Add lint to check that all CRL Distribution Points only contain "http…

…" URLs (per CABF BRs 7.1.2.11.2) (#867)

* Add files via upload

* Add files via upload

* Add files via upload

* Add files via upload

* Update lint_invalid_subject_rdn_order_test.go

Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment

* Update lint_invalid_subject_rdn_order.go

Fixed import block

* Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go

Fine to me.

Co-authored-by: Christopher Henderson <chris@chenderson.org>

* Update lint_invalid_subject_rdn_order.go

As per Chris Henderson's suggestion, to "improve readability".

* Update lint_invalid_subject_rdn_order_test.go

As per Chris Henderson's suggestion.

* Update time.go

Added CABFEV_Sec9_2_8_Date

* Add files via upload

* Add files via upload

* Revised according to Chris and Corey suggestions

* Add files via upload

* Add files via upload

* Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go

* Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go

* Delete v3/testdata/invalid_cps_uri_ko_01.pem

* Delete v3/testdata/invalid_cps_uri_ko_02.pem

* Delete v3/testdata/invalid_cps_uri_ko_03.pem

* Delete v3/testdata/invalid_cps_uri_ok_01.pem

* Delete v3/testdata/invalid_cps_uri_ok_02.pem

* Delete v3/testdata/invalid_cps_uri_ok_03.pem

* Add files via upload

* Add files via upload

---------

Co-authored-by: Christopher Henderson <chris@chenderson.org>

v3/lints/cabf_br/lint_crl_distrib_points_not_http.go

@@ -0,0 +1,64 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <adriano.santoni@staff.aruba.it>
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"strings"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_crl_distrib_points_not_http",
+			Description:   "The scheme of each CRL Distribution Point MUST be 'http'",
+			Citation:      "CABF BRs §7.1.2.11.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,
+		},
+		Lint: NewCrlDistribPointsNotHTTP,
+	})
+}
+
+type crlDistribPointsNotHTTP struct{}
+
+func NewCrlDistribPointsNotHTTP() lint.LintInterface {
+	return &crlDistribPointsNotHTTP{}
+}
+
+func (l *crlDistribPointsNotHTTP) CheckApplies(c *x509.Certificate) bool {
+	return len(c.CRLDistributionPoints) > 0
+}
+
+func (l *crlDistribPointsNotHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, dp := range c.CRLDistributionPoints {
+		if !strings.HasPrefix(dp, "http:") {
+			return &lint.LintResult{
+				Status:  lint.Error,
+				Details: "Certificate contains a non-HTTP CRL distribution point",
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/cabf_br/lint_crl_distrib_points_not_http_test.go

@@ -0,0 +1,78 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test cases:
+ *
+ *      Input file              Want        Description
+ *      ==========              ====        ===========
+ *      cdp_not_http_na1.pem    NA          Subscriber cert with no CDPs at all
+ *      cdp_not_http_ne1.pem    NE          Subscriber cert with an LDAP CDP, but issued before effective date
+ *      cdp_not_http_ok1.pem    Pass        Subscriber cert with single HTTP CDP
+ *      cdp_not_http_ok2.pem    Pass        Subscriber cert with double HTTP CDP
+ *      cdp_not_http_ko1.pem    Error       Subscriber cert with single LDAP CDP, issued after effective date
+ *      cdp_not_http_ko2.pem    Error       Subscriber cert with an HTTP CDP and an LDAP CDP, issued after effective date
+ */
+
+func TestCrlDistribPointsNotHTTP(t *testing.T) {
+	type Data struct {
+		input  string
+		config string
+		want   lint.LintStatus
+	}
+	data := []Data{
+		{
+			input: "cdp_not_http_na1.pem",
+			want:  lint.NA,
+		},
+		{
+			input: "cdp_not_http_ne1.pem",
+			want:  lint.NE,
+		},
+		{
+			input: "cdp_not_http_ok1.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "cdp_not_http_ok2.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "cdp_not_http_ko1.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "cdp_not_http_ko2.pem",
+			want:  lint.Error,
+		},
+	}
+	for _, testData := range data {
+		testData := testData
+		t.Run(testData.input, func(t *testing.T) {
+			out := test.TestLintWithConfig("e_crl_distrib_points_not_http", testData.input, testData.config)
+			if out.Status != testData.want {
+				t.Errorf("expected %s, got %s", testData.want, out.Status)
+			}
+		})
+	}
+}

v3/testdata/cdp_not_http_ko1.pem

@@ -0,0 +1,101 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            81:66:2c:d3:24:f1:38:10:4c:08:e3:70:d5:ff:fb:e3
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Jul 11 13:33:25 2024 GMT
+            Not After : Jul 11 13:33:25 2025 GMT
+        Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ac:53:25:59:60:58:6e:d6:11:52:73:65:81:28:
+                    2e:bf:ae:ae:7f:f9:73:9c:21:f1:21:2e:be:23:c0:
+                    62:66:b1:4a:51:e8:19:0a:ac:05:93:64:e0:be:f1:
+                    b1:84:f7:ac:09:85:27:8c:df:78:1f:7a:01:6f:20:
+                    7d:10:36:ce:c8:86:c0:c9:f4:42:89:21:6d:f6:df:
+                    dc:e5:b5:e8:03:6a:a6:ed:9e:75:8b:bc:9d:1d:28:
+                    3c:9b:10:d9:65:3a:3f:98:0f:3d:71:fd:7d:98:e9:
+                    9f:ce:69:64:a6:1a:43:0a:8f:af:0a:18:6a:92:9d:
+                    0b:dd:d3:79:59:c2:e5:a0:de:dc:cc:69:8e:9e:73:
+                    53:39:c6:d3:46:43:36:1f:aa:c1:91:31:b5:09:24:
+                    cb:a5:25:ee:5a:da:b7:bb:c3:0c:e6:7e:bd:cf:d6:
+                    19:bc:70:af:d6:af:d8:43:0e:57:08:f6:25:88:87:
+                    be:fe:a8:db:4b:4c:09:2c:cd:12:d9:0d:e5:3a:5c:
+                    31:7b:ca:a3:80:c3:af:01:26:80:9f:88:68:5f:24:
+                    13:b5:f5:7a:5c:cd:9e:42:cd:f0:f6:ce:94:52:b6:
+                    ee:42:fd:3c:58:5e:8b:36:c6:70:d6:4e:e8:70:56:
+                    6d:15:6a:04:dc:92:ca:71:87:28:65:a6:3e:de:62:
+                    b9:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                B4:22:6E:14:41:B2:11:20:DD:43:23:BE:4C:F5:34:CB:56:A6:C7:AD
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:ldap://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         72:85:85:c5:cf:03:ea:95:07:cd:a4:c2:d4:a3:f2:04:0f:8e:
+         d2:6c:61:34:b5:6f:bc:c1:72:df:30:d3:5e:d3:db:a8:d3:3c:
+         dd:ce:0e:f8:6b:39:40:f3:b3:b1:e6:e4:5f:b5:79:7b:ae:a6:
+         db:43:c1:52:8a:1e:34:1f:c5:e5:00:9f:fc:54:98:81:01:8a:
+         e1:cd:52:09:d5:51:ae:75:c1:95:53:fe:93:23:8c:43:93:08:
+         34:bc:de:68:26:1a:48:7e:26:18:d7:d4:8f:db:6a:52:47:ea:
+         80:60:8b:a7:97:92:0e:f6:f8:31:63:31:2b:14:bd:93:f4:f6:
+         83:cd:e7:19:e5:9f:c4:3c:5f:dd:f3:42:a0:03:93:88:49:3b:
+         d9:1d:c1:51:a3:d5:91:d6:fc:3a:c1:d9:2f:dc:1c:dc:a1:20:
+         9e:67:c2:80:50:a5:ad:c7:10:95:97:3b:cb:d7:14:ad:20:a0:
+         8a:d6:3e:ad:4e:ed:39:dd:db:3d:d6:42:59:d5:5b:c4:2e:fb:
+         ac:dd:65:5c:89:ab:93:2c:c4:65:02:2f:e6:2b:46:93:55:35:
+         36:e7:ae:cc:bc:eb:96:3f:69:d7:f8:23:ed:8d:62:e3:d5:2c:
+         6b:39:e7:0f:f1:36:1c:d0:56:13:09:21:8d:81:1f:bf:d7:0d:
+         10:45:c2:67
+-----BEGIN CERTIFICATE-----
+MIIEjzCCA3egAwIBAgIRAIFmLNMk8TgQTAjjcNX/++MwDQYJKoZIhvcNAQELBQAw
+QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug
+Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNzExMTMzMzI1WhcNMjUwNzExMTMz
+MzI1WjCBiTELMAkGA1UEBhMCSVQxHzAdBgNVBAgTFlNvbWUgU3RhdGUgb3IgUHJv
+dmluY2UxEjAQBgNVBAcTCVNvbWV3aGVyZTEaMBgGA1UEChMRU29tZSBDb21wYW55
+IEx0ZC4xFDASBgNVBAMTC2V4YW1wbGUub3JnMRMwEQYDVQQFEwoxMjM0NTY3ODkw
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArFMlWWBYbtYRUnNlgSgu
+v66uf/lznCHxIS6+I8BiZrFKUegZCqwFk2TgvvGxhPesCYUnjN94H3oBbyB9EDbO
+yIbAyfRCiSFt9t/c5bXoA2qm7Z51i7ydHSg8mxDZZTo/mA89cf19mOmfzmlkphpD
+Co+vChhqkp0L3dN5WcLloN7czGmOnnNTOcbTRkM2H6rBkTG1CSTLpSXuWtq3u8MM
+5n69z9YZvHCv1q/YQw5XCPYliIe+/qjbS0wJLM0S2Q3lOlwxe8qjgMOvASaAn4ho
+XyQTtfV6XM2eQs3w9s6UUrbuQv08WF6LNsZw1k7ocFZtFWoE3JLKcYcoZaY+3mK5
+EQIDAQABo4IBNTCCATEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
+BwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUtCJuFEGyESDdQyO+TPU0y1amx60wHwYD
+VR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYIKwYBBQUHAQEEWDBWMCkG
+CCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vb2NzcDApBggrBgEF
+BQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jvb3QwFgYDVR0RBA8wDYIL
+ZXhhbXBsZS5vcmcwEwYDVR0gBAwwCjAIBgZngQwBAgIwLQYDVR0fBCYwJDAioCCg
+HoYcbGRhcDovL2NhLnNvbWVjYS1pbmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOC
+AQEAcoWFxc8D6pUHzaTC1KPyBA+O0mxhNLVvvMFy3zDTXtPbqNM83c4O+Gs5QPOz
+sebkX7V5e66m20PBUooeNB/F5QCf/FSYgQGK4c1SCdVRrnXBlVP+kyOMQ5MINLze
+aCYaSH4mGNfUj9tqUkfqgGCLp5eSDvb4MWMxKxS9k/T2g83nGeWfxDxf3fNCoAOT
+iEk72R3BUaPVkdb8OsHZL9wc3KEgnmfCgFClrccQlZc7y9cUrSCgitY+rU7tOd3b
+PdZCWdVbxC77rN1lXImrkyzEZQIv5itGk1U1NueuzLzrlj9p1/gj7Y1i49Usaznn
+D/E2HNBWEwkhjYEfv9cNEEXCZw==
+-----END CERTIFICATE-----

v3/testdata/cdp_not_http_ko2.pem

@@ -0,0 +1,105 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3a:96:d9:e0:2c:f8:b2:6c:34:63:7f:25:70:38:21:2d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Jul 11 13:34:51 2024 GMT
+            Not After : Jul 11 13:34:51 2025 GMT
+        Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:da:ab:37:0e:79:e1:60:15:b5:18:d1:44:b9:75:
+                    69:26:1b:75:c7:84:7e:86:39:26:56:1d:6e:42:5f:
+                    9b:6b:97:a8:3b:e0:9f:b4:34:94:f8:af:f3:f2:54:
+                    76:8e:74:69:da:31:59:51:76:23:26:3f:af:4c:f3:
+                    03:d8:50:14:86:a8:68:96:0f:87:09:bb:0b:67:43:
+                    dc:ce:ab:a3:b9:6a:49:2d:f8:72:06:92:14:5c:b3:
+                    06:db:c0:70:67:0c:76:2e:71:65:e2:f7:5e:1d:6a:
+                    34:fb:6e:0a:c3:7b:8b:45:91:8e:65:5b:e7:6e:10:
+                    85:e4:cd:a0:ab:dd:28:16:94:fc:8c:7d:60:d6:e9:
+                    0a:c5:3d:86:ce:a7:bb:61:3e:3b:a2:fd:92:ce:73:
+                    a5:46:7f:d5:6f:e6:63:eb:67:de:7e:b6:85:a8:ea:
+                    29:a8:e2:4f:be:0b:b5:e9:8b:6f:ed:11:fe:5f:cc:
+                    ab:b9:3c:02:58:54:62:e2:12:41:85:0a:f3:c8:50:
+                    09:72:85:49:b3:a1:2d:ff:c0:8a:c3:2f:47:1b:75:
+                    25:8f:50:4f:5b:31:b6:db:b2:ad:3d:9d:f0:3e:ec:
+                    ec:76:d1:3c:5e:fe:7c:d5:6a:4b:6c:c8:50:71:91:
+                    8a:1d:5c:c8:fe:a6:71:7e:1a:0a:d4:e3:96:fd:bb:
+                    bc:a3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                2B:E8:34:84:6A:38:96:53:0C:3C:EB:47:63:56:D2:4A:EA:22:9B:D3
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+                Full Name:
+                  URI:ldap://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         4f:c9:94:f3:15:84:e2:f3:a9:fc:17:e1:7b:eb:bc:00:49:c3:
+         e8:d7:73:a4:74:c3:16:ef:12:15:cd:4a:2d:45:d0:cd:44:b7:
+         48:5f:47:4b:73:5b:d9:9f:5b:aa:b4:2e:d4:de:e4:d1:94:1a:
+         a2:51:cd:7d:d1:30:2e:1b:16:ba:4a:bd:56:d6:ac:e5:af:bd:
+         e8:ea:3f:b7:8f:56:94:e3:8b:ab:5a:93:43:0f:59:a7:d9:f1:
+         4e:a8:09:68:c3:bc:3d:3b:71:7c:6c:78:09:64:80:2d:53:59:
+         44:19:80:49:27:85:d2:0f:fa:a7:c8:1f:91:ef:e2:58:bd:ab:
+         33:76:aa:6c:d9:da:f4:0e:af:cd:88:fc:b2:98:f0:97:18:c6:
+         14:3f:93:8c:4f:0c:94:8c:20:bd:73:a0:4c:1d:4a:9e:34:56:
+         ff:0d:12:e4:fc:a6:af:5d:67:07:7a:b3:bc:39:a6:e0:d2:b8:
+         70:86:8e:b6:d1:cc:2a:b8:a8:46:b1:60:de:ae:46:f7:67:94:
+         0d:4f:fb:d8:a7:90:66:8c:0b:56:65:90:94:5b:ae:ca:43:82:
+         25:4c:df:ad:f8:fe:ac:a0:72:e3:2c:ab:f5:50:c1:83:ec:20:
+         48:28:6a:6c:04:74:1c:04:ac:f0:fe:d1:28:77:aa:85:01:d4:
+         c0:f9:68:1b
+-----BEGIN CERTIFICATE-----
+MIIEsjCCA5qgAwIBAgIQOpbZ4Cz4smw0Y38lcDghLTANBgkqhkiG9w0BAQsFADBD
+MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD
+QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MTExMzM0NTFaFw0yNTA3MTExMzM0
+NTFaMIGJMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92
+aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg
+THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaqzcOeeFgFbUY0US5dWkm
+G3XHhH6GOSZWHW5CX5trl6g74J+0NJT4r/PyVHaOdGnaMVlRdiMmP69M8wPYUBSG
+qGiWD4cJuwtnQ9zOq6O5akkt+HIGkhRcswbbwHBnDHYucWXi914dajT7bgrDe4tF
+kY5lW+duEIXkzaCr3SgWlPyMfWDW6QrFPYbOp7thPjui/ZLOc6VGf9Vv5mPrZ95+
+toWo6imo4k++C7Xpi2/tEf5fzKu5PAJYVGLiEkGFCvPIUAlyhUmzoS3/wIrDL0cb
+dSWPUE9bMbbbsq09nfA+7Ox20Txe/nzVaktsyFBxkYodXMj+pnF+GgrU45b9u7yj
+AgMBAAGjggFZMIIBVTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwIGCCsGAQUFBwMBMB0GA1UdDgQWBBQr6DSEajiWUww860djVtJK6iKb0zAfBgNV
+HSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYI
+KwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUF
+BzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAWBgNVHREEDzANggtl
+eGFtcGxlLm9yZzATBgNVHSAEDDAKMAgGBmeBDAECAjBRBgNVHR8ESjBIMCKgIKAe
+hhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMCKgIKAehhxsZGFwOi8vY2Eu
+c29tZWNhLWluYy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBPyZTzFYTi86n8
+F+F767wAScPo13OkdMMW7xIVzUotRdDNRLdIX0dLc1vZn1uqtC7U3uTRlBqiUc19
+0TAuGxa6Sr1W1qzlr73o6j+3j1aU44urWpNDD1mn2fFOqAlow7w9O3F8bHgJZIAt
+U1lEGYBJJ4XSD/qnyB+R7+JYvaszdqps2dr0Dq/NiPyymPCXGMYUP5OMTwyUjCC9
+c6BMHUqeNFb/DRLk/KavXWcHerO8Oabg0rhwho620cwquKhGsWDerkb3Z5QNT/vY
+p5BmjAtWZZCUW67KQ4IlTN+t+P6soHLjLKv1UMGD7CBIKGpsBHQcBKzw/tEod6qF
+AdTA+Wgb
+-----END CERTIFICATE-----