Add m-esr52 at 52.6.0

8 files changed, 2950 insertions, 0 deletions

diff --git a/security/manager/tools/.eslintrc.js b/security/manager/tools/.eslintrc.js
new file mode 100644
index 000000000..49de9eadd
--- /dev/null
+++ b/security/manager/tools/.eslintrc.js
@@ -0,0 +1,9 @@
+"use strict";
+
+module.exports = { // eslint-disable-line no-undef
+  "globals": {
+    // JS files in this folder are commonly xpcshell scripts where |arguments|
+    // is defined in the global scope.
+    "arguments": false
+  }
+};
diff --git a/security/manager/tools/KnownRootHashes.json b/security/manager/tools/KnownRootHashes.json
new file mode 100644
index 000000000..81adeb653
--- /dev/null
+++ b/security/manager/tools/KnownRootHashes.json
@@ -0,0 +1,949 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+//
+//***************************************************************************
+// This is an automatically generated file. It's used to maintain state for
+// runs of genRootCAHashes.js; you should never need to manually edit it
+//***************************************************************************
+
+{
+  "roots": [
+    {
+      "label": "GTE_CyberTrust_Global_Root",
+      "binNumber": 1,
+      "sha256Fingerprint": "pTElGI0hEKqWSwLHt8baMgMXCJTl+3H/+2Zn1eaBCjY="
+    },
+    {
+      "label": "Thawte_Server_CA",
+      "binNumber": 2,
+      "sha256Fingerprint": "tEELc+Lm6spH+8Qvj6QBivQ4HcVM+qhEUEYe7QlFTek="
+    },
+    {
+      "label": "Thawte_Premium_Server_CA",
+      "binNumber": 3,
+      "sha256Fingerprint": "q3A2NlxxVKopwsKfXUGRFjsWKiIlARNX1W0H/6e8H3I="
+    },
+    {
+      "label": "OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US",
+      "binNumber": 4,
+      "sha256Fingerprint": "CCl6QEfbojaAxzHbbjF2U8p4SOG+vToLAXmnB/ks8Xg="
+    },
+    {
+      "label": "OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US",
+      "binNumber": 5,
+      "sha256Fingerprint": "g848Eiloilk9SF+BlzwPkZVDHto3zF42Qw55x6iIY4s="
+    },
+    {
+      "label": "GlobalSign_Root_CA",
+      "binNumber": 6,
+      "sha256Fingerprint": "69QQQOS7PsdCyeOB0x7ypBpItmhclufO88HfbNQzHJk="
+    },
+    {
+      "label": "GlobalSign",
+      "binNumber": 7,
+      "sha256Fingerprint": "ykLdQXRf0LgeuQI2LPnYv3Gdob0bHvyUb1tMmfQsG54="
+    },
+    {
+      "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G3",
+      "binNumber": 8,
+      "sha256Fingerprint": "6wTPXrHzmvp2LyuxIPKWy6Ugwbl9sViVZbgcuaF7ckQ="
+    },
+    {
+      "label": "VeriSign_Class_4_Public_Primary_Certification_Authority___G3",
+      "binNumber": 9,
+      "sha256Fingerprint": "44k2DQ/brrPSUFhLRzAxTiIvOcFWoCAUTo2WBWF5FQY="
+    },
+    {
+      "label": "Entrust_net_Certification_Authority__2048_",
+      "binNumber": 10,
+      "sha256Fingerprint": "bcRxcuAcvLC/YlgNiV/iuKya1PhzgB4MELnIN9IesXc="
+    },
+    {
+      "label": "Baltimore_CyberTrust_Root",
+      "binNumber": 11,
+      "sha256Fingerprint": "Fq9XqfZ2sKsSYJWqXrre8iqzERnWRKyVzUuT2/Pyaus="
+    },
+    {
+      "label": "Equifax_Secure_Global_eBusiness_CA_1",
+      "binNumber": 12,
+      "sha256Fingerprint": "Xwti6rXjU+plIWUWWPu2U1n0QygKSvvRBNd9EPnwTAc="
+    },
+    {
+      "label": "Equifax_Secure_eBusiness_CA_1",
+      "binNumber": 13,
+      "sha256Fingerprint": "z1b/RqShhhCd2WWEte61ilEMQnWw5flPQLuuhl4Z9nM="
+    },
+    {
+      "label": "AddTrust_Class_1_CA_Root",
+      "binNumber": 14,
+      "sha256Fingerprint": "jHIJJ5rATideFtB/07d16AFUtZaARuMfUt0ldmMk6ac="
+    },
+    {
+      "label": "AddTrust_External_CA_Root",
+      "binNumber": 15,
+      "sha256Fingerprint": "aH+kUTgieP/wyLEfjUPVdmccbrK86rQT+4PZZdBtL/I="
+    },
+    {
+      "label": "AddTrust_Public_CA_Root",
+      "binNumber": 16,
+      "sha256Fingerprint": "B5HKB0myB4Kq08fXvQzfyUhYNYQ+steZYAnOQ6tsaSc="
+    },
+    {
+      "label": "AddTrust_Qualified_CA_Root",
+      "binNumber": 17,
+      "sha256Fingerprint": "gJUhCAXbS7w1XkQo2P1uws3jq1+5eplCmI649NzQYBY="
+    },
+    {
+      "label": "Entrust_Root_Certification_Authority",
+      "binNumber": 18,
+      "sha256Fingerprint": "c8F2Q08bxtWt9FsOducnKHyN5XYWwebmFBorLLx9jkw="
+    },
+    {
+      "label": "OU_RSA_Security_2048_V3_O_RSA_Security_Inc",
+      "binNumber": 19,
+      "sha256Fingerprint": "r4tnYqHlKCKBYaldXFWe4mYnj3XXnoMBiaUDUGq9a0w="
+    },
+    {
+      "label": "GeoTrust_Global_CA",
+      "binNumber": 20,
+      "sha256Fingerprint": "/4VqLSUdzYjTZlb0UBJnmM+rqt5AeZxyLeTStds2pzo="
+    },
+    {
+      "label": "GeoTrust_Global_CA_2",
+      "binNumber": 21,
+      "sha256Fingerprint": "yi2CoIZ3By+KtnZP8DVnbP4+XjJeASFy3z+SCW23m4U="
+    },
+    {
+      "label": "GeoTrust_Universal_CA",
+      "binNumber": 22,
+      "sha256Fingerprint": "oEWbn2OyJVn1+l1MbbP59y/xk0IDNXjwc78dG0bLuRI="
+    },
+    {
+      "label": "GeoTrust_Universal_CA_2",
+      "binNumber": 23,
+      "sha256Fingerprint": "oCNPO8hSfKVijuyBrV1piV2laA3JHRy4R38z+Hi5Wws="
+    },
+    {
+      "label": "America_Online_Root_Certification_Authority_1",
+      "binNumber": 24,
+      "sha256Fingerprint": "d0BzEsY6FT1bwAtOUXWc39rCN9wqM7Z5RumOm/poCuM="
+    },
+    {
+      "label": "America_Online_Root_Certification_Authority_2",
+      "binNumber": 25,
+      "sha256Fingerprint": "fTtGWmAU5SbAr/zuISfSMRcnrYEcJoQtAGrzcwbMgL0="
+    },
+    {
+      "label": "Visa_eCommerce_Root",
+      "binNumber": 26,
+      "sha256Fingerprint": "afrJvVX7CseNU7vuXPHVl5if0KqrIKJRUb3xcz7n0SI="
+    },
+    {
+      "label": "Certum_CA",
+      "binNumber": 27,
+      "sha256Fingerprint": "2OD+vB2y440AlA830n1BNE2ZPnNLmdVlbZd41NgUNiQ="
+    },
+    {
+      "label": "AAA_Certificate_Services",
+      "binNumber": 28,
+      "sha256Fingerprint": "16eg+11+JzHXcelITrze9x1fDD4KKUh4K8g+4OppnvQ="
+    },
+    {
+      "label": "Secure_Certificate_Services",
+      "binNumber": 29,
+      "sha256Fingerprint": "vYHOO09lkdEaZ7X8ekf97yVSG/mqThi5498uNKeAO+g="
+    },
+    {
+      "label": "Trusted_Certificate_Services",
+      "binNumber": 30,
+      "sha256Fingerprint": "PwblVoHUlvW+Fp61OJ+fK4/2HhcI32iBckhJzV0ny2k="
+    },
+    {
+      "label": "QuoVadis_Root_Certification_Authority",
+      "binNumber": 31,
+      "sha256Fingerprint": "pF7eO7vwnIrhXHLvwHJo1pOiHJlv1R5nygeUYP1tiHM="
+    },
+    {
+      "label": "QuoVadis_Root_CA_2",
+      "binNumber": 32,
+      "sha256Fingerprint": "haDdfdcgrbf/Bfg9VCsgncf/RSj31nexg4n+peXEnoY="
+    },
+    {
+      "label": "QuoVadis_Root_CA_3",
+      "binNumber": 33,
+      "sha256Fingerprint": "GPH8fyBd+K3d63/gB91X4683WpxNjXNUa/Tx/tHhjTU="
+    },
+    {
+      "label": "OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP",
+      "binNumber": 34,
+      "sha256Fingerprint": "515y7Z9WDuxutIAAc6Q/w60ZGVo5IoIBeJWXSpkCa2w="
+    },
+    {
+      "label": "Sonera_Class2_CA",
+      "binNumber": 35,
+      "sha256Fingerprint": "eQi0AxTBOBALUY0HNYB/+/z4UYoAlTNxBbo4axU92Sc="
+    },
+    {
+      "label": "Staat_der_Nederlanden_Root_CA",
+      "binNumber": 36,
+      "sha256Fingerprint": "1B2CnowWWYIq+T/OYr/83iZPyE6LlQxf8nXQUjVGlaM="
+    },
+    {
+      "label": "UTN___DATACorp_SGC",
+      "binNumber": 37,
+      "sha256Fingerprint": "hfsvkd0SJ1oBRbY2U0+EAkrWi2m47ohoT/cRN1gFs0g="
+    },
+    {
+      "label": "UTN_USERFirst_Hardware",
+      "binNumber": 38,
+      "sha256Fingerprint": "bqVHQdAEZn7tG0gWY0qjp55uS5aVD4J52vyNm9iBITc="
+    },
+    {
+      "label": "Chambers_of_Commerce_Root",
+      "binNumber": 39,
+      "sha256Fingerprint": "DCWKEqVnSu8l8oun3Prs7qNI5UHm9cxO5jtxs2FgasM="
+    },
+    {
+      "label": "Global_Chambersign_Root",
+      "binNumber": 40,
+      "sha256Fingerprint": "7zy0F/yOv2+Xh2yeTs453h6l/mSRQdECi30RwLIpjO0="
+    },
+    {
+      "label": "NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado",
+      "binNumber": 41,
+      "sha256Fingerprint": "fxLNX35eKQ7H2FF51bcsIKW+dQj/21v4GrloSn/J9mc="
+    },
+    {
+      "label": "XRamp_Global_Certification_Authority",
+      "binNumber": 42,
+      "sha256Fingerprint": "zs3ckFCZ2NrfxbHSCbc3y+LBjPssEMD/C88NMob8GqI="
+    },
+    {
+      "label": "OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US",
+      "binNumber": 43,
+      "sha256Fingerprint": "w4Rr8kuek8pkJ0wOxnwezF4CT/ys0tdAGTUOgf5UauQ="
+    },
+    {
+      "label": "OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US",
+      "binNumber": 44,
+      "sha256Fingerprint": "FGX6IFOXuHb6pvCplY5VkOQPzH+qT7fCyGd1Iftftlg="
+    },
+    {
+      "label": "StartCom_Certification_Authority",
+      "binNumber": 45,
+      "sha256Fingerprint": "x2apvvLUBxyGOjGqSSDoE7LRmGCMt7fP4hFDuDbfCeo="
+    },
+    {
+      "label": "O_Government_Root_Certification_Authority_C_TW",
+      "binNumber": 46,
+      "sha256Fingerprint": "dgApXu/oW54f1iTbdgYqqq5ZgYpU0ndM1MCywBEx4bM="
+    },
+    {
+      "label": "Swisscom_Root_CA_1",
+      "binNumber": 47,
+      "sha256Fingerprint": "IdsgEjZguy7UGCBdoR7nqFpl4rxuVbWvfniZyKJm2S4="
+    },
+    {
+      "label": "DigiCert_Assured_ID_Root_CA",
+      "binNumber": 48,
+      "sha256Fingerprint": "PpCZtQFej0hsALzqnREe5yH6ujVaibzx32lWHj3GMlw="
+    },
+    {
+      "label": "DigiCert_Global_Root_CA",
+      "binNumber": 49,
+      "sha256Fingerprint": "Q0ig6URMeMsmXgWNXolEtNhPlmK9Jtslf4k0pEPHAWE="
+    },
+    {
+      "label": "DigiCert_High_Assurance_EV_Root_CA",
+      "binNumber": 50,
+      "sha256Fingerprint": "dDHl9MPBzkaQd08LYeBUQIg7qaAe0Aumq9eAbtOxGM8="
+    },
+    {
+      "label": "Class_2_Primary_CA",
+      "binNumber": 51,
+      "sha256Fingerprint": "D5k8iu+Xuq9WhxQO1ZrRghu0r6zwqppYtdV6M4o6+8s="
+    },
+    {
+      "label": "DST_Root_CA_X3",
+      "binNumber": 52,
+      "sha256Fingerprint": "BocmAzGnJAPZCfEF5pvPDTLhvSST/8bZIG0RvNZ3Bzk="
+    },
+    {
+      "label": "DST_ACES_CA_X6",
+      "binNumber": 53,
+      "sha256Fingerprint": "dnyVWnZBLImvaI6QoccPVWz9a2Al2+oQQW1+toMfjEA="
+    },
+    {
+      "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+      "binNumber": 54,
+      "sha256Fingerprint": "RATjO14UDc+ZgFH9/IAox8gWFcXuc3sRG1iCM6m1NaA="
+    },
+    {
+      "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+      "binNumber": 55,
+      "sha256Fingerprint": "xHDPVH4jArl3+yndcaiae2wfYHd7Ayn1YBfzKL9Pa+Y="
+    },
+    {
+      "label": "SwissSign_Gold_CA___G2",
+      "binNumber": 56,
+      "sha256Fingerprint": "Yt0L6bn1ChY+oPjnXAU7HspX6lXIaI9kfGiB8sg1e5U="
+    },
+    {
+      "label": "SwissSign_Silver_CA___G2",
+      "binNumber": 57,
+      "sha256Fingerprint": "vmxNoru5ulm285OXaDdCRsPABZk/qY8CDR3tvtSKgdU="
+    },
+    {
+      "label": "GeoTrust_Primary_Certification_Authority",
+      "binNumber": 58,
+      "sha256Fingerprint": "N9UQBsUS6qtiZCHx7IySAT/F+CrpjuUz60YZuN600Gw="
+    },
+    {
+      "label": "thawte_Primary_Root_CA",
+      "binNumber": 59,
+      "sha256Fingerprint": "jXIvganBE8B5HfE2opZtsmyVCpcdtGtBmfTqVLeL+58="
+    },
+    {
+      "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G5",
+      "binNumber": 60,
+      "sha256Fingerprint": "ms+rfkPI2IDQayYqlN7u5LRlmYnD0Mrxm69kBeQat98="
+    },
+    {
+      "label": "SecureTrust_CA",
+      "binNumber": 61,
+      "sha256Fingerprint": "8cG1CuWiDdgDDsn2vCSCPdNntSVXWbTnG2H86fc3XXM="
+    },
+    {
+      "label": "Secure_Global_CA",
+      "binNumber": 62,
+      "sha256Fingerprint": "QgD1BDrIWQ67Un0gntFQMCn7y9QcobUG7CfxWt59rGk="
+    },
+    {
+      "label": "COMODO_Certification_Authority",
+      "binNumber": 63,
+      "sha256Fingerprint": "DCzWPfeAb6OZ7egJEWtXW/h5ifBlGPmAjIYFAxeLr2Y="
+    },
+    {
+      "label": "Network_Solutions_Certificate_Authority",
+      "binNumber": 64,
+      "sha256Fingerprint": "FfC6AKOsevOsiEwHKxARoHe9d8CX9AFksvhZir2Dhgw="
+    },
+    {
+      "label": "WellsSecure_Public_Root_Certificate_Authority",
+      "binNumber": 65,
+      "sha256Fingerprint": "pxJyrqqjz+hyf3+znw+z0eVCbpBgsG7m8T6aPFgzzUM="
+    },
+    {
+      "label": "COMODO_ECC_Certification_Authority",
+      "binNumber": 66,
+      "sha256Fingerprint": "F5OSegYUVJeJrc4vjzT38LZtDzrjo7hNIewV27pPrcc="
+    },
+    {
+      "label": "IGC_A",
+      "binNumber": 67,
+      "sha256Fingerprint": "ub6nhgqWLqNhHauXq22j4hwQaLl9VVde0OESecEciTI="
+    },
+    {
+      "label": "OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP",
+      "binNumber": 68,
+      "sha256Fingerprint": "oi26aB6XN24tOX1yiq46m2KWuf26YLwuEfZH8sZ1+zc="
+    },
+    {
+      "label": "OISTE_WISeKey_Global_Root_GA_CA",
+      "binNumber": 69,
+      "sha256Fingerprint": "Qckjhmq0yta3rVeAgVguAgeXpsvfT/94zoOWs4k31/U="
+    },
+    {
+      "label": "Microsec_e_Szigno_Root_CA",
+      "binNumber": 70,
+      "sha256Fingerprint": "Mno9dhq63qA065mEBidcsaR3bv2uL99tAWjqHE9VZ9A="
+    },
+    {
+      "label": "Certigna",
+      "binNumber": 71,
+      "sha256Fingerprint": "47ai2y7XzkiEL3rFMkHHtx1UFEv7QMEfPx0LQvXuoS0="
+    },
+    {
+      "label": "TC_TrustCenter_Class_2_CA_II",
+      "binNumber": 72,
+      "sha256Fingerprint": "5rj4dmSF+Aeuf42sFnBGHwfAoT7vOh/3F1ONerrTkbQ="
+    },
+    {
+      "label": "TC_TrustCenter_Class_3_CA_II",
+      "binNumber": 73,
+      "sha256Fingerprint": "jaCE/Pmc4Hci+JsyBZOYBvpcuBHhyBP2oQjH0zazQI4="
+    },
+    {
+      "label": "TC_TrustCenter_Universal_CA_I",
+      "binNumber": 74,
+      "sha256Fingerprint": "6/PAKoeJsft9URmV1mO3KQbZE84NXhBWiop34lhhZ+c="
+    },
+    {
+      "label": "Deutsche_Telekom_Root_CA_2",
+      "binNumber": 75,
+      "sha256Fingerprint": "thkaUNDDl399qZvNqshqIn2uuWeexwujsMnZInHBcNM="
+    },
+    {
+      "label": "ComSign_Secured_CA",
+      "binNumber": 76,
+      "sha256Fingerprint": "UHlBx0RgoLRwhiINTpkyVyq10bW7y4mAqxyxdlGoRNI="
+    },
+    {
+      "label": "Cybertrust_Global_Root",
+      "binNumber": 77,
+      "sha256Fingerprint": "lgrfAGPpY1Z1DCll3QoIZ9oLnL1ud3FK6vsjSas5PaM="
+    },
+    {
+      "label": "OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW",
+      "binNumber": 78,
+      "sha256Fingerprint": "wKb03GOiS/3PVO8qaggqCnLeNYA+L/X/Unrl2HIG39U="
+    },
+    {
+      "label": "T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3",
+      "binNumber": 79,
+      "sha256Fingerprint": "5Mc0MNeltQkl30M3Cg0hbpp5udbbg3Ogxp6xzDHHxSo="
+    },
+    {
+      "label": "Buypass_Class_2_CA_1",
+      "binNumber": 80,
+      "sha256Fingerprint": "D06c3SZLAlVQ0XCAY0AhT+lENMmwL2l+xxD8X+r7Xjg="
+    },
+    {
+      "label": "Buypass_Class_3_CA_1",
+      "binNumber": 81,
+      "sha256Fingerprint": "t7ErFx+CHaqZDND+UIexKESLqOUYT4TFHgK1yPuWKyQ="
+    },
+    {
+      "label": "EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+      "binNumber": 82,
+      "sha256Fingerprint": "Na5b3dj3rmNc/7pWgqjwC5X0hGLHEI7poOUpKwdKr7I="
+    },
+    {
+      "label": "OU_certSIGN_ROOT_CA_O_certSIGN_C_RO",
+      "binNumber": 83,
+      "sha256Fingerprint": "6qlixPpKa6/r5BUZbTUczYiNT1Pz+orm18RmqU5gQrs="
+    },
+    {
+      "label": "CNNIC_ROOT",
+      "binNumber": 84,
+      "sha256Fingerprint": "4oOTdz2oRaZ58ggMx/tEo7ehw3kst+t3Kf3Lao2Zrqc="
+    },
+    {
+      "label": "OU_ApplicationCA_O_Japanese_Government_C_JP",
+      "binNumber": 85,
+      "sha256Fingerprint": "LUdDfeF5USFaEvPFjlHHKaWAJu8fzApfs9ncAS9gDRk="
+    },
+    {
+      "label": "GeoTrust_Primary_Certification_Authority___G3",
+      "binNumber": 86,
+      "sha256Fingerprint": "tHi4EiUN+HhjXCqn7H0VXqpiXugpFuLNKUNhiGzR+9Q="
+    },
+    {
+      "label": "thawte_Primary_Root_CA___G2",
+      "binNumber": 87,
+      "sha256Fingerprint": "pDENUK8YpkRxkDcqhq+vi5Uf+0Mdg38eVoi0WXHtFVc="
+    },
+    {
+      "label": "thawte_Primary_Root_CA___G3",
+      "binNumber": 88,
+      "sha256Fingerprint": "SwP0WAetcPIb/Cyuccn95GBMBkz1/7aGuuXbqtf900w="
+    },
+    {
+      "label": "GeoTrust_Primary_Certification_Authority___G2",
+      "binNumber": 89,
+      "sha256Fingerprint": "Xtt6xDuCoGqHYejXvkl56/JhH33Xm/kcHGtWaiGe12Y="
+    },
+    {
+      "label": "VeriSign_Universal_Root_Certification_Authority",
+      "binNumber": 90,
+      "sha256Fingerprint": "I5lWESelcSXejO/qYQ3fL6B4tcgGf06CgpC/uGDoSzw="
+    },
+    {
+      "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G4",
+      "binNumber": 91,
+      "sha256Fingerprint": "ad3X6pC7V8k+E13IXqb81UgLYDI5vcRU/HWLKibPf3k="
+    },
+    {
+      "label": "NetLock_Arany__Class_Gold__F_tan_s_tv_ny",
+      "binNumber": 92,
+      "sha256Fingerprint": "bGHaw6Le8DFQa+A20qb+QBmU+9E9+cjUZlmSdMRG7Jg="
+    },
+    {
+      "label": "Staat_der_Nederlanden_Root_CA___G2",
+      "binNumber": 93,
+      "sha256Fingerprint": "ZoyDlH2mO3JL7OF0PDGg5q7Q247Fsxvjd7t4T5G2cW8="
+    },
+    {
+      "label": "CA_Disig",
+      "binNumber": 94,
+      "sha256Fingerprint": "kr9RGavsytCxMy3E4dBfunW1Z5BE7gyibpMfdE8vM88="
+    },
+    {
+      "label": "Juur_SK",
+      "binNumber": 95,
+      "sha256Fingerprint": "7MPpw0B1A77gkaqVL0E0j/iLqoY7ImS++sgHkBV06Tk="
+    },
+    {
+      "label": "Hongkong_Post_Root_CA_1",
+      "binNumber": 96,
+      "sha256Fingerprint": "+eZ9M2xRACrAVMYyAi1m3aLn4//xCtBh7THYu7QQz7I="
+    },
+    {
+      "label": "SecureSign_RootCA11",
+      "binNumber": 97,
+      "sha256Fingerprint": "vw/u+546WBrV+enbdYmYV0PSYQhcTTFPb11yWapCFhI="
+    },
+    {
+      "label": "ACEDICOM_Root",
+      "binNumber": 98,
+      "sha256Fingerprint": "A5UPtJpTHz4ZkZQjmN+p4Ooy17oc3ZvIXbV+2UALQ0o="
+    },
+    {
+      "label": "Microsec_e_Szigno_Root_CA_2009",
+      "binNumber": 99,
+      "sha256Fingerprint": "PF+B/qX6uCxkv6Lq7K/N6OB3/IYgp8rlNxY9827b83g="
+    },
+    {
+      "label": "e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi",
+      "binNumber": 100,
+      "sha256Fingerprint": "5gkHhGWkGXgMtqxMHAv7RlPZ2cxus5Rut/PWmZe61Zg="
+    },
+    {
+      "label": "GlobalSign",
+      "binNumber": 101,
+      "sha256Fingerprint": "y7Ui17fxJ61qAROGW98c1BAufQdZr2NafPRyDcljxTs="
+    },
+    {
+      "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068",
+      "binNumber": 102,
+      "sha256Fingerprint": "BASAKL8fKGTUj5rU2DKUNmqCiFZVPzsUMD+QFH9dQO8="
+    },
+    {
+      "label": "Izenpe_com",
+      "binNumber": 103,
+      "sha256Fingerprint": "JTDMjpgyFQK62W+bH7obCZ4tKZ4PRUi7kU82O8DUUx8="
+    },
+    {
+      "label": "Chambers_of_Commerce_Root___2008",
+      "binNumber": 104,
+      "sha256Fingerprint": "Bj5K+sSR39My8wibhULpRhfYk9f+lE4Qp5N+4p2Wk8A="
+    },
+    {
+      "label": "Global_Chambersign_Root___2008",
+      "binNumber": 105,
+      "sha256Fingerprint": "E2M1Q5M0p2mAFqDTJN5yKE4HnXtSILuPvXR4Fu6+uso="
+    },
+    {
+      "label": "Go_Daddy_Root_Certificate_Authority___G2",
+      "binNumber": 106,
+      "sha256Fingerprint": "RRQLMkfrnMjFtPDXtTCR9zKSCJ5uWmPidJ3TrKkZjto="
+    },
+    {
+      "label": "Starfield_Root_Certificate_Authority___G2",
+      "binNumber": 107,
+      "sha256Fingerprint": "LOHLC/nS+eECmT++IVFSw7LdDKveHGjlMZuDkVTbt/U="
+    },
+    {
+      "label": "Starfield_Services_Root_Certificate_Authority___G2",
+      "binNumber": 108,
+      "sha256Fingerprint": "Vo1pBaLIhwikswJRkO3P7bGXSmBqE8blKQ/LKuY+2rU="
+    },
+    {
+      "label": "AffirmTrust_Commercial",
+      "binNumber": 109,
+      "sha256Fingerprint": "A3arHVTF+YA85LLiAaDufu97V7Y26Kk8m41IYMlvX6c="
+    },
+    {
+      "label": "AffirmTrust_Networking",
+      "binNumber": 110,
+      "sha256Fingerprint": "CoHsWpKXd/FFkErzjV1Qn2a14sWPzbUxBYsOF/PwtBs="
+    },
+    {
+      "label": "AffirmTrust_Premium",
+      "binNumber": 111,
+      "sha256Fingerprint": "cKc/fzdrYAdCSJBFNLEUgtW/DmmOzEmN9SV36/LpO5o="
+    },
+    {
+      "label": "AffirmTrust_Premium_ECC",
+      "binNumber": 112,
+      "sha256Fingerprint": "vXH99tqX5M9i0WR63SWBsH15rfg5frTsupxehIiCFCM="
+    },
+    {
+      "label": "Certum_Trusted_Network_CA",
+      "binNumber": 113,
+      "sha256Fingerprint": "XFhGjVX1jkl+dDmC0rUAELbRZTdKz4On1KMtt2jEQI4="
+    },
+    {
+      "label": "Certinomis___Autorit__Racine",
+      "binNumber": 114,
+      "sha256Fingerprint": "/L/iiGIG9ysnWTyLBwKX4S12ntEO15MHBagJjv/BTRc="
+    },
+    {
+      "label": "Root_CA_Generalitat_Valenciana",
+      "binNumber": 115,
+      "sha256Fingerprint": "jE7f0ENI8yKWnn4ppM1NygBGVQYcFuGwdkIu80KtYw4="
+    },
+    {
+      "label": "A_Trust_nQual_03",
+      "binNumber": 116,
+      "sha256Fingerprint": "eTy/RVm5/eOKsi3xaGn2mIGuFMSwE5rHiKeKGvzKAvs="
+    },
+    {
+      "label": "TWCA_Root_Certification_Authority",
+      "binNumber": 117,
+      "sha256Fingerprint": "v9iP4RAcQa4+gBv4vlY1Dum60aa5vVFe3FxtW4cRrEQ="
+    },
+    {
+      "label": "OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP",
+      "binNumber": 118,
+      "sha256Fingerprint": "UTss7LgQ1M3l3YU5Gt/Gwt1g2Hu3NtK1IUhKpHoOvvY="
+    },
+    {
+      "label": "EC_ACC",
+      "binNumber": 119,
+      "sha256Fingerprint": "iEl/AWAvMVQkauKMTVrvEPHYfrt2Ym9K4Lf5W6eWh5k="
+    },
+    {
+      "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2011",
+      "binNumber": 120,
+      "sha256Fingerprint": "vBBPFaSL5wncpUKn4dS5328FRSfoAuqpLVlURCWK/nE="
+    },
+    {
+      "label": "Actalis_Authentication_Root_CA",
+      "binNumber": 121,
+      "sha256Fingerprint": "VZJghOyWOmS5biq+Ac4LqGpk+/68x6q1r8FVs3/XYGY="
+    },
+    {
+      "label": "OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB",
+      "binNumber": 122,
+      "sha256Fingerprint": "wbSCmaulII/pYwrOVcpooD7aWlGciAKg06Zzvo+OVX0="
+    },
+    {
+      "label": "StartCom_Certification_Authority",
+      "binNumber": 123,
+      "sha256Fingerprint": "4XiQ7gmj+/T0i5xBShfWN7elBkfpvHUjInJ/zBdCqRE="
+    },
+    {
+      "label": "StartCom_Certification_Authority_G2",
+      "binNumber": 124,
+      "sha256Fingerprint": "x7plZ96Tp5iuH6p5HnEtN4+uH5PEOX/qRBu3y+b9WZU="
+    },
+    {
+      "label": "Buypass_Class_2_Root_CA",
+      "binNumber": 125,
+      "sha256Fingerprint": "mhFAJRl8W7ldlOY9Vc1DeQhHtkayPN8RraSgDv8V+0g="
+    },
+    {
+      "label": "Buypass_Class_3_Root_CA",
+      "binNumber": 126,
+      "sha256Fingerprint": "7ffrvKJ6KjhNOHt9QBDGZuLttIQ+TCm0rh1bkzLmsk0="
+    },
+    {
+      "label": "T_TeleSec_GlobalRoot_Class_3",
+      "binNumber": 127,
+      "sha256Fingerprint": "/XPa0xxkT/G0O+8MzdqWcQuc2Ydeyn4xcHrz6W1SK70="
+    },
+    {
+      "label": "EE_Certification_Centre_Root_CA",
+      "binNumber": 128,
+      "sha256Fingerprint": "PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY="
+    },
+    {
+      "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_",
+      "binNumber": 129,
+      "sha256Fingerprint": "l4zZZvL6oHunqpUA2cAunXfyza2mrWunSvS5HGZZPFA="
+    },
+    {
+      "label": "D_TRUST_Root_Class_3_CA_2_2009",
+      "binNumber": 130,
+      "sha256Fingerprint": "SeekQqzw6mKHBQBUtSVktlDk9J5C40jWqjjgOelXscE="
+    },
+    {
+      "label": "D_TRUST_Root_Class_3_CA_2_EV_2009",
+      "binNumber": 131,
+      "sha256Fingerprint": "7sVJa5iM6YYluTQJLuwpCL7QsPMWwtRzDITq8fPTSIE="
+    },
+    {
+      "label": "PSCProcert",
+      "binNumber": 132,
+      "sha256Fingerprint": "PPw8FNH2hP8X44xDykQMALln7JM+i/4GTKHXLJDyrbA="
+    },
+    {
+      "label": "China_Internet_Network_Information_Center_EV_Certificates_Root",
+      "binNumber": 133,
+      "sha256Fingerprint": "HAHG9Nuy/vwiVYsryjJWP0mESs/DK3vksP9Zn56Mevc="
+    },
+    {
+      "label": "Swisscom_Root_CA_2",
+      "binNumber": 134,
+      "sha256Fingerprint": "8JsSLHEU9KCb1OpPSpnVWLRuTCXNgRQNKcBWE5FMOEE="
+    },
+    {
+      "label": "Swisscom_Root_EV_CA_2",
+      "binNumber": 135,
+      "sha256Fingerprint": "2V/qPKTu3OdM1251/G0f9ixEHw+ovHfwNLGeXbJYAV0="
+    },
+    {
+      "label": "CA_Disig_Root_R1",
+      "binNumber": 136,
+      "sha256Fingerprint": "+W8j9MPnnAd6RpiNWvWQBnag8DnLZF3RdUmyFsgkQM4="
+    },
+    {
+      "label": "CA_Disig_Root_R2",
+      "binNumber": 137,
+      "sha256Fingerprint": "4j1KA217cOn1lbFCIHnSuR7fux+2UaBjPqqKncX4BwM="
+    },
+    {
+      "label": "ACCVRAIZ1",
+      "binNumber": 138,
+      "sha256Fingerprint": "mm7AEuGn2p2+NBlNR4rXwNsYIvsHHfEpgUlu0QQ4QRM="
+    },
+    {
+      "label": "TWCA_Global_Root_CA",
+      "binNumber": 139,
+      "sha256Fingerprint": "WXaQB/doXQ/NUIcvn5XVdVpbK0V9gfNpK2EKmGcvDhs="
+    },
+    {
+      "label": "TeliaSonera_Root_CA_v1",
+      "binNumber": 140,
+      "sha256Fingerprint": "3Wk2/iH48HfBI6GlIcEiJPciVbc+A6cmBpPooksPo4k="
+    },
+    {
+      "label": "E_Tugra_Certification_Authority",
+      "binNumber": 141,
+      "sha256Fingerprint": "sL/VK7DX2b2Sv11NwT2iVcAsVC83g2XqiTkR9V5V8jw="
+    },
+    {
+      "label": "T_TeleSec_GlobalRoot_Class_2",
+      "binNumber": 142,
+      "sha256Fingerprint": "keL1eI1YEOunulhzfeFUio7KzQFFmLwLFD4EGxcFJVI="
+    },
+    {
+      "label": "Atos_TrustedRoot_2011",
+      "binNumber": 143,
+      "sha256Fingerprint": "81a+okS3qR6zXVPKmteGSs4Bji011fj5bd9opvQapHQ="
+    },
+    {
+      "label": "QuoVadis_Root_CA_1_G3",
+      "binNumber": 144,
+      "sha256Fingerprint": "ioZv0bJ2tX5XjpIcZYKKK+1Y6fLyiAVBNLfx9L/JzHQ="
+    },
+    {
+      "label": "QuoVadis_Root_CA_2_G3",
+      "binNumber": 145,
+      "sha256Fingerprint": "j+T7Cvk6TQ1n2wvrsj43xxvzJdy83SQOoE2vWLR+GEA="
+    },
+    {
+      "label": "QuoVadis_Root_CA_3_G3",
+      "binNumber": 146,
+      "sha256Fingerprint": "iO+B3iAusBhFLkP4ZHJc6l+9H8LZ0gVzBwnF2LhpD0Y="
+    },
+    {
+      "label": "DigiCert_Assured_ID_Root_G2",
+      "binNumber": 147,
+      "sha256Fingerprint": "fQXrtoIzn4yUUe4JTuv++nlToRTtsvRJSUUvq30vwYU="
+    },
+    {
+      "label": "DigiCert_Assured_ID_Root_G3",
+      "binNumber": 148,
+      "sha256Fingerprint": "fjfLi0xHCQyrNlUbpvRduEBoD7oWapUtsQBxf0MFP8I="
+    },
+    {
+      "label": "DigiCert_Global_Root_G2",
+      "binNumber": 149,
+      "sha256Fingerprint": "yzzLt2Ax5eATj43TmiP53kf/w15DwRRM6ifUalqxy18="
+    },
+    {
+      "label": "DigiCert_Global_Root_G3",
+      "binNumber": 150,
+      "sha256Fingerprint": "Ma1mSPgQQTjHOPOepDIBMzk+OhjMAilu+Xwqye9nMdA="
+    },
+    {
+      "label": "DigiCert_Trusted_Root_G4",
+      "binNumber": 151,
+      "sha256Fingerprint": "VS973PGnr55s5nIBf08Sq/dyQMeOdhrCA9HZ0grImYg="
+    },
+    {
+      "label": "Certification_Authority_of_WoSign",
+      "binNumber": 152,
+      "sha256Fingerprint": "SyLVpq7JnzzbeapewGg4R5zV7LpxZPfyLcHWX2PYVwg="
+    },
+    {
+      "label": "CA______",
+      "binNumber": 153,
+      "sha256Fingerprint": "1vA0vZSqIz8Cl+ykJFsoOXPkR6pZDzEMd/SP34MRIlQ="
+    },
+    {
+      "label": "COMODO_RSA_Certification_Authority",
+      "binNumber": 154,
+      "sha256Fingerprint": "UvDhxOWOxikpG2AxfwdGcbhdfqgNWwcnNGNTSzK0AjQ="
+    },
+    {
+      "label": "USERTrust_RSA_Certification_Authority",
+      "binNumber": 155,
+      "sha256Fingerprint": "55PJsC/YqhPiHDEiisywgRlkO3SciYlksXRtRsPUy9I="
+    },
+    {
+      "label": "USERTrust_ECC_Certification_Authority",
+      "binNumber": 156,
+      "sha256Fingerprint": "T/Rg1Uuchtq/vPxXEuBADSvtP7xNT72qhuBq3NKprXo="
+    },
+    {
+      "label": "GlobalSign",
+      "binNumber": 157,
+      "sha256Fingerprint": "vslJEcKVVnbbbApVCYbXbjugBWZ8RCyXYrT7t3PeIow="
+    },
+    {
+      "label": "GlobalSign",
+      "binNumber": 158,
+      "sha256Fingerprint": "F5+8FIo90A/STqE0WMxDv6f1nIGC14OlE/br7BAMiSQ="
+    },
+    {
+      "label": "Staat_der_Nederlanden_Root_CA___G3",
+      "binNumber": 159,
+      "sha256Fingerprint": "PE+wuVq4swAy9DK4b1Nf4XLBhdD9OYZYN882GH+m9Cg="
+    },
+    {
+      "label": "Staat_der_Nederlanden_EV_Root_CA",
+      "binNumber": 160,
+      "sha256Fingerprint": "TSSRQUz+lWdG7Ezvps9vcuKKEylDL52KkHrEy12twVo="
+    },
+    {
+      "label": "IdenTrust_Commercial_Root_CA_1",
+      "binNumber": 161,
+      "sha256Fingerprint": "XVZJm+TS4IvPytCKPjhyPVBQO95waUjkL1VgMBnlKK4="
+    },
+    {
+      "label": "IdenTrust_Public_Sector_Root_CA_1",
+      "binNumber": 162,
+      "sha256Fingerprint": "MNCJWppEiiYgkWNVItH1IBC1hnrK4Sx475WP1PQ4ny8="
+    },
+    {
+      "label": "Entrust_Root_Certification_Authority___G2",
+      "binNumber": 163,
+      "sha256Fingerprint": "Q99XdLA+f+9f5A2TGnvt8bsua0JzjE5tOEEQPTqn8zk="
+    },
+    {
+      "label": "Entrust_Root_Certification_Authority___EC1",
+      "binNumber": 164,
+      "sha256Fingerprint": "Au0OsowU2kUWXFZnkXANZFHX+1bwsqsdO46wcOVu3/U="
+    },
+    {
+      "label": "CFCA_EV_ROOT",
+      "binNumber": 165,
+      "sha256Fingerprint": "XMPXjk4dXkVUegTmhz5k+Qz5U20czC74APNVxMX9cP0="
+    },
+    {
+      "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5",
+      "binNumber": 166,
+      "sha256Fingerprint": "STUbkDREwYXM3FxpPSTYVVyyCNaoFBMHaZ9K8GMZnXg="
+    },
+    {
+      "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6",
+      "binNumber": 167,
+      "sha256Fingerprint": "jeeGVeG+f3hHgAuT9pTSHTaMwG4DPn+rBLteuZ2mtwA="
+    },
+    {
+      "label": "Certinomis___Root_CA",
+      "binNumber": 168,
+      "sha256Fingerprint": "Kpn1vBF0tzy7HWIIhOAcNOUcyzl42hJfDjMmiIO/QVg="
+    },
+    {
+      "label": "OISTE_WISeKey_Global_Root_GB_CA",
+      "binNumber": 169,
+      "sha256Fingerprint": "a5wI6G6w92fPrWXNmLYhSeVJSmf1hF570e0Bnye4a9Y="
+    },
+    {
+      "label": "Certification_Authority_of_WoSign_G2",
+      "binNumber": 170,
+      "sha256Fingerprint": "1Ielb4OwdILoXpYzlMHswsnlHQkD7pRrAsMBWB7ZnhY="
+    },
+    {
+      "label": "CA_WoSign_ECC_Root",
+      "binNumber": 171,
+      "sha256Fingerprint": "i0XaHAb3kesMq/Jr5Yj1+yMWXC5hS/iFVi0NzlCymwI="
+    },
+    {
+      "label": "SZAFIR_ROOT_CA2",
+      "binNumber": 172,
+      "sha256Fingerprint": "oTOdMygaC1blV9PTKxzn+TZ+sJS9X6cqflAEyN7Xyv4="
+    },
+    {
+      "label": "Certum_Trusted_Network_CA_2",
+      "binNumber": 173,
+      "sha256Fingerprint": "tnby7drod1zTbLD2PNHUYDlh9J5iZboBOi8DB7bQuAQ="
+    },
+    {
+      "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2015",
+      "binNumber": 174,
+      "sha256Fingerprint": "oECSmgLOU7Ss9PL/xpgc5ElvdV5tRf4LKmkrzVJSPzY="
+    },
+    {
+      "label": "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015",
+      "binNumber": 175,
+      "sha256Fingerprint": "RLVFqool5lpzyhXcJ/w20kwcuZU6BmU5sRWC3Eh7SDM="
+    },
+    {
+      "label": "Certplus_Root_CA_G1",
+      "binNumber": 176,
+      "sha256Fingerprint": "FSpAK/zfLNVIBU0idbOcf8o+wJeAeLDw6nblYabHQz4="
+    },
+    {
+      "label": "Certplus_Root_CA_G2",
+      "binNumber": 177,
+      "sha256Fingerprint": "bMBQQeZEXnRpbEz7yfgPVDt+q7tEtM5veHxqmXHELxc="
+    },
+    {
+      "label": "OpenTrust_Root_CA_G1",
+      "binNumber": 178,
+      "sha256Fingerprint": "VsdxKNmMGNkbTP3/vCXukQPUdY6iq62CapDzRX1GDrQ="
+    },
+    {
+      "label": "OpenTrust_Root_CA_G2",
+      "binNumber": 179,
+      "sha256Fingerprint": "J5lYKf5qdRXBv+hI+cR2HbFsIlkpJXv0DQiU8p6ouvI="
+    },
+    {
+      "label": "OpenTrust_Root_CA_G3",
+      "binNumber": 180,
+      "sha256Fingerprint": "t8NiMXBugQeMNny4lhmPHjII3ZJpSd2PVwmkEPdbYpI="
+    },
+    {
+      "label": "ISRG_Root_X1",
+      "binNumber": 181,
+      "sha256Fingerprint": "lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY="
+    },
+    {
+      "label": "OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES",
+      "binNumber": 182,
+      "sha256Fingerprint": "68VXDCkBjE1nsaoSe68S9wO0YR68F7fatVc4lBebk/o="
+    },
+    {
+      "label": "Amazon_Root_CA_1",
+      "binNumber": 183,
+      "sha256Fingerprint": "js3miE89h7ESW6Maw/yxPXAW3n9XzJBP4cuXxq6YGW4="
+    },
+    {
+      "label": "Amazon_Root_CA_2",
+      "binNumber": 184,
+      "sha256Fingerprint": "G6WyqoxlQBqClgEY+AvsT2IwTYPOxHE6GcOcAR6kbbQ="
+    },
+    {
+      "label": "Amazon_Root_CA_3",
+      "binNumber": 185,
+      "sha256Fingerprint": "GM5s/nvxTmCy40e43+hoyzHQLrs62icVafUDQ7Rts6Q="
+    },
+    {
+      "label": "Amazon_Root_CA_4",
+      "binNumber": 186,
+      "sha256Fingerprint": "410oQZ7QICXPppA4zWI5YkWNpcaV+96jwisL+yWJcJI="
+    },
+    {
+      "label": "LuxTrust_Global_Root_2",
+      "binNumber": 187,
+      "sha256Fingerprint": "VEVfcSnCCxRHxBj5lxaPJMWPxQI79dpb4utuHdiQLtU="
+    }
+  ],
+  "maxBin": 187
+}
\ No newline at end of file
diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json
new file mode 100644
index 000000000..d9c394a1d
--- /dev/null
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -0,0 +1,222 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// The top-level element is a dictionary with two keys: "pinsets" maps details
+// of certificate pinning to a name and "entries" contains the HPKP details for
+// each host.
+//
+// "pinsets" is a list of objects. Each object has the following members:
+//   name: (string) the name of the pinset
+//   sha256_hashes: (list of strings) the set of allowed SPKIs hashes
+//
+// For a given pinset, a certificate is accepted if at least one of the
+// Subject Public Key Infos (SPKIs) is found in the chain.  SPKIs are specified
+// as names, which must match up with the name given in the Mozilla root store.
+//
+// "entries" is a list of objects. Each object has the following members:
+//   name: (string) the DNS name of the host in question
+//   include_subdomains: (optional bool) whether subdomains of |name| are also covered
+//   pins: (string) the |name| member of an object in |pinsets|
+//
+// "extra_certs" is a list of base64-encoded certificates. These are used in
+// pinsets that reference certificates not in our root program (for example,
+// Facebook).
+
+// equifax -> aus3
+// Geotrust Primary -> www.mozilla.org
+// Geotrust Global -> *. addons.mozilla.org
+{
+  "chromium_data" : {
+    "cert_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.pins?format=TEXT",
+    "json_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT",
+    "substitute_pinsets": {
+      // Use the larger google_root_pems pinset instead of google
+      "google": "google_root_pems"
+    },
+    "production_pinsets": [
+      "google_root_pems",
+      "facebook"
+    ],
+    "production_domains": [
+      // Chrome's test domains.
+      "pinningtest.appspot.com",
+      "pinning-test.badssl.com",
+      // Dropbox
+      "dropbox.com",
+      "www.dropbox.com",
+      // Twitter
+      "api.twitter.com",
+      "business.twitter.com",
+      "dev.twitter.com",
+      "mobile.twitter.com",
+      "oauth.twitter.com",
+      "platform.twitter.com",
+      "twimg.com",
+      "www.twitter.com",
+      // Tor
+      "torproject.org",
+      "blog.torproject.org",
+      "check.torproject.org",
+      "dist.torproject.org",
+      "www.torproject.org",
+      // SpiderOak
+      "spideroak.com"
+    ],
+    "exclude_domains" : [
+      // Chrome's entry for twitter.com doesn't include subdomains, so replace
+      // it with our own entry below which also uses an expanded pinset.
+      "twitter.com"
+    ]
+   },
+  "pinsets": [
+    {
+      // From bug 772756, mozilla uses GeoTrust, Digicert and Thawte.  Our
+      // cdn sites use Verisign and Baltimore. We exclude 1024-bit root certs
+      // from all providers. geotrust ca info:
+      // http://www.geotrust.com/resources/root-certificates/index.html
+      "name": "mozilla",
+      "sha256_hashes": [
+        "Baltimore CyberTrust Root",
+        "DigiCert Assured ID Root CA",
+        "DigiCert Global Root CA",
+        "DigiCert High Assurance EV Root CA",
+        "GeoTrust Global CA",
+        "GeoTrust Global CA 2",
+        "GeoTrust Primary Certification Authority",
+        "GeoTrust Primary Certification Authority - G2",
+        "GeoTrust Primary Certification Authority - G3",
+        "GeoTrust Universal CA",
+        "GeoTrust Universal CA 2",
+        "thawte Primary Root CA",
+        "thawte Primary Root CA - G2",
+        "thawte Primary Root CA - G3",
+        "Verisign Class 1 Public Primary Certification Authority - G3",
+        "Verisign Class 2 Public Primary Certification Authority - G3",
+        "Verisign Class 3 Public Primary Certification Authority - G3",
+        "VeriSign Class 3 Public Primary Certification Authority - G4",
+        "VeriSign Class 3 Public Primary Certification Authority - G5",
+        // "Verisign Class 4 Public Primary Certification Authority - G3",
+        "VeriSign Universal Root Certification Authority"
+      ]
+    },
+    {
+      "name": "mozilla_services",
+      "sha256_hashes": [
+        "DigiCert Global Root CA"
+      ]
+    },
+    // For pinning tests on pinning.example.com, the certificate must be 'End
+    // Entity Test Cert'
+    {
+      "name": "mozilla_test",
+      "sha256_hashes": [
+        "End Entity Test Cert"
+      ]
+    },
+    // Google's root PEMs. Chrome pins only to their intermediate certs, but
+    // they'd like us to be more liberal. For the initial list, we are using
+    // the certs from http://pki.google.com/roots.pem.
+    // We have no built-in for commented out CAs.
+    {
+      "name": "google_root_pems",
+      "sha256_hashes": [
+        "AddTrust External Root",
+        "AddTrust Low-Value Services Root",
+        "AddTrust Public Services Root",
+        "AddTrust Qualified Certificates Root",
+        "AffirmTrust Commercial",
+        "AffirmTrust Networking",
+        "AffirmTrust Premium",
+        "AffirmTrust Premium ECC",
+        "Baltimore CyberTrust Root",
+        "Comodo AAA Services root",
+        "COMODO Certification Authority",
+        "COMODO ECC Certification Authority",
+        "COMODO RSA Certification Authority",
+        "Comodo Secure Services root",
+        "Comodo Trusted Services root",
+        "Cybertrust Global Root",
+        "DigiCert Assured ID Root CA",
+        "DigiCert Assured ID Root G2",
+        "DigiCert Assured ID Root G3",
+        "DigiCert Global Root CA",
+        "DigiCert Global Root G2",
+        "DigiCert Global Root G3",
+        "DigiCert High Assurance EV Root CA",
+        "DigiCert Trusted Root G4",
+        "Entrust Root Certification Authority",
+        "Entrust Root Certification Authority - EC1",
+        "Entrust Root Certification Authority - G2",
+        "Entrust.net Premium 2048 Secure Server CA",
+        // "Equifax Secure Certificate Authority",
+        "GeoTrust Global CA",
+        "GeoTrust Global CA 2",
+        "GeoTrust Primary Certification Authority",
+        "GeoTrust Primary Certification Authority - G2",
+        "GeoTrust Primary Certification Authority - G3",
+        "GeoTrust Universal CA",
+        "GeoTrust Universal CA 2",
+        "GlobalSign ECC Root CA - R4",
+        "GlobalSign ECC Root CA - R5",
+        "GlobalSign Root CA",
+        "GlobalSign Root CA - R2",
+        "GlobalSign Root CA - R3",
+        "Go Daddy Class 2 CA",
+        "Go Daddy Root Certificate Authority - G2",
+        "Starfield Class 2 CA",
+        "Starfield Root Certificate Authority - G2",
+        "thawte Primary Root CA",
+        "thawte Primary Root CA - G2",
+        "thawte Primary Root CA - G3",
+        "USERTrust ECC Certification Authority",
+        "USERTrust RSA Certification Authority",
+        "UTN USERFirst Hardware Root CA",
+        "Verisign Class 3 Public Primary Certification Authority - G3",
+        "VeriSign Class 3 Public Primary Certification Authority - G4",
+        "VeriSign Class 3 Public Primary Certification Authority - G5",
+        "VeriSign Universal Root Certification Authority"
+      ]
+    }
+  ],
+
+  "entries": [
+    // Only domains that are operationally crucial to Firefox can have per-host
+    // telemetry reporting (the "id") field
+    { "name": "addons.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false, "id": 1 },
+    { "name": "addons.mozilla.net", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false, "id": 2 },
+    { "name": "aus4.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": true, "id": 3 },
+    { "name": "accounts.firefox.com", "include_subdomains": true,
+      "pins": "mozilla_services", "test_mode": false, "id": 4 },
+    { "name": "api.accounts.firefox.com", "include_subdomains": true,
+      "pins": "mozilla_services", "test_mode": false, "id": 5 },
+    { "name": "cdn.mozilla.net", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false },
+    { "name": "cdn.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": false },
+    { "name": "services.mozilla.com", "include_subdomains": true,
+      "pins": "mozilla_services", "test_mode": false, "id": 6 },
+    { "name": "include-subdomains.pinning.example.com",
+      "include_subdomains": true, "pins": "mozilla_test",
+      "test_mode": false },
+    // Example domain to collect per-host stats for telemetry tests.
+    { "name": "exclude-subdomains.pinning.example.com",
+      "include_subdomains": false, "pins": "mozilla_test",
+      "test_mode": false, "id": 0 },
+    { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+      "pins": "mozilla_test", "test_mode": true },
+    // Expand twitter's pinset to include all of *.twitter.com and use
+    // twitterCDN. More specific rules take precedence because we search for
+    // exact domain name first.
+    { "name": "twitter.com", "include_subdomains": true,
+      "pins": "twitterCDN", "test_mode": false },
+    { "name": "aus5.mozilla.org", "include_subdomains": true,
+      "pins": "mozilla", "test_mode": true, "id": 7 }
+  ],
+
+  "extra_certificates": []
+}
diff --git a/security/manager/tools/dumpGoogleRoots.js b/security/manager/tools/dumpGoogleRoots.js
new file mode 100644
index 000000000..2daa20434
--- /dev/null
+++ b/security/manager/tools/dumpGoogleRoots.js
@@ -0,0 +1,106 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file is a helper script that generates the list of certificates that
+// make up the preloaded pinset for Google properties.
+//
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell dumpGoogleRoots.js'
+// 4. [paste the output into the appropriate section in
+//     security/manager/tools/PreloadedHPKPins.json]
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+
+function downloadRoots() {
+  let req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+              .createInstance(Ci.nsIXMLHttpRequest);
+  req.open("GET", "https://pki.google.com/roots.pem", false);
+  try {
+    req.send();
+  }
+  catch (e) {
+    throw new Error("ERROR: problem downloading Google Root PEMs: " + e);
+  }
+
+  if (req.status != 200) {
+    throw new Error("ERROR: problem downloading Google Root PEMs. Status: " +
+                    req.status);
+  }
+
+  let pem = req.responseText;
+  let roots = [];
+  let currentPEM = "";
+  let readingRoot = false;
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+  for (let line of pem.split(/[\r\n]/)) {
+    if (line == "-----END CERTIFICATE-----") {
+      if (currentPEM) {
+        roots.push(certDB.constructX509FromBase64(currentPEM));
+      }
+      currentPEM = "";
+      readingRoot = false;
+      continue;
+    }
+    if (readingRoot) {
+      currentPEM += line;
+    }
+    if (line == "-----BEGIN CERTIFICATE-----") {
+      readingRoot = true;
+    }
+  }
+  return roots;
+}
+
+function makeFormattedNickname(cert) {
+  if (cert.nickname.startsWith("Builtin Object Token:")) {
+    return `"${cert.nickname.substring("Builtin Object Token:".length)}"`;
+  }
+  // Otherwise, this isn't a built-in and we have to comment it out.
+  if (cert.commonName) {
+    return `// "${cert.commonName}"`;
+  }
+  if (cert.organizationalUnit) {
+    return `// "${cert.organizationalUnit}"`;
+  }
+  if (cert.organization) {
+    return `// "${cert.organization}"`;
+  }
+  throw new Error(`couldn't make nickname for ${cert.subjectName}`);
+}
+
+var roots = downloadRoots();
+var rootNicknames = [];
+for (var root of roots) {
+  rootNicknames.push(makeFormattedNickname(root));
+}
+rootNicknames.sort(function(rootA, rootB) {
+  let rootALowercase = rootA.toLowerCase().replace(/(^[^"]*")|"/g, "");
+  let rootBLowercase = rootB.toLowerCase().replace(/(^[^"]*")|"/g, "");
+  if (rootALowercase < rootBLowercase) {
+    return -1;
+  }
+  if (rootALowercase > rootBLowercase) {
+    return 1;
+  }
+  return 0;
+});
+dump("    {\n");
+dump("      \"name\": \"google_root_pems\",\n");
+dump("      \"sha256_hashes\": [\n");
+var first = true;
+for (var nickname of rootNicknames) {
+  if (!first) {
+    dump(",\n");
+  }
+  first = false;
+  dump("        " + nickname);
+}
+dump("\n");
+dump("      ]\n");
+dump("    }\n");
diff --git a/security/manager/tools/genHPKPStaticPins.js b/security/manager/tools/genHPKPStaticPins.js
new file mode 100644
index 000000000..f2b9dbdda
--- /dev/null
+++ b/security/manager/tools/genHPKPStaticPins.js
@@ -0,0 +1,630 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell \
+//                                  [path to]/genHPKPStaticpins.js \
+//                                  [absolute path to]/PreloadedHPKPins.json \
+//                                  [an unused argument - see bug 1205406] \
+//                                  [absolute path to]/StaticHPKPins.h
+"use strict";
+
+if (arguments.length != 3) {
+  throw new Error("Usage: genHPKPStaticPins.js " +
+                  "<absolute path to PreloadedHPKPins.json> " +
+                  "<an unused argument - see bug 1205406> " +
+                  "<absolute path to StaticHPKPins.h>");
+}
+
+var { 'classes': Cc, 'interfaces': Ci, 'utils': Cu, 'results': Cr } = Components;
+
+var { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
+var { FileUtils } = Cu.import("resource://gre/modules/FileUtils.jsm", {});
+var { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+                .getService(Ci.nsIX509CertDB);
+
+const BUILT_IN_NICK_PREFIX = "Builtin Object Token:";
+const SHA256_PREFIX = "sha256/";
+const GOOGLE_PIN_PREFIX = "GOOGLE_PIN_";
+
+// Pins expire in 14 weeks (6 weeks on Beta + 8 weeks on stable)
+const PINNING_MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 14;
+
+const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"\n" +
+"/*****************************************************************************/\n" +
+"/* This is an automatically generated file. If you're not                    */\n" +
+"/* PublicKeyPinningService.cpp, you shouldn't be #including it.              */\n" +
+"/*****************************************************************************/\n" +
+"#include <stdint.h>" +
+"\n";
+
+const DOMAINHEADER = "/* Domainlist */\n" +
+  "struct TransportSecurityPreload {\n" +
+  "  const char* mHost;\n" +
+  "  const bool mIncludeSubdomains;\n" +
+  "  const bool mTestMode;\n" +
+  "  const bool mIsMoz;\n" +
+  "  const int32_t mId;\n" +
+  "  const StaticFingerprints* pinset;\n" +
+  "};\n\n";
+
+const PINSETDEF = "/* Pinsets are each an ordered list by the actual value of the fingerprint */\n" +
+  "struct StaticFingerprints {\n" +
+  "  const size_t size;\n" +
+  "  const char* const* data;\n" +
+  "};\n\n";
+
+// Command-line arguments
+var gStaticPins = parseJson(arguments[0]);
+
+// arguments[1] is ignored for now. See bug 1205406.
+
+// Open the output file.
+var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+file.initWithPath(arguments[2]);
+var gFileOutputStream = FileUtils.openSafeFileOutputStream(file);
+
+function writeString(string) {
+  gFileOutputStream.write(string, string.length);
+}
+
+function readFileToString(filename) {
+  let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+  file.initWithPath(filename);
+  let stream = Cc["@mozilla.org/network/file-input-stream;1"]
+                 .createInstance(Ci.nsIFileInputStream);
+  stream.init(file, -1, 0, 0);
+  let buf = NetUtil.readInputStreamToString(stream, stream.available());
+  return buf;
+}
+
+function stripComments(buf) {
+  let lines = buf.split("\n");
+  let entryRegex = /^\s*\/\//;
+  let data = "";
+  for (let i = 0; i < lines.length; ++i) {
+    let match = entryRegex.exec(lines[i]);
+    if (!match) {
+      data = data + lines[i];
+    }
+  }
+  return data;
+}
+
+function isBuiltinToken(tokenName) {
+  return tokenName == "Builtin Object Token";
+}
+
+function isCertBuiltIn(cert) {
+  let tokenNames = cert.getAllTokenNames({});
+  if (!tokenNames) {
+    return false;
+  }
+  if (tokenNames.some(isBuiltinToken)) {
+    return true;
+  }
+  return false;
+}
+
+function download(filename) {
+  let req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+              .createInstance(Ci.nsIXMLHttpRequest);
+  req.open("GET", filename, false); // doing the request synchronously
+  try {
+    req.send();
+  }
+  catch (e) {
+    throw new Error(`ERROR: problem downloading '${filename}': ${e}`);
+  }
+
+  if (req.status != 200) {
+    throw new Error("ERROR: problem downloading '" + filename + "': status " +
+                    req.status);
+  }
+
+  let resultDecoded;
+  try {
+    resultDecoded = atob(req.responseText);
+  }
+  catch (e) {
+    throw new Error("ERROR: could not decode data as base64 from '" + filename +
+                    "': " + e);
+  }
+  return resultDecoded;
+}
+
+function downloadAsJson(filename) {
+  // we have to filter out '//' comments, while not mangling the json
+  let result = download(filename).replace(/^(\s*)?\/\/[^\n]*\n/mg, "");
+  let data = null;
+  try {
+    data = JSON.parse(result);
+  }
+  catch (e) {
+    throw new Error("ERROR: could not parse data from '" + filename + "': " + e);
+  }
+  return data;
+}
+
+// Returns a Subject Public Key Digest from the given pem, if it exists.
+function getSKDFromPem(pem) {
+  let cert = gCertDB.constructX509FromBase64(pem, pem.length);
+  return cert.sha256SubjectPublicKeyInfoDigest;
+}
+
+/**
+ * Hashes |input| using the SHA-256 algorithm in the following manner:
+ *   btoa(sha256(atob(input)))
+ *
+ * @argument {String} input Base64 string to decode and return the hash of.
+ * @returns {String} Base64 encoded SHA-256 hash.
+ */
+function sha256Base64(input) {
+  let decodedValue;
+  try {
+    decodedValue = atob(input);
+  }
+  catch (e) {
+    throw new Error(`ERROR: could not decode as base64: '${input}': ${e}`);
+  }
+
+  // Convert |decodedValue| to an array so that it can be hashed by the
+  // nsICryptoHash instance below.
+  // In most cases across the code base, convertToByteArray() of
+  // nsIScriptableUnicodeConverter is used to do this, but the method doesn't
+  // seem to work here.
+  let data = [];
+  for (let i = 0; i < decodedValue.length; i++) {
+    data[i] = decodedValue.charCodeAt(i);
+  }
+
+  let hasher = Cc["@mozilla.org/security/hash;1"]
+                 .createInstance(Ci.nsICryptoHash);
+  hasher.init(hasher.SHA256);
+  hasher.update(data, data.length);
+
+  // true is passed so that the hasher returns a Base64 encoded string.
+  return hasher.finish(true);
+}
+
+// Downloads the static certs file and tries to map Google Chrome nicknames
+// to Mozilla nicknames, as well as storing any hashes for pins for which we
+// don't have root PEMs. Each entry consists of a line containing the name of
+// the pin followed either by a hash in the format "sha256/" + base64(hash),
+// a PEM encoded public key, or a PEM encoded certificate.
+// For certificates that we have in our database,
+// return a map of Google's nickname to ours. For ones that aren't return a
+// map of Google's nickname to SHA-256 values. This code is modeled after agl's
+// https://github.com/agl/transport-security-state-generate, which doesn't
+// live in the Chromium repo because go is not an official language in
+// Chromium.
+// For all of the entries in this file:
+// - If the entry has a hash format, find the Mozilla pin name (cert nickname)
+// and stick the hash into certSKDToName
+// - If the entry has a PEM format, parse the PEM, find the Mozilla pin name
+// and stick the hash in certSKDToName
+// We MUST be able to find a corresponding cert nickname for the Chrome names,
+// otherwise we skip all pinsets referring to that Chrome name.
+function downloadAndParseChromeCerts(filename, certNameToSKD, certSKDToName) {
+  // Prefixes that we care about.
+  const BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
+  const END_CERT = "-----END CERTIFICATE-----";
+  const BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----";
+  const END_PUB_KEY = "-----END PUBLIC KEY-----";
+
+  // Parsing states.
+  const PRE_NAME = 0;
+  const POST_NAME = 1;
+  const IN_CERT = 2;
+  const IN_PUB_KEY = 3;
+  let state = PRE_NAME;
+
+  let lines = download(filename).split("\n");
+  let name = "";
+  let pemCert = "";
+  let pemPubKey = "";
+  let hash = "";
+  let chromeNameToHash = {};
+  let chromeNameToMozName = {};
+  let chromeName;
+  for (let line of lines) {
+    // Skip comments and newlines.
+    if (line.length == 0 || line[0] == '#') {
+      continue;
+    }
+    switch (state) {
+      case PRE_NAME:
+        chromeName = line;
+        state = POST_NAME;
+        break;
+      case POST_NAME:
+        if (line.startsWith(SHA256_PREFIX)) {
+          hash = line.substring(SHA256_PREFIX.length);
+          chromeNameToHash[chromeName] = hash;
+          certNameToSKD[chromeName] = hash;
+          certSKDToName[hash] = chromeName;
+          state = PRE_NAME;
+        } else if (line.startsWith(BEGIN_CERT)) {
+          state = IN_CERT;
+        } else if (line.startsWith(BEGIN_PUB_KEY)) {
+          state = IN_PUB_KEY;
+        } else {
+          throw new Error("ERROR: couldn't parse Chrome certificate file " +
+                          "line: " + line);
+        }
+        break;
+      case IN_CERT:
+        if (line.startsWith(END_CERT)) {
+          state = PRE_NAME;
+          hash = getSKDFromPem(pemCert);
+          pemCert = "";
+          let mozName;
+          if (hash in certSKDToName) {
+            mozName = certSKDToName[hash];
+          } else {
+            // Not one of our built-in certs. Prefix the name with
+            // GOOGLE_PIN_.
+            mozName = GOOGLE_PIN_PREFIX + chromeName;
+            dump("Can't find hash in builtin certs for Chrome nickname " +
+                 chromeName + ", inserting " + mozName + "\n");
+            certSKDToName[hash] = mozName;
+            certNameToSKD[mozName] = hash;
+          }
+          chromeNameToMozName[chromeName] = mozName;
+        } else {
+          pemCert += line;
+        }
+        break;
+      case IN_PUB_KEY:
+        if (line.startsWith(END_PUB_KEY)) {
+          state = PRE_NAME;
+          hash = sha256Base64(pemPubKey);
+          pemPubKey = "";
+          chromeNameToHash[chromeName] = hash;
+          certNameToSKD[chromeName] = hash;
+          certSKDToName[hash] = chromeName;
+        } else {
+          pemPubKey += line;
+        }
+        break;
+      default:
+        throw new Error("ERROR: couldn't parse Chrome certificate file " + line);
+    }
+  }
+  return [ chromeNameToHash, chromeNameToMozName ];
+}
+
+// We can only import pinsets from chrome if for every name in the pinset:
+// - We have a hash from Chrome's static certificate file
+// - We have a builtin cert
+// If the pinset meets these requirements, we store a map array of pinset
+// objects:
+// {
+//   pinset_name : {
+//     // Array of names with entries in certNameToSKD
+//     sha256_hashes: []
+//   }
+// }
+// and an array of imported pinset entries:
+// { name: string, include_subdomains: boolean, test_mode: boolean,
+//   pins: pinset_name }
+function downloadAndParseChromePins(filename,
+                                    chromeNameToHash,
+                                    chromeNameToMozName,
+                                    certNameToSKD,
+                                    certSKDToName) {
+  let chromePreloads = downloadAsJson(filename);
+  let chromePins = chromePreloads.pinsets;
+  let chromeImportedPinsets = {};
+  let chromeImportedEntries = [];
+
+  chromePins.forEach(function(pin) {
+    let valid = true;
+    let pinset = { name: pin.name, sha256_hashes: [] };
+    // Translate the Chrome pinset format to ours
+    pin.static_spki_hashes.forEach(function(name) {
+      if (name in chromeNameToHash) {
+        let hash = chromeNameToHash[name];
+        pinset.sha256_hashes.push(certSKDToName[hash]);
+
+        // We should have already added hashes for all of these when we
+        // imported the certificate file.
+        if (!certNameToSKD[name]) {
+          throw new Error("ERROR: No hash for name: " + name);
+        }
+      } else if (name in chromeNameToMozName) {
+        pinset.sha256_hashes.push(chromeNameToMozName[name]);
+      } else {
+        dump("Skipping Chrome pinset " + pinset.name + ", couldn't find " +
+             "builtin " + name + " from cert file\n");
+        valid = false;
+      }
+    });
+    if (valid) {
+      chromeImportedPinsets[pinset.name] = pinset;
+    }
+  });
+
+  // Grab the domain entry lists. Chrome's entry format is similar to
+  // ours, except theirs includes a HSTS mode.
+  const cData = gStaticPins.chromium_data;
+  let entries = chromePreloads.entries;
+  entries.forEach(function(entry) {
+    // HSTS entry only
+    if (!entry.pins) {
+      return;
+    }
+    let pinsetName = cData.substitute_pinsets[entry.pins];
+    if (!pinsetName) {
+      pinsetName = entry.pins;
+    }
+
+    // We trim the entry name here to avoid breaking hostname comparisons in the
+    // HPKP implementation.
+    entry.name = entry.name.trim();
+
+    let isProductionDomain =
+      (cData.production_domains.indexOf(entry.name) != -1);
+    let isProductionPinset =
+      (cData.production_pinsets.indexOf(pinsetName) != -1);
+    let excludeDomain =
+      (cData.exclude_domains.indexOf(entry.name) != -1);
+    let isTestMode = !isProductionPinset && !isProductionDomain;
+    if (entry.pins && !excludeDomain && chromeImportedPinsets[entry.pins]) {
+      chromeImportedEntries.push({
+        name: entry.name,
+        include_subdomains: entry.include_subdomains,
+        test_mode: isTestMode,
+        is_moz: false,
+        pins: pinsetName });
+    }
+  });
+  return [ chromeImportedPinsets, chromeImportedEntries ];
+}
+
+// Returns a pair of maps [certNameToSKD, certSKDToName] between cert
+// nicknames and digests of the SPKInfo for the mozilla trust store
+function loadNSSCertinfo(extraCertificates) {
+  let allCerts = gCertDB.getCerts();
+  let enumerator = allCerts.getEnumerator();
+  let certNameToSKD = {};
+  let certSKDToName = {};
+  while (enumerator.hasMoreElements()) {
+    let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+    if (!isCertBuiltIn(cert)) {
+      continue;
+    }
+    let name = cert.nickname.substr(BUILT_IN_NICK_PREFIX.length);
+    let SKD = cert.sha256SubjectPublicKeyInfoDigest;
+    certNameToSKD[name] = SKD;
+    certSKDToName[SKD] = name;
+  }
+
+  for (let cert of extraCertificates) {
+    let name = cert.commonName;
+    let SKD = cert.sha256SubjectPublicKeyInfoDigest;
+    certNameToSKD[name] = SKD;
+    certSKDToName[SKD] = name;
+  }
+
+  {
+    // This is the pinning test certificate. The key hash identifies the
+    // default RSA key from pykey.
+    let name = "End Entity Test Cert";
+    let SKD = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
+    certNameToSKD[name] = SKD;
+    certSKDToName[SKD] = name;
+  }
+  return [certNameToSKD, certSKDToName];
+}
+
+function parseJson(filename) {
+  let json = stripComments(readFileToString(filename));
+  return JSON.parse(json);
+}
+
+function nameToAlias(certName) {
+  // change the name to a string valid as a c identifier
+  // remove  non-ascii characters
+  certName = certName.replace(/[^[:ascii:]]/g, "_");
+  // replace non word characters
+  certName = certName.replace(/[^A-Za-z0-9]/g, "_");
+
+  return "k" + certName + "Fingerprint";
+}
+
+function compareByName (a, b) {
+  return a.name.localeCompare(b.name);
+}
+
+function genExpirationTime() {
+  let now = new Date();
+  let nowMillis = now.getTime();
+  let expirationMillis = nowMillis + (PINNING_MINIMUM_REQUIRED_MAX_AGE * 1000);
+  let expirationMicros = expirationMillis * 1000;
+  return "static const PRTime kPreloadPKPinsExpirationTime = INT64_C(" +
+         expirationMicros + ");\n";
+}
+
+function writeFullPinset(certNameToSKD, certSKDToName, pinset) {
+  let prefix = "kPinset_" + pinset.name;
+  if (!pinset.sha256_hashes || pinset.sha256_hashes.length == 0) {
+    throw new Error(`ERROR: Pinset ${pinset.name} does not contain any hashes`);
+  }
+  writeFingerprints(certNameToSKD, certSKDToName, pinset.name,
+                    pinset.sha256_hashes);
+}
+
+function writeFingerprints(certNameToSKD, certSKDToName, name, hashes) {
+  let varPrefix = "kPinset_" + name;
+  writeString("static const char* const " + varPrefix + "_Data[] = {\n");
+  let SKDList = [];
+  for (let certName of hashes) {
+    if (!(certName in certNameToSKD)) {
+      throw new Error(`ERROR: Can't find '${certName}' in certNameToSKD`);
+    }
+    SKDList.push(certNameToSKD[certName]);
+  }
+  for (let skd of SKDList.sort()) {
+    writeString("  " + nameToAlias(certSKDToName[skd]) + ",\n");
+  }
+  if (hashes.length == 0) {
+    // ANSI C requires that an initialiser list be non-empty.
+    writeString("  0\n");
+  }
+  writeString("};\n");
+  writeString("static const StaticFingerprints " + varPrefix + " = {\n  " +
+    "sizeof(" + varPrefix + "_Data) / sizeof(const char*),\n  " + varPrefix +
+    "_Data\n};\n\n");
+}
+
+function writeEntry(entry) {
+  let printVal = "  { \"" + entry.name + "\",\ ";
+  if (entry.include_subdomains) {
+    printVal += "true, ";
+  } else {
+    printVal += "false, ";
+  }
+  // Default to test mode if not specified.
+  let testMode = true;
+  if (entry.hasOwnProperty("test_mode")) {
+    testMode = entry.test_mode;
+  }
+  if (testMode) {
+    printVal += "true, ";
+  } else {
+    printVal += "false, ";
+  }
+  if (entry.is_moz || (entry.pins.indexOf("mozilla") != -1 &&
+                       entry.pins != "mozilla_test")) {
+    printVal += "true, ";
+  } else {
+    printVal += "false, ";
+  }
+  if ("id" in entry) {
+    if (entry.id >= 256) {
+      throw new Error("ERROR: Not enough buckets in histogram");
+    }
+    if (entry.id >= 0) {
+      printVal += entry.id + ", ";
+    }
+  } else {
+    printVal += "-1, ";
+  }
+  printVal += "&kPinset_" + entry.pins;
+  printVal += " },\n";
+  writeString(printVal);
+}
+
+function writeDomainList(chromeImportedEntries) {
+  writeString("/* Sort hostnames for binary search. */\n");
+  writeString("static const TransportSecurityPreload " +
+          "kPublicKeyPinningPreloadList[] = {\n");
+  let count = 0;
+  let mozillaDomains = {};
+  gStaticPins.entries.forEach(function(entry) {
+    mozillaDomains[entry.name] = true;
+  });
+  // For any domain for which we have set pins, exclude them from
+  // chromeImportedEntries.
+  for (let i = chromeImportedEntries.length - 1; i >= 0; i--) {
+    if (mozillaDomains[chromeImportedEntries[i].name]) {
+      dump("Skipping duplicate pinset for domain " +
+           JSON.stringify(chromeImportedEntries[i], undefined, 2) + "\n");
+      chromeImportedEntries.splice(i, 1);
+    }
+  }
+  let sortedEntries = gStaticPins.entries;
+  sortedEntries.push.apply(sortedEntries, chromeImportedEntries);
+  for (let entry of sortedEntries.sort(compareByName)) {
+    count++;
+    writeEntry(entry);
+  }
+  writeString("};\n");
+
+  writeString("\n// Pinning Preload List Length = " + count + ";\n");
+  writeString("\nstatic const int32_t kUnknownId = -1;\n");
+}
+
+function writeFile(certNameToSKD, certSKDToName,
+                   chromeImportedPinsets, chromeImportedEntries) {
+  // Compute used pins from both Chrome's and our pinsets, so we can output
+  // them later.
+  let usedFingerprints = {};
+  let mozillaPins = {};
+  gStaticPins.pinsets.forEach(function(pinset) {
+    mozillaPins[pinset.name] = true;
+    pinset.sha256_hashes.forEach(function (name) {
+      usedFingerprints[name] = true;
+    });
+  });
+  for (let key in chromeImportedPinsets) {
+    let pinset = chromeImportedPinsets[key];
+    pinset.sha256_hashes.forEach(function(name) {
+      usedFingerprints[name] = true;
+    });
+  }
+
+  writeString(FILE_HEADER);
+
+  // Write actual fingerprints.
+  Object.keys(usedFingerprints).sort().forEach(function(certName) {
+    if (certName) {
+      writeString("/* " + certName + " */\n");
+      writeString("static const char " + nameToAlias(certName) + "[] =\n");
+      writeString("  \"" + certNameToSKD[certName] + "\";\n");
+      writeString("\n");
+    }
+  });
+
+  // Write the pinsets
+  writeString(PINSETDEF);
+  writeString("/* PreloadedHPKPins.json pinsets */\n");
+  gStaticPins.pinsets.sort(compareByName).forEach(function(pinset) {
+    writeFullPinset(certNameToSKD, certSKDToName, pinset);
+  });
+  writeString("/* Chrome static pinsets */\n");
+  for (let key in chromeImportedPinsets) {
+    if (mozillaPins[key]) {
+      dump("Skipping duplicate pinset " + key + "\n");
+    } else {
+      dump("Writing pinset " + key + "\n");
+      writeFullPinset(certNameToSKD, certSKDToName, chromeImportedPinsets[key]);
+    }
+  }
+
+  // Write the domainlist entries.
+  writeString(DOMAINHEADER);
+  writeDomainList(chromeImportedEntries);
+  writeString("\n");
+  writeString(genExpirationTime());
+}
+
+function loadExtraCertificates(certStringList) {
+  let constructedCerts = [];
+  for (let certString of certStringList) {
+    constructedCerts.push(gCertDB.constructX509FromBase64(certString));
+  }
+  return constructedCerts;
+}
+
+var extraCertificates = loadExtraCertificates(gStaticPins.extra_certificates);
+var [ certNameToSKD, certSKDToName ] = loadNSSCertinfo(extraCertificates);
+var [ chromeNameToHash, chromeNameToMozName ] = downloadAndParseChromeCerts(
+  gStaticPins.chromium_data.cert_file_url, certNameToSKD, certSKDToName);
+var [ chromeImportedPinsets, chromeImportedEntries ] =
+  downloadAndParseChromePins(gStaticPins.chromium_data.json_file_url,
+    chromeNameToHash, chromeNameToMozName, certNameToSKD, certSKDToName);
+
+writeFile(certNameToSKD, certSKDToName, chromeImportedPinsets,
+          chromeImportedEntries);
+
+FileUtils.closeSafeFileOutputStream(gFileOutputStream);
diff --git a/security/manager/tools/genRootCAHashes.js b/security/manager/tools/genRootCAHashes.js
new file mode 100644
index 000000000..0d6f1df48
--- /dev/null
+++ b/security/manager/tools/genRootCAHashes.js
@@ -0,0 +1,255 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell genRootCAHashes.js \
+//                                  [absolute path to]/RootHashes.inc'
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+var Cr = Components.results;
+
+const nsX509CertDB = "@mozilla.org/security/x509certdb;1";
+const CertDb = Components.classes[nsX509CertDB].getService(Ci.nsIX509CertDB);
+
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/FileUtils.jsm");
+Cu.import("resource://gre/modules/NetUtil.jsm");
+const { CommonUtils } = Cu.import("resource://services-common/utils.js", {});
+
+const FILENAME_OUTPUT = "RootHashes.inc";
+const FILENAME_TRUST_ANCHORS = "KnownRootHashes.json";
+const ROOT_NOT_ASSIGNED = -1;
+
+const JSON_HEADER = "// This Source Code Form is subject to the terms of the Mozilla Public\n" +
+"// License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+"// file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"//\n" +
+"//***************************************************************************\n" +
+"// This is an automatically generated file. It's used to maintain state for\n" +
+"// runs of genRootCAHashes.js; you should never need to manually edit it\n" +
+"//***************************************************************************\n" +
+"\n";
+
+const FILE_HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"\n" +
+"/*****************************************************************************/\n" +
+"/* This is an automatically generated file. If you're not                    */\n" +
+"/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it.        */\n" +
+"/*****************************************************************************/\n" +
+"\n" +
+"#define HASH_LEN 32\n";
+
+const FP_PREAMBLE = "struct CertAuthorityHash {\n" +
+" const uint8_t hash[HASH_LEN];\n" +
+" const int32_t binNumber;\n" +
+"};\n\n" +
+"static const struct CertAuthorityHash ROOT_TABLE[] = {\n";
+
+const FP_POSTAMBLE = "};\n";
+
+// Helper
+function writeString(fos, string) {
+  fos.write(string, string.length);
+}
+
+// Remove all colons from a string
+function stripColons(hexString) {
+  return hexString.replace(/:/g, '');
+}
+
+// Expect an array of bytes and make it C-formatted
+function hexSlice(bytes, start, end) {
+  let ret = "";
+  for (let i = start; i < end; i++) {
+    let hex = (0 + bytes.charCodeAt(i).toString(16)).slice(-2).toUpperCase();
+    ret += "0x" + hex;
+    if (i < end - 1) {
+      ret += ", ";
+    }
+  }
+  return ret;
+}
+
+function stripComments(buf) {
+  let lines = buf.split("\n");
+  let entryRegex = /^\s*\/\//;
+  let data = "";
+  for (let i = 0; i < lines.length; i++) {
+    let match = entryRegex.exec(lines[i]);
+    if (!match) {
+      data = data + lines[i];
+    }
+  }
+  return data;
+}
+
+
+// Load the trust anchors JSON object from disk
+function loadTrustAnchors(file) {
+  if (file.exists()) {
+    let stream = Cc["@mozilla.org/network/file-input-stream;1"]
+                   .createInstance(Ci.nsIFileInputStream);
+    stream.init(file, -1, 0, 0);
+    let buf = NetUtil.readInputStreamToString(stream, stream.available());
+    return JSON.parse(stripComments(buf));
+  }
+  // If there's no input file, bootstrap.
+  return { roots: [], maxBin: 0 };
+}
+
+// Saves our persistence file so that we don't lose track of the mapping
+// between bin numbers and the CA-hashes, even as CAs come and go.
+function writeTrustAnchors(file) {
+  let fos = FileUtils.openSafeFileOutputStream(file);
+
+  let serializedData = JSON.stringify(gTrustAnchors, null, '  ');
+  fos.write(JSON_HEADER, JSON_HEADER.length);
+  fos.write(serializedData, serializedData.length);
+
+  FileUtils.closeSafeFileOutputStream(fos);
+}
+
+
+// Write the C++ header file
+function writeRootHashes(fos) {
+  try {
+    writeString(fos, FILE_HEADER);
+
+    // Output the sorted gTrustAnchors
+    writeString(fos, FP_PREAMBLE);
+    gTrustAnchors.roots.forEach(function(fp) {
+      let fpBytes = atob(fp.sha256Fingerprint);
+
+      writeString(fos, "  {\n");
+      writeString(fos, "    /* " + fp.label + " */\n");
+      writeString(fos, "    { " + hexSlice(fpBytes, 0, 16) + ",\n");
+      writeString(fos, "      " + hexSlice(fpBytes, 16, 32) + " },\n");
+      writeString(fos, "      " + fp.binNumber + " /* Bin Number */\n");
+
+      writeString(fos, "  },\n");
+    });
+    writeString(fos, FP_POSTAMBLE);
+
+    writeString(fos, "\n");
+
+  }
+  catch (e) {
+    dump("ERROR: problem writing output: " + e + "\n");
+  }
+}
+
+// Scan our list (linearly) for the given fingerprint string
+function findTrustAnchorByFingerprint(sha256Fingerprint) {
+  for (let i = 0; i < gTrustAnchors.roots.length; i++) {
+    if (sha256Fingerprint == gTrustAnchors.roots[i].sha256Fingerprint) {
+      return i;
+    }
+  }
+  return ROOT_NOT_ASSIGNED;
+}
+
+// Get a clean label for a given certificate; usually the common name.
+function getLabelForCert(cert) {
+  let label = cert.commonName;
+
+  if (label.length < 5) {
+    label = cert.subjectName;
+  }
+
+  // replace non-ascii characters
+  label = label.replace(/[^[:ascii:]]/g, "_");
+  // replace non-word characters
+  label = label.replace(/[^A-Za-z0-9]/g, "_");
+  return label;
+}
+
+// Fill in the gTrustAnchors list with trust anchors from the database.
+function insertTrustAnchorsFromDatabase() {
+  // We only want CA certs for SSL
+  const CERT_TYPE = Ci.nsIX509Cert.CA_CERT;
+  const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL;
+
+  // Iterate through the whole Cert DB
+  let enumerator = CertDb.getCerts().getEnumerator();
+  while (enumerator.hasMoreElements()) {
+    let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+
+    // Find the certificate in our existing list. Do it here because we need to check if
+    // it's untrusted too.
+
+    // If this is a trusted cert
+    if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) {
+      // Base64 encode the hex string
+      let binaryFingerprint = CommonUtils.hexToBytes(stripColons(cert.sha256Fingerprint));
+      let encodedFingerprint = btoa(binaryFingerprint);
+
+       // Scan to see if this is already in the database.
+      if (findTrustAnchorByFingerprint(encodedFingerprint) == ROOT_NOT_ASSIGNED) {
+
+        // Let's get a usable name; some old certs do not have CN= filled out
+        let label = getLabelForCert(cert);
+
+        // Add to list
+        gTrustAnchors.maxBin += 1;
+        gTrustAnchors.roots.push(
+          {
+            "label": label,
+            "binNumber": gTrustAnchors.maxBin,
+            "sha256Fingerprint": encodedFingerprint
+          });
+      }
+    }
+  }
+}
+
+//
+//  PRIMARY LOGIC
+//
+
+if (arguments.length != 1) {
+  throw new Error("Usage: genRootCAHashes.js " +
+                  "<absolute path to current RootHashes.inc>");
+}
+
+var trustAnchorsFile = FileUtils.getFile("CurWorkD", [FILENAME_TRUST_ANCHORS]);
+// let rootHashesFile = FileUtils.getFile("CurWorkD", arguments[0]);
+var rootHashesFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+rootHashesFile.initWithPath(arguments[0]);
+
+// Open the known hashes file; this is to ensure stable bin numbers.
+var gTrustAnchors = loadTrustAnchors(trustAnchorsFile);
+
+// Collect all certificate entries
+insertTrustAnchorsFromDatabase();
+
+// Update known hashes before we sort
+writeTrustAnchors(trustAnchorsFile);
+
+// Sort all trust anchors before writing, as AccumulateRootCA.cpp
+// will perform binary searches
+gTrustAnchors.roots.sort(function(a, b) {
+  // We need to work from the binary values, not the base64 values.
+  let aBin = atob(a.sha256Fingerprint);
+  let bBin = atob(b.sha256Fingerprint);
+
+  if (aBin < bBin) {
+    return -1;
+  }
+  if (aBin > bBin) {
+    return 1;
+  }
+  return 0;
+});
+
+// Write the output file.
+var rootHashesFileOutputStream = FileUtils.openSafeFileOutputStream(rootHashesFile);
+writeRootHashes(rootHashesFileOutputStream);
+FileUtils.closeSafeFileOutputStream(rootHashesFileOutputStream);
diff --git a/security/manager/tools/getHSTSPreloadList.js b/security/manager/tools/getHSTSPreloadList.js
new file mode 100644
index 000000000..5b950f938
--- /dev/null
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -0,0 +1,497 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain firefox source code]
+// 2. [build/obtain firefox binaries]
+// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell \
+//                                  [path to]/getHSTSPreloadlist.js \
+//                                  [absolute path to]/nsSTSPreloadlist.inc'
+// Note: Running this file outputs a new nsSTSPreloadlist.inc in the current
+//       working directory.
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+var Cr = Components.results;
+
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/FileUtils.jsm");
+Cu.import("resource:///modules/XPCOMUtils.jsm");
+
+const SOURCE = "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT";
+const OUTPUT = "nsSTSPreloadList.inc";
+const ERROR_OUTPUT = "nsSTSPreloadList.errors";
+const MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
+const MAX_CONCURRENT_REQUESTS = 5;
+const MAX_RETRIES = 3;
+const REQUEST_TIMEOUT = 30 * 1000;
+const ERROR_NONE = "no error";
+const ERROR_CONNECTING_TO_HOST = "could not connect to host";
+const ERROR_NO_HSTS_HEADER = "did not receive HSTS header";
+const ERROR_MAX_AGE_TOO_LOW = "max-age too low: ";
+const HEADER = "/* This Source Code Form is subject to the terms of the Mozilla Public\n" +
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" +
+"\n" +
+"/*****************************************************************************/\n" +
+"/* This is an automatically generated file. If you're not                    */\n" +
+"/* nsSiteSecurityService.cpp, you shouldn't be #including it.     */\n" +
+"/*****************************************************************************/\n" +
+"\n" +
+"#include <stdint.h>\n";
+
+function download() {
+  var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+            .createInstance(Ci.nsIXMLHttpRequest);
+  req.open("GET", SOURCE, false); // doing the request synchronously
+  try {
+    req.send();
+  }
+  catch (e) {
+    throw new Error(`ERROR: problem downloading '${SOURCE}': ${e}`);
+  }
+
+  if (req.status != 200) {
+    throw new Error("ERROR: problem downloading '" + SOURCE + "': status " +
+                    req.status);
+  }
+
+  var resultDecoded;
+  try {
+    resultDecoded = atob(req.responseText);
+  }
+  catch (e) {
+    throw new Error("ERROR: could not decode data as base64 from '" + SOURCE +
+                    "': " + e);
+  }
+
+  // we have to filter out '//' comments, while not mangling the json
+  var result = resultDecoded.replace(/^(\s*)?\/\/[^\n]*\n/mg, "");
+  var data = null;
+  try {
+    data = JSON.parse(result);
+  }
+  catch (e) {
+    throw new Error(`ERROR: could not parse data from '${SOURCE}': ${e}`);
+  }
+  return data;
+}
+
+function getHosts(rawdata) {
+  var hosts = [];
+
+  if (!rawdata || !rawdata.entries) {
+    throw new Error("ERROR: source data not formatted correctly: 'entries' " +
+                    "not found");
+  }
+
+  for (let entry of rawdata.entries) {
+    if (entry.mode && entry.mode == "force-https") {
+      if (entry.name) {
+        // We trim the entry name here to avoid malformed URI exceptions when we
+        // later try to connect to the domain.
+        entry.name = entry.name.trim();
+        entry.retries = MAX_RETRIES;
+        entry.originalIncludeSubdomains = entry.include_subdomains;
+        hosts.push(entry);
+      } else {
+        throw new Error("ERROR: entry not formatted correctly: no name found");
+      }
+    }
+  }
+
+  return hosts;
+}
+
+var gSSService = Cc["@mozilla.org/ssservice;1"]
+                   .getService(Ci.nsISiteSecurityService);
+
+function processStsHeader(host, header, status, securityInfo) {
+  var maxAge = { value: 0 };
+  var includeSubdomains = { value: false };
+  var error = ERROR_NONE;
+  if (header != null && securityInfo != null) {
+    try {
+      var uri = Services.io.newURI("https://" + host.name, null, null);
+      var sslStatus = securityInfo.QueryInterface(Ci.nsISSLStatusProvider)
+                                  .SSLStatus;
+      gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS,
+                               uri, header, sslStatus, 0, maxAge,
+                               includeSubdomains);
+    }
+    catch (e) {
+      dump("ERROR: could not process header '" + header + "' from " +
+           host.name + ": " + e + "\n");
+      error = e;
+    }
+  } else if (status == 0) {
+    error = ERROR_CONNECTING_TO_HOST;
+  } else {
+    error = ERROR_NO_HSTS_HEADER;
+  }
+
+  let forceInclude = (host.forceInclude || host.pins == "google");
+
+  if (error == ERROR_NONE && maxAge.value < MINIMUM_REQUIRED_MAX_AGE) {
+    error = ERROR_MAX_AGE_TOO_LOW;
+  }
+
+  return { name: host.name,
+           maxAge: maxAge.value,
+           includeSubdomains: includeSubdomains.value,
+           error: error,
+           retries: host.retries - 1,
+           forceInclude: forceInclude,
+           originalIncludeSubdomains: host.originalIncludeSubdomains };
+}
+
+// RedirectAndAuthStopper prevents redirects and HTTP authentication
+function RedirectAndAuthStopper() {}
+
+RedirectAndAuthStopper.prototype = {
+  // nsIChannelEventSink
+  asyncOnChannelRedirect: function(oldChannel, newChannel, flags, callback) {
+    throw new Error(Cr.NS_ERROR_ENTITY_CHANGED);
+  },
+
+  // nsIAuthPrompt2
+  promptAuth: function(channel, level, authInfo) {
+    return false;
+  },
+
+  asyncPromptAuth: function(channel, callback, context, level, authInfo) {
+    throw new Error(Cr.NS_ERROR_NOT_IMPLEMENTED);
+  },
+
+  getInterface: function(iid) {
+    return this.QueryInterface(iid);
+  },
+
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIChannelEventSink,
+                                         Ci.nsIAuthPrompt2])
+};
+
+function getHSTSStatus(host, resultList) {
+  var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+            .createInstance(Ci.nsIXMLHttpRequest);
+  var inResultList = false;
+  var uri = "https://" + host.name + "/";
+  req.open("GET", uri, true);
+  req.timeout = REQUEST_TIMEOUT;
+
+  let errorhandler = (evt) => {
+    dump(`ERROR: error making request to ${host.name} (type=${evt.type})\n`);
+    if (!inResultList) {
+      inResultList = true;
+      resultList.push(processStsHeader(host, null, req.status,
+                                       req.channel.securityInfo));
+    }
+  };
+  req.onerror = errorhandler;
+  req.ontimeout = errorhandler;
+  req.onabort = errorhandler;
+
+  req.onload = function(event) {
+    if (!inResultList) {
+      inResultList = true;
+      var header = req.getResponseHeader("strict-transport-security");
+      resultList.push(processStsHeader(host, header, req.status,
+                                       req.channel.securityInfo));
+    }
+  };
+
+  try {
+    req.channel.notificationCallbacks = new RedirectAndAuthStopper();
+    req.send();
+  }
+  catch (e) {
+    dump("ERROR: exception making request to " + host.name + ": " + e + "\n");
+  }
+}
+
+function compareHSTSStatus(a, b) {
+  if (a.name > b.name) {
+    return 1;
+  }
+  if (a.name < b.name) {
+    return -1;
+  }
+  return 0;
+}
+
+function writeTo(string, fos) {
+  fos.write(string, string.length);
+}
+
+// Determines and returns a string representing a declaration of when this
+// preload list should no longer be used.
+// This is the current time plus MINIMUM_REQUIRED_MAX_AGE.
+function getExpirationTimeString() {
+  var now = new Date();
+  var nowMillis = now.getTime();
+  // MINIMUM_REQUIRED_MAX_AGE is in seconds, so convert to milliseconds
+  var expirationMillis = nowMillis + (MINIMUM_REQUIRED_MAX_AGE * 1000);
+  var expirationMicros = expirationMillis * 1000;
+  return "const PRTime gPreloadListExpirationTime = INT64_C(" + expirationMicros + ");\n";
+}
+
+function errorToString(status) {
+  return (status.error == ERROR_MAX_AGE_TOO_LOW
+          ? status.error + status.maxAge
+          : status.error);
+}
+
+function writeEntry(status, indices, outputStream) {
+  let includeSubdomains = (status.finalIncludeSubdomains ? "true" : "false");
+  writeTo("  { " + indices[status.name] + ", " + includeSubdomains + " },\n",
+          outputStream);
+}
+
+function output(sortedStatuses, currentList) {
+  try {
+    var file = FileUtils.getFile("CurWorkD", [OUTPUT]);
+    var errorFile = FileUtils.getFile("CurWorkD", [ERROR_OUTPUT]);
+    var fos = FileUtils.openSafeFileOutputStream(file);
+    var eos = FileUtils.openSafeFileOutputStream(errorFile);
+    writeTo(HEADER, fos);
+    writeTo(getExpirationTimeString(), fos);
+
+    for (let status in sortedStatuses) {
+      // If we've encountered an error for this entry (other than the site not
+      // sending an HSTS header), be safe and don't remove it from the list
+      // (given that it was already on the list).
+      if (status.error != ERROR_NONE &&
+          status.error != ERROR_NO_HSTS_HEADER &&
+          status.error != ERROR_MAX_AGE_TOO_LOW &&
+          status.name in currentList) {
+        dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n");
+        writeTo(status.name + ": " + errorToString(status) + "\n", eos);
+        status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
+        status.includeSubdomains = currentList[status.name];
+      }
+    }
+
+    // Filter out entries we aren't including.
+    var includedStatuses = sortedStatuses.filter(function (status) {
+      if (status.maxAge < MINIMUM_REQUIRED_MAX_AGE && !status.forceInclude) {
+        dump("INFO: " + status.name + " NOT ON the preload list\n");
+        writeTo(status.name + ": " + errorToString(status) + "\n", eos);
+        return false;
+      }
+
+      dump("INFO: " + status.name + " ON the preload list\n");
+      if (status.forceInclude && status.error != ERROR_NONE) {
+        writeTo(status.name + ": " + errorToString(status) + " (error "
+                + "ignored - included regardless)\n", eos);
+      }
+      return true;
+    });
+
+    // Resolve whether we should include subdomains for each entry.  We could
+    // do this while writing out entries, but separating out that decision is
+    // clearer.  Making that decision here also means we can write the choices
+    // in the comments in the static string table, which makes parsing the
+    // current list significantly easier when we go to update the list.
+    for (let status of includedStatuses) {
+      let incSubdomainsBool = (status.forceInclude && status.error != ERROR_NONE
+                               ? status.originalIncludeSubdomains
+                               : status.includeSubdomains);
+      status.finalIncludeSubdomains = incSubdomainsBool;
+    }
+
+    writeTo("\nstatic const char kSTSHostTable[] = {\n", fos);
+    var indices = {};
+    var currentIndex = 0;
+    for (let status of includedStatuses) {
+      indices[status.name] = currentIndex;
+      // Add 1 for the null terminator in C.
+      currentIndex += status.name.length + 1;
+      // Rebuilding the preload list requires reading the previous preload
+      // list.  Write out a comment describing each host prior to writing out
+      // the string for the host.
+      writeTo("  /* \"" + status.name + "\", " +
+              (status.finalIncludeSubdomains ? "true" : "false") + " */ ",
+              fos);
+      // Write out the string itself as individual characters, including the
+      // null terminator.  We do it this way rather than using C's string
+      // concatentation because some compilers have hardcoded limits on the
+      // lengths of string literals, and the preload list is large enough
+      // that it runs into said limits.
+      for (let c of status.name) {
+	writeTo("'" + c + "', ", fos);
+      }
+      writeTo("'\\0',\n", fos);
+    }
+    writeTo("};\n", fos);
+
+    const PREFIX = "\n" +
+      "struct nsSTSPreload\n" +
+      "{\n" +
+      "  const uint32_t mHostIndex : 31;\n" +
+      "  const uint32_t mIncludeSubdomains : 1;\n" +
+      "};\n" +
+      "\n" +
+      "static const nsSTSPreload kSTSPreloadList[] = {\n";
+    const POSTFIX = "};\n";
+
+    writeTo(PREFIX, fos);
+    for (let status of includedStatuses) {
+      writeEntry(status, indices, fos);
+    }
+    writeTo(POSTFIX, fos);
+    FileUtils.closeSafeFileOutputStream(fos);
+    FileUtils.closeSafeFileOutputStream(eos);
+  }
+  catch (e) {
+    dump("ERROR: problem writing output to '" + OUTPUT + "': " + e + "\n");
+  }
+}
+
+function shouldRetry(response) {
+  return (response.error != ERROR_NO_HSTS_HEADER &&
+          response.error != ERROR_MAX_AGE_TOO_LOW &&
+          response.error != ERROR_NONE && response.retries > 0);
+}
+
+function getHSTSStatuses(inHosts, outStatuses) {
+  var expectedOutputLength = inHosts.length;
+  var tmpOutput = [];
+  for (var i = 0; i < MAX_CONCURRENT_REQUESTS && inHosts.length > 0; i++) {
+    let host = inHosts.shift();
+    dump("spinning off request to '" + host.name + "' (remaining retries: " +
+         host.retries + ")\n");
+    getHSTSStatus(host, tmpOutput);
+  }
+
+  while (outStatuses.length != expectedOutputLength) {
+    waitForAResponse(tmpOutput);
+    var response = tmpOutput.shift();
+    dump("request to '" + response.name + "' finished\n");
+    if (shouldRetry(response)) {
+      inHosts.push(response);
+    } else {
+      outStatuses.push(response);
+    }
+
+    if (inHosts.length > 0) {
+      let host = inHosts.shift();
+      dump("spinning off request to '" + host.name + "' (remaining retries: " +
+           host.retries + ")\n");
+      getHSTSStatus(host, tmpOutput);
+    }
+  }
+}
+
+// Since all events are processed on the main thread, and since event
+// handlers are not preemptible, there shouldn't be any concurrency issues.
+function waitForAResponse(outputList) {
+  // From <https://developer.mozilla.org/en/XPConnect/xpcshell/HOWTO>
+  var threadManager = Cc["@mozilla.org/thread-manager;1"]
+                      .getService(Ci.nsIThreadManager);
+  var mainThread = threadManager.currentThread;
+  while (outputList.length == 0) {
+    mainThread.processNextEvent(true);
+  }
+}
+
+function readCurrentList(filename) {
+  var currentHosts = {};
+  var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+  file.initWithPath(filename);
+  var fis = Cc["@mozilla.org/network/file-input-stream;1"]
+              .createInstance(Ci.nsILineInputStream);
+  fis.init(file, -1, -1, Ci.nsIFileInputStream.CLOSE_ON_EOF);
+  var line = {};
+  // While we generate entries matching the version 2 format (see bug 1255425
+  // for details), we still need to be able to read entries in the version 1
+  // format for bootstrapping a version 2 preload list from a version 1
+  // preload list.  Hence these two regexes.
+  var v1EntryRegex = /  { "([^"]*)", (true|false) },/;
+  var v2EntryRegex = /  \/\* "([^"]*)", (true|false) \*\//;
+  while (fis.readLine(line)) {
+    var match = v1EntryRegex.exec(line.value);
+    if (!match) {
+      match = v2EntryRegex.exec(line.value);
+    }
+    if (match) {
+      currentHosts[match[1]] = (match[2] == "true");
+    }
+  }
+  return currentHosts;
+}
+
+function combineLists(newHosts, currentHosts) {
+  for (let currentHost in currentHosts) {
+    let found = false;
+    for (let newHost of newHosts) {
+      if (newHost.name == currentHost) {
+        found = true;
+        break;
+      }
+    }
+    if (!found) {
+      newHosts.push({ name: currentHost, retries: MAX_RETRIES });
+    }
+  }
+}
+
+const TEST_ENTRIES = [
+  { name: "includesubdomains.preloaded.test", includeSubdomains: true },
+  { name: "includesubdomains2.preloaded.test", includeSubdomains: true },
+  { name: "noincludesubdomains.preloaded.test", includeSubdomains: false },
+];
+
+function deleteTestHosts(currentHosts) {
+  for (let testEntry of TEST_ENTRIES) {
+    delete currentHosts[testEntry.name];
+  }
+}
+
+function insertTestHosts(hstsStatuses) {
+  for (let testEntry of TEST_ENTRIES) {
+    hstsStatuses.push({
+      name: testEntry.name,
+      maxAge: MINIMUM_REQUIRED_MAX_AGE,
+      includeSubdomains: testEntry.includeSubdomains,
+      error: ERROR_NONE,
+      // This deliberately doesn't have a value for `retries` (because we should
+      // never attempt to connect to this host).
+      forceInclude: true,
+      originalIncludeSubdomains: testEntry.includeSubdomains,
+    });
+  }
+}
+
+// ****************************************************************************
+// This is where the action happens:
+if (arguments.length != 1) {
+  throw new Error("Usage: getHSTSPreloadList.js " +
+                  "<absolute path to current nsSTSPreloadList.inc>");
+}
+// get the current preload list
+var currentHosts = readCurrentList(arguments[0]);
+// delete any hosts we use in tests so we don't actually connect to them
+deleteTestHosts(currentHosts);
+// disable the current preload list so it won't interfere with requests we make
+Services.prefs.setBoolPref("network.stricttransportsecurity.preloadlist", false);
+// download and parse the raw json file from the Chromium source
+var rawdata = download();
+// get just the hosts with mode: "force-https"
+var hosts = getHosts(rawdata);
+// add hosts in the current list to the new list (avoiding duplicates)
+combineLists(hosts, currentHosts);
+// get the HSTS status of each host
+var hstsStatuses = [];
+getHSTSStatuses(hosts, hstsStatuses);
+// add the hosts we use in tests
+insertTestHosts(hstsStatuses);
+// sort the hosts alphabetically
+hstsStatuses.sort(compareHSTSStatus);
+// write the results to a file (this is where we filter out hosts that we
+// either couldn't connect to, didn't receive an HSTS header from, couldn't
+// parse the header, or had a header with too short a max-age)
+output(hstsStatuses, currentHosts);
+// ****************************************************************************
diff --git a/security/manager/tools/makeCNNICHashes.js b/security/manager/tools/makeCNNICHashes.js
new file mode 100644
index 000000000..1b558949e
--- /dev/null
+++ b/security/manager/tools/makeCNNICHashes.js
@@ -0,0 +1,282 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// How to run this file:
+// 1. [obtain CNNIC-issued certificates to be whitelisted]
+// 2. [obtain firefox source code]
+// 3. [build/obtain firefox binaries]
+// 4. run `[path to]/run-mozilla.sh [path to]/xpcshell makeCNNICHashes.js \
+//                                  [path to]/intermediatesFile
+//                                  [path to]/certlist'
+//    Where |intermediatesFile| is a file containing PEM encoded intermediate
+//    certificates that the certificates in |certlist| may be issued by.
+//    where certlist is a file containing a list of paths to certificates to
+//    be included in the whitelist
+
+var Cc = Components.classes;
+var Ci = Components.interfaces;
+var Cu = Components.utils;
+
+var gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+                .getService(Ci.nsIX509CertDB);
+
+var { NetUtil } = Cu.import("resource://gre/modules/NetUtil.jsm", {});
+var { Services } = Cu.import("resource://gre/modules/Services.jsm", {});
+
+const HEADER = "// This Source Code Form is subject to the terms of the Mozilla Public\n" +
+"// License, v. 2.0. If a copy of the MPL was not distributed with this\n" +
+"// file, You can obtain one at http://mozilla.org/MPL/2.0/.\n" +
+"//\n" +
+"//***************************************************************************\n" +
+"// This file was automatically generated by makeCNNICHashes.js. It shouldn't\n" +
+"// need to be manually edited.\n" +
+"//***************************************************************************\n" +
+"\n";
+
+const PREAMBLE = "#define CNNIC_WHITELIST_HASH_LEN 32\n\n" +
+"struct WhitelistedCNNICHash {\n" +
+" const uint8_t hash[CNNIC_WHITELIST_HASH_LEN];\n" +
+"};\n\n" +
+"static const struct WhitelistedCNNICHash WhitelistedCNNICHashes[] = {\n";
+
+const POSTAMBLE = "};\n";
+
+function writeString(fos, string) {
+  fos.write(string, string.length);
+}
+
+// fingerprint is in the form "00:11:22:..."
+function hexSlice(fingerprint, start, end) {
+  let hexBytes = fingerprint.split(":");
+  let ret = "";
+  for (let i = start; i < end; i++) {
+    let hex = hexBytes[i];
+    ret += "0x" + hex;
+    if (i < end - 1) {
+      ret += ", ";
+    }
+  }
+  return ret;
+}
+
+// Write the C++ header file
+function writeHashes(certs, lastValidTime, fos) {
+  writeString(fos, HEADER);
+  writeString(fos, `// This file may be removed after ${new Date(lastValidTime)}\n\n`);
+  writeString(fos, PREAMBLE);
+
+  certs.forEach(function(cert) {
+    writeString(fos, "  {\n");
+    writeString(fos, "    { " + hexSlice(cert.sha256Fingerprint, 0, 16) + ",\n");
+    writeString(fos, "      " + hexSlice(cert.sha256Fingerprint, 16, 32) + " },\n");
+
+    writeString(fos, "  },\n");
+  });
+  writeString(fos, POSTAMBLE);
+}
+
+function readFileContents(file) {
+  let fstream = Cc["@mozilla.org/network/file-input-stream;1"]
+                  .createInstance(Ci.nsIFileInputStream);
+  fstream.init(file, -1, 0, 0);
+  let data = NetUtil.readInputStreamToString(fstream, fstream.available());
+  fstream.close();
+  return data;
+}
+
+function relativePathToFile(path) {
+  let currentDirectory = Cc["@mozilla.org/file/directory_service;1"]
+                           .getService(Ci.nsIProperties)
+                           .get("CurWorkD", Ci.nsILocalFile);
+  let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+  file.initWithPath(currentDirectory.path + "/" + path);
+  return file;
+}
+
+function pathToFile(path) {
+  let file = relativePathToFile(path);
+  if (!file.exists()) {
+    // Fall back to trying absolute path
+    file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsILocalFile);
+    file.initWithPath(path);
+  }
+  return file;
+}
+
+// punt on dealing with leap-years
+const sixYearsInMilliseconds = 6 * 366 * 24 * 60 * 60 * 1000;
+
+function loadCertificates(certFile, currentWhitelist) {
+  let nowInMilliseconds = (new Date()).getTime();
+  // months are 0-indexed, so April is month 3 :(
+  let april1InMilliseconds = (new Date(2015, 3, 1)).getTime();
+  let latestNotAfter = nowInMilliseconds;
+  let certs = [];
+  let certMap = {};
+  let invalidCerts = [];
+  let paths = readFileContents(certFile).split("\n");
+  for (let path of paths) {
+    if (!path) {
+      continue;
+    }
+    let certData = readFileContents(pathToFile(path));
+    let cert = null;
+    try {
+      cert = gCertDB.constructX509FromBase64(certData);
+    } catch (e) {}
+    if (!cert) {
+      cert = gCertDB.constructX509(certData, certData.length);
+    }
+    // Don't add multiple copies of any particular certificate.
+    if (cert.sha256Fingerprint in certMap) {
+      continue;
+    }
+    certMap[cert.sha256Fingerprint] = true;
+    // If we can't verify the certificate, don't include it. Unfortunately, if
+    // a CNNIC-issued certificate wasn't previously on the whitelist but it
+    // otherwise verifies successfully, verifyCertNow will return
+    // SEC_ERROR_REVOKED_CERTIFICATE, so we count that as verifying
+    // successfully. If the certificate is later revoked by CNNIC, the user
+    // will see that when they attempt to connect to a site using it and we do
+    // normal revocation checking.
+    let errorCode = gCertDB.verifyCertNow(cert, 2 /* SSL Server */,
+                                          Ci.nsIX509CertDB.LOCAL_ONLY, null,
+                                          {}, {});
+    if (errorCode != 0 &&
+        errorCode != -8180 /* SEC_ERROR_REVOKED_CERTIFICATE */) {
+      continue;
+    }
+    let durationMilliseconds = (cert.validity.notAfter - cert.validity.notBefore) / 1000;
+    let notBeforeMilliseconds = cert.validity.notBefore / 1000;
+    let notAfterMilliseconds = cert.validity.notAfter / 1000;
+    // Only consider certificates that were issued before 1 April 2015, haven't
+    // expired, and have a validity period shorter than 6 years (there is a
+    // delegated OCSP responder certificate with a validity period of 6 years
+    // that should be on the whitelist).
+    // Also only consider certificates that were already on the whitelist.
+    if (notBeforeMilliseconds < april1InMilliseconds &&
+        notAfterMilliseconds > nowInMilliseconds &&
+        durationMilliseconds < sixYearsInMilliseconds &&
+        currentWhitelist[cert.sha256Fingerprint]) {
+      certs.push(cert);
+      if (notAfterMilliseconds > latestNotAfter) {
+        latestNotAfter = notAfterMilliseconds;
+      }
+    }
+    if (durationMilliseconds >= sixYearsInMilliseconds) {
+      invalidCerts.push(cert);
+    }
+  }
+  return { certs: certs,
+           lastValidTime: latestNotAfter,
+           invalidCerts: invalidCerts };
+}
+
+// Expects something like "00:11:22:...", returns a string of bytes.
+function hexToBinaryString(hexString) {
+  let hexBytes = hexString.split(":");
+  let result = "";
+  for (let hexByte of hexBytes) {
+    result += String.fromCharCode(parseInt(hexByte, 16));
+  }
+  return result;
+}
+
+function compareCertificatesByHash(certA, certB) {
+  let aBin = hexToBinaryString(certA.sha256Fingerprint);
+  let bBin = hexToBinaryString(certB.sha256Fingerprint);
+
+  if (aBin < bBin) {
+     return -1;
+  }
+  if (aBin > bBin) {
+     return 1;
+  }
+ return 0;
+}
+
+function certToPEM(cert) {
+  let der = cert.getRawDER({});
+  let derString = '';
+  for (let i = 0; i < der.length; i++) {
+    derString += String.fromCharCode(der[i]);
+  }
+  let base64Lines = btoa(derString).replace(/(.{64})/g, "$1\n");
+  let output = "-----BEGIN CERTIFICATE-----\n";
+  for (let line of base64Lines.split("\n")) {
+    if (line.length > 0) {
+      output += line + "\n";
+    }
+  }
+  output += "-----END CERTIFICATE-----";
+  return output;
+}
+
+function loadIntermediates(intermediatesFile) {
+  let pem = readFileContents(intermediatesFile);
+  let intermediates = [];
+  let currentPEM = "";
+  for (let line of pem.split("\r\n")) {
+    if (line == "-----END CERTIFICATE-----") {
+      if (currentPEM) {
+        intermediates.push(gCertDB.constructX509FromBase64(currentPEM));
+      }
+      currentPEM = "";
+      continue;
+    }
+    if (line != "-----BEGIN CERTIFICATE-----") {
+      currentPEM += line;
+    }
+  }
+  return intermediates;
+}
+
+function readCurrentWhitelist(currentWhitelistFile) {
+  let contents = readFileContents(currentWhitelistFile).replace(/[\r\n ]/g, "");
+  let split = contents.split(/((?:0x[0-9A-F][0-9A-F],){31}0x[0-9A-F][0-9A-F])/);
+  // The hashes will be every odd-indexed element of the array.
+  let currentWhitelist = {};
+  for (let i = 1; i < split.length && i < split.length - 1; i += 2) {
+    let hash = split[i].replace(/0x/g, "").replace(/,/g, ":");
+    currentWhitelist[hash] = true;
+  }
+  return currentWhitelist;
+}
+
+///////////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////////
+///////////////////////////////////////////////////////////////////////////////
+
+if (arguments.length != 3) {
+  throw new Error("Usage: makeCNNICHashes.js <PEM intermediates file> " +
+                  "<path to list of certificates> <path to current whitelist file>");
+}
+
+Services.prefs.setIntPref("security.OCSP.enabled", 0);
+var intermediatesFile = pathToFile(arguments[0]);
+var intermediates = loadIntermediates(intermediatesFile);
+var certFile = pathToFile(arguments[1]);
+var currentWhitelistFile = pathToFile(arguments[2]);
+var currentWhitelist = readCurrentWhitelist(currentWhitelistFile);
+var { certs, lastValidTime, invalidCerts } = loadCertificates(certFile, currentWhitelist);
+
+dump("The following certificates were not included due to overlong validity periods:\n");
+for (let cert of invalidCerts) {
+  dump(certToPEM(cert) + "\n");
+}
+
+// Sort the key hashes to allow for binary search.
+certs.sort(compareCertificatesByHash);
+
+// Write the output file.
+var outFile = relativePathToFile("CNNICHashWhitelist.inc");
+if (!outFile.exists()) {
+  outFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0o644);
+}
+var outStream = Cc["@mozilla.org/network/file-output-stream;1"]
+                  .createInstance(Ci.nsIFileOutputStream);
+outStream.init(outFile, -1, 0, 0);
+writeHashes(certs, lastValidTime, outStream);
+outStream.close();