feature: add ssl_trusted_certificate argument for ssl.verify_client().

Author: theweakgod

lib/ngx/ssl.lua

@@ -100,7 +100,7 @@ if subsystem == 'http' then
     void ngx_http_lua_ffi_free_priv_key(void *cdata);
 
     int ngx_http_lua_ffi_ssl_verify_client(void *r,
-        void *cdata, int depth, char **err);
+        void *client_certs, void *trusted_certs, int depth, char **err);
 
     int ngx_http_lua_ffi_ssl_client_random(ngx_http_request_t *r,
         const unsigned char *out, size_t *outlen, char **err);
@@ -198,7 +198,7 @@ elseif subsystem == 'stream' then
     void ngx_stream_lua_ffi_free_priv_key(void *cdata);
 
     int ngx_stream_lua_ffi_ssl_verify_client(void *r,
-        void *cdata, int depth, char **err);
+        void *client_certs, void *trusted_certs, int depth, char **err);
 
     int ngx_stream_lua_ffi_ssl_client_random(ngx_stream_lua_request_t *r,
         unsigned char *out, size_t *outlen, char **err);
@@ -484,7 +484,7 @@ function _M.set_priv_key(priv_key)
 end
 
 
-function _M.verify_client(ca_certs, depth)
+function _M.verify_client(client_certs, depth, trusted_certs)
     local r = get_request()
     if not r then
         error("no request found")
@@ -494,7 +494,8 @@ function _M.verify_client(ca_certs, depth)
         depth = -1
     end
 
-    local rc = ngx_lua_ffi_ssl_verify_client(r, ca_certs, depth, errmsg)
+    local rc = ngx_lua_ffi_ssl_verify_client(r, client_certs, trusted_certs,
+                                             depth, errmsg)
     if rc == FFI_OK then
         return true
     end

lib/ngx/ssl.md

@@ -19,6 +19,8 @@ Table of Contents
     * [server_name](#server_name)
     * [server_port](#server_port)
     * [raw_server_addr](#raw_server_addr)
+    * [export_keying_material](#export_keying_material)
+    * [export_keying_material_early](#export_keying_material_early)
     * [raw_client_addr](#raw_client_addr)
     * [get_tls1_version](#get_tls1_version)
     * [get_tls1_version_str](#get_tls1_version_str)
@@ -30,8 +32,6 @@ Table of Contents
     * [set_priv_key](#set_priv_key)
     * [verify_client](#verify_client)
     * [get_client_random](#get_client_random)
-    * [export_keying_material](#export_keying_material)
-    * [export_keying_material_early](#export_keying_material_early)
     * [get_req_ssl_pointer](#get_req_ssl_pointer)
 * [Community](#community)
     * [English Mailing List](#english-mailing-list)
@@ -608,20 +608,23 @@ This function was first added in version `0.1.7`.
 
 verify_client
 -------------
-**syntax:** *ok, err = ssl.verify_client(ca_certs?, depth?)*
+**syntax:** *ok, err = ssl.verify_client(client_certs?, depth?, trusted_certs?)*
 
 **context:** *ssl_certificate_by_lua**
 
 Requires a client certificate during TLS handshake.
 
-The `ca_certs` is the CA certificate chain opaque pointer returned by the
+The `client_certs` is the CA certificate chain opaque pointer returned by the
 [parse_pem_cert](#parse_pem_cert) function for the current SSL connection.
 The list of certificates will be sent to clients. Also, they will be added to trusted store.
 If omitted, will not send any CA certificate to clients.
 
 The `depth` is the verification depth in the client certificates chain.
 If omitted, will use the value specified by `ssl_verify_depth`.
 
+The `trusted_certs` is same returned by the
+[parse_pem_cert](#parse_pem_cert) function. They will be added to trusted store.
+
 Returns `true` on success, or a `nil` value and a string describing the error otherwise.
 
 Note that TLS is not terminated when verification fails. You need to examine Nginx variable `$ssl_client_verify`
@@ -690,7 +693,7 @@ Bugs and Patches
 Please report bugs or submit patches by
 
 1. creating a ticket on the [GitHub Issue Tracker](https://github.com/openresty/lua-resty-core/issues),
-1. or posting to the [OpenResty community](#community).
+2. or posting to the [OpenResty community](#community).
 
 [Back to TOC](#table-of-contents)
 

t/cert/mtls_ca.crt

@@ -0,0 +1,78 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            32:ed:21:56:d8:4e:aa:03:89:a9:4a:a4:e2:85:2d:8a:3b:2b:89:22
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = California, O = OpenResty, CN = OpenResty Testing Root CA
+        Validity
+            Not Before: Mar 13 15:49:00 2022 GMT
+            Not After : Mar  8 15:49:00 2042 GMT
+        Subject: C = US, ST = California, O = OpenResty, CN = OpenResty Testing Root CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:e6:37:d2:c6:17:36:c7:b2:7f:7d:cf:d0:62:87:
+                    99:d9:21:b8:de:ff:d8:e2:3a:1c:68:90:8f:ce:17:
+                    68:22:b0:60:30:cc:29:e8:34:ee:ff:b2:25:de:6e:
+                    1a:d4:df:10:19:11:4b:40:61:d3:a9:4d:80:ed:97:
+                    81:4e:c5:74:e8:4d:63:e3:5f:21:bc:5a:6e:22:a0:
+                    17:91:c1:cb:25:53:9b:9d:4e:e1:51:5b:f6:52:e7:
+                    0a:27:f6:16:c2:31:cb:6c:47:f4:89:51:15:cc:06:
+                    be:31:3e:1c:ea:ee:81:9b:c4:97:96:fd:e5:1c:95:
+                    9e:c0:65:cd:a9:9a:cb:68:67:f2:62:a0:21:eb:5a:
+                    c5:a1:92:ed:32:41:28:f9:47:34:eb:44:ae:d6:e7:
+                    76:71:11:98:c9:2e:ce:6c:7c:10:1b:c7:4c:c3:14:
+                    89:4e:d9:4c:d9:c7:43:e9:3c:29:ca:62:a9:91:b3:
+                    87:e7:d7:b4:18:ab:65:f9:6b:ed:82:ca:a1:36:35:
+                    18:05:cb:5c:24:26:13:13:f8:99:ac:99:be:9b:a6:
+                    73:df:0d:16:95:b1:dc:be:fe:7a:c2:b6:dc:c8:93:
+                    cf:10:e0:29:03:0e:28:78:18:84:ee:14:92:ab:be:
+                    5a:a0:14:a2:4a:2f:d3:d0:b8:0e:00:d2:5a:cd:e4:
+                    bd:a1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                F0:D7:4B:14:73:E1:67:00:6B:54:B4:19:20:76:12:9F:9D:8E:C8:09
+    Signature Algorithm: sha256WithRSAEncryption
+         6d:52:21:6d:6e:8c:e5:4a:28:07:65:6d:d8:7c:23:2e:c6:c1:
+         d0:ec:27:b3:b0:c3:d3:e8:fa:72:b9:de:32:4e:ff:97:8d:86:
+         a9:6d:b3:a9:b4:2d:77:ca:28:97:6a:3d:7b:a2:15:ed:34:dc:
+         72:9f:6f:e7:01:0c:d3:28:6a:80:1b:50:09:fd:d7:2c:d8:92:
+         d5:10:c4:73:15:20:7d:99:dc:de:30:7b:3c:6e:e9:66:b2:0e:
+         4e:1a:c1:51:57:6e:5b:b0:a9:f6:ff:0b:8f:07:67:31:40:5b:
+         11:a9:06:d3:d3:76:c5:d2:56:95:9a:9e:4a:16:44:4b:32:e5:
+         af:dd:4b:4d:5d:57:b8:85:69:36:93:2a:c6:0c:8f:e1:42:35:
+         be:8e:f3:e7:35:d3:2c:3a:03:31:40:75:8e:e8:dd:57:35:20:
+         5e:18:a9:76:ce:85:be:7e:3a:cf:6e:08:58:5b:47:d5:e9:c4:
+         ec:0e:e9:8e:3c:2d:5c:7b:59:20:5b:24:92:a0:e0:1e:a3:5a:
+         67:d8:ff:7f:a5:82:f1:df:db:05:65:79:88:b1:3c:e6:01:d1:
+         5a:c7:d2:6e:9a:e6:a2:da:4a:c7:19:78:d9:14:71:6e:1f:70:
+         f3:41:e5:b3:78:31:d5:22:0e:7c:1a:b2:43:d9:86:ff:53:ea:
+         2b:ba:d2:27
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIUMu0hVthOqgOJqUqk4oUtijsriSIwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoT
+CU9wZW5SZXN0eTEiMCAGA1UEAxMZT3BlblJlc3R5IFRlc3RpbmcgUm9vdCBDQTAe
+Fw0yMjAzMTMxNTQ5MDBaFw00MjAzMDgxNTQ5MDBaMFoxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlPcGVuUmVzdHkxIjAgBgNVBAMT
+GU9wZW5SZXN0eSBUZXN0aW5nIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDmN9LGFzbHsn99z9Bih5nZIbje/9jiOhxokI/OF2gisGAwzCno
+NO7/siXebhrU3xAZEUtAYdOpTYDtl4FOxXToTWPjXyG8Wm4ioBeRwcslU5udTuFR
+W/ZS5won9hbCMctsR/SJURXMBr4xPhzq7oGbxJeW/eUclZ7AZc2pmstoZ/JioCHr
+WsWhku0yQSj5RzTrRK7W53ZxEZjJLs5sfBAbx0zDFIlO2UzZx0PpPCnKYqmRs4fn
+17QYq2X5a+2CyqE2NRgFy1wkJhMT+Jmsmb6bpnPfDRaVsdy+/nrCttzIk88Q4CkD
+Dih4GITuFJKrvlqgFKJKL9PQuA4A0lrN5L2hAgMBAAGjQjBAMA4GA1UdDwEB/wQE
+AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTw10sUc+FnAGtUtBkgdhKf
+nY7ICTANBgkqhkiG9w0BAQsFAAOCAQEAbVIhbW6M5UooB2Vt2HwjLsbB0Owns7DD
+0+j6crneMk7/l42GqW2zqbQtd8ool2o9e6IV7TTccp9v5wEM0yhqgBtQCf3XLNiS
+1RDEcxUgfZnc3jB7PG7pZrIOThrBUVduW7Cp9v8LjwdnMUBbEakG09N2xdJWlZqe
+ShZESzLlr91LTV1XuIVpNpMqxgyP4UI1vo7z5zXTLDoDMUB1jujdVzUgXhipds6F
+vn46z24IWFtH1enE7A7pjjwtXHtZIFskkqDgHqNaZ9j/f6WC8d/bBWV5iLE85gHR
+WsfSbprmotpKxxl42RRxbh9w80Hls3gx1SIOfBqyQ9mG/1PqK7rSJw==
+-----END CERTIFICATE-----

t/cert/mtls_ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA5jfSxhc2x7J/fc/QYoeZ2SG43v/Y4jocaJCPzhdoIrBgMMwp
+6DTu/7Il3m4a1N8QGRFLQGHTqU2A7ZeBTsV06E1j418hvFpuIqAXkcHLJVObnU7h
+UVv2UucKJ/YWwjHLbEf0iVEVzAa+MT4c6u6Bm8SXlv3lHJWewGXNqZrLaGfyYqAh
+61rFoZLtMkEo+Uc060Su1ud2cRGYyS7ObHwQG8dMwxSJTtlM2cdD6TwpymKpkbOH
+59e0GKtl+WvtgsqhNjUYBctcJCYTE/iZrJm+m6Zz3w0WlbHcvv56wrbcyJPPEOAp
+Aw4oeBiE7hSSq75aoBSiSi/T0LgOANJazeS9oQIDAQABAoIBAQDhH9+uNE8uUv/X
+MNvvLfklWpOlBf25o+fZ3NuzRjJgEafOsCee2fyI8FWVwIfeeE8OpFm5GLDZk1+r
+dwdM10xuSheO5Z1gyfF/TJwfvamA09SNrPArFkm3YhUNZNl2hykMtwSLL06oWEOu
+dbXjit4VS9aNIbTlEe7O5/6Ih0W3zmr1yvUua2swmAZMx3GFA4kbjZZ9vDs27sdu
+K+VY3DYRbq1HkiNFT0otfke5bObFBCG7Yp8JLyhYaIkGYFoBXuZ6JNY8EuU2+YyP
+6r40tJ7StR1Q6eZJh9/1leaYGZLCh5oFyKpilTuxHbRbr5A28RJKjKvPsdDgTtQn
+yHGg70FRAoGBAOhC3TQlFcT2WCCZHHql9JEEHnHVBWnL3Jg7VJuL1i6pEIz7qQkW
+AtBEIY/nnTcVNfJ6eXznYtutYvvRSgQTUsBNRoj3s1z9wKOo4uw4LoIUXDEmHCr+
+49DiQyIO21SNMHA+dVxvGRDDjLI9Uc+Scb64QOodoX75HLRZG++24mtdAoGBAP2/
+gCjga2p8Jx9UnhIcrEIIGANyxEQeBdhF56Nt9CJy/Iwi3a6qQ/GkbeoDm5FhXnXo
+xcBaHyv2lwi4uO/hONY8eRnYxAWMwAKMZe6VnU1hWI2Ytkh+OcMPMh7NIGQf6X1o
+JZrBtnTms060TuuDjLeIlaubDR/xDrMWTMKjKbsVAoGAVLuYAZ8J6xpIGlRhbGlA
+6OrMxJCHcgpahvsWKc0BLXKmRBjHmTX7fslsSRihZWgKj1SZH7U2fpgpxV6cFxKJ
+nPhUJEHhoKo+bjZ92tnANdqBq7iQjCsDJ8Bz52fuIlGD+1795+PsDA6bNKdkQkrV
+zlNf80kuEqmFDFJ5+6EHx00CgYAf+jkpbZa71aeMgDpnZ+uhaqm0DYuEVhBAgBa/
+9sRUbw86jc5IC7cCRcmAOzIosQ+ZZls9cV4KSUohVD4iJMzn2rkcM8AIPwOXjp/t
+4DbxoHnrZjpaimW3Gjwju5AAbjEbl7tddFoNA2HHYlurvGlIW9MYzDJsOxGyKfZE
+dRF2PQKBgQDUKNHgDYEjLJ99S5Fm5zN/64bKzzDtktGdqOxik5pBKcs/BvOdLM0i
+eCjGz/3qrEoenFIBwF/IRz3ug90Zr8bWOu6DudReflAKI/N13dZ2gOTAfaX4ljJF
+w0ohSi6xs+mu1GmtipGtNxHi/J3na2BeSnSRFSUg6Zd+oh8BZQKmNg==
+-----END RSA PRIVATE KEY-----

t/cert/mtls_cert_gen/.gitignore

@@ -0,0 +1,4 @@
+*.pem
+*.csr
+cfssl
+cfssljson

t/cert/mtls_cert_gen/generate.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+rm *.pem *.csr cfssl cfssljson
+
+wget -O cfssl https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
+wget -O cfssljson https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
+chmod +x cfssl cfssljson
+
+./cfssl gencert -initca -config profile.json mtls_ca.json | ./cfssljson -bare mtls_ca
+
+./cfssl gencert -ca mtls_ca.pem -ca-key mtls_ca-key.pem -config profile.json -profile=client mtls_client.json | ./cfssljson -bare mtls_client
+./cfssl gencert -ca mtls_ca.pem -ca-key mtls_ca-key.pem -config profile.json -profile=server mtls_server.json | ./cfssljson -bare mtls_server
+
+openssl x509 -in mtls_ca.pem -text > ../mtls_ca.crt
+mv mtls_ca-key.pem ../mtls_ca.key
+
+openssl x509 -in mtls_client.pem -text > ../mtls_client.crt
+mv mtls_client-key.pem ../mtls_client.key
+
+openssl x509 -in mtls_server.pem -text > ../mtls_server.crt
+mv mtls_server-key.pem ../mtls_server.key
+
+rm *.pem *.csr cfssl cfssljson

t/cert/mtls_cert_gen/mtls_ca.json

@@ -0,0 +1,18 @@
+{
+  "CA": {
+    "expiry": "175200h",
+    "pathlen": 0
+  },
+  "CN": "OpenResty Testing Root CA",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "O": "OpenResty",
+    "ST": "California"
+  }
+ ]
+}

t/cert/mtls_cert_gen/mtls_client.json

@@ -0,0 +1,18 @@
+{
+  "CN": "[email protected]",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "O": "OpenResty",
+    "ST": "California"
+  }
+  ],
+  "hosts": [
+    "[email protected]",
+    "[email protected]"
+  ]
+}

t/cert/mtls_cert_gen/mtls_server.json

@@ -0,0 +1,17 @@
+{
+  "CN": "example.com",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+  {
+    "C": "US",
+    "O": "OpenResty",
+    "ST": "California"
+  }
+  ],
+  "hosts": [
+    "example.com"
+  ]
+}

t/cert/mtls_cert_gen/profile.json

@@ -0,0 +1,27 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "175200h"
+    },
+    "profiles": {
+      "server": {
+        "usages": [
+          "signing",
+          "digital signing",
+          "key encipherment",
+          "server auth"
+        ],
+        "expiry": "175199h"
+      },
+      "client": {
+        "usages": [
+          "signing",
+          "digital signature",
+          "key encipherment",
+          "client auth"
+        ],
+        "expiry": "175199h"
+      }
+    }
+  }
+}

t/cert/mtls_client.crt

@@ -0,0 +1,87 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            19:0a:a3:a8:9c:d4:0f:dc:c6:fa:23:7b:f8:fc:bd:f4:73:4e:7e:b1
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = California, O = OpenResty, CN = OpenResty Testing Root CA
+        Validity
+            Not Before: Mar 13 15:49:00 2022 GMT
+            Not After : Mar  8 14:49:00 2042 GMT
+        Subject: C = US, ST = California, O = OpenResty, CN = [email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:be:5b:09:4c:94:71:d3:82:54:4a:42:6a:76:aa:
+                    34:5d:28:d9:45:e6:44:9a:74:9f:a6:e6:78:49:9e:
+                    c6:20:75:32:5f:92:3b:ec:6e:4b:7b:b0:75:1c:75:
+                    09:00:05:77:d6:59:ca:55:5b:13:b6:76:3a:c6:18:
+                    dc:37:6a:20:93:e6:26:56:5d:0b:96:8c:01:f2:96:
+                    38:08:08:36:a2:64:12:21:a0:8d:48:cd:9a:26:78:
+                    92:29:b6:63:eb:14:d9:b6:e5:87:f7:d5:55:a4:cc:
+                    53:1c:a3:7c:b8:bd:ad:7c:a4:d4:86:1f:a7:1c:43:
+                    c5:1a:b5:f1:03:bd:fe:19:98:1d:b7:13:2b:93:a2:
+                    2a:0e:21:7e:42:a9:bb:28:69:49:59:e7:89:0e:7d:
+                    5a:ce:fb:d4:0c:20:6a:e1:db:b2:6a:e5:a7:55:e0:
+                    d0:58:4a:e2:08:78:82:b9:06:0c:65:f9:24:06:e6:
+                    8a:13:b2:9a:ef:1b:4a:b2:3a:b4:98:7f:dd:3c:0e:
+                    85:0b:a6:c6:47:2f:63:c2:73:52:41:db:7c:06:c3:
+                    2a:b5:2d:d1:e1:30:d5:c4:79:c9:b9:35:68:46:ad:
+                    c4:45:57:ea:11:88:27:37:ed:ac:49:2d:c4:d6:c6:
+                    a6:74:8d:d3:bc:e0:d9:69:25:0c:0c:b0:e3:b7:cb:
+                    8d:99
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                22:70:5E:30:8C:4D:66:39:E7:60:C9:29:A2:ED:95:32:34:63:5C:C0
+            X509v3 Authority Key Identifier: 
+                keyid:F0:D7:4B:14:73:E1:67:00:6B:54:B4:19:20:76:12:9F:9D:8E:C8:09
+
+            X509v3 Subject Alternative Name: 
+                email:[email protected], email:[email protected]
+    Signature Algorithm: sha256WithRSAEncryption
+         96:e7:2a:fc:2a:56:16:80:e2:d3:79:0c:46:db:c3:88:ab:d3:
+         ef:39:66:4b:a9:ab:6c:0e:30:08:07:7c:fc:03:6c:f7:dd:fb:
+         3e:a8:c8:68:28:ab:4e:73:97:80:27:5d:c5:9d:52:00:aa:08:
+         25:c8:f9:dc:df:64:73:a4:58:5b:bd:5f:1a:53:a4:33:a3:b1:
+         45:38:2d:be:d7:f3:a4:c4:f4:7a:07:71:44:f1:a2:65:02:e4:
+         71:84:01:b5:83:4b:de:83:b5:ad:ac:b9:3c:17:42:0c:9a:7d:
+         eb:7f:ab:26:dd:9b:3a:fd:95:37:55:cc:01:c3:3f:20:df:e5:
+         ed:49:51:7a:42:ea:f3:8a:3f:da:6e:c1:1a:11:b9:45:4d:6e:
+         c9:21:f4:e3:4f:31:72:5b:bb:01:92:b6:7f:f1:8a:9e:6c:d0:
+         7f:96:d7:eb:29:09:53:38:26:41:00:f2:33:04:77:bd:a9:ee:
+         60:9e:06:b7:7d:26:ae:1c:4f:56:bd:a5:b6:50:40:be:be:84:
+         2a:54:21:59:47:7d:a5:1e:63:6d:28:36:4d:a6:e4:62:69:9b:
+         9b:fa:2b:48:e8:64:d7:14:f4:62:a2:26:17:a5:05:58:4a:38:
+         d2:44:e7:33:90:b9:c1:8c:85:02:99:b8:03:1a:03:d2:cf:ac:
+         a5:6b:44:98
+-----BEGIN CERTIFICATE-----
+MIID3DCCAsSgAwIBAgIUGQqjqJzUD9zG+iN7+Py99HNOfrEwDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAoT
+CU9wZW5SZXN0eTEiMCAGA1UEAxMZT3BlblJlc3R5IFRlc3RpbmcgUm9vdCBDQTAe
+Fw0yMjAzMTMxNTQ5MDBaFw00MjAzMDgxNDQ5MDBaMFAxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQKEwlPcGVuUmVzdHkxGDAWBgNVBAMM
+D2Zvb0BleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AL5bCUyUcdOCVEpCanaqNF0o2UXmRJp0n6bmeEmexiB1Ml+SO+xuS3uwdRx1CQAF
+d9ZZylVbE7Z2OsYY3DdqIJPmJlZdC5aMAfKWOAgINqJkEiGgjUjNmiZ4kim2Y+sU
+2bblh/fVVaTMUxyjfLi9rXyk1IYfpxxDxRq18QO9/hmYHbcTK5OiKg4hfkKpuyhp
+SVnniQ59Ws771AwgauHbsmrlp1Xg0FhK4gh4grkGDGX5JAbmihOymu8bSrI6tJh/
+3TwOhQumxkcvY8JzUkHbfAbDKrUt0eEw1cR5ybk1aEatxEVX6hGIJzftrEktxNbG
+pnSN07zg2WklDAyw47fLjZkCAwEAAaOBozCBoDAOBgNVHQ8BAf8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUInBeMIxN
+ZjnnYMkpou2VMjRjXMAwHwYDVR0jBBgwFoAU8NdLFHPhZwBrVLQZIHYSn52OyAkw
+KwYDVR0RBCQwIoEPZm9vQGV4YW1wbGUuY29tgQ9iYXJAZXhhbXBsZS5jb20wDQYJ
+KoZIhvcNAQELBQADggEBAJbnKvwqVhaA4tN5DEbbw4ir0+85Zkupq2wOMAgHfPwD
+bPfd+z6oyGgoq05zl4AnXcWdUgCqCCXI+dzfZHOkWFu9XxpTpDOjsUU4Lb7X86TE
+9HoHcUTxomUC5HGEAbWDS96Dta2suTwXQgyafet/qybdmzr9lTdVzAHDPyDf5e1J
+UXpC6vOKP9puwRoRuUVNbskh9ONPMXJbuwGStn/xip5s0H+W1+spCVM4JkEA8jME
+d72p7mCeBrd9Jq4cT1a9pbZQQL6+hCpUIVlHfaUeY20oNk2m5GJpm5v6K0joZNcU
+9GKiJhelBVhKONJE5zOQucGMhQKZuAMaA9LPrKVrRJg=
+-----END CERTIFICATE-----