Check certificate profiles and its validity period (#306)

This makes the following checks to the leaf certificate if it has
- a valid public key corresponding to its private key
- a domain in CN or SubjectAltname specified in URLSet.Sign.Domain
- a validity period within 90 days according to SXG cert requirements

Author: shigeki

cmd/amppkg/main.go

@@ -93,13 +93,18 @@ func main() {
 	if !(*flagDevelopment || *flagInvalidCert || util.CanSignHttpExchanges(certs[0])) {
 		die("cert is missing CanSignHttpExchanges extension")
 	}
-	// TODO(twifkak): Verify that certs[0] covers all the signing domains in the config.
 
 	key, err := util.ParsePrivateKey(keyPem)
 	if err != nil {
 		die(errors.Wrapf(err, "parsing %s", config.KeyFile))
 	}
-	// TODO(twifkak): Verify that key matches certs[0].
+
+	for _, urlSet := range config.URLSet {
+		domain := urlSet.Sign.Domain
+		if err := util.CheckCertificate(certs[0], key, domain, time.Now()); err != nil {
+			die(errors.Wrapf(err, "checking %s", config.CertFile))
+		}
+	}
 
 	validityMap, err := validitymap.New()
 	if err != nil {

packager/testing/testing.go

@@ -42,6 +42,48 @@ var Key = func() crypto.PrivateKey {
 	return key
 }()
 
+// 90 days cert of amppackageexample.com and www.amppackageexample.com in SAN
+var B3Certs = func() []*x509.Certificate {
+	certPem, _ := ioutil.ReadFile("../../testdata/b3/fullchain.cert")
+	certs, _ := signedexchange.ParseCertificates(certPem)
+	return certs
+}()
+
+// Private key of B3Certs
+var B3Key = func() crypto.PrivateKey {
+	keyPem, _ := ioutil.ReadFile("../../testdata/b3/server.privkey")
+	key, _ := util.ParsePrivateKey(keyPem)
+	return key
+}()
+
+//  90 days cert of amppackageexample2.com and www.amppackageexample2.com in SAN
+var B3Certs2 = func() []*x509.Certificate {
+	certPem, _ := ioutil.ReadFile("../../testdata/b3/fullchain2.cert")
+	certs, _ := signedexchange.ParseCertificates(certPem)
+	return certs
+}()
+
+// Private key of B3Certs2
+var B3Key2 = func() crypto.PrivateKey {
+	keyPem, _ := ioutil.ReadFile("../../testdata/b3/server2.privkey")
+	key, _ := util.ParsePrivateKey(keyPem)
+	return key
+}()
+
+// 91 days cert from B3Key
+var B3Certs91Days = func() []*x509.Certificate {
+	certPem, _ := ioutil.ReadFile("../../testdata/b3/fullchain_91days.cert")
+	certs, _ := signedexchange.ParseCertificates(certPem)
+	return certs
+}()
+
+// secp521r1 private key
+var B3KeyP521 = func() crypto.PrivateKey {
+	keyPem, _ := ioutil.ReadFile("../../testdata/b3/server_p521.privkey")
+	key, _ := util.ParsePrivateKey(keyPem)
+	return key
+}()
+
 // The URL path component corresponding to the cert's sha-256.
 var CertName = util.CertName(Certs[0])
 

packager/util/util.go

@@ -17,18 +17,26 @@ package util
 import (
 	"bytes"
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/pem"
+	"time"
 
 	"github.com/WICG/webpackage/go/signedexchange"
 	"github.com/pkg/errors"
 )
 
 const CertURLPrefix = "/amppkg/cert"
 
+// https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req
+// Clients MUST reject certificates with this extension that were issued after 2019-05-01 and have a Validity Period longer than 90 days.
+// After 2019-08-01, clients MUST reject all certificates with this extension that have a Validity Period longer than 90 days.
+var start90DayGracePeriod = time.Date(2019, time.May, 1,  0, 0, 0, 0, time.UTC)
+var end90DayGracePeriod = time.Date(2019, time.August, 1, 0, 0, 0, 0, time.UTC)
+
 // CertName returns the basename for the given cert, as served by this
 // packager's cert cache. Should be stable and unique (e.g.
 // content-addressing). Clients should url.PathEscape this, just in case its
@@ -76,3 +84,27 @@ func CanSignHttpExchanges(cert *x509.Certificate) bool {
 	}
 	return false
 }
+
+func CheckCertificate(cert *x509.Certificate, priv crypto.PrivateKey, domain string, now time.Time) error {
+	certPubKey := cert.PublicKey.(*ecdsa.PublicKey)
+	pubKey := priv.(*ecdsa.PrivateKey).PublicKey
+	if certPubKey.Curve != pubKey.Curve {
+		return errors.New("PublicKey.Curve not match")
+	}
+	if certPubKey.X.Cmp(pubKey.X) != 0 {
+		return errors.New("PublicKey.X not match")
+	}
+	if certPubKey.Y.Cmp(pubKey.Y) != 0 {
+		return errors.New("PublicKey.Y not match")
+	}
+	if err := cert.VerifyHostname(domain); err != nil {
+		return err
+	}
+	// TODO: remove issue date and current time check after 2019-08-01
+	if cert.NotBefore.After(start90DayGracePeriod) || now.After(end90DayGracePeriod) {
+		if cert.NotBefore.AddDate(0,0,90).Before(cert.NotAfter) {
+			return errors.New("Certificate MUST have a Validity Period no greater than 90 days")
+		}
+	}
+	return nil
+}

packager/util/util_test.go

@@ -4,13 +4,21 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"testing"
+	"time"
 
 	pkgt "github.com/ampproject/amppackager/packager/testing"
 	"github.com/ampproject/amppackager/packager/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+func errorFrom(err error) string {
+	if err == nil {
+		return ""
+	}
+	return err.Error()
+}
+
 func TestCertName(t *testing.T) {
 	assert.Equal(t, "PJ1IwfP1igOlJd2oTUVs2mj4dWIZcOWHMk5jfJYS2Qc", util.CertName(pkgt.Certs[0]))
 }
@@ -27,3 +35,42 @@ func TestCanSignHttpExchanges(t *testing.T) {
 	// CA node does not.
 	assert.False(t, util.CanSignHttpExchanges(pkgt.Certs[1]))
 }
+
+func TestParseCertificate(t *testing.T) {
+	assert.Nil(t, util.CheckCertificate(pkgt.B3Certs[0], pkgt.B3Key, "amppackageexample.com", time.Now()))
+}
+
+func TestParseCertificateSubjectAltName(t *testing.T) {
+	assert.Nil(t, util.CheckCertificate(pkgt.B3Certs[0], pkgt.B3Key, "www.amppackageexample.com", time.Now()))
+}
+
+func TestParseCertificateNotMatchX(t *testing.T) {
+	assert.Contains(t, errorFrom(util.CheckCertificate(pkgt.B3Certs[0],
+		pkgt.B3Key2, "amppackageexample.com", time.Now())), "PublicKey.X not match")
+}
+
+func TestParseCertificateNotMatchCurve(t *testing.T) {
+	assert.Contains(t, errorFrom(util.CheckCertificate(pkgt.B3Certs[0],
+		pkgt.B3KeyP521, "amppackageexample.com", time.Now())), "PublicKey.Curve not match")
+}
+
+func TestParseCertificateNotMatchDomain(t *testing.T) {
+	assert.Contains(t, errorFrom(util.CheckCertificate(pkgt.B3Certs2[0],
+		pkgt.B3Key2, "amppackageexample.com", time.Now())), "x509: certificate is valid for amppackageexample2.com, www.amppackageexample2.com, not amppackageexample.com")
+}
+
+func TestParse91DaysCertificate(t *testing.T) {
+	assert.Contains(t, errorFrom(util.CheckCertificate(pkgt.B3Certs91Days[0],
+		pkgt.B3Key, "amppackageexample.com", time.Now())), "Certificate MUST have a Validity Period no greater than 90 days")
+}
+
+func TestParseCertificateIssuedBeforeMay1InGarcePeriod(t *testing.T) {
+	now := time.Date(2019, time.July, 31, 0, 0, 0, 0, time.UTC)
+	assert.Nil(t, util.CheckCertificate(pkgt.Certs[0], pkgt.Key, "amppackageexample.com", now))
+}
+
+func TestParseCertificateIssuedBeforeMay1AfterGracePeriod(t *testing.T) {
+	now := time.Date(2019, time.August, 1, 0, 0, 0, 1, time.UTC)
+	assert.Contains(t, errorFrom(util.CheckCertificate(pkgt.Certs[0],
+		pkgt.Key, "amppackageexample.com", now)), "Certificate MUST have a Validity Period no greater than 90 days")
+}

testdata/b3/README.md

@@ -0,0 +1,50 @@
+# Test certificates for b3
+
+This is example certificates for tests built under the constraints set by `v=b3` except having AIA and SCT extension.
+
+To generate:
+
+CA private key and cert,
+```
+$ openssl genrsa -out ca.privkey 2048
+$ openssl req -x509 -new -nodes -key ca.privkey -sha256 -days 1825 -out ca.cert -subj '/C=US/ST=California/O=Google LLC/CN=Fake CA'
+```
+
+server.privkey and server.cert of amppackageexample.com and www.amppackageexample.com,
+```
+$ openssl ecparam -out server.privkey -name prime256v1 -genkey
+$ openssl req -new -sha256 -key server.privkey -out server.csr -subj /CN=amppackageexample.com
+$ openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.privkey -CAcreateserial -out server.cert -days 90  -extfile <(echo -e "subjectAltName = DNS:amppackageexample.com,DNS:www.amppackageexample.com\n1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL")
+$ cat server.cert ca.cert > fullchain.cert
+
+server2.privkey and server2.cert of amppackageexample2.com and www.amppackageexample2.com,
+```
+$ openssl ecparam -out server2.privkey -name prime256v1 -genkey
+$ openssl req -new -sha256 -key server2.privkey -out server2.csr -subj /CN=amppackageexample2.com
+$ openssl x509 -req -in server2.csr -CA ca.cert -CAkey ca.privkey -CAcreateserial -out server2.cert -days 90  -extfile <(echo -e "subjectAltName = DNS:amppackageexample2.com,DNS:www.amppackageexample2.com\n1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL")
+$ cat server2.cert ca.cert > fullchain2.cert
+```
+
+and others
+```
+$ openssl x509 -req -in server.csr -CA ca.cert -CAkey ca.privkey -CAcreateserial -out server_91days.cert -days 91  -extfile <(echo -e "subjectAltName = DNS:amppackageexample.com,DNS:www.amppackageexample.com\n1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL")
+$ cat server_91days.cert ca.cert > fullchain_91days.cert
+$ openssl ecparam -out server_p521.privkey -name secp521r1 -genkey
+```
+
+### Appendix
+
+<!--
+TODO(twifkak): Update this to add AIA for OCSP.
+https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
+https://github.com/grimm-co/GOCSP-responder
+https://github.com/OpenVPN/easy-rsa
+https://gist.github.com/NoMan2000/06fffaca2ea710175cbcdd1a933c44af
+-->
+
+See some tutorials:
+ - https://github.com/WICG/webpackage/tree/master/go/signedexchange
+ - https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
+ - https://github.com/jmmcatee/cracklord/wiki/Creating-Certificate-Authentication-From-Scratch-OpenSSL
+ - https://gist.github.com/Soarez/9688998
+ - https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html

testdata/b3/ca.cert

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIJAKRDrJBUupZAMA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQKDApHb29nbGUgTExD
+MRAwDgYDVQQDDAdGYWtlIENBMB4XDTE4MDgyOTIxMjIyOVoXDTIzMDgyODIxMjIy
+OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoM
+Ckdvb2dsZSBMTEMxEDAOBgNVBAMMB0Zha2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC52bjEZwQIt5pIZY712P6nbQOoRGKmalU6SksHjhVx8x93
+58Fjs+z1S1xm+HwU8LDj82wapj2/GZbLgk6wiYeSF17a4cKbdOfZUqQiQpQfciAB
+S3sd2ZG0YghR/VdTHa3mH56lX90Z/3pq0KlwIDk1U/PpKYaWwC1Ywpj1COEJ9Omd
+TjcoPQ1nEc1vKdlyjlAvDYqKptrK2grGykvu0Rh2ZeJ99YSSYknh6zx6U3FWtKlm
+PgMjSWO2gtpbMLPI3Uehde0b3Bq8JntjPvbh8gLoGaOEsvvDgTfFRpRkNqMAjLVf
+z/zol9CpBdggg4Fyj9J0CGjM9f1ZBhXLmtoxkAQjAgMBAAGjUzBRMB0GA1UdDgQW
+BBSiY4BoP6E4Rx6tSi0iXDHU5D3vlTAfBgNVHSMEGDAWgBSiY4BoP6E4Rx6tSi0i
+XDHU5D3vlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCG9ARQ
+S1tOW0PVuJ5H4WU0hRmDn5oUkEu9DzD1WoGGTN6CCM0AfLBo0ARwqntvSNtERIA6
+BfVSaeqO6WNrvGDLwi+YcUlTxyGLsGlDz/xeQ7WIVGlbhyTJYH5B1yliRyZN4M2E
+hIqWqBMSvtqCnMMJEr/0BsigDIEiEUXwsc6tC77HudXxV0AVs4MLBz3iowkeZMB6
+qZAVRKCmVptIsPyP+eO3vIIWi0y7eQx/8WOpW52CYj9MhhDa9/IcJLIRQIOe7fRn
+1tL/h+aRMq7ywOrwbO/s2HQ7kG/jFIRj0QMxeCExTzPhND22EVvVisfocXS91QuL
+PjZuIWmKwDo/Vvau
+-----END CERTIFICATE-----

testdata/b3/ca.privkey

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAudm4xGcECLeaSGWO9dj+p20DqERipmpVOkpLB44VcfMfd+fB
+Y7Ps9UtcZvh8FPCw4/NsGqY9vxmWy4JOsImHkhde2uHCm3Tn2VKkIkKUH3IgAUt7
+HdmRtGIIUf1XUx2t5h+epV/dGf96atCpcCA5NVPz6SmGlsAtWMKY9QjhCfTpnU43
+KD0NZxHNbynZco5QLw2KiqbaytoKxspL7tEYdmXiffWEkmJJ4es8elNxVrSpZj4D
+I0ljtoLaWzCzyN1HoXXtG9wavCZ7Yz724fIC6BmjhLL7w4E3xUaUZDajAIy1X8/8
+6JfQqQXYIIOBco/SdAhozPX9WQYVy5raMZAEIwIDAQABAoIBACHsv1CCqXbZ5PzQ
+JQ91g86WFLPTf9p20IXqZ9XCNuHtClJ96IxFnLyN/BkDxMqhwPhrR9F5hQ3sIt2V
+NL3+7NNbFsKHsVllNqkx76odUyKGV5dE6v1g6LrvpispPpZ6dXLrVK9FV3vWaccz
+vaotB6RXZc+q99luzRhFtVwNOd7yGQWkn1sKO1i/QWiARdob/inKArbNl3W0GtJ0
+kIjQNm28JFpzTxUbjoWOOUoH4B8PyOS+k6+ByjJDBhLiinl3I7M+g6LWqr2cdam8
+xyoHHyUtYM1DbCoPJKDtJeJkxNP9TZTJLLq/lqRjm14kvcIHvQxFSZF/NqJivurq
+LYtghDkCgYEA7SC1ot2PjkZ2MZNQQsT5HrAwqqfogb9AvQ2HSkFN71LGZQcfxhNS
+chg1/MH3R9k95xDPSFc2T5DxEBUFaImeGhPNnm1YzHJbixZgBu2G6DAEks95qtYf
+bDWRFG60ulaJAeveVYxhnoXARc9NMPAbek6VgFi1QWFY+M/VTC3cve8CgYEAyKRH
+J6eUurQZti9mUwbSPWB41+hi7KFL3qC618qOf0XDnDlGvhSxkMLdnICMDOxg6U/b
+0G4Zlyb6JbyZ5jiDpvcAbqqGsickmI8SJeKbp9zQT0mELuRdx12YuMi0aA81gaIm
+ekYDiQp28enO778s033ikrYwVu2yLakrFayakQ0CgYEAnc8Z8nSfGCF+gUm3rWfn
+HuxExx4Nl2OPkwGQ2vMRCce9rviJxcmQIcxJCZiQl+lU0BUYzdz0kQk11O0Yd1S2
+ukYZnmjJIu6sS6ktaQ7krFtgf8/B+dacfOg9UCrI7gWvEm9FvQs64EPFDPCEP6Bb
+uQ7ZYdwnbIZ7rsKqAhO3h1MCgYBfGwejc1sbmO0rH5K4Pl5/u2/sn/nsQpStBbEr
+QpeDGrWbIsc2qKZ2gPf9DC3WnmFdln4ScW3t6QrfwmOM7jLxfNmWm3xXjBhbvE2U
+6bJwwkl3m9htRdByBRq0VGa3gKYTOaJViUR5vB0flH2DxTHhWiWA9504R1mTLUH/
+9x4ZLQKBgE039cFcqazKgUrhGfnHo6DKMYv9tLfpwBrfGrjS5eL9HzwCjqflH7Ql
+rN/8D4hNeT+lU9m8gAZkf7a/9Atz+V97gIKRzLg8ShHPg4lcjHaAK35CRSrNc+i0
+Hf1WpUKryO9CCzqsmO1Z+hxLVC1rSYJ2C8TRI3FMf3Gay/IzUUXF
+-----END RSA PRIVATE KEY-----

testdata/b3/ca.srl

@@ -0,0 +1 @@
+E9E246FA1A4FB5BF

testdata/b3/fullchain.cert

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIICcjCCAVqgAwIBAgIJAOniRvoaT7W9MA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQKDApHb29nbGUgTExD
+MRAwDgYDVQQDDAdGYWtlIENBMB4XDTE5MDUwOTA1NDMzMloXDTE5MDgwNzA1NDMz
+MlowIDEeMBwGA1UEAwwVYW1wcGFja2FnZWV4YW1wbGUuY29tMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEOFjcTTfGjzqRM1fZ+vzaDcOwQcO0enVPHYqe6c5pPEux
+3DYBUbPOkLuyzCwUpC+kxu1a3GcvdO4yyVT56GvEfqNRME8wOwYDVR0RBDQwMoIV
+YW1wcGFja2FnZWV4YW1wbGUuY29tghl3d3cuYW1wcGFja2FnZWV4YW1wbGUuY29t
+MBAGCisGAQQB1nkCARYEAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQA15v5hJEiinNQk
+GplWJBYeBSjWMnwfvXqpWYiIw47692+ELBihlmYY+xcAhUbvBty7695LiHRRbJLL
+c4QC8EoAePuvrty6vZVZbVc9FUFRKvgQ0n3FzMok/0QTfUNeQbfQBWomxxmlySsD
+WwQ3fcRtGRETspcBMrhHorVplSAqAtr41bxe1Wh+RywmJRtG+1/Tp8zU6Py6bkPz
+pHkwkkua+ucwhU0xk3Ipe5vZVOSZQofVqDpSuUadrhU6B7fDI+B+nniiyOXplgNx
+CVoSy6nrsUb1nAFIDxKxrTrhlHi8oXGR9JvMLf4u+A+0d64SeXkgmYFIc5ftYHlz
+BKMgdmFI
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIJAKRDrJBUupZAMA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQKDApHb29nbGUgTExD
+MRAwDgYDVQQDDAdGYWtlIENBMB4XDTE4MDgyOTIxMjIyOVoXDTIzMDgyODIxMjIy
+OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoM
+Ckdvb2dsZSBMTEMxEDAOBgNVBAMMB0Zha2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC52bjEZwQIt5pIZY712P6nbQOoRGKmalU6SksHjhVx8x93
+58Fjs+z1S1xm+HwU8LDj82wapj2/GZbLgk6wiYeSF17a4cKbdOfZUqQiQpQfciAB
+S3sd2ZG0YghR/VdTHa3mH56lX90Z/3pq0KlwIDk1U/PpKYaWwC1Ywpj1COEJ9Omd
+TjcoPQ1nEc1vKdlyjlAvDYqKptrK2grGykvu0Rh2ZeJ99YSSYknh6zx6U3FWtKlm
+PgMjSWO2gtpbMLPI3Uehde0b3Bq8JntjPvbh8gLoGaOEsvvDgTfFRpRkNqMAjLVf
+z/zol9CpBdggg4Fyj9J0CGjM9f1ZBhXLmtoxkAQjAgMBAAGjUzBRMB0GA1UdDgQW
+BBSiY4BoP6E4Rx6tSi0iXDHU5D3vlTAfBgNVHSMEGDAWgBSiY4BoP6E4Rx6tSi0i
+XDHU5D3vlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCG9ARQ
+S1tOW0PVuJ5H4WU0hRmDn5oUkEu9DzD1WoGGTN6CCM0AfLBo0ARwqntvSNtERIA6
+BfVSaeqO6WNrvGDLwi+YcUlTxyGLsGlDz/xeQ7WIVGlbhyTJYH5B1yliRyZN4M2E
+hIqWqBMSvtqCnMMJEr/0BsigDIEiEUXwsc6tC77HudXxV0AVs4MLBz3iowkeZMB6
+qZAVRKCmVptIsPyP+eO3vIIWi0y7eQx/8WOpW52CYj9MhhDa9/IcJLIRQIOe7fRn
+1tL/h+aRMq7ywOrwbO/s2HQ7kG/jFIRj0QMxeCExTzPhND22EVvVisfocXS91QuL
+PjZuIWmKwDo/Vvau
+-----END CERTIFICATE-----

testdata/b3/fullchain2.cert

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIICdTCCAV2gAwIBAgIJAOniRvoaT7W+MA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQKDApHb29nbGUgTExD
+MRAwDgYDVQQDDAdGYWtlIENBMB4XDTE5MDUwOTA1NDQ1MVoXDTE5MDgwNzA1NDQ1
+MVowITEfMB0GA1UEAwwWYW1wcGFja2FnZWV4YW1wbGUyLmNvbTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABPrQ/l9HqUGjmupFkJo+dZt6/UoR5sFunT72ZoRc0Nvh
+zP+qpvZdTBzkZejExW3xor6iIGowuKKPWOJA976Sj52jUzBRMD0GA1UdEQQ2MDSC
+FmFtcHBhY2thZ2VleGFtcGxlMi5jb22CGnd3dy5hbXBwYWNrYWdlZXhhbXBsZTIu
+Y29tMBAGCisGAQQB1nkCARYEAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQCmh+Ff+GUC
+S/IFh2xLtXcnB+elfr75PwldD91LqRnTYu/DC9tKcfDxKZIwHw0B5gLg362lAdB1
+88I8XJrrf8WfH6auCcuhdoCDyNVbbXqsapwTHEaUFZiCVnPt0eJRdau6voZLKGZM
+/zEMVUg9qPOSCR5+j2hpmPyFNCUqK6RpNpCKFXf/WJOHphAIqLeFbLJa4kIfIL6b
+m/K2Og93H0uVX3j5jgaQncRxX6ZKCje+2MzNvPBZhWJgU+xTDPLPOPeQX+sHj6k6
+TjsTgQ9GbpHPuoWc0keW6ulVwN7VW5EfUmM3fvftO2/5hHI6qIVnhrTgto+u+7vH
+oDSK9AJC357d
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIJAKRDrJBUupZAMA0GCSqGSIb3DQEBCwUAMEkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQKDApHb29nbGUgTExD
+MRAwDgYDVQQDDAdGYWtlIENBMB4XDTE4MDgyOTIxMjIyOVoXDTIzMDgyODIxMjIy
+OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEzARBgNVBAoM
+Ckdvb2dsZSBMTEMxEDAOBgNVBAMMB0Zha2UgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC52bjEZwQIt5pIZY712P6nbQOoRGKmalU6SksHjhVx8x93
+58Fjs+z1S1xm+HwU8LDj82wapj2/GZbLgk6wiYeSF17a4cKbdOfZUqQiQpQfciAB
+S3sd2ZG0YghR/VdTHa3mH56lX90Z/3pq0KlwIDk1U/PpKYaWwC1Ywpj1COEJ9Omd
+TjcoPQ1nEc1vKdlyjlAvDYqKptrK2grGykvu0Rh2ZeJ99YSSYknh6zx6U3FWtKlm
+PgMjSWO2gtpbMLPI3Uehde0b3Bq8JntjPvbh8gLoGaOEsvvDgTfFRpRkNqMAjLVf
+z/zol9CpBdggg4Fyj9J0CGjM9f1ZBhXLmtoxkAQjAgMBAAGjUzBRMB0GA1UdDgQW
+BBSiY4BoP6E4Rx6tSi0iXDHU5D3vlTAfBgNVHSMEGDAWgBSiY4BoP6E4Rx6tSi0i
+XDHU5D3vlTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCG9ARQ
+S1tOW0PVuJ5H4WU0hRmDn5oUkEu9DzD1WoGGTN6CCM0AfLBo0ARwqntvSNtERIA6
+BfVSaeqO6WNrvGDLwi+YcUlTxyGLsGlDz/xeQ7WIVGlbhyTJYH5B1yliRyZN4M2E
+hIqWqBMSvtqCnMMJEr/0BsigDIEiEUXwsc6tC77HudXxV0AVs4MLBz3iowkeZMB6
+qZAVRKCmVptIsPyP+eO3vIIWi0y7eQx/8WOpW52CYj9MhhDa9/IcJLIRQIOe7fRn
+1tL/h+aRMq7ywOrwbO/s2HQ7kG/jFIRj0QMxeCExTzPhND22EVvVisfocXS91QuL
+PjZuIWmKwDo/Vvau
+-----END CERTIFICATE-----