From b903b535d3ef82fab12a9cc0fa50fccc396ced55 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Wed, 9 Jul 2025 14:08:52 -0400
Subject: [PATCH 01/37] acme: capture pebble test subprocess stdout/stderr

When spawning the pebble and pebble-challtestserv processes redirect
stdout/stderr to bytes.Buffer instances and print their content at test
end as appropriate.

The stdout/stderr content for each process is printed if the test
failed, or if testing is being done in verbose mode. Otherwise the
output is swallowed.

This makes debugging test failures much easier as output from the
subprocesses from independent tests isn't intermingled.

Updates golang/go#74437

Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest
Change-Id: Ia79a3609ce3522ef6248442de247554c39367162
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/686935
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/pebble_test.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/acme/pebble_test.go b/acme/pebble_test.go
index 63e6cc5836..af7aee67d2 100644
--- a/acme/pebble_test.go
+++ b/acme/pebble_test.go
@@ -776,14 +776,28 @@ func prepareBinaries(t *testing.T, pebbleDir string) string {
 func spawnServerProcess(t *testing.T, dir string, cmd string, args ...string) {
 	t.Helper()
 
+	var stdout, stderr bytes.Buffer
+
 	cmdInstance := exec.Command("./"+cmd, args...)
 	cmdInstance.Dir = dir
-	cmdInstance.Stdout = os.Stdout
-	cmdInstance.Stderr = os.Stderr
+	cmdInstance.Stdout = &stdout
+	cmdInstance.Stderr = &stderr
+
 	if err := cmdInstance.Start(); err != nil {
 		t.Fatalf("failed to start %s: %v", cmd, err)
 	}
+
 	t.Cleanup(func() {
 		cmdInstance.Process.Kill()
+
+		if t.Failed() || testing.Verbose() {
+			t.Logf("=== %s output ===", cmd)
+			if stdout.Len() > 0 {
+				t.Logf("stdout:\n%s", strings.TrimSpace(stdout.String()))
+			}
+			if stderr.Len() > 0 {
+				t.Logf("stderr:\n%s", strings.TrimSpace(stderr.String()))
+			}
+		}
 	})
 }

From 1b4c3d2e8c8be172c6af8f2f72778e69e74d2e78 Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Mon, 14 Jul 2025 16:00:58 +0000
Subject: [PATCH 02/37] x509roots/fallback: update bundle

This is an automated CL which updates the NSS root bundle.

[git-generate]
go generate ./x509roots

Change-Id: Ib30b702d41dedacce835628a9dab456098be0703
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/687895
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
---
 x509roots/fallback/bundle.go | 132 +++++++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)

diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle.go
index 19a168c4bb..bb26698790 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle.go
@@ -3263,6 +3263,43 @@ Ld6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8js1WtciVORvnSFu+w
 ZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+ACOzB2+htt
 Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
 -----END CERTIFICATE-----
+`,
+	},
+	{
+		cn:         "CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH",
+		sha256Hash: "193144f431e0fddb740717d4de926a571133884b4360d30e272913cbe660ce41",
+		pem: `-----BEGIN CERTIFICATE-----
+MIIFkzCCA3ugAwIBAgIUQ/oMX04bgBhE79G0TzUfRPSA7cswDQYJKoZIhvcNAQEL
+BQAwUTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UE
+AxMiU3dpc3NTaWduIFJTQSBUTFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2MDgx
+MTA4MjJaFw00NzA2MDgxMTA4MjJaMFExCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxT
+d2lzc1NpZ24gQUcxKzApBgNVBAMTIlN3aXNzU2lnbiBSU0EgVExTIFJvb3QgQ0Eg
+MjAyMiAtIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLKmjiC8NX
+vDVjvHClO/OMPE5Xlm7DTjak9gLKHqquuN6orx122ro10JFwB9+zBvKK8i5VUXu7
+LCTLf5ImgKO0lPaCoaTo+nUdWfMHamFk4saMla+ju45vVs9xzF6BYQ1t8qsCLqSX
+5XH8irCRIFucdFJtrhUnWXjyCcplDn/L9Ovn3KlMd/YrFgSVrpxxpT8q2kFC5zyE
+EPThPYxr4iuRR1VPuFa+Rd4iUU1OKNlfGUEGjw5NBuBwQCMBauTLE5tzrE0USJIt
+/m2n+IdreXXhvhCxqohAWVTXz8TQm0SzOGlkjIHRI36qOTw7D59Ke4LKa2/KIj4x
+0LDQKhySio/YGZxH5D4MucLNvkEM+KRHBdvBFzA4OmnczcNpI/2aDwLOEGrOyvi5
+KaM2iYauC8BPY7kGWUleDsFpswrzd34unYyzJ5jSmY0lpx+Gs6ZUcDj8fV3oT4MM
+0ZPlEuRU2j7yrTrePjxF8CgPBrnh25d7mUWe3f6VWQQvdT/TromZhqwUtKiE+shd
+OxtYk8EXlFXIC+OCeYSf8wCENO7cMdWP8vpPlkwGqnj73mSiI80fPsWMvDdUDrta
+clXvyFu1cvh43zcgTFeRc5JzrBh3Q4IgaezprClG5QtO+DdziZaKHG29777YtvTK
+wP1H8K4LWCDFyB02rpeNUIMmJCn3nTsPBQIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBRvjmKLk0Ow4UD2p8P98Q+4
+DxU4pTAdBgNVHQ4EFgQUb45ii5NDsOFA9qfD/fEPuA8VOKUwDQYJKoZIhvcNAQEL
+BQADggIBAKwsKUF9+lz1GpUYvyypiqkkVHX1uECry6gkUSsYP2OprphWKwVDIqO3
+10aewCoSPY6WlkDfDDOLazeROpW7OSltwAJsipQLBwJNGD77+3v1dj2b9l4wBlgz
+Hqp41eZUBDqyggmNzhYzWUUo8aWjlw5DI/0LIICQ/+Mmz7hkkeUFjxOgdg3XNwwQ
+iJb0Pr6VvfHDffCjw3lHC1ySFWPtUnWK50Zpy1FVCypM9fJkT6lc/2cyjlUtMoIc
+gC9qkfjLvH4YoiaoLqNTKIftV+Vlek4ASltOU8liNr3CjlvrzG4ngRhZi0Rjn9UM
+ZfQpZX+RLOV/fuiJz48gy20HQhFRJjKKLjpHE7iNvUcNCfAWpO2Whi4Z2L6MOuhF
+LhG6rlrnub+xzI/goP+4s9GFe3lmozm1O2bYQL7Pt2eLSMkZJVX8vY3PXtpOpvJp
+zv1/THfQwUY1mFwjmwJFQ5Ra3bxHrSL+ul4vkSkphnsh3m5kt8sNjzdbowhq6/Td
+Ao9QAwKxuDdollDruF/UKIqlIgyKhPBZLtU30WHlQnNYKoH3dtvi4k0NX/a3vgW0
+rk4N3hY9A4GzJl5LuEsAz/+MF7psYC0nhzck5npgL7XTgwSqT0N1osGDsieYK7EO
+gLrAhV5Cud+xYJHT6xh+cHiudoO+cVrQkOPKwRYlZ0rwtnu64ZzZ
+-----END CERTIFICATE-----
 `,
 	},
 	{
@@ -3606,6 +3643,62 @@ AwIBBjAKBggqhkjOPQQDAwNnADBkAjBe8usGzEkxn0AAbbd+NvBNEU/zy4k6LHiR
 UKNbwMp1JvK/kF0LgoxgKJ/GcJpo5PECMFxYDlZ2z1jD1xCMuo6u47xkdUfFVZDj
 /bpV6wfEU6s3qe4hsiFbYI89MvHVI5TWWA==
 -----END CERTIFICATE-----
+`,
+	},
+	{
+		cn:         "CN=TrustAsia TLS ECC Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
+		sha256Hash: "c0076b9ef0531fb1a656d67c4ebe97cd5dbaa41ef44598acc2489878c92d8711",
+		pem: `-----BEGIN CERTIFICATE-----
+MIICMTCCAbegAwIBAgIUNnThTXxlE8msg1UloD5Sfi9QaMcwCgYIKoZIzj0EAwMw
+WDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dpZXMs
+IEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgRUNDIFJvb3QgQ0EwHhcNMjQw
+NTE1MDU0MTU2WhcNNDQwNTE1MDU0MTU1WjBYMQswCQYDVQQGEwJDTjElMCMGA1UE
+ChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAGA1UEAxMZVHJ1c3RB
+c2lhIFRMUyBFQ0MgUm9vdCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLh/pVs/
+AT598IhtrimY4ZtcU5nb9wj/1WrgjstEpvDBjL1P1M7UiFPoXlfXTr4sP/MSpwDp
+guMqWzJ8S5sUKZ74LYO1644xST0mYekdcouJtgq7nDM1D9rs3qlKH8kzsaNCMEAw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULIVTu7FDzTLqnqOH/qKYqKaT6RAw
+DgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMFRH18MtYYZI9HlaVQ01
+L18N9mdsd0AaRuf4aFtOJx24mH1/k78ITcTaRTChD15KeAIxAKORh/IRM4PDwYqR
+OkwrULG9IpRdNYlzg8WbGf60oenUoWa2AaU2+dhoYSi3dOGiMQ==
+-----END CERTIFICATE-----
+`,
+	},
+	{
+		cn:         "CN=TrustAsia TLS RSA Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
+		sha256Hash: "06c08d7dafd876971eb1124fe67f847ec0c7a158d3ea53cbe940e2ea9791f4c3",
+		pem: `-----BEGIN CERTIFICATE-----
+MIIFgDCCA2igAwIBAgIUHBjYz+VTPyI1RlNUJDxsR9FcSpwwDQYJKoZIhvcNAQEM
+BQAwWDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dp
+ZXMsIEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgUlNBIFJvb3QgQ0EwHhcN
+MjQwNTE1MDU0MTU3WhcNNDQwNTE1MDU0MTU2WjBYMQswCQYDVQQGEwJDTjElMCMG
+A1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAGA1UEAxMZVHJ1
+c3RBc2lhIFRMUyBSU0EgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAMMWuBtqpERz5dZO9LnPWwvB0ZqB9WOwj0PBuwhaGnrhB3YmH49pVr7+
+NmDQDIPNlOrnxS1cLwUWAp4KqC/lYCZUlviYQB2srp10Zy9U+5RjmOMmSoPGlbYJ
+Q1DNDX3eRA5gEk9bNb2/mThtfWza4mhzH/kxpRkQcwUqwzIZheo0qt1CHjCNP561
+HmHVb70AcnKtEj+qpklz8oYVlQwQX1Fkzv93uMltrOXVmPGZLmzjyUT5tUMnCE32
+ft5EebuyjBza00tsLtbDeLdM1aTk2tyKjg7/D8OmYCYozza/+lcK7Fs/6TAWe8Tb
+xNRkoDD75f0dcZLdKY9BWN4ArTr9PXwaqLEX8E40eFgl1oUh63kd0Nyrz2I8sMeX
+i9bQn9P+PN7F4/w6g3CEIR0JwqH8uyghZVNgepBtljhb//HXeltt08lwSUq6HTrQ
+UNoyIBnkiz/r1RYmNzz7dZ6wB3C4FGB33PYPXFIKvF1tjVEK2sUYyJtt3LCDs3+j
+TnhMmCWr8n4uIF6CFabW2I+s5c0yhsj55NqJ4js+k8UTav/H9xj8Z7XvGCxUq0DT
+bE3txci3OE9kxJRMT6DNrqXGJyV1J23G2pyOsAWZ1SgRxSHUuPzHlqtKZFlhaxP8
+S8ySpg+kUb8OWJDZgoM5pl+z+m6Ss80zDoWo8SnTq1mt1tve1CuBAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLgHkXlcBvRG/XtZylomkadFK/hT
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQwFAAOCAgEAIZtqBSBdGBanEqT3
+Rz/NyjuujsCCztxIJXgXbODgcMTWltnZ9r96nBO7U5WS/8+S4PPFJzVXqDuiGev4
+iqME3mmL5Dw8veWv0BIb5Ylrc5tvJQJLkIKvQMKtuppgJFqBTQUYo+IzeXoLH5Pt
+7DlK9RME7I10nYEKqG/odv6LTytpEoYKNDbdgptvT+Bz3Ul/KD7JO6NXBNiT2Twp
+2xIQaOHEibgGIOcberyxk2GaGUARtWqFVwHxtlotJnMnlvm5P1vQiJ3koP26TpUJ
+g3933FEFlJ0gcXax7PqJtZwuhfG5WyRasQmr2soaB82G39tp27RIGAAtvKLEiUUj
+pQ7hRGU+isFqMB3iYPg6qocJQrmBktwliJiJ8Xw18WLK7nn4GS/+X/jbh87qqA8M
+pugLoDzga5SYnH+tBuYc6kIQX+ImFTw3OffXvO645e8D7r0i+yiGNFjEWn9hongP
+XvPKnbwbPKfILfanIhHKA9jnZwqKDss1jjQ52MjqjZ9k4DewbNfFj8GQYSbbJIwe
+SsCI3zWQzj8C9GRh3sfIB5XeMhg6j6JCQCTl1jNdfK7vsU1P1FeQNWrcrgSXSYk0
+ly4wBOeY99sLAZDBHwo/+ML+TvrbmnNzFrwFuHnYWa8G5z9nODmxfKuU4CkUpijy
+323imttUQ/hHWKNddBWcwauwxzQ=
+-----END CERTIFICATE-----
 `,
 	},
 	{
@@ -4150,6 +4243,45 @@ i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN
 -----END CERTIFICATE-----
 `,
 	},
+	{
+		cn:         "OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",
+		sha256Hash: "c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5",
+		pem: `-----BEGIN CERTIFICATE-----
+MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBe
+MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
+ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
+Fw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYTAlRXMSMw
+IQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UECwwhZVBL
+SSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAH
+SyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAh
+ijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3X
+DZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1
+TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SXDrkb5wdJ
+fzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0OWQqraffA
+sgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uU
+WH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLS
+nT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pH
+dmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJip
+NiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3pyKdVDEC
+AwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/QkqiMAwGA1UdEwQF
+MAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH
+ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGB
+uvl2ICO1J2B01GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6Yl
+PwZpVnPDimZI+ymBV3QGypzqKOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkP
+JXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdVxrsStZf0X4OFunHB2WyBEXYKCrC/
+gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEPNXubrjlpC2JgQCA2
+j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+rGNm6
+5ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUB
+o2M3IUxExJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS
+/jQ6fbjpKdx2qcgw+BRxgMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2z
+Gp1iro2C6pSe3VkQw63d4k3jMdXH7OjysP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTE
+W9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+D
+hNQ+IIX3Sj0rnP0qCglN6oH4EZw=
+-----END CERTIFICATE-----
+`,
+		distrustAfter: "2025-04-15T23:59:59Z",
+	},
 	{
 		cn:         "SERIALNUMBER=G63287510,CN=ANF Secure Server Root CA,OU=ANF CA Raiz,O=ANF Autoridad de Certificacion,C=ES",
 		sha256Hash: "fb8fec759169b9106b1e511644c618c51304373f6c0643088d8beffd1b997599",

From 1fda73153feef7b246f24005838c387e354e5e3b Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Thu, 31 Jul 2025 13:53:34 -0400
Subject: [PATCH 03/37] acme: increase pebble test waitForServer attempts

In CI it seems that occasionally we can't connect to the test servers
within 10 tries, and the test flakes. Let's give the process more
attempts.

Updates golang/go#74437

Change-Id: I74d6cea83468a3a572ec4b52ff7314c778c664cf
Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/692075
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Mark Freeman <mark@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/pebble_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/acme/pebble_test.go b/acme/pebble_test.go
index af7aee67d2..e3738497a5 100644
--- a/acme/pebble_test.go
+++ b/acme/pebble_test.go
@@ -692,14 +692,14 @@ func startPebbleEnvironment(t *testing.T, config *environmentConfig) environment
 func waitForServer(t *testing.T, addr string) {
 	t.Helper()
 
-	for i := 0; i < 10; i++ {
+	for i := 0; i < 20; i++ {
 		if conn, err := net.Dial("tcp", addr); err == nil {
 			conn.Close()
 			return
 		}
 		time.Sleep(time.Duration(i*100) * time.Millisecond)
 	}
-	t.Fatalf("failed to connect to %q after 10 tries", addr)
+	t.Fatalf("failed to connect to %q after 20 tries", addr)
 }
 
 // fetchModule fetches the module at the given version and returns the directory

From c247dead11de7671a21a6c5169555e2aa5313caa Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Sun, 25 May 2025 16:41:48 +0200
Subject: [PATCH 04/37] x509roots/fallback: store bundle certs directly in DER
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

goos: linux
goarch: amd64
pkg: golang.org/x/crypto/x509roots/fallback
cpu: AMD Ryzen 5 4600G with Radeon Graphics
            │ /tmp/before │             /tmp/after              │
            │   sec/op    │   sec/op     vs base                │
InitTime-12   1.726m ± 0%   1.101m ± 1%  -36.20% (p=0.000 n=30)

            │  /tmp/before  │              /tmp/after              │
            │     B/op      │     B/op      vs base                │
InitTime-12   1178.2Ki ± 0%   779.8Ki ± 0%  -33.81% (p=0.000 n=30)

            │ /tmp/before │             /tmp/after             │
            │  allocs/op  │  allocs/op   vs base               │
InitTime-12   11.35k ± 0%   10.64k ± 0%  -6.32% (p=0.000 n=30)

Updates golang/go#73691

Change-Id: Ic33f2fdfc65001c41afeb3b6af8a383288d10de6
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/676217
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <mark@golang.org>
---
 x509roots/fallback/bundle.der     |  Bin 0 -> 154797 bytes
 x509roots/fallback/bundle.go      | 5139 +++++------------------------
 x509roots/fallback/bundle_test.go |   32 +
 x509roots/fallback/fallback.go    |   26 +-
 x509roots/gen_fallback_bundle.go  |   28 +-
 5 files changed, 911 insertions(+), 4314 deletions(-)
 create mode 100644 x509roots/fallback/bundle.der
 create mode 100644 x509roots/fallback/bundle_test.go

diff --git a/x509roots/fallback/bundle.der b/x509roots/fallback/bundle.der
new file mode 100644
index 0000000000000000000000000000000000000000..1abf12f5980415e088cfe616e3c01c9fb5eb2108
GIT binary patch
literal 154797
zcmc$`1za83vM-FgySwYg-JRg>?rs4BK|>%AEVz4+;BLX)f;+(>IKc_}ZIYQgyg75v
zoOkaz@1uXc_pa`>dNr%7{w1rb0fAr+fI!f*EO0PTFfbI8OIEwB?hPwFe3P$fOzH6e
zI4BspVCgRc5a8edPZoFpEEKpp1Qa@$genUv0Qrf4Lx7P~kXK_=5tC;@0w6pcf=7T9
zGj}m}Wx)YpJ<-Mp$QmMQ5~_^KtlX@e006rz3j=`e=?pjmxri8viinI3$?q2-QI$~9
zkP%l@kx&Kxlu}nwR0R-WBeHO_u(ARGJZxNSY&zJ8>}=1-{~zzn9e@G_{d0!EK%pS%
z10X=iz)e6PE}Jw}`v;3xIAv8xHxnn`SY~`TR~|D6>65C|KGl>;1p$i{$F^P+?W?Tf
z#X+jk53jb+&u0I@$sn_MCV5vaZY_>(aX;I0U(PB21zaB5d9>UHaw11e2TsKi6kH+l
zeXb}#_~-N!qJx4yLO=q*fnNY5;FJ;~KOKMoK29hA;S-Gnfdzp9+Q@v|h8k>isyHU%
zQ0z+lZNfq3`LhML1_4-rv4E7xZqN&NxuKrMmtv7GD<I%)>wly$uod^d<6c)BN|V4w
zmBXN>Qs;Ro3qFh<of!k{awBVJ^v?C{s3FOu=nH-4d|18{3t@RhoZP-*@5cC<Ndf<3
zEEBYz45+0w8kkGlH$WitBp?v7`4`8*7<AR=i}~fP0uZ5Kf%6!Ag$N1?2?+uaWkCZ@
z?N1hg6%iBDc;XQj7L=d=Bap$Mm0rj^9cDoUz(2KuLxA{6KIhP%Y{LTJ0B%og!v$m;
zHUJAN8_RFxzh#U-FtX>j4hjhZ9tegE0tf_y0}BKL1xYO`ZZnomEN4!%NO3b9n@_kO
zUEj1gCMK3*>lDvjNm(YYRr`wh+L{B^vAG{1(gufUE@~d@Gm12)-gndLXdOKYuG!p~
zAz0_e6Hu3+3ZF%J|B<^%$ARmGI;6k}iMNILR)qpP=i+uP*_}h+t>J>`AVDj#((M~$
za67wP1vqk*u!!Uueh~8W*g-fS`xk`cT=%~qY4U>y@TS9MYl>NyXxhJu_S~wi;hXy`
z7eSL<kXz6Mra(DPS9VwiPS#*cf()Qhi}zbS`T}Q>J}%7YKvtfP*8zz;;n;qfdF@>d
zCVHz>M93J6OkUjEfgJNVmV<er3hPYpD1jcdO=WPs`i=nZ4y&%v6{_L8X%JXeug<|Y
zw-u+d+&7eaGku96u?4+hVQh&;TquHxf)2EpGug=F?-<ZB9Y5vuitdZ#Y{ZLAg1)tn
zZ00*7=j?mnTg|3~mM$I$b$f(~@^5QTFh4swcwyC&{;rFqTKHsV^pd+dZFAgjYD+8i
z_07~7QtHbOn@uWAxW3~TBRaTuO;DG&DupkSA--P!sCloHt6&oPJ%r-sjc7;6%`_t|
zosP4YnawP<ktyQh7nzF);^<IT>}yxCh6$b6VB?v!mvDQpEZpBII`2bJ&cNw-#cnme
zz!pZXtZTejR$N-GF5yFUG76Fvb4Vs>r*(#FHwOa;1p&<s1RDZ!L?6Hh3WgpE$luVQ
zpb*XgM}XY#Gyp7E*vie#iI<t#!^4Bg*woaW$=sFM!rIQ<*v#JAfmy`G)XLi3(UsZM
z+{Mk>!rIi>3`n>bTYEjVWnnUPaRU(l*VRCS(SN&|qp7RY@0WW92ooVS8!KGYvFeu^
zdjVUV!{J0iE&m88#7_W14grL5e~iEE5eVw~)Pw{g5Yz^!Ml6842^0kI08juxwSYU>
z@3#a72Ba{E0zpwgL_l7GxPdr=xPVxLn1L7rcM{-k4*V1Ye!2k9S%X*rcT?awQ{eX*
zhy(DP3XnPk@%pc}c0ig0cr7vDrUCp#1N?0X?C<ci&(pbI*Hi-@GX)-X1hE6|mcVN~
zoqGk`|Ji5~z}8Rw+<^D<H2$x<Vffig21FA0tqj5r!U+NZVF7L&z+Vy|v>;4B&ntnb
z0>7W`gapJ2cm+2QClFo`X5i-Wb7T7Xf0=@~1KXQ}xB>wGHAkRW6o0`4cIKAWu6D+z
z){YK_rc73D_5k&#NhgL-0LTGkv!t^mgT?=%+rP{^hGyn2K>o4&2mOKlGz=;P5Of0&
zp14f-H@18ZctETM0v;$xA`4jNw|g;5X>p8A+K@vz8jG<gjs<z+df7zz+QsNqNG7D-
zS7WD%*2paoQuD2gwX_SV^JPWJ)06yw*o%nl!aJx4@$*5f_}6SpChrTmuBqo>8S#(%
zF{nw3%)}p=W?p`>lQ$B^l@U`jU05G(ve;4-_tKrW37{9A_WJ=!t;NuPDE;BJP(H|L
zH?1ow=W;NvVEPem82)s{VWdDBT|45OfW-zsV#{=#-uik02R;PIrI1d<o>+@vC}B}Y
z#c=YvJP6#v0JZKn^k}`!3$`3}`=wP_dFDzgUFw%0u-zsev@nJl+9h?qrI~5~GVl%}
zXS0VN+;9mvU%@a+$cLZ^i1K_Q5SOV%c1jm8>nq5=(icuHP=*}tsEf<LJLmKbO7SeY
zLeh{ynqi}y2~rZZBS9min{NGl>J*UYWYh{-o0<V3-fB!<vip%D9MwNgCnu*-W};(h
zyx@=pl_3K+|7cBpt$lA4F=!LJKIiqvWpzrZqv7@tJ>iAncp>#wj=qMV)*Ag0uQ#AB
zM<LsWgk`mFd#P5oJ5qLuz@#$i3hj$@M-L=C{F10sSoP^Pf{uEUESM8W2*1vCQO{QV
zc$oJY8Ow}<$Iw#FWPabp&A7Z1H4_n%ccCGMmCSISr%}V+V9YhpspXHKm6&~}9kGjg
zIgb27on4adeK6mXN(Tgj=l-VFHQ`VbMY}hKpR)=)P_5fOvms^Fem5AQ5g_HQ?Tj5*
z$N{84o&#!gJP}hjV>@eC5>+NACJ`oP02><zHwP<#hm(ti8bJBf2poav_eLTw-K@+V
z+<>6y1{4w!6-P%m5;2kA^gj<PE6bCy$of<N1O6cY-`>pM843lx-5+W57>>7adMcE1
z9hLbq;dBN%rMclc39@kfKGcRZ3JZNDv?7LiGtEf!F6%l<Bg#G*EG8Oj+7QMrbat)e
zGf8LV>Ko-SYk80a9Y^MNao=2|%?~45M@zSTL=sY8sT*NHGxJFaFGLub<?d-pSHnul
zYBbCvgVmy9#b}p#Bt3Hh<V_>reb6=A^(WrgO3QT@XZq{t^0o{VkO}!yv*{w$hau=g
zbHNPRO?XL>iF5P}4>Lu6r8}(mu|PC5Rwh%&-;mtc5E$byNm(q%=-1624#i&sP~Byv
z5(gAW5ku_f^29)8CQr6a?kOsz;XWjU5b>K|=HgJi2}b#*CRoVpPN5h;+OvTSb{!ih
zMbi8*g*0i^__f<BC~!kn?bX-Cw24#bRHnMmf`@PIk10`46Y)fiuVfQ<-dCbP-<Stf
z<?xJN@jv3+_MYgx*IoxJ@s1f&z);kdxI{3ZF|61Tk{BH=Pj$Qvn)J|#cPxnu$~gMm
zE*m8qdo517&LUx~q<}KF!SPxSw`Li#Ef*@YzjkDkcorK9(JS6f9nlK!4h7%DEZu%J
zKC3GZS`!gty9M&LA#;1>{d(^=--Jum9)ETv8m;eWO3v7TrfpBt&*xR8sq|G3Ydqlw
zP4Faf%ieDq9yc^1>QQ(3!cQwZ^waa;<>=?Da4u>yU;Hu@OaaEvw6x0HJKp|GPm9CQ
zGjDFExB)OQ&ar>4rT?<WpZ$VorZ!L}f5JDsw@XO7QNE1aJFRWPcUKr@()n{*a7c>i
z94j1zQ-@G2{Q-hD(_i`USdXFwP$!tqBfCtQ$So=?TOI4#(RqwM<*-x6zEoK*NH0YS
z2~}~n!Q#gyd~=;bYu<V;lrsPQOeciY*<XHWl{;0a`DPU$KN>t~j)IFbo(NV+?;>hd
zlGUQ1vw+iPn-nm1pVDf8DLsOU+1O62SF`i(N|3Xx-sGOhWZB6Rg+N+&;d35$ljWhh
zpn>Mf6u7WlK;DF+X#uP#EXEy3QK!GFB2&BYJgT?!o)=jA<US23m6lsayDOP}Z2Ucs
zPcz-dW#9%wqM-uuhq#*uhTJ)KyaxFyZpG9aLTRH{RO@H=MPn&DPEj&mGg~ciNQ;bT
z5pDY$c|JpZ@y<I7xvzUVuiauG@PkY8$W(>vN*?6gM{na;+c`4bg&ek`9kTMNavB&~
z$LZhR7g+T-fznsnxe+$F#(z7i@1y(<A_r3CTL=H1;H+IKgR*fIW|`CCk?Z4lvzi&h
z0Cnw)7+>?pNyfECh0lI@BBaqG9{D`Pdl?&<V-}8(2cO)1+ibD2_G|m@V$_)FQK>1p
zJmr*aD$a(r^f69sq%j{mq3bFmkR$b!B&!A5K$8@!wAG{p*}XmOHDZ}u_bg~UM+h<6
zvZ9!o8kizaF~Wv-YhT~mr6YV?O8`Q*9MD2#{|&x9JfNtliYj0K8NS7z!MD093kCq~
z7hJ=OSXfxQ*sHm`bai7P{>i~We8zfqltj$Y-rn5B)Y{nYCoThko)`}cJAf0w`Coq7
zZzSN~GYZi7e17{sJu}cJ&kPjknSp|WT;eNQLepnsUO<rz5rbB3xJp2Y%P=&{P-4t{
z>8dYgQ0x_9jnlkAE6_z+k0K@t#x3|%%h+g$7}i<-mg5yGV>5vX*J-7$tia%iv*E62
zYurx%@((g;v)--ZUV8gd$nQ7P@S`bP-<9&-^GSUq*Y)zcW)o^SPEOn)>6oDj9gVwf
zlsMcF#zviT`wq{tPETc%DyLaiLL%5C;RSitl4^}v=A%Gj+Rfq43k^2Fb>Am-v~%K4
z=!$uom{;5H^=e-96TP3_!xt*WT#EpXa`7fLA_4%bdHObgtbvk(*9PyD!!X|Mj|r|a
z3c6xVa55T1nU{X`Gz%}=A~%+hUa|ZFoTos-A8~^8*k0B527~27nMBB2$?=~lF5{y9
z5pezvPk@uFRdNo2G}4av2zNi#gk?zE;%$|zB{NY&$R+Pb?IQ`LFV-8(B<Na2<)au|
zRM$<HQcRkNQMnvGSsaQvXG<}4f>kz`r#I!N9C?TXS{ZBF^7-1>KP98`i>T9jkq;E5
z4|Vo~<3TkM#lpr5bvzJ0jvBuCS$)8L0D9<YClvjmWq0I&Se2eFW+>QalRJgeTDDJB
zj+1aXN*kAaJ51u8ix%8PY#P!h_V{cOh~Yv;T<Md8_P*@Ch?y?#@9{HT?o~KMB)}4w
z393?DWk@S!q$H$jj&0ac2jo+Rwd-fVGISKoYvaoBS7<A+PTD{+pn0*)Y9VULNt5B?
z`4V3r|4E)+D?;!POeHfuXUL~0$Nz%U70lf{99?X!9W4J3dE#bee=bi?<iBZ@zmun$
zpkX#_CfhhWTVs{1{oK)4adKO6{>ek?X5!{imS*cv8+u$am&~a_K}3wFM(F^B;h?wc
z45LID51hqp9vtFx90_;=oI74fbJJ4UHrDUw@0xkbUg=Dq&p0=yM3dX5)W35JK_D`0
z%wW7JR;6ERb{CA5gMkSr${{D1vMD8NN(N=JHy>)Huu!LXAuL{rKfBiXwtX2zNZ_#H
z?&O4Ab*arf(Q*EVuyce@OZ?QA)+_^R^5y&dF)Abw+I@b>?*c|`LP`@$R3ge57+j(d
zxlWpe_#uakH{M6#a2rJyp}0dLKfa1{8jr4fNcQ_&p2q}m-Y>GBxcHtSV71g>{*^pI
z6Hk0gTj+Gi5w5B5QbJL3>+b&xH~XK+(@*ybC{Ll9Rajnyo%b{Isj2LpX*H}E@&$P-
z2dxFI*J6twxW3e|GAXI!aVWTpIg=d6dMIEzF@<z>5ZW&d)lyF}XpF0<@`_Km_IKk$
zn(LUvq#cPwuq=LK-_s_Y2KAaXYcS&(88|FId;u<9kd+MTzhs`vS!S*+tr+;C-~2?A
za7&vBPRMR<{9+5X#!d|cZWU8L<fVPRR)Wq~`w5V&^Hk~9F0Q;L&ehi;Zxit_bC#KM
zbX&@CencycIB8!~TS^V}WkK`$j5Fxl;qqG4`rLnT46JO0iCx5yI?3VclgQxj^C&kf
zj9t03eiLYPDkI8%r~{(*mH>-020`y8zqD-;h}sXp{q1l1$t{sGtWU^G?Rg9nAn~s#
zClUbBFXsXKxpGo+F}JsVX-^^{CiYyKfKJ1cG_n7T8nUqeB>!E*{5O$fM1TQ4W;*y-
z_A8EhUj7)bK}>=Xle07`J!pX~wVT|TVYIz-48xsB++t=X>Fp96G0&1QuCA7<5r%E4
zb-ZoU1_35!&u+!VbL2cLIdvD?ctQmn(Rj~cF8&Yespj;wKO@I~0Dek2tyeoL2M3ih
z0Hn+2L3p}shX3yY|JkYlxFra{3=Dt`dlvFeNvFKOU9?Tg@WRd}c(t3_ZIfGd7Sa!&
zeWRDTdJvYMD}DA`gXGD5_PR3|KvX+KY)W~hX%d!I=gT`^O@TB+QQHe>#@g?Ju|KpO
z%gk=Hw%!wMn6}mij5vaYzXCd#l0Z~t`i%qZ!!aZ)^Wl!3BPs$AQAPe0CLjRd{bB<2
zzhHvr48Q_ldooXcXMmsNzhj8Ma|XN7R*DQCM81B#$PC-KELr3CO!++b-OnqFjczG|
zM7NC5@muUXr<0A<XryxPTU|?tEEEbyeVV|IM9n#ATJ*ZL)(`S4ZxK{+Qiv#W6r;Z9
zyoDb+r}dl2(>kJ(ANW-0oicyJy)3SYxpf`hKQFzGh(%3E)c@u!Wqs2pb&+9kvKNdW
zBHnL@mRt1gKGN^<mn=+Fcdc2ag<gAsXe^(r$J^aDnSC{RzXI>Ux^FT}m6F>0$>fb(
z4U`w4pSJA~N<OiXpqqt$+VHa~8g^Q;Car~sF)0f)6QxW#&gsz^y>obN6A!eE$K5eg
zOf+N!BeRG1u~-{NbIRNg*8+yqG0h_y1uDa+Xe(IehU+D$U8WR4<$`gtZny$&X}jtl
zk3Pl0nj1|sZ#_Ml#P+29F6Uaw?TOmPIqkIcPLA?$)$lIBC)~H!!dv*OC#7Gk_h0+P
z6uL{MiJA-M5p_U=>qs&-B%akzSE-X8H!aD5B;I1gQ?s@0h)GFKz$9ZC@um1qY#(y(
z9e@(?OKZr$_Q`R9WV}OacU^O|*maQt2%>DkgAb&Lg4p%M`5JeJt@s7v!E1MGvwBp2
zHnP^>xvzopW|%SKoNtjn3?laZNESucAbK8HKcyP&slbSLAK)lH%LnR~Ai4^&&SbmS
zbL3Le-1e~dsqlK~vg%b>o#kKYlJs`Vd<3$2stbwYd~+34>N$xL)4vzhXTBa#JbwCm
z)td4sCJMZpC3_77<*elW)iOHDY3?);uRdu?VozVFT-J;4z=*fu1WmyEkMyA3gQ!Cq
zhlniIQe^OV&-LFrWiWdtydmLSevNF6{_f*T&Lo)p-j$Ls8(K5<g3C>3`|QGVIRO`*
zLd?@2@8)x+3?PuOOCLnOZ&kV6hzGKX?l5XyX@r{yHHlWFA?W!snN#VhDuPsb`eq|0
zGe$HJM&@)^+#8Jn@*?{oOp3Y>IhMT=50SVHVwhu{J{F}p7WkkO`u4&|R~lIEE5lIk
zZd2N-(0)jp;Bke~Tuz3n(M?BzTI&QUY#@*YgTol>5E;A;=OFb7<UTD@`+&<48)t9B
z+fy~x92y+ElRALRTj14@{oPaY=8lVbD=g@2<pE+o+bWBhVjVUfYC3*!jUr+H^<^w%
z^P%f5<M>OS*>4n!a|(uHQ5j<xJZ<Vu(#e`EHEBn(N#F?pVk4*{eDa3?BXT?`leZs-
zaoPPHt4r`UGQWFEmrjGuTh<l1#O^U#)K)cY3h-AQ%Z2alL$?)kq^Jjf#>uZOG^lxF
zXKO7ynYnb*Wo_HIW)FLQ@=3`Z&dbLOJ6k<LG?@kVs}X7hB*1q&QgS>UW1$aw6EY#Z
zo1zwf6a%_S_&PU3B=|GLm~BEooj?11+c8w`SFN760)kNw8MLc)4X{?Y1UO<q6cqvb
zdbGcg6dlSgb2Pav9FAxGyJwi#b^@pF;B!!YirVq~pP-5iJpUA>Lx&QvH}-OLV8I1E
zg^D4-(NTUK_&owg!txVLfh%xN%f3&4PqryHfQ5zYH}ZdT>Ay2bt33Uk2R)}ZoXe&B
zmE3$B=4RiypC?;gX^|TJa0>!uE&*c<p3D;SQmD!s<7@(LjaZcKhsNfVJ3o3y-Y2-v
zby16ZEn`)&Jlp8bO=z5v_YlbWaZ6TXQ)2DMeGS%)+d^6@2M_a21&I=ro!6LuRsN6i
z11a1nC2r`YoDd$Z>!#_VAJUe9grhi51IN%@<#s@@MYe=RliGf6*M}d{OON9_07f51
zHz$tScNA9{-P#V#t|8c`tdcYhVmI}Kp9X7AGbxZ5UtBrs8CXB=#e)rThm|RDJ1*Wb
zn&9{J5vi?ttXlRXr-hKu2nmz;k@$D}%L(#PP(?zN*`@S<Li__no)+r=$x3nXGY>Eb
zXZS7q!DocHI3^hFw7x171vr>Lu><&%_ndUfr6UrZjo0I@Ohdv+j#Rcy)BNc=u1q=)
z;D>)l5%Hp?KRfZV?!?QfUp00ZhGrv)a+Eyp$1>^U>$k9_3MnsnJK=3YJ>A8naLnx@
zL?Ze8QijfJ3zTLd8Mt=9UzF||XMs6foPO`AI@GOSx{1^C$Uy(-r&1b!dL7HR{9aFY
zP)9}As2t<!#c}R!rf|GHi`t#&WS=B4dFec|v{TCbOHb!<7cusi4w~AXV0u(Ww4>y>
zSds6<K2B{8!Q7IgitUKex|n1a=^MaIMVB?qeZlA)Q$G#9?2Z-lurO|K+!2{g^fUr@
zkaa2hIPTMgk`Zi&AJ(YNcD>&n-FngpG)I6!1pZ8jCK5P;GvSc8f<3QwshY#Mp3mBo
zW%553BG$hUB6h$tnfl*c`tK}}(u7RLG+8;>fLF@N2Vq0DM#|`)<?W&FDqteM;-c8}
zQ6X^5wL6jo?Z#E6z6I~nU6kGFzm9gF*Hzq*+kxVgA5JL|K!~P~nS#PKD&Z1;^)?`|
zREKL7aX39+PQ`ssEWI9LT<KDMb$TLS=It)m?x1g(Uc9_?iclGej{Up%dG-bsJhAAC
zHap11I?wvOu}xlnG*y#F*;DUU4#*-j_Kh<$HxmW{5E&hs2UhXskgw*{V9tCCvRA|l
zBUhyA(Td0iWr1s%w(}B`&EE|}4*3~)f)|9A4_wsuU*(oAetlihMDXQqS&_qi6#3ed
z*oISClG<2zH)HgBj=Ill$}mUfnx4@hCi;6sWfZ$xL;TP9zCC4pNuVq-kMNr3DOHV{
zyT!+d?&IH&&c6f~tUB!0SZA+TU$XUDGbN&Dd<?13L<!&;P_1tEyNnr68^bw|aaeex
zm~Waa_wm-?nAFUR#L&*{E#?r{t_cD>9o7;k6YGNDi;E22OKjn|<BSh5!8fg@g*t2p
zLvCX6KkTekIQwWF@6^Hdh;K7nr1rnbNX5e|gp$F^tX>!sowPB9xj6W1KWg&+c*&Zp
zV0dsyV=^!AdO93{ZFD%YzqD8|*y9V<a;gTSc3;B?%YdyWn>4Prrfdl_ap>UdC^W$s
zpiOHr6wMQlO5{fU@O8iZe*_{G2;b!Z=a5=p()VmzD&;SNHY`;BBo03<kxzyGQAnP-
zt2t96+ZRb*e0w0^6^Tf(pLGf^8NyvciYo8?T<=YtJwJwMj{?>ZQL4~&>;o@sw*51+
zAmObxrEL3bR_g9OSY5VoZeY)|Vj1)&!e731H;+aDe^t*yZd&U31~%9#Xz=mJC{;?#
zt8XJOdcGMKU=N)Yp~c497VI#q#&jELRSbhE<LJJPFwr)xE3H{hxuv=Sp>Ee#=W<IP
zQ1aW*W)k0EpgcN|WA&)X#M^zLPtvn+PY{CDE4DM$OqC+xWKaaprMfQZO?|&Ac^X<j
zELt~2L*+34ae%j91l{OLDIBw`${r6BPt$WdhHl<GI#9?Cth@}3mpXwHVwNz+-?S+8
zWUHy>HAaQPKqax8A@`;7Ug`})4(e19BQ>5xWqFl?Gh(}z<cu}ckm^wNgRRJjh_8<v
z@@tn@UfLrDvPdPVMM<u&Ue}xtH#R^cRJrLj^f|uEjxIR=^rOv^_Z$z?gs48VRiKi#
z+%g;OR0{=H6&!%yfERk1){+PwnG1VH_@4BnW@VFLJkuNuYEN$ly*lVP=c8V@2W^2>
zyKR~9L}AU|$oGgB+-bNe_%vz_q0z^KF9QULPR%I#aLN@Pr81x|In47W;WQpEu+8j_
z3&|*DV(V5wuotv^^^bb+E5^qSNm2TKoHc>LQA78f%=AsJ-ohH$0X_OU;I8|JB{J=n
z$Y~+O2cI&(li?12D*MdA2m7DH9NT{mLD>M>0Q5gnz<y=RfrCPWi-JJVCKmLH__ZUZ
z?ttQJ^q#7GY+|fJ+nHdRy&344`(#h-8o<YwWXtoK?PHHZaHK!Bm5GF=kGK|LHP@CU
z%)Z6)zmnzkTz41OEzUw^aFqapp+7kFrFG+0dbU5GKyVolfFu|x$m-jeT<rRYAM{Wk
zV@vRotc+c5*0RTL2|SJR#gcm(x`9p7z>ZJi(y9}F?Dx`L*D*ZsMq^;jhMQ7I6RZGy
zrmcX>y`ZPS-SdwpH`~#SB1bE><?QXv(2v)F^lV`8|M`<+|Ia-+cEEoVf|)1|<5J93
zMSSQ8^L|n2E&0N<!sL<>e-Xx+bOL0@v?Yc5_B)S*{+__cfq+lBx+F;w`dEwiJ1F)W
zX{#G8hCwE0PG)RbLln$TP4BYlvR+;Xl$k(v2Q2b9&{h!LFzNl@KGw;DK3;Q&;k5<#
z6ph=ovtWD8t$^pV3vLAhFb4zh0)@E67qxWkSSx{fW<T9GI)Z-GLcNP&gQmy{P73Ke
zmp0lXV{#mg0-Yj<Jev+McW>_{hyq_XZyef(0WHaNQgoMscWGgpa<YpFQzh?hZDr6@
z*-B?OTPf~p;oPS_entTrJRU&L!SJ^jj2_#N34>uZ>vL#-au@hnhyVn?0xXy!ZjP=b
zKi7rK&3>-SvjVOE=UIEe^Uu5safzP~oCUxI;9_Ct;AZ>jG5n0bv9fXSaPa8-FR%W0
zPDA`#zC=elJ|@1={4-jP)=``i!B6wo@>zm-QjMQeR!$#=1*LYp5;`d&InIj^?gH=a
zJ6uetTlQ@Czl9B}2}Uc8`cK8*?$icOVf54$sZ(k$Rw`Xq7@28%S&xF(J0i9Y3Oc&E
z?0o{zxtg@fd@$}ueLw=IyRso!0>eZ!z_hvB2<)isNjHPF%hgVTrtZT}pf`4Nwi7$K
z;s`}q%{Wlc<|4}pfq-O?@~I(cG@-Si8LVH6y~v9LPi}O2Te~g27ol`FzdY;+jr0}X
zCEXu@1syL$gLL2XQc-orEv1HnDH80%sC!Q;k-A%&Cu!w(#uNC=&gldk;_qr?Ug6Nc
z^t}(j`<YKr@DZw#As^Q0XgqP(sq8Z!uH7Q(KSmy&CyV`M51c12gaiVZHw<JLcwinJ
z1ZV{#I0Pu@pAwIP|HMx}{S7J)_Qg2qU^<a>20^H3qweq$c(n%NM(;^zp3NIU?<xU>
z!%Xs)#4}sH<D+}w{FUt3Y`EZ(W0J8~pe>$PxN{UN>=2;&O_(WN)Jt=U$iq0MkIBeL
zA8cP@t&!f%QT0jH=Z|W+IQurO$;V6a4V2qw*K{0&Ue+LU*RGo_QI6&>?x*M_XZOG?
z-)}EW&*(@Xbk}#*VjS0?J|bb(UR*5pw(RQ^eAgf=;x||8#Vl+I&KP-<VCCf;5V{7x
zwug#u1v6}&agZUBA<jzWwH^ZJEU>?+lQ*&0Gt#?k<kxtnC?0c6SC1oDfIAQGQ^_SF
zTG3=gc=`Z~TJb%^yC5AXc9=lGP5mW$C;~}*`4$4vrdPgHn%oe_AkXmtAjiT4VE83}
zl>Z=qza_^!g}O=9<Wxz3LG8blM^+X9J1~QWhn17{XYw_W1bXmKB&*K9d9?oqlM{lq
zXt>}k$Fi0waB<f*A)$#A4|mK08!x+^mA-@_JkHj-H)q?$+P%rKa`-sk%J42;WJLdK
z<=`9BH^c3%Zu6_@c}KDe8mmdPBC#qc(-hobtd=KnXpYCTJ<Ck@xc+~Q$$!Mj-DxOi
zd{!+|ykM(r_#)Y6IVTl!{()_uhsA$kvTic%SsF`SsIA>hi^tmQZ_2(6yd$}shOe*q
zJp?zEN(;YDXd_TX0{9$Y=sF8@`hl37yn*m7x2t?ohDkDz+(Lf<1Ox4!`+P0Q)`Qk-
zkz&+bxNTx79Chd1$B!haNOY41=!lvDaary+#!#Ie-NucDzomyno9m>@$$KtKPhRN1
z#2YHABLDZi!NT%{)$G6X1~AL|U*wH{d9=UtRqOnbx?i<GhWk|HrpuGb4}BL&l-FJz
zf6xd|Je_Tcva2VLGMw(76B#-MBXZu_y)+ntp)&xSGFtQn;hSl4r@v&>=w&uOPPikH
zY}udk77}_b#SKw}|4C&9oof;kQ=!H1b$O|2->W4U@9C_qE8UkR{_4pw#;GH8*glI<
z=e0I_*s^9c7MQelU?;ZIO}T7KI+g{H>uu(BSQRLTBT8%oPD%&3krjQXZo0POy*>$z
zNif<L%e0`W=XCayn7q+8mM1l~7W1V0gYzb@B~kR2U&>f!i2itZS(ID)=niKoywP(N
z(f2k*JHsT!=1?Le$+Bu%mVdT}4+OD2ig-=9yUdPsNygWAuqwj7t}T{1TTd`*@X$X}
zYi&_;^ercMm2)0!cuXkFJLwZ)Q=BT@aGi~=N$gL>xVa4Yo727P7GAS~xcPio49w0U
zh7uX^uCbk>0i@^&v+2#TR+u;Gd4%Do0jpY2EdzBMm!bNhKT5>2hiq@KPWqGtC>E}|
zHbbU0P86d7HxjVg3+!K3(Fq`4gG{9c=LvtFUy{@GEvsj%GjLxse{Zo8F*uu4{)ICs
zJnc;~xYJp=+hH#f=eL%F4%dP>ouL@Bz<iJnr)&oX+BGfB1D)5&wv>6%y#D7T=_z0O
z7=Ki~ppAdC%Mno^BVB+jhx=jdq77x$`Jecze@L>MO!D|+jhB_g%P!xVrQt6;Yzr{|
zAjy9bH76HSr7+R6zZdKrRR_lXHQqHMedS%JM2weB9P|%8q8l;4Uc_33jakL%^Gs?!
zI}la5Ey@d=m7fc{+f=wOj_&4u$r_aTSY1I6#>Ux>675KsR=#E(dyp%^jFEXEM`teP
zf^gM!9seHV>@A7OS2fkI3`;oi){1YWoP^o5JkStw_ElJj<OT}A^c;7Mm#*4^gRoQ8
zsF89cf-V{2pS=F2e#2<x;XP?RJc(r6B=0Uh(}|fvbx_fB(LC<u)@e7=Q)_T3x2?+<
zuvlHso0xGpDp{o@5M-3>T+3FgDX}do_0k5Z0tTV1W%;TZSxX=aoMlHKP-&3a071Vd
zv6X}!`n(%$?P#`QUYpVSiUs2Q^hfazbe3yS4<rFma;o7J7fWSQuVMbTg?pqne2Y5#
zAK5cf+8I{-(`Z*$JmSW4{6!ya<aANTE=F=%%Z8Qpx~A2<5z1y7p*;N8kD>9bhP9PT
zef2DD8yDB1MRglMA+>nqH=C1kD_IZbb7vgm$RGLYY0bBxcaQ6E_r7&<6SBUG=0~S@
z7(OocfMWLuQgqo22>Q|J#=h*X7(=I8Ny)Rw|F|WXkF;f*@wj-v?Dl3QvZlId8AJY&
zC0D|g;wGMU7%dSZhr2GK;yc$}KdGNkH3h!Fdxv593M|9~!Z*Z{?Wrwd$=|vYn7$Ye
z00N;ffH-^io9&D5v^()wX6O7IU!QDW<!8n$ut*A+Uh_*4^8j;H9bK%=jLk^Q%t?Ud
zQNNP-pOU&sB!Q_@#!fDd7Ur%%(%6nfOh%GKgp-w%4VWLr{nH?32Wne377m~i{#nMt
z`Bc^N8~L9Y^6!v#Fu^u*@A~#6hhx=GZeg`cW!9$-r60_oT8yq+(WYvUK%XYX6BW-|
zTeG~DM0E2#^7e{uK6niC1?r~BEUPp3JOqMsv4FBKGW3cmq~2~@oMQ)VV0+DiazzJ!
zb19ds-r&g#P9%!rwyq$L`$DDj%5S~Q6O7ssUT_Kt)+%71IFk<UZZO^;a1js0aQV#!
zFm81>t_re0Se^@7j8C2mj~bY;BRfF}lHllkxpKj$w2O7ah|P7aMEVqhLauE{0*Nbi
zXcZZQHmH9$LthocPcph@SWeQK<?iRcb$}Oa%qIBFyGAGrIWniw#<4Mk%2CAbUB1%2
zjVb&^EEYa)RMlZ>>Ok}bD8dS^0J0!A`2cei!Z_FizWR*9SOkB$V&2(9Io%{=`YV|1
zp{M1c{^%;pa~!N#-aDzeanA%6;wE|oL;d7Z(@-4>68E{4`(lNBvQOy-+tgt`R<ya_
z!WtG(o3R;_)6pp;uX@(!G9&%^qTK9ts&-s1N{%Q{N|`Yh9vM?4ouyhuSDHZ=&;2H8
zqFA(bCkMdtYg7gu5^u$NV5l6!&YSNuX+9xNOPrze63(@IMu}MR6UCX8dBgYY%!9t;
z!AlG_6Pe}<L2$T1?ro9AXycKe$`GlGN+2{%h@Fpz@?^2f;DX}w50x<HA@9Q%&&Av#
zxQ+od|3cb;V?e;cGe5z6WWSh$2t?3#+O3_S##IUl&y4wJhTyNY2N(bpur>`0XzvH)
z|8fNaG5`UofPkdmN=5>r0L;&7A;_N<H9Tb(J{J)tQ%8GdQzut|-hXuf11J$GfG7cr
zD_ntP6^_8-i(dsGzY0Y}fkzyG=bj2d+=1UD!14_);HN0?w+pb)!~AD?$Wseo?FtC@
z&%zF_Kj{UiKMDKK7^YhY4H&%#u|=raVU!z_BtdiG^))=<n>yZt9f>gL`c*-ap*5IA
zbeL<JY>q1bYIx=LNsW{UHVK(>neVFt&|VVgI*<K{bCWm>J_*-fbIiq@VxuveqE~is
zD;62TjF9Uc<DiKM^9SBuwy<9ddzzp)@wWQB;0Y)~nMx38zBVL)CxkhztO)fwy~<kc
zj(YD|%cu2`JW^5pfs=0)p?;7KAVN~(KT>w*ZsA&3=CJm90emNpWScB^j5u1KL=}Td
zb3rX}1xp+Sl<1vBlnZz4SCV@6*4dLI(@3dTG*EYE+7gsTWNi4khJ{UZ3wQz}!h7LI
zkeKn)9~nrP3zBG#B<@Zc-hnVgi7qHlr){BIIZKGW&wwZ8f1wAtgqN8VxzIwE;WAPR
zH#D4UnM&i<ojQxh522MGm|oiF?fB@QuzMY0(}ELC_$Y%Ht-=+{%nzm?=nk*^4XaP{
zn)^q=NGh4yv1tXSy{b95tbuG+RY9Z-h&K0h-?_ipg+shj1FA2k6Sr)I-&i-RQ#<bC
z05>BBgT=Y1__n$`zCWhsV|zitC!SAplTKqyP5W^+H-_xN-%M)n!@dLF#toEHfH6DH
ze6@Vos8CmgNK(ub(O8civ)P$ByER|^^0J#n8{sIhAHj%C7Pl$Lk{bE5sD2BD8sY(=
z6O>`z=NppO>OlM34X79NezU*T9nCjt=A&)!VaM$R+wDmH#4-T2XZk@*frSb{@uVN%
z5C}yjWMpL&q)5ahRMcc7WyF95vm_$wYSM}-GHTi^gaG_sdIUpMR!oFM%FfXQs3(5&
z<$kTQ^02V7@Br9YI9Z-l1UoyBWc`i&4~_bFTH?e4re(ed(|9NdLgb@0mj_`-h4)RD
zhjcW$i`jU?>u8R2oLBEQ5<&T;0#1=~k`Ob5xK?qiqE96WVk&u!zueSIW`GCJvN;@H
zNrby|EjuK9xSI8)55b;(&v6v=!9{b)sH>~-Tc0HbxuPkY>7|9w3-tmaPcs>7w8T|8
z#7WpJRsio!X8UPc4;md4K`jK^LLN7&&2lf!r4%ojNC??ocPNe8T=+)-+%-1VU<ud#
ztAY>Mp4`c$T8CB3!=XOlY1N_T-!}Lv$%3Px>^-6HKcM+l*b;;y{%9C-(}nKrKj#=X
zGxgeaNTHblv~1&l#VilnOY0lFK-xRirwxg+cI9bhqHvTTE$NxEri6M^>LvXaodFT5
z!S0pDU9Kf-z=h_=K}}KXT|Elp<8=Uzf_Rd;qgQ9_9B$q6YpF0)1sSPDnm91{I9Y}t
zXk&^yEWUPLZTUi}JOW@?xj5C9CAvZkZ|E&~0`wYv<EG8NW<)uZ?Y!2lnYEFUp7pJs
zVvN*qR~WTEaS*qgqS%X|$i``F(R?UM=BQmn@n{f`Zkp-%c0w*VyYe=jntw{T1rDL*
z;#&meOn_U6<P`1898tR~*U)c1ZC<j(lVk&!>Z2=;uhqx$-b15u8NSJ<(#!|d^?lH?
zf-c(ins3~BR3a|!tZDzUvv-f&5+UF4`I$Zbhxy%ed^kK8LE0<5xiO2uRDcz`l?3{a
zv7~>J5&3(?f=XZsDLXOwY0lh_hH@@WlF)H3@EPmO24j?_9F`<)shx2|N+L`VgjG8A
zX-$=(>&-svTtazgFatwU2_tDe*hm?a4v3{96I-zFV*Lu~+%j$htWIk79a49ZHJlk!
zX)Rw#W>g1oifT0)-QUMsS{$_`J(L}{I@}sv-fQ>L;R}(=#!&#M`$IqPi&LZw3A8Fs
zdwq$-9x~~eUnWBGdK3$0SNUu##BbO<?_Q(&IkEa7Ob(5S{%rQkTF&EFZ>L+nZ23G>
zuzT*rcp*rqEZY^60I~Nq+K95@YH2;q0huE{ACKWFiFipC3GRrKEWzNWT*c8Bm4ooq
z!8KMveBGcPxw~BmCkutFSo9}h`<TLYO;>l8h$aq<iB6ZdjxUqljTnjIT%3F1=~(+>
z6s9F-34avf!u8+8f3YV|`UKBinxcW|7;(Y^@~#6rZ3LH-<3U|DYn7kPFu`D*b$5lW
z8A`TjF39zZ$3$<5^O{~RAwo0Uis5>$^V|ZLPL?PA`IOJT`{Ajv(?|1^$xwEj;#(KN
z*&2aYdUM3tY~J&MN(iyopX`=81DnA#Im?r%>3EdZDnc(P6MdzuP-+fb2dfjuDV8ox
zvS=o2a~sU+-<gPxrmK!5x0+c+DH5ScUro?<CD9C?vckuP(<<^Cv5r6{7$2OLKU6z0
zFy#YRAHXPq0kPuWaF+oa#>b4V{oyT+Hq>a1?Ee1|5c^Mn?ypt(-$9p~mE}3;K9T<s
z&}IGa7A?|;{69pfTGloyRf1n{$q<W>!B!}%XwA^GNA;jdV)VRcW(ay@a44KUf!zQn
z#po6jc-_I!{lZ3eWH)5h=aQ`TMpn525O%+|jDrSuDOLXsyNx<*N<=P!-zcHu9+Tit
zd7~4umCAll-^T-q6&wtU-`q)0Rebn+G5*H@8Qy2z*@vPDH6&U63HwUnrE{_A3E5;^
zG!6f&H|%R13exrv$eJtw0AuB+ba3uPC}4nWXgEZ5$ZLf}*)_VoP}g{@M~UbD?L)_g
z=XL(fi<Z=oDCDgf)r4aHe&Ge<E7ja9pn}#0Drk{ki~<VwXN|1zOd~5O{;p}^5HLhv
zzH%~lbtMr|W#r)o>Qy#2RxXx5@`ryvEoS%Bi1l}6{L@_numFG=Pu##%r=RiC=Op0Y
zJ>K7G;n_Zes}ATXk6SU)^YaVq%_COO#oS=xO>M-cZ!h1d?C%j6V@fv@LJx+QRV*c>
z?{yi)1P9W%rfEPuzA*caK*uFhyETgN`shTq*%e@ZHqHE|&UfS6MMkmFkI9qt7`L!Z
zf`k%X|J~YimXKWKyFTA+$4FI=sl*O-wirPi=9g2Y!7@Yf<!VrNb5Q6Jx{qsAxZ3R$
zO##lYqQ#Z0DB=tos!>m9MT~PrhR8XmJ5E@YP!#;mgJTbZCL=$;Xww5#fEHN72#bTu
z+jG5zSKdK~#<@W{p&wVn^x<E-s=*btG%@g4%~3z7o43ZE<}DXLl<mpb^rC*f^>X&p
z5aqWOTewAJ`B;U*tPyXfQ*BV2dc+3k0N?lA_}trYn#lr3q&vA62v}d=AFxNJ(Gh@P
zVn<lLnQ+R)ff+%ynjWxK8R?dcTB<#p({v@;jpKo6n_T8zu2DU(Cdl#aj@ra`Dm~5l
zaeIYjW?`KvqnxvjiDL;R>o;vzD__mFYP_%Cx|@W|I!pM1pGgN)<pb>L%3j1Al(6Y1
z)Xj%3t_%znq4V|OQ{&k2drR9{m9jRgVqvi?O%7Gh@2c0vqR?i&vyQ29+=!+nCgq&(
zb6nvNFGyS5KFRO7fXgiQ84{Y9_T7K|aKLtSVPE3_uv+e)p{jUk;9Ubvl9cVv+8}SI
z_%B7p2K+r%O=1EsB-75CuH?Fw8*)o|{uS>>)sXa}se)I9haslI4rJi?3&}CmX+p+s
zo|~T+)?NKY-7O}*P;q{{i#|%F^U-I;jnWcudnRY5^6rh&+!h4Xf|^I!DsL1N;sQ;P
zs`j#T2JIOsly_&O%Cvw%qu_GMV!}gS-HNzn@eL7}oQ?y+nR~^$8L2T0_`&VLT5k_u
z5n_WkeRbhH2^B&K0V0k@(d#=uZpobIeX0c{+iHT!qY03s&}_<&kBGd=z+}U)>D?bn
z)Iup36ou-l3KYT%KP2AL_Im3vHV#?T)feibDZj0S^)>NydML6nsv|^tg>XN(N8#_%
zl_+%TQ7lFV*SBAX5ERJZZz~c8)4u=Fb|o2YC~VrmAK}9)6%40z&kZ*!$0Ow%##67h
zh5N{dk3$j+#NF>y%RG?gQ`~zZ83=QmrVm)l+CP<CjeE)OPeHFsUy(&t<Yn4?iL9zJ
zI?p8=Bj1nH@v{Dk+$OA9Vymq*pPRhq@DKs|ikcjAIVRm3R$k}Z3u%B3&NiI=cGT)b
z^Y+SX2hzX}D<1ipBrOY*VcBSdt{ZBI%2$|f$-}LsB+FDr1p6Aw`MG<Wxk3ex#!DwU
z@^-A`Vn-!~M@O<~u>AVYovp8KIzy}o;qUdVhoQz&eAJTZ26*sr%U{rmotf(EXst7E
z5N;ODjKPg%w9N*<o(%L+A(kXzX=MGs0av!a0#{aU4(=zN`y06aB>zp|`p0;G2d*C%
z;Nr2AHsVhW(%o60SiMqDP~00pQfgH=M<}E!GI7j4r(E7lznY6Skt1VX<`$S)E!-tw
zSoB2QjkHq6bm==|3)#%lhu2%xgr);rjC6B((8%L_*lwFvxp!uC68zTN9k%hE2L9YV
zDf@khdKEAFUA-VRS0vd+p(5R}QL{ijPZtuXRI)yr;-c7%X7=Ha^j1_UDqZxXVtuTz
z3N8Z8bcx4z37l=sgV5fNA*QoqtTr?Hb_gfc4m|6&EKEEg)ELX$?FYCP!Du__E?DSh
zDt$#<1owe}!yp{O^D@0hCv=eg$_qBH7c=VDkP$DeD=w;OIQ1~Pm0jg+;ZNA17qNL}
zmuS3gFEY=VIux<#P|k)2clPgXi<wd~83P?4rc^*<83lsxeD79{MG5n5j~hvPuUfJS
z;_nN#Ln-El!`bcD$(iTT@JJigKRCjFc!i5lD*O)KY29lAY0gTzIS`!(MQeAC4!Rd@
zQEPF6PaQ=H64TPe7soVTQV14Fjn$wH(Zq}T*nekn{soi{mk#9^44TK3Bdk)QKtEyE
zO1K0-qj%D**y60+AR(=*`?%}1?R(x=e$_Ig0_&lfS%4RB8`I(_UPbxX7D-qk(~q4j
z5DZy249b|;_m7#Hd^JMW`V^J@8S<k=&M3ZnRghVw9FIynpy_+~3$Tj1`hN*rr5Z*a
zw;YeIs}7hIkbY2BMDp8q{VU)KLP9RW0TJCPY+`i0&LKA|RI<(<-H`3*euIUTC(XsM
z8{K)ze+`#87qHc=yFkg1SD@}p!Ft&bfBM<xI<}+=y3;UoakxM1Q>%^RnheS?%dCHM
zbN^fpl9}dS&P8Vt3+4og&A}ZRD9vbagFjKxFzQGCQ><#K^t%av((a)#DJPNa!8f=t
z4ECq`9%*41=u?~oG2geKxR&y_qf@z~^lb4ZgT+J*1wo-z)%4AMuEJciQ`B^bX~i(8
zJKrMLzVpW8i>oIzDyU8SMr*C9lN#$K2EYfOHR%`5|8!@zDLeZ?6||7#okN<Tc;k>!
z0Q-UCq|bu1;eJi@XT~A|_!5HY94iukh?%>}DCTBa7DU-#g8g+)TB?hMx$e`K#-qMv
z?xwO{!sf9d*F^r|!CS#IQAl^H3`RRx#&|h`V%{S>Mrt+}r=e7!R&S(p*medWK2)Ky
zqYCbgiQy81$3`PODhp_yi#V(eWwq`Pn2y*FZ(ehLvPwT}(NA;|N328QSXx8SZ_ZMV
z8}h~4M`g~9k?5Cmp8q_MtfDE&tTfufVSO%u`334D1G3;{KvP_ES96=W=S1+UM;Si6
zHwfRCJrDX%<>l~}18J{2bQTVewy6zvB*xMSlnbqj#W%*@+iYC(H807}nw=`QZhtD)
z*=0F``s~_<ZUUFt*O&+dS8Jf<s{G4xg$0Rec(+&))?xZ*3s&Ws1*`gk1s#C;6f1&8
zhZA)Hz7PZW>KJ$9-w(o}!--qFT3eDBGr2N7%i9OWlztum8B$XD<=g-l8-Nid9u|(D
zSvbJ*w?9b0e`3tP1KXV3ZV=d+xB86s7?+)0t{EJi&g#Aax5bi5s~xXpJhzKqY4I;S
zz9z_=O9b;2v=xEa6=`V&XOOsLHk&He&y^A|OWn0f=^e%wYHF=|&kn|vq>g(R?)b@Y
zLGFt@IBD+O1beJT!jK#S2o}E~-bjC+U4H2#OTp)ztu>38iCgd*5%U3*G9*aTUVj^F
z!2QHg^f4m!N@l$4`5NVd9oDi4H~ZfEyYU?e3}Z$S-;zELg&}3NTZ0%Jd<Y$@-hu9$
zdi1QMdQ|%Q8O`C>8Q9}Pln=oQ6igZjp7I%>X!-O7pym#*O$dX6R`%L$Yd_M(zv)s%
zMQ|mAuab-&7v=pT>=0l2*c(^skQfx{<CqcVk0@jBy6zoA)OFTzw$B9VIFCQd<qpwb
zqqB)!F!a@(cnsHlhXJyBCXIbAVaYh;1LUSS3|q%SBaHb}SrsSZeiL^S!d7a=euTx>
z<k6W>kxPh}Fj`uBTV8^1FMYtAk<Qw`wG82YO*g9Qv@oixgg6@54sJ}b5H9?NdKe%9
z{{GTZd#3{mwdL!mKbWGqu&17sQh(|;ae()xc%kmwl=Wqu>AoMl;ubG9S=C-|+ND(^
z31H_`v7^oSRu#$smnCV0TXV38S2nqbQC)AN;mpNy5MN(IfvU6lR3J8-UzB|m)qKr~
z8t!e-4W1tUD*c~;?Vkfie*~Orldpkqqr2E3nSm?)qM(t-<RE(ZCjt5y$ESiaaQbG>
z)*t9FpN7qg?`2U1dg;k$ZNR+usPKcPD~Zlnu7(0F%*P%T<0`FoaQkxxb)+0_e^HB9
z`z$At{aY7@!rmPF%Ntiyzt0Y@U<lH~GV#Jx^XHo9In*mrdy2rTHTW8XV#y4AJ1)^w
z-tRG3etzJTyJ#34ua=47o1{fb#!t91Zs6;tuk*C4A$R<KKUrn)k~lfOu;g-Kt%t??
zc3iT0;<IIqiCPovm1#w6PRfs66{hz_XvKFIMjFQ`dhfgOM3>&^njsC<ex6b6c+Kw+
zfo^~6y$={$k}vO>uKOsb>pZZ-(z?S9C7q48zBjRq#-oMz=#Lcma=U&2+79XXk^3ac
zxx3yE33H6nx`iyA{t)s~QmW*z{reQ(`oU3xZZx_Akp}O6#c@J&0y%2asaUX^S$sdu
z%N0V7rU|Y$+^XE1e4}=|KWvf4ZXtFQJ!Z{8J%bUv1W8R!{7jt@1~SDL3#oHnwmJj|
z&bII4Cm}oOu~&r+x4*^Nckrsd(#eKyD-w-4Ga^ge#K?wDRd8>Q^tsQY?2|ftBz7$s
z?)tdv2p5@Z-l_DqHaANZZCE|T_$;6dMbfxMoV1}+z-`o*g5!n&8YxwPZ19+cIlKg|
z<ye^Jj@B}>3SH5HqFWVrmxvbgc-y|hkJ0k}%ntvhWbT$M_HN!RJP>RnfMEOb7uZ7J
z$PUl^iA?|+&u|tPy9WT6e#P#o#jLCyjDgFz4#o~oFSz()dH3h*h@Rd~1YG)cd&PnY
zOcj2rlR`iclLR8Jga(O<qN3W*hyg2r8@RCn^B$i9Nx)ZQJiVvz7x^C>_wVp_R^N66
zMTi(udm2)ns}kuTi9QmO@Fw;Jb|9%Uips3AnG;s0y0v^HrhR4`0)FReuH_6u$tYP_
zxrZ9v3%M{=6|b%%rsZm9%8p%qfun5Z+$%c%0dhi{V#4f#le2@YY4K6aQ5R-H)5M+R
zANR3&YW{L6Q!2$wGAq#|4Th~k%h`kSBvX_-LA0v%mG6ijZx*66;ffeVgep&PXpgY8
z8Q5j;3ZZ5T-%WtKc(JbUS;;#vB$#^-YTul$e?0;)+zv~Yberxw`f<{;yQ0PUtqfCT
zoVe&KnQKQ`SBDs|I(FfN)y79vcyTT3NbvP>t{q#B^Gqh{x|-lhGlmdA-MS@_$hdxo
zoWQTl%B{zDntW&7s58TTZn8xA-m~p`$G1UmAYRe1fU%LpcGULk1tPG-^SsJ}35Dh|
zQO7$0D+&~s(ayn-M+?gA4d|OUUGgzsS$jkBxOTC=d}6dJhYK+0b?QhhmA6+Lq+@*X
z7Qfnm+ere^)_~)?A74Y-CWKQc8fEMPTr!!Fjj54>J5-WF%bQX{tuV^B6Mg1HjFG)7
zb-inTVGyL4v~J%8)1uQ6m`=h3bv_}$67@~<=N=|@5wYKJ|A0Z-XxFEIGp=DXP*<p?
z%H+vvDG=!AHg>yK2Wiykv=|Bh16|9}*$71irLjW<_Sl8klEw2e0W#tj-afsO=y`7E
z#slL$%@}-bQ(aDX8`LMr@Yq}CzYqQW0my&Z|5?J#?*V?w-X`1qkfG&3o&<sK;sv%r
zuHeh*^omU+exE(7MiVRW)6QmJF<nU4P26I?+n)3iI#fj;TW7X;H3ULVvrWXM$q^dV
z>8{AmS!&t!MFi?y&(+Z!Uc(H$pVDLOC+rvD2Zt&~Re4Z*3j61_xcB=Pc&n6jDNB7K
zoLBvBkU>20JTvfodDJ&Bb9zMA5JoDfG&JCk$Ep?}A7$CGEMDKk=9Ohw;yH@I+d`qI
zMg==V)-XqeTCmZ&tEHe`Q{Pnmf6RRaSXJrTHjOk0(%sFbyBq10l9mo>5Trr6LApz&
zK^mmHySuxj6#k7d!_1tSIp6u`3%rPTvDaQp*7M%a{WO2%(f|U^DFC~$iC7zFw22H-
zW;qJmBO#4PB)VrzK+?i9U=o6>l}V8mQS~xs-n}gt0fj)R7rzYSqluHo(pYa7bkR8%
zeHeSy5a?53DyI<6_;7EHONI5obj(c?4{ccbn=Ele-dqyb4$#i<uIEjbo~n&Oq_xaD
zY0FF~smCL7o}Y09iaAnI<X!9@KknbKNTGdW%LDL&iX`4qFPy=mCvFL?2?<zwQEx}0
zLu6>+DRG|8gUK7yB_W6>Q2YG$R+TfOYw&q0mZ2E(3`S%Xr00j=gedpT%qeI%Hi}IN
z7u}%NNmQ*%TY*KX-oXSASP(dr*cnw(@Hen&#zW&SrTL)(mIy7b0@tTHhT>7ZN;P%r
z19D%7o+yD%E$&WlI35m>)NvQMl#hc^^#^9fAxW`r$_jmQ=!YKMpxu2%5AcS-0|GMS
zcR)s#^`Z;%Hd=xMJK$pl6I<tf2+sGdRJ^<%ptHCTBMt!T9%~<=J{Gq%(z7?RC6oc8
zvx$)%@JGfUePp3gp_TM3URc{2GGYVn)02TUtti5BGIAnvgg|_jHnlXhH!}RC;T$Ud
z&)@w_-}x=R-vc>-4H$I=s)qZIUx55)>iYkMd;Gfu_#uJdVB6J5oC}3!9A${NqXkXP
z8$sIK0XKDT1`t*m_@UyCGO6Sfie|Yp)Jp6XUiR+`Mal@?7IaOS`8$c!slSMqe_k<0
zYa=o^!yYSS$^&S7S+00QB$F{!%jt%jnnjv&;)DM79lD!v(i6?9B9_S8F@17Ou|)pe
z=BwifwcQV{2*I<q0J9h4OJZ3zb0*Vw5E6k-3zge9#+HKH^_&e%)B0e?rTM&8?8z$(
zE2Ej@!5!5q!f%#I_;N-_InBi1gN$XA7m(c|@aN&xjw&?6WzT%zI8>1*g)|b2W|5-{
zE$kR0!Ws$dfz*2mZ704Sg!Q-qLS{fVIY;6{9r?v~(DModcm+R5ZGi(eqv()+!k#Tq
z04N}86lc>={bRr7Ka|-@0!0egr}MtY5??w`I+s7kkCYZ*x6S(u7HdOm1HEslEZ+s|
zm$a~Zx%!1ReCy5m03d(%gyDOen)DfGdy=!txd_h|Q*tz5P1t*vzx&;Je&wNx8<C>X
z)i}bk#Tj2nv|S`USeq>LOY2YJ9D0xP@x5R_F%U8c21m|Gh}Iu>EYv!hGk1Z|F^Wm=
zZ>9{siMeC`q`F1wPhLI6!LdkfKL5C{lV2P|I<o~T4rXHZmY+vVaPirSDiRNOGj25N
zG>77cgRVV#fNTtF1u4N(XVaMzFpj=h#poj&GWBFa<F<pVU^Tt7C`WgG-%ypRt@RJ%
z$LCn8xf(YSxW&=C>$qda@!AlGjc`7>7(O+C$La0NPata$ZaN_ySEr;xzp!9rbr4ZD
z0$Z=(cRDvd)8qKSy#i_ki~t4#KaqX_1c7+*JADuvd1YzP)Fguh>fb~Fz5M>$(18X(
z^^Me_68}Jl`^@^^JW0Y|9_2TLxTkr)D~IR!1tI>A+~=R9;e(66VsPm8e&ToIuoj6v
z_Fg~XoKF!BYCsUgBYqi{lm`zK;(&J~6eb>i$zkpK#wm#U99;J)TQE8adLhiqGpRF5
z`HI^&xK{iY3=A;pnmL+q%n2*4yn$C{w1;J*P}{$YGCI7>!;-+NPf6Jk6km*KlW<BH
zb@_wi><_!{4^c)&kV9}y*AG?Bu(nli7Vj#>&|qM%(>L57bzlcHVCLI3koV}qrwk;d
z4Qe3)mK)I+cfbH>XVE;8dCaa6V&dfn?x;z!Ro0m7o=Ug#giEZ6Y{Q+PH5+sDr+0X?
zT<B`kQJfP%^I;08tv>w_M(KA~J+lVZO9U6PQ<~uZDG#;PeH#A%q&(i|*Z+k)0+kgb
z(9QExV|{DS@V_FDe|4XKXR1VQDMyXKs+N90Af0a?6fw3>pkdE)C$Rx}S+BI%c1`^_
z{HX`BYD1chZIzx!_fsT{Jl@q32)%<ll=#jwe?Hi2KCP?h4HnmFH1o~ma=&zMSI6R)
z5tDmg5w4Rht`|$Z&(L09HMZq4$ay4qRDLlQwrzk1nF!o9rybo7e~XLu{`LB*)t9OK
zwJ6dVVRQXzm9IO^^%ft4PZ2{C*ODwu6E2-40HWiC%LqK8x?h;$6e#MATYKm~n(v5p
zb`qwS5*RH=JgUu>EjaNJWB1+N>hqEiHkP%ePSR?S#-R+-B7Rlz{_XU^l7dewjF_w?
zU&3`P#*7=YnjlZ8!am$btzudO>_xRM{`zh0wxnXwgq17}(u&#wRo+4CcXyJ{8jtet
z&Z-Ny*>7sA&)~SOwuFW71E+j@QIDtVmIHOGLnu{0py4IMZob?dM4aa>h|7>@;JGNS
zL?D*_gyOZQ%KdpXb49bN41!oO)-&34D@@wxI1-%B#vW`Z*!T$*FeSHca#7w)MXV`3
zi&D?SW~epu9WBv2@d3(YC{f2IZ%m4c@uG@e`3>_kY5$ji?c7Cl|D~xrf%%&up*J2`
z%v|(Z_<|^21_PKc&1v>>gQ^&{xXi?tT3ys92(gP#%-+7Utyhy8d74s({G~)%aD5+-
z_c>)sa$i%q!c3m{y06l&uAyHIjk@C3V7%A4$2`7ag$EpO_okVc#{M2X9w^$M4Rc_R
z$HjcBiWKTB%47u5K%%9Sd)GfH52llafn9wq$wW9Oe9MDM_dzwYWa2eS)HZ!>Dt)4D
zX#<vsg&u2WVg>qRQ;m@2Nxp3CEe7zjB0W509O~>~*Y;b;+~rRbUAL)4;WV|p371oL
zFwexSa+A*{DMn*w*nMnqN9~p}#S_3ew8te~K&Ws#_mT*4p-D~EoXa@BaQUWJCcA|;
z(MRi3RB_H=U=}s-z?j_mCh?3<z=5x-rJ`L7@5*&G1dvpHloWRH)2iK#g3IXGGRc=l
zFU3xP-BO~Bs>^`EbbvR?f7MG;h228w*NSsDM5BM0{R$@Xt#Jq%Xuk=RnE{alxaXT7
zE3Xc}lY(rz&9fX*WO1LK{<Bb*XQfa{o7mLTDWH=v?)%_UJx8-!1)zNAstMirVUoOc
z>o7G-a*|QJ=-vW-ed-+>T>FpdO?fP0OTWIud*$KZh>yr5c5{Oo?%*LE{8Y@~7KBB>
zrn$8yV?Nhr1)^NAe%mv0$1vG-nHanv*~%KxNX{Z4;Q6Ul`jtaYlE9Wy8AXaz%_k?K
z(7S+>h5C>~jKwNRxZx8k030@=tm8h)m-B7aGWVuVOW5d;oS{!2@fx{gV=^bLEZ|y#
z+^z{v+t$|m5%PN@qe|WU_A1d#Um$vK_78N?<tlg(HM1)DK}l(+71rVC0Mk1`fmtM=
z?mw^{ij28b9Gsa#>nb#{rm64pH$;Q?0nY$-Nc}Oy0u~kK9)a~ttt?!Ani}9hQ{(5c
z@9|C1Z;71u#dZ%Y2o|;nOTho<+y9ALU$DOPz+K$G5)be%&Hfa0=^gL66W%5DoZ9`3
zNgk*^S|q8fR%#Z8dyqd73#L2{^1=}NQ}RwMUC(Wn23;&RfeESr7@kPi&-JJz^Xjq?
z&j-7}a50sd8K-6lw?#tN9KWgc-@9o4ptpbBxu=wvy@n14RMflsMI_HS{C2yDp&$O0
zzgIjnf|Q175Vn?K>B}sX$Sqop*aRJ?y*3Nks9o?e?J+GcfUJy*!U$*?*%^8@FeRwz
zRs;qRTiEH<PTXT^F+wkq2513JXJqaCp{51`Atcz@FXx#RQf!J}sZ4>=yF(fx`d3E+
z)w(!PtuuUo^e7-<NLNoIUYZy&E1!*ta8~_hY{`B3$N$gsQT*?H{J^*WJ1siIHb$^B
z|9)-w<Hil~r+HKavsc8ZxbZwD1}~VB!7D?vy?kbz0VsoWWi*XZO<`+osExobgEL?z
z==P0e^AKz1)bs2Fy0o+B7a4A`Rq!_c^v7I>iWhyONms#*h>MI>DJEJ`x##Pruq>5#
zuQJyHGCGPefaEN4zW`VECGSYEMc|pU|Av`l`atDK$@`?wXJhoMwpVN&yHBdfLb$$=
zA(Ru_5!rW1#py+zGr(cyoE5Gd2sVJaT*rlkVt@fEu8N(pLn_#ik)a`NhRzrxf)v{Q
z$z94&-aKzVf>rL9%xwZo9udjgUv)kddv5u1*u@4{Oh;k6n|)5_wdpItMHbN|Zr`(v
zAXv6k_C9^Z<v;|=D_4?I1YX|6uPI)Kv=N_PiOAMTE+I;(M%DLL&bwd)MlR?D+DGND
zGWj*i`ei>=@1<#X4tuFQ1je2avM#x^q->jw0>uCq(yZB7nNgx-m0YbGNuX|iMRyhh
z8(+EC?g*}oW29Is9i^(knl3O!HCv?U$V~?jND3MfQmv?Z1DYMctrXXvg&uzT;vGh5
zr|wd-FeLmzlBTXTlvaQy#gza`YBF<k)jF#hqzA<S24M*9m*blmMk>kub2#5Tx#rKZ
zEtJXE2TR4!H_RxmL~?LM$R7o`-V<{{BnKz?`r9Us<mI$gI7AlEko>Ae{|lRS=^Z~=
zXqt#tGuIY<k(0D9pE3N|L%RFZpI4(+T>W@P%_rOhju{VJN#!ioW{rlogmd>gQ2*=2
z1SSLn5zG9s$<cV6#zKo{R&!{F*@e1O(G$Z#O&3U~7ds)N<_Po0>a@+wIRMWmqR^t)
zjKm+KK;9?FaD_V+7ZCR_81y`u=<GP+wfKUI@D^Dw6(y5+680q0)tnQN0no}OnYOfz
z1STTS9;4#EllGarHYP`UyPi*>Vyh>LP1#b5jB;ka5bf*e!3r_t?$Ak<$>T|lAVKVo
zs2mM$15vrAWiBUT2CXKsD-CczR3V+71*J*-%3M~67V*1;ufB^~1KZC%DFsj5H}NB;
z<Q)0Dc@VzjfM37Do)*Q|ooNfZ`a;wFDz=^a?p@%bHzShm9X!P(EWRp;JU)Cxb6n*V
znqOTW0($c$G$~H4Uj{ZLjAw1EK{wYPS(-;mZMOK6BoUiqv!@dr&xKDhU&~u<Yfx?&
zZ8+g@eZ^}8C(oK4TdsQ@M?r&kkbN^lri=={z}eACAQQ0{jw3aKyYCmvA@3qK(HtSq
zSfG_?g?G-Z8l0Cfa?(Z1932JdlnpUrMmEIwN{SIT9NNNVMzf0=EOJ70DurF;q%*ny
zCfjzMlOQ&w(YV<Lg}3hPQnG55Jf16UM91ysQ-T{O)zT}xCWO535h@ld(kHzO5zm{j
z+g|LnY}9h<1SJ#*szaC176S|DG=V-n;h#|2vyBsYtOAaZwIOKPwwk;AJDCA!JkX?K
zioa-5co-2AQ%e_XU|^f^M;}i(cvPVE!bHfz!N|hK4B)tTzcI7@65WPJ{$~9c14A@F
z3MRfqT!8Tvpqk}iW@7qQQulEA-+Jx81L1y5P9tpf(j7x|#E=-$ST~>1c24p+_(OEH
z(8;L}SwbG(J^THdvxrr6`=XC9%BIVEComLkDQClEQ-eOjU8VXa$~Z0%Q)!Kqk3jJO
zI1B8vqEvA+tfgTIEz?L`D>`Oq*YIfP$|;9XPo!nRBr}u+Qa9Ei)9HM>?%rAq?FM1{
zKEkguAvqu!w;8ZhFhxGdaBUeTW^D2H8#z&Nly@U@?e^7z`!FvgOS9>nNgCK2Q8siy
zQu{)>PCxrfNyG4!+uQ3biBzQ6qCCtqvpsrn(c&ZfOX_}C?cqidawe+d<8zC?*I-0&
zY1Y~NjVVeigYE^iZqKmemwDOQF<(%Q2(&8%g|yNQD7_(lW(YuUf44LNn=7#B{P`Th
z%@ozQet0+!Y7q3o<Ws&{9hY7qL`d{%;g_RX5li(sN%f)+i3w}~!B>vV!~t0?QT|p}
zHU~uk0kJr3t__T*V<YPcca0Kz4(HD3c)2#s9y~Z1Q8$BKJQMBFu;J$_T#m5=>TiQ!
zVx5>0eQIeTxZ)ee7#b%nk}`YTEy=r8#s^zn6d%DPK$FrLl9}fcnI@Ud+sl~8y9zeE
z$GD2XkO*hHq8o3YJ$UCQDtO(`C0c5-!6uy)p|(d-6Y!{|4dyuBpPEu;#s1SwTgdF<
zN(P4d0I9k?<BZ2wfaUbuvf1(%o$ny*4T=q<oaq0RzzSx7>XMby0VykwtX(3(#PW*E
zYntCgZvN#9MDBf*gb=&{ZUE<xIy}Zdmf_ibA57&$Z*cGW25u$#7q$#~-%48Tfpe+=
zmft;{F93!BhIG1g8h@&Xp3Vp7{5;<lIHTp>_X!+3#F!2|#h>QE35Gv+`1dluAE!S!
z<$;m*Q@zAgr^+3z#y%q6>^Bj-z*QM{16iTt3e+~?U{D~2lM3zKuG8kL)8Z|qyj@dL
zK^@G9zyZV4c_9YFOu39e8gDa-Ot5397FVY|v)L9RCv7N(rxmcOz92N5l>a(6a6TLt
zSOL7xo!tLv8*9mI3e181{RImpW#kD2tQ_mAE;;D+5K71uirGOiZ>#)hxDK-mkAJ?M
zXhaC%M_W4#l16Bwb>}FATF_6sA-FG^KKMI<#vmkbY;%SZ<SK+Dz;ik+S0r8I8mn2G
znS~Y5NUOQHsu2(N>llcIYN>PiUowg7XBi`4M$X;jnx9MP*^#J+f#ubU?3_ua94kM&
z(k-6B%x0hzopVip<F9?ny?IB)>iNY`IA&uN*SfI~k=h`Eru((u=a*Yh;IX$0;S#tS
zV^Lc)2b+wuwGd_jZ#Ua@4&C#JFF>bct^$V;6Cu^JQ{PTo)AZOh8n&opooyGlMp4bZ
zK_^Y%2_=8~QM0OVpo$&(EBW+WKhisO67a<Rl$89n=Nto*iU`&t{FbGV=8^+Jkz#gd
zpBaww?VJ#eK4gTxP&9r0)C9g0pPj-dC!`Z>4Xs}iw8XCbYexi^^@znj_rYFdW2Ufn
zFo@I(G7*~v0i;W}Cl{FmJd@8+L%c9BF@_tCoshZ4j5wPqKB&=>Dc@zz$OY+fJ}=^x
z3TXhc^n4(}jrgu!U_fr?RzZ=vCGH-omHRjm%ipV&ACoP?;UE1}9N+x5>;N`kT%MJY
z8NhlU*?GA958w6gVliDN$K4YX<tz^5-uQbJjXPS)<ohV%ddrz^=*|K}Yr3f#T?Wf-
zrEyVrn3kp_%QX5I^DAr&k<c{~gNS=BA89vPp4vPj%i;;Z!8-ARM&gLT8b!JFuQ(Zg
zj*lPL?`bi>%^3ahBz>qL_OW|TVxM`JuWAr;!6xw&CG?{{j6F4-?M&FWFbk_X$<}ic
ztA21#G;(XxK1i&>lwF)LEj(vw#C6sd(i}h}4ws3TbZ5dWhod!X3gbsZ2_!^xLaXGB
zc@%I#hCg1W3$kZTO-W`&&4+1#LB`J~LWusEyo;;|QmSIpfc7*5UFo&f4GQ+7W-<LV
z;_Bm;P}8|<u4hn-KVmWU0I!-q0^zUbBKH2RAZJ7csd^*miQ>5EXARCd6oBD9B9TC7
z12jF+{?!XIII@A3^?xD^-VcQ9_dFQ|3P#so0@VLf2sq&nIE51g`gij8t(lP@IDXX2
z&qBq^S$e6vr=O5ca>iz2HzpcQ*mz%C5l9Ce4kHm+KF?7!7<hbnNIhe{%YKUr*4fL=
zM{GW$NAEFa%R3KP#+Mer3PGAo9`*sedaFL?-cbWjC7r>Xxoga2<U1O-vhOHr6JANP
za78j9X~lz9*^$PIFF({AZe}9_rr%qHXCj#QPHju+9rOs)=W#SBxJYmZS_|7sz1T#A
z;2MO@^F`(Ug^j5Rm`Cvj>&^5fRU+h{$UhaU08+Wf*{HD~&b09F25GDAhQ0;}pp2uC
z)Jc3ID#)g!`}*XvM3&|Zph@%vC6c94@bFbiyu)35?5DVA3_EpVlXYv;z|bxjFnR;J
z`@^B)98RI-^;nTG2V#hBzSi#Sp{WnBfAEOpr5TC7X*6J*7E{p9&d9);P(;sOk5I`4
z7}mACpB5%a|1(?*2MpH&H3zV(|F>OyKQi&R;o4saBI-AS_^tgv9Ww_DF!cM4AOhnw
zz#<-YCKlFjLjaf`EdQ78>QCG^ZIof}F*VH^tqj=>*82C}b6xahR3myzPWn@&WyGAU
z>N>yma)y#Q*-J!J)AdQK*uY@GF4qRr3?$)cL4l;sdxMI3D(^elz(PwAsB$+Ty}6i6
zK-qSr+*;#SrBt}v^38qo7w(!+s2BF6j$EgK7xfbj;_eLf$U0B|;As6rR0aU9LYKRN
z+2(fGEpOFK0qkR3Y&DMa2(uxIs`)S`(s_gnS0zw?9R~)#*3kUev0@BZ`&A+2n{fAj
zGxa7io<e)BL=*6G;5i4j*)-Ya&V^o->gCQ1TT6gZ9K9_WgU4bkDo|xZjsO)y?GHgC
zni!IjBSY$DV*m2)`Qy;-hkFy@J}Tq+TVW#x5Z;IOU{SGDtV~^v?5zovjSNhztSzjK
zO^yDm(nbm(zJD`tRGc4T`J*cy;g3l!_ZbIF0Afs}ZyoXgzz`t^GbbyX#{B^nHlVTc
z^T7Xw+x$Btrs2x@a%0>R-Y~@<C(h8ApO_2Z0o48QM$0&)yHCr!AabKdXr1tB(oE8;
zngs3XB+sXlz5+B9qg%CrIzAZeJjvKY8UfOl_|Ck8B(lSNSde%>jdv+?RNX7A(7QG=
zQWMSPs?`~S97)4Bj2_`jI?JW}NMY!bx|2|$m{;$}k>68~4h<WJ;)peh1IFoXhuaNi
zHVs@vUOzP;4fLmH;ir;T45rTev=T`fSo2Bq3U7LoqVO&eEWWuzJ}L=}wxOVgMIE-u
zSL$x@wmfZjI(6wS$zHCx6FT*5Um-VccEFsN-E%B`6H&Fb2ydY}p@}2CrRFT&7g^e8
zm<MmVLor0D5||vo7!Rn(yUf8hD)mJ@*q>;Sm;{dTEyz-o90|bJ%V6}%WR~L(L21l?
zjviEVNI1Xt$2N8@Z;HERnQPcoR9!D$cX%}^7zsJ2ZMqtZAYAjsCyq1rm4&B<9I9={
zq&t<XNUdTv^|+uI4B;(t`bSMbXni33_@vEcfa2Gg!w(Ad(B-nXLohQohi|V{H!No>
z)t=6+(~>>uN~L#}y_`u-^{4GoJH=k_iVDW|j&p6Tmw#+Jg{UDG%(Y8?P160b#H&#V
zB>QsW7C_%QBKCPb%;D=vU(HZ}W*-!?Zk-Qn)pO$o@x26z<Lrzlw}m14VVo**oai;B
z1}S&{UR}h;3}sHR)^z@`p!(~vOWfRHF2t{Yz>Nn~AGk%orRu)SK^$1yZsO+{57cM_
z)4P#wN5h~CmQylE#`t37+lee0u`t_79{q;g+GYamIcNGs`1`oZ98@hYG)qJ;Zxoy$
z*$%m!d3}75MHuxnO(!_^?O?)=OITU@XSln}LxcXh-7`0y45`w(zRtWvh7&h}1ei#h
z-3~7s8nhNz0{8?=5I@&U@WY_Sp)o8Z;%U^V4zO~S=-9|SU!^)Gp|n;1_`W6N1v#!0
zEx99WFlC-;`W5#%$-E!3eRl-7YUE~dt@zmEcogE*OvxCF&8nEEwRG7t%)!#RB6k`*
z9e9RQm5gh-Jg)g_aI^b**uBRCc1{M_0oKwA9209gooOGvsMq`?T%JAWzMKW~Hg4ve
zZMA>O%Z7hN75&CUGhYOY=qPW?3xReknyrGptfvHr+%=JmATiN1^(i&~O;+Nq9n;H}
z)DGL_AQOt?HKd9*=^VZ2%Xnm90TNk3P1nonLz6zb*XK*Gk-YP*Kh|3K2s`x$MPX#5
zYC5Cyimou*&M&{{Nf_;JC;y6I0wGrPaXKla5v#GZ;{<C}3#^BB%32C~x|?-Iz~Q7V
z56e1L2>GqUMr^Qd{eJu7$)JJpw_2)k;Oz%aP^@=@YX|(OdIz&Jbbd$uMJZ*NFruwd
z8MYW-#6PCP(H^%g2%9`I)8RgHG`Q)5qRs7CL9DE4Bn<~5dL58L{FpTg4k7aCA&}pb
z{MY}DIQ~N^fTLplDUN?n^8nTW-?!lSK6(6mM(>a1|N8y?o#C;1<DO+(+j7*67I1D3
zD!XhY09|WIq3v;@Nms7Xsi5;dn<-Z>;G-3i{|Epq{&Lb(Ed!HN+sx3V162J352F-^
z+X%$SQ_3wu9d78%J{h~&(;~S})p3oyxWMbv_a<W`{^}HiFckG4tZaR70k(@vncE}F
z_6}GL)TytYC_~^(3Ud~!P`0mN*PVS@E8>u3?sN1@;}jjqPCa=XqHyW9M(1(<L1z~|
zt(0!Kwl7l1Nt&!X0yr7rsP85WKVF@0Tvv7jl5$_t1@&pI#4N*=?I>r@Ex{Cv?Rka3
zAR}n&-U138hBiU9{P1(EJkteeX38G<*sDC{US)rI(Sj?<Umf9pL3<uK_V+^Hk$!IP
z->-|PU-4xZbGY~``1+Z*m78BkJOIj@n{}r@B#{#Q+_uD7WOWX=80IU9#B~F8Ta5}t
zC303M#R8nS!O+11JiCjaCUIFwqM%l;&C=MAQ!mLV$dZLB!?Gy?!t}c)A}{%AsGR(}
zSoWcJw=3o633Q^qLF+;=llEW?7lBg=+w~M<;-R$&Vz^F&XxX?m*^F(;l=k2(cg$Gi
zIok;KRebRsj$0IQSuf_7i%tYJd)})0*x9W4V~;Qj)-p8Gp=vl<%WlbfA@Xa26Q@6J
zeDMrLsu#Sif|{Bx4r7T^xn5$_ks>9L4l1{Mk8|YxY+5251sE$;sX*-J)mE~~8!WMj
zDwgxt1DuJ|9LEY5a<o8F_UYbQ|3S*|o7Cm2yFJ;Zp)Ph+<SKttoN-UeTz|Wl|49Sj
z=cGzh^xtjehkjz9836351B}WteyimNngPEo|5xwr?<m+XU07We+m0oBWSVSr9^@Jo
zIN1QM_k~+RnjlpFepc<LSs2=8w?(SgPmLI&^Tt5U!6`AbrcxlAsi#DbBNrCAhdjYT
z204&+^0b^$vYWg7w8%zB%QnddQIzA~vwp&N#61L2O5>bE%b_JEE4Q`%5?a2__Xr=2
znjP*9Pfy8NS4&1weRCs~vC7JqLUpa%1~uA}h|rdO_K$7}Zz{*Z6M3H?@N(tniyp<w
zlBwhMzcsBJ?PKZ=J@mRQbPuen)kW<wiZxC@#rh1cI%YOXv64~fb0qbc*a;WXZUyV5
z(5F2IvBZdHOJ-p-Ibr~aFsw3+)y9Ha57lE*@X0bFN=HOCfV9iFU}9o^HES(A*NF%Y
z;hT$gvPs^KRX*YQfZMj6b0t1$qdRV?US|z+3>}2dRyo;3>dbvL8R8XSLMl=u3#q%x
zYDg^mDE1Ky4edyGXaxeudt)lfDbRB)2w*;e<E^b$n_tg}r{E%Fe%82egdE)I5`Plb
z2zwy^$ty+Nkk88(JkaqWh?(kM@MRIaqpRv-`$z?O3!dg0@1Q?o_13GM#uK^1m(tkt
z?at&G(@D3zO=W{|eDUH7Hvf)<GHxTF!Bf7;t#Sb5GrZpPCMo#RDySD?!;~M(n}#yB
z{8w6!)<rx+tS=eHiF)vGhi=*`1BSU|I~^-oB`W_d3=6rzb*Kj$O_QaUn7-0ge%Dqm
zcl}ow_LG81WR8Qt(GT(0<BnG<OX6#opRJuN39v8qp}nf<zGkg-z=$@3H1$jFm&0<_
z#PT{d;A<Vw3_oXh4(f=?PYY7hAE(GEX$c|QzK!IMuzX#v<Nf%UYv2VGDGSY3U(crL
zTtG?-%cRTjs8jVj^=G#!<kuYjd?`TzhHC2=Tq{?hHLJ|d%@I@8^Hn|yYi)fb<4|rJ
z3ZwljjGsP>)xi~h;YEg|=9Y>iI|v!`4e+F{hY5Mdg{rf~;v(OSjCD0ii9a^10H7)_
ziZGrafHf#>FX#|rG{A^CH0@=$4ncEo6UGdjK4KEs@LUnoSzm1iQP02HBCHRjMHFX&
z+fi##V*8ReR?OIc3%2fXT|)tLb$ZU-<DOPP-20~c-LN<>n^V5Jp*h9iAw}~lX{G-~
z(Q77|5*L$U&aH@Ntv>Zgv=i~W1Mtg)oikN@t^7?4b1d06G(`Qz;ZM(2cgFZP<!Wnk
zqD66E5D;A(KDS<SjA80^IJa8=9Nt---IpKdZg@kgAq8$>&e5?2E}VFwR#Q%88qIMA
zeo}YiZ4OO1tVob(2=?mji&-rh4WuF8*mNE=VW^&-*=j+y88Z>%fa2m+QIsd9kIEX+
zIpayKABzqfYs2JsKbg56$<;yCBWUvbP*GS28S}^o-vMLvC3mzuiF*1zPo#2+BS?E|
zHODNFegTv7L4Qy%G+`TWr$HHQmgAlxCI<G4GY^OK)Zch<9yUFBkQM_Eb3YbX$-vsi
zi1BA0Ej;lr#|Y&e^es#czW0y+*0K5?nCXCFJ7A_g5RqA!I2hTPSy{dTGtis&V+m|Z
z{ZC)-PdqPA*|v++p6A<44u#w6JGDM{eYgHG^Vs<-*lV@<NS9=b8pSut^$ZY=)%~B5
zhpF}|htgY*0&TGB6pY%1lUtJvQV4zcpx|<aMEp?lq`2s|CrlV5WR+;3`DGevJ~(lz
z{cF$5@12gndP2jX^*_nacVIz*h}lD2oEEt|$N(Nbho6Zv$;^v_t0ehCY~=B*TCa9z
zpI*KTwo`ec^}(46sg`J}Eq!VjeBN@HleaBecVyMJ3=H7b{`$?R{5d|^*0rp|#<RF=
zRvjFp9lb;wl1hZEq$ove)AW!~siA{l#9r~Rp->c{fZ#q55X!F!x`N`lpj<s@uLusW
zOdk1YyFa|KfB1oYt6%;pAS^!|cs~RLxMcpP1>{fLGC2dhwhZvscV8+XT|h(ka3;9P
zjwAH}0C3?iqWK0J+Wi}@N~<dPDxkYg;}}o(v*j+cWJ9T*JgXkJ_BgO0t}H2*5QS~X
zmyBuh6)u_el>#ThGB&erwyKBXWFLM*eDPlukPS?SyF=Xt-|Ta-&IKuzRVFr<^M}vj
z$2d=NJ4x4%?>8jR+!gu91R;t%g?)@1YWzGoxF@XFqW#~8Zw7XGB)v9=eXOGQ4rR#&
z4B)iI`0@kKOYjL_a(uMvQ*Q2sef2Nq(f|+j0nu$c-6x6CM;p({h@V)t1gH;{g_!|K
zAaMK(xbk-rh{gvl>E(cK&lo2Ce!M+`Dz2RqdH$hMcb{AJPweUY9OFM?2pbFQcOUO}
z5xHOfLn89<dVfdQN+gW35b%UnBP~;Wv-RR0x9qphkg#Ame%|@2qVZV;R0-*%FC<>B
zM!vTkR75rIYZB$&D|@(2A#;_1ZoRUtLIIxI8bMe{IUI7oaN$aUO26T;mvcUXr=LYT
zJu`jf<HZKj;oEdoA@HCz#c~kKo@OKFxE)-M>4Voqn+2g&+g#Fni*b-3+IN}@Rt-^Q
zrFfRSc8WF-x?%C*w#(8WV%rtJ#>AMeebEw~9sWf-yYP#=S?q^;Qs&`?Hy-}y=Vf-(
z;cmr`PO#td7kC-*H-`ka#{m*y2hYa3SoTvG>O(pFl@8+53d#&(FhY^$UQoL!Dme5e
zgl+L^HKlS>hWdaZ6{Oj&(9)F8y@&@97|K=-OVWNN%0@n6E4(}SX$N6$;PHk#M;atW
zemvi{LWcz;WiuGkHm2oXLo(D@p5&P_q`3v)co%$phu6%pr5Br0QpUq@>6&K7&d2L6
z61*X%Zml{jnaQ9(t<J=&)K{~Zt;y*C&*MTeNpWw)Ny9xdMW%(5Zmrh)()vUeA4ztD
zUp<FpjyE8m@)_muF%H|TT-)7ph^B2wCpkDp7AGv|yH90|x<14ia*ts^QHoi{1}BU3
zM<Jmr7#)@nEY;*p1FqBxYM*@WQnbwIO(t0X;+)T#m?nrekW(=b^9UEFP<4IgqhzAg
zjsd1pGA(`UUl6uGM|^he+(dh(mX@o|+$YHD)oWkZt1W-GalZM?it`2+?v@&aLS@#8
z;}%VJ+-0cUhYESowS+g_KlyLDvKk!sd3ANbZP6>TX6H&q7$|&T`2fkS2C_Y>KRQh{
zuH1-=9GP5Zd8_`_<zh#5DAhz+D4bkzMS77TK9^wx`fdKHuJ+T!XKHT_z1OdcExeva
zg$pD`i>deOIHQ*u^9jK%Qcjl?z9noFb{l?<4TC`%`bs-?`+c+SdreG3&zr&}D0jRb
z_3Be+D&r1SyyB0Q_SB9U{5KAOw3z4IIl8C4TJS4~-MW|E1n5EJ^P3bNyJWdR4b^mP
z$cd%TWD-r}bd}dXi=l?S`A|<J^tiA?D$qTtd5Ug34*V?B9=;v~uW5pv%(%ifxY(~@
zhZ;P*?}kT&)O!Uq2TuJXODGfEV}xCbmal@70z9^2RG&h2YLSkiqUkS^^UrkovW_{P
zhoLr?bHxYnNA)-t;1&-7-D>!aHhZq;%x`zJ?r7j3WQFGqUL)qoI)lgZjnM&OQIIL=
zo6^Df?w+fULL$cMD2X1L2aHSfqvyu?EH9Qroi?M*=I!AIYez&N*eY!5U7__9`-C?Y
zm%^%R&uLAr#T9Dm;>{GrmvK%*ojZb{UYbY~m9VzWsg!j$3u@p7ehRU+Pd8_lsRX6`
zT38r}!JV7vTfZB!)Ao`yzn1FiQ5l6QE0fL+=M7`xI9A`$@9<U`y@~rZXY9++;ddZ8
z{s=VTu8^|76Pte+Z-1kb8QFfr*?`M`h_n5Qw@g3=Lj3T*1p3W;j06Ha4h!ZD1`4u#
zjd)`M^0-T8`~z_tD=2rn^18aCL5|06bDP=Q2BuI9&t2`>VSQdQ5-e7<ZI8e_9DSY%
z`AwEsaHi6VXky;HmD2r<SF-d0NeIjiunX^4H(#%_z0E8lON}jOip!>XhJVO^tIr~#
zFkBHTRH!>6X%=fUKLWDSr)B{5DsEmfUNcHIcJ!*3iU3pU5|nzx0LF@RJ8)#ZlURDr
z&R-nl9m1QiB0qPj?K);TL`9pF*i|>nI88cUoeUo_?T@Qu)oyuMp13<k!gG->Y_#@n
zC&p0Sf!(uBGbT+W`*Y@nls+yDdmK3k?4ZUJiQCN6%sT8D?MLr<uboRaY12OQrRgpm
zN^D1n;zKGpW79sS)uQ}>kV%rt5)QeM$vlAKggS<pjW0yt-*0m}P5*=!udez;No}^T
z!=5S`vz*O=gC0pa<1&gMFix&+>>y>En@y+^mYaIa(1i_o`6?2e<`toGKLQqZmmm|%
za7n^)1U{$$TV>UC!Mc+}HnEp>N$?uQV<hD_9kYJ+8&#hsbE&Rp7fz$&DIioBV6EBP
zc~OgDK?-PtalI%f5B(VnicYMmd(3E+#iyv>&=)sDBRhXU$z%{ZVsAgGR-H%GryHPC
zeXVkmC-Rww>5L>_d~1vv)OpaXl|4VzXoPnCx|X>aO62p#U=Bjwi$^R$w5R_O-ii-x
zmJ;8k(4J4L>6Vw4+Qc5}xjvM#pXo^crlm3r+i7yd(I#PQL<v~~qDnY+B1#}$di{*6
zk7~UrDP5y#KIV4`r*@)}%d||bt0YHh%TKk?%-(L~#}6uUk+vEcYKb#u8L^_aM%P?i
zDa6-hAL$3QPe6^v`w$kquKP&Tl7rw2vV1~;>{B}r?lnGd()t3qYuK@(+?pyC<f?`0
zyfhk1(G;6jIz4#lNg^Y|=$lw|tM#^W`7X3aQc1z6KBd{VW!#R;f^&24a-ps9NFS$l
zIW{m%hn>+LRE=;Tld>r=tZHd{5#`O)$=+>1=ik;KP*~L2XsEcNZXZ)ins(|0s7VXE
zSaKO{1GEGWcAawU9>3XYaxYqM%O^kx!?lzLlOx9zUI<t5D}`f+)a_Q`d<>C6J@^tm
zjZHza$%Z@CIQiz4OE)L3^9QF$<-}?SSTDu+)fal^`+OYuae6Atk;)<aA*2Le-N=b{
z2{h=kwjlh<IG3Td!JB9kA4TPK_u`6L8Ng(<Q{p6TLCW4cXd#(s;u*E*FeBk39dY}g
zm&n#7U+j=U&J|`RJ;eY8cFSia!Yh1Vbk<ZvfHS(n{iWR24mXK1A`q1quNg!fCN7Z!
zXTEe0p`}9PG%j|4i7T8Xc?qNQ`9KlEYyihPzvkB@tYt<)SDSYv=Ag@>()}?5+^KY%
zZ@`GpthT!LCU{P3$|jv$KfD5>%)ODU`@_lU)*VjcJGr=n)D3Kw`&1_GA?F52Jn(Re
zi2m#n0*eYSLia63Oek)tFTwb0+yQu4QAJ6aP)PA-LMtKT{TwI2H?tU+2@4#>!^y(>
ztpJ^w^~aLses<bFccniuh&y^aDTi--&l3-Y&<K}>&8-{?ztDjDjyXn?O{#MX8kys7
zuu#|8e||i$Wx4r&jYpPW<WX=x`pe#?sD!iZNgjD+#Rxwi=NMz-EL<2YUI!Mxg?(N3
zPWTEz#Tu*i1EDN$Pz0b^3G-L!Kz5PH@9$K~HQZpx#>;9SrJKJeu>6Bh%d6vi#-djv
zz^m?GRA(E~+1onU+0$DY*)sr>6d8W3b@Xj@?(-0J4D@sub?*P>-%=P|(w)*B{Ov3Z
z^=yENl7^<XMh3uXA1?F{-$huK_s4@HV*&^%0>9iFBEWCLg1|3~z|Z@Cv~u^ay1z8=
z!2NTl73LKY<u|y`f&7-jVq|ON2&@{vPi3(%wX=UHNZ_U*fEQqlATbeisMpH|mwE<U
zg?`S;k;&E39DLY<GXm&JLXUbF!jAd8R6o6&+Q)1wDLUi3CI_B!O1aW8OOtR@rBF?p
zl^x@X&A-960<Oj!1nBkdoIpbvcQDXIi%li~9h@4s%|qe_(uo3~`4;&@yzRIF5E7cx
zGS2jNPrEbbUOYs^dmsKkAa_jn68>$FC-5sPfD^#M%Eo-(D+gGx`f~~RM<o2mmHv)C
z6y3q7M|#3anQV~qSLdyDalvw-_ji-%rANO!c^_;So^EWUJEClEpkOV@ykrZF>dw&*
z6$MSDXfEqy0WlhTJue+Ht=+8W{&bVFT*T{@Lh(FvsfpW!tn@97NlniS)3&|mY91E|
zoylx$>(II%K1uI9vN(itlhdShee@+-JLz+BMX-M@QO()WmbwOI28%B?S>(sc@WZkz
z&+98*9u(WDRR({@b{E>_f{19bx5m9bX6f=IdEB49IG6U1YMP9Wr+Qs)4(-4PK+fDJ
zm$bQGRL_Og`t$}kf`1{K-XyVx`f7Z-bmv<y-c*T>DQ1e+2YE3&D*3^@@BLaOoG|J0
zr{*%oixZW6a?S)XFG+V6Y`z>v-=;=uti@==E5ozC(y=%IAt2oYuLV1IJWCr(-1np9
zAZF;CVsJ!}`)Z-Jbsk0$;DIGYBp!k15{j#NIVk0~wqLFp+Sq1DsV&%M^?^e}j>O)+
z;Bo8cks6dI%+Qfj-0WNi0I1=1Vm3;B667VZzW5IlG}?xw;|I8i3pbB69H>7VSPsAm
zH4fL>;3gBTBQcs{On!l_SlIVW?v1JlK3`DJd<K(aAP%<-WF>;riKWx|B{&)j2nc5@
zW!kKsHC|)BrjcO14nv{smAo*KFyUw!X!b6A6Wvenvengz=ROCC^71^M;L~Pe_)Z_b
zH;VX+D4}u0(ZoU}=C~NuYpwT}sgLRnW50JF!9xO0L%Gip1cd_pWuu6PAo3?r#B>iu
z%)f6G@zYt)a#8N2Gz&nlq01pU79eui-IYN1;<Z~!rJ&w*DnQLPgVoSLW9Bs>@G3I>
z8j@yY!6GzGH{=1d+qgcEFcv=dDB3Kdxvu@f6CW!Ot<y>ep0%HCtu%QpfCxATA*2P7
z4&koIBKX)8$@IQB>g_1{#@Mj3mary$(V-f3euZ`RA%ZH}4AFZ+$5iky<khMCeBk68
z(z7W#LcYAB;NZCGZ+hnF^++|ccPQZO9ycnM!wxcGtl$S=qsK~EYAg*6!bFk3h@8sO
zLwx7u<*}vcJuI}jgok;Z?Z>w1zl5+`Kh{0LBYdnaY4zGG$+R+1Km3j2)Z{HiGf8_d
z4Om^N&h3q`AGlbfc1I5p`Q0Q~s=d_QCF+w>FEzGaBduXPMyGAE*48p6_VMGlFl&|u
zo{!!`MR|>F+l1%wm+kw9c$=|y32Ar_D`JZxJ;?z%ig{&3p~fjZ=;pD}z*_$57)yGA
zD{gSx@c?|YMOcx?%xkMz!?OWJJKFrFbHk9o&J=fho-DZ7zFS$Kr#BiEcK_x@6iUze
zr|T&n6>zuFc49FH8*>*4C~EJ-rj1>6L}F3U`gyh(mI7Atpvm}}gGaVaEKxQ-p6@x{
zshi9TWMf8@osNU|koO#pcP@o1g&l#c=I^In6*?`^7|5lz9<bLr!}zAwSlv)1L~MDE
zrjh=Ri|Bv}PPzuTNrPv7hzq^B8+xch{$r%R?_~y5XZJ~Lzvm+N<v73LBH!n@{--+O
zk5~E=E^-Vv?=MV<wHWWWMJ$yxnDVx%0+PJDcQtn;ygk+V6=PsQU?ByM5wiD}#nu$r
zBW9Ae5vFt8l0{|=?e?S6psT~0DzqLdsTQOH4+kSjYJl;X;l%{D(@bkiyq?f2$-;k!
zi+CV|qO)^lQ?AKhW?$@?Gkv_>4*tiuh>_zz!bL<?fmGwai;MK|bWl6AJa^FNWCPLF
z2yTu}=$oDu<mL`Yz~CP5lj|YANcZf$swl-#J+~eCf;9}}B9Rw>XntfdnwQx_+#*Sz
zsK6l01f3L4T{Kd|(9&gvMl`)nS<JvUi8<so_p#)J(SOH9Ovzzhdp?y;&kJ$ZSJKh2
z{-?Oe1G)PH7vTi<>bnm@{oo?^OQ1vJACT~WlZ#A+Wd(Y|m8mJt6(~uw*LWCUpdRLF
zl4zPblqA4nGzYiM<}dXz*0!AVYj0Ow;uV{<#Rg1@cgIe7L&)=bJ-S=tEiavDFZ=oi
zW;WS(j|>AXzysi%WcIB4qa7s=%SFP4$7t>)uBclfZAc9Nlrgf>YvO)cGKC{DQdX4b
z$Q^qDF9N+xYWrwX#O(+g`XjS#&5|>5Fw?E~<j>p%TJiyd4R&3qG{~s<!HM}?F?OSv
zrm#|X&7k0SE*_N<9<L6zsI1wfWA*%}t}^X{4vHA!4ov!aWhjNNL}{3C#8lADa-ULN
z)y1kdiQ(<xMdN)kDkI1cE>cZRFAX<;T%~L24A&E+wT~Z%=#wiE8_JzU)K>JY1EkEi
zf+Rc6pS5}_b?O6)<XeN-_FhW~@s$&LO#C6n_w)99S92lNxM3zFwL_=!bAv|Vc3e!I
zZnr(&#Bz;c`r<Fv`vX?C#*r}7)*)=4it!+yh_o20zLa&?O714NZ+BN8hSfx}yiIk$
z#q7Z5a+^Yc=<BZ%HF7NtuP*YH;462P$p>Fqc@2uLZh|SyTrx6Of-TH?kTX*trd8zc
zB?u~IPrjE1)zkvXZs_1lW%9NCeD_xTYR#`?`4wYIu7_<_O&cwJUxFGU5xgj9jM1(U
zOost69J6GU1kacLffBy3)Zoio$#zy-@qd$xy!#S~j1v&4gI?1l_cZc32yQ8p=O57M
zKjI<}py;o;NOW%wK?2HNB7zR>ljsiqM&wXup(CpZaq+OMD5g-G@XtX07dRjeYKB8d
z7^vChjcl>BnefiMgF4-SHPXzFtPq1EC+W5PiQ|qRBsGN~O{v##=4Szi0>s{96^W_6
z;l1*$0kjO(y_V;!*za@EL7~ES<`}YqdT1ke6~lDklQ0H*?Vz#R%v$V}58Z?n4VqDU
zT0~3FxRuULi+EOZ7Cvk#SCvJ6{ZK$~60nBRA(`(s1uJ-V!nf(f0--p+<#i&%pe&m5
zWLd6neSt*{xtqim!zNVThCtP#ujY<RL(agp)yfDO&o|?)0Nx<bvP|F&=OlrXN#&R1
z@d;y7&3yaWFM*$Nm@cwOa~-S1l@3EC!wWw8Xyn92i0Yj$fXk61<p&>u$CZ3|GW1fz
z>{ZN$P4vvM=~9`#OltUDU`mp9zvy-h7;)$ltH;(cgv(0{WuHst8b~IbXDTRiL+cdc
zFZcFmj3@MSpUNPaW_H)_5kHOTG>O4@y%I*r_pxK=oW&xI{S7q7tpCgF{#XfNt1LP1
zfJv6OR!^f{bRA5Qj<Cm-u8H7V__z59FhioWo%0-xvFgfpJhp9MR8_M|;Nj@lp0{te
zjr;WaW5m;1pjroL6iepf&GvIZ(Ce&7u_Dqvz04$q2%TCscn%iDGV@kX3)lLYqha|M
zu<G*^SYQP(Gth9v`EEFZ!}y#&#OM1kpUl7ZhQR;U8$tmf`<6`)kN?vf@|}Ks8^*%?
zEtei>FapiQ`<{H9K!*q`FrA+D+r$81D(0`tfBJHNmsvSlCN=0Pe&~=ya?QmsAuk%p
z%GF^$dpiqalD`Cwg2yiZC{0GnB!;zIX*k9pk5ILELBV;Cn)g&fLY@zHQA{P6!m<@v
z1|d>Wcq(8?Tb8Yos7HrW076IebzfEoO@RRZG@I{)#Ay^hix?qkbGAa56!xJ!zo|Bs
zhiGdjXt+W*$(C(VMZGGF$Kzhy(qgIz*lv|Rq|plOeQ{O|sr_U-2%@2P4e+RyAU)(3
zZRYSX8nH1m@`=ZHIW#XAv%5Lc7x4(HVdziuwu}|u#}X`w@l9p7_Gq*-dTvQ1rp1`v
zV$Dz4xq0=(ErjitGeH{pvTSU8RYR`Sacp8JK}Kl*j#PhI-TG@P!`B(Kwlu&3Q3JjZ
z=a=^eB$7+VzJI_fuhAb~oL+!e7qBiO{dKyVzw5v6hWW{Q?xhAuf|!Ay-@GwQz#s0V
z=fCWY5l$CO=lAD*FuC&2tT)?lUZndA>oDJYlkQ;?!1;R<?wdOq6cpHAZ5GhAn4RoS
z<mzcNfcDt*4O*<O2<V5hZGc>oe9Mce*P(z)8^-Mw)6P?yS;8m&LkLHWA3z;^2VSSi
zG*#(xC!hA<tvolG%1Vh}7tkGHBf1@`sK%JF&+-^sEO`s|!P?xMmW<Rk!{~raV|{~Z
z^JMY8<n?KUDakCv^rqIcFGgeWjeTF}Vf)CaSs^ZUBcC|%3f_?rV0BsSdMiQXu1OQi
zgoe}(Xxi-=D$83AC#&3;wz9Q`)bse|n!}PKEJeT7EqdKS8Xu&m6B+g*3MPQ9KRAhw
z@3X>~{FpjrgU?AH<trtB%PI0VHj_J%{d_e&pCYU@I-c7bO={g{t=u;b0Kx{%FR=0Z
z783yZe+xFK0hHfigXqs;14#6Kj~uMP3Y_oVJij5wx8;As75@%A5{`XYY-$;*0O?^3
zZV-cw`t=E4z2iq*VU6QBU_K+u#uD2lgw8yn+l2grWk*~U_7<d`hxbE<#m$5Z+0(+K
zKEs(ed{os)FrzH<%;);U%l%l}2bglw&x%&?C*U=oXiRZcw_zIMuQHca20F>YH%-Tw
zqsCi5&bmz~farU&r)$Et|L9fKc~kWM3r3%ij+ZO}vKTwX!I7c3s)9wt?9bUx@TQ09
z5Ex7q@)}>{260h0bYhn-qa8JJ;nfUkmYUsGl!_5%-r#fF97ex&53!3oX+QL{DWoF*
zf)Bxmn?8lqtLUTeb`Y!-8&RN^xuXX;btThAacxz&e>JIaVV?67Jb)H0DB)kZfJbA3
zr1ep$vFQ7XZG+s|CKGYzjQ<E8^FP329N;wq@Cr!x@=f>h^7r^>;NzQB^&eq~Sh`5M
zkiWoxgdsp4_E#{%vj0khCp+fNAvTHwG(-6<&o#aR`EI~xs)eQFu?|w0?dCxhoC?77
z0QN1ELhh4ny2G-kO@x$WlEb-dPApr7i;ATvop!GMoT)8^AuoweG|Y<^d1O_J%Y2Q{
z0&ARlsTmswvn&U#C1RMwtT$hVr04o#u|uDLi^9<OJGd?Cn5u!yT21BJ5<it6b9k$|
zScQ2fEG%E-D)Q>cMPX8yH*eHy^r%~|W~L+Ff5^LaO~~@LWW`Vxk$h8tg}m}n;N&9%
z0}cuYeC8di{Q0y5IeQteK+mW1iSblg42@obH6eF9?z&K^{gb?-^jS~p^Eb%Xty|}+
z!HIU#(2r@AD}fMF1@wlb{cu~uZ!WE4Oo`owuj_unIRcV}2gOGBWh6!qFa?;k_@jOM
zePG7a*z`VSoKVur;Aa^r94fMtlM}rm@K^WV`uo-ejK9|W{c;AdY}LWm$dFJ{<fp^r
z8%1Gb1d@{PANO`7aP`abf9f{=4t)v{pA4)Cduo*ioL1>xy?mTgG)Eru=H1!AIUy(I
zGhO&g&zXWJu}peAm8F!vK|ynAu<$+@uHg|Mf;L^0v>1J<KO?<mVsq?UnCHpQJT$u@
zI#JYHOe35mSSg*p#WWmwtf_PL43o89yg!5O%G_hDgoCdcr!|CmdWr$_mJ+Ev&u605
zO5~FsYaIHmdUCL%<>YbZQv{kjINO<2-J!4u)(&Tt0K$yHbxYVTNjJu~%ofDk0Ygk0
znYF0iDEpikDG6M*85`Hx)8iP74#2=VaS=bLnEz)=m#)&8H8qU3*SLr!6;ZjW<qc)=
z`|t9Os@n7UW6_81GU9e0>0mnj7^HUJ4*j?3IR1ZyM54Qy#b;5y-i&k#!FhQ^DW{fQ
zNWW>y@h@NSTRHqzGoFc9zqqo0v}$YTY8caWVf$i=X-&vMzbIh$WPEx-wLGnF0FAN+
zAzoMOvGlXGQC=TO(P#0jrr7!7JE|Qn?;lSYd-*PU!0^OuRFl&ZHt?2H243jg5wFDi
z5^NhC1}rT$8%vgJ@0P((?~?C3H@frFoK}&uTIvLXew5Tq1BFa_&r8<a_tB%}*xJA2
z+R$Xzi!NqYsOmZde_sE%QQo-9qT%$Iz#N_p8r_54tw7V#_4u)vuFoU|MB~$e_{LUa
zY7>-2&rNvd7fq-LXjZ2l1O~|X*P%FMmKNbTReGSMBU$7b$S+e0S6Z)H6BMdwpdSs;
zZ^)PBUBikpWF7(MeS*gUx9;m7TNf@GmurI4c*mHeskJ!q?CHa;dv8VjPi$TB?_+X+
z9fyD&RDrPj-N|{sVEwWDpSq2|+q%=6lnjdeY_^hbqFGKa&F~qOJ<|%61uMlD<MPLf
zJ?Uy-2OYi!=D3qyuM)%4)W>4LF*jk!2tq}GG{DOs-$GYz;#v`_FdD@-jAD%7>z~f<
zSjdO)`@+W!R`r4}^;l-0N#g|0?}L;mx)n!SlyaaBZ$EzY38Vy<24%*{hApXRz$IYL
z+hzmC-bTf=ILjohY5t>2`ALcmmCD)syI8%`ZUJk&;l}8?(Kpm}DNVK-sxP_u$4-Y~
zZz&J64yF@|!AHY&t4^XaN*e+L2>|`Ax%B$XMd)BoA{v`susnGp^e)x>5cOK=0n0eW
z3Ss?wwAYunmPcG}?}FEiV;O%;GPv)<{f9`+@AvYr7RW%WR84})N%gF5Q^D&7)yjCb
zyx)%m`L;8Aa#TWAy9BLFDe@dp4tf09tVdEhoH_7J<1(X6={YQt+#$vSb4nT6gSv_O
z-dpqs<0eitNsKVPXb$>x%D{E_X>}~pe^`DMeAdp%T8dL?e}TNS(!H2QXxKr2Rf-0z
zQ~v3a=}MdhqR0zmk?=yu-Ak7bxj0+wEGbIedhaq7i=}MP{ad)YN>OdtrUnnrU|GgB
zrN2TaXVy-G+G?H3G|wZJ;v%#eH2y#8z5=YSEa?{a1PBCocP_5M-GdX{-Ccsa1PksG
z+}$O(dqRS{OCUIecS$<abWiv6%=>5Ny`L}1$GP`}bGWB!?b=nVR+WB5y$RXR=6@<R
z+^@nnZUtU6g779JDaqoP8&J-^WZja}MoB<k>~N1l<g%C`uY~7Ut4IKTSk@t{yvR1(
z<y8bh-VAKW(3?Z|NTnb`v9}l_I}4@U0(zwgFd!TG>6uxtu5p(#YsH1iM@TX)_J31e
z_^-I-_bM?^rse;!TQdFGtX|BmmJ%VugOLVa)tiV)l|ms}$mb_V@b^d#8MS)y+D4xE
z8}r!0uJFUX3UFx=nqZ#_)fT~CoySo<jbN7u74L271!srWR{HD-Yqjd7H7-nmsOE(9
zA(P~oc9HeOf|BE(A%zD%61N{3Z!KI&gnXGL&6e%wIvRmXweJ7;sr^C<C(ZQ{1~Y#q
z>F6NaPrPPx;%K+%5pp~hZKs>Ag%qQv-00Vbw8g%oO2+znW}P{Z1K2dcs&EY0(9`Ek
zTCL0BN@2dn`-~K0s}+rszmRJcGtBtmjL@i$em7p<%uqNc4zvb{@j#h4u!LVM35IJ~
zIZ8mJGRx6yKrOmY;xWcQglD?{)9~!)Fkck(zlCR_7S?*e2|hoPN#AuqfD;{ljm3T+
zn*A4U;jgfLm1_mrZm}SDDo3SAE;|z5IcgyL-Qly*cy&-%f??3ud>KH!!i8YBDTqqi
zY6Q_j5ELJX5A5hDwqN_w2$!wM>Ib7f$Z98Yv`F`Kytvng^<p_NpFfnlA#gw$dP!*F
zx1e7Zw;fV^1Wt5yNm2_ivC<%Blx&yj*nVZXX4CGB)P4(k9`LC^2uYQ(&=F&1BD+m=
zmE7!WGSj6vj853Jb`7V0dsdNz)N7tGS#1j^txQR_==6D_P0LYKtT$#u-$trY4bc14
zDbpF-PY$oA;030O>-iZ!BTOG%`ph&(sPfigZ;Ml8+k9q#Sh%P{JCTBufi5_Zc%fD6
zl@rxfPX1$4_%DWK;EQrB$`ew}M#nj;*w|eORWBx#eiN4c;R$~bmJOw{6^WrdgS%c3
zN|lwb__|aEapvj@lS6`WD@pC&LEAXf_w8#ZzUokeWvZLQRw89Fa_yQ;X4Z&Qa8hh|
zw9RTUB2HUu;l2LMI<(GIPJ5a<?3bB0YYJcA=wI{Z&(#<$=^1^Pu;Pz6p{?C@mdHp`
zU8Pp*;3GburSKKzaaD{VOI-FAD_}c1{@|*E225W+9kD7ALT9HJ|GXm1L)FNtFvckd
zbwRh?ts-urONcQ8QR>1?!|83FzgPYob!RrDvyt6mHQFNd-k{N$R0Yt1O_H-Rzq2Ij
zQCmX-0}0rtZG~?aZkKB;Jl#tKeOB5Z+?&X(9RbJPyE79PXSoP;**8F!b^66+!8yNd
z<|7woHd7c>;=*2UJa*ZKu<SqWFaJbH_FuS#zjE1Twh`ueck_WNlc-V&$9s_`LO7U+
zGfc&Sn_yt4{0V1BG`HJkF%*{hSPAX67A%QSlU}mthnxb>Wkp8<$P&5wRDCQ9!2D-?
z%*u~=i+3NFhu-?JmF?pT$}G6kOt#X!qhBv<DCL|^%B>^aNihe}iP5>2B^1ZFFpetL
zg-VS)Y1*mTiD5LaJyqG(#2yL9EsleT6F+64jb9VDTyS2y5tpnfQGzavjH|98ZkDnX
zK0Yt3iUZW#NhyVsOQ@iF_@<56$4sF~Kp}+7O+@0swxMTj5)R(^Z6LMyy@TsErZ~4p
zMSUUS)D?spLdYy#jwp<fC!W>RoZ3^#<VP9s!)5=)a7>0skpLrZbIocK@%p;)*#Q)K
z<Zm|YKU1YT#uRU@pNi@4F)ZvFW6XrS=I#lT@Y-pcqefq<(6)D`VnpHaF&6MAJ`px%
z*$-~NjI7W_V9qTgkn-=HyJT5$`m~fM(A*~k6X?b2K=SId#S>IDmev#Tg*yC!>L;R9
zFOuk+HJWRu309J{6-1uTnWP+_0%mv^RwMk=*Frykj^|-Pd8d7RWg}-J%8#sqDbo>I
z2Gt#hf=-W3n&Eg-`6emL8l{ro_FFJjzbq1g(#KO&;f-aXue(8UjImF@DTrLtq}_)R
zHA;Sh70zAEZAeyKz<w>C@kUKB*e5rgY{t5D;YlwWP;Wg3d&61V>5x03TT@v*`;(DX
zH4EDYV;#^Nd4b_r&o3ScsifR;qLs_S(v^!iQ!H%vcwzs~yW?MnV*hb>{L?UOA^%fz
zXaoEWycgl*aa)`HDU&8v3-j(`Z%WH}-1+hFIDC_?`b!bdblQx=H~I+Z`_MLLWBzn}
zeyQ8M{FYp$Q@N;WtS)Kbf`>>b7Iuqe!TDL{wSuF@^ThYyI6134|7sXkJtvlXmDMv_
z#>zj8tZ%AE*&^Bd_-XxY-Yji7vEY3sF+t1G1qYj8|23F3Jea(BGdMynAYcC~opI49
z7V*n)C2Zt^Me(({S0)&M!$|$TK}18k+<d`|c=kcx{Dim{I%q?GV5CfVFm*w4VQ9|;
zNb9BIYVwA<M>RP*5Y&5sW>or%34xVpkeR{rr9{HJo|K7@IzI;Whd9jQe;SAVZ2d(c
z`db_(W@>Cg@I6-soZ4mheN^HPdeL8I%l^A}^H)&cJG^1Pc{AO-K}*Y+x3uBIJ1{~j
zUS~_yHS?C)I2#V9LfbTtud=(oDsntA7pRoXIW_<G1NWQ*d#=Q=G^y`}#5;v&?1!h~
zmbTHJ`gO&5+FiN+m$G^<+b(<d=h$P`pf+Hl5xOb(m2QS!g*^AP-DYW*wu61q#tCG{
zI5S{JRQHhxC+C+~f}p;FsBc2qdkL4w&rc*{s2k+NFPG=45weIWp)y0asfnXN<C!>u
z1%;MtVn5CdfufORJN3##X->;vg)Io646%V+L+SnOiz`QPHW;!8xlw&^z01iUTmgGA
zoWc8cBh5Jf&MZ>AAWbYec!Foc{LNPIFWDO;hyJgkvr3*WQ}D}nQPAl`GAtOdBYgwv
zuHQswe|W+lL}xfyPzm!NQ!}`Oji6vu2<HezFR6@++A$cN_>fdOLr>j4AsfD7xlX?o
zu1)_W#UR-by)8)drrKq6ZcV|}_QM9@ThPx+LCGWr=b=W!i>YiQ1<aMEDa8HhE=1He
zf@?~m47!*{syzYpGJx|;1~lUStyM!brlEE$?93OJgIZw>VLC7&v<Ofd^7Y+UaETMo
zwKJZzd9doUw+iKYt&>s1btjlU*$H3mKvHSwcX}4BbRuRt+d>7Vjwm!uz%ci<$%afb
zN+-QV5*?PlW(ZHvWB{7Hb5i4Cm$1>~St@sGd-|=nMvDH(zGx9Cxp5}jDTwcD#gB!T
zJ9H>H&fEABKqtlot_45y-LT8Ch9wuD`Wtz0;325!P9LMo@7ul50nZ;QWpF4@fBGcN
zL$;fafeb+My@ZB>`|}L~MJa{v-T874>WSaCPNFQ|dl7)5DGb0qgkMr)z)=<q49q`A
zUHz_|_kVo7KVboO3T2HUC&(o)68o}1kBkptq)mSDa%Pd`T6k+GfAF5`a{t=hT$Nxy
zschiZq}s7@4tBpE<xHj*4%Y}E)r>C+$E}MbK<V)g=IJug&J>HuXo`M@e{GVqYUZ0W
z#jUu3?<oIk(x~&Lu$)>k&lb(AYXYKY(B8ow$Yy_?FaA4mL<W!$vk1|x{aY&~@K44T
zWHNrecLO)nC@uAF;WdVnrl$HR`dnmkbf8(TP|;~(?eE*b0HR&b-77Prlf+{SxIMN-
zpu%WQfV}`|di^1-nEt3c?`}XFo;V4H(<uyjEFqxB%K>?FMnI&O`MKM^s&Of}_WW$d
z#1^vXF&6q5<sU{?J?3Qqiy?pdyhs7WKkNhNH}(PS%wq;{u>RBL@o&D|U$ObC$G;A^
zBB$Nm8u@Gu&#brX`|y~tyrHY#S}ebUmL3D7?ZUz*wOXir#*k=mDdFTO$P+7}v)gFh
z`+_yHl?z_Ti(E5HAA)xC7W73k{Ur)ymJ7}sie=$tzprZ8an)s>;KCbi?*+aco^aO%
zpd>P;p%qZRhsR-`&tP!YXeZCPB`>L`ZgogOr#<octXZ)_jLs7*@r-zUcPwoY9KBLN
zA`?w2*D`j8m-CR*BTY5!t4!oA7jeI3!z$$G;l2GXhOZy<DHXlPgw&<10qLj13;1sZ
z)1<v@Y@SSWPOu$Yq@{GA#;P8T@UuI%pn%7Dc&%yd%siP{^+3`qGCzLdbjq8vUD0`W
zRHPzZ5}1!sL)l65wB4YMGJF<{c0_~z#Ovt!SA^#!a1~#sp2(U>J12l<ele=AA3Yk~
z-+$*gShBXFf6<Ty(cj|Et4WJSq<kPI{w<&06+oKOWKPSQ#?_6!g-dsHGM0C{hDsBk
zNEludy@RRacLJb>vX`4l<bvAi3q{Zgr?`|)v06EoZiXUB`AAL1dq+iYd-j2(&5I!&
z(Q-RdRyv3Go@IAQT#G+4@al`Rt0Z<!ju!om2-vt0ik4P@?C7jbu=^-zZG6JVk=J*=
zm+whB2SGVxBeFYD`S4SXW)NUSKAenCh&d^93J%r5A#*f^qgX)IrjPCYx+VG5mtQjB
z9I*10qfe2Jn3|lF%MkNa^Z&IkKU#)<4v^BxD_7T6`5ZDQDOcD{%tClSt_$#wuIEJ>
zBYiW_F2ek&laLI@2Gb5NXCUZXp`bxLXTJgjTpfRNw<yS`3=9mes;8&SyCfG2<perq
zF%;UYTbk>OecW?$9Hq@KD5T>(oO;#2cFv)`E5_7=#^BRVh@MaFE3SR{WYbhZX_({n
z=N@DwyB@BvkV|ITT=Wg}&7{|WU_!PL0Q!rDla>O<Ou>1c5Xq=AOYmi!oXmLG=GQs(
zR7gUSBGAnG2Mmo6hdC+9Wt$8xUw27#xr$W{?wf<i^+<h|=CkO}5AyHbB45%0E^|RA
z130unlj5yksoP+Rd<)d!DfLEzUEm<4SM_S1bU3~c!586>m{k}*rQ@=FH*I};YP=2|
zxj=@w5}|&b6N{X()6dzZWRe`SBJae$z0%ZrBRg|cy(Q+yaO_LCR@ataY<-lmBsB)w
zpl3$>VhdK<8`~X_+qD4g#oU%lR&~z54U4-*kXXbfdw=m|mC}Yml-FS#744cZ6l^9G
z_N_DBi5f+ihg=Mtkqf(@V|VSV0_5I}&NL&XF@^5(kB$L_0w~J+gw8&(uMl?QKZy@!
z!JH&;S*Ac>kO;l;06m!}oz)6VuH=|Ii)J*N$g>H}zF5o^4j?PQ3)iGn@0XlSHUrnP
zISG)pkTjtmR6Gy=%=oR#+>e*N*As}eQ9z`1`MD)a!B$CsL&&(w0o|JK?5Od3q}BVM
z#?!xOq=BPg{0hMjEoH#6^N-b;`C)bbhZ*w!#y$KMCbw@!*_$jjuWL$h1Bd{oO#AQi
zN$Ca%Uz~)_s=Z&K%zvR;?36rG=8o<Eq#J;Lik-`jwx`^iV2N8?<$5xRJh`s@0g_uD
zQ69fH{rNl3wv0j*G&Lo=a+6q__f<`fNoMwpZzqt1km#0tPoe!c9k?uQS7{Nj4+&-l
z2ypc&X-D_9Wcp(-33XGL_aJ+<_SLak_6EjAN|^byE8UC^o%_WKj8s%I6jk3KP}j@m
z13oDq4!Ucul@7>iZLn-H41JE(ntv1N{kbkWkuS=%%cZZbvb)v{gB=_xVs@G>mk#oE
z@R=_UQnXF6k}p5w$2kalDywKv4??NwmNIN`M@<)_Pn--w$xM9hFdtuu=f2-8%rsue
zC2z@+<)}qgMZX}?5Q#Ln=rj#>N_2XmrYYbQ6p~=-CU(4>{S4bE*<o-|5^w9Ne%a>q
zQA`YH`ipsxbz#zwx?~|tYR`_hHIurQdrY5tmLwrShF{~vbwyqfR#hR_H+!ATgxk>Y
z>l9V$V+h4zIq7+xdsp0S8{{!fgg~#f)^7^tVl?DAgRUUHMIgkjQlumevDkPj|5DVU
zjjW`O-*M5cL_30apk<05`I-6#lH49c&!8O|5$uwOlq0YHKB0Cu!Ao=N%HqH<+4moW
zwbKZ0v+#O4BC{(!;mDHC)=lXXacR#!6;|PHVE>BA|3cMn|KpnPq^+ib)DoRB?^aV{
z84jZC?;PyAAV#z9r`LrRZRp+6*j-uKAQ5W@CWy*o&Sf@NcgYe-jRP(k2ngEio2Zn^
z@T}sRLi)?4sqq*_*u+m>xb9e*e^9)f<n9#YE5nsLlfRAPYEDctHSg=pFEGg^pHI6Y
zF9QTLo*PSZ@<gg}5Ge@l^=pC;9>}@9)+2=T?zcCZ$b{6<-hNk;UtVxw$&%{vD)d7(
zd(x>(*jMRE0{BIU!|)VQAG;?VsEkJdHM+88+Y{w=vjpoHIm`G66Sw3lR#Z2r6Ou+)
zWVw$pl?@?o{=~Whlp8rC*#!I_CsGYQ?UH4Mp?;LYtdirmeZebjLmY@8G4C@u%=p&-
z2@Grkj%>%FIe`OUa+!k}DS+@fD9pAJ<D#wjCkk{q>CHCj3CEK0!5jVt!FNSdU64Yu
zG^{DB*Q>$}#0nNr*2YR+BDGSyRur#X$tH6P^b#iVRu3e?TCnd#C7vu98+lf#^N(|_
zf93iLp}%wVUJ>MFW+>IbsLSxoZV&`U^=P?xaQSIWQeE|?F5+YW$d(+|I(A$dW>#Zr
zWlALo-qARstboM;T+5;0HK*;nerd9IEO#NAEdhGCjFXwviU-LmopaYnW0>_}64;TT
zb>wjh+jSw9>McN3(e1F8*~(YPdES{H@Tyx75fvOMi*`|**B8Tm2uq=nM3GB_UO-Pc
zwv3$`0Wlfu3i#Li2PQuO$qRF(1Oa}@jYnVoW?$sf{#!Uk1EBuc7(EfT`rae_%f5&L
zK=$xDJPN*op&`Ko70B?%``>$rEewryEogzW$1UxF!&cdToC%=Nrv!2h85jwE^P>o8
z34k-n34r5OOswsIy5j}}j`oHGz<ys>AY?QA2(GDq`5(Vjs{Ym<3~USjb=)xU2MG&)
z7fS=`S28lNGq5nSFg*|%nb>|D0(Fj9UjhF2|Av3E_wz>?7;m!VcV7k0HB!<x0>dKt
zsvcr0y4LXi^_LT{o{Y?M^_egz%s^QMBui)#@~q6u8Bt7Ksn>(C<hu?CN7nJM-}Luw
zG+9fHoy!K&Jd}huv-Mx%pRMUl7m7mj3=@3c`~8+c0QL6_gI@#6di^b|g@_%PJSD%}
zWivT`Lu3K*$F}xMp;gy)c0)jP38zdU3BAr5=k-cE^4kgUV8``{klavbkwr`0Be1iZ
z+NI%dGWXvKH}k;&>Pa61*r00NVea<G!zA8btz757A%ofWh%vFWpS30{Ap~nkswd-D
zC)Ft%7sEP)0@7)DfB^~F595cBPza}ZjFAtO8lSfRwAlkV{%NxZl52jLJ>@@X_CM-C
zKt>-MfQ^BT@rS$@(0PDz%nWQS4~PHzf5E>>JvRB*+0CURn6D=706_Ddb{QMu_^}2)
z>&mFwjeR@!b#1rTg@SuWK3lClB`kwu_d$m7#4Z%^!Vh!Y%-b787_XvlE4lrd3OP=W
z2|Zj;tC{&zEyGhB=b7n%2phthYR0Xw>=|H{zp`OcbaZ_{yqhb3@ka5rO55?a)qB?}
zPI#qNxkNNZ6b*V8<<9qSt5067lP718eC*vHPa*YP8-Cv{+!LPQ24zl#oKXm8CB|hv
zH;s%ba1jaJex{(E%JUVSX4AAphEYn-c^5b`zL~iNGpsE2<yO6CtwJRe(T3%i4L8>H
zYKn24-`9wD<$6-m%c>;?%+J6t>muIjljPd|8b16BE^1~+<~ELZ^m>cS^yRcgL`Kvz
zqvGGW#&^<>YX)w7Z=EYIQAE&G5IBU6nRzmuT8KSziQvQ;%6$X}b;n7otW9_!{VsYp
zykhz^c6=fecR{IMHi%QPnyD2Ou4i|nP()(+vuWKqI7|`I)4dD*PCiJ!ca!yBYm-^q
z3xl14A(SAfQ-i#)*tk7u-(k&8hiDD9mb|c-wJe`GbwV8B3T7utvxrUZe$noWZOEI4
zs9AKoQT2SVwzRk9#kl|WE|gt`GzX(gI}dUyd~RAY;puS-JiukHb3RD$TZ?}3V9$G;
zfxd`)u4k$+n{_Yt-DqTP{NhIuxJ`o;?Q`wl$KJn0DtWF5I(rLQ8ItAY;Fm1^abCtf
zRLnX|_#B8Jz~QLiuD>9Nu(_P#<B#c~EZ|e|&mqXK%i-@AO+h&Y0#kbeQ!9OII~!{|
z-G>c~o-2W!p%G9816USd_(i}O9tG{kN(x~8Eu=8e0uv11hi;JkGr;k)w!p~t&`uB3
zqynmp0@)uAhb#|={~Ld$ze0(+xH>_B>t0JLYq6!bQXDFfhh477{6MDv{<mb%$Sih>
z+Y2NSBRXk3tV%4I-ieO5;EI8JhA<}Zxq3f$9s+-@gDPc;{LAG=K3le)A<?G^R3;rn
zaeB|^L_eL4Q{Vea4wUjNO3g)i%kjd7`hx)JU@tI6Ztkeml8NKcX@t}9t$+eT2pWms
z#PWNHMK!eUthVrK&P{|T0{zspLnA8JD80Xt+6I@lwM3T4$4eHyj95ouz}%LR&X_By
zHk)bTP_!L%bMuN?c#Z4*$){P3>^<_g&Dhlo?{&i)X11r4-Zs+Z?16OYUMl73=w*92
zLllJCbvUzI*$_lmQ=eylDNy)S0DMY+m)rS+rToE|aFHN@v~F+URF(&3(BDkO2l&Eo
zjRpVVWMT*m0Gc<dNz}S=Zk~d7U!YO$mkUY38~;|zM+~e#c^j50P%QBLH8ej61W+>q
z8%CLpj)9Yz4gd}Y5%oK7`wmL6(}0SP-~?3TSNhx02#^GY+L(jxb~4kIbK~(himxzf
z5MVB<S^^5vyezrotEuL;rv1b9&k={nK%?a>zG|bc#yWJMqysqR)@pQmaE^(DB5XxV
z`mqLfQj$S*Q0{F!wUMR8v8$iUyALRSZcmFVH&32T-}$mG7_o{h#Mxfn>L*|?A6C?y
zPdRpGfCDEz(Na{BK{bBw<@NdXZsh@hwA24H^Q5|qpYnbxYZuun^0~1%ZcK6b&ECD+
zVSq%wocD3QhQwPsZO9~UdH&^*8vQX)!KPHd`A8kE(^oY$?q#3hqu3pfd~l5>FH~$;
ztJ`lW%56yl)KR|SdA+LP2FCMlz`r0rKnaN<f$*R_M8J!MKPbysS<3Qps0FZk1Wv*V
zKSzneA)ttu+F9z_*jXDH+5>}WAQw!5p8@y`A7Dfm0a2M>QCNYNpOul7i5bAk{&UzA
zI0BxCxV$vKoV=`vu!6X(48PPv52C!RtRgKxfr_xe_i_kukPmQ*4+l_5{vilwW&<{j
z1C^S-AO6?x=TAarQH5O^<Xq=Is@>BM+U`>j(Hhsmy+n<ENP5oxOtd@T!PCo37YEKX
z5<0u<)}@v;mr|j*>-dAavg{IczV_68Mk#RNe5oFx=O-LGRf|LW4eQpsDVp^PQ5cL$
zJp}b{a~_CVf47}~>?*M<g8CZVX&=Z><@eF63d?COoGu@^${)V{`vv~*>L~zRk6ibz
z5J#pJu0r8<k)55ag#jY8dQoKf+2p1#{qQz&3SiMT0cwSKxtqJh44EK69fG^n%j$Bp
zMm+oO__a;|=B(#tSHdEWY(oe=)1DY2=0%W*CRx<GfSyLTw>&`wtw3Qx$Y9`-X!FDR
zU|z!}d^;B1{k=LI;BjV6Q09Rs{$N^g2$Z5q{4$~hLbAYr1cl`l#YMygfyPF_ucRm@
zD=)67Mj$9lM<b;uME7&q14lp;6#`n>ce$vC(+K2QzMI_l>>e`^oLB+CafJ*I;|hTz
z<r#rpB`iO*H~t&<@K@QrPdRAE{SFS!DMw6CxS%|hZfkWSodTZ;yjC{i3HCj((|?*C
zw!lmS_VQ&H=AD|N|G*dXYN?8yZ4piO-t2rjWR)i0=h>-|mK8}7a3^~qHu^HI-Sz6N
z*_xFn{9x3jg`7G2u5kO>oNISS-rS|kDOkn9WbVq@zJd6AEFpeg+GUh7FY2uJ%Q}zA
zQ_9x9?jMzTT?D?cbK84&qb8HT7Z*;%;krT#6FJ-x-N1i=+DTm4Rhld;R9*FvW~7&L
zRSv04W61XnItJ_Ogw5dO3TbB8uQZLXjHoKmQ_}IA(j<%+_?LKZdZ3Q5>pZbUST79p
zxz;!^h_{R#QD+=gV%S>S%&^JiPFTsHqIzsV4J@6ER-)&upgVNE>8j}H!)@{>xVWpM
z*RAThxol1>ViI6SL|<ccoHnN;eh4dru6u<z3XdR~zroYc`noTLB~v$nliv}2m^$8>
zDuxj6Q=AilvB}tz)};^lux81t!}hkh^sk?J*DC--v?LXi5RC`k^`8)Q`tGM8FTDr5
z!Qz@YAV@wkG>AcZLbbYR^994$H(YnIp=E+T^#*aA`T*Ohah*fy@-hpzp~xFV%6F^E
z3$~#JkV*gKOg{b1MNBmu2rh_X0@QLP^rt>V4a3*mmTD^N2k#<w_!KgpOJ>@hV-c=>
zwt*s4MGXpYb}jOC{WU!Qb%VS*z?UICx}BWmG4_<#u!l0(4D;pRqs4E%J@D~L_?-j>
z)b^YZS6R*<Hc@Q?MWn_YiKx&OE<rxfmovS@_i96nyi41IFJcsRnlvUkX!T%XOrYw6
z3^aOz{u=c;_VnHze)73if@wV#X)auKG_N*mN!Y$h0ne6CD2570fCH95-;O$pcH|Yz
zPK-mundoFO*M}PyBN^7$S35B~5Q}%>`nQ%hsJ5}j^r8~=jrVv|_BJAb_E#tLuJ2YN
z5I$X1>9d8i83x#xX{f{6HJ0jgS1w%MGPbh?t~b9)B=>B>M_aK$J^^1M)ng<l!(jB!
zxCh}xX-by<D%*f+LsU6P9W_eXY4epn&Fdrz@58I5dXd}B!0Vx90w=eoyrDCXMZI^G
zVTX&pMxipC0DNBWp;GcD1g($bmCA$8wpF!`S#pJZg6QulK8?wTsrTzo3-DwzxrxwS
zz!8WjdYZ{HeDU!Va9}sICqL}<Xn6DS9p}fytkiHMrKvf|eZHuZ5i6BRy{8^3v6cCj
zBWZrkR9hQ$T(+vEcN4-buc8kXo?A}|!#Y|uMQP$ejIk}@6&O{9ZxWat-HORLBnp&M
zTGN^J-MpSKVjvn01o1TTLlF4d${f>$wJSU5X(tVD6P_p5oR@`qexoXsgj!YvA8VRP
zNh<Mfh<YK^2pY}hxr#0J{+X!%X*vU&+l&`U>3YlE-LRG4HbOx?zXkL{D|cW5J#gqB
zq%RPQ&3<4p{42@US2wbu>eq&U$4Gr#XXaOAAO;YAhhr2hLt0=5pQWK4kbPunZDk77
z^E0(F{vpMP2|#~12^<AUR7zHWU+RY(<M)>Fhrt973XDHU4}kB;3yc$g9{#3^{%^S4
zUx92HopLEQ&e3^XWTrDV^^|_3zqD{RVureKv6}l!=Bxd%P?w$s^YYg2rC4FS_Gota
zvZrWU{Pve~%@YkTmxqAL-|SY-p@?ewWFz@hqlz~Ts~sMqqdFeERrV(xn028sK`c+A
zD6-d|L+JA~l^=R&4d;c)Rk2_2>kp3Jn?{;Ejbq&yZVZPVlw4qlitiuBzf+E9o_m9{
zOVbuWr@v5C7&moC8HaM*pBVdz7ELq?*)N-uD4Rkhd+%FEI7MdO>n$n)E?;l`cl!94
z!yZ*e1@EUU*{oMRp<aFx_Q!uVN+NF%059e(6I4k=1Sr}oYg-0e=G(3i@CJWbRO4AB
z^ifdvG}|04L_9YqmpT-z+vTfCXy>{cYo#@IJhroV#Pk4^UF4X;+B|vyfy8_w`BXF+
zwJ4q`bopZT`uemve6^OxG>Nw;r74%ycF7&z-t2*`E%nK^D()VC0#OhCG{-o3WY8MM
z*X2TyCua_vzI5YOG|@Q>8eAf~?hr`ITHd&4?+mwnZ&#ti^@Ps|7Da3Vvsz-O@Er0i
zDrhdi5rPqhrtK60TXaND6V2X#X&1b*A#fgK<9Ah(*N;$tmeFI<9h_Ej0w}J}VMs78
zjYLPZ=(9f{d28P9mpq=#CJs?tiPmo+E>2sVH69*w!Y|=UNIIwgu`V^=Q^53wQ~w9Z
z{$b4ZTNH(Q6k^TO;ZNwYxvm$_%v3+KHF;rXl1lU&`qdwv@Tl(n6NRIX1;9-B4!cY`
z6zP}t^}4#!Lo*pDiu~T>D#t%V3RG@Nu$xo_c$8w!;F?(9pbE@JJUy+Qc((>7pf$fO
zq6*Cd23T%!kmwYox}U=uuPC?Zx*MuK^Rfh|Q&Uc(rDX}P`XGo-69YG-xgCxuX(Kr9
zdtWfzp8K|=EvPkgE!Mp^G6gM-+_1&1N5I!Y1A4r$GgwDxCoup``!aG66ls*S>q-YZ
zvnQcziYAyLyA`lMKHl-{ODD(L#@Xcui3R478|zNlHIOjn)tC#4DgkFZV&gtu<mXl0
z;E-+2$nJ3M1y)=4s)A!F#+lyGb-072mb?7Op0p0JH}6~8UJCUbnUIouuk~k6KimKG
zjt!U1qb7Rr^K@mr&yk6S6Owqj=Q}p<N*wuCCLgKDs|CYPs3W1Is$W-o{NBMvO<SPq
z*YYjxb=-EVdOkr#3sNMvQeL<5Z?Ir|=IP5I*!FS3BdfIRLova#Be*W4aPfGSd3Z;y
zO4%7%=BLO6(2jz_J2}XoOLCIl*SV6fHXik_p0iN8Ib8R6`9kXD!R?w<xr#zrov0K%
zXX?Fhk$55CZtnT*LS%Ph@68c#kl=RbCtJ@ugQI(6(O^|ldY(Y&)|-M2--42NQ>KC=
z48h|53Nam(9M~Lwpn&d^!s~JHRy#HwWqekTR*vX1%O~ybA7g+htO7(~-XAFZ1Ppv5
z)|#OLMLgI%8~yRB{Xj1geY76~(u;`xHhNXm+S=H{@Ru1d3Wj!0!1ii;0x2m$22{Ya
zA219rs;Kaz5F-Dh+QAAO)eVH<hc6%kGd({1_g(0(u(u8wEDUcg%Q=N>zWpsveOx{t
zch;Tn)oVs5U)%HZaIc%~xfV0JgoK=M$t&vf%BxX-+{&w-gvF!AlboHFXCYeoMe@a$
z#N<P{m8tr3ACo+f;k5Ql^1k-I5`7|##Iz<;iIUTgVIjGH3mdhRW<W_w44qXo`GQVo
zd2A9ksCh)}So-~Yx8Ts`rZF|l59N^+&=u(nUwk_|mgw><Eij+f&U%tz34_0=aLs*7
zQHtnAwow4{Eq<HZ<gLP?A7?Q2^LW^*Ww&rT#}BD{`N{^7@v<gmFB0DSM|QOEb--)1
zo(EO4Sd?JMdHF9(jl@h5>@c;+CzUhSQdW~v)rei$tqdAmZ2BTaY^S{s4ZdbK3cc08
z0=;s%bJuXbb_%-QU#fiS8mCgzN_O-CbYc$;uK5joZBI|AQt?#DZnPxjFlH_zsSMQ@
zL!oi7(V|iDn%xW!zY0G0Ey3b^i=4>UAwJhq@9t;bbd5?b*UnbI5gv2uIN+ncQ$Vc9
zpW%8^8JZ2g$WS`$yld^w^I<8P=-Fo5^(^Bpl0NE7yG6|pXtAx7CQL`1M*GmAWJ@R?
zRSaFo7q!GuL9#)-k_!my3M=C(-Zef!L;l=nA;!(O?D^!?h%)y?0%YTm<N=3dYB%qs
z5{eZ`#RuE#uboZ92iRxdeE4TU5?^rkm$@afVL-<H8sPpGYX4!s_<A`tnJpHz7<mA_
zyb;aOaR`bn&+lC2d-*z}NPuh(KBes*FFuBjC)-fMEU}4b=yfOOtS=l?@A<pM4w)b$
z*Q~2N)zqS^+D)CU<?Tv50e&WUwilxzHozn?Nx_(T?Ia&z;usP07*`LG|8mdMP!G-E
zbrzD*6do)^Jgd2?p#0m@Yab<4Jvg;OB1i@v-w%g#D$FfRaZ~8n+vM3{?lNRpZm$gL
zCQ8`8+-07!@7o<CJEjdW%SUWFnWOhE1s0RP5vO)E@<AfZ+vWLMMtbk@d~r0Kly^|i
z2JV6$)(E<v7w7hPP8hJH7u;EknAVjcv8bjd+7m>?y6KyL0N1z*of+ZoCc$kxxeA_z
z&j`JMy)H0{03xjGT?<d3M(NUer8K19!!7l-?tacpo54IOou<=VF8AXm25M^nuW_+R
zM&`XhKBt$)kY<GqE;aMnv=c1Co{N+k<SCOtm+o^UY-j0FqVVZ}6XDnO3cE*quinCG
z5NONrY3dO<E!~gmwuTeCOtOJ3zge6>W(zrQKM;r3D~s9Z!zxFG{WLC9m3`56csP4M
zk43xKz-qgC>stSobVAHtJ&R?lI?33v6O)r#RAx%x%^gEOn$hP;1n#-&Hv?Huyb;~e
zoKf5F=V0Gf#kLTrKHr(M6+B%;>H?WBpo*(||A9Bk+-c6@TX@Tf4GY425+=+1$9@t0
z8CKgem798B%lW^D*0P=m2vV$KWYVJF*~`BR@qTo>KgQDk5VSG^b9n!Fbi?T4UEa<9
zJ}NUeG}J2#wF^v^g^SKKrJ|`3uH0C=Be-kJwDaQtZ}luO`3#Pp`a_D6qah~~)W)S!
zP>Uq|ZX(=_Z+6bhH0tH+5bd&dnOMw;+Z-nQais1}S(~Pf0hp~J;onLRSa<DP?)_GQ
zUNt!?Q5^x99wr{U)TushrFBdPp!2=GZmB_s6Wa(*=}9qPtQf2TKmPnRs=?6ULPM%_
z+tWxZ>0`rtp8j!^w9><MVfPTFi%@($dH-kC@A(qeLh(hT^Bi7HURLT;AT?COHYhvu
zWs@bk_I_I;J>=QQ^qSU1d@0Gz8~%C4#$oooN!C>-!cNwzSF;kg6V#!Z%y3LFKsvcq
z7G5mbzcw*v=ElBLMR$Qh*%75I=*<?wOIRewV5ydfD|hZ`A~Afb`91Syp~@j9TSk%c
zQi(6&+YX#1TUbQ)-jjd}Qh`1qF0N;#@pQdiPS8aJ^(^8lJ2B$hPH1)v#?<kip*ekT
zm5JKTBt1b1tB4tw){})S)zmf5Kr(SsdR-DCqV7}ri)zY|Uvg-Dx-l-DQAbW=OvY}V
zX;ObTFhmMuAd+h=53&vg>)znij}IN9-Av_4Eylc?UR^qaQe31<ldOpa6#0xUV9md@
ze<EwMvr&gei0N9j83ONUFgR1(0^5m^bw90`6~KLmN&;RLG?n{ky!5{St<Cp?Z-_Hw
zlLqHjP4eD7Cr8Ko^z?VG@*P_72S*qB+Oje}kxRkPqbDMp1uwqXv{kmNO2?8(ouN)7
z(M&OSuVC_pZCxT2*-cEZ!~W*SJ*lVL32`vG+%wRRf}*rlpkEs94*Ja*urg|r0(trD
z(3K&RUzmjg&Ni1sHhiAj7h2nB{x#A!1l?-LxWkn)AH;&ozDVf;VlXmuTt9iG(OP<t
zL2th06^9a?vmo!ZGFF3V%?cBY-B8^D=YoXpfxdUQN|L9?UX6w?$W6wF&94>GR-&;6
zG_m3>8G{bM3HrfCU$uSOy{nS$rpI2=c00Qa>pf)PBz>u59AUudzLVbN+eAgXgIBXG
z29<qlT#io!W`9EfSDvOQnKg2+BU-_$d4#Rpnm`y&3pb&a#ttTG(fIY8n6x3&EScIF
z=DNF*B8p5EhI`es=;I6PCWc@*$UXAfEb+rkVMX^%a>FD7!h)QZ8;tm7d256Nzn4-w
zYO4e~J?{-;e8W$X@Slbzv^o1)@<!rnwuqCr4$C60j5-BE5chP1KU2S(^UoytB6e@!
zG2W(uHgS|x+JS#FRMx^y1Vv`>`E$ZkUW(^J1+pN6$H~KE4rVnx+<S5RwNtNVeUf$r
zG1&I1n<rHD_)m={Ba2+(6bZUs(K%4hOtfK`c9hKIj&U@-^anTG(d*FrHY=?ZzdDY5
zEyj$zpMC&|yWal+H*g4uKCr;1i8sGStqs0=1ec`bmM@HcQ$qMRg{(h%<o*k|`lp?6
z__9nvOq8Kn{)<C>gsS`@yUJ<Qk^#NAQsgaOWH0TkS2I533=RvUiiDLOc?O2>S9;Rl
z7uu#__zOeuD_K$Rl6f^pfv!nnHmxhh3&U2<SVRkz`lGx_4u9f}z<9n){s%mne;5RH
zej#hhq%8~Z8Jqe-^{ll4&iJn7@hAUt(82i%K^&^PVonqqa=U;3uC+OOI-W=(K}yEd
zlTRg6^dlaZ>U2uY?F%s%xd`(NE7`!L{%wMh(S{%zir+%t5`7yg`vK@^B|1<IYo`@F
zlFZY8V?ZY_?xUhw{T4D!$aLc&uodq2#?WDMq>q(q7bPeE_?G@%i|h|(?tj4;nEy<j
z;?%)D-y}?@Ot68a#|PjpDV}!IsXMy4DAH;^ql>{(#<yU95fTk}wa0xJ;E~Pe#8uea
z0G!FQ6%%b{zf)<)kwKY}oj9efr5b36nB{K>H8CGH&}ZKtZbrY+T|9vs`mY*;x73F{
zhkJ3>oSE6%TAm)W<F~lsk3adJ#<0zI@3#p4HKPpIEuXHjT=v`#_bF`vDDK23vwg((
z<$YSpS{gGrszem<7l1nYN)Mnh9P4uDf6eq=Bb@QawGT|CEgxh~`I6B{%(~j51D@tx
zovhryvf7O5Iygc&{kB#ds6Yq?4@8Dvrd~Wlo@{PnvYKw$Br)lE;*XoSE%^Ap03wfe
zv;x8mza$OefJwve8WRep##RJYPPF#AKZ}pxC@7EK`p(oA2KG!nP_;RLg3>?sv)@yS
ztd9==ZP)peieT!~%CY+Gba`h-=IeJN`K64Qj5W}O<b!XU5hme~`aXwLBp}$Jz=FP+
z-4)$!tMaBExutkASJILj$aY`@1LC+F3-3-RpGs^(3?;Z9L$BaJcO!}ly{-M$SaZP5
zhx?C6bpH?>7~rBJ>w42Bg(SUevp4Z8pUGm!J^tK(w#hCjMjfOag}nufMfXi=t4^mm
zhmQ`=kU*_GH)v@#d5MAme(^laU#BtbUjEHicnb~~fcpx0I$WlsQ}_LIsiI<Bcm{1Q
zoK=tnA%@Lw_VM(e<EOsCKvy$|v_NKD-~}Fr*#KkkSHSd!z>kIE!5kVt5@V$EX~U(_
zjxUiKPy8;r__sVM`TvqdJY46m!tjz32gdDc!;Pi`K{DLDkSD@Tl)+WGxcUoIoiwm2
zAskssJI2h;2v+M#xbmcvDCSx#xP|qvLm0K6q-W5$>Fe;}=T+3XL?$W5!>E?6L$&BZ
zf}ypS7Z8Kjy+v%XvUoo<lh=%}bKVJdL%3+PfL`n%aCGcIPx^J&TuD7@E^SFG2#)Wj
z6x00XVo)b|@pEV7hq4*3X>Py6k7!bU!c6Am<ALKiwC1P9ufGHoo>5Ge9-aD2;so8I
z<Z#+$ze1+|KyFKZ;6rO^<P#HAgRSZ|%nNrdA}j5paY-$<2H`)Xd0t~yZFnn?{*sKC
zVCV(vmCu188i*{GL4py?Sh)Kdbw}D2>IwE2WizyPnt*^27xv^m0W&aW3_o<4x5}4w
zzO|?E3olOFya=3m+%bvGX{PP$1yx=zUw$-|MQ4S$>WI=|6JFdzn01IKOU<@)&=hEc
zI{Rc`1%^}-QX$0!EzRdi(i58K>-r`)-<KeQ_?p~yV5yhiAyfK18f{)AT$@s#LCqFn
z*7|)N<LjGEO@%zq=eNy{9-8}?=jb^5edd@$r|!qp(C<E3xGFkXq~YXQJ>79dC?Gb=
zS;7V|WK=4;e={30Dw;PO&rX*}h9)%kiJa?JyIv&ffJj{{QfH0be$ncdl?Lxr3E!7?
zH<nlc_5PA7C(AFhp49Fg*xLV9h67xq*xo0oV7MZ0=IttLy!bt263y=%<$D<J;j(`Y
zM$@eB8AGkfG2b?en=Qa3eRY&e#U*5lSMo_XM}|9pmgHrXB2KJK_mO*SfDYL%tl08d
zbKj21WV0EA?XYVZa=~%Z-3EROeZjEGo>Mnro~VM7v`IT;?%_wWV!h9TY?7<JwHsA_
zn4Eo6bJFQBZl{N1JbE`J+d9J&eOVfQ!rj8dr|9OW0}x<5lO%brJ9wknTb*jpGjLZW
zlX)_nU}()}n^aIg`|W-USK1kuDI9iYs1!nW)2QT`LKS|Fp+|x;IV3%*;n&G}f>ir7
z*s@_oIU{5--iSlgfW}I?OwYYt#{siJxg@3pjq#w=MCn^%(-iaK*8$zGr-A2^{yK+G
z+-n(CU89v~d<3f<@ZE|?({Vp$g*A={&_U!H`ALVc)L9g;0<-=uMB@T26MPI&S#1zw
zgT@DE$KF#q1AbIQkmJx?^6d!eMbuZ#oA{BWO#u<;cwpZ&<sekXzR|WEX>?!}*JY6O
zF4>!iMbV&s<(0=;pBzH%(ls4hy~5~eV#+|xfzWKUy{LUVd(PDPs*^d)BV{3$a|<Qg
zMmM88a&NZB@si1C+QFEU%{g^zAs5j}&?r>!B;y7_z(s#z717##I_rf)LO{J32mc3x
z+i}k7>uu}q&?Z~9wy=as7Y5nttvYa&QN^?}Qng_(7HyadK4AtIDj<;u6qw}z_4_pp
z_dMf`y?X~sSe5q(@4<jNyuZk7!lPh6T0eya1%DyO^8<PC^2`h<0OTK~J-A=b`uQR_
z%A*&*ueiV=YCyLA_pgT(@`IKba1mx;2C%*Q4_r|VfC2>#WP6Ri0FDEK`Th+!C^WbL
z2t-4#>r|u#>C+544on>I+_K~i4ro}kLH)|cz{^mTPL)xCYx}GVLxFp|PLL`q`=|GP
zgc}&SMW1YW3#J=K!*T!Ba7(emy;QhimCx%2&g!O(X@EP&f9CPW4K4}-5CS70l6A0a
z)G7b6nVN|PDW~0~#bu@IaMT9c-G(8irt8ZHMnIOPsL!{^rXx4jKYNhoTgH~yk`pN<
zRme<jadZ=xLIzx2@PN-Z_s8=^)=?8*CZlUsx`J~KwY`#<wRm(<@PG0XXZiU!;T}KE
zpD+F=p7FnO#XpI!M1`Nm-@Mjr-{F`byv%^Fn{mgB;S^KDIo4yK?Qo;`hLx{TT{oPt
zB|NQqJ>hIAnB5U%$P9<?wy?*|l+}|aoome>$L=+N=f5|RE*=x~HVA<;K*A^^O)XYB
zK^H1e;tveq515U=axh+OQi`SQLJtxONsujCEl&E4XQ(}X7C+;w4bx`>R&%`!O|bkc
z370o_$*ZrQ4IFqFObtPjhADr_+|tsNf%i*QccRRMB_lM`0|VGj)<$aVa;><)1{65P
zaP@24i5)$0AS!@awdxTc?L%nE*ERie!L>p)bVYq?6vYONt+atwBKpHZ;2|E`b3h4I
z6=1R-uNM!^3Q`QeNV&nIp#SRJkKLc?rxpBjrU7K-F#-E!e!4&7<HLXR)&7d0J51^n
z<qG9Ogm%{9SLZ)Sk$wm1gxpgaY<DXHCfHXMng*dwGDIi2qT?&FB43Q)BWh!@U@)<F
zMw5f+`vQTwEa77vY9NwpGZ%`tb2!Y3_@tR0J-*g;yvb4sc^rEN)JL9yAu_cm_KOw$
zJ7iD&p7$Q9hfPB042tJboSSl;5A{<-Z={9ls<4$fpw2ria~|5!)1}^wH@Ba?09k=z
z+V-U`Q^?~)vkzb3e@ejFQInswQzaWk$EdTTGSmnWV`8$wPNw5nmEn9Jje1l@AbwlQ
z_goA(=SLS)t0Cd2)Vbau*{xl>6XhsH@8*fcvZ5(kA^2yj9luyxr(V+lU-Ul<GX9|v
zM;=Rh70?Njlu657>nDdTt}bA={LW~;GiD|E<~rnxzV#y<UBoL2i#NxE!19+=qXY(0
zKr;=RZ#pzKfzX!a!cCoh`GOeQZf`8%*C*uevRrOuVGU0ChKWPC>&<$jibc`wv-o|5
zUfOjMi^jM5H}eW6#>zZ?4Pz{XT>~cHMnAt-C>o9m-8t4236EQFQ>DP7$6Xu&VdIZH
z5VHKJK#|~iY7Bw*{9|Z*&D5e4d9D<;y}i>{^rZLrZco=}VM^g}Xzsa-m7XF-d$R6z
zsff3&(9wG6gmv-1L?KQay<jwd3tEu0MZ<*8$wfLD$T!MG6X-IaOOM)gIHzR2<bMbW
zE8R*lYd1QjCufMa7n9(}@Tt0XP*jx{=w6V1KsPi0;bKpPH=Duzn7RTC#WwGSUq1f8
z9!j)-?PaY0nwK#!1KZGk-PSTaKKwUd?XR{nanRfLgGN{TsDtj@7f)cm)Cj}V_|}N^
z?x}N^`8DvzFrnsJd+ksS_f`a(_tb?<^j6)Yj=n@C+?QCue%1RS=un#TIn;rH5qymI
zpwOcITba}R5HDF5eVG1da+U%{^wN#46w>lop;+Gam_AQEyF*(HqzG{YO+LQh4(+Kj
znu$uTXMpNyTeW0_%EP;A+$+jyXm9h?mm5FE2w7T3bUoY6#;2OJp>yAAiEXx2SQYaK
zM}lU*H>z^h^<3T!=Ps(rJwJ_;cm{2G7hV-IHlC^L+^_0TF-^>Qp~*RzJ(mW%s3}An
z^~GmICFa_*MGiurdC5E$qs^SPietTmgth+os1653CAMy{>T)%p-afm5rAYW>IgK^T
zS~2vCow5~OaL-Etq33T8b9&h0Q)Fab!Hb?kv5GqbT5Q=i^7aW~9B(&u(RiI_K1C<^
z!&yv&Njr3)9^7%<_?>8>W<gZI?|eIqT(N?$f~nRuf;Fpz;xvp`>o{h)8~98SfrT7o
z;{#Wa?1-Dr83+lIKIi>`^lBb5om@@Ii9>z&>Rr~XAL7LQ5&-!sV2nxZY|zpGmBvj~
zc1jXPyeG~8OaH0si?izRLDkY!0by6Gr$Lw+ij{_S?cpi&C_7KA8|dbZtp>u7YyD9}
zK`?FnT%!}Br?JS}+3*;lXHoUJDWuAOCCdD^qVNw<rpy8|Cl+Njdu#P0&WFBZuYO~N
z%-;}Y{_uoHM46ug5q_ix+Y@(j@+0XT5Sh`Yn;PT(i@=e^vfH9A9}E)<)eE?TJitOH
ztm@J1H?=zy6K5RSI!9KKqf3b~UM#HG3B}jMX?3{2Npe9GL{V0$&aURFb)M(5E6LeQ
zVd1HSA<Ww97G!f}Y^&W$rIBh8q)d7Pm?|M$Uc<efg=TV61R<holqR6FG5NfqaO<Zr
zm3DG3gdk*eGP%|&0)k};)<miqk;U+GK~V%pdM+vc2nz>7Bk%c<%d+b?%{iVTDW$vQ
z=Y`fQc{fWofSs;G0g;3Ev5+Cxul3z|$8CK)K(-Uhp1Lr1k=~TUWe}JzaG^v#3t#2O
z5_7Z9bT;j))9~``$NQ#=O+j5?QL1Ix0XgYjzX$C4VEYD^Vp1ZY*>!j}Jbx_bILT_7
zy6FzFWCdkfw+II-rWUm4j;iBkP-H526x}DakFj8Jq(B><w4!xl$1|qb-)g*{izp?0
zKh+2zhL(y%Y7dP6l=P}5Nd+f&xcPaALK6)n;(B*FW+evmj8t0F!3BOfNgRYr0eJJF
z&&FqMk1&a>C<oH~Y97gc8s*l${v-BPjhJKCi&Xz62U=ZF0#DD06Ip0A?J!zF`8^SY
zw<~8xqOQ&}it6~KBy2;%uVgZX#QJ9|l6s!|!=8T-7w<4^*u=86$}ITeyDiLP@d4~3
zoUtF|tASi3AOt@WTmuDpjJ)5QG5sFp5`pZP9}`3&U{Ij>fepgIE`^`C3ylJ&pl|Kq
zU~iynVaR|5!1%G_K^C<Z(lsz}eHcpcOS>`yfc^)0hC<Yu;QO1uZzVSTO(XH&Ix2zv
z3O^wGVOs?3BW42r`N1mp`TycB|0<qpx7CCBa;?UEfjxkcbKxznx<llLlGj5Z2+HOE
zWivoLgM9bgA6q7~X3i$Dj}f#Ik_TGm@awfKy&8aMs~A(+eAOHJ_7u(0o8zVX#uZDQ
zgG^zBFUooyZy~tfb#`0mb2G0+_^vukRLH^It^$a+Tp}KfPfkIMi25T;Em^~nG3uwP
zaCB<euff7crxrw@7vXsJG(Gw~ZYro1a%1#NUy?%VVhQ<#(-aEE6EBr;`XoQ4?7=DA
z(Zs7uPY1wpjD89BzLC@%X50_Z6C`B@Qzi$EuHmww;<c*WP7MZqoiTkir(mg*)=smf
zTHK&5ay#0M4bBa_C(fW@DpI}t%dEJ6LVWWvC6F^Y02;}dqVDLt6_VeIp!4l##Kqqk
z>GyalX-?C1<|;wW7+m*@Cl?fhBW)JJ8(G7knv1;Dmf0Qp@wr!rV-Df=HS7YPA>A**
z92@T5Remfx|G0=Uq=4iZDl(C9T~9}iTpU$F?tQhL@oI-Hqj-JEqB;OQ?Zqb&S=VTm
z584oW-hRc&V6?SJUuUEGAnf@L>_{^UGxpPqO`avG^hQ48gw1Ugx`TSo)|s--m~+6s
zJ!^1E<B56;wwp0>4{d@zM-;_Q>lQJg_{DThn`zMPg*)8ZpqDns#;Rjej}r#dD9tgw
zROv<K)~IYjcZ!4}RFBu|85qP>oNu1!4JBIV(`Z$Kun5xU`Q|lA{)U5Y!K<r6Z9r8v
zoHO8dMG?5Eo%<0_AsIWQML5rLnavS>y;oapAAP)!`i*R&s5}E3faSZhBG8E$T38rb
znd%ep>+2dAS^~e(wK5=(H?%j@wbM5Ns<7ERm^wH<OaQkBHW~fQet;uji}A|?dq(~y
z$M%beHBeyy7-c;WlNo^DJPbbr{&^rKKa7S4_Jjca88{mLv25ah{%-zcFU$_}tuixy
z(ygRioO8Tmxr>XU=!>1DA&6+O|7|jvd68t31q58M7W#=&&@G^Xd6ijJ1<PMy2k@!z
zB;KLxCBCXS!*HUE4swv=l-=7X*%TyFssb0<wkUqpsONV1S@qxd!hhF&^y}Vt09(Q5
z**Az8w27jYWb69OI83X--*p8BK7NM3H0&cUmR-)v1XmOu6P3Py$#<k<OM4gz)~yL{
zBc2<x+k+ZxlQ;FGqG*tYFZE`}*D4tdKrNaK-8=E#$72va9)lk{=PLj<y_T5bNd{^i
zw?eiQl<Dhhi|Ae|apBGVdXyDT3t*g{3tS|^f3Yi$!C0Il!PDM1v3*|+LfAcj=ZgQ?
zhY3`2``ga?ccujZ3QDm5YFZD6z;xMv)U^KYZvHCL4|~5=ZkPgT96#`cq;dSI!R_cO
z2?mY7m-EXZ2xQg<tpiir{PcBF*aYKF(f4D~XsmiK*dbP4`remJ)|f8P?IY(1ADWwU
zNwtSZ<l?0vH}0@sxjjWlTqVYxkkOysYTy^TF)ug&j6c;A9ju-k5;Nhm8P1`a`N34M
zuryI#)oKpz#(d1=dM#IrQ`kNcdRH6FZV};Kbw*hsZar@GZK&Fom7QVf8Q?83^r<hJ
zBuiqdLNoo~`m0ZU5xBRBNjEgPzUIeN_;28~Z8bE?1l%b@e1^btk_Lm*;rU?sndUZC
z-R{bgY&u>cen1JdrFSyDjarzawVF6dIm0qfw|*Y(b}UJeNyP3=V!@irbpnV!bwL^H
z<Yg)Tf{RRCD@c?M8dHw}wt+n1JNF!9SeLDn$|HGYys27F<j}Vyjp6c!coiH(%q9nx
z%=Ni~&MCV_Df_Muh(2l~lhy+KT&6HI78C5HbWJ{3p6S>3YLLN(0m@~PL(7ZYuW7OR
zcW&@=bR|Aep_DpHVPT|1BdX3qDfT2>7V#2<<^|+ApXc4;tR7muWuo$v^N0IC)V&2%
zU0K#GjJpMQcXyWn!QFzpySo!K5G1$<cPD6YcM0z91or^%CaJ2VtE<2I`u#n6{4ZmK
zjD5MBb8gss?z!e(Yp!j%;9GeSHz5B*O|wn%cf+1q3YVy~FI%zo@H`y!@dym*LW@VU
zMWUg;TDI26Q)@gHierk-M8A9=4HKwi#&mml4F4Ig*E<<g<u!#d{X3B!(xcH|4lVu%
zAb=4k$=Az$55sa0tJ$M^Kqk|I{N<m3;1?qQd&WC|w0N<N0UDW!C){*Icv$-Eu`J|C
z+BmANj(m$*LUb<bi()ftXg02w&<mH)w5)la>VXneiBA2H_+r-Qqqy?qn;CpBl>}~l
z6I_sbMDxZ8rQ|Q!crY(jECg}HAk281p`i@sbyb9lOO=93<6pDCF4+Q)=qX$v$T4qG
zLhOEC8r<|bmktdU6UDv&y7G(3UJ@3HOC>y=7^yy_Rq9l7lavFC6HJMsVD8wKz-l`?
z?+h=5;bNk!^)_Iql{q3{sq=BQ_K`o$M3{XMHHO)<N%2H}0-ioL#?dqGxxiD29tg)B
zJJX7>h{%tC<p$kX1On*gb;IG(<lG$us$n=?<qY20*b-M3ftFkl>wVpGQS3AZ78I8R
zbh&XiNNU`+W>C@Jb6-7>@mhSr{V~A>tu-g|b$1Qx*H*F1j@rVn(~O~JUxvyD47*)g
zOF1#ub+pFHxrr4HC&FtkXjmYXL+)#<Q9PTJzzl%X&)Vg_taDF=6C&M%sP3F}z}82L
zreRS<EZKgLG&hf{CpG@?Tq-aM{6IwiXm*==o;SwCsfAX&lL*wYs*zW~RlFbQ%d1ex
zJs+nT(Iy9Fzr9$fH8q+41eDW@-iNs7H;PMX<b(zFS!i<<NZYq+38iu!d}xBOIM^wJ
zYd7ZcS###5ES~`s)_PM_`OrlP^WBT2CcysR1^6rZ1E&E*{%0jB2%~@TFDxFg$07n?
z8&F0Bi2@<$WM*vR$n=U)=m%ft`L`&*w{BxUx%%%{0Y&+@uJZeF34lKU9ErZ$w*tO?
zvrl3C#`3>`I-uYkV4?D3`2W_2`4@EK{RhE4senMOja#M{$-zdl&}0nhf($U_Y;sQV
z)e1(I?<{u&?BY+sUy0>AaLT*HgJ?vSQ)b-J$tIuBirY$)QSD9GYp&vTICIp_-g|lo
zrCGqd*6=ciE%t*Zwesl@{cF1MXMy1-{ir2|4M-*hMo4SkLU?R@NF<C+rv7yX{YE!T
zN6`&9vr7#`3X0-M+p#Iqn0eaUr<;m)Z^49>g1#sct)yR(z2VPLlVX@PML{3}VFX`y
z23|2crY4Y)hK7Pak}5O8pxkvH6)|=o!WbeJM2J91;!IJtP95CvIsj241~_{_01{n5
zFaDUu{|I%A{`vovnf#KG|3{3<@$amMZ?yL>W-*`~n(3EW{C)WU&IkEBR?~S~B!Cn4
zm6sPxn=hKZGKSlo*F@vQnhRJ0yS9GJSB6BXJ{o8fg_<&-=`03llk%vXNN|*3;n5pe
z6Zj2cW2J8L`Z@9&KN$%A)zXUHtWZm)iqr6MOqPa45ewE!5I<5%7!b609T#f&WNuW=
z>!Bf~Pbf0Lp&W5!I6|L@0sZF_bhzi47y0*2k&KU>))@-CDkxZ+sk~F`#-RJRKf`<t
zH8ysFS#reH8hKfTJ5?7LAuT^<7FnoX-bo=Fkj=J?dP(qH?K&O8P;BE(O0nBJM832A
zWD03GCj!6Bt!~Vv=J7t+fiEpkCzPmR`jYnRyq%()TSE&kO?Z6LRn3Ii7$K^Uw3hB}
z`1Tc>KNiRA3#fXN*3XioZ&ZP}yZmo4hTgMlPvp!w<E)2M9C(NeK8j#Llu;zhcG!t6
zf6Vk(Lf)>55Z7iB#@LML^)O73qGFT{lr_N8;T=tk&hrI6OkcYV4_hWn;(K4`b25LX
zpx{kM-fyn1zgB9|K+XOF%tO9~Ik1&s$zggH4_$0a%!E+jGNGp;64)aT(ZlEp9y4UV
zJaqa#u!FnZoRaPw-b|r*Gtad*HyR;}Bb<putOFYA(B{T1bvEE@AYrluRvofv)q{u%
zdQpyXX&NNrf#nhbJ%qzia47N?-J&iy!`3P2XL6QZzs?b%EDToIpQj}M#A^OE-q@p=
z_V*98IBPqMb7ESgU)Yl>!~Q9h_@0X4+-$8ZRg9!2%6e`vi_WeMr88~SAJS4wFM7^&
z>vbUXF&15ADGLty!-BpKqMDkckwf2}NaRw{Ik`ZudqkBI6pMf5Yn0X<1+BSM7&)o5
z*GeG!a@X*B2Qoq`dtNw1M4xfEhh5JbqR-6w?lhk6=`Py_u0(J~IgzM2-n!@1ZbDlH
z1;;*zB~ZBeN11MlIw?oa!<%nNUdlLu0w&FIylLWARZmHq1<Br2+{P<PgKnvf)42^Q
zOKdwIQvFy@IZ$RYco9;Xgj!LHHc8l<l&FqU>>kq#Th_^YN5hB{^vc3qQR>@6<RgdL
zlUo{}2*vjBK;=6I{!Nv_C6lW8b=|p|2z6HV+!8sfW&+Gb=aRXh_akwf`UsE^1X7|%
zXK1bOg0y%fY5d(0Yt1ty<P&9X5MFDy$6Iu=cj1@~Tv0EHrL<O$_K@w}gElVQq1(g+
zUg1*qe<dHD#f^Slplizw_G!c|3^o#xA*Wa_8wZ&W9qJ|GnW*$^u_sgq%#}683P{vo
z*GHPc{lk7DCC<EIo;g<z#%#HH+llj+Wr7|UJu{MQVfBL3UctU9GH)dF90}XGE27U*
zNF(PX?FT&@f)}czlKJsa;E`W^nJPKmM{@z$T3an9#MjghGJ07Qod{p1G^v3XVgZzB
zY*5>3Yf*4TD|F0UR!5Z4`UwzyS^%~K#owY&y5-VQgT%Nj;l0Wc7YiM|KTR1%xnDL1
zWz|1Qs^PGO&75sa&0O^fm5r^80a7HPuq{0;p|q0`JrfQi)_16fLl!remy-A+z@#G-
z`%%)z#mEdO>Ei-qrLh7~{D<)PyPd^<{DyyrwwL(6ijK^1j$17#PB~MIh2!N?b9JlE
zVkVbfyIf%S7IuV_8e$HnDwlbC>C^Z`S*NB=!$fASuaw%}-EAx}sPuCP5ahO})oi(H
zeGq+ey~qB*d2pQKutL)kr^?-Q<i4xxEo8*yLC$_ddOFR}6rc3Mq%4tb#u?aet>Q9J
zKLQ?K*DEAJN3h~B<lt8Oj6M{cUz)gifq;5hQPha*LTGe81FojhHPI-o{W6E1ARe+3
zW0i3c2s1%C%U^04%vvdj?<-{KR1ZhM;Z{5p7G=Ps5O>a;(vf?Zp15AW!+ZH9(5N>8
z)k3Noix&GY5|@K0KQT&|Y<5<Oyb>c=dy5X4FiC`{)P7v#GbMYJ3Vl=|RLVHhHi0Cv
zmXBVY*YjD<F^<I^B+DXah9yys$PiyMYQ959#NHLrUt5<brR>e{z0S-#5?vfV!3siW
z6Aj7h%!d-p8~gS;Jf<Ta!o#7BhO6@T)i>*bQs>#{u_?qEpHXeum0JjO)X^Fp3p>1Q
zJq`BJt;95pFA!d&iq1b;FU_R2*LvqwE(^T2&APkZLKc67@I_XwD<YB81npY0rzWYt
zsjTApl+-elR0wBz9f@q3e_pM&1p<x2ThxqHJIN?=c60;uV%7L|iAGqZ4Lz|Nahg^?
zu-GB^X@}dVQ^5PnR|Zu6ouFlT+j@!P{{d}(vbl3tjC-BJr)xg@X|tvQQ8>=Iipu{@
z3@NX0>bztJw)tG_JY}Cflo3@}^tr;hPkD?R7c7~$wEM-z35#St2_6Ex*c?ZnZ3U~Z
zoWCWT+`dB|(}vsbjcgpI=1cD}OCsgqop_Ij-ob-3aamPpZHCgzyxK$-wdqp#qG8>;
zpnJuhcegR9hurWO<BFZ0o1Ko4qHYkJw0l|$Cf%30r?0VCs5Fe<gNunumIQX;Q)Cgm
zc%Mw+9E<pgohMN>id++}ISp~jh7odVNtfNsgzHTL1^L_lZmy>kBHL+);C)|%?L^se
z((#v-<IYf#EoNV!W^KHX>_l<A)<UZ@9D<X9H`_8LuxiO#UmKTW7;fXQ?mdg;wXKtb
z2X0liSL{M17sBa~`-x25nlU6qm2XJmrlG^3*m8zkH}|vZz6Vusx65B0x=NODACdi}
znkg)6Nl$}$YvCBt)WdedWg&<^W?z_H9So_-J+OWvU<~Fb#{9}IUY5z!!buZJ#QC5y
zb9{&GNj5WlnC88RrVW{1km$%naixn%tZPE+n^w*`Qdx4?;bV{2*lYV5y+&oy9zf!+
z7#d$Tqwu$)xupmBOH!+@Ok)WzEDmal1;2q6sDpQLb95)xsq!NjYn>2yjg&+aACg6o
zZiK4GMOy=;LceuYgP__SBM6ixu$Q-baQ)nWT4t?Sh*6TN{}ow*ZHw%&qSzvs3xKv`
z0JN?Dfwrhn=(=yE^NxT9VqdOy_m-11;A-Ul8F6iYL0oYuCS*pWZ(s_A0xfO}@T`ym
zeEIz~$X{RkX=VHEeU{(eD{t%Q^m{T5C<?|uy#5C$|EO5u0C-uk08kl#$=`T2^Djfj
z|M~;{9b(sn&K`^+63Vvj%z#>dQUBVhx=Ll1^#+08tj|m>4OdSpOc<_l3a$D}hphAd
z$AXjXeYWJSVccCQ-FGaEge*$)`OVY(D3SXFArfWsbn=6kt-xy8D0T_WVWF@6v~F8y
zdDo>?Lz_Q0#-9xJT`w>>QReR`hg}IW4Q`WTj|8mQE$~n^PlH}1H>q41P3R%igh@2K
zWdNTH6ruErGLuJk`wII}X{a*^H!vrovXvxvVX2=6f5AosKP+kC4u~FNACAXvTAnO4
zd1%B@?`Ha$&9o=$lTOKqWP`|IzZpI}JgO-2=A@CqTcM;+wY^YKw~vL=Mrkg<Eeu6g
zEQoUglnuP*z(T=3<{bkNgWDdW#`~Q!@`CgN^;^eQvu)(SFS608BrRDXqK{A}>mDpz
zCV7ufXXuvK(T;Lb8E6OiX|~LHo*l@l*n>6ud@aLOa3p&O_4&$&<kz9NTPvds1(g_~
z)OnNeT$>DIJO+{E_1aEnKgEYcCH6ceS^&r8cxeXVQFC#RD`!n`*{44e-F@^t-B<&O
zvPmE%qy2zSTi6{|aB`ds!B7VyEw`9G%z<4Y7DV?}x0{t!8t4%-))ZxeV@JF;9HK|n
z6Dt_TeF$hku|nvXBWgVd--A!S#1LW^?V~`Q2uB=8mCw0&mv4{rQ{p?3DC`1k2TJUh
zh(8efe`SR6s~H(a`Urmb3>S^vXRWCZ4Fr`yUwia_amx71Z~tSg{GC9*p7ylaAqJil
zO2wQ;m^C5M+I;%Z_kMCeu1qSs_Xyd`X<B?z9W}ZAuyNw>Qk+q<tU%Q<x#;tD{RF)_
zsoIhmJ-xx4#g-i`9icp7E_3_@P*U^f#~bEziSk~LHL+Hk(V-j%ZaQ=Aq5eG)uBm&W
zju+Cd+V3AMp4DD$ANprhd`K>9Edn+f;>6=!6(+cpv8ips5dG@?7~=140ndVX&v1*{
z=vSjHQ=GVdw}shrJIxtE&ii;yx$#9qB9wO3oi8#Ynzuzzl6zV6I;D10fQ-?X**hCF
zZhXljOL4^}_8lhqqe^K@RO;kd#cnX|5CODpj%`uklw+GrmJ^OFiQf4zLa}ddnlxEq
zwFwXB^L!lRwL@U5nF<nOuOltGc`W2pmB?{(wu(jN!beFEGK!$t`ugBk=wViVH2jH0
zY12L`(!DDpNVo_4Jei<MU%q$%gP^-j?RB<_x`d(#5I2h><0%5wg7^?&<EN2bUhwJQ
zPvYLy(AC{=X!Q;e$yVMZi(v+J&@`!(LmZ4lRxg!|2P8O;PRc(e?~XBK?z&9qQ$G+j
zGmRH#ise=l52AC+t9EM&oAwwRfJy)#3eV5oW|WOp86t>We$b#zrR&LWFDn$gq>$!>
zr^k`tQM}v>eM6&6Id#saSj+szz}yHfCM`4ZzzO}4-~~iV>LmcuEdh|O^aIjg00kh8
zRZhO#R0r6~HyZ|o|I>N@uY?wG+)u?w@k18`oc#eT#BGe72$hTtogK`b+<zVmiaFRi
z+cBX55{bWC6TwL+DT@6-Y_%T@nhgNZ08=<d*6&9&EWZx_fwKQcZuob2T((E*c!|n!
zk(xoHN{JiNx>Uc)869E6yQBKS?Z&w?`{~NU<{C(ja&g5h*y>emU6tV@Dzar8!Q=r`
zDv{3w3vZM7)w26)O~W(t8BvN<$J=0gb4e2ut0*5{yS6eaVu*{a_8q_S4XLR5WS=<D
z%+F$pUdiGlN_(8;axk`U=m7>{5q?f}3k>6&?>s^6h;W?G8F}xc%9j@mOAgWHIwN05
z`HaEtJ%4nizpVC@T$4s7gR^@FO7&q~iS!6%{tH$cQjKJUKv<5x!b)ifWZb2p{Sp0!
zt!9${dYBfgyOqlcPqcyi&SGu~19{Il(mKM*JW?e3L;X$RP2V;MWKtA6RQ&D+M*=*%
zbH)RLLls`?C(t_y@Hziw@LK8_!TnNTmv|V&xz*_wWCAt@N(`&Xq>e&pBUc+Sj;7I4
zbse*GUx%5n9tc4yes%t3@+;DT7X=zQ(k}@_vywj+a4XmZ^JI8C6d;4UsUPzzxS_#<
zM!g$n0I%lvl*E;C1V{ebd$1;t;w2pGR5R$b8%Y2RHO@GtY0q8@+0?<vs3l$>z>}2k
zt@k!NhbmyWspSnAPWBs6!K@kZGn~%4(?YLc9??Q^>d+;Z6qhyvi#$H8s6);Rqm_Od
zco@p(o5c+@p()~V3hj0GC(K>D&@$Pb`Ec&uWeNqG=TAmgEW&a>8T6m!iGR{BellwJ
zTJ;^zy6r7sM?a|0er&bt{ZyMjQK9c}t3sew^r^Z~ejKi94%?iNf(ois-&yOe&27N8
zIm7hzYpKQtM<n&nM2SAT()JJ4lX_)bg|G)0M6ZL+<Pp>lN7vN%n+DKMg43e{{jRt6
zW1^QZQVnoKPEFz`y=*%Vcuok$hGxns&WbAg%OAacQtpYt4xi_J4`OJDt1u9v&fl_X
zs?B``9#C#<ARm4k$`U3`7swm1`XxaXyot8?rn|mRmM5T<sh`-<@%==nUoICH5(`Oy
zG;d~bwMr6RD^+j=acahfC66k1fSt?|bYIvI45W<Jo_6HG$!JMm^G6z4kr~Nx^5JcV
zK`4v7_)WB|o8038THU;d=Tb@#`qo*`=1qIgX!OsJI-*Km9FRg0pSu&%rjtKXuf=2g
ziI+=rL5>cK<toP0G&MYwO|mF?Z{x{WPiIy23EA$vq+rv^p{$2|xBHGIdY2^gK|amh
zN_4swttP?7ClxM%yFrmoU`BKO0je|biL@{$Y@yU*9h17MP*`8{Gr<ziJC}31y?4&5
z7%WzNN)Mhxg1XO3+2i`0>j@2|+Tk3t&eJUI$uG*&1v?y^16x4^g>+3x#p5PYDOw=~
z8XM&NofOtR>W|Y&Hd@!FDZx;9nLsm^J*=X7Au)S>SHvO(C^Nty#`2U|U0aUAQui^0
zS2Y)PpCa*9vqxU0`xp=}tYA_APGE2VSr}Qr=@o*L=@SkIUkdy>Xsz}cLjJLC_dg7^
z-%T<ArJ7s-tJm*;en`$-OdL$?-^LpMX{crXS9QE2sneN$Z(xp~B`?q=`L)JeOIJ+6
z;qf5rme3zG!ciAD?De{vMB-nBMIJz`-cY0C<~H{9Ft35G;Rj%HhR=%3!C2Vr0J%PZ
zD0mak!Pul|x~`ty3m$PTIS-ma!Vw(&yLAO#LJ8$7QsO-K?{70A#;n7O960`>Zj;f|
zT~<^+u=7=jD2|BTvs&`X<zw!oN<JZ-(+uk;!5n#AV2anZtrX4>70C3?N$<V_%6P-C
zT&<@1jf>Y{X}_SRQ*h+oDdj0_QN5YHjb_pm%7nRkDhD##jgUaBv(?l@JKqKD#(IF=
zSp2u?0Rt@L2PiBMA?bhh5l~?O@+U-Ll>8;Q0_=^y1y?XA&=N+*Hs8Hh|8N0D!T;km
zfVTDBJ<$ATH+jMz`!K+Ym5CitT)@oC@=eM5b@(5>*WYcy1@c%c0?B++ETU(&3i<)n
zMRHN5VcLQ7O3QGR^RuVV<?+G}$#);Mz20^Rtux6xP58rmjieHl2yc{@=>*$cK))r>
zU~b7ijJw;@f;oClnyj#|sa4994LN!LspUwHnK4ufLr1k+sq-2n@!h-uO&ckJ!MoM2
z1}Z5DH{MviP~xx23+(-!*;BO2K&EUqj%^@nr@719mD%JTgKO-0Sm;-e^(W;5FR!dM
zz#d0g2T7NlNN}`SP>{8|fyu5JmqD~M*QUi<Y7cR;nk6LWGBrUi-fodbZyCtRbyS2S
zIAIh{ID}ew080$lin{k=R4pXoL#p3969pMBN539@D9O`H?@qr{tPF1nxr?G9fgy3>
zxnWr!0J<>0lgeI`{p1tN6$p9r%FgErQe(TSbOLkuoNZe|0&4K}0N(>5rgu0`2TG?*
z)PNiU$38(8g2k!<{SX_3f;(+L8RzA_R6&?l+T<oYSFog$*R*;_r+_S+mf|Jfjbgyr
zK~CwT1S>Y>g<vQ*%9p*B=VUzHrlCFj^G12ScBapc+b69bj#*%xS_uieO|4F$Ks{9a
zd_`pw3NG>a*RSWG*IA5c3}=~jGVj_w5#4MPKgFipr6EVVdH98(%{n-xsW`b+HLcs&
zfi=l}Xfo^ad}caz<l~E@u7VXr`0ykXYHaDwQak&9wFMu)!fO9~3K9M#*Rxe<mt46&
zlHKJ`3+DS43|}72e4Q`l^~wcHAD@D9L`V6A?9(Px^c~e~xf#@Y9FW=xJ-v^TVnm%5
z<Uwdta=3ilY=GaYJ~U8l89eIFXvaB6oLi-CT1~cNLlk%{=g2$$%7%ybv8wYUIy#);
zqvDjBV!Z$yI-agTKGnAg_-W1!pBYE=px#7(j#NIAF=^L!0)3hDCCI0fz%>nGucH7{
zTQUB4V3{n#`o8Emhnsa=-E-ks{(`OT_z+cwsZZ~6;VdL=LwuvRhvNYP>E2o0gh`BQ
z!6gNEKcM_1rBUG~lqAJG-hg*o#gBbf8RYq_QG0ZX#CA?3P*T(QBn)mDwSaI4Gmoqm
z{toywd-4*f-zhSST0GKt5v6;B48!}dHAEAGP+1{XQVA6HNPCdw*x*s5k3n-u?SmiJ
z&i(8Y3Tpl_U!0_n(^QwMy5mTcXsZh6$^Bjo^Fg8-81V{c*YGFn0Tylx7;}LS{Ra+F
z5r)AeE!MmV8S!fp(#6@0)HrGE{%*%zd!ifU>aU#f=bgh8Mvwy2_4S6d?-Ge+B9nGD
zeXli}%SQ$!{VjE1FBI0DX!d<53g(j~WN-8Q7ReBC4GrE7u$Wr%BE9J?TPYktk9>Cu
z$zh*)Uh-A&sw4aeh(jBCTh{O7zDkP|A`eG$eTkEfcd3LR8hctY?aPFn)$o@~)mzM_
zK${Q%#{Sw|^bd?36ZQHljQ!Px^<Q8tH6!JZ$cE@A#>zVzSOL-_0l^T!p7jrT>Q|WM
zU}ItVmb~yA%>EeugA40_;C6q9v~|RBUvtGP_QWh<9w=P4&IR7`cu3MRQAfP1Eb3yi
zEOd1VB(E#=7lMa6R8ed8xcy}8eg45Zyijc4zy<%s7bw(;>R0HO2jlnn3_6QLj)LW%
zfGQ<vURIZ`^GJ2lrEg`W9$|CipF-7)Z;`S=W~S8+C|WN<4n}>{JbiN^*GHGvUp5p^
zn9D?|s;05^4kx7~10L=ihJ}lm3nr2NLdmu9mB?e@5Idp2I$esbwYa$cp!BNJM1|s~
zSD7UYmTw$Roc$IcSa7ua7Yuu4MoLYXMkZGHLy*|l8*@EQ^yI6D2J>I9aa5GBqHvMz
zahYr-c@!fjrKy_)^Ov1f4)Q}FdY-<J;`s2&+H<Hd!v1plV+{N7DOxYhiULMeqO?3;
zRlK?vxHlcqG*BC`X||4MzSj8-@mVx{>|*gN1(RWK7tlkCLTXN|L>G9=xB7RVuD`fE
z+R-di@!rDVYYO3pzh+Ru!Of!o*oVGzTg>}D(!371<704o7$PiZobukmQU)K{CnfUZ
z=@PEuo|n?fCDpa_^S84Oi@2YxTa0y2LfNQI7`|NB7@xAd^GXsl7ey4tHNQ{&IIeFo
zGAK1K9W7ddrk*9HOhx~OQWv)~yTkzl2qIGCD13v3&vyaq)s}%n*D7)E`Rl1=-FSy%
zYuy`hP|e34>JQhBB!Ngcz`OrfNV{pjmN8c#G{0ycV;L8F*p)MZn)6pkD|WvOQ~4r>
zvrI<&W*Z?<87n|ML^-0^D0xofDHOOzEibu>M46=C0*_F28`wY)<1_T4^N@{lwDS{o
zraw&Q^6U-txTXWz7Cy8EAIk+%$_|=OnZh(Y(y_Ntd(@Zq6sT#z87%}Na~nT>1hn>s
zu^tIz#o<=&;VF7f@D;X40^0^Zvm`#54}&j_Cmp@6!slV)1?B`utg$DkNwMaGYA{aR
zY>Lz-NIv(W0P?hbwW}QM#(g0Yp#!P>^zrU>o*hd+Y=$-9+N1TZF!>@cty`y7?Cxbc
zyGfUb@}!Kmfn#dRpz)%oV9A4}RHxV)hb!vxs)13GwVUWO`82LMH)0q1&p2Sz^nfz4
zy>N5OUfXAk@bz0&Tjgz{NZ9aWwcbqnY(!Bi?nCLS)k~&Nb{hm|eBaH?ke39$bqi~X
zj@}#4z>IZw*XX`PFmhN?g0PIUD6-|T3$hWf{nh+b$y`6)*&S9#Wrq_tu1K9Fqu<`i
z-B%&3uHT}8vEPET%O+!;1N{KpKw1-7?6{z|M(uT<#Dy=i88nmqsr9X_*uzZFmmam3
zSh;uwcT&O}OJ*8!V~3qaPAj!&^OwrX*bKO{iT29Tk@JM<N;JMDQ5y%0pX51C&cr@?
zd(na&nWfiCyh6Hkkis?E{kmfry=?An{s{CsufDXdtbULm_#_R0v}XV|JO3M-1*)vq
zKo{3-TOYa#pT*ko{?n9U<ot!r0{UM3=AjA$2P>f=A}cRKs6;PF|9dqFC>)H0hp~;F
z@wd8>ZyDr(Y_M-B<1CDv%-_;{zn#K<9{@URY5ae<^55a-z-Ny^MEuf%;5~F>i>gi>
z5oY`N`6ndJ;fmcnci^b7uEBE^`y1C**SHIZT-sN28Shh3xwCdjqhVlPNA}E-$F0wc
zuha1_z&I@DB%>|(XNO#R+K{`3sg=zf!c_};INDe*dbkPhLxm#ygwUJ3Ftk#B;7xaE
z|3v@XS-%YLvdKMrQ)||meYNRt(;;fB{ccUBS6L+tn}rFcO0_ZPZBo|}4{J}npt+B8
zCof@-ev^XO2g2ystZ1nVS+5`w<&+6<a>2@vGI%Vl-JtzsULAIeJeSaP$`s<I4C~#c
z{QX1krIoliNRB=O->pHvl94fLUx(KSA^uc`lk-IW5$&SjYarJCQC4W}EAzlN7hw}l
z5JkhVGo33GLGt8-7!3m+A+Kq%f$^<cQOb}?KayT?#$?S%Eu1w^u84g+`{aMEZaIdf
zwEqrmNOGvi_SH6y;MjU_!Qi+><|pZQ5G)$mLEF)69}Kk6WluM=??JI^Y3*y&XjeR8
z7qJl!SBMB8Tp>U!2Tqc|wl~Vb22(ywHXdv)<aLReBd;x<USowHd)m!{%p8YcQqqEv
zO1o}}zs2t5Ntr?%ymy`ieyQ=!y)Ar9YOEN&BYvw)`Yk_3%v6=ZcEGkDST3l~yS4@2
zY{W!4xX<tpvlH76KDhm^&zdQS_2uBA+h>L7M`F3Zl>qx+Gx}cuS}*}v0Nx8Q|3XIp
zJby%U8xz}?fF6mzP10Qd7)Jj{CNV~l?}8~D|1Yx|-~u5mAxbC+=(obc0cedurzit(
zcc*{--P&EBPD~%rAlKZ3P?-skwoWL@&P=Gp$t27u`0YZ_aNL3}M*4(C##V$f#zy7<
z5!ON9#@Lon1i(80a<8#IArmX$`he_6CPu<PUGeW482nmigNJL3P<T$}SsOF9RaLdq
zqT*x){-+iEonE`;!=X!NN{4c{4<Y2CduKL^>taU18?axGU|E)yOkc-%m)l<m)F8M8
zrN-w{5Qzy%dWmyiiFnn(MJl+J#-ptCK6*D`M@yHy2kko+0v<)2tGdsAzpiIp?qLaC
z+)MSvOv04WkJN(+olDc_43~b{3cBo^sUtwPvH7mGjXFr6{bdff`d4)+UP{u%S~TZ!
z_|PVL$MzPrkZqy!L!B@9jKs-9924C{R{lq=*5o_5TS9~xVwI(D)a_{5W-8cOYe#r)
znF~)g-NGK;iO?>jHTb;5)!*gMeorfPK60N_NA-Mh?pZ`Y{~=bDW+e#p&YWW?!_5M`
zwui|r?8u`aXuZ*sccm5IJ#aMB4ne(>jXs*1X?{z@Lok;fC6yJy#8aZgC~;i0%RSve
z-Y`E&6QV`jdXDRj-5%R1IH0&=bFm-f!0Rz!p;J?ltvrdltcfj_q<}ztnN2jQ8p&)c
zkEs(zjULM%X+Ylj>wyOP=!@AeC-R|m`p*JFj^J^^(~-Qgz}#4Q1fsI8<J#N)#6%%a
zao&M*v1K!6!s6A7hmNGXF}}*Vb$<NmIlR&iovPg*riM8wMyDY%vc>23Ge-mL*ke<8
zRuhOe)$8FFVmMA8)ir98`^~L{$${An^;E(@xt-^lB<Gc%zpVJp(M@np>(Id_dGlK>
zekBj>1GHa*0jON(KR_QEsMALnOjb+)>rZoq(Ldl9xEEJpdhvZSf<eMT2{{|-+Zh86
zdw)L!hJ%+eH*~OdG&cN^kwd{q_MLCT;s5cvF`beJz_rZw52pQ1==$D`=6k2A8+c%7
zV05JKOVXIm@%vlp&78k)99)1V2!M83fc)Wa8wWENplA>vgM1(U|KlP5u557sHtNE#
zY$15AU`^;@EM_I2{5Cny(5@`Ce30d(w{?O|7Q(A9>nQ1QLW(IZ&OuJJg$Q`Db(r-L
zw1s02TK0_#M^Ae`QCkdn)rHO>bM;x<JY&g{qT_F{yxX&oapSEeFX#I5WLW5fxL!K@
zpnCZsC&~8-nl^m!(^t;7k|kJ6M}XWPXkyuYYFDA81@SAuy2@BmQ36f$gcN^He&BdZ
z+O0k;k7O8GT!dX2h#h>V+gv4YlRE)3JZ<koP=MogrDQ{_J4CZH<)vLd)7dM%4Guhi
ztopTs#Qp1iKk1wJi;orxz~inn`^Z^$*l!*Ja2hKUFI^y5ge5*a!+yN~_=Cgx`!V|b
zJ9svP*t;quJj^%rQJf?T+asU4nbqtcDy0AN4LCm_9>7if|9Lk3`FIr=7-(PuL5F^N
zxW<cr=qukdJY{?=Sby8Xh<k%@^l5JE$@vLU(x<5@ZHVhHLPv~NABu|x&nn*D3&1*B
z@E_2>^dTr$)^|UohvJwexroSY#j9G+bzc0ip^RG9giDo+d5zqZjf%R-#Mb}vxqc1Y
zMYRK0{rt9V>zK?yEAZ6EhoGkQuAb<{FevbAy8@*5_&BWo_+@F>U0}S&Ao?@-5Er`K
zA?Gw_A|cy+r4xOsfi0HhOLKR1I0kmGeCz{4=ghMn`a6@0d}IAZ1F1`kYOiK(IV*hK
zKIfESJ2&BWuzN+}TjO>)i<Yy2=U;2_5q)`mIuJli=b>C;*X2!Y9AK9KKmv7u-o5%8
z1vEM5s|Z;MuaZ1~Q)L3~Jo+Vt9F)=c7eD}nzW9u|-*-wBv>&V7*2D>*T>j{`2q-WF
zh}Nv%Q2>SR=l6dv6(AJ;qwVmowZee%0gmq$N`OVq#0gmE?5y8AP<`vY3K)L7q{e^i
zG5$s3|I{Zw5Fuwl6p|4?uwW1c28%*}16bqX>%nw<TS*gzY|#1inEN{PstB7EuaQOf
ze1_5HQG15%yb{VILok!%+xzoaB=B{AN}<hOv&$WvKt0K@ieq;~p3$@GS69Gp?K#Sf
zivN`A^*<bJ^$#UG*eSx@?zC2esZvpo2_YS`0djbtX&`{XfCD(tfWbfkO^ts2J^pav
zVN^SpIe@#<)%l`FHN<_sIKv!>CEzv9&{;JcTQ1)W&D`62>@&a~hrDGL1d)w1&Hzx$
zllReU5$<1$PvtVA$G9yjM;HUY-IX`#WUA+CYQQFjl>KU{j86DW^Kn-iP9|T@5fEP#
z0^*D4-zFFS=R|1Tx!M{rJN)8SUy+($cbsn~A^(B-^|Pe!e>1<B*#Js9U{3)gAbp=-
zfbKgi|B?Cizj=(mi(CdZTjN+FsN!SLVd7iF3_8LtlG#^9qX+Vi-7IXyV$5zSOyybd
zvhp9+wuN&7K~#aY)5Ko}C?S1n>*Fztt_z^szBC>mw#FKczw<1Wj4MM}krKuWfqah=
z?f1rrjSKAS_P$k39f5otr?I>ihG=75&_~>l7<)4!>2uZOm4n@OlI422%Qf>yUwNig
z9X<*44^*#6S>BRZfwqIU#P^Lj@|gG;ZDN<w--&^rL)4`@Ub(So_GLX#P-oSq#6-k=
z<__R@d09K6sIOp0DbUlSaXt_s(Tu7o)BkKLBaNI;cJ<^|m>4qqs6*(tlqE&{FcntT
zG%A)Trs5eT(r-!`7>{elcyc1K#^!0Xn^YOMAQQyHuhLCfp?Z;lvM5TCiJz_W>P>Fm
z;515&ltA}p=T5MGt|DWj2ceuTBB#<23mghf)J#eXbw6DduD6uJpxA^sg@bm;;k3w(
zxN&-gVsw*cHm0#Ea;6y|d&@Ge+nhM*l4b4qP9aiIet=cZCA#!0XUE*SXXEB(+`6dw
z5CV+6B}!8%B8Nsj^2ca@{MY5G#KH3elM}NFn<YHGDv$UGpPgVP7K#td8xkp_#JeGH
z6@|Gk2UXZ;EAuVd)9%jw*O4vSMdnRwMxRNt!(f!BP#dWWXOHemM#$8d-J_y4leoH}
zAUaBY5%_@ee(ak6CK^Bwsrv?3+eKk_ac#EG@3%F}RFnJ#8vL>m{_Z1ETEVZ~`63}K
zGH3VwOd?tXN_M^wJ;(?;xH`ok;a*e29`=z;VdCp@W8tbOpj5>Xl@TQ_YXj+Ucug<*
zS8Z>QqArvI{JP}0`)pna>};aP1U^^?`m#Eeg%yl8&dz2A8oh6g&nkmfVp;wIb0Db@
zX{%Dw^f6AfJi>P_Tb|5V&rfub1+3iaW0I3H*;4G*?WPJEUxRfQOfGVVd63Pj(V0^6
zx}-B<dOYIR%o6CCI_92OShcD~TwT!|1`US9w#!h*>tt?@s%LZBn3&l0Rp}fK7n!Wg
zTWfs0&-X_Umm+v5)?+v7+r$(OG{G0D&5XySGE3gCn{#SzS>3}r*3LonZ}Pt)HsfNz
zmJ7~%wNT_d(sNJ5##K4uk%m`j5{8x4o0_;^arfpYuskWf?-#9l5!0LO8#ORv!bB*D
z6ha3#(^0{iG-&kZ0Y!D9<CNDUBCq2yp6G*pN35wm@<CK6j5(H3GRf<QQfhj;R+DbH
zz?1Fpi&)@Wi|ANWscN&Fj|Nfu0udfOI*7Xw4ZU6`9FI;L{c<c0>v3GxEyxwEaI$t@
zIJWO<m}4DZp<C}=-mJy@MI~r+=3bVpz%Yiy&dC7T8;DRyaSH`%`Wn}pvMSQ0p<5Og
z&UxktN!$0q4f4O)%0H<GX4Fy0alf)N&lh}!7+gsk)5~{Iju;5Q>TCd3zx{#LsK9ZI
z_}Q?_S3NA$Rl=|AZ)fCX;Qx%*=D+X(DMco7M$+$m01i)9@U@5{p^%D_gsg~?5}~}b
zpt7i(qRe-8K>vH&N>DheAMg9&y7pUO@CR%I7{t%Q#P6Jd10WM|GIFwUe($c#@_qQb
zf5?CFQT`6M>!!|PwLZQKgDHWJ)|59akB)P~5OJ9CG}fS!DtP@ts)0esd4JxMRD;R5
z1OsD&g?s+R(o6P`)jo@Tavk-zuA6(}X-w$%{4rI7134R+qeMzMAnc4oiXhty%-UT&
zJ9l4R^o0++!Viqal&sC%Mm91ZCl4|Jt{VWsYki~8thI1khGvm`^IrLeRdc`XfXW|v
zN+~9xCPriVDcX_pfl>71AQWVuy~BXXXV%2)h)Yb#^>IE8kvj7Nst1zM&^hEZAo0R{
z#2TLW@9Ytrdcymq?=Dj#0Xd+@wmk9-YRBD`<G45$a2uaq70->JYR9?hw;|XpP=8{8
zgSF4EK^I8dxf{+@V%q@y@By=}`K<MFCL#o0=mw(k%=#ECuJEbuGeqx8{nhmJ3uTv4
zC2rvS_ku@YIZ^Q0)6j!6Ln&t`!rJX6d4gkFN_KVwq4{)EmimtJ<iYv~x;ULQ8xhmZ
z=^da#O>qmlMU{iYGB77%=AaD34`-C4ZQAn2h0)eEPL)u7rG*oR{ApjcvER_s41K(K
zmCjv&p`Va#|Jg19O{QMj@e7t#k0!t1Q>n8a502p|(DDLQv_b7Q-52o!ON?aY))2|f
zA{{X4LnLeEnUk}<a|84tKg(mj<0}HjymF}ll;gL+zyl2mYV9W6RVGs1(@Y=+`%Zyy
zi!!2gKNb6**+-L^p{rRVv@J(hJix%QEELs;dQyKPd4J&+^%p43Jm^=G&Zi8qJUK~!
znhQ(>Ybriy9l6$D3}5_?NHwaL-(zr5VM?)PDj_gWP0x25Hj?0K2?ou7o2Raxm;pKs
z1-;4&jt$DX#L(e*sr9H&b%&AAer6V_14RWmf?9Y>@NA6RL+Sl!HYhke=PF1u68${S
zWU5DdR{rfrrkzXYfkvfdXE9<8RJ1-foVxUVxLX{Tv!KA0tOewg+zq5e54ROKg~URl
zm*K%J@TWSmQtZt<gamJeUa!Mqw|R~e3)8-ec-W?{wZg@1id#eRA=*jl9O@A=s>P4<
zgd*#=9}W>w4f>o(WkCE!ArS~O(bXd9{eYLA)vA@Z<d&UuXGR0w%{Xfx;_ySkGiYm>
zUGxI%a=&$=Zi+87v*6=M_OOPv^m(zwlgaJ=9NQrRCH@z22JUfpXil$u;(*xranROQ
zkPqO?gv6V+c%iI%y*n_C(9W=@kbC9{Y<&+T{*jzq4I(tcZrKyGsDNnD!680X2YNB=
zRZ?-5M6<o(dE50fMHYKSL!E2rGIy?ZDr@u-sy1U={UOFyNWJ}d)~qYql+f(?1yizi
z>N2{uzySowt!Os!aqRVS$_{l%Rg&@<@r|X(=0>CoUdp>}h<EJus2AzV=Jk=h)4A5M
z{`F<oEk>T517=(w-lvVQ2FFC-8!4neJssv<Ij@A>H~_>OG(gDq_yeUOBm`-<fRKL0
z<?ohH1-}6EUn@7i<$A)v!O0psN!uD)5=xmk(f@8F0}Ds5tZ&oR<k(f_<kFR8<8EoL
zZ`4&|Nl5uKZ2N}KzqeGQ0+f5Re2?|uXn((+AVB4G2mFAQzM~_dn5~r&6`^QPjMG0{
z_Pe|T$Yuff<+1_J1-{kTG6RMHz30b}(f|LMPx5yfP&cWLW2=-kYFF0fW@5ArplAr6
z_lxPg(Hiz!-$BN~H=BeVo0r_5<8-mTG_Bhh<pL?LGYKR<^(MnapCexR3I}o+DujFF
z*?sj;8;MLk?h>^Mw9{U=0FEa4D$7{pvrb{Sdu+t}p<#f<@CiNoxw7GLwy?cDP8eVc
ztDc|ndYqKN&b?xhOBvqSc^*wL4!A<+==$B+bD7Z-Valx5;Zr^Vlu=H&i%J<j52YS`
z2-#k71wpToC}F*wFYk)@VuDgVm+KbxMjv{hOQI%2GZtFVt$EN@azW8KYe7+6KIm85
zU_NCp7qC>zyO-KPtbO#!&gt8spv5w`pp!x_?KmKyK!xEsB8<Y{8}H$v00TdRK`}xA
z{s937`zI*;iJZgtrm?4W4dZ$3_!ml#5lX9XW)uE2-@m&@mH2+aMK4O@RRH?X{sIcT
zAbH0YI2166&l)kyB+H)sUy{TzJUDwXP)Zq)`Uk*X>7U`+H0X04`rjL5@n{%)jx+9F
z-?0w3WgxSwCL-@}P#}n)?Fx+U(uisryDTuyJ4~8*0IwExMkBGX4Kif(JDtuTpu+96
zs+3pPj@INUgl8OU^Y$G*OMlZcAZkOHf2Xg|M8x3PnulhXH5DInmeF_-cEK0a(6HG0
zv61R-fdd>!A`Ue0)oz<G)0lHO*~DeO(bfCw67WO5{XAH9gN0!TUH0%g9i|5A2c2vC
z)mP*h-8=9xwe-&MehL;+jQN!YS+QrSbEDmc&I0OURRHSt5daM7zlGW^RfLL8r$Hg2
zHMb<#*PZQu`Y&U&{skd~#hHFHg@ZwXRFzONmNIt#y@?_$3YMIN5}=j1sI9Y&k^VR1
zC_)h%BU=YYV<RR?M)Ds555bT3{PweizY;nzA%M@+clri!=mf~NY>a^Z6M%Kj0#JCq
z4FR4IOd9{~$N9U(I)_n@D@jT{lUOylf&bvmd6INh&6Ole(eOgsbCN7BGysj<0*9%&
zP?Ly=W)4v{Q{${kW6OPpnS^FtX*gL#%TuoGQ(K56tW=^#;kEdYw<r7v5yWZ++N0oG
z@p{6`EDs#jDQ)@ZCet~RWP*Ny&6Q_cP1h<*n}z|SoAp6KQ3NXc@kWxb1OB?QH@2&7
zfn|<H&GkZ&=GRj$cs}U`4XSSyOdV#Y3LD~;Upj(bA6y<jQ3|;Vq?6!O*YWwGLQ2!i
z-Au!v!?&0SbNG-5yLY_|zLKU|h)gMi&jSky#ShxtSDH@k4+k}LJ6yw(v}tCrWHC~U
zEi-S6!Z`^L@B2Yv6d2_gVFABjJVdZ>8dC5-i?=_QDH~!xyP?iT&e0u@3EHTF;$}<=
z-~SwUez&~=2(T}uA3~~={iA)-dnzl*M?yVmnBUnn5ZS9GdY5ycR`BoM0NkOk?URzh
ziiMrrayBLO`5hx<;@0l$yX(*ql-vkrvO^d^xcsSjE6|dN7@sJkfg&c>hwgRyA8(OF
zd9vMvVlbRkU{>T!WlSato*(DiKNjY^9W}W^6doy{QS~$wwJ4@noVz?;w=ScKb`x(}
zCn?SeJNj6X&|WK*jhC3=ac=X{e%0*ESZ34<d{xP~DDSi?5zG!v6f|jSvQ4@6gPOOZ
z?ZRtvgQ>a2FeY2vQ{v9g2Doe^(&lK&*wINVhxodKu6;w1e8T2wDQe@SJgYb_6MWdp
z{QG3>n?g|li`E<<z@GfJaEYj2!<8?<mAn*bqsgY@KKNC*`!6mN;ony+z*-KFkj%x(
z$?~ms8X%N?AF^?>0EDvt9*BH@oPQz6O7F|J_aZuAewsULstMb0m&`#guv8{pRCqqP
zgeL8RCC(hOpa}4XpKPyS+Hwl886=yJa85s498bxXBJx2mFpQq$nyLzM)5T0cl*eJ?
zK(y#xnn#hzjg02lY0+eg`3phzFSz>8r63-HTDsYl5v|8PI~exmb6G^KyvbiIg`e&|
zpuY*S<bCFvOVhj6yZvwx5napf5jcj^1B!97G69l~_|<-aMP%*L8rBk2dTuBiKH`T)
z06}(<m5>?gIYk1bE_4O8Lfb0Y{vEbJ`0QFXdoV6!0Jn?MV`uj9iD#vsoEoB(5?2c#
z$p0mM8P!cqm%fY^OKOt?l8qIG@?*l3aqORW3h`fd3LzP$pRI@#oNZt08<_+8>6%*u
zPPL7GKMw#!LHpxdzuO2h5sLjN{QQRb%uF229IU@hr=LT{|J<GaE=2#(DvuPoe{S`%
z7A!5Ok!f&=ZtF!67%z@W$F3S99%*gYNzh6J?Rp2_YQT<MnOKO`k)}k4<aBe?QAnw8
zKuYitA84{7@FZJC>B6bffC=wZDG2Za>1Uoo5YdWU+|64@HJAEpglPDWr(?tScYp)4
zE`aslI}9JT!=BY<gtYc|A)BF`L8kZoeI;usY2cViW3g9N?`yx3d>)(brjS_6;7x_f
z3D>43TKmdXthC_mGlmVV^hp~WY%EJMD%>RiKI?X}57kvOnjO+Vl^^0>QOB?+ALuD>
zUlB*~<9jX#P-ugeN<DO&{AIFEP?O~gu!)x&vf;s(w%cz$Pz36LbzDWaF!FVu6q<kH
zOwG+rm@rr{ZwF2&AL>?MJ%B5ICW=&#lGNJLPbrw(r*?a%z{idDC0jkRNNc6%E}D2d
zRK$KcCfUj(laDXSOXs>3-Ry%-IV{On4a8z%7rKEgB)qN9uSlXpGkd9bX0K9e)bJS?
z!=P}Kvp*)096`C_#%t?O427lXW=qDToDdaDphFe5=u<KcIF$um&-YY?Pi!MG%jkv^
za`Q?Mumq{YFAhOF3!6JWSlWA^u69d%_vX;|$GZ<XW=G1(kUr>afwel|<WtZ|Xe4{g
zYC#j$`^GiOox$VkgbLxjsNaoQ%&@w&SdD;40xcV+JjoNgQ2H67|I@+BpG%5<uIrq{
znG2n4r1cV!OkNBl-Y>v*X~Tb7EZ_4hFz+>;zw&$Z>ALm}u8!$;A$Pyjo?<R;u$Y}j
zLlaFR$=iw6#7vgnEECEJU}6s)*?;H;OArqS?t2G3rpW@4AZp@-CwJUY*H{a$KWykT
zOYa(yfJ;qcW*MaFV#k8=v@VxV;);2X9kJJ9JTNA3Ie@Wr*!QU&jGj)E!Q7+^C+g{l
z|MOs6n+psXe32&zZqYc8E^NC$H=ogZTLGPHi%j<%RWC8-cu%PVNPs{wcQ!Y1BGWRI
zVV5&%qaG!lrr8>Lkx2lF!quVD98;?2eto*sVJQ08oi^uN3C5`7vqP*)S8OIs8B=8|
z23zC1MZP1VBc033@IgIe<q3PE%e(v>e-?HY`_o)EUD>iXL@TTk@AlM7)6ZQr*w0Ze
zE7qX<^r@|G*3!$HgC!|#>A%#vk3_R{)wtYWom!;>N8e{eU#B^Yi7j*yY_Sn4ohwhQ
z>c7bc*&yRw31X(xag0{f7U~}5lUl#S3dEbvmLC>;5Jc^2nHkW?F*E`3YXRrx5lcG)
zBA31jRcI?D@x_F!ggp)?&ocU~FL|hyxl&VM3R*+3Y^`l>W?rJhedJ~SsgEZ}HUq7(
z7EP`z-a~D6z-r&B@q)@wr<V4Vj_+8*c&$kDWv6(uzjX!y1T`;mZ8&0THtA{pyBUu)
zsXC(s!}!2X$q`(7(hwHCZGeZ{KVa-DRaR0>|FBfH^U($x9?b&sQ)kLQO`HD=@-hD-
z#&WW8eJ9$0E&ChB{uurT@AP*Vn^jI$4UD;@8Y&=qcvrD;NMgT{GNErmq+47;p|EX(
zgFZ#)EnlhR+TzBow_ya5>J^+igB@A+On~M)9gmMZw1XN5*0IW7gP!?zb6_!vb##se
zgHrTs!NBQc?X(QEgT&o=$Y#-kcb2zhH8)w2wc@MN+g6*0rF_SjX#IRpRKoM!ketx6
zvJVl@`LJY)WV`6V(?bnx{%|=wr|auqHMB?l?5%GlO89x28fN`~AMy@0YkG9_sF^-g
zaO@FsXBINk!VN>?ea?u~{v@6Br3c&0^GGRwAC)a<b;K_dPW%D)@~lm=;eI;8Ub2s%
z>`5@C=8g7w;Omn-RpC*pvWOCuw(bW_;AIk`EH$9Wu5k;LW0Xx~8owpeo%rezd}15w
zTfwRGK~%_hZ&i?c&954Q%@~w)DkqDHI+Au6H%(RgQf*4H3RUt&AjV0!7Y~iKsb9P}
z<&hh-zGUsT-+BhpxYjBs(F<}s+d`@$E1!PfjM4$O#<ft(rTVdit=NHx=MCE~)2auN
zO#?HOHy(2gnxuil*rsdNr|B0sF2JTxYl5&{hiEppxmferB^4VKimz!v-qNCy-n9vV
zw2}AsMy=U!dMnXwA1Bqs8=Cpvv0bi)_UN&_Z}&3C)sIIXKU{&W;0HqzF;<i3tPnp}
zuR}lQg^vd5wW9|v<3;<WMC9MV*yCMW7mYT(BMHskJlAFibo<n9zCSIN?-(1i>L(x!
z?PK40b667^wXRV8iO>0tQoH|Ca;m3x@%G?4%*|f)=gehOCZ8tY;yw#Op6Dqkt!h1s
z=+pjDP=mYh;|Ck+B?uW_D#S4Kw`$Vjh<kzh2fPmXu3JLop*g~8?mp#%c}nm_e0D8_
zSo*nEoL_~R*E__XZ;#Gi5HlyFbzW<lCwLOV2@9rZUaMn;uBe1^D8RaD!QkfzJ@%!C
zBDSBqfsiW4R)mFw4oLdp9gN%X>(jG0vmsC<Jesib=sP%`p=*gjC`$l&s3BLvoCG~q
zHLy5a#Ns0F=;_$v`3?|}3<c_E;s?CC(=9VlAx%+CI#$@t@=4_0VIX+1pyWpzlu^Ql
zv`DOL(W8^7bj}RuHJYP#3J*N(&|BqY?%8$4E;6idqaz*Hqf@?zpcCG9GqQG^g@D8I
zMH%x6vGv3!&{BBQE@@HQxf)&_G6;=?YvydVh#YZ7yssvo_zGaY8!wjW*@TH^`#ghc
z^hRP5#*}Cg5s+R+NxWGV|7Ij8f0+Ss*HjS@JO+7PNjmQK@VB=RA%hEitp}9=(d;MN
z*-+-Zau12XQ>vB?@`T{*qrJVYba+R$?W%YQiYuNkuNz9pXmcJQT*8+axU2L))FFpR
zoD$riPJJ!LhZRb<7qp&n6a-~aWyLyxcO*{3<92M)9qDfVX2mxGfU)%e#Ut}a&;$Yw
z{p%zF2c!~+{I6N-@9t43$p6GzzZYZz#7HJ)RzUU%2cQBIpj!a6%I`y#ZxPUc=r(_c
zr74($QgQG=bQPdfZ%+~Z`^%-Vg7Ba+OQ>E2T`>5UG2=&zw&etqW8**h;9_!XrRiZ%
zb346ZVf5Blelc`hvbHms?Q>;mi&+l?OZT|Xe*)86gS5ZYDT;Bc{g}J(oFSo+w!^YR
zns6h~q)CJ8!PYrr`cz^fA8t*lM{_c(*VPyM=^cB_h41a+3zY6OSC@|RdJqeLk0Oyb
z8{j*QuRG#6qQvbDiH|UhA>-dltw!}~z-(7;>grg&D1o~RI()T%3+8yf|D=@^aphQH
zS?e=0r3FGG&9z<~A5SL~GCN%pEnIJfa<;O3-F+J-FyValzAI+>ZRmLP(USE_Sf{al
zLO49=V_KUgdg=ScgC}>dvcrlS^r6KOGMa6Ihm_0>g<)<bIPo2XmVsIq2*sTjC_xT}
zpkQlY>@<W}AbU;)1a$+iO-`N3mP|Vk^z}k(_$La#<}Bb<P5|l~R$sYT9}CWPR1?=J
z;jXgbEoHe<Gi}jbZEr93uRU-3&B7XfcxK5$Y@$U&J4mdV%>LMV9+7~L9ffC=tIyFG
z?8q{kn2<r@9gr*SzmYZ3WU3nvnM3j73p$eLClN{MYOu+Ylj%n|g;9A6D5krZ1-K|9
zt^dQ^Ux#J2c5CA>-3`(u-QC^Y-Q6wSAtBNolF~>>H%Le~h|($D-SWFdeHP1SJ$rro
zeb@f>>v8bMb<cS_r*e&Po#PyFf_8C*6Y|?dn)7mf{^p|{+OKyzWH=wr>^3RF#0qT$
z7Ke^Bok=c!%l&-qY8OxY2VM=RU<fGtcM|3aMf0>A7(2+QMM8#|6ztQ%*ahfEEV1zf
zYX-aTbPh3?IfJP`+F#x9Rx%Gz|NM{G&dYzd%177D2ZJt~1)*J3{z8`?oZfr`RW$G;
z+r?=+8614AxQXsnjbp!9J}4%+>T7o&*PSF5e+<I;&A_Y3JIIDveOWs5s-XKBkvlhq
zfDP}Oet1|%<ttZ6NI~%=xZCBIWbvvI--rkdOuh9t$*M1zVp0@7vA<Bgh<omSndotI
zMN9U|OpU><fZd&02}z@z-!SULs`3!iS4z`(ATmd7s*t`#jbN0sWAzrM=oyWVtfz60
zO|l5jgngG32Fz8=gnAB^Vm@uM;4GwkvBGRjWP;cV-%-Ln5)j8Z_m;p)jhz}c;gG#X
z<UXBf^ylq({>@67C9cmz5%WRKMD}A>Uwb&W!9sbuns!w^ZT(Y8&TW8iuaYYgw0G|(
z?2p|n;8{(GOB+<*f{x1yVa;E;XsYF27fE_ty+>$7&i1ai+GiQ7BQxT_eg${6bx$`L
z;|Cc_h4<N4Cpa**f&+?wTko0`@@v15ow{G4LgHmpU)n}g4siEpvkxAIr#!eTjW2a{
zv%9vZC0em^kkPR0szPuq_$1h|L+f>u^wN6|$&H{^W3hB5j-M|yVF<lUei5L|Se$j?
zWAwpsB{v>#D2z-CnqzF_3%oyije9=VE1Af!{3)^I6B?w(78Rm)U<FIz%(JRP+pE3V
z<F(4erPyc{Dp=AEGOUkENZ_VZFOhaS8Hee9gU58|X&@AZbDj@Vxy1*qpxL7+R(MaH
z`S*O*KSB&J{|O!ghR?G-fyY0W|KOAU&ZSomA|RPZ?Vu$WGEu>(vH4lZ^j6z*5u?RE
zVEN?_lpa*OW_WIg<CIu4&fUN&%e?Q-$M)a}lX)mzB3+c5dC3GTvN$joQJQOq9>`r_
zBF*&r79E|#cUO3I(pjq02*wF!L9$wXq5>v3;|0%R?qEC9DKICYFb?aua&_fFcf93G
zKJ;1&vA2smuc7ya8^FcFLe4eC+i>iGpCdKi7f(<OAaOzupt6momz4=Pdr*V$vpn1o
zTKY^L7@jv(Z!(Or6Nfk&ic(5wTG+c4&;_(X%G$pl`6!ASi{=0kO^|i<%CZvSu<JF}
z?hdZuou^IM{AW<uOtL1Fg-<G+C1knGJ1zmUw8Mz<UqQzYpC#j1$8>|l#G8RUuM}Sl
ze<S7Js2W|HL*M?H*?iXbV_^-L$gcS9hDPHh+>sY`WxE4qmw*v1w}j<9F^|Nq7qmyQ
z?Q9W4%Ba61XlQ}9Sh=HzHx%e|)AITi-26(a9L7a6u*-Jmtrv?AyqZHvWGLamiR#!T
z)-JFjyvP(hUWWCn(dP2&dpt4*{+8+-_`uqcs$0EF?L%(FERrtX7b(cQw2S+KbZFop
ze#_qocUd=)ONmC*c^CT`Y>_~NhmRj3&}%!Y_(E+A{9@!2FE41zfH@(-Ze09*K1eF;
zANGIr#@+SzovRyLK>gM~nf|3Jx%mHxg6P2*Ybn|R5kA3zNY$l|A#D7T{`EIwdGxU?
zhBIolD6dpy7jjt{#hUXV9b5DbjkfY{Vc9Er>Z)%jGyFi#^ZJY8>pfpkSVlXoD8<Z9
zwQ;T2yIQIFKVQ<_*yhSy=ex+U?4^RKz!aY+bnsEi<<s=;XzK5KCSW+=_}QU!qW%c?
zYY64h$f1StSS?}LGs8E&At^Qeovyb-O$_KmxrRN?sO#2;xzBb$zoCYke4Xr=*b2Ip
z97mG%Fx!21e-_Dz?|@b|zi5ss6Y$KirG6&X?FCkVLGzJDer-DJWi*j0dAl^QEq5yX
zC%iOcbNaCZ_yMz)1o?up{ksF>Qgwb)($T7r=rO2=23It@#dY$%68Bo=#yb8j!t05m
zHbb$2R}n#{*T>lwX+-z|WNAoXu`k*o2<EdV8`TQeQfU1GGnOK#)0v`}5{`g*h^VrJ
zJL$SoI3YQ_?(~3!2u_*EJOYC*){i<AQQBeg!HD5h@@42HyQRkK><r+o@2tavNlfZr
zBb1PeYx9iyO1AcH!}QEv`XXRJO-dw>y@)$P<m6+q!u6RxAu4aSJY%jYkWd{*L?GMR
ztAnL23}zj^*X+w0ALi4dWNG9L8mTn>q!}Bl=JLG5E%VxQ#UNv{3=H$kdsi<$T3L#S
z@=Ai5Pd21f+iwseRnuTv!!$8cWc<?4m)y^%-2WU>rj9TDg-R-z^u5M)3SedwL<XQz
zAov$N?s>XN{xNv`$msrr#{g-VA0sJ#z+*tm27uuGXOILlAVWg*^dA5W4g}cch(LhP
zVL)C2ikpYjh0s;fH&P}iWe>jX_ht!mN|{z~p@*`}!E44kkH$5C36z0IGnTYO##&4h
zB47irVtdJ9=&pv<^QU4D?;4hLnide$*SFS3-`zVz!)BYe0q1CrzSuydbbY8)^AM#b
z$n;d%%B5tr$OD!~%%fvJ#QCrmja1}VqM^R264KXysy$0Hs~cs<lgl@I`*MBZM5hXz
z**=VIWDHgA;e!+$i%db+^Hv2g)!oYGj9XEBlV^*7avKoW+QGN{LY6J`tro)QYOkr-
z4P);M%H`Sz(M%KArQ;wD!N&U1L+4<<0^V2hQhhY#a<4m>_ph9oOikxHu-3A!j;x;=
zN$+gSm!?Or%(UQ!urK$?x?0>DqAX0wB^9PWJk}>$36;Ilv->iGW{1UWS;!sqI{u@w
zD(YKBcY&*h{+t7^CMBW3OtgJ)B`r<0!sNRQei+K>dHGlb)Rx7>yruBew$e1_(8Jn*
z_c%R7%6%8T2gzs^-QMm>eMcj9ZU#XG+f=TE`x?L)4Ds98;mc0OGgfg4l5#a=Qo$c{
zi5Tvn_brH=3PRyjpKEllaAi>~46MW~&p4IX_&039n#5<PM_@fvPr&WPlD!J6&RKDY
zrh!=>wzW{)o#hAj3uoFu)v^AjFR)6~S5spm|GCLWg0ILD?n`sXi+-mDe(nrX>DdQ?
z-5<X6C2%4jj~4sy06AdgJL)9_3z%UD_{<P6`Li~@O#=v&A)uQfARYn=P%IA)4haI#
zSqQ-n2owYquDCdv655*)I$Hn|9DfwOm=YQTl#?DMluVrn4ULUW9RL+A#y@X0CH%J#
zlKD?xR<H+*9Pl8dfAZn?gt~&Gp|P_i;BQfOHgq<%HMMi5W1#)lO97)lw{UiL;G(B@
zb91A6;bQOlJ?mm_V{c?=^S!y2-q^wEX`c3J5OC6ty8Kd@@AiP+oGFP_XRcuoWb98t
zz+c_)&jkU@fFR&^-}87t$(Lo*$lSD_*k78dmJqWXY*Nm4Y1dT*&Ww$%KEFLRDCE{P
zP$thwyMQ91+We61xSmd8#aJ2RNj?{Z{F=PLO^f5phtiO{1Kq$Dh@NpbYeZWTdTCFa
zLdc|nwV<rB&~UsG^hj+pj2ZN^aQ}&gt18#7I}X%$aEn5g)OM#lyZ+>J=LI70Sz4-^
zuv73#65ZulC-nZ^J4_0!D9LmkD-XxSp^6+?CuVA{n}~|Z`ATrIl8T9JydQF;;gIk`
zQf1zqIwHq^-ML7cEz&KNt<MB0cLM60B?jHP-obJ<0!kPpB5X@2)U17J)t2hvS$rZz
zqIBte-z2wDga=|*3GXk`Q9en`uHPK&O&v$K<(nVAkh=1L+@4nVo!6^xFbmRmQRie|
z?Hq*cnD-bnz2ZB*_FH1}wp+^)*&dW=$o7m0c2MugqrB4F6`i&@PXU?Co>mQmNX5#@
zb{l8NEFE$=2t2Pa;vBV6UzM4Ng+*|oz<KlG9$WZ$!0nbh+OWZr0$m79&w&c}`E>M3
zE3r1Mvq0R8F&4bjf@O=5c+0Xgb=9s<n;=eYyIA*IqCtJR4vM%%%%&+Sie}_+jQEsP
zg9IJoQ7!UhJy>vvcy@elOSawOOhdeArr9XC&(3^a&?K|KZsH%ghgl+0&j(gW4VkMn
zaaQfVu&dX>7o*GqTz3NC2m8kX1w})du8qDA{&c1j2!r2~Fci>jgunm?Fk>(%IB*qH
zcSEONB`c6{kP`MTPR@XSBTNSL?{~n!Au21&{HYU(g@Nh&6;L>8z?JVdLnx~DU)CEF
z0{WC5i&oeGI%fd#oRRhMbYuChg7$0qzyE^&AtC+_MLZ@2=k~Bm05XtJ4$$DA12KLQ
z7h-sF@!Vnn=wt7WFpx^f{5`=EP=lb6&b$LU(;`9Yr=f1hJ}3f1bVx;BA00^LHCB#@
zrQxg@I(Vr%EIKU*Er|WLqqh|UW6+ej-$$YTkr&e*&|6=e2zWPKL~Ej0H{+O=ydnSZ
zPWb6$)W7`3pA&CSrP4rt$%cn*2)t(B-JU|78Te#Pa$3RrN=yTLuX4%$R;|gwx|d^U
zt1?0!@$%T*6(Mj8Uojelf%k%#f=s5z;8i?XS`{mP)8|W`aomv`Ql0|rfM?pLD2O%(
zreXcBimoA-jow7)NCAS=T>!5*`Ey^Y)lm+!w76e9MIVm^mQPz_|1bCEPwhTXIJ*B|
z_vT}B(IYqcy<QVQNOCZ;0O;Bu)fwO0Vjq`(ZjJrldda_oZqaO}0xO?o+rQLoi_Kc^
zFpCe%T>JR6wbJq)&AG3H<j*ugt6S`=^JR}g2?lOb2$B%2IX)W$#=g~aAg&tB;#?c;
zmg|YLCF}8OuAU{&fC<?SU<dzp^y0-{7w)!k4hCArA&&WEuqp`1XUYB{t(D44d#0@Z
zPu!t`Md_`BC3Ci3&;&U$jxn>;P<Nv|DkJ8IMWeb&Sg;@09CypceelQ+<93lgXzy~r
zAN618m`DQC_Vmpw=HYP7Gm6UQ)Z1|z)dkXwHlyK#%*h2OL$*xb39d&>f|c$QSW#%A
z3md#dd_%P9_l6yH_(T@f`uTYK5Yfq7u?rE)^Z`RwNFe*qhET{mO$`^@)duUbjeA*W
zX8r0KbHlGJufjr5K*c|pp}Lm3`LK`#2M&LEmmY(i^_<4fz22l@daK~fy;^lJXoBgZ
zdwFiO;lc=%a@k(!-LtQ6;5V|c-9}`h8_=Hd8l{JDKmeJceART-Qf>!H$w8vF5b=ug
z7-5!jeWx9Oj#C>pJqF~ZXH*0IIm8&D06bB$i6T5SzKR8RI#1QE9(QapRh66gjA;3q
z(u{16P{D0Z3O2fJ9mK#vQ14T@0w)m~*<cm7le4Ngq(=Z}5d*5oI#^hF5-O<>Vx#iM
zw7cQ2xQjeDC7&Ur2+Rvo7;qP8=H@XI)y;Yybi&on-F`r~znrc7)MH#5G=Ex~V!3EI
zhwvvYbea>hEXsW1g8uUI?+)cjHT`4l86a>_tBx9k$&iftkoPgR*$e|*F~#L}U4h0k
z^BC=>WHOBJA(k@QIDERMSOplqEk1<)TFSOp?_B+QKou9IO&pP}d&#PP&ZSeF)UWZ_
z_{xG-6>R(@vLbJ^g-4ITeKS9s(4hjXyZ+L#aFGbUm6=p5!X%DtjgQVaX*Ml__X-pG
z3+Rwf$jjvcFi1s(FAs53aEG%YS*c%k>)%_fa*`!9S=4_BoZRs==QT1fCtY{kTK&3L
zj&dPQ&6BlVA#lo}Qhi@<(Kp)@t;kb#8#|A?nU=9q5APVgn)k8T{dyOzv_}}c)0C3}
z6Qt{9RR(yQ>3)*FsWZ<lG%KA~I_f<RqHeEk0GAr#5ckS^5PG6gu>mojY+RYoA~kw+
zI?v3YSI8*8^(YxORXRO%!KJU;SS9eI4G5qo2Aygam+H$H#@mi_59K7n5fzx5i_kUB
zOoRzmo55<``Vi-zU{^dWrUfR@jq@+X)yKXE=Qi!lwy7L8Lg|XZStA``X|Z>6twid&
z1jlaw{NC9}0>drNGR6>hG11>yB^ndA>lAeCL!Piph%%-p3>`EsTUPA-%P=D8aRdd@
zg+Wj_jQ&6%C^=Tyu<-pOkOVUt5x>Di@+6EhXok|d7Z`To7#FzEpJ=&L@?T7<pw1Ya
zo=cm_-y9zhqD0n|s#l5{zb$nw?z{y+kVwD}+D~`yvavMSVWD00q~;EU!TX<sA-{B!
z;V6E&`XBXCf8F!+Zy1Dy;rr0Xe_@dC%m3xK`wsv_)UH_JV*xQ+rana^#$XbW3IDuj
z6y6Y2b<PWtrYOlqFdXqDjS||#zWq!n);{vx*AdDZyGCK(j<gZ28I_C$xnB?O?bStM
zO|n4FH}^pJb&4kL4f+)kFGFt!+?<L}{sur^jt4t2Y_ft)MuEiLuIB+Jhinc1*8t=%
zzwx`j_@h7%<fnL={pPMFa-PAcVMUVHKKL~~YV7>}`kjI`vY1#k?sFic=C-cQtzpR2
zYj{{)N4}5mKo|&GnqXHMNN&At{Z(O7`TXIT*UfUPbDQ(0!lR*S3Uqx}k07BeY$v=e
z?ev${txN&<V*!9ax_@p+FPgMTbbqGQ-|@%)-kt<tk0-d8otcxF^N&6GWBI?hC%?bl
z-yx1`#D!dHpTRMzZ+qs!1)Fp@O>Qe|=kN3OZlrW$KdOscW4c+pp4`WO<wfj7&xAGW
zQcK9h2n-%kJ3K+Z2QoS*f>zlw#gG$hT$UG0euvZ7U}vOfS*brq1>$>WGjJ+6y+5{f
z$8RXHUjd4ShlC)FwcISX7h?LrcB*F%0-F({YIyI-vHxuq3#i`yt%8w@Gf(zSA8A~T
zohMQ675>|`s)bm_5^6lKhkPk8_U+(2X6pOZ&#ElmSb0(wy;Vh%^#gC?Lw7rpTOzLU
zW{84FoO{7|t%@n*hjtsZSH9_!zGKno>mXLiz)3;w;z;-94YA2b6bSJKInx1=rx+}M
zk%h?B$NUYMly&E>soQ{e#v600s(8}H9n_I%fUAq(kY=5(_$HI4PEqXsJ?Q5h1B;zt
zbT;eYZT$A?g^wij{!{^iwh4TF%l!d@K$&_U{JNo1axiIx1gfv?Imo5u{Lgp;#Fs<8
zcW_5)U33)baH;(ODhiuGwd2k`U%qCQLB`i9v$Ec?f9<-^MQ?lVv=|3-m2GU*k`!mf
z2N+(cnzncj|C$W!jug9q)N-)XcEEd8Q$M+M_mHly<qM7`5B1OqR$sg|xiQx0-8R|P
zz>74$_-`!cL2{|Pch&CD%nnUv1+M!zPP^Fo@E?g#2@}*{<Y;W<D(^?rp__7;_h0>i
zIQ|G>7Qmn(bIv_|l$2585)U~1N#P4L|7#EOm*4o^gZu^JAjCvYpu8o^z{SURFg#9l
zjDJB=W)ZIu#q=Jh+5z;Al-fBshS%NdtT8-4nY$J<wi&<hT0lGYS~c}OKJu6jUZL4q
zWdbA|6KBB=PKC!bUb=(GTG+zJ>qLSu4q<-a;C%5yUa_i{bs~#Puk>jeKA7iyw9KU+
zx&u-fojY7!bhlL=5sRK>Sl?k8XXLhk^<cu1HY>kItoBz}6g?2}D@kxSNtwK$Sa>z<
zVCsB}(1^NQh-g^Mlr*&1yl*Un*<37enXO_+82Z8mbH}rW#c`RK+)bx0W+#MHpyZGl
zaWLy;TMpsvMJ+A%MrUxPGvaNZDM+3Yu=s)`QOAerUF%Zc#XV!@XZ6HT(LIQff?5kv
z-Hp-fqWtc2O%pf*mET^-@-GMEH0jmsJzI`nfFkf+QB8$?z8IegbGwl%*~-T7ZPTqP
z+a<Y{HXszkl<;yk1}LjvX^3fn)%%<mahm$eIhjpA1WOY7j)NvPlZOXvU8o<Tk_7Ju
zo9P@8x^cOBM~%tXsEOZ1O0K?y<JhIQ&}3^*SpmJ*XJ47RL4r+557{J(9y!{x3sZ;n
zUz4k9&o(xUX;QUdcebjFo6C9|LR4o;j<8pkC1mi`yt8&z5ccC_xFJr<4M8mR7ZFIk
zCd$&8?(IWm39ViKV+xJu!xa#!x8(fFF%HFG`0C`10QbZNU@6;wICvy9(DRa8_HYaV
z?N#Bb{PB-ZkOwG(+@F!hf2KD`8Hj(-8@Ru4g^G;wclhvR*b+bh?YoRS6QIqGm645^
zndMPyn+?!X&H1<lXl?(~&-+j4fRfeern7-~1kI<YQZ`$g?SP6#xyt~WwTi@y%(A^Y
z@w0B602V?|KB~jnA&Me}?&eVIHBWHIXhKXs^+=qMhNk&_0y&aNggjWKtmIcO`Ly#*
zs4LLW%fhZWX)Kk1M|ALSHD^zwiPzEexm(oPXewT(Y7J!i<{Yr;V^5-qzr6grZU2D|
zewFX5t`Vtie~BZ}kjGD8LWBch>%1>@W|CXE#q|%(9lHIpOZ~v^bF}{@)5VI_RY`Oi
zP`=+AX)i<=-Bu^7x$h=R`H_%N)FgyUq32^6ZTvZ=kK=yv=*LoZHVP=yB_0nm-|QU#
zJa`R&2QPl^9{aZ0GN)E3fz@!?wojMZvA@HF|I1(KA45#O>-zq-fmnVFPWiQgSOCqN
z|F;|H-=6n(NBLMDw4=O0D2gE;D{<z*h4U!Amj>?$4?Ge@41Mxtgv50AG-;(w1+ol=
zlfoF0lyP&wB&FR{Ei@k)re76`Uwlga`y;jwCkL3B>D)@);#j)QrzU1oy1f=PA8>FX
za$BMWi0klsf?5?n;&65(PEhVimwVBE;JmLfT1@g1>`BjFhH$(+f=q_y3~+vb$)bs@
z4%4aKL2||j7<|){(FAhI=PjZi2!DFKKxl~$t+4t@wQkwp(bY~yyxv7svqsr@CZR{L
zOe2iZ3=uyEhf+X}e#vVCord=A!`^AlO&jJ#n&hVgaJw0n)AZv#;P7$69>nb077RHF
zFU8KgZ5>N?akFZRt7jBPjgxuLhP33HlpJzVL>GFR<Ze61E{l}NZS6d2BksH+I?!bf
z{QcUFT-yYdQJBlMID|^RAo2-Dx<WEdmAt-?GoPsxav`=m9Tuv(Q$1IHg~8p<tZ}R~
zaqXXXv~|QC&M}nN6XS=Nejh%bJ31R!XxXp8Hl+hT0VC)<XN=6=k)NF;jUR!I;#Qu(
z;)U<mX$JK5UEoewOxXyVi0ruHb_>C&75II-GXW`<fTG>bOGSaDv_>c@2#_gaT-49o
zb8|fvo`YWGX}8N$VkG-W(#F#H;L%MDc+>?qv8!=Pt$VxX$+mB3vjUjF&6#c`p!jD<
z8^B2E|2WG3OLM=aV?S66@+7Al#$v5x_I~&zBGmZA-2d|O@8<p&M|tFH+aOWQWBKar
zLyNq2yi$f1bF+#!!*wM@SZ0&lg0)B)NKKA*lq7_>z^O))Nz1FZa6(^Jv_2-ustiXD
z2rJ)HHSAoO4ghzS8CXDMabhdZEJu=E!^-6=lX?>8;f_GzEQyC!mGLc;zY3R(ASf2s
z@Jc!f#ltMG9xs4NxS5+==YX;HKw-X>(qu;$Kxke(e+_qRGkK|Kt;c#k*G{&B;v`ob
z8&iPMWkb*LDc3PUn8s*DPKSxNRmKNPJf}-?Gl@U?%_R3%<mqtG`HMOORm_3_#nY9d
zXI8t*ut#W&pBp1Yxr&gcj~dB$F9$sj!5x!oKSn1xecV!WN^h}LG;TRG#}&rbcf%sU
zyuu}=yp~L*tc&B#31qJ%j4euI*tW8%A&xf%D?vU*z*8oXRK|PDpCJ*4yy^olfBvO4
zM}yBj1D}BU+w*2@)VfLvlluw~pk5pQoK|!NLPW;^{h@@1=G2X*n8BUv9=Oi(ZmbdJ
zx7Iq%zTPbA7-dKN<-<GgQ}<|8d?QBaP}C$2F}V4q^b98Eo!MIQg^dRhwR1t#pfgEm
zRzd<IzLj9m-1Mz7VRJnML-hw{ok&R_skpK4=d=j4eMNG<{Homy=+C{57M$+=su08K
z&xhL}8#DRova8~)Z_t2S93xFbOyx^YXSp;~vYIIcGZpvp?|oE&c6<=6AI=z!FH9G5
zPj!N6s(!6bA9$B`{_E%8Ycm)WpPc9lGQav~Vc-a)9SyDQ0pg~To<@d%L)#OOCIrkS
zwfz3k<51n7XFn()wV@>_CaFZIBrmT5Xwmz@0t1?8895o)S(uq0D^#B@|0f>#cipq~
zEqn?^(!&C^BZiwv12u1F;fN}3YQ0>6+#+B{eTqVc$P~X4@&?0w)>zv-qr%LX9WN(4
z*j1iCi}{Qy1sB89bv8Q@1s}&XUs?IUvDno_tMA_k(khjKgILqm*<lX4FprbYTV1gT
zgkQuW-u!0w8!TEYThJ^#;fEXT!D4j6GERd7dY8J*<n(L4dtX_5S^C3Jc&nR*V_rML
z{A`pOS%=1vFOJ-=;|u+RaLFYdC2JqJ6Ei!8`hfSg5W--RHmeI>t$)4-r-n}!aNubw
zb<s+nlFa~tnUGF1lNN)-FfGfn2?d%bdcC}2^2xk~(Zi6Zc|dSj#|o&Aha*bk{SUV!
z#31nRA;h2E%F|3O9eS}8X6@k6xxK<EvHq3rX6aGiZ|C`ApL?y-73jRCHlFKtE|pgd
zMU`wjv;4a^m7f~El0OtDrH+U#+j`67aO6Qa9GwXw@9~RA@;kn|=DyFfr&b19e&B4h
zf<)NG!@bCHj2V2%i~KTtqB)D|{qqgukPHv3!^>tk)|jraeR;(5A(WXszUJ&Z!bE*}
zGJ0g<Ksgsk#1CoXHF(=dVBZD|qH|;#%0^dW5QocQdUd_(6(&9z-b_84`;zraQDrxO
zZMQ!-o0O3KHfjWpC1`~wpvp~7I6qWB#QZJqMvabP9pBuydW!BG$nx5Ofk-Np!{q%=
zhP-|%&)ZX3Vw_ZFmTbE7Vp#r9x+|kWS*uu``eC05@z<OHRo{;Qy5lDV5;_^0#j#`;
z(SP>Mg#xMJ>`wq%|B1PY3;ioUh>EBT82WE%ZvU^&#Xlw${<`unbpS_KQ^&_SM1ZWk
zrSXpj_(#@G6d))39Z>@s*a6V!@y~ZA1fXjPND(r#a<X!2G5n9ez<+?)t~aU0c7*%a
zU)<Ipxr^p_^*OdmR14JPKTGWF`O&`Xs_ORGOEvUE^5_N8x&~uEXJMsw8}TEIR>}o>
zy*E{uW2?O;9T%VNe-4~5e`EoPKYZ|wRH>Fw7#HW;F4l-}?xTLsAK~*j(X5Q-v9vxJ
z$GeQr2fOfHx5b9Pjdb{n=JBTp+8l_%1cZV7AWy64dGoe-a>DC;XF^*K`M%b8Jq^rT
zT5KSz{s!K$Jb4lE1YotCD`rwSp(OynhPSgq7fQEsU5E$5BzKZ!qw2g?UVfX8eXu`q
z*9nTeE2?9F#H-_%3aV|ZA^{xseIQ}jcfb8}_qasfhnIUp0^Jmo7OwP`p*=OY?*j?{
zM}L1x|Jxhr`wRRX#Ex&9VpDRN1}4tN6&I2`Fs`eAe*ZCXN`jiq8%-H$*5jVKo;L3j
z&CL$ef@Ei7E20FimsX0(`%GO%XL-mwh35--qZaZwD8{y=sWMclrxFZ?Hv!)Gg-}xS
zeAKuEm@+Tku|||#*==!4&8#PYe108-`py<G^K3{Vi9L>aUO#j*OJzplC`I_Q*?krU
zhj2HrBJ7tnVnj4uZM044wuQ64Sy1-z&zx_cD>4LD*nVM<OVW-#av&-BAR1sI4Bz^k
zi=JmY6Mm4eR)~CP);{gPgdv7=INmhiIb$uc0y8_&8pr+>Bg2sBH>2xuT_z8qS4&ny
zYFGlYBk!88Yh5K1j>)fL^8?o*s*Mr+=a*4b{R_CwYB*of_8pClqiuhMmqobHRd?*>
z#uZn~Se?2JFpL<I^^alEuK$AOGCvI_k=5Qo5n8j2J5X48tXA(ODWkbg_^c=hgz|<X
z!SanHMD#F$2O0(nT%hM7L1ps6b+S7}UY|(ZwhtM2frew62kJDket9>C5sO7t2t(9W
zjA15|%{e67aE^@KUKrc{$wulk5r;1CmUPbcnicEIKvH7$85I9@$s-rU!^mCSG!=@P
z=R9}bFb{`b)-Dg>c-dIsB{x^p0YY0GP0hFO?s=C_2bScLlPUL4G1a#7lS*5=Vp6J>
zuX8>Xhzon$j{b3${bBBEP8ueO*KybtC{$oZ9&ZJng+7=3dvkw+pnr`Vq}NI1xr5M)
zNT74rnP6g!tT|GgYJoX5$%53I>Tt3!@yuyN*t*sYrY&L@eMfPY1g>CEEa{uIn#x9r
zDk5%`p-RXzopub$)HEyb)@dj3ZM{eVLMm|D*A~Av)CAvw0(@70Hr^nJaAq=7+X3Iq
zZv+t<9A4Ogm541E$juuNL&i4&Cjm0Eut?T#Z>A{nM<E2zAG~}p^*B-Tlrw#qgpdlJ
z#}?ztVR#3%WJQc`Eo~?^vWfG@H1@WD%xmMyBS>_R2ByRCXI6qTqhOPlUJ}`mi~|c^
zX@GtswICvRqs8NGlj$OH8gOi8ZYT4y{h&!50rQaV%_Yiow)Hl6{@ZPfs}>o46nxPw
zrS{wpDC8cELySCK7hFW>pxOP=W_j8<vY!J;A+}xffMECrhgs8>S2zX@ltU<l1aU>w
zw~ES2MAt}>TITpn1#fW*k`Z?sojtDcTkzE3#ou?)XT1_D+$GaOR5PwMGOz=>T_Z;(
z+WeLp&2rwj)fMa5I^BieNOuw|qBy2L497Ah@%+Oa>aiKAu+oGB5!-OqM_d=eGGj+$
z2t)+(kqImKmRe5i?QvJnah<Q5l9IHl>=sAZTq%4i7_U^e3&<5-dlAy}KYVx_E+wAw
zK<y>T*F`C2fGJeMOxe^<*@*gjGBk`+kh}lBV4vX3z<6nbRuwoL;E7uR9w_gpH-=Or
z%G>%B_FDD~weRR^C;zE8{$8~Do0u9Q1O8*V4=M)W&~|Y&eUwxCQ`yhYSp}e|NI&lQ
zHJIkdK$`EBtAMeuoB$@{UvtG7897-2<EOO#(P#Y~UVhI?H(hF@Y6<aT9o2%QT7G)y
zx%kzw0mtjtpxdoG02xN;d7X2utxHiVkX=T@FO<wOBfZ`*?7oOiOergP$?v0k=leO5
zPUo=i6!$H9#_aOENyf{C`jQlk>6X8_d`l_Rm!wNv<7768!q3x>nK0+6n)xQ!s9Fde
z<p_=+z916(QfN%F9naus9D^ot_aeU|F1Ne05Xu1F01PR~BNLrvqqy#dRFtz1-}E~E
z{N1tAd}<1Beh4-kEAx$XJ{ZI^Tt@%HcbL|lUSDQMu9*p^&ReaRX#>D+D|9}k=dSAD
ztrZKo=y`o|JLFVp>W9I^K}nUQ50$=GFdBE-jP?}%;bQ_a7y{k^6li}9E=B_ZgTMy^
z5(W}{THN>-IN}e-^j-w4Q_xo;a88aBWN$CXb7Q1G?{Nk-9sw9F12qF>HhDH_2=UKq
zN@GVGI;Y2-<Ln41AbTvOR2CN&qyt>|i+LSS{1;#|K4NiWY$ySrJUwN2w`tFE0(e+O
zbkIXg@4mJ7RvPhW2C-E^^PzHWoMBw28!un$0<%|_kmNl>h-1}~648@Wzi}BMkQgyL
z;}IZ>OR>Q@AQ6MZs8-6K%a4s6WuLU)B!}XX!y@1+)X>2g_23WxS~y8YoI!@DVR<L+
zTQwFL9{+(-Uf9yv)m(ZMGGYVdvUa6LxK^4LE$e!o4E{rbxHH6b=r|W8L(s?sr@s+S
zQLnmWi<PRP`7^0DK$p;zOA5OO1KJ#AhE2ESkhp3N!{v~UUuRbeuC*Mx|E{OIsb~%m
z_Io&ZRTCD8hPcM#8U@M|d18WDn^FRil?7sVMeSbn-y&eM>)wv{d!33k`^w218!x-4
zabwV*+VJ<vsizUJlma6$!}A|Dj4kY81W1E_|3wf=89Er+0SuXr=7*X99>e#c?qHy(
zXg|zY8K5KZi`fPYk@^n8832-*9DrIVwjX-(PnZ7_kNi7}ZsP1<_p}hDMyuKVin^=r
zLM$6iLW{mt9@X!Yr_N2~O3EB)v%?gYkS52I^z~lxLu!A#?}zKM!YT=BNL=!BnHC2W
zx4dAL+WQ#Kueo0pH9&`vJUkAp;|WZntW8RCQP*C4^C?MRAXjFueuvqqNw%j=FtK6k
zeHh<5t)T<kzGiCA(>tKK_RUVeG_dVnmsF05lKV4k2?mpU-U?rWSeubu+M-xdCHiKt
z-5HdCC~|hDib&AqG~39zg7`cQL)t<6dD6r;=#X9r&2stjDC88cQ&^>UMr7}vFGZ0u
zdnBVvMxOIciD$7hN-{fw%fi*EMjWe0hrJpv>qbW5%r5%_HT)Yf_n#wRb(T}-Q84K#
z(v4$*IvSZ7+U@MJ-?q=A)$ujYVW3Z(paB!oa0E)1wG9M&zNt&IE?BwC=PE6$q2PM|
z1vpTW+Bj$7jR``Ej{QPZbC?PdtrY5Mxq$GTd~AIP_8w4;U_hSyja7JPwJVe(m83w|
zWLNO(6r}tNd#w8AQBPCVIrd$iFh{0j{5O<*Wsw`XIJW05*c%lVjoLW}mg3~BZ$nc3
zPno4xtn<ja4xKe^JabIy@I|^5mJvC5i<yt}PbXT9f=Z)si-)yZ*}3gth-%KBZN_SJ
zbBRnQQp~iQZaWT)A+{1!Kbt9D%M*vrTpnb<y>CsPYQw~~%;5}}!9FkX>swnjhs`*H
z+fiAXsCr*XbWFI^B7zHuVF0`n=r7*MWKIi?P;ToBrCXl@d5#wO0`1A*)Bm>bam+t%
zbu3S;jva82J{AG6J{sYV<^RMZ|1MVPp74D8IqU;E<5<c#SHhiEgB?+a(PbeF`JuuE
z9iTq~<;aG_nDh8(38`nXUWsr@Nn0p2^EA6ni9mnI+_sQTA*UlbvhFJJyrOA7W4Uc`
z>5}6_{Jh{zTq2c`rUGnECF`bXm0{IR+zZRElt=Ob0bo2;`P!eli!{x>RB<IsJTp2s
zon#M(p*ugSqs###5PLvFa_4N_g^fnHi;<*rkS_;j;ADSre}=RhA_t>&zcfqp()VEC
zf^y~N#oNnJi}duP$TmdD*y$av>-#Z_7jxSHwdR*`_GSdjNAog!1LHeQ&JfqtK`{yA
z`cY0;NV*{F4*Bg!V@Tfi-5QcL6?SiCeG<=yW<lOJ(D-;nw+SC#Q&2=g3tvGkSoej~
zkW@x0LAJW54GvgT<t@O;co_7gj>jJ}U_(xp6Ls#490x%UEu-1_@%v7^3@)87MwbiD
zHW<7}|I$|-wcnGL;sUR_rN5pS4w6?cOi6*9w}HX{EbU^AZ<gUfpYKYKCs1SC@8bcr
zH*Qs@OI4L`)@mJm=B(CrzUiVwL6iSrCZ7N4+qX=W52n7rpBbX_+0t_qZ~?h?V2Pey
z=d+&DE&)k&LuZ=z5%#S6UYJ1IY&_`-@B?woNXKN7wo5J~>@SJFY$e@4lLkrRgLF*v
zE#Z}+`!aB}w5-8TOAq#jBNzDp$m>AF=fdbwShBw}#M|AyqqQggdYb*4`8;+kB>6i+
zL-?i-#e<<YXLCiy$<-rc!@PKbGz?bemoKV-WF{vi2+)2&miJ_DlwR$LW-@ajz1<z*
z2c;y7Y(U4mAYitW*x0&Kufp+I;(i6QYSIKWU~}j@M!f4D{a}*D!k)!ynv(~_i$a{F
zp*vvwswWpRRCd$SHB5Q<Sbk6FBz`S5kDcdLgVEg49sxT)yT0&{Vn*#za%X+8l?AK_
z{<`8p{D`z&NXG;mi6$F%7ENsQ8s=O=BFuj5JA~BvB;_^3z#jA_;->ipU+f+)p}H9@
z@cB3TQ%eoA;y$w+bETY9_|`U57!iiUm9~z+U0sAgMi%IdQ?Bnqni1Y*_FNy$T){sF
z`Pxl^u8G_@W9dW{=iU&fo(6TowN9T{p;2#5h-Qm+2-D&_tvVe#OMiove;dB+$9e8Z
z9sH4|^bkulPNv!ra$c6eZXy6x=gldKdEjUoe|T0#USm-bsAu;9;Ue=aeI~Z2GyclK
zkQNu%LNzv65t?yny*NtX8=Lcu?Pt$ov4gM>5=1spqDZy<&9UZ<<B?!Z>B4TH-^k5|
zQ24wvWSvGRq`+=gT6Vv(X|k!XYkZ}*oyy97%xgkjoXrwHYD_;BuvBhLo{ujVIZx@X
zd3F7kFrtu5!0x5vuzOWsG!MShW(UEC(UE+rv^fzIrtD@v9a2<@TE93zoI(sp+!z0d
zRnX9%^>$557PeW!g@x`PIb1K)^S$~L_xO*yT-GNpmxGy!mF+v*_`~J?SpM@am-RpC
zgTpE~N18CDrdCfFKs69Wi8<4_w^NJI+Un!=mrE-V2J$wb*($#>$kew9o`XP3T<)cK
z$k6}#?zlSKc3+-ex?d_G*2Lu-@LtFCu4jU~8m6$mb->_7%WMr?9c4U}W%MJz_}_pI
zyMle?cT<^)66dYqXRiq31*s?h#039pAef<h?W-r3hYZ=O*$KH=!o;CWB_;xa;W?tX
zz5HNC3oW-Se+E7te8Flkf9_Z<<^#eYk|KuvG8o^`^0hRiv{`NDyQXY>!5Ls@E;~`K
z*Zx>uOew0yCA-FU@wO#6&<2chfP=XKuvM~uhO}@;Q94lQ`DH?WN4w;hnqyBr%lDA>
zX=gj2ME~zYS`3C~Kd>;upMu`UqP$-LEi<4a0I)e8g|YwvEek-CPU|0h(%*sKlDvTR
z#NqP`w5U$`flsUMi5lsGEAXiTBp95r%x2qdD}nEgbY73&k!TxMFC!xh;^NsIH8fu>
z76vpGNc3dkwYEhS3-UE2>{DWYikbk$13k2bH^)`~0#P>5cm56Gy&0(lSQ4ymZWDSJ
zl>E5Z6`IaTpB`|k?S1G_NKuD9qmYdfpT*!Q7RyreD@-+ivX5i)?e<HH*`2ZI*(S)+
zA}#nAn>WUbW~HuqFLL+T5-dF3@+vnG=mR`gYaK%lbF9OU5a%W}`I{VDL`c%toT@M1
ztJ4dSWfVI%0V$nG4=a0%!?Fb<m=!}MqqC@Ym|gm>?K`OS#xK)RJkxyD)clWyvqDUD
z=r>^Z-*lxtyY4S#1n{(k-~TtmS(X1zILojvFSVk<rR1nxTaastS<tM=?Y5n<Gnu8c
zENbcnKcKzppiq?nj#e(&8z~5h;*{VENBsQ01<B6<Nz3s(1)+4W(Qm=iUUw4r>>(7~
zQm7dGMPGd>*%n<*gw?}~`G(4+)E4jOD%4*!a+=jC%QK5}vB(fp>7XhO?=44Dv7sZ^
z3bUyD*;u?ts@-K0G4deD@as&J*z^s|XVSaDonbf4i6@}$LbuDq{Z<&x*nRJNm}Y4+
zMHm=t4j>mNSnehs1TLh{%)}s63Qm|{jL8_R)5hn+#hX?dr;NsOvd_%H-6@T+?ZG}@
z^~mJDsbsH-T&Ix6%cSXSuxQx_Iba0XEeF8GxBakPXrRx!Y1Qrlbi04@>xNHqN`L_N
zXXzCTDz37qu)Hkc4-!h*1E2?K3uqjbr=yWk5usxQa1TGsmgv!JEuB38@vW_`i`}o3
z(ywAIVZk2?)NBA_W@BIl^qqY-Wo8b*3^zc0`?zHI|HCW%hrCi=zP$k`Xjd!a*(63f
zb&yNx`aQ3@-528z8(^>Fq5{&_w#DrRVo>@}mkTp4O`QpBkgB%6ZXenPGo^}D>fH~y
zB28<z=JZ^D7W%60Iv>-?S}YyPgCcIL^B^gYEu~QTTV5#yck>%<zEn8WHwxsNwp_C-
z15Nthh~~eT#QHR^WC0MB0%3TjE5v(OcW}vF$+new@llLIl6g!+n97)PNVc*DKr+K~
z<m*aM-49kd>E?z)^}+!vv)W5&5p4G{bLNz{N#|6dmKBDUL=4eimPl4q1?)M!a<7r8
zGQvT*L6;?!Hg3gdp8@!NK;bsX&%$kh-qsVk=&@rg`pLclc>13Mx1mrW1syFt?d=SI
z>E=SB!YCWtJ3Bj>7}}UV-CoXyj%JpoHYS8Brp6X__BQtBmZnZLgpzi~e<-S;QUW@N
zf8O?6Yr#{MHCjUPN8053U|)df=&#)6cS&C6f8{O%{-1l}zdLwZ_d7uEE~4*1D($ti
zBxW)^R&(k>4b?Ea#OuBc@Uqgq7QTFInYI{)eUD0*UL)zoM5%V)xEHZNbmKTrZkT*<
zp%t`eht>F+W<E%J%K6q>zx#DQlG1B2)w2c{+zr34D&^8ws*dU)SXUS?G<WeSAf3B2
zB-(6h&hjcwP1rr++V{lt{8nt0WsKer6Tlibb7kD#c>tvtI**dQ6fi!ma<syNPaXJ#
z;4;L18~(aO^VrBwzgpjv;i|A+)>RANRga~8D@iRitoq0=Z@6`yiP1ZDbXgzy%KDw8
z&Uk9Vc+Q%!HneN4n$e21GhWgsvQJQ8nqw&l2pfxcU3&yE$Nxw1k2f3>LE#L8-$x&d
zT%)45BPEd9<iBm+N7e;d^M+I&)IK4V`whX%V9rmj;0byw6!Er3y3n23MV~5MIF4DY
zGQMVog^($3(2V!c+9eW7#R2a%gqeFWuA0+DB!ZIB31>(#ULe%MHP^4Q`w=w(<sx_~
z-C8$uf1LDClpBsYGl#_L;}P?O2lnaK*tFdUX25tu@)2nn>~i_U@6$V&2O&K6{e*QB
zO%y^mj!7myjsTY=ryGmt%E1wW?!B9I-%;PnV@TS%yAK0-AI6fwrCN3{DL`UcRotPU
zznBDc^Ua`F6dUr6!2l86^?D6Ln~1`43j|#Hcr%@+3}{68P#wf*I+<LvIqQ+WJvRfV
z^W%J0Om(Xe9u;f}7^wkz2r%$3KMse#Fz}TBNdxC*;QVoZF#TcRzr;6wQlbB9BKq%J
z`v1GH{&yxn1;_P~>RN8~ybUW^KPptYl7N43G>Z_`mXfOv(TC^K+Lgn2hRvWTO-~2N
zzlvVd@8Z=psc^`qC63aYn3Wf6)3oq%_7{DUGj*rfYUR{*&S<-%w`6PBO?XLkR@@p1
zuf^3KNVDS|lmlmjoYA_>Gr=slmZAi-@TBBMg=4ul)jk6`3@ROX`IK{QwlH3cUUV9a
zqH2Or`wy{*FEuX4nA(Dj(!>@NY%T_4N_v~g<#O2;*B-FYHNk^6FfWPkR$51r&ZLb5
zjEjmfB{{rW1VNA#4z9CtYBt$16fEukq_XsizL%(qY$!`p#Uksjjf(!GDz1xw0Y)&0
zDrdMK`2Uf~r|SbPy#xNjK+O@F(_kx=eu5ku_*W(`%~lZPX1TzPm1Ry0WshLke;+ij
zKg|{}JdGnrn`N-ji)}G8ZWpo=N<50XC_K8#QVo_tKsoi{O0RFKqxB%pp2_(n_9cDm
zOCirPs(L~n*%nV#l+I^6t(R7bbT-aeqqsFE-N3oQV~%`fP9?BuE^xM@^-&3>N$j=R
zW6{sV5!SW>7ozVE1%cg$$cv4FnNQfE4quGAK`i!R;e`r}`iS8@;P<WowDjhBZX#9X
zia|ETk;VAV?pwVm$(oA|jo2ybXsIrcLQMJ{3Mb0yDIGj^cxH`Bv+gbG8TK4*UBc>Z
z4a}?X`x>{Wi|j$d&EaLq)L+aJ-gQVRL{?HX0f<(>4`|LWJlHIND}1geU-9(+>i1zf
z04<GQ(mJSc%5IiUPLJ6NLGeea<Hsxp`X3*Em&E~8@d4Doe;&wefB^#l=^JJS=I^qn
z%uknp8m9Aq@tD73QQv<(@C_$HKmqjd(V~lR$HnOkH0TD!387N8n5w@N;8Q0VRtP7h
zs<*#8%o%GZ03ne=O^PN)-Js9_$`$X0C=4Q|Zf;GY_EQ}S?@%W|Ffv74;8hEAnl1OW
zZ3@8k6^bBaoe`D|x(S+7qB%t%cZ0S5fK2b`o<%p!w}Hv7Mdf%sYZMcgI6#oTUCl#1
zcnXaAL2I<57RI1;p*Gb-xgk5L+J2SHEjD7=2ni&M1u<_bj#+WBEwU-d(}2fnE{l3^
zaS@o`PIg@(WU%J_zKB5gfL6rp1hse3L0iE(%sYhqC2*yB)m|c9CadIRW7N6+IS)3k
zU@oa{rPtRan;CA!FCSEK^Iup}kAsk$RFi$Oo&{4~?||vGWnhn?`kINxtcQ-F+O1tX
z$nrYwID;(uE##-3DtCoBI5=2u*a*QdjoS+mp_jR`RZK(E7_-CmBW4+&?)4s8lldrJ
zHhl|?G~Sc4<O}xlw!kY4fPx}IX%Qqkxf^|W?}%oJkiQO!;2uRrA#?-@Yea}-&M9_N
z3_1kH;c0eA7+4!2r4|(nbQh)baxpZ!Yt_QeC-RVI!SqbGRPm6+zx<tAvi)_L&#WPT
ziW^UUY#nX{*{o>}v~9<#%39-qjEsM@o0q{G{H3}R34DYmIThQK<&_-l95;p0kH&F(
z;#e8G8`dKoKf~8jhJfO~$J&47UbRWRlJZOyeH%DW+uhCdwzxKr4*sOp{FgU~0Zui*
zWFCG7UIuOmXoFy9U`=2UU|<G12AU`HZwP;8Y#mJ<?42x~?HxVnoW7fu6Ce@zn6~}R
zA|DA`@}{)}@8k0JMU0L0>8W#-iomnxVLfm!`79T+_dHu_zITr99H2AQMmRu?SK9`|
zLnDe|y$XzWD^k9g^p=`+ye0wEYk@%<M6aTJmJdKu4IA*!8mL22(1SV|<2jNT3mUnV
z`MXHs)wC_+_PRToIe^yoFp3-Id%b}JvzWx2l!#dHm^`7?3cX3$ig~4H+h5wlG^6yr
zk|syK#;5I#=g*weC$m<Xp$j`k>k)~3R$Tv~b+G{Zpq%zr!VTkF^WJ;Rb1KCn&Y<K(
z8#|mX>W|I_9;6j8<V#C>6P%->K0?w<)in6sJ-P#`T-oWCZ=z=pt15W1UfG~fn>svG
zV#FpHwPz$&Ac&BUChl?;G{#jeLR;WlR#X^0#$ixHh^u%RJRLYlWYR+0Ksu$8(*Utk
z7MDko-4RkNg=!@}N(ZZ!s4_V6X3nanplVJKDumqa(kffX29{&wi;DtNT;~!s1Chko
zlpqJGZr-+TR!@S<nCLx2vT$@v2~2N@lYx{a?P9+B7l>J_OldwhE<#iy;IR)DnZ^dz
ztg^7SO>cSI<Cp!2t5wS!N#(?@C(sWoOgexww+FJVQV>R`4NmAK8@>vyaIm7E_1Vc^
z2B>W{<+c&OFTb}3T?XN1aJ|8?6&wYw+-~SMJDVdr<;rtDktEUXuNYJBxZ(3$N$v-D
z?|6Xs_WI$y(S&c{^yP5;F+~o?Yvfr8M9%#8|CA>CJvsfKJ?xWM{$Kw6d+W;go~vJa
z7vI}u0ABqumIqXae(#cD1aw|KY7GMtWdB<JiL?EO9{G0;evryy6}C&gh1IylA)os+
zf=5n0$*xO|E$;$k0RLTi!(!2UJlEMK*0ERz$fatClduyyRYk968j?Z3I5Pj-nuLp&
zZ}YZpT<|ncA*~EeR(m26-{&?**{hAd7}5(cgtt8@0inxFUVm{HRuN06o$jn;TmFn(
z)BOZ`z!br6@N9Q;zF5ZXf*Ktxu{`}nK0np0pwK2y5YpKSZ-n(Kb*#9me1lq>=pvD#
ztQ^IRK9(RvG=eO|vV#CIu+`T=)HJ73Su}|_+HbanSFfx+TvpnUD&K_)XsUb}{Wz8;
zQq5s$5)m*??E8+BhZ`|V%IoETwfz7QALCfX7!__@SoAbjy7*T<xW>-mHbJ<nJaO>3
z4h#kkF3b7hE=%J3H;5o3NLC{QSB;dpY_CJgVcX@68zD3$^$<ENt6@&veCaYGs>xF(
zQX@$V2|}t1R2(?&d~~<u1L4Nw*HONz%<`R-aV_%kh#pZOLNu<-C3~fcW-fe7)C8k<
z;h!vjof=Y#R#Oyo)2GXgqY>YMk)YZKyY|u}DC-m`h~;3OaVq-cMm|Xf;+^~LqDc<%
zFack8L<_qLLbH~m>S3RDt>cyZ5<8)cdaP5NQz@pK@Jm9=z3oy;v2|FvD|V;XNnyCQ
zt%q&Xb!P+Z_u@z8uo{HjeRyo;$&m_yWF(ZA8Qh3JG2>s3-1t2?|Fmh&KFTOOUbtdK
z;G(eW{ur?V@fk<{lP;RSy!>Yp<k2mc(ohQe+~}NRCt`k}DGn<pQE@qM5GWZeB2lEq
z<ToxZPf?==7beQB|00&zPKCl7m6Rl~1jih1%^u5@*vv_3+YVwAmH-P0B8$m)d+T-X
z%A0nf#{i+hjQ`GkYC{E#tLi0m<On*mrYOa6er_^?F!4Psp?}Q78rf)rN$fg!G-|dh
z{1<jOq|l@@zP7~H<1U}0+%6AsSe>|M#`{VxVVeM@XGK+5Dw*>W6ZvAD2Xm$<Ra&N(
zxc>B3u~&mFzL+^=MRd8!6tDKx*G)a;fTXnLl>3d?T05h(cZclA128qiMU1ni;7rdb
zP5okN*8P09UXMl-4%$KrAuEzGh0$?|qc%jgio-)6q37)<h0tM5w?%MmiP9lAm1}J_
zeyALZUe11Ks2&gY@-WNgtmQVF7HAu-HxHNS$0Aj|YmFS$o0Tg#u^hSglW`mC5Mxcz
zAx;Ak6;9AvXb~?X`qrdJA4^FY;`Myd&ZK@2KAK%S7s_h)Yyl)%0TiUNf!!iWVYfm5
z6Gd1)5nNc%ktW>~`?%q{kdp>gz@_Wl>Z&Zf{zZKoculz+{31FpXh1cYo^*pW(C9-1
zMw5*JE%_^Uk_}G-`r64ruy^vpE;${6Rpcqul?eV#?ZJ9NjZ2jVv6H))z7Fo?u7PbY
zw8moA20GA5&83d&yqZ?hzY}Eug$$6ApK&zs)1&*5D0@0uNksG)a|#1Tq(b|PRu#2#
zHg$Axv;>Uk`&SSwZfhj*3uD8=q5pC74@OoPP`+>K_=`^ig~L^$RWY?O1+cL{ivoXm
z?nkl8AKVxRfEWWfZ59T`?@C3?%-@&4>iPrzUwFyCi;dsu&*JEBImNEe>YU|lh_9bo
zs2YIdf#g-EX`bSTy=N)AgYTS?z&fyu?kBu^{tgmrze1<fv{!#0#M{f87Uy$Qqkkvn
zOZ1={vkIsl72<%e!;O;s7xH%O5)>SW-EEr|4)>hNvJ<^2u?p`#ic}N(aEfm$8GS~H
z*Q;kt5(2+<EyT|~2lOd=cH0!cklz_}Z!vh^yLdJ;*yhWeZ<i2w#B%ezWGBion?G-n
zLHjU7)+$k3SfmK)8SXl;dUwk41_VXyJHqaIWimzKDp=%1jg@vp*O~T6?|@TBhfMo#
z*ike3tUXosEZ%Jr@~c{$U#2tMGqXbYK=rV~MRKNoirD=(+i*T;60!k#WM>muM@*d<
zPBhRAzLffHi$2m}jG#G&umsLqj%+=)*Rq*6L`5qBYNNx=Svw`MSRC))c|Vgqt;>zf
zKa08$DK6Z4o>;~QWP~1i1k!Y8NW8(E#^7nqX5>`{MjWJJx;jT4wn?hYZltW=G7D@(
znNvXiVuOpwx5FMU(ScA3l4WV<;hFz>(-+TaZ5MBFPfBrLfg(m!w_yS98bxtWI^;ER
z<i!lLvG6GsvztKG9q&%c*Erku)g!CmLH+c6?!iWO{rVm5#?Bh;5}0tQoV$5L*tH&7
zk<Zen(cmvUA=P_{0>No{(n!g8F{_J(z5Dt~{y*y80;;ZM+ZM&$-7UB~1b2dKaDoSS
zcXxLu1Oma`2@u@f-6cSR1-HLqCu}))zyJO{@7+&pD=o!bi#c0cRlUaOqgNk>(FnP1
z8Mv8@iwk4e^hG=;w=6zRTf?Q;a^MtEsBf)0{(rEHf7sLhT*l1LzZcB^$1P(PK*8y+
z=C;7!%x!@I=C*+Th%Jus$ND7Jq-ASvP9>f#^Q6-a^>@R^LTd*uAu6xZ)0FXL;KD8@
zM{T|;*3QL)ZHfii3QE!(Q`5c#oq5r@_MG$csTL2v$cK1dy<*v6_|{`03N-`~Z!nzT
zyxAl)_LwmV_qUF>IOg`1S0jbcw5LkbooFHrL3tP9G|v}uS(N8*>~Jng(D6cI&Anf5
zcbfTBke;muiH6)`dpiab5?12E*pq5D8m-YP_vuc)#^hfgQf9G_1>wr~c6WN7Lzq;@
zSytN@?|`4xShKC0$)Ga6cJNA58pQ_ALWHOodG0Ir#YBc8$L>vC2NSpC6k2L&FV4BP
z&JARP2Rz}7KSA~X7R6Nydg;Wi=Vyjegr#%<N}SO4Ff#CW%UFf?C}Fx~!M;kZwJfGI
zg(CR@xUxbKs6l26m)HT<>*JSKrqpERS~K_y6R!Pd$y94W!7E_uh$re(hJjM4<z!$4
z{bGg5D}GhDHg7U6%59mJ-NEx{CmRREF9uF8c1s&y@PELlZ@2uq4_$tER=W$Hl}`|+
zq%afjJLC|5(YTOL2JYah;U&Q5Cq<6TXtmBS*eediHhn&Msm$lgyC7kfR(*uTyK`VY
z-bW%nI5Y~(6gQ8xNzw{UfWxOzwPg;c?B*#f+Yp-PKAXdv6f|^7&Prz%mzjn$#<-y^
z3swPWqUPn?&YS2rE|$j4<I-ULb`0Jy$Ay4OHoo(nGMXkJNdg#Pfja)!jgbU^StB}t
ze*6IQoc_VO^_z}R{t3setjdG}kV$_t+(d;|7L-sGl%)eyFMk%cU{N7|=0Z%r8>}d+
z0=O<=bs<r}`BiIc2LSW+UDE<+|NJdSVq<0gE+gdlHe_P^af0r@|BnBZ9`#%e5X?gp
zdEr~gjzn*YvxsE$_L~-QX}Wx|nTWdrt5#IRH@2gEyBe;Y2=lN%{P~h<<k;G~WSIA;
z8c)>hk}~E*PqiDaD_357WvX@%d%&mBafE7QB9P<|#9&B-k!WE*R#RmMA8$JIbua&F
z(14Uu*L-9Z{{Gbxg;K8gy55jyZN=3W``GRgd+U)eNQ5{Lqn{{ryXCOA4n|1GMQ3$W
zmq+9{*1UHON-G-F8^$0^*mNh^%WQ?gPE3tlJkAKu1}NWX5GB5@8Ls~l?eb0(>k~Oc
zWI7dP<-2+=%f=}@PCHSx%2x-+l<D<;1NWmdEQoJzld~%EGP3q{UM&_aD}Q1nrnHQ5
zJ#&nUAb(iuzUZu26;T(?tplaJfMP6yXIVeWD1;>0RM!-UUI?i-g(|3jMlS-b&Y{`6
ziFrzLVD((Fdqw$uO1~6Q;*waXP7TU+AXU^s9|bzmN2#eH4>$`}IP!FIrhK0F7xQCM
zIfjqise*RxYc|Ozq|E@DgQT*=oP?Ql(uMlt$F~e8is1eHM^3LdMCagnOB4HgL&^IP
z%ie?1-?r=A5UtykRu~a+u;^Aym(RlCb;Q`rN@9KR0<NeyKqnA^7=9<W2RGhHgtV?~
zlvSrNhT~)|q@m`-x?j(MT}JPCowVJqewm<3MHa~=T`ZF(IHp4m`U7virAL3xhW;W*
zdYT?(2I`@CwCh_Zn{3H(2&|W`!K-jQNss>a@{{!F*O4g0XtyqXgxZjyhTb5Aw~`pc
zHn8>Y17WM3>JZ;QLWRSUjTTJ#J5o0!h1A`y($UqJDiO1(&V<U?x0y!U<mwHjEfS=y
z5nWj{r;}uA2Qa14hAo@DouxD#cyM~@CT4svBpiZ~13J@)d4+9Z`3%JSL}v_!>KXTV
z5zOa8OmbxynT|Y}tM2;--%%P`mt14%LddkU)mOJ3=b^(6$$Cg;kTkv;6H)cMMB_wO
zqy+&KZ&gc*UaB!H%@5p|fMtCaA-#4G;C{wZ?5}}EE>vf!T#KR0Xi=Gc)gYLyEg>;s
z1kSbpkg4|}XufS_vWctG+bfPWsvpQ|DWzrU&<DH}gm=~GGc4%kB}M=kQ&W7x+$qXc
z*k+qh`TMD1WK4`cA$+s~p^FKDplrEk14*JPx)8(lFM;!c6O10Lz@eLJ-W6>eskOFH
zsLUPN+iHrioTl0BSG?l0Dpb@ww6UxWj^=p96Ol2pbvy!REI2fB;ZrO-B&~AZuBRSf
z!<WC%z=86Hnt3z4f%veK#t80+WF>@(TYC29p?+PwHG_}O|5ic!+~ks;IB==$L}SBa
zwtLIJ-Rz*rM`J~c&c^AgZ#y`6AUpHzHVFy^q6ja(#r{-BID@rovA2AF7xw$NZuLpm
z?S%RoIl_<vugH5!K9|{GbQcZSg~?Qm0*8b0Tg?Ih8DL=sO7#PfLEu{dv}^r=F#2DH
zU_3^gALT>T?-2a7Kljh(+yMLqG`M1C{?^wQknMa+bpXw|e_-%aDdT_BE&mCGE5H}~
z4kEg&!ibNeWHM}F2o-HUTl!@rch5@8ib@O$2-TvnT3~lLykpV{1W7&=W`R+f$cTul
zZ*X0tnKnC(dfoMf1{gAKs(K7$RsP~-`D=v1HE~@A8bBDR$VKUY<&M#V)u2BkP8K_I
zjEy2wYH&Wu@2Ep{{FV`qIy)sFz2(b2Hv92LtZ?+rzzh<Fg!IvJ`$?cp`oMmHhVY$b
zkhT3M4$;D6_THfoM}lSxh{tquKFmYCB3q9h{G3aPPw2HgGjH|IkuSlm@$Zpa#~2|y
zs4Adk$(J^B3S!L&J7Pscw6;?kZ1d2u`#l_yhin|==+g0HMebE7vmcs+%=&J$VAYm-
zq@4PSN#^Yl^S)|;g!0Q}k@$VdaZsY>RiZG(w}@h<H3T9z&|{a)6|3j>tfnimjLAvN
z85v#h+l6GsPWse9TtwxS&)FJ9B}x3+m9V<A7TS1aW(rd5jCx^*ghO}Gw+=BI@l#)-
zciYQYaJNxj^pDmn&<Vi)v#hv70(r*`>BiG3vE1(iToTFOX+T}kIMe`v@vJtWMeVH?
zMp_uhvEYBKpE!)`YlUv3r2@AGG0!^s&_?}1^P_yUpp9*Cl}tTYVL&c(dD$0p%<!tp
z2aENXh>(Kh7bAT#gJ%$<I%Y6Jl>`LN3{lxTaR?B1;3N~|>r4us%u9$rKp1d3=$}FO
z35WvtgYO)Z4y&)zQ4;?2cI`ZfK>$X3S+<SB`%7tYwm#TdO5RZ0`63p<eKcGPVxW%}
zLfBq!Of`vwR&yp6x;&DlA}jVv`o83uf~CU5<rh=X<H-271x(oxl!`yxOJ=gHoi=uf
zLJ`9(n3~$#!MCzLB!riC60ptY_#bU^_T~i=7LT$X@>4#*ou~%M_P@Nuo0`k>gmAN-
zUPW5<l_fT+tXs!)O%#O~(HR2ljRqznk?~&*ZL)bYDZx9R+cfCA6Wwnueu8@2ki`q#
zD|btK74IatqPVuMI*|$b!8z+8i|W;7yMiv^$^vW^onyW5i}>9O*PZ}vA9dY?JC~Gb
zo_K}N0x^)Qh6bdAvbNxFXA^Kjm`_L?NXqi^=TJ<gb#p<!&>T(~#KFF5WpFajtt0;s
z4LS#NDs3p%@?3vA>44P$nQ|!cr1a=$$w%$QC#i;gqmoZ|KDD)dqSqzuZ{{2K^+Te%
zPNe)%N_WBoX0kdC{ITAcHRF=%ve*nAUNWC)&AWOYWxadof7VI*1wF2kH&%{3sO7ai
zDeC^aGK2O~&j3&!B$psu*Uhf8Q?Nv$vS)r>)m%XOZ9D9w>#9w?1Tl`&I{b-xH0|8O
z+tns|V`Aim#EPbL2lTxM&LjC;wV*6=PUE{;%D~!#E?@iM+D1{LFzKF|B<vPH6jsqd
zjDZaU0Ms48F&X?F$MmgW`}A1<6F`Ien=lscUtugYBjtAtg(Losp+5rHe~B)>wQ&%1
zbTF~D18DocMYVwAXq?QPj2z4WSC+pZ>VNzJ{wb-f@Um-o2b!?+eg&E{RuWkt_`Qd^
zA)0$FGSc!x+w{j~m5o5MuWWXRS4v}o>mtA%HF%v&LKxzKEF?}<FxH6MWb$%>L9J~m
z^hm}8t;pa(;4xk5V;(L@6+T+^>%BCNgC1|nYR5C5aTvT`63U^A1H+YXcW>as?N<Q{
zXHZNpEmZl`{#aV57R*@ZdzmbHhpoy@W4$H*HC6Nh|Kut;Hw2#pPb+%Oi7ZY2DqHzc
zB*y941anVkF+|(lZQEI?XPiEWCe<WcZhV@sp{{n-4f7*6Sh<XV*>&&c(X)H=!EMBF
zPWUe{cMpguZy1@DEfkHe!+l#x*74Lpn__W8A%7>8{}|-`E^(T1YLZ8;glnA2xheZ&
zV{JmQ<u^Uuo_`$+<(YQoU04lm3WkGHHY1XcYpoFEZ6r7Jhhf+g_?S#d;m0W1AOC2!
zn-An2DwH;Zysb3CFm$>A-u18{-^CT=Ikez~1kD}CMy*u!a6kh-Z=t<2b~I`BIt!gL
z&~48TsD$7>w5f{Fq=^Dnt8!YKh+vaMD^ZiF)|Uq7;SmeMQvW0@PlQ^u=K&{_pXhS4
z+zH(5H2kYwt&eK%#$fW)<iu8QEnU@514tCh5QlC(xOdG4#PvGet|sHa2pfn3*4dRY
zdIeUv!|az<d!VIP4;LP%l!V^)pX%e2`12%pUt{Z2lo*lBPV)3@M^z~eNsN48d~io#
ziMjneffh>$Sq@lwLIC=r|7TLk&Xp9=uT`ZsJO-@Yy{!uL2RW_5lZ+C;_EIpCea|T2
z2t<q=9qbKEi~w>+3nOzt$A*6iXTLMOzlv}GTKLb`|KNQHD8w=TJU9U`J_L9qaWa4N
zNCF(301SW8x&KEV;@?PWN7^1#3)-fOE|JoPKa3;iv=|Ew#T=kx#mwgn!%>qR@X3wT
zPDCS~u`LLPgZQ*sE0E$Nn$rxt>9Ce(-sT{xBYF&hN3@h^UW9lT921xD6?$ycyUz!<
zJ-ND>jiSE;_fL}AO}inh#8mOhooYSl@xkKFrs0)0|7=tAR8srHs>M+;y#5`MT$v<N
zcvXO=(E1KFJIF$|6*fOv+k!fC)YfgxQoP|vX^o(`?#Af*K>`p)4#9}mtAge;{y>8F
z3>ug6HOAw#1-7%o0~r*gvHmaMM~5$!eajEMw~QAXV!kYs0V3gQ0FbBuoJGVL%5-}d
zhqlf)vU{C2s>x3m-ZyIEKlB~`%aaf=k-ig(fPYz-IRQ;T*jc|xbXYk7LyrIOMEc`H
z{8Q}wneDBw&)J})sb<Hmf`1wL{kqkeFN&wFz+<qZ5Eb!fUq#wgly>ZZ(Ds&Y%IRq-
z3y~S=MaU${mu>^>eqihcd3O{S5+~DkS+Up8W^CM>&(qrv<43Xgjl4o^vhD9K9=|D2
z?af$I`1~455|zFJXH!7h<pL>XZ&elhbE>kCCA?{UfuFLT+mxj>3}&m~>F82?re4&w
zrrR3ruh`&-Bgppo!x@*sr$RK**&W4ktBI8lo9D3HJ8NAn!iK2%BVSWEEW#2ClKaFF
zk6$5$@8aV<RB~s7vzUMj`n7}70Qc=i%M|a`UJRRy)b1{aAMTUY0FkK5R8&?mwPTDt
z-lGN7i{Dh8*sLsuTd=FW^QcB1?{xOosUus1@1Cf>ZfI~`<gm3B-_*sDBdv4faB0ld
zFK_9$i((jRE?e9}SHy;7xizb&lZv7Avwy$}XNz2X4`$Z7-!8+>jlmwvd{ie88Y{eZ
zno|r$zjG>$fWb;s65LMb)&E)?6Ak&@+2vc((Be6qzPDPHxt9@^eZc*4{fAw5B?>I#
zeg5P9Z}6wYS*iF2D-dq{VJX$Nsh0RX3f}bB!8GUZiD4inZM$!oxxKJ-N&(MXvLp~9
z5L&=lQ@pJ8|A^!6!bZz^PIxboOFyA*(B@MS5pO@pmY<qPqGtrEd&>|nb(5Ci!~O3G
zjNe;X-TP!eUWdT+OP)9JX^F0miV>FLe}#dk{KnsY;z{iNi@+!t(#vmk%tDucXMS5?
zBkIxQRjF~O`RoS9`6|WM56*J!l~_^ySAy)$_4q}p(yDyz;)*H#!B@?%&*{D-3-IV4
zyqZCqiP%UA7c`A$+i6TS*ROet`I<G~+@PmX_LSt48oY|&_zj%oG0QM_vn4TCS(IIE
zr{wJ?&+W?epf4M1o;8=u_ap%)f&Cn=pKAHrw6+|oqLKB1ma$&Hop*nxa}qUeyr;aN
z$z{%NeeGMxBF^G0aIILhJmo(c=#rWi-)L_vB!*19{{T~ni(_P39bJY|cOj)xMR%Ro
zcgU@u``LU<c3J@X9bw8WS6-Yt(N=}$u%^99i)B|1DuOX~L!^+G1zeg{HYwe-DDF}h
z2--uSrcv^MY>YgVn-JUee#h&nE8sGMn%2&OqX(z7oP0vDi-6B}iz8hiBhD{qBdQKN
zfpQONUt+a;VSia?I4$*0&nm`V?FnOuaNe#5KjdydYz?Xo`tb2`X?I_<tZJy1El6r?
zgTHR>3IXVg_U2`z+T&<A$0q|Ft4nBG_6`(n)ziM3;j=FwtH?`cjj93o>M{`{eF)Dw
z>dDiP&}<*#tHK(5juDWuCJW@@IQ$s)*TOQ_X`esV*4P7WUB1Y-FKMe<aRv*n$sJB-
zBjvb>iAVJn>PaDY<ajNJRMLE&u-U;xQ@Z<1Wr&R|u38=d+YSKO*7^b4h``1=6f+NQ
zn_DHV(3;>`Pf`0@wO8cH_Ae&Egu{sSWBW%2?CPd^L}I2^7J62OL~^cXOux)r;E;Y?
z`^g{^IsNcJ1PE*Z2i^db1>3iBEh~V%_}B2i=`R0-yH#WSkRLYO$IMf&Hk?g&M>5}m
ze(<w=``~LtC{0lk1=NJ$e!yr3^s(B(#H*^jcUr&NjbDBsf?b5vV1oS<T;PSU)3o$k
zT|46qN|wAqrUovOXRHmLEh;1enfqVeK}${Us(j^A#vJw|w>^gqI&&{p;yTo@*OHpM
zy9#;p9FiW&uS1Jk5;2wMTtrUboYCXfQiR^Wn<*lS8*b08PO9Px5Q_AiPTZPV{G{Kd
zR_)pyG0Dc_|HkpHB8493i8^nT{921E&#pz%!>f4^qnaqKF=W<N?KZ{tzCfMcsiLXq
z)0llQN{0q#sh&foC_x>V$G}-_0UyQ{2XW(GkGxabe%scy2tBhCszTGZ>9Ml;7`n}7
zMY(4I`%Iyb4E*55)pF&)jRlm#Q9YK0$N>4eeNQNa?{-*8#RgSRBWbm{2=doF;SOox
zZ5#H8Iu=#8M0&sMuUbgedj1z6;6d~rbQVjXVpeSN({70jD@1deUI{T^W=-n6VBn6K
z961Q|ya(;?6#XB@%%@&QE%kgtk;SK0EkgR>@ygFLKfnK!uJIg`qI4V~RGB96=3^;-
z3YrUxP!LR^eeJCSd_AB@(WQZaM^V3kHTD?R2i|m2gqOonzw_dq7;VCSfs?*?IFb_N
z3ssAaIGMUK@WG{a$yd=Oyx6iGpLHE+7TX7erhnt^Q{1#G*<x`m5)Hn%FTu~6>17C-
zBYpma7yjGJ|Cp0J!QEe+M>e<md*}o{_J9d5hUa-n$v4QQcgAP7(5F?Q0mdTbjYpr8
z4l@iFnHjB((@MN_s)~Wxy?k%B0$xp&u&<fxcY8`9_*qUk>5o4oU%g@Uz`CwcboRq{
zTAai$JZ?_|YO!>j^W44Z<;=~n*%NaGEvI)_biA@sf&=YK#R+A@=9%nQ_9!@}-LZmn
zwKiMd*^l)zg~9LiQqRdU7ei0coGcf^*Y6wgQItUD?*~KaMD^h34oh0($tHlQ30JNn
zHHJU(8*JtA9N+LR!<bP~Yg{0z^hbYt6eh!LEy#eX=$9~y)9#X^uuNlPS&wslS+QoE
ztg`5#rvwd32_n#2J$IjBW7b328Te`AGfsT=id0HY03WzBa1!rr4H0679f%tW!*p(w
zf=f9yjfjzK?LEw1`><=U9?go6s%V?>NqX$7ymyD{FOc9ldn;}_MJ&P2UF7lNk~A02
z8|a%fN4Jm7GNl;Q?CIp_y72hER`VC5BXDC2hP`W7MR{#2eWSFgdZ3>Oou#}y-oc~F
z)52MrVp!h*nx>?pt6e=OgsUZm5{7qh;MwD5+Dqa6?kfCrE8%sp)TabUXcX75ssjhG
zrID{9>T4JS-Lz`6Jnp0VL1yxvZ0xV!-*W6y_Rfu!=9wl$@3pUzUg1JA1^dovU+huN
zNh<o3pnj1@BS`55;4a|sA}G-h+(iaTY{kgFq!&AJf9_{@6F!{u6nVdKARJ6+j3__A
z7WO-!Dp^|@+3Ed~(0~FYG~Xcj$8Ud?>xi7bD;fbG{?=s-kXf;PH=G4{VE$|PzyF8-
z312%}4=9d_bI(l4UwUPBzr={ux<4XrQ}S`6n~04tU^+e|J?_k#u=7B&{K`?kz2o7!
zA5rTUUiPA{1Zc^~@sL_Zr#<+b$cV<bK%6i1St27wjQ5@@<cnSGvNloUN)B8I>W7u<
z5>NlzS4~^d$;PcxQIUp_s+=!PS=o6}UmVG8Oui;~H;PmLik)Su2BHNE_})1{9!T^&
zLVNGo2d@XV_0RI|g^Yl%HPBHe#@cN>$yiFwRQlZmuk6};lcpBwvTF!UK@ayg<WJyu
zj!Vvz=#KHuKU+M1ZtsK9r&#f9c#UsqnMXXknJsK1#U#9SyUp&)#7*93l+Sl5ScT+H
zOO#SbM0k_l7|wK`t$i*fnw7wtwM}}b`W!L%Lp8!LF~z5(PbNZL`DA!g3iMXE2qvyx
zfv&ap<3&tH%1kD*S99nX7^JhH9n+DUD|v)QFn3rT@)83*?|*BuA@5IL!9{b%o?XJQ
zWv$nt0R5aVT&c0ycwtGY(Mg>>Q+S(bjh9(BkVK)rm!)|bo#CBJKBT*^7&}<dvMXC}
zA}x1CE+*TyJz<TO`q9EZl99XHnD?9N8fp%1oA7kaMw<G=Dg~5eB`S@nV-%z%Ign<Q
zI0pSGep6u&_?bI3N8pf5H4LehrkF=@;7|y&3!SPMvucohkdU@&aWCrm=^GOlHklvz
z`b{eSmqHvYU?Srqf`Ng806+EAJ&soA1gbudPD_HDKDco&!rVhe`O`Z1&KI|CY3a+7
zeuaa2Jf4Iz*@~AS;TNH>Znj+Ue?3w#1b=s)2C?mo7JHB>=$=X)u>E*P+^&7RMW|Zu
zSol^4g#2-~_fmF6?&=ax?4z5U04)jIF?QvcxiM`;!P-Xw4z`N`Ev?ORA(w~u{qXYp
z@BvO23P=7*J#LQ(DiZY3ZZmK@6v~@2FuHd7!?BPvd2M~E=AXN;cZ#KvIlHZyHmoH2
z_?>*nLCLAs*e@=Klr}MKSTQpVObE;mJ7t0zP#GDt#o)z-r*Vta5gN53AzqX^1nczP
zF)0h8ZuAl(WUUdvuYYtG4vgszQ|mE;aZx?(d4>o)Pb9U1cpDe!NUdcbY3WWDJMcxc
z3_=QMXtGjWet|25n@U*hRWgn8h>~@r<ZjYUn=OJ+xW_$Z_SlPog)U#|<{bNY^1cJO
z8S;?2kEEl`Et&_8o}Zwif>>x>ouN(hLhq_=VuGEbCrO%xMq2D)iO8wP(s^wNNG*ng
zoeD9N>PO+@ZlkaYQzXW-9&|<Qh#Rp#cbqewJbw`qL+YrEQ9APV$`sA;`E71PlZ`+x
z1zua1iqegN(byRt0>-&{keUqE)E0bHUZ!U3k`t*se-HKTe0@gk%+A>S9(Fjo?Tga-
z{W<lJshBp5>iJJ4>Uzq3cufQC1M7`M($QS;p?TRuZIc&{?;MjXRRGwT2f)tAAJ~az
zc!6N#tY=otU9%q;&|DeXU>lG4blQBQ8#JB-uEMgvbcHYgUEwziGeLVm@cK9BbV(UW
zzCkW19PaP8{jnHFB>sbCU}6OL5CWQw0*t-Cg|pv|f<ON`{Ey!IpFsE{lb>GPRst>z
zwb58BL}4(u0?NLPVA;m4!#+%8W3}{BbUmt~oHEurt$ku__iJvm(Gmm8V5Q^Bljrr>
z!Uh#xpxUa1yCNf9Z~cuf<oPPSFdDeRK*o{?fri0}k030Ui8HW;Mc;Ps`3!WF3g}}(
z^b~zKo7uUO_j)Zv$P=FL>KY`#_J-(){~%nPFgmJxDyojQUj%G(O4yNqn!g-x$V*J8
zWYrKU>`3f5<`|LgYY1#5RZ)3hk%U@7n?W{b>`wKLvq{%AHFiKV!uol6=wTj%Jdpzd
zil99K>HNS5?OS!WkA3)J6nYxb*D{lKuCEE+pvMr?-G2^Ou>qBo;PW<RLNV<n&>C<<
z4d2^2*F_wPrw#Bvxih;<7tdTQ4dFd=a%7p6de;|zeJ-pfH`oWN9Gw^F0)}&De>xkC
zFZgD64s!%215xsBNyJ3iWJ8eWfi@tBgJ+nZA!l*-QW;c7eeyEar8nH!3}ag&Fh<nQ
zh9Oq_iqA*@7CW_{oJhl@ovlsoy~4>HGL7b1S{5ZY3>OSxyYDvraekv|UP!`@IjZ-#
zAwO@1jo5Zhpu1WC#Zs3KpK)4RZyKP7?%@umK;pdUXW*owHn=mXaf3@#wT}&FH^$59
zo|cl2%+j@F+>dz1h=C;P;IXlS&c0)T(!of!k6FUFWr>b-zQ2Rqzku-5s8?WX>-5<X
z=Rif7s`n`|BL?f@hqxzE@84ejbJY7J$o)kwkaH`n%W$4CW7X8WS~q&tl^{3uUN86R
z<0uO-$fwRCHpG(zRA*<lEIJhh5v%ncdP;)Fg+uY-WD(5EHR+CZ4-aOy*L@mwT1uj-
z8lqF+sSNbbUVbq!S)Ignd5@9+0ptj87x0PxgNE7k3WIuY?%_o6>&1HITGHaL!Y+$a
zU|rVBJAAMCs7|F!Y)OK%uPRv#oHpSD?L<gk^5c1Yx@$n+Q@knS%O!r!<`9~1*75wt
zWwfqjcXvkR@mU<bJZxbtB+FM$op%!XgGM$^doY1MQtZ4emx;=bWD6x-_I^g66wkHp
zITJz5Oc}fJU{oQ?NZ!$2cMH}x9KMlz0dx%v_HwA?nwhD~F%cr$dpwe2xw`P3UGRf?
zc$%97#xh2pKGgwN(o*<)6ZOdh=h)|0vxD=|IvNzfp4ukZ`g485U+e9}TQ!qMPD^uA
z<4Y3;<1bL46YGj+xySgC2N^NwU46EUed)A6+ql%}s+X*5iyB1tt=gGr?&CKApLpHw
zhE;DWXLCZY@vI1)c6_E!KO<zTW1rjfc^f{QYKYiTR9rc5Zk;6@8K9h6ZS@i5^_&gT
z2?QI9a6txr6B^S9k~dz^X7t4LmGfbG@d<;$ypYbCv9Dq5NixHo75N3r)nx5emwqvm
z0vU+g)v~$Kw51GVpHY(uno$V_tV7soFrc#V5>Q!K`U%u>&kP%)k`1zYlziKrWCy7o
z&}U}<P+j=Xq4W;}ynmteuVy$uQ5rD(527^dzq4gJsUGIsA`{+T!G>=3b<IK7K{o(i
z=_p>V&c`*D^6@WE9W23Iq)8g^P<*+8v(Bq>%zy!PgZ?4CS$v28OToHy#Q7xqHK%s5
zO`16ThOZ#Rfy8wM)iTSWe4e)}RRdAVKX+EjYnDtNsiyIM$F!2{ukN33Z9BN~WZnPm
z<v*|czZM%_ogP38Nie+;0J5z2Vn3EamOC2^<)U?omCx1uIN(Tr+7_b?>ldL*`KHGv
z&1CBYgi%WkLB(lQt#cMBqA99u^Mj$Ic=yYg&HJX82asJ##T<oSh^vS-b)$KiPo|$G
z%%}k-7Qp@mxc=wFVs}`V@i0Q|FY$j#md&T=#UO9e`-h38_V?RA>VLiclQ0r}-~Lgt
ze{cVPs8;<HL;@U}nAjNESebs9eEl8*e4PGscm6j8ss`^oO@3fL&*KowGOCpIbS<US
z#Y?EiX|uJcL6Q99_J|g_sgbD=rM*|Gv$CzU{AVcdfj;?dQfo4MNTs7uWnIzv*B(SM
zN$`^EeZsd34+Rk287ypw3x_L(l7#&%KRjRlvYGs*s%Zn2nk$8enfJ4DgCBBI3i9JW
z{m_`=BLV|I{*3vb&Y2&cFUsPxopgFZFTT2Jyo6_C(1E`&ws01}5!<~o(UhgYZ%Fa<
zj&FmK=~@tFe2e%>(goo8k{cU*ip=8Q*&Y_lB~2q=*+P<_%@%6!-<^*AQ1kZF)Z5o}
zz<KP~b0&I}^$zPffC&Tc0|*;Ueoh)Zthv!`C4Le%F(qYE9t-htEy;{OhmHTe-`>CK
zLVuYz-@AeTo;LtP>;K%H|0!hb#Av`ZdnaPQJtO<Iaa0qweLT(g+@K;_xV;%l1IKM0
z(utff+Ek_Wfn9eD&VM*zf47@Xivb)1Bnzg1VOy76Iq51z0KcRx)4`ZQ`8L5IWs_Xe
zzbCN{T3CJ<-g89+K^H|%ldYvKmDAGGVqwF?p75F}4;#rIoVt@4J8+-1XjzDWF_J&4
zmOyXXx&_G2t`vp8C||<<GzdKr4oOGBaOBasq2ID(dphMLmEK~rU*x)0m;y@X!fQpu
zwYe$+Z(&l(f_|pcrCxga-PXcVSQNq|VrRZCIprvO+l?yBp(g()Mhy3^#jYvCY{uK|
zdwkotWvXaFwH2UJu6te&oPtWsV_8-gHL{sN;saOwv8CcseV&Tm<nWoXH<J%ME8UxS
zT>drz#Q4x1Z||BZiH($W-C``0I5i(nX5BO`C;M$AB%AQL#^e{6iLkfA`46Ts$T@g!
z9kVJRZ5q&YotG{UwG?4KXj?`qz$|oQ^`%=bRrptX=gPWBr;rt&deIZT@<Y#`nTsyj
z9%c^eyWUy|-Qebn??yFy?7hUgGp;?tqE#*yn6!}j+}&5tDQDP~AT5_YT$a~ELFPzd
z*|U%lRRNwlO^Mu1Jk@a5n^Y`msIF&@dM7m$myh^Pp$$PTX5P>LdA?5dja6LrFbhIp
z!3ou5v3lvu;>r}w&yewN&*A)D<qeRru38XZ#qQnJ2Q<iI-;2^*Dg8zJ^*0eAak?2e
zkv0~_dz5#V;{3w{++|T8{YI8vkhx%5tgYE}%_PmwU$nVppf)Qd#yyV4t(|pKu&EYs
z=U^XPh2?^+n1*lh@U(1~kD=ghhnm}`Ta$rE#rTyAbd)xw>5^*r%7A0#Zm_tz!4k%Q
zK71~DjtX`d>5%CQQ((R4^bjsb10cd-SlO5T(yisz?3X3HDf#-jb5+6S;^%p&7EzE)
z*1JL*Ac%Hx-9A*t>!o1}AlI4&ssf+XY0#0|QzTtC@@tNTWNu~OH_0YK`+GYtDS#(r
z64^Rc9^Qo3X3z(oG-{G+R6-Xo4B$Wx2dyreF4nxj0;2nn(-kWEEDvE_#E37f-HZ``
zL-&fSC>UC((Kl|1EF>lL#Dncbf8dMj6*j|z&edY@$bJDLT>c(xHqV-QLP~~rDZ~!m
zz7Uem201zp$MehC4__L#k3he)kla!Rv8r`xc<bf3Aig>q$ozoI^S+Pn;ynrS0O;JV
zF-#c3AX^mc^SQqL$Tx;-92FL`-O=qadgP0w5d@MSLsr>hM)*O#8tSd|_CY4DFk^8=
z=LiXqZqKl2dz2kj%E(Qr#;}<!m4PKogt8{nGlK1=TrR=_$Fvi|@LzR2$lffb+1q1$
z0B>-eQ!j_u<u~ShUg=SsuttTJPkFj(xskT0EPN%dmaFZ6p3z=h(aQ?J-~|8%cl^L$
zIPgn^paqFDF*f?9s;Aid{bXUtlT907!G-*tM*@R_gOaeYFtxHawf}W^0TK>U*aYCr
zW^Bzw{N2L<3<eJC`<Csj=VV0m0^r(VYGwS(eCu~t@856vnbZsadwm!a2S9<s!t|Vl
zmFfGb@NbPde+?OZ|K~jFKcRc0wgROT4@ca%-$)C7%kXkT@hA-6y7u-`5p<&}2;Yu@
z-s&l$pFvsfWr_W`$8I%jITR4Iy7w>@bx3?LCYI0VkgA$GBtp6wotHVN+T%S35GtV|
z4<*c*_gbCcy;fg>LYqQBGwq0jV#=aH^OoL(P!8tCNgy7MA#PZT$oZI6P3>mGC;>M`
zCC55heYl%8XWtPBnQ>>(0pFvwL_XWCYK;?-o=AT8Fk$B_44Lr>neRLtN8OXqL~R)i
zh&Jg=xY{cP+hIP#ejck;u$R?!{;Ph6aAP$^1<BwwuVOEwcy&KtgW1OJp0CX-p>R3!
zya%ohBCF;rjHqF_!Wvu)C!}>XS1~^25uXB8XbvjeRMcp=z8PA)Tkt)oL|!AYr7y##
z8#2+sl(MX_e4}Xd&C7N2X{F9n*fR?_A$_vA6pnLMP$y;njE%?$!@<V^k?3|FZ;ysf
zL-d-ynl{5lz&fgeHONw<(eonW5isZLvwwNLLDB#&V1Pt&#)9u)7e;&joGN>A7uP3%
zuA6sLrt%)gy2%KVTkTLtl>ByXfy}P!0;rP2wPn*oU0*T-+?sb}XGYv0wTIN&4yCWe
zJEjIU)@HAM2Ls6#b7TcV?uDQyn`Cb2X}^@aAhM-#JyeSHHZpdZkk8U>4EWTQ{6Ong
zX>UiuEJo%IW^_6G?GHlWAJ9E@4ci!Af6=LWfww_(?_Owv2_g8uLib-qtrUBkjf%<7
z&kv<_=L=DSFbR^z_LM2P4e5yUuQF9o&0g@z_3}|ITB`Xg^9Fl91E1Q$TiW9^3hH)z
zud&Dm-r~H{OvNDp4%wNY_-4Rx`2?3{Nel)Fgy~+=1Rl~bW{2RM`fWiokM?yg6f82_
z2|pcDg7w1&Yq0;!=r%5!<pk(@1$;qvkr;&^`+M{{sC*%1)w)!T4OrKhSydDTHtY~V
z6S64|%mDOTV7sNn6-9EQ6!HzHa|-JlAZ|&$dH6wvc<Or$h@|(=(w@C|P-v;^s;E>R
zS+Ni-#W40-yyqNl<dm&y*B#8nTvf|*)2||rc1TR$(!`%YTu#ADS8sea$&{V{$hka9
zB=<>8h0C~e{310qvx&XVhap5<E~rg}%V&!NFTZI&IR$wvKwsRDpy-Q08*61owCwt6
zoE%})SyuAOS-z`TsI8n71?G!~!>{s)auS|HqMI#l0^Nd3dMXqUrrUOczLRypq1g;v
zcCHUxjBSF4z50ByQoZv`PD0n0JO+p45%zGNIQaVo9>E126dvm=f{3G|cR<-BK3S6Q
zt$`{8Me9ihOkQ*g<&-VspRQTSf~!@2jKQFO$BQJ;8m({OUzp+NNeA-DpV4EGqW_-Y
zHBbfpBr!u23x-9?XQTqinW6a6#c@--t%3fvx{OaFwzex4{21?C0cn{o;05^;-Qmr2
zp!g}Z_!JUXwV$M8AdJ4Te-G`be}#6`zd$?czlU}%M$R7z8`EE){hMK@JivvS=zj&{
z0Ua5?vADl5{@d_><TI-S`maDz2fY~K1r$=CzW)al7!p(n2+Zr&V&~bWJu}pR?v7GM
zlS3p{g-eX0&obvnN&NAGq4;;n5S#<>==wcTz|=;WMXRi_^uFy|EOAU-_t0GV{H3|V
zjDmly+k8*^zNc~EprDWtKu@TGTtSGE7|U_V1IIi`q}1w4Kx3iHr{6iKI6yrDLIk;^
zynv9cQB{WgCb+xq(R78Z^(wm_>P%#WdKHQojst{<jvO=_yv2O{LhH(CD9ExpgY|_$
z0CabxGtS0P#=65dp?D_XMf!7&LA3-XTclFF^Dz<UesVw1|7+hD3n%OU(i~%F{iZYj
z*Btvc{2%$u|AuBTUx0UHgJKc~FB46Dd4h~eFL{N;^eorQf6|*0ii;eFYc$!9(5IdP
zI(j^cu?r?0p+pU=_>$c-;n}-%n6U8TgZt-XuTNe*M3hAex@JP_j!+g(hFPA?h)$iR
z1aKN<|G%DqFAD=gC)$}?um&yiA!Yk^Gh6*)o=ynRA3|6T;J9Q_6tC<vzEW&1yXCL)
z@t`QJA`^0g?;<iX33D$x;&xx4J;<i##j2L|aM(42FdCD=RKmUbQfLroy&VJl@S0>m
z{6387(*MD&4XG82h9LTaiXcJ#D2kY4P$4DHN(vC-J`uvAp@K|r2uR0?1z{L#*EBa*
zne*MD{yEfr>JY3f3kWsYzQGs_9KE2ik(GfFk?i+AmH>lUB15A;O)gOjKyOStYb#S*
zN28~jD@UvE5co?8@J&+<s7SFg1H6pbIDYX|zlVP?DgF;V!as$kox_uNEnrH^a70|w
zA@tx<g6IBzUYF``va$^J>=!N|3grlEu3-tEN2C#rc|lAavd#y6aMTPAIi8rG%7v-2
zz&((l<tx#iO90J2WZh=$V)MKum%+7SRGvHc5zTmBn$b@NCX*J!Co5nTW<E@1+%rVC
z=CB8@3iCq##!Yy^>rgWdLEq_NKNCOD?hv_|ZI6(mt^I9p^9zh+mDwTL?DfWy#c6+R
zoWSvf<k^8-BiJ*}Yml<#3**s#{_`+eahz0ZaQOQ%d_Sf;sv#h?<XCARAUu}9B!)r3
zj&P)aPH56l!dk@nd1rB~xCC9T-c(SYhs(tGp7L*fItu+u)skKkF9xYkmG^vD_O*gs
z)YX4DM6y~i0siWbTgaEA`E1s(XLTvZb55$sZ$jbfbsL1(mMb+myK6L|Y$|?LG#mon
zW54#t`xvDBN{+K(E>f$Sz?e3lM!1OS^qIaB6@DC_P`APjTxJDYzSC9r3vD+l?5OR&
z7IxckZRrkt{!+D^QC=IFeEAfzrDxX-YJyO<ZE_6(+0j7C=y$P}YVVV{52TVPhRt){
z29>~jDDS+MeytPJN}L8FMz`hP;nO%O#kc3p1AG|$YS?>%QV2LPY$KT$iP-ZZ6R(@~
z?IA4!j3O<{OB+(&!45PwVQmW8){iYk9!a}*S$d@+lR(M8YgNB_28gtDLM6|W^LKrd
zL40rR)oU(Ai2u4TJuPMZ?I-@sSwCSWe#Ndu;8u0Z=>2WgJwz7};uS&hWRsDNeL(!l
z=ZX{|w*3zG2LpzSnnwiMO>N@`U$jh{F#66KqbJ$v1tcKh)mOriDkQ)+9%K2X>X$*H
zu6!xAhL$YLb<i?A)m-2&e4raYAtX~_H`E_oVGO=R+3N9Z?mE1x#gpYTZtK>;wX_tc
zECN&0n{jF*@g9RTdvB<8oE(|y!{6KvxoA|rlg^yhsT|*h2h}NZ>u!K7JZ^@gXXa`d
zBS#e_4&IJpYC6-y&a{4a<I|)i*L6_OTyo{8hdGOc-FPwqedH#Tsi^@w)srYoJ@N=S
zE9Zp;5psfEJD<{AX4{3g>!7Z71Q$9QPUskq1BMp&LcZ`ol?n)BlO3<`s_mF%S`e{o
zh-di|i!g935)Hw4qxLW}c6f9Ik@GA`m(WrGMmm}0Ud>Be?+TCVNn44=QN?#){7byq
z&E+gvFpRoUi<#O91ueR}`aVv+{%{dPjA9ZSa1#aP2YR+gyCnLBms*AvZ!jW^*(pTN
zq21dqkYG+KB9(<Bz?yRTk2ctPuN~H`Sp~=1?2S~3uG5X(UYn50`WUq!r9!Bm8kINn
zh&SKIxP%MZ)0e*_T;h(ivkI6T)02iDa#G!(3nW2jhd%($JeWJ^3P`>E2sgyMx9Pm#
zFA|>hlJaA?+9UuBaDh(HOZ{om0I;nAU?zlq#1%+#6ExB1hJ7qqa;$2vpV{dC8M4Kn
zM6dus!B27m1`g__mFain{iQJgco)3{*eHm)I2c(O8W|F)=vkN={_acs9hlh|S(sS9
z+j@W3X91*I-|UON{b(@$x83NU;I|MOk`fi9B6ZEMh(H*_&Au`=+mWx}W|I@h?J(4g
z2r<07BAo?PBdA9$Xu3VHS*|BTKxUxzi)m6rsV`%iM;!P8I8EA%u?8o;q&}kNiHeix
zxe`&a$0B3h8fPyvLLMANH!xmEo<R73F+wMpOEa`pyG>RPRaq5aKG%~XDsGFLt7uD^
zKDO1egC){0uA=V)>%c=+LbS;|k`0Za=i4;U!Gq4A2@chmS&+}14J(`ow~*K{aZeE{
zE#6V*+TTGF5-?*cA@9yt)6zT9zs+6oG7Ev;JB19psv1Vx-LMykZ-yG@U%!J*s3tq|
z$e$fAfAg4>b{^}V0_!~GwFfz&Uz_-R^X$YD5y2=R%s{!@r*17v%2S;DJusB^cu3Z4
zC$q?npCpWlvNxv^=+HYL7DEMf*j&F@w^xT49cR=#`U}*H>iS4zlGMJi;*i1+Ho+4&
z@yJweFJul9dTnINji(hVeTaa8YuupnW4vY8jvxht%gyp$h2M_KSEVVJcZN2p(Va7<
zRI=MW_mTj+r+P2#x&^Mfn9zu!6e(7XpQxv*;$41>p{b{4%`T4&J6A%Jh=GGZ2sO;k
zYJ{Z!dfG<^jYx+MF53mhWQKP3lQqqRBzXK?mbJO@W5|hYo~fiF2l##uM&v|S>bM^b
zcN3fArGkRmSs&!`Rt>24Z)V^({LVXYZ87q~U!p8|X@I{WU`@MRNBb-M{t;b+{<KuS
zOSae}lZS-R4XHTN$!TY9%g{|}&2expb?UAmrPcS(`uiHohMMTzmOh?W(0$}Ce`5oV
zZ1#ps4w%Yja~p1bU&CWbqPd-b+V>no$}YAqhpDk>;VzT#Oj`g1^-dNKVxSr=Mi~<u
z1?Plt7S2@T!q(+$f@dsj)M1Qr)CcRg(#3ZUhWEB<SAvjlhhw*R($><MpW7ExPn-6+
z#F8_4ZuByq+@ZNRqadJuUB*aglQMR<Q3@QWXg=eVp^bU|5xzs){L{wvbV%e3ZCf#J
zYb|9k3Z{eAo#$QjSTK17?roz*@kSOedOJ70F^F31o1-fsLfU$hbH~!r+KWeI&yHi#
zywb^=Y@Wg!?WMfzBawHlGke=xs7aXa5PZy^d+UWhIOWb6anf+IDG(zdSktqj3arx@
z!&yoSGGaZ`V1Aj}j|r&ZUmUuY(x_qQl+u#mBu2F+#b^tuc3q=^veDqtDX2od=UU<4
z>Z<{@?`S9YX@(UdEQK#8w_6x$t<LpVgZJwu6jRvDz#587k35t(aFm~ppj01lU|ooS
zB`zk|$KCF|N9X&9S#<l%id<~)=DO0(+;o&A09GHdWF8wRA;*bliZ1OlSQZ_GJ`#r_
zUZ5Q=#r9AS(;>&9fqFVDzSEEwb6Q9u6uV;cij$6$ghZ)#ixE*(e>;s6meU)RN&vcw
z0nnBHC%S5{RxW7de%5Z)Fd{MnjXC<$lwsukM|Az=QUizb4PAfox8ls-<K6F=3TW&O
zu!H*nqJTW>yF<dy;s4h^|4&HTy+dQ|aYPPIk?TvkU_A(Yotjq2+(8noCm72;*lB_b
z(Jfs_({7AOf=~1LnkqCt$E79CJUbUY$7>+II)6NZZQAh~^I}xAd)w{MIX*l3Ss4Nj
zsCVns*k^k8VzFnMkF-0=ZV4Z$(U1EhE8MtA*Jn*On0O#q#Ojoh^Ya);l&RI=fk94g
z&=rg=KHkjM;d+m&gfQT6MRGU$A+L!8jVT5f-v)Uhl9~%-vKoJg?4=8`cIAsI<iV8k
zu1MXiu+?3HJvZze5&mFl+c>d8p&7O}*HgBx?m0?H$JUUjf^$-(CRLBZ(dSY9S;}WU
z@`m|Yopt?-M5sy;*}w=c5M?5U)izZ*Zmt;O*>-X^Wun7ge(}R2jW#K__EK(4c`f}p
zL@CK7nj5PR_Ho09z4Cj4NwbAsmUEx*qr++&)#92Y<7nVi?tKoRj$ct(;o`xSN5_Yj
zF1F-m5f6l7AFkGR;v8T+xUfslSdH;v;>BQ^lQ-SEF|;A$VIk1jgGOg>vt?^+NIT-&
zu0Q8gauFEvkDrCf%G8Vw+uB}xvGt-#d{~y+k=p%~<f6Y7IyOnwEhMDmi%rS(64fRg
z9yf}t$jp1$3i7_Qd7R`}ll`MeF^CBjQMEK4I7I&jaI((lqulRUL+f2p7{t4G3zJRn
z@|}%qSKUwCjL^6ARE&Nj=^v5tZ<?R{hFagQh@tZ>#>YH3D4hs&V`2y3)zv>Oi|<H^
zYD97#MN=xWHTc+QveW7Ff)~vF<{5+AXZD4v5zC96tZf~&=s^zVw|z!+Wt_ZhxO^YD
z>%hi7TuYp%Uj}xw*A0HS>U%!Dr32Z5uAJ;JFz{Kfsmajkjc-GMsDyN+b<RQM(0FIU
zf=I{C#y-|w4j~12)9m(4;qda2Q%WQd!Z7X)XnmBA8Uh8s;%!3Cz$>HvnSg~xHrq4u
zk8;jCz7!MA+-Ydmu3s<4)+ZC1##9wrD8S*{@B2^~zgR~i(?DfTO||)mqNRn1EHLiZ
zyx;tCr0F-!H&f~ox2VN)HdlJnVD8<;PFV+n9;Qs2QGsb6HO7&P#*>l=1V;s~nI$1n
zsnfeTI7(p@#fDk0+Q&FAsM&~Cx7UG~!1O*LWytKHcAerJsQ`E{3Ppb}WT@6#Ecs(P
z(rZo}b}=0i6W-PS9#o2AC5Vz7o*)P#>q@UmDv`9@CJ9qY)9Bf4ol>wMLu;IDxNa!@
z5ue<#vqO`WR+e5&O>dtrY3a)RfUr*P2Iyfl-zKb0WmWcvMFtP?w_GfJ*J|7%a+L!h
zp<qdrCf!mE<e|+oEDZ9~4{4!ISj=(CJ(_Eo*RQtWNzyMCHu{LG^ofgt1ghu_Cw2NZ
zy^xJX3BeyWbB?MDs?R*5uiywt2<dEU8h}}y7=gB*xx81Il_w0lg*flPJ{|*bU(tXU
z`cEX)3Qz6UNa&uhRaqGh^%)|6N_qUHE``d7{Eb+ELWPkvawd{Ava>gG{dKMY5*7Bx
zFNgqLid~rq81cSy5UA+NfJ5Ccl|&Vl6<;bT6UiDmI9uD9GtmPazrRUiQOUkv``!rn
z8^`)z(W?M~?9=u&-<u@;I*R+}659X8NBuX97fy+?M&Y%|vt74oQfs9ijX9~}p6R;r
z9edld<%}6Pz5B)NP|yZ&v_sXAFWUSY#ML90Q(>-ax&B^s$zyt5C#g$hu?EH7jJY*7
z8@+E?GS1rQwUjD#sy&&#!&o<6UH^3Qn`<39XlfL@Bgx4@!f9!Zt;fJ1?JqT$zvyuO
zDy(5Qev1LMw3Q4bh%ei^ZU8*WT_l8Tn4OvM90b`_%N_s5u<;9qP<2~a2XxorR;3I;
zSo4WmPdq|VQc4!f=3+)<#_HU^$x^L_bYA7f{!v$sm~V&~m)Lk=x=g>`!nn4o85Ur3
zUjc0HJwK-;@VzDDUG9KF0qzGw1U68*rzrMKi~WE2tNy0C`TxnR{I4GMpMnk_6eCP_
zgw92%>ah}4c&E?96qC}W^8R`oMMN^tbcWDNBcX4Gcnc3NM%$N8CM##$IVh27#223T
zeBi>a(aCS|%*-_qs&hIm<fe(e+OQrw#2|`+=G)kF=*Oywozgd4^v;Di3BfXpA>sM(
zfO;H^=6<n77&Wz}(1UC&2Bk0<gr>~@f#t!=BI6Mw6RSlbiY@>B>pnZ<MdH_$Q|T_C
zALY6BhK`p$WJy1igD0^Os%q3fj$HHB)7D)mFZb=DaLJTOht+GP)zlO54tSHWmU(fT
zyapE81(p?4N@vl%OlVc&h_M$wWA0QsS}b~SkTvZ!kI;=@>FR}BU1u&Eisx2vNi+`s
z!mIKCH)e{6i+DyxZq8zPX(fJRFTCxAkoUTh%7Zz;;ALnRe0#hyBQ|Quq$kJw18pt~
zHmya$S(JrB3E0&+pD^fn{ixd4qhuk&0S%S>@17&hgJd0`NGE!nnS&R;!tftzFy7ch
z%^cG7o0P8ptogXIZC~<?n+~Xr?WF^>#GHg0j&~gUjzS#58M!B(4CaUaLt*l<HbEVM
zLJ^U#sk^GdS@MLc$_0G)4h9UB@<z}*YC`nFIMOx8Wa8>KU<C0~<YJQYzEvx&F7<cD
z=<EHe0R)H!GoSRE03~<&eXSl!C@`|;4G1)ar_#xIko@q9=bw)l{C-+6eJkw#jwzH}
z+cb)3BuABf*5}ecW}a4oz8?H%40%G1{StC(O?kkNUIKdxrW(Q7cPqXbyc$h~@Wx#b
zMt_q9@=`Sk?L?7>A~=EaGa(l+M~>5-lKjVj^d58BrU+uWoT!)jv1g{}b00!ByNY1%
zj|x6Xy`+X9vV7@6h5bc`QA>&x`Q;;Nn$;_6nlG?2Z@e#oITO$lg(0DDbql}X6{AFC
zr@eZgVy12x&JT6lH!fO^g>D#wf@n`k-@QR9d#84I{8jXUr22p%YGPhg54=6uy1>aU
zIy{2CybT_F#5Qs#-<r@O-&VhSZp_~f?!*{56fOf*+KzSg!?f*ck?rz&qeTP{inh^0
ziz-T;u=(Tmip*<dh0)ZqL(IB8+t`Q|iHBu2+Z=R?1iVqbP4Z^zTw^j~?VV+OSb7s&
zZol$Ff8)TZ6a|OM##EosM{gHwEmuih`Z$3yX%1@I{$Bk)1no<9&4D#CGT@qJ9LNl3
zApWtX=|kSBn`Zu@z!_`rLb}yPkjwMrv|6@>PUDJT$wJDkXHkz@6z1y{a%YfVfas^x
zg9jA_6ZgN0&weo!eCZLX4wAU6pV`s)MT62IATPZ>rWX!!^*of_fq90qy`lnkEkn8!
zZ{}{(v{qcqmm$Zmc+x<`rYrK1j-{zI+P&5$q>K-HRDg2st}mupJC)>IaYwD2Foa3?
zO9=jKPZW=^8UA~$6;ED_6aDLfn1Xviz##z8+iw3rcsO9?7e~bR$?EXuU@%Vt4iHA$
zCwbe8m%mssNH{1VM?*auBYOuX3`VpcwGDU~Qv*9|dw`+0w1Xi%)6Yh!dT<CTg32!d
z4(=>$oUE+RIerBqpm69$bV_c34kFgSY8pg<XoBN=uJ=uw!wfjz2yn#vRa5&l{J-%?
z|Gq4nw8R@WSK)5mL(wV{Q(3Ko?j9vf>WLGe4mj0N)$=NN4E+T`K}>0jQqIB(S4_UH
zjtO&Zkl<>tCart-gNNI~-z&QRoMrq5fM8^FsPUq97r4suk)HmTqc%pckALX$^0#mJ
z9YlbDN&qp6fe-`LsxHrly@X|74-&bVnm37TSb7!~20z8%xo>~iCSy?mc*|g34a&`K
z?cS(Y{M{K_w6&~;N6iP>syn+PP4(;DrEl#zX#jJm^2Z#4aks7WQ)xi)$S8O+gFycv
z!v~1Ieujats4zyB-#atOOG*5SSYc3Mjbt1RP3-i(byfV;j29FY^XFTC_2>ln)&hEa
z2!B7Q1?bAj3^@A==-33{RspmC%ah@M^xpp_sJze9D|07D!v9oH!dM3J)wjA*$Tso$
zhe^fF^78A`WVSeVF@)g6$j0XypPE<49{L~!d758Z`{$b7>R0%Ng4lSz=$734M50V0
z6W=TZSMHqg?Eh)*tHYw)zP9P^2I-LQ9J;$Zq#3#!=`LvjX%Ok|5D+8<0RbtIkS^)Y
zcR1=f9)IEY=Jox-#q1eop643Yy7yXZuXW#rzSG9&Bf$O(|GU$pl3#+#YhCFN0i?o5
z#am#oR`?!8>)j`#zuyr4vIoc?%FOjM%n*^cjq)a~Vv3j{&JC6GgbPy*pEcvOg>@Mh
zNae|c2a}5Z_ArF|r^1yk7DFLe2(ipoeNuwaGpomRjpYhaWhTIG@@`fO?)@vKSw8f8
z_;&=tYOpAiVx4O7AQZEzfXoG?&I~^B-CX$3U`s3=Q9eb7{LNf!egYgB#eZ%te`&t{
zFqfZ4{Yd4l?5tdYX1}waZ-ajS)_(p^Z{}YZ6h#42Gb6?+&2dfb{4xYaKsLZoMj_`N
z6^D-N?rRvrjZWvP%}VAkBI@B-#j>@VK0)hx)(xNQ+(x2dK7>)ck(`W06@ogMCQS4@
zD=>X~Y8cC;l!u28LC=N|Waf*LH1>-@`RGH0V19fbl@U0COUOh^oGEQ8`kyl>D=-#w
zP|neDY&;5qMr4)@+l*%)5em&542K&(ND?K#iTvnkO~qs&ywpBlIUJPFleC(zQn2Ho
zw`8?y+?2>}e*L=c4le3FaA7nXqY|ybcm2$J2MFJNkuoe*9CU=E;X&z#ftC!#kPk{x
zTtHT(_syaZ!74|=T6;#>F2w$!^;GjGtNPD@&|l20-$CdH?Fk5gz9|L&I{^CMy6*4j
z1xI&ES`O2o-_OvH$sW6KsDx;uo#rYrV60qWrc-|yz4Rh*H6-!^+~{36#x5nQp083}
zst3;!O$_LU3K{e_!tM!nj-*$WYl_kVs2r!>G<b7Wl%KhL9-bzO3NE;&kH_Y=A$%<L
znU7X8$-1t~nm0?}v@4ZI8#<a0ePy-2SwEC0_|DT1QNj{Wx<Jx}gYOP?!2NYU-ZAu8
z*m3CBjh0!q3XO=7!p4MZrE))Pij*^<15ys01%$pHC<!nBqT7z~l7gztUJAN%elpwk
zsyM}7-r8dhjGM&(0-0AIOOnsCBMn|gmOmdVw#=xC0#Xl0?#(}Iu%UGn%e6vWZTY9M
z^IhJOBQYH$Kvh??<4Hp3Q@m1zhTmKEPqFhK2g@KqfVZ-mSJ-6UG%vT-h^{XfdjKgS
z@_f_`J+^q*0e$6FQaa3!5m&gX_xbL`Qf1iEFtGI&(P{6?)Gl6kd7_qQs#R&VTRs!8
zVn4{wr7-0)vmh6*m~<M_r1MP7SHfWB;#yv~1MA5*LZz<At&VEoda9b&PJKd3ZL+EG
zoDy>t0cwlCjA=j&UbfE|YE6d2Z=z@56t%N-t5x0L*pyyLN%`Yli+9>Hflj722>OX0
z;ngTuR^p72$7z_?=-cV!Na*<e29E-jSq4%t>^Fu){1f<IN;RnmJo*gwK0SWByIUE?
z1c{{+Te_%N$LC8W`O9U5r>IvZWvcRD4i^VIf{{Vgf{@QaZs+qI$XQQUO^|H0zfR5k
zTo-s~__p}T>;9Wq{%_n+>i2H=e|96k^UEZ;*IVXMds%vu97!J@5qEE7H=D8hn|fN-
z4>LKrO=pnyDbThxS{g;2lcj5N>K?nd&kU#ECuzzR=)mM9anR1=aJVTR1=jbcC|2NO
ztIFQ-JGwazSJ9VYr?c~y)<u^Ni`|}XJKldCMdy1yqR56bK_N`%QCGze&S3jBjUjqg
z(dtF*d7MZ!o2T&<vSIhtOW{PKC%Eg5f}9&Ko8Fo%m%ZYVZvb#QY(rXI@v2*f+D#oX
zi)j!iAfwDoTE9ve!{lf1RNmxG9LLpM<0KF!6pUf`3Ro0f3Knr)%pZOmW+ZL7Vuh#<
z7QO0jMTYF9$N^`7_4a*DQ^mB8V^n|WUxoC)LfY$n<go1Om3a_ik>UCa-W+()6a1I_
zQs@5Y*=e}1lR$pXBfYUt7ZaH_T<sYp#ybl*46Xv%>u#T>TZ`I6aW@1KcGi671v3vv
z6U%L--@hdnvf}G)#AeRt?6agJ)T#pP$9&-I#zXQ3(<B^@#&=!lK*d=4P?{$M!BOKl
zl7%+~2MI5^XSC$k*dqg_;_GPCR$6=S<@~geNWhTpVsQBu&?MEe<F^P!QFWCG1G{x?
zniL@1&}WOlN;86#Gg?Q%86Xm4+r#Z0$Q+O-EE>8s%M-Jir#1}!#%fa+=12lD{;KlJ
zo2;WsE&hVaTFsMapzzi$Yaqi30DflArl`J<2)p3LIe6eqsPD1L6Q_uU*7qa<ezG8+
zL<I#{$>01E%ig+8r&O)u1;FCvxXmlRbvweTPk#%werZJb?qUd-n1A#;fCez^jY-8E
zm>B*@=e{$8L1Lo2KXgNo{uGP<k+Ff8c0nx;+-zJN-{`-7TK?Mc@L#{szX*|l%CeQu
zyi#OKLG3j8FNg1RG(|jaA3qm;O*9NQ=TfWZc08J?7<BUH!uWBh?Nq3qv*Y;foJswn
zT6BAjxVDKXeE*fd9@@s8@NMTzH$B^iV_{PvsRogEfWBOuh5RAfFCo$kz;MS*?X&aR
zvM&{sRo*^%b0nj`J41*0`J4Y1bF*k=&1)X^uWU8TDBEOMbvx{K`%<lHC1VO_s7~-5
z3*)yv?q`I_2JO8$r&J$JZNMH1xf6Zan(1`!^F9d;nA1;aXOf0ql_f+uI->I!nIW3M
zCuoCRDqM3|euA$cgTZ?~0xIN!$Tc7Zzng^EiWBBcoeq|M)5x=1&Rd5z=opD#L0jx6
z&<6Fv{QG~__v9ZE6ZxA}d=HNPW)Yw%$Zv_+Hv@TCviy%+<aY(sb`2lniDn`w6X@JZ
z+a||)k!?9h12my{UBYO-YV&AY=|V#C)=A;SJ@#4(op-Tq+MlAcKj0rR>-0S{)osnm
zN35<(f6|KHjIo9Edeq)FAe<Hpk|BmNeZVZZ!MYrif&DP&GlMZdfsms{Mg^Fv|0q<;
z9oJQ6Cr+iwU5dPzp9WS3LEX6B+bVbSWE;Bb=N_R3P^czErf%mp8$){Oj=O>u&<A(0
zZ~>z<bI^TQ)XZVN2h<Dq>wfIg8;Hc(W7PC&C|a_>>FbvPMmO?poND0Ksm?)FheVE>
znWy^(Z*BXf{B)m(K33ps-I3p{hJOouo0SEhq1ccLU49Cad(H*zcM@M~(^G$Gw!KAw
zFo0bAmHOSsjk=byAo6%>0lH0}`29Ae+hqjGq6Hx3EB)<Gca{kc<qKq}jOSe7E`u=I
zg%f<Aub?C`HKN{$OEs$i2$(iGmc52_WD)$^3inAMEv$9usZ5e))$q;vsZD6Z6kgfv
z-G5YUovdGumDUBrhd+d#9Z9G;-`N5vojE{>rE8oDLSwbRsne;SiDeJTk5?_NgGe^I
zM3T3>+?&KjzHriNpjxHf1L{|e?eXIx>WcLigl$u1FGItA<`Bh5m;$&~%8LZe9TiHC
z)ny#BmmU{(_9~v9WVxHJL-di$btMZan=z=bH6HNOj%xk0%|_kC(e%(QL`*w&42QI)
zubiOmEb{lh`)d#g0S-pnnkZ9Lad7C^y_$NEQ$jUqlg)9rPGEM%Yol6==1Gtv|0(Lz
zE+Mz-lBnFZt@|J)A^-zBD+itN#>?#U($eYtlGeL|T6ag~S9eVaj+40@hi=mfGOg%i
zbu+s`_d6&(Z_F5dP3>_#clCWD26ke#+-G&5uG&;dB+3t-2JG%SxK}33p~XUdPF&1A
zTd$Ov=(5Fl^q#i#60TsG8*8wp*?gZMX!YRYun5PhX|BYWKj)NnXcbKIEwgJ)&2->i
z@#EySh$?wbSUQM7Pb@nrdST72Av&Wx3&`A&XKmHa7Co#Za~x|_kVaJAPA^tFAJH4S
zijK?m>cGK<cl37qZ=}qA`Am~K6$ia?nxQyIq$~xkRy_#V2+fV`g60F~o)D5*_Sm5q
zh%o090JxJ$9_|`aH1E7LcXRC$KA*8nPg-UyVQMGLCmwL^d&T&aw2ZI0TJqLm-cVJ;
z&Ez08*JqmNmTGZ0Hv?@nx|zqoptrsdf-8^MkZ^Q4C5yK7_C=-Ymtzst>k=mClpN}n
zQWxI~0t$0)zA|7n8@L>{pukHdBzn%5eX|xAoGiocOgMFE*$PUEjC>qoU(!*KUzw-2
zjuXntGtfmx2P!!cl*~Wz_J->PL*^D<@$ptSWDYfSKRYj~Ce+gGa^9?XSrx-B(@GNc
zdEM2=D9j-|6*RQ~9SlNNn{UX9s-G0YV!<^4LqyQ89%2RiE2#4Q1ga8$PCkN~3ndj5
z)EQO96n=DiBO;-Rh>@y_$mo*(c<BL5L3*_;AUe$lJ&=cjD5%&4A}0FL{PN%W@ZW)G
zt5d*J`7nF`0ZhBjK3_tx)Hnttiq~lA!X*Sv;Sm=Zn%39r-m%e%u|-t+I_Ps;Oie1d
zBqeYpP`H%ZrQEW3i)(<7TDQ|(3<=-~%j6#+JGE~-q;}&3UBz0<Ibsxe+%00O2OL<~
zwVj^SpW4`e1Xpgx^s|-Cml-3)-)rln#RC>C-0jaJ#FK3hSR{&~y)aZ_X%i%rs7IT&
z6vpZlzS{7>eY%bq2h`)AO;??3XwQ}$71&9DhUiSGb(dE_OW{kr%JfG~TkN3Vlpuz9
za@SCtkw*2&;F!D{aJovzG|@-WV_VuwXblc6%RJuORm|~N-@ITPg6tBn3FcHW&7rtV
zUS)Gs8L!u4007S*lgO4<{2CY6t6H~rJ-<f>D8(6UP_oI1nD%;gn6xiL76#B@c|+d1
zr}2zlar?Mt<)$$$eNyzwNday&oY>mQ_j00stH3GH`>mo>O2L_XXg*EcR)Bq=T7jKm
zv-IWLORhpDnfvCHx6fefG9t8Zb{-KfFgh-$CbHy3uC!?sQ%}i#jjxElGNsaCEasda
zOl5Cd8}82<+ub)nk&TCWY+BJW%gG4a>JDTm*NXE!fqgz52$7<n4=XeI^n=#rqYX7l
zx6*1a(IHDGxGkf0fYr!JRkx;ae}(Ex_*I86sVI^i8fyJu(kiHTwwmeDlBeH5G%%PY
zFyQw%`BzYX?%R9Yvzh+L!>s6(2*mUiZj^4vA_zJt0Evx*rXg6^VW2<{!B`$><l*RH
zz@edGA;58nzUz#8cz7_Gf<||l%<b)5nSd_LW{##V%)dC*AI&qc@v@7@6p9DknJU1H
zO!AjeNTJ6rv^ENN;L9aQrr>X&EDEw-7~X<oUhSrvY=zx5nvC1aKfmsDlkfo|UDR@q
zmZOfwI9%eN$L$gyIc6UWHt#pxyK}qio!LhmSDCPpCn57%$6}cyF{-(00f{GT=P3gD
z3d|{}E#Tw6c$A6_16AO@s%YP>11^W8LSA7Xy1#z4_lmE_aKDy41s$*H9k2uMOa80R
zS9q5bZI~H=ryQ*lBG*@JQFKl8VTe}2JRQSPOo)yZF^?1Xh)==k5oV`SGwhd&@d<g!
zqLGM&D<C)K&HYYWNRc5oQ!axfJ_43<!SttJtovqLxOAt}otH)D@nY?Bw5g&*zDS1>
z4k7ZBuu9Sz*%`S|_E93VhZ4)UoZ_Rv+uDvDQ;>`~<Xg2KY`vyv%D74cr`6TgWn8)Z
zXovE+qRXD6jqL&n`U;po$HyH^zBTpPnf+G(h_v0EpW+kE`Q@V>9ka>LhR%MZH^Y$)
z@fHduPlXgKh`IrHPfuuY7Ddja1E8l-RlLg4%0BKwny*_|x3VUR3R`#ZPB?$D=GJH{
zCrWOzGCmSZa9z)xK%kV&gR7eQB!QpuQH@A1#Ot8*Txvf$t{0{<OWq{wUJ~kJ;$0&e
zm9X0#PU$;YqcG;yeHM>Z_2uS}H0^*=%xD!}CF!&1#)r8a4^ZA?_zi}^!G5t37X6=q
zS62B)3pWBLp_+u4k^<?sk(wW}wqi=4WJg_`>4ypeA|~;lq6cCQc6M&|pqX^n2c?mR
zI9E*Mn@%kN#1semVPRo^V2XQq_~-I}`|`glH+;YbsMe^~wf5=+_2{cs@`?ci<ob_N
z+UB@YrwYxU6&oC^AP}A}rV7Yap6TzBHHefAxA?i|bX*E@apdxKow1@zxF!i`1@vA<
zrVXx@S$}N!BodF-H8mv~`S#5T4@R=QI`lc$szk6i7I5k_lET=6A5s}#4|WHyW}&Ww
zyOnCm)0Tl9>vVn94~z&loH+1kAs?&<d11h~rB?m4l!T&pESe)qdpp!LY7=^VTdG6x
zVLX}Uj0vtnPh}JGHgG0mUji1NH#?Hh2u0rr8<+<32h$Ox*^DmeSo7UD;7pU;%A)Nk
z2I26QQzNMzR!mY>+dwLJG4kWgi*ryDxcxL6{TDJJgqC;!p<nn22VS72GVmNC?DGFV
zoS6I?0fNea^1S)t<t-95{YicUhzO#KX4`~&I<|1Fk%rcTvdP&`<6wI~NjL{Nq418s
zcPOgQqj-HrnKOiY_pET_?fBgLm>Z`XNZKx2eRe~$Mj&6L1D?C*>F1ZyB=|zHNjryE
zxO>BjD^M63Q){d9*MiVK%R~l!MQy1{mb|B1ObB9)Ra#F>EPa}8^P@s?%S}4y;lnu&
ztifMr&}#DEfpL#g*d8jDHo8h;*e2|8Ozx&9Y>0QnvpP@8K%7CWosjJK%%*6R-0wzR
zrb*p%>Oz!44MpjNJJBYzzp8(V+@5}_MF9p&hASis7=xBUENbKqEYN>e%5D%y<5T2I
zy#rPm!wrgnq(JV+{LS^?(ZM(x75lgtxqfv)k)K>pRq3a*J~2=WnwpH1BB`3lk2Dhz
z6Y~N0|9DnaNlE?Tq)+M_zc@Fj*Nlq=z{bt~M>_eSEAnH>@;`8i-^D?ly>9pkzT&Q~
z;ddx}DW7M+ao+ElCTt)&jPM~?5%|1asS1h>n>L8k+L<8Jxdm{GvUDhKH=>qA%rG%p
zk!_4|<0<+kOyU^Y=z+Zjh#_-@s<x;BQHey?;zpq-_C6yK%r-}Rl3T1=Ra^G*uiENL
zZVdNd?f2};wOhX`zkN@mvY%K_TUN%IF2C9X*Z27Sg;maK<^k=*lgmCFs%(mG(k=m1
zAs*rCyC89%QeA>58&hqbdhCftbSrOS^}S~V<mJw(LKHd~@5n>CV3pqcFKZ2AIKD0f
z9$UGYwkKadN*!J;t~wi2ES`;Wq8#QDXiMoiv@NMz8%4IKL9Rw=7*z50#Ofwx_P@r`
z_=28xJBg5&4Y6WkxWg&O(CoY^D4<l%@R})XIo~~QEs1Wlplsktj2z58hGe<t5Ed-w
zQpsZURu#4qPNZJ@Sxlc!Wke`SSL6<fMXyBcy&X3fy{CC_f(pIBy^4psN#3r7pkQF|
zl4glA3CYv6GSfF9xE_bde2eFq#&w)8qIhd}`3bm%{NfTvXECtMKA}Nii`;|8qzLoh
zU8S8%ZhgU<t!ZXs9Ku3Uo(Tp9@3lM`9fH=Czrs(onbOCcc>6@Xjm;(3^YqY;cqpf!
zFo*o}m`Zk#mzfbQreOZ9lCyQ$^2fDiN(}~axu^*7%)yWey6>V6|CDCoU!T?okujS0
zP3JCQ?~KU9d-ND(tJ_2V;vRoQF-8jn%^OEXL6eZ|fkQA+hvYI_o7)Ngee4F7_>f_I
zV&J2&j;nCQz|e$sbn>QC2#VOs7Ghr#Kil<os>x)6Bk01aPzZ<0iz(K7s&}#j{ZS>e
zIdU=?=vrxsV(1Hv?62NW$C&wk9OkECs83JXRygeu@1ZIs4Va<TIA0REfq8u2!gVT!
z1!?a21-<4Isi7p8Cm2})F&K@pr$aF~cw81o`uzz{{B`qKoiofkr}e;Iudj%OUPqXS
zndkZ_-jqr8(sN;k3(8@h8^Y_X#qsWr##Ncz4CoC(O{JBT9D2@3R>;FTIcH8)nTTTu
zJeM%!!D>`UH!3~r9m{}ZM9PY)vE<d1X;(8FCq)SU($Hhld@+E#o~`m-dL|Yz5GxA1
zJwHf7S4Pu%JhR4>ZOwQ|jU1&2L1uf%kED3nB;X89LiGg<-a^4Jvw!KwEkQWvT?$AD
z{=(9kHVan)EZl2#Ioy>AF9ACnnRhfOOs>jrkY*)$(Zb#p32o)>`tKBYXj?h02P1GF
zg~?cVc)`V=LExAPu6>gCL*jUMY1mjtqf%5vUn+AI1Ef`4vB4~Qp3kUa=ZPdfw73B0
zFp_UpHjy0iu|-wg**k^meVf&av_0~N{w(VB(hJPQdE!OW9L^FPuH9$N!6yQdal`ev
z2Ge!8B53;5E=HkRGUTuz7zJ^MLwx5BharW5#&LxB*-#z`!+%cmKsfqiKn)Y_2V(x2
zLt>)+c#8Bpi2jj7a)H`uI9Rzsw6+f=+J|cGpUeN=hyN}NX<~2j8=#VnZJ4X4c~q(u
zzd1%eVb(g4wE3|-%vjjkNXt?^M4`=E9Rm7(F(aL>QXe)>wwuO(|C;{F>#)D#08NcD
zKHB_UaYR{_Za&ynN2}zXo{KjFZcw0s2}2$Pu&%wA9?Y-j29jM1`Rnr4h`z)W&oF0W
zZP$m)K-tpOTJR@CafWF<H5GFaWIOS2K>^1s`C{wwL6sUbGGFzkOVD^w?&9S2G9<S}
zPOITuyFWy*H~LJwE`AOf6GL$W<WULJY<mu&FfakKo<-Z^5HddwLR($|K1YD+G&tAS
zyFgq1(E3#FdVw1Zj6jcOWjxbGkS+X0-a8fM>4kFkI;Fn~QUB21`*-Z<`>EA$=~>1c
zl}z2CPuNtgXgJ~ro7~yeUrYk>L7rT2oG_A!^X9^Be%&7!apElhj$xWj@pvBJOR7DV
zPcI2oS%wnR1`Eb{AATY)Z$&ud-3A_;E5EcoYL48;bK;4lFf;X3Q)lH#jnOO8B#4(8
z-4scRI2!J`j$U@dWF(`^jBWTU5v&(F1cC4asfDinMm>7(wPI`CZXZFw&*?ZgCt01d
zicCfDya}&u$ML!>UG0dVnm4AVAZ%cTh2p9wh;PqzbyAMBYr|SW4XZpX6YS50f1fWs
zwlrt9k=QU=<t*kHec2ttk6G%Mn4zVXbmjOq0fiMb8LGdP!ed}q=b{*aZLyH;j%GsI
zp<$IQ1_n?#+pE@9lo40gHWURFVW6u){`2Bn7=ng9&<>P(Qq`OaX0Qq~-j?;tSH@!S
zQ#1mS9t0^|e(PQ%5VLf%x3Khhpp6Di;Dhwe9*#b~wX%Iz9z;YU1A@AhzIUtrYi22s
zSApcTL2^~BY!5Vm4+K+xF8|lB|GPNm3l-{K%v=P!o5gSii7&6BUDgCM*0HJU5IC7N
z_jZUftlVQgcrjbDZ0mtZ$WtS$xc3L-t0Wue*5s^B4A@6YcVO0H_u;_427<04c{_4P
zvMAQ0RM$v&jK_r8gR>YfllebwS-gSEHCveyZIakeJvlp_Zji->(Dr?yEoam=JdK==
z$*wkLeED>8+Osa5{TwW8gh=5zPgU`*r;20L6SQCzvU79+jxd8Y>EYDCAWnJwUErBb
zFLd6X6y{VN8TE5Cgjq_y)(&w@Nfx10{+a1%>pec675a~<C@qgRU}gNd=`KAyN7cXT
zNoM5-pd^TOP3ak8wdNGYP)Z5wym98K<+A0zPaD%m(LpG)I`6E7l6a~PR@tF;*0AyA
zf<K>iyyT8d)vUMB;=m0S<~dfNMj!PmcpPq*wbOKm-1T#9Uq5vA8qsqTTfC`JcuPTl
z+cV-glZpb<Irt(Ha#0athqNfc=}RHur(V?s;ECf|0&v&`XyA->Z0^O$$aPQCuVK+V
z(H*|T^|zu@5xCN=5xx*fTO<qLOop*WsI!)G2cGec#+l&adn3>c6O0EFll3#a>9{wx
zY_fRt+EXEB#A0o=E4GQkd^s!LjpIcL7kyOv^OmgL_fa($RFO|~8=0Sx*m+SFsakf2
za4wt2n4(ZAOybwBdvO<$XQ{J(!y;=I%b%cz80oyx;^<4_V|a;94FHpekf`iS7Nmz_
z4JH&c3nYl;lLY_+WkClE1_k0;V_^i9zggg6py^Q{AqYSl6D$n01sx<97!;O7_1k^~
zO`knIPo(5aJhiSu!Wpz*9Pp2L2fi*?O$S^sS*GPMu=UcNl%j#!$n~Rj8i#=`nA&X4
zQDF@wthhB@UqP%V#-`M)_9IL>1Fwu61UidCDj^svO_%N{bLnf^KrL68!OU%%O&*KK
z^oNrTLcpX8F8$b;7-7<I{Ox_}PJwy=DwVgTva3cWl8&#gfXH(yRk$T725eUR$v3bX
zeXlVZQcnznLtCA?W^Dt}-4PI~-vp(eZwp*q?J}0oJm=G#A6H?j>}-d_e&(UdkusH0
zK0y>~jLPYqQ3<d@G%*q;<%+Ai=GtR~lO<|?lkwzYyWml-OX19g{SrHrp=Bv`_}AI4
z_{^{EE7qJ<ri*2Gv#sk}vfIj0sK!ae%Z&KTEYCR;^-&sOtMCKjq~cZNm=xwim&XxQ
z5pdIQ2&$DK*1+>kxyj_kdoong&{146VdB)8if9bP0pXgA-0h*_&%YqaF=TcphH@AW
zp*Cm8imBdl@cK4y(SCL>8DP1<ati1p=8|?L7kLsMw29{wEfOid;is)v+#G|sRb<;O
z^|g*5%cL?UX#08gybfA-#r(3u3hQM5?&eYTT_Q0K0>RDf@db6`yAGmyTeEoolhq!*
zY3@o<l=)W#4n7g;y*Tz?o?0?p@V-HQ#UIJ%S)^zh3`GWK5pxtI^Fi;nW*9X%<f9;I
z=((%_edaA40=&X@;01an2($M=m_7Xsv*C~@R@!VYZEAitm52V3zz|jp7PJR^hQ@@K
z;sVM3af6tfegbe%DgB3FB_^?mqU3`DEJy&>%-HO2yeg)klFg626A=^f;SWK1rK+*j
zQ&#dn8G#?3{iE6g1pRV$2Ri@gO8(<86TkxET6w6rv-3PaI)DY#aQc1u|I2Ou4*BPH
zZ0Og`)RTka^POMegJ)$T1{%7^v=)^gLn(TvAnu|s=@k-=JQ_z1CZuo92GtSSj8I{>
zJhc6CtOtx08y|Pc$K1>BbJUUmXIeZ@D@vSN_La1W3Km>RQ}e!B$}c41%C(i<1Jkpw
zrDnC9kKyww-NiBOGa1DJZI}Igue1e3+UwuS<PRW^r!vC=Rl$nv2dXT0Pq0!NwMaC(
z0Xg(`tH*+8oMxYp2=hYZnC0Y_87Q;tl7x2}C}P<L9V8}-BfW`7iLdm;qKAizQLP7&
z3|g|K;tpmT5fHV3xa=(ys~-5iL$XYX-b&199yKw{mYF8+my|Dd6N=R3wcsb+O?x+i
z#CvwuqwrZ*K1vlvaJQOisMrkNB>`p6jN@cs-9;A!PUdSV+4Y(m^2Ohk`+M*cQS1hl
z6fO_I$V1$fKS@hNWJZfBJn^3lcSY8bkvKbWdIF%GdLv5_eQF49Iv(yq(;$a%dQld{
z;O9ccMucdJfEx&Q-{@|zQC}lGNcMU%KxIu@)q-K%I1&~abwt#oQ`{v}Tse0R4S_M4
zFtBQsa1D$2kV^y{g4x%lXhHP7{8l8g=6O!SN60?gcX4wwgiFFN^v%;=1lTj)gZGXM
zNs^R9^ogxkz6{~-RU{U$dxs^z!X)x~5b%bJpANrNBwVpzM2^jCK3?WK9e^o|@!$Hz
zGYvo3n&ulO4JN&St9TY(!0@Dt`=_nppT7L}pf&6t&jo(1mVq`5MdFsIzT6i=_T5&U
z)=y+q%ZKRoJ$bq&)kAWU4#M#T7|bJgkVS9aAGn1IMV|!dd#&MGv~vb6AMwZf>TwO}
z27u8XjnFe3#+BMZC)qmpYwj#6Q_!qQpb2bR<X53+pvJ?S?91uAJX1UD<XmO$qHOnK
zRwO0oyCop4eucu|_|;XY88aD1WneS>@!%^xYaFt~c^9K>G`t1=!0k=EZlB1bXl226
z^kr<wVlH2Ha9e5Y>4^9=sNVPMuqSON@n12Qx1+n`^4U?lXyq{#KVfS+xi|+YpQW?=
zysRlE;BW;#85!FtQ(GbknAzr)S$)isu|^nGT!PIOmX?TsMxlwZbT%Tt{JLW<Cea1l
zoY_RM)|py@>#Kt1N^06YFQ;IEx~!^>oYCCgohQ1#>}M=5qedGu$T{rbFE2aJC{mRV
z;Muu~oKmQcTSR^5c!U_V%Qr>8pv+A0$uk9Q1vA;O&dy7PDcPkaFexq5IC0{P9l6|5
z(Zfnnno<v3oXy(YV6bY!b*hP0Wqx4yyMZ}i6^Fz+)ZRX_MlM0G4esbAcmunw^Ep3)
zb3fCajb8zVd<1)KK6@ta)53TUU=25Llt*gEKf+Gu(PEA$R;Ax)akV+{6L(ckslYZ(
o<H97XHcpV<_G^4M2p57uX#%pOc!b!bkRo5u*+XJvZcO=q0B44HPXGV_

literal 0
HcmV?d00001

diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle.go
index bb26698790..ee99a40a28 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle.go
@@ -4,4321 +4,882 @@ package fallback
 
 var unparsedCertificates = []unparsedCertificate{
 	{
-		cn:         "CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OU=Ceres,O=FNMT-RCM,C=ES,2.5.4.97=#130f56415445532d51323832363030344a",
-		sha256Hash: "554153b13d2cf9ddb753bfbe1a4e0ae08d0aa4187058fe60a2b862b2e4b87bcb",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICbjCCAfOgAwIBAgIQYvYybOXE42hcG2LdnC6dlTAKBggqhkjOPQQDAzB4MQsw
-CQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVzMRgw
-FgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJBSVogRk5NVC1S
-Q00gU0VSVklET1JFUyBTRUdVUk9TMB4XDTE4MTIyMDA5MzczM1oXDTQzMTIyMDA5
-MzczM1oweDELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4wDAYDVQQL
-DAVDZXJlczEYMBYGA1UEYQwPVkFURVMtUTI4MjYwMDRKMSwwKgYDVQQDDCNBQyBS
-QUlaIEZOTVQtUkNNIFNFUlZJRE9SRVMgU0VHVVJPUzB2MBAGByqGSM49AgEGBSuB
-BAAiA2IABPa6V1PIyqvfNkpSIeSX0oNnnvBlUdBeh8dHsVnyV0ebAAKTRBdp20LH
-sbI6GA60XYyzZl2hNPk2LEnb80b8s0RpRBNm/dfF/a82Tc4DTQdxz69qBdKiQ1oK
-Um8BA06Oi6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
-VR0OBBYEFAG5L++/EYZg8k/QQW6rcx/n0m5JMAoGCCqGSM49BAMDA2kAMGYCMQCu
-SuMrQMN0EfKVrRYj3k4MGuZdpSRea0R7/DjiT8ucRRcRTBQnJlU5dUoDzBOQn5IC
-MQD6SmxgiHPz7riYYqnOK8LZiqZwMR2vsJRM60/G49HzYqc8/5MuB1xJAWdpEgJy
-v+c=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=ACCVRAIZ1,OU=PKIACCV,O=ACCV,C=ES",
-		sha256Hash: "9a6ec012e1a7da9dbe34194d478ad7c0db1822fb071df12981496ed104384113",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
-AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
-CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
-BgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUND
-VjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCb
-qau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoY
-HtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWo
-G2ioPej0RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpA
-lHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhr
-IA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/
-0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9wrqODJerWx5eH
-k6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2x/47
-4KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMO
-m3WR5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpa
-cXpkatcnYGMN285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPl
-uUsXQA+xtrn13k/c4LOsOxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYI
-KwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmls
-ZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEuY3J0MB8GCCsG
-AQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2
-VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeT
-VfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIG
-CCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUA
-cgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEA
-QwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA
-7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQA
-cgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAA
-QwBQAFMAIABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUA
-czAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2Mu
-aHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRt
-aW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4GA1Ud
-DwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEF
-BQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdp
-D70ER9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gU
-JyCpZET/LtZ1qmxNYEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+m
-AM/EKXMRNt6GGT6d7hmKG9Ww7Y49nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepD
-vV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJTS+xJlsndQAJxGJ3KQhfnlms
-tn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3sCPdK6jT2iWH
-7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h
-I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szA
-h1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xF
-d3+YJ5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2H
-pPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT",
-		sha256Hash: "55926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
-BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w
-MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290
-IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC
-SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1
-ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv
-UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX
-4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9
-KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/
-gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb
-rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ
-51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F
-be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe
-KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F
-v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn
-fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7
-jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz
-ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt
-ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL
-e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70
-jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz
-WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V
-SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j
-pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX
-X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok
-fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R
-K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU
-ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU
-LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT
-LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=AffirmTrust Commercial,O=AffirmTrust,C=US",
-		sha256Hash: "0376ab1d54c5f9803ce4b2e201a0ee7eef7b57b636e8a93c9b8d4860c96f5fa7",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP
-Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr
-ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL
-MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1
-yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr
-VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/
-nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG
-XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj
-vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt
-Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g
-N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC
-nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
------END CERTIFICATE-----
-`,
+		cn:           "CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS,OU=Ceres,O=FNMT-RCM,C=ES,2.5.4.97=#130f56415445532d51323832363030344a",
+		sha256Hash:   "554153b13d2cf9ddb753bfbe1a4e0ae08d0aa4187058fe60a2b862b2e4b87bcb",
+		certStartOff: 0,
+		certLength:   626,
+	},
+	{
+		cn:           "CN=ACCVRAIZ1,OU=PKIACCV,O=ACCV,C=ES",
+		sha256Hash:   "9a6ec012e1a7da9dbe34194d478ad7c0db1822fb071df12981496ed104384113",
+		certStartOff: 626,
+		certLength:   2007,
+	},
+	{
+		cn:           "CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT",
+		sha256Hash:   "55926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066",
+		certStartOff: 2633,
+		certLength:   1471,
+	},
+	{
+		cn:            "CN=AffirmTrust Commercial,O=AffirmTrust,C=US",
+		sha256Hash:    "0376ab1d54c5f9803ce4b2e201a0ee7eef7b57b636e8a93c9b8d4860c96f5fa7",
+		certStartOff:  4104,
+		certLength:    848,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=AffirmTrust Networking,O=AffirmTrust,C=US",
-		sha256Hash: "0a81ec5a929777f145904af38d5d509f66b5e2c58fcdb531058b0e17f3f0b41b",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y
-YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua
-kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL
-QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp
-6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG
-yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i
-QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO
-tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu
-QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ
-Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u
-olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48
-x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s=
------END CERTIFICATE-----
-`,
+		cn:            "CN=AffirmTrust Networking,O=AffirmTrust,C=US",
+		sha256Hash:    "0a81ec5a929777f145904af38d5d509f66b5e2c58fcdb531058b0e17f3f0b41b",
+		certStartOff:  4952,
+		certLength:    848,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US",
-		sha256Hash: "bd71fdf6da97e4cf62d1647add2581b07d79adf8397eb4ecba9c5e8488821423",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC
-VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ
-cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ
-BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt
-VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D
-0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9
-ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G
-A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs
-aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
-flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
------END CERTIFICATE-----
-`,
+		cn:            "CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US",
+		sha256Hash:    "bd71fdf6da97e4cf62d1647add2581b07d79adf8397eb4ecba9c5e8488821423",
+		certStartOff:  5800,
+		certLength:    514,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=AffirmTrust Premium,O=AffirmTrust,C=US",
-		sha256Hash: "70a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz
-dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG
-A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U
-cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf
-qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ
-JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ
-+jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS
-s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5
-HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7
-70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG
-V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S
-qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S
-5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia
-C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX
-OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE
-FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2
-KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg
-Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B
-8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ
-MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc
-0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ
-u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF
-u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH
-YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8
-GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO
-RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e
-KeC2uAloGRwYQw==
------END CERTIFICATE-----
-`,
+		cn:            "CN=AffirmTrust Premium,O=AffirmTrust,C=US",
+		sha256Hash:    "70a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a",
+		certStartOff:  6314,
+		certLength:    1354,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=Amazon Root CA 1,O=Amazon,C=US",
-		sha256Hash: "8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
-ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
-ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
-9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
-IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
-VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
-93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
-jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
-A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
-U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
-N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
-o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
-5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
-rqXRfboQnoZsG4q5WTP468SQvvG5
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Amazon Root CA 2,O=Amazon,C=US",
-		sha256Hash: "1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
-ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK
-gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ
-W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg
-1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K
-8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r
-2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me
-z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR
-8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj
-mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz
-7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6
-+XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI
-0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB
-Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm
-UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2
-LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY
-+gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS
-k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl
-7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm
-btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl
-urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+
-fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63
-n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE
-76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H
-9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT
-4PsJYGw=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Amazon Root CA 3,O=Amazon,C=US",
-		sha256Hash: "18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5
-MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
-Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
-A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
-Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl
-ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr
-ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr
-BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM
-YyRIHN8wfdVoOw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Amazon Root CA 4,O=Amazon,C=US",
-		sha256Hash: "e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5
-MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
-Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
-A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
-Q0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi
-9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83Bk
-M6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB
-/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WB
-MAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlw
-CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW
-1KyLa2tJElMzrdfkviT8tQp21KW8EA==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Atos TrustedRoot 2011,O=Atos,C=DE",
-		sha256Hash: "f356bea244b7a91eb35d53ca9ad7864ace018e2d35d5f8f96ddf68a6f41aa474",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIIXDPLYixfszIwDQYJKoZIhvcNAQELBQAwPDEeMBwGA1UE
-AwwVQXRvcyBUcnVzdGVkUm9vdCAyMDExMQ0wCwYDVQQKDARBdG9zMQswCQYDVQQG
-EwJERTAeFw0xMTA3MDcxNDU4MzBaFw0zMDEyMzEyMzU5NTlaMDwxHjAcBgNVBAMM
-FUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsGA1UECgwEQXRvczELMAkGA1UEBhMC
-REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVhTuXbyo7LjvPpvMp
-Nb7PGKw+qtn4TaA+Gke5vJrf8v7MPkfoepbCJI419KkM/IL9bcFyYie96mvr54rM
-VD6QUM+A1JX76LWC1BTFtqlVJVfbsVD2sGBkWXppzwO3bw2+yj5vdHLqqjAqc2K+
-SZFhyBH+DgMq92og3AIVDV4VavzjgsG1xZ1kCWyjWZgHJ8cblithdHFsQ/H3NYkQ
-4J7sVaE3IqKHBAUsR320HLliKWYoyrfhk/WklAOZuXCFteZI6o1Q/NnezG8HDt0L
-cp2AMBYHlT8oDv3FdU9T1nSatCQujgKRz3bFmx5VdJx4IbHwLfELn8LVlhgf8FQi
-eowHAgMBAAGjfTB7MB0GA1UdDgQWBBSnpQaxLKYJYO7Rl+lwrrw7GWzbITAPBgNV
-HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFKelBrEspglg7tGX6XCuvDsZbNshMBgG
-A1UdIAQRMA8wDQYLKwYBBAGwLQMEAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
-DQEBCwUAA4IBAQAmdzTblEiGKkGdLD4GkGDEjKwLVLgfuXvTBznk+j57sj1O7Z8j
-vZfza1zv7v1Apt+hk6EKhqzvINB5Ab149xnYJDE0BAGmuhWawyfc2E8PzBhj/5kP
-DpFrdRbhIfzYJsdHt6bPWHJxfrrhTZVHO8mvbaG0weyJ9rQPOLXiZNwlz6bb65pc
-maHFCN795trV1lpFDMS3wrUU77QR/w4VtfX128a961qn8FYiqTxlVMYVqL2Gns2D
-lmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G3mB/ufNPRJLv
-KrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Atos TrustedRoot Root CA ECC TLS 2021,O=Atos,C=DE",
-		sha256Hash: "b2fae53e14ccd7ab9212064701ae279c1d8988facb775fa8a008914e663988a8",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICFTCCAZugAwIBAgIQPZg7pmY9kGP3fiZXOATvADAKBggqhkjOPQQDAzBMMS4w
-LAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgRUNDIFRMUyAyMDIxMQ0w
-CwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTI2MjNaFw00MTA0
-MTcwOTI2MjJaMEwxLjAsBgNVBAMMJUF0b3MgVHJ1c3RlZFJvb3QgUm9vdCBDQSBF
-Q0MgVExTIDIwMjExDTALBgNVBAoMBEF0b3MxCzAJBgNVBAYTAkRFMHYwEAYHKoZI
-zj0CAQYFK4EEACIDYgAEloZYKDcKZ9Cg3iQZGeHkBQcfl+3oZIK59sRxUM6KDP/X
-tXa7oWyTbIOiaG6l2b4siJVBzV3dscqDY4PMwL502eCdpO5KTlbgmClBk1IQ1SQ4
-AjJn8ZQSb+/Xxd4u/RmAo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR2
-KCXWfeBmmnoJsmo7jjPXNtNPojAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMD
-aAAwZQIwW5kp85wxtolrbNa9d+F851F+uDrNozZffPc8dz7kUK2o59JZDCaOMDtu
-CCrCp1rIAjEAmeMM56PDr9NJLkaCI2ZdyQAUEv049OGYa3cpetskz2VAv9LcjBHo
-9H1/IISpQuQo
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Atos TrustedRoot Root CA RSA TLS 2021,O=Atos,C=DE",
-		sha256Hash: "81a9088ea59fb364c548a6f85559099b6f0405efbf18e5324ec9f457ba00112f",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFZDCCA0ygAwIBAgIQU9XP5hmTC/srBRLYwiqipDANBgkqhkiG9w0BAQwFADBM
-MS4wLAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgUlNBIFRMUyAyMDIx
-MQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTIxMTBaFw00
-MTA0MTcwOTIxMDlaMEwxLjAsBgNVBAMMJUF0b3MgVHJ1c3RlZFJvb3QgUm9vdCBD
-QSBSU0EgVExTIDIwMjExDTALBgNVBAoMBEF0b3MxCzAJBgNVBAYTAkRFMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtoAOxHm9BYx9sKOdTSJNy/BBl01Z
-4NH+VoyX8te9j2y3I49f1cTYQcvyAh5x5en2XssIKl4w8i1mx4QbZFc4nXUtVsYv
-Ye+W/CBGvevUez8/fEc4BKkbqlLfEzfTFRVOvV98r61jx3ncCHvVoOX3W3WsgFWZ
-kmGbzSoXfduP9LVq6hdKZChmFSlsAvFr1bqjM9xaZ6cF4r9lthawEO3NUDPJcFDs
-GY6wx/J0W2tExn2WuZgIWWbeKQGb9Cpt0xU6kGpn8bRrZtkh68rZYnxGEFzedUln
-nkL5/nWpo63/dgpnQOPF943HhZpZnmKaau1Fh5hnstVKPNe0OwANwI8f4UDErmwh
-3El+fsqyjW22v5MvoVw+j8rtgI5Y4dtXz4U2OLJxpAmMkokIiEjxQGMYsluMWuPD
-0xeqqxmjLBvk1cbiZnrXghmmOxYsL3GHX0WelXOTwkKBIROW1527k2gV+p2kHYzy
-geBYBr3JtuP2iV2J+axEoctr+hbxx1A9JNr3w+SH1VbxT5Aw+kUJWdo0zuATHAR8
-ANSbhqRAvNncTFd+rrcztl524WWLZt+NyteYr842mIycg5kDcPOvdO3GDjbnvezB
-c6eUWsuSZIKmAMFwoW4sKeFYV+xafJlrJaSQOoD0IJ2azsct+bJLKZWD6TWNp0lI
-pw9MGZHQ9b8Q4HECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-dEmZ0f+0emhFdcN+tNzMzjkz2ggwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
-DAUAA4ICAQAjQ1MkYlxt/T7Cz1UAbMVWiLkO3TriJQ2VSpfKgInuKs1l+NsW4AmS
-4BjHeJi78+xCUvuppILXTdiK/ORO/auQxDh1MoSf/7OwKwIzNsAQkG8dnK/haZPs
-o0UvFJ/1TCplQ3IM98P4lYsU84UgYt1UU90s3BiVaU+DR3BAM1h3Egyi61IxHkzJ
-qM7F78PRreBrAwA0JrRUITWXAdxfG/F851X6LWh3e9NpzNMOa7pNdkTWwhWaJuyw
-xfW70Xp0wmzNxbVe9kzmWy2B27O3Opee7c9GslA9hGCZcbUztVdF5kJHdWoOsAgM
-rr3e97sPWD2PAzHoPYJQyi9eDF20l74gNAf0xBLh7tew2VktafcxBPTy+av5EzH4
-AXcOPUIjJsyacmdRIXrMPIWo6iFqO9taPKU0nprALN+AnCng33eU0aKAQv9qTFsR
-0PXNor6uzFFcw9VUewyu1rkGd4Di7wcaaMxZUa1+XGdrudviB0JbuAEFWDlN5LuY
-o7Ey7Nmj1m+UI/87tyll5gfp77YZ6ufCOB0yiJA8EytuzO+rdwY0d4RPcuSBhPm5
-dDTedk+SKlOxJTnbPP/lPqYO5Wue/9vsL3SD3460s6neFE3/MaNFcyT6lSnMEpcE
-oji2jbDwN/zIIX8/syQbPYtuzE2wFg2WHYMfRsCbvUOZ58SWLs5fyQ==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES",
-		sha256Hash: "57de0583efd2b26e0361da99da9df4648def7ee8441c3b728afa9bcde0f9b26a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIGFDCCA/ygAwIBAgIIG3Dp0v+ubHEwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UE
-BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h
-cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0xNDA5MjMxNTIyMDdaFw0zNjA1
-MDUxNTIyMDdaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg
-Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9
-thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM
-cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG
-L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i
-NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h
-X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b
-m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy
-Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja
-EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T
-KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF
-6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh
-OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMB0GA1UdDgQWBBRlzeurNR4APn7VdMAc
-tHNHDhpkLzASBgNVHRMBAf8ECDAGAQH/AgEBMIGmBgNVHSAEgZ4wgZswgZgGBFUd
-IAAwgY8wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuZmlybWFwcm9mZXNpb25hbC5j
-b20vY3BzMFwGCCsGAQUFBwICMFAeTgBQAGEAcwBlAG8AIABkAGUAIABsAGEAIABC
-AG8AbgBhAG4AbwB2AGEAIAA0ADcAIABCAGEAcgBjAGUAbABvAG4AYQAgADAAOAAw
-ADEANzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAHSHKAIrdx9m
-iWTtj3QuRhy7qPj4Cx2Dtjqn6EWKB7fgPiDL4QjbEwj4KKE1soCzC1HA01aajTNF
-Sa9J8OA9B3pFE1r/yJfY0xgsfZb43aJlQ3CTkBW6kN/oGbDbLIpgD7dvlAceHabJ
-hfa9NPhAeGIQcDq+fUs5gakQ1JZBu/hfHAsdCPKxsIl68veg4MSPi3i1O1ilI45P
-Vf42O+AMt8oqMEEgtIDNrvx2ZnOorm7hfNoD6JQg5iKj0B+QXSBTFCZX2lSX3xZE
-EAEeiGaPcjiT3SC3NL7X8e5jjkd5KAb881lFJWAiMxujX6i6KtoaPc1A6ozuBRWV
-1aUsIC+nmCjuRfzxuIgALI9C2lHVnOUTaHFFQ4ueCyE8S1wF3BqfmI7avSKecs2t
-CsvMo2ebKHTEm9caPARYpoKdrcd7b/+Alun4jWq9GJAd/0kakFI3ky88Al2CdgtR
-5xbHV/g4+afNmyJU72OwFW1TZQNKXkqgsqeOSQBZONXH9IBk9W6VULgRfhVwOEqw
-f9DEMnDAGf/JOC0ULGb0QkTmVXYbgBVX/8Cnp6o5qtjTcNAuuuuUavpfNIbnYrX9
-ivAwhZTJryQCL2/W3Wf+47BVTwSYT6RBVuKT0Gro1vP7ZeDOdcQxWQzugsgMYDNK
-GbqEZycPvEJdvSRUDewdcAZfpLz6IHxV
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=BJCA Global Root CA1,O=BEIJING CERTIFICATE AUTHORITY,C=CN",
-		sha256Hash: "f3896f88fe7c0a882766a7fa6ad2749fb57a7f3e98fb769c1fa7b09c2c44d5ae",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFdDCCA1ygAwIBAgIQVW9l47TZkGobCdFsPsBsIDANBgkqhkiG9w0BAQsFADBU
-MQswCQYDVQQGEwJDTjEmMCQGA1UECgwdQkVJSklORyBDRVJUSUZJQ0FURSBBVVRI
-T1JJVFkxHTAbBgNVBAMMFEJKQ0EgR2xvYmFsIFJvb3QgQ0ExMB4XDTE5MTIxOTAz
-MTYxN1oXDTQ0MTIxMjAzMTYxN1owVDELMAkGA1UEBhMCQ04xJjAkBgNVBAoMHUJF
-SUpJTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZMR0wGwYDVQQDDBRCSkNBIEdsb2Jh
-bCBSb290IENBMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPFmCL3Z
-xRVhy4QEQaVpN3cdwbB7+sN3SJATcmTRuHyQNZ0YeYjjlwE8R4HyDqKYDZ4/N+AZ
-spDyRhySsTphzvq3Rp4Dhtczbu33RYx2N95ulpH3134rhxfVizXuhJFyV9xgw8O5
-58dnJCNPYwpj9mZ9S1WnP3hkSWkSl+BMDdMJoDIwOvqfwPKcxRIqLhy1BDPapDgR
-at7GGPZHOiJBhyL8xIkoVNiMpTAK+BcWyqw3/XmnkRd4OJmtWO2y3syJfQOcs4ll
-5+M7sSKGjwZteAf9kRJ/sGsciQ35uMt0WwfCyPQ10WRjeulumijWML3mG90Vr4Tq
-nMfK9Q7q8l0ph49pczm+LiRvRSGsxdRpJQaDrXpIhRMsDQa4bHlW/KNnMoH1V6XK
-V0Jp6VwkYe/iMBhORJhVb3rCk9gZtt58R4oRTklH2yiUAguUSiz5EtBP6DF+bHq/
-pj+bOT0CFqMYs2esWz8sgytnOYFcuX6U1WTdno9uruh8W7TXakdI136z1C2OVnZO
-z2nxbkRs1CTqjSShGL+9V/6pmTW12xB3uD1IutbB5/EjPtffhZ0nPNRAvQoMvfXn
-jSXWgXSHRtQpdaJCbPdzied9v3pKH9MiyRVVz99vfFXQpIsHETdfg6YmV6YBW37+
-WGgHqel62bno/1Afq8K0wM7o6v0PvY1NuLxxAgMBAAGjQjBAMB0GA1UdDgQWBBTF
-7+3M2I0hxkjk49cULqcWk+WYATAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAUoKsITQfI/Ki2Pm4rzc2IInRNwPWaZ+4
-YRC6ojGYWUfo0Q0lHhVBDOAqVdVXUsv45Mdpox1NcQJeXyFFYEhcCY5JEMEE3Kli
-awLwQ8hOnThJdMkycFRtwUf8jrQ2ntScvd0g1lPJGKm1Vrl2i5VnZu69mP6u775u
-+2D2/VnGKhs/I0qUJDAnyIm860Qkmss9vk/Ves6OF8tiwdneHg56/0OGNFK8YT88
-X7vZdrRTvJez/opMEi4r89fO4aL/3Xtw+zuhTaRjAv04l5U/BXCga99igUOLtFkN
-SoxUnMW7gZ/NfaXvCyUeOiDbHPwfmGcCCtRzRBPbUYQaVQNW4AB+dAb/OMRyHdOo
-P2gxXdMJxy6MW2Pg6Nwe0uxhHvLe5e/2mXZgLR6UcnHGCyoyx5JO1UbXHfmpGQrI
-+pXObSOYqgs4rZpWDW+N8TEAiMEXnM0ZNjX+VVOg4DwzX5Ze4jLp3zO7Bkqp2IRz
-znfSxqxx4VyjHQy7Ct9f4qNx2No3WqB4K/TUfet27fJhcKVlmtOJNBir+3I+17Q9
-eVzYH6Eze9mCUAyTF6ps3MKCuwJXNq+YJyo5UOGwifUll35HaBC07HPKs5fRJNz2
-YqAo07WjuGS3iGJCz51TzZm+ZGiPTx4SSPfSKcOYKMryMguTjClPPGAyzQWWYezy
-r/6zcCwupvI=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=BJCA Global Root CA2,O=BEIJING CERTIFICATE AUTHORITY,C=CN",
-		sha256Hash: "574df6931e278039667b720afdc1600fc27eb66dd3092979fb73856487212882",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICJTCCAaugAwIBAgIQLBcIfWQqwP6FGFkGz7RK6zAKBggqhkjOPQQDAzBUMQsw
-CQYDVQQGEwJDTjEmMCQGA1UECgwdQkVJSklORyBDRVJUSUZJQ0FURSBBVVRIT1JJ
-VFkxHTAbBgNVBAMMFEJKQ0EgR2xvYmFsIFJvb3QgQ0EyMB4XDTE5MTIxOTAzMTgy
-MVoXDTQ0MTIxMjAzMTgyMVowVDELMAkGA1UEBhMCQ04xJjAkBgNVBAoMHUJFSUpJ
-TkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZMR0wGwYDVQQDDBRCSkNBIEdsb2JhbCBS
-b290IENBMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABJ3LgJGNU2e1uVCxA/jlSR9B
-IgmwUVJY1is0j8USRhTFiy8shP8sbqjV8QnjAyEUxEM9fMEsxEtqSs3ph+B99iK+
-+kpRuDCK/eHeGBIK9ke35xe/J4rUQUyWPGCWwf0VHKNCMEAwHQYDVR0OBBYEFNJK
-sVF/BvDRgh9Obl+rg/xI1LCRMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMAoGCCqGSM49BAMDA2gAMGUCMBq8W9f+qdJUDkpd0m2xQNz0Q9XSSpkZElaA
-94M04TVOSG0ED1cxMDAtsaqdAzjbBgIxAMvMh1PLet8gUXOQwKhbYdDFUDn9hf7B
-43j4ptZLvZuHjw/l1lOWqzzIQNph91Oj9w==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO",
-		sha256Hash: "9a114025197c5bb95d94e63d55cd43790847b646b23cdf11ada4a00eff15fb48",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
-MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
-Q2xhc3MgMiBSb290IENBMB4XDTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1ow
-TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
-HgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
-BQADggIPADCCAgoCggIBANfHXvfBB9R3+0Mh9PT1aeTuMgHbo4Yf5FkNuud1g1Lr
-6hxhFUi7HQfKjK6w3Jad6sNgkoaCKHOcVgb/S2TwDCo3SbXlzwx87vFKu3MwZfPV
-L4O2fuPn9Z6rYPnT8Z2SdIrkHJasW4DptfQxh6NR/Md+oW+OU3fUl8FVM5I+GC91
-1K2GScuVr1QGbNgGE41b/+EmGVnAJLqBcXmQRFBoJJRfuLMR8SlBYaNByyM21cHx
-MlAQTn/0hpPshNOOvEu/XAFOBz3cFIqUCqTqc/sLUegTBxj6DvEr0VQVfTzh97QZ
-QmdiXnfgolXsttlpF9U6r0TtSsWe5HonfOV116rLJeffawrbD02TTqigzXsu8lkB
-arcNuAeBfos4GzjmCleZPe4h6KP1DBbdi+w0jpwqHAAVF41og9JwnxgIzRFo1clr
-Us3ERo/ctfPYV3Me6ZQ5BL/T3jjetFPsaRyifsSP5BtwrfKi+fv3FmRmaZ9JUaLi
-FRhnBkp/1Wy1TbMz4GHrXb7pmA8y1x1LPC5aAVKRCfLf6o3YBkBjqhHk/sM3nhRS
-P/TizPJhk9H9Z2vXUq6/aKtAQ6BXNVN48FP4YUIHZMbXb5tMOA1jrGKvNouicwoN
-9SG9dKpN6nIDSdvHXx1iY8f93ZHsM+71bbRuMGjeyNYmsHVee7QHIJihdjK4TWxP
-AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMmAd+BikoL1Rpzz
-uvdMw964o605MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAU18h
-9bqwOlI5LJKwbADJ784g7wbylp7ppHR/ehb8t/W2+xUbP6umwHJdELFx7rxP462s
-A20ucS6vxOOto70MEae0/0qyexAQH6dXQbLArvQsWdZHEIjzIVEpMMpghq9Gqx3t
-OluwlN5E40EIosHsHdb9T7bWR9AUC8rmyrV7d35BH16Dx7aMOZawP5aBQW9gkOLo
-+fsicdl9sz1Gv7SEr5AcD48Saq/v7h56rgJKihcrdv6sVIkkLE8/trKnToyokZf7
-KcZ7XC25y2a2t6hbElGFtQl+Ynhw/qlqYLYdDnkM/crqJIByw5c/8nerQyIKx+u2
-DISCLIBrQYoIwOula9+ZEsuK1V6ADJHgJgg2SMX6OBE1/yWDLfJ6v9r9jv6ly0Us
-H8SIU653DtmadsWOLB2jutXsMq7Aqqz30XpN69QH4kj3Io6wpJ9qzo6ysmD0oyLQ
-I+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK7
-5t98biGCwWg5TbSYWGZizEqQXsP6JwSxeRV0mcy+rSDeJmAc61ZRpqPq5KM/p/9h
-3PFaTWwyI0PurKju7koSCTxdccK+efrCh2gdC/1cacwG0Jp9VJkqyTkaGa9LKkPz
-Y11aWOIv4x3kqdbQCtCev9eBCfHJxyYNrJgWVqA=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO",
-		sha256Hash: "edf7ebbca27a2a384d387b7d4010c666e2edb4843e4c29b4ae1d5b9332e6b24d",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
-MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
-Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
-TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
-HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
-BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
-ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
-N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
-tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
-0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
-/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
-KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
-zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
-O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
-34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
-K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
-AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
-Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
-QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
-cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
-IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
-HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
-O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
-033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
-dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
-kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
-3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
-u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
-4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK",
-		sha256Hash: "e23d4a036d7b70e9f595b1422079d2b91edfbb1fb651a0633eaa8a9dc5f80703",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFaTCCA1GgAwIBAgIJAJK4iNuwisFjMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
-BAYTAlNLMRMwEQYDVQQHEwpCcmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMu
-MRkwFwYDVQQDExBDQSBEaXNpZyBSb290IFIyMB4XDTEyMDcxOTA5MTUzMFoXDTQy
-MDcxOTA5MTUzMFowUjELMAkGA1UEBhMCU0sxEzARBgNVBAcTCkJyYXRpc2xhdmEx
-EzARBgNVBAoTCkRpc2lnIGEucy4xGTAXBgNVBAMTEENBIERpc2lnIFJvb3QgUjIw
-ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCio8QACdaFXS1tFPbCw3Oe
-NcJxVX6B+6tGUODBfEl45qt5WDza/3wcn9iXAng+a0EE6UG9vgMsRfYvZNSrXaNH
-PWSb6WiaxswbP7q+sos0Ai6YVRn8jG+qX9pMzk0DIaPY0jSTVpbLTAwAFjxfGs3I
-x2ymrdMxp7zo5eFm1tL7A7RBZckQrg4FY8aAamkw/dLukO8NJ9+flXP04SXabBbe
-QTg06ov80egEFGEtQX6sx3dOy1FU+16SGBsEWmjGycT6txOgmLcRK7fWV8x8nhfR
-yyX+hk4kLlYMeE2eARKmK6cBZW58Yh2EhN/qwGu1pSqVg8NTEQxzHQuyRpDRQjrO
-QG6Vrf/GlK1ul4SOfW+eioANSW1z4nuSHsPzwfPrLgVv2RvPN3YEyLRa5Beny912
-H9AZdugsBbPWnDTYltxhh5EF5EQIM8HauQhl1K6yNg3ruji6DOWbnuuNZt2Zz9aJ
-QfYEkoopKW1rOhzndX0CcQ7zwOe9yxndnWCywmZgtrEE7snmhrmaZkCo5xHtgUUD
-i/ZnWejBBhG93c+AAk9lQHhcR1DIm+YfgXvkRKhbhZri3lrVx/k6RGZL5DJUfORs
-nLMOPReisjQS1n6yqEm70XooQL6iFh/f5DcfEXP7kAplQ6INfPgGAVUzfbANuPT1
-rqVCV3w2EYx7XsQDnYx5nQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
-DwEB/wQEAwIBBjAdBgNVHQ4EFgQUtZn4r7CU9eMg1gqtzk5WpC5uQu0wDQYJKoZI
-hvcNAQELBQADggIBACYGXnDnZTPIgm7ZnBc6G3pmsgH2eDtpXi/q/075KMOYKmFM
-tCQSin1tERT3nLXK5ryeJ45MGcipvXrA1zYObYVybqjGom32+nNjf7xueQgcnYqf
-GopTpti72TVVsRHFqQOzVju5hJMiXn7B9hJSi+osZ7z+Nkz1uM/Rs0mSO9MpDpkb
-lvdhuDvEK7Z4bLQjb/D907JedR+Zlais9trhxTF7+9FGs9K8Z7RiVLoJ92Owk6Ka
-+elSLotgEqv89WBW7xBci8QaQtyDW2QOy7W81k/BfDxujRNt+3vrMNDcTa/F1bal
-TFtxyegxvug4BkihGuLq0t4SOVga/4AOgnXmt8kHbA7v/zjxmHHEt38OFdAlab0i
-nSvtBfZGR6ztwPDUO+Ls7pZbkBNOHlY667DvlruWIxG68kOGdGSVyCh13x01utI3
-gzhTODY7z2zp+WsO0PsE6E9312UBeIYMej4hYvF/Y3EMyZ9E26gnonW+boE+18Dr
-G5gPcFw0sorMwIUY6256s/daoQe/qUKS82Ail+QUoQebTnbAjn39pCXHR+3/H3Os
-zMOl6W8KjptlwlCFtaOgUxLMVYdh84GuEEZhvUQhuMI9dM9+JDX6HAcOmz0iyu8x
-L4ysEr3vQCj8KWefshNPZiTEUxnpHikV7+ZtsH8tZ/3zbBt1RqPlShfppNcL
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN",
-		sha256Hash: "5cc3d78e4e1d5e45547a04e6873e64f90cf9536d1ccc2ef800f355c4c5fd70fd",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIEGErM1jANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJD
-TjEwMC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9y
-aXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJPT1QwHhcNMTIwODA4MDMwNzAxWhcNMjkx
-MjMxMDMwNzAxWjBWMQswCQYDVQQGEwJDTjEwMC4GA1UECgwnQ2hpbmEgRmluYW5j
-aWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJP
-T1QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXXWvNED8fBVnVBU03
-sQ7smCuOFR36k0sXgiFxEFLXUWRwFsJVaU2OFW2fvwwbwuCjZ9YMrM8irq93VCpL
-TIpTUnrD7i7es3ElweldPe6hL6P3KjzJIx1qqx2hp/Hz7KDVRM8Vz3IvHWOX6Jn5
-/ZOkVIBMUtRSqy5J35DNuF++P96hyk0g1CXohClTt7GIH//62pCfCqktQT+x8Rgp
-7hZZLDRJGqgG16iI0gNyejLi6mhNbiyWZXvKWfry4t3uMCz7zEasxGPrb382KzRz
-EpR/38wmnvFyXVBlWY9ps4deMm/DGIq1lY+wejfeWkU7xzbh72fROdOXW3NiGUgt
-hxwG+3SYIElz8AXSG7Ggo7cbcNOIabla1jj0Ytwli3i/+Oh+uFzJlU9fpy25IGvP
-a931DfSCt/SyZi4QKPaXWnuWFo8BGS1sbn85WAZkgwGDg8NNkt0yxoekN+kWzqot
-aK8KgWU6cMGbrU1tVMoqLUuFG7OA5nBFDWteNfB/O7ic5ARwiRIlk9oKmSJgamNg
-TnYGmE69g60dWIolhdLHZR4tjsbftsbhf4oEIRUpdPA+nJCdDC7xij5aqgwJHsfV
-PKPtl8MeNPo4+QgO48BdK4PRVmrJtqhUUy54Mmc9gn900PvhtgVguXDbjgv5E1hv
-cWAQUhC5wUEJ73IfZzF4/5YFjQIDAQABo2MwYTAfBgNVHSMEGDAWgBTj/i39KNAL
-tbq2osS/BqoFjJP7LzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd
-BgNVHQ4EFgQU4/4t/SjQC7W6tqLEvwaqBYyT+y8wDQYJKoZIhvcNAQELBQADggIB
-ACXGumvrh8vegjmWPfBEp2uEcwPenStPuiB/vHiyz5ewG5zz13ku9Ui20vsXiObT
-ej/tUxPQ4i9qecsAIyjmHjdXNYmEwnZPNDatZ8POQQaIxffu2Bq41gt/UP+TqhdL
-jOztUmCypAbqTuv0axn96/Ua4CUqmtzHQTb3yHQFhDmVOdYLO6Qn+gjYXB74BGBS
-ESgoA//vU2YApUo0FmZ8/Qmkrp5nGm9BC2sGE5uPhnEFtC+NiWYzKXZUmhH4J/qy
-P5Hgzg0b8zAarb8iXRvTvyUFTeGSGn+ZnzxEk8rUQElsgIfXBDrDMlI1Dlb4pd19
-xIsNER9Tyx6yF7Zod1rg1MvIB671Oi6ON7fQAUtDKXeMOZePglr4UeWJoBjnaH9d
-Ci77o0cOPaYjesYBx4/IXr9tgFa+iiS6M+qf4TIRnvHST4D2G0CvOJ4RUHlzEhLN
-5mydLIhyPDCBBpEi6lmt2hkuIsKNuYyH4Ga8cyNfIWRjgEj1oDwYPZTISEEdQLpe
-/v5WOaHIz16eGWRGENoXkbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+Z
-AAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3CekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ
-5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
-		sha256Hash: "0c2cd63df7806fa399ede809116b575bf87989f06518f9808c860503178baf66",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB
-gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
-BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw
-MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
-YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
-RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3
-UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI
-2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8
-Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp
-+2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+
-DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O
-nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW
-/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g
-PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u
-QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY
-SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv
-IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/
-RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4
-zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
-BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB
-ZQ==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
-		sha256Hash: "1793927a0614549789adce2f8f34f7f0b66d0f3ae3a3b84d21ec15dbba4fadc7",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT
-IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw
-MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy
-ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N
-T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv
-biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR
-FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J
-cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW
-BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
-BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm
-fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv
-GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
-		sha256Hash: "52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
-hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
-BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
-MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
-EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
-Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
-dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
-6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
-pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
-9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
-/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
-Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
-+pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
-qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
-SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
-u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
-Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
-crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
-FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
-/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
-wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
-4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
-2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
-FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
-CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
-boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
-jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
-S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
-QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
-0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
-NVOFBkpdn627G190
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certainly Root E1,O=Certainly,C=US",
-		sha256Hash: "b4585f22e4ac756a4e8612a1361c5d9d031a93fd84febb778fa3068b0fc42dc2",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIB9zCCAX2gAwIBAgIQBiUzsUcDMydc+Y2aub/M+DAKBggqhkjOPQQDAzA9MQsw
-CQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0YWlu
-bHkgUm9vdCBFMTAeFw0yMTA0MDEwMDAwMDBaFw00NjA0MDEwMDAwMDBaMD0xCzAJ
-BgNVBAYTAlVTMRIwEAYDVQQKEwlDZXJ0YWlubHkxGjAYBgNVBAMTEUNlcnRhaW5s
-eSBSb290IEUxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3m/4fxzf7flHh4axpMCK
-+IKXgOqPyEpeKn2IaKcBYhSRJHpcnqMXfYqGITQYUBsQ3tA3SybHGWCA6TS9YBk2
-QNYphwk8kXr2vBMj3VlOBF7PyAIcGFPBMdjaIOlEjeR2o0IwQDAOBgNVHQ8BAf8E
-BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ygYy2R17ikq6+2uI1g4
-hevIIgcwCgYIKoZIzj0EAwMDaAAwZQIxALGOWiDDshliTd6wT99u0nCK8Z9+aozm
-ut6Dacpps6kFtZaSF4fC0urQe87YQVt8rgIwRt7qy12a7DLCZRawTDBcMPPaTnOG
-BtjOiQRINzf43TNRnXCve1XYAS59BWQOhriR
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certainly Root R1,O=Certainly,C=US",
-		sha256Hash: "77b82cd8644c4305f7acc5cb156b45675004033d51c60c6202a8e0c33467d3a0",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFRzCCAy+gAwIBAgIRAI4P+UuQcWhlM1T01EQ5t+AwDQYJKoZIhvcNAQELBQAw
-PTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUNlcnRhaW5seTEaMBgGA1UEAxMRQ2Vy
-dGFpbmx5IFJvb3QgUjEwHhcNMjEwNDAxMDAwMDAwWhcNNDYwNDAxMDAwMDAwWjA9
-MQswCQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0
-YWlubHkgUm9vdCBSMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANA2
-1B/q3avk0bbm+yLA3RMNansiExyXPGhjZjKcA7WNpIGD2ngwEc/csiu+kr+O5MQT
-vqRoTNoCaBZ0vrLdBORrKt03H2As2/X3oXyVtwxwhi7xOu9S98zTm/mLvg7fMbed
-aFySpvXl8wo0tf97ouSHocavFwDvA5HtqRxOcT3Si2yJ9HiG5mpJoM610rCrm/b0
-1C7jcvk2xusVtyWMOvwlDbMicyF0yEqWYZL1LwsYpfSt4u5BvQF5+paMjRcCMLT5
-r3gajLQ2EBAHBXDQ9DGQilHFhiZ5shGIXsXwClTNSaa/ApzSRKft43jvRl5tcdF5
-cBxGX1HpyTfcX35pe0HfNEXgO4T0oYoKNp43zGJS4YkNKPl6I7ENPT2a/Z2B7yyQ
-wHtETrtJ4A5KVpK8y7XdeReJkd5hiXSSqOMyhb5OhaRLWcsrxXiOcVTQAjeZjOVJ
-6uBUcqQRBi8LjMFbvrWhsFNunLhgkR9Za/kt9JQKl7XsxXYDVBtlUrpMklZRNaBA
-2CnbrlJ2Oy0wQJuK0EJWtLeIAaSHO1OWzaMWj/Nmqhexx2DgwUMFDO6bW2BvBlyH
-Wyf5QBGenDPBt+U1VwV/J84XIIwc/PH72jEpSe31C4SnT8H2TsIonPru4K8H+zMR
-eiFPCyEQtkA6qyI6BJyLm4SGcprSp6XEtHWRqSsjAgMBAAGjQjBAMA4GA1UdDwEB
-/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTgqj8ljZ9EXME66C6u
-d0yEPmcM9DANBgkqhkiG9w0BAQsFAAOCAgEAuVevuBLaV4OPaAszHQNTVfSVcOQr
-PbA56/qJYv331hgELyE03fFo8NWWWt7CgKPBjcZq91l3rhVkz1t5BXdm6ozTaw3d
-8VkswTOlMIAVRQdFGjEitpIAq5lNOo93r6kiyi9jyhXWx8bwPWz8HA2YEGGeEaIi
-1wrykXprOQ4vMMM2SZ/g6Q8CRFA3lFV96p/2O7qUpUzpvD5RtOjKkjZUbVwlKNrd
-rRT90+7iIgXr0PK3aBLXWopBGsaSpVo7Y0VPv+E6dyIvXL9G+VoDhRNCX8reU9di
-taY1BMJH/5n9hN9czulegChB8n3nHpDYT3Y+gjwN/KUD+nsa2UUeYNrEjvn8K8l7
-lcUq/6qJ34IxD3L/DCfXCh5WAFAeDJDBlrXYFIW7pw0WwfgHJBu6haEaBQmAupVj
-yTrsJZ9/nbqkRxWbRHDxakvWOF5D8xh+UG7pWijmZeZ3Gzr9Hb4DJqPb1OG7fpYn
-Kx3upPvaJVQTA945xsMfTZDsjxtK0hzthZU4UHlG1sGQUDGpXJpuHfUzVounmdLy
-yCwzk5Iwx06MZTMQZBf9JBeW0Y3COmor6xOLRPIh80oat3df1+2IpHLlOR+Vnb5n
-wXARPbv0+Em34yaXOp/SX3z7wJl8OSngex2/DaeP0ik0biQVy96QXr8axGbqwua6
-OV+KmalBWQewLK8=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR",
-		sha256Hash: "d48d3d23eedb50a459e55197601c27774b9d7b18c94d5a059511a10250b93168",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZBbcTjpuEwDQYJKoZIhvcNAQELBQAw
-WjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczEcMBoGA1UECwwTMDAw
-MiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9vdCBDQTAeFw0x
-MzEwMDEwODMyMjdaFw0zMzEwMDEwODMyMjdaMFoxCzAJBgNVBAYTAkZSMRIwEAYD
-VQQKDAlEaGlteW90aXMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgxMDAwMzYxGTAX
-BgNVBAMMEENlcnRpZ25hIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
-ggIKAoICAQDNGDllGlmx6mQWDoyUJJV8g9PFOSbcDO8WV43X2KyjQn+Cyu3NW9sO
-ty3tRQgXstmzy9YXUnIo245Onoq2C/mehJpNdt4iKVzSs9IGPjA5qXSjklYcoW9M
-CiBtnyN6tMbaLOQdLNyzKNAT8kxOAkmhVECe5uUFoC2EyP+YbNDrihqECB63aCPu
-I9Vwzm1RaRDuoXrC0SIxwoKF0vJVdlB8JXrJhFwLrN1CTivngqIkicuQstDuI7pm
-TLtipPlTWmR7fJj6o0ieD5Wupxj0auwuA0Wv8HT4Ks16XdG+RCYyKfHx9WzMfgIh
-C59vpD++nVPiz32pLHxYGpfhPTc3GGYo0kDFUYqMwy3OU4gkWGQwFsWq4NYKpkDf
-ePb1BHxpE4S80dGnBs8B92jAqFe7OmGtBIyT46388NtEbVncSVmurJqZNjBBe3Yz
-IoejwpKGbvlw7q6Hh5UbxHq9MfPU0uWZ/75I7HX1eBYdpnDBfzwboZL7z8g81sWT
-Co/1VTp2lc5ZmIoJlXcymoO6LAQ6l73UL77XbJuiyn1tJslV1c/DeVIICZkHJC1k
-JWumIWmbat10TWuXekG9qxf5kBdIjzb5LdXF2+6qhUVB+s06RbFo5jZMm5BX7CO5
-hwjCxAnxl4YqKE3idMDaxIzb3+KhF1nOJFl0Mdp//TBt2dzhauH8XwIDAQABo4IB
-GjCCARYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FBiHVuBud+4kNTxOc5of1uHieX4rMB8GA1UdIwQYMBaAFBiHVuBud+4kNTxOc5of
-1uHieX4rMEQGA1UdIAQ9MDswOQYEVR0gADAxMC8GCCsGAQUFBwIBFiNodHRwczov
-L3d3d3cuY2VydGlnbmEuZnIvYXV0b3JpdGVzLzBtBgNVHR8EZjBkMC+gLaArhilo
-dHRwOi8vY3JsLmNlcnRpZ25hLmZyL2NlcnRpZ25hcm9vdGNhLmNybDAxoC+gLYYr
-aHR0cDovL2NybC5kaGlteW90aXMuY29tL2NlcnRpZ25hcm9vdGNhLmNybDANBgkq
-hkiG9w0BAQsFAAOCAgEAlLieT/DjlQgi581oQfccVdV8AOItOoldaDgvUSILSo3L
-6btdPrtcPbEo/uRTVRPPoZAbAh1fZkYJMyjhDSSXcNMQH+pkV5a7XdrnxIxPTGRG
-HVyH41neQtGbqH6mid2PHMkwgu07nM3A6RngatgCdTer9zQoKJHyBApPNeNgJgH6
-0BGM+RFq7q89w1DTj18zeTyGqHNFkIwgtnJzFyO+B2XleJINugHA64wcZr+shncB
-lA2c5uk5jR+mUYyZDDl34bSb+hxnV29qao6pK0xXeXpXIs/NX2NGjVxZOob4Mkdi
-o2cNGJHc+6Zr9UhhcyNZjgKnvETq9Emd8VRY+WCv2hikLyhF3HqgiIZd8zvn/yk1
-gPxkQ5Tm4xxvvq0OKmOZK8l+hfZx6AYDlf7ej0gcWtSS6Cvu5zHbugRqh5jnxV/v
-faci9wHYTfmJ0A6aBVmknpjZbyvKcL5kwlWj9Omvw5Ip3IgWJJk8jSaYtlu3zM63
-Nwf9JtmYhST/WSMDmu2dnajkXjjO11INb9I/bbEFa0nOipFGc/T2L/Coc3cOZayh
-jWZSaX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw
-3kAP+HwV96LOPNdeE4yBFxgX0b3xdxA61GU5wSesVywlVP+i2k+KYTlerj1KjL0=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certigna,O=Dhimyotis,C=FR",
-		sha256Hash: "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNV
-BAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4X
-DTA3MDYyOTE1MTMwNVoXDTI3MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQ
-BgNVBAoMCURoaW15b3RpczERMA8GA1UEAwwIQ2VydGlnbmEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDIaPHJ1tazNHUmgh7stL7qXOEm7RFHYeGifBZ4
-QCHkYJ5ayGPhxLGWkv8YbWkj4Sti993iNi+RB7lIzw7sebYs5zRLcAglozyHGxny
-gQcPOJAZ0xH+hrTy0V4eHpbNgGzOOzGTtvKg0KmVEn2lmsxryIRWijOp5yIVUxbw
-zBfsV1/pogqYCd7jX5xv3EjjhQsVWqa6n6xI4wmy9/Qy3l40vhx4XUJbzg4ij02Q
-130yGLMLLGq/jj8UEYkgDncUtT2UCIf3JR7VsmAA7G8qKCVuKj4YYxclPz5EIBb2
-JsglrgVKtOdjLPOMFlN+XPsRGgjBRmKfIrjxwo1p3Po6WAbfAgMBAAGjgbwwgbkw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGu3+QTmQtCRZvgHyUtVF9lo53BEw
-ZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF9lo53BGhOKQ2MDQxCzAJBgNVBAYT
-AkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hggkA/tzj
-AQ/JSP8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG
-9w0BAQUFAAOCAQEAhQMeknH2Qq/ho2Ge6/PAD/Kl1NqV5ta+aDY9fm4fTIrv0Q8h
-bV6lUmPOEvjvKtpv6zf+EwLHyzs+ImvaYS5/1HI93TDhHkxAGYwP15zRgzB7mFnc
-fca5DClMoTOi62c6ZYTTluLtdkVwj7Ur3vkj1kluPBS1xp81HlDQwY9qcEQCYsuu
-HWhBp6pX6FOqB9IG9tUUBguRA3UsbHK1YZWaDYu5Def131TN3ubY1gkIl2PlwS6w
-t0QmwCbAr1UwnjvVNioZBPRcHv/PLLf/0P2HQBHVESO7SMAhqaQoLf0V+LBOK/Qw
-WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certum EC-384 CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL",
-		sha256Hash: "6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICZTCCAeugAwIBAgIQeI8nXIESUiClBNAt3bpz9DAKBggqhkjOPQQDAzB0MQsw
-CQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScw
-JQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMT
-EENlcnR1bSBFQy0zODQgQ0EwHhcNMTgwMzI2MDcyNDU0WhcNNDMwMzI2MDcyNDU0
-WjB0MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBT
-LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAX
-BgNVBAMTEENlcnR1bSBFQy0zODQgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATE
-KI6rGFtqvm5kN2PkzeyrOvfMobgOgknXhimfoZTy42B4mIF4Bk3y7JoOV2CDn7Tm
-Fy8as10CW4kjPMIRBSqniBMY81CE1700LCeJVf/OTOffph8oxPBUw7l8t1Ot68Kj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI0GZnQkdjrzife81r1HfS+8
-EF9LMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNoADBlAjADVS2m5hjEfO/J
-UG7BJw+ch69u1RsIGL2SKcHvlJF40jocVYli5RsJHrpka/F2tNQCMQC0QoSZ/6vn
-nvuRlydd3LBbMHHOXjgaatkl5+r3YZJW+OraNsKHZZYuciUvf9/DE8k=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL",
-		sha256Hash: "b676f2eddae8775cd36cb0f63cd1d4603961f49e6265ba013a2f0307b6d0b804",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF0jCCA7qgAwIBAgIQIdbQSk8lD8kyN/yqXhKN6TANBgkqhkiG9w0BAQ0FADCB
-gDELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMu
-QS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIG
-A1UEAxMbQ2VydHVtIFRydXN0ZWQgTmV0d29yayBDQSAyMCIYDzIwMTExMDA2MDgz
-OTU2WhgPMjA0NjEwMDYwODM5NTZaMIGAMQswCQYDVQQGEwJQTDEiMCAGA1UEChMZ
-VW5pemV0byBUZWNobm9sb2dpZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5MSQwIgYDVQQDExtDZXJ0dW0gVHJ1c3RlZCBOZXR3
-b3JrIENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9+Xj45tWA
-DGSdhhuWZGc/IjoedQF97/tcZ4zJzFxrqZHmuULlIEub2pt7uZld2ZuAS9eEQCsn
-0+i6MLs+CRqnSZXvK0AkwpfHp+6bJe+oCgCXhVqqndwpyeI1B+twTUrWwbNWuKFB
-OJvR+zF/j+Bf4bE/D44WSWDXBo0Y+aomEKsq09DRZ40bRr5HMNUuctHFY9rnY3lE
-fktjJImGLjQ/KUxSiyqnwOKRKIm5wFv5HdnnJ63/mgKXwcZQkpsCLL2puTRZCr+E
-Sv/f/rOf69me4Jgj7KZrdxYq28ytOxykh9xGc14ZYmhFV+SQgkK7QtbwYeDBoz1m
-o130GO6IyY0XRSmZMnUCMe4pJshrAua1YkV/NxVaI2iJ1D7eTiew8EAMvE0Xy02i
-sx7QBlrd9pPPV3WZ9fqGGmd4s7+W/jTcvedSVuWz5XV710GRBdxdaeOVDUO5/IOW
-OZV7bIBaTxNyxtd9KXpEulKkKtVBRgkg/iKgtlswjbyJDNXXcPiHUv3a76xRLgez
-Tv7QCdpw75j6VuZt27VXS9zlLCUVyJ4ueE742pyehizKV/Ma5ciSixqClnrDvFAS
-adgOWkaLOusm+iPJtrCBvkIApPjW/jAux9JG9uWOdf3yzLnQh1vMBhBgu4M1t15n
-3kfsmUjxpKEV/q2MYo45VU85FrmxY53/twIDAQABo0IwQDAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBS2oVQ5AsOgP46KvPrU+Bym0ToO/TAOBgNVHQ8BAf8EBAMC
-AQYwDQYJKoZIhvcNAQENBQADggIBAHGlDs7k6b8/ONWJWsQCYftMxRQXLYtPU2sQ
-F/xlhMcQSZDe28cmk4gmb3DWAl45oPePq5a1pRNcgRRtDoGCERuKTsZPpd1iHkTf
-CVn0W3cLN+mLIMb4Ck4uWBzrM9DPhmDJ2vuAL55MYIR4PSFk1vtBHxgP58l1cb29
-XN40hz5BsA72udY/CROWFC/emh1auVbONTqwX3BNXuMp8SMoclm2q8KMZiYcdywm
-djWLKKdpoPk79SPdhRB0yZADVpHnr7pH1BKXESLjokmUbOe3lEu6LaTaM4tMpkT/
-WjzGHWTYtTHkpjx6qFcL2+1hGsvxznN3Y6SHb0xRONbkX8eftoEq5IVIeVheO/jb
-AoJnwTnbw3RLPTYe+SmTiGhbqEQZIfCn6IENLOiTNrQ3ssqwGyZ6miUfmpqAnksq
-P/ujmv5zMnHCnsZy4YpoJ/HkD7TETKVhk/iXEAcqMCWpuchxuO9ozC1+9eB+D4Ko
-b7a6bINDd82Kkhehnlt4Fj1F4jNy3eFmypnTycUm/Q1oBEauttmbjL4ZvrHG8hnj
-XALKLNhvSgfZyTXaQHXyxKcZb55CEJh15pWLYLztxRLXis7VmFxWlgPF7ncGNf/P
-5O4/E2Hu29othfDNrp2yGAlFw5Khchf8R7agCyzxxN5DaAhqXzvwdmP7zAYspsbi
-DrW5viSP
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL",
-		sha256Hash: "5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
-MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
-ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
-cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
-WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
-Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
-IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
-UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
-TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
-BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
-kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
-AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
-HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
-sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
-I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
-J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
-VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
-03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Certum Trusted Root CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL",
-		sha256Hash: "fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFwDCCA6igAwIBAgIQHr9ZULjJgDdMBvfrVU+17TANBgkqhkiG9w0BAQ0FADB6
-MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEu
-MScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNV
-BAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwHhcNMTgwMzE2MTIxMDEzWhcNNDMw
-MzE2MTIxMDEzWjB6MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEg
-U3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRo
-b3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQDRLY67tzbqbTeRn06TpwXkKQMlzhyC93yZ
-n0EGze2jusDbCSzBfN8pfktlL5On1AFrAygYo9idBcEq2EXxkd7fO9CAAozPOA/q
-p1x4EaTByIVcJdPTsuclzxFUl6s1wB52HO8AU5853BSlLCIls3Jy/I2z5T4IHhQq
-NwuIPMqw9MjCoa68wb4pZ1Xi/K1ZXP69VyywkI3C7Te2fJmItdUDmj0VDT06qKhF
-8JVOJVkdzZhpu9PMMsmN74H+rX2Ju7pgE8pllWeg8xn2A1bUatMn4qGtg/BKEiJ3
-HAVz4hlxQsDsdUaakFjgao4rpUYwBI4Zshfjvqm6f1bxJAPXsiEodg42MEx51UGa
-mqi4NboMOvJEGyCI98Ul1z3G4z5D3Yf+xOr1Uz5MZf87Sst4WmsXXw3Hw09Omiqi
-7VdNIuJGmj8PkTQkfVXjjJU30xrwCSss0smNtA0Aq2cpKNgB9RkEth2+dv5yXMSF
-ytKAQd8FqKPVhJBPC/PgP5sZ0jeJP/J7UhyM9uH3PAeXjA6iWYEMspA90+NZRu0P
-qafegGtaqge2Gcu8V/OXIXoMsSt0Puvap2ctTMSYnjYJdmZm/Bo/6khUHL4wvYBQ
-v3y1zgD2DGHZ5yQD4OMBgQ692IU0iL2yNqh7XAjlRICMb/gv1SHKHRzQ+8S1h9E6
-Tsd2tTVItQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSM+xx1
-vALTn04uSNn5YFSqxLNP+jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQAD
-ggIBAEii1QALLtA/vBzVtVRJHlpr9OTy4EA34MwUe7nJ+jW1dReTagVphZzNTxl4
-WxmB82M+w85bj/UvXgF2Ez8sALnNllI5SW0ETsXpD4YN4fqzX4IS8TrOZgYkNCvo
-zMrnadyHncI013nR03e4qllY/p0m+jiGPp2Kh2RX5Rc64vmNueMzeMGQ2Ljdt4NR
-5MTMI9UGfOZR0800McD2RrsLrfw9EAUqO0qRJe6M1ISHgCq8CYyqOhNf6DR5UMEQ
-GfnTKB7U0VEwKbOukGfWHwpjscWpxkIxYxeU72nLL/qMFH3EQxiJ2fAyQOaA4kZf
-5ePBAFmo+eggvIksDkc0C+pXwlM2/KfUrzHN/gLldfq5Jwn58/U7yn2fqSLLiMmq
-0Uc9NneoWWRrJ8/vJ8HjJLWG965+Mk2weWjROeiQWMODvA8s1pfrzgzhIMfatz7D
-P78v3DSk+yshzWePS/Tj6tQ/50+6uaWTRRxmHyH6ZF5v4HaUMst19W7l9o/HuKTM
-qJZ9ZPskWkoDbGs4xugDQ5r3V7mzKWmTOPQD8rv7gmsHINFSH5pkAnuYZttcTVoP
-0ISVoDwUQwbKytu4QTbaakRnh6+v40URFWkIsr4WOZckbxJF0WddCajJFdr60qZf
-E2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=CommScope Public Trust ECC Root-01,O=CommScope,C=US",
-		sha256Hash: "11437cda7bb45e41365f45b39a38986b0de00def348e0c7bb0873633800bc38b",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICHTCCAaOgAwIBAgIUQ3CCd89NXTTxyq4yLzf39H91oJ4wCgYIKoZIzj0EAwMw
-TjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwiQ29t
-bVNjb3BlIFB1YmxpYyBUcnVzdCBFQ0MgUm9vdC0wMTAeFw0yMTA0MjgxNzM1NDNa
-Fw00NjA0MjgxNzM1NDJaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21tU2Nv
-cGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgRUNDIFJvb3QtMDEw
-djAQBgcqhkjOPQIBBgUrgQQAIgNiAARLNumuV16ocNfQj3Rid8NeeqrltqLxeP0C
-flfdkXmcbLlSiFS8LwS+uM32ENEp7LXQoMPwiXAZu1FlxUOcw5tjnSCDPgYLpkJE
-hRGnSjot6dZoL0hOUysHP029uax3OVejQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD
-VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSOB2LAUN3GGQYARnQE9/OufXVNMDAKBggq
-hkjOPQQDAwNoADBlAjEAnDPfQeMjqEI2Jpc1XHvr20v4qotzVRVcrHgpD7oh2MSg
-2NED3W3ROT3Ek2DS43KyAjB8xX6I01D1HiXo+k515liWpDVfG2XqYZpwI7UNo5uS
-Um9poIyNStDuiw7LR47QjRE=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=CommScope Public Trust ECC Root-02,O=CommScope,C=US",
-		sha256Hash: "2ffb7f813bbbb3c89ab4e8162d0f16d71509a830cc9d73c262e5140875d1ad4a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICHDCCAaOgAwIBAgIUKP2ZYEFHpgE6yhR7H+/5aAiDXX0wCgYIKoZIzj0EAwMw
-TjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwiQ29t
-bVNjb3BlIFB1YmxpYyBUcnVzdCBFQ0MgUm9vdC0wMjAeFw0yMTA0MjgxNzQ0NTRa
-Fw00NjA0MjgxNzQ0NTNaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21tU2Nv
-cGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgRUNDIFJvb3QtMDIw
-djAQBgcqhkjOPQIBBgUrgQQAIgNiAAR4MIHoYx7l63FRD/cHB8o5mXxO1Q/MMDAL
-j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
-v4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD
-VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTmGHX/72DehKT1RsfeSlXjMjZ59TAKBggq
-hkjOPQQDAwNnADBkAjAmc0l6tqvmSfR9Uj/UQQSugEODZXW5hYA4O9Zv5JOGq4/n
-ich/m35rChJVYaoR4HkCMHfoMXGsPHED1oQmHhS48zs73u1Z/GtMMH9ZzkXpc2AV
-mkzw5l4lIhVtwodZ0LKOag==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=CommScope Public Trust RSA Root-01,O=CommScope,C=US",
-		sha256Hash: "02bdf96e2a45dd9bf18fc7e1dbdf21a0379ba3c9c2610344cfd8d606fec1ed81",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIUPgNJgXUWdDGOTKvVxZAplsU5EN0wDQYJKoZIhvcNAQEL
-BQAwTjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwi
-Q29tbVNjb3BlIFB1YmxpYyBUcnVzdCBSU0EgUm9vdC0wMTAeFw0yMTA0MjgxNjQ1
-NTRaFw00NjA0MjgxNjQ1NTNaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21t
-U2NvcGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgUlNBIFJvb3Qt
-MDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwSGWjDR1C45FtnYSk
-YZYSwu3D2iM0GXb26v1VWvZVAVMP8syMl0+5UMuzAURWlv2bKOx7dAvnQmtVzslh
-suitQDy6uUEKBU8bJoWPQ7VAtYXR1HHcg0Hz9kXHgKKEUJdGzqAMxGBWBB0HW0al
-DrJLpA6lfO741GIDuZNqihS4cPgugkY4Iw50x2tBt9Apo52AsH53k2NC+zSDO3Oj
-WiE260f6GBfZumbCk6SP/F2krfxQapWsvCQz0b2If4b19bJzKo98rwjyGpg/qYFl
-P8GMicWWMJoKz/TUyDTtnS+8jTiGU+6Xn6myY5QXjQ/cZip8UlF1y5mO6D1cv547
-KI2DAg+pn3LiLCuz3GaXAEDQpFSOm117RTYm1nJD68/A6g3czhLmfTifBSeolz7p
-UcZsBSjBAg/pGG3svZwG1KdJ9FQFa2ww8esD1eo9anbCyxooSU1/ZOD6K9pzg4H/
-kQO9lLvkuI6cMmPNn7togbGEW682v3fuHX/3SZtS7NJ3Wn2RnU3COS3kuoL4b/JO
-Hg9O5j9ZpSPcPYeoKFgo0fEbNttPxP/hjFtyjMcmAyejOQoBqsCyMWCDIqFPEgkB
-Ea801M/XrmLTBQe0MXXgDW1XT2mH+VepuhX2yFJtocucH+X8eKg1mp9BFM6ltM6U
-CBwJrVbl2rZJmkrqYxhTnCwuwwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUN12mmnQywsL5x6YVEFm45P3luG0wDQYJ
-KoZIhvcNAQELBQADggIBAK+nz97/4L1CjU3lIpbfaOp9TSp90K09FlxD533Ahuh6
-NWPxzIHIxgvoLlI1pKZJkGNRrDSsBTtXAOnTYtPZKdVUvhwQkZyybf5Z/Xn36lbQ
-nmhUQo8mUuJM3y+Xpi/SB5io82BdS5pYV4jvguX6r2yBS5KPQJqTRlnLX3gWsWc+
-QgvfKNmwrZggvkN80V4aCRckjXtdlemrwWCrWxhkgPut4AZ9HcpZuPN4KWfGVh2v
-trV0KnahP/t1MJ+UXjulYPPLXAziDslg+MkfFoom3ecnf+slpoq9uC02EJqxWE2a
-aE9gVOX2RhOOiKy8IUISrcZKiX2bwdgt6ZYD9KJ0DLwAHb/WNyVntHKLr4W96ioD
-j8z7PEQkguIBpQtZtjSNMgsSDesnwv1B10A8ckYpwIzqug/xBpMu95yo9GA+o/E4
-Xo4TwbM6l4c/ksp4qRyv0LAbJh6+cOx69TOY6lz/KwsETkPdY34Op054A5U+1C0w
-lREQKC6/oAI+/15Z0wUOlV9TRe9rh9VIzRamloPh37MG88EU26fsHItdkJANclHn
-YfkUyq+Dj7+vsQpZXdxc1+SWrVtgHdqul7I52Qb1dgAT+GhMIbA1xNxVssnBQVoc
-icCMb3SgazNNtQEo/a2tiRc7ppqEvOuM6sRxJKi6KfkIsidWNTJf6jn7MZrVGczw
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=CommScope Public Trust RSA Root-02,O=CommScope,C=US",
-		sha256Hash: "ffe943d793424b4f7c440c1c3d648d5363f34b82dc87aa7a9f118fc5dee101f1",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIUVBa/O345lXGN0aoApYYNK496BU4wDQYJKoZIhvcNAQEL
-BQAwTjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwi
-Q29tbVNjb3BlIFB1YmxpYyBUcnVzdCBSU0EgUm9vdC0wMjAeFw0yMTA0MjgxNzE2
-NDNaFw00NjA0MjgxNzE2NDJaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21t
-U2NvcGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgUlNBIFJvb3Qt
-MDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDh+g77aAASyE3VrCLE
-NQE7xVTlWXZjpX/rwcRqmL0yjReA61260WI9JSMZNRTpf4mnG2I81lDnNJUDMrG0
-kyI9p+Kx7eZ7Ti6Hmw0zdQreqjXnfuU2mKKuJZ6VszKWpCtYHu8//mI0SFHRtI1C
-rWDaSWqVcN3SAOLMV2MCe5bdSZdbkk6V0/nLKR8YSvgBKtJjCW4k6YnS5cciTNxz
-hkcAqg2Ijq6FfUrpuzNPDlJwnZXjfG2WWy09X6GDRl224yW4fKcZgBzqZUPckXk2
-LHR88mcGyYnJ27/aaL8j7dxrrSiDeS/sOKUNNwFnJ5rpM9kzXzehxfCrPfp4sOcs
-n/Y+n2Dg70jpkEUeBVF4GiwSLFworA2iI540jwXmojPOEXcT1A6kHkIfhs1w/tku
-FT0du7jyU1fbzMZ0KZwYszZ1OC4PVKH4kh+Jlk+71O6d6Ts2QrUKOyrUZHk2EOH5
-kQMreyBUzQ0ZGshBMjTRsJnhkB4BQDa1t/qp5Xd1pCKBXbCL5CcSD1SIxtuFdOa3
-wNemKfrb3vOTlycEVS8KbzfFPROvCgCpLIscgSjX74Yxqa7ybrjKaixUR9gqiC6v
-wQcQeKwRoi9C8DfF8rhW3Q5iLc4tVn5V8qdE9isy9COoR+jUKgF4z2rDN6ieZdIs
-5fq6M8EGRPbmz6UNp2YINIos8wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUR9DnsSL/nSz12Vdgs7GxcJXvYXowDQYJ
-KoZIhvcNAQELBQADggIBAIZpsU0v6Z9PIpNojuQhmaPORVMbc0RTAIFhzTHjCLqB
-KCh6krm2qMhDnscTJk3C2OVVnJJdUNjCK9v+5qiXz1I6JMNlZFxHMaNlNRPDk7n3
-+VGXu6TwYofF1gbTl4MgqX67tiHCpQ2EAOHyJxCDut0DgdXdaMNmEMjRdrSzbyme
-APnCKfWxkxlSaRosTKCL4BWaMS/TiJVZbuXEs1DIFAhKm4sTg7GkcrI7djNB3Nyq
-pgdvHSQSn8h2vS/ZjvQs7rfSOBAkNlEv41xdgSGn2rtO/+YHqP65DSdsu3BaVXoT
-6fEqSWnHX4dXTEN5bTpl6TBcQe7rd6VzEojov32u5cSoHw2OHG1QAk8mGEPej1WF
-sQs3BWDJVTkSBKEqz3EWnzZRSb9wO55nnPt7eck5HHisd5FUmrh1CoFSl+NmYWvt
-PjgelmFV4ZFUjO2MJB+ByRCac5krFk5yAD9UG/iNuovnFNa2RU9g7Jauwy8CTl2d
-lklyALKrdVwPaFsdZcJfMw8eD/A7hvWwTruc9+olBdytoptLFwG+Qt81IR2tq670
-v64fG9PiO/yzcnMcmyiQiRM9HcEARwmWmjgb3bHPDcK0RPOWlc4yOo80nOAXx17O
-rg3bhzjlP1v9mxnhMUF6cKojawHhRUzNlM47ni3niAIi9G7oyOzWPPO5std3eqx7
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE",
-		sha256Hash: "e59aaa816009c22bff5b25bad37df306f049797c1f81d85ab089e657bd8f0044",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIC2zCCAmCgAwIBAgIQfMmPK4TX3+oPyWWa00tNljAKBggqhkjOPQQDAzBIMQsw
-CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS
-VVNUIEJSIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTA5NDUwMFoXDTM1MDIxMTA5
-NDQ1OVowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAG
-A1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDEgMjAyMDB2MBAGByqGSM49AgEGBSuB
-BAAiA2IABMbLxyjR+4T1mu9CFCDhQ2tuda38KwOE1HaTJddZO0Flax7mNCq7dPYS
-zuht56vkPE4/RAiLzRZxy7+SmfSk1zxQVFKQhYN4lGdnoxwJGT11NIXe7WB9xwy0
-QVK5buXuQqOCAQ0wggEJMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHOREKv/
-VbNafAkl1bK6CKBrqx9tMA4GA1UdDwEB/wQEAwIBBjCBxgYDVR0fBIG+MIG7MD6g
-PKA6hjhodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X2JyX3Jvb3Rf
-Y2FfMV8yMDIwLmNybDB5oHegdYZzbGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l
-dC9DTj1ELVRSVVNUJTIwQlIlMjBSb290JTIwQ0ElMjAxJTIwMjAyMCxPPUQtVHJ1
-c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDAKBggqhkjO
-PQQDAwNpADBmAjEAlJAtE/rhY/hhY+ithXhUkZy4kzg+GkHaQBZTQgjKL47xPoFW
-wKrY7RjEsK70PvomAjEA8yjixtsrmfu3Ubgko6SUeho/5jbiA1czijDLgsfWFBHV
-dWNbFJWcHwHP2NVypw87
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE",
-		sha256Hash: "0552e6f83fdf65e8fa9670e666df28a4e21340b510cbe52566f97c4fb94b2bd1",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBI
-MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE
-LVRSVVNUIEJSIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUw
-OTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi
-MCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCTcfKr
-i3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNE
-gXtRr90zsWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8
-k12b9py0i4a6Ibn08OhZWiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCT
-Rphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl
-2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LULQyReS2tNZ9/WtT5PeB+U
-cSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIvx9gvdhFP
-/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bS
-uREVMweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+
-0bpwHJwh5Q8xaRfX/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4N
-DfTisl01gLmB1IRpkQLLddCNxbU9CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+
-XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUZ5Dw1t61
-GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG
-OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y
-XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tI
-FoE9c+CeJyrrd6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67n
-riv6uvw8l5VAk1/DLQOj7aRvU9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTR
-VFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4nj8+AybmTNudX0KEPUUDAxxZiMrc
-LmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdijYQ6qgYF/6FKC0ULn
-4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff/vtD
-hQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsG
-koHU6XCPpz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46
-ls/pdu4D58JDUjxqgejBWoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aS
-Ecr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/5usWDiJFAbzdNpQ0qTUmiteXue4Icr80
-knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jtn/mtd+ArY0+ew+43u3gJ
-hJ65bvspmZDogNOfJA==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE",
-		sha256Hash: "08170d1aa36453901a2f959245e347db0c8d37abaabc56b81aa100dc958970db",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIC2zCCAmCgAwIBAgIQXwJB13qHfEwDo6yWjfv/0DAKBggqhkjOPQQDAzBIMQsw
-CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS
-VVNUIEVWIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTEwMDAwMFoXDTM1MDIxMTA5
-NTk1OVowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAG
-A1UEAxMZRC1UUlVTVCBFViBSb290IENBIDEgMjAyMDB2MBAGByqGSM49AgEGBSuB
-BAAiA2IABPEL3YZDIBnfl4XoIkqbz52Yv7QFJsnL46bSj8WeeHsxiamJrSc8ZRCC
-/N/DnU7wMyPE0jL1HLDfMxddxfCxivnvubcUyilKwg+pf3VlSSowZ/Rk99Yad9rD
-wpdhQntJraOCAQ0wggEJMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFH8QARY3
-OqQo5FD4pPfsazK2/umLMA4GA1UdDwEB/wQEAwIBBjCBxgYDVR0fBIG+MIG7MD6g
-PKA6hjhodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X2V2X3Jvb3Rf
-Y2FfMV8yMDIwLmNybDB5oHegdYZzbGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l
-dC9DTj1ELVRSVVNUJTIwRVYlMjBSb290JTIwQ0ElMjAxJTIwMjAyMCxPPUQtVHJ1
-c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDAKBggqhkjO
-PQQDAwNpADBmAjEAyjzGKnXCXnViOTYAYFqLwZOZzNnbQTs7h5kXO9XMT8oi96CA
-y/m0sRtW9XLS/BnRAjEAkfcwkz8QRitxpNA7RJvAKQIFskF3UfN5Wp6OFKBOQtJb
-gfM0agPnIjhQW+0ZT0MW
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE",
-		sha256Hash: "8e8221b2e7d4007836a1672f0dcc299c33bc07d316f132fa1a206d587150f1ce",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFqTCCA5GgAwIBAgIQaSYJfoBLTKCnjHhiU19abzANBgkqhkiG9w0BAQ0FADBI
-MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE
-LVRSVVNUIEVWIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA5MTAzM1oXDTM4MDUw
-OTA5MTAzMlowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi
-MCAGA1UEAxMZRC1UUlVTVCBFViBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBANiOo4mAC7JXUtypU0w3uX9jFxPvp1sjW2l1sJkK
-F8GLxNuo4MwxusLyzV3pt/gdr2rElYfXR8mV2IIEUD2BCP/kPbOx1sWy/YgJ25yE
-7CUXFId/MHibaljJtnMoPDT3mfd/06b4HEV8rSyMlD/YZxBTfiLNTiVR8CUkNRFe
-EMbsh2aJgWi6zCudR3Mfvc2RpHJqnKIbGKBv7FD0fUDCqDDPvXPIEysQEx6Lmqg6
-lHPTGGkKSv/BAQP/eX+1SH977ugpbzZMlWGG2Pmic4ruri+W7mjNPU0oQvlFKzIb
-RlUWaqZLKfm7lVa/Rh3sHZMdwGWyH6FDrlaeoLGPaxK3YG14C8qKXO0elg6DpkiV
-jTujIcSuWMYAsoS0I6SWhjW42J7YrDRJmGOVxcttSEfi8i4YHtAxq9107PncjLgc
-jmgjutDzUNzPZY9zOjLHfP7KgiJPvo5iR2blzYfi6NUPGJ/lBHJLRjwQ8kTCZFZx
-TnXonMkmdMV9WdEKWw9t/p51HBjGGjp82A0EzM23RWV6sY+4roRIPrN6TagD4uJ+
-ARZZaBhDM7DS3LAaQzXupdqpRlyuhoFBAUp0JuyfBr/CBTdkdXgpaP3F9ev+R/nk
-hbDhezGdpn9yo7nELC7MmVcOIQxFAZRl62UJxmMiCzNJkkg8/M3OsD6Onov4/knF
-NXJHAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUqvyREBuH
-kV8Wub9PS5FeAByxMoAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG
-OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfZXZfcm9vdF9jYV8y
-XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQCTy6UfmRHsmg1fLBWTxj++EI14
-QvBukEdHjqOSMo1wj/Zbjb6JzkcBahsgIIlbyIIQbODnmaprxiqgYzWRaoUlrRc4
-pZt+UPJ26oUFKidBK7GB0aL2QHWpDsvxVUjY7NHss+jOFKE17MJeNRqrphYBBo7q
-3C+jisosketSjl8MmxfPy3MHGcRqwnNU73xDUmPBEcrCRbH0O1P1aa4846XerOhU
-t7KR/aypH/KH5BfGSah82ApB9PI+53c0BFLd6IHyTS9URZ0V4U/M5d40VxDJI3IX
-cI1QcB9WbMy5/zpaT2N6w25lBx2Eof+pDGOJbbJAiDnXH3dotfyc1dZnaVuodNv8
-ifYbMvekJKZ2t0dT741Jj6m2g1qllpBFYfXeA08mD6iL8AOWsKwV0HFaanuU5nCT
-2vFp4LJiTZ6P/4mdm13NRemUAiKN4DV/6PEEeXFsVIP4M7kFMhtYVRFP0OUnR3Hs
-7dpn1mKmS00PaaLJvOwiS5THaJQXfuKOKD62xur1NGyfN4gHONuGcfrNlUhDbqNP
-gofXNJhuS5N5YHVpD/Aa1VP6IQzCP+k/HxiMkl14p3ZnGbuy6n/pcAlWVqOwDAst
-Nl7F6cTVg8uGF5csbBNvh1qvSaYd2804BC5f4ko1Di1L+KIkBI3Y4WNeApI02phh
-XBxvWHZks/wCuPWdCg==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE",
-		sha256Hash: "49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRF
-MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBD
-bGFzcyAzIENBIDIgMjAwOTAeFw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NTha
-ME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxJzAlBgNVBAMM
-HkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBANOySs96R+91myP6Oi/WUEWJNTrGa9v+2wBoqOADER03
-UAifTUpolDWzU9GUY6cgVq/eUXjsKj3zSEhQPgrfRlWLJ23DEE0NkVJD2IfgXU42
-tSHKXzlABF9bfsyjxiupQB7ZNoTWSPOSHjRGICTBpFGOShrvUD9pXRl/RcPHAY9R
-ySPocq60vFYJfxLLHLGvKZAKyVXMD9O0Gu1HNVpK7ZxzBCHQqr0ME7UAyiZsxGsM
-lFqVlNpQmvH/pStmMaTJOKDfHR+4CS7zp+hnUquVH+BGPtikw8paxTGA6Eian5Rp
-/hnd2HN8gcqW3o7tszIFZYQ05ub9VxC1X3a/L7AQDcUCAwEAAaOCARowggEWMA8G
-A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP3aFMSfMN4hvR5COfyrYyNJ4PGEMA4G
-A1UdDwEB/wQEAwIBBjCB0wYDVR0fBIHLMIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVj
-dG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUy
-MENBJTIwMiUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRl
-cmV2b2NhdGlvbmxpc3QwQ6BBoD+GPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3Js
-L2QtdHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAwOS5jcmwwDQYJKoZIhvcNAQEL
-BQADggEBAH+X2zDI36ScfSF6gHDOFBJpiBSVYEQBrLLpME+bUMJm2H6NMLVwMeni
-acfzcNsgFYbQDfC+rAF1hM5+n02/t2A7nPPKHeJeaNijnZflQGDSNiH+0LS4F9p0
-o3/U37CYAqxva2ssJSRyoWXuJVrl5jLn8t+rSfrzkGkj2wTZ51xY/GXUl77M/C4K
-zCUqNQT4YJEVdT1B/yMfGchs64JTBKbkTCJNjYy6zltz7GRUUG3RnFX7acM2w4y8
-PIWmawomDeCTmGCufsYkl4phX5GOZpIJhzbNi5stPvZR1FDUWSi9g/LMKHtThm3Y
-Johw1+qRzT65ysCQblrGXnRl11z+o+I=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE",
-		sha256Hash: "eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF
-MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD
-bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw
-NDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV
-BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpn
-ljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM0
-3TP1YtHhzRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6Z
-qQTMFexgaDbtCHu39b+T7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lR
-p75mpoo6Kr3HGrHhFPC+Oh25z1uxav60sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8
-HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure3511H3a6UCAwEAAaOCASQw
-ggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyvcop9Ntea
-HNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFw
-Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh
-c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E
-RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQt
-dHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDku
-Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp
-3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05
-nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNF
-CSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7na
-xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX
-KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
-b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
-EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
-cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
-JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
-mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
-wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
-VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
-AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
-AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
-BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
-pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
-dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
-fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
-NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
-H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
-+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "7d05ebb682339f8c9451ee094eebfefa7953a114edb2f44949452fab7d2fc185",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBl
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
-b3QgRzIwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBlMQswCQYDVQQG
-EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
-cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ5ygvUj82ckmIkzTz+GoeMVSA
-n61UQbVH35ao1K+ALbkKz3X9iaV9JPrjIgwrvJUXCzO/GU1BBpAAvQxNEP4Htecc
-biJVMWWXvdMX0h5i89vqbFCMP4QMls+3ywPgym2hFEwbid3tALBSfK+RbLE4E9Hp
-EgjAALAcKxHad3A2m67OeYfcgnDmCXRwVWmvo2ifv922ebPynXApVfSr/5Vh88lA
-bx3RvpO704gqu52/clpWcTs/1PPRCv4o76Pu2ZmvA9OPYLfykqGxvYmJHzDNw6Yu
-YjOuFgJ3RFrngQo8p0Quebg/BLxcoIfhG69Rjs3sLPr4/m3wOnyqi+RnlTGNAgMB
-AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQW
-BBTOw0q5mVXyuNtgv6l+vVa1lzan1jANBgkqhkiG9w0BAQsFAAOCAQEAyqVVjOPI
-QW5pJ6d1Ee88hjZv0p3GeDgdaZaikmkuOGybfQTUiaWxMTeKySHMq2zNixya1r9I
-0jJmwYrA8y8678Dj1JGG0VDjA9tzd29KOVPt3ibHtX2vK0LRdWLjSisCx1BL4Gni
-lmwORGYQRI+tBev4eaymG+g3NJ1TyWGqolKvSnAWhsI6yLETcDbYz+70CjTVW0z9
-B5yiutkBclzzTcHdDrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0MjomZmWzwPDCv
-ON9vvKO+KSAnq3T/EyJ43pdSVR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwo
-IhNzbM8m9Yop5w==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "7e37cb8b4c47090cab36551ba6f45db840680fba166a952db100717f43053fc2",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICRjCCAc2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQsw
-CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
-ZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3Qg
-RzMwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBlMQswCQYDVQQGEwJV
-UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
-Y29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwdjAQBgcq
-hkjOPQIBBgUrgQQAIgNiAAQZ57ysRGXtzbg/WPuNsVepRC0FFfLvC/8QdJ+1YlJf
-Zn4f5dwbRXkLzMZTCp2NXQLZqVneAlr2lSoOjThKiknGvMYDOAdfVdp+CW7if17Q
-RSAPWXYQ1qAk8C3eNvJsKTmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgGGMB0GA1UdDgQWBBTL0L2p4ZgFUaFNN6KDec6NHSrkhDAKBggqhkjOPQQD
-AwNnADBkAjAlpIFFAmsSS3V0T8gj43DydXLefInwz5FyYZ5eEJJZVrmDxxDnOOlY
-JjZ91eQ0hjkCMHw2U/Aw5WJjOpnitqM7mzT6HtoQknFekROn3aRukswy1vUhZscv
-6pZjamVFkpUBtA==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
-CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
-nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
-43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
-T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
-gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
-BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
-TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
-DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
-hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
-06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
-PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
-YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
-CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
-MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
-2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
-1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
-q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
-tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
-vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
-BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
-5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
-1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
-NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
-Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
-8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
-pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
-MrY=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
-CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
-ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
-Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw
-EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x
-IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF
-K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG
-fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO
-Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd
-BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx
-AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/
-oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8
-sycX
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
-RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
-+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
-PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
-xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
-Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
-hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
-EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
-FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
-nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
-eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
-hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
-Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
-vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
-+OkuE6N36B9K
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert TLS ECC P384 Root G5,O=DigiCert\\, Inc.,C=US",
-		sha256Hash: "018e13f0772532cf809bd1b17281867283fc48c6e13be9c69812854a490c1b05",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICGTCCAZ+gAwIBAgIQCeCTZaz32ci5PhwLBCou8zAKBggqhkjOPQQDAzBOMQsw
-CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp
-Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDExNTAwMDAwMFoXDTQ2
-MDExNDIzNTk1OVowTjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ
-bmMuMSYwJAYDVQQDEx1EaWdpQ2VydCBUTFMgRUNDIFAzODQgUm9vdCBHNTB2MBAG
-ByqGSM49AgEGBSuBBAAiA2IABMFEoc8Rl1Ca3iOCNQfN0MsYndLxf3c1TzvdlHJS
-7cI7+Oz6e2tYIOyZrsn8aLN1udsJ7MgT9U7GCh1mMEy7H0cKPGEQQil8pQgO4CLp
-0zVozptjn4S1mU1YoI71VOeVyaNCMEAwHQYDVR0OBBYEFMFRRVBZqz7nLFr6ICIS
-B4CIfBFqMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
-BAMDA2gAMGUCMQCJao1H5+z8blUD2WdsJk6Dxv3J+ysTvLd6jLRl0mlpYxNjOyZQ
-LgGheQaRnUi/wr4CMEfDFXuxoJGZSZOoPHzoRgaLLPIxAJSdYsiJvRmEFOml+wG4
-DXZDjC5Ty3zfDBeWUA==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert TLS RSA4096 Root G5,O=DigiCert\\, Inc.,C=US",
-		sha256Hash: "371a00dc0533b3721a7eeb40e8419e70799d2b0a0f2c1d80693165f7cec4ad75",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFZjCCA06gAwIBAgIQCPm0eKj6ftpqMzeJ3nzPijANBgkqhkiG9w0BAQwFADBN
-MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJTAjBgNVBAMT
-HERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwHhcNMjEwMTE1MDAwMDAwWhcN
-NDYwMTE0MjM1OTU5WjBNMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQs
-IEluYy4xJTAjBgNVBAMTHERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCz0PTJeRGd/fxmgefM1eS87IE+
-ajWOLrfn3q/5B03PMJ3qCQuZvWxX2hhKuHisOjmopkisLnLlvevxGs3npAOpPxG0
-2C+JFvuUAT27L/gTBaF4HI4o4EXgg/RZG5Wzrn4DReW+wkL+7vI8toUTmDKdFqgp
-wgscONyfMXdcvyej/Cestyu9dJsXLfKB2l2w4SMXPohKEiPQ6s+d3gMXsUJKoBZM
-pG2T6T867jp8nVid9E6P/DsjyG244gXazOvswzH016cpVIDPRFtMbzCe88zdH5RD
-nU1/cHAN1DrRN/BsnZvAFJNY781BOHW8EwOVfH/jXOnVDdXifBBiqmvwPXbzP6Po
-sMH976pXTayGpxi0KcEsDr9kvimM2AItzVwv8n/vFfQMFawKsPHTDU9qTXeXAaDx
-Zre3zu/O7Oyldcqs4+Fj97ihBMi8ez9dLRYiVu1ISf6nL3kwJZu6ay0/nTvEF+cd
-Lvvyz6b84xQslpghjLSR6Rlgg/IwKwZzUNWYOwbpx4oMYIwo+FKbbuH2TbsGJJvX
-KyY//SovcfXWJL5/MZ4PbeiPT02jP/816t9JXkGPhvnxd3lLG7SjXi/7RgLQZhNe
-XoVPzthwiHvOAbWWl9fNff2C+MIkwcoBOU+NosEUQB+cZtUMCUbW8tDRSHZWOkPL
-tgoRObqME2wGtZ7P6wIDAQABo0IwQDAdBgNVHQ4EFgQUUTMc7TZArxfTJc1paPKv
-TiM+s0EwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN
-AQEMBQADggIBAGCmr1tfV9qJ20tQqcQjNSH/0GEwhJG3PxDPJY7Jv0Y02cEhJhxw
-GXIeo8mH/qlDZJY6yFMECrZBu8RHANmfGBg7sg7zNOok992vIGCukihfNudd5N7H
-PNtQOa27PShNlnx2xlv0wdsUpasZYgcYQF+Xkdycx6u1UQ3maVNVzDl92sURVXLF
-O4uJ+DQtpBflF+aZfTCIITfNMBc9uPK8qHWgQ9w+iUuQrm0D4ByjoJYJu32jtyoQ
-REtGBzRj7TG5BO6jm5qu5jF49OokYTurWGT/u4cnYiWB39yhL/btp/96j1EuMPik
-AdKFOV8BmZZvWltwGUb+hmA+rYAQCd05JS9Yf7vSdPD3Rh9GOUrYU9DzLjtxpdRv
-/PNn5AeP3SYZ4Y1b+qOTEZvpyDrDVWiakuFSdjjo4bq9+0/V77PnSIMx8IIh47a+
-p6tv75/fTM8BuGJqIz3nCU2AG3swpMPdB380vqQmsvZB6Akd4yCYqjdP//fx4ilw
-MUc/dNAUFvohigLVigmUdy7yWSiLfFCSCmZ4OIN1xLVaqBHG5cGdZlXPU8Sv13WF
-qUITVuwhd4GTWgzqltlJyqEI8pc7bZsEGCREjnwB8twl2F6GmrE52/WRMmrRpnCK
-ovfepEWFJqgejF0pW8hL2JpqA15w8oVPbEtoL8pU9ozaMv7Da4M/OMZ+
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US",
-		sha256Hash: "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
-RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
-UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
-Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
-ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
-xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
-ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
-DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
-jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
-CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
-EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
-fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
-uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
-chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
-9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
-ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
-SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
-+SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
-fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
-sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
-cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
-0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
-4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
-r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
-/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
-gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Entrust Root Certification Authority - EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust\\, Inc. - for authorized use only,O=Entrust\\, Inc.,C=US",
-		sha256Hash: "02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG
-A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3
-d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu
-dHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEGA1UEAxMq
-RW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMB4XDTEy
-MTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0
-L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0g
-Zm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEVDMTB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHyAsWfoPZb1YsGGYZPUxBt
-ByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef9eNi1KlH
-Bz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC
-R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX
-hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G
------END CERTIFICATE-----
-`,
+		cn:           "CN=Amazon Root CA 1,O=Amazon,C=US",
+		sha256Hash:   "8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e",
+		certStartOff: 7668,
+		certLength:   837,
+	},
+	{
+		cn:           "CN=Amazon Root CA 2,O=Amazon,C=US",
+		sha256Hash:   "1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4",
+		certStartOff: 8505,
+		certLength:   1349,
+	},
+	{
+		cn:           "CN=Amazon Root CA 3,O=Amazon,C=US",
+		sha256Hash:   "18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4",
+		certStartOff: 9854,
+		certLength:   442,
+	},
+	{
+		cn:           "CN=Amazon Root CA 4,O=Amazon,C=US",
+		sha256Hash:   "e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092",
+		certStartOff: 10296,
+		certLength:   502,
+	},
+	{
+		cn:           "CN=Atos TrustedRoot 2011,O=Atos,C=DE",
+		sha256Hash:   "f356bea244b7a91eb35d53ca9ad7864ace018e2d35d5f8f96ddf68a6f41aa474",
+		certStartOff: 10798,
+		certLength:   891,
+	},
+	{
+		cn:           "CN=Atos TrustedRoot Root CA ECC TLS 2021,O=Atos,C=DE",
+		sha256Hash:   "b2fae53e14ccd7ab9212064701ae279c1d8988facb775fa8a008914e663988a8",
+		certStartOff: 11689,
+		certLength:   537,
+	},
+	{
+		cn:           "CN=Atos TrustedRoot Root CA RSA TLS 2021,O=Atos,C=DE",
+		sha256Hash:   "81a9088ea59fb364c548a6f85559099b6f0405efbf18e5324ec9f457ba00112f",
+		certStartOff: 12226,
+		certLength:   1384,
+	},
+	{
+		cn:           "CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES",
+		sha256Hash:   "57de0583efd2b26e0361da99da9df4648def7ee8441c3b728afa9bcde0f9b26a",
+		certStartOff: 13610,
+		certLength:   1560,
+	},
+	{
+		cn:           "CN=BJCA Global Root CA1,O=BEIJING CERTIFICATE AUTHORITY,C=CN",
+		sha256Hash:   "f3896f88fe7c0a882766a7fa6ad2749fb57a7f3e98fb769c1fa7b09c2c44d5ae",
+		certStartOff: 15170,
+		certLength:   1400,
+	},
+	{
+		cn:           "CN=BJCA Global Root CA2,O=BEIJING CERTIFICATE AUTHORITY,C=CN",
+		sha256Hash:   "574df6931e278039667b720afdc1600fc27eb66dd3092979fb73856487212882",
+		certStartOff: 16570,
+		certLength:   553,
+	},
+	{
+		cn:           "CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO",
+		sha256Hash:   "9a114025197c5bb95d94e63d55cd43790847b646b23cdf11ada4a00eff15fb48",
+		certStartOff: 17123,
+		certLength:   1373,
+	},
+	{
+		cn:           "CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO",
+		sha256Hash:   "edf7ebbca27a2a384d387b7d4010c666e2edb4843e4c29b4ae1d5b9332e6b24d",
+		certStartOff: 18496,
+		certLength:   1373,
+	},
+	{
+		cn:           "CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK",
+		sha256Hash:   "e23d4a036d7b70e9f595b1422079d2b91edfbb1fb651a0633eaa8a9dc5f80703",
+		certStartOff: 19869,
+		certLength:   1389,
+	},
+	{
+		cn:           "CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN",
+		sha256Hash:   "5cc3d78e4e1d5e45547a04e6873e64f90cf9536d1ccc2ef800f355c4c5fd70fd",
+		certStartOff: 21258,
+		certLength:   1425,
+	},
+	{
+		cn:           "CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
+		sha256Hash:   "0c2cd63df7806fa399ede809116b575bf87989f06518f9808c860503178baf66",
+		certStartOff: 22683,
+		certLength:   1057,
+	},
+	{
+		cn:           "CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
+		sha256Hash:   "1793927a0614549789adce2f8f34f7f0b66d0f3ae3a3b84d21ec15dbba4fadc7",
+		certStartOff: 23740,
+		certLength:   653,
+	},
+	{
+		cn:           "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
+		sha256Hash:   "52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234",
+		certStartOff: 24393,
+		certLength:   1500,
+	},
+	{
+		cn:           "CN=Certainly Root E1,O=Certainly,C=US",
+		sha256Hash:   "b4585f22e4ac756a4e8612a1361c5d9d031a93fd84febb778fa3068b0fc42dc2",
+		certStartOff: 25893,
+		certLength:   507,
+	},
+	{
+		cn:           "CN=Certainly Root R1,O=Certainly,C=US",
+		sha256Hash:   "77b82cd8644c4305f7acc5cb156b45675004033d51c60c6202a8e0c33467d3a0",
+		certStartOff: 26400,
+		certLength:   1355,
+	},
+	{
+		cn:           "CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR",
+		sha256Hash:   "d48d3d23eedb50a459e55197601c27774b9d7b18c94d5a059511a10250b93168",
+		certStartOff: 27755,
+		certLength:   1631,
+	},
+	{
+		cn:           "CN=Certigna,O=Dhimyotis,C=FR",
+		sha256Hash:   "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d",
+		certStartOff: 29386,
+		certLength:   940,
+	},
+	{
+		cn:           "CN=Certum EC-384 CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL",
+		sha256Hash:   "6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6",
+		certStartOff: 30326,
+		certLength:   617,
+	},
+	{
+		cn:           "CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL",
+		sha256Hash:   "b676f2eddae8775cd36cb0f63cd1d4603961f49e6265ba013a2f0307b6d0b804",
+		certStartOff: 30943,
+		certLength:   1494,
+	},
+	{
+		cn:           "CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL",
+		sha256Hash:   "5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e",
+		certStartOff: 32437,
+		certLength:   959,
+	},
+	{
+		cn:           "CN=Certum Trusted Root CA,OU=Certum Certification Authority,O=Asseco Data Systems S.A.,C=PL",
+		sha256Hash:   "fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd",
+		certStartOff: 33396,
+		certLength:   1476,
+	},
+	{
+		cn:           "CN=CommScope Public Trust ECC Root-01,O=CommScope,C=US",
+		sha256Hash:   "11437cda7bb45e41365f45b39a38986b0de00def348e0c7bb0873633800bc38b",
+		certStartOff: 34872,
+		certLength:   545,
+	},
+	{
+		cn:           "CN=CommScope Public Trust ECC Root-02,O=CommScope,C=US",
+		sha256Hash:   "2ffb7f813bbbb3c89ab4e8162d0f16d71509a830cc9d73c262e5140875d1ad4a",
+		certStartOff: 35417,
+		certLength:   544,
+	},
+	{
+		cn:           "CN=CommScope Public Trust RSA Root-01,O=CommScope,C=US",
+		sha256Hash:   "02bdf96e2a45dd9bf18fc7e1dbdf21a0379ba3c9c2610344cfd8d606fec1ed81",
+		certStartOff: 35961,
+		certLength:   1392,
+	},
+	{
+		cn:           "CN=CommScope Public Trust RSA Root-02,O=CommScope,C=US",
+		sha256Hash:   "ffe943d793424b4f7c440c1c3d648d5363f34b82dc87aa7a9f118fc5dee101f1",
+		certStartOff: 37353,
+		certLength:   1392,
+	},
+	{
+		cn:           "CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE",
+		sha256Hash:   "e59aaa816009c22bff5b25bad37df306f049797c1f81d85ab089e657bd8f0044",
+		certStartOff: 38745,
+		certLength:   735,
+	},
+	{
+		cn:           "CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE",
+		sha256Hash:   "0552e6f83fdf65e8fa9670e666df28a4e21340b510cbe52566f97c4fb94b2bd1",
+		certStartOff: 39480,
+		certLength:   1453,
+	},
+	{
+		cn:           "CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE",
+		sha256Hash:   "08170d1aa36453901a2f959245e347db0c8d37abaabc56b81aa100dc958970db",
+		certStartOff: 40933,
+		certLength:   735,
+	},
+	{
+		cn:           "CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE",
+		sha256Hash:   "8e8221b2e7d4007836a1672f0dcc299c33bc07d316f132fa1a206d587150f1ce",
+		certStartOff: 41668,
+		certLength:   1453,
+	},
+	{
+		cn:           "CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE",
+		sha256Hash:   "49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1",
+		certStartOff: 43121,
+		certLength:   1079,
+	},
+	{
+		cn:           "CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE",
+		sha256Hash:   "eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881",
+		certStartOff: 44200,
+		certLength:   1095,
+	},
+	{
+		cn:           "CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c",
+		certStartOff: 45295,
+		certLength:   955,
+	},
+	{
+		cn:           "CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "7d05ebb682339f8c9451ee094eebfefa7953a114edb2f44949452fab7d2fc185",
+		certStartOff: 46250,
+		certLength:   922,
+	},
+	{
+		cn:           "CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "7e37cb8b4c47090cab36551ba6f45db840680fba166a952db100717f43053fc2",
+		certStartOff: 47172,
+		certLength:   586,
+	},
+	{
+		cn:           "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161",
+		certStartOff: 47758,
+		certLength:   947,
+	},
+	{
+		cn:           "CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f",
+		certStartOff: 48705,
+		certLength:   914,
+	},
+	{
+		cn:           "CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0",
+		certStartOff: 49619,
+		certLength:   579,
+	},
+	{
+		cn:           "CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",
+		certStartOff: 50198,
+		certLength:   969,
+	},
+	{
+		cn:           "CN=DigiCert TLS ECC P384 Root G5,O=DigiCert\\, Inc.,C=US",
+		sha256Hash:   "018e13f0772532cf809bd1b17281867283fc48c6e13be9c69812854a490c1b05",
+		certStartOff: 51167,
+		certLength:   541,
+	},
+	{
+		cn:           "CN=DigiCert TLS RSA4096 Root G5,O=DigiCert\\, Inc.,C=US",
+		sha256Hash:   "371a00dc0533b3721a7eeb40e8419e70799d2b0a0f2c1d80693165f7cec4ad75",
+		certStartOff: 51708,
+		certLength:   1386,
+	},
+	{
+		cn:           "CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US",
+		sha256Hash:   "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988",
+		certStartOff: 53094,
+		certLength:   1428,
+	},
+	{
+		cn:            "CN=Entrust Root Certification Authority - EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust\\, Inc. - for authorized use only,O=Entrust\\, Inc.,C=US",
+		sha256Hash:    "02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5",
+		certStartOff:  54522,
+		certLength:    765,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=Entrust Root Certification Authority - G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust\\, Inc. - for authorized use only,O=Entrust\\, Inc.,C=US",
-		sha256Hash: "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
-cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
-IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
-dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
-NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
-dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
-dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
-aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
-RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
-cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
-wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
-U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
-jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
-BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
-jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
-Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
-1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
-nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
-VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
------END CERTIFICATE-----
-`,
+		cn:            "CN=Entrust Root Certification Authority - G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust\\, Inc. - for authorized use only,O=Entrust\\, Inc.,C=US",
+		sha256Hash:    "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339",
+		certStartOff:  55287,
+		certLength:    1090,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust\\, Inc.,O=Entrust\\, Inc.,C=US",
-		sha256Hash: "73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
-Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
-KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
-cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
-NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
-NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
-ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
-BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
-Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
-4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
-KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
-rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
-94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
-sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
-gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
-kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
-vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
-A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
-O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
-AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
-9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
-eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
-0vdXcDazv/wor3ElhVsT/h5/WrQ8
------END CERTIFICATE-----
-`,
+		cn:            "CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust\\, Inc.,O=Entrust\\, Inc.,C=US",
+		sha256Hash:    "73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c",
+		certStartOff:  56377,
+		certLength:    1173,
 		distrustAfter: "2024-11-30T23:59:59Z",
 	},
 	{
-		cn:         "CN=FIRMAPROFESIONAL CA ROOT-A WEB,O=Firmaprofesional SA,C=ES,2.5.4.97=#130f56415445532d413632363334303638",
-		sha256Hash: "bef256daf26e9c69bdec1602359798f3caf71821a03e018257c53c65617f3d4a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICejCCAgCgAwIBAgIQMZch7a+JQn81QYehZ1ZMbTAKBggqhkjOPQQDAzBuMQsw
-CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE
-YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB
-IFJPT1QtQSBXRUIwHhcNMjIwNDA2MDkwMTM2WhcNNDcwMzMxMDkwMTM2WjBuMQsw
-CQYDVQQGEwJFUzEcMBoGA1UECgwTRmlybWFwcm9mZXNpb25hbCBTQTEYMBYGA1UE
-YQwPVkFURVMtQTYyNjM0MDY4MScwJQYDVQQDDB5GSVJNQVBST0ZFU0lPTkFMIENB
-IFJPT1QtQSBXRUIwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARHU+osEaR3xyrq89Zf
-e9MEkVz6iMYiuYMQYneEMy3pA4jU4DP37XcsSmDq5G+tbbT4TIqk5B/K6k84Si6C
-cyvHZpsKjECcfIr28jlgst7L7Ljkb+qbXbdTkBgyVcUgt5SjYzBhMA8GA1UdEwEB
-/wQFMAMBAf8wHwYDVR0jBBgwFoAUk+FDY1w8ndYn81LsF7Kpryz3dvgwHQYDVR0O
-BBYEFJPhQ2NcPJ3WJ/NS7Beyqa8s93b4MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjO
-PQQDAwNoADBlAjAdfKR7w4l1M+E7qUW/Runpod3JIha3RxEL2Jq68cgLcFBTApFw
-hVmpHqTm6iMxoAACMQD94vizrxa5HnPEluPBMBnYfubDl94cT7iJLzPrSA8Z94dG
-XSaQpYXFuXqUPoeovQA=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.\\,LTD.,C=CN",
-		sha256Hash: "bfff8fd04433487d6a8aa60c1a29767a9fc2bbb05e420f713a13b992891d3893",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFiDCCA3CgAwIBAgIIfQmX/vBH6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UE
-BhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZ
-IENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMB4XDTE0
-MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVowYjELMAkGA1UEBhMCQ04xMjAwBgNV
-BAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8w
-HQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJj
-Dp6L3TQsAlFRwxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBj
-TnnEt1u9ol2x8kECK62pOqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+u
-KU49tm7srsHwJ5uu4/Ts765/94Y9cnrrpftZTqfrlYwiOXnhLQiPzLyRuEH3FMEj
-qcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfmiJqwTTQJ9Cy5WmYqsBebnh52nUpm
-MUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ahsmUPI2JgaQxXABZG12
-ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7ng/Wi64HtloP
-zgsMR6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLMc3Gk
-L30SgLdTMEZeS1SZD2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeC
-jGHeuLzRL5z7D9Ar7Rt2ueQ5Vfj4oR24qoAATILnsn8JuLwwoC8N9VKejveSswoA
-HQBUlwbgsQfZxw9cZX08bVlX5O2ljelAU58VS6Bx9hoh49pwBiFYFIeFd3mqgnkC
-AwEAAaNCMEAwHQYDVR0OBBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlRMA8GA1UdEwEB
-/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfg
-p8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9nesLqjJHdtJnJO29fDMylyrHBYZm
-DRd9FBUb1Ov9H5r2XpdptxolpAqzkT9fNqyL7FeoPueBihhXOYV0GkLH6VsTX4/5
-COmSdI31R9KrO9b7eGZONn356ZLpBN79SWP8bfsUcZNnL0dKt7n/HipzcEYwv1ry
-L3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd+PwyvzeG5LuOmCd+uh8W4XAR8gPf
-JWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQHtZa37dG/OaG+svg
-IHZ6uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBDF8Io
-2c9Si1vIY9RCPqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV
-09tL7ECQ8s1uV9JiDnxXk7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQ
-XR4EzzffHqhmsYzmIGrv/EhOdJhCrylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrq
-T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe
-MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT",
-		sha256Hash: "9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
-A1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkw
-FwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYx
-MDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9u
-aXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMIICIjANBgkq
-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWiD59b
-RatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9Z
-YybNpyrOVPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3
-QWPKzv9pj2gOlTblzLmMCcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPw
-yJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCmfecqQjuCgGOlYx8ZzHyyZqjC0203b+J+
-BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKAA1GqtH6qRNdDYfOiaxaJ
-SaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9ORJitHHmkH
-r96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj0
-4KlGDfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9Me
-dKZssCz3AwyIDMvUclOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIw
-q7ejMZdnrY8XD2zHc+0klGvIg5rQmjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2
-nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1UdIwQYMBaAFNwu
-H9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
-VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJC
-XtzoRlgHNQIw4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd
-6IwPS3BD0IL/qMy/pJTAvoe9iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf
-+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS8cE54+X1+NZK3TTN+2/BT+MAi1bi
-kvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2HcqtbepBEX4tdJP7
-wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxSvTOB
-TI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6C
-MUO+1918oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn
-4rnvyOL2NSl6dPrFf4IFYqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+I
-aFvowdlxfv1k7/9nR4hYJS8+hge9+6jlgqispdNpQ80xiEmEU5LAsTkbOYMBMMTy
-qfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
------END CERTIFICATE-----
-`,
+		cn:           "CN=FIRMAPROFESIONAL CA ROOT-A WEB,O=Firmaprofesional SA,C=ES,2.5.4.97=#130f56415445532d413632363334303638",
+		sha256Hash:   "bef256daf26e9c69bdec1602359798f3caf71821a03e018257c53c65617f3d4a",
+		certStartOff: 57550,
+		certLength:   638,
+	},
+	{
+		cn:           "CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.\\,LTD.,C=CN",
+		sha256Hash:   "bfff8fd04433487d6a8aa60c1a29767a9fc2bbb05e420f713a13b992891d3893",
+		certStartOff: 58188,
+		certLength:   1420,
+	},
+	{
+		cn:            "CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT",
+		sha256Hash:    "9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a",
+		certStartOff:  59608,
+		certLength:    1414,
 		distrustAfter: "2024-06-30T00:00:00Z",
 	},
 	{
-		cn:         "CN=GTS Root R1,O=Google Trust Services LLC,C=US",
-		sha256Hash: "d947432abde7b7fa90fc2e6b59101b1280e0e1c7e4e40fa3c6887fff57a7f4cf",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
-CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
-MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
-Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
-27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
-Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
-TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
-qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
-szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
-Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
-MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
-wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
-aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
-VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
-AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
-FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
-C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
-QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
-h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
-7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
-ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
-MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
-Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
-6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
-0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
-2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
-bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GTS Root R2,O=Google Trust Services LLC,C=US",
-		sha256Hash: "8d25cd97229dbf70356bda4eb3cc734031e24cf00fafcfd32dc76eb5841c7ea8",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFVzCCAz+gAwIBAgINAgPlrsWNBCUaqxElqjANBgkqhkiG9w0BAQwFADBHMQsw
-CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
-MBIGA1UEAxMLR1RTIFJvb3QgUjIwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
-MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
-Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwggIiMA0GCSqGSIb3DQEBAQUA
-A4ICDwAwggIKAoICAQDO3v2m++zsFDQ8BwZabFn3GTXd98GdVarTzTukk3LvCvpt
-nfbwhYBboUhSnznFt+4orO/LdmgUud+tAWyZH8QiHZ/+cnfgLFuv5AS/T3KgGjSY
-6Dlo7JUle3ah5mm5hRm9iYz+re026nO8/4Piy33B0s5Ks40FnotJk9/BW9BuXvAu
-MC6C/Pq8tBcKSOWIm8Wba96wyrQD8Nr0kLhlZPdcTK3ofmZemde4wj7I0BOdre7k
-RXuJVfeKH2JShBKzwkCX44ofR5GmdFrS+LFjKBC4swm4VndAoiaYecb+3yXuPuWg
-f9RhD1FLPD+M2uFwdNjCaKH5wQzpoeJ/u1U8dgbuak7MkogwTZq9TwtImoS1mKPV
-+3PBV2HdKFZ1E66HjucMUQkQdYhMvI35ezzUIkgfKtzra7tEscszcTJGr61K8Yzo
-dDqs5xoic4DSMPclQsciOzsSrZYuxsN2B6ogtzVJV+mSSeh2FnIxZyuWfoqjx5RW
-Ir9qS34BIbIjMt/kmkRtWVtd9QCgHJvGeJeNkP+byKq0rxFROV7Z+2et1VsRnTKa
-G73VululycslaVNVJ1zgyjbLiGH7HrfQy+4W+9OmTN6SpdTi3/UGVN4unUu0kzCq
-gc7dGtxRcw1PcOnlthYhGXmy5okLdWTK1au8CcEYof/UVKGFPP0UJAOyh9OktwID
-AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
-FgQUu//KjiOfT5nK2+JopqUVJxce2Q4wDQYJKoZIhvcNAQEMBQADggIBAB/Kzt3H
-vqGf2SdMC9wXmBFqiN495nFWcrKeGk6c1SuYJF2ba3uwM4IJvd8lRuqYnrYb/oM8
-0mJhwQTtzuDFycgTE1XnqGOtjHsB/ncw4c5omwX4Eu55MaBBRTUoCnGkJE+M3DyC
-B19m3H0Q/gxhswWV7uGugQ+o+MePTagjAiZrHYNSVc61LwDKgEDg4XSsYPWHgJ2u
-NmSRXbBoGOqKYcl3qJfEycel/FVL8/B/uWU9J2jQzGv6U53hkRrJXRqWbTKH7QMg
-yALOWr7Z6v2yTcQvG99fevX4i8buMTolUVVnjWQye+mew4K6Ki3pHrTgSAai/Gev
-HyICc/sgCq+dVEuhzf9gR7A/Xe8bVr2XIZYtCtFenTgCR2y59PYjJbigapordwj6
-xLEokCZYCDzifqrXPW+6MYgKBesntaFJ7qBFVHvmJ2WZICGoo7z7GJa7Um8M7YNR
-TOlZ4iBgxcJlkoKM8xAfDoqXvneCbT+PHV28SSe9zE8P4c52hgQjxcCMElv924Sg
-JPFI/2R80L5cFtHvma3AH/vLrrw4IgYmZNralw4/KBVEqE8AyvCazM90arQ+POuV
-7LXTWtiBmelDGDfrs7vRWGJB82bSj6p4lVQgw1oudCvV0b4YacCs1aTPObpRhANl
-6WLAYv7YTVWW4tAR+kg0Eeye7QUd5MjWHYbL
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GTS Root R3,O=Google Trust Services LLC,C=US",
-		sha256Hash: "34d8a73ee208d9bcdb0d956520934b4e40e69482596e8b6f73c8426b010a6f48",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICCTCCAY6gAwIBAgINAgPluILrIPglJ209ZjAKBggqhkjOPQQDAzBHMQswCQYD
-VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
-A1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
-WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
-IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
-AAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUURout736G
-jOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2ADDL2
-4CejQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
-BBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEA9uEglRR7
-VKOQFhG/hMjqb2sXnh5GmCCbn9MN2azTL818+FsuVbu/3ZL3pAzcMeGiAjEA/Jdm
-ZuVDFhOD3cffL74UOO0BzrEXGhF16b0DjyZ+hOXJYKaV11RZt+cRLInUue4X
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GTS Root R4,O=Google Trust Services LLC,C=US",
-		sha256Hash: "349dfa4058c5e263123b398ae795573c4e1313c83fe68f93556cd5e8031b3c7d",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD
-VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG
-A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw
-WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz
-IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
-AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi
-QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR
-HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
-BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D
-9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8
-p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE",
-		sha256Hash: "cbb9c44d84b8043e1050ea31a69f514955d7bfd2e2c6b49301019ad61d9f5058",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICCzCCAZGgAwIBAgISEdK7ujNu1LzmJGjFDYQdmOhDMAoGCCqGSM49BAMDMEYx
-CzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYDVQQD
-ExNHbG9iYWxTaWduIFJvb3QgRTQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMyMDAw
-MDAwMFowRjELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2Ex
-HDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQA
-IgNiAAScDrHPt+ieUnd1NPqlRqetMhkytAepJ8qUuwzSChDH2omwlwxwEwkBjtjq
-R+q+soArzfwoDdusvKSGN+1wCAB16pMLey5SnCNoIwZD7JIvU4Tb+0cUB+hflGdd
-yXqBPCCjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
-DgQWBBQxCpCPtsad0kRLgLWi5h+xEk8blTAKBggqhkjOPQQDAwNoADBlAjEA31SQ
-7Zvvi5QCkxeCmb6zniz2C5GMn0oUsfZkvLtoURMMA/cVi4RguYv/Uo7njLwcAjA8
-+RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+CAezNIm8BZ/3Hobui3A=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE",
-		sha256Hash: "4fa3126d8d3a11d1c4855a4f807cbad6cf919d3a5a88b03bea2c6372d93c40c9",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFWjCCA0KgAwIBAgISEdK7udcjGJ5AXwqdLdDfJWfRMA0GCSqGSIb3DQEBDAUA
-MEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRwwGgYD
-VQQDExNHbG9iYWxTaWduIFJvb3QgUjQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2MDMy
-MDAwMDAwMFowRjELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYt
-c2ExHDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCsrHQy6LNl5brtQyYdpokNRbopiLKkHWPd08EsCVeJ
-OaFV6Wc0dwxu5FUdUiXSE2te4R2pt32JMl8Nnp8semNgQB+msLZ4j5lUlghYruQG
-vGIFAha/r6gjA7aUD7xubMLL1aa7DOn2wQL7Id5m3RerdELv8HQvJfTqa1VbkNud
-316HCkD7rRlr+/fKYIje2sGP1q7Vf9Q8g+7XFkyDRTNrJ9CG0Bwta/OrffGFqfUo
-0q3v84RLHIf8E6M6cqJaESvWJ3En7YEtbWaBkoe0G1h6zD8K+kZPTXhc+CtI4wSE
-y132tGqzZfxCnlEmIyDLPRT5ge1lFgBPGmSXZgjPjHvjK8Cd+RTyG/FWaha/LIWF
-zXg4mutCagI0GIMXTpRW+LaCtfOW3T3zvn8gdz57GSNrLNRyc0NXfeD412lPFzYE
-+cCQYDdF3uYM2HSNrpyibXRdQr4G9dlkbgIQrImwTDsHTUB+JMWKmIJ5jqSngiCN
-I/onccnfxkF0oE32kRbcRoxfKWMxWXEM2G/CtjJ9++ZdU6Z+Ffy7dXxd7Pj2Fxzs
-x2sZy/N78CsHpdlseVR2bJ0cpm4O6XkMqCNqo98bMDGfsVR7/mrLZqrcZdCinkqa
-ByFrgY/bxFn63iLABJzjqls2k+g9vXqhnQt2sQvHnf3PmKgGwvgqo6GDoLclcqUC
-4wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUA1yrc4GHqMywptWU4jaWSf8FmSwwDQYJKoZIhvcNAQEMBQADggIBAHx4
-7PYCLLtbfpIrXTncvtgdokIzTfnvpCo7RGkerNlFo048p9gkUbJUHJNOxO97k4Vg
-JuoJSOD1u8fpaNK7ajFxzHmuEajwmf3lH7wvqMxX63bEIaZHU1VNaL8FpO7XJqti
-2kM3S+LGteWygxk6x9PbTZ4IevPuzz5i+6zoYMzRx6Fcg0XERczzF2sUyQQCPtIk
-pnnpHs6i58FZFZ8d4kuaPp92CC1r2LpXFNqD6v6MVenQTqnMdzGxRBF6XLE+0xRF
-FRhiJBPSy03OXIPBNvIQtQ6IbbjhVp+J3pZmOUdkLG5NrmJ7v2B0GbhWrJKsFjLt
-rWhV/pi60zTe9Mlhww6G9kuEYO4Ne7UyWHmRVSyBQ7N0H3qqJZ4d16GLuc1CLgSk
-ZoNNiTW2bKg2SnkheCLQQrzRQDGQob4Ez8pn7fXwgNNgyYMqIgXQBztSvwyeqiv5
-u+YfjyW6hY0XHgL+XVAEV8/+LbzvXMAaq7afJMbfc2hIkCwU9D9SGuTSyxTDYWnP
-4vkYxboznxSjBF25cfe1lNj2M8FawTSLfJvdkzrnE6JwYZ+vj+vYxXX4M2bUdGc6
-N3ec592kD3ZDZopD8p/7DEJ4Y9HiD2971KE9dJeFt0g5QdYg/NA6s/rob8SKunE3
-vouXsXgxT7PntgMTzlSdriVZzH81Xwj3QEUxeCp6
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GlobalSign,OU=GlobalSign ECC Root CA - R4,O=GlobalSign",
-		sha256Hash: "b085d70b964f191a73e4af0d54ae7a0e07aafdaf9b71dd0862138ab7325a24a2",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIB3DCCAYOgAwIBAgINAgPlfvU/k/2lCSGypjAKBggqhkjOPQQDAjBQMSQwIgYD
-VQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2Jh
-bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTIxMTEzMDAwMDAwWhcNMzgw
-MTE5MDMxNDA3WjBQMSQwIgYDVQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0g
-UjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wWTAT
-BgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4xnnTj2wlDp8uORkcA6SumuU5BwkWymOx
-uYb4ilfBV85C+nOh92VC/x7BALJucw7/xyHlGKSq2XE/qNS5zowdo0IwQDAOBgNV
-HQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVLB7rUW44kB/
-+wpu+74zyTyjhNUwCgYIKoZIzj0EAwIDRwAwRAIgIk90crlgr/HmnKAWBVBfw147
-bmF0774BxL4YSFlhgjICICadVGNA3jdgUM/I2O2dgq43mLyjj0xMqTQrbO/7lZsm
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GlobalSign,OU=GlobalSign ECC Root CA - R5,O=GlobalSign",
-		sha256Hash: "179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c8924",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICHjCCAaSgAwIBAgIRYFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEk
-MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpH
-bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX
-DTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBD
-QSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6SFkc
-8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8ke
-hOvRnkmSh5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
-VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYI
-KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg
-515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7yFz9SO8NdCKoCOJuxUnO
-xwy8p2Fp8fc74SrL+SvzZpA3
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign",
-		sha256Hash: "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
-MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
-RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
-gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
-KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
-QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
-XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
-LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
-RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
-jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
-6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
-mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
-Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
-WD9f
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign",
-		sha256Hash: "2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFgzCCA2ugAwIBAgIORea7A4Mzw4VlSOb/RVEwDQYJKoZIhvcNAQEMBQAwTDEg
-MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjYxEzARBgNVBAoTCkdsb2Jh
-bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTQxMjEwMDAwMDAwWhcNMzQx
-MjEwMDAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSNjET
-MBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCAiIwDQYJ
-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAJUH6HPKZvnsFMp7PPcNCPG0RQssgrRI
-xutbPK6DuEGSMxSkb3/pKszGsIhrxbaJ0cay/xTOURQh7ErdG1rG1ofuTToVBu1k
-ZguSgMpE3nOUTvOniX9PeGMIyBJQbUJmL025eShNUhqKGoC3GYEOfsSKvGRMIRxD
-aNc9PIrFsmbVkJq3MQbFvuJtMgamHvm566qjuL++gmNQ0PAYid/kD3n16qIfKtJw
-LnvnvJO7bVPiSHyMEAc4/2ayd2F+4OqMPKq0pPbzlUoSB239jLKJz9CgYXfIWHSw
-1CM69106yqLbnQneXUQtkPGBzVeS+n68UARjNN9rkxi+azayOeSsJDa38O+2HBNX
-k7besvjihbdzorg1qkXy4J02oW9UivFyVm4uiMVRQkQVlO6jxTiWm05OWgtH8wY2
-SXcwvHE35absIQh1/OZhFj931dmRl4QKbNQCTXTAFO39OfuD8l4UoQSwC+n+7o/h
-bguyCLNhZglqsQY6ZZZZwPA1/cnaKI0aEYdwgQqomnUdnjqGBQCe24DWJfncBZ4n
-WUx2OVvq+aWh2IMP0f/fMBH5hc8zSPXKbWQULHpYT9NLCEnFlWQaYw55PfWzjMpY
-rZxCRXluDocZXFSxZba/jJvcE+kNb7gu3GduyYsRtYQUigAZcIN5kZeR1Bonvzce
-MgfYFGM8KEyvAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD
-AQH/MB0GA1UdDgQWBBSubAWjkxPioufi1xzWx/B/yGdToDAfBgNVHSMEGDAWgBSu
-bAWjkxPioufi1xzWx/B/yGdToDANBgkqhkiG9w0BAQwFAAOCAgEAgyXt6NH9lVLN
-nsAEoJFp5lzQhN7craJP6Ed41mWYqVuoPId8AorRbrcWc+ZfwFSY1XS+wc3iEZGt
-Ixg93eFyRJa0lV7Ae46ZeBZDE1ZXs6KzO7V33EByrKPrmzU+sQghoefEQzd5Mr61
-55wsTLxDKZmOMNOsIeDjHfrYBzN2VAAiKrlNIC5waNrlU/yDXNOd8v9EDERm8tLj
-vUYAGm0CuiVdjaExUd1URhxN25mW7xocBFymFe944Hn+Xds+qkxV/ZoVqW/hpvvf
-cDDpw+5CRu3CkwWJ+n1jez/QcYF8AOiYrg54NMMl+68KnyBr3TsTjxKM4kEaSHpz
-oHdpx7Zcf4LIHv5YGygrqGytXm3ABdJ7t+uA/iU3/gKbaKxCXcPu9czc8FB10jZp
-nOZ7BN9uBmm23goJSFmH63sUYHpkqmlD75HHTOwY3WzvUy2MmeFe8nI+z1TIvWfs
-pA9MRf/TuTAjB0yPEL+GltmZWrSZVxykzLsViVO6LAUP5MSeGbEYNNVMnbrt9x+v
-JJUEeKgDu+6B5dpffItKoZB0JaezPkvILFa9x8jvOOJckvB595yEunQtYQEgfn7R
-8k8HWV+LLUNS60YMlOH1Zkd5d9VUWx+tJDfLRVpOoERIyNiwmcUVhAn21klJwGW4
-5hpxbqCo8YLoRT5s1gLXCmeDBVrJpBA=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
-		sha256Hash: "45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR",
-		sha256Hash: "3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICVDCCAdugAwIBAgIQZ3SdjXfYO2rbIvT/WeK/zjAKBggqhkjOPQQDAzBsMQsw
-CQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2Vh
-cmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBFQ0MgUm9v
-dCBDQSAyMDIxMB4XDTIxMDIxOTExMDExMFoXDTQ1MDIxMzExMDEwOVowbDELMAkG
-A1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJj
-aCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklDQSBUTFMgRUNDIFJvb3Qg
-Q0EgMjAyMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDgI/rGgltJ6rK9JOtDA4MM7
-KKrxcm1lAEeIhPyaJmuqS7psBAqIXhfyVYf8MLA04jRYVxqEU+kw2anylnTDUR9Y
-STHMmE5gEYd103KUkE+bECUqqHgtvpBBWJAVcqeht6NCMEAwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUyRtTgRL+BNUW0aq8mm+3oJUZbsowDgYDVR0PAQH/BAQD
-AgGGMAoGCCqGSM49BAMDA2cAMGQCMBHervjcToiwqfAircJRQO9gcS3ujwLEXQNw
-SaSS6sUUiHCm0w2wqsosQJz76YJumgIwK0eaB8bRwoF8yguWGEEbo/QwCZ61IygN
-nxS2PFOiTAZpffpskcYqSUXm7LcT4Tps
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR",
-		sha256Hash: "d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFpDCCA4ygAwIBAgIQOcqTHO9D88aOk8f0ZIk4fjANBgkqhkiG9w0BAQsFADBs
-MQswCQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
-c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBSU0Eg
-Um9vdCBDQSAyMDIxMB4XDTIxMDIxOTEwNTUzOFoXDTQ1MDIxMzEwNTUzN1owbDEL
-MAkGA1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNl
-YXJjaCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklDQSBUTFMgUlNBIFJv
-b3QgQ0EgMjAyMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIvC569l
-mwVnlskNJLnQDmT8zuIkGCyEf3dRywQRNrhe7Wlxp57kJQmXZ8FHws+RFjZiPTgE
-4VGC/6zStGndLuwRo0Xua2s7TL+MjaQenRG56Tj5eg4MmOIjHdFOY9TnuEFE+2uv
-a9of08WRiFukiZLRgeaMOVig1mlDqa2YUlhu2wr7a89o+uOkXjpFc5gH6l8Cct4M
-pbOfrqkdtx2z/IpZ525yZa31MJQjB/OCFks1mJxTuy/K5FrZx40d/JiZ+yykgmvw
-Kh+OC19xXFyuQnspiYHLA6OZyoieC0AJQTPb5lh6/a6ZcMBaD9YThnEvdmn8kN3b
-LW7R8pv1GmuebxWMevBLKKAiOIAkbDakO/IwkfN4E8/BPzWr8R0RI7VDIp4BkrcY
-AuUR0YLbFQDMYTfBKnya4dC6s1BG7oKsnTH4+yPiAwBIcKMJJnkVU2DzOFytOOqB
-AGMUuTNe3QvboEUHGjMJ+E20pwKmafTCWQWIZYVWrkvL4N48fS0ayOn7H6NhStYq
-E613TBoYm5EPWNgGVMWX+Ko/IIqmhaZ39qb8HOLubpQzKoNQhArlT4b4UEV4AIHr
-W2jjJo3Me1xR9BQsQL4aYB16cmEdH2MtiKrOokWQCPxrvrNQKlr9qEgYRtaQQJKQ
-CoReaDH46+0N0x3GfZkYVVYnZS6NRcUk7M7jAgMBAAGjQjBAMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFApII6ZgpJIKM+qTW8VX6iVNvRLuMA4GA1UdDwEB/wQE
-AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAPpBIqm5iFSVmewzVjIuJndftTgfvnNAU
-X15QvWiWkKQUEapobQk1OUAJ2vQJLDSle1mESSmXdMgHHkdt8s4cUCbjnj1AUz/3
-f5Z2EMVGpdAgS1D0NTsY9FVqQRtHBmg8uwkIYtlfVUKqrFOFrJVWNlar5AWMxaja
-H6NpvVMPxP/cyuN+8kyIhkdGGvMA9YCRotxDQpSbIPDRzbLrLFPCU3hKTwSUQZqP
-JzLB5UkZv/HywouoCjkxKLR9YjYsTewfM7Z+d21+UPCfDtcRj88YxeMn/ibvBZ3P
-zzfF0HvaO7AWhAw6k9a+F9sPPg4ZeAnHqQJyIkv3N3a6dcSFA1pj1bF1BcK5vZSt
-jBWZp5N99sXzqnTPBIWUmAD04vnKJGW/4GKvyMX6ssmeVkjaef2WdhW+o45WxLM0
-/L5H9MG0qPzVMIho7suuyWPEdr6sOBjhXlzPrjoiUevRi7PzKzMHVIf6tLITe7pT
-BGIBnfHAT+7hOtSLIBD6Alfm78ELt5BGnBkpjNxvoEppaZS3JGWg/6w/zgH7IS79
-aPib8qXPMThcFarmlwDB31qlpzmq6YR/PFGoOtmUW4y/Twhx5duoXNTSpv4Ao8YW
-xw/ogM4cKGR0GQjTQuPOAF1/sdwTsOEFy9EgqoZ0njnnkf3/W9b3raYvAwtt41dU
-63ZTGI0RmLo=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR",
-		sha256Hash: "44b545aa8a25e65a73ca15dc27fc36d24c1cb9953a066539b11582dc487b4833",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzAN
-BgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
-c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hl
-bGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv
-b3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEwMzcxMlowgaoxCzAJ
-BgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmljIEFj
-YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5
-MUQwQgYDVQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0
-dXRpb25zIEVDQyBSb290Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKg
-QehLgoRc4vgxEZmGZE4JJS+dQS8KrjVPdJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJa
-jq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoKVlp8aQuqgAkkbH7BRqNC
-MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLQi
-C4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaep
-lSTAGiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7Sof
-TUwJCA3sS61kFyjndc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR",
-		sha256Hash: "a040929a02ce53b4acf4f2ffc6981ce4496f755e6d45fe0b2a692bcd52523f36",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1Ix
-DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5k
-IFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMT
-N0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9v
-dENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkG
-A1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh
-ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkx
-QDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1
-dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA
-4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL0BgzuNtFajT0
-AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQZe10
-4S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06C
-ojXdFPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV
-9Cz82XBST3i4vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrD
-gfgXy5I2XdGj2HUb4Ysn6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6
-Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2fu/Z8VFRfS0myGlZYeCsargq
-NhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9muiNX6hME6wGko
-LfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc
-Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNV
-HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVd
-ctA4GGqd83EkVAswDQYJKoZIhvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0I
-XtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+D1hYc2Ryx+hFjtyp8iY/xnmMsVMI
-M4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrMd/K4kPFox/la/vot
-9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+yd+2V
-Z5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/ea
-j8GsGsVn82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnh
-X9izjFk0WaSrT2y7HxjbdavYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQ
-l033DlZdwJVqwjbDG2jJ9SrcR5q+ss7FJej6A7na+RZukYT1HCjI/CbM1xyQVqdf
-bzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVtJ94Cj8rDtSvK6evIIVM4
-pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK
-e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0
-vm9qp/UsQu0yrbYhnr68
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",
-		sha256Hash: "f015ce3cc239bfef064be9f1d2c417e1a0264a0a94be1f0c8d121864eb6949cc",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFajCCA1KgAwIBAgIQLd2szmKXlKFD6LDNdmpeYDANBgkqhkiG9w0BAQsFADBP
-MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
-ZC4xGzAZBgNVBAMMEkhpUEtJIFJvb3QgQ0EgLSBHMTAeFw0xOTAyMjIwOTQ2MDRa
-Fw0zNzEyMzExNTU5NTlaME8xCzAJBgNVBAYTAlRXMSMwIQYDVQQKDBpDaHVuZ2h3
-YSBUZWxlY29tIENvLiwgTHRkLjEbMBkGA1UEAwwSSGlQS0kgUm9vdCBDQSAtIEcx
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9B5/UnMyDHPkvRN0o9Qw
-qNCuS9i233VHZvR85zkEHmpwINJaR3JnVfSl6J3VHiGh8Ge6zCFovkRTv4354twv
-Vcg3Px+kwJyz5HdcoEb+d/oaoDjq7Zpy3iu9lFc6uux55199QmQ5eiY29yTw1S+6
-lZgRZq2XNdZ1AYDgr/SEYYwNHl98h5ZeQa/rh+r4XfEuiAU+TCK72h8q3VJGZDnz
-Qs7ZngyzsHeXZJzA9KMuH5UHsBffMNsAGJZMoYFL3QRtU6M9/Aes1MU3guvklQgZ
-KILSQjqj2FPseYlgSGDIcpJQ3AOPgz+yQlda22rpEZfdhSi8MEyr48KxRURHH+CK
-FgeW0iEPU8DtqX7UTuybCeyvQqww1r/REEXgphaypcXTT3OUM3ECoWqj1jOXTyFj
-HluP2cFeRXF3D4FdXyGarYPM+l7WjSNfGz1BryB1ZlpK9p/7qxj3ccC2HTHsOyDr
-y+K49a6SsvfhhEvyovKTmiKe0xRvNlS9H15ZFblzqMF8b3ti6RZsR1pl8w4Rm0bZ
-/W3c1pzAtH2lsN0/Vm+h+fbkEkj9Bn8SV7apI09bA8PgcSojt/ewsTu8mL3WmKgM
-a/aOEmem8rJY5AIJEzypuxC00jBF8ez3ABHfZfjcK0NVvxaXxA/VLGGEqnKG/uY6
-fsI/fe78LxQ+5oXdUG+3Se0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQU8ncX+l6o/vY9cdVouslGDDjYr7AwDgYDVR0PAQH/BAQDAgGGMA0GCSqG
-SIb3DQEBCwUAA4ICAQBQUfB13HAE4/+qddRxosuej6ip0691x1TPOhwEmSKsxBHi
-7zNKpiMdDg1H2DfHb680f0+BazVP6XKlMeJ45/dOlBhbQH3PayFUhuaVevvGyuqc
-SE5XCV0vrPSltJczWNWseanMX/mF+lLFjfiRFOs6DRfQUsJ748JzjkZ4Bjgs6Fza
-ZsT0pPBWGTMpWmWSBUdGSquEwx4noR8RkpkndZMPvDY7l1ePJlsMu5wP1G4wB9Tc
-XzZoZjmDlicmisjEOf6aIW/Vcobpf2Lll07QJNBAsNB1CI69aO4I1258EHBGG3zg
-iLKecoaZAeO/n0kZtCW+VmWuF2PlHt/o/0elv+EmBYTksMCv5wiZqAxeJoBF1Pho
-L5aPruJKHJwWDBNvOIf2u8g0X5IDUXlwpt/L9ZlNec1OvFefQ05rLisY+GpzjLrF
-Ne85akEez3GoorKGB1s6yeHvP2UEgEcyRHCVTjFnanRbEEV16rCf0OY1/k6fi8wr
-kkVbbiVghUbN0aqwdmaTd5a+g744tiROJgvM7XpWGuDpWsZkrUx6AEhEL7lAuxM+
-vhV4nYWBSipX3tUZQ9rbyltHhoMLP7YNdnhzeSJesYAfz77RP1YQmCuVh6EfnWQU
-YDksswBVLuT1sw5XxJFBAJw/6KXf6vb/yPCtbVKoF6ubYfwSUTXkJf2vqmqGOQ==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK",
-		sha256Hash: "5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFzzCCA7egAwIBAgIUCBZfikyl7ADJk0DfxMauI7gcWqQwDQYJKoZIhvcNAQEL
-BQAwbzELMAkGA1UEBhMCSEsxEjAQBgNVBAgTCUhvbmcgS29uZzESMBAGA1UEBxMJ
-SG9uZyBLb25nMRYwFAYDVQQKEw1Ib25na29uZyBQb3N0MSAwHgYDVQQDExdIb25n
-a29uZyBQb3N0IFJvb3QgQ0EgMzAeFw0xNzA2MDMwMjI5NDZaFw00MjA2MDMwMjI5
-NDZaMG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtvbmcxEjAQBgNVBAcT
-CUhvbmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UEAxMXSG9u
-Z2tvbmcgUG9zdCBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQCziNfqzg8gTr7m1gNt7ln8wlffKWihgw4+aMdoWJwcYEuJQwy51BWy7sFO
-dem1p+/l6TWZ5Mwc50tfjTMwIDNT2aa71T4Tjukfh0mtUC1Qyhi+AViiE3CWu4mI
-VoBc+L0sPOFMV4i707mV78vH9toxdCim5lSJ9UExyuUmGs2C4HDaOym71QP1mbpV
-9WTRYA6ziUm4ii8F0oRFKHyPaFASePwLtVPLwpgchKOesL4jpNrcyCse2m5FHomY
-2vkALgbpDDtw1VAliJnLzXNg99X/NWfFobxeq81KuEXryGgeDQ0URhLj0mRiikKY
-vLTGCAj4/ahMZJx2Ab0vqWwzD9g/KLg8aQFChn5pwckGyuV6RmXpwtZQQS4/t+Tt
-bNe/JgERohYpSms0BpDsE9K2+2p20jzt8NYt3eEV7KObLyzJPivkaTv/ciWxNoZb
-x39ri1UbSsUgYT2uy1DhCDq+sI9jQVMwCFk8mB13umOResoQUGC/8Ne8lYePl8X+
-l2oBlKN8W4UdKjk60FSh0Tlxnf0h+bV78OLgAo9uliQlLKAeLKjEiafv7ZkGL7YK
-TE/bosw3Gq9HhS2KX8Q0NEwA/RiTZxPRN+ZItIsGxVd7GYYKecsAyVKvQv83j+Gj
-Hno9UKtjBucVtT+2RTeUN7F+8kjDf8V1/peNRY8apxpyKBpADwIDAQABo2MwYTAP
-BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBQXnc0e
-i9Y5K3DTXNSguB+wAPzFYTAdBgNVHQ4EFgQUF53NHovWOStw01zUoLgfsAD8xWEw
-DQYJKoZIhvcNAQELBQADggIBAFbVe27mIgHSQpsY1Q7XZiNc4/6gx5LS6ZStS6LG
-7BJ8dNVI0lkUmcDrudHr9EgwW62nV3OZqdPlt9EuWSRY3GguLmLYauRwCy0gUCCk
-MpXRAJi70/33MvJJrsZ64Ee+bs7Lo3I6LWldy8joRTnU+kLBEUx3XZL7av9YROXr
-gZ6voJmtvqkBZss4HTzfQx/0TW60uhdG/H39h4F5ag0zD/ov+BS5gLNdTaqX4fnk
-GMX41TiMJjz98iji7lpJiCzfeT2OnpA8vUFKOt1b9pq0zj8lMH8yfaIDlNDceqFS
-3m6TjRgm/VWsvY+b0s+v54Ysyx8Jb6NvqYTUc79NoXQbTiNg8swOqn+knEwlqLJm
-Ozj/2ZQw9nKEvmhVEA/GcywWaZMH/rFF7buiVWqw2rVKAiUnhde3t4ZEFolsgCs+
-l6mc1X5VTMbeRRAc6uk7nwNT7u56AQIWeNTowr5GdogTPyK7SBIdUgC0An4hGh6c
-JfTzPV4e0hz5sy229zdcxsshTrD3mUcYhcErulWuBurQB7Lcq9CClnXO0lD+mefP
-L5/ndtFhKvshuzHQqp9HpLIiyhY6UFfEW0NnxWViA0kB60PZ2Pierc+xYw5F9KBa
-LJstxabArahH9CdMOA0uG0k7UvToiIMrVCjU8jVStDKDYmlkDJGcn5fqdBb9HxEG
-mpv0
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
-		sha256Hash: "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=ISRG Root X2,O=Internet Security Research Group,C=US",
-		sha256Hash: "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
-CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
-R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
-MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
-ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
-EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
-+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
-ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
-zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
-tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
-/q4AaOeMSQ+2b1tbFfLn
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US",
-		sha256Hash: "5d56499be4d2e08bcfcad08a3e38723d50503bde706948e42f55603019e528ae",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
-MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
-VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
-MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
-JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
-3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
-+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
-S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
-bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
-T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
-vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
-Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
-dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
-c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
-l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
-iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
-/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
-ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
-6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
-LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
-nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
-+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
-W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
-AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
-l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
-4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
-mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
-7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US",
-		sha256Hash: "30d0895a9a448a262091635522d1f52010b5867acae12c78ef958fd4f4389f2f",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkqhkiG9w0BAQsFADBN
-MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVu
-VHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcN
-MzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0
-MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTyP4o7
-ekosMSqMjbCpwzFrqHd2hCa2rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGy
-RBb06tD6Hi9e28tzQa68ALBKK0CyrOE7S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlS
-bdsHyo+1W/CD80/HLaXIrcuVIKQxKFdYWuSNG5qrng0M8gozOSI5Cpcu81N3uURF
-/YTLNiCBWS2ab21ISGHKTN9T0a9SvESfqy9rg3LvdYDaBjMbXcjaY8ZNzaxmMc3R
-3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoSmJxZZoY+rfGwyj4GD3vw
-EUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFnol57plzy
-9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9V
-GxyhLrXHFub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ
-2fjXctscvG29ZV/viDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsV
-WaFHVCkugyhfHMKiq3IXAAaOReyL4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gD
-W/3FKqD2cyOEEBsB5wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
-BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFrlJPrw6PRFKMwDQYJKoZIhvcN
-AQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnYWv6IAcVYpZmxI1Qj
-t2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa5hV+rVHV
-DRDtfULAj+7AmgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9
-TaDKQGXSc3z1i9kKlT/YPyNtGtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8G
-lwmEKYBhHfpe/3OsoOOJuBxxFcbeMX8S3OFtm6/n6J91eEyrRjuazr8FGF1NFTwW
-mhlQBJqymm9li1JfPFgEKCXAZmExfrngdbkaqIHWchezxQMxNRF4eKLg6TCMf4Df
-WN88uieW4oA0beOY02QnrEh+KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4Mhn5
-+bl53B/N66+rDt0b20XkeucC4pVd/GnwU2lhlXV5C15V5jgclKlZM57IcXR5f1GJ
-tshquDDIajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nzfxJoCTFx8G34Tkf71oXuxVhA
-GaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dxVJCO2SCdUyt/q4/i6jC8UDfv
-8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLatt8o+Ae+c
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Izenpe.com,O=IZENPE S.A.,C=ES",
-		sha256Hash: "2530cc8e98321502bad96f9b1fba1b099e2d299e0f4548bb914f363bc0d4531f",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4
-MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6
-ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD
-VQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5j
-b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq
-scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaO
-xdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6H
-LmYRY2xU+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFX
-uaOKmMPsOzTFlUFpfnXCPCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQD
-yCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxTOTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+
-JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbKF7jJeodWLBoBHmy+E60Q
-rLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK0GqfvEyN
-BjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8L
-hij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB
-QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+
-HMh3/1uaD7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2lu
-Zm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYg
-QTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBB
-BgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx
-MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUA
-A4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWb
-laQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56
-awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwo
-JNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lw
-LDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCT
-VyvehQP5aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGk
-LhObNA5me0mrZJfQRsN5nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJb
-UjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/
-QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy2+tzJOeRf1SktoA+
-naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1ZWrOZyGls
-QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU,1.2.840.113549.1.9.1=#0c10696e666f40652d737a69676e6f2e6875",
-		sha256Hash: "3c5f81fea5fab82c64bfa2eaecafcde8e077fc8620a7cae537163df36edbf378",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
-VQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0
-ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0G
-CSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5odTAeFw0wOTA2MTYxMTMwMThaFw0y
-OTEyMzAxMTMwMThaMIGCMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3Qx
-FjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3pp
-Z25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5o
-dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOn4j/NjrdqG2KfgQvvP
-kd6mJviZpWNwrZuuyjNAfW2WbqEORO7hE52UQlKavXWFdCyoDh2Tthi3jCyoz/tc
-cbna7P7ofo/kLx2yqHWH2Leh5TvPmUpG0IMZfcChEhyVbUr02MelTTMuhTlAdX4U
-fIASmFDHQWe4oIBhVKZsTh/gnQ4H6cm6M+f+wFUoLAKApxn1ntxVUwOXewdI/5n7
-N4okxFnMUBBjjqqpGrCEGob5X7uxUG6k0QrM1XF+H6cbfPVTbiJfyyvm1HxdrtbC
-xkzlBQHZ7Vf8wSN5/PrIJIOV87VqUQHQd9bpEqH5GoP7ghu5sJf0dgYzQ0mg/wu1
-+rUCAwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
-A1UdDgQWBBTLD8bfQkPMPcu1SCOhGnqmKrs0aDAfBgNVHSMEGDAWgBTLD8bfQkPM
-Pcu1SCOhGnqmKrs0aDAbBgNVHREEFDASgRBpbmZvQGUtc3ppZ25vLmh1MA0GCSqG
-SIb3DQEBCwUAA4IBAQDJ0Q5eLtXMs3w+y/w9/w0olZMEyL/azXm4Q5DwpL7v8u8h
-mLzU1F0G9u5C7DBsoKqpyvGvivo/C3NqPuouQH4frlRheesuCDfXI/OMn74dseGk
-ddug4lQUsbocKaQY9hK6ohQU4zE1yED/t+AFdlfBHFny+L/k7SViXITwfn4fs775
-tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c
-2Pm2G2JwCz02yULyMtd6YebS2z3PyKnJm9zbWETXbzivf3jTo60adbocwTZ8jx5t
-HMN1Rq41Bab2XD0h7lbwyYIiLXpUq3DDfSJlgnCW
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Microsoft ECC Root Certificate Authority 2017,O=Microsoft Corporation,C=US",
-		sha256Hash: "358df39d764af9e1b766e9c972df352ee15cfac227af6ad1d70e8e4a6edcba02",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICWTCCAd+gAwIBAgIQZvI9r4fei7FK6gxXMQHC7DAKBggqhkjOPQQDAzBlMQsw
-CQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYD
-VQQDEy1NaWNyb3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
-MTcwHhcNMTkxMjE4MjMwNjQ1WhcNNDIwNzE4MjMxNjA0WjBlMQswCQYDVQQGEwJV
-UzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1NaWNy
-b3NvZnQgRUNDIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwdjAQBgcq
-hkjOPQIBBgUrgQQAIgNiAATUvD0CQnVBEyPNgASGAlEvaqiBYgtlzPbKnR5vSmZR
-ogPZnZH6thaxjG7efM3beaYvzrvOcS/lpaso7GMEZpn4+vKTEAXhgShC48Zo9OYb
-hGBKia/teQ87zvH2RPUBeMCjVDBSMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBTIy5lycFIM+Oa+sgRXKSrPQhDtNTAQBgkrBgEEAYI3
-FQEEAwIBADAKBggqhkjOPQQDAwNoADBlAjBY8k3qDPlfXu5gKcs68tvWMoQZP3zV
-L8KxzJOuULsJMsbG7X7JNpQS5GiFBqIb0C8CMQCZ6Ra0DvpWSNSkMBaReNtUjGUB
-iudQZsIxtzm6uBoiB078a1QWIP8rtedMDE2mT3M=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Microsoft RSA Root Certificate Authority 2017,O=Microsoft Corporation,C=US",
-		sha256Hash: "c741f70f4b2a8d88bf2e71c14122ef53ef10eba0cfa5e64cfa20f418853073e0",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFqDCCA5CgAwIBAgIQHtOXCV/YtLNHcB6qvn9FszANBgkqhkiG9w0BAQwFADBl
-MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYw
-NAYDVQQDEy1NaWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
-IDIwMTcwHhcNMTkxMjE4MjI1MTIyWhcNNDIwNzE4MjMwMDIzWjBlMQswCQYDVQQG
-EwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1N
-aWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKW76UM4wplZEWCpW9R2LBifOZ
-Nt9GkMml7Xhqb0eRaPgnZ1AzHaGm++DlQ6OEAlcBXZxIQIJTELy/xztokLaCLeX0
-ZdDMbRnMlfl7rEqUrQ7eS0MdhweSE5CAg2Q1OQT85elss7YfUJQ4ZVBcF0a5toW1
-HLUX6NZFndiyJrDKxHBKrmCk3bPZ7Pw71VdyvD/IybLeS2v4I2wDwAW9lcfNcztm
-gGTjGqwu+UcF8ga2m3P1eDNbx6H7JyqhtJqRjJHTOoI+dkC0zVJhUXAoP8XFWvLJ
-jEm7FFtNyP9nTUwSlq31/niol4fX/V4ggNyhSyL71Imtus5Hl0dVe49FyGcohJUc
-aDDv70ngNXtk55iwlNpNhTs+VcQor1fznhPbRiefHqJeRIOkpcrVE7NLP8TjwuaG
-YaRSMLl6IE9vDzhTyzMMEyuP1pq9KsgtsRx9S1HKR9FIJ3Jdh+vVReZIZZ2vUpC6
-W6IYZVcSn2i51BVrlMRpIpj0M+Dt+VGOQVDJNE92kKz8OMHY4Xu54+OU4UZpyw4K
-UGsTuqwPN1q3ErWQgR5WrlcihtnJ0tHXUeOrO8ZV/R4O03QK0dqq6mm4lyiPSMQH
-+FJDOvTKVTUssKZqwJz58oHhEmrARdlns87/I6KJClTUFLkqqNfs+avNJVgyeY+Q
-W5g5xAgGwax/Dj0ApQIDAQABo1QwUjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/
-BAUwAwEB/zAdBgNVHQ4EFgQUCctZf4aycI8awznjwNnpv7tNsiMwEAYJKwYBBAGC
-NxUBBAMCAQAwDQYJKoZIhvcNAQEMBQADggIBAKyvPl3CEZaJjqPnktaXFbgToqZC
-LgLNFgVZJ8og6Lq46BrsTaiXVq5lQ7GPAJtSzVXNUzltYkyLDVt8LkS/gxCP81OC
-gMNPOsduET/m4xaRhPtthH80dK2Jp86519efhGSSvpWhrQlTM93uCupKUY5vVau6
-tZRGrox/2KJQJWVggEbbMwSubLWYdFQl3JPk+ONVFT24bcMKpBLBaYVu32TxU5nh
-SnUgnZUP5NbcA/FZGOhHibJXWpS2qdgXKxdJ5XbLwVaZOjex/2kskZGT4d9Mozd2
-TaGf+G0eHdP67Pv0RR0Tbc/3WeUiJ3IrhvNXuzDtJE3cfVa7o7P4NHmJweDyAmH3
-pvwPuxwXC65B2Xy9J6P9LjrRk5Sxcx0ki69bIImtt2dmefU6xqaWM/5TkshGsRGR
-xpl/j8nWZjEgQRCHLQzWwa80mMpkg/sTV9HB8Dx6jKXB/ZUhoHHBk2dxEuqPiApp
-GWSZI1b7rCoucL5mxAyE7+WL85MB+GqQk2dLsmijtWKP6T+MejteD+eMuMZ87zf9
-dOLITzNy4ZQ5bb0Sr74MTnB8G2+NszKTc0QWbej09+CVgI+WXTik9KveCjCHk9hN
-AHFiRSdLOkKEW39lt2c0Ui2cFmuqqNh7o0JMcccMyj6D5KbvtwEwXlGjefVwaaZB
-RA+GsCyRxj3qrg+E
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR",
-		sha256Hash: "88f438dcf8ffd1fa8f429115ffe5f82ae1e06e0c70c375faad717b34a49e7265",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM
-BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG
-T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0
-aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx
-CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD
-b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB
-dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA
-iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH
-38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE
-HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz
-kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP
-szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq
-vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf
-nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG
-YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo
-0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a
-CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K
-AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I
-36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
-Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN
-qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj
-cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm
-+LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL
-hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe
-lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7
-p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8
-piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR
-LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX
-5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO
-dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul
-9XXeifdy
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU",
-		sha256Hash: "6c61dac3a2def031506be036d2a6fe401994fbd13df9c8d466599274c446ec98",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG
-EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3
-MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl
-cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR
-dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB
-pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM
-b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm
-aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz
-IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT
-lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz
-AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5
-VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG
-ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2
-BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG
-AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M
-U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh
-bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C
-+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC
-bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F
-uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
-XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH",
-		sha256Hash: "6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBt
-MQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUg
-Rm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i
-YWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAwMzJaFw0zOTEyMDExNTEwMzFaMG0x
-CzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBG
-b3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2Jh
-bCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3
-HEokKtaXscriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGx
-WuR51jIjK+FTzJlFXHtPrby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX
-1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNk
-u7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4oQnc/nSMbsrY9gBQHTC5P
-99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvgGUpuuy9r
-M2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUB
-BAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrgh
-cViXfa43FK8+5/ea4n32cZiZBKpDdHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5
-gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0VQreUGdNZtGn//3ZwLWoo4rO
-ZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEuiHZeeevJuQHHf
-aPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic
-Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH",
-		sha256Hash: "8560f91c3624daba9570b5fea0dbe36ff11a8323be9486854fb3f34a5571198d",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICaTCCAe+gAwIBAgIQISpWDK7aDKtARb8roi066jAKBggqhkjOPQQDAzBtMQsw
-CQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91
-bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwg
-Um9vdCBHQyBDQTAeFw0xNzA1MDkwOTQ4MzRaFw00MjA1MDkwOTU4MzNaMG0xCzAJ
-BgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBGb3Vu
-ZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2JhbCBS
-b290IEdDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAETOlQwMYPchi82PG6s4ni
-eUqjFqdrVCTbUf/q9Akkwwsin8tqJ4KBDdLArzHkdIJuyiXZjHWd8dvQmqJLIX4W
-p2OQ0jnUsYd4XxiWD1AbNTcPasbc2RNNpI6QN+a9WzGRo1QwUjAOBgNVHQ8BAf8E
-BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUSIcUrOPDnpBgOtfKie7T
-rYy0UGYwEAYJKwYBBAGCNxUBBAMCAQAwCgYIKoZIzj0EAwMDaAAwZQIwJsdpW9zV
-57LnyAyMjMPdeYwbY9XJUpROTYJKcx6ygISpJcBMWm1JKWB4E+J+SOtkAjEA2zQg
-Mgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM",
-		sha256Hash: "8a866fd1b276b57e578e921c65828a2bed58e9f2f288054134b7f1f4bfc9cc74",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFYDCCA0igAwIBAgIUeFhfLq0sGUvjNwc1NBMotZbUZZMwDQYJKoZIhvcNAQEL
-BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
-BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMSBHMzAeFw0xMjAxMTIxNzI3NDRaFw00
-MjAxMTIxNzI3NDRaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM
-aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDEgRzMwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCgvlAQjunybEC0BJyFuTHK3C3kEakEPBtV
-wedYMB0ktMPvhd6MLOHBPd+C5k+tR4ds7FtJwUrVu4/sh6x/gpqG7D0DmVIB0jWe
-rNrwU8lmPNSsAgHaJNM7qAJGr6Qc4/hzWHa39g6QDbXwz8z6+cZM5cOGMAqNF341
-68Xfuw6cwI2H44g4hWf6Pser4BOcBRiYz5P1sZK0/CPTz9XEJ0ngnjybCKOLXSoh
-4Pw5qlPafX7PGglTvF0FBM+hSo+LdoINofjSxxR3W5A2B4GbPgb6Ul5jxaYA/qXp
-UhtStZI5cgMJYr2wYBZupt0lwgNm3fME0UDiTouG9G/lg6AnhF4EwfWQvTA9xO+o
-abw4m6SkltFi2mnAAZauy8RRNOoMqv8hjlmPSlzkYZqn0ukqeI1RPToV7qJZjqlc
-3sX5kCLliEVx3ZGZbHqfPT2YfF72vhZooF6uCyP8Wg+qInYtyaEQHeTTRCOQiJ/G
-KubX9ZqzWB4vMIkIG1SitZgj7Ah3HJVdYdHLiZxfokqRmu8hqkkWCKi9YSgxyXSt
-hfbZxbGL0eUQMk1fiyA6PEkfM4VZDdvLCXVDaXP7a3F98N/ETH3Goy7IlXnLc6KO
-Tk0k+17kBL5yG6YnLUlamXrXXAkgt3+UuU/xDRxeiEIbEbfnkduebPRq34wGmAOt
-zCjvpUfzUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-BjAdBgNVHQ4EFgQUo5fW816iEOGrRZ88F2Q87gFwnMwwDQYJKoZIhvcNAQELBQAD
-ggIBABj6W3X8PnrHX3fHyt/PX8MSxEBd1DKquGrX1RUVRpgjpeaQWxiZTOOtQqOC
-MTaIzen7xASWSIsBx40Bz1szBpZGZnQdT+3Btrm0DWHMY37XLneMlhwqI2hrhVd2
-cDMT/uFPpiN3GPoajOi9ZcnPP/TJF9zrx7zABC4tRi9pZsMbj/7sPtPKlL92CiUN
-qXsCHKnQO18LwIE6PWThv6ctTr1NxNgpxiIY0MWscgKCP6o6ojoilzHdCGPDdRS5
-YCgtW2jgFqlmgiNR9etT2DGbe+m3nUvriBbP+V04ikkwj+3x6xn0dxoxGE1nVGwv
-b2X52z3sIexe9PSLymBlVNFxZPT5pqOBMzYzcfCkeF9OrYMh3jRJjehZrJ3ydlo2
-8hP0r+AJx2EqbPfgna67hkooby7utHnNkDPDs3b69fBsnQGQ+p6Q9pxyz0fawx/k
-NSBT8lTR32GDpgLiJTjehTItXnOQUl1CxM49S+H5GYQd1aJQzEH7QRTDvdbJWqNj
-ZgKAvQU6O0ec7AAmTPWIUb+oI38YB7AL7YsmoWTTYUrrXJ/es69nA7Mf3W1daWhp
-q1467HxpvMc7hU6eFbm0FU/DlXpY18ls6Wy58yljXrQs8C097Vpl4KlbQMJImYFt
-nh8GKjwStIsPm6Ik8KaN1nrgS7ZklmOVhMJKzRwuJIczYOXD
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM",
-		sha256Hash: "8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQEL
-BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
-BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00
-MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM
-aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIgRzMwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFhZiFf
-qq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMW
-n4rjyduYNM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ym
-c5GQYaYDFCDy54ejiK2toIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+
-O7q414AB+6XrW7PFXmAqMaCvN+ggOp+oMiwMzAkd056OXbxMmO7FGmh77FOm6RQ1
-o9/NgJ8MSPsc9PG/Srj61YxxSscfrf5BmrODXfKEVu+lV0POKa2Mq1W/xPtbAd0j
-IaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB1PLKFAeNilUSxmn1uIZoL1NesNKq
-IcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt9DTEceT/AFr2XK4jYIVz
-8eQQsSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0ykRVKYnLP43eh
-vNURG3YBZwjgQQvD6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9Uy3l
-7ZizlWNof/k19N+IxWA1ksB8aRxhlRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALG
-cC4BrTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-BjAdBgNVHQ4EFgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZIhvcNAQELBQAD
-ggIBAJHfgD9DCX5xwvfrs4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66
-AarHakE7kNQIXLJgapDwyM4DYvmL7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RC
-roijQ1h5fq7KpVMNqT1wvSAZYaRsOPxDMuHBR//47PERIjKWnML2W2mWeyAMQ0Ga
-W/ZZGYjeVYg3UQt4XAoeo0L9x52ID8DyeAIkVJOviYeIyUqAHerQbj5hLja7NQ4n
-lv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgzdWqTHBLmYF5vHX/JHyPLhGGfHoJE
-+V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6XU/IyAgkwo1jwDQHV
-csaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+NwmNtd
-dbINWQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNg
-KCLjsZWDzYWm3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeM
-HVOyToV7BjjHLPj4sHKNJeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4
-WSr2Rz0ZiC3oheGe7IUIarFsNMkd7EgrO3jtZsSOeWmD3n+M
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM",
-		sha256Hash: "85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
-GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
-b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
-BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
-YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
-GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
-Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
-WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
-rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
-+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
-ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
-Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
-PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
-/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
-oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
-yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
-EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
-A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
-MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
-ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
-BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
-g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
-fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
-WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
-B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
-hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
-TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
-mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
-ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
-4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
-8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM",
-		sha256Hash: "88ef81de202eb018452e43f864725cea5fbd1fc2d9d205730709c5d8b8690f46",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFYDCCA0igAwIBAgIULvWbAiin23r/1aOp7r0DoM8Sah0wDQYJKoZIhvcNAQEL
-BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
-BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMyBHMzAeFw0xMjAxMTIyMDI2MzJaFw00
-MjAxMTIyMDI2MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM
-aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDMgRzMwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCzyw4QZ47qFJenMioKVjZ/aEzHs286IxSR
-/xl/pcqs7rN2nXrpixurazHb+gtTTK/FpRp5PIpM/6zfJd5O2YIyC0TeytuMrKNu
-FoM7pmRLMon7FhY4futD4tN0SsJiCnMK3UmzV9KwCoWdcTzeo8vAMvMBOSBDGzXR
-U7Ox7sWTaYI+FrUoRqHe6okJ7UO4BUaKhvVZR74bbwEhELn9qdIoyhA5CcoTNs+c
-ra1AdHkrAj80//ogaX3T7mH1urPnMNA3I4ZyYUUpSFlob3emLoG+B01vr87ERROR
-FHAGjx+f+IdpsQ7vw4kZ6+ocYfx6bIrc1gMLnia6Et3UVDmrJqMz6nWB2i3ND0/k
-A9HvFZcba5DFApCTZgIhsUfei5pKgLlVj7WiL8DWM2fafsSntARE60f75li59wzw
-eyuxwHApw0BiLTtIadwjPEjrewl5qW3aqDCYz4ByA4imW0aucnl8CAMhZa634Ryl
-sSqiMd5mBPfAdOhx3v89WcyWJhKLhZVXGqtrdQtEPREoPHtht+KPZ0/l7DxMYIBp
-VzgeAVuNVejH38DMdyM0SXV89pgR6y3e7UEuFAUCf+D+IOs15xGsIs5XPd7JMG0Q
-A4XN8f+MFrXBsj6IbGB/kE+V9/YtrQE5BwT6dYB9v0lQ7e/JxHwc64B+27bQ3RP+
-ydOc17KXqQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-BjAdBgNVHQ4EFgQUxhfQvKjqAkPyGwaZXSuQILnXnOQwDQYJKoZIhvcNAQELBQAD
-ggIBADRh2Va1EodVTd2jNTFGu6QHcrxfYWLopfsLN7E8trP6KZ1/AvWkyaiTt3px
-KGmPc+FSkNrVvjrlt3ZqVoAh313m6Tqe5T72omnHKgqwGEfcIHB9UqM+WXzBusnI
-FUBhynLWcKzSt/Ac5IYp8M7vaGPQtSCKFWGafoaYtMnCdvvMujAWzKNhxnQT5Wvv
-oxXqA/4Ti2Tk08HS6IT7SdEQTXlm66r99I0xHnAUrdzeZxNMgRVhvLfZkXdxGYFg
-u/BYpbWcC/ePIlUnwEsBbTuZDdQdm2NnL9DuDcpmvJRPpq3t/O5jrFc/ZSXPsoaP
-0Aj/uHYUbt7lJ+yreLVTubY/6CD50qi+YUbKh4yE8/nxoGibIh6BJpsQBJFxwAYf
-3KDTuVan45gtf4Od34wrnDKOMpTwATwiKp9Dwi7DmDkHOHv8XgBCH/MyJnmDhPbl
-8MFREsALHgQjDFSlTC9JxUrRtm5gDWv8a4uFJGS3iQ6rJUdbPM9+Sb3H6QrG2vd+
-DhcI00iX0HGS8A85PjRqHH3Y8iKuu2n0M7SmSFXRDw4m6Oy2Cy2nhTXN/VnIn9HN
-PlopNLk9hM6xZdRZkZFWdSHBd575euFgndOtBBj0fOtek49TSiIp+EgrPk2GrFt/
-ywaZWWDYWGWVjUTR939+J399roD1B0y2PpxxVJkES/1Y+Zj0
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM",
-		sha256Hash: "18f1fc7f205df8adddeb7fe007dd57e3af375a9c4d8d73546bf4f1fed1e18d35",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIGnTCCBIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
-GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
-b3QgQ0EgMzAeFw0wNjExMjQxOTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNV
-BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
-YWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM
-V0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0CSzGrvI2RaNggDhoB
-4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2/7FWeUUr
-H556VOijKTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd
-8lyyBTNvijbO0BNO/79KDDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9Cabwv
-vWhDFlaJKjdhkf2mrk7AyxRllDdLkgbvBNDInIjbC3uBr7E9KsRlOni27tyAsdLT
-mZw67mtaa7ONt9XOnMK+pUsvFrGeaDsGb659n/je7Mwpp5ijJUMv7/FfJuGITfhe
-btfZFG4ZM2mnO4SJk8RTVROhUXhA+LjJou57ulJCg54U7QVSWllWp5f8nT8KKdjc
-T5EOE7zelaTfi5m+rJsziO+1ga8bxiJTyPbH7pcUsMV8eFLI8M5ud2CEpukqdiDt
-WAEXMJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgic6aIDFUhWMXhOp8q3crhkODZ
-c6tsgLjoC2SToJyMGf+z0gzskSaHirOi4XCPLArlzW1oUevaPwV/izLmE1xr/l9A
-4iLItLRkT9a6fUg+qGkM17uGcclzuD87nSVL2v9A6wIDAQABo4IBlTCCAZEwDwYD
-VR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHTBgkrBgEEAb5YAAMwgcUwgZMG
-CCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGNvbnN0
-aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0
-aWZpY2F0ZSBQb2xpY3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVu
-dC4wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2Nw
-czALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFPLAE+CCQz777i9nMpY1XNu4ywLQMG4G
-A1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4ywLQoUmkRzBFMQswCQYDVQQGEwJC
-TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UEAxMSUXVvVmFkaXMg
-Um9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv92ZVqyM0
-7ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSem
-d1o417+shvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd
-+LJ2w/w4E6oM3kJpK27zPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B
-4f/xI4hROJ/yZlZ25w9Rl6VSDE1JUZU2Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadN
-t54CrnMAyNojA+j56hl0YgCUyyIgvpSnWbWCar6ZeXqp8kokUvd0/bpO5qgdAm6x
-DYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8nby1dqnuH/grdS/yO9SbkbnBCbjPsMZ57
-k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs9ZgC06DYVYoGmRmioHfRMJ6s
-zHXug/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgWQgRecCocIdiP4b0j
-Wy10QJLZYxkNc91pvGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeT
-mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK
-4SVhM7JZG+Ju1zdXtg2pEto=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US",
-		sha256Hash: "22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC
-VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
-U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNTIzWhcNNDEwMjEyMTgx
-NTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv
-dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NMLmNv
-bSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMA
-VIbc/R/fALhBYlzccBYy3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1Kthku
-WnBaBu2+8KGwytAJKaNjMGEwHQYDVR0OBBYEFFvKXuXe0oGqzagtZFG22XKbl+ZP
-MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe5d7SgarNqC1kUbbZcpuX
-5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJN+vp1RPZ
-ytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZg
-h5Mmm7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US",
-		sha256Hash: "2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV
-BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE
-CgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMB4XDTE3MDUzMTE4MTQzN1oXDTQy
-MDUzMDE4MTQzN1owgYIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4G
-A1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQD
-DC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIy
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjzZlQOHWTcDXtOlG2mvq
-M0fNTPl9fb69LT3w23jhhqXZuglXaO1XPqDQCEGD5yhBJB/jchXQARr7XnAjssuf
-OePPxU7Gkm0mxnu7s9onnQqG6YE3Bf7wcXHswxzpY6IXFJ3vG2fThVUCAtZJycxa
-4bH3bzKfydQ7iEGonL3Lq9ttewkfokxykNorCPzPPFTOZw+oz12WGQvE43LrrdF9
-HSfvkusQv1vrO6/PgN3B0pYEW3p+pKk8OHakYo6gOV7qd89dAFmPZiw+B6KjBSYR
-aZfqhbcPlgtLyEDhULouisv3D5oi53+aNxPN8k0TayHRwMwi8qFG9kRpnMphNQcA
-b9ZhCBHqurj26bNg5U257J8UZslXWNvNh2n4ioYSA0e/ZhN2rHd9NCSFg83XqpyQ
-Gp8hLH94t2S42Oim9HizVcuE0jLEeK6jj2HdzghTreyI/BXkmg3mnxp3zkyPuBQV
-PWKchjgGAGYS5Fl2WlPAApiiECtoRHuOec4zSnaqW4EWG7WK2NAAe15itAnWhmMO
-pgWVSbooi4iTsjQc2KRVbrcc0N6ZVTsj9CLg+SlmJuwgUHfbSguPvuUCYHBBXtSu
-UDkiFCbLsjtzdFVHB3mBOagwE0TlBIqulhMlQg+5U8Sb/M3kHN48+qvWBkofZ6aY
-MBzdLNvcGJVXZsb/XItW9XcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNV
-HSMEGDAWgBT5YLvU49U09rj1BoAlp3PbRmmonjAdBgNVHQ4EFgQU+WC71OPVNPa4
-9QaAJadz20ZpqJ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBW
-s47LCp1Jjr+kxJG7ZhcFUZh1++VQLHqe8RT6q9OKPv+RKY9ji9i0qVQBDb6Thi/5
-Sm3HXvVX+cpVHBK+Rw82xd9qt9t1wkclf7nxY/hoLVUE0fKNsKTPvDxeH3jnpaAg
-cLAExbf3cqfeIg29MyVGjGSSJuM+LmOW2puMPfgYCdcDzH2GguDKBAdRUNf/ktUM
-79qGn5nX67evaOI5JpS6aLe/g9Pqemc9YmeuJeVy6OLk7K4S9ksrPJ/psEDzOFSz
-/bdoyNrGj1E8svuR3Bznm53htw1yj+KkxKl4+esUrMZDBcJlOSgYAsOCsp0FvmXt
-ll9ldDz7CTUue5wT/RsPXcdtgTpWD8w74a8CLyKsRspGPKAcTNZEtF4uXBVmCeEm
-Kf7GUmG6sXP/wwyc5WxqlD8UykAWlYTzWamsX0xhk23RO8yilQwipmdnRC652dKK
-QbNmC1r7fSOl8hqw/96bg5Qu0T/fkreRrwU7ZcegbLHNYhLDkBvjJc40vG93drEQ
-w/cFGsDWr3RiSBd3kmmQYRzelYB0VI8YHMPzA9C/pEN1hlMYegouCRw2n5H9gooi
-S9EOUCXdywMMF8mDAAhONU2Ki+3wApRmLER/y5UnlhetCTCstnEXbosX9hwJ1C07
-mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US",
-		sha256Hash: "3417bb06cc6007da1b961c920b8ab4ce3fad820e4aa30b9acbc4a74ebdcebc65",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMC
-VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
-U0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0
-aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNDAzWhcNNDEwMjEyMTgxNDAz
-WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0
-b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBS
-b290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB
-BAAiA2IABEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI
-7Z4INcgn64mMU1jrYor+8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPg
-CemB+vNH06NjMGEwHQYDVR0OBBYEFILRhXMw5zUE044CkvvlpNHEIejNMA8GA1Ud
-EwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTTjgKS++Wk0cQh6M0wDgYD
-VR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCWe+0F+S8T
-kdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+
-gA0z5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US",
-		sha256Hash: "85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE
-BhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQK
-DA9TU0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYwMjEyMTczOTM5WhcNNDEwMjEyMTcz
-OTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv
-dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNv
-bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2R
-xFdHaxh3a3by/ZPkPQ/CFp4LZsNWlJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aX
-qhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8P2FI7bADFB0QDksZ4LtO7IZl/zbzXmcC
-C52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/geoeOy3ZExqysdBP+lSgQ3
-6YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9aqkpk8zruFvh
-/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq/LrF
-YD3ZfBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93E
-JNyAKoFBbZQ+yODJgUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVc
-US4cK38acijnALXRdMbX5J+tB5O2UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8
-ZVWb3vUNiSYE/CUapiVpy8JtynziWV+XrOvvLsi81xtZPCvM8hnIk2snYxnP/Okm
-+Mpxm3+T/jRnhE6Z6/yzeAkzcLpmpnbtG3PrGqUNxCITIJRWCk4sbE6x/c+cCbqi
-M+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkHovV6fVJTEpKV7jiAJQ2mWTAPBgNV
-HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9UlMSkpXuOIAlDaZZMA4G
-A1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7Jp0cHh5wYfGV
-cpNxJK1ok1iOMq8bs3AD/CUrdIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8eEdBc
-Hadm47GUBwwyOabqG7B52B2ccETjit3E+ZUfijhDPwGFpUenPUayvOUiaPd7nNgs
-PgohyC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAslu1OJD7OAUN5F7kR/
-q5R4ZJjT9ijdh9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjqerQ0
-cuAjJ3dctpDqhiVAq+8zD8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jr
-a6x+3uxjMxW3IwiPxg+NQVrdjsW5j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90I
-H37hVZkLId6Tngr75qNJvTYw/ud3sqB1l7UtgYgXZSD32pAAn8lSzDLKNXz1PQ/Y
-K9f1JmzJBjSWFupwWRoyeXkLtoh/D1JIPb9s2KJELtFOt3JY04kTlf5Eq/jXixtu
-nLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406ywKBjYZC6VWg3dGq2ktuf
-oYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA8ShY
-Ic2wBlX7Jz9TkHCpBB5XJ7k=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US",
-		sha256Hash: "c32ffd9f46f936d16c3673990959434b9ad60aafbb9e7cf33654f144cc1ba143",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICOjCCAcCgAwIBAgIQFAP1q/s3ixdAW+JDsqXRxDAKBggqhkjOPQQDAzBOMQsw
-CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQDDBxT
-U0wuY29tIFRMUyBFQ0MgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzM0OFoXDTQ2
-MDgxOTE2MzM0N1owTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jwb3Jh
-dGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgRUNDIFJvb3QgQ0EgMjAyMjB2MBAG
-ByqGSM49AgEGBSuBBAAiA2IABEUpNXP6wrgjzhR9qLFNoFs27iosU8NgCTWyJGYm
-acCzldZdkkAZDsalE3D07xJRKF3nzL35PIXBz5SQySvOkkJYWWf9lCcQZIxPBLFN
-SeR7T5v15wj4A4j3p8OSSxlUgaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
-GDAWgBSJjy+j6CugFFR781a4Jl9nOAuc0DAdBgNVHQ4EFgQUiY8vo+groBRUe/NW
-uCZfZzgLnNAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMFXjIlbp
-15IkWE8elDIPDAI2wv2sdDJO4fscgIijzPvX6yv/N33w7deedWo1dlJF4AIxAMeN
-b0Igj762TVntd00pxCAgRWSGOlDGxK0tk/UYfXLtqc/ErFc2KAhl3zx5Zn6g6g==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US",
-		sha256Hash: "8faf7d2e2cb4709bb8e0b33666bf75a5dd45b5de480f8ea8d4bfe6bebc17f2ed",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFiTCCA3GgAwIBAgIQb77arXO9CEDii02+1PdbkTANBgkqhkiG9w0BAQsFADBO
-MQswCQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQD
-DBxTU0wuY29tIFRMUyBSU0EgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzQyMloX
-DTQ2MDgxOTE2MzQyMVowTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jw
-b3JhdGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgUlNBIFJvb3QgQ0EgMjAyMjCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANCkCXJPQIgSYT41I57u9nTP
-L3tYPc48DRAokC+X94xI2KDYJbFMsBFMF3NQ0CJKY7uB0ylu1bUJPiYYf7ISf5OY
-t6/wNr/y7hienDtSxUcZXXTzZGbVXcdotL8bHAajvI9AI7YexoS9UcQbOcGV0ins
-S657Lb85/bRi3pZ7QcacoOAGcvvwB5cJOYF0r/c0WRFXCsJbwST0MXMwgsadugL3
-PnxEX4MN8/HdIGkWCVDi1FW24IBydm5MR7d1VVm0U3TZlMZBrViKMWYPHqIbKUBO
-L9975hYsLfy/7PO0+r4Y9ptJ1O4Fbtk085zx7AGL0SDGD6C1vBdOSHtRwvzpXGk3
-R2azaPgVKPC506QVzFpPulJwoxJF3ca6TvvC0PeoUidtbnm1jPx7jMEWTO6Af77w
-dr5BUxIzrlo4QqvXDz5BjXYHMtWrifZOZ9mxQnUjbvPNQrL8VfVThxc7wDNY8VLS
-+YCk8OjwO4s4zKTGkH8PnP2L0aPP2oOnaclQNtVcBdIKQXTbYxE3waWglksejBYS
-d66UNHsef8JmAOSqg+qKkK3ONkRN0VHpvB/zagX9wHQfJRlAUW7qglFA35u5CCoG
-AtUjHBPW6dvbxrB6y3snm/vg1UYk7RBLY0ulBY+6uB0rpvqR4pJSvezrZ5dtmi2f
-gTIFZzL7SAg/2SW4BCUvAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j
-BBgwFoAU+y437uOEeicuzRk1sTN8/9REQrkwHQYDVR0OBBYEFPsuN+7jhHonLs0Z
-NbEzfP/UREK5MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAjYlt
-hEUY8U+zoO9opMAdrDC8Z2awms22qyIZZtM7QbUQnRC6cm4pJCAcAZli05bg4vsM
-QtfhWsSWTVTNj8pDU/0quOr4ZcoBwq1gaAafORpR2eCNJvkLTqVTJXojpBzOCBvf
-R4iyrT7gJ4eLSYwfqUdYe5byiB0YrrPRpgqU+tvT5TgKa3kSM/tKWTcWQA673vWJ
-DPFs0/dRa1419dvAJuoSc06pkZCmF8NsLzjUo3KUQyxi4U5cMj29TH0ZR6LDSeeW
-P4+a0zvkEdiLA9z2tmBVGKaBUfPhqBVq6+AL8BQx1rmMRTqoENjwuSfr98t67wVy
-lrXEj5ZzxOhWc5y8aVFjvO9nHEMaX3cZHxj4HCUp+UmZKbaSPaKDN7EgkaibMOlq
-bLQjk2UEqxHzDh1TJElTHaE/nUiSEeJ9DU/1172iWD54nR4fK/4huxoTtrEoZP2w
-AgDHbICivRZQIA9ygV/MlP+7mea6kMvq+cYMwq7FGc4zoWtcu358NFcXrfA/rs3q
-r5nsLFR+jM4uElZI7xc7P0peYNLcdDa8pUNjyw9bowJWCZ4kLOGGgYz+qxcs+sji
-Mho6/4UIyYOf8kpIEFR3N+2ivEC+5BB09+Rbu7nzifmPQdjH5FCQNYA+HLhNkNPU
-98OwoX6EyneSMSy4kLGCenROmxMmtNVQZlR4rmA=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL",
-		sha256Hash: "a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk1uQwDQYJKoZIhvcNAQEL
-BQAwUTELMAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6
-ZW5pb3dhIFMuQS4xGDAWBgNVBAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEwMTkw
-NzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJBgNVBAYTAlBMMSgwJgYDVQQKDB9L
-cmFqb3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYDVQQDDA9TWkFGSVIg
-Uk9PVCBDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5QqEvN
-QLXOYeeWyrSh2gwisPq1e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT
-3PSQ1hNKDJA8w/Ta0o4NkjrcsbH/ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw
-3gAeqDRHu5rr/gsUvTaE2g0gv/pby6kWIK05YO4vdbbnl5z5Pv1+TW9NL++IDWr6
-3fE9biCloBK0TXC5ztdyO4mTp4CEHCdJckm1/zuVnsHMyAHs6A6KCpbns6aH5db5
-BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwiieDhZNRnvDF5YTy7ykHN
-XGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsF
-AAOCAQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw
-8PRBEew/R40/cof5O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOG
-nXkZ7/e7DDWQw4rtTw/1zBLZpD67oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCP
-oky4rc/hkA/NrgrHXXu3UNLUYfrVFdvXn4dRVOul4+vJhaAlIDf7js4MNIThPIGy
-d05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6+/NNIxuZMzSg
-LvWpCz/UXeHPhJ/iGcJfitYgHuNztw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB",
-		sha256Hash: "c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICOjCCAcGgAwIBAgIQQvLM2htpN0RfFf51KBC49DAKBggqhkjOPQQDAzBfMQsw
-CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1T
-ZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwHhcN
-MjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEYMBYG
-A1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1YmxpYyBT
-ZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQA
-IgNiAAR2+pmpbiDt+dd34wc7qNs9Xzjoq1WmVk/WSOrsfy2qw7LFeeyZYX8QeccC
-WvkEN/U0NSt3zn8gj1KjAIns1aeibVvjS5KToID1AZTc8GgHHs3u/iVStSBDHBv+
-6xnOQ6OjQjBAMB0GA1UdDgQWBBTRItpMWfFLXyY4qp3W7usNw/upYTAOBgNVHQ8B
-Af8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjAn7qRa
-qCG76UeXlImldCBteU/IvZNeWBj7LRoAasm4PdCkT0RHlAFWovgzJQxC36oCMB3q
-4S6ILuH5px0CMk7yn2xVdOOurvulGu7t0vzCAxHrRVxgED1cf5kDW21USAGKcw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GB",
-		sha256Hash: "7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFijCCA3KgAwIBAgIQdY39i658BwD6qSWn4cetFDANBgkqhkiG9w0BAQwFADBf
-MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD
-Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw
-HhcNMjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEY
-MBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1Ymxp
-YyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCTvtU2UnXYASOgHEdCSe5jtrch/cSV1UgrJnwUUxDa
-ef0rty2k1Cz66jLdScK5vQ9IPXtamFSvnl0xdE8H/FAh3aTPaE8bEmNtJZlMKpnz
-SDBh+oF8HqcIStw+KxwfGExxqjWMrfhu6DtK2eWUAtaJhBOqbchPM8xQljeSM9xf
-iOefVNlI8JhD1mb9nxc4Q8UBUQvX4yMPFF1bFOdLvt30yNoDN9HWOaEhUTCDsG3X
-ME6WW5HwcCSrv0WBZEMNvSE6Lzzpng3LILVCJ8zab5vuZDCQOc2TZYEhMbUjUDM3
-IuM47fgxMMxF/mL50V0yeUKH32rMVhlATc6qu/m1dkmU8Sf4kaWD5QazYw6A3OAS
-VYCmO2a0OYctyPDQ0RTp5A1NDvZdV3LFOxxHVp3i1fuBYYzMTYCQNFu31xR13NgE
-SJ/AwSiItOkcyqex8Va3e0lMWeUgFaiEAin6OJRpmkkGj80feRQXEgyDet4fsZfu
-+Zd4KKTIRJLpfSYFplhym3kT2BFfrsU4YjRosoYwjviQYZ4ybPUHNs2iTG7sijbt
-8uaZFURww3y8nDnAtOFr94MlI1fZEoDlSfB1D++N6xybVCi0ITz8fAr/73trdf+L
-HaAZBav6+CuBQug4urv7qv094PPK306Xlynt8xhW6aWWrL3DkJiy4Pmi1KZHQ3xt
-zwIDAQABo0IwQDAdBgNVHQ4EFgQUVnNYZJX5khqwEioEYnmhQBWIIUkwDgYDVR0P
-AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAC9c
-mTz8Bl6MlC5w6tIyMY208FHVvArzZJ8HXtXBc2hkeqK5Duj5XYUtqDdFqij0lgVQ
-YKlJfp/imTYpE0RHap1VIDzYm/EDMrraQKFz6oOht0SmDpkBm+S8f74TlH7Kph52
-gDY9hAaLMyZlbcp+nv4fjFg4exqDsQ+8FxG75gbMY/qB8oFM2gsQa6H61SilzwZA
-Fv97fRheORKkU55+MkIQpiGRqRxOF3yEvJ+M0ejf5lG5Nkc/kLnHvALcWxxPDkjB
-JYOcCj+esQMzEhonrPcibCTRAUH4WAP+JWgiH5paPHxsnnVI84HxZmduTILA7rpX
-DhjvLpr3Etiga+kFpaHpaPi8TD8SHkXoUsCjvxInebnMMTzD9joiFgOgyY9mpFui
-TdaBJQbpdqQACj7LzTWb4OE4y2BThihCQRxEV+ioratF4yUQvNs+ZUH7G6aXD+u5
-dHn5HrwdVw1Hr8Mvn4dGp+smWg9WY7ViYG4A++MnESLn/pmPNPW56MORcr3Ywx65
-LvKRRFHQV80MNNVIIb/bE/FmJUNS0nAiNs2fxBx1IK1jcmMGDw4nztJqDby1ORrp
-0XZ60Vzk50lJLVU3aPAaOpg+VBeHVOmmJ1CJeyAvP/+/oYtKR5j/K3tJPsMpRmAY
-QqszKbrAKbkTidOIijlBO8n9pu0f9GBj39ItVQGL
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Secure Global CA,O=SecureTrust Corporation,C=US",
-		sha256Hash: "4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK
-MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
-GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx
-MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg
-Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ
-iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa
-/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ
-jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI
-HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7
-sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w
-gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw
-KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG
-AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L
-URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO
-H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm
-I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY
-iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc
-f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SecureSign Root CA12,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
-		sha256Hash: "3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDcjCCAlqgAwIBAgIUZvnHwa/swlG07VOX5uaCwysckBYwDQYJKoZIhvcNAQEL
-BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u
-LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExMjAeFw0yMDA0MDgw
-NTM2NDZaFw00MDA0MDgwNTM2NDZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD
-eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS
-b290IENBMTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6OcE3emhF
-KxS06+QT61d1I02PJC0W6K6OyX2kVzsqdiUzg2zqMoqUm048luT9Ub+ZyZN+v/mt
-p7JIKwccJ/VMvHASd6SFVLX9kHrko+RRWAPNEHl57muTH2SOa2SroxPjcf59q5zd
-J1M3s6oYwlkm7Fsf0uZlfO+TvdhYXAvA42VvPMfKWeP+bl+sg779XSVOKik71gur
-FzJ4pOE+lEa+Ym6b3kaosRbnhW70CEBFEaCeVESE99g2zvVQR9wsMJvuwPWW0v4J
-hscGWa5Pro4RmHvzC1KqYiaqId+OJTN5lxZJjfU+1UefNzFJM3IFTQy2VYzxV4+K
-h9GtxRESOaCtAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
-AgEGMB0GA1UdDgQWBBRXNPN0zwRL1SXm8UC2LEzZLemgrTANBgkqhkiG9w0BAQsF
-AAOCAQEAPrvbFxbS8hQBICw4g0utvsqFepq2m2um4fylOqyttCg6r9cBg0krY6Ld
-mmQOmFxv3Y67ilQiLUoT865AQ9tPkbeGGuwAtEGBpE/6aouIs3YIcipJQMPTw4WJ
-mBClnW8Zt7vPemVV2zfrPIpyMpcemik+rY3moxtt9XUa5rBouVui7mlHJzWhhpmA
-8zNL4WukJsPvdFlseqJkth5Ew1DgDzk9qTPxpfPSvWKErI4cqc1avTc7bgoitPQV
-55FYxTpE05Uo2cBl6XLK0A+9H7MV2anjpEcJnuDLN/v9vZfVvhgaaaI5gdka9at/
-yOPiZwud9AzqVN/Ssq+xIvEg37xEHA==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SecureSign Root CA14,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
-		sha256Hash: "4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFcjCCA1qgAwIBAgIUZNtaDCBO6Ncpd8hQJ6JaJ90t8sswDQYJKoZIhvcNAQEM
-BQAwUTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28u
-LCBMdGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNDAeFw0yMDA0MDgw
-NzA2MTlaFw00NTA0MDgwNzA2MTlaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpD
-eWJlcnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBS
-b290IENBMTQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDF0nqh1oq/
-FjHQmNE6lPxauG4iwWL3pwon71D2LrGeaBLwbCRjOfHw3xDG3rdSINVSW0KZnvOg
-vlIfX8xnbacuUKLBl422+JX1sLrcneC+y9/3OPJH9aaakpUqYllQC6KxNedlsmGy
-6pJxaeQp8E+BgQQ8sqVb1MWoWWd7VRxJq3qdwudzTe/NCcLEVxLbAQ4jeQkHO6Lo
-/IrPj8BGJJw4J+CDnRugv3gVEOuGTgpa/d/aLIJ+7sr2KeH6caH3iGicnPCNvg9J
-kdjqOvn90Ghx2+m1K06Ckm9mH+Dw3EzsytHqunQG+bOEkJTRX45zGRBdAuVwpcAQ
-0BB8b8VYSbSwbprafZX1zNoCr7gsfXmPvkPx+SgojQlD+Ajda8iLLCSxjVIHvXib
-y8posqTdDEx5YMaZ0ZPxMBoH064iwurO8YQJzOAUbn8/ftKChazcqRZOhaBgy/ac
-18izju3Gm5h1DVXoX+WViwKkrkMpKBGk5hIwAUt1ax5mnXkvpXYvHUC0bcl9eQjs
-0Wq2XSqypWa9a4X0dFbD9ed1Uigspf9mR6XU/v6eVL9lfgHWMI+lNpyiUBzuOIAB
-SMbHdPTGrMNASRZhdCyvjG817XsYAFs2PJxQDcqSMxDxJklt33UkN4Ii1+iW/RVL
-ApY+B3KVfqs9TC7XyvDf4Fg/LS8EmjijAQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUBpOjCl4oaTeqYR3r6/wtbyPk
-86AwDQYJKoZIhvcNAQEMBQADggIBAJaAcgkGfpzMkwQWu6A6jZJOtxEaCnFxEM0E
-rX+lRVAQZk5KQaID2RFPeje5S+LGjzJmdSX7684/AykmjbgWHfYfM25I5uj4V7Ib
-ed87hwriZLoAymzvftAj63iP/2SbNDefNWWipAA9EiOWWF3KY4fGoweITedpdopT
-zfFP7ELyk+OZpDc8h7hi2/DsHzc/N19DzFGdtfCXwreFamgLRB7lUe6TzktuhsHS
-DCRZNhqfLJGP4xjblJUK7ZGqDpncllPjYYPGFrojutzdfhrGe0K22VoF3Jpf1d+4
-2kd92jjbrDnVHmtsKheMYc2xbXIBw8MgAGJoFjHVdqqGuw6qnsb58Nn4DSEC5MUo
-FlkRudlpcyqSeLiSV5sI8jrlL5WwWLdrIBRtFO8KvH7YVdiI2i/6GaX7i+B/OfVy
-K4XELKzvGUWSTLNhB9xNH27SgRNcmvMSZ4PPmz+Ln52kuaiWA3rF7iDeM9ovnhp6
-dB7h7sxaOgTdsxoEqBRjrLdHEoOabPXm6RUVkRqEGQ6UROcSjiVbgGcZ3GOTEAtl
-Lor6CZpO2oYofaphNdgOpygau1LgePhsumywbrmHXumZNTfxPWQrqaA0k89jL9WB
-365jJ6UeTo3cKXhZ+PmhIIynJkBugnLNeLLIjzwec+fBH7/PzqUqm9tEZDKgu39c
-JRNItX+S
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SecureSign Root CA15,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
-		sha256Hash: "e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICIzCCAamgAwIBAgIUFhXHw9hJp75pDIqI7fBw+d23PocwCgYIKoZIzj0EAwMw
-UTELMAkGA1UEBhMCSlAxIzAhBgNVBAoTGkN5YmVydHJ1c3QgSmFwYW4gQ28uLCBM
-dGQuMR0wGwYDVQQDExRTZWN1cmVTaWduIFJvb3QgQ0ExNTAeFw0yMDA0MDgwODMy
-NTZaFw00NTA0MDgwODMyNTZaMFExCzAJBgNVBAYTAkpQMSMwIQYDVQQKExpDeWJl
-cnRydXN0IEphcGFuIENvLiwgTHRkLjEdMBsGA1UEAxMUU2VjdXJlU2lnbiBSb290
-IENBMTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQLUHSNZDKZmbPSYAi4Io5GdCx4
-wCtELW1fHcmuS1Iggz24FG1Th2CeX2yF2wYUleDHKP+dX+Sq8bOLbe1PL0vJSpSR
-ZHX+AezB2Ot6lHhWGENfa4HL9rzatAy2KZMIaY+jQjBAMA8GA1UdEwEB/wQFMAMB
-Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTrQciu/NWeUUj1vYv0hyCTQSvT
-9DAKBggqhkjOPQQDAwNoADBlAjEA2S6Jfl5OpBEHvVnCB96rMjhTKkZEBhd6zlHp
-4P9mLQlO4E/0BdGF9jVg3PVys0Z9AjBEmEYagoUeYWmJSwdLZrWeqrqgHkHZAXQ6
-bkU6iYAZezKYVWOr62Nuk22rGwlgMU4=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SecureTrust CA,O=SecureTrust Corporation,C=US",
-		sha256Hash: "f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI
-MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
-FzAVBgNVBAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIz
-MTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENv
-cnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQXOZEz
-Zum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO
-0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIao
-wW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj
-7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS
-8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjAT
-BgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
-/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCeg
-JYYjaHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGC
-NxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt3
-6Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/
-3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fiiu1cprp6poxkm
-D5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvnZyPS
-CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR
-3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Security Communication ECC RootCA1,O=SECOM Trust Systems CO.\\,LTD.,C=JP",
-		sha256Hash: "e74fbda55bd564c473a36b441aa799c8a68e077440e8288b9fa1e50e4bbaca11",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICODCCAb6gAwIBAgIJANZdm7N4gS7rMAoGCCqGSM49BAMDMGExCzAJBgNVBAYT
-AkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMSswKQYD
-VQQDEyJTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVDQyBSb290Q0ExMB4XDTE2MDYx
-NjA1MTUyOFoXDTM4MDExODA1MTUyOFowYTELMAkGA1UEBhMCSlAxJTAjBgNVBAoT
-HFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xKzApBgNVBAMTIlNlY3VyaXR5
-IENvbW11bmljYXRpb24gRUNDIFJvb3RDQTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNi
-AASkpW9gAwPDvTH00xecK4R1rOX9PVdu12O/5gSJko6BnOPpR27KkBLIE+Cnnfdl
-dB9sELLo5OnvbYUymUSxXv3MdhDYW72ixvnWQuRXdtyQwjWpS4g8EkdtXP9JTxpK
-ULGjQjBAMB0GA1UdDgQWBBSGHOf+LaVKiwj+KBH6vqNm+GBZLzAOBgNVHQ8BAf8E
-BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjAVXUI9/Lbu
-9zuxNuie9sRGKEkz0FhDKmMpzE2xtHqiuQ04pV1IKv3LsnNdo4gIxwwCMQDAqy0O
-be0YottT6SXbVQjgUMzfRGEWgqtJsLKB7HOHeLRMsmIbEvoWTSVLY70eN9k=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Starfield Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
-		sha256Hash: "2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5",
-		pem: `-----BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
-MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
-nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
-HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
-Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
-dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
-HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
-CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
-sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
-4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
-8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
-pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
-mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
-		sha256Hash: "568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5",
-		pem: `-----BEGIN CERTIFICATE-----
-MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVs
-ZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5
-MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYD
-VQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFy
-ZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2Vy
-dmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20p
-OsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm2
-8xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1K
-Ts9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufe
-hRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk
-6mFBrMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAw
-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+q
-AdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMI
-bw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSdHynVv/heyNXB
-ve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdByPq1z
-qwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd
-iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn
-0q23KXB56jzaYyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCN
-sSi6
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH",
-		sha256Hash: "62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688f647c6881f2c8357b95",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2ln
-biBHb2xkIENBIC0gRzIwHhcNMDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBF
-MQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMR8wHQYDVQQDExZT
-d2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAr+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUqt2/8
-76LQwB8CJEoTlo8jE+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+
-bbqBHH5CjCA12UNNhPqE21Is8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c
-6bM8K8vzARO/Ws/BtQpgvd21mWRTuKCWs2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqE
-emA8atufK+ze3gE/bk3lUIbLtK/tREDFylqM2tIrfKjuvqblCqoOpd8FUrdVxyJd
-MmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvRAiTysybUa9oEVeXBCsdt
-MDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuendjIj3o02y
-MszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69y
-FGkOpeUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPi
-aG59je883WX0XaxR7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxM
-gI93e2CaHt+28kgeDrpOVG2Y4OGiGqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCB
-qTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWyV7
-lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0jBBgwFoAUWyV7lqRlUX64OfPAeGZe6Drn
-8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAsBggrBgEFBQcCARYgaHR0cDov
-L3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBACe6
-45R88a7A3hfm5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5+OlgzczO
-UYrHUDFu4Up+GC9pWbY9ZIEr44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5
-O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOfMke6UiI0HTJ6CVanfCU2qT1L2sCC
-bwq7EsiHSycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6mGu6uLftIdxf+u+yv
-GPUqUfA5hJeVbG4bwyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxpmo/a
-77KwPJ+HbBIrZXAVUjEaJM9vMSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCC
-hdiDyyJkvC24JdVUorgG6q2SpCSgwYa1ShNqR88uC1aVVMvOmttqtKay20EIhid3
-92qgQmwLOM7XdVAyksLfKzAiSNDVQTglXaTpXZ/GlHXQRf0wl0OPkKsKx4ZzYEpp
-Ld6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8js1WtciVORvnSFu+w
-ZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+ACOzB2+htt
-Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH",
-		sha256Hash: "193144f431e0fddb740717d4de926a571133884b4360d30e272913cbe660ce41",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFkzCCA3ugAwIBAgIUQ/oMX04bgBhE79G0TzUfRPSA7cswDQYJKoZIhvcNAQEL
-BQAwUTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UE
-AxMiU3dpc3NTaWduIFJTQSBUTFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2MDgx
-MTA4MjJaFw00NzA2MDgxMTA4MjJaMFExCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxT
-d2lzc1NpZ24gQUcxKzApBgNVBAMTIlN3aXNzU2lnbiBSU0EgVExTIFJvb3QgQ0Eg
-MjAyMiAtIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLKmjiC8NX
-vDVjvHClO/OMPE5Xlm7DTjak9gLKHqquuN6orx122ro10JFwB9+zBvKK8i5VUXu7
-LCTLf5ImgKO0lPaCoaTo+nUdWfMHamFk4saMla+ju45vVs9xzF6BYQ1t8qsCLqSX
-5XH8irCRIFucdFJtrhUnWXjyCcplDn/L9Ovn3KlMd/YrFgSVrpxxpT8q2kFC5zyE
-EPThPYxr4iuRR1VPuFa+Rd4iUU1OKNlfGUEGjw5NBuBwQCMBauTLE5tzrE0USJIt
-/m2n+IdreXXhvhCxqohAWVTXz8TQm0SzOGlkjIHRI36qOTw7D59Ke4LKa2/KIj4x
-0LDQKhySio/YGZxH5D4MucLNvkEM+KRHBdvBFzA4OmnczcNpI/2aDwLOEGrOyvi5
-KaM2iYauC8BPY7kGWUleDsFpswrzd34unYyzJ5jSmY0lpx+Gs6ZUcDj8fV3oT4MM
-0ZPlEuRU2j7yrTrePjxF8CgPBrnh25d7mUWe3f6VWQQvdT/TromZhqwUtKiE+shd
-OxtYk8EXlFXIC+OCeYSf8wCENO7cMdWP8vpPlkwGqnj73mSiI80fPsWMvDdUDrta
-clXvyFu1cvh43zcgTFeRc5JzrBh3Q4IgaezprClG5QtO+DdziZaKHG29777YtvTK
-wP1H8K4LWCDFyB02rpeNUIMmJCn3nTsPBQIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
-AQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBRvjmKLk0Ow4UD2p8P98Q+4
-DxU4pTAdBgNVHQ4EFgQUb45ii5NDsOFA9qfD/fEPuA8VOKUwDQYJKoZIhvcNAQEL
-BQADggIBAKwsKUF9+lz1GpUYvyypiqkkVHX1uECry6gkUSsYP2OprphWKwVDIqO3
-10aewCoSPY6WlkDfDDOLazeROpW7OSltwAJsipQLBwJNGD77+3v1dj2b9l4wBlgz
-Hqp41eZUBDqyggmNzhYzWUUo8aWjlw5DI/0LIICQ/+Mmz7hkkeUFjxOgdg3XNwwQ
-iJb0Pr6VvfHDffCjw3lHC1ySFWPtUnWK50Zpy1FVCypM9fJkT6lc/2cyjlUtMoIc
-gC9qkfjLvH4YoiaoLqNTKIftV+Vlek4ASltOU8liNr3CjlvrzG4ngRhZi0Rjn9UM
-ZfQpZX+RLOV/fuiJz48gy20HQhFRJjKKLjpHE7iNvUcNCfAWpO2Whi4Z2L6MOuhF
-LhG6rlrnub+xzI/goP+4s9GFe3lmozm1O2bYQL7Pt2eLSMkZJVX8vY3PXtpOpvJp
-zv1/THfQwUY1mFwjmwJFQ5Ra3bxHrSL+ul4vkSkphnsh3m5kt8sNjzdbowhq6/Td
-Ao9QAwKxuDdollDruF/UKIqlIgyKhPBZLtU30WHlQnNYKoH3dtvi4k0NX/a3vgW0
-rk4N3hY9A4GzJl5LuEsAz/+MF7psYC0nhzck5npgL7XTgwSqT0N1osGDsieYK7EO
-gLrAhV5Cud+xYJHT6xh+cHiudoO+cVrQkOPKwRYlZ0rwtnu64ZzZ
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE",
-		sha256Hash: "91e2f5788d5810eba7ba58737de1548a8ecacd014598bc0b143e041b17052552",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
-KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
-BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
-YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1
-OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
-aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
-ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd
-AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC
-FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi
-1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq
-jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ
-wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/
-WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy
-NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC
-uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw
-IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6
-g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN
-9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP
-BSeOE6Fuwg==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE",
-		sha256Hash: "fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
-KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
-BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
-YyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1
-OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
-aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
-ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN
-8ELg63iIVl6bmlQdTQyK9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/
-RLyTPWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4
-hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Zf3WHHx+xGwpzJFu5
-ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W0eDrXltM
-EnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1
-A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOy
-WL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ
-1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3wW30
-6gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT
-91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml
-e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p
-TpPDpFQUWw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW",
-		sha256Hash: "3f63bb2814be174ec8b6439cf08d6d56f0b7c405883a5648a334424d6b3ec558",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIQQAE0jMIAAAAAAAAAATzyxjANBgkqhkiG9w0BAQwFADBQ
-MQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FOLUNBMRAwDgYDVQQLEwdSb290
-IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3QgQ0EwHhcNMjIxMTIyMDY1NDI5
-WhcNNDcxMTIyMTU1OTU5WjBQMQswCQYDVQQGEwJUVzESMBAGA1UEChMJVEFJV0FO
-LUNBMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJUV0NBIENZQkVSIFJvb3Qg
-Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDG+Moe2Qkgfh1sTs6P
-40czRJzHyWmqOlt47nDSkvgEs1JSHWdyKKHfi12VCv7qze33Kc7wb3+szT3vsxxF
-avcokPFhV8UMxKNQXd7UtcsZyoC5dc4pztKFIuwCY8xEMCDa6pFbVuYdHNWdZsc/
-34bKS1PE2Y2yHer43CdTo0fhYcx9tbD47nORxc5zb87uEB8aBs/pJ2DFTxnk684i
-JkXXYJndzk834H/nY62wuFm40AZoNWDTNq5xQwTxaWV4fPMf88oon1oglWa0zbfu
-j3ikRRjpJi+NmykosaS3Om251Bw4ckVYsV7r8Cibt4LK/c/WMw+f+5eesRycnupf
-Xtuq3VTpMCEobY5583WSjCb+3MX2w7DfRFlDo7YDKPYIMKoNM+HvnKkHIuNZW0CP
-2oi3aQiotyMuRAlZN1vH4xfyIutuOVLF3lSnmMlLIJXcRolftBL5hSmO68gnFSDA
-S9TMfAxsNAwmmyYxpjyn9tnQS6Jk/zuZQXLB4HCX8SS7K8R0IrGsayIyJNN4KsDA
-oS/xUgXJP+92ZuJF2A09rZXIx4kmyA+upwMu+8Ff+iDhcK2wZSA3M2Cw1a/XDBzC
-kHDXShi8fgGwsOsVHkQGzaRP6AzRwyAQ4VRlnrZR0Bp2a0JaWHY06rc3Ga4udfmW
-5cFZ95RXKSWNOkyrTZpB0F8mAwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYD
-VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSdhWEUfMFib5do5E83QOGt4A1WNzAd
-BgNVHQ4EFgQUnYVhFHzBYm+XaORPN0DhreANVjcwDQYJKoZIhvcNAQEMBQADggIB
-AGSPesRiDrWIzLjHhg6hShbNcAu3p4ULs3a2D6f/CIsLJc+o1IN1KriWiLb73y0t
-tGlTITVX1olNc79pj3CjYcya2x6a4CD4bLubIp1dhDGaLIrdaqHXKGnK/nZVekZn
-68xDiBaiA9a5F/gZbG0jAn/xX9AKKSM70aoK7akXJlQKTcKlTfjF/biBzysseKNn
-TKkHmvPfXvt89YnNdJdhEGoHK4Fa0o635yDRIG4kqIQnoVesqlVYL9zZyvpoBJ7t
-RCT5dEA7IzOrg1oYJkK2bVS1FmAwbLGg+LhBoF1JSdJlBTrq/p1hvIbZv97Tujqx
-f36SNI7JAG7cmL3c7IAFrQI932XtCwP39xaEBDG6k5TY8hL4iuO/Qq+n1M0RFxbI
-Qh0UqEL20kCGoE8jypZFVmAGzbdVAaYBlGX+bgUJurSkquLvWL69J1bY73NxW0Qz
-8ppy6rBePm6pUlvscG21h483XjyMnM7k8M4MZ0HMzvaAq07MTFb1wWFZk7Q+ptq4
-NxKfKjLji7gh7MMrZQzvIt6IKTtM1/r+t+FHvpw+PoP7UV31aPcuIYXcv/Fa4nzX
-xeSDwWrruoBa3lwtcHb4yOWHh8qgnaHlIhInD0Q9HWzq1MKLL295q39QpsQZp6F6
-t5b5wR9iWqJDB0BeJsas7a5wFsWqynKKTbDPAYsDP27X
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW",
-		sha256Hash: "59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx
-EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT
-VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5
-NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsT
-B1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0EwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2CnJfF
-10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz
-0ALfUPZVr2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfCh
-MBwqoJimFb3u/Rk28OKRQ4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbH
-zIh1HrtsBv+baz4X7GGqcXzGHaL3SekVtTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc
-46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1WKKD+u4ZqyPpcC1jcxkt2
-yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99sy2sbZCi
-laLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYP
-oA/pyJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQA
-BDzfuBSO6N+pjWxnkjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcE
-qYSjMq+u7msXi7Kx/mzhkIyIqJdIzshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm
-4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6gcFGn90xHNcgL
-1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn
-LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WF
-H6vPNOw/KP4M8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNo
-RI2T9GRwoD2dKAXDOXC4Ynsg/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+
-nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlglPx4mI88k1HtQJAH32RjJMtOcQWh
-15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryPA9gK8kxkRr05YuWW
-6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3mi4TW
-nsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5j
-wa19hAM8EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWz
-aGHQRiapIVJpLesux+t3zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmy
-KwbQBM0=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW",
-		sha256Hash: "bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzES
-MBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU
-V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMz
-WhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO
-LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlm
-aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFE
-AcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HH
-K3XLfJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeX
-RfwZVzsrb+RH9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/z
-rX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx
-3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkq
-hkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeC
-MErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdls
-XebQ79NqZp4VKIV66IIArB6nCWlWQtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62D
-lhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvn
-aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ
-YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE",
-		sha256Hash: "578af4ded0853f4e5998db4aeaf9cbea8d945f60b620a38d1a3c13b2bc7ba8e1",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICQjCCAcmgAwIBAgIQNjqWjMlcsljN0AFdxeVXADAKBggqhkjOPQQDAzBjMQsw
-CQYDVQQGEwJERTEnMCUGA1UECgweRGV1dHNjaGUgVGVsZWtvbSBTZWN1cml0eSBH
-bWJIMSswKQYDVQQDDCJUZWxla29tIFNlY3VyaXR5IFRMUyBFQ0MgUm9vdCAyMDIw
-MB4XDTIwMDgyNTA3NDgyMFoXDTQ1MDgyNTIzNTk1OVowYzELMAkGA1UEBhMCREUx
-JzAlBgNVBAoMHkRldXRzY2hlIFRlbGVrb20gU2VjdXJpdHkgR21iSDErMCkGA1UE
-AwwiVGVsZWtvbSBTZWN1cml0eSBUTFMgRUNDIFJvb3QgMjAyMDB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABM6//leov9Wq9xCazbzREaK9Z0LMkOsVGJDZos0MKiXrPk/O
-tdKPD/M12kOLAoC+b1EkHQ9rK8qfwm9QMuU3ILYg/4gND21Ju9sGpIeQkpT0CdDP
-f8iAC8GXs7s1J8nCG6NCMEAwHQYDVR0OBBYEFONyzG6VmUex5rNhTNHLq+O6zd6f
-MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2cA
-MGQCMHVSi7ekEE+uShCLsoRbQuHmKjYC2qBuGT8lv9pZMo7k+5Dck2TOrbRBR2Di
-z6fLHgIwN0GMZt9Ba9aDAEH9L1r3ULRn0SyocddDypwnJJGDSA3PzfdUga/sf+Rn
-27iQ7t0l
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE",
-		sha256Hash: "efc65cadbb59adb6efe84da22311b35624b71b3b1ea0da8b6655174ec8978646",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFszCCA5ugAwIBAgIQIZxULej27HF3+k7ow3BXlzANBgkqhkiG9w0BAQwFADBj
-MQswCQYDVQQGEwJERTEnMCUGA1UECgweRGV1dHNjaGUgVGVsZWtvbSBTZWN1cml0
-eSBHbWJIMSswKQYDVQQDDCJUZWxla29tIFNlY3VyaXR5IFRMUyBSU0EgUm9vdCAy
-MDIzMB4XDTIzMDMyODEyMTY0NVoXDTQ4MDMyNzIzNTk1OVowYzELMAkGA1UEBhMC
-REUxJzAlBgNVBAoMHkRldXRzY2hlIFRlbGVrb20gU2VjdXJpdHkgR21iSDErMCkG
-A1UEAwwiVGVsZWtvbSBTZWN1cml0eSBUTFMgUlNBIFJvb3QgMjAyMzCCAiIwDQYJ
-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAO01oYGA88tKaVvC+1GDrib94W7zgRJ9
-cUD/h3VCKSHtgVIs3xLBGYSJwb3FKNXVS2xE1kzbB5ZKVXrKNoIENqil/Cf2SfHV
-cp6R+SPWcHu79ZvB7JPPGeplfohwoHP89v+1VmLhc2o0mD6CuKyVU/QBoCcHcqMA
-U6DksquDOFczJZSfvkgdmOGjup5czQRxUX11eKvzWarE4GC+j4NSuHUaQTXtvPM6
-Y+mpFEXX5lLRbtLevOP1Czvm4MS9Q2QTps70mDdsipWol8hHD/BeEIvnHRz+sTug
-BTNoBUGCwQMrAcjnj02r6LX2zWtEtefdi+zqJbQAIldNsLGyMcEWzv/9FIS3R/qy
-8XDe24tsNlikfLMR0cN3f1+2JeANxdKz+bi4d9s3cXFH42AYTyS2dTd4uaNir73J
-co4vzLuu2+QVUhkHM/tqty1LkCiCc/4YizWN26cEar7qwU02OxY2kTLvtkCJkUPg
-8qKrBC7m8kwOFjQgrIfBLX7JZkcXFBGk8/ehJImr2BrIoVyxo/eMbcgByU/J7MT8
-rFEz0ciD0cmfHdRHNCk+y7AO+oMLKFjlKdw/fKifybYKu6boRhYPluV75Gp6SG12
-mAWl3G0eQh5C2hrgUve1g8Aae3g1LDj1H/1Joy7SWWO/gLCMk3PLNaaZlSJhZQNg
-+y+TS/qanIA7AgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUtqeX
-gj10hZv3PJ+TmpV5dVKMbUcwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS2
-p5eCPXSFm/c8n5OalXl1UoxtRzANBgkqhkiG9w0BAQwFAAOCAgEAqMxhpr51nhVQ
-pGv7qHBFfLp+sVr8WyP6Cnf4mHGCDG3gXkaqk/QeoMPhk9tLrbKmXauw1GLLXrtm
-9S3ul0A8Yute1hTWjOKWi0FpkzXmuZlrYrShF2Y0pmtjxrlO8iLpWA1WQdH6DErw
-M807u20hOq6OcrXDSvvpfeWxm4bu4uB9tPcy/SKE8YXJN3nptT+/XOR0so8RYgDd
-GGah2XsjX/GO1WfoVNpbOms2b/mBsTNHM3dA+VKq3dSDz4V4mZqTuXNnQkYRIer+
-CqkbGmVps4+uFrb2S1ayLfmlyOw7YqPta9BO1UAJpB+Y1zqlklkg5LB9zVtzaL1t
-xKITDmcZuI1CfmwMmm6gJC3VRRvcxAIU/oVbZZfKTpBQCHpCNfnqwmbU+AGuHrS+
-w6jv/naaoqYfRvaE7fzbzsQCzndILIyy7MMAo+wsVRjBfhnu4S/yrYObnqsZ38aK
-L4x35bcF7DvB7L6Gs4a8wPfc5+pbrrLMtTWGS9DiP7bY+A4A7l3j941Y/8+LN+lj
-X273CXE2whJdV/LItM3z7gLfEdxquVeEHVlNjM7IDiPCtyaaEBRx/pOyiriA8A4Q
-ntOoUAw3gi/q4Iqd4Sw5/7W0cwDk90imc6y/st53BIe0o82bNSQ3+pCTE4FCxpgm
-dTdmQRCsu/WU48IxK63nI1bMNSWSs1A=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI",
-		sha256Hash: "242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFdDCCA1ygAwIBAgIPAWdfJ9b+euPkrL4JWwWeMA0GCSqGSIb3DQEBCwUAMEQx
-CzAJBgNVBAYTAkZJMRowGAYDVQQKDBFUZWxpYSBGaW5sYW5kIE95ajEZMBcGA1UE
-AwwQVGVsaWEgUm9vdCBDQSB2MjAeFw0xODExMjkxMTU1NTRaFw00MzExMjkxMTU1
-NTRaMEQxCzAJBgNVBAYTAkZJMRowGAYDVQQKDBFUZWxpYSBGaW5sYW5kIE95ajEZ
-MBcGA1UEAwwQVGVsaWEgUm9vdCBDQSB2MjCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBALLQPwe84nvQa5n44ndp586dpAO8gm2h/oFlH0wnrI4AuhZ76zBq
-AMCzdGh+sq/H1WKzej9Qyow2RCRj0jbpDIX2Q3bVTKFgcmfiKDOlyzG4OiIjNLh9
-vVYiQJ3q9HsDrWj8soFPmNB06o3lfc1jw6P23pLCWBnglrvFxKk9pXSW/q/5iaq9
-lRdU2HhE8Qx3FZLgmEKnpNaqIJLNwaCzlrI6hEKNfdWV5Nbb6WLEWLN5xYzTNTOD
-n3WhUidhOPFZPY5Q4L15POdslv5e2QJltI5c0BE0312/UqeBAMN/mUWZFdUXyApT
-7GPzmX3MaRKGwhfwAZ6/hLzRUssbkmbOpFPlob/E2wnW5olWK8jjfN7j/4nlNW4o
-6GwLI1GpJQXrSPjdscr6bAhR77cYbETKJuFzxokGgeWKrLDiKca5JLNrRBH0pUPC
-TEPlcDaMtjNXepUugqD0XBCzYYP2AgWGLnwtbNwDRm41k9V6lS/eINhbfpSQBGq6
-WT0EBXWdN6IOLj3rwaRSg/7Qa9RmjtzG6RJOHSpXqhC8fF6CfaamyfItufUXJ63R
-DolUK5X6wK0dmBR4M0KGCqlztft0DbcbMBnEWg4cJ7faGND/isgFuvGqHKI3t+ZI
-pEYslOqodmJHixBTB0hXbOKSTbauBcvcwUpej6w9GU7C7WB1K9vBykLVAgMBAAGj
-YzBhMB8GA1UdIwQYMBaAFHKs5DN5qkWH9v2sHZ7Wxy+G2CQ5MB0GA1UdDgQWBBRy
-rOQzeapFh/b9rB2e1scvhtgkOTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw
-AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAoDtZpwmUPjaE0n4vOaWWl/oRrfxn83EJ
-8rKJhGdEr7nv7ZbsnGTbMjBvZ5qsfl+yqwE2foH65IRe0qw24GtixX1LDoJt0nZi
-0f6X+J8wfBj5tFJ3gh1229MdqfDBmgC9bXXYfef6xzijnHDoRnkDry5023X4blMM
-A8iZGok1GTzTyVR8qPAs5m4HeW9q4ebqkYJpCh3DflminmtGFZhb069GHWLIzoBS
-SRE/yQQSwxN8PzuKlts8oB4KtItUsiRnDe+Cy748fdHif64W1lZYudogsYMVoe+K
-TTJvQS8TUoKU1xrBeKJR3Stwbbca+few4GeXVtt8YVMJAygCQMez2P2ccGrGKMOF
-6eLtGpOg3kuYooQ+BXcBlj37tCAPnHICehIv1aO6UXivKitEZU61/Qrowc15h2Er
-3oBXRb9n8ZuRXqWk7FlIEA04x7D6w0RtBPV4UBySllva9bguulvP5fBqnUsvWHMt
-Ty3EHD70sz+rFQ47GUGKpMFXEmZxTPpT41frYpUJnlTd0cI8Vzy9OK2YZLe4A5pT
-VmBds9hCG1xLEooc6+t9xnppxyd/pPiL8uSUZodL6ZQHCRJ5irLrdATczvREWeAW
-ysUsWNc8e89ihmpQfTU2Zqf7N+cox9jQraVplI/owd8k+BsHMYeB2F326CjYSlKA
-rBPuUBQemMc=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TeliaSonera Root CA v1,O=TeliaSonera",
-		sha256Hash: "dd6936fe21f8f077c123a1a521c12224f72255b73e03a7260693e8a24b0fa389",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAw
-NzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJv
-b3QgQ0EgdjEwHhcNMDcxMDE4MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYD
-VQQKDAtUZWxpYVNvbmVyYTEfMB0GA1UEAwwWVGVsaWFTb25lcmEgUm9vdCBDQSB2
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMK+6yfwIaPzaSZVfp3F
-VRaRXP3vIb9TgHot0pGMYzHw7CTww6XScnwQbfQ3t+XmfHnqjLWCi65ItqwA3GV1
-7CpNX8GH9SBlK4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3GwYq/t75rH2D+1665I+X
-Z75Ljo1kB1c4VWk0Nj0TSO9P4tNmHqTPGrdeNjPUtAa9GAH9d4RQAEX1jF3oI7x+
-/jXh7VB7qTCNGdMJjmhnXb88lxhTuylixcpecsHHltTbLaC0H2kD7OriUPEMPPCs
-81Mt8Bz17Ww5OXOAFshSsCPN4D7c3TxHoLs1iuKYaIu+5b9y7tL6pe0S7fyYGKkm
-dtwoSxAgHNN/Fnct7W+A90m7UwW7XWjH1Mh1Fj+JWov3F0fUTPHSiXk+TT2YqGHe
-Oh7S+F4D4MHJHIzTjU3TlTazN19jY5szFPAtJmtTfImMMsJu7D0hADnJoWjiUIMu
-sDor8zagrC/kb2HCUQk5PotTubtn2txTuXZZNp1D5SDgPTJghSJRt8czu90VL6R4
-pgd7gUY2BIbdeTXHlSw7sKMXNeVzH7RcWe/a6hBle3rQf5+ztCo3O3CLm1u5K7fs
-slESl1MpWtTwEhDcTwK7EpIvYtQ/aUN8Ddb8WHUBiJ1YFkveupD/RwGJBmr2X7KQ
-arMCpgKIv7NHfirZ1fpoeDVNAgMBAAGjPzA9MA8GA1UdEwEB/wQFMAMBAf8wCwYD
-VR0PBAQDAgEGMB0GA1UdDgQWBBTwj1k4ALP1j5qWDNXr+nuqF+gTEjANBgkqhkiG
-9w0BAQUFAAOCAgEAvuRcYk4k9AwI//DTDGjkk0kiP0Qnb7tt3oNmzqjMDfz1mgbl
-dxSR651Be5kqhOX//CHBXfDkH1e3damhXwIm/9fH907eT/j3HEbAek9ALCI18Bmx
-0GtnLLCo4MBANzX2hFxc469CeP6nyQ1Q6g2EdvZR74NTxnr/DlZJLo961gzmJ1Tj
-TQpgcmLNkQfWpb/ImWvtxBnmq0wROMVvMeJuScg/doAmAyYp4Db29iBT4xdwNBed
-Y2gea+zDTYa4EzAvXUYNR0PVG6pZDrlcjQZIrXSHX8f8MVRBE+LHIQ6e4B4N4cB7
-Q4WQxYpYxmUKeFfyxiMPAdkgS94P+5KFdSpcc41teyWRyu5FrgZLAMzTsVlQ2jqI
-OylDRl6XK1TOU2+NSueW+r9xDkKLfP0ooNBIytrEgUy7onOTJsjrDNYmiLbAJM+7
-vVvrdX3pCI6GMyx5dwlppYn8s3CQh3aP0yK7Qs69cwsgJirQmz1wHiRszYd2qReW
-t88NkvuOGKmYSdGe/mBEciG5Ge3C9THxOUiIkCR1VBatzvT4aRRkOfujuLpwQMcn
-HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx
-SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TrustAsia Global Root CA G3,O=TrustAsia Technologies\\, Inc.,C=CN",
-		sha256Hash: "e0d3226aeb1163c2e48ff9be3b50b4c6431be7bb1eacc5c36b5d5ec509039a08",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFpTCCA42gAwIBAgIUZPYOZXdhaqs7tOqFhLuxibhxkw8wDQYJKoZIhvcNAQEM
-BQAwWjELMAkGA1UEBhMCQ04xJTAjBgNVBAoMHFRydXN0QXNpYSBUZWNobm9sb2dp
-ZXMsIEluYy4xJDAiBgNVBAMMG1RydXN0QXNpYSBHbG9iYWwgUm9vdCBDQSBHMzAe
-Fw0yMTA1MjAwMjEwMTlaFw00NjA1MTkwMjEwMTlaMFoxCzAJBgNVBAYTAkNOMSUw
-IwYDVQQKDBxUcnVzdEFzaWEgVGVjaG5vbG9naWVzLCBJbmMuMSQwIgYDVQQDDBtU
-cnVzdEFzaWEgR2xvYmFsIFJvb3QgQ0EgRzMwggIiMA0GCSqGSIb3DQEBAQUAA4IC
-DwAwggIKAoICAQDAMYJhkuSUGwoqZdC+BqmHO1ES6nBBruL7dOoKjbmzTNyPtxNS
-T1QY4SxzlZHFZjtqz6xjbYdT8PfxObegQ2OwxANdV6nnRM7EoYNl9lA+sX4WuDqK
-AtCWHwDNBSHvBm3dIZwZQ0WhxeiAysKtQGIXBsaqvPPW5vxQfmZCHzyLpnl5hkA1
-nyDvP+uLRx+PjsXUjrYsyUQE49RDdT/VP68czH5GX6zfZBCK70bwkPAPLfSIC7Ep
-qq+FqklYqL9joDiR5rPmd2jE+SoZhLsO4fWvieylL1AgdB4SQXMeJNnKziyhWTXA
-yB1GJ2Faj/lN03J5Zh6fFZAhLf3ti1ZwA0pJPn9pMRJpxx5cynoTi+jm9WAPzJMs
-hH/x/Gr8m0ed262IPfN2dTPXS6TIi/n1Q1hPy8gDVI+lhXgEGvNz8teHHUGf59gX
-zhqcD0r83ERoVGjiQTz+LISGNzzNPy+i2+f3VANfWdP3kXjHi3dqFuVJhZBFcnAv
-kV34PmVACxmZySYgWmjBNb9Pp1Hx2BErW+Canig7CjoKH8GB5S7wprlppYiU5msT
-f9FkPz2ccEblooV7WIQn3MSAPmeamseaMQ4w7OYXQJXZRe0Blqq/DPNL0WP3E1jA
-uPP6Z92bfW1K/zJMtSU7/xxnD4UiWQWRkUF3gdCFTIcQcf+eQxuulXUtgQIDAQAB
-o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFEDk5PIj7zjKsK5Xf/Ih
-MBY027ySMB0GA1UdDgQWBBRA5OTyI+84yrCuV3/yITAWNNu8kjAOBgNVHQ8BAf8E
-BAMCAQYwDQYJKoZIhvcNAQEMBQADggIBACY7UeFNOPMyGLS0XuFlXsSUT9SnYaP4
-wM8zAQLpw6o1D/GUE3d3NZ4tVlFEbuHGLige/9rsR82XRBf34EzC4Xx8MnpmyFq2
-XFNFV1pF1AWZLy4jVe5jaN/TG3inEpQGAHUNcoTpLrxaatXeL1nHo+zSh2bbt1S1
-JKv0Q3jbSwTEb93mPmY+KfJLaHEih6D4sTNjduMNhXJEIlU/HHzp/LgV6FL6qj6j
-ITk1dImmasI5+njPtqzn59ZW/yOSLlALqbUHM/Q4X6RJpstlcHboCoWASzY9M/eV
-VHUl2qzEc4Jl6VL1XP04lQJqaTDFHApXB64ipCz5xUG3uOyfT0gA+QEEVcys+TIx
-xHWVBqB/0Y0n3bOppHKH/lmLmnp0Ft0WpWIp6zqW3IunaFnT63eROfjXy9mPX1on
-AX1daBli2MjN9LdyR75bl87yraKZk62Uy5P2EgmVtqvXO9A/EcswFi55gORngS1d
-7XB4tmBZrOFdRWOPyN9yaFvqHbgB8X7754qz41SgOAngPN5C8sLtLpvzHzW2Ntjj
-gKGLzZlkD8Kqq7HK9W+eQ42EVJmzbsASZthwEPEGNTNDqJwuuhQxzhB/HIbjj9LV
-+Hfsm6vxL2PZQl/gZ4FkkfGXL/xuJvYz+NO1+MRiqzFRJQJ6+N1rZdVtTTDIZbpo
-FGWsJwt0ivKH
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TrustAsia Global Root CA G4,O=TrustAsia Technologies\\, Inc.,C=CN",
-		sha256Hash: "be4b56cb5056c0136a526df444508daa36a0b54f42e4ac38f72af470e479654c",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICVTCCAdygAwIBAgIUTyNkuI6XY57GU4HBdk7LKnQV1tcwCgYIKoZIzj0EAwMw
-WjELMAkGA1UEBhMCQ04xJTAjBgNVBAoMHFRydXN0QXNpYSBUZWNobm9sb2dpZXMs
-IEluYy4xJDAiBgNVBAMMG1RydXN0QXNpYSBHbG9iYWwgUm9vdCBDQSBHNDAeFw0y
-MTA1MjAwMjEwMjJaFw00NjA1MTkwMjEwMjJaMFoxCzAJBgNVBAYTAkNOMSUwIwYD
-VQQKDBxUcnVzdEFzaWEgVGVjaG5vbG9naWVzLCBJbmMuMSQwIgYDVQQDDBtUcnVz
-dEFzaWEgR2xvYmFsIFJvb3QgQ0EgRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATx
-s8045CVD5d4ZCbuBeaIVXxVjAd7Cq92zphtnS4CDr5nLrBfbK5bKfFJV4hrhPVbw
-LxYI+hW8m7tH5j/uqOFMjPXTNvk4XatwmkcN4oFBButJ+bAp3TPsUKV/eSm4IJij
-YzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUpbtKl86zK3+kMd6Xg1mD
-pm9xy94wHQYDVR0OBBYEFKW7SpfOsyt/pDHel4NZg6ZvccveMA4GA1UdDwEB/wQE
-AwIBBjAKBggqhkjOPQQDAwNnADBkAjBe8usGzEkxn0AAbbd+NvBNEU/zy4k6LHiR
-UKNbwMp1JvK/kF0LgoxgKJ/GcJpo5PECMFxYDlZ2z1jD1xCMuo6u47xkdUfFVZDj
-/bpV6wfEU6s3qe4hsiFbYI89MvHVI5TWWA==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TrustAsia TLS ECC Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
-		sha256Hash: "c0076b9ef0531fb1a656d67c4ebe97cd5dbaa41ef44598acc2489878c92d8711",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICMTCCAbegAwIBAgIUNnThTXxlE8msg1UloD5Sfi9QaMcwCgYIKoZIzj0EAwMw
-WDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dpZXMs
-IEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgRUNDIFJvb3QgQ0EwHhcNMjQw
-NTE1MDU0MTU2WhcNNDQwNTE1MDU0MTU1WjBYMQswCQYDVQQGEwJDTjElMCMGA1UE
-ChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAGA1UEAxMZVHJ1c3RB
-c2lhIFRMUyBFQ0MgUm9vdCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLh/pVs/
-AT598IhtrimY4ZtcU5nb9wj/1WrgjstEpvDBjL1P1M7UiFPoXlfXTr4sP/MSpwDp
-guMqWzJ8S5sUKZ74LYO1644xST0mYekdcouJtgq7nDM1D9rs3qlKH8kzsaNCMEAw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULIVTu7FDzTLqnqOH/qKYqKaT6RAw
-DgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMFRH18MtYYZI9HlaVQ01
-L18N9mdsd0AaRuf4aFtOJx24mH1/k78ITcTaRTChD15KeAIxAKORh/IRM4PDwYqR
-OkwrULG9IpRdNYlzg8WbGf60oenUoWa2AaU2+dhoYSi3dOGiMQ==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TrustAsia TLS RSA Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
-		sha256Hash: "06c08d7dafd876971eb1124fe67f847ec0c7a158d3ea53cbe940e2ea9791f4c3",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFgDCCA2igAwIBAgIUHBjYz+VTPyI1RlNUJDxsR9FcSpwwDQYJKoZIhvcNAQEM
-BQAwWDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dp
-ZXMsIEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgUlNBIFJvb3QgQ0EwHhcN
-MjQwNTE1MDU0MTU3WhcNNDQwNTE1MDU0MTU2WjBYMQswCQYDVQQGEwJDTjElMCMG
-A1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAGA1UEAxMZVHJ1
-c3RBc2lhIFRMUyBSU0EgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
-AgoCggIBAMMWuBtqpERz5dZO9LnPWwvB0ZqB9WOwj0PBuwhaGnrhB3YmH49pVr7+
-NmDQDIPNlOrnxS1cLwUWAp4KqC/lYCZUlviYQB2srp10Zy9U+5RjmOMmSoPGlbYJ
-Q1DNDX3eRA5gEk9bNb2/mThtfWza4mhzH/kxpRkQcwUqwzIZheo0qt1CHjCNP561
-HmHVb70AcnKtEj+qpklz8oYVlQwQX1Fkzv93uMltrOXVmPGZLmzjyUT5tUMnCE32
-ft5EebuyjBza00tsLtbDeLdM1aTk2tyKjg7/D8OmYCYozza/+lcK7Fs/6TAWe8Tb
-xNRkoDD75f0dcZLdKY9BWN4ArTr9PXwaqLEX8E40eFgl1oUh63kd0Nyrz2I8sMeX
-i9bQn9P+PN7F4/w6g3CEIR0JwqH8uyghZVNgepBtljhb//HXeltt08lwSUq6HTrQ
-UNoyIBnkiz/r1RYmNzz7dZ6wB3C4FGB33PYPXFIKvF1tjVEK2sUYyJtt3LCDs3+j
-TnhMmCWr8n4uIF6CFabW2I+s5c0yhsj55NqJ4js+k8UTav/H9xj8Z7XvGCxUq0DT
-bE3txci3OE9kxJRMT6DNrqXGJyV1J23G2pyOsAWZ1SgRxSHUuPzHlqtKZFlhaxP8
-S8ySpg+kUb8OWJDZgoM5pl+z+m6Ss80zDoWo8SnTq1mt1tve1CuBAgMBAAGjQjBA
-MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLgHkXlcBvRG/XtZylomkadFK/hT
-MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQwFAAOCAgEAIZtqBSBdGBanEqT3
-Rz/NyjuujsCCztxIJXgXbODgcMTWltnZ9r96nBO7U5WS/8+S4PPFJzVXqDuiGev4
-iqME3mmL5Dw8veWv0BIb5Ylrc5tvJQJLkIKvQMKtuppgJFqBTQUYo+IzeXoLH5Pt
-7DlK9RME7I10nYEKqG/odv6LTytpEoYKNDbdgptvT+Bz3Ul/KD7JO6NXBNiT2Twp
-2xIQaOHEibgGIOcberyxk2GaGUARtWqFVwHxtlotJnMnlvm5P1vQiJ3koP26TpUJ
-g3933FEFlJ0gcXax7PqJtZwuhfG5WyRasQmr2soaB82G39tp27RIGAAtvKLEiUUj
-pQ7hRGU+isFqMB3iYPg6qocJQrmBktwliJiJ8Xw18WLK7nn4GS/+X/jbh87qqA8M
-pugLoDzga5SYnH+tBuYc6kIQX+ImFTw3OffXvO645e8D7r0i+yiGNFjEWn9hongP
-XvPKnbwbPKfILfanIhHKA9jnZwqKDss1jjQ52MjqjZ9k4DewbNfFj8GQYSbbJIwe
-SsCI3zWQzj8C9GRh3sfIB5XeMhg6j6JCQCTl1jNdfK7vsU1P1FeQNWrcrgSXSYk0
-ly4wBOeY99sLAZDBHwo/+ML+TvrbmnNzFrwFuHnYWa8G5z9nODmxfKuU4CkUpijy
-323imttUQ/hHWKNddBWcwauwxzQ=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Trustwave Global Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
-		sha256Hash: "97552015f5ddfc3c8788c006944555408894450084f100867086bc1a2bb58dc8",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGIMQsw
-CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28x
-ITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1
-c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMx
-OTM0MTJaFw00MjA4MjMxOTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
-SWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBI
-b2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEdsb2JhbCBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
-ALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+CY66j96xz0Xzn
-swuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzDBcdu
-7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz8
-1Ws25kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW
-80OzfpgZdNmcc9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotP
-JqX+OsIgbrv4Fo7NDKm0G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1l
-RtzuzWniTY+HKE40Cz7PFNm73bZQmq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfw
-hI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49DxweMqZiNu5m4iK4BUBjECLzMx10
-coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9jaJXLE9gCxInm943xZYkqc
-BW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqjifLJS3tBEW1n
-twiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8GA1Ud
-EwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1Ud
-DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W
-0OhUKDtkLSGm+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfe
-uyk3QAUHw5RSn8pk3fEbK9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0Q
-lG/+4jSHg9bP5Rs1bdID4bANqKCqRieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhB
-aCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtKYdkNy1GTKv0WBpanI5ojSP5RvbbE
-sLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90lZvkWx3SD92YHJtZuSPT
-MaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrql5gR0IRiR2Qe
-qu5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDFQdxh
-VicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8
-h6jCJ3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9
-EEC+j2Jjg6mcgn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTK
-yeC2nOnOcXHebD8WpHk=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Trustwave Global ECC P256 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
-		sha256Hash: "945bbc825ea554f489d1fd51a73ddf2ea624ac7019a05205225c22a78ccfa8b4",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYD
-VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf
-BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3
-YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x
-NzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYDVQQGEwJVUzERMA8G
-A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0
-d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF
-Q0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqG
-SM49AwEHA0IABH77bOYj43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoN
-FWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqmP62jQzBBMA8GA1UdEwEB/wQFMAMBAf8w
-DwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt0UrrdaVKEJmzsaGLSvcw
-CgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjzRM4q3wgh
-DDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=Trustwave Global ECC P384 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
-		sha256Hash: "55903859c8c0c3ebb8759ece4e2557225ff5758bbd38ebd48276601e1bd58097",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICnTCCAiSgAwIBAgIMCL2Fl2yZJ6SAaEc7MAoGCCqGSM49BAMDMIGRMQswCQYD
-VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf
-BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3
-YXZlIEdsb2JhbCBFQ0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x
-NzA4MjMxOTM2NDNaFw00MjA4MjMxOTM2NDNaMIGRMQswCQYDVQQGEwJVUzERMA8G
-A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0
-d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF
-Q0MgUDM4NCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTB2MBAGByqGSM49AgEGBSuB
-BAAiA2IABGvaDXU1CDFHBa5FmVXxERMuSvgQMSOjfoPTfygIOiYaOs+Xgh+AtycJ
-j9GOMMQKmw6sWASr9zZ9lCOkmwqKi6vr/TklZvFe/oyujUF5nQlgziip04pt89ZF
-1PKYhDhloKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G
-A1UdDgQWBBRVqYSJ0sEyvRjLbKYHTsjnnb6CkDAKBggqhkjOPQQDAwNnADBkAjA3
-AZKXRRJ+oPM+rRk6ct30UJMDEr5E0k9BpIycnR+j9sKS50gU/k6bpZFXrsY3crsC
-MGclCrEMXu6pY5Jv5ZAL/mYiykf9ijH3g/56vxC+GCsej/YpHpRZ744hN8tRmKVu
-Sw==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN",
-		sha256Hash: "2e44102ab58cb85419451c8e19d9acf3662cafbc614b6a53960a30f7d0e2eb41",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFszCCA5ugAwIBAgIUEwLV4kBMkkaGFmddtLu7sms+/BMwDQYJKoZIhvcNAQEL
-BQAwYTELMAkGA1UEBhMCVE4xNzA1BgNVBAoMLkFnZW5jZSBOYXRpb25hbGUgZGUg
-Q2VydGlmaWNhdGlvbiBFbGVjdHJvbmlxdWUxGTAXBgNVBAMMEFR1blRydXN0IFJv
-b3QgQ0EwHhcNMTkwNDI2MDg1NzU2WhcNNDQwNDI2MDg1NzU2WjBhMQswCQYDVQQG
-EwJUTjE3MDUGA1UECgwuQWdlbmNlIE5hdGlvbmFsZSBkZSBDZXJ0aWZpY2F0aW9u
-IEVsZWN0cm9uaXF1ZTEZMBcGA1UEAwwQVHVuVHJ1c3QgUm9vdCBDQTCCAiIwDQYJ
-KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMPN0/y9BFPdDCA61YguBUtB9YOCfvdZ
-n56eY+hz2vYGqU8ftPkLHzmMmiDQfgbU7DTZhrx1W4eI8NLZ1KMKsmwb60ksPqxd
-2JQDoOw05TDENX37Jk0bbjBU2PWARZw5rZzJJQRNmpA+TkBuimvNKWfGzC3gdOgF
-VwpIUPp6Q9p+7FuaDmJ2/uqdHYVy7BG7NegfJ7/Boce7SBbdVtfMTqDhuazb1YMZ
-GoXRlJfXyqNlC/M4+QKu3fZnz8k/9YosRxqZbwUN/dAdgjH8KcwAWJeRTIAAHDOF
-li/LQcKLEITDCSSJH7UP2dl3RxiSlGBcx5kDPP73lad9UKGAwqmDrViWVSHbhlnU
-r8a83YFuB9tgYv7sEG7aaAH0gxupPqJbI9dkxt/con3YS7qC0lH4Zr8GRuR5KiY2
-eY8fTpkdso8MDhz/yV3A/ZAQprE38806JG60hZC/gLkMjNWb1sjxVj8agIl6qeIb
-MlEsPvLfe/ZdeikZjuXIvTZxi11Mwh0/rViizz1wTaZQmCXcI/m4WEEIcb9PuISg
-jwBUFfyRbVinljvrS5YnzWuioYasDXxU5mZMZl+QviGaAkYt5IPCgLnPSz7ofzwB
-7I9ezX/SKEIBlYrilz0QIX32nRzFNKHsLA4KUiwSVXAkPcvCFDVDXSdOvsC9qnyW
-5/yeYa1E0wCXAgMBAAGjYzBhMB0GA1UdDgQWBBQGmpsfU33x9aTI04Y+oXNZtPdE
-ITAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFAaamx9TffH1pMjThj6hc1m0
-90QhMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAqgVutt0Vyb+z
-xiD2BkewhpMl0425yAA/l/VSJ4hxyXT968pk21vvHl26v9Hr7lxpuhbI87mP0zYu
-QEkHDVneixCwSQXi/5E/S7fdAo74gShczNxtr18UnH1YeA32gAm56Q6XKRm4t+v4
-FstVEuTGfbvE7Pi1HE4+Z7/FXxttbUcoqgRYYdZ2vyJ/0Adqp2RT8JeNnYA/u8EH
-22Wv5psymsNUk8QcCMNE+3tjEUPRahphanltkE8pjkcFwRJpadbGNjHh/PqAulxP
-xOu3Mqz4dWEX1xAZufHSCe96Qp1bWgvUxpVOKs7/B9dPfhgGiPEZtdmYu65xxBzn
-dFlY7wyJz4sfdZMaBBSSSFCp61cpABbjNhzI+L/wM9VBD8TMPN3pM0MBkRArHtG5
-Xc0yGYuPjCB31yLEQtyEFpslbei0VXF/sHyz03FJuc9SpAQ/3D2gu68zngowYI7b
-nV2UqL1g52KAdoGDDIzMMEZJ4gzSqK/rYXHv5yJiqfdcZGyfFoxnNidF9Ql7v/YQ
-CvGwjVRDjAS6oz/v4jXH+XTgbzRB0L9zZVcg+ZtnemZoJE6AZb0QmQZZ8mWvuMZH
-u/2QeItBcy6vVR/cO5JyboTT0GFMDcx2V+IthSIVNg3rAZ3r2OvEhJn7wAzMMujj
-d9qDRIueVSjAi1jTkD5OGwDxFa2DK5o=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=UCA Extended Validation Root,O=UniTrust,C=CN",
-		sha256Hash: "d43af9b35473755c9684fc06d7d8cb70ee5c28e773fb294eb41ee71722924d24",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH
-MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF
-eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx
-MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV
-BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog
-D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS
-sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop
-O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk
-sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi
-c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj
-VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz
-KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/
-TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G
-sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs
-1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD
-fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T
-AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN
-l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
-ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ
-VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5
-c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp
-4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s
-t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj
-2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO
-vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C
-xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx
-cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM
-fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=UCA Global G2 Root,O=UniTrust,C=CN",
-		sha256Hash: "9bea11c976fe014764c1be56a6f914b5a560317abd9988393382e5161aa0493c",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFRjCCAy6gAwIBAgIQXd+x2lqj7V2+WmUgZQOQ7zANBgkqhkiG9w0BAQsFADA9
-MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxGzAZBgNVBAMMElVDQSBH
-bG9iYWwgRzIgUm9vdDAeFw0xNjAzMTEwMDAwMDBaFw00MDEyMzEwMDAwMDBaMD0x
-CzAJBgNVBAYTAkNOMREwDwYDVQQKDAhVbmlUcnVzdDEbMBkGA1UEAwwSVUNBIEds
-b2JhbCBHMiBSb290MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxeYr
-b3zvJgUno4Ek2m/LAfmZmqkywiKHYUGRO8vDaBsGxUypK8FnFyIdK+35KYmToni9
-kmugow2ifsqTs6bRjDXVdfkX9s9FxeV67HeToI8jrg4aA3++1NDtLnurRiNb/yzm
-VHqUwCoV8MmNsHo7JOHXaOIxPAYzRrZUEaalLyJUKlgNAQLx+hVRZ2zA+te2G3/R
-VogvGjqNO7uCEeBHANBSh6v7hn4PJGtAnTRnvI3HLYZveT6OqTwXS3+wmeOwcWDc
-C/Vkw85DvG1xudLeJ1uK6NjGruFZfc8oLTW4lVYa8bJYS7cSN8h8s+1LgOGN+jIj
-tm+3SJUIsUROhYw6AlQgL9+/V087OpAh18EmNVQg7Mc/R+zvWr9LesGtOxdQXGLY
-D0tK3Cv6brxzks3sx1DoQZbXqX5t2Okdj4q1uViSukqSKwxW/YDrCPBeKW4bHAyv
-j5OJrdu9o54hyokZ7N+1wxrrFv54NkzWbtA+FxyQF2smuvt6L78RHBgOLXMDj6Dl
-NaBa4kx1HXHhOThTeEDMg5PXCp6dW4+K5OXgSORIskfNTip1KnvyIvbJvgmRlld6
-iIis7nCs+dwp4wwcOxJORNanTrAmyPPZGpeRaOrvjUYG0lZFWJo8DA+DuAUlwznP
-O6Q0ibd5Ei9Hxeepl2n8pndntd978XplFeRhVmUCAwEAAaNCMEAwDgYDVR0PAQH/
-BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIHEjMz15DD/pQwIX4wV
-ZyF0Ad/fMA0GCSqGSIb3DQEBCwUAA4ICAQATZSL1jiutROTL/7lo5sOASD0Ee/oj
-L3rtNtqyzm325p7lX1iPyzcyochltq44PTUbPrw7tgTQvPlJ9Zv3hcU2tsu8+Mg5
-1eRfB70VVJd0ysrtT7q6ZHafgbiERUlMjW+i67HM0cOU2kTC5uLqGOiiHycFutfl
-1qnN3e92mI0ADs0b+gO3joBYDic/UvuUospeZcnWhNq5NXHzJsBPd+aBJ9J3O5oU
-b3n09tDh05S60FdRvScFDcH9yBIw7m+NESsIndTUv4BFFJqIRNow6rSn4+7vW4LV
-PtateJLbXDzz2K36uGt/xDYotgIVilQsnLAXc47QN6MUPJiVAAwpBVueSUmxX8fj
-y88nZY41F7dXyDDZQVu5FLbowg+UMaeUmMxq67XhJ/UQqAHojhJi6IjMtX9Gl8Cb
-EGY4GjZGXyJoPd/JxhMnq1MGrKI8hgZlb7F+sSlEmqO6SWkoaY/X5V+tBIZkbxqg
-DMUIYs6Ao9Dz7GjevjPHF1t/gMRMTLGmhIrDO7gJzRSBuhjjVFc2/tsvfEehOjPI
-+Vg7RE+xygKJBJYoaMVLuCaJu9YzL1DV/pqJuhgyklTGW+Cd+V7lDSKb9triyCGy
-YiGqhkCyLmTTX8jjfhFnRR8F/uOi77Oos/N9j/gMHyIfLXC0uAE0djAA5SN4p1bX
-UB+K+wb1whnw0A==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US",
-		sha256Hash: "4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl
-eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT
-JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAx
-MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-Ck5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg
-VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlm
-aWNhdGlvbiBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqflo
-I+d61SRvU8Za2EurxtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinng
-o4N+LZfQYcTxmdwlkWOrfzCjtHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0G
-A1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYD
-VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBBHU6+4WMB
-zzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbW
-RNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US",
-		sha256Hash: "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
-MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
-aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
-3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
-tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
-Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
-VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
-79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
-c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
-Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
-c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
-UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
-Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
-BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
-A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
-Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
-VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
-ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
-8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
-iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
-Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
-XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
-qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
-VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
-L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
-jjxDah2nGN59PRbxYvnKkKj9
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=e-Szigno Root CA 2017,O=Microsec Ltd.,L=Budapest,C=HU,2.5.4.97=#130e56415448552d3233353834343937",
-		sha256Hash: "beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICQDCCAeWgAwIBAgIMAVRI7yH9l1kN9QQKMAoGCCqGSM49BAMCMHExCzAJBgNV
-BAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMgTHRk
-LjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25vIFJv
-b3QgQ0EgMjAxNzAeFw0xNzA4MjIxMjA3MDZaFw00MjA4MjIxMjA3MDZaMHExCzAJ
-BgNVBAYTAkhVMREwDwYDVQQHDAhCdWRhcGVzdDEWMBQGA1UECgwNTWljcm9zZWMg
-THRkLjEXMBUGA1UEYQwOVkFUSFUtMjM1ODQ0OTcxHjAcBgNVBAMMFWUtU3ppZ25v
-IFJvb3QgQ0EgMjAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJbcPYrYsHtv
-xie+RJCxs1YVe45DJH0ahFnuY2iyxl6H0BVIHqiQrb1TotreOpCmYF9oMrWGQd+H
-Wyx7xf58etqjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
-A1UdDgQWBBSHERUI0arBeAyxr87GyZDvvzAEwDAfBgNVHSMEGDAWgBSHERUI0arB
-eAyxr87GyZDvvzAEwDAKBggqhkjOPQQDAgNJADBGAiEAtVfd14pVCzbhhkT61Nlo
-jbjcI4qKDdQvfepz7L9NbKgCIQDLpbQS+ue16M9+k/zzNY9vTlp8tLxOsvxyqltZ
-+efcMQ==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=emSign ECC Root CA - C3,OU=emSign PKI,O=eMudhra Inc,C=US",
-		sha256Hash: "bc4d809b15189d78db3e1d8cf4f9726a795da1643ca5f1358e1ddb0edc0d7eb3",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICKzCCAbGgAwIBAgIKe3G2gla4EnycqDAKBggqhkjOPQQDAzBaMQswCQYDVQQG
-EwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMx
-IDAeBgNVBAMTF2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMB4XDTE4MDIxODE4MzAw
-MFoXDTQzMDIxODE4MzAwMFowWjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln
-biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMSAwHgYDVQQDExdlbVNpZ24gRUND
-IFJvb3QgQ0EgLSBDMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABP2lYa57JhAd6bci
-MK4G9IGzsUJxlTm801Ljr6/58pc1kjZGDoeVjbk5Wum739D+yAdBPLtVb4Ojavti
-sIGJAnB9SMVK4+kiVCJNk7tCDK93nCOmfddhEc5lx/h//vXyqaNCMEAwHQYDVR0O
-BBYEFPtaSNCAIEDyqOkAB2kZd6fmw/TPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
-Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMQC02C8Cif22TGK6Q04ThHK1rt0c
-3ta13FaPWEBaLd4gTCKDypOofu4SQMfWh0/434UCMBwUZOR8loMRnLDRWmFLpg9J
-0wD8ofzkpf9/rdcw0Md3f76BB1UwUCAU9Vc4CqgxUQ==
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=emSign ECC Root CA - G3,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN",
-		sha256Hash: "86a1ecba089c4a8d3bbe2734c612ba341d813e043cf9e8a862cd5c57a36bbe6b",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQswCQYDVQQG
-EwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo
-bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0g
-RzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJ
-TjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s
-b2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMw
-djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQjpQy4LRL1KPOxst3iAhKAnjlfSU2fySU0
-WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyzdc6LBtCGI79G1Y4PPwT01xyS
-fvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQWBBR8XQKEE9TMipuB
-zhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggq
-hkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB
-CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD
-+JbNR6iC8hZVdyR+EhCVBCyj
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=emSign Root CA - C1,OU=emSign PKI,O=eMudhra Inc,C=US",
-		sha256Hash: "125609aa301da0a249b97a8239cb6a34216f44dcac9f3954b14292f2e8c8608f",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDczCCAlugAwIBAgILAK7PALrEzzL4Q7IwDQYJKoZIhvcNAQELBQAwVjELMAkG
-A1UEBhMCVVMxEzARBgNVBAsTCmVtU2lnbiBQS0kxFDASBgNVBAoTC2VNdWRocmEg
-SW5jMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEMxMB4XDTE4MDIxODE4MzAw
-MFoXDTQzMDIxODE4MzAwMFowVjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln
-biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMRwwGgYDVQQDExNlbVNpZ24gUm9v
-dCBDQSAtIEMxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz+upufGZ
-BczYKCFK83M0UYRWEPWgTywS4/oTmifQz/l5GnRfHXk5/Fv4cI7gklL35CX5VIPZ
-HdPIWoU/Xse2B+4+wM6ar6xWQio5JXDWv7V7Nq2s9nPczdcdioOl+yuQFTdrHCZH
-3DspVpNqs8FqOp099cGXOFgFixwR4+S0uF2FHYP+eF8LRWgYSKVGczQ7/g/IdrvH
-GPMF0Ybzhe3nudkyrVWIzqa2kbBPrH4VI5b2P/AgNBbeCsbEBEV5f6f9vtKppa+c
-xSMq9zwhbL2vj07FOrLzNBL834AaSaTUqZX3noleoomslMuoaJuvimUnzYnu3Yy1
-aylwQ6BpC+S5DwIDAQABo0IwQDAdBgNVHQ4EFgQU/qHgcB4qAzlSWkK+XJGFehiq
-TbUwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBAMJKVvoVIXsoounlHfv4LcQ5lkFMOycsxGwYFYDGrK9HWS8mC+M2sO87
-/kOXSTKZEhVb3xEp/6tT+LvBeA+snFOvV71ojD1pM/CjoCNjO2RnIkSt1XHLVip4
-kqNPEjE2NuLe/gDEo2APJ62gsIq1NnpSob0n9CAnYuhNlCQT5AoE6TyrLshDCUrG
-YQTlSTR+08TI9Q/Aqum6VF7zYytPT1DU/rl7mYw9wC68AivTxEDkigcxHpvOJpkT
-+xHqmiIMERnHXhuBUDDIlhJu58tBf5E7oke3VIAb3ADMmpDqw8NQBmIMMMAVSKeo
-WXzhriKi4gp6D/piq1JM4fHfyr6DDUI=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=emSign Root CA - G1,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN",
-		sha256Hash: "40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDlDCCAnygAwIBAgIKMfXkYgxsWO3W2DANBgkqhkiG9w0BAQsFADBnMQswCQYD
-VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBU
-ZWNobm9sb2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBH
-MTAeFw0xODAyMTgxODMwMDBaFw00MzAyMTgxODMwMDBaMGcxCzAJBgNVBAYTAklO
-MRMwEQYDVQQLEwplbVNpZ24gUEtJMSUwIwYDVQQKExxlTXVkaHJhIFRlY2hub2xv
-Z2llcyBMaW1pdGVkMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEcxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk0u76WaK7p1b1TST0Bsew+eeuGQz
-f2N4aLTNLnF115sgxk0pvLZoYIr3IZpWNVrzdr3YzZr/k1ZLpVkGoZM0Kd0WNHVO
-8oG0x5ZOrRkVUkr+PHB1cM2vK6sVmjM8qrOLqs1D/fXqcP/tzxE7lM5OMhbTI0Aq
-d7OvPAEsbO2ZLIvZTmmYsvePQbAyeGHWDV/D+qJAkh1cF+ZwPjXnorfCYuKrpDhM
-tTk1b+oDafo6VGiFbdbyL0NVHpENDtjVaqSW0RM8LHhQ6DqS0hdW5TUaQBw+jSzt
-Od9C4INBdN+jzcKGYEho42kLVACL5HZpIQ15TjQIXhTCzLG3rdd8cIrHhQIDAQAB
-o0IwQDAdBgNVHQ4EFgQU++8Nhp6w492pufEhF38+/PB3KxowDgYDVR0PAQH/BAQD
-AgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFn/8oz1h31x
-PaOfG1vR2vjTnGs2vZupYeveFix0PZ7mddrXuqe8QhfnPZHr5X3dPpzxz5KsbEjM
-wiI/aTvFthUvozXGaCocV685743QNcMYDHsAVhzNixl03r4PEuDQqqE/AjSxcM6d
-GNYIAwlG7mDgfrbESQRRfXBgvKqy/3lyeqYdPV8q+Mri/Tm3R7nrft8EI6/6nAYH
-6ftjk4BAtcZsCjEozgyfz7MjNYBBjWzEN3uBL4ChQEKF6dk4jeihU80Bv2noWgby
-RQuQ+q7hv53yrlc8pa6yVvSLZUDp/TGBLPQ5Cdjua6e0ph0VpZj3AYHYhX3zUVxx
-iN66zB+Afko=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=vTrus ECC Root CA,O=iTrusChina Co.\\,Ltd.,C=CN",
-		sha256Hash: "30fbba2c32238e2a98547af97931e550428b9b3f1c8eeb6633dcfa86c5b27dd3",
-		pem: `-----BEGIN CERTIFICATE-----
-MIICDzCCAZWgAwIBAgIUbmq8WapTvpg5Z6LSa6Q75m0c1towCgYIKoZIzj0EAwMw
-RzELMAkGA1UEBhMCQ04xHDAaBgNVBAoTE2lUcnVzQ2hpbmEgQ28uLEx0ZC4xGjAY
-BgNVBAMTEXZUcnVzIEVDQyBSb290IENBMB4XDTE4MDczMTA3MjY0NFoXDTQzMDcz
-MTA3MjY0NFowRzELMAkGA1UEBhMCQ04xHDAaBgNVBAoTE2lUcnVzQ2hpbmEgQ28u
-LEx0ZC4xGjAYBgNVBAMTEXZUcnVzIEVDQyBSb290IENBMHYwEAYHKoZIzj0CAQYF
-K4EEACIDYgAEZVBKrox5lkqqHAjDo6LN/llWQXf9JpRCux3NCNtzslt188+cToL0
-v/hhJoVs1oVbcnDS/dtitN9Ti72xRFhiQgnH+n9bEOf+QP3A2MMrMudwpremIFUd
-e4BdS49nTPEQo0IwQDAdBgNVHQ4EFgQUmDnNvtiyjPeyq+GtJK97fKHbH88wDwYD
-VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDaAAwZQIw
-V53dVvHH4+m4SVBrm2nDb+zDfSXkV5UTQJtS0zvzQBm8JsctBp61ezaf9SXUY2sA
-AjEA6dPGnlaaKsyh2j/IZivTWJwghfqrkYpwcBE4YGQLYgmRWAD5Tfs0aNoJrSEG
-GJTO
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "CN=vTrus Root CA,O=iTrusChina Co.\\,Ltd.,C=CN",
-		sha256Hash: "8a71de6559336f426c26e53880d00d88a18da4c6a91f0dcb6194e206c5c96387",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFVjCCAz6gAwIBAgIUQ+NxE9izWRRdt86M/TX9b7wFjUUwDQYJKoZIhvcNAQEL
-BQAwQzELMAkGA1UEBhMCQ04xHDAaBgNVBAoTE2lUcnVzQ2hpbmEgQ28uLEx0ZC4x
-FjAUBgNVBAMTDXZUcnVzIFJvb3QgQ0EwHhcNMTgwNzMxMDcyNDA1WhcNNDMwNzMx
-MDcyNDA1WjBDMQswCQYDVQQGEwJDTjEcMBoGA1UEChMTaVRydXNDaGluYSBDby4s
-THRkLjEWMBQGA1UEAxMNdlRydXMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD
-ggIPADCCAgoCggIBAL1VfGHTuB0EYgWgrmy3cLRB6ksDXhA/kFocizuwZotsSKYc
-IrrVQJLuM7IjWcmOvFjai57QGfIvWcaMY1q6n6MLsLOaXLoRuBLpDLvPbmyAhykU
-AyyNJJrIZIO1aqwTLDPxn9wsYTwaP3BVm60AUn/PBLn+NvqcwBauYv6WTEN+VRS+
-GrPSbcKvdmaVayqwlHeFXgQPYh1jdfdr58tbmnDsPmcF8P4HCIDPKNsFxhQnL4Z9
-8Cfe/+Z+M0jnCx5Y0ScrUw5XSmXX+6KAYPxMvDVTAWqXcoKv8R1w6Jz1717CbMdH
-flqUhSZNO7rrTOiwCcJlwp2dCZtOtZcFrPUGoPc2BX70kLJrxLT5ZOrpGgrIDajt
-J8nU57O5q4IikCc9Kuh8kO+8T/3iCiSn3mUkpF3qwHYw03dQ+A0Em5Q2AXPKBlim
-0zvc+gRGE1WKyURHuFE5Gi7oNOJ5y1lKCn+8pu8fA2dqWSslYpPZUxlmPCdiKYZN
-pGvu/9ROutW04o5IWgAZCfEF2c6Rsffr6TlP9m8EQ5pV9T4FFL2/s1m02I4zhKOQ
-UqqzApVg+QxMaPnu1RcN+HFXtSXkKe5lXa/R7jwXC1pDxaWG6iSe4gUH3DRCEpHW
-OXSuTEGC2/KmSNGzm/MzqvOmwMVO9fSddmPmAsYiS8GVP1BkLFTltvA8Kc9XAgMB
-AAGjQjBAMB0GA1UdDgQWBBRUYnBj8XWEQ1iO0RYgscasGrz2iTAPBgNVHRMBAf8E
-BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAKbqSSaet
-8PFww+SX8J+pJdVrnjT+5hpk9jprUrIQeBqfTNqK2uwcN1LgQkv7bHbKJAs5EhWd
-nxEt/Hlk3ODg9d3gV8mlsnZwUKT+twpw1aA08XXXTUm6EdGz2OyC/+sOxL9kLX1j
-bhd47F18iMjrjld22VkE+rxSH0Ws8HqA7Oxvdq6R2xCOBNyS36D25q5J08FsEhvM
-Kar5CKXiNxTKsbhm7xqC5PD48acWabfbqWE8n/Uxy+QARsIvdLGx14HuqCaVvIiv
-TDUHKgLKeBRtRytAVunLKmChZwOgzoy8sHJnxDHO2zTlJQNgJXtxmOTAGytfdELS
-S8VZCAeHvsXDf+eW2eHcKJfWjwXj9ZtOyh1QRwVTsMo554WgicEFOwE30z9J4nfr
-I8iIZjs9OXYhRvHsXyO466JmdXTBQPfYaJqT4i2pLr0cox7IdMakLXogqzu4sEb9
-b91fUlV1YvCXoHzXOP0l382gmxDPi7g4Xl7FtKYCNqEeXxzP4padKar9mK5S4fNB
-UvupLnKWnyfjqnN9+BojZns7q2WwMgFLFT49ok8MKzWixtlnEjUwzXYuFrOZnk1P
-Ti07NEPhmg4NpGaXutIcSkwsKouLgU9xGqndXHt7CMUADTdA43x7VF8vhV929ven
-sBxXVsFy6K2ir40zSbofitzmdHxghm+Hl3s=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES",
-		sha256Hash: "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsx
-CzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJ
-WiBGTk1ULVJDTTAeFw0wODEwMjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJ
-BgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJWiBG
-Tk1ULVJDTTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALpxgHpMhm5/
-yBNtwMZ9HACXjywMI7sQmkCpGreHiPibVmr75nuOi5KOpyVdWRHbNi63URcfqQgf
-BBckWKo3Shjf5TnUV/3XwSyRAZHiItQDwFj8d0fsjz50Q7qsNI1NOHZnjrDIbzAz
-WHFctPVrbtQBULgTfmxKo0nRIBnuvMApGGWn3v7v3QqQIecaZ5JCEJhfTzC8PhxF
-tBDXaEAUwED653cXeuYLj2VbPNmaUtu1vZ5Gzz3rkQUCwJaydkxNEJY7kvqcfw+Z
-374jNUUeAlz+taibmSXaXvMiwzn15Cou08YfxGyqxRxqAQVKL9LFwag0Jl1mpdIC
-IfkYtwb1TplvqKtMUejPUBjFd8g5CSxJkjKZqLsXF3mwWsXmo8RZZUc1g16p6DUL
-mbvkzSDGm0oGObVo/CK67lWMK07q87Hj/LaZmtVC+nFNCM+HHmpxffnTtOmlcYF7
-wk5HlqX2doWjKI/pgG6BU6VtX7hI+cL5NqYuSf+4lsKMB7ObiFj86xsc3i1w4peS
-MKGJ47xVqCfWS+2QrYv6YyVZLag13cqXM7zlzced0ezvXg5KkAYmY6252TUtB7p2
-ZSysV4999AeU14ECll2jB0nVetBX+RvnU0Z1qrB5QstocQjpYL05ac70r8NWQMet
-UqIJ5G+GR4of6ygnXYMgrwTJbFaai0b1AgMBAAGjgYMwgYAwDwYDVR0TAQH/BAUw
-AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPd9xf3E6Jobd2Sn9R2gzL+H
-YJptMD4GA1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1odHRwOi8vd3d3
-LmNlcnQuZm5tdC5lcy9kcGNzLzANBgkqhkiG9w0BAQsFAAOCAgEAB5BK3/MjTvDD
-nFFlm5wioooMhfNzKWtN/gHiqQxjAb8EZ6WdmF/9ARP67Jpi6Yb+tmLSbkyU+8B1
-RXxlDPiyN8+sD8+Nb/kZ94/sHvJwnvDKuO+3/3Y3dlv2bojzr2IyIpMNOmqOFGYM
-LVN0V2Ue1bLdI4E7pWYjJ2cJj+F3qkPNZVEI7VFY/uY5+ctHhKQV8Xa7pO6kO8Rf
-77IzlhEYt8llvhjho6Tc+hj507wTmzl6NLrTQfv6MooqtyuGC2mDOL7Nii4LcK2N
-JpLuHvUBKwrZ1pebbuCoGRw6IYsMHkCtA+fdZn71uSANA+iW+YJF1DngoABd15jm
-fZ5nc8OaKveri6E6FO80vFIOiZiaBECEHX5FaZNXzuvO+FB8TxxuBEOb+dY7Ixjp
-6o7RTUaN8Tvkasq6+yO3m/qZASlaWFot4/nUbQ4mrcFuNLwy+AwF+mWj2zs3gyLp
-1txyM/1d8iC9djwj2ij3+RvrWWTV3F9yfiD8zYm1kGdNYno/Tq0dwzn+evQoFt9B
-9kiABdcPUXmsEKvU7ANm5mqwujGSQkBqvjrTcuFqN1W8rB2Vt2lh8kORdOag0wok
-RqEIr9baRRmW1FMdW4R58MD3R++Lj8UGrp1MYp3/RgT408m2ECVAdf4WqslKYIYv
-uu8wd+RU4riEmViAqhOLUTpPSPaLtrM=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\\,LTD.,C=JP",
-		sha256Hash: "513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDEl
-MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe
-U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoX
-DTI5MDUyOTA1MDAzOVowXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09NIFRy
-dXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11bmlj
-YXRpb24gUm9vdENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAV
-OVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2l9amZIyoXvDjChz335c9S672XewhtUGr
-zbl+dp+++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq1LXaQZAQwdbWQonCv/Q4EpVM
-VAX3NuRFg3sUZdbcDE3R3n4MqzvEFb46VqZab3ZpUql6ucjrappdUtAtCms1FgkQ
-hNBqyjoGADdH5H5XTz+L62e4iKrFvlNVspHEfbmwhRkGeC7bYRr6hfVKkaHnFtWO
-ojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1KEOtOghY6rCcMU/Gt1SSw
-awNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8QIH4D5cs
-OPEK7DzPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4IBAQBMOqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpF
-coJxDjrSzG+ntKEju/Ykn8sX/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXc
-okgfGT+Ok+vx+hfuzU7jBBJV1uXk3fs+BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8
-t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6qtnRGEmyR7jTV7JqR50S+kDFy
-1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29mvVXIwAHIRc/
-SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO",
-		sha256Hash: "657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV
-BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g
-Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ
-BgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJ
-R04gUk9PVCBDQSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDF
-dRmRfUR0dIf+DjuW3NgBFszuY5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0Iw
-vlDqtg+piNguLWkh59E3GE59kdUWX2tbAMI5Qw02hVK5U2UPHULlj88F0+7cDBrZ
-uIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwoUe+StCmrqzWaTOTECMYmzPhp
-n+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV07YRaXseVO6MGiKs
-cpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2YpxJM02PbyW
-xPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P
-rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiF
-DsGJ6x9nxUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fx
-DTvf95xhszWYijqy7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgy
-LcsUDFDYg2WD7rlcz8sFWkz6GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6C
-eWRgKRM+o/1Pcmqr4tTluCRVLERLiohEnMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB
-/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSCIS1mxteg4BXrzkwJ
-d8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILVAzOBywaK8SJJ6ejq
-kX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa8gWmr4UC
-b6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl
-qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0
-OJD7uNGzcgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+c
-NywRtYK3qq4kNFtyDGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXk
-ltd0ZGtxTgI8qoXzIKNDOXZbbFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIO
-pwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj
-03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdYaXHmgwo38oZJar55CJD2AhZk
-PuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxEy9/eCG/Oo2Sr05WE
-1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/NtBde17MX
-QRBdJ3NghVdJIgc=
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "OU=certSIGN ROOT CA,O=certSIGN,C=RO",
-		sha256Hash: "eaa962c4fa4a6bafebe415196d351ccd888d4f53f3fa8ae6d7c466a94e6042bb",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT
-AlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBD
-QTAeFw0wNjA3MDQxNzIwMDRaFw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJP
-MREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBDQTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALczuX7IJUqOtdu0KBuqV5Do
-0SLTZLrTk+jUrIZhQGpgV2hUhE28alQCBf/fm5oqrl0Hj0rDKH/v+yv6efHHrfAQ
-UySQi2bJqIirr1qjAOm+ukbuW3N7LBeCgV5iLKECZbO9xSsAfsT8AzNXDe3i+s5d
-RdY4zTW2ssHQnIFKquSyAVwdj1+ZxLGt24gh65AIgoDzMKND5pCCrlUoSe1b16kQ
-OA7+j0xbm0bqQfWwCHTD0IgztnzXdN/chNFDDnU5oSVAKOp4yw4sLjmdjItuFhwv
-JoIQ4uNllAoEwF73XVv4EOLQunpL+943AAAaWyjj0pxzPjKHmKHJUS/X3qwzs08C
-AwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O
-BBYEFOCMm9slSbPxfIbWskKHC9BroNnkMA0GCSqGSIb3DQEBBQUAA4IBAQA+0hyJ
-LjX8+HXd5n9liPRyTMks1zJO890ZeUe9jjtbkw9QSSQTaxQGcu8J06Gh40CEyecY
-MnQ8SG4Pn0vU9x7Tk4ZkVJdjclDVVc/6IJMCopvDI5NOFlV2oHB5bc0hH88vLbwZ
-44gx+FkagQnIl6Z0x2DEW8xXjrJ1/RsCCdtZb3KTafcxQdaIOL+Hsr0Wefmq5L6I
-Jd1hJyMctTEHBDa0GpC9oHRxUIltvBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNw
-i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN
-9u6wWk5JRFRYX0KD
------END CERTIFICATE-----
-`,
-	},
-	{
-		cn:         "OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",
-		sha256Hash: "c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBe
-MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
-ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
-Fw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYTAlRXMSMw
-IQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UECwwhZVBL
-SSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAH
-SyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAh
-ijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3X
-DZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1
-TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SXDrkb5wdJ
-fzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0OWQqraffA
-sgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uU
-WH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLS
-nT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pH
-dmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJip
-NiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3pyKdVDEC
-AwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/QkqiMAwGA1UdEwQF
-MAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH
-ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGB
-uvl2ICO1J2B01GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6Yl
-PwZpVnPDimZI+ymBV3QGypzqKOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkP
-JXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdVxrsStZf0X4OFunHB2WyBEXYKCrC/
-gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEPNXubrjlpC2JgQCA2
-j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+rGNm6
-5ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUB
-o2M3IUxExJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS
-/jQ6fbjpKdx2qcgw+BRxgMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2z
-Gp1iro2C6pSe3VkQw63d4k3jMdXH7OjysP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTE
-W9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+D
-hNQ+IIX3Sj0rnP0qCglN6oH4EZw=
------END CERTIFICATE-----
-`,
+		cn:           "CN=GTS Root R1,O=Google Trust Services LLC,C=US",
+		sha256Hash:   "d947432abde7b7fa90fc2e6b59101b1280e0e1c7e4e40fa3c6887fff57a7f4cf",
+		certStartOff: 61022,
+		certLength:   1371,
+	},
+	{
+		cn:           "CN=GTS Root R2,O=Google Trust Services LLC,C=US",
+		sha256Hash:   "8d25cd97229dbf70356bda4eb3cc734031e24cf00fafcfd32dc76eb5841c7ea8",
+		certStartOff: 62393,
+		certLength:   1371,
+	},
+	{
+		cn:           "CN=GTS Root R3,O=Google Trust Services LLC,C=US",
+		sha256Hash:   "34d8a73ee208d9bcdb0d956520934b4e40e69482596e8b6f73c8426b010a6f48",
+		certStartOff: 63764,
+		certLength:   525,
+	},
+	{
+		cn:           "CN=GTS Root R4,O=Google Trust Services LLC,C=US",
+		sha256Hash:   "349dfa4058c5e263123b398ae795573c4e1313c83fe68f93556cd5e8031b3c7d",
+		certStartOff: 64289,
+		certLength:   525,
+	},
+	{
+		cn:           "CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE",
+		sha256Hash:   "cbb9c44d84b8043e1050ea31a69f514955d7bfd2e2c6b49301019ad61d9f5058",
+		certStartOff: 64814,
+		certLength:   527,
+	},
+	{
+		cn:           "CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE",
+		sha256Hash:   "4fa3126d8d3a11d1c4855a4f807cbad6cf919d3a5a88b03bea2c6372d93c40c9",
+		certStartOff: 65341,
+		certLength:   1374,
+	},
+	{
+		cn:           "CN=GlobalSign,OU=GlobalSign ECC Root CA - R4,O=GlobalSign",
+		sha256Hash:   "b085d70b964f191a73e4af0d54ae7a0e07aafdaf9b71dd0862138ab7325a24a2",
+		certStartOff: 66715,
+		certLength:   480,
+	},
+	{
+		cn:           "CN=GlobalSign,OU=GlobalSign ECC Root CA - R5,O=GlobalSign",
+		sha256Hash:   "179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c8924",
+		certStartOff: 67195,
+		certLength:   546,
+	},
+	{
+		cn:           "CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign",
+		sha256Hash:   "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b",
+		certStartOff: 67741,
+		certLength:   867,
+	},
+	{
+		cn:           "CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign",
+		sha256Hash:   "2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69",
+		certStartOff: 68608,
+		certLength:   1415,
+	},
+	{
+		cn:           "CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
+		sha256Hash:   "45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda",
+		certStartOff: 70023,
+		certLength:   969,
+	},
+	{
+		cn:           "CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR",
+		sha256Hash:   "3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401",
+		certStartOff: 70992,
+		certLength:   600,
+	},
+	{
+		cn:           "CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR",
+		sha256Hash:   "d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d",
+		certStartOff: 71592,
+		certLength:   1448,
+	},
+	{
+		cn:           "CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR",
+		sha256Hash:   "44b545aa8a25e65a73ca15dc27fc36d24c1cb9953a066539b11582dc487b4833",
+		certStartOff: 73040,
+		certLength:   711,
+	},
+	{
+		cn:           "CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR",
+		sha256Hash:   "a040929a02ce53b4acf4f2ffc6981ce4496f755e6d45fe0b2a692bcd52523f36",
+		certStartOff: 73751,
+		certLength:   1551,
+	},
+	{
+		cn:           "CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",
+		sha256Hash:   "f015ce3cc239bfef064be9f1d2c417e1a0264a0a94be1f0c8d121864eb6949cc",
+		certStartOff: 75302,
+		certLength:   1390,
+	},
+	{
+		cn:           "CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK",
+		sha256Hash:   "5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6",
+		certStartOff: 76692,
+		certLength:   1491,
+	},
+	{
+		cn:           "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
+		sha256Hash:   "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6",
+		certStartOff: 78183,
+		certLength:   1391,
+	},
+	{
+		cn:           "CN=ISRG Root X2,O=Internet Security Research Group,C=US",
+		sha256Hash:   "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470",
+		certStartOff: 79574,
+		certLength:   543,
+	},
+	{
+		cn:           "CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US",
+		sha256Hash:   "5d56499be4d2e08bcfcad08a3e38723d50503bde706948e42f55603019e528ae",
+		certStartOff: 80117,
+		certLength:   1380,
+	},
+	{
+		cn:           "CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US",
+		sha256Hash:   "30d0895a9a448a262091635522d1f52010b5867acae12c78ef958fd4f4389f2f",
+		certStartOff: 81497,
+		certLength:   1386,
+	},
+	{
+		cn:           "CN=Izenpe.com,O=IZENPE S.A.,C=ES",
+		sha256Hash:   "2530cc8e98321502bad96f9b1fba1b099e2d299e0f4548bb914f363bc0d4531f",
+		certStartOff: 82883,
+		certLength:   1525,
+	},
+	{
+		cn:           "CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU,1.2.840.113549.1.9.1=#0c10696e666f40652d737a69676e6f2e6875",
+		sha256Hash:   "3c5f81fea5fab82c64bfa2eaecafcde8e077fc8620a7cae537163df36edbf378",
+		certStartOff: 84408,
+		certLength:   1038,
+	},
+	{
+		cn:           "CN=Microsoft ECC Root Certificate Authority 2017,O=Microsoft Corporation,C=US",
+		sha256Hash:   "358df39d764af9e1b766e9c972df352ee15cfac227af6ad1d70e8e4a6edcba02",
+		certStartOff: 85446,
+		certLength:   605,
+	},
+	{
+		cn:           "CN=Microsoft RSA Root Certificate Authority 2017,O=Microsoft Corporation,C=US",
+		sha256Hash:   "c741f70f4b2a8d88bf2e71c14122ef53ef10eba0cfa5e64cfa20f418853073e0",
+		certStartOff: 86051,
+		certLength:   1452,
+	},
+	{
+		cn:           "CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR",
+		sha256Hash:   "88f438dcf8ffd1fa8f429115ffe5f82ae1e06e0c70c375faad717b34a49e7265",
+		certStartOff: 87503,
+		certLength:   1446,
+	},
+	{
+		cn:           "CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU",
+		sha256Hash:   "6c61dac3a2def031506be036d2a6fe401994fbd13df9c8d466599274c446ec98",
+		certStartOff: 88949,
+		certLength:   1049,
+	},
+	{
+		cn:           "CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH",
+		sha256Hash:   "6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6",
+		certStartOff: 89998,
+		certLength:   953,
+	},
+	{
+		cn:           "CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH",
+		sha256Hash:   "8560f91c3624daba9570b5fea0dbe36ff11a8323be9486854fb3f34a5571198d",
+		certStartOff: 90951,
+		certLength:   621,
+	},
+	{
+		cn:           "CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM",
+		sha256Hash:   "8a866fd1b276b57e578e921c65828a2bed58e9f2f288054134b7f1f4bfc9cc74",
+		certStartOff: 91572,
+		certLength:   1380,
+	},
+	{
+		cn:           "CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM",
+		sha256Hash:   "8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840",
+		certStartOff: 92952,
+		certLength:   1380,
+	},
+	{
+		cn:           "CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM",
+		sha256Hash:   "85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86",
+		certStartOff: 94332,
+		certLength:   1467,
+	},
+	{
+		cn:           "CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM",
+		sha256Hash:   "88ef81de202eb018452e43f864725cea5fbd1fc2d9d205730709c5d8b8690f46",
+		certStartOff: 95799,
+		certLength:   1380,
+	},
+	{
+		cn:           "CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM",
+		sha256Hash:   "18f1fc7f205df8adddeb7fe007dd57e3af375a9c4d8d73546bf4f1fed1e18d35",
+		certStartOff: 97179,
+		certLength:   1697,
+	},
+	{
+		cn:           "CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US",
+		sha256Hash:   "22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8",
+		certStartOff: 98876,
+		certLength:   664,
+	},
+	{
+		cn:           "CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US",
+		sha256Hash:   "2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c",
+		certStartOff: 99540,
+		certLength:   1519,
+	},
+	{
+		cn:           "CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US",
+		sha256Hash:   "3417bb06cc6007da1b961c920b8ab4ce3fad820e4aa30b9acbc4a74ebdcebc65",
+		certStartOff: 101059,
+		certLength:   657,
+	},
+	{
+		cn:           "CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US",
+		sha256Hash:   "85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69",
+		certStartOff: 101716,
+		certLength:   1505,
+	},
+	{
+		cn:           "CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US",
+		sha256Hash:   "c32ffd9f46f936d16c3673990959434b9ad60aafbb9e7cf33654f144cc1ba143",
+		certStartOff: 103221,
+		certLength:   574,
+	},
+	{
+		cn:           "CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US",
+		sha256Hash:   "8faf7d2e2cb4709bb8e0b33666bf75a5dd45b5de480f8ea8d4bfe6bebc17f2ed",
+		certStartOff: 103795,
+		certLength:   1421,
+	},
+	{
+		cn:           "CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL",
+		sha256Hash:   "a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe",
+		certStartOff: 105216,
+		certLength:   886,
+	},
+	{
+		cn:           "CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB",
+		sha256Hash:   "c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383",
+		certStartOff: 106102,
+		certLength:   574,
+	},
+	{
+		cn:           "CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GB",
+		sha256Hash:   "7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06",
+		certStartOff: 106676,
+		certLength:   1422,
+	},
+	{
+		cn:           "CN=Secure Global CA,O=SecureTrust Corporation,C=US",
+		sha256Hash:   "4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69",
+		certStartOff: 108098,
+		certLength:   960,
+	},
+	{
+		cn:           "CN=SecureSign Root CA12,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
+		sha256Hash:   "3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e",
+		certStartOff: 109058,
+		certLength:   886,
+	},
+	{
+		cn:           "CN=SecureSign Root CA14,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
+		sha256Hash:   "4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338",
+		certStartOff: 109944,
+		certLength:   1398,
+	},
+	{
+		cn:           "CN=SecureSign Root CA15,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
+		sha256Hash:   "e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a",
+		certStartOff: 111342,
+		certLength:   551,
+	},
+	{
+		cn:           "CN=SecureTrust CA,O=SecureTrust Corporation,C=US",
+		sha256Hash:   "f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73",
+		certStartOff: 111893,
+		certLength:   956,
+	},
+	{
+		cn:           "CN=Security Communication ECC RootCA1,O=SECOM Trust Systems CO.\\,LTD.,C=JP",
+		sha256Hash:   "e74fbda55bd564c473a36b441aa799c8a68e077440e8288b9fa1e50e4bbaca11",
+		certStartOff: 112849,
+		certLength:   572,
+	},
+	{
+		cn:           "CN=Starfield Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
+		sha256Hash:   "2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5",
+		certStartOff: 113421,
+		certLength:   993,
+	},
+	{
+		cn:           "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
+		sha256Hash:   "568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5",
+		certStartOff: 114414,
+		certLength:   1011,
+	},
+	{
+		cn:           "CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH",
+		sha256Hash:   "62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688f647c6881f2c8357b95",
+		certStartOff: 115425,
+		certLength:   1470,
+	},
+	{
+		cn:           "CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH",
+		sha256Hash:   "193144f431e0fddb740717d4de926a571133884b4360d30e272913cbe660ce41",
+		certStartOff: 116895,
+		certLength:   1431,
+	},
+	{
+		cn:           "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE",
+		sha256Hash:   "91e2f5788d5810eba7ba58737de1548a8ecacd014598bc0b143e041b17052552",
+		certStartOff: 118326,
+		certLength:   967,
+	},
+	{
+		cn:           "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE",
+		sha256Hash:   "fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd",
+		certStartOff: 119293,
+		certLength:   967,
+	},
+	{
+		cn:           "CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW",
+		sha256Hash:   "3f63bb2814be174ec8b6439cf08d6d56f0b7c405883a5648a334424d6b3ec558",
+		certStartOff: 120260,
+		certLength:   1425,
+	},
+	{
+		cn:           "CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW",
+		sha256Hash:   "59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b",
+		certStartOff: 121685,
+		certLength:   1349,
+	},
+	{
+		cn:           "CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW",
+		sha256Hash:   "bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44",
+		certStartOff: 123034,
+		certLength:   895,
+	},
+	{
+		cn:           "CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE",
+		sha256Hash:   "578af4ded0853f4e5998db4aeaf9cbea8d945f60b620a38d1a3c13b2bc7ba8e1",
+		certStartOff: 123929,
+		certLength:   582,
+	},
+	{
+		cn:           "CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE",
+		sha256Hash:   "efc65cadbb59adb6efe84da22311b35624b71b3b1ea0da8b6655174ec8978646",
+		certStartOff: 124511,
+		certLength:   1463,
+	},
+	{
+		cn:           "CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI",
+		sha256Hash:   "242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c",
+		certStartOff: 125974,
+		certLength:   1400,
+	},
+	{
+		cn:           "CN=TeliaSonera Root CA v1,O=TeliaSonera",
+		sha256Hash:   "dd6936fe21f8f077c123a1a521c12224f72255b73e03a7260693e8a24b0fa389",
+		certStartOff: 127374,
+		certLength:   1340,
+	},
+	{
+		cn:           "CN=TrustAsia Global Root CA G3,O=TrustAsia Technologies\\, Inc.,C=CN",
+		sha256Hash:   "e0d3226aeb1163c2e48ff9be3b50b4c6431be7bb1eacc5c36b5d5ec509039a08",
+		certStartOff: 128714,
+		certLength:   1449,
+	},
+	{
+		cn:           "CN=TrustAsia Global Root CA G4,O=TrustAsia Technologies\\, Inc.,C=CN",
+		sha256Hash:   "be4b56cb5056c0136a526df444508daa36a0b54f42e4ac38f72af470e479654c",
+		certStartOff: 130163,
+		certLength:   601,
+	},
+	{
+		cn:           "CN=TrustAsia TLS ECC Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
+		sha256Hash:   "c0076b9ef0531fb1a656d67c4ebe97cd5dbaa41ef44598acc2489878c92d8711",
+		certStartOff: 130764,
+		certLength:   565,
+	},
+	{
+		cn:           "CN=TrustAsia TLS RSA Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
+		sha256Hash:   "06c08d7dafd876971eb1124fe67f847ec0c7a158d3ea53cbe940e2ea9791f4c3",
+		certStartOff: 131329,
+		certLength:   1412,
+	},
+	{
+		cn:           "CN=Trustwave Global Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
+		sha256Hash:   "97552015f5ddfc3c8788c006944555408894450084f100867086bc1a2bb58dc8",
+		certStartOff: 132741,
+		certLength:   1502,
+	},
+	{
+		cn:           "CN=Trustwave Global ECC P256 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
+		sha256Hash:   "945bbc825ea554f489d1fd51a73ddf2ea624ac7019a05205225c22a78ccfa8b4",
+		certStartOff: 134243,
+		certLength:   612,
+	},
+	{
+		cn:           "CN=Trustwave Global ECC P384 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
+		sha256Hash:   "55903859c8c0c3ebb8759ece4e2557225ff5758bbd38ebd48276601e1bd58097",
+		certStartOff: 134855,
+		certLength:   673,
+	},
+	{
+		cn:           "CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN",
+		sha256Hash:   "2e44102ab58cb85419451c8e19d9acf3662cafbc614b6a53960a30f7d0e2eb41",
+		certStartOff: 135528,
+		certLength:   1463,
+	},
+	{
+		cn:           "CN=UCA Extended Validation Root,O=UniTrust,C=CN",
+		sha256Hash:   "d43af9b35473755c9684fc06d7d8cb70ee5c28e773fb294eb41ee71722924d24",
+		certStartOff: 136991,
+		certLength:   1374,
+	},
+	{
+		cn:           "CN=UCA Global G2 Root,O=UniTrust,C=CN",
+		sha256Hash:   "9bea11c976fe014764c1be56a6f914b5a560317abd9988393382e5161aa0493c",
+		certStartOff: 138365,
+		certLength:   1354,
+	},
+	{
+		cn:           "CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US",
+		sha256Hash:   "4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a",
+		certStartOff: 139719,
+		certLength:   659,
+	},
+	{
+		cn:           "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US",
+		sha256Hash:   "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2",
+		certStartOff: 140378,
+		certLength:   1506,
+	},
+	{
+		cn:           "CN=e-Szigno Root CA 2017,O=Microsec Ltd.,L=Budapest,C=HU,2.5.4.97=#130e56415448552d3233353834343937",
+		sha256Hash:   "beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99",
+		certStartOff: 141884,
+		certLength:   580,
+	},
+	{
+		cn:           "CN=emSign ECC Root CA - C3,OU=emSign PKI,O=eMudhra Inc,C=US",
+		sha256Hash:   "bc4d809b15189d78db3e1d8cf4f9726a795da1643ca5f1358e1ddb0edc0d7eb3",
+		certStartOff: 142464,
+		certLength:   559,
+	},
+	{
+		cn:           "CN=emSign ECC Root CA - G3,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN",
+		sha256Hash:   "86a1ecba089c4a8d3bbe2734c612ba341d813e043cf9e8a862cd5c57a36bbe6b",
+		certStartOff: 143023,
+		certLength:   594,
+	},
+	{
+		cn:           "CN=emSign Root CA - C1,OU=emSign PKI,O=eMudhra Inc,C=US",
+		sha256Hash:   "125609aa301da0a249b97a8239cb6a34216f44dcac9f3954b14292f2e8c8608f",
+		certStartOff: 143617,
+		certLength:   887,
+	},
+	{
+		cn:           "CN=emSign Root CA - G1,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN",
+		sha256Hash:   "40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367",
+		certStartOff: 144504,
+		certLength:   920,
+	},
+	{
+		cn:           "CN=vTrus ECC Root CA,O=iTrusChina Co.\\,Ltd.,C=CN",
+		sha256Hash:   "30fbba2c32238e2a98547af97931e550428b9b3f1c8eeb6633dcfa86c5b27dd3",
+		certStartOff: 145424,
+		certLength:   531,
+	},
+	{
+		cn:           "CN=vTrus Root CA,O=iTrusChina Co.\\,Ltd.,C=CN",
+		sha256Hash:   "8a71de6559336f426c26e53880d00d88a18da4c6a91f0dcb6194e206c5c96387",
+		certStartOff: 145955,
+		certLength:   1370,
+	},
+	{
+		cn:           "OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES",
+		sha256Hash:   "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa",
+		certStartOff: 147325,
+		certLength:   1415,
+	},
+	{
+		cn:           "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\\,LTD.,C=JP",
+		sha256Hash:   "513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6",
+		certStartOff: 148740,
+		certLength:   891,
+	},
+	{
+		cn:           "OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO",
+		sha256Hash:   "657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305",
+		certStartOff: 149631,
+		certLength:   1355,
+	},
+	{
+		cn:           "OU=certSIGN ROOT CA,O=certSIGN,C=RO",
+		sha256Hash:   "eaa962c4fa4a6bafebe415196d351ccd888d4f53f3fa8ae6d7c466a94e6042bb",
+		certStartOff: 150986,
+		certLength:   828,
+	},
+	{
+		cn:            "OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",
+		sha256Hash:    "c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5",
+		certStartOff:  151814,
+		certLength:    1460,
 		distrustAfter: "2025-04-15T23:59:59Z",
 	},
 	{
-		cn:         "SERIALNUMBER=G63287510,CN=ANF Secure Server Root CA,OU=ANF CA Raiz,O=ANF Autoridad de Certificacion,C=ES",
-		sha256Hash: "fb8fec759169b9106b1e511644c618c51304373f6c0643088d8beffd1b997599",
-		pem: `-----BEGIN CERTIFICATE-----
-MIIF7zCCA9egAwIBAgIIDdPjvGz5a7EwDQYJKoZIhvcNAQELBQAwgYQxEjAQBgNV
-BAUTCUc2MzI4NzUxMDELMAkGA1UEBhMCRVMxJzAlBgNVBAoTHkFORiBBdXRvcmlk
-YWQgZGUgQ2VydGlmaWNhY2lvbjEUMBIGA1UECxMLQU5GIENBIFJhaXoxIjAgBgNV
-BAMTGUFORiBTZWN1cmUgU2VydmVyIFJvb3QgQ0EwHhcNMTkwOTA0MTAwMDM4WhcN
-MzkwODMwMTAwMDM4WjCBhDESMBAGA1UEBRMJRzYzMjg3NTEwMQswCQYDVQQGEwJF
-UzEnMCUGA1UEChMeQU5GIEF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uMRQwEgYD
-VQQLEwtBTkYgQ0EgUmFpejEiMCAGA1UEAxMZQU5GIFNlY3VyZSBTZXJ2ZXIgUm9v
-dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANvrayvmZFSVgpCj
-cqQZAZ2cC4Ffc0m6p6zzBE57lgvsEeBbphzOG9INgxwruJ4dfkUyYA8H6XdYfp9q
-yGFOtibBTI3/TO80sh9l2Ll49a2pcbnvT1gdpd50IJeh7WhM3pIXS7yr/2WanvtH
-2Vdy8wmhrnZEE26cLUQ5vPnHO6RYPUG9tMJJo8gN0pcvB2VSAKduyK9o7PQUlrZX
-H1bDOZ8rbeTzPvY1ZNoMHKGESy9LS+IsJJ1tk0DrtSOOMspvRdOoiXsezx76W0OL
-zc2oD2rKDF65nkeP8Nm2CgtYZRczuSPkdxl9y0oukntPLxB3sY0vaJxizOBQ+OyR
-p1RMVwnVdmPF6GUe7m1qzwmd+nxPrWAI/VaZDxUse6mAq4xhj0oHdkLePfTdsiQz
-W7i1o0TJrH93PB0j7IKppuLIBkwC/qxcmZkLLxCKpvR/1Yd0DVlJRfbwcVw5Kda/
-SiOL9V8BY9KHcyi1Swr1+KuCLH5zJTIdC2MKF4EA/7Z2Xue0sUDKIbvVgFHlSFJn
-LNJhiQcND85Cd8BEc5xEUKDbEAotlRyBr+Qc5RQe8TZBAQIvfXOn3kLMTOmJDVb3
-n5HUA8ZsyY/b2BzgQJhdZpmYgG4t/wHFzstGH6wCxkPmrqKEPMVOHj1tyRRM4y5B
-u8o5vzY8KhmqQYdOpc5LMnndkEl/AgMBAAGjYzBhMB8GA1UdIwQYMBaAFJxf0Gxj
-o1+TypOYCK2Mh6UsXME3MB0GA1UdDgQWBBScX9BsY6Nfk8qTmAitjIelLFzBNzAO
-BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
-AgEATh65isagmD9uw2nAalxJUqzLK114OMHVVISfk/CHGT0sZonrDUL8zPB1hT+L
-9IBdeeUXZ701guLyPI59WzbLWoAAKfLOKyzxj6ptBZNscsdW699QIyjlRRA96Gej
-rw5VD5AJYu9LWaL2U/HANeQvwSS9eS9OICI7/RogsKQOLHDtdD+4E5UGUcjohybK
-pFtqFiGS3XNgnhAY3jyB6ugYw3yJ8otQPr0R4hUDqDZ9MwFsSBXXiJCZBMXM5gf0
-vPSQ7RPi6ovDj6MzD8EpTBNO2hVWcXNyglD2mjN8orGoGjR0ZVzO0eurU+AagNjq
-OknkJjCb5RyKqKkVMoaZkgoQI1YS4PbOTOK7vtuNknMBZi9iPrJyJ0U27U1W45eZ
-/zo1PqVUSlJZS2Db7v54EX9K3BR5YLZrZAPbFYPhor72I5dQ8AkzNqdxliXzuUJ9
-2zg/LFis6ELhDtjTO0wugumDLmsx2d1Hhk9tl5EuT+IocTUW0fJz/iUrB0ckYyfI
-+PbZa/wSMVYIwFNCr5zQM378BvAxRAMU8Vjq8moNqRGyg77FGr8H6lnco4g175x2
-MjxNBiLOFeXdntiP2t7SxDnlF4HPOEfrf4htWRvfn0IUrn7PqLBmZdo3r5+qPeoo
-tt7VMVgWglvquxl1AnMaykgaIZOQCo6ThKd9OyMYkomgjaw=
------END CERTIFICATE-----
-`,
+		cn:           "SERIALNUMBER=G63287510,CN=ANF Secure Server Root CA,OU=ANF CA Raiz,O=ANF Autoridad de Certificacion,C=ES",
+		sha256Hash:   "fb8fec759169b9106b1e511644c618c51304373f6c0643088d8beffd1b997599",
+		certStartOff: 153274,
+		certLength:   1523,
 	},
 }
diff --git a/x509roots/fallback/bundle_test.go b/x509roots/fallback/bundle_test.go
new file mode 100644
index 0000000000..a8922cc93d
--- /dev/null
+++ b/x509roots/fallback/bundle_test.go
@@ -0,0 +1,32 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package fallback
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"testing"
+)
+
+func TestBundle(t *testing.T) {
+	for i, unparsed := range unparsedCertificates {
+		cert, err := x509.ParseCertificate(rawCerts[unparsed.certStartOff : unparsed.certStartOff+unparsed.certLength])
+		if err != nil {
+			t.Errorf("ParseCertificate(unparsedCertificates[%v]) unexpected error: %v", i, err)
+			continue
+		}
+
+		if unparsed.cn != cert.Subject.String() {
+			t.Errorf("unparsedCertificates[%v].cn = %q; want = %q", i, unparsed.cn, cert.Subject.String())
+		}
+
+		sum := sha256.Sum256(cert.Raw)
+		sumHex := hex.EncodeToString(sum[:])
+		if sumHex != unparsed.sha256Hash {
+			t.Errorf("unparsedCertificates[%v].sha256Hash = %q; want = %q", i, unparsed.sha256Hash, sumHex)
+		}
+	}
+}
diff --git a/x509roots/fallback/fallback.go b/x509roots/fallback/fallback.go
index e4b53398b5..a0dad330ea 100644
--- a/x509roots/fallback/fallback.go
+++ b/x509roots/fallback/fallback.go
@@ -20,11 +20,14 @@ package fallback
 
 import (
 	"crypto/x509"
-	"encoding/pem"
+	_ "embed"
 	"fmt"
 	"time"
 )
 
+//go:embed bundle.der
+var rawCerts []byte
+
 func init() {
 	x509.SetFallbackRoots(newFallbackCertPool())
 }
@@ -49,9 +52,10 @@ func newFallbackCertPool() *x509.CertPool {
 }
 
 type unparsedCertificate struct {
-	cn         string
-	sha256Hash string
-	pem        string
+	cn           string
+	sha256Hash   string
+	certStartOff int
+	certLength   int
 
 	// possible constraints
 	distrustAfter string
@@ -63,19 +67,9 @@ type parsedCertificate struct {
 }
 
 func mustParse(unparsedCerts []unparsedCertificate) []parsedCertificate {
-	var b []parsedCertificate
+	b := make([]parsedCertificate, 0, len(unparsedCerts))
 	for _, unparsed := range unparsedCerts {
-		block, rest := pem.Decode([]byte(unparsed.pem))
-		if block == nil {
-			panic(fmt.Sprintf("unexpected nil PEM block for %q", unparsed.cn))
-		}
-		if len(rest) != 0 {
-			panic(fmt.Sprintf("unexpected trailing data in PEM for %q", unparsed.cn))
-		}
-		if block.Type != "CERTIFICATE" {
-			panic(fmt.Sprintf("unexpected PEM block type for %q: %s", unparsed.cn, block.Type))
-		}
-		cert, err := x509.ParseCertificate(block.Bytes)
+		cert, err := x509.ParseCertificate(rawCerts[unparsed.certStartOff : unparsed.certStartOff+unparsed.certLength])
 		if err != nil {
 			panic(err)
 		}
diff --git a/x509roots/gen_fallback_bundle.go b/x509roots/gen_fallback_bundle.go
index 1fe90225dc..ed2f9f84fb 100644
--- a/x509roots/gen_fallback_bundle.go
+++ b/x509roots/gen_fallback_bundle.go
@@ -11,7 +11,6 @@ package main
 import (
 	"bytes"
 	"crypto/sha256"
-	"encoding/pem"
 	"flag"
 	"fmt"
 	"go/format"
@@ -37,6 +36,7 @@ var (
 	certDataURL  = flag.String("certdata-url", "https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt", "URL to the raw certdata.txt file to parse (certdata-path overrides this, if provided)")
 	certDataPath = flag.String("certdata-path", "", "Path to the NSS certdata.txt file to parse (this overrides certdata-url, if provided)")
 	output       = flag.String("output", "fallback/bundle.go", "Path to file to write output to")
+	derOutput    = flag.String("deroutput", "fallback/bundle.der", "Path to file to write output to (DER certificate bundle)")
 )
 
 func main() {
@@ -92,8 +92,9 @@ func main() {
 		return subjI < subjJ
 	})
 
-	b := new(bytes.Buffer)
-	b.WriteString(tmpl)
+	rawCertsData := new(bytes.Buffer)
+	goSrcOut := new(bytes.Buffer)
+	goSrcOut.WriteString(tmpl)
 	for _, c := range certs {
 		var constraints []string
 		var skip bool
@@ -110,19 +111,24 @@ func main() {
 		if skip {
 			continue
 		}
-		fmt.Fprintf(b, "{\ncn: %q,\nsha256Hash: \"%x\",\npem: `%s`,\n",
+
+		off := rawCertsData.Len()
+		rawCertsData.Write(c.X509.Raw)
+
+		fmt.Fprintf(goSrcOut, "{\ncn: %q,\nsha256Hash: \"%x\",\ncertStartOff: %v,\ncertLength: %v,\n",
 			c.X509.Subject.String(),
 			sha256.Sum256(c.X509.Raw),
-			string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.X509.Raw})),
+			off,
+			len(c.X509.Raw),
 		)
 		for _, constraint := range constraints {
-			fmt.Fprintln(b, constraint)
+			fmt.Fprintln(goSrcOut, constraint)
 		}
-		fmt.Fprintln(b, "},")
+		fmt.Fprintln(goSrcOut, "},")
 	}
-	fmt.Fprintln(b, "}")
+	fmt.Fprintln(goSrcOut, "}")
 
-	formatted, err := format.Source(b.Bytes())
+	formatted, err := format.Source(goSrcOut.Bytes())
 	if err != nil {
 		log.Fatalf("failed to format source: %s", err)
 	}
@@ -130,4 +136,8 @@ func main() {
 	if err := os.WriteFile(*output, formatted, 0644); err != nil {
 		log.Fatalf("failed to write to %q: %s", *output, err)
 	}
+
+	if err := os.WriteFile(*derOutput, rawCertsData.Bytes(), 0644); err != nil {
+		log.Fatalf("failed to write to %q: %s", *output, err)
+	}
 }

From b999374650442ee37e9bbd97d6a11ad7ed999b98 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Wed, 6 Aug 2025 12:43:58 -0400
Subject: [PATCH 05/37] acme: fix pebble subprocess output data race

Wait for process completion before reading stdout/stderr buffers
to eliminate race between I/O Go routines and test cleanup.

Updates golang/go#74437

Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest-race
Change-Id: I2e650c04db5be0d7a1e858ce40e25f13ad12223c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/693596
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/pebble_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/acme/pebble_test.go b/acme/pebble_test.go
index e3738497a5..b633435a71 100644
--- a/acme/pebble_test.go
+++ b/acme/pebble_test.go
@@ -789,6 +789,7 @@ func spawnServerProcess(t *testing.T, dir string, cmd string, args ...string) {
 
 	t.Cleanup(func() {
 		cmdInstance.Process.Kill()
+		cmdInstance.Wait()
 
 		if t.Failed() || testing.Verbose() {
 			t.Logf("=== %s output ===", cmd)

From ef5341b70697ceb55f904384bd982587224e8b0c Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Thu, 7 Aug 2025 09:08:13 -0700
Subject: [PATCH 06/37] go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I93de641462a54b0ae565bb60e2a0e6e7c2c3b883
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/693999
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index 5cd0c6410d..4ba08a1445 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module golang.org/x/crypto
 go 1.23.0
 
 require (
-	golang.org/x/net v0.41.0 // tagx:ignore
-	golang.org/x/sys v0.34.0
-	golang.org/x/term v0.33.0
+	golang.org/x/net v0.42.0 // tagx:ignore
+	golang.org/x/sys v0.35.0
+	golang.org/x/term v0.34.0
 )
 
-require golang.org/x/text v0.27.0 // indirect
+require golang.org/x/text v0.28.0 // indirect
diff --git a/go.sum b/go.sum
index 93d2855a8c..b75af8566b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=

From 44ecf3af9978b32529ce689a6964bd557c79aa1c Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Wed, 13 Aug 2025 14:21:40 +0000
Subject: [PATCH 07/37] all: upgrade go directive to at least 1.24.0
 [generated]

By now Go 1.25.0 has been released, and Go 1.23 is no longer supported
per the Go Release Policy (see https://go.dev/doc/devel/release#policy).

For golang/go#69095.

[git-generate]
(cd . && go get go@1.24.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none)
(cd x509roots/fallback && go get go@1.24.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none)

Change-Id: Ia4c201e9611a2c13489e16d4ae81d7e3e32bf455
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/695715
Auto-Submit: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
---
 go.mod                    | 2 +-
 x509roots/fallback/go.mod | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 4ba08a1445..4ccce30fb4 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module golang.org/x/crypto
 
-go 1.23.0
+go 1.24.0
 
 require (
 	golang.org/x/net v0.42.0 // tagx:ignore
diff --git a/x509roots/fallback/go.mod b/x509roots/fallback/go.mod
index 6ffde44ff8..5d4b07eee5 100644
--- a/x509roots/fallback/go.mod
+++ b/x509roots/fallback/go.mod
@@ -1,3 +1,3 @@
 module golang.org/x/crypto/x509roots/fallback
 
-go 1.23.0
+go 1.24.0

From f5a2eabcab987dc84f30d5479ed5c5605b5de634 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Mon, 18 Aug 2025 18:57:42 +0200
Subject: [PATCH 08/37] ssh: use curve25519.X25519 instead of
 curve25519.ScalarMult

This lets us surface an error message instead of panicking if running
in fips140=only mode, where ECDH on X25519 returns an error.

Updates golang/go#75061

Change-Id: I6a6a6964c0591f3dca2dc946c99d44364314a3ab
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/696995
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
---
 ssh/kex.go | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/ssh/kex.go b/ssh/kex.go
index cf388a92aa..368624759d 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -9,7 +9,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/subtle"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -454,15 +453,17 @@ func (kp *curve25519KeyPair) generate(rand io.Reader) error {
 	if _, err := io.ReadFull(rand, kp.priv[:]); err != nil {
 		return err
 	}
-	curve25519.ScalarBaseMult(&kp.pub, &kp.priv)
+	p, err := curve25519.X25519(kp.priv[:], curve25519.Basepoint)
+	if err != nil {
+		return fmt.Errorf("curve25519: %w", err)
+	}
+	if len(p) != 32 {
+		return fmt.Errorf("curve25519: internal error: X25519 returned %d bytes, expected 32", len(p))
+	}
+	copy(kp.pub[:], p)
 	return nil
 }
 
-// curve25519Zeros is just an array of 32 zero bytes so that we have something
-// convenient to compare against in order to reject curve25519 points with the
-// wrong order.
-var curve25519Zeros [32]byte
-
 func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	var kp curve25519KeyPair
 	if err := kp.generate(rand); err != nil {
@@ -485,11 +486,9 @@ func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handsh
 		return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
 	}
 
-	var servPub, secret [32]byte
-	copy(servPub[:], reply.EphemeralPubKey)
-	curve25519.ScalarMult(&secret, &kp.priv, &servPub)
-	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
+	secret, err := curve25519.X25519(kp.priv[:], reply.EphemeralPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's curve25519 public value is not valid: %w", err)
 	}
 
 	h := crypto.SHA256.New()
@@ -531,11 +530,9 @@ func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handsh
 		return nil, err
 	}
 
-	var clientPub, secret [32]byte
-	copy(clientPub[:], kexInit.ClientPubKey)
-	curve25519.ScalarMult(&secret, &kp.priv, &clientPub)
-	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
+	secret, err := curve25519.X25519(kp.priv[:], kexInit.ClientPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's curve25519 public value is not valid: %w", err)
 	}
 
 	hostKeyBytes := priv.PublicKey().Marshal()

From b8d8dae13d7dda8706ca2ab98934ad404aacae22 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Mon, 18 Aug 2025 19:06:50 +0200
Subject: [PATCH 09/37] curve25519: include potential fips140=only error in
 panic message

Updates golang/go#75061

Change-Id: I6a6a696474122a12c12696d8a2efec902572327d
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/696996
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
---
 curve25519/curve25519.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/curve25519/curve25519.go b/curve25519/curve25519.go
index 21ca3b2ee4..8ff087df4c 100644
--- a/curve25519/curve25519.go
+++ b/curve25519/curve25519.go
@@ -36,7 +36,7 @@ func ScalarBaseMult(dst, scalar *[32]byte) {
 	curve := ecdh.X25519()
 	priv, err := curve.NewPrivateKey(scalar[:])
 	if err != nil {
-		panic("curve25519: internal error: scalarBaseMult was not 32 bytes")
+		panic("curve25519: " + err.Error())
 	}
 	copy(dst[:], priv.PublicKey().Bytes())
 }

From a4d1237429d6056ef197b0b911b8b9d7dca8ecf6 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sat, 9 Aug 2025 19:56:31 +0200
Subject: [PATCH 10/37] ssh/knownhosts: improve IPv6 support in Normalize

Correctly converts bracketed IPv6:

- [abcd::abcd:abcd:abcd] => abcd::abcd:abcd:abcd
- [abcd::abcd:abcd:abcd]:22 => abcd::abcd:abcd:abcd
- [abcd::abcd:abcd:abcd]:23 => [abcd::abcd:abcd:abcd]:23

Fixes golang/go#53463

Change-Id: Id0a7460d8448a72e2a8c6d46137245bead9ecf9f
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/694575
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
---
 ssh/knownhosts/knownhosts.go      | 22 ++++++++++++++--------
 ssh/knownhosts/knownhosts_test.go | 29 ++++++++++++++++++++---------
 2 files changed, 34 insertions(+), 17 deletions(-)

diff --git a/ssh/knownhosts/knownhosts.go b/ssh/knownhosts/knownhosts.go
index c022e411f0..1ebd7e6da2 100644
--- a/ssh/knownhosts/knownhosts.go
+++ b/ssh/knownhosts/knownhosts.go
@@ -421,20 +421,26 @@ func New(files ...string) (ssh.HostKeyCallback, error) {
 	return certChecker.CheckHostKey, nil
 }
 
-// Normalize normalizes an address into the form used in known_hosts
+// Normalize normalizes an address into the form used in known_hosts. Supports
+// IPv4, hostnames, bracketed IPv6. Any other non-standard formats are returned
+// with minimal transformation.
 func Normalize(address string) string {
+	const defaultSSHPort = "22"
+
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		host = address
-		port = "22"
+		port = defaultSSHPort
+	}
+
+	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
+		host = host[1 : len(host)-1]
 	}
-	entry := host
-	if port != "22" {
-		entry = "[" + entry + "]:" + port
-	} else if strings.Contains(host, ":") && !strings.HasPrefix(host, "[") {
-		entry = "[" + entry + "]"
+
+	if port == defaultSSHPort {
+		return host
 	}
-	return entry
+	return "[" + host + "]:" + port
 }
 
 // Line returns a line to add append to the known_hosts files.
diff --git a/ssh/knownhosts/knownhosts_test.go b/ssh/knownhosts/knownhosts_test.go
index 156576ad07..552a556110 100644
--- a/ssh/knownhosts/knownhosts_test.go
+++ b/ssh/knownhosts/knownhosts_test.go
@@ -236,7 +236,7 @@ func TestLine(t *testing.T) {
 		"server.org":                             "server.org " + edKeyStr,
 		"server.org:22":                          "server.org " + edKeyStr,
 		"server.org:23":                          "[server.org]:23 " + edKeyStr,
-		"[c629:1ec4:102:304:102:304:102:304]:22": "[c629:1ec4:102:304:102:304:102:304] " + edKeyStr,
+		"[c629:1ec4:102:304:102:304:102:304]:22": "c629:1ec4:102:304:102:304:102:304 " + edKeyStr,
 		"[c629:1ec4:102:304:102:304:102:304]:23": "[c629:1ec4:102:304:102:304:102:304]:23 " + edKeyStr,
 	} {
 		if got := Line([]string{in}, edKey); got != want {
@@ -310,14 +310,25 @@ func testHostHash(t *testing.T, hostname, encoded string) {
 
 func TestNormalize(t *testing.T) {
 	for in, want := range map[string]string{
-		"127.0.0.1:22":             "127.0.0.1",
-		"[127.0.0.1]:22":           "127.0.0.1",
-		"[127.0.0.1]:23":           "[127.0.0.1]:23",
-		"127.0.0.1:23":             "[127.0.0.1]:23",
-		"[a.b.c]:22":               "a.b.c",
-		"[abcd:abcd:abcd:abcd]":    "[abcd:abcd:abcd:abcd]",
-		"[abcd:abcd:abcd:abcd]:22": "[abcd:abcd:abcd:abcd]",
-		"[abcd:abcd:abcd:abcd]:23": "[abcd:abcd:abcd:abcd]:23",
+		"127.0.0.1":                 "127.0.0.1",
+		"127.0.0.1:22":              "127.0.0.1",
+		"[127.0.0.1]:22":            "127.0.0.1",
+		"[127.0.0.1]:23":            "[127.0.0.1]:23",
+		"127.0.0.1:23":              "[127.0.0.1]:23",
+		"[a.b.c]:22":                "a.b.c",
+		"[a.b.c]:23":                "[a.b.c]:23",
+		"abcd::abcd:abcd:abcd":      "abcd::abcd:abcd:abcd",
+		"[abcd::abcd:abcd:abcd]":    "abcd::abcd:abcd:abcd",
+		"[abcd::abcd:abcd:abcd]:22": "abcd::abcd:abcd:abcd",
+		"[abcd::abcd:abcd:abcd]:23": "[abcd::abcd:abcd:abcd]:23",
+		"2001:db8::1":               "2001:db8::1",
+		"2001:db8::1:22":            "2001:db8::1:22",
+		"[2001:db8::1]:22":          "2001:db8::1",
+		"2001:db8::1:2200":          "2001:db8::1:2200",
+		"a.b.c.d.com:2200":          "[a.b.c.d.com]:2200",
+		"2001::db8:1":               "2001::db8:1",
+		"2001::db8:1:22":            "2001::db8:1:22",
+		"2001::db8:1:2200":          "2001::db8:1:2200",
 	} {
 		got := Normalize(in)
 		if got != want {

From 8f580defa01dec23898d3cd27f6369cdcc62f71f Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sun, 24 Aug 2025 10:53:36 +0200
Subject: [PATCH 11/37] ssh: remove Go 1.24 build tag for ML-KEM kex

Change-Id: Ia77ad1b6fef9919ab100fb10c42231725eb81c12
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/698775
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
 ssh/common.go |  2 ++
 ssh/kex.go    |  1 +
 ssh/mlkem.go  | 15 ---------------
 3 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/ssh/common.go b/ssh/common.go
index f2ec0896c2..8bfad16c41 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -83,6 +83,7 @@ var (
 	// supportedKexAlgos specifies key-exchange algorithms implemented by this
 	// package in preference order, excluding those with security issues.
 	supportedKexAlgos = []string{
+		KeyExchangeMLKEM768X25519,
 		KeyExchangeCurve25519,
 		KeyExchangeECDHP256,
 		KeyExchangeECDHP384,
@@ -94,6 +95,7 @@ var (
 	// defaultKexAlgos specifies the default preference for key-exchange
 	// algorithms in preference order.
 	defaultKexAlgos = []string{
+		KeyExchangeMLKEM768X25519,
 		KeyExchangeCurve25519,
 		KeyExchangeECDHP256,
 		KeyExchangeECDHP384,
diff --git a/ssh/kex.go b/ssh/kex.go
index 368624759d..78aaf03103 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -438,6 +438,7 @@ func init() {
 	kexAlgoMap[keyExchangeCurve25519LibSSH] = &curve25519sha256{}
 	kexAlgoMap[InsecureKeyExchangeDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
 	kexAlgoMap[KeyExchangeDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
+	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
 }
 
 // curve25519sha256 implements the curve25519-sha256 (formerly known as
diff --git a/ssh/mlkem.go b/ssh/mlkem.go
index 657e1079d4..ddc0ed1fc0 100644
--- a/ssh/mlkem.go
+++ b/ssh/mlkem.go
@@ -2,8 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.24
-
 package ssh
 
 import (
@@ -13,23 +11,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"runtime"
-	"slices"
 
 	"golang.org/x/crypto/curve25519"
 )
 
-func init() {
-	// After Go 1.24rc1 mlkem swapped the order of return values of Encapsulate.
-	// See #70950.
-	if runtime.Version() == "go1.24rc1" {
-		return
-	}
-	supportedKexAlgos = slices.Insert(supportedKexAlgos, 0, KeyExchangeMLKEM768X25519)
-	defaultKexAlgos = slices.Insert(defaultKexAlgos, 0, KeyExchangeMLKEM768X25519)
-	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
-}
-
 // mlkem768WithCurve25519sha256 implements the hybrid ML-KEM768 with
 // curve25519-sha256 key exchange method, as described by
 // draft-kampanakis-curdle-ssh-pq-ke-05 section 2.3.3.

From 9d779377cff7ff1f58520cc044fb90b10ddfc561 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Wed, 11 Jun 2025 17:43:01 -0400
Subject: [PATCH 12/37] acme: include order problem in OrderError

If client.WaitOrder or client.CreateOrderCert return an acme.OrderError
it's helpful to include the order's problem field (if available). This
will often have detailed information about why a particular order
became invalid that's invaluable for debugging (e.g. a challenge
response was incorrect, a name couldn't be resolved, etc).

While it's possible for a consumer to poll the order themselves as part
of handling the order to extract a fresh Order.Error field value, it
would take an extra round-trip network request. Since we have the
underlying error in-hand when we produce the OrderError we might as well
include it directly.

Since this field is a structured object with a number of sub-fields the
OrderError.Error() function isn't updated to include the order problem
error in the String description. Interested callers should instead use
errors.Is to extract the problem information directly.

Resolves golang/go#74430

Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest
Change-Id: I3158f064793bbfdc292dd6b5e1a6bfd7729bd980
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/681037
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/pebble_test.go  |  7 ++++++-
 acme/rfc8555.go      |  4 ++--
 acme/rfc8555_test.go | 19 ++++++++++++++++---
 acme/types.go        |  5 ++++-
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/acme/pebble_test.go b/acme/pebble_test.go
index b633435a71..bb4809faf7 100644
--- a/acme/pebble_test.go
+++ b/acme/pebble_test.go
@@ -382,7 +382,12 @@ func testIssuance(t *testing.T, env *environment, challSrv challengeServer) {
 	// Wait for the order to become ready for finalization.
 	order, err = client.WaitOrder(ctx, order.URI)
 	if err != nil {
-		t.Fatalf("failed to wait for order %s: %s", orderURL, err)
+		var orderErr *acme.OrderError
+		if errors.Is(err, orderErr) {
+			t.Fatalf("failed to wait for order %s: %s: %s", orderURL, err, orderErr.Problem)
+		} else {
+			t.Fatalf("failed to wait for order %s: %s", orderURL, err)
+		}
 	}
 	if order.Status != acme.StatusReady {
 		t.Fatalf("expected order %s status to be ready, got %v",
diff --git a/acme/rfc8555.go b/acme/rfc8555.go
index 3152e531b6..fc653f3f0b 100644
--- a/acme/rfc8555.go
+++ b/acme/rfc8555.go
@@ -272,7 +272,7 @@ func (c *Client) WaitOrder(ctx context.Context, url string) (*Order, error) {
 		case err != nil:
 			// Skip and retry.
 		case o.Status == StatusInvalid:
-			return nil, &OrderError{OrderURL: o.URI, Status: o.Status}
+			return nil, &OrderError{OrderURL: o.URI, Status: o.Status, Problem: o.Error}
 		case o.Status == StatusReady || o.Status == StatusValid:
 			return o, nil
 		}
@@ -369,7 +369,7 @@ func (c *Client) CreateOrderCert(ctx context.Context, url string, csr []byte, bu
 	}
 	// The only acceptable status post finalize and WaitOrder is "valid".
 	if o.Status != StatusValid {
-		return nil, "", &OrderError{OrderURL: o.URI, Status: o.Status}
+		return nil, "", &OrderError{OrderURL: o.URI, Status: o.Status, Problem: o.Error}
 	}
 	crt, err := c.fetchCertRFC(ctx, o.CertURL, bundle)
 	return crt, o.CertURL, err
diff --git a/acme/rfc8555_test.go b/acme/rfc8555_test.go
index d65720a356..e9cedb5927 100644
--- a/acme/rfc8555_test.go
+++ b/acme/rfc8555_test.go
@@ -885,11 +885,17 @@ func TestRFC_WaitOrderError(t *testing.T) {
 	s.handle("/orders/1", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Location", s.url("/orders/1"))
 		w.WriteHeader(http.StatusOK)
-		s := StatusPending
 		if count > 0 {
-			s = StatusInvalid
+			// https://www.rfc-editor.org/rfc/rfc8555#section-7.3.3
+			errorData := `{
+				"type": "urn:ietf:params:acme:error:userActionRequired",
+				"detail": "Terms of service have changed",
+				"instance": "https://example.com/acme/agreement/?token=W8Ih3PswD-8"
+			}`
+			fmt.Fprintf(w, `{"status": %q, "error": %s}`, StatusInvalid, errorData)
+		} else {
+			fmt.Fprintf(w, `{"status": %q}`, StatusPending)
 		}
-		fmt.Fprintf(w, `{"status": %q}`, s)
 		count++
 	})
 	s.start()
@@ -910,6 +916,13 @@ func TestRFC_WaitOrderError(t *testing.T) {
 	if e.Status != StatusInvalid {
 		t.Errorf("e.Status = %q; want %q", e.Status, StatusInvalid)
 	}
+	if e.Problem == nil {
+		t.Errorf("e.Problem = nil")
+	}
+	expectedProbType := "urn:ietf:params:acme:error:userActionRequired"
+	if e.Problem.ProblemType != expectedProbType {
+		t.Errorf("e.Problem.ProblemType = %q; want %q", e.Problem.ProblemType, expectedProbType)
+	}
 }
 
 func TestRFC_CreateOrderCert(t *testing.T) {
diff --git a/acme/types.go b/acme/types.go
index c466645ca1..322640c453 100644
--- a/acme/types.go
+++ b/acme/types.go
@@ -154,13 +154,16 @@ func (a *AuthorizationError) Error() string {
 
 // OrderError is returned from Client's order related methods.
 // It indicates the order is unusable and the clients should start over with
-// AuthorizeOrder.
+// AuthorizeOrder. A Problem description may be provided with details on
+// what caused the order to become unusable.
 //
 // The clients can still fetch the order object from CA using GetOrder
 // to inspect its state.
 type OrderError struct {
 	OrderURL string
 	Status   string
+	// Problem is the error that occurred while processing the order.
+	Problem *Error
 }
 
 func (oe *OrderError) Error() string {

From 5307a0ce6db8057c8d7c4378dc4bd715b4985ba1 Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Sun, 7 Sep 2025 20:55:38 -0700
Subject: [PATCH 13/37] go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I75e16a930bfe42cc082df82ab67802c42ad56a97
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/701303
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index 4ccce30fb4..fd65b61893 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module golang.org/x/crypto
 go 1.24.0
 
 require (
-	golang.org/x/net v0.42.0 // tagx:ignore
-	golang.org/x/sys v0.35.0
-	golang.org/x/term v0.34.0
+	golang.org/x/net v0.43.0 // tagx:ignore
+	golang.org/x/sys v0.36.0
+	golang.org/x/term v0.35.0
 )
 
-require golang.org/x/text v0.28.0 // indirect
+require golang.org/x/text v0.29.0 // indirect
diff --git a/go.sum b/go.sum
index b75af8566b..c3f2d576cb 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=

From 559e062ce8bfd6a39925294620b50906ca2a6f95 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sun, 31 Aug 2025 20:07:32 +0200
Subject: [PATCH 14/37] ssh/agent: return an error for unexpected message types

Previously, receiving an unexpected message type in response to a key
listing or a signing request could cause a panic due to a failed type
assertion.

This change adds a default case to the type switch in order to detect
and explicitly handle unknown or invalid message types, returning a
descriptive error instead of crashing.

Fixes golang/go#75178

Change-Id: Icbc3432adc79fe3c56b1ff23c6724d7a6f710f3a
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/700295
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
---
 ssh/agent/client.go      |  6 +++--
 ssh/agent/client_test.go | 48 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/ssh/agent/client.go b/ssh/agent/client.go
index 37525e1a18..b357e18b0a 100644
--- a/ssh/agent/client.go
+++ b/ssh/agent/client.go
@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
 		return keys, nil
 	case *failureAgentMsg:
 		return nil, errors.New("agent: failed to list keys")
+	default:
+		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
 	}
-	panic("unreachable")
 }
 
 // Sign has the agent sign the data using a protocol 2 key as defined
@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
 		return &sig, nil
 	case *failureAgentMsg:
 		return nil, errors.New("agent: failed to sign challenge")
+	default:
+		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
 	}
-	panic("unreachable")
 }
 
 // unmarshal parses an agent message in packet, returning the parsed
diff --git a/ssh/agent/client_test.go b/ssh/agent/client_test.go
index f0ffd59592..0fd284d786 100644
--- a/ssh/agent/client_test.go
+++ b/ssh/agent/client_test.go
@@ -7,6 +7,7 @@ package agent
 import (
 	"bytes"
 	"crypto/rand"
+	"encoding/binary"
 	"errors"
 	"io"
 	"net"
@@ -347,6 +348,53 @@ func TestServerResponseTooLarge(t *testing.T) {
 	}
 }
 
+func TestInvalidResponses(t *testing.T) {
+	a, b, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	done := make(chan struct{})
+	defer func() { <-done }()
+
+	defer a.Close()
+	defer b.Close()
+
+	agent := NewClient(a)
+	go func() {
+		defer close(done)
+
+		resp := []byte{agentSuccess}
+		msg := make([]byte, 4+len(resp))
+		binary.BigEndian.PutUint32(msg[:4], uint32(len(resp)))
+		copy(msg[4:], resp)
+
+		if _, err := b.Write(msg); err != nil {
+			t.Errorf("unexpected error sending agent reply: %v", err)
+			b.Close()
+			return
+		}
+
+		if _, err := b.Write(msg); err != nil {
+			t.Errorf("unexpected error sending agent reply: %v", err)
+			b.Close()
+		}
+	}()
+	_, err = agent.List()
+	if err == nil {
+		t.Fatal("error expected")
+	}
+	if !strings.Contains(err.Error(), "failed to list keys, unexpected message type") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	_, err = agent.Sign(testPublicKeys["rsa"], []byte("message"))
+	if err == nil {
+		t.Fatal("error expected")
+	}
+	if !strings.Contains(err.Error(), "failed to sign challenge, unexpected message type") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
 func TestAuth(t *testing.T) {
 	agent, _, cleanup := startOpenSSHAgent(t)
 	defer cleanup()

From 8c9ba318361080ea198c7461b6db621022d0a88e Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Sun, 7 Sep 2025 15:18:22 +0200
Subject: [PATCH 15/37] all: freeze and deprecate more packages

Fixes golang/go#65250

Change-Id: I6a6a6964a2c87e529be50dd67fec462483b07b75
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/701535
Reviewed-by: Mark Freeman <markfreeman@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
---
 curve25519/curve25519.go  | 11 +++++++----
 ed25519/ed25519.go        | 11 +++++++----
 nacl/auth/auth.go         | 29 ++++++++++-------------------
 nacl/sign/sign.go         | 21 ++++++++-------------
 otr/otr.go                |  4 ++++
 pkcs12/pkcs12.go          | 14 +++++++++-----
 salsa20/salsa/hsalsa20.go |  4 ++++
 ssh/test/doc.go           |  2 ++
 xts/xts.go                |  4 ++++
 9 files changed, 55 insertions(+), 45 deletions(-)

diff --git a/curve25519/curve25519.go b/curve25519/curve25519.go
index 8ff087df4c..048faef3a5 100644
--- a/curve25519/curve25519.go
+++ b/curve25519/curve25519.go
@@ -3,11 +3,14 @@
 // license that can be found in the LICENSE file.
 
 // Package curve25519 provides an implementation of the X25519 function, which
-// performs scalar multiplication on the elliptic curve known as Curve25519.
-// See RFC 7748.
+// performs scalar multiplication on the elliptic curve known as Curve25519
+// according to [RFC 7748].
 //
-// This package is a wrapper for the X25519 implementation
-// in the crypto/ecdh package.
+// The curve25519 package is a wrapper for the X25519 implementation in the
+// crypto/ecdh package. It is [frozen] and is not accepting new features.
+//
+// [RFC 7748]: https://datatracker.ietf.org/doc/html/rfc7748
+// [frozen]: https://go.dev/wiki/Frozen
 package curve25519
 
 import "crypto/ecdh"
diff --git a/ed25519/ed25519.go b/ed25519/ed25519.go
index 59b3a95a7d..df453dcce0 100644
--- a/ed25519/ed25519.go
+++ b/ed25519/ed25519.go
@@ -2,16 +2,19 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
+// Package ed25519 implements the Ed25519 signature algorithm.
 //
 // These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
+// [RFC 8032]. However, unlike RFC 8032's formulation, this package's private key
 // representation includes a public key suffix to make multiple signing
 // operations with the same key more efficient. This package refers to the RFC
 // 8032 private key as the “seed”.
 //
-// This package is a wrapper around the standard library crypto/ed25519 package.
+// The ed25519 package is a wrapper for the Ed25519 implementation in the
+// crypto/ed25519 package. It is [frozen] and is not accepting new features.
+//
+// [RFC 8032]: https://datatracker.ietf.org/doc/html/rfc8032
+// [frozen]: https://go.dev/wiki/Frozen
 package ed25519
 
 import (
diff --git a/nacl/auth/auth.go b/nacl/auth/auth.go
index 1d588d5c1c..136093841f 100644
--- a/nacl/auth/auth.go
+++ b/nacl/auth/auth.go
@@ -2,25 +2,16 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-/*
-Package auth authenticates a message using a secret key.
-
-The Sum function, viewed as a function of the message for a uniform random
-key, is designed to meet the standard notion of unforgeability. This means
-that an attacker cannot find authenticators for any messages not authenticated
-by the sender, even if the attacker has adaptively influenced the messages
-authenticated by the sender. For a formal definition see, e.g., Section 2.4
-of Bellare, Kilian, and Rogaway, "The security of the cipher block chaining
-message authentication code," Journal of Computer and System Sciences 61 (2000),
-362–399; http://www-cse.ucsd.edu/~mihir/papers/cbc.html.
-
-auth does not make any promises regarding "strong" unforgeability; perhaps
-one valid authenticator can be converted into another valid authenticator for
-the same message. NaCl also does not make any promises regarding "truncated
-unforgeability."
-
-This package is interoperable with NaCl: https://nacl.cr.yp.to/auth.html.
-*/
+// Package auth authenticates a message using a secret key.
+//
+// This package is interoperable with [NaCl].
+//
+// The auth package is essentially a wrapper for HMAC-SHA-512 (implemented by
+// crypto/hmac and crypto/sha512), truncated to 32 bytes. It is [frozen] and is
+// not accepting new features.
+//
+// [NaCl]: https://nacl.cr.yp.to/auth.html
+// [frozen]: https://go.dev/wiki/Frozen
 package auth
 
 import (
diff --git a/nacl/sign/sign.go b/nacl/sign/sign.go
index 109c08bb95..1cf2c4be2c 100644
--- a/nacl/sign/sign.go
+++ b/nacl/sign/sign.go
@@ -4,20 +4,15 @@
 
 // Package sign signs small messages using public-key cryptography.
 //
-// Sign uses Ed25519 to sign messages. The length of messages is not hidden.
-// Messages should be small because:
-// 1. The whole message needs to be held in memory to be processed.
-// 2. Using large messages pressures implementations on small machines to process
-// plaintext without verifying the signature. This is very dangerous, and this API
-// discourages it, but a protocol that uses excessive message sizes might present
-// some implementations with no other choice.
-// 3. Performance may be improved by working with messages that fit into data caches.
-// Thus large amounts of data should be chunked so that each message is small.
+// This package is interoperable with [libsodium], as well as [TweetNaCl].
 //
-// This package is not interoperable with the current release of NaCl
-// (https://nacl.cr.yp.to/sign.html), which does not support Ed25519 yet. However,
-// it is compatible with the NaCl fork libsodium (https://www.libsodium.org), as well
-// as TweetNaCl (https://tweetnacl.cr.yp.to/).
+// The sign package is essentially a wrapper for the Ed25519 signature
+// algorithm (implemented by crypto/ed25519). It is [frozen] and is not accepting
+// new features.
+//
+// [libsodium]: https://libsodium.gitbook.io/doc/public-key_cryptography/public-key_signatures
+// [TweetNaCl]: https://tweetnacl.cr.yp.to/
+// [frozen]: https://go.dev/wiki/Frozen
 package sign
 
 import (
diff --git a/otr/otr.go b/otr/otr.go
index 6210c1ae61..a36f7ca245 100644
--- a/otr/otr.go
+++ b/otr/otr.go
@@ -8,6 +8,10 @@
 // The version of OTR implemented by this package has been deprecated
 // (https://bugs.otr.im/lib/libotr/issues/140). An implementation of OTRv3 is
 // available at https://github.com/coyim/otr3.
+//
+// The otr package is [frozen] and is not accepting new features.
+//
+// [frozen]: https://go.dev/wiki/Frozen
 package otr
 
 import (
diff --git a/pkcs12/pkcs12.go b/pkcs12/pkcs12.go
index 3a89bdb3e3..374d9facf8 100644
--- a/pkcs12/pkcs12.go
+++ b/pkcs12/pkcs12.go
@@ -4,12 +4,16 @@
 
 // Package pkcs12 implements some of PKCS#12.
 //
-// This implementation is distilled from https://tools.ietf.org/html/rfc7292
-// and referenced documents. It is intended for decoding P12/PFX-stored
-// certificates and keys for use with the crypto/tls package.
+// This implementation is distilled from [RFC 7292] and referenced documents.
+// It is intended for decoding P12/PFX-stored certificates and keys for use
+// with the crypto/tls package.
 //
-// This package is frozen. If it's missing functionality you need, consider
-// an alternative like software.sslmate.com/src/go-pkcs12.
+// The pkcs12 package is [frozen] and is not accepting new features.
+// If it's missing functionality you need, consider an alternative like
+// software.sslmate.com/src/go-pkcs12.
+//
+// [RFC 7292]: https://datatracker.ietf.org/doc/html/rfc7292
+// [frozen]: https://go.dev/wiki/Frozen
 package pkcs12
 
 import (
diff --git a/salsa20/salsa/hsalsa20.go b/salsa20/salsa/hsalsa20.go
index 3685b34458..75df77406d 100644
--- a/salsa20/salsa/hsalsa20.go
+++ b/salsa20/salsa/hsalsa20.go
@@ -3,6 +3,10 @@
 // license that can be found in the LICENSE file.
 
 // Package salsa provides low-level access to functions in the Salsa family.
+//
+// Deprecated: this package exposes unsafe low-level operations. New applications
+// should consider using the AEAD construction in golang.org/x/crypto/chacha20poly1305
+// instead. Existing users should migrate to golang.org/x/crypto/salsa20.
 package salsa
 
 import "math/bits"
diff --git a/ssh/test/doc.go b/ssh/test/doc.go
index 444b29966b..865781c819 100644
--- a/ssh/test/doc.go
+++ b/ssh/test/doc.go
@@ -4,4 +4,6 @@
 
 // Package test contains integration tests for the
 // golang.org/x/crypto/ssh package.
+//
+// Deprecated: this package is for internal use only.
 package test
diff --git a/xts/xts.go b/xts/xts.go
index d64f536f9d..6a73020207 100644
--- a/xts/xts.go
+++ b/xts/xts.go
@@ -21,6 +21,10 @@
 //
 // Note that XTS is usually not appropriate for any use besides disk encryption.
 // Most users should use an AEAD mode like GCM (from crypto/cipher.NewGCM) instead.
+//
+// The xts package is [frozen] and is not accepting new features.
+//
+// [frozen]: https://go.dev/wiki/Frozen
 package xts
 
 import (

From 96dc232fbd7928e9c23da42e770c8b79a2348d86 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <stapelberg@golang.org>
Date: Thu, 10 Jul 2025 10:58:35 +0200
Subject: [PATCH 16/37] x509roots/fallback/bundle: add bundle package to export
 root certs

Fixes golang/go#69898

Change-Id: Idbb1bbe48016a622414c84a56fe26f48bfe712c8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/687155
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Mateusz Poliwczak <mpoliwczak34@gmail.com>
---
 x509roots/fallback/{ => bundle}/bundle.der    | Bin
 x509roots/fallback/{ => bundle}/bundle.go     |   2 +-
 .../fallback/{ => bundle}/bundle_test.go      |   2 +-
 x509roots/fallback/bundle/roots.go            |  73 ++++++++++++++++++
 x509roots/fallback/bundle/roots_test.go       |  18 +++++
 x509roots/fallback/fallback.go                |  68 +++-------------
 x509roots/gen_fallback_bundle.go              |   6 +-
 7 files changed, 105 insertions(+), 64 deletions(-)
 rename x509roots/fallback/{ => bundle}/bundle.der (100%)
 rename x509roots/fallback/{ => bundle}/bundle.go (99%)
 rename x509roots/fallback/{ => bundle}/bundle_test.go (98%)
 create mode 100644 x509roots/fallback/bundle/roots.go
 create mode 100644 x509roots/fallback/bundle/roots_test.go

diff --git a/x509roots/fallback/bundle.der b/x509roots/fallback/bundle/bundle.der
similarity index 100%
rename from x509roots/fallback/bundle.der
rename to x509roots/fallback/bundle/bundle.der
diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle/bundle.go
similarity index 99%
rename from x509roots/fallback/bundle.go
rename to x509roots/fallback/bundle/bundle.go
index ee99a40a28..be9e857790 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle/bundle.go
@@ -1,6 +1,6 @@
 // Code generated by gen_fallback_bundle.go; DO NOT EDIT.
 
-package fallback
+package bundle
 
 var unparsedCertificates = []unparsedCertificate{
 	{
diff --git a/x509roots/fallback/bundle_test.go b/x509roots/fallback/bundle/bundle_test.go
similarity index 98%
rename from x509roots/fallback/bundle_test.go
rename to x509roots/fallback/bundle/bundle_test.go
index a8922cc93d..3eafe153af 100644
--- a/x509roots/fallback/bundle_test.go
+++ b/x509roots/fallback/bundle/bundle_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package fallback
+package bundle
 
 import (
 	"crypto/sha256"
diff --git a/x509roots/fallback/bundle/roots.go b/x509roots/fallback/bundle/roots.go
new file mode 100644
index 0000000000..38a1b3d671
--- /dev/null
+++ b/x509roots/fallback/bundle/roots.go
@@ -0,0 +1,73 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package bundle contains the bundle of root certificates parsed from the NSS
+// trust store, using x509roots/nss.
+package bundle
+
+import (
+	"crypto/x509"
+	_ "embed"
+	"fmt"
+	"iter"
+	"time"
+)
+
+//go:embed bundle.der
+var rawCerts []byte
+
+// Root represents a root certificate parsed from the NSS trust store.
+type Root struct {
+	// Certificate is the DER-encoded certificate (read-only; do not modify!).
+	Certificate []byte
+
+	// Constraint is nil if the root is unconstrained. If Constraint is non-nil,
+	// the certificate has additional constraints that cannot be encoded in
+	// X.509, and when building a certificate chain anchored with this root the
+	// chain should be passed to this function to check its validity. If using a
+	// [crypto/x509.CertPool] the root should be added using
+	// [crypto/x509.CertPool.AddCertWithConstraint].
+	Constraint func([]*x509.Certificate) error
+}
+
+// Roots returns the bundle of root certificates from the NSS trust store. The
+// [Root.Certificate] slice must be treated as read-only and should not be
+// modified.
+func Roots() iter.Seq[Root] {
+	return func(yield func(Root) bool) {
+		for _, unparsed := range unparsedCertificates {
+			root := Root{
+				Certificate: rawCerts[unparsed.certStartOff : unparsed.certStartOff+unparsed.certLength],
+			}
+			// parse possible constraints, this should check all fields of unparsedCertificate.
+			if unparsed.distrustAfter != "" {
+				distrustAfter, err := time.Parse(time.RFC3339, unparsed.distrustAfter)
+				if err != nil {
+					panic(fmt.Sprintf("failed to parse distrustAfter %q: %s", unparsed.distrustAfter, err))
+				}
+				root.Constraint = func(chain []*x509.Certificate) error {
+					for _, c := range chain {
+						if c.NotBefore.After(distrustAfter) {
+							return fmt.Errorf("certificate issued after distrust-after date %q", distrustAfter)
+						}
+					}
+					return nil
+				}
+			}
+			if !yield(root) {
+				return
+			}
+		}
+	}
+}
+
+type unparsedCertificate struct {
+	cn           string
+	sha256Hash   string
+	certStartOff int
+	certLength   int
+
+	// possible constraints
+	distrustAfter string
+}
diff --git a/x509roots/fallback/bundle/roots_test.go b/x509roots/fallback/bundle/roots_test.go
new file mode 100644
index 0000000000..04ba9db299
--- /dev/null
+++ b/x509roots/fallback/bundle/roots_test.go
@@ -0,0 +1,18 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package bundle
+
+import (
+	"crypto/x509"
+	"testing"
+)
+
+func TestRootsCanBeParsed(t *testing.T) {
+	for root := range Roots() {
+		if _, err := x509.ParseCertificate(root.Certificate); err != nil {
+			t.Fatalf("Could not parse root certificate: %v", err)
+		}
+	}
+}
diff --git a/x509roots/fallback/fallback.go b/x509roots/fallback/fallback.go
index a0dad330ea..79e18704a8 100644
--- a/x509roots/fallback/fallback.go
+++ b/x509roots/fallback/fallback.go
@@ -20,13 +20,9 @@ package fallback
 
 import (
 	"crypto/x509"
-	_ "embed"
-	"fmt"
-	"time"
-)
 
-//go:embed bundle.der
-var rawCerts []byte
+	"golang.org/x/crypto/x509roots/fallback/bundle"
+)
 
 func init() {
 	x509.SetFallbackRoots(newFallbackCertPool())
@@ -34,62 +30,16 @@ func init() {
 
 func newFallbackCertPool() *x509.CertPool {
 	p := x509.NewCertPool()
-	for _, c := range mustParse(unparsedCertificates) {
-		if len(c.constraints) == 0 {
-			p.AddCert(c.cert)
-		} else {
-			p.AddCertWithConstraint(c.cert, func(chain []*x509.Certificate) error {
-				for _, constraint := range c.constraints {
-					if err := constraint(chain); err != nil {
-						return err
-					}
-				}
-				return nil
-			})
-		}
-	}
-	return p
-}
-
-type unparsedCertificate struct {
-	cn           string
-	sha256Hash   string
-	certStartOff int
-	certLength   int
-
-	// possible constraints
-	distrustAfter string
-}
-
-type parsedCertificate struct {
-	cert        *x509.Certificate
-	constraints []func([]*x509.Certificate) error
-}
-
-func mustParse(unparsedCerts []unparsedCertificate) []parsedCertificate {
-	b := make([]parsedCertificate, 0, len(unparsedCerts))
-	for _, unparsed := range unparsedCerts {
-		cert, err := x509.ParseCertificate(rawCerts[unparsed.certStartOff : unparsed.certStartOff+unparsed.certLength])
+	for c := range bundle.Roots() {
+		cert, err := x509.ParseCertificate(c.Certificate)
 		if err != nil {
 			panic(err)
 		}
-		parsed := parsedCertificate{cert: cert}
-		// parse possible constraints, this should check all fields of unparsedCertificate.
-		if unparsed.distrustAfter != "" {
-			distrustAfter, err := time.Parse(time.RFC3339, unparsed.distrustAfter)
-			if err != nil {
-				panic(fmt.Sprintf("failed to parse distrustAfter %q: %s", unparsed.distrustAfter, err))
-			}
-			parsed.constraints = append(parsed.constraints, func(chain []*x509.Certificate) error {
-				for _, c := range chain {
-					if c.NotBefore.After(distrustAfter) {
-						return fmt.Errorf("certificate issued after distrust-after date %q", distrustAfter)
-					}
-				}
-				return nil
-			})
+		if c.Constraint == nil {
+			p.AddCert(cert)
+		} else {
+			p.AddCertWithConstraint(cert, c.Constraint)
 		}
-		b = append(b, parsed)
 	}
-	return b
+	return p
 }
diff --git a/x509roots/gen_fallback_bundle.go b/x509roots/gen_fallback_bundle.go
index ed2f9f84fb..810996cbac 100644
--- a/x509roots/gen_fallback_bundle.go
+++ b/x509roots/gen_fallback_bundle.go
@@ -27,7 +27,7 @@ import (
 
 const tmpl = `// Code generated by gen_fallback_bundle.go; DO NOT EDIT.
 
-package fallback
+package bundle
 
 var unparsedCertificates = []unparsedCertificate{
 `
@@ -35,8 +35,8 @@ var unparsedCertificates = []unparsedCertificate{
 var (
 	certDataURL  = flag.String("certdata-url", "https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt", "URL to the raw certdata.txt file to parse (certdata-path overrides this, if provided)")
 	certDataPath = flag.String("certdata-path", "", "Path to the NSS certdata.txt file to parse (this overrides certdata-url, if provided)")
-	output       = flag.String("output", "fallback/bundle.go", "Path to file to write output to")
-	derOutput    = flag.String("deroutput", "fallback/bundle.der", "Path to file to write output to (DER certificate bundle)")
+	output       = flag.String("output", "fallback/bundle/bundle.go", "Path to file to write output to")
+	derOutput    = flag.String("deroutput", "fallback/bundle/bundle.der", "Path to file to write output to (DER certificate bundle)")
 )
 
 func main() {

From f4d47b0db5875e61dd52acdb63be800177ab48bb Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Tue, 12 Aug 2025 07:59:34 +0200
Subject: [PATCH 17/37] ssh: return clearer error when signature algorithm is
 used as key format

ParsePublicKey now returns a more specific error when a signature
algorithm like rsa-sha2-256 is mistakenly provided as a key format

Change-Id: Ic08286a5b2b326e99dd3e61594919203f0c36791
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/695075
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
---
 ssh/common.go      | 29 +++++++++++++++++++++++++++++
 ssh/common_test.go | 20 ++++++++++++++++++++
 ssh/keys.go        | 18 ++++++++++++++++--
 ssh/keys_test.go   | 11 +++++++++++
 4 files changed, 76 insertions(+), 2 deletions(-)

diff --git a/ssh/common.go b/ssh/common.go
index 8bfad16c41..36c82a73ac 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -312,6 +312,35 @@ func algorithmsForKeyFormat(keyFormat string) []string {
 	}
 }
 
+// keyFormatForAlgorithm returns the key format corresponding to the given
+// signature algorithm. It returns an empty string if the signature algorithm is
+// invalid or unsupported.
+func keyFormatForAlgorithm(sigAlgo string) string {
+	switch sigAlgo {
+	case KeyAlgoRSA, KeyAlgoRSASHA256, KeyAlgoRSASHA512:
+		return KeyAlgoRSA
+	case CertAlgoRSAv01, CertAlgoRSASHA256v01, CertAlgoRSASHA512v01:
+		return CertAlgoRSAv01
+	case KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		InsecureKeyAlgoDSA,
+		InsecureCertAlgoDSAv01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoSKECDSA256v01,
+		CertAlgoED25519v01,
+		CertAlgoSKED25519v01:
+		return sigAlgo
+	default:
+		return ""
+	}
+}
+
 // isRSA returns whether algo is a supported RSA algorithm, including certificate
 // algorithms.
 func isRSA(algo string) bool {
diff --git a/ssh/common_test.go b/ssh/common_test.go
index 67cf1f4269..80aa2df73b 100644
--- a/ssh/common_test.go
+++ b/ssh/common_test.go
@@ -5,7 +5,9 @@
 package ssh
 
 import (
+	"maps"
 	"reflect"
+	"slices"
 	"testing"
 )
 
@@ -174,3 +176,21 @@ func TestFindAgreedAlgorithms(t *testing.T) {
 		})
 	}
 }
+
+func TestKeyFormatAlgorithms(t *testing.T) {
+	supportedAlgos := SupportedAlgorithms()
+	insecureAlgos := InsecureAlgorithms()
+	algoritms := append(supportedAlgos.PublicKeyAuths, insecureAlgos.PublicKeyAuths...)
+	algoritms = append(algoritms, slices.Collect(maps.Keys(certKeyAlgoNames))...)
+
+	for _, algo := range algoritms {
+		keyFormat := keyFormatForAlgorithm(algo)
+		if keyFormat == "" {
+			t.Errorf("got empty key format for algorithm %q", algo)
+		}
+		if !slices.Contains(algorithmsForKeyFormat(keyFormat), algo) {
+			t.Errorf("algorithms for key format %q, does not contain %q", keyFormat, algo)
+		}
+
+	}
+}
diff --git a/ssh/keys.go b/ssh/keys.go
index a28c0de503..8327260526 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -89,6 +89,11 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 		}
 		return cert, nil, nil
 	}
+	if keyFormat := keyFormatForAlgorithm(algo); keyFormat != "" {
+		return nil, nil, fmt.Errorf("ssh: signature algorithm %q isn't a key format; key is malformed and should be re-encoded with type %q",
+			algo, keyFormat)
+	}
+
 	return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
 }
 
@@ -191,9 +196,10 @@ func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey
 	return "", nil, nil, "", nil, io.EOF
 }
 
-// ParseAuthorizedKey parses a public key from an authorized_keys
-// file used in OpenSSH according to the sshd(8) manual page.
+// ParseAuthorizedKey parses a public key from an authorized_keys file used in
+// OpenSSH according to the sshd(8) manual page. Invalid lines are ignored.
 func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
+	var lastErr error
 	for len(in) > 0 {
 		end := bytes.IndexByte(in, '\n')
 		if end != -1 {
@@ -222,6 +228,8 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		// No key type recognised. Maybe there's an options field at
@@ -264,12 +272,18 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			options = candidateOptions
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		in = rest
 		continue
 	}
 
+	if lastErr != nil {
+		return nil, "", nil, nil, fmt.Errorf("ssh: no key found; last parsing error for ignored line: %w", lastErr)
+	}
+
 	return nil, "", nil, nil, errors.New("ssh: no key found")
 }
 
diff --git a/ssh/keys_test.go b/ssh/keys_test.go
index f3eb223a9c..661e3cb31c 100644
--- a/ssh/keys_test.go
+++ b/ssh/keys_test.go
@@ -59,6 +59,17 @@ func TestKeyMarshalParse(t *testing.T) {
 	}
 }
 
+func TestParsePublicKeyWithSigningAlgoAsKeyFormat(t *testing.T) {
+	key := []byte(`rsa-sha2-256 AAAADHJzYS1zaGEyLTI1NgAAAAMBAAEAAAEBAJ7qMyjLXEJCCJmRknuCLo0uPi5GrPY5pQYr84lhlN8Gor5KVL2LKYCW4e70r5xzj7SrHHSCft1FMlYg1KDO9xrprJh733kQqAPWETmSuH0EfRtGtcH6EarKyVxk6As076/yNiiMKVBtG0RPa1L7FviTfcYK4vnCCVrbv3RmA5CCzuG5BSMbRLxzVb4Ri3p8jhxYT8N4QGe/2yqvJLys5vQ9szpZR3tcFp3DJIVZhBRfR6LnoY23XZniAAMQaUVBX86dXQ++dNwAwZSXSt9Og+AniOCiBYqhNVa5n3DID/H7YtEtG+CbZr3r2KD3fv8AfSLRar4XOp8rsRdD31h/kr8=`)
+	_, _, _, _, err := ParseAuthorizedKey(key)
+	if err == nil {
+		t.Fatal("parsing a public key using a signature algorithm as the key format succeeded unexpectedly")
+	}
+	if !strings.Contains(err.Error(), `signature algorithm "rsa-sha2-256" isn't a key format`) {
+		t.Errorf(`got %v, expected 'signature algorithm "rsa-sha2-256" isn't a key format'`, err)
+	}
+}
+
 func TestUnsupportedCurves(t *testing.T) {
 	raw, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
 	if err != nil {

From ddb4e80c6ad38c8a94001924a6ff8424f5cae369 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sun, 14 Sep 2025 15:28:12 +0200
Subject: [PATCH 18/37] ssh: remove custom contains, use slices.Contains

Change-Id: If4784469e7285675bdd51399a76bdc16f0036a2e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/703635
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Sean Liao <sean@liao.dev>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 ssh/client_auth.go      | 24 ++++++++----------------
 ssh/client_auth_test.go |  3 ++-
 ssh/common.go           |  4 ++--
 ssh/handshake.go        |  9 +++++----
 ssh/keys.go             |  9 +++++----
 ssh/server.go           |  9 +++++----
 6 files changed, 27 insertions(+), 31 deletions(-)

diff --git a/ssh/client_auth.go b/ssh/client_auth.go
index c12818fdc5..3127e49903 100644
--- a/ssh/client_auth.go
+++ b/ssh/client_auth.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"slices"
 	"strings"
 )
 
@@ -83,7 +84,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 			// success
 			return nil
 		} else if ok == authFailure {
-			if m := auth.method(); !contains(tried, m) {
+			if m := auth.method(); !slices.Contains(tried, m) {
 				tried = append(tried, m)
 			}
 		}
@@ -97,7 +98,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	findNext:
 		for _, a := range config.Auth {
 			candidateMethod := a.method()
-			if contains(tried, candidateMethod) {
+			if slices.Contains(tried, candidateMethod) {
 				continue
 			}
 			for _, meth := range methods {
@@ -117,15 +118,6 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
 }
 
-func contains(list []string, e string) bool {
-	for _, s := range list {
-		if s == e {
-			return true
-		}
-	}
-	return false
-}
-
 // An AuthMethod represents an instance of an RFC 4252 authentication method.
 type AuthMethod interface {
 	// auth authenticates user over transport t.
@@ -255,7 +247,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 		// Fallback to use if there is no "server-sig-algs" extension or a
 		// common algorithm cannot be found. We use the public key format if the
 		// MultiAlgorithmSigner supports it, otherwise we return an error.
-		if !contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
+		if !slices.Contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
 			return "", fmt.Errorf("ssh: no common public key signature algorithm, server only supports %q for key type %q, signer only supports %v",
 				underlyingAlgo(keyFormat), keyFormat, as.Algorithms())
 		}
@@ -284,7 +276,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 	// Filter algorithms based on those supported by MultiAlgorithmSigner.
 	var keyAlgos []string
 	for _, algo := range algorithmsForKeyFormat(keyFormat) {
-		if contains(as.Algorithms(), underlyingAlgo(algo)) {
+		if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {
 			keyAlgos = append(keyAlgos, algo)
 		}
 	}
@@ -334,7 +326,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// the key try to use the obtained algorithm as if "server-sig-algs" had
 		// not been implemented if supported from the algorithm signer.
 		if !ok && idx < origSignersLen && isRSACert(algo) && algo != CertAlgoRSAv01 {
-			if contains(as.Algorithms(), KeyAlgoRSA) {
+			if slices.Contains(as.Algorithms(), KeyAlgoRSA) {
 				// We retry using the compat algorithm after all signers have
 				// been tried normally.
 				signers = append(signers, &multiAlgorithmSigner{
@@ -385,7 +377,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// contain the "publickey" method, do not attempt to authenticate with any
 		// other keys.  According to RFC 4252 Section 7, the latter can occur when
 		// additional authentication methods are required.
-		if success == authSuccess || !contains(methods, cb.method()) {
+		if success == authSuccess || !slices.Contains(methods, cb.method()) {
 			return success, methods, err
 		}
 	}
@@ -434,7 +426,7 @@ func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
 			// servers send the key type instead. OpenSSH allows any algorithm
 			// that matches the public key, so we do the same.
 			// https://github.com/openssh/openssh-portable/blob/86bdd385/sshconnect2.c#L709
-			if !contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
+			if !slices.Contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
 				return false, nil
 			}
 			if !bytes.Equal(msg.PubKey, pubKey) {
diff --git a/ssh/client_auth_test.go b/ssh/client_auth_test.go
index 8d1767cdb7..e398c4062c 100644
--- a/ssh/client_auth_test.go
+++ b/ssh/client_auth_test.go
@@ -14,6 +14,7 @@ import (
 	"net"
 	"os"
 	"runtime"
+	"slices"
 	"strings"
 	"testing"
 )
@@ -1214,7 +1215,7 @@ func (cb configurablePublicKeyCallback) auth(session []byte, user string, c pack
 	if err != nil {
 		return authFailure, nil, err
 	}
-	if success == authSuccess || !contains(methods, cb.method()) {
+	if success == authSuccess || !slices.Contains(methods, cb.method()) {
 		return success, methods, err
 	}
 
diff --git a/ssh/common.go b/ssh/common.go
index 36c82a73ac..b1884c2c04 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -345,7 +345,7 @@ func keyFormatForAlgorithm(sigAlgo string) string {
 // algorithms.
 func isRSA(algo string) bool {
 	algos := algorithmsForKeyFormat(KeyAlgoRSA)
-	return contains(algos, underlyingAlgo(algo))
+	return slices.Contains(algos, underlyingAlgo(algo))
 }
 
 func isRSACert(algo string) bool {
@@ -544,7 +544,7 @@ func (c *Config) SetDefaults() {
 		if kexAlgoMap[k] != nil {
 			// Ignore the KEX if we have no kexAlgoMap definition.
 			kexs = append(kexs, k)
-			if k == KeyExchangeCurve25519 && !contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
+			if k == KeyExchangeCurve25519 && !slices.Contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
 				kexs = append(kexs, keyExchangeCurve25519LibSSH)
 			}
 		}
diff --git a/ssh/handshake.go b/ssh/handshake.go
index a90bfe331c..4be3cbb6de 100644
--- a/ssh/handshake.go
+++ b/ssh/handshake.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"log"
 	"net"
+	"slices"
 	"strings"
 	"sync"
 )
@@ -527,7 +528,7 @@ func (t *handshakeTransport) sendKexInit() error {
 			switch s := k.(type) {
 			case MultiAlgorithmSigner:
 				for _, algo := range algorithmsForKeyFormat(keyFormat) {
-					if contains(s.Algorithms(), underlyingAlgo(algo)) {
+					if slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 						msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo)
 					}
 				}
@@ -679,7 +680,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		return err
 	}
 
-	if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
+	if t.sessionID == nil && ((isClient && slices.Contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && slices.Contains(clientInit.KexAlgos, kexStrictClient))) {
 		t.strictMode = true
 		if err := t.conn.setStrictMode(); err != nil {
 			return err
@@ -736,7 +737,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
 	// message with the server-sig-algs extension if the client supports it. See
 	// RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9.
-	if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") {
+	if !isClient && firstKeyExchange && slices.Contains(clientInit.KexAlgos, "ext-info-c") {
 		supportedPubKeyAuthAlgosList := strings.Join(t.publicKeyAuthAlgorithms, ",")
 		extInfo := &extInfoMsg{
 			NumExtensions: 2,
@@ -790,7 +791,7 @@ func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, a
 func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 	for _, k := range hostKeys {
 		if s, ok := k.(MultiAlgorithmSigner); ok {
-			if !contains(s.Algorithms(), underlyingAlgo(algo)) {
+			if !slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 				continue
 			}
 		}
diff --git a/ssh/keys.go b/ssh/keys.go
index 8327260526..c972169773 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 	"strings"
 
 	"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
@@ -409,11 +410,11 @@ func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (Multi
 	}
 
 	for _, algo := range algorithms {
-		if !contains(supportedAlgos, algo) {
+		if !slices.Contains(supportedAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is not supported for key type %q",
 				algo, signer.PublicKey().Type())
 		}
-		if !contains(signerAlgos, algo) {
+		if !slices.Contains(signerAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is restricted for the provided signer", algo)
 		}
 	}
@@ -500,7 +501,7 @@ func (r *rsaPublicKey) Marshal() []byte {
 
 func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
 	supportedAlgos := algorithmsForKeyFormat(r.Type())
-	if !contains(supportedAlgos, sig.Format) {
+	if !slices.Contains(supportedAlgos, sig.Format) {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
 	}
 	hash := hashFuncs[sig.Format]
@@ -1126,7 +1127,7 @@ func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		algorithm = s.pubKey.Type()
 	}
 
-	if !contains(s.Algorithms(), algorithm) {
+	if !slices.Contains(s.Algorithms(), algorithm) {
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
 	}
 
diff --git a/ssh/server.go b/ssh/server.go
index 98679ba5b6..f06c08cd46 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"slices"
 	"strings"
 )
 
@@ -246,7 +247,7 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 		fullConf.PublicKeyAuthAlgorithms = defaultPubKeyAuthAlgos
 	} else {
 		for _, algo := range fullConf.PublicKeyAuthAlgorithms {
-			if !contains(SupportedAlgorithms().PublicKeyAuths, algo) && !contains(InsecureAlgorithms().PublicKeyAuths, algo) {
+			if !slices.Contains(SupportedAlgorithms().PublicKeyAuths, algo) && !slices.Contains(InsecureAlgorithms().PublicKeyAuths, algo) {
 				c.Close()
 				return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
 			}
@@ -631,7 +632,7 @@ userAuthLoop:
 				return nil, parseError(msgUserAuthRequest)
 			}
 			algo := string(algoBytes)
-			if !contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
+			if !slices.Contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
 				authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
 				break
 			}
@@ -695,7 +696,7 @@ userAuthLoop:
 				// ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public
 				// key type. The algorithm and public key type must be
 				// consistent: both must be certificate algorithms, or neither.
-				if !contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
+				if !slices.Contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
 					authErr = fmt.Errorf("ssh: public key type %q not compatible with selected algorithm %q",
 						pubKey.Type(), algo)
 					break
@@ -705,7 +706,7 @@ userAuthLoop:
 				// algorithm name that corresponds to algo with
 				// sig.Format.  This is usually the same, but
 				// for certs, the names differ.
-				if !contains(config.PublicKeyAuthAlgorithms, sig.Format) {
+				if !slices.Contains(config.PublicKeyAuthAlgorithms, sig.Format) {
 					authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
 					break
 				}

From 66c3d8ce714c31eb5a8adb6c931b4e29f5bebcf5 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sun, 24 Aug 2025 15:55:24 +0200
Subject: [PATCH 19/37] ssh: add support for FIPS mode

Unsupported algoritms are silently ignored and not negotiated, or
rejected

Fixes golang/go#75061

Change-Id: I08d50d10a97c08e78aedead89ca61beceff88918
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/698795
Reviewed-by: Mio Mio <miomio0086@gmail.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 ssh/certs_test.go |  4 ++-
 ssh/cipher.go     | 62 ++++++++++++++++++++++++-----------------------
 ssh/common.go     | 50 ++++++++++++++++++++++++++------------
 ssh/doc.go        | 10 ++++++++
 ssh/kex.go        | 24 +++++++++++++++---
 ssh/keys.go       | 42 +++++++++++++++++++++++++-------
 ssh/mac.go        | 42 ++++++++++++++++++++++----------
 ssh/transport.go  |  4 +++
 8 files changed, 166 insertions(+), 72 deletions(-)

diff --git a/ssh/certs_test.go b/ssh/certs_test.go
index e2a6fedc8b..ba435ab9cf 100644
--- a/ssh/certs_test.go
+++ b/ssh/certs_test.go
@@ -338,7 +338,9 @@ func TestCertTypes(t *testing.T) {
 				CertType: UserCert,
 				Key:      priv.PublicKey(),
 			}
-			cert.SignCert(rand.Reader, priv)
+			if err := cert.SignCert(rand.Reader, priv); err != nil {
+				t.Fatalf("error signing certificate: %v", err)
+			}
 
 			certSigner, err := NewCertSigner(cert, priv)
 			if err != nil {
diff --git a/ssh/cipher.go b/ssh/cipher.go
index 6a5b582aa9..7554ed57a9 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -8,6 +8,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
+	"crypto/fips140"
 	"crypto/rc4"
 	"crypto/subtle"
 	"encoding/binary"
@@ -15,6 +16,7 @@ import (
 	"fmt"
 	"hash"
 	"io"
+	"slices"
 
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/internal/poly1305"
@@ -93,41 +95,41 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 }
 
 // cipherModes documents properties of supported ciphers. Ciphers not included
-// are not supported and will not be negotiated, even if explicitly requested in
-// ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*cipherMode{
-	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
-	// are defined in the order specified in the RFC.
-	CipherAES128CTR: {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	CipherAES192CTR: {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	CipherAES256CTR: {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-
-	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
-	// They are defined in the order specified in the RFC.
-	InsecureCipherRC4128: {16, 0, streamCipherMode(1536, newRC4)},
-	InsecureCipherRC4256: {32, 0, streamCipherMode(1536, newRC4)},
-
-	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
-	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
-	// RC4) has problems with weak keys, and should be used with caution."
-	// RFC 4345 introduces improved versions of Arcfour.
-	InsecureCipherRC4: {16, 0, streamCipherMode(0, newRC4)},
-
-	// AEAD ciphers
-	CipherAES128GCM:        {16, 12, newGCMCipher},
-	CipherAES256GCM:        {32, 12, newGCMCipher},
-	CipherChaCha20Poly1305: {64, 0, newChaCha20Cipher},
-
+// are not supported and will not be negotiated, even if explicitly configured.
+// When FIPS mode is enabled, only FIPS-approved algorithms are included.
+var cipherModes = map[string]*cipherMode{}
+
+func init() {
+	cipherModes[CipherAES128CTR] = &cipherMode{16, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES192CTR] = &cipherMode{24, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES256CTR] = &cipherMode{32, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	//  Use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode,
+	// we'll wire it up to NewGCMForSSH in Go 1.26.
+	//
+	// For now it means we'll work with fips140=on but not fips140=only.
+	cipherModes[CipherAES128GCM] = &cipherMode{16, 12, newGCMCipher}
+	cipherModes[CipherAES256GCM] = &cipherMode{32, 12, newGCMCipher}
+
+	if fips140.Enabled() {
+		defaultCiphers = slices.DeleteFunc(defaultCiphers, func(algo string) bool {
+			_, ok := cipherModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	cipherModes[CipherChaCha20Poly1305] = &cipherMode{64, 0, newChaCha20Cipher}
+	// Insecure ciphers not included in the default configuration.
+	cipherModes[InsecureCipherRC4128] = &cipherMode{16, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4256] = &cipherMode{32, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4] = &cipherMode{16, 0, streamCipherMode(0, newRC4)}
 	// CBC mode is insecure and so is not included in the default config.
 	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	InsecureCipherAES128CBC: {16, aes.BlockSize, newAESCBCCipher},
-
-	// 3des-cbc is insecure and is not included in the default
-	// config.
-	InsecureCipherTripleDESCBC: {24, des.BlockSize, newTripleDESCBCCipher},
+	cipherModes[InsecureCipherAES128CBC] = &cipherMode{16, aes.BlockSize, newAESCBCCipher}
+	cipherModes[InsecureCipherTripleDESCBC] = &cipherMode{24, des.BlockSize, newTripleDESCBCCipher}
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
diff --git a/ssh/common.go b/ssh/common.go
index b1884c2c04..2e44e9c9ec 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -6,6 +6,7 @@ package ssh
 
 import (
 	"crypto"
+	"crypto/fips140"
 	"crypto/rand"
 	"fmt"
 	"io"
@@ -256,6 +257,40 @@ type Algorithms struct {
 	PublicKeyAuths []string
 }
 
+func init() {
+	if fips140.Enabled() {
+		defaultHostKeyAlgos = slices.DeleteFunc(defaultHostKeyAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+		defaultPubKeyAuthAlgos = slices.DeleteFunc(defaultPubKeyAuthAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+	}
+}
+
+func hashFunc(format string) (crypto.Hash, error) {
+	switch format {
+	case KeyAlgoRSASHA256, KeyAlgoECDSA256, KeyAlgoSKED25519, KeyAlgoSKECDSA256:
+		return crypto.SHA256, nil
+	case KeyAlgoECDSA384:
+		return crypto.SHA384, nil
+	case KeyAlgoRSASHA512, KeyAlgoECDSA521:
+		return crypto.SHA512, nil
+	case KeyAlgoED25519:
+		// KeyAlgoED25519 doesn't pre-hash.
+		return 0, nil
+	case KeyAlgoRSA, InsecureKeyAlgoDSA:
+		if fips140.Enabled() {
+			return 0, fmt.Errorf("ssh: hash algorithm for format %q not allowed in FIPS 140 mode", format)
+		}
+		return crypto.SHA1, nil
+	default:
+		return 0, fmt.Errorf("ssh: hash algorithm for format %q not mapped", format)
+	}
+}
+
 // SupportedAlgorithms returns algorithms currently implemented by this package,
 // excluding those with security issues, which are returned by
 // InsecureAlgorithms. The algorithms listed here are in preference order.
@@ -283,21 +318,6 @@ func InsecureAlgorithms() Algorithms {
 
 var supportedCompressions = []string{compressionNone}
 
-// hashFuncs keeps the mapping of supported signature algorithms to their
-// respective hashes needed for signing and verification.
-var hashFuncs = map[string]crypto.Hash{
-	KeyAlgoRSA:         crypto.SHA1,
-	KeyAlgoRSASHA256:   crypto.SHA256,
-	KeyAlgoRSASHA512:   crypto.SHA512,
-	InsecureKeyAlgoDSA: crypto.SHA1,
-	KeyAlgoECDSA256:    crypto.SHA256,
-	KeyAlgoECDSA384:    crypto.SHA384,
-	KeyAlgoECDSA521:    crypto.SHA512,
-	// KeyAlgoED25519 doesn't pre-hash.
-	KeyAlgoSKECDSA256: crypto.SHA256,
-	KeyAlgoSKED25519:  crypto.SHA256,
-}
-
 // algorithmsForKeyFormat returns the supported signature algorithms for a given
 // public key format (PublicKey.Type), in order of preference. See RFC 8332,
 // Section 2. See also the note in sendKexInit on backwards compatibility.
diff --git a/ssh/doc.go b/ssh/doc.go
index 04ccce3461..5b4de9effc 100644
--- a/ssh/doc.go
+++ b/ssh/doc.go
@@ -17,8 +17,18 @@ References:
 	[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
 	[SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
 	[SSH-CERTS]:	https://datatracker.ietf.org/doc/html/draft-miller-ssh-cert-01
+	[FIPS 140-3 mode]: https://go.dev/doc/security/fips140
 
 This package does not fall under the stability promise of the Go language itself,
 so its API may be changed when pressing needs arise.
+
+# FIPS 140-3 mode
+
+When the program is in [FIPS 140-3 mode], this package behaves as if only SP
+800-140C and SP 800-140D approved cipher suites, signature algorithms,
+certificate public key types and sizes, and key exchange and derivation
+algorithms were implemented. Others are silently ignored and not negotiated, or
+rejected. This set may depend on the algorithms supported by the FIPS 140-3 Go
+Cryptographic Module selected with GOFIPS140, and may change across Go versions.
 */
 package ssh
diff --git a/ssh/kex.go b/ssh/kex.go
index 78aaf03103..5f7fdd8514 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
@@ -8,12 +8,14 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/fips140"
 	"crypto/rand"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 
 	"golang.org/x/crypto/curve25519"
 )
@@ -395,9 +397,27 @@ func ecHash(curve elliptic.Curve) crypto.Hash {
 	return crypto.SHA512
 }
 
+// kexAlgoMap defines the supported KEXs. KEXs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
 var kexAlgoMap = map[string]kexAlgorithm{}
 
 func init() {
+	// mlkem768x25519-sha256 we'll work with fips140=on but not fips140=only
+	// until Go 1.26.
+	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
+	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
+	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
+	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
+
+	if fips140.Enabled() {
+		defaultKexAlgos = slices.DeleteFunc(defaultKexAlgos, func(algo string) bool {
+			_, ok := kexAlgoMap[algo]
+			return !ok
+		})
+		return
+	}
+
 	p, _ := new(big.Int).SetString(oakleyGroup2, 16)
 	kexAlgoMap[InsecureKeyExchangeDH1SHA1] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
@@ -431,14 +451,10 @@ func init() {
 		hashFunc: crypto.SHA512,
 	}
 
-	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
-	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
-	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
 	kexAlgoMap[KeyExchangeCurve25519] = &curve25519sha256{}
 	kexAlgoMap[keyExchangeCurve25519LibSSH] = &curve25519sha256{}
 	kexAlgoMap[InsecureKeyExchangeDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
 	kexAlgoMap[KeyExchangeDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
-	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
 }
 
 // curve25519sha256 implements the curve25519-sha256 (formerly known as
diff --git a/ssh/keys.go b/ssh/keys.go
index c972169773..a035956fcc 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -504,7 +504,10 @@ func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if !slices.Contains(supportedAlgos, sig.Format) {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
 	}
-	hash := hashFuncs[sig.Format]
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
 	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
@@ -621,7 +624,11 @@ func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -666,7 +673,11 @@ func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 	}
 
-	h := hashFuncs[k.PublicKey().Type()].New()
+	hash, err := hashFunc(k.PublicKey().Type())
+	if err != nil {
+		return nil, err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 	r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
@@ -816,8 +827,11 @@ func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -920,8 +934,11 @@ func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1024,7 +1041,11 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("invalid size %d for Ed25519 public key", l)
 	}
 
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1131,7 +1152,10 @@ func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
 	}
 
-	hashFunc := hashFuncs[algorithm]
+	hashFunc, err := hashFunc(algorithm)
+	if err != nil {
+		return nil, err
+	}
 	var digest []byte
 	if hashFunc != 0 {
 		h := hashFunc.New()
diff --git a/ssh/mac.go b/ssh/mac.go
index de2639d57f..87d626fbbf 100644
--- a/ssh/mac.go
+++ b/ssh/mac.go
@@ -7,11 +7,13 @@ package ssh
 // Message authentication support
 
 import (
+	"crypto/fips140"
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
+	"slices"
 )
 
 type macMode struct {
@@ -46,23 +48,37 @@ func (t truncatingMAC) Size() int {
 
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 
-var macModes = map[string]*macMode{
-	HMACSHA512ETM: {64, true, func(key []byte) hash.Hash {
+// macModes defines the supported MACs. MACs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
+var macModes = map[string]*macMode{}
+
+func init() {
+	macModes[HMACSHA512ETM] = &macMode{64, true, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	HMACSHA256ETM: {32, true, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256ETM] = &macMode{32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	HMACSHA512: {64, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA512] = &macMode{64, false, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	HMACSHA256: {32, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256] = &macMode{32, false, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	HMACSHA1: {20, false, func(key []byte) hash.Hash {
+	}}
+
+	if fips140.Enabled() {
+		defaultMACs = slices.DeleteFunc(defaultMACs, func(algo string) bool {
+			_, ok := macModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	macModes[HMACSHA1] = &macMode{20, false, func(key []byte) hash.Hash {
 		return hmac.New(sha1.New, key)
-	}},
-	InsecureHMACSHA196: {20, false, func(key []byte) hash.Hash {
+	}}
+	macModes[InsecureHMACSHA196] = &macMode{20, false, func(key []byte) hash.Hash {
 		return truncatingMAC{12, hmac.New(sha1.New, key)}
-	}},
+	}}
 }
diff --git a/ssh/transport.go b/ssh/transport.go
index 663619845c..fa3dd6a429 100644
--- a/ssh/transport.go
+++ b/ssh/transport.go
@@ -8,6 +8,7 @@ import (
 	"bufio"
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 )
@@ -254,6 +255,9 @@ var (
 // (to setup server->client keys) or clientKeys (for client->server keys).
 func newPacketCipher(d direction, algs DirectionAlgorithms, kex *kexResult) (packetCipher, error) {
 	cipherMode := cipherModes[algs.Cipher]
+	if cipherMode == nil {
+		return nil, fmt.Errorf("ssh: unsupported cipher %v", algs.Cipher)
+	}
 
 	iv := make([]byte, cipherMode.ivSize)
 	key := make([]byte, cipherMode.keySize)

From 2beaa59a3c994e5d01b6d58dc348dcd6d814ef26 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sun, 15 Dec 2024 20:02:38 +0100
Subject: [PATCH 20/37] ssh: add VerifiedPublicKeyCallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes golang/go#70795

Change-Id: I9b7c91f35f89495d1e9b5f6ec0c036c02a61d774
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/636335
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Ilia Mirkin <imirkin@alum.mit.edu>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jorge Hernández <jorgehcrda39@gmail.com>
---
 ssh/server.go      |  27 ++++
 ssh/server_test.go | 374 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 401 insertions(+)

diff --git a/ssh/server.go b/ssh/server.go
index f06c08cd46..064dcbaf5a 100644
--- a/ssh/server.go
+++ b/ssh/server.go
@@ -44,6 +44,9 @@ type Permissions struct {
 	// pass data from the authentication callbacks to the server
 	// application layer.
 	Extensions map[string]string
+
+	// ExtraData allows to store user defined data.
+	ExtraData map[any]any
 }
 
 type GSSAPIWithMICConfig struct {
@@ -127,6 +130,21 @@ type ServerConfig struct {
 	// Permissions.Extensions entry.
 	PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
 
+	// VerifiedPublicKeyCallback, if non-nil, is called after a client
+	// successfully confirms having control over a key that was previously
+	// approved by PublicKeyCallback. The permissions object passed to the
+	// callback is the one returned by PublicKeyCallback for the given public
+	// key and its ownership is transferred to the callback. The returned
+	// Permissions object can be the same object, optionally modified, or a
+	// completely new object. If VerifiedPublicKeyCallback is non-nil,
+	// PublicKeyCallback is not allowed to return a PartialSuccessError, which
+	// can instead be returned by VerifiedPublicKeyCallback.
+	//
+	// VerifiedPublicKeyCallback does not affect which authentication methods
+	// are included in the list of methods that can be attempted by the client.
+	VerifiedPublicKeyCallback func(conn ConnMetadata, key PublicKey, permissions *Permissions,
+		signatureAlgorithm string) (*Permissions, error)
+
 	// KeyboardInteractiveCallback, if non-nil, is called when
 	// keyboard-interactive authentication is selected (RFC
 	// 4256). The client object's Challenge function should be
@@ -653,6 +671,9 @@ userAuthLoop:
 				candidate.pubKeyData = pubKeyData
 				candidate.perms, candidate.result = authConfig.PublicKeyCallback(s, pubKey)
 				_, isPartialSuccessError := candidate.result.(*PartialSuccessError)
+				if isPartialSuccessError && config.VerifiedPublicKeyCallback != nil {
+					return nil, errors.New("ssh: invalid library usage: PublicKeyCallback must not return partial success when VerifiedPublicKeyCallback is defined")
+				}
 
 				if (candidate.result == nil || isPartialSuccessError) &&
 					candidate.perms != nil &&
@@ -723,6 +744,12 @@ userAuthLoop:
 
 				authErr = candidate.result
 				perms = candidate.perms
+				if authErr == nil && config.VerifiedPublicKeyCallback != nil {
+					// Only call VerifiedPublicKeyCallback after the key has been accepted
+					// and successfully verified. If authErr is non-nil, the key is not
+					// considered verified and the callback must not run.
+					perms, authErr = config.VerifiedPublicKeyCallback(s, pubKey, perms, algo)
+				}
 			}
 		case "gssapi-with-mic":
 			if authConfig.GSSAPIWithMICConfig == nil {
diff --git a/ssh/server_test.go b/ssh/server_test.go
index 5bd18db5bb..e48f7e3059 100644
--- a/ssh/server_test.go
+++ b/ssh/server_test.go
@@ -434,6 +434,380 @@ func TestPreAuthConnAndBanners(t *testing.T) {
 	}
 }
 
+func TestVerifiedPublicKeyCallback(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	extraKey := "extra"
+	extraDataString := "just a string"
+
+	serverConf := &ServerConfig{
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			if permissions != nil && permissions.ExtraData != nil {
+				if !reflect.DeepEqual(map[any]any{extraKey: extraDataString}, permissions.ExtraData) {
+					t.Errorf("expected extra data: %v; got: %v", extraDataString, permissions.ExtraData)
+				}
+			} else {
+				t.Error("expected extra data is missing")
+			}
+			if signatureAlgorithm != KeyAlgoRSASHA256 {
+				t.Errorf("expected signature algorithm: %q; got: %q", KeyAlgoRSASHA256, signatureAlgorithm)
+			}
+			return permissions, nil
+		},
+		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+			return &Permissions{ExtraData: map[any]any{extraKey: extraDataString}}, nil
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		conn, _, _, err := NewServerConn(c1, serverConf)
+		if err != nil {
+			t.Errorf("unexpected server error: %v", err)
+		}
+		if !reflect.DeepEqual(map[any]any{extraKey: extraDataString}, conn.Permissions.ExtraData) {
+			t.Errorf("expected extra data: %v; got: %v", extraDataString, conn.Permissions.ExtraData)
+		}
+	}()
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	<-done
+}
+
+func TestVerifiedPublicCallbackPartialSuccess(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	serverConf := &ServerConfig{
+		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+				return nil, nil
+			}
+			return nil, errors.New("invalid credentials")
+		},
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+				return nil, &PartialSuccessError{
+					Next: ServerAuthCallbacks{
+						PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+							if string(password) == clientPassword {
+								return nil, nil
+							}
+							return nil, nil
+						},
+					},
+				}
+			}
+			return nil, errors.New("invalid credentials")
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+			Password(clientPassword),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	go NewServerConn(c1, serverConf)
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err != nil {
+		t.Fatalf("client login error: %s", err)
+	}
+}
+
+func TestVerifiedPublicKeyCallbackPwdAndKey(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	serverConf := &ServerConfig{
+		PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+			if string(password) == clientPassword {
+				return nil, &PartialSuccessError{
+					Next: ServerAuthCallbacks{
+						PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+							if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+								return nil, nil
+							}
+							return nil, errors.New("invalid credentials")
+						},
+					},
+				}
+			}
+			return nil, errors.New("invalid credentials")
+
+		},
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+				return nil, nil
+			}
+			return nil, errors.New("invalid credentials")
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			Password(clientPassword),
+			PublicKeys(testSigners["rsa"]),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	go NewServerConn(c1, serverConf)
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err != nil {
+		t.Fatalf("client login error: %s", err)
+	}
+}
+
+func TestVerifiedPubKeyCallbackAuthMethods(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	serverConf := &ServerConfig{
+		PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+			return nil, nil
+		},
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+				return nil, nil
+			}
+			return nil, errors.New("invalid credentials")
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	go NewServerConn(c1, serverConf)
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err == nil {
+		t.Fatal("client login succeed with only VerifiedPublicKeyCallback defined")
+	}
+}
+
+func TestVerifiedPubKeyCallbackError(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	serverConf := &ServerConfig{
+		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+			return nil, nil
+		},
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			return nil, errors.New("invalid credentials")
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	go NewServerConn(c1, serverConf)
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err == nil {
+		t.Fatal("client login succeed with VerifiedPublicKeyCallback returning an error")
+	}
+}
+
+func TestVerifiedPublicCallbackPartialSuccessBadUsage(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	serverConf := &ServerConfig{
+		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+				// Returning PartialSuccessError is not permitted when
+				// VerifiedPublicKeyCallback is defined. This callback is
+				// invoked for both query requests and real authentications,
+				// while VerifiedPublicKeyCallback is only triggered if the
+				// client has proven control of the key.
+				return nil, &PartialSuccessError{
+					Next: ServerAuthCallbacks{
+						PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+							if string(password) == clientPassword {
+								return nil, nil
+							}
+							return nil, nil
+						},
+					},
+				}
+			}
+			return nil, errors.New("invalid credentials")
+		},
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			if bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
+				return nil, &PartialSuccessError{
+					Next: ServerAuthCallbacks{
+						PasswordCallback: func(conn ConnMetadata, password []byte) (*Permissions, error) {
+							if string(password) == clientPassword {
+								return nil, nil
+							}
+							return nil, nil
+						},
+					},
+				}
+			}
+			return nil, errors.New("invalid credentials")
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+			Password(clientPassword),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	go NewServerConn(c1, serverConf)
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err == nil {
+		t.Fatal("authentication suceeded with PartialSuccess returned from PublicKeyCallback and  VerifiedPublicKeyCallback defined")
+	}
+}
+
+func TestVerifiedPublicKeyCallbackOnError(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	var verifiedCallbackCalled bool
+
+	serverConf := &ServerConfig{
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			verifiedCallbackCalled = true
+			return nil, nil
+		},
+		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+			return nil, errors.New("invalid key")
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		NewServerConn(c1, serverConf)
+	}()
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err == nil {
+		t.Fatal("authentication should fail")
+	}
+	<-done
+	if verifiedCallbackCalled {
+		t.Error("VerifiedPublicKeyCallback called after PublicKeyCallback returned an error")
+	}
+}
+
+func TestVerifiedPublicKeyCallbackOnly(t *testing.T) {
+	c1, c2, err := netPipe()
+	if err != nil {
+		t.Fatalf("netPipe: %v", err)
+	}
+	defer c1.Close()
+	defer c2.Close()
+
+	serverConf := &ServerConfig{
+		VerifiedPublicKeyCallback: func(conn ConnMetadata, key PublicKey, permissions *Permissions, signatureAlgorithm string) (*Permissions, error) {
+			return nil, nil
+		},
+	}
+	serverConf.AddHostKey(testSigners["rsa"])
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		NewServerConn(c1, serverConf)
+	}()
+
+	clientConf := ClientConfig{
+		User: "user",
+		Auth: []AuthMethod{
+			PublicKeys(testSigners["rsa"]),
+		},
+		HostKeyCallback: InsecureIgnoreHostKey(),
+	}
+
+	_, _, _, err = NewClientConn(c2, "", &clientConf)
+	if err == nil {
+		t.Fatal("authentication suceeded with only VerifiedPublicKeyCallback defined")
+	}
+	<-done
+}
+
 type markerConn struct {
 	closed uint32
 	used   uint32

From 1336e21bd6f39d1ab82ca6412693849c2d120e1d Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Mon, 6 Oct 2025 16:00:59 +0000
Subject: [PATCH 21/37] x509roots/fallback: update bundle

This is an automated CL which updates the NSS root bundle.

[git-generate]
go generate ./x509roots

Change-Id: I9ab454c977013b2f6a42bc93fb0649612c54c6c0
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/709475
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
---
 x509roots/fallback/bundle/bundle.der | Bin 154797 -> 156781 bytes
 x509roots/fallback/bundle/bundle.go  | 132 +++++++++++++++------------
 2 files changed, 72 insertions(+), 60 deletions(-)

diff --git a/x509roots/fallback/bundle/bundle.der b/x509roots/fallback/bundle/bundle.der
index 1abf12f5980415e088cfe616e3c01c9fb5eb2108..7c75ce5e070fcfe21d67283484dcf8e72b024236 100644
GIT binary patch
delta 1854
zcmb`GdpOgJAIA;JnEPd8bD3PWF@0wn5{DX+i9|X%LNRN`oR-d9szr$kEyGl9B|UCS
zGPLX{ohLaF%5iI))J9Ak;TXC6ex1u7{c-;6&)4(%<NZ9J*Yn{E!Lyy<a{>@2f~`md
z(m{{Pl@vjWirU*&e;Fj!UqzA4=7VKtc_o0FiYn%!Pmi0jk`h41sRLjYrGv^UdWs|;
zoDl&13)CRm0egdjz0AE6PBEg7CejiZI3!^9mr{bj{!u{`=1&x+`GJIlL~}0^$$SqE
zFokM3-~l2&8iykg92}fOp&A5dfapN@8=XSG=^D3T7c3IG{j;v94z{Sa<T?1$?$X97
zvzFxQ@0(XBuUwD;RWlWBcO00D&7faxH&_{rpfSFz#@;Hgc^auxRo~>NzE~J}W9J8%
zagx2jZ36W>;@qP!hKAUvQsQ2WdFVkNn+)KdcyEDs+LuM?U3a@YQ1NN+6Mu+y!frt^
zVDjY{CYs8I%KHDMdA->nIJf&cm|cwlO!}UdaRLK9zAFeuzBG)H2gRux?&#A!&5nY<
zl{hQx7{Laad#NKLsW_6=tRhY!@6x^Luw&<s9bLs9stpn9j9InC`uiHE(?@&zMZS%$
zL-setD=3<Xj{S(c<svx*q;EM7q$|<??R~Ivgqn})n1y_{8T)|^+6MzPRKQ<?UzBTr
zK#(m8->AZYpj}@#|B@W<gme5V`4=RH`hCka-YXc$f?acOsW!cLZNf?Y!$2XQGet&^
z9*mT9iyB4PJfXBA<x`rVl*uH$b+1*o7R;p@)7DUZ%rM`0+V%M;Q^@Ov{|#mn`sT!S
zK0?`j{oLWL)s{tL)8Mu$3;5w3uWT|$5ieKP8fT`tNwZo#PN%I|j9bHYNI&W2faiLy
zjOPPvJ>G*Vu_f(%NI$JBUAMIazOX`AD6+-mDpQvwnYT>%j2_2C&2aqAE^#0)KeoWN
z2Nud8cdT!{YHuv`l}8iMqjz)mzstEop74P)?9XYtOUvLCcO8N35Uot0Fq2_<-SSUl
z39n|2z*eLiaQLmIp+@XG*~6dXQR~jn*%Ci~Y|n^4H!rsvLVc`GF6@b+1|9E$>f|1l
z*A>HsxyL<QVD*y|T9nZO@O`dsli7FqmCv(IAsc=NTVnj)i$3~M_dG>s3Dq90wkP&v
z!>lQ9<Ov<wsmH_A=c1m3lRx=)mu=U2H+3V0`)RyW{Mcraf=+cD#~YknD4}0qs~)#?
z+-hsnoirSqsktX{sis`-Nc7nyvHra^7wPtPibR;=5jU^Wl8U-H^e)2rWPaVqk6i5N
zg?ewq?G!urH0#|Tej9!kcOgdS3X2|$sAwA2p1+5dQ&qE|VGnu9y)s+O-1qp2_-S+v
z1*DO#_t8rIh@A)10Nu~AlN*zi2V&=G-0>MWFER@R!7u#UuB8#B(E8C!)7Px2q0#ZB
zX3kg7`Cpo+a}9*xnnbCx3Do2VE*%qY@@-5Z_>Vlkjaj+B+JiseKq0p?UZ2ei+%TXF
zh0&u8=PrA_fRG$Li6iXIWEaF#ht!SE`VFZqSza{vuWq}vh$yapD*{}guN+8yHJ6!)
zK$PE@W2Y2LJ##G+Q6gHeMHPl04SQ&Thxr)pm%Z3NUAcFZ?aIDmBy!~Ey%#Q#2WC|H
zACfkqPmW}=rl_m{g_!!K1|^p^-P5~>6H9mDd#-dP%LgAr8UB>{l{bgl^V23$LNr>v
z*$LM+&P+n3X*R7}vO>npE9FJlYeqC&#7$t~I-luL*gedOxhWXXe4xFlU-Qek6D4jr
zQ)l$!jz(YfzRMm8e%3t1G4!s?cv0#inbb3EHrUo(jXtoU(6P+P4Y_(rb*!*vvOl)^
zB5`@ZD`~f{_qtMN_;Ad!7sXQ0mYI6cyhL8ogjp9JGwO=lS>GS;99Nrq*EDB+x^$Cn
zAQY$H=qh@9@)oDO{Mq;vsH#H0xU>C6oxy&5&g^N-m6PlO50dqI+8s>94o-_rS0HPp
zkZanzz&c~*&Aoltw7~Nj_Ehx!!PRkBnoPL~q5j_6b029ZZ|@16pDml8@|nRZn{?PJ
zON_QVP#VulJ+`5>FSp1608Z!*S`j5>D+$F-GqG^KOuN6(kg0;S>hKd?{jn7y4YxRt
UeciU1q5OkD`g2Qe1juaT{|HeRK>z>%

delta 17
ZcmaERf^+Ro&W0_F6XLfAq%+F?1prKT2ipJu

diff --git a/x509roots/fallback/bundle/bundle.go b/x509roots/fallback/bundle/bundle.go
index be9e857790..8b8f20a470 100644
--- a/x509roots/fallback/bundle/bundle.go
+++ b/x509roots/fallback/bundle/bundle.go
@@ -521,365 +521,377 @@ var unparsedCertificates = []unparsedCertificate{
 		certStartOff: 88949,
 		certLength:   1049,
 	},
+	{
+		cn:           "CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH",
+		sha256Hash:   "eec997c0c30f216f7e3b8b307d2bae42412d753fc8219dafd1520b2572850f49",
+		certStartOff: 89998,
+		certLength:   569,
+	},
+	{
+		cn:           "CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH",
+		sha256Hash:   "9ae36232a5189ffddb353dfd26520c015395d22777dac59db57b98c089a651e6",
+		certStartOff: 90567,
+		certLength:   1415,
+	},
 	{
 		cn:           "CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH",
 		sha256Hash:   "6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6",
-		certStartOff: 89998,
+		certStartOff: 91982,
 		certLength:   953,
 	},
 	{
 		cn:           "CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH",
 		sha256Hash:   "8560f91c3624daba9570b5fea0dbe36ff11a8323be9486854fb3f34a5571198d",
-		certStartOff: 90951,
+		certStartOff: 92935,
 		certLength:   621,
 	},
 	{
 		cn:           "CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM",
 		sha256Hash:   "8a866fd1b276b57e578e921c65828a2bed58e9f2f288054134b7f1f4bfc9cc74",
-		certStartOff: 91572,
+		certStartOff: 93556,
 		certLength:   1380,
 	},
 	{
 		cn:           "CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM",
 		sha256Hash:   "8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840",
-		certStartOff: 92952,
+		certStartOff: 94936,
 		certLength:   1380,
 	},
 	{
 		cn:           "CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM",
 		sha256Hash:   "85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86",
-		certStartOff: 94332,
+		certStartOff: 96316,
 		certLength:   1467,
 	},
 	{
 		cn:           "CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM",
 		sha256Hash:   "88ef81de202eb018452e43f864725cea5fbd1fc2d9d205730709c5d8b8690f46",
-		certStartOff: 95799,
+		certStartOff: 97783,
 		certLength:   1380,
 	},
 	{
 		cn:           "CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM",
 		sha256Hash:   "18f1fc7f205df8adddeb7fe007dd57e3af375a9c4d8d73546bf4f1fed1e18d35",
-		certStartOff: 97179,
+		certStartOff: 99163,
 		certLength:   1697,
 	},
 	{
 		cn:           "CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US",
 		sha256Hash:   "22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8",
-		certStartOff: 98876,
+		certStartOff: 100860,
 		certLength:   664,
 	},
 	{
 		cn:           "CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US",
 		sha256Hash:   "2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c",
-		certStartOff: 99540,
+		certStartOff: 101524,
 		certLength:   1519,
 	},
 	{
 		cn:           "CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US",
 		sha256Hash:   "3417bb06cc6007da1b961c920b8ab4ce3fad820e4aa30b9acbc4a74ebdcebc65",
-		certStartOff: 101059,
+		certStartOff: 103043,
 		certLength:   657,
 	},
 	{
 		cn:           "CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US",
 		sha256Hash:   "85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69",
-		certStartOff: 101716,
+		certStartOff: 103700,
 		certLength:   1505,
 	},
 	{
 		cn:           "CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US",
 		sha256Hash:   "c32ffd9f46f936d16c3673990959434b9ad60aafbb9e7cf33654f144cc1ba143",
-		certStartOff: 103221,
+		certStartOff: 105205,
 		certLength:   574,
 	},
 	{
 		cn:           "CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US",
 		sha256Hash:   "8faf7d2e2cb4709bb8e0b33666bf75a5dd45b5de480f8ea8d4bfe6bebc17f2ed",
-		certStartOff: 103795,
+		certStartOff: 105779,
 		certLength:   1421,
 	},
 	{
 		cn:           "CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL",
 		sha256Hash:   "a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe",
-		certStartOff: 105216,
+		certStartOff: 107200,
 		certLength:   886,
 	},
 	{
 		cn:           "CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB",
 		sha256Hash:   "c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383",
-		certStartOff: 106102,
+		certStartOff: 108086,
 		certLength:   574,
 	},
 	{
 		cn:           "CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GB",
 		sha256Hash:   "7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06",
-		certStartOff: 106676,
+		certStartOff: 108660,
 		certLength:   1422,
 	},
 	{
 		cn:           "CN=Secure Global CA,O=SecureTrust Corporation,C=US",
 		sha256Hash:   "4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69",
-		certStartOff: 108098,
+		certStartOff: 110082,
 		certLength:   960,
 	},
 	{
 		cn:           "CN=SecureSign Root CA12,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
 		sha256Hash:   "3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e",
-		certStartOff: 109058,
+		certStartOff: 111042,
 		certLength:   886,
 	},
 	{
 		cn:           "CN=SecureSign Root CA14,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
 		sha256Hash:   "4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338",
-		certStartOff: 109944,
+		certStartOff: 111928,
 		certLength:   1398,
 	},
 	{
 		cn:           "CN=SecureSign Root CA15,O=Cybertrust Japan Co.\\, Ltd.,C=JP",
 		sha256Hash:   "e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a",
-		certStartOff: 111342,
+		certStartOff: 113326,
 		certLength:   551,
 	},
 	{
 		cn:           "CN=SecureTrust CA,O=SecureTrust Corporation,C=US",
 		sha256Hash:   "f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73",
-		certStartOff: 111893,
+		certStartOff: 113877,
 		certLength:   956,
 	},
 	{
 		cn:           "CN=Security Communication ECC RootCA1,O=SECOM Trust Systems CO.\\,LTD.,C=JP",
 		sha256Hash:   "e74fbda55bd564c473a36b441aa799c8a68e077440e8288b9fa1e50e4bbaca11",
-		certStartOff: 112849,
+		certStartOff: 114833,
 		certLength:   572,
 	},
 	{
 		cn:           "CN=Starfield Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
 		sha256Hash:   "2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5",
-		certStartOff: 113421,
+		certStartOff: 115405,
 		certLength:   993,
 	},
 	{
 		cn:           "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US",
 		sha256Hash:   "568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5",
-		certStartOff: 114414,
+		certStartOff: 116398,
 		certLength:   1011,
 	},
 	{
 		cn:           "CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH",
 		sha256Hash:   "62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688f647c6881f2c8357b95",
-		certStartOff: 115425,
+		certStartOff: 117409,
 		certLength:   1470,
 	},
 	{
 		cn:           "CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH",
 		sha256Hash:   "193144f431e0fddb740717d4de926a571133884b4360d30e272913cbe660ce41",
-		certStartOff: 116895,
+		certStartOff: 118879,
 		certLength:   1431,
 	},
 	{
 		cn:           "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE",
 		sha256Hash:   "91e2f5788d5810eba7ba58737de1548a8ecacd014598bc0b143e041b17052552",
-		certStartOff: 118326,
+		certStartOff: 120310,
 		certLength:   967,
 	},
 	{
 		cn:           "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE",
 		sha256Hash:   "fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd",
-		certStartOff: 119293,
+		certStartOff: 121277,
 		certLength:   967,
 	},
 	{
 		cn:           "CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW",
 		sha256Hash:   "3f63bb2814be174ec8b6439cf08d6d56f0b7c405883a5648a334424d6b3ec558",
-		certStartOff: 120260,
+		certStartOff: 122244,
 		certLength:   1425,
 	},
 	{
 		cn:           "CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW",
 		sha256Hash:   "59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b",
-		certStartOff: 121685,
+		certStartOff: 123669,
 		certLength:   1349,
 	},
 	{
 		cn:           "CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW",
 		sha256Hash:   "bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44",
-		certStartOff: 123034,
+		certStartOff: 125018,
 		certLength:   895,
 	},
 	{
 		cn:           "CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE",
 		sha256Hash:   "578af4ded0853f4e5998db4aeaf9cbea8d945f60b620a38d1a3c13b2bc7ba8e1",
-		certStartOff: 123929,
+		certStartOff: 125913,
 		certLength:   582,
 	},
 	{
 		cn:           "CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE",
 		sha256Hash:   "efc65cadbb59adb6efe84da22311b35624b71b3b1ea0da8b6655174ec8978646",
-		certStartOff: 124511,
+		certStartOff: 126495,
 		certLength:   1463,
 	},
 	{
 		cn:           "CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI",
 		sha256Hash:   "242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c",
-		certStartOff: 125974,
+		certStartOff: 127958,
 		certLength:   1400,
 	},
 	{
 		cn:           "CN=TeliaSonera Root CA v1,O=TeliaSonera",
 		sha256Hash:   "dd6936fe21f8f077c123a1a521c12224f72255b73e03a7260693e8a24b0fa389",
-		certStartOff: 127374,
+		certStartOff: 129358,
 		certLength:   1340,
 	},
 	{
 		cn:           "CN=TrustAsia Global Root CA G3,O=TrustAsia Technologies\\, Inc.,C=CN",
 		sha256Hash:   "e0d3226aeb1163c2e48ff9be3b50b4c6431be7bb1eacc5c36b5d5ec509039a08",
-		certStartOff: 128714,
+		certStartOff: 130698,
 		certLength:   1449,
 	},
 	{
 		cn:           "CN=TrustAsia Global Root CA G4,O=TrustAsia Technologies\\, Inc.,C=CN",
 		sha256Hash:   "be4b56cb5056c0136a526df444508daa36a0b54f42e4ac38f72af470e479654c",
-		certStartOff: 130163,
+		certStartOff: 132147,
 		certLength:   601,
 	},
 	{
 		cn:           "CN=TrustAsia TLS ECC Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
 		sha256Hash:   "c0076b9ef0531fb1a656d67c4ebe97cd5dbaa41ef44598acc2489878c92d8711",
-		certStartOff: 130764,
+		certStartOff: 132748,
 		certLength:   565,
 	},
 	{
 		cn:           "CN=TrustAsia TLS RSA Root CA,O=TrustAsia Technologies\\, Inc.,C=CN",
 		sha256Hash:   "06c08d7dafd876971eb1124fe67f847ec0c7a158d3ea53cbe940e2ea9791f4c3",
-		certStartOff: 131329,
+		certStartOff: 133313,
 		certLength:   1412,
 	},
 	{
 		cn:           "CN=Trustwave Global Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
 		sha256Hash:   "97552015f5ddfc3c8788c006944555408894450084f100867086bc1a2bb58dc8",
-		certStartOff: 132741,
+		certStartOff: 134725,
 		certLength:   1502,
 	},
 	{
 		cn:           "CN=Trustwave Global ECC P256 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
 		sha256Hash:   "945bbc825ea554f489d1fd51a73ddf2ea624ac7019a05205225c22a78ccfa8b4",
-		certStartOff: 134243,
+		certStartOff: 136227,
 		certLength:   612,
 	},
 	{
 		cn:           "CN=Trustwave Global ECC P384 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US",
 		sha256Hash:   "55903859c8c0c3ebb8759ece4e2557225ff5758bbd38ebd48276601e1bd58097",
-		certStartOff: 134855,
+		certStartOff: 136839,
 		certLength:   673,
 	},
 	{
 		cn:           "CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN",
 		sha256Hash:   "2e44102ab58cb85419451c8e19d9acf3662cafbc614b6a53960a30f7d0e2eb41",
-		certStartOff: 135528,
+		certStartOff: 137512,
 		certLength:   1463,
 	},
 	{
 		cn:           "CN=UCA Extended Validation Root,O=UniTrust,C=CN",
 		sha256Hash:   "d43af9b35473755c9684fc06d7d8cb70ee5c28e773fb294eb41ee71722924d24",
-		certStartOff: 136991,
+		certStartOff: 138975,
 		certLength:   1374,
 	},
 	{
 		cn:           "CN=UCA Global G2 Root,O=UniTrust,C=CN",
 		sha256Hash:   "9bea11c976fe014764c1be56a6f914b5a560317abd9988393382e5161aa0493c",
-		certStartOff: 138365,
+		certStartOff: 140349,
 		certLength:   1354,
 	},
 	{
 		cn:           "CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US",
 		sha256Hash:   "4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a",
-		certStartOff: 139719,
+		certStartOff: 141703,
 		certLength:   659,
 	},
 	{
 		cn:           "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US",
 		sha256Hash:   "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2",
-		certStartOff: 140378,
+		certStartOff: 142362,
 		certLength:   1506,
 	},
 	{
 		cn:           "CN=e-Szigno Root CA 2017,O=Microsec Ltd.,L=Budapest,C=HU,2.5.4.97=#130e56415448552d3233353834343937",
 		sha256Hash:   "beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99",
-		certStartOff: 141884,
+		certStartOff: 143868,
 		certLength:   580,
 	},
 	{
 		cn:           "CN=emSign ECC Root CA - C3,OU=emSign PKI,O=eMudhra Inc,C=US",
 		sha256Hash:   "bc4d809b15189d78db3e1d8cf4f9726a795da1643ca5f1358e1ddb0edc0d7eb3",
-		certStartOff: 142464,
+		certStartOff: 144448,
 		certLength:   559,
 	},
 	{
 		cn:           "CN=emSign ECC Root CA - G3,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN",
 		sha256Hash:   "86a1ecba089c4a8d3bbe2734c612ba341d813e043cf9e8a862cd5c57a36bbe6b",
-		certStartOff: 143023,
+		certStartOff: 145007,
 		certLength:   594,
 	},
 	{
 		cn:           "CN=emSign Root CA - C1,OU=emSign PKI,O=eMudhra Inc,C=US",
 		sha256Hash:   "125609aa301da0a249b97a8239cb6a34216f44dcac9f3954b14292f2e8c8608f",
-		certStartOff: 143617,
+		certStartOff: 145601,
 		certLength:   887,
 	},
 	{
 		cn:           "CN=emSign Root CA - G1,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN",
 		sha256Hash:   "40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367",
-		certStartOff: 144504,
+		certStartOff: 146488,
 		certLength:   920,
 	},
 	{
 		cn:           "CN=vTrus ECC Root CA,O=iTrusChina Co.\\,Ltd.,C=CN",
 		sha256Hash:   "30fbba2c32238e2a98547af97931e550428b9b3f1c8eeb6633dcfa86c5b27dd3",
-		certStartOff: 145424,
+		certStartOff: 147408,
 		certLength:   531,
 	},
 	{
 		cn:           "CN=vTrus Root CA,O=iTrusChina Co.\\,Ltd.,C=CN",
 		sha256Hash:   "8a71de6559336f426c26e53880d00d88a18da4c6a91f0dcb6194e206c5c96387",
-		certStartOff: 145955,
+		certStartOff: 147939,
 		certLength:   1370,
 	},
 	{
 		cn:           "OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES",
 		sha256Hash:   "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa",
-		certStartOff: 147325,
+		certStartOff: 149309,
 		certLength:   1415,
 	},
 	{
 		cn:           "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\\,LTD.,C=JP",
 		sha256Hash:   "513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6",
-		certStartOff: 148740,
+		certStartOff: 150724,
 		certLength:   891,
 	},
 	{
 		cn:           "OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO",
 		sha256Hash:   "657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305",
-		certStartOff: 149631,
+		certStartOff: 151615,
 		certLength:   1355,
 	},
 	{
 		cn:           "OU=certSIGN ROOT CA,O=certSIGN,C=RO",
 		sha256Hash:   "eaa962c4fa4a6bafebe415196d351ccd888d4f53f3fa8ae6d7c466a94e6042bb",
-		certStartOff: 150986,
+		certStartOff: 152970,
 		certLength:   828,
 	},
 	{
 		cn:            "OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",
 		sha256Hash:    "c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5",
-		certStartOff:  151814,
+		certStartOff:  153798,
 		certLength:    1460,
 		distrustAfter: "2025-04-15T23:59:59Z",
 	},
 	{
 		cn:           "SERIALNUMBER=G63287510,CN=ANF Secure Server Root CA,OU=ANF CA Raiz,O=ANF Autoridad de Certificacion,C=ES",
 		sha256Hash:   "fb8fec759169b9106b1e511644c618c51304373f6c0643088d8beffd1b997599",
-		certStartOff: 153274,
+		certStartOff: 155258,
 		certLength:   1523,
 	},
 }

From dca4914afe94ebd485672b06b9a120e18b452533 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Wed, 8 Oct 2025 10:15:41 -0400
Subject: [PATCH 22/37] acme: fix autocert TestHTTPHandlerDefaultFallback

The Go 1.25.2 release made net/url stricter about parsing bracketed IPv6
hostnames, and is rejecting some test URLs used in the autocert
TestHTTPHandlerDefaultFallback test with an error about the
colon-separated fields requiring at least one hex digit.

This commit replaces the invalid `xxxx` portion of some test URLS with
valid hex digits, fixing the test regression.

Change-Id: I84c192b1cd6daf53ef4199f7987437fd825f7041
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/710155
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/autocert/autocert_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
index 269bc2a6c2..8ca8e2b3a7 100644
--- a/acme/autocert/autocert_test.go
+++ b/acme/autocert/autocert_test.go
@@ -561,9 +561,9 @@ func TestHTTPHandlerDefaultFallback(t *testing.T) {
 		{"GET", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
 		{"GET", "http://example.org:80/foo?a=b", 302, "https://example.org:443/foo?a=b"},
 		{"GET", "http://example.org:80/foo%20bar", 302, "https://example.org:443/foo%20bar"},
-		{"GET", "http://[2602:d1:xxxx::c60a]:1234", 302, "https://[2602:d1:xxxx::c60a]:443/"},
-		{"GET", "http://[2602:d1:xxxx::c60a]", 302, "https://[2602:d1:xxxx::c60a]/"},
-		{"GET", "http://[2602:d1:xxxx::c60a]/foo?a=b", 302, "https://[2602:d1:xxxx::c60a]/foo?a=b"},
+		{"GET", "http://[2602:d1:abcd::c60a]:1234", 302, "https://[2602:d1:abcd::c60a]:443/"},
+		{"GET", "http://[2602:d1:abcd::c60a]", 302, "https://[2602:d1:abcd::c60a]/"},
+		{"GET", "http://[2602:d1:abcd::c60a]/foo?a=b", 302, "https://[2602:d1:abcd::c60a]/foo?a=b"},
 		{"HEAD", "http://example.org", 302, "https://example.org/"},
 		{"HEAD", "http://example.org/foo", 302, "https://example.org/foo"},
 		{"HEAD", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},

From 627cb894b6b2021e34c4ad4af4c0a963127491e4 Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Wed, 8 Oct 2025 08:52:20 -0700
Subject: [PATCH 23/37] go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: Icf986acf9290649488777328f470200bf9e11442
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/710098
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index fd65b61893..f331951a16 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module golang.org/x/crypto
 go 1.24.0
 
 require (
-	golang.org/x/net v0.43.0 // tagx:ignore
-	golang.org/x/sys v0.36.0
-	golang.org/x/term v0.35.0
+	golang.org/x/net v0.45.0 // tagx:ignore
+	golang.org/x/sys v0.37.0
+	golang.org/x/term v0.36.0
 )
 
-require golang.org/x/text v0.29.0 // indirect
+require golang.org/x/text v0.30.0 // indirect
diff --git a/go.sum b/go.sum
index c3f2d576cb..6d9f239e86 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=

From 1faea2975ced2153e5086c1ee135f983db10150a Mon Sep 17 00:00:00 2001
From: cuishuang <imcusg@gmail.com>
Date: Mon, 29 Sep 2025 11:51:24 +0800
Subject: [PATCH 24/37] all: fix some typos in comment

Change-Id: Ia209f0a6d9b19d14e655c65d1287a1416b48c487
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/707535
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Sean Liao <sean@liao.dev>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Sean Liao <sean@liao.dev>
---
 acme/autocert/internal/acmetest/ca.go | 2 +-
 acme/rfc8555.go                       | 2 +-
 chacha20/chacha_arm64.s               | 2 +-
 internal/wycheproof/rsa_pss_test.go   | 2 +-
 nacl/box/box_test.go                  | 2 +-
 nacl/sign/sign_test.go                | 2 +-
 openpgp/packet/opaque_test.go         | 2 +-
 openpgp/s2k/s2k.go                    | 2 +-
 ssh/agent/keyring.go                  | 2 +-
 ssh/agent/keyring_test.go             | 2 +-
 ssh/client_auth_test.go               | 2 +-
 ssh/example_test.go                   | 6 +++---
 ssh/handshake_test.go                 | 2 +-
 ssh/server_test.go                    | 4 ++--
 ssh/test/recording_client_test.go     | 2 +-
 ssh/test/recording_server_test.go     | 2 +-
 x509roots/nss/parser.go               | 2 +-
 17 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/acme/autocert/internal/acmetest/ca.go b/acme/autocert/internal/acmetest/ca.go
index 28e6e7da66..c7ddd3dbfb 100644
--- a/acme/autocert/internal/acmetest/ca.go
+++ b/acme/autocert/internal/acmetest/ca.go
@@ -145,7 +145,7 @@ func (ca *CAServer) URL() string {
 	return ca.url
 }
 
-// Roots returns a pool cointaining the CA root.
+// Roots returns a pool containing the CA root.
 func (ca *CAServer) Roots() *x509.CertPool {
 	if ca.url == "" {
 		panic("Roots called before Start")
diff --git a/acme/rfc8555.go b/acme/rfc8555.go
index fc653f3f0b..976b27702a 100644
--- a/acme/rfc8555.go
+++ b/acme/rfc8555.go
@@ -232,7 +232,7 @@ func (c *Client) AuthorizeOrder(ctx context.Context, id []AuthzID, opt ...OrderO
 	return responseOrder(res)
 }
 
-// GetOrder retrives an order identified by the given URL.
+// GetOrder retrieves an order identified by the given URL.
 // For orders created with AuthorizeOrder, the url value is Order.URI.
 //
 // If a caller needs to poll an order until its status is final,
diff --git a/chacha20/chacha_arm64.s b/chacha20/chacha_arm64.s
index 7dd2638e88..769af387e2 100644
--- a/chacha20/chacha_arm64.s
+++ b/chacha20/chacha_arm64.s
@@ -29,7 +29,7 @@ loop:
 	MOVD	$NUM_ROUNDS, R21
 	VLD1	(R11), [V30.S4, V31.S4]
 
-	// load contants
+	// load constants
 	// VLD4R (R10), [V0.S4, V1.S4, V2.S4, V3.S4]
 	WORD	$0x4D60E940
 
diff --git a/internal/wycheproof/rsa_pss_test.go b/internal/wycheproof/rsa_pss_test.go
index 2ad9a4313b..f2f9b6ebae 100644
--- a/internal/wycheproof/rsa_pss_test.go
+++ b/internal/wycheproof/rsa_pss_test.go
@@ -141,7 +141,7 @@ func TestRsaPss(t *testing.T) {
 			}
 			// Run all the tests twice: the first time with the salt length
 			// as PSSSaltLengthAuto, and the second time with the salt length
-			// explictily set to tg.SLen.
+			// explicitly set to tg.SLen.
 			for i := 0; i < 2; i++ {
 				for _, sig := range tg.Tests {
 					h.Reset()
diff --git a/nacl/box/box_test.go b/nacl/box/box_test.go
index cce1f3b4da..404925743c 100644
--- a/nacl/box/box_test.go
+++ b/nacl/box/box_test.go
@@ -114,7 +114,7 @@ func TestSealOpenAnonymous(t *testing.T) {
 		t.Fatal("expected out to be unchanged")
 	}
 	if !bytes.HasPrefix(box, orig) {
-		t.Fatal("expected out to be coppied to returned slice")
+		t.Fatal("expected out to be copied to returned slice")
 	}
 	_, ok = OpenAnonymous(nil, box[len(out):], publicKey, privateKey)
 	if !ok {
diff --git a/nacl/sign/sign_test.go b/nacl/sign/sign_test.go
index db269014c2..95ba801f2c 100644
--- a/nacl/sign/sign_test.go
+++ b/nacl/sign/sign_test.go
@@ -69,6 +69,6 @@ func TestGenerateSignOpen(t *testing.T) {
 	}
 
 	if !bytes.Equal(message, testMessage) {
-		t.Fatalf("verified message does not match signed messge, got\n%x\n, expected\n%x", message, testMessage)
+		t.Fatalf("verified message does not match signed message, got\n%x\n, expected\n%x", message, testMessage)
 	}
 }
diff --git a/openpgp/packet/opaque_test.go b/openpgp/packet/opaque_test.go
index 61159f4683..06a3bbf019 100644
--- a/openpgp/packet/opaque_test.go
+++ b/openpgp/packet/opaque_test.go
@@ -51,7 +51,7 @@ func TestOpaqueParseReason(t *testing.T) {
 	const expectedBad = 3
 	// Test post-conditions, make sure we actually parsed packets as expected.
 	if badPackets != expectedBad {
-		t.Errorf("unexpected # unparseable packets: %d (want %d)", badPackets, expectedBad)
+		t.Errorf("unexpected # unparsable packets: %d (want %d)", badPackets, expectedBad)
 	}
 	if uid == nil {
 		t.Errorf("failed to find expected UID in unsupported keyring")
diff --git a/openpgp/s2k/s2k.go b/openpgp/s2k/s2k.go
index fa1a919079..490cb633ce 100644
--- a/openpgp/s2k/s2k.go
+++ b/openpgp/s2k/s2k.go
@@ -53,7 +53,7 @@ func (c *Config) hash() crypto.Hash {
 
 func (c *Config) encodedCount() uint8 {
 	if c == nil || c.S2KCount == 0 {
-		return 96 // The common case. Correspoding to 65536
+		return 96 // The common case. Corresponding to 65536
 	}
 
 	i := c.S2KCount
diff --git a/ssh/agent/keyring.go b/ssh/agent/keyring.go
index c1b4361087..d129875510 100644
--- a/ssh/agent/keyring.go
+++ b/ssh/agent/keyring.go
@@ -112,7 +112,7 @@ func (r *keyring) Unlock(passphrase []byte) error {
 }
 
 // expireKeysLocked removes expired keys from the keyring. If a key was added
-// with a lifetimesecs contraint and seconds >= lifetimesecs seconds have
+// with a lifetimesecs constraint and seconds >= lifetimesecs seconds have
 // elapsed, it is removed. The caller *must* be holding the keyring mutex.
 func (r *keyring) expireKeysLocked() {
 	for _, k := range r.keys {
diff --git a/ssh/agent/keyring_test.go b/ssh/agent/keyring_test.go
index e9c90a3131..5e495d56d3 100644
--- a/ssh/agent/keyring_test.go
+++ b/ssh/agent/keyring_test.go
@@ -30,7 +30,7 @@ func validateListedKeys(t *testing.T, a Agent, expectedKeys []string) {
 		return
 	}
 	if len(listedKeys) != len(expectedKeys) {
-		t.Fatalf("expeted %d key, got %d", len(expectedKeys), len(listedKeys))
+		t.Fatalf("expected %d key, got %d", len(expectedKeys), len(listedKeys))
 		return
 	}
 	actualKeys := make(map[string]bool)
diff --git a/ssh/client_auth_test.go b/ssh/client_auth_test.go
index e398c4062c..a183c2183e 100644
--- a/ssh/client_auth_test.go
+++ b/ssh/client_auth_test.go
@@ -1136,7 +1136,7 @@ func TestPickSignatureAlgorithm(t *testing.T) {
 				t.Fatalf("error generating cert signer: %v", err)
 			}
 			// The signer supports the public key algorithm and the
-			// public key format is a certificate type so the cerificate
+			// public key format is a certificate type so the certificate
 			// algorithm matching the key format must be returned
 			_, algo, err = pickSignatureAlgorithm(certSigner, c.extensions)
 			if err != nil {
diff --git a/ssh/example_test.go b/ssh/example_test.go
index d6bad3e215..653f2c8f50 100644
--- a/ssh/example_test.go
+++ b/ssh/example_test.go
@@ -155,7 +155,7 @@ func ExampleNewServerConn() {
 }
 
 func ExampleServerConfig() {
-	// Minimal ServerConfig with SHA-1 algoritms disabled and supporting only
+	// Minimal ServerConfig with SHA-1 algorithms disabled and supporting only
 	// public key authentication.
 
 	// The algorithms returned by ssh.SupportedAlgorithms() are different from
@@ -344,7 +344,7 @@ func ExampleClientConfig() {
 		log.Fatalf("unable to parse private key: %v", err)
 	}
 
-	// Minimal ClientConfig with SHA-1 algoritms disabled.
+	// Minimal ClientConfig with SHA-1 algorithms disabled.
 	// The algorithms returned by ssh.SupportedAlgorithms() are different from
 	// the default ones and do not include algorithms that are considered
 	// insecure, such as those using SHA-1, returned by
@@ -361,7 +361,7 @@ func ExampleClientConfig() {
 			ssh.PublicKeys(signer),
 		},
 		HostKeyCallback: ssh.FixedHostKey(hostKey),
-		// We should check that hostKey algorithm is inlcuded in
+		// We should check that hostKey algorithm is included in
 		// algorithms.HostKeys.
 		HostKeyAlgorithms: algorithms.HostKeys,
 	}
diff --git a/ssh/handshake_test.go b/ssh/handshake_test.go
index 61f978491f..56f230cae9 100644
--- a/ssh/handshake_test.go
+++ b/ssh/handshake_test.go
@@ -1330,7 +1330,7 @@ func TestAlgorithmNegotiationError(t *testing.T) {
 
 	_, _, _, err = NewClientConn(c2, "", clientConf)
 	if err == nil {
-		t.Fatal("client connection succeded expected algorithm negotiation error")
+		t.Fatal("client connection succeeded expected algorithm negotiation error")
 	}
 	var negotiationError *AlgorithmNegotiationError
 	if !errors.As(err, &negotiationError) {
diff --git a/ssh/server_test.go b/ssh/server_test.go
index e48f7e3059..e1861931db 100644
--- a/ssh/server_test.go
+++ b/ssh/server_test.go
@@ -724,7 +724,7 @@ func TestVerifiedPublicCallbackPartialSuccessBadUsage(t *testing.T) {
 
 	_, _, _, err = NewClientConn(c2, "", &clientConf)
 	if err == nil {
-		t.Fatal("authentication suceeded with PartialSuccess returned from PublicKeyCallback and  VerifiedPublicKeyCallback defined")
+		t.Fatal("authentication succeeded with PartialSuccess returned from PublicKeyCallback and  VerifiedPublicKeyCallback defined")
 	}
 }
 
@@ -803,7 +803,7 @@ func TestVerifiedPublicKeyCallbackOnly(t *testing.T) {
 
 	_, _, _, err = NewClientConn(c2, "", &clientConf)
 	if err == nil {
-		t.Fatal("authentication suceeded with only VerifiedPublicKeyCallback defined")
+		t.Fatal("authentication succeeded with only VerifiedPublicKeyCallback defined")
 	}
 	<-done
 }
diff --git a/ssh/test/recording_client_test.go b/ssh/test/recording_client_test.go
index 5c7830f92a..b744bd332e 100644
--- a/ssh/test/recording_client_test.go
+++ b/ssh/test/recording_client_test.go
@@ -251,7 +251,7 @@ func TestClientKeyExchanges(t *testing.T) {
 
 	var keyExchanges []string
 	for _, kex := range config.KeyExchanges {
-		// Exclude ecdh for now, to make them determistic we should use see a
+		// Exclude ecdh for now, to make them deterministic we should use see a
 		// stream of fixed bytes as the random source.
 		if !strings.HasPrefix(kex, "ecdh-") {
 			keyExchanges = append(keyExchanges, kex)
diff --git a/ssh/test/recording_server_test.go b/ssh/test/recording_server_test.go
index fe991986d3..898a8478e5 100644
--- a/ssh/test/recording_server_test.go
+++ b/ssh/test/recording_server_test.go
@@ -232,7 +232,7 @@ func TestServerKeyExchanges(t *testing.T) {
 
 	var keyExchanges []string
 	for _, kex := range config.KeyExchanges {
-		// Exclude ecdh for now, to make them determistic we should use see a
+		// Exclude ecdh for now, to make them deterministic we should use see a
 		// stream of fixed bytes as the random source.
 		// Exclude ML-KEM because server side is not deterministic.
 		if !strings.HasPrefix(kex, "ecdh-") && !strings.HasPrefix(kex, "mlkem") {
diff --git a/x509roots/nss/parser.go b/x509roots/nss/parser.go
index feca766e18..5c9f36a651 100644
--- a/x509roots/nss/parser.go
+++ b/x509roots/nss/parser.go
@@ -192,7 +192,7 @@ func Parse(r io.Reader) ([]*Certificate, error) {
 	// Since we only really care about a couple of fields, this parser throws
 	// away a lot of information, essentially just consuming CKA_CLASS objects
 	// and looking for the individual fields we care about. We could write a
-	// siginificantly more complex parser, which handles the entire format, but
+	// significantly more complex parser, which handles the entire format, but
 	// it feels like that would be over engineered for the little information
 	// that we really care about.
 

From 0b7aa0cfb07b6b13ead990b67cb3cb8639871f90 Mon Sep 17 00:00:00 2001
From: cuishuang <imcusg@gmail.com>
Date: Sun, 5 Oct 2025 15:42:14 +0800
Subject: [PATCH 25/37] ssh: use reflect.TypeFor instead of reflect.TypeOf

For golang/go#60088.

Change-Id: I58994c469a2793516214ab1a0072fb6137afc46e
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/709156
Auto-Submit: Sean Liao <sean@liao.dev>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Sean Liao <sean@liao.dev>
---
 ssh/messages.go      | 2 +-
 ssh/messages_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssh/messages.go b/ssh/messages.go
index 251b9d06a3..ab22c3d38d 100644
--- a/ssh/messages.go
+++ b/ssh/messages.go
@@ -792,7 +792,7 @@ func marshalString(to []byte, s []byte) []byte {
 	return to[len(s):]
 }
 
-var bigIntType = reflect.TypeOf((*big.Int)(nil))
+var bigIntType = reflect.TypeFor[*big.Int]()
 
 // Decode a packet into its corresponding message.
 func decode(packet []byte) (interface{}, error) {
diff --git a/ssh/messages_test.go b/ssh/messages_test.go
index d8691bd0ba..ed346285bf 100644
--- a/ssh/messages_test.go
+++ b/ssh/messages_test.go
@@ -257,7 +257,7 @@ func TestDecode(t *testing.T) {
 	userAuthSuccess, err := decode([]byte{msgUserAuthSuccess})
 	if err != nil {
 		t.Errorf("error decoding userAuthSuccessMsg")
-	} else if reflect.TypeOf(userAuthSuccess) != reflect.TypeOf((*userAuthSuccessMsg)(nil)) {
+	} else if _, ok := userAuthSuccess.(*userAuthSuccessMsg); !ok {
 		t.Errorf("error decoding userAuthSuccessMsg, unexpected %T", userAuthSuccess)
 	}
 }

From cf29fa96f8b66328e59829f064539321159bfa5b Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Wed, 8 Oct 2025 14:56:11 +0200
Subject: [PATCH 26/37] sha3: make it mostly a wrapper around crypto/sha3

crypto/sha3 was introduced in Go 1.24, which is now the minimum Go
version of this module.

Made the hashes go:fix inline wrappers, since the new types can be used
as hash.Hash directly.

The SHAKE instances need a wrapper for the methods we dropped from
crypto.XOF, so no go:fix inline there.

Kept the generic implementation for the legacy Keccak hashes we did not
bring to the standard library. We need to keep them working, but they
don't need to be fast.

Fixes golang/go#73681
Updates golang/go#65269

Change-Id: I6a6a69648b6353b153c70a2cec84864e64dcd61b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/710115
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
 sha3/_asm/go.mod                       |   15 -
 sha3/_asm/go.sum                       |   12 -
 sha3/_asm/keccakf_amd64_asm.go         |  438 --
 sha3/allocations_test.go               |   61 -
 sha3/doc.go                            |   66 -
 sha3/hashes.go                         |  131 +-
 sha3/hashes_noasm.go                   |   23 -
 sha3/keccakf_amd64.go                  |   13 -
 sha3/keccakf_amd64.s                   | 5419 ------------------------
 sha3/{sha3.go => legacy_hash.go}       |   49 +-
 sha3/{keccakf.go => legacy_keccakf.go} |    6 +-
 sha3/sha3_s390x.go                     |  303 --
 sha3/sha3_s390x.s                      |   33 -
 sha3/sha3_test.go                      |  122 -
 sha3/shake.go                          |  172 +-
 sha3/shake_noasm.go                    |   15 -
 16 files changed, 136 insertions(+), 6742 deletions(-)
 delete mode 100644 sha3/_asm/go.mod
 delete mode 100644 sha3/_asm/go.sum
 delete mode 100644 sha3/_asm/keccakf_amd64_asm.go
 delete mode 100644 sha3/allocations_test.go
 delete mode 100644 sha3/doc.go
 delete mode 100644 sha3/hashes_noasm.go
 delete mode 100644 sha3/keccakf_amd64.go
 delete mode 100644 sha3/keccakf_amd64.s
 rename sha3/{sha3.go => legacy_hash.go} (83%)
 rename sha3/{keccakf.go => legacy_keccakf.go} (98%)
 delete mode 100644 sha3/sha3_s390x.go
 delete mode 100644 sha3/sha3_s390x.s
 delete mode 100644 sha3/shake_noasm.go

diff --git a/sha3/_asm/go.mod b/sha3/_asm/go.mod
deleted file mode 100644
index cd16c586a9..0000000000
--- a/sha3/_asm/go.mod
+++ /dev/null
@@ -1,15 +0,0 @@
-module sha3/_asm
-
-go 1.22
-
-require (
-	github.com/mmcloughlin/avo v0.6.0
-	golang.org/x/crypto v0.33.0
-)
-
-require (
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
-)
diff --git a/sha3/_asm/go.sum b/sha3/_asm/go.sum
deleted file mode 100644
index 6083f86740..0000000000
--- a/sha3/_asm/go.sum
+++ /dev/null
@@ -1,12 +0,0 @@
-github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY=
-github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
-golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
diff --git a/sha3/_asm/keccakf_amd64_asm.go b/sha3/_asm/keccakf_amd64_asm.go
deleted file mode 100644
index 78e931f757..0000000000
--- a/sha3/_asm/keccakf_amd64_asm.go
+++ /dev/null
@@ -1,438 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources at https://github.com/gvanas/KeccakCodePackage
-
-package main
-
-import (
-	. "github.com/mmcloughlin/avo/build"
-	. "github.com/mmcloughlin/avo/operand"
-	. "github.com/mmcloughlin/avo/reg"
-	_ "golang.org/x/crypto/sha3"
-)
-
-//go:generate go run . -out ../keccakf_amd64.s -pkg sha3
-
-// Round Constants for use in the ι step.
-var RoundConstants = [24]uint64{
-	0x0000000000000001,
-	0x0000000000008082,
-	0x800000000000808A,
-	0x8000000080008000,
-	0x000000000000808B,
-	0x0000000080000001,
-	0x8000000080008081,
-	0x8000000000008009,
-	0x000000000000008A,
-	0x0000000000000088,
-	0x0000000080008009,
-	0x000000008000000A,
-	0x000000008000808B,
-	0x800000000000008B,
-	0x8000000000008089,
-	0x8000000000008003,
-	0x8000000000008002,
-	0x8000000000000080,
-	0x000000000000800A,
-	0x800000008000000A,
-	0x8000000080008081,
-	0x8000000000008080,
-	0x0000000080000001,
-	0x8000000080008008,
-}
-
-var (
-	// Temporary registers
-	rT1 GPPhysical = RAX
-
-	// Round vars
-	rpState = Mem{Base: RDI}
-	rpStack = Mem{Base: RSP}
-
-	rDa = RBX
-	rDe = RCX
-	rDi = RDX
-	rDo = R8
-	rDu = R9
-
-	rBa = R10
-	rBe = R11
-	rBi = R12
-	rBo = R13
-	rBu = R14
-
-	rCa = RSI
-	rCe = RBP
-	rCi = rBi
-	rCo = rBo
-	rCu = R15
-)
-
-const (
-	_ba = iota * 8
-	_be
-	_bi
-	_bo
-	_bu
-	_ga
-	_ge
-	_gi
-	_go
-	_gu
-	_ka
-	_ke
-	_ki
-	_ko
-	_ku
-	_ma
-	_me
-	_mi
-	_mo
-	_mu
-	_sa
-	_se
-	_si
-	_so
-	_su
-)
-
-func main() {
-	Package("golang.org/x/crypto/sha3")
-	ConstraintExpr("amd64,!purego,gc")
-	keccakF1600()
-	Generate()
-}
-
-func MOVQ_RBI_RCE() { MOVQ(rBi, rCe) }
-func XORQ_RT1_RCA() { XORQ(rT1, rCa) }
-func XORQ_RT1_RCE() { XORQ(rT1, rCe) }
-func XORQ_RBA_RCU() { XORQ(rBa, rCu) }
-func XORQ_RBE_RCU() { XORQ(rBe, rCu) }
-func XORQ_RDU_RCU() { XORQ(rDu, rCu) }
-func XORQ_RDA_RCA() { XORQ(rDa, rCa) }
-func XORQ_RDE_RCE() { XORQ(rDe, rCe) }
-
-type ArgMacro func()
-
-func mKeccakRound(
-	iState, oState Mem,
-	rc U64,
-	B_RBI_RCE, G_RT1_RCA, G_RT1_RCE, G_RBA_RCU,
-	K_RT1_RCA, K_RT1_RCE, K_RBA_RCU, M_RT1_RCA,
-	M_RT1_RCE, M_RBE_RCU, S_RDU_RCU, S_RDA_RCA,
-	S_RDE_RCE ArgMacro,
-) {
-	Comment("Prepare round")
-	MOVQ(rCe, rDa)
-	ROLQ(Imm(1), rDa)
-
-	MOVQ(iState.Offset(_bi), rCi)
-	XORQ(iState.Offset(_gi), rDi)
-	XORQ(rCu, rDa)
-	XORQ(iState.Offset(_ki), rCi)
-	XORQ(iState.Offset(_mi), rDi)
-	XORQ(rDi, rCi)
-
-	MOVQ(rCi, rDe)
-	ROLQ(Imm(1), rDe)
-
-	MOVQ(iState.Offset(_bo), rCo)
-	XORQ(iState.Offset(_go), rDo)
-	XORQ(rCa, rDe)
-	XORQ(iState.Offset(_ko), rCo)
-	XORQ(iState.Offset(_mo), rDo)
-	XORQ(rDo, rCo)
-
-	MOVQ(rCo, rDi)
-	ROLQ(Imm(1), rDi)
-
-	MOVQ(rCu, rDo)
-	XORQ(rCe, rDi)
-	ROLQ(Imm(1), rDo)
-
-	MOVQ(rCa, rDu)
-	XORQ(rCi, rDo)
-	ROLQ(Imm(1), rDu)
-
-	Comment("Result b")
-	MOVQ(iState.Offset(_ba), rBa)
-	MOVQ(iState.Offset(_ge), rBe)
-	XORQ(rCo, rDu)
-	MOVQ(iState.Offset(_ki), rBi)
-	MOVQ(iState.Offset(_mo), rBo)
-	MOVQ(iState.Offset(_su), rBu)
-	XORQ(rDe, rBe)
-	ROLQ(Imm(44), rBe)
-	XORQ(rDi, rBi)
-	XORQ(rDa, rBa)
-	ROLQ(Imm(43), rBi)
-
-	MOVQ(rBe, rCa)
-	MOVQ(rc, rT1)
-	ORQ(rBi, rCa)
-	XORQ(rBa, rT1)
-	XORQ(rT1, rCa)
-	MOVQ(rCa, oState.Offset(_ba))
-
-	XORQ(rDu, rBu)
-	ROLQ(Imm(14), rBu)
-	MOVQ(rBa, rCu)
-	ANDQ(rBe, rCu)
-	XORQ(rBu, rCu)
-	MOVQ(rCu, oState.Offset(_bu))
-
-	XORQ(rDo, rBo)
-	ROLQ(Imm(21), rBo)
-	MOVQ(rBo, rT1)
-	ANDQ(rBu, rT1)
-	XORQ(rBi, rT1)
-	MOVQ(rT1, oState.Offset(_bi))
-
-	NOTQ(rBi)
-	ORQ(rBa, rBu)
-	ORQ(rBo, rBi)
-	XORQ(rBo, rBu)
-	XORQ(rBe, rBi)
-	MOVQ(rBu, oState.Offset(_bo))
-	MOVQ(rBi, oState.Offset(_be))
-	B_RBI_RCE()
-
-	Comment("Result g")
-	MOVQ(iState.Offset(_gu), rBe)
-	XORQ(rDu, rBe)
-	MOVQ(iState.Offset(_ka), rBi)
-	ROLQ(Imm(20), rBe)
-	XORQ(rDa, rBi)
-	ROLQ(Imm(3), rBi)
-	MOVQ(iState.Offset(_bo), rBa)
-	MOVQ(rBe, rT1)
-	ORQ(rBi, rT1)
-	XORQ(rDo, rBa)
-	MOVQ(iState.Offset(_me), rBo)
-	MOVQ(iState.Offset(_si), rBu)
-	ROLQ(Imm(28), rBa)
-	XORQ(rBa, rT1)
-	MOVQ(rT1, oState.Offset(_ga))
-	G_RT1_RCA()
-
-	XORQ(rDe, rBo)
-	ROLQ(Imm(45), rBo)
-	MOVQ(rBi, rT1)
-	ANDQ(rBo, rT1)
-	XORQ(rBe, rT1)
-	MOVQ(rT1, oState.Offset(_ge))
-	G_RT1_RCE()
-
-	XORQ(rDi, rBu)
-	ROLQ(Imm(61), rBu)
-	MOVQ(rBu, rT1)
-	ORQ(rBa, rT1)
-	XORQ(rBo, rT1)
-	MOVQ(rT1, oState.Offset(_go))
-
-	ANDQ(rBe, rBa)
-	XORQ(rBu, rBa)
-	MOVQ(rBa, oState.Offset(_gu))
-	NOTQ(rBu)
-	G_RBA_RCU()
-
-	ORQ(rBu, rBo)
-	XORQ(rBi, rBo)
-	MOVQ(rBo, oState.Offset(_gi))
-
-	Comment("Result k")
-	MOVQ(iState.Offset(_be), rBa)
-	MOVQ(iState.Offset(_gi), rBe)
-	MOVQ(iState.Offset(_ko), rBi)
-	MOVQ(iState.Offset(_mu), rBo)
-	MOVQ(iState.Offset(_sa), rBu)
-	XORQ(rDi, rBe)
-	ROLQ(Imm(6), rBe)
-	XORQ(rDo, rBi)
-	ROLQ(Imm(25), rBi)
-	MOVQ(rBe, rT1)
-	ORQ(rBi, rT1)
-	XORQ(rDe, rBa)
-	ROLQ(Imm(1), rBa)
-	XORQ(rBa, rT1)
-	MOVQ(rT1, oState.Offset(_ka))
-	K_RT1_RCA()
-
-	XORQ(rDu, rBo)
-	ROLQ(Imm(8), rBo)
-	MOVQ(rBi, rT1)
-	ANDQ(rBo, rT1)
-	XORQ(rBe, rT1)
-	MOVQ(rT1, oState.Offset(_ke))
-	K_RT1_RCE()
-
-	XORQ(rDa, rBu)
-	ROLQ(Imm(18), rBu)
-	NOTQ(rBo)
-	MOVQ(rBo, rT1)
-	ANDQ(rBu, rT1)
-	XORQ(rBi, rT1)
-	MOVQ(rT1, oState.Offset(_ki))
-
-	MOVQ(rBu, rT1)
-	ORQ(rBa, rT1)
-	XORQ(rBo, rT1)
-	MOVQ(rT1, oState.Offset(_ko))
-
-	ANDQ(rBe, rBa)
-	XORQ(rBu, rBa)
-	MOVQ(rBa, oState.Offset(_ku))
-	K_RBA_RCU()
-
-	Comment("Result m")
-	MOVQ(iState.Offset(_ga), rBe)
-	XORQ(rDa, rBe)
-	MOVQ(iState.Offset(_ke), rBi)
-	ROLQ(Imm(36), rBe)
-	XORQ(rDe, rBi)
-	MOVQ(iState.Offset(_bu), rBa)
-	ROLQ(Imm(10), rBi)
-	MOVQ(rBe, rT1)
-	MOVQ(iState.Offset(_mi), rBo)
-	ANDQ(rBi, rT1)
-	XORQ(rDu, rBa)
-	MOVQ(iState.Offset(_so), rBu)
-	ROLQ(Imm(27), rBa)
-	XORQ(rBa, rT1)
-	MOVQ(rT1, oState.Offset(_ma))
-	M_RT1_RCA()
-
-	XORQ(rDi, rBo)
-	ROLQ(Imm(15), rBo)
-	MOVQ(rBi, rT1)
-	ORQ(rBo, rT1)
-	XORQ(rBe, rT1)
-	MOVQ(rT1, oState.Offset(_me))
-	M_RT1_RCE()
-
-	XORQ(rDo, rBu)
-	ROLQ(Imm(56), rBu)
-	NOTQ(rBo)
-	MOVQ(rBo, rT1)
-	ORQ(rBu, rT1)
-	XORQ(rBi, rT1)
-	MOVQ(rT1, oState.Offset(_mi))
-
-	ORQ(rBa, rBe)
-	XORQ(rBu, rBe)
-	MOVQ(rBe, oState.Offset(_mu))
-
-	ANDQ(rBa, rBu)
-	XORQ(rBo, rBu)
-	MOVQ(rBu, oState.Offset(_mo))
-	M_RBE_RCU()
-
-	Comment("Result s")
-	MOVQ(iState.Offset(_bi), rBa)
-	MOVQ(iState.Offset(_go), rBe)
-	MOVQ(iState.Offset(_ku), rBi)
-	XORQ(rDi, rBa)
-	MOVQ(iState.Offset(_ma), rBo)
-	ROLQ(Imm(62), rBa)
-	XORQ(rDo, rBe)
-	MOVQ(iState.Offset(_se), rBu)
-	ROLQ(Imm(55), rBe)
-
-	XORQ(rDu, rBi)
-	MOVQ(rBa, rDu)
-	XORQ(rDe, rBu)
-	ROLQ(Imm(2), rBu)
-	ANDQ(rBe, rDu)
-	XORQ(rBu, rDu)
-	MOVQ(rDu, oState.Offset(_su))
-
-	ROLQ(Imm(39), rBi)
-	S_RDU_RCU()
-	NOTQ(rBe)
-	XORQ(rDa, rBo)
-	MOVQ(rBe, rDa)
-	ANDQ(rBi, rDa)
-	XORQ(rBa, rDa)
-	MOVQ(rDa, oState.Offset(_sa))
-	S_RDA_RCA()
-
-	ROLQ(Imm(41), rBo)
-	MOVQ(rBi, rDe)
-	ORQ(rBo, rDe)
-	XORQ(rBe, rDe)
-	MOVQ(rDe, oState.Offset(_se))
-	S_RDE_RCE()
-
-	MOVQ(rBo, rDi)
-	MOVQ(rBu, rDo)
-	ANDQ(rBu, rDi)
-	ORQ(rBa, rDo)
-	XORQ(rBi, rDi)
-	XORQ(rBo, rDo)
-	MOVQ(rDi, oState.Offset(_si))
-	MOVQ(rDo, oState.Offset(_so))
-}
-
-// keccakF1600 applies the Keccak permutation to a 1600b-wide
-// state represented as a slice of 25 uint64s.
-func keccakF1600() {
-	Implement("keccakF1600")
-	AllocLocal(200)
-
-	Load(Param("a"), rpState.Base)
-
-	Comment("Convert the user state into an internal state")
-	NOTQ(rpState.Offset(_be))
-	NOTQ(rpState.Offset(_bi))
-	NOTQ(rpState.Offset(_go))
-	NOTQ(rpState.Offset(_ki))
-	NOTQ(rpState.Offset(_mi))
-	NOTQ(rpState.Offset(_sa))
-
-	Comment("Execute the KeccakF permutation")
-	MOVQ(rpState.Offset(_ba), rCa)
-	MOVQ(rpState.Offset(_be), rCe)
-	MOVQ(rpState.Offset(_bu), rCu)
-
-	XORQ(rpState.Offset(_ga), rCa)
-	XORQ(rpState.Offset(_ge), rCe)
-	XORQ(rpState.Offset(_gu), rCu)
-
-	XORQ(rpState.Offset(_ka), rCa)
-	XORQ(rpState.Offset(_ke), rCe)
-	XORQ(rpState.Offset(_ku), rCu)
-
-	XORQ(rpState.Offset(_ma), rCa)
-	XORQ(rpState.Offset(_me), rCe)
-	XORQ(rpState.Offset(_mu), rCu)
-
-	XORQ(rpState.Offset(_sa), rCa)
-	XORQ(rpState.Offset(_se), rCe)
-	MOVQ(rpState.Offset(_si), rDi)
-	MOVQ(rpState.Offset(_so), rDo)
-	XORQ(rpState.Offset(_su), rCu)
-
-	for i, rc := range RoundConstants[:len(RoundConstants)-1] {
-		var iState, oState Mem
-		if i%2 == 0 {
-			iState, oState = rpState, rpStack
-		} else {
-			iState, oState = rpStack, rpState
-		}
-		mKeccakRound(iState, oState, U64(rc), MOVQ_RBI_RCE, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBA_RCU, XORQ_RT1_RCA, XORQ_RT1_RCE, XORQ_RBE_RCU, XORQ_RDU_RCU, XORQ_RDA_RCA, XORQ_RDE_RCE)
-	}
-	mKeccakRound(rpStack, rpState, U64(RoundConstants[len(RoundConstants)-1]), NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP, NOP)
-
-	Comment("Revert the internal state to the user state")
-	NOTQ(rpState.Offset(_be))
-	NOTQ(rpState.Offset(_bi))
-	NOTQ(rpState.Offset(_go))
-	NOTQ(rpState.Offset(_ki))
-	NOTQ(rpState.Offset(_mi))
-	NOTQ(rpState.Offset(_sa))
-
-	RET()
-}
diff --git a/sha3/allocations_test.go b/sha3/allocations_test.go
deleted file mode 100644
index 36de5d547e..0000000000
--- a/sha3/allocations_test.go
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !noopt
-
-package sha3_test
-
-import (
-	"runtime"
-	"testing"
-
-	"golang.org/x/crypto/sha3"
-)
-
-var sink byte
-
-func TestAllocations(t *testing.T) {
-	want := 0.0
-
-	if runtime.GOARCH == "s390x" {
-		// On s390x the returned hash.Hash is conditional so it escapes.
-		want = 3.0
-	}
-
-	t.Run("New", func(t *testing.T) {
-		if allocs := testing.AllocsPerRun(10, func() {
-			h := sha3.New256()
-			b := []byte("ABC")
-			h.Write(b)
-			out := make([]byte, 0, 32)
-			out = h.Sum(out)
-			sink ^= out[0]
-		}); allocs > want {
-			t.Errorf("expected zero allocations, got %0.1f", allocs)
-		}
-	})
-	t.Run("NewShake", func(t *testing.T) {
-		if allocs := testing.AllocsPerRun(10, func() {
-			h := sha3.NewShake128()
-			b := []byte("ABC")
-			h.Write(b)
-			out := make([]byte, 0, 32)
-			out = h.Sum(out)
-			sink ^= out[0]
-			h.Read(out)
-			sink ^= out[0]
-		}); allocs > want {
-			t.Errorf("expected zero allocations, got %0.1f", allocs)
-		}
-	})
-	t.Run("Sum", func(t *testing.T) {
-		if allocs := testing.AllocsPerRun(10, func() {
-			b := []byte("ABC")
-			out := sha3.Sum256(b)
-			sink ^= out[0]
-		}); allocs > want {
-			t.Errorf("expected zero allocations, got %0.1f", allocs)
-		}
-	})
-}
diff --git a/sha3/doc.go b/sha3/doc.go
deleted file mode 100644
index bbf391fe6e..0000000000
--- a/sha3/doc.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package sha3 implements the SHA-3 fixed-output-length hash functions and
-// the SHAKE variable-output-length hash functions defined by FIPS-202.
-//
-// All types in this package also implement [encoding.BinaryMarshaler],
-// [encoding.BinaryAppender] and [encoding.BinaryUnmarshaler] to marshal and
-// unmarshal the internal state of the hash.
-//
-// Both types of hash function use the "sponge" construction and the Keccak
-// permutation. For a detailed specification see http://keccak.noekeon.org/
-//
-// # Guidance
-//
-// If you aren't sure what function you need, use SHAKE256 with at least 64
-// bytes of output. The SHAKE instances are faster than the SHA3 instances;
-// the latter have to allocate memory to conform to the hash.Hash interface.
-//
-// If you need a secret-key MAC (message authentication code), prepend the
-// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
-// output.
-//
-// # Security strengths
-//
-// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
-// strength against preimage attacks of x bits. Since they only produce "x"
-// bits of output, their collision-resistance is only "x/2" bits.
-//
-// The SHAKE-256 and -128 functions have a generic security strength of 256 and
-// 128 bits against all attacks, provided that at least 2x bits of their output
-// is used.  Requesting more than 64 or 32 bytes of output, respectively, does
-// not increase the collision-resistance of the SHAKE functions.
-//
-// # The sponge construction
-//
-// A sponge builds a pseudo-random function from a public pseudo-random
-// permutation, by applying the permutation to a state of "rate + capacity"
-// bytes, but hiding "capacity" of the bytes.
-//
-// A sponge starts out with a zero state. To hash an input using a sponge, up
-// to "rate" bytes of the input are XORed into the sponge's state. The sponge
-// is then "full" and the permutation is applied to "empty" it. This process is
-// repeated until all the input has been "absorbed". The input is then padded.
-// The digest is "squeezed" from the sponge in the same way, except that output
-// is copied out instead of input being XORed in.
-//
-// A sponge is parameterized by its generic security strength, which is equal
-// to half its capacity; capacity + rate is equal to the permutation's width.
-// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
-// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
-//
-// # Recommendations
-//
-// The SHAKE functions are recommended for most new uses. They can produce
-// output of arbitrary length. SHAKE256, with an output length of at least
-// 64 bytes, provides 256-bit security against all attacks.  The Keccak team
-// recommends it for most applications upgrading from SHA2-512. (NIST chose a
-// much stronger, but much slower, sponge instance for SHA3-512.)
-//
-// The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
-// They produce output of the same length, with the same security strengths
-// against all attacks. This means, in particular, that SHA3-256 only has
-// 128-bit collision resistance, because its output length is 32 bytes.
-package sha3
diff --git a/sha3/hashes.go b/sha3/hashes.go
index 31fffbe044..a51269d91a 100644
--- a/sha3/hashes.go
+++ b/sha3/hashes.go
@@ -2,127 +2,94 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// Package sha3 implements the SHA-3 hash algorithms and the SHAKE extendable
+// output functions defined in FIPS 202.
+//
+// Most of this package is a wrapper around the crypto/sha3 package in the
+// standard library. The only exception is the legacy Keccak hash functions.
 package sha3
 
-// This file provides functions for creating instances of the SHA-3
-// and SHAKE hash functions, as well as utility functions for hashing
-// bytes.
-
 import (
-	"crypto"
+	"crypto/sha3"
 	"hash"
 )
 
 // New224 creates a new SHA3-224 hash.
 // Its generic security strength is 224 bits against preimage attacks,
 // and 112 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New224] function in the standard library.
+//
+//go:fix inline
 func New224() hash.Hash {
-	return new224()
+	return sha3.New224()
 }
 
 // New256 creates a new SHA3-256 hash.
 // Its generic security strength is 256 bits against preimage attacks,
 // and 128 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New256] function in the standard library.
+//
+//go:fix inline
 func New256() hash.Hash {
-	return new256()
+	return sha3.New256()
 }
 
 // New384 creates a new SHA3-384 hash.
 // Its generic security strength is 384 bits against preimage attacks,
 // and 192 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New384] function in the standard library.
+//
+//go:fix inline
 func New384() hash.Hash {
-	return new384()
+	return sha3.New384()
 }
 
 // New512 creates a new SHA3-512 hash.
 // Its generic security strength is 512 bits against preimage attacks,
 // and 256 bits against collision attacks.
-func New512() hash.Hash {
-	return new512()
-}
-
-func init() {
-	crypto.RegisterHash(crypto.SHA3_224, New224)
-	crypto.RegisterHash(crypto.SHA3_256, New256)
-	crypto.RegisterHash(crypto.SHA3_384, New384)
-	crypto.RegisterHash(crypto.SHA3_512, New512)
-}
-
-const (
-	dsbyteSHA3   = 0b00000110
-	dsbyteKeccak = 0b00000001
-	dsbyteShake  = 0b00011111
-	dsbyteCShake = 0b00000100
-
-	// rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
-	// bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
-	rateK256  = (1600 - 256) / 8
-	rateK448  = (1600 - 448) / 8
-	rateK512  = (1600 - 512) / 8
-	rateK768  = (1600 - 768) / 8
-	rateK1024 = (1600 - 1024) / 8
-)
-
-func new224Generic() *state {
-	return &state{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3}
-}
-
-func new256Generic() *state {
-	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3}
-}
-
-func new384Generic() *state {
-	return &state{rate: rateK768, outputLen: 48, dsbyte: dsbyteSHA3}
-}
-
-func new512Generic() *state {
-	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteSHA3}
-}
-
-// NewLegacyKeccak256 creates a new Keccak-256 hash.
 //
-// Only use this function if you require compatibility with an existing cryptosystem
-// that uses non-standard padding. All other users should use New256 instead.
-func NewLegacyKeccak256() hash.Hash {
-	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
-}
-
-// NewLegacyKeccak512 creates a new Keccak-512 hash.
+// It is a wrapper for the [sha3.New512] function in the standard library.
 //
-// Only use this function if you require compatibility with an existing cryptosystem
-// that uses non-standard padding. All other users should use New512 instead.
-func NewLegacyKeccak512() hash.Hash {
-	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
+//go:fix inline
+func New512() hash.Hash {
+	return sha3.New512()
 }
 
 // Sum224 returns the SHA3-224 digest of the data.
-func Sum224(data []byte) (digest [28]byte) {
-	h := New224()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum224] function in the standard library.
+//
+//go:fix inline
+func Sum224(data []byte) [28]byte {
+	return sha3.Sum224(data)
 }
 
 // Sum256 returns the SHA3-256 digest of the data.
-func Sum256(data []byte) (digest [32]byte) {
-	h := New256()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum256] function in the standard library.
+//
+//go:fix inline
+func Sum256(data []byte) [32]byte {
+	return sha3.Sum256(data)
 }
 
 // Sum384 returns the SHA3-384 digest of the data.
-func Sum384(data []byte) (digest [48]byte) {
-	h := New384()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum384] function in the standard library.
+//
+//go:fix inline
+func Sum384(data []byte) [48]byte {
+	return sha3.Sum384(data)
 }
 
 // Sum512 returns the SHA3-512 digest of the data.
-func Sum512(data []byte) (digest [64]byte) {
-	h := New512()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum512] function in the standard library.
+//
+//go:fix inline
+func Sum512(data []byte) [64]byte {
+	return sha3.Sum512(data)
 }
diff --git a/sha3/hashes_noasm.go b/sha3/hashes_noasm.go
deleted file mode 100644
index 9d85fb6214..0000000000
--- a/sha3/hashes_noasm.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func new224() *state {
-	return new224Generic()
-}
-
-func new256() *state {
-	return new256Generic()
-}
-
-func new384() *state {
-	return new384Generic()
-}
-
-func new512() *state {
-	return new512Generic()
-}
diff --git a/sha3/keccakf_amd64.go b/sha3/keccakf_amd64.go
deleted file mode 100644
index b908696be5..0000000000
--- a/sha3/keccakf_amd64.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && !purego && gc
-
-package sha3
-
-// This function is implemented in keccakf_amd64.s.
-
-//go:noescape
-
-func keccakF1600(a *[25]uint64)
diff --git a/sha3/keccakf_amd64.s b/sha3/keccakf_amd64.s
deleted file mode 100644
index 99e2f16e97..0000000000
--- a/sha3/keccakf_amd64.s
+++ /dev/null
@@ -1,5419 +0,0 @@
-// Code generated by command: go run keccakf_amd64_asm.go -out ../keccakf_amd64.s -pkg sha3. DO NOT EDIT.
-
-//go:build amd64 && !purego && gc
-
-// func keccakF1600(a *[25]uint64)
-TEXT ·keccakF1600(SB), $200-8
-	MOVQ a+0(FP), DI
-
-	// Convert the user state into an internal state
-	NOTQ 8(DI)
-	NOTQ 16(DI)
-	NOTQ 64(DI)
-	NOTQ 96(DI)
-	NOTQ 136(DI)
-	NOTQ 160(DI)
-
-	// Execute the KeccakF permutation
-	MOVQ (DI), SI
-	MOVQ 8(DI), BP
-	MOVQ 32(DI), R15
-	XORQ 40(DI), SI
-	XORQ 48(DI), BP
-	XORQ 72(DI), R15
-	XORQ 80(DI), SI
-	XORQ 88(DI), BP
-	XORQ 112(DI), R15
-	XORQ 120(DI), SI
-	XORQ 128(DI), BP
-	XORQ 152(DI), R15
-	XORQ 160(DI), SI
-	XORQ 168(DI), BP
-	MOVQ 176(DI), DX
-	MOVQ 184(DI), R8
-	XORQ 192(DI), R15
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000000000001, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000000008082, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x800000000000808a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008000, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000000000808b, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000080000001, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008081, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008009, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000000000008a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000000000088, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000080008009, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000008000000a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000008000808b, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x800000000000008b, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008089, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008003, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008002, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000000080, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000000000800a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x800000008000000a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008081, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008080, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000080000001, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008008, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	NOP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	NOP
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	NOP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	NOP
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	NOP
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	NOP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	NOP
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	NOP
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	NOP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	NOP
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	NOP
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	NOP
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	NOP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Revert the internal state to the user state
-	NOTQ 8(DI)
-	NOTQ 16(DI)
-	NOTQ 64(DI)
-	NOTQ 96(DI)
-	NOTQ 136(DI)
-	NOTQ 160(DI)
-	RET
diff --git a/sha3/sha3.go b/sha3/legacy_hash.go
similarity index 83%
rename from sha3/sha3.go
rename to sha3/legacy_hash.go
index 6658c44479..b8784536e0 100644
--- a/sha3/sha3.go
+++ b/sha3/legacy_hash.go
@@ -4,15 +4,46 @@
 
 package sha3
 
+// This implementation is only used for NewLegacyKeccak256 and
+// NewLegacyKeccak512, which are not implemented by crypto/sha3.
+// All other functions in this package are wrappers around crypto/sha3.
+
 import (
 	"crypto/subtle"
 	"encoding/binary"
 	"errors"
+	"hash"
 	"unsafe"
 
 	"golang.org/x/sys/cpu"
 )
 
+const (
+	dsbyteKeccak = 0b00000001
+
+	// rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
+	// bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
+	rateK256  = (1600 - 256) / 8
+	rateK512  = (1600 - 512) / 8
+	rateK1024 = (1600 - 1024) / 8
+)
+
+// NewLegacyKeccak256 creates a new Keccak-256 hash.
+//
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New256 instead.
+func NewLegacyKeccak256() hash.Hash {
+	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
+}
+
+// NewLegacyKeccak512 creates a new Keccak-512 hash.
+//
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New512 instead.
+func NewLegacyKeccak512() hash.Hash {
+	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
+}
+
 // spongeDirection indicates the direction bytes are flowing through the sponge.
 type spongeDirection int
 
@@ -173,12 +204,9 @@ func (d *state) Sum(in []byte) []byte {
 }
 
 const (
-	magicSHA3   = "sha\x08"
-	magicShake  = "sha\x09"
-	magicCShake = "sha\x0a"
 	magicKeccak = "sha\x0b"
 	// magic || rate || main state || n || sponge direction
-	marshaledSize = len(magicSHA3) + 1 + 200 + 1 + 1
+	marshaledSize = len(magicKeccak) + 1 + 200 + 1 + 1
 )
 
 func (d *state) MarshalBinary() ([]byte, error) {
@@ -187,12 +215,6 @@ func (d *state) MarshalBinary() ([]byte, error) {
 
 func (d *state) AppendBinary(b []byte) ([]byte, error) {
 	switch d.dsbyte {
-	case dsbyteSHA3:
-		b = append(b, magicSHA3...)
-	case dsbyteShake:
-		b = append(b, magicShake...)
-	case dsbyteCShake:
-		b = append(b, magicCShake...)
 	case dsbyteKeccak:
 		b = append(b, magicKeccak...)
 	default:
@@ -210,12 +232,9 @@ func (d *state) UnmarshalBinary(b []byte) error {
 		return errors.New("sha3: invalid hash state")
 	}
 
-	magic := string(b[:len(magicSHA3)])
-	b = b[len(magicSHA3):]
+	magic := string(b[:len(magicKeccak)])
+	b = b[len(magicKeccak):]
 	switch {
-	case magic == magicSHA3 && d.dsbyte == dsbyteSHA3:
-	case magic == magicShake && d.dsbyte == dsbyteShake:
-	case magic == magicCShake && d.dsbyte == dsbyteCShake:
 	case magic == magicKeccak && d.dsbyte == dsbyteKeccak:
 	default:
 		return errors.New("sha3: invalid hash state identifier")
diff --git a/sha3/keccakf.go b/sha3/legacy_keccakf.go
similarity index 98%
rename from sha3/keccakf.go
rename to sha3/legacy_keccakf.go
index ce48b1dd3e..101588c16c 100644
--- a/sha3/keccakf.go
+++ b/sha3/legacy_keccakf.go
@@ -2,10 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !amd64 || purego || !gc
-
 package sha3
 
+// This implementation is only used for NewLegacyKeccak256 and
+// NewLegacyKeccak512, which are not implemented by crypto/sha3.
+// All other functions in this package are wrappers around crypto/sha3.
+
 import "math/bits"
 
 // rc stores the round constants for use in the ι step.
diff --git a/sha3/sha3_s390x.go b/sha3/sha3_s390x.go
deleted file mode 100644
index 00d8034ae6..0000000000
--- a/sha3/sha3_s390x.go
+++ /dev/null
@@ -1,303 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package sha3
-
-// This file contains code for using the 'compute intermediate
-// message digest' (KIMD) and 'compute last message digest' (KLMD)
-// instructions to compute SHA-3 and SHAKE hashes on IBM Z.
-
-import (
-	"hash"
-
-	"golang.org/x/sys/cpu"
-)
-
-// codes represent 7-bit KIMD/KLMD function codes as defined in
-// the Principles of Operation.
-type code uint64
-
-const (
-	// function codes for KIMD/KLMD
-	sha3_224  code = 32
-	sha3_256       = 33
-	sha3_384       = 34
-	sha3_512       = 35
-	shake_128      = 36
-	shake_256      = 37
-	nopad          = 0x100
-)
-
-// kimd is a wrapper for the 'compute intermediate message digest' instruction.
-// src must be a multiple of the rate for the given function code.
-//
-//go:noescape
-func kimd(function code, chain *[200]byte, src []byte)
-
-// klmd is a wrapper for the 'compute last message digest' instruction.
-// src padding is handled by the instruction.
-//
-//go:noescape
-func klmd(function code, chain *[200]byte, dst, src []byte)
-
-type asmState struct {
-	a         [200]byte       // 1600 bit state
-	buf       []byte          // care must be taken to ensure cap(buf) is a multiple of rate
-	rate      int             // equivalent to block size
-	storage   [3072]byte      // underlying storage for buf
-	outputLen int             // output length for full security
-	function  code            // KIMD/KLMD function code
-	state     spongeDirection // whether the sponge is absorbing or squeezing
-}
-
-func newAsmState(function code) *asmState {
-	var s asmState
-	s.function = function
-	switch function {
-	case sha3_224:
-		s.rate = 144
-		s.outputLen = 28
-	case sha3_256:
-		s.rate = 136
-		s.outputLen = 32
-	case sha3_384:
-		s.rate = 104
-		s.outputLen = 48
-	case sha3_512:
-		s.rate = 72
-		s.outputLen = 64
-	case shake_128:
-		s.rate = 168
-		s.outputLen = 32
-	case shake_256:
-		s.rate = 136
-		s.outputLen = 64
-	default:
-		panic("sha3: unrecognized function code")
-	}
-
-	// limit s.buf size to a multiple of s.rate
-	s.resetBuf()
-	return &s
-}
-
-func (s *asmState) clone() *asmState {
-	c := *s
-	c.buf = c.storage[:len(s.buf):cap(s.buf)]
-	return &c
-}
-
-// copyIntoBuf copies b into buf. It will panic if there is not enough space to
-// store all of b.
-func (s *asmState) copyIntoBuf(b []byte) {
-	bufLen := len(s.buf)
-	s.buf = s.buf[:len(s.buf)+len(b)]
-	copy(s.buf[bufLen:], b)
-}
-
-// resetBuf points buf at storage, sets the length to 0 and sets cap to be a
-// multiple of the rate.
-func (s *asmState) resetBuf() {
-	max := (cap(s.storage) / s.rate) * s.rate
-	s.buf = s.storage[:0:max]
-}
-
-// Write (via the embedded io.Writer interface) adds more data to the running hash.
-// It never returns an error.
-func (s *asmState) Write(b []byte) (int, error) {
-	if s.state != spongeAbsorbing {
-		panic("sha3: Write after Read")
-	}
-	length := len(b)
-	for len(b) > 0 {
-		if len(s.buf) == 0 && len(b) >= cap(s.buf) {
-			// Hash the data directly and push any remaining bytes
-			// into the buffer.
-			remainder := len(b) % s.rate
-			kimd(s.function, &s.a, b[:len(b)-remainder])
-			if remainder != 0 {
-				s.copyIntoBuf(b[len(b)-remainder:])
-			}
-			return length, nil
-		}
-
-		if len(s.buf) == cap(s.buf) {
-			// flush the buffer
-			kimd(s.function, &s.a, s.buf)
-			s.buf = s.buf[:0]
-		}
-
-		// copy as much as we can into the buffer
-		n := len(b)
-		if len(b) > cap(s.buf)-len(s.buf) {
-			n = cap(s.buf) - len(s.buf)
-		}
-		s.copyIntoBuf(b[:n])
-		b = b[n:]
-	}
-	return length, nil
-}
-
-// Read squeezes an arbitrary number of bytes from the sponge.
-func (s *asmState) Read(out []byte) (n int, err error) {
-	// The 'compute last message digest' instruction only stores the digest
-	// at the first operand (dst) for SHAKE functions.
-	if s.function != shake_128 && s.function != shake_256 {
-		panic("sha3: can only call Read for SHAKE functions")
-	}
-
-	n = len(out)
-
-	// need to pad if we were absorbing
-	if s.state == spongeAbsorbing {
-		s.state = spongeSqueezing
-
-		// write hash directly into out if possible
-		if len(out)%s.rate == 0 {
-			klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
-			s.buf = s.buf[:0]
-			return
-		}
-
-		// write hash into buffer
-		max := cap(s.buf)
-		if max > len(out) {
-			max = (len(out)/s.rate)*s.rate + s.rate
-		}
-		klmd(s.function, &s.a, s.buf[:max], s.buf)
-		s.buf = s.buf[:max]
-	}
-
-	for len(out) > 0 {
-		// flush the buffer
-		if len(s.buf) != 0 {
-			c := copy(out, s.buf)
-			out = out[c:]
-			s.buf = s.buf[c:]
-			continue
-		}
-
-		// write hash directly into out if possible
-		if len(out)%s.rate == 0 {
-			klmd(s.function|nopad, &s.a, out, nil)
-			return
-		}
-
-		// write hash into buffer
-		s.resetBuf()
-		if cap(s.buf) > len(out) {
-			s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate]
-		}
-		klmd(s.function|nopad, &s.a, s.buf, nil)
-	}
-	return
-}
-
-// Sum appends the current hash to b and returns the resulting slice.
-// It does not change the underlying hash state.
-func (s *asmState) Sum(b []byte) []byte {
-	if s.state != spongeAbsorbing {
-		panic("sha3: Sum after Read")
-	}
-
-	// Copy the state to preserve the original.
-	a := s.a
-
-	// Hash the buffer. Note that we don't clear it because we
-	// aren't updating the state.
-	switch s.function {
-	case sha3_224, sha3_256, sha3_384, sha3_512:
-		klmd(s.function, &a, nil, s.buf)
-		return append(b, a[:s.outputLen]...)
-	case shake_128, shake_256:
-		d := make([]byte, s.outputLen, 64)
-		klmd(s.function, &a, d, s.buf)
-		return append(b, d[:s.outputLen]...)
-	default:
-		panic("sha3: unknown function")
-	}
-}
-
-// Reset resets the Hash to its initial state.
-func (s *asmState) Reset() {
-	for i := range s.a {
-		s.a[i] = 0
-	}
-	s.resetBuf()
-	s.state = spongeAbsorbing
-}
-
-// Size returns the number of bytes Sum will return.
-func (s *asmState) Size() int {
-	return s.outputLen
-}
-
-// BlockSize returns the hash's underlying block size.
-// The Write method must be able to accept any amount
-// of data, but it may operate more efficiently if all writes
-// are a multiple of the block size.
-func (s *asmState) BlockSize() int {
-	return s.rate
-}
-
-// Clone returns a copy of the ShakeHash in its current state.
-func (s *asmState) Clone() ShakeHash {
-	return s.clone()
-}
-
-// new224 returns an assembly implementation of SHA3-224 if available,
-// otherwise it returns a generic implementation.
-func new224() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_224)
-	}
-	return new224Generic()
-}
-
-// new256 returns an assembly implementation of SHA3-256 if available,
-// otherwise it returns a generic implementation.
-func new256() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_256)
-	}
-	return new256Generic()
-}
-
-// new384 returns an assembly implementation of SHA3-384 if available,
-// otherwise it returns a generic implementation.
-func new384() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_384)
-	}
-	return new384Generic()
-}
-
-// new512 returns an assembly implementation of SHA3-512 if available,
-// otherwise it returns a generic implementation.
-func new512() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_512)
-	}
-	return new512Generic()
-}
-
-// newShake128 returns an assembly implementation of SHAKE-128 if available,
-// otherwise it returns a generic implementation.
-func newShake128() ShakeHash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(shake_128)
-	}
-	return newShake128Generic()
-}
-
-// newShake256 returns an assembly implementation of SHAKE-256 if available,
-// otherwise it returns a generic implementation.
-func newShake256() ShakeHash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(shake_256)
-	}
-	return newShake256Generic()
-}
diff --git a/sha3/sha3_s390x.s b/sha3/sha3_s390x.s
deleted file mode 100644
index 826b862c77..0000000000
--- a/sha3/sha3_s390x.s
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-#include "textflag.h"
-
-// func kimd(function code, chain *[200]byte, src []byte)
-TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40
-	MOVD function+0(FP), R0
-	MOVD chain+8(FP), R1
-	LMG  src+16(FP), R2, R3 // R2=base, R3=len
-
-continue:
-	WORD $0xB93E0002 // KIMD --, R2
-	BVS  continue    // continue if interrupted
-	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
-	RET
-
-// func klmd(function code, chain *[200]byte, dst, src []byte)
-TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64
-	// TODO: SHAKE support
-	MOVD function+0(FP), R0
-	MOVD chain+8(FP), R1
-	LMG  dst+16(FP), R2, R3 // R2=base, R3=len
-	LMG  src+40(FP), R4, R5 // R4=base, R5=len
-
-continue:
-	WORD $0xB93F0024 // KLMD R2, R4
-	BVS  continue    // continue if interrupted
-	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
-	RET
diff --git a/sha3/sha3_test.go b/sha3/sha3_test.go
index d97a970b1a..bee9b10d46 100644
--- a/sha3/sha3_test.go
+++ b/sha3/sha3_test.go
@@ -16,7 +16,6 @@ import (
 	"encoding"
 	"encoding/hex"
 	"encoding/json"
-	"fmt"
 	"hash"
 	"io"
 	"math/rand"
@@ -523,124 +522,3 @@ func testMarshalUnmarshal(t *testing.T, h hash.Hash) {
 		t.Errorf("got %x, want %x", got, want)
 	}
 }
-
-// BenchmarkPermutationFunction measures the speed of the permutation function
-// with no input data.
-func BenchmarkPermutationFunction(b *testing.B) {
-	b.SetBytes(int64(200))
-	var lanes [25]uint64
-	for i := 0; i < b.N; i++ {
-		keccakF1600(&lanes)
-	}
-}
-
-// benchmarkHash tests the speed to hash num buffers of buflen each.
-func benchmarkHash(b *testing.B, h hash.Hash, size, num int) {
-	b.StopTimer()
-	h.Reset()
-	data := sequentialBytes(size)
-	b.SetBytes(int64(size * num))
-	b.StartTimer()
-
-	var state []byte
-	for i := 0; i < b.N; i++ {
-		for j := 0; j < num; j++ {
-			h.Write(data)
-		}
-		state = h.Sum(state[:0])
-	}
-	b.StopTimer()
-	h.Reset()
-}
-
-// benchmarkShake is specialized to the Shake instances, which don't
-// require a copy on reading output.
-func benchmarkShake(b *testing.B, h ShakeHash, size, num int) {
-	b.StopTimer()
-	h.Reset()
-	data := sequentialBytes(size)
-	d := make([]byte, 32)
-
-	b.SetBytes(int64(size * num))
-	b.StartTimer()
-
-	for i := 0; i < b.N; i++ {
-		h.Reset()
-		for j := 0; j < num; j++ {
-			h.Write(data)
-		}
-		h.Read(d)
-	}
-}
-
-func BenchmarkSha3_512_MTU(b *testing.B) { benchmarkHash(b, New512(), 1350, 1) }
-func BenchmarkSha3_384_MTU(b *testing.B) { benchmarkHash(b, New384(), 1350, 1) }
-func BenchmarkSha3_256_MTU(b *testing.B) { benchmarkHash(b, New256(), 1350, 1) }
-func BenchmarkSha3_224_MTU(b *testing.B) { benchmarkHash(b, New224(), 1350, 1) }
-
-func BenchmarkShake128_MTU(b *testing.B)  { benchmarkShake(b, NewShake128(), 1350, 1) }
-func BenchmarkShake256_MTU(b *testing.B)  { benchmarkShake(b, NewShake256(), 1350, 1) }
-func BenchmarkShake256_16x(b *testing.B)  { benchmarkShake(b, NewShake256(), 16, 1024) }
-func BenchmarkShake256_1MiB(b *testing.B) { benchmarkShake(b, NewShake256(), 1024, 1024) }
-
-func BenchmarkSha3_512_1MiB(b *testing.B) { benchmarkHash(b, New512(), 1024, 1024) }
-
-func Example_sum() {
-	buf := []byte("some data to hash")
-	// A hash needs to be 64 bytes long to have 256-bit collision resistance.
-	h := make([]byte, 64)
-	// Compute a 64-byte hash of buf and put it in h.
-	ShakeSum256(h, buf)
-	fmt.Printf("%x\n", h)
-	// Output: 0f65fe41fc353e52c55667bb9e2b27bfcc8476f2c413e9437d272ee3194a4e3146d05ec04a25d16b8f577c19b82d16b1424c3e022e783d2b4da98de3658d363d
-}
-
-func Example_mac() {
-	k := []byte("this is a secret key; you should generate a strong random key that's at least 32 bytes long")
-	buf := []byte("and this is some data to authenticate")
-	// A MAC with 32 bytes of output has 256-bit security strength -- if you use at least a 32-byte-long key.
-	h := make([]byte, 32)
-	d := NewShake256()
-	// Write the key into the hash.
-	d.Write(k)
-	// Now write the data.
-	d.Write(buf)
-	// Read 32 bytes of output from the hash into h.
-	d.Read(h)
-	fmt.Printf("%x\n", h)
-	// Output: 78de2974bd2711d5549ffd32b753ef0f5fa80a0db2556db60f0987eb8a9218ff
-}
-
-func ExampleNewCShake256() {
-	out := make([]byte, 32)
-	msg := []byte("The quick brown fox jumps over the lazy dog")
-
-	// Example 1: Simple cshake
-	c1 := NewCShake256([]byte("NAME"), []byte("Partition1"))
-	c1.Write(msg)
-	c1.Read(out)
-	fmt.Println(hex.EncodeToString(out))
-
-	// Example 2: Different customization string produces different digest
-	c1 = NewCShake256([]byte("NAME"), []byte("Partition2"))
-	c1.Write(msg)
-	c1.Read(out)
-	fmt.Println(hex.EncodeToString(out))
-
-	// Example 3: Longer output length produces longer digest
-	out = make([]byte, 64)
-	c1 = NewCShake256([]byte("NAME"), []byte("Partition1"))
-	c1.Write(msg)
-	c1.Read(out)
-	fmt.Println(hex.EncodeToString(out))
-
-	// Example 4: Next read produces different result
-	c1.Read(out)
-	fmt.Println(hex.EncodeToString(out))
-
-	// Output:
-	//a90a4c6ca9af2156eba43dc8398279e6b60dcd56fb21837afe6c308fd4ceb05b
-	//a8db03e71f3e4da5c4eee9d28333cdd355f51cef3c567e59be5beb4ecdbb28f0
-	//a90a4c6ca9af2156eba43dc8398279e6b60dcd56fb21837afe6c308fd4ceb05b9dd98c6ee866ca7dc5a39d53e960f400bcd5a19c8a2d6ec6459f63696543a0d8
-	//85e73a72228d08b46515553ca3a29d47df3047e5d84b12d6c2c63e579f4fd1105716b7838e92e981863907f434bfd4443c9e56ea09da998d2f9b47db71988109
-}
diff --git a/sha3/shake.go b/sha3/shake.go
index a6b3a4281f..6f3f70c265 100644
--- a/sha3/shake.go
+++ b/sha3/shake.go
@@ -4,24 +4,10 @@
 
 package sha3
 
-// This file defines the ShakeHash interface, and provides
-// functions for creating SHAKE and cSHAKE instances, as well as utility
-// functions for hashing bytes to arbitrary-length output.
-//
-//
-// SHAKE implementation is based on FIPS PUB 202 [1]
-// cSHAKE implementations is based on NIST SP 800-185 [2]
-//
-// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
-// [2] https://doi.org/10.6028/NIST.SP.800-185
-
 import (
-	"bytes"
-	"encoding/binary"
-	"errors"
+	"crypto/sha3"
 	"hash"
 	"io"
-	"math/bits"
 )
 
 // ShakeHash defines the interface to hash functions that support
@@ -32,7 +18,7 @@ type ShakeHash interface {
 	hash.Hash
 
 	// Read reads more output from the hash; reading affects the hash's
-	// state. (ShakeHash.Read is thus very different from Hash.Sum)
+	// state. (ShakeHash.Read is thus very different from Hash.Sum.)
 	// It never returns an error, but subsequent calls to Write or Sum
 	// will panic.
 	io.Reader
@@ -41,115 +27,18 @@ type ShakeHash interface {
 	Clone() ShakeHash
 }
 
-// cSHAKE specific context
-type cshakeState struct {
-	*state // SHA-3 state context and Read/Write operations
-
-	// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
-	// by newCShake function and stores concatenation of N followed by S, encoded
-	// by the method specified in 3.3 of [1].
-	// It is stored here in order for Reset() to be able to put context into
-	// initial state.
-	initBlock []byte
-}
-
-func bytepad(data []byte, rate int) []byte {
-	out := make([]byte, 0, 9+len(data)+rate-1)
-	out = append(out, leftEncode(uint64(rate))...)
-	out = append(out, data...)
-	if padlen := rate - len(out)%rate; padlen < rate {
-		out = append(out, make([]byte, padlen)...)
-	}
-	return out
-}
-
-func leftEncode(x uint64) []byte {
-	// Let n be the smallest positive integer for which 2^(8n) > x.
-	n := (bits.Len64(x) + 7) / 8
-	if n == 0 {
-		n = 1
-	}
-	// Return n || x with n as a byte and x an n bytes in big-endian order.
-	b := make([]byte, 9)
-	binary.BigEndian.PutUint64(b[1:], x)
-	b = b[9-n-1:]
-	b[0] = byte(n)
-	return b
-}
-
-func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
-	c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
-	c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
-	c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
-	c.initBlock = append(c.initBlock, N...)
-	c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
-	c.initBlock = append(c.initBlock, S...)
-	c.Write(bytepad(c.initBlock, c.rate))
-	return &c
-}
-
-// Reset resets the hash to initial state.
-func (c *cshakeState) Reset() {
-	c.state.Reset()
-	c.Write(bytepad(c.initBlock, c.rate))
-}
-
-// Clone returns copy of a cSHAKE context within its current state.
-func (c *cshakeState) Clone() ShakeHash {
-	b := make([]byte, len(c.initBlock))
-	copy(b, c.initBlock)
-	return &cshakeState{state: c.clone(), initBlock: b}
-}
-
-// Clone returns copy of SHAKE context within its current state.
-func (c *state) Clone() ShakeHash {
-	return c.clone()
-}
-
-func (c *cshakeState) MarshalBinary() ([]byte, error) {
-	return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
-}
-
-func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
-	b, err := c.state.AppendBinary(b)
-	if err != nil {
-		return nil, err
-	}
-	b = append(b, c.initBlock...)
-	return b, nil
-}
-
-func (c *cshakeState) UnmarshalBinary(b []byte) error {
-	if len(b) <= marshaledSize {
-		return errors.New("sha3: invalid hash state")
-	}
-	if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
-		return err
-	}
-	c.initBlock = bytes.Clone(b[marshaledSize:])
-	return nil
-}
-
 // NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
 // Its generic security strength is 128 bits against all attacks if at
 // least 32 bytes of its output are used.
 func NewShake128() ShakeHash {
-	return newShake128()
+	return &shakeWrapper{sha3.NewSHAKE128(), 32, false, sha3.NewSHAKE128}
 }
 
 // NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
 // Its generic security strength is 256 bits against all attacks if
 // at least 64 bytes of its output are used.
 func NewShake256() ShakeHash {
-	return newShake256()
-}
-
-func newShake128Generic() *state {
-	return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
-}
-
-func newShake256Generic() *state {
-	return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
+	return &shakeWrapper{sha3.NewSHAKE256(), 64, false, sha3.NewSHAKE256}
 }
 
 // NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
@@ -159,10 +48,9 @@ func newShake256Generic() *state {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake128.
 func NewCShake128(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
-		return NewShake128()
-	}
-	return newCShake(N, S, rateK256, 32, dsbyteCShake)
+	return &shakeWrapper{sha3.NewCSHAKE128(N, S), 32, false, func() *sha3.SHAKE {
+		return sha3.NewCSHAKE128(N, S)
+	}}
 }
 
 // NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
@@ -172,10 +60,9 @@ func NewCShake128(N, S []byte) ShakeHash {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake256.
 func NewCShake256(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
-		return NewShake256()
-	}
-	return newCShake(N, S, rateK512, 64, dsbyteCShake)
+	return &shakeWrapper{sha3.NewCSHAKE256(N, S), 64, false, func() *sha3.SHAKE {
+		return sha3.NewCSHAKE256(N, S)
+	}}
 }
 
 // ShakeSum128 writes an arbitrary-length digest of data into hash.
@@ -191,3 +78,42 @@ func ShakeSum256(hash, data []byte) {
 	h.Write(data)
 	h.Read(hash)
 }
+
+// shakeWrapper adds the Size, Sum, and Clone methods to a sha3.SHAKE
+// to implement the ShakeHash interface.
+type shakeWrapper struct {
+	*sha3.SHAKE
+	outputLen int
+	squeezing bool
+	newSHAKE  func() *sha3.SHAKE
+}
+
+func (w *shakeWrapper) Read(p []byte) (n int, err error) {
+	w.squeezing = true
+	return w.SHAKE.Read(p)
+}
+
+func (w *shakeWrapper) Clone() ShakeHash {
+	s := w.newSHAKE()
+	b, err := w.MarshalBinary()
+	if err != nil {
+		panic(err) // unreachable
+	}
+	if err := s.UnmarshalBinary(b); err != nil {
+		panic(err) // unreachable
+	}
+	return &shakeWrapper{s, w.outputLen, w.squeezing, w.newSHAKE}
+}
+
+func (w *shakeWrapper) Size() int { return w.outputLen }
+
+func (w *shakeWrapper) Sum(b []byte) []byte {
+	if w.squeezing {
+		panic("sha3: Sum after Read")
+	}
+	out := make([]byte, w.outputLen)
+	// Clone the state so that we don't affect future Write calls.
+	s := w.Clone()
+	s.Read(out)
+	return append(b, out...)
+}
diff --git a/sha3/shake_noasm.go b/sha3/shake_noasm.go
deleted file mode 100644
index 4276ba4ab2..0000000000
--- a/sha3/shake_noasm.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func newShake128() *state {
-	return newShake128Generic()
-}
-
-func newShake256() *state {
-	return newShake256Generic()
-}

From 017a1aaa2d993492ef6f74ebe7c87f33d82d3717 Mon Sep 17 00:00:00 2001
From: Sean Liao <sean@liao.dev>
Date: Sun, 19 Oct 2025 00:57:52 +0100
Subject: [PATCH 27/37] chacha20poly1305: panic on dst and additionalData
 overlap

The cipher.AEAD interface specifies that these should not overlap.
This mirrors the check that the GCM implementation does.

Fixes golang/go#75968
Updates golang/go#21624

Change-Id: If5fbb8611ff6c0aae44d50079bad29f56ce00f5b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/712860
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 chacha20poly1305/chacha20poly1305_amd64.go   | 10 ++++++++--
 chacha20poly1305/chacha20poly1305_generic.go | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/chacha20poly1305/chacha20poly1305_amd64.go b/chacha20poly1305/chacha20poly1305_amd64.go
index 50695a14f6..b850e772e1 100644
--- a/chacha20poly1305/chacha20poly1305_amd64.go
+++ b/chacha20poly1305/chacha20poly1305_amd64.go
@@ -56,7 +56,10 @@ func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []
 
 	ret, out := sliceForAppend(dst, len(plaintext)+16)
 	if alias.InexactOverlap(out, plaintext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 	chacha20Poly1305Seal(out[:], state[:], plaintext, additionalData)
 	return ret
@@ -73,7 +76,10 @@ func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) (
 	ciphertext = ciphertext[:len(ciphertext)-16]
 	ret, out := sliceForAppend(dst, len(ciphertext))
 	if alias.InexactOverlap(out, ciphertext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 	if !chacha20Poly1305Open(out, state[:], ciphertext, additionalData) {
 		for i := range out {
diff --git a/chacha20poly1305/chacha20poly1305_generic.go b/chacha20poly1305/chacha20poly1305_generic.go
index 6313898f0a..2ecc840fca 100644
--- a/chacha20poly1305/chacha20poly1305_generic.go
+++ b/chacha20poly1305/chacha20poly1305_generic.go
@@ -31,7 +31,10 @@ func (c *chacha20poly1305) sealGeneric(dst, nonce, plaintext, additionalData []b
 	ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize)
 	ciphertext, tag := out[:len(plaintext)], out[len(plaintext):]
 	if alias.InexactOverlap(out, plaintext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 
 	var polyKey [32]byte
@@ -67,7 +70,10 @@ func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData []
 
 	ret, out := sliceForAppend(dst, len(ciphertext))
 	if alias.InexactOverlap(out, ciphertext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 	if !p.Verify(tag) {
 		for i := range out {

From 0997000b45e3a40598272081bcad03ffd21b8adb Mon Sep 17 00:00:00 2001
From: cuishuang <imcusg@gmail.com>
Date: Mon, 20 Oct 2025 17:55:48 +0800
Subject: [PATCH 28/37] all: fix some comments

Change-Id: I0395c5db6edd7d90f9ec1dadbe881a77c906c732
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/713120
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Sean Liao <sean@liao.dev>
Reviewed-by: Sean Liao <sean@liao.dev>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
---
 acme/pebble_test.go                            |  2 +-
 argon2/argon2.go                               | 18 +++++++++++-------
 .../_asm/chacha20poly1305_amd64_asm.go         |  4 ++--
 chacha20poly1305/chacha20poly1305_test.go      | 12 ++++++------
 4 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/acme/pebble_test.go b/acme/pebble_test.go
index bb4809faf7..79051ac821 100644
--- a/acme/pebble_test.go
+++ b/acme/pebble_test.go
@@ -757,7 +757,7 @@ func prepareBinaries(t *testing.T, pebbleDir string) string {
 
 	// We don't want to build in the module cache dir, which might not be
 	// writable or to pollute the user's clone with binaries if pebbleLocalDir
-	//is used.
+	// is used.
 	binDir := t.TempDir()
 
 	build := func(cmd string) {
diff --git a/argon2/argon2.go b/argon2/argon2.go
index 29f0a2de45..2b65ec91ac 100644
--- a/argon2/argon2.go
+++ b/argon2/argon2.go
@@ -6,7 +6,7 @@
 // Argon2 was selected as the winner of the Password Hashing Competition and can
 // be used to derive cryptographic keys from passwords.
 //
-// For a detailed specification of Argon2 see [1].
+// For a detailed specification of Argon2 see [argon2-specs.pdf].
 //
 // If you aren't sure which function you need, use Argon2id (IDKey) and
 // the parameter recommendations for your scenario.
@@ -17,7 +17,7 @@
 // It uses data-independent memory access, which is preferred for password
 // hashing and password-based key derivation. Argon2i requires more passes over
 // memory than Argon2id to protect from trade-off attacks. The recommended
-// parameters (taken from [2]) for non-interactive operations are time=3 and to
+// parameters (taken from [RFC 9106 Section 7.3]) for non-interactive operations are time=3 and to
 // use the maximum available memory.
 //
 // # Argon2id
@@ -27,11 +27,11 @@
 // half of the first iteration over the memory and data-dependent memory access
 // for the rest. Argon2id is side-channel resistant and provides better brute-
 // force cost savings due to time-memory tradeoffs than Argon2i. The recommended
-// parameters for non-interactive operations (taken from [2]) are time=1 and to
+// parameters for non-interactive operations (taken from [RFC 9106 Section 7.3]) are time=1 and to
 // use the maximum available memory.
 //
-// [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
-// [2] https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-9.3
+// [argon2-specs.pdf]: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
+// [RFC 9106 Section 7.3]: https://www.rfc-editor.org/rfc/rfc9106.html#section-7.3
 package argon2
 
 import (
@@ -59,7 +59,7 @@ const (
 //
 //	key := argon2.Key([]byte("some password"), salt, 3, 32*1024, 4, 32)
 //
-// The draft RFC recommends[2] time=3, and memory=32*1024 is a sensible number.
+// [RFC 9106 Section 7.3] recommends time=3, and memory=32*1024 as a sensible number.
 // If using that amount of memory (32 MB) is not possible in some contexts then
 // the time parameter can be increased to compensate.
 //
@@ -69,6 +69,8 @@ const (
 // adjusted to the number of available CPUs. The cost parameters should be
 // increased as memory latency and CPU parallelism increases. Remember to get a
 // good random salt.
+//
+// [RFC 9106 Section 7.3]: https://www.rfc-editor.org/rfc/rfc9106.html#section-7.3
 func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
 	return deriveKey(argon2i, password, salt, nil, nil, time, memory, threads, keyLen)
 }
@@ -83,7 +85,7 @@ func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint3
 //
 //	key := argon2.IDKey([]byte("some password"), salt, 1, 64*1024, 4, 32)
 //
-// The draft RFC recommends[2] time=1, and memory=64*1024 is a sensible number.
+// [RFC 9106 Section 7.3] recommends time=1, and memory=64*1024 as a sensible number.
 // If using that amount of memory (64 MB) is not possible in some contexts then
 // the time parameter can be increased to compensate.
 //
@@ -93,6 +95,8 @@ func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint3
 // adjusted to the numbers of available CPUs. The cost parameters should be
 // increased as memory latency and CPU parallelism increases. Remember to get a
 // good random salt.
+//
+// [RFC 9106 Section 7.3]: https://www.rfc-editor.org/rfc/rfc9106.html#section-7.3
 func IDKey(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
 	return deriveKey(argon2id, password, salt, nil, nil, time, memory, threads, keyLen)
 }
diff --git a/chacha20poly1305/_asm/chacha20poly1305_amd64_asm.go b/chacha20poly1305/_asm/chacha20poly1305_amd64_asm.go
index e9ba153b4c..66af868b3c 100644
--- a/chacha20poly1305/_asm/chacha20poly1305_amd64_asm.go
+++ b/chacha20poly1305/_asm/chacha20poly1305_amd64_asm.go
@@ -641,7 +641,7 @@ func hashADDone() {
 // ----------------------------------------------------------------------------
 // ----------------------------------------------------------------------------
 
-// Implements the following function fignature:
+// Implements the following function signature:
 //
 //	func chacha20Poly1305Open(dst []byte, key []uint32, src []byte, ad []byte) bool
 func chacha20Poly1305Open() {
@@ -2967,7 +2967,7 @@ func openAVX2Tail512HashEnd() {
 // ----------------------------------------------------------------------------
 // ----------------------------------------------------------------------------
 
-// Implements the following function fignature:
+// Implements the following function signature:
 //
 //	func chacha20Poly1305Seal(dst []byte, key []uint32, src, ad []byte)
 func chacha20Poly1305Seal() {
diff --git a/chacha20poly1305/chacha20poly1305_test.go b/chacha20poly1305/chacha20poly1305_test.go
index 82a4a36102..b38970d177 100644
--- a/chacha20poly1305/chacha20poly1305_test.go
+++ b/chacha20poly1305/chacha20poly1305_test.go
@@ -153,7 +153,7 @@ func TestRandom(t *testing.T) {
 	t.Run("X", func(t *testing.T) { f(t, NonceSizeX) })
 }
 
-func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
+func benchmarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
 	b.ReportAllocs()
 	b.SetBytes(int64(len(buf)))
 
@@ -176,7 +176,7 @@ func benchamarkChaCha20Poly1305Seal(b *testing.B, buf []byte, nonceSize int) {
 	}
 }
 
-func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
+func benchmarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
 	b.ReportAllocs()
 	b.SetBytes(int64(len(buf)))
 
@@ -204,17 +204,17 @@ func benchamarkChaCha20Poly1305Open(b *testing.B, buf []byte, nonceSize int) {
 func BenchmarkChacha20Poly1305(b *testing.B) {
 	for _, length := range []int{64, 1350, 8 * 1024} {
 		b.Run("Open-"+strconv.Itoa(length), func(b *testing.B) {
-			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize)
+			benchmarkChaCha20Poly1305Open(b, make([]byte, length), NonceSize)
 		})
 		b.Run("Seal-"+strconv.Itoa(length), func(b *testing.B) {
-			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize)
+			benchmarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSize)
 		})
 
 		b.Run("Open-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
-			benchamarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX)
+			benchmarkChaCha20Poly1305Open(b, make([]byte, length), NonceSizeX)
 		})
 		b.Run("Seal-"+strconv.Itoa(length)+"-X", func(b *testing.B) {
-			benchamarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX)
+			benchmarkChaCha20Poly1305Seal(b, make([]byte, length), NonceSizeX)
 		})
 	}
 }

From c0531f9c34514ad5c5551e2d6ce569ca673a8afd Mon Sep 17 00:00:00 2001
From: Sean Liao <sean@liao.dev>
Date: Sun, 26 Oct 2025 13:45:57 +0000
Subject: [PATCH 29/37] all: eliminate vet diagnostics

For golang/go#74011

Change-Id: I189c5aba554a578bee1fd351edc30cd5cf4d0ed6
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/714960
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: David Chase <drchase@google.com>
---
 otr/otr_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/otr/otr_test.go b/otr/otr_test.go
index cfcd062b27..3b7aa1986e 100644
--- a/otr/otr_test.go
+++ b/otr/otr_test.go
@@ -75,8 +75,8 @@ const libOTRPrivateKey = `(privkeys
  (account
 (name "foo@example.com")
 (protocol prpl-jabber)
-(private-key 
- (dsa 
+(private-key
+ (dsa
   (p #00FC07ABCF0DC916AFF6E9AE47BEF60C7AB9B4D6B2469E436630E36F8A489BE812486A09F30B71224508654940A835301ACC525A4FF133FC152CC53DCC59D65C30A54F1993FE13FE63E5823D4C746DB21B90F9B9C00B49EC7404AB1D929BA7FBA12F2E45C6E0A651689750E8528AB8C031D3561FECEE72EBB4A090D450A9B7A857#)
   (q #00997BD266EF7B1F60A5C23F3A741F2AEFD07A2081#)
   (g #535E360E8A95EBA46A4F7DE50AD6E9B2A6DB785A66B64EB9F20338D2A3E8FB0E94725848F1AA6CC567CB83A1CC517EC806F2E92EAE71457E80B2210A189B91250779434B41FC8A8873F6DB94BEA7D177F5D59E7E114EE10A49CFD9CEF88AE43387023B672927BA74B04EB6BBB5E57597766A2F9CE3857D7ACE3E1E3BC1FC6F26#)
@@ -402,7 +402,7 @@ func TestAgainstLibOTR(t *testing.T) {
 	// This test requires otr.c.test to be built as /tmp/a.out.
 	// If enabled, this tests runs forever performing OTR handshakes in a
 	// loop.
-	return
+	t.Skip("This test requires otr.c.test to be built as /tmp/a.out")
 
 	alicePrivateKey, _ := hex.DecodeString(alicePrivateKeyHex)
 	var alice Conversation

From 122a78f140d9d3303ed3261bc374bbbca149140f Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Tue, 11 Nov 2025 08:06:34 -0800
Subject: [PATCH 30/37] go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I0f64669e7c813611f71b1381d9e6fdaba1a39712
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/719641
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index f331951a16..7c5b2e95ae 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module golang.org/x/crypto
 go 1.24.0
 
 require (
-	golang.org/x/net v0.45.0 // tagx:ignore
-	golang.org/x/sys v0.37.0
-	golang.org/x/term v0.36.0
+	golang.org/x/net v0.46.0 // tagx:ignore
+	golang.org/x/sys v0.38.0
+	golang.org/x/term v0.37.0
 )
 
-require golang.org/x/text v0.30.0 // indirect
+require golang.org/x/text v0.31.0 // indirect
diff --git a/go.sum b/go.sum
index 6d9f239e86..69212f3190 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
-golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
-golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
-golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
-golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=

From 79ec3a51fcc7fbd2691d56155d578225ccc542e2 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sun, 21 Jul 2024 17:17:48 +0200
Subject: [PATCH 31/37] ssh: allow to bind to a hostname in remote forwarding

To avoid breaking backwards compatibility, we fix Listen, which
receives the address as a string, while ListenTCP can still only
be used with IP addresses.

Fixes golang/go#33227
Fixes golang/go#37239

Change-Id: I4d45b40fdcb0d6012ed8da59a02149fa37e7db50
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/599995
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Bishakh Ghosh <ghoshbishakh@gmail.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
---
 ssh/streamlocal.go            |   4 +-
 ssh/tcpip.go                  | 124 ++++++++++++++++++++++------------
 ssh/test/forward_unix_test.go |   4 ++
 3 files changed, 86 insertions(+), 46 deletions(-)

diff --git a/ssh/streamlocal.go b/ssh/streamlocal.go
index b171b330bc..152470fcb7 100644
--- a/ssh/streamlocal.go
+++ b/ssh/streamlocal.go
@@ -44,7 +44,7 @@ func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
 	if !ok {
 		return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
 	}
-	ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
+	ch := c.forwards.add("unix", socketPath)
 
 	return &unixListener{socketPath, c, ch}, nil
 }
@@ -96,7 +96,7 @@ func (l *unixListener) Accept() (net.Conn, error) {
 // Close closes the listener.
 func (l *unixListener) Close() error {
 	// this also closes the listener.
-	l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
+	l.conn.forwards.remove("unix", l.socketPath)
 	m := streamLocalChannelForwardMsg{
 		l.socketPath,
 	}
diff --git a/ssh/tcpip.go b/ssh/tcpip.go
index 93d844f035..78c41fe5a1 100644
--- a/ssh/tcpip.go
+++ b/ssh/tcpip.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"math/rand"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
@@ -22,14 +23,21 @@ import (
 // the returned net.Listener. The listener must be serviced, or the
 // SSH connection may hang.
 // N must be "tcp", "tcp4", "tcp6", or "unix".
+//
+// If the address is a hostname, it is sent to the remote peer as-is, without
+// being resolved locally, and the Listener Addr method will return a zero IP.
 func (c *Client) Listen(n, addr string) (net.Listener, error) {
 	switch n {
 	case "tcp", "tcp4", "tcp6":
-		laddr, err := net.ResolveTCPAddr(n, addr)
+		host, portStr, err := net.SplitHostPort(addr)
+		if err != nil {
+			return nil, err
+		}
+		port, err := strconv.ParseInt(portStr, 10, 32)
 		if err != nil {
 			return nil, err
 		}
-		return c.ListenTCP(laddr)
+		return c.listenTCPInternal(host, int(port))
 	case "unix":
 		return c.ListenUnix(addr)
 	default:
@@ -102,15 +110,24 @@ func (c *Client) handleForwards() {
 // ListenTCP requests the remote peer open a listening socket
 // on laddr. Incoming connections will be available by calling
 // Accept on the returned net.Listener.
+//
+// ListenTCP accepts an IP address, to provide a hostname use [Client.Listen]
+// with "tcp", "tcp4", or "tcp6" network instead.
 func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 	c.handleForwardsOnce.Do(c.handleForwards)
 	if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
 		return c.autoPortListenWorkaround(laddr)
 	}
 
+	return c.listenTCPInternal(laddr.IP.String(), laddr.Port)
+}
+
+func (c *Client) listenTCPInternal(host string, port int) (net.Listener, error) {
+	c.handleForwardsOnce.Do(c.handleForwards)
+
 	m := channelForwardMsg{
-		laddr.IP.String(),
-		uint32(laddr.Port),
+		host,
+		uint32(port),
 	}
 	// send message
 	ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
@@ -123,20 +140,33 @@ func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 
 	// If the original port was 0, then the remote side will
 	// supply a real port number in the response.
-	if laddr.Port == 0 {
+	if port == 0 {
 		var p struct {
 			Port uint32
 		}
 		if err := Unmarshal(resp, &p); err != nil {
 			return nil, err
 		}
-		laddr.Port = int(p.Port)
+		port = int(p.Port)
 	}
+	// Construct a local address placeholder for the remote listener. If the
+	// original host is an IP address, preserve it so that Listener.Addr()
+	// reports the same IP. If the host is a hostname or cannot be parsed as an
+	// IP, fall back to IPv4zero. The port field is always set, even if the
+	// original port was 0, because in that case the remote server will assign
+	// one, allowing callers to determine which port was selected.
+	ip := net.IPv4zero
+	if parsed, err := netip.ParseAddr(host); err == nil {
+		ip = net.IP(parsed.AsSlice())
+	}
+	laddr := &net.TCPAddr{
+		IP:   ip,
+		Port: port,
+	}
+	addr := net.JoinHostPort(host, strconv.FormatInt(int64(port), 10))
+	ch := c.forwards.add("tcp", addr)
 
-	// Register this forward, using the port number we obtained.
-	ch := c.forwards.add(laddr)
-
-	return &tcpListener{laddr, c, ch}, nil
+	return &tcpListener{laddr, addr, c, ch}, nil
 }
 
 // forwardList stores a mapping between remote
@@ -149,8 +179,9 @@ type forwardList struct {
 // forwardEntry represents an established mapping of a laddr on a
 // remote ssh server to a channel connected to a tcpListener.
 type forwardEntry struct {
-	laddr net.Addr
-	c     chan forward
+	addr    string // host:port or socket path
+	network string // tcp or unix
+	c       chan forward
 }
 
 // forward represents an incoming forwarded tcpip connection. The
@@ -161,12 +192,13 @@ type forward struct {
 	raddr net.Addr   // the raddr of the incoming connection
 }
 
-func (l *forwardList) add(addr net.Addr) chan forward {
+func (l *forwardList) add(n, addr string) chan forward {
 	l.Lock()
 	defer l.Unlock()
 	f := forwardEntry{
-		laddr: addr,
-		c:     make(chan forward, 1),
+		addr:    addr,
+		network: n,
+		c:       make(chan forward, 1),
 	}
 	l.entries = append(l.entries, f)
 	return f.c
@@ -185,19 +217,20 @@ func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
 	if port == 0 || port > 65535 {
 		return nil, fmt.Errorf("ssh: port number out of range: %d", port)
 	}
-	ip := net.ParseIP(string(addr))
-	if ip == nil {
+	ip, err := netip.ParseAddr(addr)
+	if err != nil {
 		return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
 	}
-	return &net.TCPAddr{IP: ip, Port: int(port)}, nil
+	return &net.TCPAddr{IP: net.IP(ip.AsSlice()), Port: int(port)}, nil
 }
 
 func (l *forwardList) handleChannels(in <-chan NewChannel) {
 	for ch := range in {
 		var (
-			laddr net.Addr
-			raddr net.Addr
-			err   error
+			addr    string
+			network string
+			raddr   net.Addr
+			err     error
 		)
 		switch channelType := ch.ChannelType(); channelType {
 		case "forwarded-tcpip":
@@ -207,40 +240,34 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 				continue
 			}
 
-			// RFC 4254 section 7.2 specifies that incoming
-			// addresses should list the address, in string
-			// format. It is implied that this should be an IP
-			// address, as it would be impossible to connect to it
-			// otherwise.
-			laddr, err = parseTCPAddr(payload.Addr, payload.Port)
-			if err != nil {
-				ch.Reject(ConnectionFailed, err.Error())
-				continue
-			}
+			// RFC 4254 section 7.2 specifies that incoming addresses should
+			// list the address that was connected, in string format. It is the
+			// same address used in the tcpip-forward request. The originator
+			// address is an IP address instead.
+			addr = net.JoinHostPort(payload.Addr, strconv.FormatUint(uint64(payload.Port), 10))
+
 			raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
 			if err != nil {
 				ch.Reject(ConnectionFailed, err.Error())
 				continue
 			}
-
+			network = "tcp"
 		case "forwarded-streamlocal@openssh.com":
 			var payload forwardedStreamLocalPayload
 			if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
 				ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error())
 				continue
 			}
-			laddr = &net.UnixAddr{
-				Name: payload.SocketPath,
-				Net:  "unix",
-			}
+			addr = payload.SocketPath
 			raddr = &net.UnixAddr{
 				Name: "@",
 				Net:  "unix",
 			}
+			network = "unix"
 		default:
 			panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
 		}
-		if ok := l.forward(laddr, raddr, ch); !ok {
+		if ok := l.forward(network, addr, raddr, ch); !ok {
 			// Section 7.2, implementations MUST reject spurious incoming
 			// connections.
 			ch.Reject(Prohibited, "no forward for address")
@@ -252,11 +279,11 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 
 // remove removes the forward entry, and the channel feeding its
 // listener.
-func (l *forwardList) remove(addr net.Addr) {
+func (l *forwardList) remove(n, addr string) {
 	l.Lock()
 	defer l.Unlock()
 	for i, f := range l.entries {
-		if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			l.entries = append(l.entries[:i], l.entries[i+1:]...)
 			close(f.c)
 			return
@@ -274,11 +301,11 @@ func (l *forwardList) closeAll() {
 	l.entries = nil
 }
 
-func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
+func (l *forwardList) forward(n, addr string, raddr net.Addr, ch NewChannel) bool {
 	l.Lock()
 	defer l.Unlock()
 	for _, f := range l.entries {
-		if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			f.c <- forward{newCh: ch, raddr: raddr}
 			return true
 		}
@@ -288,6 +315,7 @@ func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
 
 type tcpListener struct {
 	laddr *net.TCPAddr
+	addr  string
 
 	conn *Client
 	in   <-chan forward
@@ -314,13 +342,21 @@ func (l *tcpListener) Accept() (net.Conn, error) {
 
 // Close closes the listener.
 func (l *tcpListener) Close() error {
+	host, port, err := net.SplitHostPort(l.addr)
+	if err != nil {
+		return err
+	}
+	rport, err := strconv.ParseUint(port, 10, 32)
+	if err != nil {
+		return err
+	}
 	m := channelForwardMsg{
-		l.laddr.IP.String(),
-		uint32(l.laddr.Port),
+		host,
+		uint32(rport),
 	}
 
 	// this also closes the listener.
-	l.conn.forwards.remove(l.laddr)
+	l.conn.forwards.remove("tcp", l.addr)
 	ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
 	if err == nil && !ok {
 		err = errors.New("ssh: cancel-tcpip-forward failed")
diff --git a/ssh/test/forward_unix_test.go b/ssh/test/forward_unix_test.go
index c10d1d02a6..549d46cef4 100644
--- a/ssh/test/forward_unix_test.go
+++ b/ssh/test/forward_unix_test.go
@@ -51,6 +51,8 @@ func testPortForward(t *testing.T, n, listenAddr string) {
 		}
 	}()
 
+	// The forwarded address match the listen address because we run the tests
+	// on the same host.
 	forwardedAddr := sshListener.Addr().String()
 	netConn, err := net.Dial(n, forwardedAddr)
 	if err != nil {
@@ -111,6 +113,8 @@ func testPortForward(t *testing.T, n, listenAddr string) {
 }
 
 func TestPortForwardTCP(t *testing.T) {
+	testPortForward(t, "tcp", ":0")
+	testPortForward(t, "tcp", "[::]:0")
 	testPortForward(t, "tcp", "localhost:0")
 }
 

From b4f2b62076abeee4e43fb59544dac565715fbf1e Mon Sep 17 00:00:00 2001
From: Santhanam <santhanambr2002@gmail.com>
Date: Sun, 9 Nov 2025 18:35:21 +0000
Subject: [PATCH 32/37] ssh: fix error message on unsupported cipher

Until now, when ssh keys using one of these[1] ciphers were passed, we were
giving a parse error "ssh: parse error in message type 0".

With this fix, we parse it successfully and return the correct error message.

[1] aes{128,256}-gcm@openssh.com and chacha20-poly1305@openssh.com

Fixes golang/go#52135

Change-Id: I3010fff43c48f29f21edb8d63f44e167861a054e
GitHub-Last-Rev: 14ac7e97306d41cba48053b9c60f2ffc7caded45
GitHub-Pull-Request: golang/crypto#324
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/709275
Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 ssh/keys.go          |  1 +
 ssh/keys_test.go     | 15 ++++++++++++++
 ssh/testdata/keys.go | 47 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)

diff --git a/ssh/keys.go b/ssh/keys.go
index a035956fcc..47a07539d9 100644
--- a/ssh/keys.go
+++ b/ssh/keys.go
@@ -1490,6 +1490,7 @@ type openSSHEncryptedPrivateKey struct {
 	NumKeys      uint32
 	PubKey       []byte
 	PrivKeyBlock []byte
+	Rest         []byte `ssh:"rest"`
 }
 
 type openSSHPrivateKey struct {
diff --git a/ssh/keys_test.go b/ssh/keys_test.go
index 661e3cb31c..a1165ec68b 100644
--- a/ssh/keys_test.go
+++ b/ssh/keys_test.go
@@ -271,6 +271,21 @@ func TestParseEncryptedPrivateKeysWithPassphrase(t *testing.T) {
 	}
 }
 
+func TestParseEncryptedPrivateKeysWithUnsupportedCiphers(t *testing.T) {
+    for _, tt := range testdata.UnsupportedCipherData {
+        t.Run(tt.Name, func(t *testing.T){
+            _, err := ParsePrivateKeyWithPassphrase(tt.PEMBytes, []byte(tt.EncryptionKey))
+            if err == nil {
+                t.Fatalf("expected 'unknown cipher' error for %q, got nil", tt.Name)
+                // If this cipher is now supported, remove it from testdata.UnsupportedCipherData
+            }
+            if !strings.Contains(err.Error(), "unknown cipher") {
+                t.Errorf("wanted 'unknown cipher' error, got %v", err.Error())
+            }
+        })
+    }
+}
+
 func TestParseEncryptedPrivateKeysWithIncorrectPassphrase(t *testing.T) {
 	pem := testdata.PEMEncryptedKeys[0].PEMBytes
 	for i := 0; i < 4096; i++ {
diff --git a/ssh/testdata/keys.go b/ssh/testdata/keys.go
index 6e48841b67..adb4244eb3 100644
--- a/ssh/testdata/keys.go
+++ b/ssh/testdata/keys.go
@@ -310,6 +310,53 @@ gbDGyT3bXMQtagvCwoW+/oMTKXiZP5jCJpEO8=
 	},
 }
 
+var UnsupportedCipherData = []struct {
+    Name string
+    EncryptionKey string
+    PEMBytes []byte
+} {
+	0: {
+		Name:              "ed25519-encrypted-chacha20-poly1305",
+		EncryptionKey:     "password",
+		PEMBytes: []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAHWNoYWNoYTIwLXBvbHkxMzA1QG9wZW5zc2guY29tAAAABm
+JjcnlwdAAAABgAAAAQdPyPIjXDRAVHskY0yp9SWwAAAGQAAAABAAAAMwAAAAtzc2gtZWQy
+NTUxOQAAACBi6qXITEUrmNce/c2lfozxALlKH3o/6sll8G7wzl1lvQAAAJDNlW1sEkvnK0
+8EecF1vHdPk85yClbh3KkHv09mbGAX/Gk6cJpYEGgJSkO7OEF4kG9DVGGd17+TZbTnM4LD
+vYAJZExx2XLgJFEtHCVmJjYzwxx7yC7+s6u/XjrSlZS60RHunOPKyq+C+s48sejXvmX+t5
+0ZoVCI8aftT0ycis3gvLU9sCwJ2UnF6kAV226Z4g2aLkuJbgCDTEcYCRD64K1r
+-----END OPENSSH PRIVATE KEY-----
+`),
+	},
+	1: {
+		Name:              "ed25519-encrypted-aes128-gcm",
+		EncryptionKey:     "password",
+		PEMBytes: []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAFmFlczEyOC1nY21Ab3BlbnNzaC5jb20AAAAGYmNyeXB0AA
+AAGAAAABBeMJIOqiyFwNCvDv6f8tQeAAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAA
+IGYpUcb3tGp9kF6pppcUdq3EPMr85BaSUdhiXGbhS5YNAAAAkNBtMEu0UlLgToThuQc+4m
+/o0DfFIERu0sspQivn5RJHCtulVKfU9BMiEnF0+LOMOABMlYesgLOtoMxwm4ZCSWH54kZk
+vaFyyvvxY+RLDuWNQZCryffIA4+iLCUQR1EdxMDiJweKnGJuD64a+9xTJt47A3Vq4SYzji
+EuVmM0FqS8lbT2ynYSe3va0Qyw13jEO5qbtCuyG+C5GejL7kX4Z64=
+-----END OPENSSH PRIVATE KEY-----
+`),
+	},
+	2: {
+		Name:              "ed25519-encrypted-aes256-gcm",
+		EncryptionKey:     "password",
+		PEMBytes: []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAFmFlczI1Ni1nY21Ab3BlbnNzaC5jb20AAAAGYmNyeXB0AA
+AAGAAAABBR1p3vH2Wr/HPL+q20L2rjAAAAZAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAA
+IM3tT1xrAuOHcrBdoLRo/ojWZsAw2lHfF5hJgFEOts5MAAAAkH/YGrDhDw8u+F8e4P+84B
+tAzvp55Lf1Yl7y34BrVmqlWqw/7boqahOp6iYJHNpcuanzc5T6s7Z3wSSYodbY1uvFOfbj
+rtP6rIHQIY5J2C40WOYJN8IkZlkwDXwZY0qoE9699ZYmWdwsXRZ7QDhjd2W8ziyZBsttiB
+kv2ceuJMLT04TrKc2+RUkj4CQYnz7p8EkgZlUozx8wBSxKFGnkP7k=
+-----END OPENSSH PRIVATE KEY-----
+`),
+	},
+}
+
+
 // SKData contains a list of PubKeys backed by U2F/FIDO2 Security Keys and their test data.
 var SKData = []struct {
 	Name         string

From bcf6a849efcf4702fa5172cb0998b46c3da1e989 Mon Sep 17 00:00:00 2001
From: Sean Liao <sean@liao.dev>
Date: Sun, 9 Nov 2025 16:53:06 +0000
Subject: [PATCH 33/37] acme: pass context to request

Fixes golang/go#30183

Change-Id: Ic02b34bc87b9465f5c05b2ef5bec157c58809a91
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/719002
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/acme.go | 2 +-
 acme/http.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/acme/acme.go b/acme/acme.go
index 7a51284f91..b53ea28891 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -690,7 +690,7 @@ func (c *Client) addNonce(h http.Header) {
 }
 
 func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) {
-	r, err := http.NewRequest("HEAD", url, nil)
+	r, err := http.NewRequestWithContext(ctx, "HEAD", url, nil)
 	if err != nil {
 		return "", err
 	}
diff --git a/acme/http.go b/acme/http.go
index 8f29df56ee..7d1052acd4 100644
--- a/acme/http.go
+++ b/acme/http.go
@@ -128,7 +128,7 @@ func wantStatus(codes ...int) resOkay {
 func (c *Client) get(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
 	retry := c.retryTimer()
 	for {
-		req, err := http.NewRequest("GET", url, nil)
+		req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -228,7 +228,7 @@ func (c *Client) postNoRetry(ctx context.Context, key crypto.Signer, url string,
 	if err != nil {
 		return nil, nil, err
 	}
-	req, err := http.NewRequest("POST", url, bytes.NewReader(b))
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(b))
 	if err != nil {
 		return nil, nil, err
 	}

From 2df4153a0311bdfea44376e0eb6ef2faefb0275b Mon Sep 17 00:00:00 2001
From: Sean Liao <sean@liao.dev>
Date: Sun, 9 Nov 2025 12:22:03 +0000
Subject: [PATCH 34/37] acme/autocert: let automatic renewal work with short
 lifetime certs

Fixes golang/go#64997
Fixes golang/go#36548

Change-Id: Idb7a426ad3bfa6ac3b796f4b466da6e3154f1ffa
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/719080
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 acme/autocert/autocert.go     | 18 +++------
 acme/autocert/renewal.go      | 36 +++++++++---------
 acme/autocert/renewal_test.go | 69 ++++++++++++++++++++++++++---------
 3 files changed, 76 insertions(+), 47 deletions(-)

diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index ccd5b7e3a1..cde9066f6d 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -134,7 +134,8 @@ type Manager struct {
 	// RenewBefore optionally specifies how early certificates should
 	// be renewed before they expire.
 	//
-	// If zero, they're renewed 30 days before expiration.
+	// If zero, they're renewed at the lesser of 30 days or
+	// 1/3 of the certificate lifetime.
 	RenewBefore time.Duration
 
 	// Client is used to perform low-level operations, such as account registration
@@ -464,7 +465,7 @@ func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error
 		leaf: cert.Leaf,
 	}
 	m.state[ck] = s
-	m.startRenew(ck, s.key, s.leaf.NotAfter)
+	m.startRenew(ck, s.key, s.leaf.NotBefore, s.leaf.NotAfter)
 	return cert, nil
 }
 
@@ -610,7 +611,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate,
 	}
 	state.cert = der
 	state.leaf = leaf
-	m.startRenew(ck, state.key, state.leaf.NotAfter)
+	m.startRenew(ck, state.key, state.leaf.NotBefore, state.leaf.NotAfter)
 	return state.tlscert()
 }
 
@@ -908,7 +909,7 @@ func httpTokenCacheKey(tokenPath string) string {
 //
 // The key argument is a certificate private key.
 // The exp argument is the cert expiration time (NotAfter).
-func (m *Manager) startRenew(ck certKey, key crypto.Signer, exp time.Time) {
+func (m *Manager) startRenew(ck certKey, key crypto.Signer, notBefore, notAfter time.Time) {
 	m.renewalMu.Lock()
 	defer m.renewalMu.Unlock()
 	if m.renewal[ck] != nil {
@@ -920,7 +921,7 @@ func (m *Manager) startRenew(ck certKey, key crypto.Signer, exp time.Time) {
 	}
 	dr := &domainRenewal{m: m, ck: ck, key: key}
 	m.renewal[ck] = dr
-	dr.start(exp)
+	dr.start(notBefore, notAfter)
 }
 
 // stopRenew stops all currently running cert renewal timers.
@@ -1028,13 +1029,6 @@ func (m *Manager) hostPolicy() HostPolicy {
 	return defaultHostPolicy
 }
 
-func (m *Manager) renewBefore() time.Duration {
-	if m.RenewBefore > renewJitter {
-		return m.RenewBefore
-	}
-	return 720 * time.Hour // 30 days
-}
-
 func (m *Manager) now() time.Time {
 	if m.nowFunc != nil {
 		return m.nowFunc()
diff --git a/acme/autocert/renewal.go b/acme/autocert/renewal.go
index 0df7da78a6..93984f3866 100644
--- a/acme/autocert/renewal.go
+++ b/acme/autocert/renewal.go
@@ -11,9 +11,6 @@ import (
 	"time"
 )
 
-// renewJitter is the maximum deviation from Manager.RenewBefore.
-const renewJitter = time.Hour
-
 // domainRenewal tracks the state used by the periodic timers
 // renewing a single domain's cert.
 type domainRenewal struct {
@@ -30,13 +27,13 @@ type domainRenewal struct {
 // defined by the certificate expiration time exp.
 //
 // If the timer is already started, calling start is a noop.
-func (dr *domainRenewal) start(exp time.Time) {
+func (dr *domainRenewal) start(notBefore, notAfter time.Time) {
 	dr.timerMu.Lock()
 	defer dr.timerMu.Unlock()
 	if dr.timer != nil {
 		return
 	}
-	dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
+	dr.timer = time.AfterFunc(dr.next(notBefore, notAfter), dr.renew)
 }
 
 // stop stops the cert renewal timer and waits for any in-flight calls to renew
@@ -79,7 +76,7 @@ func (dr *domainRenewal) renew() {
 	// TODO: rotate dr.key at some point?
 	next, err := dr.do(ctx)
 	if err != nil {
-		next = renewJitter / 2
+		next = time.Hour / 2
 		next += time.Duration(pseudoRand.int63n(int64(next)))
 	}
 	testDidRenewLoop(next, err)
@@ -107,8 +104,8 @@ func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
 	// a race is likely unavoidable in a distributed environment
 	// but we try nonetheless
 	if tlscert, err := dr.m.cacheGet(ctx, dr.ck); err == nil {
-		next := dr.next(tlscert.Leaf.NotAfter)
-		if next > dr.m.renewBefore()+renewJitter {
+		next := dr.next(tlscert.Leaf.NotBefore, tlscert.Leaf.NotAfter)
+		if next > 0 {
 			signer, ok := tlscert.PrivateKey.(crypto.Signer)
 			if ok {
 				state := &certState{
@@ -139,18 +136,23 @@ func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
 		return 0, err
 	}
 	dr.updateState(state)
-	return dr.next(leaf.NotAfter), nil
+	return dr.next(leaf.NotBefore, leaf.NotAfter), nil
 }
 
-func (dr *domainRenewal) next(expiry time.Time) time.Duration {
-	d := expiry.Sub(dr.m.now()) - dr.m.renewBefore()
-	// add a bit of randomness to renew deadline
-	n := pseudoRand.int63n(int64(renewJitter))
-	d -= time.Duration(n)
-	if d < 0 {
-		return 0
+// next returns the wait time before the next renewal should start.
+// If manager.RenewBefore is set, it uses that capped at 30 days,
+// otherwise it uses a default of 1/3 of the cert lifetime.
+// It builds in a jitter of 10% of the renew threshold, capped at 1 hour.
+func (dr *domainRenewal) next(notBefore, notAfter time.Time) time.Duration {
+	threshold := min(notAfter.Sub(notBefore)/3, 30*24*time.Hour)
+	if dr.m.RenewBefore > 0 {
+		threshold = min(dr.m.RenewBefore, 30*24*time.Hour)
 	}
-	return d
+	maxJitter := min(threshold/10, time.Hour)
+	jitter := pseudoRand.int63n(int64(maxJitter))
+	renewAt := notAfter.Add(-(threshold - time.Duration(jitter)))
+	renewWait := renewAt.Sub(dr.m.now())
+	return max(0, renewWait)
 }
 
 var testDidRenewLoop = func(next time.Duration, err error) {}
diff --git a/acme/autocert/renewal_test.go b/acme/autocert/renewal_test.go
index ffe4af2a5c..67e2da2e06 100644
--- a/acme/autocert/renewal_test.go
+++ b/acme/autocert/renewal_test.go
@@ -17,27 +17,60 @@ import (
 
 func TestRenewalNext(t *testing.T) {
 	now := time.Now()
-	man := &Manager{
-		RenewBefore: 7 * 24 * time.Hour,
-		nowFunc:     func() time.Time { return now },
-	}
-	defer man.stopRenew()
+	nowFn := func() time.Time { return now }
 	tt := []struct {
-		expiry   time.Time
-		min, max time.Duration
+		name        string
+		renewBefore time.Duration // arg to Manager
+		// leaf cert validity
+		notBefore time.Time
+		validFor  time.Duration
+		// wait time
+		waitMin, waitMax time.Duration
 	}{
-		{now.Add(90 * 24 * time.Hour), 83*24*time.Hour - renewJitter, 83 * 24 * time.Hour},
-		{now.Add(time.Hour), 0, 1},
-		{now, 0, 1},
-		{now.Add(-time.Hour), 0, 1},
+		{"default renewal, 1h cert, valid",
+			0, now, time.Hour, 40 * time.Minute, 50 * time.Minute},
+		{"default renewal, 1h cert, should renew",
+			0, now.Add(-50 * time.Minute), time.Hour, 0, 0},
+		{"default renewal, 1h cert, expired",
+			0, now.Add(-400 * 24 * time.Hour), time.Hour, 0, 0},
+		{"default renewal, 6d cert, valid",
+			0, now, 6 * 24 * time.Hour, 4 * 24 * time.Hour, (4*24 + 1) * time.Hour},
+		{"default renewal, 6d cert, should renew",
+			0, now.Add(-5 * 24 * time.Hour), 6 * 24 * time.Hour, 0, 0},
+		{"default renewal, 6d cert, expired",
+			0, now.Add(-400 * 24 * time.Hour), 6 * 24 * time.Hour, 0, 0},
+		{"default renewal, 90d cert, valid",
+			0, now, 90 * 24 * time.Hour, 60 * 24 * time.Hour, (60*24 + 1) * time.Hour},
+		{"default renewal, 90d cert, should renew",
+			0, now.Add(-70 * 24 * time.Hour), 90 * 24 * time.Hour, 0, 0},
+		{"default renewal, 90d cert, expired",
+			0, now.Add(-400 * 24 * time.Hour), 90 * 24 * time.Hour, 0, 0},
+		{"default renewal, 398d cert, valid",
+			0, now, 398 * 24 * time.Hour, (368 * 24) * time.Hour, (368*24 + 1) * time.Hour},
+		{"default renewal, 398d cert, should renew",
+			0, now.Add(-378 * 24 * time.Hour), 398 * 24 * time.Hour, 0, 0},
+		{"default renewal, 398d cert, expired",
+			0, now.Add(-400 * 24 * time.Hour), 398 * 24 * time.Hour, 0, 0},
+		{"7d renewal, 90d cert, valid",
+			7 * 24 * time.Hour, now, 90 * 24 * time.Hour, 83 * 24 * time.Hour, (83*24 + 1) * time.Hour},
+		{"7d renewal, 90d cert, should not renew",
+			7 * 24 * time.Hour, now.Add(-70 * 24 * time.Hour), 90 * 24 * time.Hour, 13 * 24 * time.Hour, (13*24 + 1) * time.Hour},
+		{"7d renewal, 90d cert, should renew",
+			7 * 24 * time.Hour, now.Add(-85 * 24 * time.Hour), 90 * 24 * time.Hour, 0, 0},
+		{"7d renewal, 90d cert, expired",
+			7 * 24 * time.Hour, now.Add(-400 * 24 * time.Hour), 90 * 24 * time.Hour, 0, 0},
 	}
 
-	dr := &domainRenewal{m: man}
-	for i, test := range tt {
-		next := dr.next(test.expiry)
-		if next < test.min || test.max < next {
-			t.Errorf("%d: next = %v; want between %v and %v", i, next, test.min, test.max)
-		}
+	for _, test := range tt {
+		t.Run(test.name, func(t *testing.T) {
+			dr := &domainRenewal{m: &Manager{RenewBefore: test.renewBefore, nowFunc: nowFn}}
+			defer dr.m.stopRenew()
+
+			next := dr.next(test.notBefore, test.notBefore.Add(test.validFor))
+			if next < test.waitMin || next > test.waitMax {
+				t.Errorf("expected wait time: %v <= %v <= %v", test.waitMin, next, test.waitMax)
+			}
+		})
 	}
 }
 
@@ -239,7 +272,7 @@ func TestRenewFromCacheAlreadyRenewed(t *testing.T) {
 	}
 
 	// trigger renew
-	man.startRenew(exampleCertKey, s.key, s.leaf.NotAfter)
+	man.startRenew(exampleCertKey, s.key, s.leaf.NotBefore, s.leaf.NotAfter)
 	<-renewed
 	func() {
 		man.renewalMu.Lock()

From f91f7a7c31bf90b39c1de895ad116a2bacc88748 Mon Sep 17 00:00:00 2001
From: Neal Patel <nealpatel@google.com>
Date: Wed, 10 Sep 2025 14:27:42 -0400
Subject: [PATCH 35/37] ssh/agent: prevent panic on malformed constraint

An attacker could supply a malformed Constraint that
would trigger a panic in a serving agent, effectively
causing denial of service.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-47914
Fixes golang/go#76364

Change-Id: I195bbc68b1560d4f04897722a6a653a7cbf086eb
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721960
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
---
 ssh/agent/server.go      | 3 +++
 ssh/agent/server_test.go | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/ssh/agent/server.go b/ssh/agent/server.go
index 88ce4da6c4..4e8ff86b61 100644
--- a/ssh/agent/server.go
+++ b/ssh/agent/server.go
@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
 	for len(constraints) != 0 {
 		switch constraints[0] {
 		case agentConstrainLifetime:
+			if len(constraints) < 5 {
+				return 0, false, nil, io.ErrUnexpectedEOF
+			}
 			lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
 			constraints = constraints[5:]
 		case agentConstrainConfirm:
diff --git a/ssh/agent/server_test.go b/ssh/agent/server_test.go
index 7700d18f1a..6309e2d9ab 100644
--- a/ssh/agent/server_test.go
+++ b/ssh/agent/server_test.go
@@ -8,6 +8,7 @@ import (
 	"crypto"
 	"crypto/rand"
 	"fmt"
+	"io"
 	pseudorand "math/rand"
 	"reflect"
 	"strings"
@@ -258,6 +259,12 @@ func TestParseConstraints(t *testing.T) {
 		t.Errorf("got extension %v, want %v", extensions, expect)
 	}
 
+	// Test Malformed Constraint
+	_, _, _, err = parseConstraints([]byte{1})
+	if err != io.ErrUnexpectedEOF {
+		t.Errorf("got %v, want %v", err, io.ErrUnexpectedEOF)
+	}
+
 	// Test Unknown Constraint
 	_, _, _, err = parseConstraints([]byte{128})
 	if err == nil || !strings.Contains(err.Error(), "unknown constraint") {

From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001
From: Neal Patel <nealpatel@google.com>
Date: Wed, 19 Nov 2025 13:35:12 -0500
Subject: [PATCH 36/37] ssh: curb GSSAPI DoS risk by limiting number of
 specified OIDs

Previously, an attacker could specify an integer up to 0xFFFFFFFF
that would directly allocate memory despite the observability of
the rest of the payload. This change places a hard cap on the
amount of mechanisms that can be specified and encoded in the
payload. Additionally, it performs a small sanity check to deny
payloads whose stated size is contradictory to the observed payload.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58181
Fixes golang/go#76363

Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 ssh/ssh_gss.go      |  8 +++++++-
 ssh/ssh_gss_test.go | 31 +++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/ssh/ssh_gss.go b/ssh/ssh_gss.go
index 24bd7c8e83..a6249a1227 100644
--- a/ssh/ssh_gss.go
+++ b/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 	if !ok {
 		return nil, errors.New("parse uint32 failed")
 	}
+	// Each ASN.1 encoded OID must have a minimum
+	// of 2 bytes; 64 maximum mechanisms is an
+	// arbitrary, but reasonable ceiling.
+	const maxMechs = 64
+	if n > maxMechs || int(n)*2 > len(rest) {
+		return nil, errors.New("invalid mechanism count")
+	}
 	s := &userAuthRequestGSSAPI{
 		N:    n,
 		OIDS: make([]asn1.ObjectIdentifier, n),
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 		if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
 			return nil, err
 		}
-
 	}
 	return s, nil
 }
diff --git a/ssh/ssh_gss_test.go b/ssh/ssh_gss_test.go
index 39a111288a..9e3ea8c22c 100644
--- a/ssh/ssh_gss_test.go
+++ b/ssh/ssh_gss_test.go
@@ -17,6 +17,37 @@ func TestParseGSSAPIPayload(t *testing.T) {
 	}
 }
 
+func TestParseDubiousGSSAPIPayload(t *testing.T) {
+	for _, tc := range []struct {
+		name    string
+		payload []byte
+		wanterr bool
+	}{
+		{
+			"num mechanisms is unrealistic",
+			[]byte{0xFF, 0x00, 0x00, 0xFF,
+				0x00, 0x00, 0x00, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02},
+			true,
+		},
+		{
+			"num mechanisms greater than payload",
+			[]byte{0x00, 0x00, 0x00, 0x40, // 64, |rest| too small
+				0x00, 0x00, 0x00, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02},
+			true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := parseGSSAPIPayload(tc.payload)
+			if tc.wanterr && err == nil {
+				t.Errorf("got nil, want error")
+			}
+			if !tc.wanterr && err != nil {
+				t.Errorf("got %v, want nil", err)
+			}
+		})
+	}
+}
+
 func TestBuildMIC(t *testing.T) {
 	sessionID := []byte{134, 180, 134, 194, 62, 145, 171, 82, 119, 149, 254, 196, 125, 173, 177, 145, 187, 85, 53,
 		183, 44, 150, 219, 129, 166, 195, 19, 33, 209, 246, 175, 121}

From 4e0068c0098be10d7025c99ab7c50ce454c1f0f9 Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Wed, 19 Nov 2025 11:44:35 -0800
Subject: [PATCH 37/37] go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I3923d98d88595230b12db261c48168b863dc2ce9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/722000
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Neal Patel <nealpatel@google.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 7c5b2e95ae..ed7433125c 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module golang.org/x/crypto
 go 1.24.0
 
 require (
-	golang.org/x/net v0.46.0 // tagx:ignore
+	golang.org/x/net v0.47.0 // tagx:ignore
 	golang.org/x/sys v0.38.0
 	golang.org/x/term v0.37.0
 )
diff --git a/go.sum b/go.sum
index 69212f3190..3a0b108e1d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=