From f4602e40409257658159002a9af6aedb875949fb Mon Sep 17 00:00:00 2001 From: Michael Stapelberg Date: Tue, 2 Dec 2025 14:40:57 +0100 Subject: [PATCH 1/5] ssh/agent: fix flaky test by ensuring a writeable home directory This fixes flakiness observed inside Google (b/465393996). Change-Id: Ic3decc3206b470cddf22c441b0cf92bb2bebb075 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/724002 Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI --- ssh/agent/client_test.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ssh/agent/client_test.go b/ssh/agent/client_test.go
index 0fd284d786..2ca92a48e1 100644
--- a/ssh/agent/client_test.go
+++ b/ssh/agent/client_test.go
@@ -40,7 +40,11 @@ func startOpenSSHAgent(t *testing.T) (client ExtendedAgent, socket string, clean
 }
 
 cmd := exec.Command(bin, "-s")
- cmd.Env = []string{} // Do not let the user's environment influence ssh-agent behavior.
+ cmd.Env = []string{
+ // ssh-agent creates ~/.ssh and ~/.ssh/agent;
+ // ensure a writeable home directory.
+ "HOME=" + t.TempDir(),
+ } // Do not let the user's environment influence ssh-agent behavior.
 cmd.Stderr = new(bytes.Buffer)
 out, err := cmd.Output()
 if err != nil {
From 3a1c6b4b61966d06b6469ad7bc15839ba76eeb89 Mon Sep 17 00:00:00 2001 From: Gopher Robot Date: Mon, 24 Nov 2025 17:28:54 +0000 Subject: [PATCH 2/5] x509roots/fallback: update bundle This is an automated CL which updates the NSS root bundle. [git-generate] go generate ./x509roots Change-Id: Icde363f2fa61d1cb85552e57d4cae30b33ec96ed Reviewed-on: https://go-review.googlesource.com/c/crypto/+/723803 Auto-Submit: Gopher Robot LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker Reviewed-by: Dmitri Shuralyov --- x509roots/fallback/bundle/bundle.der | Bin 156781 -> 152908 bytes x509roots/fallback/bundle/bundle.go | 246 ++++++++++++--------------- 2 files changed, 111 insertions(+), 135 deletions(-)
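Review bot: In startOpenSSHAgent the comment `// Do not let the user's environment influence ssh-agent behavior.` now trails the closing `}` of the `cmd.Env` literal, where it no longer reads as the reason the environment is built from scratch. Put it on its own line above the assignment, for example `// Build the environment from scratch so the user's settings cannot influence ssh-agent.` directly before `cmd.Env = []string{`. The function begins and ends outside the hunk.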
diff --git a/x509roots/fallback/bundle/bundle.der b/x509roots/fallback/bundle/bundle.der index 7c75ce5e070fcfe21d67283484dcf8e72b024236..ae76992db012033be578a5cfd3b6d9d3268ec74a 100644 GIT binary patch delta 18 acmaERg7eHO&JETb%`wxr$4qAwJPQC>VhFGR delta 3420 zcmbuBS6CC+8buRA#{g1AdJjDbA%GDO5D=sjK&k--MT#K3M~W0_VkFVfr6VmgDI(GY zl-?8p1u;NqN-v7uxoyU|-+h^x$9*3Dm-X#+_CPtqMjt~BDnW=J8VxMS15p8~s5rEJ zqJxHw91vTts^ALB2fNsSyd2zI6CbYKmEQIggSNMqmxYVBk1I?DDn$#jqz0W5`Rz@} zG{D*OhKmr|H^9$dNJm>+$lTl8Uk(a`3UGtrFen190#jC0LMYmDgAvHzBHR{gj3c>n zDgVXu1T!-r59TtGQf2K}>hoqK&EGkw%Q3W^-1vAa_=GCbdM-UA%d^=$0sTyY`gzmf zKI^E|dc#Ow*Ox>eo>nv09__5IOqXn-72<-vyTs`4wC+G-|~~fV_6gjOBoi z?v?7JaN|jq0VtFy?HW#fxUDCy?TGZWUcH{KZwC+C*(fwQEHF-y;=Ix{>5bj=6ltib zzNEw0R;vG?JyyGBCe{EX%5&Y_yW{3FT2i71WgXCtTc{iA3TcD{}2?36#9Te*QhRrt*Lnzi}NQdHw;UpSZ^w;8ET zb%#dNctWE==>IfK9i$%>z~v81HGDGJbB|UE-=oSpM}VaQ1^;}<%q=wkPsfl5rJqs# zGyXMHzn>@6FaSlcHJ4lq!2DW^>0a5fg-&?3&W)~jq6nVA{nZmo+kH!*1hM<)s3;D=BKmMEn=>{T*zD$zIiy|3~I)?-{ok+`W(tf>#B${`}cZiJ{^%N z$i7_@8H97u`ih7_`4!j-BiHnf&u~w-TB2kOmVa=0UNisSL-L8 z7G6!iefFV7S(K|rM{;5h9!g{!-ks<}Y-B4uOHqll*d*kZ)w(?3PGOn7CLL~W7V!E} z>WZ3udkzYMO^KmmDa-Z!C@WJpdyN3NFj9z4&2$LUK}t;dYOf8ySOw1xu`NZY9aJooGhXX$S+o-+`nzZv4^QaU8fbD=%{{R5^;w9%5%!n)W0`k;F;PF# zL2VCOKQ*Oh!CeM(Tiv2av3AwS_MlCE?16r!`T7_($TlK9+o)4j?o&(jq4&120E_XG zhE0*^tXh02W3cC^D$Ifk>54y6Ae~f z&R9@q$;x-(gvF$AFT782C_5Ar{o$RRN4>?ItTs)bPRLDOge?vr2e!Io`2COhHmwvR zvIzcz+iHZ7bi_!d8kfEHa>R?cl~5&@t%0b%mrN`2=1PUd`uAMSDi9SkC~E*^+E-PqtS9hk52H2|9Xz!6o1*?Db$>LYVM=CEIo>#oGyvLtp*y!dWg zlN^$jNV;M~bTh%A$@{wOsR%-cfgs5U+9nRd5+!^+*k`gurv3_0T=VhpYBKWSFRpwdY(SnM;g=K^f{3a?p&^ ztPuJ3JSz1cjyB_18s?0v7CN6j;wLW+auwra7CzL`?sRa>l&te5Io!Jk_BC5}I^uX$ z9h25xO=7fhn6-cN314Z4;eS^}s8yY&-3tV;AG#R|*C=(*TGsY=Xxj26zDV}=&+||; zY5+n`Dk~GYQN_gAXKTr;-M7R_TcnQYYbC9e;8#~wzru);lRN`o{zrOfu69(UYR0XU z(Q-gh99SkTl*agPJMRzQ6Abx>UGZ!D@2*h!Q@i4K=fMdi2B0u@;h6cW8-T6PXtF}2 zTM3BjL6dC)U5c=49o_B^+u$kOx7Qq6MxE8fMR}AsDA>djUgz^urpt&75S&zx6HzPq zNZMEmGnS9f1S(<;Uzq``Bq)EXVXKFvi{-Q*J=9``)AtUxwVUK 
z%z9KpVnP(wRf@pM!0VDkisH25RptDiFHh8tgKL&$bFusCxtRISmnipi1Zd2H&&smN z+CwV9k41A3X*5fZ6^Bj-u}?4;3TO$&4f=eamgiLCZ*AJPu$~!s=`WRarVbgPBF}=( zKfEuPh&O4S*vzJ&kXj9lDCvn`LXfNrN9iD$Fd_6HnCEPtCLA$Z^Jw9o0Pq5`;puT1 zIVhk|1RLd0lk`cFjRl?Xa^{Zz($g1jilvTc-tXWDlGK(8jNZyUYV6gFfHK)6z9`6> z&vCG_s_mOiuiRzPdT*r@4 zC*!kI=)a{GcY|c4K*==`!MUY=5`I)Lq+`MBchLe6$c)fh_{BNCXNq>55F=C; z+1e=FSp<#+ENn}%#`Hi!(hIvWzoJ5$y zctVEFO>%dgX&(o@L1q$r45`q!78R(dIXhckOy|un#+KU`*rqU@x+}Z+bWDX+3~8pY zXzvguT=K5f_{S1m>Gx)^q-U#-tz{@XWlLKBM(@>lYeVf2uXC;xsJ-UqT2PT6Tf$0v zL=~3YT`CApq+gXU zxFRSWO>7Eaj4~%IUUTx;P*)MaJ6SHIqmwt1#RQ}JS&4p+WVnod0UBuD!<3e!Wsa#v z9TUttzN$-s%Gemp+yX{qiyyG8H-|Bq*_%b2)64}-GI{gsed|-_cbaS8PzQxp PgvF>NJXJ{mat!_h#(Ch) diff --git a/x509roots/fallback/bundle/bundle.go b/x509roots/fallback/bundle/bundle.go index 8b8f20a470..3f5222130c 100644 --- a/x509roots/fallback/bundle/bundle.go +++ b/x509roots/fallback/bundle/bundle.go 
@@ -199,699 +199,675 @@ var unparsedCertificates = []unparsedCertificate{ certStartOff: 33396, certLength: 1476, }, - { - cn: "CN=CommScope Public Trust ECC Root-01,O=CommScope,C=US", - sha256Hash: "11437cda7bb45e41365f45b39a38986b0de00def348e0c7bb0873633800bc38b", - certStartOff: 34872, - certLength: 545, - }, - { - cn: "CN=CommScope Public Trust ECC Root-02,O=CommScope,C=US", - sha256Hash: "2ffb7f813bbbb3c89ab4e8162d0f16d71509a830cc9d73c262e5140875d1ad4a", - certStartOff: 35417, - certLength: 544, - }, - { - cn: "CN=CommScope Public Trust RSA Root-01,O=CommScope,C=US", - sha256Hash: "02bdf96e2a45dd9bf18fc7e1dbdf21a0379ba3c9c2610344cfd8d606fec1ed81", - certStartOff: 35961, - certLength: 1392, - }, - { - cn: "CN=CommScope Public Trust RSA Root-02,O=CommScope,C=US", - sha256Hash: "ffe943d793424b4f7c440c1c3d648d5363f34b82dc87aa7a9f118fc5dee101f1", - certStartOff: 37353, - certLength: 1392, - }, { cn: "CN=D-TRUST BR Root CA 1 2020,O=D-Trust GmbH,C=DE", sha256Hash: "e59aaa816009c22bff5b25bad37df306f049797c1f81d85ab089e657bd8f0044", - certStartOff: 38745, + certStartOff: 34872, certLength: 735, }, { cn: "CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE", sha256Hash: "0552e6f83fdf65e8fa9670e666df28a4e21340b510cbe52566f97c4fb94b2bd1", - certStartOff: 39480, + certStartOff: 35607, certLength: 1453, }, { cn: "CN=D-TRUST EV Root CA 1 2020,O=D-Trust GmbH,C=DE", sha256Hash: "08170d1aa36453901a2f959245e347db0c8d37abaabc56b81aa100dc958970db", - certStartOff: 40933, + certStartOff: 37060, certLength: 735, }, { cn: "CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE", sha256Hash: "8e8221b2e7d4007836a1672f0dcc299c33bc07d316f132fa1a206d587150f1ce", - certStartOff: 41668, + certStartOff: 37795, certLength: 1453, }, { cn: "CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE", sha256Hash: "49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1", - certStartOff: 43121, + certStartOff: 39248, certLength: 1079, }, { cn: "CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE", 
sha256Hash: "eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881", - certStartOff: 44200, + certStartOff: 40327, certLength: 1095, }, { cn: "CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c", - certStartOff: 45295, + certStartOff: 41422, certLength: 955, }, { cn: "CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "7d05ebb682339f8c9451ee094eebfefa7953a114edb2f44949452fab7d2fc185", - certStartOff: 46250, + certStartOff: 42377, certLength: 922, }, { cn: "CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "7e37cb8b4c47090cab36551ba6f45db840680fba166a952db100717f43053fc2", - certStartOff: 47172, + certStartOff: 43299, certLength: 586, }, { cn: "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161", - certStartOff: 47758, + certStartOff: 43885, certLength: 947, }, { cn: "CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f", - certStartOff: 48705, + certStartOff: 44832, certLength: 914, }, { cn: "CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0", - certStartOff: 49619, + certStartOff: 45746, certLength: 579, }, { cn: "CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf", - certStartOff: 50198, + certStartOff: 46325, certLength: 969, }, { cn: "CN=DigiCert TLS ECC P384 Root G5,O=DigiCert\\, Inc.,C=US", sha256Hash: "018e13f0772532cf809bd1b17281867283fc48c6e13be9c69812854a490c1b05", - certStartOff: 51167, + certStartOff: 47294, certLength: 541, }, { cn: "CN=DigiCert TLS RSA4096 Root G5,O=DigiCert\\, 
Inc.,C=US", sha256Hash: "371a00dc0533b3721a7eeb40e8419e70799d2b0a0f2c1d80693165f7cec4ad75", - certStartOff: 51708, + certStartOff: 47835, certLength: 1386, }, { cn: "CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US", sha256Hash: "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988", - certStartOff: 53094, + certStartOff: 49221, certLength: 1428, }, { cn: "CN=Entrust Root Certification Authority - EC1,OU=See www.entrust.net/legal-terms+OU=(c) 2012 Entrust\\, Inc. - for authorized use only,O=Entrust\\, Inc.,C=US", sha256Hash: "02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5", - certStartOff: 54522, + certStartOff: 50649, certLength: 765, distrustAfter: "2024-11-30T23:59:59Z", }, { cn: "CN=Entrust Root Certification Authority - G2,OU=See www.entrust.net/legal-terms+OU=(c) 2009 Entrust\\, Inc. - for authorized use only,O=Entrust\\, Inc.,C=US", sha256Hash: "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339", - certStartOff: 55287, + certStartOff: 51414, certLength: 1090, distrustAfter: "2024-11-30T23:59:59Z", }, { cn: "CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2006 Entrust\\, Inc.,O=Entrust\\, Inc.,C=US", sha256Hash: "73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c", - certStartOff: 56377, + certStartOff: 52504, certLength: 1173, distrustAfter: "2024-11-30T23:59:59Z", }, { cn: "CN=FIRMAPROFESIONAL CA ROOT-A WEB,O=Firmaprofesional SA,C=ES,2.5.4.97=#130f56415445532d413632363334303638", sha256Hash: "bef256daf26e9c69bdec1602359798f3caf71821a03e018257c53c65617f3d4a", - certStartOff: 57550, + certStartOff: 53677, certLength: 638, }, { cn: "CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.\\,LTD.,C=CN", sha256Hash: "bfff8fd04433487d6a8aa60c1a29767a9fc2bbb05e420f713a13b992891d3893", - certStartOff: 58188, + certStartOff: 54315, certLength: 1420, }, { cn: "CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT", sha256Hash: 
"9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a", - certStartOff: 59608, + certStartOff: 55735, certLength: 1414, distrustAfter: "2024-06-30T00:00:00Z", }, { cn: "CN=GTS Root R1,O=Google Trust Services LLC,C=US", sha256Hash: "d947432abde7b7fa90fc2e6b59101b1280e0e1c7e4e40fa3c6887fff57a7f4cf", - certStartOff: 61022, + certStartOff: 57149, certLength: 1371, }, { cn: "CN=GTS Root R2,O=Google Trust Services LLC,C=US", sha256Hash: "8d25cd97229dbf70356bda4eb3cc734031e24cf00fafcfd32dc76eb5841c7ea8", - certStartOff: 62393, + certStartOff: 58520, certLength: 1371, }, { cn: "CN=GTS Root R3,O=Google Trust Services LLC,C=US", sha256Hash: "34d8a73ee208d9bcdb0d956520934b4e40e69482596e8b6f73c8426b010a6f48", - certStartOff: 63764, + certStartOff: 59891, certLength: 525, }, { cn: "CN=GTS Root R4,O=Google Trust Services LLC,C=US", sha256Hash: "349dfa4058c5e263123b398ae795573c4e1313c83fe68f93556cd5e8031b3c7d", - certStartOff: 64289, + certStartOff: 60416, certLength: 525, }, { cn: "CN=GlobalSign Root E46,O=GlobalSign nv-sa,C=BE", sha256Hash: "cbb9c44d84b8043e1050ea31a69f514955d7bfd2e2c6b49301019ad61d9f5058", - certStartOff: 64814, + certStartOff: 60941, certLength: 527, }, { cn: "CN=GlobalSign Root R46,O=GlobalSign nv-sa,C=BE", sha256Hash: "4fa3126d8d3a11d1c4855a4f807cbad6cf919d3a5a88b03bea2c6372d93c40c9", - certStartOff: 65341, + certStartOff: 61468, certLength: 1374, }, { cn: "CN=GlobalSign,OU=GlobalSign ECC Root CA - R4,O=GlobalSign", sha256Hash: "b085d70b964f191a73e4af0d54ae7a0e07aafdaf9b71dd0862138ab7325a24a2", - certStartOff: 66715, + certStartOff: 62842, certLength: 480, }, { cn: "CN=GlobalSign,OU=GlobalSign ECC Root CA - R5,O=GlobalSign", sha256Hash: "179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c8924", - certStartOff: 67195, + certStartOff: 63322, certLength: 546, }, { cn: "CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign", sha256Hash: "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b", - certStartOff: 67741, + 
certStartOff: 63868, certLength: 867, }, { cn: "CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign", sha256Hash: "2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69", - certStartOff: 68608, + certStartOff: 64735, certLength: 1415, }, { cn: "CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US", sha256Hash: "45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda", - certStartOff: 70023, + certStartOff: 66150, certLength: 969, }, { cn: "CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR", sha256Hash: "3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401", - certStartOff: 70992, + certStartOff: 67119, certLength: 600, }, { cn: "CN=HARICA TLS RSA Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR", sha256Hash: "d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d", - certStartOff: 71592, + certStartOff: 67719, certLength: 1448, }, { cn: "CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR", sha256Hash: "44b545aa8a25e65a73ca15dc27fc36d24c1cb9953a066539b11582dc487b4833", - certStartOff: 73040, + certStartOff: 69167, certLength: 711, }, { cn: "CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. 
Authority,L=Athens,C=GR", sha256Hash: "a040929a02ce53b4acf4f2ffc6981ce4496f755e6d45fe0b2a692bcd52523f36", - certStartOff: 73751, + certStartOff: 69878, certLength: 1551, }, { cn: "CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co.\\, Ltd.,C=TW", sha256Hash: "f015ce3cc239bfef064be9f1d2c417e1a0264a0a94be1f0c8d121864eb6949cc", - certStartOff: 75302, + certStartOff: 71429, certLength: 1390, }, { cn: "CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK", sha256Hash: "5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6", - certStartOff: 76692, + certStartOff: 72819, certLength: 1491, }, { cn: "CN=ISRG Root X1,O=Internet Security Research Group,C=US", sha256Hash: "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6", - certStartOff: 78183, + certStartOff: 74310, certLength: 1391, }, { cn: "CN=ISRG Root X2,O=Internet Security Research Group,C=US", sha256Hash: "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470", - certStartOff: 79574, + certStartOff: 75701, certLength: 543, }, { cn: "CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US", sha256Hash: "5d56499be4d2e08bcfcad08a3e38723d50503bde706948e42f55603019e528ae", - certStartOff: 80117, + certStartOff: 76244, certLength: 1380, }, { cn: "CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US", sha256Hash: "30d0895a9a448a262091635522d1f52010b5867acae12c78ef958fd4f4389f2f", - certStartOff: 81497, + certStartOff: 77624, certLength: 1386, }, { cn: "CN=Izenpe.com,O=IZENPE S.A.,C=ES", sha256Hash: "2530cc8e98321502bad96f9b1fba1b099e2d299e0f4548bb914f363bc0d4531f", - certStartOff: 82883, + certStartOff: 79010, certLength: 1525, }, { cn: "CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU,1.2.840.113549.1.9.1=#0c10696e666f40652d737a69676e6f2e6875", sha256Hash: "3c5f81fea5fab82c64bfa2eaecafcde8e077fc8620a7cae537163df36edbf378", - certStartOff: 84408, + certStartOff: 80535, certLength: 1038, }, { cn: "CN=Microsoft ECC Root Certificate Authority 2017,O=Microsoft 
Corporation,C=US", sha256Hash: "358df39d764af9e1b766e9c972df352ee15cfac227af6ad1d70e8e4a6edcba02", - certStartOff: 85446, + certStartOff: 81573, certLength: 605, }, { cn: "CN=Microsoft RSA Root Certificate Authority 2017,O=Microsoft Corporation,C=US", sha256Hash: "c741f70f4b2a8d88bf2e71c14122ef53ef10eba0cfa5e64cfa20f418853073e0", - certStartOff: 86051, + certStartOff: 82178, certLength: 1452, }, { cn: "CN=NAVER Global Root Certification Authority,O=NAVER BUSINESS PLATFORM Corp.,C=KR", sha256Hash: "88f438dcf8ffd1fa8f429115ffe5f82ae1e06e0c70c375faad717b34a49e7265", - certStartOff: 87503, + certStartOff: 83630, certLength: 1446, }, { cn: "CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU", sha256Hash: "6c61dac3a2def031506be036d2a6fe401994fbd13df9c8d466599274c446ec98", - certStartOff: 88949, + certStartOff: 85076, certLength: 1049, }, { cn: "CN=OISTE Server Root ECC G1,O=OISTE Foundation,C=CH", sha256Hash: "eec997c0c30f216f7e3b8b307d2bae42412d753fc8219dafd1520b2572850f49", - certStartOff: 89998, + certStartOff: 86125, certLength: 569, }, { cn: "CN=OISTE Server Root RSA G1,O=OISTE Foundation,C=CH", sha256Hash: "9ae36232a5189ffddb353dfd26520c015395d22777dac59db57b98c089a651e6", - certStartOff: 90567, + certStartOff: 86694, certLength: 1415, }, { cn: "CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH", sha256Hash: "6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6", - certStartOff: 91982, + certStartOff: 88109, certLength: 953, }, { cn: "CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH", sha256Hash: "8560f91c3624daba9570b5fea0dbe36ff11a8323be9486854fb3f34a5571198d", - certStartOff: 92935, + certStartOff: 89062, certLength: 621, }, { cn: "CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM", sha256Hash: "8a866fd1b276b57e578e921c65828a2bed58e9f2f288054134b7f1f4bfc9cc74", - certStartOff: 93556, + certStartOff: 89683, certLength: 1380, 
}, { cn: "CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM", sha256Hash: "8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840", - certStartOff: 94936, + certStartOff: 91063, certLength: 1380, }, { cn: "CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM", sha256Hash: "85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86", - certStartOff: 96316, + certStartOff: 92443, certLength: 1467, }, { cn: "CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM", sha256Hash: "88ef81de202eb018452e43f864725cea5fbd1fc2d9d205730709c5d8b8690f46", - certStartOff: 97783, + certStartOff: 93910, certLength: 1380, }, { cn: "CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM", sha256Hash: "18f1fc7f205df8adddeb7fe007dd57e3af375a9c4d8d73546bf4f1fed1e18d35", - certStartOff: 99163, + certStartOff: 95290, certLength: 1697, }, { cn: "CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US", sha256Hash: "22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8", - certStartOff: 100860, + certStartOff: 96987, certLength: 664, }, { cn: "CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US", sha256Hash: "2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c", - certStartOff: 101524, + certStartOff: 97651, certLength: 1519, }, { cn: "CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US", sha256Hash: "3417bb06cc6007da1b961c920b8ab4ce3fad820e4aa30b9acbc4a74ebdcebc65", - certStartOff: 103043, + certStartOff: 99170, certLength: 657, }, { cn: "CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US", sha256Hash: "85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69", - certStartOff: 103700, + certStartOff: 99827, certLength: 1505, }, { cn: "CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US", sha256Hash: "c32ffd9f46f936d16c3673990959434b9ad60aafbb9e7cf33654f144cc1ba143", - certStartOff: 105205, + certStartOff: 101332, certLength: 
574, }, { cn: "CN=SSL.com TLS RSA Root CA 2022,O=SSL Corporation,C=US", sha256Hash: "8faf7d2e2cb4709bb8e0b33666bf75a5dd45b5de480f8ea8d4bfe6bebc17f2ed", - certStartOff: 105779, + certStartOff: 101906, certLength: 1421, }, { cn: "CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL", sha256Hash: "a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe", - certStartOff: 107200, + certStartOff: 103327, certLength: 886, }, { cn: "CN=Sectigo Public Server Authentication Root E46,O=Sectigo Limited,C=GB", sha256Hash: "c90f26f0fb1b4018b22227519b5ca2b53e2ca5b3be5cf18efe1bef47380c5383", - certStartOff: 108086, + certStartOff: 104213, certLength: 574, }, { cn: "CN=Sectigo Public Server Authentication Root R46,O=Sectigo Limited,C=GB", sha256Hash: "7bb647a62aeeac88bf257aa522d01ffea395e0ab45c73f93f65654ec38f25a06", - certStartOff: 108660, + certStartOff: 104787, certLength: 1422, }, { cn: "CN=Secure Global CA,O=SecureTrust Corporation,C=US", sha256Hash: "4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69", - certStartOff: 110082, + certStartOff: 106209, certLength: 960, }, { cn: "CN=SecureSign Root CA12,O=Cybertrust Japan Co.\\, Ltd.,C=JP", sha256Hash: "3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e", - certStartOff: 111042, + certStartOff: 107169, certLength: 886, }, { cn: "CN=SecureSign Root CA14,O=Cybertrust Japan Co.\\, Ltd.,C=JP", sha256Hash: "4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338", - certStartOff: 111928, + certStartOff: 108055, certLength: 1398, }, { cn: "CN=SecureSign Root CA15,O=Cybertrust Japan Co.\\, Ltd.,C=JP", sha256Hash: "e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a", - certStartOff: 113326, + certStartOff: 109453, certLength: 551, }, { cn: "CN=SecureTrust CA,O=SecureTrust Corporation,C=US", sha256Hash: "f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73", - certStartOff: 113877, + certStartOff: 110004, certLength: 956, }, { cn: "CN=Security Communication ECC 
RootCA1,O=SECOM Trust Systems CO.\\,LTD.,C=JP", sha256Hash: "e74fbda55bd564c473a36b441aa799c8a68e077440e8288b9fa1e50e4bbaca11", - certStartOff: 114833, + certStartOff: 110960, certLength: 572, }, { cn: "CN=Starfield Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US", sha256Hash: "2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5", - certStartOff: 115405, + certStartOff: 111532, certLength: 993, }, { cn: "CN=Starfield Services Root Certificate Authority - G2,O=Starfield Technologies\\, Inc.,L=Scottsdale,ST=Arizona,C=US", sha256Hash: "568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5", - certStartOff: 116398, + certStartOff: 112525, certLength: 1011, }, { cn: "CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH", sha256Hash: "62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688f647c6881f2c8357b95", - certStartOff: 117409, + certStartOff: 113536, certLength: 1470, }, { cn: "CN=SwissSign RSA TLS Root CA 2022 - 1,O=SwissSign AG,C=CH", sha256Hash: "193144f431e0fddb740717d4de926a571133884b4360d30e272913cbe660ce41", - certStartOff: 118879, + certStartOff: 115006, certLength: 1431, }, { cn: "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE", sha256Hash: "91e2f5788d5810eba7ba58737de1548a8ecacd014598bc0b143e041b17052552", - certStartOff: 120310, + certStartOff: 116437, certLength: 967, }, { cn: "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE", sha256Hash: "fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd", - certStartOff: 121277, + certStartOff: 117404, certLength: 967, }, { cn: "CN=TWCA CYBER Root CA,OU=Root CA,O=TAIWAN-CA,C=TW", sha256Hash: "3f63bb2814be174ec8b6439cf08d6d56f0b7c405883a5648a334424d6b3ec558", - certStartOff: 122244, + certStartOff: 118371, certLength: 1425, }, { cn: "CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW", sha256Hash: 
"59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b", - certStartOff: 123669, + certStartOff: 119796, certLength: 1349, }, { cn: "CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW", sha256Hash: "bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44", - certStartOff: 125018, + certStartOff: 121145, certLength: 895, }, { cn: "CN=Telekom Security TLS ECC Root 2020,O=Deutsche Telekom Security GmbH,C=DE", sha256Hash: "578af4ded0853f4e5998db4aeaf9cbea8d945f60b620a38d1a3c13b2bc7ba8e1", - certStartOff: 125913, + certStartOff: 122040, certLength: 582, }, { cn: "CN=Telekom Security TLS RSA Root 2023,O=Deutsche Telekom Security GmbH,C=DE", sha256Hash: "efc65cadbb59adb6efe84da22311b35624b71b3b1ea0da8b6655174ec8978646", - certStartOff: 126495, + certStartOff: 122622, certLength: 1463, }, { cn: "CN=Telia Root CA v2,O=Telia Finland Oyj,C=FI", sha256Hash: "242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c", - certStartOff: 127958, + certStartOff: 124085, certLength: 1400, }, { cn: "CN=TeliaSonera Root CA v1,O=TeliaSonera", sha256Hash: "dd6936fe21f8f077c123a1a521c12224f72255b73e03a7260693e8a24b0fa389", - certStartOff: 129358, + certStartOff: 125485, certLength: 1340, }, { cn: "CN=TrustAsia Global Root CA G3,O=TrustAsia Technologies\\, Inc.,C=CN", sha256Hash: "e0d3226aeb1163c2e48ff9be3b50b4c6431be7bb1eacc5c36b5d5ec509039a08", - certStartOff: 130698, + certStartOff: 126825, certLength: 1449, }, { cn: "CN=TrustAsia Global Root CA G4,O=TrustAsia Technologies\\, Inc.,C=CN", sha256Hash: "be4b56cb5056c0136a526df444508daa36a0b54f42e4ac38f72af470e479654c", - certStartOff: 132147, + certStartOff: 128274, certLength: 601, }, { cn: "CN=TrustAsia TLS ECC Root CA,O=TrustAsia Technologies\\, Inc.,C=CN", sha256Hash: "c0076b9ef0531fb1a656d67c4ebe97cd5dbaa41ef44598acc2489878c92d8711", - certStartOff: 132748, + certStartOff: 128875, certLength: 565, }, { cn: "CN=TrustAsia TLS RSA Root CA,O=TrustAsia Technologies\\, Inc.,C=CN", sha256Hash: 
"06c08d7dafd876971eb1124fe67f847ec0c7a158d3ea53cbe940e2ea9791f4c3", - certStartOff: 133313, + certStartOff: 129440, certLength: 1412, }, { cn: "CN=Trustwave Global Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US", sha256Hash: "97552015f5ddfc3c8788c006944555408894450084f100867086bc1a2bb58dc8", - certStartOff: 134725, + certStartOff: 130852, certLength: 1502, }, { cn: "CN=Trustwave Global ECC P256 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US", sha256Hash: "945bbc825ea554f489d1fd51a73ddf2ea624ac7019a05205225c22a78ccfa8b4", - certStartOff: 136227, + certStartOff: 132354, certLength: 612, }, { cn: "CN=Trustwave Global ECC P384 Certification Authority,O=Trustwave Holdings\\, Inc.,L=Chicago,ST=Illinois,C=US", sha256Hash: "55903859c8c0c3ebb8759ece4e2557225ff5758bbd38ebd48276601e1bd58097", - certStartOff: 136839, + certStartOff: 132966, certLength: 673, }, { cn: "CN=TunTrust Root CA,O=Agence Nationale de Certification Electronique,C=TN", sha256Hash: "2e44102ab58cb85419451c8e19d9acf3662cafbc614b6a53960a30f7d0e2eb41", - certStartOff: 137512, + certStartOff: 133639, certLength: 1463, }, { cn: "CN=UCA Extended Validation Root,O=UniTrust,C=CN", sha256Hash: "d43af9b35473755c9684fc06d7d8cb70ee5c28e773fb294eb41ee71722924d24", - certStartOff: 138975, + certStartOff: 135102, certLength: 1374, }, { cn: "CN=UCA Global G2 Root,O=UniTrust,C=CN", sha256Hash: "9bea11c976fe014764c1be56a6f914b5a560317abd9988393382e5161aa0493c", - certStartOff: 140349, + certStartOff: 136476, certLength: 1354, }, { cn: "CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US", sha256Hash: "4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a", - certStartOff: 141703, + certStartOff: 137830, certLength: 659, }, { cn: "CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US", sha256Hash: 
"e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2", - certStartOff: 142362, + certStartOff: 138489, certLength: 1506, }, { cn: "CN=e-Szigno Root CA 2017,O=Microsec Ltd.,L=Budapest,C=HU,2.5.4.97=#130e56415448552d3233353834343937", sha256Hash: "beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99", - certStartOff: 143868, + certStartOff: 139995, certLength: 580, }, { cn: "CN=emSign ECC Root CA - C3,OU=emSign PKI,O=eMudhra Inc,C=US", sha256Hash: "bc4d809b15189d78db3e1d8cf4f9726a795da1643ca5f1358e1ddb0edc0d7eb3", - certStartOff: 144448, + certStartOff: 140575, certLength: 559, }, { cn: "CN=emSign ECC Root CA - G3,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN", sha256Hash: "86a1ecba089c4a8d3bbe2734c612ba341d813e043cf9e8a862cd5c57a36bbe6b", - certStartOff: 145007, + certStartOff: 141134, certLength: 594, }, { cn: "CN=emSign Root CA - C1,OU=emSign PKI,O=eMudhra Inc,C=US", sha256Hash: "125609aa301da0a249b97a8239cb6a34216f44dcac9f3954b14292f2e8c8608f", - certStartOff: 145601, + certStartOff: 141728, certLength: 887, }, { cn: "CN=emSign Root CA - G1,OU=emSign PKI,O=eMudhra Technologies Limited,C=IN", sha256Hash: "40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367", - certStartOff: 146488, + certStartOff: 142615, certLength: 920, }, { cn: "CN=vTrus ECC Root CA,O=iTrusChina Co.\\,Ltd.,C=CN", sha256Hash: "30fbba2c32238e2a98547af97931e550428b9b3f1c8eeb6633dcfa86c5b27dd3", - certStartOff: 147408, + certStartOff: 143535, certLength: 531, }, { cn: "CN=vTrus Root CA,O=iTrusChina Co.\\,Ltd.,C=CN", sha256Hash: "8a71de6559336f426c26e53880d00d88a18da4c6a91f0dcb6194e206c5c96387", - certStartOff: 147939, + certStartOff: 144066, certLength: 1370, }, { cn: "OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES", sha256Hash: "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa", - certStartOff: 149309, + certStartOff: 145436, certLength: 1415, }, { cn: "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\\,LTD.,C=JP", sha256Hash: 
"513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6", - certStartOff: 150724, + certStartOff: 146851, certLength: 891, }, { cn: "OU=certSIGN ROOT CA G2,O=CERTSIGN SA,C=RO", sha256Hash: "657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305", - certStartOff: 151615, + certStartOff: 147742, certLength: 1355, }, { cn: "OU=certSIGN ROOT CA,O=certSIGN,C=RO", sha256Hash: "eaa962c4fa4a6bafebe415196d351ccd888d4f53f3fa8ae6d7c466a94e6042bb", - certStartOff: 152970, + certStartOff: 149097, certLength: 828, }, { cn: "OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\\, Ltd.,C=TW", sha256Hash: "c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5", - certStartOff: 153798, + certStartOff: 149925, certLength: 1460, distrustAfter: "2025-04-15T23:59:59Z", }, { cn: "SERIALNUMBER=G63287510,CN=ANF Secure Server Root CA,OU=ANF CA Raiz,O=ANF Autoridad de Certificacion,C=ES", sha256Hash: "fb8fec759169b9106b1e511644c618c51304373f6c0643088d8beffd1b997599", - certStartOff: 155258, + certStartOff: 151385, certLength: 1523, }, } From 19acf81bd7bc7b558d18a550e8e023df2c33e742 Mon Sep 17 00:00:00 2001 From: Gopher Robot Date: Mon, 8 Dec 2025 09:39:42 -0800 Subject: [PATCH 3/5] go.mod: update golang.org/x dependencies Update golang.org/x dependencies to their latest tagged versions. Change-Id: I81158fb078bccce57d8d46cac0cb87e6c4f8cff9 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/728181 Reviewed-by: Dmitri Shuralyov Reviewed-by: David Chase Auto-Submit: Gopher Robot LUCI-TryBot-Result: Go LUCI --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index ed7433125c..9f278a2f84 100644 --- a/go.mod +++ b/go.mod 
@@ -4,8 +4,8 @@ go 1.24.0 require ( golang.org/x/net v0.47.0 // tagx:ignore - golang.org/x/sys v0.38.0 - golang.org/x/term v0.37.0 + golang.org/x/sys v0.39.0 + golang.org/x/term v0.38.0 ) -require golang.org/x/text v0.31.0 // indirect +require golang.org/x/text v0.32.0 // indirect diff --git a/go.sum b/go.sum index 3a0b108e1d..2a85f538e5 100644 --- a/go.sum +++ b/go.sum @@ -1,8 +1,8 @@ golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= -golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= -golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= -golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254= -golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= -golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q= +golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= From 7dacc380ba001e8fe7c3c7a46bf3cbdaa5064df9 Mon Sep 17 00:00:00 2001 
From: Filippo Valsorda Date: Mon, 8 Dec 2025 23:54:43 +0100 Subject: [PATCH 4/5] chacha20poly1305: error out in fips140=only mode We don't guarantee fips140=only support in x/crypto, but chacha20poly1305 is special in that it's vendored into the standard library. We could wrap all the callsites, but it's more robust to just error out at construction time. Change-Id: I4b1e451bd250429c4c5c5b61c8b2141c6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/728480 Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI Reviewed-by: David Chase Auto-Submit: Filippo Valsorda --- chacha20poly1305/chacha20poly1305.go | 3 +++ chacha20poly1305/fips140only_compat.go | 9 +++++++++ chacha20poly1305/fips140only_go1.26.go | 11 +++++++++++ chacha20poly1305/xchacha20poly1305.go | 3 +++ 4 files changed, 26 insertions(+) create mode 100644 chacha20poly1305/fips140only_compat.go create mode 100644 chacha20poly1305/fips140only_go1.26.go diff --git a/chacha20poly1305/chacha20poly1305.go b/chacha20poly1305/chacha20poly1305.go index 8cf5d8112e..956795524f 100644 --- a/chacha20poly1305/chacha20poly1305.go +++ b/chacha20poly1305/chacha20poly1305.go @@ -38,6 +38,9 @@ type chacha20poly1305 struct { // New returns a ChaCha20-Poly1305 AEAD that uses the given 256-bit key. func New(key []byte) (cipher.AEAD, error) { + if fips140Enforced() { + return nil, errors.New("chacha20poly1305: use of ChaCha20Poly1305 is not allowed in FIPS 140-only mode") + } if len(key) != KeySize { return nil, errors.New("chacha20poly1305: bad key length") } diff --git a/chacha20poly1305/fips140only_compat.go b/chacha20poly1305/fips140only_compat.go new file mode 100644 index 0000000000..9b9d5643ec --- /dev/null +++ b/chacha20poly1305/fips140only_compat.go 
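Review bot: The doc comment on `New` still describes only the key, but the added guard gives the constructor a second failure that depends on the environment. Callers that pass a fixed-size key and treat a non-nil error as impossible (for example by panicking) will now fail when the process runs in FIPS 140-only mode. I would extend the comment with something like `// It returns an error if the key is not KeySize bytes long or if the process runs in FIPS 140-only mode.`, and do the same for `NewX` in xchacha20poly1305.go. Both constructors also build the identical message inline with `errors.New`; one unexported package-level error value would keep the two in step. The body of `New` continues past the end of the hunk.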
@@ -0,0 +1,9 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.26
+
+package chacha20poly1305
+
+func fips140Enforced() bool { return false }
diff --git a/chacha20poly1305/fips140only_go1.26.go b/chacha20poly1305/fips140only_go1.26.go
new file mode 100644
index 0000000000..f71089c486
--- /dev/null
+++ b/chacha20poly1305/fips140only_go1.26.go
@@ -0,0 +1,11 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.26
+
+package chacha20poly1305
+
+import "crypto/fips140"
+
+func fips140Enforced() bool { return fips140.Enforced() }
diff --git a/chacha20poly1305/xchacha20poly1305.go b/chacha20poly1305/xchacha20poly1305.go
index 1cebfe946f..b4299b718c 100644
--- a/chacha20poly1305/xchacha20poly1305.go
+++ b/chacha20poly1305/xchacha20poly1305.go
@@ -22,6 +22,9 @@ type xchacha20poly1305 struct {
 // preferred when nonce uniqueness cannot be trivially ensured, or whenever
 // nonces are randomly generated.
 func NewX(key []byte) (cipher.AEAD, error) {
+ if fips140Enforced() {
+ return nil, errors.New("chacha20poly1305: use of ChaCha20Poly1305 is not allowed in FIPS 140-only mode")
+ }
 if len(key) != KeySize {
 return nil, errors.New("chacha20poly1305: bad key length")
 }
From 44494f2ae9c7091785b38dcab4322ae6713ff751 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20=C4=8Ctvrtka?= Date: Fri, 19 Dec 2025 11:24:10 +0100 Subject: [PATCH 5/5] PMM-14577 Update go and packages.
---
 go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index 9f278a2f84..62b1873b5b 100644
--- a/go.mod
+++ b/go.mod
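Review bot: `fips140Enforced` in fips140only_compat.go has no comment saying that the constant `false` is deliberate. A reader cannot tell from the file that a build with a toolchain older than Go 1.26 never rejects construction, whatever FIPS setting the process runs under. A doc comment on both variants would make that fail-open behaviour explicit, e.g. `// fips140Enforced reports whether FIPS 140-only enforcement is active; toolchains before Go 1.26 cannot query it, so this build always reports false.` on the stub and `// fips140Enforced reports whether crypto/fips140 enforcement is active.` in fips140only_go1.26.go. The diffstat lists no test file, so the new rejection path appears to be untested in this commit.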
@@ -1,9 +1,9 @@ module golang.org/x/crypto -go 1.24.0 +go 1.25.5 require ( - golang.org/x/net v0.47.0 // tagx:ignore + golang.org/x/net v0.48.0 // tagx:ignore golang.org/x/sys v0.39.0 golang.org/x/term v0.38.0 ) diff --git a/go.sum b/go.sum index 2a85f538e5..b25f10f51d 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= -golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= +golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= +golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=