open-eid
diff --git a/‎.gitignore‎
Lines changed: 0 additions & 3 deletions b/‎.gitignore‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎.gitlab-ci.yml‎
Lines changed: 65 additions & 0 deletions b/‎.gitlab-ci.yml‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 63 additions & 9 deletions b/‎README.md‎
Lines changed: 63 additions & 9 deletions
diff --git a/‎cdoc2-cli/README.md‎
Lines changed: 78 additions & 2 deletions b/‎cdoc2-cli/README.md‎
Lines changed: 78 additions & 2 deletions
diff --git a/‎cdoc2-cli/config/localhost/key-shares.properties‎
Lines changed: 8 additions & 0 deletions b/‎cdoc2-cli/config/localhost/key-shares.properties‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎cdoc2-cli/config/localhost/localhost.properties‎
Lines changed: 3 additions & 3 deletions b/‎cdoc2-cli/config/localhost/localhost.properties‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎cdoc2-cli/config/mobile-id/RIA_ROOT_CA_2018.pem‎
Lines changed: 34 additions & 0 deletions b/‎cdoc2-cli/config/mobile-id/RIA_ROOT_CA_2018.pem‎
Lines changed: 34 additions & 0 deletions
@@ -30,6 +30,3 @@ hs_err_pid*
 
 /doc/
 /test/testvectors/zipbomb.cdoc
-
-/test/bats/keys
-/test/bats/config
@@ -1,3 +1,7 @@
+variables:
+  DOCKER_TLS_CERTDIR: ""
+  DOCKER_HOST: "tcp://docker:2375"
+
 stages:
   - test
   - coverage
@@ -6,6 +10,11 @@ stages:
 test:
   stage: test
   image: maven:3.8.8-eclipse-temurin-17
+#  services:
+#    - name: docker:25.0.3-dind
+#      alias: docker
+#  tags:
+#    - dind
   script:
     - mvn clean verify -s $MAVEN_SETTINGS -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository
     - shopt -s globstar
@@ -14,6 +23,10 @@ test:
     - source install_bats.sh
     - source variables.sh 
     - $BATS_HOME/bats-core/bin/bats --gather-test-outputs-in target/reports -x --report-formatter junit --output target/ cdoc2_tests.bats
+# following will fail because docker-compose-plugin is not available from Jammy repository
+#    - apt-get update && apt-get install -y docker.io docker-compose-plugin
+#    - source ../config/shares-server/export-env.sh ../config/shares-server/.env.cyber
+#    - bash run-shares-server-bats-tests.sh
     - 'for file in target/reports/*; do echo "## $file ##" >> target/bats-test.log; cat "$file" >> target/bats-test.log; done'
   coverage: /Total \d+\.\d+ %/
   artifacts:
@@ -36,6 +49,58 @@ test:
     paths:
       - .m2/repository
 
+test_with_servers:
+  # this will fail as docker image is based on alpine linux and flatc installation fails
+  # use build from previous stage?
+  stage: test
+  image: docker:25.0.3
+  services:
+    - name: docker:25.0.3-dind
+      alias: docker
+  tags:
+    - dind
+  before_script:
+    # Install Java
+    - apk add --no-cache openjdk17
+    # Install Maven
+    - apk add --no-cache maven
+    # Verify installations
+    - java -version
+    - mvn -version
+    - docker compose version
+  script:
+    - mvn clean verify -s $MAVEN_SETTINGS -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository
+    - shopt -s globstar
+    - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print "Total", 100*covered/instructions, "% covered" }' /builds/**/target/site/jacoco/jacoco.csv
+    - cd test/bats
+    - source install_bats.sh
+    - source variables.sh
+    - source ../config/shares-server/export-env.sh ../config/shares-server/.env.cyber
+    - BATS_OPTS="--gather-test-outputs-in target/reports -x --report-formatter junit --output target/" bash run-shares-server-bats-tests.sh
+    - 'for file in target/reports/*; do echo "## $file ##" >> target/bats-test.log; cat "$file" >> target/bats-test.log; done'
+  coverage: /Total \d+\.\d+ %/
+  artifacts:
+    when: always
+    reports:
+      junit:
+        - "**/target/surefire-reports/*.xml"
+        - "**/target/report.xml"
+    paths:
+      - "**/target/site/jacoco"
+      - "**/target/bats-test.log"
+  rules:
+# disabled for now
+#    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+#      when: on_success
+#    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+#      when: on_success
+    - when: never
+  cache:
+    key: "$CI_COMMIT_REF_NAME"
+    paths:
+      - .m2/repository
+
+
 coverage:
   stage: coverage
   image: mcr.microsoft.com/dotnet/sdk:8.0
 
@@ -139,23 +139,76 @@ Similar to Symmetric Key scenario, but symmetric key is derived from password an
 cdoc2-java-ref-impl does not provide solution for securely storing the password, but most password managers
 can do that.
 
+### CDOC2 with symmetric key from/to N-of-N shares (Smart-ID/Mobile-ID)
+
+1. Sender knows recipient id-code and assumes that recipient might have Smart-ID or Mobile-ID account.   
+   _Note:_ No way to check if recipient has existing Smart-ID or Mobile-ID account.
+2. Sender [generates file master key (FMK)](https://github.com/open-eid/cdoc2-java-ref-impl/blob/main/cdoc20-lib/src/main/java/ee/cyber/cdoc20/crypto/Crypto.java#L94)
+   (FMK) using HKDF extract algorithm `HKDF_Extract(Static_FMK_Salt, CSRNG())`.
+3. Sender [generates encryption key (KEK)] using HKDF `HKDF_Expand(KEK_i_pm, "CDOC2kek" + FMKEncryptionMethod.XOR + RecipientInfo_i, 32)`, 
+   where `KEK_i_pm = HKDF_Extract(CSRNG(256), CSRNG(256))` and `RecipientInfo_i` is a recipient 
+   identifier `etsi/PNOEE-48010010101`.
+4. Sender splits `KEK` into `N` shares. `N` equals to configured servers quantity in CDOC2 
+   client configuration.
+   ```java
+      public static List<byte[]> splitKek(byte[] kek, int numOfShares) {
+        ArrayList<byte[]> shares = new ArrayList<>(numOfShares);
+        shares.add(kek);
+
+        for (int i=1; i < numOfShares; i++) {
+            byte[] share = new byte[kek.length];
+            sRnd.nextBytes(share);
+            shares.add(share);
+            shares.set(0, xor(shares.get(0), share));
+        }
+        return shares;
+    }
+   ```
+5. Sender uploads each `share` and recipient `etsi_identifier` to each CDOC2 shares server
+   (each CDOC2 server will receive a different share). CDOC2 servers are configured in client configuration.
+   Sender gets `shareID` for each share. [^1] FBS and OAS
+6. Sender [derives content encryption key](https://github.com/open-eid/cdoc2-java-ref-impl/blob/4fa3028298e7f1ea5414e3215dbfd8b0e9b49409/cdoc20-lib/src/main/java/ee/cyber/cdoc20/crypto/Crypto.java#L100) (CEK) `HKDF_Expand(FMK,"CDOC20cek")`and hmac key 
+   (HHK) `HKDF_Expand(FMK,"CDOC20hmac")` from FMK using HKDF expand algorithm.
+7. Sender encrypts FMK with KEK (xor) and gets `encrypted_FMK`
+8. Sender adds `encrypted FMK`  and [KeySharesCapsule](https://github.com/open-eid/cdoc2-java-ref-impl/blob/a2dbe6711d88d2442e23d4ca80494f285f4d00cd/cdoc2-schema/src/main/fbs/recipients.fbs#L92) 
+   containing recipient_id `etsi_identifier` with list of `server:shareId` into CDOC2 header. 
+9. Sender calculates header hmac using hmac key (HHK) and adds calculated hmac to CDOC2
+10. Sender encrypts content with CEK (ChaCha20-Poly1305 with AAD)
+11. Sender sends CDOC2 document to Recipient
+12. Recipient will choose Smart-ID or Mobile-ID decryption method (depending on what auth means he owns) and 
+    enters/chooses his/her identity code.  
+    For Mobile-ID, user needs to enter mobile phone number additionally to identity code.
+13. Recipient finds `KeySharesCapsule` record from CDOC2 header where `recipient_id` matches 
+    recipients entered identity code.   
+14. Recipient [prepares](https://open-eid.github.io/CDOC2/2.0-Draft/03_system_architecture/ch05_ID_authentication_protocol/#overview-of-the-generic-authentication-protocol) 
+    auth token by creating `nonce` for each share in [shares](https://github.com/open-eid/cdoc2-java-ref-impl/blob/a2dbe6711d88d2442e23d4ca80494f285f4d00cd/cdoc2-schema/src/main/fbs/recipients.fbs#L93). 
+    `nonce` is created by using [`/key-shares/{shareId}/nonce`](https://github.com/open-eid/cdoc2-openapi/blob/55a0b02adae0d8c61f2589a47555a93e4cf31971/cdoc2-key-shares-openapi.yaml#L105)
+    endpoint in each `cdoc2-shares-server`.
+15. Recipient finishes creation of auth token by signing it with supported auth means (currently Smart-ID/Mobile-ID authentication certificate).
+16. Recipient downloads all `share` objects by presenting [auth token](https://github.com/open-eid/cdoc2-auth?tab=readme-ov-file#cdoc2auth-tokenv1-examples) 
+    and certificate using '/key-shares/{shareId}' [endpoint](https://github.com/open-eid/cdoc2-openapi/blob/55a0b02adae0d8c61f2589a47555a93e4cf31971/cdoc2-key-shares-openapi.yaml#L32).
+17. Recipient [combines](https://github.com/open-eid/cdoc2-java-ref-impl/blob/a2dbe6711d88d2442e23d4ca80494f285f4d00cd/cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/Crypto.java#L376) 
+    downloaded `share` [objects](https://github.com/open-eid/cdoc2-openapi/blob/55a0b02adae0d8c61f2589a47555a93e4cf31971/cdoc2-key-shares-openapi.yaml#L144) into `KEK`
+18. *Follow steps from ECDH scenario 13-15*
 
 
 ## Structure
-[![CDOC2 Dependencies](./cdoc2-docs/arch/images/cdoc2-deps.png)](https://viewer.diagrams.net/?tags=%7B%7D&highlight=0000ff&edit=_blank&layers=1&nav=1&title=CDOC2%20deps#R3VjbcpswEP0aPybDpWDnMb4knY7bycQzbZ03BTagVCAiCxvn6yuZxYjBdpOpEzx%2Bsvbs6sI5q11wzx0lxa0gWfydh8B6jhUWPXfccxzb8x31o5F1iQz8fglEgoYYVAMz%2BgoIWojmNIRFI1ByziTNmmDA0xQC2cCIEHzVDHvirLlrRiLc0aqBWUAYtMJ%2B0VDGiNqWEf4VaBTj1gMPHQmpghFYxCTkKwNyJz13JDiX5SgpRsA0eRUv5bybPd7twQSk8i0TnucvM7h6%2BnMzvh4%2B59l1dHPPLmwfDyfX1RNDqAhAkwsZ84inhE1qdCh4noagl7WUVcdMOc8UaCvwGaRco5okl1xBsUwYeqGg8rcxnuulLj20xgWuvDHWaKTcOMJmZnlyfdy9jCC04LkIMOoh96h1%2B230egdT9%2BVe%2Fnj8mV9gkkoiIpAH4rytbirhgScgxVrNE8CIpMvmOQhmXrSNq8VRA9TnPVoNutTKuvSvDLnsg2IpAcS6nNX3KntuOut5G2u%2FynrdOxBUcQgCoz5W%2BZ3k%2B5%2Bk%2FKFDLgnLcSdGH1vJoApMpocJD%2FON9oTRKFUAgyf1aMNFRgKaRtONNXYsIyJQvGl2h0sQkqrqd40OqbNkuIqphJmarpdfqULfTJG97OvVoDCgNoGVt4%2FPiG3CxaK5MmpuVXJjo9xW1fbolLstynuOzzSNIV2qYaSHPIOUZLTyqI0M51nrsyW%2BM4G8lkCLIIaEnBXtbofXYncP%2BtJFDzpW79%2F5SO4be7%2FTZe9vl6OA0VNL9VZe7xBkf6pb%2F8r0q09N9P5pJLrxJuW8603qiDfEe%2BMNcbu8ITv6AQiVkWd1SZzmJbH9rvuBv6su6Yc5K9b7p0a77XZRnYxa5P%2FvV532H%2Bez7lBennbJsr2OVWyIaL9bxA5azAe9hCmz%2FiNu4zP%2BznQnfwE%3D)
+[![CDOC2 Dependencies](./cdoc2-docs/img/deps.drawio.png)](https://viewer.diagrams.net/?tags=%7B%7D&lightbox=1&highlight=0000ff&edit=_blank&layers=1&nav=1#R%3Cmxfile%3E%3Cdiagram%20id%3D%22cR2MIER7KRh0lRtEKnlR%22%20name%3D%22Page-1%22%3E3VjbcpswEP0aP9rDJRD86EucTifteOKZtOmbAjIoEYgIYZt8fSUjgriY0DQNHT9ZOtpdSWcvWjMyF%2BHhmoI4%2BEY8iEeG5h1G5nJkGLplG%2FxHIFmOOLaTAz5FnhQqgQ16gRLUJJoiDyYVQUYIZiiugi6JIuiyCgYoJfuq2Jbg6q4x8OWOWglsXIBhQ%2BwH8lggUV1TxL9A5Adya8eSCyEohCWQBMAjewUyr0bmghLC8lF4WEAsyCt4yfVWJ1ZfD0ZhxPooPN4%2Fb%2BB0%2B7RazuaPaTzzV7d4rNvycCwrbgw9ToCcEsoC4pMI4KsSnVOSRh4UZjU%2BK2VuCIk5qHPwETKWSW%2BClBEOBSzEchUeEPupjO%2BFqYklZ8uDtHycZHISEeUIR80mAZKThKTUlbf5lVpIu%2F66eFnDG%2FP5ln1%2FuEvHMiYZoD5kHXJWLicYUTaQ9F5DEkJGMy5AIQYM7aohA2Tk%2Ba9ypXP4QPrnT3zlDOkrbWJPFXfpnc7iHqGZqiXmQm2sTTSnAErd4%2By0p4XtNaSI8wipqlMHPzQkWp1gDxUSXafeAZzKnTB6aEQJrzyxGIbES49BATDyIw5guOV3nScxcFHk3xxnS0NTJFxOpGB3voOUIV4WZ3KBifCZ7wPE4IarC%2FN7%2FgJUY%2BekO4Q1eOgksFi9lHeU74cpq%2BleKcZFLQ6UOlyU4Q%2Bn3GxQPjJsLGj00I4PfTEkMYxAjIoVvpGyeNb%2BMbShHWQ1HJS4AQzBWdFuXmiDpUX743QxxOP0zqag9QZmz6bA%2BK%2BagmY5cjE6r1B%2FM9Knnxnodhvh4nbnxHm9quvG4PXFHKK%2BqH2spfaxZdfau4dt61eV5vpSba4n2kV3f93SEL%2B%2F8tk9K5%2F50ZVPqq4JEvlTBF894%2FVpLajyC0mtWly9HqNXqG3Q3Rbs3ZWz1FY0A8H64ellXGRLmeE8MIKzyu96%2B6Drn5jfraS3tdX1fI%2B8mfiiIwjEIEmQW%2BWlmu1t3xj6%2Fmk9nel6M9X%2F%2FR%2FRrih9MxkVj1odDv3bnDVqr7TTL2ebhi5rhsyaoZyYdyQ%2Fn5Yf23Lx8pOlefUb%3C%2Fdiagram%3E%3C%2Fmxfile%3E)
 
 - cdoc2-schema      - flatbuffers schemas and code generation
 - cdoc2-lib         - CDOC2 creation and processing library
-- cdoc2-client      - client for communicating with [cdoc2-capsule-server](https://github.com/open-eid/cdoc2-capsule-server)
+- cdoc2-client      - Code generation for `cdoc2-capsule-server` and `cdoc2-shares-server` clients
 - cdoc2-cli         - Command line utility to create/process CDOC2 files
 - test              - Sample CDOC2 containers (with script to create and decrypt them) 
-                      and automated tests for CLI
-- cdoc2-example-app - Example, how to use cdoc2-java-ref-impl and cdoc4j together
+                      and automated end-to-end (bats) tests for CLI 
+- cdoc2-example-app - Example, how to use `cdoc2-java-ref-impl` and `cdoc4j` together
 
 Other CDOC2 repositories:
 - https://github.com/open-eid/cdoc2-openapi CDOC2 OpenAPI specifications
-- https://github.com/open-eid/cdoc2-capsule-server CDOC2 Capsule Server
-- https://github.com/open-eid/cdoc2-gatling-tests Gatling tests for CDOC2 Capsule Server
+- https://github.com/open-eid/cdoc2-capsule-server CDOC2 Capsule Server (server scenarios with id-card)
+- https://github.com/open-eid/cdoc2-shares-server CDOC2 Shares Server (encryption/decryption Smart-ID/Mobile-ID scenarios)
+- https://github.com/open-eid/cdoc2-auth CDOC2 auth token implementation (used for Smart-ID/Mobile-ID scenarios)
+- https://github.com/open-eid/cdoc2-gatling-tests Gatling tests for CDOC2 Capsule Server and CDOC2 Shares Server
 
 ## Using
 
@@ -168,12 +221,13 @@ Refer [cdoc2-lib/README.md](cdoc2-lib/README.md) and see [cdoc2-example-app](cdo
 ## Maven dependencies
 
 Depends on:
-https://github.com/open-eid/cdoc2-openapi OpenAPI specifications for client stub generation
+- https://github.com/open-eid/cdoc2-openapi OpenAPI specifications for client stub generation
+- https://github.com/open-eid/cdoc2-auth CDOC2 auth token used by Smart-ID/Mobile-ID scenario
 
 Configure github package repo access
 https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-with-a-personal-access-token
 
-Add repository url to `<profile>` section of your PC local file `.m2/settings.xml` for using cdoc2 
+Add repository url to `<profile>` section of your PC local file `~/.m2/settings.xml` for using cdoc2 
 dependencies:
 ```xml
   <profile>
@@ -257,7 +311,7 @@ mvn test -Dtests=pkcs11 -Dcdoc2.pkcs11.conf-file=src/test/resources/pkcs11-test-
 
 By default, the pkcs11 configuration is read from the file `pkcs11-test-idcard.properties`.
 
-### Bats tests
+### Bats tests (end to end)
 
 Additional tests using [Bats](https://github.com/bats-core/bats-core) and `cdoc2-cli`. 
 Refer [test/README.md](test/README.md)
 
@@ -119,6 +119,50 @@ java -jar target/cdoc2-cli-*.jar decrypt --secret "label_b64secret:base64,aejUgx
 Key and label can be safely stored in a password manager.
 
 
+### Encryption with Smart ID
+
+```
+java -jar target/cdoc2-cli-*.jar create --smart-id=38001085718 -f /tmp/smartid.cdoc README.md
+```
+
+Multiple ID codes are allowed to be sent for encryption:
+
+```
+java -jar target/cdoc2-cli-*.jar create -sid=38001085718 -sid=47101010033 -f /tmp/smartid.cdoc README.md
+```
+
+Key shares or Smart-ID properties can be sent externally by adding following options (the same 
+for decryption):
+
+`-Dkey-shares.properties=config/localhost/key-shares.properties`
+
+and/or
+
+`-Dsmart-id.properties=config/smart-id/smart-id.properties`
+
+
+### Encryption with Mobile ID
+
+```
+java -jar target/cdoc2-cli-*.jar create --mobile-id=51307149560 -f /tmp/mobileid.cdoc README.md
+```
+
+Multiple ID codes are allowed to be sent for encryption:
+
+```
+java -jar target/cdoc2-cli-*.jar create -mid=51307149560 -mid=60001017869 -f /tmp/mobileid.cdoc README.md
+```
+
+Key shares or Mobile-ID properties can be sent externally by adding following options (the same
+for decryption):
+
+`-Dkey-shares.properties=config/localhost/key-shares.properties`
+
+and/or
+
+`-Dmobile-id.properties=config/mobile-id/mobile-id.properties`
+
+
 ### Decryption
 To decrypt:
 - CDOC2 file `/tmp/mydoc.cdoc`
@@ -129,6 +173,18 @@ To decrypt:
 java -jar target/cdoc2-cli-*.jar decrypt --file /tmp/mydoc.cdoc -k keys/bob.pem --output /tmp
 ```
 
+or with Smart-ID:
+
+```
+java -jar target/cdoc2-cli-*.jar decrypt -sid=38001085718 -f /tmp/smartid.cdoc --output /tmp
+```
+
+or with Mobile-ID:
+
+```
+java -jar target/cdoc2-cli-*.jar decrypt -mid=51307149560  -mid-phone=+37269930366 -f /tmp/mobileid.cdoc --output /tmp
+```
+
 ### Decrypting with server scenario
 Server must be running, see cdoc2-capsule-server/README.md for starting the server
 
@@ -205,8 +261,8 @@ java -jar target/cdoc2-cli-*.jar info -f /tmp/id.cdoc
 
 ### Encrypting for ID-card owner
 
-cdoc2-cli can download authentication certificate (Isikutuvastus PIN1) from SK LDAP directory 
-https://www.skidsolutions.eu/repositoorium/ldap/esteid-ldap-kataloogi-kasutamine/
+cdoc2-cli can download authentication certificate (Isikutuvastus PIN1) from SK LDAP directory
+https://github.com/SK-EID/LDAP/wiki/Knowledge-Base
 
 To create cdoc for recipient with id code 37101010021 use:
 ```
@@ -368,3 +424,23 @@ default true
 
 Key label `<data>` field contains different parameters. File name is one of them. For security 
 purpose it can be hidden in configuration. File name is added by default.
+
+#### ee.cyber.key-shares.properties
+CLI option which indicates the path to key capsule client key-shares properties file.
+- ##### ee.cyber.key-shares.urls
+  Key shares servers URL-s, separated by comma `","`
+- ##### ee.cyber.key-shares.min_num
+  Minimum quantity of key shares servers
+- ##### ee.cyber.key-shares.algorithm
+  Key shares algorithm
+
+#### ee.cyber.smart-id.properties
+CLI option which indicates the path to smart-id properties file.
+- ##### ee.cyber.smartid.client.hostUrl
+  Smart ID client host URL
+- ##### ee.cyber.smartid.client.relyingPartyUuid
+  Smart ID client relying party UUID
+- ##### ee.cyber.smartid.client.relyingPartyName
+  Smart ID client relying party name
+- ##### ee.cyber.smartid.client.ssl.trust-store-password
+  Smart ID client SSL trust store password
@@ -0,0 +1,8 @@
+key-shares.servers.urls=https://localhost:8442, https://localhost:8443
+key-shares.servers.min_num=2
+key-shares.algorithm=n-of-n
+
+# trusted certificates by client
+cdoc2.key-shares.client.ssl.trust-store=config/localhost/clienttruststore.jks
+cdoc2.key-shares.client.ssl.trust-store.type=JKS
+cdoc2.key-shares.client.ssl.trust-store-password=passwd
@@ -14,9 +14,9 @@ cdoc2.client.server.read-timeout=5000
 
 # trusted certificates by client
 cdoc2.client.ssl.trust-store.type=JKS
-#specify trust store jks as file in classpath
-#cdoc2.client.ssl.trust-store=classpath:keystore/clienttruststore.jks
-#or path (full or relative)
+# specify trust store jks as file in classpath
+# cdoc2.client.ssl.trust-store=classpath:keystore/clienttruststore.jks
+# or path (full or relative)
 cdoc2.client.ssl.trust-store=config/localhost/clienttruststore.jks
 cdoc2.client.ssl.trust-store-password=passwd
 
 
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF5zCCA8+gAwIBAgIIciltck00n8UwDQYJKoZIhvcNAQEMBQAwbTELMAkGA1UE
+BhMCRUUxJTAjBgNVBAoMHEluZm9ybWF0aW9uIFN5c3RlbSBBdXRob3JpdHkxHDAa
+BgNVBAMME1JJQSBST09UIENBIDIwMTggRzExGTAXBgkqhkiG9w0BCQEWCnBraUBy
+aWEuZWUwHhcNMTgwMzE1MTExMjExWhcNMzgwMTE5MTExMjExWjBtMQswCQYDVQQG
+EwJFRTElMCMGA1UECgwcSW5mb3JtYXRpb24gU3lzdGVtIEF1dGhvcml0eTEcMBoG
+A1UEAwwTUklBIFJPT1QgQ0EgMjAxOCBHMTEZMBcGCSqGSIb3DQEJARYKcGtpQHJp
+YS5lZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbR/9a97hZszVcL
++J2bvORbTRximHdwMz/UdmaXCJvUwCirfwmt8wXqNTkU93XYheoOs85NaznCDXnj
+kpfZKNsQiA2/GhXoOgWk4pTpgGXyfWGyPQdkvadLyqanWaxHFayYdluNjU0KUX4E
+E2w9cBC56d4H/OhMcc7f6I6gipY9G+BH3Tp1pA0TmB/Cmbw2IgE8l4N+SVZme7TQ
++CrouHs6stR1JlpRHFxpO0qJDcPr/oA1aGAEEMfNVttR4/bg5MERSxNblm8yDoih
+buLOz8VuxXcATURV9qt22Ny85BGQRR7tsqyPU3oezfmGFYGd3YCjjHs6E6rc2C7D
+X6ooS1MuJkm34LOd3hiFK0+d8vmOFNCj53j6MAffqtLHrYfTKPDSgzbdmvYG+AYi
+G8norpQ5hRM4xAMQM7JaCdyNpFfZK6DhuMqSYY50lwHkv4/MUWl35r4s9g653Yqc
+T2+hLxbyAqYk1oq33ZdzvMehaUaRKViwfjE2G8OGl0J77bxkGRofxkuBN/02vzKR
+eRzMoAgx/PB78kC8G7oLctKU6GcYKABCXPWmM9185rJQYy6friCQs9ocmxTVT7Ly
+tpGn/DTtECJCEjpy3SZ1ZaYpExw0E2aPkQvqHoKUJoc6m1E2tmTG7te08XUlPyN8
+xu8YBDeT6CWsY1vc2FxUOETlqgg9AgMBAAGjgYowgYcwDwYDVR0TAQH/BAUwAwEB
+/zBFBgNVHSUEPjA8BggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEF
+BQcDCQYIKwYBBQUHAwEGCCsGAQUFBwMIMB0GA1UdDgQWBBRypgFOU6MkMj9DBZoW
+VPhqA2uenzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEMBQADggIBAHYKaXi9
++D+sUJRZ8tLESVrVtU80hMjNLfb4hyGcoU3NlC319Oo3j6fQ6no31P7RGPgoTV6C
+3Gr99RTwf6D6NucB4BVcpvanPKfBEwrKCyq1CDaRnxG2RF2rte1m4tXwvk2ggt12
+TtC5yknPQATel5nkqB6bhPovmFO9cfYVDIKY61B+DSglXFQ1wuKJL2e3KAW1HhiC
+4ktQCMSTDjWQcrVfsqAaYwjGfRZcYig3sIGuq4jRDNvT2AuaBs2siOr9zO3LOeiP
+JmmrS24IgY8zTfF1jLpRC8Trnx3cL3yYTHeYOSaYTmEcO277GWQFnRiXbroASX38
+ABEWVBe9lO9A98ZSKmrmPnSWLzK0fK4sDkFP13YQdcDjNcceugOp6in8XO0wf2mg
+vPtGtEk82pGTrwGMjNkrUTYTD82I/8Tdrt7TRgxkgp5ju73hf3G2H3QzGS2gfY0q
+h5wmbriFo2KvR8fp4Vmb9BLlpV2VEaU5LAQNCl4PPKULlBkbVR9qGAKYgfGekBha
+wfuHHGYx7pdrJTp59xN5aQ04Fd2C+ZNN8AkYBwXLz4aAfqyeUiB3HbK7L6yY4crz
+uIGjdko9pKSSH69sqlUUj8PDrT9Hv92PWO3276ceLGPb9x1gQiaLvNgkXd0pXQPP
+NUjXTJ+xYtwhEb95mb35idSv+ZLqTGU71rCV
+-----END CERTIFICATE-----