2KKci/I=" }, "circular-json": { "version": "0.3.3", "resolved": "https://registry.npmjs.org/circular-json/-/circular-json-0.3.3.tgz", - "integrity": "sha512-UZK3NBx2Mca+b5LsG7bY183pHWt5Y1xts4P3Pz7ENTwGVnJOUWbRb3ocjvX7hx9tq/yTAdclXm9sZ38gNuem4A==" + "integrity": "sha1-gVyZ6oT2gJUp0vRXkb34JxE1LWY=" }, "cli-cursor": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz", "integrity": "sha1-s12sN2R5+sw+lHR9QdDQ9SOP/LU=", "requires": { "restore-cursor": "2.0.0" } 
@@ -193,17 +193,17 @@ "co": { "version": "4.6.0", "resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz", "integrity": "sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ=" }, "color-convert": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.1.tgz", - "integrity": "sha512-mjGanIiwQJskCC18rPR6OmrZ6fm2Lc7PeGFYwCmy5J34wC6F1PzdGL6xeMfmgicfYcNLGuVFA3WzXtIDCQSZxQ==", + "integrity": "sha1-wSYRB66y8pTr/+ye2eytUppgl+0=", "requires": { "color-name": "1.1.3" } }, "color-name": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=" @@ -236,17 +236,17 @@ "lru-cache": "4.1.2", "shebang-command": "1.2.0", "which": "1.3.0" } }, "debug": { "version": "3.1.0", "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz", - "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==", + "integrity": "sha1-W7WgZyYotkFJVmuhaBnmFRjGcmE=", "requires": { "ms": "2.0.0" } }, "deep-is": { "version": "0.1.3", "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz", "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=" @@ -263,17 +263,17 @@ "pify": "2.3.0", "pinkie-promise": "2.0.1", "rimraf": "2.6.2" } }, "doctrine": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-2.1.0.tgz", - "integrity": "sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==", + "integrity": "sha1-XNAfwQFiG0LEzX9dGmYkNxbT850=", "requires": { "esutils": "2.0.2" } }, "dom-serializer": { "version": "0.1.0", "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-0.1.0.tgz", "integrity": "sha1-BzxpdUbOB4DOI75KKOKT5AvDDII=", 
@@ -363,17 +363,17 @@ "strip-json-comments": "2.0.1", "table": "4.0.2", "text-table": "0.2.0" } }, "eslint-plugin-html": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/eslint-plugin-html/-/eslint-plugin-html-4.0.2.tgz", - "integrity": "sha512-CrQd0F8GWdNWnu4PFrYZl+LjUCXNVy2h0uhDMtnf/7VKc9HRcnkXSrlg0BSGfptZPSzmwnnwCaREAa9+fnQhYw==", + "integrity": "sha1-DlYUnkLC/8Pw32JhqLuWsanyKA0=", "requires": { "htmlparser2": "3.9.2" } }, "eslint-plugin-mozilla": { "version": "file:tools/lint/eslint/eslint-plugin-mozilla", "requires": { "ini-parser": "0.0.2", @@ -405,31 +405,31 @@ "requires": { "esrecurse": "4.2.1", "estraverse": "4.2.0" } }, "eslint-visitor-keys": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz", - "integrity": "sha512-qzm/XxIbxm/FHyH341ZrbnMUpe+5Bocte9xkmFMzPMjRaZMcXww+MpBptFvtU+79L362nqiLhekCxCxDPaUMBQ==" + "integrity": "sha1-PzGA+y4pEBdxastMnW1bXDSmqB0=" }, "espree": { "version": "3.5.4", "resolved": "https://registry.npmjs.org/espree/-/espree-3.5.4.tgz", "integrity": "sha512-yAcIQxtmMiB/jL32dzEp2enBeidsB7xWPLNiw3IIkpVds1P+h7qF9YwJq1yUNzp2OKXgAprs4F61ih66UsoD1A==", "requires": { "acorn": "5.5.3", "acorn-jsx": "3.0.1" } }, "esprima": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.0.tgz", - "integrity": "sha512-oftTcaMu/EGrEIu904mWteKIv8vMuOgGYo7EhVJJN00R/EED9DCua/xxHRdYnKtcECzVg7xOWhflvJMnqcFZjw==" + "integrity": "sha1-RJnt3NERDgshi6zy+n9/WfVcqAQ=" }, "esquery": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.0.0.tgz", "integrity": "sha1-z7qLV9f7qT8XKYqKAGoEzaE9gPo=", "requires": { "estraverse": "4.2.0" } 
@@ -450,17 +450,17 @@ "esutils": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.2.tgz", "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=" }, "external-editor": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/external-editor/-/external-editor-2.1.0.tgz", - "integrity": "sha512-E44iT5QVOUJBKij4IIV3uvxuNlbKS38Tw1HiupxEIHPv9qtC2PrDYohbXV5U+1jnfIXttny8gUhj+oZvflFlzA==", + "integrity": "sha1-PQJqIbf5W1cmOH1CAKwWDTcsO0g=", "requires": { "chardet": "0.4.2", "iconv-lite": "0.4.19", "tmp": "0.0.33" } }, "fast-deep-equal": { "version": "1.1.0", 
@@ -508,40 +508,40 @@ "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=" }, "function-bind": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz", - "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==" + "integrity": "sha1-pWiZ0+o8m6uHS7l3O3xe3pL0iV0=" }, "functional-red-black-tree": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/functional-red-black-tree/-/functional-red-black-tree-1.0.1.tgz", "integrity": "sha1-GwqzvVU7Kg1jmdKcDj6gslIHgyc=" }, "glob": { "version": "7.1.2", "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.2.tgz", - "integrity": "sha512-MJTUg1kjuLeQCJ+ccE4Vpa6kKVXkPYJ2mOCQyUuKLcLQsdrMCpBPUi8qVE6+YuaJkozeA9NusTAw3hLr8Xe5EQ==", + "integrity": "sha1-wZyd+aAocC1nhhI4SmVSQExjbRU=", "requires": { "fs.realpath": "1.0.0", "inflight": "1.0.6", "inherits": "2.0.3", "minimatch": "3.0.4", "once": "1.4.0", "path-is-absolute": "1.0.1" } }, "globals": { "version": "11.3.0", "resolved": "https://registry.npmjs.org/globals/-/globals-11.3.0.tgz", - "integrity": "sha512-kkpcKNlmQan9Z5ZmgqKH/SMbSmjxQ7QjyNqfXVc8VJcoBV2UEg+sxQD15GQofGRh2hfpwUb70VC31DR7Rq5Hdw==" + "integrity": "sha1-4E/be5eW2K2snI9kwUg3sjEzeLA=" }, "globby": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/globby/-/globby-5.0.0.tgz", "integrity": "sha1-69hGZ8oNuzMLmbz8aOrCvFQ3Dg0=", "requires": { "array-union": "1.0.2", "arrify": "1.0.1", 
@@ -588,22 +588,22 @@ "entities": "1.1.1", "inherits": "2.0.3", "readable-stream": "2.3.5" } }, "iconv-lite": { "version": "0.4.19", "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.19.tgz", - "integrity": "sha512-oTZqweIP51xaGPI4uPa56/Pri/480R+mo7SeU+YETByQNhDG55ycFyNLIgta9vXhILrxXDmF7ZGhqZIcuN0gJQ==" + "integrity": "sha1-90aPYBNfXl2tM5nAqBvpoWA6CCs=" }, "ignore": { "version": "3.3.7", "resolved": "https://registry.npmjs.org/ignore/-/ignore-3.3.7.tgz", - "integrity": "sha512-YGG3ejvBNHRqu0559EOxxNFihD0AjpvHlC/pdGKd3X3ofe+CoJkYazwNJYTNebqpPKN+VVQbh4ZFn1DivMNuHA==" + "integrity": "sha1-YSKJv7PCIOGGpYEYYY1b6MG6sCE=" }, "imurmurhash": { "version": "0.1.4", "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", "integrity": "sha1-khi5srkoojixPcT7a21XbyMUU+o=" }, "inflight": { "version": "1.0.6", @@ -622,17 +622,17 @@ "ini-parser": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/ini-parser/-/ini-parser-0.0.2.tgz", "integrity": "sha1-+kF4flZ3Y7P/Zdel2alO23QHh+8=" }, "inquirer": { "version": "3.3.0", "resolved": "https://registry.npmjs.org/inquirer/-/inquirer-3.3.0.tgz", - "integrity": "sha512-h+xtnyk4EwKvFWHrUYsWErEVR+igKtLdchu+o0Z1RL7VU/jVMFbYir2bp6bAj8efFNxWqHX0dIss6fJQ+/+qeQ==", + "integrity": "sha1-ndLyrXZdyrH/BEO0kUQqILoifck=", "requires": { "ansi-escapes": "3.0.0", "chalk": "2.3.2", "cli-cursor": "2.1.0", "cli-width": "2.2.0", "external-editor": "2.1.0", "figures": "2.0.0", "lodash": "4.17.5", 
@@ -674,17 +674,17 @@ "is-promise": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.1.0.tgz", "integrity": "sha1-eaKp7OfwlugPNtKy87wWwf9L8/o=" }, "is-resolvable": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/is-resolvable/-/is-resolvable-1.1.0.tgz", - "integrity": "sha512-qgDYXFSR5WvEfuS5dMj6oTMEbrrSaM0CrFk2Yiq/gXnBvD9pMa2jGXxyhGLfvhZpuMZe18CJpFxAt3CRs42NMg==" + "integrity": "sha1-+xj4fOH+uSUWnJpAfBkxijIG7Yg=" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=" }, "isexe": { "version": "2.0.0", 
@@ -727,36 +727,36 @@ "requires": { "prelude-ls": "1.1.2", "type-check": "0.3.2" } }, "lodash": { "version": "4.17.5", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz", - "integrity": "sha512-svL3uiZf1RwhH+cWrfZn3A4+U58wbP0tGVTLQPbjplZxZ8ROD9VLuNgsRniTlLe7OlSqR79RUehXgpBW/s0IQw==" + "integrity": "sha1-maktZcAnLevoyWtgV7yPv6O+1RE=" }, "lru-cache": { "version": "4.1.2", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-4.1.2.tgz", "integrity": "sha512-wgeVXhrDwAWnIF/yZARsFnMBtdFXOg1b8RIrhilp+0iDYN4mdQcNZElDZ0e4B64BhaxeQ5zN7PMyvu7we1kPeQ==", "requires": { "pseudomap": "1.0.2", "yallist": "2.1.2" } }, "mimic-fn": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-1.2.0.tgz", - "integrity": "sha512-jf84uxzwiuiIVKiOLpfYk7N46TSy8ubTonmneY9vrpHNAnp0QBt2BxWV9dO3/j+BoVAb+a5G6YDPW3M5HOdMWQ==" + "integrity": "sha1-ggyGo5M0ZA6ZUWkovQP8qIBX0CI=" }, "minimatch": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", - "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", + "integrity": "sha1-UWbihkV/AzBgZL5Ul+jbsMPTIIM=", "requires": { "brace-expansion": "1.1.11" } }, "minimist": { "version": "0.0.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" @@ -849,17 +849,17 @@ "integrity": "sha1-ITXW36ejWMBprJsXh3YogihFD/o=", "requires": { "pinkie": "2.0.4" } }, "pluralize": { "version": "7.0.0", "resolved": "https://registry.npmjs.org/pluralize/-/pluralize-7.0.0.tgz", - "integrity": "sha512-ARhBOdzS3e41FbkW/XWrTEtukqqLoK5+Z/4UeDaLuSW+39JPeFgs4gCGqsrJHVZX0fUrx//4OF0K1CUGwlIFow==" + "integrity": "sha1-KYuJ34uTsCIdv0Ia0rGx6iP8Z3c=" }, "prelude-ls": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz", "integrity": "sha1-IZMqVJ9eUv/ZqCf1cOBL5iqX2lQ=" }, "process-nextick-args": { "version": "2.0.0", 
@@ -911,17 +911,17 @@ "requires": { "onetime": "2.0.1", "signal-exit": "3.0.2" } }, "rimraf": { "version": "2.6.2", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.6.2.tgz", - "integrity": "sha512-lreewLK/BlghmxtfH36YYVg1i8IAce4TI7oao75I1g245+6BctqTVQiBP3YUJ9C6DQOXJmkYR9X9fCLtCOJc5w==", + "integrity": "sha1-LtgVDSShbqhlHm1u8PR8QVjOejY=", "requires": { "glob": "7.1.2" } }, "run-async": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/run-async/-/run-async-2.3.0.tgz", "integrity": "sha1-A3GrSuC91yDUFm19/aZP96RFpsA=", @@ -940,27 +940,27 @@ "integrity": "sha1-dTuHqJoRyVRnxKwWJsTvxOBcZ74=", "requires": { "rx-lite": "4.0.8" } }, "safe-buffer": { "version": "5.1.1", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.1.tgz", - "integrity": "sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg==" + "integrity": "sha1-iTMSr2myEj3vcfV4iQAWce6yyFM=" }, "sax": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz", "integrity": "sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==" }, "semver": { "version": "5.5.0", "resolved": "https://registry.npmjs.org/semver/-/semver-5.5.0.tgz", - "integrity": "sha512-4SJ3dm0WAwWy/NVeioZh5AntkdJoWKxHxcmyP622fOkgHa4z3R0TdBJICINyaSDE6uNwVc8gZr+ZinwZAH4xIA==" + "integrity": "sha1-3Eu8emyp2Rbe5dQ1FvAJK1j3uKs=" }, "shebang-command": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-1.2.0.tgz", "integrity": "sha1-RKrGW2lbAzmJaMOfNj/uXer98eo=", "requires": { "shebang-regex": "1.0.0" } 
@@ -973,39 +973,39 @@ "signal-exit": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz", "integrity": "sha1-tf3AjxKH6hF4Yo5BXiUTK3NkbG0=" }, "slice-ansi": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-1.0.0.tgz", - "integrity": "sha512-POqxBK6Lb3q6s047D/XsDVNPnF9Dl8JSaqe9h9lURl0OdNqy/ujDrOiIHtsqXMGbWWTIomRzAMaTyawAU//Reg==", + "integrity": "sha1-BE8aSdiEL/MHqta1Be0Xi9lQE00=", "requires": { "is-fullwidth-code-point": "2.0.0" } }, "sprintf-js": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" }, "string-width": { "version": "2.1.1", "resolved": "https://registry.npmjs.org/string-width/-/string-width-2.1.1.tgz", - "integrity": "sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==", + "integrity": "sha1-q5Pyeo3BPSjKyBXEYhQ6bZASrp4=", "requires": { "is-fullwidth-code-point": "2.0.0", "strip-ansi": "4.0.0" } }, "string_decoder": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.0.3.tgz", - "integrity": "sha512-4AH6Z5fzNNBcH+6XDMfA/BTt87skxqJlO0lAh3Dker5zThcAxG6mKz+iGu308UKoPPQ8Dcqx/4JhujzltRa+hQ==", + "integrity": "sha1-D8Z9fBQYJd6UKC3VNr7GubzoYKs=", "requires": { "safe-buffer": "5.1.1" } }, "strip-ansi": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz", "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=", 
@@ -1028,17 +1028,17 @@ "supports-color": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz", "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=" }, "table": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/table/-/table-4.0.2.tgz", - "integrity": "sha512-UUkEAPdSGxtRpiV9ozJ5cMTtYiqz7Ni1OGqLXRCynrvzdtR1p+cfOWe2RJLwvUG8hNanaSRjecIqwOjqeatDsA==", + "integrity": "sha1-ozRHN1OR52atNNNIbm4q7chNLjY=", "requires": { "ajv": "5.5.2", "ajv-keywords": "2.1.1", "chalk": "2.3.2", "lodash": "4.17.5", "slice-ansi": "1.0.0", "string-width": "2.1.1" } @@ -1051,17 +1051,17 @@ "through": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz", "integrity": "sha1-DdTJ/6q8NXlgsbckEV1+Doai4fU=" }, "tmp": { "version": "0.0.33", "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz", - "integrity": "sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==", + "integrity": "sha1-bTQzWIl2jSGyvNoKonfO07G/rfk=", "requires": { "os-tmpdir": "1.0.2" } }, "type-check": { "version": "0.3.2", "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.3.2.tgz", "integrity": "sha1-WITKtRLPHTVeP7eE8wgEsrUg23I=", @@ -1077,17 +1077,17 @@ "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=" }, "which": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/which/-/which-1.3.0.tgz", - "integrity": "sha512-xcJpopdamTuY5duC/KnTTNBraPK54YwpenP4lzxU8H91GudWpFv38u0CKjclE1Wi2EH2EDz5LRcHcKbCIzqGyg==", + "integrity": "sha1-/wS9/AEO5UfXgL7DjhrBwnd9JTo=", "requires": { "isexe": "2.0.0" } }, "wordwrap": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-1.0.0.tgz", "integrity": "sha1-J1hIEIkUVqQXHI0CJkQa3pDLyus="
--- a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js +++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js @@ -77,18 +77,18 @@ function checkDialogContents(win, notBef win.document.getElementById("details").value.split("\n"); Assert.equal(subject, "Issued to: CN=Mochitest client", "Actual and expected subject should be equal"); Assert.equal(serialNum, "Serial number: 03", "Actual and expected serial number should be equal"); Assert.equal(validity, `Valid from ${notBefore} to ${notAfter}`, "Actual and expected validity should be equal"); Assert.equal(issuer, - "Issued by: CN=Temporary Certificate Authority,O=Mozilla " + - "Testing,OU=Profile Guided Optimization", + "Issued by: OU=Profile Guided Optimization,O=Mozilla Testing," + + "CN=Temporary Certificate Authority", "Actual and expected issuer should be equal"); Assert.equal(tokenName, "Stored on: Software Security Device", "Actual and expected token name should be equal"); } function findCertByCommonName(commonName) { let certEnumerator = certDB.getCerts().getEnumerator(); while (certEnumerator.hasMoreElements()) {
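Review bot: The expected issuer in `checkDialogContents` is now pinned to one exact RDN order (`OU=…,O=…,CN=…`), and nothing in the hunk says where that order comes from. Presumably it follows from how the test CA's subject is encoded after this change. A one-line comment above the assertion, such as `// RDN order mirrors the issuer DN of the generated test CA`, would tell the next maintainer what to check when the CA is regenerated. `checkDialogContents` starts before the hunk.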
--- a/security/manager/ssl/tests/unit/pycert.py +++ b/security/manager/ssl/tests/unit/pycert.py @@ -721,17 +721,17 @@ class Certificate(object): def toPEM(self): output = '-----BEGIN CERTIFICATE-----' der = self.toDER() b64 = base64.b64encode(der) while b64: output += '\n' + b64[:64] b64 = b64[64:] - output += '\n-----END CERTIFICATE-----\n' + output += '\n-----END CERTIFICATE-----' return output # The build harness will call this function with an output # file-like object and a path to a file containing a # specification. This will read the specification and output # the certificate as PEM. # This utility tries as hard as possible to ensure that two
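Review bot: `toPEM` now returns text with no final newline, so a caller that writes the result straight to a file produces a PEM file with no line terminator after `-----END CERTIFICATE-----`. If such files are ever concatenated into a bundle, the END and BEGIN markers land on the same line and the bundle will probably not parse. The harness entry point described in the trailing comment is outside this hunk, so check whether it should write `toPEM() + '\n'`. At minimum, document the contract on the method: `# Returns PEM without a trailing newline; callers writing to a file add their own.`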
--- a/security/manager/ssl/tests/unit/pykey.py +++ b/security/manager/ssl/tests/unit/pykey.py @@ -751,9 +751,9 @@ def keyFromSpecification(specification): def main(output, inputPath): with open(inputPath) as configStream: output.write(keyFromSpecification(configStream.read().strip()).toPEM()) # When run as a standalone program, this will read a specification from # stdin and output the certificate as PEM to stdout. if __name__ == '__main__': - print keyFromSpecification(sys.stdin.read()).toPEM() + print keyFromSpecification(sys.stdin.read().strip()).toPEM()
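Review bot: The `.strip()` added to the stdin path duplicates the one already in `main`, and the two call sites drifting apart looks like what this line corrects. Normalising inside `keyFromSpecification`, with `specification = specification.strip()` as its first statement, would keep every caller consistent. Its body is outside the hunk, so confirm it does not already depend on surrounding whitespace.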
--- a/testing/mochitest/runtests.py +++ b/testing/mochitest/runtests.py @@ -616,17 +616,17 @@ class SSLTunnel: prefix="ssltunnel", suffix=".cfg") with os.fdopen(configFd, "w") as config: config.write("httpproxy:1\n") config.write("certdbdir:%s\n" % self.certPath) config.write("forward:127.0.0.1:%s\n" % self.httpPort) config.write( "websocketserver:%s:%s\n" % (self.webServer, self.webSocketPort)) - config.write("listen:*:%s:pgo server certificate\n" % self.sslPort) + config.write("listen:*:%s:pgoserver\n" % self.sslPort) for loc in locations: if loc.scheme == "https" and "nocert" not in loc.options: self.writeLocation(config, loc) def start(self): """ Starts the SSL Tunnel """
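Review bot: The certificate nickname in the `listen:` line is a bare literal (`pgoserver`) that has to match a certificate in the database at `self.certPath`, and nothing here ties the two together. A mismatch would presumably only show up when the tunnel starts. A comment above the line, `# Nickname must match the server certificate in certdbdir.`, or a module-level constant for the nickname, would make the coupling explicit. The enclosing method starts before the hunk.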