zmap · christopher-henderson · Apr 28, 2024 · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri.go
@@ -0,0 +1,74 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <[email protected]>
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"net/url"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_invalid_cps_uri",
+			Description:   "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL",
+			Citation:      "CABF BR 7.1.2 (several subsections thereof)",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,
+		},
+		Lint: NewInvalidCPSUri,
+	})
+}
+
+type invalidCPSUri struct{}
+
+func NewInvalidCPSUri() lint.LintInterface {
+	return &invalidCPSUri{}
+}
+
+func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool {
+	return util.IsExtInCert(c, util.CertPolicyOID)
+}
+
+func isValidHttpOrHttpsURL(input string) bool {
+	parsedURL, err := url.Parse(input)
+	if err != nil {
+		return false
+	}
+
+	scheme := parsedURL.Scheme
+	return scheme == "http" || scheme == "https"
+}
+
+func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult {
+	// There should normally be just one CPS URI, but one never knows...
+	for _, pol := range c.CPSuri {
+		for _, uri := range pol {
+			if !isValidHttpOrHttpsURL(uri) {
+				return &lint.LintResult{Status: lint.Error}
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go b/v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
@@ -0,0 +1,83 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <[email protected]>
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+/*
+   === Pass test cases ===
+   invalid_cps_uri_ok_01.pem       Certificate with a well-formed CPS URI
+   invalid_cps_uri_ok_02.pem       Certificate without a CPS URI
+
+   === NE test cases ===
+   invalid_cps_uri_ok_03.pem       Certificate with an invalid CPS URI, but issued before effective date
+
+   === Fail test cases ===
+   invalid_cps_uri_ko_01.pem       Certificate with an invalid CPS URI (disallowed scheme)
+   invalid_cps_uri_ko_02.pem       Certificate with an invalid CPS URI (syntax error)
+   invalid_cps_uri_ko_03.pem       Certificate with two CPS URIs, one good and one bad
+*/
+
+func TestInvalidCPSUri(t *testing.T) {
+	type Data struct {
+		input string
+		want  lint.LintStatus
+	}
+	data := []Data{
+		{
+			input: "invalid_cps_uri_ok_01.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "invalid_cps_uri_ok_02.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "invalid_cps_uri_ok_03.pem",
+			want:  lint.NE,
+		},
+		{
+			input: "invalid_cps_uri_ko_01.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "invalid_cps_uri_ko_02.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "invalid_cps_uri_ko_03.pem",
+			want:  lint.Error,
+		},
+	}
+	for _, testData := range data {
+		testData := testData
+		t.Run(testData.input, func(t *testing.T) {
+			out := test.TestLint("e_invalid_cps_uri", testData.input)
+			if out.Status != testData.want {
+				t.Errorf("expected %s, got %s", testData.want, out.Status)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/invalid_cps_uri_ko_01.pem b/v3/testdata/invalid_cps_uri_ko_01.pem
@@ -0,0 +1,109 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 793070860651290632 (0xb018dbef2d56008)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA
+        Validity
+            Not Before: Mar 30 16:57:00 2024 GMT
+            Not After : Aug 13 16:57:00 2024 GMT
+        Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e:
+                    c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47:
+                    e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a:
+                    67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3:
+                    af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59:
+                    d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25:
+                    25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5:
+                    e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48:
+                    7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29:
+                    d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9:
+                    b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3:
+                    da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9:
+                    e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be:
+                    90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7:
+                    aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f:
+                    3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e:
+                    92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c:
+                    e9:23
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+                Policy: 1.2.3.4.5
+                  CPS: ftp://www.some-ca.inc/cps
+
+    Signature Algorithm: sha256WithRSAEncryption
+         97:54:ef:06:28:ff:dd:57:18:92:a4:e1:89:56:d5:90:f4:46:
+         9d:df:f4:67:d4:5f:dd:b5:0c:33:0a:cb:bc:a4:3c:86:3b:0b:
+         48:61:f0:0b:68:b1:72:ee:2a:55:f1:78:d4:25:10:ef:58:00:
+         5f:2e:26:a8:76:32:0e:45:31:69:98:79:a7:5d:51:b5:5d:d8:
+         4b:61:41:ee:02:ce:e6:10:18:cb:88:cd:3a:00:db:27:51:75:
+         ef:23:b8:61:2b:53:72:a6:fd:95:96:80:c2:3a:87:8a:f2:cf:
+         a4:c2:56:d2:8f:3d:52:28:a8:ee:11:c2:f4:0f:cb:6f:87:30:
+         35:8d:bd:0f:a2:3f:25:6b:b3:68:de:46:8d:fa:23:d9:8a:43:
+         90:a0:6b:97:cf:bb:8a:b5:e4:64:d0:dc:07:3f:e5:46:d0:d5:
+         79:e7:0f:7b:0c:ac:4c:03:8c:d3:c3:55:14:76:ed:02:a6:e1:
+         96:58:ab:2c:42:ac:6d:e7:75:04:3f:35:ae:7f:35:a0:5f:e7:
+         10:df:22:3f:94:eb:a2:9a:1a:a7:75:8d:f8:13:95:c4:a0:bc:
+         a5:90:ab:8f:af:f5:42:ba:c0:15:47:c8:15:47:d9:98:70:c8:
+         ff:10:90:1b:68:3d:74:ed:ec:94:14:70:5a:33:ce:1a:d7:ba:
+         9a:38:0e:d3:dc:9c:83:54:19:5e:bc:95:7e:ed:e6:8e:18:93:
+         28:c8:b9:77:a5:e5:a9:31:8e:29:9c:b2:8c:e3:d5:29:ce:5f:
+         5d:1c:b7:f7:00:36:5a:38:e3:99:a0:7c:20:a6:38:dd:6d:5b:
+         d8:76:e1:03:51:51:d2:7b:3b:01:35:4a:88:76:72:63:61:19:
+         7e:4e:79:62:7a:c0:e6:0c:a8:9e:3e:cf:15:1a:98:ab:f1:67:
+         8e:f7:4d:a4:01:b7:72:59:44:ec:e2:2d:d0:be:d0:9e:4f:af:
+         4f:56:06:90:c8:04:b3:04:cd:00:ca:c9:cb:d3:c4:04:0c:d6:
+         2e:0b:c7:85:05:31:32:89:70:4e:2f:b9:f1:04:b5:35:1f:0d:
+         12:0d:8d:fe:3c:1f:c7:bf:10:5d:01:c8:56:27:83:3d:67:ac:
+         82:e6:40:70:89:8d:c7:d7:5b:e2:3d:95:1d:e4:fa:92:ce:4e:
+         f7:47:88:e0:b7:10:60:8b:5f:8f:6c:7f:53:56:db:4b:ab:84:
+         db:d1:42:28:f9:de:35:4d:ad:c7:d7:e8:8c:13:c5:24:51:88:
+         3e:f3:9d:b3:7a:ba:14:9a:ac:ae:6b:a4:6e:c3:7c:53:18:0d:
+         b2:9f:17:c7:96:de:56:ef:fd:bd:b8:b7:30:d0:7c:81:28:4c:
+         12:db:c0:f0:e5:50:83:cb
+-----BEGIN CERTIFICATE-----
+MIIFKDCCAxCgAwIBAgIICwGNvvLVYAgwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE
+BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh
+MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD
+ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1
+NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS
+BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn
+ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ
+ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E
+c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE
+W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS
+lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4G9MIG6MAwGA1UdEwEB/wQCMAAwHQYD
+VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v
+cmcwRAYDVR0gBD0wOzAIBgZngQwBAgIwLwYEKgMEBTAnMCUGCCsGAQUFBwIBFhlm
+dHA6Ly93d3cuc29tZS1jYS5pbmMvY3BzMA0GCSqGSIb3DQEBCwUAA4ICAQCXVO8G
+KP/dVxiSpOGJVtWQ9Ead3/Rn1F/dtQwzCsu8pDyGOwtIYfALaLFy7ipV8XjUJRDv
+WABfLiaodjIORTFpmHmnXVG1XdhLYUHuAs7mEBjLiM06ANsnUXXvI7hhK1Nypv2V
+loDCOoeK8s+kwlbSjz1SKKjuEcL0D8tvhzA1jb0Poj8la7No3kaN+iPZikOQoGuX
+z7uKteRk0NwHP+VG0NV55w97DKxMA4zTw1UUdu0CpuGWWKssQqxt53UEPzWufzWg
+X+cQ3yI/lOuimhqndY34E5XEoLylkKuPr/VCusAVR8gVR9mYcMj/EJAbaD107eyU
+FHBaM84a17qaOA7T3JyDVBlevJV+7eaOGJMoyLl3peWpMY4pnLKM49Upzl9dHLf3
+ADZaOOOZoHwgpjjdbVvYduEDUVHSezsBNUqIdnJjYRl+TnliesDmDKiePs8VGpir
+8WeO902kAbdyWUTs4i3QvtCeT69PVgaQyASzBM0AysnL08QEDNYuC8eFBTEyiXBO
+L7nxBLU1Hw0SDY3+PB/HvxBdAchWJ4M9Z6yC5kBwiY3H11viPZUd5PqSzk73R4jg
+txBgi1+PbH9TVttLq4Tb0UIo+d41Ta3H1+iME8UkUYg+852zeroUmqyua6Ruw3xT
+GA2ynxfHlt5W7/29uLcw0HyBKEwS28Dw5VCDyw==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/invalid_cps_uri_ko_02.pem b/v3/testdata/invalid_cps_uri_ko_02.pem
@@ -0,0 +1,109 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1892436556900320617 (0x1a4349059e01c569)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = IT, ST = Milano, L = Santa Redegonda, O = Certificati Gratis S.p.A., CN = Certificati Gratis CA
+        Validity
+            Not Before: Mar 30 16:57:00 2024 GMT
+            Not After : Aug 13 16:57:00 2024 GMT
+        Subject: C = AU, ST = Some State, L = Some Locality, O = Some Company Ltd., CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:bc:ae:30:0d:6a:39:0c:02:14:f6:98:c2:97:6e:
+                    c3:e2:a3:27:f8:e1:48:da:66:17:d7:d4:23:f9:47:
+                    e0:6c:67:ea:a4:7b:54:fa:b2:50:21:86:0b:69:7a:
+                    67:a2:e8:44:05:9d:fc:50:82:cc:91:3d:ef:22:d3:
+                    af:83:aa:90:db:69:89:d4:9c:e3:97:81:cf:c3:59:
+                    d9:c1:64:3c:aa:f3:42:25:3c:ae:3d:2a:48:cd:25:
+                    25:ae:59:d9:79:bb:e6:26:d3:cb:44:fa:21:5b:d5:
+                    e3:89:9b:6f:96:f1:fc:3a:5b:c4:0c:52:89:46:48:
+                    7b:41:4c:84:9f:cf:79:10:05:52:74:9c:e1:12:29:
+                    d7:3b:d8:10:b9:7d:44:73:da:f5:60:ce:1e:54:e9:
+                    b1:1d:7f:4c:ac:2c:23:f3:91:59:12:df:f9:07:a3:
+                    da:be:8e:18:a1:b5:74:60:e2:f9:64:52:30:65:f9:
+                    e8:75:22:21:4d:f6:4f:e2:47:c4:5b:f7:ea:b2:be:
+                    90:3d:9a:13:f3:7e:51:c7:6e:3e:bb:3f:43:9c:c7:
+                    aa:e1:26:11:e6:40:c5:ab:b2:4a:f3:44:36:19:8f:
+                    3d:d6:4a:45:1d:d2:db:03:53:ee:64:16:92:95:6e:
+                    92:ab:19:33:06:d8:ad:4d:a1:1e:39:4d:44:80:3c:
+                    e9:23
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                EF:A0:F9:31:2D:85:84:CF:39:D0:3A:8C:12:51:59:26:35:CB:C5:91
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+                Policy: 1.2.3.4.5
+                  CPS: www.some-ca.inc
+
+    Signature Algorithm: sha256WithRSAEncryption
+         16:57:14:9b:a6:7b:51:88:49:42:81:dc:ae:c0:13:ff:5e:55:
+         cf:24:5b:c8:00:68:dc:ac:7f:23:db:e5:24:bd:da:93:71:70:
+         c1:4a:7c:22:09:61:51:da:07:52:b7:5c:e8:0f:9e:30:6f:8e:
+         5e:33:0b:a2:75:2a:14:85:80:a9:72:5d:ba:c0:31:31:4f:b7:
+         56:ae:37:0a:9b:79:e5:34:5a:24:44:c6:c0:6f:b8:39:de:96:
+         69:43:f3:e9:69:c0:eb:5a:f3:c3:2b:7a:03:8b:d4:06:c6:a7:
+         de:09:00:c5:85:12:0f:6b:bb:1d:96:c7:e2:7a:17:56:17:dd:
+         c5:25:2c:41:3c:cb:d9:77:b6:fc:81:5b:d3:16:d1:c7:6b:8a:
+         bc:0e:5a:30:74:33:12:dd:ff:40:a4:83:2a:83:58:72:41:84:
+         19:87:f9:5c:3a:1d:c7:79:ca:5f:2c:ec:60:f3:a2:64:33:f4:
+         87:d8:f9:54:ba:28:7f:69:e7:2f:f7:40:04:90:86:21:3c:68:
+         0e:ee:c9:b2:ce:47:d7:2c:8a:90:65:83:70:59:53:fd:8a:df:
+         f7:2c:91:c2:06:be:ed:9b:89:65:47:32:ec:ec:70:c1:5c:7f:
+         ee:24:ea:ec:a7:b5:6f:28:b0:11:5f:47:e7:f5:ce:82:63:36:
+         6b:7a:74:53:00:e3:72:2c:1d:9e:4e:e7:27:54:59:1d:43:61:
+         36:53:bc:ba:7c:d4:d4:db:af:bd:4e:1c:a2:de:98:f0:a9:48:
+         75:73:1d:2a:cd:ea:12:b0:a9:dd:25:01:f7:e4:3c:15:8c:cb:
+         53:ff:d1:33:b8:a0:4d:fa:c7:c3:d8:b9:6d:e3:df:62:77:6e:
+         89:7b:17:c4:bc:96:3f:ed:25:72:f2:7b:66:04:49:da:91:a9:
+         73:ca:50:9b:ad:e2:46:ef:dd:7f:7a:14:55:df:ad:c5:55:f9:
+         f8:77:a7:1c:09:d7:42:ff:28:ef:c6:5b:e0:b5:f0:80:d8:ac:
+         09:45:1c:eb:a0:e5:69:07:de:ef:6d:b3:0d:6b:5d:e8:ea:d3:
+         9b:b3:98:70:45:fd:8f:5b:53:14:c0:e6:0b:57:5f:9a:37:14:
+         69:e2:10:8f:ab:59:3f:b7:54:51:4f:03:6c:1d:ce:54:40:2a:
+         be:f2:b5:f6:c8:25:b4:70:be:f7:44:4d:ed:03:ab:c3:98:59:
+         87:2a:41:be:5a:1b:d6:0d:40:11:64:ef:0f:13:37:fe:49:c3:
+         c7:df:f8:2d:e5:5a:6b:b4:e7:d2:52:1f:57:75:04:f9:0c:09:
+         5a:b4:e6:8f:be:74:5f:24:9b:bd:92:4c:ee:3d:96:1d:a1:fa:
+         f2:51:42:4e:bc:a3:a8:c3
+-----BEGIN CERTIFICATE-----
+MIIFHjCCAwagAwIBAgIIGkNJBZ4BxWkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UE
+BhMCSVQxDzANBgNVBAgTBk1pbGFubzEYMBYGA1UEBxMPU2FudGEgUmVkZWdvbmRh
+MSIwIAYDVQQKExlDZXJ0aWZpY2F0aSBHcmF0aXMgUy5wLkEuMR4wHAYDVQQDExVD
+ZXJ0aWZpY2F0aSBHcmF0aXMgQ0EwHhcNMjQwMzMwMTY1NzAwWhcNMjQwODEzMTY1
+NzAwWjBsMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZSBTdGF0ZTEWMBQGA1UE
+BxMNU29tZSBMb2NhbGl0eTEaMBgGA1UEChMRU29tZSBDb21wYW55IEx0ZC4xFDAS
+BgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvK4wDWo5DAIU9pjCl27D4qMn+OFI2mYX19Qj+UfgbGfqpHtU+rJQIYYLaXpn
+ouhEBZ38UILMkT3vItOvg6qQ22mJ1Jzjl4HPw1nZwWQ8qvNCJTyuPSpIzSUlrlnZ
+ebvmJtPLRPohW9XjiZtvlvH8OlvEDFKJRkh7QUyEn895EAVSdJzhEinXO9gQuX1E
+c9r1YM4eVOmxHX9MrCwj85FZEt/5B6Pavo4YobV0YOL5ZFIwZfnodSIhTfZP4kfE
+W/fqsr6QPZoT835Rx24+uz9DnMeq4SYR5kDFq7JK80Q2GY891kpFHdLbA1PuZBaS
+lW6SqxkzBtitTaEeOU1EgDzpIwIDAQABo4GzMIGwMAwGA1UdEwEB/wQCMAAwHQYD
+VR0OBBYEFO+g+TEthYTPOdA6jBJRWSY1y8WRMA4GA1UdDwEB/wQEAwIFoDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwFgYDVR0RBA8wDYILZXhhbXBsZS5v
+cmcwOgYDVR0gBDMwMTAIBgZngQwBAgIwJQYEKgMEBTAdMBsGCCsGAQUFBwIBFg93
+d3cuc29tZS1jYS5pbmMwDQYJKoZIhvcNAQELBQADggIBABZXFJume1GISUKB3K7A
+E/9eVc8kW8gAaNysfyPb5SS92pNxcMFKfCIJYVHaB1K3XOgPnjBvjl4zC6J1KhSF
+gKlyXbrAMTFPt1auNwqbeeU0WiRExsBvuDnelmlD8+lpwOta88MregOL1AbGp94J
+AMWFEg9rux2Wx+J6F1YX3cUlLEE8y9l3tvyBW9MW0cdrirwOWjB0MxLd/0CkgyqD
+WHJBhBmH+Vw6Hcd5yl8s7GDzomQz9IfY+VS6KH9p5y/3QASQhiE8aA7uybLOR9cs
+ipBlg3BZU/2K3/cskcIGvu2biWVHMuzscMFcf+4k6uyntW8osBFfR+f1zoJjNmt6
+dFMA43IsHZ5O5ydUWR1DYTZTvLp81NTbr71OHKLemPCpSHVzHSrN6hKwqd0lAffk
+PBWMy1P/0TO4oE36x8PYuW3j32J3bol7F8S8lj/tJXLye2YESdqRqXPKUJut4kbv
+3X96FFXfrcVV+fh3pxwJ10L/KO/GW+C18IDYrAlFHOug5WkH3u9tsw1rXejq05uz
+mHBF/Y9bUxTA5gtXX5o3FGniEI+rWT+3VFFPA2wdzlRAKr7ytfbIJbRwvvdETe0D
+q8OYWYcqQb5aG9YNQBFk7w8TN/5Jw8ff+C3lWmu059JSH1d1BPkMCVq05o++dF8k
+m72STO49lh2h+vJRQk68o6jD
+-----END CERTIFICATE-----