Merge pull request 'ca-certificates: get rid of expired "DST Root CA X3"' (#2) from osmith/201705 into 201705

Reviewed-on: #2
This commit is contained in:
Harald Welte 2021-11-05 11:49:47 +00:00
commit e862cd6912
11 changed files with 405 additions and 115 deletions

View File

@ -3,15 +3,15 @@ HOMEPAGE = "http://www.cacert.org/index.php?id=3"
SECTION = "misc"
LICENSE = "RDL-COD14"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
PR = "r6"
PR = "r7"
SRC_URI = "file://root.crt file://class3.crt file://DST_Root_CA_X3.pem"
SRC_URI = "file://root.crt file://class3.crt file://ISRG_Root_X1.pem"
do_install() {
install -d ${D}${libdir}/ssl/certs
install -m 0644 ${WORKDIR}/root.crt ${D}${libdir}/ssl/certs/cacert.org.pem
cat ${WORKDIR}/class3.crt >> ${D}${libdir}/ssl/certs/cacert.org.pem
install -m 0644 ${WORKDIR}/DST_Root_CA_X3.pem ${D}${libdir}/ssl/certs/
install -m 0644 ${WORKDIR}/ISRG_Root_X1.pem ${D}${libdir}/ssl/certs/
# Create hash symlinks
cd ${D}${libdir}/ssl/certs
@ -19,7 +19,7 @@ do_install() {
ln -s cacert.org.pem 5ed36f99.0
ln -s cacert.org.pem 99d0fa06.0
ln -s DST_Root_CA_X3.pem 2e5ac55d.0
ln -s ISRG_Root_X1.pem 4042bcee.0
}
FILES_${PN} = "${libdir}/ssl/certs/*"

View File

@ -0,0 +1,80 @@
From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex@linutronix.de>
Date: Mon, 18 Oct 2021 12:05:49 +0200
Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
certificates."
This avoids a dependency on python3-cryptography, and only checks
for expired certs (which is upstream concern, but not ours).
Upstream-Status: Inappropriate [oe-core specific]
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
---
debian/changelog | 1 -
debian/control | 2 +-
mozilla/certdata2pem.py | 11 -----------
3 files changed, 1 insertion(+), 13 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 531e4d0..4006509 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
- "Trustis FPS Root CA"
- "Staat der Nederlanden Root CA - G3"
* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
- * mozilla/certdata2pem.py: print a warning for expired certificates.
-- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
diff --git a/debian/control b/debian/control
index 4434b7a..5c6ba24 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: misc
Priority: optional
Maintainer: Julien Cristau <jcristau@debian.org>
Build-Depends: debhelper-compat (= 13), po-debconf
-Build-Depends-Indep: python3, openssl, python3-cryptography
+Build-Depends-Indep: python3, openssl
Standards-Version: 4.5.0.2
Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index ede23d4..7d796f1 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,16 +21,12 @@
# USA.
import base64
-import datetime
import os.path
import re
import sys
import textwrap
import io
-from cryptography import x509
-
-
objects = []
# Dirty file parser.
@@ -121,13 +117,6 @@ for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
-
- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
- if cert.not_valid_after < datetime.datetime.now():
- print('!'*74)
- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
- print('!'*74)
-
bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
.replace(' ', '_')\
.replace('(', '=')\
--
2.20.1

View File

@ -0,0 +1,34 @@
ca-certificates is a package from Debian, but some host distros such as Fedora
have a leaner run-parts provided by cron which doesn't support --verbose or the
-- separator between arguments and paths.
This solves errors such as
| Running hooks in [...]/rootfs/etc/ca-certificates/update.d...
| [...]/usr/sbin/update-ca-certificates: line 194: Not: command not found
| [...]/usr/sbin/update-ca-certificates: line 230: Not a directory: --: command not found
| E: Not a directory: -- exited with code 127.
Upstream-Status: Inappropriate
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
---
sbin/update-ca-certificates | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Index: git/sbin/update-ca-certificates
===================================================================
--- git.orig/sbin/update-ca-certificates
+++ git/sbin/update-ca-certificates
@@ -191,9 +191,7 @@ if [ -d "$HOOKSDIR" ]
then
echo "Running hooks in $HOOKSDIR..."
- VERBOSE_ARG=
- [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
- eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
+ eval run-parts --test "$HOOKSDIR" | while read hook
do
( cat "$ADDED"
cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."

View File

@ -1,45 +0,0 @@
From 111e905fe931da1a3800accfc675cc01c8ee080c Mon Sep 17 00:00:00 2001
From: Ulf Samuelsson <ulf@emagii.com>
Date: Tue, 28 Feb 2012 06:42:58 +0100
Subject: [PATCH] update-ca-certificates: remove c rehash
Updated earlier patch to apply clean on 2012-02-12
Signed-off-by: Ulf Samuelsson <ulf@emagii.com>
---
sbin/update-ca-certificates | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index 5375950..c567e3d 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -132,16 +132,16 @@ rm -f "$CERTBUNDLE"
ADDED_CNT=$(wc -l < "$ADDED")
REMOVED_CNT=$(wc -l < "$REMOVED")
-if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
-then
- # only run if set of files has changed
- if [ "$verbose" = 0 ]
- then
- c_rehash . > /dev/null
- else
- c_rehash .
- fi
-fi
+#if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+#then
+# # only run if set of files has changed
+# if [ "$verbose" = 0 ]
+# then
+# c_rehash . > /dev/null
+# else
+# c_rehash .
+# fi
+#fi
chmod 0644 "$TEMPBUNDLE"
mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
--
1.7.4.1

View File

@ -0,0 +1,46 @@
Upstream-Status: Pending
From 724cb153ca0f607fb38b3a8db3ebb2742601cd81 Mon Sep 17 00:00:00 2001
From: Andreas Oberritter <obi@opendreambox.org>
Date: Tue, 19 Mar 2013 17:14:33 +0100
Subject: [PATCH 2/2] update-ca-certificates: use $SYSROOT
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
---
sbin/update-ca-certificates | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
Index: git/sbin/update-ca-certificates
===================================================================
--- git.orig/sbin/update-ca-certificates
+++ git/sbin/update-ca-certificates
@@ -24,12 +24,12 @@
verbose=0
fresh=0
default=0
-CERTSCONF=/etc/ca-certificates.conf
-CERTSDIR=/usr/share/ca-certificates
-LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTSCONF=$SYSROOT/etc/ca-certificates.conf
+CERTSDIR=$SYSROOT/usr/share/ca-certificates
+LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
CERTBUNDLE=ca-certificates.crt
-ETCCERTSDIR=/etc/ssl/certs
-HOOKSDIR=/etc/ca-certificates/update.d
+ETCCERTSDIR=$SYSROOT/etc/ssl/certs
+HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
while [ $# -gt 0 ];
do
@@ -92,9 +92,9 @@ add() {
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
-e 's/[()]/=/g' \
-e 's/,/_/g').pem"
- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
then
- ln -sf "$CERT" "$PEM"
+ ln -sf "${CERT##$SYSROOT}" "$PEM"
echo "+$PEM" >> "$ADDED"
fi
# Add trailing newline to certificate, if it is missing (#635570)

View File

@ -0,0 +1,71 @@
From a9fc13b2aee55655d58fcb77a3180fa99f96438a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
Date: Wed, 28 Mar 2018 16:45:05 +0100
Subject: [PATCH] update-ca-certificates: use relative symlinks from
$ETCCERTSDIR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
update-ca-certificates symlinks (trusted) certificates
from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
update-ca-certificates can call hook scripts installed
into /etc/ca-certificates/update.d. Those scripts are
passed the pem file in /etc/ssl/certs/ that was added or
removed in this run and those pem files are absolute
symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
When running update-ca-certificates during image build
time, they thusly all point into the host's file system,
not into the $SYSROOT. This means:
* the host's file system layout must match the one
produced by OE, and
* it also means that the host must have installed the same
(or more) certificates as the target in $CERTSDIR and
$LOCALCERTSDIR
This is a problem when wanting to execute hook scripts,
because they all need to be taught about $SYSROOT, and
behave differently depending on whether they're called
at image build time, or on the target, as otherwise they
will be trying to actually read the host's certificates
from $CERTSDIR or $LOCALCERTSDIR.
This also is a problem when running anything else during
image build time that depends on the trusted CA
certificates.
Changing the symlink to be relative solves all of these
problems. Do so.
Upstream-Status: Inappropriate [OE-specific]
Signed-off-by: André Draszik <andre.draszik@jci.com>
---
sbin/update-ca-certificates | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index 00f80c7..7e911a9 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
CERTBUNDLE=ca-certificates.crt
ETCCERTSDIR=$SYSROOT/etc/ssl/certs
+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
while [ $# -gt 0 ];
@@ -125,9 +126,10 @@ add() {
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
-e 's/[()]/=/g' \
-e 's/,/_/g').pem"
- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
+ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
then
- ln -sf "${CERT##$SYSROOT}" "$PEM"
+ ln -sf "${DST}" "$PEM"
echo "+$PEM" >> "$ADDED"
fi
# Add trailing newline to certificate, if it is missing (#635570)

View File

@ -0,0 +1,50 @@
Upstream-Status: Pending
update-ca-certificates: find SYSROOT relative to its own location
This makes the script relocatable.
Index: git/sbin/update-ca-certificates
===================================================================
--- git.orig/sbin/update-ca-certificates
+++ git/sbin/update-ca-certificates
@@ -66,6 +66,39 @@ do
shift
done
+if [ -z "$SYSROOT" ]; then
+ local_which () {
+ if [ $# -lt 1 ]; then
+ return 1
+ fi
+
+ (
+ IFS=:
+ for entry in $PATH; do
+ if [ -x "$entry/$1" ]; then
+ echo "$entry/$1"
+ exit 0
+ fi
+ done
+ exit 1
+ )
+ }
+
+ case "$0" in
+ */*)
+ sbindir=$(cd ${0%/*} && pwd)
+ ;;
+ *)
+ sbindir=$(cd $(dirname $(local_which $0)) && pwd)
+ ;;
+ esac
+ prefix=${sbindir%/*}
+ SYSROOT=${prefix%/*}
+ if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then
+ SYSROOT=
+ fi
+fi
+
if [ ! -s "$CERTSCONF" ]
then
fresh=1

View File

@ -1,46 +0,0 @@
DESCRIPTION = "Common CA certificates"
HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
SECTION = "misc"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://debian/copyright;md5=6135800ff6d893c7904d7aad90972eb5"
SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/ca-certificates_${PV}.tar.gz \
file://0001-update-ca-certificates-remove-c-rehash.patch"
SRC_URI[md5sum] = "5105d4cc086f0d4ecf7bf2e4c4667289"
SRC_URI[sha256sum] = "878cd1130ba056fe5f96decde7e5fc1b71d35eb8565a1515744912e100731ee9"
inherit allarch
do_install_prepend() {
mkdir -p ${D}/usr/share/ca-certificates
mkdir -p ${D}/usr/sbin
mkdir -p ${D}/etc/ssl/certs
mkdir -p ${D}/etc/ca-certificates/update.d
oe_runmake 'DESTDIR=${D}' install
}
do_install_append() {
cd ${D}/usr/share/ca-certificates
echo "# Lines starting with # will be ignored" > ${D}/etc/ca-certificates.conf
echo "# Lines starting with ! will remove certificate on next update" >> ${D}/etc/ca-certificates.conf
echo "#" >> ${D}/etc/ca-certificates.conf
for crt in $(find . -type f -name '*.crt' -print)
do
crt=$(echo $crt | sed -e 's/\.\///')
echo $crt >> ${D}/etc/ca-certificates.conf
done
}
pkg_postinst_${PN} () {
if [ -n "$D" ] ; then
exit 1
fi
${sbindir}/update-ca-certificates
}
CONFFILES_${PN} = "/etc/ca-certificates.conf"
DEFAULT_PREFERENCE = "-1"

View File

@ -0,0 +1,89 @@
SUMMARY = "Common CA certificates"
DESCRIPTION = "This package includes PEM files of CA certificates to allow \
SSL-based applications to check for the authenticity of SSL connections. \
This derived from Debian's CA Certificates."
HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
SECTION = "misc"
LICENSE = "GPL-2.0+ & MPL-2.0"
LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e"
# This is needed to ensure we can run the postinst at image creation time
DEPENDS = ""
DEPENDS_class-native = "openssl-native"
DEPENDS_class-nativesdk = "openssl-native"
# Need rehash from openssl and run-parts from debianutils
PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
file://0002-update-ca-certificates-use-SYSROOT.patch \
file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
file://default-sysroot.patch \
file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
S = "${WORKDIR}/git"
inherit allarch
EXTRA_OEMAKE = "\
'CERTSDIR=${datadir}/ca-certificates' \
'SBINDIR=${sbindir}' \
"
do_compile_prepend() {
oe_runmake clean
}
do_install () {
install -d ${D}${datadir}/ca-certificates \
${D}${sysconfdir}/ssl/certs \
${D}${sysconfdir}/ca-certificates/update.d
oe_runmake 'DESTDIR=${D}' install
install -d ${D}${mandir}/man8
install -m 0644 sbin/update-ca-certificates.8 ${D}${mandir}/man8/
install -d ${D}${sysconfdir}
{
echo "# Lines starting with # will be ignored"
echo "# Lines starting with ! will remove certificate on next update"
echo "#"
find ${D}${datadir}/ca-certificates -type f -name '*.crt' | \
sed 's,^${D}${datadir}/ca-certificates/,,' | sort
} >${D}${sysconfdir}/ca-certificates.conf
}
do_install_append_class-target () {
sed -i -e 's,/etc/,${sysconfdir}/,' \
-e 's,/usr/share/,${datadir}/,' \
-e 's,/usr/local,${prefix}/local,' \
${D}${sbindir}/update-ca-certificates \
${D}${mandir}/man8/update-ca-certificates.8
}
pkg_postinst_${PN}_class-target () {
SYSROOT="$D" $D${sbindir}/update-ca-certificates
}
CONFFILES_${PN} += "${sysconfdir}/ca-certificates.conf"
# Rather than make a postinst script that works for both target and nativesdk,
# we just run update-ca-certificate from do_install() for nativesdk.
CONFFILES_${PN}_append_class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt"
do_install_append_class-nativesdk () {
SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates
}
do_install_append_class-native () {
SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
}
RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
RDEPENDS_${PN}_append_class-native = " openssl-native"
RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
BBCLASSEXTEND = "native nativesdk"

View File

@ -1,20 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

View File

@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----