Project import
diff --git a/tlsdate/.travis.yml b/tlsdate/.travis.yml
new file mode 100644
index 0000000..57e3045
--- /dev/null
+++ b/tlsdate/.travis.yml
@@ -0,0 +1,12 @@
+language: c
+before_script: ./autogen.sh
+compiler:
+ - clang
+ - gcc
+branches:
+ only:
+ - master
+before_install:
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq autotools-dev dh-apparmor hardening-wrapper libssl-dev autoconf automake pkg-config libtool
+script: ./configure && make && make test
diff --git a/tlsdate/AUTHORS b/tlsdate/AUTHORS
new file mode 100644
index 0000000..6905aff
--- /dev/null
+++ b/tlsdate/AUTHORS
@@ -0,0 +1,4 @@
+Jacob Appelbaum <jacob@appelbaum.net>
+Christian Grothoff <christian@grothoff.org>
+Elly Jones <elly@leptoquark.net>
+Will Drewry <wad@chromium.org>
diff --git a/tlsdate/Android.mk b/tlsdate/Android.mk
new file mode 100644
index 0000000..939f9e9
--- /dev/null
+++ b/tlsdate/Android.mk
@@ -0,0 +1,98 @@
+# Copyright (C) 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+tlsdate_tlsdated_sources := \
+ src/conf.c \
+ src/dbus.c \
+ src/events/check_continuity.c \
+ src/events/kickoff_time_sync.c \
+ src/events/route_up.c \
+ src/events/run_tlsdate.c \
+ src/events/save.c \
+ src/events/sigchld.c \
+ src/events/sigterm.c \
+ src/events/time_set.c \
+ src/events/tlsdate_status.c \
+ src/platform-cros.c \
+ src/routeup.c \
+ src/seccomp.c \
+ src/tlsdate-monitor.c \
+ src/tlsdate-setter.c \
+ src/tlsdated.c \
+ src/util.c \
+
+tlsdate_common_shared_libs := libcrypto libdbus libevent
+
+define tlsdate_common
+ LOCAL_CFLAGS += \
+ -DWITH_EVENTS -DHAVE_DBUS -DHAVE_CROS -DHAVE_PV_UIO \
+ -DRECENT_COMPILE_DATE=$$$(BUILD_DATETIME_FROM_FILE)L \
+ -DTARGET_OS_LINUX -Wall -Werror -Wno-unused-parameter
+endef
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdate
+LOCAL_SRC_FILES := src/tlsdate.c
+$(eval $(tlsdate_common))
+include $(BUILD_EXECUTABLE)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdate-helper
+LOCAL_SRC_FILES := \
+ src/compat/clock-linux.c \
+ src/proxy-bio.c \
+ src/seccomp.c \
+ src/tlsdate-helper.c \
+ src/util.c
+LOCAL_SHARED_LIBRARIES := libcrypto libevent libssl
+$(eval $(tlsdate_common))
+include $(BUILD_EXECUTABLE)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdate_proxy-bio_unittest
+LOCAL_SRC_FILES := \
+ src/proxy-bio-unittest.c \
+ src/proxy-bio.c \
+ src/seccomp.c \
+ src/test-bio.c \
+ src/util.c
+LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
+$(eval $(tlsdate_common))
+include $(BUILD_NATIVE_TEST)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdated
+LOCAL_INIT_RC := init/tlsdated.rc
+LOCAL_REQUIRED_MODULES := tlsdated.rc
+LOCAL_SRC_FILES := $(tlsdate_tlsdated_sources)
+LOCAL_CFLAGS := -DTLSDATED_MAIN
+LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
+$(eval $(tlsdate_common))
+include $(BUILD_EXECUTABLE)
+
+
+include $(CLEAR_VARS)
+LOCAL_MODULE := tlsdated_unittest
+LOCAL_SRC_FILES := \
+ src/tlsdated-unittest.c \
+ $(tlsdate_tlsdated_sources)
+LOCAL_SHARED_LIBRARIES := $(tlsdate_common_shared_libs)
+$(eval $(tlsdate_common))
+include $(BUILD_NATIVE_TEST)
diff --git a/tlsdate/CHANGELOG b/tlsdate/CHANGELOG
new file mode 100644
index 0000000..f6bbb45
--- /dev/null
+++ b/tlsdate/CHANGELOG
@@ -0,0 +1,168 @@
+0.0.13 Thu 28, May, 2015
+ Update default host to google.com - www.ptb.de randomized timestamps
+0.0.12 Sun 26, Oct, 2014
+ Fix AppArmor for tlsdated: allow unprivileged helper to read the time.
+ Update tlsdated systemd service file.
+ Various little fixes and an early release to make the Debian Freeze!
+0.0.11 Mon 20, Oct, 2014
+ Fix routeup flushing when using stdout (Avery Pennarun).
+ Update AppArmor profile to support multiarch systems.
+ Instruct syslog to properly output tlsdated and pid information.
+ (This closes: https://github.com/ioerror/tlsdate/issues/144 )
+ Fix -Wsizeof-pointer-memaccess in build of tlsdated unit test.
+ FreeBSD build improvements (Fabian Keil).
+ Update man pages.
+ Update AppArmor profile to remove unused stanzas.
+ Fix seccomp filter support on x86 systems (Will Drewry).
+ Refactor chatty tlsdated logging output to make it quiet.
+ Close syslog after tlsdated finishes using it.
+ Update systemd and init.d scripts for Debian.
+0.0.10 Fri 26, Sep, 2014
+ tlsdated removed from /usr/bin and now is only in /usr/sbin
+ This release is because 0.0.9 had two trivial bugs. Argh.
+0.0.9 Fri 25, Sep, 2014
+ Fix missing function prototype.
+ major libevent refactor by Will Drewry and Elly Fong-Jones of Google.
+ tlsdated should now function properly on ChromeOS and Debian GNU/Linux
+ Add ability to set COMPILE_DATE at configure/build time.
+ Add support for deterministic builds on Debian GNU/*.
+0.0.8 Sun 14, Sep, 2014
+ Add Debian GNU/Hurd and Debian GNU/kFreeBSD build support.
+ Fix build on FreeBSD 10 and 11.
+ Add FreeBSD (9.2 & 11-CURRENT) support for tlsdate and
+ tlsdate-helper. (Fabian Keil).
+ Update man pages (Kartik Mistry, Holger Levsen).
+ tlsdate will now abort if time fetch has a long delay (Avery Pennarun).
+ Updates for tlsdate related systemd service (Holger Levsen).
+ Check previously unchecked return codes (Brian Aker).
+ Update headers to reflect the correct location (Brian Aker).
+ Addition of various TODO items.
+ Update git tag to reference new GnuPG key
+ Key fingerprint = D2C6 7D20 E9C3 6C2A C5FE 74A2 D255 D3F5 C868 227F
+ Update tlsdate HTTPS user-agent to reflect proper version number
+0.0.7 Sat 2 Nov, 2013
+ Add tentative -plan9.[ch] versions of tlsdate-helper.
+ Add -x option to tlsdated to override source proxies.
+ Correctly check SANs against target host when using proxies.
+ Fix a race in tlsdate-dbus-announce that can cause signal drops.
+ Support -l argument to tlsdated.
+ Pass -l and -v arguments from tlsdated to tlsdate.
+ Log more verbosely at tlsdated startup.
+ Add FreeBSD support for tlsdate and tlsdate-helper.
+ Add Android build support with Android NDK for tlsdate.
+ Add NetBSD 6.0.1 support for tlsdate and tlsdate-helper.
+ Add OpenBSD 5.2 support for tldate and tlsdate-helper.
+ Add official support for Debian, Ubuntu, CentOS, Fedora, RHEL, OpenSUSE,
+ and Arch GNU/Linux distros.
+ Add Mac OS X 10.8.3 support
+ Extensive setup/install documentation is now present in INSTALL for most OSes
+ Add DragonFly BSD 3.3 support
+ Refactored subprocess watching.
+ Added integration tests. Run with ./run-tests
+ Refactored event loop.
+ Added suspend/resume RTC corruption detection.
+ Add -w option to get time from HTTPS header instead of from TLS ServerHello
+ Update AppArmor profile
+ Add simple systemd service file
+ Extra verbose output available with -vv; useful verbosity is -v
+0.0.6 Mon 18 Feb, 2013
+ Ensure that tlsdate compiles with g++ by explicit casting rather than
+ implicit casting by whatever compiler is compiling tlsdate.
+ Fix a logic bug in CN parsing caught by Ryan Sleevi of the Google Chrome Team
+ Further fixes by Thijs Alkemade
+ Add PolarSSL support (We no longer require OpenSSL to function!)
+ Thanks to Paul Bakker and the PolarSSL team!
+ Experimental Mac OS X (10.8.2) support
+ Thanks to Brian Aker and Ingy döt Net for pair programming time
+0.0.5 Web 23 Jan, 2013
+ Fix spelling error in tlsdate-helper
+ Update man pages formatting
+ Add Seccomp-BPF policies to be used with Minijail
+ Update CA cert file to remove TÜRKTRUST
+ Support both CA certificate files or directories full of CA certs
+ Currently /etc/tlsdate/ca-roots/tlsdate-ca-roots.conf
+ Support announcing time updates over DBus with --enable-dbus
+ This introduces the 'tlsdate-dbus-announce' utility
+ Add support for lcov/gcov at build time
+ See ./configure --enable-code-coverage-checks and make lcov
+ Don't hardfail if DEFAULT_RTC_DEVICE cannot be opened, even if desired
+ Raspberry PI users rejoice (if the fix works)
+ Support -j to add jitter to tlsdated time checks.
+ Exponential backoff when TLS connections fail.
+ Add config file support (have a look at man/tlsdated.conf.5)
+ Support multiple hosts for time fetches
+ Add multiple hosts to your tlsdated.conf file today
+ Add simple AppArmor profile for /usr/bin/tlsdate-dbus-announce
+ Update AppArmor profile for tlsdated
+0.0.4 Wed 7 Nov, 2012
+ Fixup CHANGELOG and properly tag
+ Version Numbers Are Free! Hooray!
+ Update certificate data in ca-roots/
+ tlsdate will now call tlsdate-helper with an absolute path
+ Pointed out ages ago by 0xabad1dea and others as a better execlp path
+ forward for execution.
+0.0.3 Mon 5 Nov, 2012
+ Add tlsdate-routeup man page
+ Update all man pages to reference other related man pages
+ Fix deb Makefile target
+ Update documentation
+ misc src changes (retab, formatting, includes, etc)
+ Update AppArmor profiles
+ Add HTTP/socks4a/socks5 proxy support and update man page documentation
+0.0.2 Mon 29 Oct, 2012
+ Released at the Metalab in Vienna during their third #CryptoParty
+ Add '-n' and '--dont-set-clock' option to fetch but not set time
+ Add '-V' and '--showtime' option to display remote time
+ Add '-t' and '--timewarp' option
+ If the local clock is before RECENT_COMPILE_DATE; we set the clock to the
+ RECENT_COMPILE_DATE. If the local clock is after RECENT_COMPILE_DATE, we
+ leave the clock alone. Clock setting is performed as the first operation
+ and will impact certificate verification. Specifically, this option is
+ helpful if on first boot, the local system clock is set back to the era
+ of Disco and Terrible Hair. This should ensure that
+ X509_V_ERR_CERT_NOT_YET_VALID or X509_V_ERR_CERT_HAS_EXPIRED are not
+ encountered because of a broken RTC or the lack of a local RTC; we assume
+ that tlsdate is recompiled yearly and that all certificates are otherwise
+ considered valid.
+ Add '-l' and '--leap'
+ Normally, the passing of time or time yet to come ensures that SSL verify
+ functions will fail to validate certificates. Commonly,
+ X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully
+ annoying but still very important error states. When the only issue with
+ the certificates in question is the timing information, this option allows
+ one to trust the remote system's time, as long as it is after
+ RECENT_COMPILE_DATE and before MAX_REASONABLE_TIME. The connection will
+ only be trusted if X509_V_ERR_CERT_NOT_YET_VALID and/or
+ X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED are the only errors encountered. The
+ SSL verify function will not return X509_V_OK if there are any other
+ issues, such as self-signed certificates or if the user pins to a CA that
+ is not used by the remote server. This is useful if your RTC is broken on
+ boot and you are unable to use DNSSEC until you've at least had some kind
+ of leap of cryptographically assured data.
+ Update usage documentation
+ Move {*.c,h} into src/
+ Move *.1 into man/
+ Update TODO list to reflect desired changes
+ Update AppArmor profile to restrict {tlsdate,tlsdate-helper,tlsdated,tlsdate-routeup}
+ Update AUTHORS file to include a new email address
+ Update CHANGELOG
+ Added proper date for the 0.0.1 release
+ (Added all of the above items, obviously)
+ Print key bit length and key type information
+ Update Copyright headers to include the Great Christian Grothoff
+ Ensure key bit length and key type values are reasonable
+ Add CommonName and SAN checking
+ Add enumeration and printing of other x.509 extensions in SAN checking
+ Add SAN checking for iPAddress field per RFC2818
+ Various small bug fixes
+ Fixed various tiny memory leaks
+ Added compat layer library for future multi-platform support by David Goulet
+ Compile output is now largely silent by default
+ Wildcard certificate verification per RFC 2595
+ Add list of trusted CA certs to /etc/tlsdate/tlsdate-ca-roots.conf
+ Add Makefile target to update trusted CA certs from Mozilla's NSS trust root
+ Add tlsdated daemon
+ Add tlsdated documentation
+
+0.0.1 Fri Jul 13, 2012
+ First git tagged release
diff --git a/tlsdate/HACKING.md b/tlsdate/HACKING.md
new file mode 100644
index 0000000..b069e07
--- /dev/null
+++ b/tlsdate/HACKING.md
@@ -0,0 +1,108 @@
+Please feel free to contribute patches; here are the basic guidelines to hack
+along with us!
+
+Please work from a git tree by cloning the repo:
+
+ git clone https://github.com/ioerror/tlsdate.git
+
+Please file bugs on the tlsdate issue tracker:
+
+ https://github.com/ioerror/tlsdate/issues
+
+Please use the github pull request feature when possible.
+
+The current build status is available as a handy image:
+
+[](http://travis-ci.org/ioerror/tlsdate)
+
+Continuous integration is available for a number of platforms:
+
+ https://jenkins.torproject.org/job/tlsdate-ci-linux/
+ https://travis-ci.org/ioerror/tlsdate
+ http://build.chromium.org/p/chromiumos/waterfall
+
+White Space:
+
+ Spaces only, no tabs; all tabs must die
+ No stray spaces at the end of lines
+ Generally try not to add excessive empty white space
+
+Documentation:
+
+ Document all functions with doxygen style comments
+
+Ensuring Correctness:
+
+ Test your patches and ensure:
+
+ No compiler warnings or errors
+ No linker warnings or errors
+
+ Test your improved copy of tlsdate extensively
+
+Security:
+
+ tlsdate is security sensitive - please consider where you add code and in
+ what context it will run. When possible, run with the least privilege as is
+ possible.
+
+Proactively find bugs:
+
+ Run your copy of tlsdate under valgrind
+
+Weird but meaningful conventions are prefered in tlsdate. We prefer attention
+to detail:
+
+ if ( NULL == foo (void) )
+ {
+ bar (void);
+ }
+
+Over quick, hard to read and potentilly incorrect:
+
+ if (foo(void)==NULL))
+ bar();
+
+Define magic numbers and explain their origin:
+
+ // As taken from RFC 3.14
+ #define MAGIC_NUMBER 23 // This goes in foo.h
+ ptr = malloc (MAGIC_NUMBER);
+
+Rather than just throwing them about in code:
+
+ ptr = malloc (23);
+
+It is almost always prefered to use dynamically allocated memory:
+
+ widget_ptr = malloc (WIDGET_SIZE);
+
+Try to avoid static allocations like the following:
+
+ char widget[WIDGET_SIZE];
+
+Try to use unsigned values unless an API requires signed values:
+
+ uint32_t server_time_s;
+
+Please provide relevant CHANGELOG entries for all changes.
+Please remove items from the TODO file as they are completed.
+Please provide unittest cases.
+
+When submitting patches via email, please use `git format-patch` to format
+patches:
+
+ git format-patch 9a61fcba9bebc3fa2d91c9f79306bf316c59cbcc
+
+Email patches with a GnuPG signature whenever possible.
+
+When applying patches, please use `git am` to apply patches:
+
+ git am -i 0001-add-TODO-item.patch
+
+If `git format-patch` is not possible, please send a unified diff.
+
+When in doubt, please consult the Tor HACKING guide:
+
+ https://gitweb.torproject.org/tor.git/blob/HEAD:/doc/HACKING
+
diff --git a/tlsdate/HARDENING b/tlsdate/HARDENING
new file mode 100644
index 0000000..e977395
--- /dev/null
+++ b/tlsdate/HARDENING
@@ -0,0 +1,76 @@
+Platforms offer varying security features; we'd like to support the best.
+
+This is a document that notes which security hardening we have implemented and
+which things we'd like to see implemented for various platforms. We
+specifically address exploitation mitigation and containment; security issues
+such as x509 certification validation are not addressed here, yet. Patches,
+suggestions and improvements are welcome! We always want the strongest set of
+options by default on each supported platform.
+
+We attempt to use the C programming language correctly and in a standard way.
+We do however use some compiler specific options such as defining integer
+wrapping because we believe the practical benefit outweights the implied risks.
+As such, we prefer to be explicit rather than implicit in our casting or other
+possible ambiguity.
+
+We should treat all compiler and linker warnings as fatal errors. Currently,
+consider autotools warnings to be an exception as we would like to support
+platforms imperfectly rather than not at all. We generally wish to support
+autotools bootstrapping on all of our supported platforms. This is not possible
+on Plan 9. Currently autotools will complain on the BSD systems.
+
+On all platforms we attempt to support available compiler hardening and linking
+options. Please do not disable these options. Additional compiler and linker
+hardening options are welcome and the current options are implemented in the
+following file:
+
+ configure.ac
+
+On all platforms, we attempt to switch from the administrative user to an
+unimportant role account which shares data with no other processes. If we start
+as any user other than an administrative user, we will likely be unable to
+switch to our normal unprivileged account. These users are defined at
+`configure` time. It is most effective if such a user is not the traditional
+'nobody' or group 'nogroup' as is often the tradition.
+
+In addition to the above hardening options, we have tried to extend our
+hardening when the platform supports it. Each additional security measure that
+we take is documented as well as planned or desired improvements.
+
+We do not currently support or set ulimits, we should do so where possible.
+
+On Debian Gnu/Linux platforms, we ship with a minimal AppArmor profile, see
+the policy for details:
+
+ apparmor-profile
+
+We'd like to have an SELinux policy specifically for tlsdate.
+We'd like to support capability dropping with libcap or libcap-ng.
+We'd like to support libseccomp2 filters.
+Other kernel hardening suggestions are welcome.
+
+On ChromeOS we use minijail and seccomp filters, see the following policies for
+details:
+
+ tlsdate-seccomp-amd64.policy
+ tlsdate-seccomp-arm.policy
+ tlsdate-seccomp-x86.policy
+
+These are enabled by default in ChromeOS.
+
+On FreeBSD, we'd like to support jails, chroot, and Capsicum.
+
+On OpenBSD, we'd like to support chroot and systrace.
+
+On NetBSD, we'd like to chroot.
+
+On DragonFly BSD, we'd like to support chroot and jails.
+
+On Mac OS X, we'd like to support chroot and seatbelt.
+
+On Plan9, we'd like to chroot.
+
+On Windows, we do nothing beyond compile time hardening. We'd like to do more.
+
+On other platforms, we'll try to run correctly with the understanding that any
+bug is likely a much more serious problem.
diff --git a/tlsdate/INSTALL b/tlsdate/INSTALL
new file mode 100644
index 0000000..03e91b6
--- /dev/null
+++ b/tlsdate/INSTALL
@@ -0,0 +1,217 @@
+tlsdate should build and work on the following Operating Systems:
+
+ Debian GNU/Linux squeeze, wheezy, jessie, sid
+ Ubuntu lucid, natty, oneiric, precise, quantal
+ CentOS 6.2, 6.3, 6.4
+ Fedora 17, 18
+ RedHat Enterprise Server 6.4
+ OpenSUSE 11.2, 12.3
+ FreeBSD 9.2, 10, 11
+ Mac OS X 10.8.2, 10.8.3
+ ChromeOS Release 25, 26, 27 and above
+ Android with the Android NDK (use Makefile.android)
+ Arch Linux (Don't forget to symlink to /dev/rtc to /dev/rtc0)
+ NetBSD 6.0.1
+ OpenBSD 5.2
+ Gentoo 20130413
+ DragonFly BSD 3.3-DEVELOPMENT
+ Debian GNU/kFreeBSD 7.0 (8.2-1-amd64)
+ Debian GNU/Hurd
+
+tlsdate should build and might even work on the following Operating Systems:
+
+ Win32 with Cygwin CYGWIN_NT-6.1 1.7.18(0.263/5/3
+ Win32 with MinGW
+ Haiku r1alpha4
+
+Please file a bug or email the tlsdate team if you have successfully built or
+use tlsdate on a platform that is not listed. We are specifically looking for
+ports of tlsdate or for tlsdate integration on the following Operating Systems:
+
+ Windows native
+ OpenWRT
+ pfsense
+ OpenVMS
+ Irix
+ Minix
+ Any of the other classic unix systems
+
+Currently porting is in progress or partially documented for:
+
+ Plan9 (with APE)
+ Debian GNU/Hurd 7.0 (GNU-Mach 1.3.99-486-dbg/Hurd-0.3)
+ Currently we report "server time 0 (difference is about 1367009757 s)"
+Building and install of tlsdate on GNU/Linux and FreeBSD:
+
+ ./autogen.sh
+ ./configure
+ make
+ make install
+
+Cleaning is the usual:
+
+ make clean
+
+On Debian Gnu/Linux sid/unstable:
+
+ apt-get install tlsdate
+
+On other versions of Debian GNU/Linux and with Debian backports, tlsdate may be
+available:
+
+ apt-get install tlsdate
+
+On recent Debian GNU/Linux and related systems, we provide a systemd service.
+It will notice network changes and regularly invoke tlsdate to keep the clock
+in sync. Start it like so:
+
+ service tlsdated start
+
+On older Debian GNU/Linux and related systems, we provide an init.d script that
+controls the tlsdated daemon. It will notice network changes and regularly
+invoke tlsdate to keep the clock in sync. Start it like so:
+
+ /etc/init.d/tlsdated start
+
+Debian GNU/Hurd does not yet support autotools bootstrapping and users must
+bootstrap with `make dist` on another platform from the tlsdate git
+repository. With such a release tar.gz it is the expected process:
+
+ ./configure
+ make
+ make install
+
+Please note that setting time on GNU/Hurd has not yet been tested.
+
+On ChromeOS:
+
+ tlsdated and tlsdate are included in the ChromeOS TCB; no install needed. They
+ run automatically and are the core ntp service for ChromeOS.
+
+On Gentoo:
+
+ emerge net-misc/tlsdate
+
+On FreeBSD one may also use the ports system:
+
+ cd /usr/ports/sysutils/tlsdate
+ make
+ make install
+
+On Mac OS X, we require that you have XCode installed. You may also need brew
+for autoconf and automake packages:
+
+ brew install autoconf automake libtool pkg-config
+
+It should also be possible to install tlsdate on OS X 10.8.x with brew directly:
+
+ brew install tlsdate
+
+On Fedora:
+
+ yum install tlsdate
+
+To run tlsdated as a service on Fedora:
+
+ systemctl enable tlsdate.service
+ systemctl start tlsdate.service
+
+On Arch Linux there is a PKGBUILD in the Arch User Repository:
+
+ https://aur.archlinux.org/packages/tlsdate
+ https://aur.archlinux.org/packages/tl/tlsdate/PKGBUILD
+
+Cygwin requires that the user installs openssl-dev, gcc, pkg-config, libtool, automake, autoconf:
+
+ ./configure
+ make
+
+On Plan9 the start of building might look something like this:
+
+ ip/ipconfig
+ ndb/dns -r
+ 9fs sources
+ /n/sources/contrib/fgb/root/rc/bin/contrib/install fgb/openssl
+ mk install
+
+On Haiku we must use gcc4:
+
+ export CC=/boot/develop/abi/x86/gcc4/tools/gcc4.6.3-haiku-121101/bin/gcc
+ export LDFLAGS="$LDFLAGS -lbsd"
+ ./configure # This includes the above exports currently
+ make
+
+OpenBSD builds from source and is not yet in the port system:
+
+ export AUTOCONF_VERSION=<your installed version>
+ export AUTOMAKE_VERSION=<your installed version>
+ ./autogen.sh
+ ./configure
+ make
+ make install
+
+If you wish to make a Debian package there are several other options. It is
+expected that you are building for Sid and that you are familiar with how to
+build Debian packages that are for upload into Debian directly. It is expected
+that you should build in a chroot if you wish to have reliable and or
+reproducible builds.
+
+ # Prep your schroot
+ mysid=sid$RANDOM;
+ schroot -b -c sid -n $mysid;
+ dd-schroot-cmd -c $mysid apt-get update;
+ dd-schroot-cmd -c $mysid apt-get build-dep tlsdate;
+ # If build-dep is building an older tlsdate, you may need these tools too:
+ dd-schroot-cmd -c $mysid apt-get install git ca-certificates \
+ lintian libevent-dev libseccomp-dev;
+ echo "Your chroot is called: $mysid";
+ schroot -r -c $mysid
+ # Build tlsdate
+ git clone https://www.github.com/ioerror/tlsdate/
+ cd tlsdate/
+ git checkout debian-master
+ dpkg-buildpackage -B "-mMyName <MyEmail>" -uc
+
+Building without schroot should work with dpkg-buildpackage but the build
+environment will have to be manually configured.
+
+To make a Debian package with git-buildpackage is the expected build process:
+
+ # install dependencies
+ apt-get install git ca-certificates \
+ lintian libevent-dev libseccomp-dev build-essential \
+ autoconf dh-autoreconf dh-systemd automake autotools-dev \
+ dh-apparmor libssl-dev libevent-dev libtool pkg-config \
+ debhelper fakeroot hardening-wrapper git-buildpackage;
+ git clone https://www.github.com/ioerror/tlsdate/
+ cd tlsdate/
+ git checkout debian-master
+ git-buildpackage --git-upstream-branch=master \
+ --git-debian-branch=debian-master \
+ --git-upstream-tree=master \
+ --git-ignore-new
+
+For Android:
+
+To cross compile tlsdate for Android (tested on Linux) you must have the
+Android NDK (>=r8) installed somewhere on your system, and define the
+environment variable NDK_BASE to be the path to the NDK's root dir.
+
+ export NDK_BASE=/home/user/src/android-ndk-r8d
+
+The Android build also requires a cross-compiled OpenSSL. The Android Makefile
+will attempt to build openssl, if you provide the path via the OPENSSL_ANDROID
+env var.
+
+ git clone https://github.com/guardianproject/openssl-android.git /path/to/android-openssl
+ export OPENSSL_ANDROID=/path/to/android-openssl
+
+Once NDK_BASE and OPENSSL_ANDROID are set properly, you can cross compile tlsdate with:
+
+ make distclean # clean any previous builds
+ rm configure # distclean doesn't remove this file
+ make -f Makefile.android
+
+Android NDK: https://developer.android.com/tools/sdk/ndk/index.html
+OpenSSL for Android: https://github.com/guardianproject/openssl-android
+
diff --git a/tlsdate/LICENSE b/tlsdate/LICENSE
new file mode 100644
index 0000000..3253de6
--- /dev/null
+++ b/tlsdate/LICENSE
@@ -0,0 +1,51 @@
+ This file contains the license for tlsdate,
+ a free software project to set your system clock securely.
+
+ It also lists the licenses for other components used by tlsdate.
+
+ For more information about tlsdate, see https://github.com/ioerror/tlsdate
+
+ If you got this file as a part of a larger bundle,
+ there may be other license terms that you should be aware of.
+
+===============================================================================
+tlsdate is distributed under this license:
+
+Copyright (c) 2011-2012, Jacob Appelbaum <jacob@appelbaum.net>
+Copyright (c) 2011-2012, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+ * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
+If you got tlsdate as a static binary with OpenSSL included, then you should
+know:
+
+ "This product includes software developed by the OpenSSL Project for use in
+ the OpenSSL Toolkit (http://www.openssl.org/)"
+
+===============================================================================
diff --git a/tlsdate/MODULE_LICENSE_BSD_LIKE b/tlsdate/MODULE_LICENSE_BSD_LIKE
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tlsdate/MODULE_LICENSE_BSD_LIKE
diff --git a/tlsdate/Makefile.am b/tlsdate/Makefile.am
new file mode 100644
index 0000000..1573a7b
--- /dev/null
+++ b/tlsdate/Makefile.am
@@ -0,0 +1,149 @@
+# vim:ft=automake
+
+AM_CFLAGS="-D__STDC_LIMIT_MACROS"
+
+BUILT_SOURCES=
+doc_DATA=
+EXTRA_DIST=
+TESTS=
+bin_PROGRAMS=
+sbin_PROGRAMS=
+check_PROGRAMS=
+lib_LTLIBRARIES=
+man_MANS=
+noinst_HEADERS=
+noinst_LTLIBRARIES=
+noinst_PROGRAMS=
+
+if !TARGET_OSX
+# GNU style is "make check", this will make check and test work
+TESTS+= src/conf_unittest src/proxy-bio_unittest
+if TARGET_LINUX
+TESTS+= src/tlsdated_unittest
+endif
+test: check
+endif
+
+ACLOCAL_AMFLAGS= -I m4
+
+# Our Debian version
+DEBIAN_VERSION := $(shell if [ -e debian/changelog ]; then cat debian/changelog|head -n1|cut -d\- -f2| head -c 1; else echo "unknown"; fi)
+
+doc_DATA+= AUTHORS
+doc_DATA+= CHANGELOG
+doc_DATA+= LICENSE
+doc_DATA+= README
+doc_DATA+= TODO
+
+EXTRA_DIST+= $(doc_DATA)
+EXTRA_DIST+= apparmor-profile
+EXTRA_DIST+= autogen.sh
+EXTRA_DIST+= tlsdated.service
+
+include src/include.am
+
+# Cleanup individual files in order to preserve uninstall/etc order
+maintainer-clean-local:
+ @rm -r -f autom4te.cache
+ @rm Makefile.in
+ @rm aclocal.m4
+ @rm config.in
+ @rm config/config.guess
+ @rm config/config.sub
+ @rm config/depcomp
+ @rm config/install-sh
+ @rm config/ltmain.sh
+ @rm config/missing
+ @rm configure
+ @rmdir config
+ @rm dbus/org.torproject.tlsdate.conf
+ @rm m4/libtool.m4
+ @rm m4/ltoptions.m4
+ @rm m4/ltsugar.m4
+ @rm m4/ltversion.m4
+ @rm m4/lt~obsolete.m4
+ @rm -f tlsdate-*.tar.gz
+ -rm src/configmake.h
+ -rm dbus/org.torproject.tlsdate.conf
+ @find ./ | $(GREP) \~$$ | xargs rm -f
+
+certdir = @TLSDATE_CA_ROOTS@
+cert_DATA = ca-roots/tlsdate-ca-roots.conf
+EXTRA_DIST+= $(cert_DATA)
+
+confdir = @TLSDATE_CONF_DIR@
+if TARGET_LINUX
+conf_DATA = etc/tlsdated.conf
+EXTRA_DIST+= $(conf_DATA)
+endif
+
+# Our documentation
+man_MANS+= man/tlsdate.1
+man_MANS+= man/tlsdate-helper.1
+
+if TARGET_LINUX
+man_MANS+= man/tlsdated.8
+man_MANS+= man/tlsdated.conf.5
+endif
+
+EXTRA_DIST+= $(man_MANS)
+
+.PHONY: debian_orig git-tag git-push git-tag-debian deb really-clean valgrind_test
+debian_orig:
+ $(MAKE) dist
+ mv tlsdate-$(VERSION).tar.gz ../tlsdate_$(VERSION).orig.tar.gz
+
+git-tag:
+ git tag -u 0x1801A819 -s tlsdate-$(VERSION)
+
+git-tag-debian:
+ git tag -u 0x1801A819 -s tlsdate-$(VERSION)-debian-${DEBIAN_VERSION}
+
+git-push:
+ git push --tags
+ git push
+
+deb: debian_orig
+ debuild -i'.*' -rfakeroot -uc -us -d
+
+# This generates code coverage data that is useful for continuous integration
+lcov:
+# ./configure --enable-code-coverage-checks && make && # ... run everything and then...
+ lcov --directory src -b . --capture --output-file tlsdate.lcov && genhtml -o lcov/ tlsdate.lcov
+
+valgrind_test:
+ TESTS_ENVIRONMENT="./libtool --mode=execute valgrind --trace-children=yes --leak-check=full" ./src/tlsdate -v -V -n -H encrypted.google.com
+
+# This allows us to parse the Mozilla NSS CA trusted root list and ensures we
+# respect the trust bits as they are set - using them directly without the
+# context is dangerous. This gives us a basic set of CA roots to trust for use
+# with tlsdate without relying on any system CA list.
+# You'll need agl's extract-nss-root-certs to recreate this file:
+# https://github.com/agl/extract-nss-root-certs
+update_ca_root_data:
+ curl https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt\?raw\=1 -o ca-roots/certdata.txt
+ go run ~/Documents/code/git/extract-nss-root-certs/convert_mozilla_certdata.go ca-roots/certdata.txt > ca-roots/tlsdate-ca-roots.conf
+ rm ca-roots/certdata.txt
+
+test_run:
+ ./src/tlsdate-helper google.com 443 tlsv1 racket verbose ca-roots/tlsdate-ca-roots.conf dont-set-clock showtime no-fun holdfast none
+
+BUILT_SOURCES+= src/configmake.h
+noinst_HEADERS+= src/configmake.h
+src/configmake.h: ${top_srcdir}/Makefile.in
+ @echo "Making $@"
+ @rm -f $@-t $@
+ @{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
+ echo '#define TLSDATE_CONFIG "$(sysconfdir)/ca-roots/"'; \
+ echo '#define TLSDATE_CERTFILE "$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf"'; \
+ echo '#define TLSDATE_CONF_DIR "$(sysconfdir)/tlsdate/"'; \
+ echo '#define TLSDATE_HELPER "$(bindir)/tlsdate-helper"'; \
+ echo '#define TLSDATE "$(bindir)/tlsdate"'; \
+ echo '#define TLSDATED "$(bindir)/tlsdated"'; \
+ } | sed '/""/d' > $@-t
+ @if diff $@-t $@ >/dev/null 2>&1 ; then \
+ rm @-t ; \
+ else \
+ mv $@-t $@ ; \
+ fi
+
diff --git a/tlsdate/Makefile.android b/tlsdate/Makefile.android
new file mode 100644
index 0000000..fba97ac
--- /dev/null
+++ b/tlsdate/Makefile.android
@@ -0,0 +1,76 @@
+#
+## Cross-compile env for Android
+# Requires Android NDK >= r8
+# Requires the following env variables:
+#
+# NDK_BASE - path to your NDK's root directory
+# e.g., /home/user/android-ndk
+# OPENSSL_ANDROID - path to NDK built openssl
+# e.g., /home/user/src/openssl-android
+#
+
+# Android NDK setup
+NDK_COMPILER_VERSION=4.6
+NDK_ABI=arm
+NDK_BASE ?= /usr/local/android-ndk
+#platform level >= 8 required for dladdr()
+NDK_PLATFORM_LEVEL ?= 8
+NDK_SYSROOT=$(NDK_BASE)/platforms/android-$(NDK_PLATFORM_LEVEL)/arch-arm
+NDK_UNAME=`uname -s | tr '[A-Z]' '[a-z]'`
+NDK_TOOLCHAIN=$(NDK_BASE)/toolchains/$(NDK_ABI)-linux-androideabi-$(NDK_COMPILER_VERSION)/prebuilt/$(NDK_UNAME)-x86
+
+# to use the real HOST tag, you need the latest libtool files:
+# http://stackoverflow.com/questions/4594736/configure-does-not-recognize-androideabi
+NDK_UNAME := `uname -s | tr '[A-Z]' '[a-z]'`
+HOST := arm-linux-androideabi
+
+LOCAL_LDFLAGS = -L$(OPENSSL_ANDROID)/obj/local/armeabi/ -ldl -lcrypto -lssl -lz
+LOCAL_LDFLAGS += -L$(NDK_TOOLCHAIN)/lib/gcc/arm-linux-androideabi/$($NDK_COMPILER_VERSION) -lgcc
+CFLAGS = -I$(OPENSSL_ANDROID)/include
+CC := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-gcc --sysroot=$(NDK_SYSROOT)
+CXX := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-g++
+CPP := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-cpp
+LD := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-ld
+AR := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-ar
+RANLIB := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-ranlib
+STRIP := $(NDK_TOOLCHAIN)/bin/arm-linux-androideabi-strip \
+
+all: $(OPENSSL_ANDROID)/libs/armeabi/libcrypto.so tlsdate-build
+
+$(OPENSSL_ANDROID)/libs/armeabi/libcrypto.so:
+ cd $(OPENSSL_ANDROID) && ndk-build -j4
+
+openssl-clean:
+ -cd $(OPENSSL_ANDROID) && ndk-build clean
+
+openssl-distclean:
+ -cd $(OPENSSL_ANDROID) && ndk-build distclean
+
+configure: configure.ac
+ ./autogen.sh && \
+ CFLAGS="$(CFLAGS)" ./configure \
+ CC="$(CC)" \
+ AR=$(AR) \
+ RANLIB=$(RANLIB) \
+ CFLAGS="$(CFLAGS)" \
+ --disable-static \
+ --disable-languages \
+ --disable-dbus \
+ --host=$(HOST)
+ #--prefix=$(prefix) \
+ #--exec-prefix=$(prefix)
+
+tlsdate-build: configure
+ make -f Makefile CFLAGS="$(CFLAGS)" LDFLAGS="$(LOCAL_LDFLAGS)"
+
+tlsdate-clean:
+ -make -f Makefile clean
+
+tlsdate-distclean:
+ -make -f Makefile distclean && rm configure
+
+
+clean: openssl-clean tlsdate-clean
+distclean: openssl-distclean tlsdate-distclean
+
+.PHONY: clean openssl-clean tlsdate-clean
diff --git a/tlsdate/NOTICE b/tlsdate/NOTICE
new file mode 100644
index 0000000..3253de6
--- /dev/null
+++ b/tlsdate/NOTICE
@@ -0,0 +1,51 @@
+ This file contains the license for tlsdate,
+ a free software project to set your system clock securely.
+
+ It also lists the licenses for other components used by tlsdate.
+
+ For more information about tlsdate, see https://github.com/ioerror/tlsdate
+
+ If you got this file as a part of a larger bundle,
+ there may be other license terms that you should be aware of.
+
+===============================================================================
+tlsdate is distributed under this license:
+
+Copyright (c) 2011-2012, Jacob Appelbaum <jacob@appelbaum.net>
+Copyright (c) 2011-2012, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+ * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
+If you got tlsdate as a static binary with OpenSSL included, then you should
+know:
+
+ "This product includes software developed by the OpenSSL Project for use in
+ the OpenSSL Toolkit (http://www.openssl.org/)"
+
+===============================================================================
diff --git a/tlsdate/README b/tlsdate/README
new file mode 100644
index 0000000..2eccdde
--- /dev/null
+++ b/tlsdate/README
@@ -0,0 +1,47 @@
+tlsdate: secure parasitic rdate replacement
+
+ tlsdate sets the local clock by securely connecting with TLS to remote
+ servers and extracting the remote time out of the secure handshake. Unlike
+ ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
+ enabled service, and provides some protection against adversaries that try to
+ feed you malicious time information.
+
+On Debian GNU/Linux and related systems, we provide an init.d script that
+controls the tlsdated daemon. It will notice network changes and regularly
+invoke tlsdate to keep the clock in sync. Start it like so:
+
+ /etc/init.d/tlsdate start
+
+
+Here is an example an unprivileged user fetching the remote time:
+
+ % tlsdate -V -n -H encrypted.google.com
+ Fri Apr 19 17:56:46 PDT 2013
+
+
+This is an example run - starting as root and dropping to nobody, setting the
+clock and printing it:
+
+ % sudo tlsdate -V
+ Fri Apr 19 17:57:49 PDT 2013
+
+
+Here is an example with a custom host and custom port without verification:
+
+ % sudo tlsdate --skip-verification -p 80 -H rgnx.net
+
+Here is an example where a system may not have any kind of RTC at boot. Do the
+time warp to restore sanity and do so with a leap of faith:
+
+ % sudo tlsdate -V -l -t
+ Fri Apr 19 18:08:03 PDT 2013
+
+
+Some SSL/TLS services do not provide accurate time in their handshake process;
+tlsdate may also be used to fetch time by processing the HTTP Date headers of
+HTTP services:
+
+ % sudo tlsdate -V -l -t -w
+ Wed Oct 30 18:08:46 CET 2013
+
+
diff --git a/tlsdate/TLSDATEPOOL b/tlsdate/TLSDATEPOOL
new file mode 100644
index 0000000..2ca8015
--- /dev/null
+++ b/tlsdate/TLSDATEPOOL
@@ -0,0 +1,31 @@
+"Lets parasitically pool TLS resources into a single location!"
+
+ntp has pool.ntp.org which currently hosts around ~3000 machines.
+tlsdate has only the wild internet's pool of TLS/SSL machines.
+
+It is believed that there are around ~185,000 reasonable SSL/TLS servers in the
+genepool that is the internet.
+
+To discover the relevant systems in the genepool we will conduct scans and
+collect data of SSL/TLS services for the entire internet. When a server is
+discovered and it is confirmed to have a reasonably accurate clock, we will
+store it in the genepool list.
+
+The genepool list will first be a text file included with tlsdate and tlsdate
+will have an option to use the local genepool; it will randomly select an entry
+from the list and use it for timing information.
+
+The genepool list will be in the following CSV format:
+
+ hostname,port,last known IP address, protocol
+
+Currently, the default protocol is TLSv1 unless otherwise specified. Fields may
+include sslv2, sslv3, tlsv1, tlsv1.1, tlsv1.2, xmpp, pop3, imap and other
+STARTTLS enabled protocols.
+
+Eventually, we propose that a simple DNS query interface located at
+genepool.tlsdate.net should return random entries from the genepool list. It
+should only host records of machines that have correct timing information in
+their SSL/TLS handshakes. The data returned will optionally be a TXT record
+containing a line from a regularly updated genepool cache file or an A/AAAA
+record for the host.
diff --git a/tlsdate/TODO b/tlsdate/TODO
new file mode 100644
index 0000000..75cc095
--- /dev/null
+++ b/tlsdate/TODO
@@ -0,0 +1,42 @@
+
+Here is a nice list of things to do to improve tlsdate:
+
+
+ 1) hack the client handshake to not leak the clock to the server
+ set it to all zeros or something cute or something random
+
+ 3) add HTTP GET request to avoid network fingerprinting
+ 6) skew the clock rather than slamming it
+11) verification of remote certificate for Tor nodes
+13) account for servers that do not send UTC (Microsoft sends local time)
+14) port to bssl, nss, gnutls, yassl, and other libraries
+15) starttls support (smtp, pop, imap, ftp, xmpp)
+16) ensure that 32bit time isn't near wrapping time on 32bit systems
+17) find others to audit it - we need more eyes!
+20) Add verification of remote servers by DANE/CAA DNSSEC protected records
+21) Integrate Chrome's CRL list into tlsdate
+22) Block revoked or bad certs such as MD5 inc. and others.
+24) Add OCSP check option
+25) Block weak signature algorithms
+26) Hard code block list of known horrible certs (extract from Chrome/FF)
+28) Check that extended key usage is empty, or includes TLS Server Auth
+29) extract the SubjectPublicKeyInfo from the certificates; match against
+ public keys
+31) Confirm HTTP and TLS date is within a sane range
+32) Integrate tack support https://github.com/tack/tackc
+33) Implement checking of RFC 2818 style wildcards:
+ http://wiki.cacert.org/WildcardCertificates
+35) seatbelt profile for Mac OS X
+36) SELinux policy for GNU/Linux platforms
+37) Port to some Windows operating system that anyone actually uses
+42) Unit-test everything
+47) Review cert validation and compare it with Chrome:
+ https://code.google.com/p/chromium/codesearch#chrome/src/net/base/x509_certificate.cc&l=500
+48) Complain when server uses very weak DH group parameters
+ example weak server: https://demo.cmrg.net/
+49) Add seccomp tlsdate and tlsdate-helper
+50) Add AppArmor fixes for Tails
+52) Port tlsdated to FreeBSD and other non GNU/Linux systems
+
+Patches welcome!
+
diff --git a/tlsdate/apparmor-profile b/tlsdate/apparmor-profile
new file mode 100644
index 0000000..20451ed
--- /dev/null
+++ b/tlsdate/apparmor-profile
@@ -0,0 +1,200 @@
+#
+# AppArmor tlsdate profile for Debian GNU/Linux
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+
+#include <tunables/global>
+#include <tunables/multiarch.d>
+/usr/bin/tlsdate {
+ #include <abstractions/consoles>
+ #include <abstractions/ssl_certs>
+
+ capability sys_time,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ # IPv4 TCP
+ network inet stream,
+ # IPv4 UDP for DNS resolution
+ network inet dgram,
+ # IPv6 TCP
+ network inet6 stream,
+ # IPv6 UDP
+ network inet6 dgram,
+
+ # Required for gethostbyname
+ /etc/resolv.conf r,
+ /run/resolvconf/resolv.conf r,
+ /etc/nsswitch.conf r,
+ /etc/localtime r,
+ /etc/nsswitch.conf r,
+ /etc/hosts r,
+ /etc/host.conf r,
+
+ # Allow reading public certs but not private keys
+ /etc/ssl/certs/* r,
+ /usr/share/ca-certificates/*/** r,
+
+ # Allow reading of /etc/tlsdate/
+ /etc/tlsdate/*/** r,
+
+ # Required for getpwnam
+ /etc/passwd r,
+ /etc/group r,
+ /proc/sys/kernel/ngroups_max r,
+
+ # Allow reading of libs and /tmp
+ /etc/ld.so.cache r,
+
+ # Random number generation requires these two
+ /dev/random r,
+ /dev/urandom r,
+
+ # Allow mapping of shared libraries
+ /lib{,32,64}/* rm,
+ /usr/lib/* rm,
+ /lib/@{multiarch}/* rm,
+ /usr/lib/@{multiarch}/* rm,
+
+ # We'll allow tlsdate to write a new root to chroot into
+ /tmp/ r,
+ owner /tmp/tlsdate_*/ rw,
+
+ # We'll allow tlsdate to exec tlsdate-helper
+ /usr/bin/tlsdate-helper ixm,
+ /usr/bin/tlsdate ixm,
+}
+
+/usr/bin/tlsdate-helper {
+ #include <abstractions/consoles>
+ #include <abstractions/ssl_certs>
+
+ capability sys_time,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ # IPv4 TCP
+ network inet stream,
+ # IPv4 UDP for DNS resolution
+ network inet dgram,
+ # IPv6 TCP
+ network inet6 stream,
+ # IPv6 UDP
+ network inet6 dgram,
+
+ # Required for gethostbyname
+ /etc/resolv.conf r,
+ /run/resolvconf/resolv.conf r,
+ /etc/nsswitch.conf r,
+ /etc/localtime r,
+ /etc/nsswitch.conf r,
+ /etc/hosts r,
+ /etc/host.conf r,
+
+ # Allow reading public certs but not private keys
+ /etc/ssl/certs/* r,
+ /usr/share/ca-certificates/*/** r,
+
+ # Allow reading of /etc/tlsdate/
+ /etc/tlsdate/*/** r,
+
+ # Required for getpwnam
+ /etc/passwd r,
+ /etc/group r,
+ /proc/sys/kernel/ngroups_max r,
+
+ # Allow reading of libs and /tmp
+ /etc/ld.so.cache r,
+
+ # Random number generation requires these two
+ /dev/random r,
+ /dev/urandom r,
+
+ # Allow mapping of shared libraries
+ /lib{,32,64}/* rm,
+ /usr/lib/* rm,
+ /lib/@{multiarch}/* rm,
+ /usr/lib/@{multiarch}/* rm,
+
+ # We'll allow tlsdate to write a new root to chroot into
+ /tmp/ r,
+ owner /tmp/tlsdate_*/ rw,
+}
+
+/usr/sbin/tlsdated {
+ #include <abstractions/consoles>
+ #include <abstractions/ssl_certs>
+
+ capability sys_time,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+
+ # IPv4 TCP
+ network inet stream,
+ # IPv4 UDP for DNS resolution
+ network inet dgram,
+ # IPv6 TCP
+ network inet6 stream,
+ # IPv6 UDP
+ network inet6 dgram,
+
+ # Required for gethostbyname
+ /etc/resolv.conf r,
+ /etc/nsswitch.conf r,
+ /etc/localtime r,
+ /etc/nsswitch.conf r,
+ /etc/hosts r,
+ /etc/host.conf r,
+
+ # Allow reading public certs but not private keys
+ /etc/ssl/certs/* r,
+ /usr/share/ca-certificates/*/** r,
+
+ # Allow reading of /etc/tlsdate/
+ /etc/tlsdate/*/** r,
+ /etc/tlsdate/tlsdated.conf r,
+
+ # Required for getpwnam
+ /etc/passwd r,
+ /etc/group r,
+ /proc/sys/kernel/ngroups_max r,
+
+ # tlsdated looks into proc for answers
+ /proc/meminfo r,
+
+ # Allow reading of libs and /tmp
+ /etc/ld.so.cache r,
+
+ # Random number generation requires these two
+ /dev/random r,
+ /dev/urandom r,
+
+ # RTC
+ /dev/rtc0 rw,
+ /dev/rtc1 rw,
+
+ # Allow mapping of shared libraries
+ /lib{,32,64}/* rm,
+ /usr/lib/* rm,
+ /lib/@{multiarch}/* rm,
+ /usr/lib/@{multiarch}/* rm,
+
+ # We'll allow tlsdate to write a new root to chroot into
+ /tmp/ r,
+ owner /tmp/tlsdate_*/ rw,
+
+ # We'll allow tlsdated to cache the time here
+ owner /var/cache/tlsdated/* rw,
+ # We'll allow the unprivileged helper to read the time
+ /var/cache/tlsdated/* r,
+
+ # We'll allow tlsdated to exec tlsdate-helper
+ /usr/bin/tlsdate-helper ixm,
+ /usr/bin/tlsdate ixm,
+}
diff --git a/tlsdate/autogen.sh b/tlsdate/autogen.sh
new file mode 100755
index 0000000..efdcacc
--- /dev/null
+++ b/tlsdate/autogen.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# This generates our configure scripts and leads us onto the path of
+# the great Makefile...
+#
+
+set -e
+
+if [ ! -d config ];
+then
+ mkdir config;
+fi
+
+if [ $(uname) != FreeBSD ];
+then
+ WARNINGS="all,error"
+ export WARNINGS
+fi
+
+if [ $(uname) = NetBSD ] || [ $(uname) = DragonFly ];
+then
+ WARNINGS=""
+ export WARNINGS
+fi
+
+if [ $(uname) = "CYGWIN_NT-6.1" ] || [ $(uname) = "MINGW32_NT-6.1" ];
+then
+ WARNINGS=""
+ export WARNINGS
+fi
+
+autoreconf --install --verbose --force
diff --git a/tlsdate/ca-roots/tlsdate-ca-roots.conf b/tlsdate/ca-roots/tlsdate-ca-roots.conf
new file mode 100644
index 0000000..9122472
--- /dev/null
+++ b/tlsdate/ca-roots/tlsdate-ca-roots.conf
@@ -0,0 +1,4725 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Issuer: CN=GTE CyberTrust Global Root O=GTE Corporation OU=GTE CyberTrust Solutions, Inc.
+# Subject: CN=GTE CyberTrust Global Root O=GTE Corporation OU=GTE CyberTrust Solutions, Inc.
+# Label: "GTE CyberTrust Global Root"
+# Serial: 421
+# MD5 Fingerprint: ca:3d:d3:68:f1:03:5c:d0:32:fa:b8:2b:59:e8:5a:db
+# SHA1 Fingerprint: 97:81:79:50:d8:1c:96:70:cc:34:d8:09:cf:79:44:31:36:7e:f4:74
+# SHA256 Fingerprint: a5:31:25:18:8d:21:10:aa:96:4b:02:c7:b7:c6:da:32:03:17:08:94:e5:fb:71:ff:fb:66:67:d5:e6:81:0a:36
+-----BEGIN CERTIFICATE-----
+MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
+VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
+bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
+b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
+UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
+cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
+b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
+iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
+r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
+04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
+GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
+3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
+lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
+-----END CERTIFICATE-----
+
+# Issuer: CN=Thawte Server CA O=Thawte Consulting cc OU=Certification Services Division
+# Subject: CN=Thawte Server CA O=Thawte Consulting cc OU=Certification Services Division
+# Label: "Thawte Server CA"
+# Serial: 1
+# MD5 Fingerprint: c5:70:c4:a2:ed:53:78:0c:c8:10:53:81:64:cb:d0:1d
+# SHA1 Fingerprint: 23:e5:94:94:51:95:f2:41:48:03:b4:d5:64:d2:a3:a3:f5:d8:8b:8c
+# SHA256 Fingerprint: b4:41:0b:73:e2:e6:ea:ca:47:fb:c4:2f:8f:a4:01:8a:f4:38:1d:c5:4c:fa:a8:44:50:46:1e:ed:09:45:4d:e9
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
+FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
+VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
+biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
+MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTYwODAx
+MDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT
+DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3
+dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
+cyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3
+DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl/Kj0R1HahbUgdJSGHg91
+yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg71CcEJRCX
+L+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGj
+EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG
+7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e
+QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZ
+qdq5snUb9kLy78fyGPmJvKP/iiMucEc=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Thawte Premium Server CA O=Thawte Consulting cc OU=Certification Services Division
+# Subject: CN=Thawte Premium Server CA O=Thawte Consulting cc OU=Certification Services Division
+# Label: "Thawte Premium Server CA"
+# Serial: 1
+# MD5 Fingerprint: 06:9f:69:79:16:66:90:02:1b:8c:8c:a2:c3:07:6f:3a
+# SHA1 Fingerprint: 62:7f:8d:78:27:65:63:99:d2:7d:7f:90:44:c9:fe:b3:f3:3e:fa:9a
+# SHA256 Fingerprint: ab:70:36:36:5c:71:54:aa:29:c2:c2:9f:5d:41:91:16:3b:16:2a:22:25:01:13:57:d5:6d:07:ff:a7:bc:1f:72
+-----BEGIN CERTIFICATE-----
+MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
+FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
+VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
+biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
+dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
+MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
+MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
+A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
+b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
+cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
+VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
+ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
+uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
+hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
+pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
+-----END CERTIFICATE-----
+
+# Issuer: O=Equifax OU=Equifax Secure Certificate Authority
+# Subject: O=Equifax OU=Equifax Secure Certificate Authority
+# Label: "Equifax Secure CA"
+# Serial: 903804111
+# MD5 Fingerprint: 67:cb:9d:c0:13:24:8a:82:9b:b2:17:1e:d1:1b:ec:d4
+# SHA1 Fingerprint: d2:32:09:ad:23:d3:14:23:21:74:e4:0d:7f:9d:62:13:97:86:63:3a
+# SHA256 Fingerprint: 08:29:7a:40:47:db:a2:36:80:c7:31:db:6e:31:76:53:ca:78:48:e1:be:bd:3a:0b:01:79:a7:07:f9:2c:f1:78
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
+UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
+dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
+MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
+dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
+BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
+cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
+AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
+aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
+ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
+IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
+MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
+A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
+7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
+1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
+-----END CERTIFICATE-----
+
+# Issuer: O=Digital Signature Trust Co. OU=DSTCA E1
+# Subject: O=Digital Signature Trust Co. OU=DSTCA E1
+# Label: "Digital Signature Trust Co. Global CA 1"
+# Serial: 913315222
+# MD5 Fingerprint: 25:7a:ba:83:2e:b6:a2:0b:da:fe:f5:02:0f:08:d7:ad
+# SHA1 Fingerprint: 81:96:8b:3a:ef:1c:dc:70:f5:fa:32:69:c2:92:a3:63:5b:d1:23:d3
+# SHA256 Fingerprint: 63:04:19:ae:c4:78:cb:b4:bb:80:83:de:9d:9c:f2:79:75:2f:03:9d:ef:16:e4:64:71:b6:79:ca:93:00:2d:b0
+-----BEGIN CERTIFICATE-----
+MIIDKTCCApKgAwIBAgIENnAVljANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
+EwhEU1RDQSBFMTAeFw05ODEyMTAxODEwMjNaFw0xODEyMTAxODQwMjNaMEYxCzAJ
+BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
+ETAPBgNVBAsTCERTVENBIEUxMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCg
+bIGpzzQeJN3+hijM3oMv+V7UQtLodGBmE5gGHKlREmlvMVW5SXIACH7TpWJENySZ
+j9mDSI+ZbZUTu0M7LklOiDfBu1h//uG9+LthzfNHwJmm8fOR6Hh8AMthyUQncWlV
+Sn5JTe2io74CTADKAqjuAQIxZA9SLRN0dja1erQtcQIBA6OCASQwggEgMBEGCWCG
+SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
+JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
+RFNUQ0EgRTExDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMTAxODEw
+MjNagQ8yMDE4MTIxMDE4MTAyM1owCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFGp5
+fpFpRhgTCgJ3pVlbYJglDqL4MB0GA1UdDgQWBBRqeX6RaUYYEwoCd6VZW2CYJQ6i
++DAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
+SIb3DQEBBQUAA4GBACIS2Hod3IEGtgllsofIH160L+nEHvI8wbsEkBFKg05+k7lN
+QseSJqBcNJo4cvj9axY+IO6CizEqkzaFI4iKPANo08kJD038bKTaKHKTDomAsH3+
+gG9lbRgzl4vCa4nuYD3Im+9/KzJic5PLPON74nZ4RbyhkwS7hp86W0N6w4pl
+-----END CERTIFICATE-----
+
+# Issuer: O=Digital Signature Trust Co. OU=DSTCA E2
+# Subject: O=Digital Signature Trust Co. OU=DSTCA E2
+# Label: "Digital Signature Trust Co. Global CA 3"
+# Serial: 913232846
+# MD5 Fingerprint: 93:c2:8e:11:7b:d4:f3:03:19:bd:28:75:13:4a:45:4a
+# SHA1 Fingerprint: ab:48:f3:33:db:04:ab:b9:c0:72:da:5b:0c:c1:d0:57:f0:36:9b:46
+# SHA256 Fingerprint: 8f:62:d7:73:6f:99:db:d3:3e:e0:0e:10:c7:e3:29:33:9c:98:8a:5b:47:ef:25:f4:08:29:3c:f2:42:6b:4d:44
+-----BEGIN CERTIFICATE-----
+MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
+EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
+BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
+ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
+k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
+LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
+TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
+SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
+JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
+RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
+MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
+TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
+WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
+SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
+xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
+B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
+-----END CERTIFICATE-----
+
+# Issuer: O=VeriSign, Inc. OU=Class 3 Public Primary Certification Authority
+# Subject: O=VeriSign, Inc. OU=Class 3 Public Primary Certification Authority
+# Label: "Verisign Class 3 Public Primary Certification Authority"
+# Serial: 149843929435818692848040365716851702463
+# MD5 Fingerprint: 10:fc:63:5d:f6:26:3e:0d:f3:25:be:5f:79:cd:67:67
+# SHA1 Fingerprint: 74:2c:31:92:e6:07:e4:24:eb:45:49:54:2b:e1:bb:c5:3e:61:74:e2
+# SHA256 Fingerprint: e7:68:56:34:ef:ac:f6:9a:ce:93:9a:6b:25:5b:7b:4f:ab:ef:42:93:5b:50:a2:65:ac:b5:cb:60:27:e4:4e:70
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
+lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
+AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
+-----END CERTIFICATE-----
+
+# Issuer: O=VeriSign, Inc. OU=Class 3 Public Primary Certification Authority - G2/(c) 1998 VeriSign, Inc. - For authorized use only/VeriSign Trust Network
+# Subject: O=VeriSign, Inc. OU=Class 3 Public Primary Certification Authority - G2/(c) 1998 VeriSign, Inc. - For authorized use only/VeriSign Trust Network
+# Label: "Verisign Class 3 Public Primary Certification Authority - G2"
+# Serial: 167285380242319648451154478808036881606
+# MD5 Fingerprint: a2:33:9b:4c:74:78:73:d4:6c:e7:c1:f3:8d:cb:5c:e9
+# SHA1 Fingerprint: 85:37:1c:a6:e5:50:14:3d:ce:28:03:47:1b:de:3a:09:e8:f8:77:0f
+# SHA256 Fingerprint: 83:ce:3c:12:29:68:8a:59:3d:48:5f:81:97:3c:0f:91:95:43:1e:da:37:cc:5e:36:43:0e:79:c7:a8:88:63:8b
+-----BEGIN CERTIFICATE-----
+MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
+pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
+13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
+U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
+F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
+oJ2daZH9
+-----END CERTIFICATE-----
+
+# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
+# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
+# Label: "GlobalSign Root CA"
+# Serial: 4835703278459707669005204
+# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a
+# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c
+# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
+
+# Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R2
+# Subject: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R2
+# Label: "GlobalSign Root CA - R2"
+# Serial: 4835703278459682885658125
+# MD5 Fingerprint: 94:14:77:7e:3e:5e:fd:8f:30:bd:41:b0:cf:e7:d0:30
+# SHA1 Fingerprint: 75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe
+# SHA256 Fingerprint: ca:42:dd:41:74:5f:d0:b8:1e:b9:02:36:2c:f9:d8:bf:71:9d:a1:bd:1b:1e:fc:94:6f:5b:4c:99:f4:2c:1b:9e
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=http://www.valicert.com/ O=ValiCert, Inc. OU=ValiCert Class 1 Policy Validation Authority
+# Subject: CN=http://www.valicert.com/ O=ValiCert, Inc. OU=ValiCert Class 1 Policy Validation Authority
+# Label: "ValiCert Class 1 VA"
+# Serial: 1
+# MD5 Fingerprint: 65:58:ab:15:ad:57:6c:1e:a8:a7:b5:69:ac:bf:ff:eb
+# SHA1 Fingerprint: e5:df:74:3c:b6:01:c4:9b:98:43:dc:ab:8c:e8:6a:81:10:9f:e4:8e
+# SHA256 Fingerprint: f4:c1:49:55:1a:30:13:a3:5b:c7:bf:fe:17:a7:f3:44:9b:c1:ab:5b:5a:0a:e7:4b:06:c2:3b:90:00:4c:01:04
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0
+IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz
+BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDEgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y
+aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG
+9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNTIyMjM0OFoXDTE5MDYy
+NTIyMjM0OFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y
+azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs
+YXNzIDEgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw
+Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl
+cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYWYJ6ibiWuqYvaG9Y
+LqdUHAZu9OqNSLwxlBfw8068srg1knaw0KWlAdcAAxIiGQj4/xEjm84H9b9pGib+
+TunRf50sQB1ZaG6m+FiwnRqP0z/x3BkGgagO4DrdyFNFCQbmD3DD+kCmDuJWBQ8Y
+TfwggtFzVXSNdnKgHZ0dwN0/cQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFBoPUn0
+LBwGlN+VYH+Wexf+T3GtZMjdd9LvWVXoP+iOBSoh8gfStadS/pyxtuJbdxdA6nLW
+I8sogTLDAHkY7FkXicnGah5xyf23dKUlRWnFSKsZ4UWKJWsZ7uW7EvV/96aNUcPw
+nXS3qT6gpf+2SQMT2iLM7XGCK5nPOrf1LXLI
+-----END CERTIFICATE-----
+
+# Issuer: CN=http://www.valicert.com/ O=ValiCert, Inc. OU=ValiCert Class 2 Policy Validation Authority
+# Subject: CN=http://www.valicert.com/ O=ValiCert, Inc. OU=ValiCert Class 2 Policy Validation Authority
+# Label: "ValiCert Class 2 VA"
+# Serial: 1
+# MD5 Fingerprint: a9:23:75:9b:ba:49:36:6e:31:c2:db:f2:e7:66:ba:87
+# SHA1 Fingerprint: 31:7a:2a:d0:7f:2b:33:5e:f5:a1:c3:4e:4b:57:e8:b7:d8:f1:fc:a6
+# SHA256 Fingerprint: 58:d0:17:27:9c:d4:dc:63:ab:dd:b1:96:a6:c9:90:6c:30:c4:e0:87:83:ea:e8:c1:60:99:54:d6:93:55:59:6b
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0
+IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz
+BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y
+aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG
+9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE5MDYy
+NjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y
+azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs
+YXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw
+Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl
+cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5avIWZJV16vY
+dA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zfN1SLUzm1NZ9
+WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwbP7RfZHM047QS
+v4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADt/UG9v
+UJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQC1u+mNr0HZDzTu
+IYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMMj4QssxsodyamEwC
+W/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd
+-----END CERTIFICATE-----
+
+# Issuer: CN=http://www.valicert.com/ O=ValiCert, Inc. OU=ValiCert Class 3 Policy Validation Authority
+# Subject: CN=http://www.valicert.com/ O=ValiCert, Inc. OU=ValiCert Class 3 Policy Validation Authority
+# Label: "RSA Root Certificate 1"
+# Serial: 1
+# MD5 Fingerprint: a2:6f:53:b7:ee:40:db:4a:68:e7:fa:18:d9:10:4b:72
+# SHA1 Fingerprint: 69:bd:8c:f4:9c:d3:00:fb:59:2e:17:93:ca:55:6a:f3:ec:aa:35:fb
+# SHA256 Fingerprint: bc:23:f9:8a:31:3c:b9:2d:e3:bb:fc:3a:5a:9f:44:61:ac:39:49:4c:4a:e1:5a:9e:9d:f1:31:e9:9b:73:01:9a
+-----BEGIN CERTIFICATE-----
+MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0
+IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz
+BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDMgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y
+aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG
+9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMjIzM1oXDTE5MDYy
+NjAwMjIzM1owgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y
+azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs
+YXNzIDMgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw
+Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl
+cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjmFGWHOjVsQaBalfD
+cnWTq8+epvzzFlLWLU2fNUSoLgRNB0mKOCn1dzfnt6td3zZxFJmP3MKS8edgkpfs
+2Ejcv8ECIMYkpChMMFp2bbFc893enhBxoYjHW5tBbcqwuI4V7q0zK89HBFx1cQqY
+JJgpp0lZpd34t0NiYfPT4tBVPwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFa7AliE
+Zwgs3x/be0kz9dNnnfS0ChCzycUs4pJqcXgn8nCDQtM+z6lU9PHYkhaM0QTLS6vJ
+n0WuPIqpsHEzXcjFV9+vqDWzf4mH6eglkrh/hXqu1rweN1gqZ8mRzyqBPu3GOd/A
+PhmcGcwTTYJBtYze4D1gCCAPRX5ron+jjBXu
+-----END CERTIFICATE-----
+
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 1999 VeriSign, Inc. - For authorized use only
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 1999 VeriSign, Inc. - For authorized use only
+# Label: "Verisign Class 3 Public Primary Certification Authority - G3"
+# Serial: 206684696279472310254277870180966723415
+# MD5 Fingerprint: cd:68:b6:a7:c7:c4:ce:75:e0:1d:4f:57:44:61:92:09
+# SHA1 Fingerprint: 13:2d:0d:45:53:4b:69:97:cd:b2:d5:c3:39:e2:55:76:60:9b:5c:c6
+# SHA256 Fingerprint: eb:04:cf:5e:b1:f3:9a:fa:76:2f:2b:b1:20:f2:96:cb:a5:20:c1:b9:7d:b1:58:95:65:b8:1c:b9:a1:7b:72:44
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
+cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
+LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
+aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
+dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
+VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
+aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
+bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
+IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b
+N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t
+KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu
+kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm
+CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ
+Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu
+imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te
+2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe
+DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC
+/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p
+F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt
+TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 1999 VeriSign, Inc. - For authorized use only
+# Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 1999 VeriSign, Inc. - For authorized use only
+# Label: "Verisign Class 4 Public Primary Certification Authority - G3"
+# Serial: 314531972711909413743075096039378935511
+# MD5 Fingerprint: db:c8:f2:27:2e:b1:ea:6a:29:23:5d:fe:56:3e:33:df
+# SHA1 Fingerprint: c8:ec:8c:87:92:69:cb:4b:ab:39:e9:8d:7e:57:67:f3:14:95:73:9d
+# SHA256 Fingerprint: e3:89:36:0d:0f:db:ae:b3:d2:50:58:4b:47:30:31:4e:22:2f:39:c1:56:a0:20:14:4e:8d:96:05:61:79:15:06
+-----BEGIN CERTIFICATE-----
+MIIEGjCCAwICEQDsoKeLbnVqAc/EfMwvlF7XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
+cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
+LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
+aWduIENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
+dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
+VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
+aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
+bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
+IENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3LpRFpxlmr8Y+1
+GQ9Wzsy1HyDkniYlS+BzZYlZ3tCD5PUPtbut8XzoIfzk6AzufEUiGXaStBO3IFsJ
++mGuqPKljYXCKtbeZjbSmwL0qJJgfJxptI8kHtCGUvYynEFYHiK9zUVilQhu0Gbd
+U6LM8BDcVHOLBKFGMzNcF0C5nk3T875Vg+ixiY5afJqWIpA7iCXy0lOIAgwLePLm
+NxdLMEYH5IBtptiWLugs+BGzOA1mppvqySNb247i8xOOGlktqgLw7KSHZtzBP/XY
+ufTsgsbSPZUd5cBPhMnZo0QoBmrXRazwa2rvTl/4EYIeOGM0ZlDUPpNz+jDDZq3/
+ky2X7wMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAj/ola09b5KROJ1WrIhVZPMq1
+CtRK26vdoV9TxaBXOcLORyu+OshWv8LZJxA6sQU8wHcxuzrTBXttmhwwjIDLk5Mq
+g6sFUYICABFna/OIYUdfA5PVWw3g8dShMjWFsjrbsIKr0csKvE+MW8VLADsfKoKm
+fjaF3H48ZwC15DtS4KjrXRX5xm3wrR0OhbepmnMUWluPQSjA1egtTaRezarZ7c7c
+2NU8Qh0XwRJdRTjDOPP8hS6DRkiy1yBfkjaP53kPmF6Z6PDQpLv1U70qzlmwr25/
+bLvSHgCwIe34QWKCudiyxLtGUPMxxY8BqHTr9Xgn2uf3ZkPznoM+IKrDNWCRzg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Entrust.net Secure Server Certification Authority O=Entrust.net OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
+# Subject: CN=Entrust.net Secure Server Certification Authority O=Entrust.net OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
+# Label: "Entrust.net Secure Server CA"
+# Serial: 927650371
+# MD5 Fingerprint: df:f2:80:73:cc:f1:e6:61:73:fc:f5:42:e9:c5:7c:ee
+# SHA1 Fingerprint: 99:a6:9b:e6:1a:fe:88:6b:4d:2b:82:00:7c:b8:54:fc:31:7e:15:39
+# SHA256 Fingerprint: 62:f2:40:27:8c:56:4c:4d:d8:bf:7d:9d:4f:6f:36:6e:a8:94:d2:2f:5f:34:d9:89:a9:83:ac:ec:2f:ff:ed:50
+-----BEGIN CERTIFICATE-----
+MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
+ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
+KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
+ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
+MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
+ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
+b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF
+bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg
+U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA
+A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/
+I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3
+wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC
+AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
+oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5
+BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p
+dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk
+MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu
+dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0
+MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi
+E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa
+MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
+hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
+95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
+2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
+# Subject: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
+# Label: "Entrust.net Premium 2048 Secure Server CA"
+# Serial: 946059622
+# MD5 Fingerprint: ba:21:ea:20:d6:dd:db:8f:c1:57:8b:40:ad:a1:fc:fc
+# SHA1 Fingerprint: 80:1d:62:d0:7b:44:9d:5c:5c:03:5c:98:ea:61:fa:44:3c:2a:58:fe
+# SHA256 Fingerprint: d1:c3:39:ea:27:84:eb:87:0f:93:4f:c5:63:4e:4a:a9:ad:55:05:01:64:01:f2:64:65:d3:7a:57:46:63:35:9f
+-----BEGIN CERTIFICATE-----
+MIIEXDCCA0SgAwIBAgIEOGO5ZjANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
+RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
+bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
+IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
+ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0xOTEy
+MjQxODIwNTFaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
+LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
+YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
+A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
+K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
+sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
+MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
+XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
+HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
+4QIDAQABo3QwcjARBglghkgBhvhCAQEEBAMCAAcwHwYDVR0jBBgwFoAUVeSB0RGA
+vtiJuQijMfmhJAkWuXAwHQYDVR0OBBYEFFXkgdERgL7YibkIozH5oSQJFrlwMB0G
+CSqGSIb2fQdBAAQQMA4bCFY1LjA6NC4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEA
+WUesIYSKF8mciVMeuoCFGsY8Tj6xnLZ8xpJdGGQC49MGCBFhfGPjK50xA3B20qMo
+oPS7mmNz7W3lKtvtFKkrxjYR0CvrB4ul2p5cGZ1WEvVUKcgF7bISKo30Axv/55IQ
+h7A6tcOdBTcSo8f0FbnVpDkWm1M6I5HxqIKiaohowXkCIryqptau37AUX7iH0N18
+f3v/rxzP5tsHrV7bhZ3QKw0z2wTR5klAEyt2+z7pnIkPFc4YsIV4IU9rTw76NmfN
+B/L/CNDi3tm/Kq+4h4YhPATKt5Rof8886ZjXOP/swNlQ8C5LWK5Gb9Auw2DaclVy
+vUxFnmG6v4SBkgPR0ml8xQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
+# Label: "Baltimore CyberTrust Root"
+# Serial: 33554617
+# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
+# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
+# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+-----END CERTIFICATE-----
+
+# Issuer: CN=Equifax Secure Global eBusiness CA-1 O=Equifax Secure Inc.
+# Subject: CN=Equifax Secure Global eBusiness CA-1 O=Equifax Secure Inc.
+# Label: "Equifax Secure Global eBusiness CA"
+# Serial: 1
+# MD5 Fingerprint: 8f:5d:77:06:27:c4:98:3c:5b:93:78:e7:d7:7d:9b:cc
+# SHA1 Fingerprint: 7e:78:4a:10:1c:82:65:cc:2d:e1:f1:6d:47:b4:40:ca:d9:0a:19:45
+# SHA256 Fingerprint: 5f:0b:62:ea:b5:e3:53:ea:65:21:65:16:58:fb:b6:53:59:f4:43:28:0a:4a:fb:d1:04:d7:7d:10:f9:f0:4c:07
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT
+ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw
+MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj
+dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l
+c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC
+UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc
+58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/
+o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH
+MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr
+aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA
+A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA
+Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv
+8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
+-----END CERTIFICATE-----
+
+# Issuer: CN=Equifax Secure eBusiness CA-1 O=Equifax Secure Inc.
+# Subject: CN=Equifax Secure eBusiness CA-1 O=Equifax Secure Inc.
+# Label: "Equifax Secure eBusiness CA 1"
+# Serial: 4
+# MD5 Fingerprint: 64:9c:ef:2e:44:fc:c6:8f:52:07:d0:51:73:8f:cb:3d
+# SHA1 Fingerprint: da:40:18:8b:91:89:a3:ed:ee:ae:da:97:fe:2f:9d:f5:b7:d1:8a:41
+# SHA256 Fingerprint: cf:56:ff:46:a4:a1:86:10:9d:d9:65:84:b5:ee:b5:8a:51:0c:42:75:b0:e5:f9:4f:40:bb:ae:86:5e:19:f6:73
+-----BEGIN CERTIFICATE-----
+MIICgjCCAeugAwIBAgIBBDANBgkqhkiG9w0BAQQFADBTMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEmMCQGA1UEAxMdRXF1aWZheCBT
+ZWN1cmUgZUJ1c2luZXNzIENBLTEwHhcNOTkwNjIxMDQwMDAwWhcNMjAwNjIxMDQw
+MDAwWjBTMQswCQYDVQQGEwJVUzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5j
+LjEmMCQGA1UEAxMdRXF1aWZheCBTZWN1cmUgZUJ1c2luZXNzIENBLTEwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBAM4vGbwXt3fek6lfWg0XTzQaDJj0ItlZ1MRo
+RvC0NcWFAyDGr0WlIVFFQesWWDYyb+JQYmT5/VGcqiTZ9J2DKocKIdMSODRsjQBu
+WqDZQu4aIZX5UkxVWsUPOE9G+m34LjXWHXzr4vCwdYDIqROsvojvOm6rXyo4YgKw
+Env+j6YDAgMBAAGjZjBkMBEGCWCGSAGG+EIBAQQEAwIABzAPBgNVHRMBAf8EBTAD
+AQH/MB8GA1UdIwQYMBaAFEp4MlIR21kWNl7fwRQ2QGpHfEyhMB0GA1UdDgQWBBRK
+eDJSEdtZFjZe38EUNkBqR3xMoTANBgkqhkiG9w0BAQQFAAOBgQB1W6ibAxHm6VZM
+zfmpTMANmvPMZWnmJXbMWbfWVMMdzZmsGd20hdXgPfxiIKeES1hl8eL5lSE/9dR+
+WB5Hh1Q+WKG1tfgq73HnvMP2sUlG4tega+VWeponmHxGYhTnyfxuAxJ5gDgdSIKN
+/Bf+KpYrtWKmpj29f5JZzVoqgrI3eQ==
+-----END CERTIFICATE-----
+
+# Issuer: O=Equifax Secure OU=Equifax Secure eBusiness CA-2
+# Subject: O=Equifax Secure OU=Equifax Secure eBusiness CA-2
+# Label: "Equifax Secure eBusiness CA 2"
+# Serial: 930140085
+# MD5 Fingerprint: aa:bf:bf:64:97:da:98:1d:6f:c6:08:3a:95:70:33:ca
+# SHA1 Fingerprint: 39:4f:f6:85:0b:06:be:52:e5:18:56:cc:10:e1:80:e8:82:b3:85:cc
+# SHA256 Fingerprint: 2f:27:4e:48:ab:a4:ac:7b:76:59:33:10:17:75:50:6d:c3:0e:e3:8e:f6:ac:d5:c0:49:32:cf:e0:41:23:42:20
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAomgAwIBAgIEN3DPtTANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
+UzEXMBUGA1UEChMORXF1aWZheCBTZWN1cmUxJjAkBgNVBAsTHUVxdWlmYXggU2Vj
+dXJlIGVCdXNpbmVzcyBDQS0yMB4XDTk5MDYyMzEyMTQ0NVoXDTE5MDYyMzEyMTQ0
+NVowTjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkVxdWlmYXggU2VjdXJlMSYwJAYD
+VQQLEx1FcXVpZmF4IFNlY3VyZSBlQnVzaW5lc3MgQ0EtMjCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEA5Dk5kx5SBhsoNviyoynF7Y6yEb3+6+e0dMKP/wXn2Z0G
+vxLIPw7y1tEkshHe0XMJitSxLJgJDR5QRrKDpkWNYmi7hRsgcDKqQM2mll/EcTc/
+BPO3QSQ5BxoeLmFYoBIL5aXfxavqN3HMHMg3OrmXUqesxWoklE6ce8/AatbfIb0C
+AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEX
+MBUGA1UEChMORXF1aWZheCBTZWN1cmUxJjAkBgNVBAsTHUVxdWlmYXggU2VjdXJl
+IGVCdXNpbmVzcyBDQS0yMQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTkw
+NjIzMTIxNDQ1WjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUUJ4L6q9euSBIplBq
+y/3YIHqngnYwHQYDVR0OBBYEFFCeC+qvXrkgSKZQasv92CB6p4J2MAwGA1UdEwQF
+MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
+A4GBAAyGgq3oThr1jokn4jVYPSm0B482UJW/bsGe68SQsoWou7dC4A8HOd/7npCy
+0cE+U58DRLB+S/Rv5Hwf5+Kx5Lia78O9zt4LMjTZ3ijtM2vE1Nc9ElirfQkty3D1
+E4qUoSek1nDFbZS1yX2doNLGCEnZZpum0/QL3MUmV+GRMOrN
+-----END CERTIFICATE-----
+
+# Issuer: CN=AddTrust Class 1 CA Root O=AddTrust AB OU=AddTrust TTP Network
+# Subject: CN=AddTrust Class 1 CA Root O=AddTrust AB OU=AddTrust TTP Network
+# Label: "AddTrust Low-Value Services Root"
+# Serial: 1
+# MD5 Fingerprint: 1e:42:95:02:33:92:6b:b9:5f:c0:7f:da:d6:b2:4b:fc
+# SHA1 Fingerprint: cc:ab:0e:a0:4c:23:01:d6:69:7b:dd:37:9f:cd:12:eb:24:e3:94:9d
+# SHA256 Fingerprint: 8c:72:09:27:9a:c0:4e:27:5e:16:d0:7f:d3:b7:75:e8:01:54:b5:96:80:46:e3:1f:52:dd:25:76:63:24:e9:a7
+-----BEGIN CERTIFICATE-----
+MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3
+b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw
+MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML
+QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD
+VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul
+CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n
+tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl
+dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch
+PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC
++Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O
+BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl
+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk
+ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB
+IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X
+7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz
+43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY
+eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl
+pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA
+WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk=
+-----END CERTIFICATE-----
+
+# Issuer: CN=AddTrust External CA Root O=AddTrust AB OU=AddTrust External TTP Network
+# Subject: CN=AddTrust External CA Root O=AddTrust AB OU=AddTrust External TTP Network
+# Label: "AddTrust External Root"
+# Serial: 1
+# MD5 Fingerprint: 1d:35:54:04:85:78:b0:3f:42:42:4d:bf:20:73:0a:3f
+# SHA1 Fingerprint: 02:fa:f3:e2:91:43:54:68:60:78:57:69:4d:f5:e4:5b:68:85:18:68
+# SHA256 Fingerprint: 68:7f:a4:51:38:22:78:ff:f0:c8:b1:1f:8d:43:d5:76:67:1c:6e:b2:bc:ea:b4:13:fb:83:d9:65:d0:6d:2f:f2
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+-----END CERTIFICATE-----
+
+# Issuer: CN=AddTrust Public CA Root O=AddTrust AB OU=AddTrust TTP Network
+# Subject: CN=AddTrust Public CA Root O=AddTrust AB OU=AddTrust TTP Network
+# Label: "AddTrust Public Services Root"
+# Serial: 1
+# MD5 Fingerprint: c1:62:3e:23:c5:82:73:9c:03:59:4b:2b:e9:77:49:7f
+# SHA1 Fingerprint: 2a:b6:28:48:5e:78:fb:f3:ad:9e:79:10:dd:6b:df:99:72:2c:96:e5
+# SHA256 Fingerprint: 07:91:ca:07:49:b2:07:82:aa:d3:c7:d7:bd:0c:df:c9:48:58:35:84:3e:b2:d7:99:60:09:ce:43:ab:6c:69:27
+-----BEGIN CERTIFICATE-----
+MIIEFTCCAv2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3
+b3JrMSAwHgYDVQQDExdBZGRUcnVzdCBQdWJsaWMgQ0EgUm9vdDAeFw0wMDA1MzAx
+MDQxNTBaFw0yMDA1MzAxMDQxNTBaMGQxCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtB
+ZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIDAeBgNV
+BAMTF0FkZFRydXN0IFB1YmxpYyBDQSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA6Rowj4OIFMEg2Dybjxt+A3S72mnTRqX4jsIMEZBRpS9mVEBV
+6tsfSlbunyNu9DnLoblv8n75XYcmYZ4c+OLspoH4IcUkzBEMP9smcnrHAZcHF/nX
+GCwwfQ56HmIexkvA/X1id9NEHif2P0tEs7c42TkfYNVRknMDtABp4/MUTu7R3AnP
+dzRGULD4EfL+OHn3Bzn+UZKXC1sIXzSGAa2Il+tmzV7R/9x98oTaunet3IAIx6eH
+1lWfl2royBFkuucZKT8Rs3iQhCBSWxHveNCD9tVIkNAwHM+A+WD+eeSI8t0A65RF
+62WUaUC6wNW0uLp9BBGo6zEFlpROWCGOn9Bg/QIDAQABo4HRMIHOMB0GA1UdDgQW
+BBSBPjfYkrAfd59ctKtzquf2NGAv+jALBgNVHQ8EBAMCAQYwDwYDVR0TAQH/BAUw
+AwEB/zCBjgYDVR0jBIGGMIGDgBSBPjfYkrAfd59ctKtzquf2NGAv+qFopGYwZDEL
+MAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQLExRBZGRU
+cnVzdCBUVFAgTmV0d29yazEgMB4GA1UEAxMXQWRkVHJ1c3QgUHVibGljIENBIFJv
+b3SCAQEwDQYJKoZIhvcNAQEFBQADggEBAAP3FUr4JNojVhaTdt02KLmuG7jD8WS6
+IBh4lSknVwW8fCr0uVFV2ocC3g8WFzH4qnkuCRO7r7IgGRLlk/lL+YPoRNWyQSW/
+iHVv/xD8SlTQX/D67zZzfRs2RcYhbbQVuE7PnFylPVoAjgbjPGsye/Kf8Lb93/Ao
+GEjwxrzQvzSAlsJKsW2Ox5BF3i9nrEUEo3rcVZLJR2bYGozH7ZxOmuASu7VqTITh
+4SINhwBk/ox9Yjllpu9CtoAlEmEBqCQTcAARJl/6NVDFSMwGR+gn2HCNX2TmoUQm
+XiLsks3/QppEIW1cxeMiHV9HEufOX1362KqxMy3ZdvJOOjMMK7MtkAY=
+-----END CERTIFICATE-----
+
+# Issuer: CN=AddTrust Qualified CA Root O=AddTrust AB OU=AddTrust TTP Network
+# Subject: CN=AddTrust Qualified CA Root O=AddTrust AB OU=AddTrust TTP Network
+# Label: "AddTrust Qualified Certificates Root"
+# Serial: 1
+# MD5 Fingerprint: 27:ec:39:47:cd:da:5a:af:e2:9a:01:65:21:a9:4c:bb
+# SHA1 Fingerprint: 4d:23:78:ec:91:95:39:b5:00:7f:75:8f:03:3b:21:1e:c5:4d:8b:cf
+# SHA256 Fingerprint: 80:95:21:08:05:db:4b:bc:35:5e:44:28:d8:fd:6e:c2:cd:e3:ab:5f:b9:7a:99:42:98:8e:b8:f4:dc:d0:60:16
+-----BEGIN CERTIFICATE-----
+MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3
+b3JrMSMwIQYDVQQDExpBZGRUcnVzdCBRdWFsaWZpZWQgQ0EgUm9vdDAeFw0wMDA1
+MzAxMDQ0NTBaFw0yMDA1MzAxMDQ0NTBaMGcxCzAJBgNVBAYTAlNFMRQwEgYDVQQK
+EwtBZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIzAh
+BgNVBAMTGkFkZFRydXN0IFF1YWxpZmllZCBDQSBSb290MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA5B6a/twJWoekn0e+EV+vhDTbYjx5eLfpMLXsDBwq
+xBb/4Oxx64r1EW7tTw2R0hIYLUkVAcKkIhPHEWT/IhKauY5cLwjPcWqzZwFZ8V1G
+87B4pfYOQnrjfxvM0PC3KP0q6p6zsLkEqv32x7SxuCqg+1jxGaBvcCV+PmlKfw8i
+2O+tCBGaKZnhqkRFmhJePp1tUvznoD1oL/BLcHwTOK28FSXx1s6rosAx1i+f4P8U
+WfyEk9mHfExUE+uf0S0R+Bg6Ot4l2ffTQO2kBhLEO+GRwVY18BTcZTYJbqukB8c1
+0cIDMzZbdSZtQvESa0NvS3GU+jQd7RNuyoB/mC9suWXY6QIDAQABo4HUMIHRMB0G
+A1UdDgQWBBQ5lYtii1zJ1IC6WA+XPxUIQ8yYpzALBgNVHQ8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zCBkQYDVR0jBIGJMIGGgBQ5lYtii1zJ1IC6WA+XPxUIQ8yYp6Fr
+pGkwZzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQL
+ExRBZGRUcnVzdCBUVFAgTmV0d29yazEjMCEGA1UEAxMaQWRkVHJ1c3QgUXVhbGlm
+aWVkIENBIFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBABmrder4i2VhlRO6aQTv
+hsoToMeqT2QbPxj2qC0sVY8FtzDqQmodwCVRLae/DLPt7wh/bDxGGuoYQ992zPlm
+hpwsaPXpF/gxsxjE1kh9I0xowX67ARRvxdlu3rsEQmr49lx95dr6h+sNNVJn0J6X
+dgWTP5XHAeZpVTh/EGGZyeNfpso+gmNIquIISD6q8rKFYqa0p9m9N5xotS1WfbC3
+P6CxB9bpT9zeRXEwMn8bLgn5v1Kh7sKAPgZcLlVAwRv1cEWw3F369nJad9Jjzc9Y
+iQBCYz95OdBEsIJuQRno3eDBiFrRHnGTHyQwdOUeqN48Jzd/g66ed8/wMLH/S5no
+xqE=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
+# Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
+# Label: "Entrust Root Certification Authority"
+# Serial: 1164660820
+# MD5 Fingerprint: d6:a5:c3:ed:5d:dd:3e:00:c1:3d:87:92:1f:1d:3f:e4
+# SHA1 Fingerprint: b3:1e:b1:b7:40:e3:6c:84:02:da:dc:37:d4:4d:f5:d4:67:49:52:f9
+# SHA256 Fingerprint: 73:c1:76:43:4f:1b:c6:d5:ad:f4:5b:0e:76:e7:27:28:7c:8d:e5:76:16:c1:e6:e6:14:1a:2b:2c:bc:7d:8e:4c
+-----BEGIN CERTIFICATE-----
+MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
+VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
+Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
+KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
+cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
+NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
+NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
+ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
+BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
+Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
+4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
+KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
+rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
+94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
+sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
+gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
+kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
+vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
+A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
+O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
+AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
+9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
+eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
+0vdXcDazv/wor3ElhVsT/h5/WrQ8
+-----END CERTIFICATE-----
+
+# Issuer: O=RSA Security Inc OU=RSA Security 2048 V3
+# Subject: O=RSA Security Inc OU=RSA Security 2048 V3
+# Label: "RSA Security 2048 v3"
+# Serial: 13297492616345471454730593562152402946
+# MD5 Fingerprint: 77:0d:19:b1:21:fd:00:42:9c:3e:0c:a5:dd:0b:02:8e
+# SHA1 Fingerprint: 25:01:90:19:cf:fb:d9:99:1c:b7:68:25:74:8d:94:5f:30:93:95:42
+# SHA256 Fingerprint: af:8b:67:62:a1:e5:28:22:81:61:a9:5d:5c:55:9e:e2:66:27:8f:75:d7:9e:83:01:89:a5:03:50:6a:bd:6b:4c
+-----BEGIN CERTIFICATE-----
+MIIDYTCCAkmgAwIBAgIQCgEBAQAAAnwAAAAKAAAAAjANBgkqhkiG9w0BAQUFADA6
+MRkwFwYDVQQKExBSU0EgU2VjdXJpdHkgSW5jMR0wGwYDVQQLExRSU0EgU2VjdXJp
+dHkgMjA0OCBWMzAeFw0wMTAyMjIyMDM5MjNaFw0yNjAyMjIyMDM5MjNaMDoxGTAX
+BgNVBAoTEFJTQSBTZWN1cml0eSBJbmMxHTAbBgNVBAsTFFJTQSBTZWN1cml0eSAy
+MDQ4IFYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt49VcdKA3Xtp
+eafwGFAyPGJn9gqVB93mG/Oe2dJBVGutn3y+Gc37RqtBaB4Y6lXIL5F4iSj7Jylg
+/9+PjDvJSZu1pJTOAeo+tWN7fyb9Gd3AIb2E0S1PRsNO3Ng3OTsor8udGuorryGl
+wSMiuLgbWhOHV4PR8CDn6E8jQrAApX2J6elhc5SYcSa8LWrg903w8bYqODGBDSnh
+AMFRD0xS+ARaqn1y07iHKrtjEAMqs6FPDVpeRrc9DvV07Jmf+T0kgYim3WBU6JU2
+PcYJk5qjEoAAVZkZR73QpXzDuvsf9/UP+Ky5tfQ3mBMY3oVbtwyCO4dvlTlYMNpu
+AWgXIszACwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+BjAfBgNVHSMEGDAWgBQHw1EwpKrpRa41JPr/JCwz0LGdjDAdBgNVHQ4EFgQUB8NR
+MKSq6UWuNST6/yQsM9CxnYwwDQYJKoZIhvcNAQEFBQADggEBAF8+hnZuuDU8TjYc
+HnmYv/3VEhF5Ug7uMYm83X/50cYVIeiKAVQNOvtUudZj1LGqlk2iQk3UUx+LEN5/
+Zb5gEydxiKRz44Rj0aRV4VCT5hsOedBnvEbIvz8XDZXmxpBp3ue0L96VfdASPz0+
+f00/FGj1EVDVwfSQpQgdMWD/YIwjVAqv/qFuxdF6Kmh4zx6CCiC0H63lhbJqaHVO
+rSU3lIW+vaHU6rcMSzyd6BIA8F+sDeGscGNz9395nzIlQnQFgCi/vcEkllgVsRch
+6YlL2weIZ/QVrXA+L02FO8K32/6YaCOJ4XQP3vTFhGMpG8zLB8kApKnXwiJPZ9d3
+7CAFYd4=
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Global CA O=GeoTrust Inc.
+# Subject: CN=GeoTrust Global CA O=GeoTrust Inc.
+# Label: "GeoTrust Global CA"
+# Serial: 144470
+# MD5 Fingerprint: f7:75:ab:29:fb:51:4e:b7:77:5e:ff:05:3c:99:8e:f5
+# SHA1 Fingerprint: de:28:f4:a4:ff:e5:b9:2f:a3:c5:03:d1:a3:49:a7:f9:96:2a:82:12
+# SHA256 Fingerprint: ff:85:6a:2d:25:1d:cd:88:d3:66:56:f4:50:12:67:98:cf:ab:aa:de:40:79:9c:72:2d:e4:d2:b5:db:36:a7:3a
+-----BEGIN CERTIFICATE-----
+MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
+MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
+YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
+R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
+9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
+fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
+iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
+1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
+MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
+ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
+uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
+Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
+tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
+PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
+hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
+5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Global CA 2 O=GeoTrust Inc.
+# Subject: CN=GeoTrust Global CA 2 O=GeoTrust Inc.
+# Label: "GeoTrust Global CA 2"
+# Serial: 1
+# MD5 Fingerprint: 0e:40:a7:6c:de:03:5d:8f:d1:0f:e4:d1:8d:f9:6c:a9
+# SHA1 Fingerprint: a9:e9:78:08:14:37:58:88:f2:05:19:b0:6d:2b:0d:2b:60:16:90:7d
+# SHA256 Fingerprint: ca:2d:82:a0:86:77:07:2f:8a:b6:76:4f:f0:35:67:6c:fe:3e:5e:32:5e:01:21:72:df:3f:92:09:6d:b7:9b:85
+-----BEGIN CERTIFICATE-----
+MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEW
+MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3QgR2xvYmFs
+IENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMTkwMzA0MDUwMDAwWjBEMQswCQYDVQQG
+EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3Qg
+R2xvYmFsIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvPE1A
+PRDfO1MA4Wf+lGAVPoWI8YkNkMgoI5kF6CsgncbzYEbYwbLVjDHZ3CB5JIG/NTL8
+Y2nbsSpr7iFY8gjpeMtvy/wWUsiRxP89c96xPqfCfWbB9X5SJBri1WeR0IIQ13hL
+TytCOb1kLUCgsBDTOEhGiKEMuzozKmKY+wCdE1l/bztyqu6mD4b5BWHqZ38MN5aL
+5mkWRxHCJ1kDs6ZgwiFAVvqgx306E+PsV8ez1q6diYD3Aecs9pYrEw15LNnA5IZ7
+S4wMcoKK+xfNAGw6EzywhIdLFnopsk/bHdQL82Y3vdj2V7teJHq4PIu5+pIaGoSe
+2HSPqht/XvT+RSIhAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
+FHE4NvICMVNHK266ZUapEBVYIAUJMB8GA1UdIwQYMBaAFHE4NvICMVNHK266ZUap
+EBVYIAUJMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQUFAAOCAQEAA/e1K6td
+EPx7srJerJsOflN4WT5CBP51o62sgU7XAotexC3IUnbHLB/8gTKY0UvGkpMzNTEv
+/NgdRN3ggX+d6YvhZJFiCzkIjKx0nVnZellSlxG5FntvRdOW2TF9AjYPnDtuzywN
+A0ZF66D0f0hExghAzN4bcLUprbqLOzRldRtxIR0sFAqwlpW41uryZfspuk/qkZN0
+abby/+Ea0AzRdoXLiiW9l14sbxWZJue2Kf8i7MkCx1YAzUm5s2x7UwQa4qjJqhIF
+I8LO57sEAszAR6LkxCkvW0VXiVHuPOtSCP8HNR6fNWpHSlaY0VqFH4z1Ir+rzoPz
+4iIprn2DQKi6bA==
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Universal CA O=GeoTrust Inc.
+# Subject: CN=GeoTrust Universal CA O=GeoTrust Inc.
+# Label: "GeoTrust Universal CA"
+# Serial: 1
+# MD5 Fingerprint: 92:65:58:8b:a2:1a:31:72:73:68:5c:b4:a5:7a:07:48
+# SHA1 Fingerprint: e6:21:f3:35:43:79:05:9a:4b:68:30:9d:8a:2f:74:22:15:87:ec:79
+# SHA256 Fingerprint: a0:45:9b:9f:63:b2:25:59:f5:fa:5d:4c:6d:b3:f9:f7:2f:f1:93:42:03:35:78:f0:73:bf:1d:1b:46:cb:b9:12
+-----BEGIN CERTIFICATE-----
+MIIFaDCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEW
+MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgVW5pdmVy
+c2FsIENBMB4XDTA0MDMwNDA1MDAwMFoXDTI5MDMwNDA1MDAwMFowRTELMAkGA1UE
+BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHjAcBgNVBAMTFUdlb1RydXN0
+IFVuaXZlcnNhbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKYV
+VaCjxuAfjJ0hUNfBvitbtaSeodlyWL0AG0y/YckUHUWCq8YdgNY96xCcOq9tJPi8
+cQGeBvV8Xx7BDlXKg5pZMK4ZyzBIle0iN430SppyZj6tlcDgFgDgEB8rMQ7XlFTT
+QjOgNB0eRXbdT8oYN+yFFXoZCPzVx5zw8qkuEKmS5j1YPakWaDwvdSEYfyh3peFh
+F7em6fgemdtzbvQKoiFs7tqqhZJmr/Z6a4LauiIINQ/PQvE1+mrufislzDoR5G2v
+c7J2Ha3QsnhnGqQ5HFELZ1aD/ThdDc7d8Lsrlh/eezJS/R27tQahsiFepdaVaH/w
+mZ7cRQg+59IJDTWU3YBOU5fXtQlEIGQWFwMCTFMNaN7VqnJNk22CDtucvc+081xd
+VHppCZbW2xHBjXWotM85yM48vCR85mLK4b19p71XZQvk/iXttmkQ3CgaRr0BHdCX
+teGYO8A3ZNY9lO4L4fUorgtWv3GLIylBjobFS1J72HGrH4oVpjuDWtdYAVHGTEHZ
+f9hBZ3KiKN9gg6meyHv8U3NyWfWTehd2Ds735VzZC1U0oqpbtWpU5xPKV+yXbfRe
+Bi9Fi1jUIxaS5BZuKGNZMN9QAZxjiRqf2xeUgnA3wySemkfWWspOqGmJch+RbNt+
+nhutxx9z3SxPGWX9f5NAEC7S8O08ni4oPmkmM8V7AgMBAAGjYzBhMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFNq7LqqwDLiIJlF0XG0D08DYj3rWMB8GA1UdIwQY
+MBaAFNq7LqqwDLiIJlF0XG0D08DYj3rWMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
+9w0BAQUFAAOCAgEAMXjmx7XfuJRAyXHEqDXsRh3ChfMoWIawC/yOsjmPRFWrZIRc
+aanQmjg8+uUfNeVE44B5lGiku8SfPeE0zTBGi1QrlaXv9z+ZhP015s8xxtxqv6fX
+IwjhmF7DWgh2qaavdy+3YL1ERmrvl/9zlcGO6JP7/TG37FcREUWbMPEaiDnBTzyn
+ANXH/KttgCJwpQzgXQQpAvvLoJHRfNbDflDVnVi+QTjruXU8FdmbyUqDWcDaU/0z
+uzYYm4UPFd3uLax2k7nZAY1IEKj79TiG8dsKxr2EoyNB3tZ3b4XUhRxQ4K5RirqN
+Pnbiucon8l+f725ZDQbYKxek0nxru18UGkiPGkzns0ccjkxFKyDuSN/n3QmOGKja
+QI2SJhFTYXNd673nxE0pN2HrrDktZy4W1vUAg4WhzH92xH3kt0tm7wNFYGm2DFKW
+koRepqO1pD4r2czYG0eq8kTaT/kD6PAUyz/zg97QwVTjt+gKN02LIFkDMBmhLMi9
+ER/frslKxfMnZmaGrGiR/9nmUxwPi1xpZQomyB40w11Re9epnAahNt3ViZS82eQt
+DF4JbAiXfKM9fJP/P6EUp8+1Xevb2xzEdt+Iub1FBZUbrvxGakyvSOPOrg/Sfuvm
+bJxPgWp6ZKy7PtXny3YuxadIwVyQD8vIP/rmMuGNG2+k5o7Y+SlIis5z/iw=
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Universal CA 2 O=GeoTrust Inc.
+# Subject: CN=GeoTrust Universal CA 2 O=GeoTrust Inc.
+# Label: "GeoTrust Universal CA 2"
+# Serial: 1
+# MD5 Fingerprint: 34:fc:b8:d0:36:db:9e:14:b3:c2:f2:db:8f:e4:94:c7
+# SHA1 Fingerprint: 37:9a:19:7b:41:85:45:35:0c:a6:03:69:f3:3c:2e:af:47:4f:20:79
+# SHA256 Fingerprint: a0:23:4f:3b:c8:52:7c:a5:62:8e:ec:81:ad:5d:69:89:5d:a5:68:0d:c9:1d:1c:b8:47:7f:33:f8:78:b9:5b:0b
+-----BEGIN CERTIFICATE-----
+MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEW
+MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVy
+c2FsIENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYD
+VQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1
+c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0DE81
+WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUG
+FF+3Qs17j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdq
+XbboW0W63MOhBW9Wjo8QJqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxL
+se4YuU6W3Nx2/zu+z18DwPw76L5GG//aQMJS9/7jOvdqdzXQ2o3rXhhqMcceujwb
+KNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2WP0+GfPtDCapkzj4T8Fd
+IgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP20gaXT73
+y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRt
+hAAnZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgoc
+QIgfksILAAX/8sgCSqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4
+Lt1ZrtmhN79UNdxzMk+MBB4zsslG8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAfBgNV
+HSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z
+dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQ
+L1EuxBRa3ugZ4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgr
+Fg5fNuH8KrUwJM/gYwx7WBr+mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSo
+ag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpqA1Ihn0CoZ1Dy81of398j9tx4TuaY
+T1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpgY+RdM4kX2TGq2tbz
+GDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiPpm8m
+1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJV
+OCiNUW7dFGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH
+6aLcr34YEoP9VhdBLtUpgn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwX
+QMAJKOSLakhT2+zNVVXxxvjpoixMptEmX36vWkzaH6byHCx+rgIW0lbQL1dTR+iS
+-----END CERTIFICATE-----
+
+# Issuer: CN=America Online Root Certification Authority 1 O=America Online Inc.
+# Subject: CN=America Online Root Certification Authority 1 O=America Online Inc.
+# Label: "America Online Root Certification Authority 1"
+# Serial: 1
+# MD5 Fingerprint: 14:f1:08:ad:9d:fa:64:e2:89:e7:1c:cf:a8:ad:7d:5e
+# SHA1 Fingerprint: 39:21:c1:15:c1:5d:0e:ca:5c:cb:5b:c4:f0:7d:21:d8:05:0b:56:6a
+# SHA256 Fingerprint: 77:40:73:12:c6:3a:15:3d:5b:c0:0b:4e:51:75:9c:df:da:c2:37:dc:2a:33:b6:79:46:e9:8e:9b:fa:68:0a:e3
+-----BEGIN CERTIFICATE-----
+MIIDpDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP
+bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAxMB4XDTAyMDUyODA2
+MDAwMFoXDTM3MTExOTIwNDMwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft
+ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKgv6KRpBgNHw+kqmP8ZonCaxlCyfqXfaE0bfA+2l2h9LaaLl+lk
+hsmj76CGv2BlnEtUiMJIxUo5vxTjWVXlGbR0yLQFOVwWpeKVBeASrlmLojNoWBym
+1BW32J/X3HGrfpq/m44zDyL9Hy7nBzbvYjnF3cu6JRQj3gzGPTzOggjmZj7aUTsW
+OqMFf6Dch9Wc/HKpoH145LcxVR5lu9RhsCFg7RAycsWSJR74kEoYeEfffjA3PlAb
+2xzTa5qGUwew76wGePiEmf4hjUyAtgyC9mZweRrTT6PP8c9GsEsPPt2IYriMqQko
+O3rHl+Ee5fSfwMCuJKDIodkP1nsmgmkyPacCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUAK3Zo/Z59m50qX8zPYEX10zPM94wHwYDVR0jBBgwFoAU
+AK3Zo/Z59m50qX8zPYEX10zPM94wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+BQUAA4IBAQB8itEfGDeC4Liwo+1WlchiYZwFos3CYiZhzRAW18y0ZTTQEYqtqKkF
+Zu90821fnZmv9ov761KyBZiibyrFVL0lvV+uyIbqRizBs73B6UlwGBaXCBOMIOAb
+LjpHyx7kADCVW/RFo8AasAFOq73AI25jP4BKxQft3OJvx8Fi8eNy1gTIdGcL+oir
+oQHIb/AUr9KZzVGTfu0uOMe9zkZQPXLjeSWdm4grECDdpbgyn43gKd8hdIaC2y+C
+MMbHNYaz+ZZfRtsMRf3zUMNvxsNIrUam4SdHCh0Om7bCd39j8uB9Gr784N/Xx6ds
+sPmuujz9dLQR6FgNgLzTqIA6me11zEZ7
+-----END CERTIFICATE-----
+
+# Issuer: CN=America Online Root Certification Authority 2 O=America Online Inc.
+# Subject: CN=America Online Root Certification Authority 2 O=America Online Inc.
+# Label: "America Online Root Certification Authority 2"
+# Serial: 1
+# MD5 Fingerprint: d6:ed:3c:ca:e2:66:0f:af:10:43:0d:77:9b:04:09:bf
+# SHA1 Fingerprint: 85:b5:ff:67:9b:0c:79:96:1f:c8:6e:44:22:00:46:13:db:17:92:84
+# SHA256 Fingerprint: 7d:3b:46:5a:60:14:e5:26:c0:af:fc:ee:21:27:d2:31:17:27:ad:81:1c:26:84:2d:00:6a:f3:73:06:cc:80:bd
+-----BEGIN CERTIFICATE-----
+MIIFpDCCA4ygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP
+bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTAyMDUyODA2
+MDAwMFoXDTM3MDkyOTE0MDgwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft
+ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+ADCCAgoCggIBAMxBRR3pPU0Q9oyxQcngXssNt79Hc9PwVU3dxgz6sWYFas14tNwC
+206B89enfHG8dWOgXeMHDEjsJcQDIPT/DjsS/5uN4cbVG7RtIuOx238hZK+GvFci
+KtZHgVdEglZTvYYUAQv8f3SkWq7xuhG1m1hagLQ3eAkzfDJHA1zEpYNI9FdWboE2
+JxhP7JsowtS013wMPgwr38oE18aO6lhOqKSlGBxsRZijQdEt0sdtjRnxrXm3gT+9
+BoInLRBYBbV4Bbkv2wxrkJB+FFk4u5QkE+XRnRTf04JNRvCAOVIyD+OEsnpD8l7e
+Xz8d3eOyG6ChKiMDbi4BFYdcpnV1x5dhvt6G3NRI270qv0pV2uh9UPu0gBe4lL8B
+PeraunzgWGcXuVjgiIZGZ2ydEEdYMtA1fHkqkKJaEBEjNa0vzORKW6fIJ/KD3l67
+Xnfn6KVuY8INXWHQjNJsWiEOyiijzirplcdIz5ZvHZIlyMbGwcEMBawmxNJ10uEq
+Z8A9W6Wa6897GqidFEXlD6CaZd4vKL3Ob5Rmg0gp2OpljK+T2WSfVVcmv2/LNzGZ
+o2C7HK2JNDJiuEMhBnIMoVxtRsX6Kc8w3onccVvdtjc+31D1uAclJuW8tf48ArO3
++L5DwYcRlJ4jbBeKuIonDFRH8KmzwICMoCfrHRnjB453cMor9H124HhnAgMBAAGj
+YzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE1FwWg4u3OpaaEg5+31IqEj
+FNeeMB8GA1UdIwQYMBaAFE1FwWg4u3OpaaEg5+31IqEjFNeeMA4GA1UdDwEB/wQE
+AwIBhjANBgkqhkiG9w0BAQUFAAOCAgEAZ2sGuV9FOypLM7PmG2tZTiLMubekJcmn
+xPBUlgtk87FYT15R/LKXeydlwuXK5w0MJXti4/qftIe3RUavg6WXSIylvfEWK5t2
+LHo1YGwRgJfMqZJS5ivmae2p+DYtLHe/YUjRYwu5W1LtGLBDQiKmsXeu3mnFzccc
+obGlHBD7GL4acN3Bkku+KVqdPzW+5X1R+FXgJXUjhx5c3LqdsKyzadsXg8n33gy8
+CNyRnqjQ1xU3c6U1uPx+xURABsPr+CKAXEfOAuMRn0T//ZoyzH1kUQ7rVyZ2OuMe
+IjzCpjbdGe+n/BLzJsBZMYVMnNjP36TMzCmT/5RtdlwTCJfy7aULTd3oyWgOZtMA
+DjMSW7yV5TKQqLPGbIOtd+6Lfn6xqavT4fG2wLHqiMDn05DpKJKUe2h7lyoKZy2F
+AjgQ5ANh1NolNscIWC2hp1GvMApJ9aZphwctREZ2jirlmjvXGKL8nDgQzMY70rUX
+Om/9riW99XJZZLF0KjhfGEzfz3EEWjbUvy+ZnOjZurGV5gJLIaFb1cFPj65pbVPb
+AZO1XB4Y3WRayhgoPmMEEf0cjQAPuDffZ4qdZqkCapH/E8ovXYO8h5Ns3CRRFgQl
+Zvqz2cK6Kb6aSDiCmfS/O0oxGfm/jiEzFMpPVF/7zvuPcX/9XhmgD0uRuMRUvAaw
+RY8mkaKO/qk=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Visa eCommerce Root O=VISA OU=Visa International Service Association
+# Subject: CN=Visa eCommerce Root O=VISA OU=Visa International Service Association
+# Label: "Visa eCommerce Root"
+# Serial: 25952180776285836048024890241505565794
+# MD5 Fingerprint: fc:11:b8:d8:08:93:30:00:6d:23:f9:7e:eb:52:1e:02
+# SHA1 Fingerprint: 70:17:9b:86:8c:00:a4:fa:60:91:52:22:3f:9f:3e:32:bd:e0:05:62
+# SHA256 Fingerprint: 69:fa:c9:bd:55:fb:0a:c7:8d:53:bb:ee:5c:f1:d5:97:98:9f:d0:aa:ab:20:a2:51:51:bd:f1:73:3e:e7:d1:22
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIQE4Y1TR0/BvLB+WUF1ZAcYjANBgkqhkiG9w0BAQUFADBr
+MQswCQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRl
+cm5hdGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNv
+bW1lcmNlIFJvb3QwHhcNMDIwNjI2MDIxODM2WhcNMjIwNjI0MDAxNjEyWjBrMQsw
+CQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRlcm5h
+dGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNvbW1l
+cmNlIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvV95WHm6h
+2mCxlCfLF9sHP4CFT8icttD0b0/Pmdjh28JIXDqsOTPHH2qLJj0rNfVIsZHBAk4E
+lpF7sDPwsRROEW+1QK8bRaVK7362rPKgH1g/EkZgPI2h4H3PVz4zHvtH8aoVlwdV
+ZqW1LS7YgFmypw23RuwhY/81q6UCzyr0TP579ZRdhE2o8mCP2w4lPJ9zcc+U30rq
+299yOIzzlr3xF7zSujtFWsan9sYXiwGd/BmoKoMWuDpI/k4+oKsGGelT84ATB+0t
+vz8KPFUgOSwsAGl0lUq8ILKpeeUYiZGo3BxN77t+Nwtd/jmliFKMAGzsGHxBvfaL
+dXe6YJ2E5/4tAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
+AgEGMB0GA1UdDgQWBBQVOIMPPyw/cDMezUb+B4wg4NfDtzANBgkqhkiG9w0BAQUF
+AAOCAQEAX/FBfXxcCLkr4NWSR/pnXKUTwwMhmytMiUbPWU3J/qVAtmPN3XEolWcR
+zCSs00Rsca4BIGsDoo8Ytyk6feUWYFN4PMCvFYP3j1IzJL1kk5fui/fbGKhtcbP3
+LBfQdCVp9/5rPJS+TUtBjE7ic9DjkCJzQ83z7+pzzkWKsKZJ/0x9nXGIxHYdkFsd
+7v3M9+79YKWxehZx0RbQfBI8bGmX265fOZpwLwU8GUYEmSA20GBuYQa7FkKMcPcw
+++DbZqMAAb3mLNqRX6BGi01qnD093QVG/na/oAo85ADmJ7f/hC3euiInlhBx6yLt
+398znM/jra6O1I7mT1GvFpLgXPYHDw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Certum CA O=Unizeto Sp. z o.o.
+# Subject: CN=Certum CA O=Unizeto Sp. z o.o.
+# Label: "Certum Root CA"
+# Serial: 65568
+# MD5 Fingerprint: 2c:8f:9f:66:1d:18:90:b1:47:26:9d:8e:86:82:8c:a9
+# SHA1 Fingerprint: 62:52:dc:40:f7:11:43:a2:2f:de:9e:f7:34:8e:06:42:51:b1:81:18
+# SHA256 Fingerprint: d8:e0:fe:bc:1d:b2:e3:8d:00:94:0f:37:d2:7d:41:34:4d:99:3e:73:4b:99:d5:65:6d:97:78:d4:d8:14:36:24
+-----BEGIN CERTIFICATE-----
+MIIDDDCCAfSgAwIBAgIDAQAgMA0GCSqGSIb3DQEBBQUAMD4xCzAJBgNVBAYTAlBM
+MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD
+QTAeFw0wMjA2MTExMDQ2MzlaFw0yNzA2MTExMDQ2MzlaMD4xCzAJBgNVBAYTAlBM
+MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6xwS7TT3zNJc4YPk/E
+jG+AanPIW1H4m9LcuwBcsaD8dQPugfCI7iNS6eYVM42sLQnFdvkrOYCJ5JdLkKWo
+ePhzQ3ukYbDYWMzhbGZ+nPMJXlVjhNWo7/OxLjBos8Q82KxujZlakE403Daaj4GI
+ULdtlkIJ89eVgw1BS7Bqa/j8D35in2fE7SZfECYPCE/wpFcozo+47UX2bu4lXapu
+Ob7kky/ZR6By6/qmW6/KUz/iDsaWVhFu9+lmqSbYf5VT7QqFiLpPKaVCjF62/IUg
+AKpoC6EahQGcxEZjgoi2IrHu/qpGWX7PNSzVttpd90gzFFS269lvzs2I1qsb2pY7
+HVkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA
+uI3O7+cUus/usESSbLQ5PqKEbq24IXfS1HeCh+YgQYHu4vgRt2PRFze+GXYkHAQa
+TOs9qmdvLdTN/mUxcMUbpgIKumB7bVjCmkn+YzILa+M6wKyrO7Do0wlRjBCDxjTg
+xSvgGrZgFCdsMneMvLJymM/NzD+5yCRCFNZX/OYmQ6kd5YCQzgNUKD73P9P4Te1q
+CjqTE5s7FCMTY5w/0YcneeVMUeMBrYVdGjux1XMQpNPyvG5k9VpWkKjHDkx0Dy5x
+O/fIR/RpbxXyEV6DHpx8Uq79AtoSqFlnGNu8cN2bsWntgM6JQEhqDjXKKWYVIZQs
+6GAqm4VKQPNriiTsBhYscw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=AAA Certificate Services O=Comodo CA Limited
+# Subject: CN=AAA Certificate Services O=Comodo CA Limited
+# Label: "Comodo AAA Services root"
+# Serial: 1
+# MD5 Fingerprint: 49:79:04:b0:eb:87:19:ac:47:b0:bc:11:51:9b:74:d0
+# SHA1 Fingerprint: d1:eb:23:a4:6d:17:d6:8f:d9:25:64:c2:f1:f1:60:17:64:d8:e3:49
+# SHA256 Fingerprint: d7:a7:a0:fb:5d:7e:27:31:d7:71:e9:48:4e:bc:de:f7:1d:5f:0c:3e:0a:29:48:78:2b:c8:3e:e0:ea:69:9e:f4
+-----BEGIN CERTIFICATE-----
+MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
+MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
+GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
+YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
+MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
+BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
+GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
+BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
+3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
+YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
+rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
+ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
+oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
+MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
+QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
+b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
+AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
+GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
+Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
+G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
+l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
+smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Secure Certificate Services O=Comodo CA Limited
+# Subject: CN=Secure Certificate Services O=Comodo CA Limited
+# Label: "Comodo Secure Services root"
+# Serial: 1
+# MD5 Fingerprint: d3:d9:bd:ae:9f:ac:67:24:b3:c8:1b:52:e1:b9:a9:bd
+# SHA1 Fingerprint: 4a:65:d5:f4:1d:ef:39:b8:b8:90:4a:4a:d3:64:81:33:cf:c7:a1:d1
+# SHA256 Fingerprint: bd:81:ce:3b:4f:65:91:d1:1a:67:b5:fc:7a:47:fd:ef:25:52:1b:f9:aa:4e:18:b9:e3:df:2e:34:a7:80:3b:e8
+-----BEGIN CERTIFICATE-----
+MIIEPzCCAyegAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJHQjEb
+MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
+GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEkMCIGA1UEAwwbU2VjdXJlIENlcnRp
+ZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVow
+fjELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxJDAiBgNV
+BAMMG1NlY3VyZSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMBxM4KK0HDrc4eCQNUd5MvJDkKQ+d40uaG6EfQlhfPM
+cm3ye5drswfxdySRXyWP9nQ95IDC+DwN879A6vfIUtFyb+/Iq0G4bi4XKpVpDM3S
+HpR7LZQdqnXXs5jLrLxkU0C8j6ysNstcrbvd4JQX7NFc0L/vpZXJkMWwrPsbQ996
+CF23uPJAGysnnlDOXmWCiIxe004MeuoIkbY2qitC++rCoznl2yY4rYsK7hljxxwk
+3wN42ubqwUcaCwtGCd0C/N7Lh1/XMGNooa7cMqG6vv5Eq2i2pRcV/b3Vp6ea5EQz
+6YiO/O1R65NxTq0B50SOqy3LqP4BSUjwwN3HaNiS/j0CAwEAAaOBxzCBxDAdBgNV
+HQ4EFgQUPNiTiMLAggnMAZkGkyDpnnAJY08wDgYDVR0PAQH/BAQDAgEGMA8GA1Ud
+EwEB/wQFMAMBAf8wgYEGA1UdHwR6MHgwO6A5oDeGNWh0dHA6Ly9jcmwuY29tb2Rv
+Y2EuY29tL1NlY3VyZUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDmgN6A1hjNodHRw
+Oi8vY3JsLmNvbW9kby5uZXQvU2VjdXJlQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmww
+DQYJKoZIhvcNAQEFBQADggEBAIcBbSMdflsXfcFhMs+P5/OKlFlm4J4oqF7Tt/Q0
+5qo5spcWxYJvMqTpjOev/e/C6LlLqqP05tqNZSH7uoDrJiiFGv45jN5bBAS0VPmj
+Z55B+glSzAVIqMk/IQQezkhr/IXownuvf7fM+F86/TXGDe+X3EyrEeFryzHRbPtI
+gKvcnDe4IRRLDXE97IMzbtFuMhbsmMcWi1mmNKsFVy2T96oTy9IT4rcuO81rUBcJ
+aD61JlfutuC23bkpgHl9j6PwpCikFcSF9CfUa7/lXORlAnZUtOM3ZiTTGWHIUhDl
+izeauan5Hb/qmZJhlv8BzaFfDbxxvA6sCx1HRR3B7Hzs/Sk=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Trusted Certificate Services O=Comodo CA Limited
+# Subject: CN=Trusted Certificate Services O=Comodo CA Limited
+# Label: "Comodo Trusted Services root"
+# Serial: 1
+# MD5 Fingerprint: 91:1b:3f:6e:cd:9e:ab:ee:07:fe:1f:71:d2:b3:61:27
+# SHA1 Fingerprint: e1:9f:e3:0e:8b:84:60:9e:80:9b:17:0d:72:a8:c5:ba:6e:14:09:bd
+# SHA256 Fingerprint: 3f:06:e5:56:81:d4:96:f5:be:16:9e:b5:38:9f:9f:2b:8f:f6:1e:17:08:df:68:81:72:48:49:cd:5d:27:cb:69
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJHQjEb
+MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
+GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDElMCMGA1UEAwwcVHJ1c3RlZCBDZXJ0
+aWZpY2F0ZSBTZXJ2aWNlczAeFw0wNDAxMDEwMDAwMDBaFw0yODEyMzEyMzU5NTla
+MH8xCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
+BgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSUwIwYD
+VQQDDBxUcnVzdGVkIENlcnRpZmljYXRlIFNlcnZpY2VzMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA33FvNlhTWvI2VFeAxHQIIO0Yfyod5jWaHiWsnOWW
+fnJSoBVC21ndZHoa0Lh73TkVvFVIxO06AOoxEbrycXQaZ7jPM8yoMa+j49d/vzMt
+TGo87IvDktJTdyR0nAducPy9C1t2ul/y/9c3S0pgePfw+spwtOpZqqPOSC+pw7IL
+fhdyFgymBwwbOM/JYrc/oJOlh0Hyt3BAd9i+FHzjqMB6juljatEPmsbS9Is6FARW
+1O24zG71++IsWL1/T2sr92AkWCTOJu80kTrV44HQsvAEAtdbtz6SrGsSivnkBbA7
+kUlcsutT6vifR4buv5XAwAaf0lteERv0xwQ1KdJVXOTt6wIDAQABo4HJMIHGMB0G
+A1UdDgQWBBTFe1i97doladL3WRaoszLAeydb9DAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zCBgwYDVR0fBHwwejA8oDqgOIY2aHR0cDovL2NybC5jb21v
+ZG9jYS5jb20vVHJ1c3RlZENlcnRpZmljYXRlU2VydmljZXMuY3JsMDqgOKA2hjRo
+dHRwOi8vY3JsLmNvbW9kby5uZXQvVHJ1c3RlZENlcnRpZmljYXRlU2VydmljZXMu
+Y3JsMA0GCSqGSIb3DQEBBQUAA4IBAQDIk4E7ibSvuIQSTI3S8NtwuleGFTQQuS9/
+HrCoiWChisJ3DFBKmwCL2Iv0QeLQg4pKHBQGsKNoBXAxMKdTmw7pSqBYaWcOrp32
+pSxBvzwGa+RZzG0Q8ZZvH9/0BAKkn0U+yNj6NkZEUD+Cl5EfKNsYEYwq5GWDVxIS
+jBc/lDb+XbDABHcTuPQV1T84zJQ6VdCsmPW6AF/ghhmBeC8owH7TzEIK9a5QoNE+
+xqFx7D+gIIxmOom0jtTYsU0lR+4viMi14QVFwL4Ucd56/Y57fU0IlqUSc/Atyjcn
+dBInTMu2l+nZrghtWjlA3QVHdWpaIbOjGM9O9y5Xt5hwXsjEeLBi
+-----END CERTIFICATE-----
+
+# Issuer: CN=QuoVadis Root Certification Authority O=QuoVadis Limited OU=Root Certification Authority
+# Subject: CN=QuoVadis Root Certification Authority O=QuoVadis Limited OU=Root Certification Authority
+# Label: "QuoVadis Root CA"
+# Serial: 985026699
+# MD5 Fingerprint: 27:de:36:fe:72:b7:00:03:00:9d:f4:f0:1e:6c:04:24
+# SHA1 Fingerprint: de:3f:40:bd:50:93:d3:9b:6c:60:f6:da:bc:07:62:01:00:89:76:c9
+# SHA256 Fingerprint: a4:5e:de:3b:bb:f0:9c:8a:e1:5c:72:ef:c0:72:68:d6:93:a2:1c:99:6f:d5:1e:67:ca:07:94:60:fd:6d:88:73
+-----BEGIN CERTIFICATE-----
+MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC
+TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz
+MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw
+IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR
+dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp
+li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D
+rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ
+WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug
+F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU
+xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC
+Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv
+dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw
+ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl
+IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh
+c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy
+ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh
+Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI
+KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T
+KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq
+y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p
+dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD
+VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk
+fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8
+7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R
+cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y
+mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW
+xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK
+SnQ2+Q==
+-----END CERTIFICATE-----
+
+# Issuer: CN=QuoVadis Root CA 2 O=QuoVadis Limited
+# Subject: CN=QuoVadis Root CA 2 O=QuoVadis Limited
+# Label: "QuoVadis Root CA 2"
+# Serial: 1289
+# MD5 Fingerprint: 5e:39:7b:dd:f8:ba:ec:82:e9:ac:62:ba:0c:54:00:2b
+# SHA1 Fingerprint: ca:3a:fb:cf:12:40:36:4b:44:b2:16:20:88:80:48:39:19:93:7c:f7
+# SHA256 Fingerprint: 85:a0:dd:7d:d7:20:ad:b7:ff:05:f8:3d:54:2b:20:9d:c7:ff:45:28:f7:d6:77:b1:83:89:fe:a5:e5:c4:9e:86
+-----BEGIN CERTIFICATE-----
+MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
+GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
+b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
+BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
+YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
+GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
+Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
+WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
+rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
++ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
+ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
+Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
+PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
+/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
+oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
+yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
+EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
+A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
+MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
+ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
+BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
+g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
+fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
+WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
+B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
+hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
+TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
+mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
+ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
+4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
+8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
+-----END CERTIFICATE-----
+
+# Issuer: CN=QuoVadis Root CA 3 O=QuoVadis Limited
+# Subject: CN=QuoVadis Root CA 3 O=QuoVadis Limited
+# Label: "QuoVadis Root CA 3"
+# Serial: 1478
+# MD5 Fingerprint: 31:85:3c:62:94:97:63:b9:aa:fd:89:4e:af:6f:e0:cf
+# SHA1 Fingerprint: 1f:49:14:f7:d8:74:95:1d:dd:ae:02:c0:be:fd:3a:2d:82:75:51:85
+# SHA256 Fingerprint: 18:f1:fc:7f:20:5d:f8:ad:dd:eb:7f:e0:07:dd:57:e3:af:37:5a:9c:4d:8d:73:54:6b:f4:f1:fe:d1:e1:8d:35
+-----BEGIN CERTIFICATE-----
+MIIGnTCCBIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
+GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
+b3QgQ0EgMzAeFw0wNjExMjQxOTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNV
+BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
+YWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDM
+V0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0CSzGrvI2RaNggDhoB
+4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2/7FWeUUr
+H556VOijKTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd
+8lyyBTNvijbO0BNO/79KDDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9Cabwv
+vWhDFlaJKjdhkf2mrk7AyxRllDdLkgbvBNDInIjbC3uBr7E9KsRlOni27tyAsdLT
+mZw67mtaa7ONt9XOnMK+pUsvFrGeaDsGb659n/je7Mwpp5ijJUMv7/FfJuGITfhe
+btfZFG4ZM2mnO4SJk8RTVROhUXhA+LjJou57ulJCg54U7QVSWllWp5f8nT8KKdjc
+T5EOE7zelaTfi5m+rJsziO+1ga8bxiJTyPbH7pcUsMV8eFLI8M5ud2CEpukqdiDt
+WAEXMJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgic6aIDFUhWMXhOp8q3crhkODZ
+c6tsgLjoC2SToJyMGf+z0gzskSaHirOi4XCPLArlzW1oUevaPwV/izLmE1xr/l9A
+4iLItLRkT9a6fUg+qGkM17uGcclzuD87nSVL2v9A6wIDAQABo4IBlTCCAZEwDwYD
+VR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHTBgkrBgEEAb5YAAMwgcUwgZMG
+CCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGNvbnN0
+aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0
+aWZpY2F0ZSBQb2xpY3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVu
+dC4wLQYIKwYBBQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2Nw
+czALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFPLAE+CCQz777i9nMpY1XNu4ywLQMG4G
+A1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4ywLQoUmkRzBFMQswCQYDVQQGEwJC
+TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UEAxMSUXVvVmFkaXMg
+Um9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv92ZVqyM0
+7ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSem
+d1o417+shvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd
++LJ2w/w4E6oM3kJpK27zPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B
+4f/xI4hROJ/yZlZ25w9Rl6VSDE1JUZU2Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadN
+t54CrnMAyNojA+j56hl0YgCUyyIgvpSnWbWCar6ZeXqp8kokUvd0/bpO5qgdAm6x
+DYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8nby1dqnuH/grdS/yO9SbkbnBCbjPsMZ57
+k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs9ZgC06DYVYoGmRmioHfRMJ6s
+zHXug/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgWQgRecCocIdiP4b0j
+Wy10QJLZYxkNc91pvGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeT
+mJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK
+4SVhM7JZG+Ju1zdXtg2pEto=
+-----END CERTIFICATE-----
+
+# Issuer: O=SECOM Trust.net OU=Security Communication RootCA1
+# Subject: O=SECOM Trust.net OU=Security Communication RootCA1
+# Label: "Security Communication Root CA"
+# Serial: 0
+# MD5 Fingerprint: f1:bc:63:6a:54:e0:b5:27:f5:cd:e7:1a:e3:4d:6e:4a
+# SHA1 Fingerprint: 36:b1:2b:49:f9:81:9e:d7:4c:9e:bc:38:0f:c6:56:8f:5d:ac:b2:f7
+# SHA256 Fingerprint: e7:5e:72:ed:9f:56:0e:ec:6e:b4:80:00:73:a4:3f:c3:ad:19:19:5a:39:22:82:01:78:95:97:4a:99:02:6b:6c
+-----BEGIN CERTIFICATE-----
+MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY
+MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t
+dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5
+WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD
+VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8
+9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ
+DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9
+Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N
+QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ
+xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G
+A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG
+kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr
+Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5
+Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU
+JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
+RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Sonera Class2 CA O=Sonera
+# Subject: CN=Sonera Class2 CA O=Sonera
+# Label: "Sonera Class 2 Root CA"
+# Serial: 29
+# MD5 Fingerprint: a3:ec:75:0f:2e:88:df:fa:48:01:4e:0b:5c:48:6f:fb
+# SHA1 Fingerprint: 37:f7:6d:e6:07:7c:90:c5:b1:3e:93:1a:b7:41:10:b4:f2:e4:9a:27
+# SHA256 Fingerprint: 79:08:b4:03:14:c1:38:10:0b:51:8d:07:35:80:7f:fb:fc:f8:51:8a:00:95:33:71:05:ba:38:6b:15:3d:d9:27
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
+MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
+MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
+BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
+Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
+5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
+3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
+vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
+8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
+DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
+MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
+zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
+3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
+FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
+Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
+ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
+-----END CERTIFICATE-----
+
+# Issuer: CN=Staat der Nederlanden Root CA O=Staat der Nederlanden
+# Subject: CN=Staat der Nederlanden Root CA O=Staat der Nederlanden
+# Label: "Staat der Nederlanden Root CA"
+# Serial: 10000010
+# MD5 Fingerprint: 60:84:7c:5a:ce:db:0c:d4:cb:a7:e9:fe:02:c6:a9:c0
+# SHA1 Fingerprint: 10:1d:fa:3f:d5:0b:cb:bb:9b:b5:60:0c:19:55:a4:1a:f4:73:3a:04
+# SHA256 Fingerprint: d4:1d:82:9e:8c:16:59:82:2a:f9:3f:ce:62:bf:fc:de:26:4f:c8:4e:8b:95:0c:5f:f2:75:d0:52:35:46:95:a3
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgIEAJiWijANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJO
+TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSYwJAYDVQQDEx1TdGFh
+dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQTAeFw0wMjEyMTcwOTIzNDlaFw0xNTEy
+MTYwOTE1MzhaMFUxCzAJBgNVBAYTAk5MMR4wHAYDVQQKExVTdGFhdCBkZXIgTmVk
+ZXJsYW5kZW4xJjAkBgNVBAMTHVN0YWF0IGRlciBOZWRlcmxhbmRlbiBSb290IENB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmNK1URF6gaYUmHFtvszn
+ExvWJw56s2oYHLZhWtVhCb/ekBPHZ+7d89rFDBKeNVU+LCeIQGv33N0iYfXCxw71
+9tV2U02PjLwYdjeFnejKScfST5gTCaI+Ioicf9byEGW07l8Y1Rfj+MX94p2i71MO
+hXeiD+EwR+4A5zN9RGcaC1Hoi6CeUJhoNFIfLm0B8mBF8jHrqTFoKbt6QZ7GGX+U
+tFE5A3+y3qcym7RHjm+0Sq7lr7HcsBthvJly3uSJt3omXdozSVtSnA71iq3DuD3o
+BmrC1SoLbHuEvVYFy4ZlkuxEK7COudxwC0barbxjiDn622r+I/q85Ej0ZytqERAh
+SQIDAQABo4GRMIGOMAwGA1UdEwQFMAMBAf8wTwYDVR0gBEgwRjBEBgRVHSAAMDww
+OgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cucGtpb3ZlcmhlaWQubmwvcG9saWNpZXMv
+cm9vdC1wb2xpY3kwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSofeu8Y6R0E3QA
+7Jbg0zTBLL9s+DANBgkqhkiG9w0BAQUFAAOCAQEABYSHVXQ2YcG70dTGFagTtJ+k
+/rvuFbQvBgwp8qiSpGEN/KtcCFtREytNwiphyPgJWPwtArI5fZlmgb9uXJVFIGzm
+eafR2Bwp/MIgJ1HI8XxdNGdphREwxgDS1/PTfLbwMVcoEoJz6TMvplW0C5GUR5z6
+u3pCMuiufi3IvKwUv9kP2Vv8wfl6leF9fpb8cbDCTMjfRTTJzg3ynGQI0DvDKcWy
+7ZAEwbEpkcUwb8GpcjPM/l0WFywRaed+/sWDCN+83CI6LiBpIzlWYGeQiy52OfsR
+iJf2fL1LuCAWZwWN4jvBcj+UlTfHXbme2JOhF4//DGYVwSR8MnwDHTuhWEUykw==
+-----END CERTIFICATE-----
+
+# Issuer: O=TDC Internet OU=TDC Internet Root CA
+# Subject: O=TDC Internet OU=TDC Internet Root CA
+# Label: "TDC Internet Root CA"
+# Serial: 986490188
+# MD5 Fingerprint: 91:f4:03:55:20:a1:f8:63:2c:62:de:ac:fb:61:1c:8e
+# SHA1 Fingerprint: 21:fc:bd:8e:7f:6c:af:05:1b:d1:b3:43:ec:a8:e7:61:47:f2:0f:8a
+# SHA256 Fingerprint: 48:98:c6:88:8c:0c:ff:b0:d3:e3:1a:ca:8a:37:d4:e3:51:5f:f7:46:d0:26:35:d8:66:46:cf:a0:a3:18:5a:e7
+-----BEGIN CERTIFICATE-----
+MIIEKzCCAxOgAwIBAgIEOsylTDANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJE
+SzEVMBMGA1UEChMMVERDIEludGVybmV0MR0wGwYDVQQLExRUREMgSW50ZXJuZXQg
+Um9vdCBDQTAeFw0wMTA0MDUxNjMzMTdaFw0yMTA0MDUxNzAzMTdaMEMxCzAJBgNV
+BAYTAkRLMRUwEwYDVQQKEwxUREMgSW50ZXJuZXQxHTAbBgNVBAsTFFREQyBJbnRl
+cm5ldCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxLhA
+vJHVYx/XmaCLDEAedLdInUaMArLgJF/wGROnN4NrXceO+YQwzho7+vvOi20jxsNu
+Zp+Jpd/gQlBn+h9sHvTQBda/ytZO5GhgbEaqHF1j4QeGDmUApy6mcca8uYGoOn0a
+0vnRrEvLznWv3Hv6gXPU/Lq9QYjUdLP5Xjg6PEOo0pVOd20TDJ2PeAG3WiAfAzc1
+4izbSysseLlJ28TQx5yc5IogCSEWVmb/Bexb4/DPqyQkXsN/cHoSxNK1EKC2IeGN
+eGlVRGn1ypYcNIUXJXfi9i8nmHj9eQY6otZaQ8H/7AQ77hPv01ha/5Lr7K7a8jcD
+R0G2l8ktCkEiu7vmpwIDAQABo4IBJTCCASEwEQYJYIZIAYb4QgEBBAQDAgAHMGUG
+A1UdHwReMFwwWqBYoFakVDBSMQswCQYDVQQGEwJESzEVMBMGA1UEChMMVERDIElu
+dGVybmV0MR0wGwYDVQQLExRUREMgSW50ZXJuZXQgUm9vdCBDQTENMAsGA1UEAxME
+Q1JMMTArBgNVHRAEJDAigA8yMDAxMDQwNTE2MzMxN1qBDzIwMjEwNDA1MTcwMzE3
+WjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUbGQBx/2FbazI2p5QCIUItTxWqFAw
+HQYDVR0OBBYEFGxkAcf9hW2syNqeUAiFCLU8VqhQMAwGA1UdEwQFMAMBAf8wHQYJ
+KoZIhvZ9B0EABBAwDhsIVjUuMDo0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4IBAQBO
+Q8zR3R0QGwZ/t6T609lN+yOfI1Rb5osvBCiLtSdtiaHsmGnc540mgwV5dOy0uaOX
+wTUA/RXaOYE6lTGQ3pfphqiZdwzlWqCE/xIWrG64jcN7ksKsLtB9KOy282A4aW8+
+2ARVPp7MVdK6/rtHBNcK2RYKNCn1WBPVT8+PVkuzHu7TmHnaCB4Mb7j4Fifvwm89
+9qNLPg7kbWzbO0ESm70NRyN/PErQr8Cv9u8btRXE64PECV90i9kR+8JWsTz4cMo0
+jUNAE4z9mQNUecYu6oah9jrUCbz0vGbMPVjQV0kK7iXiQe4T+Zs4NNEA9X7nlB38
+aQNiuJkFBT1reBK9sG9l
+-----END CERTIFICATE-----
+
+# Issuer: CN=UTN - DATACorp SGC O=The USERTRUST Network OU=http://www.usertrust.com
+# Subject: CN=UTN - DATACorp SGC O=The USERTRUST Network OU=http://www.usertrust.com
+# Label: "UTN DATACorp SGC Root CA"
+# Serial: 91374294542884689855167577680241077609
+# MD5 Fingerprint: b3:a5:3e:77:21:6d:ac:4a:c0:c9:fb:d5:41:3d:ca:06
+# SHA1 Fingerprint: 58:11:9f:0e:12:82:87:ea:50:fd:d9:87:45:6f:4f:78:dc:fa:d6:d4
+# SHA256 Fingerprint: 85:fb:2f:91:dd:12:27:5a:01:45:b6:36:53:4f:84:02:4a:d6:8b:69:b8:ee:88:68:4f:f7:11:37:58:05:b3:48
+-----BEGIN CERTIFICATE-----
+MIIEXjCCA0agAwIBAgIQRL4Mi1AAIbQR0ypoBqmtaTANBgkqhkiG9w0BAQUFADCB
+kzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
+Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
+dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xGzAZBgNVBAMTElVUTiAtIERBVEFDb3Jw
+IFNHQzAeFw05OTA2MjQxODU3MjFaFw0xOTA2MjQxOTA2MzBaMIGTMQswCQYDVQQG
+EwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYD
+VQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cu
+dXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNvcnAgU0dDMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3+5YEKIrblXEjr8uRgnn4AgPLit6
+E5Qbvfa2gI5lBZMAHryv4g+OGQ0SR+ysraP6LnD43m77VkIVni5c7yPeIbkFdicZ
+D0/Ww5y0vpQZY/KmEQrrU0icvvIpOxboGqBMpsn0GFlowHDyUwDAXlCCpVZvNvlK
+4ESGoE1O1kduSUrLZ9emxAW5jh70/P/N5zbgnAVssjMiFdC04MwXwLLA9P4yPykq
+lXvY8qdOD1R8oQ2AswkDwf9c3V6aPryuvEeKaq5xyh+xKrhfQgUL7EYw0XILyulW
+bfXv33i+Ybqypa4ETLyorGkVl73v67SMvzX41MPRKA5cOp9wGDMgd8SirwIDAQAB
+o4GrMIGoMAsGA1UdDwQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRT
+MtGzz3/64PGgXYVOktKeRR20TzA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3Js
+LnVzZXJ0cnVzdC5jb20vVVROLURBVEFDb3JwU0dDLmNybDAqBgNVHSUEIzAhBggr
+BgEFBQcDAQYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMA0GCSqGSIb3DQEBBQUAA4IB
+AQAnNZcAiosovcYzMB4p/OL31ZjUQLtgyr+rFywJNn9Q+kHcrpY6CiM+iVnJowft
+Gzet/Hy+UUla3joKVAgWRcKZsYfNjGjgaQPpxE6YsjuMFrMOoAyYUJuTqXAJyCyj
+j98C5OBxOvG0I3KgqgHf35g+FFCgMSa9KOlaMCZ1+XtgHI3zzVAmbQQnmt/VDUVH
+KWss5nbZqSl9Mt3JNjy9rjXxEZ4du5A/EkdOjtd+D2JzHVImOBwYSf0wdJrE5SIv
+2MCN7ZF6TACPcn9d2t0bi0Vr591pl6jFVkwPDPafepE39peC4N1xaf92P2BNPM/3
+mfnGV/TJVTl4uix5yaaIK/QI
+-----END CERTIFICATE-----
+
+# Issuer: CN=UTN-USERFirst-Hardware O=The USERTRUST Network OU=http://www.usertrust.com
+# Subject: CN=UTN-USERFirst-Hardware O=The USERTRUST Network OU=http://www.usertrust.com
+# Label: "UTN USERFirst Hardware Root CA"
+# Serial: 91374294542884704022267039221184531197
+# MD5 Fingerprint: 4c:56:41:e5:0d:bb:2b:e8:ca:a3:ed:18:08:ad:43:39
+# SHA1 Fingerprint: 04:83:ed:33:99:ac:36:08:05:87:22:ed:bc:5e:46:00:e3:be:f9:d7
+# SHA256 Fingerprint: 6e:a5:47:41:d0:04:66:7e:ed:1b:48:16:63:4a:a3:a7:9e:6e:4b:96:95:0f:82:79:da:fc:8d:9b:d8:81:21:37
+-----BEGIN CERTIFICATE-----
+MIIEdDCCA1ygAwIBAgIQRL4Mi1AAJLQR0zYq/mUK/TANBgkqhkiG9w0BAQUFADCB
+lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
+Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
+dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
+SGFyZHdhcmUwHhcNOTkwNzA5MTgxMDQyWhcNMTkwNzA5MTgxOTIyWjCBlzELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe
+MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8v
+d3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3QtSGFyZHdh
+cmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx98M4P7Sof885glFn
+0G2f0v9Y8+efK+wNiVSZuTiZFvfgIXlIwrthdBKWHTxqctU8EGc6Oe0rE81m65UJ
+M6Rsl7HoxuzBdXmcRl6Nq9Bq/bkqVRcQVLMZ8Jr28bFdtqdt++BxF2uiiPsA3/4a
+MXcMmgF6sTLjKwEHOG7DpV4jvEWbe1DByTCP2+UretNb+zNAHqDVmBe8i4fDidNd
+oI6yqqr2jmmIBsX6iSHzCJ1pLgkzmykNRg+MzEk0sGlRvfkGzWitZky8PqxhvQqI
+DsjfPe58BEydCl5rkdbux+0ojatNh4lz0G6k0B4WixThdkQDf2Os5M1JnMWS9Ksy
+oUhbAgMBAAGjgbkwgbYwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
+VR0OBBYEFKFyXyYbKJhDlV0HN9WFlp1L0sNFMEQGA1UdHwQ9MDswOaA3oDWGM2h0
+dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0LUhhcmR3YXJlLmNy
+bDAxBgNVHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMGBggrBgEF
+BQcDBzANBgkqhkiG9w0BAQUFAAOCAQEARxkP3nTGmZev/K0oXnWO6y1n7k57K9cM
+//bey1WiCuFMVGWTYGufEpytXoMs61quwOQt9ABjHbjAbPLPSbtNk28Gpgoiskli
+CE7/yMgUsogWXecB5BKV5UU0s4tpvc+0hY91UZ59Ojg6FEgSxvunOxqNDYJAB+gE
+CJChicsZUN/KHAG8HQQZexB2lzvukJDKxA4fFm517zP4029bHpbj4HR3dHuKom4t
+3XbWOTCC8KucUvIqx69JXn7HaOWCgchqJ/kniCrVWFCVH/A7HFe7fRQ5YiuayZSS
+KqMiDP+JJn1fIytH1xUdqWqeUQ0qUZ6B+dQ7XnASfxAynB67nfhmqA==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Chambers of Commerce Root O=AC Camerfirma SA CIF A82743287 OU=http://www.chambersign.org
+# Subject: CN=Chambers of Commerce Root O=AC Camerfirma SA CIF A82743287 OU=http://www.chambersign.org
+# Label: "Camerfirma Chambers of Commerce Root"
+# Serial: 0
+# MD5 Fingerprint: b0:01:ee:14:d9:af:29:18:94:76:8e:f1:69:33:2a:84
+# SHA1 Fingerprint: 6e:3a:55:a4:19:0c:19:5c:93:84:3c:c0:db:72:2e:31:30:61:f0:b1
+# SHA256 Fingerprint: 0c:25:8a:12:a5:67:4a:ef:25:f2:8b:a7:dc:fa:ec:ee:a3:48:e5:41:e6:f5:cc:4e:e6:3b:71:b3:61:60:6a:c3
+-----BEGIN CERTIFICATE-----
+MIIEvTCCA6WgAwIBAgIBADANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJFVTEn
+MCUGA1UEChMeQUMgQ2FtZXJmaXJtYSBTQSBDSUYgQTgyNzQzMjg3MSMwIQYDVQQL
+ExpodHRwOi8vd3d3LmNoYW1iZXJzaWduLm9yZzEiMCAGA1UEAxMZQ2hhbWJlcnMg
+b2YgQ29tbWVyY2UgUm9vdDAeFw0wMzA5MzAxNjEzNDNaFw0zNzA5MzAxNjEzNDRa
+MH8xCzAJBgNVBAYTAkVVMScwJQYDVQQKEx5BQyBDYW1lcmZpcm1hIFNBIENJRiBB
+ODI3NDMyODcxIzAhBgNVBAsTGmh0dHA6Ly93d3cuY2hhbWJlcnNpZ24ub3JnMSIw
+IAYDVQQDExlDaGFtYmVycyBvZiBDb21tZXJjZSBSb290MIIBIDANBgkqhkiG9w0B
+AQEFAAOCAQ0AMIIBCAKCAQEAtzZV5aVdGDDg2olUkfzIx1L4L1DZ77F1c2VHfRtb
+unXF/KGIJPov7coISjlUxFF6tdpg6jg8gbLL8bvZkSM/SAFwdakFKq0fcfPJVD0d
+BmpAPrMMhe5cG3nCYsS4No41XQEMIwRHNaqbYE6gZj3LJgqcQKH0XZi/caulAGgq
+7YN6D6IUtdQis4CwPAxaUWktWBiP7Zme8a7ileb2R6jWDA+wWFjbw2Y3npuRVDM3
+0pQcakjJyfKl2qUMI/cjDpwyVV5xnIQFUZot/eZOKjRa3spAN2cMVCFVd9oKDMyX
+roDclDZK9D7ONhMeU+SsTjoF7Nuucpw4i9A5O4kKPnf+dQIBA6OCAUQwggFAMBIG
+A1UdEwEB/wQIMAYBAf8CAQwwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5j
+aGFtYmVyc2lnbi5vcmcvY2hhbWJlcnNyb290LmNybDAdBgNVHQ4EFgQU45T1sU3p
+26EpW1eLTXYGduHRooowDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIA
+BzAnBgNVHREEIDAegRxjaGFtYmVyc3Jvb3RAY2hhbWJlcnNpZ24ub3JnMCcGA1Ud
+EgQgMB6BHGNoYW1iZXJzcm9vdEBjaGFtYmVyc2lnbi5vcmcwWAYDVR0gBFEwTzBN
+BgsrBgEEAYGHLgoDATA+MDwGCCsGAQUFBwIBFjBodHRwOi8vY3BzLmNoYW1iZXJz
+aWduLm9yZy9jcHMvY2hhbWJlcnNyb290Lmh0bWwwDQYJKoZIhvcNAQEFBQADggEB
+AAxBl8IahsAifJ/7kPMa0QOx7xP5IV8EnNrJpY0nbJaHkb5BkAFyk+cefV/2icZd
+p0AJPaxJRUXcLo0waLIJuvvDL8y6C98/d3tGfToSJI6WjzwFCm/SlCgdbQzALogi
+1djPHRPH8EjX1wWnz8dHnjs8NMiAT9QUu/wNUPf6s+xCX6ndbcj0dc97wXImsQEc
+XCz9ek60AcUFV7nnPKoF2YjpB0ZBzu9Bga5Y34OirsrXdx/nADydb47kMgkdTXg0
+eDQ8lJsm7U9xxhl6vSAiSFr+S30Dt+dYvsYyTnQeaN2oaFuzPu5ifdmA6Ap1erfu
+tGWaIZDgqtCYvDi1czyL+Nw=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Global Chambersign Root O=AC Camerfirma SA CIF A82743287 OU=http://www.chambersign.org
+# Subject: CN=Global Chambersign Root O=AC Camerfirma SA CIF A82743287 OU=http://www.chambersign.org
+# Label: "Camerfirma Global Chambersign Root"
+# Serial: 0
+# MD5 Fingerprint: c5:e6:7b:bf:06:d0:4f:43:ed:c4:7a:65:8a:fb:6b:19
+# SHA1 Fingerprint: 33:9b:6b:14:50:24:9b:55:7a:01:87:72:84:d9:e0:2f:c3:d2:d8:e9
+# SHA256 Fingerprint: ef:3c:b4:17:fc:8e:bf:6f:97:87:6c:9e:4e:ce:39:de:1e:a5:fe:64:91:41:d1:02:8b:7d:11:c0:b2:29:8c:ed
+-----BEGIN CERTIFICATE-----
+MIIExTCCA62gAwIBAgIBADANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFVTEn
+MCUGA1UEChMeQUMgQ2FtZXJmaXJtYSBTQSBDSUYgQTgyNzQzMjg3MSMwIQYDVQQL
+ExpodHRwOi8vd3d3LmNoYW1iZXJzaWduLm9yZzEgMB4GA1UEAxMXR2xvYmFsIENo
+YW1iZXJzaWduIFJvb3QwHhcNMDMwOTMwMTYxNDE4WhcNMzcwOTMwMTYxNDE4WjB9
+MQswCQYDVQQGEwJFVTEnMCUGA1UEChMeQUMgQ2FtZXJmaXJtYSBTQSBDSUYgQTgy
+NzQzMjg3MSMwIQYDVQQLExpodHRwOi8vd3d3LmNoYW1iZXJzaWduLm9yZzEgMB4G
+A1UEAxMXR2xvYmFsIENoYW1iZXJzaWduIFJvb3QwggEgMA0GCSqGSIb3DQEBAQUA
+A4IBDQAwggEIAoIBAQCicKLQn0KuWxfH2H3PFIP8T8mhtxOviteePgQKkotgVvq0
+Mi+ITaFgCPS3CU6gSS9J1tPfnZdan5QEcOw/Wdm3zGaLmFIoCQLfxS+EjXqXd7/s
+QJ0lcqu1PzKY+7e3/HKE5TWH+VX6ox8Oby4o3Wmg2UIQxvi1RMLQQ3/bvOSiPGpV
+eAp3qdjqGTK3L/5cPxvusZjsyq16aUXjlg9V9ubtdepl6DJWk0aJqCWKZQbua795
+B9Dxt6/tLE2Su8CoX6dnfQTyFQhwrJLWfQTSM/tMtgsL+xrJxI0DqX5c8lCrEqWh
+z0hQpe/SyBoT+rB/sYIcd2oPX9wLlY/vQ37mRQklAgEDo4IBUDCCAUwwEgYDVR0T
+AQH/BAgwBgEB/wIBDDA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmNoYW1i
+ZXJzaWduLm9yZy9jaGFtYmVyc2lnbnJvb3QuY3JsMB0GA1UdDgQWBBRDnDafsJ4w
+TcbOX60Qq+UDpfqpFDAOBgNVHQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgAH
+MCoGA1UdEQQjMCGBH2NoYW1iZXJzaWducm9vdEBjaGFtYmVyc2lnbi5vcmcwKgYD
+VR0SBCMwIYEfY2hhbWJlcnNpZ25yb290QGNoYW1iZXJzaWduLm9yZzBbBgNVHSAE
+VDBSMFAGCysGAQQBgYcuCgEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly9jcHMuY2hh
+bWJlcnNpZ24ub3JnL2Nwcy9jaGFtYmVyc2lnbnJvb3QuaHRtbDANBgkqhkiG9w0B
+AQUFAAOCAQEAPDtwkfkEVCeR4e3t/mh/YV3lQWVPMvEYBZRqHN4fcNs+ezICNLUM
+bKGKfKX0j//U2K0X1S0E0T9YgOKBWYi+wONGkyT+kL0mojAt6JcmVzWJdJYY9hXi
+ryQZVgICsroPFOrGimbBhkVVi76SvpykBMdJPJ7oKXqJ1/6v/2j1pReQvayZzKWG
+VwlnRtvWFsJG8eSpUPWP0ZIV018+xgBJOm5YstHRJw0lyDL4IBHNfTIzSJRUTN3c
+ecQwn+uOuFW114hcxWokPbLTBQNRxgfvzBRydD1ucs4YKIxKoHflCStFREest2d/
+AYoFWpO+ocH/+OcOZ6RHSXZddZAa9SaP8A==
+-----END CERTIFICATE-----
+
+# Issuer: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado O=NetLock Halozatbiztonsagi Kft. OU=Tanusitvanykiadok
+# Subject: CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado O=NetLock Halozatbiztonsagi Kft. OU=Tanusitvanykiadok
+# Label: "NetLock Notary (Class A) Root"
+# Serial: 259
+# MD5 Fingerprint: 86:38:6d:5e:49:63:6c:85:5c:db:6d:dc:94:b7:d0:f7
+# SHA1 Fingerprint: ac:ed:5f:65:53:fd:25:ce:01:5f:1f:7a:48:3b:6a:74:9f:61:78:c6
+# SHA256 Fingerprint: 7f:12:cd:5f:7e:5e:29:0e:c7:d8:51:79:d5:b7:2c:20:a5:be:75:08:ff:db:5b:f8:1a:b9:68:4a:7f:c9:f6:67
+-----BEGIN CERTIFICATE-----
+MIIGfTCCBWWgAwIBAgICAQMwDQYJKoZIhvcNAQEEBQAwga8xCzAJBgNVBAYTAkhV
+MRAwDgYDVQQIEwdIdW5nYXJ5MREwDwYDVQQHEwhCdWRhcGVzdDEnMCUGA1UEChMe
+TmV0TG9jayBIYWxvemF0Yml6dG9uc2FnaSBLZnQuMRowGAYDVQQLExFUYW51c2l0
+dmFueWtpYWRvazE2MDQGA1UEAxMtTmV0TG9jayBLb3pqZWd5em9pIChDbGFzcyBB
+KSBUYW51c2l0dmFueWtpYWRvMB4XDTk5MDIyNDIzMTQ0N1oXDTE5MDIxOTIzMTQ0
+N1owga8xCzAJBgNVBAYTAkhVMRAwDgYDVQQIEwdIdW5nYXJ5MREwDwYDVQQHEwhC
+dWRhcGVzdDEnMCUGA1UEChMeTmV0TG9jayBIYWxvemF0Yml6dG9uc2FnaSBLZnQu
+MRowGAYDVQQLExFUYW51c2l0dmFueWtpYWRvazE2MDQGA1UEAxMtTmV0TG9jayBL
+b3pqZWd5em9pIChDbGFzcyBBKSBUYW51c2l0dmFueWtpYWRvMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvHSMD7tM9DceqQWC2ObhbHDqeLVu0ThEDaiD
+zl3S1tWBxdRL51uUcCbbO51qTGL3cfNk1mE7PetzozfZz+qMkjvN9wfcZnSX9EUi
+3fRc4L9t875lM+QVOr/bmJBVOMTtplVjC7B4BPTjbsE/jvxReB+SnoPC/tmwqcm8
+WgD/qaiYdPv2LD4VOQ22BFWoDpggQrOxJa1+mm9dU7GrDPzr4PN6s6iz/0b2Y6LY
+Oph7tqyF/7AlT3Rj5xMHpQqPBffAZG9+pyeAlt7ULoZgx2srXnN7F+eRP2QM2Esi
+NCubMvJIH5+hCoR64sKtlz2O1cH5VqNQ6ca0+pii7pXmKgOM3wIDAQABo4ICnzCC
+ApswDgYDVR0PAQH/BAQDAgAGMBIGA1UdEwEB/wQIMAYBAf8CAQQwEQYJYIZIAYb4
+QgEBBAQDAgAHMIICYAYJYIZIAYb4QgENBIICURaCAk1GSUdZRUxFTSEgRXplbiB0
+YW51c2l0dmFueSBhIE5ldExvY2sgS2Z0LiBBbHRhbGFub3MgU3pvbGdhbHRhdGFz
+aSBGZWx0ZXRlbGVpYmVuIGxlaXJ0IGVsamFyYXNvayBhbGFwamFuIGtlc3p1bHQu
+IEEgaGl0ZWxlc2l0ZXMgZm9seWFtYXRhdCBhIE5ldExvY2sgS2Z0LiB0ZXJtZWtm
+ZWxlbG9zc2VnLWJpenRvc2l0YXNhIHZlZGkuIEEgZGlnaXRhbGlzIGFsYWlyYXMg
+ZWxmb2dhZGFzYW5hayBmZWx0ZXRlbGUgYXogZWxvaXJ0IGVsbGVub3J6ZXNpIGVs
+amFyYXMgbWVndGV0ZWxlLiBBeiBlbGphcmFzIGxlaXJhc2EgbWVndGFsYWxoYXRv
+IGEgTmV0TG9jayBLZnQuIEludGVybmV0IGhvbmxhcGphbiBhIGh0dHBzOi8vd3d3
+Lm5ldGxvY2submV0L2RvY3MgY2ltZW4gdmFneSBrZXJoZXRvIGF6IGVsbGVub3J6
+ZXNAbmV0bG9jay5uZXQgZS1tYWlsIGNpbWVuLiBJTVBPUlRBTlQhIFRoZSBpc3N1
+YW5jZSBhbmQgdGhlIHVzZSBvZiB0aGlzIGNlcnRpZmljYXRlIGlzIHN1YmplY3Qg
+dG8gdGhlIE5ldExvY2sgQ1BTIGF2YWlsYWJsZSBhdCBodHRwczovL3d3dy5uZXRs
+b2NrLm5ldC9kb2NzIG9yIGJ5IGUtbWFpbCBhdCBjcHNAbmV0bG9jay5uZXQuMA0G
+CSqGSIb3DQEBBAUAA4IBAQBIJEb3ulZv+sgoA0BO5TE5ayZrU3/b39/zcT0mwBQO
+xmd7I6gMc90Bu8bKbjc5VdXHjFYgDigKDtIqpLBJUsY4B/6+CgmM0ZjPytoUMaFP
+0jn8DxEsQ8Pdq5PHVT5HfBgaANzze9jyf1JsIPQLX2lS9O74silg6+NJMSEN1rUQ
+QeJBCWziGppWS3cC9qCbmieH6FUpccKQn0V4GuEVZD3QDtigdp+uxdAu6tYPVuxk
+f1qbFFgBJ34TUMdrKuZoPL9coAob4Q566eKAw+np9v1sEZ7Q5SgnK1QyQhSCdeZK
+8CtmdWOMovsEPoMOmzbwGOQmIMOM8CgHrTwXZoi1/baI
+-----END CERTIFICATE-----
+
+# Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado O=NetLock Halozatbiztonsagi Kft. OU=Tanusitvanykiadok
+# Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado O=NetLock Halozatbiztonsagi Kft. OU=Tanusitvanykiadok
+# Label: "NetLock Business (Class B) Root"
+# Serial: 105
+# MD5 Fingerprint: 39:16:aa:b9:6a:41:e1:14:69:df:9e:6c:3b:72:dc:b6
+# SHA1 Fingerprint: 87:9f:4b:ee:05:df:98:58:3b:e3:60:d6:33:e7:0d:3f:fe:98:71:af
+# SHA256 Fingerprint: 39:df:7b:68:2b:7b:93:8f:84:71:54:81:cc:de:8d:60:d8:f2:2e:c5:98:87:7d:0a:aa:c1:2b:59:18:2b:03:12
+-----BEGIN CERTIFICATE-----
+MIIFSzCCBLSgAwIBAgIBaTANBgkqhkiG9w0BAQQFADCBmTELMAkGA1UEBhMCSFUx
+ETAPBgNVBAcTCEJ1ZGFwZXN0MScwJQYDVQQKEx5OZXRMb2NrIEhhbG96YXRiaXp0
+b25zYWdpIEtmdC4xGjAYBgNVBAsTEVRhbnVzaXR2YW55a2lhZG9rMTIwMAYDVQQD
+EylOZXRMb2NrIFV6bGV0aSAoQ2xhc3MgQikgVGFudXNpdHZhbnlraWFkbzAeFw05
+OTAyMjUxNDEwMjJaFw0xOTAyMjAxNDEwMjJaMIGZMQswCQYDVQQGEwJIVTERMA8G
+A1UEBxMIQnVkYXBlc3QxJzAlBgNVBAoTHk5ldExvY2sgSGFsb3phdGJpenRvbnNh
+Z2kgS2Z0LjEaMBgGA1UECxMRVGFudXNpdHZhbnlraWFkb2sxMjAwBgNVBAMTKU5l
+dExvY2sgVXpsZXRpIChDbGFzcyBCKSBUYW51c2l0dmFueWtpYWRvMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQCx6gTsIKAjwo84YM/HRrPVG/77uZmeBNwcf4xK
+gZjupNTKihe5In+DCnVMm8Bp2GQ5o+2So/1bXHQawEfKOml2mrriRBf8TKPV/riX
+iK+IA4kfpPIEPsgHC+b5sy96YhQJRhTKZPWLgLViqNhr1nGTLbO/CVRY7QbrqHvc
+Q7GhaQIDAQABo4ICnzCCApswEgYDVR0TAQH/BAgwBgEB/wIBBDAOBgNVHQ8BAf8E
+BAMCAAYwEQYJYIZIAYb4QgEBBAQDAgAHMIICYAYJYIZIAYb4QgENBIICURaCAk1G
+SUdZRUxFTSEgRXplbiB0YW51c2l0dmFueSBhIE5ldExvY2sgS2Z0LiBBbHRhbGFu
+b3MgU3pvbGdhbHRhdGFzaSBGZWx0ZXRlbGVpYmVuIGxlaXJ0IGVsamFyYXNvayBh
+bGFwamFuIGtlc3p1bHQuIEEgaGl0ZWxlc2l0ZXMgZm9seWFtYXRhdCBhIE5ldExv
+Y2sgS2Z0LiB0ZXJtZWtmZWxlbG9zc2VnLWJpenRvc2l0YXNhIHZlZGkuIEEgZGln
+aXRhbGlzIGFsYWlyYXMgZWxmb2dhZGFzYW5hayBmZWx0ZXRlbGUgYXogZWxvaXJ0
+IGVsbGVub3J6ZXNpIGVsamFyYXMgbWVndGV0ZWxlLiBBeiBlbGphcmFzIGxlaXJh
+c2EgbWVndGFsYWxoYXRvIGEgTmV0TG9jayBLZnQuIEludGVybmV0IGhvbmxhcGph
+biBhIGh0dHBzOi8vd3d3Lm5ldGxvY2submV0L2RvY3MgY2ltZW4gdmFneSBrZXJo
+ZXRvIGF6IGVsbGVub3J6ZXNAbmV0bG9jay5uZXQgZS1tYWlsIGNpbWVuLiBJTVBP
+UlRBTlQhIFRoZSBpc3N1YW5jZSBhbmQgdGhlIHVzZSBvZiB0aGlzIGNlcnRpZmlj
+YXRlIGlzIHN1YmplY3QgdG8gdGhlIE5ldExvY2sgQ1BTIGF2YWlsYWJsZSBhdCBo
+dHRwczovL3d3dy5uZXRsb2NrLm5ldC9kb2NzIG9yIGJ5IGUtbWFpbCBhdCBjcHNA
+bmV0bG9jay5uZXQuMA0GCSqGSIb3DQEBBAUAA4GBAATbrowXr/gOkDFOzT4JwG06
+sPgzTEdM43WIEJessDgVkcYplswhwG08pXTP2IKlOcNl40JwuyKQ433bNXbhoLXa
+n3BukxowOR0w2y7jfLKRstE3Kfq51hdcR0/jHTjrn9V7lagonhVK0dHQKwCXoOKS
+NitjrFgBazMpUIaD8QFI
+-----END CERTIFICATE-----
+
+# Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado O=NetLock Halozatbiztonsagi Kft. OU=Tanusitvanykiadok
+# Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado O=NetLock Halozatbiztonsagi Kft. OU=Tanusitvanykiadok
+# Label: "NetLock Express (Class C) Root"
+# Serial: 104
+# MD5 Fingerprint: 4f:eb:f1:f0:70:c2:80:63:5d:58:9f:da:12:3c:a9:c4
+# SHA1 Fingerprint: e3:92:51:2f:0a:cf:f5:05:df:f6:de:06:7f:75:37:e1:65:ea:57:4b
+# SHA256 Fingerprint: 0b:5e:ed:4e:84:64:03:cf:55:e0:65:84:84:40:ed:2a:82:75:8b:f5:b9:aa:1f:25:3d:46:13:cf:a0:80:ff:3f
+-----BEGIN CERTIFICATE-----
+MIIFTzCCBLigAwIBAgIBaDANBgkqhkiG9w0BAQQFADCBmzELMAkGA1UEBhMCSFUx
+ETAPBgNVBAcTCEJ1ZGFwZXN0MScwJQYDVQQKEx5OZXRMb2NrIEhhbG96YXRiaXp0
+b25zYWdpIEtmdC4xGjAYBgNVBAsTEVRhbnVzaXR2YW55a2lhZG9rMTQwMgYDVQQD
+EytOZXRMb2NrIEV4cHJlc3N6IChDbGFzcyBDKSBUYW51c2l0dmFueWtpYWRvMB4X
+DTk5MDIyNTE0MDgxMVoXDTE5MDIyMDE0MDgxMVowgZsxCzAJBgNVBAYTAkhVMREw
+DwYDVQQHEwhCdWRhcGVzdDEnMCUGA1UEChMeTmV0TG9jayBIYWxvemF0Yml6dG9u
+c2FnaSBLZnQuMRowGAYDVQQLExFUYW51c2l0dmFueWtpYWRvazE0MDIGA1UEAxMr
+TmV0TG9jayBFeHByZXNzeiAoQ2xhc3MgQykgVGFudXNpdHZhbnlraWFkbzCBnzAN
+BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6+ywbGGKIyWvYCDj2Z/8kwvbXY2wobNA
+OoLO/XXgeDIDhlqGlZHtU/qdQPzm6N3ZW3oDvV3zOwzDUXmbrVWg6dADEK8KuhRC
+2VImESLH0iDMgqSaqf64gXadarfSNnU+sYYJ9m5tfk63euyucYT2BDMIJTLrdKwW
+RMbkQJMdf60CAwEAAaOCAp8wggKbMBIGA1UdEwEB/wQIMAYBAf8CAQQwDgYDVR0P
+AQH/BAQDAgAGMBEGCWCGSAGG+EIBAQQEAwIABzCCAmAGCWCGSAGG+EIBDQSCAlEW
+ggJNRklHWUVMRU0hIEV6ZW4gdGFudXNpdHZhbnkgYSBOZXRMb2NrIEtmdC4gQWx0
+YWxhbm9zIFN6b2xnYWx0YXRhc2kgRmVsdGV0ZWxlaWJlbiBsZWlydCBlbGphcmFz
+b2sgYWxhcGphbiBrZXN6dWx0LiBBIGhpdGVsZXNpdGVzIGZvbHlhbWF0YXQgYSBO
+ZXRMb2NrIEtmdC4gdGVybWVrZmVsZWxvc3NlZy1iaXp0b3NpdGFzYSB2ZWRpLiBB
+IGRpZ2l0YWxpcyBhbGFpcmFzIGVsZm9nYWRhc2FuYWsgZmVsdGV0ZWxlIGF6IGVs
+b2lydCBlbGxlbm9yemVzaSBlbGphcmFzIG1lZ3RldGVsZS4gQXogZWxqYXJhcyBs
+ZWlyYXNhIG1lZ3RhbGFsaGF0byBhIE5ldExvY2sgS2Z0LiBJbnRlcm5ldCBob25s
+YXBqYW4gYSBodHRwczovL3d3dy5uZXRsb2NrLm5ldC9kb2NzIGNpbWVuIHZhZ3kg
+a2VyaGV0byBheiBlbGxlbm9yemVzQG5ldGxvY2submV0IGUtbWFpbCBjaW1lbi4g
+SU1QT1JUQU5UISBUaGUgaXNzdWFuY2UgYW5kIHRoZSB1c2Ugb2YgdGhpcyBjZXJ0
+aWZpY2F0ZSBpcyBzdWJqZWN0IHRvIHRoZSBOZXRMb2NrIENQUyBhdmFpbGFibGUg
+YXQgaHR0cHM6Ly93d3cubmV0bG9jay5uZXQvZG9jcyBvciBieSBlLW1haWwgYXQg
+Y3BzQG5ldGxvY2submV0LjANBgkqhkiG9w0BAQQFAAOBgQAQrX/XDDKACtiG8XmY
+ta3UzbM2xJZIwVzNmtkFLp++UOv0JhQQLdRmF/iewSf98e3ke0ugbLWrmldwpu2g
+pO0u9f38vf5NNwgMvOOWgyL1SRt/Syu0VMGAfJlOHdCM7tCs5ZL6dVb+ZKATj7i4
+Fp1hBWeAyNDYpQcCNJgEjTME1A==
+-----END CERTIFICATE-----
+
+# Issuer: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
+# Subject: CN=XRamp Global Certification Authority O=XRamp Security Services Inc OU=www.xrampsecurity.com
+# Label: "XRamp Global CA Root"
+# Serial: 107108908803651509692980124233745014957
+# MD5 Fingerprint: a1:0b:44:b3:ca:10:d8:00:6e:9d:0f:d8:0f:92:0a:d1
+# SHA1 Fingerprint: b8:01:86:d1:eb:9c:86:a5:41:04:cf:30:54:f3:4c:52:b7:e5:58:c6
+# SHA256 Fingerprint: ce:cd:dc:90:50:99:d8:da:df:c5:b1:d2:09:b7:37:cb:e2:c1:8c:fb:2c:10:c0:ff:0b:cf:0d:32:86:fc:1a:a2
+-----BEGIN CERTIFICATE-----
+MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
+gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
+MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
+UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx
+NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3
+dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy
+dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB
+dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6
+38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP
+KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q
+DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4
+qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa
+JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi
+PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
+BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs
+jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0
+eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD
+ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR
+vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt
+qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa
+IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
+i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
+O+7ETPTsJ3xCwnR8gooJybQDJbw=
+-----END CERTIFICATE-----
+
+# Issuer: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
+# Subject: O=The Go Daddy Group, Inc. OU=Go Daddy Class 2 Certification Authority
+# Label: "Go Daddy Class 2 CA"
+# Serial: 0
+# MD5 Fingerprint: 91:de:06:25:ab:da:fd:32:17:0c:bb:25:17:2a:84:67
+# SHA1 Fingerprint: 27:96:ba:e6:3f:18:01:e2:77:26:1b:a0:d7:77:70:02:8f:20:ee:e4
+# SHA256 Fingerprint: c3:84:6b:f2:4b:9e:93:ca:64:27:4c:0e:c6:7c:1e:cc:5e:02:4f:fc:ac:d2:d7:40:19:35:0e:81:fe:54:6a:e4
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
+MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
+YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
+MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
+ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
+MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
+PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
+wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
+EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
+avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
+sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
+/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
+IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
+OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
+TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
+HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
+dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
+ReYNnyicsbkqWletNw+vHX/bvZ8=
+-----END CERTIFICATE-----
+
+# Issuer: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
+# Subject: O=Starfield Technologies, Inc. OU=Starfield Class 2 Certification Authority
+# Label: "Starfield Class 2 CA"
+# Serial: 0
+# MD5 Fingerprint: 32:4a:4b:bb:c8:63:69:9b:be:74:9a:c6:dd:1d:46:24
+# SHA1 Fingerprint: ad:7e:1c:28:b0:64:ef:8f:60:03:40:20:14:c3:d0:e3:37:0e:b5:8a
+# SHA256 Fingerprint: 14:65:fa:20:53:97:b8:76:fa:a6:f0:a9:95:8e:55:90:e4:0f:cc:7f:aa:4f:b7:c2:c8:67:75:21:fb:5f:b6:58
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
+MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
+U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
+NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
+ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
+ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
+DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
+8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
++lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
+X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
+K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
+1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
+A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
+zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
+YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
+bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
+L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
+eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
+xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
+VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
+WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
+-----END CERTIFICATE-----
+
+# Issuer: CN=StartCom Certification Authority O=StartCom Ltd. OU=Secure Digital Certificate Signing
+# Subject: CN=StartCom Certification Authority O=StartCom Ltd. OU=Secure Digital Certificate Signing
+# Label: "StartCom Certification Authority"
+# Serial: 1
+# MD5 Fingerprint: 22:4d:8f:8a:fc:f7:35:c2:bb:57:34:90:7b:8b:22:16
+# SHA1 Fingerprint: 3e:2b:f7:f2:03:1b:96:f3:8c:e6:c4:d8:a8:5d:3e:2d:58:47:6a:0f
+# SHA256 Fingerprint: c7:66:a9:be:f2:d4:07:1c:86:3a:31:aa:49:20:e8:13:b2:d1:98:60:8c:b7:b7:cf:e2:11:43:b8:36:df:09:ea
+-----BEGIN CERTIFICATE-----
+MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
+MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
+Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
+dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM2WhcNMzYwOTE3MTk0NjM2WjB9
+MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
+U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
+cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk
+pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
+OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C
+Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT
+Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi
+HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM
+Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w
++2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+
+Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3
+Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
+26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID
+AQABo4ICUjCCAk4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAa4wHQYDVR0OBBYE
+FE4L7xqkQFulF2mHMMo0aEPQQa7yMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j
+ZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3Js
+LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFM
+BgsrBgEEAYG1NwEBATCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0
+Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFy
+dGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3Rh
+cnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlh
+YmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2Yg
+dGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFp
+bGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJ
+YIZIAYb4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNT
+TCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAgEAFmyZ
+9GYMNPXQhV59CuzaEE44HF7fpiUFS5Eyweg78T3dRAlbB0mKKctmArexmvclmAk8
+jhvh3TaHK0u7aNM5Zj2gJsfyOZEdUauCe37Vzlrk4gNXcGmXCPleWKYK34wGmkUW
+FjgKXlf2Ysd6AgXmvB618p70qSmD+LIU424oh0TDkBreOKk8rENNZEXO3SipXPJz
+ewT4F+irsfMuXGRuczE6Eri8sxHkfY+BUZo7jYn0TZNmezwD7dOaHZrzZVD1oNB1
+ny+v8OqCQ5j4aZyJecRDjkZy42Q2Eq/3JR44iZB3fsNrarnDy0RLrHiQi+fHLB5L
+EUTINFInzQpdn4XBidUaePKVEFMy3YCEZnXZtWgo+2EuvoSoOMCZEoalHmdkrQYu
+L6lwhceWD3yJZfWOQ1QOq92lgDmUYMA0yZZwLKMS9R9Ie70cfmu3nZD0Ijuu+Pwq
+yvqCUqDvr0tVk+vBtfAii6w0TiYiBKGHLHVKt+V9E9e4DGTANtLJL4YSjCMJwRuC
+O3NJo2pXh5Tl1njFmUNj403gdy3hZZlyaQQaRwnmDwFWJPsfvw55qVguucQJAX6V
+um0ABj6y6koQOdjQK/W/7HW/lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkySh
+NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
+-----END CERTIFICATE-----
+
+# Issuer: O=Government Root Certification Authority
+# Subject: O=Government Root Certification Authority
+# Label: "Taiwan GRCA"
+# Serial: 42023070807708724159991140556527066870
+# MD5 Fingerprint: 37:85:44:53:32:45:1f:20:f0:f3:95:e1:25:c4:43:4e
+# SHA1 Fingerprint: f4:8b:11:bf:de:ab:be:94:54:20:71:e6:41:de:6b:be:88:2b:40:b9
+# SHA256 Fingerprint: 76:00:29:5e:ef:e8:5b:9e:1f:d6:24:db:76:06:2a:aa:ae:59:81:8a:54:d2:77:4c:d4:c0:b2:c0:11:31:e1:b3
+-----BEGIN CERTIFICATE-----
+MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/
+MQswCQYDVQQGEwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5MB4XDTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1ow
+PzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dvdmVybm1lbnQgUm9vdCBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qNw8XR
+IePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1q
+gQdW8or5BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKy
+yhwOeYHWtXBiCAEuTk8O1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAts
+F/tnyMKtsc2AtJfcdgEWFelq16TheEfOhtX7MfP6Mb40qij7cEwdScevLJ1tZqa2
+jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wovJ5pGfaENda1UhhXcSTvx
+ls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7Q3hub/FC
+VGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHK
+YS1tB6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoH
+EgKXTiCQ8P8NHuJBO9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThN
+Xo+EHWbNxWCWtFJaBYmOlXqYwZE8lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1Ud
+DgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNVHRMEBTADAQH/MDkGBGcqBwAE
+MTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg209yewDL7MTqK
+UWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ
+TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyf
+qzvS/3WXy6TjZwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaK
+ZEk9GhiHkASfQlK3T8v+R0F2Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFE
+JPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlUD7gsL0u8qV1bYH+Mh6XgUmMqvtg7
+hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6QzDxARvBMB1uUO07+1
+EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+HbkZ6Mm
+nD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WX
+udpVBrkk7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44Vbnz
+ssQwmSNOXfJIoRIM3BKQCZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDe
+LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDMuAl
+pYYsfPQS
+-----END CERTIFICATE-----
+
+# Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
+# Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
+# Label: "Firmaprofesional Root CA"
+# Serial: 1
+# MD5 Fingerprint: 11:92:79:40:3c:b1:83:40:e5:ab:66:4a:67:92:80:df
+# SHA1 Fingerprint: a9:62:8f:4b:98:a9:1b:48:35:ba:d2:c1:46:32:86:bb:66:64:6a:8c
+# SHA256 Fingerprint: c1:cf:0b:52:09:64:35:e3:f1:b7:1d:aa:ec:45:5a:23:11:c8:40:4f:55:83:a9:e2:13:c6:9d:85:7d:94:33:05
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAz+gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCRVMx
+IjAgBgNVBAcTGUMvIE11bnRhbmVyIDI0NCBCYXJjZWxvbmExQjBABgNVBAMTOUF1
+dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVzaW9uYWwgQ0lGIEE2
+MjYzNDA2ODEmMCQGCSqGSIb3DQEJARYXY2FAZmlybWFwcm9mZXNpb25hbC5jb20w
+HhcNMDExMDI0MjIwMDAwWhcNMTMxMDI0MjIwMDAwWjCBnTELMAkGA1UEBhMCRVMx
+IjAgBgNVBAcTGUMvIE11bnRhbmVyIDI0NCBCYXJjZWxvbmExQjBABgNVBAMTOUF1
+dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVzaW9uYWwgQ0lGIEE2
+MjYzNDA2ODEmMCQGCSqGSIb3DQEJARYXY2FAZmlybWFwcm9mZXNpb25hbC5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDnIwNvbyOlXnjOlSztlB5u
+Cp4Bx+ow0Syd3Tfom5h5VtP8c9/Qit5Vj1H5WuretXDE7aTt/6MNbg9kUDGvASdY
+rv5sp0ovFy3Tc9UTHI9ZpTQsHVQERc1ouKDAA6XPhUJHlShbz++AbOCQl4oBPB3z
+hxAwJkh91/zpnZFx/0GaqUC1N5wpIE8fUuOgfRNtVLcK3ulqTgesrBlf3H5idPay
+BQC6haD9HThuy1q7hryUZzM1gywfI834yJFxzJeL764P3CkDG8A563DtwW4O2GcL
+iam8NeTvtjS0pbbELaW+0MOUJEjb35bTALVmGotmBQ/dPz/LP6pemkr4tErvlTcb
+AgMBAAGjgZ8wgZwwKgYDVR0RBCMwIYYfaHR0cDovL3d3dy5maXJtYXByb2Zlc2lv
+bmFsLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEBMCsGA1UdEAQkMCKADzIwMDExMDI0
+MjIwMDAwWoEPMjAxMzEwMjQyMjAwMDBaMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E
+FgQUMwugZtHq2s7eYpMEKFK1FH84aLcwDQYJKoZIhvcNAQEFBQADggEBAEdz/o0n
+VPD11HecJ3lXV7cVVuzH2Fi3AQL0M+2TUIiefEaxvT8Ub/GzR0iLjJcG1+p+o1wq
+u00vR+L4OQbJnC4xGgN49Lw4xiKLMzHwFgQEffl25EvXwOaD7FnMP97/T2u3Z36m
+hoEyIwOdyPdfwUpgpZKpsaSgYMN4h7Mi8yrrW6ntBas3D7Hi05V2Y1Z0jFhyGzfl
+ZKG+TQyTmAyX9odtsz/ny4Cm7YjHX1BiAuiZdBbQ5rQ58SfLyEDW44YQqSMSkuBp
+QWOnryULwMWSyx6Yo1q6xTMPoJcB3X/ge9YGVM+h4k0460tQtcsm9MracEpqoeJ5
+quGnM/b9Sh/22WA=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Wells Fargo Root Certificate Authority O=Wells Fargo OU=Wells Fargo Certification Authority
+# Subject: CN=Wells Fargo Root Certificate Authority O=Wells Fargo OU=Wells Fargo Certification Authority
+# Label: "Wells Fargo Root CA"
+# Serial: 971282334
+# MD5 Fingerprint: 20:0b:4a:7a:88:a7:a9:42:86:8a:5f:74:56:7b:88:05
+# SHA1 Fingerprint: 93:e6:ab:22:03:03:b5:23:28:dc:da:56:9e:ba:e4:d1:d1:cc:fb:65
+# SHA256 Fingerprint: 03:45:8b:6a:be:ec:c2:14:95:3d:97:14:9a:f4:53:91:69:1d:e9:f9:cd:cc:26:47:86:3a:3d:67:c9:5c:24:3b
+-----BEGIN CERTIFICATE-----
+MIID5TCCAs2gAwIBAgIEOeSXnjANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
+VVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSwwKgYDVQQLEyNXZWxscyBGYXJnbyBD
+ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0GA1UEAxMmV2VsbHMgRmFyZ28gUm9v
+dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDAxMDExMTY0MTI4WhcNMjEwMTE0
+MTY0MTI4WjCBgjELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1dlbGxzIEZhcmdvMSww
+KgYDVQQLEyNXZWxscyBGYXJnbyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEvMC0G
+A1UEAxMmV2VsbHMgRmFyZ28gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVqDM7Jvk0/82bfuUER84A4n13
+5zHCLielTWi5MbqNQ1mXx3Oqfz1cQJ4F5aHiidlMuD+b+Qy0yGIZLEWukR5zcUHE
+SxP9cMIlrCL1dQu3U+SlK93OvRw6esP3E48mVJwWa2uv+9iWsWCaSOAlIiR5NM4O
+JgALTqv9i86C1y8IcGjBqAr5dE8Hq6T54oN+J3N0Prj5OEL8pahbSCOz6+MlsoCu
+ltQKnMJ4msZoGK43YjdeUXWoWGPAUe5AeH6orxqg4bB4nVCMe+ez/I4jsNtlAHCE
+AQgAFG5Uhpq6zPk3EPbg3oQtnaSFN9OH4xXQwReQfhkhahKpdv0SAulPIV4XAgMB
+AAGjYTBfMA8GA1UdEwEB/wQFMAMBAf8wTAYDVR0gBEUwQzBBBgtghkgBhvt7hwcB
+CzAyMDAGCCsGAQUFBwIBFiRodHRwOi8vd3d3LndlbGxzZmFyZ28uY29tL2NlcnRw
+b2xpY3kwDQYJKoZIhvcNAQEFBQADggEBANIn3ZwKdyu7IvICtUpKkfnRLb7kuxpo
+7w6kAOnu5+/u9vnldKTC2FJYxHT7zmu1Oyl5GFrvm+0fazbuSCUlFLZWohDo7qd/
+0D+j0MNdJu4HzMPBJCGHHt8qElNvQRbn7a6U+oxy+hNH8Dx+rn0ROhPs7fpvcmR7
+nX1/Jv16+yWt6j4pf0zjAFcysLPp7VMX2YuyFA4w6OXVE8Zkr8QA1dhYJPz1j+zx
+x32l2w8n0cbyQIjmH/ZhqPRCyLk306m+LFZ4wnKbWV01QIroTmMatukgalHizqSQ
+33ZwmVxwQ023tqcZZE6St8WRPH9IFmV7Fv3L/PvZ1dZPIWU7Sn9Ho/s=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Swisscom Root CA 1 O=Swisscom OU=Digital Certificate Services
+# Subject: CN=Swisscom Root CA 1 O=Swisscom OU=Digital Certificate Services
+# Label: "Swisscom Root CA 1"
+# Serial: 122348795730808398873664200247279986742
+# MD5 Fingerprint: f8:38:7c:77:88:df:2c:16:68:2e:c2:e2:52:4b:b8:f9
+# SHA1 Fingerprint: 5f:3a:fc:0a:8b:64:f6:86:67:34:74:df:7e:a9:a2:fe:f9:fa:7a:51
+# SHA256 Fingerprint: 21:db:20:12:36:60:bb:2e:d4:18:20:5d:a1:1e:e7:a8:5a:65:e2:bc:6e:55:b5:af:7e:78:99:c8:a2:66:d9:2e
+-----BEGIN CERTIFICATE-----
+MIIF2TCCA8GgAwIBAgIQXAuFXAvnWUHfV8w/f52oNjANBgkqhkiG9w0BAQUFADBk
+MQswCQYDVQQGEwJjaDERMA8GA1UEChMIU3dpc3Njb20xJTAjBgNVBAsTHERpZ2l0
+YWwgQ2VydGlmaWNhdGUgU2VydmljZXMxGzAZBgNVBAMTElN3aXNzY29tIFJvb3Qg
+Q0EgMTAeFw0wNTA4MTgxMjA2MjBaFw0yNTA4MTgyMjA2MjBaMGQxCzAJBgNVBAYT
+AmNoMREwDwYDVQQKEwhTd2lzc2NvbTElMCMGA1UECxMcRGlnaXRhbCBDZXJ0aWZp
+Y2F0ZSBTZXJ2aWNlczEbMBkGA1UEAxMSU3dpc3Njb20gUm9vdCBDQSAxMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0LmwqAzZuz8h+BvVM5OAFmUgdbI9
+m2BtRsiMMW8Xw/qabFbtPMWRV8PNq5ZJkCoZSx6jbVfd8StiKHVFXqrWW/oLJdih
+FvkcxC7mlSpnzNApbjyFNDhhSbEAn9Y6cV9Nbc5fuankiX9qUvrKm/LcqfmdmUc/
+TilftKaNXXsLmREDA/7n29uj/x2lzZAeAR81sH8A25Bvxn570e56eqeqDFdvpG3F
+EzuwpdntMhy0XmeLVNxzh+XTF3xmUHJd1BpYwdnP2IkCb6dJtDZd0KTeByy2dbco
+kdaXvij1mB7qWybJvbCXc9qukSbraMH5ORXWZ0sKbU/Lz7DkQnGMU3nn7uHbHaBu
+HYwadzVcFh4rUx80i9Fs/PJnB3r1re3WmquhsUvhzDdf/X/NTa64H5xD+SpYVUNF
+vJbNcA78yeNmuk6NO4HLFWR7uZToXTNShXEuT46iBhFRyePLoW4xCGQMwtI89Tbo
+19AOeCMgkckkKmUpWyL3Ic6DXqTz3kvTaI9GdVyDCW4pa8RwjPWd1yAv/0bSKzjC
+L3UcPX7ape8eYIVpQtPM+GP+HkM5haa2Y0EQs3MevNP6yn0WR+Kn1dCjigoIlmJW
+bjTb2QK5MHXjBNLnj8KwEUAKrNVxAmKLMb7dxiNYMUJDLXT5xp6mig/p/r+D5kNX
+JLrvRjSq1xIBOO0CAwEAAaOBhjCBgzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0hBBYw
+FDASBgdghXQBUwABBgdghXQBUwABMBIGA1UdEwEB/wQIMAYBAf8CAQcwHwYDVR0j
+BBgwFoAUAyUv3m+CATpcLNwroWm1Z9SM0/0wHQYDVR0OBBYEFAMlL95vggE6XCzc
+K6FptWfUjNP9MA0GCSqGSIb3DQEBBQUAA4ICAQA1EMvspgQNDQ/NwNurqPKIlwzf
+ky9NfEBWMXrrpA9gzXrzvsMnjgM+pN0S734edAY8PzHyHHuRMSG08NBsl9Tpl7Ik
+Vh5WwzW9iAUPWxAaZOHHgjD5Mq2eUCzneAXQMbFamIp1TpBcahQq4FJHgmDmHtqB
+sfsUC1rxn9KVuj7QG9YVHaO+htXbD8BJZLsuUBlL0iT43R4HVtA4oJVwIHaM190e
+3p9xxCPvgxNcoyQVTSlAPGrEqdi3pkSlDfTgnXceQHAm/NrZNuR55LU/vJtlvrsR
+ls/bxig5OgjOR1tTWsWZ/l2p3e9M1MalrQLmjAcSHm8D0W+go/MpvRLHUKKwf4ip
+mXeascClOS5cfGniLLDqN2qk4Vrh9VDlg++luyqI54zb/W1elxmofmZ1a3Hqv7HH
+b6D0jqTsNFFbjCYDcKF31QESVwA12yPeDooomf2xEG9L/zgtYE4snOtnta1J7ksf
+rK/7DZBaZmBwXarNeNQk7shBoJMBkpxqnvy5JMWzFYJ+vq6VK+uxwNrjAWALXmms
+hFZhvnEX/h0TD/7Gh0Xp/jKgGg0TpJRVcaUWi7rKibCyx/yP2FS1k2Kdzs9Z+z0Y
+zirLNRWCXf9UIltxUvu3yf5gmwBBZPCqKuy2QkPOiWaByIufOVQDJdMWNY6E0F/6
+MBr1mmz0DlP5OlvRHA==
+-----END CERTIFICATE-----
+
+# Issuer: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Assured ID Root CA"
+# Serial: 17154717934120587862167794914071425081
+# MD5 Fingerprint: 87:ce:0b:7b:2a:0e:49:00:e1:58:71:9b:37:a8:93:72
+# SHA1 Fingerprint: 05:63:b8:63:0d:62:d7:5a:bb:c8:ab:1e:4b:df:b5:a8:99:b2:4d:43
+# SHA256 Fingerprint: 3e:90:99:b5:01:5e:8f:48:6c:00:bc:ea:9d:11:1e:e7:21:fa:ba:35:5a:89:bc:f1:df:69:56:1e:3d:c6:32:5c
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
+b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
+cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
+JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
+mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
+VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
+AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
+AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
+pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
+dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
+fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
+NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
+H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
++o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
+-----END CERTIFICATE-----
+
+# Issuer: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert Global Root CA"
+# Serial: 10944719598952040374951832963794454346
+# MD5 Fingerprint: 79:e4:a9:84:0d:7d:3a:96:d7:c0:4f:e2:43:4c:89:2e
+# SHA1 Fingerprint: a8:98:5d:3a:65:e5:e5:c4:b2:d7:d6:6d:40:c6:dd:2f:b1:9c:54:36
+# SHA256 Fingerprint: 43:48:a0:e9:44:4c:78:cb:26:5e:05:8d:5e:89:44:b4:d8:4f:96:62:bd:26:db:25:7f:89:34:a4:43:c7:01:61
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
+-----END CERTIFICATE-----
+
+# Issuer: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
+# Subject: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
+# Label: "DigiCert High Assurance EV Root CA"
+# Serial: 3553400076410547919724730734378100087
+# MD5 Fingerprint: d4:74:de:57:5c:39:b2:d3:9c:85:83:c5:c0:65:49:8a
+# SHA1 Fingerprint: 5f:b7:ee:06:33:e2:59:db:ad:0c:4c:9a:e6:d3:8f:1a:61:c7:dc:25
+# SHA256 Fingerprint: 74:31:e5:f4:c3:c1:ce:46:90:77:4f:0b:61:e0:54:40:88:3b:a9:a0:1e:d0:0b:a6:ab:d7:80:6e:d3:b1:18:cf
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
+ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
+LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
+RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
+PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
+xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
+Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
+hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
+EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
+nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
+eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
+hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
+Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
+vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
++OkuE6N36B9K
+-----END CERTIFICATE-----
+
+# Issuer: CN=Class 2 Primary CA O=Certplus
+# Subject: CN=Class 2 Primary CA O=Certplus
+# Label: "Certplus Class 2 Primary CA"
+# Serial: 177770208045934040241468760488327595043
+# MD5 Fingerprint: 88:2c:8c:52:b8:a2:3c:f3:f7:bb:03:ea:ae:ac:42:0b
+# SHA1 Fingerprint: 74:20:74:41:72:9c:dd:92:ec:79:31:d8:23:10:8d:c2:81:92:e2:bb
+# SHA256 Fingerprint: 0f:99:3c:8a:ef:97:ba:af:56:87:14:0e:d5:9a:d1:82:1b:b4:af:ac:f0:aa:9a:58:b5:d5:7a:33:8a:3a:fb:cb
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIRAIW9S/PY2uNp9pTXX8OlRCMwDQYJKoZIhvcNAQEFBQAw
+PTELMAkGA1UEBhMCRlIxETAPBgNVBAoTCENlcnRwbHVzMRswGQYDVQQDExJDbGFz
+cyAyIFByaW1hcnkgQ0EwHhcNOTkwNzA3MTcwNTAwWhcNMTkwNzA2MjM1OTU5WjA9
+MQswCQYDVQQGEwJGUjERMA8GA1UEChMIQ2VydHBsdXMxGzAZBgNVBAMTEkNsYXNz
+IDIgUHJpbWFyeSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANxQ
+ltAS+DXSCHh6tlJw/W/uz7kRy1134ezpfgSN1sxvc0NXYKwzCkTsA18cgCSR5aiR
+VhKC9+Ar9NuuYS6JEI1rbLqzAr3VNsVINyPi8Fo3UjMXEuLRYE2+L0ER4/YXJQyL
+kcAbmXuZVg2v7tK8R1fjeUl7NIknJITesezpWE7+Tt9avkGtrAjFGA7v0lPubNCd
+EgETjdyAYveVqUSISnFOYFWe2yMZeVYHDD9jC1yw4r5+FfyUM1hBOHTE4Y+L3yas
+H7WLO7dDWWuwJKZtkIvEcupdM5i3y95ee++U8Rs+yskhwcWYAqqi9lt3m/V+llU0
+HGdpwPFC40es/CgcZlUCAwEAAaOBjDCBiTAPBgNVHRMECDAGAQH/AgEKMAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQU43Mt38sOKAze3bOkynm4jrvoMIkwEQYJYIZIAYb4
+QgEBBAQDAgEGMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly93d3cuY2VydHBsdXMu
+Y29tL0NSTC9jbGFzczIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCnVM+IRBnL39R/
+AN9WM2K191EBkOvDP9GIROkkXe/nFL0gt5o8AP5tn9uQ3Nf0YtaLcF3n5QRIqWh8
+yfFC82x/xXp8HVGIutIKPidd3i1RTtMTZGnkLuPT55sJmabglZvOGtd/vjzOUrMR
+FcEPF80Du5wlFbqidon8BvEY0JNLDnyCt6X09l/+7UCmnYR0ObncHoUW2ikbhiMA
+ybuJfm6AiB4vFLQDJKgybwOaRywwvlbGp0ICcBvqQNi6BQNwB6SW//1IMwrh3KWB
+kJtN3X3n57LNXMhqlfil9o3EXXgIvnsG1knPGTZQIy4I5p4FTUcY1Rbpsda2ENW7
+l7+ijrRU
+-----END CERTIFICATE-----
+
+# Issuer: CN=DST Root CA X3 O=Digital Signature Trust Co.
+# Subject: CN=DST Root CA X3 O=Digital Signature Trust Co.
+# Label: "DST Root CA X3"
+# Serial: 91299735575339953335919266965803778155
+# MD5 Fingerprint: 41:03:52:dc:0f:f7:50:1b:16:f0:02:8e:ba:6f:45:c5
+# SHA1 Fingerprint: da:c9:02:4f:54:d8:f6:df:94:93:5f:b1:73:26:38:ca:6a:d7:7c:13
+# SHA256 Fingerprint: 06:87:26:03:31:a7:24:03:d9:09:f1:05:e6:9b:cf:0d:32:e1:bd:24:93:ff:c6:d9:20:6d:11:bc:d6:77:07:39
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----
+
+# Issuer: CN=DST ACES CA X6 O=Digital Signature Trust OU=DST ACES
+# Subject: CN=DST ACES CA X6 O=Digital Signature Trust OU=DST ACES
+# Label: "DST ACES CA X6"
+# Serial: 17771143917277623872238992636097467865
+# MD5 Fingerprint: 21:d8:4c:82:2b:99:09:33:a2:eb:14:24:8d:8e:5f:e8
+# SHA1 Fingerprint: 40:54:da:6f:1c:3f:40:74:ac:ed:0f:ec:cd:db:79:d1:53:fb:90:1d
+# SHA256 Fingerprint: 76:7c:95:5a:76:41:2c:89:af:68:8e:90:a1:c7:0f:55:6c:fd:6b:60:25:db:ea:10:41:6d:7e:b6:83:1f:8c:40
+-----BEGIN CERTIFICATE-----
+MIIECTCCAvGgAwIBAgIQDV6ZCtadt3js2AdWO4YV2TANBgkqhkiG9w0BAQUFADBb
+MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3Qx
+ETAPBgNVBAsTCERTVCBBQ0VTMRcwFQYDVQQDEw5EU1QgQUNFUyBDQSBYNjAeFw0w
+MzExMjAyMTE5NThaFw0xNzExMjAyMTE5NThaMFsxCzAJBgNVBAYTAlVTMSAwHgYD
+VQQKExdEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdDERMA8GA1UECxMIRFNUIEFDRVMx
+FzAVBgNVBAMTDkRTVCBBQ0VTIENBIFg2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuT31LMmU3HWKlV1j6IR3dma5WZFcRt2SPp/5DgO0PWGSvSMmtWPu
+ktKe1jzIDZBfZIGxqAgNTNj50wUoUrQBJcWVHAx+PhCEdc/BGZFjz+iokYi5Q1K7
+gLFViYsx+tC3dr5BPTCapCIlF3PoHuLTrCq9Wzgh1SpL11V94zpVvddtawJXa+ZH
+fAjIgrrep4c9oW24MFbCswKBXy314powGCi4ZtPLAZZv6opFVdbgnf9nKxcCpk4a
+ahELfrd755jWjHZvwTvbUJN+5dCOHze4vbrGn2zpfDPyMjwmR/onJALJfh1biEIT
+ajV8fTXpLmaRcpPVMibEdPVTo7NdmvYJywIDAQABo4HIMIHFMA8GA1UdEwEB/wQF
+MAMBAf8wDgYDVR0PAQH/BAQDAgHGMB8GA1UdEQQYMBaBFHBraS1vcHNAdHJ1c3Rk
+c3QuY29tMGIGA1UdIARbMFkwVwYKYIZIAWUDAgEBATBJMEcGCCsGAQUFBwIBFjto
+dHRwOi8vd3d3LnRydXN0ZHN0LmNvbS9jZXJ0aWZpY2F0ZXMvcG9saWN5L0FDRVMt
+aW5kZXguaHRtbDAdBgNVHQ4EFgQUCXIGThhDD+XWzMNqizF7eI+og7gwDQYJKoZI
+hvcNAQEFBQADggEBAKPYjtay284F5zLNAdMEA+V25FYrnJmQ6AgwbN99Pe7lv7Uk
+QIRJ4dEorsTCOlMwiPH1d25Ryvr/ma8kXxug/fKshMrfqfBfBC6tFr8hlxCBPeP/
+h40y3JTlR4peahPJlJU90u7INJXQgNStMgiAVDzgvVJT11J8smk/f3rPanTK+gQq
+nExaBqXpIK1FZg9p8d2/6eMyi/rgwYZNcjwu2JN4Cir42NInPRmJX1p7ijvMDNpR
+rscL9yuwNwXsvFcj4jjSm2jzVhKIT0J8uDHEtdvkyCE06UgRNe76x5JXxZ805Mf2
+9w4LTJxoeHtxMcfrHuBnQfO3oKfN5XozNmr6mis=
+-----END CERTIFICATE-----
+
+# Issuer: CN=TÜRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı O=(c) 2005 TÜRKTRUST Bilgi Ä°letiÅŸim ve BiliÅŸim GüvenliÄŸi Hizmetleri A.Åž.
+# Subject: CN=TÜRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı O=(c) 2005 TÜRKTRUST Bilgi Ä°letiÅŸim ve BiliÅŸim GüvenliÄŸi Hizmetleri A.Åž.
+# Label: "TURKTRUST Certificate Services Provider Root 1"
+# Serial: 1
+# MD5 Fingerprint: f1:6a:22:18:c9:cd:df:ce:82:1d:1d:b7:78:5c:a9:a5
+# SHA1 Fingerprint: 79:98:a3:08:e1:4d:65:85:e6:c2:1e:15:3a:71:9f:ba:5a:d3:4a:d9
+# SHA256 Fingerprint: 44:04:e3:3b:5e:14:0d:cf:99:80:51:fd:fc:80:28:c7:c8:16:15:c5:ee:73:7b:11:1b:58:82:33:a9:b5:35:a0
+-----BEGIN CERTIFICATE-----
+MIID+zCCAuOgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBtzE/MD0GA1UEAww2VMOc
+UktUUlVTVCBFbGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sx
+c8SxMQswCQYDVQQGDAJUUjEPMA0GA1UEBwwGQU5LQVJBMVYwVAYDVQQKDE0oYykg
+MjAwNSBUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8
+dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLjAeFw0wNTA1MTMxMDI3MTdaFw0xNTAz
+MjIxMDI3MTdaMIG3MT8wPQYDVQQDDDZUw5xSS1RSVVNUIEVsZWt0cm9uaWsgU2Vy
+dGlmaWthIEhpem1ldCBTYcSfbGF5xLFjxLFzxLExCzAJBgNVBAYMAlRSMQ8wDQYD
+VQQHDAZBTktBUkExVjBUBgNVBAoMTShjKSAyMDA1IFTDnFJLVFJVU1QgQmlsZ2kg
+xLBsZXRpxZ9pbSB2ZSBCaWxpxZ9pbSBHw7x2ZW5sacSfaSBIaXptZXRsZXJpIEEu
+xZ4uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAylIF1mMD2Bxf3dJ7
+XfIMYGFbazt0K3gNfUW9InTojAPBxhEqPZW8qZSwu5GXyGl8hMW0kWxsE2qkVa2k
+heiVfrMArwDCBRj1cJ02i67L5BuBf5OI+2pVu32Fks66WJ/bMsW9Xe8iSi9BB35J
+YbOG7E6mQW6EvAPs9TscyB/C7qju6hJKjRTP8wrgUDn5CDX4EVmt5yLqS8oUBt5C
+urKZ8y1UiBAG6uEaPj1nH/vO+3yC6BFdSsG5FOpU2WabfIl9BJpiyelSPJ6c79L1
+JuTm5Rh8i27fbMx4W09ysstcP4wFjdFMjK2Sx+F4f2VsSQZQLJ4ywtdKxnWKWU51
+b0dewQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAV
+9VX/N5aAWSGk/KEVTCD21F/aAyT8z5Aa9CEKmu46sWrv7/hg0Uw2ZkUd82YCdAR7
+kjCo3gp2D++Vbr3JN+YaDayJSFvMgzbC9UZcWYJWtNX+I7TYVBxEq8Sn5RTOPEFh
+fEPmzcSBCYsk+1Ql1haolgxnB2+zUEfjHCQo3SqYpGH+2+oSN7wBGjSFvW5P55Fy
+B0SFHljKVETd96y5y4khctuPwGkplyqjrhgjlxxBKot8KsF8kOipKMDTkcatKIdA
+aLX/7KfS0zgYnNN9aV3wxqUeJBujR/xpB2jn5Jq07Q+hh4cCzofSSE7hvP/L8XKS
+RGQDJereW26fyfJOrN3H
+-----END CERTIFICATE-----
+
+# Issuer: CN=TÜRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı O=TÜRKTRUST Bilgi Ä°letiÅŸim ve BiliÅŸim GüvenliÄŸi Hizmetleri A.Åž. (c) Kasım 2005
+# Subject: CN=TÜRKTRUST Elektronik Sertifika Hizmet SaÄŸlayıcısı O=TÜRKTRUST Bilgi Ä°letiÅŸim ve BiliÅŸim GüvenliÄŸi Hizmetleri A.Åž. (c) Kasım 2005
+# Label: "TURKTRUST Certificate Services Provider Root 2"
+# Serial: 1
+# MD5 Fingerprint: 37:a5:6e:d4:b1:25:84:97:b7:fd:56:15:7a:f9:a2:00
+# SHA1 Fingerprint: b4:35:d4:e1:11:9d:1c:66:90:a7:49:eb:b3:94:bd:63:7b:a7:82:b7
+# SHA256 Fingerprint: c4:70:cf:54:7e:23:02:b9:77:fb:29:dd:71:a8:9a:7b:6c:1f:60:77:7b:03:29:f5:60:17:f3:28:bf:4f:6b:e6
+-----BEGIN CERTIFICATE-----
+MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBvjE/MD0GA1UEAww2VMOc
+UktUUlVTVCBFbGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sx
+c8SxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMV0wWwYDVQQKDFRUw5xS
+S1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kg
+SGl6bWV0bGVyaSBBLsWeLiAoYykgS2FzxLFtIDIwMDUwHhcNMDUxMTA3MTAwNzU3
+WhcNMTUwOTE2MTAwNzU3WjCBvjE/MD0GA1UEAww2VMOcUktUUlVTVCBFbGVrdHJv
+bmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxMQswCQYDVQQGEwJU
+UjEPMA0GA1UEBwwGQW5rYXJhMV0wWwYDVQQKDFRUw5xSS1RSVVNUIEJpbGdpIMSw
+bGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWe
+LiAoYykgS2FzxLFtIDIwMDUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCpNn7DkUNMwxmYCMjHWHtPFoylzkkBH3MOrHUTpvqeLCDe2JAOCtFp0if7qnef
+J1Il4std2NiDUBd9irWCPwSOtNXwSadktx4uXyCcUHVPr+G1QRT0mJKIx+XlZEdh
+R3n9wFHxwZnn3M5q+6+1ATDcRhzviuyV79z/rxAc653YsKpqhRgNF8k+v/Gb0AmJ
+Qv2gQrSdiVFVKc8bcLyEVK3BEx+Y9C52YItdP5qtygy/p1Zbj3e41Z55SZI/4PGX
+JHpsmxcPbe9TmJEr5A++WXkHeLuXlfSfadRYhwqp48y2WBmfJiGxxFmNskF1wK1p
+zpwACPI2/z7woQ8arBT9pmAPAgMBAAGjQzBBMB0GA1UdDgQWBBTZN7NOBf3Zz58S
+Fq62iS/rJTqIHDAPBgNVHQ8BAf8EBQMDBwYAMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQEFBQADggEBAHJglrfJ3NgpXiOFX7KzLXb7iNcX/nttRbj2hWyfIvwq
+ECLsqrkw9qtY1jkQMZkpAL2JZkH7dN6RwRgLn7Vhy506vvWolKMiVW4XSf/SKfE4
+Jl3vpao6+XF75tpYHdN0wgH6PmlYX63LaL4ULptswLbcoCb6dxriJNoaN+BnrdFz
+gw2lGh1uEpJ+hGIAF728JRhX8tepb1mIvDS3LoV4nZbcFMMsilKbloxSZj2GFotH
+uFEJjOp9zYhys2AzsfAKRO8P9Qk3iCQOLGsgOqL6EfJANZxEaGM7rDNvY7wsu/LS
+y3Z9fYjYHcgFHW68lKlmjHdxx/qR+i9Rnuk5UrbnBEI=
+-----END CERTIFICATE-----
+
+# Issuer: CN=SwissSign Gold CA - G2 O=SwissSign AG
+# Subject: CN=SwissSign Gold CA - G2 O=SwissSign AG
+# Label: "SwissSign Gold CA - G2"
+# Serial: 13492815561806991280
+# MD5 Fingerprint: 24:77:d9:a8:91:d1:3b:fa:88:2d:c2:ff:f8:cd:33:93
+# SHA1 Fingerprint: d8:c5:38:8a:b7:30:1b:1b:6e:d4:7a:e6:45:25:3a:6f:9f:1a:27:61
+# SHA256 Fingerprint: 62:dd:0b:e9:b9:f5:0a:16:3e:a0:f8:e7:5c:05:3b:1e:ca:57:ea:55:c8:68:8f:64:7c:68:81:f2:c8:35:7b:95
+-----BEGIN CERTIFICATE-----
+MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2ln
+biBHb2xkIENBIC0gRzIwHhcNMDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBF
+MQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMR8wHQYDVQQDExZT
+d2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAr+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUqt2/8
+76LQwB8CJEoTlo8jE+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+
+bbqBHH5CjCA12UNNhPqE21Is8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c
+6bM8K8vzARO/Ws/BtQpgvd21mWRTuKCWs2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqE
+emA8atufK+ze3gE/bk3lUIbLtK/tREDFylqM2tIrfKjuvqblCqoOpd8FUrdVxyJd
+MmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvRAiTysybUa9oEVeXBCsdt
+MDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuendjIj3o02y
+MszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69y
+FGkOpeUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPi
+aG59je883WX0XaxR7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxM
+gI93e2CaHt+28kgeDrpOVG2Y4OGiGqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCB
+qTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWyV7
+lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0jBBgwFoAUWyV7lqRlUX64OfPAeGZe6Drn
+8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAsBggrBgEFBQcCARYgaHR0cDov
+L3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBACe6
+45R88a7A3hfm5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5+OlgzczO
+UYrHUDFu4Up+GC9pWbY9ZIEr44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5
+O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOfMke6UiI0HTJ6CVanfCU2qT1L2sCC
+bwq7EsiHSycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6mGu6uLftIdxf+u+yv
+GPUqUfA5hJeVbG4bwyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxpmo/a
+77KwPJ+HbBIrZXAVUjEaJM9vMSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCC
+hdiDyyJkvC24JdVUorgG6q2SpCSgwYa1ShNqR88uC1aVVMvOmttqtKay20EIhid3
+92qgQmwLOM7XdVAyksLfKzAiSNDVQTglXaTpXZ/GlHXQRf0wl0OPkKsKx4ZzYEpp
+Ld6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8js1WtciVORvnSFu+w
+ZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+ACOzB2+htt
+Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
+-----END CERTIFICATE-----
+
+# Issuer: CN=SwissSign Silver CA - G2 O=SwissSign AG
+# Subject: CN=SwissSign Silver CA - G2 O=SwissSign AG
+# Label: "SwissSign Silver CA - G2"
+# Serial: 5700383053117599563
+# MD5 Fingerprint: e0:06:a1:c9:7d:cf:c9:fc:0d:c0:56:75:96:d8:62:13
+# SHA1 Fingerprint: 9b:aa:e5:9f:56:ee:21:cb:43:5a:be:25:93:df:a7:f0:40:d1:1d:cb
+# SHA256 Fingerprint: be:6c:4d:a2:bb:b9:ba:59:b6:f3:93:97:68:37:42:46:c3:c0:05:99:3f:a9:8f:02:0d:1d:ed:be:d4:8a:81:d5
+-----BEGIN CERTIFICATE-----
+MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UE
+BhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWdu
+IFNpbHZlciBDQSAtIEcyMB4XDTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0Nlow
+RzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMY
+U3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644N0Mv
+Fz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7br
+YT7QbNHm+/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieF
+nbAVlDLaYQ1HTWBCrpJH6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH
+6ATK72oxh9TAtvmUcXtnZLi2kUpCe2UuMGoM9ZDulebyzYLs2aFK7PayS+VFheZt
+eJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5hqAaEuSh6XzjZG6k4sIN/
+c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5FZGkECwJ
+MoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRH
+HTBsROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTf
+jNFusB3hB48IHpmccelM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb6
+5i/4z3GcRm25xBWNOHkDRUjvxF3XCO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOB
+rDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+F6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRBtjpbO8tFnb0c
+wpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0
+cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIB
+AHPGgeAn0i0P4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShp
+WJHckRE1qTodvBqlYJ7YH39FkWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9
+xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L3XWgwF15kIwb4FDm3jH+mHtwX6WQ
+2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx/uNncqCxv1yL5PqZ
+IseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFaDGi8
+aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2X
+em1ZqSqPe97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQR
+dAtq/gsD/KNVV4n+SsuuWxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/
+OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJDIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+
+hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ubDgEj8Z+7fNzcbBGXJbLy
+tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Primary Certification Authority O=GeoTrust Inc.
+# Subject: CN=GeoTrust Primary Certification Authority O=GeoTrust Inc.
+# Label: "GeoTrust Primary Certification Authority"
+# Serial: 32798226551256963324313806436981982369
+# MD5 Fingerprint: 02:26:c3:01:5e:08:30:37:43:a9:d0:7d:cf:37:e6:bf
+# SHA1 Fingerprint: 32:3c:11:8e:1b:f7:b8:b6:52:54:e2:e2:10:0d:d6:02:90:37:f0:96
+# SHA256 Fingerprint: 37:d5:10:06:c5:12:ea:ab:62:64:21:f1:ec:8c:92:01:3f:c5:f8:2a:e9:8e:e5:33:eb:46:19:b8:de:b4:d0:6c
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBY
+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMo
+R2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEx
+MjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQK
+Ew1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQcmltYXJ5IENlcnRp
+ZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9
+AWbK7hWNb6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjA
+ZIVcFU2Ix7e64HXprQU9nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE0
+7e9GceBrAqg1cmuXm2bgyxx5X9gaBGgeRwLmnWDiNpcB3841kt++Z8dtd1k7j53W
+kBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGttm/81w7a4DSwDRp35+MI
+mO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJ
+KoZIhvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ1
+6CePbJC/kRYkRj5KTs4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl
+4b7UVXGYNTq+k+qurUKykG/g/CFNNWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6K
+oKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHaFloxt/m0cYASSJlyc1pZU8Fj
+UjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG1riR/aYNKxoU
+AT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk=
+-----END CERTIFICATE-----
+
+# Issuer: CN=thawte Primary Root CA O=thawte, Inc. OU=Certification Services Division/(c) 2006 thawte, Inc. - For authorized use only
+# Subject: CN=thawte Primary Root CA O=thawte, Inc. OU=Certification Services Division/(c) 2006 thawte, Inc. - For authorized use only
+# Label: "thawte Primary Root CA"
+# Serial: 69529181992039203566298953787712940909
+# MD5 Fingerprint: 8c:ca:dc:0b:22:ce:f5:be:72:ac:41:1a:11:a8:d8:12
+# SHA1 Fingerprint: 91:c6:d6:ee:3e:8a:c8:63:84:e5:48:c2:99:29:5c:75:6c:81:7b:81
+# SHA256 Fingerprint: 8d:72:2f:81:a9:c1:13:c0:79:1d:f1:36:a2:96:6d:b2:6c:95:0a:97:1d:b4:6b:41:99:f4:ea:54:b7:8b:fb:9f
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
+qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
+Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
+MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
+BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
+NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
+LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
+A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
+IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
+W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
+3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
+6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
+Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
+NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
+r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
+DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
+YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
+xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
+/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
+LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
+jVaMaA==
+-----END CERTIFICATE-----
+
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2006 VeriSign, Inc. - For authorized use only
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2006 VeriSign, Inc. - For authorized use only
+# Label: "VeriSign Class 3 Public Primary Certification Authority - G5"
+# Serial: 33037644167568058970164719475676101450
+# MD5 Fingerprint: cb:17:e4:31:67:3e:e2:09:fe:45:57:93:f3:0a:fa:1c
+# SHA1 Fingerprint: 4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5
+# SHA256 Fingerprint: 9a:cf:ab:7e:43:c8:d8:80:d0:6b:26:2a:94:de:ee:e4:b4:65:99:89:c3:d0:ca:f1:9b:af:64:05:e4:1a:b7:df
+-----BEGIN CERTIFICATE-----
+MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
+nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
+t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
+SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
+BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
+NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
+BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
+MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
+p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
+5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
+WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
+4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
+hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
+-----END CERTIFICATE-----
+
+# Issuer: CN=SecureTrust CA O=SecureTrust Corporation
+# Subject: CN=SecureTrust CA O=SecureTrust Corporation
+# Label: "SecureTrust CA"
+# Serial: 17199774589125277788362757014266862032
+# MD5 Fingerprint: dc:32:c3:a7:6d:25:57:c7:68:09:9d:ea:2d:a9:a2:d1
+# SHA1 Fingerprint: 87:82:c6:c3:04:35:3b:cf:d2:96:92:d2:59:3e:7d:44:d9:34:ff:11
+# SHA256 Fingerprint: f1:c1:b5:0a:e5:a2:0d:d8:03:0e:c9:f6:bc:24:82:3d:d3:67:b5:25:57:59:b4:e7:1b:61:fc:e9:f7:37:5d:73
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI
+MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
+FzAVBgNVBAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIz
+MTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENv
+cnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQXOZEz
+Zum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO
+0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIao
+wW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj
+7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS
+8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjAT
+BgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCeg
+JYYjaHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGC
+NxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt3
+6Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/
+3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fiiu1cprp6poxkm
+D5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvnZyPS
+CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR
+3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Secure Global CA O=SecureTrust Corporation
+# Subject: CN=Secure Global CA O=SecureTrust Corporation
+# Label: "Secure Global CA"
+# Serial: 9751836167731051554232119481456978597
+# MD5 Fingerprint: cf:f4:27:0d:d4:ed:dc:65:16:49:6d:3d:da:bf:6e:de
+# SHA1 Fingerprint: 3a:44:73:5a:e5:81:90:1f:24:86:61:46:1e:3b:9c:c4:5f:f5:3a:1b
+# SHA256 Fingerprint: 42:00:f5:04:3a:c8:59:0e:bb:52:7d:20:9e:d1:50:30:29:fb:cb:d4:1c:a1:b5:06:ec:27:f1:5a:de:7d:ac:69
+-----BEGIN CERTIFICATE-----
+MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK
+MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
+GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx
+MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg
+Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ
+iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa
+/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ
+jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI
+HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7
+sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w
+gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw
+KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG
+AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L
+URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO
+H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm
+I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY
+iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc
+f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW
+-----END CERTIFICATE-----
+
+# Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
+# Subject: CN=COMODO Certification Authority O=COMODO CA Limited
+# Label: "COMODO Certification Authority"
+# Serial: 104350513648249232941998508985834464573
+# MD5 Fingerprint: 5c:48:dc:f7:42:72:ec:56:94:6d:1c:cc:71:35:80:75
+# SHA1 Fingerprint: 66:31:bf:9e:f7:4f:9e:b6:c9:d5:a6:0c:ba:6a:be:d1:f7:bd:ef:7b
+# SHA256 Fingerprint: 0c:2c:d6:3d:f7:80:6f:a3:99:ed:e8:09:11:6b:57:5b:f8:79:89:f0:65:18:f9:80:8c:86:05:03:17:8b:af:66
+-----BEGIN CERTIFICATE-----
+MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB
+gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
+BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw
+MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
+YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
+RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3
+UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI
+2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8
+Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp
++2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+
+DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O
+nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW
+/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g
+PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u
+QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY
+SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv
+IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/
+RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4
+zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
+BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB
+ZQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C.
+# Subject: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C.
+# Label: "Network Solutions Certificate Authority"
+# Serial: 116697915152937497490437556386812487904
+# MD5 Fingerprint: d3:f3:a6:16:c0:fa:6b:1d:59:b1:2d:96:4d:0e:11:2e
+# SHA1 Fingerprint: 74:f8:a3:c3:ef:e7:b3:90:06:4b:83:90:3c:21:64:60:20:e5:df:ce
+# SHA256 Fingerprint: 15:f0:ba:00:a3:ac:7a:f3:ac:88:4c:07:2b:10:11:a0:77:bd:77:c0:97:f4:01:64:b2:f8:59:8a:bd:83:86:0c
+-----BEGIN CERTIFICATE-----
+MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi
+MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu
+MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp
+dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV
+UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO
+ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz
+c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP
+OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl
+mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF
+BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4
+qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw
+gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB
+BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu
+bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp
+dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8
+6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/
+h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH
+/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv
+wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN
+pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey
+-----END CERTIFICATE-----
+
+# Issuer: CN=WellsSecure Public Root Certificate Authority O=Wells Fargo WellsSecure OU=Wells Fargo Bank NA
+# Subject: CN=WellsSecure Public Root Certificate Authority O=Wells Fargo WellsSecure OU=Wells Fargo Bank NA
+# Label: "WellsSecure Public Root Certificate Authority"
+# Serial: 1
+# MD5 Fingerprint: 15:ac:a5:c2:92:2d:79:bc:e8:7f:cb:67:ed:02:cf:36
+# SHA1 Fingerprint: e7:b4:f6:9d:61:ec:90:69:db:7e:90:a7:40:1a:3c:f4:7d:4f:e8:ee
+# SHA256 Fingerprint: a7:12:72:ae:aa:a3:cf:e8:72:7f:7f:b3:9f:0f:b3:d1:e5:42:6e:90:60:b0:6e:e6:f1:3e:9a:3c:58:33:cd:43
+-----BEGIN CERTIFICATE-----
+MIIEvTCCA6WgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMCVVMx
+IDAeBgNVBAoMF1dlbGxzIEZhcmdvIFdlbGxzU2VjdXJlMRwwGgYDVQQLDBNXZWxs
+cyBGYXJnbyBCYW5rIE5BMTYwNAYDVQQDDC1XZWxsc1NlY3VyZSBQdWJsaWMgUm9v
+dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcxMjEzMTcwNzU0WhcNMjIxMjE0
+MDAwNzU0WjCBhTELMAkGA1UEBhMCVVMxIDAeBgNVBAoMF1dlbGxzIEZhcmdvIFdl
+bGxzU2VjdXJlMRwwGgYDVQQLDBNXZWxscyBGYXJnbyBCYW5rIE5BMTYwNAYDVQQD
+DC1XZWxsc1NlY3VyZSBQdWJsaWMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDub7S9eeKPCCGeOARBJe+r
+WxxTkqxtnt3CxC5FlAM1iGd0V+PfjLindo8796jE2yljDpFoNoqXjopxaAkH5OjU
+Dk/41itMpBb570OYj7OeUt9tkTmPOL13i0Nj67eT/DBMHAGTthP796EfvyXhdDcs
+HqRePGj4S78NuR4uNuip5Kf4D8uCdXw1LSLWwr8L87T8bJVhHlfXBIEyg1J55oNj
+z7fLY4sR4r1e6/aN7ZVyKLSsEmLpSjPmgzKuBXWVvYSV2ypcm44uDLiBK0HmOFaf
+SZtsdvqKXfcBeYF8wYNABf5x/Qw/zE5gCQ5lRxAvAcAFP4/4s0HvWkJ+We/Slwxl
+AgMBAAGjggE0MIIBMDAPBgNVHRMBAf8EBTADAQH/MDkGA1UdHwQyMDAwLqAsoCqG
+KGh0dHA6Ly9jcmwucGtpLndlbGxzZmFyZ28uY29tL3dzcHJjYS5jcmwwDgYDVR0P
+AQH/BAQDAgHGMB0GA1UdDgQWBBQmlRkQ2eihl5H/3BnZtQQ+0nMKajCBsgYDVR0j
+BIGqMIGngBQmlRkQ2eihl5H/3BnZtQQ+0nMKaqGBi6SBiDCBhTELMAkGA1UEBhMC
+VVMxIDAeBgNVBAoMF1dlbGxzIEZhcmdvIFdlbGxzU2VjdXJlMRwwGgYDVQQLDBNX
+ZWxscyBGYXJnbyBCYW5rIE5BMTYwNAYDVQQDDC1XZWxsc1NlY3VyZSBQdWJsaWMg
+Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQEwDQYJKoZIhvcNAQEFBQADggEB
+ALkVsUSRzCPIK0134/iaeycNzXK7mQDKfGYZUMbVmO2rvwNa5U3lHshPcZeG1eMd
+/ZDJPHV3V3p9+N701NX3leZ0bh08rnyd2wIDBSxxSyU+B+NemvVmFymIGjifz6pB
+A4SXa5M4esowRBskRDPQ5NHcKDj0E0M1NSljqHyita04pO2t/caaH/+Xc/77szWn
+k4bGdpEA5qxRFsQnMlzbc9qlk1eOPm01JghZ1edE13YgY+esE2fDbbFwRnzVlhE9
+iW9dqKHrjQrawx0zbKPqZxmamX9LPYNRKh3KL4YMon4QLSvUFpULB6ouFJJJtylv
+2G0xffX8oRAHh84vWdw+WNs=
+-----END CERTIFICATE-----
+
+# Issuer: CN=COMODO ECC Certification Authority O=COMODO CA Limited
+# Subject: CN=COMODO ECC Certification Authority O=COMODO CA Limited
+# Label: "COMODO ECC Certification Authority"
+# Serial: 41578283867086692638256921589707938090
+# MD5 Fingerprint: 7c:62:ff:74:9d:31:53:5e:68:4a:d5:78:aa:1e:bf:23
+# SHA1 Fingerprint: 9f:74:4e:9f:2b:4d:ba:ec:0f:31:2c:50:b6:56:3b:8e:2d:93:c3:11
+# SHA256 Fingerprint: 17:93:92:7a:06:14:54:97:89:ad:ce:2f:8f:34:f7:f0:b6:6d:0f:3a:e3:a3:b8:4d:21:ec:15:db:ba:4f:ad:c7
+-----BEGIN CERTIFICATE-----
+MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL
+MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
+BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT
+IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw
+MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy
+ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N
+T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv
+biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR
+FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J
+cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW
+BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm
+fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv
+GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=
+-----END CERTIFICATE-----
+
+# Issuer: CN=IGC/A O=PM/SGDN OU=DCSSI
+# Subject: CN=IGC/A O=PM/SGDN OU=DCSSI
+# Label: "IGC/A"
+# Serial: 245102874772
+# MD5 Fingerprint: 0c:7f:dd:6a:f4:2a:b9:c8:9b:bd:20:7e:a9:db:5c:37
+# SHA1 Fingerprint: 60:d6:89:74:b5:c2:65:9e:8a:0f:c1:88:7c:88:d2:46:69:1b:18:2c
+# SHA256 Fingerprint: b9:be:a7:86:0a:96:2e:a3:61:1d:ab:97:ab:6d:a3:e2:1c:10:68:b9:7d:55:57:5e:d0:e1:12:79:c1:1c:89:32
+-----BEGIN CERTIFICATE-----
+MIIEAjCCAuqgAwIBAgIFORFFEJQwDQYJKoZIhvcNAQEFBQAwgYUxCzAJBgNVBAYT
+AkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBhcmlzMRAwDgYDVQQKEwdQ
+TS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMFSUdDL0ExIzAhBgkqhkiG
+9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMB4XDTAyMTIxMzE0MjkyM1oXDTIw
+MTAxNzE0MjkyMlowgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAM
+BgNVBAcTBVBhcmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEO
+MAwGA1UEAxMFSUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2
+LmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsh/R0GLFMzvABIaI
+s9z4iPf930Pfeo2aSVz2TqrMHLmh6yeJ8kbpO0px1R2OLc/mratjUMdUC24SyZA2
+xtgv2pGqaMVy/hcKshd+ebUyiHDKcMCWSo7kVc0dJ5S/znIq7Fz5cyD+vfcuiWe4
+u0dzEvfRNWk68gq5rv9GQkaiv6GFGvm/5P9JhfejcIYyHF2fYPepraX/z9E0+X1b
+F8bc1g4oa8Ld8fUzaJ1O/Id8NhLWo4DoQw1VYZTqZDdH6nfK0LJYBcNdfrGoRpAx
+Vs5wKpayMLh35nnAvSk7/ZR3TL0gzUEl4C7HG7vupARB0l2tEmqKm0f7yd1GQOGd
+PDPQtQIDAQABo3cwdTAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBRjAVBgNV
+HSAEDjAMMAoGCCqBegF5AQEBMB0GA1UdDgQWBBSjBS8YYFDCiQrdKyFP/45OqDAx
+NjAfBgNVHSMEGDAWgBSjBS8YYFDCiQrdKyFP/45OqDAxNjANBgkqhkiG9w0BAQUF
+AAOCAQEABdwm2Pp3FURo/C9mOnTgXeQp/wYHE4RKq89toB9RlPhJy3Q2FLwV3duJ
+L92PoF189RLrn544pEfMs5bZvpwlqwN+Mw+VgQ39FuCIvjfwbF3QMZsyK10XZZOY
+YLxuj7GoPB7ZHPOpJkL5ZB3C55L29B5aqhlSXa/oovdgoPaN8In1buAKBQGVyYsg
+Crpa/JosPL3Dt8ldeCUFP1YUmwza+zpI/pdpXsoQhvdOlgQITeywvl3cO45Pwf2a
+NjSaTFR+FwNIlQgRHAdvhQh+XU3Endv7rs6y0bO4g2wdsrN58dhwmX7wEwLOXt1R
+0982gaEbeC9xs/FZTEYYKKuF0mBWWg==
+-----END CERTIFICATE-----
+
+# Issuer: O=SECOM Trust Systems CO.,LTD. OU=Security Communication EV RootCA1
+# Subject: O=SECOM Trust Systems CO.,LTD. OU=Security Communication EV RootCA1
+# Label: "Security Communication EV RootCA1"
+# Serial: 0
+# MD5 Fingerprint: 22:2d:a6:01:ea:7c:0a:f7:f0:6c:56:43:3f:77:76:d3
+# SHA1 Fingerprint: fe:b8:c4:32:dc:f9:76:9a:ce:ae:3d:d8:90:8f:fd:28:86:65:64:7d
+# SHA256 Fingerprint: a2:2d:ba:68:1e:97:37:6e:2d:39:7d:72:8a:ae:3a:9b:62:96:b9:fd:ba:60:bc:2e:11:f6:47:f2:c6:75:fb:37
+-----BEGIN CERTIFICATE-----
+MIIDfTCCAmWgAwIBAgIBADANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJKUDEl
+MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEqMCgGA1UECxMh
+U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBFViBSb290Q0ExMB4XDTA3MDYwNjAyMTIz
+MloXDTM3MDYwNjAyMTIzMlowYDELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09N
+IFRydXN0IFN5c3RlbXMgQ08uLExURC4xKjAoBgNVBAsTIVNlY3VyaXR5IENvbW11
+bmljYXRpb24gRVYgUm9vdENBMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALx/7FebJOD+nLpCeamIivqA4PUHKUPqjgo0No0c+qe1OXj/l3X3L+SqawSE
+RMqm4miO/VVQYg+kcQ7OBzgtQoVQrTyWb4vVog7P3kmJPdZkLjjlHmy1V4qe70gO
+zXppFodEtZDkBp2uoQSXWHnvIEqCa4wiv+wfD+mEce3xDuS4GBPMVjZd0ZoeUWs5
+bmB2iDQL87PRsJ3KYeJkHcFGB7hj3R4zZbOOCVVSPbW9/wfrrWFVGCypaZhKqkDF
+MxRldAD5kd6vA0jFQFTcD4SQaCDFkpbcLuUCRarAX1T4bepJz11sS6/vmsJWXMY1
+VkJqMF/Cq/biPT+zyRGPMUzXn0kCAwEAAaNCMEAwHQYDVR0OBBYEFDVK9U2vP9eC
+OKyrcWUXdYydVZPmMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4IBAQCoh+ns+EBnXcPBZsdAS5f8hxOQWsTvoMpfi7ent/HW
+tWS3irO4G8za+6xmiEHO6Pzk2x6Ipu0nUBsCMCRGef4Eh3CXQHPRwMFXGZpppSeZ
+q51ihPZRwSzJIxXYKLerJRO1RuGGAv8mjMSIkh1W/hln8lXkgKNrnKt34VFxDSDb
+EJrbvXZ5B3eZKK2aXtqxT0QsNY6llsf9g/BYxnnWmHyojf6GPgcWkuF75x3sM3Z+
+Qi5KhfmRiWiEA4Glm5q+4zfFVKtWOxgtQaQM+ELbmaDgcm+7XeEWT1MKZPlO9L9O
+VL14bIjqv5wTJMJwaaJ/D8g8rQjJsJhAoyrniIPtd490
+-----END CERTIFICATE-----
+
+# Issuer: CN=OISTE WISeKey Global Root GA CA O=WISeKey OU=Copyright (c) 2005/OISTE Foundation Endorsed
+# Subject: CN=OISTE WISeKey Global Root GA CA O=WISeKey OU=Copyright (c) 2005/OISTE Foundation Endorsed
+# Label: "OISTE WISeKey Global Root GA CA"
+# Serial: 86718877871133159090080555911823548314
+# MD5 Fingerprint: bc:6c:51:33:a7:e9:d3:66:63:54:15:72:1b:21:92:93
+# SHA1 Fingerprint: 59:22:a1:e1:5a:ea:16:35:21:f8:98:39:6a:46:46:b0:44:1b:0f:a9
+# SHA256 Fingerprint: 41:c9:23:86:6a:b4:ca:d6:b7:ad:57:80:81:58:2e:02:07:97:a6:cb:df:4f:ff:78:ce:83:96:b3:89:37:d7:f5
+-----BEGIN CERTIFICATE-----
+MIID8TCCAtmgAwIBAgIQQT1yx/RrH4FDffHSKFTfmjANBgkqhkiG9w0BAQUFADCB
+ijELMAkGA1UEBhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxGzAZBgNVBAsTEkNvcHly
+aWdodCAoYykgMjAwNTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNl
+ZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQSBDQTAeFw0w
+NTEyMTExNjAzNDRaFw0zNzEyMTExNjA5NTFaMIGKMQswCQYDVQQGEwJDSDEQMA4G
+A1UEChMHV0lTZUtleTEbMBkGA1UECxMSQ29weXJpZ2h0IChjKSAyMDA1MSIwIAYD
+VQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBX
+SVNlS2V5IEdsb2JhbCBSb290IEdBIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAy0+zAJs9Nt350UlqaxBJH+zYK7LG+DKBKUOVTJoZIyEVRd7jyBxR
+VVuuk+g3/ytr6dTqvirdqFEr12bDYVxgAsj1znJ7O7jyTmUIms2kahnBAbtzptf2
+w93NvKSLtZlhuAGio9RN1AU9ka34tAhxZK9w8RxrfvbDd50kc3vkDIzh2TbhmYsF
+mQvtRTEJysIA2/dyoJaqlYfQjse2YXMNdmaM3Bu0Y6Kff5MTMPGhJ9vZ/yxViJGg
+4E8HsChWjBgbl0SOid3gF27nKu+POQoxhILYQBRJLnpB5Kf+42TMwVlxSywhp1t9
+4B3RLoGbw9ho972WG6xwsRYUC9tguSYBBQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUswN+rja8sHnR3JQmthG+IbJphpQw
+EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEuh/wuHbrP5wUOx
+SPMowB0uyQlB+pQAHKSkq0lPjz0e701vvbyk9vImMMkQyh2I+3QZH4VFvbBsUfk2
+ftv1TDI6QU9bR8/oCy22xBmddMVHxjtqD6wU2zz0c5ypBd8A3HR4+vg1YFkCExh8
+vPtNsCBtQ7tgMHpnM1zFmdH4LTlSc/uMqpclXHLZCB6rTjzjgTGfA6b7wP4piFXa
+hNVQA7bihKOmNqoROgHhGEvWRGizPflTdISzRpFGlgC3gCy24eMQ4tui5yiPAZZi
+Fj4A4xylNoEYokxSdsARo27mHbrjWr42U8U+dY+GaSlYU7Wcu2+fXMUY7N0v4ZjJ
+/L7fCg0=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Microsec e-Szigno Root CA O=Microsec Ltd. OU=e-Szigno CA
+# Subject: CN=Microsec e-Szigno Root CA O=Microsec Ltd. OU=e-Szigno CA
+# Label: "Microsec e-Szigno Root CA"
+# Serial: 272122594155480254301341951808045322001
+# MD5 Fingerprint: f0:96:b6:2f:c5:10:d5:67:8e:83:25:32:e8:5e:2e:e5
+# SHA1 Fingerprint: 23:88:c9:d3:71:cc:9e:96:3d:ff:7d:3c:a7:ce:fc:d6:25:ec:19:0d
+# SHA256 Fingerprint: 32:7a:3d:76:1a:ba:de:a0:34:eb:99:84:06:27:5c:b1:a4:77:6e:fd:ae:2f:df:6d:01:68:ea:1c:4f:55:67:d0
+-----BEGIN CERTIFICATE-----
+MIIHqDCCBpCgAwIBAgIRAMy4579OKRr9otxmpRwsDxEwDQYJKoZIhvcNAQEFBQAw
+cjELMAkGA1UEBhMCSFUxETAPBgNVBAcTCEJ1ZGFwZXN0MRYwFAYDVQQKEw1NaWNy
+b3NlYyBMdGQuMRQwEgYDVQQLEwtlLVN6aWdubyBDQTEiMCAGA1UEAxMZTWljcm9z
+ZWMgZS1Temlnbm8gUm9vdCBDQTAeFw0wNTA0MDYxMjI4NDRaFw0xNzA0MDYxMjI4
+NDRaMHIxCzAJBgNVBAYTAkhVMREwDwYDVQQHEwhCdWRhcGVzdDEWMBQGA1UEChMN
+TWljcm9zZWMgTHRkLjEUMBIGA1UECxMLZS1Temlnbm8gQ0ExIjAgBgNVBAMTGU1p
+Y3Jvc2VjIGUtU3ppZ25vIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDtyADVgXvNOABHzNuEwSFpLHSQDCHZU4ftPkNEU6+r+ICbPHiN1I2u
+uO/TEdyB5s87lozWbxXGd36hL+BfkrYn13aaHUM86tnsL+4582pnS4uCzyL4ZVX+
+LMsvfUh6PXX5qqAnu3jCBspRwn5mS6/NoqdNAoI/gqyFxuEPkEeZlApxcpMqyabA
+vjxWTHOSJ/FrtfX9/DAFYJLG65Z+AZHCabEeHXtTRbjcQR/Ji3HWVBTji1R4P770
+Yjtb9aPs1ZJ04nQw7wHb4dSrmZsqa/i9phyGI0Jf7Enemotb9HI6QMVJPqW+jqpx
+62z69Rrkav17fVVA71hu5tnVvCSrwe+3AgMBAAGjggQ3MIIEMzBnBggrBgEFBQcB
+AQRbMFkwKAYIKwYBBQUHMAGGHGh0dHBzOi8vcmNhLmUtc3ppZ25vLmh1L29jc3Aw
+LQYIKwYBBQUHMAKGIWh0dHA6Ly93d3cuZS1zemlnbm8uaHUvUm9vdENBLmNydDAP
+BgNVHRMBAf8EBTADAQH/MIIBcwYDVR0gBIIBajCCAWYwggFiBgwrBgEEAYGoGAIB
+AQEwggFQMCgGCCsGAQUFBwIBFhxodHRwOi8vd3d3LmUtc3ppZ25vLmh1L1NaU1ov
+MIIBIgYIKwYBBQUHAgIwggEUHoIBEABBACAAdABhAG4A+gBzAO0AdAB2AOEAbgB5
+ACAA6QByAHQAZQBsAG0AZQB6AOkAcwDpAGgAZQB6ACAA6QBzACAAZQBsAGYAbwBn
+AGEAZADhAHMA4QBoAG8AegAgAGEAIABTAHoAbwBsAGcA4QBsAHQAYQB0APMAIABT
+AHoAbwBsAGcA4QBsAHQAYQB0AOEAcwBpACAAUwB6AGEAYgDhAGwAeQB6AGEAdABh
+ACAAcwB6AGUAcgBpAG4AdAAgAGsAZQBsAGwAIABlAGwAagDhAHIAbgBpADoAIABo
+AHQAdABwADoALwAvAHcAdwB3AC4AZQAtAHMAegBpAGcAbgBvAC4AaAB1AC8AUwBa
+AFMAWgAvMIHIBgNVHR8EgcAwgb0wgbqggbeggbSGIWh0dHA6Ly93d3cuZS1zemln
+bm8uaHUvUm9vdENBLmNybIaBjmxkYXA6Ly9sZGFwLmUtc3ppZ25vLmh1L0NOPU1p
+Y3Jvc2VjJTIwZS1Temlnbm8lMjBSb290JTIwQ0EsT1U9ZS1Temlnbm8lMjBDQSxP
+PU1pY3Jvc2VjJTIwTHRkLixMPUJ1ZGFwZXN0LEM9SFU/Y2VydGlmaWNhdGVSZXZv
+Y2F0aW9uTGlzdDtiaW5hcnkwDgYDVR0PAQH/BAQDAgEGMIGWBgNVHREEgY4wgYuB
+EGluZm9AZS1zemlnbm8uaHWkdzB1MSMwIQYDVQQDDBpNaWNyb3NlYyBlLVN6aWdu
+w7MgUm9vdCBDQTEWMBQGA1UECwwNZS1TemlnbsOzIEhTWjEWMBQGA1UEChMNTWlj
+cm9zZWMgS2Z0LjERMA8GA1UEBxMIQnVkYXBlc3QxCzAJBgNVBAYTAkhVMIGsBgNV
+HSMEgaQwgaGAFMegSXUWYYTbMUuE0vE3QJDvTtz3oXakdDByMQswCQYDVQQGEwJI
+VTERMA8GA1UEBxMIQnVkYXBlc3QxFjAUBgNVBAoTDU1pY3Jvc2VjIEx0ZC4xFDAS
+BgNVBAsTC2UtU3ppZ25vIENBMSIwIAYDVQQDExlNaWNyb3NlYyBlLVN6aWdubyBS
+b290IENBghEAzLjnv04pGv2i3GalHCwPETAdBgNVHQ4EFgQUx6BJdRZhhNsxS4TS
+8TdAkO9O3PcwDQYJKoZIhvcNAQEFBQADggEBANMTnGZjWS7KXHAM/IO8VbH0jgds
+ZifOwTsgqRy7RlRw7lrMoHfqaEQn6/Ip3Xep1fvj1KcExJW4C+FEaGAHQzAxQmHl
+7tnlJNUb3+FKG6qfx1/4ehHqE5MAyopYse7tDk2016g2JnzgOsHVV4Lxdbb9iV/a
+86g4nzUGCM4ilb7N1fy+W955a9x6qWVmvrElWl/tftOsRm1M9DKHtCAE4Gx4sHfR
+hUZLphK3dehKyVZs15KrnfVJONJPU+NVkBHbmJbGSfI+9J8b4PeI3CVimUTYc78/
+MPMMNz7UwiiAc7EBt51alhQBS6kRnSlqLtBdgcDPsiBDxwPgN05dCtxZICU=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Certigna O=Dhimyotis
+# Subject: CN=Certigna O=Dhimyotis
+# Label: "Certigna"
+# Serial: 18364802974209362175
+# MD5 Fingerprint: ab:57:a6:5b:7d:42:82:19:b5:d8:58:26:28:5e:fd:ff
+# SHA1 Fingerprint: b1:2e:13:63:45:86:a4:6f:1a:b2:60:68:37:58:2d:c4:ac:fd:94:97
+# SHA256 Fingerprint: e3:b6:a2:db:2e:d7:ce:48:84:2f:7a:c5:32:41:c7:b7:1d:54:14:4b:fb:40:c1:1f:3f:1d:0b:42:f5:ee:a1:2d
+-----BEGIN CERTIFICATE-----
+MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNV
+BAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4X
+DTA3MDYyOTE1MTMwNVoXDTI3MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQ
+BgNVBAoMCURoaW15b3RpczERMA8GA1UEAwwIQ2VydGlnbmEwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDIaPHJ1tazNHUmgh7stL7qXOEm7RFHYeGifBZ4
+QCHkYJ5ayGPhxLGWkv8YbWkj4Sti993iNi+RB7lIzw7sebYs5zRLcAglozyHGxny
+gQcPOJAZ0xH+hrTy0V4eHpbNgGzOOzGTtvKg0KmVEn2lmsxryIRWijOp5yIVUxbw
+zBfsV1/pogqYCd7jX5xv3EjjhQsVWqa6n6xI4wmy9/Qy3l40vhx4XUJbzg4ij02Q
+130yGLMLLGq/jj8UEYkgDncUtT2UCIf3JR7VsmAA7G8qKCVuKj4YYxclPz5EIBb2
+JsglrgVKtOdjLPOMFlN+XPsRGgjBRmKfIrjxwo1p3Po6WAbfAgMBAAGjgbwwgbkw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGu3+QTmQtCRZvgHyUtVF9lo53BEw
+ZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF9lo53BGhOKQ2MDQxCzAJBgNVBAYT
+AkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hggkA/tzj
+AQ/JSP8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG
+9w0BAQUFAAOCAQEAhQMeknH2Qq/ho2Ge6/PAD/Kl1NqV5ta+aDY9fm4fTIrv0Q8h
+bV6lUmPOEvjvKtpv6zf+EwLHyzs+ImvaYS5/1HI93TDhHkxAGYwP15zRgzB7mFnc
+fca5DClMoTOi62c6ZYTTluLtdkVwj7Ur3vkj1kluPBS1xp81HlDQwY9qcEQCYsuu
+HWhBp6pX6FOqB9IG9tUUBguRA3UsbHK1YZWaDYu5Def131TN3ubY1gkIl2PlwS6w
+t0QmwCbAr1UwnjvVNioZBPRcHv/PLLf/0P2HQBHVESO7SMAhqaQoLf0V+LBOK/Qw
+WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=AC Raíz Certicámara S.A. O=Sociedad Cameral de Certificación Digital - Certicámara S.A.
+# Subject: CN=AC Raíz Certicámara S.A. O=Sociedad Cameral de Certificación Digital - Certicámara S.A.
+# Label: "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
+# Serial: 38908203973182606954752843738508300
+# MD5 Fingerprint: 93:2a:3e:f6:fd:23:69:0d:71:20:d4:2b:47:99:2b:a6
+# SHA1 Fingerprint: cb:a1:c5:f8:b0:e3:5e:b8:b9:45:12:d3:f9:34:a2:e9:06:10:d3:36
+# SHA256 Fingerprint: a6:c5:1e:0d:a5:ca:0a:93:09:d2:e4:c0:e4:0c:2a:f9:10:7a:ae:82:03:85:7f:e1:98:e3:e7:69:e3:43:08:5c
+-----BEGIN CERTIFICATE-----
+MIIGZjCCBE6gAwIBAgIPB35Sk3vgFeNX8GmMy+wMMA0GCSqGSIb3DQEBBQUAMHsx
+CzAJBgNVBAYTAkNPMUcwRQYDVQQKDD5Tb2NpZWRhZCBDYW1lcmFsIGRlIENlcnRp
+ZmljYWNpw7NuIERpZ2l0YWwgLSBDZXJ0aWPDoW1hcmEgUy5BLjEjMCEGA1UEAwwa
+QUMgUmHDrXogQ2VydGljw6FtYXJhIFMuQS4wHhcNMDYxMTI3MjA0NjI5WhcNMzAw
+NDAyMjE0MjAyWjB7MQswCQYDVQQGEwJDTzFHMEUGA1UECgw+U29jaWVkYWQgQ2Ft
+ZXJhbCBkZSBDZXJ0aWZpY2FjacOzbiBEaWdpdGFsIC0gQ2VydGljw6FtYXJhIFMu
+QS4xIzAhBgNVBAMMGkFDIFJhw616IENlcnRpY8OhbWFyYSBTLkEuMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq2uJo1PMSCMI+8PPUZYILrgIem08kBeG
+qentLhM0R7LQcNzJPNCNyu5LF6vQhbCnIwTLqKL85XXbQMpiiY9QngE9JlsYhBzL
+fDe3fezTf3MZsGqy2IiKLUV0qPezuMDU2s0iiXRNWhU5cxh0T7XrmafBHoi0wpOQ
+Y5fzp6cSsgkiBzPZkc0OnB8OIMfuuzONj8LSWKdf/WU34ojC2I+GdV75LaeHM/J4
+Ny+LvB2GNzmxlPLYvEqcgxhaBvzz1NS6jBUJJfD5to0EfhcSM2tXSExP2yYe68yQ
+54v5aHxwD6Mq0Do43zeX4lvegGHTgNiRg0JaTASJaBE8rF9ogEHMYELODVoqDA+b
+MMCm8Ibbq0nXl21Ii/kDwFJnmxL3wvIumGVC2daa49AZMQyth9VXAnow6IYm+48j
+ilSH5L887uvDdUhfHjlvgWJsxS3EF1QZtzeNnDeRyPYL1epjb4OsOMLzP96a++Ej
+YfDIJss2yKHzMI+ko6Kh3VOz3vCaMh+DkXkwwakfU5tTohVTP92dsxA7SH2JD/zt
+A/X7JWR1DhcZDY8AFmd5ekD8LVkH2ZD6mq093ICK5lw1omdMEWux+IBkAC1vImHF
+rEsm5VoQgpukg3s0956JkSCXjrdCx2bD0Omk1vUgjcTDlaxECp1bczwmPS9KvqfJ
+pxAe+59QafMCAwEAAaOB5jCB4zAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
+AwIBBjAdBgNVHQ4EFgQU0QnQ6dfOeXRU+Tows/RtLAMDG2gwgaAGA1UdIASBmDCB
+lTCBkgYEVR0gADCBiTArBggrBgEFBQcCARYfaHR0cDovL3d3dy5jZXJ0aWNhbWFy
+YS5jb20vZHBjLzBaBggrBgEFBQcCAjBOGkxMaW1pdGFjaW9uZXMgZGUgZ2FyYW50
+7WFzIGRlIGVzdGUgY2VydGlmaWNhZG8gc2UgcHVlZGVuIGVuY29udHJhciBlbiBs
+YSBEUEMuMA0GCSqGSIb3DQEBBQUAA4ICAQBclLW4RZFNjmEfAygPU3zmpFmps4p6
+xbD/CHwso3EcIRNnoZUSQDWDg4902zNc8El2CoFS3UnUmjIz75uny3XlesuXEpBc
+unvFm9+7OSPI/5jOCk0iAUgHforA1SBClETvv3eiiWdIG0ADBaGJ7M9i4z0ldma/
+Jre7Ir5v/zlXdLp6yQGVwZVR6Kss+LGGIOk/yzVb0hfpKv6DExdA7ohiZVvVO2Dp
+ezy4ydV/NgIlqmjCMRW3MGXrfx1IebHPOeJCgBbT9ZMj/EyXyVo3bHwi2ErN0o42
+gzmRkBDI8ck1fj+404HGIGQatlDCIaR43NAvO2STdPCWkPHv+wlaNECW8DYSwaN0
+jJN+Qd53i+yG2dIPPy3RzECiiWZIHiCznCNZc6lEc7wkeZBWN7PGKX6jD/EpOe9+
+XCgycDWs2rjIdWb8m0w5R44bb5tNAlQiM+9hup4phO9OSzNHdpdqy35f/RWmnkJD
+W2ZaiogN9xa5P1FlK2Zqi9E4UqLWRhH6/JocdJ6PlwsCT2TG9WjTSy3/pDceiz+/
+RL5hRqGEPQgnTIEgd4kI6mdAXmwIUV80WoyWaM3X94nCHNMyAK9Sy9NgWyo6R35r
+MDOhYil/SrnhLecUIw4OGEfhefwVVdCx/CVxY3UzHCMrr1zZ7Ud3YA47Dx7SwNxk
+BYn8eNZcLCZDqQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=TC TrustCenter Class 2 CA II O=TC TrustCenter GmbH OU=TC TrustCenter Class 2 CA
+# Subject: CN=TC TrustCenter Class 2 CA II O=TC TrustCenter GmbH OU=TC TrustCenter Class 2 CA
+# Label: "TC TrustCenter Class 2 CA II"
+# Serial: 941389028203453866782103406992443
+# MD5 Fingerprint: ce:78:33:5c:59:78:01:6e:18:ea:b9:36:a0:b9:2e:23
+# SHA1 Fingerprint: ae:50:83:ed:7c:f4:5c:bc:8f:61:c6:21:fe:68:5d:79:42:21:15:6e
+# SHA256 Fingerprint: e6:b8:f8:76:64:85:f8:07:ae:7f:8d:ac:16:70:46:1f:07:c0:a1:3e:ef:3a:1f:f7:17:53:8d:7a:ba:d3:91:b4
+-----BEGIN CERTIFICATE-----
+MIIEqjCCA5KgAwIBAgIOLmoAAQACH9dSISwRXDswDQYJKoZIhvcNAQEFBQAwdjEL
+MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxIjAgBgNV
+BAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDIgQ0ExJTAjBgNVBAMTHFRDIFRydXN0
+Q2VudGVyIENsYXNzIDIgQ0EgSUkwHhcNMDYwMTEyMTQzODQzWhcNMjUxMjMxMjI1
+OTU5WjB2MQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21i
+SDEiMCAGA1UECxMZVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMiBDQTElMCMGA1UEAxMc
+VEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMiBDQSBJSTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKuAh5uO8MN8h9foJIIRszzdQ2Lu+MNF2ujhoF/RKrLqk2jf
+tMjWQ+nEdVl//OEd+DFwIxuInie5e/060smp6RQvkL4DUsFJzfb95AhmC1eKokKg
+uNV/aVyQMrKXDcpK3EY+AlWJU+MaWss2xgdW94zPEfRMuzBwBJWl9jmM/XOBCH2J
+XjIeIqkiRUuwZi4wzJ9l/fzLganx4Duvo4bRierERXlQXa7pIXSSTYtZgo+U4+lK
+8edJsBTj9WLL1XK9H7nSn6DNqPoByNkN39r8R52zyFTfSUrxIan+GE7uSNQZu+99
+5OKdy1u2bv/jzVrndIIFuoAlOMvkaZ6vQaoahPUCAwEAAaOCATQwggEwMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTjq1RMgKHbVkO3
+kUrL84J6E1wIqzCB7QYDVR0fBIHlMIHiMIHfoIHcoIHZhjVodHRwOi8vd3d3LnRy
+dXN0Y2VudGVyLmRlL2NybC92Mi90Y19jbGFzc18yX2NhX0lJLmNybIaBn2xkYXA6
+Ly93d3cudHJ1c3RjZW50ZXIuZGUvQ049VEMlMjBUcnVzdENlbnRlciUyMENsYXNz
+JTIwMiUyMENBJTIwSUksTz1UQyUyMFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290
+Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/Y2VydGlmaWNhdGVSZXZvY2F0aW9u
+TGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEAjNfffu4bgBCzg/XbEeprS6iS
+GNn3Bzn1LL4GdXpoUxUc6krtXvwjshOg0wn/9vYua0Fxec3ibf2uWWuFHbhOIprt
+ZjluS5TmVfwLG4t3wVMTZonZKNaL80VKY7f9ewthXbhtvsPcW3nS7Yblok2+XnR8
+au0WOB9/WIFaGusyiC2y8zl3gK9etmF1KdsjTYjKUCjLhdLTEKJZbtOTVAB6okaV
+hgWcqRmY5TFyDADiZ9lA4CQze28suVyrZZ0srHbqNZn1l7kPJOzHdiEoZa5X6AeI
+dUpWoNIFOqTmjZKILPPy4cHGYdtBxceb9w4aUUXCYWvcZCcXjFq32nQozZfkvQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=TC TrustCenter Class 3 CA II O=TC TrustCenter GmbH OU=TC TrustCenter Class 3 CA
+# Subject: CN=TC TrustCenter Class 3 CA II O=TC TrustCenter GmbH OU=TC TrustCenter Class 3 CA
+# Label: "TC TrustCenter Class 3 CA II"
+# Serial: 1506523511417715638772220530020799
+# MD5 Fingerprint: 56:5f:aa:80:61:12:17:f6:67:21:e6:2b:6d:61:56:8e
+# SHA1 Fingerprint: 80:25:ef:f4:6e:70:c8:d4:72:24:65:84:fe:40:3b:8a:8d:6a:db:f5
+# SHA256 Fingerprint: 8d:a0:84:fc:f9:9c:e0:77:22:f8:9b:32:05:93:98:06:fa:5c:b8:11:e1:c8:13:f6:a1:08:c7:d3:36:b3:40:8e
+-----BEGIN CERTIFICATE-----
+MIIEqjCCA5KgAwIBAgIOSkcAAQAC5aBd1j8AUb8wDQYJKoZIhvcNAQEFBQAwdjEL
+MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxIjAgBgNV
+BAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExJTAjBgNVBAMTHFRDIFRydXN0
+Q2VudGVyIENsYXNzIDMgQ0EgSUkwHhcNMDYwMTEyMTQ0MTU3WhcNMjUxMjMxMjI1
+OTU5WjB2MQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21i
+SDEiMCAGA1UECxMZVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMyBDQTElMCMGA1UEAxMc
+VEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMyBDQSBJSTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALTgu1G7OVyLBMVMeRwjhjEQY0NVJz/GRcekPewJDRoeIMJW
+Ht4bNwcwIi9v8Qbxq63WyKthoy9DxLCyLfzDlml7forkzMA5EpBCYMnMNWju2l+Q
+Vl/NHE1bWEnrDgFPZPosPIlY2C8u4rBo6SI7dYnWRBpl8huXJh0obazovVkdKyT2
+1oQDZogkAHhg8fir/gKya/si+zXmFtGt9i4S5Po1auUZuV3bOx4a+9P/FRQI2Alq
+ukWdFHlgfa9Aigdzs5OW03Q0jTo3Kd5c7PXuLjHCINy+8U9/I1LZW+Jk2ZyqBwi1
+Rb3R0DHBq1SfqdLDYmAD8bs5SpJKPQq5ncWg/jcCAwEAAaOCATQwggEwMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTUovyfs8PYA9NX
+XAek0CSnwPIA1DCB7QYDVR0fBIHlMIHiMIHfoIHcoIHZhjVodHRwOi8vd3d3LnRy
+dXN0Y2VudGVyLmRlL2NybC92Mi90Y19jbGFzc18zX2NhX0lJLmNybIaBn2xkYXA6
+Ly93d3cudHJ1c3RjZW50ZXIuZGUvQ049VEMlMjBUcnVzdENlbnRlciUyMENsYXNz
+JTIwMyUyMENBJTIwSUksTz1UQyUyMFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290
+Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/Y2VydGlmaWNhdGVSZXZvY2F0aW9u
+TGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEANmDkcPcGIEPZIxpC8vijsrlN
+irTzwppVMXzEO2eatN9NDoqTSheLG43KieHPOh6sHfGcMrSOWXaiQYUlN6AT0PV8
+TtXqluJucsG7Kv5sbviRmEb8yRtXW+rIGjs/sFGYPAfaLFkB2otE6OF0/ado3VS6
+g0bsyEa1+K+XwDsJHI/OcpY9M1ZwvJbL2NV9IJqDnxrcOfHFcqMRA/07QlIp2+gB
+95tejNaNhk4Z+rwcvsUhpYeeeC422wlxo3I0+GzjBgnyXlal092Y+tTmBvTwtiBj
+S+opvaqCZh77gaqnN60TGOaSw4HBM7uIHqHn4rS9MWwOUT1v+5ZWgOI2F9Hc5A==
+-----END CERTIFICATE-----
+
+# Issuer: CN=TC TrustCenter Universal CA I O=TC TrustCenter GmbH OU=TC TrustCenter Universal CA
+# Subject: CN=TC TrustCenter Universal CA I O=TC TrustCenter GmbH OU=TC TrustCenter Universal CA
+# Label: "TC TrustCenter Universal CA I"
+# Serial: 601024842042189035295619584734726
+# MD5 Fingerprint: 45:e1:a5:72:c5:a9:36:64:40:9e:f5:e4:58:84:67:8c
+# SHA1 Fingerprint: 6b:2f:34:ad:89:58:be:62:fd:b0:6b:5c:ce:bb:9d:d9:4f:4e:39:f3
+# SHA256 Fingerprint: eb:f3:c0:2a:87:89:b1:fb:7d:51:19:95:d6:63:b7:29:06:d9:13:ce:0d:5e:10:56:8a:8a:77:e2:58:61:67:e7
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIOHaIAAQAC7LdggHiNtgYwDQYJKoZIhvcNAQEFBQAweTEL
+MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJDAiBgNV
+BAsTG1RDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQTEmMCQGA1UEAxMdVEMgVHJ1
+c3RDZW50ZXIgVW5pdmVyc2FsIENBIEkwHhcNMDYwMzIyMTU1NDI4WhcNMjUxMjMx
+MjI1OTU5WjB5MQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIg
+R21iSDEkMCIGA1UECxMbVEMgVHJ1c3RDZW50ZXIgVW5pdmVyc2FsIENBMSYwJAYD
+VQQDEx1UQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0EgSTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKR3I5ZEr5D0MacQ9CaHnPM42Q9e3s9B6DGtxnSR
+JJZ4Hgmgm5qVSkr1YnwCqMqs+1oEdjneX/H5s7/zA1hV0qq34wQi0fiU2iIIAI3T
+fCZdzHd55yx4Oagmcw6iXSVphU9VDprvxrlE4Vc93x9UIuVvZaozhDrzznq+VZeu
+jRIPFDPiUHDDSYcTvFHe15gSWu86gzOSBnWLknwSaHtwag+1m7Z3W0hZneTvWq3z
+wZ7U10VOylY0Ibw+F1tvdwxIAUMpsN0/lm7mlaoMwCC2/T42J5zjXM9OgdwZu5GQ
+fezmlwQek8wiSdeXhrYTCjxDI3d+8NzmzSQfO4ObNDqDNOMCAwEAAaNjMGEwHwYD
+VR0jBBgwFoAUkqR1LKSevoFE63n8isWVpesQdXMwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFJKkdSyknr6BROt5/IrFlaXrEHVzMA0G
+CSqGSIb3DQEBBQUAA4IBAQAo0uCG1eb4e/CX3CJrO5UUVg8RMKWaTzqwOuAGy2X1
+7caXJ/4l8lfmXpWMPmRgFVp/Lw0BxbFg/UU1z/CyvwbZ71q+s2IhtNerNXxTPqYn
+8aEt2hojnczd7Dwtnic0XQ/CNnm8yUpiLe1r2X1BQ3y2qsrtYbE3ghUJGooWMNjs
+ydZHcnhLEEYUjl8Or+zHL6sQ17bxbuyGssLoDZJz3KL0Dzq/YSMQiZxIQG5wALPT
+ujdEWBF6AmqI8Dc08BnprNRlc/ZpjGSUOnmFKbAWKwyCPwacx/0QK54PLLae4xW/
+2TYcuiUaUj0a7CIMHOCkoj3w6DnPgcB77V0fb8XQC9eY
+-----END CERTIFICATE-----
+
+# Issuer: CN=Deutsche Telekom Root CA 2 O=Deutsche Telekom AG OU=T-TeleSec Trust Center
+# Subject: CN=Deutsche Telekom Root CA 2 O=Deutsche Telekom AG OU=T-TeleSec Trust Center
+# Label: "Deutsche Telekom Root CA 2"
+# Serial: 38
+# MD5 Fingerprint: 74:01:4a:91:b1:08:c4:58:ce:47:cd:f0:dd:11:53:08
+# SHA1 Fingerprint: 85:a4:08:c0:9c:19:3e:5d:51:58:7d:cd:d6:13:30:fd:8c:de:37:bf
+# SHA256 Fingerprint: b6:19:1a:50:d0:c3:97:7f:7d:a9:9b:cd:aa:c8:6a:22:7d:ae:b9:67:9e:c7:0b:a3:b0:c9:d9:22:71:c1:70:d3
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEc
+MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2Vj
+IFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENB
+IDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5MjM1OTAwWjBxMQswCQYDVQQGEwJE
+RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxl
+U2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290
+IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEU
+ha88EOQ5bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhC
+QN/Po7qCWWqSG6wcmtoIKyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1Mjwr
+rFDa1sPeg5TKqAyZMg4ISFZbavva4VhYAUlfckE8FQYBjl2tqriTtM2e66foai1S
+NNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aKSe5TBY8ZTNXeWHmb0moc
+QqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTVjlsB9WoH
+txa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAP
+BgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC
+AQEAlGRZrTlk5ynrE/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756Abrsp
+tJh6sTtU6zkXR34ajgv8HzFZMQSyzhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpa
+IzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8rZ7/gFnkm0W09juwzTkZmDLl
+6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4Gdyd1Lx+4ivn+
+xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU
+Cm26OWMohpLzGITY+9HPBVZkVw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=ComSign Secured CA O=ComSign
+# Subject: CN=ComSign Secured CA O=ComSign
+# Label: "ComSign Secured CA"
+# Serial: 264725503855295744117309814499492384489
+# MD5 Fingerprint: 40:01:25:06:8d:21:43:6a:0e:43:00:9c:e7:43:f3:d5
+# SHA1 Fingerprint: f9:cd:0e:2c:da:76:24:c1:8f:bd:f0:f0:ab:b6:45:b8:f7:fe:d5:7a
+# SHA256 Fingerprint: 50:79:41:c7:44:60:a0:b4:70:86:22:0d:4e:99:32:57:2a:b5:d1:b5:bb:cb:89:80:ab:1c:b1:76:51:a8:44:d2
+-----BEGIN CERTIFICATE-----
+MIIDqzCCApOgAwIBAgIRAMcoRwmzuGxFjB36JPU2TukwDQYJKoZIhvcNAQEFBQAw
+PDEbMBkGA1UEAxMSQ29tU2lnbiBTZWN1cmVkIENBMRAwDgYDVQQKEwdDb21TaWdu
+MQswCQYDVQQGEwJJTDAeFw0wNDAzMjQxMTM3MjBaFw0yOTAzMTYxNTA0NTZaMDwx
+GzAZBgNVBAMTEkNvbVNpZ24gU2VjdXJlZCBDQTEQMA4GA1UEChMHQ29tU2lnbjEL
+MAkGA1UEBhMCSUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGtWhf
+HZQVw6QIVS3joFd67+l0Kru5fFdJGhFeTymHDEjWaueP1H5XJLkGieQcPOqs49oh
+gHMhCu95mGwfCP+hUH3ymBvJVG8+pSjsIQQPRbsHPaHA+iqYHU4Gk/v1iDurX8sW
+v+bznkqH7Rnqwp9D5PGBpX8QTz7RSmKtUxvLg/8HZaWSLWapW7ha9B20IZFKF3ue
+Mv5WJDmyVIRD9YTC2LxBkMyd1mja6YJQqTtoz7VdApRgFrFD2UNd3V2Hbuq7s8lr
+9gOUCXDeFhF6K+h2j0kQmHe5Y1yLM5d19guMsqtb3nQgJT/j8xH5h2iGNXHDHYwt
+6+UarA9z1YJZQIDTAgMBAAGjgacwgaQwDAYDVR0TBAUwAwEB/zBEBgNVHR8EPTA7
+MDmgN6A1hjNodHRwOi8vZmVkaXIuY29tc2lnbi5jby5pbC9jcmwvQ29tU2lnblNl
+Y3VyZWRDQS5jcmwwDgYDVR0PAQH/BAQDAgGGMB8GA1UdIwQYMBaAFMFL7XC29z58
+ADsAj8c+DkWfHl3sMB0GA1UdDgQWBBTBS+1wtvc+fAA7AI/HPg5Fnx5d7DANBgkq
+hkiG9w0BAQUFAAOCAQEAFs/ukhNQq3sUnjO2QiBq1BW9Cav8cujvR3qQrFHBZE7p
+iL1DRYHjZiM/EoZNGeQFsOY3wo3aBijJD4mkU6l1P7CW+6tMM1X5eCZGbxs2mPtC
+dsGCuY7e+0X5YxtiOzkGynd6qDwJz2w2PQ8KRUtpFhpFfTMDZflScZAmlaxMDPWL
+kz/MdXSFmLr/YnpNH4n+rr2UAJm/EaXc4HnFFgt9AmEd6oX5AhVP51qJThRv4zdL
+hfXBPGHg/QVBspJ/wx2g0K5SZGBrGMYmnNj1ZOQ2GmKfig8+/21OGVZOIJFsnzQz
+OjRXUDpvgV4GxvU+fE6OK85lBi5d0ipTdF7Tbieejw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Cybertrust Global Root O=Cybertrust, Inc
+# Subject: CN=Cybertrust Global Root O=Cybertrust, Inc
+# Label: "Cybertrust Global Root"
+# Serial: 4835703278459682877484360
+# MD5 Fingerprint: 72:e4:4a:87:e3:69:40:80:77:ea:bc:e3:f4:ff:f0:e1
+# SHA1 Fingerprint: 5f:43:e5:b1:bf:f8:78:8c:ac:1c:c7:ca:4a:9a:c6:22:2b:cc:34:c6
+# SHA256 Fingerprint: 96:0a:df:00:63:e9:63:56:75:0c:29:65:dd:0a:08:67:da:0b:9c:bd:6e:77:71:4a:ea:fb:23:49:ab:39:3d:a3
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG
+A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh
+bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE
+ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS
+b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5
+7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS
+J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y
+HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP
+t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz
+FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY
+XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/
+MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw
+hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js
+MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA
+A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj
+Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx
+XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o
+omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc
+A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW
+WL1WMRJOEcgh4LMRkWXbtKaIOM5V
+-----END CERTIFICATE-----
+
+# Issuer: O=Chunghwa Telecom Co., Ltd. OU=ePKI Root Certification Authority
+# Subject: O=Chunghwa Telecom Co., Ltd. OU=ePKI Root Certification Authority
+# Label: "ePKI Root Certification Authority"
+# Serial: 28956088682735189655030529057352760477
+# MD5 Fingerprint: 1b:2e:00:ca:26:06:90:3d:ad:fe:6f:15:68:d3:6b:b3
+# SHA1 Fingerprint: 67:65:0d:f1:7e:8e:7e:5b:82:40:a4:f4:56:4b:cf:e2:3d:69:c6:f0
+# SHA256 Fingerprint: c0:a6:f4:dc:63:a2:4b:fd:cf:54:ef:2a:6a:08:2a:0a:72:de:35:80:3e:2f:f5:ff:52:7a:e5:d8:72:06:df:d5
+-----BEGIN CERTIFICATE-----
+MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBe
+MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
+ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
+Fw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMxMjdaMF4xCzAJBgNVBAYTAlRXMSMw
+IQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEqMCgGA1UECwwhZVBL
+SSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAH
+SyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAh
+ijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3X
+DZoTM1PRYfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1
+TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SXDrkb5wdJ
+fzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0OWQqraffA
+sgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uU
+WH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLS
+nT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pH
+dmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJip
+NiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3pyKdVDEC
+AwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/QkqiMAwGA1UdEwQF
+MAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH
+ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGB
+uvl2ICO1J2B01GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6Yl
+PwZpVnPDimZI+ymBV3QGypzqKOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkP
+JXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdVxrsStZf0X4OFunHB2WyBEXYKCrC/
+gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEPNXubrjlpC2JgQCA2
+j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+rGNm6
+5ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUB
+o2M3IUxExJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS
+/jQ6fbjpKdx2qcgw+BRxgMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2z
+Gp1iro2C6pSe3VkQw63d4k3jMdXH7OjysP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTE
+W9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+D
+hNQ+IIX3Sj0rnP0qCglN6oH4EZw=
+-----END CERTIFICATE-----
+
+# Issuer: CN=TÜBÄ°TAK UEKAE Kök Sertifika Hizmet SaÄŸlayıcısı - Sürüm 3 O=Türkiye Bilimsel ve Teknolojik AraÅŸtırma Kurumu - TÜBÄ°TAK OU=Ulusal Elektronik ve Kriptoloji AraÅŸtırma Enstitüsü - UEKAE/Kamu Sertifikasyon Merkezi
+# Subject: CN=TÜBÄ°TAK UEKAE Kök Sertifika Hizmet SaÄŸlayıcısı - Sürüm 3 O=Türkiye Bilimsel ve Teknolojik AraÅŸtırma Kurumu - TÜBÄ°TAK OU=Ulusal Elektronik ve Kriptoloji AraÅŸtırma Enstitüsü - UEKAE/Kamu Sertifikasyon Merkezi
+# Label: "T\xc3\x9c\x42\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1 - S\xC3\xBCr\xC3\xBCm 3"
+# Serial: 17
+# MD5 Fingerprint: ed:41:f5:8c:50:c5:2b:9c:73:e6:ee:6c:eb:c2:a8:26
+# SHA1 Fingerprint: 1b:4b:39:61:26:27:6b:64:91:a2:68:6d:d7:02:43:21:2d:1f:1d:96
+# SHA256 Fingerprint: e4:c7:34:30:d7:a5:b5:09:25:df:43:37:0a:0d:21:6e:9a:79:b9:d6:db:83:73:a0:c6:9e:b1:cc:31:c7:c5:2a
+-----BEGIN CERTIFICATE-----
+MIIFFzCCA/+gAwIBAgIBETANBgkqhkiG9w0BAQUFADCCASsxCzAJBgNVBAYTAlRS
+MRgwFgYDVQQHDA9HZWJ6ZSAtIEtvY2FlbGkxRzBFBgNVBAoMPlTDvHJraXllIEJp
+bGltc2VsIHZlIFRla25vbG9qaWsgQXJhxZ90xLFybWEgS3VydW11IC0gVMOcQsSw
+VEFLMUgwRgYDVQQLDD9VbHVzYWwgRWxla3Ryb25payB2ZSBLcmlwdG9sb2ppIEFy
+YcWfdMSxcm1hIEVuc3RpdMO8c8O8IC0gVUVLQUUxIzAhBgNVBAsMGkthbXUgU2Vy
+dGlmaWthc3lvbiBNZXJrZXppMUowSAYDVQQDDEFUw5xCxLBUQUsgVUVLQUUgS8O2
+ayBTZXJ0aWZpa2EgSGl6bWV0IFNhxJ9sYXnEsWPEsXPEsSAtIFPDvHLDvG0gMzAe
+Fw0wNzA4MjQxMTM3MDdaFw0xNzA4MjExMTM3MDdaMIIBKzELMAkGA1UEBhMCVFIx
+GDAWBgNVBAcMD0dlYnplIC0gS29jYWVsaTFHMEUGA1UECgw+VMO8cmtpeWUgQmls
+aW1zZWwgdmUgVGVrbm9sb2ppayBBcmHFn3TEsXJtYSBLdXJ1bXUgLSBUw5xCxLBU
+QUsxSDBGBgNVBAsMP1VsdXNhbCBFbGVrdHJvbmlrIHZlIEtyaXB0b2xvamkgQXJh
+xZ90xLFybWEgRW5zdGl0w7xzw7wgLSBVRUtBRTEjMCEGA1UECwwaS2FtdSBTZXJ0
+aWZpa2FzeW9uIE1lcmtlemkxSjBIBgNVBAMMQVTDnELEsFRBSyBVRUtBRSBLw7Zr
+IFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIC0gU8O8csO8bSAzMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAim1L/xCIOsP2fpTo6iBkcK4h
+gb46ezzb8R1Sf1n68yJMlaCQvEhOEav7t7WNeoMojCZG2E6VQIdhn8WebYGHV2yK
+O7Rm6sxA/OOqbLLLAdsyv9Lrhc+hDVXDWzhXcLh1xnnRFDDtG1hba+818qEhTsXO
+fJlfbLm4IpNQp81McGq+agV/E5wrHur+R84EpW+sky58K5+eeROR6Oqeyjh1jmKw
+lZMq5d/pXpduIF9fhHpEORlAHLpVK/swsoHvhOPc7Jg4OQOFCKlUAwUp8MmPi+oL
+hmUZEdPpCSPeaJMDyTYcIW7OjGbxmTDY17PDHfiBLqi9ggtm/oLL4eAagsNAgQID
+AQABo0IwQDAdBgNVHQ4EFgQUvYiHyY/2pAoLquvF/pEjnatKijIwDgYDVR0PAQH/
+BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAB18+kmP
+NOm3JpIWmgV050vQbTlswyb2zrgxvMTfvCr4N5EY3ATIZJkrGG2AA1nJrvhY0D7t
+wyOfaTyGOBye79oneNGEN3GKPEs5z35FBtYt2IpNeBLWrcLTy9LQQfMmNkqblWwM
+7uXRQydmwYj3erMgbOqwaSvHIOgMA8RBBZniP+Rr+KCGgceExh/VS4ESshYhLBOh
+gLJeDEoTniDYYkCrkOpkSi+sDQESeUWoL4cZaMjihccwsnX5OD+ywJO0a+IDRM5n
+oN+J1q2MdqMTw5RhK2vZbMEHCiIHhWyFJEapvj+LeISCfiQMnf2BN+MlqO02TpUs
+yZyQ2uypQjyttgI=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Buypass Class 2 CA 1 O=Buypass AS-983163327
+# Subject: CN=Buypass Class 2 CA 1 O=Buypass AS-983163327
+# Label: "Buypass Class 2 CA 1"
+# Serial: 1
+# MD5 Fingerprint: b8:08:9a:f0:03:cc:1b:0d:c8:6c:0b:76:a1:75:64:23
+# SHA1 Fingerprint: a0:a1:ab:90:c9:fc:84:7b:3b:12:61:e8:97:7d:5f:d3:22:61:d3:cc
+# SHA256 Fingerprint: 0f:4e:9c:dd:26:4b:02:55:50:d1:70:80:63:40:21:4f:e9:44:34:c9:b0:2f:69:7e:c7:10:fc:5f:ea:fb:5e:38
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAjugAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
+MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
+Q2xhc3MgMiBDQSAxMB4XDTA2MTAxMzEwMjUwOVoXDTE2MTAxMzEwMjUwOVowSzEL
+MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
+VQQDDBRCdXlwYXNzIENsYXNzIDIgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAIs8B0XY9t/mx8q6jUPFR42wWsE425KEHK8T1A9vNkYgxC7McXA0
+ojTTNy7Y3Tp3L8DrKehc0rWpkTSHIln+zNvnma+WwajHQN2lFYxuyHyXA8vmIPLX
+l18xoS830r7uvqmtqEyeIWZDO6i88wmjONVZJMHCR3axiFyCO7srpgTXjAePzdVB
+HfCuuCkslFJgNJQ72uA40Z0zPhX0kzLFANq1KWYOOngPIVJfAuWSeyXTkh4vFZ2B
+5J2O6O+JzhRMVB0cgRJNcKi+EAUXfh/RuFdV7c27UsKwHnjCTTZoy1YmwVLBvXb3
+WNVyfh9EdrsAiR0WnVE1703CVu9r4Iw7DekCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUP42aWYv8e3uco684sDntkHGA1sgwDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQAVGn4TirnoB6NLJzKyQJHyIdFkhb5jatLP
+gcIV1Xp+DCmsNx4cfHZSldq1fyOhKXdlyTKdqC5Wq2B2zha0jX94wNWZUYN/Xtm+
+DKhQ7SLHrQVMdvvt7h5HZPb3J31cKA9FxVxiXqaakZG3Uxcu3K1gnZZkOb1naLKu
+BctN518fV4bVIJwo+28TOPX2EZL2fZleHwzoq0QkKXJAPTZSr4xYkHPB7GEseaHs
+h7U/2k3ZIQAw3pDaDtMaSKk+hQsUi4y8QZ5q9w5wwDX3OaJdZtB7WZ+oRxKaJyOk
+LY4ng5IgodcVf/EuGO70SH8vf/GhGLWhC5SgYiAynB321O+/TIho
+-----END CERTIFICATE-----
+
+# Issuer: CN=Buypass Class 3 CA 1 O=Buypass AS-983163327
+# Subject: CN=Buypass Class 3 CA 1 O=Buypass AS-983163327
+# Label: "Buypass Class 3 CA 1"
+# Serial: 2
+# MD5 Fingerprint: df:3c:73:59:81:e7:39:50:81:04:4c:34:a2:cb:b3:7b
+# SHA1 Fingerprint: 61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71
+# SHA256 Fingerprint: b7:b1:2b:17:1f:82:1d:aa:99:0c:d0:fe:50:87:b1:28:44:8b:a8:e5:18:4f:84:c5:1e:02:b5:c8:fb:96:2b:24
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAjugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
+MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
+Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE1MDUwOTE0MTMwM1owSzEL
+MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
+VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
+isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
+NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
++MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
+hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
+mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
+AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQABZ6OMySU9E2NdFm/soT4JXJEVKirZgCFP
+Bdy7pYmrEzMqnji3jG8CcmPHc3ceCQa6Oyh7pEfJYWsICCD8igWKH7y6xsL+z27s
+EzNxZy5p+qksP2bAEllNC1QCkoS72xLvg3BweMhT+t/Gxv/ciC8HwEmdMldg0/L2
+mSlf56oBzKwzqBwKu5HEA6BvtjT5htOzdlSY9EqBs1OdTUDs5XcTRa9bqh/YL0yC
+e/4qxFi7T/ye/QNlGioOw6UgFpRreaaiErS7GqQjel/wroQk5PMr+4okoyeYZdow
+dXb8GZHo2+ubPzK/QJcHJrrM85SFSnonk8+QQtS4Wxam58tAA915
+-----END CERTIFICATE-----
+
+# Issuer: CN=EBG Elektronik Sertifika Hizmet Sağlayıcısı O=EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
+# Subject: CN=EBG Elektronik Sertifika Hizmet Sağlayıcısı O=EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
+# Label: "EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1"
+# Serial: 5525761995591021570
+# MD5 Fingerprint: 2c:20:26:9d:cb:1a:4a:00:85:b5:b7:5a:ae:c2:01:37
+# SHA1 Fingerprint: 8c:96:ba:eb:dd:2b:07:07:48:ee:30:32:66:a0:f3:98:6e:7c:ae:58
+# SHA256 Fingerprint: 35:ae:5b:dd:d8:f7:ae:63:5c:ff:ba:56:82:a8:f0:0b:95:f4:84:62:c7:10:8e:e9:a0:e5:29:2b:07:4a:af:b2
+-----BEGIN CERTIFICATE-----
+MIIF5zCCA8+gAwIBAgIITK9zQhyOdAIwDQYJKoZIhvcNAQEFBQAwgYAxODA2BgNV
+BAMML0VCRyBFbGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sx
+c8SxMTcwNQYDVQQKDC5FQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXpt
+ZXRsZXJpIEEuxZ4uMQswCQYDVQQGEwJUUjAeFw0wNjA4MTcwMDIxMDlaFw0xNjA4
+MTQwMDMxMDlaMIGAMTgwNgYDVQQDDC9FQkcgRWxla3Ryb25payBTZXJ0aWZpa2Eg
+SGl6bWV0IFNhxJ9sYXnEsWPEsXPEsTE3MDUGA1UECgwuRUJHIEJpbGnFn2ltIFRl
+a25vbG9qaWxlcmkgdmUgSGl6bWV0bGVyaSBBLsWeLjELMAkGA1UEBhMCVFIwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDuoIRh0DpqZhAy2DE4f6en5f2h
+4fuXd7hxlugTlkaDT7byX3JWbhNgpQGR4lvFzVcfd2NR/y8927k/qqk153nQ9dAk
+tiHq6yOU/im/+4mRDGSaBUorzAzu8T2bgmmkTPiab+ci2hC6X5L8GCcKqKpE+i4s
+tPtGmggDg3KriORqcsnlZR9uKg+ds+g75AxuetpX/dfreYteIAbTdgtsApWjluTL
+dlHRKJ2hGvxEok3MenaoDT2/F08iiFD9rrbskFBKW5+VQarKD7JK/oCZTqNGFav4
+c0JqwmZ2sQomFd2TkuzbqV9UIlKRcF0T6kjsbgNs2d1s/OsNA/+mgxKb8amTD8Um
+TDGyY5lhcucqZJnSuOl14nypqZoaqsNW2xCaPINStnuWt6yHd6i58mcLlEOzrz5z
++kI2sSXFCjEmN1ZnuqMLfdb3ic1nobc6HmZP9qBVFCVMLDMNpkGMvQQxahByCp0O
+Lna9XvNRiYuoP1Vzv9s6xiQFlpJIqkuNKgPlV5EQ9GooFW5Hd4RcUXSfGenmHmMW
+OeMRFeNYGkS9y8RsZteEBt8w9DeiQyJ50hBs37vmExH8nYQKE3vwO9D8owrXieqW
+fo1IhR5kX9tUoqzVegJ5a9KK8GfaZXINFHDk6Y54jzJ0fFfy1tb0Nokb+Clsi7n2
+l9GkLqq+CxnCRelwXQIDAJ3Zo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
+/wQEAwIBBjAdBgNVHQ4EFgQU587GT/wWZ5b6SqMHwQSny2re2kcwHwYDVR0jBBgw
+FoAU587GT/wWZ5b6SqMHwQSny2re2kcwDQYJKoZIhvcNAQEFBQADggIBAJuYml2+
+8ygjdsZs93/mQJ7ANtyVDR2tFcU22NU57/IeIl6zgrRdu0waypIN30ckHrMk2pGI
+6YNw3ZPX6bqz3xZaPt7gyPvT/Wwp+BVGoGgmzJNSroIBk5DKd8pNSe/iWtkqvTDO
+TLKBtjDOWU/aWR1qeqRFsIImgYZ29fUQALjuswnoT4cCB64kXPBfrAowzIpAoHME
+wfuJJPaaHFy3PApnNgUIMbOv2AFoKuB4j3TeuFGkjGwgPaL7s9QJ/XvCgKqTbCmY
+Iai7FvOpEl90tYeY8pUm3zTvilORiF0alKM/fCL414i6poyWqD1SNGKfAB5UVUJn
+xk1Gj7sURT0KlhaOEKGXmdXTMIXM3rRyt7yKPBgpaP3ccQfuJDlq+u2lrDgv+R4Q
+DgZxGhBM/nV+/x5XOULK1+EVoVZVWRvRo68R2E7DpSvvkL/A7IITW43WciyTTo9q
+Kd+FPNMN4KIYEsxVL0e3p5sC/kH2iExt2qkBR4NkJ2IQgtYSe14DHzSpyZH+r11t
+hie3I6p1GMog57AP14kOpmciY/SDQSsGS7tY1dHXt7kQY9iJSrSq3RZj9W6+YKH4
+7ejWkE8axsWgKdOnIaj1Wjz3x0miIZpKlVIglnKaZsv30oZDfCK+lvm9AahH3eU7
+QPl1K5srRmSGjR70j/sHd9DqSaIcjVIUpgqT
+-----END CERTIFICATE-----
+
+# Issuer: O=certSIGN OU=certSIGN ROOT CA
+# Subject: O=certSIGN OU=certSIGN ROOT CA
+# Label: "certSIGN ROOT CA"
+# Serial: 35210227249154
+# MD5 Fingerprint: 18:98:c0:d6:e9:3a:fc:f9:b0:f5:0c:f7:4b:01:44:17
+# SHA1 Fingerprint: fa:b7:ee:36:97:26:62:fb:2d:b0:2a:f6:bf:03:fd:e8:7c:4b:2f:9b
+# SHA256 Fingerprint: ea:a9:62:c4:fa:4a:6b:af:eb:e4:15:19:6d:35:1c:cd:88:8d:4f:53:f3:fa:8a:e6:d7:c4:66:a9:4e:60:42:bb
+-----BEGIN CERTIFICATE-----
+MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYT
+AlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBD
+QTAeFw0wNjA3MDQxNzIwMDRaFw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJP
+MREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBDQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALczuX7IJUqOtdu0KBuqV5Do
+0SLTZLrTk+jUrIZhQGpgV2hUhE28alQCBf/fm5oqrl0Hj0rDKH/v+yv6efHHrfAQ
+UySQi2bJqIirr1qjAOm+ukbuW3N7LBeCgV5iLKECZbO9xSsAfsT8AzNXDe3i+s5d
+RdY4zTW2ssHQnIFKquSyAVwdj1+ZxLGt24gh65AIgoDzMKND5pCCrlUoSe1b16kQ
+OA7+j0xbm0bqQfWwCHTD0IgztnzXdN/chNFDDnU5oSVAKOp4yw4sLjmdjItuFhwv
+JoIQ4uNllAoEwF73XVv4EOLQunpL+943AAAaWyjj0pxzPjKHmKHJUS/X3qwzs08C
+AwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O
+BBYEFOCMm9slSbPxfIbWskKHC9BroNnkMA0GCSqGSIb3DQEBBQUAA4IBAQA+0hyJ
+LjX8+HXd5n9liPRyTMks1zJO890ZeUe9jjtbkw9QSSQTaxQGcu8J06Gh40CEyecY
+MnQ8SG4Pn0vU9x7Tk4ZkVJdjclDVVc/6IJMCopvDI5NOFlV2oHB5bc0hH88vLbwZ
+44gx+FkagQnIl6Z0x2DEW8xXjrJ1/RsCCdtZb3KTafcxQdaIOL+Hsr0Wefmq5L6I
+Jd1hJyMctTEHBDa0GpC9oHRxUIltvBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNw
+i/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7NzTogVZ96edhBiIL5VaZVDADlN
+9u6wWk5JRFRYX0KD
+-----END CERTIFICATE-----
+
+# Issuer: CN=CNNIC ROOT O=CNNIC
+# Subject: CN=CNNIC ROOT O=CNNIC
+# Label: "CNNIC ROOT"
+# Serial: 1228079105
+# MD5 Fingerprint: 21:bc:82:ab:49:c4:13:3b:4b:b2:2b:5c:6b:90:9c:19
+# SHA1 Fingerprint: 8b:af:4c:9b:1d:f0:2a:92:f7:da:12:8e:b9:1b:ac:f4:98:60:4b:6f
+# SHA256 Fingerprint: e2:83:93:77:3d:a8:45:a6:79:f2:08:0c:c7:fb:44:a3:b7:a1:c3:79:2c:b7:eb:77:29:fd:cb:6a:8d:99:ae:a7
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIESTMAATANBgkqhkiG9w0BAQUFADAyMQswCQYDVQQGEwJD
+TjEOMAwGA1UEChMFQ05OSUMxEzARBgNVBAMTCkNOTklDIFJPT1QwHhcNMDcwNDE2
+MDcwOTE0WhcNMjcwNDE2MDcwOTE0WjAyMQswCQYDVQQGEwJDTjEOMAwGA1UEChMF
+Q05OSUMxEzARBgNVBAMTCkNOTklDIFJPT1QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDTNfc/c3et6FtzF8LRb+1VvG7q6KR5smzDo+/hn7E7SIX1mlwh
+IhAsxYLO2uOabjfhhyzcuQxauohV3/2q2x8x6gHx3zkBwRP9SFIhxFXf2tizVHa6
+dLG3fdfA6PZZxU3Iva0fFNrfWEQlMhkqx35+jq44sDB7R3IJMfAw28Mbdim7aXZO
+V/kbZKKTVrdvmW7bCgScEeOAH8tjlBAKqeFkgjH5jCftppkA9nCTGPihNIaj3XrC
+GHn2emU1z5DrvTOTn1OrczvmmzQgLx3vqR1jGqCA2wMv+SYahtKNu6m+UjqHZ0gN
+v7Sg2Ca+I19zN38m5pIEo3/PIKe38zrKy5nLAgMBAAGjczBxMBEGCWCGSAGG+EIB
+AQQEAwIABzAfBgNVHSMEGDAWgBRl8jGtKvf33VKWCscCwQ7vptU7ETAPBgNVHRMB
+Af8EBTADAQH/MAsGA1UdDwQEAwIB/jAdBgNVHQ4EFgQUZfIxrSr3991SlgrHAsEO
+76bVOxEwDQYJKoZIhvcNAQEFBQADggEBAEs17szkrr/Dbq2flTtLP1se31cpolnK
+OOK5Gv+e5m4y3R6u6jW39ZORTtpC4cMXYFDy0VwmuYK36m3knITnA3kXr5g9lNvH
+ugDnuL8BV8F3RTIMO/G0HAiw/VGgod2aHRM2mm23xzy54cXZF/qD1T0VoDy7Hgvi
+yJA/qIYM/PmLXoXLT1tLYhFHxUV8BS9BsZ4QaRuZluBVeftOhpm4lNqGOGqTo+fL
+buXf6iFViZx9fX+Y9QCJ7uOEwFyWtcVG6kbghVW2G8kS1sHNzYDzAgE8yGnLRUhj
+2JTQ7IUOO04RZfSCjKY9ri4ilAnIXOo8gV0WKgOXFlUJ24pBgp5mmxE=
+-----END CERTIFICATE-----
+
+# Issuer: O=Japanese Government OU=ApplicationCA
+# Subject: O=Japanese Government OU=ApplicationCA
+# Label: "ApplicationCA - Japanese Government"
+# Serial: 49
+# MD5 Fingerprint: 7e:23:4e:5b:a7:a5:b4:25:e9:00:07:74:11:62:ae:d6
+# SHA1 Fingerprint: 7f:8a:b0:cf:d0:51:87:6a:66:f3:36:0f:47:c8:8d:8c:d3:35:fc:74
+# SHA256 Fingerprint: 2d:47:43:7d:e1:79:51:21:5a:12:f3:c5:8e:51:c7:29:a5:80:26:ef:1f:cc:0a:5f:b3:d9:dc:01:2f:60:0d:19
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBMTANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJKUDEc
+MBoGA1UEChMTSmFwYW5lc2UgR292ZXJubWVudDEWMBQGA1UECxMNQXBwbGljYXRp
+b25DQTAeFw0wNzEyMTIxNTAwMDBaFw0xNzEyMTIxNTAwMDBaMEMxCzAJBgNVBAYT
+AkpQMRwwGgYDVQQKExNKYXBhbmVzZSBHb3Zlcm5tZW50MRYwFAYDVQQLEw1BcHBs
+aWNhdGlvbkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp23gdE6H
+j6UG3mii24aZS2QNcfAKBZuOquHMLtJqO8F6tJdhjYq+xpqcBrSGUeQ3DnR4fl+K
+f5Sk10cI/VBaVuRorChzoHvpfxiSQE8tnfWuREhzNgaeZCw7NCPbXCbkcXmP1G55
+IrmTwcrNwVbtiGrXoDkhBFcsovW8R0FPXjQilbUfKW1eSvNNcr5BViCH/OlQR9cw
+FO5cjFW6WY2H/CPek9AEjP3vbb3QesmlOmpyM8ZKDQUXKi17safY1vC+9D/qDiht
+QWEjdnjDuGWk81quzMKq2edY3rZ+nYVunyoKb58DKTCXKB28t89UKU5RMfkntigm
+/qJj5kEW8DOYRwIDAQABo4GeMIGbMB0GA1UdDgQWBBRUWssmP3HMlEYNllPqa0jQ
+k/5CdTAOBgNVHQ8BAf8EBAMCAQYwWQYDVR0RBFIwUKROMEwxCzAJBgNVBAYTAkpQ
+MRgwFgYDVQQKDA/ml6XmnKzlm73mlL/lupwxIzAhBgNVBAsMGuOCouODl+ODquOC
+seODvOOCt+ODp+ODs0NBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBADlqRHZ3ODrso2dGD/mLBqj7apAxzn7s2tGJfHrrLgy9mTLnsCTWw//1sogJ
+hyzjVOGjprIIC8CFqMjSnHH2HZ9g/DgzE+Ge3Atf2hZQKXsvcJEPmbo0NI2VdMV+
+eKlmXb3KIXdCEKxmJj3ekav9FfBv7WxfEPjzFvYDio+nEhEMy/0/ecGc/WLuo89U
+DNErXxc+4z6/wCs+CZv+iKZ+tJIX/COUgb1up8WMwusRRdv4QcmWdupwX3kSa+Sj
+B1oF7ydJzyGfikwJcGapJsErEU4z0g781mzSDjJkaP+tBXhfAx2o45CsJOAPQKdL
+rosot4LKGAfmt1t06SAZf7IbiVQ=
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Primary Certification Authority - G3 O=GeoTrust Inc. OU=(c) 2008 GeoTrust Inc. - For authorized use only
+# Subject: CN=GeoTrust Primary Certification Authority - G3 O=GeoTrust Inc. OU=(c) 2008 GeoTrust Inc. - For authorized use only
+# Label: "GeoTrust Primary Certification Authority - G3"
+# Serial: 28809105769928564313984085209975885599
+# MD5 Fingerprint: b5:e8:34:36:c9:10:44:58:48:70:6d:2e:83:d4:b8:05
+# SHA1 Fingerprint: 03:9e:ed:b8:0b:e7:a0:3c:69:53:89:3b:20:d2:d9:32:3a:4c:2a:fd
+# SHA256 Fingerprint: b4:78:b8:12:25:0d:f8:78:63:5c:2a:a7:ec:7d:15:5e:aa:62:5e:e8:29:16:e2:cd:29:43:61:88:6c:d1:fb:d4
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCB
+mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT
+MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
+eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIzNTk1OVowgZgxCzAJ
+BgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg
+MjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0
+BgNVBAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
+LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANziXmJYHTNXOTIz
++uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5jK/BGvESyiaHAKAxJcCGVn2TAppMSAmUm
+hsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdEc5IiaacDiGydY8hS2pgn
+5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3CIShwiP/W
+JmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exAL
+DmKudlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZC
+huOl1UcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+HQYDVR0OBBYEFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IB
+AQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9cr5HqQ6XErhK8WTTOd8lNNTB
+zU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbEAp7aDHdlDkQN
+kv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD
+AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUH
+SJsMC8tJP33st/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2G
+spki4cErx5z481+oghLrGREt
+-----END CERTIFICATE-----
+
+# Issuer: CN=thawte Primary Root CA - G2 O=thawte, Inc. OU=(c) 2007 thawte, Inc. - For authorized use only
+# Subject: CN=thawte Primary Root CA - G2 O=thawte, Inc. OU=(c) 2007 thawte, Inc. - For authorized use only
+# Label: "thawte Primary Root CA - G2"
+# Serial: 71758320672825410020661621085256472406
+# MD5 Fingerprint: 74:9d:ea:60:24:c4:fd:22:53:3e:cc:3a:72:d9:29:4f
+# SHA1 Fingerprint: aa:db:bc:22:23:8f:c4:01:a1:27:bb:38:dd:f4:1d:db:08:9e:f0:12
+# SHA256 Fingerprint: a4:31:0d:50:af:18:a6:44:71:90:37:2a:86:af:af:8b:95:1f:fb:43:1d:83:7f:1e:56:88:b4:59:71:ed:15:57
+-----BEGIN CERTIFICATE-----
+MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDEL
+MAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjE4MDYGA1UECxMvKGMp
+IDIwMDcgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAi
+BgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMjAeFw0wNzExMDUwMDAw
+MDBaFw0zODAxMTgyMzU5NTlaMIGEMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhh
+d3RlLCBJbmMuMTgwNgYDVQQLEy8oYykgMjAwNyB0aGF3dGUsIEluYy4gLSBGb3Ig
+YXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9v
+dCBDQSAtIEcyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEotWcgnuVnfFSeIf+iha/
+BebfowJPDQfGAFG6DAJSLSKkQjnE/o/qycG+1E3/n3qe4rF8mq2nhglzh9HnmuN6
+papu+7qzcMBniKI11KOasf2twu8x+qi58/sIxpHR+ymVo0IwQDAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUmtgAMADna3+FGO6Lts6K
+DPgR4bswCgYIKoZIzj0EAwMDaQAwZgIxAN344FdHW6fmCsO99YCKlzUNG4k8VIZ3
+KMqh9HneteY4sPBlcIx/AlTCv//YoT7ZzwIxAMSNlPzcU9LcnXgWHxUzI1NS41ox
+XZ3Krr0TKUQNJ1uo52icEvdYPy5yAlejj6EULg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=thawte Primary Root CA - G3 O=thawte, Inc. OU=Certification Services Division/(c) 2008 thawte, Inc. - For authorized use only
+# Subject: CN=thawte Primary Root CA - G3 O=thawte, Inc. OU=Certification Services Division/(c) 2008 thawte, Inc. - For authorized use only
+# Label: "thawte Primary Root CA - G3"
+# Serial: 127614157056681299805556476275995414779
+# MD5 Fingerprint: fb:1b:5d:43:8a:94:cd:44:c6:76:f2:43:4b:47:e7:31
+# SHA1 Fingerprint: f1:8b:53:8d:1b:e9:03:b6:a6:f0:56:43:5b:17:15:89:ca:f3:6b:f2
+# SHA256 Fingerprint: 4b:03:f4:58:07:ad:70:f2:1b:fc:2c:ae:71:c9:fd:e4:60:4c:06:4c:f5:ff:b6:86:ba:e5:db:aa:d7:fd:d3:4c
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
+rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
+Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
+MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
+BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
+Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
+LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
+MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
+ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
+gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
+YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
+b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
+9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
+zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
+OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
+2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
+oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
+t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
+KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
+m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
+MdRAGmI0Nj81Aa6sY6A=
+-----END CERTIFICATE-----
+
+# Issuer: CN=GeoTrust Primary Certification Authority - G2 O=GeoTrust Inc. OU=(c) 2007 GeoTrust Inc. - For authorized use only
+# Subject: CN=GeoTrust Primary Certification Authority - G2 O=GeoTrust Inc. OU=(c) 2007 GeoTrust Inc. - For authorized use only
+# Label: "GeoTrust Primary Certification Authority - G2"
+# Serial: 80682863203381065782177908751794619243
+# MD5 Fingerprint: 01:5e:d8:6b:bd:6f:3d:8e:a1:31:f8:12:e0:98:73:6a
+# SHA1 Fingerprint: 8d:17:84:d5:37:f3:03:7d:ec:70:fe:57:8b:51:9a:99:e6:10:d7:b0
+# SHA256 Fingerprint: 5e:db:7a:c4:3b:82:a0:6a:87:61:e8:d7:be:49:79:eb:f2:61:1f:7d:d7:9b:f9:1c:1c:6b:56:6a:21:9e:d7:66
+-----BEGIN CERTIFICATE-----
+MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDEL
+MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj
+KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2
+MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVowgZgxCzAJBgNV
+BAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykgMjAw
+NyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNV
+BAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH
+MjB2MBAGByqGSM49AgEGBSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcL
+So17VDs6bl8VAsBQps8lL33KSLjHUGMcKiEIfJo22Av+0SbFWDEwKCXzXV2juLal
+tJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+EVXVMAoG
+CCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGT
+qQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBucz
+rD6ogRLQy7rQkgu2npaqBA+K
+-----END CERTIFICATE-----
+
+# Issuer: CN=VeriSign Universal Root Certification Authority O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2008 VeriSign, Inc. - For authorized use only
+# Subject: CN=VeriSign Universal Root Certification Authority O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2008 VeriSign, Inc. - For authorized use only
+# Label: "VeriSign Universal Root Certification Authority"
+# Serial: 85209574734084581917763752644031726877
+# MD5 Fingerprint: 8e:ad:b5:01:aa:4d:81:e4:8c:1d:d1:e1:14:00:95:19
+# SHA1 Fingerprint: 36:79:ca:35:66:87:72:30:4d:30:a5:fb:87:3b:0f:a7:7b:b7:0d:54
+# SHA256 Fingerprint: 23:99:56:11:27:a5:71:25:de:8c:ef:ea:61:0d:df:2f:a0:78:b5:c8:06:7f:4e:82:82:90:bf:b8:60:e8:4b:3c
+-----BEGIN CERTIFICATE-----
+MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
+vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
+ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
+Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX
+MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
+IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y
+IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh
+bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF
+9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH
+H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H
+LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN
+/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT
+rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw
+WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs
+exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
+DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4
+sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+
+seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
+4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
+BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
+lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
+7M2CYfE45k+XmCpajQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2007 VeriSign, Inc. - For authorized use only
+# Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4 O=VeriSign, Inc. OU=VeriSign Trust Network/(c) 2007 VeriSign, Inc. - For authorized use only
+# Label: "VeriSign Class 3 Public Primary Certification Authority - G4"
+# Serial: 63143484348153506665311985501458640051
+# MD5 Fingerprint: 3a:52:e1:e7:fd:6f:3a:e3:6f:f3:6f:99:1b:f9:22:41
+# SHA1 Fingerprint: 22:d5:d8:df:8f:02:31:d1:8d:f7:9d:b7:cf:8a:2d:64:c9:3f:6c:3a
+# SHA256 Fingerprint: 69:dd:d7:ea:90:bb:57:c9:3e:13:5d:c8:5e:a6:fc:d5:48:0b:60:32:39:bd:c4:54:fc:75:8b:2a:26:cf:7f:79
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJp
+U2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwg
+SW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2ln
+biBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
+IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8Utpkmw4tXNherJI9/gHm
+GUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGzrl0Bp3ve
+fLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJ
+aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYj
+aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMW
+kf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMDA2gAMGUCMGYhDBgmYFo4e1ZC
+4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIxAJw9SDkjOVga
+FRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA==
+-----END CERTIFICATE-----
+
+# Issuer: CN=NetLock Arany (Class Gold) FÅ‘tanúsítvány O=NetLock Kft. OU=Tanúsítványkiadók (Certification Services)
+# Subject: CN=NetLock Arany (Class Gold) FÅ‘tanúsítvány O=NetLock Kft. OU=Tanúsítványkiadók (Certification Services)
+# Label: "NetLock Arany (Class Gold) FÅ‘tanúsítvány"
+# Serial: 80544274841616
+# MD5 Fingerprint: c5:a1:b7:ff:73:dd:d6:d7:34:32:18:df:fc:3c:ad:88
+# SHA1 Fingerprint: 06:08:3f:59:3f:15:a1:04:a0:69:a4:6b:a9:03:d0:06:b7:97:09:91
+# SHA256 Fingerprint: 6c:61:da:c3:a2:de:f0:31:50:6b:e0:36:d2:a6:fe:40:19:94:fb:d1:3d:f9:c8:d4:66:59:92:74:c4:46:ec:98
+-----BEGIN CERTIFICATE-----
+MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG
+EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3
+MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl
+cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR
+dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB
+pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM
+b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm
+aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz
+IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT
+lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz
+AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5
+VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG
+ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2
+BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG
+AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M
+U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh
+bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C
++C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC
+bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F
+uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
+XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Staat der Nederlanden Root CA - G2 O=Staat der Nederlanden
+# Subject: CN=Staat der Nederlanden Root CA - G2 O=Staat der Nederlanden
+# Label: "Staat der Nederlanden Root CA - G2"
+# Serial: 10000012
+# MD5 Fingerprint: 7c:a5:0f:f8:5b:9a:7d:6d:30:ae:54:5a:e3:42:a2:8a
+# SHA1 Fingerprint: 59:af:82:79:91:86:c7:b4:75:07:cb:cf:03:57:46:eb:04:dd:b7:16
+# SHA256 Fingerprint: 66:8c:83:94:7d:a6:3b:72:4b:ec:e1:74:3c:31:a0:e6:ae:d0:db:8e:c5:b3:1b:e3:77:bb:78:4f:91:b6:71:6f
+-----BEGIN CERTIFICATE-----
+MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO
+TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh
+dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX
+DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl
+ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv
+b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291
+qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp
+uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU
+Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE
+pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp
+5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M
+UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN
+GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy
+5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv
+6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK
+eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6
+B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/
+BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov
+L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG
+SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS
+CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen
+5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897
+IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK
+gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL
++63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL
+vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm
+bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk
+N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC
+Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z
+ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=CA Disig O=Disig a.s.
+# Subject: CN=CA Disig O=Disig a.s.
+# Label: "CA Disig"
+# Serial: 1
+# MD5 Fingerprint: 3f:45:96:39:e2:50:87:f7:bb:fe:98:0c:3c:20:98:e6
+# SHA1 Fingerprint: 2a:c8:d5:8b:57:ce:bf:2f:49:af:f2:fc:76:8f:51:14:62:90:7a:41
+# SHA256 Fingerprint: 92:bf:51:19:ab:ec:ca:d0:b1:33:2d:c4:e1:d0:5f:ba:75:b5:67:90:44:ee:0c:a2:6e:93:1f:74:4f:2f:33:cf
+-----BEGIN CERTIFICATE-----
+MIIEDzCCAvegAwIBAgIBATANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJTSzET
+MBEGA1UEBxMKQnJhdGlzbGF2YTETMBEGA1UEChMKRGlzaWcgYS5zLjERMA8GA1UE
+AxMIQ0EgRGlzaWcwHhcNMDYwMzIyMDEzOTM0WhcNMTYwMzIyMDEzOTM0WjBKMQsw
+CQYDVQQGEwJTSzETMBEGA1UEBxMKQnJhdGlzbGF2YTETMBEGA1UEChMKRGlzaWcg
+YS5zLjERMA8GA1UEAxMIQ0EgRGlzaWcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCS9jHBfYj9mQGp2HvycXXxMcbzdWb6UShGhJd4NLxs/LxFWYgmGErE
+Nx+hSkS943EE9UQX4j/8SFhvXJ56CbpRNyIjZkMhsDxkovhqFQ4/61HhVKndBpnX
+mjxUizkDPw/Fzsbrg3ICqB9x8y34dQjbYkzo+s7552oftms1grrijxaSfQUMbEYD
+XcDtab86wYqg6I7ZuUUohwjstMoVvoLdtUSLLa2GDGhibYVW8qwUYzrG0ZmsNHhW
+S8+2rT+MitcE5eN4TPWGqvWP+j1scaMtymfraHtuM6kMgiioTGohQBUgDCZbg8Kp
+FhXAJIJdKxatymP2dACw30PEEGBWZ2NFAgMBAAGjgf8wgfwwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUjbJJaJ1yCCW5wCf1UJNWSEZx+Y8wDgYDVR0PAQH/BAQD
+AgEGMDYGA1UdEQQvMC2BE2Nhb3BlcmF0b3JAZGlzaWcuc2uGFmh0dHA6Ly93d3cu
+ZGlzaWcuc2svY2EwZgYDVR0fBF8wXTAtoCugKYYnaHR0cDovL3d3dy5kaXNpZy5z
+ay9jYS9jcmwvY2FfZGlzaWcuY3JsMCygKqAohiZodHRwOi8vY2EuZGlzaWcuc2sv
+Y2EvY3JsL2NhX2Rpc2lnLmNybDAaBgNVHSAEEzARMA8GDSuBHpGT5goAAAABAQEw
+DQYJKoZIhvcNAQEFBQADggEBAF00dGFMrzvY/59tWDYcPQuBDRIrRhCA/ec8J9B6
+yKm2fnQwM6M6int0wHl5QpNt/7EpFIKrIYwvF/k/Ji/1WcbvgAa3mkkp7M5+cTxq
+EEHA9tOasnxakZzArFvITV734VP/Q3f8nktnbNfzg9Gg4H8l37iYC5oyOGwwoPP/
+CBUz91BKez6jPiCp3C9WgArtQVCwyfTssuMmRAAOb54GvCKWU3BlxFAKRmukLyeB
+EicTXxChds6KezfqwzlhA5WYOudsiCUI/HloDYd9Yvi0X/vF2Ey9WLw/Q1vUHgFN
+PGO+I++MzVpQuGhU+QqZMxEA4Z7CRneC9VkGjCFMhwnN5ag=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Juur-SK O=AS Sertifitseerimiskeskus
+# Subject: CN=Juur-SK O=AS Sertifitseerimiskeskus
+# Label: "Juur-SK"
+# Serial: 999181308
+# MD5 Fingerprint: aa:8e:5d:d9:f8:db:0a:58:b7:8d:26:87:6c:82:35:55
+# SHA1 Fingerprint: 40:9d:4b:d9:17:b5:5c:27:b6:9b:64:cb:98:22:44:0d:cd:09:b8:89
+# SHA256 Fingerprint: ec:c3:e9:c3:40:75:03:be:e0:91:aa:95:2f:41:34:8f:f8:8b:aa:86:3b:22:64:be:fa:c8:07:90:15:74:e9:39
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIEO45L/DANBgkqhkiG9w0BAQUFADBdMRgwFgYJKoZIhvcN
+AQkBFglwa2lAc2suZWUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKExlBUyBTZXJ0aWZp
+dHNlZXJpbWlza2Vza3VzMRAwDgYDVQQDEwdKdXVyLVNLMB4XDTAxMDgzMDE0MjMw
+MVoXDTE2MDgyNjE0MjMwMVowXTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMQsw
+CQYDVQQGEwJFRTEiMCAGA1UEChMZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEQ
+MA4GA1UEAxMHSnV1ci1TSzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AIFxNj4zB9bjMI0TfncyRsvPGbJgMUaXhvSYRqTCZUXP00B841oiqBB4M8yIsdOB
+SvZiF3tfTQou0M+LI+5PAk676w7KvRhj6IAcjeEcjT3g/1tf6mTll+g/mX8MCgkz
+ABpTpyHhOEvWgxutr2TC+Rx6jGZITWYfGAriPrsfB2WThbkasLnE+w0R9vXW+RvH
+LCu3GFH+4Hv2qEivbDtPL+/40UceJlfwUR0zlv/vWT3aTdEVNMfqPxZIe5EcgEMP
+PbgFPtGzlc3Yyg/CQ2fbt5PgIoIuvvVoKIO5wTtpeyDaTpxt4brNj3pssAki14sL
+2xzVWiZbDcDq5WDQn/413z8CAwEAAaOCAawwggGoMA8GA1UdEwEB/wQFMAMBAf8w
+ggEWBgNVHSAEggENMIIBCTCCAQUGCisGAQQBzh8BAQEwgfYwgdAGCCsGAQUFBwIC
+MIHDHoHAAFMAZQBlACAAcwBlAHIAdABpAGYAaQBrAGEAYQB0ACAAbwBuACAAdgDk
+AGwAagBhAHMAdABhAHQAdQBkACAAQQBTAC0AaQBzACAAUwBlAHIAdABpAGYAaQB0
+AHMAZQBlAHIAaQBtAGkAcwBrAGUAcwBrAHUAcwAgAGEAbABhAG0ALQBTAEsAIABz
+AGUAcgB0AGkAZgBpAGsAYQBhAHQAaQBkAGUAIABrAGkAbgBuAGkAdABhAG0AaQBz
+AGUAawBzMCEGCCsGAQUFBwIBFhVodHRwOi8vd3d3LnNrLmVlL2Nwcy8wKwYDVR0f
+BCQwIjAgoB6gHIYaaHR0cDovL3d3dy5zay5lZS9qdXVyL2NybC8wHQYDVR0OBBYE
+FASqekej5ImvGs8KQKcYP2/v6X2+MB8GA1UdIwQYMBaAFASqekej5ImvGs8KQKcY
+P2/v6X2+MA4GA1UdDwEB/wQEAwIB5jANBgkqhkiG9w0BAQUFAAOCAQEAe8EYlFOi
+CfP+JmeaUOTDBS8rNXiRTHyoERF5TElZrMj3hWVcRrs7EKACr81Ptcw2Kuxd/u+g
+kcm2k298gFTsxwhwDY77guwqYHhpNjbRxZyLabVAyJRld/JXIWY7zoVAtjNjGr95
+HvxcHdMdkxuLDF2FvZkwMhgJkVLpfKG6/2SSmuz+Ne6ML678IIbsSt4beDI3poHS
+na9aEhbKmVv8b20OxaAehsmR0FyYgl9jDIpaq9iVpszLita/ZEuOyoqysOkhMp6q
+qIWYNIE5ITuoOlIyPfZrN4YGWhWY3PARZv40ILcD9EEQfTmEeZZyY7aWAuVrua0Z
+TbvGRNs2yyqcjg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Hongkong Post Root CA 1 O=Hongkong Post
+# Subject: CN=Hongkong Post Root CA 1 O=Hongkong Post
+# Label: "Hongkong Post Root CA 1"
+# Serial: 1000
+# MD5 Fingerprint: a8:0d:6f:39:78:b9:43:6d:77:42:6d:98:5a:cc:23:ca
+# SHA1 Fingerprint: d6:da:a8:20:8d:09:d2:15:4d:24:b5:2f:cb:34:6e:b2:58:b2:8a:58
+# SHA256 Fingerprint: f9:e6:7d:33:6c:51:00:2a:c0:54:c6:32:02:2d:66:dd:a2:e7:e3:ff:f1:0a:d0:61:ed:31:d8:bb:b4:10:cf:b2
+-----BEGIN CERTIFICATE-----
+MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx
+FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg
+Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG
+A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr
+b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ
+jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn
+PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh
+ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9
+nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h
+q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED
+MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC
+mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3
+7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB
+oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs
+EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO
+fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi
+AmvZWg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=SecureSign RootCA11 O=Japan Certification Services, Inc.
+# Subject: CN=SecureSign RootCA11 O=Japan Certification Services, Inc.
+# Label: "SecureSign RootCA11"
+# Serial: 1
+# MD5 Fingerprint: b7:52:74:e2:92:b4:80:93:f2:75:e4:cc:d7:f2:ea:26
+# SHA1 Fingerprint: 3b:c4:9f:48:f8:f3:73:a0:9c:1e:bd:f8:5b:b1:c3:65:c7:d8:11:b3
+# SHA256 Fingerprint: bf:0f:ee:fb:9e:3a:58:1a:d5:f9:e9:db:75:89:98:57:43:d2:61:08:5c:4d:31:4f:6f:5d:72:59:aa:42:16:12
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDEr
+MCkGA1UEChMiSmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoG
+A1UEAxMTU2VjdXJlU2lnbiBSb290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0
+MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZp
+Y2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RD
+QTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvLTJsz
+i1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8
+h9uuywGOwvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOV
+MdrAG/LuYpmGYz+/3ZMqg6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9
+UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rPO7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni
+8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitAbpSACW22s293bzUIUPsC
+h8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZXt94wDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
+AKChOBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xm
+KbabfSVSSUOrTC4rbnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQ
+X5Ucv+2rIrVls4W6ng+4reV6G4pQOh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWr
+QbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01y8hSyn+B/tlr0/cR7SXf+Of5
+pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061lgeLKBObjBmN
+QSdJQO7e5iNEOdyhIta6A/I=
+-----END CERTIFICATE-----
+
+# Issuer: CN=ACEDICOM Root O=EDICOM OU=PKI
+# Subject: CN=ACEDICOM Root O=EDICOM OU=PKI
+# Label: "ACEDICOM Root"
+# Serial: 7029493972724711941
+# MD5 Fingerprint: 42:81:a0:e2:1c:e3:55:10:de:55:89:42:65:96:22:e6
+# SHA1 Fingerprint: e0:b4:32:2e:b2:f6:a5:68:b6:54:53:84:48:18:4a:50:36:87:43:84
+# SHA256 Fingerprint: 03:95:0f:b4:9a:53:1f:3e:19:91:94:23:98:df:a9:e0:ea:32:d7:ba:1c:dd:9b:c8:5d:b5:7e:d9:40:0b:43:4a
+-----BEGIN CERTIFICATE-----
+MIIFtTCCA52gAwIBAgIIYY3HhjsBggUwDQYJKoZIhvcNAQEFBQAwRDEWMBQGA1UE
+AwwNQUNFRElDT00gUm9vdDEMMAoGA1UECwwDUEtJMQ8wDQYDVQQKDAZFRElDT00x
+CzAJBgNVBAYTAkVTMB4XDTA4MDQxODE2MjQyMloXDTI4MDQxMzE2MjQyMlowRDEW
+MBQGA1UEAwwNQUNFRElDT00gUm9vdDEMMAoGA1UECwwDUEtJMQ8wDQYDVQQKDAZF
+RElDT00xCzAJBgNVBAYTAkVTMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEA/5KV4WgGdrQsyFhIyv2AVClVYyT/kGWbEHV7w2rbYgIB8hiGtXxaOLHkWLn7
+09gtn70yN78sFW2+tfQh0hOR2QetAQXW8713zl9CgQr5auODAKgrLlUTY4HKRxx7
+XBZXehuDYAQ6PmXDzQHe3qTWDLqO3tkE7hdWIpuPY/1NFgu3e3eM+SW10W2ZEi5P
+Grjm6gSSrj0RuVFCPYewMYWveVqc/udOXpJPQ/yrOq2lEiZmueIM15jO1FillUAK
+t0SdE3QrwqXrIhWYENiLxQSfHY9g5QYbm8+5eaA9oiM/Qj9r+hwDezCNzmzAv+Yb
+X79nuIQZ1RXve8uQNjFiybwCq0Zfm/4aaJQ0PZCOrfbkHQl/Sog4P75n/TSW9R28
+MHTLOO7VbKvU/PQAtwBbhTIWdjPp2KOZnQUAqhbm84F9b32qhm2tFXTTxKJxqvQU
+fecyuB+81fFOvW8XAjnXDpVCOscAPukmYxHqC9FK/xidstd7LzrZlvvoHpKuE1XI
+2Sf23EgbsCTBheN3nZqk8wwRHQ3ItBTutYJXCb8gWH8vIiPYcMt5bMlL8qkqyPyH
+K9caUPgn6C9D4zq92Fdx/c6mUlv53U3t5fZvie27k5x2IXXwkkwp9y+cAS7+UEae
+ZAwUswdbxcJzbPEHXEUkFDWug/FqTYl6+rPYLWbwNof1K1MCAwEAAaOBqjCBpzAP
+BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFKaz4SsrSbbXc6GqlPUB53NlTKxQ
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUprPhKytJttdzoaqU9QHnc2VMrFAw
+RAYDVR0gBD0wOzA5BgRVHSAAMDEwLwYIKwYBBQUHAgEWI2h0dHA6Ly9hY2VkaWNv
+bS5lZGljb21ncm91cC5jb20vZG9jMA0GCSqGSIb3DQEBBQUAA4ICAQDOLAtSUWIm
+fQwng4/F9tqgaHtPkl7qpHMyEVNEskTLnewPeUKzEKbHDZ3Ltvo/Onzqv4hTGzz3
+gvoFNTPhNahXwOf9jU8/kzJPeGYDdwdY6ZXIfj7QeQCM8htRM5u8lOk6e25SLTKe
+I6RF+7YuE7CLGLHdztUdp0J/Vb77W7tH1PwkzQSulgUV1qzOMPPKC8W64iLgpq0i
+5ALudBF/TP94HTXa5gI06xgSYXcGCRZj6hitoocf8seACQl1ThCojz2GuHURwCRi
+ipZ7SkXp7FnFvmuD5uHorLUwHv4FB4D54SMNUI8FmP8sX+g7tq3PgbUhh8oIKiMn
+MCArz+2UW6yyetLHKKGKC5tNSixthT8Jcjxn4tncB7rrZXtaAWPWkFtPF2Y9fwsZ
+o5NjEFIqnxQWWOLcpfShFosOkYuByptZ+thrkQdlVV9SH686+5DdaaVbnG0OLLb6
+zqylfDJKZ0DcMDQj3dcEI2bw/FWAp/tmGYI1Z2JwOV5vx+qQQEQIHriy1tvuWacN
+GHk0vFQYXlPKNFHtRQrmjseCNj6nOGOpMCwXEGCSn1WHElkQwg9naRHMTh5+Spqt
+r0CodaxWkHS4oJyleW/c6RrIaQXpuvoDs3zk4E7Czp3otkYNbn5XOmeUwssfnHdK
+Z05phkOTOPu220+DkdRgfks+KzgHVZhepA==
+-----END CERTIFICATE-----
+
+# Issuer: O=VeriSign, Inc. OU=Class 3 Public Primary Certification Authority
+# Subject: O=VeriSign, Inc. OU=Class 3 Public Primary Certification Authority
+# Label: "Verisign Class 3 Public Primary Certification Authority"
+# Serial: 80507572722862485515306429940691309246
+# MD5 Fingerprint: ef:5a:f1:33:ef:f1:cd:bb:51:02:ee:12:14:4b:96:c4
+# SHA1 Fingerprint: a1:db:63:93:91:6f:17:e4:18:55:09:40:04:15:c7:02:40:b0:ae:6b
+# SHA256 Fingerprint: a4:b6:b3:99:6f:c2:f3:06:b3:fd:86:81:bd:63:41:3d:8c:50:09:cc:4f:a3:29:c2:cc:f0:e2:fa:1b:14:03:05
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i
+2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ
+2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
+-----END CERTIFICATE-----
+
+# Issuer: CN=Microsec e-Szigno Root CA 2009 O=Microsec Ltd.
+# Subject: CN=Microsec e-Szigno Root CA 2009 O=Microsec Ltd.
+# Label: "Microsec e-Szigno Root CA 2009"
+# Serial: 14014712776195784473
+# MD5 Fingerprint: f8:49:f4:03:bc:44:2d:83:be:48:69:7d:29:64:fc:b1
+# SHA1 Fingerprint: 89:df:74:fe:5c:f4:0f:4a:80:f9:e3:37:7d:54:da:91:e1:01:31:8e
+# SHA256 Fingerprint: 3c:5f:81:fe:a5:fa:b8:2c:64:bf:a2:ea:ec:af:cd:e8:e0:77:fc:86:20:a7:ca:e5:37:16:3d:f3:6e:db:f3:78
+-----BEGIN CERTIFICATE-----
+MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
+VQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0
+ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0G
+CSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5odTAeFw0wOTA2MTYxMTMwMThaFw0y
+OTEyMzAxMTMwMThaMIGCMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3Qx
+FjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUtU3pp
+Z25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5o
+dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOn4j/NjrdqG2KfgQvvP
+kd6mJviZpWNwrZuuyjNAfW2WbqEORO7hE52UQlKavXWFdCyoDh2Tthi3jCyoz/tc
+cbna7P7ofo/kLx2yqHWH2Leh5TvPmUpG0IMZfcChEhyVbUr02MelTTMuhTlAdX4U
+fIASmFDHQWe4oIBhVKZsTh/gnQ4H6cm6M+f+wFUoLAKApxn1ntxVUwOXewdI/5n7
+N4okxFnMUBBjjqqpGrCEGob5X7uxUG6k0QrM1XF+H6cbfPVTbiJfyyvm1HxdrtbC
+xkzlBQHZ7Vf8wSN5/PrIJIOV87VqUQHQd9bpEqH5GoP7ghu5sJf0dgYzQ0mg/wu1
++rUCAwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
+A1UdDgQWBBTLD8bfQkPMPcu1SCOhGnqmKrs0aDAfBgNVHSMEGDAWgBTLD8bfQkPM
+Pcu1SCOhGnqmKrs0aDAbBgNVHREEFDASgRBpbmZvQGUtc3ppZ25vLmh1MA0GCSqG
+SIb3DQEBCwUAA4IBAQDJ0Q5eLtXMs3w+y/w9/w0olZMEyL/azXm4Q5DwpL7v8u8h
+mLzU1F0G9u5C7DBsoKqpyvGvivo/C3NqPuouQH4frlRheesuCDfXI/OMn74dseGk
+ddug4lQUsbocKaQY9hK6ohQU4zE1yED/t+AFdlfBHFny+L/k7SViXITwfn4fs775
+tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c
+2Pm2G2JwCz02yULyMtd6YebS2z3PyKnJm9zbWETXbzivf3jTo60adbocwTZ8jx5t
+HMN1Rq41Bab2XD0h7lbwyYIiLXpUq3DDfSJlgnCW
+-----END CERTIFICATE-----
+
+# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi O=Elektronik Bilgi Guvenligi A.S.
+# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi O=Elektronik Bilgi Guvenligi A.S.
+# Label: "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+# Serial: 91184789765598910059173000485363494069
+# MD5 Fingerprint: 3d:41:29:cb:1e:aa:11:74:cd:5d:b0:62:af:b0:43:5b
+# SHA1 Fingerprint: dd:e1:d2:a9:01:80:2e:1d:87:5e:84:b3:80:7e:4b:b1:fd:99:41:34
+# SHA256 Fingerprint: e6:09:07:84:65:a4:19:78:0c:b6:ac:4c:1c:0b:fb:46:53:d9:d9:cc:6e:b3:94:6e:b7:f3:d6:99:97:ba:d5:98
+-----BEGIN CERTIFICATE-----
+MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
+MQswCQYDVQQGEwJUUjEoMCYGA1UEChMfRWxla3Ryb25payBCaWxnaSBHdXZlbmxp
+Z2kgQS5TLjE8MDoGA1UEAxMzZS1HdXZlbiBLb2sgRWxla3Ryb25payBTZXJ0aWZp
+a2EgSGl6bWV0IFNhZ2xheWljaXNpMB4XDTA3MDEwNDExMzI0OFoXDTE3MDEwNDEx
+MzI0OFowdTELMAkGA1UEBhMCVFIxKDAmBgNVBAoTH0VsZWt0cm9uaWsgQmlsZ2kg
+R3V2ZW5saWdpIEEuUy4xPDA6BgNVBAMTM2UtR3V2ZW4gS29rIEVsZWt0cm9uaWsg
+U2VydGlmaWthIEhpem1ldCBTYWdsYXlpY2lzaTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMMSIJ6wXgBljU5Gu4Bc6SwGl9XzcslwuedLZYDBS75+PNdU
+MZTe1RK6UxYC6lhj71vY8+0qGqpxSKPcEC1fX+tcS5yWCEIlKBHMilpiAVDV6wlT
+L/jDj/6z/P2douNffb7tC+Bg62nsM+3YjfsSSYMAyYuXjDtzKjKzEve5TfL0TW3H
+5tYmNwjy2f1rXKPlSFxYvEK+A1qBuhw1DADT9SN+cTAIJjjcJRFHLfO6IxClv7wC
+90Nex/6wN1CZew+TzuZDLMN+DfIcQ2Zgy2ExR4ejT669VmxMvLz4Bcpk9Ok0oSy1
+c+HCPujIyTQlCFzz7abHlJ+tiEMl1+E5YP6sOVkCAwEAAaNCMEAwDgYDVR0PAQH/
+BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJ/uRLOU1fqRTy7ZVZoE
+VtstxNulMA0GCSqGSIb3DQEBBQUAA4IBAQB/X7lTW2M9dTLn+sR0GstG30ZpHFLP
+qk/CaOv/gKlR6D1id4k9CnU58W5dF4dvaAXBlGzZXd/aslnLpRCKysw5zZ/rTt5S
+/wzw9JKp8mxTq5vSR6AfdPebmvEvFZ96ZDAYBzwqD2fK/A+JYZ1lpTzlvBNbCNvj
+/+27BrtqBrF6T2XGgv0enIu1De5Iu7i9qgi0+6N8y5/NkHZchpZ4Vwpm+Vganf2X
+KWDeEaaQHBkc7gGWIjQ0LpH5t8Qn0Xvmv/uARFoW5evg1Ao4vOSR49XrXMGs3xtq
+fJ7lddK2l4fbzIcrQzqECK+rPNv3PGYxhrCdU3nt+CPeQuMtgvEP5fqX
+-----END CERTIFICATE-----
+
+# Issuer: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R3
+# Subject: CN=GlobalSign O=GlobalSign OU=GlobalSign Root CA - R3
+# Label: "GlobalSign Root CA - R3"
+# Serial: 4835703278459759426209954
+# MD5 Fingerprint: c5:df:b8:49:ca:05:13:55:ee:2d:ba:1a:c3:3e:b0:28
+# SHA1 Fingerprint: d6:9b:56:11:48:f0:1c:77:c5:45:78:c1:09:26:df:5b:85:69:76:ad
+# SHA256 Fingerprint: cb:b5:22:d7:b7:f1:27:ad:6a:01:13:86:5b:df:1c:d4:10:2e:7d:07:59:af:63:5a:7c:f4:72:0d:c9:63:c5:3b
+-----BEGIN CERTIFICATE-----
+MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
+MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
+RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
+gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
+KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
+QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
+XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
+LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
+RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
+jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
+6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
+mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
+Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
+WD9f
+-----END CERTIFICATE-----
+
+# Issuer: CN=TC TrustCenter Universal CA III O=TC TrustCenter GmbH OU=TC TrustCenter Universal CA
+# Subject: CN=TC TrustCenter Universal CA III O=TC TrustCenter GmbH OU=TC TrustCenter Universal CA
+# Label: "TC TrustCenter Universal CA III"
+# Serial: 2010889993983507346460533407902964
+# MD5 Fingerprint: 9f:dd:db:ab:ff:8e:ff:45:21:5f:f0:6c:9d:8f:fe:2b
+# SHA1 Fingerprint: 96:56:cd:7b:57:96:98:95:d0:e1:41:46:68:06:fb:b8:c6:11:06:87
+# SHA256 Fingerprint: 30:9b:4a:87:f6:ca:56:c9:31:69:aa:a9:9c:6d:98:88:54:d7:89:2b:d5:43:7e:2d:07:b2:9c:be:da:55:d3:5d
+-----BEGIN CERTIFICATE-----
+MIID4TCCAsmgAwIBAgIOYyUAAQACFI0zFQLkbPQwDQYJKoZIhvcNAQEFBQAwezEL
+MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJDAiBgNV
+BAsTG1RDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQTEoMCYGA1UEAxMfVEMgVHJ1
+c3RDZW50ZXIgVW5pdmVyc2FsIENBIElJSTAeFw0wOTA5MDkwODE1MjdaFw0yOTEy
+MzEyMzU5NTlaMHsxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRl
+ciBHbWJIMSQwIgYDVQQLExtUQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0ExKDAm
+BgNVBAMTH1RDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJSUkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC2pxisLlxErALyBpXsq6DFJmzNEubkKLF
+5+cvAqBNLaT6hdqbJYUtQCggbergvbFIgyIpRJ9Og+41URNzdNW88jBmlFPAQDYv
+DIRlzg9uwliT6CwLOunBjvvya8o84pxOjuT5fdMnnxvVZ3iHLX8LR7PH6MlIfK8v
+zArZQe+f/prhsq75U7Xl6UafYOPfjdN/+5Z+s7Vy+EutCHnNaYlAJ/Uqwa1D7KRT
+yGG299J5KmcYdkhtWyUB0SbFt1dpIxVbYYqt8Bst2a9c8SaQaanVDED1M4BDj5yj
+dipFtK+/fz6HP3bFzSreIMUWWMv5G/UPyw0RUmS40nZid4PxWJ//AgMBAAGjYzBh
+MB8GA1UdIwQYMBaAFFbn4VslQ4Dg9ozhcbyO5YAvxEjiMA8GA1UdEwEB/wQFMAMB
+Af8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRW5+FbJUOA4PaM4XG8juWAL8RI
+4jANBgkqhkiG9w0BAQUFAAOCAQEAg8ev6n9NCjw5sWi+e22JLumzCecYV42Fmhfz
+dkJQEw/HkG8zrcVJYCtsSVgZ1OK+t7+rSbyUyKu+KGwWaODIl0YgoGhnYIg5IFHY
+aAERzqf2EQf27OysGh+yZm5WZ2B6dF7AbZc2rrUNXWZzwCUyRdhKBgePxLcHsU0G
+DeGl6/R1yrqc0L2z0zIkTO5+4nYES0lT2PLpVDP85XEfPRRclkvxOvIAu2y0+pZV
+CIgJwcyRGSmwIC3/yzikQOEXvnlhgP8HA4ZMTnsGnxGGjYnuJ8Tb4rwZjgvDwxPH
+LQNjO9Po5KIqwoIIlBZU8O8fJ5AluA0OKBtHd0e9HKgl8ZS0Zg==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
+# Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
+# Label: "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+# Serial: 6047274297262753887
+# MD5 Fingerprint: 73:3a:74:7a:ec:bb:a3:96:a6:c2:e4:e2:c8:9b:c0:c3
+# SHA1 Fingerprint: ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6:fa
+# SHA256 Fingerprint: 04:04:80:28:bf:1f:28:64:d4:8f:9a:d4:d8:32:94:36:6a:82:88:56:55:3f:3b:14:30:3f:90:14:7f:5d:40:ef
+-----BEGIN CERTIFICATE-----
+MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE
+BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h
+cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy
+MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg
+Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9
+thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM
+cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG
+L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i
+NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h
+X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b
+m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy
+Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja
+EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T
+KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF
+6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh
+OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD
+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD
+VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp
+cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv
+ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl
+AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF
+661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9
+am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1
+ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481
+PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS
+3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k
+SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF
+3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM
+ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g
+StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz
+Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB
+jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V
+-----END CERTIFICATE-----
+
+# Issuer: CN=Izenpe.com O=IZENPE S.A.
+# Subject: CN=Izenpe.com O=IZENPE S.A.
+# Label: "Izenpe.com"
+# Serial: 917563065490389241595536686991402621
+# MD5 Fingerprint: a6:b0:cd:85:80:da:5c:50:34:a3:39:90:2f:55:67:73
+# SHA1 Fingerprint: 2f:78:3d:25:52:18:a7:4a:65:39:71:b5:2c:a2:9c:45:15:6f:e9:19
+# SHA256 Fingerprint: 25:30:cc:8e:98:32:15:02:ba:d9:6f:9b:1f:ba:1b:09:9e:2d:29:9e:0f:45:48:bb:91:4f:36:3b:c0:d4:53:1f
+-----BEGIN CERTIFICATE-----
+MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4
+MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6
+ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD
+VQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5j
+b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq
+scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaO
+xdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6H
+LmYRY2xU+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFX
+uaOKmMPsOzTFlUFpfnXCPCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQD
+yCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxTOTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+
+JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbKF7jJeodWLBoBHmy+E60Q
+rLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK0GqfvEyN
+BjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8L
+hij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB
+QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+
+HMh3/1uaD7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2lu
+Zm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYg
+QTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBB
+BgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx
+MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUA
+A4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWb
+laQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56
+awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwo
+JNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lw
+LDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCT
+VyvehQP5aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGk
+LhObNA5me0mrZJfQRsN5nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJb
+UjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/
+QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy2+tzJOeRf1SktoA+
+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1ZWrOZyGls
+QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Chambers of Commerce Root - 2008 O=AC Camerfirma S.A.
+# Subject: CN=Chambers of Commerce Root - 2008 O=AC Camerfirma S.A.
+# Label: "Chambers of Commerce Root - 2008"
+# Serial: 11806822484801597146
+# MD5 Fingerprint: 5e:80:9e:84:5a:0e:65:0b:17:02:f3:55:18:2a:3e:d7
+# SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
+# SHA256 Fingerprint: 06:3e:4a:fa:c4:91:df:d3:32:f3:08:9b:85:42:e9:46:17:d8:93:d7:fe:94:4e:10:a7:93:7e:e2:9d:96:93:c0
+-----BEGIN CERTIFICATE-----
+MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
+VQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0
+IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3
+MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMTIENoYW1iZXJz
+IG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEyMjk1MFoXDTM4MDcz
+MTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBj
+dXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIw
+EAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEp
+MCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW9
+28sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKAXuFixrYp4YFs8r/lfTJq
+VKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorjh40G072Q
+DuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR
+5gN/ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfL
+ZEFHcpOrUMPrCXZkNNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05a
+Sd+pZgvMPMZ4fKecHePOjlO+Bd5gD2vlGts/4+EhySnB8esHnFIbAURRPHsl18Tl
+UlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331lubKgdaX8ZSD6e2wsWsSaR6s
++12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ0wlf2eOKNcx5
+Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj
+ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAx
+hduub+84Mxh2EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNV
+HQ4EFgQU+SSsD7K1+HnA+mCIG8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1
++HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpN
+YWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29t
+L2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVy
+ZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAt
+IDIwMDiCCQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRV
+HSAAMCowKAYIKwYBBQUHAgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20w
+DQYJKoZIhvcNAQEFBQADggIBAJASryI1wqM58C7e6bXpeHxIvj99RZJe6dqxGfwW
+PJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH3qLPaYRgM+gQDROpI9CF
+5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbURWpGqOt1
+glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaH
+FoI6M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2
+pSB7+R5KBWIBpih1YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MD
+xvbxrN8y8NmBGuScvfaAFPDRLLmF9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QG
+tjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcKzBIKinmwPQN/aUv0NCB9szTq
+jktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvGnrDQWzilm1De
+fhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg
+OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZ
+d0jQ
+-----END CERTIFICATE-----
+
+# Issuer: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A.
+# Subject: CN=Global Chambersign Root - 2008 O=AC Camerfirma S.A.
+# Label: "Global Chambersign Root - 2008"
+# Serial: 14541511773111788494
+# MD5 Fingerprint: 9e:80:ff:78:01:0c:2e:c1:36:bd:fe:96:90:6e:08:f3
+# SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
+# SHA256 Fingerprint: 13:63:35:43:93:34:a7:69:80:16:a0:d3:24:de:72:28:4e:07:9d:7b:52:20:bb:8f:bd:74:78:16:ee:be:ba:ca
+-----BEGIN CERTIFICATE-----
+MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYD
+VQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0
+IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3
+MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD
+aGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMxNDBaFw0zODA3MzEx
+MjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3Vy
+cmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAG
+A1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAl
+BgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAMDfVtPkOpt2RbQT2//BthmLN0EYlVJH6xed
+KYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXfXjaOcNFccUMd2drvXNL7
+G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0ZJJ0YPP2
+zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4
+ddPB/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyG
+HoiMvvKRhI9lNNgATH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2
+Id3UwD2ln58fQ1DJu7xsepeY7s2MH/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3V
+yJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfeOx2YItaswTXbo6Al/3K1dh3e
+beksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSFHTynyQbehP9r
+6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh
+wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsog
+zCtLkykPAgMBAAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQW
+BBS5CcqcHtvTbDprru1U8VuTBjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDpr
+ru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UEBhMCRVUxQzBBBgNVBAcTOk1hZHJp
+ZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJmaXJtYS5jb20vYWRk
+cmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJmaXJt
+YSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiC
+CQDJzdPp1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCow
+KAYIKwYBBQUHAgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZI
+hvcNAQEFBQADggIBAICIf3DekijZBZRG/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZ
+UohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6ReAJ3spED8IXDneRRXoz
+X1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/sdZ7LoR/x
+fxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVz
+a2Mg9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yyd
+Yhz2rXzdpjEetrHHfoUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMd
+SqlapskD7+3056huirRXhOukP9DuqqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9O
+AP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETrP3iZ8ntxPjzxmKfFGBI/5rso
+M0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVqc5iJWzouE4ge
+v8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z
+09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B
+-----END CERTIFICATE-----
+
+# Issuer: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Subject: CN=Go Daddy Root Certificate Authority - G2 O=GoDaddy.com, Inc.
+# Label: "Go Daddy Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: 80:3a:bc:22:c1:e6:fb:8d:9b:3b:27:4a:32:1b:9a:01
+# SHA1 Fingerprint: 47:be:ab:c9:22:ea:e8:0e:78:78:34:62:a7:9f:45:c2:54:fd:e6:8b
+# SHA256 Fingerprint: 45:14:0b:32:47:eb:9c:c8:c5:b4:f0:d7:b5:30:91:f7:32:92:08:9e:6e:5a:63:e2:74:9d:d3:ac:a9:19:8e:da
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
+NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
+AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
+E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
+/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
+DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
+GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
+tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
+AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
+FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
+WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
+9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
+gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
+2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
+LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
+4uJEvlz36hz1
+-----END CERTIFICATE-----
+
+# Issuer: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Subject: CN=Starfield Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Label: "Starfield Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: d6:39:81:c6:52:7e:96:69:fc:fc:ca:66:ed:05:f2:96
+# SHA1 Fingerprint: b5:1c:06:7c:ee:2b:0c:3d:f8:55:ab:2d:92:f4:fe:39:d4:e7:0f:0e
+# SHA256 Fingerprint: 2c:e1:cb:0b:f9:d2:f9:e1:02:99:3f:be:21:51:52:c3:b2:dd:0c:ab:de:1c:68:e5:31:9b:83:91:54:db:b7:f5
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
+ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
+MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
+b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
+aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
+Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
+nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
+HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
+Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
+dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
+HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
+CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
+sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
+4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
+8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
+pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
+mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
+-----END CERTIFICATE-----
+
+# Issuer: CN=Starfield Services Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Subject: CN=Starfield Services Root Certificate Authority - G2 O=Starfield Technologies, Inc.
+# Label: "Starfield Services Root Certificate Authority - G2"
+# Serial: 0
+# MD5 Fingerprint: 17:35:74:af:7b:61:1c:eb:f4:f9:3c:e2:ee:40:f9:a2
+# SHA1 Fingerprint: 92:5a:8f:8d:2c:6d:04:e0:66:5f:59:6a:ff:22:d8:63:e8:25:6f:3f
+# SHA256 Fingerprint: 56:8d:69:05:a2:c8:87:08:a4:b3:02:51:90:ed:cf:ed:b1:97:4a:60:6a:13:c6:e5:29:0f:cb:2a:e6:3e:da:b5
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
+HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVs
+ZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5
+MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFy
+ZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2Vy
+dmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20p
+OsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm2
+8xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1K
+Ts9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufe
+hRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk
+6mFBrMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAw
+DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+q
+AdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMI
+bw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSdHynVv/heyNXB
+ve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdByPq1z
+qwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd
+iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn
+0q23KXB56jzaYyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCN
+sSi6
+-----END CERTIFICATE-----
+
+# Issuer: CN=AffirmTrust Commercial O=AffirmTrust
+# Subject: CN=AffirmTrust Commercial O=AffirmTrust
+# Label: "AffirmTrust Commercial"
+# Serial: 8608355977964138876
+# MD5 Fingerprint: 82:92:ba:5b:ef:cd:8a:6f:a6:3d:55:f9:84:f6:d6:b7
+# SHA1 Fingerprint: f9:b5:b6:32:45:5f:9c:be:ec:57:5f:80:dc:e9:6e:2c:c7:b2:78:b7
+# SHA256 Fingerprint: 03:76:ab:1d:54:c5:f9:80:3c:e4:b2:e2:01:a0:ee:7e:ef:7b:57:b6:36:e8:a9:3c:9b:8d:48:60:c9:6f:5f:a7
+-----BEGIN CERTIFICATE-----
+MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
+BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
+dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
+MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
+cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP
+Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr
+ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL
+MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1
+yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr
+VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/
+nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG
+XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj
+vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt
+Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g
+N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC
+nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
+-----END CERTIFICATE-----
+
+# Issuer: CN=AffirmTrust Networking O=AffirmTrust
+# Subject: CN=AffirmTrust Networking O=AffirmTrust
+# Label: "AffirmTrust Networking"
+# Serial: 8957382827206547757
+# MD5 Fingerprint: 42:65:ca:be:01:9a:9a:4c:a9:8c:41:49:cd:c0:d5:7f
+# SHA1 Fingerprint: 29:36:21:02:8b:20:ed:02:f5:66:c5:32:d1:d6:ed:90:9f:45:00:2f
+# SHA256 Fingerprint: 0a:81:ec:5a:92:97:77:f1:45:90:4a:f3:8d:5d:50:9f:66:b5:e2:c5:8f:cd:b5:31:05:8b:0e:17:f3:f0:b4:1b
+-----BEGIN CERTIFICATE-----
+MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
+BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
+dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL
+MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
+cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y
+YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua
+kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL
+QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp
+6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG
+yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i
+QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
+KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO
+tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu
+QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ
+Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u
+olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48
+x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s=
+-----END CERTIFICATE-----
+
+# Issuer: CN=AffirmTrust Premium O=AffirmTrust
+# Subject: CN=AffirmTrust Premium O=AffirmTrust
+# Label: "AffirmTrust Premium"
+# Serial: 7893706540734352110
+# MD5 Fingerprint: c4:5d:0e:48:b6:ac:28:30:4e:0a:bc:f9:38:16:87:57
+# SHA1 Fingerprint: d8:a6:33:2c:e0:03:6f:b1:85:f6:63:4f:7d:6a:06:65:26:32:28:27
+# SHA256 Fingerprint: 70:a7:3f:7f:37:6b:60:07:42:48:90:45:34:b1:14:82:d5:bf:0e:69:8e:cc:49:8d:f5:25:77:eb:f2:e9:3b:9a
+-----BEGIN CERTIFICATE-----
+MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE
+BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz
+dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG
+A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U
+cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf
+qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ
+JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ
++jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS
+s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5
+HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7
+70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG
+V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S
+qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S
+5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia
+C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX
+OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE
+FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2
+KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg
+Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B
+8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ
+MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc
+0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ
+u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF
+u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH
+YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8
+GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO
+RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e
+KeC2uAloGRwYQw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=AffirmTrust Premium ECC O=AffirmTrust
+# Subject: CN=AffirmTrust Premium ECC O=AffirmTrust
+# Label: "AffirmTrust Premium ECC"
+# Serial: 8401224907861490260
+# MD5 Fingerprint: 64:b0:09:55:cf:b1:d5:99:e2:be:13:ab:a6:5d:ea:4d
+# SHA1 Fingerprint: b8:23:6b:00:2f:1d:16:86:53:01:55:6c:11:a4:37:ca:eb:ff:c3:bb
+# SHA256 Fingerprint: bd:71:fd:f6:da:97:e4:cf:62:d1:64:7a:dd:25:81:b0:7d:79:ad:f8:39:7e:b4:ec:ba:9c:5e:84:88:82:14:23
+-----BEGIN CERTIFICATE-----
+MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC
+VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ
+cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ
+BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt
+VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D
+0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9
+ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G
+A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G
+A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs
+aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
+flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Subject: CN=Certum Trusted Network CA O=Unizeto Technologies S.A. OU=Certum Certification Authority
+# Label: "Certum Trusted Network CA"
+# Serial: 279744
+# MD5 Fingerprint: d5:e9:81:40:c5:18:69:fc:46:2c:89:75:62:0f:aa:78
+# SHA1 Fingerprint: 07:e0:32:e0:20:b7:2c:3f:19:2f:06:28:a2:59:3a:19:a7:0f:06:9e
+# SHA256 Fingerprint: 5c:58:46:8d:55:f5:8e:49:7e:74:39:82:d2:b5:00:10:b6:d1:65:37:4a:cf:83:a7:d4:a3:2d:b7:68:c4:40:8e
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Certinomis - Autorité Racine O=Certinomis OU=0002 433998903
+# Subject: CN=Certinomis - Autorité Racine O=Certinomis OU=0002 433998903
+# Label: "Certinomis - Autorité Racine"
+# Serial: 1
+# MD5 Fingerprint: 7f:30:78:8c:03:e3:ca:c9:0a:e2:c9:ea:1e:aa:55:1a
+# SHA1 Fingerprint: 2e:14:da:ec:28:f0:fa:1e:8e:38:9a:4e:ab:eb:26:c0:0a:d3:83:c3
+# SHA256 Fingerprint: fc:bf:e2:88:62:06:f7:2b:27:59:3c:8b:07:02:97:e1:2d:76:9e:d1:0e:d7:93:07:05:a8:09:8e:ff:c1:4d:17
+-----BEGIN CERTIFICATE-----
+MIIFnDCCA4SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJGUjET
+MBEGA1UEChMKQ2VydGlub21pczEXMBUGA1UECxMOMDAwMiA0MzM5OTg5MDMxJjAk
+BgNVBAMMHUNlcnRpbm9taXMgLSBBdXRvcml0w6kgUmFjaW5lMB4XDTA4MDkxNzA4
+Mjg1OVoXDTI4MDkxNzA4Mjg1OVowYzELMAkGA1UEBhMCRlIxEzARBgNVBAoTCkNl
+cnRpbm9taXMxFzAVBgNVBAsTDjAwMDIgNDMzOTk4OTAzMSYwJAYDVQQDDB1DZXJ0
+aW5vbWlzIC0gQXV0b3JpdMOpIFJhY2luZTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+ADCCAgoCggIBAJ2Fn4bT46/HsmtuM+Cet0I0VZ35gb5j2CN2DpdUzZlMGvE5x4jY
+F1AMnmHawE5V3udauHpOd4cN5bjr+p5eex7Ezyh0x5P1FMYiKAT5kcOrJ3NqDi5N
+8y4oH3DfVS9O7cdxbwlyLu3VMpfQ8Vh30WC8Tl7bmoT2R2FFK/ZQpn9qcSdIhDWe
+rP5pqZ56XjUl+rSnSTV3lqc2W+HN3yNw2F1MpQiD8aYkOBOo7C+ooWfHpi2GR+6K
+/OybDnT0K0kCe5B1jPyZOQE51kqJ5Z52qz6WKDgmi92NjMD2AR5vpTESOH2VwnHu
+7XSu5DaiQ3XV8QCb4uTXzEIDS3h65X27uK4uIJPT5GHfceF2Z5c/tt9qc1pkIuVC
+28+BA5PY9OMQ4HL2AHCs8MF6DwV/zzRpRbWT5BnbUhYjBYkOjUjkJW+zeL9i9Qf6
+lSTClrLooyPCXQP8w9PlfMl1I9f09bze5N/NgL+RiH2nE7Q5uiy6vdFrzPOlKO1E
+nn1So2+WLhl+HPNbxxaOu2B9d2ZHVIIAEWBsMsGoOBvrbpgT1u449fCfDu/+MYHB
+0iSVL1N6aaLwD4ZFjliCK0wi1F6g530mJ0jfJUaNSih8hp75mxpZuWW/Bd22Ql09
+5gBIgl4g9xGC3srYn+Y3RyYe63j3YcNBZFgCQfna4NH4+ej9Uji29YnfAgMBAAGj
+WzBZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQN
+jLZh2kS40RR9w759XkjwzspqsDAXBgNVHSAEEDAOMAwGCiqBegFWAgIAAQEwDQYJ
+KoZIhvcNAQEFBQADggIBACQ+YAZ+He86PtvqrxyaLAEL9MW12Ukx9F1BjYkMTv9s
+ov3/4gbIOZ/xWqndIlgVqIrTseYyCYIDbNc/CMf4uboAbbnW/FIyXaR/pDGUu7ZM
+OH8oMDX/nyNTt7buFHAAQCvaR6s0fl6nVjBhK4tDrP22iCj1a7Y+YEq6QpA0Z43q
+619FVDsXrIvkxmUP7tCMXWY5zjKn2BCXwH40nJ+U8/aGH88bc62UeYdocMMzpXDn
+2NU4lG9jeeu/Cg4I58UvD0KgKxRA/yHgBcUn4YQRE7rWhh1BCxMjidPJC+iKunqj
+o3M3NYB9Ergzd0A4wPpeMNLytqOx1qKVl4GbUu1pTP+A5FPbVFsDbVRfsbjvJL1v
+nxHDx2TCDyhihWZeGnuyt++uNckZM6i4J9szVb9o4XVIRFb7zdNIu0eJOqxp9YDG
+5ERQL1TEqkPFMTFYvZbF6nVsmnWxTfj3l/+WFvKXTej28xH5On2KOG4Ey+HTRRWq
+pdEdnV1j6CTmNhTih60bWfVEm/vXd3wfAXBioSAaosUaKPQhA+4u2cGA6rnZgtZb
+dsLLO7XSAPCjDuGtbkD326C00EauFddEwk01+dIL8hf2rGbVJLJP0RyZwG71fet0
+BLj5TXcJ17TPBzAJ8bgAVtkXFhYKK4bfjwEZGuW7gmP/vgt2Fl43N+bYdJeimUV5
+-----END CERTIFICATE-----
+
+# Issuer: CN=Root CA Generalitat Valenciana O=Generalitat Valenciana OU=PKIGVA
+# Subject: CN=Root CA Generalitat Valenciana O=Generalitat Valenciana OU=PKIGVA
+# Label: "Root CA Generalitat Valenciana"
+# Serial: 994436456
+# MD5 Fingerprint: 2c:8c:17:5e:b1:54:ab:93:17:b5:36:5a:db:d1:c6:f2
+# SHA1 Fingerprint: a0:73:e5:c5:bd:43:61:0d:86:4c:21:13:0a:85:58:57:cc:9c:ea:46
+# SHA256 Fingerprint: 8c:4e:df:d0:43:48:f3:22:96:9e:7e:29:a4:cd:4d:ca:00:46:55:06:1c:16:e1:b0:76:42:2e:f3:42:ad:63:0e
+-----BEGIN CERTIFICATE-----
+MIIGizCCBXOgAwIBAgIEO0XlaDANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJF
+UzEfMB0GA1UEChMWR2VuZXJhbGl0YXQgVmFsZW5jaWFuYTEPMA0GA1UECxMGUEtJ
+R1ZBMScwJQYDVQQDEx5Sb290IENBIEdlbmVyYWxpdGF0IFZhbGVuY2lhbmEwHhcN
+MDEwNzA2MTYyMjQ3WhcNMjEwNzAxMTUyMjQ3WjBoMQswCQYDVQQGEwJFUzEfMB0G
+A1UEChMWR2VuZXJhbGl0YXQgVmFsZW5jaWFuYTEPMA0GA1UECxMGUEtJR1ZBMScw
+JQYDVQQDEx5Sb290IENBIEdlbmVyYWxpdGF0IFZhbGVuY2lhbmEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGKqtXETcvIorKA3Qdyu0togu8M1JAJke+
+WmmmO3I2F0zo37i7L3bhQEZ0ZQKQUgi0/6iMweDHiVYQOTPvaLRfX9ptI6GJXiKj
+SgbwJ/BXufjpTjJ3Cj9BZPPrZe52/lSqfR0grvPXdMIKX/UIKFIIzFVd0g/bmoGl
+u6GzwZTNVOAydTGRGmKy3nXiz0+J2ZGQD0EbtFpKd71ng+CT516nDOeB0/RSrFOy
+A8dEJvt55cs0YFAQexvba9dHq198aMpunUEDEO5rmXteJajCq+TA81yc477OMUxk
+Hl6AovWDfgzWyoxVjr7gvkkHD6MkQXpYHYTqWBLI4bft75PelAgxAgMBAAGjggM7
+MIIDNzAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnBr
+aS5ndmEuZXMwEgYDVR0TAQH/BAgwBgEB/wIBAjCCAjQGA1UdIASCAiswggInMIIC
+IwYKKwYBBAG/VQIBADCCAhMwggHoBggrBgEFBQcCAjCCAdoeggHWAEEAdQB0AG8A
+cgBpAGQAYQBkACAAZABlACAAQwBlAHIAdABpAGYAaQBjAGEAYwBpAPMAbgAgAFIA
+YQDtAHoAIABkAGUAIABsAGEAIABHAGUAbgBlAHIAYQBsAGkAdABhAHQAIABWAGEA
+bABlAG4AYwBpAGEAbgBhAC4ADQAKAEwAYQAgAEQAZQBjAGwAYQByAGEAYwBpAPMA
+bgAgAGQAZQAgAFAAcgDhAGMAdABpAGMAYQBzACAAZABlACAAQwBlAHIAdABpAGYA
+aQBjAGEAYwBpAPMAbgAgAHEAdQBlACAAcgBpAGcAZQAgAGUAbAAgAGYAdQBuAGMA
+aQBvAG4AYQBtAGkAZQBuAHQAbwAgAGQAZQAgAGwAYQAgAHAAcgBlAHMAZQBuAHQA
+ZQAgAEEAdQB0AG8AcgBpAGQAYQBkACAAZABlACAAQwBlAHIAdABpAGYAaQBjAGEA
+YwBpAPMAbgAgAHMAZQAgAGUAbgBjAHUAZQBuAHQAcgBhACAAZQBuACAAbABhACAA
+ZABpAHIAZQBjAGMAaQDzAG4AIAB3AGUAYgAgAGgAdAB0AHAAOgAvAC8AdwB3AHcA
+LgBwAGsAaQAuAGcAdgBhAC4AZQBzAC8AYwBwAHMwJQYIKwYBBQUHAgEWGWh0dHA6
+Ly93d3cucGtpLmd2YS5lcy9jcHMwHQYDVR0OBBYEFHs100DSHHgZZu90ECjcPk+y
+eAT8MIGVBgNVHSMEgY0wgYqAFHs100DSHHgZZu90ECjcPk+yeAT8oWykajBoMQsw
+CQYDVQQGEwJFUzEfMB0GA1UEChMWR2VuZXJhbGl0YXQgVmFsZW5jaWFuYTEPMA0G
+A1UECxMGUEtJR1ZBMScwJQYDVQQDEx5Sb290IENBIEdlbmVyYWxpdGF0IFZhbGVu
+Y2lhbmGCBDtF5WgwDQYJKoZIhvcNAQEFBQADggEBACRhTvW1yEICKrNcda3Fbcrn
+lD+laJWIwVTAEGmiEi8YPyVQqHxK6sYJ2fR1xkDar1CdPaUWu20xxsdzCkj+IHLt
+b8zog2EWRpABlUt9jppSCS/2bxzkoXHPjCpaF3ODR00PNvsETUlR4hTJZGH71BTg
+9J63NI8KJr2XXPR5OkowGcytT6CYirQxlyric21+eLj4iIlPsSKRZEv1UN4D2+XF
+ducTZnV+ZfsBn5OHiJ35Rld8TWCvmHMTI6QgkYH60GFmuH3Rr9ZvHmw96RH9qfmC
+IoaZM3Fa6hlXPZHNqcCjbgcTpsnt+GijnsNacgmHKNHEc8RzGF9QdRYxn7fofMM=
+-----END CERTIFICATE-----
+
+# Issuer: CN=A-Trust-nQual-03 O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH OU=A-Trust-nQual-03
+# Subject: CN=A-Trust-nQual-03 O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH OU=A-Trust-nQual-03
+# Label: "A-Trust-nQual-03"
+# Serial: 93214
+# MD5 Fingerprint: 49:63:ae:27:f4:d5:95:3d:d8:db:24:86:b8:9c:07:53
+# SHA1 Fingerprint: d3:c0:63:f2:19:ed:07:3e:34:ad:5d:75:0b:32:76:29:ff:d5:9a:f2
+# SHA256 Fingerprint: 79:3c:bf:45:59:b9:fd:e3:8a:b2:2d:f1:68:69:f6:98:81:ae:14:c4:b0:13:9a:c7:88:a7:8a:1a:fc:ca:02:fb
+-----BEGIN CERTIFICATE-----
+MIIDzzCCAregAwIBAgIDAWweMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJB
+VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
+bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYDVQQLDBBBLVRydXN0LW5R
+dWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAzMB4XDTA1MDgxNzIyMDAw
+MFoXDTE1MDgxNzIyMDAwMFowgY0xCzAJBgNVBAYTAkFUMUgwRgYDVQQKDD9BLVRy
+dXN0IEdlcy4gZi4gU2ljaGVyaGVpdHNzeXN0ZW1lIGltIGVsZWt0ci4gRGF0ZW52
+ZXJrZWhyIEdtYkgxGTAXBgNVBAsMEEEtVHJ1c3QtblF1YWwtMDMxGTAXBgNVBAMM
+EEEtVHJ1c3QtblF1YWwtMDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCtPWFuA/OQO8BBC4SAzewqo51ru27CQoT3URThoKgtUaNR8t4j8DRE/5TrzAUj
+lUC5B3ilJfYKvUWG6Nm9wASOhURh73+nyfrBJcyFLGM/BWBzSQXgYHiVEEvc+RFZ
+znF/QJuKqiTfC0Li21a8StKlDJu3Qz7dg9MmEALP6iPESU7l0+m0iKsMrmKS1GWH
+2WrX9IWf5DMiJaXlyDO6w8dB3F/GaswADm0yqLaHNgBid5seHzTLkDx4iHQF63n1
+k3Flyp3HaxgtPVxO59X4PzF9j4fsCiIvI+n+u33J4PTs63zEsMMtYrWacdaxaujs
+2e3Vcuy+VwHOBVWf3tFgiBCzAgMBAAGjNjA0MA8GA1UdEwEB/wQFMAMBAf8wEQYD
+VR0OBAoECERqlWdVeRFPMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC
+AQEAVdRU0VlIXLOThaq/Yy/kgM40ozRiPvbY7meIMQQDbwvUB/tOdQ/TLtPAF8fG
+KOwGDREkDg6lXb+MshOWcdzUzg4NCmgybLlBMRmrsQd7TZjTXLDR8KdCoLXEjq/+
+8T/0709GAHbrAvv5ndJAlseIOrifEXnzgGWovR/TeIGgUUw3tKZdJXDRZslo+S4R
+FGjxVJgIrCaSD96JntT6s3kr0qN51OyLrIdTaEJMUVF0HhsnLuP1Hyl0Te2v9+GS
+mYHovjrHF1D2t8b8m7CKa9aIA5GPBnc6hQLdmNVDeD/GMBWsm2vLV7eJUYs66MmE
+DNuxUCAKGkq6ahq97BvIxYSazQ==
+-----END CERTIFICATE-----
+
+# Issuer: CN=TWCA Root Certification Authority O=TAIWAN-CA OU=Root CA
+# Subject: CN=TWCA Root Certification Authority O=TAIWAN-CA OU=Root CA
+# Label: "TWCA Root Certification Authority"
+# Serial: 1
+# MD5 Fingerprint: aa:08:8f:f6:f9:7b:b7:f2:b1:a7:1e:9b:ea:ea:bd:79
+# SHA1 Fingerprint: cf:9e:87:6d:d3:eb:fc:42:26:97:a3:b5:a3:7a:a0:76:a9:06:23:48
+# SHA256 Fingerprint: bf:d8:8f:e1:10:1c:41:ae:3e:80:1b:f8:be:56:35:0e:e9:ba:d1:a6:b9:bd:51:5e:dc:5c:6d:5b:87:11:ac:44
+-----BEGIN CERTIFICATE-----
+MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzES
+MBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU
+V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMz
+WhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO
+LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlm
+aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFE
+AcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HH
+K3XLfJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeX
+RfwZVzsrb+RH9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/z
+rX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx
+3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkq
+hkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeC
+MErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdls
+XebQ79NqZp4VKIV66IIArB6nCWlWQtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62D
+lhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvn
+aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ
+YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw==
+-----END CERTIFICATE-----
+
+# Issuer: O=SECOM Trust Systems CO.,LTD. OU=Security Communication RootCA2
+# Subject: O=SECOM Trust Systems CO.,LTD. OU=Security Communication RootCA2
+# Label: "Security Communication RootCA2"
+# Serial: 0
+# MD5 Fingerprint: 6c:39:7d:a4:0e:55:59:b2:3f:d6:41:b1:12:50:de:43
+# SHA1 Fingerprint: 5f:3b:8c:f2:f8:10:b3:7d:78:b4:ce:ec:19:19:c3:73:34:b9:c7:74
+# SHA256 Fingerprint: 51:3b:2c:ec:b8:10:d4:cd:e5:dd:85:39:1a:df:c6:c2:dd:60:d8:7b:b7:36:d2:b5:21:48:4a:a4:7a:0e:be:f6
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDEl
+MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe
+U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoX
+DTI5MDUyOTA1MDAzOVowXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09NIFRy
+dXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11bmlj
+YXRpb24gUm9vdENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAV
+OVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2l9amZIyoXvDjChz335c9S672XewhtUGr
+zbl+dp+++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq1LXaQZAQwdbWQonCv/Q4EpVM
+VAX3NuRFg3sUZdbcDE3R3n4MqzvEFb46VqZab3ZpUql6ucjrappdUtAtCms1FgkQ
+hNBqyjoGADdH5H5XTz+L62e4iKrFvlNVspHEfbmwhRkGeC7bYRr6hfVKkaHnFtWO
+ojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1KEOtOghY6rCcMU/Gt1SSw
+awNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8QIH4D5cs
+OPEK7DzPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBMOqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpF
+coJxDjrSzG+ntKEju/Ykn8sX/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXc
+okgfGT+Ok+vx+hfuzU7jBBJV1uXk3fs+BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8
+t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6qtnRGEmyR7jTV7JqR50S+kDFy
+1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29mvVXIwAHIRc/
+SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03
+-----END CERTIFICATE-----
+
+# Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011 O=Hellenic Academic and Research Institutions Cert. Authority
+# Subject: CN=Hellenic Academic and Research Institutions RootCA 2011 O=Hellenic Academic and Research Institutions Cert. Authority
+# Label: "Hellenic Academic and Research Institutions RootCA 2011"
+# Serial: 0
+# MD5 Fingerprint: 73:9f:4c:4b:73:5b:79:e9:fa:ba:1c:ef:6e:cb:d5:c9
+# SHA1 Fingerprint: fe:45:65:9b:79:03:5b:98:a1:61:b5:51:2e:ac:da:58:09:48:22:4d
+# SHA256 Fingerprint: bc:10:4f:15:a4:8b:e7:09:dc:a5:42:a7:e1:d4:b9:df:6f:05:45:27:e8:02:ea:a9:2d:59:54:44:25:8a:fe:71
+-----BEGIN CERTIFICATE-----
+MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1Ix
+RDBCBgNVBAoTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1
+dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1p
+YyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIFJvb3RDQSAyMDExMB4XDTExMTIw
+NjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYTAkdSMUQwQgYDVQQK
+EztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENl
+cnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
+c2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPz
+dYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJ
+fel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa71HFK9+WXesyHgLacEns
+bgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u8yBRQlqD
+75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSP
+FEDH3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp
+5dgTBCPuQSUwRwYDVR0eBEAwPqA8MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQu
+b3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQub3JnMA0GCSqGSIb3DQEBBQUA
+A4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVtXdMiKahsog2p
+6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8
+TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7
+dIsXRSZMFpGD/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8Acys
+Nnq/onN694/BtZqhFLKPM58N7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXI
+l7WdmplNsDz4SgCbZN2fOUvRJ9e4
+-----END CERTIFICATE-----
+
+# Issuer: CN=Actalis Authentication Root CA O=Actalis S.p.A./03358520967
+# Subject: CN=Actalis Authentication Root CA O=Actalis S.p.A./03358520967
+# Label: "Actalis Authentication Root CA"
+# Serial: 6271844772424770508
+# MD5 Fingerprint: 69:c1:0d:4f:07:a3:1b:c3:fe:56:3d:04:bc:11:f6:a6
+# SHA1 Fingerprint: f3:73:b3:87:06:5a:28:84:8a:f2:f3:4a:ce:19:2b:dd:c7:8e:9c:ac
+# SHA256 Fingerprint: 55:92:60:84:ec:96:3a:64:b9:6e:2a:be:01:ce:0b:a8:6a:64:fb:fe:bc:c7:aa:b5:af:c1:55:b3:7f:d7:60:66
+-----BEGIN CERTIFICATE-----
+MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
+BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w
+MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290
+IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC
+SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1
+ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv
+UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX
+4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9
+KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/
+gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb
+rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ
+51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F
+be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe
+KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F
+v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn
+fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7
+jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz
+ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt
+ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL
+e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70
+jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz
+WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V
+SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j
+pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX
+X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok
+fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R
+K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU
+ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU
+LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT
+LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
+-----END CERTIFICATE-----
+
+# Issuer: O=Trustis Limited OU=Trustis FPS Root CA
+# Subject: O=Trustis Limited OU=Trustis FPS Root CA
+# Label: "Trustis FPS Root CA"
+# Serial: 36053640375399034304724988975563710553
+# MD5 Fingerprint: 30:c9:e7:1e:6b:e6:14:eb:65:b2:16:69:20:31:67:4d
+# SHA1 Fingerprint: 3b:c0:38:0b:33:c3:f6:a6:0c:86:15:22:93:d9:df:f5:4b:81:c0:04
+# SHA256 Fingerprint: c1:b4:82:99:ab:a5:20:8f:e9:63:0a:ce:55:ca:68:a0:3e:da:5a:51:9c:88:02:a0:d3:a6:73:be:8f:8e:55:7d
+-----BEGIN CERTIFICATE-----
+MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF
+MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL
+ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx
+MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc
+MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+
+AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH
+iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj
+vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA
+0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB
+OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/
+BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E
+FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01
+GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW
+zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4
+1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE
+f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F
+jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN
+ZetX2fNXlrtIzYE=
+-----END CERTIFICATE-----
+
+# Issuer: CN=StartCom Certification Authority O=StartCom Ltd. OU=Secure Digital Certificate Signing
+# Subject: CN=StartCom Certification Authority O=StartCom Ltd. OU=Secure Digital Certificate Signing
+# Label: "StartCom Certification Authority"
+# Serial: 45
+# MD5 Fingerprint: c9:3b:0d:84:41:fc:a4:76:79:23:08:57:de:10:19:16
+# SHA1 Fingerprint: a3:f1:33:3f:e2:42:bf:cf:c5:d1:4e:8f:39:42:98:40:68:10:d1:a0
+# SHA256 Fingerprint: e1:78:90:ee:09:a3:fb:f4:f4:8b:9c:41:4a:17:d6:37:b7:a5:06:47:e9:bc:75:23:22:72:7f:cc:17:42:a9:11
+-----BEGIN CERTIFICATE-----
+MIIHhzCCBW+gAwIBAgIBLTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJJTDEW
+MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
+Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
+dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM3WhcNMzYwOTE3MTk0NjM2WjB9
+MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
+U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
+cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk
+pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
+OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C
+Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT
+Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi
+HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM
+Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w
++2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+
+Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3
+Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
+26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID
+AQABo4ICEDCCAgwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
+VR0OBBYEFE4L7xqkQFulF2mHMMo0aEPQQa7yMB8GA1UdIwQYMBaAFE4L7xqkQFul
+F2mHMMo0aEPQQa7yMIIBWgYDVR0gBIIBUTCCAU0wggFJBgsrBgEEAYG1NwEBATCC
+ATgwLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5w
+ZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cuc3RhcnRzc2wuY29tL2ludGVybWVk
+aWF0ZS5wZGYwgc8GCCsGAQUFBwICMIHCMCcWIFN0YXJ0IENvbW1lcmNpYWwgKFN0
+YXJ0Q29tKSBMdGQuMAMCAQEagZZMaW1pdGVkIExpYWJpbGl0eSwgcmVhZCB0aGUg
+c2VjdGlvbiAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRoZSBTdGFydENvbSBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly93
+d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwEQYJYIZIAYb4QgEBBAQDAgAHMDgG
+CWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNTTCBDZXJ0aWZpY2F0aW9uIEF1
+dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAgEAjo/n3JR5fPGFf59Jb2vKXfuM/gTF
+wWLRfUKKvFO3lANmMD+x5wqnUCBVJX92ehQN6wQOQOY+2IirByeDqXWmN3PH/UvS
+Ta0XQMhGvjt/UfzDtgUx3M2FIk5xt/JxXrAaxrqTi3iSSoX4eA+D/i+tLPfkpLst
+0OcNOrg+zvZ49q5HJMqjNTbOx8aHmNrs++myziebiMMEofYLWWivydsQD032ZGNc
+pRJvkrKTlMeIFw6Ttn5ii5B/q06f/ON1FE8qMt9bDeD1e5MNq6HPh+GlBEXoPBKl
+CcWw0bdT82AUuoVpaiF8H3VhFyAXe2w7QSlc4axa0c2Mm+tgHRns9+Ww2vl5GKVF
+P0lDV9LdJNUso/2RjSe15esUBppMeyG7Oq0wBhjA2MFrLH9ZXF2RsXAiV+uKa0hK
+1Q8p7MZAwC+ITGgBF3f0JBlPvfrhsiAhS90a2Cl9qrjeVOwhVYBsHvUwyKMQ5bLm
+KhQxw4UtjJixhlpPiVktucf3HMiKf8CdBUrmQk9io20ppB+Fq9vlgcitKj1MXVuE
+JnHEhV5xJMqlG2zYYdMa4FTbzrqpMrUi9nNBCV24F10OD5mQ1kfabwo6YigUZ4LZ
+8dCAWZvLMdibD4x3TrVoivJs9iQOLWxwxXPR3hTQcY+203sC9uO41Alua551hDnm
+fyWl8kgAwKQB2j8=
+-----END CERTIFICATE-----
+
+# Issuer: CN=StartCom Certification Authority G2 O=StartCom Ltd.
+# Subject: CN=StartCom Certification Authority G2 O=StartCom Ltd.
+# Label: "StartCom Certification Authority G2"
+# Serial: 59
+# MD5 Fingerprint: 78:4b:fb:9e:64:82:0a:d3:b8:4c:62:f3:64:f2:90:64
+# SHA1 Fingerprint: 31:f1:fd:68:22:63:20:ee:c6:3b:3f:9d:ea:4a:3e:53:7c:7c:39:17
+# SHA256 Fingerprint: c7:ba:65:67:de:93:a7:98:ae:1f:aa:79:1e:71:2d:37:8f:ae:1f:93:c4:39:7f:ea:44:1b:b7:cb:e6:fd:59:95
+-----BEGIN CERTIFICATE-----
+MIIFYzCCA0ugAwIBAgIBOzANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJJTDEW
+MBQGA1UEChMNU3RhcnRDb20gTHRkLjEsMCoGA1UEAxMjU3RhcnRDb20gQ2VydGlm
+aWNhdGlvbiBBdXRob3JpdHkgRzIwHhcNMTAwMTAxMDEwMDAxWhcNMzkxMjMxMjM1
+OTAxWjBTMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEsMCoG
+A1UEAxMjU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgRzIwggIiMA0G
+CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2iTZbB7cgNr2Cu+EWIAOVeq8Oo1XJ
+JZlKxdBWQYeQTSFgpBSHO839sj60ZwNq7eEPS8CRhXBF4EKe3ikj1AENoBB5uNsD
+vfOpL9HG4A/LnooUCri99lZi8cVytjIl2bLzvWXFDSxu1ZJvGIsAQRSCb0AgJnoo
+D/Uefyf3lLE3PbfHkffiAez9lInhzG7TNtYKGXmu1zSCZf98Qru23QumNK9LYP5/
+Q0kGi4xDuFby2X8hQxfqp0iVAXV16iulQ5XqFYSdCI0mblWbq9zSOdIxHWDirMxW
+RST1HFSr7obdljKF+ExP6JV2tgXdNiNnvP8V4so75qbsO+wmETRIjfaAKxojAuuK
+HDp2KntWFhxyKrOq42ClAJ8Em+JvHhRYW6Vsi1g8w7pOOlz34ZYrPu8HvKTlXcxN
+nw3h3Kq74W4a7I/htkxNeXJdFzULHdfBR9qWJODQcqhaX2YtENwvKhOuJv4KHBnM
+0D4LnMgJLvlblnpHnOl68wVQdJVznjAJ85eCXuaPOQgeWeU1FEIT/wCc976qUM/i
+UUjXuG+v+E5+M5iSFGI6dWPPe/regjupuznixL0sAA7IF6wT700ljtizkC+p2il9
+Ha90OrInwMEePnWjFqmveiJdnxMaz6eg6+OGCtP95paV1yPIN93EfKo2rJgaErHg
+TuixO/XWb/Ew1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
+AwIBBjAdBgNVHQ4EFgQUS8W0QGutHLOlHGVuRjaJhwUMDrYwDQYJKoZIhvcNAQEL
+BQADggIBAHNXPyzVlTJ+N9uWkusZXn5T50HsEbZH77Xe7XRcxfGOSeD8bpkTzZ+K
+2s06Ctg6Wgk/XzTQLwPSZh0avZyQN8gMjgdalEVGKua+etqhqaRpEpKwfTbURIfX
+UfEpY9Z1zRbkJ4kd+MIySP3bmdCPX1R0zKxnNBFi2QwKN4fRoxdIjtIXHfbX/dtl
+6/2o1PXWT6RbdejF0mCy2wl+JYt7ulKSnj7oxXehPOBKc2thz4bcQ///If4jXSRK
+9dNtD2IEBVeC2m6kMyV5Sy5UGYvMLD0w6dEG/+gyRr61M3Z3qAFdlsHB1b6uJcDJ
+HgoJIIihDsnzb02CVAAgp9KP5DlUFy6NHrgbuxu9mk47EDTcnIhT76IxW1hPkWLI
+wpqazRVdOKnWvvgTtZ8SafJQYqz7Fzf07rh1Z2AQ+4NQ+US1dZxAF7L+/XldblhY
+XzD8AK6vM8EOTmy6p6ahfzLbOOCxchcKK5HsamMm7YnUeMx0HgX4a/6ManY5Ka5l
+IxKVCCIcl85bBu4M4ru8H0ST9tg4RQUh7eStqxK2A6RCLi3ECToDZ2mEmuFZkIoo
+hdVddLHRDiBYmxOlsGOm7XtH/UVVMKTumtTm4ofvmMkyghEpIrwACjFeLQ/Ajulr
+so8uBtjRkcfGEvRM/TAXw8HaOFvjqermobp573PYtlNXLfbQ4ddI
+-----END CERTIFICATE-----
+
+# Issuer: CN=Buypass Class 2 Root CA O=Buypass AS-983163327
+# Subject: CN=Buypass Class 2 Root CA O=Buypass AS-983163327
+# Label: "Buypass Class 2 Root CA"
+# Serial: 2
+# MD5 Fingerprint: 46:a7:d2:fe:45:fb:64:5a:a8:59:90:9b:78:44:9b:29
+# SHA1 Fingerprint: 49:0a:75:74:de:87:0a:47:fe:58:ee:f6:c7:6b:eb:c6:0b:12:40:99
+# SHA256 Fingerprint: 9a:11:40:25:19:7c:5b:b9:5d:94:e6:3d:55:cd:43:79:08:47:b6:46:b2:3c:df:11:ad:a4:a0:0e:ff:15:fb:48
+-----BEGIN CERTIFICATE-----
+MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
+MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
+Q2xhc3MgMiBSb290IENBMB4XDTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1ow
+TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
+HgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
+BQADggIPADCCAgoCggIBANfHXvfBB9R3+0Mh9PT1aeTuMgHbo4Yf5FkNuud1g1Lr
+6hxhFUi7HQfKjK6w3Jad6sNgkoaCKHOcVgb/S2TwDCo3SbXlzwx87vFKu3MwZfPV
+L4O2fuPn9Z6rYPnT8Z2SdIrkHJasW4DptfQxh6NR/Md+oW+OU3fUl8FVM5I+GC91
+1K2GScuVr1QGbNgGE41b/+EmGVnAJLqBcXmQRFBoJJRfuLMR8SlBYaNByyM21cHx
+MlAQTn/0hpPshNOOvEu/XAFOBz3cFIqUCqTqc/sLUegTBxj6DvEr0VQVfTzh97QZ
+QmdiXnfgolXsttlpF9U6r0TtSsWe5HonfOV116rLJeffawrbD02TTqigzXsu8lkB
+arcNuAeBfos4GzjmCleZPe4h6KP1DBbdi+w0jpwqHAAVF41og9JwnxgIzRFo1clr
+Us3ERo/ctfPYV3Me6ZQ5BL/T3jjetFPsaRyifsSP5BtwrfKi+fv3FmRmaZ9JUaLi
+FRhnBkp/1Wy1TbMz4GHrXb7pmA8y1x1LPC5aAVKRCfLf6o3YBkBjqhHk/sM3nhRS
+P/TizPJhk9H9Z2vXUq6/aKtAQ6BXNVN48FP4YUIHZMbXb5tMOA1jrGKvNouicwoN
+9SG9dKpN6nIDSdvHXx1iY8f93ZHsM+71bbRuMGjeyNYmsHVee7QHIJihdjK4TWxP
+AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMmAd+BikoL1Rpzz
+uvdMw964o605MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAU18h
+9bqwOlI5LJKwbADJ784g7wbylp7ppHR/ehb8t/W2+xUbP6umwHJdELFx7rxP462s
+A20ucS6vxOOto70MEae0/0qyexAQH6dXQbLArvQsWdZHEIjzIVEpMMpghq9Gqx3t
+OluwlN5E40EIosHsHdb9T7bWR9AUC8rmyrV7d35BH16Dx7aMOZawP5aBQW9gkOLo
++fsicdl9sz1Gv7SEr5AcD48Saq/v7h56rgJKihcrdv6sVIkkLE8/trKnToyokZf7
+KcZ7XC25y2a2t6hbElGFtQl+Ynhw/qlqYLYdDnkM/crqJIByw5c/8nerQyIKx+u2
+DISCLIBrQYoIwOula9+ZEsuK1V6ADJHgJgg2SMX6OBE1/yWDLfJ6v9r9jv6ly0Us
+H8SIU653DtmadsWOLB2jutXsMq7Aqqz30XpN69QH4kj3Io6wpJ9qzo6ysmD0oyLQ
+I+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK7
+5t98biGCwWg5TbSYWGZizEqQXsP6JwSxeRV0mcy+rSDeJmAc61ZRpqPq5KM/p/9h
+3PFaTWwyI0PurKju7koSCTxdccK+efrCh2gdC/1cacwG0Jp9VJkqyTkaGa9LKkPz
+Y11aWOIv4x3kqdbQCtCev9eBCfHJxyYNrJgWVqA=
+-----END CERTIFICATE-----
+
+# Issuer: CN=Buypass Class 3 Root CA O=Buypass AS-983163327
+# Subject: CN=Buypass Class 3 Root CA O=Buypass AS-983163327
+# Label: "Buypass Class 3 Root CA"
+# Serial: 2
+# MD5 Fingerprint: 3d:3b:18:9e:2c:64:5a:e8:d5:88:ce:0e:f9:37:c2:ec
+# SHA1 Fingerprint: da:fa:f7:fa:66:84:ec:06:8f:14:50:bd:c7:c2:81:a5:bc:a9:64:57
+# SHA256 Fingerprint: ed:f7:eb:bc:a2:7a:2a:38:4d:38:7b:7d:40:10:c6:66:e2:ed:b4:84:3e:4c:29:b4:ae:1d:5b:93:32:e6:b2:4d
+-----BEGIN CERTIFICATE-----
+MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
+MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
+Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
+TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
+HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
+BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
+ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
+N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
+tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
+0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
+/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
+KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
+zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
+O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
+34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
+K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
+AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
+Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
+QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
+cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
+IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
+HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
+O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
+033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
+dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
+kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
+3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
+u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
+4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
+-----END CERTIFICATE-----
+
+# Issuer: CN=T-TeleSec GlobalRoot Class 3 O=T-Systems Enterprise Services GmbH OU=T-Systems Trust Center
+# Subject: CN=T-TeleSec GlobalRoot Class 3 O=T-Systems Enterprise Services GmbH OU=T-Systems Trust Center
+# Label: "T-TeleSec GlobalRoot Class 3"
+# Serial: 1
+# MD5 Fingerprint: ca:fb:40:a8:4e:39:92:8a:1d:fe:8e:2f:c4:27:ea:ef
+# SHA1 Fingerprint: 55:a6:72:3e:cb:f2:ec:cd:c3:23:74:70:19:9d:2a:be:11:e3:81:d1
+# SHA256 Fingerprint: fd:73:da:d3:1c:64:4f:f1:b4:3b:ef:0c:cd:da:96:71:0b:9c:d9:87:5e:ca:7e:31:70:7a:f3:e9:6d:52:2b:bd
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
+KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
+BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
+YyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1
+OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
+aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
+ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN
+8ELg63iIVl6bmlQdTQyK9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/
+RLyTPWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4
+hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Zf3WHHx+xGwpzJFu5
+ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W0eDrXltM
+EnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGj
+QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1
+A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOy
+WL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ
+1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3wW30
+6gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT
+91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml
+e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p
+TpPDpFQUWw==
+-----END CERTIFICATE-----
+
+# Issuer: CN=EE Certification Centre Root CA O=AS Sertifitseerimiskeskus
+# Subject: CN=EE Certification Centre Root CA O=AS Sertifitseerimiskeskus
+# Label: "EE Certification Centre Root CA"
+# Serial: 112324828676200291871926431888494945866
+# MD5 Fingerprint: 43:5e:88:d4:7d:1a:4a:7e:fd:84:2e:52:eb:01:d4:6f
+# SHA1 Fingerprint: c9:a8:b9:e7:55:80:5e:58:e3:53:77:a7:25:eb:af:c3:7b:27:cc:d7
+# SHA256 Fingerprint: 3e:84:ba:43:42:90:85:16:e7:75:73:c0:99:2f:09:79:ca:08:4e:46:85:68:1f:f1:95:cc:ba:8a:22:9b:8a:76
+-----BEGIN CERTIFICATE-----
+MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1
+MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
+czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG
+CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy
+MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl
+ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS
+b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy
+euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO
+bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw
+WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d
+MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE
+1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/
+zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB
+BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
+BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV
+v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG
+E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
+uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW
+iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v
+GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
+-----END CERTIFICATE-----
diff --git a/tlsdate/config.h b/tlsdate/config.h
new file mode 100644
index 0000000..3347985
--- /dev/null
+++ b/tlsdate/config.h
@@ -0,0 +1,303 @@
+/* config.h. Generated from config.in by configure. */
+/* config.in. Generated from configure.ac by autoheader. */
+
+
+#pragma once
+
+/* _SYS_FEATURE_TESTS_H is Solaris, _FEATURES_H is GCC */
+#if defined( _SYS_FEATURE_TESTS_H) || defined(_FEATURES_H)
+#error "You should include config.h as your first include file"
+#endif
+
+
+
+/* DBus client group */
+#define DBUS_CLIENT_GROUP "root"
+
+/* Another magical number */
+/* #undef EAI_SYSTEM */
+
+/* Defined if we are to build for an Android system */
+#define HAVE_ANDROID 1
+
+/* Define to 1 if you have the <arpa/inet.h> header file. */
+#define HAVE_ARPA_INET_H 1
+
+/* Enable CrOS support */
+/* #undef HAVE_CROS */
+
+/* dbus enabled */
+/* #undef HAVE_DBUS */
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if you have the `fmemopen' function. */
+#define HAVE_FMEMOPEN 1
+
+/* Define to 1 if you have the `funopen' function. */
+#define HAVE_FUNOPEN 1
+
+/* Define to 1 if you have the <getopt.h> header file. */
+#define HAVE_GETOPT_H 1
+
+/* Define to 1 if you have the `gettimeofday' function. */
+#define HAVE_GETTIMEOFDAY 1
+
+/* Define to 1 if you have the <grp.h> header file. */
+#define HAVE_GRP_H 1
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the <linux/rtc.h> header file. */
+#define HAVE_LINUX_RTC_H 1
+
+/* Define to 1 if you have the <mach/clock.h> header file. */
+/* #undef HAVE_MACH_CLOCK_H */
+
+/* Define to 1 if you have the <mach/mach.h> header file. */
+/* #undef HAVE_MACH_MACH_H */
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the <openssl/bio.h> header file. */
+#define HAVE_OPENSSL_BIO_H 1
+
+/* Define to 1 if you have the <openssl/err.h> header file. */
+#define HAVE_OPENSSL_ERR_H 1
+
+/* Define to 1 if you have the <openssl/evp.h> header file. */
+#define HAVE_OPENSSL_EVP_H 1
+
+/* Define to 1 if you have the <openssl/ssl.h> header file. */
+#define HAVE_OPENSSL_SSL_H 1
+
+/* Define to 1 if you have the `prctl' function. */
+#define HAVE_PRCTL 1
+
+/* Define to 1 if you have the `preadv' function. */
+/* #undef HAVE_PREADV */
+
+/* Define to 1 if you have the <pwd.h> header file. */
+#define HAVE_PWD_H 1
+
+/* Define to 1 if you have the `pwritev' function. */
+/* #undef HAVE_PWRITEV */
+
+/* Enable seccomp filter */
+#define HAVE_SECCOMP_FILTER 1
+
+/* Define to 1 if you have the `setresuid' function. */
+#define HAVE_SETRESUID 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdio.h> header file. */
+#define HAVE_STDIO_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strchrnul' function. */
+/* #undef HAVE_STRCHRNUL */
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strnlen' function. */
+#define HAVE_STRNLEN 1
+
+/* Define to 1 if the system has the type `struct rtc_time'. */
+#define HAVE_STRUCT_RTC_TIME 1
+
+/* Define to 1 if you have the <sys/mman.h> header file. */
+#define HAVE_SYS_MMAN_H 1
+
+/* Define to 1 if you have the <sys/socket.h> header file. */
+#define HAVE_SYS_SOCKET_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#define HAVE_SYS_TIME_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <sys/wait.h> header file. */
+#define HAVE_SYS_WAIT_H 1
+
+/* Define to 1 if you have the <time.h> header file. */
+#define HAVE_TIME_H 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 or 0, depending whether the compiler supports simple visibility
+ declarations. */
+#define HAVE_VISIBILITY 1
+
+/* CPU of Build System */
+/* #undef HOST_CPU */
+
+/* OS of Build System */
+/* #undef HOST_OS */
+
+/* Vendor of Build System */
+/* #undef HOST_VENDOR */
+
+/* User-Agent value to send when running as an HTTPS client */
+#define HTTPS_USER_AGENT "TLSDate/0.0.13"
+
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+ */
+#define LT_OBJDIR ".libs/"
+
+/* Name of package */
+#define PACKAGE "tlsdate"
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT "jacob at appelbaum.net"
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "tlsdate"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "tlsdate 0.0.13"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "tlsdate"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "0.0.13"
+
+/* TODO Automate conditional definition of this symbol. */
+/* Time in seconds since the Disco epoch at build time */
+#ifndef RECENT_COMPILE_DATE
+# define RECENT_COMPILE_DATE 1440540554L
+#endif
+
+/* Enable seccomp filter debugging */
+/* #undef SECCOMP_FILTER_DEBUG */
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* CPU of Target System */
+/* #undef TARGET_CPU */
+
+/* OS of Target System */
+/* #undef TARGET_OS */
+
+/* Whether we are building for some other *BSD */
+/* #undef TARGET_OS_BSD */
+
+/* Whether we build for Cygwin */
+/* #undef TARGET_OS_CYGWIN */
+
+/* Whether we are building for DragonFly BSD */
+/* #undef TARGET_OS_DRAGONFLYBSD */
+
+/* Whether we are building for FreeBSD */
+/* #undef TARGET_OS_FREEBSD */
+
+/* Whether we build for GNU/Hurd */
+/* #undef TARGET_OS_GNUHURD */
+
+/* Whether we are building for GNU/kFreeBSD */
+/* #undef TARGET_OS_GNUKFREEBSD */
+
+/* Whether we build for Haiku */
+/* #undef TARGET_OS_HAIKU */
+
+/* Whether we build for Linux */
+#define TARGET_OS_LINUX 1
+
+/* Whether we build for MinGW */
+/* #undef TARGET_OS_MINGW */
+
+/* Whether we are building for NetBSD */
+/* #undef TARGET_OS_NETBSD */
+
+/* Whether we are building for OpenBSD */
+/* #undef TARGET_OS_OPENBSD */
+
+/* Whether we build for OSX */
+/* #undef TARGET_OS_OSX */
+
+/* Whether we are building for Solaris */
+/* #undef TARGET_OS_SOLARIS */
+
+/* Whether we are building for Windows */
+/* #undef TARGET_OS_WINDOWS */
+
+/* Vendor of Target System */
+/* #undef TARGET_VENDOR */
+
+/* Unprivileged group */
+#define UNPRIV_GROUP "tlsdate"
+
+/* Unprivileged user */
+#define UNPRIV_USER "tlsdate"
+
+/* if PolarSSL is enabled */
+/* #undef USE_POLARSSL */
+
+/* Enable extensions on AIX 3, Interix. */
+#ifndef _ALL_SOURCE
+# define _ALL_SOURCE 1
+#endif
+/* Enable GNU extensions on systems that have them. */
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE 1
+#endif
+/* Enable threading extensions on Solaris. */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# define _POSIX_PTHREAD_SEMANTICS 1
+#endif
+/* Enable extensions on HP NonStop. */
+#ifndef _TANDEM_SOURCE
+# define _TANDEM_SOURCE 1
+#endif
+/* Enable general extensions on Solaris. */
+#ifndef __EXTENSIONS__
+# define __EXTENSIONS__ 1
+#endif
+
+
+/* Version number of package */
+#define VERSION "0.0.13"
+
+/* Version of Windows */
+/* #undef WINVER */
+
+/* Define to 1 if on MINIX. */
+/* #undef _MINIX */
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+ this defined. */
+/* #undef _POSIX_1_SOURCE */
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+/* #undef _POSIX_SOURCE */
+
+/* Magical number to make things work */
+/* #undef _WIN32_WINNT */
+
+
+#ifndef HAVE_SYS_SOCKET_H
+# define SHUT_RD SD_RECEIVE
+# define SHUT_WR SD_SEND
+# define SHUT_RDWR SD_BOTH
+#endif
+
diff --git a/tlsdate/configure.ac b/tlsdate/configure.ac
new file mode 100644
index 0000000..9fc9faf
--- /dev/null
+++ b/tlsdate/configure.ac
@@ -0,0 +1,604 @@
+AC_INIT([tlsdate],[0.0.13],[jacob at appelbaum.net])
+AC_CONFIG_AUX_DIR([config])
+AC_CONFIG_MACRO_DIR([m4])
+
+AC_CANONICAL_TARGET
+AC_ARG_PROGRAM
+AC_USE_SYSTEM_EXTENSIONS
+
+AM_INIT_AUTOMAKE([-Wall -Werror -Wno-portability subdir-objects foreign tar-ustar])
+
+AC_PREREQ([2.63])
+
+AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS.
+
+PKG_PROG_PKG_CONFIG
+LT_PREREQ([2.2])
+LT_INIT
+LT_LANG([C])
+gl_VISIBILITY
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+CONFIG_EXTRA
+AX_PLATFORM
+
+dnl Here we should build a small program to fetch the build system time in a portable
+dnl manner. We have no Win32 users, we can fix this if we ever find one that
+dnl cares.
+dnl
+dnl In Debian GNU/Linux and other Debian GNU/* systems, we wish to make this a
+dnl deterministic build process. There is only one part of the build process that
+dnl is entropic and that is this COMPILE_DATE value. We want to check to see if
+dnl COMPILE_DATE is defined by the debian/rules file and if it is - we want to use
+dnl the value provided by the environment. If it isn't we'll use one that we
+dnl generate here.
+dnl
+echo "checking for \$COMPILE_DATE in the environment..."
+if test "${COMPILE_DATE+set}" = set; then
+ echo "...we've found \$COMPILE_DATE in the environment."
+ echo "...\$COMPILE_DATE is set to: $COMPILE_DATE"
+else
+ echo "...no \$COMPILE_DATE found in our build environment. Generating now..."
+ COMPILE_DATE=`date +%s`
+ echo "...\$COMPILE_DATE is set to: $COMPILE_DATE"
+fi
+
+AC_SUBST([COMPILE_DATE])
+AC_DEFINE_UNQUOTED([RECENT_COMPILE_DATE],
+ [${COMPILE_DATE}L],
+ [Time in seconds since the Disco epoch at build time])
+
+dnl Build up the directory we will use to install certs
+TLSDATE_CA_ROOTS="${sysconfdir}/$PACKAGE_NAME/ca-roots"
+AC_SUBST([TLSDATE_CA_ROOTS])
+
+dnl Place we install our config file
+TLSDATE_CONF_DIR="${sysconfdir}/$PACKAGE_NAME/"
+AC_SUBST([TLSDATE_CONF_DIR])
+
+dnl HTTPS User-agent
+AC_ARG_WITH([https-user-agent],
+ [AS_HELP_STRING([--with-https-user-agent=AGENT],
+ [a User-Agent value to send when running in HTTPS mode])],
+ [],
+ [with_https_user_agent="TLSDate/$VERSION"])
+AC_DEFINE_UNQUOTED([HTTPS_USER_AGENT],
+ ["${with_https_user_agent}"],
+ [User-Agent value to send when running as an HTTPS client])
+
+dnl check for PolarSSL
+OPT_POLARSSL=yes
+
+AC_MSG_CHECKING([PolarSSL])
+AC_ARG_WITH([polarssl],
+ [AS_HELP_STRING([--with-polarssl=DIR],
+ [where to look for PolarSSL, DIR points to the installation root])])
+
+AS_CASE([$with_polarssl],
+ [""|yes|no], [POLARSSL_DIR=""],
+ [*], [POLARSSL_DIR=$with_polarssl])
+OPT_POLARSSL=$with_polarssl
+
+SSL_FLAGS=""
+SSL_LDFLAGS=""
+SSL_LIBS="-lssl -lcrypto"
+
+AS_IF([test "x${OPT_POLARSSL}" != "xno"], [
+ AS_IF([test -z "${POLARSSL_DIR}"], [
+ dnl check for lib first without setting any new path
+ AC_CHECK_LIB(polarssl, ssl_init,
+ dnl libpolarssl found, set the variable
+ [
+ AC_DEFINE(USE_POLARSSL, 1, [if PolarSSL is enabled])
+ AC_SUBST(USE_POLARSSL, [1])
+ POLARSSL_ENABLED=1
+ USE_POLARSSL="yes"
+ ])
+ ])
+
+ addld=""
+ addlib=""
+ addcflags=""
+ polarssllib=""
+
+ AS_IF([test "x${USE_POLARSSL}" != "xyes"], [
+ dnl add the path and test again
+ addld=-L${POLARSSL_DIR}/lib$libsuff
+ addcflags=-I${POLARSSL_DIR}/include
+ polarssllib=${POLARSSL_DIR}/lib$libsuff
+
+ LDFLAGS="$LDFLAGS $addld"
+ AS_IF([test "$addcflags" != "-I/usr/include"], [
+ AX_APPEND_COMPILE_FLAGS(["$addcflags"])
+ CPPFLAGS="$CPPFLAGS $addcflags"
+ ])
+
+ AC_CHECK_LIB(polarssl, ssl_init,
+ [
+ AC_DEFINE(USE_POLARSSL, 1, [if PolarSSL is enabled])
+ AC_SUBST(USE_POLARSSL, [1])
+ POLARSSL_ENABLED=1
+ USE_POLARSSL="yes"
+ SSL_CFLAGS=$addcflags
+ SSL_LDFLAGS=$addld
+ ])
+ ])
+
+ AS_IF([test "x${USE_POLARSSL}" = "xyes"], [
+ AC_MSG_NOTICE([detected PolarSSL])
+ SSL_LIBS="-lpolarssl"
+
+ AS_IF([test -n "$polarssllib"], [
+ dnl when shared libs were found in a path that the run-time
+ dnl linker doesn't search through, we need to add it to
+ dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+ dnl due to this
+ AS_IF([test "x$cross_compiling" != "xyes"], [
+ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$polarssllib"
+ export LD_LIBRARY_PATH
+ AC_MSG_NOTICE([Added $polarssllib to LD_LIBRARY_PATH])
+ ])
+ ])
+ ])
+])
+AC_SUBST(SSL_CFLAGS)
+AC_SUBST(SSL_LDFLAGS)
+AC_SUBST(SSL_LIBS)
+AM_CONDITIONAL(POLARSSL, test "x${USE_POLARSSL}" = "xyes")
+
+dnl Required headers
+AS_IF([test "x${USE_POLARSSL}" != "xyes"], [
+ dnl First check to see if openssl is installed
+ AC_CHECK_HEADERS([openssl/ssl.h], ,[AC_MSG_ERROR([OpenSSL is not installed, openssl/sslh is missing])])
+ AC_CHECK_HEADERS([openssl/bio.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+ AC_CHECK_HEADERS([openssl/err.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+ AC_CHECK_HEADERS([openssl/evp.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+])
+
+AC_CHECK_HEADERS([arpa/inet.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([getopt.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([grp.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([pwd.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([stdint.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([stdio.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([stdlib.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([sys/mman.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([sys/socket.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([sys/time.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([sys/types.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([sys/wait.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([time.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+AC_CHECK_HEADERS([unistd.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+
+AC_CHECK_HEADERS([linux/rtc.h])
+AC_CHECK_TYPES([struct rtc_time], [], [], [
+#ifdef HAVE_LINUX_RTC_H
+#include <linux/rtc.h>
+#endif
+])
+
+AC_CHECK_FUNCS([strchrnul])
+AM_CONDITIONAL(HAVE_STRCHRNUL, [test "x${ac_cv_func_strchrnul}" = xyes])
+
+AC_CHECK_FUNCS([strnlen])
+AM_CONDITIONAL(HAVE_STRNLEN, [test "x${ac_cv_func_strnlen}" = xyes])
+
+AC_CHECK_FUNCS_ONCE(m4_flatten([
+ gettimeofday
+ prctl
+ preadv
+ pwritev
+ setresuid
+]))
+
+AC_CHECK_FUNCS([fmemopen funopen])
+AM_CONDITIONAL(HAVE_FMEMOPEN, [test "x${ac_cv_func_fmemopen}" = xyes])
+AM_CONDITIONAL(HAVE_FUNOPEN, [test "x${ac_cv_func_funopen}" = xyes])
+
+case "$host" in
+ *-darwin*)
+ dnl This is for Mac OS X (10.8.2)
+ AC_CHECK_HEADERS([mach/clock.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+ AC_CHECK_HEADERS([mach/mach.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nogroup@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-freebsd*)
+ dnl This is for FreeBSD
+ dnl clock_gettime is either part of libc or unavailable.
+ AC_CHECK_FUNC([clock_gettime], ,
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])
+ dnl If the autoconf goo picks up a compiler that runs in pre-POSIX mode,
+ dnl the fmemopen prototype is hidden causing the unit tests to segfault.
+ dnl This can happen if gcc is a symlink to gcc46 and is preferred to clang.
+ AC_CHECK_FUNC([fmemopen], ,
+ [AC_MSG_WARN([Missing fmemopen, unit tests are likely to segfault. Try CC=clang.])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *kfreebsd*-gnu*)
+ dnl This is for Debian GNU/kFreeBSD
+ dnl clock_gettime is either part of libc or unavailable.
+ dnl Check for clock_gettime. Some systems put it into -lc, while
+ dnl others use -lrt. Try the first and fallback to the latter.
+ RT_LIB=
+ AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+ AC_SUBST(RT_LIB)
+ dnl If the autoconf goo picks up a compiler that runs in pre-POSIX mode,
+ dnl the fmemopen prototype is hidden causing the unit tests to segfault.
+ dnl This can happen if gcc is a symlink to gcc46 and is preferred to clang.
+ AC_CHECK_FUNC([fmemopen], ,
+ [AC_MSG_ERROR([Missing fmemopen, unit tests are likely to segfault. Try CC=clang.])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-netbsd*)
+ dnl This is for NetBSD
+ dnl clock_gettime is either part of libc or unavailable.
+ AC_CHECK_FUNC([clock_gettime], ,
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])
+ if test "x${ac_cv_func_fmemopen}" != xyes; then
+ if test "x${ac_cv_func_funopen}" != xyes; then
+ AC_MSG_ERROR([We need fmemopen or funopen for unit tests.])
+ fi
+ fi
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-openbsd*)
+ dnl This is for OpenBSD
+ dnl clock_gettime is either part of libc or unavailable.
+ AC_CHECK_FUNC([clock_gettime], ,
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])
+ dnl If the autoconf goo picks up a compiler that runs in pre-POSIX mode,
+ dnl the fmemopen prototype is hidden causing the unit tests to segfault.
+ dnl This can happen if gcc is a symlink to gcc46 and is preferred to clang.
+ AC_CHECK_FUNC([fmemopen], ,
+ [AC_MSG_WARN([Missing fmemopen, unit tests are likely to segfault. Try CC=clang.])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *dragonfly*)
+ dnl This is for DragonFly BSD
+ dnl clock_gettime is either part of libc or unavailable.
+ AC_CHECK_FUNC([clock_gettime], ,
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])
+ dnl If the autoconf goo picks up a compiler that runs in pre-POSIX mode,
+ dnl the fmemopen prototype is hidden causing the unit tests to segfault.
+ dnl This can happen if gcc is a symlink to gcc46 and is preferred to clang.
+ AC_CHECK_FUNC([fmemopen], ,
+ [AC_MSG_WARN([Missing fmemopen, unit tests are likely to segfault. Try CC=clang.])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-bsd*)
+ dnl This is a generic catch for BSD variants
+ dnl This likely needs to be tuned to catch all
+ dnl clock_gettime is either part of libc or unavailable.
+ AC_CHECK_FUNC([clock_gettime], ,
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])
+ dnl If the autoconf goo picks up a compiler that runs in pre-POSIX mode,
+ dnl the fmemopen prototype is hidden causing the unit tests to segfault.
+ dnl This can happen if gcc is a symlink to gcc46 and is preferred to clang.
+ AC_CHECK_FUNC([fmemopen], ,
+ [AC_MSG_ERROR([Missing fmemopen, unit tests are likely to segfault. Try CC=clang.])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nobody"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-linux*)
+ dnl This is for GNU/Linux
+ dnl Check for clock_gettime. Some systems put it into -lc, while
+ dnl others use -lrt. Try the first and fallback to the latter.
+ RT_LIB=
+ AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+ AC_SUBST(RT_LIB)
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nogroup@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nogroup"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ case "$host" in
+ *-linux-androideabi)
+ dnl This is for Android NDK as it is a special case of linux
+ AC_DEFINE(HAVE_ANDROID,1, [Defined if we are to build for an Android system])
+ AC_SUBST(HAVE_ANDROID, [1])
+ HAVE_ANDROID="yes"
+ ;;
+ esac
+ ;;
+ *-gnu0.*)
+ dnl This is a generic catch for GNU/Hurd variants
+ dnl Check for clock_gettime. Some systems put it into -lc, while
+ dnl others use -lrt. Try the first and fallback to the latter.
+ RT_LIB=
+ AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+ AC_SUBST(RT_LIB)
+ dnl If the autoconf goo picks up a compiler that runs in pre-POSIX mode,
+ dnl the fmemopen prototype is hidden causing the unit tests to segfault.
+ dnl This can happen if gcc is a symlink to gcc46 and is preferred to clang.
+ AC_CHECK_FUNC([fmemopen], ,
+ [AC_MSG_ERROR([Missing fmemopen, unit tests are likely to segfault. Try CC=clang.])])
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nobody@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nogroup"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-cygwin*)
+ dnl This is for Cygwin
+ dnl Check for clock_gettime. Some systems put it into -lc, while
+ dnl others use -lrt. Try the first and fallback to the latter.
+ RT_LIB=
+ AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+ AC_SUBST(RT_LIB)
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nogroup@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nogroup"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-mingw32*)
+ dnl This is for MINGW32_NT
+ dnl Check for clock_gettime. Some systems put it into -lc, while
+ dnl others use -lrt. Try the first and fallback to the latter.
+ RT_LIB=
+ AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+ AC_SUBST(RT_LIB)
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nogroup@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nogroup"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+ *-beos*|*-haiku*)
+ dnl This is for BeOS and Haiku; we probably only support Haiku with gcc4
+ dnl Check for clock_gettime. Some systems put it into -lc, while
+ dnl others use -lrt. Try the first and fallback to the latter.
+ dnl on Haiku we require the bsd library for strsep
+ RT_LIB=
+ AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+ AC_SUBST(RT_LIB)
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nogroup@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nogroup"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ LDFLAGS="$LDFLAGS -lbsd"
+ CC="/boot/develop/abi/x86/gcc4/tools/gcc-4.6.3-haiku-121101/bin/gcc"
+ ;;
+ *)
+ AC_ARG_WITH([unpriv-group],
+ [AS_HELP_STRING([--with-unpriv-group=<group>],
+ [Group to drop privs to @<:@default: nogroup@:>@])])
+ AS_CASE([$with_unpriv_group],
+ [""|yes|no], [UNPRIV_GROUP="nogroup"],
+ [*], [UNPRIV_GROUP=$with_unpriv_group])
+ AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
+ ;;
+esac
+
+dnl Android conditional
+AM_CONDITIONAL(HAVE_ANDROID, test "x${HAVE_ANDROID}" = "xyes")
+
+AC_MSG_CHECKING([user/group to drop privs to])
+
+AC_ARG_WITH([unpriv-user],
+ [AS_HELP_STRING([--with-unpriv-user=<user>],
+ [User to drop privs to @<:@default: nobody@:>@])])
+AS_CASE([$with_unpriv_user],
+ [""|yes|no], [UNPRIV_USER="nobody"],
+ [*], [UNPRIV_USER=$with_unpriv_user])
+AC_DEFINE_UNQUOTED([UNPRIV_USER], ["${UNPRIV_USER}"], [Unprivileged user])
+AC_SUBST([UNPRIV_USER])
+
+AC_MSG_RESULT(${UNPRIV_USER}:${UNPRIV_GROUP})
+
+AC_MSG_CHECKING([group to allow DBus calls from])
+AC_ARG_WITH([dbus-client-group],
+ [AS_HELP_STRING([--with-dbus-client-group=<group>],
+ [Allow dbus method calls from group @<:@default: root@:>@])])
+AS_CASE([$with_dbus_client_group],
+ [""|yes|no], [DBUS_CLIENT_GROUP="root"],
+ [*], [DBUS_CLIENT_GROUP=$with_dbus_client_group])
+AC_DEFINE_UNQUOTED([DBUS_CLIENT_GROUP], ["${DBUS_CLIENT_GROUP}"], [DBus client group])
+AC_MSG_RESULT(${DBUS_CLIENT_GROUP})
+AC_SUBST([DBUS_CLIENT_GROUP])
+
+dnl Check for clock_gettime. Some systems put it into -lc, while
+dnl others use -lrt. Try the first and fallback to the latter.
+RT_LIB=
+AC_CHECK_FUNC([clock_gettime], [:],
+ [AC_CHECK_LIB([rt], [clock_gettime], [RT_LIB="-lrt"],
+ [AC_MSG_ERROR([Your system lacks clock_gettime])])])
+AC_SUBST(RT_LIB)
+
+PKG_CHECK_MODULES([LIBEVENT], [libevent >= 2.0])
+
+have_dbus=false
+AC_ARG_ENABLE([dbus],
+ [AS_HELP_STRING([--disable-dbus],
+ [Disable automatically dbus support])])
+AS_IF([test "x$enable_dbus" = xyes], [
+ PKG_CHECK_MODULES([DBUS], [dbus-1], [
+ have_dbus=true
+ AC_DEFINE([HAVE_DBUS], [1], [dbus enabled])
+ ], [
+ AS_IF([test "x$enable_dbus" = xyes],
+ [AC_MSG_ERROR([dbus requested but not found])])
+ ])
+ ])
+AM_CONDITIONAL([HAVE_DBUS], ${have_dbus})
+
+AC_SUBST(DBUS_CFLAGS)
+AC_SUBST(DBUS_LIBS)
+AC_SUBST(LIBEVENT_CFLAGS)
+AC_SUBST(LIBEVENT_LIBS)
+
+have_seccomp_filter=false
+AC_ARG_ENABLE([seccomp_filter],
+ [AS_HELP_STRING([--enable-seccomp-filter],
+ [Require seccomp filter])])
+
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AS_IF([test "x$enable_seccomp_filter" = xyes], [
+ dnl Force seccomp filter use
+ have_seccomp_filter=true
+ AC_MSG_RESULT([forced])
+ ], [
+ AS_IF([test "x$enable_seccomp_filter" = xno], [
+ have_seccomp_filter=no
+ AC_MSG_RESULT([disabled])
+ ], [
+ dnl Detect seccomp filter support.
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+ #include <errno.h>
+ #include <linux/audit.h>
+ #include <linux/filter.h>
+ #include <stdlib.h>
+ #include <sys/prctl.h>
+ #include "src/seccomp-compat.h"
+ ]],
+ [[ errno = 0;
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ exit(1);
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+ exit(errno == EFAULT ? 0 : 1); ]])],
+ [ AC_MSG_RESULT([yes])
+ have_seccomp_filter=true
+ ], [
+ AC_MSG_RESULT([no])
+ ],
+ [ AC_MSG_RESULT([cross-compiling, assuming yes])
+ have_seccomp_filter=true
+ ]
+ )
+])])
+
+AS_IF([${have_seccomp_filter}], [
+ AC_DEFINE([HAVE_SECCOMP_FILTER], [1], [Enable seccomp filter])
+ ])
+AM_CONDITIONAL([HAVE_SECCOMP_FILTER], ${have_seccomp_filter})
+
+
+
+have_seccomp_debug=false
+AC_ARG_ENABLE([seccomp_debugging],
+ [AS_HELP_STRING([--enable-seccomp-debugging],
+ [Enable seccomp filter debugging])])
+AS_IF([test "x$enable_seccomp_debugging" = xyes], [
+ AC_DEFINE([SECCOMP_FILTER_DEBUG], [1], [Enable seccomp filter debugging])
+ have_seccomp_debug=true
+ ])
+AM_CONDITIONAL([SECCOMP_FILTER_DEBUG], ${have_seccomp_debug})
+
+
+AC_MSG_CHECKING([for CrOS-specific platform wake event support])
+AC_ARG_ENABLE([cros],
+ [AS_HELP_STRING([--disable-cros],
+ [Disable CrOS platform support])])
+
+AS_IF([test "x$enable_cros" = xyes -a "x$enable_dbus" != xyes ], [
+ AC_MSG_ERROR([--enable-dbus is required for --enable-cros])
+ ])
+
+have_cros=false
+AS_IF([test "x$enable_cros" = xyes], [
+ have_cros=true
+ AC_DEFINE([HAVE_CROS], [1], [Enable CrOS support])
+ AC_MSG_RESULT([yes])
+ ], [
+ AC_MSG_RESULT([no])
+ ])
+AM_CONDITIONAL([HAVE_CROS], ${have_cros})
+
+dnl Debug and hardening flags all in one shot
+dnl Always do this at the end, otherwise you end up filtering system/other libraries
+AC_ARG_ENABLE([hardened-checks],
+ [AS_HELP_STRING([--disable-hardened-checks],
+ [Disable automatically enabling hardened toolchain options])])
+AC_DEFUN([LOCAL_CHECK_FLAGS],[
+ AC_REQUIRE([AX_CHECK_LINK_FLAG])
+ AC_REQUIRE([AX_APPEND_COMPILE_FLAGS])
+ AC_LANG_PUSH([C])
+ AS_IF([test "x$enable_hardened_checks" != xno], [
+ AX_APPEND_COMPILE_FLAGS([-g -O1])
+ ], [
+ AC_MSG_WARN([using hardened flags is HIGHLY RECOMMENDED and disabling them is a BAD IDEA])
+ ])
+ AX_APPEND_COMPILE_FLAGS([-Wall -fno-strict-aliasing])
+ AS_IF([test "x$enable_hardened_checks" != xno], [
+ AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
+ AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
+ AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
+ AX_CHECK_LINK_FLAG([-z relro -z now])
+ AX_CHECK_LINK_FLAG([-pie])
+ ])
+ AC_LANG_POP
+ ])
+LOCAL_CHECK_FLAGS
+
+AC_ARG_ENABLE([code-coverage-checks],
+ [AS_HELP_STRING([--enable-code-coverage-checks],
+ [Enable gcov/lcov compile time options])],
+ [AX_APPEND_COMPILE_FLAGS([-ftest-coverage -fprofile-arcs])])
+
+AC_CONFIG_FILES([dbus/org.torproject.tlsdate.conf])
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
diff --git a/tlsdate/dbus/org.torproject.tlsdate.conf b/tlsdate/dbus/org.torproject.tlsdate.conf
new file mode 100644
index 0000000..78e055a
--- /dev/null
+++ b/tlsdate/dbus/org.torproject.tlsdate.conf
@@ -0,0 +1,31 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+ <!-- Only certain user can own the tlsdated service -->
+ <policy user="nobody">
+ <allow own="org.torproject.tlsdate"/>
+ </policy>
+
+ <!-- Allow anyone in the given group to invoke methods -->
+ <policy group="root">
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="LastSyncInfo"/>
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="SetTime"/>
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="CanSetTime"/>
+ </policy>
+
+ <!-- Disallow anyone to invoke methods on tlsdated interface -->
+ <policy context="default">
+ <deny send_interface="org.torproject.tlsdate" />
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="LastSyncInfo"/>
+ </policy>
+</busconfig>
diff --git a/tlsdate/dbus/org.torproject.tlsdate.conf.in b/tlsdate/dbus/org.torproject.tlsdate.conf.in
new file mode 100644
index 0000000..80c83c1
--- /dev/null
+++ b/tlsdate/dbus/org.torproject.tlsdate.conf.in
@@ -0,0 +1,31 @@
+<!DOCTYPE busconfig PUBLIC
+ "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+ <!-- Only certain user can own the tlsdated service -->
+ <policy user="@UNPRIV_USER@">
+ <allow own="org.torproject.tlsdate"/>
+ </policy>
+
+ <!-- Allow anyone in the given group to invoke methods -->
+ <policy group="@DBUS_CLIENT_GROUP@">
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="LastSyncInfo"/>
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="SetTime"/>
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="CanSetTime"/>
+ </policy>
+
+ <!-- Disallow anyone to invoke methods on tlsdated interface -->
+ <policy context="default">
+ <deny send_interface="org.torproject.tlsdate" />
+ <allow send_destination="org.torproject.tlsdate"
+ send_interface="org.torproject.tlsdate"
+ send_member="LastSyncInfo"/>
+ </policy>
+</busconfig>
diff --git a/tlsdate/dbus/org.torproject.tlsdate.service b/tlsdate/dbus/org.torproject.tlsdate.service
new file mode 100644
index 0000000..36ee56d
--- /dev/null
+++ b/tlsdate/dbus/org.torproject.tlsdate.service
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.torproject.tlsdate
+Exec=/usr/bin/tlsdated
diff --git a/tlsdate/dbus/org.torproject.tlsdate.xml b/tlsdate/dbus/org.torproject.tlsdate.xml
new file mode 100644
index 0000000..2023494
--- /dev/null
+++ b/tlsdate/dbus/org.torproject.tlsdate.xml
@@ -0,0 +1,42 @@
+<!DOCTYPE node PUBLIC
+"-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+<node name="/" xmlns:doc="http://www.freedesktop.org/dbus/1.0/doc.dtd">
+
+ <interface name="org.torproject.tlsdate">
+ <method name="SetTime">
+ <arg name="time" direction="in" type="x">
+ <doc:doc><doc:summary>The requested time to set the system clock to. It may be tested
+ with:
+ dbus-send --print-reply --system --dest=org.torproject.tlsdate --type=method_call \
+ /org/torproject/tlsdate org.torproject.tlsdate.SetTime int64:12345678
+ </doc:summary></doc:doc>
+ </arg>
+ <arg name="code" direction="out" type="u">
+ <doc:doc><doc:summary>Returns success or failure via an enum:
+ OK:0, Bad value:1, Not allowed:2, Bad call format:3
+ </doc:summary></doc:doc>
+ </arg>
+ </method>
+ <method name="CanSetTime">
+ <arg name="code" direction="out" type="b">
+ <doc:doc><doc:summary>Returns TRUE is SetTime is allowed.
+ </doc:summary></doc:doc>
+ </arg>
+ </method>
+ <method name="LastSyncInfo">
+ <arg name="network_synchronized" direction="out" type="b">
+ <doc:doc><doc:summary>Whether the time is rooted in a network synchronization source since
+ fallback to "system-clock" happens at steady state intervals.
+ </doc:summary></doc:doc>
+ </arg>
+ <arg name="source" direction="out" type="s">
+ <doc:doc><doc:summary>Name of the last source</doc:summary></doc:doc>
+ </arg>
+ <arg name="time" direction="out" type="x">
+ <doc:doc><doc:summary>Last sync time</doc:summary></doc:doc>
+ </arg>
+ </method>
+
+ </interface>
+</node>
diff --git a/tlsdate/etc/tlsdated.conf b/tlsdate/etc/tlsdated.conf
new file mode 100644
index 0000000..ca42029
--- /dev/null
+++ b/tlsdate/etc/tlsdated.conf
@@ -0,0 +1,24 @@
+# tlsdated example config file
+# for boolean options, "yes" enables them, any other value disables them.
+# see tlsdated.conf(5) for details about the options
+
+base-path /var/cache/tlsdated
+dry-run no
+jitter 0
+max-tries 10
+min-steady-state-interval 86400
+should-load-disk yes
+should-netlink yes
+should-save-disk yes
+should-sync-hwclock yes
+steady-state-interval 86400
+subprocess-timeout 30
+verbose no
+wait-between-tries 10
+
+# Host configuration.
+source
+ host google.com
+ port 443
+ proxy none
+end
diff --git a/tlsdate/events.dot b/tlsdate/events.dot
new file mode 100644
index 0000000..658240b
--- /dev/null
+++ b/tlsdate/events.dot
@@ -0,0 +1,58 @@
+/* This DOT file represents the logical interaction between
+ * the events in the system and the "state" of tlsdated.
+ */
+digraph tlsdated {
+ graph[compound=true];
+
+ node[style=filled,color=lightblue];
+
+ subgraph cluster_states {
+ state_label[shape=box,style=dashed,label="States"];
+ sleep -> wake;
+ wake -> sync;
+ sync -> save;
+ save -> sleep;
+ wake -> terminate;
+ sync -> terminate;
+ save -> terminate;
+ }
+
+ subgraph cluster_wake {
+ color=purple;
+ style=filled;
+ wake_label[shape=box,style=dashed,label="Wake Events"];
+ periodic_local_clock_check -> wake;
+ periodic_network_sync -> wake;
+ random_sigterm -> wake;
+ random_route_change -> wake;
+ }
+
+ subgraph cluster_dbus {
+ dbus_label[shape=box,style=dashed,label="DBus Events"];
+ dbus-> cros_shill_manager_change -> wake;
+ dbus-> cros_shill_service_change -> wake;
+ dbus -> cros_proxy_resolved -> {proxy_ok, proxy_failed};
+ dbus -> cros_user_set_time -> save;
+ cros_user_set_time -> sync [style=dotted];
+ get_proxy -> cros_resolve_proxy -> dbus;
+ announce -> dbus;
+ }
+
+ subgraph cluster_sync {
+ sync_label[shape=box,style=dashed,label="Network Sync"];
+ sync -> get_proxy -> {proxy_ok, proxy_failed, proxy_timed_out} -> tlsdate;
+ tlsdate -> tlsdate_ok -> save;
+ tlsdate -> tlsdate_fail;
+ tlsdate_fail -> tlsdate [label="retry",style=dotted];
+ tlsdate_fail -> terminate;
+ };
+
+ subgraph cluster_save {
+ save_label[shape=box,style=dashed,label="Save to the system"];
+ save -> { synchronize_rtc, synchronize_kernel, synchronize_disk } -> { save_ok, save_fail, save_bad_time };
+ save_ok -> announce -> sleep;
+ save_fail -> terminate;
+ save_bad_time -> sleep;
+ }
+}
+
diff --git a/tlsdate/init/tlsdated-cros.conf b/tlsdate/init/tlsdated-cros.conf
new file mode 100644
index 0000000..f5b46a4
--- /dev/null
+++ b/tlsdate/init/tlsdated-cros.conf
@@ -0,0 +1,22 @@
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+description "Run the tlsdate daemon to set the system time"
+author "chromium-os-dev@chromium.org"
+
+start on started system-services
+stop on stopping system-services
+respawn
+
+script
+ GOOGLE_CERTS=/usr/share/chromeos-ca-certificates
+ mkdir -m 755 -p /var/cache/tlsdated
+ # Make sure the timestamp file has the proper permissions.
+ chmod 0644 /var/cache/tlsdated/timestamp || true
+ # When it runs tlsdate, tlsdated stitches together an argument vector for it
+ # as follows: it begins with everything supplied to it after the --, then
+ # appends -H $host -p $port, and maybe -x $proxy if it has a proxy to use.
+ exec tlsdated -v -- /usr/bin/tlsdate -v -C "$GOOGLE_CERTS" -l \
+ 2>&1 | logger -t tlsdate
+end script
diff --git a/tlsdate/init/tlsdated.rc b/tlsdate/init/tlsdated.rc
new file mode 100644
index 0000000..8603198
--- /dev/null
+++ b/tlsdate/init/tlsdated.rc
@@ -0,0 +1,10 @@
+# Init file for starting tlsdated on Android.
+
+on post-fs-data
+ mkdir /data/misc/tlsdated 0755 root system
+
+service tlsdated /system/bin/tlsdated -c /data/misc/tlsdated -G dbus,inet -- /system/bin/tlsdate -C /system/etc/security/cacerts -l
+ class late_start
+ # This daemon needs to start as root and drops privileges early on.
+ user root
+ group system
diff --git a/tlsdate/m4/ax_append_compile_flags.m4 b/tlsdate/m4/ax_append_compile_flags.m4
new file mode 100644
index 0000000..1f8e708
--- /dev/null
+++ b/tlsdate/m4/ax_append_compile_flags.m4
@@ -0,0 +1,65 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_append_compile_flags.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_APPEND_COMPILE_FLAGS([FLAG1 FLAG2 ...], [FLAGS-VARIABLE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# For every FLAG1, FLAG2 it is checked whether the compiler works with the
+# flag. If it does, the flag is added FLAGS-VARIABLE
+#
+# If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
+# CFLAGS) is used. During the check the flag is always added to the
+# current language's flags.
+#
+# If EXTRA-FLAGS is defined, it is added to the current language's default
+# flags (e.g. CFLAGS) when the check is done. The check is thus made with
+# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
+# force the compiler to issue an error when a bad flag is given.
+#
+# NOTE: This macro depends on the AX_APPEND_FLAG and
+# AX_CHECK_COMPILE_FLAG. Please keep this macro in sync with
+# AX_APPEND_LINK_FLAGS.
+#
+# LICENSE
+#
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 3
+
+AC_DEFUN([AX_APPEND_COMPILE_FLAGS],
+[AC_REQUIRE([AX_CHECK_COMPILE_FLAG])
+AC_REQUIRE([AX_APPEND_FLAG])
+for flag in $1; do
+ AX_CHECK_COMPILE_FLAG([$flag], [AX_APPEND_FLAG([$flag], [$2])], [], [$3])
+done
+])dnl AX_APPEND_COMPILE_FLAGS
diff --git a/tlsdate/m4/ax_append_flag.m4 b/tlsdate/m4/ax_append_flag.m4
new file mode 100644
index 0000000..1d38b76
--- /dev/null
+++ b/tlsdate/m4/ax_append_flag.m4
@@ -0,0 +1,69 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_append_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE])
+#
+# DESCRIPTION
+#
+# FLAG is appended to the FLAGS-VARIABLE shell variable, with a space
+# added in between.
+#
+# If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
+# CFLAGS) is used. FLAGS-VARIABLE is not changed if it already contains
+# FLAG. If FLAGS-VARIABLE is unset in the shell, it is set to exactly
+# FLAG.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_APPEND_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])dnl
+AS_VAR_SET_IF(FLAGS,
+ [case " AS_VAR_GET(FLAGS) " in
+ *" $1 "*)
+ AC_RUN_LOG([: FLAGS already contains $1])
+ ;;
+ *)
+ AC_RUN_LOG([: FLAGS="$FLAGS $1"])
+ AS_VAR_SET(FLAGS, ["AS_VAR_GET(FLAGS) $1"])
+ ;;
+ esac],
+ [AS_VAR_SET(FLAGS,["$1"])])
+AS_VAR_POPDEF([FLAGS])dnl
+])dnl AX_APPEND_FLAG
diff --git a/tlsdate/m4/ax_check_compile_flag.m4 b/tlsdate/m4/ax_check_compile_flag.m4
new file mode 100644
index 0000000..c3a8d69
--- /dev/null
+++ b/tlsdate/m4/ax_check_compile_flag.m4
@@ -0,0 +1,72 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the current language's compiler
+# or gives an error. (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the current language's default
+# flags (e.g. CFLAGS) when the check is done. The check is thus made with
+# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
+# force the compiler to issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
diff --git a/tlsdate/m4/ax_check_link_flag.m4 b/tlsdate/m4/ax_check_link_flag.m4
new file mode 100644
index 0000000..e2d0d36
--- /dev/null
+++ b/tlsdate/m4/ax_check_link_flag.m4
@@ -0,0 +1,71 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the linker or gives an error.
+# (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the linker's default flags
+# when the check is done. The check is thus made with the flags: "LDFLAGS
+# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
+# issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS $4 $1"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ LDFLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
diff --git a/tlsdate/m4/ax_platform.m4 b/tlsdate/m4/ax_platform.m4
new file mode 100644
index 0000000..f3da57d
--- /dev/null
+++ b/tlsdate/m4/ax_platform.m4
@@ -0,0 +1,103 @@
+# ===========================================================================
+# http://
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_PLATFORM
+#
+# DESCRIPTION
+#
+# Provide target and host defines.
+#
+# LICENSE
+#
+# Copyright (c) 2012 Brian Aker <brian@tangent.org>
+# Copyleft (ↄ) 2013 Jacob Appelbaum <jacob@appelbaum.net>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 1
+ AC_DEFUN([AX_PLATFORM],
+ [AC_REQUIRE([AC_CANONICAL_HOST])
+ AC_REQUIRE([AC_CANONICAL_TARGET])
+
+ AC_DEFINE_UNQUOTED([HOST_VENDOR],["$host_vendor"],[Vendor of Build System])
+ AC_DEFINE_UNQUOTED([HOST_OS],["$host_os"], [OS of Build System])
+ AC_DEFINE_UNQUOTED([HOST_CPU],["$host_cpu"], [CPU of Build System])
+
+ AC_DEFINE_UNQUOTED([TARGET_VENDOR],["$target_vendor"],[Vendor of Target System])
+ AC_DEFINE_UNQUOTED([TARGET_OS],["$target_os"], [OS of Target System])
+ AC_DEFINE_UNQUOTED([TARGET_CPU],["$target_cpu"], [CPU of Target System])
+
+ AS_CASE([$target_os],
+ [*mingw32*],
+ [TARGET_OS_WINDOWS="true"
+ AC_DEFINE([TARGET_OS_WINDOWS], [1], [Whether we are building for Windows])
+ AC_DEFINE([WINVER], [WindowsXP], [Version of Windows])
+ AC_DEFINE([_WIN32_WINNT], [0x0501], [Magical number to make things work])
+ AC_DEFINE([EAI_SYSTEM], [11], [Another magical number])
+ AH_BOTTOM([
+#ifndef HAVE_SYS_SOCKET_H
+# define SHUT_RD SD_RECEIVE
+# define SHUT_WR SD_SEND
+# define SHUT_RDWR SD_BOTH
+#endif
+ ])],
+ [*mingw*],
+ [TARGET_OS_MINGW="true"
+ AC_DEFINE([TARGET_OS_MINGW],[1],[Whether we build for MinGW])],
+ [*cygwin*],
+ [TARGET_OS_CYGWIN="true"
+ AC_DEFINE([TARGET_OS_CYGWIN],[1],[Whether we build for Cygwin])],
+ [*haiku*],
+ [TARGET_OS_HAIKU="true"
+ AC_DEFINE([TARGET_OS_HAIKU],[1],[Whether we build for Haiku])],
+ [*freebsd*],
+ [TARGET_OS_FREEBSD="true"
+ AC_DEFINE([TARGET_OS_FREEBSD],[1],[Whether we are building for FreeBSD])],
+ [*kfreebsd*-gnu],
+ [TARGET_OS_GNUKFREEBSD="true"
+ TARGET_OS_FREEBSD="true"
+ AC_DEFINE([TARGET_OS_FREEBSD],[1],[Whether we are building for FreeBSD])
+ AC_DEFINE([TARGET_OS_GNUKFREEBSD],[1],[Whether we are building for GNU/kFreeBSD])],
+ [*netbsd*],
+ [TARGET_OS_NETBSD="true"
+ AC_DEFINE([TARGET_OS_NETBSD],[1],[Whether we are building for NetBSD])],
+ [*openbsd*],
+ [TARGET_OS_OPENBSD="true"
+ AC_DEFINE([TARGET_OS_OPENBSD],[1],[Whether we are building for OpenBSD])],
+ [*dragonfly*],
+ [TARGET_OS_DRAGONFLYBSD="true"
+ AC_DEFINE([TARGET_OS_DRAGONFLYBSD],[1],[Whether we are building for DragonFly BSD])],
+ [*bsd*],
+ [TARGET_OS_BSD="true"
+ AC_DEFINE([TARGET_OS_BSD],[1],[Whether we are building for some other *BSD])],
+ [*solaris*],[AC_DEFINE([TARGET_OS_SOLARIS],[1],[Whether we are building for Solaris])],
+ [*darwin*],
+ [TARGET_OS_OSX="true"
+ AC_DEFINE([TARGET_OS_OSX],[1],[Whether we build for OSX])],
+ [*linux*],
+ [TARGET_OS_LINUX="true"
+ AC_DEFINE([TARGET_OS_LINUX],[1],[Whether we build for Linux])],
+ [*gnu*],
+ [TARGET_OS_GNUHURD="true"
+ AC_DEFINE([TARGET_OS_GNUHURD],[1],[Whether we build for GNU/Hurd])])
+
+ AM_CONDITIONAL([TARGET_WIN32],[test "x${TARGET_OS_WINDOWS}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_MINGW],[test "x${TARGET_OS_MINGW}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_CYGWIN],[test "x${TARGET_OS_CYGWIN}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_HAIKU],[test "x${TARGET_OS_HAIKU}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_OSX],[test "x${TARGET_OS_OSX}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_GNUHURD],[test "x${TARGET_OS_GNUHURD}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_LINUX],[test "x${TARGET_OS_LINUX}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_FREEBSD],[test "x${TARGET_OS_FREEBSD}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_GNUKFREEBSD],[test "x${TARGET_OS_GNUKFREEBSD}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_NETBSD],[test "x${TARGET_OS_NETBSD}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_OPENBSD],[test "x${TARGET_OS_OPENBSD}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_DRAGONFLYBSD],[test "x${TARGET_OS_DRAGONFLYBSD}" = "xtrue"])
+ AM_CONDITIONAL([TARGET_BSD],[test "x${TARGET_OS_BSD}" = "xtrue"])
+ ])
diff --git a/tlsdate/m4/bottom.m4 b/tlsdate/m4/bottom.m4
new file mode 100644
index 0000000..28e1c30
--- /dev/null
+++ b/tlsdate/m4/bottom.m4
@@ -0,0 +1,12 @@
+AC_DEFUN([CONFIG_EXTRA],[
+
+ AH_TOP([
+#pragma once
+
+/* _SYS_FEATURE_TESTS_H is Solaris, _FEATURES_H is GCC */
+#if defined( _SYS_FEATURE_TESTS_H) || defined(_FEATURES_H)
+#error "You should include config.h as your first include file"
+#endif
+
+ ])
+ ])
diff --git a/tlsdate/m4/visibility.m4 b/tlsdate/m4/visibility.m4
new file mode 100644
index 0000000..75c34b6
--- /dev/null
+++ b/tlsdate/m4/visibility.m4
@@ -0,0 +1,77 @@
+# visibility.m4 serial 4 (gettext-0.18.2)
+dnl Copyright (C) 2005, 2008, 2010-2011 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+dnl Tests whether the compiler supports the command-line option
+dnl -fvisibility=hidden and the function and variable attributes
+dnl __attribute__((__visibility__("hidden"))) and
+dnl __attribute__((__visibility__("default"))).
+dnl Does *not* test for __visibility__("protected") - which has tricky
+dnl semantics (see the 'vismain' test in glibc) and does not exist e.g. on
+dnl MacOS X.
+dnl Does *not* test for __visibility__("internal") - which has processor
+dnl dependent semantics.
+dnl Does *not* test for #pragma GCC visibility push(hidden) - which is
+dnl "really only recommended for legacy code".
+dnl Set the variable CFLAG_VISIBILITY.
+dnl Defines and sets the variable HAVE_VISIBILITY.
+
+AC_DEFUN([gl_VISIBILITY],
+[
+ AC_REQUIRE([AC_PROG_CC])
+ CFLAG_VISIBILITY=
+ HAVE_VISIBILITY=0
+ if test -n "$GCC"; then
+ dnl First, check whether -Werror can be added to the command line, or
+ dnl whether it leads to an error because of some other option that the
+ dnl user has put into $CC $CFLAGS $CPPFLAGS.
+ AC_MSG_CHECKING([whether the -Werror option is usable])
+ AC_CACHE_VAL([gl_cv_cc_vis_werror], [
+ gl_save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -Werror"
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[]], [[]])],
+ [gl_cv_cc_vis_werror=yes],
+ [gl_cv_cc_vis_werror=no])
+ CFLAGS="$gl_save_CFLAGS"])
+ AC_MSG_RESULT([$gl_cv_cc_vis_werror])
+ dnl Now check whether visibility declarations are supported.
+ AC_MSG_CHECKING([for simple visibility declarations])
+ AC_CACHE_VAL([gl_cv_cc_visibility], [
+ gl_save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fvisibility=hidden"
+ dnl We use the option -Werror and a function dummyfunc, because on some
+ dnl platforms (Cygwin 1.7) the use of -fvisibility triggers a warning
+ dnl "visibility attribute not supported in this configuration; ignored"
+ dnl at the first function definition in every compilation unit, and we
+ dnl don't want to use the option in this case.
+ if test $gl_cv_cc_vis_werror = yes; then
+ CFLAGS="$CFLAGS -Werror"
+ fi
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[extern __attribute__((__visibility__("hidden"))) int hiddenvar;
+ extern __attribute__((__visibility__("default"))) int exportedvar;
+ extern __attribute__((__visibility__("hidden"))) int hiddenfunc (void);
+ extern __attribute__((__visibility__("default"))) int exportedfunc (void);
+ void dummyfunc (void) {}
+ ]],
+ [[]])],
+ [gl_cv_cc_visibility=yes],
+ [gl_cv_cc_visibility=no])
+ CFLAGS="$gl_save_CFLAGS"])
+ AC_MSG_RESULT([$gl_cv_cc_visibility])
+ if test $gl_cv_cc_visibility = yes; then
+ CFLAG_VISIBILITY="-fvisibility=hidden"
+ HAVE_VISIBILITY=1
+ fi
+ fi
+ AC_SUBST([CFLAG_VISIBILITY])
+ AC_SUBST([HAVE_VISIBILITY])
+ AC_DEFINE_UNQUOTED([HAVE_VISIBILITY], [$HAVE_VISIBILITY],
+ [Define to 1 or 0, depending whether the compiler supports simple visibility declarations.])
+])
diff --git a/tlsdate/man/tlsdate-helper.1 b/tlsdate/man/tlsdate-helper.1
new file mode 100644
index 0000000..aedfe2b
--- /dev/null
+++ b/tlsdate/man/tlsdate-helper.1
@@ -0,0 +1,39 @@
+.\" Process this file with
+.\" groff -man -Tascii foo.1
+.\"
+.TH TLSDATE 1 "OCTOBER 2012" Linux "User Manuals"
+.SH NAME
+tlsdate-helper \- secure parasitic rdate replacement
+.SH SYNOPSIS
+.B tlsdate-helper host port protocol ca_racket verbose certdir setclock \
+showtime timewarp leapaway proxy-type://proxyhost:proxyport httpmode
+.SH DESCRIPTION
+.B tlsdate-helper
+is a tool for setting the system clock by hand or by communication
+with the network. It does not set the Real Time Clock. It is designed to be as
+secure as TLS (RFC 2246) but of course the security of TLS is often reduced to
+whichever CA racket you believe is trustworthy. By default, tlsdate-helper
+trusts your local CA root store - so any of these companies could assist in a
+MITM attack against you and you'd be screwed.
+
+The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+ http://127.0.0.1:8118
+ socks4a://127.0.0.1:9050
+ socks5://127.0.0.1:9050
+
+This tool is designed to be run by hand or as a system daemon. It must be
+run as root or otherwise have the proper caps; it will not be able to set
+the system time without running as root or another privileged user.
+.SH BUGS
+It's likely! Let us know by contacting jacob@appelbaum.net
+
+Note that
+.B tlsdate(1)
+is in Beta, and may not work as expected.
+.SH AUTHOR
+Jacob Appelbaum <jacob at appelbaum dot net>
+.SH "SEE ALSO"
+.B tlsdate(1),
+.B tlsdated(8),
+.B tlsdated.conf(5)
diff --git a/tlsdate/man/tlsdate.1 b/tlsdate/man/tlsdate.1
new file mode 100644
index 0000000..b052e48
--- /dev/null
+++ b/tlsdate/man/tlsdate.1
@@ -0,0 +1,95 @@
+.\" Process this file with
+.\" groff -man -Tascii foo.1
+.\"
+.TH TLSDATE 1 "OCTOBER 2012" Linux "User Manuals"
+.SH NAME
+tlsdate \- secure parasitic rdate replacement
+.SH SYNOPSIS
+.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \
+[\-\-certdir [dirname]] [\-x [\-\-proxy] proxy\-type://proxyhost:proxyport]
+.SH DESCRIPTION
+.B tlsdate
+is a tool for setting the system clock by hand or by communication
+with the network. It does not set the Real Time Clock. It is designed to be as
+secure as TLS (RFC 2246) but of course the security of TLS is often reduced to
+whichever CA racket you believe is trustworthy. By default, tlsdate trusts your
+local CA root store - so any of these companies could assist in a MITM attack
+against you and you'd be screwed.
+
+This tool is designed to be run by hand or as a system daemon. It must be
+run as root or otherwise have the proper caps; it will not be able to set
+the system time without running as root or another privileged user.
+.SH OPTIONS
+.IP "\-h | \-\-help"
+Print the help message
+.IP "\-s | \-\-skip\-verification"
+Skip certificate verification
+.IP "\-H | \-\-host [hostname|ip]"
+Set remote hostname (default: 'google.com')
+.IP "\-n | \-\-dont\-set\-clock"
+Do not set the system clock to the time of the remote server
+.IP "\-p | \-\-port [port]"
+Set remote port (default: '443')
+.IP "\-P | \-\-protocol [sslv23|sslv3|tlsv1]"
+Set protocol to use when communicating with server (default: 'tlsv1')
+.IP "\-C | \-\-certdir [dirname]"
+Set the local directory where certificates are located
+(default: '/etc/ssl/certs')
+This allows for certificate or certificate authority (CA) pinning. To ensure
+that signatures are only valid if they are signed by a specific CA or
+certificate, set the path to a directory containing only the desired
+certificates.
+.IP "\-x | \-\-proxy [proxy\-type://proxyhost:proxyport]"
+The proxy argument expects HTTP, SOCKS4A or SOCKS5 formatted as followed:
+
+ http://127.0.0.1:8118
+ socks4a://127.0.0.1:9050
+ socks5://127.0.0.1:9050
+
+The proxy support should not leak DNS requests and is suitable for use with Tor.
+.IP "\-v | \-\-verbose"
+Provide verbose output
+.IP "\-V | \-\-showtime [human|raw]"
+Show the time retrieved from the remote server in a human-readable format or as
+a raw time_t.
+.IP "\-t | \-\-timewarp"
+If the local clock is before RECENT_COMPILE_DATE; we set the clock to the
+RECENT_COMPILE_DATE. If the local clock is after RECENT_COMPILE_DATE, we leave
+the clock alone. Clock setting is performed as the first operation and will
+impact certificate verification. Specifically, this option is helpful if on
+first boot, the local system clock is set back to the era of Disco and Terrible
+Hair. This should ensure that X509_V_ERR_CERT_NOT_YET_VALID or
+X509_V_ERR_CERT_HAS_EXPIRED are not encountered because of a broken RTC or the
+lack of a local RTC; we assume that tlsdate is recompiled yearly and that all
+certificates are otherwise considered valid.
+.IP "\-l | \-\-leap"
+Normally, the passing of time or time yet to come ensures that SSL verify
+functions will fail to validate certificates. Commonly,
+X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED are painfully
+annoying but still very important error states. When the only issue with the
+certificates in question is the timing information, this option allows you to
+trust the remote system's time, as long as it is after RECENT_COMPILE_DATE and
+before MAX_REASONABLE_TIME. The connection will only be trusted if
+X509_V_ERR_CERT_NOT_YET_VALID and/or X509_V_OKX509_V_ERR_CERT_HAS_EXPIRED are
+the only errors encountered. The SSL verify function will not return X509_V_OK
+if there are any other issues, such as self-signed certificates or if the user
+pins to a CA that is not used by the remote server. This is useful if your RTC
+is broken on boot and you are unable to use DNSEC until you've at least had
+some kind of leap of cryptographically assured data.
+.IP "\-w | \-\-http"
+Run in web mode: look for the time in an HTTP "Date" header inside an
+HTTPS connection, rather than in the TLS connection itself. The provided
+hostname and port must support HTTPS.
+.SH BUGS
+It's likely! Let us know by contacting jacob@appelbaum.net
+
+Note that
+.B tlsdate(1)
+is in Beta, and may not work as expected.
+.SH AUTHOR
+Jacob Appelbaum <jacob at appelbaum dot net>
+.SH "SEE ALSO"
+.B tlsdate(1),
+.B tlsdate-helper(1),
+.B tlsdated(8),
+.B tlsdated.conf(5)
diff --git a/tlsdate/man/tlsdated.8 b/tlsdate/man/tlsdated.8
new file mode 100644
index 0000000..24f79fb
--- /dev/null
+++ b/tlsdate/man/tlsdated.8
@@ -0,0 +1,73 @@
+.\" Process this file with
+.\" groff -man -Tascii foo.1
+.\"
+.TH TLSDATED 8 "OCTOBER 2012" Linux "User Manuals"
+.SH NAME
+tlsdated \- secure parasitic rdate replacement daemon
+.SH SYNOPSIS
+.B tlsdated [\-wprlsvh] \
+[\-t <n>] \
+[\-d <n>] \
+[\-T <n>] \
+[\-D <n>] \
+[\-c /path/to ] \
+[\-a seconds ] \
+[\-\-] \
+[commands to be passed to tlsdate]
+.SH DESCRIPTION
+.B tlsdated
+is a daemon that runs tlsdate. It must be run as root or otherwise have the
+proper caps; it will not be able to set the system time without running as root
+or another privileged user.
+.SH OPTIONS
+.IP "\-w"
+don't set hwclock
+.IP "\-p"
+dry run (don't really set time)
+.IP "\-r"
+use stdin instead of netlink for routes
+.IP "\-t [n]"
+try up to n times if unsuccessful to synchronize the time
+.IP "\-d [n]"
+delay n seconds between tries
+.IP "\-T [n]"
+give subprocess n chances to exit
+.IP "\-D [n]"
+delay n seconds between wait attempts
+.IP "\-c [/path/to/cache/directory/]"
+set the cache directory
+.IP "\-a [n]"
+run at most every n seconds in steady state
+.IP "\-l"
+don't load disk timestamps
+.IP "\-s"
+don't save disk timestamp
+.IP "\-j [n]"
+add up to n seconds of jitter to steady-state fetches
+.IP "\-v"
+be verbose
+.IP "\-b"
+be extra verbose (debugging)
+.IP "\-U"
+do not use DBus if supported
+.IP "\-h"
+print help message
+.IP "\-f [/path/to/config/file]"
+use alternate config file
+.IP "\-x [proxy]"
+override the proxy supplied to sources in the config file
+.IP "[tlsdate command arguments]"
+arguments to be passed to tlsdate at launch time
+
+.SH BUGS
+It's likely! Let us know by contacting jacob@appelbaum.net
+
+Note that
+.B tlsdate(8)
+is in Beta, and may not work as expected.
+.SH AUTHOR
+Jacob Appelbaum <jacob at appelbaum dot net>
+.SH "SEE ALSO"
+.B tlsdate(1),
+.B tlsdate-helper(1),
+.B tlsdated.conf(5)
diff --git a/tlsdate/man/tlsdated.conf.5 b/tlsdate/man/tlsdated.conf.5
new file mode 100644
index 0000000..d4f763d
--- /dev/null
+++ b/tlsdate/man/tlsdated.conf.5
@@ -0,0 +1,75 @@
+.\" Process this file with
+.\" groff -man -Tascii foo.1
+.\"
+.TH TLSDATED 5 "JANUARY 2013" "File Formats and Conversions"
+.SH NAME
+tlsdated.conf \- tlsdated config file
+.SH SYNTAX
+\fBtlsdated.conf\fR is the configuration file for the \fBtlsdated(8)\fR daemon.
+The config file is formatted as a list of key-value pairs, one per line,
+separated by whitespace. Whitespace inside values is preserved, so
+.RS
+foo bar baz quxx
+.RE
+represents the key \fBfoo\fR mapping to the value \fBbar baz quxx\fR. Empty
+lines and lines beginning with \fB#\fR are ignored; leading whitespace on lines
+is stripped. For boolean options, the value \fByes\fR or no value at all
+indicates that the option should be switched on, and all other values indicate
+that the option should be switched off. \fINote that trailing whitespace is
+preserved in values.\fR
+.SH OPTIONS
+.IP "base-path [string]"
+Sets the path to tlsdated's cache directory.
+.IP "dry-run [bool]"
+If enabled, don't actually adjust the system time.
+.IP "jitter [int]"
+Add or subtract up to this many seconds from the steady-state interval when
+checking. This helps prevent correlation between sequential checks and smooth
+load on time hosts.
+.IP "max-tries [int]"
+How many times to try running the tlsdate subprocess.
+.IP "min-steady-state-interval [int]"
+Do not check more than once this many seconds when in steady state.
+.IP "should-load-disk [bool]"
+If enabled, try loading the current timestamp out of the cache directory.
+.IP "should-netlink [bool]"
+If enabled, use a netlink socket to get network events; otherwise, read network
+events from stdin.
+.IP "should-save-disk [bool]"
+If enabled, save the current timestamp to the cache directory every so often and
+at exit.
+.IP "should-sync-hwclock [bool]"
+If enabled, set the hwclock to the fetched time.
+.IP "steady-state-interval [int]"
+Check at least once this many seconds when in steady state.
+.IP "subprocess-timeout [int]"
+How many seconds to wait for the subprocess to exit.
+.IP "verbose [bool]"
+If enabled, tlsdated will be annoyingly verbose in syslog and on stdout.
+.IP "wait-between-tries [int]"
+How long to wait between runs of the subprocess.
+.SH SOURCES
+You can list one or more sources to fetch time from. The format of these is:
+.RS 4
+source
+.RS 4
+host www.example.com
+.br
+port 443
+.br
+proxy socks5://127.0.0.1:9050
+.RE
+end
+.RE
+.SH BUGS
+It's likely! Let us know by contacting jacob@appelbaum.net
+
+Note that
+.B tlsdated(8)
+is in Beta, and may not work as expected.
+.SH AUTHOR
+Jacob Appelbaum <jacob at appelbaum dot net>
+.SH "SEE ALSO"
+.B tlsdate(1),
+.B tlsdate-helper(1),
+.B tlsdated(8),
diff --git a/tlsdate/mkfile b/tlsdate/mkfile
new file mode 100644
index 0000000..00a51a9
--- /dev/null
+++ b/tlsdate/mkfile
@@ -0,0 +1,12 @@
+</$objtype/mkfile
+
+#src/tlsdate: src/tlsdate.c
+# $CC -I. $prereq
+
+src/tlsdatehelper: config.h
+ $CC -I. ./src/util-plan9.c ./src/proxy-bio-plan9.c ./src/tlsdate-helper-plan9.c /$objtype/lib/ape/libssl.a /$objtype/lib/ape/libcrypto.a
+
+config.h:
+ touch config.h
+
+CC=pcc -DHAVE_TIME_H -D_PLAN9_SOURCE -D_REENTRANT_SOURCE -D_BSD_EXTENSION -D_SUSV2_SOURCE -D_POSIX_SOURCE
diff --git a/tlsdate/run-tests b/tlsdate/run-tests
new file mode 100755
index 0000000..1e43b05
--- /dev/null
+++ b/tlsdate/run-tests
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+run_test() {
+ # Clear the last results
+ rm -f "$1"/result
+ [ -x "$1"/setup ] && "$1"/setup
+ if [ -r "$1"/tlsdated-flags ]; then
+ flags=$(cat "$1"/tlsdated-flags | sed "s/@TESTDIR@/$1/g")
+ elif [ -r "$1"/test.conf ]; then
+ flags="-U -w -p -r -l -s -b -f $1/test.conf -v"
+ else
+ flags="-U -w -p -r -l -s -b -f test.conf -v"
+ fi
+ # flags are deliberately unquoted here so that they'll be interpolated
+ (test -x "$1"/input.sh && "$1"/input.sh) |
+ timeout 8 src/tlsdated $flags -- "$1"/subproc.sh \
+ >"$1"/run-output 2>"$1"/run-err
+ [ -x "$1"/teardown ] && "$1"/teardown
+}
+
+test_passed() {
+ f="$t"/result
+ test -f "$f" && grep -q ok "$f"
+}
+
+total=0
+passed=0
+
+if ! test -x src/test/emit; then
+ echo "Make sure src/test/emit has been built (make check)!"
+ exit 1
+fi
+for t in tests/*; do
+ [ ! -d "$t" ] && continue
+ name="$(basename "$t")"
+ echo -n "$name: "
+ run_test "$t"
+ if test_passed "$t"; then
+ echo "ok"
+ passed=$((passed + 1))
+ else
+ echo "failed"
+ fi
+ total=$((total + 1))
+done
+echo "Passed: $passed/$total"
+[ $passed != $total ]
+exit $?
diff --git a/tlsdate/src/common/fmemopen-funopen.c b/tlsdate/src/common/fmemopen-funopen.c
new file mode 100644
index 0000000..87c8675
--- /dev/null
+++ b/tlsdate/src/common/fmemopen-funopen.c
@@ -0,0 +1,158 @@
+/*
+ * POSIX 2008 fmemopen(3) implemented in terms of BSD funopen(3)
+ */
+
+/*
+ * Copyright (c) 2013 Taylor R. Campbell
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define _BSD_SOURCE
+#define _NETBSD_SOURCE
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fmemopen.h"
+
+struct fmem_cookie {
+ void *fmc_buffer;
+ size_t fmc_index;
+ size_t fmc_limit;
+};
+
+static int
+fmem_read(void *cookie, char *buffer, int n)
+{
+ struct fmem_cookie *const fmc = cookie;
+
+ if (n < 0) { /* paranoia */
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (n > (fmc->fmc_limit - fmc->fmc_index))
+ n = (fmc->fmc_limit - fmc->fmc_index);
+
+ (void)memcpy(buffer, (char *)fmc->fmc_buffer + fmc->fmc_index, n);
+ fmc->fmc_index += n;
+ return n;
+}
+
+static int
+fmem_write(void *cookie, const char *buffer, int n)
+{
+ struct fmem_cookie *const fmc = cookie;
+
+ if (n < 0) { /* paranoia */
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (n > (fmc->fmc_limit - fmc->fmc_index))
+ n = (fmc->fmc_limit - fmc->fmc_index);
+
+ (void)memcpy((char *)fmc->fmc_buffer + fmc->fmc_index, buffer, n);
+ fmc->fmc_index += n;
+ return n;
+}
+
+static fpos_t
+fmem_seek(void *cookie, fpos_t offset, int cmd)
+{
+ struct fmem_cookie *const fmc = cookie;
+
+ switch (cmd) {
+ case SEEK_SET:
+ if ((offset < 0) || (fmc->fmc_limit < offset))
+ goto einval;
+ fmc->fmc_index = offset;
+ return 0;
+
+ case SEEK_CUR:
+ if (offset < 0) {
+ /* Assume two's-complement arithmetic. */
+ if ((offset == ~(fpos_t)0) || (-offset > fmc->fmc_index))
+ goto einval;
+ } else {
+ if (offset > (fmc->fmc_limit - fmc->fmc_index))
+ goto einval;
+ }
+ fmc->fmc_index += offset;
+ return 0;
+
+ case SEEK_END:
+ /* Assume two's-complement arithmetic. */
+ if ((offset >= 0) || (offset == ~(fpos_t)0) || (fmc->fmc_limit < -offset))
+ goto einval;
+ fmc->fmc_index = (fmc->fmc_limit + offset);
+ return 0;
+
+ default:
+ goto einval;
+ }
+
+einval:
+ errno = EINVAL;
+ return -1;
+}
+
+static int
+fmem_close(void *cookie)
+{
+ struct fmem_cookie *const fmc = cookie;
+
+ free(fmc);
+
+ return 0;
+}
+
+FILE *
+fmemopen(void *buffer, size_t len, const char *mode)
+{
+ struct fmem_cookie *fmc;
+ FILE *file;
+
+ fmc = malloc(sizeof(*fmc));
+ if (fmc == NULL)
+ goto fail0;
+
+ (void)memset(fmc, 0, sizeof(*fmc));
+ fmc->fmc_buffer = buffer;
+ fmc->fmc_index = 0;
+ fmc->fmc_limit = len;
+
+ file = funopen(fmc, &fmem_read, &fmem_write, &fmem_seek, &fmem_close);
+ if (file == NULL)
+ goto fail1;
+
+ return file;
+
+fail1:
+ free(fmc);
+fail0:
+ return NULL;
+}
diff --git a/tlsdate/src/common/fmemopen.c b/tlsdate/src/common/fmemopen.c
new file mode 100644
index 0000000..99f6740
--- /dev/null
+++ b/tlsdate/src/common/fmemopen.c
@@ -0,0 +1,228 @@
+/*
+ This file was retrieved from
+ http://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/HEAD:/lib/libc/stdio/fmemopen.c
+ on 26/04/2013 by Abel Luck for inclusion in tlsdate for the Android port.
+*/
+/* $NetBSD: fmemopen.c,v 1.4 2010/09/27 16:50:13 tnozaki Exp $ */
+
+/*-
+ * Copyright (c)2007, 2010 Takehiko NOZAKI,
+ * Copyright (c) 2012, Venkatesh Srinivas <vsrinivas@dragonflybsd.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/param.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+//#include "local.h"
+//#include "priv_stdio.h"
+
+int MIN(int a, int b) {
+ return a < b ? a : b;
+}
+
+struct fmemopen_cookie {
+ char *head, *tail, *cur, *eob;
+};
+
+static int
+fmemopen_read(void *cookie, char *buf, int nbytes)
+{
+ struct fmemopen_cookie *p;
+ char *s;
+ int len;
+
+ assert(cookie != NULL);
+ assert(buf != NULL && nbytes > 0);
+
+ p = cookie;
+ s = p->cur;
+ len = MIN(p->tail - p->cur, nbytes);
+ bcopy(p->cur, buf, len);
+ p->cur += len;
+
+ return (int)(p->cur - s);
+}
+
+static int
+fmemopen_write(void *cookie, const char *buf, int nbytes)
+{
+ struct fmemopen_cookie *p;
+ char *s;
+ int len;
+
+ assert(cookie != NULL);
+ assert(buf != NULL && nbytes > 0);
+
+ p = cookie;
+ if (p->cur >= p->tail)
+ return 0;
+ s = p->cur;
+
+ len = MIN(p->tail - p->cur, nbytes);
+
+ bcopy(buf, p->cur, len);
+
+ p->cur += len - 1;
+ if (p->cur == p->tail - 1) {
+ *p->cur = '\0';
+ if (buf[len - 1] == '\0')
+ p->cur++;
+ } else {
+ *++p->cur = '\0';
+ }
+
+ if (p->cur > p->eob)
+ p->eob = p->cur;
+
+ return (int)(p->cur - s);
+}
+
+static fpos_t
+fmemopen_seek(void *cookie, fpos_t offset, int whence)
+{
+ struct fmemopen_cookie *p;
+
+ assert(cookie != NULL);
+
+ p = (struct fmemopen_cookie *)cookie;
+ switch (whence) {
+ case SEEK_SET:
+ break;
+ case SEEK_CUR:
+ offset += p->cur - p->head;
+ break;
+ case SEEK_END:
+ offset += p->eob - p->head;
+ break;
+ default:
+ errno = EINVAL;
+ goto error;
+ }
+ if (offset >= (fpos_t)0 && offset <= p->tail - p->head) {
+ p->cur = p->head + (ptrdiff_t)offset;
+ return (fpos_t)(p->cur - p->head);
+ }
+error:
+ return (fpos_t)-1;
+}
+
+static int
+fmemopen_close0(void *cookie)
+{
+ assert(cookie != NULL);
+
+ free(cookie);
+
+ return 0;
+}
+
+static int
+fmemopen_close1(void *cookie)
+{
+ struct fmemopen_cookie *p;
+
+ assert(cookie != NULL);
+
+ p = cookie;
+ free(p->head);
+ free(p);
+
+ return 0;
+}
+
+
+FILE *
+fmemopen(void * __restrict buf, size_t size, const char * __restrict mode)
+{
+ int flags, oflags;
+ FILE *fp;
+ struct fmemopen_cookie *cookie;
+
+ if (size < (size_t)1)
+ goto invalid;
+
+ flags = __sflags(mode, &oflags);
+ if (flags == 0)
+ return NULL;
+
+ if ((oflags & O_RDWR) == 0 && buf == NULL)
+ goto invalid;
+
+ fp = __sfp();
+ if (fp == NULL)
+ return NULL;
+
+ cookie = malloc(sizeof(*cookie));
+ if (cookie == NULL)
+ goto release;
+
+ if (buf == NULL) {
+ cookie->head = malloc(size);
+ if (cookie->head == NULL) {
+ free(cookie);
+ goto release;
+ }
+ *cookie->head = '\0';
+ fp->_close = &fmemopen_close1;
+ } else {
+ cookie->head = (char *)buf;
+ if (oflags & O_TRUNC)
+ *cookie->head = '\0';
+ fp->_close = &fmemopen_close0;
+ }
+
+ cookie->tail = cookie->head + size;
+ cookie->eob = cookie->head;
+ do {
+ if (*cookie->eob == '\0')
+ break;
+ ++cookie->eob;
+ } while (--size > 0);
+
+ cookie->cur = (oflags & O_APPEND) ? cookie->eob : cookie->head;
+
+ // fp->pub._flags = flags;
+ fp->_write = (flags & __SRD) ? NULL : &fmemopen_write;
+ fp->_read = (flags & __SWR) ? NULL : &fmemopen_read;
+ fp->_seek = &fmemopen_seek;
+ fp->_cookie = (void *)cookie;
+
+ return fp;
+
+invalid:
+ errno = EINVAL;
+ return NULL;
+
+release:
+ //fp->pub._flags = 0;
+ return NULL;
+}
+
+
diff --git a/tlsdate/src/common/fmemopen.h b/tlsdate/src/common/fmemopen.h
new file mode 100644
index 0000000..28a2500
--- /dev/null
+++ b/tlsdate/src/common/fmemopen.h
@@ -0,0 +1,8 @@
+#ifndef TLSDATE_FMEMOPEN_H
+#define TLSDATE_FMEMOPEN_H
+
+#include <stdio.h>
+
+FILE *fmemopen(void *, size_t, const char *);
+
+#endif /* TLSDATE_FMEMOPEN_H */
diff --git a/tlsdate/src/common/strnlen.c b/tlsdate/src/common/strnlen.c
new file mode 100644
index 0000000..38e56e1
--- /dev/null
+++ b/tlsdate/src/common/strnlen.c
@@ -0,0 +1,19 @@
+/*
+ * Trivial strnlen(3) implementation
+ */
+
+#include <stddef.h>
+
+#include "strnlen.h"
+
+size_t
+strnlen(const char *s, size_t limit)
+{
+ size_t len;
+
+ for (len = 0; len < limit; len++)
+ if (*s++ == '\0')
+ break;
+
+ return len;
+}
diff --git a/tlsdate/src/common/strnlen.h b/tlsdate/src/common/strnlen.h
new file mode 100644
index 0000000..945c0d4
--- /dev/null
+++ b/tlsdate/src/common/strnlen.h
@@ -0,0 +1,8 @@
+#ifndef TLSDATE_STRNLEN_H
+#define TLSDATE_STRNLEN_H
+
+#include <stddef.h>
+
+size_t strnlen(const char *, size_t);
+
+#endif /* TLSDATE_STRNLEN_H */
diff --git a/tlsdate/src/compat/clock-darwin.c b/tlsdate/src/compat/clock-darwin.c
new file mode 100644
index 0000000..13cc82a
--- /dev/null
+++ b/tlsdate/src/compat/clock-darwin.c
@@ -0,0 +1,110 @@
+/* Copyright (c) 2012, David Goulet <dgoulet@ev0ke.net>
+ * Jacob Appelbaum <jacob@torproject.org>
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file clock-darwin.c
+ * \brief Contains clock primitives for Mac OS X (Tested on 10.8.2)
+ **/
+
+#include "config.h"
+#include "clock.h"
+#include <stdio.h>
+#include <sys/time.h>
+#include <time.h>
+
+#ifdef __APPLE__
+#include <mach/clock.h>
+#include <mach/clock_priv.h>
+#include <mach/mach.h>
+#include <mach/clock_types.h>
+#include <mach/mach_traps.h>
+#include <mach/clock_reply.h>
+#include <mach/mach_time.h>
+#include <mach/mach_error.h>
+#endif
+
+#include <assert.h>
+
+/**
+ * Get current real time value and store it into time.
+ *
+ * @param time where the current time is stored
+ * @return clock_gettime syscall return value
+ */
+int clock_get_real_time(struct tlsdate_time *time)
+{
+ /* Safety net */
+ assert(time);
+
+ kern_return_t r;
+ clock_serv_t cclock;
+ mach_timespec_t mts;
+
+ r = host_get_clock_service(mach_host_self(), CALENDAR_CLOCK, &cclock);
+ if (r != KERN_SUCCESS)
+ {
+ fprintf(stderr, "host_get_clock_service failed!\n");
+ return -1;
+ }
+
+ r = clock_get_time(cclock, &mts);
+ if (r != KERN_SUCCESS)
+ {
+ fprintf(stderr, "clock_get_time failed!\n");
+ return -1;
+ }
+
+ r = mach_port_deallocate(mach_task_self(), cclock);
+ if (r != KERN_SUCCESS)
+ {
+ fprintf(stderr, "mach_port_deallocate failed!\n");
+ return -1;
+ }
+
+ time->tp.tv_sec = mts.tv_sec;
+ time->tp.tv_nsec = mts.tv_nsec;
+ return r;
+}
+
+/**
+ * Set current real time clock using time.
+ *
+ * @param time where the current time to set is stored
+ * @return clock_settime syscall return value
+ */
+int clock_set_real_time(const struct tlsdate_time *time)
+{
+ /* Safety net */
+ assert(time);
+
+ //printf ("V: server time %u\n", (unsigned int) time->tp.tv_sec);
+ int r;
+ struct timeval tv = {time->tp.tv_sec, 0};
+
+ r = settimeofday(&tv, NULL);
+ if (r != 0)
+ {
+ fprintf(stderr, "setimeofday failed!\n");
+ return -1;
+ }
+
+ return r;
+}
+
+/**
+ * Init a tlsdate_time structure.
+ *
+ * @param sec is the seconds
+ * @param nsec is the nanoseconds
+ */
+void clock_init_time(struct tlsdate_time *time, time_t sec,
+ long nsec)
+{
+ /* Safety net */
+ assert(time);
+
+ time->tp.tv_sec = sec;
+ time->tp.tv_nsec = nsec;
+}
diff --git a/tlsdate/src/compat/clock-hurd.c b/tlsdate/src/compat/clock-hurd.c
new file mode 100644
index 0000000..3d62068
--- /dev/null
+++ b/tlsdate/src/compat/clock-hurd.c
@@ -0,0 +1,59 @@
+/* Copyright (c) 2012, David Goulet <dgoulet@ev0ke.net>
+ * Jacob Appelbaum
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file clock-linux.c
+ * \brief Contains clock primitives for GNU/Linux OS
+ **/
+
+#include "config.h"
+
+#include <assert.h>
+
+#include "src/compat/clock.h"
+
+/**
+ * Get current real time value and store it into time.
+ *
+ * @param time where the current time is stored
+ * @return clock_gettime syscall return value
+ */
+int clock_get_real_time(struct tlsdate_time *time)
+{
+ /* Safety net */
+ assert(time);
+
+ return clock_gettime(CLOCK_REALTIME, &time->tp);
+}
+
+/**
+ * Set current real time clock using time.
+ *
+ * @param time where the current time to set is stored
+ * @return clock_settime syscall return value
+ */
+int clock_set_real_time(const struct tlsdate_time *time)
+{
+ /* Safety net */
+ assert(time);
+
+ return clock_settime(CLOCK_REALTIME, &time->tp);
+}
+
+/**
+ * Init a tlsdate_time structure.
+ *
+ * @param sec is the seconds
+ * @param nsec is the nanoseconds
+ */
+void clock_init_time(struct tlsdate_time *time, time_t sec,
+ long nsec)
+{
+ /* Safety net */
+ assert(time);
+
+ time->tp.tv_sec = sec;
+ time->tp.tv_nsec = nsec;
+}
diff --git a/tlsdate/src/compat/clock-linux.c b/tlsdate/src/compat/clock-linux.c
new file mode 100644
index 0000000..84bc934
--- /dev/null
+++ b/tlsdate/src/compat/clock-linux.c
@@ -0,0 +1,56 @@
+/* Copyright (c) 2012, David Goulet <dgoulet@ev0ke.net>
+ * Jacob Appelbaum
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file clock-linux.c
+ * \brief Contains clock primitives for GNU/Linux OS
+ **/
+
+#include "config.h"
+
+#include <assert.h>
+
+#include "src/compat/clock.h"
+
+/**
+ * Get current real time value and store it into time.
+ *
+ * @param time where the current time is stored
+ * @return clock_gettime syscall return value
+ */
+int clock_get_real_time(struct tlsdate_time *time)
+{
+ /* Safety net */
+ assert (time);
+ return clock_gettime (CLOCK_REALTIME, &time->tp);
+}
+
+/**
+ * Set current real time clock using time.
+ *
+ * @param time where the current time to set is stored
+ * @return clock_settime syscall return value
+ */
+int clock_set_real_time(const struct tlsdate_time *time)
+{
+ /* Safety net */
+ assert (time);
+ return clock_settime (CLOCK_REALTIME, &time->tp);
+}
+
+/**
+ * Init a tlsdate_time structure.
+ *
+ * @param sec is the seconds
+ * @param nsec is the nanoseconds
+ */
+void clock_init_time(struct tlsdate_time *time, time_t sec,
+ long nsec)
+{
+ /* Safety net */
+ assert (time);
+ time->tp.tv_sec = sec;
+ time->tp.tv_nsec = nsec;
+}
diff --git a/tlsdate/src/compat/clock.h b/tlsdate/src/compat/clock.h
new file mode 100644
index 0000000..15f3223
--- /dev/null
+++ b/tlsdate/src/compat/clock.h
@@ -0,0 +1,74 @@
+/* Copyright (c) 2012, David Goulet <dgoulet@ev0ke.net>
+ * Jacob Appelbaum <jacob@torproject.org>
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file clock.h
+ * \brief Header file for the clock primitives.
+ **/
+
+#pragma once
+#ifndef CLOCK_HEADER_GUARD
+#define CLOCK_HEADER_GUARD 1
+
+#include <src/visibility.h>
+
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
+#ifdef TARGET_OS_OPENBSD
+#include <sys/time.h>
+#endif
+
+#ifdef HAVE_MACH_CLOCK_H
+#include <mach/clock.h>
+#endif
+#ifdef HAVE_MACH_MACH_H
+#include <mach/mach.h>
+#endif
+
+struct tlsdate_time {
+#if defined(__linux__) || defined(__FreeBSD__) || defined (__NetBSD__) || defined (__OpenBSD__) || defined (__DragonFly__)
+ struct timespec tp;
+#elif defined(__APPLE__)
+ mach_timespec_t tp;
+#elif _WIN32
+ void *tp;
+#elif TARGET_OS_HAIKU
+ struct timespec tp;
+#elif TARGET_OS_CYGWIN
+ struct timespec tp;
+#elif TARGET_OS_MINGW
+ struct timespec tp;
+#elif TARGET_OS_GNUHURD
+ struct timespec tp;
+#else
+ struct timespec tp;
+#endif
+};
+
+TLSDATE_API
+int clock_get_real_time(struct tlsdate_time *time);
+
+TLSDATE_API
+int clock_set_real_time(const struct tlsdate_time *time);
+
+TLSDATE_API
+void clock_init_time(struct tlsdate_time *time, time_t sec, long nsec);
+
+/* Helper macros to access time values */
+#define CLOCK_SEC(time) ((time)->tp.tv_sec)
+#define CLOCK_MSEC(time) ((time)->tp.tv_nsec / 1000000)
+#define CLOCK_USEC(time) ((time)->tp.tv_nsec / 1000)
+#define CLOCK_NSEC(time) ((time)->tp.tv_nsec)
+
+/* Helper macros to access time values. TODO: Complete them */
+/*
+#define CLOCK_SEC(time)
+#define CLOCK_MSEC(time)
+#define CLOCK_USEC(time)
+#define CLOCK_NSEC(time)
+*/
+#endif // CLOCK_HEADER_GUARD
diff --git a/tlsdate/src/compat/include.am b/tlsdate/src/compat/include.am
new file mode 100644
index 0000000..f499c70
--- /dev/null
+++ b/tlsdate/src/compat/include.am
@@ -0,0 +1,59 @@
+# vim:ft=automake
+
+noinst_LTLIBRARIES+= src/compat/libtlsdate_compat.la
+
+noinst_HEADERS+= src/compat/clock.h
+
+src_compat_libtlsdate_compat_la_SOURCES =
+src_compat_libtlsdate_compat_la_CFLAGS = -DBUILDING_TLSDATE
+src_compat_libtlsdate_compat_la_LIBADD =
+
+if TARGET_OSX
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-darwin.c
+endif
+
+if TARGET_LINUX
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_FREEBSD
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_NETBSD
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_OPENBSD
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_DRAGONFLYBSD
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_BSD
+if !TARGET_NETBSD
+if !TARGET_FREEBSD
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+endif
+endif
+
+if TARGET_GNUHURD
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-hurd.c
+endif
+
+if TARGET_CYGWIN
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_MINGW
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+if TARGET_HAIKU
+src_compat_libtlsdate_compat_la_SOURCES+= src/compat/clock-linux.c
+endif
+
+src_compat_libtlsdate_compat_la_LIBADD+= @RT_LIB@
diff --git a/tlsdate/src/conf-unittest.c b/tlsdate/src/conf-unittest.c
new file mode 100644
index 0000000..aa499fd
--- /dev/null
+++ b/tlsdate/src/conf-unittest.c
@@ -0,0 +1,91 @@
+/*
+ * conf-unittest.c - config parser unit tests
+ * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "src/conf.h"
+#include "src/test_harness.h"
+
+#ifndef HAVE_FMEMOPEN
+#include "src/common/fmemopen.h"
+#endif
+
+FILE *fopenstr (const char *str)
+{
+ /* strlen(str) instead of strlen(str) + 1 because files shouldn't appear
+ * null-terminated. Cast away constness because we're in read mode, but the
+ * fmemopen prototype has no way to express that. */
+ return fmemopen ( (char *) str, strlen (str), "r");
+}
+
+TEST (parse_empty)
+{
+ /* can't do a truly empty file - fmemopen() combusts */
+ FILE *f = fopenstr ("\n");
+ ASSERT_NE (NULL, f);
+ struct conf_entry *e = conf_parse (f);
+ EXPECT_NULL (e);
+ conf_free (e);
+}
+
+TEST (parse_basic)
+{
+ FILE *f = fopenstr ("foo bar\nbaz quxx\n");
+ ASSERT_NE (NULL, f);
+ struct conf_entry *e = conf_parse (f);
+ ASSERT_NE (NULL, e);
+ EXPECT_STREQ (e->key, "foo");
+ EXPECT_STREQ (e->value, "bar");
+ ASSERT_NE (NULL, e->next);
+ EXPECT_STREQ (e->next->key, "baz");
+ EXPECT_STREQ (e->next->value, "quxx");
+ ASSERT_NULL (e->next->next);
+ conf_free (e);
+}
+
+TEST (parse_novalue)
+{
+ FILE *f = fopenstr ("abcdef\n");
+ ASSERT_NE (NULL, f);
+ struct conf_entry *e = conf_parse (f);
+ ASSERT_NE (NULL, e);
+ EXPECT_STREQ (e->key, "abcdef");
+ EXPECT_NULL (e->value);
+ EXPECT_NULL (e->next);
+ conf_free (e);
+}
+
+TEST (parse_whitespace)
+{
+ FILE *f = fopenstr (" fribble grotz \n");
+ ASSERT_NE (NULL, f);
+ struct conf_entry *e = conf_parse (f);
+ ASSERT_NE (NULL, e);
+ EXPECT_STREQ (e->key, "fribble");
+ EXPECT_STREQ (e->value, "grotz ");
+ EXPECT_NULL (e->next);
+ conf_free (e);
+}
+
+TEST (parse_comment)
+{
+ FILE *f = fopenstr ("#foo bar\nbaz quxx\n");
+ ASSERT_NE (NULL, f);
+ struct conf_entry *e = conf_parse (f);
+ ASSERT_NE (NULL, e);
+ EXPECT_STREQ (e->key, "baz");
+ EXPECT_STREQ (e->value, "quxx");
+ EXPECT_NULL (e->next);
+ conf_free (e);
+}
+
+TEST_HARNESS_MAIN
diff --git a/tlsdate/src/conf.c b/tlsdate/src/conf.c
new file mode 100644
index 0000000..7a89932
--- /dev/null
+++ b/tlsdate/src/conf.c
@@ -0,0 +1,97 @@
+/* conf.c - config file parser */
+
+#include "config.h"
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "src/conf.h"
+
+void strip_char (char *line, char c)
+{
+ char *p = strchr (line, c);
+ if (p)
+ *p = '\0';
+}
+
+void strip_newlines (char *line)
+{
+ strip_char (line, '\n');
+ strip_char (line, '\r');
+}
+
+char *eat_whitespace (char *line)
+{
+ while (isspace ((int)(unsigned char)*line))
+ line++;
+ return line;
+}
+
+int is_ignored_line (char *line)
+{
+ return !*line || *line == '#';
+}
+
+struct conf_entry *conf_parse (FILE *f)
+{
+ struct conf_entry *head = NULL;
+ struct conf_entry *tail = NULL;
+ char buf[CONF_MAX_LINE];
+
+ while (fgets (buf, sizeof (buf), f))
+ {
+ struct conf_entry *e;
+ char *start = buf;
+ char *key;
+ char *val;
+ strip_newlines (start);
+ start = eat_whitespace (start);
+ if (is_ignored_line (start))
+ continue;
+ key = strtok (start, " \t");
+ val = strtok (NULL, "");
+ if (val)
+ val = eat_whitespace (val);
+ e = malloc (sizeof *e);
+ if (!e)
+ goto fail;
+ e->next = NULL;
+ e->key = strdup (key);
+ e->value = val ? strdup (val) : NULL;
+ if (!e->key || (val && !e->value))
+ {
+ free (e->key);
+ free (e->value);
+ goto fail;
+ }
+ if (!head)
+ {
+ head = e;
+ tail = e;
+ }
+ else
+ {
+ tail->next = e;
+ tail = e;
+ }
+ }
+
+ return head;
+fail:
+ conf_free (head);
+ return NULL;
+}
+
+void conf_free (struct conf_entry *e)
+{
+ struct conf_entry *n;
+ while (e)
+ {
+ n = e->next;
+ free (e->key);
+ free (e->value);
+ free (e);
+ e = n;
+ }
+}
diff --git a/tlsdate/src/conf.h b/tlsdate/src/conf.h
new file mode 100644
index 0000000..d01290b
--- /dev/null
+++ b/tlsdate/src/conf.h
@@ -0,0 +1,20 @@
+/* conf.h - config file parser */
+
+#ifndef CONF_H
+#define CONF_H
+
+#include <stdio.h>
+
+#define CONF_MAX_LINE 16384
+
+struct conf_entry
+{
+ struct conf_entry *next;
+ char *key;
+ char *value;
+};
+
+struct conf_entry *conf_parse (FILE *f);
+void conf_free (struct conf_entry *e);
+
+#endif /* !CONF_H */
diff --git a/tlsdate/src/configmake.h b/tlsdate/src/configmake.h
new file mode 100644
index 0000000..46c299d
--- /dev/null
+++ b/tlsdate/src/configmake.h
@@ -0,0 +1,8 @@
+/* DO NOT EDIT! GENERATED AUTOMATICALLY! */
+#define TLSDATE_CONFIG "/system/etc/ca-roots/"
+#define TLSDATE_CERTFILE "/system/etc/tlsdate/ca-roots/tlsdate-ca-roots.conf"
+#define TLSDATE_CONF_DIR "/system/etc/tlsdate/"
+#define TLSDATE_HELPER "/system/bin/tlsdate-helper"
+#define TLSDATE "/system/bin/tlsdate"
+#define TLSDATED "/system/bin/tlsdated"
+#define TLSDATE_DBUS_ANNOUNCE "/system/bin/tlsdate-dbus-announce"
diff --git a/tlsdate/src/dbus.c b/tlsdate/src/dbus.c
new file mode 100644
index 0000000..b83e9ef
--- /dev/null
+++ b/tlsdate/src/dbus.c
@@ -0,0 +1,578 @@
+/*
+ * dbus.c - event loop dbus integration
+ * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#include "config.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <dbus/dbus.h>
+#include <event2/event.h>
+#include "src/dbus.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+/* Pointers are needed so that we don't have to deal with array-to-pointer
+ * weirdness with DBus argument passing.
+ */
+static const char kServiceInterfaceData[] = "org.torproject.tlsdate";
+static const char *kServiceInterface = kServiceInterfaceData;
+static const char kServicePathData[] = "/org/torproject/tlsdate";
+static const char *kServicePath = kServicePathData;
+static const char kServiceSetTimeData[] = "SetTime";
+static const char *kServiceSetTime = kServiceSetTimeData;
+static const char kServiceCanSetTimeData[] = "CanSetTime";
+static const char *kServiceCanSetTime = kServiceCanSetTimeData;
+static const char kServiceLastSyncInfoData[] = "LastSyncInfo";
+static const char *kServiceLastSyncInfo = kServiceLastSyncInfoData;
+
+static const char kTimeUpdatedData[] = "TimeUpdated";
+static const char *kTimeUpdated = kTimeUpdatedData;
+
+static
+short
+dbus_to_event (unsigned int flags)
+{
+ short events = 0;
+ if (flags & DBUS_WATCH_READABLE)
+ events |= EV_READ;
+ if (flags & DBUS_WATCH_WRITABLE)
+ events |= EV_WRITE;
+ return events;
+}
+
+static
+unsigned int
+event_to_dbus (short events)
+{
+ unsigned int flags = 0;
+ if (events & EV_READ)
+ flags |= DBUS_WATCH_READABLE;
+ if (events & EV_WRITE)
+ flags |= DBUS_WATCH_WRITABLE;
+ return flags;
+}
+
+static
+void
+watch_handler (evutil_socket_t fd, short what, void *arg)
+{
+ DBusWatch *watch = arg;
+ struct dbus_event_data *data = dbus_watch_get_data (watch);
+ unsigned int flags = event_to_dbus (what);
+ dbus_connection_ref (data->state->conn);
+ while (!dbus_watch_handle (watch, flags))
+ {
+ info ("dbus_watch_handle waiting for memory . . .");
+ /* TODO(wad) this seems like a bad idea. */
+ sleep (1);
+ }
+ while (dbus_connection_dispatch (data->state->conn) ==
+ DBUS_DISPATCH_DATA_REMAINS);
+ dbus_connection_unref (data->state->conn);
+}
+
+static
+dbus_bool_t
+add_watch (DBusWatch *watch, void *user_data)
+{
+ struct state *tlsdate_state = user_data;
+ struct dbus_state *state = tlsdate_state->dbus;
+ struct dbus_event_data *data;
+ /* Don't add anything if it isn't active. */
+ data = dbus_malloc0 (sizeof (struct dbus_event_data));
+ if (!data)
+ return FALSE;
+ data->state = state;
+ data->event = event_new (tlsdate_state->base,
+ dbus_watch_get_unix_fd (watch),
+ EV_PERSIST|dbus_to_event (dbus_watch_get_flags (watch)),
+ watch_handler,
+ watch);
+ if (!data->event)
+ {
+ dbus_free (data);
+ return FALSE;
+ }
+ event_priority_set (data->event, PRI_WAKE);
+
+ dbus_watch_set_data (watch, data, dbus_free);
+ if (!dbus_watch_get_enabled (watch))
+ return TRUE;
+ /* Only add the event if it is enabled. */
+ if (event_add (data->event, NULL))
+ {
+ error ("Could not add a new watch!");
+ event_free (data->event);
+ dbus_free (data);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static
+void
+remove_watch (DBusWatch *watch, void *user_data)
+{
+ struct dbus_event_data *data = dbus_watch_get_data (watch);
+ /* TODO(wad) should this just be in a free_function? */
+ if (data && data->event)
+ {
+ event_del (data->event);
+ event_free (data->event);
+ }
+}
+
+static
+void
+toggle_watch (DBusWatch *watch, void *user_data)
+{
+ struct dbus_event_data *data = dbus_watch_get_data (watch);
+ if (!data || !data->event) /* should not be possible */
+ return;
+ /* If the event is pending, then we have to remove it to
+ * disable it or remove it before re-enabling it.
+ */
+ if (event_pending (data->event,
+ dbus_to_event (dbus_watch_get_flags (watch)), NULL))
+ event_del (data->event);
+ if (dbus_watch_get_enabled (watch))
+ {
+ event_add (data->event, NULL);
+ }
+}
+
+static
+void
+timeout_handler (evutil_socket_t fd, short what, void *arg)
+{
+ DBusTimeout *t = arg;
+ struct dbus_event_data *data = dbus_timeout_get_data (t);
+ dbus_connection_ref (data->state->conn);
+ dbus_timeout_handle (t);
+ dbus_connection_unref (data->state->conn);
+}
+
+static
+dbus_bool_t
+add_timeout (DBusTimeout *t, void *user_data)
+{
+ struct state *tlsdate_state = user_data;
+ struct dbus_state *state = tlsdate_state->dbus;
+ struct dbus_event_data *data;
+ int ms = dbus_timeout_get_interval (t);
+ struct timeval interval;
+ data = dbus_malloc0 (sizeof (struct dbus_event_data));
+ if (!data)
+ return FALSE;
+ interval.tv_sec = ms / 1000;
+ interval.tv_usec = (ms % 1000) * 1000;
+ data->state = state;
+ data->event = event_new (tlsdate_state->base,
+ -1,
+ EV_TIMEOUT|EV_PERSIST,
+ timeout_handler,
+ t);
+ if (!data->event)
+ {
+ dbus_free (data);
+ return FALSE;
+ }
+ event_priority_set (data->event, PRI_WAKE);
+ dbus_timeout_set_data (t, data, dbus_free);
+ /* Only add it to the queue if it is enabled. */
+ if (!dbus_timeout_get_enabled (t))
+ return TRUE;
+ if (event_add (data->event, &interval))
+ {
+ error ("Could not add a new timeout!");
+ event_free (data->event);
+ dbus_free (data);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+static
+void
+remove_timeout (DBusTimeout *t, void *user_data)
+{
+ struct dbus_event_data *data = dbus_timeout_get_data (t);
+ if (data && data->event)
+ {
+ event_del (data->event);
+ event_free (data->event);
+ }
+}
+
+static
+void
+toggle_timeout (DBusTimeout *t, void *user_data)
+{
+ struct dbus_event_data *data = dbus_timeout_get_data (t);
+ int ms = dbus_timeout_get_interval (t);
+ struct timeval interval;
+ /* If the event is pending, then we have to remove it to
+ * disable it or remove it before re-enabling it.
+ */
+ if (evtimer_pending (data->event, NULL))
+ event_del (data->event);
+ if (dbus_timeout_get_enabled (t))
+ {
+ interval.tv_sec = ms / 1000;
+ interval.tv_usec = (ms % 1000) * 1000;
+ event_add (data->event, &interval);
+ }
+}
+
+void
+dbus_announce (struct state *global_state)
+{
+ struct dbus_state *state = global_state->dbus;
+ DBusConnection *conn;
+ DBusMessage *msg;
+ uint32_t ignored;
+ const char *sync_type = sync_type_str (global_state->last_sync_type);
+
+#ifndef TLSDATED_MAIN
+ /* Return early if we're not linked to tlsdated. */
+ return;
+#endif
+
+ conn = state->conn;
+ msg = dbus_message_new_signal (kServicePath, kServiceInterface, kTimeUpdated);
+ if (!msg)
+ {
+ error ("[dbus] could not allocate new announce signal");
+ return;
+ }
+ if (!dbus_message_append_args (msg,
+ DBUS_TYPE_STRING, &sync_type,
+ DBUS_TYPE_INVALID))
+ {
+ error ("[dbus] could not allocate new announce args");
+ return;
+ }
+ if (!dbus_connection_send (conn, msg, &ignored))
+ {
+ error ("[dbus] could not send announce signal");
+ return;
+ }
+}
+
+static
+DBusHandlerResult
+send_time_reply (DBusConnection *connection,
+ DBusMessage *message,
+ dbus_uint32_t code)
+{
+ DBusMessage *reply;
+ DBusMessageIter args;
+ dbus_uint32_t serial = dbus_message_get_serial (message);
+
+ reply = dbus_message_new_method_return (message);
+ if (!reply)
+ {
+ error ("[dbus] no memory to reply to SetTime");
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ if (!dbus_message_set_reply_serial (reply, serial))
+ {
+ error ("[dbus] no memory to set serial for reply to SetTime");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ dbus_message_iter_init_append (reply, &args);
+ if (!dbus_message_iter_append_basic (&args, DBUS_TYPE_UINT32, &code))
+ {
+ error ("[dbus] no memory to add reply args to SetTime");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ if (!dbus_connection_send (connection, reply, &serial))
+ {
+ error ("[dbus] unable to send SetTime reply");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ dbus_connection_flush (connection);
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+DBusHandlerResult
+send_can_reply (DBusConnection *connection,
+ DBusMessage *message,
+ dbus_bool_t allowed)
+{
+ DBusMessage *reply;
+ DBusMessageIter args;
+ dbus_uint32_t serial = dbus_message_get_serial (message);
+
+ reply = dbus_message_new_method_return (message);
+ if (!reply)
+ {
+ error ("[dbus] no memory to reply to CanSetTime");
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ if (!dbus_message_set_reply_serial (reply, serial))
+ {
+ error ("[dbus] no memory to set serial for reply to CanSetTime");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ dbus_message_iter_init_append (reply, &args);
+ if (!dbus_message_iter_append_basic (&args, DBUS_TYPE_BOOLEAN, &allowed))
+ {
+ error ("[dbus] no memory to add reply args to CanSetTime");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ if (!dbus_connection_send (connection, reply, &serial))
+ {
+ error ("[dbus] unable to send CanSetTime reply");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ dbus_connection_flush (connection);
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+/* Returns 0 if time cannot be set, and 1 otherwise. */
+static
+int
+can_set_time (struct state *state)
+{
+ time_t delta = state->clock_delta;
+ /* Force a synchronization check. */
+ if (check_continuity (&delta) > 0)
+ {
+ info ("[event:%s] clock delta desync detected (%ld != %ld)",
+ __func__, state->clock_delta, delta);
+ delta = state->clock_delta = 0;
+ invalidate_time (state);
+ }
+ /* Only use the time if we're not synchronized. */
+ return !state->clock_delta;
+}
+
+static
+DBusHandlerResult
+handle_set_time (DBusConnection *connection,
+ DBusMessage *message,
+ struct state *state)
+{
+ DBusMessageIter iter;
+ DBusError error;
+ dbus_int64_t requested_time = 0;
+ verb_debug ("[event:%s]: fired", __func__);
+ dbus_error_init (&error);
+
+ /* Expects DBUS_TYPE_INT64:<time_t> */
+ if (!dbus_message_iter_init (message, &iter))
+ return send_time_reply (connection, message, SET_TIME_BAD_CALL);
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_INT64)
+ return send_time_reply (connection, message, SET_TIME_BAD_CALL);
+ dbus_message_iter_get_basic (&iter, &requested_time);
+ if (!is_sane_time ((time_t) requested_time))
+ {
+ error ("event:%s] invalid time from user: %ld", __func__,
+ (time_t) requested_time);
+ return send_time_reply (connection, message, SET_TIME_INVALID);
+ }
+ if (!can_set_time (state))
+ {
+ info ("[event:%s]: time is already synchronized.", __func__);
+ return send_time_reply (connection, message, SET_TIME_NOT_ALLOWED);
+ }
+
+ state->last_time = requested_time;
+ state->last_sync_type = SYNC_TYPE_PLATFORM;
+ trigger_event (state, E_SAVE, -1);
+ /* Kick off a network sync for good measure. */
+ action_kickoff_time_sync (-1, EV_TIMEOUT, state);
+
+ return send_time_reply (connection, message, SET_TIME_OK);
+}
+
+static
+DBusHandlerResult
+handle_can_set_time (DBusConnection *connection,
+ DBusMessage *message,
+ struct state *state)
+{
+ verb_debug ("[event:%s]: fired", __func__);
+ return send_can_reply (connection, message, can_set_time (state));
+}
+
+static
+DBusHandlerResult
+handle_last_sync_info (DBusConnection *connection,
+ DBusMessage *message,
+ struct state *state)
+{
+ DBusMessage *reply;
+ DBusMessageIter args;
+ dbus_uint32_t serial = dbus_message_get_serial (message);
+ dbus_bool_t net_synced = !!state->clock_delta;
+ const char *sync = sync_type_str (state->last_sync_type);
+ int64_t t = state->last_time;
+
+ verb_debug ("[dbus]: handler fired");
+ reply = dbus_message_new_method_return (message);
+ if (!reply)
+ {
+ error ("[dbus] no memory to reply to LastSyncInfo");
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ if (!dbus_message_set_reply_serial (reply, serial))
+ {
+ error ("[dbus] no memory to set serial for reply to LastSyncInfo");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ dbus_message_iter_init_append (reply, &args);
+ if (!dbus_message_iter_append_basic (&args, DBUS_TYPE_BOOLEAN, &net_synced))
+ {
+ error ("[dbus] no memory to add reply args to LastSyncInfo");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ if (!dbus_message_iter_append_basic (&args, DBUS_TYPE_STRING, &sync))
+ {
+ error ("[dbus] no memory to add reply args to LastSyncInfo");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ if (!dbus_message_iter_append_basic (&args, DBUS_TYPE_INT64, &t))
+ {
+ error ("[dbus] no memory to add reply args to LastSyncInfo");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+
+ if (!dbus_connection_send (connection, reply, &serial))
+ {
+ error ("[dbus] unable to send LastSyncInfo reply");
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ dbus_connection_flush (connection);
+ dbus_message_unref (reply);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+void
+unregister_service (DBusConnection *conn, void *data)
+{
+ info ("dbus service has been unregistered");
+}
+
+static
+DBusHandlerResult
+service_dispatch (DBusConnection *conn, DBusMessage *msg, void *data)
+{
+ struct state *state = data;
+ const char *interface;
+ const char *method;
+
+ verb_debug ("[dbus] service dispatcher called");
+ if (dbus_message_get_type (msg) != DBUS_MESSAGE_TYPE_METHOD_CALL)
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+
+ interface = dbus_message_get_interface (msg);
+ method = dbus_message_get_member (msg);
+ if (!interface || !method)
+ {
+ verb_debug ("[dbus] service request fired with bogus data");
+ /* Consume it */
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ if (strcmp (interface, kServiceInterface))
+ {
+ verb_debug ("[dbus] invalid interface supplied");
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ if (!strcmp (method, kServiceSetTime))
+ return handle_set_time (conn, msg, state);
+ else if (!strcmp (method, kServiceCanSetTime))
+ return handle_can_set_time (conn, msg, state);
+ else if (!strcmp (method, kServiceLastSyncInfo))
+ return handle_last_sync_info (conn, msg, state);
+ verb_debug ("[dbus] invalid method supplied");
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+
+static DBusObjectPathVTable service_vtable = {
+ .unregister_function = unregister_service,
+ .message_function = service_dispatch,
+};
+
+int
+init_dbus (struct state *tlsdate_state)
+{
+ DBusError error;
+ dbus_error_init (&error);
+ struct dbus_state *state = calloc (1, sizeof (struct dbus_state));
+ if (!state)
+ return 1;
+ tlsdate_state->dbus = state;
+ state->conn = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
+ if (state->conn == NULL || dbus_error_is_set (&error))
+ {
+ error ("[dbus] error when connecting to the bus: %s",
+ error.message);
+ goto err;
+ }
+ if (!dbus_connection_set_timeout_functions (state->conn, add_timeout,
+ remove_timeout, toggle_timeout, tlsdate_state, dbus_free))
+ {
+ error ("[dbus] dbus_connection_set_timeout_functions failed");
+ /* TODO(wad) disconnect from DBus */
+ goto err;
+ }
+ if (!dbus_connection_set_watch_functions (state->conn, add_watch,
+ remove_watch, toggle_watch, tlsdate_state, dbus_free))
+ {
+ error ("[dbus] dbus_connection_set_watch_functions failed");
+ goto err;
+ }
+ if (!dbus_bus_request_name (state->conn, kServiceInterface, 0, &error) ||
+ dbus_error_is_set (&error))
+ {
+ error ("[dbus] failed to get name: %s", error.message);
+ goto err;
+ }
+
+ /* Setup the vtable for dispatching incoming messages. */
+ if (dbus_connection_register_object_path (
+ state->conn, kServicePath, &service_vtable, tlsdate_state) == FALSE)
+ {
+ error ("[dbus] failed to register object path: %s", kServicePath);
+ goto err;
+ }
+
+ verb_debug ("[dbus] initialized");
+ return 0;
+err:
+ tlsdate_state->dbus = NULL;
+ free (state);
+ return 1;
+}
diff --git a/tlsdate/src/dbus.h b/tlsdate/src/dbus.h
new file mode 100644
index 0000000..296ba86
--- /dev/null
+++ b/tlsdate/src/dbus.h
@@ -0,0 +1,47 @@
+/*
+ * dbus.h - event loop dbus integration
+ * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#ifndef DBUS_H_
+#define DBUS_H_
+
+#include "config.h"
+
+#ifdef HAVE_DBUS
+#include <dbus/dbus.h>
+
+#define SET_TIME_OK 0
+#define SET_TIME_INVALID 1
+#define SET_TIME_NOT_ALLOWED 2
+#define SET_TIME_BAD_CALL 3
+
+struct state;
+int init_dbus (struct state *state);
+
+struct dbus_state
+{
+ DBusConnection *conn;
+};
+
+struct dbus_event_data
+{
+ struct dbus_state *state;
+ struct event *event;
+};
+
+void dbus_announce (struct state *);
+
+#else /* !HAVE_DBUS */
+struct state;
+static inline int init_dbus (struct state *state)
+{
+ return 0;
+}
+static inline void dbus_announce (struct state *global_state)
+{
+}
+#endif
+
+#endif /* DBUS_H_ */
diff --git a/tlsdate/src/events/check_continuity.c b/tlsdate/src/events/check_continuity.c
new file mode 100644
index 0000000..9340fa1
--- /dev/null
+++ b/tlsdate/src/events/check_continuity.c
@@ -0,0 +1,77 @@
+/*
+ * check_continuity.c - periodically check local clock deltas
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <time.h>
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+
+/* Returns < 0 on error,
+ * 0 on sync'd,
+ * and > 0 on desync'd.
+ * Old delta is in |delta|. |delta| is overwritten
+ * if >= 0 is returned.
+ *
+ * This event catches any sort of real-time clock jump. A jump is observed
+ * when settimeofday() or adjtimex() is called, or if the RTC misbehaves on
+ * return from suspend. If a jump is detected between a cycle-oriented clock
+ * (MONOTONIC_RAW) and a potentially RTC managed clock (REALTIME), then a
+ * network resynchronization will be required. To avoid requiring this on
+ * every resume-from-suspend, a larger delta represents the largest time jump
+ * allowed before needing a resync.
+ *
+ * Note, CLOCK_BOOTTIME does not resolve this on platforms without a persistent
+ * clock because the RTC still determines the time considered "suspend time".
+ */
+int
+check_continuity (time_t *delta)
+{
+ time_t new_delta;
+ struct timespec monotonic, real;
+ if (clock_gettime (CLOCK_REALTIME, &real) < 0)
+ return -1;
+ if (clock_gettime (CLOCK_MONOTONIC_RAW, &monotonic) < 0)
+ return -1;
+ new_delta = real.tv_sec - monotonic.tv_sec;
+ if (*delta)
+ {
+ /* The allowed delta matches the interval for now. */
+ static const time_t kDelta = CONTINUITY_INTERVAL;
+ if (new_delta < *delta - kDelta || new_delta > *delta + kDelta)
+ {
+ *delta = new_delta;
+ return 1;
+ }
+ }
+ /* First delta after de-sync. */
+ *delta = new_delta;
+ return 0;
+}
+
+/* Sets up a wake event just in case there has not been a wake event
+ * recently enough to catch clock desynchronization. This does not
+ * invalidate the time like the action_invalidate_time event.
+ */
+int setup_event_timer_continuity (struct state *state)
+{
+ struct event *event;
+ struct timeval interval = { state->opts.continuity_interval, 0 };
+ event = event_new (state->base, -1, EV_TIMEOUT|EV_PERSIST,
+ action_kickoff_time_sync, state);
+ if (!event)
+ {
+ error ("Failed to create interval event");
+ return 1;
+ }
+ event_priority_set (event, PRI_WAKE);
+ return event_add (event, &interval);
+}
diff --git a/tlsdate/src/events/kickoff_time_sync.c b/tlsdate/src/events/kickoff_time_sync.c
new file mode 100644
index 0000000..2ed2b0b
--- /dev/null
+++ b/tlsdate/src/events/kickoff_time_sync.c
@@ -0,0 +1,170 @@
+/*
+ * kickoff_time_sync.c - network time synchronization
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#ifdef USE_POLARSSL
+#include <polarssl/entropy.h>
+#include <polarssl/ctr_drbg.h>
+#else
+#include <openssl/rand.h>
+#endif
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+#ifdef USE_POLARSSL
+static int random_init = 0;
+static entropy_context entropy;
+static ctr_drbg_context ctr_drbg;
+static char *pers = "tlsdated";
+#endif
+
+int
+add_jitter (int base, int jitter)
+{
+ int n = 0;
+ if (!jitter)
+ return base;
+#ifdef USE_POLARSSL
+ if (0 == random_init)
+ {
+ entropy_init(&entropy);
+ if (0 > ctr_drbg_init(&ctr_drbg, entropy_func, &entropy,
+ (unsigned char *) pers, strlen(pers)))
+ {
+ pfatal ("Failed to initialize random source");
+ }
+ random_init = 1;
+ }
+ if (0 != ctr_drbg_random(&ctr_drbg, (unsigned char *)&n, sizeof(n)))
+ fatal ("ctr_drbg_random() failed");
+#else
+ if (RAND_bytes ( (unsigned char *) &n, sizeof (n)) != 1)
+ fatal ("RAND_bytes() failed");
+#endif
+ return base + (abs (n) % (2 * jitter)) - jitter;
+}
+
+void
+invalidate_time (struct state *state)
+{
+ state->last_sync_type = SYNC_TYPE_RTC;
+ state->last_time = time (NULL);
+ /* Note(!) this does not invalidate the clock_delta implicitly.
+ * This allows forced invalidation to not lose synchronization
+ * data.
+ */
+}
+
+void
+action_invalidate_time (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ verb_debug ("[event:%s] fired", __func__);
+ /* If time is already invalid and being acquired, do nothing. */
+ if (state->last_sync_type == SYNC_TYPE_RTC &&
+ event_pending (state->events[E_TLSDATE], EV_TIMEOUT, NULL))
+ return;
+ /* Time out our trust in network synchronization but don't persist
+ * the change to disk or notify the system. Let a network sync
+ * failure or success do that.
+ */
+ invalidate_time (state);
+ /* Then trigger a network sync if possible. */
+ action_kickoff_time_sync (-1, EV_TIMEOUT, arg);
+}
+
+int
+setup_event_timer_sync (struct state *state)
+{
+ int wait_time = add_jitter (state->opts.steady_state_interval,
+ state->opts.jitter);
+ struct timeval interval = { wait_time, 0 };
+ state->events[E_STEADYSTATE] = event_new (state->base, -1,
+ EV_TIMEOUT|EV_PERSIST,
+ action_invalidate_time, state);
+ if (!state->events[E_STEADYSTATE])
+ {
+ error ("Failed to create interval event");
+ return 1;
+ }
+ event_priority_set (state->events[E_STEADYSTATE], PRI_ANY);
+ return event_add (state->events[E_STEADYSTATE], &interval);
+}
+
+/* Begins a network synchronization attempt. If the local clocks
+ * are synchronized, then make sure that the _current_ synchronization
+ * source is set to the real-time clock and note that the clock_delta
+ * is unreliable. If the clock was in sync and the last synchronization
+ * source was the network, then this action does nothing.
+ *
+ * In the case of desynchronization, the clock_delta value is used as a
+ * guard to indicate that even if the synchronization source isn't the
+ * network, the source is still tracking the clock delta that was
+ * established from a network source.
+ * TODO(wad) Change the name of clock_delta to indicate that it is the local
+ * clock delta after the last network sync.
+ */
+void action_kickoff_time_sync (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ verb_debug ("[event:%s] fired", __func__);
+ time_t delta = state->clock_delta;
+ int jitter = 0;
+ if (check_continuity (&delta) > 0)
+ {
+ info ("[event:%s] clock delta desync detected (%d != %d)", __func__,
+ state->clock_delta, delta);
+ /* Add jitter iff we had network synchronization once before. */
+ if (state->clock_delta)
+ jitter = add_jitter (30, 30); /* TODO(wad) make configurable */
+ /* Forget the old delta until we have time again. */
+ state->clock_delta = 0;
+ invalidate_time (state);
+ }
+ if (state->last_sync_type == SYNC_TYPE_NET)
+ {
+ verb_debug ("[event:%s] time in sync. skipping", __func__);
+ return;
+ }
+ /* Keep parity with run_tlsdate: for every wake, allow it to retry again. */
+ if (state->tries > 0)
+ {
+ state->tries -= 1;
+ /* Don't bother re-triggering tlsdate */
+ verb_debug ("[event:%s] called while tries are in progress", __func__);
+ return;
+ }
+ /* Don't over-schedule if the first attempt hasn't fired. If a wake event
+ * impacts the result of a proxy resolution, then the updated value can be
+ * acquired on the next run. If the wake comes in after E_TLSDATE is
+ * serviced, then the tries count will be decremented.
+ */
+ if (event_pending (state->events[E_TLSDATE], EV_TIMEOUT, NULL))
+ {
+ verb_debug ("[event:%s] called while tlsdate is pending", __func__);
+ return;
+ }
+ if (!state->events[E_RESOLVER])
+ {
+ trigger_event (state, E_TLSDATE, jitter);
+ return;
+ }
+ /* If the resolver relies on an external response, then make sure that a
+ * tlsdate event is waiting in the wings if the resolver is too slow. Even
+ * if this fires, it won't stop eventual handling of the resolver since it
+ * doesn't event_del() E_RESOLVER.
+ */
+ trigger_event (state, E_TLSDATE, jitter + RESOLVER_TIMEOUT);
+ trigger_event (state, E_RESOLVER, jitter);
+}
diff --git a/tlsdate/src/events/route_up.c b/tlsdate/src/events/route_up.c
new file mode 100644
index 0000000..0691cc7
--- /dev/null
+++ b/tlsdate/src/events/route_up.c
@@ -0,0 +1,93 @@
+/*
+ * route_up.c - wake events for route changes
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/routeup.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+void action_stdin_wakeup (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ char buf[1];
+ verb_debug ("[event:%s] fired", __func__);
+ if (what != EV_READ)
+ return;
+ if (IGNORE_EINTR (read (fd, buf, sizeof (buf))) != sizeof (buf))
+ {
+ error ("[event:%s] unregistering stdin handler - it's broken!",
+ __func__);
+ event_del (state->events[E_ROUTEUP]);
+ return;
+ }
+ action_kickoff_time_sync (-1, EV_TIMEOUT, arg);
+}
+
+void action_netlink_ready (evutil_socket_t fd, short what, void *arg)
+{
+ struct routeup routeup_cfg;
+ verb_debug ("[event:%s] fired", __func__);
+ routeup_cfg.netlinkfd = fd;
+ if (what & EV_READ)
+ {
+ if (routeup_process (&routeup_cfg) == 0)
+ {
+ verb_debug ("[event:%s] routes changed", __func__);
+ /* Fire off a proxy resolution attempt and a new sync request */
+ action_kickoff_time_sync (-1, EV_TIMEOUT, arg);
+ }
+ }
+}
+
+int setup_event_route_up (struct state *state)
+{
+ event_callback_fn handler;
+ int fd = -1;
+ struct routeup routeup_cfg;
+ if (state->opts.should_netlink)
+ {
+ if (routeup_setup (&routeup_cfg))
+ {
+ error ("routeup_setup() failed");
+ return 1;
+ }
+ fd = routeup_cfg.netlinkfd;
+ handler = action_netlink_ready;
+ }
+ else /* Listen for cues from stdin */
+ {
+ fd = STDIN_FILENO;
+ if (fcntl (fd, F_SETFL, O_NONBLOCK) < 0)
+ {
+ perror ("stdin fcntl(O_NONBLOCK) failed");
+ return 1;
+ }
+ handler = action_stdin_wakeup;
+ }
+ state->events[E_ROUTEUP] = event_new (state->base, fd,
+ EV_READ|EV_PERSIST, handler, state);
+ if (!state->events[E_ROUTEUP])
+ {
+ if (state->opts.should_netlink)
+ {
+ routeup_teardown (&routeup_cfg);
+ }
+ return 1;
+ }
+ event_priority_set (state->events[E_ROUTEUP], PRI_WAKE);
+ event_add (state->events[E_ROUTEUP], NULL);
+ return 0;
+}
diff --git a/tlsdate/src/events/run_tlsdate.c b/tlsdate/src/events/run_tlsdate.c
new file mode 100644
index 0000000..544eb45
--- /dev/null
+++ b/tlsdate/src/events/run_tlsdate.c
@@ -0,0 +1,77 @@
+/*
+ * run_tlsdate.c - events for running tlsdate
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/dbus.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+/* TODO(wad) split out backoff logic to make this testable */
+void action_run_tlsdate (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ verb_debug ("[event:%s] fired", __func__);
+ if (state->last_sync_type == SYNC_TYPE_NET)
+ {
+ verb ("[event:%s] called, but network time isn't needed",
+ __func__);
+ return;
+ }
+ state->resolving = 0;
+ if (state->running)
+ {
+ /* It's possible that a network or proxy change occurred during a call. If
+ * the call succeeded, it doesn't matter. If the call fails, reissuing
+ * the attempt with the new configuration has a chance of succeeding. To
+ * avoid missing a retry, we decrement the try count and reset the
+ * backoff.
+ */
+ if (state->tries > 0)
+ {
+ state->tries--;
+ /* TODO(wad) Make a shorter retry constant for this. */
+ state->backoff = state->opts.wait_between_tries;
+ }
+ info ("[event:%s] requested re-run of tlsdate while tlsdate is running",
+ __func__);
+ return;
+ }
+ /* Enforce maximum retries here instead of in sigchld.c */
+ if (state->tries < state->opts.max_tries)
+ {
+ state->tries++;
+ }
+ else
+ {
+ state->tries = 0;
+ state->backoff = state->opts.wait_between_tries;
+ error ("[event:%s] tlsdate tried and failed to get the time", __func__);
+ return;
+ }
+ state->running = 1;
+ verb ("[event:%s] attempt %d backoff %d", __func__,
+ state->tries, state->backoff);
+ /* Setup a timeout before killing tlsdate */
+ trigger_event (state, E_TLSDATE_TIMEOUT,
+ state->opts.subprocess_wait_between_tries);
+ /* Add the response listener event */
+ trigger_event (state, E_TLSDATE_STATUS, -1);
+ /* Fire off the child process now! */
+ if (tlsdate (state))
+ {
+ /* TODO(wad) Should this be fatal? */
+ error ("[event:%s] tlsdate failed to launch!", __func__);
+ state->running = 0;
+ state->tries = 0;
+ event_del (state->events[E_TLSDATE_TIMEOUT]);
+ return;
+ }
+}
diff --git a/tlsdate/src/events/save.c b/tlsdate/src/events/save.c
new file mode 100644
index 0000000..8fa733e
--- /dev/null
+++ b/tlsdate/src/events/save.c
@@ -0,0 +1,63 @@
+/*
+ * save.c - send new time to the time setter
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <string.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+void action_sync_and_save (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ time_t t = state->last_time;
+ ssize_t bytes;
+ verb_debug ("[event:%s] fired", __func__);
+ /* For all non-net sources, don't write to disk by
+ * flagging the time negative. We don't use negative
+ * times and this won't effect shutdown (0) writes.
+ */
+ if (state->last_sync_type != SYNC_TYPE_NET)
+ t = -t;
+ if (what & EV_READ)
+ {
+ /* EPIPE/EBADF notification */
+ error ("[event:%s] time setter is gone!", __func__);
+ /* SIGCHLD will handle teardown. */
+ return;
+ }
+ bytes = IGNORE_EINTR (write (fd, &t, sizeof (t)));
+ if (bytes == -1)
+ {
+ if (errno == EPIPE)
+ {
+ error ("[event:%s] time setter is gone! (EPIPE)", __func__);
+ return;
+ }
+ if (errno == EAGAIN)
+ return; /* Get notified again. */
+ error ("[event:%s] Unexpected errno %d", __func__, errno);
+ }
+ if (bytes != sizeof (t))
+ pfatal ("[event:%s] unexpected write to time setter (%d)",
+ __func__, bytes);
+ /* If we're going down and we wrote the time, send a shutdown message. */
+ if (state->exitting && t)
+ {
+ state->last_time = 0;
+ action_sync_and_save (fd, what, arg);
+ /* TODO(wad) platform->pgrp_kill() ? */
+ }
+ return;
+}
diff --git a/tlsdate/src/events/sigchld.c b/tlsdate/src/events/sigchld.c
new file mode 100644
index 0000000..66d2fe0
--- /dev/null
+++ b/tlsdate/src/events/sigchld.c
@@ -0,0 +1,141 @@
+/*
+ * sigchld.c - event for SIGCHLD
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <event2/event.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+#include "src/conf.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+/* Returns 1 if a death was handled, otherwise 0. */
+int
+handle_child_death (struct state *state)
+{
+ siginfo_t info;
+ int ret;
+ info.si_pid = 0;
+ ret = waitid (P_ALL, -1, &info, WEXITED|WNOHANG);
+ if (ret == -1)
+ {
+ if (errno == ECHILD)
+ return 0;
+ perror ("[event:%s] waitid() failed after SIGCHLD", __func__);
+ return 0;
+ }
+ if (info.si_pid == 0)
+ {
+ return 0;
+ }
+ if (info.si_pid == state->setter_pid)
+ {
+ report_setter_error (&info);
+ event_base_loopbreak (state->base);
+ return 1;
+ }
+ if (info.si_pid != state->tlsdate_pid)
+ {
+ error ("[event:%s] SIGCHLD for an unknown process -- "
+ "pid:%d uid:%d status:%d code:%d", __func__,
+ info.si_pid, info.si_uid, info.si_status, info.si_code);
+ return 1;
+ }
+ verb ("[event:%s] tlsdate reaped => "
+ "pid:%d uid:%d status:%d code:%d", __func__,
+ info.si_pid, info.si_uid, info.si_status, info.si_code);
+
+ /* If it was still active, remove it. */
+ event_del (state->events[E_TLSDATE_TIMEOUT]);
+ state->running = 0;
+ state->tlsdate_pid = 0;
+ /* Clean exit - don't rerun! */
+ if (info.si_status == 0)
+ return 1;
+ verb_debug ("[event:%s] scheduling a retry", __func__);
+ /* Rerun a failed tlsdate */
+ if (state->backoff < MAX_SANE_BACKOFF)
+ state->backoff *= 2;
+ /* If there is no resolver, call tlsdate directly. */
+ if (!state->events[E_RESOLVER])
+ {
+ trigger_event (state, E_TLSDATE, state->backoff);
+ return 1;
+ }
+ /* Run tlsdate even if the resolver doesn't come back. */
+ trigger_event (state, E_TLSDATE, RESOLVER_TIMEOUT + state->backoff);
+ /* Schedule the resolver. This is always done after tlsdate in case there
+ * is no resolver.
+ */
+ trigger_event (state, E_RESOLVER, state->backoff);
+ return 1;
+}
+
+/* Returns 1 if a death was handled, otherwise 0. */
+int
+handle_child_stop (struct state *state)
+{
+ /* Handle unexpected external interactions */
+ siginfo_t info;
+ int ret;
+ info.si_pid = 0;
+ ret = waitid (P_ALL, -1, &info, WSTOPPED|WCONTINUED|WNOHANG);
+ if (ret == -1)
+ {
+ if (errno == ECHILD)
+ return 0;
+ perror ("[event:%s] waitid() failed after SIGCHLD", __func__);
+ return 0;
+ }
+ if (info.si_pid == 0)
+ return 0;
+ info ("[event:%s] a child has been STOPPED or CONTINUED. Killing it.",
+ __func__);
+ /* Kill it then catch the next SIGCHLD. */
+ if (kill (info.si_pid, SIGKILL))
+ {
+ if (errno == EPERM)
+ fatal ("[event:%s] cannot terminate STOPPED privileged child",
+ __func__);
+ if (errno == ESRCH)
+ info ("[event:%s] child gone before we could kill it",
+ __func__);
+ }
+ return 1;
+}
+
+void
+action_sigchld (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ verb_debug ("[event:%s] a child process has SIGCHLD'd!", __func__);
+ /* Process SIGCHLDs in two steps: death and stopped until all
+ * pending children are sorted.
+ */
+ if (!handle_child_death (state) && !handle_child_stop (state))
+ verb ("[event:%s] SIGCHLD fired but no children ready!", __func__);
+ while (handle_child_death (state) || handle_child_stop (state));
+}
+
+int
+setup_sigchld_event (struct state *state, int persist)
+{
+ state->events[E_SIGCHLD] = event_new (state->base, SIGCHLD,
+ EV_SIGNAL| (persist ? EV_PERSIST : 0),
+ action_sigchld, state);
+ if (!state->events[E_SIGCHLD])
+ return 1;
+ /* Make sure this is lower than SAVE so we get any error
+ * messages back from the time setter.
+ */
+ event_priority_set (state->events[E_SIGCHLD], PRI_NET);
+ event_add (state->events[E_SIGCHLD], NULL);
+ return 0;
+}
diff --git a/tlsdate/src/events/sigterm.c b/tlsdate/src/events/sigterm.c
new file mode 100644
index 0000000..ff09ab8
--- /dev/null
+++ b/tlsdate/src/events/sigterm.c
@@ -0,0 +1,33 @@
+/*
+ * sigterm.c - handler for SIGTERM
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <sys/time.h>
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+/* On sigterm, grab the system clock and write it before terminating */
+void action_sigterm (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ struct timeval tv;
+ info ("[event:%s] starting graceful shutdown . . .", __func__);
+ state->exitting = 1;
+ if (platform->time_get (&tv))
+ {
+ pfatal ("[event:%s] couldn't gettimeofday to exit gracefully", __func__);
+ }
+ /* Don't change the last sync_type */
+ state->last_time = tv.tv_sec;
+ /* Immediately save and exit. */
+ trigger_event (state, E_SAVE, -1);
+}
diff --git a/tlsdate/src/events/time_set.c b/tlsdate/src/events/time_set.c
new file mode 100644
index 0000000..edc30c9
--- /dev/null
+++ b/tlsdate/src/events/time_set.c
@@ -0,0 +1,174 @@
+/*
+ * time_set.c - time setting functions
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/dbus.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+void
+handle_time_setter (struct state *state, int status)
+{
+ switch (status)
+ {
+ case SETTER_BAD_TIME:
+ info ("[event:%s] time setter received bad time", __func__);
+ /* This is the leaf node. Failure means that our source
+ * tried to walk back in time.
+ */
+ state->last_sync_type = SYNC_TYPE_RTC;
+ state->last_time = time (NULL);
+ break;
+ case SETTER_TIME_SET:
+ info ("[event:%s] time set from the %s (%ld)",
+ __func__, sync_type_str (state->last_sync_type), state->last_time);
+ if (state->last_sync_type == SYNC_TYPE_NET)
+ {
+ /* Update the delta so it doesn't fire again immediately. */
+ state->clock_delta = 0;
+ check_continuity (&state->clock_delta);
+ /* Reset the sources list! */
+ state->opts.cur_source = NULL;
+ }
+ /* Share our success. */
+ if (state->opts.should_dbus)
+ dbus_announce (state);
+ break;
+ case SETTER_NO_SBOX:
+ error ("[event:%s] time setter failed to sandbox", __func__);
+ break;
+ case SETTER_EXIT:
+ error ("[event:%s] time setter exited gracefully", __func__);
+ break;
+ case SETTER_SET_ERR:
+ error ("[event:%s] time setter could not settimeofday()", __func__);
+ break;
+ case SETTER_NO_RTC:
+ error ("[event:%s] time setter could sync rtc", __func__);
+ break;
+ case SETTER_NO_SAVE:
+ error ("[event:%s] time setter could not open save file", __func__);
+ break;
+ case SETTER_READ_ERR:
+ error ("[event:%s] time setter could not read time", __func__);
+ break;
+ default:
+ error ("[event:%s] received bogus status from time setter: %d",
+ __func__, status);
+ exit (status);
+ }
+}
+
+void
+action_time_set (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ int status = -1;
+ ssize_t bytes = 0;
+ verb_debug ("[event:%s] fired", __func__);
+ bytes = IGNORE_EINTR (read (fd, &status, sizeof (status)));
+ if (bytes == -1 && errno == EAGAIN)
+ return; /* Catch next wake up */
+ /* Catch the rest of the errnos and any truncation. */
+ if (bytes != sizeof (status))
+ {
+ /* Truncation of an int over a pipe shouldn't happen except in
+ * terminal cases.
+ */
+ perror ("[event:%s] time setter pipe truncated! (%d)", __func__,
+ bytes);
+ /* Let SIGCHLD do the teardown. */
+ close (fd);
+ return;
+ }
+ handle_time_setter (state, status);
+}
+
+int
+setup_time_setter (struct state *state)
+{
+ struct event *event;
+ int to_fds[2];
+ int from_fds[2];
+ if (pipe (to_fds) < 0)
+ {
+ perror ("pipe failed");
+ return 1;
+ }
+ if (pipe (from_fds) < 0)
+ {
+ perror ("pipe failed");
+ close (to_fds[0]);
+ close (to_fds[1]);
+ return 1;
+ }
+ /* The fd that tlsdated will write to */
+ state->setter_save_fd = to_fds[1];
+ state->setter_notify_fd = from_fds[0];
+ /* Make the notifications fd non-blocking. */
+ if (fcntl (from_fds[0], F_SETFL, O_NONBLOCK) < 0)
+ {
+ perror ("notifier_fd fcntl(O_NONBLOCK) failed");
+ goto close_and_fail;
+ }
+ /* Make writes non-blocking */
+ if (fcntl (to_fds[1], F_SETFL, O_NONBLOCK) < 0)
+ {
+ perror ("save_fd fcntl(O_NONBLOCK) failed");
+ goto close_and_fail;
+ }
+ event = event_new (state->base, from_fds[0], EV_READ|EV_PERSIST,
+ action_time_set, state);
+ if (!event)
+ {
+ error ("Failed to allocate tlsdate setter event");
+ goto close_and_fail;
+ }
+ event_priority_set (event, PRI_NET);
+ event_add (event, NULL);
+ /* fork */
+ state->setter_pid = fork();
+ if (state->setter_pid < 0)
+ {
+ perror ("fork()ing the time setter failed");
+ goto close_and_fail;
+ }
+ if (state->setter_pid == 0)
+ {
+ close (to_fds[1]);
+ close (from_fds[0]);
+ time_setter_coprocess (to_fds[0], from_fds[1], state);
+ _exit (1);
+ }
+ close (from_fds[1]);
+ close (to_fds[0]);
+ return 0;
+
+close_and_fail:
+ close (to_fds[0]);
+ close (to_fds[1]);
+ close (from_fds[0]);
+ close (from_fds[1]);
+ return 1;
+}
diff --git a/tlsdate/src/events/tlsdate_status.c b/tlsdate/src/events/tlsdate_status.c
new file mode 100644
index 0000000..9c6a6a9
--- /dev/null
+++ b/tlsdate/src/events/tlsdate_status.c
@@ -0,0 +1,148 @@
+/*
+ * tlsdate_status.c - handles tlsdate-monitor responses
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+/* Returns < 0 on error, > 0 on eagain, and 0 on success */
+int
+read_tlsdate_response (int fd, time_t *t)
+{
+ /* TLS passes time as a 32-bit value. */
+ uint32_t server_time = 0;
+ ssize_t ret = IGNORE_EINTR (read (fd, &server_time, sizeof (server_time)));
+ if (ret == -1 && errno == EAGAIN)
+ {
+ /* Full response isn't ready yet. */
+ return 1;
+ }
+ if (ret != sizeof (server_time))
+ {
+ /* End of pipe (0) or truncated: death probable. */
+ error ("[event:(%s)] invalid time read from tlsdate (rd:%d,ret:%zd).",
+ __func__, server_time, ret);
+ return -1;
+ }
+ /* uint32_t moves to signed long so there is room for silliness. */
+ *t = server_time;
+ return 0;
+}
+
+void
+action_tlsdate_timeout (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ info ("[event:%s] tlsdate timed out", __func__);
+ /* Force kill it and let action_sigchld rerun. */
+ if (state->tlsdate_pid)
+ kill (state->tlsdate_pid, SIGKILL);
+}
+
+void
+action_tlsdate_status (evutil_socket_t fd, short what, void *arg)
+{
+ struct state *state = arg;
+ time_t t = 0;
+ int ret = read_tlsdate_response (fd, &t);
+ verb_debug ("[event:%s] fired", __func__);
+ if (ret < 0)
+ {
+ verb_debug ("[event:%s] forcibly timing out tlsdate", __func__);
+ trigger_event (state, E_TLSDATE_TIMEOUT, 0);
+ return;
+ }
+ if (ret)
+ {
+ /* EAGAIN'd: wait for the rest. */
+ trigger_event (state, E_TLSDATE_STATUS, -1);
+ return;
+ }
+ if (is_sane_time (t))
+ {
+ /* Note that last_time is from an online source */
+ state->last_sync_type = SYNC_TYPE_NET;
+ state->last_time = t;
+ trigger_event (state, E_SAVE, -1);
+ }
+ else
+ {
+ error ("[event:%s] invalid time received from tlsdate: %ld",
+ __func__, t);
+ }
+ /* Restore the backoff and tries count on success, insane or not.
+ * On failure, the event handler does it.
+ */
+ state->tries = 0;
+ state->backoff = state->opts.wait_between_tries;
+ return;
+}
+
+/* Returns 0 on success and populates |fds| */
+int
+new_tlsdate_monitor_pipe (int fds[2])
+{
+ if (pipe (fds) < 0)
+ {
+ perror ("pipe failed");
+ return -1;
+ }
+ /* TODO(wad): CLOEXEC, Don't leak these into tlsdate proper. */
+ return 0;
+}
+
+/* Create a fd pair that the tlsdate runner will communicate over */
+int
+setup_tlsdate_status (struct state *state)
+{
+ int fds[2] = { -1, -1 };
+ /* One pair of pipes are reused along with the event. */
+ if (new_tlsdate_monitor_pipe (fds))
+ {
+ return -1;
+ }
+ verb_debug ("[%s] monitor fd pair (%d, %d)", __func__, fds[0], fds[1]);
+ /* The fd that the monitor process will write to */
+ state->tlsdate_monitor_fd = fds[1];
+ /* Make the reader fd non-blocking and not leak into tlsdate. */
+ if (fcntl (fds[0], F_SETFL, O_NONBLOCK|O_CLOEXEC) < 0)
+ {
+ perror ("pipe[0] fcntl(O_NONBLOCK) failed");
+ return 1;
+ }
+ state->events[E_TLSDATE_STATUS] = event_new (state->base, fds[0],
+ EV_READ,
+ action_tlsdate_status, state);
+ if (!state->events[E_TLSDATE_STATUS])
+ {
+ error ("Failed to allocate tlsdate status event");
+ return 1;
+ }
+ event_priority_set (state->events[E_TLSDATE_STATUS], PRI_NET);
+ state->events[E_TLSDATE_TIMEOUT] = event_new (state->base, -1,
+ EV_TIMEOUT,
+ action_tlsdate_timeout, state);
+ if (!state->events[E_TLSDATE_TIMEOUT])
+ {
+ error ("Failed to allocate tlsdate timeout event");
+ return 1;
+ }
+ event_priority_set (state->events[E_TLSDATE_TIMEOUT], PRI_SAVE);
+ return 0;
+}
diff --git a/tlsdate/src/include.am b/tlsdate/src/include.am
new file mode 100644
index 0000000..6e1e321
--- /dev/null
+++ b/tlsdate/src/include.am
@@ -0,0 +1,456 @@
+# vim:ft=automake
+
+src_tlsdate_SOURCES=
+src_tlsdate_LDADD=
+
+src_tlsdate_helper_CFLAGS=
+src_tlsdate_helper_SOURCES=
+src_tlsdate_helper_LDADD=
+
+include src/compat/include.am
+
+# Our main program
+if TARGET_LINUX
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+if HAVE_SECCOMP_FILTER
+src_tlsdate_helper_SOURCES+= src/seccomp.c
+endif
+
+sbin_PROGRAMS+= src/tlsdated
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+
+if HAVE_ANDROID
+src_conf_unittest_SOURCES+= src/common/fmemopen.c
+endif
+
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif # TARGET_LINUX
+
+if TARGET_GNUKFREEBSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_FREEBSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_NETBSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+
+# XXX This conditional should apply for any system where we're building
+# conf_unittest, but I don't know how to tell that to automake.
+if !HAVE_FMEMOPEN
+if HAVE_FUNOPEN
+src_conf_unittest_SOURCES+= src/common/fmemopen-funopen.c
+endif
+endif
+
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_OPENBSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+src_conf_unittest_SOURCES+= src/common/fmemopen.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_DRAGONFLYBSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_BSD
+if !TARGET_FREEBSD
+if !TARGET_NETBSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+endif
+endif
+
+if TARGET_GNUHURD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_CYGWIN
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_MINGW
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_HAIKU
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+
+if TARGET_OSX
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+endif
+
+src_tlsdate_SOURCES+= src/tlsdate.c
+src_tlsdate_CFLAGS = -DBUILDING_TLSDATE
+
+src_tlsdate_helper_CFLAGS+= @SSL_CFLAGS@
+src_tlsdate_helper_LDADD+= @SSL_LIBS@
+src_tlsdate_helper_LDADD+= src/compat/libtlsdate_compat.la
+src_tlsdate_helper_SOURCES+= src/tlsdate-helper.c
+
+if POLARSSL
+src_tlsdate_helper_SOURCES+= src/proxy-polarssl.c
+else
+# OpenSSL is our default if we're not using PolarSSL
+src_tlsdate_helper_SOURCES+= src/proxy-bio.c
+endif
+src_tlsdate_helper_SOURCES+= src/util.c
+
+if !HAVE_STRNLEN
+src_tlsdate_helper_SOURCES+= src/common/strnlen.c
+endif
+
+# This doesn't work on Mac OS X
+if TARGET_LINUX
+
+src_tlsdated_CFLAGS = $(DBUS_CFLAGS) $(LIBEVENT_CFLAGS) @SSL_CFLAGS@
+src_tlsdated_CPPFLAGS = -DTLSDATED_MAIN -DWITH_EVENTS
+if SECCOMP_FILTER_DEBUG
+src_tlsdated_CPPFLAGS += -DSECCOMP_FILTER_DEBUG=1
+endif
+src_tlsdated_LDADD = @SSL_LIBS@ $(RT_LIB) $(DBUS_LIBS) $(LIBEVENT_LIBS)
+src_tlsdated_SOURCES = src/conf.c
+
+# This doesn't work on Mac OS X or FreeBSD
+if TARGET_LINUX
+src_tlsdated_SOURCES+= src/routeup.c
+endif
+
+if HAVE_DBUS
+src_tlsdated_SOURCES+= src/dbus.c
+endif
+if HAVE_CROS
+src_tlsdated_SOURCES+= src/platform-cros.c
+endif
+if HAVE_SECCOMP_FILTER
+src_tlsdated_SOURCES+= src/seccomp.c
+endif
+src_tlsdated_SOURCES+= src/tlsdate-monitor.c
+src_tlsdated_SOURCES+= src/tlsdate-setter.c
+src_tlsdated_SOURCES+= src/tlsdated.c
+src_tlsdated_SOURCES+= src/util.c
+src_tlsdated_SOURCES+= src/events/check_continuity.c
+src_tlsdated_SOURCES+= src/events/kickoff_time_sync.c
+src_tlsdated_SOURCES+= src/events/route_up.c
+src_tlsdated_SOURCES+= src/events/run_tlsdate.c
+src_tlsdated_SOURCES+= src/events/sigterm.c
+src_tlsdated_SOURCES+= src/events/sigchld.c
+src_tlsdated_SOURCES+= src/events/save.c
+src_tlsdated_SOURCES+= src/events/time_set.c
+src_tlsdated_SOURCES+= src/events/tlsdate_status.c
+
+src_tlsdated_unittest_CFLAGS = $(DBUS_CFLAGS) $(LIBEVENT_CFLAGS)
+src_tlsdated_unittest_CPPFLAGS = -DWITH_EVENTS
+if SECCOMP_FILTER_DEBUG
+src_tlsdated_unittest_CPPFLAGS += -DSECCOMP_FILTER_DEBUG=1
+endif
+src_tlsdated_unittest_LDADD = @SSL_LIBS@ $(RT_LIB) $(DBUS_LIBS) $(LIBEVENT_LIBS)
+src_tlsdated_unittest_SOURCES = src/tlsdated-unittest.c
+src_tlsdated_unittest_SOURCES+= $(src_tlsdated_SOURCES)
+
+check_PROGRAMS+= src/tlsdated_unittest
+noinst_PROGRAMS+= src/tlsdated_unittest
+endif
+
+# This doesn't work on Mac OS X
+if TARGET_LINUX
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+if HAVE_SECCOMP_FILTER
+src_proxy_bio_unittest_SOURCES+= src/seccomp.c
+endif
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_FREEBSD
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+# XXX This conditional should apply for any system where we're building
+# conf_unittest, but I don't know how to tell that to automake.
+if !HAVE_FMEMOPEN
+if HAVE_FUNOPEN
+src_conf_unittest_SOURCES+= src/common/fmemopen-funopen.c
+endif
+endif
+endif
+
+if TARGET_NETBSD
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+
+# XXX This conditional should apply for any system where we're building
+# proxy_bio_unittest, but I don't know how to tell that to automake.
+if !HAVE_STRNLEN
+src_proxy_bio_unittest_SOURCES+= src/common/strnlen.c
+endif
+
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_OPENBSD
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+src_proxy_bio_unittest_SOURCES+= src/common/fmemopen.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_DRAGONFLYBSD
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_BSD
+if !POLARSSL
+if !TARGET_FREEBSD
+if !TARGET_NETBSD
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+endif
+endif
+
+if TARGET_GNUHURD
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_CYGWIN
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_MINGW
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+if TARGET_HAIKU
+if !POLARSSL
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+endif
+endif
+
+# We're not shipping headers
+noinst_HEADERS+= src/routeup.h
+noinst_HEADERS+= src/test_harness.h
+noinst_HEADERS+= src/tlsdate-helper.h
+noinst_HEADERS+= src/seccomp.h
+noinst_HEADERS+= src/seccomp-compat.h
+noinst_HEADERS+= src/tlsdate.h
+noinst_HEADERS+= src/util.h
+noinst_HEADERS+= src/visibility.h
+noinst_HEADERS+= src/proxy-bio.h
+noinst_HEADERS+= src/proxy-polarssl.h
+noinst_HEADERS+= src/test-bio.h
+noinst_HEADERS+= src/conf.h
+noinst_HEADERS+= src/dbus.h
+noinst_HEADERS+= src/platform.h
+
+# This is our explicit target list
+# We do not attempt to build with PolarSSL
+if !POLARSSL
+if !TARGET_LINUX
+if !TARGET_OSX
+if !TARGET_OPENBSD
+if !TARGET_NETBSD
+if !TARGET_FREEBSD
+if !TARGET_DRAGONFLYBSD
+if !TARGET_HAIKU
+if !TARGET_GNUHURD
+if !TARGET_CYGWIN
+if !TARGET_MINGW
+if !TARGET_BSD
+bin_PROGRAMS+= src/tlsdate
+bin_PROGRAMS+= src/tlsdate-helper
+
+src_conf_unittest_SOURCES = src/conf.c
+src_conf_unittest_SOURCES+= src/conf-unittest.c
+check_PROGRAMS+= src/conf_unittest
+noinst_PROGRAMS+= src/conf_unittest
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+
+if !POLARSSL
+if !TARGET_LINUX
+if !TARGET_OSX
+if !TARGET_OPENBSD
+if !TARGET_NETBSD
+if !TARGET_FREEBSD
+if !TARGET_GNUKFREEBSD
+if !TARGET_DRAGONFLYBSD
+if !TARGET_HAIKU
+if !TARGET_GNUHURD
+if !TARGET_CYGWIN
+if !TARGET_MINGW
+if !TARGET_BSD
+src_proxy_bio_unittest_LDADD = @SSL_LIBS@
+src_proxy_bio_unittest_SOURCES = src/proxy-bio.c
+src_proxy_bio_unittest_SOURCES+= src/proxy-bio-unittest.c
+src_proxy_bio_unittest_SOURCES+= src/test-bio.c
+src_proxy_bio_unittest_SOURCES+= src/util.c
+check_PROGRAMS+= src/proxy-bio_unittest
+noinst_PROGRAMS+= src/proxy-bio_unittest
+
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+endif
+
+
+check_PROGRAMS+= src/test/proxy-override src/test/check-host-1 \
+ src/test/check-host-2 src/test/sleep-wrap \
+ src/test/return-argc src/test/emit
diff --git a/tlsdate/src/platform-cros.c b/tlsdate/src/platform-cros.c
new file mode 100644
index 0000000..9341750
--- /dev/null
+++ b/tlsdate/src/platform-cros.c
@@ -0,0 +1,615 @@
+/*
+ * platform-cros.c - CrOS platform DBus integration
+ * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#include "config.h"
+
+#include <ctype.h>
+#include <dbus/dbus.h>
+#include <errno.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <string.h>
+#include <time.h>
+
+#include <event2/event.h>
+
+#include "src/dbus.h"
+#include "src/platform.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+static const char kMatchFormatData[] = "interface='%s',member='%s',arg0='%s'";
+static const char *kMatchFormat = kMatchFormatData;
+static const char kMatchNoArgFormatData[] = "interface='%s',member='%s'";
+static const char *kMatchNoArgFormat = kMatchNoArgFormatData;
+
+static const char kLibCrosDestData[] = "org.chromium.LibCrosService";
+static const char *kLibCrosDest = kLibCrosDestData;
+static const char kLibCrosInterfaceData[] = "org.chromium.LibCrosServiceInterface";
+static const char *kLibCrosInterface = kLibCrosInterfaceData;
+static const char kLibCrosPathData[] = "/org/chromium/LibCrosService";
+static const char *kLibCrosPath = kLibCrosPathData;
+static const char kResolveNetworkProxyData[] = "ResolveNetworkProxy";
+static const char *kResolveNetworkProxy = kResolveNetworkProxyData;
+
+static const char kDBusInterfaceData[] = "org.freedesktop.DBus";
+static const char *kDBusInterface = kDBusInterfaceData;
+static const char kNameOwnerChangedData[] = "NameOwnerChanged";
+static const char *kNameOwnerChanged = kNameOwnerChangedData;
+static const char kNameAcquiredData[] = "NameAcquired";
+static const char *kNameAcquired = kNameAcquiredData;
+
+static const char kManagerInterfaceData[] = "org.chromium.flimflam.Manager";
+static const char *kManagerInterface = kManagerInterfaceData;
+
+static const char kServiceInterfaceData[] = "org.chromium.flimflam.Service";
+static const char *kServiceInterface = kServiceInterfaceData;
+static const char kMemberData[] = "PropertyChanged";
+static const char *kMember = kMemberData;
+
+static const char kProxyConfigData[] = "ProxyConfig";
+static const char *kProxyConfig = kProxyConfigData;
+static const char kDefaultServiceData[] = "DefaultService";
+static const char *kDefaultService = kDefaultServiceData;
+
+static const char kResolveInterfaceData[] = "org.torproject.tlsdate.Resolver";
+static const char *kResolveInterface = kResolveInterfaceData;
+static const char kResolveMemberData[] = "ProxyChange";
+static const char *kResolveMember = kResolveMemberData;
+
+/* TODO(wad) Integrate with cros_system_api/dbus/service_constants.h */
+static const char kPowerManagerInterfaceData[] = "org.chromium.PowerManager";
+static const char *kPowerManagerInterface = kPowerManagerInterfaceData;
+static const char kSuspendDoneData[] = "SuspendDone";
+static const char *kSuspendDone = kSuspendDoneData;
+
+static const char kErrorServiceUnknownData[] = "org.freedesktop.DBus.Error.ServiceUnknown";
+static const char *kErrorServiceUnknown = kErrorServiceUnknownData;
+
+struct platform_state
+{
+ struct event_base *base;
+ struct state *state;
+ DBusMessage **resolve_msg;
+ int resolve_msg_count;
+ uint32_t resolve_network_proxy_serial;
+};
+
+static
+bool
+get_valid_hostport (const char *hostport, char *out, size_t len)
+{
+ bool host = true;
+ const char *end = hostport + strlen (hostport);
+ const char *c;
+ *out = '\0';
+ /* Hosts begin with alphanumeric only. */
+ if (!isalnum (*hostport))
+ {
+ info ("Host does not start with alnum");
+ return false;
+ }
+ *out++ = *hostport;
+ for (c = hostport + 1; c < end && len > 0; ++c, ++out, --len)
+ {
+ *out = *c;
+ if (host)
+ {
+ if (isalnum (*c) || *c == '-' || *c == '.')
+ {
+ continue;
+ }
+ if (*c == ':')
+ {
+ host = false;
+ continue;
+ }
+ }
+ else
+ {
+ if (isdigit (*c))
+ continue;
+ }
+ *out = '\0';
+ return false;
+ }
+ *out = '\0';
+ return true;
+}
+
+/* Convert PAC return format to tlsdated url format */
+/* TODO(wad) support multiple proxies when Chromium does:
+ * PROXY x.x.x.x:yyyy; PROXY z.z.z.z:aaaaa
+ */
+static
+void
+canonicalize_pac (const char *pac_fmt, char *proxy_url, size_t len)
+{
+ size_t type_len;
+ int copied = 0;
+ const char *space;
+ /* host[255]:port[6]\0 */
+ char hostport[6 + 255 + 2];
+ proxy_url[0] = '\0';
+ if (len < 1)
+ return;
+ if (!strcmp (pac_fmt, "DIRECT"))
+ {
+ return;
+ }
+ /* Find type */
+ space = strchr (pac_fmt, ' ');
+ if (!space)
+ return;
+ type_len = space - pac_fmt;
+ if (!get_valid_hostport (space + 1, hostport, sizeof (hostport)))
+ {
+ error ("invalid host:port: %s", space + 1);
+ return;
+ }
+ proxy_url[0] = '\0';
+ if (!strncmp (pac_fmt, "PROXY", type_len))
+ {
+ copied = snprintf (proxy_url, len, "http://%s", hostport);
+ }
+ else if (!strncmp (pac_fmt, "SOCKS", type_len))
+ {
+ copied = snprintf (proxy_url, len, "socks4://%s", hostport);
+ }
+ else if (!strncmp (pac_fmt, "SOCKS5", type_len))
+ {
+ copied = snprintf (proxy_url, len, "socks5://%s", hostport);
+ }
+ else if (!strncmp (pac_fmt, "HTTPS", type_len))
+ {
+ copied = snprintf (proxy_url, len, "https://%s", hostport);
+ }
+ else
+ {
+ error ("pac_fmt unmatched: '%s' %zu", pac_fmt, type_len);
+ }
+ if (copied < 0 || ((size_t) copied) >= len)
+ {
+ error ("canonicalize_pac: truncation '%s'", proxy_url);
+ proxy_url[0] = '\0';
+ return;
+ }
+}
+
+static
+DBusHandlerResult
+handle_service_change (DBusConnection *connection,
+ DBusMessage *message,
+ struct platform_state *ctx)
+{
+ DBusMessageIter iter, subiter;
+ DBusError error;
+ const char *pname;
+ const char *pval;
+ const char *service;
+ dbus_error_init (&error);
+ verb_debug ("[event:cros:%s]: fired", __func__);
+ /* TODO(wad) Track the current DefaultService only fire when it changes */
+ service = dbus_message_get_path (message);
+ if (!service)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ /* Shill emits string:ProxyConfig variant string:"..." */
+ if (!dbus_message_iter_init (message, &iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_STRING)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&iter, &pname);
+ /* Make sure we are only firing on a ProxyConfig property change. */
+ if (strcmp (pname, kProxyConfig))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (!dbus_message_iter_next (&iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_VARIANT)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_recurse (&iter, &subiter);
+ if (dbus_message_iter_get_arg_type (&subiter) != DBUS_TYPE_STRING)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&subiter, &pval);
+ /* Right now, nothing is done with the Shill proxy value because
+ * Chromium handles .pac resolution. This may be more useful for
+ * ignoring incomplete proxy values sent while a user is typing.
+ */
+ action_kickoff_time_sync (-1, EV_TIMEOUT, ctx->state);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+DBusHandlerResult
+handle_manager_change (DBusConnection *connection,
+ DBusMessage *message,
+ struct platform_state *ctx)
+{
+ DBusMessageIter iter, subiter;
+ DBusError error;
+ const char *pname;
+ const char *pval;
+ verb_debug ("[event:cros:%s]: fired", __func__);
+ dbus_error_init (&error);
+ if (!dbus_message_iter_init (message, &iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_STRING)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&iter, &pname);
+ /* Make sure we caught the right property. */
+ if (strcmp (pname, kDefaultService))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (!dbus_message_iter_next (&iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_VARIANT)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_recurse (&iter, &subiter);
+ if (dbus_message_iter_get_arg_type (&subiter) != DBUS_TYPE_OBJECT_PATH)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&subiter, &pval);
+ /* TODO(wad) Filter on the currently active service in pval. */
+ verb_debug ("[event:cros:%s] service change on path %s",
+ __func__, pval);
+ action_kickoff_time_sync (-1, EV_TIMEOUT, ctx->state);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+DBusHandlerResult
+handle_suspend_done (DBusConnection *connection,
+ DBusMessage *message,
+ struct platform_state *ctx)
+{
+ verb_debug ("[event:cros:%s]: fired", __func__);
+ /* Coming back from resume, trigger a continuity and time
+ * check just in case none of the other events happen.
+ */
+ action_kickoff_time_sync (-1, EV_TIMEOUT, ctx->state);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+DBusHandlerResult
+handle_proxy_change (DBusConnection *connection,
+ DBusMessage *message,
+ struct platform_state *ctx)
+{
+ DBusMessageIter iter;
+ DBusError error;
+ const char *pname;
+ const char *pval;
+ char time_host[MAX_PROXY_URL];
+ int url_len = 0;
+ struct source *src = ctx->state->opts.sources;
+ verb_debug ("[event:cros:%s]: fired", __func__);
+ if (ctx->state->opts.cur_source && ctx->state->opts.cur_source->next)
+ src = ctx->state->opts.cur_source->next;
+ if (!ctx->state->resolving)
+ {
+ info ("[event:cros:%s] Unexpected ResolveNetworkProxy signal seen",
+ __func__);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ dbus_error_init (&error);
+ /* Shill emits string:ProxyConfig variant string:"..." */
+ if (!dbus_message_iter_init (message, &iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_STRING)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&iter, &pname);
+ /* Make sure this was the resolution we asked for */
+ url_len = snprintf (time_host, sizeof (time_host), "https://%s:%s",
+ src->host, src->port);
+ if (url_len < 0 || ((size_t) url_len) >= sizeof (time_host))
+ {
+ error ("[event:cros:%s]: current source url is too long",
+ __func__);
+ }
+ if (strcmp (pname, time_host))
+ {
+ error ("[event:cros:%s]: resolved host mismatch: %s v %s",
+ __func__, pname, time_host);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ if (!dbus_message_iter_next (&iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_STRING)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&iter, &pval);
+ ctx->state->resolving = 0;
+ canonicalize_pac (pval, ctx->state->dynamic_proxy, sizeof (ctx->state->dynamic_proxy));
+ trigger_event (ctx->state, E_TLSDATE, 1);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+DBusHandlerResult
+handle_dbus_change (DBusConnection *connection,
+ DBusMessage *message,
+ struct platform_state *ctx)
+{
+ DBusMessageIter iter;
+ DBusError error;
+ const char *pname;
+ verb_debug ("[event:cros:%s]: fired", __func__);
+ dbus_error_init (&error);
+ if (!dbus_message_iter_init (message, &iter))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ if (dbus_message_iter_get_arg_type (&iter) != DBUS_TYPE_STRING)
+ return DBUS_HANDLER_RESULT_HANDLED;
+ dbus_message_iter_get_basic (&iter, &pname);
+ /* Make sure we caught the right property. */
+ if (strcmp (pname, kLibCrosDest))
+ return DBUS_HANDLER_RESULT_HANDLED;
+ action_kickoff_time_sync (-1, EV_TIMEOUT, ctx->state);
+ return DBUS_HANDLER_RESULT_HANDLED;
+}
+
+static
+void
+action_resolve_proxy (evutil_socket_t fd, short what, void *arg)
+{
+ struct platform_state *ctx = arg;
+ struct dbus_state *dbus_state = ctx->state->dbus;
+ DBusConnection *conn = dbus_state->conn;
+ struct source *src = ctx->state->opts.sources;
+ verb_debug ("[event:%s] fired", __func__);
+ /* Emulate tlsdate-monitor.c:build_argv and choose the next source */
+ if (ctx->state->opts.cur_source && ctx->state->opts.cur_source->next)
+ src = ctx->state->opts.cur_source->next;
+ if (ctx->state->resolving || ctx->resolve_network_proxy_serial)
+ {
+ /* Note, this is not the same as the response signal. It just avoids
+ * multiple requests in a single dispatch window.
+ */
+ info ("[event:%s] no resolve_proxy sent; pending method_reply",
+ __func__);
+ return;
+ }
+ ctx->state->dynamic_proxy[0] = '\0';
+ if (ctx->resolve_msg[src->id] == NULL)
+ {
+ info ("[event:%s] no dynamic proxy for %s:%s", __func__,
+ src->host, src->port);
+ trigger_event (ctx->state, E_TLSDATE, 1);
+ return;
+ }
+ info ("[event:%s] resolving proxy for %s:%s", __func__,
+ src->host, src->port);
+ ctx->state->resolving = 1;
+ if (!dbus_connection_send (conn,
+ ctx->resolve_msg[src->id],
+ &ctx->resolve_network_proxy_serial))
+ {
+ error ("[event:%s] cannot send ResolveNetworkProxy query!", __func__);
+ return;
+ }
+}
+
+static
+DBusHandlerResult
+dbus_filter (DBusConnection *connection, DBusMessage *message, void *data)
+{
+ struct platform_state *state = data;
+ /* Terminate gracefully if DBus goes away. */
+ if (dbus_message_is_signal (message, DBUS_INTERFACE_LOCAL, "Disconnected"))
+ {
+ error ("[cros] DBus system bus has become inaccessible. Terminating.");
+ /* Trigger a graceful teardown. */
+ kill (getpid(), SIGINT);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ /* Hand it over to the service dispatcher. */
+ if (dbus_message_get_type (message) == DBUS_MESSAGE_TYPE_METHOD_CALL)
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+
+ /* Handle explicitly defined signals only. */
+ if (dbus_message_is_signal (message, kDBusInterface, kNameAcquired))
+ {
+ info ("[cros] DBus name acquired successfully");
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ if (dbus_message_is_signal (message, kServiceInterface, kMember))
+ return handle_service_change (connection, message, state);
+ if (dbus_message_is_signal (message, kManagerInterface, kMember))
+ return handle_manager_change (connection, message, state);
+ if (dbus_message_is_signal (message, kResolveInterface, kResolveMember))
+ return handle_proxy_change (connection, message, state);
+ if (dbus_message_is_signal (message, kDBusInterface, kNameOwnerChanged))
+ return handle_dbus_change (connection, message, state);
+ if (dbus_message_is_signal (message, kPowerManagerInterface, kSuspendDone))
+ return handle_suspend_done (connection, message, state);
+ if (dbus_message_is_error (message, kErrorServiceUnknown))
+ {
+ info ("[cros] org.chromium.LibCrosService.ResolveNetworkProxy is missing");
+ info ("[cros] skipping proxy resolution for now");
+ /* Fire off tlsdate rather than letting it fail silently. */
+ state->resolve_network_proxy_serial = 0;
+ state->state->resolving = 0;
+ trigger_event (state->state, E_TLSDATE, 1);
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ /* Indicates a successful resolve request was issued. */
+ if (dbus_message_get_type (message) == DBUS_MESSAGE_TYPE_METHOD_RETURN)
+ {
+ uint32_t serial = dbus_message_get_reply_serial (message);
+ if (serial == state->resolve_network_proxy_serial)
+ {
+ state->resolve_network_proxy_serial = 0;
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ info ("[cros] unknown DBus METHOD_RETURN seen: %u", serial);
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+ }
+ verb_debug ("[cros] unknown message received: "
+ "type=%s dest=%s interface=%s member=%s path=%s sig=%s error_name=%s",
+ dbus_message_type_to_string (dbus_message_get_type (message)),
+ dbus_message_get_destination (message),
+ dbus_message_get_interface (message),
+ dbus_message_get_member (message),
+ dbus_message_get_path (message),
+ dbus_message_get_signature (message),
+ dbus_message_get_error_name (message));
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+
+int
+add_match (DBusConnection *conn, const char *interface, const char *member,
+ const char *arg0)
+{
+ char match[1024];
+ DBusError error;
+ int len;
+ dbus_error_init (&error);
+ if (arg0)
+ {
+ len = snprintf (match, sizeof (match), kMatchFormat,
+ interface, member, arg0);
+ }
+ else
+ {
+ len = snprintf (match, sizeof (match), kMatchNoArgFormat,
+ interface, member);
+ }
+ if (len < 0 || ((size_t) len) >= sizeof (match))
+ {
+ error ("[dbus] match truncated for '%s,%s'", interface, member);
+ return 1;
+ }
+ dbus_bus_add_match (conn, match, &error);
+ if (dbus_error_is_set (&error))
+ {
+ error ("[dbus] failed to add_match for '%s,%s'; error: %s, %s",
+ interface, member, error.name, error.message);
+ dbus_error_free (&error);
+ return 1;
+ }
+ return 0;
+}
+
+DBusMessage *
+new_resolver_message(const struct source *src)
+{
+ char time_host[MAX_PROXY_URL];
+ void *time_host_ptr = &time_host;
+ int url_len;
+ DBusMessage *res;
+ DBusMessageIter args;
+ if (!src->proxy || strcmp (src->proxy, "dynamic"))
+ {
+ return NULL;
+ }
+ res = dbus_message_new_method_call (kLibCrosDest, kLibCrosPath,
+ kLibCrosInterface, kResolveNetworkProxy);
+ if (!res)
+ {
+ error ("[cros] could not setup dynamic proxy for source %d", src->id);
+ return NULL;
+ }
+ /* Build the time_host */
+ url_len = snprintf (time_host, sizeof (time_host), "https://%s:%s",
+ src->host, src->port);
+ if (url_len < 0 || ((size_t) url_len) >= sizeof (time_host))
+ {
+ fatal ("[cros] source %d url is too long! (%d)", src->id, url_len);
+ }
+ /* Finish the message */
+ dbus_message_iter_init_append (res, &args);
+ if (!dbus_message_iter_append_basic (&args, DBUS_TYPE_STRING, &time_host_ptr) ||
+ !dbus_message_iter_append_basic (&args, DBUS_TYPE_STRING, &kResolveInterface) ||
+ !dbus_message_iter_append_basic (&args, DBUS_TYPE_STRING, &kResolveMember))
+ {
+ fatal ("[cros could not append arguments for resolver message");
+ }
+ return res;
+}
+
+int
+platform_init_cros (struct state *state)
+{
+ /* Watch for per-service ProxyConfig property changes */
+ struct event_base *base = state->base;
+ struct dbus_state *dbus_state = state->dbus;
+ if (!dbus_state)
+ {
+ info ("[cros] DBus not connected, skipping platform initialization.");
+ return 0;
+ }
+ struct source *src = NULL;
+ int sources = 0;
+ DBusConnection *conn = dbus_state->conn;
+ DBusError error;
+ struct platform_state *platform_state =
+ calloc (1, sizeof (struct platform_state));
+ if (!platform_state)
+ {
+ error ("[cros] could not allocate platform_state");
+ return -1;
+ }
+ /* TODO(wad) Follow up with dbus_error_free() where needed. */
+ dbus_error_init (&error);
+ /* Add watches for: proxy changes, default service changes, proxy resolution,
+ * LibCrosService ownership, and power state changes.
+ */
+ if (add_match (conn, kServiceInterface, kMember, kProxyConfig) ||
+ add_match (conn, kManagerInterface, kMember, kDefaultService) ||
+ add_match (conn, kResolveInterface, kResolveMember, NULL) ||
+ add_match (conn, kDBusInterface, kNameOwnerChanged, kLibCrosDest) ||
+ add_match (conn, kPowerManagerInterface, kSuspendDone, NULL))
+ return 1;
+
+ /* Allocate one per source */
+ for (src = state->opts.sources; src; src = src->next, ++sources);
+ platform_state->resolve_msg_count = sources;
+ platform_state->resolve_msg = calloc (sources, sizeof (DBusMessage *));
+ if (!platform_state->resolve_msg)
+ {
+ error ("[cros] cannot allocate resolver messages");
+ free (platform_state);
+ return -1;
+ }
+ for (src = state->opts.sources; src; src = src->next)
+ {
+ if (src->id >= sources)
+ fatal ("Source ID is greater than available sources!");
+ platform_state->resolve_msg[src->id] = new_resolver_message (src);
+ if (platform_state->resolve_msg[src->id])
+ src->proxy = state->dynamic_proxy;
+ }
+ state->dynamic_proxy[0] = '\0';
+ if (state->opts.proxy && !strcmp (state->opts.proxy, "dynamic"))
+ {
+ info ("[cros] default dynamic proxy support");
+ state->opts.proxy = state->dynamic_proxy;
+ }
+ platform_state->base = base;
+ platform_state->state = state;
+ /* Add the dynamic resolver if tlsdate doesn't already have one. */
+ if (!state->events[E_RESOLVER])
+ {
+ state->events[E_RESOLVER] = event_new (base, -1, EV_TIMEOUT,
+ action_resolve_proxy,
+ platform_state);
+ if (!state->events[E_RESOLVER])
+ /* Let's not clean up DBus. */
+ fatal ("Could not allocated resolver event");
+ /* Wake up as a NET event since it'll self-block until DBus has a chance
+ * to send it.
+ */
+ event_priority_set (state->events[E_RESOLVER], PRI_NET);
+ }
+ /* Each platform can attach their own filter, but the filter func needs to be
+ * willing to DBUS_HANDLER_RESULT_NOT_YET_HANDLED on unexpected events.
+ */
+ /* TODO(wad) add the clean up function as the callback. */
+ if (!dbus_connection_add_filter (conn,
+ dbus_filter, platform_state, NULL))
+ {
+ error ("Failed to register signal handler callback");
+ return 1;
+ }
+ return 0;
+}
diff --git a/tlsdate/src/platform.h b/tlsdate/src/platform.h
new file mode 100644
index 0000000..f17efa2
--- /dev/null
+++ b/tlsdate/src/platform.h
@@ -0,0 +1,21 @@
+/*
+ * platform.h - platform handlers for event loops
+ * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#ifndef PLATFORM_H_
+#define PLATFORM_H_
+#include "config.h"
+
+struct state;
+
+#ifdef HAVE_CROS
+int platform_init_cros (struct state *state);
+#else
+static inline int platform_init_cros (struct state *state)
+{
+ return 0;
+}
+#endif /* HAVE_CROS */
+#endif /* PLATFORM_H_ */
diff --git a/tlsdate/src/proxy-bio-plan9.c b/tlsdate/src/proxy-bio-plan9.c
new file mode 100644
index 0000000..98d3f97
--- /dev/null
+++ b/tlsdate/src/proxy-bio-plan9.c
@@ -0,0 +1,449 @@
+/*
+ * proxy-bio.c - BIO layer for SOCKS4a/5 proxy connections
+ *
+ * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * This file implements a SOCKS4a/SOCKS5 "filter" BIO. In SSL terminology, a BIO
+ * is a stackable IO filter, kind of like sysv streams. These filters are
+ * inserted into a stream to cause it to run SOCKS over whatever transport is
+ * being used. Most commonly, this would be:
+ * SSL BIO (filter) -> SOCKS BIO (filter) -> connect BIO (source/sink)
+ * This configuration represents doing an SSL connection through a SOCKS proxy,
+ * which is itself connected to in plaintext. You might also do:
+ * SSL BIO -> SOCKS BIO -> SSL BIO -> connect BIO
+ * This is an SSL connection through a SOCKS proxy which is itself reached over
+ * SSL.
+ */
+
+#include <arpa/inet.h>
+#include <assert.h>
+#ifndef __USE_MISC
+#define __USE_MISC
+#endif
+#ifndef __USE_POSIX
+#define __USE_POSIX
+#endif
+
+#ifndef NI_MAXHOST
+#define NI_MAXHOST 1025
+#endif
+
+#ifndef UINT8_MAX
+#define UINT8_MAX (255)
+#endif
+
+#include <netdb.h>
+
+#include <inttypes.h>
+
+#include "src/proxy-bio-plan9.h"
+
+int socks4a_connect(BIO *b);
+int socks5_connect(BIO *b);
+int http_connect(BIO *b);
+
+int proxy_new(BIO *b)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) malloc(sizeof *ctx);
+ if (!ctx)
+ return 0;
+ ctx->connected = 0;
+ ctx->connect = NULL;
+ ctx->host = NULL;
+ ctx->port = 0;
+ b->init = 1;
+ b->flags = 0;
+ b->ptr = ctx;
+ return 1;
+}
+
+int proxy_free(BIO *b)
+{
+ struct proxy_ctx *c;
+ if (!b || !b->ptr)
+ return 1;
+ c = (struct proxy_ctx *) b->ptr;
+ if (c->host)
+ free(c->host);
+ c->host = NULL;
+ b->ptr = NULL;
+ free(c);
+ return 1;
+}
+
+int socks4a_connect(BIO *b)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ int r;
+ unsigned char buf[NI_MAXHOST + 16];
+ uint16_t port_n = htons(ctx->port);
+ size_t sz = 0;
+
+ verb("V: proxy4: connecting %s:%d", ctx->host, ctx->port);
+
+ /*
+ * Packet layout:
+ * 1b: Version (must be 0x04)
+ * 1b: command (0x01 is connect)
+ * 2b: port number, big-endian
+ * 4b: 0x00, 0x00, 0x00, 0x01 (bogus IPv4 addr)
+ * 1b: 0x00 (empty 'userid' field)
+ * nb: hostname, null-terminated
+ */
+ buf[0] = 0x04;
+ buf[1] = 0x01;
+ sz += 2;
+
+ memcpy(buf + 2, &port_n, sizeof(port_n));
+ sz += sizeof(port_n);
+
+ buf[4] = 0x00;
+ buf[5] = 0x00;
+ buf[6] = 0x00;
+ buf[7] = 0x01;
+ sz += 4;
+
+ buf[8] = 0x00;
+ sz += 1;
+
+ memcpy(buf + sz, ctx->host, strlen(ctx->host) + 1);
+ sz += strlen(ctx->host) + 1;
+
+ r = BIO_write(b->next_bio, buf, sz);
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != sz)
+ return 0;
+
+ /* server reply: 1 + 1 + 2 + 4 */
+ r = BIO_read(b->next_bio, buf, 8);
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != 8)
+ return 0;
+ if (buf[1] == 0x5a) {
+ verb("V: proxy4: connected");
+ ctx->connected = 1;
+ return 1;
+ }
+ return 0;
+}
+
+int socks5_connect(BIO *b)
+{
+ unsigned char buf[NI_MAXHOST + 16];
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ uint16_t port_n = htons(ctx->port);
+ size_t sz = 0;
+
+ /* the length for SOCKS addresses is only one byte. */
+ if (strlen(ctx->host) == UINT8_MAX + 1)
+ return 0;
+
+ verb("V: proxy5: connecting %s:%d", ctx->host, ctx->port);
+
+ /*
+ * Hello packet layout:
+ * 1b: Version
+ * 1b: auth methods
+ * nb: method types
+ *
+ * We support only one method (no auth, 0x00). Others listed in RFC
+ * 1928.
+ */
+ buf[0] = 0x05;
+ buf[1] = 0x01;
+ buf[2] = 0x00;
+
+ r = BIO_write(b->next_bio, buf, 3);
+ if (r != 3)
+ return 0;
+
+ r = BIO_read(b->next_bio, buf, 2);
+ if (r != 2)
+ return 0;
+
+ if (buf[0] != 0x05 || buf[1] != 0x00) {
+ verb("V: proxy5: auth error %02x %02x", buf[0], buf[1]);
+ return 0;
+ }
+
+ /*
+ * Connect packet layout:
+ * 1b: version
+ * 1b: command (0x01 is connect)
+ * 1b: reserved, 0x00
+ * 1b: addr type (0x03 is domain name)
+ * nb: addr len (1b) + addr bytes, no null termination
+ * 2b: port, network byte order
+ */
+ buf[0] = 0x05;
+ buf[1] = 0x01;
+ buf[2] = 0x00;
+ buf[3] = 0x03;
+ buf[4] = strlen(ctx->host);
+ sz += 5;
+ memcpy(buf + 5, ctx->host, strlen(ctx->host));
+ sz += strlen(ctx->host);
+ memcpy(buf + sz, &port_n, sizeof(port_n));
+ sz += sizeof(port_n);
+
+ r = BIO_write(b->next_bio, buf, sz);
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != sz)
+ return 0;
+
+ /*
+ * Server's response:
+ * 1b: version
+ * 1b: status (0x00 is okay)
+ * 1b: reserved, 0x00
+ * 1b: addr type (0x03 is domain name, 0x01 ipv4)
+ * nb: addr len (1b) + addr bytes, no null termination
+ * 2b: port, network byte order
+ */
+
+ /* grab up through the addr type */
+ r = BIO_read(b->next_bio, buf, 4);
+ if ( -1 == r )
+ return -1;
+ if (r != 4)
+ return 0;
+
+ if (buf[0] != 0x05 || buf[1] != 0x00) {
+ verb("V: proxy5: connect error %02x %02x", buf[0], buf[1]);
+ return 0;
+ }
+
+ if (buf[3] == 0x03) {
+ unsigned int len;
+ r = BIO_read(b->next_bio, buf + 4, 1);
+ if (r != 1)
+ return 0;
+ /* host (buf[4] bytes) + port (2 bytes) */
+ len = buf[4] + 2;
+ while (len) {
+ r = BIO_read(b->next_bio, buf + 5, min(len, sizeof(buf)));
+ if (r <= 0)
+ return 0;
+ len -= min(len, r);
+ }
+ } else if (buf[3] == 0x01) {
+ /* 4 bytes ipv4 addr, 2 bytes port */
+ r = BIO_read(b->next_bio, buf + 4, 6);
+ if (r != 6)
+ return 0;
+ }
+
+ verb("V: proxy5: connected");
+ ctx->connected = 1;
+ return 1;
+}
+
+/* SSL socket BIOs don't support BIO_gets, so... */
+int sock_gets(BIO *b, char *buf, size_t sz)
+{
+ char c;
+ while (BIO_read(b, &c, 1) > 0 && sz > 1) {
+ *buf++ = c;
+ sz--;
+ if (c == '\n') {
+ *buf = '\0';
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int http_connect(BIO *b)
+{
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ char buf[4096];
+ int retcode;
+
+ snprintf(buf, sizeof(buf), "CONNECT %s:%d HTTP/1.1\r\n",
+ ctx->host, ctx->port);
+ r = BIO_write(b->next_bio, buf, strlen(buf));
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != strlen(buf))
+ return 0;
+ /* required by RFC 2616 14.23 */
+ snprintf(buf, sizeof(buf), "Host: %s:%d\r\n", ctx->host, ctx->port);
+ r = BIO_write(b->next_bio, buf, strlen(buf));
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != strlen(buf))
+ return 0;
+ strcpy(buf, "\r\n");
+ r = BIO_write(b->next_bio, buf, strlen(buf));
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != strlen(buf))
+ return 0;
+
+ r = sock_gets(b->next_bio, buf, sizeof(buf));
+ if (r)
+ return 0;
+ /* use %*s to ignore the version */
+ if (sscanf(buf, "HTTP/%*s %d", &retcode) != 1)
+ return 0;
+
+ if (retcode < 200 || retcode > 299)
+ return 0;
+ while (!(r = sock_gets(b->next_bio, buf, sizeof(buf)))) {
+ if (!strcmp(buf, "\r\n")) {
+ /* Done with the header */
+ ctx->connected = 1;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int proxy_write(BIO *b, const char *buf, int sz)
+{
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+
+ assert(buf);
+
+ if (sz <= 0)
+ return 0;
+
+ if (!b->next_bio)
+ return 0;
+
+ if (!ctx->connected) {
+ assert(ctx->connect);
+ if (!ctx->connect(b))
+ return 0;
+ }
+
+ r = BIO_write(b->next_bio, buf, sz);
+ BIO_clear_retry_flags(b);
+ BIO_copy_next_retry(b);
+ return r;
+}
+
+int proxy_read(BIO *b, char *buf, int sz)
+{
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+
+ assert(buf);
+
+ if (!b->next_bio)
+ return 0;
+
+ if (!ctx->connected) {
+ assert(ctx->connect);
+ if (!ctx->connect(b))
+ return 0;
+ }
+
+ r = BIO_read(b->next_bio, buf, sz);
+ BIO_clear_retry_flags(b);
+ BIO_copy_next_retry(b);
+ return r;
+}
+
+long proxy_ctrl(BIO *b, int cmd, long num, void *ptr)
+{
+ long ret;
+ struct proxy_ctx *ctx;
+ if (!b->next_bio)
+ return 0;
+ ctx = (struct proxy_ctx *) b->ptr;
+ assert(ctx);
+
+ switch (cmd) {
+ case BIO_C_DO_STATE_MACHINE:
+ BIO_clear_retry_flags(b);
+ ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+ BIO_copy_next_retry(b);
+ break;
+ case BIO_CTRL_DUP:
+ ret = 0;
+ break;
+ default:
+ ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
+ }
+ return ret;
+}
+
+int proxy_gets(BIO *b, char *buf, int size)
+{
+ return BIO_gets(b->next_bio, buf, size);
+}
+
+int proxy_puts(BIO *b, const char *str)
+{
+ return BIO_puts(b->next_bio, str);
+}
+
+long proxy_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
+{
+ if (!b->next_bio)
+ return 0;
+ return BIO_callback_ctrl(b->next_bio, cmd, fp);
+}
+
+BIO_METHOD proxy_methods = {
+ BIO_TYPE_MEM,
+ "proxy",
+ proxy_write,
+ proxy_read,
+ proxy_puts,
+ proxy_gets,
+ proxy_ctrl,
+ proxy_new,
+ proxy_free,
+ proxy_callback_ctrl,
+};
+
+BIO_METHOD *BIO_f_proxy()
+{
+ return &proxy_methods;
+}
+
+/* API starts here */
+
+BIO API *BIO_new_proxy()
+{
+ return BIO_new(BIO_f_proxy());
+}
+
+int API BIO_proxy_set_type(BIO *b, const char *type)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ if (!strcmp(type, "socks5"))
+ ctx->connect = socks5_connect;
+ else if (!strcmp(type, "socks4a"))
+ ctx->connect = socks4a_connect;
+ else if (!strcmp(type, "http"))
+ ctx->connect = http_connect;
+ else
+ return 1;
+ return 0;
+}
+
+int API BIO_proxy_set_host(BIO *b, const char *host)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ if (strlen(host) == NI_MAXHOST)
+ return 1;
+ ctx->host = strdup(host);
+ return 0;
+}
+
+void API BIO_proxy_set_port(BIO *b, uint16_t port)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ ctx->port = port;
+}
diff --git a/tlsdate/src/proxy-bio-plan9.h b/tlsdate/src/proxy-bio-plan9.h
new file mode 100644
index 0000000..3e8e74b
--- /dev/null
+++ b/tlsdate/src/proxy-bio-plan9.h
@@ -0,0 +1,32 @@
+/*
+ * proxy-bio.h - BIO layer for transparent proxy connections
+ *
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef PROXY_BIO_H
+#define PROXY_BIO_H
+
+#include <inttypes.h>
+
+#include <openssl/bio.h>
+
+#include "util-plan9.h"
+
+struct proxy_ctx {
+ char *host;
+ uint16_t port;
+ int connected;
+ int (*connect)(BIO *b);
+};
+
+BIO *BIO_new_proxy();
+
+/* These do not take ownership of their string arguments. */
+int BIO_proxy_set_type(BIO *b, const char *type);
+int BIO_proxy_set_host(BIO *b, const char *host);
+void BIO_proxy_set_port(BIO *b, uint16_t port);
+
+#endif /* !PROXY_BIO_H */
diff --git a/tlsdate/src/proxy-bio-unittest.c b/tlsdate/src/proxy-bio-unittest.c
new file mode 100644
index 0000000..40b47e3
--- /dev/null
+++ b/tlsdate/src/proxy-bio-unittest.c
@@ -0,0 +1,292 @@
+/*
+ * proxy-bio-unittest.c - proxy-bio unit tests
+ * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#if defined(__linux__)
+#include <alloca.h>
+#endif
+
+#include "src/proxy-bio.h"
+#include "src/test-bio.h"
+#include "src/test_harness.h"
+#include "src/tlsdate.h"
+
+FIXTURE (test_bio)
+{
+ BIO *test;
+};
+
+FIXTURE_SETUP (test_bio)
+{
+ self->test = BIO_new_test();
+ ASSERT_NE (NULL, self->test);
+}
+
+FIXTURE_TEARDOWN (test_bio)
+{
+ BIO_free (self->test);
+}
+
+BIO *proxy_bio (BIO *test, const char *type)
+{
+ BIO *proxy = BIO_new_proxy();
+ BIO_proxy_set_type (proxy, type);
+ BIO_proxy_set_host (proxy, kTestHost);
+ BIO_proxy_set_port (proxy, TEST_PORT);
+ BIO_push (proxy, test);
+ return proxy;
+}
+
+int need_out_bytes (BIO *test, const unsigned char *out, size_t sz)
+{
+ unsigned char *buf = malloc (sz);
+ size_t i;
+ int result;
+ if (!buf)
+ return 1;
+ if (BIO_test_output_left (test) < sz)
+ {
+ fprintf (TH_LOG_STREAM, "not enough output: %d < %d\n",
+ (int) BIO_test_output_left (test), (int) sz);
+ free (buf);
+ return 2;
+ }
+ if (BIO_test_get_output (test, buf, sz) != sz)
+ {
+ free (buf);
+ return 3;
+ }
+ if (memcmp (buf, out, sz))
+ {
+ for (i = 0; i < sz; i++)
+ {
+ if (buf[i] != out[i])
+ fprintf (TH_LOG_STREAM,
+ "mismatch %d %02x %02x\n", (int) i,
+ buf[i], out[i]);
+ }
+ }
+ result = memcmp (buf, out, sz);
+ free (buf);
+ return result;
+}
+
+int need_out_byte (BIO *test, unsigned char out)
+{
+ unsigned char c;
+ if (BIO_test_output_left (test) < 1)
+ return 1;
+ if (BIO_test_get_output (test, &c, 1) != 1)
+ return 2;
+ return c != out;
+}
+
+int get_bytes (BIO *test, unsigned char *buf, size_t sz)
+{
+ return BIO_test_get_output (test, buf, sz);
+}
+
+void put_bytes (BIO *test, const unsigned char *buf, size_t sz)
+{
+ BIO_test_add_input (test, buf, sz);
+}
+
+void put_byte (BIO *test, char c)
+{
+ BIO_test_add_input (test, (unsigned char *) &c, 1);
+}
+
+unsigned const char kSocks4ARequest[] =
+{
+ 0x04, /* socks4 */
+ 0x01, /* tcp stream */
+ (TEST_PORT & 0xff00) >> 8,
+ TEST_PORT & 0xff,
+ 0x00, 0x00, 0x00, 0x01, /* bogus IP */
+ 0x00, /* userid */
+ TEST_HOST, 0x00 /* null-terminated host */
+};
+
+TEST_F (test_bio, socks4a_success)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ unsigned const char kReply[] =
+ {
+ 0x00, /* null byte */
+ 0x5a, /* success */
+ (TEST_PORT & 0xff00) >> 8, /* port high */
+ TEST_PORT & 0xff, /* port low */
+ 0x00, 0x00, 0x00, 0x00 /* bogus IP */
+ };
+ BIO *proxy = proxy_bio (self->test, "socks4a");
+ put_bytes (self->test, kReply, sizeof (kReply));
+ EXPECT_EQ (4, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks4ARequest,
+ sizeof (kSocks4ARequest)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kTestInput,
+ sizeof (kTestInput)));
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+TEST_F (test_bio, socks4a_fail)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ unsigned const char kReply[] =
+ {
+ 0x00, /* null byte */
+ 0x5b, /* fail */
+ (TEST_PORT & 0xff00) >> 8, /* port high */
+ TEST_PORT & 0xff, /* port low */
+ 0x00, 0x00, 0x00, 0x00 /* bogus IP */
+ };
+ BIO *proxy = proxy_bio (self->test, "socks4a");
+ put_bytes (self->test, kReply, sizeof (kReply));
+ EXPECT_EQ (0, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks4ARequest,
+ sizeof (kSocks4ARequest)));
+ /* We shouldn't have written any payload */
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+unsigned const char kSocks5AuthRequest[] =
+{
+ 0x05, /* socks5 */
+ 0x01, /* one auth method */
+ 0x00 /* no auth */
+};
+
+unsigned const char kSocks5AuthReply[] =
+{
+ 0x05, /* socks5 */
+ 0x00, /* no auth */
+};
+
+unsigned const char kSocks5ConnectRequest[] =
+{
+ 0x05, /* socks5 */
+ 0x01, /* tcp stream */
+ 0x00, /* reserved 0x00 */
+ 0x03, /* domain name */
+ TEST_HOST_SIZE, /* hostname with length prefix */
+ TEST_HOST,
+ (TEST_PORT & 0xff00) >> 8,
+ TEST_PORT & 0xff
+};
+
+unsigned const char kSocks5ConnectReply[] =
+{
+ 0x05, /* socks5 */
+ 0x00, /* success */
+ 0x00, /* reserved 0x00 */
+ 0x03, /* domain name */
+ TEST_HOST_SIZE, /* hostname with length prefix */
+ TEST_HOST,
+ (TEST_PORT & 0xff00) >> 8,
+ TEST_PORT & 0xff
+};
+
+TEST_F (test_bio, socks5_success)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ BIO *proxy = proxy_bio (self->test, "socks5");
+ put_bytes (self->test, kSocks5AuthReply, sizeof (kSocks5AuthReply));
+ put_bytes (self->test, kSocks5ConnectReply, sizeof (kSocks5ConnectReply));
+ EXPECT_EQ (4, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks5AuthRequest,
+ sizeof (kSocks5AuthRequest)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks5ConnectRequest,
+ sizeof (kSocks5ConnectRequest)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kTestInput,
+ sizeof (kTestInput)));
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+TEST_F (test_bio, socks5_auth_fail)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ unsigned const char kAuthFail[] =
+ {
+ 0x05,
+ 0xff,
+ };
+ BIO *proxy = proxy_bio (self->test, "socks5");
+ put_bytes (self->test, kAuthFail, sizeof (kAuthFail));
+ EXPECT_EQ (0, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks5AuthRequest,
+ sizeof (kSocks5AuthRequest)));
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+TEST_F (test_bio, socks5_connect_fail)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ unsigned const char kConnectFail[] =
+ {
+ 0x05,
+ 0x01,
+ 0x00,
+ 0x03,
+ TEST_HOST_SIZE,
+ TEST_HOST,
+ (TEST_PORT & 0xff00) >> 8,
+ TEST_PORT & 0xff
+ };
+ BIO *proxy = proxy_bio (self->test, "socks5");
+ put_bytes (self->test, kSocks5AuthReply, sizeof (kSocks5AuthReply));
+ put_bytes (self->test, kConnectFail, sizeof (kConnectFail));
+ EXPECT_EQ (0, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks5AuthRequest,
+ sizeof (kSocks5AuthRequest)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kSocks5ConnectRequest,
+ sizeof (kSocks5ConnectRequest)));
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+TEST_F (test_bio, http_success)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ BIO *proxy = proxy_bio (self->test, "http");
+ char kConnectRequest[1024];
+ char kConnectResponse[] = "HTTP/1.0 200 OK\r\n"
+ "Uninteresting-Header: foobar\r\n"
+ "Another-Header: lol\r\n"
+ "\r\n";
+ snprintf (kConnectRequest, sizeof (kConnectRequest),
+ "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
+ kTestHost, TEST_PORT, kTestHost, TEST_PORT);
+ put_bytes (self->test, (unsigned char *) kConnectResponse,
+ strlen (kConnectResponse));
+ EXPECT_EQ (4, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test,
+ (unsigned char *) kConnectRequest,
+ strlen (kConnectRequest)));
+ EXPECT_EQ (0, need_out_bytes (self->test, kTestInput,
+ sizeof (kTestInput)));
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+TEST_F (test_bio, http_error)
+{
+ unsigned const char kTestInput[] = { 0xde, 0xad, 0xbe, 0xef };
+ BIO *proxy = proxy_bio (self->test, "http");
+ char kConnectRequest[1024];
+ char kConnectResponse[] = "HTTP/1.0 403 NO U\r\n"
+ "Uninteresting-Header: foobar\r\n"
+ "Another-Header: lol\r\n"
+ "\r\n";
+ snprintf (kConnectRequest, sizeof (kConnectRequest),
+ "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
+ kTestHost, TEST_PORT, kTestHost, TEST_PORT);
+ put_bytes (self->test, (unsigned char *) kConnectResponse,
+ strlen (kConnectResponse));
+ EXPECT_EQ (0, BIO_write (proxy, kTestInput, sizeof (kTestInput)));
+ EXPECT_EQ (0, need_out_bytes (self->test,
+ (unsigned char *) kConnectRequest,
+ strlen (kConnectRequest)));
+ EXPECT_EQ (0U, BIO_test_output_left (self->test));
+}
+
+TEST_HARNESS_MAIN
diff --git a/tlsdate/src/proxy-bio.c b/tlsdate/src/proxy-bio.c
new file mode 100644
index 0000000..d980e95
--- /dev/null
+++ b/tlsdate/src/proxy-bio.c
@@ -0,0 +1,432 @@
+/*
+ * proxy-bio.c - BIO layer for SOCKS4a/5 proxy connections
+ *
+ * Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * This file implements a SOCKS4a/SOCKS5 "filter" BIO. In SSL terminology, a BIO
+ * is a stackable IO filter, kind of like sysv streams. These filters are
+ * inserted into a stream to cause it to run SOCKS over whatever transport is
+ * being used. Most commonly, this would be:
+ * SSL BIO (filter) -> SOCKS BIO (filter) -> connect BIO (source/sink)
+ * This configuration represents doing an SSL connection through a SOCKS proxy,
+ * which is itself connected to in plaintext. You might also do:
+ * SSL BIO -> SOCKS BIO -> SSL BIO -> connect BIO
+ * This is an SSL connection through a SOCKS proxy which is itself reached over
+ * SSL.
+ */
+
+#include "config.h"
+
+#include <arpa/inet.h>
+#include <assert.h>
+#ifndef __USE_MISC
+#define __USE_MISC
+#endif
+#ifndef __USE_POSIX
+#define __USE_POSIX
+#endif
+#include <netdb.h>
+
+#include <stdint.h>
+
+#ifndef HAVE_STRNLEN
+#include "src/common/strnlen.h"
+#endif
+
+#include "src/proxy-bio.h"
+
+int socks4a_connect (BIO *b);
+int socks5_connect (BIO *b);
+int http_connect (BIO *b);
+
+int proxy_new (BIO *b)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) malloc (sizeof *ctx);
+ if (!ctx)
+ return 0;
+ ctx->connected = 0;
+ ctx->connect = NULL;
+ ctx->host = NULL;
+ ctx->port = 0;
+ b->init = 1;
+ b->flags = 0;
+ b->ptr = ctx;
+ return 1;
+}
+
+int proxy_free (BIO *b)
+{
+ struct proxy_ctx *c;
+ if (!b || !b->ptr)
+ return 1;
+ c = (struct proxy_ctx *) b->ptr;
+ if (c->host)
+ free (c->host);
+ c->host = NULL;
+ b->ptr = NULL;
+ free (c);
+ return 1;
+}
+
+int socks4a_connect (BIO *b)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ int r;
+ unsigned char buf[NI_MAXHOST + 16];
+ uint16_t port_n = htons (ctx->port);
+ size_t sz = 0;
+ verb ("V: proxy4: connecting %s:%d", ctx->host, ctx->port);
+ /*
+ * Packet layout:
+ * 1b: Version (must be 0x04)
+ * 1b: command (0x01 is connect)
+ * 2b: port number, big-endian
+ * 4b: 0x00, 0x00, 0x00, 0x01 (bogus IPv4 addr)
+ * 1b: 0x00 (empty 'userid' field)
+ * nb: hostname, null-terminated
+ */
+ buf[0] = 0x04;
+ buf[1] = 0x01;
+ sz += 2;
+ memcpy (buf + 2, &port_n, sizeof (port_n));
+ sz += sizeof (port_n);
+ buf[4] = 0x00;
+ buf[5] = 0x00;
+ buf[6] = 0x00;
+ buf[7] = 0x01;
+ sz += 4;
+ buf[8] = 0x00;
+ sz += 1;
+
+ memcpy (buf + sz, ctx->host, strlen (ctx->host) + 1);
+ sz += strlen (ctx->host) + 1;
+ r = BIO_write (b->next_bio, buf, sz);
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != sz)
+ return 0;
+ /* server reply: 1 + 1 + 2 + 4 */
+ r = BIO_read (b->next_bio, buf, 8);
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != 8)
+ return 0;
+ if (buf[1] == 0x5a)
+ {
+ verb ("V: proxy4: connected");
+ ctx->connected = 1;
+ return 1;
+ }
+ return 0;
+}
+
+int socks5_connect (BIO *b)
+{
+ unsigned char buf[NI_MAXHOST + 16];
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ uint16_t port_n = htons (ctx->port);
+ size_t sz = 0;
+ /* the length for SOCKS addresses is only one byte. */
+ if (strnlen (ctx->host, UINT8_MAX + 1) == UINT8_MAX + 1)
+ return 0;
+ verb ("V: proxy5: connecting %s:%d", ctx->host, ctx->port);
+ /*
+ * Hello packet layout:
+ * 1b: Version
+ * 1b: auth methods
+ * nb: method types
+ *
+ * We support only one method (no auth, 0x00). Others listed in RFC
+ * 1928.
+ */
+ buf[0] = 0x05;
+ buf[1] = 0x01;
+ buf[2] = 0x00;
+ r = BIO_write (b->next_bio, buf, 3);
+ if (r != 3)
+ return 0;
+ r = BIO_read (b->next_bio, buf, 2);
+ if (r != 2)
+ return 0;
+ if (buf[0] != 0x05 || buf[1] != 0x00)
+ {
+ verb ("V: proxy5: auth error %02x %02x", buf[0], buf[1]);
+ return 0;
+ }
+ /*
+ * Connect packet layout:
+ * 1b: version
+ * 1b: command (0x01 is connect)
+ * 1b: reserved, 0x00
+ * 1b: addr type (0x03 is domain name)
+ * nb: addr len (1b) + addr bytes, no null termination
+ * 2b: port, network byte order
+ */
+ buf[0] = 0x05;
+ buf[1] = 0x01;
+ buf[2] = 0x00;
+ buf[3] = 0x03;
+ buf[4] = strlen (ctx->host);
+ sz += 5;
+ memcpy (buf + 5, ctx->host, strlen (ctx->host));
+ sz += strlen (ctx->host);
+ memcpy (buf + sz, &port_n, sizeof (port_n));
+ sz += sizeof (port_n);
+ r = BIO_write (b->next_bio, buf, sz);
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != sz)
+ return 0;
+ /*
+ * Server's response:
+ * 1b: version
+ * 1b: status (0x00 is okay)
+ * 1b: reserved, 0x00
+ * 1b: addr type (0x03 is domain name, 0x01 ipv4)
+ * nb: addr len (1b) + addr bytes, no null termination
+ * 2b: port, network byte order
+ */
+ /* grab up through the addr type */
+ r = BIO_read (b->next_bio, buf, 4);
+ if ( -1 == r )
+ return -1;
+ if (r != 4)
+ return 0;
+ if (buf[0] != 0x05 || buf[1] != 0x00)
+ {
+ verb ("V: proxy5: connect error %02x %02x", buf[0], buf[1]);
+ return 0;
+ }
+ if (buf[3] == 0x03)
+ {
+ unsigned int len;
+ r = BIO_read (b->next_bio, buf + 4, 1);
+ if (r != 1)
+ return 0;
+ /* host (buf[4] bytes) + port (2 bytes) */
+ len = buf[4] + 2;
+ while (len)
+ {
+ r = BIO_read (b->next_bio, buf + 5, min (len, sizeof (buf)));
+ if (r <= 0)
+ return 0;
+ len -= min (len, r);
+ }
+ }
+ else if (buf[3] == 0x01)
+ {
+ /* 4 bytes ipv4 addr, 2 bytes port */
+ r = BIO_read (b->next_bio, buf + 4, 6);
+ if (r != 6)
+ return 0;
+ }
+ verb ("V: proxy5: connected");
+ ctx->connected = 1;
+ return 1;
+}
+
+/* SSL socket BIOs don't support BIO_gets, so... */
+int sock_gets (BIO *b, char *buf, size_t sz)
+{
+ char c;
+ while (BIO_read (b, &c, 1) > 0 && sz > 1)
+ {
+ *buf++ = c;
+ sz--;
+ if (c == '\n')
+ {
+ *buf = '\0';
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int http_connect (BIO *b)
+{
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ char buf[4096];
+ int retcode;
+ snprintf (buf, sizeof (buf), "CONNECT %s:%d HTTP/1.1\r\n",
+ ctx->host, ctx->port);
+ r = BIO_write (b->next_bio, buf, strlen (buf));
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != strlen(buf))
+ return 0;
+ /* required by RFC 2616 14.23 */
+ snprintf (buf, sizeof (buf), "Host: %s:%d\r\n", ctx->host, ctx->port);
+ r = BIO_write (b->next_bio, buf, strlen (buf));
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != strlen(buf))
+ return 0;
+ strcpy (buf, "\r\n");
+ r = BIO_write (b->next_bio, buf, strlen (buf));
+ if ( -1 == r )
+ return -1;
+ if ( (size_t) r != strlen(buf))
+ return 0;
+ r = sock_gets (b->next_bio, buf, sizeof (buf));
+ if (r)
+ return 0;
+ /* use %*s to ignore the version */
+ if (sscanf (buf, "HTTP/%*s %d", &retcode) != 1)
+ return 0;
+ if (retcode < 200 || retcode > 299)
+ return 0;
+ while (! (r = sock_gets (b->next_bio, buf, sizeof (buf))))
+ {
+ if (!strcmp (buf, "\r\n"))
+ {
+ /* Done with the header */
+ ctx->connected = 1;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int proxy_write (BIO *b, const char *buf, int sz)
+{
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+
+ assert (buf);
+ if (sz <= 0)
+ return 0;
+ if (!b->next_bio)
+ return 0;
+ if (!ctx->connected)
+ {
+ assert (ctx->connect);
+ if (!ctx->connect (b))
+ return 0;
+ }
+ r = BIO_write (b->next_bio, buf, sz);
+ BIO_clear_retry_flags (b);
+ BIO_copy_next_retry (b);
+ return r;
+}
+
+int proxy_read (BIO *b, char *buf, int sz)
+{
+ int r;
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+
+ assert (buf);
+ if (!b->next_bio)
+ return 0;
+ if (!ctx->connected)
+ {
+ assert (ctx->connect);
+ if (!ctx->connect (b))
+ return 0;
+ }
+ r = BIO_read (b->next_bio, buf, sz);
+ BIO_clear_retry_flags (b);
+ BIO_copy_next_retry (b);
+ return r;
+}
+
+long proxy_ctrl (BIO *b, int cmd, long num, void *ptr)
+{
+ long ret;
+ struct proxy_ctx *ctx;
+ if (!b->next_bio)
+ return 0;
+ ctx = (struct proxy_ctx *) b->ptr;
+ assert (ctx);
+ switch (cmd)
+ {
+ case BIO_C_DO_STATE_MACHINE:
+ BIO_clear_retry_flags (b);
+ ret = BIO_ctrl (b->next_bio, cmd, num, ptr);
+ BIO_copy_next_retry (b);
+ break;
+#if defined(BIO_CTRL_DUP)
+ case BIO_CTRL_DUP:
+ ret = 0;
+ break;
+#endif /* BIO_CTRL_DUP */
+ default:
+ ret = BIO_ctrl (b->next_bio, cmd, num, ptr);
+ }
+ return ret;
+}
+
+int proxy_gets (BIO *b, char *buf, int size)
+{
+ return BIO_gets (b->next_bio, buf, size);
+}
+
+int proxy_puts (BIO *b, const char *str)
+{
+ return BIO_puts (b->next_bio, str);
+}
+
+long proxy_callback_ctrl (BIO *b, int cmd, bio_info_cb fp)
+{
+ if (!b->next_bio)
+ return 0;
+ return BIO_callback_ctrl (b->next_bio, cmd, fp);
+}
+
+BIO_METHOD proxy_methods =
+{
+ BIO_TYPE_MEM,
+ "proxy",
+ proxy_write,
+ proxy_read,
+ proxy_puts,
+ proxy_gets,
+ proxy_ctrl,
+ proxy_new,
+ proxy_free,
+ proxy_callback_ctrl,
+};
+
+BIO_METHOD *BIO_f_proxy()
+{
+ return &proxy_methods;
+}
+
+/* API starts here */
+
+BIO API *BIO_new_proxy()
+{
+ return BIO_new (BIO_f_proxy());
+}
+
+int API BIO_proxy_set_type (BIO *b, const char *type)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ if (!strcmp (type, "socks5"))
+ ctx->connect = socks5_connect;
+ else if (!strcmp (type, "socks4a"))
+ ctx->connect = socks4a_connect;
+ else if (!strcmp (type, "http"))
+ ctx->connect = http_connect;
+ else
+ return 1;
+ return 0;
+}
+
+int API BIO_proxy_set_host (BIO *b, const char *host)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ if (strnlen (host, NI_MAXHOST) == NI_MAXHOST)
+ return 1;
+ ctx->host = strdup (host);
+ return 0;
+}
+
+void API BIO_proxy_set_port (BIO *b, uint16_t port)
+{
+ struct proxy_ctx *ctx = (struct proxy_ctx *) b->ptr;
+ ctx->port = port;
+}
diff --git a/tlsdate/src/proxy-bio.h b/tlsdate/src/proxy-bio.h
new file mode 100644
index 0000000..3a68153
--- /dev/null
+++ b/tlsdate/src/proxy-bio.h
@@ -0,0 +1,32 @@
+/*
+ * proxy-bio.h - BIO layer for transparent proxy connections
+ *
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef PROXY_BIO_H
+#define PROXY_BIO_H
+
+#include <stdint.h>
+
+#include <openssl/bio.h>
+
+#include "util.h"
+
+struct proxy_ctx {
+ char *host;
+ uint16_t port;
+ int connected;
+ int (*connect)(BIO *b);
+};
+
+BIO *BIO_new_proxy();
+
+/* These do not take ownership of their string arguments. */
+int BIO_proxy_set_type (BIO *b, const char *type);
+int BIO_proxy_set_host (BIO *b, const char *host);
+void BIO_proxy_set_port (BIO *b, uint16_t port);
+
+#endif /* !PROXY_BIO_H */
diff --git a/tlsdate/src/proxy-polarssl.c b/tlsdate/src/proxy-polarssl.c
new file mode 100644
index 0000000..04f7f6d
--- /dev/null
+++ b/tlsdate/src/proxy-polarssl.c
@@ -0,0 +1,360 @@
+/*
+ * proxy-polarssl.c - Net stack layer for SOCKS4a/5 proxy connections
+ *
+ * Based on proxy-bio.c - Original copyright (c) 2012 The Chromium OS Authors.
+ *
+ * This file was adapted by Paul Bakker <p.j.bakker@offspark.com>
+ * All rights reserved.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * This file implements a SOCKS4a/SOCKS5 net layer as used by PolarSSL.
+ */
+
+#include "config.h"
+
+#include <arpa/inet.h>
+#include <assert.h>
+#ifndef __USE_MISC
+#define __USE_MISC
+#endif
+#ifndef __USE_POSIX
+#define __USE_POSIX
+#endif
+#include <netdb.h>
+#include <stdint.h>
+#include <stdio.h>
+
+#ifndef HAVE_STRNLEN
+#include "src/common/strnlen.h"
+#endif
+
+#include "src/proxy-polarssl.h"
+#include "src/util.h"
+
+int socks4a_connect(proxy_polarssl_ctx *ctx)
+{
+ int r;
+ unsigned char buf[NI_MAXHOST + 16];
+ uint16_t port_n;
+ size_t sz = 0;
+
+ if (!ctx)
+ return 0;
+
+ verb("V: proxy4: connecting %s:%d", ctx->host, ctx->port);
+
+ port_n = htons(ctx->port);
+
+ /*
+ * Packet layout:
+ * 1b: Version (must be 0x04)
+ * 1b: command (0x01 is connect)
+ * 2b: port number, big-endian
+ * 4b: 0x00, 0x00, 0x00, 0x01 (bogus IPv4 addr)
+ * 1b: 0x00 (empty 'userid' field)
+ * nb: hostname, null-terminated
+ */
+ buf[0] = 0x04;
+ buf[1] = 0x01;
+ sz += 2;
+
+ memcpy(buf + 2, &port_n, sizeof(port_n));
+ sz += sizeof(port_n);
+
+ buf[4] = 0x00;
+ buf[5] = 0x00;
+ buf[6] = 0x00;
+ buf[7] = 0x01;
+ sz += 4;
+
+ buf[8] = 0x00;
+ sz += 1;
+
+ memcpy(buf + sz, ctx->host, strlen(ctx->host) + 1);
+ sz += strlen(ctx->host) + 1;
+
+ r = ctx->f_send(ctx->p_send, buf, sz);
+ if (r != sz)
+ return 0;
+
+ /* server reply: 1 + 1 + 2 + 4 */
+ r = ctx->f_recv(ctx->p_recv, buf, 8);
+ if (r != 8)
+ return 0;
+
+ if (buf[1] == 0x5a) {
+ verb("V: proxy4: connected");
+ ctx->connected = 1;
+ return 1;
+ }
+ return 0;
+}
+
+int socks5_connect(proxy_polarssl_ctx *ctx)
+{
+ unsigned char buf[NI_MAXHOST + 16];
+ int r;
+ uint16_t port_n;
+ size_t sz = 0;
+
+ if (!ctx)
+ return 0;
+
+ /* the length for SOCKS addresses is only one byte. */
+ if (strnlen(ctx->host, UINT8_MAX + 1) == UINT8_MAX + 1)
+ return 0;
+
+ verb("V: proxy5: connecting %s:%d", ctx->host, ctx->port);
+
+ port_n = htons(ctx->port);
+
+ /*
+ * Hello packet layout:
+ * 1b: Version
+ * 1b: auth methods
+ * nb: method types
+ *
+ * We support only one method (no auth, 0x00). Others listed in RFC
+ * 1928.
+ */
+ buf[0] = 0x05;
+ buf[1] = 0x01;
+ buf[2] = 0x00;
+
+ r = ctx->f_send(ctx->p_send, buf, 3);
+ if (r != 3)
+ return 0;
+
+ r = ctx->f_recv(ctx->p_recv, buf, 2);
+ if (r != 2)
+ return 0;
+
+ if (buf[0] != 0x05 || buf[1] != 0x00) {
+ verb("V: proxy5: auth error %02x %02x", buf[0], buf[1]);
+ return 0;
+ }
+
+ /*
+ * Connect packet layout:
+ * 1b: version
+ * 1b: command (0x01 is connect)
+ * 1b: reserved, 0x00
+ * 1b: addr type (0x03 is domain name)
+ * nb: addr len (1b) + addr bytes, no null termination
+ * 2b: port, network byte order
+ */
+ buf[0] = 0x05;
+ buf[1] = 0x01;
+ buf[2] = 0x00;
+ buf[3] = 0x03;
+ buf[4] = strlen(ctx->host);
+ sz += 5;
+ memcpy(buf + 5, ctx->host, strlen(ctx->host));
+ sz += strlen(ctx->host);
+ memcpy(buf + sz, &port_n, sizeof(port_n));
+ sz += sizeof(port_n);
+
+ r = ctx->f_send(ctx->p_send, buf, sz);
+ if (r != sz)
+ return 0;
+
+ /*
+ * Server's response:
+ * 1b: version
+ * 1b: status (0x00 is okay)
+ * 1b: reserved, 0x00
+ * 1b: addr type (0x03 is domain name, 0x01 ipv4)
+ * nb: addr len (1b) + addr bytes, no null termination
+ * 2b: port, network byte order
+ */
+
+ /* grab up through the addr type */
+ r = ctx->f_recv(ctx->p_recv, buf, 4);
+ if (r != 4)
+ return 0;
+
+ if (buf[0] != 0x05 || buf[1] != 0x00) {
+ verb("V: proxy5: connect error %02x %02x", buf[0], buf[1]);
+ return 0;
+ }
+
+ if (buf[3] == 0x03) {
+ unsigned int len;
+ r = ctx->f_recv(ctx->p_recv, buf + 4, 1);
+ if (r != 1)
+ return 0;
+ /* host (buf[4] bytes) + port (2 bytes) */
+ len = buf[4] + 2;
+ while (len) {
+ r = ctx->f_recv(ctx->p_recv, buf + 5, min(len, sizeof(buf)));
+ if (r <= 0)
+ return 0;
+ len -= min(len, r);
+ }
+ } else if (buf[3] == 0x01) {
+ /* 4 bytes ipv4 addr, 2 bytes port */
+ r = ctx->f_recv(ctx->p_recv, buf + 4, 6);
+ if (r != 6)
+ return 0;
+ }
+
+ verb("V: proxy5: connected");
+ ctx->connected = 1;
+ return 1;
+}
+
+/* SSL socket BIOs don't support BIO_gets, so... */
+int sock_gets(proxy_polarssl_ctx *ctx, char *buf, size_t sz)
+{
+ unsigned char c;
+ while (ctx->f_recv(ctx->p_recv, &c, 1) > 0 && sz > 1) {
+ *buf++ = c;
+ sz--;
+ if (c == '\n') {
+ *buf = '\0';
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int http_connect(proxy_polarssl_ctx *ctx)
+{
+ int r;
+ char buf[4096];
+ int retcode;
+
+ snprintf(buf, sizeof(buf), "CONNECT %s:%d HTTP/1.1\r\n",
+ ctx->host, ctx->port);
+ r = ctx->f_send(ctx->p_send, (unsigned char *) buf, strlen(buf));
+ if (r != strlen(buf))
+ return 0;
+ /* required by RFC 2616 14.23 */
+ snprintf(buf, sizeof(buf), "Host: %s:%d\r\n", ctx->host, ctx->port);
+ r = ctx->f_send(ctx->p_send, (unsigned char *) buf, strlen(buf));
+ if (r != strlen(buf))
+ return 0;
+ strcpy(buf, "\r\n");
+ r = ctx->f_send(ctx->p_send, (unsigned char *) buf, strlen(buf));
+ if (r != strlen(buf))
+ return 0;
+
+ r = sock_gets(ctx, buf, sizeof(buf));
+ if (r)
+ return 0;
+ /* use %*s to ignore the version */
+ if (sscanf(buf, "HTTP/%*s %d", &retcode) != 1)
+ return 0;
+
+ if (retcode < 200 || retcode > 299)
+ return 0;
+ while (!(r = sock_gets(ctx, buf, sizeof(buf)))) {
+ if (!strcmp(buf, "\r\n")) {
+ /* Done with the header */
+ ctx->connected = 1;
+ return 1;
+ }
+ }
+ return 0;
+}
+
+int API proxy_polarssl_init(proxy_polarssl_ctx *ctx)
+{
+ if (!ctx)
+ return 0;
+
+ memset(ctx, 0, sizeof(proxy_polarssl_ctx));
+ return 1;
+}
+
+void API proxy_polarssl_set_bio(proxy_polarssl_ctx *ctx,
+ int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
+ int (*f_send)(void *, const unsigned char *, size_t), void *p_send)
+{
+ if (!ctx)
+ return;
+
+ ctx->f_recv = f_recv;
+ ctx->p_recv = p_recv;
+ ctx->f_send = f_send;
+ ctx->p_send = p_send;
+}
+
+int API proxy_polarssl_free(proxy_polarssl_ctx *ctx)
+{
+ if (!ctx)
+ return 0;
+
+ if (ctx->host)
+ {
+ free(ctx->host);
+ ctx->host = NULL;
+ }
+
+ return 1;
+}
+
+int API proxy_polarssl_set_scheme(proxy_polarssl_ctx *ctx, const char *scheme)
+{
+ if (!strcmp(scheme, "socks5"))
+ ctx->f_connect = socks5_connect;
+ else if (!strcmp(scheme, "socks4"))
+ ctx->f_connect = socks4a_connect;
+ else if (!strcmp(scheme, "http"))
+ ctx->f_connect = http_connect;
+ else
+ return 1;
+ return 0;
+}
+
+int API proxy_polarssl_set_host(proxy_polarssl_ctx *ctx, const char *host)
+{
+ if (strnlen(host, NI_MAXHOST) == NI_MAXHOST)
+ return 1;
+ ctx->host = strdup(host);
+ return 0;
+}
+
+void API proxy_polarssl_set_port(proxy_polarssl_ctx *ctx, uint16_t port)
+{
+ ctx->port = port;
+}
+
+int API proxy_polarssl_recv(void *ctx, unsigned char *data, size_t len)
+{
+ proxy_polarssl_ctx *proxy = (proxy_polarssl_ctx *) ctx;
+ int r;
+
+ if (!ctx)
+ return -1;
+
+ if (!proxy->connected)
+ {
+ r = proxy->f_connect(ctx);
+ if (r)
+ return (r);
+ }
+
+ return proxy->f_recv(proxy->p_recv, data, len);
+}
+
+
+int API proxy_polarssl_send(void *ctx, const unsigned char *data, size_t len)
+{
+ proxy_polarssl_ctx *proxy = (proxy_polarssl_ctx *) ctx;
+ int r;
+
+ if (!ctx)
+ return -1;
+
+ if (!proxy->connected)
+ {
+ r = proxy->f_connect(ctx);
+ if (r)
+ return (r);
+ }
+
+ return proxy->f_send(proxy->p_send, data, len);
+}
diff --git a/tlsdate/src/proxy-polarssl.h b/tlsdate/src/proxy-polarssl.h
new file mode 100644
index 0000000..144ba20
--- /dev/null
+++ b/tlsdate/src/proxy-polarssl.h
@@ -0,0 +1,46 @@
+/*
+ * proxy-polarssl.h - PolarSSL layer for transparent proxy connections
+ *
+ * Based on proxy-bio.c - Original copyright (c) 2012 The Chromium OS Authors.
+ *
+ * This file was adapted by Paul Bakker <p.j.bakker@offspark.com>
+ * All rights reserved.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef PROXY_POLARSSL_H
+#define PROXY_POLARSSL_H
+
+#include <stdint.h>
+
+typedef struct _proxy_polarssl_ctx proxy_polarssl_ctx;
+
+struct _proxy_polarssl_ctx {
+ char *host;
+ uint16_t port;
+ int connected;
+
+ int (*f_recv)(void *, unsigned char *, size_t);
+ int (*f_send)(void *, const unsigned char *, size_t);
+ int (*f_connect)(proxy_polarssl_ctx *);
+
+ void *p_recv; /*!< context for reading operations */
+ void *p_send; /*!< context for writing operations */
+};
+
+int proxy_polarssl_init(proxy_polarssl_ctx *proxy);
+int proxy_polarssl_free(proxy_polarssl_ctx *ctx);
+
+void proxy_polarssl_set_bio(proxy_polarssl_ctx *ctx,
+ int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
+ int (*f_send)(void *, const unsigned char *, size_t), void *p_send);
+int proxy_polarssl_set_scheme(proxy_polarssl_ctx *ctx, const char *scheme);
+int proxy_polarssl_set_host(proxy_polarssl_ctx *ctx, const char *host);
+void proxy_polarssl_set_port(proxy_polarssl_ctx *ctx, uint16_t port);
+
+int proxy_polarssl_recv(void *ctx, unsigned char *data, size_t len);
+int proxy_polarssl_send(void *ctx, const unsigned char *data, size_t len);
+
+#endif /* !PROXY_POLARSSL_H */
diff --git a/tlsdate/src/routeup.c b/tlsdate/src/routeup.c
new file mode 100644
index 0000000..f2accdc
--- /dev/null
+++ b/tlsdate/src/routeup.c
@@ -0,0 +1,160 @@
+/*
+ * routeup.c - listens for routes coming up, tells stdout
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * We emit 'n' for a route coming up.
+ */
+
+#include "config.h"
+
+#ifdef linux
+#include <asm/types.h>
+#endif
+
+#include <sys/socket.h> /* needed for linux/if.h for struct sockaddr */
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/if.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/sockios.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/select.h>
+#include <unistd.h>
+
+#include "src/util.h"
+#include "src/routeup.h"
+
+int verbose;
+int verbose_debug;
+
+/*
+ * Set up the supplied context by creating and binding its netlink socket.
+ * Returns 0 for success, 1 for failure.
+ */
+int API
+routeup_setup (struct routeup *rtc)
+{
+ struct sockaddr_nl sa;
+ memset (&sa, 0, sizeof (sa));
+ sa.nl_family = AF_NETLINK;
+ sa.nl_groups = RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE;
+ rtc->netlinkfd = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ if (rtc->netlinkfd < 0)
+ {
+ perror ("netlink socket() failed");
+ return 1;
+ }
+ if (bind (rtc->netlinkfd, (struct sockaddr *) &sa, sizeof (sa)) < 0)
+ {
+ perror ("netlink bind() failed");
+ close (rtc->netlinkfd);
+ return 1;
+ }
+ if (fcntl (rtc->netlinkfd, F_SETFL, O_NONBLOCK) < 0)
+ {
+ perror ("netlink fcntl(O_NONBLOCK) failed");
+ close (rtc->netlinkfd);
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * Handle a single netlink message.
+ * Returns 0 if there was a route status change, 1 if there
+ * were no valid nlmsghdrs, and -1 if there was a read error.
+ */
+int API
+routeup_process (struct routeup *rtc)
+{
+ char buf[4096];
+ ssize_t ret;
+ size_t sz;
+ struct nlmsghdr *nh;
+ if ( (ret = read (rtc->netlinkfd, buf, sizeof (buf))) < 0)
+ return -1;
+ sz = (size_t) ret;
+ for (nh = (struct nlmsghdr *) buf; NLMSG_OK (nh, sz);
+ nh = NLMSG_NEXT (nh, sz))
+ {
+ /*
+ * Unpack the netlink message into a bunch of... well...
+ * netlink messages. The terminology is overloaded. Walk
+ * through the message until we find a header of type
+ * NLMSG_DONE.
+ */
+ if (nh->nlmsg_type == NLMSG_DONE)
+ break;
+ if (nh->nlmsg_type != RTM_NEWROUTE)
+ continue;
+ /*
+ * Clear out the socket so we don't keep old messages
+ * queued up and eventually overflow the receive buffer.
+ */
+ while (read (rtc->netlinkfd, buf, sizeof (buf)) > 0)
+ /* loop through receive queue */;
+ if (errno != EAGAIN) return -1;
+ return 0;
+ }
+ return 1;
+}
+
+
+/*
+ * Blocks until we get a route status change message then calls
+ * route_process(). Returns 0 if there was a route state change, 1 if there
+ * was a timeout, and -1 if there was a read error.
+ */
+int API
+routeup_once (struct routeup *rtc, unsigned int timeout)
+{
+ int ret;
+ struct timeval remaining;
+ struct timeval *rp = timeout ? &remaining : NULL;
+ fd_set fds;
+ remaining.tv_sec = timeout;
+ remaining.tv_usec = 0;
+ FD_ZERO (&fds);
+ FD_SET (rtc->netlinkfd, &fds);
+ while (select (rtc->netlinkfd + 1, &fds, NULL, NULL, rp) >= 0)
+ {
+ FD_ZERO (&fds);
+ FD_SET (rtc->netlinkfd, &fds);
+ if (timeout && !remaining.tv_sec && !remaining.tv_usec)
+ return 1;
+ ret = routeup_process (rtc);
+ if (ret == 1)
+ continue;
+ return ret;
+ }
+ return -1;
+}
+
+/* Tear down the supplied context by closing its netlink socket. */
+void API
+routeup_teardown (struct routeup *rtc)
+{
+ close (rtc->netlinkfd);
+}
+
+#ifdef ROUTEUP_MAIN
+int API
+main ()
+{
+ struct routeup rtc;
+ if (routeup_setup (&rtc))
+ return 1;
+ while (!routeup_once (&rtc, 0))
+ {
+ printf ("n\n");
+ fflush (stdout);
+ }
+ routeup_teardown (&rtc);
+ return 0;
+}
+#endif /* ROUTEUP_MAIN */
diff --git a/tlsdate/src/routeup.h b/tlsdate/src/routeup.h
new file mode 100644
index 0000000..29d87e2
--- /dev/null
+++ b/tlsdate/src/routeup.h
@@ -0,0 +1,44 @@
+/*
+ * routeup.h - routeup library interface
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Call routeup_setup() to initialize a routeup context, then call
+ * routeup_once() until it returns nonzero (indicating an error) or until
+ * you're no longer interested in route changes. Call routeup_teardown()
+ * when you're done with an routeup context.
+ */
+
+#ifndef ROUTEUP_H
+#define ROUTEUP_H
+
+struct routeup
+{
+ int netlinkfd; /* AF_NETLINK event socket */
+};
+
+#ifdef TARGET_OS_LINUX
+int routeup_setup (struct routeup *ifc);
+int routeup_once (struct routeup *ifc, unsigned int timeout);
+int routeup_process (struct routeup *rtc);
+void routeup_teardown (struct routeup *ifc);
+#else
+static inline int routeup_setup (struct routeup *ifc)
+{
+ return 1; /* Fail for platforms without support. */
+}
+static inline int routeup_once (struct routeup *ifc, unsigned int timeout)
+{
+ return -1;
+}
+static inline int routeup_process (struct routeup *rtc)
+{
+ return -1;
+}
+static inline void routeup_teardown (struct routeup *ifc)
+{
+}
+#endif
+
+#endif /* !ROUTEUP_H */
diff --git a/tlsdate/src/rtc.h b/tlsdate/src/rtc.h
new file mode 100644
index 0000000..2017e96
--- /dev/null
+++ b/tlsdate/src/rtc.h
@@ -0,0 +1,9 @@
+#ifndef RTC_H
+#define RTC_H
+
+struct rtc_handle
+{
+ int fd;
+};
+
+#endif /* RTC_H */
diff --git a/tlsdate/src/seccomp-compat.h b/tlsdate/src/seccomp-compat.h
new file mode 100644
index 0000000..9f1da87
--- /dev/null
+++ b/tlsdate/src/seccomp-compat.h
@@ -0,0 +1,32 @@
+/*
+ * seccomp-compat.h - seccomp defines for bad headers
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#ifndef SECCOMP_COMPAT_H
+#define SECCOMP_COMPAT_H
+
+#include <stdint.h>
+
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
+#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
+#define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
+#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
+#define SECCOMP_RET_ERRNO 0x00050000U /* returns an errno */
+
+struct seccomp_data
+{
+ int nr;
+ uint32_t arch;
+ uint64_t instruction_pointer;
+ uint64_t args[6];
+};
+#endif /* !SECCOMP_MODE_FILTER */
+
+#endif
diff --git a/tlsdate/src/seccomp.c b/tlsdate/src/seccomp.c
new file mode 100644
index 0000000..9c33244
--- /dev/null
+++ b/tlsdate/src/seccomp.c
@@ -0,0 +1,152 @@
+/*
+ * seccomp.c - seccomp utility functions
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <asm/unistd.h>
+#include <elf.h>
+#include <errno.h>
+#include <sys/prctl.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#include <linux/audit.h>
+#include <linux/filter.h>
+
+#include "src/seccomp.h"
+
+/* Linux seccomp_filter sandbox */
+#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL
+
+/* Use a signal handler to emit violations when debugging */
+#ifdef SECCOMP_FILTER_DEBUG
+# undef SECCOMP_FILTER_FAIL
+# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
+#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
+
+/* Simple helpers to avoid manual errors (but larger BPF programs). */
+#define SC_DENY(_nr, _errno) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
+#define SC_ALLOW(_nr) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+
+#if defined(__i386__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
+#elif defined(__x86_64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
+#elif defined(__arm__)
+# ifndef EM_ARM
+# define EM_ARM 40
+# endif
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
+#elif defined(__aarch64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
+#elif defined(__mips__)
+# if defined(__MIPSEL__)
+# if defined(__LP64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL64
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPSEL
+# endif
+# elif defined(__LP64__)
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS64
+# else
+# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_MIPS
+# endif
+#else
+# error "Platform does not support seccomp filter yet"
+#endif
+
+/* Returns 0 if the the sandbox is enabled using
+ * the time setter policy.
+ */
+int
+enable_setter_seccomp (void)
+{
+ static const struct sock_filter insns[] =
+ {
+ /* Ensure the syscall arch convention is as expected. */
+ BPF_STMT (BPF_LD+BPF_W+BPF_ABS,
+ offsetof (struct seccomp_data, arch)),
+ BPF_JUMP (BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
+ BPF_STMT (BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
+ /* Load the syscall number for checking. */
+ BPF_STMT (BPF_LD+BPF_W+BPF_ABS,
+ offsetof (struct seccomp_data, nr)),
+
+ /* Process ALLOWs as quickly as possible */
+ SC_ALLOW (read),
+ SC_ALLOW (write),
+ SC_ALLOW (pwrite64),
+
+ SC_ALLOW (settimeofday),
+ SC_ALLOW (ioctl), /* TODO(wad) filter for fd and RTC_SET_TIME */
+#ifdef __NR_time /* This is required for x86 systems */
+ SC_ALLOW (time),
+#endif
+
+#ifdef __NR_lseek
+ SC_ALLOW (lseek),
+#endif
+#ifdef __NR_llseek
+ SC_ALLOW (llseek),
+#endif
+#ifdef __NR_lseek64
+ SC_ALLOW (lseek64),
+#endif
+ SC_ALLOW (close),
+ SC_ALLOW (munmap),
+
+ SC_ALLOW (exit_group),
+ SC_ALLOW (exit),
+
+#ifdef __NR_open
+ SC_DENY (open, EINVAL),
+#endif
+#ifdef __NR_openat
+ SC_DENY (openat, EINVAL),
+#endif
+ SC_DENY (fcntl, EINVAL),
+#ifdef __NR_fstat
+ SC_DENY (fstat, EINVAL),
+#endif
+#ifdef __NR_fstatat
+ SC_DENY (fstatat, EINVAL),
+#endif
+#ifdef __NR_newfstatat
+ SC_DENY (newfstatat, EINVAL),
+#endif
+#ifdef __NR_mmap
+ SC_DENY (mmap, EINVAL),
+#endif
+#ifdef __NR_mmap2
+ SC_DENY (mmap2, EINVAL),
+#endif
+#ifdef __NR_sendto
+ SC_DENY (sendto, EINVAL),
+#endif
+#ifdef __NR_socket
+ SC_DENY (socket, EINVAL),
+#endif
+#ifdef __NR_socketcall
+ SC_DENY (socketcall, EINVAL),
+#endif
+ BPF_STMT (BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
+ };
+ static const struct sock_fprog prog =
+ {
+ .len = (unsigned short) (sizeof (insns) /sizeof (insns[0])),
+ .filter = (struct sock_filter *) insns,
+ };
+ return (prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
+ prctl (PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog));
+}
diff --git a/tlsdate/src/seccomp.h b/tlsdate/src/seccomp.h
new file mode 100644
index 0000000..5f4a5f3
--- /dev/null
+++ b/tlsdate/src/seccomp.h
@@ -0,0 +1,24 @@
+/*
+ * seccomp.h - seccomp functions
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+#ifndef SECCOMP_H
+#define SECCOMP_H
+
+#include "config.h"
+
+#include "src/seccomp-compat.h"
+
+#ifdef HAVE_SECCOMP_FILTER
+int enable_setter_seccomp (void);
+#else /* HAVE_SECCOMP_FILTER */
+static
+inline int enable_setter_seccomp (void)
+{
+ return 0;
+}
+#endif /* !HAVE_SECCOMP_FILTER */
+
+#endif
diff --git a/tlsdate/src/test-bio.c b/tlsdate/src/test-bio.c
new file mode 100644
index 0000000..5c54b2d
--- /dev/null
+++ b/tlsdate/src/test-bio.c
@@ -0,0 +1,156 @@
+/*
+ * test-bio.c - BIO layer for testing
+ *
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * This is a 'source/sink' BIO which supports synthetic inputs and outputs, and
+ * can be used to drive filter BIOs through a state machine. It buffers all
+ * output sent to it, which can be retrieved with BIO_test_get_output(), and
+ * input sent to it, which is handed back in response to BIO_read() by the
+ * filter BIO.
+ */
+
+#include <assert.h>
+#include <string.h>
+
+#include "src/test-bio.h"
+#include "src/util.h"
+
+int verbose;
+int verbose_debug;
+
+static const unsigned int kMagic = 0x5f8d3f15;
+
+struct test_ctx
+{
+ unsigned int magic;
+ unsigned char *out;
+ size_t outsz;
+ unsigned char *in;
+ size_t insz;
+};
+
+static struct test_ctx *bio_ctx (BIO *b)
+{
+ struct test_ctx *ctx = b->ptr;
+ assert (ctx->magic == kMagic);
+ return ctx;
+}
+
+static size_t buf_drain (unsigned char **buf, size_t *bufsz,
+ unsigned char *out, size_t outsz)
+{
+ if (*bufsz < outsz)
+ outsz = *bufsz;
+ memcpy (out, *buf, outsz);
+ if (*bufsz > outsz)
+ memmove (*buf, *buf + outsz, *bufsz - outsz);
+ *bufsz -= outsz;
+ *buf = realloc (*buf, *bufsz);
+ return outsz;
+}
+
+static void buf_fill (unsigned char **buf, size_t *bufsz,
+ const unsigned char *in, size_t insz)
+{
+ *buf = realloc (*buf, *bufsz + insz);
+ memcpy (*buf + *bufsz, in, insz);
+ *bufsz += insz;
+}
+
+int test_new (BIO *b)
+{
+ struct test_ctx *ctx = malloc (sizeof *ctx);
+ if (!ctx)
+ return 0;
+ ctx->magic = kMagic;
+ ctx->in = NULL;
+ ctx->insz = 0;
+ ctx->out = NULL;
+ ctx->outsz = 0;
+ b->init = 1;
+ b->flags = 0;
+ b->ptr = ctx;
+ return 1;
+}
+
+int test_free (BIO *b)
+{
+ struct test_ctx *ctx;
+ if (!b || !b->ptr)
+ return 1;
+ ctx = bio_ctx (b);
+ free (ctx->in);
+ free (ctx->out);
+ return 1;
+}
+
+int test_write (BIO *b, const char *buf, int sz)
+{
+ struct test_ctx *ctx = bio_ctx (b);
+ if (sz <= 0)
+ return 0;
+ buf_fill (&ctx->out, &ctx->outsz, (unsigned char *) buf, sz);
+ return sz;
+}
+
+int test_read (BIO *b, char *buf, int sz)
+{
+ struct test_ctx *ctx = bio_ctx (b);
+ if (sz <= 0)
+ return 0;
+ return buf_drain (&ctx->in, &ctx->insz, (unsigned char *) buf, sz);
+}
+
+long test_ctrl (BIO *b, int cmd, long num, void *ptr)
+{
+ return 0;
+}
+
+long test_callback_ctrl (BIO *b, int cmd, bio_info_cb fp)
+{
+ return 0;
+}
+
+BIO_METHOD test_methods =
+{
+ BIO_TYPE_SOCKET,
+ "test",
+ test_write,
+ test_read,
+ NULL,
+ NULL,
+ test_ctrl,
+ test_new,
+ test_free,
+ test_callback_ctrl,
+};
+
+BIO_METHOD *BIO_s_test()
+{
+ return &test_methods;
+}
+
+BIO API *BIO_new_test()
+{
+ return BIO_new (BIO_s_test());
+}
+
+size_t API BIO_test_output_left (BIO *b)
+{
+ return bio_ctx (b)->outsz;
+}
+
+size_t API BIO_test_get_output (BIO *b, unsigned char *buf, size_t bufsz)
+{
+ struct test_ctx *c = bio_ctx (b);
+ return buf_drain (&c->out, &c->outsz, buf, bufsz);
+}
+
+void API BIO_test_add_input (BIO *b, const unsigned char *buf, size_t bufsz)
+{
+ struct test_ctx *c = bio_ctx (b);
+ return buf_fill (&c->in, &c->insz, buf, bufsz);
+}
diff --git a/tlsdate/src/test-bio.h b/tlsdate/src/test-bio.h
new file mode 100644
index 0000000..dcf1721
--- /dev/null
+++ b/tlsdate/src/test-bio.h
@@ -0,0 +1,20 @@
+/*
+ * test-bio.h - test BIO that stores reads/writes
+ *
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef TEST_BIO_H
+#define TEST_BIO_H
+
+#include <openssl/bio.h>
+
+BIO *BIO_new_test();
+
+size_t BIO_test_output_left (BIO *b);
+size_t BIO_test_get_output (BIO *b, unsigned char *buf, size_t bufsz);
+void BIO_test_add_input (BIO *b, const unsigned char *buf, size_t bufsz);
+
+#endif /* !TEST_BIO_H */
diff --git a/tlsdate/src/test/check-host-1.c b/tlsdate/src/test/check-host-1.c
new file mode 100644
index 0000000..33f745a
--- /dev/null
+++ b/tlsdate/src/test/check-host-1.c
@@ -0,0 +1,27 @@
+/* test returns a "sane" time if the host, port, and proxy
+ * are passed in properly on the commandline. The test
+ * is invoked by tlsdated instead of tlsdate.
+ * This expects host1, port1, proxy1.
+ *
+ * Paired with check-host-2.c, it allows for source rotation
+ * testing.
+ */
+#include "config.h"
+
+#include <string.h>
+#include <stdio.h>
+
+int main (int argc, char *argv[])
+{
+ unsigned int t = RECENT_COMPILE_DATE + 1;
+ if (argc < 7)
+ return 3;
+ if (!strcmp (argv[2], "host1")
+ && !strcmp (argv[4], "port1")
+ && !strcmp (argv[6], "proxy1"))
+ {
+ fwrite (&t, sizeof (t), 1, stdout);
+ return 0;
+ }
+ return 1;
+}
diff --git a/tlsdate/src/test/check-host-2.c b/tlsdate/src/test/check-host-2.c
new file mode 100644
index 0000000..869a865
--- /dev/null
+++ b/tlsdate/src/test/check-host-2.c
@@ -0,0 +1,26 @@
+/* test returns a "sane" time if the host, port, and proxy
+ * are passed in properly on the commandline. The test
+ * is invoked by tlsdated instead of tlsdate.
+ * This expects host2, port2, proxy2.
+ *
+ * Paired with check-host-2.c, it allows for source rotation
+ * testing.
+ */
+#include "config.h"
+#include <string.h>
+#include <stdio.h>
+
+int main (int argc, char *argv[])
+{
+ unsigned int t = RECENT_COMPILE_DATE + 1;
+ if (argc < 7)
+ return 3;
+ if (!strcmp (argv[2], "host2")
+ && !strcmp (argv[4], "port2")
+ && !strcmp (argv[6], "proxy2"))
+ {
+ fwrite (&t, sizeof (t), 1, stdout);
+ return 0;
+ }
+ return 1;
+}
diff --git a/tlsdate/src/test/emit.c b/tlsdate/src/test/emit.c
new file mode 100644
index 0000000..2c9d8e7
--- /dev/null
+++ b/tlsdate/src/test/emit.c
@@ -0,0 +1,18 @@
+/* Integration test helper which will print out
+ * the given time in seconds as an unsigned int.
+ */
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main (int argc, char *argv[])
+{
+ /* Unsigned int to match what tlsdate -Vraw returns, not time_t */
+ unsigned int t = argc > 1 ? (unsigned int) atoi(argv[1]) :
+ RECENT_COMPILE_DATE + 1;
+ fwrite (&t, sizeof (t), 1, stdout);
+ fflush(stdout);
+ return 0;
+}
diff --git a/tlsdate/src/test/proxy-override.c b/tlsdate/src/test/proxy-override.c
new file mode 100644
index 0000000..39abdc6
--- /dev/null
+++ b/tlsdate/src/test/proxy-override.c
@@ -0,0 +1,32 @@
+/* This test is called in lieu of tlsdate by tlsdated
+ * and it returns a timestamp that matches the proxy
+ * ordering - global, dynamic, etc.
+ * For use, see tlsdated-unittests.c
+ */
+#include "config.h"
+
+#include <string.h>
+#include <stdio.h>
+
+int main (int argc, char *argv[])
+{
+ /* Unsigned int to match what tlsdate -Vraw returns, not time_t */
+ /* TODO(wad) move tlsdated -Vraw to emitting time_t */
+ unsigned int t = RECENT_COMPILE_DATE + 1;
+ int saw_good_proxy = 0;
+ while (argc--)
+ {
+ if (!strcmp (argv[0], "socks5://good.proxy"))
+ saw_good_proxy = 1;
+ if (!strcmp (argv[0], "socks5://bad.proxy"))
+ {
+ t = RECENT_COMPILE_DATE + 3;
+ break;
+ }
+ argv++;
+ }
+ if (saw_good_proxy)
+ t = RECENT_COMPILE_DATE + 2;
+ fwrite (&t, sizeof (t), 1, stdout);
+ return 0;
+}
diff --git a/tlsdate/src/test/return-argc.c b/tlsdate/src/test/return-argc.c
new file mode 100644
index 0000000..3bcface
--- /dev/null
+++ b/tlsdate/src/test/return-argc.c
@@ -0,0 +1,3 @@
+/* return-argc.c - returns argc */
+
+int main(int argc, char *argv[]) { return argc; }
diff --git a/tlsdate/src/test/sleep-wrap.c b/tlsdate/src/test/sleep-wrap.c
new file mode 100644
index 0000000..d45d92f
--- /dev/null
+++ b/tlsdate/src/test/sleep-wrap.c
@@ -0,0 +1,20 @@
+/* Test invoked by tlsdated instead of tlsdate to
+ * show allow arbitrary delays before returning a
+ * "sane" time. This makes for easy timeout testing.
+ */
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main (int argc, char *argv[])
+{
+ /* Unsigned int to match what tlsdate -Vraw returns, not time_t */
+ unsigned int t = RECENT_COMPILE_DATE + 1;
+ if (argc < 2)
+ return 1;
+ sleep (atoi (argv[1]));
+ fwrite (&t, sizeof (t), 1, stdout);
+ return 0;
+}
diff --git a/tlsdate/src/test_harness.h b/tlsdate/src/test_harness.h
new file mode 100644
index 0000000..00a7bee
--- /dev/null
+++ b/tlsdate/src/test_harness.h
@@ -0,0 +1,451 @@
+/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * test_harness.h: simple C unit test helper.
+ *
+ * Usage:
+ * #include "test_harness.h"
+ * TEST(standalone_test) {
+ * do_some_stuff;
+ * EXPECT_GT(10, stuff) {
+ * stuff_state_t state;
+ * enumerate_stuff_state(&state);
+ * TH_LOG("expectation failed with state: %s", state.msg);
+ * }
+ * more_stuff;
+ * ASSERT_NE(some_stuff, NULL) TH_LOG("how did it happen?!");
+ * last_stuff;
+ * EXPECT_EQ(0, last_stuff);
+ * }
+ *
+ * FIXTURE(my_fixture) {
+ * mytype_t *data;
+ * int awesomeness_level;
+ * };
+ * FIXTURE_SETUP(my_fixture) {
+ * self->data = mytype_new();
+ * ASSERT_NE(NULL, self->data);
+ * }
+ * FIXTURE_TEARDOWN(my_fixture) {
+ * mytype_free(self->data);
+ * }
+ * TEST_F(my_fixture, data_is_good) {
+ * EXPECT_EQ(1, is_my_data_good(self->data));
+ * }
+ *
+ * TEST_HARNESS_MAIN
+ *
+ * API inspired by code.google.com/p/googletest
+ */
+#ifndef TEST_HARNESS_H_
+#define TEST_HARNESS_H_
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+/* All exported functionality should be declared through this macro. */
+#define TEST_API(x) _##x
+
+/*
+ * Exported APIs
+ */
+
+/* TEST(name) { implementation }
+ * Defines a test by name.
+ * Names must be unique and tests must not be run in parallel. The
+ * implementation containing block is a function and scoping should be treated
+ * as such. Returning early may be performed with a bare "return;" statement.
+ *
+ * EXPECT_* and ASSERT_* are valid in a TEST() { } context.
+ */
+#define TEST TEST_API(TEST)
+
+/* FIXTURE(datatype name) {
+ * type property1;
+ * ...
+ * };
+ * Defines the data provided to TEST_F()-defined tests as |self|. It should be
+ * populated and cleaned up using FIXTURE_SETUP and FIXTURE_TEARDOWN.
+ */
+#define FIXTURE TEST_API(FIXTURE)
+
+/* FIXTURE_DATA(datatype name)
+ * This call may be used when the type of the fixture data
+ * is needed. In general, this should not be needed unless
+ * the |self| is being passed to a helper directly.
+ */
+#define FIXTURE_DATA TEST_API(FIXTURE_DATA)
+
+/* FIXTURE_SETUP(fixture name) { implementation }
+ * Populates the required "setup" function for a fixture. An instance of the
+ * datatype defined with _FIXTURE_DATA will be exposed as |self| for the
+ * implementation.
+ *
+ * ASSERT_* are valid for use in this context and will prempt the execution
+ * of any dependent fixture tests.
+ *
+ * A bare "return;" statement may be used to return early.
+ */
+#define FIXTURE_SETUP TEST_API(FIXTURE_SETUP)
+
+/* FIXTURE_TEARDOWN(fixture name) { implementation }
+ * Populates the required "teardown" function for a fixture. An instance of the
+ * datatype defined with _FIXTURE_DATA will be exposed as |self| for the
+ * implementation to clean up.
+ *
+ * A bare "return;" statement may be used to return early.
+ */
+#define FIXTURE_TEARDOWN TEST_API(FIXTURE_TEARDOWN)
+
+/* TEST_F(fixture, name) { implementation }
+ * Defines a test that depends on a fixture (e.g., is part of a test case).
+ * Very similar to TEST() except that |self| is the setup instance of fixture's
+ * datatype exposed for use by the implementation.
+ */
+#define TEST_F TEST_API(TEST_F)
+
+/* Use once to append a main() to the test file. E.g.,
+ * TEST_HARNESS_MAIN
+ */
+#define TEST_HARNESS_MAIN TEST_API(TEST_HARNESS_MAIN)
+
+/*
+ * Operators for use in TEST and TEST_F.
+ * ASSERT_* calls will stop test execution immediately.
+ * EXPECT_* calls will emit a failure warning, note it, and continue.
+ */
+
+/* ASSERT_EQ(expected, measured): expected == measured */
+#define ASSERT_EQ TEST_API(ASSERT_EQ)
+/* ASSERT_NE(expected, measured): expected != measured */
+#define ASSERT_NE TEST_API(ASSERT_NE)
+/* ASSERT_LT(expected, measured): expected < measured */
+#define ASSERT_LT TEST_API(ASSERT_LT)
+/* ASSERT_LE(expected, measured): expected <= measured */
+#define ASSERT_LE TEST_API(ASSERT_LE)
+/* ASSERT_GT(expected, measured): expected > measured */
+#define ASSERT_GT TEST_API(ASSERT_GT)
+/* ASSERT_GE(expected, measured): expected >= measured */
+#define ASSERT_GE TEST_API(ASSERT_GE)
+/* ASSERT_NULL(measured): NULL == measured */
+#define ASSERT_NULL TEST_API(ASSERT_NULL)
+/* ASSERT_TRUE(measured): measured != 0 */
+#define ASSERT_TRUE TEST_API(ASSERT_TRUE)
+/* ASSERT_FALSE(measured): measured == 0 */
+#define ASSERT_FALSE TEST_API(ASSERT_FALSE)
+/* ASSERT_STREQ(expected, measured): !strcmp(expected, measured) */
+#define ASSERT_STREQ TEST_API(ASSERT_STREQ)
+/* ASSERT_STRNE(expected, measured): strcmp(expected, measured) */
+#define ASSERT_STRNE TEST_API(ASSERT_STRNE)
+/* EXPECT_EQ(expected, measured): expected == measured */
+#define EXPECT_EQ TEST_API(EXPECT_EQ)
+/* EXPECT_NE(expected, measured): expected != measured */
+#define EXPECT_NE TEST_API(EXPECT_NE)
+/* EXPECT_LT(expected, measured): expected < measured */
+#define EXPECT_LT TEST_API(EXPECT_LT)
+/* EXPECT_LE(expected, measured): expected <= measured */
+#define EXPECT_LE TEST_API(EXPECT_LE)
+/* EXPECT_GT(expected, measured): expected > measured */
+#define EXPECT_GT TEST_API(EXPECT_GT)
+/* EXPECT_GE(expected, measured): expected >= measured */
+#define EXPECT_GE TEST_API(EXPECT_GE)
+/* EXPECT_NULL(measured): NULL == measured */
+#define EXPECT_NULL TEST_API(EXPECT_NULL)
+/* EXPECT_TRUE(measured): 0 != measured */
+#define EXPECT_TRUE TEST_API(EXPECT_TRUE)
+/* EXPECT_FALSE(measured): 0 == measured */
+#define EXPECT_FALSE TEST_API(EXPECT_FALSE)
+/* EXPECT_STREQ(expected, measured): !strcmp(expected, measured) */
+#define EXPECT_STREQ TEST_API(EXPECT_STREQ)
+/* EXPECT_STRNE(expected, measured): strcmp(expected, measured) */
+#define EXPECT_STRNE TEST_API(EXPECT_STRNE)
+
+/* TH_LOG(format, ...)
+ * Optional debug logging function available for use in tests.
+ * Logging may be enabled or disabled by defining TH_LOG_ENABLED.
+ * E.g., #define TH_LOG_ENABLED 1
+ * If no definition is provided, logging is enabled by default.
+ */
+#define TH_LOG TEST_API(TH_LOG)
+
+/*
+ * Internal implementation.
+ *
+ */
+
+/* Utilities exposed to the test definitions */
+#ifndef TH_LOG_STREAM
+# define TH_LOG_STREAM stderr
+#endif
+
+#ifndef TH_LOG_ENABLED
+# define TH_LOG_ENABLED 1
+#endif
+
+#define _TH_LOG(fmt, ...) do { \
+ if (TH_LOG_ENABLED) \
+ __TH_LOG(fmt, ##__VA_ARGS__); \
+} while (0)
+
+/* Unconditional logger for internal use. */
+#define __TH_LOG(fmt, ...) \
+ fprintf(TH_LOG_STREAM, "%s:%d:%s:" fmt "\n", \
+ __FILE__, __LINE__, _metadata->name, ##__VA_ARGS__)
+
+/* Defines the test function and creates the registration stub. */
+#define _TEST(test_name) \
+ static void test_name(struct __test_metadata *_metadata); \
+ static struct __test_metadata _##test_name##_object = \
+ { .name = "global." #test_name, .fn = &test_name }; \
+ static void __attribute__((constructor)) _register_##test_name(void) { \
+ __register_test(&_##test_name##_object); \
+ } \
+ static void test_name( \
+ struct __test_metadata __attribute__((unused)) *_metadata)
+
+/* Wraps the struct name so we have one less argument to pass around. */
+#define _FIXTURE_DATA(fixture_name) struct _test_data_##fixture_name
+
+/* Called once per fixture to setup the data and register. */
+#define _FIXTURE(fixture_name) \
+ static void __attribute__((constructor)) \
+ _register_##fixture_name##_data(void) { \
+ __fixture_count++; \
+ } \
+ _FIXTURE_DATA(fixture_name)
+
+/* Prepares the setup function for the fixture. |_metadata| is included
+ * so that ASSERT_* work as a convenience.
+ */
+#define _FIXTURE_SETUP(fixture_name) \
+ void fixture_name##_setup( \
+ struct __test_metadata __attribute__((unused)) *_metadata, \
+ _FIXTURE_DATA(fixture_name) __attribute__((unused)) *self)
+#define _FIXTURE_TEARDOWN(fixture_name) \
+ void fixture_name##_teardown( \
+ struct __test_metadata __attribute__((unused)) *_metadata, \
+ _FIXTURE_DATA(fixture_name) __attribute__((unused)) *self)
+
+/* Emits test registration and helpers for fixture-based test
+ * cases.
+ * TODO(wad) register fixtures on dedicated test lists.
+ */
+#define _TEST_F(fixture_name, test_name) \
+ static void fixture_name##_##test_name( \
+ struct __test_metadata *_metadata, \
+ _FIXTURE_DATA(fixture_name) *self); \
+ static inline void wrapper_##fixture_name##_##test_name( \
+ struct __test_metadata *_metadata) { \
+ /* fixture data is allocated, setup, and torn down per call. */ \
+ _FIXTURE_DATA(fixture_name) self; \
+ memset(&self, 0, sizeof(_FIXTURE_DATA(fixture_name))); \
+ fixture_name##_setup(_metadata, &self); \
+ /* Let setup failure terminate early. */ \
+ if (!_metadata->passed) return; \
+ fixture_name##_##test_name(_metadata, &self); \
+ fixture_name##_teardown(_metadata, &self); \
+ } \
+ static struct __test_metadata _##fixture_name##_##test_name##_object = { \
+ .name = #fixture_name "." #test_name, \
+ .fn = &wrapper_##fixture_name##_##test_name, \
+ }; \
+ static void __attribute__((constructor)) \
+ _register_##fixture_name##_##test_name(void) { \
+ __register_test(&_##fixture_name##_##test_name##_object); \
+ } \
+ static void fixture_name##_##test_name( \
+ struct __test_metadata __attribute__((unused)) *_metadata, \
+ _FIXTURE_DATA(fixture_name) __attribute__((unused)) *self)
+
+/* Exports a simple wrapper to run the test harness. */
+#define _TEST_HARNESS_MAIN \
+ int main(int argc, char **argv) { return test_harness_run(argc, argv); }
+
+#define _ASSERT_EQ(_expected, _seen) \
+ __EXPECT(_expected, _seen, ==, 1)
+#define _ASSERT_NE(_expected, _seen) \
+ __EXPECT(_expected, _seen, !=, 1)
+#define _ASSERT_LT(_expected, _seen) \
+ __EXPECT(_expected, _seen, <, 1)
+#define _ASSERT_LE(_expected, _seen) \
+ __EXPECT(_expected, _seen, <=, 1)
+#define _ASSERT_GT(_expected, _seen) \
+ __EXPECT(_expected, _seen, >, 1)
+#define _ASSERT_GE(_expected, _seen) \
+ __EXPECT(_expected, _seen, >=, 1)
+#define _ASSERT_NULL(_seen) \
+ __EXPECT(NULL, _seen, ==, 1)
+
+#define _ASSERT_TRUE(_seen) \
+ _ASSERT_NE(0, _seen)
+#define _ASSERT_FALSE(_seen) \
+ _ASSERT_EQ(0, _seen)
+#define _ASSERT_STREQ(_expected, _seen) \
+ __EXPECT_STR(_expected, _seen, ==, 1)
+#define _ASSERT_STRNE(_expected, _seen) \
+ __EXPECT_STR(_expected, _seen, !=, 1)
+
+#define _EXPECT_EQ(_expected, _seen) \
+ __EXPECT(_expected, _seen, ==, 0)
+#define _EXPECT_NE(_expected, _seen) \
+ __EXPECT(_expected, _seen, !=, 0)
+#define _EXPECT_LT(_expected, _seen) \
+ __EXPECT(_expected, _seen, <, 0)
+#define _EXPECT_LE(_expected, _seen) \
+ __EXPECT(_expected, _seen, <=, 0)
+#define _EXPECT_GT(_expected, _seen) \
+ __EXPECT(_expected, _seen, >, 0)
+#define _EXPECT_GE(_expected, _seen) \
+ __EXPECT(_expected, _seen, >=, 0)
+
+#define _EXPECT_NULL(_seen) \
+ __EXPECT(NULL, _seen, ==, 0)
+#define _EXPECT_TRUE(_seen) \
+ _EXPECT_NE(0, _seen)
+#define _EXPECT_FALSE(_seen) \
+ _EXPECT_EQ(0, _seen)
+
+#define _EXPECT_STREQ(_expected, _seen) \
+ __EXPECT_STR(_expected, _seen, ==, 0)
+#define _EXPECT_STRNE(_expected, _seen) \
+ __EXPECT_STR(_expected, _seen, !=, 0)
+
+/* Support an optional handler after and ASSERT_* or EXPECT_*. The approach is
+ * not thread-safe, but it should be fine in most sane test scenarios.
+ *
+ * Using __bail(), which optionally abort()s, is the easiest way to early
+ * return while still providing an optional block to the API consumer.
+ */
+#define OPTIONAL_HANDLER(_assert) \
+ for (; _metadata->trigger; _metadata->trigger = __bail(_assert))
+
+#define __EXPECT(_expected, _seen, _t, _assert) do { \
+ /* Avoid multiple evaluation of the cases */ \
+ __typeof__(_expected) __exp = (_expected); \
+ __typeof__(_seen) __seen = (_seen); \
+ if (!(__exp _t __seen)) { \
+ unsigned long long __exp_print = 0; \
+ unsigned long long __seen_print = 0; \
+ /* Avoid casting complaints the scariest way we can. */ \
+ memcpy(&__exp_print, &__exp, sizeof(__exp)); \
+ memcpy(&__seen_print, &__seen, sizeof(__seen)); \
+ __TH_LOG("Expected %s (%llu) %s %s (%llu)", \
+ #_expected, __exp_print, #_t, \
+ #_seen, __seen_print); \
+ _metadata->passed = 0; \
+ /* Ensure the optional handler is triggered */ \
+ _metadata->trigger = 1; \
+ } \
+} while (0); OPTIONAL_HANDLER(_assert)
+
+#define __EXPECT_STR(_expected, _seen, _t, _assert) do { \
+ const char *__exp = (_expected); \
+ const char *__seen = (_seen); \
+ if (!(strcmp(__exp, __seen) _t 0)) { \
+ __TH_LOG("Expected '%s' %s '%s'.", __exp, #_t, __seen); \
+ _metadata->passed = 0; \
+ _metadata->trigger = 1; \
+ } \
+} while (0); OPTIONAL_HANDLER(_assert)
+
+/* Contains all the information for test execution and status checking. */
+struct __test_metadata
+{
+ const char *name;
+ void (*fn) (struct __test_metadata *);
+ int passed;
+ int trigger; /* extra handler after the evaluation */
+ struct __test_metadata *prev, *next;
+};
+
+/* Storage for the (global) tests to be run. */
+static struct __test_metadata *__test_list = NULL;
+static unsigned int __test_count = 0;
+static unsigned int __fixture_count = 0;
+
+static inline void __register_test (struct __test_metadata *t)
+{
+ __test_count++;
+ /* Circular linked list where only prev is circular. */
+ if (__test_list == NULL)
+ {
+ __test_list = t;
+ t->next = NULL;
+ t->prev = t;
+ return;
+ }
+ t->next = NULL;
+ t->prev = __test_list->prev;
+ t->prev->next = t;
+ __test_list->prev = t;
+}
+
+static inline int __bail (int for_realz)
+{
+ if (for_realz)
+ abort();
+ return 0;
+}
+
+static int test_harness_run (int __attribute__ ( (unused)) argc,
+ char __attribute__ ( (unused)) **argv)
+{
+ struct __test_metadata *t;
+ int ret = 0;
+ unsigned int count = 0;
+ /* TODO(wad) add optional arguments similar to gtest. */
+ printf ("[==========] Running %u tests from %u test cases.\n",
+ __test_count, __fixture_count + 1);
+ for (t = __test_list; t; t = t->next)
+ {
+ pid_t child_pid;
+ int status;
+ count++;
+ t->passed = 1;
+ t->trigger = 0;
+ printf ("[ RUN ] %s\n", t->name);
+ child_pid = fork();
+ if (child_pid < 0)
+ {
+ printf ("ERROR SPAWNING TEST CHILD\n");
+ t->passed = 0;
+ }
+ else if (child_pid == 0)
+ {
+ t->fn (t);
+ _exit (t->passed);
+ }
+ else
+ {
+ /* TODO(wad) add timeout support. */
+ waitpid (child_pid, &status, 0);
+ if (WIFEXITED (status))
+ t->passed = WEXITSTATUS (status);
+ if (WIFSIGNALED (status))
+ {
+ t->passed = 0;
+ fprintf (TH_LOG_STREAM,
+ "%s: Test terminated unexpectedly by signal %d\n",
+ t->name,
+ WTERMSIG (status));
+ }
+ }
+ printf ("[ %4s ] %s\n", (t->passed ? "OK" : "FAIL"), t->name);
+ if (!t->passed)
+ ret = 1;
+ }
+ /* TODO(wad) organize by fixtures since ordering is not guaranteed now. */
+ printf ("[==========] %u tests ran.\n", count);
+ printf ("[ %s ]\n", (ret ? "FAILED" : "PASSED"));
+ return ret;
+}
+
+#endif /* TEST_HARNESS_H_ */
diff --git a/tlsdate/src/tlsdate-helper-plan9.c b/tlsdate/src/tlsdate-helper-plan9.c
new file mode 100644
index 0000000..c245a6b
--- /dev/null
+++ b/tlsdate/src/tlsdate-helper-plan9.c
@@ -0,0 +1,1250 @@
+/* Copyright (c) 2012, Jacob Appelbaum.
+ * Copyright (c) 2012, The Tor Project, Inc.
+ * Copyright (c) 2012, Christian Grothoff. */
+/* See LICENSE for licensing information */
+/*
+ This file contains the license for tlsdate,
+ a free software project to set your system clock securely.
+
+ It also lists the licenses for other components used by tlsdate.
+
+ For more information about tlsdate, see https://github.com/ioerror/tlsdate
+
+ If you got this file as a part of a larger bundle,
+ there may be other license terms that you should be aware of.
+
+===============================================================================
+tlsdate is distributed under this license:
+
+Copyright (c) 2011-2012, Jacob Appelbaum <jacob@appelbaum.net>
+Copyright (c) 2011-2012, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+ * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
+If you got tlsdate as a static binary with OpenSSL included, then you should
+know:
+
+ "This product includes software developed by the OpenSSL Project for use in
+ the OpenSSL Toolkit (http://www.openssl.org/)"
+
+===============================================================================
+*/
+
+/**
+ * \file tlsdate-helper.c
+ * \brief Helper program that does the actual work of setting the system clock.
+ **/
+
+/*
+ * tlsdate is a tool for setting the system clock by hand or by communication
+ * with the network. It does not set the RTC. It is designed to be as secure as
+ * TLS (RFC 2246) but of course the security of TLS is often reduced to
+ * whichever CA racket you believe is trustworthy. By default, tlsdate trusts
+ * your local CA root store - so any of these companies could assist in a MITM
+ * attack against you and you'd be screwed.
+
+ * This tool is designed to be run by hand or as a system daemon. It must be
+ * run as root or otherwise have the proper caps; it will not be able to set
+ * the system time without running as root or another privileged user.
+ */
+
+#include "config.h"
+#include "src/tlsdate-helper-plan9.h"
+
+#ifndef USE_POLARSSL
+#include "src/proxy-bio-plan9.h"
+#else
+#include "src/proxy-polarssl.h"
+#endif
+
+#include "src/compat/clock-plan9.h"
+
+#ifndef MAP_ANONYMOUS
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+
+#ifdef USE_POLARSSL
+#include "polarssl/entropy.h"
+#include "polarssl/ctr_drbg.h"
+#include "polarssl/ssl.h"
+#endif
+
+static void
+validate_proxy_scheme(const char *scheme)
+{
+ if (!strcmp(scheme, "http"))
+ return;
+ if (!strcmp(scheme, "socks4"))
+ return;
+ if (!strcmp(scheme, "socks5"))
+ return;
+ die("invalid proxy scheme\n");
+}
+
+static void
+validate_proxy_host(const char *host)
+{
+ const char *kValid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789"
+ ".-";
+ if (strspn(host, kValid) != strlen(host))
+ die("invalid char in host\n");
+}
+
+static void
+validate_proxy_port(const char *port)
+{
+ while (*port)
+ if (!isdigit(*port++))
+ die("invalid char in port\n");
+}
+
+static void
+parse_proxy_uri(char *proxy, char **scheme, char **host, char **port)
+{
+ /* Expecting a URI, so: <scheme> '://' <host> ':' <port> */
+ *scheme = proxy;
+ proxy = strstr(proxy, "://");
+ if (!proxy)
+ die("malformed proxy URI\n");
+ *proxy = '\0'; /* terminate scheme string */
+ proxy += strlen("://");
+
+ *host = proxy;
+ proxy = strchr(proxy, ':');
+ if (!proxy)
+ die("malformed proxy URI\n");
+ *proxy++ = '\0';
+
+ *port = proxy;
+
+ validate_proxy_scheme(*scheme);
+ validate_proxy_host(*host);
+ validate_proxy_port(*port);
+}
+
+#ifndef USE_POLARSSL
+static void
+setup_proxy(BIO *ssl)
+{
+ BIO *bio;
+ char *scheme;
+ char *proxy_host;
+ char *proxy_port;
+
+ if (!proxy)
+ return;
+ /*
+ * grab the proxy's host and port out of the URI we have for it. We want the
+ * underlying connect BIO to connect to this, not the target host and port, so
+ * we squirrel away the target host and port in the proxy BIO (as the proxy
+ * target) and swap out the connect BIO's target host and port so it'll
+ * connect to the proxy instead.
+ */
+ parse_proxy_uri(proxy, &scheme, &proxy_host, &proxy_port);
+ bio = BIO_new_proxy();
+ BIO_proxy_set_type(bio, scheme);
+ BIO_proxy_set_host(bio, host);
+ BIO_proxy_set_port(bio, atoi(port));
+ host = proxy_host;
+ port = proxy_port;
+ BIO_push(ssl, bio);
+}
+
+static BIO *
+make_ssl_bio(SSL_CTX *ctx)
+{
+ BIO *con = NULL;
+ BIO *ssl = NULL;
+
+ if (!(con = BIO_new(BIO_s_connect())))
+ die("BIO_s_connect failed\n");
+ if (!(ssl = BIO_new_ssl(ctx, 1)))
+ die("BIO_new_ssl failed\n");
+ setup_proxy(ssl);
+ BIO_push(ssl, con);
+ return ssl;
+}
+
+/** helper function for 'malloc' */
+static void *
+xmalloc (size_t size)
+{
+ void *ptr;
+
+ if (0 == size)
+ die("xmalloc: zero size\n");
+
+ ptr = malloc(size);
+ if (NULL == ptr)
+ die("xmalloc: out of memory (allocating %zu bytes)\n", size);
+
+ return ptr;
+}
+
+
+/** helper function for 'free' */
+static void
+xfree (void *ptr)
+{
+ if (NULL == ptr)
+ die("xfree: NULL pointer given as argument\n");
+
+ free(ptr);
+}
+
+void
+openssl_time_callback (const SSL* ssl, int where, int ret)
+{
+ if (where == SSL_CB_CONNECT_LOOP &&
+ (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
+ {
+ /*
+ // XXX TODO: If we want to trust the remote system for time,
+ // can we just read that time out of the remote system and if the
+ // cert verifies, decide that the time is reasonable?
+ // Such a process seems to indicate that a once valid cert would be
+ // forever valid - we stopgap that by ensuring it isn't less than
+ // the latest compiled_time and isn't above max_reasonable_time...
+ // XXX TODO: Solve eternal question about the Chicken and the Egg...
+ */
+ uint32_t compiled_time = RECENT_COMPILE_DATE;
+ uint32_t max_reasonable_time = MAX_REASONABLE_TIME;
+ uint32_t server_time;
+ verb("V: freezing time for x509 verification\n");
+ memcpy(&server_time, ssl->s3->server_random, sizeof(uint32_t));
+ if (compiled_time < ntohl(server_time)
+ &&
+ ntohl(server_time) < max_reasonable_time)
+ {
+ verb("V: remote peer provided: %d, preferred over compile time: %d\n",
+ ntohl(server_time), compiled_time);
+ verb("V: freezing time with X509_VERIFY_PARAM_set_time\n");
+ X509_VERIFY_PARAM_set_time(ssl->ctx->cert_store->param,
+ (time_t) ntohl(server_time) + 86400);
+ } else {
+ die("V: the remote server is a false ticker! server: %d compile: %d\n",
+ ntohl(server_time), compiled_time);
+ }
+ }
+}
+
+uint32_t
+get_certificate_keybits (EVP_PKEY *public_key)
+{
+ /*
+ In theory, we could use check_bitlen_dsa() and check_bitlen_rsa()
+ */
+ uint32_t key_bits;
+ switch (public_key->type)
+ {
+ case EVP_PKEY_RSA:
+ verb("V: key type: EVP_PKEY_RSA\n");
+ key_bits = BN_num_bits(public_key->pkey.rsa->n);
+ break;
+ case EVP_PKEY_RSA2:
+ verb("V: key type: EVP_PKEY_RSA2\n");
+ key_bits = BN_num_bits(public_key->pkey.rsa->n);
+ break;
+ case EVP_PKEY_DSA:
+ verb("V: key type: EVP_PKEY_DSA\n");
+ key_bits = BN_num_bits(public_key->pkey.dsa->p);
+ break;
+ case EVP_PKEY_DSA1:
+ verb("V: key type: EVP_PKEY_DSA1\n");
+ key_bits = BN_num_bits(public_key->pkey.dsa->p);
+ break;
+ case EVP_PKEY_DSA2:
+ verb("V: key type: EVP_PKEY_DSA2\n");
+ key_bits = BN_num_bits(public_key->pkey.dsa->p);
+ break;
+ case EVP_PKEY_DSA3:
+ verb("V: key type: EVP_PKEY_DSA3\n");
+ key_bits = BN_num_bits(public_key->pkey.dsa->p);
+ break;
+ case EVP_PKEY_DSA4:
+ verb("V: key type: EVP_PKEY_DSA4\n");
+ key_bits = BN_num_bits(public_key->pkey.dsa->p);
+ break;
+ case EVP_PKEY_DH:
+ verb("V: key type: EVP_PKEY_DH\n");
+ key_bits = BN_num_bits(public_key->pkey.dh->pub_key);
+ break;
+ case EVP_PKEY_EC:
+ verb("V: key type: EVP_PKEY_EC\n");
+ key_bits = EVP_PKEY_bits(public_key);
+ break;
+ // Should we also care about EVP_PKEY_HMAC and EVP_PKEY_CMAC?
+ default:
+ key_bits = 0;
+ die ("unknown public key type\n");
+ break;
+ }
+ verb ("V: keybits: %d\n", key_bits);
+ return key_bits;
+}
+
+uint32_t
+dns_label_count(char *label, char *delim)
+{
+ char *label_tmp;
+ char *saveptr;
+ char *saveptr_tmp;
+ uint32_t label_count;
+
+ label_tmp = strdup(label);
+ label_count = 0;
+ saveptr = NULL;
+ saveptr_tmp = NULL;
+ saveptr = strtok_r(label_tmp, delim, &saveptr);
+ if (NULL != saveptr)
+ {
+ // Did we find our first label?
+ if (saveptr[0] != delim[0])
+ {
+ label_count++;
+ verb ("V: label found; total label count: %d\n", label_count);
+ }
+ do
+ {
+ // Find all subsequent labels
+ label_count++;
+ saveptr_tmp = strtok_r(NULL, delim, &saveptr);
+ verb ("V: label found; total label count: %d\n", label_count);
+ } while (NULL != saveptr_tmp);
+ }
+ free(label_tmp);
+ return label_count;
+}
+
+// first we split strings on '.'
+// then we call each split string a 'label'
+// Do not allow '*' for the top level domain label; eg never allow *.*.com
+// Do not allow '*' for subsequent subdomains; eg never allow *.foo.example.com
+// Do allow *.example.com
+uint32_t
+check_wildcard_match_rfc2595 (const char *orig_hostname,
+ const char *orig_cert_wild_card)
+{
+ char *hostname;
+ char *hostname_to_free;
+ char *cert_wild_card;
+ char *cert_wild_card_to_free;
+ char *expected_label;
+ char *wildcard_label;
+ char *delim;
+ char *wildchar;
+ uint32_t ok;
+ uint32_t wildcard_encountered;
+ uint32_t label_count;
+
+ // First we copy the original strings
+ hostname = strdup(orig_hostname);
+ cert_wild_card = strdup(orig_cert_wild_card);
+ hostname_to_free = hostname;
+ cert_wild_card_to_free = cert_wild_card;
+ delim = strdup(".");
+ wildchar = strdup("*");
+
+ verb ("V: Inspecting '%s' for possible wildcard match against '%s'\n",
+ hostname, cert_wild_card);
+
+ // By default we have not processed any labels
+ label_count = dns_label_count(cert_wild_card, delim);
+
+ // By default we have no match
+ ok = 0;
+ wildcard_encountered = 0;
+ // First - do we have labels? If not, we refuse to even try to match
+ if ((NULL != strpbrk(cert_wild_card, delim)) &&
+ (NULL != strpbrk(hostname, delim)) &&
+ (label_count <= ((uint32_t)RFC2595_MIN_LABEL_COUNT)))
+ {
+ if (wildchar[0] == cert_wild_card[0])
+ {
+ verb ("V: Found wildcard in at start of provided certificate name\n");
+ do
+ {
+ // Skip over the bytes between the first char and until the next label
+ wildcard_label = strtok(cert_wild_card, delim);
+ expected_label = strtok(hostname, delim);
+ if (NULL != wildcard_label &&
+ NULL != expected_label &&
+ NULL != hostname &&
+ NULL != cert_wild_card)
+ {
+ // Now we only consider this wildcard valid if the rest of the
+ // hostnames match verbatim
+ verb ("V: Attempting match of '%s' against '%s'\n",
+ expected_label, wildcard_label);
+ // This is the case where we have a label that begins with wildcard
+ // Furthermore, we only allow this for the first label
+ if (wildcard_label[0] == wildchar[0] &&
+ 0 == wildcard_encountered && 0 == ok)
+ {
+ verb ("V: Forced match of '%s' against '%s'\n", expected_label, wildcard_label);
+ wildcard_encountered = 1;
+ } else {
+ verb ("V: Attempting match of '%s' against '%s'\n",
+ hostname, cert_wild_card);
+ if (0 == strcasecmp (expected_label, wildcard_label) &&
+ label_count >= ((uint32_t)RFC2595_MIN_LABEL_COUNT))
+ {
+ ok = 1;
+ verb ("V: remaining labels match!\n");
+ break;
+ } else {
+ ok = 0;
+ verb ("V: remaining labels do not match!\n");
+ break;
+ }
+ }
+ } else {
+ // We hit this case when we have a mismatched number of labels
+ verb("V: NULL label; no wildcard here\n");
+ break;
+ }
+ } while (0 != wildcard_encountered && label_count <= RFC2595_MIN_LABEL_COUNT);
+ } else {
+ verb ("V: Not a RFC 2595 wildcard\n");
+ }
+ } else {
+ verb ("V: Not a valid wildcard certificate\n");
+ ok = 0;
+ }
+ // Free our copies
+ free(wildchar);
+ free(delim);
+ free(hostname_to_free);
+ free(cert_wild_card_to_free);
+ if (wildcard_encountered & ok && label_count >= RFC2595_MIN_LABEL_COUNT)
+ {
+ verb ("V: wildcard match of %s against %s\n",
+ orig_hostname, orig_cert_wild_card);
+ return (wildcard_encountered & ok);
+ } else {
+ verb ("V: wildcard match failure of %s against %s\n",
+ orig_hostname, orig_cert_wild_card);
+ return 0;
+ }
+}
+#endif
+
+#ifndef USE_POLARSSL
+/**
+ This extracts the first commonName and checks it against hostname.
+*/
+uint32_t
+check_cn (SSL *ssl, const char *hostname)
+{
+ int ok = 0;
+ int ret;
+ char *cn_buf;
+ X509 *certificate;
+ X509_NAME *xname;
+
+ // We cast this to cast away g++ complaining about the following:
+ // error: invalid conversion from ‘void*’ to ‘char*’
+ cn_buf = (char *) xmalloc(TLSDATE_HOST_NAME_MAX + 1);
+
+ certificate = SSL_get_peer_certificate(ssl);
+ if (NULL == certificate)
+ {
+ die ("Unable to extract certificate\n");
+ }
+
+ memset(cn_buf, '\0', (TLSDATE_HOST_NAME_MAX + 1));
+ xname = X509_get_subject_name(certificate);
+ ret = X509_NAME_get_text_by_NID(xname, NID_commonName,
+ cn_buf, TLSDATE_HOST_NAME_MAX);
+
+ if (-1 == ret || ret != (int) strlen(cn_buf))
+ {
+ die ("Unable to extract commonName\n");
+ }
+ if (strcasecmp(cn_buf, hostname))
+ {
+ verb ("V: commonName mismatch! Expected: %s - received: %s\n",
+ hostname, cn_buf);
+ } else {
+ verb ("V: commonName matched: %s\n", cn_buf);
+ ok = 1;
+ }
+
+ X509_NAME_free(xname);
+ X509_free(certificate);
+ xfree(cn_buf);
+
+ return ok;
+}
+
+/**
+ Search for a hostname match in the SubjectAlternativeNames.
+*/
+uint32_t
+check_san (SSL *ssl, const char *hostname)
+{
+ X509 *cert;
+ int extcount, ok = 0;
+ /* What an OpenSSL mess ... */
+ if (NULL == (cert = SSL_get_peer_certificate(ssl)))
+ {
+ die ("Getting certificate failed\n");
+ }
+
+ if ((extcount = X509_get_ext_count(cert)) > 0)
+ {
+ int i;
+ for (i = 0; i < extcount; ++i)
+ {
+ const char *extstr;
+ X509_EXTENSION *ext;
+ ext = X509_get_ext(cert, i);
+ extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
+
+ if (!strcmp(extstr, "subjectAltName"))
+ {
+
+ int j;
+ void *extvalstr;
+ const unsigned char *tmp;
+
+ STACK_OF(CONF_VALUE) *val;
+ CONF_VALUE *nval;
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ const
+#endif
+ X509V3_EXT_METHOD *method;
+
+ if (!(method = X509V3_EXT_get(ext)))
+ {
+ break;
+ }
+
+ tmp = ext->value->data;
+ if (method->it)
+ {
+ extvalstr = ASN1_item_d2i(NULL, &tmp, ext->value->length,
+ ASN1_ITEM_ptr(method->it));
+ } else {
+ extvalstr = method->d2i(NULL, &tmp, ext->value->length);
+ }
+
+ if (!extvalstr)
+ {
+ break;
+ }
+
+ if (method->i2v)
+ {
+ val = method->i2v(method, extvalstr, NULL);
+ for (j = 0; j < sk_CONF_VALUE_num(val); ++j)
+ {
+ nval = sk_CONF_VALUE_value(val, j);
+ if ((!strcasecmp(nval->name, "DNS") &&
+ !strcasecmp(nval->value, hostname) ) ||
+ (!strcasecmp(nval->name, "iPAddress") &&
+ !strcasecmp(nval->value, hostname)))
+ {
+ verb ("V: subjectAltName matched: %s, type: %s\n", nval->value, nval->name); /* We matched this; so it's safe to print */
+ ok = 1;
+ break;
+ }
+ // Attempt to match subjectAltName DNS names
+ if (!strcasecmp(nval->name, "DNS"))
+ {
+ ok = check_wildcard_match_rfc2595(hostname, nval->value);
+ if (ok)
+ {
+ break;
+ }
+ }
+ verb ("V: subjectAltName found but not matched: %s, type: %s\n", nval->value, nval->name); // XXX: Clean this string!
+ }
+ }
+ } else {
+ verb ("V: found non subjectAltName extension\n");
+ }
+ if (ok)
+ {
+ break;
+ }
+ }
+ } else {
+ verb ("V: no X509_EXTENSION field(s) found\n");
+ }
+ X509_free(cert);
+ return ok;
+}
+
+uint32_t
+check_name (SSL *ssl, const char *hostname)
+{
+ uint32_t ret;
+ ret = check_cn(ssl, hostname);
+ ret += check_san(ssl, hostname);
+ if (0 != ret && 0 < ret)
+ {
+ verb ("V: hostname verification passed\n");
+ } else {
+ die ("hostname verification failed for host %s!\n", host);
+ }
+ return ret;
+}
+#endif
+
+#ifdef USE_POLARSSL
+uint32_t
+verify_signature (ssl_context *ssl, const char *hostname)
+{
+ int ssl_verify_result;
+
+ ssl_verify_result = ssl_get_verify_result (ssl);
+ if (ssl_verify_result & BADCERT_EXPIRED)
+ {
+ die ("certificate has expired\n");
+ }
+ if (ssl_verify_result & BADCERT_REVOKED)
+ {
+ die ("certificate has been revoked\n");
+ }
+ if (ssl_verify_result & BADCERT_CN_MISMATCH)
+ {
+ die ("CN and subject AltName mismatch for certificate\n");
+ }
+ if (ssl_verify_result & BADCERT_NOT_TRUSTED)
+ {
+ die ("certificate is self-signed or not signed by a trusted CA\n");
+ }
+
+ if (0 == ssl_verify_result)
+ {
+ verb ("V: verify success\n");
+ }
+ else
+ {
+ die ("certificate verification error: -0x%04x\n", -ssl_verify_result);
+ }
+ return 0;
+}
+#else
+uint32_t
+verify_signature (SSL *ssl, const char *hostname)
+{
+ long ssl_verify_result;
+ X509 *certificate;
+
+ certificate = SSL_get_peer_certificate(ssl);
+ if (NULL == certificate)
+ {
+ die ("Getting certificate failed\n");
+ }
+ // In theory, we verify that the cert is valid
+ ssl_verify_result = SSL_get_verify_result(ssl);
+ switch (ssl_verify_result)
+ {
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ die ("certificate is self signed\n");
+ case X509_V_OK:
+ verb ("V: certificate verification passed\n");
+ break;
+ default:
+ die ("certification verification error: %ld\n",
+ ssl_verify_result);
+ }
+ return 0;
+}
+#endif
+
+#ifdef USE_POLARSSL
+void
+check_key_length (ssl_context *ssl)
+{
+ uint32_t key_bits;
+ const x509_cert *certificate;
+ const rsa_context *public_key;
+ char buf[1024];
+
+ certificate = ssl_get_peer_cert (ssl);
+ if (NULL == certificate)
+ {
+ die ("Getting certificate failed\n");
+ }
+
+ x509parse_dn_gets(buf, 1024, &certificate->subject);
+ verb ("V: Certificate for subject '%s'\n", buf);
+
+ public_key = &certificate->rsa;
+ if (NULL == public_key)
+ {
+ die ("public key extraction failure\n");
+ } else {
+ verb ("V: public key is ready for inspection\n");
+ }
+ key_bits = mpi_msb (&public_key->N);
+ if (MIN_PUB_KEY_LEN >= key_bits)
+ {
+ die ("Unsafe public key size: %d bits\n", key_bits);
+ } else {
+ verb ("V: key length appears safe\n");
+ }
+}
+#else
+void
+check_key_length (SSL *ssl)
+{
+ uint32_t key_bits;
+ X509 *certificate;
+ EVP_PKEY *public_key;
+ certificate = SSL_get_peer_certificate (ssl);
+ if (NULL == certificate)
+ {
+ die ("Getting certificate failed\n");
+ }
+ public_key = X509_get_pubkey (certificate);
+ if (NULL == public_key)
+ {
+ die ("public key extraction failure\n");
+ } else {
+ verb ("V: public key is ready for inspection\n");
+ }
+
+ key_bits = get_certificate_keybits (public_key);
+ if (MIN_PUB_KEY_LEN >= key_bits && public_key->type != EVP_PKEY_EC)
+ {
+ die ("Unsafe public key size: %d bits\n", key_bits);
+ } else {
+ if (public_key->type == EVP_PKEY_EC)
+ if(key_bits >= MIN_ECC_PUB_KEY_LEN
+ && key_bits <= MAX_ECC_PUB_KEY_LEN)
+ {
+ verb ("V: ECC key length appears safe\n");
+ } else {
+ die ("Unsafe ECC key size: %d bits\n", key_bits);
+ } else {
+ verb ("V: key length appears safe\n");
+ }
+ }
+ EVP_PKEY_free (public_key);
+}
+#endif
+
+#ifdef USE_POLARSSL
+void
+inspect_key (ssl_context *ssl, const char *hostname)
+{
+ verify_signature (ssl, hostname);
+
+ // ssl_get_verify_result() already checks for CN / subjectAltName match
+ // and reports the mismatch as error. So check_name() is not called
+}
+#else
+void
+inspect_key (SSL *ssl, const char *hostname)
+{
+
+ verify_signature (ssl, hostname);
+ check_name (ssl, hostname);
+}
+#endif
+
+#ifdef USE_POLARSSL
+void
+check_timestamp (uint32_t server_time)
+{
+ uint32_t compiled_time = RECENT_COMPILE_DATE;
+ uint32_t max_reasonable_time = MAX_REASONABLE_TIME;
+ if (compiled_time < server_time
+ &&
+ server_time < max_reasonable_time)
+ {
+ verb("V: remote peer provided: %d, preferred over compile time: %d\n",
+ server_time, compiled_time);
+ } else {
+ die("V: the remote server is a false ticker! server: %d compile: %d\n",
+ server_time, compiled_time);
+ }
+}
+
+static int ssl_do_handshake_part(ssl_context *ssl)
+{
+ int ret = 0;
+
+ /* Only do steps till ServerHello is received */
+ while (ssl->state != SSL_SERVER_HELLO)
+ {
+ ret = ssl_handshake_step (ssl);
+ if (0 != ret)
+ {
+ die("SSL handshake failed\n");
+ }
+ }
+ /* Do ServerHello so we can skim the timestamp */
+ ret = ssl_handshake_step (ssl);
+ if (0 != ret)
+ {
+ die("SSL handshake failed\n");
+ }
+
+ return 0;
+}
+
+/**
+ * Run SSL handshake and store the resulting time value in the
+ * 'time_map'.
+ *
+ * @param time_map where to store the current time
+ */
+static void
+run_ssl (uint32_t *time_map, int time_is_an_illusion)
+{
+ entropy_context entropy;
+ ctr_drbg_context ctr_drbg;
+ ssl_context ssl;
+ proxy_polarssl_ctx proxy_ctx;
+ x509_cert cacert;
+ struct stat statbuf;
+ int ret = 0, server_fd = 0;
+ char *pers = "tlsdate-helper";
+
+ memset (&ssl, 0, sizeof(ssl_context));
+ memset (&cacert, 0, sizeof(x509_cert));
+
+ verb("V: Using PolarSSL for SSL\n");
+ if (ca_racket)
+ {
+ if (-1 == stat (ca_cert_container, &statbuf))
+ {
+ die("Unable to stat CA certficate container %s\n", ca_cert_container);
+ }
+ else
+ {
+ switch (statbuf.st_mode & S_IFMT)
+ {
+ case S_IFREG:
+ if (0 > x509parse_crtfile(&cacert, ca_cert_container))
+ fprintf(stderr, "x509parse_crtfile failed\n");
+ break;
+ case S_IFDIR:
+ if (0 > x509parse_crtpath(&cacert, ca_cert_container))
+ fprintf(stderr, "x509parse_crtpath failed\n");
+ break;
+ default:
+ die("Unable to load CA certficate container %s\n", ca_cert_container);
+ }
+ }
+ }
+
+ entropy_init (&entropy);
+ if (0 != ctr_drbg_init (&ctr_drbg, entropy_func, &entropy,
+ (unsigned char *) pers, strlen(pers)))
+ {
+ die("Failed to initialize CTR_DRBG\n");
+ }
+
+ if (0 != ssl_init (&ssl))
+ {
+ die("SSL initialization failed\n");
+ }
+ ssl_set_endpoint (&ssl, SSL_IS_CLIENT);
+ ssl_set_rng (&ssl, ctr_drbg_random, &ctr_drbg);
+ ssl_set_ca_chain (&ssl, &cacert, NULL, hostname_to_verify);
+ if (ca_racket)
+ {
+ // You can do SSL_VERIFY_REQUIRED here, but then the check in
+ // inspect_key() never happens as the ssl_handshake() will fail.
+ ssl_set_authmode (&ssl, SSL_VERIFY_OPTIONAL);
+ }
+
+ if (proxy)
+ {
+ char *scheme;
+ char *proxy_host;
+ char *proxy_port;
+
+ parse_proxy_uri (proxy, &scheme, &proxy_host, &proxy_port);
+
+ verb("V: opening socket to proxy %s:%s\n", proxy_host, proxy_port);
+ if (0 != net_connect (&server_fd, proxy_host, atoi(proxy_port)))
+ {
+ die ("SSL connection failed\n");
+ }
+
+ proxy_polarssl_init (&proxy_ctx);
+ proxy_polarssl_set_bio (&proxy_ctx, net_recv, &server_fd, net_send, &server_fd);
+ proxy_polarssl_set_host (&proxy_ctx, host);
+ proxy_polarssl_set_port (&proxy_ctx, atoi(port));
+ proxy_polarssl_set_scheme (&proxy_ctx, scheme);
+
+ ssl_set_bio (&ssl, proxy_polarssl_recv, &proxy_ctx, proxy_polarssl_send, &proxy_ctx);
+
+ verb("V: Handle proxy connection\n");
+ if (0 == proxy_ctx.f_connect (&proxy_ctx))
+ die("Proxy connection failed\n");
+ }
+ else
+ {
+ verb("V: opening socket to %s:%s\n", host, port);
+ if (0 != net_connect (&server_fd, host, atoi(port)))
+ {
+ die ("SSL connection failed\n");
+ }
+
+ ssl_set_bio (&ssl, net_recv, &server_fd, net_send, &server_fd);
+ }
+
+ verb("V: starting handshake\n");
+ if (0 != ssl_do_handshake_part (&ssl))
+ die("SSL handshake first part failed\n");
+
+ uint32_t timestamp = ( (uint32_t) ssl.in_msg[6] << 24 )
+ | ( (uint32_t) ssl.in_msg[7] << 16 )
+ | ( (uint32_t) ssl.in_msg[8] << 8 )
+ | ( (uint32_t) ssl.in_msg[9] );
+ check_timestamp (timestamp);
+
+ verb("V: continuing handshake\n");
+ /* Continue with handshake */
+ while (0 != (ret = ssl_handshake (&ssl)))
+ {
+ if (POLARSSL_ERR_NET_WANT_READ != ret &&
+ POLARSSL_ERR_NET_WANT_WRITE != ret)
+ {
+ die("SSL handshake failed\n");
+ }
+ }
+
+ // Verify the peer certificate against the CA certs on the local system
+ if (ca_racket) {
+ inspect_key (&ssl, hostname_to_verify);
+ } else {
+ verb ("V: Certificate verification skipped!\n");
+ }
+ check_key_length (&ssl);
+
+ memcpy (time_map, ×tamp, sizeof(uint32_t));
+ proxy_polarssl_free (&proxy_ctx);
+ ssl_free (&ssl);
+ x509_free (&cacert);
+}
+#else /* USE_POLARSSL */
+/**
+ * Run SSL handshake and store the resulting time value in the
+ * 'time_map'.
+ *
+ * @param time_map where to store the current time
+ */
+static void
+run_ssl (uint32_t *time_map, int time_is_an_illusion)
+{
+ BIO *s_bio;
+ SSL_CTX *ctx;
+ SSL *ssl;
+ struct stat statbuf;
+
+ SSL_load_error_strings();
+ SSL_library_init();
+
+ ctx = NULL;
+ if (0 == strcmp("sslv23", protocol))
+ {
+ verb ("V: using SSLv23_client_method()\n");
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ } else if (0 == strcmp("sslv3", protocol))
+ {
+ verb ("V: using SSLv3_client_method()\n");
+ ctx = SSL_CTX_new(SSLv3_client_method());
+ } else if (0 == strcmp("tlsv1", protocol))
+ {
+ verb ("V: using TLSv1_client_method()\n");
+ ctx = SSL_CTX_new(TLSv1_client_method());
+ } else
+ die("Unsupported protocol `%s'\n", protocol);
+
+ if (ctx == NULL)
+ die("OpenSSL failed to support protocol `%s'\n", protocol);
+
+ verb("V: Using OpenSSL for SSL\n");
+ if (ca_racket)
+ {
+ if (-1 == stat(ca_cert_container, &statbuf))
+ {
+ die("Unable to stat CA certficate container %s\n", ca_cert_container);
+ } else
+ {
+ switch (statbuf.st_mode & S_IFMT)
+ {
+ case S_IFREG:
+ if (1 != SSL_CTX_load_verify_locations(ctx, ca_cert_container, NULL))
+ fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
+ break;
+ case S_IFDIR:
+ if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
+ fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
+ break;
+ default:
+ if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
+ {
+ fprintf(stderr, "SSL_CTX_load_verify_locations failed\n");
+ die("Unable to load CA certficate container %s\n", ca_cert_container);
+ }
+ }
+ }
+ }
+
+ if (NULL == (s_bio = make_ssl_bio(ctx)))
+ die ("SSL BIO setup failed\n");
+ BIO_get_ssl(s_bio, &ssl);
+ if (NULL == ssl)
+ die ("SSL setup failed\n");
+
+ if (time_is_an_illusion)
+ {
+ SSL_set_info_callback(ssl, openssl_time_callback);
+ }
+
+ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ verb("V: opening socket to %s:%s\n", host, port);
+ if ( (1 != BIO_set_conn_hostname(s_bio, host)) ||
+ (1 != BIO_set_conn_port(s_bio, port)) )
+ die ("Failed to initialize connection to `%s:%s'\n", host, port);
+
+ if (NULL == BIO_new_fp(stdout, BIO_NOCLOSE))
+ die ("BIO_new_fp returned error, possibly: %s", strerror(errno));
+
+ // This should run in seccomp
+ // eg: prctl(PR_SET_SECCOMP, 1);
+ if (1 != BIO_do_connect(s_bio)) /* XXX TODO: BIO_should_retry() later? */
+ die ("SSL connection failed\n");
+ if (1 != BIO_do_handshake(s_bio))
+ die ("SSL handshake failed\n");
+
+ // Verify the peer certificate against the CA certs on the local system
+ if (ca_racket) {
+ inspect_key (ssl, hostname_to_verify);
+ } else {
+ verb ("V: Certificate verification skipped!\n");
+ }
+ check_key_length(ssl);
+ // from /usr/include/openssl/ssl3.h
+ // ssl->s3->server_random is an unsigned char of 32 bits
+ memcpy(time_map, ssl->s3->server_random, sizeof (uint32_t));
+ SSL_free(ssl);
+ SSL_CTX_free(ctx);
+}
+#endif /* USE_POLARSSL */
+/** drop root rights and become 'nobody' */
+
+int
+main(int argc, char **argv)
+{
+ uint32_t *time_map;
+ struct tlsdate_time start_time, end_time, warp_time;
+ int status;
+ pid_t ssl_child;
+ long long rt_time_ms;
+ uint32_t server_time_s;
+ int setclock;
+ int showtime;
+ int timewarp;
+ int leap;
+
+ if (argc != 12)
+ return 1;
+ host = argv[1];
+ hostname_to_verify = argv[1];
+ port = argv[2];
+ protocol = argv[3];
+ ca_cert_container = argv[6];
+ ca_racket = (0 != strcmp ("unchecked", argv[4]));
+ verbose = (0 != strcmp ("quiet", argv[5]));
+ setclock = (0 == strcmp ("setclock", argv[7]));
+ showtime = (0 == strcmp ("showtime", argv[8]));
+ timewarp = (0 == strcmp ("timewarp", argv[9]));
+ leap = (0 == strcmp ("leapaway", argv[10]));
+ proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]);
+
+ if (timewarp)
+ {
+
+ verb ("V: RECENT_COMPILE_DATE is %lu.%06lu\n",
+ (unsigned long) CLOCK_SEC(&warp_time),
+ (unsigned long) CLOCK_USEC(&warp_time));
+
+ if (1 == setclock) {
+ clock_init_time(&warp_time, RECENT_COMPILE_DATE, 0);
+ } else {
+ verb ("V: we'll do the time warp another time - we're not setting clock\n");
+ }
+ }
+
+ /* We are not going to set the clock, thus no need to stay root */
+ if (0 == setclock && 0 == timewarp)
+ {
+ drop_privs_to (UNPRIV_USER, UNPRIV_GROUP, NULL);
+ }
+/*
+ XXX: KILL ME
+ // We cast the mmap value to remove this error when compiling with g++:
+ // src/tlsdate-helper.c: In function ‘int main(int, char**)’:
+ // src/tlsdate-helper.c:822:41: error: invalid conversion from ‘void*’ to ‘uint32_t
+ time_map = (uint32_t *) mmap (NULL, sizeof (uint32_t),
+ PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (MAP_FAILED == time_map)
+ {
+ fprintf (stderr, "mmap failed: %s\n",
+ strerror (errno));
+ return 1;
+ }
+*/
+ /* Get the current time from the system clock. */
+ if (0 != clock_get_real_time(&start_time))
+ {
+ die ("Failed to read current time of day: %s\n", strerror (errno));
+ }
+
+ verb ("V: time is currently %lu.%06lu\n",
+ (unsigned long) CLOCK_SEC(&start_time),
+ (unsigned long) CLOCK_NSEC(&start_time));
+
+ if (((unsigned long) CLOCK_SEC(&start_time)) < ((unsigned long) CLOCK_SEC(&warp_time)))
+ {
+ verb ("V: local clock time is less than RECENT_COMPILE_DATE\n");
+ if (timewarp)
+ {
+ verb ("V: Attempting to warp local clock into the future\n");
+ if (0 != clock_set_real_time(&warp_time))
+ {
+ die ("setting time failed: %s (Attempted to set clock to %lu.%06lu)\n",
+ strerror (errno),
+ (unsigned long) CLOCK_SEC(&warp_time),
+ (unsigned long) CLOCK_SEC(&warp_time));
+ }
+ if (0 != clock_get_real_time(&start_time))
+ {
+ die ("Failed to read current time of day: %s\n", strerror (errno));
+ }
+ verb ("V: time is currently %lu.%06lu\n",
+ (unsigned long) CLOCK_SEC(&start_time),
+ (unsigned long) CLOCK_NSEC(&start_time));
+ verb ("V: It's just a step to the left...\n");
+ }
+ } else {
+ verb ("V: time is greater than RECENT_COMPILE_DATE\n");
+ }
+
+ /* initialize to bogus value, just to be on the safe side */
+ *time_map = 0;
+
+ /* Run SSL interaction in separate process (and not as 'root') */
+ ssl_child = fork ();
+ if (-1 == ssl_child)
+ die ("fork failed: %s\n", strerror (errno));
+ if (0 == ssl_child)
+ {
+ drop_privs_to (UNPRIV_USER, UNPRIV_GROUP, NULL);
+ run_ssl (time_map, leap);
+ /*
+ XXX: should be a pipe close
+ (void) munmap (time_map, sizeof (uint32_t));
+ */
+ _exit (0);
+ }
+ if (ssl_child != waitpid (ssl_child, &status, 0))
+ die ("waitpid failed: %s\n", strerror (errno));
+ if (! (WIFEXITED (status) && (0 == WEXITSTATUS (status)) ))
+ die ("child process failed in SSL handshake\n");
+
+ if (0 != clock_get_real_time(&end_time))
+ die ("Failed to read current time of day: %s\n", strerror (errno));
+
+ /* calculate RTT */
+ rt_time_ms = (CLOCK_SEC(&end_time) - CLOCK_SEC(&start_time)) * 1000 + (CLOCK_USEC(&end_time) - CLOCK_USEC(&start_time)) / 1000;
+ if (rt_time_ms < 0)
+ rt_time_ms = 0; /* non-linear time... */
+#ifdef USE_POLARSSL
+ server_time_s = *time_map;
+#else
+ server_time_s = ntohl (*time_map);
+#endif
+ /*
+ XXX: should be a pipe close
+ munmap (time_map, sizeof (uint32_t));
+ */
+ verb ("V: server time %u (difference is about %d s) was fetched in %lld ms\n",
+ (unsigned int) server_time_s,
+ CLOCK_SEC(&start_time) - server_time_s,
+ rt_time_ms);
+
+ /* warning if the handshake took too long */
+ if (rt_time_ms > TLS_RTT_THRESHOLD) {
+ verb ("V: the TLS handshake took more than %d msecs - consider using a different " \
+ "server or run it again\n", TLS_RTT_THRESHOLD);
+ }
+
+ if (showtime)
+ {
+ struct tm ltm;
+ time_t tim = server_time_s;
+ char buf[256];
+
+ localtime_r(&tim, <m);
+ if (0 == strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y", <m))
+ {
+ die ("strftime returned 0\n");
+ }
+ fprintf(stdout, "%s\n", buf);
+ }
+
+ /* finally, actually set the time */
+ if (setclock)
+ {
+ struct tlsdate_time server_time;
+
+ clock_init_time(&server_time, server_time_s + (rt_time_ms / 2 / 1000),
+ (rt_time_ms / 2) % 1000);
+
+ // We should never receive a time that is before the time we were last
+ // compiled; we subscribe to the linear theory of time for this program
+ // and this program alone!
+ if (CLOCK_SEC(&server_time) >= MAX_REASONABLE_TIME)
+ die("remote server is a false ticker from the future!\n");
+ if (CLOCK_SEC(&server_time) <= RECENT_COMPILE_DATE)
+ die ("remote server is a false ticker!\n");
+ if (0 != clock_set_real_time(&server_time))
+ die ("setting time failed: %s (Difference from server is about %d s)\n",
+ strerror (errno),
+ CLOCK_SEC(&start_time) - server_time_s);
+ verb ("V: setting time succeeded\n");
+ }
+ return 0;
+}
diff --git a/tlsdate/src/tlsdate-helper-plan9.h b/tlsdate/src/tlsdate-helper-plan9.h
new file mode 100644
index 0000000..4838ed6
--- /dev/null
+++ b/tlsdate/src/tlsdate-helper-plan9.h
@@ -0,0 +1,118 @@
+/* Copyright (c) 2012, Jacob Appelbaum
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file tlsdate-helper.h
+ * \brief The secondary header for our clock helper.
+ **/
+
+#ifndef TLSDATEHELPER_H
+#define TLSDATEHELPER_H
+
+#include <stdarg.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <pwd.h>
+#include <grp.h>
+#include <arpa/inet.h>
+#include <ctype.h>
+
+#ifndef USE_POLARSSL
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#endif
+
+int verbose;
+
+#include "src/util.h"
+
+/** Name of user that we feel safe to run SSL handshake with. */
+#ifndef UNPRIV_USER
+#define UNPRIV_USER "nobody"
+#endif
+#ifndef UNPRIV_GROUP
+#define UNPRIV_GROUP "nogroup"
+#endif
+
+// We should never accept a time before we were compiled
+// We measure in seconds since the epoch - eg: echo `date '+%s'`
+// We set this manually to ensure others can reproduce a build;
+// automation of this will make every build different!
+#ifndef RECENT_COMPILE_DATE
+#define RECENT_COMPILE_DATE (uint32_t) 1342323666
+#endif
+
+#ifndef MAX_REASONABLE_TIME
+#define MAX_REASONABLE_TIME (uint32_t) 1999991337
+#endif
+
+#ifndef MIN_PUB_KEY_LEN
+#define MIN_PUB_KEY_LEN (uint32_t) 1023
+#endif
+
+#ifndef MIN_ECC_PUB_KEY_LEN
+#define MIN_ECC_PUB_KEY_LEN (uint32_t) 160
+#endif
+
+#ifndef MAX_ECC_PUB_KEY_LEN
+#define MAX_ECC_PUB_KEY_LEN (uint32_t) 521
+#endif
+// After the duration of the TLS handshake exceeds this threshold
+// (in msec), a warning is printed.
+#define TLS_RTT_THRESHOLD 2000
+
+// RFC 5280 says...
+// ub-common-name-length INTEGER ::= 64
+#define MAX_CN_NAME_LENGTH 64
+
+// RFC 1034 and posix say...
+#define TLSDATE_HOST_NAME_MAX 255
+
+// To support our RFC 2595 wildcard verification
+#define RFC2595_MIN_LABEL_COUNT 3
+
+static int ca_racket;
+
+static const char *host;
+
+static const char *hostname_to_verify;
+
+static const char *port;
+
+static const char *protocol;
+
+static char *proxy;
+
+static const char *ca_cert_container;
+#ifndef USE_POLARSSL
+void openssl_time_callback (const SSL* ssl, int where, int ret);
+uint32_t get_certificate_keybits (EVP_PKEY *public_key);
+uint32_t check_cn (SSL *ssl, const char *hostname);
+uint32_t check_san (SSL *ssl, const char *hostname);
+long openssl_check_against_host_and_verify (SSL *ssl);
+uint32_t check_name (SSL *ssl, const char *hostname);
+uint32_t verify_signature (SSL *ssl, const char *hostname);
+void check_key_length (SSL *ssl);
+void inspect_key (SSL *ssl, const char *hostname);
+void check_key_length (SSL *ssl);
+void inspect_key (SSL *ssl, const char *hostname);
+#endif
+uint32_t dns_label_count (char *label, char *delim);
+uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
+ const char *orig_cert_wild_card);
+static void run_ssl (uint32_t *time_map, int time_is_an_illusion);
+
+#endif
diff --git a/tlsdate/src/tlsdate-helper.c b/tlsdate/src/tlsdate-helper.c
new file mode 100644
index 0000000..3960458
--- /dev/null
+++ b/tlsdate/src/tlsdate-helper.c
@@ -0,0 +1,1424 @@
+/* Copyright (c) 2012, Jacob Appelbaum.
+ * Copyright (c) 2012, The Tor Project, Inc.
+ * Copyright (c) 2012, Christian Grothoff. */
+/* See LICENSE for licensing information */
+/*
+ This file contains the license for tlsdate,
+ a free software project to set your system clock securely.
+
+ It also lists the licenses for other components used by tlsdate.
+
+ For more information about tlsdate, see https://github.com/ioerror/tlsdate
+
+ If you got this file as a part of a larger bundle,
+ there may be other license terms that you should be aware of.
+
+===============================================================================
+tlsdate is distributed under this license:
+
+Copyright (c) 2011-2012, Jacob Appelbaum <jacob@appelbaum.net>
+Copyright (c) 2011-2012, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+ * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
+If you got tlsdate as a static binary with OpenSSL included, then you should
+know:
+
+ "This product includes software developed by the OpenSSL Project for use in
+ the OpenSSL Toolkit (http://www.openssl.org/)"
+
+===============================================================================
+*/
+
+/**
+ * \file tlsdate-helper.c
+ * \brief Helper program that does the actual work of setting the system clock.
+ **/
+
+/*
+ * tlsdate is a tool for setting the system clock by hand or by communication
+ * with the network. It does not set the RTC. It is designed to be as secure as
+ * TLS (RFC 2246) but of course the security of TLS is often reduced to
+ * whichever CA racket you believe is trustworthy. By default, tlsdate trusts
+ * your local CA root store - so any of these companies could assist in a MITM
+ * attack against you and you'd be screwed.
+
+ * This tool is designed to be run by hand or as a system daemon. It must be
+ * run as root or otherwise have the proper caps; it will not be able to set
+ * the system time without running as root or another privileged user.
+ */
+
+#include "config.h"
+#include "src/tlsdate-helper.h"
+#include "src/util.h"
+
+#ifndef USE_POLARSSL
+#include "src/proxy-bio.h"
+#else
+#include "src/proxy-polarssl.h"
+#endif
+
+#include "src/compat/clock.h"
+
+#ifndef MAP_ANONYMOUS
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+
+#ifdef USE_POLARSSL
+#include "polarssl/entropy.h"
+#include "polarssl/ctr_drbg.h"
+#include "polarssl/ssl.h"
+#endif
+
+static void
+validate_proxy_scheme(const char *scheme)
+{
+ if (!strcmp(scheme, "http"))
+ return;
+ if (!strcmp(scheme, "socks4"))
+ return;
+ if (!strcmp(scheme, "socks5"))
+ return;
+ die("invalid proxy scheme");
+}
+
+static void
+validate_proxy_host(const char *host)
+{
+ const char *kValid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789"
+ ".-";
+ if (strspn(host, kValid) != strlen(host))
+ die("invalid char in host");
+}
+
+static void
+validate_proxy_port(const char *port)
+{
+ while (*port)
+ if (!isdigit((int)(unsigned char)*port++))
+ die("invalid char in port");
+}
+
+static void
+parse_proxy_uri(char *proxy, char **scheme, char **host, char **port)
+{
+ /* Expecting a URI, so: <scheme> '://' <host> ':' <port> */
+ *scheme = proxy;
+ proxy = strstr(proxy, "://");
+ if (!proxy)
+ die("malformed proxy URI");
+ *proxy = '\0'; /* terminate scheme string */
+ proxy += strlen("://");
+
+ *host = proxy;
+ proxy = strchr(proxy, ':');
+ if (!proxy)
+ die("malformed proxy URI");
+ *proxy++ = '\0';
+
+ *port = proxy;
+
+ validate_proxy_scheme(*scheme);
+ validate_proxy_host(*host);
+ validate_proxy_port(*port);
+}
+
+#ifndef USE_POLARSSL
+static void
+setup_proxy(BIO *ssl)
+{
+ BIO *bio;
+ char *scheme;
+ char *proxy_host;
+ char *proxy_port;
+
+ if (!proxy)
+ return;
+ /*
+ * grab the proxy's host and port out of the URI we have for it. We want the
+ * underlying connect BIO to connect to this, not the target host and port, so
+ * we squirrel away the target host and port in the proxy BIO (as the proxy
+ * target) and swap out the connect BIO's target host and port so it'll
+ * connect to the proxy instead.
+ */
+ parse_proxy_uri(proxy, &scheme, &proxy_host, &proxy_port);
+ bio = BIO_new_proxy();
+ BIO_proxy_set_type(bio, scheme);
+ BIO_proxy_set_host(bio, host);
+ BIO_proxy_set_port(bio, atoi(port));
+ host = proxy_host;
+ port = proxy_port;
+ BIO_push(ssl, bio);
+}
+
+static int
+write_all_to_ssl(SSL *ssl, const char *string)
+{
+ int n = (int) strlen(string);
+ int r;
+
+ while (n) {
+ r = SSL_write(ssl, string, n);
+ if (r > 0) {
+ if (r > n)
+ return -1;
+ n -= r;
+ string += r;
+ } else {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+/* If the string is all nice clean ascii that it's safe to log, return
+ * it. Otherwise return a placeholder "This is junk" string. */
+static const char *
+sanitize_string(const char *s)
+{
+ const unsigned char *cp;
+ for (cp = (const unsigned char *)s; *cp; cp++) {
+ if (*cp < 32 || *cp >= 127)
+ return "string with invalid characters";
+ }
+ return s;
+}
+
+static int
+handle_date_line(const char *dateline, uint32_t *result)
+{
+ int year,mon,day,hour,min,sec;
+ char month[4];
+ struct tm tm;
+ int i;
+ time_t t;
+ /* We recognize the three formats in RFC2616, section 3.3.1. Month
+ names are always in English. The formats are:
+
+ Sun, 06 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123
+ Sunday, 06-Nov-94 08:49:37 GMT ; RFC 850, obsoleted by RFC 1036
+ Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format
+
+ Note that the first is preferred.
+ */
+
+ static const char *MONTHS[] =
+ { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec", NULL };
+
+ if (strncmp("\r\nDate: ", dateline, 8))
+ return 0;
+
+ dateline += 8;
+ if (strlen(dateline) > MAX_DATE_LINE_LEN) {
+ verb("V: The date line was impossibly long.");
+ return -1;
+ }
+ verb("V: The alleged date is <%s>", sanitize_string(dateline));
+
+ while (*dateline == ' ')
+ ++dateline;
+ while (*dateline && *dateline != ' ')
+ ++dateline;
+ while (*dateline == ' ')
+ ++dateline;
+ /* We just skipped over the day of the week. Now we have:*/
+ if (sscanf(dateline, "%d %3s %d %d:%d:%d",
+ &day, month, &year, &hour, &min, &sec) == 6 ||
+ sscanf(dateline, "%d-%3s-%d %d:%d:%d",
+ &day, month, &year, &hour, &min, &sec) == 6 ||
+ sscanf(dateline, "%3s %d %d:%d:%d %d",
+ month, &day, &hour, &min, &sec, &year) == 6) {
+
+ /* Two digit dates are defined to be relative to 1900; all other dates
+ * are supposed to be represented as four digits. */
+ if (year < 100)
+ year += 1900;
+
+ verb("V: Parsed the date: %04d-%s-%02d %02d:%02d:%02d",
+ year, month, day, hour, min, sec);
+ } else {
+ verb("V: Couldn't parse date.");
+ return -1;
+ }
+
+ for (i = 0; ; ++i) {
+ if (!MONTHS[i])
+ return -2;
+ if (!strcmp(month, MONTHS[i])) {
+ mon = i;
+ break;
+ }
+ }
+
+ memset(&tm, 0, sizeof(tm));
+ tm.tm_year = year - 1900;
+ tm.tm_mon = mon;
+ tm.tm_mday = day;
+ tm.tm_hour = hour;
+ tm.tm_min = min;
+ tm.tm_sec = sec;
+
+ t = timegm(&tm);
+ if (t > ((time_t) 0xffffffff) || t < 0)
+ return -1;
+
+ *result = (uint32_t) t;
+
+ return 1;
+}
+
+static int
+read_http_date_from_ssl(SSL *ssl, uint32_t *result)
+{
+ int n;
+ char buf[MAX_HTTP_HEADERS_SIZE];
+ size_t buf_len=0;
+ char *dateline, *endofline;
+
+ while (buf_len < sizeof(buf)-1) {
+ n = SSL_read(ssl, buf+buf_len, sizeof(buf)-buf_len-1);
+ if (n <= 0)
+ return 0;
+ buf_len += n;
+ buf[buf_len] = 0;
+ verb_debug ("V: read %d bytes.", n, buf);
+
+ dateline = memmem(buf, buf_len, "\r\nDate: ", 8);
+ if (NULL == dateline)
+ continue;
+
+ endofline = memmem(dateline+2, buf_len - (dateline-buf+2), "\r\n", 2);
+ if (NULL == endofline)
+ continue;
+
+ *endofline = 0;
+ return handle_date_line(dateline, result);
+ }
+ return -2;
+}
+
+/** helper function for 'malloc' */
+static void *
+xmalloc (size_t size)
+{
+ void *ptr;
+
+ if (0 == size)
+ die("xmalloc: zero size");
+
+ ptr = malloc(size);
+ if (NULL == ptr)
+ die("xmalloc: out of memory (allocating %zu bytes)", size);
+
+ return ptr;
+}
+
+
+/** helper function for 'free' */
+static void
+xfree (void *ptr)
+{
+ if (NULL == ptr)
+ die("xfree: NULL pointer given as argument");
+
+ free(ptr);
+}
+
+static int
+verify_with_server_time (X509_STORE_CTX *store_ctx, void *arg)
+{
+ SSL *ssl = X509_STORE_CTX_get_ex_data(
+ store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ // XXX TODO: If we want to trust the remote system for time,
+ // can we just read that time out of the remote system and if the
+ // cert verifies, decide that the time is reasonable?
+ // Such a process seems to indicate that a once valid cert would be
+ // forever valid - we stopgap that by ensuring it isn't less than
+ // the latest compiled_time and isn't above max_reasonable_time...
+ // XXX TODO: Solve eternal question about the Chicken and the Egg...
+ uint32_t compiled_time = RECENT_COMPILE_DATE;
+ uint32_t max_reasonable_time = MAX_REASONABLE_TIME;
+ uint32_t server_time;
+ verb("V: freezing time for x509 verification");
+ SSL_get_server_random(ssl, (unsigned char*)&server_time, sizeof(uint32_t));
+ if (compiled_time < ntohl(server_time)
+ &&
+ ntohl(server_time) < max_reasonable_time)
+ {
+ verb("V: remote peer provided: %d, preferred over compile time: %d",
+ ntohl(server_time), compiled_time);
+ verb("V: freezing time with X509_VERIFY_PARAM_set_time");
+ X509_STORE_CTX_set_time(store_ctx, 0, (time_t) ntohl(server_time) + 86400);
+ } else {
+ die("V: the remote server is a false ticker! server: %d compile: %d",
+ ntohl(server_time), compiled_time);
+ }
+
+ return X509_verify_cert(store_ctx);
+}
+
+static const char *
+key_type_to_str (int key_type)
+{
+ switch (key_type)
+ {
+ case EVP_PKEY_RSA:
+ return "EVP_PKEY_RSA";
+ case EVP_PKEY_RSA2:
+ return "EVP_PKEY_RSA2";
+ case EVP_PKEY_DSA:
+ return "EVP_PKEY_DSA";
+#if defined(EVP_PKEY_DSA1)
+ case EVP_PKEY_DSA1:
+ return "EVP_PKEY_DSA1";
+#endif /* EVP_PKEY_DSA1 */
+#if defined(EVP_PKEY_DSA2)
+ case EVP_PKEY_DSA2:
+ return "EVP_PKEY_DSA2";
+#endif /* EVP_PKEY_DSA2 */
+#if defined(EVP_PKEY_DSA3)
+ case EVP_PKEY_DSA3:
+ return "EVP_PKEY_DSA3";
+#endif /* EVP_PKEY_DSA3 */
+#if defined(EVP_PKEY_DSA4)
+ case EVP_PKEY_DSA4:
+ return "EVP_PKEY_DSA4";
+#endif /* EVP_PKEY_DSA4 */
+ case EVP_PKEY_DH:
+ return "EVP_PKEY_DH";
+ case EVP_PKEY_EC:
+ return "EVP_PKEY_EC";
+ // Should we also care about EVP_PKEY_HMAC and EVP_PKEY_CMAC?
+ default:
+ return NULL;
+ }
+ return NULL;
+}
+
+uint32_t
+get_certificate_keybits (EVP_PKEY *public_key)
+{
+ /*
+ In theory, we could use check_bitlen_dsa() and check_bitlen_rsa()
+ */
+ uint32_t key_bits;
+ const char *key_type_str;
+
+ key_type_str = key_type_to_str(public_key->type);
+ if (key_type_str)
+ verb("V: key type: %s", key_type_str);
+ else
+ verb("V: key type: %d", public_key->type);
+
+ key_bits = EVP_PKEY_bits(public_key);
+ if (0 == key_bits)
+ die ("unknown public key type");
+ verb ("V: keybits: %d", key_bits);
+ return key_bits;
+}
+
+uint32_t
+dns_label_count(char *label, char *delim)
+{
+ char *label_tmp;
+ char *saveptr;
+ char *saveptr_tmp;
+ uint32_t label_count;
+
+ label_tmp = strdup(label);
+ label_count = 0;
+ saveptr = NULL;
+ saveptr_tmp = NULL;
+ saveptr = strtok_r(label_tmp, delim, &saveptr);
+ if (NULL != saveptr)
+ {
+ // Did we find our first label?
+ if (saveptr[0] != delim[0])
+ {
+ label_count++;
+ }
+ do
+ {
+ // Find all subsequent labels
+ label_count++;
+ saveptr_tmp = strtok_r(NULL, delim, &saveptr);
+ } while (NULL != saveptr_tmp);
+ }
+ verb_debug ("V: label found; total label count: %d", label_count);
+ free(label_tmp);
+ return label_count;
+}
+
+// first we split strings on '.'
+// then we call each split string a 'label'
+// Do not allow '*' for the top level domain label; eg never allow *.*.com
+// Do not allow '*' for subsequent subdomains; eg never allow *.foo.example.com
+// Do allow *.example.com
+uint32_t
+check_wildcard_match_rfc2595 (const char *orig_hostname,
+ const char *orig_cert_wild_card)
+{
+ char *hostname;
+ char *hostname_to_free;
+ char *cert_wild_card;
+ char *cert_wild_card_to_free;
+ char *expected_label;
+ char *wildcard_label;
+ char *delim;
+ char *wildchar;
+ uint32_t ok;
+ uint32_t wildcard_encountered;
+ uint32_t label_count;
+
+ // First we copy the original strings
+ hostname = strndup(orig_hostname, strlen(orig_hostname));
+ cert_wild_card = strndup(orig_cert_wild_card, strlen(orig_cert_wild_card));
+ hostname_to_free = hostname;
+ cert_wild_card_to_free = cert_wild_card;
+ delim = strdup(".");
+ wildchar = strdup("*");
+
+ verb_debug ("V: Inspecting '%s' for possible wildcard match against '%s'",
+ hostname, cert_wild_card);
+
+ // By default we have not processed any labels
+ label_count = dns_label_count(cert_wild_card, delim);
+
+ // By default we have no match
+ ok = 0;
+ wildcard_encountered = 0;
+ // First - do we have labels? If not, we refuse to even try to match
+ if ((NULL != strpbrk(cert_wild_card, delim)) &&
+ (NULL != strpbrk(hostname, delim)) &&
+ (label_count <= ((uint32_t)RFC2595_MIN_LABEL_COUNT)))
+ {
+ if (wildchar[0] == cert_wild_card[0])
+ {
+ verb_debug ("V: Found wildcard in at start of provided certificate name");
+ do
+ {
+ // Skip over the bytes between the first char and until the next label
+ wildcard_label = strsep(&cert_wild_card, delim);
+ expected_label = strsep(&hostname, delim);
+ if (NULL != wildcard_label &&
+ NULL != expected_label &&
+ NULL != hostname &&
+ NULL != cert_wild_card)
+ {
+ // Now we only consider this wildcard valid if the rest of the
+ // hostnames match verbatim
+ verb_debug ("V: Attempting match of '%s' against '%s'",
+ expected_label, wildcard_label);
+ // This is the case where we have a label that begins with wildcard
+ // Furthermore, we only allow this for the first label
+ if (wildcard_label[0] == wildchar[0] &&
+ 0 == wildcard_encountered && 0 == ok)
+ {
+ verb ("V: Forced match of '%s' against '%s'", expected_label, wildcard_label);
+ wildcard_encountered = 1;
+ } else {
+ verb_debug ("V: Attempting match of '%s' against '%s'",
+ hostname, cert_wild_card);
+ if (0 == strcasecmp (expected_label, wildcard_label) &&
+ label_count >= ((uint32_t)RFC2595_MIN_LABEL_COUNT))
+ {
+ ok = 1;
+ verb_debug ("V: remaining labels match!");
+ break;
+ } else {
+ ok = 0;
+ verb_debug ("V: remaining labels do not match!");
+ break;
+ }
+ }
+ } else {
+ // We hit this case when we have a mismatched number of labels
+ verb_debug ("V: NULL label; no wildcard here");
+ break;
+ }
+ } while (0 != wildcard_encountered && label_count <= RFC2595_MIN_LABEL_COUNT);
+ } else {
+ verb_debug ("V: Not a RFC 2595 wildcard");
+ }
+ } else {
+ verb_debug ("V: Not a valid wildcard certificate");
+ ok = 0;
+ }
+ // Free our copies
+ free(wildchar);
+ free(delim);
+ free(hostname_to_free);
+ free(cert_wild_card_to_free);
+ if (wildcard_encountered & ok && label_count >= RFC2595_MIN_LABEL_COUNT)
+ {
+ verb_debug ("V: wildcard match of %s against %s",
+ orig_hostname, orig_cert_wild_card);
+ return (wildcard_encountered & ok);
+ } else {
+ verb_debug ("V: wildcard match failure of %s against %s",
+ orig_hostname, orig_cert_wild_card);
+ return 0;
+ }
+}
+#endif
+
+#ifndef USE_POLARSSL
+/**
+ This extracts the first commonName and checks it against hostname.
+*/
+uint32_t
+check_cn (SSL *ssl, const char *hostname)
+{
+ int ok = 0;
+ int ret;
+ char *cn_buf;
+ X509 *certificate;
+ X509_NAME *xname;
+
+ // We cast this to cast away g++ complaining about the following:
+ // error: invalid conversion from ‘void*’ to ‘char*’
+ cn_buf = (char *) xmalloc(TLSDATE_HOST_NAME_MAX + 1);
+
+ certificate = SSL_get_peer_certificate(ssl);
+ if (NULL == certificate)
+ {
+ die ("Unable to extract certificate");
+ }
+
+ memset(cn_buf, '\0', (TLSDATE_HOST_NAME_MAX + 1));
+ xname = X509_get_subject_name(certificate);
+ ret = X509_NAME_get_text_by_NID(xname, NID_commonName,
+ cn_buf, TLSDATE_HOST_NAME_MAX);
+
+ if (-1 == ret || ret != (int) strlen(cn_buf))
+ {
+ die ("Unable to extract commonName");
+ }
+ if (strcasecmp(cn_buf, hostname))
+ {
+ verb ("V: commonName mismatch! Expected: %s - received: %s",
+ hostname, cn_buf);
+ } else {
+ verb ("V: commonName matched: %s", cn_buf);
+ ok = 1;
+ }
+
+ X509_NAME_free(xname);
+ X509_free(certificate);
+ xfree(cn_buf);
+
+ return ok;
+}
+
+/**
+ Search for a hostname match in the SubjectAlternativeNames.
+*/
+uint32_t
+check_san (SSL *ssl, const char *hostname)
+{
+ X509 *cert;
+ int extcount, ok = 0;
+ /* What an OpenSSL mess ... */
+ if (NULL == (cert = SSL_get_peer_certificate(ssl)))
+ {
+ die ("Getting certificate failed");
+ }
+
+ if ((extcount = X509_get_ext_count(cert)) > 0)
+ {
+ int i;
+ for (i = 0; i < extcount; ++i)
+ {
+ const char *extstr;
+ X509_EXTENSION *ext;
+ ext = X509_get_ext(cert, i);
+ extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
+
+ if (!strcmp(extstr, "subjectAltName"))
+ {
+
+ int j;
+ void *extvalstr;
+ const unsigned char *tmp;
+
+ STACK_OF(CONF_VALUE) *val;
+ CONF_VALUE *nval;
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ const
+#endif
+ X509V3_EXT_METHOD *method;
+
+ if (!(method = X509V3_EXT_get(ext)))
+ {
+ break;
+ }
+
+ tmp = ext->value->data;
+ if (method->it)
+ {
+ extvalstr = ASN1_item_d2i(NULL, &tmp, ext->value->length,
+ ASN1_ITEM_ptr(method->it));
+ } else {
+ extvalstr = method->d2i(NULL, &tmp, ext->value->length);
+ }
+
+ if (!extvalstr)
+ {
+ break;
+ }
+
+ if (method->i2v)
+ {
+ val = method->i2v(method, extvalstr, NULL);
+ for (j = 0; ((size_t) j) < sk_CONF_VALUE_num(val); ++j)
+ {
+ nval = sk_CONF_VALUE_value(val, j);
+ if ((!strcasecmp(nval->name, "DNS") &&
+ !strcasecmp(nval->value, hostname) ) ||
+ (!strcasecmp(nval->name, "iPAddress") &&
+ !strcasecmp(nval->value, hostname)))
+ {
+ verb ("V: subjectAltName matched: %s, type: %s", nval->value, nval->name); // We matched this; so it's safe to print
+ ok = 1;
+ break;
+ }
+ // Attempt to match subjectAltName DNS names
+ if (!strcasecmp(nval->name, "DNS"))
+ {
+ ok = check_wildcard_match_rfc2595(hostname, nval->value);
+ if (ok)
+ {
+ break;
+ }
+ }
+ verb_debug ("V: subjectAltName found but not matched: %s, type: %s",
+ nval->value, sanitize_string(nval->name));
+ }
+ }
+ } else {
+ verb_debug ("V: found non subjectAltName extension");
+ }
+ if (ok)
+ {
+ break;
+ }
+ }
+ } else {
+ verb_debug ("V: no X509_EXTENSION field(s) found");
+ }
+ X509_free(cert);
+ return ok;
+}
+
+uint32_t
+check_name (SSL *ssl, const char *hostname)
+{
+ uint32_t ret;
+ ret = check_cn(ssl, hostname);
+ ret += check_san(ssl, hostname);
+ if (0 != ret && 0 < ret)
+ {
+ verb ("V: hostname verification passed");
+ } else {
+ die ("hostname verification failed for host %s!", host);
+ }
+ return ret;
+}
+#endif
+
+#ifdef USE_POLARSSL
+uint32_t
+verify_signature (ssl_context *ssl, const char *hostname)
+{
+ int ssl_verify_result;
+
+ ssl_verify_result = ssl_get_verify_result (ssl);
+ if (ssl_verify_result & BADCERT_EXPIRED)
+ {
+ die ("certificate has expired");
+ }
+ if (ssl_verify_result & BADCERT_REVOKED)
+ {
+ die ("certificate has been revoked");
+ }
+ if (ssl_verify_result & BADCERT_CN_MISMATCH)
+ {
+ die ("CN and subject AltName mismatch for certificate");
+ }
+ if (ssl_verify_result & BADCERT_NOT_TRUSTED)
+ {
+ die ("certificate is self-signed or not signed by a trusted CA");
+ }
+
+ if (0 == ssl_verify_result)
+ {
+ verb ("V: verify success");
+ }
+ else
+ {
+ die ("certificate verification error: -0x%04x", -ssl_verify_result);
+ }
+ return 0;
+}
+#else
+uint32_t
+verify_signature (SSL *ssl, const char *hostname)
+{
+ long ssl_verify_result;
+ X509 *certificate;
+
+ certificate = SSL_get_peer_certificate(ssl);
+ if (NULL == certificate)
+ {
+ die ("Getting certificate failed");
+ }
+ // In theory, we verify that the cert is valid
+ ssl_verify_result = SSL_get_verify_result(ssl);
+ switch (ssl_verify_result)
+ {
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ die ("certificate is self signed");
+ case X509_V_OK:
+ verb ("V: certificate verification passed");
+ break;
+ default:
+ die ("certification verification error: %ld",
+ ssl_verify_result);
+ }
+ return 0;
+}
+#endif
+
+#ifdef USE_POLARSSL
+void
+check_key_length (ssl_context *ssl)
+{
+ uint32_t key_bits;
+ const x509_cert *certificate;
+ const rsa_context *public_key;
+ char buf[1024];
+
+ certificate = ssl_get_peer_cert (ssl);
+ if (NULL == certificate)
+ {
+ die ("Getting certificate failed");
+ }
+
+ x509parse_dn_gets(buf, 1024, &certificate->subject);
+ verb_debug ("V: Certificate for subject '%s'", buf);
+
+ public_key = &certificate->rsa;
+ if (NULL == public_key)
+ {
+ die ("public key extraction failure");
+ } else {
+ verb_debug ("V: public key is ready for inspection");
+ }
+ key_bits = mpi_msb (&public_key->N);
+ if (MIN_PUB_KEY_LEN >= key_bits)
+ {
+ die ("Unsafe public key size: %d bits", key_bits);
+ } else {
+ verb_debug ("V: key length appears safe");
+ }
+}
+#else
+void
+check_key_length (SSL *ssl)
+{
+ uint32_t key_bits;
+ X509 *certificate;
+ EVP_PKEY *public_key;
+ certificate = SSL_get_peer_certificate (ssl);
+ if (NULL == certificate)
+ {
+ die ("Getting certificate failed");
+ }
+ public_key = X509_get_pubkey (certificate);
+ if (NULL == public_key)
+ {
+ die ("public key extraction failure");
+ } else {
+ verb_debug ("V: public key is ready for inspection");
+ }
+
+ key_bits = get_certificate_keybits (public_key);
+ if (MIN_PUB_KEY_LEN >= key_bits && public_key->type != EVP_PKEY_EC)
+ {
+ die ("Unsafe public key size: %d bits", key_bits);
+ } else {
+ if (public_key->type == EVP_PKEY_EC)
+ if(key_bits >= MIN_ECC_PUB_KEY_LEN
+ && key_bits <= MAX_ECC_PUB_KEY_LEN)
+ {
+ verb_debug ("V: ECC key length appears safe");
+ } else {
+ die ("Unsafe ECC key size: %d bits", key_bits);
+ } else {
+ verb_debug ("V: key length appears safe");
+ }
+ }
+ EVP_PKEY_free (public_key);
+}
+#endif
+
+#ifdef USE_POLARSSL
+void
+inspect_key (ssl_context *ssl, const char *hostname)
+{
+ verify_signature (ssl, hostname);
+
+ // ssl_get_verify_result() already checks for CN / subjectAltName match
+ // and reports the mismatch as error. So check_name() is not called
+}
+#else
+void
+inspect_key (SSL *ssl, const char *hostname)
+{
+
+ verify_signature (ssl, hostname);
+ check_name (ssl, hostname);
+}
+#endif
+
+#ifdef USE_POLARSSL
+void
+check_timestamp (uint32_t server_time)
+{
+ uint32_t compiled_time = RECENT_COMPILE_DATE;
+ uint32_t max_reasonable_time = MAX_REASONABLE_TIME;
+ if (compiled_time < server_time
+ &&
+ server_time < max_reasonable_time)
+ {
+ verb("V: remote peer provided: %d, preferred over compile time: %d",
+ server_time, compiled_time);
+ } else {
+ die("V: the remote server is a false ticker! server: %d compile: %d",
+ server_time, compiled_time);
+ }
+}
+
+static int ssl_do_handshake_part(ssl_context *ssl)
+{
+ int ret = 0;
+
+ /* Only do steps till ServerHello is received */
+ while (ssl->state != SSL_SERVER_HELLO)
+ {
+ ret = ssl_handshake_step (ssl);
+ if (0 != ret)
+ {
+ die("SSL handshake failed");
+ }
+ }
+ /* Do ServerHello so we can skim the timestamp */
+ ret = ssl_handshake_step (ssl);
+ if (0 != ret)
+ {
+ die("SSL handshake failed");
+ }
+
+ return 0;
+}
+
+/**
+ * Run SSL handshake and store the resulting time value in the
+ * 'time_map'.
+ *
+ * @param time_map where to store the current time
+ * @param time_is_an_illusion
+ * @param http whether to do an http request and take the date from that
+ * instead.
+ */
+static void
+run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
+{
+ entropy_context entropy;
+ ctr_drbg_context ctr_drbg;
+ ssl_context ssl;
+ proxy_polarssl_ctx proxy_ctx;
+ x509_cert cacert;
+ struct stat statbuf;
+ int ret = 0, server_fd = 0;
+ char *pers = "tlsdate-helper";
+
+ memset (&ssl, 0, sizeof(ssl_context));
+ memset (&cacert, 0, sizeof(x509_cert));
+
+ verb("V: Using PolarSSL for SSL");
+ if (ca_racket)
+ {
+ if (-1 == stat (ca_cert_container, &statbuf))
+ {
+ die("Unable to stat CA certficate container %s", ca_cert_container);
+ }
+ else
+ {
+ switch (statbuf.st_mode & S_IFMT)
+ {
+ case S_IFREG:
+ if (0 > x509parse_crtfile(&cacert, ca_cert_container))
+ fprintf(stderr, "x509parse_crtfile failed");
+ break;
+ case S_IFDIR:
+ if (0 > x509parse_crtpath(&cacert, ca_cert_container))
+ fprintf(stderr, "x509parse_crtpath failed");
+ break;
+ default:
+ die("Unable to load CA certficate container %s", ca_cert_container);
+ }
+ }
+ }
+
+ entropy_init (&entropy);
+ if (0 != ctr_drbg_init (&ctr_drbg, entropy_func, &entropy,
+ (unsigned char *) pers, strlen(pers)))
+ {
+ die("Failed to initialize CTR_DRBG");
+ }
+
+ if (0 != ssl_init (&ssl))
+ {
+ die("SSL initialization failed");
+ }
+ ssl_set_endpoint (&ssl, SSL_IS_CLIENT);
+ ssl_set_rng (&ssl, ctr_drbg_random, &ctr_drbg);
+ ssl_set_ca_chain (&ssl, &cacert, NULL, hostname_to_verify);
+ if (ca_racket)
+ {
+ // You can do SSL_VERIFY_REQUIRED here, but then the check in
+ // inspect_key() never happens as the ssl_handshake() will fail.
+ ssl_set_authmode (&ssl, SSL_VERIFY_OPTIONAL);
+ }
+
+ if (proxy)
+ {
+ char *scheme;
+ char *proxy_host;
+ char *proxy_port;
+
+ parse_proxy_uri (proxy, &scheme, &proxy_host, &proxy_port);
+
+ verb("V: opening socket to proxy %s:%s", proxy_host, proxy_port);
+ if (0 != net_connect (&server_fd, proxy_host, atoi(proxy_port)))
+ {
+ die ("SSL connection failed");
+ }
+
+ proxy_polarssl_init (&proxy_ctx);
+ proxy_polarssl_set_bio (&proxy_ctx, net_recv, &server_fd, net_send, &server_fd);
+ proxy_polarssl_set_host (&proxy_ctx, host);
+ proxy_polarssl_set_port (&proxy_ctx, atoi(port));
+ proxy_polarssl_set_scheme (&proxy_ctx, scheme);
+
+ ssl_set_bio (&ssl, proxy_polarssl_recv, &proxy_ctx, proxy_polarssl_send, &proxy_ctx);
+
+ verb("V: Handle proxy connection");
+ if (0 == proxy_ctx.f_connect (&proxy_ctx))
+ die("Proxy connection failed");
+ }
+ else
+ {
+ verb("V: opening socket to %s:%s", host, port);
+ if (0 != net_connect (&server_fd, host, atoi(port)))
+ {
+ die ("SSL connection failed");
+ }
+
+ ssl_set_bio (&ssl, net_recv, &server_fd, net_send, &server_fd);
+ }
+
+ verb("V: starting handshake");
+ if (0 != ssl_do_handshake_part (&ssl))
+ die("SSL handshake first part failed");
+
+ uint32_t timestamp = ( (uint32_t) ssl.in_msg[6] << 24 )
+ | ( (uint32_t) ssl.in_msg[7] << 16 )
+ | ( (uint32_t) ssl.in_msg[8] << 8 )
+ | ( (uint32_t) ssl.in_msg[9] );
+ check_timestamp (timestamp);
+
+ verb("V: continuing handshake");
+ /* Continue with handshake */
+ while (0 != (ret = ssl_handshake (&ssl)))
+ {
+ if (POLARSSL_ERR_NET_WANT_READ != ret &&
+ POLARSSL_ERR_NET_WANT_WRITE != ret)
+ {
+ die("SSL handshake failed");
+ }
+ }
+
+ // Verify the peer certificate against the CA certs on the local system
+ if (ca_racket) {
+ inspect_key (&ssl, hostname_to_verify);
+ } else {
+ verb ("V: Certificate verification skipped!");
+ }
+ check_key_length (&ssl);
+
+ memcpy (time_map, ×tamp, sizeof(uint32_t));
+ proxy_polarssl_free (&proxy_ctx);
+ ssl_free (&ssl);
+ x509_free (&cacert);
+}
+#else /* USE_POLARSSL */
+/**
+ * Run SSL handshake and store the resulting time value in the
+ * 'time_map'.
+ *
+ * @param time_map where to store the current time
+ * @param time_is_an_illusion
+ * @param http whether to do an http request and take the date from that
+ * instead.
+ */
+static void
+run_ssl (uint32_t *time_map, int time_is_an_illusion, int http)
+{
+ BIO *s_bio;
+ SSL_CTX *ctx;
+ SSL *ssl;
+ struct stat statbuf;
+ uint32_t result_time;
+
+ SSL_load_error_strings();
+ SSL_library_init();
+
+ ctx = NULL;
+ if (0 == strcmp("sslv23", protocol))
+ {
+ verb ("V: using SSLv23_client_method()");
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ } else if (0 == strcmp("sslv3", protocol))
+ {
+ verb ("V: using SSLv3_client_method()");
+ ctx = SSL_CTX_new(SSLv3_client_method());
+ } else if (0 == strcmp("tlsv1", protocol))
+ {
+ verb ("V: using TLSv1_client_method()");
+ ctx = SSL_CTX_new(TLSv1_client_method());
+ } else
+ die("Unsupported protocol `%s'", protocol);
+
+ if (ctx == NULL)
+ die("OpenSSL failed to support protocol `%s'", protocol);
+
+ verb("V: Using OpenSSL for SSL");
+ if (ca_racket)
+ {
+ if (-1 == stat(ca_cert_container, &statbuf))
+ {
+ die("Unable to stat CA certficate container %s", ca_cert_container);
+ } else
+ {
+ switch (statbuf.st_mode & S_IFMT)
+ {
+ case S_IFREG:
+ if (1 != SSL_CTX_load_verify_locations(ctx, ca_cert_container, NULL))
+ fprintf(stderr, "SSL_CTX_load_verify_locations failed");
+ break;
+ case S_IFDIR:
+ if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
+ fprintf(stderr, "SSL_CTX_load_verify_locations failed");
+ break;
+ default:
+ if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ca_cert_container))
+ {
+ fprintf(stderr, "SSL_CTX_load_verify_locations failed");
+ die("Unable to load CA certficate container %s", ca_cert_container);
+ }
+ }
+ }
+ }
+
+ if (time_is_an_illusion)
+ {
+ SSL_CTX_set_cert_verify_callback(ctx, verify_with_server_time, NULL);
+ }
+
+ if (NULL == (s_bio = BIO_new(BIO_s_connect())))
+ die ("connect BIO setup failed");
+ setup_proxy(s_bio);
+ if (NULL == (ssl = SSL_new(ctx)))
+ die ("SSL setup failed");
+ SSL_set_bio(ssl, s_bio, s_bio);
+
+ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ verb("V: opening socket to %s:%s", host, port);
+ if ( (1 != BIO_set_conn_hostname(s_bio, host)) ||
+ (1 != BIO_set_conn_port(s_bio, port)) )
+ die ("Failed to initialize connection to `%s:%s'", host, port);
+
+ // This should run in seccomp
+ // eg: prctl(PR_SET_SECCOMP, 1);
+ if (1 != SSL_connect(ssl))
+ die ("SSL connection failed");
+
+ // from /usr/include/openssl/ssl3.h
+ // ssl->s3->server_random is an unsigned char of 32 bits
+ SSL_get_server_random(ssl, (unsigned char*)&result_time, sizeof(uint32_t));
+ verb("V: In TLS response, T=%lu", (unsigned long)ntohl(result_time));
+
+ if (http) {
+ char buf[1024];
+ verb_debug ("V: Starting HTTP");
+ if (snprintf(buf, sizeof(buf),
+ HTTP_REQUEST, HTTPS_USER_AGENT, hostname_to_verify) >= 1024)
+ die("hostname too long");
+ buf[1023]='\0'; /* Unneeded. */
+ verb_debug ("V: Writing HTTP request");
+ if (1 != write_all_to_ssl(ssl, buf))
+ die ("write all to bio failed.");
+ verb_debug ("V: Reading HTTP response");
+ if (1 != read_http_date_from_ssl(ssl, &result_time))
+ die ("read all from bio failed.");
+ verb ("V: Received HTTP response. T=%lu", (unsigned long)result_time);
+
+ result_time = htonl(result_time);
+ }
+
+ // Verify the peer certificate against the CA certs on the local system
+ if (ca_racket) {
+ inspect_key (ssl, hostname_to_verify);
+ } else {
+ verb ("V: Certificate verification skipped!");
+ }
+ check_key_length(ssl);
+
+ memcpy(time_map, &result_time, sizeof (uint32_t));
+
+ SSL_free(ssl);
+ SSL_CTX_free(ctx);
+}
+#endif /* USE_POLARSSL */
+/** drop root rights and become 'nobody' */
+
+int
+main(int argc, char **argv)
+{
+ uint32_t *time_map;
+ struct tlsdate_time start_time, end_time, warp_time;
+ int status;
+ pid_t ssl_child;
+ long long rt_time_ms;
+ uint32_t server_time_s;
+ int setclock;
+ int showtime;
+ int showtime_raw;
+ int timewarp;
+ int leap;
+ int http;
+
+ if (argc != 13)
+ return 1;
+ host = argv[1];
+ hostname_to_verify = argv[1];
+ port = argv[2];
+ protocol = argv[3];
+ ca_cert_container = argv[6];
+ ca_racket = (0 != strcmp ("unchecked", argv[4]));
+ verbose = (0 != strcmp ("quiet", argv[5]));
+ verbose_debug = (0 != strcmp ("verbose", argv[5]));
+ setclock = (0 == strcmp ("setclock", argv[7]));
+ showtime = (0 == strcmp ("showtime", argv[8]));
+ showtime_raw = (0 == strcmp ("showtime=raw", argv[8]));
+ timewarp = (0 == strcmp ("timewarp", argv[9]));
+ leap = (0 == strcmp ("leapaway", argv[10]));
+ proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]);
+ http = (0 == (strcmp("http", argv[12])));
+
+ /* Initalize warp_time with RECENT_COMPILE_DATE */
+ clock_init_time(&warp_time, RECENT_COMPILE_DATE, 0);
+
+ verb ("V: RECENT_COMPILE_DATE is %lu.%06lu",
+ (unsigned long) CLOCK_SEC(&warp_time),
+ (unsigned long) CLOCK_USEC(&warp_time));
+
+ if (1 != timewarp)
+ {
+ verb ("V: we'll do the time warp another time - we're not setting clock");
+ }
+
+ /* We are not going to set the clock, thus no need to stay root */
+ if (0 == setclock && 0 == timewarp)
+ {
+ verb ("V: attemping to drop administrator privileges");
+ drop_privs_to (UNPRIV_USER, UNPRIV_GROUP, NULL);
+ }
+
+ // We cast the mmap value to remove this error when compiling with g++:
+ // src/tlsdate-helper.c: In function ‘int main(int, char**)’:
+ // src/tlsdate-helper.c:822:41: error: invalid conversion from ‘void*’ to ‘uint32_t
+ time_map = (uint32_t *) mmap (NULL, sizeof (uint32_t),
+ PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ if (MAP_FAILED == time_map)
+ {
+ fprintf (stderr, "mmap failed: %s",
+ strerror (errno));
+ return 1;
+ }
+
+ /* Get the current time from the system clock. */
+ if (0 != clock_get_real_time(&start_time))
+ {
+ die ("Failed to read current time of day: %s", strerror (errno));
+ }
+
+ verb ("V: time is currently %lu.%06lu",
+ (unsigned long) CLOCK_SEC(&start_time),
+ (unsigned long) CLOCK_NSEC(&start_time));
+
+ if (((unsigned long) CLOCK_SEC(&start_time)) < ((unsigned long) CLOCK_SEC(&warp_time)))
+ {
+ verb ("V: local clock time is less than RECENT_COMPILE_DATE");
+ if (timewarp)
+ {
+ verb ("V: Attempting to warp local clock into the future");
+ if (0 != clock_set_real_time(&warp_time))
+ {
+ die ("setting time failed: %s (Attempted to set clock to %lu.%06lu)",
+ strerror (errno),
+ (unsigned long) CLOCK_SEC(&warp_time),
+ (unsigned long) CLOCK_SEC(&warp_time));
+ }
+ if (0 != clock_get_real_time(&start_time))
+ {
+ die ("Failed to read current time of day: %s", strerror (errno));
+ }
+ verb ("V: time is currently %lu.%06lu",
+ (unsigned long) CLOCK_SEC(&start_time),
+ (unsigned long) CLOCK_NSEC(&start_time));
+ verb ("V: It's just a step to the left...");
+ }
+ } else {
+ verb ("V: time is greater than RECENT_COMPILE_DATE");
+ }
+
+ /* initialize to bogus value, just to be on the safe side */
+ *time_map = 0;
+
+ /* Run SSL interaction in separate process (and not as 'root') */
+ ssl_child = fork ();
+ if (-1 == ssl_child)
+ die ("fork failed: %s", strerror (errno));
+ if (0 == ssl_child)
+ {
+ drop_privs_to (UNPRIV_USER, UNPRIV_GROUP, NULL);
+ run_ssl (time_map, leap, http);
+ (void) munmap (time_map, sizeof (uint32_t));
+ _exit (0);
+ }
+ if (ssl_child != platform->process_wait (ssl_child, &status, 1))
+ die ("waitpid failed: %s", strerror (errno));
+ if (! (WIFEXITED (status) && (0 == WEXITSTATUS (status)) ))
+ die ("child process failed in SSL handshake");
+
+ if (0 != clock_get_real_time(&end_time))
+ die ("Failed to read current time of day: %s", strerror (errno));
+
+ /* calculate RTT */
+ rt_time_ms = (CLOCK_SEC(&end_time) - CLOCK_SEC(&start_time)) * 1000 + (CLOCK_USEC(&end_time) - CLOCK_USEC(&start_time)) / 1000;
+ if (rt_time_ms < 0)
+ rt_time_ms = 0; /* non-linear time... */
+#ifdef USE_POLARSSL
+ server_time_s = *time_map;
+#else
+ server_time_s = ntohl (*time_map);
+#endif
+ // We should never have a time_map of zero here;
+ // It either stayed zero or we have a false ticker.
+ if ( 0 == server_time_s )
+ die ("child process failed to update time map; weird platform issues?");
+ munmap (time_map, sizeof (uint32_t));
+
+ verb ("V: server time %u (difference is about %d s) was fetched in %lld ms",
+ (unsigned int) server_time_s,
+ CLOCK_SEC(&start_time) - server_time_s,
+ rt_time_ms);
+
+ /* warning if the handshake took too long */
+ if (rt_time_ms > TLS_RTT_UNREASONABLE) {
+ die ("the TLS handshake took more than %d msecs - consider using a different " \
+ "server or run it again", TLS_RTT_UNREASONABLE);
+ }
+ if (rt_time_ms > TLS_RTT_THRESHOLD) {
+ verb ("V: the TLS handshake took more than %d msecs - consider using a different " \
+ "server or run it again", TLS_RTT_THRESHOLD);
+ }
+
+ if (showtime_raw)
+ {
+ fwrite(&server_time_s, sizeof(server_time_s), 1, stdout);
+ }
+
+ if (showtime)
+ {
+ struct tm ltm;
+ time_t tim = server_time_s;
+ char buf[256];
+
+ localtime_r(&tim, <m);
+ if (0 == strftime(buf, sizeof buf, "%a %b %e %H:%M:%S %Z %Y", <m))
+ {
+ die ("strftime returned 0");
+ }
+ fprintf(stdout, "%s\n", buf);
+ }
+
+ /* finally, actually set the time */
+ if (setclock)
+ {
+ struct tlsdate_time server_time;
+
+ clock_init_time(&server_time, server_time_s + (rt_time_ms / 2 / 1000),
+ (rt_time_ms / 2) % 1000);
+
+ // We should never receive a time that is before the time we were last
+ // compiled; we subscribe to the linear theory of time for this program
+ // and this program alone!
+ if (CLOCK_SEC(&server_time) >= MAX_REASONABLE_TIME)
+ die("remote server is a false ticker from the future!");
+ if (CLOCK_SEC(&server_time) <= RECENT_COMPILE_DATE)
+ die ("remote server is a false ticker!");
+ if (0 != clock_set_real_time(&server_time))
+ die ("setting time failed: %s (Difference from server is about %d s)",
+ strerror (errno),
+ CLOCK_SEC(&start_time) - server_time_s);
+ verb ("V: setting time succeeded");
+ }
+ return 0;
+}
diff --git a/tlsdate/src/tlsdate-helper.h b/tlsdate/src/tlsdate-helper.h
new file mode 100644
index 0000000..fa9861a
--- /dev/null
+++ b/tlsdate/src/tlsdate-helper.h
@@ -0,0 +1,143 @@
+/* Copyright (c) 2012, Jacob Appelbaum
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file tlsdate-helper.h
+ * \brief The secondary header for our clock helper.
+ **/
+
+#ifndef TLSDATEHELPER_H
+#define TLSDATEHELPER_H
+
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#ifdef TARGET_OS_HAIKU
+#include <posix/string.h>
+#include <bsd/string.h>
+#endif
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <time.h>
+#include <pwd.h>
+#include <grp.h>
+#include <arpa/inet.h>
+#include <ctype.h>
+#ifdef HAVE_PRCTL
+#include <sys/prctl.h>
+#endif
+
+#ifndef USE_POLARSSL
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+#endif
+
+int verbose;
+int verbose_debug;
+
+#include "src/util.h"
+
+/** Name of user that we feel safe to run SSL handshake with. */
+#ifndef UNPRIV_USER
+#define UNPRIV_USER "nobody"
+#endif
+#ifndef UNPRIV_GROUP
+#define UNPRIV_GROUP "nogroup"
+#endif
+
+// We should never accept a time before we were compiled
+// We measure in seconds since the epoch - eg: echo `date '+%s'`
+// We set this manually to ensure others can reproduce a build;
+// automation of this will make every build different!
+#ifndef RECENT_COMPILE_DATE
+#define RECENT_COMPILE_DATE 1342323666L
+#endif
+
+#ifndef MAX_REASONABLE_TIME
+#define MAX_REASONABLE_TIME 1999991337L
+#endif
+
+#ifndef MIN_PUB_KEY_LEN
+#define MIN_PUB_KEY_LEN (uint32_t) 1023
+#endif
+
+#ifndef MIN_ECC_PUB_KEY_LEN
+#define MIN_ECC_PUB_KEY_LEN (uint32_t) 160
+#endif
+
+#ifndef MAX_ECC_PUB_KEY_LEN
+#define MAX_ECC_PUB_KEY_LEN (uint32_t) 521
+#endif
+// After the duration of the TLS handshake exceeds this threshold
+// (in msec), a warning is printed.
+#define TLS_RTT_THRESHOLD 2000
+
+// After the duration of the TLS handshake exceeds this threshold
+// (in msec), we consider the operation to have failed.
+#define TLS_RTT_UNREASONABLE 30000
+
+// RFC 5280 says...
+// ub-common-name-length INTEGER ::= 64
+#define MAX_CN_NAME_LENGTH 64
+
+// RFC 1034 and posix say...
+#define TLSDATE_HOST_NAME_MAX 255
+
+// To support our RFC 2595 wildcard verification
+#define RFC2595_MIN_LABEL_COUNT 3
+
+// Define a max length for the HTTP Date: header
+#define MAX_DATE_LINE_LEN 32
+
+// Define a max length for HTTP headers
+#define MAX_HTTP_HEADERS_SIZE 8192
+
+// Define our basic HTTP request
+#define HTTP_REQUEST \
+ "HEAD / HTTP/1.1\r\n" \
+ "User-Agent: %s\r\n" \
+ "Host: %s\r\n" \
+ "\r\n"
+
+static int ca_racket;
+
+static const char *host;
+
+static const char *hostname_to_verify;
+
+static const char *port;
+
+static const char *protocol;
+
+static char *proxy;
+
+static const char *ca_cert_container;
+#ifndef USE_POLARSSL
+uint32_t get_certificate_keybits (EVP_PKEY *public_key);
+uint32_t check_cn (SSL *ssl, const char *hostname);
+uint32_t check_san (SSL *ssl, const char *hostname);
+long openssl_check_against_host_and_verify (SSL *ssl);
+uint32_t check_name (SSL *ssl, const char *hostname);
+uint32_t verify_signature (SSL *ssl, const char *hostname);
+void check_key_length (SSL *ssl);
+void inspect_key (SSL *ssl, const char *hostname);
+void check_key_length (SSL *ssl);
+void inspect_key (SSL *ssl, const char *hostname);
+#endif
+uint32_t dns_label_count (char *label, char *delim);
+uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
+ const char *orig_cert_wild_card);
+static void run_ssl (uint32_t *time_map, int time_is_an_illusion, int http);
+
+#endif
diff --git a/tlsdate/src/tlsdate-monitor.c b/tlsdate/src/tlsdate-monitor.c
new file mode 100644
index 0000000..5169a09
--- /dev/null
+++ b/tlsdate/src/tlsdate-monitor.c
@@ -0,0 +1,99 @@
+/*
+ * tlsdate-monitor.c - tlsdated monitor for tlsdate.
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "src/util.h"
+#include "src/tlsdate.h"
+
+static
+char **
+build_argv (struct opts *opts)
+{
+ int argc;
+ char **new_argv;
+ assert (opts->sources);
+ /* choose the next source in the list; if we're at the end, start over. */
+ if (!opts->cur_source || !opts->cur_source->next)
+ opts->cur_source = opts->sources;
+ else
+ opts->cur_source = opts->cur_source->next;
+ for (argc = 0; opts->base_argv[argc]; argc++)
+ ;
+ /* Put an arbitrary limit on the number of args. */
+ if (argc > 1024)
+ return NULL;
+ argc++; /* uncounted null terminator */
+ argc += 9; /* -H host -p port -x proxy -Vraw -n -l */
+ new_argv = malloc (argc * sizeof (char *));
+ if (!new_argv)
+ return NULL;
+ for (argc = 0; opts->base_argv[argc]; argc++)
+ new_argv[argc] = opts->base_argv[argc];
+ new_argv[argc++] = "-H";
+ new_argv[argc++] = opts->cur_source->host;
+ new_argv[argc++] = "-p";
+ new_argv[argc++] = opts->cur_source->port;
+ if (opts->cur_source->proxy || opts->proxy)
+ {
+ char *proxy = opts->proxy ? opts->proxy : opts->cur_source->proxy;
+ if (strcmp (proxy, ""))
+ {
+ new_argv[argc++] = (char *) "-x";
+ new_argv[argc++] = proxy;
+ }
+ }
+ new_argv[argc++] = "-Vraw";
+ new_argv[argc++] = "-n";
+ if (opts->leap)
+ new_argv[argc++] = "-l";
+ new_argv[argc++] = NULL;
+ return new_argv;
+}
+
+/* Run tlsdate and redirects stdout to the monitor_fd */
+int
+tlsdate (struct state *state)
+{
+ char **new_argv;
+ pid_t pid;
+ switch ((pid = fork()))
+ {
+ case 0: /* child! */
+ break;
+ case -1:
+ perror ("fork() failed!");
+ return -1;
+ default:
+ verb_debug ("[tlsdate-monitor] spawned tlsdate: %d", pid);
+ state->tlsdate_pid = pid;
+ return 0;
+ }
+ if (!(new_argv = build_argv (&state->opts)))
+ fatal ("out of memory building argv");
+ /* Replace stdout with the pipe back to tlsdated */
+ if (dup2 (state->tlsdate_monitor_fd, STDOUT_FILENO) < 0)
+ {
+ perror ("dup2 failed");
+ _exit (2);
+ }
+ execve (new_argv[0], new_argv, state->envp);
+ perror ("[tlsdate-monitor] execve() failed");
+ _exit (1);
+}
diff --git a/tlsdate/src/tlsdate-setter.c b/tlsdate/src/tlsdate-setter.c
new file mode 100644
index 0000000..138be59
--- /dev/null
+++ b/tlsdate/src/tlsdate-setter.c
@@ -0,0 +1,181 @@
+/*
+ * tlsdate-setter.c - privileged time setter for tlsdated
+ * Copyright (c) 2013 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/dbus.h"
+#include "src/seccomp.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+/* Atomically writes the timestamp to the specified fd. */
+int
+save_timestamp_to_fd (int fd, time_t t)
+{
+ return platform->file_write(fd, &t, sizeof (t));
+}
+
+void
+report_setter_error (siginfo_t *info)
+{
+ const char *code;
+ int killit = 0;
+ switch (info->si_code)
+ {
+ case CLD_EXITED:
+ code = "EXITED";
+ break;
+ case CLD_KILLED:
+ code = "KILLED";
+ break;
+ case CLD_DUMPED:
+ code = "DUMPED";
+ break;
+ case CLD_STOPPED:
+ code = "STOPPED";
+ killit = 1;
+ break;
+ case CLD_TRAPPED:
+ code = "TRAPPED";
+ killit = 1;
+ break;
+ case CLD_CONTINUED:
+ code = "CONTINUED";
+ killit = 1;
+ break;
+ default:
+ code = "???";
+ killit = 1;
+ }
+ info ("tlsdate-setter exitting: code:%s status:%d pid:%d uid:%d",
+ code, info->si_status, info->si_pid, info->si_uid);
+ if (killit)
+ kill (info->si_pid, SIGKILL);
+}
+
+void
+time_setter_coprocess (int time_fd, int notify_fd, struct state *state)
+{
+ int save_fd = -1;
+ int status;
+ prctl (PR_SET_NAME, "tlsdated-setter");
+ if (state->opts.should_save_disk && !state->opts.dry_run)
+ {
+ const mode_t perms = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
+ /* TODO(wad) platform->file_open */
+ if ( (save_fd = open (state->timestamp_path,
+ O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
+ perms)) < 0 ||
+ fchmod (save_fd, perms) != 0)
+ {
+ /* Attempt to unlink the path on the way out. */
+ unlink (state->timestamp_path);
+ status = SETTER_NO_SAVE;
+ goto notify_and_die;
+ }
+ }
+ /* XXX: Drop all privs but CAP_SYS_TIME */
+#ifdef HAVE_SECCOMP_FILTER
+ if (enable_setter_seccomp())
+ {
+ status = SETTER_NO_SBOX;
+ goto notify_and_die;
+ }
+#endif
+ while (1)
+ {
+ struct timeval tv = { 0, 0 };
+ /* The wire protocol is a time_t, but the caller should
+ * always be the unprivileged tlsdated process which spawned this
+ * helper.
+ * There are two special messages:
+ * (time_t) 0: requests a clean shutdown
+ * (time_t) < 0: indicates not to write to disk
+ * On Linux, time_t is a signed long. Expanding the protocol
+ * is easy, but writing one long only is ideal.
+ */
+ ssize_t bytes = read (time_fd, &tv.tv_sec, sizeof (tv.tv_sec));
+ int save = 1;
+ if (bytes == -1)
+ {
+ if (errno == EINTR)
+ continue;
+ status = SETTER_READ_ERR;
+ goto notify_and_die;
+ }
+ if (bytes == 0)
+ {
+ /* End of pipe */
+ status = SETTER_READ_ERR;
+ goto notify_and_die;
+ }
+ if (bytes != sizeof (tv.tv_sec))
+ continue;
+ if (tv.tv_sec < 0)
+ {
+ /* Don't write to disk */
+ tv.tv_sec = -tv.tv_sec;
+ save = 0;
+ }
+ if (tv.tv_sec == 0)
+ {
+ status = SETTER_EXIT;
+ goto notify_and_die;
+ }
+ if (is_sane_time (tv.tv_sec))
+ {
+ /* It would be nice if time was only allowed to move forward, but
+ * if a single time source is wrong, then it could make it impossible
+ * to recover from once the time is written to disk.
+ */
+ status = SETTER_BAD_TIME;
+ if (!state->opts.dry_run)
+ {
+ if (settimeofday (&tv, NULL) < 0)
+ {
+ status = SETTER_SET_ERR;
+ goto notify_and_die;
+ }
+ if (state->opts.should_sync_hwclock &&
+ platform->rtc_write(&state->hwclock, &tv))
+ {
+ status = SETTER_NO_RTC;
+ goto notify_and_die;
+ }
+ if (save && save_fd != -1 &&
+ save_timestamp_to_fd (save_fd, tv.tv_sec))
+ {
+ status = SETTER_NO_SAVE;
+ goto notify_and_die;
+ }
+ }
+ status = SETTER_TIME_SET;
+ }
+ /* TODO(wad) platform->file_write */
+ IGNORE_EINTR (write (notify_fd, &status, sizeof(status)));
+ }
+notify_and_die:
+ IGNORE_EINTR (write (notify_fd, &status, sizeof(status)));
+ close (notify_fd);
+ close (save_fd);
+ _exit (status);
+}
diff --git a/tlsdate/src/tlsdate.c b/tlsdate/src/tlsdate.c
new file mode 100644
index 0000000..dd7f993
--- /dev/null
+++ b/tlsdate/src/tlsdate.c
@@ -0,0 +1,235 @@
+/* Copyright (c) 2012, Jacob Appelbaum.
+ * Copyright (c) 2012, The Tor Project, Inc.
+ * Copyright (c) 2012, Christian Grothoff. */
+/* See LICENSE for licensing information */
+/*
+ This file contains the license for tlsdate,
+ a free software project to set your system clock securely.
+
+ It also lists the licenses for other components used by tlsdate.
+
+ For more information about tlsdate, see https://github.com/ioerror/tlsdate
+
+ If you got this file as a part of a larger bundle,
+ there may be other license terms that you should be aware of.
+
+===============================================================================
+tlsdate is distributed under this license:
+
+Copyright (c) 2011-2012, Jacob Appelbaum <jacob@appelbaum.net>
+Copyright (c) 2011-2012, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+ * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
+If you got tlsdate as a static binary with OpenSSL included, then you should
+know:
+
+ "This product includes software developed by the OpenSSL Project for use in
+ the OpenSSL Toolkit (http://www.openssl.org/)"
+
+===============================================================================
+*/
+
+/**
+ * \file tlsdate.c
+ * \brief The main program to assist in setting the system clock.
+ **/
+
+/*
+ * tlsdate is a tool for setting the system clock by hand or by communication
+ * with the network. It does not set the RTC. It is designed to be as secure as
+ * TLS (RFC 2246) but of course the security of TLS is often reduced to
+ * whichever CA racket you believe is trustworthy. By default, tlsdate trusts
+ * your local CA root store - so any of these companies could assist in a MITM
+ * attack against you and you'd be screwed.
+
+ * This tool is designed to be run by hand or as a system daemon. It must be
+ * run as root or otherwise have the proper caps; it will not be able to set
+ * the system time without running as root or another privileged user.
+ */
+
+#include "config.h"
+#include "src/tlsdate.h"
+
+
+/** Return the proper commandline switches when the user needs information. */
+static void
+usage (void)
+{
+ fprintf (stderr, "tlsdate usage:\n"
+ " [-h|--help]\n"
+ " [-s|--skip-verification]\n"
+ " [-n|--dont-set-clock]\n"
+ " [-H|--host] [hostname|ip]\n"
+ " [-p|--port] [port number]\n"
+ " [-P|--protocol] [sslv23|sslv3|tlsv1]\n"
+ " [-C|--certcontainer] [dirname|filename]\n"
+ " [-v|--verbose]\n"
+ " [-V|--showtime] [human|raw]\n"
+ " [-t|--timewarp]\n"
+ " [-l|--leap]\n"
+ " [-x|--proxy] [url]\n"
+ " [-w|--http]\n");
+}
+
+
+int
+main (int argc, char **argv)
+{
+ int verbose;
+ int ca_racket;
+ int showtime;
+ int setclock;
+ const char *host;
+ const char *port;
+ const char *protocol;
+ const char *ca_cert_container;
+ int timewarp;
+ int leap;
+ const char *proxy;
+ int http;
+
+ host = DEFAULT_HOST;
+ port = DEFAULT_PORT;
+ protocol = DEFAULT_PROTOCOL;
+ ca_cert_container = DEFAULT_CERTFILE;
+ verbose = 0;
+ ca_racket = 1;
+ showtime = 0;
+ setclock = 1;
+ timewarp = 0;
+ leap = 0;
+ proxy = NULL;
+ http = 0;
+
+ while (1)
+ {
+ int option_index = 0;
+ int c;
+ static struct option long_options[] =
+ {
+ {"verbose", 0, 0, 'v'},
+ {"showtime", 2, 0, 'V'},
+ {"skip-verification", 0, 0, 's'},
+ {"help", 0, 0, 'h'},
+ {"host", 0, 0, 'H'},
+ {"port", 0, 0, 'p'},
+ {"protocol", 0, 0, 'P'},
+ {"dont-set-clock", 0, 0, 'n'},
+ {"certcontainer", 0, 0, 'C'},
+ {"timewarp", 0, 0, 't'},
+ {"leap", 0, 0, 'l'},
+ {"proxy", 0, 0, 'x'},
+ {"http", 0, 0, 'w'},
+ {0, 0, 0, 0}
+ };
+
+ c = getopt_long (argc, argv, "vV::shH:p:P:nC:tlx:w",
+ long_options, &option_index);
+ if (c == -1)
+ break;
+ switch (c)
+ {
+ case 'v':
+ verbose = 1;
+ break;
+ case 'V':
+ showtime = (optarg && 0 == strcmp ("raw", optarg) ? 2:1);
+ break;
+ case 's':
+ ca_racket = 0;
+ break;
+ case 'h':
+ usage();
+ exit (1);
+ break;
+ case 'H':
+ host = optarg;
+ break;
+ case 'p':
+ port = optarg;
+ break;
+ case 'P':
+ protocol = optarg;
+ break;
+ case 'n':
+ setclock = 0;
+ break;
+ case 'C':
+ ca_cert_container = optarg;
+ break;
+ case 't':
+ timewarp = 1;
+ break;
+ case 'l':
+ leap = 1;
+ break;
+ case 'x':
+ proxy = optarg;
+ break;
+ case 'w':
+ http = 1;
+ break;
+ case '?':
+ break;
+ default :
+ fprintf (stderr, "Unknown option!\n");
+ usage();
+ exit (1);
+ }
+ }
+ if (1 == verbose) {
+ fprintf(stderr,
+ "V: tlsdate version %s\n"
+ "V: We were called with the following arguments:\n"
+ "V: %s host = %s:%s\n",
+ PACKAGE_VERSION,
+ ca_racket ? "validate SSL certificates" : "disable SSL certificate check",
+ host, port);
+ if (0 == ca_racket)
+ fprintf(stderr, "WARNING: Skipping certificate verification!\n");
+ }
+ execlp (TLSDATE_HELPER,
+ "tlsdate",
+ host,
+ port,
+ protocol,
+ (ca_racket ? "racket" : "unchecked"),
+ (verbose ? "verbose" : "quiet"),
+ ca_cert_container,
+ (setclock ? "setclock" : "dont-set-clock"),
+ (showtime ? (showtime == 2 ? "showtime=raw" : "showtime") : "no-showtime"),
+ (timewarp ? "timewarp" : "no-fun"),
+ (leap ? "leapaway" : "holdfast"),
+ (proxy ? proxy : "none"),
+ (http ? "http" : "tls"),
+ NULL);
+ perror ("Failed to run tlsdate-helper");
+ return 1;
+}
diff --git a/tlsdate/src/tlsdate.h b/tlsdate/src/tlsdate.h
new file mode 100644
index 0000000..97d4fec
--- /dev/null
+++ b/tlsdate/src/tlsdate.h
@@ -0,0 +1,246 @@
+/* Copyright (c) 2013, Jacob Appelbaum
+ * Copyright (c) 2012, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file tlsdate.h
+ * \brief The main header for our clock helper.
+ **/
+
+#ifndef TLSDATE_H
+#define TLSDATE_H
+
+#include "src/configmake.h"
+#include <limits.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <limits.h>
+#include <signal.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "src/rtc.h"
+
+#define DEFAULT_HOST "google.com"
+#define DEFAULT_PORT "443"
+#define DEFAULT_PROXY "none"
+#define DEFAULT_PROTOCOL "tlsv1"
+#define DEFAULT_CERTDIR "/etc/ssl/certs"
+#define DEFAULT_CERTFILE TLSDATE_CERTFILE
+#define DEFAULT_DAEMON_CACHEDIR "/var/cache/tlsdated"
+#define DEFAULT_DAEMON_TMPSUFFIX ".new"
+#define DEFAULT_TLSDATE TLSDATE
+#define DEFAULT_RTC_DEVICE "/dev/rtc"
+#define DEFAULT_CONF_FILE TLSDATE_CONF_DIR "tlsdated.conf"
+
+/* tlsdated magic numbers */
+#define MAX_TRIES 10
+#define WAIT_BETWEEN_TRIES 10
+#define SUBPROCESS_TRIES 10
+#define SUBPROCESS_WAIT_BETWEEN_TRIES 10
+#define RESOLVER_TIMEOUT 30
+/* Invalidate the network sync once per day. */
+#define STEADY_STATE_INTERVAL (60*60*24)
+/* Check if the clock has jumped every four hours. */
+#define CONTINUITY_INTERVAL (60*60*4)
+#define DEFAULT_SYNC_HWCLOCK 1
+#define DEFAULT_LOAD_FROM_DISK 1
+#define DEFAULT_SAVE_TO_DISK 1
+#define DEFAULT_USE_NETLINK 1
+#define DEFAULT_DRY_RUN 0
+#define MAX_SANE_BACKOFF (10*60) /* exponential backoff should only go this far */
+
+#ifndef TLSDATED_MAX_DATE
+#define TLSDATED_MAX_DATE 1999991337L /* this'll be a great bug some day */
+#endif
+
+#define MAX_EVENT_PRIORITIES 2
+#define PRI_SAVE 0
+#define PRI_NET 1
+#define PRI_WAKE 1
+#define PRI_ANY 1
+
+/* Sync sources in order of "reliability" */
+#define SYNC_TYPE_NONE (0)
+#define SYNC_TYPE_BUILD (1 << 0)
+#define SYNC_TYPE_DISK (1 << 1)
+#define SYNC_TYPE_RTC (1 << 2)
+#define SYNC_TYPE_PLATFORM (1 << 3)
+#define SYNC_TYPE_NET (1 << 4)
+
+/* Simple time setter<>tlsdated protocol */
+#define SETTER_EXIT 0
+#define SETTER_BAD_TIME 1
+#define SETTER_NO_SAVE 2
+#define SETTER_READ_ERR 3
+#define SETTER_TIME_SET 4
+#define SETTER_SET_ERR 5
+#define SETTER_NO_SBOX 6
+#define SETTER_NO_RTC 7
+
+#define TEST_HOST 'w', 'w', 'w', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', \
+ 'c', 'o', 'm'
+#define TEST_HOST_SIZE 14
+static const char kTestHost[] = { TEST_HOST, 0 };
+#define TEST_PORT 80
+
+/** The current version of tlsdate. */
+#define tlsdate_version VERSION
+
+/** GNU/Hurd support requires that we declare this ourselves: */
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+#ifndef MAXPATHLEN
+#define MAXPATHLEN PATH_MAX
+#endif
+
+struct source
+{
+ struct source *next;
+ char *host;
+ char *port;
+ char *proxy;
+ int id;
+};
+
+struct opts
+{
+ const char *user;
+ const char *group;
+ char *supp_groups;
+ int max_tries;
+ int min_steady_state_interval;
+ int wait_between_tries;
+ int subprocess_tries;
+ int subprocess_wait_between_tries;
+ int steady_state_interval;
+ int continuity_interval;
+ const char *base_path;
+ char **base_argv;
+ char **argv;
+ int should_sync_hwclock;
+ int should_load_disk;
+ int should_save_disk;
+ int should_netlink;
+ int dry_run;
+ int jitter;
+ char *conf_file;
+ struct source *sources;
+ struct source *cur_source;
+ char *proxy;
+ int leap;
+ int should_dbus;
+};
+
+#define MAX_FQDN_LEN 255
+#define MAX_SCHEME_LEN 9
+#define MAX_PORT_LEN 6 /* incl. : */
+#define MAX_PROXY_URL (MAX_FQDN_LEN + MAX_SCHEME_LEN + MAX_PORT_LEN + 1)
+
+enum event_id_t
+{
+ E_RESOLVER = 0,
+ E_TLSDATE,
+ E_TLSDATE_STATUS,
+ E_TLSDATE_TIMEOUT,
+ E_SAVE,
+ E_SIGCHLD,
+ E_SIGTERM,
+ E_STEADYSTATE,
+ E_ROUTEUP,
+ E_MAX
+};
+
+struct event_base;
+
+/* This struct is used for passing tlsdated runtime state between
+ * events/ in its event loop.
+ */
+struct state
+{
+ struct opts opts;
+ struct event_base *base;
+ void *dbus;
+ char **envp;
+
+ time_t clock_delta;
+ int last_sync_type;
+ time_t last_time;
+
+ char timestamp_path[PATH_MAX];
+ struct rtc_handle hwclock;
+ char dynamic_proxy[MAX_PROXY_URL];
+ /* Event triggered events */
+
+ struct event *events[E_MAX];
+ int tlsdate_monitor_fd;
+ pid_t tlsdate_pid;
+ pid_t setter_pid;
+ int setter_save_fd;
+ int setter_notify_fd;
+ uint32_t backoff;
+ int tries;
+ int resolving;
+ int running; /* tlsdate itself */
+ int exitting;
+};
+
+char timestamp_path[PATH_MAX];
+
+int is_sane_time (time_t ts);
+int load_disk_timestamp (const char *path, time_t * t);
+void save_disk_timestamp (const char *path, time_t t);
+int add_jitter (int base, int jitter);
+void time_setter_coprocess (int time_fd, int notify_fd, struct state *state);
+int tlsdate (struct state *state);
+
+int save_timestamp_to_fd (int fd, time_t t);
+void set_conf_defaults (struct opts *opts);
+int new_tlsdate_monitor_pipe (int fds[2]);
+int read_tlsdate_response (int fd, time_t *t);
+
+void invalidate_time (struct state *state);
+int check_continuity (time_t *delta);
+
+void action_check_continuity (int fd, short what, void *arg);
+void action_kickoff_time_sync (int fd, short what, void *arg);
+void action_invalidate_time (int fd, short what, void *arg);
+void action_stdin_wakeup (int fd, short what, void *arg);
+void action_netlink_ready (int fd, short what, void *arg);
+void action_run_tlsdate (int fd, short what, void *arg);
+void action_sigterm (int fd, short what, void *arg);
+void action_sync_and_save (int fd, short what, void *arg);
+void action_time_set (int fd, short what, void *arg);
+void action_tlsdate_status (int fd, short what, void *arg);
+
+int setup_event_timer_continuity (struct state *state);
+int setup_event_timer_sync (struct state *state);
+int setup_event_route_up (struct state *state);
+int setup_time_setter (struct state *state);
+int setup_tlsdate_status (struct state *state);
+int setup_sigchld_event (struct state *state, int persist);
+
+void report_setter_error (siginfo_t *info);
+
+void sync_and_save (void *hwclock_handle, int should_save);
+
+/** This is where we store parsed commandline options. */
+typedef struct
+{
+ int verbose;
+ int verbose_debug;
+ int ca_racket;
+ int help;
+ int showtime;
+ int setclock;
+ time_t manual_time;
+ char *host;
+ char *port;
+ char *protocol;
+} tlsdate_options_t;
+
+#endif /* TLSDATE_H */
diff --git a/tlsdate/src/tlsdated-unittest.c b/tlsdate/src/tlsdated-unittest.c
new file mode 100644
index 0000000..c82a85c
--- /dev/null
+++ b/tlsdate/src/tlsdated-unittest.c
@@ -0,0 +1,328 @@
+/*
+ * tlsdated-unittest.c - tlsdated unit tests
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include "src/test_harness.h"
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+#include <event2/event.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <sys/time.h>
+#include <unistd.h>
+
+FIXTURE (tempdir)
+{
+ char path[PATH_MAX];
+};
+
+FIXTURE_SETUP (tempdir)
+{
+ char *p;
+ strncpy (self->path, "/tmp/tlsdated-unit-XXXXXX", sizeof (self->path));
+ p = mkdtemp (self->path);
+ ASSERT_NE (NULL, p);
+}
+
+FIXTURE_TEARDOWN(tempdir) {
+ char buf[256];
+ snprintf(buf, sizeof(buf), "%s/load", self->path);
+ unlink(buf);
+ snprintf(buf, sizeof(buf), "%s/save", self->path);
+ unlink(buf);
+ ASSERT_EQ(0, rmdir(self->path));
+}
+
+int write_time (const char *path, time_t time)
+{
+ int fd = open (path, O_WRONLY | O_TRUNC | O_CREAT, 0600);
+ if (fd == -1)
+ return 1;
+ if (save_timestamp_to_fd (fd, time))
+ return 1;
+ if (write (fd, &time, sizeof (time)) != sizeof (time))
+ {
+ close (fd);
+ return 1;
+ }
+ return close (fd);
+}
+
+int read_time (const char *path, time_t* time)
+{
+ int fd = open (path, O_RDONLY);
+ if (fd == -1)
+ return 1;
+ if (read (fd, time, sizeof (*time)) != sizeof (*time))
+ {
+ close (fd);
+ return 1;
+ }
+ return close (fd);
+}
+
+TEST (sane_time)
+{
+ ASSERT_EQ (0, is_sane_time (0));
+ ASSERT_EQ (0, is_sane_time (INT_MAX));
+}
+
+TEST (sane_host_time)
+{
+ ASSERT_EQ (1, is_sane_time (time (NULL)));
+}
+
+TEST_F (tempdir, load_time)
+{
+ char buf[PATH_MAX];
+ time_t tm = 3;
+ time_t now = time (NULL);
+ snprintf (buf, sizeof (buf), "%s/load", self->path);
+ ASSERT_EQ (0, write_time (buf, 0));
+ ASSERT_EQ (-1, load_disk_timestamp (buf, &tm));
+ ASSERT_EQ (3, tm);
+ ASSERT_EQ (0, write_time (buf, INT_MAX));
+ ASSERT_EQ (-1, load_disk_timestamp (buf, &tm));
+ ASSERT_EQ (3, tm);
+ ASSERT_EQ (0, write_time (buf, now));
+ ASSERT_EQ (0, truncate (buf, 2));
+ ASSERT_EQ (-1, load_disk_timestamp (buf, &tm));
+ ASSERT_EQ (3, tm);
+ ASSERT_EQ (0, unlink (buf));
+ ASSERT_EQ (-1, load_disk_timestamp (buf, &tm));
+ ASSERT_EQ (3, tm);
+ ASSERT_EQ (0, write_time (buf, now));
+ ASSERT_EQ (0, load_disk_timestamp (buf, &tm));
+ ASSERT_EQ (now, tm);
+}
+
+
+TEST_F (tempdir, save_time)
+{
+ char buf[PATH_MAX];
+ time_t now = time (NULL);
+ time_t tm;
+ snprintf (buf, sizeof (buf), "%s/save", self->path);
+ ASSERT_EQ (0, write_time (buf, now));
+ ASSERT_EQ (0, read_time (buf, &tm));
+ EXPECT_EQ (now, tm);
+}
+
+FIXTURE (tlsdate)
+{
+ struct state state;
+ struct timeval timeout;
+};
+
+
+FIXTURE_SETUP (tlsdate)
+{
+ memset (self, 0, sizeof (*self));
+ /* TODO(wad) make this use the same function tlsdated uses. */
+ self->state.base = event_base_new();
+ set_conf_defaults (&self->state.opts);
+ ASSERT_NE (NULL, self->state.base);
+ event_base_priority_init (self->state.base, MAX_EVENT_PRIORITIES);
+ ASSERT_EQ (0, setup_sigchld_event (&self->state, 1));
+ self->state.events[E_TLSDATE] = event_new (self->state.base, -1, EV_TIMEOUT,
+ action_run_tlsdate, &self->state);
+ ASSERT_NE (NULL, self->state.events[E_TLSDATE]);
+ event_priority_set (self->state.events[E_TLSDATE], PRI_NET);
+ /* The timeout and fd will be filled in per-call. */
+ ASSERT_EQ (0, setup_tlsdate_status (&self->state));
+ self->timeout.tv_sec = 1;
+}
+
+FIXTURE_TEARDOWN (tlsdate)
+{
+ int i;
+ for (i = 0; i < E_MAX; ++i)
+ {
+ struct event *e = self->state.events[i];
+ if (e)
+ {
+ int fd = event_get_fd (e);
+ if (fd >= 0 && ! (event_get_events (e) & EV_SIGNAL))
+ close (fd);
+ event_free (e);
+ self->state.events[i] = NULL;
+ }
+ }
+ /* The other half was closed above. */
+ close (self->state.tlsdate_monitor_fd);
+ if (self->state.tlsdate_pid)
+ {
+ kill (self->state.tlsdate_pid, SIGKILL);
+ waitpid (self->state.tlsdate_pid, NULL, WNOHANG);
+ }
+ if (self->state.base)
+ event_base_free (self->state.base);
+}
+
+static int
+runner (FIXTURE_DATA (tlsdate) *self, time_t *newtime)
+{
+ if (newtime)
+ *newtime = 0;
+ trigger_event (&self->state, E_TLSDATE, 0);
+ event_base_loopexit (self->state.base, &self->timeout);
+ if (event_base_dispatch (self->state.base))
+ return -1;
+ if (self->state.last_time)
+ {
+ if (newtime)
+ *newtime = self->state.last_time;
+ return 0;
+ }
+ return 1;
+}
+
+TEST_F (tlsdate, runner_multi)
+{
+ struct source source =
+ {
+ .next = NULL,
+ .host = "host1",
+ .port = "port1",
+ .proxy = "proxy1"
+ };
+ char *args[] = { "/nonexistent", NULL, NULL };
+ extern char **environ;
+ self->state.opts.sources = &source;
+ self->state.opts.base_argv = args;
+ self->state.opts.subprocess_tries = 2;
+ self->state.opts.subprocess_wait_between_tries = 1;
+ self->state.opts.max_tries = 3;
+ self->state.envp = environ;
+ EXPECT_EQ (1, runner (self, NULL));
+ args[0] = "/bin/false";
+ self->state.tries = 0;
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (1, runner (self, NULL));
+ args[0] = "src/test/check-host-1";
+ self->state.tries = 0;
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+ args[0] = "src/test/sleep-wrap";
+ args[1] = "3";
+ self->state.tries = 0;
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+}
+
+TEST (jitter)
+{
+ int i = 0;
+ int r;
+ const int kBase = 100;
+ const int kJitter = 25;
+ int nonequal = 0;
+ for (i = 0; i < 1000; i++)
+ {
+ r = add_jitter (kBase, kJitter);
+ EXPECT_GE (r, kBase - kJitter);
+ EXPECT_LE (r, kBase + kJitter);
+ if (r != kBase)
+ nonequal++;
+ }
+ EXPECT_NE (nonequal, 0);
+}
+
+TEST_F (tlsdate, rotate_hosts)
+{
+ struct source s2 =
+ {
+ .next = NULL,
+ .host = "host2",
+ .port = "port2",
+ .proxy = "proxy2"
+ };
+ struct source s1 =
+ {
+ .next = &s2,
+ .host = "host1",
+ .port = "port1",
+ .proxy = "proxy1"
+ };
+ char *args[] = { "src/test/check-host-1", NULL };
+ extern char **environ;
+ self->state.envp = environ;
+ self->state.opts.sources = &s1;
+ self->state.opts.base_argv = args;
+ self->state.opts.subprocess_tries = 2;
+ self->state.opts.subprocess_wait_between_tries = 1;
+ self->state.opts.max_tries = 5;
+ self->timeout.tv_sec = 2;
+ EXPECT_EQ (0, runner (self, NULL));
+ self->state.tries = 0;
+ args[0] = "src/test/check-host-2";
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+ self->state.tries = 0;
+ args[0] = "src/test/check-host-1";
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+ self->state.tries = 0;
+ args[0] = "src/test/check-host-2";
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+}
+
+TEST_F (tlsdate, proxy_override)
+{
+ struct source s1 =
+ {
+ .next = NULL,
+ .host = "host",
+ .port = "port",
+ .proxy = NULL,
+ };
+ char *args[] = { "src/test/proxy-override", NULL };
+ extern char **environ;
+ self->state.envp = environ;
+ self->state.opts.sources = &s1;
+ self->state.opts.base_argv = args;
+ self->state.opts.subprocess_tries = 2;
+ self->state.opts.subprocess_wait_between_tries = 1;
+ EXPECT_EQ (0, runner (self, NULL));
+ EXPECT_EQ (RECENT_COMPILE_DATE + 1, self->state.last_time);
+ s1.proxy = "socks5://bad.proxy";
+ self->state.tries = 0;
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+ EXPECT_EQ (RECENT_COMPILE_DATE + 3, self->state.last_time);
+ self->state.opts.proxy = "socks5://good.proxy";
+ self->state.tries = 0;
+ self->state.last_sync_type = SYNC_TYPE_NONE;
+ EXPECT_EQ (0, runner (self, NULL));
+ EXPECT_EQ (RECENT_COMPILE_DATE + 2, self->state.last_time);
+}
+
+FIXTURE(mock_platform) {
+ struct platform platform;
+ struct platform *old_platform;
+};
+
+FIXTURE_SETUP(mock_platform) {
+ self->old_platform = platform;
+ self->platform.rtc_open = NULL;
+ self->platform.rtc_write = NULL;
+ self->platform.rtc_read = NULL;
+ self->platform.rtc_close = NULL;
+ platform = &self->platform;
+}
+
+FIXTURE_TEARDOWN(mock_platform) {
+ platform = self->old_platform;
+}
+
+/* TODO: leap_tests, time_setter tests. */
+
+TEST_HARNESS_MAIN
diff --git a/tlsdate/src/tlsdated.c b/tlsdate/src/tlsdated.c
new file mode 100644
index 0000000..f577e19
--- /dev/null
+++ b/tlsdate/src/tlsdated.c
@@ -0,0 +1,630 @@
+/*
+ * tlsdated.c - invoke tlsdate when necessary.
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * We invoke tlsdate once at system startup, then we start trying to invoke
+ * tlsdate when a new network route appears. We try a few times after each route
+ * comes up. As soon as we get a successful tlsdate run, we save that timestamp
+ * to disk, then linger to wait for system shutdown. At system shutdown
+ * (indicated by us getting SIGTERM), we save our timestamp to disk.
+ */
+
+#include "config.h"
+
+#include <assert.h>
+#include <errno.h>
+#include <grp.h> /* setgroups */
+#include <fcntl.h>
+#include <limits.h>
+#include <linux/rtc.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+
+#include <event2/event.h>
+
+#include "src/conf.h"
+#include "src/routeup.h"
+#include "src/util.h"
+#include "src/tlsdate.h"
+#include "src/dbus.h"
+#include "src/platform.h"
+
+
+static const char kTlsdatedOpts[] = "hwrpt:d:T:D:c:a:lsvbm:j:f:x:Uu:g:G:";
+const char *kCacheDir = DEFAULT_DAEMON_CACHEDIR;
+
+int
+is_sane_time (time_t ts)
+{
+ return ts > RECENT_COMPILE_DATE && ts < TLSDATED_MAX_DATE;
+}
+
+/*
+ * Load a time value out of the file named by path. Returns 0 if successful,
+ * -1 if not. The file contains the time in seconds since epoch in host byte
+ * order.
+ */
+int
+load_disk_timestamp (const char *path, time_t * t)
+{
+ int fd = platform->file_open (path, 0 /* RDONLY */, 1 /* CLOEXEC */);
+ time_t tmpt = 0;
+ if (fd < 0)
+ {
+ perror ("Can't open %s for reading", path);
+ return -1;
+ }
+ if (platform->file_read(fd, &tmpt, sizeof(tmpt)))
+ {
+ perror ("Can't read seconds from %s", path);
+ platform->file_close (fd);
+ return -1;
+ }
+ platform->file_close (fd);
+ if (!is_sane_time (tmpt))
+ {
+ error ("Disk timestamp is not sane: %ld", tmpt);
+ return -1;
+ }
+ *t = tmpt;
+ return 0;
+}
+
+
+void
+usage (const char *progn)
+{
+ printf ("Usage: %s [flags...] [--] [tlsdate command...]\n", progn);
+ printf (" -w don't set hwclock\n");
+ printf (" -p dry run (don't really set time)\n");
+ printf (" -r use stdin instead of netlink for routes\n");
+ printf (" -t <n> try n times to synchronize the time\n");
+ printf (" -d <n> delay n seconds between tries\n");
+ printf (" -T <n> give subprocess n chances to exit\n");
+ printf (" -D <n> delay n seconds between wait attempts\n");
+ printf (" -c <path> set the cache directory\n");
+ printf (" -a <n> run at most every n seconds in steady state\n");
+ printf (" -m <n> run at most once every n seconds in steady state\n");
+ printf (" -j <n> add up to n seconds jitter to steady state checks\n");
+ printf (" -l don't load disk timestamps\n");
+ printf (" -s don't save disk timestamps\n");
+ printf (" -U don't use DBus if supported\n");
+ printf (" -u <user> user to change to\n");
+ printf (" -g <grp> group to change to\n");
+ printf (" -G <grps> comma-separated list of supplementary groups\n");
+ printf (" -v be verbose\n");
+ printf (" -b use verbose debugging\n");
+ printf (" -x <h> set proxy for subprocs to h\n");
+ printf (" -h this\n");
+}
+
+void
+set_conf_defaults (struct opts *opts)
+{
+ static char *kDefaultArgv[] =
+ {
+ (char *) DEFAULT_TLSDATE, (char *) "-H", (char *) DEFAULT_HOST, NULL
+ };
+ opts->user = UNPRIV_USER;
+ opts->group = UNPRIV_GROUP;
+ opts->supp_groups = NULL;
+ opts->max_tries = MAX_TRIES;
+ opts->min_steady_state_interval = STEADY_STATE_INTERVAL;
+ opts->wait_between_tries = WAIT_BETWEEN_TRIES;
+ opts->subprocess_tries = SUBPROCESS_TRIES;
+ opts->subprocess_wait_between_tries = SUBPROCESS_WAIT_BETWEEN_TRIES;
+ opts->steady_state_interval = STEADY_STATE_INTERVAL;
+ opts->continuity_interval = CONTINUITY_INTERVAL;
+ opts->base_path = kCacheDir;
+ opts->base_argv = kDefaultArgv;
+ opts->argv = NULL;
+ opts->should_dbus = 1;
+ opts->should_sync_hwclock = DEFAULT_SYNC_HWCLOCK;
+ opts->should_load_disk = DEFAULT_LOAD_FROM_DISK;
+ opts->should_save_disk = DEFAULT_SAVE_TO_DISK;
+ opts->should_netlink = DEFAULT_USE_NETLINK;
+ opts->dry_run = DEFAULT_DRY_RUN;
+ opts->jitter = 0;
+ opts->conf_file = NULL;
+ opts->sources = NULL;
+ opts->cur_source = NULL;
+ opts->proxy = NULL;
+ opts->leap = 0;
+}
+
+void
+parse_argv (struct opts *opts, int argc, char *argv[])
+{
+ int opt;
+ while ((opt = getopt (argc, argv, kTlsdatedOpts)) != -1)
+ {
+ switch (opt)
+ {
+ case 'w':
+ opts->should_sync_hwclock = 0;
+ break;
+ case 'r':
+ opts->should_netlink = 0;
+ break;
+ case 'U':
+ opts->should_dbus = 0;
+ break;
+ case 'p':
+ opts->dry_run = 1;
+ break;
+ case 't':
+ opts->max_tries = atoi (optarg);
+ break;
+ case 'd':
+ opts->wait_between_tries = atoi (optarg);
+ break;
+ case 'T':
+ opts->subprocess_tries = atoi (optarg);
+ break;
+ case 'D':
+ opts->subprocess_wait_between_tries = atoi (optarg);
+ break;
+ case 'c':
+ opts->base_path = optarg;
+ break;
+ case 'a':
+ opts->steady_state_interval = atoi (optarg);
+ break;
+ case 'l':
+ opts->should_load_disk = 0;
+ break;
+ case 's':
+ opts->should_save_disk = 0;
+ break;
+ case 'v':
+ verbose = 1;
+ break;
+ case 'b':
+ verbose_debug = 1;
+ break;
+ case 'm':
+ opts->min_steady_state_interval = atoi (optarg);
+ break;
+ case 'j':
+ opts->jitter = atoi (optarg);
+ break;
+ case 'f':
+ opts->conf_file = optarg;
+ break;
+ case 'x':
+ opts->proxy = optarg;
+ break;
+ case 'u':
+ opts->user = optarg;
+ break;
+ case 'g':
+ opts->group = optarg;
+ break;
+ case 'G':
+ opts->supp_groups = optarg;
+ break;
+ case 'h':
+ default:
+ usage (argv[0]);
+ exit (1);
+ }
+ }
+ if (optind < argc)
+ opts->base_argv = argv + optind;
+ /* Validate arguments */
+}
+
+static
+void add_source_to_conf (struct opts *opts, char *host, char *port, char *proxy)
+{
+ struct source *s;
+ struct source *source = (struct source *) calloc (1, sizeof *source);
+ if (!source)
+ fatal ("out of memory for source");
+ source->host = strdup (host);
+ if (!source->host)
+ fatal ("out of memory for host");
+ source->port = strdup (port);
+ if (!source->port)
+ fatal ("out of memory for port");
+ if (proxy)
+ {
+ source->proxy = strdup (proxy);
+ if (!source->proxy)
+ fatal ("out of memory for proxy");
+ }
+ if (!opts->sources)
+ {
+ opts->sources = source;
+ source->id = 0;
+ }
+ else
+ {
+ for (s = opts->sources; s->next; s = s->next)
+ ;
+ source->id = s->id + 1;
+ s->next = source;
+ }
+}
+
+static struct conf_entry *
+parse_source (struct opts *opts, struct conf_entry *conf)
+{
+ char *host = NULL;
+ char *port = NULL;
+ char *proxy = NULL;
+ /* a source entry:
+ * source
+ * host <host>
+ * port <port>
+ * [proxy <proxy>]
+ * end
+ */
+ assert (!strcmp (conf->key, "source"));
+ conf = conf->next;
+ while (conf && strcmp (conf->key, "end"))
+ {
+ if (!strcmp (conf->key, "host"))
+ host = conf->value;
+ else if (!strcmp (conf->key, "port"))
+ port = conf->value;
+ else if (!strcmp (conf->key, "proxy"))
+ proxy = conf->value;
+ else
+ fatal ("malformed config: '%s' in source stanza", conf->key);
+ conf = conf->next;
+ }
+ if (!conf)
+ fatal ("unclosed source stanza");
+ if (!host || !port)
+ fatal ("incomplete source stanza (needs host, port)");
+ add_source_to_conf (opts, host, port, proxy);
+ return conf;
+}
+
+void
+load_conf (struct opts *opts)
+{
+ FILE *f;
+ struct conf_entry *conf, *e;
+ char *conf_file = opts->conf_file;
+ if (!opts->conf_file)
+ conf_file = (char *) DEFAULT_CONF_FILE;
+ f = fopen (conf_file, "r");
+ if (!f)
+ {
+ if (opts->conf_file)
+ {
+ pfatal ("can't open conf file '%s'", opts->conf_file);
+ }
+ else
+ {
+ pinfo ("can't open conf file '%s'", conf_file);
+ return;
+ }
+ }
+ conf = conf_parse (f);
+ if (!conf)
+ pfatal ("can't parse config file");
+
+ for (e = conf; e; e = e->next)
+ {
+ if (!strcmp (e->key, "max-tries") && e->value)
+ {
+ opts->max_tries = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "min-steady-state-interval") && e->value)
+ {
+ opts->min_steady_state_interval = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "wait-between-tries") && e->value)
+ {
+ opts->wait_between_tries = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "subprocess-tries") && e->value)
+ {
+ opts->subprocess_tries = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "subprocess-wait-between-tries") && e->value)
+ {
+ opts->subprocess_wait_between_tries = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "steady-state-interval") && e->value)
+ {
+ opts->steady_state_interval = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "base-path") && e->value)
+ {
+ opts->base_path = strdup (e->value);
+ if (!opts->base_path)
+ fatal ("out of memory for base path");
+ }
+ else if (!strcmp (e->key, "should-sync-hwclock"))
+ {
+ opts->should_sync_hwclock = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ else if (!strcmp (e->key, "should-load-disk"))
+ {
+ opts->should_load_disk = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ else if (!strcmp (e->key, "should-save-disk"))
+ {
+ opts->should_save_disk = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ else if (!strcmp (e->key, "should-netlink"))
+ {
+ opts->should_netlink = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ else if (!strcmp (e->key, "dry-run"))
+ {
+ opts->dry_run = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ else if (!strcmp (e->key, "jitter") && e->value)
+ {
+ opts->jitter = atoi (e->value);
+ }
+ else if (!strcmp (e->key, "verbose"))
+ {
+ verbose = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ else if (!strcmp (e->key, "source"))
+ {
+ e = parse_source (opts, e);
+ }
+ else if (!strcmp (e->key, "leap"))
+ {
+ opts->leap = e->value ? !strcmp (e->value, "yes") : 1;
+ }
+ }
+}
+
+void
+check_conf (struct state *state)
+{
+ struct opts *opts = &state->opts;
+ if (!opts->max_tries)
+ fatal ("-t argument must be nonzero");
+ if (!opts->wait_between_tries)
+ fatal ("-d argument must be nonzero");
+ if (!opts->steady_state_interval)
+ fatal ("-a argument must be nonzero");
+ int ret = snprintf (state->timestamp_path, sizeof (state->timestamp_path),
+ "%s/timestamp", opts->base_path);
+ if (ret < 0 || ((size_t) ret) >= sizeof (state->timestamp_path))
+ fatal ("supplied base path is too long: '%s'", opts->base_path);
+ if (opts->jitter >= opts->steady_state_interval)
+ fatal ("jitter must be less than steady state interval (%d >= %d)",
+ opts->jitter, opts->steady_state_interval);
+}
+
+int
+cleanup_main (struct state *state)
+{
+ int i;
+ for (i = 0; i < E_MAX; ++i)
+ {
+ struct event *e = state->events[i];
+ if (e)
+ {
+ int fd = event_get_fd (e);
+ if (fd >= 0 && ! (event_get_events (e) & EV_SIGNAL))
+ close (fd);
+ event_free (e);
+ }
+ }
+ /* The other half was closed above. */
+ platform->file_close (state->tlsdate_monitor_fd);
+ if (state->tlsdate_pid)
+ {
+ platform->process_signal (state->tlsdate_pid, SIGKILL);
+ platform->process_wait (state->tlsdate_pid, NULL, 0 /* !forever */);
+ }
+ /* Best effort to tear it down if it is still alive. */
+ close(state->setter_notify_fd);
+ close(state->setter_save_fd);
+ if (state->setter_pid)
+ {
+ platform->process_signal (state->setter_pid, SIGKILL);
+ platform->process_wait (state->setter_pid, NULL, 0 /* !forever */);
+ }
+ /* TODO(wad) Add dbus_cleanup() */
+ if (state->base)
+ event_base_free (state->base);
+ memset(state, 0, sizeof(*state));
+ info ("tlsdated clean up finished; exiting!");
+ terminate_syslog ();
+ return 0;
+}
+
+#ifdef TLSDATED_MAIN
+static const char **
+parse_supp_groups (char *arg)
+{
+ size_t i;
+ char *scan;
+ const char **supp_groups;
+
+ for (i = 1, scan = arg; (scan = strchr (scan, ',')); i++, scan++) ;
+ supp_groups = (const char **) calloc (i + 1, sizeof (const char *));
+ if (!supp_groups)
+ die ("Failed to allocate memory for supplementary group names\n");
+ for (i = 0; (supp_groups[i] = strsep (&arg, ",")); i++) ;
+ return supp_groups;
+}
+
+int API
+main (int argc, char *argv[], char *envp[])
+{
+ const char **supp_groups = NULL;
+
+ initalize_syslog ();
+ struct state state;
+ /* TODO(wad) EVENT_BASE_FLAG_PRECISE_TIMER | EVENT_BASE_FLAG_PRECISE_TIMER */
+ struct event_base *base = event_base_new();
+ if (!base)
+ {
+ fatal ("could not allocated new event base");
+ }
+ /* Add three priority levels:
+ * 0 - time saving. Must be done before any other events are handled.
+ * 1 - network synchronization events
+ * 2 - any other events (wake, platform, etc)
+ */
+ event_base_priority_init (base, MAX_EVENT_PRIORITIES);
+ memset (&state, 0, sizeof (state));
+ set_conf_defaults (&state.opts);
+ parse_argv (&state.opts, argc, argv);
+ check_conf (&state);
+ load_conf (&state.opts);
+ check_conf (&state);
+ if (!state.opts.sources)
+ add_source_to_conf (&state.opts, DEFAULT_HOST, DEFAULT_PORT, DEFAULT_PROXY);
+ state.base = base;
+ state.envp = envp;
+ state.backoff = state.opts.wait_between_tries;
+ /* TODO(wad) move this into setup_time_setter */
+ /* grab a handle to /dev/rtc for time-setter. */
+ if (state.opts.should_sync_hwclock &&
+ platform->rtc_open(&state.hwclock))
+ {
+ pinfo ("can't open hwclock fd");
+ state.opts.should_sync_hwclock = 0;
+ }
+ /* install the SIGCHLD handler for the setter and tlsdate */
+ if (setup_sigchld_event (&state, 1))
+ {
+ error ("Failed to setup SIGCHLD event");
+ goto out;
+ }
+ /* fork off the privileged helper */
+ verb ("spawning time setting helper . . .");
+ if (setup_time_setter (&state))
+ {
+ error ("could not fork privileged coprocess");
+ goto out;
+ }
+ /* release the hwclock now that the time-setter is running. */
+ if (state.opts.should_sync_hwclock)
+ {
+ platform->rtc_close (&state.hwclock);
+ }
+ /* drop privileges before touching any untrusted data */
+ if (state.opts.supp_groups)
+ supp_groups = parse_supp_groups (state.opts.supp_groups);
+ drop_privs_to (state.opts.user, state.opts.group, supp_groups);
+ free (supp_groups);
+ /* register a signal handler to save time at shutdown */
+ if (state.opts.should_save_disk)
+ {
+ struct event *event = event_new (base, SIGTERM, EV_SIGNAL|EV_PERSIST,
+ action_sigterm, &state);
+ if (!event)
+ fatal ("Failed to create SIGTERM event");
+ event_priority_set (event, PRI_SAVE);
+ event_add (event, NULL);
+ }
+ if (state.opts.should_dbus && init_dbus (&state))
+ {
+ error ("Failed to initialize DBus");
+ goto out;
+ }
+ /* Register the tlsdate event before any listeners could show up. */
+ state.events[E_TLSDATE] = event_new (base, -1, EV_TIMEOUT,
+ action_run_tlsdate, &state);
+ if (!state.events[E_TLSDATE])
+ {
+ error ("Failed to create tlsdate event");
+ goto out;
+ }
+ event_priority_set (state.events[E_TLSDATE], PRI_NET);
+ /* The timeout and fd will be filled in per-call. */
+ if (setup_tlsdate_status (&state))
+ {
+ error ("Failed to create tlsdate status event");
+ goto out;
+ }
+ /* TODO(wad) Could use a timeout on this to catch setter death? */
+ /* EV_READ is for truncation/EPIPE notification */
+ state.events[E_SAVE] = event_new (base, state.setter_save_fd,
+ EV_READ|EV_WRITE, action_sync_and_save,
+ &state);
+ if (!state.events[E_SAVE])
+ {
+ error ("Failed to create sync & save event");
+ goto out;
+ }
+ event_priority_set (state.events[E_SAVE], PRI_SAVE);
+ /* Start by grabbing the system time. */
+ state.last_sync_type = SYNC_TYPE_RTC;
+ state.last_time = time (NULL);
+ /* If possible, grab disk time and check the two. */
+ if (state.opts.should_load_disk)
+ {
+ time_t disk_time = state.last_time;
+ if (!load_disk_timestamp (state.timestamp_path, &disk_time))
+ {
+ verb ("disk timestamp available: yes (%ld)", disk_time);
+ if (!is_sane_time (state.last_time) ||
+ state.last_time < disk_time)
+ {
+ state.last_sync_type = SYNC_TYPE_DISK;
+ state.last_time = disk_time;
+ }
+ }
+ else
+ {
+ verb ("disk timestamp available: no");
+ }
+ }
+ if (!is_sane_time (state.last_time))
+ {
+ state.last_sync_type = SYNC_TYPE_BUILD;
+ state.last_time = RECENT_COMPILE_DATE + 1;
+ }
+ /* Save and announce the initial time source. */
+ trigger_event (&state, E_SAVE, -1);
+ verb ("tlsdated parasitic time synchronization initialized");
+ info ("initial time sync type: %s", sync_type_str (state.last_sync_type));
+ /* Initialize platform specific loop behavior */
+ if (platform_init_cros (&state))
+ {
+ error ("Failed to initialize platform code");
+ goto out;
+ }
+ if (setup_event_route_up (&state))
+ {
+ error ("Failed to setup route up monitoring");
+ goto out;
+ }
+ if (setup_event_timer_sync (&state))
+ {
+ error ("Failed to setup a timer event");
+ goto out;
+ }
+ if (setup_event_timer_continuity (&state))
+ {
+ error ("Failed to setup continuity timer");
+ goto out;
+ }
+ /* Add a forced sync event to the event list. */
+ action_kickoff_time_sync (-1, EV_TIMEOUT, &state);
+ verb ("Entering dispatch . . .");
+ event_base_dispatch (base);
+ verb ("tlsdated event dispatch terminating gracefully");
+out:
+ return cleanup_main (&state);
+}
+#endif /* !TLSDATED_MAIN */
diff --git a/tlsdate/src/util-plan9.c b/tlsdate/src/util-plan9.c
new file mode 100644
index 0000000..84b68fc
--- /dev/null
+++ b/tlsdate/src/util-plan9.c
@@ -0,0 +1,116 @@
+/*
+ * util.c - routeup/tlsdated utility functions
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+
+#include <grp.h>
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#if !_PLAN9_SOURCE
+#include <syslog.h>
+#endif
+#include <unistd.h>
+
+#include "src/util.h"
+
+/** helper function to print message and die */
+void
+die (const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ exit(1);
+}
+
+/** helper function for 'verbose' output */
+void
+verb (const char *fmt, ...)
+{
+ va_list ap;
+
+ if (! verbose) return;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+}
+
+#if !_PLAN9_SOURCE
+void API logat(int isverbose, const char *fmt, ...)
+{
+ if (isverbose && !verbose)
+ return;
+ va_list ap;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ fprintf(stderr, "\n");
+ va_end(ap);
+ va_start(ap, fmt);
+ vsyslog(LOG_INFO, fmt, ap);
+ va_end(ap);
+}
+#endif
+
+
+void
+drop_privs_to (const char *user, const char *group, const char **supp_groups)
+{
+#if !_PLAN9_SOURCE
+
+ uid_t uid;
+ gid_t gid;
+ struct passwd *pw;
+ struct group *gr;
+
+ /* TODO(garnold) Implement supplementary group support. */
+ if (supp_groups)
+ die ("Supplementary groups not supported\n");
+
+ if (0 != getuid ())
+ return; /* not running as root to begin with; should (!) be harmless to continue
+ without dropping to 'nobody' (setting time will fail in the end) */
+ pw = getpwnam(user);
+ gr = getgrnam(group);
+ if (NULL == pw)
+ die ("Failed to obtain UID for `%s'\n", user);
+ if (NULL == gr)
+ die ("Failed to obtain GID for `%s'\n", group);
+ uid = pw->pw_uid;
+ if (0 == uid)
+ die ("UID for `%s' is 0, refusing to run SSL\n", user);
+ gid = pw->pw_gid;
+ if (0 == gid || 0 == gr->gr_gid)
+ die ("GID for `%s' is 0, refusing to run SSL\n", user);
+ if (pw->pw_gid != gr->gr_gid)
+ die ("GID for `%s' is not `%s' as expected, refusing to run SSL\n",
+ user, group);
+
+ if (0 != initgroups((const char *)user, gr->gr_gid))
+ die ("Unable to initgroups for `%s' in group `%s' as expected\n",
+ user, group);
+
+#ifdef HAVE_SETRESGID
+ if (0 != setresgid (gid, gid, gid))
+ die ("Failed to setresgid: %s\n", strerror (errno));
+#else
+ if (0 != (setgid (gid) | setegid (gid)))
+ die ("Failed to setgid: %s\n", strerror (errno));
+#endif
+#ifdef HAVE_SETRESUID
+ if (0 != setresuid (uid, uid, uid))
+ die ("Failed to setresuid: %s\n", strerror (errno));
+#else
+ if (0 != (setuid (uid) | seteuid (uid)))
+ die ("Failed to setuid: %s\n", strerror (errno));
+#endif
+#endif /* !_PLAN9_SOURCE */
+}
+
diff --git a/tlsdate/src/util-plan9.h b/tlsdate/src/util-plan9.h
new file mode 100644
index 0000000..62f2329
--- /dev/null
+++ b/tlsdate/src/util-plan9.h
@@ -0,0 +1,42 @@
+/*
+ * util.h - routeup/tlsdated utility functions
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef UTIL_H
+#define UTIL_H
+
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+
+#if _PLAN9_SOURCE
+#define API
+#else
+#define API __attribute__((visibility("default")))
+#endif
+
+extern int verbose;
+extern int verbose_debug;
+void die (const char *fmt, ...);
+void verb (const char *fmt, ...);
+extern void logat(int isverbose, const char *fmt, ...);
+
+#define info(fmt, ...) logat(1, fmt, ## __VA_ARGS__)
+#define pinfo(fmt, ...) logat(1, fmt ": %s", ## __VA_ARGS__, strerror(errno))
+#define error(fmt, ...) logat(0, fmt, ## __VA_ARGS__)
+#define perror(fmt, ...) logat(0, fmt ": %s", ## __VA_ARGS__, strerror(errno))
+#define fatal(fmt, ...) do { logat(0, fmt, ## __VA_ARGS__); exit(1); } while (0)
+#define pfatal(fmt, ...) do { \
+ logat(0, fmt ": %s", ## __VA_ARGS__, strerror(errno)); \
+ exit(1); \
+} while (0)
+
+static inline int min(int x, int y) { return x < y ? x : y; }
+
+void drop_privs_to (const char *user, const char *group,
+ const char **supp_groups);
+
+#endif /* !UTIL_H */
diff --git a/tlsdate/src/util.c b/tlsdate/src/util.c
new file mode 100644
index 0000000..5a0acb9
--- /dev/null
+++ b/tlsdate/src/util.c
@@ -0,0 +1,440 @@
+/*
+ * util.c - routeup/tlsdated utility functions
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "config.h"
+#include "tlsdate.h"
+
+#include <fcntl.h>
+#include <grp.h>
+#include <limits.h>
+#ifdef HAVE_LINUX_RTC_H
+#include <linux/rtc.h>
+#endif
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <syslog.h>
+#include <time.h>
+#include <unistd.h>
+
+#ifdef WITH_EVENTS
+#include <event2/event.h>
+#endif
+
+#include "src/tlsdate.h"
+#include "src/util.h"
+
+#ifdef HAVE_SECCOMP_FILTER
+#include "src/seccomp.h"
+#endif
+
+#if defined(HAVE_STRUCT_RTC_TIME) && defined(RTC_SET_TIME) && defined(RTC_RD_TIME)
+#define ENABLE_RTC
+#endif
+
+const char *kTempSuffix = DEFAULT_DAEMON_TMPSUFFIX;
+
+/** helper function to print message and die */
+void
+die (const char *fmt, ...)
+{
+ va_list ap;
+ va_start (ap, fmt);
+ vfprintf (stderr, fmt, ap);
+ fprintf (stderr, "\n");
+ va_end (ap);
+ exit (1);
+}
+
+/* Initalize syslog */
+void initalize_syslog (void)
+{
+ openlog ("tlsdated", LOG_PID, LOG_DAEMON);
+}
+
+/* Signal to syslog that we're finished logging */
+void terminate_syslog (void)
+{
+ closelog ();
+}
+
+/** helper function for 'verbose' output without syslog support */
+void
+verb_no_syslog (const char *fmt, ...)
+{
+ va_list ap;
+
+ if (! verbose ) return;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ fprintf (stderr, "\n");
+ va_end(ap);
+}
+
+/** helper function for 'verbose' output */
+void
+verb (const char *fmt, ...)
+{
+ va_list ap;
+
+ if (! verbose ) return;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ fprintf (stderr, "\n");
+ va_end(ap);
+ va_start(ap, fmt);
+ vsyslog (LOG_DEBUG, fmt, ap);
+ va_end(ap);
+}
+
+void API logat (int isverbose, const char *fmt, ...)
+{
+ va_list ap;
+ if (isverbose && !verbose)
+ return;
+ va_start (ap, fmt);
+ vfprintf (stderr, fmt, ap);
+ fprintf (stderr, "\n");
+ va_end (ap);
+ va_start (ap, fmt);
+ vsyslog (LOG_INFO, fmt, ap);
+ va_end (ap);
+}
+
+void no_new_privs(void)
+{
+#ifdef TARGET_OS_LINUX
+#ifdef HAVE_PRCTL // XXX: Make this specific to PR_SET_NO_NEW_PRIVS
+ // Check to see if we're already set PR_SET_NO_NEW_PRIVS
+ // This happens in tlsdated earlier than when tlsdate-helper drops
+ // privileges.
+ if (0 == prctl (PR_GET_NO_NEW_PRIVS)) {
+ // Remove the ability to regain privileges.
+ if (0 != prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ die ("Failed to PR_SET_NO_NEW_PRIVS");
+ } else {
+ verb ("V: Parent process has already set PR_SET_NO_NEW_PRIVS");
+ }
+#else
+ verb ("V: we are unwilling to set PR_SET_NO_NEW_PRIVS");
+#endif
+#endif
+}
+
+void enable_seccomp(void)
+{
+#ifdef HAVE_SECCOMP_FILTER
+ int status;
+ prctl (PR_SET_NAME, "tlsdate seccomp");
+ verb ("V: seccomp support is enabled");
+ if (enable_setter_seccomp())
+ {
+ status = SETTER_NO_SBOX;
+ _exit (status);
+ }
+#else
+ verb ("V: seccomp support is disabled");
+#endif
+}
+
+static gid_t
+get_unpriv_gid (const char *group)
+{
+ struct group *gr = getgrnam (group);
+ if (NULL == gr)
+ die ("Failed to obtain GID for `%s'\n", group);
+ if (0 == gr->gr_gid)
+ die ("GID for `%s' is 0, refusing to run SSL\n", group);
+ return gr->gr_gid;
+}
+
+void
+drop_privs_to (const char *user, const char *group, const char **supp_groups)
+{
+ uid_t uid;
+ gid_t gid;
+ struct passwd *pw;
+ size_t num_supp, i;
+
+ if (0 != getuid ())
+ return; /* not running as root to begin with; should (!) be harmless to continue
+ without dropping to 'nobody' (setting time will fail in the end) */
+ pw = getpwnam (user);
+ if (NULL == pw)
+ die ("Failed to obtain UID for `%s'\n", user);
+ uid = pw->pw_uid;
+ if (0 == uid)
+ die ("UID for `%s' is 0, refusing to run SSL\n", user);
+ gid = get_unpriv_gid (group);
+ if (pw->pw_gid != gid)
+ die ("GID for `%s' is not `%s' as expected, refusing to run SSL\n",
+ user, group);
+ if (0 != initgroups ( (const char *) user, gid))
+ die ("Unable to initgroups for `%s' in group `%s' as expected\n",
+ user, group);
+#ifdef HAVE_SETRESGID
+ if (0 != setresgid (gid, gid, gid))
+ die ("Failed to setresgid: %s\n", strerror (errno));
+#else
+ if (0 != (setgid (gid) | setegid (gid)))
+ die ("Failed to setgid: %s\n", strerror (errno));
+#endif
+ if (supp_groups)
+ {
+ for (num_supp = 0; supp_groups[num_supp]; num_supp++) ;
+ gid_t *supp_gids = (gid_t *) calloc (num_supp, sizeof (gid_t));
+ if (!supp_gids)
+ die ("Failed to allocate memory for supplementary GIDs\n");
+ for (i = 0; i < num_supp; i++)
+ supp_gids[i] = get_unpriv_gid (supp_groups[i]);
+ if (0 != setgroups (num_supp, supp_gids))
+ die ("Failed to setgroups: %s\n", strerror (errno));
+ free (supp_gids);
+ }
+#ifdef HAVE_SETRESUID
+ if (0 != setresuid (uid, uid, uid))
+ die ("Failed to setresuid: %s\n", strerror (errno));
+#else
+ if (0 != (setuid (uid) | seteuid (uid)))
+ die ("Failed to setuid: %s\n", strerror (errno));
+#endif
+}
+
+#ifdef ENABLE_RTC
+int rtc_open(struct rtc_handle *h)
+{
+ if (!h)
+ return -1;
+ h->fd = -1;
+ /* TODO: Use platform->file_open but drop NOFOLLOW? */
+ h->fd = open(DEFAULT_RTC_DEVICE, O_RDONLY);
+ if (h->fd < 0)
+ {
+ pinfo("can't open rtc");
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Set the hardware clock referred to by fd (which should be a descriptor to
+ * some device that implements the interface documented in rtc(4)) to the system
+ * time. See hwclock(8) for details of why this is important. If we fail, we
+ * just return - there's nothing the caller can really do about a failure of
+ * this function except try later.
+ */
+int rtc_write(struct rtc_handle *handle, const struct timeval *tv)
+{
+ struct tm tmr;
+ struct tm *tm;
+ struct rtc_time rtctm;
+ int fd = handle->fd;
+
+ tm = gmtime_r (&tv->tv_sec, &tmr);
+
+ /* these structs are identical, but separately defined */
+ rtctm.tm_sec = tm->tm_sec;
+ rtctm.tm_min = tm->tm_min;
+ rtctm.tm_hour = tm->tm_hour;
+ rtctm.tm_mday = tm->tm_mday;
+ rtctm.tm_mon = tm->tm_mon;
+ rtctm.tm_year = tm->tm_year;
+ rtctm.tm_wday = tm->tm_wday;
+ rtctm.tm_yday = tm->tm_yday;
+ rtctm.tm_isdst = tm->tm_isdst;
+
+ if (ioctl (fd, RTC_SET_TIME, &rtctm))
+ {
+ pinfo ("ioctl(%d, RTC_SET_TIME, ...) failed", fd);
+ return 1;
+ }
+
+ info ("synced rtc to sysclock");
+ return 0;
+}
+
+int rtc_read(struct rtc_handle *handle, struct timeval *tv)
+{
+ struct tm tm;
+ struct rtc_time rtctm;
+ int fd = handle->fd;
+
+ if (ioctl (fd, RTC_RD_TIME, &rtctm))
+ {
+ pinfo ("ioctl(%d, RTC_RD_TIME, ...) failed", fd);
+ return 1;
+ }
+
+ tm.tm_sec = rtctm.tm_sec;
+ tm.tm_min = rtctm.tm_min;
+ tm.tm_hour = rtctm.tm_hour;
+ tm.tm_mday = rtctm.tm_mday;
+ tm.tm_mon = rtctm.tm_mon;
+ tm.tm_year = rtctm.tm_year;
+ tm.tm_wday = rtctm.tm_wday;
+ tm.tm_yday = rtctm.tm_yday;
+ tm.tm_isdst = rtctm.tm_isdst;
+
+ tv->tv_sec = mktime(&tm);
+ tv->tv_usec = 0;
+
+ return 0;
+}
+
+int rtc_close(struct rtc_handle *handle)
+{
+ struct rtc_handle *h = handle;
+ platform->file_close(h->fd);
+ h->fd = -1;
+ return 0;
+}
+#endif
+
+int file_write(int fd, void *buf, size_t sz)
+{
+ ssize_t ret = IGNORE_EINTR (pwrite (fd, buf, sz, 0));
+ return (ret >= 0 && ((size_t) ret) == sz ? 0 : -1);
+}
+
+int file_open(const char *path, int write, int cloexec)
+{
+ int fd;
+ int oflags = cloexec ? O_CLOEXEC : 0;
+ if (write)
+ {
+ int perms = S_IRUSR | S_IWUSR;
+ oflags |= O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC;
+ /* Rely on atomic write calls rather than rename() calls. */
+ fd = open(path, oflags, perms);
+ }
+ else
+ {
+ oflags |= O_RDONLY | O_NOFOLLOW;
+ fd = open(path, oflags);
+ }
+ if (fd < 0)
+ {
+ pinfo("open(%s) failed", path);
+ return -1;
+ }
+ return fd;
+}
+
+int file_close(int fd)
+{
+ return close(fd);
+}
+
+int file_read(int fd, void *buf, size_t sz)
+{
+ ssize_t ret = IGNORE_EINTR (pread (fd, buf, sz, 0));
+ return (ret >= 0 && ((size_t) ret) == sz ? 0 : -1);
+}
+
+int time_get(struct timeval *tv)
+{
+ return gettimeofday(tv, NULL);
+}
+
+int pgrp_enter(void)
+{
+ return setpgid(0, 0);
+}
+
+int pgrp_kill(void)
+{
+ pid_t grp = getpgrp();
+ return kill(-grp, SIGKILL);
+}
+
+int process_signal(pid_t pid, int signal)
+{
+ return kill (pid, signal);
+}
+
+pid_t process_wait(pid_t pid, int *status, int forever)
+{
+ int flag = forever ? 0 : WNOHANG;
+ return waitpid (pid, status, flag);
+}
+
+static struct platform default_platform = {
+#ifdef ENABLE_RTC
+ .rtc_open = rtc_open,
+ .rtc_write = rtc_write,
+ .rtc_read = rtc_read,
+ .rtc_close = rtc_close,
+#endif
+
+ .file_open = file_open,
+ .file_close = file_close,
+ .file_write = file_write,
+ .file_read = file_read,
+
+ .time_get = time_get,
+
+ .pgrp_enter = pgrp_enter,
+ .pgrp_kill = pgrp_kill,
+
+ .process_signal = process_signal,
+ .process_wait = process_wait
+};
+
+struct platform *platform = &default_platform;
+
+/* TODO(wad) rename to schedule_event */
+void
+trigger_event (struct state *state, enum event_id_t id, int sec)
+{
+#ifdef WITH_EVENTS
+ struct event *e = state->events[id];
+ struct timeval delay = { sec, 0 };
+ /* Fallthrough to tlsdate if there is no resolver. */
+ if (!e && id == E_RESOLVER)
+ e = state->events[E_TLSDATE];
+ if (!e)
+ {
+ info ("trigger_event with NULL |e|. I hope this is a test!");
+ return;
+ }
+ if (event_pending (e, EV_READ|EV_WRITE|EV_TIMEOUT|EV_SIGNAL, NULL))
+ event_del (e);
+ if (sec >= 0)
+ event_add (e, &delay);
+ else /* Note! This will not fire a TIMEOUT event. */
+ event_add (e, NULL);
+#endif
+}
+
+const char *
+sync_type_str (int sync_type)
+{
+ switch (sync_type)
+ {
+ case SYNC_TYPE_NONE:
+ return "none";
+ case SYNC_TYPE_BUILD:
+ return "build-timestamp";
+ case SYNC_TYPE_DISK:
+ return "disk-timestamp";
+ case SYNC_TYPE_RTC:
+ return "system-clock";
+ case SYNC_TYPE_PLATFORM:
+ return "platform-feature";
+ case SYNC_TYPE_NET:
+ return "network";
+ default:
+ return "error";
+ }
+}
diff --git a/tlsdate/src/util.h b/tlsdate/src/util.h
new file mode 100644
index 0000000..7166aa9
--- /dev/null
+++ b/tlsdate/src/util.h
@@ -0,0 +1,98 @@
+/*
+ * util.h - routeup/tlsdated utility functions
+ * Copyright (c) 2012 The Chromium Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef UTIL_H
+#define UTIL_H
+
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef HAVE_PRCTL
+#include <sys/prctl.h>
+#ifndef PR_SET_NO_NEW_PRIVS
+# define PR_SET_NO_NEW_PRIVS 38
+#endif
+#ifndef PR_GET_NO_NEW_PRIVS
+# define PR_GET_NO_NEW_PRIVS 39
+#endif
+#endif
+
+#include "src/rtc.h"
+
+#ifdef TARGET_OS_HAIKU
+#include <stdarg.h>
+#endif
+
+#define API __attribute__((visibility("default")))
+
+extern const char *kTempSuffix;
+#define IGNORE_EINTR(expr) ({ \
+ typeof(expr) _r; \
+ while ((_r = (expr)) == -1 && errno == EINTR); \
+ _r; \
+})
+
+extern int verbose;
+extern int verbose_debug;
+void initalize_syslog (void);
+void terminate_syslog (void);
+void die (const char *fmt, ...);
+void verb (const char *fmt, ...);
+extern void logat (int isverbose, const char *fmt, ...);
+
+#define verb_debug debug
+#define debug(fmt, ...) if (verbose_debug) logat(1, fmt, ## __VA_ARGS__)
+#define info(fmt, ...) logat(0, fmt, ## __VA_ARGS__)
+#define pinfo(fmt, ...) logat(1, fmt ": %s", ## __VA_ARGS__, strerror(errno))
+#define error(fmt, ...) logat(0, fmt, ## __VA_ARGS__)
+#define perror(fmt, ...) logat(0, fmt ": %s", ## __VA_ARGS__, strerror(errno))
+#define fatal(fmt, ...) do { logat(0, fmt, ## __VA_ARGS__); exit(1); } while (0)
+#define pfatal(fmt, ...) do { \
+ logat(0, fmt ": %s", ## __VA_ARGS__, strerror(errno)); \
+ exit(1); \
+} while (0)
+
+static inline int min (int x, int y)
+{
+ return x < y ? x : y;
+}
+
+void drop_privs_to (const char *user, const char *group,
+ const char **supp_groups);
+void no_new_privs (void);
+const char *sync_type_str (int sync_type);
+
+struct state;
+enum event_id_t;
+void trigger_event (struct state *state, enum event_id_t e, int sec);
+
+struct platform {
+ int (*rtc_open)(struct rtc_handle *);
+ int (*rtc_write)(struct rtc_handle *, const struct timeval *tv);
+ int (*rtc_read)(struct rtc_handle *, struct timeval *tv);
+ int (*rtc_close)(struct rtc_handle *);
+
+ int (*file_open)(const char *path, int write, int cloexec);
+ int (*file_close)(int fd);
+ /* Atomic file write and read */
+ int (*file_write)(int fd, void *buf, size_t sz);
+ int (*file_read)(int fd, void *buf, size_t sz);
+
+ int (*time_get)(struct timeval *tv);
+
+ int (*pgrp_enter)(void);
+ int (*pgrp_kill)(void);
+
+ int (*process_signal)(pid_t pid, int sig);
+ int (*process_wait)(pid_t pid, int *status, int timeout);
+};
+
+extern struct platform *platform;
+
+#endif /* !UTIL_H */
diff --git a/tlsdate/src/visibility.h b/tlsdate/src/visibility.h
new file mode 100644
index 0000000..b9452f1
--- /dev/null
+++ b/tlsdate/src/visibility.h
@@ -0,0 +1,75 @@
+/* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
+ *
+ * Copyright (C) 2012 Brian Aker, brian@tangent.org
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * * The names of its contributors may not be used to endorse or
+ * promote products derived from this software without specific prior
+ * written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#pragma once
+
+#if defined(BUILDING_TLSDATE)
+# if defined(HAVE_VISIBILITY) && HAVE_VISIBILITY
+# define TLSDATE_API __attribute__ ((visibility("default")))
+# define TLSDATE_LOCAL __attribute__ ((visibility("default")))
+# elif defined (__SUNPRO_C) && (__SUNPRO_C >= 0x550)
+# define TLSDATE_API __global
+# define TLSDATE_LOCAL __global
+# elif defined(_MSC_VER)
+# define TLSDATE_API extern __declspec(dllexport)
+# define TLSDATE_LOCAL extern __declspec(dllexport)
+# else
+# define TLSDATE_API
+# define TLSDATE_LOCAL
+# endif
+#else
+# if defined(BUILDING_TLSDATE)
+# if defined(HAVE_VISIBILITY) && HAVE_VISIBILITY
+# define TLSDATE_API __attribute__ ((visibility("default")))
+# define TLSDATE_LOCAL __attribute__ ((visibility("hidden")))
+# elif defined (__SUNPRO_C) && (__SUNPRO_C >= 0x550)
+# define TLSDATE_API __global
+# define TLSDATE_LOCAL __hidden
+# elif defined(_MSC_VER)
+# define TLSDATE_API extern __declspec(dllexport)
+# define TLSDATE_LOCAL
+# else
+# define TLSDATE_API
+# define TLSDATE_LOCAL
+# endif /* defined(HAVE_VISIBILITY) */
+# else /* defined(BUILDING_TLSDATE) */
+# if defined(_MSC_VER)
+# define TLSDATE_API extern __declspec(dllimport)
+# define TLSDATE_LOCAL
+# else
+# define TLSDATE_API
+# define TLSDATE_LOCAL
+# endif /* defined(_MSC_VER) */
+# endif /* defined(BUILDING_TLSDATE) */
+#endif /* defined(BUILDING_TLSDATEINTERNAL) */
diff --git a/tlsdate/systemd/tlsdated.service b/tlsdate/systemd/tlsdated.service
new file mode 100644
index 0000000..5515a8e
--- /dev/null
+++ b/tlsdate/systemd/tlsdated.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Secure parasitic time daemon
+After=network.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/default/tlsdated
+ExecStart=/usr/sbin/tlsdated ${DAEMON_OPTS}
+ExecReload=/bin/kill -HUP ${MAINPID}
+ExecStop=/bin/kill -INT ${MAINPID}
diff --git a/tlsdate/test.conf b/tlsdate/test.conf
new file mode 100644
index 0000000..96827ef
--- /dev/null
+++ b/tlsdate/test.conf
@@ -0,0 +1,2 @@
+min-steady-state-interval 0
+wait-between-tries 1
diff --git a/tlsdate/tests/README b/tlsdate/tests/README
new file mode 100644
index 0000000..e0c0e00
--- /dev/null
+++ b/tlsdate/tests/README
@@ -0,0 +1 @@
+Integration tests for tlsdate/tlsdated.
diff --git a/tlsdate/tests/common.sh b/tlsdate/tests/common.sh
new file mode 100644
index 0000000..9e488db
--- /dev/null
+++ b/tlsdate/tests/common.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+kill_tlsdated() {
+ kill -TERM $PPID
+}
+
+result_passed() {
+ res=$(cat "$(mydir)"/"result")
+ if [ $res = "ok" ]; then
+ return 0
+ fi
+ return 1
+}
+
+check_err() {
+ grep -q "$1" "$(mydir)"/"run-err"
+}
+
+passed_if_timed_out() {
+ echo "ok" > "$(mydir)"/"result"
+}
+
+passed() {
+ echo "ok" > "$(mydir)"/"result"
+ kill_tlsdated
+}
+
+failed() {
+ echo "failed" > "$(mydir)"/"result"
+ kill_tlsdated
+}
+
+mydir() {
+ echo "$(dirname "$0")"
+}
+
+counter() {
+ cat "$(mydir)"/"$1"
+}
+
+inc_counter() {
+ c=$(counter "$1")
+ echo $((c + 1)) >"$(mydir)"/"$1"
+}
+
+reset_counter() {
+ echo 0 > "$(mydir)"/"$1"
+}
+
+reset_time() {
+ date +%s > "$(mydir)"/"$1"
+}
+
+emit_time() {
+ src/test/emit `cat "$(mydir)"/"$1"`
+}
diff --git a/tlsdate/tests/run-idle/output b/tlsdate/tests/run-idle/output
new file mode 100644
index 0000000..9766475
--- /dev/null
+++ b/tlsdate/tests/run-idle/output
@@ -0,0 +1 @@
+ok
diff --git a/tlsdate/tests/run-idle/setup b/tlsdate/tests/run-idle/setup
new file mode 100755
index 0000000..bd12ed6
--- /dev/null
+++ b/tlsdate/tests/run-idle/setup
@@ -0,0 +1,5 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_time "timestamp"
+reset_counter "runs"
diff --git a/tlsdate/tests/run-idle/subproc.sh b/tlsdate/tests/run-idle/subproc.sh
new file mode 100755
index 0000000..f01a814
--- /dev/null
+++ b/tlsdate/tests/run-idle/subproc.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+. "$(dirname $0)"/../common.sh
+
+inc_counter "runs"
+c=$(counter "runs")
+[ $c -eq 3 ] && passed
+
+# Bump it three seconds to overcome the steady state interval.
+inc_counter "timestamp"
+inc_counter "timestamp"
+inc_counter "timestamp"
+emit_time "timestamp"
diff --git a/tlsdate/tests/run-idle/teardown b/tlsdate/tests/run-idle/teardown
new file mode 100644
index 0000000..b153b10
--- /dev/null
+++ b/tlsdate/tests/run-idle/teardown
@@ -0,0 +1,15 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_counter "runs"
+# If the run count passed, then make sure the
+# time was being set and it wasn't error calls.
+if result_passed; then
+ if check_err 'time set from the network'; then
+ passed
+ else
+ failed
+ fi
+fi
+
+
diff --git a/tlsdate/tests/run-idle/test.conf b/tlsdate/tests/run-idle/test.conf
new file mode 100644
index 0000000..c97ac9b
--- /dev/null
+++ b/tlsdate/tests/run-idle/test.conf
@@ -0,0 +1,4 @@
+min-steady-state-interval 0
+steady-state-interval 1
+subprocess-tries 1
+subprocess-wait-between-tries 2
diff --git a/tlsdate/tests/run-once/output b/tlsdate/tests/run-once/output
new file mode 100644
index 0000000..9766475
--- /dev/null
+++ b/tlsdate/tests/run-once/output
@@ -0,0 +1 @@
+ok
diff --git a/tlsdate/tests/run-once/run-error b/tlsdate/tests/run-once/run-error
new file mode 100644
index 0000000..f84e1cf
--- /dev/null
+++ b/tlsdate/tests/run-once/run-error
@@ -0,0 +1 @@
+Killed
diff --git a/tlsdate/tests/run-once/subproc.sh b/tlsdate/tests/run-once/subproc.sh
new file mode 100755
index 0000000..5bf92e1
--- /dev/null
+++ b/tlsdate/tests/run-once/subproc.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+. "$(dirname $0)"/../common.sh
+passed
diff --git a/tlsdate/tests/run-routeup/input.sh b/tlsdate/tests/run-routeup/input.sh
new file mode 100755
index 0000000..fd33215
--- /dev/null
+++ b/tlsdate/tests/run-routeup/input.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Wake up from stdin twice.
+c=0
+while [ $c -lt 120 ]; do
+ echo
+ sleep 0.2
+ c=$((c+1))
+done
diff --git a/tlsdate/tests/run-routeup/output b/tlsdate/tests/run-routeup/output
new file mode 100644
index 0000000..9766475
--- /dev/null
+++ b/tlsdate/tests/run-routeup/output
@@ -0,0 +1 @@
+ok
diff --git a/tlsdate/tests/run-routeup/setup b/tlsdate/tests/run-routeup/setup
new file mode 100755
index 0000000..c4afd68
--- /dev/null
+++ b/tlsdate/tests/run-routeup/setup
@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_counter "runs"
diff --git a/tlsdate/tests/run-routeup/subproc.sh b/tlsdate/tests/run-routeup/subproc.sh
new file mode 100755
index 0000000..18bb5c9
--- /dev/null
+++ b/tlsdate/tests/run-routeup/subproc.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+. "$(dirname $0)"/../common.sh
+
+inc_counter "runs"
+c=$(counter "runs")
+[ $c -eq 2 ] && passed
+
+# Always emit a bogus time so that stdin retriggers.
+src/test/emit "0"
diff --git a/tlsdate/tests/run-routeup/teardown b/tlsdate/tests/run-routeup/teardown
new file mode 100644
index 0000000..c4afd68
--- /dev/null
+++ b/tlsdate/tests/run-routeup/teardown
@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_counter "runs"
diff --git a/tlsdate/tests/run-routeup/test.conf b/tlsdate/tests/run-routeup/test.conf
new file mode 100644
index 0000000..14a7747
--- /dev/null
+++ b/tlsdate/tests/run-routeup/test.conf
@@ -0,0 +1,4 @@
+# Don't let steady state trigger the next call.
+min-steady-state-interval 10
+steady-state-interval 30
+wait-between-tries 1
diff --git a/tlsdate/tests/subproc-retry/output b/tlsdate/tests/subproc-retry/output
new file mode 100644
index 0000000..0dae225
--- /dev/null
+++ b/tlsdate/tests/subproc-retry/output
@@ -0,0 +1,3 @@
+dying
+dying
+ok
diff --git a/tlsdate/tests/subproc-retry/setup b/tlsdate/tests/subproc-retry/setup
new file mode 100755
index 0000000..c4afd68
--- /dev/null
+++ b/tlsdate/tests/subproc-retry/setup
@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_counter "runs"
diff --git a/tlsdate/tests/subproc-retry/subproc.sh b/tlsdate/tests/subproc-retry/subproc.sh
new file mode 100755
index 0000000..b3fded7
--- /dev/null
+++ b/tlsdate/tests/subproc-retry/subproc.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Die on the first three attempts.
+. "$(dirname $0)"/../common.sh
+
+inc_counter "runs"
+if [ $(counter "runs") -lt 3 ]; then
+ exit 1
+fi
+passed
diff --git a/tlsdate/tests/subproc-retry/teardown b/tlsdate/tests/subproc-retry/teardown
new file mode 100644
index 0000000..c4afd68
--- /dev/null
+++ b/tlsdate/tests/subproc-retry/teardown
@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_counter "runs"
diff --git a/tlsdate/tests/wait-idle/output b/tlsdate/tests/wait-idle/output
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tlsdate/tests/wait-idle/output
diff --git a/tlsdate/tests/wait-idle/setup b/tlsdate/tests/wait-idle/setup
new file mode 100755
index 0000000..bd12ed6
--- /dev/null
+++ b/tlsdate/tests/wait-idle/setup
@@ -0,0 +1,5 @@
+#!/bin/sh
+. "$(dirname "$0")"/../common.sh
+
+reset_time "timestamp"
+reset_counter "runs"
diff --git a/tlsdate/tests/wait-idle/subproc.sh b/tlsdate/tests/wait-idle/subproc.sh
new file mode 100755
index 0000000..2994a5c
--- /dev/null
+++ b/tlsdate/tests/wait-idle/subproc.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+# Make sure that a longer steady state after a successful run
+# doesn't call again too soon.
+. "$(dirname $0)"/../common.sh
+
+emit_time "timestamp"
+# This one expects a timeout to end it.
+passed_if_timed_out
+
+inc_counter "runs"
+c=$(counter "runs")
+[ $c -eq 2 ] && failed
+
diff --git a/tlsdate/tlsdate-brew-formula.rb b/tlsdate/tlsdate-brew-formula.rb
new file mode 100644
index 0000000..5ed9bf3
--- /dev/null
+++ b/tlsdate/tlsdate-brew-formula.rb
@@ -0,0 +1,27 @@
+require 'formula'
+
+class Tlsdate < Formula
+ homepage 'https://www.github.com/ioerror/tlsdate/'
+ url 'https://nodeload.github.com/ioerror/tlsdate/tar.gz/master'
+ # This hash will never be correct until we put a tagged version into master
+ # update accordingly until we do a proper release that supports OS X
+ sha1 '2e818eb327af74c6a6c86a8c8b3911e20be9bc0f'
+ version '0.0.6'
+
+ depends_on 'autoconf' => :build
+ depends_on 'automake' => :build
+ depends_on 'libtool' => :build
+ depends_on 'pkg-config' => :build
+
+ def install
+ system "./autogen.sh"
+ system "./configure", "--disable-debug", "--disable-dependency-tracking",
+ "--prefix=#{prefix}"
+ system "make"
+ system "make install"
+ end
+
+ def test
+ system "tlsdate -v -n"
+ end
+end
diff --git a/tlsdate/tlsdate-seccomp-amd64.policy b/tlsdate/tlsdate-seccomp-amd64.policy
new file mode 100644
index 0000000..d22afdc
--- /dev/null
+++ b/tlsdate/tlsdate-seccomp-amd64.policy
@@ -0,0 +1,48 @@
+mmap: 1
+open: 1
+read: 1
+close: 1
+fstat: 1
+mprotect: 1
+munmap: 1
+stat: 1
+write: 1
+lseek: 1
+brk: 1
+fcntl: 1
+execve: 1
+sendto: 1
+# Allow domain == PF_FILE || domain == PF_INET || domain == PF_NETLINK
+socket: arg0 == 1 || arg0 == 2 || arg0 == 16
+connect: 1
+poll: 1
+access: 1
+arch_prctl: 1
+wait4: 1
+rt_sigaction: 1
+exit_group: 1
+rt_sigprocmask: 1
+clone: 1
+# Allow request == RTC_SET_TIME || request == FIONREAD
+ioctl: arg1 == 0x4024700a || arg1 == 0x541b
+getuid: 1
+exit: 1
+rt_sigreturn: 1
+rename: 1
+select: 1
+setgid: 1
+settimeofday: 1
+restart_syscall: 1
+setresgid: 1
+setgroups: 1
+setsockopt: 1
+bind: 1
+recvfrom: 1
+setresuid: 1
+nanosleep: 1
+clock_gettime: 1
+clock_settime: 1
+futex: 1
+getrlimit: 1
+set_robust_list: 1
+set_tid_address: 1
diff --git a/tlsdate/tlsdate-seccomp-arm.policy b/tlsdate/tlsdate-seccomp-arm.policy
new file mode 100644
index 0000000..2d31d89
--- /dev/null
+++ b/tlsdate/tlsdate-seccomp-arm.policy
@@ -0,0 +1,50 @@
+open: 1
+read: 1
+mmap2: 1
+stat64: 1
+close: 1
+fstat64: 1
+_newselect: 1
+mprotect: 1
+munmap: 1
+gettimeofday: 1
+_llseek: 1
+write: 1
+rt_sigprocmask: 1
+brk: 1
+execve: 1
+fcntl64: 1
+rt_sigaction: 1
+send: 1
+poll: 1
+# Allow domain == PF_FILE || domain == PF_INET || domain == PF_NETLINK
+socket: arg0 == 1 || arg0 == 2 || arg0 == 16
+uname: 1
+connect: 1
+access: 1
+ARM_set_tls: 1
+wait4: 1
+exit_group: 1
+getuid32: 1
+clone: 1
+# Allow request == RTC_SET_TIME || request == FIONREAD
+ioctl: arg1 == 0x4024700a || arg1 == 0x541b
+setgid32: 1
+recvfrom: 1
+setresuid32: 1
+setgroups32: 1
+settimeofday: 1
+restart_syscall: 1
+setsockopt: 1
+setresgid32: 1
+nanosleep: 1
+exit: 1
+rt_sigreturn: 1
+rename: 1
+bind: 1
+clock_gettime: 1
+clock_settime: 1
+futex: 1
+ugetrlimit: 1
+set_robust_list: 1
+set_tid_address: 1
diff --git a/tlsdate/tlsdate-seccomp-x86.policy b/tlsdate/tlsdate-seccomp-x86.policy
new file mode 100644
index 0000000..da790c9
--- /dev/null
+++ b/tlsdate/tlsdate-seccomp-x86.policy
@@ -0,0 +1,47 @@
+open: 1
+mmap2: 1
+read: 1
+close: 1
+fstat64: 1
+stat64: 1
+munmap: 1
+mprotect: 1
+time: 1
+socketcall: 1
+_llseek: 1
+brk: 1
+write: 1
+execve: 1
+fcntl64: 1
+gettimeofday: 1
+poll: 1
+access: 1
+set_thread_area: 1
+waitpid: 1
+exit_group: 1
+rt_sigprocmask: 1
+getuid32: 1
+clone: 1
+rt_sigaction: 1
+# Allow request == RTC_SET_TIME || request == FIONREAD
+ioctl: arg1 == 0x4024700a || arg1 == 0x541b
+setgid32: 1
+setgroups32: 1
+setresuid32: 1
+settimeofday: 1
+restart_syscall: 1
+setresgid32: 1
+nanosleep: 1
+exit: 1
+rt_sigreturn: 1
+rename: 1
+select: 1
+_newselect: 1
+clock_gettime: 1
+clock_settime: 1
+futex: 1
+getrlimit: 1
+ugetrlimit: 1
+set_robust_list: 1
+set_tid_address: 1
+uname: 1
