author | portix <none@none> | 2013-02-27 10:06:55 +0100 |
---|---|---|
committer | portix <none@none> | 2013-02-27 10:06:55 +0100 |
commit | 244a3de85ed9d7ee77cc514fd2efa5b5336810c5 (patch) | |
tree | 795c615029c72f53dd66b8ae3946ba1d584fc598 | |
parent | 82119ac5df62069860b27fd4b783322c7a02bfb7 (diff) | |
parent | c1be2d00f1d6e55bdfea0f24f141b3dc73639c0e (diff) | |
download | dwb-244a3de85ed9d7ee77cc514fd2efa5b5336810c5.zip |
Automated merge with ssh://bitbucket.org/portix/dwb
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | config.mk | 7 | ||||
-rw-r--r-- | src/config.h | 4 | ||||
-rw-r--r-- | src/dwb.c | 20 | ||||
-rw-r--r-- | src/dwb.h | 2 | ||||
-rw-r--r-- | src/hsts.c | 922 | ||||
-rw-r--r-- | src/hsts.h | 29 | ||||
-rw-r--r-- | util/Makefile | 11 | ||||
-rw-r--r-- | util/convert_transport_security.c | 397 | ||||
-rw-r--r-- | util/settings.pre | 3 | ||||
-rw-r--r-- | util/transport_security_state_static.certs | 1209 | ||||
-rw-r--r-- | util/transport_security_state_static.json | 579 |
12 files changed, 3178 insertions, 6 deletions
@@ -9,5 +9,6 @@ Bastien Dejean 2012 Sean DuBois 2012 Jonas Haag 2010 Elias Norberg <xyzzy@kudzu.se> 2013 +Adam Ehlers Nyholm Thomsen 2012 Nathan Owens 2011-2012 Jason Woofenden 2012 @@ -92,7 +92,12 @@ $(error Cannot find gtk2-libs or gtk3-libs) endif #has gtk3 libs endif #has gtk2 libs endif #GTK=3 - +GNUTLS=gnutls +ifeq ($(shell pkg-config --exists $(GNUTLS) && echo 1), 1) +LIBS+=$(GNUTLS) +else +$(error Cannot find $(GNUTLS)) +endif # HTML-files diff --git a/src/config.h b/src/config.h index e4b6dede..67edea8f 100644 --- a/src/config.h +++ b/src/config.h @@ -960,7 +960,7 @@ static WebSettings DWB_SETTINGS[] = { SETTING_GLOBAL, BOOLEAN, { .b = false }, (S_Func) dwb_set_proxy, { 0 }, }, { { "proxy-url", "The HTTP-proxy url", }, SETTING_GLOBAL, CHAR, { .p = NULL }, (S_Func) dwb_soup_init_proxy, { 0 }, }, - { { "ssl-strict", "Whether to allow only save certificates", }, + { { "ssl-strict", "Whether to allow only safe certificates", }, SETTING_GLOBAL, BOOLEAN, { .b = true }, (S_Func) dwb_soup_init_session_features, { 0 }, }, #ifdef WITH_LIBSOUP_2_38 { { "ssl-use-system-ca-file", "Whether to use the system certification file", }, @@ -1142,6 +1142,8 @@ static WebSettings DWB_SETTINGS[] = { SETTING_GLOBAL, BOOLEAN, { .b = false }, (S_Func)dwb_set_adblock, { 0 }, }, { { "adblocker-filterlist", "Path to a filterlist", }, SETTING_GLOBAL, CHAR, { .p = NULL }, NULL, { 0 }, }, + { { "hsts", "Whether HSTS support should be enabled",}, + SETTING_GLOBAL, BOOLEAN, { .b = true }, (S_Func)dwb_set_hsts, { 0 }, }, #ifdef WITH_LIBSOUP_2_38 { { "addressbar-dns-lookup", "Whether to perform a dns check for text typed into the address bar", }, SETTING_GLOBAL | SETTING_ONINIT, BOOLEAN, { .b = false }, (S_Func)dwb_set_dns_lookup, { 0 }, }, @@ -48,6 +48,7 @@ #include "application.h" #include "scripts.h" #include "dom.h" +#include "hsts.h" /* DECLARATIONS {{{*/ static DwbStatus dwb_webkit_setting(GList *, WebSettings *); 
@@ -179,6 +180,18 @@ dwb_set_accept_language(GList *gl, WebSettings *s) g_object_set(webkit_get_default_session(), "accept-language", s->arg_local.p, NULL); return STATUS_OK; }/*}}}*/ +void +dwb_set_hsts(GList *gl, WebSettings *s) +{ + if (s->arg_local.b) + { + hsts_activate(); + } + else + { + hsts_deactivate(); + } +} /*{{{*/ //static DwbStatus @@ -3334,8 +3347,8 @@ dwb_clean_up() // 'execute' can crash scripts_end(); - for (GList *l = dwb.keymap; l; l=l->next) - { + hsts_end(); /* Assumes it has access to dwb.settings */ + for (GList *l = dwb.keymap; l; l=l->next) { KeyMap *m = l->data; if (m->map->prop & CP_SCRIPT) { @@ -4283,6 +4296,8 @@ dwb_init_files() dwb_check_create(dwb.files[FILES_PLUGINS_ALLOW]); dwb.files[FILES_CUSTOM_KEYS] = g_build_filename(profile_path, "custom_keys", NULL); dwb_check_create(dwb.files[FILES_CUSTOM_KEYS]); + dwb.files[FILES_HSTS] = g_build_filename(profile_path, "hsts", NULL); + dwb_check_create(dwb.files[FILES_HSTS]); userscripts = g_build_filename(path, "userscripts", NULL); dwb.files[FILES_USERSCRIPTS] = util_check_directory(userscripts); @@ -4493,6 +4508,7 @@ dwb_init() dwb_init_hints(NULL, NULL); dwb_soup_init(); + hsts_init(); } /*}}}*/ /*}}}*/ /* FIFO {{{*/ @@ -800,6 +800,7 @@ enum Files { FILES_COOKIES_SESSION_ALLOW, FILES_DOWNLOAD_PATH, FILES_HISTORY, + FILES_HSTS, FILES_KEYS, FILES_MIMETYPES, FILES_QUICKMARKS, @@ -957,6 +958,7 @@ gboolean dwb_update_find_quickmark(const char *text); gboolean dwb_entry_activate(GdkEventKey *e); void dwb_set_adblock(GList *, WebSettings *); +void dwb_set_hsts(GList *, WebSettings *); gboolean dwb_eval_key(GdkEventKey *); gboolean dwb_eval_override_key(GdkEventKey *e, CommandProperty prop); diff --git a/src/hsts.c b/src/hsts.c new file mode 100644 index 00000000..5b8a253b --- /dev/null +++ b/src/hsts.c 
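Review bot: `dwb_set_hsts` calls `hsts_activate()`, but `hsts_activate()` calls `hsts_init()`, which on first use calls `hsts_activate()` again before returning true, so on that path the provider reaches `soup_session_add_feature` twice; it is added again whenever the setting is re-applied while HSTS is already attached. `hsts_deactivate()` removes it only once, so switching the setting off may leave the feature attached, depending on how libsoup treats a repeated add. Break the mutual call between `hsts_init()` and `hsts_activate()` and track the attached state explicitly, e.g. a `static gboolean s_active;` that `hsts_activate`/`hsts_deactivate` check and update. A one-line comment above the function, such as `/* Setting callback: attach or detach the HSTS soup feature */`, would also help, since unlike `dwb_set_accept_language` above it this setter returns no status.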
@@ -0,0 +1,922 @@ +/* + * Copyright (c) 2010-2012 Stefan Bolte <portix@gmx.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#include <stdio.h> +#include <string.h> +#include <glib-object.h> +#include <glib/gstdio.h> +#include "dwb.h" +#include "util.h" +#include "hsts.h" +#include "gnutls/gnutls.h" +#include "gnutls/x509.h" + +/* + * This file contains an HSTS (HTTP Strict Transport Security) implementation + * for the dwb browser. It works by registering a session interface with soup + * and rewriting relevant requests when they are queued, and listening for + * hsts headers. The approach was inspired by the HSTS implementation in thje + * midori browser. + * + * Current Features: + * + Enforces HSTS as specified in [RFC6797] + * + Loading and saving of the cache + * + Enforce strict ssl verification on known hsts hosts + * + Bootstrap whitelist (automatically converted from the chromium project) + * + Add support for certificate pinning a la Chromium + * + * TODO: + * + Handle UTF-8 BOM in loading code + * + Periodic saving of database to mitigate loss of information in event of crash + * + * Problems: + * 1. 
The implementation doesn't consider mixed content, which should be + * blocked according to RFC 6797 12.4 + */ + +#define HSTS_HEADER_NAME "Strict-Transport-Security" + +/* The HSTSEntry data structure represents a known host in the HSTS database + * + * Members: + * expiry - the expiry of the rule, represented as microseconds since January 1, 1970 UTC. + * sub_domains - whether the rule applies to sub_domains + */ +typedef struct _HSTSEntry { + gint64 expiry; + gboolean sub_domains; +} HSTSEntry; + +/* Allocate a new HSTSEntry and initialise it. It is initialised to have + * maximum expiry (effectively indefinite life) and not to apply to sub + * domains. + */ +static HSTSEntry * +hsts_entry_new() +{ + HSTSEntry *entry = dwb_malloc(sizeof(HSTSEntry)); + entry->expiry = G_MAXINT64; + entry->sub_domains = false; + return entry; +} + +/* Allocates and initialises a new HSTSEntry to the given values. + * Params: + * max_age - number of seconds the rule should live. + * sub_domains - whether the rule applies to sub_domains + */ +static HSTSEntry * +hsts_entry_new_from_val(gint64 max_age, gboolean sub_domains) +{ + HSTSEntry *entry = hsts_entry_new(); + entry->expiry = g_get_real_time(); + if(max_age > (G_MAXINT64 - entry->expiry)/G_USEC_PER_SEC) + entry->expiry = G_MAXINT64; + else + entry->expiry += max_age*G_USEC_PER_SEC; + entry->sub_domains = sub_domains; + return entry; +} + +/* Frees the HSTSEntry + */ +static void +hsts_entry_free(HSTSEntry *entry) +{ + g_free(entry); +} + +/* The HSTSPinEntry data structure represents a host with a static set of + * allowed and forbidden SPKIs hashes. 
+ */ +typedef struct _HSTSPinEntry { + GHashTable *good_certs; + GHashTable *bad_certs; + gboolean sub_domains; +} HSTSPinEntry; + +/* Allocates and initialises a new HSTSPinEntry + */ +static HSTSPinEntry * +hsts_pin_entry_new() +{ + HSTSPinEntry *entry = dwb_malloc(sizeof(HSTSPinEntry)); + entry->good_certs = NULL; + entry->bad_certs = NULL; + entry->sub_domains = false; + return entry; +} + +/* Frees the HSTSPinEntry, it is safe to pass NULL + */ +static void +hsts_pin_entry_free(HSTSPinEntry *entry) +{ + if(entry == NULL) + return; + + if(entry->good_certs != NULL) + g_hash_table_destroy(entry->good_certs); + if(entry->bad_certs != NULL) + g_hash_table_destroy(entry->bad_certs); + g_free(entry); +} + +/* + * HSTSProvider works by registering as a SoupSessionFeature and rewriting all + * http requests into https requests for known hosts. However this means that + * HSTSProvider has to be implement the SoupSessionFeatureInterface and hence + * all the boilerplate gobject code in the following. + * + */ + +/* + * Type macros. 
+ */ +#define HSTS_TYPE_PROVIDER (hsts_provider_get_type ()) +#define HSTS_PROVIDER(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), HSTS_TYPE_PROVIDER, HSTSProvider)) +#define HSTS_IS_PROVIDER(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), HSTS_TYPE_PROVIDER)) +#define HSTS_PROVIDER_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), HSTS_TYPE_PROVIDER, HSTSProviderClass)) +#define HSTS_IS_PROVIDER_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), HSTS_TYPE_PROVIDER)) +#define HSTS_PROVIDER_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), HSTS_TYPE_PROVIDER, HSTSProviderClass)) +#define HSTS_PROVIDER_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), HSTS_TYPE_PROVIDER, HSTSProviderPrivate)) + +/* The HSTSProvider public interface + */ +typedef struct _HSTSProvider +{ + GObject parent_instance; +} HSTSProvider; + +/* The private members of the HSTSProvider + */ +typedef struct _HSTSProviderPrivate +{ + GHashTable *domains, *pin_domains; +} HSTSProviderPrivate; + +/* The class members of the HSTSProvider + */ +typedef struct _HSTSProviderClass +{ + GObjectClass parent_class; + + /* The following static variables are used to do case insensitive comparisons + * of directive names, as specified in RFC 6797 6.1 2. + */ + gchar *directive_max_age; + gchar *directive_sub_domains; +} HSTSProviderClass; + +/* Prototypes of various functions, some are needed for glib magic. This is not an exhaustive + * list of the hsts_provider functions. + */ +static void hsts_provider_init (HSTSProvider *self); +static void hsts_provider_class_init (HSTSProviderClass *klass); +static void hsts_provider_base_class_init (HSTSProviderClass *klass); +static void hsts_provider_base_class_finalize (HSTSProviderClass *klass); +static gpointer hsts_provider_parent_class = NULL; +static void hsts_provider_session_feature_init(SoupSessionFeatureInterface *feature_interface, gpointer interface_data); +static void hsts_provider_finalize (GObject *object); + +/* GLib essential function. 
This basically declares the existence of the + * HSTSProvider class to GLib and gives it various information about it. This + * rather cumbersome function is needed to get dynamic class members(ie. + * setting the base_* options). + */ +GType +hsts_provider_get_type (void) +{ + static volatile gsize g_define_type_id__volatile = 0; + if (g_once_init_enter (&g_define_type_id__volatile)) + { + GTypeInfo info; + info.class_size = sizeof(HSTSProviderClass); + info.base_init = (GBaseInitFunc) hsts_provider_base_class_init; + info.base_finalize = (GBaseFinalizeFunc) hsts_provider_base_class_finalize; + info.class_init = (GClassInitFunc) hsts_provider_class_init; + info.class_finalize = NULL; + info.class_data = NULL; + info.instance_size = sizeof(HSTSProvider); + info.n_preallocs = 0; + info.instance_init = (GInstanceInitFunc) hsts_provider_init; + info.value_table = NULL; + + GType g_define_type_id = g_type_register_static (G_TYPE_OBJECT, g_intern_static_string ("HSTSProvider"), &info, 0); + + const GInterfaceInfo g_implement_interface_info = { + (GInterfaceInitFunc) hsts_provider_session_feature_init, NULL, NULL + }; + g_type_add_interface_static (g_define_type_id, SOUP_TYPE_SESSION_FEATURE, &g_implement_interface_info); + g_once_init_leave (&g_define_type_id__volatile, g_define_type_id); + } + return g_define_type_id__volatile; +} + +/* Initialise the dynamic class members of HSTSProvider + */ +static void +hsts_provider_base_class_init (HSTSProviderClass *klass) +{ + klass->directive_max_age = g_utf8_casefold("max-age", -1); + klass->directive_sub_domains = g_utf8_casefold("includeSubDomains", -1); +} + +/* Finalise(free) the dynamic class members of HSTSProvider + */ +static void +hsts_provider_base_class_finalize (HSTSProviderClass *klass) +{ + g_free(klass->directive_max_age); + g_free(klass->directive_sub_domains); +} + +/* Initialise the HSTSProvider class + */ +static void +hsts_provider_class_init (HSTSProviderClass *klass) +{ + hsts_provider_parent_class = 
g_type_class_peek_parent (klass); + GObjectClass *object_class = G_OBJECT_CLASS (klass); + + g_type_class_add_private (klass, sizeof (HSTSProviderPrivate)); + + object_class->finalize = hsts_provider_finalize; +} + +/* Initialise an HSTSProvider instance + */ +static void +hsts_provider_init (HSTSProvider *provider) +{ + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE (provider); + + priv->domains = g_hash_table_new_full((GHashFunc)g_str_hash, (GEqualFunc)g_str_equal, (GDestroyNotify)g_free, (GDestroyNotify)hsts_entry_free); + priv->pin_domains = g_hash_table_new_full((GHashFunc)g_str_hash, (GEqualFunc)g_str_equal, (GDestroyNotify)g_free, (GDestroyNotify)hsts_pin_entry_free); +} + +/* Finalise an HSTSProvider instance + */ +static void +hsts_provider_finalize (GObject *object) +{ + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE (object); + + g_hash_table_destroy(priv->domains); + g_hash_table_destroy(priv->pin_domains); + + G_OBJECT_CLASS (hsts_provider_parent_class)->finalize (object); +} + +/* Remove an entry from the known hosts, this doesn't remove superdomains of + * host with the includeSubDomains directive. So the host might still be + * affected by the HSTS code + */ +static void +hsts_provider_remove_entry(HSTSProvider *provider, const char *host) +{ + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE(provider); + + gchar *canonical = g_hostname_to_unicode(host); + g_hash_table_remove(priv->domains, canonical); + g_free(canonical); +} + +/* Adds the host to the known host, if it already exists it replaces it with + * the information contained in entry. As specified in 8.1 [RFC6797] it won't + * add ip addresses as hosts. 
+ */ +static void +hsts_provider_add_entry(HSTSProvider *provider, const char *host, HSTSEntry *entry) +{ + if(g_hostname_is_ip_address(host)) + return; + + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE(provider); + + g_hash_table_replace(priv->domains, g_hostname_to_unicode(host), entry); +} + +/* Adds the host to hosts for which a certificate black or whitelist has been + * specified. + */ +static void +hsts_provider_add_pin_entry(HSTSProvider *provider, const char *host, HSTSPinEntry *entry) +{ + if(g_hostname_is_ip_address(host)) + return; + + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE(provider); + + g_hash_table_replace(priv->pin_domains, g_hostname_to_unicode(host), entry); +} + +/* Checks whether host is currently a known host or it is a sub domain of a + * known host which covers sub domains. + * + * Beware: An ip address will return false, as specified in 8.3 [RFC6797] + */ +static gboolean +hsts_provider_should_secure_host(HSTSProvider *provider, const char *host) +{ + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE(provider); + + if(g_hostname_is_ip_address(host)) + return false; + + gchar *canonical = g_hostname_to_unicode(host); + gboolean result = false; + if(strlen(canonical) > 0) /* Don't match empty strings as per. 8.3 [RFC6797] */ + { + gchar *cur = canonical; + gboolean sub_domain = false; /* Indicates whether host is a proper sub domain of cur */ + gunichar dot = g_utf8_get_char("."); + while(cur != NULL) + { + HSTSEntry *entry = g_hash_table_lookup(priv->domains, cur); + if(entry != NULL) + { + if(g_get_real_time() > entry->expiry) /* Remove expired entries */ + hsts_provider_remove_entry(provider, cur); + else if(!sub_domain || entry->sub_domains) + { /* If either host == cur or host is a proper sub domain of + cur and the cur entry covers sub domains. */ + result = true; + break; + } + } + + sub_domain = true; + cur = g_utf8_strchr(cur, -1, dot); + /* Since canonical is in canonical form, it doesn't end with a . 
+ * and hence there's no problem with the following: */ + if(cur != NULL) + cur = g_utf8_next_char(cur); + } + } + g_free(canonical); + + return result; +} + +/* Checks whether there is relevant information for host in the certificate + * white- and blacklist, if so it returns the relevant entry. Else it returns + * NULL. + */ +static HSTSPinEntry * +hsts_provider_has_cert_pin(HSTSProvider *provider, const char *host) +{ + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE(provider); + + if(g_hostname_is_ip_address(host)) + return NULL; + + HSTSPinEntry *result = NULL; + gchar *canonical = g_hostname_to_unicode(host); + if(strlen(canonical) > 0) /* Don't match empty strings as per. 8.3 [RFC6797] */ + { + gchar *cur = canonical; + gboolean sub_domain = false; /* Indicates whether host is a proper sub domain of cur */ + gunichar dot = g_utf8_get_char("."); + while(cur != NULL) + { + result = g_hash_table_lookup(priv->pin_domains, cur); + if(result != NULL && (!sub_domain || result->sub_domains)) + /* If either host == cur or host is a proper sub domain of + cur and the cur entry covers sub domains. */ + break; + result = NULL; + + sub_domain = true; + cur = g_utf8_strchr(cur, -1, dot); + /* Since canonical is in canonical form, it doesn't end with a . + * and hence there's no problem with the following: */ + if(cur != NULL) + cur = g_utf8_next_char(cur); + } + } + g_free(canonical); + + return result; +} + +/* Parse an HSTS header and add it to the known hosts. + * Returns whether or not the header was valid. 
+ */ +static gboolean +hsts_provider_parse_header(HSTSProvider *provider, const char *host, const char *header) +{ + GHashTable *directives = soup_header_parse_semi_param_list(header); + + HSTSProviderClass *klass = g_type_class_ref(HSTS_TYPE_PROVIDER); + gint64 max_age = -1; + gboolean sub_domains = false; + gboolean success = true; + + GHashTableIter iter; + gpointer key, value; + g_hash_table_iter_init(&iter, directives); + while (g_hash_table_iter_next (&iter, &key, &value)) + { + /* We have to jump through hoops here to be able to do the + * comparison in a case-insensitive manner, as specified in + * RFC 6797 6.1 + */ + gchar *key_ci = g_utf8_casefold(key, -1); + if (g_utf8_collate(key_ci, klass->directive_max_age) == 0) + { + if(value == NULL) + { + success = false; + break; + } + else + { + gchar *endptr; + max_age = g_ascii_strtoll(value, &endptr, 10); + if(endptr == value || max_age < 0) + { + success = false; + break; + } + } + } + else if (g_utf8_collate(key_ci, klass->directive_sub_domains) == 0) + { + if(value != NULL) + { + success = false; + break; + } + else + sub_domains = true; + } + g_free(key_ci); + } + g_type_class_unref(klass); + if(success) + { + if(max_age != 0) + hsts_provider_add_entry(provider, host, hsts_entry_new_from_val(max_age, sub_domains)); + else /* max_age = 0 indicates remove header */ + hsts_provider_remove_entry(provider, host); + } + + soup_header_free_param_list(directives); + return success; +} + +/* Processes the headers of msg and looks for a valid HSTS, if found it adds it + * as a known host according to the information specified in the header. 
+ */ +static void +hsts_process_hsts_header (SoupMessage *msg, gpointer user_data) +{ + GTlsCertificate *certificate; + GTlsCertificateFlags errors; + /* Only read HSTS headers sent over a properly validated https connection + * as specified in 8.1 [RFC6797] + */ + SoupURI *uri = soup_message_get_uri(msg); + const char *host = soup_uri_get_host(uri); + if(!g_hostname_is_ip_address(host) && + soup_message_get_https_status(msg, &certificate, &errors) && + errors == 0){ + HSTSProvider *provider = user_data; + + SoupMessageHeaders *hdrs; + g_object_get(G_OBJECT(msg), SOUP_MESSAGE_RESPONSE_HEADERS, &hdrs, NULL); + + SoupMessageHeadersIter iter; + soup_message_headers_iter_init(&iter, hdrs); + const char *name, *value; + while(soup_message_headers_iter_next(&iter, &name, &value)) + { + if(strcmp(name, HSTS_HEADER_NAME) == 0) + { + /* It is not exactly clear to me what the correct behavior is + * if multiple headers are present. There seems to be some + * relevant information in 8.1 [RFC6797]. + */ + if(hsts_provider_parse_header(provider, host, value)) + break; + } + } + /* FIXME: Possible memory leak, Investigate whether hdrs should be + * cleaned up? + * g_object_unref(hdrs); <-- This makes GLib complain so that clearly + * isn't the right approach. 
*/ + } +} + +/* Contains case folded versions of true and false used for comparisons in + * parse_line */ +static char *parser_true, *parser_false; + +/* Parses a line from a known hosts file and if it is correctly parsed it is + * added to the known hosts in provider */ +static void +parse_line(HSTSProvider *provider, const char *line, gint64 now) +{ + /* Ignore comments */ + if(g_utf8_get_char(line) == g_utf8_get_char("#")) + return; + + char **split = g_strsplit(line, "\t", -1); + if(g_strv_length(split) == 3) + { + char *host = split[0], *sub_domains = split[1], *expires = split[2]; + HSTSEntry *entry = hsts_entry_new(); + gboolean success = true; + + if(g_utf8_collate(parser_true, sub_domains) == 0) + entry->sub_domains = true; + else if(g_utf8_collate(parser_false, sub_domains) == 0) + entry->sub_domains = false; + else + success = false; + + char *end; + entry->expiry = g_ascii_strtoll(expires, &end, 10); + if(expires == end || entry->expiry < now) + success = false; + + if(success) + hsts_provider_add_entry(provider, host, entry); + else + hsts_entry_free(entry); + } + + g_strfreev(split); +} + +/* Represents an entry in the preloaded HSTS database. 
+ * + * Members: + * host - the host of the entry + * good_certs - a null terminated array of base64 encoded key ids of the good certificates, if NULL it is treated as the empty array + * bad_certs - a null terminated array of base64 encoded key ids of the bad certificates, if NULL it is treated as the empty array + * hsts - if true the host is added to the database of known HSTS hosts + * sub_domains - indicates whether this entry applies to sub_domains + * + */ +typedef struct _HSTSPreloadEntry { + const char *host; + const char * const *good_certs; + const char * const *bad_certs; + gboolean hsts; + gboolean sub_domains; +} HSTSPreloadEntry; + +#include "hsts_preload.h" + +/* Allocates and fills a hash set of certificates + */ +static void +fill_cert_set(GHashTable **cert_set, const char * const *certs) +{ + if(certs == NULL) + return; + if(*cert_set == NULL) + *cert_set = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL); + GHashTable *hash_set = *cert_set; + while(*certs != NULL) + { + g_hash_table_add(hash_set, g_strdup(*certs)); + certs++; + } +} + +/* Loads the default database built into dwb + */ +static void +load_default_database(HSTSProvider *provider) +{ + const HSTSPreloadEntry *entry = s_hsts_preload; + size_t i; + for(i=0; i < s_hsts_preload_length; i++) + { + if(entry->hsts) + { + HSTSEntry *hsts_entry = hsts_entry_new(); + hsts_entry->sub_domains = entry->sub_domains; + hsts_provider_add_entry(provider, entry->host, hsts_entry); + } + if(entry->good_certs != NULL || entry->bad_certs != NULL) + { + HSTSPinEntry *hsts_pin_entry = hsts_pin_entry_new(); + hsts_pin_entry->sub_domains = entry->sub_domains; + fill_cert_set(&hsts_pin_entry->good_certs, entry->good_certs); + fill_cert_set(&hsts_pin_entry->bad_certs, entry->bad_certs); + hsts_provider_add_pin_entry(provider, entry->host, hsts_pin_entry); + } + entry++; + } +} + +/* Reads a database of known hosts from filename. 
filename is a utf-8 encoded + * file, which on each line contains the following tab separated fields: + * + * host - is the known host + * sub domains - is either true or false compared case-insensitively and + * indicates whether the entry applies to sub domains of the + * given host + * expiry - Expiry time given as the number of microseconds since + * January 1, 1970 UTF. Encoded as a decimal. + * + * Lines which start with a '#' are treated as comments. Only \n and \r are + * recognised as line separators. + */ +static gboolean +hsts_provider_load(HSTSProvider *provider, const char *filename) +{ + + load_default_database(provider); + + gchar *contents; + gsize length = 0; + if(!g_file_get_contents(filename, &contents, &length, NULL)) + return false; + + gboolean success = false; + if(g_utf8_validate(contents, length, NULL)) + { + parser_true = g_utf8_casefold("true", -1); + parser_false = g_utf8_casefold("false", -1); + + gint64 now = g_get_real_time(); + /* TODO: Handle UTF-8 BOM */ + gchar *line = contents, *p = contents; + gunichar r = g_utf8_get_char("\r"), n = g_utf8_get_char("\n"); + while(*p) + { + gunichar c = g_utf8_get_char(p); + if(c == r || c == n) + { + /* \r\n is treated as two lines but it doesn't since empty + * lines are ignored */ + gchar *next = g_utf8_next_char(p); + *p = '\0'; /* null terminate line */ + parse_line(provider, line, now); + line = next; + p = next; + } + else + p = g_utf8_next_char(p); + } + + success = true; + g_free(parser_true); + g_free(parser_false); + } + g_free(contents); + return success; +} + +/* Saves the database of known hosts to filename in the format specified for + * hsts_provider_load */ +static void +hsts_provider_save(HSTSProvider *provider, const char *filename) +{ + HSTSProviderPrivate *priv = HSTS_PROVIDER_GET_PRIVATE(provider); + FILE *file = g_fopen(filename, "w"); + fprintf(file, "# dwb hsts database\n"); + + GHashTableIter iter; + gpointer key, value; + g_hash_table_iter_init(&iter, priv->domains); + 
while (g_hash_table_iter_next (&iter, &key, &value)) + { + const char *host = (const char *)key; + const HSTSEntry *entry = (HSTSEntry *)value; + /* TODO: assert MAX_LONG_LONG >= G_MAXINT64 */ + long long expiry = entry->expiry; + fprintf(file, "%s\t%s\t%lld\n", host, entry->sub_domains ? "true" : "false", expiry); + } + fclose(file); +} + +/* This callback is called when a new message is put on the session queue. It + * investigates whether the message is intended for a known host and if so it + * switches URI scheme to HTTPS. + */ +static void +hsts_provider_request_queued (SoupSessionFeature *feature, + SoupSession *session, + SoupMessage *msg) +{ + HSTSProvider *provider = HSTS_PROVIDER (feature); + + SoupURI *uri = soup_message_get_uri(msg); + if(soup_uri_get_scheme(uri) == SOUP_URI_SCHEME_HTTP && + hsts_provider_should_secure_host(provider, soup_uri_get_host(uri))) + { + soup_uri_set_scheme(uri, SOUP_URI_SCHEME_HTTPS); + /* Only change port if it explicitly references port 80 as specified in + * 8.3 [RFC6797]. */ + if(soup_uri_get_port(uri) == 80) + soup_uri_set_port(uri, 443); + soup_session_requeue_message(session, msg); + } + + /* Only look for HSTS headers sent over https */ + if(soup_uri_get_scheme(uri) == SOUP_URI_SCHEME_HTTPS) + { + soup_message_add_header_handler (msg, "got-headers", + HSTS_HEADER_NAME, + G_CALLBACK (hsts_process_hsts_header), + feature); + } +} + + +/* This callback is called when a new message is started, that is right before + * data is sent but after a connection has been made. This callback might be + * called multiple times for the same message. 
It is used to check the HTTPS + * certificates according to the relevant HSTS directives and certificate + * pinnings.*/ +static void +hsts_provider_request_started (SoupSessionFeature *feature, + SoupSession *session, + SoupMessage *msg, + SoupSocket *socket) +{ + HSTSProvider *provider = HSTS_PROVIDER (feature); + + const char *host = soup_uri_get_host(soup_message_get_uri(msg)); + gboolean cancel = false; + if(hsts_provider_should_secure_host(provider, host)) + { + GTlsCertificate *certificate; + GTlsCertificateFlags errors; + if(!(soup_message_get_https_status(msg, &certificate, &errors) && + errors == 0)) + /* If host is known HSTS host the standard specifies that we should ensure strict ssl handling */ + cancel = true; + } + HSTSPinEntry *entry; + GTlsCertificate *certificate; + GTlsCertificateFlags errors; + if(!cancel && soup_message_get_https_status(msg, &certificate, &errors) && (entry = hsts_provider_has_cert_pin(provider, host)) != NULL) + { + /* If we are connecting over HTTPS to a host with a certificate black/whitelist */ + /* If there is no whitelist assume the certificate chain is good */ + gboolean is_good = entry->good_certs != NULL ? 
false : true; /* Whether a certificate on the chain is found in the whitelist */ + gboolean is_bad = false; /* Whether a certificate in the chain is on the blacklist */ + GTlsCertificate *cur = certificate; + while(cur != NULL) + { + /* Check each certificate in the chain */ + + /* First import the certificate into gnutls */ + GByteArray *cert_bytes; + g_object_get(G_OBJECT(cur), "certificate", &cert_bytes, NULL); + + gnutls_datum_t data; + data.data = cert_bytes->data; + data.size = cert_bytes->len; + + gnutls_x509_crt_t cert; + gnutls_x509_crt_init(&cert); + + /* Then try to get the key_id and check that against the black/white lists */ + int err; + unsigned char key_id[1024]; + size_t key_id_size = 1024; + + if((err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_DER)) == GNUTLS_E_SUCCESS && + (err = gnutls_x509_crt_get_key_id(cert, 0, key_id, &key_id_size)) == GNUTLS_E_SUCCESS + ) + { + + char *key_id_base64 = g_base64_encode(key_id, key_id_size); + is_good = is_good || + (entry->good_certs != NULL && g_hash_table_lookup(entry->good_certs, key_id_base64)); + is_bad = is_bad || + (entry->bad_certs != NULL && g_hash_table_lookup(entry->bad_certs, key_id_base64)); + g_free(key_id_base64); + } + else + { + printf("HSTS: Warning: Problems getting certificate key id for a certificate of %s\n", host); + } + + /* Cleanup */ + gnutls_x509_crt_deinit(cert); + g_byte_array_unref(cert_bytes); + cur = g_tls_certificate_get_issuer(cur); + } + /* If we aren't explicitly on the whitelist or a certificate is on the + * blacklist, cancel the message. 
Said simpler a certificate is + * accepted only if it has at least one certificate in it's chain on + * the whitelist and none on the blacklist + */ + if(!is_good || is_bad) + cancel = true; + } + if(cancel) + soup_session_cancel_message(session, msg, SOUP_STATUS_SSL_FAILED); +} + +/* Removes added callbacks on message unqueue + */ +static void +hsts_provider_request_unqueued (SoupSessionFeature *feature, + SoupSession *session, + SoupMessage *msg) +{ + g_signal_handlers_disconnect_by_func (msg, hsts_process_hsts_header, feature); +} + +/* Initialise the SoupSessionFeature interface. + */ +static void +hsts_provider_session_feature_init (SoupSessionFeatureInterface *feature_interface, + gpointer interface_data) +{ + feature_interface->request_queued = hsts_provider_request_queued; + feature_interface->request_started = hsts_provider_request_started; + feature_interface->request_unqueued = hsts_provider_request_unqueued; +} + +/* Indicates whether hsts has been initialised */ +static gboolean s_init = false; +static HSTSProvider *s_provider; + +gboolean +hsts_running() +{ + return s_init && GET_BOOL("hsts"); +} + +/* Activates hsts */ +void +hsts_activate() +{ + if(!hsts_init()) + return; + soup_session_add_feature(dwb.misc.soupsession, SOUP_SESSION_FEATURE(s_provider)); +} + +/* Deactivates hsts */ +void +hsts_deactivate() +{ + if(!s_init) + return; + soup_session_remove_feature(dwb.misc.soupsession, SOUP_SESSION_FEATURE(s_provider)); +} + +/* Save current hsts lists */ +void +hsts_save() +{ + if(hsts_running()) + hsts_provider_save(s_provider, dwb.files[FILES_HSTS]); +} + +/* Initialises the hsts implementation */ +gboolean +hsts_init() +{ + if(s_init) + return true; + if(!GET_BOOL("hsts")) + return false; + + s_provider = g_object_new(HSTS_TYPE_PROVIDER, NULL); + s_init = true; + + hsts_provider_load(s_provider, dwb.files[FILES_HSTS]); + hsts_activate(); + + return true; +} + +/* Finalises the hsts implementation */ +void +hsts_end() +{ + hsts_save(); + 
hsts_deactivate(); + + if(s_init) + { + g_object_unref(s_provider); + s_init = false; + } +} diff --git a/src/hsts.h b/src/hsts.h new file mode 100644 index 00000000..4b47dfa3 --- /dev/null +++ b/src/hsts.h @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2010-2012 Stefan Bolte <portix@gmx.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef HSTS_H +#define HSTS_H + +gboolean hsts_running(); +gboolean hsts_init(); +void hsts_end(); +void hsts_save(); +void hsts_activate(); +void hsts_deactivate(); + +#endif // HSTS_H diff --git a/util/Makefile b/util/Makefile index 5dcc5f67..797c9fe3 100644 --- a/util/Makefile +++ b/util/Makefile @@ -4,7 +4,9 @@ include ../config.mk SETTINGS=../$(LIBDIR)/settings.html KEYS=../$(LIBDIR)/keys.html TLDS_H=../$(SRCDIR)/tlds.h -OUTFILES=$(SETTINGS) $(KEYS) $(TLDS_H) +HSTS=convert_transport_security +HSTS_PRELOAD=../$(SRCDIR)/hsts_preload.h +OUTFILES=$(SETTINGS) $(KEYS) $(HSTS_PRELOAD) $(TLDS_H) all: $(OUTFILES) 
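Review bot: The pin check in `hsts_provider_request_started` fails open: when `gnutls_x509_crt_import` or `gnutls_x509_crt_get_key_id` fails, the `else` branch only prints a warning, and for a pin entry that has only `bad_certs` the flag `is_good` already starts as true, so a chain whose certificates cannot be parsed is accepted. Treat that branch as a failed check, e.g. `is_bad = true;` after the `printf`, and check the return value of `gnutls_x509_crt_init` before using `cert`. In `hsts_process_hsts_header` the header name is matched with `strcmp(name, HSTS_HEADER_NAME)`, which skips a policy sent as `strict-transport-security`; HTTP field names are case-insensitive, so `g_ascii_strcasecmp(name, HSTS_HEADER_NAME) == 0` is the safer comparison. `g_hostname_to_unicode` returns NULL for an invalid hostname, yet `hsts_provider_should_secure_host` and `hsts_provider_has_cert_pin` pass the result to `strlen` and the add/remove functions use it as a hash-table key, so each needs a guard such as `if(canonical == NULL) return false;`; `hsts_provider_save` likewise calls `fprintf` on the result of `g_fopen` without checking it for NULL.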
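Review bot: The prototypes in hsts.h use `gboolean` but the header includes nothing, so it compiles only where a glib header has already been included (hsts.c includes `<glib-object.h>` before it); adding `#include <glib.h>` would make the header self-contained. The empty parameter lists, e.g. `gboolean hsts_init();`, declare functions with unspecified arguments in C, while `gboolean hsts_init(void);` lets the compiler reject stray arguments. A one-line comment per prototype would document the contract that hsts.c implies, for example that `hsts_save` does nothing unless HSTS is initialised and the `hsts` setting is on.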
@@ -33,6 +35,13 @@ settings.in: settings.pre sed 's/^SSL_CERTIFICATION/ssl-use-system-ca-file checkbox Whether to use the system certification file/' $< > $@;\ else sed 's/^SSL_CERTIFICATION/ssl-ca-file text Path to ssl-certificate/;/^addressbar-dns-lookup/d' $< > $@; fi) +$(HSTS): $(HSTS).c + @echo "${CC} $<" + @$(CC) $(CFLAGS) $(shell pkg-config --cflags --libs glib-2.0 gnutls json) -o $(HSTS) $(HSTS).c + +$(HSTS_PRELOAD): $(HSTS) transport_security_state_static.certs transport_security_state_static.json + ./$(HSTS) > $(HSTS_PRELOAD) + clean: $(RM) $(OUTFILES) diff --git a/util/convert_transport_security.c b/util/convert_transport_security.c new file mode 100644 index 00000000..34dd849a --- /dev/null +++ b/util/convert_transport_security.c 
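Review bot: The `$(HSTS_PRELOAD)` rule in util/Makefile redirects the converter straight into the target with `./$(HSTS) > $(HSTS_PRELOAD)`, so when the converter exits non-zero part-way a truncated hsts_preload.h stays on disk with a fresh timestamp and the next `make` run treats it as up to date. Since this header carries the preloaded HSTS hosts and certificate pins, I would generate it atomically, e.g. `./$(HSTS) > $@.tmp && mv $@.tmp $@`, or add a `.DELETE_ON_ERROR:` line to the Makefile. A truncated header will most likely fail to compile, but that is luck rather than design, and the stale file hides the converter's own error message on the second run.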
@@ -0,0 +1,397 @@
+/*
+ * Copyright (c) 2012 Adam Ehlers Nyholm Thomsen
+ * Copyright (c) 2013 Stefan Bolte <portix@gmx.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#define _XOPEN_SOURCE 700
+#define _POSIX_C_SOURCE 200809L
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <glib.h>
+#include <glib/gstdio.h>
+#include <json.h>
+
+/* Converts the static .certs and .json whitelist to a header file of the
+ * apropriate type.
+ *
+ * Warning: This file is slightly non portable as it uses getline. */
+
+
+/* Indicates whether a given pinset included a list of good certificates and/or
+ * a list of bad certificates. */
+typedef enum _has_certs {
+ HAS_GOOD_CERTS = 1,
+ HAS_BAD_CERTS = 2,
+} has_certs;
+
+/* Whether a certificate is a good certificate or a bad certificate */
+typedef enum _cert_type {
+ GOOD_CERT,
+ BAD_CERT,
+} cert_type;
+
+/* Maps pinset name to has_certs.
+ */
+GHashTable *pins;
+
+#define cert_filename "transport_security_state_static.certs"
+#define json_filename "transport_security_state_static.json"
+#define certificate_begin "-----BEGIN CERTIFICATE-----"
+#define certificate_end "-----END CERTIFICATE-----"
+#define sha1_prefix "sha1/"
+#define cert_template "static const char s_hsts_cert_hash_%s[] = \"%s\";\n"
+
+#define cert_list_template_begin "static const char * const s_hsts_cert_list_%s_%s[] = {\n"
+#define cert_list_template_entry " s_hsts_cert_hash_%s,\n"
+#define cert_list_template_end " NULL,\n};\n\n"
+
+#define entry_list_begin "static const HSTSPreloadEntry s_hsts_preload[] = {\n"
+#define entry_list_end "};\n"
+#define entry_list_length "static const size_t s_hsts_preload_length = %zu\n;"
+
+const char *gboolean_to_string(gboolean val){
+ return val ? "true" : "false";
+}
+const char *cert_type_to_string(cert_type val){
+ return val == GOOD_CERT ? "good" : "bad";
+}
+void print_has_certs(const char *name, has_certs cert_status, cert_type val){
+ if(cert_status & ((val == GOOD_CERT) ? HAS_GOOD_CERTS : HAS_BAD_CERTS)) {
+ printf("s_hsts_cert_list_%s_%s", cert_type_to_string(val), name);
+ } else
+ printf("NULL");
+}
+void print_entry_list_entry(const char *host, const char *pin_name, gboolean hsts, gboolean sub_domains){
+ has_certs cert_status = pin_name != NULL ? *((has_certs *)g_hash_table_lookup(pins, pin_name)) : 0;
+ char *host_safe = g_strescape(host, "");
+ printf(" {\"%s\", ", host);
+ g_free(host_safe);
+ print_has_certs(pin_name, cert_status, GOOD_CERT);
+ printf(", ");
+ print_has_certs(pin_name, cert_status, BAD_CERT);
+ printf(", ");
+ printf("%s, %s},\n", gboolean_to_string(hsts), gboolean_to_string(sub_domains));
+}
+
+/* The ID size should be 20, but give some room for changes */
+#define MAX_ID_SIZE 4096
+
+/* Parse the certificate file and for each certificate print the base64 encoded
+ * certificate key id, to be used in pinsets */
+gboolean parse_certs(const char *filename)
+{
+ FILE *file = g_fopen(filename, "r");
+ char *line = NULL;
+ size_t line_size = 0;
+ size_t buffer_size = 4096;
+ size_t buffer_used = 0;
+ unsigned char *buffer = g_malloc(sizeof(unsigned char)*buffer_size);
+ while(getline(&line, &line_size, file) >= 0)
+ {
+ g_strstrip(line);
+ size_t len = strlen(line);
+ if(len == 0 || line[0] == '#')
+ continue; /* Ignore comments and pure whitespace lines */
+ char *name = g_strdup(line);
+ char *key_id_base64;
+
+ if(getline(&line, &line_size, file) < 0)
+ {
+ fprintf(stderr, "Unexpected end of file while parsing %s\n", name);
+ return FALSE;
+ }
+ g_strstrip(line);
+ if(g_str_has_prefix(line, certificate_begin))
+ {
+ /* If it is a certificate entry: base64 decode the certificate,
+ * load it using gnutls, and compute the base64 encoded key id.
+ */
+ gint state = 0;
+ guint save = 0;
+ buffer_used = 0;
+ ssize_t read;
+ while((read = getline(&line, &line_size, file)) >= 0 && !g_str_has_prefix(line, certificate_end))
+ {
+ /* Read certificate line by line and base64 decode */
+ g_strstrip(line);
+ size_t len = strlen(line);
+ gboolean to_realloc = FALSE;
+ while(len > buffer_size - buffer_used - 3)
+ {
+ to_realloc = TRUE;
+ buffer_size *= 2;
+ }
+ if(to_realloc)
+ {
+ /* Increase buffer_size if it is a long certificate -- this
+ * should never really happen */
+ fprintf(stderr, "Warning: Increasing buffer size to %zd\n", buffer_size);
+ buffer = g_realloc(buffer, buffer_size);
+ }
+ buffer_used += g_base64_decode_step(line, len, &buffer[buffer_used], &state, &save);
+ }
+ if(read < 0)
+ {
+ fprintf(stderr, "Unexpected end of file while parsing base64 certificate of %s\n", name);
+ return FALSE;
+ }
+ gnutls_datum_t binary;
+ binary.data = buffer;
+ binary.size = buffer_used;
+
+ /* Load the certificate and compute the key id */
+ gnutls_x509_crt_t cert;
+ gnutls_x509_crt_init(&cert);
+ int err;
+ if((err = gnutls_x509_crt_import(cert, &binary, GNUTLS_X509_FMT_DER)) != GNUTLS_E_SUCCESS)
+ {
+ fprintf(stderr, "Error while decoding certificate of %s, error was %d, is it perhaps PEM encoded?\n", name, err);
+ return FALSE;
+ }
+ unsigned char key_id[MAX_ID_SIZE];
+ size_t key_id_size = MAX_ID_SIZE;
+ if((err = gnutls_x509_crt_get_key_id(cert, 0, key_id, &key_id_size)) != GNUTLS_E_SUCCESS)
+ {
+ fprintf(stderr, "Couldn't retrieve the key id for the certificate of %s, error was %d\n", name, err);
+ return FALSE;
+ }
+ if(key_id_size != 20)
+ {
+ /* This might be problematic, I don't know */
+ fprintf(stderr, "Warning: Key id for %s isn't 20 bytes long, this means it probably isn't a sha-1 hash...\n", name);
+ }
+ key_id_base64 = g_base64_encode(key_id, key_id_size);
+ gnutls_x509_crt_deinit(cert);
+ }
+ else if(g_str_has_prefix(line, sha1_prefix))
+ {
+ /* If it is given as a sha-1 hash directly */
+ key_id_base64 = g_strdup(&line[strlen(sha1_prefix)]);
+ }
+ else
+ {
+ fprintf(stderr, "Unrecognised line: %s\n", line);
+ return FALSE;
+ }
+
+ printf(cert_template, name, key_id_base64);
+
+ g_free(name);
+ g_free(key_id_base64);
+ }
+ printf("\n");
+ g_free(buffer);
+ free(line);
+ fclose(file);
+ return TRUE;
+}
+
+
+/* Writes a list of certificate id names
+ * Params:
+ * name - The name of the pinset
+ * type - Whether it is a list of good or bad certificates
+ * list - The json_array of certificate id names
+ */
+gboolean write_cert_list(const char *name, cert_type type, has_certs *certs, json_object *list)
+{
+ if(list == NULL)
+ return TRUE;
+ if(!json_object_is_type(list, json_type_array))
+ return FALSE;
+ int len = json_object_array_length(list);
+ printf(cert_list_template_begin, cert_type_to_string(type), name);
+ int i;
+ for(i = 0; i < len; i++)
+ {
+ printf(cert_list_template_entry, json_object_get_string(json_object_array_get_idx(list, i)));
+ }
+ printf(cert_list_template_end);
+ *certs |= (type == GOOD_CERT) ? HAS_GOOD_CERTS : HAS_BAD_CERTS;
+ return TRUE;
+}
+
+/* Allocates a new has_certs enum and initializes it to 0(No certificates) */
+has_certs *has_certs_new()
+{
+ has_certs *var = g_malloc(sizeof(has_certs));
+ *var = 0;
+ return var;
+}
+
+/* For each pinset check whether it has a list of good certificates and if so
+ * print, and do likewise for the bad certificates */
+gboolean handle_pinsets(json_object *pinsets)
+{
+ int len = json_object_array_length(pinsets), i;
+ for(i = 0; i < len; i++)
+ {
+ json_object *pin_list = json_object_array_get_idx(pinsets, i);
+ if(pin_list == NULL || !json_object_is_type(pin_list, json_type_object))
+ {
+ fprintf(stderr, "pinset %d is not of type object\n", i);
+ return FALSE;
+ }
+ json_object *name_obj, *good_hashes, *bad_hashes;
+ if((name_obj = json_object_object_get(pin_list, "name")) == NULL || !json_object_is_type(name_obj, json_type_string))
+ {
+ fprintf(stderr, "Couldn't get name from pinset %d\n", i);
+ return FALSE;
+ }
+ const char *name = json_object_get_string(name_obj);
+
+ good_hashes = json_object_object_get(pin_list, "static_spki_hashes");
+ bad_hashes = json_object_object_get(pin_list, "bad_static_spki_hashes");
+ has_certs *certs = has_certs_new();
+ if(!write_cert_list(name, GOOD_CERT, certs, good_hashes) ||
+ !write_cert_list(name, BAD_CERT, certs, bad_hashes))
+ {
+ fprintf(stderr, "Couldn't parse hash lists for pinset %s\n", name);
+ return FALSE;
+ }
+
+ g_hash_table_insert(pins, g_strdup(name), certs);
+ }
+ return TRUE;
+}
+
+/* For each entry convert it into the structure of an HSTSPreloadEntry and
+ * print it as c code on stdout.
+ */
+gboolean handle_entries(json_object *entries)
+{
+ int len = json_object_array_length(entries);
+ printf(entry_list_begin);
+ int i;
+ for(i = 0; i < len; i++)
+ {
+ json_object *entry = json_object_array_get_idx(entries, i);
+ if(entry == NULL || !json_object_is_type(entry, json_type_object))
+ {
+ fprintf(stderr, "Entry %d wasn't a json object\n", i);
+ return FALSE;
+ }
+
+ /* Get hostname */
+ json_object *name_obj;
+ if((name_obj = json_object_object_get(entry, "name")) == NULL ||
+ !json_object_is_type(name_obj, json_type_string))
+ {
+ fprintf(stderr, "Couldn't process name from entry %d\n", i);
+ return FALSE;
+ }
+ const char *name = json_object_get_string(name_obj);
+ char *host = g_hostname_to_unicode(name);
+
+ /* Get whether to enable hsts for host */
+ json_object *mode = json_object_object_get(entry, "mode");
+ gboolean hsts = mode != NULL;
+ if(hsts && strcmp(json_object_get_string(mode), "force-https") != 0)
+ {
+ fprintf(stderr, "Unknown mode for entry %s: %s", name, json_object_get_string(mode));
+ }
+
+ /* Get sub domains directive */
+ json_object *include_subdomains = json_object_object_get(entry, "include_subdomains");
+ gboolean sub_domains = include_subdomains != NULL &&
+ json_object_get_boolean(include_subdomains);
+ if(include_subdomains != NULL && !json_object_is_type(include_subdomains, json_type_boolean))
+ {
+ fprintf(stderr, "include_subdomains for entry %s wasn't of type boolean\n", name);
+ return FALSE;
+ }
+
+ /* Get pins directive */
+ json_object *entry_pins;
+ const char *pin_name = NULL;
+ if((entry_pins = json_object_object_get(entry, "pins")) != NULL)
+ {
+ if(!json_object_is_type(entry_pins, json_type_string))
+ {
+ fprintf(stderr, "non string pins entry for %s\n", name);
+ return FALSE;
+ }
+ pin_name = json_object_get_string(entry_pins);
+ if(g_hash_table_lookup(pins, pin_name) == NULL)
+ {
+ fprintf(stderr, "unrecognised pin name in entry for %s\n", name);
+ }
+ }
+
+ print_entry_list_entry(host, pin_name, hsts, sub_domains);
+ g_free(host);
+ }
+ size_t length = len;
+ printf(entry_list_end);
+ printf(entry_list_length, length);
+ return TRUE;
+}
+
+/* Parse the json file and print the relevant c code */
+gboolean parse_json(const char *filename)
+{
+ /* Read and parse the file */
+ char *file;
+ if(!g_file_get_contents(filename, &file, NULL, NULL))
+ {
+ fprintf(stderr, "Couldn't read JSON file: %s\n", filename);
+ return FALSE;
+ }
+
+ json_object *json = json_tokener_parse(file);
+ if(json == NULL)
+ {
+ fprintf(stderr, "There was an error while parsing %s\n", filename);
+ return FALSE;
+ }
+
+ /* Parse and handle the pinsets entry */
+ json_object *pinsets;
+ pins = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free);
+ if((pinsets = json_object_object_get(json, "pinsets")) == NULL || !json_object_is_type(pinsets, json_type_array) ||
+ !handle_pinsets(pinsets))
+ {
+ fprintf(stderr, "Error while handling pinsets\n");
+ return FALSE;
+ }
+
+ /* Parse and handle the list of hostnames */
+ json_object *entries;
+ if((entries = json_object_object_get(json, "entries")) == NULL || !json_object_is_type(entries, json_type_array) ||
+ !handle_entries(entries))
+ {
+ fprintf(stderr, "Error while handling entries\n");
+ return FALSE;
+ }
+
+ g_free(file);
+ g_hash_table_destroy(pins);
+ json_object_put(json);
+ return TRUE;
+}
+
+int main(){
+ gnutls_global_init();
+ if(!parse_certs(cert_filename))
+ return -1;
+ if(!parse_json(json_filename))
+ return -1;
+ gnutls_global_deinit();
+ return 0;
+}
diff --git a/util/settings.pre b/util/settings.pre
index b38a3b1e..bf6f9d7d 100644
--- a/util/settings.pre
+++ b/util/settings.pre
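Review bot: In util/convert_transport_security.c, `print_entry_list_entry` builds `host_safe` with `g_strescape(host, "")` but then prints the unescaped `host`, so the escaping never reaches the generated hsts_preload.h. A host name in the JSON that contains `"`, `\` or non-ASCII bytes would land raw inside a C string literal. The line should read `printf(" {\"%s\", ", host_safe);`. In `handle_entries`, an unknown pin name only logs "unrecognised pin name" and carries on, after which `print_entry_list_entry` dereferences the NULL returned by `g_hash_table_lookup(pins, pin_name)`. Adding `return FALSE;` after that `fprintf` makes a mistyped pinset name fail the build cleanly instead of crashing the generator. `parse_certs` likewise passes the unchecked result of `g_fopen` to `getline`, so a missing .certs file crashes rather than reporting an error.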
@@ -26,7 +26,7 @@ proxy-url text The HTTP-proxy url save-session checkbox Whether to Automatically save sessions single-instance checkbox Whether to have only one instance SSL_CERTIFICATION -ssl-strict checkbox Whether to allow only save ssl-certificates +ssl-strict checkbox Whether to allow only safe ssl-certificates use-ntlm checkbox Whether to use ntlm-authentication user-agent text The user agent string @@ -115,6 +115,7 @@ adblocker-filterlist text Path to a adblock plus compatible filterlist enable-java-applet checkbox Whether to enable java applets enable-plugins checkbox Whether to enable plugins enable-scripts checkbox Enable embedded scripting languages +hsts checkbox Whether HSTS support should be enabled javascript-can-access-clipboard checkbox Whether javascript can access the clipboard javascript-can-open-windows-automatically checkbox Whether javascript can open windows javascript-schemes checkbox Whether to allow loading url with scheme 'javascript' diff --git a/util/transport_security_state_static.certs b/util/transport_security_state_static.certs new file mode 100644 index 00000000..346b48fa --- /dev/null +++ b/util/transport_security_state_static.certs 
@@ -0,0 +1,1209 @@ +# Copyright (c) 2012 The Chromium Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# This file contains pinned certificates to be used in conjunction with +# hsts_preloaded.json. See the comments at the beginning of that file for +# details. + +# Each entry consists of a line containing the name of the pin followed either +# by a hash in the format "sha1/" + base64(hash), or a PEM encoded certificate. + +TestSPKI +sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA= + +VeriSignClass3 +-----BEGIN CERTIFICATE----- +MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz +cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 +MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV +BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE +BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is +I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G +CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i +2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ +2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ +-----END CERTIFICATE----- + +VeriSignClass3_G3 +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl +cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp +dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT 
+aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ +bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu +IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b +N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t +KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu +kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm +CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ +Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu +imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te +2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe +DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC +/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p +F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt +TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ== +-----END CERTIFICATE----- + +Google1024 +-----BEGIN CERTIFICATE----- +MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA4MjA0MzI3WhcNMTMwNjA3MTk0MzI3 +WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ +R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw +gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf +NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb +qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB +oDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFL/AMOv1QxE+Z7qekfv8atrjaxIk +MB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYB +Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v +Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHde +BZqrocb6ghwYB8TrgbCoZutJqOkM0ymt9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN +0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fniisIWvXEyZ2VxVKfml 
+UUIuOss4jHg7y/j7lYe8vJD5UDI= +-----END CERTIFICATE----- + +Google2048 +sha1/AbkhxY0L343gKf+cki7NVWp+ozk= + +EquifaxSecureCA +-----BEGIN CERTIFICATE----- +MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV +UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy +dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1 +MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx +dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f +BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A +cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC +AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm +aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw +ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj +IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF +MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA +A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y +7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh +1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4 +-----END CERTIFICATE----- + +Aetna +-----BEGIN CERTIFICATE----- +MIICsjCCAhugAwIBAgIDBe3YMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDUwODMxMjA0MDM3WhcNMTIwODMxMjA0MDM3 +WjBIMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQWV0bmEgSW5jLjEkMCIGA1UEAxMb +QWV0bmEgSW5jLiBTZWN1cmUgU2VydmVyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQCnB2yrm4i44DG5epPu0fbe/pOZDWOvAS7qCcy6YbSkPfOHfH9Blmf3 +8L6D5yY1pzmTXaU7cDQu4qmj21toEIGwBziMmW6NsiV8nHtmtfXfHP6xrmyPUdN2 +DdTj937fnrYOoyMhGgBYEjiemeHFQxZSpKZdolFEFXbUa2/yWQafrQIDAQABo4Gj +MIGgMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU2S4/xnaeitmFkzoxLnZeo33n +H4owHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gjIBBPM5iQn9QwEgYDVR0TAQH/BAgw 
+BgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNv +bS9jcmxzL3NlY3VyZWNhLmNybDANBgkqhkiG9w0BAQUFAAOBgQBMSoZHIrD1rq8v +UG3UYbN76xiF9FDRzWTs5Mvv4Psvf2kk426slzNO0ukFAsmwqN1mA/P9Nc4FlMMC +YtcnLNwC/syEYdQBOJjxfTVGTqh5q6jDs7S3rPJv8mrFk8ldC8PxU1ZJVfSlFCDn +6diMDgvOAJfUeJlIRLGu2k/ksI0Y1w== +-----END CERTIFICATE----- + +GeoTrustGlobal +-----BEGIN CERTIFICATE----- +MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw +WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE +AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m +OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu +T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c +JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR +Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz +PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm +aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM +TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g +LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO +BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv +dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB +AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL +NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W +b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S +-----END CERTIFICATE----- + +GeoTrustPrimary +-----BEGIN CERTIFICATE----- +MIIDizCCAvSgAwIBAgIDDW5iMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMTI3MDAwMDAwWhcNMTgwODIxMTYxNTAw +WjBYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UE 
+AxMoR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64FXv/1Hx9Z62DZHvIQlMt3/aE +CCBh1gFZapxEEa/vdv2Vfs5hMLt6g18CvQFmyu4VjW+hMJy9oYWelDrzVogAMc/Y +7mqWAtntA4z7dW3n6rhVFgUWmvTgXrGIwGSFXBVNiMe3uuB16a0FPZ3HiUjguyjI +A+Ewk2ReUsBZcCI1V4iK8ZUKg9e8MXMBNO3vRnHgawKoNXJrl5tm4MsceV/YGgRo +HkcC5p1g4jaXAd/ONZLfvmfHbXdZO4+d1pAVlLxCNBDBOfmxJz5+1op1xbKvltOi +3pvkmL594emBrbZv/NcO2uA0sA0ad+fjCJjvWPqchLc2r8LfrNL0EAZwcTUCAwEA +AaOB6DCB5TAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCzVUEGXFYvwjzZhW0r7 +a9mZyTOSMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMA8GA1UdEwEB +/wQFMAMBAf8wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5j +b20vY3Jscy9zZWN1cmVjYS5jcmwwRgYDVR0gBD8wPTA7BgRVHSAAMDMwMQYIKwYB +BQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNlcy9jcHMwDQYJ +KoZIhvcNAQEFBQADgYEAr/MO1nKrx6mXyiprhDneeanwgeUIZ6vXLyACAXEMBCLJ +HoiVA8lJOq9nCEmw1Qj1ID2AkaDFh6P7yaMXkfmoL67pD9+Wcg91F4BdeAFNnx9t +e9j1QjgjGpmT9IO+OzV05zcTNXqstLaQgmwnpODsnjW9v+UpoUefWzL86Zl9Kzk= +-----END CERTIFICATE----- + +Intel +-----BEGIN CERTIFICATE----- +MIIFijCCBHKgAwIBAgIKYSCKYgAAAAAACDANBgkqhkiG9w0BAQUFADBSMQswCQYD +VQQGEwJVUzEaMBgGA1UEChMRSW50ZWwgQ29ycG9yYXRpb24xJzAlBgNVBAMTHklu +dGVsIEV4dGVybmFsIEJhc2ljIFBvbGljeSBDQTAeFw0wOTA1MTUxOTI3MjZaFw0x +NTA1MTUxOTM3MjZaMFYxCzAJBgNVBAYTAlVTMRowGAYDVQQKExFJbnRlbCBDb3Jw +b3JhdGlvbjErMCkGA1UEAxMiSW50ZWwgRXh0ZXJuYWwgQmFzaWMgSXNzdWluZyBD +QSAzQjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQEM1Wn9TU9vc9C ++/Tc7KB+eiYElmrcEWE32WUdHvWG+IcQHVQsikTmMyKKojNLw2B5s6Iekc8ivDo/ +wCfjZzX9JyftMnc+AArc0la87Olybzm8K9jXEfTBvTnUSFSiI9ZYefITdiUgqlAF +uljFZEHYKYtLuhrRacpmQfP4mV63NKdc2bT804HRf6YptZFa4k6YN94zlrGNrBuQ +Q74WFzz/jLBusbUpEkro6Mu/ZYFOFWQrV9lBhF9Ruk8yN+3N6n9fUo/qBigiF2kE +n9xVh1ykl7SCGL2jBUkXx4qgV27a6Si8lRRdgrHGtN/HWnSWlLXTH5l575H4Lq++ +77OFv38CAwEAAaOCAlwwggJYMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA7G +KvdZsggQkCVvw939imYxMCvFMAsGA1UdDwQEAwIBhjASBgkrBgEEAYI3FQEEBQID +AQABMCMGCSsGAQQBgjcVAgQWBBQ5oFY2ekKQ/5Ktim+VdMeSWb4QWTAZBgkrBgEE 
+AYI3FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQaxgxKxEdvqNutK/D0Vgaj +7TdUDDCBvQYDVR0fBIG1MIGyMIGvoIGsoIGphk5odHRwOi8vd3d3LmludGVsLmNv +bS9yZXBvc2l0b3J5L0NSTC9JbnRlbCUyMEV4dGVybmFsJTIwQmFzaWMlMjBQb2xp +Y3klMjBDQS5jcmyGV2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuaW50ZWwuY29tL3JlcG9z +aXRvcnkvQ1JML0ludGVsJTIwRXh0ZXJuYWwlMjBCYXNpYyUyMFBvbGljeSUyMENB +LmNybDCB4wYIKwYBBQUHAQEEgdYwgdMwYwYIKwYBBQUHMAKGV2h0dHA6Ly93d3cu +aW50ZWwuY29tL3JlcG9zaXRvcnkvY2VydGlmaWNhdGVzL0ludGVsJTIwRXh0ZXJu +YWwlMjBCYXNpYyUyMFBvbGljeSUyMENBLmNydDBsBggrBgEFBQcwAoZgaHR0cDov +L2NlcnRpZmljYXRlcy5pbnRlbC5jb20vcmVwb3NpdG9yeS9jZXJ0aWZpY2F0ZXMv +SW50ZWwlMjBFeHRlcm5hbCUyMEJhc2ljJTIwUG9saWN5JTIwQ0EuY3J0MA0GCSqG +SIb3DQEBBQUAA4IBAQCxtQEHchVQhXyjEqtMVUMe6gkmPsIczHxSeqNbo9dsD+6x +bT65JT+oYgpIAtfEsYXeUJu1cChqpb22U5bMAz7eaQcW5bzefufWvA6lg2048B8o +czBj/q+5P5NpYrUO8jOmN4jTjfJq3ElZ7yFWpy7rB3Vm/aN6ATYqWfMbS/xfh+JC +xmH3droUmMJI0/aZJHsLtjbjFnNsHDNrJZX1vxlM78Lb1hjskTENPmhbVbfTj5i/ +ZGnhv4tmI8QZPCNtcegXJrfhRl2D9bWpdTOPrWiLDUqzy1Z6KL7TcOS/PCl8RHCJ +XkPau/thTQCpIoDa2+c+3XA++gRTfAQ4svTO260N +-----END CERTIFICATE----- + +TCTrustCenter +-----BEGIN CERTIFICATE----- +MIIDWzCCAsSgAwIBAgIDCaxIMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDgwODE1MTY0NTE1WhcNMTMwMjE0MTc0NTE1 +WjBtMQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21iSDEe +MBwGA1UECxMVVEMgVHJ1c3RDZW50ZXIgU1NMIENBMSAwHgYDVQQDExdUQyBUcnVz +dENlbnRlciBTU0wgQ0EgSTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOkCoJoNbJw33wSxNWbDdmIfDIedR8Zmr/mjOhMkXdxRYb6qrl/WfMEuo4PBcysJ +kF81LaDMkBH0zc7Hs1eYixrMVObkCmEUjxYylgOk4ExGwhmIWDJUWGslNBUIIhFf ++ucDWuGZNfILQrwCWRHYBG0n/6lZPylCqopCMYhBK5sTI/PyuHEAzDL7+buep/Na +zn+oy/a6x1nobsuL9X2oFaWZb7Z6ty5kZ/U56JHa7vnsLrg4ePwiQb8jtyUdz0fD +uMHkNzK0gWxr4hm0v92otYFuOTZqNLEJneeiILxUCCMop2chr1obpq2zGVNxJ/rP +StWmcu75KBGMpT+mzFgIyf0CAwEAAaOBozCBoDAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFOe/bKlImXeG4tD/MKCQHQtk0IU6MB8GA1UdIwQYMBaAFEjmaPkr0rKV 
+10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2g +K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwDQYJ +KoZIhvcNAQEFBQADgYEAVKyJLbJha83PggEit8+dzh50wIsKXpTV2K6K4HnUI1kh +xqocLVfQORluC+LS7L78D2EKTWLZ8WNujiP6DbbIPSTsMasuiBMQMBUlJMUqsp/M +XmQJgIGAbxsr19MY6mmB30oWuo4cjHnkMzSCfhcON6Rxvbjijk2qCWXkk2T2HAk= +-----END CERTIFICATE----- + +Vodafone +-----BEGIN CERTIFICATE----- +MIIDJDCCAo2gAwIBAgIDBfw3MA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT +MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 +aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYwNzIxMTUwNTA2WhcNMTEwNzEyMTUwNTA2 +WjA5MQswCQYDVQQGEwJVSzEXMBUGA1UEChMOVm9kYWZvbmUgR3JvdXAxETAPBgNV +BAMTCFZvZGFmb25lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs61K +wbMcB+GGGbjyo1dYEiVNGRYKRsDXfeOgeq03Vebf7D5Xq6a0Qs4Rvp6CuRTSNDPi +M+0vuQRW5sib9UD8UB2x4znc6FriRV4FUpAyKNVqQ9NB0MOBpQekVlX9DzcXkn+p +zWRi6tt3CtPsaDyHo06oAwX5qu3tW3pjtf0vnQqJWwwA6Mp4YJ/acHD/vVtt67hz +a0Upz0O2DEJetb3OaqI5yaNZ91y6i7sK0KTvBQxZHeJs+y5UjluHv3ptMUZvmsf0 +SiKysXnkg5mtsZSFlfM+U7dADq1zNb764NV5sSlmbDLEkvohQyg1p9gh2HX9Jk4A +e9nnF4hjw2U33HLBXwIDAQABo4GgMIGdMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E +FgQUR+YiAaq+68BPLD6l0UcvzlkcgvswHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj +IBBPM5iQn9QwDwYDVR0TAQH/BAUwAwEB/zA6BgNVHR8EMzAxMC+gLaArhilodHRw +Oi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDANBgkqhkiG9w0B +AQUFAAOBgQCs37zuSY/KkPigCvJevu+ewWy9GP2bFZi5EaxKuHGF+tYFZUNkyc06 +ACYMM3ADPM6dVUYeXIDZnPfV8BJFCpdoAHkSNlg341AVjabCOWtzOYolBn0ua8Wi +BM471XfzzXD7yMliek9J4fUn2vQU7MYgEkSAA53ZkMScGDkA/c1wMQ== +-----END CERTIFICATE----- + +RapidSSL +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG +EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM +IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0 +l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e 
+6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb +ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8 +N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5 +HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd +gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC +St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w +EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js +Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw +JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B +AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x +/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O +SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61 +04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4 +knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK +LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw== +-----END CERTIFICATE----- + +DigiCertEVRoot +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug +RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm ++9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW +PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM +xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB +Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 +hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg +EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA 
+FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec +nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z +eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF +hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 +Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep ++OkuE6N36B9K +-----END CERTIFICATE----- + +Tor1 +sha1/juNxSTv9UANmpC9kF5GKpmWNx3Y= +Tor2 +sha1/lia43lPolzSPVIq34Dw57uYcLD8= +Tor3 +sha1/rzEyQIKOh77j87n5bjWUNguXF8Y= + +VeriSignClass1 +-----BEGIN CERTIFICATE----- +MIICPTCCAaYCEQDNun9W8N/kvFT+IqyzcqpVMA0GCSqGSIb3DQEBAgUAMF8xCzAJ +BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh +c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 +NjAxMjkwMDAwMDBaFw0yODA4MDEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD +VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJp +bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIguVzqKCbJF0N +H8xlbgyw0FaEGIeaBpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzRQR +4k5FVmkfeAKA2txHkSm7NsljXMXg1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAATAN +BgkqhkiG9w0BAQIFAAOBgQBMP7iLxmjf7kMzDl3ppssHhE16M/+SG/Q2rdiVIjZo +EWx8QszznC7EBz8UsA9P/5CSdvnivErpj82ggAr3xSnxgiJduLHdgSOjeyUVRjB5 +FvjqBUuUfx3CHMjjt/QQQDwTw18fU+hI5Ia0e6E1sHslurjTjqs/OJ0ANACY89Fx +lA== +-----END CERTIFICATE----- + +VeriSignClass3_G4 +-----BEGIN CERTIFICATE----- +MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2ln +biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp +U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y +aXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJp 
+U2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwg +SW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2ln +biBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8Utpkmw4tXNherJI9/gHm +GUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGzrl0Bp3ve +fLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJ +aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYj +aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMW +kf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMDA2gAMGUCMGYhDBgmYFo4e1ZC +4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIxAJw9SDkjOVga +FRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA== +-----END CERTIFICATE----- + +VeriSignClass4_G3 +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQDsoKeLbnVqAc/EfMwvlF7XMA0GCSqGSIb3DQEBBQUAMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl +cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp +dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT +aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ +bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu +IENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3LpRFpxlmr8Y+1 +GQ9Wzsy1HyDkniYlS+BzZYlZ3tCD5PUPtbut8XzoIfzk6AzufEUiGXaStBO3IFsJ ++mGuqPKljYXCKtbeZjbSmwL0qJJgfJxptI8kHtCGUvYynEFYHiK9zUVilQhu0Gbd +U6LM8BDcVHOLBKFGMzNcF0C5nk3T875Vg+ixiY5afJqWIpA7iCXy0lOIAgwLePLm +NxdLMEYH5IBtptiWLugs+BGzOA1mppvqySNb247i8xOOGlktqgLw7KSHZtzBP/XY +ufTsgsbSPZUd5cBPhMnZo0QoBmrXRazwa2rvTl/4EYIeOGM0ZlDUPpNz+jDDZq3/ +ky2X7wMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAj/ola09b5KROJ1WrIhVZPMq1 
+CtRK26vdoV9TxaBXOcLORyu+OshWv8LZJxA6sQU8wHcxuzrTBXttmhwwjIDLk5Mq +g6sFUYICABFna/OIYUdfA5PVWw3g8dShMjWFsjrbsIKr0csKvE+MW8VLADsfKoKm +fjaF3H48ZwC15DtS4KjrXRX5xm3wrR0OhbepmnMUWluPQSjA1egtTaRezarZ7c7c +2NU8Qh0XwRJdRTjDOPP8hS6DRkiy1yBfkjaP53kPmF6Z6PDQpLv1U70qzlmwr25/ +bLvSHgCwIe34QWKCudiyxLtGUPMxxY8BqHTr9Xgn2uf3ZkPznoM+IKrDNWCRzg== +-----END CERTIFICATE----- + +VeriSignClass1_G3 +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQCLW3VWhFSFCwDPrzhIzrGkMA0GCSqGSIb3DQEBBQUAMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl +cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp +dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT +aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ +bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu +IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN2E1Lm0+afY8wR4 +nN493GwTFtl63SRRZsDHJlkNrAYIwpTRMx/wgzUfbhvI3qpuFU5UJ+/EbRrsC+MO +8ESlV8dAWB6jRx9x7GD2bZTIGDnt/kIYVt/kTEkQeE4BdjVjEjbdZrwBBDajVWjV +ojYJrKshJlQGrT/KFOCsyq0GHZXi+J3x4GD/wn91K0zM2v6HmSHquv4+VNfSWXjb +PG7PoBMAGrgnoeS+Z5bKoMWznN3JdZ7rMJpfo83ZrngZPyPpXNspva1VyBtUjGP2 +6KbqxzcSXKMpHgLZ2x87tNcPVkeBFQRKr4Mn0cVYiMHd9qqnoxjaaKptEVHhv2Vr +n5Z20T0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAq2aN17O6x5q25lXQBfGfMY1a +qtmqRiYPce2lrVNWYgFHKkTp/j90CxObufRNG7LRX7K20ohcs5/Ny9Sn2WCVhDr4 +wTcdYcrnsMXlkdpUpqwxga6X3s0IrLjAl4B/bnKk52kTlWUfxJM8/XmPBNQ+T+r3 +ns7NZ3xPZQL/kYVUc8f/NveGLezQXk//EZ9yBta4GvFMDSZl4kSAHsef493oCtrs +pSCAaWihT37ha88HQfqDjrw43bAuEbFrskLMmrz5SCJ5ShkPshw+IHTZasO+8ih4 +E1Z5T21Q6huwtVexN2ZYI/PcD98Kh8TvhgXVOBRgmaNL3gaWcSzy27YfpO8/7g== +-----END CERTIFICATE----- + +VeriSignClass2_G3 +-----BEGIN CERTIFICATE----- 
+MIIEGTCCAwECEGFwy0mMX5hFKeewptlQW3owDQYJKoZIhvcNAQEFBQAwgcoxCzAJ +BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVy +aVNpZ24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24s +IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNp +Z24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eSAtIEczMB4XDTk5MTAwMTAwMDAwMFoXDTM2MDcxNjIzNTk1OVowgcoxCzAJBgNV +BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNp +Z24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIElu +Yy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24g +Q2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAt +IEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArwoNwtUs22e5LeWU +J92lvuCwTY+zYVY81nzD9M0+hsuiiOLh2KRpxbXiv8GmR1BeRjmL1Za6tW8UvxDO +JxOeBUebMXoT2B/Z0wI3i60sR/COgQanDTAM6/c8DyAd3HJG7qUCyFvDyVZpTMUY +wZF7C9UTAJu878NIPkZgIIUq1ZC2zYugzDLdt/1AVbJQHFauzI13TccgTacxdu9o +koqQHgiBVrKtaaNS0MscxCM9H5n+TOgWY47GCI72MfbS+uV23bUckqNJzc0BzWjN +qWm6o+sdDZykIKbBoMXRRkwXbdKsZj+WjOCE1Db/IlnF+RFgqF8EffIa9iVCYQ/E +Srg+iQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA0JhU8wI1NQ0kdvekhktdmnLfe +xbjQ5F1fdiLAJvmEOjr5jLX77GDx6M4EsMjdpwOPMPOY36TmpDHf0xwLRtxyID+u +7gU8pDM/CzmscHhzS5kr3zDCVLCoO1Wh/hYozUK9dG6A2ydEp85EXdQbkJgNHkKU +sQAsBNB0owIFImNjzYO1+8FtYmtpdf1dcEG59b98377BMnMiIYtYgXsVkXq642RI +sH/7NiXaldDxJBQX3RiAa0YjOVT1jmIJBB2UkKab5iXiQkWquJCtvgiPqQtCGJTP +cjnhsUPgKM+351psE2tJs//jGHyJizNdrDPXp/naOlXJWBD5qu9ats9LS98q +-----END CERTIFICATE----- + +VeriSignClass3_G2 +-----BEGIN CERTIFICATE----- +MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ +BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh +c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy +MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp +emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X +DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw +FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg 
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo +YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5 +MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4 +pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0 +13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID +AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk +U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i +F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY +oJ2daZH9 +-----END CERTIFICATE----- + +VeriSignClass2_G2 +-----BEGIN CERTIFICATE----- +MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIHBMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0Ns +YXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH +MjE6MDgGA1UECxMxKGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9y +aXplZCB1c2Ugb25seTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazAe +Fw05ODA1MTgwMDAwMDBaFw0yODA4MDEyMzU5NTlaMIHBMQswCQYDVQQGEwJVUzEX +MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0NsYXNzIDIgUHVibGlj +IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjE6MDgGA1UECxMx +KGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s +eTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazCBnzANBgkqhkiG9w0B +AQEFAAOBjQAwgYkCgYEAp4gBIXQs5xoD8JjhlzwPIQjxnNuX6Zr8wgQGE75fUsjM +HiwSViy4AWkszJkfrbCWrnkE8hM5wXuYuggs6MKEEyyqaekJ9MepAqRCwiNPStjw +DqL7MWzJ5m+ZJwf15vRMeJ5t60aG+rmGyVTyssSv1EYcWskVMP8NbPUtDm3Of3cC +AwEAATANBgkqhkiG9w0BAQUFAAOBgQByLvl/0fFx+8Se9sVeUYpAmLho+Jscg9ji +nb3/7aHmZuovCfTK1+qlK5X2JGCGTUQug6XELaDTrnhpb3LabK4I8GOSN+a7xDAX +rXfMSTWqz9iP0b63GJZHc2pUIjRkLbYWm1lbtFFZOrMLFPQS32eg9K0yZF6xRnIn +jBJ7xUS0rg== +-----END CERTIFICATE----- + +VeriSignClass3_G5 +-----BEGIN CERTIFICATE----- +MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB +yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL 
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp +U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW +ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln +biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp +U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y +aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 +nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex +t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz +SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG +BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ +rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ +NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E +BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH +BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy +aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv +MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE +p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y +5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK +WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ +4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N +hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq +-----END CERTIFICATE----- + +VeriSignUniversal +-----BEGIN CERTIFICATE----- +MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB +vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL +ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp +U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W +ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe 
+Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX +MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0 +IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y +IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh +bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF +9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH +H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H +LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN +/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT +rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud +EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw +WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs +exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud +DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4 +sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+ +seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz +4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+ +BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR +lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3 +7M2CYfE45k+XmCpajQ== +-----END CERTIFICATE----- + +Twitter1 +sha1/Vv7zwhR9TtOIN/29MFI4cgHld40= + +GeoTrustGlobal2 +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMQswCQYDVQQGEwJVUzEW +MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3QgR2xvYmFs +IENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMTkwMzA0MDUwMDAwWjBEMQswCQYDVQQG +EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3Qg +R2xvYmFsIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvPE1A +PRDfO1MA4Wf+lGAVPoWI8YkNkMgoI5kF6CsgncbzYEbYwbLVjDHZ3CB5JIG/NTL8 +Y2nbsSpr7iFY8gjpeMtvy/wWUsiRxP89c96xPqfCfWbB9X5SJBri1WeR0IIQ13hL +TytCOb1kLUCgsBDTOEhGiKEMuzozKmKY+wCdE1l/bztyqu6mD4b5BWHqZ38MN5aL 
+5mkWRxHCJ1kDs6ZgwiFAVvqgx306E+PsV8ez1q6diYD3Aecs9pYrEw15LNnA5IZ7 +S4wMcoKK+xfNAGw6EzywhIdLFnopsk/bHdQL82Y3vdj2V7teJHq4PIu5+pIaGoSe +2HSPqht/XvT+RSIhAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE +FHE4NvICMVNHK266ZUapEBVYIAUJMB8GA1UdIwQYMBaAFHE4NvICMVNHK266ZUap +EBVYIAUJMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQUFAAOCAQEAA/e1K6td +EPx7srJerJsOflN4WT5CBP51o62sgU7XAotexC3IUnbHLB/8gTKY0UvGkpMzNTEv +/NgdRN3ggX+d6YvhZJFiCzkIjKx0nVnZellSlxG5FntvRdOW2TF9AjYPnDtuzywN +A0ZF66D0f0hExghAzN4bcLUprbqLOzRldRtxIR0sFAqwlpW41uryZfspuk/qkZN0 +abby/+Ea0AzRdoXLiiW9l14sbxWZJue2Kf8i7MkCx1YAzUm5s2x7UwQa4qjJqhIF +I8LO57sEAszAR6LkxCkvW0VXiVHuPOtSCP8HNR6fNWpHSlaY0VqFH4z1Ir+rzoPz +4iIprn2DQKi6bA== +-----END CERTIFICATE----- + +GeoTrustUniversal +-----BEGIN CERTIFICATE----- +MIIFaDCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEW +MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgVW5pdmVy +c2FsIENBMB4XDTA0MDMwNDA1MDAwMFoXDTI5MDMwNDA1MDAwMFowRTELMAkGA1UE +BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHjAcBgNVBAMTFUdlb1RydXN0 +IFVuaXZlcnNhbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKYV +VaCjxuAfjJ0hUNfBvitbtaSeodlyWL0AG0y/YckUHUWCq8YdgNY96xCcOq9tJPi8 +cQGeBvV8Xx7BDlXKg5pZMK4ZyzBIle0iN430SppyZj6tlcDgFgDgEB8rMQ7XlFTT +QjOgNB0eRXbdT8oYN+yFFXoZCPzVx5zw8qkuEKmS5j1YPakWaDwvdSEYfyh3peFh +F7em6fgemdtzbvQKoiFs7tqqhZJmr/Z6a4LauiIINQ/PQvE1+mrufislzDoR5G2v +c7J2Ha3QsnhnGqQ5HFELZ1aD/ThdDc7d8Lsrlh/eezJS/R27tQahsiFepdaVaH/w +mZ7cRQg+59IJDTWU3YBOU5fXtQlEIGQWFwMCTFMNaN7VqnJNk22CDtucvc+081xd +VHppCZbW2xHBjXWotM85yM48vCR85mLK4b19p71XZQvk/iXttmkQ3CgaRr0BHdCX +teGYO8A3ZNY9lO4L4fUorgtWv3GLIylBjobFS1J72HGrH4oVpjuDWtdYAVHGTEHZ +f9hBZ3KiKN9gg6meyHv8U3NyWfWTehd2Ds735VzZC1U0oqpbtWpU5xPKV+yXbfRe +Bi9Fi1jUIxaS5BZuKGNZMN9QAZxjiRqf2xeUgnA3wySemkfWWspOqGmJch+RbNt+ +nhutxx9z3SxPGWX9f5NAEC7S8O08ni4oPmkmM8V7AgMBAAGjYzBhMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFNq7LqqwDLiIJlF0XG0D08DYj3rWMB8GA1UdIwQY +MBaAFNq7LqqwDLiIJlF0XG0D08DYj3rWMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG 
+9w0BAQUFAAOCAgEAMXjmx7XfuJRAyXHEqDXsRh3ChfMoWIawC/yOsjmPRFWrZIRc +aanQmjg8+uUfNeVE44B5lGiku8SfPeE0zTBGi1QrlaXv9z+ZhP015s8xxtxqv6fX +IwjhmF7DWgh2qaavdy+3YL1ERmrvl/9zlcGO6JP7/TG37FcREUWbMPEaiDnBTzyn +ANXH/KttgCJwpQzgXQQpAvvLoJHRfNbDflDVnVi+QTjruXU8FdmbyUqDWcDaU/0z +uzYYm4UPFd3uLax2k7nZAY1IEKj79TiG8dsKxr2EoyNB3tZ3b4XUhRxQ4K5RirqN +Pnbiucon8l+f725ZDQbYKxek0nxru18UGkiPGkzns0ccjkxFKyDuSN/n3QmOGKja +QI2SJhFTYXNd673nxE0pN2HrrDktZy4W1vUAg4WhzH92xH3kt0tm7wNFYGm2DFKW +koRepqO1pD4r2czYG0eq8kTaT/kD6PAUyz/zg97QwVTjt+gKN02LIFkDMBmhLMi9 +ER/frslKxfMnZmaGrGiR/9nmUxwPi1xpZQomyB40w11Re9epnAahNt3ViZS82eQt +DF4JbAiXfKM9fJP/P6EUp8+1Xevb2xzEdt+Iub1FBZUbrvxGakyvSOPOrg/Sfuvm +bJxPgWp6ZKy7PtXny3YuxadIwVyQD8vIP/rmMuGNG2+k5o7Y+SlIis5z/iw= +-----END CERTIFICATE----- + +GeoTrustUniversal2 +-----BEGIN CERTIFICATE----- +MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEW +MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVy +c2FsIENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYD +VQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1 +c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0DE81 +WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUG +FF+3Qs17j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdq +XbboW0W63MOhBW9Wjo8QJqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxL +se4YuU6W3Nx2/zu+z18DwPw76L5GG//aQMJS9/7jOvdqdzXQ2o3rXhhqMcceujwb +KNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2WP0+GfPtDCapkzj4T8Fd +IgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP20gaXT73 +y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRt +hAAnZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgoc +QIgfksILAAX/8sgCSqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4 +Lt1ZrtmhN79UNdxzMk+MBB4zsslG8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAfBgNV +HSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8EBAMCAYYwDQYJ 
+KoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z +dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQ +L1EuxBRa3ugZ4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgr +Fg5fNuH8KrUwJM/gYwx7WBr+mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSo +ag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpqA1Ihn0CoZ1Dy81of398j9tx4TuaY +T1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpgY+RdM4kX2TGq2tbz +GDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiPpm8m +1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJV +OCiNUW7dFGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH +6aLcr34YEoP9VhdBLtUpgn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwX +QMAJKOSLakhT2+zNVVXxxvjpoixMptEmX36vWkzaH6byHCx+rgIW0lbQL1dTR+iS +-----END CERTIFICATE----- + +GeoTrustPrimary_G2 +-----BEGIN CERTIFICATE----- +MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDEL +MAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChj +KSAyMDA3IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2 +MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1OVowgZgxCzAJBgNV +BAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykgMjAw +NyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNV +BAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH +MjB2MBAGByqGSM49AgEGBSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcL +So17VDs6bl8VAsBQps8lL33KSLjHUGMcKiEIfJo22Av+0SbFWDEwKCXzXV2juLal +tJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO +BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+EVXVMAoG +CCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGT +qQ7mndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBucz +rD6ogRLQy7rQkgu2npaqBA+K +-----END CERTIFICATE----- + +GeoTrustPrimary_G3 +-----BEGIN CERTIFICATE----- +MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCB +mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT 
+MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s +eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIzNTk1OVowgZgxCzAJ +BgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg +MjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0 +BgNVBAMTLUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANziXmJYHTNXOTIz ++uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5jK/BGvESyiaHAKAxJcCGVn2TAppMSAmUm +hsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdEc5IiaacDiGydY8hS2pgn +5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3CIShwiP/W +JmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exAL +DmKudlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZC +huOl1UcCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw +HQYDVR0OBBYEFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IB +AQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9cr5HqQ6XErhK8WTTOd8lNNTB +zU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbEAp7aDHdlDkQN +kv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD +AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUH +SJsMC8tJP33st/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2G +spki4cErx5z481+oghLrGREt +-----END CERTIFICATE----- + +Entrust_2048 +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5u +ZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAuIGJ5IHJlZi4gKGxp +bWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNV +BAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQx +NzUwNTFaFw0yOTA3MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3 +d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl +MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5u +ZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 
+MIIBCgKCAQEArU1LqRKGsuqjIAcVFmQqK0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOL +Gp18EzoOH1u3Hs/lJBQesYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSr +hRSGlVuXMlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVTXTzW +nLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/HoZdenoVve8AjhUi +VBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH4QIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJ +KoZIhvcNAQEFBQADggEBADubj1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPy +T/4xmf3IDExoU8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf +zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5bu/8j72gZyxKT +J1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+bYQLCIt+jerXmCHG8+c8eS9e +nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE= +-----END CERTIFICATE----- + +Entrust_EV +-----BEGIN CERTIFICATE----- +MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC +VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0 +Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW +KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl +cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw +NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw +NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy +ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV +BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo +Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4 +4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9 +KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI +rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi +94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB +sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi 
+gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo +kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE +vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA +A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t +O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua +AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP +9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/ +eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m +0vdXcDazv/wor3ElhVsT/h5/WrQ8 +-----END CERTIFICATE----- + +Entrust_G2 +-----BEGIN CERTIFICATE----- +MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC +VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 +cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs +IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz +dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy +NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu +dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt +dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 +aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T +RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN +cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW +wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 +U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 +jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN +BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ +jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ +Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v 
+1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R +nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH +VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g== +-----END CERTIFICATE----- + +Entrust_SSL +-----BEGIN CERTIFICATE----- +MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC +VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u +ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc +KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u +ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1 +MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE +ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j +b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF +bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg +U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA +A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/ +I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3 +wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC +AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb +oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5 +BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p +dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk +MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp +b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu +dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0 +MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi +E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa +MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI +hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN +95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd +2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI= +-----END CERTIFICATE----- + 
+AAACertificateServices +-----BEGIN CERTIFICATE----- +MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb +MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow +GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj +YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL +MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE +BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM +GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua +BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe +3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4 +YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR +rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm +ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU +oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF +MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v +QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t +b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF +AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q +GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz +Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2 +G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi +l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3 +smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== +-----END CERTIFICATE----- + +AddTrustClass1CARoot +-----BEGIN CERTIFICATE----- +MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU +MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 +b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw +MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML +QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD 
+VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul +CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n +tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl +dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch +PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC ++Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O +BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E +BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl +MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk +ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB +IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X +7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz +43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY +eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl +pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA +WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk= +-----END CERTIFICATE----- + +AddTrustExternalCARoot +-----BEGIN CERTIFICATE----- +MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU +MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs +IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 +MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux +FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h +bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt +H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 +uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX +mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX +a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN +E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD +VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 +Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU +cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx +IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN +AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH +YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 +6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC +Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX +c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a +mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= +-----END CERTIFICATE----- + +AddTrustPublicCARoot +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBkMQswCQYDVQQGEwJTRTEU +MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 +b3JrMSAwHgYDVQQDExdBZGRUcnVzdCBQdWJsaWMgQ0EgUm9vdDAeFw0wMDA1MzAx +MDQxNTBaFw0yMDA1MzAxMDQxNTBaMGQxCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtB +ZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIDAeBgNV +BAMTF0FkZFRydXN0IFB1YmxpYyBDQSBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA6Rowj4OIFMEg2Dybjxt+A3S72mnTRqX4jsIMEZBRpS9mVEBV +6tsfSlbunyNu9DnLoblv8n75XYcmYZ4c+OLspoH4IcUkzBEMP9smcnrHAZcHF/nX +GCwwfQ56HmIexkvA/X1id9NEHif2P0tEs7c42TkfYNVRknMDtABp4/MUTu7R3AnP +dzRGULD4EfL+OHn3Bzn+UZKXC1sIXzSGAa2Il+tmzV7R/9x98oTaunet3IAIx6eH +1lWfl2royBFkuucZKT8Rs3iQhCBSWxHveNCD9tVIkNAwHM+A+WD+eeSI8t0A65RF +62WUaUC6wNW0uLp9BBGo6zEFlpROWCGOn9Bg/QIDAQABo4HRMIHOMB0GA1UdDgQW +BBSBPjfYkrAfd59ctKtzquf2NGAv+jALBgNVHQ8EBAMCAQYwDwYDVR0TAQH/BAUw +AwEB/zCBjgYDVR0jBIGGMIGDgBSBPjfYkrAfd59ctKtzquf2NGAv+qFopGYwZDEL +MAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQLExRBZGRU +cnVzdCBUVFAgTmV0d29yazEgMB4GA1UEAxMXQWRkVHJ1c3QgUHVibGljIENBIFJv +b3SCAQEwDQYJKoZIhvcNAQEFBQADggEBAAP3FUr4JNojVhaTdt02KLmuG7jD8WS6 +IBh4lSknVwW8fCr0uVFV2ocC3g8WFzH4qnkuCRO7r7IgGRLlk/lL+YPoRNWyQSW/ 
+iHVv/xD8SlTQX/D67zZzfRs2RcYhbbQVuE7PnFylPVoAjgbjPGsye/Kf8Lb93/Ao +GEjwxrzQvzSAlsJKsW2Ox5BF3i9nrEUEo3rcVZLJR2bYGozH7ZxOmuASu7VqTITh +4SINhwBk/ox9Yjllpu9CtoAlEmEBqCQTcAARJl/6NVDFSMwGR+gn2HCNX2TmoUQm +XiLsks3/QppEIW1cxeMiHV9HEufOX1362KqxMy3ZdvJOOjMMK7MtkAY= +-----END CERTIFICATE----- + +AddTrustQualifiedCARoot +-----BEGIN CERTIFICATE----- +MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJTRTEU +MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 +b3JrMSMwIQYDVQQDExpBZGRUcnVzdCBRdWFsaWZpZWQgQ0EgUm9vdDAeFw0wMDA1 +MzAxMDQ0NTBaFw0yMDA1MzAxMDQ0NTBaMGcxCzAJBgNVBAYTAlNFMRQwEgYDVQQK +EwtBZGRUcnVzdCBBQjEdMBsGA1UECxMUQWRkVHJ1c3QgVFRQIE5ldHdvcmsxIzAh +BgNVBAMTGkFkZFRydXN0IFF1YWxpZmllZCBDQSBSb290MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA5B6a/twJWoekn0e+EV+vhDTbYjx5eLfpMLXsDBwq +xBb/4Oxx64r1EW7tTw2R0hIYLUkVAcKkIhPHEWT/IhKauY5cLwjPcWqzZwFZ8V1G +87B4pfYOQnrjfxvM0PC3KP0q6p6zsLkEqv32x7SxuCqg+1jxGaBvcCV+PmlKfw8i +2O+tCBGaKZnhqkRFmhJePp1tUvznoD1oL/BLcHwTOK28FSXx1s6rosAx1i+f4P8U +WfyEk9mHfExUE+uf0S0R+Bg6Ot4l2ffTQO2kBhLEO+GRwVY18BTcZTYJbqukB8c1 +0cIDMzZbdSZtQvESa0NvS3GU+jQd7RNuyoB/mC9suWXY6QIDAQABo4HUMIHRMB0G +A1UdDgQWBBQ5lYtii1zJ1IC6WA+XPxUIQ8yYpzALBgNVHQ8EBAMCAQYwDwYDVR0T +AQH/BAUwAwEB/zCBkQYDVR0jBIGJMIGGgBQ5lYtii1zJ1IC6WA+XPxUIQ8yYp6Fr +pGkwZzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMR0wGwYDVQQL +ExRBZGRUcnVzdCBUVFAgTmV0d29yazEjMCEGA1UEAxMaQWRkVHJ1c3QgUXVhbGlm +aWVkIENBIFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBABmrder4i2VhlRO6aQTv +hsoToMeqT2QbPxj2qC0sVY8FtzDqQmodwCVRLae/DLPt7wh/bDxGGuoYQ992zPlm +hpwsaPXpF/gxsxjE1kh9I0xowX67ARRvxdlu3rsEQmr49lx95dr6h+sNNVJn0J6X +dgWTP5XHAeZpVTh/EGGZyeNfpso+gmNIquIISD6q8rKFYqa0p9m9N5xotS1WfbC3 +P6CxB9bpT9zeRXEwMn8bLgn5v1Kh7sKAPgZcLlVAwRv1cEWw3F369nJad9Jjzc9Y +iQBCYz95OdBEsIJuQRno3eDBiFrRHnGTHyQwdOUeqN48Jzd/g66ed8/wMLH/S5no +xqE= +-----END CERTIFICATE----- + +COMODOCertificationAuthority +-----BEGIN CERTIFICATE----- +MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB 
+gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV +BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw +MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl +YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P +RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3 +UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI +2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8 +Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp ++2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+ +DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O +nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW +/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g +PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u +QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY +SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv +IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/ +RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4 +zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd +BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB +ZQ== +-----END CERTIFICATE----- + +SecureCertificateServices +-----BEGIN CERTIFICATE----- +MIIEPzCCAyegAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJHQjEb +MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow +GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEkMCIGA1UEAwwbU2VjdXJlIENlcnRp +ZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVow +fjELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G +A1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxJDAiBgNV +BAMMG1NlY3VyZSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEB 
+BQADggEPADCCAQoCggEBAMBxM4KK0HDrc4eCQNUd5MvJDkKQ+d40uaG6EfQlhfPM +cm3ye5drswfxdySRXyWP9nQ95IDC+DwN879A6vfIUtFyb+/Iq0G4bi4XKpVpDM3S +HpR7LZQdqnXXs5jLrLxkU0C8j6ysNstcrbvd4JQX7NFc0L/vpZXJkMWwrPsbQ996 +CF23uPJAGysnnlDOXmWCiIxe004MeuoIkbY2qitC++rCoznl2yY4rYsK7hljxxwk +3wN42ubqwUcaCwtGCd0C/N7Lh1/XMGNooa7cMqG6vv5Eq2i2pRcV/b3Vp6ea5EQz +6YiO/O1R65NxTq0B50SOqy3LqP4BSUjwwN3HaNiS/j0CAwEAAaOBxzCBxDAdBgNV +HQ4EFgQUPNiTiMLAggnMAZkGkyDpnnAJY08wDgYDVR0PAQH/BAQDAgEGMA8GA1Ud +EwEB/wQFMAMBAf8wgYEGA1UdHwR6MHgwO6A5oDeGNWh0dHA6Ly9jcmwuY29tb2Rv +Y2EuY29tL1NlY3VyZUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDmgN6A1hjNodHRw +Oi8vY3JsLmNvbW9kby5uZXQvU2VjdXJlQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmww +DQYJKoZIhvcNAQEFBQADggEBAIcBbSMdflsXfcFhMs+P5/OKlFlm4J4oqF7Tt/Q0 +5qo5spcWxYJvMqTpjOev/e/C6LlLqqP05tqNZSH7uoDrJiiFGv45jN5bBAS0VPmj +Z55B+glSzAVIqMk/IQQezkhr/IXownuvf7fM+F86/TXGDe+X3EyrEeFryzHRbPtI +gKvcnDe4IRRLDXE97IMzbtFuMhbsmMcWi1mmNKsFVy2T96oTy9IT4rcuO81rUBcJ +aD61JlfutuC23bkpgHl9j6PwpCikFcSF9CfUa7/lXORlAnZUtOM3ZiTTGWHIUhDl +izeauan5Hb/qmZJhlv8BzaFfDbxxvA6sCx1HRR3B7Hzs/Sk= +-----END CERTIFICATE----- + +TrustedCertificateServices +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJHQjEb +MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow +GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDElMCMGA1UEAwwcVHJ1c3RlZCBDZXJ0 +aWZpY2F0ZSBTZXJ2aWNlczAeFw0wNDAxMDEwMDAwMDBaFw0yODEyMzEyMzU5NTla +MH8xCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO +BgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1pdGVkMSUwIwYD +VQQDDBxUcnVzdGVkIENlcnRpZmljYXRlIFNlcnZpY2VzMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA33FvNlhTWvI2VFeAxHQIIO0Yfyod5jWaHiWsnOWW +fnJSoBVC21ndZHoa0Lh73TkVvFVIxO06AOoxEbrycXQaZ7jPM8yoMa+j49d/vzMt +TGo87IvDktJTdyR0nAducPy9C1t2ul/y/9c3S0pgePfw+spwtOpZqqPOSC+pw7IL +fhdyFgymBwwbOM/JYrc/oJOlh0Hyt3BAd9i+FHzjqMB6juljatEPmsbS9Is6FARW +1O24zG71++IsWL1/T2sr92AkWCTOJu80kTrV44HQsvAEAtdbtz6SrGsSivnkBbA7 +kUlcsutT6vifR4buv5XAwAaf0lteERv0xwQ1KdJVXOTt6wIDAQABo4HJMIHGMB0G 
+A1UdDgQWBBTFe1i97doladL3WRaoszLAeydb9DAOBgNVHQ8BAf8EBAMCAQYwDwYD +VR0TAQH/BAUwAwEB/zCBgwYDVR0fBHwwejA8oDqgOIY2aHR0cDovL2NybC5jb21v +ZG9jYS5jb20vVHJ1c3RlZENlcnRpZmljYXRlU2VydmljZXMuY3JsMDqgOKA2hjRo +dHRwOi8vY3JsLmNvbW9kby5uZXQvVHJ1c3RlZENlcnRpZmljYXRlU2VydmljZXMu +Y3JsMA0GCSqGSIb3DQEBBQUAA4IBAQDIk4E7ibSvuIQSTI3S8NtwuleGFTQQuS9/ +HrCoiWChisJ3DFBKmwCL2Iv0QeLQg4pKHBQGsKNoBXAxMKdTmw7pSqBYaWcOrp32 +pSxBvzwGa+RZzG0Q8ZZvH9/0BAKkn0U+yNj6NkZEUD+Cl5EfKNsYEYwq5GWDVxIS +jBc/lDb+XbDABHcTuPQV1T84zJQ6VdCsmPW6AF/ghhmBeC8owH7TzEIK9a5QoNE+ +xqFx7D+gIIxmOom0jtTYsU0lR+4viMi14QVFwL4Ucd56/Y57fU0IlqUSc/Atyjcn +dBInTMu2l+nZrghtWjlA3QVHdWpaIbOjGM9O9y5Xt5hwXsjEeLBi +-----END CERTIFICATE----- + +UTNDATACorpSGC +-----BEGIN CERTIFICATE----- +MIIEXjCCA0agAwIBAgIQRL4Mi1AAIbQR0ypoBqmtaTANBgkqhkiG9w0BAQUFADCB +kzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug +Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho +dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xGzAZBgNVBAMTElVUTiAtIERBVEFDb3Jw +IFNHQzAeFw05OTA2MjQxODU3MjFaFw0xOTA2MjQxOTA2MzBaMIGTMQswCQYDVQQG +EwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYD +VQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cu +dXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNvcnAgU0dDMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3+5YEKIrblXEjr8uRgnn4AgPLit6 +E5Qbvfa2gI5lBZMAHryv4g+OGQ0SR+ysraP6LnD43m77VkIVni5c7yPeIbkFdicZ +D0/Ww5y0vpQZY/KmEQrrU0icvvIpOxboGqBMpsn0GFlowHDyUwDAXlCCpVZvNvlK +4ESGoE1O1kduSUrLZ9emxAW5jh70/P/N5zbgnAVssjMiFdC04MwXwLLA9P4yPykq +lXvY8qdOD1R8oQ2AswkDwf9c3V6aPryuvEeKaq5xyh+xKrhfQgUL7EYw0XILyulW +bfXv33i+Ybqypa4ETLyorGkVl73v67SMvzX41MPRKA5cOp9wGDMgd8SirwIDAQAB +o4GrMIGoMAsGA1UdDwQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRT +MtGzz3/64PGgXYVOktKeRR20TzA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3Js +LnVzZXJ0cnVzdC5jb20vVVROLURBVEFDb3JwU0dDLmNybDAqBgNVHSUEIzAhBggr +BgEFBQcDAQYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMA0GCSqGSIb3DQEBBQUAA4IB +AQAnNZcAiosovcYzMB4p/OL31ZjUQLtgyr+rFywJNn9Q+kHcrpY6CiM+iVnJowft 
+Gzet/Hy+UUla3joKVAgWRcKZsYfNjGjgaQPpxE6YsjuMFrMOoAyYUJuTqXAJyCyj +j98C5OBxOvG0I3KgqgHf35g+FFCgMSa9KOlaMCZ1+XtgHI3zzVAmbQQnmt/VDUVH +KWss5nbZqSl9Mt3JNjy9rjXxEZ4du5A/EkdOjtd+D2JzHVImOBwYSf0wdJrE5SIv +2MCN7ZF6TACPcn9d2t0bi0Vr591pl6jFVkwPDPafepE39peC4N1xaf92P2BNPM/3 +mfnGV/TJVTl4uix5yaaIK/QI +-----END CERTIFICATE----- + +UTNUSERFirstClientAuthenticationandEmail +-----BEGIN CERTIFICATE----- +MIIEojCCA4qgAwIBAgIQRL4Mi1AAJLQR0zYlJWfJiTANBgkqhkiG9w0BAQUFADCB +rjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug +Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho +dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xNjA0BgNVBAMTLVVUTi1VU0VSRmlyc3Qt +Q2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBFbWFpbDAeFw05OTA3MDkxNzI4NTBa +Fw0xOTA3MDkxNzM2NThaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAV +BgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5l +dHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UE +AxMtVVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWls +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsjmFpPJ9q0E7YkY3rs3B +YHW8OWX5ShpHornMSMxqmNVNNRm5pELlzkniii8efNIxB8dOtINknS4p1aJkxIW9 +hVE1eaROaJB7HHqkkqgX8pgV8pPMyaQylbsMTzC9mKALi+VuG6JG+ni8om+rWV6l +L8/K2m2qL+usobNqqrcuZzWLeeEeaYji5kbNoKXqvgvOdjp6Dpvq/NonWz1zHyLm +SGHGTPNpsaguG7bUMSAsvIKKjqQOpdeJQ/wWWq8dcdcRWdq6hw2v+vPhwvCkxWeM +1tZUOt4KpLoDd7NlyP0e03RiqhjKaJMeoYV+9Udly/hNVyh00jT/MLbu9mIwFIws +6wIDAQABo4G5MIG2MAsGA1UdDwQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud +DgQWBBSJgmd9xJ0mcABLtFBIfN49rgRufTBYBgNVHR8EUTBPME2gS6BJhkdodHRw +Oi8vY3JsLnVzZXJ0cnVzdC5jb20vVVROLVVTRVJGaXJzdC1DbGllbnRBdXRoZW50 +aWNhdGlvbmFuZEVtYWlsLmNybDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH +AwQwDQYJKoZIhvcNAQEFBQADggEBALFtYV2mGn98q0rkMPxTbyUkxsrt4jFcKw7u +7mFVbwQ+zznexRtJlOTrIEy05p5QLnLZjfWqo7NK2lYcYJeA3IKirUq9iiv/Cwm0 +xtcgBEXkzYABurorbs6q15L+5K/r9CYdFip/bDCVNy8zEqx/3cfREYxRmLLQo5HQ +rfafnoOTHh1CuEava2bwm3/q4wMC5QJRwarVNZ1yQAOJujEdxRBoUp7fooXFXAim +eOZTT7Hot9MUnpOmw2TjrH5xzbyf6QMbzPvprDHBr3wVdAKZw7JHpsIyYdfHb0gk 
+USeh1YdV8nuPmD0Wnu51tvjQjvLzxq4oW6fw8zYX/MMF08oDSlQ= +-----END CERTIFICATE----- + +UTNUSERFirstHardware +-----BEGIN CERTIFICATE----- +MIIEdDCCA1ygAwIBAgIQRL4Mi1AAJLQR0zYq/mUK/TANBgkqhkiG9w0BAQUFADCB +lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug +Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho +dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt +SGFyZHdhcmUwHhcNOTkwNzA5MTgxMDQyWhcNMTkwNzA5MTgxOTIyWjCBlzELMAkG +A1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe +MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8v +d3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3QtSGFyZHdh +cmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx98M4P7Sof885glFn +0G2f0v9Y8+efK+wNiVSZuTiZFvfgIXlIwrthdBKWHTxqctU8EGc6Oe0rE81m65UJ +M6Rsl7HoxuzBdXmcRl6Nq9Bq/bkqVRcQVLMZ8Jr28bFdtqdt++BxF2uiiPsA3/4a +MXcMmgF6sTLjKwEHOG7DpV4jvEWbe1DByTCP2+UretNb+zNAHqDVmBe8i4fDidNd +oI6yqqr2jmmIBsX6iSHzCJ1pLgkzmykNRg+MzEk0sGlRvfkGzWitZky8PqxhvQqI +DsjfPe58BEydCl5rkdbux+0ojatNh4lz0G6k0B4WixThdkQDf2Os5M1JnMWS9Ksy +oUhbAgMBAAGjgbkwgbYwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYD +VR0OBBYEFKFyXyYbKJhDlV0HN9WFlp1L0sNFMEQGA1UdHwQ9MDswOaA3oDWGM2h0 +dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0LUhhcmR3YXJlLmNy +bDAxBgNVHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMGBggrBgEF +BQcDBzANBgkqhkiG9w0BAQUFAAOCAQEARxkP3nTGmZev/K0oXnWO6y1n7k57K9cM +//bey1WiCuFMVGWTYGufEpytXoMs61quwOQt9ABjHbjAbPLPSbtNk28Gpgoiskli +CE7/yMgUsogWXecB5BKV5UU0s4tpvc+0hY91UZ59Ojg6FEgSxvunOxqNDYJAB+gE +CJChicsZUN/KHAG8HQQZexB2lzvukJDKxA4fFm517zP4029bHpbj4HR3dHuKom4t +3XbWOTCC8KucUvIqx69JXn7HaOWCgchqJ/kniCrVWFCVH/A7HFe7fRQ5YiuayZSS +KqMiDP+JJn1fIytH1xUdqWqeUQ0qUZ6B+dQ7XnASfxAynB67nfhmqA== +-----END CERTIFICATE----- + +UTNUSERFirstObject +-----BEGIN CERTIFICATE----- +MIIEZjCCA06gAwIBAgIQRL4Mi1AAJLQR0zYt4LNfGzANBgkqhkiG9w0BAQUFADCB +lTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug +Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho 
+dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHTAbBgNVBAMTFFVUTi1VU0VSRmlyc3Qt +T2JqZWN0MB4XDTk5MDcwOTE4MzEyMFoXDTE5MDcwOTE4NDAzNlowgZUxCzAJBgNV +BAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxHjAc +BgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMYaHR0cDovL3d3 +dy51c2VydHJ1c3QuY29tMR0wGwYDVQQDExRVVE4tVVNFUkZpcnN0LU9iamVjdDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6qgT+jo2F4qjEAVZURnicP +HxzfOpuCaDDASmEd8S8O+r5596Uj71VRloTN2+O5bj4x2AogZ8f02b+U60cEPgLO +KqJdhwQJ9jCdGIqXsqoc/EHSoTbL+z2RuufZcDX65OeQw5ujm9M89RKZd7G3CeBo +5hy485RjiGpq/gt2yb70IuRnuasaXnfBhQfdDWy/7gbHd2pBnqcP1/vulBe3/IW+ +pKvEHDHd17bR5PDv3xaPslKT16HUiaEHLr/hARJCHhrh2JU022R5KP+6LhHC5ehb +kkj7RwvCbNqtMoNB86XlQXD9ZZBt+vpRxPm9lisZBCzTbafc8H9vg2XiaquHhnUC +AwEAAaOBrzCBrDALBgNVHQ8EBAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQU2u1kdBScFDyr3ZmpvVsoTYs8ydgwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDov +L2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VSRmlyc3QtT2JqZWN0LmNybDApBgNV +HSUEIjAgBggrBgEFBQcDAwYIKwYBBQUHAwgGCisGAQQBgjcKAwQwDQYJKoZIhvcN +AQEFBQADggEBAAgfUrE3RHjb/c652pWWmKpVZIC1WkDdIaXFwfNfLEzIR1pp6ujw +NTX00CXzyKakh0q9G7FzCL3Uw8q2NbtZhncxzaeAFK4T7/yxSPlrJSUtUbYsbUXB +mMiKVl0+7kNOPmsnjtA6S4ULX9Ptaqd1y9Fahy85dRNacrACgZ++8A+EVCBibGnU +4U3GDZlDAQ0Slox4nb9QorFEqmrPF3rPbw/U+CRVX/A0FklmPlBGyWNxODFiuGK5 +81OtbLUrohKqGU8J2l7nk8aOFAj+8DCAGKCGhU3IfdeLA/5u1fedFqySLKAj5ZyR +Uh+U3xeUc8OzwcFxBSAAeL0TUh2oPs0AH8g= +-----END CERTIFICATE----- + +GTECyberTrustGlobalRoot +-----BEGIN CERTIFICATE----- +MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD +VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv +bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv +b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV +UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU +cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds +b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH +iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS 
+r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4 +04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r +GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9 +3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P +lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/ +-----END CERTIFICATE----- + +Tor2web +-----BEGIN CERTIFICATE----- +MIIEgjCCA2qgAwIBAgISESHiIwbyj8tbXjvCF3lADzOxMA0GCSqGSIb3DQEBBQUA +MC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQDExBBbHBoYVNTTCBDQSAtIEcy +MB4XDTExMTIwNTEyMzYzMVoXDTE2MTIwNTA0NTk1OFowSDELMAkGA1UEBhMCREUx +ITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEWMBQGA1UEAxQNKi50 +b3Iyd2ViLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJZ/olAy +7o+W0soGoxD5xWXGVKa3cQdv/daqwDyFhGINhVgsm3GS3Oo2XLAYvyvlUFceuy2v +fRecb431lh7xtLhPpr5nZL/T0cjUxffstxSt5HI5BQ5Q/TFLA4iJQDzJgiNld0DJ +RYd8gGADwh5cVBjvAtRouUbFw75b1/4hR3kJnQsHutvglLjWHmZtf/ZoZ39CbR1a +LBJpEPoWkVqJ9LrvgA+aJ1wmi+oKLfSYQkDEn30DBeVxBZBp6tRc93eGqK1skzpG +2Sof9cmlRNIXp8plYBvtsV3LKrFlBXvQRr+hhpjrqGNib02ynyJdRij7tOCLHfqW +UitjVQVOWoGs49MCAwEAAaOCAX4wggF6MA4GA1UdDwEB/wQEAwIFoDBNBgNVHSAE +RjBEMEIGCisGAQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv +YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wJQYDVR0RBB4wHIINKi50b3Iyd2ViLm9y +Z4ILdG9yMndlYi5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDIuYWxwaGFzc2wu +Y29tL2dzL2dzYWxwaGFnMi5jcmwwTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzAC +hjBodHRwOi8vc2VjdXJlMi5hbHBoYXNzbC5jb20vY2FjZXJ0L2dzYWxwaGFnMi5j +cnQwHQYDVR0OBBYEFLE3Bo2XTl90LORxYwgr2pPD06tSMB8GA1UdIwQYMBaAFBTq +GVXwDg0yxh90M7eOZhpMEjEeMA0GCSqGSIb3DQEBBQUAA4IBAQAyOUFr9R7EKzPP +B8UsWT5ckA/TNlOqbdo6fvqshQfH/FHUQja28IbYcpBiC2XsMov+r7WNiH3lh1CF +WKT1SwfO6a0I/58CL36pL/asWv/onlDYgAsCwr1j7qcSiROZlpLD+tehiCE70afa ++3VlyoGsbKVZ2A7MrXnxIaYhmhe4Y+238PwyBT74fpBvwoFIcbccwWEST8J2y2YW +4+SWm4pJtcJxJH/uJ8qzvZLwjzcgFKQbBLVtl+SRAblFSj64YuO9Xu97+nta1HuL +fmLvlwIO/yvONapjePASH6prPdmWvj3Clqz381mkU1pLpxTgHQqeoP87DYi8z084 ++maO9AY4 +-----END CERTIFICATE----- + 
+AlphaSSL_G2 +-----BEGIN CERTIFICATE----- +MIIELzCCAxegAwIBAgILBAAAAAABL07hNwIwDQYJKoZIhvcNAQEFBQAwVzELMAkG +A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv +b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw +MDBaFw0yMjA0MTMxMDAwMDBaMC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQD +ExBBbHBoYVNTTCBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAw/BliN8b3caChy/JC7pUxmM/RnWsSxQfmHKLHBD/CalSbi9l32WEP1+Bstjx +T9fwWrvJr9Ax3SZGKpme2KmjtrgHxMlx95WE79LqH1Sg5b7kQSFWMRBkfR5jjpxx +XDygLt5n3MiaIPB1yLC2J4Hrlw3uIkWlwi80J+zgWRJRsx4F5Tgg0mlZelkXvhpL +OQgSeTObZGj+WIHdiAxqulm0ryRPYeDK/Bda0jxyq6dMt7nqLeP0P5miTcgdWPh/ +UzWO1yKIt2F2CBMTaWawV1kTMQpwgiuT1/biQBXQHQFyxxNYalrsGYkWPODIjYYq ++jfwNTLd7OX+gI73BWe0i0J1NQIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEG +MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFBTqGVXwDg0yxh90M7eOZhpM +EjEeMEUGA1UdIAQ+MDwwOgYEVR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3 +dy5hbHBoYXNzbC5jb20vcmVwb3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0 +cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8w +LQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAf +BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUFAAOC +AQEABjBCm89JAn6J6fWDWj0C87yyRt5KUO65mpBz2qBcJsqCrA6ts5T6KC6y5kk/ +UHcOlS9o82U8nxTyaGCStvwEDfakGKFpYA3jnWhbvJ4LOFmNIdoj+pmKCbkfpy61 +VWxH50Hs5uJ/r1VEOeCsdO5l0/qrUUgw8T53be3kD0CY7kd/jbZYJ82Sb2AjzAKb +WSh4olGd0Eqc5ZNemI/L7z/K/uCvpMlbbkBYpZItvV1lVcW/fARB2aS1gOmUYAIQ +OGoICNdTHC2Tr8kTe9RsxDrE+4CsuzpOVHrNTrM+7fH8EU6f9fMUvLmxMc72qi+l ++MPpZqmyIJ3E+LgDYqeF0RhjWw== +-----END CERTIFICATE----- + +CryptoCat1 +-----BEGIN CERTIFICATE----- +MIIHtTCCBp2gAwIBAgIQBQJvUvveB1Ep7CH9FkuAMjANBgkqhkiG9w0BAQUFADBm +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBDQS0zMB4XDTEyMTEwOTAwMDAwMFoXDTE1MDExMjEyMDAwMFowczELMAkGA1UE +BhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzERMA8GA1UEBxMITW9udHJlYWwxFzAVBgNV +BAoTDk5hZGltIEtvYmVpc3NpMRIwEAYDVQQLEwlDcnlwdG9jYXQxEzARBgNVBAMT 
+CmNyeXB0by5jYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDS1vdN +oZ+gNyjs3RnyQ0ZfQ8aGeRvnzYBZsZawwmRN/aSzdYhwxENAKr1wUnJk7aiXhYWq +Z+ME/GUI8/89LHyHImQtVxTVRgfDSQSeciP7fplJGDNTz9+IOS849doom2sTsolH +WJtJ/ggSDX4igDc+6/c3D1rz34gAGspQ1XK2TZEcPvN6+IW9a+BUqYMfyRZmoft6 +YfDDf8S36weyyIASoRc9nB02wvOJ/7ME8sbExXbUEjQBr/HFcI3IwElft32zLsVu +NWdYz0TsFHG5tPhHSGQ/QI85uON4TJthlu3T0lV//T5nME2hijRcMo4C/yD+JK5Y +4h0tLCHrce4xx4au4EPF2YoGO8IEPVlQLJb5Yz92vQaAA15NnDSCVlb4Tfe6zwsf +7qBBobM9A1ZTKDtQiZZLHIACmJ4EfENtSFE+On3y31vvkaWXRROgo1Z0ECNBynb4 +ubPTlR2ZlAeE7Qp3b3GdMmnIP8QPn6tSxqYEveLwqOhXD/Upa5qxjnbbwQk1SRpA +Pbvz5waGzA/9UXLwcgJguqh3cLIuKmOysCG6qiSkpfzSdeCDa4vheLJl+rUbS0DV +abcRkRUmzRvNCeYYlTe6I0gHRC1UPef8aj2ppinw+9dWiQVxhjjIhw8JyGjM5Qg9 +NH5lDyXEuoS7f/VOTOOhAHvHSl5Ec/iXYU7PpQIDAQABo4IDUDCCA0wwHwYDVR0j +BBgwFoAUUOpzidsp+xCPnuUBINTeeZlIg/cwHQYDVR0OBBYEFPtM/u402qRHQsv4 +C3aUc3BKnofhMCUGA1UdEQQeMByCCmNyeXB0by5jYXSCDnd3dy5jcnlwdG8uY2F0 +MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw +YQYDVR0fBFowWDAqoCigJoYkaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL2NhMy1n +MTYuY3JsMCqgKKAmhiRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vY2EzLWcxNi5j +cmwwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwBATCCAaQwOgYIKwYBBQUH +AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o +dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0 +AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1 +AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp +AGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl +AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo +AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg +AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg +AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wewYIKwYBBQUHAQEEbzBtMCQGCCsG +AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0 +dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VD +QS0zLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQBlJ+AAe5Il 
+9Tj9ZD7Equ9JjdbKi5srhjEDtDXtvl/2ga8Bjbh2qs0Qb18DtfpdTdIPuDF2KKjW
+kIQabl4h8s5NcQ/U7+AssAyKZGjiHs40G0iAlHpMeo/YzzEVqfoG+AT6c8caL4b0
+M2FnRee23OuKUdPixln3iShViViKt29NqDliIu4/IaeB7WkgJgljtIPNPZVoNqXa
+TvwjIDhO+wtc3qXjtO1zej3+GBmGz7RcZckturc2pZe3NRWQ7wO8ZzWShWU/ii3z
+2PftKlqZo3WAeJoUCPtQNsLnBFGvdUx2rUZwMhdgPuGeV4kEULAtu8M74xR5/Opz
+nRGP22zr1K4q
+-----END CERTIFICATE-----
diff --git a/util/transport_security_state_static.json b/util/transport_security_state_static.json
new file mode 100644
index 00000000..be0d54ea
--- /dev/null
+++ b/util/transport_security_state_static.json
@@ -0,0 +1,579 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This file contains the HSTS preloaded list in a machine readable format.
+
+// The top-level element is a dictionary with two keys: "pinsets" maps details
+// of certificate pinning to a name and "entries" contains the HSTS details for
+// each host.
+//
+// "pinsets" is a list of objects. Each object has the following members:
+// name: (string) the name of the pinset
+// static_spki_hashes: (list of strings) the set of allowed SPKIs hashes
+// bad_static_spki_hashes: (optional list of strings) the set of forbidden SPKIs hashes
+//
+// For a given pinset, a certifiacte is accepted if at least one of the
+// "static_spki_hashes" SPKIs is found in the chain and none of the "bad_static_spki_hashes" SPKIs are.
+// SPKIs are specified as names, which must match up with the file of
+// certificates.
+//
+// "entries" is a list of objects. Each object has the following members:
+// name: (string) the DNS name of the host in question
+// include_subdomains: (optional bool) whether subdomains of |name| are also covered
+// mode: (optional string) "force-https" iff covered names should require HTTPS
+// pins: (optional string) the |name| member of an object in |pinsets|
+// snionly: (optional bool) if true then this entry is only enforced if TLS is
+// enabled because the site in question only serves the correct
+// certificate if SNI is sent. Note that this only covers the case where
+// TLS has been disabled by explicit configuration. If TLS was disabled
+// because of SSLv3 fallback, then the entry is still in force and a
+// fatal certificate error will result. Spurious certificate errors are
+// an unfortunate result of SSLv3 fallback.
+ +{ + "pinsets": [ + { + "name": "test", + "static_spki_hashes": [ + "TestSPKI" + ] + }, + { + "name": "google", + "static_spki_hashes": [ + "VeriSignClass3", + "VeriSignClass3_G3", + "Google1024", + "Google2048", + "EquifaxSecureCA" + ], + "bad_static_spki_hashes": [ + "Aetna", + "Intel", + "TCTrustCenter", + "Vodafone" + ] + }, + { + "name": "tor", + "static_spki_hashes": [ + "RapidSSL", + "DigiCertEVRoot", + "Tor1", + "Tor2", + "Tor3" + ] + }, + { + "name": "twitterCom", + "static_spki_hashes": [ + "VeriSignClass1", + "VeriSignClass3", + "VeriSignClass3_G4", + "VeriSignClass4_G3", + "VeriSignClass3_G3", + "VeriSignClass1_G3", + "VeriSignClass2_G3", + "VeriSignClass3_G2", + "VeriSignClass2_G2", + "VeriSignClass3_G5", + "VeriSignUniversal", + "GeoTrustGlobal", + "GeoTrustGlobal2", + "GeoTrustUniversal", + "GeoTrustUniversal2", + "GeoTrustPrimary", + "GeoTrustPrimary_G2", + "GeoTrustPrimary_G3", + "Twitter1" + ] + }, + { + "name": "twitterCDN", + "static_spki_hashes": [ + "VeriSignClass1", + "VeriSignClass3", + "VeriSignClass3_G4", + "VeriSignClass4_G3", + "VeriSignClass3_G3", + "VeriSignClass1_G3", + "VeriSignClass2_G3", + "VeriSignClass3_G2", + "VeriSignClass2_G2", + "VeriSignClass3_G5", + "VeriSignUniversal", + "GeoTrustGlobal", + "GeoTrustGlobal2", + "GeoTrustUniversal", + "GeoTrustUniversal2", + "GeoTrustPrimary", + "GeoTrustPrimary_G2", + "GeoTrustPrimary_G3", + "Twitter1", + + "Entrust_2048", + "Entrust_EV", + "Entrust_G2", + "Entrust_SSL", + "AAACertificateServices", + "AddTrustClass1CARoot", + "AddTrustExternalCARoot", + "AddTrustPublicCARoot", + "AddTrustQualifiedCARoot", + "COMODOCertificationAuthority", + "SecureCertificateServices", + "TrustedCertificateServices", + "UTNDATACorpSGC", + "UTNUSERFirstClientAuthenticationandEmail", + "UTNUSERFirstHardware", + "UTNUSERFirstObject", + "GTECyberTrustGlobalRoot" + ] + }, + { + "name": "tor2web", + "static_spki_hashes": [ + "AlphaSSL_G2", + "Tor2web" + ] + }, + { + "name": "cryptoCat", + "static_spki_hashes": 
[ + "DigiCertEVRoot", + "CryptoCat1" + ] + } + ], + + "entries": [ + // Dummy entry to test certificate pinning. + { "name": "pinningtest.appspot.com", "include_subdomains": true, "pins": "test" }, + + // (*.)google.com, iff using SSL, must use an acceptable certificate. + { "name": "google.com", "include_subdomains": true, "pins": "google" }, + + // Now we force HTTPS for subtrees of google.com. + { "name": "health.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "checkout.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "chrome.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "docs.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "sites.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "spreadsheets.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "appengine.google.com", "mode": "force-https", "pins": "google" }, + { "name": "encrypted.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "accounts.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "profiles.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "mail.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "talkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "talk.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "hostedtalkgadget.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "plus.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "script.google.com", 
"include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "history.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + + // Other Google-related domains that must use HTTPS. + { "name": "market.android.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "ssl.google-analytics.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "drive.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "googleplex.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "groups.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "apis.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "chromiumcodereview.appspot.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "codereview.appspot.com", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + { "name": "codereview.chromium.org", "include_subdomains": true, "mode": "force-https", "pins": "google" }, + // TODO(palmer): include_subdomains must be set to true when the + // certificate for uploads.code.google.com is corrected. See + // https://code.google.com/p/chromium/issues/detail?id=158594. + { "name": "code.google.com", "include_subdomains": false, "mode": "force-https", "pins": "google" }, + { "name": "googlecode.com", "include_subdomains": true, "pins": "google" }, + + // chart.apis.google.com is *not* HSTS because the certificate doesn't match + // and there are lots of links out there that still use the name. The correct + // hostname for this is chart.googleapis.com. + { "name": "chart.apis.google.com", "include_subdomains": true, "pins": "google" }, + + // Other Google-related domains that must use an acceptable certificate + // iff using SSL. 
+ { "name": "ytimg.com", "include_subdomains": true, "pins": "google" }, + { "name": "googleusercontent.com", "include_subdomains": true, "pins": "google" }, + { "name": "youtube.com", "include_subdomains": true, "pins": "google" }, + { "name": "googleapis.com", "include_subdomains": true, "pins": "google" }, + { "name": "googleadservices.com", "include_subdomains": true, "pins": "google" }, + { "name": "appspot.com", "include_subdomains": true, "pins": "google" }, + { "name": "googlesyndication.com", "include_subdomains": true, "pins": "google" }, + { "name": "doubleclick.net", "include_subdomains": true, "pins": "google" }, + { "name": "ssl.gstatic.com", "include_subdomains": true, "pins": "google" }, + { "name": "youtu.be", "include_subdomains": true, "pins": "google" }, + { "name": "android.com", "include_subdomains": true, "pins": "google" }, + { "name": "googlecommerce.com", "include_subdomains": true, "pins": "google" }, + { "name": "urchin.com", "include_subdomains": true, "pins": "google" }, + { "name": "goo.gl", "include_subdomains": true, "pins": "google" }, + { "name": "g.co", "include_subdomains": true, "pins": "google" }, + { "name": "google.ac", "include_subdomains": true, "pins": "google" }, + { "name": "google.ad", "include_subdomains": true, "pins": "google" }, + { "name": "google.ae", "include_subdomains": true, "pins": "google" }, + { "name": "google.af", "include_subdomains": true, "pins": "google" }, + { "name": "google.ag", "include_subdomains": true, "pins": "google" }, + { "name": "google.am", "include_subdomains": true, "pins": "google" }, + { "name": "google.as", "include_subdomains": true, "pins": "google" }, + { "name": "google.at", "include_subdomains": true, "pins": "google" }, + { "name": "google.az", "include_subdomains": true, "pins": "google" }, + { "name": "google.ba", "include_subdomains": true, "pins": "google" }, + { "name": "google.be", "include_subdomains": true, "pins": "google" }, + { "name": "google.bf", 
"include_subdomains": true, "pins": "google" },
+ { "name": "google.bg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.bi", "include_subdomains": true, "pins": "google" },
+ { "name": "google.bj", "include_subdomains": true, "pins": "google" },
+ { "name": "google.bs", "include_subdomains": true, "pins": "google" },
+ { "name": "google.by", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ca", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cat", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cc", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cd", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cf", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ch", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ci", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ao", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.bw", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ck", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.cr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.hu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.id", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.il", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.im", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.in", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.je", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.jp", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ke", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.kr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ls", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ma", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.mz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.nz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.th", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.tz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ug", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.uk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.uz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.ve", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.vi", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.za", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.zm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.co.zw", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.af", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ag", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ai", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ar", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.au", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.bd", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.bh", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.bn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.bo", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.br", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.by", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.bz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.cn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.co", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.cu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.cy", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.do", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ec", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.eg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.et", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.fj", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ge", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.gh", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.gi", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.gr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.gt", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.hk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.iq", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.jm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.jo", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.kh", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.kw", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.lb", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ly", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.mt", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.mx", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.my", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.na", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.nf", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ng", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ni", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.np", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.nr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.om", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.pa", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.pe", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ph", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.pk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.pl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.pr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.py", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.qa", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ru", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.sa", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.sb", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.sg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.sl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.sv", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.tj", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.tn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.tr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.tw", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ua", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.uy", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.vc", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.ve", "include_subdomains": true, "pins": "google" },
+ { "name": "google.com.vn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cv", "include_subdomains": true, "pins": "google" },
+ { "name": "google.cz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.de", "include_subdomains": true, "pins": "google" },
+ { "name": "google.dj", "include_subdomains": true, "pins": "google" },
+ { "name": "google.dk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.dm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.dz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ee", "include_subdomains": true, "pins": "google" },
+ { "name": "google.es", "include_subdomains": true, "pins": "google" },
+ { "name": "google.fi", "include_subdomains": true, "pins": "google" },
+ { "name": "google.fm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.fr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ga", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ge", "include_subdomains": true, "pins": "google" },
+ { "name": "google.gg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.gl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.gm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.gp", "include_subdomains": true, "pins": "google" },
+ { "name": "google.gr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.gy", "include_subdomains": true, "pins": "google" },
+ { "name": "google.hk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.hn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.hr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ht", "include_subdomains": true, "pins": "google" },
+ { "name": "google.hu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ie", "include_subdomains": true, "pins": "google" },
+ { "name": "google.im", "include_subdomains": true, "pins": "google" },
+ { "name": "google.info", "include_subdomains": true, "pins": "google" },
+ { "name": "google.iq", "include_subdomains": true, "pins": "google" },
+ { "name": "google.is", "include_subdomains": true, "pins": "google" },
+ { "name": "google.it", "include_subdomains": true, "pins": "google" },
+ { "name": "google.it.ao", "include_subdomains": true, "pins": "google" },
+ { "name": "google.je", "include_subdomains": true, "pins": "google" },
+ { "name": "google.jo", "include_subdomains": true, "pins": "google" },
+ { "name": "google.jobs", "include_subdomains": true, "pins": "google" },
+ { "name": "google.jp", "include_subdomains": true, "pins": "google" },
+ { "name": "google.kg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ki", "include_subdomains": true, "pins": "google" },
+ { "name": "google.kz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.la", "include_subdomains": true, "pins": "google" },
+ { "name": "google.li", "include_subdomains": true, "pins": "google" },
+ { "name": "google.lk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.lt", "include_subdomains": true, "pins": "google" },
+ { "name": "google.lu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.lv", "include_subdomains": true, "pins": "google" },
+ { "name": "google.md", "include_subdomains": true, "pins": "google" },
+ { "name": "google.me", "include_subdomains": true, "pins": "google" },
+ { "name": "google.mg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.mk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ml", "include_subdomains": true, "pins": "google" },
+ { "name": "google.mn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ms", "include_subdomains": true, "pins": "google" },
+ { "name": "google.mu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.mv", "include_subdomains": true, "pins": "google" },
+ { "name": "google.mw", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ne", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ne.jp", "include_subdomains": true, "pins": "google" },
+ { "name": "google.net", "include_subdomains": true, "pins": "google" },
+ { "name": "google.nl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.no", "include_subdomains": true, "pins": "google" },
+ { "name": "google.nr", "include_subdomains": true, "pins": "google" },
+ { "name": "google.nu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.off.ai", "include_subdomains": true, "pins": "google" },
+ { "name": "google.pk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.pl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.pn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ps", "include_subdomains": true, "pins": "google" },
+ { "name": "google.pt", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ro", "include_subdomains": true, "pins": "google" },
+ { "name": "google.rs", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ru", "include_subdomains": true, "pins": "google" },
+ { "name": "google.rw", "include_subdomains": true, "pins": "google" },
+ { "name": "google.sc", "include_subdomains": true, "pins": "google" },
+ { "name": "google.se", "include_subdomains": true, "pins": "google" },
+ { "name": "google.sh", "include_subdomains": true, "pins": "google" },
+ { "name": "google.si", "include_subdomains": true, "pins": "google" },
+ { "name": "google.sk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.sm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.sn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.so", "include_subdomains": true, "pins": "google" },
+ { "name": "google.st", "include_subdomains": true, "pins": "google" },
+ { "name": "google.td", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tk", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tl", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tm", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tn", "include_subdomains": true, "pins": "google" },
+ { "name": "google.to", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tp", "include_subdomains": true, "pins": "google" },
+ { "name": "google.tt", "include_subdomains": true, "pins": "google" },
+ { "name": "google.us", "include_subdomains": true, "pins": "google" },
+ { "name": "google.uz", "include_subdomains": true, "pins": "google" },
+ { "name": "google.vg", "include_subdomains": true, "pins": "google" },
+ { "name": "google.vu", "include_subdomains": true, "pins": "google" },
+ { "name": "google.ws", "include_subdomains": true, "pins": "google" },
+ // Exclude the learn.doubleclick.net subdomain because it uses a different
+ // CA.
+ { "name": "learn.doubleclick.net", "include_subdomains": true },
+
+ // Force HTTPS for sites that have requested it.
+ { "name": "www.paypal.com", "mode": "force-https" },
+ { "name": "www.elanex.biz", "mode": "force-https" },
+ { "name": "jottit.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "sunshinepress.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "www.noisebridge.net", "mode": "force-https" },
+ { "name": "neg9.org", "mode": "force-https" },
+ { "name": "riseup.net", "include_subdomains": true, "mode": "force-https" },
+ { "name": "factor.cc", "mode": "force-https" },
+ { "name": "members.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "support.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "id.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "lists.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "webmail.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "roundcube.mayfirst.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "aladdinschools.appspot.com", "mode": "force-https" },
+ { "name": "ottospora.nl", "include_subdomains": true, "mode": "force-https" },
+ { "name": "www.paycheckrecords.com", "mode": "force-https" },
+ { "name": "lastpass.com", "mode": "force-https" },
+ { "name": "www.lastpass.com", "mode": "force-https" },
+ { "name": "keyerror.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "entropia.de", "mode": "force-https" },
+ { "name": "www.entropia.de", "mode": "force-https" },
+ { "name": "romab.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "logentries.com", "mode": "force-https" },
+ { "name": "www.logentries.com", "mode": "force-https" },
+ { "name": "stripe.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "cloudsecurityalliance.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "login.sapo.pt", "include_subdomains": true, "mode": "force-https" },
+ { "name": "mattmccutchen.net", "include_subdomains": true, "mode": "force-https" },
+ { "name": "betnet.fr", "include_subdomains": true, "mode": "force-https" },
+ { "name": "uprotect.it", "include_subdomains": true, "mode": "force-https" },
+ { "name": "squareup.com", "mode": "force-https" },
+ { "name": "cert.se", "include_subdomains": true, "mode": "force-https" },
+ { "name": "crypto.is", "include_subdomains": true, "mode": "force-https" },
+ { "name": "simon.butcher.name", "include_subdomains": true, "mode": "force-https" },
+ { "name": "linx.net", "include_subdomains": true, "mode": "force-https" },
+ { "name": "dropcam.com", "mode": "force-https" },
+ { "name": "www.dropcam.com", "mode": "force-https" },
+ { "name": "ebanking.indovinabank.com.vn", "include_subdomains": true, "mode": "force-https" },
+ { "name": "epoxate.com", "mode": "force-https" },
+ { "name": "torproject.org", "mode": "force-https", "pins": "tor" },
+ { "name": "blog.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
+ { "name": "check.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
+ { "name": "www.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
+ { "name": "dist.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
+ { "name": "www.moneybookers.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "ledgerscope.net", "mode": "force-https" },
+ { "name": "www.ledgerscope.net", "mode": "force-https" },
+ { "name": "kyps.net", "mode": "force-https" },
+ { "name": "www.kyps.net", "mode": "force-https" },
+ { "name": "app.recurly.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "api.recurly.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "greplin.com", "mode": "force-https" },
+ { "name": "www.greplin.com", "mode": "force-https" },
+ { "name": "luneta.nearbuysystems.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "ubertt.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "pixi.me", "include_subdomains": true, "mode": "force-https" },
+ { "name": "grepular.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "mydigipass.com", "mode": "force-https" },
+ { "name": "www.mydigipass.com", "mode": "force-https" },
+ { "name": "developer.mydigipass.com", "mode": "force-https" },
+ { "name": "www.developer.mydigipass.com", "mode": "force-https" },
+ { "name": "sandbox.mydigipass.com", "mode": "force-https" },
+ { "name": "www.sandbox.mydigipass.com", "mode": "force-https" },
+ { "name": "crypto.cat", "include_subdomains": true, "mode": "force-https", "pins": "cryptoCat" },
+ { "name": "bigshinylock.minazo.net", "include_subdomains": true, "mode": "force-https" },
+ { "name": "crate.io", "include_subdomains": true, "mode": "force-https" },
+ { "name": "twitter.com", "mode": "force-https", "pins": "twitterCom" },
+ { "name": "www.twitter.com", "include_subdomains": true, "mode": "force-https", "pins": "twitterCom" },
+ { "name": "api.twitter.com", "include_subdomains": true, "pins": "twitterCDN" },
+ { "name": "oauth.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
+ { "name": "mobile.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
+ { "name": "dev.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
+ { "name": "business.twitter.com", "include_subdomains": true, "pins": "twitterCom" },
+ { "name": "platform.twitter.com", "include_subdomains": true, "pins": "twitterCDN" },
+ { "name": "si0.twimg.com", "include_subdomains": true, "pins": "twitterCDN" },
+ { "name": "twimg0-a.akamaihd.net", "include_subdomains": true, "pins": "twitterCDN" },
+ { "name": "braintreegateway.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "braintreepayments.com", "mode": "force-https" },
+ { "name": "www.braintreepayments.com", "mode": "force-https" },
+ { "name": "emailprivacytester.com", "mode": "force-https" },
+ { "name": "tor2web.org", "include_subdomains": true, "pins": "tor2web" },
+ { "name": "business.medbank.com.mt", "include_subdomains": true, "mode": "force-https" },
+ { "name": "arivo.com.br", "include_subdomains": true, "mode": "force-https" },
+ { "name": "www.apollo-auto.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "www.cueup.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "jitsi.org", "mode": "force-https" },
+ { "name": "www.jitsi.org", "mode": "force-https" },
+ { "name": "download.jitsi.org", "mode": "force-https" },
+ { "name": "sol.io", "include_subdomains": true, "mode": "force-https" },
+ { "name": "irccloud.com", "mode": "force-https" },
+ { "name": "www.irccloud.com", "mode": "force-https" },
+ { "name": "alpha.irccloud.com", "mode": "force-https" },
+ { "name": "passwd.io", "include_subdomains": true, "mode": "force-https" },
+ { "name": "browserid.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "login.persona.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "neonisi.com", "mode": "force-https" },
+ { "name": "www.neonisi.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "shops.neonisi.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "piratenlogin.de", "include_subdomains": true, "mode": "force-https" },
+ { "name": "howrandom.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "intercom.io", "mode": "force-https" },
+ { "name": "api.intercom.io", "mode": "force-https" },
+ { "name": "www.intercom.io", "mode": "force-https" },
+ { "name": "fatzebra.com.au", "include_subdomains": true, "mode": "force-https" },
+ { "name": "csawctf.poly.edu", "include_subdomains": true, "mode": "force-https" },
+ { "name": "makeyourlaws.org", "mode": "force-https" },
+ { "name": "www.makeyourlaws.org", "mode": "force-https" },
+ { "name": "iop.intuit.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "surfeasy.com", "mode": "force-https" },
+ { "name": "www.surfeasy.com", "mode": "force-https" },
+ { "name": "packagist.org", "mode": "force-https" },
+ { "name": "lookout.com", "mode": "force-https" },
+ { "name": "www.lookout.com", "mode": "force-https" },
+ { "name": "mylookout.com", "mode": "force-https" },
+ { "name": "www.mylookout.com", "mode": "force-https" },
+ { "name": "dm.lookout.com", "mode": "force-https" },
+ { "name": "dm.mylookout.com", "mode": "force-https" },
+ { "name": "itriskltd.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "stocktrade.de", "include_subdomains": true, "mode": "force-https" },
+ { "name": "rhcloud.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "openshift.redhat.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "therapynotes.com", "mode": "force-https" },
+ { "name": "www.therapynotes.com", "mode": "force-https" },
+ { "name": "wiz.biz", "include_subdomains": true, "mode": "force-https" },
+ { "name": "my.onlime.ch", "include_subdomains": true, "mode": "force-https" },
+ { "name": "webmail.onlime.ch", "include_subdomains": true, "mode": "force-https" },
+ { "name": "crm.onlime.ch", "include_subdomains": true, "mode": "force-https" },
+ { "name": "www.gov.uk", "include_subdomains": true, "mode": "force-https" },
+ { "name": "silentcircle.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "silentcircle.org", "include_subdomains": true, "mode": "force-https" },
+ { "name": "serverdensity.io", "include_subdomains": true, "mode": "force-https" },
+ { "name": "my.alfresco.com", "include_subdomains": true, "mode": "force-https" },
+ { "name": "webmail.gigahost.dk", "include_subdomains": true, "mode": "force-https" },
+
+ // Entries that are only valid if the client supports SNI.
+ { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
+ { "name": "googlemail.com", "mode": "force-https", "pins": "google", "snionly": true },
+ { "name": "www.gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
+ { "name": "www.googlemail.com", "mode": "force-https", "pins": "google", "snionly": true },
+ { "name": "google-analytics.com", "include_subdomains": true, "pins": "google", "snionly": true },
+ { "name": "googlegroups.com", "include_subdomains": true, "pins": "google", "snionly": true }
+ ]
+} |