From 206c5b574b351fa56000704788a1fb3328b00ca8 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 10 Jul 2020 10:36:32 -0700 Subject: [PATCH 01/82] [release-1.6] Add version label to `pilot_xds` metric (#25284) * Add version label to metric Signed-off-by: Liam White * back to gauge Signed-off-by: Liam White Co-authored-by: Liam White --- pilot/pkg/proxy/envoy/v2/ads.go | 7 +++---- pilot/pkg/proxy/envoy/v2/monitoring.go | 13 +++++++++++++ 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/pilot/pkg/proxy/envoy/v2/ads.go b/pilot/pkg/proxy/envoy/v2/ads.go index ba155bc3618..ea60e7f029c 100644 --- a/pilot/pkg/proxy/envoy/v2/ads.go +++ b/pilot/pkg/proxy/envoy/v2/ads.go @@ -769,21 +769,20 @@ func (s *DiscoveryServer) addCon(conID string, con *XdsConnection) { s.adsClientsMutex.Lock() defer s.adsClientsMutex.Unlock() s.adsClients[conID] = con - xdsClients.Record(float64(len(s.adsClients))) + recordXDSClients(con.node.Metadata.IstioVersion, 1) } func (s *DiscoveryServer) removeCon(conID string) { s.adsClientsMutex.Lock() defer s.adsClientsMutex.Unlock() - if _, exist := s.adsClients[conID]; !exist { + if con, exist := s.adsClients[conID]; !exist { adsLog.Errorf("ADS: Removing connection for non-existing node:%v.", conID) totalXDSInternalErrors.Increment() } else { delete(s.adsClients, conID) + recordXDSClients(con.node.Metadata.IstioVersion, -1) } - - xdsClients.Record(float64(len(s.adsClients))) if s.StatusReporter != nil { go s.StatusReporter.RegisterDisconnect(conID, []string{ClusterType, ListenerType, RouteType, EndpointType}) } diff --git a/pilot/pkg/proxy/envoy/v2/monitoring.go b/pilot/pkg/proxy/envoy/v2/monitoring.go index 74e0722ff98..727f96e32fb 100644 --- a/pilot/pkg/proxy/envoy/v2/monitoring.go +++ b/pilot/pkg/proxy/envoy/v2/monitoring.go @@ -14,6 +14,8 @@ package v2 import ( + "sync" + "google.golang.org/grpc/codes" "istio.io/istio/pilot/pkg/model" 
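Review bot: In addCon the gauge is now driven by a +1 delta instead of being recomputed from `len(s.adsClients)`, so a call for a conID that is already in the map overwrites the entry and leaves the per-version count permanently one too high; the hunk has no guard for that case. Releasing the old entry first keeps the counter in step with the map, e.g. `if old, ok := s.adsClients[conID]; ok { recordXDSClients(old.node.Metadata.IstioVersion, -1) }` before the assignment. removeCon reads the version at disconnect time, so the +1 and -1 only cancel out if `con.node.Metadata.IstioVersion` never changes while the connection is registered, which cannot be confirmed from this hunk. removeCon appears to continue past the end of the hunk.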
@@ -27,6 +29,7 @@ var ( clusterTag = monitoring.MustCreateLabel("cluster") nodeTag = monitoring.MustCreateLabel("node") typeTag = monitoring.MustCreateLabel("type") + versionTag = monitoring.MustCreateLabel("version") cdsReject = monitoring.NewGauge( "pilot_xds_cds_reject", @@ -84,7 +87,10 @@ var ( xdsClients = monitoring.NewGauge( "pilot_xds", "Number of endpoints connected to this pilot using XDS.", + monitoring.WithLabels(versionTag), ) + xdsClientTrackerMutex = &sync.Mutex{} + xdsClientTracker map[string]float64 = make(map[string]float64) xdsResponseWriteTimeouts = monitoring.NewSum( "pilot_xds_write_timeout", @@ -164,6 +170,13 @@ var ( inboundServiceDeletes = inboundUpdates.With(typeTag.Value("svcdelete")) ) +func recordXDSClients(version string, delta float64) { + xdsClientTrackerMutex.Lock() + defer xdsClientTrackerMutex.Unlock() + xdsClientTracker[version] += delta + xdsClients.With(versionTag.Value(version)).Record(xdsClientTracker[version]) +} + func recordPushTriggers(reasons ...model.TriggerReason) { for _, r := range reasons { pushTriggers.With(typeTag.Value(string(r))).Increment() From b90c698ff8c7184bea38a4cf0f106043fbc8dcd0 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 10 Jul 2020 11:43:41 -0700 Subject: [PATCH 02/82] Automator: update istio/api@release-1.6 dependency in istio/istio@release-1.6 (#25426) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index b74f7ad3d62..5ab60b7270a 100644 --- a/go.mod +++ b/go.mod @@ -157,7 +157,7 @@ require ( gopkg.in/square/go-jose.v2 v2.3.1 gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 - istio.io/api v0.0.0-20200708135631-b736e804afd1 + istio.io/api v0.0.0-20200710180116-e1ce95268877 istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5 istio.io/pkg v0.0.0-20200511212725-7bfbbf968c23 k8s.io/api v0.18.1 diff --git a/go.sum b/go.sum index 6313f6297dd..90254820dcf 100644 --- a/go.sum +++ b/go.sum 
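Review bot: The `version` label in recordXDSClients comes from the connecting proxy's node metadata (see the ads.go callers) and, as far as this diff shows, is not validated. `xdsClientTracker` never drops a key once its count returns to zero, so every distinct version string a client has ever presented stays as a map entry and as a `pilot_xds` series. Deleting the entry after recording zero bounds the map: `if xdsClientTracker[version] <= 0 { delete(xdsClientTracker, version) }` after the `Record` call. Collapsing unexpected values into one fixed bucket before they reach `versionTag.Value` would bound the series count as well. The function also lacks a doc comment; something like `// recordXDSClients adjusts the connected-client count for version by delta (+1/-1) and publishes it; guarded by xdsClientTrackerMutex.` would state the contract.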
@@ -1061,8 +1061,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml9iS5NfNfqZGRt1pS9aVEo= -istio.io/api v0.0.0-20200708135631-b736e804afd1 h1:GvIZ4goWRTAW/NUjtCVF61C1wnb4Ky2MvF+votyjFvM= -istio.io/api v0.0.0-20200708135631-b736e804afd1/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= +istio.io/api v0.0.0-20200710180116-e1ce95268877 h1:ZcqwJU3wMaaoqaflElnbuI5k3HW93uCj6UN5//78ImQ= +istio.io/api v0.0.0-20200710180116-e1ce95268877/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5 h1:+jL9OzDdbpqHghV6i1dDy2jV+FtC7wz+CuKi2UxZoSs= istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= From d8ab09cda36e1d7533d1875cff5dff6906f5db60 Mon Sep 17 00:00:00 2001 From: Tao HE <1579288+elfinhe@users.noreply.github.com> Date: Fri, 10 Jul 2020 15:35:22 -0700 Subject: [PATCH 03/82] Never execute waitUpgradeComplete and retrieveControlPlaneVersion when upgrade with dry run option (#25207) (#25425) Co-authored-by: Zufar Dhiyaulhaq --- operator/cmd/mesh/upgrade.go | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/operator/cmd/mesh/upgrade.go b/operator/cmd/mesh/upgrade.go index f2e871681bd..a9295d023ff 100644 --- a/operator/cmd/mesh/upgrade.go +++ b/operator/cmd/mesh/upgrade.go 
@@ -222,20 +222,27 @@ func upgrade(rootArgs *rootArgs, args *upgradeArgs, l clog.Logger) (err error) { return nil } - // Waits for the upgrade to complete by periodically comparing the each - // component version to the target version. - err = waitUpgradeComplete(kubeClient, istioNamespace, targetVersion, l) - if err != nil { - return fmt.Errorf("failed to wait for the upgrade to complete. Error: %v", err) - } + if !rootArgs.dryRun { + // Waits for the upgrade to complete by periodically comparing the each + // component version to the target version. + err = waitUpgradeComplete(kubeClient, istioNamespace, targetVersion, l) + if err != nil { + return fmt.Errorf("failed to wait for the upgrade to complete. Error: %v", err) + } - // Read the upgraded Istio version from the the cluster - upgradeVer, err := retrieveControlPlaneVersion(kubeClient, istioNamespace, l) - if err != nil { - return fmt.Errorf("failed to read the upgraded Istio version. Error: %v", err) + // Read the upgraded Istio version from the the cluster + upgradeVer, err := retrieveControlPlaneVersion(kubeClient, istioNamespace, l) + if err != nil { + return fmt.Errorf("failed to read the upgraded Istio version. Error: %v", err) + } + + l.LogAndPrintf("Success. Now the Istio control plane is running at version %v.\n", upgradeVer) + } else { + l.LogAndPrintf("Upgrade rollout completed. " + + "All Istio control plane pods are running on the target version.\n\n") + l.LogAndPrintf("Success. Now the Istio control plane is running at version %v.\n", targetVersion) } - l.LogAndPrintf("Success. Now the Istio control plane is running at version %v.\n", upgradeVer) l.LogAndPrintf(upgradeSidecarMessage) return nil } From cc541d50634d21877a851a7e9639909f058d47fc Mon Sep 17 00:00:00 2001 
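Review bot: The new dry-run branch prints "Upgrade rollout completed. All Istio control plane pods are running on the target version." and "Success. Now the Istio control plane is running at version …" with `targetVersion`, although in a dry run nothing was applied and neither waitUpgradeComplete nor retrieveControlPlaneVersion ran to confirm it. An operator or a script reading this output cannot tell a dry run from a real, verified upgrade; the branch should say so, e.g. `l.LogAndPrintf("Dry run: no changes were applied; target version is %v.\n", targetVersion)`. Inside the `!rootArgs.dryRun` block, `upgradeVer, err := …` declares a new `err` that shadows the named result; the explicit returns make that harmless, but a shadow linter will flag it. The function starts outside the hunk.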
From: Istio Automation Date: Wed, 15 Jul 2020 10:40:51 -0700 Subject: [PATCH 04/82] Fix egress gateway config. (#25514) Co-authored-by: Oliver Liu --- .../gateways/istio-egress/templates/deployment.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/manifests/charts/gateways/istio-egress/templates/deployment.yaml index 0ab36faadfc..174326cb3e3 100644 --- a/manifests/charts/gateways/istio-egress/templates/deployment.yaml +++ b/manifests/charts/gateways/istio-egress/templates/deployment.yaml @@ -151,6 +151,12 @@ spec: value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} - name: NODE_NAME valueFrom: fieldRef: @@ -276,7 +282,7 @@ spec: # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs secret: - secretName: istio.default + secretName: istio.istio-egressgateway-service-account optional: true {{- end }} - name: config-volume From 68bf6e5c7c4aab654ba947e0950364170f407489 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 15 Jul 2020 15:09:43 -0700 Subject: [PATCH 05/82] Automator: update istio/api@release-1.6 dependency in istio/istio@release-1.6 (#25553) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5ab60b7270a..b29e51eacc8 100644 --- a/go.mod +++ b/go.mod 
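Review bot: The `istio-certs` volume now points at `istio.istio-egressgateway-service-account`, a name tied to one specific service account, while the volume stays `optional: true`. If the gateway runs under a differently named service account (the chart's service-account naming is not visible in this hunk), the secret will not be found and the pod will start without the mounted key and cert, with no error. Deriving the secret name from the same value that names the service account would keep the two in step. Failing that, a comment next to it records the coupling, e.g. `# must match istio.<name of the gateway's service account>`.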
@@ -157,7 +157,7 @@ require ( gopkg.in/square/go-jose.v2 v2.3.1 gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 - istio.io/api v0.0.0-20200710180116-e1ce95268877 + istio.io/api v0.0.0-20200715212100-dbf5277541ef istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5 istio.io/pkg v0.0.0-20200511212725-7bfbbf968c23 k8s.io/api v0.18.1 diff --git a/go.sum b/go.sum index 90254820dcf..e19dac2373a 100644 --- a/go.sum +++ b/go.sum @@ -1061,8 +1061,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml9iS5NfNfqZGRt1pS9aVEo= -istio.io/api v0.0.0-20200710180116-e1ce95268877 h1:ZcqwJU3wMaaoqaflElnbuI5k3HW93uCj6UN5//78ImQ= -istio.io/api v0.0.0-20200710180116-e1ce95268877/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= +istio.io/api v0.0.0-20200715212100-dbf5277541ef h1:EK7lCql3HAxEoyPQuPWamG00XkOKzIVzzMb5sShFwAM= +istio.io/api v0.0.0-20200715212100-dbf5277541ef/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5 h1:+jL9OzDdbpqHghV6i1dDy2jV+FtC7wz+CuKi2UxZoSs= istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= From 7108aad4a3662dbd31a2ccd48cff5e41e58a1e9f Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 15 Jul 2020 19:30:57 -0700 Subject: [PATCH 06/82] [release-1.6] Potential bug in tests.mk file (#25558) * fixed typo * fix the default behavior Co-authored-by: zhengzhey --- tests/integration/tests.mk | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/tests/integration/tests.mk b/tests/integration/tests.mk index f2c4faf4188..cbf5a6a94b2 100644 --- a/tests/integration/tests.mk +++ b/tests/integration/tests.mk @@ -32,9 +32,9 @@ ifneq ($(TAG),) _INTEGRATION_TEST_FLAGS += --istio.test.tag=$(TAG) endif -_INTEGRATION_TEST_SELECT_FLAG = --istio.test.select=-postsubmit,-flaky,-multicluster -ifneq ($(TEST_SELECT),) - _INTEGRATION_TEST_SELECT_FLAGS += --istio.test.select=$(TEST_SELECT) +_INTEGRATION_TEST_SELECT_FLAGS ?= --istio.test.select=$(TEST_SELECT) +ifeq ($(TEST_SELECT),) + _INTEGRATION_TEST_SELECT_FLAGS = --istio.test.select=-postsubmit,-flaky,-multicluster endif # $(INTEGRATION_TEST_KUBECONFIG) overrides all kube config settings. From 850c5544563cd4c21f138a591d1e54440ddb4a68 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 17 Jul 2020 10:01:14 -0700 Subject: [PATCH 07/82] Remove potentionally massive log line (#25610) For clusters with many gateways this is a massive line, when its not very useful Co-authored-by: John Howard --- pilot/pkg/networking/core/v1alpha3/gateway.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pilot/pkg/networking/core/v1alpha3/gateway.go b/pilot/pkg/networking/core/v1alpha3/gateway.go index a703ee21e2c..d0d8dbde8c8 100644 --- a/pilot/pkg/networking/core/v1alpha3/gateway.go +++ b/pilot/pkg/networking/core/v1alpha3/gateway.go 
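Review bot: `_INTEGRATION_TEST_SELECT_FLAGS ?= --istio.test.select=$(TEST_SELECT)` assigns only when the variable is not already defined, while the `ifeq` branch below it assigns with `=` unconditionally. A value inherited from the environment or an including makefile therefore wins over an explicit TEST_SELECT, yet is overwritten by the default when TEST_SELECT is empty. If no external override is intended, a plain assignment makes the precedence obvious: `_INTEGRATION_TEST_SELECT_FLAGS = --istio.test.select=$(TEST_SELECT)`. If an override is intended, a comment saying which of the two takes precedence would prevent the same kind of confusion this commit is fixing.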
@@ -211,7 +211,7 @@ func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Pr // make sure that there is some server listening on this port if _, ok := merged.ServersByRouteName[routeName]; !ok { - log.Warnf("Gateway missing for route %s. This is normal if gateway was recently deleted. Have %v", routeName, merged.ServersByRouteName) + log.Warnf("Gateway missing for route %s. This is normal if gateway was recently deleted.", routeName) // This can happen when a gateway has recently been deleted. Envoy will still request route // information due to the draining of listeners, so we should not return an error. From bae28dde42cf54e213d4c6bcd9c930f8d9ee60c4 Mon Sep 17 00:00:00 2001 From: John Howard Date: Fri, 17 Jul 2020 10:41:13 -0700 Subject: [PATCH 08/82] 1.6: Trigger endpoint update when pod comes in (#25161) (#25579) * 1.6: Trigger endpoint update when pod comes in (#25161) * change log * change debug log --- .../kube/controller/controller.go | 70 +++++-- .../kube/controller/controller_test.go | 174 +++++++++++++----- .../kube/controller/endpoints.go | 16 +- .../kube/controller/endpointsdiscovery.go | 4 + .../kube/controller/endpointslice.go | 31 ++-- .../serviceregistry/kube/controller/pod.go | 45 ++++- .../kube/controller/pod_test.go | 2 +- 7 files changed, 261 insertions(+), 81 deletions(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index 36f1ae0674e..f80769ba5d9 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go 
@@ -88,15 +88,23 @@ var ( "Events from k8s registry.", monitoring.WithLabels(typeTag, eventTag), ) - + // nolint: gocritic + // This is deprecated in favor of `pilot_k8s_endpoints_pending_pod`, which is a gauge indicating the number of + // currently missing pods. This helps distinguish transient errors from permanent ones endpointsWithNoPods = monitoring.NewSum( "pilot_k8s_endpoints_with_no_pods", "Endpoints that does not have any corresponding pods.") + + endpointsPendingPodUpdate = monitoring.NewGauge( + "pilot_k8s_endpoints_pending_pod", + "Number of endpoints that do not currently have any corresponding pods.", + ) ) func init() { monitoring.MustRegister(k8sEvents) monitoring.MustRegister(endpointsWithNoPods) + monitoring.MustRegister(endpointsPendingPodUpdate) } func incrementEvent(kind, event string) { @@ -259,7 +267,16 @@ func NewController(client kubernetes.Interface, metadataClient metadata.Interfac registerHandlers(c.filteredNodeInformer, c.queue, "Nodes", c.onNodeEvent) podInformer := sharedInformers.Core().V1().Pods().Informer() - c.pods = newPodCache(podInformer, c) + c.pods = newPodCache(podInformer, c, func(key string) { + item, exists, err := c.endpoints.getInformer().GetStore().GetByKey(key) + if err != nil || !exists { + log.Debugf("Endpoint %v lookup failed, skipping stale endpoint. error: %v", key, err) + return + } + c.queue.Push(func() error { + return c.endpoints.onEvent(item, model.EventUpdate) + }) + }) registerHandlers(podInformer, c.queue, "Pods", c.pods.onEvent) return c 
@@ -1006,7 +1023,35 @@ func (c *Controller) AppendInstanceHandler(f func(*model.ServiceInstance, model. return nil } -func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event) { +func getPod(c *Controller, ip string, ep *metav1.ObjectMeta, targetRef *v1.ObjectReference, host host.Name) *v1.Pod { + pod := c.pods.getPodByIP(ip) + if pod != nil { + return pod + } + // This means, the endpoint event has arrived before pod event. + // This might happen because PodCache is eventually consistent. + if targetRef != nil && targetRef.Kind == "Pod" { + key := kube.KeyFunc(targetRef.Name, targetRef.Namespace) + // There is a small chance getInformer may have the pod, but it hasn't + // made its way to the PodCache yet as it a shared queue. + podFromInformer, f, err := c.pods.informer.GetStore().GetByKey(key) + if err != nil || !f { + log.Debugf("Endpoint without pod %s %s.%s error: %v", ip, ep.Name, ep.Namespace, err) + endpointsWithNoPods.Increment() + if c.metrics != nil { + c.metrics.AddMetric(model.EndpointNoPod, string(host), nil, ip) + } + // Tell pod cache we want to queue the endpoint event when this pod arrives. + epkey := kube.KeyFunc(ep.Name, ep.Namespace) + c.pods.recordNeedsUpdate(epkey, ip) + return nil + } + pod = podFromInformer.(*v1.Pod) + } + return pod +} + +func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event, epc *endpointsController) { hostname := kube.ServiceHostname(ep.Name, ep.Namespace, c.domainSuffix) c.RLock() 
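Review bot: getPod returns nil both when a Pod is referenced but not yet known and when the address has no Pod `TargetRef` at all, and the callers in updateEDS (next hunk) and in endpointslice.go's updateEDS now `continue` on any nil. The removed code skipped the address only in the first case and otherwise went on to build the endpoint with a nil pod. After this change, addresses that are not backed by a pod (the removed endpointslice.go comment mentions services without a selector) are dropped from EDS. Returning a second value that says whether a pod was expected lets both callers keep the old behaviour with `if pod == nil && expectPod { continue }`. A doc comment on getPod describing the two nil cases would make the contract explicit.

```go
func getPod(c *Controller, ip string, ep *metav1.ObjectMeta, targetRef *v1.ObjectReference, host host.Name) (pod *v1.Pod, expectPod bool) {
	pod = c.pods.getPodByIP(ip)
	if pod != nil {
		return pod, false
	}
	if targetRef != nil && targetRef.Kind == "Pod" {
		// … unchanged: informer store lookup by key …
		if err != nil || !f {
			// … unchanged: debug log, metrics, recordNeedsUpdate …
			return nil, true
		}
		pod = podFromInformer.(*v1.Pod)
	}
	// No Pod is referenced: the caller may still build the endpoint without pod data.
	return pod, false
}
```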
@@ -1020,22 +1065,9 @@ func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event) { if event != model.EventDelete { for _, ss := range ep.Subsets { for _, ea := range ss.Addresses { - pod := c.pods.getPodByIP(ea.IP) + pod := getPod(c, ea.IP, &metav1.ObjectMeta{Name: ep.Name, Namespace: ep.Namespace}, ea.TargetRef, hostname) if pod == nil { - // This means, the endpoint event has arrived before pod event. This might happen because - // PodCache is eventually consistent. We should try to get the pod from kube-api server. - if ea.TargetRef != nil && ea.TargetRef.Kind == "Pod" { - pod = c.pods.getPod(ea.TargetRef.Name, ea.TargetRef.Namespace) - if pod == nil { - // If pod is still not available, this an unusual case. - endpointsWithNoPods.Increment() - log.Errorf("Endpoint without pod %s %s.%s", ea.IP, ep.Name, ep.Namespace) - if c.metrics != nil { - c.metrics.AddMetric(model.EndpointNoPod, string(hostname), nil, ea.IP) - } - continue - } - } + continue } builder := NewEndpointBuilder(c, pod) @@ -1048,6 +1080,8 @@ func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event) { } } } + } else { + epc.forgetEndpoint(ep) } log.Debugf("Handle EDS: %d endpoints for %s in namespace %s", len(endpoints), ep.Name, ep.Namespace) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller_test.go b/pilot/pkg/serviceregistry/kube/controller/controller_test.go index 0eafdc6f725..b0a5eba9821 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller_test.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller_test.go @@ -26,6 +26,7 @@ import ( core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" coreV1 "k8s.io/api/core/v1" discoveryv1alpha1 "k8s.io/api/discovery/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -47,6 +48,7 @@ import ( "istio.io/istio/pkg/config/protocol" "istio.io/istio/pkg/spiffe" "istio.io/istio/pkg/test" + "istio.io/istio/pkg/test/util/retry" ) const ( @@ -82,6 +84,9 @@ type XdsEvent struct { // The id of the event ID string + + // The endpoints associated with an EDS push if any + Endpoints []*model.IstioEndpoint } // NewFakeXDS creates a XdsUpdater reporting events via a channel. @@ -94,7 +99,7 @@ func NewFakeXDS() *FakeXdsUpdater { func (fx *FakeXdsUpdater) EDSUpdate(_, hostname string, _ string, entry []*model.IstioEndpoint) error { if len(entry) > 0 { select { - case fx.Events <- XdsEvent{Type: "eds", ID: hostname}: + case fx.Events <- XdsEvent{Type: "eds", ID: hostname, Endpoints: entry}: default: } @@ -1403,7 +1408,12 @@ func createEndpoints(controller *Controller, name, namespace string, portNames, }}, } if _, err := controller.client.CoreV1().Endpoints(namespace).Create(context.TODO(), endpoint, metaV1.CreateOptions{}); err != nil { - t.Fatalf("failed to create endpoints %s in namespace %s (error %v)", name, namespace, err) + if errors.IsAlreadyExists(err) { + _, err = controller.client.CoreV1().Endpoints(namespace).Update(context.TODO(), endpoint, metaV1.UpdateOptions{}) + } + if err != nil { + t.Fatalf("failed to create endpoints %s in namespace %s (error %v)", name, namespace, err) + } } // Create endpoint slice as well 
@@ -1424,13 +1434,24 @@ func createEndpoints(controller *Controller, name, namespace string, portNames, Endpoints: []discoveryv1alpha1.Endpoint{ { Addresses: ips, + TargetRef: &coreV1.ObjectReference{ + Kind: "Pod", + Name: name, + Namespace: namespace, + }, }, }, Ports: esps, } if _, err := controller.client.DiscoveryV1alpha1().EndpointSlices(namespace).Create(context.TODO(), endpointSlice, metaV1.CreateOptions{}); err != nil { - t.Errorf("failed to create endpoint slice %s in namespace %s (error %v)", name, namespace, err) + if errors.IsAlreadyExists(err) { + _, err = controller.client.DiscoveryV1alpha1().EndpointSlices(namespace).Update(context.TODO(), endpointSlice, metaV1.UpdateOptions{}) + } + if err != nil { + t.Fatalf("failed to create endpoint slice %s in namespace %s (error %v)", name, namespace, err) + } } + } func updateEndpoints(controller *Controller, name, namespace string, portNames, ips []string, t *testing.T) { @@ -1802,7 +1823,7 @@ func TestEndpointUpdate(t *testing.T) { } } -// Validates that when Pilot sees Endpoint before the corresponding Pod, it loads Pod from K8S and proceed. +// Validates that when Pilot sees Endpoint before the corresponding Pod, it triggers endpoint event on pod event. func TestEndpointUpdateBeforePodUpdate(t *testing.T) { for mode, name := range EndpointModeNames { mode := mode 
@@ -1810,58 +1831,123 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { controller, fx := newFakeControllerWithOptions(fakeControllerOptions{mode: mode}) // Setup kube caches defer controller.Stop() - pod1 := generatePod("172.0.1.1", "pod1", "nsA", "", "node1", map[string]string{"app": "prod-app"}, map[string]string{}) - pod2 := generatePod("172.0.1.2", "pod2", "nsA", "", "node2", map[string]string{"app": "prod-app"}, map[string]string{}) - - pods := []*coreV1.Pod{pod1, pod2} - nodes := []*coreV1.Node{ - generateNode("node1", map[string]string{NodeZoneLabel: "zone1", NodeRegionLabel: "region1", IstioSubzoneLabel: "subzone1"}), - generateNode("node2", map[string]string{NodeZoneLabel: "zone2", NodeRegionLabel: "region2", IstioSubzoneLabel: "subzone2"}), - } - addNodes(t, controller, nodes...) - addPods(t, controller, pods...) - for _, pod := range pods { + addNodes(t, controller, generateNode("node1", map[string]string{NodeZoneLabel: "zone1", NodeRegionLabel: "region1", IstioSubzoneLabel: "subzone1"})) + // Setup help functions to make the test more explicit + addPod := func(name, ip string) { + pod := generatePod(ip, name, "nsA", "", "node1", map[string]string{"app": "prod-app"}, map[string]string{}) + addPods(t, controller, pod) if err := waitForPod(controller, pod.Status.PodIP); err != nil { t.Fatalf("wait for pod err: %v", err) } // pod first time occur will trigger proxy push if ev := fx.Wait("proxy"); ev == nil { - t.Fatal("Timeout creating service") + t.Fatal("Timeout creating pod") } } - // create service - createService(controller, "pod1", "nsA", nil, - []int32{8080}, map[string]string{"app": "prod-app"}, t) - if ev := fx.Wait("service"); ev == nil { - t.Fatal("Timeout creating service") + deletePod := func(name, ip string) { + if err := controller.client.CoreV1().Pods("nsA").Delete(context.TODO(), name, metaV1.DeleteOptions{}); err != nil { + t.Fatal(err) + } + retry.UntilSuccessOrFail(t, func() error { + controller.pods.RLock() + defer 
controller.pods.RUnlock() + if _, ok := controller.pods.podsByIP[ip]; ok { + return fmt.Errorf("pod still present") + } + return nil + }, retry.Timeout(time.Second)) } + addService := func(name string) { + // create service + createService(controller, name, "nsA", nil, + []int32{8080}, map[string]string{"app": "prod-app"}, t) + if ev := fx.Wait("service"); ev == nil { + t.Fatal("Timeout creating service") + } - // Create Endpoints for pod1 and validate that EDS is triggered. - pod1Ips := []string{"172.0.1.1"} - portNames := []string{"tcp-port"} - createEndpoints(controller, "pod1", "nsA", portNames, pod1Ips, t) - if ev := fx.Wait("eds"); ev == nil { - t.Fatalf("Timeout incremental eds") } - - // Now delete pod2, from PodCache and send Endpoints. This simulates the case that endpoint comes - // when PodCache does not yet have entry for the pod. - _ = controller.pods.onEvent(pod2, model.EventDelete) - - // create service - createService(controller, "pod2", "nsA", nil, - []int32{8080}, map[string]string{"app": "prod-app"}, t) - if ev := fx.Wait("service"); ev == nil { - t.Fatal("Timeout creating service") + addEndpoint := func(svcName string, ips ...string) { + createEndpoints(controller, svcName, "nsA", []string{"tcp-port"}, ips, t) } - - pod2Ips := []string{"172.0.1.2"} - createEndpoints(controller, "pod2", "nsA", portNames, pod2Ips, t) - - // Validate that EDS is triggered with endpoints. 
- if ev := fx.Wait("eds"); ev == nil { - t.Fatalf("Timeout incremental eds") + assertEndpointsEvent := func(expected ...string) { + t.Helper() + ev := fx.Wait("eds") + if ev == nil { + t.Fatalf("Timeout eds") + } + ips := []string{} + for _, e := range ev.Endpoints { + ips = append(ips, e.Address) + } + if !reflect.DeepEqual(expected, ips) { + t.Fatalf("expected ips %v, got %v", expected, ips) + } + } + assertPendingResync := func(expected int) { + t.Helper() + retry.UntilSuccessOrFail(t, func() error { + controller.pods.RLock() + defer controller.pods.RUnlock() + if len(controller.pods.needResync) != expected { + return fmt.Errorf("expected %d pods needing resync, got %d", expected, len(controller.pods.needResync)) + } + return nil + }, retry.Timeout(time.Second)) + } + + // standard ordering + addService("svc") + addPod("pod1", "172.0.1.1") + addEndpoint("svc", "172.0.1.1") + assertEndpointsEvent("172.0.1.1") + fx.Clear() + + // Create the endpoint, then later add the pod. Should eventually get an update for the endpoint + addEndpoint("svc", "172.0.1.1", "172.0.1.2") + assertEndpointsEvent("172.0.1.1") + fx.Clear() + addPod("pod2", "172.0.1.2") + assertEndpointsEvent("172.0.1.1", "172.0.1.2") + + // Delete a pod before the endpoint + addEndpoint("svc", "172.0.1.1") + deletePod("pod2", "172.0.1.2") + assertEndpointsEvent("172.0.1.1") + fx.Clear() + + // add another service + addService("other") + // Add endpoints for the new service, and the old one. 
Both should be missing the last IP + addEndpoint("other", "172.0.1.1", "172.0.1.2") + addEndpoint("svc", "172.0.1.1", "172.0.1.2") + assertEndpointsEvent("172.0.1.1") + assertEndpointsEvent("172.0.1.1") + fx.Clear() + // Add the pod, expect the endpoints update for both + addPod("pod2", "172.0.1.2") + assertEndpointsEvent("172.0.1.1", "172.0.1.2") + assertEndpointsEvent("172.0.1.1", "172.0.1.2") + + // Check for memory leaks + assertPendingResync(0) + addEndpoint("svc", "172.0.1.1", "172.0.1.2", "172.0.1.3") + // This is really an implementation detail here - but checking to sanity check our test + assertPendingResync(1) + // Remove the endpoint again, with no pod events in between. Should have no memory leaks + addEndpoint("svc", "172.0.1.1", "172.0.1.2") + // TODO this case would leak + //assertPendingResync(0) + + // completely remove the endpoint + addEndpoint("svc", "172.0.1.1", "172.0.1.2", "172.0.1.3") + assertPendingResync(1) + if err := controller.client.CoreV1().Endpoints("nsA").Delete(context.TODO(), "svc", metaV1.DeleteOptions{}); err != nil { + t.Fatal(err) + } + if err := controller.client.DiscoveryV1alpha1().EndpointSlices("nsA").Delete(context.TODO(), "svc", metaV1.DeleteOptions{}); err != nil { + t.Fatal(err) } + assertPendingResync(0) }) } } diff --git a/pilot/pkg/serviceregistry/kube/controller/endpoints.go b/pilot/pkg/serviceregistry/kube/controller/endpoints.go index 1690d6b8023..851e6c3b8f3 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpoints.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpoints.go 
@@ -214,6 +214,20 @@ func (e *endpointsController) onEvent(curr interface{}, event model.Event) error return e.handleEvent(ep.Name, ep.Namespace, event, curr, func(obj interface{}, event model.Event) { ep := obj.(*v1.Endpoints) - e.c.updateEDS(ep, event) + e.c.updateEDS(ep, event, e) }) } + +func (e *endpointsController) getInformer() cache.SharedIndexInformer { + return e.informer +} + +func (e *endpointsController) forgetEndpoint(endpoint interface{}) { + ep := endpoint.(*v1.Endpoints) + key := kube.KeyFunc(ep.Name, ep.Namespace) + for _, ss := range ep.Subsets { + for _, ea := range ss.Addresses { + e.c.pods.dropNeedsUpdate(key, ea.IP) + } + } +} diff --git a/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go b/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go index c9f4bfc25a4..ea7ad5b7b27 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go @@ -32,6 +32,10 @@ import ( type kubeEndpointsController interface { HasSynced() bool Run(stopCh <-chan struct{}) + getInformer() cache.SharedIndexInformer + onEvent(curr interface{}, event model.Event) error + // forgetEndpoint does internal bookkeeping on a deleted endpoint + forgetEndpoint(endpoint interface{}) InstancesByPort(c *Controller, svc *model.Service, reqSvcPort int, labelsList labels.Collection) ([]*model.ServiceInstance, error) GetProxyServiceInstances(c *Controller, proxy *model.Proxy) []*model.ServiceInstance diff --git a/pilot/pkg/serviceregistry/kube/controller/endpointslice.go b/pilot/pkg/serviceregistry/kube/controller/endpointslice.go index 3ce4438020b..89c6d54feef 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpointslice.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpointslice.go 
@@ -19,6 +19,7 @@ import ( v1 "k8s.io/api/core/v1" discoveryv1alpha1 "k8s.io/api/discovery/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" klabels "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/informers" discoverylister "k8s.io/client-go/listers/discovery/v1alpha1" @@ -76,19 +77,9 @@ func (esc *endpointSliceController) updateEDS(es interface{}, event model.Event) continue } for _, a := range e.Addresses { - pod := esc.c.pods.getPodByIP(a) + pod := getPod(esc.c, a, &metav1.ObjectMeta{Name: slice.Name, Namespace: slice.Namespace}, e.TargetRef, hostname) if pod == nil { - // This can not happen in usual case - if e.TargetRef != nil && e.TargetRef.Kind == "Pod" { - log.Warnf("Endpoint without pod %s %s.%s", a, svcName, slice.Namespace) - - if esc.c.metrics != nil { - esc.c.metrics.AddMetric(model.EndpointNoPod, string(hostname), nil, a) - } - // TODO: keep them in a list, and check when pod events happen ! - continue - } - // For service without selector, maybe there are no related pods + continue } builder := esc.newEndpointBuilder(pod, e) @@ -109,6 +100,8 @@ func (esc *endpointSliceController) updateEDS(es interface{}, event model.Event) } } } + } else { + esc.forgetEndpoint(es) } esc.endpointCache.Update(hostname, slice.Name, endpoints) @@ -330,3 +323,17 @@ func (e *endpointSliceCache) Get(hostname host.Name) []*model.IstioEndpoint { } return endpoints } + +func (esc *endpointSliceController) getInformer() cache.SharedIndexInformer { + return esc.informer +} + +func (esc *endpointSliceController) forgetEndpoint(endpoint interface{}) { + slice := endpoint.(*discoveryv1alpha1.EndpointSlice) + key := kube.KeyFunc(slice.Name, slice.Namespace) + for _, e := range slice.Endpoints { + for _, a := range e.Addresses { + esc.c.pods.dropNeedsUpdate(key, a) + } + } +} diff --git a/pilot/pkg/serviceregistry/kube/controller/pod.go b/pilot/pkg/serviceregistry/kube/controller/pod.go index f8d357e3d50..020d7e19098 100644 
--- a/pilot/pkg/serviceregistry/kube/controller/pod.go +++ b/pilot/pkg/serviceregistry/kube/controller/pod.go @@ -27,6 +27,7 @@ import ( "istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/serviceregistry/kube" + "istio.io/istio/pilot/pkg/util/sets" ) // PodCache is an eventually consistent pod cache @@ -42,15 +43,21 @@ type PodCache struct { // pod cache if a pod changes IP. IPByPods map[string]string + // map of IP to endpoint names + needResync map[string]sets.Set + endpointUpdate func(string) + c *Controller } -func newPodCache(informer cache.SharedIndexInformer, c *Controller) *PodCache { +func newPodCache(informer cache.SharedIndexInformer, c *Controller, endpointUpdate func(string)) *PodCache { out := &PodCache{ - informer: informer, - c: c, - podsByIP: make(map[string]string), - IPByPods: make(map[string]string), + informer: informer, + c: c, + podsByIP: make(map[string]string), + IPByPods: make(map[string]string), + needResync: make(map[string]sets.Set), + endpointUpdate: endpointUpdate, } return out @@ -135,9 +142,37 @@ func (pc *PodCache) update(ip, key string) { pc.podsByIP[ip] = key pc.IPByPods[key] = ip + if endpointsToUpdate, f := pc.needResync[ip]; f { + delete(pc.needResync, ip) + for ep := range endpointsToUpdate { + pc.endpointUpdate(ep) + } + } + pc.proxyUpdates(ip) } +func (pc *PodCache) recordNeedsUpdate(key, ip string) { + pc.Lock() + defer pc.Unlock() + if _, f := pc.needResync[ip]; !f { + pc.needResync[ip] = sets.NewSet(key) + } else { + pc.needResync[ip].Insert(key) + } + endpointsPendingPodUpdate.Record(float64(len(pc.needResync))) +} + +func (pc *PodCache) dropNeedsUpdate(key string, ip string) { + pc.Lock() + defer pc.Unlock() + delete(pc.needResync[ip], key) + if len(pc.needResync[ip]) == 0 { + delete(pc.needResync, ip) + } + endpointsPendingPodUpdate.Record(float64(len(pc.needResync))) +} + func (pc *PodCache) proxyUpdates(ip string) { if pc.c != nil && pc.c.xdsUpdater != nil { pc.c.xdsUpdater.ProxyUpdate(pc.c.clusterID, ip) 
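Review bot: In `update` the entry is removed with `delete(pc.needResync, ip)` but `endpointsPendingPodUpdate` is not re-recorded, so the `pilot_k8s_endpoints_pending_pod` gauge keeps its old value until the next recordNeedsUpdate or dropNeedsUpdate call; adding `endpointsPendingPodUpdate.Record(float64(len(pc.needResync)))` after the delete fixes that. `pc.endpointUpdate(ep)` is called without a nil check although pod_test.go builds the cache with a nil callback; wrapping the loop in `if pc.endpointUpdate != nil` makes that safe. Entries are dropped only when the pod arrives or the whole endpoint is deleted, so an address removed from an Endpoints object before its pod shows up stays in `needResync` and the map can grow over the life of the process. The commented-out `assertPendingResync(0)` in controller_test.go marks that case. `update` starts outside the hunk, so whether the callback runs while the cache lock is held cannot be confirmed from here.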
diff --git a/pilot/pkg/serviceregistry/kube/controller/pod_test.go b/pilot/pkg/serviceregistry/kube/controller/pod_test.go index a22e7548213..28543108283 100644 --- a/pilot/pkg/serviceregistry/kube/controller/pod_test.go +++ b/pilot/pkg/serviceregistry/kube/controller/pod_test.go @@ -224,7 +224,7 @@ func TestPodCacheEvents(t *testing.T) { t.Parallel() c, fx := newFakeControllerWithOptions(fakeControllerOptions{mode: EndpointsOnly}) defer c.Stop() - podCache := newPodCache(nil, c) + podCache := newPodCache(nil, c, nil) f := podCache.onEvent From 0f49eca87a408afb8e80f046f090546f412e4712 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 17 Jul 2020 10:41:21 -0700 Subject: [PATCH 09/82] Optimize ResolveGatewayName (#25611) In large clusters this has been shown to uses ~20% of CPU and ~10% of allocations BenchmarkResolveGatewayName/old-8 10342688 1222 ns/op 320 B/op 16 allocs/op BenchmarkResolveGatewayName/new-8 39173893 322 ns/op 64 B/op 4 allocs/op Co-authored-by: John Howard --- pilot/pkg/model/config.go | 12 +++--- pilot/pkg/model/virtualservice_test.go | 51 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 6 deletions(-) diff --git a/pilot/pkg/model/config.go b/pilot/pkg/model/config.go index 23b3edf1350..cef11b0e15d 100644 --- a/pilot/pkg/model/config.go +++ b/pilot/pkg/model/config.go 
@@ -370,17 +370,17 @@ func resolveGatewayName(gwname string, meta ConfigMeta) string { if !strings.Contains(gwname, "/") { if !strings.Contains(gwname, ".") { // we have a short name. Resolve to a gateway in same namespace - out = fmt.Sprintf("%s/%s", meta.Namespace, gwname) + out = meta.Namespace + "/" + gwname } else { // parse namespace from FQDN. This is very hacky, but meant for backward compatibility only - parts := strings.Split(gwname, ".") - out = fmt.Sprintf("%s/%s", parts[1], parts[0]) + i := strings.Index(gwname, ".") + out = gwname[i+1:] + "/" + gwname[:i] } } else { // remove the . from ./gateway and substitute it with the namespace name - parts := strings.Split(gwname, "/") - if parts[0] == "." { - out = fmt.Sprintf("%s/%s", meta.Namespace, parts[1]) + i := strings.Index(gwname, "/") + if gwname[:i] == "." { + out = meta.Namespace + "/" + gwname[i+1:] } } return out diff --git a/pilot/pkg/model/virtualservice_test.go b/pilot/pkg/model/virtualservice_test.go index ab77b50b2e9..ecfdb04ad2a 100644 --- a/pilot/pkg/model/virtualservice_test.go +++ b/pilot/pkg/model/virtualservice_test.go @@ -15,6 +15,7 @@ package model import ( + "fmt" "reflect" "testing" 
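Review bot: The FQDN branch of `resolveGatewayName` now takes everything after the first dot as the namespace (`gwname[i+1:]`), whereas the removed code used only the second label (`parts[1]`), so a name with more than two labels (a constructed example: `gateway.default.svc.cluster.local`) would resolve to `default.svc.cluster.local/gateway` instead of `default/gateway`. The resolved string is the key virtual services are bound to gateways by, so such a binding would silently stop matching rather than fail. The namespace should be cut at the next dot as in the fence below, and the test table added in virtualservice_test.go has no multi-label case that would catch this. The `./gateway` branch is equivalent to the old code.

```go
// … unchanged: short-name branch …
} else {
	// parse namespace from FQDN: name.ns[.rest] -> ns/name (backward compatibility only)
	i := strings.Index(gwname, ".")
	ns := gwname[i+1:]
	if j := strings.Index(ns, "."); j >= 0 {
		ns = ns[:j]
	}
	out = ns + "/" + gwname[:i]
}
// … unchanged: "./gateway" branch …
```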
@@ -1582,3 +1583,53 @@ func TestFuzzMergeHttpMatchRequest(t *testing.T) { t.Errorf("%s", cmp.Diff(merged, root)) } } + +var gatewayNameTests = []struct { + gateway string + namespace string + resolved string +}{ + { + "./gateway", + "default", + "default/gateway", + }, + { + "gateway", + "default", + "default/gateway", + }, + { + "default/gateway", + "foo", + "default/gateway", + }, + { + "gateway.default", + "default", + "default/gateway", + }, + { + "gateway.default", + "foo", + "default/gateway", + }, +} + +func TestResolveGatewayName(t *testing.T) { + for _, tt := range gatewayNameTests { + t.Run(fmt.Sprintf("%s-%s", tt.gateway, tt.namespace), func(t *testing.T) { + if got := resolveGatewayName(tt.gateway, ConfigMeta{Namespace: tt.namespace}); got != tt.resolved { + t.Fatalf("expected %q got %q", tt.resolved, got) + } + }) + } +} + +func BenchmarkResolveGatewayName(b *testing.B) { + for i := 0; i < b.N; i++ { + for _, tt := range gatewayNameTests { + _ = resolveGatewayName(tt.gateway, ConfigMeta{Namespace: tt.namespace}) + } + } +} From 0a159e73e98842506a5f961cba0fb137c13ac08e Mon Sep 17 00:00:00 2001 From: John Howard Date: Fri, 17 Jul 2020 10:41:29 -0700 Subject: [PATCH 10/82] 1.6: pilot: fix n^2 scaling behavior with gateways (#25613) Cherrypick of https://github.com/istio/istio/pull/25136/ to 1.6 --- pilot/pkg/model/push_context.go | 151 +++++++++--------- pilot/pkg/model/sidecar.go | 6 +- pilot/pkg/model/sidecar_test.go | 5 +- pilot/pkg/networking/core/v1alpha3/gateway.go | 44 ++--- 4 files changed, 101 insertions(+), 105 deletions(-) diff --git a/pilot/pkg/model/push_context.go b/pilot/pkg/model/push_context.go index 5e80035c82d..566ad184510 100644 --- a/pilot/pkg/model/push_context.go +++ b/pilot/pkg/model/push_context.go 
@@ -85,8 +85,10 @@ type PushContext struct { QuotaSpecBinding []Config `json:"-"` // VirtualService related - privateVirtualServicesByNamespace map[string][]Config - publicVirtualServices []Config + // this contains all the virtual services with exportTo "." and current namespace. The keys are namespace,gateway. + privateVirtualServicesByNamespaceAndGateway map[string]map[string][]Config + // This contains all virtual services whose exportTo is "*", keyed by gateway + publicVirtualServicesByGateway map[string][]Config // destination rules are of two types: // namespaceLocalDestRules: all public/private dest rules pertaining to a service defined in a given namespace 
@@ -443,19 +445,19 @@ func init() { func NewPushContext() *PushContext { // TODO: detect push in progress, don't update status if set return &PushContext{ - publicServices: []*Service{}, - privateServicesByNamespace: map[string][]*Service{}, - publicVirtualServices: []Config{}, - privateVirtualServicesByNamespace: map[string][]Config{}, - namespaceLocalDestRules: map[string]*processedDestRules{}, - namespaceExportedDestRules: map[string]*processedDestRules{}, - sidecarsByNamespace: map[string][]*SidecarScope{}, - envoyFiltersByNamespace: map[string][]*EnvoyFilterWrapper{}, - gatewaysByNamespace: map[string][]Config{}, - allGateways: []Config{}, - ServiceByHostnameAndNamespace: map[host.Name]map[string]*Service{}, - ProxyStatus: map[string]map[string]ProxyPushStatus{}, - ServiceAccounts: map[host.Name]map[int][]string{}, + publicServices: []*Service{}, + privateServicesByNamespace: map[string][]*Service{}, + publicVirtualServicesByGateway: map[string][]Config{}, + privateVirtualServicesByNamespaceAndGateway: map[string]map[string][]Config{}, + namespaceLocalDestRules: map[string]*processedDestRules{}, + namespaceExportedDestRules: map[string]*processedDestRules{}, + sidecarsByNamespace: map[string][]*SidecarScope{}, + envoyFiltersByNamespace: map[string][]*EnvoyFilterWrapper{}, + gatewaysByNamespace: map[string][]Config{}, + allGateways: []Config{}, + ServiceByHostnameAndNamespace: map[host.Name]map[string]*Service{}, + ProxyStatus: map[string]map[string]ProxyPushStatus{}, + ServiceAccounts: map[host.Name]map[int][]string{}, } } @@ -527,8 +529,6 @@ func virtualServiceDestinations(v *networking.VirtualService) []*networking.Dest // GatewayServices returns the set of services which are referred from the proxy gateways. func (ps *PushContext) GatewayServices(proxy *Proxy) []*Service { svcs := ps.Services(proxy) - // gateway set. - gateways := map[string]bool{} // host set. hostsFromGateways := map[string]struct{}{} 
@@ -539,19 +539,16 @@ func (ps *PushContext) GatewayServices(proxy *Proxy) []*Service { } for _, gw := range proxy.MergedGateway.GatewayNameForServer { - gateways[gw] = true - } - log.Debugf("GatewayServices: gateway %v has following gw resources:%v", proxy.ID, gateways) - - for _, vsConfig := range ps.VirtualServices(proxy, gateways) { - vs, ok := vsConfig.Spec.(*networking.VirtualService) - if !ok { // should never happen - log.Errorf("Failed in getting a virtual service: %v", vsConfig.Labels) - return svcs - } + for _, vsConfig := range ps.VirtualServicesForGateway(proxy, gw) { + vs, ok := vsConfig.Spec.(*networking.VirtualService) + if !ok { // should never happen + log.Errorf("Failed in getting a virtual service: %v", vsConfig.Labels) + return svcs + } - for _, d := range virtualServiceDestinations(vs) { - hostsFromGateways[d.Host] = struct{}{} + for _, d := range virtualServiceDestinations(vs) { + hostsFromGateways[d.Host] = struct{}{} + } } } 
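Review bot: The loop over `proxy.MergedGateway.GatewayNameForServer` now calls `VirtualServicesForGateway` once per server instead of once per gateway, because the removed `gateways` set was what collapsed repeated names. If several servers map to the same gateway name (which the server-keyed map suggests is possible), the same virtual services are walked once per server; the result is a host set, so only the work is repeated, not the output. A small seen-set restores the old cost: `if _, ok := seen[gw]; ok { continue }` followed by `seen[gw] = struct{}{}`. The body of `GatewayServices` starts and ends outside this hunk.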
@@ -597,48 +594,10 @@ func (ps *PushContext) Services(proxy *Proxy) []*Service { return out } -// VirtualServices lists all virtual services bound to the specified gateways -// This replaces store.VirtualServices. Used only by the gateways -// Sidecars use the egressListener.VirtualServices(). -func (ps *PushContext) VirtualServices(proxy *Proxy, gateways map[string]bool) []Config { - configs := make([]Config, 0) - out := make([]Config, 0) - - // filter out virtual services not reachable - // First private virtual service - if proxy == nil { - for _, virtualSvcs := range ps.privateVirtualServicesByNamespace { - configs = append(configs, virtualSvcs...) - } - } else { - configs = append(configs, ps.privateVirtualServicesByNamespace[proxy.ConfigNamespace]...) - } - // Second public virtual service - configs = append(configs, ps.publicVirtualServices...) - - for _, cfg := range configs { - rule := cfg.Spec.(*networking.VirtualService) - if len(rule.Gateways) == 0 { - // This rule applies only to IstioMeshGateway - if _, ok := gateways[constants.IstioMeshGateway]; ok { - out = append(out, cfg) - } - } else { - for _, g := range rule.Gateways { - // note: Gateway names do _not_ use wildcard matching, so we do not use Name.Matches here - if _, ok := gateways[resolveGatewayName(g, cfg.ConfigMeta)]; ok { - out = append(out, cfg) - break - } else if _, ok := gateways[g]; ok && g == constants.IstioMeshGateway { - // "mesh" gateway cannot be expanded into FQDN - out = append(out, cfg) - break - } - } - } - } - - return out +func (ps *PushContext) VirtualServicesForGateway(proxy *Proxy, gateway string) []Config { + res := ps.privateVirtualServicesByNamespaceAndGateway[proxy.ConfigNamespace][gateway] + res = append(res, ps.publicVirtualServicesByGateway[gateway]...) + return res } // getSidecarScope returns a SidecarScope object associated with the 
@@ -946,8 +905,8 @@ func (ps *PushContext) updateContext( return err } } else { - ps.privateVirtualServicesByNamespace = oldPushContext.privateVirtualServicesByNamespace - ps.publicVirtualServices = oldPushContext.publicVirtualServices + ps.privateVirtualServicesByNamespaceAndGateway = oldPushContext.privateVirtualServicesByNamespaceAndGateway + ps.publicVirtualServicesByGateway = oldPushContext.publicVirtualServicesByGateway } if destinationRulesChanged { @@ -1089,8 +1048,9 @@ func (ps *PushContext) initAuthnPolicies(env *Environment) error { // Caches list of virtual services func (ps *PushContext) initVirtualServices(env *Environment) error { - ps.privateVirtualServicesByNamespace = map[string][]Config{} - ps.publicVirtualServices = []Config{} + ps.privateVirtualServicesByNamespaceAndGateway = map[string]map[string][]Config{} + ps.publicVirtualServicesByGateway = map[string][]Config{} + virtualServices, err := env.List(collections.IstioNetworkingV1Alpha3Virtualservices.Resource().GroupVersionKind(), NamespaceAll) if err != nil { return err 
@@ -1180,25 +1140,40 @@ func (ps *PushContext) initVirtualServices(env *Environment) error { for _, virtualService := range vservices { ns := virtualService.Namespace rule := virtualService.Spec.(*networking.VirtualService) + gwNames := getGatewayNames(rule, virtualService.ConfigMeta) if len(rule.ExportTo) == 0 { // No exportTo in virtualService. Use the global default // TODO: We currently only honor ., * and ~ if ps.defaultVirtualServiceExportTo[visibility.Private] { + if _, f := ps.privateVirtualServicesByNamespaceAndGateway[ns]; !f { + ps.privateVirtualServicesByNamespaceAndGateway[ns] = map[string][]Config{} + } // add to local namespace only - ps.privateVirtualServicesByNamespace[ns] = append(ps.privateVirtualServicesByNamespace[ns], virtualService) + for _, gw := range gwNames { + ps.privateVirtualServicesByNamespaceAndGateway[ns][gw] = append(ps.privateVirtualServicesByNamespaceAndGateway[ns][gw], virtualService) + } } else if ps.defaultVirtualServiceExportTo[visibility.Public] { - ps.publicVirtualServices = append(ps.publicVirtualServices, virtualService) + for _, gw := range gwNames { + ps.publicVirtualServicesByGateway[gw] = append(ps.publicVirtualServicesByGateway[gw], virtualService) + } } } else { // TODO: we currently only process the first element in the array // and currently only consider . 
or * which maps to public/private if visibility.Instance(rule.ExportTo[0]) == visibility.Private { + if _, f := ps.privateVirtualServicesByNamespaceAndGateway[ns]; !f { + ps.privateVirtualServicesByNamespaceAndGateway[ns] = map[string][]Config{} + } // add to local namespace only - ps.privateVirtualServicesByNamespace[ns] = append(ps.privateVirtualServicesByNamespace[ns], virtualService) + for _, gw := range gwNames { + ps.privateVirtualServicesByNamespaceAndGateway[ns][gw] = append(ps.privateVirtualServicesByNamespaceAndGateway[ns][gw], virtualService) + } } else { // ~ is not valid in the exportTo fields in virtualServices, services, destination rules // and we currently only allow . or *. So treat this as public export - ps.publicVirtualServices = append(ps.publicVirtualServices, virtualService) + for _, gw := range gwNames { + ps.publicVirtualServicesByGateway[gw] = append(ps.publicVirtualServicesByGateway[gw], virtualService) + } } } } @@ -1206,6 +1181,24 @@ func (ps *PushContext) initVirtualServices(env *Environment) error { return nil } +var meshGateways = []string{constants.IstioMeshGateway} + +func getGatewayNames(vs *networking.VirtualService, meta ConfigMeta) []string { + if len(vs.Gateways) == 0 { + return meshGateways + } + res := make([]string, 0, len(vs.Gateways)) + for _, g := range vs.Gateways { + if g == constants.IstioMeshGateway { + res = append(res, constants.IstioMeshGateway) + } else { + name := resolveGatewayName(g, meta) + res = append(res, name) + } + } + return res +} + func (ps *PushContext) initDefaultExportMaps() { ps.defaultDestinationRuleExportTo = make(map[visibility.Instance]bool) if ps.Mesh.DefaultDestinationRuleExportTo != nil { diff --git a/pilot/pkg/model/sidecar.go b/pilot/pkg/model/sidecar.go index a7acc1d9fb3..41e31e93cc6 100644 --- a/pilot/pkg/model/sidecar.go +++ b/pilot/pkg/model/sidecar.go 
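Review bot: `getGatewayNames` can return the same name twice when a virtual service lists one gateway in two spellings (for example a short name and its `namespace/name` form, which `resolveGatewayName` maps to the same string), and `initVirtualServices` then appends the virtual service twice under that gateway key. The removed `VirtualServices` stopped at the first matching gateway with `break`, so each virtual service was returned once; callers of `VirtualServicesForGateway` would now see it twice. De-duplicating the resolved names as in the fence below keeps the old behaviour. The four `for _, gw := range gwNames` loops in `initVirtualServices` are also identical in pairs and could share one small helper.

```go
func getGatewayNames(vs *networking.VirtualService, meta ConfigMeta) []string {
	// … unchanged: empty Gateways returns meshGateways …
	seen := make(map[string]struct{}, len(vs.Gateways))
	res := make([]string, 0, len(vs.Gateways))
	for _, g := range vs.Gateways {
		name := g
		if g != constants.IstioMeshGateway {
			name = resolveGatewayName(g, meta)
		}
		if _, dup := seen[name]; dup {
			continue
		}
		seen[name] = struct{}{}
		res = append(res, name)
	}
	return res
}
```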
@@ -149,8 +149,7 @@ func DefaultSidecarScopeForNamespace(ps *PushContext, configNamespace string) *S } defaultEgressListener.services = ps.Services(&dummyNode) - meshGateway := map[string]bool{constants.IstioMeshGateway: true} - defaultEgressListener.virtualServices = ps.VirtualServices(&dummyNode, meshGateway) + defaultEgressListener.virtualServices = ps.VirtualServicesForGateway(&dummyNode, constants.IstioMeshGateway) out := &SidecarScope{ EgressListeners: []*IstioEgressListenerWrapper{defaultEgressListener}, @@ -364,8 +363,7 @@ func convertIstioListenerToWrapper(ps *PushContext, configNamespace string, ConfigNamespace: configNamespace, } - meshGateway := map[string]bool{constants.IstioMeshGateway: true} - out.virtualServices = out.selectVirtualServices(ps.VirtualServices(&dummyNode, meshGateway)) + out.virtualServices = out.selectVirtualServices(ps.VirtualServicesForGateway(&dummyNode, constants.IstioMeshGateway)) out.services = out.selectServices(ps.Services(&dummyNode), configNamespace) return out diff --git a/pilot/pkg/model/sidecar_test.go b/pilot/pkg/model/sidecar_test.go index 2a5bddd8586..10d8d482701 100644 --- a/pilot/pkg/model/sidecar_test.go +++ b/pilot/pkg/model/sidecar_test.go @@ -21,6 +21,7 @@ import ( "strings" "testing" + "istio.io/istio/pkg/config/constants" "istio.io/istio/pkg/config/schema/collections" "istio.io/api/mesh/v1alpha1" @@ -971,7 +972,7 @@ func TestCreateSidecarScope(t *testing.T) { } } if tt.virtualServices != nil { - ps.publicVirtualServices = append(ps.publicVirtualServices, tt.virtualServices...) + ps.publicVirtualServicesByGateway[constants.IstioMeshGateway] = append(ps.publicVirtualServicesByGateway[constants.IstioMeshGateway], tt.virtualServices...) } sidecarConfig := tt.sidecarConfig 
@@ -1234,7 +1235,7 @@ func TestContainsEgressDependencies(t *testing.T) { }, } ps.publicServices = append(ps.publicServices, services...) - ps.publicVirtualServices = append(ps.publicVirtualServices, virtualServices...) + ps.publicVirtualServicesByGateway[constants.IstioMeshGateway] = append(ps.publicVirtualServicesByGateway[constants.IstioMeshGateway], virtualServices...) ps.SetDestinationRules(destinationRules) sidecarScope := ConvertToSidecarScope(ps, cfg, "default") if len(tt.egress) == 0 { diff --git a/pilot/pkg/networking/core/v1alpha3/gateway.go b/pilot/pkg/networking/core/v1alpha3/gateway.go index d0d8dbde8c8..a13927e980d 100644 --- a/pilot/pkg/networking/core/v1alpha3/gateway.go +++ b/pilot/pkg/networking/core/v1alpha3/gateway.go @@ -117,7 +117,7 @@ func (configgen *ConfigGeneratorImpl) buildGatewayListeners( } else { // passthrough or tcp, yields multiple filter chains tcpChainOpts := configgen.createGatewayTCPFilterChainOpts(node, push, - server, map[string]bool{mergedGateway.GatewayNameForServer[server]: true}) + server, mergedGateway.GatewayNameForServer[server]) filterChainOpts = append(filterChainOpts, tcpChainOpts...) for i := 0; i < len(tcpChainOpts); i++ { filterChains = append(filterChains, istionetworking.FilterChain{ListenerProtocol: istionetworking.ListenerProtocolTCP}) @@ -229,7 +229,7 @@ func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Pr vHostDedupMap := make(map[host.Name]*route.VirtualHost) for _, server := range servers { gatewayName := merged.GatewayNameForServer[server] - virtualServices := push.VirtualServices(node, map[string]bool{gatewayName: true}) + virtualServices := push.VirtualServicesForGateway(node, gatewayName) for _, virtualService := range virtualServices { virtualServiceHosts := host.NewNames(virtualService.Spec.(*networking.VirtualService).Hosts) serverHosts := host.NamesForNamespace(server.Hosts, virtualService.Namespace) 
@@ -503,7 +503,7 @@ func convertTLSProtocol(in networking.ServerTLSSettings_TLSProtocol) auth.TlsPar func (configgen *ConfigGeneratorImpl) createGatewayTCPFilterChainOpts( node *model.Proxy, push *model.PushContext, server *networking.Server, - gatewaysForWorkload map[string]bool) []*filterChainOpts { + gatewayName string) []*filterChainOpts { // We have a TCP/TLS server. This could be TLS termination (user specifies server.TLS with simple/mutual) // or opaque TCP (server.TLS is nil). or it could be a TLS passthrough with SNI based routing. @@ -511,7 +511,7 @@ func (configgen *ConfigGeneratorImpl) createGatewayTCPFilterChainOpts( // This is opaque TCP server. Find matching virtual services with TCP blocks and forward if server.Tls == nil { if filters := buildGatewayNetworkFiltersFromTCPRoutes(node, - push, server, gatewaysForWorkload); len(filters) > 0 { + push, server, gatewayName); len(filters) > 0 { return []*filterChainOpts{ { sniHosts: nil, @@ -525,7 +525,7 @@ func (configgen *ConfigGeneratorImpl) createGatewayTCPFilterChainOpts( // and forward to backend // Validation ensures that non-passthrough servers will have certs if filters := buildGatewayNetworkFiltersFromTCPRoutes(node, - push, server, gatewaysForWorkload); len(filters) > 0 { + push, server, gatewayName); len(filters) > 0 { // If proxy version is over 1.1, and proxy sends metadata USER_SDS, then create SDS config for // gateway listener. return []*filterChainOpts{ @@ -538,7 +538,7 @@ func (configgen *ConfigGeneratorImpl) createGatewayTCPFilterChainOpts( } } else { // Passthrough server. - return buildGatewayNetworkFiltersFromTLSRoutes(node, push, server, gatewaysForWorkload) + return buildGatewayNetworkFiltersFromTLSRoutes(node, push, server, gatewayName) } return []*filterChainOpts{} 
@@ -548,7 +548,7 @@ func (configgen *ConfigGeneratorImpl) createGatewayTCPFilterChainOpts( // It first obtains all virtual services bound to the set of Gateways for this workload, filters them by this // server's port and hostnames, and produces network filters for each destination from the filtered services. func buildGatewayNetworkFiltersFromTCPRoutes(node *model.Proxy, push *model.PushContext, server *networking.Server, - gatewaysForWorkload map[string]bool) []*listener.Filter { + gatewayName string) []*listener.Filter { port := &model.Port{ Name: server.Port.Name, Port: int(server.Port.Number), @@ -560,7 +560,7 @@ func buildGatewayNetworkFiltersFromTCPRoutes(node *model.Proxy, push *model.Push gatewayServerHosts[host.Name(hostname)] = true } - virtualServices := push.VirtualServices(node, gatewaysForWorkload) + virtualServices := push.VirtualServicesForGateway(node, gatewayName) for _, v := range virtualServices { vsvc := v.Spec.(*networking.VirtualService) // We have two cases here: @@ -577,7 +577,7 @@ func buildGatewayNetworkFiltersFromTCPRoutes(node *model.Proxy, push *model.Push // For the moment, there can be only one match that succeeds // based on the match port/server port and the gateway name for _, tcp := range vsvc.Tcp { - if l4MultiMatch(tcp.Match, server, gatewaysForWorkload) { + if l4MultiMatch(tcp.Match, server, gatewayName) { return buildOutboundNetworkFilters(node, tcp.Route, push, port, v.ConfigMeta) } } 
@@ -590,7 +590,7 @@ func buildGatewayNetworkFiltersFromTCPRoutes(node *model.Proxy, push *model.Push // It first obtains all virtual services bound to the set of Gateways for this workload, filters them by this // server's port and hostnames, and produces network filters for each destination from the filtered services func buildGatewayNetworkFiltersFromTLSRoutes(node *model.Proxy, push *model.PushContext, server *networking.Server, - gatewaysForWorkload map[string]bool) []*filterChainOpts { + gatewayName string) []*filterChainOpts { port := &model.Port{ Name: server.Port.Name, Port: int(server.Port.Number), @@ -612,7 +612,7 @@ func buildGatewayNetworkFiltersFromTLSRoutes(node *model.Proxy, push *model.Push networkFilters: buildOutboundAutoPassthroughFilterStack(push, node, port), }) } else { - virtualServices := push.VirtualServices(node, gatewaysForWorkload) + virtualServices := push.VirtualServicesForGateway(node, gatewayName) for _, v := range virtualServices { vsvc := v.Spec.(*networking.VirtualService) // We have two cases here: @@ -632,7 +632,7 @@ func buildGatewayNetworkFiltersFromTLSRoutes(node *model.Proxy, push *model.Push // chain matches for _, tls := range vsvc.Tls { for _, match := range tls.Match { - if l4SingleMatch(convertTLSMatchToL4Match(match), server, gatewaysForWorkload) { + if l4SingleMatch(convertTLSMatchToL4Match(match), server, gatewayName) { // the sni hosts in the match will become part of a filter chain match filterChains = append(filterChains, &filterChainOpts{ sniHosts: match.SniHosts, 
@@ -687,11 +687,11 @@ func convertTLSMatchToL4Match(tlsMatch *networking.TLSMatchAttributes) *networki } } -func l4MultiMatch(predicates []*networking.L4MatchAttributes, server *networking.Server, gatewaysForWorkload map[string]bool) bool { +func l4MultiMatch(predicates []*networking.L4MatchAttributes, server *networking.Server, gatewayName string) bool { // NB from proto definitions: each set of predicates is OR'd together; inside of a predicate all conditions are AND'd. // This means we can return as soon as we get any match of an entire predicate. for _, match := range predicates { - if l4SingleMatch(match, server, gatewaysForWorkload) { + if l4SingleMatch(match, server, gatewayName) { return true } } @@ -699,9 +699,9 @@ func l4MultiMatch(predicates []*networking.L4MatchAttributes, server *networking return len(predicates) == 0 } -func l4SingleMatch(match *networking.L4MatchAttributes, server *networking.Server, gatewaysForWorkload map[string]bool) bool { +func l4SingleMatch(match *networking.L4MatchAttributes, server *networking.Server, gatewayName string) bool { // if there's no gateway predicate, gatewayMatch is true; otherwise we match against the gateways for this workload - return isPortMatch(match.Port, server) && isGatewayMatch(gatewaysForWorkload, match.Gateways) + return isPortMatch(match.Port, server) && isGatewayMatch(gatewayName, match.Gateways) } func isPortMatch(port uint32, server *networking.Server) bool { 
@@ -713,15 +713,19 @@ func isPortMatch(port uint32, server *networking.Server) bool { return portMatch } -func isGatewayMatch(gatewaysForWorkload map[string]bool, gatewayNames []string) bool { +func isGatewayMatch(gateway string, gatewayNames []string) bool { // if there's no gateway predicate, gatewayMatch is true; otherwise we match against the gateways for this workload - gatewayMatch := len(gatewayNames) == 0 + if len(gatewayNames) == 0 { + return true + } if len(gatewayNames) > 0 { for _, gatewayName := range gatewayNames { - gatewayMatch = gatewayMatch || gatewaysForWorkload[gatewayName] + if gatewayName == gateway { + return true + } } } - return gatewayMatch + return false } func getSNIHostsForServer(server *networking.Server) []string { From 73a4d209b6195cff5e557aaca16c3e860d8fcf65 Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Fri, 17 Jul 2020 23:54:26 +0530 Subject: [PATCH 11/82] disable enforcing successrate based outlier detection (#25567) Signed-off-by: Rama Chavali --- pilot/pkg/networking/core/v1alpha3/cluster.go | 4 ++++ .../pkg/networking/core/v1alpha3/cluster_test.go | 15 ++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/pilot/pkg/networking/core/v1alpha3/cluster.go b/pilot/pkg/networking/core/v1alpha3/cluster.go index 8302a7dfb0a..7396457031b 100644 --- a/pilot/pkg/networking/core/v1alpha3/cluster.go +++ b/pilot/pkg/networking/core/v1alpha3/cluster.go @@ -819,6 +819,10 @@ func applyOutlierDetection(cluster *apiv2.Cluster, outlier *networking.OutlierDe } out := &v2Cluster.OutlierDetection{} + + // SuccessRate based outlier detection should be disabled. + out.EnforcingSuccessRate = &wrappers.UInt32Value{Value: 0} + if outlier.BaseEjectionTime != nil { out.BaseEjectionTime = gogo.DurationToProtoDuration(outlier.BaseEjectionTime) } diff --git a/pilot/pkg/networking/core/v1alpha3/cluster_test.go b/pilot/pkg/networking/core/v1alpha3/cluster_test.go index 67613ea4ad9..770cd4a3d00 100644 
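Review bot: In `isGatewayMatch`, the second guard `if len(gatewayNames) > 0` is always true once the early `return true` for the empty case has run, so the `for` loop can sit directly in the function body. The comment above it still says "we match against the gateways for this workload", and the doc comments on `buildGatewayNetworkFiltersFromTCPRoutes` and `buildGatewayNetworkFiltersFromTLSRoutes` still speak of "the set of Gateways for this workload", although a single gateway name is now passed. I would reword the inline comment to `// with no gateway predicate the match succeeds; otherwise the server's gateway must be listed`.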
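Review bot: The comment added above `out.EnforcingSuccessRate = &wrappers.UInt32Value{Value: 0}` says success-rate ejection "should be disabled" but not why, and the assignment applies to every cluster that has an outlier detection policy, with no way to opt back in. A later reader cannot tell whether this is a workaround or a permanent design choice. I would expand it to something like `// Envoy enforces success-rate ejection by default and the OutlierDetection API has no field for it, so set enforcement to 0; only the consecutive-error settings below should eject hosts.`, adjusted if the actual reason differs. The body of `applyOutlierDetection` starts and ends outside this hunk.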
--- a/pilot/pkg/networking/core/v1alpha3/cluster_test.go +++ b/pilot/pkg/networking/core/v1alpha3/cluster_test.go @@ -1047,10 +1047,17 @@ func TestApplyOutlierDetection(t *testing.T) { cfg *networking.OutlierDetection o *apiv2_cluster.OutlierDetection }{ + { + "Nil outlier detection", + nil, + nil, + }, { "No outlier detection is set", &networking.OutlierDetection{}, - &apiv2_cluster.OutlierDetection{}, + &apiv2_cluster.OutlierDetection{ + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, + }, }, { "Deprecated consecutive errors is set", @@ -1061,6 +1068,7 @@ func TestApplyOutlierDetection(t *testing.T) { EnforcingConsecutive_5Xx: &wrappers.UInt32Value{Value: 0}, ConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 3}, EnforcingConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 100}, + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, }, }, { @@ -1074,6 +1082,7 @@ func TestApplyOutlierDetection(t *testing.T) { EnforcingConsecutive_5Xx: &wrappers.UInt32Value{Value: 100}, ConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 3}, EnforcingConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 100}, + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, }, }, { @@ -1084,6 +1093,7 @@ func TestApplyOutlierDetection(t *testing.T) { &apiv2_cluster.OutlierDetection{ ConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 3}, EnforcingConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 100}, + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, }, }, { @@ -1094,6 +1104,7 @@ func TestApplyOutlierDetection(t *testing.T) { &apiv2_cluster.OutlierDetection{ Consecutive_5Xx: &wrappers.UInt32Value{Value: 3}, EnforcingConsecutive_5Xx: &wrappers.UInt32Value{Value: 100}, + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, }, }, { 
@@ -1104,6 +1115,7 @@ func TestApplyOutlierDetection(t *testing.T) { &apiv2_cluster.OutlierDetection{ ConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 0}, EnforcingConsecutiveGatewayFailure: &wrappers.UInt32Value{Value: 0}, + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, }, }, { @@ -1114,6 +1126,7 @@ func TestApplyOutlierDetection(t *testing.T) { &apiv2_cluster.OutlierDetection{ Consecutive_5Xx: &wrappers.UInt32Value{Value: 0}, EnforcingConsecutive_5Xx: &wrappers.UInt32Value{Value: 0}, + EnforcingSuccessRate: &wrappers.UInt32Value{Value: 0}, }, }, } From d008f468ba1d57ba167adee1cac6d9280fdae7a6 Mon Sep 17 00:00:00 2001 From: Morven Cao Date: Mon, 20 Jul 2020 07:25:28 +0800 Subject: [PATCH 12/82] update proxy readiness probe to port 15021 and cleanup demo profile. (#25635) --- manifests/profiles/demo.yaml | 49 ++---------------------------------- 1 file changed, 2 insertions(+), 47 deletions(-) diff --git a/manifests/profiles/demo.yaml b/manifests/profiles/demo.yaml index 5c0e6a12f57..30e499b88b7 100644 --- a/manifests/profiles/demo.yaml +++ b/manifests/profiles/demo.yaml @@ -28,8 +28,8 @@ spec: # Note that AWS ELB will by default perform health checks on the first port # on this list. Setting this to the health check port will ensure that health # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15020 - targetPort: 15020 + - port: 15021 + targetPort: 15021 name: status-port - port: 80 targetPort: 8080 @@ -45,36 +45,9 @@ spec: targetPort: 15443 name: tls - policy: - enabled: false - k8s: - resources: - requests: - cpu: 10m - memory: 100Mi - - telemetry: - k8s: - resources: - requests: - cpu: 50m - memory: 100Mi - pilot: k8s: env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: GODEBUG - value: gctrace=1 - name: PILOT_TRACE_SAMPLING value: "100" - name: CONFIG_NAMESPACE 
@@ -103,24 +76,6 @@ spec: pilot: autoscaleEnabled: false - mixer: - adapters: - useAdapterCRDs: false - kubernetesenv: - enabled: true - prometheus: - enabled: true - metricsExpiryDuration: 10m - stackdriver: - enabled: false - stdio: - enabled: true - outputAsJson: false - policy: - autoscaleEnabled: false - telemetry: - autoscaleEnabled: false - gateways: istio-egressgateway: autoscaleEnabled: false From eb2736e68cc73fcbd551fb3b74c5682f28499f42 Mon Sep 17 00:00:00 2001 From: Shamsher Ansari Date: Tue, 21 Jul 2020 01:16:43 +0530 Subject: [PATCH 13/82] Update the base image versions to latest for bookinfo sample (#24967) (#25645) * Update the base image versions to latest for bookinfo sample * use IPv4 address instead of IPv6 address --- samples/bookinfo/platform/consul/bookinfo.yaml | 12 ++++++------ samples/bookinfo/platform/kube/bookinfo-db.yaml | 4 ++-- .../bookinfo/platform/kube/bookinfo-details-v2.yaml | 2 +- samples/bookinfo/platform/kube/bookinfo-details.yaml | 2 +- samples/bookinfo/platform/kube/bookinfo-mysql.yaml | 4 ++-- .../platform/kube/bookinfo-ratings-v2-mysql-vm.yaml | 2 +- .../platform/kube/bookinfo-ratings-v2-mysql.yaml | 2 +- .../bookinfo/platform/kube/bookinfo-ratings-v2.yaml | 2 +- samples/bookinfo/platform/kube/bookinfo-ratings.yaml | 2 +- .../bookinfo/platform/kube/bookinfo-reviews-v2.yaml | 2 +- samples/bookinfo/platform/kube/bookinfo.yaml | 12 ++++++------ samples/bookinfo/src/details/Dockerfile | 2 +- samples/bookinfo/src/mongodb/Dockerfile | 2 +- samples/bookinfo/src/mysql/Dockerfile | 2 +- samples/bookinfo/src/productpage/Dockerfile | 2 +- samples/bookinfo/src/productpage/productpage.py | 4 +++- samples/bookinfo/src/ratings/Dockerfile | 2 +- .../bookinfo/src/reviews/reviews-wlpcfg/Dockerfile | 2 +- 18 files changed, 32 insertions(+), 30 deletions(-) diff --git a/samples/bookinfo/platform/consul/bookinfo.yaml b/samples/bookinfo/platform/consul/bookinfo.yaml index df215fad482..f2a79e68888 100644 
--- a/samples/bookinfo/platform/consul/bookinfo.yaml +++ b/samples/bookinfo/platform/consul/bookinfo.yaml @@ -16,7 +16,7 @@ version: '2' services: details-v1: - image: docker.io/istio/examples-bookinfo-details-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 networks: istiomesh: dns: @@ -33,7 +33,7 @@ services: - "9080" ratings-v1: - image: docker.io/istio/examples-bookinfo-ratings-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 networks: istiomesh: dns: @@ -50,7 +50,7 @@ services: - "9080" reviews-v1: - image: docker.io/istio/examples-bookinfo-reviews-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2 networks: istiomesh: dns: @@ -68,7 +68,7 @@ services: - "9080" reviews-v2: - image: docker.io/istio/examples-bookinfo-reviews-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 networks: istiomesh: dns: @@ -86,7 +86,7 @@ services: - "9080" reviews-v3: - image: docker.io/istio/examples-bookinfo-reviews-v3:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2 networks: istiomesh: dns: @@ -104,7 +104,7 @@ services: - "9080" productpage-v1: - image: docker.io/istio/examples-bookinfo-productpage-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 networks: istiomesh: ipv4_address: 172.28.0.14 diff --git a/samples/bookinfo/platform/kube/bookinfo-db.yaml b/samples/bookinfo/platform/kube/bookinfo-db.yaml index 9eb2f3aa737..85a01b22a2a 100644 --- a/samples/bookinfo/platform/kube/bookinfo-db.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-db.yaml @@ -46,7 +46,7 @@ spec: spec: containers: - name: mongodb - image: docker.io/istio/examples-bookinfo-mongodb:1.15.1 + image: docker.io/istio/examples-bookinfo-mongodb:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 27017 @@ -55,5 +55,5 @@ spec: mountPath: /data/db volumes: - name: data-db - emptyDir: + emptyDir: {} --- 
diff --git a/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml index b86fb48143e..b1cef2234fc 100644 --- a/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: details - image: docker.io/istio/examples-bookinfo-details-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-details-v2:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 diff --git a/samples/bookinfo/platform/kube/bookinfo-details.yaml b/samples/bookinfo/platform/kube/bookinfo-details.yaml index e41cb89afde..67e9954df20 100644 --- a/samples/bookinfo/platform/kube/bookinfo-details.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-details.yaml @@ -49,7 +49,7 @@ spec: spec: containers: - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 diff --git a/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/samples/bookinfo/platform/kube/bookinfo-mysql.yaml index de62290a7ba..9f5391f892d 100644 --- a/samples/bookinfo/platform/kube/bookinfo-mysql.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-mysql.yaml @@ -58,7 +58,7 @@ spec: spec: containers: - name: mysqldb - image: docker.io/istio/examples-bookinfo-mysqldb:1.15.1 + image: docker.io/istio/examples-bookinfo-mysqldb:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 3306 @@ -74,5 +74,5 @@ spec: mountPath: /var/lib/mysql volumes: - name: var-lib-mysql - emptyDir: + emptyDir: {} --- diff --git a/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml index 6c9ad117a02..9084ce02a19 100644 --- a/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml 
@@ -33,7 +33,7 @@ spec: spec: containers: - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 imagePullPolicy: IfNotPresent env: # This assumes you registered your mysql vm as diff --git a/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml index 616eb1144c5..5f8a33d7838 100644 --- a/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml @@ -33,7 +33,7 @@ spec: spec: containers: - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 imagePullPolicy: IfNotPresent env: # ratings-v2 will use mongodb as the default db backend. diff --git a/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml index f578e3044f2..8d464f67c06 100644 --- a/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml @@ -39,7 +39,7 @@ spec: serviceAccountName: bookinfo-ratings-v2 containers: - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 imagePullPolicy: IfNotPresent env: # ratings-v2 will use mongodb as the default db backend. diff --git a/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/samples/bookinfo/platform/kube/bookinfo-ratings.yaml index 48eefe06773..4f94c41b2f8 100644 --- a/samples/bookinfo/platform/kube/bookinfo-ratings.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-ratings.yaml @@ -49,7 +49,7 @@ spec: spec: containers: - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 
diff --git a/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml index ee03086b08f..b38018cef22 100644 --- a/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml +++ b/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 imagePullPolicy: IfNotPresent env: - name: LOG_DIR diff --git a/samples/bookinfo/platform/kube/bookinfo.yaml b/samples/bookinfo/platform/kube/bookinfo.yaml index 659691f7645..ad1e8c10fb3 100644 --- a/samples/bookinfo/platform/kube/bookinfo.yaml +++ b/samples/bookinfo/platform/kube/bookinfo.yaml @@ -72,7 +72,7 @@ spec: serviceAccountName: bookinfo-details containers: - name: details - image: docker.io/istio/examples-bookinfo-details-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 @@ -123,7 +123,7 @@ spec: serviceAccountName: bookinfo-ratings containers: - name: ratings - image: docker.io/istio/examples-bookinfo-ratings-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 @@ -174,7 +174,7 @@ spec: serviceAccountName: bookinfo-reviews containers: - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2 imagePullPolicy: IfNotPresent env: - name: LOG_DIR @@ -214,7 +214,7 @@ spec: serviceAccountName: bookinfo-reviews containers: - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v2:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 imagePullPolicy: IfNotPresent env: - name: LOG_DIR 
@@ -254,7 +254,7 @@ spec: serviceAccountName: bookinfo-reviews containers: - name: reviews - image: docker.io/istio/examples-bookinfo-reviews-v3:1.15.1 + image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2 imagePullPolicy: IfNotPresent env: - name: LOG_DIR @@ -318,7 +318,7 @@ spec: serviceAccountName: bookinfo-productpage containers: - name: productpage - image: docker.io/istio/examples-bookinfo-productpage-v1:1.15.1 + image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 imagePullPolicy: IfNotPresent ports: - containerPort: 9080 diff --git a/samples/bookinfo/src/details/Dockerfile b/samples/bookinfo/src/details/Dockerfile index 2cce11a182f..ea31a8e688f 100644 --- a/samples/bookinfo/src/details/Dockerfile +++ b/samples/bookinfo/src/details/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM ruby:2.7-rc-slim +FROM ruby:2.7.1-slim COPY details.rb /opt/microservices/ diff --git a/samples/bookinfo/src/mongodb/Dockerfile b/samples/bookinfo/src/mongodb/Dockerfile index 05548a67fe7..e2a842b0b42 100644 --- a/samples/bookinfo/src/mongodb/Dockerfile +++ b/samples/bookinfo/src/mongodb/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM mongo:4.0.12-xenial +FROM mongo:4.0.19-xenial WORKDIR /app/data/ COPY ratings_data.json /app/data/ COPY script.sh /docker-entrypoint-initdb.d/ diff --git a/samples/bookinfo/src/mysql/Dockerfile b/samples/bookinfo/src/mysql/Dockerfile index c6445a3ad82..164026a6801 100644 --- a/samples/bookinfo/src/mysql/Dockerfile +++ b/samples/bookinfo/src/mysql/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM mysql:8.0.17 +FROM mysql:8.0.20 # MYSQL_ROOT_PASSWORD must be supplied as an env var COPY ./mysqldb-init.sql /docker-entrypoint-initdb.d 
diff --git a/samples/bookinfo/src/productpage/Dockerfile b/samples/bookinfo/src/productpage/Dockerfile index d97d84c9d75..09d221981bd 100644 --- a/samples/bookinfo/src/productpage/Dockerfile +++ b/samples/bookinfo/src/productpage/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM python:3.7.4-slim +FROM python:3.7.7-slim COPY requirements.txt ./ RUN pip install --no-cache-dir -r requirements.txt diff --git a/samples/bookinfo/src/productpage/productpage.py b/samples/bookinfo/src/productpage/productpage.py index 3ff259b2120..b6650118a91 100755 --- a/samples/bookinfo/src/productpage/productpage.py +++ b/samples/bookinfo/src/productpage/productpage.py @@ -382,4 +382,6 @@ def flush(self): p = int(sys.argv[1]) logging.info("start at port %s" % (p)) - app.run(host='::', port=p, debug=True, threaded=True) + # Python does not work on an IPv6 only host + # https://bugs.python.org/issue10414 + app.run(host='0.0.0.0', port=p, debug=True, threaded=True) diff --git a/samples/bookinfo/src/ratings/Dockerfile b/samples/bookinfo/src/ratings/Dockerfile index 0fcbf9ac2f0..483270b007a 100644 --- a/samples/bookinfo/src/ratings/Dockerfile +++ b/samples/bookinfo/src/ratings/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM node:12.18.0-slim +FROM node:12.18.1-slim COPY package.json /opt/microservices/ COPY ratings.js /opt/microservices/ diff --git a/samples/bookinfo/src/reviews/reviews-wlpcfg/Dockerfile b/samples/bookinfo/src/reviews/reviews-wlpcfg/Dockerfile index 7c921ccbded..434821d35ac 100644 --- a/samples/bookinfo/src/reviews/reviews-wlpcfg/Dockerfile +++ b/samples/bookinfo/src/reviews/reviews-wlpcfg/Dockerfile 
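Review bot: The rewritten `app.run(...)` call in productpage.py still passes `debug=True` while the new bind address `host='0.0.0.0'` listens on every IPv4 interface, so the development server's interactive debugger is reachable by anything that can reach the pod port. That debugger is a local-development aid; a sample that gets deployed to shared clusters should ship with it off, e.g. `app.run(host='0.0.0.0', port=p, debug=False, threaded=True)`, or turn it on only through an opt-in environment variable. The added comment says Python fails on an IPv6-only host, yet the new address is IPv4-only, so it should state which environment the change is meant to fix. The enclosing block starts outside the hunk.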
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM websphere-liberty:19.0.0.6-javaee8 +FROM websphere-liberty:20.0.0.6-full-java8-ibmjava ENV SERVERDIRNAME reviews From 8b0f0bde5bd7a8a4b0893769808f49077b8ce483 Mon Sep 17 00:00:00 2001 From: stewartbutler Date: Thu, 23 Jul 2020 13:40:03 -0700 Subject: [PATCH 14/82] Changing CNI images from latest to 1.6-dev tag (#25811) --- tests/integration/pilot/cni/cni_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/pilot/cni/cni_test.go b/tests/integration/pilot/cni/cni_test.go index c5c7e48e595..dc318c69f7a 100644 --- a/tests/integration/pilot/cni/cni_test.go +++ b/tests/integration/pilot/cni/cni_test.go @@ -39,7 +39,7 @@ components: cni: enabled: true hub: gcr.io/istio-testing - tag: latest + tag: 1.6-dev namespace: kube-system ` })). From ee06a36ef447b81d7c6227582c08f54ffdea4a72 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 23 Jul 2020 15:23:08 -0700 Subject: [PATCH 15/82] Fix tombstone recovery bug in Galley (#25413) Co-authored-by: Brad Ison --- galley/pkg/config/source/kube/apiserver/watcher.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/galley/pkg/config/source/kube/apiserver/watcher.go b/galley/pkg/config/source/kube/apiserver/watcher.go index c7a61563e85..c0636a01874 100644 --- a/galley/pkg/config/source/kube/apiserver/watcher.go +++ b/galley/pkg/config/source/kube/apiserver/watcher.go 
@@ -107,17 +107,17 @@ func (w *watcher) dispatch(h event.Handler) { } func (w *watcher) handleEvent(c event.Kind, obj interface{}) { - object, ok := obj.(metav1.Object) - if !ok { - if obj = tombstone.RecoverResource(obj); object != nil { + if _, ok := obj.(metav1.Object); !ok { + recoveredObject := tombstone.RecoverResource(obj) + if recoveredObject == nil { // Tombstone recovery failed. scope.Source.Warnf("Unable to extract object for event: %v", obj) return } - obj = object + obj = recoveredObject } - object = w.adapter.ExtractObject(obj) + object := w.adapter.ExtractObject(obj) res, err := w.adapter.ExtractResource(obj) if err != nil { scope.Source.Warnf("unable to extract resource: %v: %e", obj, err) From fd8dda96249046c020b6f6a204ed8c4b0696e4e1 Mon Sep 17 00:00:00 2001 From: Gregory Hanson Date: Thu, 23 Jul 2020 18:56:48 -0400 Subject: [PATCH 16/82] maunal cherry pick of 3b58e4c5e #25588 (#25751) --- pilot/pkg/networking/core/v1alpha3/cluster.go | 4 ++ .../networking/core/v1alpha3/cluster_test.go | 47 +++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/pilot/pkg/networking/core/v1alpha3/cluster.go b/pilot/pkg/networking/core/v1alpha3/cluster.go index 7396457031b..1992d5d403b 100644 --- a/pilot/pkg/networking/core/v1alpha3/cluster.go +++ b/pilot/pkg/networking/core/v1alpha3/cluster.go @@ -1118,6 +1118,10 @@ func applyUpstreamTLSSettings(opts *buildClusterOpts, tls *networking.ClientTLSS }, defaultTransportSocketMatch, } + } else { + // Since previous calls to applyTrafficPolicy may have set TransportSocketMatches for a subset cluster + // make sure they are reset. See https://github.com/istio/istio/issues/23910 + cluster.TransportSocketMatches = nil } } } diff --git a/pilot/pkg/networking/core/v1alpha3/cluster_test.go b/pilot/pkg/networking/core/v1alpha3/cluster_test.go index 770cd4a3d00..51236839506 100644 --- a/pilot/pkg/networking/core/v1alpha3/cluster_test.go +++ b/pilot/pkg/networking/core/v1alpha3/cluster_test.go 
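Review bot: The warning just below the fix in `handleEvent`, `scope.Source.Warnf("unable to extract resource: %v: %e", obj, err)`, formats the error with `%e`, a floating-point verb, so the log shows a `%!e(...)` placeholder instead of the error text; it should read `scope.Source.Warnf("unable to extract resource: %v: %v", obj, err)`. The line is unchanged context, but it sits on the path that recovered tombstone objects now reach, where a readable error is what an operator needs. The commit changes only watcher.go, so a unit test that passes `handleEvent` a tombstone value would keep the original mistake (testing `object` instead of the recovered value) from coming back. The function body continues outside the hunk.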
@@ -2110,6 +2110,53 @@ func TestRedisProtocolClusterAtGateway(t *testing.T) { } } +func TestAutoMTLSClusterSubsets(t *testing.T) { + g := NewGomegaWithT(t) + + destRule := &networking.DestinationRule{ + Host: TestServiceNHostname, + Subsets: []*networking.Subset{ + { + Name: "foobar", + TrafficPolicy: &networking.TrafficPolicy{ + ConnectionPool: &networking.ConnectionPoolSettings{ + Http: &networking.ConnectionPoolSettings_HTTPSettings{ + MaxRequestsPerConnection: 1, + }, + }, + PortLevelSettings: []*networking.TrafficPolicy_PortTrafficPolicy{ + { + Port: &networking.PortSelector{ + Number: 8080, + }, + Tls: &networking.ClientTLSSettings{ + Mode: networking.ClientTLSSettings_ISTIO_MUTUAL, + Sni: "custom.sni.com", + }, + }, + }, + }, + }, + }, + } + + testMesh.EnableAutoMtls.Value = true + + clusters, err := buildTestClusters(TestServiceNHostname, 0, model.SidecarProxy, nil, testMesh, destRule) + g.Expect(err).NotTo(HaveOccurred()) + + tlsContext := getTLSContext(t, clusters[1]) + g.Expect(tlsContext).ToNot(BeNil()) + g.Expect(tlsContext.GetSni()).To(Equal("custom.sni.com")) + g.Expect(clusters[1].TransportSocketMatches).To(HaveLen(0)) + + for _, i := range []int{0, 2, 3} { + g.Expect(getTLSContext(t, clusters[i])).To(BeNil()) + g.Expect(clusters[i].TransportSocketMatches).To(HaveLen(2)) + } + +} + func TestAutoMTLSClusterIgnoreWorkloadLevelPeerAuthn(t *testing.T) { g := NewGomegaWithT(t) From f2f9dd526d7ff8e351b07290c316d2fa55d506a8 Mon Sep 17 00:00:00 2001 From: jacob-delgado Date: Thu, 23 Jul 2020 19:46:53 -0600 Subject: [PATCH 17/82] [release-1.6] Update 1.6 dependencies (#25817) * Update 1.6 dependencies UPDATE_BRANCH=release-1.6 ./bin/update_deps.sh; make gen * Fix integration test --- go.mod | 4 ++-- go.sum | 8 ++++---- istio.deps | 2 +- prow/release-commit.sh | 2 +- .../stackdriver/testdata/client_request_count.json.tmpl | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index b29e51eacc8..1d4cb01df34 100644 --- a/go.mod 
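Review bot: `testMesh.EnableAutoMtls.Value = true` in `TestAutoMTLSClusterSubsets` writes to a variable the test does not declare, apparently shared package state, and never restores it, so tests that run later may see auto mTLS enabled depending on execution order. Saving and restoring the value keeps the test hermetic: `prev := testMesh.EnableAutoMtls.Value` followed by `defer func() { testMesh.EnableAutoMtls.Value = prev }()`. The assertions also hard-code cluster positions (`clusters[1]` and `[]int{0, 2, 3}`); a one-line comment naming which cluster each index is expected to be would make a failure readable without re-deriving the build order.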
+++ b/go.mod @@ -158,8 +158,8 @@ require ( gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 istio.io/api v0.0.0-20200715212100-dbf5277541ef - istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5 - istio.io/pkg v0.0.0-20200511212725-7bfbbf968c23 + istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 + istio.io/pkg v0.0.0-20200709220414-14d5de656564 k8s.io/api v0.18.1 k8s.io/apiextensions-apiserver v0.18.0 k8s.io/apimachinery v0.18.1 diff --git a/go.sum b/go.sum index e19dac2373a..be7d1bc38ca 100644 --- a/go.sum +++ b/go.sum 
@@ -1064,10 +1064,10 @@ istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml istio.io/api v0.0.0-20200715212100-dbf5277541ef h1:EK7lCql3HAxEoyPQuPWamG00XkOKzIVzzMb5sShFwAM= istio.io/api v0.0.0-20200715212100-dbf5277541ef/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= -istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5 h1:+jL9OzDdbpqHghV6i1dDy2jV+FtC7wz+CuKi2UxZoSs= -istio.io/gogo-genproto v0.0.0-20200511213158-02f1fd1746e5/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= -istio.io/pkg v0.0.0-20200511212725-7bfbbf968c23 h1:1GMOTQs9yVdNEBmVKxDlq6ios80gIAOMO1WfKYKYjZo= -istio.io/pkg v0.0.0-20200511212725-7bfbbf968c23/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU= +istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 h1:41vUsZxxi7Kq9pyxmk7xjSKrYEYyXCQsTvP4mWOXzoI= +istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= +istio.io/pkg v0.0.0-20200709220414-14d5de656564 h1:iaOIWnzUh6T7O2ViQL9EDY6TtnPgDkNSohIcpJ92bHw= +istio.io/pkg v0.0.0-20200709220414-14d5de656564/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU= k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48= k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= k8s.io/api v0.18.0/go.mod h1:q2HRQkfDzHMBZL9l/y9rH63PkQl4vae0xRT+8prbrK8= diff --git a/istio.deps b/istio.deps index f9bada1396a..135ec15a25b 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "a20ed1b7b98d8a7a8480c5100c0752578e31d659" + "lastStableSHA": "ccae1bd37085ecd78415dc06b50233b3b97e30c0" }, { "_comment": "", diff --git a/prow/release-commit.sh b/prow/release-commit.sh index 71dcb4a8272..57e61e22680 100755 --- a/prow/release-commit.sh +++ b/prow/release-commit.sh 
@@ -32,7 +32,7 @@ DOCKER_HUB=${DOCKER_HUB:-gcr.io/istio-testing} GCS_BUCKET=${GCS_BUCKET:-istio-build/dev} # Use a pinned version in case breaking changes are needed -BUILDER_SHA=79c20a33e379966ac0e531925b5f1c42d0f90664 +BUILDER_SHA=9aac43a9201b5e3a47a956680ca1ddffb75222f4 # Reference to the next minor version of Istio # This will create a version like 1.4-alpha.sha diff --git a/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl b/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl index d9f979aff36..b9760fc82dd 100644 --- a/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl +++ b/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl @@ -16,7 +16,7 @@ "request_operation": "/proto.EchoTestService/Echo", "request_protocol": "grpc", "response_code": "200", - "service_authentication_policy": "", + "service_authentication_policy": "unknown", "source_canonical_revision": "v1", "source_canonical_service_name": "clt", "source_canonical_service_namespace": "{{ .EchoNamespace }}", From 25baf9c3df482261bcf7eafcca69f859e6d26aa2 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 24 Jul 2020 08:43:17 -0700 Subject: [PATCH 18/82] [release-1.6] verify if namespace exists during bookinfo cleanup (#25831) * verify if namespace exists during bookinfo cleanup * fix lint Co-authored-by: shamsher31 --- samples/bookinfo/platform/kube/cleanup.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/samples/bookinfo/platform/kube/cleanup.sh b/samples/bookinfo/platform/kube/cleanup.sh index 19302378e71..ec3335a4796 100755 --- a/samples/bookinfo/platform/kube/cleanup.sh +++ b/samples/bookinfo/platform/kube/cleanup.sh 
@@ -22,6 +22,16 @@ if [[ -t 0 && -z ${NAMESPACE} ]];then read -r NAMESPACE fi +# verify if the namespace exists, otherwise use default namespace +if [[ -n ${NAMESPACE} ]];then + ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null) + if [[ -z ${ns} ]];then + echo "NAMESPACE ${NAMESPACE} not found." + NAMESPACE=default + fi +fi + +# if no namesapce is provided, use default namespace if [[ -z ${NAMESPACE} ]];then NAMESPACE=default fi @@ -57,4 +67,7 @@ else fi fi +# wait for 30 sec for bookinfo to clean up +sleep 30 + echo "Application cleanup successful" From d1a6a17e26fa04272ca86d16aad2453645c3c7d3 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 24 Jul 2020 09:30:36 -0700 Subject: [PATCH 19/82] Automator: update istio/api@release-1.6 dependency in istio/istio@release-1.6 (#25839) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1d4cb01df34..0778011f52b 100644 --- a/go.mod +++ b/go.mod @@ -157,7 +157,7 @@ require ( gopkg.in/square/go-jose.v2 v2.3.1 gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 - istio.io/api v0.0.0-20200715212100-dbf5277541ef + istio.io/api v0.0.0-20200724154434-34e474846e0d istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 istio.io/pkg v0.0.0-20200709220414-14d5de656564 k8s.io/api v0.18.1 diff --git a/go.sum b/go.sum index be7d1bc38ca..0deac281483 100644 --- a/go.sum +++ b/go.sum 
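Review bot: When the namespace lookup in the first hunk of cleanup.sh returns nothing, the script prints "not found" and then carries on with `NAMESPACE=default`, so a mistyped name, or a kubectl call that failed for some other reason (its stderr is discarded by `2>/dev/null`), silently points the cleanup that follows outside the hunk at the `default` namespace. For a script whose job is to remove resources it is safer to stop there: replace `NAMESPACE=default` in that branch with `exit 1` and keep the default only for the empty-input case handled by the existing `[[ -z ${NAMESPACE} ]]` check. The second hunk's unconditional `sleep 30` has a related weakness, since "Application cleanup successful" is printed whether or not the resources are actually gone. The new comment also misspells "namespace" as `namesapce`.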
@@ -1061,8 +1061,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml9iS5NfNfqZGRt1pS9aVEo= -istio.io/api v0.0.0-20200715212100-dbf5277541ef h1:EK7lCql3HAxEoyPQuPWamG00XkOKzIVzzMb5sShFwAM= -istio.io/api v0.0.0-20200715212100-dbf5277541ef/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= +istio.io/api v0.0.0-20200724154434-34e474846e0d h1:g33+9bRr+w9p3NuspqH1DK1mGnq8GlPXZScjXxsz7mw= +istio.io/api v0.0.0-20200724154434-34e474846e0d/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 h1:41vUsZxxi7Kq9pyxmk7xjSKrYEYyXCQsTvP4mWOXzoI= istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= From 6779bb6247ab64475eba2e099bfa33fb94cad11a Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Sat, 25 Jul 2020 01:00:11 +0800 Subject: [PATCH 20/82] Do not enable auto mtls when cluster type is `Cluster_ORIGINAL_DST` (#24319) (#25829) * disable tls for headless service when mtls is auto detected * move it to conditionallyConvertToIstioMtls * cleanup * fix e2e --- pilot/pkg/networking/core/v1alpha3/cluster.go | 10 +++- .../networking/core/v1alpha3/cluster_test.go | 52 ++++++++++++------- tests/integration/pilot/cni/cni_test.go | 4 ++ .../mtls_first_party_jwt/strict_test.go | 4 +- .../security/mtlsk8sca/strict_test.go | 4 +- .../integration/security/reachability_test.go | 26 ++++++---- .../security/util/reachability/context.go | 52 ++++++++++++------- 7 files changed, 97 insertions(+), 55 deletions(-) 
diff --git a/pilot/pkg/networking/core/v1alpha3/cluster.go b/pilot/pkg/networking/core/v1alpha3/cluster.go index 1992d5d403b..9add4cba09c 100644 --- a/pilot/pkg/networking/core/v1alpha3/cluster.go +++ b/pilot/pkg/networking/core/v1alpha3/cluster.go @@ -538,12 +538,17 @@ func conditionallyConvertToIstioMtls( autoMTLSEnabled bool, meshExternal bool, serviceMTLSMode model.MutualTLSMode, -) (*networking.ClientTLSSettings, mtlsContextType) { + clusterDiscoveryType apiv2.Cluster_DiscoveryType) (*networking.ClientTLSSettings, mtlsContextType) { mtlsCtx := userSupplied if tls == nil { if meshExternal || !autoMTLSEnabled || serviceMTLSMode == model.MTLSUnknown || serviceMTLSMode == model.MTLSDisable { return nil, mtlsCtx } + // Do not enable auto mtls when cluster type is `Cluster_ORIGINAL_DST` + // We don't know whether headless service instance has sidecar injected or not. + if clusterDiscoveryType == apiv2.Cluster_ORIGINAL_DST { + return nil, mtlsCtx + } mtlsCtx = autoDetected // we will setup transport sockets later @@ -719,7 +724,7 @@ func applyTrafficPolicy(opts buildClusterOpts) { autoMTLSEnabled := opts.push.Mesh.GetEnableAutoMtls().Value var mtlsCtxType mtlsContextType tls, mtlsCtxType = conditionallyConvertToIstioMtls(tls, opts.serviceAccounts, opts.istioMtlsSni, opts.proxy, - autoMTLSEnabled, opts.meshExternal, opts.serviceMTLSMode) + autoMTLSEnabled, opts.meshExternal, opts.serviceMTLSMode, opts.cluster.GetType()) applyUpstreamTLSSettings(&opts, tls, mtlsCtxType, opts.proxy) } } @@ -966,6 +971,7 @@ func applyUpstreamTLSSettings(opts *buildClusterOpts, tls *networking.ClientTLSS cluster := opts.cluster proxy := opts.proxy + certValidationContext := &auth.CertificateValidationContext{} var trustedCa *core.DataSource if len(tls.CaCertificates) != 0 { diff --git a/pilot/pkg/networking/core/v1alpha3/cluster_test.go b/pilot/pkg/networking/core/v1alpha3/cluster_test.go index 51236839506..5eacba45150 100644 --- a/pilot/pkg/networking/core/v1alpha3/cluster_test.go 
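Review bot: The new `clusterDiscoveryType == apiv2.Cluster_ORIGINAL_DST` branch in `conditionallyConvertToIstioMtls` returns `nil` TLS settings, which as far as the visible code shows means no upstream TLS is configured for headless services even when auto mTLS is on; the comment explains the uncertainty behind the choice but not this consequence. The reachability expectations changed in the same commit confirm the effect: calls from sidecar clients to the headless service are now expected to fail under global mTLS. I would extend the comment so the trade-off is visible at the decision point, e.g. `// Consequence: traffic to ORIGINAL_DST (headless) clusters is sent without TLS unless a DestinationRule sets it explicitly; with STRICT peer authentication those calls are rejected.` The function body continues outside the hunk.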
+++ b/pilot/pkg/networking/core/v1alpha3/cluster_test.go @@ -857,16 +857,17 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { Sni: "custom.foo.com", } tests := []struct { - name string - tls *networking.ClientTLSSettings - sans []string - sni string - proxy *model.Proxy - autoMTLSEnabled bool - meshExternal bool - serviceMTLSMode model.MutualTLSMode - want *networking.ClientTLSSettings - wantCtxType mtlsContextType + name string + tls *networking.ClientTLSSettings + sans []string + sni string + proxy *model.Proxy + autoMTLSEnabled bool + meshExternal bool + serviceMTLSMode model.MutualTLSMode + clusterDiscoveryType apiv2.Cluster_DiscoveryType + want *networking.ClientTLSSettings + wantCtxType mtlsContextType }{ { "Destination rule TLS sni and SAN override", @@ -874,7 +875,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - false, false, model.MTLSUnknown, + false, false, model.MTLSUnknown, apiv2.Cluster_EDS, tlsSettings, userSupplied, }, @@ -891,7 +892,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - false, false, model.MTLSUnknown, + false, false, model.MTLSUnknown, apiv2.Cluster_EDS, &networking.ClientTLSSettings{ Mode: networking.ClientTLSSettings_ISTIO_MUTUAL, CaCertificates: constants.DefaultRootCert, @@ -912,7 +913,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { TLSClientKey: "/custom/key.pem", TLSClientRootCert: "/custom/root.pem", }}, - false, false, model.MTLSUnknown, + false, false, model.MTLSUnknown, apiv2.Cluster_EDS, &networking.ClientTLSSettings{ Mode: networking.ClientTLSSettings_ISTIO_MUTUAL, CaCertificates: "/custom/root.pem", 
@@ -929,7 +930,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - true, false, model.MTLSStrict, + true, false, model.MTLSStrict, apiv2.Cluster_EDS, &networking.ClientTLSSettings{ Mode: networking.ClientTLSSettings_ISTIO_MUTUAL, CaCertificates: constants.DefaultRootCert, @@ -946,7 +947,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - true, false, model.MTLSPermissive, + true, false, model.MTLSPermissive, apiv2.Cluster_EDS, &networking.ClientTLSSettings{ Mode: networking.ClientTLSSettings_ISTIO_MUTUAL, CaCertificates: constants.DefaultRootCert, @@ -963,7 +964,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - true, false, model.MTLSDisable, + true, false, model.MTLSDisable, apiv2.Cluster_EDS, nil, userSupplied, }, @@ -973,7 +974,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - true, false, model.MTLSUnknown, + true, false, model.MTLSUnknown, apiv2.Cluster_EDS, nil, userSupplied, }, @@ -983,7 +984,7 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - true, true, model.MTLSUnknown, + true, true, model.MTLSUnknown, apiv2.Cluster_EDS, nil, userSupplied, }, 
@@ -993,7 +994,17 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { []string{"spiffe://foo/serviceaccount/1"}, "foo.com", &model.Proxy{Metadata: &model.NodeMetadata{}}, - false, false, model.MTLSDisable, + false, false, model.MTLSDisable, apiv2.Cluster_EDS, + nil, + userSupplied, + }, + { + "Do not enable auto mtls when cluster type is `Cluster_ORIGINAL_DST`", + nil, + []string{"spiffe://foo/serviceaccount/1"}, + "foo.com", + &model.Proxy{Metadata: &model.NodeMetadata{}}, + true, false, model.MTLSPermissive, apiv2.Cluster_ORIGINAL_DST, nil, userSupplied, }, @@ -1001,7 +1012,8 @@ func TestConditionallyConvertToIstioMtls(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - gotTLS, gotCtxType := conditionallyConvertToIstioMtls(tt.tls, tt.sans, tt.sni, tt.proxy, tt.autoMTLSEnabled, tt.meshExternal, tt.serviceMTLSMode) + gotTLS, gotCtxType := conditionallyConvertToIstioMtls(tt.tls, tt.sans, tt.sni, tt.proxy, + tt.autoMTLSEnabled, tt.meshExternal, tt.serviceMTLSMode, tt.clusterDiscoveryType) if !reflect.DeepEqual(gotTLS, tt.want) { t.Errorf("cluster TLS does not match exppected result want %#v, got %#v", tt.want, gotTLS) } diff --git a/tests/integration/pilot/cni/cni_test.go b/tests/integration/pilot/cni/cni_test.go index dc318c69f7a..f8abf580ed1 100644 --- a/tests/integration/pilot/cni/cni_test.go +++ b/tests/integration/pilot/cni/cni_test.go @@ -80,6 +80,10 @@ func TestCNIReachability(t *testing.T) { Namespace: systemNM, RequiredEnvironment: environment.Kube, Include: func(src echo.Instance, opts echo.CallOptions) bool { + // Exclude headless naked service, because it is no sidecar + if src == rctx.HeadlessNaked || opts.Target == rctx.HeadlessNaked { + return false + } // Exclude calls to the headless TCP port. if opts.Target == rctx.Headless && opts.PortName == "tcp" { return false 
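Review bot: The table entry added to `TestConditionallyConvertToIstioMtls` exercises `apiv2.Cluster_ORIGINAL_DST` only with `model.MTLSPermissive`, so nothing pins the behaviour for the case where skipping auto mTLS has the most impact, a destination in strict mode. A second entry with `model.MTLSStrict` and the same expected `nil` / `userSupplied` result would document that the early return is intentional there too. The test function and its table start outside this hunk.
```go
		// … unchanged: existing `Cluster_ORIGINAL_DST` entry with model.MTLSPermissive …
		{
			"Do not enable auto mtls when cluster type is `Cluster_ORIGINAL_DST` and peer mTLS is strict",
			nil,
			[]string{"spiffe://foo/serviceaccount/1"},
			"foo.com",
			&model.Proxy{Metadata: &model.NodeMetadata{}},
			true, false, model.MTLSStrict, apiv2.Cluster_ORIGINAL_DST,
			nil,
			userSupplied,
		},
```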
diff --git a/tests/integration/security/mtls_first_party_jwt/strict_test.go b/tests/integration/security/mtls_first_party_jwt/strict_test.go index 4f0d1cbf2ba..54bed421400 100644 --- a/tests/integration/security/mtls_first_party_jwt/strict_test.go +++ b/tests/integration/security/mtls_first_party_jwt/strict_test.go @@ -47,7 +47,7 @@ func TestMtlsStrictK8sCA(t *testing.T) { // Exclude calls to the headless service. // Auto mtls does not apply to headless service, because for headless service // the cluster discovery type is ORIGINAL_DST, and it will not apply upstream tls setting - return opts.Target != rctx.Headless + return !rctx.IsHeadless(opts.Target) }, ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { // When mTLS is in STRICT mode, DR's TLS settings are default to mTLS so the result would @@ -58,7 +58,7 @@ func TestMtlsStrictK8sCA(t *testing.T) { } // If source is naked, and destination is not, expect failure. - return !(src == rctx.Naked && opts.Target != rctx.Naked) + return !(rctx.IsNaked(src) && !rctx.IsNaked(opts.Target)) }, }, { diff --git a/tests/integration/security/mtlsk8sca/strict_test.go b/tests/integration/security/mtlsk8sca/strict_test.go index 8712362bf69..6a76ea45f59 100644 --- a/tests/integration/security/mtlsk8sca/strict_test.go +++ b/tests/integration/security/mtlsk8sca/strict_test.go @@ -47,7 +47,7 @@ func TestMtlsStrictK8sCA(t *testing.T) { // Exclude calls to the headless service. // Auto mtls does not apply to headless service, because for headless service // the cluster discovery type is ORIGINAL_DST, and it will not apply upstream tls setting - return opts.Target != rctx.Headless + return !rctx.IsHeadless(opts.Target) }, ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { // When mTLS is in STRICT mode, DR's TLS settings are default to mTLS so the result would 
@@ -58,7 +58,7 @@ func TestMtlsStrictK8sCA(t *testing.T) { } // If source is naked, and destination is not, expect failure. - return !(src == rctx.Naked && opts.Target != rctx.Naked) + return !(rctx.IsNaked(src) && !rctx.IsNaked(opts.Target)) }, }, { diff --git a/tests/integration/security/reachability_test.go b/tests/integration/security/reachability_test.go index ec706e4d829..284eff32dee 100644 --- a/tests/integration/security/reachability_test.go +++ b/tests/integration/security/reachability_test.go @@ -49,13 +49,13 @@ func TestReachability(t *testing.T) { return true }, ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { - if src == rctx.Naked && opts.Target == rctx.Naked { + if rctx.IsNaked(src) && rctx.IsNaked(opts.Target) { // naked->naked should always succeed. return true } // If one of the two endpoints is naked, expect failure. - return src != rctx.Naked && opts.Target != rctx.Naked + return !rctx.IsNaked(src) && !rctx.IsNaked(opts.Target) }, }, { @@ -64,7 +64,7 @@ func TestReachability(t *testing.T) { RequiredEnvironment: environment.Kube, Include: func(src echo.Instance, opts echo.CallOptions) bool { // Exclude calls to the naked app. - return opts.Target != rctx.Naked + return !rctx.IsNaked(opts.Target) }, ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { return true @@ -103,8 +103,13 @@ func TestReachability(t *testing.T) { ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { // autoMtls doesn't work for client that doesn't have proxy, unless target doesn't // have proxy neither. - if src == rctx.Naked { - return opts.Target == rctx.Naked + if rctx.IsNaked(src) { + return rctx.IsNaked(opts.Target) + } + // headless service with sidecar injected, global mTLS enabled, + // no client side transport socket or transport_socket_matches since it's headless service. + if src != rctx.Headless && opts.Target == rctx.Headless { + return false } return true }, 
@@ -119,10 +124,14 @@ func TestReachability(t *testing.T) { ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { // autoMtls doesn't work for client that doesn't have proxy, unless target doesn't // have proxy or have mTLS disabled - if src == rctx.Naked { - return opts.Target == rctx.Naked || (opts.Target == rctx.B && opts.PortName != "http") + if rctx.IsNaked(src) { + return rctx.IsNaked(opts.Target) || (opts.Target == rctx.B && opts.PortName != "http") } + // headless with sidecar injected, global mTLS enabled, no client side transport socket or transport_socket_matches since it's headless service. + if src != rctx.Headless && opts.Target == rctx.Headless { + return false + } // PeerAuthentication disable mTLS for workload app:b, except http port. Thus, autoMTLS // will fail on all ports on b, except http port. return opts.Target != rctx.B || opts.PortName == "http" @@ -134,10 +143,9 @@ func TestReachability(t *testing.T) { RequiredEnvironment: environment.Kube, Include: func(src echo.Instance, opts echo.CallOptions) bool { // Exclude calls to the headless TCP port. - if opts.Target == rctx.Headless && opts.PortName == "tcp" { + if rctx.IsHeadless(opts.Target) && opts.PortName == "tcp" { return false } - return true }, ExpectSuccess: func(src echo.Instance, opts echo.CallOptions) bool { diff --git a/tests/integration/security/util/reachability/context.go b/tests/integration/security/util/reachability/context.go index 87600162e8b..d19b45809b2 100644 --- a/tests/integration/security/util/reachability/context.go +++ b/tests/integration/security/util/reachability/context.go 
@@ -61,14 +61,15 @@ type TestCase struct { // Context is a context for reachability tests. type Context struct { - ctx framework.TestContext - g galley.Instance - p pilot.Instance - Namespace namespace.Instance - A, B echo.Instance - Multiversion echo.Instance - Headless echo.Instance - Naked echo.Instance + ctx framework.TestContext + g galley.Instance + p pilot.Instance + Namespace namespace.Instance + A, B echo.Instance + Multiversion echo.Instance + Headless echo.Instance + Naked echo.Instance + HeadlessNaked echo.Instance } // CreateContext creates and initializes reachability context. @@ -78,7 +79,7 @@ func CreateContext(ctx framework.TestContext, g galley.Instance, p pilot.Instanc Inject: true, }) - var a, b, multiVersion, headless, naked echo.Instance + var a, b, multiVersion, headless, naked, headlessNaked echo.Instance cfg := util.EchoConfig("multiversion", ns, false, nil, g, p) cfg.Subsets = []echo.SubsetConfig{ // Istio deployment, with sidecar. @@ -98,18 +99,21 @@ func CreateContext(ctx framework.TestContext, g galley.Instance, p pilot.Instanc With(&headless, util.EchoConfig("headless", ns, true, nil, g, p)). With(&naked, util.EchoConfig("naked", ns, false, echo.NewAnnotations(). SetBool(echo.SidecarInject, false), g, p)). + With(&headlessNaked, util.EchoConfig("headless-naked", ns, true, echo.NewAnnotations(). + SetBool(echo.SidecarInject, false), g, p)). BuildOrFail(ctx) return Context{ - ctx: ctx, - g: g, - p: p, - Namespace: ns, - A: a, - B: b, - Multiversion: multiVersion, - Headless: headless, - Naked: naked, + ctx: ctx, + g: g, + p: p, + Namespace: ns, + A: a, + B: b, + Multiversion: multiVersion, + Headless: headless, + Naked: naked, + HeadlessNaked: headlessNaked, } } 
@@ -162,8 +166,8 @@ func (rc *Context) Run(testCases []TestCase) { time.Sleep(10 * time.Second) ctx.Logf("[%s] [%v] Finish waiting. Continue testing.", testName, time.Now()) - for _, src := range []echo.Instance{rc.A, rc.B, rc.Headless, rc.Naked} { - for _, dest := range []echo.Instance{rc.A, rc.B, rc.Headless, rc.Multiversion, rc.Naked} { + for _, src := range []echo.Instance{rc.A, rc.B, rc.Headless, rc.Naked, rc.HeadlessNaked} { + for _, dest := range []echo.Instance{rc.A, rc.B, rc.Headless, rc.Multiversion, rc.Naked, rc.HeadlessNaked} { copts := &callOptions // If test case specified service call options, use that instead. if c.CallOpts != nil { @@ -209,3 +213,11 @@ func (rc *Context) Run(testCases []TestCase) { }) } } + +func (rc *Context) IsNaked(i echo.Instance) bool { + return i == rc.HeadlessNaked || i == rc.Naked +} + +func (rc *Context) IsHeadless(i echo.Instance) bool { + return i == rc.HeadlessNaked || i == rc.Headless +} From 4e6e7f49375d84bb35ee614c6b7d38b6c2fd3e7b Mon Sep 17 00:00:00 2001 From: John Howard Date: Fri, 24 Jul 2020 12:07:28 -0700 Subject: [PATCH 21/82] Bump base image for 1.6 (#25845) --- Makefile.core.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.core.mk b/Makefile.core.mk index 14ddb35741b..fbc90591d96 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail VERSION ?= 1.6-dev # Base version of Istio image to use -BASE_VERSION ?= 1.6-dev.5 +BASE_VERSION ?= 1.6-dev.6 export GO111MODULE ?= on export GOPROXY ?= https://proxy.golang.org From 2511ab8c8c59a203e77bb804846593c3690fcf4a Mon Sep 17 00:00:00 2001 
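Review bot: The exported methods `IsNaked` and `IsHeadless` are added to context.go without doc comments. Which instances each one groups is only clear from reading `CreateContext`, where `naked` and `headless-naked` are built with `SidecarInject` set to false. Suggested comments: `// IsNaked reports whether i is one of the workloads deployed without a sidecar (Naked or HeadlessNaked).` and `// IsHeadless reports whether i is one of the headless workloads (Headless or HeadlessNaked).`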
From: John Howard Date: Thu, 30 Jul 2020 13:41:36 -0700 Subject: [PATCH 22/82] Fix regression for Endpoints without pod reference (#25978) (#25987) (cherry picked from commit d5ab2ebfa13107099a6fed596b5201f88ad28d24) (cherry picked from commit 805c4032fae7c3b81b3dcc359eba0d9b7b7dc2b8) --- .../kube/controller/controller.go | 19 +++-- .../kube/controller/controller_test.go | 85 +++++++++++-------- .../kube/controller/endpointslice.go | 4 +- 3 files changed, 65 insertions(+), 43 deletions(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index f80769ba5d9..def7645b530 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go @@ -1023,10 +1023,17 @@ func (c *Controller) AppendInstanceHandler(f func(*model.ServiceInstance, model. return nil } -func getPod(c *Controller, ip string, ep *metav1.ObjectMeta, targetRef *v1.ObjectReference, host host.Name) *v1.Pod { +// getPod fetches a pod by IP address. +// A pod may be missing (nil) for two reasons: +// * It is an endpoint without an associated Pod. In this case, expectPod will be false. +// * It is an endpoint with an associate Pod, but its not found. In this case, expectPod will be true. +// this may happen due to eventually consistency issues, out of order events, etc. In this case, the caller +// should not precede with the endpoint, or inaccurate information would be sent which may have impacts on +// correctness and security. +func getPod(c *Controller, ip string, ep *metav1.ObjectMeta, targetRef *v1.ObjectReference, host host.Name) (rpod *v1.Pod, expectPod bool) { pod := c.pods.getPodByIP(ip) if pod != nil { - return pod + return pod, false } // This means, the endpoint event has arrived before pod event. // This might happen because PodCache is eventually consistent. 
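Review bot: The new doc comment on getPod carries the rule callers must follow for correctness and security, but its wording blurs it. "should not precede with the endpoint" should read "should not proceed with the endpoint", "eventually consistency" should be "eventual consistency", and "an associate Pod, but its not found" should be "an associated Pod, but it is not found". The named result `rpod` is never assigned in the visible lines, and the second result is `expectPod` here but `expectedUpdate` at the updateEDS call sites. Using one name at both ends, e.g. `pod, expectPod := getPod(...)`, would keep the contract readable. The function body continues outside this hunk.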
@@ -1044,11 +1051,11 @@ func getPod(c *Controller, ip string, ep *metav1.ObjectMeta, targetRef *v1.Objec // Tell pod cache we want to queue the endpoint event when this pod arrives. epkey := kube.KeyFunc(ep.Name, ep.Namespace) c.pods.recordNeedsUpdate(epkey, ip) - return nil + return nil, true } pod = podFromInformer.(*v1.Pod) } - return pod + return pod, false } func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event, epc *endpointsController) { @@ -1065,8 +1072,8 @@ func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event, epc *endpoin if event != model.EventDelete { for _, ss := range ep.Subsets { for _, ea := range ss.Addresses { - pod := getPod(c, ea.IP, &metav1.ObjectMeta{Name: ep.Name, Namespace: ep.Namespace}, ea.TargetRef, hostname) - if pod == nil { + pod, expectedUpdate := getPod(c, ea.IP, &metav1.ObjectMeta{Name: ep.Name, Namespace: ep.Namespace}, ea.TargetRef, hostname) + if pod == nil && expectedUpdate { continue } diff --git a/pilot/pkg/serviceregistry/kube/controller/controller_test.go b/pilot/pkg/serviceregistry/kube/controller/controller_test.go index b0a5eba9821..5121c0a8a58 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller_test.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller_test.go @@ -248,7 +248,7 @@ func TestServices(t *testing.T) { }) // 2 ports 1001, 2 IPs - createEndpoints(ctl, testService, ns, []string{"http-example", "foo"}, []string{"10.10.1.1", "10.11.1.2"}, t) + createEndpoints(ctl, testService, ns, []string{"http-example", "foo"}, []string{"10.10.1.1", "10.11.1.2"}, nil, t) svc, err := sds.GetService(hostname) if err != nil { 
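Review bot: After `if pod == nil && expectedUpdate { continue }` in updateEDS, the rest of the loop body now runs with `pod == nil` for addresses that have no Pod reference, and that code is outside the hunk. A comment on this line would make the nil case explicit for the next editor: `// pod may be nil below: the endpoint has no Pod reference, so no pod-derived labels or service account are attached`. A test added later in this series expects an empty ServiceAccount for such endpoints, so they are presumably published without a workload identity; the comment should say so if that is intended. The same condition is added in endpointSliceController.updateEDS in endpointslice.go.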
@@ -490,7 +490,7 @@ func TestGetProxyServiceInstances(t *testing.T) { svc1Ips := []string{"128.0.0.1"} portNames := []string{"tcp-port"} // Create 1 endpoint that refers to a pod in the same namespace. - createEndpoints(controller, "svc1", "nsA", portNames, svc1Ips, t) + createEndpoints(controller, "svc1", "nsA", portNames, svc1Ips, nil, t) // Creates 100 endpoints that refers to a pod in a different namespace. fakeSvcCounts := 100 @@ -503,12 +503,12 @@ func TestGetProxyServiceInstances(t *testing.T) { []int32{8080}, map[string]string{"app": "prod-app"}, t) fx.Wait("service") - createEndpoints(controller, svcName, "nsfake", portNames, svc1Ips, t) + createEndpoints(controller, svcName, "nsfake", portNames, svc1Ips, nil, t) fx.Wait("eds") } // Create 1 endpoint that refers to a pod in the same namespace. - createEndpoints(controller, "svc1", "nsa", portNames, svc1Ips, t) + createEndpoints(controller, "svc1", "nsa", portNames, svc1Ips, nil, t) fx.Wait("eds") var svcNode model.Proxy @@ -907,8 +907,8 @@ func TestController_GetIstioServiceAccounts(t *testing.T) { svc1Ips := []string{"128.0.0.2"} svc2Ips := make([]string, 0) portNames := []string{"tcp-port"} - createEndpoints(controller, "svc1", "nsA", portNames, svc1Ips, t) - createEndpoints(controller, "svc2", "nsA", portNames, svc2Ips, t) + createEndpoints(controller, "svc1", "nsA", portNames, svc1Ips, nil, t) + createEndpoints(controller, "svc2", "nsA", portNames, svc2Ips, nil, t) // We expect only one EDS update with Endpoints. <-fx.Events 
@@ -1381,15 +1381,14 @@ func TestCompareEndpoints(t *testing.T) { } } -func createEndpoints(controller *Controller, name, namespace string, portNames, ips []string, t *testing.T) { +func createEndpoints(controller *Controller, name, namespace string, portNames, ips []string, refs []*coreV1.ObjectReference, t *testing.T) { + if refs == nil { + refs = make([]*coreV1.ObjectReference, len(ips)) + } var portNum int32 = 1001 eas := make([]coreV1.EndpointAddress, 0) - for _, ip := range ips { - eas = append(eas, coreV1.EndpointAddress{IP: ip, TargetRef: &coreV1.ObjectReference{ - Kind: "Pod", - Name: name, - Namespace: namespace, - }}) + for i, ip := range ips { + eas = append(eas, coreV1.EndpointAddress{IP: ip, TargetRef: refs[i]}) } eps := make([]coreV1.EndpointPort, 0) @@ -1423,6 +1422,13 @@ func createEndpoints(controller *Controller, name, namespace string, portNames, esps = append(esps, discoveryv1alpha1.EndpointPort{Name: &n, Port: &portNum}) } + sliceEndpoint := []discoveryv1alpha1.Endpoint{} + for i, ip := range ips { + sliceEndpoint = append(sliceEndpoint, discoveryv1alpha1.Endpoint{ + Addresses: []string{ip}, + TargetRef: refs[i], + }) + } endpointSlice := &discoveryv1alpha1.EndpointSlice{ ObjectMeta: metaV1.ObjectMeta{ Name: name, @@ -1431,17 +1437,8 @@ func createEndpoints(controller *Controller, name, namespace string, portNames, discoveryv1alpha1.LabelServiceName: name, }, }, - Endpoints: []discoveryv1alpha1.Endpoint{ - { - Addresses: ips, - TargetRef: &coreV1.ObjectReference{ - Kind: "Pod", - Name: name, - Namespace: namespace, - }, - }, - }, - Ports: esps, + Endpoints: sliceEndpoint, + Ports: esps, } if _, err := controller.client.DiscoveryV1alpha1().EndpointSlices(namespace).Create(context.TODO(), endpointSlice, metaV1.CreateOptions{}); err != nil { if errors.IsAlreadyExists(err) { 
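Review bot: In createEndpoints, `refs[i]` is indexed by position in `ips` in both new loops (the EndpointAddress loop and the `sliceEndpoint` loop). A caller that passes a non-nil `refs` shorter than `ips` therefore panics with an index-out-of-range instead of failing the test with a message. A guard right after the nil default would report it cleanly: `if len(refs) != len(ips) { t.Fatalf("got %d refs for %d ips", len(refs), len(ips)) }`. The addEndpoint closure in TestEndpointUpdateBeforePodUpdate builds `refs` from a separate `pods` slice, so nothing ties the two lengths together by construction.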
@@ -1790,7 +1787,7 @@ func TestEndpointUpdate(t *testing.T) { svc1Ips := []string{"128.0.0.1"} portNames := []string{"tcp-port"} // Create 1 endpoint that refers to a pod in the same namespace. - createEndpoints(controller, "svc1", "nsa", portNames, svc1Ips, t) + createEndpoints(controller, "svc1", "nsa", portNames, svc1Ips, nil, t) if ev := fx.Wait("eds"); ev == nil { t.Fatalf("Timeout incremental eds") } @@ -1866,8 +1863,20 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { } } - addEndpoint := func(svcName string, ips ...string) { - createEndpoints(controller, svcName, "nsA", []string{"tcp-port"}, ips, t) + addEndpoint := func(svcName string, ips []string, pods []string) { + refs := []*coreV1.ObjectReference{} + for _, pod := range pods { + if pod == "" { + refs = append(refs, nil) + } else { + refs = append(refs, &coreV1.ObjectReference{ + Kind: "Pod", + Namespace: "nsA", + Name: pod, + }) + } + } + createEndpoints(controller, svcName, "nsA", []string{"tcp-port"}, ips, refs, t) } assertEndpointsEvent := func(expected ...string) { t.Helper() 
@@ -1898,19 +1907,25 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { // standard ordering addService("svc") addPod("pod1", "172.0.1.1") - addEndpoint("svc", "172.0.1.1") + addEndpoint("svc", []string{"172.0.1.1"}, []string{"pod1"}) assertEndpointsEvent("172.0.1.1") fx.Clear() // Create the endpoint, then later add the pod. Should eventually get an update for the endpoint - addEndpoint("svc", "172.0.1.1", "172.0.1.2") + addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) assertEndpointsEvent("172.0.1.1") fx.Clear() addPod("pod2", "172.0.1.2") assertEndpointsEvent("172.0.1.1", "172.0.1.2") + fx.Clear() + + // Create the endpoint without a pod reference. We should see it immediately + addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2", "172.0.1.3"}, []string{"pod1", "pod2", ""}) + assertEndpointsEvent("172.0.1.1", "172.0.1.2", "172.0.1.3") + fx.Clear() // Delete a pod before the endpoint - addEndpoint("svc", "172.0.1.1") + addEndpoint("svc", []string{"172.0.1.1"}, []string{"pod1"}) deletePod("pod2", "172.0.1.2") assertEndpointsEvent("172.0.1.1") fx.Clear() @@ -1918,8 +1933,8 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { // add another service addService("other") // Add endpoints for the new service, and the old one. Both should be missing the last IP - addEndpoint("other", "172.0.1.1", "172.0.1.2") - addEndpoint("svc", "172.0.1.1", "172.0.1.2") + addEndpoint("other", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) + addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) assertEndpointsEvent("172.0.1.1") assertEndpointsEvent("172.0.1.1") fx.Clear() 
@@ -1930,16 +1945,16 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { // Check for memory leaks assertPendingResync(0) - addEndpoint("svc", "172.0.1.1", "172.0.1.2", "172.0.1.3") + addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2", "172.0.1.3"}, []string{"pod1", "pod2", "pod3"}) // This is really an implementation detail here - but checking to sanity check our test assertPendingResync(1) // Remove the endpoint again, with no pod events in between. Should have no memory leaks - addEndpoint("svc", "172.0.1.1", "172.0.1.2") + addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) // TODO this case would leak //assertPendingResync(0) // completely remove the endpoint - addEndpoint("svc", "172.0.1.1", "172.0.1.2", "172.0.1.3") + addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2", "172.0.1.3"}, []string{"pod1", "pod2", "pod3"}) assertPendingResync(1) if err := controller.client.CoreV1().Endpoints("nsA").Delete(context.TODO(), "svc", metaV1.DeleteOptions{}); err != nil { t.Fatal(err) diff --git a/pilot/pkg/serviceregistry/kube/controller/endpointslice.go b/pilot/pkg/serviceregistry/kube/controller/endpointslice.go index 89c6d54feef..2beaa055109 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpointslice.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpointslice.go @@ -77,8 +77,8 @@ func (esc *endpointSliceController) updateEDS(es interface{}, event model.Event) continue } for _, a := range e.Addresses { - pod := getPod(esc.c, a, &metav1.ObjectMeta{Name: slice.Name, Namespace: slice.Namespace}, e.TargetRef, hostname) - if pod == nil { + pod, expectedUpdate := getPod(esc.c, a, &metav1.ObjectMeta{Name: slice.Name, Namespace: slice.Namespace}, e.TargetRef, hostname) + if pod == nil && expectedUpdate { continue } From 5fed8d71693d10a5d306fc71045cf2f0bdfc1917 Mon Sep 17 00:00:00 2001 
From: jacob-delgado Date: Tue, 11 Aug 2020 13:25:14 -0600 Subject: [PATCH 23/82] [release-1.6] CVE fix for 1.6.8 (#26371) * fix authz suffix matching in TCP (#29) * update the tests (#31) Co-authored-by: Yangmin Zhu --- .../action-deny-HTTP-for-TCP-filter-in.yaml | 16 +-- .../action-deny-HTTP-for-TCP-filter-out.yaml | 112 ++++++++++++++++++ pilot/pkg/security/authz/matcher/string.go | 11 +- .../pkg/security/authz/matcher/string_test.go | 39 +++--- pilot/pkg/security/authz/model/generator.go | 6 +- .../security/authorization_test.go | 35 ++++-- .../testdata/authz/v1beta1-tcp.yaml.tmpl | 17 ++- .../security/util/rbac_util/util.go | 2 +- 8 files changed, 195 insertions(+), 43 deletions(-) diff --git a/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-in.yaml b/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-in.yaml index f493c45d3ff..db8948ef9a3 100644 --- a/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-in.yaml +++ b/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-in.yaml @@ -53,13 +53,13 @@ spec: # rule[8] `from`: all fields, `to`: all fields, `when`: all fields. - from: - source: - principals: ["principal"] + principals: ["principal", "*principal-suffix", "principal-prefix*", "*"] requestPrincipals: ["requestPrincipals"] - namespaces: ["ns"] + namespaces: ["ns", "*ns-suffix", "ns-prefix*", "*"] ipBlocks: ["1.2.3.4"] - notPrincipals: ["not-principal"] + notPrincipals: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"] notRequestPrincipals: ["not-requestPrincipals"] - notNamespaces: ["not-ns"] + notNamespaces: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"] notIpBlocks: ["9.0.0.1"] to: - operation: 
@@ -79,11 +79,11 @@ spec: values: ["10.10.10.10"] notValues: ["90.10.10.10"] - key: "source.namespace" - values: ["ns"] - notValues: ["not-ns"] + values: ["ns", "*ns-suffix", "ns-prefix*", "*"] + notValues: ["not-ns", "*not-ns-suffix", "not-ns-prefix*", "*"] - key: "source.principal" - values: ["principal"] - notValues: ["not-principal"] + values: ["principal", "*principal-suffix", "principal-prefix*", "*"] + notValues: ["not-principal", "*not-principal-suffix", "not-principal-prefix*", "*"] - key: "request.auth.principal" values: ["requestPrincipals"] notValues: ["not-requestPrincipals"] diff --git a/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-out.yaml b/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-out.yaml index 19a912e2821..6db59f559f4 100644 --- a/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-out.yaml +++ b/pilot/pkg/security/authz/builder/testdata/action-deny-HTTP-for-TCP-filter-out.yaml @@ -159,12 +159,38 @@ typedConfig: - authenticated: principalName: exact: spiffe://principal + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: spiffe://.*principal-suffix + - authenticated: + principalName: + prefix: spiffe://principal-prefix + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .+ - notId: orIds: ids: - authenticated: principalName: exact: spiffe://not-principal + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: spiffe://.*not-principal-suffix + - authenticated: + principalName: + prefix: spiffe://not-principal-prefix + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .+ - orIds: ids: - authenticated: 
@@ -172,6 +198,21 @@ typedConfig: safeRegex: googleRe2: {} regex: .*/ns/ns/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*ns-suffix/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/ns-prefix.*/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*/.* - notId: orIds: ids: @@ -180,6 +221,21 @@ typedConfig: safeRegex: googleRe2: {} regex: .*/ns/not-ns/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*not-ns-suffix/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/not-ns-prefix.*/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*/.* - orIds: ids: - sourceIp: @@ -209,6 +265,21 @@ typedConfig: safeRegex: googleRe2: {} regex: .*/ns/ns/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*ns-suffix/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/ns-prefix.*/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*/.* - notId: orIds: ids: 
@@ -217,15 +288,56 @@ typedConfig: safeRegex: googleRe2: {} regex: .*/ns/not-ns/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*not-ns-suffix/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/not-ns-prefix.*/.* + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .*/ns/.*/.* - orIds: ids: - authenticated: principalName: exact: spiffe://principal + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: spiffe://.*principal-suffix + - authenticated: + principalName: + prefix: spiffe://principal-prefix + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .+ - notId: orIds: ids: - authenticated: principalName: exact: spiffe://not-principal + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: spiffe://.*not-principal-suffix + - authenticated: + principalName: + prefix: spiffe://not-principal-prefix + - authenticated: + principalName: + safeRegex: + googleRe2: {} + regex: .+ statPrefix: tcp. diff --git a/pilot/pkg/security/authz/matcher/string.go b/pilot/pkg/security/authz/matcher/string.go index b6d4e9f9faa..f8f127911bd 100644 --- a/pilot/pkg/security/authz/matcher/string.go +++ b/pilot/pkg/security/authz/matcher/string.go @@ -49,11 +49,14 @@ func StringMatcherWithPrefix(v, prefix string) *matcherpb.StringMatcher { case v == "*": return StringMatcherRegex(".+") case strings.HasPrefix(v, "*"): - return &matcherpb.StringMatcher{ - MatchPattern: &matcherpb.StringMatcher_Suffix{ - Suffix: prefix + strings.TrimPrefix(v, "*"), - }, + if prefix == "" { + return &matcherpb.StringMatcher{ + MatchPattern: &matcherpb.StringMatcher_Suffix{ + Suffix: strings.TrimPrefix(v, "*"), + }, + } } + return StringMatcherRegex(prefix + ".*" + strings.TrimPrefix(v, "*")) case strings.HasSuffix(v, "*"): return &matcherpb.StringMatcher{ MatchPattern: &matcherpb.StringMatcher_Prefix{ 
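Review bot: In the new regex branch of StringMatcherWithPrefix, `prefix` and the rule value are concatenated into the pattern unescaped. Any regex metacharacter in either part is then interpreted rather than matched literally, so the `.` in a trust domain such as `cluster.local` matches any character and the matcher accepts more identities than the policy author wrote. Escaping both parts keeps everything except the wildcard literal: `return StringMatcherRegex(regexp.QuoteMeta(prefix) + ".*" + regexp.QuoteMeta(strings.TrimPrefix(v, "*")))`, which needs `regexp` imported in string.go. A test case in string_test.go with a `.` in the value would pin this. The srcNamespaceGenerator.principal hunk in generator.go builds its pattern from `value` in the same unescaped way, and the function here starts and ends outside the hunk.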
diff --git a/pilot/pkg/security/authz/matcher/string_test.go b/pilot/pkg/security/authz/matcher/string_test.go index 9196c252969..8edd6dc7308 100644 --- a/pilot/pkg/security/authz/matcher/string_test.go +++ b/pilot/pkg/security/authz/matcher/string_test.go @@ -23,18 +23,21 @@ import ( func TestStringMatcherWithPrefix(t *testing.T) { testCases := []struct { - name string - v string - want *matcherpb.StringMatcher + name string + v string + prefix string + want *matcherpb.StringMatcher }{ { - name: "wildcardAsRequired", - v: "*", - want: StringMatcherRegex(".+"), + name: "wildcardAsRequired", + v: "*", + prefix: "abc", + want: StringMatcherRegex(".+"), }, { - name: "prefix", - v: "-prefix-*", + name: "prefix", + v: "-prefix-*", + prefix: "abc", want: &matcherpb.StringMatcher{ MatchPattern: &matcherpb.StringMatcher_Prefix{ Prefix: "abc-prefix-", @@ -42,17 +45,25 @@ func TestStringMatcherWithPrefix(t *testing.T) { }, }, { - name: "suffix", - v: "*-suffix", + name: "suffix-empty-prefix", + v: "*-suffix", + prefix: "", want: &matcherpb.StringMatcher{ MatchPattern: &matcherpb.StringMatcher_Suffix{ - Suffix: "abc-suffix", + Suffix: "-suffix", }, }, }, { - name: "exact", - v: "-exact", + name: "suffix", + v: "*-suffix", + prefix: "abc", + want: StringMatcherRegex("abc.*-suffix"), + }, + { + name: "exact", + v: "-exact", + prefix: "abc", want: &matcherpb.StringMatcher{ MatchPattern: &matcherpb.StringMatcher_Exact{ Exact: "abc-exact", @@ -63,7 +74,7 @@ func TestStringMatcherWithPrefix(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - actual := StringMatcherWithPrefix(tc.v, "abc") + actual := StringMatcherWithPrefix(tc.v, tc.prefix) if !reflect.DeepEqual(*actual, *tc.want) { t.Errorf("want %s but got %s", tc.want.String(), actual.String()) } diff --git a/pilot/pkg/security/authz/model/generator.go b/pilot/pkg/security/authz/model/generator.go index 2a1576adb53..1f513b40fdb 100644 --- a/pilot/pkg/security/authz/model/generator.go 
+++ b/pilot/pkg/security/authz/model/generator.go @@ -116,15 +116,13 @@ func (srcNamespaceGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission } func (srcNamespaceGenerator) principal(_, value string, forTCP bool) (*rbacpb.Principal, error) { + v := strings.Replace(value, "*", ".*", -1) + m := matcher.StringMatcherRegex(fmt.Sprintf(".*/ns/%s/.*", v)) if forTCP { - regex := fmt.Sprintf(".*/ns/%s/.*", value) - m := matcher.StringMatcherRegex(regex) return principalAuthenticated(m), nil } // Proxy doesn't have attrSrcNamespace directly, but the information is encoded in attrSrcPrincipal // with format: cluster.local/ns/{NAMESPACE}/sa/{SERVICE-ACCOUNT}. - v := strings.Replace(value, "*", ".*", -1) - m := matcher.StringMatcherRegex(fmt.Sprintf(".*/ns/%s/.*", v)) metadata := matcher.MetadataStringMatcher(sm.AuthnFilterName, attrSrcPrincipal, m) return principalMetadata(metadata), nil } diff --git a/tests/integration/security/authorization_test.go b/tests/integration/security/authorization_test.go index ef2b8f6ce5a..e668b47789d 100644 --- a/tests/integration/security/authorization_test.go +++ b/tests/integration/security/authorization_test.go @@ -634,10 +634,15 @@ func TestAuthorization_TCP(t *testing.T) { InstancePort: 8091, }, { - Name: "tcp", + Name: "tcp-8092", Protocol: protocol.TCP, InstancePort: 8092, }, + { + Name: "tcp-8093", + Protocol: protocol.TCP, + InstancePort: 8093, + }, } echoboot.NewBuilderOrFail(t, ctx). With(&x, util.EchoConfig("x", ns2, false, nil, g, p)). 
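Review bot: `v := strings.Replace(value, "*", ".*", -1)` in srcNamespaceGenerator.principal rewrites every `*` in the namespace value to `.*`, which also matches `/`, and this now applies on both the TCP and HTTP paths. A wildcard namespace can therefore match text outside the `{NAMESPACE}` segment of the principal format given in the comment (`cluster.local/ns/{NAMESPACE}/sa/{SERVICE-ACCOUNT}`). Confining the wildcard to one path segment is tighter: `v := strings.Replace(value, "*", "[^/]*", -1)`. Whether the looser match is reachable depends on which identities the mesh issues, which the hunk does not show. The expected output in action-deny-HTTP-for-TCP-filter-out.yaml would need regenerating with this change.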
@@ -706,18 +711,26 @@ func TestAuthorization_TCP(t *testing.T) { // The policy on workload b denies request with path "/data" to port 8090: // - request to port http-8090 should be denied because both path and port are matched. // - request to port http-8091 should be allowed because the port is not matched. - // - request to port tcp should be allowed because the port is not matched. + // - request to port tcp-8092 should be allowed because the port is not matched. newTestCase(a, b, "http-8090", false, scheme.HTTP), newTestCase(a, b, "http-8091", true, scheme.HTTP), - newTestCase(a, b, "tcp", true, scheme.TCP), + newTestCase(a, b, "tcp-8092", true, scheme.TCP), // The policy on workload c denies request to port 8090: // - request to port http-8090 should be denied because the port is matched. // - request to http port 8091 should be allowed because the port is not matched. // - request to tcp port 8092 should be allowed because the port is not matched. + // - request from b to tcp port 8092 should be allowed by default. + // - request from b to tcp port 8093 should be denied because the principal is matched. + // - request from x to tcp port 8092 should be denied because the namespace is matched. + // - request from x to tcp port 8093 should be allowed by default. newTestCase(a, c, "http-8090", false, scheme.HTTP), newTestCase(a, c, "http-8091", true, scheme.HTTP), - newTestCase(a, c, "tcp", true, scheme.TCP), + newTestCase(a, c, "tcp-8092", true, scheme.TCP), + newTestCase(b, c, "tcp-8092", true, scheme.TCP), + newTestCase(b, c, "tcp-8093", false, scheme.TCP), + newTestCase(x, c, "tcp-8092", false, scheme.TCP), + newTestCase(x, c, "tcp-8093", true, scheme.TCP), // The policy on workload d denies request from service account a and workloads in namespace 2: // - request from a to d should be denied because it has service account a. 
@@ -725,19 +738,19 @@ func TestAuthorization_TCP(t *testing.T) { // - request from c to d should be allowed. // - request from x to a should be allowed because there is no policy on a. // - request from x to d should be denied because it's in namespace 2. - newTestCase(a, d, "tcp", false, scheme.TCP), - newTestCase(b, d, "tcp", true, scheme.TCP), - newTestCase(c, d, "tcp", true, scheme.TCP), - newTestCase(x, a, "tcp", true, scheme.TCP), - newTestCase(x, d, "tcp", false, scheme.TCP), + newTestCase(a, d, "tcp-8092", false, scheme.TCP), + newTestCase(b, d, "tcp-8092", true, scheme.TCP), + newTestCase(c, d, "tcp-8092", true, scheme.TCP), + newTestCase(x, a, "tcp-8092", true, scheme.TCP), + newTestCase(x, d, "tcp-8092", false, scheme.TCP), // The policy on workload e denies request with path "/other": // - request to port http-8090 should be allowed because the path is not matched. // - request to port http-8091 should be allowed because the path is not matched. - // - request to port tcp should be denied because policy uses HTTP fields. + // - request to port tcp-8092 should be denied because policy uses HTTP fields. newTestCase(a, e, "http-8090", true, scheme.HTTP), newTestCase(a, e, "http-8091", true, scheme.HTTP), - newTestCase(a, e, "tcp", false, scheme.TCP), + newTestCase(a, e, "tcp-8092", false, scheme.TCP), } rbacUtil.RunRBACTest(t, cases) diff --git a/tests/integration/security/testdata/authz/v1beta1-tcp.yaml.tmpl b/tests/integration/security/testdata/authz/v1beta1-tcp.yaml.tmpl index 05bf67ffe6c..f84d7fe9a41 100644 --- a/tests/integration/security/testdata/authz/v1beta1-tcp.yaml.tmpl +++ b/tests/integration/security/testdata/authz/v1beta1-tcp.yaml.tmpl 
@@ -17,7 +17,10 @@ spec: ports: ["8090"] --- -# The following policy denies request to port 8090 for workload c +# The following policy denies: +# request to port 8090 for workload c +# request to port 8093 with principal suffix matching +# request to port 8092 with namespace suffix matching apiVersion: "security.istio.io/v1beta1" kind: AuthorizationPolicy @@ -33,6 +36,18 @@ spec: - to: - operation: ports: ["8090"] + - to: + - operation: + ports: ["8093"] + from: + - source: + principals: ["*/ns/{{ .Namespace }}/sa/b"] + - to: + - operation: + ports: ["8092"] + from: + - source: + namespaces: ["*{{ .Namespace2 }}"] --- # The following policy denies request from service account a and namespace 2 for workload d diff --git a/tests/integration/security/util/rbac_util/util.go b/tests/integration/security/util/rbac_util/util.go index 01194ac46f5..f7d77a86605 100644 --- a/tests/integration/security/util/rbac_util/util.go +++ b/tests/integration/security/util/rbac_util/util.go @@ -73,7 +73,7 @@ func (tc TestCase) CheckRBACRequest() error { return getError(req, "allow with code 200", fmt.Sprintf("error: %v", err)) } } else { - if req.Options.PortName == "tcp" || req.Options.PortName == "grpc" { + if strings.HasPrefix(req.Options.PortName, "tcp") || req.Options.PortName == "grpc" { expectedErrMsg := "EOF" // TCP deny message. if req.Options.PortName == "grpc" { expectedErrMsg = "rpc error: code = PermissionDenied desc = RBAC: access denied" From dc984804d633193fd7674fd95bfa98a82d222cb0 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 11 Aug 2020 17:12:20 -0700 Subject: [PATCH 24/82] Expand endpoints before pod test to check pod (#26032) This ensures we are actually getting the right pod, and populating the correct service account information. It doesn't fix any bug - the code works today, just expanding the testing Co-authored-by: John Howard --- .../kube/controller/controller_test.go | 46 +++++++++++++------ 1 file changed, 31 insertions(+), 15 deletions(-) 
diff --git a/pilot/pkg/serviceregistry/kube/controller/controller_test.go b/pilot/pkg/serviceregistry/kube/controller/controller_test.go index 5121c0a8a58..31a78b7f514 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller_test.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller_test.go @@ -1831,7 +1831,7 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { addNodes(t, controller, generateNode("node1", map[string]string{NodeZoneLabel: "zone1", NodeRegionLabel: "region1", IstioSubzoneLabel: "subzone1"})) // Setup help functions to make the test more explicit addPod := func(name, ip string) { - pod := generatePod(ip, name, "nsA", "", "node1", map[string]string{"app": "prod-app"}, map[string]string{}) + pod := generatePod(ip, name, "nsA", name, "node1", map[string]string{"app": "prod-app"}, map[string]string{}) addPods(t, controller, pod) if err := waitForPod(controller, pod.Status.PodIP); err != nil { t.Fatalf("wait for pod err: %v", err) 
@@ -1878,18 +1878,34 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { } createEndpoints(controller, svcName, "nsA", []string{"tcp-port"}, ips, refs, t) } - assertEndpointsEvent := func(expected ...string) { + assertEndpointsEvent := func(ips []string, pods []string) { t.Helper() ev := fx.Wait("eds") if ev == nil { t.Fatalf("Timeout eds") } - ips := []string{} + gotIps := []string{} for _, e := range ev.Endpoints { - ips = append(ips, e.Address) + gotIps = append(gotIps, e.Address) } - if !reflect.DeepEqual(expected, ips) { - t.Fatalf("expected ips %v, got %v", expected, ips) + gotSA := []string{} + expectedSa := []string{} + for _, e := range pods { + if e == "" { + expectedSa = append(expectedSa, "") + } else { + expectedSa = append(expectedSa, "spiffe://cluster.local/ns/nsA/sa/"+e) + } + } + + for _, e := range ev.Endpoints { + gotSA = append(gotSA, e.ServiceAccount) + } + if !reflect.DeepEqual(gotIps, ips) { + t.Fatalf("expected ips %v, got %v", ips, gotIps) + } + if !reflect.DeepEqual(gotSA, expectedSa) { + t.Fatalf("expected SAs %v, got %v", expectedSa, gotSA) } } assertPendingResync := func(expected int) { 
@@ -1908,26 +1924,26 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { addService("svc") addPod("pod1", "172.0.1.1") addEndpoint("svc", []string{"172.0.1.1"}, []string{"pod1"}) - assertEndpointsEvent("172.0.1.1") + assertEndpointsEvent([]string{"172.0.1.1"}, []string{"pod1"}) fx.Clear() // Create the endpoint, then later add the pod. Should eventually get an update for the endpoint addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) - assertEndpointsEvent("172.0.1.1") + assertEndpointsEvent([]string{"172.0.1.1"}, []string{"pod1"}) fx.Clear() addPod("pod2", "172.0.1.2") - assertEndpointsEvent("172.0.1.1", "172.0.1.2") + assertEndpointsEvent([]string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) fx.Clear() // Create the endpoint without a pod reference. We should see it immediately addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2", "172.0.1.3"}, []string{"pod1", "pod2", ""}) - assertEndpointsEvent("172.0.1.1", "172.0.1.2", "172.0.1.3") + assertEndpointsEvent([]string{"172.0.1.1", "172.0.1.2", "172.0.1.3"}, []string{"pod1", "pod2", ""}) fx.Clear() // Delete a pod before the endpoint addEndpoint("svc", []string{"172.0.1.1"}, []string{"pod1"}) deletePod("pod2", "172.0.1.2") - assertEndpointsEvent("172.0.1.1") + assertEndpointsEvent([]string{"172.0.1.1"}, []string{"pod1"}) fx.Clear() // add another service 
@@ -1935,13 +1951,13 @@ func TestEndpointUpdateBeforePodUpdate(t *testing.T) { // Add endpoints for the new service, and the old one. Both should be missing the last IP addEndpoint("other", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) addEndpoint("svc", []string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) - assertEndpointsEvent("172.0.1.1") - assertEndpointsEvent("172.0.1.1") + assertEndpointsEvent([]string{"172.0.1.1"}, []string{"pod1"}) + assertEndpointsEvent([]string{"172.0.1.1"}, []string{"pod1"}) fx.Clear() // Add the pod, expect the endpoints update for both addPod("pod2", "172.0.1.2") - assertEndpointsEvent("172.0.1.1", "172.0.1.2") - assertEndpointsEvent("172.0.1.1", "172.0.1.2") + assertEndpointsEvent([]string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) + assertEndpointsEvent([]string{"172.0.1.1", "172.0.1.2"}, []string{"pod1", "pod2"}) // Check for memory leaks assertPendingResync(0) From 3fee2f47fa5c8f4b43de04e2c580a6a2c7ff24fe Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 11 Aug 2020 17:12:28 -0700 Subject: [PATCH 25/82] remove istio-validation container when running istioctl rm (#26189) Co-authored-by: Tariq Ibrahim --- istioctl/cmd/kubeuninject.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/istioctl/cmd/kubeuninject.go b/istioctl/cmd/kubeuninject.go index 3f4d27ac04f..a25eb88b8a9 100644 --- a/istioctl/cmd/kubeuninject.go +++ b/istioctl/cmd/kubeuninject.go @@ -43,6 +43,7 @@ const ( enableCoreDumpContainerName = "enable-core-dump" envoyVolumeName = "istio-envoy" initContainerName = "istio-init" + initValidationContainerName = "istio-validation" jwtTokenVolumeName = "istio-token" proxyContainerName = "istio-proxy" sidecarAnnotationPrefix = "sidecar.istio.io" 
@@ -247,6 +248,7 @@ func extractObject(in runtime.Object) (interface{}, error) { } podSpec.InitContainers = removeInjectedContainers(podSpec.InitContainers, initContainerName) + podSpec.InitContainers = removeInjectedContainers(podSpec.InitContainers, initValidationContainerName) podSpec.InitContainers = removeInjectedContainers(podSpec.InitContainers, enableCoreDumpContainerName) podSpec.Containers = removeInjectedContainers(podSpec.Containers, proxyContainerName) podSpec.Volumes = removeInjectedVolumes(podSpec.Volumes, envoyVolumeName) From 02186c738088c6b5be939af86efe3f18a673f1e4 Mon Sep 17 00:00:00 2001 From: Pengyuan Bian Date: Tue, 11 Aug 2020 17:48:05 -0700 Subject: [PATCH 26/82] [release-1.6] Increase default proto sniffing timeout to 5s (#25954) * increase default proto sniffing timeout to 5s * make gen --- manifests/charts/global.yaml | 2 +- .../charts/istio-control/istio-discovery/files/gen-istio.yaml | 4 ++-- manifests/charts/istiod-remote/files/gen-istiod-remote.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/charts/global.yaml b/manifests/charts/global.yaml index 0e57191e9f5..95dfba784f8 100644 --- a/manifests/charts/global.yaml +++ b/manifests/charts/global.yaml @@ -124,7 +124,7 @@ global: # the specified period, defaulting to non mTLS plain TCP # traffic. Set this field to tweak the period that Envoy will wait # for the client to send the first bits of data. (MUST BE >=1ms) - protocolDetectionTimeout: 100ms + protocolDetectionTimeout: 5000ms #If set to true, istio-proxy container will have privileged securityContext privileged: false diff --git a/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml b/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml index 92a4b23ef14..f916a443107 100644 --- a/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml 
@@ -71,7 +71,7 @@ data: enabled: true outboundTrafficPolicy: mode: ALLOW_ANY - protocolDetectionTimeout: 100ms + protocolDetectionTimeout: 5000ms reportBatchMaxEntries: 100 reportBatchMaxTime: 1s sdsUdsPath: unix:/etc/istio/proxy/SDS @@ -218,7 +218,7 @@ data: "includeIPRanges": "*", "logLevel": "warning", "privileged": false, - "protocolDetectionTimeout": "100ms", + "protocolDetectionTimeout": "5000ms", "readinessFailureThreshold": 30, "readinessInitialDelaySeconds": 1, "readinessPeriodSeconds": 2, diff --git a/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml b/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml index ce1fb27506d..3347fda1810 100644 --- a/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml +++ b/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml @@ -139,7 +139,7 @@ data: "includeIPRanges": "*", "logLevel": "warning", "privileged": false, - "protocolDetectionTimeout": "100ms", + "protocolDetectionTimeout": "5000ms", "readinessFailureThreshold": 30, "readinessInitialDelaySeconds": 1, "readinessPeriodSeconds": 2, From 7b439ad0c4f0b0b41dd8d52d3e216b93d5e68f97 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 11 Aug 2020 17:48:13 -0700 Subject: [PATCH 27/82] [release-1.6] properly drain gateway listeners (#26068) * drain all listeners for gateway Signed-off-by: Rama Chavali * lint Signed-off-by: Rama Chavali Co-authored-by: Rama Chavali --- pilot/cmd/pilot-agent/main.go | 1 + pkg/envoy/admin.go | 10 ++++++++-- pkg/envoy/instance.go | 4 ++-- pkg/envoy/proxy.go | 4 +++- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/pilot/cmd/pilot-agent/main.go b/pilot/cmd/pilot-agent/main.go index 503d50a738a..69c71b19158 100644 --- a/pilot/cmd/pilot-agent/main.go +++ b/pilot/cmd/pilot-agent/main.go 
@@ -331,6 +331,7 @@ var ( OutlierLogPath: outlierLogPath, PilotCertProvider: pilotCertProvider, ProvCert: citadel.ProvCert, + Sidecar: role.Type == model.SidecarProxy, }) agent := envoy.NewAgent(envoyProxy, features.TerminationDrainDuration()) diff --git a/pkg/envoy/admin.go b/pkg/envoy/admin.go index a22d8090b35..dfc99b9dfb8 100644 --- a/pkg/envoy/admin.go +++ b/pkg/envoy/admin.go @@ -36,8 +36,14 @@ func Shutdown(adminPort uint32) error { // DrainListeners drains inbound listeners of Envoy so that inflight requests // can gracefully finish and even continue making outbound calls as needed. -func DrainListeners(adminPort uint32) error { - res, err := doEnvoyPost("drain_listeners?inboundonly", "", "", adminPort) +func DrainListeners(adminPort uint32, inboundonly bool) error { + var drainURL string + if inboundonly { + drainURL = "drain_listeners?inboundonly" + } else { + drainURL = "drain_listeners" + } + res, err := doEnvoyPost(drainURL, "", "", adminPort) log.Debugf("Drain listener endpoint response : %s", res.String()) return err } diff --git a/pkg/envoy/instance.go b/pkg/envoy/instance.go index 010b3c98801..9fb1f5993b9 100644 --- a/pkg/envoy/instance.go +++ b/pkg/envoy/instance.go @@ -130,7 +130,7 @@ type Instance interface { // ShutdownAndWait is a helper that calls Shutdown and waits for the process to terminate. ShutdownAndWait() Waitable - // DrainListeners drains inbound listeners of Envoy so that inflight requests + // DrainListeners drains listeners of Envoy so that inflight requests // can gracefully finish and even continue making outbound calls as needed. DrainListeners() error } @@ -376,7 +376,7 @@ func (i *instance) ShutdownAndWait() Waitable { } func (i *instance) DrainListeners() error { - return DrainListeners(i.adminPort) + return DrainListeners(i.adminPort, true) } func (i *instance) close() { diff --git a/pkg/envoy/proxy.go b/pkg/envoy/proxy.go index ec1e9bffa6b..6d39f3c57f0 100644 --- a/pkg/envoy/proxy.go +++ b/pkg/envoy/proxy.go 
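Review bot: The doc comment on `DrainListeners` in pkg/envoy/admin.go still says it "drains inbound listeners", but with `inboundonly` set to false the request becomes `drain_listeners` and every listener is drained. I would update it to something like `// DrainListeners drains Envoy listeners so in-flight requests can finish; when inboundOnly is true only inbound listeners are drained and outbound calls keep working.` and spell the parameter `inboundOnly`. The instance.go hunk has the opposite mismatch: the interface comment was generalised to "drains listeners" while `(*instance).DrainListeners` still passes `true`, so for that implementation the old wording was the accurate one.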
@@ -60,6 +60,7 @@ type ProxyConfig struct { OutlierLogPath string PilotCertProvider string ProvCert string + Sidecar bool } // NewProxy creates an instance of the proxy control commands @@ -98,7 +99,8 @@ func (e *envoy) IsLive() bool { func (e *envoy) Drain() error { adminPort := uint32(e.Config.ProxyAdminPort) - err := DrainListeners(adminPort) + + err := DrainListeners(adminPort, e.Sidecar) if err != nil { log.Infof("failed draining listeners for Envoy on port %d: %v", adminPort, err) } From 22a3816ee10047fd8fe7699f1af6ee0bfc66dea2 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 11 Aug 2020 17:48:21 -0700 Subject: [PATCH 28/82] Fix regression in gateway name resolution (#26352) Fixes https://github.com/istio/istio/issues/26264 Co-authored-by: John Howard --- pilot/pkg/model/config.go | 8 +++++++- pilot/pkg/model/virtualservice_test.go | 5 +++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/pilot/pkg/model/config.go b/pilot/pkg/model/config.go index cef11b0e15d..63996641e75 100644 --- a/pilot/pkg/model/config.go +++ b/pilot/pkg/model/config.go @@ -373,8 +373,14 @@ func resolveGatewayName(gwname string, meta ConfigMeta) string { out = meta.Namespace + "/" + gwname } else { // parse namespace from FQDN. This is very hacky, but meant for backward compatibility only + // This is a legacy FQDN format. Transform name.ns.svc.cluster.local -> ns/name i := strings.Index(gwname, ".") - out = gwname[i+1:] + "/" + gwname[:i] + fqdn := strings.Index(gwname[i+1:], ".") + if fqdn == -1 { + out = gwname[i+1:] + "/" + gwname[:i] + } else { + out = gwname[i+1:i+1+fqdn] + "/" + gwname[:i] + } } } else { // remove the . from ./gateway and substitute it with the namespace name diff --git a/pilot/pkg/model/virtualservice_test.go b/pilot/pkg/model/virtualservice_test.go index ecfdb04ad2a..2490c4d9e36 100644 --- a/pilot/pkg/model/virtualservice_test.go +++ b/pilot/pkg/model/virtualservice_test.go 
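Review bot: In the `resolveGatewayName` hunk the new branch takes the second label as the namespace for any dotted name and never checks what follows it, so `a.b.anything` now resolves to `b/a` exactly like `a.b.svc.cluster.local`. Because the result decides which Gateway a VirtualService binds to, I would accept the legacy form only when the remainder looks like a service FQDN, for example `if fqdn == -1 || !strings.HasPrefix(gwname[i+1+fqdn:], ".svc.") {` to keep the old handling for everything else. A name with a trailing dot such as `name.` still produces an empty namespace (`/name`), so test cases for a non-`svc` suffix and for leading/trailing dots would pin the intended behaviour. The function body begins and ends outside this hunk, so the guard on the dotted branch is not visible here.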
@@ -1614,6 +1614,11 @@ var gatewayNameTests = []struct { "foo", "default/gateway", }, + { + "private.ingress.svc.cluster.local", + "foo", + "ingress/private", + }, } func TestResolveGatewayName(t *testing.T) { From fd62cdd72df4f7b1a89420a1dba4012b4d8f9860 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 12 Aug 2020 09:49:26 -0700 Subject: [PATCH 29/82] Fix inaccurate endpointsPendingPodUpdate metric (#25906) This currently will be outdate when an update comes in, and is only updated when the error is retriggered Co-authored-by: John Howard --- pilot/pkg/serviceregistry/kube/controller/pod.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pilot/pkg/serviceregistry/kube/controller/pod.go b/pilot/pkg/serviceregistry/kube/controller/pod.go index 020d7e19098..2736c023e52 100644 --- a/pilot/pkg/serviceregistry/kube/controller/pod.go +++ b/pilot/pkg/serviceregistry/kube/controller/pod.go @@ -147,6 +147,7 @@ func (pc *PodCache) update(ip, key string) { for ep := range endpointsToUpdate { pc.endpointUpdate(ep) } + endpointsPendingPodUpdate.Record(float64(len(pc.needResync))) } pc.proxyUpdates(ip) From f5aa484dc1a4841b889bd4c69c2cc7c69231b670 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 12 Aug 2020 09:49:34 -0700 Subject: [PATCH 30/82] Fix networking.HTTPMatchRequest.WithoutHeaders conflict detect (#26064) Co-authored-by: xuzhonghu --- pilot/pkg/model/virtualservice.go | 2 +- pilot/pkg/model/virtualservice_test.go | 18 ++++++++++++++++++ pkg/config/validation/virtualservice.go | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/pilot/pkg/model/virtualservice.go b/pilot/pkg/model/virtualservice.go index 2449433cea3..b71a750612a 100644 --- a/pilot/pkg/model/virtualservice.go +++ b/pilot/pkg/model/virtualservice.go 
@@ -261,7 +261,7 @@ func hasConflict(root, leaf *networking.HTTPMatchRequest) bool { // without headers for key, leafValue := range leaf.WithoutHeaders { - if stringMatchConflict(root.Headers[key], leafValue) { + if stringMatchConflict(root.WithoutHeaders[key], leafValue) { return true } } diff --git a/pilot/pkg/model/virtualservice_test.go b/pilot/pkg/model/virtualservice_test.go index 2490c4d9e36..077e066b072 100644 --- a/pilot/pkg/model/virtualservice_test.go +++ b/pilot/pkg/model/virtualservice_test.go @@ -1462,6 +1462,24 @@ func TestHasConflict(t *testing.T) { }, expected: false, }, + { + name: "withoutHeaders mismatch", + root: &networking.HTTPMatchRequest{ + WithoutHeaders: map[string]*networking.StringMatch{ + "header": { + MatchType: &networking.StringMatch_Prefix{Prefix: "h1"}, + }, + }, + }, + leaf: &networking.HTTPMatchRequest{ + WithoutHeaders: map[string]*networking.StringMatch{ + "header": { + MatchType: &networking.StringMatch_Exact{Exact: "h2"}, + }, + }, + }, + expected: true, + }, { name: "port", root: &networking.HTTPMatchRequest{ diff --git a/pkg/config/validation/virtualservice.go b/pkg/config/validation/virtualservice.go index e9866351547..d34215b3593 100644 --- a/pkg/config/validation/virtualservice.go +++ b/pkg/config/validation/virtualservice.go @@ -27,7 +27,7 @@ func validateRootHTTPRoute(http *networking.HTTPRoute) (errs error) { } // only delegate can be specified if http.Redirect != nil { - errs = appendErrors(errs, fmt.Errorf("root HTTP route %s must not specify rewrite", http.Name)) + errs = appendErrors(errs, fmt.Errorf("root HTTP route %s must not specify redirect", http.Name)) } if http.Route != nil { errs = appendErrors(errs, fmt.Errorf("root HTTP route %s must not specify route", http.Name)) From 9fa4691e2df299e6e8aeb15e09d748acaf45b1cf Mon Sep 17 00:00:00 2001 
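Review bot: With the loop in `hasConflict` now comparing `leaf.WithoutHeaders` only against `root.WithoutHeaders`, nothing visible in this hunk covers the cross case where the root requires a header through `Headers` and the leaf excludes the same key through `WithoutHeaders` (or the reverse). That case is the opposite condition to `stringMatchConflict`, since there matching values would be the contradiction, so it would need its own check rather than a reuse of the helper. If it is intentionally left out, a comment such as `// Headers vs WithoutHeaders on the same key is not checked here` plus a test case documenting the expected result would avoid a silent gap when root and delegate matches are merged. The rest of `hasConflict` lies outside the hunk, so this may already be handled there.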
From: Nupur Garg <37600866+gargnupur@users.noreply.github.com> Date: Wed, 12 Aug 2020 10:23:35 -0700 Subject: [PATCH 31/82] Change to comma separated value for app_container (#25441) (#25864) * Change to comma separated value for app_container Signed-off-by: gargnupur Run make gen Signed-off-by: gargnupur Add test for container name Signed-off-by: gargnupur Update VM test files Signed-off-by: gargnupur Change to comma separated value for app_container Signed-off-by: gargnupur Run make gen Signed-off-by: gargnupur Add test for container name Signed-off-by: gargnupur * Fix vm test Signed-off-by: gargnupur --- .../istio-control/istio-discovery/files/gen-istio.yaml | 8 +------- .../istio-discovery/files/injection-template.yaml | 8 +------- .../charts/istiod-remote/files/gen-istiod-remote.yaml | 8 +------- .../charts/istiod-remote/files/injection-template.yaml | 8 +------- pkg/test/framework/components/stackdriver/kube.go | 6 +++++- .../stackdriver/testdata/client_request_count.json.tmpl | 6 ++++++ .../stackdriver/testdata/server_request_count.json.tmpl | 7 +++++++ 7 files changed, 22 insertions(+), 29 deletions(-) diff --git a/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml b/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml index f916a443107..e466b2793ca 100644 --- a/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml @@ -521,13 +521,7 @@ data: {{- end}} ] - name: ISTIO_META_APP_CONTAINERS - value: |- - [ - {{- range $index, $container := .Spec.Containers }} - {{- if ne $index 0}},{{- end}} - {{ $container.Name }} - {{- end}} - ] + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE 
diff --git a/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml index 14c53ef9302..a0091a14279 100644 --- a/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml @@ -207,13 +207,7 @@ template: | {{- end}} ] - name: ISTIO_META_APP_CONTAINERS - value: |- - [ - {{- range $index, $container := .Spec.Containers }} - {{- if ne $index 0}},{{- end}} - {{ $container.Name }} - {{- end}} - ] + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE diff --git a/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml b/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml index 3347fda1810..b8897ab74c7 100644 --- a/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml +++ b/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml @@ -443,13 +443,7 @@ data: {{- end}} ] - name: ISTIO_META_APP_CONTAINERS - value: |- - [ - {{- range $index, $container := .Spec.Containers }} - {{- if ne $index 0}},{{- end}} - {{ $container.Name }} - {{- end}} - ] + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE diff --git a/manifests/charts/istiod-remote/files/injection-template.yaml b/manifests/charts/istiod-remote/files/injection-template.yaml index 14c53ef9302..a0091a14279 100644 --- a/manifests/charts/istiod-remote/files/injection-template.yaml +++ b/manifests/charts/istiod-remote/files/injection-template.yaml 
@@ -207,13 +207,7 @@ template: | {{- end}} ] - name: ISTIO_META_APP_CONTAINERS - value: |- - [ - {{- range $index, $container := .Spec.Containers }} - {{- if ne $index 0}},{{- end}} - {{ $container.Name }} - {{- end}} - ] + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE diff --git a/pkg/test/framework/components/stackdriver/kube.go b/pkg/test/framework/components/stackdriver/kube.go index cbf88f857e7..560998d8068 100644 --- a/pkg/test/framework/components/stackdriver/kube.go +++ b/pkg/test/framework/components/stackdriver/kube.go @@ -128,8 +128,12 @@ func (c *kubeComponent) ListTimeSeries() ([]*monitoringpb.TimeSeries, error) { for _, t := range r.TimeSeries { // Remove fields that do not need verification t.Points = nil - t.Resource = nil + delete(t.Resource.Labels, "cluster_name") + delete(t.Resource.Labels, "location") + delete(t.Resource.Labels, "project_id") + delete(t.Resource.Labels, "pod_name") ret = append(ret, t) + t.Metadata = nil } return ret, nil } diff --git a/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl b/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl index b9760fc82dd..af210483b01 100644 --- a/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl +++ b/tests/integration/telemetry/stackdriver/testdata/client_request_count.json.tmpl @@ -25,5 +25,11 @@ "source_workload_name": "clt-v1", "source_workload_namespace": "{{ .EchoNamespace }}" } + }, + "resource": { + "labels": { + "namespace_name": "{{ .EchoNamespace }}" + }, + "type": "k8s_pod" } } 
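Review bot: In the `ListTimeSeries` hunk of stackdriver/kube.go, `t.Resource.Labels` is dereferenced without a nil check, so a time series returned without a monitored resource will panic, where the old `t.Resource = nil` was safe. Wrapping the four `delete` calls in `if t.Resource != nil { ... }` keeps the previous robustness. `t.Metadata = nil` is also set after `ret = append(ret, t)`; it still takes effect because `t` is a pointer, but moving it above the append, next to `t.Points = nil`, keeps all the field scrubbing in one place. The function starts outside this hunk.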
diff --git a/tests/integration/telemetry/stackdriver/testdata/server_request_count.json.tmpl b/tests/integration/telemetry/stackdriver/testdata/server_request_count.json.tmpl index a59fc30b20f..7c50c13b187 100644 --- a/tests/integration/telemetry/stackdriver/testdata/server_request_count.json.tmpl +++ b/tests/integration/telemetry/stackdriver/testdata/server_request_count.json.tmpl @@ -25,5 +25,12 @@ "source_workload_name": "clt-v1", "source_workload_namespace": "{{ .EchoNamespace }}" } + }, + "resource": { + "labels": { + "container_name": "app", + "namespace_name": "{{ .EchoNamespace }}" + }, + "type": "k8s_container" } } From 6eb7c3db8a2a8ba9d7b0fd6792066397df7af3bf Mon Sep 17 00:00:00 2001 
From: Navraj Singh Chhina Date: Wed, 12 Aug 2020 13:23:43 -0400 Subject: [PATCH 32/82] [Release 1.6] Manual cherrypick of #25755 (#26122) * manual cherrypick * fix typo --- galley/pkg/config/analysis/analyzers/all.go | 2 + .../analysis/analyzers/analyzers_test.go | 72 +++++++++++++++++++ .../destinationrule/ca-certificates.go | 72 +++++++++++++++++++ ...estinationrule-compound-mutual-simple.yaml | 21 ++++++ ...estinationrule-compound-simple-mutual.yaml | 20 ++++++ .../destinationrule-mutual-destination.yaml | 12 ++++ .../testdata/destinationrule-mutual-port.yaml | 16 +++++ .../destinationrule-simple-destination.yaml | 12 ++++ .../testdata/destinationrule-simple-port.yaml | 16 +++++ .../testdata/destinationrule-with-ca.yaml | 22 ++++++ .../pkg/config/analysis/msg/messages.gen.go | 35 +++++++++ galley/pkg/config/analysis/msg/messages.yaml | 32 +++++++++ 12 files changed, 332 insertions(+) create mode 100644 galley/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-simple-mutual.yaml create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-destination.yaml create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-port.yaml create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-destination.yaml create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-port.yaml create mode 100644 galley/pkg/config/analysis/analyzers/testdata/destinationrule-with-ca.yaml diff --git a/galley/pkg/config/analysis/analyzers/all.go b/galley/pkg/config/analysis/analyzers/all.go index 5de216e0467..9aefd0b8a19 100644 --- a/galley/pkg/config/analysis/analyzers/all.go +++ b/galley/pkg/config/analysis/analyzers/all.go 
@@ -20,6 +20,7 @@ import ( "istio.io/istio/galley/pkg/config/analysis/analyzers/auth" "istio.io/istio/galley/pkg/config/analysis/analyzers/deployment" "istio.io/istio/galley/pkg/config/analysis/analyzers/deprecation" + "istio.io/istio/galley/pkg/config/analysis/analyzers/destinationrule" "istio.io/istio/galley/pkg/config/analysis/analyzers/gateway" "istio.io/istio/galley/pkg/config/analysis/analyzers/injection" "istio.io/istio/galley/pkg/config/analysis/analyzers/multicluster" @@ -51,6 +52,7 @@ func All() []analysis.Analyzer { &virtualservice.DestinationRuleAnalyzer{}, &virtualservice.GatewayAnalyzer{}, &virtualservice.RegexAnalyzer{}, + &destinationrule.CaCertificateAnalyzer{}, } analyzers = append(analyzers, schema.AllValidationAnalyzers()...) diff --git a/galley/pkg/config/analysis/analyzers/analyzers_test.go b/galley/pkg/config/analysis/analyzers/analyzers_test.go index 6a74b8ca3e3..67b701579d9 100644 --- a/galley/pkg/config/analysis/analyzers/analyzers_test.go +++ b/galley/pkg/config/analysis/analyzers/analyzers_test.go @@ -22,6 +22,8 @@ import ( "testing" "time" + "istio.io/istio/galley/pkg/config/analysis/analyzers/destinationrule" + . "github.com/onsi/gomega" "istio.io/pkg/log" 
@@ -315,6 +317,76 @@ var testGrid = []testCase{ {msg.UnknownMeshNetworksServiceRegistry, "MeshNetworks meshnetworks.istio-system"}, }, }, + { + name: "destinationrule with no cacert, simple at destinationlevel", + inputFiles: []string{ + "testdata/destinationrule-simple-destination.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{ + {msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-tls"}, + }, + }, + { + name: "destinationrule with no cacert, mutual at destinationlevel", + inputFiles: []string{ + "testdata/destinationrule-mutual-destination.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{ + {msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"}, + }, + }, + { + name: "destinationrule with no cacert, simple at portlevel", + inputFiles: []string{ + "testdata/destinationrule-simple-port.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{ + {msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-tls"}, + }, + }, + { + name: "destinationrule with no cacert, mutual at portlevel", + inputFiles: []string{ + "testdata/destinationrule-mutual-port.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{ + {msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"}, + }, + }, + { + name: "destinationrule with no cacert, mutual at destinationlevel and simple at port level", + inputFiles: []string{ + "testdata/destinationrule-compound-simple-mutual.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{ + {msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"}, + {msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"}, + }, + }, + { + name: "destinationrule with no cacert, simple at destinationlevel and mutual at port level", + inputFiles: []string{ + 
"testdata/destinationrule-compound-mutual-simple.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{ + {msg.NoServerCertificateVerificationPortLevel, "DestinationRule db-mtls"}, + {msg.NoServerCertificateVerificationDestinationLevel, "DestinationRule db-mtls"}, + }, + }, + { + name: "destinationrule with both cacerts", + inputFiles: []string{ + "testdata/destinationrule-with-ca.yaml", + }, + analyzer: &destinationrule.CaCertificateAnalyzer{}, + expected: []message{}, + }, } // regex patterns for analyzer names that should be explicitly ignored for testing diff --git a/galley/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go b/galley/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go new file mode 100644 index 00000000000..04fcac6f065 --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/destinationrule/ca-certificates.go 
@@ -0,0 +1,72 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package destinationrule + +import ( + "istio.io/api/networking/v1alpha3" + + "istio.io/istio/galley/pkg/config/analysis" + "istio.io/istio/galley/pkg/config/analysis/msg" + "istio.io/istio/pkg/config/resource" + "istio.io/istio/pkg/config/schema/collection" + "istio.io/istio/pkg/config/schema/collections" +) + +// CaCertificateAnalyzer checks if CaCertificate is set in case mode is SIMPLE/MUTUAL +type CaCertificateAnalyzer struct{} + +var _ analysis.Analyzer = &CaCertificateAnalyzer{} + +func (c *CaCertificateAnalyzer) Metadata() analysis.Metadata { + return analysis.Metadata{ + Name: "destinationrule.CaCertificateAnalyzer", + Description: "Checks if caCertificates is set when TLS mode is SIMPLE/MUTUAL", + Inputs: collection.Names{ + collections.IstioNetworkingV1Alpha3Destinationrules.Name(), + }, + } +} + +func (c *CaCertificateAnalyzer) Analyze(ctx analysis.Context) { + ctx.ForEach(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), func(r *resource.Instance) bool { + c.analyzeDestinationRule(r, ctx) + return true + }) +} + +func (c *CaCertificateAnalyzer) analyzeDestinationRule(r *resource.Instance, ctx analysis.Context) { + dr := r.Message.(*v1alpha3.DestinationRule) + drNs := r.Metadata.FullName.Namespace + drName := r.Metadata.FullName.String() + mode := dr.GetTrafficPolicy().GetTls().GetMode() + + if mode == v1alpha3.ClientTLSSettings_SIMPLE || 
mode == v1alpha3.ClientTLSSettings_MUTUAL { + if dr.GetTrafficPolicy().GetTls().GetCaCertificates() == "" { + ctx.Report(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), msg.NewNoServerCertificateVerificationDestinationLevel(r, drName, + drNs.String(), mode.String(), dr.GetHost())) + } + } + portSettings := dr.TrafficPolicy.GetPortLevelSettings() + + for _, p := range portSettings { + mode = p.GetTls().GetMode() + if mode == v1alpha3.ClientTLSSettings_SIMPLE || mode == v1alpha3.ClientTLSSettings_MUTUAL { + if p.GetTls().GetCaCertificates() == "" { + ctx.Report(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), msg.NewNoServerCertificateVerificationPortLevel(r, drName, + drNs.String(), mode.String(), dr.GetHost(), p.GetPort().String())) + } + } + } +} diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml new file mode 100644 index 00000000000..f1cfe4cca66 --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-mutual-simple.yaml @@ -0,0 +1,21 @@ + +# No caCertificates when mode is simple at destination level and MUTUAL at port level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-mtls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + tls: + mode: SIMPLE + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + portLevelSettings: + - port: + number: 443 + tls: + mode: MUTUAL + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + sni: my-nginx.mesh-external.svc.cluster.local diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-simple-mutual.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-simple-mutual.yaml new file mode 100644 index 00000000000..6006134781e --- /dev/null 
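Review bot: `analyzeDestinationRule` inspects the top-level `trafficPolicy.tls` and its `portLevelSettings`, but never looks at `subsets[].trafficPolicy`, so a subset that sets SIMPLE or MUTUAL without `caCertificates` produces no warning even though the server certificate is not verified for that subset either. A loop over `dr.GetSubsets()` applying the same check closes the gap; the sketch below reuses the destination-level message, although a dedicated subset-level message would be clearer. Subset port-level settings would need the same treatment. As a smaller point, `dr.TrafficPolicy.GetPortLevelSettings()` mixes direct field access with the `GetTrafficPolicy()` getter used a few lines earlier.

```go
// … unchanged: destination-level and port-level checks …
for _, s := range dr.GetSubsets() {
	tls := s.GetTrafficPolicy().GetTls()
	mode = tls.GetMode()
	if (mode == v1alpha3.ClientTLSSettings_SIMPLE || mode == v1alpha3.ClientTLSSettings_MUTUAL) &&
		tls.GetCaCertificates() == "" {
		ctx.Report(collections.IstioNetworkingV1Alpha3Destinationrules.Name(), msg.NewNoServerCertificateVerificationDestinationLevel(r, drName,
			drNs.String(), mode.String(), dr.GetHost()))
	}
}
```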
+++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-compound-simple-mutual.yaml @@ -0,0 +1,20 @@ +# No caCertificates when mode is simple at destination level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-mtls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + tls: + mode: MUTUAL + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + portLevelSettings: + - port: + number: 443 + tls: + mode: SIMPLE + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + sni: my-nginx.mesh-external.svc.cluster.local diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-destination.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-destination.yaml new file mode 100644 index 00000000000..7c8d4642eba --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-destination.yaml @@ -0,0 +1,12 @@ +# No caCertificates when mode is mutual at destination level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-mtls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + tls: + mode: MUTUAL + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-port.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-port.yaml new file mode 100644 index 00000000000..0bd6c4ba94e --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-mutual-port.yaml 
@@ -0,0 +1,16 @@ +# No caCertificates when mode is mutual at port level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-mtls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: MUTUAL + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + sni: my-nginx.mesh-external.svc.cluster.local diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-destination.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-destination.yaml new file mode 100644 index 00000000000..baad382b45e --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-destination.yaml @@ -0,0 +1,12 @@ +# No caCertificates when mode is simple at destination level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-tls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + tls: + mode: SIMPLE + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-port.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-port.yaml new file mode 100644 index 00000000000..55c61f185bd --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-simple-port.yaml @@ -0,0 +1,16 @@ +# No caCertificates when mode is simple at port level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-tls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + portLevelSettings: + - port: + number: 443 + tls: + mode: SIMPLE + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + sni: my-nginx.mesh-external.svc.cluster.local 
diff --git a/galley/pkg/config/analysis/analyzers/testdata/destinationrule-with-ca.yaml b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-with-ca.yaml new file mode 100644 index 00000000000..0a20e6b90cc --- /dev/null +++ b/galley/pkg/config/analysis/analyzers/testdata/destinationrule-with-ca.yaml @@ -0,0 +1,22 @@ +# caCertificates when mode is mutual at destination level and simple at port level +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: db-mtls +spec: + host: mydbserver.prod.svc.cluster.local + trafficPolicy: + tls: + mode: MUTUAL + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + caCertificates: /etc/certs/root.pem + portLevelSettings: + - port: + number: 443 + tls: + mode: SIMPLE + clientCertificate: /etc/certs/myclientcert.pem + privateKey: /etc/certs/client_private_key.pem + caCertificates: /etc/certs/root.pem + sni: my-nginx.mesh-external.svc.cluster.local diff --git a/galley/pkg/config/analysis/msg/messages.gen.go b/galley/pkg/config/analysis/msg/messages.gen.go index 0298b6c68ed..f57db8b4a10 100755 --- a/galley/pkg/config/analysis/msg/messages.gen.go +++ b/galley/pkg/config/analysis/msg/messages.gen.go 
@@ -116,6 +116,14 @@ var ( // UnknownMeshNetworksServiceRegistry defines a diag.MessageType for message "UnknownMeshNetworksServiceRegistry". // Description: A service registry in Mesh Networks is unknown UnknownMeshNetworksServiceRegistry = diag.NewMessageType(diag.Error, "IST0126", "Unknown service registry %s in network %s") + + // NoServerCertificateVerificationDestinationLevel defines a diag.MessageType for message "NoServerCertificateVerificationDestinationLevel". + // Description: No caCertificates are set in DestinationRule, this results in no verification of presented server certificate. + NoServerCertificateVerificationDestinationLevel = diag.NewMessageType(diag.Error, "IST0128", "DestinationRule %s in namespace %s has TLS mode set to %s but no caCertificates are set to validate server identity for host: %s") + + // NoServerCertificateVerificationPortLevel defines a diag.MessageType for message "NoServerCertificateVerificationPortLevel". + // Description: No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port. + NoServerCertificateVerificationPortLevel = diag.NewMessageType(diag.Error, "IST0129", "DestinationRule %s in namespace %s has TLS mode set to %s but no caCertificates are set to validate server identity for host: %s at port %s") ) // All returns a list of all known message types. @@ -148,6 +156,8 @@ func All() []*diag.MessageType { NamespaceMultipleInjectionLabels, InvalidAnnotation, UnknownMeshNetworksServiceRegistry, + NoServerCertificateVerificationDestinationLevel, + NoServerCertificateVerificationPortLevel, } } 
@@ -417,3 +427,28 @@ func NewUnknownMeshNetworksServiceRegistry(r *resource.Instance, serviceregistry network, ) } + +// NewNoServerCertificateVerificationDestinationLevel returns a new diag.Message based on NoServerCertificateVerificationDestinationLevel. +func NewNoServerCertificateVerificationDestinationLevel(r *resource.Instance, destinationrule string, namespace string, mode string, host string) diag.Message { + return diag.NewMessage( + NoServerCertificateVerificationDestinationLevel, + r, + destinationrule, + namespace, + mode, + host, + ) +} + +// NewNoServerCertificateVerificationPortLevel returns a new diag.Message based on NoServerCertificateVerificationPortLevel. +func NewNoServerCertificateVerificationPortLevel(r *resource.Instance, destinationrule string, namespace string, mode string, host string, port string) diag.Message { + return diag.NewMessage( + NoServerCertificateVerificationPortLevel, + r, + destinationrule, + namespace, + mode, + host, + port, + ) +} diff --git a/galley/pkg/config/analysis/msg/messages.yaml b/galley/pkg/config/analysis/msg/messages.yaml index 18ab8d5b6fa..7588be0fdf2 100644 --- a/galley/pkg/config/analysis/msg/messages.yaml +++ b/galley/pkg/config/analysis/msg/messages.yaml 
@@ -288,3 +288,35 @@ messages: type: string - name: network type: string + + - name: "NoServerCertificateVerificationDestinationLevel" + code: IST0128 + level: Error + description: "No caCertificates are set in DestinationRule, this results in no verification of presented server certificate." + template: "DestinationRule %s in namespace %s has TLS mode set to %s but no caCertificates are set to validate server identity for host: %s" + args: + - name: destinationrule + type: string + - name: namespace + type: string + - name: mode + type: string + - name: host + type: string + + - name: "NoServerCertificateVerificationPortLevel" + code: IST0129 + level: Error + description: "No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port." + template: "DestinationRule %s in namespace %s has TLS mode set to %s but no caCertificates are set to validate server identity for host: %s at port %s" + args: + - name: destinationrule + type: string + - name: namespace + type: string + - name: mode + type: string + - name: host + type: string + - name: port + type: string From 7f7a4172881be9892b7ca553a6c1911b6a14ced3 Mon Sep 17 00:00:00 2001 From: Morven Cao Date: Thu, 13 Aug 2020 01:23:52 +0800 Subject: [PATCH 33/82] cherrypick 24696. (#26348) --- .../istio-operator/templates/deployment.yaml | 6 ++-- manifests/charts/istio-operator/values.yaml | 3 +- operator/cmd/mesh/operator-common.go | 7 +++- operator/cmd/mesh/operator-init.go | 4 ++- operator/cmd/mesh/operator_test.go | 4 +-- .../istio-operator/templates/deployment.yaml | 6 ++-- .../operator/output/operator-init.yaml | 6 ++-- operator/cmd/operator/server.go | 32 +++++++++++++++---- 8 files changed, 47 insertions(+), 21 deletions(-) diff --git a/manifests/charts/istio-operator/templates/deployment.yaml b/manifests/charts/istio-operator/templates/deployment.yaml index 5ef78484020..63def3e0533 100644 
--- a/manifests/charts/istio-operator/templates/deployment.yaml +++ b/manifests/charts/istio-operator/templates/deployment.yaml @@ -30,13 +30,13 @@ spec: memory: 128Mi env: - name: WATCH_NAMESPACE - value: {{.Values.istioNamespace}} + value: {{.Values.watchedNamespaces | quote}} - name: LEADER_ELECTION_NAMESPACE - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} --- diff --git a/manifests/charts/istio-operator/values.yaml b/manifests/charts/istio-operator/values.yaml index 6a653f517c5..aa5d70aee0b 100644 --- a/manifests/charts/istio-operator/values.yaml +++ b/manifests/charts/istio-operator/values.yaml @@ -1,4 +1,5 @@ hub: gcr.io/istio-testing tag: 1.6-dev operatorNamespace: istio-operator -istioNamespace: istio-system +# Used to replace istioNamespace to support operator watch multiple namespaces. +watchedNamespaces: istio-system diff --git a/operator/cmd/mesh/operator-common.go b/operator/cmd/mesh/operator-common.go index a5504a91b4a..c68c38d28c6 100644 --- a/operator/cmd/mesh/operator-common.go +++ b/operator/cmd/mesh/operator-common.go @@ -33,7 +33,9 @@ type operatorCommonArgs struct { tag string // operatorNamespace is the namespace the operator controller is installed into. operatorNamespace string - // istioNamespace is the namespace Istio is installed into. + // watchedNamespaces is the namespaces the operator controller watches, could be namespace list separated by comma. + watchedNamespaces string + // istioNamespace is deprecated, use watchedNamespaces instead. istioNamespace string // charts is a path to a charts and profiles directory in the local filesystem, or URL with a release tgz. charts string 
@@ -68,6 +70,7 @@ func renderOperatorManifest(_ *rootArgs, ocArgs *operatorCommonArgs) (string, st tmpl := ` operatorNamespace: {{.OperatorNamespace}} istioNamespace: {{.IstioNamespace}} +watchedNamespaces: {{.WatchedNamespaces}} hub: {{.Hub}} tag: {{.Tag}} ` @@ -75,11 +78,13 @@ tag: {{.Tag}} tv := struct { OperatorNamespace string IstioNamespace string + WatchedNamespaces string Hub string Tag string }{ OperatorNamespace: ocArgs.operatorNamespace, IstioNamespace: ocArgs.istioNamespace, + WatchedNamespaces: ocArgs.watchedNamespaces, Hub: ocArgs.hub, Tag: ocArgs.tag, } diff --git a/operator/cmd/mesh/operator-init.go b/operator/cmd/mesh/operator-init.go index 27f47d6d097..514532d9321 100644 --- a/operator/cmd/mesh/operator-init.go +++ b/operator/cmd/mesh/operator-init.go @@ -51,7 +51,9 @@ func addOperatorInitFlags(cmd *cobra.Command, args *operatorInitArgs) { cmd.PersistentFlags().StringVar(&args.common.operatorNamespace, "operatorNamespace", operatorDefaultNamespace, "The namespace the operator controller is installed into") cmd.PersistentFlags().StringVar(&args.common.istioNamespace, "istioNamespace", istioDefaultNamespace, - "The namespace Istio is installed into") + "The namespace Istio is installed into. Deprecated, use '--watchedNamespaces' instead.") + cmd.PersistentFlags().StringVar(&args.common.watchedNamespaces, "watchedNamespaces", istioDefaultNamespace, + "The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2'") cmd.PersistentFlags().StringVarP(&args.common.charts, "charts", "d", "", chartsFlagHelpStr) } diff --git a/operator/cmd/mesh/operator_test.go b/operator/cmd/mesh/operator_test.go index 644a781403c..520767d817b 100644 --- a/operator/cmd/mesh/operator_test.go +++ b/operator/cmd/mesh/operator_test.go 
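Review bot: In the operator-init.go hunk, `--istioNamespace` is relabelled as deprecated but, judging from the chart hunks in this commit, its value no longer reaches `WATCH_NAMESPACE`, so an existing invocation that passes only `--istioNamespace` would silently watch the default namespace instead. Either copy the old flag's value into `watchedNamespaces` when only the old flag was set, or make the deprecation visible at run time with `_ = cmd.PersistentFlags().MarkDeprecated("istioNamespace", "use --watchedNamespaces instead")`. Whether another template still reads `istioNamespace` is not visible here, so confirm before removing it from the rendered values.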
@@ -33,7 +33,7 @@ func TestOperatorDump(t *testing.T) { hub: "foo.io/istio", tag: "1.2.3", operatorNamespace: "operator-test-namespace", - istioNamespace: "istio-test-namespace", + watchedNamespaces: "istio-test-namespace1,istio-test-namespace2", }, } @@ -73,7 +73,7 @@ func TestOperatorInit(t *testing.T) { hub: "foo.io/istio", tag: "1.2.3", operatorNamespace: "operator-test-namespace", - istioNamespace: "istio-test-namespace", + watchedNamespaces: "istio-test-namespace1,istio-test-namespace2", }, } diff --git a/operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-operator/templates/deployment.yaml b/operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-operator/templates/deployment.yaml index 5ef78484020..63def3e0533 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-operator/templates/deployment.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/istio-operator/templates/deployment.yaml @@ -30,13 +30,13 @@ spec: memory: 128Mi env: - name: WATCH_NAMESPACE - value: {{.Values.istioNamespace}} + value: {{.Values.watchedNamespaces | quote}} - name: LEADER_ELECTION_NAMESPACE - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} --- diff --git a/operator/cmd/mesh/testdata/operator/output/operator-init.yaml b/operator/cmd/mesh/testdata/operator/output/operator-init.yaml index 2847074c023..c2f21b6eb9a 100644 --- a/operator/cmd/mesh/testdata/operator/output/operator-init.yaml +++ b/operator/cmd/mesh/testdata/operator/output/operator-init.yaml 
@@ -202,15 +202,15 @@ spec: memory: 128Mi env: - name: WATCH_NAMESPACE - value: istio-test-namespace + value: "istio-test-namespace1,istio-test-namespace2" - name: LEADER_ELECTION_NAMESPACE - value: operator-test-namespace + value: "operator-test-namespace" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME - value: operator-test-namespace + value: "operator-test-namespace" --- apiVersion: v1 kind: Namespace diff --git a/operator/cmd/operator/server.go b/operator/cmd/operator/server.go index d65fa5063b4..b397913e622 100644 --- a/operator/cmd/operator/server.go +++ b/operator/cmd/operator/server.go @@ -17,9 +17,11 @@ package main import ( "fmt" "os" // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) + "strings" "github.com/spf13/cobra" _ "k8s.io/client-go/plugin/pkg/client/auth" + "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/client/config" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/manager/signals" 
@@ -97,14 +99,30 @@ func run() { log.Fatalf("Could not get apiserver config: %v", err) } + var mgrOpt manager.Options + if watchNS != "" { + namespaces := strings.Split(watchNS, ",") + // Create MultiNamespacedCache with watched namespaces if it's not empty. + mgrOpt = manager.Options{ + NewCache: cache.MultiNamespacedCacheBuilder(namespaces), + MetricsBindAddress: fmt.Sprintf("%s:%d", metricsHost, metricsPort), + LeaderElection: leaderElectionEnabled, + LeaderElectionNamespace: leaderElectionNS, + LeaderElectionID: "istio-operator-lock", + } + } else { + // Create manager option for watching all namespaces. + mgrOpt = manager.Options{ + Namespace: watchNS, + MetricsBindAddress: fmt.Sprintf("%s:%d", metricsHost, metricsPort), + LeaderElection: leaderElectionEnabled, + LeaderElectionNamespace: leaderElectionNS, + LeaderElectionID: "istio-operator-lock", + } + } + // Create a new Cmd to provide shared dependencies and start components - mgr, err := manager.New(cfg, manager.Options{ - Namespace: watchNS, - MetricsBindAddress: fmt.Sprintf("%s:%d", metricsHost, metricsPort), - LeaderElection: leaderElectionEnabled, - LeaderElectionNamespace: leaderElectionNS, - LeaderElectionID: "istio-operator-lock", - }) + mgr, err := manager.New(cfg, mgrOpt) if err != nil { log.Fatalf("Could not create a controller manager: %v", err) } From aba85d757f5c9bcd174a6378c26e79de5f16bc5e Mon Sep 17 00:00:00 2001 
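Review bot: `strings.Split(watchNS, ",")` passes its elements to `cache.MultiNamespacedCacheBuilder` untrimmed and unfiltered, so a value such as `ns1, ns2` yields a namespace name with a leading space, and a trailing or doubled comma yields an empty element. An empty namespace normally means "all namespaces" in client-go, so a typo could widen the operator's watch beyond the intended list; this should be confirmed against the controller-runtime version in use. The two `manager.Options` literals also differ only in `NewCache` versus `Namespace: watchNS`, and the latter is always empty in that branch, so building the options once is simpler. The body of run() starts and ends outside this hunk.

```go
	// … unchanged: apiserver config lookup …
	mgrOpt := manager.Options{
		MetricsBindAddress:      fmt.Sprintf("%s:%d", metricsHost, metricsPort),
		LeaderElection:          leaderElectionEnabled,
		LeaderElectionNamespace: leaderElectionNS,
		LeaderElectionID:        "istio-operator-lock",
	}
	var namespaces []string
	for _, ns := range strings.Split(watchNS, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			namespaces = append(namespaces, ns)
		}
	}
	if watchNS != "" && len(namespaces) == 0 {
		// Refuse to fall back to watching every namespace on a malformed list.
		log.Fatalf("watch namespace list %q contains no namespace names", watchNS)
	}
	if len(namespaces) > 0 {
		mgrOpt.NewCache = cache.MultiNamespacedCacheBuilder(namespaces)
	}
	// … unchanged: manager.New(cfg, mgrOpt) and error check …
```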
From: williamaronli <64571891+williamaronli@users.noreply.github.com> Date: Wed, 12 Aug 2020 11:01:57 -0700 Subject: [PATCH 34/82] [Bug fix][Version 1.6]Fix ingress SDS not getting secret updates and create unit tests (#25681) * Fix ingress SDS not getting secret updates and create unit tests (#24817) * fix ingress SDS not getting secret updates issue and add unit test * change to use release * address comments * fix lint * add more comment and delete useless code (cherry picked from commit 120c9b053de0ddea3cfd1830363491d39217e200) * delete version conflict issue --- security/pkg/nodeagent/sds/sdsservice.go | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/security/pkg/nodeagent/sds/sdsservice.go b/security/pkg/nodeagent/sds/sdsservice.go index 84ed4a73ab7..d8a8fcac8c9 100644 --- a/security/pkg/nodeagent/sds/sdsservice.go +++ b/security/pkg/nodeagent/sds/sdsservice.go @@ -279,7 +279,8 @@ func (s *sdsservice) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecre // Reset SDS push time for new SDS push. con.sdsPushTime = time.Time{} con.mutex.Unlock() - defer recycleConnection(conID, resourceName) + + defer releaseResourcePerConn(s, conID, resourceName) conIDresourceNamePrefix := sdsLogPrefix(resourceName) if s.localJWT { @@ -355,10 +356,6 @@ func (s *sdsservice) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecre return err } - // Remove the secret from cache, otherwise refresh job will process this item(if envoy fails to reconnect) - // and cause some confusing logs like 'fails to notify because connection isn't found'. - defer s.st.DeleteSecret(conID, resourceName) - con.mutex.Lock() con.secret = secret con.mutex.Unlock() 
@@ -379,11 +376,7 @@ func (s *sdsservice) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecre sdsServiceLog.Debugf("%s received push channel request for proxy %q", conIDresourceNamePrefix, proxyID) if secret == nil { - defer func() { - recycleConnection(conID, resourceName) - s.st.DeleteSecret(conID, resourceName) - }() - + defer releaseResourcePerConn(s, conID, resourceName) // Secret is nil indicates close streaming to proxy, so that proxy // could connect again with updated token. // When nodeagent stops stream by sending envoy error response, it's Ok not to remove secret @@ -498,6 +491,13 @@ func NotifyProxy(connKey cache.ConnKey, secret *model.SecretItem) error { return nil } +func releaseResourcePerConn(s *sdsservice, conID, resourceName string) { + recycleConnection(conID, resourceName) + // Remove the secret from cache, otherwise refresh job will process this item(if envoy fails to reconnect) + // and cause some confusing logs like 'fails to notify because connection isn't found'. + s.st.DeleteSecret(conID, resourceName) +} + func recycleConnection(conID, resourceName string) { key := cache.ConnKey{ ConnectionID: conID, From a3f7b889fd8f6fc8bddae12403afb7360b49282d Mon Sep 17 00:00:00 2001 From: Sam Jo Date: Thu, 13 Aug 2020 03:02:05 +0900 Subject: [PATCH 35/82] Add missing telemetry.loadshedding.* options to mixer container args (#25867) --- .../istio-telemetry/mixer-telemetry/templates/deployment.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml b/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml index 33ca0be26e5..6c7d0e450b9 100644 --- a/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml +++ b/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml 
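Review bot: In the `secret == nil` branch, `defer releaseResourcePerConn(s, conID, resourceName)` repeats the defer that the first hunk of this file registers for the same `conID` and `resourceName`. If both are reached on one stream, the connection is recycled and the secret deleted twice when StreamSecrets returns. That is presumably harmless if both operations are idempotent, but the second defer then adds nothing and could be dropped, leaving a comment such as `// cleanup is already deferred above`. Whether the first defer always runs before this branch cannot be seen from the hunk, since StreamSecrets starts and ends outside it. As a style point, the new helper takes `s *sdsservice` as its first argument and would read more naturally as a method, `func (s *sdsservice) releaseResourcePerConn(conID, resourceName string)`.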
@@ -132,6 +132,10 @@ spec: {{- else }} - --trace_zipkin_url=http://zipkin.{{ .Values.global.telemetryNamespace }}:9411/api/v1/spans {{- end }} + - --averageLatencyThreshold + - {{ .Values.mixer.telemetry.loadshedding.latencyThreshold }} + - --loadsheddingMode + - {{ .Values.mixer.telemetry.loadshedding.mode }} env: - name: POD_NAMESPACE valueFrom: From a961916ef5bad0c9befc3ad72bb5b6c22356441c Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 13 Aug 2020 09:21:19 -0700 Subject: [PATCH 36/82] Fix egressgateway ports (#26460) Cannot bind to port 80/443 since we run as non root by default Co-authored-by: John Howard --- manifests/profiles/default.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/profiles/default.yaml b/manifests/profiles/default.yaml index 89376c1aa4b..f1baf84a5d8 100644 --- a/manifests/profiles/default.yaml +++ b/manifests/profiles/default.yaml @@ -175,8 +175,10 @@ spec: ports: - port: 80 name: http2 + targetPort: 8080 - port: 443 name: https + targetPort: 8443 - port: 15443 targetPort: 15443 name: tls From 528947c64f3e1c730a0f79f104ebc6ea590089a7 Mon Sep 17 00:00:00 2001 From: Neeraj Poddar Date: Thu, 13 Aug 2020 13:19:38 -0600 Subject: [PATCH 37/82] Update version of x/text package (#26464) --- go.mod | 1 + go.sum | 2 ++ 2 files changed, 3 insertions(+) diff --git a/go.mod b/go.mod index 0778011f52b..879b61da3f6 100644 --- a/go.mod +++ b/go.mod @@ -148,6 +148,7 @@ require ( golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e + golang.org/x/text v0.3.3 // indirect golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 golang.org/x/tools v0.0.0-20191216173652-a0e659d51361 google.golang.org/api v0.15.0 diff --git a/go.sum b/go.sum index 0deac281483..2462162dcc7 100644 --- a/go.sum +++ b/go.sum 
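Review bot: The two added argument values in the mixer-telemetry deployment hunk, `- {{ .Values.mixer.telemetry.loadshedding.latencyThreshold }}` and `- {{ .Values.mixer.telemetry.loadshedding.mode }}`, are rendered without a guard. If an override leaves either value unset, the list item renders empty and the container would probably receive a null argument after the flag name. Wrapping each flag/value pair in `{{- if .Values.mixer.telemetry.loadshedding.mode }}` … `{{- end }}`, and the same for `latencyThreshold`, keeps the args list valid. The chart defaults are not visible in this hunk, so this only matters if they can be absent.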
@@ -926,6 +926,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From f3d9a0d7e2eba7d3cfb17dd9dfd4a89ef2fb33e1 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 13 Aug 2020 13:37:26 -0700 Subject: [PATCH 38/82] Automator: update istio/api@release-1.6 dependency in istio/istio@release-1.6 (#26474) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 879b61da3f6..c3fd2c50e09 100644 --- a/go.mod +++ b/go.mod @@ -158,7 +158,7 @@ require ( gopkg.in/square/go-jose.v2 v2.3.1 gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 - istio.io/api v0.0.0-20200724154434-34e474846e0d + istio.io/api v0.0.0-20200813195615-8ab1a23cc673 istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 istio.io/pkg v0.0.0-20200709220414-14d5de656564 k8s.io/api v0.18.1 diff --git a/go.sum b/go.sum index 2462162dcc7..8170b6a0fad 100644 --- a/go.sum +++ b/go.sum 
@@ -1063,8 +1063,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml9iS5NfNfqZGRt1pS9aVEo= -istio.io/api v0.0.0-20200724154434-34e474846e0d h1:g33+9bRr+w9p3NuspqH1DK1mGnq8GlPXZScjXxsz7mw= -istio.io/api v0.0.0-20200724154434-34e474846e0d/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= +istio.io/api v0.0.0-20200813195615-8ab1a23cc673 h1:c8BMpmRDs3ktoeAXYZWHXZBZlup/NWvRxxFdg05knlU= +istio.io/api v0.0.0-20200813195615-8ab1a23cc673/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 h1:41vUsZxxi7Kq9pyxmk7xjSKrYEYyXCQsTvP4mWOXzoI= istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= From dd40c3e85b11c0919223d619581ae14b51aaf0fa Mon Sep 17 00:00:00 2001 From: williamaronli <64571891+williamaronli@users.noreply.github.com> Date: Tue, 18 Aug 2020 19:42:45 -0700 Subject: [PATCH 39/82] cherry-pick Remove SDS Timeout for default and root case (#26533) --- pilot/pkg/networking/core/v1alpha3/gateway_test.go | 7 +++++-- pilot/pkg/security/authn/utils/utils_test.go | 8 +++++--- pilot/pkg/security/model/authentication.go | 8 ++++++-- pilot/pkg/security/model/authentication_test.go | 7 +++++-- 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/pilot/pkg/networking/core/v1alpha3/gateway_test.go b/pilot/pkg/networking/core/v1alpha3/gateway_test.go index ed7bb137c9d..f9ba34538b6 100644 --- a/pilot/pkg/networking/core/v1alpha3/gateway_test.go +++ b/pilot/pkg/networking/core/v1alpha3/gateway_test.go 
@@ -18,6 +18,9 @@ import ( "reflect" "sort" "testing" + "time" + + "github.com/golang/protobuf/ptypes" auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" @@ -100,7 +103,7 @@ func TestBuildGatewayListenerTlsContext(t *testing.T) { { Name: "default", SdsConfig: &core.ConfigSource{ - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: ptypes.DurationProto(time.Second * 0), ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ ApiConfigSource: &core.ApiConfigSource{ ApiType: core.ApiConfigSource_GRPC, @@ -122,7 +125,7 @@ func TestBuildGatewayListenerTlsContext(t *testing.T) { ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ Name: "ROOTCA", SdsConfig: &core.ConfigSource{ - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: ptypes.DurationProto(time.Second * 0), ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ ApiConfigSource: &core.ApiConfigSource{ ApiType: core.ApiConfigSource_GRPC, diff --git a/pilot/pkg/security/authn/utils/utils_test.go b/pilot/pkg/security/authn/utils/utils_test.go index e1d28e8d69d..3ecaee403f9 100644 --- a/pilot/pkg/security/authn/utils/utils_test.go +++ b/pilot/pkg/security/authn/utils/utils_test.go @@ -17,6 +17,9 @@ package utils import ( "reflect" "testing" + "time" + + "github.com/golang/protobuf/ptypes" "github.com/davecgh/go-spew/spew" auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" @@ -24,7 +27,6 @@ import ( listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" structpb "github.com/golang/protobuf/ptypes/struct" - "istio.io/istio/pilot/pkg/features" "istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/networking" "istio.io/istio/pilot/pkg/networking/util" 
@@ -162,7 +164,7 @@ func TestBuildInboundFilterChain(t *testing.T) { { Name: "default", SdsConfig: &core.ConfigSource{ - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: ptypes.DurationProto(0 * time.Second), ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ ApiConfigSource: &core.ApiConfigSource{ ApiType: core.ApiConfigSource_GRPC, @@ -184,7 +186,7 @@ func TestBuildInboundFilterChain(t *testing.T) { ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ Name: "ROOTCA", SdsConfig: &core.ConfigSource{ - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: ptypes.DurationProto(0 * time.Second), ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ ApiConfigSource: &core.ApiConfigSource{ ApiType: core.ApiConfigSource_GRPC, diff --git a/pilot/pkg/security/model/authentication.go b/pilot/pkg/security/model/authentication.go index 7bb04ab9f87..e571ab56eb2 100644 --- a/pilot/pkg/security/model/authentication.go +++ b/pilot/pkg/security/model/authentication.go @@ -16,6 +16,7 @@ package model import ( "sync" + "time" auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" @@ -114,7 +115,10 @@ func ConstructSdsSecretConfig(name, sdsUdsPath string) *auth.SdsSecretConfig { if name == "" || sdsUdsPath == "" { return nil } - + var fetchTimeout = features.InitialFetchTimeout + if name == SDSDefaultResourceName || name == SDSRootResourceName { + fetchTimeout = ptypes.DurationProto(time.Second * 0) + } return &auth.SdsSecretConfig{ Name: name, SdsConfig: &core.ConfigSource{ @@ -130,7 +134,7 @@ func ConstructSdsSecretConfig(name, sdsUdsPath string) *auth.SdsSecretConfig { }, }, }, - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: fetchTimeout, }, } } diff --git a/pilot/pkg/security/model/authentication_test.go b/pilot/pkg/security/model/authentication_test.go index ffb49065902..6c6c9f33778 100644 
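Review bot: The special case added to ConstructSdsSecretConfig in authentication.go has no comment explaining why the default and root-CA resources get a zero timeout. In Envoy a zero `initial_fetch_timeout` disables the timeout, so the proxy waits for the workload certificate and root CA rather than proceeding without them, and that fail-closed intent should be stated next to the branch. A suitable comment is `// Zero disables the initial fetch timeout: wait for the workload cert and root CA instead of continuing without them.` The expression `ptypes.DurationProto(time.Second * 0)` would also read more plainly as `ptypes.DurationProto(0)`. The function body continues outside the hunk.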
--- a/pilot/pkg/security/model/authentication_test.go +++ b/pilot/pkg/security/model/authentication_test.go @@ -18,6 +18,9 @@ import ( "fmt" "reflect" "testing" + "time" + + "github.com/golang/protobuf/ptypes" "github.com/davecgh/go-spew/spew" auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" @@ -185,7 +188,7 @@ func TestApplyToCommonTLSContext(t *testing.T) { { Name: "default", SdsConfig: &core.ConfigSource{ - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: ptypes.DurationProto(time.Second * 0), ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ ApiConfigSource: &core.ApiConfigSource{ ApiType: core.ApiConfigSource_GRPC, @@ -207,7 +210,7 @@ func TestApplyToCommonTLSContext(t *testing.T) { ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ Name: "ROOTCA", SdsConfig: &core.ConfigSource{ - InitialFetchTimeout: features.InitialFetchTimeout, + InitialFetchTimeout: ptypes.DurationProto(time.Second * 0), ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ ApiConfigSource: &core.ApiConfigSource{ ApiType: core.ApiConfigSource_GRPC, From fb69d11c32d1fd97d7e958b623c5a2e3570349b3 Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Fri, 21 Aug 2020 21:33:30 +0800 Subject: [PATCH 40/82] [release-1.6] Fix headless svc instances scale (#26636) (#26681) * Fix headless svc instances scale (#26636) * Fix configupdate for service * Add unit test * add release-note * rm --- .../kube/controller/controller_test.go | 18 +++++++++++++++--- .../kube/controller/endpointsdiscovery.go | 2 +- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller_test.go b/pilot/pkg/serviceregistry/kube/controller/controller_test.go index 31a78b7f514..416e29bf7ca 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller_test.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller_test.go 
@@ -57,9 +57,15 @@ const ( domainSuffix = "company.com" ) -func (fx *FakeXdsUpdater) ConfigUpdate(*model.PushRequest) { +func (fx *FakeXdsUpdater) ConfigUpdate(req *model.PushRequest) { + var id string + if req != nil && len(req.ConfigsUpdated) > 0 { + for key := range req.ConfigsUpdated { + id = key.Name + } + } select { - case fx.Events <- XdsEvent{Type: "xds"}: + case fx.Events <- XdsEvent{Type: "xds", ID: id}: default: } } @@ -77,6 +83,8 @@ type FakeXdsUpdater struct { Events chan XdsEvent } +var _ model.XDSUpdater = &FakeXdsUpdater{} + // XdsEvent is used to watch XdsEvents type XdsEvent struct { // Type of the event @@ -1813,9 +1821,13 @@ func TestEndpointUpdate(t *testing.T) { // Create 1 endpoint that refers to a pod in the same namespace. svc1Ips = append(svc1Ips, "128.0.0.2") updateEndpoints(controller, "svc1", "nsa", portNames, svc1Ips, t) - if ev := fx.Wait("xds"); ev == nil { + ev := fx.Wait("xds") + if ev == nil { t.Fatalf("Timeout xds push") } + if ev.ID != string(kube.ServiceHostname("svc1", "nsa", controller.domainSuffix)) { + t.Errorf("Expect service %s updated, but got %s", kube.ServiceHostname("svc1", "nsa", controller.domainSuffix), ev.ID) + } }) } } diff --git a/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go b/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go index ea7ad5b7b27..8550c7033b6 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go @@ -73,7 +73,7 @@ func (e *kubeEndpoints) handleEvent(name string, namespace string, event model.E // TODO: extend and set service instance type, so no need to re-init push context ConfigsUpdated: map[model.ConfigKey]struct{}{{ Kind: model.ServiceEntryKind, - Name: svc.Name, + Name: string(kube.ServiceHostname(svc.Name, svc.Namespace, e.c.domainSuffix)), Namespace: svc.Namespace, }: {}}, Reason: []model.TriggerReason{model.EndpointUpdate}, 
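Review bot: In the fake `ConfigUpdate`, the `for key := range req.ConfigsUpdated` loop overwrites `id` on every iteration, so with more than one updated config the reported `ID` is whichever key the map iteration visits last. The assertion added to `TestEndpointUpdate` compares `ev.ID` with a single hostname, which holds only while each push carries one key. Either record all names or state the assumption, e.g. `// assumes a single entry in ConfigsUpdated; map iteration order is random`. The `len(req.ConfigsUpdated) > 0` guard is redundant, since ranging over an empty or nil map does nothing.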
From baf1d7e2de32a997a6133dc8133320596bde8549 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Tue, 25 Aug 2020 00:45:28 -0700 Subject: [PATCH 41/82] feat:istioctl x add-to-mesh and remove-from-mesh Should not affect OwnerReferences (#26770) Co-authored-by: tanjunchen --- istioctl/cmd/add-to-mesh.go | 7 ++++--- istioctl/cmd/remove-from-mesh.go | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/istioctl/cmd/add-to-mesh.go b/istioctl/cmd/add-to-mesh.go index ce64ae2e151..e173850de64 100644 --- a/istioctl/cmd/add-to-mesh.go +++ b/istioctl/cmd/add-to-mesh.go @@ -296,9 +296,10 @@ func injectSideCarIntoDeployment(client kubernetes.Interface, deps []appsv1.Depl } d := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Name: dep.Name, - Namespace: dep.Namespace, - UID: dep.UID, + Name: dep.Name, + Namespace: dep.Namespace, + UID: dep.UID, + OwnerReferences: dep.OwnerReferences, }, } if _, err = client.AppsV1().Deployments(svcNamespace).UpdateStatus(context.TODO(), d, metav1.UpdateOptions{}); err != nil { diff --git a/istioctl/cmd/remove-from-mesh.go b/istioctl/cmd/remove-from-mesh.go index 5f1f8c720dc..8612f869fa7 100644 --- a/istioctl/cmd/remove-from-mesh.go +++ b/istioctl/cmd/remove-from-mesh.go @@ -199,9 +199,10 @@ func unInjectSideCarFromDeployment(client kubernetes.Interface, deps []appsv1.De } d := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Name: dep.Name, - Namespace: dep.Namespace, - UID: dep.UID, + Name: dep.Name, + Namespace: dep.Namespace, + UID: dep.UID, + OwnerReferences: dep.OwnerReferences, }, } if _, err := client.AppsV1().Deployments(svcNamespace).UpdateStatus(context.TODO(), d, metav1.UpdateOptions{}); err != nil { From 765761f70ead81fe99ffc2b8185ec6719b066813 Mon Sep 17 00:00:00 2001 
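Review bot: The Deployment literal passed to `UpdateStatus` is duplicated in `injectSideCarIntoDeployment` here and in `unInjectSideCarFromDeployment` in remove-from-mesh.go, and both copies had to be patched for the same missing field. A small shared helper that builds this metadata-only object would keep the two in step. Neither copy says why `OwnerReferences` must be carried, so add a comment such as `// carry OwnerReferences so the status update does not clear them`. Other metadata not listed (annotations, finalizers) may be affected in the same way, though that is not visible from these hunks. Both function bodies start and end outside their hunks.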
From: Steven Landow Date: Tue, 25 Aug 2020 09:46:26 -0700 Subject: [PATCH 42/82] [release-1.6] allow specifying network for cluster without meshNetworks being configured (#26657) * allow specifying network for cluster without meshNetworks being configured (#26618) * allow specifying network without meshNetworks fully configured * remove redundant slice alloc and add safety check for clusterID * move cluster id check * set clustername to match in tests * isControllerForProxy (cherry picked from commit 97c21c4e6036a3e09484ae1d5c007a94c134c2ff) * fix lint --- .../kube/controller/controller.go | 55 ++++++++++--------- .../kube/controller/controller_test.go | 2 +- 2 files changed, 29 insertions(+), 28 deletions(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index def7645b530..4c7557110f2 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go 
@@ -731,51 +731,46 @@ func (c *Controller) InstancesByPort(svc *model.Service, reqSvcPort int, // GetProxyServiceInstances returns service instances co-located with a given proxy func (c *Controller) GetProxyServiceInstances(proxy *model.Proxy) ([]*model.ServiceInstance, error) { - out := make([]*model.ServiceInstance, 0) if len(proxy.IPAddresses) > 0 { // only need to fetch the corresponding pod through the first IP, although there are multiple IP scenarios, // because multiple ips belong to the same pod proxyIP := proxy.IPAddresses[0] pod := c.pods.getPodByIP(proxyIP) if pod != nil { - // for split horizon EDS k8s multi cluster, in case there are pods of the same ip across clusters, - // which can happen when multi clusters using same pod cidr. - // As we have proxy Network meta, compare it with the network which endpoint belongs to, - // if they are not same, ignore the pod, because the pod is in another cluster. - if proxy.Metadata.Network != c.endpointNetwork(proxyIP) { - return out, nil + if !c.isControllerForProxy(proxy) { + return nil, fmt.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.clusterID) } + // 1. find proxy service by label selector, if not any, there may exist headless service without selector // failover to 2 if services, err := getPodServices(listerv1.NewServiceLister(c.services.GetIndexer()), pod); err == nil && len(services) > 0 { + out := make([]*model.ServiceInstance, 0) for _, svc := range services { out = append(out, c.getProxyServiceInstancesByPod(pod, svc, proxy)...) } return out, nil } // 2. Headless service without selector - out = c.endpoints.GetProxyServiceInstances(c, proxy) - } else { - var err error - // 3. The pod is not present when this is called - // due to eventual consistency issues. However, we have a lot of information about the pod from the proxy - // metadata already. Because of this, we can still get most of the information we need. 
- // If we cannot accurately construct ServiceInstances from just the metadata, this will return an error and we can - // attempt to read the real pod. - out, err = c.getProxyServiceInstancesFromMetadata(proxy) - if err != nil { - log.Warnf("getProxyServiceInstancesFromMetadata for %v failed: %v", proxy.ID, err) - } + return c.endpoints.GetProxyServiceInstances(c, proxy), nil } - } - if len(out) == 0 { - if c.metrics != nil { - c.metrics.AddMetric(model.ProxyStatusNoService, proxy.ID, proxy, "") - } else { - log.Infof("Missing metrics env, empty list of services for pod %s", proxy.ID) + var err error + // 3. The pod is not present when this is called + // due to eventual consistency issues. However, we have a lot of information about the pod from the proxy + // metadata already. Because of this, we can still get most of the information we need. + // If we cannot accurately construct ServiceInstances from just the metadata, this will return an error and we can + // attempt to read the real pod. + out, err := c.getProxyServiceInstancesFromMetadata(proxy) + if err != nil { + log.Warnf("getProxyServiceInstancesFromMetadata for %v failed: %v", proxy.ID, err) } + return out, nil } - return out, nil + if c.metrics != nil { + c.metrics.AddMetric(model.ProxyStatusNoService, proxy.ID, proxy, "") + } else { + log.Infof("Missing metrics env, empty list of services for pod %s", proxy.ID) + } + return nil, nil } func getPodServices(s listerv1.ServiceLister, pod *v1.Pod) ([]*v1.Service, error) { 
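Review bot: After this restructuring of `GetProxyServiceInstances`, the `ProxyStatusNoService` metric is recorded only when `proxy.IPAddresses` is empty. The old code recorded it whenever the result was empty. The headless path (`return c.endpoints.GetProxyServiceInstances(c, proxy), nil`) and the metadata fallback (`return out, nil`) now return without that check, so a proxy that has an IP but no service instances drops out of the signal. If that is not intended, route those two returns through a single exit that tests `len(out) == 0` first. The `var err error` line before `out, err := c.getProxyServiceInstancesFromMetadata(proxy)` is redundant.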
@@ -800,6 +795,12 @@ func getPodServices(s listerv1.ServiceLister, pod *v1.Pod) ([]*v1.Service, error return services, nil } +// isControllerForProxy should be used for proxies assumed to be in the kube cluster for this controller. Workload Entries +// may not necessarily pass this check, but we still want to allow kube services to select workload instances. +func (c *Controller) isControllerForProxy(proxy *model.Proxy) bool { + return proxy.Metadata.ClusterID == c.clusterID +} + // getProxyServiceInstancesFromMetadata retrieves ServiceInstances using proxy Metadata rather than // from the Pod. This allows retrieving Instances immediately, regardless of delays in Kubernetes. // If the proxy doesn't have enough metadata, an error is returned @@ -808,7 +809,7 @@ func (c *Controller) getProxyServiceInstancesFromMetadata(proxy *model.Proxy) ([ return nil, fmt.Errorf("no workload labels found") } - if proxy.Metadata.ClusterID != c.clusterID { + if !c.isControllerForProxy(proxy) { return nil, fmt.Errorf("proxy is in cluster %v, but controller is for cluster %v", proxy.Metadata.ClusterID, c.clusterID) } diff --git a/pilot/pkg/serviceregistry/kube/controller/controller_test.go b/pilot/pkg/serviceregistry/kube/controller/controller_test.go index 416e29bf7ca..38f05479f3c 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller_test.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller_test.go @@ -524,7 +524,7 @@ func TestGetProxyServiceInstances(t *testing.T) { svcNode.IPAddresses = []string{"128.0.0.1"} svcNode.ID = "pod1.nsa" svcNode.DNSDomain = "nsa.svc.cluster.local" - svcNode.Metadata = &model.NodeMetadata{Namespace: "nsa"} + svcNode.Metadata = &model.NodeMetadata{Namespace: "nsa", ClusterID: clusterID} serviceInstances, err := controller.GetProxyServiceInstances(&svcNode) if err != nil { t.Fatalf("client encountered error during GetProxyServiceInstances(): %v", err) From ee70793f948e0a31fc0fca2fa3a62b65fc7d4cdf Mon Sep 17 00:00:00 2001 
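Review bot: `isControllerForProxy` compares `proxy.Metadata.ClusterID` with `c.clusterID` by plain equality, so a proxy that reports no cluster ID is treated as belonging to another cluster. With the preceding hunk, `GetProxyServiceInstances` then returns an error for it even when its pod was found locally by IP. The controller_test.go change, which has to add `ClusterID: clusterID` to the node metadata, suggests existing callers can hit this. As far as the visible code shows, the value comes from the proxy's own node metadata, so the doc comment should say this is a consistency check rather than an identity check. It should also state what an empty value means, e.g. `// An empty ClusterID is treated as a mismatch.`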
From: Istio Automation Date: Tue, 25 Aug 2020 09:46:33 -0700 Subject: [PATCH 43/82] [release-1.6] cache readiness state with TTL (#26742) * remove stats filter in readiness probe Signed-off-by: Rama Chavali * cache readiness state with a TTL Signed-off-by: Rama Chavali * revert the parse state change Signed-off-by: Rama Chavali * rename variable Signed-off-by: Rama Chavali * add tests Signed-off-by: Rama Chavali * make readiness timeout configurable Signed-off-by: Rama Chavali * lint Signed-off-by: Rama Chavali * continuously check for readiness on failure Signed-off-by: Rama Chavali * lint Signed-off-by: Rama Chavali Co-authored-by: Rama Chavali --- pilot/cmd/pilot-agent/status/ready/probe.go | 34 +++++++++++++++- .../pilot-agent/status/ready/probe_test.go | 39 +++++++++++++++++++ pilot/cmd/pilot-agent/status/util/stats.go | 14 +++++-- pilot/cmd/pilot-agent/status/util/util.go | 10 +++-- 4 files changed, 90 insertions(+), 7 deletions(-) diff --git a/pilot/cmd/pilot-agent/status/ready/probe.go b/pilot/cmd/pilot-agent/status/ready/probe.go index 3b632352856..03e8cd2cd0f 100644 --- a/pilot/cmd/pilot-agent/status/ready/probe.go +++ b/pilot/cmd/pilot-agent/status/ready/probe.go @@ -16,6 +16,7 @@ package ready import ( "fmt" + "time" admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3" @@ -23,12 +24,23 @@ import ( "istio.io/istio/pilot/pkg/model" ) +var ( + // readinessTTL is the TTL for cached readiness values. + readinessTTL = 60 * time.Second +) + // Probe for readiness. type Probe struct { LocalHostAddr string NodeType model.NodeType AdminPort uint16 receivedFirstUpdate bool + lastUpdateTime time.Time + // Indicates that Envoy is ready atleast once so that we can cache and reuse that probe. + // If after TTL, Envoy becomes unready, we will reset this flag so that we continuously + // check Envoy till it becomes ready. + atleastOnceReady bool + readyError error } // Check executes the probe and returns an error if the probe fails. 
@@ -63,7 +75,27 @@ func (p *Probe) checkConfigStatus() error { // isEnvoyReady checks to ensure that Envoy is in the LIVE state and workers have started. func (p *Probe) isEnvoyReady() error { - state, ws, err := util.GetReadinessStats(p.LocalHostAddr, p.AdminPort) + // Execute the stats query on Envoy if atleast readinessTTL has expired or + // Envoy is not ready at least once. After Envoy is ready for the first time, + // we return cached value to avoid frequent executions of stats query till + // cached TTL is reached. + if !p.atleastOnceReady || time.Since(p.lastUpdateTime) >= readinessTTL { + p.readyError = checkEnvoyStats(p.LocalHostAddr, p.AdminPort) + if p.readyError == nil && !p.atleastOnceReady { + p.atleastOnceReady = true + } + // If readiness fails, we should keep checking. + if p.readyError != nil { + p.atleastOnceReady = false + } + p.lastUpdateTime = time.Now() + } + return p.readyError +} + +// checkEnvoyStats actually executes the Stats Query on Envoy admin endpoint. +func checkEnvoyStats(host string, port uint16) error { + state, ws, err := util.GetReadinessStats(host, port) if err != nil { return fmt.Errorf("failed to get readiness stats: %v", err) } diff --git a/pilot/cmd/pilot-agent/status/ready/probe_test.go b/pilot/cmd/pilot-agent/status/ready/probe_test.go index ea0a2940404..9fa7d23afb7 100644 --- a/pilot/cmd/pilot-agent/status/ready/probe_test.go +++ b/pilot/cmd/pilot-agent/status/ready/probe_test.go @@ -19,6 +19,7 @@ import ( "net/http" "net/http/httptest" "testing" + "time" . "github.com/onsi/gomega" ) 
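Review bot: `isEnvoyReady` now reads and writes `p.atleastOnceReady`, `p.lastUpdateTime` and `p.readyError` with no synchronisation, so if `Check` can be reached from concurrent probe requests (the caller is not visible in this hunk) these accesses are a data race. A mutex field on `Probe`, taken at the top of the function with `p.mu.Lock()` and `defer p.mu.Unlock()`, would cover it. The two `if` blocks that maintain the flag also reduce to `p.atleastOnceReady = p.readyError == nil`. Once Envoy has been ready, a later failure is not reported until `readinessTTL` has elapsed; the comment on `readinessTTL` could say so explicitly.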
@@ -144,6 +145,44 @@ func TestEnvoyNoServerStats(t *testing.T) { g.Expect(err).To(HaveOccurred()) } +func TestEnvoyReadinessCache(t *testing.T) { + readinessTTL = 1 * time.Second + g := NewWithT(t) + + server := createAndStartServer(noServerStats) + probe := Probe{AdminPort: 1234} + err := probe.Check() + g.Expect(err).To(HaveOccurred()) + g.Expect(probe.atleastOnceReady).Should(BeFalse()) + g.Expect(probe.readyError).To(BeNil()) + err = probe.Check() + g.Expect(err).To(HaveOccurred()) + g.Expect(probe.atleastOnceReady).Should(BeFalse()) + server.Close() + + server = createAndStartServer(liveServerStats) + err = probe.Check() + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(probe.atleastOnceReady).Should(BeTrue()) + g.Expect(probe.readyError).To(BeNil()) + server.Close() + + time.Sleep(2 * time.Second) + server = createAndStartServer(noServerStats) + err = probe.Check() + g.Expect(err).To(HaveOccurred()) + g.Expect(probe.atleastOnceReady).Should(BeFalse()) + g.Expect(probe.readyError).NotTo(BeNil()) + server.Close() + + server = createAndStartServer(liveServerStats) + err = probe.Check() + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(probe.atleastOnceReady).Should(BeTrue()) + g.Expect(probe.readyError).To(BeNil()) + server.Close() +} + func createDefaultFuncMap(statsToReturn string) map[string]func(rw http.ResponseWriter, _ *http.Request) { return map[string]func(rw http.ResponseWriter, _ *http.Request){ diff --git a/pilot/cmd/pilot-agent/status/util/stats.go b/pilot/cmd/pilot-agent/status/util/stats.go index c1e371e7b49..17315fe837f 100644 --- a/pilot/cmd/pilot-agent/status/util/stats.go +++ b/pilot/cmd/pilot-agent/status/util/stats.go @@ -19,8 +19,11 @@ import ( "fmt" "strconv" "strings" + "time" multierror "github.com/hashicorp/go-multierror" + + "istio.io/pkg/env" ) const ( 
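Review bot: `TestEnvoyReadinessCache` assigns the package-level `readinessTTL = 1 * time.Second` and never restores it, so every test that runs after it in this package sees the shortened TTL. Save and restore the value before the assignment, e.g. `defer func(d time.Duration) { readinessTTL = d }(readinessTTL)`. With a TTL of a few milliseconds, the `time.Sleep(2 * time.Second)` could shrink accordingly and keep the test fast.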
@@ -30,8 +33,12 @@ const ( statLdsSuccess = "listener_manager.lds.update_success" statServerState = "server.state" statWorkersStarted = "listener_manager.workers_started" - readyStatsRegex = "^(server.state|listener_manager.workers_started)" - updateStatsRegex = "^(cluster_manager.cds|listener_manager.lds).(update_success|update_rejected)$" + readyStatsRegex = "^(server\\.state|listener_manager\\.workers_started)" + updateStatsRegex = "^(cluster_manager\\.cds|listener_manager\\.lds)\\.(update_success|update_rejected)$" +) + +var ( + readinessTimeout = env.RegisterDurationVar("ENVOY_READINESS_CHECK_TIMEOUT", time.Second*5, "").Get() ) type stat struct { @@ -68,7 +75,8 @@ func GetReadinessStats(localHostAddr string, adminPort uint16) (*uint64, bool, e localHostAddr = "localhost" } - stats, err := doHTTPGet(fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex)) + readinessURL := fmt.Sprintf("http://%s:%d/stats?usedonly&filter=%s", localHostAddr, adminPort, readyStatsRegex) + stats, err := doHTTPGetWithTimeout(readinessURL, readinessTimeout) if err != nil { return nil, false, err } diff --git a/pilot/cmd/pilot-agent/status/util/util.go b/pilot/cmd/pilot-agent/status/util/util.go index 0a9bee504c6..b053baf66a5 100644 --- a/pilot/cmd/pilot-agent/status/util/util.go +++ b/pilot/cmd/pilot-agent/status/util/util.go @@ -22,11 +22,11 @@ import ( "time" ) -const requestTimeout = time.Second * 1 // Default readiness probe timeout. +const requestTimeout = time.Second * 1 // Default timeout. -func doHTTPGet(requestURL string) (*bytes.Buffer, error) { +func doHTTPGetWithTimeout(requestURL string, t time.Duration) (*bytes.Buffer, error) { httpClient := &http.Client{ - Timeout: requestTimeout, + Timeout: t, } response, err := httpClient.Get(requestURL) 
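Review bot: `ENVOY_READINESS_CHECK_TIMEOUT` is registered with an empty description, and its value is passed unchecked to `http.Client{Timeout: t}` in `doHTTPGetWithTimeout` (the util.go hunk of this commit), where a zero timeout means no timeout at all. A value of `0` in the environment would therefore let a readiness check block for as long as the admin endpoint does not answer. Give the variable a description, e.g. `"Timeout for the Envoy admin stats query used by the readiness probe"`, and fall back to the default when the parsed value is not positive.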
@@ -45,3 +45,7 @@ func doHTTPGet(requestURL string) (*bytes.Buffer, error) { } return &b, nil } + +func doHTTPGet(requestURL string) (*bytes.Buffer, error) { + return doHTTPGetWithTimeout(requestURL, requestTimeout) +} From 629c7de33828b2dd0a968e16f3d76e3506380eaa Mon Sep 17 00:00:00 2001 From: Jianfei Hu Date: Tue, 25 Aug 2020 10:15:01 -0700 Subject: [PATCH 44/82] trust domain validation cherry pick for release-1.6 (#26660) * Enable trust domain validation in transport socket level (#26224) * feature * make gen revert false fix unit test add aliases fix lint break line revert duplicate test only do this for sidecar fix alias test dont export constructSAN fix comments fix bug change lint create util function add copyright make gen * remove dup * another dup * fix tests * rename func * lint line too long * add todos * add release note * make copy * explicit true * fix issue * fix unit test * make gen * update release note * remove dead code * remove cluster.local * fix unit test Co-authored-by: Navraj Singh Chhina --- pilot/pkg/networking/core/v1alpha3/gateway.go | 2 +- .../networking/plugin/authn/authentication.go | 9 ++- pilot/pkg/networking/plugin/authn/util.go | 27 +++++++ pilot/pkg/networking/util/util.go | 13 ++++ pilot/pkg/security/authn/policy_applier.go | 2 +- pilot/pkg/security/authn/utils/utils.go | 4 +- pilot/pkg/security/authn/utils/utils_test.go | 78 ++++++++++++++++++- .../security/authn/v1beta1/policy_applier.go | 7 +- .../authn/v1beta1/policy_applier_test.go | 39 ++++------ pilot/pkg/security/model/authentication.go | 24 +++++- .../pkg/security/model/authentication_test.go | 77 ++++++++++++++++-- .../notes/trust-domain-validation.yaml | 8 ++ 12 files changed, 238 insertions(+), 52 deletions(-) create mode 100644 pilot/pkg/networking/plugin/authn/util.go create mode 100644 releasenotes/notes/trust-domain-validation.yaml 
diff --git a/pilot/pkg/networking/core/v1alpha3/gateway.go b/pilot/pkg/networking/core/v1alpha3/gateway.go index a13927e980d..da2b661cf54 100644 --- a/pilot/pkg/networking/core/v1alpha3/gateway.go +++ b/pilot/pkg/networking/core/v1alpha3/gateway.go @@ -436,7 +436,7 @@ func buildGatewayListenerTLSContext( // SDS config for gateway to fetch key/cert at gateway agent. authn_model.ApplyCustomSDSToCommonTLSContext(tls.CommonTlsContext, server.Tls, authn_model.IngressGatewaySdsUdsPath) } else if server.Tls.Mode == networking.ServerTLSSettings_ISTIO_MUTUAL { - authn_model.ApplyToCommonTLSContext(tls.CommonTlsContext, metadata, sdsPath, server.Tls.SubjectAltNames) + authn_model.ApplyToCommonTLSContext(tls.CommonTlsContext, metadata, sdsPath, server.Tls.SubjectAltNames, []string{}) } else { // Fall back to the read-from-file approach when SDS is not enabled or Tls.CredentialName is not specified. tls.CommonTlsContext.TlsCertificates = []*auth.TlsCertificate{ diff --git a/pilot/pkg/networking/plugin/authn/authentication.go b/pilot/pkg/networking/plugin/authn/authentication.go index f583e18772e..33e024db25b 100644 --- a/pilot/pkg/networking/plugin/authn/authentication.go +++ b/pilot/pkg/networking/plugin/authn/authentication.go 
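Review bot: The `ISTIO_MUTUAL` branch of `buildGatewayListenerTLSContext` passes `[]string{}` as the new trust-domain argument. Assuming an empty list adds no SAN matchers (the updated expectations in utils_test.go point that way), gateways get no trust-domain check at the TLS layer. The `defaultAuthnFilter` hunk in authn/v1beta1/policy_applier.go also hard-codes `SkipValidateTrustDomain: true`, so it looks as if a gateway in this mode no longer validates the peer's trust domain anywhere; please confirm that this is intended. If it is, say so at the call site, e.g. `// Trust domain validation is sidecar-only; gateways pass no trust domains.`, and prefer `nil` over `[]string{}`. The function starts and ends outside this hunk.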
@@ -36,9 +36,10 @@ func NewPlugin() plugin.Plugin { // OnInboundFilterChains setups filter chains based on the authentication policy. func (Plugin) OnInboundFilterChains(in *plugin.InputParams) []networking.FilterChain { - return factory.NewPolicyApplier(in.Push, - in.ServiceInstance, in.Node.Metadata.Namespace, labels.Collection{in.Node.Metadata.Labels}).InboundFilterChain( - in.ServiceInstance.Endpoint.EndpointPort, in.Push.Mesh.SdsUdsPath, in.Node, in.ListenerProtocol) + return factory.NewPolicyApplier(in.Push, in.ServiceInstance, + in.Node.Metadata.Namespace, labels.Collection{in.Node.Metadata.Labels}).InboundFilterChain( + in.ServiceInstance.Endpoint.EndpointPort, in.Push.Mesh.SdsUdsPath, in.Node, + in.ListenerProtocol, trustDomainsForValidation(in.Push.Mesh)) } // OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service @@ -115,5 +116,5 @@ func (Plugin) OnInboundPassthroughFilterChains(in *plugin.InputParams) []network // Pass nil for ServiceInstance so that we never consider any alpha policy for the pass through filter chain. applier := factory.NewPolicyApplier(in.Push, nil /* ServiceInstance */, in.Node.Metadata.Namespace, labels.Collection{in.Node.Metadata.Labels}) // Pass 0 for endpointPort so that it never matches any port-level policy. - return applier.InboundFilterChain(0, in.Push.Mesh.SdsUdsPath, in.Node, in.ListenerProtocol) + return applier.InboundFilterChain(0, in.Push.Mesh.SdsUdsPath, in.Node, in.ListenerProtocol, trustDomainsForValidation(in.Push.Mesh)) } diff --git a/pilot/pkg/networking/plugin/authn/util.go b/pilot/pkg/networking/plugin/authn/util.go new file mode 100644 index 00000000000..9c26bb7d902 --- /dev/null +++ b/pilot/pkg/networking/plugin/authn/util.go 
@@ -0,0 +1,27 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package authn + +import ( + meshconfig "istio.io/api/mesh/v1alpha1" + "istio.io/istio/pilot/pkg/features" +) + +func trustDomainsForValidation(meshConfig *meshconfig.MeshConfig) []string { + if features.SkipValidateTrustDomain.Get() { + return nil + } + return append([]string{meshConfig.TrustDomain}, meshConfig.TrustDomainAliases...) +} diff --git a/pilot/pkg/networking/util/util.go b/pilot/pkg/networking/util/util.go index af9af206a4d..2fb3d57b469 100644 --- a/pilot/pkg/networking/util/util.go +++ b/pilot/pkg/networking/util/util.go @@ -602,6 +602,19 @@ func StringToExactMatch(in []string) []*matcher.StringMatcher { return res } +func StringToPrefixMatch(in []string) []*matcher.StringMatcher { + if len(in) == 0 { + return nil + } + res := make([]*matcher.StringMatcher, 0, len(in)) + for _, s := range in { + res = append(res, &matcher.StringMatcher{ + MatchPattern: &matcher.StringMatcher_Prefix{Prefix: s}, + }) + } + return res +} + func StringSliceEqual(a, b []string) bool { if len(a) != len(b) { return false diff --git a/pilot/pkg/security/authn/policy_applier.go b/pilot/pkg/security/authn/policy_applier.go index fa3c609da01..4f34a75b276 100644 --- a/pilot/pkg/security/authn/policy_applier.go +++ b/pilot/pkg/security/authn/policy_applier.go 
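Review bot: `trustDomainsForValidation` always puts `meshConfig.TrustDomain` first in the result, even when it is empty, and it has no doc comment explaining that a `nil` return switches validation off. How an empty entry becomes a SAN matcher is decided in `ApplyToCommonTLSContext`, which is not part of this hunk. Either skip empty strings here or confirm that they are ignored downstream. Suggested comment: `// trustDomainsForValidation returns the mesh trust domain followed by its aliases, or nil when features.SkipValidateTrustDomain is set.`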
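Review bot: The exported `StringToPrefixMatch` (networking/util/util.go hunk) has no doc comment, and for trust-domain matching the terminating delimiter matters: a prefix such as `spiffe://td` would also match `spiffe://td.example/...` (constructed sample). The expected value in utils_test.go appends `"/"` after the trust domain, so the caller appears to handle this, but the helper does not enforce it. Document the contract, e.g. `// StringToPrefixMatch returns one prefix matcher per input; callers must include any terminating delimiter (such as "/") in the prefix.`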
@@ -27,7 +27,7 @@ type PolicyApplier interface { // InboundFilterChain returns inbound filter chain(s) for the given endpoint (aka workload) port to // enforce the underlying authentication policy. InboundFilterChain(endpointPort uint32, sdsUdsPath string, node *model.Proxy, - listenerProtocol networking.ListenerProtocol) []networking.FilterChain + listenerProtocol networking.ListenerProtocol, trustDomainAliases []string) []networking.FilterChain // AuthNFilter returns the JWT HTTP filter to enforce the underlying authentication policy. // It may return nil, if no JWT validation is needed. diff --git a/pilot/pkg/security/authn/utils/utils.go b/pilot/pkg/security/authn/utils/utils.go index 7cf284f6055..6ca875e82f0 100644 --- a/pilot/pkg/security/authn/utils/utils.go +++ b/pilot/pkg/security/authn/utils/utils.go @@ -31,7 +31,7 @@ import ( // BuildInboundFilterChain returns the filter chain(s) corresponding to the mTLS mode. func BuildInboundFilterChain(mTLSMode model.MutualTLSMode, sdsUdsPath string, node *model.Proxy, - listenerProtocol networking.ListenerProtocol) []networking.FilterChain { + listenerProtocol networking.ListenerProtocol, trustDomainAliases []string) []networking.FilterChain { if mTLSMode == model.MTLSDisable || mTLSMode == model.MTLSUnknown { return nil } @@ -73,7 +73,7 @@ func BuildInboundFilterChain(mTLSMode model.MutualTLSMode, sdsUdsPath string, no RequireClientCertificate: protovalue.BoolTrue, } } - authn_model.ApplyToCommonTLSContext(tls.CommonTlsContext, meta, sdsUdsPath, []string{} /*subjectAltNames*/) + authn_model.ApplyToCommonTLSContext(tls.CommonTlsContext, meta, sdsUdsPath, []string{} /*subjectAltNames*/, trustDomainAliases) if mTLSMode == model.MTLSStrict { log.Debug("Allow only istio mutual TLS traffic") diff --git a/pilot/pkg/security/authn/utils/utils_test.go b/pilot/pkg/security/authn/utils/utils_test.go index 3ecaee403f9..e2e6c3565b8 100644 --- a/pilot/pkg/security/authn/utils/utils_test.go 
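Review bot: The new `InboundFilterChain` parameter is named `trustDomainAliases`, but the plugin passes `trustDomainsForValidation(in.Push.Mesh)`, which is the primary trust domain plus its aliases. `BuildInboundFilterChain` in authn/utils/utils.go uses the same name. Renaming both to `trustDomains` would stop a reader from assuming that the primary domain is added elsewhere. The interface comment should also cover the parameter, e.g. `// trustDomains is the full list of trust domains accepted from peers, including the mesh's own.`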
+++ b/pilot/pkg/security/authn/utils/utils_test.go @@ -25,13 +25,14 @@ import ( auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" listener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" structpb "github.com/golang/protobuf/ptypes/struct" "istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/networking" - "istio.io/istio/pilot/pkg/networking/util" authn_model "istio.io/istio/pilot/pkg/security/model" protovalue "istio.io/istio/pkg/proto" + "istio.io/istio/pkg/spiffe" ) func TestBuildInboundFilterChain(t *testing.T) { @@ -72,6 +73,7 @@ func TestBuildInboundFilterChain(t *testing.T) { sdsUdsPath string node *model.Proxy listenerProtocol networking.ListenerProtocol + trustDomains []string } tests := []struct { name string 
@@ -182,7 +184,76 @@ func TestBuildInboundFilterChain(t *testing.T) { }, ValidationContextType: &auth.CommonTlsContext_CombinedValidationContext{ CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{ - DefaultValidationContext: &auth.CertificateValidationContext{MatchSubjectAltNames: util.StringToExactMatch([]string{})}, + DefaultValidationContext: &auth.CertificateValidationContext{}, + ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ + Name: "ROOTCA", + SdsConfig: &core.ConfigSource{ + InitialFetchTimeout: ptypes.DurationProto(0 * time.Second), + ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ + ApiConfigSource: &core.ApiConfigSource{ + ApiType: core.ApiConfigSource_GRPC, + GrpcServices: []*core.GrpcService{ + { + TargetSpecifier: &core.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: authn_model.SDSClusterName}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + AlpnProtocols: []string{"h2", "http/1.1"}, + }, + RequireClientCertificate: protovalue.BoolTrue, + }, + }, + }, + }, + { + name: "MTLSStrict using SDS with local trust domain", + args: args{ + mTLSMode: model.MTLSStrict, + sdsUdsPath: "/tmp/sdsuds.sock", + node: &model.Proxy{ + Metadata: &model.NodeMetadata{ + SdsEnabled: true, + }, + }, + listenerProtocol: networking.ListenerProtocolHTTP, + trustDomains: []string{"cluster.local"}, + }, + want: []networking.FilterChain{ + { + TLSContext: &auth.DownstreamTlsContext{ + CommonTlsContext: &auth.CommonTlsContext{ + TlsCertificateSdsSecretConfigs: []*auth.SdsSecretConfig{ + { + Name: "default", + SdsConfig: &core.ConfigSource{ + InitialFetchTimeout: ptypes.DurationProto(0 * time.Second), + ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ + ApiConfigSource: &core.ApiConfigSource{ + ApiType: core.ApiConfigSource_GRPC, + GrpcServices: []*core.GrpcService{ + { + TargetSpecifier: &core.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: 
authn_model.SDSClusterName}, + }, + }, + }, + }, + }, + }, + }, + }, + ValidationContextType: &auth.CommonTlsContext_CombinedValidationContext{ + CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{ + DefaultValidationContext: &auth.CertificateValidationContext{MatchSubjectAltNames: []*matcher.StringMatcher{ + {MatchPattern: &matcher.StringMatcher_Prefix{Prefix: spiffe.URIPrefix + spiffe.GetTrustDomain() + "/"}}, + }}, ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ Name: "ROOTCA", SdsConfig: &core.ConfigSource{ @@ -277,7 +348,8 @@ func TestBuildInboundFilterChain(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if got := BuildInboundFilterChain(tt.args.mTLSMode, tt.args.sdsUdsPath, tt.args.node, tt.args.listenerProtocol); !reflect.DeepEqual(got, tt.want) { + got := BuildInboundFilterChain(tt.args.mTLSMode, tt.args.sdsUdsPath, tt.args.node, tt.args.listenerProtocol, tt.args.trustDomains) + if !reflect.DeepEqual(got, tt.want) { t.Errorf("BuildInboundFilterChain() = %v, want %v", spew.Sdump(got), spew.Sdump(tt.want)) t.Logf("got:\n%v\n", got[0].TLSContext.CommonTlsContext.TlsCertificateSdsSecretConfigs[0]) } diff --git a/pilot/pkg/security/authn/v1beta1/policy_applier.go b/pilot/pkg/security/authn/v1beta1/policy_applier.go index 74712fc026b..34d7bdb3f87 100644 --- a/pilot/pkg/security/authn/v1beta1/policy_applier.go +++ b/pilot/pkg/security/authn/v1beta1/policy_applier.go @@ -28,7 +28,6 @@ import ( "istio.io/api/security/v1beta1" "istio.io/pkg/log" - "istio.io/istio/pilot/pkg/features" "istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/networking" "istio.io/istio/pilot/pkg/networking/util" 
@@ -75,7 +74,7 @@ func defaultAuthnFilter() *authn_filter.FilterConfig { return &authn_filter.FilterConfig{ Policy: &authn_alpha.Policy{}, // we can always set this field, it's no-op if mTLS is not used. - SkipValidateTrustDomain: features.SkipValidateTrustDomain.Get(), + SkipValidateTrustDomain: true, } } @@ -168,10 +167,10 @@ func (a *v1beta1PolicyApplier) AuthNFilter(proxyType model.NodeType, port uint32 } func (a *v1beta1PolicyApplier) InboundFilterChain(endpointPort uint32, sdsUdsPath string, node *model.Proxy, - listenerProtocol networking.ListenerProtocol) []networking.FilterChain { + listenerProtocol networking.ListenerProtocol, trustDomainAliases []string) []networking.FilterChain { effectiveMTLSMode := a.getMutualTLSModeForPort(endpointPort) authnLog.Debugf("InboundFilterChain: build inbound filter change for %v:%d in %s mode", node.ID, endpointPort, effectiveMTLSMode) - return authn_utils.BuildInboundFilterChain(effectiveMTLSMode, sdsUdsPath, node, listenerProtocol) + return authn_utils.BuildInboundFilterChain(effectiveMTLSMode, sdsUdsPath, node, listenerProtocol, trustDomainAliases) } // NewPolicyApplier returns new applier for v1beta1 authentication policies. diff --git a/pilot/pkg/security/authn/v1beta1/policy_applier_test.go b/pilot/pkg/security/authn/v1beta1/policy_applier_test.go index 6aa0b232572..3cef6289f97 100644 --- a/pilot/pkg/security/authn/v1beta1/policy_applier_test.go +++ b/pilot/pkg/security/authn/v1beta1/policy_applier_test.go @@ -15,7 +15,6 @@ package v1beta1 import ( - "os" "reflect" "testing" "time" @@ -35,7 +34,6 @@ import ( "istio.io/api/security/v1beta1" type_beta "istio.io/api/type/v1beta1" - "istio.io/istio/pilot/pkg/features" "istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/model/test" "istio.io/istio/pilot/pkg/networking" 
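Review bot: In `defaultAuthnFilter` the comment kept above the field, `// we can always set this field, it's no-op if mTLS is not used.`, no longer explains the new hard-coded `SkipValidateTrustDomain: true`. Going by the commit title, validation moves to the TLS transport socket, so the comment should say that, e.g. `// Trust domain is validated at the TLS layer via SAN matchers, so the filter always skips it.` It would also help to note that `features.SkipValidateTrustDomain` is no longer read in this file.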
@@ -836,13 +834,6 @@ func TestConvertToEnvoyJwtConfig(t *testing.T) { } } -func setSkipValidateTrustDomain(value string, t *testing.T) { - err := os.Setenv(features.SkipValidateTrustDomain.Name, value) - if err != nil { - t.Fatalf("failed to set SkipValidateTrustDomain: %v", err) - } -} - func humanReadableAuthnFilterDump(filter *http_conn.HttpFilter) string { if filter == nil { return "" @@ -860,12 +851,11 @@ func TestAuthnFilterConfig(t *testing.T) { jwksURI := ms.URL + "/oauth2/v3/certs" cases := []struct { - name string - isGateway bool - skipTrustDomainValidate bool - jwtIn []*model.Config - peerIn []*model.Config - expected *http_conn.HttpFilter + name string + isGateway bool + jwtIn []*model.Config + peerIn []*model.Config + expected *http_conn.HttpFilter }{ { name: "no-policy", @@ -884,6 +874,7 @@ func TestAuthnFilterConfig(t *testing.T) { }, }, }, + SkipValidateTrustDomain: true, }), }, }, @@ -894,8 +885,7 @@ func TestAuthnFilterConfig(t *testing.T) { expected: nil, }, { - name: "no-request-authn-rule-skip-trust-domain", - skipTrustDomainValidate: true, + name: "no-request-authn-rule-skip-trust-domain", expected: &http_conn.HttpFilter{ Name: "istio_authn", ConfigType: &http_conn.HttpFilter_TypedConfig{ @@ -954,6 +944,7 @@ func TestAuthnFilterConfig(t *testing.T) { OriginIsOptional: true, PrincipalBinding: authn_alpha.PrincipalBinding_USE_ORIGIN, }, + SkipValidateTrustDomain: true, }), }, }, @@ -988,6 +979,7 @@ func TestAuthnFilterConfig(t *testing.T) { OriginIsOptional: true, PrincipalBinding: authn_alpha.PrincipalBinding_USE_ORIGIN, }, + SkipValidateTrustDomain: true, }), }, }, @@ -1048,6 +1040,7 @@ func TestAuthnFilterConfig(t *testing.T) { OriginIsOptional: true, PrincipalBinding: authn_alpha.PrincipalBinding_USE_ORIGIN, }, + SkipValidateTrustDomain: true, }), }, }, 
@@ -1108,6 +1101,7 @@ func TestAuthnFilterConfig(t *testing.T) { OriginIsOptional: true, PrincipalBinding: authn_alpha.PrincipalBinding_USE_ORIGIN, }, + SkipValidateTrustDomain: true, }), }, }, @@ -1138,6 +1132,7 @@ func TestAuthnFilterConfig(t *testing.T) { }, }, }, + SkipValidateTrustDomain: true, }), }, }, @@ -1157,8 +1152,7 @@ func TestAuthnFilterConfig(t *testing.T) { expected: nil, }, { - name: "beta-mtls-skip-trust-domain", - skipTrustDomainValidate: true, + name: "beta-mtls-skip-trust-domain", peerIn: []*model.Config{ { Spec: &v1beta1.PeerAuthentication{ @@ -1191,12 +1185,6 @@ func TestAuthnFilterConfig(t *testing.T) { } for _, c := range cases { t.Run(c.name, func(t *testing.T) { - if c.skipTrustDomainValidate { - setSkipValidateTrustDomain("true", t) - defer func() { - setSkipValidateTrustDomain("false", t) - }() - } proxyType := model.SidecarProxy if c.isGateway { proxyType = model.Router @@ -1454,6 +1442,7 @@ func TestOnInboundFilterChain(t *testing.T) { tc.sdsUdsPath, testNode, networking.ListenerProtocolAuto, + []string{}, ) if !reflect.DeepEqual(got, tc.expected) { t.Errorf("[%v] unexpected filter chains, got %v, want %v", tc.name, got, tc.expected) diff --git a/pilot/pkg/security/model/authentication.go b/pilot/pkg/security/model/authentication.go index e571ab56eb2..261ff93fdbf 100644 --- a/pilot/pkg/security/model/authentication.go +++ b/pilot/pkg/security/model/authentication.go @@ -30,6 +30,7 @@ import ( "istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/networking/util" "istio.io/istio/pkg/config/constants" + "istio.io/istio/pkg/spiffe" ) const ( 
@@ -158,8 +159,17 @@ func ConstructValidationContext(rootCAFilePath string, subjectAltNames []string) return ret } +func appendURIPrefixToTrustDomain(trustDomainAliases []string) []string { + var res []string + for _, td := range trustDomainAliases { + res = append(res, spiffe.URIPrefix+td+"/") + } + return res +} + // ApplyToCommonTLSContext completes the commonTlsContext for `ISTIO_MUTUAL` TLS mode -func ApplyToCommonTLSContext(tlsContext *auth.CommonTlsContext, metadata *model.NodeMetadata, sdsPath string, subjectAltNames []string) { +func ApplyToCommonTLSContext(tlsContext *auth.CommonTlsContext, metadata *model.NodeMetadata, + sdsPath string, subjectAltNames []string, trustDomainAliases []string) { // configure TLS with SDS if metadata.SdsEnabled && sdsPath != "" { // These are certs being mounted from within the pod. Rather than reading directly in Envoy, 
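Review bot: `appendURIPrefixToTrustDomain` turns every entry into a SAN prefix without checking it, so an empty alias from configuration becomes `spiffe.URIPrefix + "/"`, a matcher that is not tied to any trust domain. Skipping such entries with `if td == "" { continue }` at the top of the loop avoids emitting that matcher. The helper also has no doc comment, and its name says "append" while it prepends the prefix and adds a trailing slash. Something like `// appendURIPrefixToTrustDomain returns "spiffe://<td>/" for each alias; the trailing slash stops "foo" from matching "foo.example".` would record why the slash matters. The `ApplyToCommonTLSContext` body continues outside this hunk.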
@@ -171,12 +181,18 @@ func ApplyToCommonTLSContext(tlsContext *auth.CommonTlsContext, metadata *model. CaCertificatePath: metadata.TLSServerRootCert, } + // TODO: if subjectAltName ends with *, create a prefix match as well. + // TODO: if user explicitly specifies SANs - should we alter his explicit config by adding all spifee aliases? + matchSAN := util.StringToExactMatch(subjectAltNames) + if len(trustDomainAliases) > 0 { + matchSAN = append(matchSAN, util.StringToPrefixMatch(appendURIPrefixToTrustDomain(trustDomainAliases))...) + } + // configure server listeners with SDS. tlsContext.ValidationContextType = &auth.CommonTlsContext_CombinedValidationContext{ CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{ - DefaultValidationContext: &auth.CertificateValidationContext{MatchSubjectAltNames: util.StringToExactMatch(subjectAltNames)}, - ValidationContextSdsSecretConfig: ConstructSdsSecretConfig( - model.GetOrDefault(res.GetRootResourceName(), SDSRootResourceName), sdsPath), + DefaultValidationContext: &auth.CertificateValidationContext{MatchSubjectAltNames: matchSAN}, + ValidationContextSdsSecretConfig: ConstructSdsSecretConfig(model.GetOrDefault(res.GetRootResourceName(), SDSRootResourceName), sdsPath), }, } tlsContext.TlsCertificateSdsSecretConfigs = []*auth.SdsSecretConfig{ diff --git a/pilot/pkg/security/model/authentication_test.go b/pilot/pkg/security/model/authentication_test.go index 6c6c9f33778..0aac4397f8f 100644 --- a/pilot/pkg/security/model/authentication_test.go +++ b/pilot/pkg/security/model/authentication_test.go 
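Review bot: Appending the trust-domain prefix matchers to `matchSAN` widens an explicit `subjectAltNames` list rather than narrowing it, because Envoy accepts a certificate when any one of the `MatchSubjectAltNames` matchers matches. A caller that pins exact SANs would then also accept every identity under the aliased trust domains, which is the open question in the second TODO. Until that is decided I would add the prefix matchers only when no explicit SANs were given, `if len(subjectAltNames) == 0 && len(trustDomainAliases) > 0 {`, or at least state the any-of semantics in a comment on the `append` line. `ApplyToCommonTLSContext` begins and ends outside this hunk.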
@@ -25,10 +25,11 @@ import ( "github.com/davecgh/go-spew/spew" auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth" core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" "istio.io/istio/pilot/pkg/features" "istio.io/istio/pilot/pkg/model" - "istio.io/istio/pilot/pkg/networking/util" + "istio.io/istio/pkg/spiffe" ) func TestConstructSdsSecretConfig(t *testing.T) { @@ -170,10 +171,11 @@ func TestConstructSdsSecretConfigWithCustomUds(t *testing.T) { func TestApplyToCommonTLSContext(t *testing.T) { testCases := []struct { - name string - sdsUdsPath string - node *model.Proxy - result *auth.CommonTlsContext + name string + sdsUdsPath string + node *model.Proxy + trustDomainAliases []string + result *auth.CommonTlsContext }{ { name: "MTLSStrict using SDS", 
@@ -206,7 +208,66 @@ func TestApplyToCommonTLSContext(t *testing.T) { }, ValidationContextType: &auth.CommonTlsContext_CombinedValidationContext{ CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{ - DefaultValidationContext: &auth.CertificateValidationContext{MatchSubjectAltNames: util.StringToExactMatch([]string{})}, + DefaultValidationContext: &auth.CertificateValidationContext{}, + ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ + Name: "ROOTCA", + SdsConfig: &core.ConfigSource{ + InitialFetchTimeout: ptypes.DurationProto(time.Second * 0), + ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ + ApiConfigSource: &core.ApiConfigSource{ + ApiType: core.ApiConfigSource_GRPC, + GrpcServices: []*core.GrpcService{ + { + TargetSpecifier: &core.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: SDSClusterName}, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + { + name: "MTLSStrict using SDS and SAN aliases", + sdsUdsPath: "/tmp/sdsuds.sock", + node: &model.Proxy{ + Metadata: &model.NodeMetadata{ + SdsEnabled: true, + }, + }, + trustDomainAliases: []string{"alias-1.domain", "some-other-alias-1.domain", "alias-2.domain"}, + result: &auth.CommonTlsContext{ + TlsCertificateSdsSecretConfigs: []*auth.SdsSecretConfig{ + { + Name: "default", + SdsConfig: &core.ConfigSource{ + InitialFetchTimeout: ptypes.DurationProto(time.Second * 0), + ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ + ApiConfigSource: &core.ApiConfigSource{ + ApiType: core.ApiConfigSource_GRPC, + GrpcServices: []*core.GrpcService{ + { + TargetSpecifier: &core.GrpcService_EnvoyGrpc_{ + EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: SDSClusterName}, + }, + }, + }, + }, + }, + }, + }, + }, + ValidationContextType: &auth.CommonTlsContext_CombinedValidationContext{ + CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{ + DefaultValidationContext: 
&auth.CertificateValidationContext{MatchSubjectAltNames: []*matcher.StringMatcher{ + {MatchPattern: &matcher.StringMatcher_Prefix{Prefix: spiffe.URIPrefix + "alias-1.domain" + "/"}}, + {MatchPattern: &matcher.StringMatcher_Prefix{Prefix: spiffe.URIPrefix + "some-other-alias-1.domain" + "/"}}, + {MatchPattern: &matcher.StringMatcher_Prefix{Prefix: spiffe.URIPrefix + "alias-2.domain" + "/"}}, + }}, ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ Name: "ROOTCA", SdsConfig: &core.ConfigSource{ @@ -263,7 +324,7 @@ func TestApplyToCommonTLSContext(t *testing.T) { }, ValidationContextType: &auth.CommonTlsContext_CombinedValidationContext{ CombinedValidationContext: &auth.CommonTlsContext_CombinedCertificateValidationContext{ - DefaultValidationContext: &auth.CertificateValidationContext{MatchSubjectAltNames: util.StringToExactMatch([]string{})}, + DefaultValidationContext: &auth.CertificateValidationContext{}, ValidationContextSdsSecretConfig: &auth.SdsSecretConfig{ Name: "file-root:servrRootCert", SdsConfig: &core.ConfigSource{ @@ -359,7 +420,7 @@ func TestApplyToCommonTLSContext(t *testing.T) { for _, test := range testCases { t.Run(test.name, func(t *testing.T) { tlsContext := &auth.CommonTlsContext{} - ApplyToCommonTLSContext(tlsContext, test.node.Metadata, test.sdsUdsPath, []string{}) + ApplyToCommonTLSContext(tlsContext, test.node.Metadata, test.sdsUdsPath, []string{}, test.trustDomainAliases) if !reflect.DeepEqual(tlsContext, test.result) { t.Errorf("got() = %v, want %v", spew.Sdump(tlsContext), spew.Sdump(test.result)) diff --git a/releasenotes/notes/trust-domain-validation.yaml b/releasenotes/notes/trust-domain-validation.yaml new file mode 100644 index 00000000000..d807f77d45a --- /dev/null +++ b/releasenotes/notes/trust-domain-validation.yaml 
@@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: feature +area: security +issue: + - 26224 +releaseNotes: | + *Added* Trust Domain Validation by default rejecting requests in sidecars if the request is not from same trust domain + or if it's not in the TrustDomainAliases specified in the MeshConfig. From 6638d1292cd9e9363f8f382580118488331bb959 Mon Sep 17 00:00:00 2001 From: Yangmin Zhu Date: Wed, 26 Aug 2020 08:39:50 -0700 Subject: [PATCH 45/82] release-1.6: add e2e tests for trust domain validation (#26804) --- pkg/test/echo/cmd/client/main.go | 36 ++- pkg/test/echo/proto/echo.pb.go | 83 +++--- pkg/test/echo/proto/echo.proto | 3 + pkg/test/echo/server/endpoint/grpc.go | 5 +- pkg/test/echo/server/forwarder/protocol.go | 64 ++++- pkg/test/framework/components/echo/call.go | 4 + .../framework/components/echo/common/call.go | 2 + samples/certs/README.md | 11 +- samples/certs/generate-workload.sh | 49 ++++ samples/certs/workload-bar-cert.pem | 43 +++ samples/certs/workload-bar-key.pem | 27 ++ samples/certs/workload-foo-cert.pem | 43 +++ samples/certs/workload-foo-key.pem | 27 ++ .../security/ca_custom_root/main_test.go | 66 +++++ .../trust_domain_validation_test.go | 267 ++++++++++++++++++ tests/integration/security/util/cert/cert.go | 4 +- 16 files changed, 685 insertions(+), 49 deletions(-) create mode 100644 samples/certs/generate-workload.sh create mode 100644 samples/certs/workload-bar-cert.pem create mode 100644 samples/certs/workload-bar-key.pem create mode 100644 samples/certs/workload-foo-cert.pem create mode 100644 samples/certs/workload-foo-key.pem create mode 100644 tests/integration/security/ca_custom_root/main_test.go create mode 100644 tests/integration/security/ca_custom_root/trust_domain_validation_test.go diff --git a/pkg/test/echo/cmd/client/main.go b/pkg/test/echo/cmd/client/main.go index 4cf45f5b5a6..3325825455f 100644 --- a/pkg/test/echo/cmd/client/main.go +++ b/pkg/test/echo/cmd/client/main.go 
@@ -19,6 +19,7 @@ package main import ( "context" "fmt" + "io/ioutil" "os" "strings" "time" @@ -33,15 +34,17 @@ import ( ) var ( - count int - timeout time.Duration - qps int - url string - uds string - headerKey string - headerVal string - headers string - msg string + count int + timeout time.Duration + qps int + url string + uds string + headerKey string + headerVal string + headers string + msg string + clientCert string + clientKey string caFile string @@ -118,6 +121,8 @@ func init() { rootCmd.PersistentFlags().StringVar(&caFile, "ca", "/cert.crt", "CA root cert file") rootCmd.PersistentFlags().StringVar(&msg, "msg", "HelloWorld", "message to send (for websockets)") + rootCmd.PersistentFlags().StringVar(&clientCert, "client-cert", "", "client certificate file to use for request") + rootCmd.PersistentFlags().StringVar(&clientKey, "client-key", "", "client certificate key file to use for request") loggingOptions.AttachCobraFlags(rootCmd) @@ -157,6 +162,19 @@ func getRequest() (*proto.ForwardEchoRequest, error) { }) } } + + if clientCert != "" && clientKey != "" { + certData, err := ioutil.ReadFile(clientCert) + if err != nil { + return nil, fmt.Errorf("failed to load client certificate: %v", err) + } + request.Cert = string(certData) + keyData, err := ioutil.ReadFile(clientKey) + if err != nil { + return nil, fmt.Errorf("failed to load client certificate key: %v", err) + } + request.Key = string(keyData) + } return request, nil } diff --git a/pkg/test/echo/proto/echo.pb.go b/pkg/test/echo/proto/echo.pb.go index 9ee521b3ad4..f311a297cf7 100644 --- a/pkg/test/echo/proto/echo.pb.go +++ b/pkg/test/echo/proto/echo.pb.go @@ -4,12 +4,11 @@ package proto import ( + context "context" fmt "fmt" - math "math" - proto "github.com/golang/protobuf/proto" - context "golang.org/x/net/context" grpc "google.golang.org/grpc" + math "math" ) // Reference imports to suppress errors if they are not otherwise used. 
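Review bot: In the `getRequest` hunk, the new block runs only when both `--client-cert` and `--client-key` are set, so passing just one of them is silently ignored and the request goes out without a client certificate. In a tool used to exercise mTLS, the resulting failure is easy to misread as a server-side rejection. I would fail fast before the existing check: `if (clientCert == "") != (clientKey == "") { return nil, fmt.Errorf("--client-cert and --client-key must be set together") }`. `getRequest` starts outside the hunk.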
@@ -21,7 +20,7 @@ var _ = math.Inf // is compatible with the proto package it is being compiled against. // A compilation error at this line likely means your copy of the // proto package needs to be updated. -const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package type EchoRequest struct { Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"` 
@@ -149,15 +148,18 @@ func (m *Header) GetValue() string { } type ForwardEchoRequest struct { - Count int32 `protobuf:"varint,1,opt,name=count,proto3" json:"count,omitempty"` - Qps int32 `protobuf:"varint,2,opt,name=qps,proto3" json:"qps,omitempty"` - TimeoutMicros int64 `protobuf:"varint,3,opt,name=timeout_micros,json=timeoutMicros,proto3" json:"timeout_micros,omitempty"` - Url string `protobuf:"bytes,4,opt,name=url,proto3" json:"url,omitempty"` - Headers []*Header `protobuf:"bytes,5,rep,name=headers,proto3" json:"headers,omitempty"` - Message string `protobuf:"bytes,6,opt,name=message,proto3" json:"message,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + Count int32 `protobuf:"varint,1,opt,name=count,proto3" json:"count,omitempty"` + Qps int32 `protobuf:"varint,2,opt,name=qps,proto3" json:"qps,omitempty"` + TimeoutMicros int64 `protobuf:"varint,3,opt,name=timeout_micros,json=timeoutMicros,proto3" json:"timeout_micros,omitempty"` + Url string `protobuf:"bytes,4,opt,name=url,proto3" json:"url,omitempty"` + Headers []*Header `protobuf:"bytes,5,rep,name=headers,proto3" json:"headers,omitempty"` + Message string `protobuf:"bytes,6,opt,name=message,proto3" json:"message,omitempty"` + // If non-empty, make the request with the corresponding cert and key. + Cert string `protobuf:"bytes,7,opt,name=cert,proto3" json:"cert,omitempty"` + Key string `protobuf:"bytes,8,opt,name=key,proto3" json:"key,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *ForwardEchoRequest) Reset() { *m = ForwardEchoRequest{} } 
@@ -227,6 +229,20 @@ func (m *ForwardEchoRequest) GetMessage() string { return "" } +func (m *ForwardEchoRequest) GetCert() string { + if m != nil { + return m.Cert + } + return "" +} + +func (m *ForwardEchoRequest) GetKey() string { + if m != nil { + return m.Key + } + return "" +} + type ForwardEchoResponse struct { Output []string `protobuf:"bytes,1,rep,name=output,proto3" json:"output,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` 
@@ -277,26 +293,27 @@ func init() { func init() { proto.RegisterFile("echo.proto", fileDescriptor_08134aea513e0001) } var fileDescriptor_08134aea513e0001 = []byte{ - // 301 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x50, 0xcb, 0x4a, 0xf3, 0x40, - 0x18, 0x25, 0x7f, 0x3a, 0x29, 0xfd, 0xfa, 0x57, 0x65, 0x5a, 0x64, 0xec, 0xaa, 0x04, 0xa4, 0xd9, - 0x58, 0xa5, 0xbe, 0x82, 0x8a, 0x1b, 0x37, 0xa3, 0x7b, 0x89, 0xe9, 0x87, 0x09, 0x26, 0x9d, 0x74, - 0x2e, 0x15, 0xdf, 0xc0, 0x47, 0xf2, 0xf1, 0x64, 0x2e, 0x85, 0x04, 0xc5, 0x55, 0xe6, 0x5c, 0x72, - 0xe6, 0xcc, 0x01, 0xc0, 0xa2, 0x14, 0xab, 0x56, 0x0a, 0x2d, 0x28, 0x71, 0x9f, 0x74, 0x09, 0xe3, - 0xdb, 0xa2, 0x14, 0x1c, 0x77, 0x06, 0x95, 0xa6, 0x0c, 0x86, 0x0d, 0x2a, 0x95, 0xbf, 0x22, 0x8b, - 0x16, 0x51, 0x36, 0xe2, 0x07, 0x98, 0x66, 0xf0, 0xdf, 0x1b, 0x55, 0x2b, 0xb6, 0x0a, 0xff, 0x70, - 0x5e, 0x41, 0x72, 0x8f, 0xf9, 0x06, 0x25, 0x3d, 0x81, 0xf8, 0x0d, 0x3f, 0x82, 0x6e, 0x8f, 0x74, - 0x06, 0x64, 0x9f, 0xd7, 0x06, 0xd9, 0x3f, 0xc7, 0x79, 0x90, 0x7e, 0x45, 0x40, 0xef, 0x84, 0x7c, - 0xcf, 0xe5, 0xa6, 0x5b, 0x66, 0x06, 0xa4, 0x10, 0x66, 0xab, 0x5d, 0x00, 0xe1, 0x1e, 0xd8, 0xd0, - 0x5d, 0xab, 0x5c, 0x00, 0xe1, 0xf6, 0x48, 0xcf, 0xe1, 0x48, 0x57, 0x0d, 0x0a, 0xa3, 0x9f, 0x9b, - 0xaa, 0x90, 0x42, 0xb1, 0x78, 0x11, 0x65, 0x31, 0x9f, 0x04, 0xf6, 0xc1, 0x91, 0xf6, 0x47, 0x23, - 0x6b, 0x36, 0xf0, 0x6d, 0x8c, 0xac, 0xe9, 0x12, 0x86, 0xa5, 0x6b, 0xaa, 0x18, 0x59, 0xc4, 0xd9, - 0x78, 0x3d, 0xf1, 0xe3, 0xac, 0x7c, 0x7f, 0x7e, 0x50, 0xbb, 0x8f, 0x4d, 0xfa, 0x8f, 0xbd, 0x80, - 0x69, 0xaf, 0x79, 0x58, 0xe7, 0x14, 0x12, 0x61, 0x74, 0x6b, 0x6c, 0xf7, 0x38, 0x1b, 0xf1, 0x80, - 0xd6, 0x9f, 0x11, 0x1c, 0x5b, 0xe3, 0x13, 0x2a, 0xfd, 0x88, 0x72, 0x5f, 0x15, 0x48, 0x2f, 0x61, - 0x60, 0x29, 0x4a, 0xc3, 0xe5, 0x9d, 0x09, 0xe6, 0xd3, 0x1e, 0x17, 0xc2, 0x6f, 0x60, 0xdc, 0xb9, - 0x93, 0x9e, 0x05, 0xcf, 0xcf, 0x05, 0xe7, 0xf3, 0xdf, 0x24, 0x9f, 0xf2, 0x92, 0x38, 0xe9, 0xfa, - 0x3b, 0x00, 0x00, 
0xff, 0xff, 0x11, 0x07, 0xc8, 0x61, 0x15, 0x02, 0x00, 0x00, + // 318 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x50, 0xcd, 0x4e, 0x32, 0x41, + 0x10, 0xcc, 0x7e, 0xcb, 0x2e, 0x1f, 0x8d, 0xa8, 0x69, 0x88, 0x19, 0x39, 0x91, 0x4d, 0x0c, 0x7b, + 0x11, 0x0d, 0xbe, 0x82, 0x1a, 0x2f, 0x5e, 0x46, 0xef, 0x66, 0x1d, 0x3a, 0x42, 0x04, 0x66, 0x99, + 0x1f, 0x8c, 0x6f, 0xe0, 0x53, 0xfa, 0x2c, 0x66, 0x7e, 0x30, 0x4b, 0x34, 0x9e, 0xb6, 0xbb, 0xba, + 0xb6, 0xa6, 0xaa, 0x00, 0x48, 0xcc, 0xe5, 0xa4, 0x56, 0xd2, 0x48, 0xcc, 0xfc, 0xa7, 0x18, 0x43, + 0xf7, 0x46, 0xcc, 0x25, 0xa7, 0x8d, 0x25, 0x6d, 0x90, 0x41, 0x7b, 0x45, 0x5a, 0x57, 0x2f, 0xc4, + 0x92, 0x51, 0x52, 0x76, 0xf8, 0x6e, 0x2d, 0x4a, 0x38, 0x08, 0x44, 0x5d, 0xcb, 0xb5, 0xa6, 0x3f, + 0x98, 0x97, 0x90, 0xdf, 0x51, 0x35, 0x23, 0x85, 0xc7, 0x90, 0xbe, 0xd2, 0x7b, 0xbc, 0xbb, 0x11, + 0x07, 0x90, 0x6d, 0xab, 0xa5, 0x25, 0xf6, 0xcf, 0x63, 0x61, 0x29, 0x3e, 0x13, 0xc0, 0x5b, 0xa9, + 0xde, 0x2a, 0x35, 0x6b, 0x9a, 0x19, 0x40, 0x26, 0xa4, 0x5d, 0x1b, 0x2f, 0x90, 0xf1, 0xb0, 0x38, + 0xd1, 0x4d, 0xad, 0xbd, 0x40, 0xc6, 0xdd, 0x88, 0x67, 0x70, 0x68, 0x16, 0x2b, 0x92, 0xd6, 0x3c, + 0xad, 0x16, 0x42, 0x49, 0xcd, 0xd2, 0x51, 0x52, 0xa6, 0xbc, 0x17, 0xd1, 0x7b, 0x0f, 0xba, 0x1f, + 0xad, 0x5a, 0xb2, 0x56, 0x70, 0x63, 0xd5, 0x12, 0xc7, 0xd0, 0x9e, 0x7b, 0xa7, 0x9a, 0x65, 0xa3, + 0xb4, 0xec, 0x4e, 0x7b, 0xa1, 0x9c, 0x49, 0xf0, 0xcf, 0x77, 0xd7, 0x66, 0xd8, 0x7c, 0x2f, 0x2c, + 0x22, 0xb4, 0x04, 0x29, 0xc3, 0xda, 0x1e, 0xf6, 0xf3, 0x2e, 0xf6, 0xff, 0xef, 0xd8, 0xc5, 0x39, + 0xf4, 0xf7, 0xf2, 0xc5, 0x0e, 0x4f, 0x20, 0x97, 0xd6, 0xd4, 0xd6, 0x25, 0x4c, 0xcb, 0x0e, 0x8f, + 0xdb, 0xf4, 0x23, 0x81, 0x23, 0x47, 0x7c, 0x24, 0x6d, 0x1e, 0x48, 0x6d, 0x17, 0x82, 0xf0, 0x02, + 0x5a, 0x0e, 0x42, 0x8c, 0x16, 0x1b, 0x45, 0x0d, 0xfb, 0x7b, 0x58, 0x14, 0xbf, 0x86, 0x6e, 0xe3, + 0x4d, 0x3c, 0x8d, 0x9c, 0x9f, 0x3d, 0x0f, 0x87, 0xbf, 0x9d, 0x82, 0xca, 0x73, 0xee, 0x4f, 0x57, + 0x5f, 0x01, 0x00, 0x00, 
0xff, 0xff, 0x4c, 0xcb, 0xa1, 0x3a, 0x3b, 0x02, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. diff --git a/pkg/test/echo/proto/echo.proto b/pkg/test/echo/proto/echo.proto index 1dd2e97777a..b117f492a40 100644 --- a/pkg/test/echo/proto/echo.proto +++ b/pkg/test/echo/proto/echo.proto @@ -41,6 +41,9 @@ message ForwardEchoRequest { string url = 4; repeated Header headers = 5; string message = 6; + // If non-empty, make the request with the corresponding cert and key. + string cert = 7; + string key = 8; } message ForwardEchoResponse { diff --git a/pkg/test/echo/server/endpoint/grpc.go b/pkg/test/echo/server/endpoint/grpc.go index f36de35df9b..cc73aada2fa 100644 --- a/pkg/test/echo/server/endpoint/grpc.go +++ b/pkg/test/echo/server/endpoint/grpc.go @@ -165,6 +165,7 @@ func (h *grpcHandler) Echo(ctx context.Context, req *proto.EchoRequest) (*proto. } func (h *grpcHandler) ForwardEcho(ctx context.Context, req *proto.ForwardEchoRequest) (*proto.ForwardEchoResponse, error) { + log.Infof("ForwardEcho[%s] request", req.Url) instance, err := forwarder.New(forwarder.Config{ Request: req, Dialer: h.Dialer, @@ -174,5 +175,7 @@ func (h *grpcHandler) ForwardEcho(ctx context.Context, req *proto.ForwardEchoReq return nil, err } - return instance.Run(ctx) + ret, err := instance.Run(ctx) + log.Infof("ForwardEcho[%s] response: %v and error %v", req.Url, ret.GetOutput(), err) + return ret, err } diff --git a/pkg/test/echo/server/forwarder/protocol.go b/pkg/test/echo/server/forwarder/protocol.go index a81f11a3c88..5b911d5d3c1 100644 --- a/pkg/test/echo/server/forwarder/protocol.go +++ b/pkg/test/echo/server/forwarder/protocol.go @@ -19,6 +19,9 @@ package forwarder import ( "context" "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" "fmt" "net" "net/http" 
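Review bot: In the `echo.proto` hunk, the comment on the new `cert` and `key` fields of `ForwardEchoRequest` does not say what format they carry or that `key` is private key material. The forwarder side of this patch passes both to `tls.X509KeyPair`, so they are presumably PEM strings. I would write `// PEM-encoded client certificate and private key; when both are non-empty the forwarded request presents them. The private key travels in this message, so never log the request as a whole.` The `grpc.go` hunks on this line log only `req.Url`, which already keeps the key out of the logs.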
@@ -26,12 +29,14 @@ import ( "time" "github.com/gorilla/websocket" + "google.golang.org/grpc/credentials" "google.golang.org/grpc" "istio.io/istio/pkg/test/echo/common" "istio.io/istio/pkg/test/echo/common/scheme" "istio.io/istio/pkg/test/echo/proto" + "istio.io/pkg/log" ) type request struct { @@ -69,13 +74,48 @@ func newProtocol(cfg Config) (protocol, error) { timeout := common.GetTimeout(cfg.Request) headers := common.GetHeaders(cfg.Request) + var getClientCertificate func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) + if cfg.Request.Cert != "" && cfg.Request.Key != "" { + cert, err := tls.X509KeyPair([]byte(cfg.Request.Cert), []byte(cfg.Request.Key)) + if err != nil { + return nil, fmt.Errorf("failed to parse x509 key pair: %v", err) + } + + for _, c := range cert.Certificate { + cert, err := x509.ParseCertificate(c) + if err != nil { + log.Errorf("Failed to parse client certificate: %v", err) + } + log.Debugf("Using client certificate [%s] issued by %s", cert.SerialNumber, cert.Issuer) + for _, uri := range cert.URIs { + log.Debugf(" URI SAN: %s", uri) + } + } + getClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { + log.Debugf("Peer asking for client certificate") + for i, ca := range info.AcceptableCAs { + x := &pkix.RDNSequence{} + if _, err := asn1.Unmarshal(ca, x); err != nil { + log.Errorf("Failed to decode AcceptableCA[%d]: %v", i, err) + } else { + name := &pkix.Name{} + name.FillFromRDNSequence(x) + log.Debugf(" AcceptableCA[%d]: %s", i, name) + } + } + + return &cert, nil + } + } + switch scheme.Instance(u.Scheme) { case scheme.HTTP, scheme.HTTPS: return &httpProtocol{ client: &http.Client{ Transport: &http.Transport{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, + GetClientCertificate: getClientCertificate, + InsecureSkipVerify: true, }, DialContext: httpDialContext, }, 
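Review bot: In the loop over `cert.Certificate` in `newProtocol`, a failed `x509.ParseCertificate` is only logged, and the next statement then dereferences the nil result (`cert.SerialNumber`, `cert.Issuer`), which would panic the forwarder on a malformed chain entry. Add `continue` after the `log.Errorf("Failed to parse client certificate: %v", err)` call. The loop-local `cert` also shadows the outer `tls.Certificate` that the closure later returns; naming it differently, `parsed, err := x509.ParseCertificate(c)`, makes it clear which value `return &cert, nil` refers to. `newProtocol` starts before and continues past this hunk.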
@@ -89,6 +129,13 @@ func newProtocol(cfg Config) (protocol, error) { // transport security security := grpc.WithInsecure() + if getClientCertificate != nil { + security = grpc.WithTransportCredentials(credentials.NewTLS( + &tls.Config{ + GetClientCertificate: getClientCertificate, + InsecureSkipVerify: true, + })) + } // Strip off the scheme from the address. address := rawURL[len(u.Scheme+"://"):] @@ -111,7 +158,8 @@ func newProtocol(cfg Config) (protocol, error) { case scheme.WebSocket: dialer := &websocket.Dialer{ TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, + GetClientCertificate: getClientCertificate, + InsecureSkipVerify: true, }, NetDial: wsDialContext, HandshakeTimeout: timeout, @@ -127,7 +175,17 @@ func newProtocol(cfg Config) (protocol, error) { defer cancel() address := rawURL[len(u.Scheme+"://"):] - tcpConn, err := cfg.Dialer.TCP(dialer, ctx, address) + + var tcpConn net.Conn + var err error + if getClientCertificate == nil { + tcpConn, err = cfg.Dialer.TCP(dialer, ctx, address) + } else { + tcpConn, err = tls.Dial("tcp", address, &tls.Config{ + GetClientCertificate: getClientCertificate, + InsecureSkipVerify: true, + }) + } if err != nil { return nil, err } diff --git a/pkg/test/framework/components/echo/call.go b/pkg/test/framework/components/echo/call.go index 8cce67cf99c..46e91085165 100644 --- a/pkg/test/framework/components/echo/call.go +++ b/pkg/test/framework/components/echo/call.go @@ -55,4 +55,8 @@ type CallOptions struct { // Message to be sent if this is a GRPC request Message string + + // Use the custom certificate to make the call. This is mostly used to make mTLS request directly + // (without proxy) from naked client to test certificates issued by custom CA instead of the Istio self-signed CA. + Cert, Key string } diff --git a/pkg/test/framework/components/echo/common/call.go b/pkg/test/framework/components/echo/common/call.go index e119d23f9a3..b369482b5c6 100644 --- a/pkg/test/framework/components/echo/common/call.go 
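Review bot: In the TCP branch (the `@@ -127,7 +175,17 @@` hunk), the client-certificate path calls `tls.Dial("tcp", address, ...)` and so bypasses `cfg.Dialer.TCP(dialer, ctx, address)`. Neither the context with its timeout nor the configured dialer applies to the TLS connection, so a stalled connect or handshake can hang the forwarder. If `dialer` is a `*net.Dialer` (its declaration is outside the hunk), `tls.DialWithDialer(dialer, "tcp", address, cfg)` keeps the timeout; otherwise wrap the connection returned by `cfg.Dialer.TCP` with `tls.Client` and set a deadline before the handshake. The same `tls.Config{GetClientCertificate: ..., InsecureSkipVerify: true}` literal is now repeated in the HTTP, gRPC, WebSocket and TCP branches and could be built once.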
+++ b/pkg/test/framework/components/echo/common/call.go @@ -78,6 +78,8 @@ func CallEcho(c *client.Instance, opts *echo.CallOptions, outboundPortSelector O Headers: protoHeaders, TimeoutMicros: common.DurationToMicros(opts.Timeout), Message: opts.Message, + Cert: opts.Cert, + Key: opts.Key, } resp, err := c.ForwardEcho(context.Background(), req) diff --git a/samples/certs/README.md b/samples/certs/README.md index 20bccfe0d1a..38621dfafd0 100644 --- a/samples/certs/README.md +++ b/samples/certs/README.md @@ -7,5 +7,14 @@ Instructions are available [here](https://istio.io/docs/tasks/security/cert-mana The included sample files are: - `root-cert.pem`: root CA certificate. -- `ca-cert.pem` and `ca-cert.key`: Citadel intermediate certificate and corresponding private key. +- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key. - `cert-chain.pem`: certificate trust chain. +- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`. +- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`. + +The workload cert and key are generated by: + +```shell script + ./generate-workload.sh foo + ./generate-workload.sh bar +``` diff --git a/samples/certs/generate-workload.sh b/samples/certs/generate-workload.sh new file mode 100644 index 00000000000..e2c608402cb --- /dev/null +++ b/samples/certs/generate-workload.sh 
@@ -0,0 +1,49 @@ +#!/bin/bash +# +# Copyright 2020 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name=${1:-foo} +san="spiffe://trust-domain-$name/ns/$name/sa/$name" + +openssl genrsa -out "workload-$name-key.pem" 2048 + +cat > workload.cfg <> "workload-$name-cert.pem" + +echo "Generated workload-$name-[cert|key].pem with URI SAN $san" +openssl verify -CAfile <(cat cert-chain.pem root-cert.pem) "workload-$name-cert.pem" + +# clean temporary files +rm ca-cert.srl workload.cfg workload.csr diff --git a/samples/certs/workload-bar-cert.pem b/samples/certs/workload-bar-cert.pem new file mode 100644 index 00000000000..c614ffc3854 --- /dev/null +++ b/samples/certs/workload-bar-cert.pem 
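Review bot: The script shows no `set -e` after the licence header, so if `openssl genrsa` or a later signing step fails it still prints "Generated …" and runs the final `rm`. Adding `set -euo pipefail` before `name=${1:-foo}` makes a failed step stop the run instead of leaving a partial or stale `workload-$name-cert.pem` behind. `workload-$name-key.pem` is also written with the default umask; `umask 077` near the top would keep a freshly generated private key from being group- or world-readable. The middle of the script (the `workload.cfg` heredoc and the signing commands) is not legible in this view, so these remarks cover only the visible lines.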
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUBn+v5JAoezzNx9s3Euvzlny0LWcwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIwMDgxNDIyMTA1M1oXDTMwMDgxMjIyMTA1M1owADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMD18u/U1ouLwc2VblyFQCDN7XdGODoLV2eYA3NQrzMv +0873zS5wbvte2eRc+MX9jnwg8rW+Won7KUaEzD62a9QZv5ilO1137YUBZrTgQIkO +bhOnmpJRmR3Cxck8ZTEBMFsM+xyGAGc8ptdGJjEuxifFJHT3IB0ibXsnYuHnzpj1 +totq3sIPTRSkjsSOnKpyaOfBFiAyDQ0Rnm4+O32cJ654l0Co6iRABTnO9vIq1Tjn +fQm6+F99w3Wvv9Ik8HxB4HBLZ3+qgXQIJOD+d5+z88OnsiEMYKO4XHy2D/OAh9ND +7i9lzr+wXLYb5H1+TcEJuHFTHQcsm5YCl/zFt4YHgX0CAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv +bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAGAWE6bLO4L8fDFg2hVCJ +G+8uTVVeO2H8wFiDOqB0xq9OCrzSp39cZsBZLj9KFBWx/V0PEAlcmGlgHozdGkVG +Z1/B+ukeRgALYBmHgOegoC2zHOz5qacqiRnV8Kijxa6nFyU0qbJCFVWs76DSZZDm +872SMmoURs2VrAQTWInbtWxR4tAyEdmecYOdHEIXQDc13LQSwu7TINLs7JnjKlv7 +xIv6TsOyAyx305DSK0htxYfgrvo4cc33JmDOtL81bHfyUfx2B8HKeDYTaDh+V01G +OesJNzqECzW6IMMFJey0f/4W7hbldpZmgXs8qa/g1CR8pCRs2eTWKTS336glXLCG +MA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/samples/certs/workload-bar-key.pem b/samples/certs/workload-bar-key.pem new file mode 100644 index 00000000000..bc11603b998 --- /dev/null +++ b/samples/certs/workload-bar-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwPXy79TWi4vBzZVuXIVAIM3td0Y4OgtXZ5gDc1CvMy/TzvfN +LnBu+17Z5Fz4xf2OfCDytb5aifspRoTMPrZr1Bm/mKU7XXfthQFmtOBAiQ5uE6ea +klGZHcLFyTxlMQEwWwz7HIYAZzym10YmMS7GJ8UkdPcgHSJteydi4efOmPW2i2re +wg9NFKSOxI6cqnJo58EWIDINDRGebj47fZwnrniXQKjqJEAFOc728irVOOd9Cbr4 +X33Dda+/0iTwfEHgcEtnf6qBdAgk4P53n7Pzw6eyIQxgo7hcfLYP84CH00PuL2XO +v7BcthvkfX5NwQm4cVMdByyblgKX/MW3hgeBfQIDAQABAoIBAQCKn6bZ2YQQWGTw +tsvEOA5sAsT4jT/To1Y1nCXOcEaNdWyrIacMF8YDXI8Y2hn200PLtTfojUoqGn/6 +o2jAHPm2NJFKrlnJumCuzuTkSL7UN8Oo5x3KxEhF8yl4eqUP4ZTFtLuqMDKV+CK8 +QS8q4jmFVMHuLaOqipMwiIknVgs8IvmQSZf3LBPOLRX9vcTtT0YnOAhFQjb3048s +Da+pDSsKesVkcsTx9aw4pUHWcLFuDHxZ1f0hAXcOfkzjzuBkQ0uoUxSIE+kcA2i0 +9vZB7fSqL/5zKrKooDSjW189WHd8wMEtmGZW6VDeH0fMuC+KWEVZnyjMrrlCMesJ +MismTSABAoGBAPD2XAf01iMy4Y84XtI4vku0uO+pseyhZ2nyqLJW2q3M0bXKFMiD +jiE7GlxBjynZFfU5R/H7QJ3rDwH4PpKyd13mgnlUImyLTUVaSbC3Bu0rJ+NFLtsQ +7OCxi4F3pOvOAWUL5WJc0gyqmSBywoGFuCT1x0wch2si1/XGUH973EwBAoGBAM0A +te01yywQ+X17fApIh/R+LLPkORecpDJgC3vTcMvuvC9Rq1HEC4S4b7X0SfrUzvCw +BO+J3KUMBJXHC2S4VsWBn/jHA8vJ1RD11gDVUV776WLxhXiBekwneFyFlNUukkTa +2bcnM3vtXZBl8z8Fhddfo5i9MR0Wh6jXF3HpemV9AoGAW1k6CHYkHBH0+sOnBtEm +KzMnDQxq/EcwGjU5COruWgcU1XL3sBBXeHecha8A5B99OIrvoGfc1kE/XkLLDfgE +Up/JhM+FgVrJ/2m8F/c68/xxUbJvkfL3qjMErR87cX2Wf8Ujv8dqhgzCok9/N3UH +G1PlqxABsnbyIiV9bOb63AECgYEAqbsd5YF1b026k3dK8uSsk/RnpKWf03ngxMia +mXIt4NsPugnfU3qCoudlrnvNSL0rfUHvRDibk5dIsI21VDX/udUiEwMLlI3OOBWi +ktwLXB4sVLxtaqGhFS5UzB3ZZUwC1LlyKt9tE/0qS2Ttqc8zymcn900lPdUqitNT +WQAbU60CgYBsR9gyXA4SXFjKmk5WKFhHlvTf87UfaOrPeeDE7zeEo2iVgjq9gSHw +7zBaiVvrwcSn3COszrPgtOUM+Vl/T7Z2QmPTteP2R8mKxOJk4BWQ5q/bhoc3sEH7 +EjR9twDPRg3V9xEKtcTiJhzm4TitKGYBH8FQ22B4X6mouVE8KfXkyA== +-----END RSA PRIVATE KEY----- diff --git a/samples/certs/workload-foo-cert.pem b/samples/certs/workload-foo-cert.pem new file mode 100644 index 00000000000..e3697421be5 --- /dev/null +++ b/samples/certs/workload-foo-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUKR+dap3TpKhxmpwtNLchLa7E4JEwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIwMDgxNDIyMTA0OVoXDTMwMDgxMjIyMTA0OVowADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAM3y5xVP1qYDsy4DSEG7eXhQEGL/XUbXOR1kTEXTAhAk +/Wo0YclowxRQuIyeXpLM+nRN2z0xDttkMRpI0m6Qb1vK43XtPkBieVm/tBSUyis+ +iBV6KBOhw7ionoAlyq6tOkwL2V3siMK5LvkpeeC7lJPJamaRN19LJcnWS214bcur +lq6g6+owQGb4BS4STqfiRkIciw7MHTN5vWQcNmWNT3ME19KNQGKLXPkJGJoNlq4P +98pIuO58k0mow8xESpmrJ1zOtMtUUDicXV67m8BV2xkn7YLDehfAyKsqMJjsdWB3 +LUlk/kFia9n/AwFz+3mMSPWe4OnRQGdtwUMuanknfSUCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v +bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAO3Rcr/CEnEieuKujrQ/j +ZrM5cjQckt/+NcpkXsTQaqpkARmUL23D/g3Cg3P9rfJVIfSIfN2509meX+ouDzIm +JWoFW3XVFLiev18aBBO6rmLaMMMKiVOZYAYzeM8Zt/3qH8mLxNq2CQYUL8EtAd7V +P1FVx6vauFqlyqPn2BWZO3CgdGyPwPRQkBUTrItcUI8OTgAFYd/Q5vQuLt82QIAl +givsPvGaKEWV02tpf8PfAZDgXrFkJLeFhFd0pgf7RSIdvShNdPyyz4r9/2CqEVmc +BRDyTw09OLceF0Mhi4HqcnzgVeLWvWT+yUo3FYf6kzeavK93CEdSU8c9OvQbyi9D +cQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/samples/certs/workload-foo-key.pem b/samples/certs/workload-foo-key.pem new file mode 100644 index 00000000000..bfad4d4cde4 --- /dev/null +++ b/samples/certs/workload-foo-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzfLnFU/WpgOzLgNIQbt5eFAQYv9dRtc5HWRMRdMCECT9ajRh +yWjDFFC4jJ5eksz6dE3bPTEO22QxGkjSbpBvW8rjde0+QGJ5Wb+0FJTKKz6IFXoo +E6HDuKiegCXKrq06TAvZXeyIwrku+Sl54LuUk8lqZpE3X0slydZLbXhty6uWrqDr +6jBAZvgFLhJOp+JGQhyLDswdM3m9ZBw2ZY1PcwTX0o1AYotc+QkYmg2Wrg/3yki4 +7nyTSajDzERKmasnXM60y1RQOJxdXrubwFXbGSftgsN6F8DIqyowmOx1YHctSWT+ +QWJr2f8DAXP7eYxI9Z7g6dFAZ23BQy5qeSd9JQIDAQABAoIBAQDLs7PpGnze284A +dvKjQYFWBSsQIDDsfrhZX/kpHxptSYj14TXPdzVtBKJlQ8ebP++B1fhBwCJH0gPX +UawB/A6JJlZxL+Vg3YXVxY2ixcBpoYIMbDTzpg7muLF9YuPkfiapTRcElY53u57A +h8urAx5kRtZc+MliEfwgdTtJ3dILnbXxGanKfi+nz9P5YuLkKzqIolbqu9ZxlJFD +/V4DKITA0IootE0OhCKP0GfeA6L9z3tH2OuEn/LXl2S8FbbFCeY4ji8FQBr2icSB +pXdee0gYIrvrU8G0eoE0ZV9bAGXkRhA3057HF9RqlAqhRc012s4ojbl/q4uINdWp +R+UiUecJAoGBAP4Pzo+NwS054kOgSYu+NMSi63j2OJD9aeHYJT6QwVYZurTMChxx +x283Da4qsCBGI37YjU5Ygd6DYc0T57GXfeka8tZQb5+v/ZvV1oIY+pVN5cp0xben +Ttm0qskF2H57TmPcH5atWkW7b5CjrSo7DYFtd6jKzzoAJ9uPH4DCM5ufAoGBAM+F +IRkSmzAPpiyPA1P7OlWy0vQLsNrFwZ59HOmovpQTgDLVW5Xbq+etEiAXmSvuxBU0 +OKiHMgGK2Pmg/vsM3mUVskrx+bDk+6GGM52feqa8N1rtxDTjamI5EHx29896jX/U +HGSW+8YYVZ/jbSSneY71AO1E2INsNEi1Ei5qWTC7AoGABOdnNEwnK2lPncCNSt48 +BIOkiewuwVWy4oIaje+bW78ZZH3/v/bOQ65LXE5EogrYio1BhP6eWx4sGBpHQZ1L +9+DmSQ66aNmryoNBJbe3toQPaG4Clv3qvrcHCORM/nwA0lqgXXcxI+FvUNpn8EW9 +h/8F7UMk5tiz7EAB+qlE978CgYAJBj8UOgzpoCSX13hLlKdKxsYJuuBsAyGSZNp3 +BtGS2u4+R6z97Vmib5JUNvKASJfaXDUCjy6LhqA86tVr0XlyZ+ki/TbgjHSs54sj +FaZdzd2SZLidnC4qK1UeNIY+TZQNtQmvDinQyYofs+IxL99HajwqFU5dGL2FU+qA +fjt2tQKBgQDrnpSRmAhhGcazmNVnzF8PVJGPwY4clGKB2jo6ru57tL0QRc/N+5pJ +8boLB7CqRpC0mHpijJLKkLoJ0oVoC9jsn3e8tfVuVqbO3AfwdB+nkABQVHRxRRGt +AlUeHXbjlY7OpemfK3smhLGBoOZKJVL7cKwyJc5MTPjcUgMwlwbW5w== +-----END RSA PRIVATE KEY----- diff --git a/tests/integration/security/ca_custom_root/main_test.go b/tests/integration/security/ca_custom_root/main_test.go new file mode 100644 index 00000000000..4f64a2ea400 --- /dev/null +++ b/tests/integration/security/ca_custom_root/main_test.go 
@@ -0,0 +1,66 @@
+// Copyright 2020 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// cacustomroot creates cluster with custom plugin root CA (samples/cert/ca-cert.pem)
+// instead of using the auto-generated self-signed root CA.
+package cacustomroot
+
+import (
+ "testing"
+
+ "istio.io/istio/pkg/test/framework"
+ "istio.io/istio/pkg/test/framework/components/galley"
+ "istio.io/istio/pkg/test/framework/components/istio"
+ "istio.io/istio/pkg/test/framework/label"
+ "istio.io/istio/pkg/test/framework/resource"
+ "istio.io/istio/pkg/test/framework/resource/environment"
+ "istio.io/istio/tests/integration/security/util/cert"
+)
+
+var (
+ g galley.Instance
+ inst istio.Instance
+)
+
+func TestMain(m *testing.M) {
+ framework.
+ NewSuite("ca_custom_root", m).
+ // k8s is required because the plugin CA key and certificate are stored in a k8s secret.
+ RequireEnvironment(environment.Kube).
+ RequireSingleCluster().
+ Label(label.CustomSetup).
+ Setup(func(ctx resource.Context) (err error) {
+ if g, err = galley.New(ctx, galley.Config{}); err != nil {
+ return err
+ }
+ return nil
+ }).
+ SetupOnEnv(environment.Kube, istio.Setup(&inst, setupConfig, cert.CreateCASecret)).
+ Run()
+}
+
+func setupConfig(cfg *istio.Config) {
+ if cfg == nil {
+ return
+ }
+ cfg.ControlPlaneValues = `
+components:
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
+values:
+ meshConfig:
+ trustDomainAliases: [some-other, trust-domain-foo]
+`
+}
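Review bot: The package comment points at `samples/cert/ca-cert.pem`, but the sibling test added in this commit reads its fixtures from `samples/certs`, so the path looks misspelled; the comment also does not start with "Package cacustomroot" as Go doc comments conventionally do. Suggested wording: `// Package cacustomroot tests a cluster that uses the custom plugin root CA (samples/certs/ca-cert.pem)`. In `setupConfig`, a one-line comment above `cfg.ControlPlaneValues` noting that `trust-domain-bar` is deliberately absent from `trustDomainAliases` would make the allow/deny expectations of the trust-domain test easier to follow.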
diff --git a/tests/integration/security/ca_custom_root/trust_domain_validation_test.go b/tests/integration/security/ca_custom_root/trust_domain_validation_test.go new file mode 100644 index 00000000000..b7fea4fdcbb --- /dev/null +++ b/tests/integration/security/ca_custom_root/trust_domain_validation_test.go 
@@ -0,0 +1,267 @@ +// Copyright 2020 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cacustomroot + +import ( + "context" + "fmt" + "io/ioutil" + "path" + "strings" + "testing" + "time" + + "istio.io/istio/pkg/config/protocol" + "istio.io/istio/pkg/test" + client2 "istio.io/istio/pkg/test/echo/client" + "istio.io/istio/pkg/test/echo/common/scheme" + epb "istio.io/istio/pkg/test/echo/proto" + "istio.io/istio/pkg/test/env" + "istio.io/istio/pkg/test/framework" + "istio.io/istio/pkg/test/framework/components/echo" + "istio.io/istio/pkg/test/framework/components/echo/echoboot" + "istio.io/istio/pkg/test/framework/components/namespace" + "istio.io/istio/pkg/test/util/retry" +) + +const ( + httpPlaintext = "http-plaintext" + httpMTLS = "http-mtls" + tcpPlaintext = "tcp-plaintext" + tcpMTLS = "tcp-mtls" + passThrough = "tcp-mtls-pass-through" + + // policy to enable mTLS in client and server: + // ports with plaintext: 8090 (http) and 8092 (tcp) + // ports with mTLS: 8091 (http), 8093 (tcp) and 9000 (tcp passthrough). 
+ policy = ` +apiVersion: "security.istio.io/v1beta1" +kind: "PeerAuthentication" +metadata: + name: "mtls" +spec: + selector: + matchLabels: + app: server + mtls: + mode: STRICT + portLevelMtls: + 8090: + mode: DISABLE + 8092: + mode: DISABLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: server +spec: + host: server.%s.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + portLevelSettings: + - port: + number: 8090 + tls: + mode: DISABLE + - port: + number: 8092 + tls: + mode: DISABLE +` +) + +// TestTrustDomainValidation tests the trust domain validation when mTLS is enabled. +// The trust domain validation should reject a request if it's not from the trust domains configured in the mesh config. +// The test uses naked client (no sidecar) with custom certificates of different trust domains and covers the following: +// - plaintext requests are not affected +// - same trust domain (cluster.local) and aliases (trust-domain-foo and trust-domain-bar) +// - works for both HTTP and TCP protocol +// - works for pass through filter chains +func TestTrustDomainValidation(t *testing.T) { + framework.NewTest(t).Run( + func(ctx framework.TestContext) { + testNS := namespace.NewOrFail(t, ctx, namespace.Config{ + Prefix: "trust-domain-validation", + Inject: true, + }) + + // Deploy 3 workloads: + // naked: only test app without sidecar, send requests from trust domain aliases + // client: app with sidecar, send request from cluster.local + // server: app with sidecar, verify requests from cluster.local or trust domain aliases + var naked, client, server echo.Instance + echoboot.NewBuilderOrFail(t, ctx). + With(&naked, echo.Config{ + Namespace: testNS, + Service: "naked", + Subsets: []echo.SubsetConfig{ + { + Annotations: echo.NewAnnotations().SetBool(echo.SidecarInject, false), + }, + }, + }). + With(&client, echo.Config{ + Namespace: testNS, + Service: "client", + }). 
+ With(&server, echo.Config{ + Subsets: []echo.SubsetConfig{{}}, + Namespace: testNS, + Service: "server", + ServiceAccount: true, + Ports: []echo.Port{ + { + Name: httpPlaintext, + Protocol: protocol.HTTP, + ServicePort: 8090, + InstancePort: 8090, + }, + { + Name: httpMTLS, + Protocol: protocol.HTTP, + ServicePort: 8091, + InstancePort: 8091, + }, + { + Name: tcpPlaintext, + Protocol: protocol.TCP, + ServicePort: 8092, + InstancePort: 8092, + }, + { + Name: tcpMTLS, + Protocol: protocol.TCP, + ServicePort: 8093, + InstancePort: 8093, + }, + }, + WorkloadOnlyPorts: []echo.WorkloadPort{ + { + Port: 9000, + Protocol: protocol.TCP, + }, + }, + }). + BuildOrFail(t) + + g.ApplyConfigOrFail(t, testNS, fmt.Sprintf(policy, testNS.Name())) + + trustDomains := map[string]struct { + cert string + key string + }{ + "foo": { + cert: readFile(ctx, "workload-foo-cert.pem"), + key: readFile(ctx, "workload-foo-key.pem"), + }, + "bar": { + cert: readFile(ctx, "workload-bar-cert.pem"), + key: readFile(ctx, "workload-bar-key.pem"), + }, + } + + verify := func(t *testing.T, from echo.Instance, td, port string, s scheme.Instance, allow bool) { + t.Helper() + want := "allow" + if !allow { + want = "deny" + } + name := fmt.Sprintf("%s[%s]->server:%s[%s]", from.Config().Service, td, port, want) + t.Run(name, func(t *testing.T) { + t.Helper() + opt := echo.CallOptions{ + Target: server, + PortName: port, + Host: "server", + Scheme: s, + Cert: trustDomains[td].cert, + Key: trustDomains[td].key, + } + retry.UntilSuccessOrFail(t, func() error { + var resp client2.ParsedResponses + var err error + if port == passThrough { + // Manually make the request for pass through port. 
+ resp, err = workload(t, from).ForwardEcho(context.TODO(), &epb.ForwardEchoRequest{ + Url: fmt.Sprintf("tcp://%s:9000", workload(t, server).Address()), + Count: 1, + Cert: trustDomains[td].cert, + Key: trustDomains[td].key, + }) + } else { + resp, err = from.Call(opt) + } + if allow { + if err != nil { + return fmt.Errorf("want allow but got error: %v", err) + } else if err := resp.CheckOK(); err != nil { + return fmt.Errorf("want allow but got %v: %v", resp, err) + } + } else { + if err == nil { + return fmt.Errorf("want deny but got allow: %v", resp) + } + // Look up for the specific "tls: unknown certificate" error when trust domain validation failed. + if tlsErr := "tls: unknown certificate"; !strings.Contains(err.Error(), tlsErr) { + return fmt.Errorf("want error %q but got %v", tlsErr, err) + } + } + return nil + }, retry.Delay(250*time.Millisecond), retry.Timeout(30*time.Second), retry.Converge(5)) + }) + } + + // Request using plaintext should always allowed. + verify(t, client, "plaintext", httpPlaintext, scheme.HTTP, true) + verify(t, client, "plaintext", tcpPlaintext, scheme.TCP, true) + verify(t, naked, "plaintext", httpPlaintext, scheme.HTTP, true) + verify(t, naked, "plaintext", tcpPlaintext, scheme.TCP, true) + + // Request from local trust domain should always allowed. + verify(t, client, "cluster.local", httpMTLS, scheme.HTTP, true) + verify(t, client, "cluster.local", tcpMTLS, scheme.TCP, true) + + // Trust domain foo is added as trust domain alias. + // Request from trust domain bar should be denied. + // Request from trust domain foo should be allowed. 
+ verify(t, naked, "bar", httpMTLS, scheme.HTTPS, false) + verify(t, naked, "bar", tcpMTLS, scheme.TCP, false) + verify(t, naked, "bar", passThrough, scheme.TCP, false) + verify(t, naked, "foo", httpMTLS, scheme.HTTPS, true) + verify(t, naked, "foo", tcpMTLS, scheme.TCP, true) + verify(t, naked, "foo", passThrough, scheme.TCP, true) + }) +} + +func readFile(t test.Failer, name string) string { + data, err := ioutil.ReadFile(path.Join(env.IstioSrc, "samples/certs", name)) + if err != nil { + t.Fatal(err) + } + return string(data) +} + +func workload(t *testing.T, from echo.Instance) echo.Workload { + workloads, err := from.Workloads() + if err != nil { + t.Fatalf("failed to get worklaods: %v", err) + } + if len(workloads) < 1 { + t.Fatalf("got 0 workloads") + } + return workloads[0] +} diff --git a/tests/integration/security/util/cert/cert.go b/tests/integration/security/util/cert/cert.go index a93ea8e3441..fbf37f33422 100644 --- a/tests/integration/security/util/cert/cert.go +++ b/tests/integration/security/util/cert/cert.go @@ -103,8 +103,8 @@ func CreateCASecret(ctx resource.Context) error { }, } - err = kubeAccessor.CreateSecret(systemNs.Name(), secret) - if err != nil { + _ = kubeAccessor.DeleteSecret(systemNs.Name(), name) + if err := kubeAccessor.CreateSecret(systemNs.Name(), secret); err != nil { return err } From a613b6cc0726a73da8317bda18617451e443e1eb Mon Sep 17 00:00:00 2001 From: williamaronli <64571891+williamaronli@users.noreply.github.com> Date: Mon, 31 Aug 2020 08:39:21 -0700 Subject: [PATCH 46/82] add outputOutputKeyCertToDir to enable workload load from the file cert (#26897) Change-Id: I447dc3a7be70ad1086e30fdd7edbe0e31507bf3a --- pkg/istio-agent/sds-agent.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/istio-agent/sds-agent.go b/pkg/istio-agent/sds-agent.go index f64ddd47a51..c39244e8c9e 100644 --- a/pkg/istio-agent/sds-agent.go +++ b/pkg/istio-agent/sds-agent.go 
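Review bot: The doc comment on `TestTrustDomainValidation` names `trust-domain-bar` as an accepted alias, but main_test.go configures `trustDomainAliases: [some-other, trust-domain-foo]` and the assertions at the end of this function expect every `bar` request to be denied. Because this test pins an authentication boundary, the comment should state it exactly, e.g. `//   - same trust domain (cluster.local) and alias (trust-domain-foo) are allowed; trust-domain-bar is denied`. The deny branch of `verify` only passes when the error text contains `tls: unknown certificate`, so a comment saying which component produces that string would help when a TLS stack change alters it. In `workload`, the failure message misspells "workloads" (`"failed to get worklaods: %v"`) and the helper could call `t.Helper()` so failures are attributed to the caller.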
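Review bot: The error from `kubeAccessor.DeleteSecret(systemNs.Name(), name)` is discarded with `_ =` and nothing explains why. A comment such as `// Best-effort: remove a CA secret left by an earlier suite; the error is ignored because the secret usually does not exist.` would record the intent. If the delete is not synchronous (not visible here), `CreateSecret` can still fail on an existing secret, though that error is at least returned. `CreateCASecret` begins and ends outside this hunk.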
@@ -354,6 +354,7 @@ func (sa *SDSAgent) newSecretCache(serverOptions sds.Options) (workloadSecretCac var err error workloadSdsCacheOptions.Plugins = sds.NewPlugins(serverOptions.PluginNames) + workloadSdsCacheOptions.OutputKeyCertToDir = serverOptions.OutputKeyCertToDir workloadSecretCache = cache.NewSecretCache(fetcher, sds.NotifyProxy, workloadSdsCacheOptions) sa.WorkloadSecrets = workloadSecretCache @@ -481,7 +482,6 @@ func (sa *SDSAgent) newSecretCache(serverOptions sds.Options) (workloadSecretCac workloadSdsCacheOptions.TrustDomain = serverOptions.TrustDomain workloadSdsCacheOptions.Pkcs8Keys = serverOptions.Pkcs8Keys - workloadSdsCacheOptions.OutputKeyCertToDir = serverOptions.OutputKeyCertToDir return } From 9b6fb059bb19b531797040c8fd2d01707a3a49e2 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Mon, 31 Aug 2020 09:39:11 -0700 Subject: [PATCH 47/82] Fix ledger capacity size (#26670) 10^5 == 15 (xor) not 10 to the 5th power Co-authored-by: John Howard --- pilot/pkg/status/reporter.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pilot/pkg/status/reporter.go b/pilot/pkg/status/reporter.go index def34393b28..bc60423e1e2 100644 --- a/pilot/pkg/status/reporter.go +++ b/pilot/pkg/status/reporter.go @@ -80,7 +80,7 @@ func (r *Reporter) Start(clientSet kubernetes.Interface, namespace string, store if r.UpdateInterval == 0 { r.UpdateInterval = 500 * time.Millisecond } - r.distributionEventQueue = make(chan distributionEvent, 10^5) + r.distributionEventQueue = make(chan distributionEvent, 100_000) r.status = make(map[string]string) r.reverseStatus = make(map[string][]string) r.inProgressResources = make(map[string]*inProgressEntry) From 4e92d484b9fc449706a29bc41d6ee1bc3bd0bea3 Mon Sep 17 00:00:00 2001 From: John Howard Date: Mon, 31 Aug 2020 10:28:44 -0700 Subject: [PATCH 48/82] Bump 1.6 image (#26934) --- Makefile.core.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
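Review bot: `TrustDomain` and `Pkcs8Keys` are still assigned to `workloadSdsCacheOptions` at the end of `newSecretCache` (second hunk), after `cache.NewSecretCache(fetcher, sds.NotifyProxy, workloadSdsCacheOptions)` in the first hunk has already consumed the options. If the constructor copies the struct, which the need for this fix suggests, those two settings presumably never reach the workload cache either; worth confirming and moving them up beside the new line. Judging by its name, `OutputKeyCertToDir` controls writing key and certificate material to a directory, so a comment such as `// must be set before NewSecretCache, which reads the options at construction` would keep the ordering from regressing. The code between the two hunks is not visible.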
diff --git a/Makefile.core.mk b/Makefile.core.mk index fbc90591d96..dffe0e83fd8 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail VERSION ?= 1.6-dev # Base version of Istio image to use -BASE_VERSION ?= 1.6-dev.6 +BASE_VERSION ?= 1.6-dev.7 export GO111MODULE ?= on export GOPROXY ?= https://proxy.golang.org From 7c41afd1d5f82e86e502d3a6b034be2e3b46a5c2 Mon Sep 17 00:00:00 2001 From: Steven Landow Date: Wed, 2 Sep 2020 12:45:49 -0700 Subject: [PATCH 49/82] [release-1.6] manual cherry-pick of #26899 (#27002) --- .../serviceregistry/kube/controller/controller.go | 15 +++++++++++++++ .../kube/controller/multicluster.go | 6 +++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index 4c7557110f2..47fa8bfe809 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go @@ -182,6 +182,7 @@ type Controller struct { metadataClient metadata.Interface queue queue.Instance services cache.SharedIndexInformer + serviceLister listerv1.ServiceLister endpoints kubeEndpointsController nodeMetadataInformer cache.SharedIndexInformer @@ -247,6 +248,7 @@ func NewController(client kubernetes.Interface, metadataClient metadata.Interfac sharedInformers := informers.NewSharedInformerFactoryWithOptions(client, options.ResyncPeriod, informers.WithNamespace(options.WatchedNamespace)) c.services = sharedInformers.Core().V1().Services().Informer() + c.serviceLister = sharedInformers.Core().V1().Services().Lister() registerHandlers(c.services, c.queue, "Services", c.onServiceEvent) switch options.EndpointMode { 
@@ -297,6 +299,19 @@ func (c *Controller) checkReadyForEvents() error { return nil } +func (c *Controller) Cleanup() error { + svcs, err := c.serviceLister.List(klabels.NewSelector()) + if err != nil { + return fmt.Errorf("error listing services for deletion: %v", err) + } + for _, s := range svcs { + name := kube.ServiceHostname(s.Namespace, s.Namespace, c.domainSuffix) + c.xdsUpdater.SvcUpdate(c.clusterID, string(name), s.Namespace, model.EventDelete) + // TODO(landow) do we need to notify service handlers? + } + return nil +} + func (c *Controller) onServiceEvent(curr interface{}, event model.Event) error { if err := c.checkReadyForEvents(); err != nil { return err diff --git a/pilot/pkg/serviceregistry/kube/controller/multicluster.go b/pilot/pkg/serviceregistry/kube/controller/multicluster.go index acb5684a6ca..bedc4ee85b9 100644 --- a/pilot/pkg/serviceregistry/kube/controller/multicluster.go +++ b/pilot/pkg/serviceregistry/kube/controller/multicluster.go @@ -167,10 +167,14 @@ func (m *Multicluster) DeleteMemberCluster(clusterID string) error { m.m.Lock() defer m.m.Unlock() m.serviceController.DeleteRegistry(clusterID) - if _, ok := m.remoteKubeControllers[clusterID]; !ok { + kc, ok := m.remoteKubeControllers[clusterID] + if !ok { log.Infof("cluster %s does not exist, maybe caused by invalid kubeconfig", clusterID) return nil } + if err := kc.Cleanup(); err != nil { + log.Warnf("failed cleaning up services in %s: %v", clusterID, err) + } close(m.remoteKubeControllers[clusterID].stopCh) delete(m.remoteKubeControllers, clusterID) if m.XDSUpdater != nil { From f836be93afc68fee73bffe1badd06d43703f538d Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Thu, 3 Sep 2020 09:27:14 +0800 Subject: [PATCH 50/82] Fix bug: service occur later than endpoint (#26986) --- .../kube/controller/controller.go | 22 +------------------ .../kube/controller/endpointslice.go | 19 ---------------- 2 files changed, 1 insertion(+), 40 deletions(-) 
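Review bot: In the new `Cleanup`, the hostname is built with `kube.ServiceHostname(s.Namespace, s.Namespace, c.domainSuffix)`, passing the namespace twice; other call sites in this file pass the object name first, e.g. `kube.ServiceHostname(ep.Name, ep.Namespace, c.domainSuffix)`. As written, the `model.EventDelete` updates are presumably sent for hostnames that match no registered service, so the services of a removed cluster would stay in the xDS state and could keep receiving traffic. The line should read `name := kube.ServiceHostname(s.Name, s.Namespace, c.domainSuffix)`. The exported method also needs a doc comment, e.g. `// Cleanup sends a delete update for every service returned by this controller's lister.`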
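Review bot: After the lookup became `kc, ok := m.remoteKubeControllers[clusterID]`, the following context line `close(m.remoteKubeControllers[clusterID].stopCh)` still indexes the map a second time; `close(kc.stopCh)` says the same thing more directly. A failing `kc.Cleanup()` is only logged with `log.Warnf` and the deletion continues, so a short comment that this is intentional best-effort behaviour would help the next reader. `DeleteMemberCluster` continues past the end of the hunk.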
diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index 47fa8bfe809..59c49d222ec 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go @@ -197,8 +197,7 @@ type Controller struct { domainSuffix string clusterID string - serviceHandlers []func(*model.Service, model.Event) - instanceHandlers []func(*model.ServiceInstance, model.Event) + serviceHandlers []func(*model.Service, model.Event) // This is only used for test stop chan struct{} @@ -1035,7 +1034,6 @@ func (c *Controller) AppendServiceHandler(f func(*model.Service, model.Event)) e // AppendInstanceHandler implements a service catalog operation func (c *Controller) AppendInstanceHandler(f func(*model.ServiceInstance, model.Event)) error { - c.instanceHandlers = append(c.instanceHandlers, f) return nil } @@ -1076,14 +1074,6 @@ func getPod(c *Controller, ip string, ep *metav1.ObjectMeta, targetRef *v1.Objec func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event, epc *endpointsController) { hostname := kube.ServiceHostname(ep.Name, ep.Namespace, c.domainSuffix) - - c.RLock() - svc := c.servicesMap[hostname] - c.RUnlock() - if svc == nil { - log.Infof("Handle EDS endpoints: skip updating, service %s/%s has not been populated", ep.Name, ep.Namespace) - return - } endpoints := make([]*model.IstioEndpoint, 0) if event != model.EventDelete { for _, ss := range ep.Subsets { 
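Review bot: With the append removed in the `@@ -1035,7 +1034,6 @@` hunk, `AppendInstanceHandler` discards `f` and returns nil, so a caller that registers an instance handler gets neither callbacks nor an error. The doc comment still says only "implements a service catalog operation"; it should state the new contract, for example `// AppendInstanceHandler is a no-op: this controller does not invoke instance handlers, endpoint changes go through xdsUpdater.EDSUpdate.` Declaring the parameter as `_ func(*model.ServiceInstance, model.Event)` would show the same thing in the signature.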
@@ -1110,16 +1100,6 @@ func (c *Controller) updateEDS(ep *v1.Endpoints, event model.Event, epc *endpoin log.Debugf("Handle EDS: %d endpoints for %s in namespace %s", len(endpoints), ep.Name, ep.Namespace) _ = c.xdsUpdater.EDSUpdate(c.clusterID, string(hostname), ep.Namespace, endpoints) - for _, handler := range c.instanceHandlers { - for _, ep := range endpoints { - si := &model.ServiceInstance{ - Service: svc, - ServicePort: nil, - Endpoint: ep, - } - handler(si, event) - } - } } // namedRangerEntry for holding network's CIDR and name diff --git a/pilot/pkg/serviceregistry/kube/controller/endpointslice.go b/pilot/pkg/serviceregistry/kube/controller/endpointslice.go index 2beaa055109..bdfdc8f4035 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpointslice.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpointslice.go @@ -60,15 +60,6 @@ func (esc *endpointSliceController) updateEDS(es interface{}, event model.Event) svcName := slice.Labels[discoveryv1alpha1.LabelServiceName] hostname := kube.ServiceHostname(svcName, slice.Namespace, esc.c.domainSuffix) - esc.c.RLock() - svc := esc.c.servicesMap[hostname] - esc.c.RUnlock() - - if svc == nil { - log.Infof("Handle EDS endpoint: skip updating, service %s/%s has mot been populated", svcName, slice.Namespace) - return - } - endpoints := make([]*model.IstioEndpoint, 0) if event != model.EventDelete { for _, e := range slice.Endpoints { 
@@ -109,16 +100,6 @@ func (esc *endpointSliceController) updateEDS(es interface{}, event model.Event) log.Debugf("Handle EDS endpoint %s in namespace %s", svcName, slice.Namespace) _ = esc.c.xdsUpdater.EDSUpdate(esc.c.clusterID, string(hostname), slice.Namespace, esc.endpointCache.Get(hostname)) - for _, handler := range esc.c.instanceHandlers { - for _, ep := range endpoints { - si := &model.ServiceInstance{ - Service: svc, - ServicePort: nil, - Endpoint: ep, - } - handler(si, event) - } - } } func (esc *endpointSliceController) onEvent(curr interface{}, event model.Event) error { From 6b4199d7f1330ad476c6c9c0bfab96a0ce67ebd1 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Wed, 2 Sep 2020 19:45:32 -0700 Subject: [PATCH 51/82] add update permission to servicemonitor. (#26996) Co-authored-by: morvencao --- manifests/charts/istio-operator/templates/clusterrole.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/charts/istio-operator/templates/clusterrole.yaml b/manifests/charts/istio-operator/templates/clusterrole.yaml index 53be806ea8d..d02da88de84 100644 --- a/manifests/charts/istio-operator/templates/clusterrole.yaml +++ b/manifests/charts/istio-operator/templates/clusterrole.yaml @@ -81,6 +81,7 @@ rules: verbs: - get - create + - update - apiGroups: - policy resources: From b768921e3504b03a81feb533c621c44caef6700a Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Thu, 10 Sep 2020 05:56:25 +0800 Subject: [PATCH 52/82] Fix eds: gateways missing endpoint instances of headless service (#27121) --- .../serviceregistry/kube/controller/endpointsdiscovery.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go b/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go index 8550c7033b6..a94d676a592 100644 --- a/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go +++ b/pilot/pkg/serviceregistry/kube/controller/endpointsdiscovery.go 
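Review bot: The added `- update` verb in clusterrole.yaml widens a ClusterRole rule whose `apiGroups` and `resources` sit above the hunk, so the scope of the grant cannot be checked from these lines; the commit title indicates it is the ServiceMonitor rule. A YAML comment next to the verb, such as `# update: required to reconcile ServiceMonitor objects that already exist`, would record why the operator needs more than `get` and `create` and makes later least-privilege reviews easier.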
@@ -61,8 +61,10 @@ func (e *kubeEndpoints) Run(stopCh <-chan struct{}) { // handleEvent processes the event. func (e *kubeEndpoints) handleEvent(name string, namespace string, event model.Event, ep interface{}, fn updateEdsFunc) error { log.Debugf("Handle event %s for endpoint %s in namespace %s", event, name, namespace) + // Update internal endpoint cache no matter what kind of service, even headless service. + // As for gateways, the cluster discovery type is `EDS` for headless service. + fn(ep, event) - // headless service cluster discovery type is ORIGINAL_DST, we do not need update EDS. if features.EnableHeadlessService { if obj, _, _ := e.c.services.GetIndexer().GetByKey(kube.KeyFunc(name, namespace)); obj != nil { svc := obj.(*v1.Service) @@ -83,7 +85,5 @@ func (e *kubeEndpoints) handleEvent(name string, namespace string, event model.E } } - fn(ep, event) - return nil } From 1e8dba509b64d435d48f501db427e7b0daed09d7 Mon Sep 17 00:00:00 2001 From: Nupur Garg <37600866+gargnupur@users.noreply.github.com> Date: Thu, 10 Sep 2020 08:56:35 -0700 Subject: [PATCH 53/82] Add quotes in log sampling config and add it in the stackdriver test (#27007) (#27214) Signed-off-by: gargnupur --- .../istio-discovery/templates/telemetryv2_1.6.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.6.yaml b/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.6.yaml index 55483219819..8fdc7c4c908 100644 --- a/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.6.yaml +++ b/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.6.yaml @@ -570,7 +570,7 @@ spec: config: configuration: | { - "log_window_duration": {{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }} + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" } vm_config: runtime: envoy.wasm.runtime.null 
From 60354fff9683096be9eee33363cd1c2e6e5abc9a Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Sat, 12 Sep 2020 00:49:37 -0700 Subject: [PATCH 54/82] cache envoy readiness value (#27269) Signed-off-by: Rama Chavali Co-authored-by: Rama Chavali --- pilot/cmd/pilot-agent/status/ready/probe.go | 39 +++++++------------ .../pilot-agent/status/ready/probe_test.go | 13 +------ 2 files changed, 16 insertions(+), 36 deletions(-) diff --git a/pilot/cmd/pilot-agent/status/ready/probe.go b/pilot/cmd/pilot-agent/status/ready/probe.go index 03e8cd2cd0f..3f7d2670602 100644 --- a/pilot/cmd/pilot-agent/status/ready/probe.go +++ b/pilot/cmd/pilot-agent/status/ready/probe.go @@ -16,7 +16,6 @@ package ready import ( "fmt" - "time" admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3" @@ -24,23 +23,14 @@ import ( "istio.io/istio/pilot/pkg/model" ) -var ( - // readinessTTL is the TTL for cached readiness values. - readinessTTL = 60 * time.Second -) - // Probe for readiness. type Probe struct { LocalHostAddr string NodeType model.NodeType AdminPort uint16 receivedFirstUpdate bool - lastUpdateTime time.Time // Indicates that Envoy is ready atleast once so that we can cache and reuse that probe. - // If after TTL, Envoy becomes unready, we will reset this flag so that we continuously - // check Envoy till it becomes ready. atleastOnceReady bool - readyError error } // Check executes the probe and returns an error if the probe fails. 
@@ -75,22 +65,21 @@ func (p *Probe) checkConfigStatus() error { // isEnvoyReady checks to ensure that Envoy is in the LIVE state and workers have started. func (p *Probe) isEnvoyReady() error { - // Execute the stats query on Envoy if atleast readinessTTL has expired or - // Envoy is not ready at least once. After Envoy is ready for the first time, - // we return cached value to avoid frequent executions of stats query till - // cached TTL is reached. - if !p.atleastOnceReady || time.Since(p.lastUpdateTime) >= readinessTTL { - p.readyError = checkEnvoyStats(p.LocalHostAddr, p.AdminPort) - if p.readyError == nil && !p.atleastOnceReady { - p.atleastOnceReady = true - } - // If readiness fails, we should keep checking. - if p.readyError != nil { - p.atleastOnceReady = false - } - p.lastUpdateTime = time.Now() + // If Envoy is ready atleast once i.e. server state is LIVE and workers + // have started, they will not go back in the life time of Envoy process. + // They will only change at hot restart or health check fails. Since Istio + // does not use both of them, it is safe to cache this value. Since the + // actual readiness probe goes via Envoy it ensures that Envoy is actively + // serving traffic and we can rely on that. + if p.atleastOnceReady { + return nil + } + + err := checkEnvoyStats(p.LocalHostAddr, p.AdminPort) + if err == nil { + p.atleastOnceReady = true } - return p.readyError + return err } // checkEnvoyStats actually executes the Stats Query on Envoy admin endpoint. diff --git a/pilot/cmd/pilot-agent/status/ready/probe_test.go b/pilot/cmd/pilot-agent/status/ready/probe_test.go index 9fa7d23afb7..9c10d182dc4 100644 --- a/pilot/cmd/pilot-agent/status/ready/probe_test.go +++ b/pilot/cmd/pilot-agent/status/ready/probe_test.go @@ -19,7 +19,6 @@ import ( "net/http" "net/http/httptest" "testing" - "time" . "github.com/onsi/gomega" ) 
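Review bot: `atleastOnceReady` is now a one-way latch: after the first successful `checkEnvoyStats`, `isEnvoyReady` returns nil for the lifetime of the `Probe` without querying the admin endpoint again, which the updated `TestEnvoyReadinessCache` confirms. The field comment kept in the struct hunk should say so, e.g. `// atleastOnceReady is set after the first successful stats check and is never reset.` If `Check` can be reached from concurrent probe requests (not visible here), the unsynchronised read and write of this bool is a data race, and an `atomic` flag or a mutex would be the guard.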
@@ -146,7 +145,6 @@ func TestEnvoyNoServerStats(t *testing.T) { } func TestEnvoyReadinessCache(t *testing.T) { - readinessTTL = 1 * time.Second g := NewWithT(t) server := createAndStartServer(noServerStats) @@ -154,7 +152,6 @@ func TestEnvoyReadinessCache(t *testing.T) { err := probe.Check() g.Expect(err).To(HaveOccurred()) g.Expect(probe.atleastOnceReady).Should(BeFalse()) - g.Expect(probe.readyError).To(BeNil()) err = probe.Check() g.Expect(err).To(HaveOccurred()) g.Expect(probe.atleastOnceReady).Should(BeFalse()) @@ -164,23 +161,17 @@ func TestEnvoyReadinessCache(t *testing.T) { err = probe.Check() g.Expect(err).NotTo(HaveOccurred()) g.Expect(probe.atleastOnceReady).Should(BeTrue()) - g.Expect(probe.readyError).To(BeNil()) server.Close() - time.Sleep(2 * time.Second) server = createAndStartServer(noServerStats) err = probe.Check() - g.Expect(err).To(HaveOccurred()) - g.Expect(probe.atleastOnceReady).Should(BeFalse()) - g.Expect(probe.readyError).NotTo(BeNil()) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(probe.atleastOnceReady).Should(BeTrue()) server.Close() - server = createAndStartServer(liveServerStats) err = probe.Check() g.Expect(err).NotTo(HaveOccurred()) g.Expect(probe.atleastOnceReady).Should(BeTrue()) - g.Expect(probe.readyError).To(BeNil()) - server.Close() } func createDefaultFuncMap(statsToReturn string) map[string]func(rw http.ResponseWriter, _ *http.Request) { From e16c200e48a3a4f08cb7eeb473b1d6a0c92ba35f Mon Sep 17 00:00:00 2001 
From: Pengyuan Bian Date: Mon, 14 Sep 2020 07:38:10 -0700 Subject: [PATCH 55/82] =?UTF-8?q?Trim=20job=20suffix=20to=20extract=20out?= =?UTF-8?q?=20cron=20job=20name=20for=20workload=20metadata=20(#=E2=80=A6?= =?UTF-8?q?=20(#27252)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Trim job suffix to extract out cron job name for workload metadata (#27195) * special case cron job processing in webhook * update * fix test --- .../webhook/TestWebhookInject_cron_job.patch | 76 +++++++++++++++++++ .../webhook/TestWebhookInject_cron_job.yaml | 10 +++ .../TestWebhookInject_cron_job_template.yaml | 20 +++++ pkg/kube/inject/webhook.go | 13 +++- pkg/kube/inject/webhook_test.go | 5 ++ .../notes/job-metric-cardinality.yaml | 8 ++ 6 files changed, 130 insertions(+), 2 deletions(-) create mode 100644 pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.patch create mode 100644 pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.yaml create mode 100644 pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job_template.yaml create mode 100644 releasenotes/notes/job-metric-cardinality.yaml diff --git a/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.patch b/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.patch new file mode 100644 index 00000000000..432757f8e01 --- /dev/null +++ b/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.patch 
@@ -0,0 +1,76 @@ +[ + { + "op": "add", + "path": "/spec/initContainers", + "value": [ + { + "name": "istio-init", + "image": "example.com/init:latest", + "resources": {} + } + ] + }, + { + "op": "add", + "path": "/spec/containers/-", + "value": { + "name": "istio-proxy", + "image": "example.com/proxy:latest", + "env": [ + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "hello" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1beta1/namespaces/default/cronjobs/hello" + } + ], + "resources": {} + } + }, + { + "op": "add", + "path": "/metadata/annotations", + "value": { + "prometheus.io/path": "/stats/prometheus" + } + }, + { + "op": "add", + "path": "/metadata/annotations/prometheus.io~1port", + "value": "15020" + }, + { + "op": "add", + "path": "/metadata/annotations/prometheus.io~1scrape", + "value": "true" + }, + { + "op": "add", + "path": "/metadata/annotations/sidecar.istio.io~1status", + "value": "{\"version\":\"unit-test-fake-version\",\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":null,\"imagePullSecrets\":null}" + }, + { + "op": "add", + "path": "/metadata/labels", + "value": { + "istio.io/rev": "" + } + }, + { + "op": "add", + "path": "/metadata/labels/security.istio.io~1tlsMode", + "value": "istio" + }, + { + "op": "add", + "path": "/metadata/labels/service.istio.io~1canonical-name", + "value": "hello" + }, + { + "op": "add", + "path": "/metadata/labels/service.istio.io~1canonical-revision", + "value": "latest" + } +] \ No newline at end of file diff --git a/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.yaml b/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.yaml new file mode 100644 index 00000000000..39cbca182af --- /dev/null +++ b/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job.yaml 
@@ -0,0 +1,10 @@ +metadata: + generateName: hello-1599753180- + ownerReferences: + - apiVersion: batch/v1 + controller: true + kind: Job + name: hello-1599753180 +spec: + containers: + - name: c \ No newline at end of file diff --git a/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job_template.yaml b/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job_template.yaml new file mode 100644 index 00000000000..60f1bf1fe65 --- /dev/null +++ b/pkg/kube/inject/testdata/webhook/TestWebhookInject_cron_job_template.yaml @@ -0,0 +1,20 @@ +policy: enabled +alwaysInjectSelector: [] +neverInjectSelector: [] +injectedAnnotations: {} +template: |- + initContainers: + - name: istio-init + image: example.com/init:latest + containers: + - name: istio-proxy + image: example.com/proxy:latest + env: + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} diff --git a/pkg/kube/inject/webhook.go b/pkg/kube/inject/webhook.go index b35ae9b0796..3f0fe3cd5ae 100644 --- a/pkg/kube/inject/webhook.go +++ b/pkg/kube/inject/webhook.go 
@@ -793,12 +793,21 @@ func (wh *Webhook) inject(ar *v1beta1.AdmissionReview, path string) *v1beta1.Adm
 typeMetadata.Kind = controllerRef.Kind
 // heuristic for deployment detection
+ deployMeta.Name = controllerRef.Name
 if typeMetadata.Kind == "ReplicaSet" && strings.HasSuffix(controllerRef.Name, pod.Labels["pod-template-hash"]) {
 name := strings.TrimSuffix(controllerRef.Name, "-"+pod.Labels["pod-template-hash"])
 deployMeta.Name = name
 typeMetadata.Kind = "Deployment"
- } else {
- deployMeta.Name = controllerRef.Name
+ } else if typeMetadata.Kind == "Job" && len(controllerRef.Name) > 11 {
+ // If job name suffixed with `-`, trim the suffix and set kind to cron job.
+ l := len(controllerRef.Name)
+ if _, err := strconv.Atoi(controllerRef.Name[l-10:]); err == nil && string(controllerRef.Name[l-11]) == "-" {
+ deployMeta.Name = controllerRef.Name[:l-11]
+ typeMetadata.Kind = "CronJob"
+ // heuristically set cron job api version to v1beta1 as it cannot be derived from pod metadata.
+ // Cronjob is not GA yet and latest version is v1beta1: https://github.com/kubernetes/enhancements/pull/978
+ typeMetadata.APIVersion = "batch/v1beta1"
+ }
 }
 }
 }
diff --git a/pkg/kube/inject/webhook_test.go b/pkg/kube/inject/webhook_test.go
index 52e28121630..2da9b9714ba 100644
--- a/pkg/kube/inject/webhook_test.go
+++ b/pkg/kube/inject/webhook_test.go
@@ -638,6 +638,11 @@ func TestWebhookInject(t *testing.T) {
 wantFile: "TestWebhookInject_probe_rewrite_timeout_retention.patch",
 templateFile: "TestWebhookInject_probe_rewrite_timeout_retention_template.yaml",
 },
+ {
+ inputFile: "TestWebhookInject_cron_job.yaml",
+ wantFile: "TestWebhookInject_cron_job.patch",
+ templateFile: "TestWebhookInject_cron_job_template.yaml",
+ },
 }
 for i, c := range cases {
diff --git a/releasenotes/notes/job-metric-cardinality.yaml b/releasenotes/notes/job-metric-cardinality.yaml
new file mode 100644
index 00000000000..c72c51f2095
--- /dev/null
+++ b/releasenotes/notes/job-metric-cardinality.yaml
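Review bot: The CronJob heuristic in the `inject` hunk accepts more names than a CronJob name followed by a ten-digit timestamp: `strconv.Atoi` also parses a leading sign, so a ten-character suffix such as `+123456789` passes, and any standalone Job whose name happens to end in `-` plus ten digits is relabelled as a CronJob. The result feeds `ISTIO_META_WORKLOAD_NAME`, `ISTIO_META_OWNER` and the canonical-name label shown in the test data, and the name is chosen by whoever creates the Job, so that metadata should be treated as a hint rather than verified ownership. A digits-only check tightens the match, e.g. `strings.IndexFunc(controllerRef.Name[l-10:], func(r rune) bool { return r < '0' || r > '9' }) == -1`, and `controllerRef.Name[l-11] == '-'` avoids the string conversion. The body of `inject` starts and ends outside this hunk.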
@@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: telemetry +issue: + - 24058 +releaseNotes: +- | + **Fixed** unbounded cardinality of Istio metrics for cron job workload. From 3c0e73b4b6ff0c5eb2750c93160438bb8b43431e Mon Sep 17 00:00:00 2001 From: Xinnan Wen Date: Mon, 14 Sep 2020 11:45:37 -0700 Subject: [PATCH 56/82] remove deprecated format from help message (#27220) --- operator/cmd/mesh/manifest-migrate.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/operator/cmd/mesh/manifest-migrate.go b/operator/cmd/mesh/manifest-migrate.go index 57c5e1be885..7bde77a999d 100644 --- a/operator/cmd/mesh/manifest-migrate.go +++ b/operator/cmd/mesh/manifest-migrate.go @@ -50,8 +50,8 @@ func addManifestMigrateFlags(cmd *cobra.Command, args *manifestMigrateArgs) { func manifestMigrateCmd(rootArgs *rootArgs, mmArgs *manifestMigrateArgs) *cobra.Command { return &cobra.Command{ Use: "migrate []", - Short: "Migrates a file containing Helm values or IstioControlPlane to IstioOperator format", - Long: "The migrate subcommand migrates a configuration from Helm values or IstioControlPlane format to IstioOperator format.", + Short: "Migrates a file containing Helm values to IstioOperator format", + Long: "The migrate subcommand migrates a configuration from Helm values to IstioOperator format.", Args: func(cmd *cobra.Command, args []string) error { if len(args) != 1 { return fmt.Errorf("migrate accepts optional single filepath") From d57a92bf78e6a68fb69615fe5be3af9ce541e10a Mon Sep 17 00:00:00 2001 From: Rama Chavali Date: Thu, 17 Sep 2020 00:07:11 +0530 Subject: [PATCH 57/82] [release-1.6] do not apply locality load balancer settings for inbound clusters (#27353) * manual cherrypick of 27295 Signed-off-by: Rama Chavali * fix compilation 
Signed-off-by: Rama Chavali --- pilot/pkg/networking/core/v1alpha3/cluster.go | 10 ++++++---- releasenotes/notes/27293.yaml | 8 ++++++++ 2 files changed, 14 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/27293.yaml diff --git a/pilot/pkg/networking/core/v1alpha3/cluster.go b/pilot/pkg/networking/core/v1alpha3/cluster.go index 9add4cba09c..451c3989919 100644 --- a/pilot/pkg/networking/core/v1alpha3/cluster.go +++ b/pilot/pkg/networking/core/v1alpha3/cluster.go @@ -714,11 +714,13 @@ func setH2Options(cluster *apiv2.Cluster) { func applyTrafficPolicy(opts buildClusterOpts) { connectionPool, outlierDetection, loadBalancer, tls := SelectTrafficPolicyComponents(opts.policy, opts.port) - - applyH2Upgrade(opts, connectionPool) + // Connection pool settings are applicable for both inbound and outbound clusters. applyConnectionPool(opts.push, opts.cluster, connectionPool) - applyOutlierDetection(opts.cluster, outlierDetection) - applyLoadBalancer(opts.cluster, loadBalancer, opts.port, opts.proxy, opts.push.Mesh) + if opts.direction != model.TrafficDirectionInbound { + applyH2Upgrade(opts, connectionPool) + applyOutlierDetection(opts.cluster, outlierDetection) + applyLoadBalancer(opts.cluster, loadBalancer, opts.port, opts.proxy, opts.push.Mesh) + } if opts.clusterMode != SniDnatClusterMode && opts.direction != model.TrafficDirectionInbound { autoMTLSEnabled := opts.push.Mesh.GetEnableAutoMtls().Value diff --git a/releasenotes/notes/27293.yaml b/releasenotes/notes/27293.yaml new file mode 100644 index 00000000000..affbfbf3137 --- /dev/null +++ b/releasenotes/notes/27293.yaml @@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: traffic-management +issue: + - 27293 +releaseNotes: + - | + **Fixed** a bug that locality load balancer settings were applied inbound clusters unnecessarily. \ No newline at end of file From 8c0f8549cfc78c68c6ab4a46489d9a43a624dc95 Mon Sep 17 00:00:00 2001 
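Review bot: The `applyTrafficPolicy` hunk stops applying H2 upgrade and outlier detection to inbound clusters as well as the load balancer, but only the connection-pool line carries a comment and the release note names locality load balancing alone. A comment on the new block would record the intent, e.g. `// H2 upgrade, outlier detection and load balancer settings are outbound-only.` The `if` that follows repeats `opts.direction != model.TrafficDirectionInbound`, so it could move inside the new block as `if opts.clusterMode != SniDnatClusterMode {`; the function continues past the end of the hunk, so check that nothing later depends on the current shape.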
From: Istio Automation Date: Tue, 29 Sep 2020 15:53:19 -0700 Subject: [PATCH 58/82] Fix endpointShardz leak (#27451) Fixes https://github.com/istio/istio/issues/24927 Current we pass the service *name* to ServiceUpdate. In the SE registry, we pass hostname, as expected. The result of using the name is that on service deletion, we actually use the wrong key for deletion. Co-authored-by: John Howard --- pilot/pkg/serviceregistry/kube/controller/controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index 59c49d222ec..305b417e8c7 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go @@ -361,7 +361,7 @@ func (c *Controller) onServiceEvent(curr interface{}, event model.Event) error { c.Unlock() } - c.xdsUpdater.SvcUpdate(c.clusterID, svc.Name, svc.Namespace, event) + c.xdsUpdater.SvcUpdate(c.clusterID, string(svcConv.Hostname), svc.Namespace, event) // Notify service handlers. for _, f := range c.serviceHandlers { f(svcConv, event) From a7e9ed4dfb119fc538a97d08cbdf0baf5f4a1028 Mon Sep 17 00:00:00 2001 From: Immortan Joe <287214087@qq.com> Date: Wed, 30 Sep 2020 06:53:26 +0800 Subject: [PATCH 59/82] [release-1.6] fix error service name in Cleanup (#27461) * fix error service name in Cleanup * Fix endpointShardz leak (#24947) Fixes https://github.com/istio/istio/issues/24927 Current we pass the service *name* to ServiceUpdate. In the SE registry, we pass hostname, as expected. The result of using the name is that on service deletion, we actually use the wrong key for deletion. Co-authored-by: John Howard --- pilot/pkg/serviceregistry/kube/controller/controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
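Review bot: The key passed to `SvcUpdate` is `string(svcConv.Hostname)` in this `onServiceEvent` hunk and `kube.ServiceHostname(s.Name, s.Namespace, c.domainSuffix)` in the `Cleanup` hunk of the next patch, and neither patch adds a test that pins the two to the same value. Since the leak being fixed came from update and delete using different keys, deriving the key in one place would keep them from drifting again, e.g. `hostname := kube.ServiceHostname(svc.Name, svc.Namespace, c.domainSuffix)` in `onServiceEvent` (assuming `svcConv.Hostname` is built the same way, which is not visible here). A regression test that adds and then deletes a service and asserts the shard entry is gone would cover both paths. `onServiceEvent` starts and ends outside the hunk.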
diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go index 305b417e8c7..a6512184898 100644 --- a/pilot/pkg/serviceregistry/kube/controller/controller.go +++ b/pilot/pkg/serviceregistry/kube/controller/controller.go @@ -304,7 +304,7 @@ func (c *Controller) Cleanup() error { return fmt.Errorf("error listing services for deletion: %v", err) } for _, s := range svcs { - name := kube.ServiceHostname(s.Namespace, s.Namespace, c.domainSuffix) + name := kube.ServiceHostname(s.Name, s.Namespace, c.domainSuffix) c.xdsUpdater.SvcUpdate(c.clusterID, string(name), s.Namespace, model.EventDelete) // TODO(landow) do we need to notify service handlers? } From 2cb86c8df67231af4d63f9c4e957cc87020e98de Mon Sep 17 00:00:00 2001 From: Morven Cao Date: Thu, 1 Oct 2020 04:59:47 +0800 Subject: [PATCH 60/82] cherrypick 26456 to release-1.6 (#27539) * cherrypick 26456 to release-1.6 * fix lint. --- operator/ARCHITECTURE.md | 1 + operator/README.md | 1 + .../input/ingressgateway_k8s_settings.yaml | 4 ++++ operator/data/translateConfig/translateConfig-1.6.yaml | 2 ++ releasenotes/notes/add-pod-securitycontext.yaml | 8 ++++++++ 5 files changed, 16 insertions(+) create mode 100644 releasenotes/notes/add-pod-securitycontext.yaml diff --git a/operator/ARCHITECTURE.md b/operator/ARCHITECTURE.md index fb4f28b73ae..b7ee489d731 100644 --- a/operator/ARCHITECTURE.md +++ b/operator/ARCHITECTURE.md 
@@ -153,6 +153,7 @@ priorityClassName | [priority class name](https://kubernetes.io/docs/concepts/co nodeSelector| [node selector](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) affinity | [affinity and anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) serviceAnnotations | [service annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) +securityContext | [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) These K8s setting are available for each component under the `k8s` field, for example: diff --git a/operator/README.md b/operator/README.md index 1e21ccd24bd..938b4991193 100644 --- a/operator/README.md +++ b/operator/README.md @@ -378,6 +378,7 @@ way as galley settings. Supported K8s settings currently include: - [toleration](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) - [affinity and anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) - [deployment strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) +- [pod securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) All of these K8s settings use the K8s API definitions, so [K8s documentation](https://kubernetes.io/docs/concepts/) can be used for reference. All K8s overlay values are also validated in the operator. diff --git a/operator/cmd/mesh/testdata/manifest-generate/input/ingressgateway_k8s_settings.yaml b/operator/cmd/mesh/testdata/manifest-generate/input/ingressgateway_k8s_settings.yaml index 8f7f8f5e9f2..113145ab71c 100644 --- a/operator/cmd/mesh/testdata/manifest-generate/input/ingressgateway_k8s_settings.yaml +++ b/operator/cmd/mesh/testdata/manifest-generate/input/ingressgateway_k8s_settings.yaml 
@@ -23,5 +23,9 @@ spec: targetPort: 1234 serviceAnnotations: manifest-generate: "testserviceAnnotation" + securityContext: + sysctls: + - name: "net.ipv4.ip_local_port_range" + value: "80 65535" telemetry: enabled: false diff --git a/operator/data/translateConfig/translateConfig-1.6.yaml b/operator/data/translateConfig/translateConfig-1.6.yaml index a26c6f8da0e..67f7792a0e2 100644 --- a/operator/data/translateConfig/translateConfig-1.6.yaml +++ b/operator/data/translateConfig/translateConfig-1.6.yaml @@ -40,6 +40,8 @@ kubernetesMapping: outPath: "[Service:{{.ResourceName}}].metadata.annotations" "Components.{{.ComponentName}}.K8S.Service": outPath: "[Service:{{.ResourceName}}].spec" + "Components.{{.ComponentName}}.K8S.SecurityContext": + outPath: "[{{.ResourceType}}:{{.ResourceName}}].spec.template.spec.securityContext" globalNamespaces: Pilot: "istioNamespace" Galley: "configNamespace" diff --git a/releasenotes/notes/add-pod-securitycontext.yaml b/releasenotes/notes/add-pod-securitycontext.yaml new file mode 100644 index 00000000000..4194175a405 --- /dev/null +++ b/releasenotes/notes/add-pod-securitycontext.yaml @@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: feature +area: installation +issue: +- 26275 +releaseNotes: +- | + **Added** support for securityContext in the k8s settings for the operator API. From 3be303db2cf71802ce3669696496893acd7f4be6 Mon Sep 17 00:00:00 2001 
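Review bot: The new `K8S.SecurityContext` mapping in `translateConfig-1.6.yaml` writes a user-supplied pod security context to `spec.template.spec.securityContext`, and neither the mapping nor the release note says how it combines with a `securityContext` the chart already renders. If the overlay replaces that block rather than merging into it (not visible in this hunk), an input like the test case that sets only `sysctls` would silently drop the chart's other fields. A comment above the mapping, e.g. `# Overlays the pod-level securityContext; confirm that fields rendered by the chart are kept unless overridden.`, plus a golden test on a component that already has a security context would settle it.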
From: aattuluri <44482891+aattuluri@users.noreply.github.com> Date: Fri, 2 Oct 2020 09:39:03 -0700 Subject: [PATCH 61/82] 1.6 patch for issue #27427 (#27470) * Add option to skip multicluster envoy filter (#27427) * Add a flag to include envoy filter and make global domain configurable * Fix values. * Update schema * Add release notes * Update generated files. * Trim global domain suffix * Fix typo * Add right values for multicluster * Re generate the values_types proto. --- .../templates/preconfigured.yaml | 10 +- manifests/charts/global.yaml | 4 + .../istio-discovery/files/gen-istio.yaml | 4 +- .../files/gen-istiod-remote.yaml | 4 +- .../values-istio-multicluster-gateways.yaml | 2 + .../pkg/apis/istio/v1alpha1/v1alpha1.pb.html | 18 + .../apis/istio/v1alpha1/values_types.pb.go | 945 +++++++++--------- .../apis/istio/v1alpha1/values_types.proto | 4 + releasenotes/notes/27300.yaml | 9 + 9 files changed, 531 insertions(+), 469 deletions(-) create mode 100644 releasenotes/notes/27300.yaml diff --git a/manifests/charts/gateways/istio-ingress/templates/preconfigured.yaml b/manifests/charts/gateways/istio-ingress/templates/preconfigured.yaml index cd6c52230b2..b3a21be5f31 100644 --- a/manifests/charts/gateways/istio-ingress/templates/preconfigured.yaml +++ b/manifests/charts/gateways/istio-ingress/templates/preconfigured.yaml @@ -13,7 +13,7 @@ spec: istio: ingressgateway servers: - hosts: - - "*.global" + - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" port: name: tls number: 15443 @@ -21,6 +21,7 @@ spec: tls: mode: AUTO_PASSTHROUGH --- +{{- if .Values.global.multiCluster.includeEnvoyFilter }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: 
@@ -47,10 +48,11 @@ spec: value: name: "envoy.filters.network.tcp_cluster_rewrite" config: - cluster_pattern: "\\.global$" + cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" --- -## To ensure all traffic to *.global is using mTLS +{{- end }} +## To ensure all traffic to globalDomainSuffix is using mTLS apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: @@ -60,7 +62,7 @@ metadata: {{ $gateway.labels | toYaml | indent 4 }} release: {{ .Release.Name }} spec: - host: "*.global" + host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" {{- if .Values.global.defaultConfigVisibilitySettings }} exportTo: - '*' diff --git a/manifests/charts/global.yaml b/manifests/charts/global.yaml index 95dfba784f8..58f31aa18e8 100644 --- a/manifests/charts/global.yaml +++ b/manifests/charts/global.yaml @@ -341,6 +341,10 @@ global: # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection # to properly label proxies clusterName: "" + # The suffix for global service names + globalDomainSuffix: "global" + # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication + includeEnvoyFilter: true # A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). diff --git a/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml b/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml index e466b2793ca..7bc8beab005 100644 --- a/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml +++ b/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml 
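Review bot: In the `EnvoyFilter` hunk `globalDomainSuffix` is placed into the `cluster_pattern` regular expression unescaped, so a suffix that contains a dot (a two-label suffix, say) makes that dot match any character and the rewrite can apply to cluster names outside the intended domain. An empty value also passes through `trim` and yields the host `*.` and the pattern `\\.$`. Escaping regex metacharacters before interpolation and rejecting an empty suffix would close both, e.g. `{{ required "global.multiCluster.globalDomainSuffix must be set" .Values.global.multiCluster.globalDomainSuffix | trim }}`. The same value builds the wildcard hosts of the Gateway and DestinationRule in the neighbouring hunks, so the validation belongs in one place.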
@@ -147,7 +147,9 @@ data: }, "multiCluster": { "clusterName": "", - "enabled": false + "enabled": false, + "globalDomainSuffix": "global", + "includeEnvoyFilter": true }, "network": "", "omitSidecarInjectorConfigMap": false, diff --git a/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml b/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml index b8897ab74c7..202fb910742 100644 --- a/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml +++ b/manifests/charts/istiod-remote/files/gen-istiod-remote.yaml @@ -68,7 +68,9 @@ data: }, "multiCluster": { "clusterName": "", - "enabled": false + "enabled": false, + "globalDomainSuffix": "global", + "includeEnvoyFilter": true }, "network": "", "omitSidecarInjectorConfigMap": false, diff --git a/operator/data/examples/multicluster/values-istio-multicluster-gateways.yaml b/operator/data/examples/multicluster/values-istio-multicluster-gateways.yaml index c028d3641eb..8363dd6384c 100644 --- a/operator/data/examples/multicluster/values-istio-multicluster-gateways.yaml +++ b/operator/data/examples/multicluster/values-istio-multicluster-gateways.yaml @@ -18,6 +18,8 @@ spec: multiCluster: enabled: true + globalDomainSuffix: "global" + includeEnvoyFilter: true controlPlaneSecurityEnabled: true diff --git a/operator/pkg/apis/istio/v1alpha1/v1alpha1.pb.html b/operator/pkg/apis/istio/v1alpha1/v1alpha1.pb.html index 43cfa0bac80..6896e365ac4 100644 --- a/operator/pkg/apis/istio/v1alpha1/v1alpha1.pb.html +++ b/operator/pkg/apis/istio/v1alpha1/v1alpha1.pb.html @@ -3324,6 +3324,24 @@

MultiClusterConfig

No + +globalDomainSuffix +string + + + +No + + + +includeEnvoyFilter +BoolValue + + + +No + + diff --git a/operator/pkg/apis/istio/v1alpha1/values_types.pb.go b/operator/pkg/apis/istio/v1alpha1/values_types.pb.go index 61916eaa0e0..0d82b5c974d 100644 --- a/operator/pkg/apis/istio/v1alpha1/values_types.pb.go +++ b/operator/pkg/apis/istio/v1alpha1/values_types.pb.go @@ -3526,6 +3526,8 @@ type MultiClusterConfig struct { // Use if the pods in each cluster cannot directly talk to one another. Enabled *protobuf.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` ClusterName string `protobuf:"bytes,2,opt,name=clusterName,proto3" json:"clusterName,omitempty"` + GlobalDomainSuffix string `protobuf:"bytes,3,opt,name=globalDomainSuffix,proto3" json:"globalDomainSuffix,omitempty"` + IncludeEnvoyFilter *protobuf.BoolValue `protobuf:"bytes,4,opt,name=includeEnvoyFilter,proto3" json:"includeEnvoyFilter,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -3570,6 +3572,20 @@ func (m *MultiClusterConfig) GetClusterName() string { return "" } +func (m *MultiClusterConfig) GetGlobalDomainSuffix() string { + if m != nil { + return m.GlobalDomainSuffix + } + return "" +} + +func (m *MultiClusterConfig) GetIncludeEnvoyFilter() *protobuf.BoolValue { + if m != nil { + return m.IncludeEnvoyFilter + } + return nil +} + // OutboundTrafficPolicyConfig controls the default behavior of the sidecar for handling outbound traffic from the application. type OutboundTrafficPolicyConfig struct { Mode OutboundTrafficPolicyConfig_Mode `protobuf:"varint,2,opt,name=mode,proto3,enum=v1alpha1.OutboundTrafficPolicyConfig_Mode" json:"mode,omitempty"` 
@@ -7922,471 +7938,474 @@ func init() { } var fileDescriptor_261260e22432516f = []byte{ - // 7451 bytes of a gzipped FileDescriptorProto + // 7490 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x7d, 0x49, 0x6f, 0x1c, 0x49, 0xd6, 0x58, 0x17, 0xf7, 0x7a, 0xc5, 0x22, 0x8b, 0x41, 0x91, 0x4a, 0x51, 0xd4, 0x96, 0xdd, 0xad, 0xd6, 0x48, 0x6a, 0x4a, 0x62, 0xab, 0x25, 0xb5, 0x5a, 0xad, 0x69, 0x6e, 0x6a, 0xb1, 0x9b, 0xdb, 0x97, 0x45, 0xf5, 0x36, 0x9f, 0x3f, 0x3a, 0x98, 0x19, 0x2c, 0x66, 0x33, 0x2b, 0x33, 0x27, 0x23, - 0x8a, 0x22, 0x1b, 0xb0, 0x8d, 0xef, 0x64, 0x18, 0x30, 0xc6, 0x98, 0xb1, 0x01, 0x5f, 0x0c, 0x18, - 0x86, 0x6d, 0xcc, 0xd9, 0x86, 0x61, 0xff, 0x00, 0x1b, 0xf0, 0xc5, 0xff, 0xc0, 0xa7, 0x81, 0x4f, - 0xf6, 0xc1, 0xb7, 0x81, 0x0f, 0x1e, 0xc0, 0x46, 0x2c, 0xb9, 0x67, 0x2d, 0x2c, 0x4a, 0xd3, 0x03, - 0xcc, 0xdc, 0x2a, 0x5f, 0xbc, 0x17, 0x19, 0x19, 0xcb, 0x5b, 0xe3, 0xbd, 0x82, 0xdb, 0xfe, 0x51, - 0xe3, 0x1e, 0xf6, 0x6d, 0x7a, 0xcf, 0xa6, 0xcc, 0xf6, 0xee, 0x1d, 0x3f, 0xc0, 0x8e, 0x7f, 0x88, - 0x1f, 0xdc, 0x3b, 0xc6, 0x4e, 0x8b, 0xd0, 0x3d, 0x76, 0xea, 0x13, 0xba, 0xe0, 0x07, 0x1e, 0xf3, - 0xd0, 0x58, 0xd8, 0x38, 0x77, 0xb5, 0xe1, 0x79, 0x0d, 0x87, 0xdc, 0x13, 0xf0, 0xfd, 0xd6, 0xc1, - 0x3d, 0xab, 0x15, 0x60, 0x66, 0x7b, 0xae, 0xc4, 0x9c, 0xfb, 0xbc, 0x61, 0xb3, 0xc3, 0xd6, 0xfe, - 0x82, 0xe9, 0x35, 0xef, 0x35, 0xbc, 0x86, 0x17, 0x23, 0x46, 0x3f, 0xb2, 0x3d, 0xbc, 0x0e, 0xb0, - 0xef, 0x93, 0x40, 0xbd, 0x4b, 0x37, 0x00, 0x96, 0x02, 0xf3, 0x70, 0xc5, 0x73, 0x0f, 0xec, 0x06, - 0xba, 0x00, 0xc3, 0xb8, 0x69, 0x3d, 0x7a, 0xa8, 0x95, 0xae, 0x97, 0x6e, 0x55, 0x0d, 0xf9, 0x80, - 0x34, 0x18, 0xf5, 0x7d, 0xf3, 0xd1, 0x43, 0x87, 0x68, 0x03, 0x02, 0x1e, 0x3e, 0x72, 0x7c, 0xfa, - 0xd1, 0x27, 0xf7, 0x4f, 0xb4, 0x41, 0x89, 0x2f, 0x1e, 0xf4, 0xff, 0x3a, 0x04, 0xe5, 0x95, 0xad, - 0x75, 0xd5, 0xe7, 0x43, 0x18, 0x25, 0x2e, 0xde, 0x77, 0x88, 0x25, 0x7a, 0xad, 0x2c, 0xce, 0x2d, - 0xc8, 0x31, 0x2d, 0x84, 0x63, 0x5a, 0x58, 0xf6, 0x3c, 
0xe7, 0x6b, 0x3e, 0x0f, 0x46, 0x88, 0x8a, - 0x6a, 0x30, 0x78, 0xd8, 0xda, 0x17, 0xef, 0x2b, 0x1b, 0xfc, 0x27, 0xfa, 0x19, 0x0c, 0x32, 0xdc, - 0x10, 0x6f, 0xaa, 0x2c, 0x5e, 0x5c, 0x08, 0xe7, 0x68, 0x61, 0xf7, 0xd4, 0x27, 0xeb, 0x2e, 0x23, - 0xc1, 0x01, 0x36, 0x89, 0xc1, 0x71, 0xf8, 0xb0, 0xec, 0x26, 0x6e, 0x10, 0x6d, 0x48, 0x90, 0xcb, - 0x07, 0x74, 0x15, 0xc0, 0x6f, 0x39, 0xce, 0x8e, 0xe7, 0xd8, 0xe6, 0xa9, 0x36, 0x2c, 0x9a, 0x12, - 0x10, 0x34, 0x0f, 0x65, 0xd3, 0xb5, 0x97, 0x6d, 0x77, 0xd5, 0x0e, 0xb4, 0x11, 0xd1, 0x1c, 0x03, - 0x38, 0xb5, 0xe9, 0xda, 0xfc, 0x9b, 0x78, 0xf3, 0xa8, 0xa4, 0x8e, 0x21, 0xe8, 0x16, 0x4c, 0xaa, - 0xa7, 0x17, 0xb6, 0x43, 0xb6, 0x70, 0x93, 0x68, 0x63, 0x02, 0x29, 0x0b, 0x46, 0x77, 0x61, 0x8a, - 0x9c, 0x98, 0x4e, 0xcb, 0x12, 0x8f, 0xd4, 0xc7, 0x26, 0xa1, 0x5a, 0xf9, 0xfa, 0xe0, 0xad, 0xb2, - 0x91, 0x6f, 0x40, 0x1b, 0x30, 0xe1, 0x7b, 0xd6, 0x92, 0xeb, 0x7a, 0x4c, 0xac, 0x3c, 0xd5, 0x40, - 0xcc, 0xc0, 0xf5, 0xf4, 0x0c, 0x6c, 0x62, 0xbf, 0xce, 0x02, 0xdb, 0x6d, 0x44, 0x53, 0xb1, 0x3c, - 0xa0, 0x95, 0x8c, 0x0c, 0x2d, 0xba, 0x05, 0x35, 0x9f, 0xfa, 0x7b, 0xa6, 0xd3, 0xa2, 0x8c, 0x04, - 0x7b, 0x81, 0xe7, 0x10, 0xad, 0x22, 0x86, 0x39, 0xe1, 0x53, 0x7f, 0x45, 0x82, 0x0d, 0xcf, 0x21, - 0x68, 0x0e, 0xc6, 0x1c, 0xaf, 0xb1, 0x41, 0x8e, 0x89, 0xa3, 0x8d, 0x0b, 0x8c, 0xe8, 0x19, 0x3d, - 0x80, 0x91, 0x80, 0xf8, 0xd8, 0x0e, 0xb4, 0xaa, 0x18, 0xcb, 0xa5, 0x78, 0x2c, 0x2b, 0x5b, 0xeb, - 0x86, 0x68, 0x92, 0xab, 0x6f, 0x28, 0x44, 0xbe, 0x0b, 0xcc, 0x43, 0x6c, 0xbb, 0xc4, 0xd2, 0x26, - 0xba, 0xef, 0x02, 0x85, 0xaa, 0xff, 0x6a, 0x10, 0x26, 0x33, 0x3d, 0xfe, 0xe9, 0xec, 0xa7, 0x79, - 0x28, 0x3b, 0x78, 0x9f, 0x38, 0x3b, 0x9e, 0x45, 0xc5, 0x76, 0x1a, 0x33, 0x62, 0x00, 0xba, 0x09, - 0xe3, 0x66, 0x40, 0x30, 0x23, 0x6b, 0xc7, 0xc4, 0x65, 0x54, 0x6e, 0x28, 0xb1, 0x26, 0x29, 0x38, - 0xdf, 0x57, 0x16, 0x71, 0x08, 0x23, 0xa2, 0x9b, 0x51, 0xd1, 0x4d, 0x02, 0xc2, 0x77, 0xcb, 0x7e, - 0xe0, 0x1d, 0x11, 0x77, 0xc7, 0xb3, 0x36, 0x78, 0xef, 0x5f, 0x91, 0x53, 0xb5, 0xb3, 0xf2, 
0x0d, - 0xe8, 0x3e, 0x4c, 0xa7, 0x81, 0x62, 0x1a, 0xb4, 0xb2, 0xc0, 0x2f, 0x6a, 0xe2, 0xfd, 0xdb, 0xae, - 0xcd, 0x56, 0x3c, 0x97, 0xf1, 0x39, 0x0f, 0xc4, 0xce, 0x05, 0xd9, 0x7f, 0xae, 0x41, 0xff, 0x16, - 0xe6, 0x56, 0x76, 0x5e, 0xed, 0xe2, 0xa0, 0x41, 0xd8, 0x2b, 0x66, 0x3b, 0xf6, 0x8f, 0x62, 0x63, - 0xa9, 0xa5, 0x79, 0x0a, 0x1a, 0x13, 0x4d, 0x4b, 0xc7, 0x24, 0xc0, 0x0d, 0x92, 0xc0, 0x10, 0x6b, - 0x35, 0x6c, 0xb4, 0x6d, 0xd7, 0xff, 0x6f, 0x09, 0xca, 0x06, 0xa1, 0x5e, 0x2b, 0xe0, 0xbb, 0xfe, - 0x31, 0x8c, 0x38, 0x76, 0xd3, 0x66, 0x54, 0x2b, 0x5d, 0x1f, 0xbc, 0x55, 0x59, 0xbc, 0x16, 0xaf, - 0x4f, 0x84, 0xb4, 0xb0, 0x21, 0x30, 0xd6, 0x5c, 0x16, 0x9c, 0x1a, 0x0a, 0x1d, 0x7d, 0x06, 0x63, - 0x01, 0xf9, 0x65, 0x8b, 0x50, 0x46, 0xb5, 0x01, 0x41, 0x7a, 0xa3, 0x88, 0xd4, 0x50, 0x38, 0x92, - 0x38, 0x22, 0x99, 0xfb, 0x04, 0x2a, 0x89, 0x5e, 0xf9, 0xae, 0x39, 0x22, 0xa7, 0x62, 0xec, 0x65, - 0x83, 0xff, 0xe4, 0x5b, 0x41, 0x70, 0x6c, 0xb5, 0x93, 0xe4, 0xc3, 0xd3, 0x81, 0x27, 0xa5, 0xb9, - 0x4f, 0xa1, 0x9a, 0xea, 0xf5, 0x2c, 0xc4, 0xfa, 0xaf, 0x47, 0xa1, 0xba, 0xe2, 0x05, 0x64, 0x75, - 0xab, 0x7e, 0xae, 0x6d, 0xae, 0xc3, 0xb8, 0x29, 0xbb, 0x59, 0x17, 0x1b, 0x56, 0xbe, 0x28, 0x05, - 0x13, 0x9c, 0x4c, 0x3e, 0xef, 0xaa, 0xfd, 0xcf, 0x39, 0x59, 0x04, 0x41, 0x0b, 0x80, 0xd4, 0xd3, - 0x8e, 0xd3, 0x6a, 0xd8, 0xee, 0x7a, 0x62, 0xeb, 0x17, 0xb4, 0xa0, 0x97, 0x30, 0xee, 0x7a, 0x16, - 0xa9, 0x13, 0x87, 0x98, 0xcc, 0x0b, 0xc4, 0x51, 0xe8, 0x95, 0x3f, 0xa5, 0x28, 0xf9, 0x99, 0x09, - 0x88, 0xef, 0xd8, 0x26, 0x5e, 0xf1, 0x5a, 0x2e, 0x13, 0x67, 0xa6, 0x2a, 0xf1, 0x92, 0xf0, 0x02, - 0x9e, 0x38, 0x7a, 0x0e, 0x9e, 0xf8, 0x31, 0x94, 0x83, 0x70, 0x63, 0x88, 0x93, 0x55, 0x59, 0x9c, - 0x2e, 0xd8, 0x33, 0x82, 0x36, 0xc6, 0x44, 0x1b, 0x30, 0x19, 0x78, 0x8e, 0x63, 0xbb, 0x8d, 0x4d, - 0x7c, 0x52, 0x6f, 0x05, 0x0d, 0x79, 0xcc, 0x2a, 0x8b, 0x57, 0x73, 0xbc, 0x64, 0x3b, 0x90, 0xe3, - 0x78, 0xe1, 0x05, 0x3b, 0xcb, 0xa2, 0x9f, 0x2c, 0x29, 0xfa, 0x16, 0x66, 0x62, 0xd0, 0x2b, 0x17, - 0x1f, 0x63, 0xdb, 0xe1, 0x4b, 
0xaa, 0xb8, 0x7d, 0x2f, 0x7d, 0x16, 0x77, 0x80, 0x3c, 0x98, 0x17, - 0x1f, 0xcc, 0xec, 0xa5, 0x83, 0x03, 0x7e, 0xa2, 0x4f, 0xc5, 0xe9, 0x8f, 0x96, 0xab, 0x22, 0x5e, - 0xf0, 0x41, 0xfa, 0x05, 0x75, 0xc7, 0x36, 0xc9, 0xf6, 0x41, 0x9b, 0x19, 0xec, 0xd8, 0x21, 0x7a, - 0x0d, 0xd7, 0x33, 0xed, 0xbb, 0x24, 0x68, 0xa6, 0x5f, 0x3a, 0x7e, 0xf6, 0x97, 0x76, 0xed, 0x14, - 0x6d, 0x42, 0x85, 0x79, 0x0e, 0x09, 0xd4, 0x9e, 0xa8, 0x9e, 0xfd, 0x1d, 0x49, 0x7a, 0xfd, 0x5b, - 0xb8, 0xbe, 0x4a, 0x0e, 0x70, 0xcb, 0x61, 0x3b, 0x9e, 0xb5, 0x6a, 0xd3, 0xa0, 0xe5, 0xf3, 0x86, - 0xe5, 0x96, 0xd5, 0x20, 0xec, 0x3c, 0xa7, 0x54, 0xff, 0x06, 0x66, 0x55, 0xcf, 0xd1, 0xee, 0x52, - 0xfd, 0x25, 0xd9, 0x97, 0xec, 0xb0, 0x88, 0x7d, 0x85, 0x7c, 0x46, 0xc9, 0xd8, 0x88, 0x44, 0xff, - 0xa7, 0x55, 0x98, 0x5e, 0x6b, 0x04, 0x84, 0xd2, 0x2f, 0x30, 0x23, 0xaf, 0xf1, 0xa9, 0xea, 0xf6, - 0x05, 0xd4, 0x70, 0x8b, 0x79, 0xd4, 0xc4, 0x0e, 0x59, 0xeb, 0x79, 0xbc, 0x39, 0x1a, 0xce, 0x5e, - 0x22, 0xd8, 0x26, 0x3e, 0x51, 0xea, 0x60, 0x0a, 0x96, 0xc6, 0xb1, 0x5d, 0xa5, 0x1a, 0xa6, 0x60, - 0xe8, 0x26, 0x4c, 0x98, 0x9e, 0xeb, 0x12, 0x93, 0xed, 0xda, 0x4d, 0xe2, 0xb5, 0x98, 0x62, 0x2f, - 0x19, 0x28, 0x7a, 0x0a, 0x83, 0xa6, 0xdf, 0x52, 0x1c, 0xe5, 0xbd, 0x84, 0x96, 0xd1, 0x56, 0x06, - 0x89, 0x65, 0xe4, 0x44, 0xe8, 0xe7, 0x50, 0xb5, 0x02, 0x6c, 0xbb, 0xab, 0x4a, 0x65, 0x16, 0xdc, - 0x84, 0xeb, 0x2a, 0xd9, 0x0f, 0x0e, 0x11, 0x8c, 0x34, 0x7e, 0x72, 0x6d, 0x47, 0x7b, 0xe7, 0xc0, - 0x8b, 0x30, 0x48, 0xdc, 0x63, 0xc5, 0x47, 0xba, 0x32, 0x24, 0x83, 0x23, 0xa3, 0x8f, 0x61, 0x44, - 0x28, 0x0e, 0x54, 0x71, 0x90, 0x2b, 0x31, 0x99, 0x5a, 0x47, 0xb1, 0xd1, 0xc3, 0xf5, 0x56, 0xc8, - 0x08, 0xc1, 0x90, 0xcb, 0xa5, 0xf5, 0x25, 0x31, 0x77, 0xe2, 0x77, 0x8e, 0x19, 0x43, 0xdf, 0xcc, - 0x38, 0xcf, 0x64, 0x2b, 0xe7, 0x60, 0xb2, 0xdd, 0xb8, 0xd0, 0xf8, 0x4f, 0xc1, 0x85, 0xaa, 0x6f, - 0x83, 0x0b, 0xdd, 0x81, 0x61, 0xdf, 0x0b, 0x18, 0xd5, 0x26, 0x84, 0xfa, 0x31, 0x13, 0xf7, 0xbe, - 0xc3, 0xc1, 0x6a, 0x0d, 0x25, 0x4e, 0x5a, 0xf6, 0x4c, 0xf6, 0x2c, 
0x7b, 0x9e, 0x41, 0x95, 0x12, - 0x33, 0x20, 0xec, 0x6b, 0xcf, 0x69, 0x35, 0x09, 0xd5, 0x6a, 0xe2, 0x5d, 0xb3, 0x31, 0x69, 0x3d, - 0xd1, 0x6c, 0xa4, 0x91, 0xd1, 0x0e, 0x20, 0x4a, 0x82, 0x63, 0xdb, 0x24, 0xc9, 0xd5, 0x9d, 0xea, - 0x71, 0xc7, 0x16, 0xd0, 0xf2, 0x9d, 0xc8, 0x0d, 0x58, 0x0d, 0xc9, 0x9d, 0xc8, 0x7f, 0xa3, 0x3b, - 0x30, 0xf4, 0xe3, 0xb1, 0xef, 0x6a, 0xd3, 0x59, 0x05, 0xfb, 0x7b, 0x12, 0x78, 0x5f, 0xef, 0x6c, - 0xa9, 0x89, 0x10, 0x48, 0x59, 0xd6, 0x7d, 0xe1, 0x7c, 0xac, 0xbb, 0x48, 0x36, 0xcf, 0xbc, 0x05, - 0xd9, 0x3c, 0x7b, 0x5e, 0xd9, 0xbc, 0x09, 0x55, 0x53, 0x4c, 0x43, 0xb8, 0x8e, 0x17, 0xcf, 0xf4, - 0xe1, 0x46, 0x9a, 0x1a, 0xfd, 0x02, 0x2e, 0x60, 0xcb, 0xb2, 0xf9, 0x1c, 0x60, 0x27, 0x52, 0xdc, - 0xa9, 0xa6, 0x9d, 0xad, 0xd7, 0xc2, 0x4e, 0xd0, 0x13, 0x28, 0x07, 0x2d, 0x77, 0x89, 0x1a, 0x9e, - 0xc7, 0xb4, 0xb9, 0xae, 0x0c, 0x31, 0x46, 0xd6, 0xff, 0x50, 0x02, 0xb4, 0xe6, 0x1e, 0x7b, 0xa7, - 0x9b, 0x84, 0x05, 0xb6, 0x49, 0xcf, 0xa5, 0xe1, 0x22, 0x18, 0x3a, 0xf4, 0x28, 0x53, 0x9a, 0xad, - 0xf8, 0xcd, 0x61, 0xfc, 0x38, 0x09, 0x51, 0x33, 0x6c, 0x88, 0xdf, 0x68, 0x19, 0x2a, 0xcc, 0xa1, - 0x75, 0xc2, 0x98, 0xed, 0x36, 0xa8, 0x90, 0x2f, 0xbd, 0xec, 0xee, 0x24, 0x11, 0x5a, 0x85, 0x71, - 0x66, 0xfa, 0x5f, 0x11, 0xe2, 0x63, 0xc7, 0x3e, 0x26, 0xbd, 0x6a, 0xb6, 0x46, 0x8a, 0x4a, 0xff, - 0x0c, 0xa6, 0x0b, 0xb8, 0x38, 0x37, 0x0f, 0xb0, 0xef, 0x87, 0xe6, 0x01, 0xf6, 0x7d, 0x61, 0x66, - 0x52, 0x66, 0x7b, 0xa1, 0x79, 0x20, 0x1e, 0xf4, 0xff, 0x59, 0x82, 0x09, 0x45, 0x1f, 0x92, 0x6e, - 0xc1, 0xb4, 0x68, 0xdb, 0x23, 0x42, 0xd6, 0x37, 0x64, 0xab, 0x9a, 0xc5, 0x84, 0xf0, 0x28, 0x50, - 0x05, 0x0c, 0x24, 0x28, 0xd7, 0x92, 0x84, 0xc9, 0x95, 0x18, 0xe8, 0x7d, 0x25, 0xfe, 0x0a, 0x2e, - 0xc8, 0x51, 0xd8, 0x6e, 0x6a, 0x18, 0x43, 0xd9, 0x53, 0xb1, 0xee, 0x16, 0x8c, 0x43, 0x7e, 0xc1, - 0x7a, 0x8a, 0x54, 0xff, 0x8f, 0x97, 0x61, 0xfc, 0x0b, 0xc7, 0xdb, 0x17, 0x1b, 0x8f, 0x7f, 0xe9, - 0x2d, 0x18, 0xc2, 0x81, 0x79, 0xa8, 0x3e, 0xed, 0x42, 0xdc, 0x67, 0xec, 0xb4, 0x32, 0x04, 0x06, - 0xfa, 
0x0a, 0xc6, 0x4d, 0x12, 0x30, 0xfb, 0xc0, 0x36, 0x31, 0x23, 0x54, 0xbb, 0x75, 0xb6, 0x3d, - 0x9f, 0x22, 0x16, 0xce, 0x1c, 0xd1, 0x79, 0xe4, 0x88, 0x51, 0x6b, 0x92, 0x05, 0x73, 0x83, 0x5b, - 0x82, 0xf8, 0x4e, 0x8f, 0xb1, 0x17, 0xa5, 0xc1, 0x5d, 0xd0, 0xc4, 0x75, 0x31, 0x75, 0x6a, 0xb1, - 0x63, 0x5b, 0x52, 0x35, 0x19, 0xec, 0xae, 0x8b, 0x65, 0x69, 0xd0, 0x5f, 0xc3, 0x65, 0xd3, 0x73, - 0x59, 0xe0, 0x39, 0x3b, 0x0e, 0x76, 0x49, 0x9d, 0x98, 0xad, 0xc0, 0x66, 0xa7, 0xa1, 0x7a, 0x37, - 0xd4, 0xb5, 0xcb, 0x4e, 0xe4, 0xe8, 0x25, 0x5c, 0xb3, 0xa4, 0x8a, 0x2a, 0x67, 0xf9, 0x6b, 0x9b, - 0xda, 0xfb, 0xb6, 0x63, 0xb3, 0xd3, 0xe8, 0x48, 0x3d, 0x14, 0x2e, 0xab, 0x6e, 0x68, 0xe8, 0x6b, - 0x98, 0x56, 0x28, 0x5b, 0x49, 0xc5, 0x64, 0xe4, 0x0c, 0xca, 0x44, 0x51, 0x07, 0xc8, 0x85, 0x39, - 0xab, 0xad, 0x7a, 0xae, 0x34, 0xb6, 0xdb, 0x71, 0xf7, 0xdd, 0x54, 0x79, 0xf1, 0xa2, 0x0e, 0x3d, - 0xa2, 0x0d, 0x98, 0xb6, 0x6c, 0xca, 0x67, 0x47, 0xfa, 0x0b, 0x57, 0x0e, 0x89, 0x79, 0x14, 0x1a, - 0x8c, 0x9d, 0xe6, 0xb9, 0x88, 0x0c, 0xed, 0x40, 0xcd, 0xca, 0x98, 0x00, 0x4a, 0xf9, 0xbb, 0x9e, - 0x1b, 0x73, 0xc6, 0x48, 0x10, 0x23, 0xcd, 0x51, 0xa3, 0x5f, 0x00, 0x52, 0xb0, 0xdd, 0x84, 0x24, - 0x7d, 0x7c, 0x76, 0x49, 0x5a, 0xd0, 0x0d, 0x5a, 0x86, 0x09, 0x79, 0xec, 0x5f, 0x12, 0xa7, 0xb9, - 0x4b, 0x28, 0x53, 0x8a, 0x65, 0xa7, 0xef, 0xce, 0x50, 0xa0, 0xcf, 0xa1, 0x2a, 0x21, 0xbb, 0x01, - 0x36, 0x6d, 0xb7, 0xa1, 0xf4, 0xc9, 0x4e, 0x5d, 0xa4, 0x09, 0x42, 0x27, 0xde, 0x78, 0xec, 0xc4, - 0xbb, 0x05, 0x93, 0xc2, 0x19, 0xb7, 0x13, 0x3b, 0x76, 0xab, 0xf2, 0xa0, 0x66, 0xc0, 0xe8, 0x36, - 0xd4, 0x22, 0x90, 0x54, 0x8e, 0xa8, 0xf6, 0xbe, 0xd8, 0xc1, 0x39, 0x38, 0x37, 0x4f, 0x04, 0x77, - 0x8a, 0xcf, 0xf3, 0x84, 0x34, 0x4f, 0xd2, 0x50, 0xb4, 0x05, 0x53, 0x8e, 0x67, 0x62, 0xbe, 0xdd, - 0x37, 0xf6, 0xd5, 0x86, 0x57, 0x5a, 0x5c, 0x77, 0x21, 0x91, 0x27, 0xe5, 0x22, 0xd6, 0xf1, 0x1a, - 0x4b, 0xf4, 0x4b, 0xea, 0xb9, 0xda, 0x7b, 0xdd, 0x45, 0x6c, 0x84, 0x8c, 0x1e, 0xc3, 0xa8, 0xe3, - 0x35, 0x1a, 0xfc, 0xfd, 0x53, 0x39, 0x13, 
0x42, 0x30, 0xd4, 0x0d, 0xd9, 0xac, 0x78, 0x66, 0x88, - 0x8d, 0x56, 0xa0, 0xda, 0x24, 0xf4, 0x70, 0xed, 0xc4, 0xc7, 0x2e, 0xe5, 0xac, 0x08, 0x65, 0xc9, - 0x37, 0x93, 0xcd, 0x8a, 0x3c, 0x4d, 0x83, 0x66, 0x61, 0x84, 0x03, 0xd6, 0x57, 0xb5, 0x8f, 0xc5, - 0x3c, 0xa9, 0x27, 0x2e, 0x3f, 0xf9, 0xaf, 0x2d, 0xc2, 0x5e, 0x7b, 0xc1, 0x11, 0x55, 0xaa, 0x60, - 0x0f, 0xf2, 0x33, 0x49, 0xc5, 0x57, 0xa3, 0xe9, 0xb9, 0x36, 0xf3, 0x38, 0x12, 0xd7, 0xa1, 0x85, - 0x7a, 0x58, 0x35, 0x32, 0x50, 0x2e, 0x2b, 0x9a, 0xcc, 0xa1, 0x4a, 0xd3, 0x4b, 0xc8, 0x8a, 0xcd, - 0xdd, 0x8d, 0x7a, 0x28, 0x2b, 0x38, 0x06, 0xfa, 0x1c, 0xc6, 0x9b, 0x2d, 0x87, 0xd9, 0xca, 0xdf, - 0xad, 0xf4, 0xb8, 0xf9, 0x04, 0x45, 0xa2, 0x55, 0x51, 0xa6, 0x28, 0x90, 0x06, 0xa3, 0xae, 0x1c, - 0x9f, 0xf6, 0x81, 0xf8, 0xe4, 0xf0, 0x11, 0x3d, 0x82, 0x59, 0xdf, 0xb3, 0x56, 0xb7, 0xea, 0x75, - 0xc2, 0xe5, 0x52, 0xc2, 0xc5, 0x7f, 0x47, 0xec, 0xb6, 0x36, 0xad, 0xe8, 0x6f, 0x60, 0xde, 0x6b, - 0xda, 0xac, 0x6e, 0x5b, 0xc4, 0xc4, 0xc1, 0xba, 0xfb, 0x83, 0xe0, 0x72, 0xf2, 0xe5, 0x9b, 0xd8, - 0xd7, 0x6e, 0x76, 0xdd, 0x0e, 0x1d, 0xe9, 0xd1, 0x73, 0x18, 0xf7, 0xdc, 0x38, 0xb0, 0xa0, 0x34, - 0xcd, 0x4e, 0xfd, 0xa5, 0xf0, 0x91, 0x01, 0xb3, 0x9e, 0xcf, 0xf9, 0x81, 0x17, 0x6c, 0x62, 0x17, - 0x37, 0xc8, 0x37, 0x64, 0xff, 0xd0, 0xf3, 0x8e, 0xa8, 0xf6, 0xb3, 0xae, 0x3d, 0xb5, 0xa1, 0x44, - 0xbf, 0x80, 0x19, 0xaf, 0xc5, 0xf6, 0xbd, 0x96, 0x6b, 0xed, 0x06, 0xf8, 0xe0, 0xc0, 0x36, 0xd5, - 0x19, 0x96, 0x0a, 0xeb, 0xfb, 0xf1, 0x82, 0x6c, 0x17, 0xa1, 0xa9, 0x95, 0x29, 0xee, 0x83, 0xf3, - 0x6b, 0x3f, 0xe6, 0xb8, 0x2f, 0xb0, 0xed, 0x6c, 0xfb, 0xc4, 0x15, 0xc6, 0x72, 0x17, 0x7e, 0x5d, - 0x40, 0xc6, 0x19, 0x8d, 0x04, 0xc7, 0x33, 0x38, 0x27, 0x19, 0x4d, 0x06, 0x8c, 0xee, 0xc3, 0x94, - 0x1f, 0xd8, 0x1e, 0x17, 0xa6, 0x2b, 0x0e, 0xa6, 0x54, 0x38, 0xd4, 0x2f, 0x47, 0xde, 0xff, 0x7c, - 0x23, 0xd7, 0x21, 0xfc, 0xc0, 0x6b, 0x12, 0x76, 0x48, 0x5a, 0x34, 0xee, 0xff, 0x23, 0xa9, 0x43, - 0x14, 0x34, 0x09, 0x1b, 0x33, 0xf0, 0x4e, 0x4e, 0xb5, 0x79, 0xf1, 0x35, 0x49, 
0x1b, 0x93, 0x83, - 0x23, 0x1b, 0x93, 0x3f, 0xa0, 0xc7, 0x50, 0x16, 0x3f, 0xd6, 0x5d, 0x9b, 0x69, 0x57, 0xb2, 0x01, - 0x9b, 0x9d, 0xb0, 0x49, 0x11, 0xc5, 0xb8, 0xe8, 0x7d, 0x18, 0xa4, 0x16, 0xd5, 0xae, 0x66, 0xcd, - 0xd2, 0xfa, 0x6a, 0x78, 0x9c, 0x78, 0x7b, 0x18, 0x48, 0xb9, 0xd6, 0x43, 0x20, 0x65, 0x01, 0x10, - 0x23, 0x0e, 0x69, 0x12, 0x16, 0x24, 0x26, 0xf2, 0xba, 0x74, 0x2d, 0xe7, 0x5b, 0xd0, 0x02, 0x8c, - 0xb0, 0x00, 0x9b, 0x24, 0xd0, 0x6e, 0x88, 0xde, 0x13, 0x06, 0xee, 0xae, 0x80, 0x87, 0x1e, 0x11, - 0x89, 0x85, 0xae, 0x43, 0x85, 0x05, 0x2d, 0xca, 0x56, 0xbd, 0x26, 0xb6, 0x5d, 0x4d, 0x17, 0x1d, - 0x27, 0x41, 0x62, 0x04, 0xf1, 0xe3, 0x92, 0x63, 0x63, 0x4a, 0xa8, 0x76, 0x5b, 0x1c, 0xcd, 0x82, - 0x16, 0xb4, 0x08, 0x23, 0x2d, 0x4a, 0x36, 0x57, 0x76, 0xb4, 0x77, 0xbb, 0x6e, 0x1c, 0x85, 0x89, - 0x9e, 0x41, 0x45, 0x08, 0x0a, 0x83, 0x34, 0x3d, 0x46, 0xb4, 0xbb, 0x5d, 0x09, 0x93, 0xe8, 0xe8, - 0x6b, 0xd0, 0x64, 0x80, 0x48, 0x3e, 0xd7, 0x8f, 0xcd, 0x35, 0xd7, 0xf2, 0x3d, 0xdb, 0x65, 0x54, - 0xfb, 0xb0, 0x6b, 0x57, 0x6d, 0x69, 0x39, 0x83, 0x09, 0x04, 0x74, 0xc7, 0x76, 0x3c, 0xb6, 0x22, - 0xd0, 0x12, 0x08, 0xda, 0x42, 0x77, 0x06, 0xd3, 0x89, 0x9e, 0xef, 0x62, 0xd5, 0x2e, 0x0e, 0xc4, - 0x92, 0x65, 0x71, 0xcd, 0x5e, 0xbb, 0x27, 0x77, 0x71, 0x41, 0x13, 0x5f, 0x8b, 0x44, 0x8f, 0x21, - 0xc1, 0x7d, 0xb9, 0x1b, 0xf2, 0x2d, 0x9c, 0xb5, 0x4a, 0xe8, 0x6e, 0xb8, 0x53, 0x42, 0x9a, 0x07, - 0x82, 0xa6, 0x4d, 0x2b, 0xdf, 0x45, 0x62, 0x82, 0x2d, 0xed, 0x51, 0x76, 0x17, 0xad, 0x0b, 0x78, - 0xb8, 0x8b, 0x24, 0x16, 0xba, 0x0b, 0x53, 0xbe, 0xf8, 0x46, 0x12, 0xb0, 0x9d, 0xc0, 0x3b, 0xb6, - 0x2d, 0x12, 0x68, 0x4f, 0x64, 0x48, 0x2c, 0xd7, 0x80, 0xe6, 0xa1, 0xfc, 0xc3, 0x6b, 0xa6, 0x18, - 0xd7, 0x27, 0x32, 0x6c, 0x1c, 0x01, 0xc4, 0x19, 0x62, 0x54, 0x7b, 0x9a, 0x3b, 0x43, 0xbb, 0xf1, - 0x19, 0x62, 0x14, 0xcd, 0xc1, 0x58, 0x40, 0x8e, 0x6d, 0x21, 0x81, 0x3f, 0x95, 0xd1, 0xd6, 0xf0, - 0x99, 0xeb, 0x5e, 0x4d, 0xaf, 0xe5, 0xb2, 0x4d, 0xe6, 0x50, 0xfe, 0x66, 0xaa, 0x3d, 0xeb, 0xae, - 0x7b, 0xa5, 0x29, 
0x44, 0x6c, 0x1b, 0x87, 0xb3, 0xf5, 0x99, 0x8a, 0x6d, 0x87, 0x00, 0xae, 0x99, - 0x99, 0xc4, 0x65, 0x01, 0x76, 0xe4, 0x7c, 0x68, 0xcf, 0xbb, 0x6b, 0x66, 0x29, 0x02, 0xfd, 0x43, - 0x28, 0x47, 0x5f, 0xc4, 0x4f, 0xa1, 0xf2, 0x11, 0x09, 0x69, 0x2d, 0xef, 0x12, 0x24, 0x41, 0xfa, - 0x3f, 0x2e, 0xc1, 0x78, 0x72, 0xea, 0xd1, 0x93, 0x33, 0xf8, 0x02, 0x04, 0x1b, 0x8d, 0xac, 0xd0, - 0x48, 0x33, 0x5d, 0x72, 0xb1, 0x73, 0x4a, 0x6d, 0xda, 0x83, 0x09, 0x9b, 0xa1, 0xd0, 0xef, 0xc0, - 0x74, 0x81, 0x92, 0xc4, 0xed, 0x71, 0x47, 0xc4, 0xbf, 0xa5, 0x8d, 0x2e, 0x1f, 0xf4, 0xff, 0x30, - 0x03, 0x17, 0x8a, 0x2c, 0xda, 0x3f, 0x4b, 0x27, 0x3b, 0xdf, 0x39, 0x2d, 0xca, 0xbc, 0x66, 0x5d, - 0xae, 0xae, 0x32, 0xeb, 0x3a, 0xef, 0x9c, 0x24, 0x01, 0x9f, 0x64, 0x8b, 0xec, 0xb7, 0x1a, 0xea, - 0x4a, 0x85, 0x7c, 0xe0, 0x1a, 0xa5, 0x25, 0x79, 0xb8, 0x0c, 0x75, 0xab, 0xa7, 0xbc, 0x53, 0xbf, - 0xdc, 0xbf, 0x53, 0x1f, 0xce, 0xec, 0xd4, 0xaf, 0x9c, 0xc5, 0xa9, 0x7f, 0x1d, 0x2a, 0xe4, 0x84, - 0x91, 0xc0, 0xc5, 0xce, 0xfa, 0x0e, 0xd5, 0xc6, 0x85, 0x88, 0x49, 0x82, 0xd0, 0x53, 0x80, 0xa3, - 0x27, 0x54, 0xed, 0x25, 0xe5, 0x8c, 0xee, 0x34, 0x9c, 0x04, 0x36, 0x5a, 0x85, 0xc9, 0xf8, 0xe9, - 0x25, 0x63, 0x3e, 0xed, 0xe1, 0x5e, 0x45, 0x96, 0x24, 0x11, 0x78, 0x98, 0x3c, 0x4b, 0xe0, 0xe1, - 0x26, 0x4c, 0x38, 0x1e, 0xb6, 0x96, 0xb1, 0x83, 0x5d, 0x93, 0x04, 0xeb, 0x3b, 0x5a, 0x4d, 0xee, - 0xac, 0x34, 0x14, 0x3d, 0x05, 0x2d, 0x09, 0xa9, 0x0b, 0x4b, 0xd5, 0xc0, 0x6e, 0x83, 0x50, 0x6d, - 0x4a, 0xcc, 0x47, 0xdb, 0x76, 0xb4, 0x06, 0x28, 0x65, 0x64, 0x08, 0xe7, 0xb9, 0x86, 0x3a, 0xf9, - 0xd4, 0x0b, 0x08, 0xa2, 0x18, 0xc9, 0xdd, 0x0e, 0x31, 0x92, 0xe9, 0x37, 0x18, 0x23, 0xb9, 0xf0, - 0x16, 0x63, 0x24, 0x33, 0x3f, 0x45, 0x8c, 0x64, 0xf6, 0xad, 0xc6, 0x48, 0x2e, 0xf6, 0x10, 0x23, - 0xc9, 0xde, 0x0a, 0xd0, 0xda, 0xdc, 0x0a, 0x58, 0x4e, 0xc6, 0x52, 0x2e, 0x9d, 0x61, 0x1d, 0x12, - 0x81, 0x95, 0x8f, 0xa4, 0xca, 0x3b, 0x97, 0x0d, 0xbd, 0xa6, 0x19, 0x7e, 0xdd, 0xa2, 0x49, 0x05, - 0x38, 0x17, 0x8d, 0xb9, 0x7c, 0xfe, 0x68, 0xcc, 0xfc, 
0x1b, 0x88, 0xc6, 0x5c, 0x49, 0x44, 0x63, - 0x1e, 0xa9, 0x68, 0x8c, 0x54, 0xe6, 0xf5, 0x76, 0x5f, 0xf6, 0xfd, 0xb1, 0xef, 0xa6, 0x02, 0x33, - 0x05, 0x91, 0x94, 0x6b, 0x6f, 0x21, 0x92, 0x72, 0xfd, 0xbc, 0x91, 0x94, 0xdb, 0x50, 0xc3, 0xbe, - 0xd8, 0x0c, 0x2c, 0x62, 0x16, 0x37, 0xc4, 0xf7, 0xe7, 0xe0, 0xe8, 0x21, 0xcc, 0x84, 0x6c, 0x38, - 0x6d, 0x76, 0x4a, 0x7b, 0xa1, 0xb8, 0x31, 0x1b, 0xa2, 0x7a, 0xf7, 0x9c, 0x21, 0xaa, 0xaf, 0x60, - 0x5c, 0xf9, 0xcd, 0xe5, 0x60, 0xdf, 0x3b, 0xa3, 0xbf, 0x3a, 0x49, 0xdc, 0x36, 0xf0, 0xf3, 0xfe, - 0x9b, 0x08, 0xfc, 0xe4, 0x82, 0x54, 0x37, 0xcf, 0x15, 0xa4, 0x7a, 0x9e, 0x71, 0xd4, 0x7f, 0xd0, - 0xdd, 0x11, 0x91, 0xf2, 0xcd, 0xdf, 0x85, 0x41, 0xe6, 0x84, 0xfe, 0xfd, 0x4e, 0x64, 0x1c, 0x0d, - 0x7d, 0x0f, 0x5a, 0x64, 0x57, 0xee, 0x61, 0xcb, 0xf2, 0xdc, 0x3d, 0x15, 0x6c, 0x08, 0x1d, 0x17, - 0xdd, 0xcf, 0xd8, 0x2c, 0x4b, 0x58, 0x14, 0x9e, 0x1b, 0x06, 0x63, 0xd0, 0x67, 0x30, 0x7c, 0xe8, - 0x71, 0xed, 0xfe, 0xf6, 0xd9, 0x26, 0x44, 0x52, 0xa1, 0x45, 0x98, 0x89, 0x87, 0x26, 0xf5, 0x9b, - 0x3d, 0x21, 0xab, 0xee, 0x48, 0x93, 0x29, 0x6a, 0x94, 0x16, 0xa9, 0x70, 0x15, 0xa4, 0x82, 0x70, - 0x1f, 0x9e, 0x25, 0x08, 0xf7, 0x2f, 0x4a, 0x70, 0xb1, 0x0d, 0x17, 0xeb, 0x33, 0x12, 0x17, 0xdd, - 0x8a, 0x1c, 0x48, 0xde, 0x8a, 0x4c, 0x45, 0xb4, 0x07, 0x7b, 0x8d, 0x68, 0xeb, 0x87, 0xa0, 0xb5, - 0xe3, 0x44, 0x7d, 0x0e, 0x6f, 0x16, 0x46, 0x68, 0xeb, 0xe0, 0xc0, 0x3e, 0x51, 0xe3, 0x53, 0x4f, - 0xfa, 0x37, 0x70, 0xed, 0xab, 0xd6, 0x3e, 0x09, 0x5c, 0xc2, 0x08, 0x5d, 0x73, 0x8f, 0x37, 0xed, - 0x13, 0x12, 0x2c, 0x59, 0xd8, 0x8f, 0x7c, 0x7d, 0x7d, 0xde, 0xea, 0xb1, 0x00, 0x6d, 0x78, 0xd8, - 0xaa, 0x1f, 0x12, 0xcb, 0x8a, 0x8d, 0x88, 0xdb, 0x50, 0x73, 0x30, 0x23, 0xae, 0x79, 0xba, 0x7b, - 0x18, 0x10, 0x7a, 0xe8, 0x39, 0x96, 0xb2, 0x27, 0x72, 0x70, 0xa4, 0xc3, 0x50, 0xd3, 0xb3, 0xe4, - 0x84, 0x4e, 0x2c, 0x4e, 0xc4, 0xd3, 0xc6, 0xa1, 0x86, 0x68, 0xd3, 0x03, 0x80, 0xd8, 0x9f, 0xd9, - 0xe7, 0xd4, 0x2c, 0xc0, 0x10, 0xb7, 0x14, 0x7a, 0xb0, 0x94, 0x04, 0x9e, 0xfe, 0x0f, 0x60, 
0xba, - 0xc0, 0x0b, 0xdc, 0xe7, 0xcb, 0xa5, 0x47, 0x65, 0x7d, 0x63, 0xb9, 0x87, 0xd7, 0x2b, 0x4c, 0xfd, - 0xff, 0x0d, 0xc0, 0xbc, 0x58, 0xa7, 0x84, 0x6d, 0x2f, 0x16, 0x2c, 0xdc, 0xc1, 0xdb, 0x50, 0x3d, - 0x8a, 0x16, 0x95, 0xab, 0xea, 0x72, 0x40, 0x3f, 0x8b, 0xa7, 0xb0, 0xcb, 0x9a, 0x1b, 0x69, 0x7a, - 0xf4, 0x02, 0x20, 0x76, 0xbc, 0xa9, 0x91, 0xde, 0x4c, 0x79, 0xcd, 0x54, 0x5b, 0x41, 0x57, 0x09, - 0x4a, 0xf4, 0x18, 0x86, 0x29, 0xb3, 0x6c, 0x4f, 0x1d, 0x85, 0x84, 0x4a, 0x51, 0xe7, 0xe0, 0x02, - 0x6a, 0x89, 0x8f, 0xd6, 0xa1, 0x42, 0x19, 0x36, 0x8f, 0xac, 0xc0, 0x3e, 0x26, 0x81, 0x0a, 0xe7, - 0x7d, 0x90, 0x24, 0x8f, 0x1a, 0x0b, 0x3a, 0x49, 0xd2, 0x72, 0x13, 0xb9, 0x45, 0x49, 0x88, 0x60, - 0xac, 0x52, 0x65, 0xeb, 0x75, 0x34, 0x91, 0xd3, 0x14, 0xfa, 0x1f, 0x06, 0xe0, 0x92, 0x78, 0x4f, - 0xe8, 0xc2, 0xf9, 0xcb, 0xf4, 0xff, 0x31, 0xa7, 0xff, 0xbf, 0x94, 0xa0, 0x22, 0xde, 0xa3, 0x26, - 0xfc, 0x23, 0x18, 0x91, 0x7e, 0x67, 0x35, 0xd3, 0x97, 0x13, 0xb1, 0x8b, 0x78, 0x95, 0x42, 0xb3, - 0x4d, 0xa2, 0xa2, 0x67, 0x50, 0x8e, 0x64, 0x8a, 0x9a, 0xd3, 0xab, 0x19, 0xba, 0xe8, 0x7c, 0x85, - 0xde, 0xe0, 0x88, 0x00, 0x2d, 0xc3, 0x18, 0x56, 0xab, 0xae, 0x66, 0xf3, 0x66, 0x3b, 0xe2, 0xf4, - 0xee, 0x30, 0x22, 0x3a, 0xfd, 0x1f, 0x01, 0x4c, 0xe5, 0xc6, 0xf7, 0x27, 0xe7, 0x38, 0x51, 0x0e, - 0x91, 0xa1, 0x7e, 0x1c, 0x22, 0x09, 0x9e, 0x38, 0xdc, 0x87, 0x28, 0x1d, 0x49, 0x8a, 0xd2, 0x37, - 0x7b, 0xcd, 0x39, 0x6b, 0x46, 0x8d, 0xb5, 0x31, 0xa3, 0x7e, 0x9e, 0x58, 0x67, 0xe9, 0x5d, 0x79, - 0xb7, 0x70, 0x73, 0xb5, 0x5b, 0x64, 0x64, 0xc0, 0x2c, 0x25, 0x94, 0xcb, 0x89, 0xd0, 0x00, 0x5c, - 0xeb, 0xd9, 0xe3, 0xd2, 0x86, 0x32, 0xad, 0x55, 0x54, 0xce, 0x73, 0x47, 0x7b, 0xfc, 0x2d, 0x58, - 0x2f, 0xd5, 0xb7, 0x7d, 0x47, 0x7b, 0xe2, 0xa7, 0xb0, 0xfc, 0x27, 0xdf, 0x86, 0xe5, 0x9f, 0xf5, - 0xbd, 0xd4, 0xfa, 0xf6, 0xbd, 0x28, 0x9f, 0xdc, 0xd4, 0x59, 0x7c, 0x72, 0x19, 0x1b, 0x0e, 0x9d, - 0xd3, 0x86, 0x53, 0xf7, 0x11, 0xa6, 0x73, 0x49, 0x45, 0x17, 0xba, 0xc7, 0xc2, 0xf4, 0xdf, 0x56, - 0xe0, 0x42, 0x11, 0xcf, 0x2d, 
0x64, 0x87, 0x03, 0x6f, 0x80, 0x1d, 0x0e, 0xf6, 0xc0, 0x0e, 0x87, - 0xda, 0xb3, 0xc3, 0xe1, 0x73, 0xb2, 0xc3, 0x91, 0x33, 0xbb, 0x5b, 0x47, 0xcf, 0xb2, 0xb4, 0x11, - 0x0b, 0x1d, 0x4b, 0xb2, 0xd0, 0xcf, 0x61, 0xdc, 0xf1, 0xb0, 0x45, 0x95, 0x4e, 0xae, 0x18, 0x5a, - 0x22, 0xd2, 0x9f, 0xd7, 0xd8, 0x8d, 0x14, 0xc5, 0x9f, 0xec, 0x85, 0xea, 0x2c, 0x3b, 0x1f, 0x6f, - 0x9b, 0x2b, 0x93, 0x63, 0x81, 0x93, 0x6f, 0x81, 0x05, 0xd6, 0xce, 0xcb, 0x02, 0xe3, 0x40, 0xeb, - 0x54, 0xcf, 0x81, 0x56, 0x11, 0x40, 0xf4, 0xbd, 0x80, 0x2d, 0x63, 0x66, 0x1e, 0x6e, 0xe2, 0x93, - 0x5d, 0xbb, 0x19, 0x5e, 0x42, 0x2e, 0x68, 0x41, 0x0f, 0x61, 0x26, 0x0d, 0x5d, 0x73, 0x59, 0x60, - 0x13, 0x79, 0x31, 0xa5, 0x6a, 0x14, 0x37, 0xa6, 0x65, 0x4f, 0xb5, 0x67, 0xd9, 0xd3, 0x5e, 0x0c, - 0x4e, 0xf4, 0x2d, 0x06, 0xbb, 0xc9, 0x89, 0x0b, 0x3f, 0x85, 0x9c, 0x98, 0xf9, 0x23, 0xe4, 0xf2, - 0xcc, 0xbe, 0x19, 0x4e, 0x7d, 0x31, 0xc7, 0xa9, 0xb5, 0x1e, 0x38, 0xb5, 0x03, 0x28, 0x7f, 0x21, - 0xa8, 0x4f, 0xeb, 0xf7, 0x3a, 0x54, 0x54, 0xf2, 0xad, 0xb8, 0x17, 0x22, 0x5d, 0x13, 0x49, 0x90, - 0xfe, 0x0f, 0x4b, 0x70, 0xb9, 0xc3, 0x75, 0x17, 0xf4, 0x3c, 0xe5, 0x24, 0xb8, 0xdd, 0xd3, 0x1d, - 0x99, 0x85, 0xcd, 0xd8, 0x81, 0x70, 0x0b, 0x86, 0xf8, 0x13, 0xaa, 0x42, 0x79, 0x69, 0x63, 0x63, - 0xfb, 0x9b, 0xbd, 0xa5, 0xad, 0xef, 0x6a, 0xef, 0xa0, 0x29, 0xa8, 0x1a, 0x6b, 0x5f, 0xac, 0xd7, - 0x77, 0x8d, 0xef, 0xf6, 0xb6, 0xb7, 0x36, 0xbe, 0xab, 0x95, 0xf4, 0xdf, 0xd5, 0xa0, 0x22, 0x83, - 0xfd, 0xe7, 0xf9, 0xe2, 0xb7, 0x22, 0xce, 0xda, 0x68, 0xee, 0x59, 0x91, 0x37, 0x54, 0x20, 0xf2, - 0xb2, 0x8c, 0x73, 0xb8, 0x0d, 0xe3, 0x2c, 0xd6, 0xc9, 0x1f, 0xc2, 0x28, 0x95, 0x57, 0xac, 0x7a, - 0x49, 0x0a, 0x52, 0xa8, 0xe8, 0x3d, 0xa8, 0x8a, 0x1b, 0x2a, 0x75, 0xdc, 0xf4, 0x39, 0xef, 0x13, - 0x42, 0xaa, 0x64, 0xa4, 0x81, 0x69, 0x46, 0x53, 0xee, 0x99, 0xd1, 0x14, 0x5c, 0x56, 0x86, 0xe2, - 0xcb, 0xca, 0x4a, 0x92, 0x57, 0xfa, 0x91, 0xe4, 0x59, 0x39, 0x38, 0xde, 0xb7, 0x1c, 0x34, 0xe1, - 0xda, 0x51, 0x78, 0x39, 0x9e, 0x0b, 0x16, 0x12, 0x1c, 0x8b, 0x43, 
0xe5, 0x12, 0x93, 0xbf, 0x78, - 0xa9, 0x41, 0xa2, 0xb4, 0xf2, 0xb6, 0x51, 0xdd, 0x6e, 0x3d, 0xa0, 0x0d, 0xa8, 0x59, 0xc4, 0x77, - 0xbc, 0xd3, 0x26, 0x71, 0x99, 0x0c, 0x62, 0x2a, 0xbe, 0xdb, 0x5d, 0x9f, 0xc8, 0x51, 0x76, 0xe5, - 0xbb, 0xb5, 0x9f, 0x82, 0xef, 0x4e, 0xbd, 0x0d, 0xbe, 0xfb, 0x04, 0xca, 0x66, 0x74, 0xe7, 0x10, - 0x75, 0x77, 0x30, 0x47, 0xc8, 0xe8, 0x11, 0x8c, 0xaa, 0x98, 0x84, 0x0a, 0xa8, 0x26, 0xb4, 0x2c, - 0xc1, 0x45, 0x94, 0x7f, 0x37, 0xbc, 0x81, 0xaa, 0x90, 0x13, 0x82, 0xff, 0x42, 0xcf, 0x82, 0x5f, - 0x29, 0x88, 0x33, 0x67, 0x51, 0x10, 0x63, 0x97, 0xc9, 0x6c, 0xd6, 0x65, 0x22, 0x86, 0x57, 0xe8, - 0x32, 0x29, 0xd0, 0x9e, 0xb4, 0xb7, 0xa0, 0x3d, 0x5d, 0x3a, 0x7f, 0x22, 0x51, 0x4a, 0x5c, 0xce, - 0x9d, 0x53, 0x5c, 0x6e, 0x42, 0x15, 0xfb, 0x7e, 0xe2, 0xee, 0xea, 0xe5, 0x33, 0x86, 0x7c, 0x52, - 0xd4, 0xe8, 0x10, 0x6e, 0x48, 0x69, 0xb0, 0xc3, 0x97, 0xd4, 0xf4, 0x9c, 0xba, 0x6b, 0xf3, 0x1d, - 0xc8, 0xbf, 0x2b, 0x94, 0x5a, 0x2a, 0xe2, 0xd9, 0x69, 0xf5, 0xbb, 0x77, 0x82, 0x0e, 0xe0, 0x7a, - 0x5b, 0xa4, 0x75, 0x57, 0xbe, 0xe8, 0x4a, 0xd7, 0x17, 0x75, 0xed, 0xa3, 0x40, 0x97, 0xbf, 0x7a, - 0x0e, 0x5d, 0xfe, 0xe7, 0x30, 0x2e, 0xcf, 0x91, 0xbc, 0x01, 0xa1, 0x22, 0xac, 0xd9, 0x0d, 0xba, - 0x92, 0x40, 0x31, 0x52, 0x04, 0xe8, 0x09, 0x5c, 0xfc, 0xe1, 0xf5, 0x11, 0xe5, 0x22, 0xc2, 0x39, - 0x26, 0xc1, 0xda, 0x09, 0x0b, 0xb0, 0xe1, 0x79, 0x6c, 0x65, 0x49, 0x5d, 0xae, 0x6c, 0xd7, 0x8c, - 0x96, 0x60, 0xd4, 0x17, 0xb9, 0xfc, 0x54, 0x5d, 0xb1, 0xec, 0x79, 0x8d, 0x43, 0xba, 0x50, 0xb7, - 0xd2, 0x73, 0xba, 0xd5, 0xbb, 0x3d, 0xe8, 0x56, 0xff, 0xa9, 0x04, 0x28, 0xcf, 0x1d, 0xc4, 0x0d, - 0x7c, 0x09, 0x08, 0x2f, 0x16, 0x95, 0xd4, 0x0d, 0xfc, 0x14, 0x14, 0xbd, 0x82, 0x19, 0x3b, 0x22, - 0x64, 0xfc, 0x6c, 0x90, 0x60, 0x33, 0xd6, 0x8e, 0x12, 0x65, 0x23, 0x0a, 0xd1, 0x8c, 0x62, 0x6a, - 0xae, 0x47, 0x84, 0x0d, 0x0e, 0xa6, 0x54, 0x15, 0x49, 0x48, 0xc1, 0xf4, 0x75, 0x98, 0xca, 0xf1, - 0x8d, 0x3e, 0x23, 0x47, 0xff, 0xaa, 0x04, 0x93, 0x59, 0x2f, 0x40, 0x7f, 0xca, 0xd6, 0x1d, 0x18, - 0x38, 
0x7e, 0xa0, 0xd4, 0xab, 0xc4, 0xfe, 0x89, 0x3a, 0xff, 0xfa, 0x81, 0x62, 0x70, 0x03, 0xc7, - 0x0f, 0x04, 0xf2, 0xa2, 0xf2, 0xe5, 0x16, 0x22, 0x2f, 0x46, 0xc8, 0x8b, 0xfc, 0x73, 0x73, 0xbd, - 0xf4, 0xf9, 0xb9, 0xbf, 0x19, 0x4c, 0xf6, 0xb5, 0x78, 0xae, 0x0f, 0xfe, 0x16, 0xa6, 0x9a, 0x84, - 0x61, 0x0b, 0x33, 0xbc, 0x47, 0x4e, 0xcc, 0x43, 0xec, 0xaa, 0x5a, 0x15, 0x95, 0xc5, 0x3b, 0x85, - 0x9f, 0xb4, 0xa9, 0xb0, 0xd7, 0x14, 0xb2, 0xfa, 0xc4, 0x5a, 0x33, 0x03, 0x47, 0x6b, 0x05, 0x21, - 0x88, 0xf7, 0x0b, 0xbb, 0x8c, 0xa3, 0x11, 0x05, 0x11, 0x88, 0x97, 0xe9, 0x40, 0x42, 0xce, 0x73, - 0x9e, 0xe8, 0x47, 0xc4, 0x14, 0x56, 0x05, 0x5e, 0x51, 0x1c, 0xe1, 0xaf, 0x61, 0x0a, 0x9b, 0x26, - 0xa1, 0x74, 0xcf, 0xf1, 0x1a, 0x7b, 0x7e, 0x5c, 0xc6, 0xa8, 0xb2, 0x78, 0xbf, 0xb0, 0xbf, 0x25, - 0x81, 0xbd, 0xe1, 0x35, 0xe4, 0x16, 0x7d, 0x61, 0x3b, 0x71, 0x84, 0x62, 0x12, 0xa7, 0x1b, 0x75, - 0x0c, 0x37, 0xba, 0xce, 0x12, 0x7a, 0x06, 0x95, 0xd7, 0x98, 0x36, 0x7b, 0x57, 0xe3, 0x93, 0xe8, - 0xfa, 0xaf, 0x4b, 0x70, 0xb9, 0xc3, 0xb4, 0xf5, 0xb9, 0x03, 0xce, 0x37, 0xa6, 0x5f, 0x0d, 0xc2, - 0x7c, 0xa7, 0x25, 0xe8, 0x73, 0x50, 0x0f, 0xe3, 0x7c, 0x9c, 0x1e, 0x32, 0x2a, 0xc3, 0x64, 0x9c, - 0xa7, 0x00, 0x71, 0x4e, 0x4b, 0x0f, 0x49, 0x81, 0x09, 0x6c, 0xf4, 0x08, 0xc6, 0x98, 0xe7, 0x7b, - 0x8e, 0xd7, 0x38, 0xed, 0x21, 0xf7, 0x2f, 0xc2, 0x45, 0xab, 0x30, 0xa9, 0xf2, 0xd3, 0x22, 0x49, - 0xdc, 0xdd, 0x53, 0x97, 0x25, 0x41, 0x2f, 0xc5, 0x5d, 0xd3, 0x03, 0xbb, 0xb1, 0x7d, 0x4c, 0x82, - 0xc0, 0xb6, 0x7a, 0xcf, 0x95, 0xcd, 0xd0, 0xe9, 0xbf, 0x2d, 0xc1, 0xcd, 0xde, 0xf6, 0x70, 0x9f, - 0x4b, 0xf3, 0x05, 0x4c, 0x39, 0x5e, 0xe3, 0x1b, 0xdb, 0xb5, 0xbc, 0xd7, 0xd1, 0x35, 0xd2, 0x81, - 0x6e, 0x06, 0x47, 0x9e, 0x46, 0x5f, 0x53, 0x02, 0x20, 0x29, 0x97, 0xd1, 0x7d, 0x98, 0xa6, 0xad, - 0x7d, 0x6a, 0x06, 0xf6, 0x3e, 0xb1, 0xe2, 0xd4, 0xbe, 0x92, 0xb8, 0xed, 0x58, 0xd4, 0xa4, 0xff, - 0x12, 0x2a, 0x89, 0x4b, 0x6f, 0xd1, 0x85, 0xc5, 0x52, 0xe2, 0xc2, 0x62, 0x98, 0xdf, 0x3c, 0x90, - 0xc8, 0x6f, 0x9e, 0x83, 0x31, 0x6e, 0x55, 
0xed, 0xc4, 0x79, 0xcf, 0xd1, 0x33, 0xba, 0x0a, 0x20, - 0xeb, 0x2c, 0x89, 0xd6, 0x21, 0xd1, 0x9a, 0x80, 0xe8, 0xff, 0xad, 0x0c, 0xb5, 0xdc, 0xe9, 0x8b, - 0xf2, 0x0e, 0xe2, 0x96, 0x70, 0x90, 0x3d, 0x4c, 0x6f, 0x5b, 0xda, 0x3e, 0x93, 0x8b, 0xb3, 0x56, - 0xfa, 0x60, 0x1b, 0x2b, 0x5d, 0x29, 0x1f, 0x43, 0x39, 0xe5, 0x63, 0xb8, 0x87, 0x74, 0x94, 0x79, - 0x6e, 0x70, 0x33, 0xe2, 0x46, 0xe5, 0x41, 0xca, 0x46, 0x0c, 0xc8, 0x59, 0xbc, 0xa3, 0x7d, 0x5b, - 0xbc, 0x4b, 0x30, 0x41, 0xcd, 0x00, 0xab, 0xf7, 0x1f, 0x63, 0x47, 0x65, 0x8d, 0x76, 0xd8, 0x6f, - 0x19, 0x02, 0xe1, 0x37, 0xf2, 0x5c, 0x46, 0x4e, 0xd8, 0x0e, 0x66, 0x87, 0xaa, 0xa0, 0x57, 0x12, - 0x84, 0x3e, 0x85, 0x51, 0x75, 0x17, 0x50, 0x19, 0xf8, 0x37, 0x8a, 0xe2, 0xe5, 0x4a, 0x71, 0x0a, - 0x8d, 0x30, 0x45, 0x81, 0x9e, 0xc3, 0x18, 0x55, 0x19, 0xc0, 0xca, 0xb2, 0xd7, 0x8b, 0xa9, 0x25, - 0x4e, 0x18, 0xf3, 0x0b, 0x69, 0xde, 0x70, 0xe9, 0x9d, 0x3f, 0xa3, 0x78, 0x58, 0xca, 0xe7, 0x53, - 0xeb, 0xd9, 0xe7, 0xb3, 0x09, 0x15, 0x2e, 0x9e, 0x43, 0xc2, 0x3e, 0x5c, 0x01, 0x49, 0xfa, 0x02, - 0x73, 0x06, 0x9d, 0xc3, 0x9c, 0xd1, 0x42, 0xcf, 0xd9, 0x74, 0x94, 0xf5, 0xa6, 0xbc, 0x67, 0xbb, - 0x70, 0xd1, 0x0f, 0x3c, 0x99, 0xd7, 0x92, 0x60, 0x40, 0x44, 0xe5, 0x74, 0x76, 0xe6, 0x0d, 0xed, - 0x48, 0xf5, 0x7f, 0x5b, 0x82, 0xf9, 0x4e, 0x37, 0x42, 0xfa, 0x14, 0x14, 0xdb, 0x30, 0xd3, 0x94, - 0x05, 0x2b, 0xd6, 0x4e, 0x7c, 0x3b, 0x38, 0xed, 0x5d, 0x58, 0x14, 0xd3, 0xe9, 0x3b, 0xa0, 0xb5, - 0x3b, 0x4a, 0x7d, 0x6a, 0xd2, 0xff, 0xa6, 0x04, 0x17, 0xdb, 0x9c, 0x6d, 0xb4, 0x0c, 0x15, 0x9c, - 0x58, 0xd0, 0x52, 0xaf, 0x05, 0x30, 0x12, 0x44, 0x68, 0x2d, 0x21, 0x64, 0x06, 0xb2, 0x57, 0x7a, - 0x72, 0x2f, 0xde, 0x52, 0xa8, 0x21, 0x77, 0x08, 0x49, 0xf5, 0x23, 0xb8, 0xd6, 0x05, 0xb9, 0xff, - 0x62, 0x20, 0x91, 0x60, 0xac, 0x4a, 0xc1, 0xa8, 0xff, 0xf3, 0x2a, 0x54, 0x12, 0x59, 0x90, 0xc9, - 0x9e, 0xdf, 0xed, 0xbd, 0xe7, 0xf7, 0xa0, 0x1a, 0x69, 0xc8, 0x2f, 0x6c, 0x27, 0x94, 0xc7, 0x69, - 0x20, 0xba, 0x05, 0xb1, 0x1e, 0xfd, 0xc2, 0x0b, 0x9a, 0x38, 0xac, 0x4b, 0x92, 
0x05, 0xa3, 0xf5, - 0x50, 0x79, 0xdf, 0xf0, 0x1a, 0x6b, 0xae, 0xe9, 0x59, 0xa1, 0x86, 0x37, 0x91, 0x34, 0xbd, 0x72, - 0x28, 0x46, 0x9e, 0x8a, 0x4b, 0x77, 0xdc, 0x62, 0x9e, 0x4c, 0xf1, 0x55, 0x92, 0x2f, 0x01, 0xe1, - 0x43, 0x57, 0xf1, 0x04, 0x95, 0x06, 0x29, 0x4b, 0x9d, 0xa6, 0x81, 0xe8, 0x2e, 0x4c, 0x99, 0x5e, - 0xd3, 0xf7, 0x5c, 0xe2, 0xb2, 0x8d, 0xb0, 0xd0, 0xa7, 0x94, 0x81, 0xf9, 0x06, 0x25, 0x7e, 0xcc, - 0x56, 0x10, 0x10, 0xd7, 0x3c, 0x15, 0xa2, 0xb0, 0x6a, 0x24, 0x41, 0x71, 0x1e, 0x96, 0x28, 0x63, - 0xd8, 0x6a, 0xfa, 0xca, 0x83, 0xdd, 0x43, 0x1e, 0x56, 0x48, 0x81, 0xb6, 0x60, 0x9a, 0x24, 0xea, - 0xc4, 0x84, 0xa6, 0x3f, 0x64, 0xdd, 0x89, 0xf9, 0x62, 0x32, 0x46, 0x11, 0x21, 0x7a, 0x0e, 0x15, - 0x01, 0xae, 0x33, 0xcc, 0xa8, 0xa5, 0xc4, 0x62, 0xe7, 0x7e, 0x92, 0x04, 0x5c, 0x99, 0x53, 0x05, - 0x59, 0x95, 0xdf, 0x47, 0x5e, 0xd5, 0x96, 0xf5, 0x07, 0x8a, 0x9a, 0xf8, 0x86, 0x08, 0xc1, 0x3b, - 0x2a, 0xd1, 0x45, 0xd5, 0x23, 0xc8, 0x80, 0xe3, 0xf0, 0xc2, 0x44, 0x32, 0xbc, 0x70, 0x0b, 0x26, - 0x6d, 0x37, 0x4d, 0x5f, 0x53, 0xf5, 0x0c, 0xd2, 0xe0, 0x54, 0x7d, 0x56, 0x94, 0xa9, 0xcf, 0xfa, - 0x94, 0x9b, 0xae, 0xf6, 0xb1, 0xed, 0x90, 0x06, 0xb1, 0x94, 0x37, 0xb6, 0xa3, 0x1d, 0x11, 0x63, - 0xa3, 0x65, 0x98, 0x0f, 0x08, 0xb6, 0x6c, 0x97, 0x50, 0xba, 0xee, 0xda, 0xcc, 0xc6, 0xce, 0x2a, - 0x71, 0xf0, 0x69, 0x9d, 0x98, 0x9e, 0x6b, 0x51, 0x95, 0x7b, 0xdf, 0x11, 0x47, 0x26, 0x6a, 0xaa, - 0xf6, 0x1d, 0x12, 0xd8, 0x9e, 0x15, 0x52, 0xcf, 0x08, 0xea, 0x36, 0xad, 0xe8, 0x19, 0x5c, 0x8a, - 0x5a, 0x5e, 0x60, 0xdb, 0x69, 0x05, 0x24, 0xbe, 0x34, 0x3b, 0x2b, 0x48, 0xdb, 0x23, 0xf0, 0x73, - 0x41, 0x19, 0x66, 0x2d, 0x71, 0x27, 0x5e, 0x84, 0xfa, 0xaa, 0x46, 0x02, 0x92, 0x16, 0xb5, 0xda, - 0x19, 0xc2, 0x2b, 0x61, 0x0e, 0xf2, 0x25, 0x71, 0x5c, 0x6b, 0x31, 0x8d, 0x84, 0x47, 0xd9, 0xc7, - 0x4f, 0x41, 0xf3, 0x95, 0xcb, 0x70, 0x95, 0x30, 0x19, 0x8b, 0x08, 0x53, 0xef, 0x64, 0xb2, 0x78, - 0xdb, 0x76, 0xb4, 0x0b, 0x33, 0x62, 0xe7, 0x45, 0xf6, 0x4e, 0xb8, 0xf9, 0x2f, 0x67, 0x5d, 0xc3, - 0x6b, 0x29, 0xb4, 
0x30, 0x07, 0xbe, 0x90, 0x18, 0x2d, 0xc2, 0x05, 0xb5, 0xef, 0x42, 0x4b, 0x4d, - 0xee, 0xe0, 0x79, 0x31, 0x9a, 0xc2, 0xb6, 0x7c, 0x8a, 0xdd, 0x95, 0x33, 0xa6, 0xd8, 0xe5, 0xf3, - 0x0e, 0xaf, 0x16, 0xe6, 0x1d, 0xfe, 0x15, 0xcc, 0xfa, 0x38, 0x20, 0x2e, 0xab, 0x1f, 0xb6, 0x98, - 0xe5, 0xbd, 0x8e, 0xdf, 0x78, 0xbd, 0xdb, 0x1b, 0xdb, 0x10, 0xa2, 0x87, 0x9c, 0x81, 0x24, 0x59, - 0x8a, 0xac, 0x5d, 0x7a, 0x23, 0xd2, 0x43, 0x8a, 0x9a, 0xf9, 0x80, 0xbd, 0x16, 0x73, 0x6c, 0x12, - 0x70, 0x3b, 0x93, 0xab, 0xd7, 0xd2, 0x97, 0x99, 0x81, 0xa2, 0xe7, 0x50, 0x76, 0xec, 0x03, 0x62, - 0x9e, 0x9a, 0x0e, 0x51, 0xf9, 0x1a, 0xdd, 0xe5, 0x69, 0x4c, 0xa2, 0xff, 0xed, 0x00, 0x5c, 0x28, - 0x5a, 0xbd, 0xb7, 0x54, 0x09, 0xab, 0xac, 0x2c, 0xc5, 0xb5, 0xa2, 0x4a, 0x58, 0xef, 0xb6, 0xdb, - 0x50, 0x09, 0xd4, 0xb7, 0x51, 0x0c, 0xeb, 0x77, 0x25, 0xb8, 0xd4, 0xf6, 0x85, 0x7c, 0xf8, 0x22, - 0xb6, 0xad, 0x8c, 0x5f, 0xfe, 0x5b, 0x08, 0x2a, 0xc7, 0x26, 0xae, 0xc8, 0xba, 0x56, 0x59, 0x20, - 0xea, 0x9b, 0xf3, 0x0d, 0xa2, 0xc8, 0x77, 0x60, 0x1f, 0x63, 0x46, 0xbe, 0x22, 0xa7, 0x61, 0x71, - 0xdb, 0x18, 0x22, 0x36, 0x27, 0x5e, 0x49, 0xe6, 0x9f, 0x84, 0x49, 0xb1, 0x29, 0x28, 0xb7, 0x2b, - 0xa9, 0x6b, 0x2b, 0xd1, 0xc9, 0x7f, 0x72, 0xd6, 0x4c, 0x5b, 0xfb, 0x5c, 0xc2, 0x2e, 0x39, 0xb2, - 0x9c, 0x93, 0x36, 0x22, 0xac, 0xfa, 0x2c, 0x58, 0xff, 0x1b, 0x98, 0xcc, 0x54, 0x55, 0x88, 0xb9, - 0x7d, 0xa9, 0x6d, 0xae, 0xc4, 0x70, 0xcf, 0xb9, 0x12, 0x2b, 0x70, 0xb1, 0x4d, 0x29, 0x50, 0x3e, - 0x6c, 0xd3, 0x6f, 0x85, 0x45, 0xc5, 0x4c, 0xbf, 0x25, 0x6b, 0xb3, 0x34, 0x3d, 0x75, 0xe3, 0x57, - 0xd4, 0x66, 0xe1, 0x4f, 0xfa, 0xbf, 0x1b, 0x80, 0x72, 0x54, 0xc8, 0xe1, 0x1c, 0xf9, 0xd7, 0xf3, - 0x30, 0xda, 0xb2, 0xa8, 0x38, 0x35, 0x03, 0xd1, 0x31, 0x0b, 0x41, 0x68, 0x19, 0xc6, 0x5b, 0x94, - 0x6c, 0x71, 0x1d, 0xc8, 0xf9, 0xf2, 0x35, 0xeb, 0xee, 0xd3, 0x92, 0xd6, 0x73, 0x92, 0x06, 0x6d, - 0xc0, 0x54, 0x8b, 0x92, 0xdd, 0xa0, 0x45, 0xd9, 0x6b, 0x2f, 0x60, 0x87, 0xa7, 0xbc, 0xa3, 0xa1, - 0x9e, 0x3a, 0xca, 0x13, 0xa2, 0xa7, 0x30, 0xcc, 0xbc, 
0x23, 0xe2, 0x9e, 0xa9, 0x4c, 0xb1, 0x24, - 0xd1, 0xff, 0x2e, 0x8c, 0x27, 0x33, 0xf9, 0xd0, 0x3c, 0x94, 0x45, 0x9e, 0xbd, 0xf8, 0x7a, 0x39, - 0xe7, 0x31, 0x20, 0xf2, 0xe4, 0x0c, 0x24, 0x3c, 0x39, 0x5c, 0x46, 0x89, 0x1e, 0xc4, 0xed, 0x0f, - 0xb5, 0x3d, 0x63, 0x88, 0xfe, 0x2f, 0x4b, 0x50, 0x7d, 0xf3, 0x6a, 0xbc, 0x0e, 0xe3, 0x61, 0x4e, - 0xdb, 0x4e, 0xac, 0x2e, 0xa7, 0x60, 0xd1, 0x68, 0x07, 0xd3, 0x7e, 0xa7, 0x6c, 0x59, 0x47, 0xfd, - 0xbf, 0x0f, 0xc1, 0x4c, 0x61, 0x91, 0x19, 0xf4, 0x2d, 0x5c, 0x92, 0x9b, 0x22, 0x8e, 0xfc, 0x2d, - 0x9f, 0xaa, 0x12, 0x56, 0x3d, 0xb8, 0x7e, 0xda, 0x13, 0xa3, 0xef, 0x60, 0xda, 0x25, 0xc7, 0x44, - 0xbd, 0xb0, 0xcf, 0xca, 0xc5, 0x46, 0x51, 0x1f, 0x22, 0x73, 0xce, 0x79, 0x8d, 0x4f, 0x69, 0xa6, - 0xef, 0xf1, 0xb3, 0x66, 0xce, 0x15, 0x74, 0x82, 0x36, 0x60, 0x3a, 0x20, 0xaf, 0x03, 0x9b, 0x91, - 0x25, 0xdf, 0x7f, 0xb9, 0xbb, 0xbb, 0xb3, 0x13, 0x78, 0xfb, 0xe1, 0x5d, 0xb9, 0x8e, 0x25, 0x68, - 0x0a, 0xc8, 0xb8, 0x0e, 0x6e, 0x8b, 0xfe, 0x85, 0x07, 0x41, 0x2d, 0x4a, 0x12, 0x84, 0x0c, 0x98, - 0x96, 0x8f, 0x24, 0x65, 0xcb, 0xf7, 0x5a, 0x76, 0xa9, 0x88, 0x18, 0xbd, 0x84, 0x09, 0x6f, 0x3f, - 0x35, 0x35, 0xbd, 0x46, 0xdd, 0x33, 0x74, 0x32, 0xa8, 0xf6, 0x83, 0x54, 0x7b, 0x5e, 0x19, 0x1b, - 0x42, 0xa1, 0x13, 0x41, 0xb5, 0x18, 0xa6, 0xff, 0x93, 0x12, 0x5c, 0x6c, 0x93, 0x99, 0xd1, 0xa7, - 0x94, 0x7c, 0x0e, 0xe3, 0x5e, 0x8b, 0xf9, 0x2d, 0xa6, 0xca, 0x6a, 0x0d, 0xf4, 0x50, 0xf7, 0x28, - 0x81, 0xaf, 0xff, 0x7e, 0x10, 0xae, 0x74, 0x4c, 0xf6, 0xe8, 0x73, 0x5c, 0x1f, 0x89, 0x1c, 0xac, - 0x43, 0x35, 0x9e, 0x6b, 0x85, 0x99, 0x25, 0x4b, 0x2d, 0x16, 0x17, 0x39, 0x6c, 0xb1, 0x43, 0xf4, - 0x49, 0xa4, 0x8b, 0x16, 0xe4, 0xb3, 0x44, 0x64, 0x85, 0xa5, 0x71, 0xd6, 0x44, 0x8c, 0x99, 0x91, - 0x13, 0xf6, 0x45, 0x80, 0xfd, 0x43, 0xc5, 0x40, 0x8b, 0x3b, 0x58, 0x49, 0x20, 0x1a, 0x29, 0x32, - 0xb4, 0x1d, 0x07, 0x36, 0x24, 0x03, 0xfd, 0xb8, 0xc7, 0x9c, 0x98, 0x05, 0x15, 0x71, 0xc9, 0x16, - 0x20, 0xdb, 0x86, 0x51, 0xe5, 0x2d, 0x51, 0x71, 0x87, 0x7e, 0x3b, 0x54, 0xbd, 0xcc, 0xad, 
0x41, - 0x35, 0xd5, 0xd2, 0xa7, 0x6b, 0xe5, 0x5f, 0x97, 0x60, 0xa6, 0x70, 0x29, 0xb8, 0xa5, 0x8b, 0x7d, - 0x7f, 0x25, 0x20, 0x16, 0x71, 0xb9, 0xe9, 0x43, 0x7b, 0xe8, 0x36, 0x43, 0xc1, 0xa5, 0x32, 0xf6, - 0x6d, 0xae, 0xa2, 0x28, 0xa9, 0x2c, 0x9f, 0xd0, 0x42, 0x9c, 0x0c, 0x6e, 0x9a, 0x91, 0x68, 0x91, - 0x3c, 0xb9, 0xa0, 0x45, 0xff, 0x7b, 0xfc, 0xb8, 0x14, 0x2e, 0x7c, 0x9f, 0xdb, 0xf2, 0x2e, 0x4c, - 0x51, 0xdc, 0xf4, 0xc5, 0xe5, 0x87, 0x7d, 0x2c, 0x4b, 0x39, 0x2a, 0x79, 0x91, 0x6f, 0xd0, 0xb7, - 0x53, 0xaf, 0x4f, 0x6e, 0x9b, 0x3e, 0x67, 0xfd, 0x6f, 0x07, 0x60, 0x3c, 0xf5, 0x15, 0x8f, 0x61, - 0xd4, 0xc2, 0x0c, 0x5b, 0x5e, 0x23, 0x5f, 0xde, 0x54, 0x22, 0xae, 0xca, 0xe6, 0x70, 0x1b, 0x28, - 0x6c, 0xf4, 0x19, 0x57, 0xd6, 0x1b, 0x87, 0x8c, 0x32, 0xe2, 0xe7, 0x0f, 0x99, 0x24, 0xdd, 0xe0, - 0x08, 0x75, 0x46, 0xfc, 0x30, 0xdb, 0x29, 0xa2, 0x40, 0x0f, 0x61, 0xe4, 0x47, 0xdb, 0x3f, 0xb2, - 0xc3, 0xda, 0x9c, 0xf3, 0x59, 0xda, 0xef, 0x45, 0x6b, 0x78, 0xc8, 0x24, 0x2e, 0x5a, 0x29, 0xca, - 0x1a, 0xbb, 0x91, 0x25, 0x4d, 0x4f, 0x59, 0x36, 0xce, 0xab, 0xdf, 0x83, 0xe9, 0x82, 0x2f, 0x43, - 0x1a, 0x8c, 0x62, 0x55, 0xc0, 0x47, 0xaa, 0x1a, 0xe1, 0xa3, 0x5e, 0x87, 0x99, 0xc2, 0xef, 0x69, - 0x4f, 0xc2, 0x65, 0x89, 0x74, 0x2c, 0xed, 0x0a, 0x5d, 0x48, 0x5d, 0x43, 0x4d, 0x80, 0xf4, 0x05, - 0x40, 0xf9, 0x0f, 0xed, 0x30, 0x88, 0xdf, 0x97, 0xe0, 0x62, 0x9b, 0xcf, 0x43, 0xf7, 0xc3, 0x1a, - 0x2f, 0xdd, 0x77, 0x82, 0xaa, 0xff, 0xf2, 0x10, 0x66, 0x9a, 0xf8, 0x64, 0xab, 0xd5, 0xdc, 0x27, - 0xc1, 0xf6, 0xc1, 0x12, 0x63, 0x81, 0xbd, 0xdf, 0xe2, 0xda, 0xba, 0xdc, 0x8a, 0xc5, 0x8d, 0xe8, - 0x11, 0xcc, 0x26, 0x1b, 0x12, 0x22, 0x50, 0x5e, 0x16, 0x6d, 0xd3, 0xca, 0x0d, 0xf7, 0x44, 0xcb, - 0x26, 0xa1, 0x14, 0x37, 0xc2, 0xff, 0x6d, 0x91, 0x57, 0x48, 0xdb, 0xb6, 0xeb, 0xff, 0x6b, 0x18, - 0xaa, 0xaa, 0x3e, 0xe5, 0xb9, 0x0e, 0xde, 0xc7, 0x30, 0xf2, 0x03, 0x26, 0x8d, 0x88, 0xb5, 0x67, - 0xf6, 0xb9, 0xed, 0x36, 0xbe, 0x14, 0xcd, 0xe1, 0x8e, 0x93, 0xc8, 0xb9, 0x20, 0xd5, 0x50, 0xdf, - 0x41, 0xaa, 0x39, 0x18, 0xf3, 
0xc3, 0x62, 0x57, 0xd2, 0xec, 0x89, 0x9e, 0xd1, 0x83, 0x38, 0xb6, - 0x34, 0x92, 0x8d, 0xab, 0xb5, 0x89, 0x28, 0x7d, 0x1c, 0x1d, 0xa0, 0xd1, 0x36, 0xdf, 0x53, 0x78, - 0x82, 0x96, 0x00, 0x3c, 0x9f, 0xb8, 0x26, 0x71, 0x69, 0x2b, 0x2c, 0xae, 0x7a, 0x23, 0x47, 0xba, - 0x1d, 0xa1, 0x84, 0x37, 0x2e, 0x62, 0xa2, 0x1e, 0x42, 0x65, 0xdd, 0xc2, 0x4b, 0xd5, 0x9f, 0x22, - 0xbc, 0x34, 0xf1, 0x47, 0xb8, 0x46, 0x3f, 0x79, 0xce, 0xbf, 0xc4, 0xf8, 0xf7, 0x03, 0xf2, 0x90, - 0x17, 0x2c, 0x41, 0x18, 0x89, 0x2d, 0xe5, 0x22, 0xb1, 0x03, 0x3d, 0x44, 0x62, 0x5f, 0x42, 0x99, - 0x9c, 0xf8, 0x5e, 0x90, 0xc8, 0x2e, 0xbd, 0xdd, 0x61, 0xd5, 0xd7, 0x42, 0xdc, 0x90, 0x71, 0x47, - 0xc4, 0xe9, 0x2a, 0x30, 0xc3, 0xfd, 0x55, 0x81, 0xc9, 0x87, 0xc3, 0x46, 0xfa, 0x0f, 0x87, 0xe9, - 0x07, 0x70, 0xbd, 0xdb, 0x07, 0x70, 0x2b, 0x2f, 0x29, 0x38, 0x7a, 0xb6, 0xf2, 0x92, 0x72, 0xe3, - 0x7f, 0x0c, 0x4a, 0xc1, 0x91, 0x61, 0x15, 0xe7, 0x5b, 0x98, 0xc8, 0x71, 0x01, 0x49, 0xc7, 0xc5, - 0xa7, 0x91, 0x53, 0x61, 0x30, 0xeb, 0x4d, 0x4a, 0x8d, 0x60, 0x53, 0x20, 0x85, 0x47, 0x5c, 0x92, - 0x08, 0x47, 0x8a, 0x8f, 0xdd, 0x3a, 0xf3, 0x02, 0xdc, 0x20, 0xfc, 0x9d, 0xca, 0x07, 0x93, 0x05, - 0x73, 0x4e, 0xea, 0x93, 0x80, 0xda, 0x94, 0xf5, 0x92, 0x4c, 0xab, 0x50, 0xd1, 0x6d, 0xa8, 0x51, - 0xd9, 0x49, 0x5c, 0x7f, 0x53, 0x06, 0x36, 0x72, 0x70, 0x11, 0x4b, 0x11, 0x42, 0x4f, 0x5c, 0x1a, - 0x54, 0xff, 0xea, 0x16, 0x43, 0xd2, 0xbb, 0x69, 0xec, 0x4d, 0xed, 0xa6, 0xf2, 0x39, 0x76, 0xd3, - 0x53, 0xb8, 0xd4, 0x76, 0x8a, 0xd1, 0x15, 0x80, 0x26, 0x3e, 0xd9, 0x13, 0x2a, 0x3f, 0x55, 0x85, - 0xf7, 0xca, 0x4d, 0x7c, 0x22, 0x04, 0x33, 0xd5, 0xff, 0x77, 0xbc, 0x43, 0x52, 0x52, 0xfd, 0xcd, - 0xec, 0x90, 0x72, 0x72, 0x87, 0xdc, 0x85, 0x29, 0x9f, 0x5b, 0xad, 0x75, 0x86, 0x03, 0xd6, 0xf2, - 0x45, 0x78, 0x40, 0x49, 0xe1, 0x7c, 0x03, 0x7a, 0x06, 0x97, 0x1c, 0xfb, 0x98, 0x88, 0x88, 0x40, - 0x8e, 0xaa, 0x22, 0x1d, 0xff, 0x6d, 0x11, 0xd0, 0x3c, 0x94, 0x7f, 0xd9, 0x22, 0xc1, 0x69, 0x74, - 0xdb, 0xa5, 0x6a, 0xc4, 0x80, 0x3e, 0x9d, 0x6c, 0xdc, 0x5a, 0xfd, 
0x01, 0x1f, 0xe3, 0x6d, 0x9f, - 0xd1, 0x97, 0x04, 0xfb, 0xf2, 0xbf, 0xa8, 0x8c, 0x14, 0x8c, 0x8b, 0xcc, 0x26, 0x3e, 0xa9, 0xfb, - 0x58, 0xa5, 0x66, 0x57, 0x8d, 0xe8, 0x19, 0x7d, 0x0c, 0x43, 0x5c, 0xbc, 0xb6, 0x15, 0x61, 0x72, - 0x01, 0xb6, 0x3c, 0x2b, 0x94, 0x9c, 0x02, 0xfd, 0xcd, 0xfe, 0xdd, 0x9f, 0xfe, 0x61, 0xc4, 0xae, - 0xb3, 0xaf, 0x43, 0x08, 0x86, 0x4c, 0xbf, 0x15, 0x6e, 0x12, 0xf1, 0x5b, 0xff, 0x4d, 0x09, 0xa6, - 0xbf, 0xb2, 0xb1, 0x63, 0xbf, 0x89, 0xe0, 0x34, 0xba, 0x0c, 0x65, 0x93, 0x04, 0x6c, 0xef, 0xc0, - 0x76, 0x42, 0x27, 0xd8, 0x18, 0x07, 0xa8, 0xc8, 0x69, 0x4d, 0x79, 0x65, 0xf7, 0x8e, 0xc8, 0xa9, - 0xc4, 0x19, 0x54, 0x7f, 0x44, 0x18, 0x79, 0x6b, 0x39, 0xa6, 0xee, 0x00, 0x52, 0x63, 0x7a, 0xd3, - 0x6e, 0xb1, 0x22, 0xf7, 0xd6, 0x3f, 0x1b, 0x84, 0x0b, 0xe2, 0x75, 0xab, 0x98, 0x1e, 0xee, 0x7b, - 0x38, 0x08, 0xad, 0xc8, 0xb4, 0xe7, 0xae, 0x94, 0xf5, 0xdc, 0x71, 0xad, 0xa3, 0x45, 0x49, 0xe0, - 0xe2, 0x26, 0x89, 0xcd, 0xba, 0x24, 0x08, 0xbd, 0x07, 0x55, 0x1f, 0x53, 0xea, 0x1f, 0x06, 0x98, - 0x26, 0xbc, 0xd3, 0x69, 0x20, 0x7a, 0x0e, 0xe3, 0xc7, 0x36, 0x79, 0xbd, 0xed, 0x3a, 0xa7, 0x82, - 0x27, 0x75, 0xbf, 0xcb, 0x97, 0xc2, 0xe7, 0xe3, 0x6c, 0x04, 0xf8, 0x00, 0xbb, 0xf8, 0x95, 0xb1, - 0x11, 0xfe, 0xcb, 0x65, 0x0c, 0x11, 0xe5, 0x4a, 0x05, 0xe3, 0xe0, 0xcd, 0xea, 0xce, 0x53, 0x04, - 0x40, 0x0f, 0x95, 0x57, 0xa2, 0xd7, 0xd4, 0x5b, 0xe9, 0x96, 0xb8, 0x0f, 0xd3, 0xea, 0x0d, 0xeb, - 0xae, 0x4a, 0x92, 0xe3, 0xbd, 0xcb, 0x4c, 0xdc, 0xa2, 0x26, 0x6e, 0xe7, 0xca, 0x97, 0xa6, 0x08, - 0x24, 0x07, 0x29, 0x68, 0xd1, 0xff, 0xf3, 0x18, 0x54, 0xc4, 0xb2, 0x9c, 0x37, 0x15, 0x4d, 0x5e, - 0x53, 0x5b, 0x25, 0x4d, 0x4f, 0x7a, 0x72, 0x7b, 0x49, 0x45, 0xcb, 0xd2, 0x84, 0xfc, 0x72, 0x30, - 0xc7, 0x2f, 0x87, 0x7a, 0xe0, 0x97, 0xbd, 0xe6, 0x9f, 0xb5, 0xa9, 0x0a, 0x3d, 0xd2, 0xbe, 0x2a, - 0xf4, 0x27, 0x89, 0x4b, 0x5c, 0x39, 0xa5, 0xbb, 0xe0, 0x5c, 0x27, 0xee, 0x6f, 0x3d, 0x83, 0xb2, - 0x15, 0x6e, 0x78, 0xc5, 0xb2, 0xae, 0x66, 0x68, 0x33, 0x07, 0xc2, 0x88, 0x09, 0xb2, 0x1a, 0xf7, - 0x64, 
0x5e, 0xe3, 0xfe, 0xcb, 0xdf, 0x52, 0xfd, 0xd4, 0x7f, 0x4b, 0x95, 0xb1, 0x04, 0x26, 0xce, - 0x79, 0x43, 0x2f, 0xba, 0xe3, 0x55, 0xcb, 0xde, 0xf1, 0x4a, 0xc9, 0xdb, 0xa9, 0x9e, 0xe5, 0xed, - 0x6d, 0x98, 0x88, 0xf7, 0xf4, 0x92, 0x65, 0x05, 0x92, 0x2d, 0xab, 0x55, 0x4b, 0xb5, 0xa0, 0x47, - 0xb1, 0x39, 0x9a, 0x4b, 0x35, 0xcb, 0xcb, 0x8a, 0xc8, 0x26, 0xd5, 0xff, 0x3e, 0xc0, 0x32, 0xa6, - 0xa1, 0x08, 0xf9, 0x12, 0x90, 0x8a, 0x06, 0x1b, 0xab, 0xbb, 0xa4, 0xe9, 0x3b, 0x22, 0x1c, 0xd8, - 0x9d, 0x9d, 0x14, 0x50, 0x71, 0xde, 0x7e, 0x1c, 0xfd, 0x35, 0x0b, 0x67, 0x65, 0x92, 0xff, 0xa7, - 0x81, 0xfa, 0x13, 0x40, 0xb2, 0xea, 0xb1, 0x2c, 0xcf, 0xad, 0xc6, 0x91, 0xf5, 0x8b, 0x97, 0x0a, - 0xfc, 0xe2, 0xff, 0x67, 0x0c, 0x46, 0xc4, 0xdb, 0x29, 0x7a, 0x1f, 0x06, 0x4d, 0xd7, 0x56, 0x7c, - 0x6b, 0x3a, 0xf5, 0xcf, 0xbb, 0x61, 0x51, 0x4a, 0xd3, 0xb5, 0xd1, 0xa7, 0x30, 0x2e, 0xca, 0x59, - 0x9b, 0x5e, 0x40, 0x2c, 0x97, 0xe6, 0xff, 0xe7, 0x36, 0xf5, 0x77, 0xa3, 0x46, 0x0a, 0x19, 0x3d, - 0x84, 0xb1, 0xa8, 0x4a, 0x9e, 0x54, 0x99, 0xb4, 0x5c, 0x65, 0xd8, 0xa8, 0xf0, 0x4b, 0x88, 0x89, - 0x16, 0x60, 0xa4, 0x21, 0xca, 0x28, 0x2b, 0x73, 0x69, 0x36, 0xfb, 0x1f, 0x14, 0xa1, 0x21, 0x20, - 0xb1, 0xd0, 0x53, 0x18, 0x55, 0xb2, 0xa1, 0x67, 0x79, 0x13, 0x12, 0xa0, 0x3b, 0x30, 0xdc, 0xb4, - 0x4f, 0x48, 0xa0, 0x98, 0xd5, 0x4c, 0xa6, 0x44, 0x4d, 0x58, 0xcc, 0x49, 0xe0, 0x88, 0x72, 0xa3, - 0xb6, 0xe3, 0x85, 0x7f, 0x5a, 0x32, 0x53, 0x98, 0x58, 0x65, 0x48, 0x1c, 0xf4, 0x38, 0x59, 0x25, - 0xe9, 0x62, 0xb6, 0x5c, 0x7e, 0x87, 0x02, 0x49, 0x4f, 0x53, 0x09, 0x23, 0xe1, 0x9f, 0x9b, 0x14, - 0x5c, 0x97, 0x2b, 0xc8, 0x12, 0xf9, 0x06, 0x66, 0x69, 0x3a, 0xa8, 0xa6, 0xfe, 0x24, 0x41, 0x31, - 0x83, 0x64, 0x7c, 0xa0, 0x28, 0xf8, 0x66, 0xb4, 0x21, 0x47, 0x0f, 0x60, 0x94, 0xa9, 0xbf, 0x5b, - 0x99, 0xc8, 0x09, 0xa7, 0xa4, 0xdb, 0xca, 0x08, 0xf1, 0xf8, 0x6c, 0x1d, 0xf1, 0x43, 0xa4, 0xbc, - 0x05, 0x33, 0x99, 0xb3, 0x15, 0xce, 0x96, 0xc0, 0x41, 0x1a, 0x8c, 0x1e, 0x73, 0xbb, 0xcb, 0x73, - 0xd5, 0x45, 0xa5, 0xf0, 0x51, 0x08, 0x5b, 
0xf5, 0x7f, 0xd2, 0x19, 0x76, 0xd0, 0x59, 0xd8, 0x66, - 0x68, 0xd0, 0x0e, 0xa0, 0x78, 0xa2, 0xb6, 0xd5, 0x1f, 0x49, 0xf4, 0x7a, 0x3f, 0xd5, 0x28, 0xa0, - 0x45, 0xf7, 0xa1, 0x2c, 0xff, 0xb8, 0x8a, 0x9f, 0xa3, 0xe9, 0xf6, 0xe7, 0x68, 0x4c, 0x60, 0xad, - 0xb8, 0x36, 0x7a, 0x02, 0xe5, 0x23, 0x51, 0xb5, 0xda, 0xfe, 0x91, 0xf4, 0x70, 0x53, 0x35, 0x46, - 0x4e, 0x15, 0x76, 0x9f, 0xc9, 0x14, 0x76, 0x7f, 0x0c, 0xd0, 0x24, 0x54, 0x85, 0x15, 0xd4, 0x85, - 0x92, 0xb6, 0xba, 0x43, 0x02, 0x15, 0xdd, 0x82, 0xa1, 0x7d, 0x4c, 0x89, 0x2a, 0xef, 0x99, 0xf8, - 0xa7, 0x93, 0x98, 0xbb, 0x19, 0x02, 0x03, 0x7d, 0xae, 0xb8, 0x80, 0xe2, 0x38, 0xaa, 0x74, 0xe7, - 0x7c, 0xb6, 0x00, 0x7e, 0x92, 0x1f, 0x19, 0x29, 0x0a, 0x5d, 0x83, 0xd9, 0xe2, 0xa9, 0xd5, 0xaf, - 0xc1, 0x95, 0x8e, 0x42, 0x43, 0x9f, 0x85, 0x0b, 0x45, 0x79, 0xac, 0xfa, 0xdf, 0x81, 0x6a, 0xea, - 0x3f, 0x00, 0xdf, 0x70, 0x81, 0xc7, 0x49, 0xa8, 0xa6, 0xa6, 0xee, 0xf6, 0x3d, 0x79, 0xab, 0x04, - 0x8d, 0xc3, 0x98, 0xca, 0x5b, 0xb1, 0x6a, 0xef, 0xf0, 0x27, 0xc7, 0x6b, 0xec, 0x79, 0xae, 0x73, - 0x5a, 0x2b, 0xa1, 0x0a, 0x1f, 0xc2, 0x81, 0x17, 0x98, 0xa4, 0x36, 0x70, 0xfb, 0xcb, 0x36, 0x59, - 0x85, 0x68, 0x12, 0x2a, 0xaf, 0xb6, 0xea, 0x3b, 0x6b, 0x2b, 0xeb, 0x2f, 0xd6, 0xd7, 0x56, 0x6b, - 0xef, 0x70, 0xb2, 0xd5, 0xb5, 0x17, 0x4b, 0xaf, 0x36, 0x76, 0x6b, 0x25, 0x04, 0x30, 0x52, 0xdf, - 0x35, 0xd6, 0x57, 0x76, 0x6b, 0x03, 0x68, 0x14, 0x06, 0xb7, 0x5f, 0xbc, 0xa8, 0x0d, 0xde, 0xfe, - 0xa0, 0xe0, 0xe2, 0x27, 0x1a, 0x83, 0xa1, 0x2f, 0xeb, 0xdb, 0x5b, 0xb5, 0x77, 0xf8, 0xaf, 0xdd, - 0xb5, 0x6f, 0x77, 0x6b, 0xa5, 0xdb, 0x4b, 0x61, 0x6c, 0x8f, 0xf7, 0x23, 0xbd, 0xa1, 0xb5, 0x77, - 0x50, 0x35, 0x11, 0xc6, 0x90, 0xc3, 0x54, 0x01, 0x8e, 0xda, 0x00, 0x1f, 0x4d, 0xc2, 0xff, 0x53, - 0x1b, 0x5c, 0x86, 0xef, 0xc7, 0xc2, 0x85, 0xdd, 0x1f, 0x11, 0x53, 0xf7, 0xd1, 0xff, 0x0f, 0x00, - 0x00, 0xff, 0xff, 0xd1, 0xa6, 0x46, 0xe3, 0x79, 0x80, 0x00, 0x00, + 0x8a, 0x22, 0x1b, 0xb0, 0x8d, 0xef, 0x64, 0x18, 0x30, 0x3e, 0x63, 0xc6, 0x06, 0x7c, 0x31, 0x60, + 0x18, 0xb6, 
0x31, 0x67, 0x1b, 0x86, 0xfd, 0x03, 0x6c, 0xc0, 0x17, 0xff, 0x03, 0x9f, 0x06, 0xbe, + 0xd8, 0x3e, 0xf8, 0x36, 0xf0, 0xc1, 0x03, 0xf8, 0x43, 0x2c, 0xb9, 0x67, 0x2d, 0x2c, 0x4a, 0xd3, + 0x03, 0xcc, 0xdc, 0x2a, 0x5f, 0xbc, 0x17, 0x19, 0x19, 0xcb, 0x5b, 0xe3, 0xbd, 0x82, 0xdb, 0xfe, + 0x51, 0xe3, 0x1e, 0xf6, 0x6d, 0x7a, 0xcf, 0xa6, 0xcc, 0xf6, 0xee, 0x1d, 0x3f, 0xc0, 0x8e, 0x7f, + 0x88, 0x1f, 0xdc, 0x3b, 0xc6, 0x4e, 0x8b, 0xd0, 0x3d, 0x76, 0xea, 0x13, 0xba, 0xe0, 0x07, 0x1e, + 0xf3, 0xd0, 0x58, 0xd8, 0x38, 0x77, 0xb5, 0xe1, 0x79, 0x0d, 0x87, 0xdc, 0x13, 0xf0, 0xfd, 0xd6, + 0xc1, 0x3d, 0xab, 0x15, 0x60, 0x66, 0x7b, 0xae, 0xc4, 0x9c, 0xfb, 0xbc, 0x61, 0xb3, 0xc3, 0xd6, + 0xfe, 0x82, 0xe9, 0x35, 0xef, 0x35, 0xbc, 0x86, 0x17, 0x23, 0x46, 0x3f, 0xb2, 0x3d, 0xbc, 0x0e, + 0xb0, 0xef, 0x93, 0x40, 0xbd, 0x4b, 0x37, 0x00, 0x96, 0x02, 0xf3, 0x70, 0xc5, 0x73, 0x0f, 0xec, + 0x06, 0xba, 0x00, 0xc3, 0xb8, 0x69, 0x3d, 0x7a, 0xa8, 0x95, 0xae, 0x97, 0x6e, 0x55, 0x0d, 0xf9, + 0x80, 0x34, 0x18, 0xf5, 0x7d, 0xf3, 0xd1, 0x43, 0x87, 0x68, 0x03, 0x02, 0x1e, 0x3e, 0x72, 0x7c, + 0xfa, 0xd1, 0x27, 0xf7, 0x4f, 0xb4, 0x41, 0x89, 0x2f, 0x1e, 0xf4, 0xff, 0x3a, 0x04, 0xe5, 0x95, + 0xad, 0x75, 0xd5, 0xe7, 0x43, 0x18, 0x25, 0x2e, 0xde, 0x77, 0x88, 0x25, 0x7a, 0xad, 0x2c, 0xce, + 0x2d, 0xc8, 0x31, 0x2d, 0x84, 0x63, 0x5a, 0x58, 0xf6, 0x3c, 0xe7, 0x6b, 0x3e, 0x0f, 0x46, 0x88, + 0x8a, 0x6a, 0x30, 0x78, 0xd8, 0xda, 0x17, 0xef, 0x2b, 0x1b, 0xfc, 0x27, 0xfa, 0x19, 0x0c, 0x32, + 0xdc, 0x10, 0x6f, 0xaa, 0x2c, 0x5e, 0x5c, 0x08, 0xe7, 0x68, 0x61, 0xf7, 0xd4, 0x27, 0xeb, 0x2e, + 0x23, 0xc1, 0x01, 0x36, 0x89, 0xc1, 0x71, 0xf8, 0xb0, 0xec, 0x26, 0x6e, 0x10, 0x6d, 0x48, 0x90, + 0xcb, 0x07, 0x74, 0x15, 0xc0, 0x6f, 0x39, 0xce, 0x8e, 0xe7, 0xd8, 0xe6, 0xa9, 0x36, 0x2c, 0x9a, + 0x12, 0x10, 0x34, 0x0f, 0x65, 0xd3, 0xb5, 0x97, 0x6d, 0x77, 0xd5, 0x0e, 0xb4, 0x11, 0xd1, 0x1c, + 0x03, 0x38, 0xb5, 0xe9, 0xda, 0xfc, 0x9b, 0x78, 0xf3, 0xa8, 0xa4, 0x8e, 0x21, 0xe8, 0x16, 0x4c, + 0xaa, 0xa7, 0x17, 0xb6, 0x43, 0xb6, 0x70, 0x93, 
0x68, 0x63, 0x02, 0x29, 0x0b, 0x46, 0x77, 0x61, + 0x8a, 0x9c, 0x98, 0x4e, 0xcb, 0x12, 0x8f, 0xd4, 0xc7, 0x26, 0xa1, 0x5a, 0xf9, 0xfa, 0xe0, 0xad, + 0xb2, 0x91, 0x6f, 0x40, 0x1b, 0x30, 0xe1, 0x7b, 0xd6, 0x92, 0xeb, 0x7a, 0x4c, 0xac, 0x3c, 0xd5, + 0x40, 0xcc, 0xc0, 0xf5, 0xf4, 0x0c, 0x6c, 0x62, 0xbf, 0xce, 0x02, 0xdb, 0x6d, 0x44, 0x53, 0xb1, + 0x3c, 0xa0, 0x95, 0x8c, 0x0c, 0x2d, 0xba, 0x05, 0x35, 0x9f, 0xfa, 0x7b, 0xa6, 0xd3, 0xa2, 0x8c, + 0x04, 0x7b, 0x81, 0xe7, 0x10, 0xad, 0x22, 0x86, 0x39, 0xe1, 0x53, 0x7f, 0x45, 0x82, 0x0d, 0xcf, + 0x21, 0x68, 0x0e, 0xc6, 0x1c, 0xaf, 0xb1, 0x41, 0x8e, 0x89, 0xa3, 0x8d, 0x0b, 0x8c, 0xe8, 0x19, + 0x3d, 0x80, 0x91, 0x80, 0xf8, 0xd8, 0x0e, 0xb4, 0xaa, 0x18, 0xcb, 0xa5, 0x78, 0x2c, 0x2b, 0x5b, + 0xeb, 0x86, 0x68, 0x92, 0xab, 0x6f, 0x28, 0x44, 0xbe, 0x0b, 0xcc, 0x43, 0x6c, 0xbb, 0xc4, 0xd2, + 0x26, 0xba, 0xef, 0x02, 0x85, 0xaa, 0xff, 0xcd, 0x20, 0x4c, 0x66, 0x7a, 0xfc, 0xe3, 0xd9, 0x4f, + 0xf3, 0x50, 0x76, 0xf0, 0x3e, 0x71, 0x76, 0x3c, 0x8b, 0x8a, 0xed, 0x34, 0x66, 0xc4, 0x00, 0x74, + 0x13, 0xc6, 0xcd, 0x80, 0x60, 0x46, 0xd6, 0x8e, 0x89, 0xcb, 0xa8, 0xdc, 0x50, 0x62, 0x4d, 0x52, + 0x70, 0xbe, 0xaf, 0x2c, 0xe2, 0x10, 0x46, 0x44, 0x37, 0xa3, 0xa2, 0x9b, 0x04, 0x84, 0xef, 0x96, + 0xfd, 0xc0, 0x3b, 0x22, 0xee, 0x8e, 0x67, 0x6d, 0xf0, 0xde, 0xbf, 0x22, 0xa7, 0x6a, 0x67, 0xe5, + 0x1b, 0xd0, 0x7d, 0x98, 0x4e, 0x03, 0xc5, 0x34, 0x68, 0x65, 0x81, 0x5f, 0xd4, 0xc4, 0xfb, 0xb7, + 0x5d, 0x9b, 0xad, 0x78, 0x2e, 0xe3, 0x73, 0x1e, 0x88, 0x9d, 0x0b, 0xb2, 0xff, 0x5c, 0x83, 0xfe, + 0x2d, 0xcc, 0xad, 0xec, 0xbc, 0xda, 0xc5, 0x41, 0x83, 0xb0, 0x57, 0xcc, 0x76, 0xec, 0x1f, 0xc5, + 0xc6, 0x52, 0x4b, 0xf3, 0x14, 0x34, 0x26, 0x9a, 0x96, 0x8e, 0x49, 0x80, 0x1b, 0x24, 0x81, 0x21, + 0xd6, 0x6a, 0xd8, 0x68, 0xdb, 0xae, 0xff, 0xbf, 0x12, 0x94, 0x0d, 0x42, 0xbd, 0x56, 0xc0, 0x77, + 0xfd, 0x63, 0x18, 0x71, 0xec, 0xa6, 0xcd, 0xa8, 0x56, 0xba, 0x3e, 0x78, 0xab, 0xb2, 0x78, 0x2d, + 0x5e, 0x9f, 0x08, 0x69, 0x61, 0x43, 0x60, 0xac, 0xb9, 0x2c, 0x38, 0x35, 0x14, 0x3a, 
0xfa, 0x0c, + 0xc6, 0x02, 0xf2, 0xcb, 0x16, 0xa1, 0x8c, 0x6a, 0x03, 0x82, 0xf4, 0x46, 0x11, 0xa9, 0xa1, 0x70, + 0x24, 0x71, 0x44, 0x32, 0xf7, 0x09, 0x54, 0x12, 0xbd, 0xf2, 0x5d, 0x73, 0x44, 0x4e, 0xc5, 0xd8, + 0xcb, 0x06, 0xff, 0xc9, 0xb7, 0x82, 0xe0, 0xd8, 0x6a, 0x27, 0xc9, 0x87, 0xa7, 0x03, 0x4f, 0x4a, + 0x73, 0x9f, 0x42, 0x35, 0xd5, 0xeb, 0x59, 0x88, 0xf5, 0x5f, 0x8d, 0x42, 0x75, 0xc5, 0x0b, 0xc8, + 0xea, 0x56, 0xfd, 0x5c, 0xdb, 0x5c, 0x87, 0x71, 0x53, 0x76, 0xb3, 0x2e, 0x36, 0xac, 0x7c, 0x51, + 0x0a, 0x26, 0x38, 0x99, 0x7c, 0xde, 0x55, 0xfb, 0x9f, 0x73, 0xb2, 0x08, 0x82, 0x16, 0x00, 0xa9, + 0xa7, 0x1d, 0xa7, 0xd5, 0xb0, 0xdd, 0xf5, 0xc4, 0xd6, 0x2f, 0x68, 0x41, 0x2f, 0x61, 0xdc, 0xf5, + 0x2c, 0x52, 0x27, 0x0e, 0x31, 0x99, 0x17, 0x88, 0xa3, 0xd0, 0x2b, 0x7f, 0x4a, 0x51, 0xf2, 0x33, + 0x13, 0x10, 0xdf, 0xb1, 0x4d, 0xbc, 0xe2, 0xb5, 0x5c, 0x26, 0xce, 0x4c, 0x55, 0xe2, 0x25, 0xe1, + 0x05, 0x3c, 0x71, 0xf4, 0x1c, 0x3c, 0xf1, 0x63, 0x28, 0x07, 0xe1, 0xc6, 0x10, 0x27, 0xab, 0xb2, + 0x38, 0x5d, 0xb0, 0x67, 0x04, 0x6d, 0x8c, 0x89, 0x36, 0x60, 0x32, 0xf0, 0x1c, 0xc7, 0x76, 0x1b, + 0x9b, 0xf8, 0xa4, 0xde, 0x0a, 0x1a, 0xf2, 0x98, 0x55, 0x16, 0xaf, 0xe6, 0x78, 0xc9, 0x76, 0x20, + 0xc7, 0xf1, 0xc2, 0x0b, 0x76, 0x96, 0x45, 0x3f, 0x59, 0x52, 0xf4, 0x2d, 0xcc, 0xc4, 0xa0, 0x57, + 0x2e, 0x3e, 0xc6, 0xb6, 0xc3, 0x97, 0x54, 0x71, 0xfb, 0x5e, 0xfa, 0x2c, 0xee, 0x00, 0x79, 0x30, + 0x2f, 0x3e, 0x98, 0xd9, 0x4b, 0x07, 0x07, 0xfc, 0x44, 0x9f, 0x8a, 0xd3, 0x1f, 0x2d, 0x57, 0x45, + 0xbc, 0xe0, 0x83, 0xf4, 0x0b, 0xea, 0x8e, 0x6d, 0x92, 0xed, 0x83, 0x36, 0x33, 0xd8, 0xb1, 0x43, + 0xf4, 0x1a, 0xae, 0x67, 0xda, 0x77, 0x49, 0xd0, 0x4c, 0xbf, 0x74, 0xfc, 0xec, 0x2f, 0xed, 0xda, + 0x29, 0xda, 0x84, 0x0a, 0xf3, 0x1c, 0x12, 0xa8, 0x3d, 0x51, 0x3d, 0xfb, 0x3b, 0x92, 0xf4, 0xfa, + 0xb7, 0x70, 0x7d, 0x95, 0x1c, 0xe0, 0x96, 0xc3, 0x76, 0x3c, 0x6b, 0xd5, 0xa6, 0x41, 0xcb, 0xe7, + 0x0d, 0xcb, 0x2d, 0xab, 0x41, 0xd8, 0x79, 0x4e, 0xa9, 0xfe, 0x0d, 0xcc, 0xaa, 0x9e, 0xa3, 0xdd, + 0xa5, 0xfa, 0x4b, 0xb2, 
0x2f, 0xd9, 0x61, 0x11, 0xfb, 0x0a, 0xf9, 0x8c, 0x92, 0xb1, 0x11, 0x89, + 0xfe, 0x4f, 0xab, 0x30, 0xbd, 0xd6, 0x08, 0x08, 0xa5, 0x5f, 0x60, 0x46, 0x5e, 0xe3, 0x53, 0xd5, + 0xed, 0x0b, 0xa8, 0xe1, 0x16, 0xf3, 0xa8, 0x89, 0x1d, 0xb2, 0xd6, 0xf3, 0x78, 0x73, 0x34, 0x9c, + 0xbd, 0x44, 0xb0, 0x4d, 0x7c, 0xa2, 0xd4, 0xc1, 0x14, 0x2c, 0x8d, 0x63, 0xbb, 0x4a, 0x35, 0x4c, + 0xc1, 0xd0, 0x4d, 0x98, 0x30, 0x3d, 0xd7, 0x25, 0x26, 0xdb, 0xb5, 0x9b, 0xc4, 0x6b, 0x31, 0xc5, + 0x5e, 0x32, 0x50, 0xf4, 0x14, 0x06, 0x4d, 0xbf, 0xa5, 0x38, 0xca, 0x7b, 0x09, 0x2d, 0xa3, 0xad, + 0x0c, 0x12, 0xcb, 0xc8, 0x89, 0xd0, 0xcf, 0xa1, 0x6a, 0x05, 0xd8, 0x76, 0x57, 0x95, 0xca, 0x2c, + 0xb8, 0x09, 0xd7, 0x55, 0xb2, 0x1f, 0x1c, 0x22, 0x18, 0x69, 0xfc, 0xe4, 0xda, 0x8e, 0xf6, 0xce, + 0x81, 0x17, 0x61, 0x90, 0xb8, 0xc7, 0x8a, 0x8f, 0x74, 0x65, 0x48, 0x06, 0x47, 0x46, 0x1f, 0xc3, + 0x88, 0x50, 0x1c, 0xa8, 0xe2, 0x20, 0x57, 0x62, 0x32, 0xb5, 0x8e, 0x62, 0xa3, 0x87, 0xeb, 0xad, + 0x90, 0x11, 0x82, 0x21, 0x97, 0x4b, 0xeb, 0x4b, 0x62, 0xee, 0xc4, 0xef, 0x1c, 0x33, 0x86, 0xbe, + 0x99, 0x71, 0x9e, 0xc9, 0x56, 0xce, 0xc1, 0x64, 0xbb, 0x71, 0xa1, 0xf1, 0x9f, 0x82, 0x0b, 0x55, + 0xdf, 0x06, 0x17, 0xba, 0x03, 0xc3, 0xbe, 0x17, 0x30, 0xaa, 0x4d, 0x08, 0xf5, 0x63, 0x26, 0xee, + 0x7d, 0x87, 0x83, 0xd5, 0x1a, 0x4a, 0x9c, 0xb4, 0xec, 0x99, 0xec, 0x59, 0xf6, 0x3c, 0x83, 0x2a, + 0x25, 0x66, 0x40, 0xd8, 0xd7, 0x9e, 0xd3, 0x6a, 0x12, 0xaa, 0xd5, 0xc4, 0xbb, 0x66, 0x63, 0xd2, + 0x7a, 0xa2, 0xd9, 0x48, 0x23, 0xa3, 0x1d, 0x40, 0x94, 0x04, 0xc7, 0xb6, 0x49, 0x92, 0xab, 0x3b, + 0xd5, 0xe3, 0x8e, 0x2d, 0xa0, 0xe5, 0x3b, 0x91, 0x1b, 0xb0, 0x1a, 0x92, 0x3b, 0x91, 0xff, 0x46, + 0x77, 0x60, 0xe8, 0xc7, 0x63, 0xdf, 0xd5, 0xa6, 0xb3, 0x0a, 0xf6, 0xf7, 0x24, 0xf0, 0xbe, 0xde, + 0xd9, 0x52, 0x13, 0x21, 0x90, 0xb2, 0xac, 0xfb, 0xc2, 0xf9, 0x58, 0x77, 0x91, 0x6c, 0x9e, 0x79, + 0x0b, 0xb2, 0x79, 0xf6, 0xbc, 0xb2, 0x79, 0x13, 0xaa, 0xa6, 0x98, 0x86, 0x70, 0x1d, 0x2f, 0x9e, + 0xe9, 0xc3, 0x8d, 0x34, 0x35, 0xfa, 0x05, 0x5c, 0xc0, 0x96, 
0x65, 0xf3, 0x39, 0xc0, 0x4e, 0xa4, + 0xb8, 0x53, 0x4d, 0x3b, 0x5b, 0xaf, 0x85, 0x9d, 0xa0, 0x27, 0x50, 0x0e, 0x5a, 0xee, 0x12, 0x35, + 0x3c, 0x8f, 0x69, 0x73, 0x5d, 0x19, 0x62, 0x8c, 0xac, 0xff, 0xbe, 0x04, 0x68, 0xcd, 0x3d, 0xf6, + 0x4e, 0x37, 0x09, 0x0b, 0x6c, 0x93, 0x9e, 0x4b, 0xc3, 0x45, 0x30, 0x74, 0xe8, 0x51, 0xa6, 0x34, + 0x5b, 0xf1, 0x9b, 0xc3, 0xf8, 0x71, 0x12, 0xa2, 0x66, 0xd8, 0x10, 0xbf, 0xd1, 0x32, 0x54, 0x98, + 0x43, 0xeb, 0x84, 0x31, 0xdb, 0x6d, 0x50, 0x21, 0x5f, 0x7a, 0xd9, 0xdd, 0x49, 0x22, 0xb4, 0x0a, + 0xe3, 0xcc, 0xf4, 0xbf, 0x22, 0xc4, 0xc7, 0x8e, 0x7d, 0x4c, 0x7a, 0xd5, 0x6c, 0x8d, 0x14, 0x95, + 0xfe, 0x19, 0x4c, 0x17, 0x70, 0x71, 0x6e, 0x1e, 0x60, 0xdf, 0x0f, 0xcd, 0x03, 0xec, 0xfb, 0xc2, + 0xcc, 0xa4, 0xcc, 0xf6, 0x42, 0xf3, 0x40, 0x3c, 0xe8, 0xff, 0xab, 0x04, 0x13, 0x8a, 0x3e, 0x24, + 0xdd, 0x82, 0x69, 0xd1, 0xb6, 0x47, 0x84, 0xac, 0x6f, 0xc8, 0x56, 0x35, 0x8b, 0x09, 0xe1, 0x51, + 0xa0, 0x0a, 0x18, 0x48, 0x50, 0xae, 0x25, 0x09, 0x93, 0x2b, 0x31, 0xd0, 0xfb, 0x4a, 0xfc, 0x05, + 0x5c, 0x90, 0xa3, 0xb0, 0xdd, 0xd4, 0x30, 0x86, 0xb2, 0xa7, 0x62, 0xdd, 0x2d, 0x18, 0x87, 0xfc, + 0x82, 0xf5, 0x14, 0xa9, 0xfe, 0x1f, 0x2f, 0xc3, 0xf8, 0x17, 0x8e, 0xb7, 0x2f, 0x36, 0x1e, 0xff, + 0xd2, 0x5b, 0x30, 0x84, 0x03, 0xf3, 0x50, 0x7d, 0xda, 0x85, 0xb8, 0xcf, 0xd8, 0x69, 0x65, 0x08, + 0x0c, 0xf4, 0x15, 0x8c, 0x9b, 0x24, 0x60, 0xf6, 0x81, 0x6d, 0x62, 0x46, 0xa8, 0x76, 0xeb, 0x6c, + 0x7b, 0x3e, 0x45, 0x2c, 0x9c, 0x39, 0xa2, 0xf3, 0xc8, 0x11, 0xa3, 0xd6, 0x24, 0x0b, 0xe6, 0x06, + 0xb7, 0x04, 0xf1, 0x9d, 0x1e, 0x63, 0x2f, 0x4a, 0x83, 0xbb, 0xa0, 0x89, 0xeb, 0x62, 0xea, 0xd4, + 0x62, 0xc7, 0xb6, 0xa4, 0x6a, 0x32, 0xd8, 0x5d, 0x17, 0xcb, 0xd2, 0xa0, 0xbf, 0x84, 0xcb, 0xa6, + 0xe7, 0xb2, 0xc0, 0x73, 0x76, 0x1c, 0xec, 0x92, 0x3a, 0x31, 0x5b, 0x81, 0xcd, 0x4e, 0x43, 0xf5, + 0x6e, 0xa8, 0x6b, 0x97, 0x9d, 0xc8, 0xd1, 0x4b, 0xb8, 0x66, 0x49, 0x15, 0x55, 0xce, 0xf2, 0xd7, + 0x36, 0xb5, 0xf7, 0x6d, 0xc7, 0x66, 0xa7, 0xd1, 0x91, 0x7a, 0x28, 0x5c, 0x56, 0xdd, 0xd0, 0xd0, + 
0xd7, 0x30, 0xad, 0x50, 0xb6, 0x92, 0x8a, 0xc9, 0xc8, 0x19, 0x94, 0x89, 0xa2, 0x0e, 0x90, 0x0b, + 0x73, 0x56, 0x5b, 0xf5, 0x5c, 0x69, 0x6c, 0xb7, 0xe3, 0xee, 0xbb, 0xa9, 0xf2, 0xe2, 0x45, 0x1d, + 0x7a, 0x44, 0x1b, 0x30, 0x6d, 0xd9, 0x94, 0xcf, 0x8e, 0xf4, 0x17, 0xae, 0x1c, 0x12, 0xf3, 0x28, + 0x34, 0x18, 0x3b, 0xcd, 0x73, 0x11, 0x19, 0xda, 0x81, 0x9a, 0x95, 0x31, 0x01, 0x94, 0xf2, 0x77, + 0x3d, 0x37, 0xe6, 0x8c, 0x91, 0x20, 0x46, 0x9a, 0xa3, 0x46, 0xbf, 0x00, 0xa4, 0x60, 0xbb, 0x09, + 0x49, 0xfa, 0xf8, 0xec, 0x92, 0xb4, 0xa0, 0x1b, 0xb4, 0x0c, 0x13, 0xf2, 0xd8, 0xbf, 0x24, 0x4e, + 0x73, 0x97, 0x50, 0xa6, 0x14, 0xcb, 0x4e, 0xdf, 0x9d, 0xa1, 0x40, 0x9f, 0x43, 0x55, 0x42, 0x76, + 0x03, 0x6c, 0xda, 0x6e, 0x43, 0xe9, 0x93, 0x9d, 0xba, 0x48, 0x13, 0x84, 0x4e, 0xbc, 0xf1, 0xd8, + 0x89, 0x77, 0x0b, 0x26, 0x85, 0x33, 0x6e, 0x27, 0x76, 0xec, 0x56, 0xe5, 0x41, 0xcd, 0x80, 0xd1, + 0x6d, 0xa8, 0x45, 0x20, 0xa9, 0x1c, 0x51, 0xed, 0x7d, 0xb1, 0x83, 0x73, 0x70, 0x6e, 0x9e, 0x08, + 0xee, 0x14, 0x9f, 0xe7, 0x09, 0x69, 0x9e, 0xa4, 0xa1, 0x68, 0x0b, 0xa6, 0x1c, 0xcf, 0xc4, 0x7c, + 0xbb, 0x6f, 0xec, 0xab, 0x0d, 0xaf, 0xb4, 0xb8, 0xee, 0x42, 0x22, 0x4f, 0xca, 0x45, 0xac, 0xe3, + 0x35, 0x96, 0xe8, 0x97, 0xd4, 0x73, 0xb5, 0xf7, 0xba, 0x8b, 0xd8, 0x08, 0x19, 0x3d, 0x86, 0x51, + 0xc7, 0x6b, 0x34, 0xf8, 0xfb, 0xa7, 0x72, 0x26, 0x84, 0x60, 0xa8, 0x1b, 0xb2, 0x59, 0xf1, 0xcc, + 0x10, 0x1b, 0xad, 0x40, 0xb5, 0x49, 0xe8, 0xe1, 0xda, 0x89, 0x8f, 0x5d, 0xca, 0x59, 0x11, 0xca, + 0x92, 0x6f, 0x26, 0x9b, 0x15, 0x79, 0x9a, 0x06, 0xcd, 0xc2, 0x08, 0x07, 0xac, 0xaf, 0x6a, 0x1f, + 0x8b, 0x79, 0x52, 0x4f, 0x5c, 0x7e, 0xf2, 0x5f, 0x5b, 0x84, 0xbd, 0xf6, 0x82, 0x23, 0xaa, 0x54, + 0xc1, 0x1e, 0xe4, 0x67, 0x92, 0x8a, 0xaf, 0x46, 0xd3, 0x73, 0x6d, 0xe6, 0x71, 0x24, 0xae, 0x43, + 0x0b, 0xf5, 0xb0, 0x6a, 0x64, 0xa0, 0x5c, 0x56, 0x34, 0x99, 0x43, 0x95, 0xa6, 0x97, 0x90, 0x15, + 0x9b, 0xbb, 0x1b, 0xf5, 0x50, 0x56, 0x70, 0x0c, 0xf4, 0x39, 0x8c, 0x37, 0x5b, 0x0e, 0xb3, 0x95, + 0xbf, 0x5b, 0xe9, 0x71, 0xf3, 0x09, 
0x8a, 0x44, 0xab, 0xa2, 0x4c, 0x51, 0x20, 0x0d, 0x46, 0x5d, + 0x39, 0x3e, 0xed, 0x03, 0xf1, 0xc9, 0xe1, 0x23, 0x7a, 0x04, 0xb3, 0xbe, 0x67, 0xad, 0x6e, 0xd5, + 0xeb, 0x84, 0xcb, 0xa5, 0x84, 0x8b, 0xff, 0x8e, 0xd8, 0x6d, 0x6d, 0x5a, 0xd1, 0x5f, 0xc1, 0xbc, + 0xd7, 0xb4, 0x59, 0xdd, 0xb6, 0x88, 0x89, 0x83, 0x75, 0xf7, 0x07, 0xc1, 0xe5, 0xe4, 0xcb, 0x37, + 0xb1, 0xaf, 0xdd, 0xec, 0xba, 0x1d, 0x3a, 0xd2, 0xa3, 0xe7, 0x30, 0xee, 0xb9, 0x71, 0x60, 0x41, + 0x69, 0x9a, 0x9d, 0xfa, 0x4b, 0xe1, 0x23, 0x03, 0x66, 0x3d, 0x9f, 0xf3, 0x03, 0x2f, 0xd8, 0xc4, + 0x2e, 0x6e, 0x90, 0x6f, 0xc8, 0xfe, 0xa1, 0xe7, 0x1d, 0x51, 0xed, 0x67, 0x5d, 0x7b, 0x6a, 0x43, + 0x89, 0x7e, 0x01, 0x33, 0x5e, 0x8b, 0xed, 0x7b, 0x2d, 0xd7, 0xda, 0x0d, 0xf0, 0xc1, 0x81, 0x6d, + 0xaa, 0x33, 0x2c, 0x15, 0xd6, 0xf7, 0xe3, 0x05, 0xd9, 0x2e, 0x42, 0x53, 0x2b, 0x53, 0xdc, 0x07, + 0xe7, 0xd7, 0x7e, 0xcc, 0x71, 0x5f, 0x60, 0xdb, 0xd9, 0xf6, 0x89, 0x2b, 0x8c, 0xe5, 0x2e, 0xfc, + 0xba, 0x80, 0x8c, 0x33, 0x1a, 0x09, 0x8e, 0x67, 0x70, 0x4e, 0x32, 0x9a, 0x0c, 0x18, 0xdd, 0x87, + 0x29, 0x3f, 0xb0, 0x3d, 0x2e, 0x4c, 0x57, 0x1c, 0x4c, 0xa9, 0x70, 0xa8, 0x5f, 0x8e, 0xbc, 0xff, + 0xf9, 0x46, 0xae, 0x43, 0xf8, 0x81, 0xd7, 0x24, 0xec, 0x90, 0xb4, 0x68, 0xdc, 0xff, 0x47, 0x52, + 0x87, 0x28, 0x68, 0x12, 0x36, 0x66, 0xe0, 0x9d, 0x9c, 0x6a, 0xf3, 0xe2, 0x6b, 0x92, 0x36, 0x26, + 0x07, 0x47, 0x36, 0x26, 0x7f, 0x40, 0x8f, 0xa1, 0x2c, 0x7e, 0xac, 0xbb, 0x36, 0xd3, 0xae, 0x64, + 0x03, 0x36, 0x3b, 0x61, 0x93, 0x22, 0x8a, 0x71, 0xd1, 0xfb, 0x30, 0x48, 0x2d, 0xaa, 0x5d, 0xcd, + 0x9a, 0xa5, 0xf5, 0xd5, 0xf0, 0x38, 0xf1, 0xf6, 0x30, 0x90, 0x72, 0xad, 0x87, 0x40, 0xca, 0x02, + 0x20, 0x46, 0x1c, 0xd2, 0x24, 0x2c, 0x48, 0x4c, 0xe4, 0x75, 0xe9, 0x5a, 0xce, 0xb7, 0xa0, 0x05, + 0x18, 0x61, 0x01, 0x36, 0x49, 0xa0, 0xdd, 0x10, 0xbd, 0x27, 0x0c, 0xdc, 0x5d, 0x01, 0x0f, 0x3d, + 0x22, 0x12, 0x0b, 0x5d, 0x87, 0x0a, 0x0b, 0x5a, 0x94, 0xad, 0x7a, 0x4d, 0x6c, 0xbb, 0x9a, 0x2e, + 0x3a, 0x4e, 0x82, 0xc4, 0x08, 0xe2, 0xc7, 0x25, 0xc7, 0xc6, 0x94, 0x50, 
0xed, 0xb6, 0x38, 0x9a, + 0x05, 0x2d, 0x68, 0x11, 0x46, 0x5a, 0x94, 0x6c, 0xae, 0xec, 0x68, 0xef, 0x76, 0xdd, 0x38, 0x0a, + 0x13, 0x3d, 0x83, 0x8a, 0x10, 0x14, 0x06, 0x69, 0x7a, 0x8c, 0x68, 0x77, 0xbb, 0x12, 0x26, 0xd1, + 0xd1, 0xd7, 0xa0, 0xc9, 0x00, 0x91, 0x7c, 0xae, 0x1f, 0x9b, 0x6b, 0xae, 0xe5, 0x7b, 0xb6, 0xcb, + 0xa8, 0xf6, 0x61, 0xd7, 0xae, 0xda, 0xd2, 0x72, 0x06, 0x13, 0x08, 0xe8, 0x8e, 0xed, 0x78, 0x6c, + 0x45, 0xa0, 0x25, 0x10, 0xb4, 0x85, 0xee, 0x0c, 0xa6, 0x13, 0x3d, 0xdf, 0xc5, 0xaa, 0x5d, 0x1c, + 0x88, 0x25, 0xcb, 0xe2, 0x9a, 0xbd, 0x76, 0x4f, 0xee, 0xe2, 0x82, 0x26, 0xbe, 0x16, 0x89, 0x1e, + 0x43, 0x82, 0xfb, 0x72, 0x37, 0xe4, 0x5b, 0x38, 0x6b, 0x95, 0xd0, 0xdd, 0x70, 0xa7, 0x84, 0x34, + 0x0f, 0x04, 0x4d, 0x9b, 0x56, 0xbe, 0x8b, 0xc4, 0x04, 0x5b, 0xda, 0xa3, 0xec, 0x2e, 0x5a, 0x17, + 0xf0, 0x70, 0x17, 0x49, 0x2c, 0x74, 0x17, 0xa6, 0x7c, 0xf1, 0x8d, 0x24, 0x60, 0x3b, 0x81, 0x77, + 0x6c, 0x5b, 0x24, 0xd0, 0x9e, 0xc8, 0x90, 0x58, 0xae, 0x01, 0xcd, 0x43, 0xf9, 0x87, 0xd7, 0x4c, + 0x31, 0xae, 0x4f, 0x64, 0xd8, 0x38, 0x02, 0x88, 0x33, 0xc4, 0xa8, 0xf6, 0x34, 0x77, 0x86, 0x76, + 0xe3, 0x33, 0xc4, 0x28, 0x9a, 0x83, 0xb1, 0x80, 0x1c, 0xdb, 0x42, 0x02, 0x7f, 0x2a, 0xa3, 0xad, + 0xe1, 0x33, 0xd7, 0xbd, 0x9a, 0x5e, 0xcb, 0x65, 0x9b, 0xcc, 0xa1, 0xfc, 0xcd, 0x54, 0x7b, 0xd6, + 0x5d, 0xf7, 0x4a, 0x53, 0x88, 0xd8, 0x36, 0x0e, 0x67, 0xeb, 0x33, 0x15, 0xdb, 0x0e, 0x01, 0x5c, + 0x33, 0x33, 0x89, 0xcb, 0x02, 0xec, 0xc8, 0xf9, 0xd0, 0x9e, 0x77, 0xd7, 0xcc, 0x52, 0x04, 0xfa, + 0x87, 0x50, 0x8e, 0xbe, 0x88, 0x9f, 0x42, 0xe5, 0x23, 0x12, 0xd2, 0x5a, 0xde, 0x25, 0x48, 0x82, + 0xf4, 0x7f, 0x5c, 0x82, 0xf1, 0xe4, 0xd4, 0xa3, 0x27, 0x67, 0xf0, 0x05, 0x08, 0x36, 0x1a, 0x59, + 0xa1, 0x91, 0x66, 0xba, 0xe4, 0x62, 0xe7, 0x94, 0xda, 0xb4, 0x07, 0x13, 0x36, 0x43, 0xa1, 0xdf, + 0x81, 0xe9, 0x02, 0x25, 0x89, 0xdb, 0xe3, 0x8e, 0x88, 0x7f, 0x4b, 0x1b, 0x5d, 0x3e, 0xe8, 0xff, + 0x61, 0x06, 0x2e, 0x14, 0x59, 0xb4, 0x7f, 0x92, 0x4e, 0x76, 0xbe, 0x73, 0x5a, 0x94, 0x79, 0xcd, + 0xba, 0x5c, 
0x5d, 0x65, 0xd6, 0x75, 0xde, 0x39, 0x49, 0x02, 0x3e, 0xc9, 0x16, 0xd9, 0x6f, 0x35, + 0xd4, 0x95, 0x0a, 0xf9, 0xc0, 0x35, 0x4a, 0x4b, 0xf2, 0x70, 0x19, 0xea, 0x56, 0x4f, 0x79, 0xa7, + 0x7e, 0xb9, 0x7f, 0xa7, 0x3e, 0x9c, 0xd9, 0xa9, 0x5f, 0x39, 0x8b, 0x53, 0xff, 0x3a, 0x54, 0xc8, + 0x09, 0x23, 0x81, 0x8b, 0x9d, 0xf5, 0x1d, 0xaa, 0x8d, 0x0b, 0x11, 0x93, 0x04, 0xa1, 0xa7, 0x00, + 0x47, 0x4f, 0xa8, 0xda, 0x4b, 0xca, 0x19, 0xdd, 0x69, 0x38, 0x09, 0x6c, 0xb4, 0x0a, 0x93, 0xf1, + 0xd3, 0x4b, 0xc6, 0x7c, 0xda, 0xc3, 0xbd, 0x8a, 0x2c, 0x49, 0x22, 0xf0, 0x30, 0x79, 0x96, 0xc0, + 0xc3, 0x4d, 0x98, 0x70, 0x3c, 0x6c, 0x2d, 0x63, 0x07, 0xbb, 0x26, 0x09, 0xd6, 0x77, 0xb4, 0x9a, + 0xdc, 0x59, 0x69, 0x28, 0x7a, 0x0a, 0x5a, 0x12, 0x52, 0x17, 0x96, 0xaa, 0x81, 0xdd, 0x06, 0xa1, + 0xda, 0x94, 0x98, 0x8f, 0xb6, 0xed, 0x68, 0x0d, 0x50, 0xca, 0xc8, 0x10, 0xce, 0x73, 0x0d, 0x75, + 0xf2, 0xa9, 0x17, 0x10, 0x44, 0x31, 0x92, 0xbb, 0x1d, 0x62, 0x24, 0xd3, 0x6f, 0x30, 0x46, 0x72, + 0xe1, 0x2d, 0xc6, 0x48, 0x66, 0x7e, 0x8a, 0x18, 0xc9, 0xec, 0x5b, 0x8d, 0x91, 0x5c, 0xec, 0x21, + 0x46, 0x92, 0xbd, 0x15, 0xa0, 0xb5, 0xb9, 0x15, 0xb0, 0x9c, 0x8c, 0xa5, 0x5c, 0x3a, 0xc3, 0x3a, + 0x24, 0x02, 0x2b, 0x1f, 0x49, 0x95, 0x77, 0x2e, 0x1b, 0x7a, 0x4d, 0x33, 0xfc, 0xba, 0x45, 0x93, + 0x0a, 0x70, 0x2e, 0x1a, 0x73, 0xf9, 0xfc, 0xd1, 0x98, 0xf9, 0x37, 0x10, 0x8d, 0xb9, 0x92, 0x88, + 0xc6, 0x3c, 0x52, 0xd1, 0x18, 0xa9, 0xcc, 0xeb, 0xed, 0xbe, 0xec, 0xfb, 0x63, 0xdf, 0x4d, 0x05, + 0x66, 0x0a, 0x22, 0x29, 0xd7, 0xde, 0x42, 0x24, 0xe5, 0xfa, 0x79, 0x23, 0x29, 0xb7, 0xa1, 0x86, + 0x7d, 0xb1, 0x19, 0x58, 0xc4, 0x2c, 0x6e, 0x88, 0xef, 0xcf, 0xc1, 0xd1, 0x43, 0x98, 0x09, 0xd9, + 0x70, 0xda, 0xec, 0x94, 0xf6, 0x42, 0x71, 0x63, 0x36, 0x44, 0xf5, 0xee, 0x39, 0x43, 0x54, 0x5f, + 0xc1, 0xb8, 0xf2, 0x9b, 0xcb, 0xc1, 0xbe, 0x77, 0x46, 0x7f, 0x75, 0x92, 0xb8, 0x6d, 0xe0, 0xe7, + 0xfd, 0x37, 0x11, 0xf8, 0xc9, 0x05, 0xa9, 0x6e, 0x9e, 0x2b, 0x48, 0xf5, 0x3c, 0xe3, 0xa8, 0xff, + 0xa0, 0xbb, 0x23, 0x22, 0xe5, 0x9b, 0xbf, 0x0b, 
0x83, 0xcc, 0x09, 0xfd, 0xfb, 0x9d, 0xc8, 0x38, + 0x1a, 0xfa, 0x1e, 0xb4, 0xc8, 0xae, 0xdc, 0xc3, 0x96, 0xe5, 0xb9, 0x7b, 0x2a, 0xd8, 0x10, 0x3a, + 0x2e, 0xba, 0x9f, 0xb1, 0x59, 0x96, 0xb0, 0x28, 0x3c, 0x37, 0x0c, 0xc6, 0xa0, 0xcf, 0x60, 0xf8, + 0xd0, 0xe3, 0xda, 0xfd, 0xed, 0xb3, 0x4d, 0x88, 0xa4, 0x42, 0x8b, 0x30, 0x13, 0x0f, 0x4d, 0xea, + 0x37, 0x7b, 0x42, 0x56, 0xdd, 0x91, 0x26, 0x53, 0xd4, 0x28, 0x2d, 0x52, 0xe1, 0x2a, 0x48, 0x05, + 0xe1, 0x3e, 0x3c, 0x4b, 0x10, 0xee, 0x5f, 0x94, 0xe0, 0x62, 0x1b, 0x2e, 0xd6, 0x67, 0x24, 0x2e, + 0xba, 0x15, 0x39, 0x90, 0xbc, 0x15, 0x99, 0x8a, 0x68, 0x0f, 0xf6, 0x1a, 0xd1, 0xd6, 0x0f, 0x41, + 0x6b, 0xc7, 0x89, 0xfa, 0x1c, 0xde, 0x2c, 0x8c, 0xd0, 0xd6, 0xc1, 0x81, 0x7d, 0xa2, 0xc6, 0xa7, + 0x9e, 0xf4, 0x6f, 0xe0, 0xda, 0x57, 0xad, 0x7d, 0x12, 0xb8, 0x84, 0x11, 0xba, 0xe6, 0x1e, 0x6f, + 0xda, 0x27, 0x24, 0x58, 0xb2, 0xb0, 0x1f, 0xf9, 0xfa, 0xfa, 0xbc, 0xd5, 0x63, 0x01, 0xda, 0xf0, + 0xb0, 0x55, 0x3f, 0x24, 0x96, 0x15, 0x1b, 0x11, 0xb7, 0xa1, 0xe6, 0x60, 0x46, 0x5c, 0xf3, 0x74, + 0xf7, 0x30, 0x20, 0xf4, 0xd0, 0x73, 0x2c, 0x65, 0x4f, 0xe4, 0xe0, 0x48, 0x87, 0xa1, 0xa6, 0x67, + 0xc9, 0x09, 0x9d, 0x58, 0x9c, 0x88, 0xa7, 0x8d, 0x43, 0x0d, 0xd1, 0xa6, 0x07, 0x00, 0xb1, 0x3f, + 0xb3, 0xcf, 0xa9, 0x59, 0x80, 0x21, 0x6e, 0x29, 0xf4, 0x60, 0x29, 0x09, 0x3c, 0xfd, 0x1f, 0xc0, + 0x74, 0x81, 0x17, 0xb8, 0xcf, 0x97, 0x4b, 0x8f, 0xca, 0xfa, 0xc6, 0x72, 0x0f, 0xaf, 0x57, 0x98, + 0xfa, 0xff, 0x1f, 0x80, 0x79, 0xb1, 0x4e, 0x09, 0xdb, 0x5e, 0x2c, 0x58, 0xb8, 0x83, 0xb7, 0xa1, + 0x7a, 0x14, 0x2d, 0x2a, 0x57, 0xd5, 0xe5, 0x80, 0x7e, 0x16, 0x4f, 0x61, 0x97, 0x35, 0x37, 0xd2, + 0xf4, 0xe8, 0x05, 0x40, 0xec, 0x78, 0x53, 0x23, 0xbd, 0x99, 0xf2, 0x9a, 0xa9, 0xb6, 0x82, 0xae, + 0x12, 0x94, 0xe8, 0x31, 0x0c, 0x53, 0x66, 0xd9, 0x9e, 0x3a, 0x0a, 0x09, 0x95, 0xa2, 0xce, 0xc1, + 0x05, 0xd4, 0x12, 0x1f, 0xad, 0x43, 0x85, 0x32, 0x6c, 0x1e, 0x59, 0x81, 0x7d, 0x4c, 0x02, 0x15, + 0xce, 0xfb, 0x20, 0x49, 0x1e, 0x35, 0x16, 0x74, 0x92, 0xa4, 0xe5, 0x26, 0x72, 0x8b, 
0x92, 0x10, + 0xc1, 0x58, 0xa5, 0xca, 0xd6, 0xeb, 0x68, 0x22, 0xa7, 0x29, 0xf4, 0xdf, 0x0f, 0xc0, 0x25, 0xf1, + 0x9e, 0xd0, 0x85, 0xf3, 0xe7, 0xe9, 0xff, 0x43, 0x4e, 0xff, 0x7f, 0x29, 0x41, 0x45, 0xbc, 0x47, + 0x4d, 0xf8, 0x47, 0x30, 0x22, 0xfd, 0xce, 0x6a, 0xa6, 0x2f, 0x27, 0x62, 0x17, 0xf1, 0x2a, 0x85, + 0x66, 0x9b, 0x44, 0x45, 0xcf, 0xa0, 0x1c, 0xc9, 0x14, 0x35, 0xa7, 0x57, 0x33, 0x74, 0xd1, 0xf9, + 0x0a, 0xbd, 0xc1, 0x11, 0x01, 0x5a, 0x86, 0x31, 0xac, 0x56, 0x5d, 0xcd, 0xe6, 0xcd, 0x76, 0xc4, + 0xe9, 0xdd, 0x61, 0x44, 0x74, 0xfa, 0x3f, 0x02, 0x98, 0xca, 0x8d, 0xef, 0x8f, 0xce, 0x71, 0xa2, + 0x1c, 0x22, 0x43, 0xfd, 0x38, 0x44, 0x12, 0x3c, 0x71, 0xb8, 0x0f, 0x51, 0x3a, 0x92, 0x14, 0xa5, + 0x6f, 0xf6, 0x9a, 0x73, 0xd6, 0x8c, 0x1a, 0x6b, 0x63, 0x46, 0xfd, 0x3c, 0xb1, 0xce, 0xd2, 0xbb, + 0xf2, 0x6e, 0xe1, 0xe6, 0x6a, 0xb7, 0xc8, 0xc8, 0x80, 0x59, 0x4a, 0x28, 0x97, 0x13, 0xa1, 0x01, + 0xb8, 0xd6, 0xb3, 0xc7, 0xa5, 0x0d, 0x65, 0x5a, 0xab, 0xa8, 0x9c, 0xe7, 0x8e, 0xf6, 0xf8, 0x5b, + 0xb0, 0x5e, 0xaa, 0x6f, 0xfb, 0x8e, 0xf6, 0xc4, 0x4f, 0x61, 0xf9, 0x4f, 0xbe, 0x0d, 0xcb, 0x3f, + 0xeb, 0x7b, 0xa9, 0xf5, 0xed, 0x7b, 0x51, 0x3e, 0xb9, 0xa9, 0xb3, 0xf8, 0xe4, 0x32, 0x36, 0x1c, + 0x3a, 0xa7, 0x0d, 0xa7, 0xee, 0x23, 0x4c, 0xe7, 0x92, 0x8a, 0x2e, 0x74, 0x8f, 0x85, 0xe9, 0xbf, + 0xa9, 0xc0, 0x85, 0x22, 0x9e, 0x5b, 0xc8, 0x0e, 0x07, 0xde, 0x00, 0x3b, 0x1c, 0xec, 0x81, 0x1d, + 0x0e, 0xb5, 0x67, 0x87, 0xc3, 0xe7, 0x64, 0x87, 0x23, 0x67, 0x76, 0xb7, 0x8e, 0x9e, 0x65, 0x69, + 0x23, 0x16, 0x3a, 0x96, 0x64, 0xa1, 0x9f, 0xc3, 0xb8, 0xe3, 0x61, 0x8b, 0x2a, 0x9d, 0x5c, 0x31, + 0xb4, 0x44, 0xa4, 0x3f, 0xaf, 0xb1, 0x1b, 0x29, 0x8a, 0x3f, 0xda, 0x0b, 0xd5, 0x59, 0x76, 0x3e, + 0xde, 0x36, 0x57, 0x26, 0xc7, 0x02, 0x27, 0xdf, 0x02, 0x0b, 0xac, 0x9d, 0x97, 0x05, 0xc6, 0x81, + 0xd6, 0xa9, 0x9e, 0x03, 0xad, 0x22, 0x80, 0xe8, 0x7b, 0x01, 0x5b, 0xc6, 0xcc, 0x3c, 0xdc, 0xc4, + 0x27, 0xbb, 0x76, 0x33, 0xbc, 0x84, 0x5c, 0xd0, 0x82, 0x1e, 0xc2, 0x4c, 0x1a, 0xba, 0xe6, 0xb2, + 0xc0, 0x26, 0xf2, 0x62, 
0x4a, 0xd5, 0x28, 0x6e, 0x4c, 0xcb, 0x9e, 0x6a, 0xcf, 0xb2, 0xa7, 0xbd, + 0x18, 0x9c, 0xe8, 0x5b, 0x0c, 0x76, 0x93, 0x13, 0x17, 0x7e, 0x0a, 0x39, 0x31, 0xf3, 0x07, 0xc8, + 0xe5, 0x99, 0x7d, 0x33, 0x9c, 0xfa, 0x62, 0x8e, 0x53, 0x6b, 0x3d, 0x70, 0xea, 0xff, 0x59, 0x02, + 0x94, 0xbf, 0x11, 0xd4, 0xa7, 0xf9, 0x7b, 0x1d, 0x2a, 0x2a, 0xfb, 0x56, 0x5c, 0x0c, 0x91, 0xbe, + 0x89, 0x24, 0x88, 0xef, 0xea, 0x86, 0x88, 0x46, 0x4a, 0xbf, 0x4f, 0x5d, 0x3a, 0x31, 0x64, 0x9e, + 0x5e, 0x41, 0x0b, 0xfa, 0x12, 0x90, 0xed, 0x8a, 0xb4, 0x61, 0x71, 0xc9, 0xfa, 0x85, 0xed, 0xb0, + 0xc8, 0x62, 0xe9, 0x34, 0xa4, 0x02, 0x2a, 0xfd, 0x1f, 0x96, 0xe0, 0x72, 0x87, 0xbb, 0x36, 0xe8, + 0x79, 0xca, 0x43, 0x71, 0xbb, 0xa7, 0x0b, 0x3a, 0x0b, 0x9b, 0xb1, 0xf7, 0xe2, 0x16, 0x0c, 0xf1, + 0x27, 0x54, 0x85, 0xf2, 0xd2, 0xc6, 0xc6, 0xf6, 0x37, 0x7b, 0x4b, 0x5b, 0xdf, 0xd5, 0xde, 0x41, + 0x53, 0x50, 0x35, 0xd6, 0xbe, 0x58, 0xaf, 0xef, 0x1a, 0xdf, 0xed, 0x6d, 0x6f, 0x6d, 0x7c, 0x57, + 0x2b, 0xe9, 0xbf, 0xad, 0x41, 0x45, 0xde, 0x34, 0x38, 0xcf, 0x6c, 0xbf, 0x15, 0x59, 0xda, 0xc6, + 0x6c, 0xc8, 0xca, 0xdb, 0xa1, 0x02, 0x79, 0x9b, 0xe5, 0xda, 0xc3, 0x6d, 0xb8, 0x76, 0xb1, 0x41, + 0xf0, 0x10, 0x46, 0xa9, 0xbc, 0xdf, 0xd5, 0x4b, 0x46, 0x92, 0x42, 0x45, 0xef, 0x41, 0x55, 0x5c, + 0x8f, 0xa9, 0xe3, 0xa6, 0xcf, 0x19, 0xaf, 0x90, 0x90, 0x25, 0x23, 0x0d, 0x4c, 0x73, 0xb9, 0x72, + 0xcf, 0x5c, 0xae, 0xe0, 0xa6, 0x34, 0x14, 0xdf, 0x94, 0x56, 0x6a, 0x44, 0xa5, 0x1f, 0x35, 0x22, + 0x2b, 0x84, 0xc7, 0xfb, 0x16, 0xc2, 0x26, 0x5c, 0x3b, 0x0a, 0x6f, 0xe6, 0x73, 0xa9, 0x46, 0x82, + 0x63, 0x71, 0xa0, 0x5d, 0x62, 0xf2, 0x17, 0x2f, 0x35, 0x48, 0x94, 0xd3, 0xde, 0x36, 0xa4, 0xdc, + 0xad, 0x07, 0xb4, 0x01, 0x35, 0x8b, 0xf8, 0x8e, 0x77, 0xda, 0x24, 0x2e, 0x93, 0x11, 0x54, 0xc5, + 0xf4, 0xbb, 0x2b, 0x33, 0x39, 0xca, 0xae, 0x4c, 0xbf, 0xf6, 0x53, 0x30, 0xfd, 0xa9, 0xb7, 0xc1, + 0xf4, 0x9f, 0x40, 0xd9, 0x8c, 0x2e, 0x3c, 0xa2, 0xee, 0xde, 0xed, 0x08, 0x19, 0x3d, 0x82, 0x51, + 0x15, 0x10, 0x51, 0xd1, 0xdc, 0x84, 0x8a, 0x27, 0xb8, 0x88, 
0x72, 0x2e, 0x87, 0xd7, 0x5f, 0x15, + 0x72, 0x42, 0xeb, 0xb8, 0xd0, 0xb3, 0xd6, 0xa1, 0xb4, 0xd3, 0x99, 0xb3, 0x68, 0xa7, 0xb1, 0xbf, + 0x66, 0x36, 0xeb, 0xaf, 0x11, 0xc3, 0x2b, 0xf4, 0xd7, 0x14, 0xa8, 0x6e, 0xda, 0x5b, 0x50, 0xdd, + 0x2e, 0x9d, 0x3f, 0x8b, 0x29, 0x25, 0xab, 0xe7, 0xce, 0x29, 0xab, 0x37, 0xa1, 0x8a, 0x7d, 0x3f, + 0x71, 0x71, 0xf6, 0xf2, 0x19, 0xe3, 0x4d, 0x29, 0x6a, 0x74, 0x08, 0x37, 0xa4, 0x34, 0xd8, 0xe1, + 0x4b, 0x6a, 0x7a, 0x4e, 0xdd, 0xb5, 0xf9, 0x0e, 0xe4, 0xdf, 0x15, 0x4a, 0x2d, 0x15, 0x6e, 0xed, + 0xb4, 0xfa, 0xdd, 0x3b, 0x41, 0x07, 0x70, 0xbd, 0x2d, 0xd2, 0xba, 0x2b, 0x5f, 0x74, 0xa5, 0xeb, + 0x8b, 0xba, 0xf6, 0x51, 0x60, 0x48, 0x5c, 0x3d, 0x87, 0x21, 0xf1, 0x73, 0x18, 0x97, 0xe7, 0x48, + 0x5e, 0xbf, 0x50, 0xe1, 0xdd, 0xec, 0x06, 0x5d, 0x49, 0xa0, 0x18, 0x29, 0x02, 0xf4, 0x04, 0x2e, + 0xfe, 0xf0, 0xfa, 0x88, 0x72, 0x11, 0xe1, 0x1c, 0x93, 0x60, 0xed, 0x84, 0x05, 0xd8, 0xf0, 0x3c, + 0xb6, 0xb2, 0xa4, 0x6e, 0x76, 0xb6, 0x6b, 0x46, 0x4b, 0x30, 0xea, 0x8b, 0x42, 0x02, 0x54, 0xdd, + 0xef, 0xec, 0x79, 0x8d, 0x43, 0xba, 0x50, 0xb1, 0xd3, 0x73, 0x8a, 0xdd, 0xbb, 0x3d, 0x28, 0x76, + 0xff, 0xa9, 0x04, 0x28, 0xcf, 0x1d, 0xc4, 0xf5, 0x7f, 0x09, 0x08, 0x6f, 0x35, 0x95, 0xd4, 0xf5, + 0xff, 0x14, 0x14, 0xbd, 0x82, 0x19, 0x3b, 0x22, 0x64, 0xfc, 0x6c, 0x90, 0x60, 0x33, 0xd6, 0x8e, + 0x12, 0x35, 0x2b, 0x0a, 0xd1, 0x8c, 0x62, 0x6a, 0xae, 0x47, 0x84, 0x0d, 0x0e, 0xa6, 0x54, 0x69, + 0x7e, 0x29, 0x98, 0xbe, 0x0e, 0x53, 0x39, 0xbe, 0xd1, 0x67, 0xd8, 0xea, 0x5f, 0x95, 0x60, 0x32, + 0xeb, 0x82, 0xe8, 0x4f, 0xd9, 0xba, 0x03, 0x03, 0xc7, 0x0f, 0x94, 0x7a, 0x95, 0xd8, 0x3f, 0x51, + 0xe7, 0x5f, 0x3f, 0x50, 0x0c, 0x6e, 0xe0, 0xf8, 0x81, 0x40, 0x5e, 0x54, 0x8e, 0xe4, 0x42, 0xe4, + 0xc5, 0x08, 0x79, 0x91, 0x7f, 0x6e, 0xae, 0x97, 0x3e, 0x3f, 0xf7, 0xd7, 0x83, 0xc9, 0xbe, 0x16, + 0xcf, 0xf5, 0xc1, 0xdf, 0xc2, 0x54, 0x93, 0x30, 0x6c, 0x61, 0x86, 0xf7, 0xc8, 0x89, 0x79, 0x88, + 0x5d, 0x55, 0x28, 0xa3, 0xb2, 0x78, 0xa7, 0xf0, 0x93, 0x36, 0x15, 0xf6, 0x9a, 0x42, 0x56, 0x9f, + 
0x58, 0x6b, 0x66, 0xe0, 0x68, 0xad, 0x20, 0xfe, 0xf1, 0x7e, 0x61, 0x97, 0x71, 0x28, 0xa4, 0x20, + 0xfc, 0xf1, 0x32, 0x1d, 0xc5, 0xc8, 0xb9, 0xed, 0x13, 0xfd, 0x88, 0x80, 0xc6, 0xaa, 0xc0, 0x2b, + 0x0a, 0x62, 0xfc, 0x25, 0x4c, 0x61, 0xd3, 0x24, 0x94, 0xee, 0x39, 0x5e, 0x63, 0xcf, 0x8f, 0x6b, + 0x28, 0x55, 0x16, 0xef, 0x17, 0xf6, 0xb7, 0x24, 0xb0, 0x37, 0xbc, 0x86, 0xdc, 0xa2, 0xd2, 0xbe, + 0x50, 0x3d, 0x4f, 0xe2, 0x74, 0xa3, 0x8e, 0xe1, 0x46, 0xd7, 0x59, 0x42, 0xcf, 0xa0, 0xf2, 0x1a, + 0xd3, 0x66, 0xef, 0x6a, 0x7c, 0x12, 0x5d, 0xff, 0x55, 0x09, 0x2e, 0x77, 0x98, 0xb6, 0x3e, 0x77, + 0xc0, 0xf9, 0xc6, 0xf4, 0x37, 0x83, 0x30, 0xdf, 0x69, 0x09, 0xfa, 0x1c, 0xd4, 0xc3, 0x38, 0x19, + 0xa8, 0x87, 0x74, 0xce, 0x30, 0x13, 0xe8, 0x29, 0x40, 0x9c, 0x50, 0xd3, 0x43, 0x46, 0x62, 0x02, + 0x1b, 0x3d, 0x82, 0x31, 0xe6, 0xf9, 0x9e, 0xe3, 0x35, 0x4e, 0x7b, 0x30, 0x3c, 0x23, 0x5c, 0xb4, + 0x0a, 0x93, 0x2a, 0x39, 0x2e, 0x92, 0xc4, 0xdd, 0xdd, 0x84, 0x59, 0x12, 0xf4, 0x52, 0x5c, 0x74, + 0x3d, 0xb0, 0x1b, 0xdb, 0xc7, 0x24, 0x08, 0x6c, 0xab, 0xf7, 0x44, 0xdd, 0x0c, 0x9d, 0xfe, 0x9b, + 0x12, 0xdc, 0xec, 0x6d, 0x0f, 0xf7, 0xb9, 0x34, 0x5f, 0xc0, 0x94, 0xe3, 0x35, 0xbe, 0xb1, 0x5d, + 0xcb, 0x7b, 0x1d, 0xdd, 0x61, 0x1d, 0xe8, 0x66, 0x70, 0xe4, 0x69, 0xf4, 0x35, 0x25, 0x00, 0x92, + 0x72, 0x19, 0xdd, 0x87, 0x69, 0xda, 0xda, 0xa7, 0x66, 0x60, 0xef, 0x13, 0x2b, 0xce, 0x2b, 0x2c, + 0x89, 0xab, 0x96, 0x45, 0x4d, 0xfa, 0x2f, 0xa1, 0x92, 0xb8, 0x71, 0x17, 0xdd, 0x96, 0x2c, 0x25, + 0x6e, 0x4b, 0x86, 0xc9, 0xd5, 0x03, 0x89, 0xe4, 0xea, 0x39, 0x18, 0xe3, 0x56, 0xd5, 0x4e, 0x9c, + 0x74, 0x1d, 0x3d, 0xa3, 0xab, 0x00, 0xb2, 0xc8, 0x93, 0x68, 0x1d, 0x12, 0xad, 0x09, 0x88, 0xfe, + 0xdf, 0xca, 0x50, 0xcb, 0x9d, 0xbe, 0x28, 0xe9, 0x21, 0x6e, 0x09, 0x07, 0xd9, 0xc3, 0xf4, 0xb6, + 0xa5, 0xed, 0x33, 0xb3, 0x39, 0x6b, 0xa5, 0x0f, 0xb6, 0xb1, 0xd2, 0x95, 0xf2, 0x31, 0x94, 0x53, + 0x3e, 0x86, 0x7b, 0xc8, 0x85, 0x99, 0xe7, 0x06, 0x37, 0x23, 0x6e, 0x54, 0x9b, 0xa4, 0x6c, 0xc4, + 0x80, 0x9c, 0xc5, 0x3b, 0xda, 0xb7, 
0xc5, 0xbb, 0x04, 0x13, 0xd4, 0x0c, 0xb0, 0x7a, 0xff, 0x31, + 0x76, 0x54, 0xca, 0x6a, 0x87, 0xfd, 0x96, 0x21, 0x10, 0x3e, 0x2b, 0xcf, 0x65, 0xe4, 0x84, 0xed, + 0x60, 0x76, 0xa8, 0xaa, 0x89, 0x25, 0x41, 0xe8, 0x53, 0x18, 0x55, 0x17, 0x11, 0x95, 0x81, 0x7f, + 0xa3, 0x28, 0x58, 0xaf, 0x14, 0xa7, 0xd0, 0x08, 0x53, 0x14, 0xe8, 0x39, 0x8c, 0x51, 0x95, 0x7e, + 0xac, 0x2c, 0x7b, 0xbd, 0x98, 0x5a, 0xe2, 0x84, 0x01, 0xc7, 0x90, 0xe6, 0x0d, 0xd7, 0xfd, 0xf9, + 0x13, 0x0a, 0xc6, 0xa5, 0x7c, 0x3e, 0xb5, 0x9e, 0x7d, 0x3e, 0x9b, 0x50, 0xe1, 0xe2, 0x39, 0x24, + 0xec, 0xc3, 0x15, 0x90, 0xa4, 0x2f, 0x30, 0x67, 0xd0, 0x39, 0xcc, 0x19, 0x2d, 0xf4, 0x9c, 0x4d, + 0x47, 0x29, 0x77, 0xca, 0x7b, 0xb6, 0x0b, 0x17, 0xfd, 0xc0, 0x93, 0x49, 0x35, 0x09, 0x06, 0x44, + 0x54, 0x42, 0x69, 0x67, 0xde, 0xd0, 0x8e, 0x54, 0xff, 0xb7, 0x25, 0x98, 0xef, 0x74, 0x1d, 0xa5, + 0x4f, 0x41, 0xb1, 0x0d, 0x33, 0x4d, 0x59, 0x2d, 0x63, 0xed, 0xc4, 0xb7, 0x83, 0xd3, 0xde, 0x85, + 0x45, 0x31, 0x9d, 0xbe, 0x03, 0x5a, 0xbb, 0xa3, 0xd4, 0xa7, 0x26, 0xfd, 0x6f, 0x4a, 0x70, 0xb1, + 0xcd, 0xd9, 0x46, 0xcb, 0x50, 0xc1, 0x89, 0x05, 0x2d, 0xf5, 0x5a, 0x7d, 0x23, 0x41, 0x84, 0xd6, + 0x12, 0x42, 0x66, 0x20, 0x7b, 0x9f, 0x28, 0xf7, 0xe2, 0x2d, 0x85, 0x1a, 0x72, 0x87, 0x90, 0x54, + 0x3f, 0x82, 0x6b, 0x5d, 0x90, 0xfb, 0xaf, 0x44, 0x12, 0x09, 0xc6, 0xaa, 0x14, 0x8c, 0xfa, 0x3f, + 0xaf, 0x42, 0x25, 0x91, 0x82, 0x99, 0xec, 0xf9, 0xdd, 0xde, 0x7b, 0x7e, 0x0f, 0xaa, 0x91, 0x86, + 0xfc, 0xc2, 0x76, 0x42, 0x79, 0x9c, 0x06, 0xa2, 0x5b, 0x10, 0xeb, 0xd1, 0x2f, 0xbc, 0xa0, 0x89, + 0xc3, 0xa2, 0x28, 0x59, 0x30, 0x5a, 0x0f, 0x95, 0xf7, 0x0d, 0xaf, 0xb1, 0xe6, 0x9a, 0x9e, 0x15, + 0x6a, 0x78, 0x13, 0x49, 0xd3, 0x2b, 0x87, 0x62, 0xe4, 0xa9, 0xb8, 0x74, 0xc7, 0x2d, 0xe6, 0xc9, + 0xfc, 0x62, 0x25, 0xf9, 0x12, 0x10, 0x3e, 0x74, 0x15, 0xcb, 0x50, 0x39, 0x98, 0xb2, 0xce, 0x6a, + 0x1a, 0x88, 0xee, 0xc2, 0x94, 0xe9, 0x35, 0x7d, 0xcf, 0x25, 0x2e, 0xdb, 0x08, 0xab, 0x8c, 0x4a, + 0x19, 0x98, 0x6f, 0x50, 0xe2, 0xc7, 0x6c, 0x05, 0x01, 0x71, 0xcd, 0x53, 
0x21, 0x0a, 0xab, 0x46, + 0x12, 0x14, 0x27, 0x81, 0x89, 0x1a, 0x8a, 0xad, 0xa6, 0xaf, 0x3c, 0xd8, 0x3d, 0x24, 0x81, 0x85, + 0x14, 0x68, 0x0b, 0xa6, 0x49, 0xa2, 0x48, 0x4d, 0x68, 0xfa, 0x43, 0xd6, 0x9d, 0x98, 0xaf, 0x64, + 0x63, 0x14, 0x11, 0xa2, 0xe7, 0x50, 0x11, 0xe0, 0x3a, 0xc3, 0x8c, 0x5a, 0x4a, 0x2c, 0x76, 0xee, + 0x27, 0x49, 0xc0, 0x95, 0x39, 0x55, 0x0d, 0x56, 0xf9, 0x7d, 0xe4, 0x3d, 0x71, 0x59, 0xfc, 0xa0, + 0xa8, 0x89, 0x6f, 0x88, 0x10, 0xbc, 0xa3, 0xb2, 0x6c, 0x54, 0x31, 0x84, 0x0c, 0x38, 0x0e, 0x2f, + 0x4c, 0x24, 0xc3, 0x0b, 0xb7, 0x60, 0x52, 0x85, 0x84, 0x22, 0xfa, 0x9a, 0x2a, 0xa6, 0x90, 0x06, + 0xa7, 0x8a, 0xc3, 0xa2, 0x4c, 0x71, 0xd8, 0xa7, 0xdc, 0x74, 0xb5, 0x8f, 0x6d, 0x87, 0x34, 0x88, + 0xa5, 0xbc, 0xb1, 0x1d, 0xed, 0x88, 0x18, 0x1b, 0x2d, 0xc3, 0x7c, 0x40, 0xb0, 0x65, 0xbb, 0x84, + 0xd2, 0x75, 0xd7, 0x66, 0x36, 0x76, 0x56, 0x89, 0x83, 0x4f, 0xeb, 0xc4, 0xf4, 0x5c, 0x8b, 0xaa, + 0xc4, 0xff, 0x8e, 0x38, 0x32, 0x4b, 0x54, 0xb5, 0xef, 0x90, 0xc0, 0xf6, 0xac, 0x90, 0x7a, 0x46, + 0x50, 0xb7, 0x69, 0x45, 0xcf, 0xe0, 0x52, 0xd4, 0xf2, 0x02, 0xdb, 0x4e, 0x2b, 0x20, 0xf1, 0x8d, + 0xdd, 0x59, 0x41, 0xda, 0x1e, 0x81, 0x9f, 0x0b, 0xca, 0x30, 0x6b, 0x89, 0x0b, 0xf9, 0x22, 0xce, + 0x58, 0x35, 0x12, 0x90, 0xb4, 0xa8, 0xd5, 0xce, 0x10, 0x5e, 0x09, 0x13, 0xa0, 0x2f, 0x89, 0xe3, + 0x5a, 0x8b, 0x69, 0x24, 0x3c, 0x4a, 0x7d, 0x7e, 0x0a, 0x9a, 0xaf, 0x5c, 0x86, 0xab, 0x84, 0xc9, + 0x58, 0x44, 0x98, 0xf7, 0x27, 0x33, 0xd5, 0xdb, 0xb6, 0xa3, 0x5d, 0x98, 0x11, 0x3b, 0x2f, 0xb2, + 0x77, 0xc2, 0xcd, 0x7f, 0x39, 0xeb, 0x1a, 0x5e, 0x4b, 0xa1, 0x85, 0x09, 0xf8, 0x85, 0xc4, 0x68, + 0x11, 0x2e, 0xa8, 0x7d, 0x17, 0x5a, 0x6a, 0x72, 0x07, 0xcf, 0x8b, 0xd1, 0x14, 0xb6, 0xe5, 0xf3, + 0xfb, 0xae, 0x9c, 0x31, 0xbf, 0x2f, 0x9f, 0xf4, 0x78, 0xb5, 0x30, 0xe9, 0xf1, 0x2f, 0x60, 0xd6, + 0xc7, 0x01, 0x71, 0x59, 0xfd, 0xb0, 0xc5, 0x2c, 0xef, 0x75, 0xfc, 0xc6, 0xeb, 0xdd, 0xde, 0xd8, + 0x86, 0x10, 0x3d, 0xe4, 0x0c, 0x24, 0xc9, 0x52, 0x64, 0xe1, 0xd4, 0x1b, 0x91, 0x1e, 0x52, 0xd4, + 0xcc, 0x07, 
0xec, 0xb5, 0x98, 0x63, 0x93, 0x80, 0xdb, 0x99, 0x5c, 0xbd, 0x96, 0xbe, 0xcc, 0x0c, + 0x14, 0x3d, 0x87, 0xb2, 0x63, 0x1f, 0x10, 0xf3, 0xd4, 0x74, 0x88, 0x4a, 0x16, 0xe9, 0x2e, 0x4f, + 0x63, 0x12, 0xfd, 0xaf, 0x07, 0xe0, 0x42, 0xd1, 0xea, 0xbd, 0xa5, 0x32, 0x5c, 0x65, 0x65, 0x29, + 0xae, 0x15, 0x95, 0xe1, 0x7a, 0xb7, 0xdd, 0x86, 0x4a, 0xa0, 0xbe, 0x8d, 0x4a, 0x5c, 0xbf, 0x2d, + 0xc1, 0xa5, 0xb6, 0x2f, 0xe4, 0xc3, 0x17, 0xb1, 0x6d, 0x65, 0xfc, 0xf2, 0xdf, 0x42, 0x50, 0x39, + 0x36, 0x71, 0x45, 0xca, 0xb7, 0x4a, 0x41, 0x51, 0xdf, 0x9c, 0x6f, 0x10, 0x15, 0xc6, 0x03, 0xfb, + 0x18, 0x33, 0xf2, 0x15, 0x39, 0x0d, 0x2b, 0xeb, 0xc6, 0x10, 0xb1, 0x39, 0xf1, 0x4a, 0x32, 0xf9, + 0x25, 0xcc, 0xc8, 0x4d, 0x41, 0xb9, 0x5d, 0x49, 0x5d, 0x5b, 0x89, 0x4e, 0xfe, 0x93, 0xb3, 0x66, + 0xda, 0xda, 0xe7, 0x12, 0x76, 0xc9, 0x91, 0xb5, 0xa4, 0xb4, 0x11, 0x61, 0xd5, 0x67, 0xc1, 0xfa, + 0x5f, 0xc1, 0x64, 0xa6, 0xa4, 0x43, 0xcc, 0xed, 0x4b, 0x6d, 0x13, 0x35, 0x86, 0x7b, 0x4e, 0xd4, + 0x58, 0x81, 0x8b, 0x6d, 0xea, 0x90, 0xf2, 0x61, 0x9b, 0x7e, 0x2b, 0xac, 0x68, 0x66, 0xfa, 0x2d, + 0x59, 0x18, 0xa6, 0xe9, 0xa9, 0xeb, 0xc6, 0xa2, 0x30, 0x0c, 0x7f, 0xd2, 0xff, 0xdd, 0x00, 0x94, + 0xa3, 0x2a, 0x12, 0xe7, 0x48, 0xfe, 0x9e, 0x87, 0xd1, 0x96, 0x45, 0xc5, 0xa9, 0x19, 0x88, 0x8e, + 0x59, 0x08, 0x42, 0xcb, 0x30, 0xde, 0xa2, 0x64, 0x8b, 0xeb, 0x40, 0xce, 0x97, 0xaf, 0x59, 0x77, + 0x9f, 0x96, 0xb4, 0x9e, 0x93, 0x34, 0x68, 0x03, 0xa6, 0x5a, 0x94, 0xec, 0x06, 0x2d, 0xca, 0x5e, + 0x7b, 0x01, 0x3b, 0x3c, 0xe5, 0x1d, 0x0d, 0xf5, 0xd4, 0x51, 0x9e, 0x10, 0x3d, 0x85, 0x61, 0xe6, + 0x1d, 0x11, 0xf7, 0x4c, 0x35, 0x92, 0x25, 0x89, 0xfe, 0x77, 0x61, 0x3c, 0x99, 0x46, 0x88, 0xe6, + 0xa1, 0x2c, 0x92, 0xfc, 0xc5, 0xd7, 0xcb, 0x39, 0x8f, 0x01, 0x91, 0x27, 0x67, 0x20, 0xe1, 0xc9, + 0xe1, 0x32, 0x4a, 0xf4, 0x20, 0x6e, 0x9e, 0xa8, 0xed, 0x19, 0x43, 0xf4, 0x7f, 0x59, 0x82, 0xea, + 0x9b, 0x57, 0xe3, 0x75, 0x18, 0x0f, 0x13, 0xea, 0x76, 0x62, 0x75, 0x39, 0x05, 0x8b, 0x46, 0x3b, + 0x98, 0xf6, 0x3b, 0x65, 0x6b, 0x4a, 0xea, 0xff, 
0x7d, 0x08, 0x66, 0x0a, 0x2b, 0xdc, 0xa0, 0x6f, + 0xe1, 0x92, 0xdc, 0x14, 0x71, 0xe4, 0x6f, 0xf9, 0x54, 0xd5, 0xcf, 0xea, 0xc1, 0xf5, 0xd3, 0x9e, + 0x18, 0x7d, 0x07, 0xd3, 0x2e, 0x39, 0x26, 0xea, 0x85, 0x7d, 0x96, 0x4d, 0x36, 0x8a, 0xfa, 0x10, + 0x69, 0x7b, 0xce, 0x6b, 0x7c, 0x4a, 0x33, 0x7d, 0x8f, 0x9f, 0x35, 0x6d, 0xaf, 0xa0, 0x13, 0xb4, + 0x01, 0xd3, 0x01, 0x79, 0x1d, 0xd8, 0x8c, 0x2c, 0xf9, 0xfe, 0xcb, 0xdd, 0xdd, 0x9d, 0x9d, 0xc0, + 0xdb, 0x0f, 0x2f, 0xea, 0x75, 0xac, 0x7f, 0x53, 0x40, 0xc6, 0x75, 0x70, 0x5b, 0xf4, 0x2f, 0x3c, + 0x08, 0x6a, 0x51, 0x92, 0x20, 0x64, 0xc0, 0xb4, 0x7c, 0x24, 0x29, 0x5b, 0xbe, 0xd7, 0x9a, 0x4f, + 0x45, 0xc4, 0xe8, 0x25, 0x4c, 0x78, 0xfb, 0xa9, 0xa9, 0xe9, 0x35, 0xea, 0x9e, 0xa1, 0x93, 0x41, + 0xb5, 0x1f, 0xa4, 0xda, 0xf3, 0xca, 0xd8, 0x10, 0x0a, 0x9d, 0x08, 0xaa, 0xc5, 0x30, 0xfd, 0x9f, + 0x94, 0xe0, 0x62, 0x9b, 0xb4, 0x90, 0x3e, 0xa5, 0xe4, 0x73, 0x18, 0xf7, 0x5a, 0xcc, 0x6f, 0x31, + 0x55, 0xd3, 0x6b, 0xa0, 0x87, 0xa2, 0x4b, 0x09, 0x7c, 0xfd, 0x77, 0x83, 0x70, 0xa5, 0x63, 0xa6, + 0x49, 0x9f, 0xe3, 0xfa, 0x48, 0x24, 0x80, 0x1d, 0xaa, 0xf1, 0x5c, 0x2b, 0x4c, 0x6b, 0x59, 0x6a, + 0xb1, 0xb8, 0xc2, 0x62, 0x8b, 0x1d, 0xa2, 0x4f, 0x22, 0x5d, 0xb4, 0x20, 0x99, 0x26, 0x22, 0x2b, + 0xac, 0xcb, 0xb3, 0x26, 0x62, 0xcc, 0x8c, 0x9c, 0xb0, 0x2f, 0x02, 0xec, 0x1f, 0x2a, 0x06, 0x5a, + 0xdc, 0xc1, 0x4a, 0x02, 0xd1, 0x48, 0x91, 0xa1, 0xed, 0x38, 0xb0, 0x21, 0x19, 0xe8, 0xc7, 0x3d, + 0x26, 0xe4, 0x2c, 0xa8, 0x88, 0x4b, 0xb6, 0xfa, 0xd9, 0x36, 0x8c, 0x2a, 0x6f, 0x89, 0x8a, 0x3b, + 0xf4, 0xdb, 0xa1, 0xea, 0x65, 0x6e, 0x0d, 0xaa, 0xa9, 0x96, 0x3e, 0x5d, 0x2b, 0xff, 0xba, 0x04, + 0x33, 0x85, 0x4b, 0xc1, 0x2d, 0x5d, 0xec, 0xfb, 0x2b, 0x01, 0xb1, 0x88, 0xcb, 0x4d, 0x1f, 0xda, + 0x43, 0xb7, 0x19, 0x0a, 0x2e, 0x95, 0xb1, 0x6f, 0x73, 0x15, 0x45, 0x49, 0x65, 0xf9, 0x84, 0x16, + 0xe2, 0x4c, 0x74, 0xd3, 0x8c, 0x44, 0x8b, 0xba, 0x78, 0x98, 0x6f, 0xd1, 0xff, 0x1e, 0x3f, 0x2e, + 0x85, 0x0b, 0xdf, 0xe7, 0xb6, 0xbc, 0x0b, 0x53, 0x14, 0x37, 0x7d, 0x71, 0xf9, 0x61, 
0x1f, 0xcb, + 0x3a, 0x92, 0x4a, 0x5e, 0xe4, 0x1b, 0xf4, 0xed, 0xd4, 0xeb, 0x93, 0xdb, 0xa6, 0xcf, 0x59, 0xff, + 0xeb, 0x01, 0x18, 0x4f, 0x7d, 0xc5, 0x63, 0x18, 0xb5, 0x30, 0xc3, 0x96, 0xd7, 0xc8, 0xd7, 0x56, + 0x95, 0x88, 0xab, 0xb2, 0x39, 0xdc, 0x06, 0x0a, 0x1b, 0x7d, 0xc6, 0x95, 0xf5, 0xc6, 0x21, 0xa3, + 0x8c, 0xf8, 0xf9, 0x43, 0x26, 0x49, 0x37, 0x38, 0x42, 0x9d, 0x11, 0x3f, 0x4c, 0xb5, 0x8a, 0x28, + 0xd0, 0x43, 0x18, 0xf9, 0xd1, 0xf6, 0x8f, 0xec, 0xb0, 0x30, 0xe8, 0x7c, 0x96, 0xf6, 0x7b, 0xd1, + 0x1a, 0x1e, 0x32, 0x89, 0x8b, 0x56, 0x8a, 0x52, 0xd6, 0x6e, 0x64, 0x49, 0xd3, 0x53, 0x96, 0x8d, + 0xf3, 0xea, 0xf7, 0x60, 0xba, 0xe0, 0xcb, 0x90, 0x06, 0xa3, 0x58, 0x55, 0x0f, 0x92, 0xaa, 0x46, + 0xf8, 0xa8, 0xd7, 0x61, 0xa6, 0xf0, 0x7b, 0xda, 0x93, 0x70, 0x59, 0x22, 0x1d, 0x4b, 0xbb, 0x42, + 0x17, 0x52, 0x57, 0x60, 0x13, 0x20, 0x7d, 0x01, 0x50, 0xfe, 0x43, 0x3b, 0x0c, 0xe2, 0x77, 0x25, + 0xb8, 0xd8, 0xe6, 0xf3, 0xd0, 0xfd, 0xb0, 0xc0, 0x4c, 0xf7, 0x9d, 0xa0, 0x8a, 0xcf, 0x3c, 0x84, + 0x99, 0x26, 0x3e, 0xd9, 0x6a, 0x35, 0xf7, 0x49, 0xb0, 0x7d, 0xb0, 0xc4, 0x58, 0x60, 0xef, 0xb7, + 0xb8, 0xb6, 0x2e, 0xb7, 0x62, 0x71, 0x23, 0x7a, 0x04, 0xb3, 0xc9, 0x86, 0x84, 0x08, 0x94, 0x97, + 0x45, 0xdb, 0xb4, 0x72, 0xc3, 0x3d, 0xd1, 0xb2, 0x49, 0x28, 0xc5, 0x8d, 0xf0, 0x4f, 0x63, 0xe4, + 0x15, 0xd2, 0xb6, 0xed, 0xfa, 0xff, 0x1e, 0x86, 0xaa, 0x2a, 0x8e, 0x79, 0xae, 0x83, 0xf7, 0x31, + 0x8c, 0xfc, 0x80, 0x49, 0x23, 0x62, 0xed, 0x99, 0x7d, 0x6e, 0xbb, 0x8d, 0x2f, 0x45, 0x73, 0xb8, + 0xe3, 0x24, 0x72, 0x2e, 0x48, 0x35, 0xd4, 0x77, 0x90, 0x6a, 0x0e, 0xc6, 0xfc, 0xb0, 0xd2, 0x96, + 0x34, 0x7b, 0xa2, 0x67, 0xf4, 0x20, 0x8e, 0x2d, 0x8d, 0x64, 0xe3, 0x6a, 0x6d, 0x22, 0x4a, 0x1f, + 0x47, 0x07, 0x68, 0xb4, 0xcd, 0xf7, 0x14, 0x9e, 0xa0, 0x25, 0x00, 0xcf, 0x27, 0xae, 0x49, 0x5c, + 0xda, 0x0a, 0x2b, 0xbb, 0xde, 0xc8, 0x91, 0x6e, 0x47, 0x28, 0xe1, 0x8d, 0x8b, 0x98, 0xa8, 0x87, + 0x50, 0x59, 0xb7, 0xf0, 0x52, 0xf5, 0xa7, 0x08, 0x2f, 0x4d, 0xfc, 0x01, 0xee, 0xf0, 0x4f, 0x9e, + 0xf3, 0xff, 0x38, 0xfe, 
0xfd, 0x80, 0x3c, 0xe4, 0x05, 0x4b, 0x10, 0x46, 0x62, 0x4b, 0xb9, 0x48, + 0xec, 0x40, 0x0f, 0x91, 0xd8, 0x97, 0x50, 0x26, 0x27, 0xbe, 0x17, 0x24, 0x52, 0x5b, 0x6f, 0x77, + 0x58, 0xf5, 0xb5, 0x10, 0x37, 0x64, 0xdc, 0x11, 0x71, 0xba, 0x04, 0xcd, 0x70, 0x7f, 0x25, 0x68, + 0xf2, 0xe1, 0xb0, 0x91, 0xfe, 0xc3, 0x61, 0xfa, 0x01, 0x5c, 0xef, 0xf6, 0x01, 0xdc, 0xca, 0x4b, + 0x0a, 0x8e, 0x9e, 0xad, 0xbc, 0xa4, 0xdc, 0xf8, 0x1f, 0x83, 0x52, 0x70, 0x64, 0x58, 0xc5, 0xf9, + 0x16, 0x26, 0x72, 0x5c, 0x40, 0xd2, 0x71, 0xf1, 0x69, 0xe4, 0x54, 0x18, 0xcc, 0x7a, 0x93, 0x52, + 0x23, 0xd8, 0x14, 0x48, 0xe1, 0x11, 0x97, 0x24, 0xc2, 0x91, 0xe2, 0x63, 0xb7, 0xce, 0xbc, 0x00, + 0x37, 0x08, 0x7f, 0xa7, 0xf2, 0xc1, 0x64, 0xc1, 0x9c, 0x93, 0xfa, 0x24, 0xa0, 0x36, 0x65, 0xbd, + 0x64, 0xf2, 0x2a, 0x54, 0x74, 0x1b, 0x6a, 0x54, 0x76, 0x12, 0x17, 0xff, 0x94, 0x81, 0x8d, 0x1c, + 0x5c, 0xc4, 0x52, 0x84, 0xd0, 0x13, 0x97, 0x06, 0xd5, 0x5f, 0xca, 0xc5, 0x90, 0xf4, 0x6e, 0x1a, + 0x7b, 0x53, 0xbb, 0xa9, 0x7c, 0x8e, 0xdd, 0xf4, 0x14, 0x2e, 0xb5, 0x9d, 0x62, 0x74, 0x05, 0xa0, + 0x89, 0x4f, 0xf6, 0x84, 0xca, 0x4f, 0x55, 0xd5, 0xbf, 0x72, 0x13, 0x9f, 0x08, 0xc1, 0x4c, 0xf5, + 0xff, 0x13, 0xef, 0x90, 0x94, 0x54, 0x7f, 0x33, 0x3b, 0xa4, 0x9c, 0xdc, 0x21, 0x77, 0x61, 0xca, + 0xe7, 0x56, 0x6b, 0x9d, 0xe1, 0x80, 0xb5, 0x7c, 0x11, 0x1e, 0x50, 0x52, 0x38, 0xdf, 0x80, 0x9e, + 0xc1, 0x25, 0xc7, 0x3e, 0x26, 0x22, 0x22, 0x90, 0xa3, 0xaa, 0x48, 0xc7, 0x7f, 0x5b, 0x04, 0x34, + 0x0f, 0xe5, 0x5f, 0xb6, 0x48, 0x70, 0x1a, 0xdd, 0x76, 0xa9, 0x1a, 0x31, 0xa0, 0x4f, 0x27, 0x1b, + 0xb7, 0x56, 0x7f, 0xc0, 0xc7, 0x78, 0xdb, 0x67, 0xf4, 0x25, 0xc1, 0xbe, 0xfc, 0x23, 0x2c, 0x23, + 0x05, 0xe3, 0x22, 0xb3, 0x89, 0x4f, 0xea, 0x3e, 0x56, 0x79, 0xe1, 0x55, 0x23, 0x7a, 0x46, 0x1f, + 0xc3, 0x10, 0x17, 0xaf, 0x6d, 0x45, 0x98, 0x5c, 0x80, 0x2d, 0xcf, 0x0a, 0x25, 0xa7, 0x40, 0x7f, + 0xb3, 0xff, 0x35, 0xa8, 0x7f, 0x18, 0xb1, 0xeb, 0xec, 0xeb, 0x10, 0x82, 0x21, 0xd3, 0x6f, 0x85, + 0x9b, 0x44, 0xfc, 0xd6, 0x7f, 0x5d, 0x82, 0xe9, 0xaf, 0x6c, 
0xec, 0xd8, 0x6f, 0x22, 0x38, 0x8d, + 0x2e, 0x43, 0xd9, 0x24, 0x01, 0xdb, 0x3b, 0xb0, 0x9d, 0xd0, 0x09, 0x36, 0xc6, 0x01, 0x2a, 0x72, + 0x5a, 0x53, 0x5e, 0xd9, 0xbd, 0x23, 0x72, 0x2a, 0x71, 0x06, 0xd5, 0xbf, 0x20, 0x46, 0xde, 0x5a, + 0x8e, 0xa9, 0x3b, 0x80, 0xd4, 0x98, 0xde, 0xb4, 0x5b, 0xac, 0xc8, 0xbd, 0xf5, 0xcf, 0x06, 0xe1, + 0x82, 0x78, 0xdd, 0x2a, 0xa6, 0x87, 0xfb, 0x1e, 0x0e, 0x42, 0x2b, 0x32, 0xed, 0xb9, 0x2b, 0x65, + 0x3d, 0x77, 0x5c, 0xeb, 0x68, 0x51, 0x12, 0xb8, 0xb8, 0x49, 0x62, 0xb3, 0x2e, 0x09, 0x42, 0xef, + 0x41, 0xd5, 0xc7, 0x94, 0xfa, 0x87, 0x01, 0xa6, 0x09, 0xef, 0x74, 0x1a, 0x88, 0x9e, 0xc3, 0xf8, + 0xb1, 0x4d, 0x5e, 0x6f, 0xbb, 0xce, 0xa9, 0xe0, 0x49, 0xdd, 0xef, 0xf2, 0xa5, 0xf0, 0xf9, 0x38, + 0x1b, 0x01, 0x3e, 0xc0, 0x2e, 0x7e, 0x65, 0x6c, 0x84, 0x7f, 0xb1, 0x19, 0x43, 0x44, 0xad, 0x54, + 0xc1, 0x38, 0x78, 0xb3, 0xba, 0xf3, 0x14, 0x01, 0xd0, 0x43, 0xe5, 0x95, 0xe8, 0x35, 0xef, 0x57, + 0xba, 0x25, 0xee, 0xc3, 0xb4, 0x7a, 0xc3, 0xba, 0xab, 0x12, 0xf4, 0x78, 0xef, 0x32, 0x0d, 0xb8, + 0xa8, 0x89, 0xdb, 0xb9, 0xf2, 0xa5, 0x29, 0x02, 0xc9, 0x41, 0x0a, 0x5a, 0xf4, 0xff, 0x3c, 0x06, + 0x15, 0xb1, 0x2c, 0xe7, 0x4d, 0x45, 0x93, 0xd7, 0xd4, 0x56, 0x49, 0xd3, 0x93, 0x9e, 0xdc, 0x5e, + 0x52, 0xd1, 0xb2, 0x34, 0x21, 0xbf, 0x1c, 0xcc, 0xf1, 0xcb, 0xa1, 0x1e, 0xf8, 0x65, 0xaf, 0xf9, + 0x67, 0x6d, 0x4a, 0x52, 0x8f, 0xb4, 0x2f, 0x49, 0xfd, 0x49, 0xe2, 0x12, 0x57, 0x4e, 0xe9, 0x2e, + 0x38, 0xd7, 0x89, 0xfb, 0x5b, 0xcf, 0xa0, 0x6c, 0x85, 0x1b, 0x5e, 0xb1, 0xac, 0xab, 0x19, 0xda, + 0xcc, 0x81, 0x30, 0x62, 0x82, 0xac, 0xc6, 0x3d, 0x99, 0xd7, 0xb8, 0xff, 0xfc, 0x9f, 0x58, 0x3f, + 0xf5, 0x7f, 0x62, 0x65, 0x2c, 0x81, 0x89, 0x73, 0xde, 0xd0, 0x8b, 0xee, 0x78, 0xd5, 0xb2, 0x77, + 0xbc, 0x52, 0xf2, 0x76, 0xaa, 0x67, 0x79, 0x7b, 0x1b, 0x26, 0xe2, 0x3d, 0xbd, 0x64, 0x59, 0x81, + 0x64, 0xcb, 0x6a, 0xd5, 0x52, 0x2d, 0xe8, 0x51, 0x6c, 0x8e, 0xe6, 0x52, 0xcd, 0xf2, 0xb2, 0x22, + 0xb2, 0x49, 0xf5, 0xbf, 0x0f, 0xb0, 0x8c, 0x69, 0x28, 0x42, 0xbe, 0x04, 0xa4, 0xa2, 0xc1, 0xc6, + 
0xea, 0x2e, 0x69, 0xfa, 0x8e, 0x08, 0x07, 0x76, 0x67, 0x27, 0x05, 0x54, 0x9c, 0xb7, 0x1f, 0x47, + 0xff, 0x0b, 0xc3, 0x59, 0x99, 0xe4, 0xff, 0x69, 0xa0, 0xfe, 0x04, 0x90, 0x2c, 0xb9, 0x2c, 0x6b, + 0x83, 0xab, 0x71, 0x64, 0xfd, 0xe2, 0xa5, 0x02, 0xbf, 0xf8, 0xff, 0x1d, 0x83, 0x11, 0xf1, 0x76, + 0x8a, 0xde, 0x87, 0x41, 0xd3, 0xb5, 0x15, 0xdf, 0x9a, 0x4e, 0xfd, 0xed, 0x6f, 0x58, 0x11, 0xd3, + 0x74, 0x6d, 0xf4, 0x29, 0x8c, 0x8b, 0x5a, 0xda, 0xa6, 0x17, 0x10, 0xcb, 0xa5, 0xf9, 0x3f, 0xd9, + 0x4d, 0xfd, 0xd7, 0xa9, 0x91, 0x42, 0x46, 0x0f, 0x61, 0x2c, 0x2a, 0xd1, 0x27, 0x55, 0x26, 0x2d, + 0x57, 0x96, 0x36, 0xaa, 0x3a, 0x13, 0x62, 0xa2, 0x05, 0x18, 0x91, 0xb9, 0xd1, 0xca, 0x5c, 0x9a, + 0xcd, 0xfe, 0x01, 0x46, 0x68, 0x08, 0x48, 0x2c, 0xf4, 0x14, 0x46, 0x95, 0x6c, 0xe8, 0x59, 0xde, + 0x84, 0x04, 0xe8, 0x0e, 0x0c, 0x37, 0xed, 0x13, 0x12, 0x28, 0x66, 0x35, 0x93, 0xa9, 0x8f, 0x13, + 0x56, 0x92, 0x12, 0x38, 0xa2, 0xd6, 0xa9, 0xed, 0x78, 0xe1, 0x3f, 0xa6, 0xcc, 0x14, 0x26, 0x56, + 0x19, 0x12, 0x07, 0x3d, 0x4e, 0x96, 0x68, 0xba, 0x98, 0xad, 0xd5, 0xdf, 0xa1, 0x3a, 0xd3, 0xd3, + 0x54, 0xc2, 0x48, 0xf8, 0xcf, 0x2a, 0x05, 0xd7, 0xe5, 0x0a, 0xb2, 0x44, 0xbe, 0x81, 0x59, 0x9a, + 0x0e, 0xaa, 0xa9, 0x7f, 0x68, 0x50, 0xcc, 0x20, 0x19, 0x1f, 0x28, 0x0a, 0xbe, 0x19, 0x6d, 0xc8, + 0xd1, 0x03, 0x18, 0x65, 0xea, 0xbf, 0x5e, 0x26, 0x72, 0xc2, 0x29, 0xe9, 0xb6, 0x32, 0x42, 0x3c, + 0x3e, 0x5b, 0x47, 0xfc, 0x10, 0x29, 0x6f, 0xc1, 0x4c, 0xe6, 0x6c, 0x85, 0xb3, 0x25, 0x70, 0x90, + 0x06, 0xa3, 0xc7, 0xdc, 0xee, 0xf2, 0x5c, 0x75, 0x51, 0x29, 0x7c, 0x14, 0xc2, 0x56, 0xfd, 0x99, + 0x75, 0x86, 0x1d, 0x74, 0x16, 0xb6, 0x19, 0x1a, 0xb4, 0x03, 0x28, 0x9e, 0xa8, 0x6d, 0xf5, 0x2f, + 0x16, 0xbd, 0xde, 0x4f, 0x35, 0x0a, 0x68, 0xd1, 0x7d, 0x28, 0xcb, 0x7f, 0xcd, 0xe2, 0xe7, 0x68, + 0xba, 0xfd, 0x39, 0x1a, 0x13, 0x58, 0x2b, 0xae, 0x8d, 0x9e, 0x40, 0xf9, 0x48, 0x94, 0xcc, 0xb6, + 0x7f, 0x24, 0x3d, 0xdc, 0x54, 0x8d, 0x91, 0x53, 0x55, 0xe5, 0x67, 0x32, 0x55, 0xe5, 0x1f, 0x03, + 0x34, 0x09, 0x55, 0x61, 0x05, 0x75, 
0xa1, 0xa4, 0xad, 0xee, 0x90, 0x40, 0x45, 0xb7, 0x60, 0x68, + 0x1f, 0x53, 0xa2, 0x6a, 0x8b, 0x26, 0xfe, 0x66, 0x25, 0xe6, 0x6e, 0x86, 0xc0, 0x40, 0x9f, 0x2b, + 0x2e, 0xa0, 0x38, 0x8e, 0xaa, 0x1b, 0x3a, 0x9f, 0xad, 0xbe, 0x9f, 0xe4, 0x47, 0x46, 0x8a, 0x42, + 0xd7, 0x60, 0xb6, 0x78, 0x6a, 0xf5, 0x6b, 0x70, 0xa5, 0xa3, 0xd0, 0xd0, 0x67, 0xe1, 0x42, 0x51, + 0x1e, 0xab, 0xfe, 0x77, 0xa0, 0x9a, 0xfa, 0x03, 0xc2, 0x37, 0x5c, 0x5d, 0x72, 0x12, 0xaa, 0xa9, + 0xa9, 0xbb, 0x7d, 0x4f, 0xde, 0x2a, 0x41, 0xe3, 0x30, 0xa6, 0xf2, 0x56, 0xac, 0xda, 0x3b, 0xfc, + 0xc9, 0xf1, 0x1a, 0x7b, 0x9e, 0xeb, 0x9c, 0xd6, 0x4a, 0xa8, 0xc2, 0x87, 0x70, 0xe0, 0x05, 0x26, + 0xa9, 0x0d, 0xdc, 0xfe, 0xb2, 0x4d, 0x56, 0x21, 0x9a, 0x84, 0xca, 0xab, 0xad, 0xfa, 0xce, 0xda, + 0xca, 0xfa, 0x8b, 0xf5, 0xb5, 0xd5, 0xda, 0x3b, 0x9c, 0x6c, 0x75, 0xed, 0xc5, 0xd2, 0xab, 0x8d, + 0xdd, 0x5a, 0x09, 0x01, 0x8c, 0xd4, 0x77, 0x8d, 0xf5, 0x95, 0xdd, 0xda, 0x00, 0x1a, 0x85, 0xc1, + 0xed, 0x17, 0x2f, 0x6a, 0x83, 0xb7, 0x3f, 0x28, 0xb8, 0xf8, 0x89, 0xc6, 0x60, 0xe8, 0xcb, 0xfa, + 0xf6, 0x56, 0xed, 0x1d, 0xfe, 0x6b, 0x77, 0xed, 0xdb, 0xdd, 0x5a, 0xe9, 0xf6, 0x52, 0x18, 0xdb, + 0xe3, 0xfd, 0x48, 0x6f, 0x68, 0xed, 0x1d, 0x54, 0x4d, 0x84, 0x31, 0xe4, 0x30, 0x55, 0x80, 0xa3, + 0x36, 0xc0, 0x47, 0x93, 0xf0, 0xff, 0xd4, 0x06, 0x97, 0xe1, 0xfb, 0xb1, 0x70, 0x61, 0xf7, 0x47, + 0xc4, 0xd4, 0x7d, 0xf4, 0xb7, 0x01, 0x00, 0x00, 0xff, 0xff, 0x6a, 0x26, 0x81, 0xb6, 0xf6, 0x80, + 0x00, 0x00, } diff --git a/operator/pkg/apis/istio/v1alpha1/values_types.proto b/operator/pkg/apis/istio/v1alpha1/values_types.proto index d55c8cec887..ec3286dff96 100644 --- a/operator/pkg/apis/istio/v1alpha1/values_types.proto +++ b/operator/pkg/apis/istio/v1alpha1/values_types.proto 
@@ -967,6 +967,10 @@ message MultiClusterConfig {
 google.protobuf.BoolValue enabled = 1;
 string clusterName = 2;
+
+ string globalDomainSuffix = 3;
+
+ google.protobuf.BoolValue includeEnvoyFilter = 4;
 }
 // OutboundTrafficPolicyConfig controls the default behavior of the sidecar for handling outbound traffic from the application.
diff --git a/releasenotes/notes/27300.yaml b/releasenotes/notes/27300.yaml
new file mode 100644
index 00000000000..9813b886b8f
--- /dev/null
+++ b/releasenotes/notes/27300.yaml
@@ -0,0 +1,9 @@
+apiVersion: release-notes/v2
+kind: feature
+area: istioctl
+issue:
+ - 27300
+
+releaseNotes:
+ - |
+ **Added** ability to configure domain suffix for multicluster installation
\ No newline at end of file
From cc0ec0d23f92b7e4ce63293de5aaadea38512468 Mon Sep 17 00:00:00 2001
From: John Howard
Date: Fri, 2 Oct 2020 10:41:19 -0700
Subject: [PATCH 62/82] [1.6] Stop creating invalid double wildcard domains (#27362) (#27528) * Stop creating invalid double wildcard domains (#27362) * Stop creating invalid double wildcard domains For https://github.com/istio/istio/issues/25350 Does not fully fix the problem, see envoy issue * Add release notes (cherry picked from commit 0e8aebca29dc1dd0df1af01e5701176f39fb7d43) * Update pilot/pkg/networking/core/v1alpha3/gateway.go Co-authored-by: Shamsher Ansari Co-authored-by: Shamsher Ansari
---
 pilot/pkg/networking/core/v1alpha3/gateway.go | 19 +++++++++++---
 .../networking/core/v1alpha3/gateway_test.go | 26 +++++++++++++++++++
 2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/pilot/pkg/networking/core/v1alpha3/gateway.go b/pilot/pkg/networking/core/v1alpha3/gateway.go
index da2b661cf54..a053a37857e 100644
--- a/pilot/pkg/networking/core/v1alpha3/gateway.go
+++ b/pilot/pkg/networking/core/v1alpha3/gateway.go
@@ -17,6 +17,7 @@ package v1alpha3
 import (
 "fmt"
 "sort"
+ "strconv"
 "strings"
 xdsapi "github.com/envoyproxy/go-control-plane/envoy/api/v2"
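Review bot: The two fields added to MultiClusterConfig in values_types.proto, `globalDomainSuffix = 3` and `includeEnvoyFilter = 4`, carry no comments, so nothing in the API definition says what they control or what happens when they are unset. Going by the release note in this same commit, the first could be documented as `// Domain suffix used for multicluster installation.`; what includeEnvoyFilter is meant to do is not visible in this hunk and needs a line from the author. The message body starts above the hunk.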
@@ -254,7 +255,7 @@ func (configgen *ConfigGeneratorImpl) buildGatewayHTTPRouteConfig(node *model.Pr
 } else {
 newVHost := &route.VirtualHost{
 Name: domainName(string(hostname), port),
- Domains: buildGatewayVirtualHostDomains(string(hostname)),
+ Domains: buildGatewayVirtualHostDomains(string(hostname), port),
 Routes: routes,
 }
 if server.Tls != nil && server.Tls.HttpsRedirect {
@@ -753,12 +754,22 @@ func getSNIHostsForServer(server *networking.Server) []string {
 return sniHostsSlice
 }
-func buildGatewayVirtualHostDomains(hostname string) []string {
+func buildGatewayVirtualHostDomains(hostname string, port int) []string {
 domains := []string{hostname}
 if hostname == "*" {
 return domains
 }
- // To support gateway behind a LB with unknown port.
- domains = append(domains, hostname+":*")
+
+ // Per https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route_components.proto#route-virtualhost
+ // we can only have one wildcard. Ideally, we want to match any port, as the host
+ // header may have a different port (behind a LB, nodeport, etc). However, if we
+ // have a wildcard domain we cannot do that since we would need two wildcards.
+ // Therefore, we will preserve the original port if there is a wildcard host.
+ // TODO(https://github.com/envoyproxy/envoy/issues/12647) support wildcard host with wildcard port.
+ if len(hostname) > 0 && hostname[0] == '*' {
+ domains = append(domains, hostname+":"+strconv.Itoa(port))
+ } else {
+ domains = append(domains, hostname+":*")
+ }
 return domains
 }
diff --git a/pilot/pkg/networking/core/v1alpha3/gateway_test.go b/pilot/pkg/networking/core/v1alpha3/gateway_test.go
index f9ba34538b6..86afb4f6958 100644
--- a/pilot/pkg/networking/core/v1alpha3/gateway_test.go
+++ b/pilot/pkg/networking/core/v1alpha3/gateway_test.go
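Review bot: buildGatewayVirtualHostDomains has no doc comment, and its contract now differs by host type: a wildcard host gets only `hostname:<server port>`, while every other host keeps `hostname:*`. As far as the inline comment describes it, a request to a wildcard host whose Host header carries a different port (the LB or NodePort case) will match neither entry, which an operator debugging unmatched routes should be able to read from the function header, for example `// buildGatewayVirtualHostDomains returns the domains for a gateway virtual host: the bare host plus host:port, where wildcard hosts match only the server port and other hosts match any port.` The prefix test `len(hostname) > 0 && hostname[0] == '*'` would also read more plainly as `strings.HasPrefix(hostname, "*")`, since `strings` is already in the import block shown in the first hunk of this file.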
@@ -913,6 +913,21 @@ func TestGatewayHTTPRouteConfig(t *testing.T) {
 },
 },
 }
+ httpGatewayWildcard := pilot_model.Config{
+ ConfigMeta: pilot_model.ConfigMeta{
+ Name: "gateway",
+ Namespace: "default",
+ },
+ Spec: &networking.Gateway{
+ Selector: map[string]string{"istio": "ingressgateway"},
+ Servers: []*networking.Server{
+ {
+ Hosts: []string{"*"},
+ Port: &networking.Port{Name: "http", Number: 80, Protocol: "HTTP"},
+ },
+ },
+ },
+ }
 virtualServiceSpec := &networking.VirtualService{
 Hosts: []string{"example.org"},
 Gateways: []string{"gateway"},
@@ -1023,6 +1038,17 @@ func TestGatewayHTTPRouteConfig(t *testing.T) {
 },
 },
 },
+ {
+ "wildcard virtual service",
+ []pilot_model.Config{virtualServiceWildcard},
+ []pilot_model.Config{httpGatewayWildcard},
+ "http.80",
+ map[string][]string{
+ "*.org:80": {
+ "*.org", "*.org:80",
+ },
+ },
+ },
 }
 for _, tt := range cases {
 t.Run(tt.name, func(t *testing.T) {
From 224717b386cfc1d3fba1386fbe82f39f9b7e46a7 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Mon, 5 Oct 2020 09:39:01 -0700
Subject: [PATCH 63/82] Automator: update common-files@release-1.6 in istio/istio@release-1.6 (#27733)
---
 common/.commonfiles.sha | 2 +-
 common/scripts/setup_env.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha
index 86dea19763d..fc3c68a93cb 100644
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@@ -1 +1 @@
-ea4c40d055ee4388a5697abd2bc0dafec5f4bb08
+1503234f312b836d9764cb3efd60fd6dff304efa
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh
index 255b441473b..252bb57d196 100755
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@@ -59,7 +59,7 @@ fi
 # Build image to use
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
- export IMAGE_VERSION=release-1.6-2020-05-08T22-06-04
+ export IMAGE_VERSION=release-1.6-2020-10-01T21-30-44
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
 export IMAGE_NAME=build-tools
From 3fc7e58a8269859aac4ee9633e627d1a1dce5939 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Mon, 5 Oct 2020 10:22:49 -0700
Subject: [PATCH 64/82] Automator: update istio/api@release-1.6 dependency in istio/istio@release-1.6 (#27736)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index c3fd2c50e09..e31395ed9cb 100644
--- a/go.mod
+++ b/go.mod
@@ -158,7 +158,7 @@ require (
 gopkg.in/square/go-jose.v2 v2.3.1
 gopkg.in/yaml.v2 v2.2.8
 helm.sh/helm/v3 v3.2.0
- istio.io/api v0.0.0-20200813195615-8ab1a23cc673
+ istio.io/api v0.0.0-20201005161549-d516b0116b1e
 istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8
 istio.io/pkg v0.0.0-20200709220414-14d5de656564
 k8s.io/api v0.18.1
diff --git a/go.sum b/go.sum
index 8170b6a0fad..d0949e6aa38 100644
--- a/go.sum
+++ b/go.sum
@@ -1063,8 +1063,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml9iS5NfNfqZGRt1pS9aVEo=
-istio.io/api v0.0.0-20200813195615-8ab1a23cc673 h1:c8BMpmRDs3ktoeAXYZWHXZBZlup/NWvRxxFdg05knlU=
-istio.io/api v0.0.0-20200813195615-8ab1a23cc673/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8=
+istio.io/api v0.0.0-20201005161549-d516b0116b1e h1:X8IgFv7k+ssOmsbNI2G7iKlAmi7rPqywX4iygITOURQ=
+istio.io/api v0.0.0-20201005161549-d516b0116b1e/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8=
 istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs=
 istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 h1:41vUsZxxi7Kq9pyxmk7xjSKrYEYyXCQsTvP4mWOXzoI=
 istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs=
From a89fb9a5fa604e338024236ad43665a10d1eeb1d Mon Sep 17 00:00:00 2001
From: Brian Avery
Date: Tue, 6 Oct 2020 10:32:22 -0400
Subject: [PATCH 65/82] Update deps (#27754)
---
 istio.deps | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/istio.deps b/istio.deps
index 135ec15a25b..da4cb75a70f 100644
--- a/istio.deps
+++ b/istio.deps
@@ -4,7 +4,7 @@
 "name": "PROXY_REPO_SHA",
 "repoName": "proxy",
 "file": "",
- "lastStableSHA": "ccae1bd37085ecd78415dc06b50233b3b97e30c0"
+ "lastStableSHA": "ef96e9c2f0b0d2a31e3a9426c4b339db0b33885f"
 },
 {
 "_comment": "",
From 92cb89444cfa76e5a1363aaa255e1e777abf80d4 Mon Sep 17 00:00:00 2001
From: John Howard
Date: Wed, 7 Oct 2020 12:20:53 -0700
Subject: [PATCH 66/82] Bump 1.6 base image (#27812)
---
 Makefile.core.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.core.mk b/Makefile.core.mk
index dffe0e83fd8..ce48ba19fc8 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail
 VERSION ?= 1.6-dev
 # Base version of Istio image to use
-BASE_VERSION ?= 1.6-dev.7
+BASE_VERSION ?= 1.6-dev.8
 export GO111MODULE ?= on
 export GOPROXY ?= https://proxy.golang.org
From 7ab12a4d8c8b25472e916e8ec554df017265a9e2 Mon Sep 17 00:00:00 2001
From: Linggg
Date: Wed, 7 Oct 2020 14:20:03 -0700
Subject: [PATCH 67/82] [release-1.6]Cherry-pick: remove cacert.pem and use x509.SystemCertPool() (#27766) * [release-1.6] cherry pick: remove cacert.pem and use x509.SystemCertPool() (#27657) * remove tests/integration/mixer/helper.go cacert.pem dependency * add release note
---
 pilot/docker/Dockerfile.pilot | 2 +-
 pilot/pkg/model/jwks_resolver.go | 12 +-
 pkg/test/echo/client/client.go | 9 +-
 pkg/test/echo/common/model.go | 1 +
 releasenotes/notes/27574.yaml | 9 +
 .../mixer/outboundtrafficpolicy/helper.go | 2 +-
 tests/testdata/certs/cacert.pem | 3338 -----------------
 tools/istio-docker.mk | 5 +-
 8 files changed, 28 insertions(+), 3350 deletions(-)
 create mode 100644 releasenotes/notes/27574.yaml
 delete mode 100644 tests/testdata/certs/cacert.pem
diff --git a/pilot/docker/Dockerfile.pilot b/pilot/docker/Dockerfile.pilot
index bb46cba1bbc..1bb8f350342 100644
--- a/pilot/docker/Dockerfile.pilot
+++ b/pilot/docker/Dockerfile.pilot
@@ -18,5 +18,5 @@ WORKDIR /
 FROM ${BASE_DISTRIBUTION}
 COPY pilot-discovery /usr/local/bin/
-COPY cacert.pem /cacert.pem
+
 ENTRYPOINT ["/usr/local/bin/pilot-discovery"]
diff --git a/pilot/pkg/model/jwks_resolver.go b/pilot/pkg/model/jwks_resolver.go
index 0de768b0f87..171d8567bb2 100644
--- a/pilot/pkg/model/jwks_resolver.go
+++ b/pilot/pkg/model/jwks_resolver.go
@@ -74,8 +74,6 @@ const (
 // as it's running separately from the main flow.
 networkFetchRetryCountOnRefreshFlow = 3
- // jwksPublicRootCABundlePath is the path of public root CA bundle in pilot container.
- jwksPublicRootCABundlePath = "/cacert.pem"
 // jwksExtraRootCABundlePath is the path to any additional CA certificates pilot should accept when resolving JWKS URIs
 jwksExtraRootCABundlePath = "/cacerts/extra.pem"
 )
@@ -146,7 +144,7 @@ func NewJwksResolver(evictionDuration, refreshInterval time.Duration) *JwksResol
 return newJwksResolverWithCABundlePaths(
 evictionDuration,
 refreshInterval,
- []string{jwksPublicRootCABundlePath, jwksExtraRootCABundlePath},
+ []string{jwksExtraRootCABundlePath},
 )
 }
@@ -164,8 +162,12 @@ func newJwksResolverWithCABundlePaths(evictionDuration, refreshInterval time.Dur
 },
 }
- caCertPool := x509.NewCertPool()
- caCertsFound := false
+ caCertPool, err := x509.SystemCertPool()
+ caCertsFound := true
+ if err != nil {
+ caCertsFound = false
+ log.Errorf("Failed to fetch Cert from SystemCertPool: %v", err)
+ }
 for _, pemFile := range caBundlePaths {
 caCert, err := ioutil.ReadFile(pemFile)
 if err == nil {
diff --git a/pkg/test/echo/client/client.go b/pkg/test/echo/client/client.go
index 44f3d42e0a8..95a463f0e70 100644
--- a/pkg/test/echo/client/client.go
+++ b/pkg/test/echo/client/client.go
@@ -50,8 +50,13 @@ func New(address string, tlsSettings *common.TLSSettings) (*Instance, error) {
 return nil, err
 }
- certPool := x509.NewCertPool()
- if !certPool.AppendCertsFromPEM([]byte(tlsSettings.RootCert)) {
+ var certPool *x509.CertPool
+ certPool, err = x509.SystemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to fetch Cert from SystemCertPool: %v", err)
+ }
+
+ if tlsSettings.RootCert != "" && !certPool.AppendCertsFromPEM([]byte(tlsSettings.RootCert)) {
 return nil, fmt.Errorf("failed to create cert pool")
 }
 cfg := credentials.NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: certPool})
diff --git a/pkg/test/echo/common/model.go b/pkg/test/echo/common/model.go
index 9ddc483b7f8..a42e75f8865 100644
--- a/pkg/test/echo/common/model.go
+++ b/pkg/test/echo/common/model.go
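Review bot: When `x509.SystemCertPool()` fails in newJwksResolverWithCABundlePaths, `caCertPool` stays nil and the loop over caBundlePaths still runs; if the loop body below this hunk appends to the pool, as the removed `x509.NewCertPool()` setup suggests, a readable `/cacerts/extra.pem` would hit a nil pool instead of being used as the fallback. Adding `caCertPool = x509.NewCertPool()` inside the `if err != nil` block keeps the extra bundle usable on that path. Separately, `caCertsFound` is now true whenever the call succeeds, even if the image ships no CA bundle and the returned pool is empty; since the Dockerfile.pilot hunk in this commit stops copying cacert.pem, the base image has to provide the roots, and a missing bundle would presumably surface only as certificate errors on JWKS fetches. The function body continues outside the hunk.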
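Review bot: In New (pkg/test/echo/client/client.go) the error `failed to create cert pool` is now returned only when `tlsSettings.RootCert` is non-empty and does not parse as PEM, so the message no longer names the actual failure; `fmt.Errorf("failed to append RootCert to system cert pool")` would point at the input that was rejected. The client also now trusts every system root in addition to the supplied RootCert, which is wider than the single test root it accepted before and is worth stating in a comment above the `x509.SystemCertPool()` call. New's body extends beyond the hunk on both sides.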
@@ -18,6 +18,7 @@ import "istio.io/istio/pkg/config/protocol"
 // TLSSettings defines TLS configuration for Echo server
 type TLSSettings struct {
+ // If not empty, RootCert supplies the extra root cert that will be appended to the system cert pool.
 RootCert string
 ClientCert string
 Key string
diff --git a/releasenotes/notes/27574.yaml b/releasenotes/notes/27574.yaml
new file mode 100644
index 00000000000..d64642fff82
--- /dev/null
+++ b/releasenotes/notes/27574.yaml
@@ -0,0 +1,9 @@
+apiVersion: release-notes/v2
+kind: feature
+area: security
+issue:
+- 27574
+
+releaseNotes:
+- |
+ **Fixed** an issue that Istiod's cacert.pem is under testdata directory
diff --git a/tests/integration/mixer/outboundtrafficpolicy/helper.go b/tests/integration/mixer/outboundtrafficpolicy/helper.go
index 58527ef93f4..9dc3166bbf8 100644
--- a/tests/integration/mixer/outboundtrafficpolicy/helper.go
+++ b/tests/integration/mixer/outboundtrafficpolicy/helper.go
@@ -366,7 +366,7 @@ func setupEcho(t *testing.T, ctx resource.Context, mode TrafficPolicy) (echo.Ins
 },
 TLSSettings: &common.TLSSettings{
 // Echo has these test certs baked into the docker image
- RootCert: mustReadCert(t, "cacert.pem"),
+ RootCert: "",
 ClientCert: mustReadCert(t, "cert.crt"),
 Key: mustReadCert(t, "cert.key"),
 },
diff --git a/tests/testdata/certs/cacert.pem b/tests/testdata/certs/cacert.pem
deleted file mode 100644
index 45654c0b9c4..00000000000
--- a/tests/testdata/certs/cacert.pem
+++ /dev/null
@@ -1,3338 +0,0 @@ -## -## Bundle of CA Root Certificates -## -## Certificate data from Mozilla as of: Wed Mar 7 04:12:06 2018 GMT -## -## This is a bundle of X.509 certificates of public Certificate Authorities -## (CA). These were automatically extracted from Mozilla's root certificates -## file (certdata.txt). This file can be found in the mozilla source tree: -## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt -## -## It contains the certificates in PEM format and therefore -## can be directly used with curl / libcurl / php_curl, or with -## an Apache+mod_ssl webserver for SSL client authentication. -## Just configure this file as the SSLCACertificateFile. -## -## Conversion done with mk-ca-bundle.pl version 1.27. -## SHA256: 704f02707ec6b4c4a7597a8c6039b020def11e64f3ef0605a9c3543d48038a57 -## - - -GlobalSign Root CA -================== ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx -GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds -b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV -BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD -VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa -DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc -THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb -Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP -c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX -gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF -AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj -Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG 
-j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH -hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC -X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== ------END CERTIFICATE----- - -GlobalSign Root CA - R2 -======================= ------BEGIN CERTIFICATE----- -MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4GA1UECxMXR2xv -YmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2Jh -bFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxT -aWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2ln -bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6 -ErPLv4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8eoLrvozp -s6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklqtTleiDTsvHgMCJiEbKjN -S7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzdC9XZzPnqJworc5HGnRusyMvo4KD0L5CL -TfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pazq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6C -ygPCm48CAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E -FgQUm+IHV2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9i -YWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjAN -BgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4GsJ0/WwbgcQ3izDJr86iw8bmEbTUsp -9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu -01yiPqFbQfXf5WRDLenVOavSot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG7 -9G+dwfCMNYxdAfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 -TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== ------END CERTIFICATE----- - -Verisign Class 3 Public Primary Certification Authority - G3 -============================================================ ------BEGIN CERTIFICATE----- -MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV -UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv 
-cmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl -IG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQsw -CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy -dXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhv -cml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkg -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAMu6nFL8eB8aHm8bN3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1 -EUGO+i2tKmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGukxUc -cLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBmCC+Vk7+qRy+oRpfw -EuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJXwzw3sJ2zq/3avL6QaaiMxTJ5Xpj -055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWuimi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA -ERSWwauSCPc/L8my/uRan2Te2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5f -j267Cz3qWhMeDGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC -/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565pF4ErWjfJXir0 -xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGtTxzhT5yvDwyd93gN2PQ1VoDa -t20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ== ------END CERTIFICATE----- - -Entrust.net Premium 2048 Secure Server CA -========================================= ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5u -ZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAuIGJ5IHJlZi4gKGxp -bWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNV -BAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQx -NzUwNTFaFw0yOTA3MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3 -d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl -MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5u 
-ZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEArU1LqRKGsuqjIAcVFmQqK0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOL -Gp18EzoOH1u3Hs/lJBQesYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSr -hRSGlVuXMlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVTXTzW -nLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/HoZdenoVve8AjhUi -VBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH4QIDAQABo0IwQDAOBgNVHQ8BAf8E -BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJ -KoZIhvcNAQEFBQADggEBADubj1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPy -T/4xmf3IDExoU8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf -zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5bu/8j72gZyxKT -J1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+bYQLCIt+jerXmCHG8+c8eS9e -nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE= ------END CERTIFICATE----- - -Baltimore CyberTrust Root -========================= ------BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJRTESMBAGA1UE -ChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3li -ZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoXDTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMC -SUUxEjAQBgNVBAoTCUJhbHRpbW9yZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFs -dGltb3JlIEN5YmVyVHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKME -uyKrmD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjrIZ3AQSsB -UnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeKmpYcqWe4PwzV9/lSEy/C -G9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSuXmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9 -XbIGevOF6uvUA65ehD5f/xXtabz5OTZydc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjpr -l3RjM71oGDHweI12v/yejl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoI -VDaGezq1BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB -BQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT929hkTI7gQCvlYpNRh 
-cL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3WgxjkzSswF07r51XgdIGn9w/xZchMB5 -hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsa -Y71k5h+3zvDyny67G7fyUIhzksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9H -RCwBXbsdtTLSR9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp ------END CERTIFICATE----- - -AddTrust External Root -====================== ------BEGIN CERTIFICATE----- -MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEUMBIGA1UEChML -QWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYD -VQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEw -NDgzOFowbzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRU -cnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0Eg -Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvtH7xsD821 -+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9uMq/NzgtHj6RQa1wVsfw -Tz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzXmk6vBbOmcZSccbNQYArHE504B4YCqOmo -aSYYkKtMsE8jqzpPhNjfzp/haW+710LXa0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy -2xSoRcRdKn23tNbE7qzNE0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv7 -7+ldU9U0WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYDVR0P -BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0Jvf6xCZU7wO94CTL -VBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRk -VHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENB -IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZl -j7DYd7usQWxHYINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 -6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvCNr4TDea9Y355 -e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEXc4g/VhsxOBi0cQ+azcgOno4u -G+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5amnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= ------END CERTIFICATE----- - -Entrust Root Certification Authority -==================================== ------BEGIN 
CERTIFICATE----- -MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNV -BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jw -b3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsG -A1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0 -MloXDTI2MTEyNzIwNTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu -MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVu -Y2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v -dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYsz -A9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOww -Cj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGIrb68 -j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi94DkZfs0Nw4pgHBN -rziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCBrTAOBgNVHQ8BAf8EBAMCAQYw -DwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1 -MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DH -hmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA -A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISM -Y/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTa -v52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTS -W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0 -tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8 ------END CERTIFICATE----- - -GeoTrust Global CA -================== ------BEGIN CERTIFICATE----- -MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQK -Ew1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMDIwNTIxMDQw -MDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5j 
-LjEbMBkGA1UEAxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjo -BbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet -8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+Vc -T4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagU -vTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTAD -AQH/MB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVk -DBF9qn1luMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57Q -zxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWVYrmm3ok9Nns4 -d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcFPseKUgzbFbS9bZvlxrFUaKnjaZC2 -mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6p -XE0zX5IJL4hmXXeXxx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm -Mw== ------END CERTIFICATE----- - -GeoTrust Universal CA -===================== ------BEGIN CERTIFICATE----- -MIIFaDCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN -R2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgVW5pdmVyc2FsIENBMB4XDTA0MDMwNDA1 -MDAwMFoXDTI5MDMwNDA1MDAwMFowRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IElu -Yy4xHjAcBgNVBAMTFUdlb1RydXN0IFVuaXZlcnNhbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP -ADCCAgoCggIBAKYVVaCjxuAfjJ0hUNfBvitbtaSeodlyWL0AG0y/YckUHUWCq8YdgNY96xCcOq9t -JPi8cQGeBvV8Xx7BDlXKg5pZMK4ZyzBIle0iN430SppyZj6tlcDgFgDgEB8rMQ7XlFTTQjOgNB0e -RXbdT8oYN+yFFXoZCPzVx5zw8qkuEKmS5j1YPakWaDwvdSEYfyh3peFhF7em6fgemdtzbvQKoiFs -7tqqhZJmr/Z6a4LauiIINQ/PQvE1+mrufislzDoR5G2vc7J2Ha3QsnhnGqQ5HFELZ1aD/ThdDc7d -8Lsrlh/eezJS/R27tQahsiFepdaVaH/wmZ7cRQg+59IJDTWU3YBOU5fXtQlEIGQWFwMCTFMNaN7V -qnJNk22CDtucvc+081xdVHppCZbW2xHBjXWotM85yM48vCR85mLK4b19p71XZQvk/iXttmkQ3Cga -Rr0BHdCXteGYO8A3ZNY9lO4L4fUorgtWv3GLIylBjobFS1J72HGrH4oVpjuDWtdYAVHGTEHZf9hB -Z3KiKN9gg6meyHv8U3NyWfWTehd2Ds735VzZC1U0oqpbtWpU5xPKV+yXbfReBi9Fi1jUIxaS5BZu 
-KGNZMN9QAZxjiRqf2xeUgnA3wySemkfWWspOqGmJch+RbNt+nhutxx9z3SxPGWX9f5NAEC7S8O08 -ni4oPmkmM8V7AgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNq7LqqwDLiIJlF0 -XG0D08DYj3rWMB8GA1UdIwQYMBaAFNq7LqqwDLiIJlF0XG0D08DYj3rWMA4GA1UdDwEB/wQEAwIB -hjANBgkqhkiG9w0BAQUFAAOCAgEAMXjmx7XfuJRAyXHEqDXsRh3ChfMoWIawC/yOsjmPRFWrZIRc -aanQmjg8+uUfNeVE44B5lGiku8SfPeE0zTBGi1QrlaXv9z+ZhP015s8xxtxqv6fXIwjhmF7DWgh2 -qaavdy+3YL1ERmrvl/9zlcGO6JP7/TG37FcREUWbMPEaiDnBTzynANXH/KttgCJwpQzgXQQpAvvL -oJHRfNbDflDVnVi+QTjruXU8FdmbyUqDWcDaU/0zuzYYm4UPFd3uLax2k7nZAY1IEKj79TiG8dsK -xr2EoyNB3tZ3b4XUhRxQ4K5RirqNPnbiucon8l+f725ZDQbYKxek0nxru18UGkiPGkzns0ccjkxF -KyDuSN/n3QmOGKjaQI2SJhFTYXNd673nxE0pN2HrrDktZy4W1vUAg4WhzH92xH3kt0tm7wNFYGm2 -DFKWkoRepqO1pD4r2czYG0eq8kTaT/kD6PAUyz/zg97QwVTjt+gKN02LIFkDMBmhLMi9ER/frslK -xfMnZmaGrGiR/9nmUxwPi1xpZQomyB40w11Re9epnAahNt3ViZS82eQtDF4JbAiXfKM9fJP/P6EU -p8+1Xevb2xzEdt+Iub1FBZUbrvxGakyvSOPOrg/SfuvmbJxPgWp6ZKy7PtXny3YuxadIwVyQD8vI -P/rmMuGNG2+k5o7Y+SlIis5z/iw= ------END CERTIFICATE----- - -GeoTrust Universal CA 2 -======================= ------BEGIN CERTIFICATE----- -MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN -R2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVyc2FsIENBIDIwHhcNMDQwMzA0 -MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3Qg -SW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUA -A4ICDwAwggIKAoICAQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0 -DE81WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUGFF+3Qs17 -j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdqXbboW0W63MOhBW9Wjo8Q -JqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxLse4YuU6W3Nx2/zu+z18DwPw76L5GG//a -QMJS9/7jOvdqdzXQ2o3rXhhqMcceujwbKNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2 -WP0+GfPtDCapkzj4T8FdIgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP -20gaXT73y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRthAAn 
-ZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgocQIgfksILAAX/8sgC -SqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4Lt1ZrtmhN79UNdxzMk+MBB4zsslG -8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2 -+/CfXGJx7Tz0RzgQKzAfBgNVHSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8E -BAMCAYYwDQYJKoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z -dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQL1EuxBRa3ugZ -4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgrFg5fNuH8KrUwJM/gYwx7WBr+ -mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSoag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpq -A1Ihn0CoZ1Dy81of398j9tx4TuaYT1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpg -Y+RdM4kX2TGq2tbzGDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiP -pm8m1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJVOCiNUW7d -FGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH6aLcr34YEoP9VhdBLtUp -gn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwXQMAJKOSLakhT2+zNVVXxxvjpoixMptEm -X36vWkzaH6byHCx+rgIW0lbQL1dTR+iS ------END CERTIFICATE----- - -Visa eCommerce Root -=================== ------BEGIN CERTIFICATE----- -MIIDojCCAoqgAwIBAgIQE4Y1TR0/BvLB+WUF1ZAcYjANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQG -EwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRlcm5hdGlvbmFsIFNlcnZpY2Ug -QXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNvbW1lcmNlIFJvb3QwHhcNMDIwNjI2MDIxODM2 -WhcNMjIwNjI0MDAxNjEyWjBrMQswCQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMm -VmlzYSBJbnRlcm5hdGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNv -bW1lcmNlIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvV95WHm6h2mCxlCfL -F9sHP4CFT8icttD0b0/Pmdjh28JIXDqsOTPHH2qLJj0rNfVIsZHBAk4ElpF7sDPwsRROEW+1QK8b -RaVK7362rPKgH1g/EkZgPI2h4H3PVz4zHvtH8aoVlwdVZqW1LS7YgFmypw23RuwhY/81q6UCzyr0 -TP579ZRdhE2o8mCP2w4lPJ9zcc+U30rq299yOIzzlr3xF7zSujtFWsan9sYXiwGd/BmoKoMWuDpI -/k4+oKsGGelT84ATB+0tvz8KPFUgOSwsAGl0lUq8ILKpeeUYiZGo3BxN77t+Nwtd/jmliFKMAGzs 
-GHxBvfaLdXe6YJ2E5/4tAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBQVOIMPPyw/cDMezUb+B4wg4NfDtzANBgkqhkiG9w0BAQUFAAOCAQEAX/FBfXxc -CLkr4NWSR/pnXKUTwwMhmytMiUbPWU3J/qVAtmPN3XEolWcRzCSs00Rsca4BIGsDoo8Ytyk6feUW -YFN4PMCvFYP3j1IzJL1kk5fui/fbGKhtcbP3LBfQdCVp9/5rPJS+TUtBjE7ic9DjkCJzQ83z7+pz -zkWKsKZJ/0x9nXGIxHYdkFsd7v3M9+79YKWxehZx0RbQfBI8bGmX265fOZpwLwU8GUYEmSA20GBu -YQa7FkKMcPcw++DbZqMAAb3mLNqRX6BGi01qnD093QVG/na/oAo85ADmJ7f/hC3euiInlhBx6yLt -398znM/jra6O1I7mT1GvFpLgXPYHDw== ------END CERTIFICATE----- - -Comodo AAA Services root -======================== ------BEGIN CERTIFICATE----- -MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEbMBkGA1UECAwS -R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0Eg -TGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAw -MFoXDTI4MTIzMTIzNTk1OVowezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hl -c3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNV -BAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQuaBtDFcCLNSS1UY8y2bmhG -C1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe3M/vg4aijJRPn2jymJBGhCfHdr/jzDUs -i14HZGWCwEiwqJH5YZ92IFCokcdmtet4YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszW -Y19zjNoFmag4qMsXeDZRrOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjH -Ypy+g8cmez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQUoBEK -Iz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wewYDVR0f -BHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNl -cy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2Vz -LmNybDANBgkqhkiG9w0BAQUFAAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm -7l3sAg9g1o1QGE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz -Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2G9w84FoVxp7Z 
-8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsil2D4kF501KKaU73yqWjgom7C -12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== ------END CERTIFICATE----- - -QuoVadis Root CA -================ ------BEGIN CERTIFICATE----- -MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJCTTEZMBcGA1UE -ChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 -eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAz -MTkxODMzMzNaFw0yMTAzMTcxODMzMzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRp -cyBMaW1pdGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQD -EyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Ypli4kVEAkOPcahdxYTMuk -J0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2DrOpm2RgbaIr1VxqYuvXtdj182d6UajtL -F8HVj71lODqV0D1VNk7feVcxKh7YWWVJWCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeL -YzcS19Dsw3sgQUSj7cugF+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWen -AScOospUxbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCCAk4w -PQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVvdmFkaXNvZmZzaG9y -ZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREwggENMIIBCQYJKwYBBAG+WAABMIH7 -MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNlIG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmlj -YXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJs -ZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh -Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYIKwYBBQUHAgEW -Fmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3TKbkGGew5Oanwl4Rqy+/fMIGu -BgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rqy+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkw -FwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5MS4wLAYDVQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6 -tlCLMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSkfnIYj9lo 
-fFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf87C9TqnN7Az10buYWnuul -LsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1RcHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2x -gI4JVrmcGmD+XcHXetwReNDWXcG31a0ymQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi -5upZIof4l/UO/erMkqQWxFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi -5nrQNiOKSnQ2+Q== ------END CERTIFICATE----- - -QuoVadis Root CA 2 -================== ------BEGIN CERTIFICATE----- -MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoT -EFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0wNjExMjQx -ODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM -aW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQCaGMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6 -XJxgFyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55JWpzmM+Yk -lvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bBrrcCaoF6qUWD4gXmuVbB -lDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp+ARz8un+XJiM9XOva7R+zdRcAitMOeGy -lZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt -66/3FsvbzSUr5R/7mp/iUcw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1Jdxn -wQ5hYIizPtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og/zOh -D7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UHoycR7hYQe7xFSkyy -BNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuIyV77zGHcizN300QyNQliBJIWENie -J0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1Ud -DgQWBBQahGK8SEwzJQTU7tD2A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGU -a6FJpEcwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT -ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2fBluornFdLwUv -Z+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzng/iN/Ae42l9NLmeyhP3ZRPx3 -UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2BlfF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodm -VjB3pjd4M1IQWK4/YY7yarHvGH5KWWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK 
-+JDSV6IZUaUtl0HaB0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrW -IozchLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPRTUIZ3Ph1 -WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWDmbA4CD/pXvk1B+TJYm5X -f6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0ZohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II -4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8 -VCLAAVBpQ570su9t+Oza8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u ------END CERTIFICATE----- - -QuoVadis Root CA 3 -================== ------BEGIN CERTIFICATE----- -MIIGnTCCBIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoT -EFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMzAeFw0wNjExMjQx -OTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM -aW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQDMV0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0CSzGrvI2RaNgg -DhoB4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2/7FWeUUrH556VOij -KTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd8lyyBTNvijbO0BNO/79K -DDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9CabwvvWhDFlaJKjdhkf2mrk7AyxRllDdLkgbv -BNDInIjbC3uBr7E9KsRlOni27tyAsdLTmZw67mtaa7ONt9XOnMK+pUsvFrGeaDsGb659n/je7Mwp -p5ijJUMv7/FfJuGITfhebtfZFG4ZM2mnO4SJk8RTVROhUXhA+LjJou57ulJCg54U7QVSWllWp5f8 -nT8KKdjcT5EOE7zelaTfi5m+rJsziO+1ga8bxiJTyPbH7pcUsMV8eFLI8M5ud2CEpukqdiDtWAEX -MJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgic6aIDFUhWMXhOp8q3crhkODZc6tsgLjoC2SToJyM -Gf+z0gzskSaHirOi4XCPLArlzW1oUevaPwV/izLmE1xr/l9A4iLItLRkT9a6fUg+qGkM17uGcclz -uD87nSVL2v9A6wIDAQABo4IBlTCCAZEwDwYDVR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHT -BgkrBgEEAb5YAAMwgcUwgZMGCCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmlj -YXRlIGNvbnN0aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0 -aWZpY2F0ZSBQb2xpY3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudC4wLQYIKwYB -BQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2NwczALBgNVHQ8EBAMCAQYwHQYD 
-VR0OBBYEFPLAE+CCQz777i9nMpY1XNu4ywLQMG4GA1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4 -ywLQoUmkRzBFMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UE -AxMSUXVvVmFkaXMgUm9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv92ZV -qyM07ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSemd1o417+s -hvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd+LJ2w/w4E6oM3kJpK27z -POuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B4f/xI4hROJ/yZlZ25w9Rl6VSDE1JUZU2 -Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadNt54CrnMAyNojA+j56hl0YgCUyyIgvpSnWbWCar6ZeXqp -8kokUvd0/bpO5qgdAm6xDYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8nby1dqnuH/grdS/yO9SbkbnBC -bjPsMZ57k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs9ZgC06DYVYoGmRmioHfRMJ6szHXu -g/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgWQgRecCocIdiP4b0jWy10QJLZYxkNc91p -vGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeTmJlglFwjz1onl14LBQaTNx47aTbr -qZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK4SVhM7JZG+Ju1zdXtg2pEto= ------END CERTIFICATE----- - -Security Communication Root CA -============================== ------BEGIN CERTIFICATE----- -MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMP -U0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEw -HhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMP -U0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw -8yl89f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJDKaVv0uM -DPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9Ms+k2Y7CI9eNqPPYJayX -5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/NQV3Is00qVUarH9oe4kA92819uZKAnDfd -DJZkndwi92SL32HeFZRSFaB9UslLqCHJxrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2 -JChzAgMBAAGjPzA9MB0GA1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYw -DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vGkl3g -0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfrUj94nK9NrvjVT8+a 
-mCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5Bw+SUEmK3TGXX8npN6o7WWWXlDLJ -s58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJUJRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ -6rBK+1YWc26sTfcioU+tHXotRSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAi -FL39vmwLAw== ------END CERTIFICATE----- - -Sonera Class 2 Root CA -====================== ------BEGIN CERTIFICATE----- -MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEPMA0GA1UEChMG -U29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAxMDQwNjA3Mjk0MFoXDTIxMDQw -NjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNVBAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJh -IENsYXNzMiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3 -/Ei9vX+ALTU74W+oZ6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybT -dXnt5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s3TmVToMG -f+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2EjvOr7nQKV0ba5cTppCD8P -tOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu8nYybieDwnPz3BjotJPqdURrBGAgcVeH -nfO+oJAjPYok4doh28MCAwEAAaMzMDEwDwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITT -XjwwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt -0jSv9zilzqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/3DEI -cbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvDFNr450kkkdAdavph -Oe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6Tk6ezAyNlNzZRZxe7EJQY670XcSx -EtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLH -llpwrN9M ------END CERTIFICATE----- - -XRamp Global CA Root -==================== ------BEGIN CERTIFICATE----- -MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UE -BhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2Vj -dXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwHhcNMDQxMTAxMTcxNDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMx -HjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkg 
-U2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS638eMpSe2OAtp87ZOqCwu -IR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCPKZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMx -foArtYzAQDsRhtDLooY2YKTVMIJt2W7QDxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FE -zG+gSqmUsE3a56k0enI4qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqs -AxcZZPRaJSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNViPvry -xS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud -EwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASsjVy16bYbMDYGA1UdHwQvMC0wK6Ap -oCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMC -AQEwDQYJKoZIhvcNAQEFBQADggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc -/Kh4ZzXxHfARvbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt -qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLaIR9NmXmd4c8n -nxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSyi6mx5O+aGtA9aZnuqCij4Tyz -8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQO+7ETPTsJ3xCwnR8gooJybQDJbw= ------END CERTIFICATE----- - -Go Daddy Class 2 CA -=================== ------BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMY -VGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRp -ZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkG -A1UEBhMCVVMxITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g -RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQAD -ggENADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCAPVYYYwhv -2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6wwdhFJ2+qN1j3hybX2C32 -qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXiEqITLdiOr18SPaAIBQi2XKVlOARFmR6j -YGB0xUGlcmIbYsUfb18aQr4CUWWoriMYavx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmY -vLEHZ6IVDd2gWMZEewo+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0O 
-BBYEFNLEsNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h/t2o -atTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMu -MTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwG -A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wim -PQoZ+YeAEW5p5JYXMP80kWNyOO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKt -I3lpjbi2Tc7PTMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ -HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VI -Ls9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/b -vZ8= ------END CERTIFICATE----- - -Starfield Class 2 CA -==================== ------BEGIN CERTIFICATE----- -MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMc -U3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIg -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBo -MQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAG -A1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqG -SIb3DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf8MOh2tTY -bitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZ -JRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVm -epsZGD3/cVE8MC5fvj13c7JdBmzDI1aaK4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSN -F4Azbl5KXZnJHoe0nRrA1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HF -MIHCMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fRzt0f -hvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNo -bm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24g -QXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGs -afPzWdqbAYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLM -PUxA2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl 
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynpVSJYACPq4xJD -KVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEYWQPJIrSPnNVeKtelttQKbfi3 -QBFGmh95DmK/D5fs4C8fF5Q= ------END CERTIFICATE----- - -Taiwan GRCA -=========== ------BEGIN CERTIFICATE----- -MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQG -EwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4X -DTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1owPzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dv -dmVybm1lbnQgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQAD -ggIPADCCAgoCggIBAJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qN -w8XRIePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1qgQdW8or5 -BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKyyhwOeYHWtXBiCAEuTk8O -1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAtsF/tnyMKtsc2AtJfcdgEWFelq16TheEfO -htX7MfP6Mb40qij7cEwdScevLJ1tZqa2jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wov -J5pGfaENda1UhhXcSTvxls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7 -Q3hub/FCVGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHKYS1t -B6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoHEgKXTiCQ8P8NHuJB -O9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThNXo+EHWbNxWCWtFJaBYmOlXqYwZE8 -lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1UdDgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNV -HRMEBTADAQH/MDkGBGcqBwAEMTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg2 -09yewDL7MTqKUWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ -TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyfqzvS/3WXy6Tj -Zwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaKZEk9GhiHkASfQlK3T8v+R0F2 -Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFEJPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlU -D7gsL0u8qV1bYH+Mh6XgUmMqvtg7hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6Qz -DxARvBMB1uUO07+1EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+Hbk -Z6MmnD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WXudpVBrkk 
-7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44VbnzssQwmSNOXfJIoRIM3BKQ -CZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDeLMDDav7v3Aun+kbfYNucpllQdSNpc5Oy -+fwC00fmcc4QAu4njIT/rEUNE1yDMuAlpYYsfPQS ------END CERTIFICATE----- - -DigiCert Assured ID Root CA -=========================== ------BEGIN CERTIFICATE----- -MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQG -EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQw -IgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzEx -MTEwMDAwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQL -ExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0Ew -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7cJpSIqvTO -9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYPmDI2dsze3Tyoou9q+yHy -UmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW -/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpy -oeb6pNnVFzF1roV9Iq4/AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whf -GHdPAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRF -66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq -hkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRCdWKuh+vy1dneVrOfzM4UKLkNl2Bc -EkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTffwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38Fn -SbNd67IJKusm7Xi+fT8r87cmNW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i -8b5QZ7dsvfPxH2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe -+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g== ------END CERTIFICATE----- - -DigiCert Global Root CA -======================= ------BEGIN CERTIFICATE----- -MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQG -EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw -HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAw 
-MDAwMDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 -dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsBCSDMAZOn -TjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97nh6Vfe63SKMI2tavegw5 -BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt43C/dxC//AH2hdmoRBBYMql1GNXRor5H -4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7PT19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y -7vrTC0LUq7dBMtoM1O/4gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQAB -o2MwYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbRTLtm -8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDQYJKoZIhvcNAQEF -BQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/EsrhMAtudXH/vTBH1jLuG2cenTnmCmr -EbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIt -tep3Sp+dWOIrWcBAI+0tKIJFPnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886 -UAb3LujEV0lsYSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk -CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= ------END CERTIFICATE----- - -DigiCert High Assurance EV Root CA -================================== ------BEGIN CERTIFICATE----- -MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQG -EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSsw -KQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAw -MFoXDTMxMTExMDAwMDAwMFowbDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ -MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFu -Y2UgRVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm+9S75S0t -Mqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTWPNt0OKRKzE0lgvdKpVMS -OO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEMxChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3 -MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFBIk5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQ -NAQTXKFx01p8VdteZOE3hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUe 
-h10aUAsgEsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB -Af8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSY -JhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3NecnzyIZgYIVyHbIUf4KmeqvxgydkAQ -V8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6zeM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFp -myPInngiK3BD41VHMWEZ71jFhS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkK -mNEVX58Svnw2Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe -vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K ------END CERTIFICATE----- - -Certplus Class 2 Primary CA -=========================== ------BEGIN CERTIFICATE----- -MIIDkjCCAnqgAwIBAgIRAIW9S/PY2uNp9pTXX8OlRCMwDQYJKoZIhvcNAQEFBQAwPTELMAkGA1UE -BhMCRlIxETAPBgNVBAoTCENlcnRwbHVzMRswGQYDVQQDExJDbGFzcyAyIFByaW1hcnkgQ0EwHhcN -OTkwNzA3MTcwNTAwWhcNMTkwNzA2MjM1OTU5WjA9MQswCQYDVQQGEwJGUjERMA8GA1UEChMIQ2Vy -dHBsdXMxGzAZBgNVBAMTEkNsYXNzIDIgUHJpbWFyeSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBANxQltAS+DXSCHh6tlJw/W/uz7kRy1134ezpfgSN1sxvc0NXYKwzCkTsA18cgCSR -5aiRVhKC9+Ar9NuuYS6JEI1rbLqzAr3VNsVINyPi8Fo3UjMXEuLRYE2+L0ER4/YXJQyLkcAbmXuZ -Vg2v7tK8R1fjeUl7NIknJITesezpWE7+Tt9avkGtrAjFGA7v0lPubNCdEgETjdyAYveVqUSISnFO -YFWe2yMZeVYHDD9jC1yw4r5+FfyUM1hBOHTE4Y+L3yasH7WLO7dDWWuwJKZtkIvEcupdM5i3y95e -e++U8Rs+yskhwcWYAqqi9lt3m/V+llU0HGdpwPFC40es/CgcZlUCAwEAAaOBjDCBiTAPBgNVHRME -CDAGAQH/AgEKMAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU43Mt38sOKAze3bOkynm4jrvoMIkwEQYJ -YIZIAYb4QgEBBAQDAgEGMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly93d3cuY2VydHBsdXMuY29t -L0NSTC9jbGFzczIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCnVM+IRBnL39R/AN9WM2K191EBkOvD -P9GIROkkXe/nFL0gt5o8AP5tn9uQ3Nf0YtaLcF3n5QRIqWh8yfFC82x/xXp8HVGIutIKPidd3i1R -TtMTZGnkLuPT55sJmabglZvOGtd/vjzOUrMRFcEPF80Du5wlFbqidon8BvEY0JNLDnyCt6X09l/+ -7UCmnYR0ObncHoUW2ikbhiMAybuJfm6AiB4vFLQDJKgybwOaRywwvlbGp0ICcBvqQNi6BQNwB6SW -//1IMwrh3KWBkJtN3X3n57LNXMhqlfil9o3EXXgIvnsG1knPGTZQIy4I5p4FTUcY1Rbpsda2ENW7 -l7+ijrRU ------END CERTIFICATE----- - -DST Root CA X3 -============== ------BEGIN 
CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQK -ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X -DTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1 -cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmT -rE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9 -UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRy -xXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40d -utolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0T -AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQ -MA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikug -dB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjE -GB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bw -RLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubS -fZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ ------END CERTIFICATE----- - -SwissSign Gold CA - G2 -====================== ------BEGIN CERTIFICATE----- -MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNIMRUw -EwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2lnbiBHb2xkIENBIC0gRzIwHhcN -MDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBFMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dp -c3NTaWduIEFHMR8wHQYDVQQDExZTd2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0B -AQEFAAOCAg8AMIICCgKCAgEAr+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUq -t2/876LQwB8CJEoTlo8jE+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+bbqBHH5C -jCA12UNNhPqE21Is8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c6bM8K8vzARO/Ws/BtQpg -vd21mWRTuKCWs2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqEemA8atufK+ze3gE/bk3lUIbLtK/tREDF -ylqM2tIrfKjuvqblCqoOpd8FUrdVxyJdMmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvR 
-AiTysybUa9oEVeXBCsdtMDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuend -jIj3o02yMszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69yFGkO -peUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPiaG59je883WX0XaxR -7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxMgI93e2CaHt+28kgeDrpOVG2Y4OGi -GqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw -AwEB/zAdBgNVHQ4EFgQUWyV7lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0jBBgwFoAUWyV7lqRlUX64 -OfPAeGZe6Drn8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAsBggrBgEFBQcCARYgaHR0cDov -L3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBACe645R88a7A3hfm -5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5+OlgzczOUYrHUDFu4Up+GC9pWbY9ZIEr -44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOf -Mke6UiI0HTJ6CVanfCU2qT1L2sCCbwq7EsiHSycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6m -Gu6uLftIdxf+u+yvGPUqUfA5hJeVbG4bwyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxp -mo/a77KwPJ+HbBIrZXAVUjEaJM9vMSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCChdiDyyJk -vC24JdVUorgG6q2SpCSgwYa1ShNqR88uC1aVVMvOmttqtKay20EIhid392qgQmwLOM7XdVAyksLf -KzAiSNDVQTglXaTpXZ/GlHXQRf0wl0OPkKsKx4ZzYEppLd6leNcG2mqeSz53OiATIgHQv2ieY2Br -NU0LbbqhPcCT4H8js1WtciVORvnSFu+wZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6Lqj -viOvrv1vA+ACOzB2+httQc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ ------END CERTIFICATE----- - -SwissSign Silver CA - G2 -======================== ------BEGIN CERTIFICATE----- -MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCQ0gxFTAT -BgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMB4X -DTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0NlowRzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3 -aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG -9w0BAQEFAAOCAg8AMIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644 -N0MvFz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7brYT7QbNHm -+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieFnbAVlDLaYQ1HTWBCrpJH 
-6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH6ATK72oxh9TAtvmUcXtnZLi2kUpCe2Uu -MGoM9ZDulebyzYLs2aFK7PayS+VFheZteJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5h -qAaEuSh6XzjZG6k4sIN/c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5 -FZGkECwJMoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRHHTBs -ROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTfjNFusB3hB48IHpmc -celM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb65i/4z3GcRm25xBWNOHkDRUjvxF3X -CO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ -BAUwAwEB/zAdBgNVHQ4EFgQUF6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRB -tjpbO8tFnb0cwpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 -cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBAHPGgeAn0i0P -4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShpWJHckRE1qTodvBqlYJ7YH39F -kWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L -3XWgwF15kIwb4FDm3jH+mHtwX6WQ2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx -/uNncqCxv1yL5PqZIseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFa -DGi8aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2Xem1ZqSqP -e97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQRdAtq/gsD/KNVV4n+Ssuu -WxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJ -DIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ub -DgEj8Z+7fNzcbBGXJbLytGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u ------END CERTIFICATE----- - -GeoTrust Primary Certification Authority -======================================== ------BEGIN CERTIFICATE----- -MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQG -EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMoR2VvVHJ1c3QgUHJpbWFyeSBD -ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgx -CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQ 
-cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9AWbK7hWN -b6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjAZIVcFU2Ix7e64HXprQU9 -nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE07e9GceBrAqg1cmuXm2bgyxx5X9gaBGge -RwLmnWDiNpcB3841kt++Z8dtd1k7j53WkBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGt -tm/81w7a4DSwDRp35+MImO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJKoZI -hvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ16CePbJC/kRYkRj5K -Ts4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl4b7UVXGYNTq+k+qurUKykG/g/CFN -NWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6KoKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHa -Floxt/m0cYASSJlyc1pZU8FjUjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG -1riR/aYNKxoUAT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk= ------END CERTIFICATE----- - -thawte Primary Root CA -====================== ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UE -BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2 -aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhv -cml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3 -MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwg -SW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMv -KGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMT -FnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCs -oPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ -1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGc -q/gcfomk6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/K -aAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR32HuHUETVPm4p 
-afs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD -VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUF -AAOCAQEAeRHAS7ORtvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE -uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX -xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2/qxAeeWsEG89 -jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVH -z7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA== ------END CERTIFICATE----- - -VeriSign Class 3 Public Primary Certification Authority - G5 -============================================================ ------BEGIN CERTIFICATE----- -MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE -BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO -ZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk -IHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRp -ZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCB -yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln -biBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBh -dXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmlt -YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKz -j/i5Vbext0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhD -Y2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/ -Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNHiDxpg8v+R70r -fk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/ -BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2Uv -Z2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy 
-aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqG -SIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzEp6B4Eq1iDkVwZMXnl2YtmAl+ -X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKE -KQsTb47bDN0lAtukixlE0kF6BWlKWE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiC -Km0oHw0LxOXnGiYZ4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vE -ZV8NhnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq ------END CERTIFICATE----- - -SecureTrust CA -============== ------BEGIN CERTIFICATE----- -MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQG -EwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xFzAVBgNVBAMTDlNlY3VyZVRy -dXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIzMTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAe -BgNVBAoTF1NlY3VyZVRydXN0IENvcnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQX -OZEzZum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO0gMdA+9t -DWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIaowW8xQmxSPmjL8xk037uH -GFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b -01k/unK8RCSc43Oz969XL0Imnal0ugBS8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmH -ursCAwEAAaOBnTCBmjATBgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/ -BAUwAwEB/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCegJYYj -aHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJ -KoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt36Z3q059c4EVlew3KW+JwULKUBRSu -SceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHf -mbx8IVQr5Fiiu1cprp6poxkmD5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZ -nMUFdAvnZyPSCPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR -3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE= ------END CERTIFICATE----- - -Secure Global CA -================ ------BEGIN CERTIFICATE----- 
-MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQG -EwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBH -bG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkxMjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEg -MB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwg -Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jx -YDiJiQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa/FHtaMbQ -bqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJjnIFHovdRIWCQtBJwB1g -8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnIHmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYV -HDGA76oYa8J719rO+TMg1fW9ajMtgQT7sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi -0XPnj3pDAgMBAAGjgZ0wgZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud -EwEB/wQFMAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCswKaAn -oCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEA -MA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0LURYD7xh8yOOvaliTFGCRsoTciE6+ -OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXOH0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cn -CDpOGR86p1hcF895P4vkp9MmI50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/5 -3CYNv6ZHdAbYiNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc -f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW ------END CERTIFICATE----- - -COMODO Certification Authority -============================== ------BEGIN CERTIFICATE----- -MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UE -BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG -A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNVBAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1 -dGhvcml0eTAeFw0wNjEyMDEwMDAwMDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEb -MBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFD -T01PRE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3UcEbVASY06m/weaKXTuH 
-+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI2GqGd0S7WWaXUF601CxwRM/aN5VCaTww -xHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV -4EajcNxo2f8ESIl33rXp+2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA -1KGzqSX+DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5OnKVI -rLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW/zAOBgNVHQ8BAf8E -BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmNvbW9k -b2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOC -AQEAPpiem/Yb6dc5t3iuHXIYSdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CP -OGEIqB6BCsAvIC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/ -RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmc -IGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5ddBA6+C4OmF4O5MBKgxTMVBbkN -+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IBZQ== ------END CERTIFICATE----- - -Network Solutions Certificate Authority -======================================= ------BEGIN CERTIFICATE----- -MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQG -EwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3Jr -IFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMx -MjM1OTU5WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu -MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwzc7MEL7xx -jOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPPOCwGJgl6cvf6UDL4wpPT -aaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rlmGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXT -crA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc -/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMB -AAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIBBjAP -BgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwubmV0c29sc3NsLmNv 
-bS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUA -A4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc86fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q -4LqILPxFzBiwmZVRDuwduIj/h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/ -GGUsyfJj4akH/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv -wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxD -ydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey ------END CERTIFICATE----- - -COMODO ECC Certification Authority -================================== ------BEGIN CERTIFICATE----- -MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UEBhMC -R0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UE -ChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwHhcNMDgwMzA2MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0Ix -GzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR -Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRo -b3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSRFtSrYpn1PlILBs5BAH+X -4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0JcfRK9ChQtP6IHG4/bC8vCVlbpVsLM5ni -wz2J+Wos77LTBumjQjBAMB0GA1UdDgQWBBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8E -BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VG -FAkK+qDmfQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdvGDeA -U/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY= ------END CERTIFICATE----- - -OISTE WISeKey Global Root GA CA -=============================== ------BEGIN CERTIFICATE----- -MIID8TCCAtmgAwIBAgIQQT1yx/RrH4FDffHSKFTfmjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UE -BhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxGzAZBgNVBAsTEkNvcHlyaWdodCAoYykgMjAwNTEiMCAG -A1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBH -bG9iYWwgUm9vdCBHQSBDQTAeFw0wNTEyMTExNjAzNDRaFw0zNzEyMTExNjA5NTFaMIGKMQswCQYD -VQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEbMBkGA1UECxMSQ29weXJpZ2h0IChjKSAyMDA1MSIw 
-IAYDVQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5 -IEdsb2JhbCBSb290IEdBIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy0+zAJs9 -Nt350UlqaxBJH+zYK7LG+DKBKUOVTJoZIyEVRd7jyBxRVVuuk+g3/ytr6dTqvirdqFEr12bDYVxg -Asj1znJ7O7jyTmUIms2kahnBAbtzptf2w93NvKSLtZlhuAGio9RN1AU9ka34tAhxZK9w8RxrfvbD -d50kc3vkDIzh2TbhmYsFmQvtRTEJysIA2/dyoJaqlYfQjse2YXMNdmaM3Bu0Y6Kff5MTMPGhJ9vZ -/yxViJGg4E8HsChWjBgbl0SOid3gF27nKu+POQoxhILYQBRJLnpB5Kf+42TMwVlxSywhp1t94B3R -LoGbw9ho972WG6xwsRYUC9tguSYBBQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw -AwEB/zAdBgNVHQ4EFgQUswN+rja8sHnR3JQmthG+IbJphpQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJ -KoZIhvcNAQEFBQADggEBAEuh/wuHbrP5wUOxSPMowB0uyQlB+pQAHKSkq0lPjz0e701vvbyk9vIm -MMkQyh2I+3QZH4VFvbBsUfk2ftv1TDI6QU9bR8/oCy22xBmddMVHxjtqD6wU2zz0c5ypBd8A3HR4 -+vg1YFkCExh8vPtNsCBtQ7tgMHpnM1zFmdH4LTlSc/uMqpclXHLZCB6rTjzjgTGfA6b7wP4piFXa -hNVQA7bihKOmNqoROgHhGEvWRGizPflTdISzRpFGlgC3gCy24eMQ4tui5yiPAZZiFj4A4xylNoEY -okxSdsARo27mHbrjWr42U8U+dY+GaSlYU7Wcu2+fXMUY7N0v4ZjJ/L7fCg0= ------END CERTIFICATE----- - -Certigna -======== ------BEGIN CERTIFICATE----- -MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNVBAYTAkZSMRIw -EAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4XDTA3MDYyOTE1MTMwNVoXDTI3 -MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczERMA8GA1UEAwwI -Q2VydGlnbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIaPHJ1tazNHUmgh7stL7q -XOEm7RFHYeGifBZ4QCHkYJ5ayGPhxLGWkv8YbWkj4Sti993iNi+RB7lIzw7sebYs5zRLcAglozyH -GxnygQcPOJAZ0xH+hrTy0V4eHpbNgGzOOzGTtvKg0KmVEn2lmsxryIRWijOp5yIVUxbwzBfsV1/p -ogqYCd7jX5xv3EjjhQsVWqa6n6xI4wmy9/Qy3l40vhx4XUJbzg4ij02Q130yGLMLLGq/jj8UEYkg -DncUtT2UCIf3JR7VsmAA7G8qKCVuKj4YYxclPz5EIBb2JsglrgVKtOdjLPOMFlN+XPsRGgjBRmKf -Irjxwo1p3Po6WAbfAgMBAAGjgbwwgbkwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGu3+QTmQ -tCRZvgHyUtVF9lo53BEwZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF9lo53BGhOKQ2MDQxCzAJ -BgNVBAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hggkA/tzjAQ/J 
-SP8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQUFAAOCAQEA -hQMeknH2Qq/ho2Ge6/PAD/Kl1NqV5ta+aDY9fm4fTIrv0Q8hbV6lUmPOEvjvKtpv6zf+EwLHyzs+ -ImvaYS5/1HI93TDhHkxAGYwP15zRgzB7mFncfca5DClMoTOi62c6ZYTTluLtdkVwj7Ur3vkj1klu -PBS1xp81HlDQwY9qcEQCYsuuHWhBp6pX6FOqB9IG9tUUBguRA3UsbHK1YZWaDYu5Def131TN3ubY -1gkIl2PlwS6wt0QmwCbAr1UwnjvVNioZBPRcHv/PLLf/0P2HQBHVESO7SMAhqaQoLf0V+LBOK/Qw -WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg== ------END CERTIFICATE----- - -Deutsche Telekom Root CA 2 -========================== ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMT -RGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEG -A1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5 -MjM1OTAwWjBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0G -A1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBS -b290IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEUha88EOQ5 -bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhCQN/Po7qCWWqSG6wcmtoI -KyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1MjwrrFDa1sPeg5TKqAyZMg4ISFZbavva4VhY -AUlfckE8FQYBjl2tqriTtM2e66foai1SNNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aK -Se5TBY8ZTNXeWHmb0mocQqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTV -jlsB9WoHtxa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAPBgNV -HRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAlGRZrTlk5ynr -E/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756AbrsptJh6sTtU6zkXR34ajgv8HzFZMQSy -zhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpaIzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8 -rZ7/gFnkm0W09juwzTkZmDLl6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4G -dyd1Lx+4ivn+xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU -Cm26OWMohpLzGITY+9HPBVZkVw== ------END CERTIFICATE----- - -Cybertrust Global Root -====================== ------BEGIN CERTIFICATE----- 
-MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYGA1UEChMPQ3li -ZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBSb290MB4XDTA2MTIxNTA4 -MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQD -ExZDeWJlcnRydXN0IEdsb2JhbCBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -+Mi8vRRQZhP/8NN57CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW -0ozSJ8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2yHLtgwEZL -AfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iPt3sMpTjr3kfb1V05/Iin -89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNzFtApD0mpSPCzqrdsxacwOUBdrsTiXSZT -8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAYXSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAP -BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2 -MDSgMqAwhi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3JsMB8G -A1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUAA4IBAQBW7wojoFRO -lZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMjWqd8BfP9IjsO0QbE2zZMcwSO5bAi -5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUxXOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2 -hO0j9n0Hq0V+09+zv+mKts2oomcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+T -X3EJIrduPuocA06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW -WL1WMRJOEcgh4LMRkWXbtKaIOM5V ------END CERTIFICATE----- - -ePKI Root Certification Authority -================================= ------BEGIN CERTIFICATE----- -MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQG -EwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0ZC4xKjAoBgNVBAsMIWVQS0kg -Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMx -MjdaMF4xCzAJBgNVBAYTAlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEq -MCgGA1UECwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0B -AQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAHSyZbCUNs -IZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAhijHyl3SJCRImHJ7K2RKi 
-lTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3XDZoTM1PRYfl61dd4s5oz9wCGzh1NlDiv -qOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX -12ruOzjjK9SXDrkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0O -WQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uUWH1+ -ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLSnT0IFaUQAS2zMnao -lQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/ -vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXi -Zo1jDiVN1Rmy5nk3pyKdVDECAwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/Qkqi -MAwGA1UdEwQFMAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH -ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGBuvl2ICO1J2B0 -1GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6YlPwZpVnPDimZI+ymBV3QGypzq -KOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkPJXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdV -xrsStZf0X4OFunHB2WyBEXYKCrC/gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEP -NXubrjlpC2JgQCA2j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+r -GNm65ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUBo2M3IUxE -xJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS/jQ6fbjpKdx2qcgw+BRx -gMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2zGp1iro2C6pSe3VkQw63d4k3jMdXH7Ojy -sP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTEW9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmOD -BCEIZ43ygknQW/2xzQ+DhNQ+IIX3Sj0rnP0qCglN6oH4EZw= ------END CERTIFICATE----- - -certSIGN ROOT CA -================ ------BEGIN CERTIFICATE----- -MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYTAlJPMREwDwYD -VQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBDQTAeFw0wNjA3MDQxNzIwMDRa -Fw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UE -CxMQY2VydFNJR04gUk9PVCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALczuX7I -JUqOtdu0KBuqV5Do0SLTZLrTk+jUrIZhQGpgV2hUhE28alQCBf/fm5oqrl0Hj0rDKH/v+yv6efHH 
-rfAQUySQi2bJqIirr1qjAOm+ukbuW3N7LBeCgV5iLKECZbO9xSsAfsT8AzNXDe3i+s5dRdY4zTW2 -ssHQnIFKquSyAVwdj1+ZxLGt24gh65AIgoDzMKND5pCCrlUoSe1b16kQOA7+j0xbm0bqQfWwCHTD -0IgztnzXdN/chNFDDnU5oSVAKOp4yw4sLjmdjItuFhwvJoIQ4uNllAoEwF73XVv4EOLQunpL+943 -AAAaWyjj0pxzPjKHmKHJUS/X3qwzs08CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B -Af8EBAMCAcYwHQYDVR0OBBYEFOCMm9slSbPxfIbWskKHC9BroNnkMA0GCSqGSIb3DQEBBQUAA4IB -AQA+0hyJLjX8+HXd5n9liPRyTMks1zJO890ZeUe9jjtbkw9QSSQTaxQGcu8J06Gh40CEyecYMnQ8 -SG4Pn0vU9x7Tk4ZkVJdjclDVVc/6IJMCopvDI5NOFlV2oHB5bc0hH88vLbwZ44gx+FkagQnIl6Z0 -x2DEW8xXjrJ1/RsCCdtZb3KTafcxQdaIOL+Hsr0Wefmq5L6IJd1hJyMctTEHBDa0GpC9oHRxUIlt -vBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNwi/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7Nz -TogVZ96edhBiIL5VaZVDADlN9u6wWk5JRFRYX0KD ------END CERTIFICATE----- - -GeoTrust Primary Certification Authority - G3 -============================================= ------BEGIN CERTIFICATE----- -MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UE -BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA4IEdlb1RydXN0 -IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFy -eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIz -NTk1OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAo -YykgMjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMT -LUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBANziXmJYHTNXOTIz+uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5j -K/BGvESyiaHAKAxJcCGVn2TAppMSAmUmhsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdE -c5IiaacDiGydY8hS2pgn5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3C -IShwiP/WJmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exALDmKu -dlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZChuOl1UcCAwEAAaNC -MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMR5yo6hTgMdHNxr -2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IBAQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9 
-cr5HqQ6XErhK8WTTOd8lNNTBzU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbE -Ap7aDHdlDkQNkv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD -AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUHSJsMC8tJP33s -t/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2Gspki4cErx5z481+oghLrGREt ------END CERTIFICATE----- - -thawte Primary Root CA - G2 -=========================== ------BEGIN CERTIFICATE----- -MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDELMAkGA1UEBhMC -VVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjE4MDYGA1UECxMvKGMpIDIwMDcgdGhhd3RlLCBJbmMu -IC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3Qg -Q0EgLSBHMjAeFw0wNzExMDUwMDAwMDBaFw0zODAxMTgyMzU5NTlaMIGEMQswCQYDVQQGEwJVUzEV -MBMGA1UEChMMdGhhd3RlLCBJbmMuMTgwNgYDVQQLEy8oYykgMjAwNyB0aGF3dGUsIEluYy4gLSBG -b3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAt -IEcyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEotWcgnuVnfFSeIf+iha/BebfowJPDQfGAFG6DAJS -LSKkQjnE/o/qycG+1E3/n3qe4rF8mq2nhglzh9HnmuN6papu+7qzcMBniKI11KOasf2twu8x+qi5 -8/sIxpHR+ymVo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU -mtgAMADna3+FGO6Lts6KDPgR4bswCgYIKoZIzj0EAwMDaQAwZgIxAN344FdHW6fmCsO99YCKlzUN -G4k8VIZ3KMqh9HneteY4sPBlcIx/AlTCv//YoT7ZzwIxAMSNlPzcU9LcnXgWHxUzI1NS41oxXZ3K -rr0TKUQNJ1uo52icEvdYPy5yAlejj6EULg== ------END CERTIFICATE----- - -thawte Primary Root CA - G3 -=========================== ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UE -BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2 -aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhv -cml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0w -ODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhh -d3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYD -VQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG 
-A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAsr8nLPvb2FvdeHsbnndmgcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2At -P0LMqmsywCPLLEHd5N/8YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC -+BsUa0Lfb1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS99irY -7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2SzhkGcuYMXDhpxwTW -vGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUkOQIDAQABo0IwQDAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJ -KoZIhvcNAQELBQADggEBABpA2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweK -A3rD6z8KLFIWoCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu -t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7cKUGRIjxpp7sC -8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fMm7v/OeZWYdMKp8RcTGB7BXcm -er/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZuMdRAGmI0Nj81Aa6sY6A= ------END CERTIFICATE----- - -GeoTrust Primary Certification Authority - G2 -============================================= ------BEGIN CERTIFICATE----- -MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDELMAkGA1UEBhMC -VVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA3IEdlb1RydXN0IElu -Yy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBD -ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1 -OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg -MjAwNyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMTLUdl -b1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjB2MBAGByqGSM49AgEG -BSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcLSo17VDs6bl8VAsBQps8lL33KSLjHUGMc -KiEIfJo22Av+0SbFWDEwKCXzXV2juLaltJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYD -VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+ -EVXVMAoGCCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGTqQ7m 
-ndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBuczrD6ogRLQy7rQkgu2 -npaqBA+K ------END CERTIFICATE----- - -VeriSign Universal Root Certification Authority -=============================================== ------BEGIN CERTIFICATE----- -MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCBvTELMAkGA1UE -BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO -ZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk -IHVzZSBvbmx5MTgwNgYDVQQDEy9WZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9u -IEF1dGhvcml0eTAeFw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJV -UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv -cmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl -IG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj -1mCOkdeQmIN65lgZOIzF9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGP -MiJhgsWHH26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+HLL72 -9fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN/BMReYTtXlT2NJ8I -AfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPTrJ9VAMf2CGqUuV/c4DPxhGD5WycR -tPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0G -CCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2O -a8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud -DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4sAPmLGd75JR3 -Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+seQxIcaBlVZaDrHC1LGmWazx -Y8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTx -P/jgdFcrGJ2BtMQo2pSXpXDrrB2+BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+P -wGZsY6rp2aQW9IHRlRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4 -mJO37M2CYfE45k+XmCpajQ== ------END CERTIFICATE----- - -VeriSign Class 3 Public Primary Certification Authority - G4 
-============================================================ ------BEGIN CERTIFICATE----- -MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjELMAkGA1UEBhMC -VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3 -b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVz -ZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmlj -YXRpb24gQXV0aG9yaXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjEL -MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU -cnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRo -b3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5 -IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8 -Utpkmw4tXNherJI9/gHmGUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGz -rl0Bp3vefLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEw -HzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24u -Y29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMWkf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMD -A2gAMGUCMGYhDBgmYFo4e1ZC4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIx -AJw9SDkjOVgaFRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA== ------END CERTIFICATE----- - -NetLock Arany (Class Gold) Főtanúsítvány -======================================== ------BEGIN CERTIFICATE----- -MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQGEwJIVTERMA8G -A1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3MDUGA1UECwwuVGFuw7pzw610 -dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBB -cmFueSAoQ2xhc3MgR29sZCkgRsWRdGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgx -MjA2MTUwODIxWjCBpzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxO -ZXRMb2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlmaWNhdGlv 
-biBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNzIEdvbGQpIEbFkXRhbsO6 -c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCRec75LbRTDofTjl5Bu -0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrTlF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw -/HpYzY6b7cNGbIRwXdrzAZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAk -H3B5r9s5VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRGILdw -fzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2BJtr+UBdADTHLpl1 -neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIB -BjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2MU9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwW -qZw8UQCgwBEIBaeZ5m8BiFRhbvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTta -YtOUZcTh5m2C+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC -bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2FuLjbvrW5Kfna -NwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2XjG4Kvte9nHfRCaexOYNkbQu -dZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= ------END CERTIFICATE----- - -Staat der Nederlanden Root CA - G2 -================================== ------BEGIN CERTIFICATE----- -MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJOTDEeMBwGA1UE -CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFhdCBkZXIgTmVkZXJsYW5kZW4g -Um9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oXDTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMC -TkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5l -ZGVybGFuZGVuIFJvb3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ -5291qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8SpuOUfiUtn -vWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPUZ5uW6M7XxgpT0GtJlvOj -CwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvEpMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiil -e7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCR -OME4HYYEhLoaJXhena/MUGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpI -CT0ugpTNGmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy5V65 
-48r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv6q012iDTiIJh8BIi -trzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEKeN5KzlW/HdXZt1bv8Hb/C3m1r737 -qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMB -AAGjgZcwgZQwDwYDVR0TAQH/BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcC -ARYxaHR0cDovL3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqGSIb3DQEBCwUA -A4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLySCZa59sCrI2AGeYwRTlHSeYAz -+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwj -f/ST7ZwaUb7dRUG/kSS0H4zpX897IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaN -kqbG9AclVMwWVxJKgnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfk -CpYL+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxLvJxxcypF -URmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkmbEgeqmiSBeGCc1qb3Adb -CG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvkN1trSt8sV4pAWja63XVECDdCcAz+3F4h -oKOKwJCcaNpQ5kUQR3i2TtJlycM33+FCY7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoV -IPVVYpbtbZNQvOSqeK3Zywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm -66+KAQ== ------END CERTIFICATE----- - -Hongkong Post Root CA 1 -======================= ------BEGIN CERTIFICATE----- -MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoT -DUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMB4XDTAzMDUx -NTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25n -IFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1 -ApzQjVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEnPzlTCeqr -auh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjhZY4bXSNmO7ilMlHIhqqh -qZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9nnV0ttgCXjqQesBCNnLsak3c78QA3xMY -V18meMjWCnl3v/evt3a5pQuEF10Q6m/hq5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNV 
-HRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7i -h9legYsCmEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI37pio -l7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clBoiMBdDhViw+5Lmei -IAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJsEhTkYY2sEJCehFC78JZvRZ+K88ps -T/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpOfMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilT -c4afU9hDDl3WY4JxHYB0yvbiAmvZWg== ------END CERTIFICATE----- - -SecureSign RootCA11 -=================== ------BEGIN CERTIFICATE----- -MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDErMCkGA1UEChMi -SmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoGA1UEAxMTU2VjdXJlU2lnbiBS -b290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSsw -KQYDVQQKEyJKYXBhbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1 -cmVTaWduIFJvb3RDQTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvL -TJszi1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8h9uuywGO -wvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOVMdrAG/LuYpmGYz+/3ZMq -g6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rP -O7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitA -bpSACW22s293bzUIUPsCh8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZX -t94wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKCh -OBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xmKbabfSVSSUOrTC4r -bnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQX5Ucv+2rIrVls4W6ng+4reV6G4pQ -Oh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWrQbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01 -y8hSyn+B/tlr0/cR7SXf+Of5pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061 -lgeLKBObjBmNQSdJQO7e5iNEOdyhIta6A/I= ------END CERTIFICATE----- - -Microsec e-Szigno Root CA 2009 -============================== ------BEGIN CERTIFICATE----- -MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYDVQQGEwJIVTER 
-MA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jv -c2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5o -dTAeFw0wOTA2MTYxMTMwMThaFw0yOTEyMzAxMTMwMThaMIGCMQswCQYDVQQGEwJIVTERMA8GA1UE -BwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUt -U3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5odTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOn4j/NjrdqG2KfgQvvPkd6mJviZpWNwrZuuyjNA -fW2WbqEORO7hE52UQlKavXWFdCyoDh2Tthi3jCyoz/tccbna7P7ofo/kLx2yqHWH2Leh5TvPmUpG -0IMZfcChEhyVbUr02MelTTMuhTlAdX4UfIASmFDHQWe4oIBhVKZsTh/gnQ4H6cm6M+f+wFUoLAKA -pxn1ntxVUwOXewdI/5n7N4okxFnMUBBjjqqpGrCEGob5X7uxUG6k0QrM1XF+H6cbfPVTbiJfyyvm -1HxdrtbCxkzlBQHZ7Vf8wSN5/PrIJIOV87VqUQHQd9bpEqH5GoP7ghu5sJf0dgYzQ0mg/wu1+rUC -AwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTLD8bf -QkPMPcu1SCOhGnqmKrs0aDAfBgNVHSMEGDAWgBTLD8bfQkPMPcu1SCOhGnqmKrs0aDAbBgNVHREE -FDASgRBpbmZvQGUtc3ppZ25vLmh1MA0GCSqGSIb3DQEBCwUAA4IBAQDJ0Q5eLtXMs3w+y/w9/w0o -lZMEyL/azXm4Q5DwpL7v8u8hmLzU1F0G9u5C7DBsoKqpyvGvivo/C3NqPuouQH4frlRheesuCDfX -I/OMn74dseGkddug4lQUsbocKaQY9hK6ohQU4zE1yED/t+AFdlfBHFny+L/k7SViXITwfn4fs775 -tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c2Pm2G2JwCz02 -yULyMtd6YebS2z3PyKnJm9zbWETXbzivf3jTo60adbocwTZ8jx5tHMN1Rq41Bab2XD0h7lbwyYIi -LXpUq3DDfSJlgnCW ------END CERTIFICATE----- - -GlobalSign Root CA - R3 -======================= ------BEGIN CERTIFICATE----- -MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xv -YmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2Jh -bFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxT -aWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2ln -bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWt -iHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ -0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3 
-rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjl -OCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2 -xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE -FI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZURUm7 -lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMpjjM5RcOO5LlXbKr8 -EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1E -bddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18 -YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7r -kpeDMdmztcpHWD9f ------END CERTIFICATE----- - -Autoridad de Certificacion Firmaprofesional CIF A62634068 -========================================================= ------BEGIN CERTIFICATE----- -MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UEBhMCRVMxQjBA -BgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVzaW9uYWwgQ0lGIEE2 -MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEyMzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIw -QAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBB -NjI2MzQwNjgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDD -Utd9thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQMcas9UX4P -B99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefGL9ItWY16Ck6WaVICqjaY -7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15iNA9wBj4gGFrO93IbJWyTdBSTo3OxDqqH -ECNZXyAFGUftaI6SEspd/NYrspI8IM/hX68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyI -plD9amML9ZMWGxmPsu2bm8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctX -MbScyJCyZ/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirjaEbsX -LZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/TKI8xWVvTyQKmtFLK -bpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF6NkBiDkal4ZkQdU7hwxu+g/GvUgU -vzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVhOSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1Ud -EwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNH 
-DhpkLzCBpgYDVR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp -cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBvACAAZABlACAA -bABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBlAGwAbwBuAGEAIAAwADgAMAAx -ADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx -51tkljYyGOylMnfX40S2wBEqgLk9am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qk -R71kMrv2JYSiJ0L1ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaP -T481PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS3a/DTg4f -Jl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5kSeTy36LssUzAKh3ntLFl -osS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF3dvd6qJ2gHN99ZwExEWN57kci57q13XR -crHedUTnQn3iV2t93Jm8PYMo6oCTjcVMZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoR -saS8I8nkvof/uZS2+F0gStRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTD -KCOM/iczQ0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQBjLMi -6Et8Vcad+qMUu2WFbm5PEn4KPJ2V ------END CERTIFICATE----- - -Izenpe.com -========== ------BEGIN CERTIFICATE----- -MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQG -EwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5jb20wHhcNMDcxMjEz -MTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMu -QS4xEzARBgNVBAMMCkl6ZW5wZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ -03rKDx6sp4boFmVqscIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAK -ClaOxdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6HLmYRY2xU -+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFXuaOKmMPsOzTFlUFpfnXC -PCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQDyCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxT -OTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbK -F7jJeodWLBoBHmy+E60QrLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK -0GqfvEyNBjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8Lhij+ -0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIBQFqNeb+Lz0vPqhbB 
-leStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+HMh3/1uaD7euBUbl8agW7EekFwID -AQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2luZm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+ -SVpFTlBFIFMuQS4gLSBDSUYgQTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBG -NjIgUzgxQzBBBgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx -MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O -BBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUAA4ICAQB4pgwWSp9MiDrAyw6l -Fn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWblaQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbga -kEyrkgPH7UIBzg/YsfqikuFgba56awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8q -hT/AQKM6WfxZSzwoJNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Cs -g1lwLDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCTVyvehQP5 -aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGkLhObNA5me0mrZJfQRsN5 -nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJbUjWumDqtujWTI6cfSN01RpiyEGjkpTHC -ClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZo -Q0iy2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z -WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw== ------END CERTIFICATE----- - -Chambers of Commerce Root - 2008 -================================ ------BEGIN CERTIFICATE----- -MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYDVQQGEwJFVTFD -MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv -bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu -QS4xKTAnBgNVBAMTIENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEy -Mjk1MFoXDTM4MDczMTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNl -ZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQF -EwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJl -cnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW928sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKA 
-XuFixrYp4YFs8r/lfTJqVKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorj -h40G072QDuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR5gN/ -ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfLZEFHcpOrUMPrCXZk -NNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05aSd+pZgvMPMZ4fKecHePOjlO+Bd5g -D2vlGts/4+EhySnB8esHnFIbAURRPHsl18TlUlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331 -lubKgdaX8ZSD6e2wsWsSaR6s+12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ -0wlf2eOKNcx5Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj -ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAxhduub+84Mxh2 -EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNVHQ4EFgQU+SSsD7K1+HnA+mCI -G8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1+HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJ -BgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh -bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENh -bWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDiC -CQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUH -AgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAJASryI1 -wqM58C7e6bXpeHxIvj99RZJe6dqxGfwWPJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH -3qLPaYRgM+gQDROpI9CF5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbU -RWpGqOt1glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaHFoI6 -M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2pSB7+R5KBWIBpih1 -YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MDxvbxrN8y8NmBGuScvfaAFPDRLLmF -9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QGtjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcK -zBIKinmwPQN/aUv0NCB9szTqjktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvG -nrDQWzilm1DefhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg -OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZd0jQ ------END CERTIFICATE----- - -Global Chambersign Root - 2008 -============================== ------BEGIN CERTIFICATE----- 
-MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYDVQQGEwJFVTFD -MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv -bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu -QS4xJzAlBgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMx -NDBaFw0zODA3MzExMjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUg -Y3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ -QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD -aGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDf -VtPkOpt2RbQT2//BthmLN0EYlVJH6xedKYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXf -XjaOcNFccUMd2drvXNL7G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0 -ZJJ0YPP2zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4ddPB -/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyGHoiMvvKRhI9lNNgA -TH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2Id3UwD2ln58fQ1DJu7xsepeY7s2M -H/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3VyJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfe -Ox2YItaswTXbo6Al/3K1dh3ebeksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSF -HTynyQbehP9r6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh -wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsogzCtLkykPAgMB -AAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQWBBS5CcqcHtvTbDprru1U8VuT -BjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDprru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UE -BhMCRVUxQzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJm -aXJtYS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJm -aXJtYSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiCCQDJzdPp -1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0 -dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAICIf3DekijZBZRG -/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZUohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6 
-ReAJ3spED8IXDneRRXozX1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/s -dZ7LoR/xfxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVza2Mg -9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yydYhz2rXzdpjEetrHH -foUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMdSqlapskD7+3056huirRXhOukP9Du -qqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9OAP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETr -P3iZ8ntxPjzxmKfFGBI/5rsoM0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVq -c5iJWzouE4gev8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z -09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B ------END CERTIFICATE----- - -Go Daddy Root Certificate Authority - G2 -======================================== ------BEGIN CERTIFICATE----- -MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT -B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMu -MTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5 -MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6 -b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8G -A1UEAxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKDE6bFIEMBO4Tx5oVJnyfq -9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD -+qK+ihVqf94Lw7YZFAXK6sOoBJQ7RnwyDfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutd -fMh8+7ArU6SSYmlRJQVhGkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMl -NAJWJwGRtDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEAAaNC -MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9 -BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmXWWcDYfF+OwYxdS2hII5PZYe096ac -vNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r -5N9ss4UXnT3ZJE95kTXWXwTrgIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYV -N8Gb5DKj7Tjo2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO 
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI4uJEvlz36hz1 ------END CERTIFICATE----- - -Starfield Root Certificate Authority - G2 -========================================= ------BEGIN CERTIFICATE----- -MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT -B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9s -b2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVsZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0 -eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAw -DgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQg -VGVjaG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZpY2F0ZSBB -dXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3twQP89o/8ArFv -W59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMgnLRJdzIpVv257IzdIvpy3Cdhl+72WoTs -bhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNk -N3mSwOxGXn/hbVNMYq/NHwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7Nf -ZTD4p7dNdloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0HZbU -JtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0GCSqGSIb3DQEBCwUAA4IBAQARWfol -TwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjUsHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx -4mcujJUDJi5DnUox9g61DLu34jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUw -F5okxBDgBPfg8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K -pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1mMpYjn0q7pBZ -c2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0 ------END CERTIFICATE----- - -Starfield Services Root Certificate Authority - G2 -================================================== ------BEGIN CERTIFICATE----- -MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMxEDAOBgNVBAgT -B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9s -b2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRl 
-IEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNV -BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxT -dGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2VydmljZXMg -Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20pOsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2 -h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm28xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4Pa -hHQUw2eeBGg6345AWh1KTs9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLP -LJGmpufehRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk6mFB -rMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAwDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMA0GCSqG -SIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMIbw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPP -E95Dz+I0swSdHynVv/heyNXBve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTy -xQGjhdByPq1zqwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd -iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn0q23KXB56jza -YyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCNsSi6 ------END CERTIFICATE----- - -AffirmTrust Commercial -====================== ------BEGIN CERTIFICATE----- -MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UEBhMCVVMxFDAS -BgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBDb21tZXJjaWFsMB4XDTEw -MDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmly -bVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6Eqdb -DuKPHx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yrba0F8PrV -C8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPALMeIrJmqbTFeurCA+ukV6 -BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1yHp52UKqK39c/s4mT6NmgTWvRLpUHhww -MmWd5jyTXlBOeuM61G7MGvv50jeuJCqrVwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNV 
-HQ4EFgQUnZPGU4teyq8/nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwDQYJKoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYGXUPG -hi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNjvbz4YYCanrHOQnDi -qX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivtZ8SOyUOyXGsViQK8YvxO8rUzqrJv -0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9gN53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0kh -sUlHRUe072o0EclNmsxZt9YCnlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8= ------END CERTIFICATE----- - -AffirmTrust Networking -====================== ------BEGIN CERTIFICATE----- -MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UEBhMCVVMxFDAS -BgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBOZXR3b3JraW5nMB4XDTEw -MDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmly -bVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SE -Hi3yYJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbuakCNrmreI -dIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRLQESxG9fhwoXA3hA/Pe24 -/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gb -h+0t+nvujArjqWaJGctB+d1ENmHP4ndGyH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNV -HQ4EFgQUBx/S55zawm6iQLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwDQYJKoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfOtDIu -UFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzuQY0x2+c06lkh1QF6 -12S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZLgo/bNjR9eUJtGxUAArgFU2HdW23 -WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4uolu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9 -/ZFvgrG+CJPbFEfxojfHRZ48x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s= ------END CERTIFICATE----- - -AffirmTrust Premium -=================== ------BEGIN CERTIFICATE----- -MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UEBhMCVVMxFDAS -BgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVzdCBQcmVtaXVtMB4XDTEwMDEy 
-OTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRy -dXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A -MIICCgKCAgEAxBLfqV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtn -BKAQJG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ+jjeRFcV -5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrSs8PhaJyJ+HoAVt70VZVs -+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmd -GPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d770O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5R -p9EixAqnOEhss/n/fauGV+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NI -S+LI+H+SqHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S5u04 -6uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4IaC1nEWTJ3s7xgaVY5 -/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TXOwF0lkLgAOIua+rF7nKsu7/+6qqo -+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYEFJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB -/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByv -MiPIs0laUZx2KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg -Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B8OWycvpEgjNC -6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQMKSOyARiqcTtNd56l+0OOF6S -L5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK -+4w1IX2COPKpVJEZNZOUbWo6xbLQu4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmV -BtWVyuEklut89pMFu+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFg -IxpHYoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8GKa1qF60 -g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaORtGdFNrHF+QFlozEJLUb -zxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6eKeC2uAloGRwYQw== ------END CERTIFICATE----- - -AffirmTrust Premium ECC -======================= ------BEGIN CERTIFICATE----- -MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMCVVMxFDASBgNV -BAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQcmVtaXVtIEVDQzAeFw0xMDAx 
-MjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1U -cnVzdDEgMB4GA1UEAwwXQWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQA -IgNiAAQNMF4bFZ0D0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQ -N8O9ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0GA1UdDgQW -BBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAK -BggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/VsaobgxCd05DhT1wV/GzTjxi+zygk8N53X -57hG8f2h4nECMEJZh0PUUd+60wkyWs6Iflc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKM -eQ== ------END CERTIFICATE----- - -Certum Trusted Network CA -========================= ------BEGIN CERTIFICATE----- -MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQK -ExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlv -biBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIy -MTIwNzM3WhcNMjkxMjMxMTIwNzM3WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBU -ZWNobm9sb2dpZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -MSIwIAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rHUV+rpDKmYYe2bg+G0jAC -l/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LMTXPb865Px1bVWqeWifrzq2jUI4ZZJ88J -J7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVUBBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4 -fOQtf/WsX+sWn7Et0brMkUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0 -cvW0QM8xAcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNVHRMB -Af8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNVHQ8BAf8EBAMCAQYw -DQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15ysHhE49wcrwn9I0j6vSrEuVUEtRCj -jSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfLI9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1 -mS1FhIrlQgnXdAIv94nYmem8J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5aj -Zt3hrvJBW8qYVoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI -03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw= ------END 
CERTIFICATE----- - -TWCA Root Certification Authority -================================= ------BEGIN CERTIFICATE----- -MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJ -VEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMzWhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQG -EwJUVzESMBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NB -IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFEAcK0HMMx -QhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HHK3XLfJ+utdGdIzdjp9xC -oi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeXRfwZVzsrb+RH9JlF/h3x+JejiB03HFyP -4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/zrX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1r -y+UPizgN7gr8/g+YnzAx3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB -BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkqhkiG -9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeCMErJk/9q56YAf4lC -mtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdlsXebQ79NqZp4VKIV66IIArB6nCWlW -QtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62Dlhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVY -T0bf+215WfKEIlKuD8z7fDvnaspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocny -Yh0igzyXxfkZYiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw== ------END CERTIFICATE----- - -Security Communication RootCA2 -============================== ------BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc -U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMeU2VjdXJpdHkgQ29tbXVuaWNh -dGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoXDTI5MDUyOTA1MDAzOVowXTELMAkGA1UEBhMC -SlAxJTAjBgNVBAoTHFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3Vy -aXR5IENvbW11bmljYXRpb24gUm9vdENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ANAVOVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2l9amZIyoXvDjChz335c9S672XewhtUGrzbl+dp++ 
-+T42NKA7wfYxEUV0kz1XgMX5iZnK5atq1LXaQZAQwdbWQonCv/Q4EpVMVAX3NuRFg3sUZdbcDE3R -3n4MqzvEFb46VqZab3ZpUql6ucjrappdUtAtCms1FgkQhNBqyjoGADdH5H5XTz+L62e4iKrFvlNV -spHEfbmwhRkGeC7bYRr6hfVKkaHnFtWOojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1K -EOtOghY6rCcMU/Gt1SSwawNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8 -QIH4D5csOPEK7DzPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB -CwUAA4IBAQBMOqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpFcoJxDjrSzG+ntKEj -u/Ykn8sX/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXcokgfGT+Ok+vx+hfuzU7jBBJV1uXk -3fs+BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6q -tnRGEmyR7jTV7JqR50S+kDFy1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29 -mvVXIwAHIRc/SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03 ------END CERTIFICATE----- - -EC-ACC -====== ------BEGIN CERTIFICATE----- -MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB8zELMAkGA1UE -BhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChOSUYgUS0w -ODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYD -VQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UE -CxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMT -BkVDLUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTlaMIHzMQswCQYDVQQGEwJFUzE7 -MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8gKE5JRiBRLTA4MDExNzYt -SSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBDZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZl -Z2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3ZlcmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJh -cnF1aWEgRW50aXRhdHMgZGUgQ2VydGlmaWNhY2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUND -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R85iK -w5K4/0CQBXCHYMkAqbWUZRkiFRfCQ2xmRJoNBD45b6VLeqpjt4pEndljkYRm4CgPukLjbo73FCeT -ae6RDqNfDrHrZqJyTxIThmV6PttPB/SnCWDaOkKZx7J/sxaVHMf5NLWUhdWZXqBIoH7nF2W4onW4 -HvPlQn2v7fOKSGRdghST2MDk/7NQcvJ29rNdQlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0a -E9jD2z3Il3rucO2n5nzbcc8tlGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw 
-0JDnJwIDAQABo4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4opvpXY0wfwYD -VR0gBHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBodHRwczovL3d3dy5jYXRjZXJ0 -Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5l -dC92ZXJhcnJlbCAwDQYJKoZIhvcNAQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/sXE7zDkJ -lF7W2u++AVtd0x7Y/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNa -Al6kSBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7AwaboMMPOhyRp/7SNVe -l+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOSAgu+TGbrIP65y7WZf+a2 -E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xlnJ2lYJU6Un/10asIbvPuW/mIPX64b24D -5EI= ------END CERTIFICATE----- - -Hellenic Academic and Research Institutions RootCA 2011 -======================================================= ------BEGIN CERTIFICATE----- -MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1IxRDBCBgNVBAoT -O0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9y -aXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25z -IFJvb3RDQSAyMDExMB4XDTExMTIwNjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYT -AkdSMUQwQgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25z -IENlcnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNo -IEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPzdYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI -1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJfel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa -71HFK9+WXesyHgLacEnsbgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u -8yBRQlqD75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSPFEDH -3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNVHRMBAf8EBTADAQH/ -MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp5dgTBCPuQSUwRwYDVR0eBEAwPqA8 -MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQub3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQu 
-b3JnMA0GCSqGSIb3DQEBBQUAA4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVt -XdMiKahsog2p6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8 -TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7dIsXRSZMFpGD -/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8AcysNnq/onN694/BtZqhFLKPM58N -7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXIl7WdmplNsDz4SgCbZN2fOUvRJ9e4 ------END CERTIFICATE----- - -Actalis Authentication Root CA -============================== ------BEGIN CERTIFICATE----- -MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQxDjAM -BgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UE -AwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDky -MjExMjIwMlowazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlz -IFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290 -IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNvUTufClrJ -wkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX4ay8IMKx4INRimlNAJZa -by/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9KK3giq0itFZljoZUj5NDKd45RnijMCO6 -zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1f -YVEiVRvjRuPjPdA1YprbrxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2 -oxgkg4YQ51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2Fbe8l -EfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxeKF+w6D9Fz8+vm2/7 -hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4Fv6MGn8i1zeQf1xcGDXqVdFUNaBr8 -EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbnfpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5 -jF66CyCU3nuDuP/jVo23Eek7jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLY -iDrIn3hm7YnzezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt -ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQALe3KHwGCmSUyI -WOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70jsNjLiNmsGe+b7bAEzlgqqI0 -JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDzWochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKx 
-K3JCaKygvU5a2hi/a5iB0P2avl4VSM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+ -Xlff1ANATIGk0k9jpwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC -4yyXX04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+OkfcvHlXHo -2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7RK4X9p2jIugErsWx0Hbhz -lefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btUZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXem -OR/qnuOf0GZvBeyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9 -vwGYT7JZVEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== ------END CERTIFICATE----- - -Trustis FPS Root CA -=================== ------BEGIN CERTIFICATE----- -MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQG -EwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQLExNUcnVzdGlzIEZQUyBSb290 -IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTExMzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNV -BAoTD1RydXN0aXMgTGltaXRlZDEcMBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQ -RUN+AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihHiTHcDnlk -H5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjjvSkCqPoc4Vu5g6hBSLwa -cY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zt -o3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlBOrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEA -AaNTMFEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAd -BgNVHQ4EFgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01GX2c -GE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmWzaD+vkAMXBJV+JOC -yinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP41BIy+Q7DsdwyhEQsb8tGD+pmQQ9P -8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZEf1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHV -l/9D7S3B2l0pKoU/rGXuhg8FjZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYl -iB6XzCGcKQENZetX2fNXlrtIzYE= ------END CERTIFICATE----- - -Buypass Class 2 Root CA -======================= ------BEGIN CERTIFICATE----- 
-MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEdMBsGA1UECgwU -QnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3MgQ2xhc3MgMiBSb290IENBMB4X -DTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1owTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1 -eXBhc3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTCCAiIw -DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANfHXvfBB9R3+0Mh9PT1aeTuMgHbo4Yf5FkNuud1 -g1Lr6hxhFUi7HQfKjK6w3Jad6sNgkoaCKHOcVgb/S2TwDCo3SbXlzwx87vFKu3MwZfPVL4O2fuPn -9Z6rYPnT8Z2SdIrkHJasW4DptfQxh6NR/Md+oW+OU3fUl8FVM5I+GC911K2GScuVr1QGbNgGE41b -/+EmGVnAJLqBcXmQRFBoJJRfuLMR8SlBYaNByyM21cHxMlAQTn/0hpPshNOOvEu/XAFOBz3cFIqU -CqTqc/sLUegTBxj6DvEr0VQVfTzh97QZQmdiXnfgolXsttlpF9U6r0TtSsWe5HonfOV116rLJeff -awrbD02TTqigzXsu8lkBarcNuAeBfos4GzjmCleZPe4h6KP1DBbdi+w0jpwqHAAVF41og9JwnxgI -zRFo1clrUs3ERo/ctfPYV3Me6ZQ5BL/T3jjetFPsaRyifsSP5BtwrfKi+fv3FmRmaZ9JUaLiFRhn -Bkp/1Wy1TbMz4GHrXb7pmA8y1x1LPC5aAVKRCfLf6o3YBkBjqhHk/sM3nhRSP/TizPJhk9H9Z2vX -Uq6/aKtAQ6BXNVN48FP4YUIHZMbXb5tMOA1jrGKvNouicwoN9SG9dKpN6nIDSdvHXx1iY8f93ZHs -M+71bbRuMGjeyNYmsHVee7QHIJihdjK4TWxPAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYD -VR0OBBYEFMmAd+BikoL1RpzzuvdMw964o605MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsF -AAOCAgEAU18h9bqwOlI5LJKwbADJ784g7wbylp7ppHR/ehb8t/W2+xUbP6umwHJdELFx7rxP462s -A20ucS6vxOOto70MEae0/0qyexAQH6dXQbLArvQsWdZHEIjzIVEpMMpghq9Gqx3tOluwlN5E40EI -osHsHdb9T7bWR9AUC8rmyrV7d35BH16Dx7aMOZawP5aBQW9gkOLo+fsicdl9sz1Gv7SEr5AcD48S -aq/v7h56rgJKihcrdv6sVIkkLE8/trKnToyokZf7KcZ7XC25y2a2t6hbElGFtQl+Ynhw/qlqYLYd -DnkM/crqJIByw5c/8nerQyIKx+u2DISCLIBrQYoIwOula9+ZEsuK1V6ADJHgJgg2SMX6OBE1/yWD -LfJ6v9r9jv6ly0UsH8SIU653DtmadsWOLB2jutXsMq7Aqqz30XpN69QH4kj3Io6wpJ9qzo6ysmD0 -oyLQI+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK75t98biGC -wWg5TbSYWGZizEqQXsP6JwSxeRV0mcy+rSDeJmAc61ZRpqPq5KM/p/9h3PFaTWwyI0PurKju7koS -CTxdccK+efrCh2gdC/1cacwG0Jp9VJkqyTkaGa9LKkPzY11aWOIv4x3kqdbQCtCev9eBCfHJxyYN -rJgWVqA= ------END CERTIFICATE----- - -Buypass Class 3 Root CA -======================= ------BEGIN CERTIFICATE----- 
-MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEdMBsGA1UECgwU -QnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3MgQ2xhc3MgMyBSb290IENBMB4X -DTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFowTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1 -eXBhc3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIw -DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRH -sJ8YZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3EN3coTRiR -5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9tznDDgFHmV0ST9tD+leh -7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX0DJq1l1sDPGzbjniazEuOQAnFN44wOwZ -ZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH -2xc519woe2v1n/MuwU8XKhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV -/afmiSTYzIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvSO1UQ -RwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D34xFMFbG02SrZvPA -Xpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgPK9Dx2hzLabjKSWJtyNBjYt1gD1iq -j6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYD -VR0OBBYEFEe4zf/lb+74suwvTg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsF -AAOCAgEAACAjQTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV -cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXSIGrs/CIBKM+G -uIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2HJLw5QY33KbmkJs4j1xrG0aG -Q0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsaO5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8 -ZORK15FTAaggiG6cX0S5y2CBNOxv033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2 -KSb12tjE8nVhz36udmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz -6MkEkbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg413OEMXbug -UZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvDu79leNKGef9JOxqDDPDe -eOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq4/g7u9xN12TyUb7mqqta6THuBrxzvxNi -Cp/HuZc= ------END CERTIFICATE----- - -T-TeleSec GlobalRoot Class 3 -============================ ------BEGIN CERTIFICATE----- 
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoM -IlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBU -cnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgx -MDAxMTAyOTU2WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lz -dGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD -ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN8ELg63iIVl6bmlQdTQyK -9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/RLyTPWGrTs0NvvAgJ1gORH8EGoel15YU -NpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZF -iP0Zf3WHHx+xGwpzJFu5ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W -0eDrXltMEnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGjQjBA -MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1A/d2O2GCahKqGFPr -AyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOyWL6ukK2YJ5f+AbGwUgC4TeQbIXQb -fsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzT -ucpH9sry9uetuUg/vBa3wW306gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7h -P0HHRwA11fXT91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml -e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTpPDpFQUWw== ------END CERTIFICATE----- - -EE Certification Centre Root CA -=============================== ------BEGIN CERTIFICATE----- -MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQG -EwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2Vy -dGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIw -MTAxMDMwMTAxMDMwWhgPMjAzMDEyMTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlB -UyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRy -ZSBSb290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUyeuuOF0+W2Ap7kaJjbMeM 
-TC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvObntl8jixwKIy72KyaOBhU8E2lf/slLo2 -rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIwWFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw -93X2PaRka9ZP585ArQ/dMtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtN -P2MbRMNE1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYDVR0T -AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/zQas8fElyalL1BSZ -MEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEF -BQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEFBQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+Rj -xY6hUFaTlrg4wCQiZrxTFGGVv9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqM -lIpPnTX/dqQGE5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u -uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIWiAYLtqZLICjU -3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/vGVCJYMzpJJUPwssd8m92kMfM -dcGWxZ0= ------END CERTIFICATE----- - -D-TRUST Root Class 3 CA 2 2009 -============================== ------BEGIN CERTIFICATE----- -MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQK -DAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTAe -Fw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NThaME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxE -LVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANOySs96R+91myP6Oi/WUEWJNTrGa9v+2wBoqOAD -ER03UAifTUpolDWzU9GUY6cgVq/eUXjsKj3zSEhQPgrfRlWLJ23DEE0NkVJD2IfgXU42tSHKXzlA -BF9bfsyjxiupQB7ZNoTWSPOSHjRGICTBpFGOShrvUD9pXRl/RcPHAY9RySPocq60vFYJfxLLHLGv -KZAKyVXMD9O0Gu1HNVpK7ZxzBCHQqr0ME7UAyiZsxGsMlFqVlNpQmvH/pStmMaTJOKDfHR+4CS7z -p+hnUquVH+BGPtikw8paxTGA6Eian5Rp/hnd2HN8gcqW3o7tszIFZYQ05ub9VxC1X3a/L7AQDcUC -AwEAAaOCARowggEWMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP3aFMSfMN4hvR5COfyrYyNJ -4PGEMA4GA1UdDwEB/wQEAwIBBjCB0wYDVR0fBIHLMIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVjdG9y -eS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMDIw 
-MDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwQ6BBoD+G -PWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAw -OS5jcmwwDQYJKoZIhvcNAQELBQADggEBAH+X2zDI36ScfSF6gHDOFBJpiBSVYEQBrLLpME+bUMJm -2H6NMLVwMeniacfzcNsgFYbQDfC+rAF1hM5+n02/t2A7nPPKHeJeaNijnZflQGDSNiH+0LS4F9p0 -o3/U37CYAqxva2ssJSRyoWXuJVrl5jLn8t+rSfrzkGkj2wTZ51xY/GXUl77M/C4KzCUqNQT4YJEV -dT1B/yMfGchs64JTBKbkTCJNjYy6zltz7GRUUG3RnFX7acM2w4y8PIWmawomDeCTmGCufsYkl4ph -X5GOZpIJhzbNi5stPvZR1FDUWSi9g/LMKHtThm3YJohw1+qRzT65ysCQblrGXnRl11z+o+I= ------END CERTIFICATE----- - -D-TRUST Root Class 3 CA 2 EV 2009 -================================= ------BEGIN CERTIFICATE----- -MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQK -DAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAw -OTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUwNDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQK -DAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAw -OTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfS -egpnljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM03TP1YtHh -zRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6ZqQTMFexgaDbtCHu39b+T -7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lRp75mpoo6Kr3HGrHhFPC+Oh25z1uxav60 -sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure35 -11H3a6UCAwEAAaOCASQwggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyv -cop9NteaHNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFwOi8v -ZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xhc3MlMjAzJTIwQ0El -MjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0aWZpY2F0ZXJldm9jYXRp -b25saXN0MEagRKBChkBodHRwOi8vd3d3LmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xh -c3NfM19jYV8yX2V2XzIwMDkuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+ -PPoeUSbrh/Yp3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05 -nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNFCSuGdXzfX2lX 
-ANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7naxpeG0ILD5EJt/rDiZE4OJudA -NCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqXKVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVv -w9y4AyHqnxbxLFS1 ------END CERTIFICATE----- - -CA Disig Root R2 -================ ------BEGIN CERTIFICATE----- -MIIFaTCCA1GgAwIBAgIJAJK4iNuwisFjMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAlNLMRMw -EQYDVQQHEwpCcmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMuMRkwFwYDVQQDExBDQSBEaXNp -ZyBSb290IFIyMB4XDTEyMDcxOTA5MTUzMFoXDTQyMDcxOTA5MTUzMFowUjELMAkGA1UEBhMCU0sx -EzARBgNVBAcTCkJyYXRpc2xhdmExEzARBgNVBAoTCkRpc2lnIGEucy4xGTAXBgNVBAMTEENBIERp -c2lnIFJvb3QgUjIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCio8QACdaFXS1tFPbC -w3OeNcJxVX6B+6tGUODBfEl45qt5WDza/3wcn9iXAng+a0EE6UG9vgMsRfYvZNSrXaNHPWSb6Wia -xswbP7q+sos0Ai6YVRn8jG+qX9pMzk0DIaPY0jSTVpbLTAwAFjxfGs3Ix2ymrdMxp7zo5eFm1tL7 -A7RBZckQrg4FY8aAamkw/dLukO8NJ9+flXP04SXabBbeQTg06ov80egEFGEtQX6sx3dOy1FU+16S -GBsEWmjGycT6txOgmLcRK7fWV8x8nhfRyyX+hk4kLlYMeE2eARKmK6cBZW58Yh2EhN/qwGu1pSqV -g8NTEQxzHQuyRpDRQjrOQG6Vrf/GlK1ul4SOfW+eioANSW1z4nuSHsPzwfPrLgVv2RvPN3YEyLRa -5Beny912H9AZdugsBbPWnDTYltxhh5EF5EQIM8HauQhl1K6yNg3ruji6DOWbnuuNZt2Zz9aJQfYE -koopKW1rOhzndX0CcQ7zwOe9yxndnWCywmZgtrEE7snmhrmaZkCo5xHtgUUDi/ZnWejBBhG93c+A -Ak9lQHhcR1DIm+YfgXvkRKhbhZri3lrVx/k6RGZL5DJUfORsnLMOPReisjQS1n6yqEm70XooQL6i -Fh/f5DcfEXP7kAplQ6INfPgGAVUzfbANuPT1rqVCV3w2EYx7XsQDnYx5nQIDAQABo0IwQDAPBgNV -HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUtZn4r7CU9eMg1gqtzk5WpC5u -Qu0wDQYJKoZIhvcNAQELBQADggIBACYGXnDnZTPIgm7ZnBc6G3pmsgH2eDtpXi/q/075KMOYKmFM -tCQSin1tERT3nLXK5ryeJ45MGcipvXrA1zYObYVybqjGom32+nNjf7xueQgcnYqfGopTpti72TVV -sRHFqQOzVju5hJMiXn7B9hJSi+osZ7z+Nkz1uM/Rs0mSO9MpDpkblvdhuDvEK7Z4bLQjb/D907Je -dR+Zlais9trhxTF7+9FGs9K8Z7RiVLoJ92Owk6Ka+elSLotgEqv89WBW7xBci8QaQtyDW2QOy7W8 -1k/BfDxujRNt+3vrMNDcTa/F1balTFtxyegxvug4BkihGuLq0t4SOVga/4AOgnXmt8kHbA7v/zjx -mHHEt38OFdAlab0inSvtBfZGR6ztwPDUO+Ls7pZbkBNOHlY667DvlruWIxG68kOGdGSVyCh13x01 -utI3gzhTODY7z2zp+WsO0PsE6E9312UBeIYMej4hYvF/Y3EMyZ9E26gnonW+boE+18DrG5gPcFw0 
-sorMwIUY6256s/daoQe/qUKS82Ail+QUoQebTnbAjn39pCXHR+3/H3OszMOl6W8KjptlwlCFtaOg -UxLMVYdh84GuEEZhvUQhuMI9dM9+JDX6HAcOmz0iyu8xL4ysEr3vQCj8KWefshNPZiTEUxnpHikV -7+ZtsH8tZ/3zbBt1RqPlShfppNcL ------END CERTIFICATE----- - -ACCVRAIZ1 -========= ------BEGIN CERTIFICATE----- -MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UEAwwJQUNDVlJB -SVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQswCQYDVQQGEwJFUzAeFw0xMTA1 -MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQBgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwH -UEtJQUNDVjENMAsGA1UECgwEQUNDVjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQCbqau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gM -jmoYHtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWoG2ioPej0 -RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpAlHPrzg5XPAOBOp0KoVdD -aaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhrIA8wKFSVf+DuzgpmndFALW4ir50awQUZ -0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDG -WuzndN9wrqODJerWx5eHk6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs7 -8yM2x/474KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMOm3WR -5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpacXpkatcnYGMN285J -9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPluUsXQA+xtrn13k/c4LOsOxFwYIRK -Q26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYIKwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRw -Oi8vd3d3LmFjY3YuZXMvZmlsZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEu -Y3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2 -VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeTVfZW6oHlNsyM -Hj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIGCCsGAQUFBwICMIIBFB6CARAA -QQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUAcgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBh -AO0AegAgAGQAZQAgAGwAYQAgAEEAQwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUA -YwBuAG8AbABvAGcA7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBj -AHQAcgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAAQwBQAFMA 
-IABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUAczAwBggrBgEFBQcCARYk -aHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2MuaHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0 -dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRtaW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2 -MV9kZXIuY3JsMA4GA1UdDwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZI -hvcNAQEFBQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdpD70E -R9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gUJyCpZET/LtZ1qmxN -YEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+mAM/EKXMRNt6GGT6d7hmKG9Ww7Y49 -nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepDvV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJ -TS+xJlsndQAJxGJ3KQhfnlmstn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3 -sCPdK6jT2iWH7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h -I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szAh1xA2syVP1Xg -Nce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xFd3+YJ5oyXSrjhO7FmGYvliAd -3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2HpPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3p -EfbRD0tVNEYqi4Y7 ------END CERTIFICATE----- - -TWCA Global Root CA -=================== ------BEGIN CERTIFICATE----- -MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcxEjAQBgNVBAoT -CVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMTVFdDQSBHbG9iYWwgUm9vdCBD -QTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQK -EwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3Qg -Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2C -nJfF10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz0ALfUPZV -r2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfChMBwqoJimFb3u/Rk28OKR -Q4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbHzIh1HrtsBv+baz4X7GGqcXzGHaL3SekV -tTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1W -KKD+u4ZqyPpcC1jcxkt2yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99 -sy2sbZCilaLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYPoA/p 
-yJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQABDzfuBSO6N+pjWxn -kjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcEqYSjMq+u7msXi7Kx/mzhkIyIqJdI -zshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMC -AQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6g -cFGn90xHNcgL1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn -LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WFH6vPNOw/KP4M -8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNoRI2T9GRwoD2dKAXDOXC4Ynsg -/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlg -lPx4mI88k1HtQJAH32RjJMtOcQWh15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryP -A9gK8kxkRr05YuWW6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3m -i4TWnsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5jwa19hAM8 -EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWzaGHQRiapIVJpLesux+t3 -zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmyKwbQBM0= ------END CERTIFICATE----- - -TeliaSonera Root CA v1 -====================== ------BEGIN CERTIFICATE----- -MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAwNzEUMBIGA1UE -CgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJvb3QgQ0EgdjEwHhcNMDcxMDE4 -MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYDVQQKDAtUZWxpYVNvbmVyYTEfMB0GA1UEAwwW -VGVsaWFTb25lcmEgUm9vdCBDQSB2MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMK+ -6yfwIaPzaSZVfp3FVRaRXP3vIb9TgHot0pGMYzHw7CTww6XScnwQbfQ3t+XmfHnqjLWCi65ItqwA -3GV17CpNX8GH9SBlK4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3GwYq/t75rH2D+1665I+XZ75Ljo1k -B1c4VWk0Nj0TSO9P4tNmHqTPGrdeNjPUtAa9GAH9d4RQAEX1jF3oI7x+/jXh7VB7qTCNGdMJjmhn -Xb88lxhTuylixcpecsHHltTbLaC0H2kD7OriUPEMPPCs81Mt8Bz17Ww5OXOAFshSsCPN4D7c3TxH -oLs1iuKYaIu+5b9y7tL6pe0S7fyYGKkmdtwoSxAgHNN/Fnct7W+A90m7UwW7XWjH1Mh1Fj+JWov3 -F0fUTPHSiXk+TT2YqGHeOh7S+F4D4MHJHIzTjU3TlTazN19jY5szFPAtJmtTfImMMsJu7D0hADnJ -oWjiUIMusDor8zagrC/kb2HCUQk5PotTubtn2txTuXZZNp1D5SDgPTJghSJRt8czu90VL6R4pgd7 
-gUY2BIbdeTXHlSw7sKMXNeVzH7RcWe/a6hBle3rQf5+ztCo3O3CLm1u5K7fsslESl1MpWtTwEhDc -TwK7EpIvYtQ/aUN8Ddb8WHUBiJ1YFkveupD/RwGJBmr2X7KQarMCpgKIv7NHfirZ1fpoeDVNAgMB -AAGjPzA9MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTwj1k4ALP1j5qW -DNXr+nuqF+gTEjANBgkqhkiG9w0BAQUFAAOCAgEAvuRcYk4k9AwI//DTDGjkk0kiP0Qnb7tt3oNm -zqjMDfz1mgbldxSR651Be5kqhOX//CHBXfDkH1e3damhXwIm/9fH907eT/j3HEbAek9ALCI18Bmx -0GtnLLCo4MBANzX2hFxc469CeP6nyQ1Q6g2EdvZR74NTxnr/DlZJLo961gzmJ1TjTQpgcmLNkQfW -pb/ImWvtxBnmq0wROMVvMeJuScg/doAmAyYp4Db29iBT4xdwNBedY2gea+zDTYa4EzAvXUYNR0PV -G6pZDrlcjQZIrXSHX8f8MVRBE+LHIQ6e4B4N4cB7Q4WQxYpYxmUKeFfyxiMPAdkgS94P+5KFdSpc -c41teyWRyu5FrgZLAMzTsVlQ2jqIOylDRl6XK1TOU2+NSueW+r9xDkKLfP0ooNBIytrEgUy7onOT -JsjrDNYmiLbAJM+7vVvrdX3pCI6GMyx5dwlppYn8s3CQh3aP0yK7Qs69cwsgJirQmz1wHiRszYd2 -qReWt88NkvuOGKmYSdGe/mBEciG5Ge3C9THxOUiIkCR1VBatzvT4aRRkOfujuLpwQMcnHL/EVlP6 -Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVxSK236thZiNSQvxaz2ems -WWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= ------END CERTIFICATE----- - -E-Tugra Certification Authority -=============================== ------BEGIN CERTIFICATE----- -MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNVBAYTAlRSMQ8w -DQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamls -ZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN -ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMw -NTEyMDk0OFoXDTIzMDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmEx -QDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxl -cmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQD -DB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A -MIICCgKCAgEA4vU/kwVRHoViVF56C/UYB4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vd -hQd2h8y/L5VMzH2nPbxHD5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5K -CKpbknSFQ9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEoq1+g 
-ElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3Dk14opz8n8Y4e0ypQ -BaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcHfC425lAcP9tDJMW/hkd5s3kc91r0 -E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsutdEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gz -rt48Ue7LE3wBf4QOXVGUnhMMti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAq -jqFGOjGY5RH8zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn -rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUXU8u3Zg5mTPj5 -dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6Jyr+zE7S6E5UMA8GA1UdEwEB -/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEG -MA0GCSqGSIb3DQEBCwUAA4ICAQAFNzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAK -kEh47U6YA5n+KGCRHTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jO -XKqYGwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c77NCR807 -VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3+GbHeJAAFS6LrVE1Uweo -a2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WKvJUawSg5TB9D0pH0clmKuVb8P7Sd2nCc -dlqMQ1DujjByTd//SffGqWfZbawCEeI6FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEV -KV0jq9BgoRJP3vQXzTLlyb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gT -Dx4JnW2PAJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpDy4Q0 -8ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8dNL/+I5c30jn6PQ0G -C7TbO6Orb1wdtn7os4I07QZcJA== ------END CERTIFICATE----- - -T-TeleSec GlobalRoot Class 2 -============================ ------BEGIN CERTIFICATE----- -MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoM -IlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBU -cnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgx -MDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lz -dGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD -ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3 
-DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZ -SBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/F -vudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx970 -2cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGV -WOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBA -MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXy -YdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4 -r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNf -vNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR -3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN -9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg== ------END CERTIFICATE----- - -Atos TrustedRoot 2011 -===================== ------BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIIXDPLYixfszIwDQYJKoZIhvcNAQELBQAwPDEeMBwGA1UEAwwVQXRvcyBU -cnVzdGVkUm9vdCAyMDExMQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0xMTA3MDcxNDU4 -MzBaFw0zMDEyMzEyMzU5NTlaMDwxHjAcBgNVBAMMFUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsG -A1UECgwEQXRvczELMAkGA1UEBhMCREUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCV -hTuXbyo7LjvPpvMpNb7PGKw+qtn4TaA+Gke5vJrf8v7MPkfoepbCJI419KkM/IL9bcFyYie96mvr -54rMVD6QUM+A1JX76LWC1BTFtqlVJVfbsVD2sGBkWXppzwO3bw2+yj5vdHLqqjAqc2K+SZFhyBH+ -DgMq92og3AIVDV4VavzjgsG1xZ1kCWyjWZgHJ8cblithdHFsQ/H3NYkQ4J7sVaE3IqKHBAUsR320 -HLliKWYoyrfhk/WklAOZuXCFteZI6o1Q/NnezG8HDt0Lcp2AMBYHlT8oDv3FdU9T1nSatCQujgKR -z3bFmx5VdJx4IbHwLfELn8LVlhgf8FQieowHAgMBAAGjfTB7MB0GA1UdDgQWBBSnpQaxLKYJYO7R -l+lwrrw7GWzbITAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFKelBrEspglg7tGX6XCuvDsZ -bNshMBgGA1UdIAQRMA8wDQYLKwYBBAGwLQMEAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAmdzTblEiGKkGdLD4GkGDEjKwLVLgfuXvTBznk+j57sj1O7Z8jvZfza1zv7v1Apt+h -k6EKhqzvINB5Ab149xnYJDE0BAGmuhWawyfc2E8PzBhj/5kPDpFrdRbhIfzYJsdHt6bPWHJxfrrh 
-TZVHO8mvbaG0weyJ9rQPOLXiZNwlz6bb65pcmaHFCN795trV1lpFDMS3wrUU77QR/w4VtfX128a9 -61qn8FYiqTxlVMYVqL2Gns2Dlmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G -3mB/ufNPRJLvKrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed ------END CERTIFICATE----- - -QuoVadis Root CA 1 G3 -===================== ------BEGIN CERTIFICATE----- -MIIFYDCCA0igAwIBAgIUeFhfLq0sGUvjNwc1NBMotZbUZZMwDQYJKoZIhvcNAQELBQAwSDELMAkG -A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJv -b3QgQ0EgMSBHMzAeFw0xMjAxMTIxNzI3NDRaFw00MjAxMTIxNzI3NDRaMEgxCzAJBgNVBAYTAkJN -MRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDEg -RzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgvlAQjunybEC0BJyFuTHK3C3kEakE -PBtVwedYMB0ktMPvhd6MLOHBPd+C5k+tR4ds7FtJwUrVu4/sh6x/gpqG7D0DmVIB0jWerNrwU8lm -PNSsAgHaJNM7qAJGr6Qc4/hzWHa39g6QDbXwz8z6+cZM5cOGMAqNF34168Xfuw6cwI2H44g4hWf6 -Pser4BOcBRiYz5P1sZK0/CPTz9XEJ0ngnjybCKOLXSoh4Pw5qlPafX7PGglTvF0FBM+hSo+LdoIN -ofjSxxR3W5A2B4GbPgb6Ul5jxaYA/qXpUhtStZI5cgMJYr2wYBZupt0lwgNm3fME0UDiTouG9G/l -g6AnhF4EwfWQvTA9xO+oabw4m6SkltFi2mnAAZauy8RRNOoMqv8hjlmPSlzkYZqn0ukqeI1RPToV -7qJZjqlc3sX5kCLliEVx3ZGZbHqfPT2YfF72vhZooF6uCyP8Wg+qInYtyaEQHeTTRCOQiJ/GKubX -9ZqzWB4vMIkIG1SitZgj7Ah3HJVdYdHLiZxfokqRmu8hqkkWCKi9YSgxyXSthfbZxbGL0eUQMk1f -iyA6PEkfM4VZDdvLCXVDaXP7a3F98N/ETH3Goy7IlXnLc6KOTk0k+17kBL5yG6YnLUlamXrXXAkg -t3+UuU/xDRxeiEIbEbfnkduebPRq34wGmAOtzCjvpUfzUwIDAQABo0IwQDAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUo5fW816iEOGrRZ88F2Q87gFwnMwwDQYJKoZI -hvcNAQELBQADggIBABj6W3X8PnrHX3fHyt/PX8MSxEBd1DKquGrX1RUVRpgjpeaQWxiZTOOtQqOC -MTaIzen7xASWSIsBx40Bz1szBpZGZnQdT+3Btrm0DWHMY37XLneMlhwqI2hrhVd2cDMT/uFPpiN3 -GPoajOi9ZcnPP/TJF9zrx7zABC4tRi9pZsMbj/7sPtPKlL92CiUNqXsCHKnQO18LwIE6PWThv6ct -Tr1NxNgpxiIY0MWscgKCP6o6ojoilzHdCGPDdRS5YCgtW2jgFqlmgiNR9etT2DGbe+m3nUvriBbP -+V04ikkwj+3x6xn0dxoxGE1nVGwvb2X52z3sIexe9PSLymBlVNFxZPT5pqOBMzYzcfCkeF9OrYMh -3jRJjehZrJ3ydlo28hP0r+AJx2EqbPfgna67hkooby7utHnNkDPDs3b69fBsnQGQ+p6Q9pxyz0fa 
-wx/kNSBT8lTR32GDpgLiJTjehTItXnOQUl1CxM49S+H5GYQd1aJQzEH7QRTDvdbJWqNjZgKAvQU6 -O0ec7AAmTPWIUb+oI38YB7AL7YsmoWTTYUrrXJ/es69nA7Mf3W1daWhpq1467HxpvMc7hU6eFbm0 -FU/DlXpY18ls6Wy58yljXrQs8C097Vpl4KlbQMJImYFtnh8GKjwStIsPm6Ik8KaN1nrgS7ZklmOV -hMJKzRwuJIczYOXD ------END CERTIFICATE----- - -QuoVadis Root CA 2 G3 -===================== ------BEGIN CERTIFICATE----- -MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQELBQAwSDELMAkG -A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJv -b3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJN -MRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIg -RzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFh -ZiFfqq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMWn4rjyduY -NM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ymc5GQYaYDFCDy54ejiK2t -oIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+O7q414AB+6XrW7PFXmAqMaCvN+ggOp+o -MiwMzAkd056OXbxMmO7FGmh77FOm6RQ1o9/NgJ8MSPsc9PG/Srj61YxxSscfrf5BmrODXfKEVu+l -V0POKa2Mq1W/xPtbAd0jIaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB1PLKFAeNilUSxmn1uIZo -L1NesNKqIcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt9DTEceT/AFr2XK4jYIVz8eQQ -sSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0ykRVKYnLP43ehvNURG3YBZwjgQQvD -6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9Uy3l7ZizlWNof/k19N+IxWA1ksB8aRxh -lRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALGcC4BrTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZI -hvcNAQELBQADggIBAJHfgD9DCX5xwvfrs4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66 -AarHakE7kNQIXLJgapDwyM4DYvmL7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RCroijQ1h5fq7K -pVMNqT1wvSAZYaRsOPxDMuHBR//47PERIjKWnML2W2mWeyAMQ0GaW/ZZGYjeVYg3UQt4XAoeo0L9 -x52ID8DyeAIkVJOviYeIyUqAHerQbj5hLja7NQ4nlv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgz -dWqTHBLmYF5vHX/JHyPLhGGfHoJE+V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6X -U/IyAgkwo1jwDQHVcsaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+Nw 
-mNtddbINWQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNgKCLjsZWD -zYWm3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeMHVOyToV7BjjHLPj4sHKN -JeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4WSr2Rz0ZiC3oheGe7IUIarFsNMkd7Egr -O3jtZsSOeWmD3n+M ------END CERTIFICATE----- - -QuoVadis Root CA 3 G3 -===================== ------BEGIN CERTIFICATE----- -MIIFYDCCA0igAwIBAgIULvWbAiin23r/1aOp7r0DoM8Sah0wDQYJKoZIhvcNAQELBQAwSDELMAkG -A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJv -b3QgQ0EgMyBHMzAeFw0xMjAxMTIyMDI2MzJaFw00MjAxMTIyMDI2MzJaMEgxCzAJBgNVBAYTAkJN -MRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDMg -RzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCzyw4QZ47qFJenMioKVjZ/aEzHs286 -IxSR/xl/pcqs7rN2nXrpixurazHb+gtTTK/FpRp5PIpM/6zfJd5O2YIyC0TeytuMrKNuFoM7pmRL -Mon7FhY4futD4tN0SsJiCnMK3UmzV9KwCoWdcTzeo8vAMvMBOSBDGzXRU7Ox7sWTaYI+FrUoRqHe -6okJ7UO4BUaKhvVZR74bbwEhELn9qdIoyhA5CcoTNs+cra1AdHkrAj80//ogaX3T7mH1urPnMNA3 -I4ZyYUUpSFlob3emLoG+B01vr87ERRORFHAGjx+f+IdpsQ7vw4kZ6+ocYfx6bIrc1gMLnia6Et3U -VDmrJqMz6nWB2i3ND0/kA9HvFZcba5DFApCTZgIhsUfei5pKgLlVj7WiL8DWM2fafsSntARE60f7 -5li59wzweyuxwHApw0BiLTtIadwjPEjrewl5qW3aqDCYz4ByA4imW0aucnl8CAMhZa634RylsSqi -Md5mBPfAdOhx3v89WcyWJhKLhZVXGqtrdQtEPREoPHtht+KPZ0/l7DxMYIBpVzgeAVuNVejH38DM -dyM0SXV89pgR6y3e7UEuFAUCf+D+IOs15xGsIs5XPd7JMG0QA4XN8f+MFrXBsj6IbGB/kE+V9/Yt -rQE5BwT6dYB9v0lQ7e/JxHwc64B+27bQ3RP+ydOc17KXqQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUxhfQvKjqAkPyGwaZXSuQILnXnOQwDQYJKoZI -hvcNAQELBQADggIBADRh2Va1EodVTd2jNTFGu6QHcrxfYWLopfsLN7E8trP6KZ1/AvWkyaiTt3px -KGmPc+FSkNrVvjrlt3ZqVoAh313m6Tqe5T72omnHKgqwGEfcIHB9UqM+WXzBusnIFUBhynLWcKzS -t/Ac5IYp8M7vaGPQtSCKFWGafoaYtMnCdvvMujAWzKNhxnQT5WvvoxXqA/4Ti2Tk08HS6IT7SdEQ -TXlm66r99I0xHnAUrdzeZxNMgRVhvLfZkXdxGYFgu/BYpbWcC/ePIlUnwEsBbTuZDdQdm2NnL9Du -DcpmvJRPpq3t/O5jrFc/ZSXPsoaP0Aj/uHYUbt7lJ+yreLVTubY/6CD50qi+YUbKh4yE8/nxoGib -Ih6BJpsQBJFxwAYf3KDTuVan45gtf4Od34wrnDKOMpTwATwiKp9Dwi7DmDkHOHv8XgBCH/MyJnmD 
-hPbl8MFREsALHgQjDFSlTC9JxUrRtm5gDWv8a4uFJGS3iQ6rJUdbPM9+Sb3H6QrG2vd+DhcI00iX -0HGS8A85PjRqHH3Y8iKuu2n0M7SmSFXRDw4m6Oy2Cy2nhTXN/VnIn9HNPlopNLk9hM6xZdRZkZFW -dSHBd575euFgndOtBBj0fOtek49TSiIp+EgrPk2GrFt/ywaZWWDYWGWVjUTR939+J399roD1B0y2 -PpxxVJkES/1Y+Zj0 ------END CERTIFICATE----- - -DigiCert Assured ID Root G2 -=========================== ------BEGIN CERTIFICATE----- -MIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQG -EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQw -IgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIwHhcNMTMwODAxMTIwMDAwWhcNMzgw -MTE1MTIwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQL -ExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ5ygvUj82ckmIkzTz+GoeMVSAn61UQbVH -35ao1K+ALbkKz3X9iaV9JPrjIgwrvJUXCzO/GU1BBpAAvQxNEP4HteccbiJVMWWXvdMX0h5i89vq -bFCMP4QMls+3ywPgym2hFEwbid3tALBSfK+RbLE4E9HpEgjAALAcKxHad3A2m67OeYfcgnDmCXRw -VWmvo2ifv922ebPynXApVfSr/5Vh88lAbx3RvpO704gqu52/clpWcTs/1PPRCv4o76Pu2ZmvA9OP -YLfykqGxvYmJHzDNw6YuYjOuFgJ3RFrngQo8p0Quebg/BLxcoIfhG69Rjs3sLPr4/m3wOnyqi+Rn -lTGNAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTO -w0q5mVXyuNtgv6l+vVa1lzan1jANBgkqhkiG9w0BAQsFAAOCAQEAyqVVjOPIQW5pJ6d1Ee88hjZv -0p3GeDgdaZaikmkuOGybfQTUiaWxMTeKySHMq2zNixya1r9I0jJmwYrA8y8678Dj1JGG0VDjA9tz -d29KOVPt3ibHtX2vK0LRdWLjSisCx1BL4GnilmwORGYQRI+tBev4eaymG+g3NJ1TyWGqolKvSnAW -hsI6yLETcDbYz+70CjTVW0z9B5yiutkBclzzTcHdDrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0M -jomZmWzwPDCvON9vvKO+KSAnq3T/EyJ43pdSVR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwo -IhNzbM8m9Yop5w== ------END CERTIFICATE----- - -DigiCert Assured ID Root G3 -=========================== ------BEGIN CERTIFICATE----- -MIICRjCCAc2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQswCQYDVQQGEwJV -UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYD -VQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1 
-MTIwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwdjAQ -BgcqhkjOPQIBBgUrgQQAIgNiAAQZ57ysRGXtzbg/WPuNsVepRC0FFfLvC/8QdJ+1YlJfZn4f5dwb -RXkLzMZTCp2NXQLZqVneAlr2lSoOjThKiknGvMYDOAdfVdp+CW7if17QRSAPWXYQ1qAk8C3eNvJs -KTmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTL0L2p4ZgF -UaFNN6KDec6NHSrkhDAKBggqhkjOPQQDAwNnADBkAjAlpIFFAmsSS3V0T8gj43DydXLefInwz5Fy -YZ5eEJJZVrmDxxDnOOlYJjZ91eQ0hjkCMHw2U/Aw5WJjOpnitqM7mzT6HtoQknFekROn3aRukswy -1vUhZscv6pZjamVFkpUBtA== ------END CERTIFICATE----- - -DigiCert Global Root G2 -======================= ------BEGIN CERTIFICATE----- -MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQG -EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw -HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUx -MjAwMDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 -dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI2/Ou8jqJ -kTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx1x7e/dfgy5SDN67sH0NO -3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQq2EGnI/yuum06ZIya7XzV+hdG82MHauV -BJVJ8zUtluNJbd134/tJS7SsVQepj5WztCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyM -UNGPHgm+F6HmIcr9g+UQvIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQAB -o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV5uNu -5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY1Yl9PMWLSn/pvtsr -F9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4NeF22d+mQrvHRAiGfzZ0JFrabA0U -WTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NGFdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBH -QRFXGU7Aj64GxJUTFy8bJZ918rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/ -iyK5S9kJRaTepLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl -MrY= ------END CERTIFICATE----- - -DigiCert Global Root G3 
-======================= ------BEGIN CERTIFICATE----- -MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQswCQYDVQQGEwJV -UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYD -VQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAw -MDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5k -aWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0C -AQYFK4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FGfp4tn+6O -YwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPOZ9wj/wMco+I+o0IwQDAP -BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNp -Yim8S8YwCgYIKoZIzj0EAwMDaAAwZQIxAK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y -3maTD/HMsQmP3Wyr+mt/oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34 -VOKa5Vt8sycX ------END CERTIFICATE----- - -DigiCert Trusted Root G4 -======================== ------BEGIN CERTIFICATE----- -MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBiMQswCQYDVQQG -EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSEw -HwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1 -MTIwMDAwWjBiMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 -d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3yithZwuEp -pz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1Ifxp4VpX6+n6lXFllVcq9o -k3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDVySAdYyktzuxeTsiT+CFhmzTrBcZe7Fsa -vOvJz82sNEBfsXpm7nfISKhmV1efVFiODCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGY -QJB5w3jHtrHEtWoYOAMQjdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6 -MUSaM0C/CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCiEhtm -mnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADMfRyVw4/3IbKyEbe7 -f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QYuKZ3AeEPlAwhHbJUKSWJbOUOUlFH 
-dL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXKchYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8 -oR7FwI+isX4KJpn15GkvmB0t9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBhjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD -ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2SV1EY+CtnJYY -ZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd+SeuMIW59mdNOj6PWTkiU0Tr -yF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWcfFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy -7zBZLq7gcfJW5GqXb5JQbZaNaHqasjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iah -ixTXTBmyUEFxPT9NcCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN -5r5N0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie4u1Ki7wb -/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mIr/OSmbaz5mEP0oUA51Aa -5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tK -G48BtieVU+i2iW1bvGjUI+iLUaJW+fCmgKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP -82Z+ ------END CERTIFICATE----- - -COMODO RSA Certification Authority -================================== ------BEGIN CERTIFICATE----- -MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCBhTELMAkGA1UE -BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG -A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlv -biBBdXRob3JpdHkwHhcNMTAwMTE5MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMC -R0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UE -ChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR6FSS0gpWsawNJN3Fz0Rn -dJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8Xpz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZ -FGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+ -5eNu/Nio5JIk2kNrYrhV/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pG -x8cgoLEfZd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z+pUX 
-2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7wqP/0uK3pN/u6uPQL -OvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZahSL0896+1DSJMwBGB7FY79tOi4lu3 -sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVICu9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+C -GCe01a60y1Dma/RMhnEw6abfFobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5 -WdYgGq/yapiqcrxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E -FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w -DQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvlwFTPoCWOAvn9sKIN9SCYPBMt -rFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+ -nq6PK7o9mfjYcwlYRm6mnPTXJ9OV2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSg -tZx8jb8uk2IntznaFxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwW -sRqZCuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiKboHGhfKp -pC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmckejkk9u+UJueBPSZI9FoJA -zMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yLS0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHq -ZJx64SIDqZxubw5lT2yHh17zbqD5daWbQOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk52 -7RH89elWsn2/x20Kk4yl0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7I -LaZRfyHBNVOFBkpdn627G190 ------END CERTIFICATE----- - -USERTrust RSA Certification Authority -===================================== ------BEGIN CERTIFICATE----- -MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCBiDELMAkGA1UE -BhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQK -ExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UE -BhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQK -ExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCAEmUXNg7D2wiz -0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2j 
-Y0K2dvKpOyuR+OJv0OwWIJAJPuLodMkYtJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFn -RghRy4YUVD+8M/5+bJz/Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O -+T23LLb2VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT79uq -/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6c0Plfg6lZrEpfDKE -Y1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmTYo61Zs8liM2EuLE/pDkP2QKe6xJM -lXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97lc6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8 -yexDJtC/QV9AqURE9JnnV4eeUB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+ -eLf8ZxXhyVeEHg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd -BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF -MAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPFUp/L+M+ZBn8b2kMVn54CVVeW -FPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KOVWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ -7l8wXEskEVX/JJpuXior7gtNn3/3ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQ -Eg9zKC7F4iRO/Fjs8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM -8WcRiQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYzeSf7dNXGi -FSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZXHlKYC6SQK5MNyosycdi -yA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9c -J2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRBVXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGw -sAvgnEzDHNb842m1R0aBL6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gx -Q+6IHdfGjjxDah2nGN59PRbxYvnKkKj9 ------END CERTIFICATE----- - -USERTrust ECC Certification Authority -===================================== ------BEGIN CERTIFICATE----- -MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDELMAkGA1UEBhMC -VVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU -aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlv -biBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMC -VVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU 
-aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlv -biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqfloI+d61SRvU8Za2EurxtW2 -0eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinngo4N+LZfQYcTxmdwlkWOrfzCjtHDix6Ez -nPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNV -HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBB -HU6+4WMBzzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbWRNZu -9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg= ------END CERTIFICATE----- - -GlobalSign ECC Root CA - R4 -=========================== ------BEGIN CERTIFICATE----- -MIIB4TCCAYegAwIBAgIRKjikHJYKBN5CsiilC+g0mAIwCgYIKoZIzj0EAwIwUDEkMCIGA1UECxMb -R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD -EwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMb -R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD -EwpHbG9iYWxTaWduMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMZ5049sJQ6fLjkZHAOkrprl -OQcJFspjsbmG+IpXwVfOQvpzofdlQv8ewQCybnMO/8ch5RikqtlxP6jUuc6MHaNCMEAwDgYDVR0P -AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFSwe61FuOJAf/sKbvu+M8k8o4TV -MAoGCCqGSM49BAMCA0gAMEUCIQDckqGgE6bPA7DmxCGXkPoUVy0D7O48027KqGx2vKLeuwIgJ6iF -JzWbVsaj8kfSt24bAgAXqmemFZHe+pTsewv4n4Q= ------END CERTIFICATE----- - -GlobalSign ECC Root CA - R5 -=========================== ------BEGIN CERTIFICATE----- -MIICHjCCAaSgAwIBAgIRYFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEkMCIGA1UECxMb -R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD -EwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMb -R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD -EwpHbG9iYWxTaWduMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6 -SFkc8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8kehOvRnkmS -h5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAd 
-BgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYIKoZIzj0EAwMDaAAwZQIxAOVpEslu28Yx -uglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7 -yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3 ------END CERTIFICATE----- - -Staat der Nederlanden Root CA - G3 -================================== ------BEGIN CERTIFICATE----- -MIIFdDCCA1ygAwIBAgIEAJiiOTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJOTDEeMBwGA1UE -CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFhdCBkZXIgTmVkZXJsYW5kZW4g -Um9vdCBDQSAtIEczMB4XDTEzMTExNDExMjg0MloXDTI4MTExMzIzMDAwMFowWjELMAkGA1UEBhMC -TkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5l -ZGVybGFuZGVuIFJvb3QgQ0EgLSBHMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL4y -olQPcPssXFnrbMSkUeiFKrPMSjTysF/zDsccPVMeiAho2G89rcKezIJnByeHaHE6n3WWIkYFsO2t -x1ueKt6c/DrGlaf1F2cY5y9JCAxcz+bMNO14+1Cx3Gsy8KL+tjzk7FqXxz8ecAgwoNzFs21v0IJy -EavSgWhZghe3eJJg+szeP4TrjTgzkApyI/o1zCZxMdFyKJLZWyNtZrVtB0LrpjPOktvA9mxjeM3K -Tj215VKb8b475lRgsGYeCasH/lSJEULR9yS6YHgamPfJEf0WwTUaVHXvQ9Plrk7O53vDxk5hUUur -mkVLoR9BvUhTFXFkC4az5S6+zqQbwSmEorXLCCN2QyIkHxcE1G6cxvx/K2Ya7Irl1s9N9WMJtxU5 -1nus6+N86U78dULI7ViVDAZCopz35HCz33JvWjdAidiFpNfxC95DGdRKWCyMijmev4SH8RY7Ngzp -07TKbBlBUgmhHbBqv4LvcFEhMtwFdozL92TkA1CvjJFnq8Xy7ljY3r735zHPbMk7ccHViLVlvMDo -FxcHErVc0qsgk7TmgoNwNsXNo42ti+yjwUOH5kPiNL6VizXtBznaqB16nzaeErAMZRKQFWDZJkBE -41ZgpRDUajz9QdwOWke275dhdU/Z/seyHdTtXUmzqWrLZoQT1Vyg3N9udwbRcXXIV2+vD3dbAgMB -AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRUrfrHkleu -yjWcLhL75LpdINyUVzANBgkqhkiG9w0BAQsFAAOCAgEAMJmdBTLIXg47mAE6iqTnB/d6+Oea31BD -U5cqPco8R5gu4RV78ZLzYdqQJRZlwJ9UXQ4DO1t3ApyEtg2YXzTdO2PCwyiBwpwpLiniyMMB8jPq -KqrMCQj3ZWfGzd/TtiunvczRDnBfuCPRy5FOCvTIeuXZYzbB1N/8Ipf3YF3qKS9Ysr1YvY2WTxB1 -v0h7PVGHoTx0IsL8B3+A3MSs/mrBcDCw6Y5p4ixpgZQJut3+TcCDjJRYwEYgr5wfAvg1VUkvRtTA -8KCWAg8zxXHzniN9lLf9OtMJgwYh/WA9rjLA0u6NpvDntIJ8CsxwyXmA+P5M9zWEGYox+wrZ13+b -8KKaa8MFSu1BYBQw0aoRQm7TIwIEC8Zl3d1Sd9qBa7Ko+gE4uZbqKmxnl4mUnrzhVNXkanjvSr0r 
-mj1AfsbAddJu+2gw7OyLnflJNZoaLNmzlTnVHpL3prllL+U9bTpITAjc5CgSKL59NVzq4BZ+Extq -1z7XnvwtdbLBFNUjA9tbbws+eC8N3jONFrdI54OagQ97wUNNVQQXOEpR1VmiiXTTn74eS9fGbbeI -JG9gkaSChVtWQbzQRKtqE77RLFi3EjNYsjdj3BP1lB0/QFH1T/U67cjF68IeHRaVesd+QnGTbksV -tzDfqu1XhUisHWrdOWnk4Xl4vs4Fv6EM94B7IWcnMFk= ------END CERTIFICATE----- - -Staat der Nederlanden EV Root CA -================================ ------BEGIN CERTIFICATE----- -MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJOTDEeMBwGA1UE -CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJsYW5kZW4g -RVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0yMjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5M -MR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRl -cmxhbmRlbiBFViBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkk -SzrSM4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nCUiY4iKTW -O0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3dZ//BYY1jTw+bbRcwJu+r -0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46prfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8 -Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13lpJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gV -XJrm0w912fxBmJc+qiXbj5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr -08C+eKxCKFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS/ZbV -0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0XcgOPvZuM5l5Tnrmd -74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH1vI4gnPah1vlPNOePqc7nvQDs/nx -fRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrPpx9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNC -MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwa -ivsnuL8wbqg7MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI -eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u2dfOWBfoqSmu -c0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHSv4ilf0X8rLiltTMMgsT7B/Zq -5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTCwPTxGfARKbalGAKb12NMcIxHowNDXLldRqAN -b/9Zjr7dn3LDWyvfjFvO5QxGbJKyCqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tN 
-f1zuacpzEPuKqf2evTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi -5Dp6Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIaGl6I6lD4 -WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeLeG9QgkRQP2YGiqtDhFZK -DyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGy -eUN51q1veieQA6TqJIc/2b3Z6fJfUEkc7uzXLg== ------END CERTIFICATE----- - -IdenTrust Commercial Root CA 1 -============================== ------BEGIN CERTIFICATE----- -MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQG -EwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBS -b290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzES -MBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENB -IDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ld -hNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU+ehcCuz/ -mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi -1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0C -XZ/g1Ue9tOsbobtJSdifWwLziuQkkORiT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl -3ZBWzvurpWCdxJ35UrCLvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzy -NeVJSQjKVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzV -WYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAg -xGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHix -uuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC -AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZI -hvcNAQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH -6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqas6pg -ghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cndJZ5t+qnt -ozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmV 
-YjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUX -feu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/ro -kTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG4iZZRHUe -2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZmUlO+KWA2yUPHGNiiskz -Z2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7R -cGzM7vRX+Bi6hG6H ------END CERTIFICATE----- - -IdenTrust Public Sector Root CA 1 -================================= ------BEGIN CERTIFICATE----- -MIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQG -EwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3Rv -ciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcNMzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJV -UzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBS -b290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTy -P4o7ekosMSqMjbCpwzFrqHd2hCa2rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGyRBb06tD6 -Hi9e28tzQa68ALBKK0CyrOE7S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlSbdsHyo+1W/CD80/HLaXI -rcuVIKQxKFdYWuSNG5qrng0M8gozOSI5Cpcu81N3uURF/YTLNiCBWS2ab21ISGHKTN9T0a9SvESf -qy9rg3LvdYDaBjMbXcjaY8ZNzaxmMc3R3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoS -mJxZZoY+rfGwyj4GD3vwEUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFn -ol57plzy9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9VGxyh -LrXHFub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ2fjXctscvG29ZV/v -iDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsVWaFHVCkugyhfHMKiq3IXAAaOReyL -4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gDW/3FKqD2cyOEEBsB5wIDAQABo0IwQDAOBgNVHQ8B -Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFrlJPrw6PRFKMw -DQYJKoZIhvcNAQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnYWv6IAcVYpZmxI1Qj -t2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa5hV+rVHVDRDtfULAj+7A -mgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9TaDKQGXSc3z1i9kKlT/YPyNt 
-GtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8GlwmEKYBhHfpe/3OsoOOJuBxxFcbeMX8S3OFt -m6/n6J91eEyrRjuazr8FGF1NFTwWmhlQBJqymm9li1JfPFgEKCXAZmExfrngdbkaqIHWchezxQMx -NRF4eKLg6TCMf4DfWN88uieW4oA0beOY02QnrEh+KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4 -Mhn5+bl53B/N66+rDt0b20XkeucC4pVd/GnwU2lhlXV5C15V5jgclKlZM57IcXR5f1GJtshquDDI -ajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nzfxJoCTFx8G34Tkf71oXuxVhAGaQdp/lLQzfcaFpPz+vC -ZHTetBXZ9FRUGi8c15dxVJCO2SCdUyt/q4/i6jC8UDfv8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ -3Wl9af0AVqW3rLatt8o+Ae+c ------END CERTIFICATE----- - -Entrust Root Certification Authority - G2 -========================================= ------BEGIN CERTIFICATE----- -MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCVVMxFjAUBgNV -BAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVy -bXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ug -b25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIw -HhcNMDkwNzA3MTcyNTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoT -DUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMx -OTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25s -eTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP -/vaCeb9zYQYKpSfYs1/TRU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXz -HHfV1IWNcCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hWwcKU -s/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1U1+cPvQXLOZprE4y -TGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0jaWvYkxN4FisZDQSA/i2jZRjJKRx -AgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ6 -0B7vfec7aVHUbI2fkBJmqzANBgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5Z -iXMRrEPR9RP/jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ -Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v1fN2D807iDgi 
-nWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4RnAuknZoh8/CbCzB428Hch0P+ -vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmHVHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xO -e4pIb4tF9g== ------END CERTIFICATE----- - -Entrust Root Certification Authority - EC1 -========================================== ------BEGIN CERTIFICATE----- -MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkGA1UEBhMCVVMx -FjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVn -YWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXpl -ZCB1c2Ugb25seTEzMDEGA1UEAxMqRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -IC0gRUMxMB4XDTEyMTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYw -FAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2Fs -LXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQg -dXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAt -IEVDMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHy -AsWfoPZb1YsGGYZPUxBtByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef -9eNi1KlHBz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE -FLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVCR98crlOZF7ZvHH3h -vxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nXhTcGtXsI/esni0qU+eH6p44mCOh8 -kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G ------END CERTIFICATE----- - -CFCA EV ROOT -============ ------BEGIN CERTIFICATE----- -MIIFjTCCA3WgAwIBAgIEGErM1jANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjEwMC4GA1UE -CgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxDRkNB -IEVWIFJPT1QwHhcNMTIwODA4MDMwNzAxWhcNMjkxMjMxMDMwNzAxWjBWMQswCQYDVQQGEwJDTjEw -MC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQD -DAxDRkNBIEVWIFJPT1QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXXWvNED8fBVnV -BU03sQ7smCuOFR36k0sXgiFxEFLXUWRwFsJVaU2OFW2fvwwbwuCjZ9YMrM8irq93VCpLTIpTUnrD -7i7es3ElweldPe6hL6P3KjzJIx1qqx2hp/Hz7KDVRM8Vz3IvHWOX6Jn5/ZOkVIBMUtRSqy5J35DN 
-uF++P96hyk0g1CXohClTt7GIH//62pCfCqktQT+x8Rgp7hZZLDRJGqgG16iI0gNyejLi6mhNbiyW -ZXvKWfry4t3uMCz7zEasxGPrb382KzRzEpR/38wmnvFyXVBlWY9ps4deMm/DGIq1lY+wejfeWkU7 -xzbh72fROdOXW3NiGUgthxwG+3SYIElz8AXSG7Ggo7cbcNOIabla1jj0Ytwli3i/+Oh+uFzJlU9f -py25IGvPa931DfSCt/SyZi4QKPaXWnuWFo8BGS1sbn85WAZkgwGDg8NNkt0yxoekN+kWzqotaK8K -gWU6cMGbrU1tVMoqLUuFG7OA5nBFDWteNfB/O7ic5ARwiRIlk9oKmSJgamNgTnYGmE69g60dWIol -hdLHZR4tjsbftsbhf4oEIRUpdPA+nJCdDC7xij5aqgwJHsfVPKPtl8MeNPo4+QgO48BdK4PRVmrJ -tqhUUy54Mmc9gn900PvhtgVguXDbjgv5E1hvcWAQUhC5wUEJ73IfZzF4/5YFjQIDAQABo2MwYTAf -BgNVHSMEGDAWgBTj/i39KNALtbq2osS/BqoFjJP7LzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB -/wQEAwIBBjAdBgNVHQ4EFgQU4/4t/SjQC7W6tqLEvwaqBYyT+y8wDQYJKoZIhvcNAQELBQADggIB -ACXGumvrh8vegjmWPfBEp2uEcwPenStPuiB/vHiyz5ewG5zz13ku9Ui20vsXiObTej/tUxPQ4i9q -ecsAIyjmHjdXNYmEwnZPNDatZ8POQQaIxffu2Bq41gt/UP+TqhdLjOztUmCypAbqTuv0axn96/Ua -4CUqmtzHQTb3yHQFhDmVOdYLO6Qn+gjYXB74BGBSESgoA//vU2YApUo0FmZ8/Qmkrp5nGm9BC2sG -E5uPhnEFtC+NiWYzKXZUmhH4J/qyP5Hgzg0b8zAarb8iXRvTvyUFTeGSGn+ZnzxEk8rUQElsgIfX -BDrDMlI1Dlb4pd19xIsNER9Tyx6yF7Zod1rg1MvIB671Oi6ON7fQAUtDKXeMOZePglr4UeWJoBjn -aH9dCi77o0cOPaYjesYBx4/IXr9tgFa+iiS6M+qf4TIRnvHST4D2G0CvOJ4RUHlzEhLN5mydLIhy -PDCBBpEi6lmt2hkuIsKNuYyH4Ga8cyNfIWRjgEj1oDwYPZTISEEdQLpe/v5WOaHIz16eGWRGENoX -kbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+ZAAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3C -ekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su ------END CERTIFICATE----- - -TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 -==================================================== ------BEGIN CERTIFICATE----- -MIIEJzCCAw+gAwIBAgIHAI4X/iQggTANBgkqhkiG9w0BAQsFADCBsTELMAkGA1UEBhMCVFIxDzAN -BgNVBAcMBkFua2FyYTFNMEsGA1UECgxEVMOcUktUUlVTVCBCaWxnaSDEsGxldGnFn2ltIHZlIEJp -bGnFn2ltIEfDvHZlbmxpxJ9pIEhpem1ldGxlcmkgQS7Fni4xQjBABgNVBAMMOVTDnFJLVFJVU1Qg -RWxla3Ryb25payBTZXJ0aWZpa2EgSGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSBINTAeFw0xMzA0MzAw -ODA3MDFaFw0yMzA0MjgwODA3MDFaMIGxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMU0w 
-SwYDVQQKDERUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnE -n2kgSGl6bWV0bGVyaSBBLsWeLjFCMEAGA1UEAww5VMOcUktUUlVTVCBFbGVrdHJvbmlrIFNlcnRp -ZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIEg1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEApCUZ4WWe60ghUEoI5RHwWrom/4NZzkQqL/7hzmAD/I0Dpe3/a6i6zDQGn1k19uwsu537 -jVJp45wnEFPzpALFp/kRGml1bsMdi9GYjZOHp3GXDSHHmflS0yxjXVW86B8BSLlg/kJK9siArs1m -ep5Fimh34khon6La8eHBEJ/rPCmBp+EyCNSgBbGM+42WAA4+Jd9ThiI7/PS98wl+d+yG6w8z5UNP -9FR1bSmZLmZaQ9/LXMrI5Tjxfjs1nQ/0xVqhzPMggCTTV+wVunUlm+hkS7M0hO8EuPbJbKoCPrZV -4jI3X/xml1/N1p7HIL9Nxqw/dV8c7TKcfGkAaZHjIxhT6QIDAQABo0IwQDAdBgNVHQ4EFgQUVpkH -HtOsDGlktAxQR95DLL4gwPswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI -hvcNAQELBQADggEBAJ5FdnsXSDLyOIspve6WSk6BGLFRRyDN0GSxDsnZAdkJzsiZ3GglE9Rc8qPo -BP5yCccLqh0lVX6Wmle3usURehnmp349hQ71+S4pL+f5bFgWV1Al9j4uPqrtd3GqqpmWRgqujuwq -URawXs3qZwQcWDD1YIq9pr1N5Za0/EKJAWv2cMhQOQwt1WbZyNKzMrcbGW3LM/nfpeYVhDfwwvJl -lpKQd/Ct9JDpEXjXk4nAPQu6KfTomZ1yju2dL+6SfaHx/126M2CFYv4HAqGEVka+lgqaE9chTLd8 -B59OTj+RdPsnnRHM3eaxynFNExc5JsUpISuTKWqW+qtB4Uu2NQvAmxU= ------END CERTIFICATE----- - -Certinomis - Root CA -==================== ------BEGIN CERTIFICATE----- -MIIFkjCCA3qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJGUjETMBEGA1UEChMK -Q2VydGlub21pczEXMBUGA1UECxMOMDAwMiA0MzM5OTg5MDMxHTAbBgNVBAMTFENlcnRpbm9taXMg -LSBSb290IENBMB4XDTEzMTAyMTA5MTcxOFoXDTMzMTAyMTA5MTcxOFowWjELMAkGA1UEBhMCRlIx -EzARBgNVBAoTCkNlcnRpbm9taXMxFzAVBgNVBAsTDjAwMDIgNDMzOTk4OTAzMR0wGwYDVQQDExRD -ZXJ0aW5vbWlzIC0gUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANTMCQos -P5L2fxSeC5yaah1AMGT9qt8OHgZbn1CF6s2Nq0Nn3rD6foCWnoR4kkjW4znuzuRZWJflLieY6pOo -d5tK8O90gC3rMB+12ceAnGInkYjwSond3IjmFPnVAy//ldu9n+ws+hQVWZUKxkd8aRi5pwP5ynap -z8dvtF4F/u7BUrJ1Mofs7SlmO/NKFoL21prbcpjp3vDFTKWrteoB4owuZH9kb/2jJZOLyKIOSY00 -8B/sWEUuNKqEUL3nskoTuLAPrjhdsKkb5nPJWqHZZkCqqU2mNAKthH6yI8H7KsZn9DS2sJVqM09x -RLWtwHkziOC/7aOgFLScCbAK42C++PhmiM1b8XcF4LVzbsF9Ri6OSyemzTUK/eVNfaoqoynHWmgE 
-6OXWk6RiwsXm9E/G+Z8ajYJJGYrKWUM66A0ywfRMEwNvbqY/kXPLynNvEiCL7sCCeN5LLsJJwx3t -FvYk9CcbXFcx3FXuqB5vbKziRcxXV4p1VxngtViZSTYxPDMBbRZKzbgqg4SGm/lg0h9tkQPTYKbV -PZrdd5A9NaSfD171UkRpucC63M9933zZxKyGIjK8e2uR73r4F2iw4lNVYC2vPsKD2NkJK/DAZNuH -i5HMkesE/Xa0lZrmFAYb1TQdvtj/dBxThZngWVJKYe2InmtJiUZ+IFrZ50rlau7SZRFDAgMBAAGj -YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTvkUz1pcMw6C8I -6tNxIqSSaHh02TAfBgNVHSMEGDAWgBTvkUz1pcMw6C8I6tNxIqSSaHh02TANBgkqhkiG9w0BAQsF -AAOCAgEAfj1U2iJdGlg+O1QnurrMyOMaauo++RLrVl89UM7g6kgmJs95Vn6RHJk/0KGRHCwPT5iV -WVO90CLYiF2cN/z7ZMF4jIuaYAnq1fohX9B0ZedQxb8uuQsLrbWwF6YSjNRieOpWauwK0kDDPAUw -Pk2Ut59KA9N9J0u2/kTO+hkzGm2kQtHdzMjI1xZSg081lLMSVX3l4kLr5JyTCcBMWwerx20RoFAX -lCOotQqSD7J6wWAsOMwaplv/8gzjqh8c3LigkyfeY+N/IZ865Z764BNqdeuWXGKRlI5nU7aJ+BIJ -y29SWwNyhlCVCNSNh4YVH5Uk2KRvms6knZtt0rJ2BobGVgjF6wnaNsIbW0G+YSrjcOa4pvi2WsS9 -Iff/ql+hbHY5ZtbqTFXhADObE5hjyW/QASAJN1LnDE8+zbz1X5YnpyACleAu6AdBBR8Vbtaw5Bng -DwKTACdyxYvRVB9dSsNAl35VpnzBMwQUAR1JIGkLGZOdblgi90AMRgwjY/M50n92Uaf0yKHxDHYi -I0ZSKS3io0EHVmmY0gUJvGnHWmHNj4FgFU2A3ZDifcRQ8ow7bkrHxuaAKzyBvBGAFhAn1/DNP3nM -cyrDflOR1m749fPH0FFNjkulW+YZFzvWgQncItzujrnEj1PhZ7szuIgVRs/taTX/dQ1G885x4cVr -hkIGuUE= ------END CERTIFICATE----- - -OISTE WISeKey Global Root GB CA -=============================== ------BEGIN CERTIFICATE----- -MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQG -EwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNl -ZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAw -MzJaFw0zOTEyMDExNTEwMzFaMG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYD -VQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEds -b2JhbCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3HEokKtaX -scriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGxWuR51jIjK+FTzJlFXHtP -rby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk 
-9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNku7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4o -Qnc/nSMbsrY9gBQHTC5P99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvg -GUpuuy9rM2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB -/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZI -hvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrghcViXfa43FK8+5/ea4n32cZiZBKpD -dHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0 -VQreUGdNZtGn//3ZwLWoo4rOZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEui -HZeeevJuQHHfaPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic -Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM= ------END CERTIFICATE----- - -SZAFIR ROOT CA2 -=============== ------BEGIN CERTIFICATE----- -MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk1uQwDQYJKoZIhvcNAQELBQAwUTELMAkG -A1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6ZW5pb3dhIFMuQS4xGDAWBgNV -BAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEwMTkwNzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJ -BgNVBAYTAlBMMSgwJgYDVQQKDB9LcmFqb3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYD -VQQDDA9TWkFGSVIgUk9PVCBDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5Q -qEvNQLXOYeeWyrSh2gwisPq1e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT3PSQ1hNK -DJA8w/Ta0o4NkjrcsbH/ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw3gAeqDRHu5rr/gsUvTaE -2g0gv/pby6kWIK05YO4vdbbnl5z5Pv1+TW9NL++IDWr63fE9biCloBK0TXC5ztdyO4mTp4CEHCdJ -ckm1/zuVnsHMyAHs6A6KCpbns6aH5db5BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwi -ieDhZNRnvDF5YTy7ykHNXGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P -AQH/BAQDAgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsFAAOC -AQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw8PRBEew/R40/cof5 -O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOGnXkZ7/e7DDWQw4rtTw/1zBLZpD67 -oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCPoky4rc/hkA/NrgrHXXu3UNLUYfrVFdvXn4dRVOul -4+vJhaAlIDf7js4MNIThPIGyd05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6 -+/NNIxuZMzSgLvWpCz/UXeHPhJ/iGcJfitYgHuNztw== ------END 
CERTIFICATE----- - -Certum Trusted Network CA 2 -=========================== ------BEGIN CERTIFICATE----- -MIIF0jCCA7qgAwIBAgIQIdbQSk8lD8kyN/yqXhKN6TANBgkqhkiG9w0BAQ0FADCBgDELMAkGA1UE -BhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMuQS4xJzAlBgNVBAsTHkNlcnR1 -bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIGA1UEAxMbQ2VydHVtIFRydXN0ZWQgTmV0d29y -ayBDQSAyMCIYDzIwMTExMDA2MDgzOTU2WhgPMjA0NjEwMDYwODM5NTZaMIGAMQswCQYDVQQGEwJQ -TDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENl -cnRpZmljYXRpb24gQXV0aG9yaXR5MSQwIgYDVQQDExtDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENB -IDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9+Xj45tWADGSdhhuWZGc/IjoedQF9 -7/tcZ4zJzFxrqZHmuULlIEub2pt7uZld2ZuAS9eEQCsn0+i6MLs+CRqnSZXvK0AkwpfHp+6bJe+o -CgCXhVqqndwpyeI1B+twTUrWwbNWuKFBOJvR+zF/j+Bf4bE/D44WSWDXBo0Y+aomEKsq09DRZ40b -Rr5HMNUuctHFY9rnY3lEfktjJImGLjQ/KUxSiyqnwOKRKIm5wFv5HdnnJ63/mgKXwcZQkpsCLL2p -uTRZCr+ESv/f/rOf69me4Jgj7KZrdxYq28ytOxykh9xGc14ZYmhFV+SQgkK7QtbwYeDBoz1mo130 -GO6IyY0XRSmZMnUCMe4pJshrAua1YkV/NxVaI2iJ1D7eTiew8EAMvE0Xy02isx7QBlrd9pPPV3WZ -9fqGGmd4s7+W/jTcvedSVuWz5XV710GRBdxdaeOVDUO5/IOWOZV7bIBaTxNyxtd9KXpEulKkKtVB -Rgkg/iKgtlswjbyJDNXXcPiHUv3a76xRLgezTv7QCdpw75j6VuZt27VXS9zlLCUVyJ4ueE742pye -hizKV/Ma5ciSixqClnrDvFASadgOWkaLOusm+iPJtrCBvkIApPjW/jAux9JG9uWOdf3yzLnQh1vM -BhBgu4M1t15n3kfsmUjxpKEV/q2MYo45VU85FrmxY53/twIDAQABo0IwQDAPBgNVHRMBAf8EBTAD -AQH/MB0GA1UdDgQWBBS2oVQ5AsOgP46KvPrU+Bym0ToO/TAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI -hvcNAQENBQADggIBAHGlDs7k6b8/ONWJWsQCYftMxRQXLYtPU2sQF/xlhMcQSZDe28cmk4gmb3DW -Al45oPePq5a1pRNcgRRtDoGCERuKTsZPpd1iHkTfCVn0W3cLN+mLIMb4Ck4uWBzrM9DPhmDJ2vuA -L55MYIR4PSFk1vtBHxgP58l1cb29XN40hz5BsA72udY/CROWFC/emh1auVbONTqwX3BNXuMp8SMo -clm2q8KMZiYcdywmdjWLKKdpoPk79SPdhRB0yZADVpHnr7pH1BKXESLjokmUbOe3lEu6LaTaM4tM -pkT/WjzGHWTYtTHkpjx6qFcL2+1hGsvxznN3Y6SHb0xRONbkX8eftoEq5IVIeVheO/jbAoJnwTnb -w3RLPTYe+SmTiGhbqEQZIfCn6IENLOiTNrQ3ssqwGyZ6miUfmpqAnksqP/ujmv5zMnHCnsZy4Ypo -J/HkD7TETKVhk/iXEAcqMCWpuchxuO9ozC1+9eB+D4Kob7a6bINDd82Kkhehnlt4Fj1F4jNy3eFm 
-ypnTycUm/Q1oBEauttmbjL4ZvrHG8hnjXALKLNhvSgfZyTXaQHXyxKcZb55CEJh15pWLYLztxRLX -is7VmFxWlgPF7ncGNf/P5O4/E2Hu29othfDNrp2yGAlFw5Khchf8R7agCyzxxN5DaAhqXzvwdmP7 -zAYspsbiDrW5viSP ------END CERTIFICATE----- - -Hellenic Academic and Research Institutions RootCA 2015 -======================================================= ------BEGIN CERTIFICATE----- -MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1IxDzANBgNVBAcT -BkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0 -aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNl -YXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAx -MTIxWjCBpjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMg -QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNV -BAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIw -MTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDC+Kk/G4n8PDwEXT2QNrCROnk8Zlrv -bTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+eh -iGsxr/CL0BgzuNtFajT0AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+ -6PAQZe104S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06CojXd -FPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV9Cz82XBST3i4vTwr -i5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrDgfgXy5I2XdGj2HUb4Ysn6npIQf1F -GQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2 -fu/Z8VFRfS0myGlZYeCsargqNhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9mu -iNX6hME6wGkoLfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc -Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNVHRMBAf8EBTAD -AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVdctA4GGqd83EkVAswDQYJKoZI -hvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0IXtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+ -D1hYc2Ryx+hFjtyp8iY/xnmMsVMIM4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrM -d/K4kPFox/la/vot9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+y 
-d+2VZ5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/eaj8GsGsVn -82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnhX9izjFk0WaSrT2y7Hxjb -davYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQl033DlZdwJVqwjbDG2jJ9SrcR5q+ss7F -Jej6A7na+RZukYT1HCjI/CbM1xyQVqdfbzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVt -J94Cj8rDtSvK6evIIVM4pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGa -JI7ZjnHKe7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0vm9q -p/UsQu0yrbYhnr68 ------END CERTIFICATE----- - -Hellenic Academic and Research Institutions ECC RootCA 2015 -=========================================================== ------BEGIN CERTIFICATE----- -MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0 -aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9u -cyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJj -aCBJbnN0aXR1dGlvbnMgRUNDIFJvb3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEw -MzcxMlowgaoxCzAJBgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmlj -IEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUQwQgYD -VQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIEVDQyBSb290 -Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKgQehLgoRc4vgxEZmGZE4JJS+dQS8KrjVP -dJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJajq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoK -Vlp8aQuqgAkkbH7BRqNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O -BBYEFLQiC4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaeplSTA -GiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7SofTUwJCA3sS61kFyjn -dc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR ------END CERTIFICATE----- - -Certplus Root CA G1 -=================== ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgISESBVg+QtPlRWhS2DN7cs3EYRMA0GCSqGSIb3DQEBDQUAMD4xCzAJBgNV -BAYTAkZSMREwDwYDVQQKDAhDZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMTAe -Fw0xNDA1MjYwMDAwMDBaFw0zODAxMTUwMDAwMDBaMD4xCzAJBgNVBAYTAkZSMREwDwYDVQQKDAhD 
-ZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMTCCAiIwDQYJKoZIhvcNAQEBBQAD -ggIPADCCAgoCggIBANpQh7bauKk+nWT6VjOaVj0W5QOVsjQcmm1iBdTYj+eJZJ+622SLZOZ5KmHN -r49aiZFluVj8tANfkT8tEBXgfs+8/H9DZ6itXjYj2JizTfNDnjl8KvzsiNWI7nC9hRYt6kuJPKNx -Qv4c/dMcLRC4hlTqQ7jbxofaqK6AJc96Jh2qkbBIb6613p7Y1/oA/caP0FG7Yn2ksYyy/yARujVj -BYZHYEMzkPZHogNPlk2dT8Hq6pyi/jQu3rfKG3akt62f6ajUeD94/vI4CTYd0hYCyOwqaK/1jpTv -LRN6HkJKHRUxrgwEV/xhc/MxVoYxgKDEEW4wduOU8F8ExKyHcomYxZ3MVwia9Az8fXoFOvpHgDm2 -z4QTd28n6v+WZxcIbekN1iNQMLAVdBM+5S//Ds3EC0pd8NgAM0lm66EYfFkuPSi5YXHLtaW6uOrc -4nBvCGrch2c0798wct3zyT8j/zXhviEpIDCB5BmlIOklynMxdCm+4kLV87ImZsdo/Rmz5yCTmehd -4F6H50boJZwKKSTUzViGUkAksnsPmBIgJPaQbEfIDbsYIC7Z/fyL8inqh3SV4EJQeIQEQWGw9CEj -jy3LKCHyamz0GqbFFLQ3ZU+V/YDI+HLlJWvEYLF7bY5KinPOWftwenMGE9nTdDckQQoRb5fc5+R+ -ob0V8rqHDz1oihYHAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G -A1UdDgQWBBSowcCbkahDFXxdBie0KlHYlwuBsTAfBgNVHSMEGDAWgBSowcCbkahDFXxdBie0KlHY -lwuBsTANBgkqhkiG9w0BAQ0FAAOCAgEAnFZvAX7RvUz1isbwJh/k4DgYzDLDKTudQSk0YcbX8ACh -66Ryj5QXvBMsdbRX7gp8CXrc1cqh0DQT+Hern+X+2B50ioUHj3/MeXrKls3N/U/7/SMNkPX0XtPG -YX2eEeAC7gkE2Qfdpoq3DIMku4NQkv5gdRE+2J2winq14J2by5BSS7CTKtQ+FjPlnsZlFT5kOwQ/ -2wyPX1wdaR+v8+khjPPvl/aatxm2hHSco1S1cE5j2FddUyGbQJJD+tZ3VTNPZNX70Cxqjm0lpu+F -6ALEUz65noe8zDUa3qHpimOHZR4RKttjd5cUvpoUmRGywO6wT/gUITJDT5+rosuoD6o7BlXGEilX -CNQ314cnrUlZp5GrRHpejXDbl85IULFzk/bwg2D5zfHhMf1bfHEhYxQUqq/F3pN+aLHsIqKqkHWe -tUNy6mSjhEv9DKgma3GX7lZjZuhCVPnHHd/Qj1vfyDBviP4NxDMcU6ij/UgQ8uQKTuEVV/xuZDDC -VRHc6qnNSlSsKWNEz0pAoNZoWRsz+e86i9sgktxChL8Bq4fA1SCC28a5g4VCXA9DO2pJNdWY9BW/ -+mGBDAkgGNLQFwzLSABQ6XaCjGTXOqAHVcweMcDvOrRl++O/QmueD6i9a5jc2NvLi6Td11n0bt3+ -qsOR0C5CB8AMTVPNJLFMWx5R9N/pkvo= ------END CERTIFICATE----- - -Certplus Root CA G2 -=================== ------BEGIN CERTIFICATE----- -MIICHDCCAaKgAwIBAgISESDZkc6uo+jF5//pAq/Pc7xVMAoGCCqGSM49BAMDMD4xCzAJBgNVBAYT -AkZSMREwDwYDVQQKDAhDZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMjAeFw0x 
-NDA1MjYwMDAwMDBaFw0zODAxMTUwMDAwMDBaMD4xCzAJBgNVBAYTAkZSMREwDwYDVQQKDAhDZXJ0 -cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMjB2MBAGByqGSM49AgEGBSuBBAAiA2IA -BM0PW1aC3/BFGtat93nwHcmsltaeTpwftEIRyoa/bfuFo8XlGVzX7qY/aWfYeOKmycTbLXku54uN -Am8xIk0G42ByRZ0OQneezs/lf4WbGOT8zC5y0xaTTsqZY1yhBSpsBqNjMGEwDgYDVR0PAQH/BAQD -AgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNqDYwJ5jtpMxjwjFNiPwyCrKGBZMB8GA1Ud -IwQYMBaAFNqDYwJ5jtpMxjwjFNiPwyCrKGBZMAoGCCqGSM49BAMDA2gAMGUCMHD+sAvZ94OX7PNV -HdTcswYO/jOYnYs5kGuUIe22113WTNchp+e/IQ8rzfcq3IUHnQIxAIYUFuXcsGXCwI4Un78kFmjl -vPl5adytRSv3tjFzzAalU5ORGpOucGpnutee5WEaXw== ------END CERTIFICATE----- - -OpenTrust Root CA G1 -==================== ------BEGIN CERTIFICATE----- -MIIFbzCCA1egAwIBAgISESCzkFU5fX82bWTCp59rY45nMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV -BAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEcx -MB4XDTE0MDUyNjA4NDU1MFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoM -CU9wZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQD4eUbalsUwXopxAy1wpLuwxQjczeY1wICkES3d5oeuXT2R0odsN7fa -Yp6bwiTXj/HbpqbfRm9RpnHLPhsxZ2L3EVs0J9V5ToybWL0iEA1cJwzdMOWo010hOHQX/uMftk87 -ay3bfWAfjH1MBcLrARYVmBSO0ZB3Ij/swjm4eTrwSSTilZHcYTSSjFR077F9jAHiOH3BX2pfJLKO -YheteSCtqx234LSWSE9mQxAGFiQD4eCcjsZGT44ameGPuY4zbGneWK2gDqdkVBFpRGZPTBKnjix9 -xNRbxQA0MMHZmf4yzgeEtE7NCv82TWLxp2NX5Ntqp66/K7nJ5rInieV+mhxNaMbBGN4zK1FGSxyO -9z0M+Yo0FMT7MzUj8czxKselu7Cizv5Ta01BG2Yospb6p64KTrk5M0ScdMGTHPjgniQlQ/GbI4Kq -3ywgsNw2TgOzfALU5nsaqocTvz6hdLubDuHAk5/XpGbKuxs74zD0M1mKB3IDVedzagMxbm+WG+Oi -n6+Sx+31QrclTDsTBM8clq8cIqPQqwWyTBIjUtz9GVsnnB47ev1CI9sjgBPwvFEVVJSmdz7QdFG9 -URQIOTfLHzSpMJ1ShC5VkLG631UAC9hWLbFJSXKAqWLXwPYYEQRVzXR7z2FwefR7LFxckvzluFqr -TJOVoSfupb7PcSNCupt2LQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB -/zAdBgNVHQ4EFgQUl0YhVyE12jZVx/PxN3DlCPaTKbYwHwYDVR0jBBgwFoAUl0YhVyE12jZVx/Px -N3DlCPaTKbYwDQYJKoZIhvcNAQELBQADggIBAB3dAmB84DWn5ph76kTOZ0BP8pNuZtQ5iSas000E 
-PLuHIT839HEl2ku6q5aCgZG27dmxpGWX4m9kWaSW7mDKHyP7Rbr/jyTwyqkxf3kfgLMtMrpkZ2Cv -uVnN35pJ06iCsfmYlIrM4LvgBBuZYLFGZdwIorJGnkSI6pN+VxbSFXJfLkur1J1juONI5f6ELlgK -n0Md/rcYkoZDSw6cMoYsYPXpSOqV7XAp8dUv/TW0V8/bhUiZucJvbI/NeJWsZCj9VrDDb8O+WVLh -X4SPgPL0DTatdrOjteFkdjpY3H1PXlZs5VVZV6Xf8YpmMIzUUmI4d7S+KNfKNsSbBfD4Fdvb8e80 -nR14SohWZ25g/4/Ii+GOvUKpMwpZQhISKvqxnUOOBZuZ2mKtVzazHbYNeS2WuOvyDEsMpZTGMKcm -GS3tTAZQMPH9WD25SxdfGbRqhFS0OE85og2WaMMolP3tLR9Ka0OWLpABEPs4poEL0L9109S5zvE/ -bw4cHjdx5RiHdRk/ULlepEU0rbDK5uUTdg8xFKmOLZTW1YVNcxVPS/KyPu1svf0OnWZzsD2097+o -4BGkxK51CUpjAEggpsadCwmKtODmzj7HPiY46SvepghJAwSQiumPv+i2tCqjI40cHLI5kqiPAlxA -OXXUc0ECd97N4EOH1uS6SsNsEn/+KuYj1oxx ------END CERTIFICATE----- - -OpenTrust Root CA G2 -==================== ------BEGIN CERTIFICATE----- -MIIFbzCCA1egAwIBAgISESChaRu/vbm9UpaPI+hIvyYRMA0GCSqGSIb3DQEBDQUAMEAxCzAJBgNV -BAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEcy -MB4XDTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoM -CU9wZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzIwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDMtlelM5QQgTJT32F+D3Y5z1zCU3UdSXqWON2ic2rxb95eolq5cSG+ -Ntmh/LzubKh8NBpxGuga2F8ORAbtp+Dz0mEL4DKiltE48MLaARf85KxP6O6JHnSrT78eCbY2albz -4e6WiWYkBuTNQjpK3eCasMSCRbP+yatcfD7J6xcvDH1urqWPyKwlCm/61UWY0jUJ9gNDlP7ZvyCV -eYCYitmJNbtRG6Q3ffyZO6v/v6wNj0OxmXsWEH4db0fEFY8ElggGQgT4hNYdvJGmQr5J1WqIP7wt -UdGejeBSzFfdNTVY27SPJIjki9/ca1TSgSuyzpJLHB9G+h3Ykst2Z7UJmQnlrBcUVXDGPKBWCgOz -3GIZ38i1MH/1PCZ1Eb3XG7OHngevZXHloM8apwkQHZOJZlvoPGIytbU6bumFAYueQ4xncyhZW+vj -3CzMpSZyYhK05pyDRPZRpOLAeiRXyg6lPzq1O4vldu5w5pLeFlwoW5cZJ5L+epJUzpM5ChaHvGOz -9bGTXOBut9Dq+WIyiET7vycotjCVXRIouZW+j1MY5aIYFuJWpLIsEPUdN6b4t/bQWVyJ98LVtZR0 -0dX+G7bw5tYee9I8y6jj9RjzIR9u701oBnstXW5DiabA+aC/gh7PU3+06yzbXfZqfUAkBXKJOAGT -y3HCOV0GEfZvePg3DTmEJwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB -/zAdBgNVHQ4EFgQUajn6QiL35okATV59M4PLuG53hq8wHwYDVR0jBBgwFoAUajn6QiL35okATV59 
-M4PLuG53hq8wDQYJKoZIhvcNAQENBQADggIBAJjLq0A85TMCl38th6aP1F5Kr7ge57tx+4BkJamz -Gj5oXScmp7oq4fBXgwpkTx4idBvpkF/wrM//T2h6OKQQbA2xx6R3gBi2oihEdqc0nXGEL8pZ0keI -mUEiyTCYYW49qKgFbdEfwFFEVn8nNQLdXpgKQuswv42hm1GqO+qTRmTFAHneIWv2V6CG1wZy7HBG -S4tz3aAhdT7cHcCP009zHIXZ/n9iyJVvttN7jLpTwm+bREx50B1ws9efAvSyB7DH5fitIw6mVskp -EndI2S9G/Tvw/HRwkqWOOAgfZDC2t0v7NqwQjqBSM2OdAzVWxWm9xiNaJ5T2pBL4LTM8oValX9YZ -6e18CL13zSdkzJTaTkZQh+D5wVOAHrut+0dSixv9ovneDiK3PTNZbNTe9ZUGMg1RGUFcPk8G97kr -gCf2o6p6fAbhQ8MTOWIaNr3gKC6UAuQpLmBVrkA9sHSSXvAgZJY/X0VdiLWK2gKgW0VU3jg9CcCo -SmVGFvyqv1ROTVu+OEO3KMqLM6oaJbolXCkvW0pujOotnCr2BXbgd5eAiN1nE28daCSLT7d0geX0 -YJ96Vdc+N9oWaz53rK4YcJUIeSkDiv7BO7M/Gg+kO14fWKGVyasvc0rQLW6aWQ9VGHgtPFGml4vm -u7JwqkwR3v98KzfUetF3NI/n+UL3PIEMS1IK ------END CERTIFICATE----- - -OpenTrust Root CA G3 -==================== ------BEGIN CERTIFICATE----- -MIICITCCAaagAwIBAgISESDm+Ez8JLC+BUCs2oMbNGA/MAoGCCqGSM49BAMDMEAxCzAJBgNVBAYT -AkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEczMB4X -DTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU9w -ZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzMwdjAQBgcqhkjOPQIBBgUrgQQA -IgNiAARK7liuTcpm3gY6oxH84Bjwbhy6LTAMidnW7ptzg6kjFYwvWYpa3RTqnVkrQ7cG7DK2uu5B -ta1doYXM6h0UZqNnfkbilPPntlahFVmhTzeXuSIevRHr9LIfXsMUmuXZl5mjYzBhMA4GA1UdDwEB -/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAf -BgNVHSMEGDAWgBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAKBggqhkjOPQQDAwNpADBmAjEAj6jcnboM -BBf6Fek9LykBl7+BFjNAk2z8+e2AcG+qj9uEwov1NcoG3GRvaBbhj5G5AjEA2Euly8LQCGzpGPta -3U1fJAuwACEl74+nBCZx4nxp5V2a+EEfOzmTk51V6s2N8fvB ------END CERTIFICATE----- - -ISRG Root X1 -============ ------BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UE -BhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQD -EwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQG -EwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMT 
-DElTUkcgUm9vdCBYMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54r -Vygch77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+0TM8ukj1 -3Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6UA5/TR5d8mUgjU+g4rk8K -b4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sWT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCN -Aymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyHB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ -4Q7e2RCOFvu396j3x+UCB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf -1b0SHzUvKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWnOlFu -hjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTnjh8BCNAw1FtxNrQH -usEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbwqHyGO0aoSCqI3Haadr8faqU9GY/r -OPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CIrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY -9umbbjANBgkqhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ3BebYhtF8GaV -0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KKNFtY2PwByVS5uCbMiogziUwt -hDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJw -TdwJx4nLCgdNbOhdjsnvzqvHu7UrTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nx -e5AW0wdeRlN8NwdCjNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZA -JzVcoyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq4RgqsahD -YVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPAmRGunUHBcnWEvgJBQl9n -JEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57demyPxgcYxn/eR44/KJ4EBs+lVDR3veyJ -m+kXQ99b21/+jh5Xos1AnX5iItreGCc= ------END CERTIFICATE----- - -AC RAIZ FNMT-RCM -================ ------BEGIN CERTIFICATE----- -MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNVBAYT -AkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJWiBGTk1ULVJDTTAeFw0wODEw -MjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJD -TTEZMBcGA1UECwwQQUMgUkFJWiBGTk1ULVJDTTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC 
-ggIBALpxgHpMhm5/yBNtwMZ9HACXjywMI7sQmkCpGreHiPibVmr75nuOi5KOpyVdWRHbNi63URcf -qQgfBBckWKo3Shjf5TnUV/3XwSyRAZHiItQDwFj8d0fsjz50Q7qsNI1NOHZnjrDIbzAzWHFctPVr -btQBULgTfmxKo0nRIBnuvMApGGWn3v7v3QqQIecaZ5JCEJhfTzC8PhxFtBDXaEAUwED653cXeuYL -j2VbPNmaUtu1vZ5Gzz3rkQUCwJaydkxNEJY7kvqcfw+Z374jNUUeAlz+taibmSXaXvMiwzn15Cou -08YfxGyqxRxqAQVKL9LFwag0Jl1mpdICIfkYtwb1TplvqKtMUejPUBjFd8g5CSxJkjKZqLsXF3mw -WsXmo8RZZUc1g16p6DULmbvkzSDGm0oGObVo/CK67lWMK07q87Hj/LaZmtVC+nFNCM+HHmpxffnT -tOmlcYF7wk5HlqX2doWjKI/pgG6BU6VtX7hI+cL5NqYuSf+4lsKMB7ObiFj86xsc3i1w4peSMKGJ -47xVqCfWS+2QrYv6YyVZLag13cqXM7zlzced0ezvXg5KkAYmY6252TUtB7p2ZSysV4999AeU14EC -ll2jB0nVetBX+RvnU0Z1qrB5QstocQjpYL05ac70r8NWQMetUqIJ5G+GR4of6ygnXYMgrwTJbFaa -i0b1AgMBAAGjgYMwgYAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE -FPd9xf3E6Jobd2Sn9R2gzL+HYJptMD4GA1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1o -dHRwOi8vd3d3LmNlcnQuZm5tdC5lcy9kcGNzLzANBgkqhkiG9w0BAQsFAAOCAgEAB5BK3/MjTvDD -nFFlm5wioooMhfNzKWtN/gHiqQxjAb8EZ6WdmF/9ARP67Jpi6Yb+tmLSbkyU+8B1RXxlDPiyN8+s -D8+Nb/kZ94/sHvJwnvDKuO+3/3Y3dlv2bojzr2IyIpMNOmqOFGYMLVN0V2Ue1bLdI4E7pWYjJ2cJ -j+F3qkPNZVEI7VFY/uY5+ctHhKQV8Xa7pO6kO8Rf77IzlhEYt8llvhjho6Tc+hj507wTmzl6NLrT -Qfv6MooqtyuGC2mDOL7Nii4LcK2NJpLuHvUBKwrZ1pebbuCoGRw6IYsMHkCtA+fdZn71uSANA+iW -+YJF1DngoABd15jmfZ5nc8OaKveri6E6FO80vFIOiZiaBECEHX5FaZNXzuvO+FB8TxxuBEOb+dY7 -Ixjp6o7RTUaN8Tvkasq6+yO3m/qZASlaWFot4/nUbQ4mrcFuNLwy+AwF+mWj2zs3gyLp1txyM/1d -8iC9djwj2ij3+RvrWWTV3F9yfiD8zYm1kGdNYno/Tq0dwzn+evQoFt9B9kiABdcPUXmsEKvU7ANm -5mqwujGSQkBqvjrTcuFqN1W8rB2Vt2lh8kORdOag0wokRqEIr9baRRmW1FMdW4R58MD3R++Lj8UG -rp1MYp3/RgT408m2ECVAdf4WqslKYIYvuu8wd+RU4riEmViAqhOLUTpPSPaLtrM= ------END CERTIFICATE----- - -Amazon Root CA 1 -================ ------BEGIN CERTIFICATE----- -MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYD -VQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1 -MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpv 
-bjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgH -FzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQ -gLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0t -dHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcce -VOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3 -DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PM -CCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy -8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa -2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2 -xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5 ------END CERTIFICATE----- - -Amazon Root CA 2 -================ ------BEGIN CERTIFICATE----- -MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwFADA5MQswCQYD -VQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAyMB4XDTE1 -MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpv -bjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAK2Wny2cSkxKgXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4 -kHbZW0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg1dKmSYXp -N+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K8nu+NQWpEjTj82R0Yiw9 -AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvd -fLC6HM783k81ds8P+HgfajZRRidhW+mez/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAEx -kv8LV/SasrlX6avvDXbR8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSS -btqDT6ZjmUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz7Mt0 -Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6+XUyo05f7O0oYtlN 
-c/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI0u1ufm8/0i2BWSlmy5A5lREedCf+ -3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSw -DPBMMPQFWAJI/TPlUq9LhONmUjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oA -A7CXDpO8Wqj2LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY -+gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kSk5Nrp+gvU5LE -YFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl7uxMMne0nxrpS10gxdr9HIcW -xkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygmbtmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQ -gj9sAq+uEjonljYE1x2igGOpm/HlurR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbW -aQbLU8uz/mtBzUF+fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoV -Yh63n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE76KlXIx3 -KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H9jVlpNMKVv/1F2Rs76gi -JUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT4PsJYGw= ------END CERTIFICATE----- - -Amazon Root CA 3 -================ ------BEGIN CERTIFICATE----- -MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5MQswCQYDVQQG -EwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAzMB4XDTE1MDUy -NjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZ -MBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZB -f8ANm+gBG1bG8lKlui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjr -Zt6jQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSrttvXBp43 -rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkrBqWTrBqYaGFy+uGh0Psc -eGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteMYyRIHN8wfdVoOw== ------END CERTIFICATE----- - -Amazon Root CA 4 -================ ------BEGIN CERTIFICATE----- -MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5MQswCQYDVQQG -EwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSA0MB4XDTE1MDUy -NjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZ 
-MBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN -/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri -83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gA -MGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1 -AE47xDqUEpHJWEadIRNyp4iciuRMStuW1KyLa2tJElMzrdfkviT8tQp21KW8EA== ------END CERTIFICATE----- - -LuxTrust Global Root 2 -====================== ------BEGIN CERTIFICATE----- -MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQELBQAwRjELMAkG -A1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNVBAMMFkx1eFRydXN0IEdsb2Jh -bCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUwMzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEW -MBQGA1UECgwNTHV4VHJ1c3QgUy5BLjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCC -AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wm -Kb3FibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTemhfY7RBi2 -xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1EMShduxq3sVs35a0VkBC -wGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsnXpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm -1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkm -FRseTJIpgp7VkoGSQXAZ96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niF -wpN6cj5mj5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4gDEa/ -a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+8kPREd8vZS9kzl8U -ubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2jX5t/Lax5Gw5CMZdjpPuKadUiDTSQ -MC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmHhFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB -/zBCBgNVHSAEOzA5MDcGByuBKwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5 -Lmx1eHRydXN0Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT -+Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQELBQADggIBAGoZ -FO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9BzZAcg4atmpZ1gDlaCDdLnIN 
-H2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTOjFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW -7MM3LGVYvlcAGvI1+ut7MV3CwRI9loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIu -ZY+kt9J/Z93I055cqqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWA -VWe+2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/JEAdemrR -TxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKrezrnK+T+Tb/mjuuqlPpmt -/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQfLSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc -7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31I -iyBMz2TWuJdGsE7RKlY6oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr ------END CERTIFICATE----- - -TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 -============================================= ------BEGIN CERTIFICATE----- -MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIxGDAWBgNVBAcT -D0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxpbXNlbCB2ZSBUZWtub2xvamlr -IEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0wKwYDVQQLEyRLYW11IFNlcnRpZmlrYXN5b24g -TWVya2V6aSAtIEthbXUgU00xNjA0BgNVBAMTLVRVQklUQUsgS2FtdSBTTSBTU0wgS29rIFNlcnRp -ZmlrYXNpIC0gU3VydW0gMTAeFw0xMzExMjUwODI1NTVaFw00MzEwMjUwODI1NTVaMIHSMQswCQYD -VQQGEwJUUjEYMBYGA1UEBxMPR2ViemUgLSBLb2NhZWxpMUIwQAYDVQQKEzlUdXJraXllIEJpbGlt -c2VsIHZlIFRla25vbG9qaWsgQXJhc3Rpcm1hIEt1cnVtdSAtIFRVQklUQUsxLTArBgNVBAsTJEth -bXUgU2VydGlmaWthc3lvbiBNZXJrZXppIC0gS2FtdSBTTTE2MDQGA1UEAxMtVFVCSVRBSyBLYW11 -IFNNIFNTTCBLb2sgU2VydGlmaWthc2kgLSBTdXJ1bSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAr3UwM6q7a9OZLBI3hNmNe5eA027n/5tQlT6QlVZC1xl8JoSNkvoBHToP4mQ4t4y8 -6Ij5iySrLqP1N+RAjhgleYN1Hzv/bKjFxlb4tO2KRKOrbEz8HdDc72i9z+SqzvBV96I01INrN3wc -wv61A+xXzry0tcXtAA9TNypN9E8Mg/uGz8v+jE69h/mniyFXnHrfA2eJLJ2XYacQuFWQfw4tJzh0 -3+f92k4S400VIgLI4OD8D62K18lUUMw7D8oWgITQUVbDjlZ/iSIzL+aFCr2lqBs23tPcLG07xxO9 -WSMs5uWk99gL7eqQQESolbuT1dCANLZGeA4fAJNG4e7p+exPFwIDAQABo0IwQDAdBgNVHQ4EFgQU -ZT/HiobGPN08VFw1+DrtUgxHV8gwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJ 
-KoZIhvcNAQELBQADggEBACo/4fEyjq7hmFxLXs9rHmoJ0iKpEsdeV31zVmSAhHqT5Am5EM2fKifh -AHe+SMg1qIGf5LgsyX8OsNJLN13qudULXjS99HMpw+0mFZx+CFOKWI3QSyjfwbPfIPP54+M638yc -lNhOT8NrF7f3cuitZjO1JVOr4PhMqZ398g26rrnZqsZr+ZO7rqu4lzwDGrpDxpa5RXI4s6ehlj2R -e37AIVNMh+3yC1SVUZPVIqUNivGTDj5UDrDYyU7c8jEyVupk+eq1nRZmQnLzf9OxMUP8pI4X8W0j -q5Rm+K37DwhuJi1/FwcJsoz7UMCflo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM= ------END CERTIFICATE----- - -GDCA TrustAUTH R5 ROOT -====================== ------BEGIN CERTIFICATE----- -MIIFiDCCA3CgAwIBAgIIfQmX/vBH6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCQ04xMjAw -BgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8wHQYDVQQD -DBZHRENBIFRydXN0QVVUSCBSNSBST09UMB4XDTE0MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVow -YjELMAkGA1UEBhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZ -IENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0B -AQEFAAOCAg8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJjDp6L3TQs -AlFRwxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBjTnnEt1u9ol2x8kECK62p -OqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+uKU49tm7srsHwJ5uu4/Ts765/94Y9cnrr -pftZTqfrlYwiOXnhLQiPzLyRuEH3FMEjqcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfmiJqwTTQJ -9Cy5WmYqsBebnh52nUpmMUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ahsmUPI2JgaQ -xXABZG12ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7ng/Wi64HtloPzgsM -R6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLMc3GkL30SgLdTMEZeS1SZ -D2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeCjGHeuLzRL5z7D9Ar7Rt2ueQ5Vfj4 -oR24qoAATILnsn8JuLwwoC8N9VKejveSswoAHQBUlwbgsQfZxw9cZX08bVlX5O2ljelAU58VS6Bx -9hoh49pwBiFYFIeFd3mqgnkCAwEAAaNCMEAwHQYDVR0OBBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlR -MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfg -p8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9nesLqjJHdtJnJO29fDMylyrHBYZmDRd9FBUb1Ov9 -H5r2XpdptxolpAqzkT9fNqyL7FeoPueBihhXOYV0GkLH6VsTX4/5COmSdI31R9KrO9b7eGZONn35 -6ZLpBN79SWP8bfsUcZNnL0dKt7n/HipzcEYwv1ryL3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd 
-+PwyvzeG5LuOmCd+uh8W4XAR8gPfJWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQ -HtZa37dG/OaG+svgIHZ6uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBD -F8Io2c9Si1vIY9RCPqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV09tL7ECQ -8s1uV9JiDnxXk7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQXR4EzzffHqhmsYzmIGrv -/EhOdJhCrylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrqT8p+ck0LcIymSLumoRT2+1hEmRSuqguT -aaApJUqlyyvdimYHFngVV3Eb7PVHhPOeMTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== ------END CERTIFICATE----- - -TrustCor RootCert CA-1 -====================== ------BEGIN CERTIFICATE----- -MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYDVQQGEwJQQTEP -MA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3Ig -U3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkx -MjMxMTcyMzE2WjCBpDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFu -YW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUGA1UECwwe -VHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZUcnVzdENvciBSb290Q2Vy -dCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv463leLCJhJrMxnHQFgKq1mq -jQCj/IDHUHuO1CAmujIS2CNUSSUQIpidRtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4 -pQa81QBeCQryJ3pS/C3Vseq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0 -JEsq1pme9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CVEY4h -gLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorWhnAbJN7+KIor0Gqw -/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/DeOxCbeKyKsZn3MzUOcwHwYDVR0j -BBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AYYwDQYJKoZIhvcNAQELBQADggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5 -mDo4Nvu7Zp5I/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf -ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZyonnMlo2HD6C -qFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djtsL1Ac59v2Z3kf9YKVmgenFK+P 
-3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdNzl/HHk484IkzlQsPpTLWPFp5LBk= ------END CERTIFICATE----- - -TrustCor RootCert CA-2 -====================== ------BEGIN CERTIFICATE----- -MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNVBAYTAlBBMQ8w -DQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVzdENvciBT -eXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0 -eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEy -MzExNzI2MzlaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5h -bWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U -cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0 -IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnIG7CKqJiJJWQdsg4foDSq8Gb -ZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9Nk -RvRUqdw6VC0xK5mC8tkq1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1 -oYxOdqHp2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nKDOOb -XUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hapeaz6LMvYHL1cEksr1 -/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF3wP+TfSvPd9cW436cOGlfifHhi5q -jxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQP -eSghYA2FFn3XVDjxklb9tTNMg9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+Ctg -rKAmrhQhJ8Z3mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh -8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAdBgNVHQ4EFgQU -2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6UnrybPZx9mCAZ5YwwYrIwDwYD -VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/h -Osh80QA9z+LqBrWyOrsGS2h60COXdKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnp -kpfbsEZC89NiqpX+MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv -2wnL/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RXCI/hOWB3 -S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYaZH9bDTMJBzN7Bj8RpFxw 
-PIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dv -DDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYU -RpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANE -xdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp5KeX -RKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu1uwJ ------END CERTIFICATE----- - -TrustCor ECA-1 -============== ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYDVQQGEwJQQTEP -MA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3Ig -U3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkxFzAVBgNVBAMMDlRydXN0Q29yIEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3Mjgw -N1owgZwxCzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5 -MSQwIgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29y -IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3IgRUNBLTEwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb3w9U73NjKYKtR8aja+3+XzP4Q1HpGjOR -MRegdMTUpwHmspI+ap3tDvl0mEDTPwOABoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23 -xFUfJ3zSCNV2HykVh0A53ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmc -p0yJF4OuowReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/wZ0+ -fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZFZtS6mFjBAgMBAAGj -YzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAfBgNVHSMEGDAWgBREnkj1zG1I1KBL -f/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF -AAOCAQEABT41XBVwm8nHc2FvcivUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u -/ukZMjgDfxT2AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F -hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50soIipX1TH0Xs -J5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BIWJZpTdwHjFGTot+fDz2LYLSC -jaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1WitJ/X5g== ------END CERTIFICATE----- - -SSL.com Root Certification Authority RSA 
-======================================== ------BEGIN CERTIFICATE----- -MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxDjAM -BgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24x -MTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYw -MjEyMTczOTM5WhcNNDEwMjEyMTczOTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMx -EDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NM -LmNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcNAQEBBQAD -ggIPADCCAgoCggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2RxFdHaxh3a3by/ZPkPQ/C -Fp4LZsNWlJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aXqhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8 -P2FI7bADFB0QDksZ4LtO7IZl/zbzXmcCC52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/ge -oeOy3ZExqysdBP+lSgQ36YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9aqkp -k8zruFvh/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq/LrFYD3Z -fBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93EJNyAKoFBbZQ+yODJ -gUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVcUS4cK38acijnALXRdMbX5J+tB5O2 -UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8ZVWb3vUNiSYE/CUapiVpy8JtynziWV+XrOvvLsi8 -1xtZPCvM8hnIk2snYxnP/Okm+Mpxm3+T/jRnhE6Z6/yzeAkzcLpmpnbtG3PrGqUNxCITIJRWCk4s -bE6x/c+cCbqiM+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkHovV6fVJTEpKV7jiAJQ2mWTAPBgNV -HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9UlMSkpXuOIAlDaZZMA4GA1UdDwEB/wQE -AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7Jp0cHh5wYfGVcpNxJK1ok1iOMq8bs3AD/CUr -dIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8eEdBcHadm47GUBwwyOabqG7B52B2ccETjit3E+ZUf -ijhDPwGFpUenPUayvOUiaPd7nNgsPgohyC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAsl -u1OJD7OAUN5F7kR/q5R4ZJjT9ijdh9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjq -erQ0cuAjJ3dctpDqhiVAq+8zD8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jra6x+3uxj -MxW3IwiPxg+NQVrdjsW5j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90IH37hVZkLId6Tngr75qNJ -vTYw/ud3sqB1l7UtgYgXZSD32pAAn8lSzDLKNXz1PQ/YK9f1JmzJBjSWFupwWRoyeXkLtoh/D1JI 
-Pb9s2KJELtFOt3JY04kTlf5Eq/jXixtunLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406y -wKBjYZC6VWg3dGq2ktufoYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NI -WuuA8ShYIc2wBlX7Jz9TkHCpBB5XJ7k= ------END CERTIFICATE----- - -SSL.com Root Certification Authority ECC -======================================== ------BEGIN CERTIFICATE----- -MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMCVVMxDjAMBgNV -BAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xMTAv -BgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEy -MTgxNDAzWhcNNDEwMjEyMTgxNDAzWjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAO -BgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNv -bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuBBAAiA2IA -BEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI7Z4INcgn64mMU1jrYor+ -8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPgCemB+vNH06NjMGEwHQYDVR0OBBYEFILR -hXMw5zUE044CkvvlpNHEIejNMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTT -jgKS++Wk0cQh6M0wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCW -e+0F+S8Tkdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+gA0z -5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl ------END CERTIFICATE----- - -SSL.com EV Root Certification Authority RSA R2 -============================================== ------BEGIN CERTIFICATE----- -MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNVBAYTAlVTMQ4w -DAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9u -MTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIy -MB4XDTE3MDUzMTE4MTQzN1oXDTQyMDUzMDE4MTQzN1owgYIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI -DAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTcwNQYD -VQQDDC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMIICIjAN -BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjzZlQOHWTcDXtOlG2mvqM0fNTPl9fb69LT3w23jh 
-hqXZuglXaO1XPqDQCEGD5yhBJB/jchXQARr7XnAjssufOePPxU7Gkm0mxnu7s9onnQqG6YE3Bf7w -cXHswxzpY6IXFJ3vG2fThVUCAtZJycxa4bH3bzKfydQ7iEGonL3Lq9ttewkfokxykNorCPzPPFTO -Zw+oz12WGQvE43LrrdF9HSfvkusQv1vrO6/PgN3B0pYEW3p+pKk8OHakYo6gOV7qd89dAFmPZiw+ -B6KjBSYRaZfqhbcPlgtLyEDhULouisv3D5oi53+aNxPN8k0TayHRwMwi8qFG9kRpnMphNQcAb9Zh -CBHqurj26bNg5U257J8UZslXWNvNh2n4ioYSA0e/ZhN2rHd9NCSFg83XqpyQGp8hLH94t2S42Oim -9HizVcuE0jLEeK6jj2HdzghTreyI/BXkmg3mnxp3zkyPuBQVPWKchjgGAGYS5Fl2WlPAApiiECto -RHuOec4zSnaqW4EWG7WK2NAAe15itAnWhmMOpgWVSbooi4iTsjQc2KRVbrcc0N6ZVTsj9CLg+Slm -JuwgUHfbSguPvuUCYHBBXtSuUDkiFCbLsjtzdFVHB3mBOagwE0TlBIqulhMlQg+5U8Sb/M3kHN48 -+qvWBkofZ6aYMBzdLNvcGJVXZsb/XItW9XcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNV -HSMEGDAWgBT5YLvU49U09rj1BoAlp3PbRmmonjAdBgNVHQ4EFgQU+WC71OPVNPa49QaAJadz20Zp -qJ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBWs47LCp1Jjr+kxJG7ZhcFUZh1 -++VQLHqe8RT6q9OKPv+RKY9ji9i0qVQBDb6Thi/5Sm3HXvVX+cpVHBK+Rw82xd9qt9t1wkclf7nx -Y/hoLVUE0fKNsKTPvDxeH3jnpaAgcLAExbf3cqfeIg29MyVGjGSSJuM+LmOW2puMPfgYCdcDzH2G -guDKBAdRUNf/ktUM79qGn5nX67evaOI5JpS6aLe/g9Pqemc9YmeuJeVy6OLk7K4S9ksrPJ/psEDz -OFSz/bdoyNrGj1E8svuR3Bznm53htw1yj+KkxKl4+esUrMZDBcJlOSgYAsOCsp0FvmXtll9ldDz7 -CTUue5wT/RsPXcdtgTpWD8w74a8CLyKsRspGPKAcTNZEtF4uXBVmCeEmKf7GUmG6sXP/wwyc5Wxq -lD8UykAWlYTzWamsX0xhk23RO8yilQwipmdnRC652dKKQbNmC1r7fSOl8hqw/96bg5Qu0T/fkreR -rwU7ZcegbLHNYhLDkBvjJc40vG93drEQw/cFGsDWr3RiSBd3kmmQYRzelYB0VI8YHMPzA9C/pEN1 -hlMYegouCRw2n5H9gooiS9EOUCXdywMMF8mDAAhONU2Ki+3wApRmLER/y5UnlhetCTCstnEXbosX -9hwJ1C07mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w== ------END CERTIFICATE----- - -SSL.com EV Root Certification Authority ECC -=========================================== ------BEGIN CERTIFICATE----- -MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMCVVMxDjAMBgNV -BAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xNDAy -BgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYw -MjEyMTgxNTIzWhcNNDEwMjEyMTgxNTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMx 
-EDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NM -LmNvbSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB -BAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMAVIbc/R/fALhBYlzccBYy -3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1KthkuWnBaBu2+8KGwytAJKaNjMGEwHQYDVR0O -BBYEFFvKXuXe0oGqzagtZFG22XKbl+ZPMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe -5d7SgarNqC1kUbbZcpuX5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJ -N+vp1RPZytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZgh5Mm -m7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg== ------END CERTIFICATE----- diff --git a/tools/istio-docker.mk b/tools/istio-docker.mk index c2af2ac3e95..35368cf42e6 100644 --- a/tools/istio-docker.mk +++ b/tools/istio-docker.mk @@ -50,7 +50,7 @@ $(ISTIO_DOCKER)/certs: # tell make which files are copied from the source tree and generate rules to copy them to the proper location: # TODO(sdake) $(NODE_AGENT_TEST_FILES) $(GRAFANA_FILES) -DOCKER_FILES_FROM_SOURCE:=tests/testdata/certs/cert.crt tests/testdata/certs/cert.key tests/testdata/certs/cacert.pem +DOCKER_FILES_FROM_SOURCE:=tests/testdata/certs/cert.crt tests/testdata/certs/cert.key $(foreach FILE,$(DOCKER_FILES_FROM_SOURCE), \ $(eval $(ISTIO_DOCKER)/$(notdir $(FILE)): $(FILE) | $(ISTIO_DOCKER); cp $(FILE) $$(@D))) @@ -87,10 +87,9 @@ docker.proxyv2: $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/stats-filter.wasm docker.proxyv2: $(ISTIO_ENVOY_LINUX_RELEASE_DIR)/metadata-exchange-filter.wasm $(DOCKER_RULE) -docker.pilot: BUILD_PRE=&& chmod 755 pilot-discovery cacert.pem +docker.pilot: BUILD_PRE=&& chmod 755 pilot-discovery docker.pilot: BUILD_ARGS=--build-arg BASE_VERSION=${BASE_VERSION} docker.pilot: $(ISTIO_OUT_LINUX)/pilot-discovery -docker.pilot: tests/testdata/certs/cacert.pem docker.pilot: pilot/docker/Dockerfile.pilot $(DOCKER_RULE) From 18128ab1a0e028e9ce37ac2aa9d20f74387fc3d9 Mon Sep 17 00:00:00 2001 
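Review bot: Dropping `tests/testdata/certs/cacert.pem` from `DOCKER_FILES_FROM_SOURCE` and from the `docker.pilot` prerequisites leaves nothing in this file that says where pilot-discovery now gets its CA roots. Presumably the base image selected by `BASE_VERSION` carries the trust store; if so, a comment above the `docker.pilot` rules such as `# CA roots come from the base image (BASE_VERSION); no bundle is copied from the source tree.` would record it. `pilot/docker/Dockerfile.pilot` is not among the visible hunks, so confirm it no longer copies `cacert.pem`; otherwise the image build will fail on the missing file.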
From: Zhonghu Xu Date: Tue, 20 Oct 2020 04:14:55 +0800 Subject: [PATCH 68/82] manually cherry pick #27864 (#27985) --- pilot/cmd/pilot-agent/status/server.go | 23 ++++++++++++++--------- releasenotes/notes/27726.yaml | 8 ++++++++ 2 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/27726.yaml diff --git a/pilot/cmd/pilot-agent/status/server.go b/pilot/cmd/pilot-agent/status/server.go index 7bd0141ec9b..3feb0784f9f 100644 --- a/pilot/cmd/pilot-agent/status/server.go +++ b/pilot/cmd/pilot-agent/status/server.go @@ -88,6 +88,7 @@ type Server struct { prometheus *PrometheusScrapeConfiguration mutex sync.RWMutex appKubeProbers KubeAppProbers + appProbeClient map[string]*http.Client statusPort uint16 lastProbeSuccessful bool envoyStatsPort int @@ -110,6 +111,8 @@ func NewServer(config Config) (*Server, error) { if err := json.Unmarshal([]byte(config.KubeAppProbers), &s.appKubeProbers); err != nil { return nil, fmt.Errorf("failed to decode app prober err = %v, json string = %v", err, config.KubeAppProbers) } + + s.appProbeClient = make(map[string]*http.Client, len(s.appKubeProbers)) // Validate the map key matching the regex pattern. for path, prober := range s.appKubeProbers { if !appProberPattern.Match([]byte(path)) { 
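Review bot: The new `appProbeClient` field in `Server` is undocumented, and it sits next to `mutex` without saying whether that lock is meant to cover it. In the hunks shown, the map is filled once in `NewServer` and only read in `handleAppProbe`, so it looks safe without locking as long as nothing writes to it later. I would state that on the field: `// appProbeClient holds one HTTP client per app prober path; populated in NewServer and read-only afterwards.` The struct definition starts and ends outside the hunk.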
@@ -121,6 +124,15 @@ func NewServer(config Config) (*Server, error) { if prober.HTTPGet.Port.Type != intstr.Int { return nil, fmt.Errorf("invalid prober config for %v, the port must be int type", path) } + // Construct a http client and cache it in order to reuse the connection. + s.appProbeClient[path] = &http.Client{ + Timeout: time.Duration(prober.TimeoutSeconds) * time.Second, + // We skip the verification since kubelet skips the verification for HTTPS prober as well + // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + }, + } } // Enable prometheus server if its configured and a sidecar @@ -349,15 +361,6 @@ func (s *Server) handleAppProbe(w http.ResponseWriter, req *http.Request) { return } - // Construct a request sent to the application. - httpClient := &http.Client{ - Timeout: time.Duration(prober.TimeoutSeconds) * time.Second, - // We skip the verification since kubelet skips the verification for HTTPS prober as well - // https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - }, - } var url string if prober.HTTPGet.Scheme == corev1.URISchemeHTTPS { url = fmt.Sprintf("https://localhost:%v%s", prober.HTTPGet.Port.IntValue(), prober.HTTPGet.Path) @@ -386,6 +389,8 @@ func (s *Server) handleAppProbe(w http.ResponseWriter, req *http.Request) { } } + // get the http client must exist because + httpClient := s.appProbeClient[path] // Send the request. response, err := httpClient.Do(appReq) if err != nil { diff --git a/releasenotes/notes/27726.yaml b/releasenotes/notes/27726.yaml new file mode 100644 index 00000000000..911914fa3df --- /dev/null +++ b/releasenotes/notes/27726.yaml 
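Review bot: The comment carried over into `NewServer` justifies `InsecureSkipVerify: true` by kubelet parity but does not say what keeps it contained, namely that the requests built in `handleAppProbe` target `localhost`. Now that the client is stored on the `Server` and reachable from any method, that constraint should be explicit, for example `// Only used for probe requests to localhost (see handleAppProbe); do not reuse this client for any other host.` The client also keeps Go's default redirect policy, so it is worth checking whether a probe response can redirect the agent off localhost while verification is disabled. The loop body and `NewServer` itself continue outside the hunk.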
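Review bot: The added comment `// get the http client must exist because` stops mid-sentence, and the lookup `httpClient := s.appProbeClient[path]` is unguarded, so a path missing from the map would yield a nil `*http.Client` that `httpClient.Do` then dereferences. Judging by the `NewServer` hunk, every prober path that passes validation gets a client, so this should not happen today, but the invariant should be stated in full: `// NewServer created a client for every configured prober path, so the lookup cannot miss here.` A cheap guard is also possible: `httpClient, ok := s.appProbeClient[path]` followed by the handler's usual error response when `!ok`. `handleAppProbe` starts and ends outside the hunk.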
@@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: networking +issue: + - 27726 +releaseNotes: + - | + **Fixed** pilot agent app probe connection leak. From 0111d7a3011c00ff7b7cb04989f4ded729aaaa21 Mon Sep 17 00:00:00 2001 From: John Howard Date: Tue, 20 Oct 2020 16:56:13 -0700 Subject: [PATCH 69/82] Bump base image (#28118) --- Makefile.core.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.core.mk b/Makefile.core.mk index ce48ba19fc8..b14bc2fdb47 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail VERSION ?= 1.6-dev # Base version of Istio image to use -BASE_VERSION ?= 1.6-dev.8 +BASE_VERSION ?= 1.6-dev.9 export GO111MODULE ?= on export GOPROXY ?= https://proxy.golang.org From 2259094caeb07b4cf631c99b71ea4a9d3840aa4e Mon Sep 17 00:00:00 2001 From: John Howard Date: Wed, 21 Oct 2020 09:01:24 -0700 Subject: [PATCH 70/82] Conditionally keep inbound listeners (#28111) --- pilot/pkg/features/pilot.go | 9 ++++++++- .../core/v1alpha3/listener_builder.go | 19 ++++++++++--------- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/pilot/pkg/features/pilot.go b/pilot/pkg/features/pilot.go index b0401ad889f..69fe9ca2c09 100644 --- a/pilot/pkg/features/pilot.go +++ b/pilot/pkg/features/pilot.go @@ -21,7 +21,6 @@ import ( "github.com/golang/protobuf/ptypes/duration" "istio.io/istio/pkg/jwt" - "istio.io/pkg/env" ) 
@@ -193,6 +192,14 @@ var ( "Gateways with same selectors in different namespaces will not be applicable.", ).Get() + EnableLegacyInboundListeners = env.RegisterBoolVar( + "PILOT_ENABLE_LEGACY_INBOUND_LISTENERS", + false, + "Enable legacy inbound listeners. When enabled, inbound redirection to port 15001 will be supported. "+ + "If disabled, inbound requests must be directed to port 15006 and will be routed by a single listener. "+ + "This is intended for migration purposes only.", + ).Get() + InboundProtocolDetectionTimeout = env.RegisterDurationVar( "PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT", 1*time.Second, diff --git a/pilot/pkg/networking/core/v1alpha3/listener_builder.go b/pilot/pkg/networking/core/v1alpha3/listener_builder.go index 94995f3529b..cfa25afc43f 100644 --- a/pilot/pkg/networking/core/v1alpha3/listener_builder.go +++ b/pilot/pkg/networking/core/v1alpha3/listener_builder.go @@ -28,8 +28,6 @@ import ( "github.com/golang/protobuf/ptypes/wrappers" networking "istio.io/api/networking/v1alpha3" - "istio.io/pkg/log" - "istio.io/istio/pilot/pkg/features" "istio.io/istio/pilot/pkg/model" istionetworking "istio.io/istio/pilot/pkg/networking" @@ -39,6 +37,7 @@ import ( "istio.io/istio/pilot/pkg/networking/util" "istio.io/istio/pkg/config/protocol" "istio.io/istio/pkg/proto" + "istio.io/pkg/log" ) var ( 
@@ -168,15 +167,17 @@ func (lb *ListenerBuilder) aggregateVirtualInboundListener(needTLSForPassThrough lb.virtualInboundListener.ListenerFiltersTimeout = ptypes.DurationProto(timeout) lb.virtualInboundListener.ContinueOnListenerFiltersTimeout = true - // All listeners except bind_to_port=true listeners are now a part of virtual inbound and not needed - // we can filter these ones out. - bindToPortInbound := make([]*xdsapi.Listener, 0, len(lb.inboundListeners)) - for _, i := range lb.inboundListeners { - if isBindtoPort(i) { - bindToPortInbound = append(bindToPortInbound, i) + if !features.EnableLegacyInboundListeners { + // All listeners except bind_to_port=true listeners are now a part of virtual inbound and not needed + // we can filter these ones out. + bindToPortInbound := make([]*xdsapi.Listener, 0, len(lb.inboundListeners)) + for _, i := range lb.inboundListeners { + if isBindtoPort(i) { + bindToPortInbound = append(bindToPortInbound, i) + } } + lb.inboundListeners = bindToPortInbound } - lb.inboundListeners = bindToPortInbound return lb } From a717973e7dc0033398c7c9292fd6e812d3fccde3 Mon Sep 17 00:00:00 2001 From: jacob-delgado Date: Wed, 28 Oct 2020 17:06:16 -0600 Subject: [PATCH 71/82] Update fake-stackdriver to the one used in istio/proxy release-1.6 (#28152) See https://github.com/istio/proxy/blob/release-1.6/test/envoye2e/stackdriver_plugin/cmd/Makefile#L21 --- pkg/test/framework/components/stackdriver/stackdriver.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/test/framework/components/stackdriver/stackdriver.yaml b/pkg/test/framework/components/stackdriver/stackdriver.yaml index 941b49e6fcb..2e16eb0f7ae 100644 --- a/pkg/test/framework/components/stackdriver/stackdriver.yaml +++ b/pkg/test/framework/components/stackdriver/stackdriver.yaml 
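Review bot: The new `if !features.EnableLegacyInboundListeners` branch says nothing about the flag-on case, and the comment moved inside it still describes the per-port listeners as "not needed". With the flag set, `lb.inboundListeners` is left untouched, so presumably those listeners are emitted alongside the virtual inbound listener. A line above the `if` would make the intent explicit: `// With PILOT_ENABLE_LEGACY_INBOUND_LISTENERS set, keep the per-port inbound listeners so traffic redirected to 15001 still has a match.` The diffstat for this commit lists only pilot.go and listener_builder.go, so the flag-on path appears to ship without a test. The function starts outside the hunk.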
@@ -41,7 +41,7 @@ spec: app: stackdriver spec: containers: - - image: gcr.io/istio-testing/fake-stackdriver:2.0 + - image: gcr.io/istio-testing/fake-stackdriver:3.0 imagePullPolicy: Always name: stackdriver ports: From ad98f026dfeee44e686179d2811849ae3fe8ff5c Mon Sep 17 00:00:00 2001 From: John Howard Date: Wed, 28 Oct 2020 20:20:18 -0700 Subject: [PATCH 72/82] optimize memory usage (#25531) (#25532) (#28369) (cherry picked from commit ec9166a1e46945c6e301b1165c7ec1cc61b0aeb6) Co-authored-by: Dozer --- pilot/pkg/model/config.go | 15 ++++++++++++--- pilot/pkg/model/sidecar.go | 15 +++++++-------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/pilot/pkg/model/config.go b/pilot/pkg/model/config.go index 63996641e75..d778e29624c 100644 --- a/pilot/pkg/model/config.go +++ b/pilot/pkg/model/config.go @@ -16,24 +16,23 @@ package model import ( "fmt" + "hash/crc32" "sort" "strings" "time" - "istio.io/pkg/ledger" - udpa "github.com/cncf/udpa/go/udpa/type/v1" "github.com/gogo/protobuf/proto" mccpb "istio.io/api/mixer/v1/config/client" networking "istio.io/api/networking/v1alpha3" - "istio.io/istio/pkg/config/constants" "istio.io/istio/pkg/config/host" "istio.io/istio/pkg/config/labels" "istio.io/istio/pkg/config/schema/collection" "istio.io/istio/pkg/config/schema/collections" "istio.io/istio/pkg/config/schema/resource" + "istio.io/pkg/ledger" ) var ( 
@@ -49,6 +48,16 @@ type ConfigKey struct { Namespace string } +func (key ConfigKey) HashCode() uint32 { + var result uint32 + result = 31*result + crc32.ChecksumIEEE([]byte(key.Kind.Kind)) + result = 31*result + crc32.ChecksumIEEE([]byte(key.Kind.Version)) + result = 31*result + crc32.ChecksumIEEE([]byte(key.Kind.Group)) + result = 31*result + crc32.ChecksumIEEE([]byte(key.Namespace)) + result = 31*result + crc32.ChecksumIEEE([]byte(key.Name)) + return result +} + // ConfigsOfKind extracts configs of the specified kind. func ConfigsOfKind(configs map[ConfigKey]struct{}, kind resource.GroupVersionKind) map[ConfigKey]struct{} { ret := make(map[ConfigKey]struct{}) diff --git a/pilot/pkg/model/sidecar.go b/pilot/pkg/model/sidecar.go index 41e31e93cc6..213adb5c260 100644 --- a/pilot/pkg/model/sidecar.go +++ b/pilot/pkg/model/sidecar.go @@ -19,11 +19,10 @@ import ( "strings" networking "istio.io/api/networking/v1alpha3" - "istio.io/istio/pkg/config/schema/resource" - "istio.io/istio/pkg/config/constants" "istio.io/istio/pkg/config/host" "istio.io/istio/pkg/config/protocol" + "istio.io/istio/pkg/config/schema/resource" ) const ( @@ -92,7 +91,7 @@ type SidecarScope struct { // Set of known configs this sidecar depends on. // This field will be used to determine the config/resource scope // which means which config changes will affect the proxies within this scope. - configDependencies map[ConfigKey]struct{} + configDependencies map[uint32]struct{} } // IstioEgressListenerWrapper is a wrapper for @@ -155,7 +154,7 @@ func DefaultSidecarScopeForNamespace(ps *PushContext, configNamespace string) *S EgressListeners: []*IstioEgressListenerWrapper{defaultEgressListener}, services: defaultEgressListener.services, destinationRules: make(map[host.Name]*Config), - configDependencies: make(map[ConfigKey]struct{}), + configDependencies: make(map[uint32]struct{}), } // Now that we have all the services that sidecars using this scope (in 
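Review bot: `ConfigKey.HashCode` folds five CRC32 values into one `uint32`, and sidecar.go now keys `configDependencies` by that value alone (`map[uint32]struct{}` here, `DependsOnConfig` and `AddConfigDependencies` in the later hunks), so two distinct keys with the same hash cannot be told apart. As far as these hunks show, a collision can only make `DependsOnConfig` return true for a key that was never added, never false for one that was; that is presumably why the trade-off is acceptable, but it is not written down anywhere. I would add a doc comment on the exported method: `// HashCode returns a 32-bit hash of the key. It is not collision-free; callers must tolerate distinct keys sharing a value.` CRC32 gives no collision resistance for names chosen by a less-trusted tenant, so the comment on `configDependencies` should also say that membership is approximate.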
@@ -207,7 +206,7 @@ func ConvertToSidecarScope(ps *PushContext, sidecarConfig *Config, configNamespa r := sidecarConfig.Spec.(*networking.Sidecar) out := &SidecarScope{ - configDependencies: make(map[ConfigKey]struct{}), + configDependencies: make(map[uint32]struct{}), } out.EgressListeners = make([]*IstioEgressListenerWrapper, 0) @@ -465,7 +464,7 @@ func (sc *SidecarScope) DependsOnConfig(config ConfigKey) bool { return true } - _, exists := sc.configDependencies[config] + _, exists := sc.configDependencies[config.HashCode()] return exists } @@ -477,11 +476,11 @@ func (sc *SidecarScope) AddConfigDependencies(dependencies ...ConfigKey) { } if sc.configDependencies == nil { - sc.configDependencies = make(map[ConfigKey]struct{}) + sc.configDependencies = make(map[uint32]struct{}) } for _, config := range dependencies { - sc.configDependencies[config] = struct{}{} + sc.configDependencies[config.HashCode()] = struct{}{} } } From 76a3a53bb338591e5e1bf5fa65d8426a1ca7c363 Mon Sep 17 00:00:00 2001 From: John Howard Date: Tue, 3 Nov 2020 17:22:44 -0800 Subject: [PATCH 73/82] [1.6] Adjust inbound and outbound filter chains (#28442) (#28554) * Adjust inbound and outbound filter chains (#28442) * Adjust inbound and outbound filter chains * fix test (cherry picked from commit 1f422dd56161d16f9e77bcde5ccc7cd3e065e870) * fixes --- pilot/pkg/features/pilot.go | 4 ++ .../pkg/networking/core/v1alpha3/listener.go | 7 +-- .../core/v1alpha3/listener_builder.go | 45 +++++++++++++++---- .../networking/core/v1alpha3/listener_test.go | 4 +- tests/integration/pilot/routing_test.go | 35 +++++++++++++++ tests/integration/pilot/sidecar_api_test.go | 6 +-- 6 files changed, 85 insertions(+), 16 deletions(-) diff --git a/pilot/pkg/features/pilot.go b/pilot/pkg/features/pilot.go index 69fe9ca2c09..633b30a20d0 100644 --- a/pilot/pkg/features/pilot.go +++ b/pilot/pkg/features/pilot.go 
@@ -341,4 +341,8 @@ var ( "It is safe to disable it if you are quite sure you don't need this feature").Get() InjectionWebhookConfigName = env.RegisterStringVar("INJECTION_WEBHOOK_CONFIG_NAME", "istio-sidecar-injector", "Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.") + + PilotEnableLoopBlockers = env.RegisterBoolVar("PILOT_ENABLE_LOOP_BLOCKER", true, + "If enabled, Envoy will be configured to prevent traffic directly to the inbound/outbound "+ + "ports (15001/15006). This prevents traffic loops. This option will be removed, and considered always enabled, in 1.9.").Get() ) diff --git a/pilot/pkg/networking/core/v1alpha3/listener.go b/pilot/pkg/networking/core/v1alpha3/listener.go index 18dca836993..5beb6a81126 100644 --- a/pilot/pkg/networking/core/v1alpha3/listener.go +++ b/pilot/pkg/networking/core/v1alpha3/listener.go @@ -92,9 +92,10 @@ const ( // VirtualOutboundCatchAllTCPFilterChainName is the name of the catch all tcp filter chain VirtualOutboundCatchAllTCPFilterChainName = "virtualOutbound-catchall-tcp" - // VirtualOutboundTrafficLoopFilterChainName is the name of the filter chain that handles - // pod IP traffic loops - VirtualOutboundTrafficLoopFilterChainName = "virtualOutbound-trafficloop" + // VirtualOutboundCatchAllTCPFilterChainName is the name of the filter chain to blackhole undesired traffic + VirtualOutboundBlackholeFilterChainName = "virtualOutbound-blackhole" + // VirtualInboundCatchAllTCPFilterChainName is the name of the filter chain to blackhole undesired traffic + VirtualInboundBlackholeFilterChainName = "virtualInbound-blackhole" // VirtualInboundListenerName is the name for traffic capture listener VirtualInboundListenerName = "virtualInbound" diff --git a/pilot/pkg/networking/core/v1alpha3/listener_builder.go b/pilot/pkg/networking/core/v1alpha3/listener_builder.go index cfa25afc43f..780e42fe406 100644 --- a/pilot/pkg/networking/core/v1alpha3/listener_builder.go 
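Review bot: The doc comments on the two new constants in `listener.go` name the wrong identifiers: `VirtualOutboundBlackholeFilterChainName` is documented as `VirtualOutboundCatchAllTCPFilterChainName` and `VirtualInboundBlackholeFilterChainName` as `VirtualInboundCatchAllTCPFilterChainName`, which looks like a copy of the comment above them. They should read `// VirtualOutboundBlackholeFilterChainName is the name of the filter chain to blackhole undesired traffic` and `// VirtualInboundBlackholeFilterChainName is the name of the filter chain to blackhole undesired traffic`. It would also help to say what "undesired" means here, namely connections addressed directly to the capture ports, as the flag description in `pilot.go` does.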
+++ b/pilot/pkg/networking/core/v1alpha3/listener_builder.go @@ -410,7 +410,22 @@ func buildInboundCatchAllNetworkFilterChains(configgen *ConfigGeneratorImpl, if node.SupportsIPv6() { ipVersions = append(ipVersions, util.InboundPassthroughClusterIpv6) } - filterChains := make([]*listener.FilterChain, 0, 2) + filterChains := make([]*listener.FilterChain, 0, 3) + if features.PilotEnableLoopBlockers { + filterChains = append(filterChains, &listener.FilterChain{ + Name: VirtualInboundBlackholeFilterChainName, + FilterChainMatch: &listener.FilterChainMatch{ + DestinationPort: &wrappers.UInt32Value{Value: ProxyInboundListenPort}, + }, + Filters: []*listener.Filter{{ + Name: xdsutil.TCPProxy, + ConfigType: &listener.Filter_TypedConfig{TypedConfig: util.MessageToAny(&tcp_proxy.TcpProxy{ + StatPrefix: util.BlackHoleCluster, + ClusterSpecifier: &tcp_proxy.TcpProxy_Cluster{Cluster: util.BlackHoleCluster}, + })}, + }}, + }) + } needTLS := false for _, clusterName := range ipVersions { 
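Review bot: The inbound blackhole chain is built without the explanation that the outbound one carries, and the two literals in `buildInboundCatchAllNetworkFilterChains` and `buildOutboundCatchAllNetworkFilterChains` are identical apart from the name and the port. A reader of the inbound code gets no hint why `ProxyInboundListenPort` is matched, so I would add `// Traffic addressed directly to the inbound capture port must not be passed through back to this listener.` above the `FilterChainMatch`. Moving the literal into one private helper taking `(name string, port uint32)`, say `buildBlackholeFilterChain`, would keep the two chains from drifting apart, with call sites such as `filterChains = append(filterChains, buildBlackholeFilterChain(VirtualInboundBlackholeFilterChainName, ProxyInboundListenPort))`. Both chains also use `util.BlackHoleCluster` as `StatPrefix`, so blocked loop attempts cannot be told apart from other blackholed traffic in the stats; a distinct prefix would make them visible to operators. The function body continues outside the hunk.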
@@ -641,11 +656,25 @@ func buildOutboundCatchAllNetworkFilterChains(_ *ConfigGeneratorImpl, node *model.Proxy, push *model.PushContext) []*listener.FilterChain { filterStack := buildOutboundCatchAllNetworkFiltersOnly(push, node) - - return []*listener.FilterChain{ - { - Name: VirtualOutboundCatchAllTCPFilterChainName, - Filters: filterStack, - }, - } + chains := make([]*listener.FilterChain, 0, 2) + if features.PilotEnableLoopBlockers { + chains = append(chains, &listener.FilterChain{ + Name: VirtualOutboundBlackholeFilterChainName, + FilterChainMatch: &listener.FilterChainMatch{ + // We should not allow requests to the listen port directly. Requests must be + // sent to some other original port and iptables redirected to 15001. This + // ensures we do not passthrough back to the listen port. + DestinationPort: &wrappers.UInt32Value{Value: uint32(push.Mesh.ProxyListenPort)}, + }, + Filters: []*listener.Filter{{ + Name: xdsutil.TCPProxy, + ConfigType: &listener.Filter_TypedConfig{TypedConfig: util.MessageToAny(&tcp_proxy.TcpProxy{ + StatPrefix: util.BlackHoleCluster, + ClusterSpecifier: &tcp_proxy.TcpProxy_Cluster{Cluster: util.BlackHoleCluster}, + })}, + }}, + }) + } + chains = append(chains, &listener.FilterChain{Name: VirtualOutboundCatchAllTCPFilterChainName, Filters: filterStack}) + return chains } diff --git a/pilot/pkg/networking/core/v1alpha3/listener_test.go b/pilot/pkg/networking/core/v1alpha3/listener_test.go index 74323a9ae22..900d8d5658d 100644 --- a/pilot/pkg/networking/core/v1alpha3/listener_test.go +++ b/pilot/pkg/networking/core/v1alpha3/listener_test.go 
@@ -1361,7 +1361,7 @@ func TestOutboundListenerAccessLogs(t *testing.T) { for _, l := range listeners { if l.Name == VirtualOutboundListenerName { fc := &tcp_proxy.TcpProxy{} - if err := getFilterConfig(l.FilterChains[0].Filters[0], fc); err != nil { + if err := getFilterConfig(l.FilterChains[1].Filters[0], fc); err != nil { t.Fatalf("failed to get TCP Proxy config: %s", err) } if fc.AccessLog == nil { @@ -1393,7 +1393,7 @@ func TestOutboundListenerAccessLogs(t *testing.T) { func validateAccessLog(t *testing.T, l *xdsapi.Listener, format string) { t.Helper() fc := &tcp_proxy.TcpProxy{} - if err := getFilterConfig(l.FilterChains[0].Filters[0], fc); err != nil { + if err := getFilterConfig(l.FilterChains[1].Filters[0], fc); err != nil { t.Fatalf("failed to get TCP Proxy config: %s", err) } if fc.AccessLog == nil { diff --git a/tests/integration/pilot/routing_test.go b/tests/integration/pilot/routing_test.go index a5bda55eceb..e6b9c684d83 100644 --- a/tests/integration/pilot/routing_test.go +++ b/tests/integration/pilot/routing_test.go @@ -15,11 +15,13 @@ package pilot import ( + "context" "fmt" "testing" "time" echoclient "istio.io/istio/pkg/test/echo/client" + epb "istio.io/istio/pkg/test/echo/proto" "istio.io/istio/pkg/test/framework" "istio.io/istio/pkg/test/framework/components/echo" "istio.io/istio/pkg/test/framework/components/echo/echoboot" 
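Review bot: Both assertions in `listener_test.go` now pick the passthrough chain with the fixed index `FilterChains[1]`, which is only right while `PILOT_ENABLE_LOOP_BLOCKER` is on and the blackhole chain is the only chain in front of it; `sidecar_api_test.go` makes the same assumption with `{.filterChains[1]...}`. Selecting the chain by name, by comparing each chain's `Name` with `VirtualOutboundCatchAllTCPFilterChainName` in a short loop, would keep the tests valid when the flag is off or another chain is added. None of the visible test changes asserts that the blackhole chain is present and first in the list, which is the property the commit relies on; a check such as `l.FilterChains[0].Name == VirtualOutboundBlackholeFilterChainName` would cover it. Both test functions start and end outside their hunks.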
@@ -125,3 +127,36 @@ spec: } }) } + +func TestTrafficLoop(t *testing.T) { + framework. + NewTest(t). + RequiresEnvironment(environment.Kube). + Run(func(ctx framework.TestContext) { + ns := namespace.NewOrFail(t, ctx, namespace.Config{ + Prefix: "echo", + Inject: true, + }) + + var a, b echo.Instance + echoboot.NewBuilderOrFail(t, ctx). + With(&a, echoConfig(ns, "a")). + With(&b, echoConfig(ns, "b")). + BuildOrFail(t) + for _, port := range []string{"15001", "15006"} { + ctx.NewSubTest(port).Run(func(ctx framework.TestContext) { + dwl := b.WorkloadsOrFail(ctx)[0] + cwl := a.WorkloadsOrFail(ctx)[0] + resp, err := cwl.ForwardEcho(context.Background(), &epb.ForwardEchoRequest{ + Url: fmt.Sprintf("http://%s:%s", dwl.Address(), port), + Count: 1, + }) + // Ideally we would actually check to make sure we do not blow up the pod, + // but I couldn't find a way to reliably detect this. + if err == nil { + ctx.Fatalf("expected request to fail, but it didn't: %v", resp) + } + }) + } + }) +} diff --git a/tests/integration/pilot/sidecar_api_test.go b/tests/integration/pilot/sidecar_api_test.go index ced07f63df5..2c473299866 100644 --- a/tests/integration/pilot/sidecar_api_test.go +++ b/tests/integration/pilot/sidecar_api_test.go 
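Review bot: `TestTrafficLoop` passes on any error returned by `ForwardEcho`, so a failure unrelated to the blackhole chain (a workload that is not ready, a wrong address) is counted as success, and the inline comment concedes that the pod's health is not checked. A control request from `a` to a regular echo port of `b` that must succeed before the 15001/15006 requests are sent would at least show that the path works and only the capture ports are refused. I would also state the limitation in the test's doc comment, for example `// TestTrafficLoop only checks that direct requests to the capture ports fail; it does not verify that the proxy stays healthy.`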
@@ -92,9 +92,9 @@ func validateListenersNoConfig(t *testing.T, response *structpath.Instance) { Select("{.resources[?(@.address.socketAddress.portValue==15001)]}"). Equals("virtualOutbound", "{.name}"). Equals("0.0.0.0", "{.address.socketAddress.address}"). - Equals("envoy.tcp_proxy", "{.filterChains[0].filters[0].name}"). - Equals("PassthroughCluster", "{.filterChains[0].filters[0].typedConfig.cluster}"). - Equals("PassthroughCluster", "{.filterChains[0].filters[0].typedConfig.statPrefix}"). + Equals("envoy.tcp_proxy", "{.filterChains[1].filters[0].name}"). + Equals("PassthroughCluster", "{.filterChains[1].filters[0].typedConfig.cluster}"). + Equals("PassthroughCluster", "{.filterChains[1].filters[0].typedConfig.statPrefix}"). Equals(true, "{.useOriginalDst}"). CheckOrFail(t) }) From 1d84c50ef07e47a58fbd2685098fd39325a718fd Mon Sep 17 00:00:00 2001 From: jacob-delgado Date: Wed, 11 Nov 2020 17:30:09 -0700 Subject: [PATCH 74/82] Update release-1.6 dependencies (#28622) * Run UPDATE_BRANCH=release-1.6 ./bin/update_deps.sh; make gen * Fix broken telemetry test --- go.mod | 4 ++-- go.sum | 8 ++++---- istio.deps | 2 +- pkg/test/framework/components/stackdriver/kube.go | 1 + prow/release-commit.sh | 2 +- 5 files changed, 9 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index e31395ed9cb..d7a2f03f723 100644 --- a/go.mod +++ b/go.mod @@ -159,8 +159,8 @@ require ( gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 istio.io/api v0.0.0-20201005161549-d516b0116b1e - istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 - istio.io/pkg v0.0.0-20200709220414-14d5de656564 + istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4 + istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9 k8s.io/api v0.18.1 k8s.io/apiextensions-apiserver v0.18.0 k8s.io/apimachinery v0.18.1 diff --git a/go.sum b/go.sum index d0949e6aa38..c1dc86ecebf 100644 --- a/go.sum +++ b/go.sum 
@@ -1066,10 +1066,10 @@ istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml istio.io/api v0.0.0-20201005161549-d516b0116b1e h1:X8IgFv7k+ssOmsbNI2G7iKlAmi7rPqywX4iygITOURQ= istio.io/api v0.0.0-20201005161549-d516b0116b1e/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= -istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8 h1:41vUsZxxi7Kq9pyxmk7xjSKrYEYyXCQsTvP4mWOXzoI= -istio.io/gogo-genproto v0.0.0-20200709220749-8607e17318e8/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= -istio.io/pkg v0.0.0-20200709220414-14d5de656564 h1:iaOIWnzUh6T7O2ViQL9EDY6TtnPgDkNSohIcpJ92bHw= -istio.io/pkg v0.0.0-20200709220414-14d5de656564/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU= +istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4 h1:/8Jzbsvj4njGfvAfIrkfvwWY4aqg4O0n5eZBZPTLWVQ= +istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= +istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9 h1:pSru9BIJRRQjFWIKGBP+7hR/pRYgTePo4bJbCzAF6C8= +istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU= k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48= k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= k8s.io/api v0.18.0/go.mod h1:q2HRQkfDzHMBZL9l/y9rH63PkQl4vae0xRT+8prbrK8= diff --git a/istio.deps b/istio.deps index da4cb75a70f..80590ae6f22 100644 --- a/istio.deps +++ b/istio.deps @@ -4,7 +4,7 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "ef96e9c2f0b0d2a31e3a9426c4b339db0b33885f" + "lastStableSHA": "980ec12ace4ed77e7d6eb1755ae43724231b39f0" }, { "_comment": "", diff --git a/pkg/test/framework/components/stackdriver/kube.go b/pkg/test/framework/components/stackdriver/kube.go index 560998d8068..ea7285c1bfc 100644 
--- a/pkg/test/framework/components/stackdriver/kube.go +++ b/pkg/test/framework/components/stackdriver/kube.go @@ -165,6 +165,7 @@ func (c *kubeComponent) ListLogEntries() ([]*loggingpb.LogEntry, error) { l.HttpRequest.RequestSize = 0 l.HttpRequest.ServerIp = "" l.HttpRequest.RemoteIp = "" + l.HttpRequest.UserAgent = "" l.HttpRequest.Latency = nil delete(l.Labels, "request_id") delete(l.Labels, "source_name") diff --git a/prow/release-commit.sh b/prow/release-commit.sh index 57e61e22680..58e57b5b120 100755 --- a/prow/release-commit.sh +++ b/prow/release-commit.sh @@ -32,7 +32,7 @@ DOCKER_HUB=${DOCKER_HUB:-gcr.io/istio-testing} GCS_BUCKET=${GCS_BUCKET:-istio-build/dev} # Use a pinned version in case breaking changes are needed -BUILDER_SHA=9aac43a9201b5e3a47a956680ca1ddffb75222f4 +BUILDER_SHA=e7faacdeae0eec2fb9723406999106a6758964dd # Reference to the next minor version of Istio # This will create a version like 1.4-alpha.sha From 2e6e85e902c1be7021df6c6b64aec099228e914d Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 13 Nov 2020 10:39:38 -0800 Subject: [PATCH 75/82] Automator: update common-files@release-1.6 in istio/istio@release-1.6 (#28868) --- common/.commonfiles.sha | 2 +- common/scripts/setup_env.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index fc3c68a93cb..26ad48fc62a 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -1503234f312b836d9764cb3efd60fd6dff304efa +758a07d2c3884ec331764d34a5c4f7ab8afbae5c diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index 252bb57d196..0c20bb433c6 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -59,7 +59,7 @@ fi # Build image to use if [[ "${IMAGE_VERSION:-}" == "" ]]; then - export IMAGE_VERSION=release-1.6-2020-10-01T21-30-44 + export IMAGE_VERSION=release-1.6-2020-11-13T15-30-50 fi if [[ "${IMAGE_NAME:-}" == "" ]]; then export IMAGE_NAME=build-tools 
From 8679fb5d1a8aacc8a22539ff45fac945a121bca0 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Fri, 13 Nov 2020 12:46:13 -0800 Subject: [PATCH 76/82] Automator: update istio/api@release-1.6 dependency in istio/istio@release-1.6 (#28870) --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d7a2f03f723..db49fd6784e 100644 --- a/go.mod +++ b/go.mod @@ -158,7 +158,7 @@ require ( gopkg.in/square/go-jose.v2 v2.3.1 gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 - istio.io/api v0.0.0-20201005161549-d516b0116b1e + istio.io/api v0.0.0-20201113182140-d4b7e3fc2b44 istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4 istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9 k8s.io/api v0.18.1 diff --git a/go.sum b/go.sum index c1dc86ecebf..a0724306fba 100644 --- a/go.sum +++ b/go.sum @@ -1063,8 +1063,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml9iS5NfNfqZGRt1pS9aVEo= -istio.io/api v0.0.0-20201005161549-d516b0116b1e h1:X8IgFv7k+ssOmsbNI2G7iKlAmi7rPqywX4iygITOURQ= -istio.io/api v0.0.0-20201005161549-d516b0116b1e/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= +istio.io/api v0.0.0-20201113182140-d4b7e3fc2b44 h1:mfs4UJtpH8ElVEohFZw39qDGv9gg7TOkYVTwJZGQ5Yc= +istio.io/api v0.0.0-20201113182140-d4b7e3fc2b44/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4 h1:/8Jzbsvj4njGfvAfIrkfvwWY4aqg4O0n5eZBZPTLWVQ= istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= 
From 2398158d6107e3b707ced6c58916b8e8071e9fad Mon Sep 17 00:00:00 2001 From: Eric Van Norman Date: Mon, 16 Nov 2020 14:19:43 -0600 Subject: [PATCH 77/82] Update 1.6 base image (#28923) --- Makefile.core.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.core.mk b/Makefile.core.mk index b14bc2fdb47..848e9f426df 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail VERSION ?= 1.6-dev # Base version of Istio image to use -BASE_VERSION ?= 1.6-dev.9 +BASE_VERSION ?= 1.6-dev.10 export GO111MODULE ?= on export GOPROXY ?= https://proxy.golang.org From 48183e1a7598ad380c7c2ea1e935de476efdf049 Mon Sep 17 00:00:00 2001 From: Steve Larkin Date: Tue, 17 Nov 2020 18:43:42 +0100 Subject: [PATCH 78/82] [release-1.6] cherry-pick: do not update root certs for destination rule certs (#27268) (#28869) * do not update root certs for destination rule certs (#27268) Signed-off-by: Rama Chavali (cherry picked from commit 2cbbf53da0acb42d23decabd2dacd7929961f515) * common/scripts: Fix quoting Quoting was causing CI lint check to fail: https://storage.googleapis.com/istio-prow/pr-logs/pull/istio_istio/28869/lint_istio_release-1.6/1328742716099530752/build-log.txt Signed-off-by: Steve Larkin Co-authored-by: Rama Chavali --- common/scripts/gobuild.sh | 2 +- common/scripts/setup_env.sh | 2 +- security/pkg/nodeagent/cache/secretcache.go | 12 +++++++----- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/common/scripts/gobuild.sh b/common/scripts/gobuild.sh index 17b66bd7d54..97e58875579 100755 --- a/common/scripts/gobuild.sh +++ b/common/scripts/gobuild.sh @@ -86,6 +86,6 @@ fi time GOOS=${BUILD_GOOS} GOARCH=${BUILD_GOARCH} ${GOBINARY} build \ ${V} "${GOBUILDFLAGS_ARRAY[@]}" ${GCFLAGS:+-gcflags "${GCFLAGS}"} \ -o "${OUT}" \ - ${OPTIMIZATION_FLAGS} \ + "${OPTIMIZATION_FLAGS}" \ -pkgdir="${GOPKG}/${BUILD_GOOS}_${BUILD_GOARCH}" \ -ldflags "${LDFLAGS} ${LD_EXTRAFLAGS}" "${@}" 
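Review bot: Quoting `"${OPTIMIZATION_FLAGS}"` in `gobuild.sh` passes an empty-string argument to `${GOBINARY} build` whenever the variable is empty, and turns several flags into a single word when it holds more than one; the same applies to `"$readlink_flags"` in the `setup_env.sh` hunk of this commit. Whether either variable can be empty is decided outside the hunks, so this needs checking, but an empty operand would presumably be read by `go build` as a package path and by `readlink` as a file name. The line just above already shows the safe form with `${GCFLAGS:+-gcflags "${GCFLAGS}"}`; the equivalents here are `${OPTIMIZATION_FLAGS:+"${OPTIMIZATION_FLAGS}"}` and `${readlink_flags:+"$readlink_flags"}`. If several flags are possible, an array like `GOBUILDFLAGS_ARRAY` is the better fit.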
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index 0c20bb433c6..b26a40e9988 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh @@ -69,7 +69,7 @@ export UID DOCKER_GID=$(grep '^docker:' /etc/group | cut -f3 -d:) export DOCKER_GID -TIMEZONE=$(readlink $readlink_flags /etc/localtime | sed -e 's/^.*zoneinfo\///') +TIMEZONE=$(readlink "$readlink_flags" /etc/localtime | sed -e 's/^.*zoneinfo\///') export TIMEZONE export TARGET_OUT="${TARGET_OUT:-$(pwd)/out/${TARGET_OS}_${TARGET_ARCH}}" diff --git a/security/pkg/nodeagent/cache/secretcache.go b/security/pkg/nodeagent/cache/secretcache.go index 741fc8fcfe1..6d6389ef6e1 100644 --- a/security/pkg/nodeagent/cache/secretcache.go +++ b/security/pkg/nodeagent/cache/secretcache.go @@ -730,7 +730,7 @@ func (sc *SecretCache) keyCertificateExist(certPath, keyPath string) bool { } // Generate a root certificate item from the passed in rootCertPath -func (sc *SecretCache) generateRootCertFromExistingFile(rootCertPath, token string, connKey ConnKey) (*model.SecretItem, error) { +func (sc *SecretCache) generateRootCertFromExistingFile(rootCertPath, token string, connKey ConnKey, workload bool) (*model.SecretItem, error) { rootCert, err := ioutil.ReadFile(rootCertPath) if err != nil { return nil, err @@ -743,8 +743,10 @@ func (sc *SecretCache) generateRootCertFromExistingFile(rootCertPath, token stri return nil, fmt.Errorf("failed to extract expiration time in the root certificate loaded from file: %v", err) } - // Set the rootCert - sc.setRootCert(rootCert, certExpireTime) + // Set the rootCert only if it is workload root cert. + if workload { + sc.setRootCert(rootCert, certExpireTime) + } return &model.SecretItem{ ResourceName: connKey.ResourceName, RootCert: rootCert, 
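Review bot: The new `workload bool` parameter of `generateRootCertFromExistingFile` decides whether the file's certificate replaces the cached root through `sc.setRootCert`, yet the function comment still only says "Generate a root certificate item from the passed in rootCertPath" and the call sites in the following hunks pass bare `true` and `false`. Since this flag is what keeps a CA file referenced by a destination rule from overwriting the workload trust root, it deserves a doc line such as `// workload must be true only for the proxy's own root cert; only then is the cached root replaced via setRootCert.` and a short comment at each call site. The diffstat lists only `secretcache.go` for this package, so no test pins the behaviour; a case that loads a non-workload CA file and checks that the cached root is unchanged would guard against regression. The function body continues outside both hunks.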
@@ -798,7 +800,7 @@ func (sc *SecretCache) generateFileSecret(connKey ConnKey, token string) (bool, // Default root certificate. case connKey.ResourceName == RootCertReqResourceName && sc.rootCertificateExist(sc.existingRootCertFile): sdsFromFile = true - ns, err = sc.generateRootCertFromExistingFile(sc.existingRootCertFile, token, connKey) + ns, err = sc.generateRootCertFromExistingFile(sc.existingRootCertFile, token, connKey, true) sc.addFileWatcher(sc.existingRootCertFile, token, connKey) // Default workload certificate. case connKey.ResourceName == WorkloadKeyCertResourceName && sc.keyCertificateExist(sc.existingCertChainFile, sc.existingKeyFile): @@ -814,7 +816,7 @@ func (sc *SecretCache) generateFileSecret(connKey ConnKey, token string) (bool, switch { case ok && cfg.IsRootCertificate() && sc.rootCertificateExist(cfg.CaCertificatePath): sdsFromFile = true - ns, err = sc.generateRootCertFromExistingFile(cfg.CaCertificatePath, token, connKey) + ns, err = sc.generateRootCertFromExistingFile(cfg.CaCertificatePath, token, connKey, false) sc.addFileWatcher(cfg.CaCertificatePath, token, connKey) case ok && cfg.IsKeyCertificate() && sc.keyCertificateExist(cfg.CertificatePath, cfg.PrivateKeyPath): sdsFromFile = true From a2393b0f428283ac1dc69c928a2d5f2af8bc44b7 Mon Sep 17 00:00:00 2001 From: Zhonghu Xu Date: Wed, 18 Nov 2020 15:15:39 +0800 Subject: [PATCH 79/82] Workloadentry add should trigger push to the associated proxy (#28846) --- .../pkg/serviceregistry/external/servicediscovery.go | 4 ++++ .../serviceregistry/external/servicediscovery_test.go | 11 ++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/pilot/pkg/serviceregistry/external/servicediscovery.go b/pilot/pkg/serviceregistry/external/servicediscovery.go index a7754907e70..365d74d9ebc 100644 --- a/pilot/pkg/serviceregistry/external/servicediscovery.go +++ b/pilot/pkg/serviceregistry/external/servicediscovery.go 
@@ -141,6 +141,10 @@ func getWorkloadEntryHandler(c *ServiceEntryStore) func(model.Config, model.Conf } c.edsUpdate(instances) + // trigger full xds push to the related sidecar proxy + if event == model.EventAdd { + c.XdsUpdater.ProxyUpdate(c.Cluster(), wle.Address) + } } } diff --git a/pilot/pkg/serviceregistry/external/servicediscovery_test.go b/pilot/pkg/serviceregistry/external/servicediscovery_test.go index be02ba9d140..7990803632b 100644 --- a/pilot/pkg/serviceregistry/external/servicediscovery_test.go +++ b/pilot/pkg/serviceregistry/external/servicediscovery_test.go @@ -72,6 +72,7 @@ type Event struct { kind string host string namespace string + proxyIP string endpoints int pushReq *model.PushRequest } @@ -90,7 +91,8 @@ func (fx *FakeXdsUpdater) ConfigUpdate(req *model.PushRequest) { fx.Events <- Event{kind: "xds", pushReq: req} } -func (fx *FakeXdsUpdater) ProxyUpdate(_, _ string) { +func (fx *FakeXdsUpdater) ProxyUpdate(_, ip string) { + fx.Events <- Event{kind: "xds", proxyIP: ip} } func (fx *FakeXdsUpdater) SvcUpdate(_, hostname string, namespace string, _ model.Event) { @@ -496,7 +498,8 @@ func TestServiceDiscoveryWorkloadUpdate(t *testing.T) { expectProxyInstances(t, sd, instances, "2.2.2.2") expectServiceInstances(t, sd, selector, 0, instances) expectEvents(t, events, Event{kind: "eds", host: "selector.com", - namespace: selector.Namespace, endpoints: 2}) + namespace: selector.Namespace, endpoints: 2}, + Event{kind: "xds", proxyIP: "2.2.2.2"}) }) t.Run("another workload", func(t *testing.T) { 
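Review bot: The proxy push in `getWorkloadEntryHandler` is issued only for `model.EventAdd` and hands `wle.Address` to `ProxyUpdate` as the proxy IP without checking it. If a WorkloadEntry is later updated to a different address, the proxy at the new address presumably gets no full push, and an address that is empty or a host name would be passed on as if it were an IP; both cases should be confirmed against the handler code outside the hunk. At minimum the comment could record the intent, for example `// Only a newly added entry needs a full push to its own proxy; updates and deletes are covered by the EDS update above.`, if that is indeed the reasoning. A guard such as `if event == model.EventAdd && net.ParseIP(wle.Address) != nil {` would make the IP assumption explicit, though it needs the `net` import, which is not visible here.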
@@ -515,7 +518,9 @@ func TestServiceDiscoveryWorkloadUpdate(t *testing.T) { makeInstanceWithServiceAccount(selector, "3.3.3.3", 445, selector.Spec.(*networking.ServiceEntry).Ports[1], map[string]string{"app": "wle"}, "default")) expectServiceInstances(t, sd, selector, 0, instances) - expectEvents(t, events, Event{kind: "eds", host: "selector.com", namespace: selector.Namespace, endpoints: 4}) + expectEvents(t, events, + Event{kind: "eds", host: "selector.com", namespace: selector.Namespace, endpoints: 4}, + Event{kind: "xds", proxyIP: "3.3.3.3"}) }) t.Run("deletion", func(t *testing.T) { From a04a184c16b5267f2b0e748171f98b13272a9573 Mon Sep 17 00:00:00 2001 From: jacob-delgado Date: Fri, 20 Nov 2020 09:57:56 -0700 Subject: [PATCH 80/82] [release-1.6] Cherry pick: fix conflict between replicas with hpa (#29051) * fix conflict between replicas with hpa. * add release note. * Update releasenotes/notes/28916.yaml Co-authored-by: Shamsher Ansari Co-authored-by: morvencao Co-authored-by: Morven Cao Co-authored-by: Shamsher Ansari --- .../mixer-telemetry/templates/deployment.yaml | 4 ++++ releasenotes/notes/28916.yaml | 8 ++++++++ 2 files changed, 12 insertions(+) create mode 100644 releasenotes/notes/28916.yaml diff --git a/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml b/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml index 6c7d0e450b9..33cf518971b 100644 --- a/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml +++ b/manifests/charts/istio-telemetry/mixer-telemetry/templates/deployment.yaml @@ -8,7 +8,11 @@ metadata: istio: mixer release: {{ .Release.Name }} spec: +{{- if not .Values.mixer.telemetry.autoscaleEnabled }} +{{- if .Values.mixer.telemetry.replicaCount }} replicas: {{ .Values.mixer.telemetry.replicaCount }} +{{- end }} +{{- end }} strategy: rollingUpdate: maxSurge: {{ .Values.mixer.telemetry.rollingMaxSurge }} 
diff --git a/releasenotes/notes/28916.yaml b/releasenotes/notes/28916.yaml new file mode 100644 index 00000000000..d6f0916532f --- /dev/null +++ b/releasenotes/notes/28916.yaml @@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: bug-fix +area: istioctl +issue: + - 28916 +releaseNotes: + - | + **Fixed** HPA settings for telemetry is overridden by the inline replicas. From 4487619fb11f12f679791a591aa903cee82428ed Mon Sep 17 00:00:00 2001 From: jacob-delgado Date: Fri, 20 Nov 2020 10:43:21 -0700 Subject: [PATCH 81/82] [release-1/6] update dependencies (#29086) * run UPDATE_BRANCH=release-1.6 ./bin/update_deps.sh; make gen * Revert quote removal --- go.mod | 4 ++-- go.sum | 8 ++++---- istio.deps | 4 ++-- prow/release-commit.sh | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index db49fd6784e..18f1eda95f0 100644 --- a/go.mod +++ b/go.mod @@ -159,8 +159,8 @@ require ( gopkg.in/yaml.v2 v2.2.8 helm.sh/helm/v3 v3.2.0 istio.io/api v0.0.0-20201113182140-d4b7e3fc2b44 - istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4 - istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9 + istio.io/gogo-genproto v0.0.0-20201113182723-5b8563d8a012 + istio.io/pkg v0.0.0-20201113182530-a5cdf6e8c3cd k8s.io/api v0.18.1 k8s.io/apiextensions-apiserver v0.18.0 k8s.io/apimachinery v0.18.1 diff --git a/go.sum b/go.sum index a0724306fba..47c781ca477 100644 --- a/go.sum +++ b/go.sum 
@@ -1066,10 +1066,10 @@ istio.io/api v0.0.0-20190515205759-982e5c3888c6/go.mod h1:hhLFQmpHia8zgaM37vb2ml istio.io/api v0.0.0-20201113182140-d4b7e3fc2b44 h1:mfs4UJtpH8ElVEohFZw39qDGv9gg7TOkYVTwJZGQ5Yc= istio.io/api v0.0.0-20201113182140-d4b7e3fc2b44/go.mod h1:kyq3g5w42zl/AKlbzDGppYpGMQYMYMyZKeq0/eexML8= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= -istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4 h1:/8Jzbsvj4njGfvAfIrkfvwWY4aqg4O0n5eZBZPTLWVQ= -istio.io/gogo-genproto v0.0.0-20201005161743-abf9e8cbe7a4/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= -istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9 h1:pSru9BIJRRQjFWIKGBP+7hR/pRYgTePo4bJbCzAF6C8= -istio.io/pkg v0.0.0-20201005161447-26c76ee34ff9/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU= +istio.io/gogo-genproto v0.0.0-20201113182723-5b8563d8a012 h1:rCPnRe6A2LvpvP1/fy1ZzPFBUaWmBUHxFEw4Onphd7c= +istio.io/gogo-genproto v0.0.0-20201113182723-5b8563d8a012/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= +istio.io/pkg v0.0.0-20201113182530-a5cdf6e8c3cd h1:7C+MPiK9MJoGtzrXC0Jlq4r9e084LipK9FePdkCHNUM= +istio.io/pkg v0.0.0-20201113182530-a5cdf6e8c3cd/go.mod h1:pwGaxLUDLobzL/WvWV94z72LvBbB1dr2UUUyPuasfIU= k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0HRNyQ+8KTEERVsK0PW48= k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= k8s.io/api v0.18.0/go.mod h1:q2HRQkfDzHMBZL9l/y9rH63PkQl4vae0xRT+8prbrK8= diff --git a/istio.deps b/istio.deps index 80590ae6f22..f501eede22d 100644 --- a/istio.deps +++ b/istio.deps 
@@ -4,13 +4,13 @@ "name": "PROXY_REPO_SHA", "repoName": "proxy", "file": "", - "lastStableSHA": "980ec12ace4ed77e7d6eb1755ae43724231b39f0" + "lastStableSHA": "1ef6cb53abbb057185f4bcb60e28cf92c3a174ad" }, { "_comment": "", "name": "CNI_REPO_SHA", "repoName": "cni", "file": "", - "lastStableSHA": "14b34ea7e9aa3757375f2b98011739ebcceb02ed" + "lastStableSHA": "d052e5add3525fb34c88741062368af6136663ef" } ] diff --git a/prow/release-commit.sh b/prow/release-commit.sh index 58e57b5b120..e382a56811a 100755 --- a/prow/release-commit.sh +++ b/prow/release-commit.sh @@ -32,7 +32,7 @@ DOCKER_HUB=${DOCKER_HUB:-gcr.io/istio-testing} GCS_BUCKET=${GCS_BUCKET:-istio-build/dev} # Use a pinned version in case breaking changes are needed -BUILDER_SHA=e7faacdeae0eec2fb9723406999106a6758964dd +BUILDER_SHA=94e555db1ec205dd160357e1cb48488c3af00522 # Reference to the next minor version of Istio # This will create a version like 1.4-alpha.sha From 3ddc57b6d1e15afebefd725e01c0dc7099f3f6dd Mon Sep 17 00:00:00 2001 From: Eric Van Norman Date: Fri, 20 Nov 2020 13:43:48 -0600 Subject: [PATCH 82/82] Update base image for build (#29094) --- Makefile.core.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.core.mk b/Makefile.core.mk index 848e9f426df..8e2dc7208e7 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail VERSION ?= 1.6-dev # Base version of Istio image to use -BASE_VERSION ?= 1.6-dev.10 +BASE_VERSION ?= 1.6-dev.12 export GO111MODULE ?= on export GOPROXY ?= https://proxy.golang.org