Added RSASSA-PSS support

Since `oscrypto` doesn't do PSS with arbitrary parameters (which is an
issue in our validation use case) all cryptographic operations have been
replaced with `pyca/cryptography` instead. The role of `oscrypto` is
now limited to accessing the system trust.

Since oscrypto is a fairly lightweight dependency it'll probably stay;
extracting & testing its trust list API would probably be more trouble
than it's worth. I realise that `pyca/cryptography` can be harder to
install (especially on resource-limited systems running on somewhat
obscure architectures), but since this certvalidator fork is mainly
intended as a tool to serve pyHanko's needs, the additional dependency
burden is not a significant one.

Author: MatthiasValvekens

.github/workflows/ci.yml

@@ -1,6 +1,10 @@
 name: CI
 on: [push, pull_request]
 
+
+# TODO: work out how many of these tests configs still make sense now that we use 
+# pyca/cryptography for all crypto operations (and oscrypto just serves as a means
+# to access the system trust)
 jobs:
   build:
     name: Python ${{ matrix.python }} on ${{ matrix.os }} ${{ matrix.arch }}
@@ -32,7 +36,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install requests~=2.24.0 uritools~=3.0.1
+          pip install requests~=2.24.0 uritools~=3.0.1 cryptography>=3.3.1
           python run.py deps
       - name: Run test suite
         run: python run.py ci

README.md

@@ -23,7 +23,7 @@ revocation checks.
  - X.509 path building
  - X.509 basic path validation
    - Signatures
-     - RSA, DSA and EC algorithms
+     - RSA (including PSS padding), DSA and EC algorithms
    - Name chaining
    - Validity dates
    - Basic constraints extension

pyhanko_certvalidator/validate.py

@@ -1,9 +1,11 @@
 # coding: utf-8
 from __future__ import unicode_literals, division, absolute_import, print_function
 
-from asn1crypto import x509, crl
-from oscrypto import asymmetric
-import oscrypto.errors
+from asn1crypto import x509, crl, algos
+from asn1crypto.keys import PublicKeyInfo
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa, ec, dsa
 
 from ._errors import pretty_message
 from ._types import str_cls, type_name
@@ -324,27 +326,23 @@ def _validate_path(validation_context, path, end_entity_name_override=None):
                 hash_algo
             ))
 
-        if signature_algo == 'rsassa_pkcs1v15':
-            verify_func = asymmetric.rsa_pkcs1v15_verify
-        elif signature_algo == 'dsa':
-            verify_func = asymmetric.dsa_verify
-        elif signature_algo == 'ecdsa':
-            verify_func = asymmetric.ecdsa_verify
-        else:
+        try:
+            _validate_sig(
+                signature=cert['signature_value'].native,
+                signed_data=cert['tbs_certificate'].dump(),
+                public_key_info=working_public_key,
+                sig_algo=signature_algo, hash_algo=hash_algo,
+                parameters=cert['signature_algorithm']['parameters']
+            )
+        except PSSParameterMismatch:
             raise PathValidationError(pretty_message(
                 '''
-                The path could not be validated because the signature of %s
-                uses the unsupported algorithm %s
+                The signature parameters for %s do not match the constraints
+                on the public key.
                 ''',
-                _cert_type(index, last_index, end_entity_name_override, definite=True),
-                signature_algo
+                _cert_type(index, last_index, end_entity_name_override, definite=True)
             ))
-
-        try:
-            key_object = asymmetric.load_public_key(working_public_key)
-            verify_func(key_object, cert['signature_value'].native, cert['tbs_certificate'].dump(), hash_algo)
-
-        except (oscrypto.errors.SignatureError):
+        except InvalidSignature:
             raise PathValidationError(pretty_message(
                 '''
                 The path could not be validated because the signature of %s
@@ -638,6 +636,9 @@ def _validate_path(validation_context, path, end_entity_name_override=None):
 
             # Handle inheritance of DSA parameters from a signing CA to the
             # next in the chain
+            # NOTE: we don't perform this step for RSASSA-PSS since there the
+            #  parameters are drawn form the signature parameters, where they
+            #  must always be present.
             copy_params = None
             if cert.public_key.algorithm == 'dsa' and cert.public_key.hash_algo is None:
                 if working_public_key.algorithm == 'dsa':
@@ -831,7 +832,7 @@ def _cert_type(index, last_index, end_entity_name_override, definite=False):
     return prefix + 'end-entity certificate'
 
 
-def _self_signed(cert):
+def _self_signed(cert: x509.Certificate):
     """
     Determines if a certificate is self-signed
 
@@ -853,27 +854,16 @@ def _self_signed(cert):
     signature_algo = cert['signature_algorithm'].signature_algo
     hash_algo = cert['signature_algorithm'].hash_algo
 
-    if signature_algo == 'rsassa_pkcs1v15':
-        verify_func = asymmetric.rsa_pkcs1v15_verify
-    elif signature_algo == 'dsa':
-        verify_func = asymmetric.dsa_verify
-    elif signature_algo == 'ecdsa':
-        verify_func = asymmetric.ecdsa_verify
-    else:
-        raise PathValidationError(pretty_message(
-            '''
-            Unable to verify the signature of the certificate since it uses
-            the unsupported algorithm %s
-            ''',
-            signature_algo
-        ))
-
     try:
-        key_object = asymmetric.load_certificate(cert)
-        verify_func(key_object, cert['signature_value'].native, cert['tbs_certificate'].dump(), hash_algo)
+        _validate_sig(
+            signature=cert['signature_value'].native,
+            signed_data=cert['tbs_certificate'].dump(),
+            public_key_info=cert.public_key,
+            sig_algo=signature_algo, hash_algo=hash_algo,
+            parameters=cert['signature_algorithm']['parameters']
+        )
         return True
-
-    except (oscrypto.errors.SignatureError):
+    except InvalidSignature:
         return False
 
 
@@ -1128,30 +1118,22 @@ def verify_ocsp_response(cert, path, validation_context, cert_description=None,
         signature_algo = response['signature_algorithm'].signature_algo
         hash_algo = response['signature_algorithm'].hash_algo
 
-        if signature_algo == 'rsassa_pkcs1v15':
-            verify_func = asymmetric.rsa_pkcs1v15_verify
-        elif signature_algo == 'dsa':
-            verify_func = asymmetric.dsa_verify
-        elif signature_algo == 'ecdsa':
-            verify_func = asymmetric.ecdsa_verify
-        else:
+        # Verify that the response was properly signed by the validated certificate
+        try:
+            _validate_sig(
+                signature=response['signature'].native,
+                signed_data=tbs_response.dump(),
+                public_key_info=signing_cert.public_key,
+                sig_algo=signature_algo, hash_algo=hash_algo,
+                parameters=response['signature_algorithm']['parameters']
+            )
+        except PSSParameterMismatch:
             failures.append((
-                pretty_message(
-                    '''
-                    Unable to verify OCSP response since response signature
-                    uses the unsupported algorithm %s
-                    ''',
-                    signature_algo
-                ),
+                'The signature parameters on the OCSP response do not match '
+                'the constraints on the public key',
                 ocsp_response
             ))
-            continue
-
-        # Verify that the response was properly signed by the validated certificate
-        try:
-            key_object = asymmetric.load_certificate(signing_cert)
-            verify_func(key_object, response['signature'].native, tbs_response.dump(), hash_algo)
-        except (oscrypto.errors.SignatureError):
+        except InvalidSignature:
             failures.append((
                 'Unable to verify OCSP response signature',
                 ocsp_response
@@ -1828,30 +1810,19 @@ def _verify_signature(certificate_list, crl_issuer):
     signature_algo = certificate_list['signature_algorithm'].signature_algo
     hash_algo = certificate_list['signature_algorithm'].hash_algo
 
-    if signature_algo == 'rsassa_pkcs1v15':
-        verify_func = asymmetric.rsa_pkcs1v15_verify
-    elif signature_algo == 'dsa':
-        verify_func = asymmetric.dsa_verify
-    elif signature_algo == 'ecdsa':
-        verify_func = asymmetric.ecdsa_verify
-    else:
-        raise CRLValidationError(pretty_message(
-            '''
-            Unable to verify the CertificateList since the signature uses the
-            unsupported algorithm %s
-            ''',
-            signature_algo
-        ))
-
     try:
-        key_object = asymmetric.load_certificate(crl_issuer)
-        verify_func(
-            key_object,
-            certificate_list['signature'].native,
-            certificate_list['tbs_cert_list'].dump(),
-            hash_algo
+        _validate_sig(
+            signature=certificate_list['signature'].native,
+            signed_data=certificate_list['tbs_cert_list'].dump(),
+            public_key_info=crl_issuer.public_key,
+            sig_algo=signature_algo, hash_algo=hash_algo,
+            parameters=certificate_list['signature_algorithm']['parameters']
         )
-    except (oscrypto.errors.SignatureError):
+    except PSSParameterMismatch as e:
+        raise CRLValidationError(
+            'Invalid signature parameters on CertificateList'
+        ) from e
+    except InvalidSignature:
         raise CRLValidationError('Unable to verify the signature of the CertificateList')
 
 
@@ -2038,3 +2009,60 @@ def __init__(self, valid_policy, qualifier_set, expected_policy_set):
         self.qualifier_set = qualifier_set
         self.expected_policy_set = expected_policy_set
         self.children = []
+
+
+class PSSParameterMismatch(InvalidSignature):
+    pass
+
+
+def _validate_sig(signature: bytes, signed_data: bytes,
+                  public_key_info: PublicKeyInfo,
+                  sig_algo: str, hash_algo: str, parameters=None):
+
+    hash_algo = getattr(hashes, hash_algo.upper())()
+
+    # pyca/cryptography can't load PSS-exclusive keys without some help:
+    if public_key_info.algorithm == 'rsassa_pss':
+        public_key_info = public_key_info.copy()
+        assert isinstance(parameters, algos.RSASSAPSSParams)
+        pss_key_params = public_key_info['algorithm']['parameters'].native
+        if pss_key_params is not None and pss_key_params != parameters.native:
+            raise PSSParameterMismatch(
+                "Public key info includes PSS parameters that do not match "
+                "those on the signature"
+            )
+        # set key type to generic RSA, discard parameters
+        public_key_info['algorithm'] = {'algorithm': 'rsa'}
+
+    pub_key = serialization.load_der_public_key(public_key_info.dump())
+
+    if sig_algo == 'rsassa_pkcs1v15':
+        assert isinstance(pub_key, rsa.RSAPublicKey)
+        pub_key.verify(signature, signed_data, padding.PKCS1v15(), hash_algo)
+    elif sig_algo == 'rsassa_pss':
+        assert isinstance(pub_key, rsa.RSAPublicKey)
+        assert isinstance(parameters, algos.RSASSAPSSParams)
+        mga: algos.MaskGenAlgorithm = parameters['mask_gen_algorithm']
+        if not mga['algorithm'].native == 'mgf1':
+            raise NotImplementedError("Only MFG1 is supported")
+
+        mgf_md_name = mga['parameters']['algorithm'].native
+
+        salt_len: int = parameters['salt_length'].native
+
+        mgf_md = getattr(hashes, mgf_md_name.upper())()
+        pss_padding = padding.PSS(
+            mgf=padding.MGF1(algorithm=mgf_md),
+            salt_length=salt_len
+        )
+        pub_key.verify(signature, signed_data, pss_padding, hash_algo)
+    elif sig_algo == 'dsa':
+        assert isinstance(pub_key, dsa.DSAPublicKey)
+        pub_key.verify(signature, signed_data, hash_algo)
+    elif sig_algo == 'ecdsa':
+        assert isinstance(pub_key, ec.EllipticCurvePublicKey)
+        pub_key.verify(signature, signed_data, ec.ECDSA(hash_algo))
+    else:  # pragma: nocover
+        raise NotImplementedError(
+            f"Signature mechanism {sig_algo} is not supported."
+        )

setup.py

@@ -125,6 +125,7 @@ def run(self):
         'requests>=2.24.0',
         'asn1crypto>=1.2.0',
         'oscrypto>=1.1.0',
+        'cryptography>=3.3.1',
         'uritools>=3.0.1'
     ],
     packages=[PYTHON_PACKAGE_NAME],

tests/fixtures/testing-ca-pss-exclusive/interm.cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyjCCAn6gAwIBAgICEAEwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF
+AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMDsxCzAJBgNVBAYT
+AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBD
+QTAiGA8yMDAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjBDMQswCQYDVQQG
+EwJCRTEaMBgGA1UECgwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVy
+bWVkaWF0ZSBDQTCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEKAoIBAQDPlhBn2wSd
+um440KB4vmb4RbFeo7C6YfAulLEEF4D8V0fgd6Rj2XKRk8WowNCmf+QPFA0xH6Ew
+ndIGT+i4haS04TsOt++Wkz/Dj8lyFTC50WW1ZVyDZl89mpJ5myyTbToke9fF/YLN
+K0QyH19BXoxNGqAGf/cDvraWpUWVwgcA+rGWwGZU4CRnOSs2WqBO2ESzaJ1xAqMJ
+bBZyQeCrS8p5+Wz6e1G0layjinNtAQdwe2UVzsOUtZ/errqb0t3If3wRWh2rf93c
+t/MGYBC4R0LeR7vn3ZwAdOgZ39+LyHz04mmUBsokT8P55p2wuxecw8YiFDoy0xFe
+bAq4NnzEzG6vAgMBAAGjZjBkMB0GA1UdDgQWBBRnXK/DvDkcd7dpfXcgnEV7tQAn
+ITAfBgNVHSMEGDAWgBRx8eBpesXpOEuTGzsVR4vzVq9i+zASBgNVHRMBAf8ECDAG
+AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFl
+AwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAFZH
+FG2TegyZGn5x/v4qOgDVGNxIDVbMPZ7vFAwfmDRu/JsNH3MynzhUjEIWq3OAbk4e
+acE5oJ2FsUCHkqVcLizqma89pltGDD/Aug1JWY3gKKuEMEFDUBggAy0V7i6VY6pw
+SoJRRxAi7YINwqHt4iytM98aLQJc6ceyMcRXA1cWzjjIDPMv90SdRha1kBnGTtjR
+nkJ2bteVSX6NAhj81GKbA+7PDGKbOCvzmM7k3punDgFL8vbJrkvpg/2F8f5vZaiP
+29vHI9MwOS4L2MkjFV8AzssAc771P42ND9ns38iw04d5w1uM07voDe8pBKBRdMCF
+Z+KJicfjpfcXzNiUOQU=
+-----END CERTIFICATE-----

tests/fixtures/testing-ca-pss-exclusive/root.cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvzCCAnOgAwIBAgICEAAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF
+AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMDsxCzAJBgNVBAYT
+AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBD
+QTAiGA8yMDAwMDEwMTAwMDAwMFoYDzI1MDAwMTAxMDAwMDAwWjA7MQswCQYDVQQG
+EwJCRTEaMBgGA1UECgwRVGVzdGluZyBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3Qg
+Q0EwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAr6rUQReGwbWaufayDOPl
+Js/Gm1bDOPt8+3kC3Ejd1RXvilsKpdOfuP8s+4D7MmNfjrCEMnvlGYKrVuZHySHz
+48qQlFUxb7jsuD5YS9KWClkV7xJ2FoFC2q57jgBrUhfBHhU/i+EWu5zuMlHWALjU
+rQIjAqheQAfaj5RG6W7fsufx7zgN9hWUDUClCXUauVdS6rIwMH3poyvixojQGgQF
+WUyWDOd1ZzCG33XaY4yPglppvRorDVVfajW7qnStbjW36s/ekCCit+w2JU699HuH
+93B89nmCoylh1WhogT9WBqjjWcN7B6Q52jGx2N+A0lUvsk6DApEmCHUM48Sa3hO5
+RwIDAQABo2MwYTAdBgNVHQ4EFgQUcfHgaXrF6ThLkxs7FUeL81avYvswHwYDVR0j
+BBgwFoAUcfHgaXrF6ThLkxs7FUeL81avYvswDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAYYwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEFAKEcMBoG
+CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgA4IBAQAdouZlWC/t3mBBGdhG
+/UMzmA1+5OlOOAFszt2+LAqMj3lxLbAreDNNuSfxqmFaN+4CanZVELVacV5BUU4y
+tfLFLpf3zu7iWyGUXJTHlwknSvVS5ZXZIY3jw0JsdC0OCDtRVmnMxYcMlqjzQZ+V
+Gp8j6ce8qbvw5Vkky4k2hpnx79E/9+88uHGKZhhasU1yuEZgLwIfq04RwCc13tTg
+wfYo4ysEJ0TzsNuXUyC/V7xtpbKmH9ZgnyubspmIgMM0HGKnk6id7eHPe/SNyM5J
+f0qVOkh86mIMwaL2puQqE9wogp/vtsxNN1jI9eA5Q3h8YkTVUUm0q0SfkzUE+Yp1
+6Lv2
+-----END CERTIFICATE-----

tests/fixtures/testing-ca-pss-exclusive/signer1.cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxjCCAnqgAwIBAgICEAAwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF
+AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMEMxCzAJBgNVBAYT
+AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEYMBYGA1UEAwwPSW50ZXJt
+ZWRpYXRlIENBMCIYDzIwMjAwMTAxMDAwMDAwWhgPMjAyMjAxMDEwMDAwMDBaMEsx
+CzAJBgNVBAYTAkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UE
+CwwHU2lnbmVyczEOMAwGA1UEAwwFQWxpY2UwggEgMAsGCSqGSIb3DQEBCgOCAQ8A
+MIIBCgKCAQEA54KAlKDeHceR3gNmgsWtBX5MjYg6PFd8rUI6mac+O+/LuoZvwLoR
+Wa59ivHJpJ/yLpUrKP9r3byNyEojAlJB5Em7YLhNR9uJcRc4nXPStyZhBGWO438s
+U6cCDJDF7NckD7E2vCBw6+sB4UhkpRCgFn8O8WEWtdt3QuJqchkdL1KB1bGH5dve
+NeJ+oW+rzuxqQ6SuDT5O2uztA2LM27poMxWdb250NvcuRELLFkvwWxgb6bZUiDIa
+HUPt1naZPGhH8VKt5ZhCuOhTnv2vJViQzbFPHX2sG7d2u1YhUYxqmOVtDIG84hzp
+JQRZ9xX+1oBFDIF6a14PSc/YyLw91X2C6wIDAQABo1IwUDAdBgNVHQ4EFgQUADv2
+3DgWFu93XfHVtOrrhMGByfEwHwYDVR0jBBgwFoAUZ1yvw7w5HHe3aX13IJxFe7UA
+JyEwDgYDVR0PAQH/BAQDAgbAMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAQEAoo6uWgOd
+Dyo1FtsFWMylhjOUJ8TGN82ZEV2ZkXS7OxkXNES8yyY84jS72MjJEbcmSrV/Elb2
+4+UOiYoZepwaClPtAypWI7YQCM3V7ZA6sW2F2yac7TNpAsngNR1ERAQA8BFg4WSH
+pvrm3I+w77jSzRM/hKxKlYcrdoE0+e3Oeb7o0DYqAlnN2axiozy74xUR8PkqUdfX
+CZwtvCqBHsP7U50dAKBxKRuZ150/BzgBAgAKjYtQXH6GhAiySjVnuMrAfrhbqMje
+0H9fP5hrSjdtdsKWZxYckZ4yxOoWnswPfQTQZ7VDRmXnqaxXUe2LMG/FktiolEqE
+XJqkP0FPBIOtXg==
+-----END CERTIFICATE-----

tests/fixtures/testing-ca-pss/interm.cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzDCCAoCgAwIBAgICEAEwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgEF
+AKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgMDsxCzAJBgNVBAYT
+AkJFMRowGAYDVQQKDBFUZXN0aW5nIEF1dGhvcml0eTEQMA4GA1UEAwwHUm9vdCBD
+QTAiGA8yMDAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjBDMQswCQYDVQQG
+EwJCRTEaMBgGA1UECgwRVGVzdGluZyBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVy
+bWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHp2s/e
+iBXxSdjZgzQZEQ9QIIR7sVf3Tn85yXYyPI/KHf+9p/njYsZBZ0LWZ/d81Cwy7Z2p
+plPBRCsonAizTtBXuvWejDespQ0bxjIa11l8rK3qOA6x9pnkoHnixS1YbLgspPhw
++rS8RaebyUWj3WS8mpU6MVdalRIrBM9glX6uIGYqDbkL7wPYvmgp0zNDF3yj0rSQ
+AjR8MXUI9uq0IH8YjPA3YKrbRtf12nNNtk6W8i6d0DiEtgE1x9eeKA8vKVzfHdjH
+KmgGi1Dkv0zEpx4GCu/VJ+C0QCrF5iBRl79RB0QbuNHLQkhgUpL8Ra8dwnqMBf6/
+riEp4gCyU7/rtNsCAwEAAaNmMGQwHQYDVR0OBBYEFO+/elGLLqQuSl3SzudheM5q
+NklPMB8GA1UdIwQYMBaAFPG0eZUCsrRfOXL9sI/CX69bmlC1MBIGA1UdEwEB/wQI
+MAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZI
+AWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBIAOCAQEA
+cBP88oJDFzHF5n63taaY1AKVZKrphwTWdqn2UQH13F065qfxIZcxZJgQArTd0nc5
+aVPsh/cXs5hv+bKsdsnkZeoEWSDmCdKh7rk5PcwFaX75ebWASrQ6JVSwJKlVI+3Y
+99wsqQ56PPBFYQmr3iNlC4RW079UHek+e1BnTizyUzutdVRZPqTEUqAYWB2ksqDG
+ICGi6zuzsZMOJc13uV27SL4hrLueNQnOPu2HMBZ/DWBRbvtkQeeYItPYqjmSVain
+ggAylz2v84tCxAVZC1OKpIOt5vRJxrpA9vpMvT1SlReC3ZXtHM0HpB4+SXH2PKuF
+lPWqtS+yvu2uSiUderYZ/g==
+-----END CERTIFICATE-----