refactor of SMIME aia contains #777

Merged
merged 28 commits into from
Dec 12, 2023
6c23670
lint about the encoding of qcstatements for PSD2
Feb 4, 2020
4666bb7
Revert "lint about the encoding of qcstatements for PSD2"
Feb 4, 2020
01996c6
Merge https://github.com/zmap/zlint
Aug 26, 2020
28481cc
Merge https://github.com/zmap/zlint
Sep 1, 2021
749d896
Merge https://github.com/zmap/zlint
Oct 21, 2021
e56e2a0
util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC
web-flow Oct 21, 2021
8600050
Merge pull request #1 from mtgag/zlint-gtld-update
mtgag Oct 21, 2021
30b096e
Merge https://github.com/zmap/zlint
mtgag Apr 19, 2023
92e659c
always check and perform the operation in the execution
mtgag Apr 27, 2023
351a379
Merge branch 'master' into master
christopher-henderson May 14, 2023
b52111b
Merge https://github.com/zmap/zlint
mtgag May 16, 2023
526f9be
Merge https://github.com/zmap/zlint
mtgag Jun 9, 2023
92902fc
Merge https://github.com/zmap/zlint
mtgag Jul 1, 2023
1652cfa
synchronised with project
mtgag Jul 5, 2023
d4f2f9f
synchronised with project
mtgag Aug 30, 2023
88c933e
Merge https://github.com/zmap/zlint
mtgag Aug 30, 2023
cee805f
Merge https://github.com/zmap/zlint
mtgag Dec 3, 2023
87ee071
changed date, added check for existent extension
mtgag Dec 6, 2023
f1dea7f
updates in config after tests
mtgag Dec 6, 2023
530737b
removed accidentally committed file
mtgag Dec 6, 2023
a1eee50
removed internal names part, kept only has http only
mtgag Dec 9, 2023
2a6b887
changes addressing discussion in PR. Internal names are checked, IP a…
mtgag Dec 10, 2023
313bed4
the check for HTTP scheme is not needed here. This is covered by the …
mtgag Dec 10, 2023
cb0e939
Merge branch 'zmap:master' into smime_aia_contains_refactor
mtgag Dec 10, 2023
8a5d97c
fixed test
mtgag Dec 10, 2023
447c0a0
Merge branch 'smime_aia_contains_refactor' of https://github.com/mtga…
mtgag Dec 10, 2023
29eaf04
renamed file
mtgag Dec 11, 2023
a5711df
one lint for internal names in AIA covers all S/MIME generations, leg…
mtgag Dec 12, 2023
changed date, added check for existent extension
mtgag committed Dec 6, 2023
commit 87ee071d19f6f4e8b62033e440d28766a205bbde
@@ -41,10 +41,10 @@ func init() {
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "w_smime_strict_aia_contains_internal_names",
Description: "SMIME Strict certificates authorityInformationAccess When provided, every accessMethod SHALL have the URI scheme HTTP. Other schemes SHALL NOT be present.",
Description: "SMIME Strict certificates authorityInformationAccess. When provided, every accessMethod SHALL have the URI scheme HTTP. Other schemes SHALL NOT be present.",
Citation: "BRs: 7.1.2.3c",
Source: lint.CABFSMIMEBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
},
Lint: NewSMIMEStrictAIAInternalName,
})
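Review bot: the Description in this LintMetadata block only states the scheme rule ("every accessMethod SHALL have the URI scheme HTTP"), while the Name is w_smime_strict_aia_contains_internal_names, so the lint output does not tell an operator that an internal name is what was flagged. Reword the Description to state the internal-name condition, or rename the lint if the scheme rule is what it enforces. The SHALL / SHALL NOT wording also sits oddly with a w_ (warning) prefix, so the intended severity is worth stating. Since Source is lint.CABFSMIMEBaselineRequirements, the Citation "BRs: 7.1.2.3c" would read more clearly if it named the S/MIME BRs explicitly.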
@@ -55,7 +55,7 @@ func NewSMIMEStrictAIAInternalName() lint.LintInterface {
}

func (l *smimeStrictAIAContainsInternalNames) CheckApplies(c *x509.Certificate) bool {
return util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)
return util.IsExtInCert(c, util.AiaOID) && (util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c))
}

func (l *smimeStrictAIAContainsInternalNames) Execute(c *x509.Certificate) *lint.LintResult {
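Review bot: the names around CheckApplies say Strict (smimeStrictAIAContainsInternalNames, NewSMIMEStrictAIAInternalName), yet the condition also accepts util.IsMultipurposeSMIMECertificate(c), so the scope of the lint is wider than its name. Either drop "Strict" from the identifiers or add a comment on CheckApplies explaining why multipurpose certificates are covered here. The new util.IsExtInCert(c, util.AiaOID) guard changes the result for certificates without the extension, and a test case with a strict certificate lacking AIA that expects lint.NA would pin that behaviour down.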
@@ -21,7 +21,12 @@ func TestSMIMEStrictAIAInternalName(t *testing.T) {
{
Name: "warn - aia with internal names",
InputFilename: "smime/aiaWithInternalNamesStrict.pem",
ExpectedResult: lint.Warn,
ExpectedResult: lint.NE,
},
{
Name: "warn - aia with internal names",
InputFilename: "smime/aiaWithLDAPOCSPStrict.pem",
ExpectedResult: lint.Error,
},
}
for _, tc := range testCases {
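Review bot: changing the first case's ExpectedResult from lint.Warn to lint.NE means smime/aiaWithInternalNamesStrict.pem is no longer evaluated by the lint after the EffectiveDate change, so this hunk leaves the internal-names path without a positive test. Regenerate that fixture with a notBefore on or after util.CABF_SMIME_BRs_1_0_0_Date and assert the real finding, keeping a separate NE case if one is wanted. Both cases are also named "warn - aia with internal names" although they expect lint.NE and lint.Error, and the second one uses smime/aiaWithLDAPOCSPStrict.pem; give each a name that matches its fixture and expectation so a failure can be identified from the test output. An expected lint.Error from a lint whose name starts with w_ also deserves a second look.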
92 changes: 92 additions & 0 deletions v3/testdata/smime/aiaWithLDAPOCSPStrict.pem
@@ -0,0 +1,92 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
41:26:41:96:4b:9f:3d:d1:4f:ec:da:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Lint CA, O = Lint, C = DE
Validity
Not Before: Sep 1 00:00:00 2023 GMT
Not After : Sep 1 00:00:00 2024 GMT
Subject: CN = Certificate, O = Lint, C = DE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b4:37:8d:9d:e4:fe:2a:73:df:92:1a:37:e7:37:
41:a2:3f:fe:72:9d:de:f0:65:46:51:36:ec:f0:bd:
96:c1:ca:8e:5c:19:01:b3:f9:1d:c3:33:78:0d:06:
d8:a6:f8:b4:53:5a:fe:72:46:56:88:41:05:e6:28:
bb:9d:d2:61:f5:8d:c9:9c:7b:c2:07:31:67:0c:35:
53:e4:69:90:51:2a:85:ca:41:c1:0d:72:5c:1a:d6:
3f:0a:f4:dd:f9:0e:24:29:fa:e8:1f:c4:1b:83:41:
d2:36:d1:7f:ee:d8:e4:44:0a:66:f8:8b:8e:4b:5c:
d2:ec:f1:97:c0:2c:67:a7:b2:2c:5e:e5:5b:85:e6:
92:f4:7f:cc:51:04:73:5a:17:f6:fc:d8:ea:03:c4:
f3:0b:53:f6:73:f9:e2:4d:5a:8e:54:3c:fa:c4:40:
d3:b7:2f:ab:1c:cf:bb:06:49:56:52:0d:e8:87:8b:
c6:ad:b4:6a:f4:79:f4:c8:ac:a2:d3:cf:03:24:9e:
f2:51:e5:97:70:0e:d6:dc:94:7f:ee:f3:bd:6f:46:
3a:2b:eb:29:7b:2a:92:d1:03:7a:d9:22:cc:4d:e3:
dd:f3:d9:bb:8d:18:f2:bf:98:b0:ca:f9:39:59:e2:
71:05:ac:ea:f5:61:52:65:c9:90:a1:91:9c:45:88:
62:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:73:8F:6A:0E:B2:E5:63:CB:0E:1B:22:D6:56:40:FA:96:A6:DE:B1:2C

X509v3 Subject Key Identifier:
21:86:4F:4B:C0:DF:AE:90:1C:61:B5:7C:04:5E:05:89:2C:9C:FB:44
X509v3 Extended Key Usage:
E-mail Protection
X509v3 Subject Alternative Name: critical
email:test@example.com
Authority Information Access:
OCSP - URI:http://ocsp.example.com/ocsp
OCSP - URI:http://ocsp.example.com/ocsp
OCSP - URI:ldap://ocsp.example.com/C=DE

X509v3 Certificate Policies:
Policy: 2.23.140.1.5.1.3

Signature Algorithm: sha256WithRSAEncryption
70:8f:99:59:33:77:e3:a9:85:82:91:fe:20:58:2e:e9:47:35:
f2:78:4e:d9:80:5e:14:cd:11:8e:85:6e:ec:5f:17:de:94:51:
e3:33:89:4d:07:02:f1:af:6c:07:13:76:64:34:bb:9a:1c:d9:
f7:57:52:33:8c:59:41:7f:3e:f0:0e:a4:27:f1:0e:4a:08:3a:
23:2a:ad:34:87:65:6e:df:16:67:07:16:85:e8:54:cd:87:3c:
01:5b:ce:b6:3b:a6:da:9d:6b:7d:2e:25:7e:ed:e1:b6:9f:89:
8c:5c:c9:96:52:92:4a:88:61:52:13:6b:46:fa:27:ed:a9:a4:
ed:1f:d7:18:98:f8:0c:75:f9:10:4c:06:44:47:60:fc:f5:8a:
45:78:48:c5:5f:dc:e8:37:65:b9:64:78:45:fe:7d:6c:81:46:
cc:33:7b:1e:a6:54:f8:93:13:fe:5d:a4:94:fd:51:ce:4d:0d:
b7:ad:2c:9b:9e:d0:80:91:2a:b0:16:8e:22:67:b7:e5:ca:e7:
b8:9e:4c:35:63:20:0c:8b:f9:3e:82:0c:92:7e:74:4c:08:f4:
1d:28:58:4b:de:e8:34:dc:bb:16:15:6b:ca:8d:c0:d1:32:d3:
9e:f3:c5:6d:2c:c1:ba:90:ef:3f:54:4e:a6:af:12:b1:a1:90:
c6:02:a3:0d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
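Review bot: the Authority Information Access block of this new fixture lists "OCSP - URI:http://ocsp.example.com/ocsp" twice before the ldap:// entry, and the duplicate adds no coverage. If the intent is to show that every accessDescription is walked and not only the first, use distinct hosts as aiaWithValidNamesStrict.pem does; otherwise drop one of the two. The fixture carries an LDAP scheme violation and no internal name, so the test case that references it should say so in its Name.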
117 changes: 85 additions & 32 deletions v3/testdata/smime/aiaWithValidNamesStrict.pem
@@ -1,45 +1,98 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer:
Serial Number:
74:5a:c6:4c:d7:e3:ec:89:b3:22:ae:c9
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Lint CA, O = Lint, C = DE
Validity
Not Before: Jul 1 00:00:00 2013 GMT
Not After : Nov 30 00:00:00 9998 GMT
Subject:
Not Before: Sep 1 00:00:00 2023 GMT
Not After : Sep 1 00:00:00 2024 GMT
Subject: CN = Certificate, O = Lint, C = DE
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:5a:a5:56:3a:03:7d:75:47:a2:b8:f2:30:36:59:
c5:e4:89:34:2c:6e:c5:74:fd:2c:6d:1c:21:e7:f1:
d1:cc:04:f2:aa:88:f5:dd:52:20:57:b8:95:79:97:
51:ea:02:ea:22:f3:d9:00:17:e8:f6:05:60:e2:8e:
96:1f:b9:df:4d
ASN1 OID: prime256v1
NIST CURVE: P-256
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:96:fe:66:6f:11:72:79:1e:e2:cd:7a:8a:d4:39:
0e:0d:08:50:71:37:82:b6:39:16:9b:d7:b3:9b:46:
14:52:af:9f:09:17:67:0c:c2:d5:00:f0:aa:aa:45:
c1:97:7c:7c:aa:3e:7a:b9:47:d5:82:90:68:8b:a6:
10:e3:40:96:f8:f1:a7:98:ef:e4:d2:32:4d:47:98:
12:93:16:86:ce:3e:ed:31:39:28:91:0e:5e:6f:ec:
e1:47:7d:71:a8:a7:a9:05:21:c8:8f:e2:3f:8d:2d:
da:77:d9:f3:06:c4:71:21:fe:61:61:8d:00:0e:22:
13:34:25:3a:54:c2:17:02:ca:04:50:5a:c7:c0:d9:
41:8f:86:0d:58:fb:72:e6:3e:fc:2f:18:6f:a5:9d:
aa:a0:c2:c4:c6:c9:e5:aa:32:50:3c:14:be:d1:be:
3b:32:99:9f:5f:40:9a:0e:20:ce:15:ad:41:89:1d:
65:64:61:35:31:ab:33:63:c3:43:e2:88:f2:cd:ce:
9b:cb:93:da:9c:c4:80:f7:73:ae:5a:dd:5a:f5:e8:
3e:be:c2:07:69:20:56:b2:47:cd:0e:7e:5d:d5:b7:
1f:62:a7:e8:1e:b9:5e:c7:bc:bf:dd:f5:a7:1d:e7:
4e:30:41:16:bd:9b:1c:37:de:b6:53:e7:71:36:7e:
5e:69
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:5A:2F:23:67:76:FC:51:D5:86:5F:F1:6C:A5:65:62:FC:2C:06:24:A1

X509v3 Subject Key Identifier:
FF:87:DE:1F:7C:39:0C:F2:1B:FF:D8:27:97:79:32:08:0D:B3:AE:32
X509v3 Extended Key Usage:
E-mail Protection
X509v3 Subject Alternative Name: critical
email:test@example.com
Authority Information Access:
OCSP - URI:http://example.com
CA Issuers - URI:http://example.com
OCSP - URI:http://ocsp1.example.com/ocsp
OCSP - URI:http://ocsp2.example.com/ocsp
OCSP - URI:http://ocsp3.example.com/ocsp
CA Issuers - URI:http://issuers1.example.com/issuer
CA Issuers - URI:http://issuers2.example.com/issuer
CA Issuers - URI:http://issuers3.example.com/issuer

X509v3 Certificate Policies:
Policy: 2.23.140.1.5.1.3
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:21:00:93:d3:05:1a:7c:5c:59:fa:f7:16:99:12:3b:
a5:16:00:49:56:bd:0a:c4:8c:eb:a6:a6:d2:57:f5:96:2c:dc:
a2:02:20:52:0e:73:ef:98:16:9b:5c:04:36:04:5c:e9:cf:3c:
f3:b3:e8:b1:77:84:73:f9:d2:63:a2:8d:3a:29:d7:b4:05

Signature Algorithm: sha256WithRSAEncryption
09:1c:41:1b:15:1c:92:68:75:50:6f:ea:dc:d7:6f:1a:3d:e6:
1e:e4:72:b4:9b:10:83:c3:36:f5:e9:0d:45:6c:08:52:34:8f:
dc:b8:88:fc:5b:b9:65:f1:39:29:3e:13:0d:1d:f5:70:45:29:
e7:c1:dd:b3:e4:51:5d:95:1d:80:a7:50:a6:c5:e9:6d:a3:fd:
1a:b6:ad:7a:dd:33:a2:4c:17:bd:85:fd:ca:c8:4b:e8:e9:b6:
8b:57:cd:a1:f4:36:d3:92:75:ea:84:d5:75:d3:d0:67:84:cf:
fc:0c:7c:47:19:fa:cf:f3:6b:7d:a7:13:87:7b:c5:1a:c6:12:
5f:e6:ce:34:30:98:a3:b7:e1:ed:11:e0:ee:ff:7c:1b:be:b7:
84:7e:5c:be:f5:ea:02:dc:3d:b2:38:f7:bb:09:fc:4f:95:e5:
70:a0:41:3c:5a:95:ce:95:9f:f2:ff:7a:20:4a:91:cd:18:5e:
af:a6:bc:3c:47:06:00:9b:91:8c:f6:6f:f8:8b:69:88:40:d5:
32:80:12:f9:c6:7b:08:06:eb:6e:8e:9b:eb:99:77:a3:06:40:
00:35:da:ad:db:13:40:6d:81:33:f1:39:0b:8c:d8:d2:4b:eb:
f0:66:62:00:a8:d3:33:8b:13:ae:54:22:24:65:c5:82:3f:f3:
54:24:1b:a8
-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTEzMDcwMTAwMDAwMFoY
Dzk5OTgxMTMwMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWqVW
OgN9dUeiuPIwNlnF5Ik0LG7FdP0sbRwh5/HRzATyqoj13VIgV7iVeZdR6gLqIvPZ
ABfo9gVg4o6WH7nfTaN9MHswEwYDVR0lBAwwCgYIKwYBBQUHAwQwTgYIKwYBBQUH
AQEEQjBAMB4GCCsGAQUFBzABhhJodHRwOi8vZXhhbXBsZS5jb20wHgYIKwYBBQUH
MAKGEmh0dHA6Ly9leGFtcGxlLmNvbTAUBgNVHSAEDTALMAkGB2eBDAEFAQMwCgYI
KoZIzj0EAwIDSAAwRQIhAJPTBRp8XFn69xaZEjulFgBJVr0KxIzrpqbSV/WWLNyi
AiBSDnPvmBabXAQ2BFzpzzzzs+ixd4Rz+dJjoo06Kde0BQ==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-----END CERTIFICATE-----
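Review bot: the new Validity in this fixture starts at "Not Before: Sep 1 00:00:00 2023 GMT", a start-of-day timestamp, so whether the lint runs on it depends on that instant not falling before util.CABF_SMIME_BRs_1_0_0_Date. If the comparison ever treats it as earlier, the case silently turns into lint.NE, which is what the test hunk now expects for aiaWithInternalNamesStrict.pem. Moving notBefore a day or more later, or noting in the test that the value is deliberately on the effective date, removes that dependence. The same applies to aiaWithLDAPOCSPStrict.pem, which uses the same Validity.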