diff options
| -rw-r--r-- | .travis.yml | 14 | ||||
| -rwxr-xr-x | .travis/install.sh | 8 | ||||
| -rwxr-xr-x | .travis/run.sh | 13 | ||||
| -rw-r--r-- | CHANGELOG.rst | 12 | ||||
| -rw-r--r-- | docs/fernet.rst | 44 | ||||
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/ec.rst | 8 | ||||
| -rw-r--r-- | docs/installation.rst | 55 | ||||
| -rw-r--r-- | docs/spelling_wordlist.txt | 2 | ||||
| -rw-r--r-- | docs/x509/tutorial.rst | 19 | ||||
| -rw-r--r-- | src/_cffi_src/build_openssl.py | 19 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/ssl.py | 19 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 7 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 6 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/binding.py | 6 | ||||
| -rw-r--r-- | vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem | 67 |
15 files changed, 216 insertions, 83 deletions
diff --git a/.travis.yml b/.travis.yml index c61682ed..f1c3567d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -71,23 +71,27 @@ matrix: - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py26 + env: TOXENV=py26 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py27 + env: TOXENV=py27 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py33 + env: TOXENV=py33 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py34 + env: TOXENV=py34 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=pypy + env: TOXENV=pypy CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 + - language: generic + os: osx + osx_image: beta-xcode6.3 + env: TOXENV=py27 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=0 - language: generic os: osx osx_image: beta-xcode6.3 diff --git a/.travis/install.sh b/.travis/install.sh index 17aee435..3ff723da 100755 --- a/.travis/install.sh +++ b/.travis/install.sh @@ -35,8 +35,8 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then ;; pypy) brew outdated pyenv || brew upgrade pyenv - pyenv install pypy-2.6.0 - pyenv global pypy-2.6.0 + pyenv install pypy-2.6.1 + pyenv global pypy-2.6.1 ;; pypy3) brew outdated pyenv || brew upgrade pyenv @@ -57,8 +57,8 @@ else PYENV_ROOT="$HOME/.pyenv" PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init -)" - pyenv install pypy-2.6.0 - pyenv global pypy-2.6.0 + pyenv install pypy-2.6.1 + pyenv global pypy-2.6.1 fi pip install virtualenv fi diff --git a/.travis/run.sh b/.travis/run.sh index 17358655..3667b333 100755 --- a/.travis/run.sh +++ b/.travis/run.sh @@ -8,7 +8,12 @@ if [[ "$(uname -s)" == "Darwin" ]]; then if [[ "${OPENSSL}" != "0.9.8" ]]; then # set our flags to use homebrew openssl export ARCHFLAGS="-arch x86_64" - export LDFLAGS="-L/usr/local/opt/openssl/lib" + # if the build is static we need different LDFLAGS + if [[ "${CRYPTOGRAPHY_OSX_NO_LINK_FLAGS}" == "1" ]]; then + export LDFLAGS="/usr/local/opt/openssl/lib/libssl.a /usr/local/opt/openssl/lib/libcrypto.a" + else + export LDFLAGS="-L/usr/local/opt/openssl/lib" + fi export CFLAGS="-I/usr/local/opt/openssl/include" # The Travis OS X jobs are run for two versions # of OpenSSL, but we only need to run the @@ -21,8 +26,12 @@ else PYENV_ROOT="$HOME/.pyenv" PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init -)" - pyenv global pypy-2.6.0 + pyenv global pypy-2.6.1 fi fi source ~/.venv/bin/activate tox -- $TOX_FLAGS +# Output information about linking of the OpenSSL library on OS X +if [[ "$(uname -s)" == "Darwin" ]]; then + otool -L `find .tox -name _openssl*.so` +fi diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 900a3365..f8c7eefa 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,6 +6,18 @@ Changelog .. note:: This version is not yet released and is under active development. +1.0.1 - 2015-09-05 +~~~~~~~~~~~~~~~~~~ + +* We now ship OS X wheels that statically link OpenSSL by default. When + installing a wheel on OS X 10.10+ (and using a Python compiled against the + 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for + alternate installation methods if required. +* Set the default string mask to UTF-8 in the OpenSSL backend to resolve + character encoding issues with older versions of OpenSSL. +* Several new OpenSSL bindings have been added to support a future pyOpenSSL + release. +* Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+. 1.0 - 2015-08-12 ~~~~~~~~~~~~~~~~ diff --git a/docs/fernet.rst b/docs/fernet.rst index eacbc2ae..a2bab32a 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -3,7 +3,7 @@ Fernet (symmetric encryption) .. currentmodule:: cryptography.fernet -Fernet provides guarantees that a message encrypted using it cannot be +Fernet guarantees that a message encrypted using it cannot be manipulated or read without the key. `Fernet`_ is an implementation of symmetric (also known as "secret key") authenticated cryptography. Fernet also has support for implementing key rotation via :class:`MultiFernet`. @@ -106,6 +106,47 @@ has support for implementing key rotation via :class:`MultiFernet`. See :meth:`Fernet.decrypt` for more information. + +Using passwords with Fernet +--------------------------- + +It is possible to use passwords with Fernet. To do this, you need to run the +password through a key derivation function such as +:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, bcrypt or +scrypt. + +.. doctest:: + + >>> import base64 + >>> import os + >>> from cryptography.fernet import Fernet + >>> from cryptography.hazmat.backends import default_backend + >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC + >>> password = b"password" + >>> salt = os.urandom(16) + >>> kdf = PBKDF2HMAC( + ... algorithm=hashes.SHA256(), + ... length=32, + ... salt=salt, + ... iterations=100000, + ... backend=default_backend() + ... ) + >>> key = base64.urlsafe_b64encode(kdf.derive(password)) + >>> f = Fernet(key) + >>> token = f.encrypt(b"Secret message!") + >>> token + '...' + >>> f.decrypt(token) + 'Secret message!' + +In this scheme, the salt has to be stored in a retrievable location in order +to derive the same key from the password in the future. + +The iteration count used should be adjusted to be as high as your server can +tolerate. A good default is at least 100,000 iterations which is what Django +`recommends`_ in 2014. + Implementation -------------- @@ -125,3 +166,4 @@ For complete details consult the `specification`_. .. _`Fernet`: https://github.com/fernet/spec/ .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md +.. _`recommends`: https://github.com/django/django/blob/master/django/utils/crypto.py#L148 diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 323f4c3f..01671d44 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -126,9 +126,9 @@ Elliptic Curves --------------- Elliptic curves provide equivalent security at much smaller key sizes than -asymmetric cryptography systems such as RSA or DSA. For some operations they -can also provide higher performance at every security level. According to NIST -they can have as much as a `64x lower computational cost than DH`_. +other asymmetric cryptography systems such as RSA or DSA. For many operations +elliptic curves are also significantly faster; `elliptic curve diffie-hellman +is faster than diffie-hellman`_. .. note:: Curves with a size of `less than 224 bits`_ should not be used. You should @@ -421,7 +421,7 @@ Key Interfaces .. _`FIPS 186-4`: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf .. _`some concern`: https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters .. _`less than 224 bits`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf -.. _`64x lower computational cost than DH`: https://www.nsa.gov/business/programs/elliptic_curve.shtml +.. _`elliptic curve diffie-hellman is faster than diffie-hellman`: http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1100&context=cseconfwork .. _`minimize the number of security concerns for elliptic-curve cryptography`: http://cr.yp.to/ecdh/curve25519-20060209.pdf .. _`SafeCurves`: http://safecurves.cr.yp.to/ .. _`ECDSA`: https://en.wikipedia.org/wiki/ECDSA diff --git a/docs/installation.rst b/docs/installation.rst index f7a88b98..277e021b 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -118,38 +118,65 @@ build. Building cryptography on OS X ----------------------------- -Building cryptography requires the presence of a C compiler and development -headers. On OS X this is typically provided by Apple's Xcode development tools. -To install the Xcode command line tools on open a terminal window and run: +The wheel package on OS X is a statically linked build (as of 1.0.1) so for +users on 10.10 (Yosemite) and above you need two steps: .. code-block:: console $ xcode-select --install -This will install a compiler (clang) along with the required development -headers. If you wish to compile against a more recent OpenSSL than the -version shipped with OS X see the next section. +followed by -Using your own OpenSSL on OS X -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. code-block:: console + + $ pip install cryptography + +If you want to build cryptography yourself or are on an older OS X version +cryptography requires the presence of a C compiler, development headers, and +the proper libraries. On OS X much of this is provided by Apple's Xcode +development tools. To install the Xcode command line tools open a terminal +window and run: + +.. code-block:: console + + $ xcode-select --install + +This will install a compiler (clang) along with (most of) the required +development headers. + +You'll also need OpenSSL, which you can obtain from `Homebrew`_ or `MacPorts`_. + +To build cryptography and dynamically link it: + +`Homebrew`_ + +.. code-block:: console + + $ brew install openssl + $ env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography + +`MacPorts`_: + +.. code-block:: console + + $ sudo port install openssl + $ env LDFLAGS="-L/opt/local/lib" CFLAGS="-I/opt/local/include" pip install cryptography -To link cryptography against a custom version of OpenSSL you'll need to set -``ARCHFLAGS``, ``LDFLAGS``, and ``CFLAGS``. OpenSSL can be installed via -`Homebrew`_ or `MacPorts`_: +You can also build cryptography statically: `Homebrew`_ .. code-block:: console $ brew install openssl - $ env ARCHFLAGS="-arch x86_64" LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography + $ env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="$(brew --prefix openssl)/lib/libssl.a $(brew --prefix openssl)/lib/libcrypto.a" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography -or `MacPorts`_: +`MacPorts`_: .. code-block:: console $ sudo port install openssl - $ env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/opt/local/lib" CFLAGS="-I/opt/local/include" pip install cryptography + $ env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="/opt/local/lib/libssl.a /opt/local/lib/libcrypto.a" CFLAGS="-I/opt/local/include" pip install cryptography Building cryptography with conda -------------------------------- diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 1eed7c7a..75497840 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -1,6 +1,7 @@ affine backend backends +bcrypt Backends Blowfish boolean @@ -22,6 +23,7 @@ deserialize deserialized Diffie Docstrings +Django Encodings fernet Fernet diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index 6e587d8b..0fa061a2 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -37,7 +37,7 @@ are the most common types of keys on the web right now): ... backend=default_backend() ... ) >>> # Write our key to disk for safe keeping - >>> with open("path/to/store/key.pem", "w") as f: + >>> with open("path/to/store/key.pem", "wb") as f: ... f.write(key.private_bytes( ... encoding=serialization.Encoding.PEM, ... format=serialization.PrivateFormat.TraditionalOpenSSL, @@ -67,15 +67,18 @@ a few details: ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"), - ... ])).add_extension(x509.SubjectAlternativeName([ - ... # Describe what sites we want this certificate for. - ... x509.DNSName(u"mysite.com"), - ... x509.DNSName(u"www.mysite.com"), - ... x509.DNSName(u"subdomain.mysite.com"), + ... ])).add_extension( + ... x509.SubjectAlternativeName([ + ... # Describe what sites we want this certificate for. + ... x509.DNSName(u"mysite.com"), + ... x509.DNSName(u"www.mysite.com"), + ... x509.DNSName(u"subdomain.mysite.com"), + ... ]), + ... critical=False, ... # Sign the CSR with our private key. - ... ])).sign(key, hashes.SHA256(), default_backend()) + ... ).sign(key, hashes.SHA256(), default_backend()) >>> # Write our CSR out to disk. - >>> with open("path/to/csr.pem", "w") as f: + >>> with open("path/to/csr.pem", "wb") as f: ... f.write(csr.public_bytes(serialization.Encoding.PEM)) Now we can give our CSR to a CA, who will give a certificate to us in return. diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 6a5bf2da..defa69d3 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -4,6 +4,7 @@ from __future__ import absolute_import, division, print_function +import os import sys from _cffi_src.utils import build_ffi_for_binding, extra_link_args @@ -11,15 +12,27 @@ from _cffi_src.utils import build_ffi_for_binding, extra_link_args def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. - if platform != "win32": + if platform == "darwin": + return _osx_libraries( + os.environ.get("CRYPTOGRAPHY_OSX_NO_LINK_FLAGS") + ) + elif platform == "win32": + return ["libeay32", "ssleay32", "advapi32", + "crypt32", "gdi32", "user32", "ws2_32"] + else: # In some circumstances, the order in which these libs are # specified on the linker command-line is significant; # libssl must come before libcrypto # (http://marc.info/?l=openssl-users&m=135361825921871) return ["ssl", "crypto"] + + +def _osx_libraries(build_static): + # For building statically we don't want to pass the -lssl or -lcrypto flags + if build_static == "1": + return [] else: - return ["libeay32", "ssleay32", "advapi32", - "crypt32", "gdi32", "user32", "ws2_32"] + return ["ssl", "crypto"] _OSX_PRE_INCLUDE = """ diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 7a7968a1..ccabb872 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -45,6 +45,7 @@ static const long Cryptography_HAS_SSL_OP_NO_TICKET; static const long Cryptography_HAS_NETBSD_D1_METH; static const long Cryptography_HAS_NEXTPROTONEG; static const long Cryptography_HAS_ALPN; +static const long Cryptography_HAS_SET_CERT_CB; static const long SSL_FILETYPE_PEM; static const long SSL_FILETYPE_ASN1; @@ -204,6 +205,8 @@ Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); +int SSL_renegotiate(SSL *); +int SSL_renegotiate_pending(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); @@ -406,6 +409,12 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *, void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *); long SSL_get_server_tmp_key(SSL *, EVP_PKEY **); + +/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support + * earlier versions some special handling of these is necessary. + */ +void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *); +void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *); """ CUSTOMIZATIONS = """ @@ -609,6 +618,16 @@ static const long Cryptography_HAS_ALPN = 0; static const long Cryptography_HAS_ALPN = 1; #endif +/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */ +#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER) +void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL; +void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL; +static const long Cryptography_HAS_SET_CERT_CB = 0; +#else +static const long Cryptography_HAS_SET_CERT_CB = 1; +#endif + + #if defined(OPENSSL_NO_COMP) || defined(LIBRESSL_VERSION_NUMBER) static const long Cryptography_HAS_COMPRESSION = 0; typedef void COMP_METHOD; diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 8c4abcd6..197bcb8c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -529,13 +529,6 @@ class Backend(object): self._binding.init_static_locks() - # adds all ciphers/digests for EVP - self._lib.OpenSSL_add_all_algorithms() - # registers available SSL/TLS ciphers and digests - self._lib.SSL_library_init() - # loads error strings for libcrypto and libssl functions - self._lib.SSL_load_error_strings() - self._cipher_registry = {} self._register_default_ciphers() self.activate_osrandom_engine() diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index adf00b02..670710b1 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -410,5 +410,9 @@ CONDITIONAL_NAMES = { ], "Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE": [ "X509_V_FLAG_CHECK_SS_SIGNATURE", - ] + ], + "Cryptography_HAS_SET_CERT_CB": [ + "SSL_CTX_set_cert_cb", + "SSL_set_cert_cb", + ], } diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index e18d89c5..50d7f6d5 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -92,6 +92,12 @@ class Binding(object): if not cls._lib_loaded: cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES) cls._lib_loaded = True + # initialize the SSL library + cls.lib.SSL_library_init() + # adds all ciphers/digests for EVP + cls.lib.OpenSSL_add_all_algorithms() + # loads error strings for libcrypto and libssl functions + cls.lib.SSL_load_error_strings() cls._register_osrandom_engine() @classmethod diff --git a/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem b/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem index 960363d0..fdc82ae6 100644 --- a/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem +++ b/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem @@ -1,37 +1,36 @@ -----BEGIN X509 CRL----- -MIIGZTCCBU0CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV +MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw -MDAwMFowggTsMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjB1AgEBGA8yMDE1MDEwMTAw -MDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDcGA1UdHQEB/wQtMCuk -KTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1Ud -FQQDCgEAMHUCAQIYDzIwMTUwMTAxMDAwMDAwWjBfMBgGA1UdGAQRGA8yMDE1MDEw -MTAwMDAwMFowNwYDVR0dAQH/BC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQD -DA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwdQIBAxgPMjAxNTAxMDEwMDAw -MDBaMF8wGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA3BgNVHR0BAf8ELTArpCkw -JzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUE -AwoBAjB1AgEEGA8yMDE1MDEwMTAwMDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEw -MDAwMDBaMDcGA1UdHQEB/wQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP -Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEDMHUCAQUYDzIwMTUwMTAxMDAwMDAw -WjBfMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNwYDVR0dAQH/BC0wK6QpMCcx -CzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMK -AQQwdQIBBhgPMjAxNTAxMDEwMDAwMDBaMF8wGAYDVR0YBBEYDzIwMTUwMTAxMDAw -MDAwWjA3BgNVHR0BAf8ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2Ny -eXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBBTB1AgEHGA8yMDE1MDEwMTAwMDAwMFow -XzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDcGA1UdHQEB/wQtMCukKTAnMQsw -CQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEG -MHUCAQgYDzIwMTUwMTAxMDAwMDAwWjBfMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAw -MFowNwYDVR0dAQH/BC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw -dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgwdQIBCRgPMjAxNTAxMDEwMDAwMDBaMF8w -GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA3BgNVHR0BAf8ELTArpCkwJzELMAkG -A1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBCTB1 -AgEKGA8yMDE1MDEwMTAwMDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBa -MDcGA1UdHQEB/wQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRv -Z3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIwMTUwMTAxMDAwMDAwWjAYMAoG -A1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYO41YpMSq -6pPwgp2gqBUHPkFe4FuoxP4kXpsdAurQMb3WM8eZBNMQkgLP94ZYW3cliy+QClb3 -3EzTbckFhnS/avpQGD92hkp7gY5aETL8PuxFpK8qD3gzS+YZ0icbHbqacGxRYwT5 -rdSKb0B5soXe6Wf149Z6mze3X8+kCKpZILHytFzlCeiUZ0lG4bZRYNyQEqGzpsXD -8LuA5McqwASR1QkGNJTT7TKLBIfhy4CSt5aclnmdf4sWNQa9i560lj38ariZExXV -mqtqFIfhvJiVwpljj08uWZocVJcCOEQ9yxk5iVRWMicT79p6wukHqq8ecJBkgH/W -EO3JcHNjZRmW +MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw +MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn +MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD +CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw +MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw +dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww +GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE +BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE +GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG +A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5 +LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR +GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw +FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx +MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr +pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV +HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx +MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP +Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw +WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ +BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw +cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw +WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy +YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV +HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV +UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw +MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3 +DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+ +drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c +oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4 +7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz +SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y +C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw -----END X509 CRL----- |