notaryproject · Two-Hearts · Jul 22, 2024 · Dec 6, 2023 · Jan 4, 2024 · Jan 4, 2024
@@ -28,6 +28,7 @@
 	"github.com/notaryproject/notation/internal/cmd"
 	"github.com/notaryproject/notation/internal/envelope"
 	"github.com/notaryproject/notation/internal/httputil"
+	nx509 "github.com/notaryproject/notation/internal/x509"
 	"github.com/notaryproject/tspclient-go"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/cobra"
@@ -222,7 +223,7 @@
 		fmt.Printf("Configured to timestamp with TSA %q\n", opts.tsaServerURL)
 		signOpts.Timestamper, err = tspclient.NewHTTPTimestamper(httputil.NewClient(ctx, &http.Client{Timeout: timestampingTimeout}), opts.tsaServerURL)
 		if err != nil {
 			return notation.SignOptions{}, fmt.Errorf("cannot get http timestamper for timestamping: %w", err)
 		}

 		rootCerts, err := corex509.ReadCertificateFile(opts.tsaRootCertificatePath)
@@ -230,10 +231,22 @@
 			return notation.SignOptions{}, err
 		}
 		if len(rootCerts) == 0 {
-			return notation.SignOptions{}, fmt.Errorf("cannot find any tsa root certificate from %q. Expecting x509 certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
+			return notation.SignOptions{}, fmt.Errorf("cannot find any certificate from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
+		}
+		if len(rootCerts) > 1 {
+			return notation.SignOptions{}, fmt.Errorf("found more than one certificates from %q. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
+		}
+		tsaRootCert := rootCerts[0]
+		isRoot, err := nx509.IsRootCertificate(tsaRootCert)
+		if err != nil {
+			return notation.SignOptions{}, fmt.Errorf("failed to check root certificate with error: %w", err)
+		}
+		if !isRoot {
+			return notation.SignOptions{}, fmt.Errorf("certificate from %q is not a root certificate. Expecting single x509 root certificate in PEM or DER format from the file", opts.tsaRootCertificatePath)
+
 		}
 		rootCAs := x509.NewCertPool()
-		rootCAs.AddCert(rootCerts[0])
+		rootCAs.AddCert(tsaRootCert)
 		signOpts.TSARootCAs = rootCAs
 	}
 	return signOpts, nil

@@ -4,7 +4,7 @@ go 1.22
 
 require (
 	github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b
-	github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b
+	github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a
 	github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0

@@ -37,8 +37,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw=
 github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
-github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc=
-github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI=
+github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a h1:o3kYOcQii0dMaDKdxnr1wPlEskXHHkDZDDb3kuss+W0=
+github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a/go.mod h1:FwHtZC29bBvFdJu0NYM5MHxSrHJGwhkPRvEgevNo9wo=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTIyMDYzMDE5MjAwM1oYDzMwMjExMDMxMTkyMDAzWjAYMRYwFAYDVQQDDA1J
+bnRlcm1lZGlhdGUxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1JTs
+aiC/7+bho43kMVyHDwCsuocYp4PvYahB59NsKDR4QbrImU5ziaQ94D0DQqthe9pm
+qOW0SxN/vSRJAZFELxacrB9hc1y4MjiDYaRSt/LVx7astylBV/QRpmxWSEqp0Avu
+6nMJivIa1sD0WIEchizx6jG9BI5ULr9LbJICYvMgDalQR+0JGG+rKWnf1mPZyxEu
+9zEh215LCg5K56P3W5kC8fKBXSdSgTqZAvHzp6u78qet9S8gARtOEfS03A/7y7MC
+U0Sn2wdQyQdci0PBsR2sTZvUw179Cr93r5aRbb3I6jXgMWHAP2vvIndb9CM9ePyY
+yEy4Je7oWVVfMQ3CWQIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud
+DwEB/wQEAwICBDANBgkqhkiG9w0BAQsFAAOCAQEALR0apUQVbWGmagLUz4Y/bRsl
+mY9EJJXCiLuSxVWd3offjZfQTlGkQkCAW9FOQnm7JhEtaaHF1+AEVLo56/Gsd/hk
+sXsrBagYGi72jun7QTb6j7iZ3X9zanrP3SjdkpjVnqxRfH83diSh0r68Xruq1NSK
+qhUy1V+KQaXF0SSEutPqdTCoXUyxyXohVLU78uqZX/jx9Nc1XDuW9AZd+hMsLdk8
+qGJqHYFvj2vOHGMTeYk8dWgMBthQeL0wdsg2AvKtAvn6FQXCN7mKCWjpFTtYsU8v
+NsesS9M/i+geJjR/8/DDT3RP7S100BtCMm4XfHfmKcjXVaBh5evQVqGsa6TKLw==
+-----END CERTIFICATE-----
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAkygAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzEJ
+MAcGA1UECBMAMQkwBwYDVQQHEwAxDzANBgNVBAoTBk5vdGFyeTENMAsGA1UEAxME
+dGVzdDAeFw0yNDA3MjIwNTIwMzZaFw0yNDA4MjIwNTIwMzZaMEwxCzAJBgNVBAYT
+AlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEPMA0GA1UEChMGTm90
+YXJ5MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAp7XmYGf3p4JS/y5v6AIc/TxQvPTwIRxVmctNmDm5kG3LDUoGAAJbicTUfI/0
+Un38j/PlHNKQz9hKPwV+oYotKuQrVhaA2fft+INl36tvgCAPr8yX3ToOMCLr/UlT
+zQ7o9TB7IpnVT9DR9uik9MWfkz0Db5ARG1POquvSy2QM5wseEA58313YJ/7Em/Cq
+FCH5s9THCfQKpb09MZ/RTEggNqU4zGADah8e1KieYeZntM/hrw7sW5oeUueKG4D4
+3kvL8o7n1k6C+w8LwaOGhYXCQ51JxTE3lnmTrDdFRuKGObpNFNbLxdJPVLuHT1Nu
+bwVxj5APBJQyEyja3jJ9qLQANwIDAQABo1owWDAOBgNVHQ8BAf8EBAMCAgQwEwYD
+VR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU
+yPScYtI4hs0+ibHaRV9BsgY734AwDQYJKoZIhvcNAQELBQADggEBABJHh3NELq1b
+jcJiJX76DwDTx+FGGN96/+T5622FGg1kHeAwuxS6pQODJNrVofbrhGAqaXTDT/Tz
+0b0AA5XCohmBFZQRwMh+C5QkFiIcZ9VMMBc6KTQT8DEgjI6Qo/OW2TDGOoFuAhmh
+4a1ACHszuHS55Th+0TKLqeZNA6DnL9IBm0RX1FJXbqhjX52ZnRH3Zqe7uML+kxKt
+LUdfnxHrpA1G2ugyAj+K7K6vth5QpezwCS1PZD2s5vlJd6clawxm5qRyyU46ow/y
+7bpTSEyg6PIWWh/qv4O2t4NMa1OoRkIXx/ppsKH9XwbRg/WZ0VWlGVS6GxBtLSpG
+tkyaxSRLdz0=
+-----END CERTIFICATE-----
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIBeTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEP
+MA0GA1UEAxMGYWxwaW5lMB4XDTIzMDUwOTA0NTUxMloXDTMzMDUxMDA0NTUxMlow
+TjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8w
+DQYDVQQKEwZOb3RhcnkxDzANBgNVBAMTBmFscGluZTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAK5hpq1229GGLjMK6i9KZhuUO+SV7rUFnWIDiIPO5yWx
+YDkl+bGroeAvJYu6MVCMQ6FMRXD9jhnG6R+sAHwY7gVgcJ1OXak87PkLp/Ii1Cr7
+XkkySZeD+Br1vSQzfxs3pFG+iBCeVVkeZdsg+xqwnAlqAILXwIbTGRyJP1Xiu9nw
+OeuX1YmxPl2m29Pt1EtfVCL9COsVKt5LgOVyWP/9ISWevOBqSCU9bk35HFo9VTeU
+f6+ffhSMjv0Y9uwkFFOKXpcV8Sa3ArqyBmgQlUfGg1iwYlqiDE0fTYxiB3gLgETA
+lmTm50J+WB9LoDrnrQpbXFLoegm+JV+uSD8J8H7DL2sCAwEAAaMnMCUwDgYDVR0P
+AQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
+AQAt0Nvna1c4pPn8kzoN5VvmFmeIgdO/BJpmdhdg0WIQ9aeN/xPXXaVjPp1Mk7ed
+XHAvBwQr0Gyzqyy7g/h0gdnAFG7f6blrRNzbrRBCq6cNqX8iwgK/9+2OYKxk1QWj
+8Gx0cvu1DN1aXjPPGgQ2j3tHjJvJv32J/zuZa8gU40RPPSLaBlc5ZjpFmyi29sKl
+TeeZ+F/Ssic51qXXw2CsYGGWK5yQ3xSCxbw6bb2G/s/YI7/KlWg9BktBJHzRu04Z
+NR77W7/dyJ3Lj17PlW1XKmMOFHsQivagXeRCbmYZ43fX4ugFRFKL7KE0EgmGOWpJ
+0xv+6ig93sqHzQ/0uv1YgFov
+-----END CERTIFICATE-----
@@ -0,0 +1,30 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package x509
+
+import (
+	"bytes"
+	"crypto/x509"
+)
+
+// IsRootCertificate returns true if cert is a root certificate.
+// A root certificate MUST be a self-signed and self-issued CA certificate with
+// valid BasicConstraints.
+func IsRootCertificate(cert *x509.Certificate) (bool, error) {
+	// CheckSignatureFrom also checks cert.BasicConstraintsValid
+	if err := cert.CheckSignatureFrom(cert); err != nil {
+		return false, err
+	}
+	return cert.IsCA && bytes.Equal(cert.RawSubject, cert.RawIssuer), nil
+}
@@ -0,0 +1,67 @@
+// Copyright The Notary Project Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package x509
+
+import (
+	"testing"
+
+	corex509 "github.com/notaryproject/notation-core-go/x509"
+)
+
+func TestIsRootCertificate(t *testing.T) {
+	tsaRoot, err := corex509.ReadCertificateFile("../testdata/tsaRootCA.cer")
+	if err != nil {
+		t.Fatal(err)
+	}
+	isRoot, err := IsRootCertificate(tsaRoot[0])
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !isRoot {
+		t.Fatal("expected IsRootCertificate to return true")
+	}
+
+	intermediate, err := corex509.ReadCertificateFile("../testdata/intermediate.pem")
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedErrMsg := "crypto/rsa: verification error"
+	_, err = IsRootCertificate(intermediate[0])
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+	}
+
+	selfSigned, err := corex509.ReadCertificateFile("../testdata/self-signed.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedErrMsg = "x509: invalid signature: parent certificate cannot sign this kind of certificate"
+	_, err = IsRootCertificate(selfSigned[0])
+	if err == nil || err.Error() != expectedErrMsg {
+		t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+	}
+
+	notSelfIssued, err := corex509.ReadCertificateFile("../testdata/notSelfIssued.crt")
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedErrMsg = "x509: invalid signature: parent certificate cannot sign this kind of certificate"
+	isRoot, err = IsRootCertificate(notSelfIssued[0])
+	if err != nil {
+		t.Fatal(err)
+	}
+	if isRoot {
+		t.Fatal("expected IsRootCertificate to return false")
+	}
+}
@@ -5,7 +5,7 @@ go 1.21
 require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b
-	github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b
+	github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/spf13/cobra v1.7.0
 )

@@ -39,8 +39,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b h1:uJ4bmNieZRkPj3UgmKr3bZr8vs7UJ2MdlJMeB0oOaZw=
 github.com/notaryproject/notation-core-go v1.0.4-0.20240716001320-f45197cbd53b/go.mod h1:MdxSbL9F5h63EmtXWfYMWy7hEmGmOmsfN4B6KM2WyhY=
-github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b h1:Bz/b2CxF5zs4/+/o37zC47U8yipMBkFdP5QTZtqZfJc=
-github.com/notaryproject/notation-go v1.1.1-0.20240715044011-b52583166f2b/go.mod h1:h0U0bVTjCxnozj1OhyeqQsNWWd7frFK+DUJsnH6tAhI=
+github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a h1:o3kYOcQii0dMaDKdxnr1wPlEskXHHkDZDDb3kuss+W0=
+github.com/notaryproject/notation-go v1.1.1-0.20240719045753-83409204754a/go.mod h1:FwHtZC29bBvFdJu0NYM5MHxSrHJGwhkPRvEgevNo9wo=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.1.1-0.20240715235637-df25ef8d2172 h1:Q8UsmeFMzyFuMMq4dlbIRJUi7khEKXKUe2H2Hm3W92Y=

@@ -280,32 +280,62 @@ var _ = Describe("notation sign", func() {
 		})
 	})
 
-	It("with empty tsa server", func() {
+	It("with timestamping and empty tsa server", func() {
 		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 			notation.ExpectFailure().Exec("sign", "--timestamp-url", "", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()).
 				MatchErrKeyWords("Error: timestamping: tsa url cannot be empty")
 		})
 	})
 
-	It("with empty tsa root cert", func() {
+	It("with timestamping and empty tsa root cert", func() {
 		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 			notation.ExpectFailure().Exec("sign", "--timestamp-url", "dummy", "--timestamp-root-cert", "", artifact.ReferenceWithDigest()).
 				MatchErrKeyWords("Error: timestamping: tsa root certificate path cannot be empty")
 		})
 	})
 
-	It("with invalid tsa server", func() {
+	It("with timestamping and invalid tsa server", func() {
 		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 			notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://invalid.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "globalsignTSARoot.cer"), artifact.ReferenceWithDigest()).
 				MatchErrKeyWords("Error: timestamp: Post \"http://invalid.com\"").
 				MatchErrKeyWords("server misbehaving")
 		})
 	})
 
-	It("with invalid tsa root certificate", func() {
+	It("with timestamping and invalid tsa root certificate", func() {
 		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
 			notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "invalid.crt"), artifact.ReferenceWithDigest()).
 				MatchErrKeyWords("Error: x509: malformed certificate")
 		})
 	})
+
+	It("with timestamping and empty tsa root certificate file", func() {
+		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "Empty.txt"), artifact.ReferenceWithDigest()).
+				MatchErrKeyWords("cannot find any certificate from").
+				MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file")
+		})
+	})
+
+	It("with timestamping and more than one certificates in tsa root certificate file", func() {
+		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "CertChain.pem"), artifact.ReferenceWithDigest()).
+				MatchErrKeyWords("found more than one certificates").
+				MatchErrKeyWords("Expecting single x509 root certificate in PEM or DER format from the file")
+		})
+	})
+
+	It("with timestamping and intermediate certificate file", func() {
+		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "intermediate.pem"), artifact.ReferenceWithDigest()).
+				MatchErrKeyWords("failed to check root certificate with error: crypto/rsa: verification error")
+		})
+	})
+
+	It("with timestamping and not self-issued certificate file", func() {
+		Host(BaseOptions(), func(notation *utils.ExecOpts, artifact *Artifact, vhost *utils.VirtualHost) {
+			notation.ExpectFailure().Exec("sign", "--timestamp-url", "http://timestamp.digicert.com", "--timestamp-root-cert", filepath.Join(NotationE2EConfigPath, "timestamp", "notSelfIssued.crt"), artifact.ReferenceWithDigest()).
+				MatchErrKeyWords("is not a root certificate. Expecting single x509 root certificate in PEM or DER format from the file")
+		})
+	})
 })
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCATugAwIBAgIQJOyDt70f+HOyQMEt06yvpjAKBggqhkjOPQQDAjAkMRAw
+DgYDVQQKEwdBY21lIENvMRAwDgYDVQQDEwdSb290IENBMB4XDTIyMDcyMjA1MjEz
+N1oXDTIzMDcyMjA1MjEzN1owKDEQMA4GA1UEChMHQWNtZSBDbzEUMBIGA1UEAwwL
+dGVzdF9jZXJ0XzEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATnf3lSRtUYOeph
+UQZvUm5niB8kpm7kn6iAm2zwCTBeqKbUtgESCbN+x6TTpWZIaEo+CDu1rPUdicB3
+FUwXNzz8o0swSTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DAYDVR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwCgYIKoZIzj0EAwID
+SQAwRgIhAMgdV/zJnwK0J4ZBXZVwAB6abpgNcESFScDeQQyIzRs8AiEAjjLTfkXp
+CuoXnu5/hYy6Li7Smw3UbW3XKkekOELMFYo=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBnjCCAUOgAwIBAgIQBUvhbMcjM35qmJzncyZ5tzAKBggqhkjOPQQDAjAkMRAw
+DgYDVQQKEwdBY21lIENvMRAwDgYDVQQDEwdSb290IENBMB4XDTIyMDcyMjA1MjEz
+N1oXDTIzMDcyMjA1MjEzN1owJDEQMA4GA1UEChMHQWNtZSBDbzEQMA4GA1UEAxMH
+Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGmby5GUiBDR+Ge+s/R9
+EqOfoDwEdDBPYU0emJg8j8CPJGM0ldalI1Sk7YMTIi34clvfTqEixE7nDwQj8FjQ
+VvCjVzBVMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTcOHZMx0z3I9Hi8oa2Kp0umdXOsTAKBggq
+hkjOPQQDAgNJADBGAiEArHTaO3f6vaiI+4IOrR7SYSzeHIAqoFAWFcf1yOzxDA4C
+IQDRcDIPWJd7pXvFJT/Q++Vkq9QuUhqrigCQDkgksnxf5w==
+-----END CERTIFICATE-----
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTIyMDYzMDE5MjAwM1oYDzMwMjExMDMxMTkyMDAzWjAYMRYwFAYDVQQDDA1J
+bnRlcm1lZGlhdGUxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1JTs
+aiC/7+bho43kMVyHDwCsuocYp4PvYahB59NsKDR4QbrImU5ziaQ94D0DQqthe9pm
+qOW0SxN/vSRJAZFELxacrB9hc1y4MjiDYaRSt/LVx7astylBV/QRpmxWSEqp0Avu
+6nMJivIa1sD0WIEchizx6jG9BI5ULr9LbJICYvMgDalQR+0JGG+rKWnf1mPZyxEu
+9zEh215LCg5K56P3W5kC8fKBXSdSgTqZAvHzp6u78qet9S8gARtOEfS03A/7y7MC
+U0Sn2wdQyQdci0PBsR2sTZvUw179Cr93r5aRbb3I6jXgMWHAP2vvIndb9CM9ePyY
+yEy4Je7oWVVfMQ3CWQIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1Ud
+DwEB/wQEAwICBDANBgkqhkiG9w0BAQsFAAOCAQEALR0apUQVbWGmagLUz4Y/bRsl
+mY9EJJXCiLuSxVWd3offjZfQTlGkQkCAW9FOQnm7JhEtaaHF1+AEVLo56/Gsd/hk
+sXsrBagYGi72jun7QTb6j7iZ3X9zanrP3SjdkpjVnqxRfH83diSh0r68Xruq1NSK
+qhUy1V+KQaXF0SSEutPqdTCoXUyxyXohVLU78uqZX/jx9Nc1XDuW9AZd+hMsLdk8
+qGJqHYFvj2vOHGMTeYk8dWgMBthQeL0wdsg2AvKtAvn6FQXCN7mKCWjpFTtYsU8v
+NsesS9M/i+geJjR/8/DDT3RP7S100BtCMm4XfHfmKcjXVaBh5evQVqGsa6TKLw==
+-----END CERTIFICATE-----
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAkygAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzEJ
+MAcGA1UECBMAMQkwBwYDVQQHEwAxDzANBgNVBAoTBk5vdGFyeTENMAsGA1UEAxME
+dGVzdDAeFw0yNDA3MjIwNTIwMzZaFw0yNDA4MjIwNTIwMzZaMEwxCzAJBgNVBAYT
+AlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEPMA0GA1UEChMGTm90
+YXJ5MQ0wCwYDVQQDEwR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAp7XmYGf3p4JS/y5v6AIc/TxQvPTwIRxVmctNmDm5kG3LDUoGAAJbicTUfI/0
+Un38j/PlHNKQz9hKPwV+oYotKuQrVhaA2fft+INl36tvgCAPr8yX3ToOMCLr/UlT
+zQ7o9TB7IpnVT9DR9uik9MWfkz0Db5ARG1POquvSy2QM5wseEA58313YJ/7Em/Cq
+FCH5s9THCfQKpb09MZ/RTEggNqU4zGADah8e1KieYeZntM/hrw7sW5oeUueKG4D4
+3kvL8o7n1k6C+w8LwaOGhYXCQ51JxTE3lnmTrDdFRuKGObpNFNbLxdJPVLuHT1Nu
+bwVxj5APBJQyEyja3jJ9qLQANwIDAQABo1owWDAOBgNVHQ8BAf8EBAMCAgQwEwYD
+VR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQU
+yPScYtI4hs0+ibHaRV9BsgY734AwDQYJKoZIhvcNAQELBQADggEBABJHh3NELq1b
+jcJiJX76DwDTx+FGGN96/+T5622FGg1kHeAwuxS6pQODJNrVofbrhGAqaXTDT/Tz
+0b0AA5XCohmBFZQRwMh+C5QkFiIcZ9VMMBc6KTQT8DEgjI6Qo/OW2TDGOoFuAhmh
+4a1ACHszuHS55Th+0TKLqeZNA6DnL9IBm0RX1FJXbqhjX52ZnRH3Zqe7uML+kxKt
+LUdfnxHrpA1G2ugyAj+K7K6vth5QpezwCS1PZD2s5vlJd6clawxm5qRyyU46ow/y
+7bpTSEyg6PIWWh/qv4O2t4NMa1OoRkIXx/ppsKH9XwbRg/WZ0VWlGVS6GxBtLSpG
+tkyaxSRLdz0=
+-----END CERTIFICATE-----