author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-12-18 14:38:32 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-12-19 20:13:39 +0100 |
commit | 88b3fb2978558eb319eebdf776ac60884359a573 (patch) | |
tree | b5c536b3fffa54c4b9108792303bcddb3bd487de | |
parent | 9c3d0063689702d3f91db346247f28ce93a1c637 (diff) | |
certtool: added option to apply a certificate verification profile
This applies to the --verify and --verify-chain commands.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | src/certtool-args.def | 11 | ||||
-rw-r--r-- | src/certtool-common.h | 2 | ||||
-rw-r--r-- | src/certtool.c | 15 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 5 | ||||
-rwxr-xr-x | tests/cert-tests/certtool-verify-profiles | 78 | ||||
-rw-r--r-- | tests/cert-tests/data/chain-512-ca.pem | 45 | ||||
-rw-r--r-- | tests/cert-tests/data/chain-512-leaf.pem | 52 | ||||
-rw-r--r-- | tests/cert-tests/data/chain-512-subca.pem | 46 |
9 files changed, 256 insertions, 2 deletions
@@ -23,6 +23,10 @@ See the end for copying conditions. ** libgnutls: The min-verification-profile from system configuration applies for all certificate verifications, not only under TLS. +** certtool: Added the --verify-profile option to set a certificate + verification profile. Use '--verify-profile low' for certificate verification + to apply the 'NORMAL' verification profile. + ** API and ABI modifications: gnutls_ocsp_req_const_t: Added diff --git a/src/certtool-args.def b/src/certtool-args.def index 915598d446..f10f57bdbb 100644 --- a/src/certtool-args.def +++ b/src/certtool-args.def @@ -355,6 +355,17 @@ flag = { doc = "This can be combined with --p7-verify, --verify or --verify-chain."; }; +flag = { + name = verify-profile; + descrip = "Specify a security level profile to be used for verification"; + arg-type = string; + doc = "This option can be used to specify a certificate verification profile. Certificate + verification profiles correspond to the security level. This should be one of + 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra', + 'future'. Note that by default no profile is applied, unless one is set + as minimum in the gnutls configuration file."; +}; + //---------------------------------------- flag = { name = pkcs7_options; diff --git a/src/certtool-common.h b/src/certtool-common.h index 7217e69dec..bfeb66b2da 100644 --- a/src/certtool-common.h +++ b/src/certtool-common.h @@ -80,6 +80,8 @@ typedef struct common_info { unsigned rsa_pss_sign; unsigned sort_chain; + + gnutls_sec_param_t verification_profile; } common_info_st; static inline diff --git a/src/certtool.c b/src/certtool.c index 34188f4c6d..447f02f765 100644 --- a/src/certtool.c +++ b/src/certtool.c 
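Review bot: In the certtool-common.h hunk the new field is declared `gnutls_sec_param_t verification_profile;`, but the values stored in it in src/certtool.c are `GNUTLS_PROFILE_UNKNOWN` and the result of `gnutls_certificate_verification_profile_get_id()`, which belong to the profile enumeration, not the security-parameter one. C converts between the two enums silently, so this compiles, but the type tells a reader the wrong thing about the field. Declare it as `gnutls_certificate_verification_profiles_t verification_profile;` and add a one-line comment such as `/* profile passed to GNUTLS_PROFILE_TO_VFLAGS(); GNUTLS_PROFILE_UNKNOWN means none */`. The struct common_info definition starts outside the hunk.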
@@ -1422,6 +1422,20 @@ static void cmd_parser(int argc, char **argv) cinfo.password = ""; } + if (HAVE_OPT(VERIFY_PROFILE)) { + if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none")) { + cinfo.verification_profile = GNUTLS_PROFILE_UNKNOWN; + } else { + cinfo.verification_profile = gnutls_certificate_verification_profile_get_id(OPT_ARG(VERIFY_PROFILE)); + } + } else if (!HAVE_OPT(VERIFY_ALLOW_BROKEN)) { + if (HAVE_OPT(VERIFY_CHAIN) || HAVE_OPT(VERIFY)) { + fprintf(stderr, "Note that no verification profile was selected. In the future the medium profile will be enabled by default.\n"); + fprintf(stderr, "Use --verify-profile low to apply the default verification of NORMAL priority string.\n"); + } + /* cinfo.verification_profile = GNUTLS_PROFILE_LOW; */ + } + if (HAVE_OPT(SIGN_PARAMS)) sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS)); @@ -2395,6 +2409,7 @@ _verify_x509_mem(const void *cert, int cert_size, common_info_st *cinfo, } vflags = GNUTLS_VERIFY_DO_NOT_ALLOW_SAME; + vflags |= GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile); if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index e0b4b68201..862557b5a3 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am 
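Review bot: The condition `if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none"))` in the block added to cmd_parser is inverted: strcasecmp returns 0 on a match, so every name other than "none" takes the first branch and stores `GNUTLS_PROFILE_UNKNOWN`. As written, `--verify-profile medium` would therefore reach `GNUTLS_PROFILE_TO_VFLAGS(cinfo->verification_profile)` in `_verify_x509_mem` with no profile selected, and verification would run more weakly than the user asked for without any diagnostic. The line should read `if (strcasecmp(OPT_ARG(VERIFY_PROFILE), "none") == 0) {`. The else branch also stores the lookup result unchecked; as far as I know the lookup yields `GNUTLS_PROFILE_UNKNOWN` for an unrecognised name, so a misspelt profile should print an error and exit rather than fall back to no profile. cmd_parser's body starts and ends outside the hunk.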
@@ -98,7 +98,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/key-gost01.p8 data/key-gost01-2.p8 data/key-gost01-2-enc.p8 \ data/key-gost12-256.p8 data/key-gost12-256-2.p8 data/key-gost12-256-2-enc.p8 \ data/key-gost12-512.p8 data/grfc.crt data/gost-cert-ca.pem data/gost-cert-new.pem \ - data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem + data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \ + data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ @@ -108,7 +109,7 @@ dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs12 certtool-crl-decoding pkcs12-encode pkcs12-corner-cases inhibit-anypolicy \ smime cert-time alt-chain pkcs7-list-sign pkcs7-eddsa certtool-ecdsa \ key-id pkcs8 pkcs8-decode ecdsa illegal-rsa pkcs8-invalid key-invalid \ - pkcs8-eddsa certtool-subca cert-non-digits-time + pkcs8-eddsa certtool-subca cert-non-digits-time certtool-verify-profiles dist_check_SCRIPTS += key-id ecdsa pkcs8-invalid key-invalid pkcs8-decode pkcs8 pkcs8-eddsa \ certtool-utf8 crq diff --git a/tests/cert-tests/certtool-verify-profiles b/tests/cert-tests/certtool-verify-profiles new file mode 100755 index 0000000000..a7ebd711ea --- /dev/null +++ b/tests/cert-tests/certtool-verify-profiles 
@@ -0,0 +1,78 @@ +#!/bin/sh + +# Copyright (C) 2017 Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +#set -e + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +DIFF="${DIFF:-diff -b -B}" + +if ! test -x "${CERTTOOL}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" +fi + +OUTFILE=out-pkcs7.$$.tmp + +. ${srcdir}/../scripts/common.sh + +check_for_datefudge + +echo "Checking chain with insecure leaf" +datefudge -s "2019-12-19" \ +${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-leaf.pem" >${OUTFILE} +rc=$? + +if test "${rc}" != "1"; then + echo "insecure chain succeeded verification (1)" + cat $OUTFILE + exit ${rc} +fi + +echo "Checking chain with insecure subca" +datefudge -s "2019-12-19" \ +${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-subca.pem" >${OUTFILE} +rc=$? 
+ +if test "${rc}" != "1"; then + echo "insecure chain succeeded verification (2)" + cat $OUTFILE + exit ${rc} +fi + + +echo "Checking chain with insecure ca" +datefudge -s "2019-12-19" \ +${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-ca.pem" >${OUTFILE} +rc=$? + +if test "${rc}" != "1"; then + echo "insecure chain succeeded verification (3)" + cat $OUTFILE + exit ${rc} +fi + + +rm -f "${OUTFILE}" + +exit 0 diff --git a/tests/cert-tests/data/chain-512-ca.pem b/tests/cert-tests/data/chain-512-ca.pem new file mode 100644 index 0000000000..57b9850fae --- /dev/null +++ b/tests/cert-tests/data/chain-512-ca.pem 
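Review bot: Each of the three failure branches ends with `exit ${rc}`, and the outcome they exist to catch is the insecure chain verifying, where rc is 0, so the script exits 0 and the harness records a pass. Use `exit 1` in all three. The checks also only assert that certtool returns 1 under `--verify-profile=medium`, so a chain rejected for an unrelated reason satisfies them; a control run of the same file with `--verify-profile=none` that is expected to succeed would show the rejection really comes from the profile. Smaller points: `${OUTFILE}` is not removed on the failure paths and still carries the name `out-pkcs7.$$.tmp`.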
@@ -0,0 +1,45 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAbmgAwIBAgIUf62L1YAmuKuNR4Bnwn4FEjFDpOcwPQYJKoZIhvcNAQEK +MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC +AUAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTEyMTgxMjUyMjZaGA85OTk5MTIzMTIz +NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwgZswEAYHKoZIzj0CAQYFK4EEACMD +gYYABAGxhmDvIvu97o66LrAU40sO9Mqh78UpxNpdsDD8tD0aDhOivP2WK/9LqSBJ +uaIIzY4pQyNAHdp8WFnmwiutiMnXHgGcps4Mw7gEKMlQKDP8zS2GSkJt9r0ct6jY ++39JQ+fM0PPcxlyFMQlLTMwcFKPAH+stA3MqxroPLHpeds9u1HcrXaN3MHUwDAYD +VR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweA +ADAdBgNVHQ4EFgQUjYaF/lZImEi+LQtLIh9y035UucAwHwYDVR0jBBgwFoAUmoMA +sMqoL0N4sF0RT5M2mxyQrs8wPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGh +GjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEBAJ+FXZz9F6ie8EJc +OMA55zOr+SPgSqf/6E1xLNQqf/s44oyXkl3FfYXYitHc6vAp1LOD3WjXCDgSSM1R +Vp0qBKDO+7ESYVCIYdzoSC4OFwVSTID+rH1bv0m9ZMiPQB97vAzXJq0bGyijPZGb +TSUHjFNImGJdZq3B/uB0c/tQBLUi9YrVT1vYZ+lpOyMYaN21zFuDB6lc5sA6/k08 +I9J369z7iVCuibvXBo4roRL7wj+Cww5l6wjeFEo3Oj8wDoRHlxTk9ym40yvZinSY +PAESEyNkpLo6Ctyjz3HVxLmTZE/TyG/hNXionRXQ1uJZJOtdIMXouGCHStx2iFcL +2PSL3ng= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICgDCCAiqgAwIBAgIUZ91YTLTnOoGdoBoMZrk6sdNguM0wDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUyMjZaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC +AQoCggEBALYQaHpuXl4jEi7KpErGCCcQ0c50NuEnUzfU92tGJzXNLnOdKQVxW7ma +ptJ1Lb+f2D+utL61/eyG32DLosaPiTDi8R7P8O/ivXEhwHe8ScH/B1DAHfbnRNv8 +MC4nTq8MavMIm/9UE7j19C+uhLFFPExnRohaFZXLqKbAiadMYyEqROjibpmBcyxY +StdQNOQ0qBC/NkPRh+kSA6vN+ZIsqizl/PNfgd7am7c793fAb42U36q3ymUpCtkM +GhCoVx625sVYOKIHdtzGOwTV277TcVnflg+BwK97p0FRUh0envFENI1uzz4Et5Mn +swTDE/KoYVM8EIDeQcFAnF5tVxZfSosCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBSagwCwyqgvQ3iwXRFPkzabHJCu +zzAfBgNVHSMEGDAWgBS4/wLP/kals1V+CMMSsHiF9p0QajANBgkqhkiG9w0BAQsF 
+AANBAGmYNtQ0MIrtLCUs+WHJUE6nTC4DQHjNJ9eiFDQtDiup7FOZlLPWuxBv8IG+ +zXVfCc9BxrAQSAGiwyx4gKDT95I= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBZzCCARGgAwIBAgIUR3WhmgKRJu05fANwlblt/s9l6jQwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUyMjZaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK +s7lICbgRDeRXEPqZagrNUi5TjJkMB4NfU9gb0OUi3Vsna8Vi/2CLqJQ+jttINcS6 +knobMwssEAnkLe+V+KTzAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P +AQH/BAUDAwcGADAdBgNVHQ4EFgQUuP8Cz/5GpbNVfgjDErB4hfadEGowDQYJKoZI +hvcNAQELBQADQQAFKda31c8Dsue9JpR4med450ZroHT5WrGkH6T7XwczXfNc8W9w +nKPMoJLZK47HSWqUdniMRPX9XydqxaVug5Rj +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/chain-512-leaf.pem b/tests/cert-tests/data/chain-512-leaf.pem new file mode 100644 index 0000000000..f8a4ce1c9b --- /dev/null +++ b/tests/cert-tests/data/chain-512-leaf.pem 
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIICYTCCAUmgAwIBAgIUGaahqSHZnDisEpq7NdDyajix8GgwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTEyMTgxMjU0MzVaGA85OTk5MTIzMTIz +NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwXDANBgkqhkiG9w0BAQEFAANLADBI +AkEAmmMomDw6UyEVGsCdhWB3BbgJNP+T4bFMnovfcwl5GBI9htuMataGBWB202Nf +ICItBqPCI7Mu8kO4xsz44ejRNQIDAQABo3cwdTAMBgNVHRMBAf8EAjAAMBQGA1Ud +EQQNMAuCCWxvY2FsaG9zdDAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBSuKggm +nzHbFCskfAJqxOV+hLlfLDAfBgNVHSMEGDAWgBS0Hn5aBNJdFPII6ad0f/eSfxEL +MjANBgkqhkiG9w0BAQsFAAOCAQEAQZR/tbDYzzDo3CL/lFmk/dXs6/qMo3B/9xLV +HGhj2IqjRNY4Qo4V05a+Xw9bUxvmuae+BrNGOK4ouwhsmZerTPIhE6u1PWZclcQm +Ean6r8uXWKsCdUd1zMP/oZUuWiQga/7+Ej2MT/E7dxhfHoAQin9B6NGIJB8pG0KX +FU74gSlsA+bQFBEyIYDgJXj6Oht0ggyIzzy6nPzi+7cRgzmqhfCyoZoZd8vn1fi3 +Lvqt3XbfDITTBhr9FtBr0LQNbe5/j74nXKUiIYiu8EkDC0hTMK+s2q9qNi43+naR +8h0irt/ZBUIJrJWtPSJsVDHKXkEtwYaI+HNNGE/Zjk4wS3ydBg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDEjCCAfqgAwIBAgIUTJoYUgrAGOyE94h5R67I+cbdBtYwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjU0MzRaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAM+nUak8iG8Ff5u08dsTvdQsb+xVnHiL+cPOrAaDN76VpifZKE5fHMcy +LYJi3cXZHgIUMTTHqU0X9wef5GbRDdmH82073OHE4XTaf0NJckGLegqxt7xRN24b +bUQquy1Xr1mSBoVGPOZXkS75nZ0vLFXcP4hF8J4M2y8veCnJJZB/y110F+j8g2uJ +guXozXXk9/64obxycy/k6JSzCr/WjEhg0dL5t/rnpUxxMkqJqd8P5YpCabhP0mjh +gCb0R0UX5B4R3MqeQ4TwXbf9pI4EtEIGtYBmgWczEV300oe+CixiKABvxF6Q37Eg +N+c8Yjyod10M55YcOttIYrO/dAGOfOcCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBS0Hn5aBNJdFPII6ad0f/eSfxEL +MjAfBgNVHSMEGDAWgBSCt0sRc+AtcCAfvZZvqd9gBkYnyTANBgkqhkiG9w0BAQsF +AAOCAQEAKvrBV31kz41qjkk2QQ6DR2COVfOmc9LHbeJMr/s1vFxyNJ1htsfHh2HW +lvYyqzS0m36RApCJXT1Z1dzvEp45GoCtaISVq9jenKSm7nLCqnhbPWFr3nMDWPPG +c9lV7PlPB8myeHhZpGK7df1VcTIJN2u/SI7P4RnaUck2176yJVyU4StOUcmbd+Yn +I7LWpxwVmNkcOwI5IR0zdbVWcLP9+2kL8Kju8koql1lrlqTnucRY+2sD1sjaTTIz 
+kQVrELO0l9EAAC5La6u9dACkOhppYFZIw++hbtEXxgkEYnoGzvptsNi3w+CrQ/g8 +7cuIfQFBCX/9C6APbz1o4FHJCKsDVw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUMPdFIRYbJUlkWLtbOqcbIE9nbkkwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjU0MzRaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALS9CFlh0IrSuEjuiDRnznblJiTWXuojqTp61CZkJzEt3mTAbAuvJGZa +wG6gQxMIIYwxtbdjC58wP9ZucJgFxVgD4211QBcwACxDCbGyUsxTZZrQkCMun6Y/ +YMUSu8Og6twIx++vAO+N0Eaa/FrUcYa0Hj8XxUgL8/CT40OJC/i49OuA9Bs3L6zj +aMEADZ/f3/33oo6jgOdRmUmVOuovNg02h4NjBk3OlKD03vZ2ygVzmXme0YBM0o3Z +SmMqhut96fI8taqcCV5ccNNsp6HHIg0GGuWtBB7rTkEFBhQg53AMrzgOpQ64Pueg +LXLdRdOVKRkX1lLvboRMbjlM5HtOTX8CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBSCt0sRc+AtcCAfvZZvqd9gBkYn +yTANBgkqhkiG9w0BAQsFAAOCAQEAEjS+iRmeALeQIVvU4VztUmqp7FtkdD1P92xu +yuvPTKGmhRRwDNB1GleHUt4BFKF9EPTW9PK9VJTjNiivPcm9u6zjRENb95l7NOsY +5AYMZFyR+jRT7cxbDYGuQ9yc8nRF1mH6L0osfgMIub/Z7noMgSGhzQx5E56Q2CPj +QVLUH37Hkj0hAWsccFuiicZSeAsxSWAr7+qRKHWJKgJ1sBiDkXlsfuoUYJCFd4Q7 +LQraLxDpVfB44E+rxFRJoLYzExeTXhDvCJYNPd7OUd6WIOeq0yjaj1v8dn5pV6Vh +kockuY1rAy2fNlOoIEG9qVvWJ/vj+Uq9wUomW3wfyF8es74V2A== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/chain-512-subca.pem b/tests/cert-tests/data/chain-512-subca.pem new file mode 100644 index 0000000000..261137b28a --- /dev/null +++ b/tests/cert-tests/data/chain-512-subca.pem 
@@ -0,0 +1,46 @@ +-----BEGIN CERTIFICATE----- +MIIB3zCCAYmgAwIBAgIUJCiWOylfZcYmHICa+LwzULsEY5swDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTEyMTgxMjUzMjdaGA85OTk5MTIzMTIz +NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwgZswEAYHKoZIzj0CAQYFK4EEACMD +gYYABAEkG+6EOxALvWgJfPPfTj6aM++G/Clb6qYKb7EKHKArIngKFB9jLmGCC9Nh ++2Fg75z9GjP1UNqdlwcuTYsFzIdFfgD7POQCoU/mQKGHCHrNgTd+yhbpkjIzMf94 +Pd37B3KWoMwpt42vi5oEv1wMaMT/9bgZtiTh5cFdYc53MpVqj9GAiaN3MHUwDAYD +VR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweA +ADAdBgNVHQ4EFgQUbktH02YQyE/FHx+/fWGUBEXQYxwwHwYDVR0jBBgwFoAUTXqT +trlGUSx93s8ATWGeoEDKrqcwDQYJKoZIhvcNAQELBQADQQAFHfmevmaYUZcMZLDY ++BrwecSLCxPWHd6T1QDhn6x7P8aVsY/8cLIn7ACURxR+ia2fG/px0o2+wV+bT+A5 +sDIv +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICSjCCATKgAwIBAgIUA6RF1rEvvPbBSliyFqD77roShB0wDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUzMjdaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDl +cI6PmIU+IFbj7ykZkLWuGIlR8uF3CAyj2fq4iBeEk10hEA+d5Oz2Yp7YwmnTJvb6 +oO2XLPyLyE3htVmbaEj5AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P +AQH/BAUDAweEADAdBgNVHQ4EFgQUTXqTtrlGUSx93s8ATWGeoEDKrqcwHwYDVR0j +BBgwFoAUCWYWUmG4wYva7UCkhcdTRTJXTIQwDQYJKoZIhvcNAQELBQADggEBABeg +Ev6JXb78IRCeK11I/B30HW17ejR+wFBereGpuIxu6HtDHVl2Au1+vJ+ddK7hVvL5 +Z18RozUyvwpCAQ5DqC9SzabAfIszM7PvEZ7/j5xd11L+YEicd9g72jVKwP2VSIJL +9dfHBFvIlh7NrspwVipPSp5bDCbrTTOpNPHHQuTNO51dw9178UfmQhg4hIrMnGsW +edT5KswtixFekzW36giJ673tnz/amcDJxJC78sXFnpYsIrTRFqU2/rrd7Yd9Fmwv +4D2vvBVmRKVYTEz9W5tgMEQWvzSomQj5ejzHzcomXXp/W96XDKWVjHE43EmqquTE +rlIkVCK/Yf1h99U2+Ag= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUWV9HK/UEiOT8ZpQq2w2glOshGeUwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTEyMTgxMjUzMjdaGA85OTk5MTIzMTIz +NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMVYMEUmPcAGVgJkwMSser5bJWUEzD7PtXUzzeu3UAUl5D/B5I7vlZ3A +1T0ZlSdTB0N73HHg/FFE90jUrVoj/yI6Ml1otPZ1tYjH2eLGN+/NCkFVKSzxuNo3 
+DURRRFoWMpk4kpmaCYkWoKMTYZtkcserm+Lv0kpBFT12+iT/GCPBmaqmcbMK8sbS +Pz45BVdRFwln8oyLKSunXyYrBd2LHlLkhag0YivojAxuE8IyEE2SkndGO1JC8WFB +DMwGrllrkAiZSZKdTEI4377r5LrgYXv7w9tr5jgkrABUohie8SpJOlJqcjzfaF/1 +QJrxZSwSUvOl4EZVziEBSnlwzrfk6G0CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB +/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBQJZhZSYbjBi9rtQKSFx1NFMldM +hDANBgkqhkiG9w0BAQsFAAOCAQEAXTYMg/3eQ46E+s6OoZ3wb4diYXfblgvdAlL4 +LYLGeQJ+Jys5iJ6cou+Ck3xsSpXr5+6ElwyP/T8DieHdZHYy/JC/EhU8O+nxsszr +zjxJGQWVBqlzsVSsELhJcH6OC5xhUw8F1Xpy95trpRTSQB7fkxrqWnEIgacKUuns +s5ntL3BJzOhNnxZM7dydFL3citM1lrfDLr2pErrXPFpLbul0yCT4sWZeriKbj4vh +7N/1CQ2cvChOSHAbB9KMUeCBDJgWP7u4zqVLQv/mTfjB0tXRWYMLsr2koyCOhcWj +MA5NnUuEfXtLLcCUbekk26SgYLKz+AGk6gAMN7ofsYLPOtTShw== +-----END CERTIFICATE----- |