logic to parse a chain of certificates from the x5c section of a JWS (#20)

* functions and types for signing and validating a VerifiablePayID

* get pem and x5c working
simplify verify call to use Embedded option

* lint fixes and refactored SigningParams types from interface to classes

* exports

* packages.json cleanup

* WIP: get PKI with certificate chain validation workiing

* lint fixes
use generated Root CA, Intermediate CA, and server cert in tests

* add 'name' to crit section

* splitting web-pki into multiple branches

* logic to parse a chain of certificates from the x5c section of a JWS

* add test to verify self-signed certs pass signature check but fail chain of certificate check

* add TODO comment on types

Author: nhartner

src/verifiable/certificate-chain-validator.ts

@@ -0,0 +1,113 @@
+import { promises } from 'fs'
+import * as tls from 'tls'
+
+import { JWS } from 'jose'
+import * as forge from 'node-forge'
+
+import { getJwkFromRecipient, isX5C } from './keys'
+
+import certificateFromPem = forge.pki.certificateFromPem
+
+/**
+ * Service to validate the certificate chain (using web PKI) for Verifiable PayIDs
+ * signed with a a server key.
+ */
+export default class CertificateChainValidator {
+  public caStore: forge.pki.CAStore
+
+  public constructor() {
+    this.caStore = forge.pki.createCaStore([])
+    this.importNodeRootCertficates()
+  }
+
+  /**
+   * Verifies the certificate chain for any x5c certificates inside the JWS protected section.
+   *
+   * @param jws - The JWS to verify.
+   * @returns True if verified.
+   */
+  public verifyCertificateChainJWS(jws: JWS.GeneralJWS): boolean {
+    return jws.signatures
+      .map((recipient) => this.verifyCertificateChainRecipient(recipient))
+      .every((val) => val)
+  }
+
+  /**
+   * Verifies the chain within the recipient.
+   *
+   * @param recipient - The recipient to verify.
+   * @returns True if verified.
+   */
+  public verifyCertificateChainRecipient(recipient: JWS.JWSRecipient): boolean {
+    return this.verifyCertificateChain(extractX5CCertificates(recipient))
+  }
+
+  /**
+   * Verifies the chain within the list of certificates.
+   *
+   * @param chain - The list of certificates.
+   * @returns True if verified.
+   */
+  public verifyCertificateChain(chain: forge.pki.Certificate[]): boolean {
+    if (chain.length === 0) {
+      return true
+    }
+    try {
+      return forge.pki.verifyCertificateChain(this.caStore, chain)
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Adds a root certificate to be included in certificate chain validation.
+   *
+   * @param certificate - The certificate text in PEM format.
+   */
+  public addRootCertificate(certificate: string): void {
+    const cert = forge.pki.certificateFromPem(certificate)
+    this.caStore.addCertificate(cert)
+  }
+
+  /**
+   * Adds a root certificate to be included in certificate chain validation.
+   *
+   * @param path - Path to certificate file in PEM format.
+   */
+  public async addRootCertificateFile(path: string): Promise<void> {
+    this.addRootCertificate(await promises.readFile(path, 'ascii'))
+  }
+
+  /**
+   * Imports the Root certificates from Node into the CA store used for certificate chain validation.
+   */
+  private importNodeRootCertficates(): void {
+    for (const rootCert of tls.rootCertificates) {
+      try {
+        this.addRootCertificate(rootCert)
+      } catch {
+        // unsupported cert. just skip.
+      }
+    }
+  }
+}
+
+/**
+ * Extract X5C certificates from the JWS protected section.
+ *
+ * @param recipient - The recipient to parse.
+ * @returns List of certificates.
+ */
+export function extractX5CCertificates(
+  recipient: JWS.JWSRecipient,
+): forge.pki.Certificate[] {
+  const jwk = getJwkFromRecipient(recipient)
+  if (jwk && isX5C(jwk) && jwk.x5c) {
+    return jwk.x5c.map((pem) =>
+      certificateFromPem(
+        `-----BEGIN CERTIFICATE-----${pem}-----END CERTIFICATE-----`,
+      ),
+    )
+  }
+  return []
+}

src/verifiable/index.ts

@@ -1,5 +1,6 @@
 export * from './keys'
 export { default as IdentityKeySigningParams } from './identity-key-signing-params'
+export { default as CertificateChainValidator } from './certificate-chain-validator'
 export { default as ServerKeySigningParams } from './server-key-signing-params'
 export * from './signatures'
 export * from './verifiable-payid'

src/verifiable/signatures.ts

@@ -1,11 +1,14 @@
 import { JWS, JWK } from 'jose'
 
+import CertificateChainValidator from './certificate-chain-validator'
 import IdentityKeySigningParams from './identity-key-signing-params'
 import ServerKeySigningParams from './server-key-signing-params'
 import { Address, PaymentInformation } from './verifiable-payid'
 
 import GeneralJWS = JWS.GeneralJWS
 
+export const certificateChainValidator = new CertificateChainValidator()
+
 /**
  * Creates a signed JWS.
  *
@@ -149,11 +152,13 @@ export function verifyPayId(toVerify: string | PaymentInformation): boolean {
  *
  * @param expectedPayId - The expected payid.
  * @param verifiedAddress - JWS representing a verified address.
+ * @param checkCertificateChain - Flag to enable/disable validation of x5c certificate chain.
  * @returns Returns true if any signature is invalid, returns false. Otherwise true.
  */
 export function verifySignedAddress(
   expectedPayId: string,
   verifiedAddress: GeneralJWS | string,
+  checkCertificateChain = true,
 ): boolean {
   // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
   const jws: GeneralJWS =
@@ -162,18 +167,18 @@ export function verifySignedAddress(
       : verifiedAddress
   // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
   const address: UnsignedVerifiedAddress = JSON.parse(jws.payload)
-
   if (expectedPayId !== address.payId) {
     // payId does not match what was inside the signed payload
     return false
   }
-
   try {
-    // verifies signatures
     JWS.verify(jws, JWK.EmbeddedJWK, {
       crit: ['b64', 'name'],
       complete: true,
     })
+    if (checkCertificateChain) {
+      return certificateChainValidator.verifyCertificateChainJWS(jws)
+    }
     return true
   } catch {
     return false

test/certs/self-signed.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIJAJd9RRWtqliiMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNV
+BAMTD3d3dy5leGFtcGxlLmNvbTAeFw0yMDA3MzEyMzU2MjNaFw0zMDA3MjkyMzU2
+MjNaMBoxGDAWBgNVBAMTD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAKomwXmr2JbchPHQv06fCw+mVibx719qyaPi6rYVCPkq
+Q9wuDBuA5zINcE/VqPNOgJ2eOYul3dZd5vXR83vq09azA1aig1AukLtcgqUGurG+
+UEHLZ0ylS5OFDfm/mxPty3Pw5pwsSl4d4Wn8PMkbxVqjsAkprkSiW6796+RNyc4O
+09+bjSG7EX1qLf+ekkutGTxAms80UOgT+s3xEQKGuCkFv1I1u1VX9uzTrM5YH1sj
+0GVXRz6aeT+8qEHciwecnGVR9nL53kLRch0VmSeIVBXYbKoEEZJhY9y9CfDpt3r0
+kJDWVdPjaCBYlD2aB/E/ZG996Fwaz9ruV58MLgy1KqkCAwEAAaMeMBwwGgYDVR0R
+BBMwEYIPd3d3LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQABpAlNIt3G
+Fuy9CuG12wWSp4Vlg805CxmV2OTgvW1XTeRHLbWiMfvm4nLiFRuOvjehthTUEkkt
+3/m5urEdrEknW27uL3etq5CYnkEVuGioQMQqtXFZGdQg+pwi3eT/VlzLDvmq0hcH
+oR133ik5xwLgwlw6kxe1nFMslLxg7/bf7EYavAtWzBP9FRu1ty+467Z8rCf360MN
+0A7S1LYLzsIJ6hjTrUKIwhac+bZrGdDhBDvm8TaDD7YU54A32arKYdCuGKqaLYK5
+YCQ1BdhSCVRS/0C8G0il0mEQqcBZHvX+zQ4lZ+eWLreqdv8IX4BI2+iTbDbQjTvH
+i+Mf2hijqhIi
+-----END CERTIFICATE-----

test/certs/self-signed.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqibBeavYltyE8dC/Tp8LD6ZWJvHvX2rJo+LqthUI+SpD3C4M
+G4DnMg1wT9Wo806AnZ45i6Xd1l3m9dHze+rT1rMDVqKDUC6Qu1yCpQa6sb5QQctn
+TKVLk4UN+b+bE+3Lc/DmnCxKXh3hafw8yRvFWqOwCSmuRKJbrv3r5E3Jzg7T35uN
+IbsRfWot/56SS60ZPECazzRQ6BP6zfERAoa4KQW/UjW7VVf27NOszlgfWyPQZVdH
+Ppp5P7yoQdyLB5ycZVH2cvneQtFyHRWZJ4hUFdhsqgQRkmFj3L0J8Om3evSQkNZV
+0+NoIFiUPZoH8T9kb33oXBrP2u5XnwwuDLUqqQIDAQABAoIBADSUXV1X+UpFQt/m
+/fcxtp1TbXQDd1EpEr6ONLGntmoo4Wd840jsgIU7GeXRxK/LJnuOlYHN88t2oRR9
+mJxGaMgD8ZgoCCQS/66mW8jbV33tradnT7ijq8Mebr8qsqVp6mEdpGXGWgTTfwDd
+bXtIFah4xMFQHAYhletxlB+s2hvOgAqCX1rnkjkRO79aidRmjtwWatTuirD+BL2a
+1gyC2t052PPH0FK0yH9yx/ez27mSMxqP4pod45r0/7N3t1wR0vDI6whsLMacJrWJ
+hf7aBKwoLILwjx6lcEZPnOuj7ozBpfm0cFPZfRG5c0IGkibnGkDEqzpLcz3MEBEt
+pwvcIgECgYEA25nwS/U54o7ihKJyBY5NnQXpGvBYJCd74s4q24ExQrQt2ua3ia1u
+HifpBrQk7UfPNVwrzco+A4fpvchGSR6vwhg9FvhGQTqwdR6/fMYqcX/vLR/nQEU/
+DKvXFK0dWAKhwP2dBBTobeJdVNXCV7K2jNHp5RsNzM+NeH8sojF+zNkCgYEAxlqS
+TbKCiMYjFOdiVW/0zou59YnlooTrwOJNKnCv7HsAxSbErWbtF8SFbeVDSCdHTI10
+hesToKKhYZhjGkVwu7pme9p6T3vOGVaD4E6Ooj34tkW87J2FqOdhmBY6+hUqx/LB
+3THjDLUgWTMIIB8RjLvHIcGzF3TCov1RKIgY6lECgYEAv7S3Ldg6XCnYXWlimK8N
+2lJamQXQLF+7qtfIWi+CTXT1wu8+spYQV4sHxq5kvi++GBsKsnAnivWPe/nmQdbk
+IFEAo5jB3BfcC6J4D/j+/G5u4bnEKztIO0uYS5iE0Vwa0VuVQwbtkV/XkkO5kM2W
+x4BI65Sei3l1Swfacw06YKECgYAGDyo8+WEHcJYNw2u7lGn0DUym9YlwR4M0JzWY
+QEz/elpxq1eCvIwtl7FDxCckAx8odYHDvYSh+ZXYd2E/ojNpaK5MxkXKO8v19jCd
+H4k355C7cLHuwHkeycKvdK5kiVT/Oqk1apq2/ql4UBjFcm2E0Q+qNlKUOtrfQ8HA
+7TdloQKBgG0hUZmuEfbF03UkZ360d6Ui2tyc2D/Txx4Zkoy7WUZe4VZ1vrHVBb/j
+dCl7MASpwySN4i+5bAAg/bpa92dhnrhrVuF9WXXqbhRTyJ+cX7/pv8xgEMu/1uGF
+uGcNkHwoP1EsuxQQBai5WGJPI4gp7B4COKbU+2f6etGy2WxmTD8m
+-----END RSA PRIVATE KEY-----

test/unit/verifiable/extractX5CCertificates.test.ts

@@ -0,0 +1,60 @@
+import 'mocha'
+
+import { assert } from 'chai'
+
+import { extractX5CCertificates } from '../../../src/verifiable/certificate-chain-validator'
+
+describe('extractX5CCertificates()', function () {
+  const nakedCert =
+    'MIIFNzCCBB+gAwIBAgIVALitpIaiMG63BEIyEPDvVd+wrmGOMA0GCSqGSIb3DQEB' +
+    'DQUAMG0xCzAJBgNVBAYTAkdCMQ8wDQYDVQQHDAZMb25kb24xEjAQBgNVBAoMCU15' +
+    'Q29tcGFueTEVMBMGA1UEAwwMTXlDb21wYW55IENBMSIwIAYJKoZIhvcNAQkBFhNh' +
+    'ZG1pbkBteWNvbXBhbnkuY29tMB4XDTIwMDgwNTIwMTM1MFoXDTI1MDgwNDIwMTM1' +
+    'MFowOzELMAkGA1UEBhMCVVMxEzARBgNVBAoMClBheUlEIFRlc3QxFzAVBgNVBAMM' +
+    'DnRlc3QucGF5aWQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA' +
+    'nq5zAkTi9dldHeBx5L3BvI8uvd/YOjHdcJz+7GB0OW/dN7J8mcchPN6YGmJZajJa' +
+    'v7ZeqOXSrQZoqfrt+QN/YogiqRs4Dj6LnVIQ29bXW1OyPp4ZpfwNLBettcehP+Nc' +
+    'mwBNgvEecx1ap5z5qZym0qgJsjv2S6LeFrGwPfnvx4leLvA6ZuD90VtXxYwOVakY' +
+    'eJpPqmHZbPDxVz673izi3g9UUWh+Iz6GSdpj7ZNf2m7C5F1numYkrAEG3ZjnuTbt' +
+    '/scQij/9M+3wyJOY/Hac5SDnZDLXtequvL51wEYpSOumtR1GwBQ6NjmUudtgbpwq' +
+    '85zWC7VUHjKvuFxKD7HMXAAcHZ3aQ0PsDqy7qBeX7T8qAH6yTK2Uu+hj/h3Ua5Tz' +
+    '05xboXuTbgPyzFJRa3kv535NHa55nu6L0Vpx1NUFt7pRz9V4usnSW6ElwYbqIxdN' +
+    '3DRzqoKlTcIkgS/0YJku6+94diX8CUvu9rbACLDEQqxzfdt3TGyos3JzheQVtgYQ' +
+    'n9IHNDYBrrCMrKYKgZCAhp97Sba6Vi1IXVHZggQ1e7zAhxMsPb+YlxsMzqf70T3D' +
+    'NQTHYxhHSV4/SHIKh/8knCu/+bFg9fb4anXCXzD+C9GSZS+DFmYpdTkgE6t5DEH1' +
+    'mPC5scdOljPDWQaoJQq1cgwjR1xOHZOthwy0QOSVf2kCAwEAAaOB/zCB/DAJBgNV' +
+    'HRMEAjAAMB0GA1UdDgQWBBTNPOnIjDLnEdv51dGQXNa4GyOckjCBqgYDVR0jBIGi' +
+    'MIGfgBSFCeuSHVQE+yYW86SL1IjwF66DrKFxpG8wbTELMAkGA1UEBhMCR0IxDzAN' +
+    'BgNVBAcMBkxvbmRvbjESMBAGA1UECgwJTXlDb21wYW55MRUwEwYDVQQDDAxNeUNv' +
+    'bXBhbnkgQ0ExIjAgBgkqhkiG9w0BCQEWE2FkbWluQG15Y29tcGFueS5jb22CFE4x' +
+    'B5M+twm35qBIXdskVZaI9GZUMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr' +
+    'BgEFBQcDATANBgkqhkiG9w0BAQ0FAAOCAQEAim7034Mpl0CZYDamnR67++qsGkZo' +
+    'lhdfjozAilZXPzKdTuOIe6LtPCpxx1Vdut44ZvZMZWfnz+vYbqC5TptmWTlHtK3R' +
+    'GgCZNPMnaDxbH/vIWOQvPxYLRALbo0TA9PuMO8CWuWxp8+Qd6ob12dhKSTbr4KdX' +
+    'RKS4iUVlj3d+y7UwS0eAtUINRDDnzapAnU86f3qUGnqAN9KV4sPGlYWA9F7e+uZd' +
+    'C6c+yXG8VmcMYBM4wChkPb+Yr3eNoKPSxDiPKh9NO3A69AaR2zpv4cu5CEn4wjK0' +
+    'rZIYsYKJwkFxikvDwmyH+BZ8jaDSS6ut/ftY2Sssia7uH6KisWD20Y6jkQ=='
+
+  it('succeeds verification of chain if Root CA configured', async function () {
+    const jwk = {
+      kty: 'RSA',
+      // eslint-disable-next-line id-length,id-blacklist -- JWK dictates
+      e: 'AQAB',
+      use: 'sig',
+      // eslint-disable-next-line id-length -- JWK dictates this
+      n:
+        'nq5zAkTi9dldHeBx5L3BvI8uvd_YOjHdcJz-7GB0OW_dN7J8mcchPN6YGmJZajJav7ZeqOXSrQZoqfrt-QN_YogiqRs4Dj6LnVIQ29bXW1OyPp4ZpfwNLBettcehP-NcmwBNgvEecx1ap5z5qZym0qgJsjv2S6LeFrGwPfnvx4leLvA6ZuD90VtXxYwOVakYeJpPqmHZbPDxVz673izi3g9UUWh-Iz6GSdpj7ZNf2m7C5F1numYkrAEG3ZjnuTbt_scQij_9M-3wyJOY_Hac5SDnZDLXtequvL51wEYpSOumtR1GwBQ6NjmUudtgbpwq85zWC7VUHjKvuFxKD7HMXAAcHZ3aQ0PsDqy7qBeX7T8qAH6yTK2Uu-hj_h3Ua5Tz05xboXuTbgPyzFJRa3kv535NHa55nu6L0Vpx1NUFt7pRz9V4usnSW6ElwYbqIxdN3DRzqoKlTcIkgS_0YJku6-94diX8CUvu9rbACLDEQqxzfdt3TGyos3JzheQVtgYQn9IHNDYBrrCMrKYKgZCAhp97Sba6Vi1IXVHZggQ1e7zAhxMsPb-YlxsMzqf70T3DNQTHYxhHSV4_SHIKh_8knCu_-bFg9fb4anXCXzD-C9GSZS-DFmYpdTkgE6t5DEH1mPC5scdOljPDWQaoJQq1cgwjR1xOHZOthwy0QOSVf2k',
+      x5c: [nakedCert, nakedCert],
+    }
+    const protectedHeaders = { jwk }
+    const protectedBase64 = Buffer.from(
+      JSON.stringify(protectedHeaders),
+    ).toString('base64')
+
+    const x5c = extractX5CCertificates({
+      protected: protectedBase64,
+      signature: 'not-a-real-signature',
+    })
+    assert.lengthOf(x5c, 2)
+  })
+})

test/unit/verifiable/signatures.test.ts

@@ -10,6 +10,7 @@ import {
 } from '../../../src/verifiable/keys'
 import ServerKeySigningParams from '../../../src/verifiable/server-key-signing-params'
 import {
+  certificateChainValidator,
   sign,
   signWithKeys,
   signWithServerKey,
@@ -38,6 +39,7 @@ describe('sign()', function () {
   let address: Address
 
   beforeEach(function () {
+    certificateChainValidator.addRootCertificateFile('test/certs/root.crt')
     address = {
       environment: 'TESTNET',
       paymentNetwork: 'XRPL',
@@ -130,6 +132,21 @@ describe('sign()', function () {
     assert.isFalse(verifySignedAddress('hacked$payid.example', jws))
   })
 
+  it('verification fails for untrusted self-signed certificate', async function () {
+    const jws = signWithServerKey(
+      payId,
+      address,
+      new ServerKeySigningParams(
+        await getSigningKeyFromFile('test/certs/self-signed.key'),
+        'RS256',
+        await getJwkFromFile('test/certs/self-signed.cert'),
+      ),
+    )
+    // should validate if certificate chain validation is skipped
+    assert.isTrue(verifySignedAddress(payId, jws, false))
+    assert.isFalse(verifySignedAddress(payId, jws))
+  })
+
   it('verifySignedAddress - verifies jws with multiple x5c', async function () {
     const jws = `{"payload":"{\\"payId\\":\\"alice$payid.example\\",\\"payIdAddress\\":{\\"environment\\":\\"TESTNET\\",\\"paymentNetwork\\":\\"XRPL\\",\\"addressDetailsType\\":\\"CryptoAddressDetails\\",\\"addressDetails\\":{\\"address\\":\\"rP3t3JStqWPYd8H88WfBYh3v84qqYzbHQ6\\"}}}","signatures":[{"protected":"eyJuYW1lIjoic2VydmVyS2V5IiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKT1NFK0pTT04iLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJqd2siOnsiZSI6IkFRQUIiLCJuIjoieVFDU0FwdVRCX3BSclJyT1h6aVVTcElvZ0JlckZjM09ZTzVWR0tsYXFJWFBpQkt1LW0tT3lPZEJCclh6eHdCR1lJSWZIbnhjdVFlN3REU3FzY1p4M2w5NklPSFJUU3p3NXdaV0tlVjdfZzAydlJWNEtBS1Z2TkpiUlBON05tSjdiQkNsUWgyZEZkRmZNRlZtUk5NN3A2SlVGeGt0VHhhREEtY0ZkWVNxTDlBYXd5N0RXTUNXT1pGYjR4SXNHbDF3MGs0Z2tEQThYWHE4UHVQYURkXzRxRFVRdjExdWZxQU9kQU1YWDdudy1LV3k4QURGRWVtWnZVcHo5RkVaMk9hWUM3UFJ0NVMzNmR4aS1JajJpOTZuVE5xVmlrbXhrN24zWkE2NlVSbXRHc3RKSFNtRS1oZWs0YzU4Y0ZJbXZSSl9FaFN1QjlHWVRFajBKS2dOaHlKWnlRIiwia3R5IjoiUlNBIiwia2lkIjoiNmNuRDY1NURnXzRLZkphRVY1N3ZGYTV6UkEyT0FuWHBNQXlVbmpuaEpJcyIsIng1YyI6WyJNSUlGU0RDQ0JEQ2dBd0lCQWdJU0JFLzRzVlJSYTBkNVJYM0c1ZUFOUWhoQU1BMEdDU3FHU0liM0RRRUJDd1VBTUVveEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55ZVhCME1TTXdJUVlEVlFRREV4cE1aWFFuY3lCRmJtTnllWEIwSUVGMWRHaHZjbWwwZVNCWU16QWVGdzB5TURBM01qQXlNVEEyTUROYUZ3MHlNREV3TVRneU1UQTJNRE5hTUJNeEVUQVBCZ05WQkFNVENIQmhlV2xrTG0xc01JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBeVFDU0FwdVRCL3BSclJyT1h6aVVTcElvZ0JlckZjM09ZTzVWR0tsYXFJWFBpQkt1K20rT3lPZEJCclh6eHdCR1lJSWZIbnhjdVFlN3REU3FzY1p4M2w5NklPSFJUU3p3NXdaV0tlVjcvZzAydlJWNEtBS1Z2TkpiUlBON05tSjdiQkNsUWgyZEZkRmZNRlZtUk5NN3A2SlVGeGt0VHhhREErY0ZkWVNxTDlBYXd5N0RXTUNXT1pGYjR4SXNHbDF3MGs0Z2tEQThYWHE4UHVQYURkLzRxRFVRdjExdWZxQU9kQU1YWDdudytLV3k4QURGRWVtWnZVcHo5RkVaMk9hWUM3UFJ0NVMzNmR4aStJajJpOTZuVE5xVmlrbXhrN24zWkE2NlVSbXRHc3RKSFNtRStoZWs0YzU4Y0ZJbXZSSi9FaFN1QjlHWVRFajBKS2dOaHlKWnlRSURBUUFCbzRJQ1hUQ0NBbGt3RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlJxMlNza3FiRVVtRG5Hc0ZmekdjMms1c3hSRFRBZkJnTlZIU01FR0RBV2dCU29TbXBqQkgzZHV1YlJPYmVtUldYdjg2anNvVEJ2QmdnckJnRUZCUWNCQVFSak1HRXdMZ1lJS3dZQkJRVUhNQUdHSW1oMGRIQTZMeTl2WTNOd0xtbHVkQzE0TXk1c1pYUnpaVzVqY25sd2RDNXZjbWN3THdZSUt3WUJCUVVITUFLR0kyaDBkSEE2THk5alpYSjBMbWx1ZEMxNE15NXNaWFJ6Wlc1amNubHdkQzV2Y21jdk1CTUdBMVVkRVFRTU1BcUNDSEJoZVdsa0xtMXNNRXdHQTFVZElBUkZNRU13Q0FZR1o0RU1BUUlCTURjR0N5c0dBUVFCZ3Q4VEFRRUJNQ2d3SmdZSUt3WUJCUVVIQWdFV0dtaDBkSEE2THk5amNITXViR1YwYzJWdVkzSjVjSFF1YjNKbk1JSUJCQVlLS3dZQkJBSFdlUUlFQWdTQjlRU0I4Z0R3QUhZQTV4THlzRGQrR21MN2pza01ZWVR4Nm5zM3kxWWRFU1piOCtEelMvSkJWRzRBQUFGemJrTXlMQUFBQkFNQVJ6QkZBaUIzVllqM2ExZThYQkJUa3QyREx3dG8rZWFGNGFYaWR3MnlIblpTY3NRRXhRSWhBSjZkMDRPV0ljaEdYRjdEdzBCcUxEVXFlWWpFQ3pPOTJ6STdqWHlsdkh2Q0FIWUFCN2RjRytWOWFQL3hzTVlkSXhYSHV1WlhmRmVVdDJydXZHRTZHbW5Ub2h3QUFBRnpia015VmdBQUJBTUFSekJGQWlFQXhFbC85b012S2x6WWFWMTQwWDJjUHhRd2h2WDJpOGs3MVZ4M29kZXdCSzRDSURzYVQrWFVxdU5xdS90SDVwRFBrMEVRSGViSUVScXpiVXVKMW9rTXVVZU5NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFqNUk3ZnZ0RkRhNnpsRHFMajJwYVVLMUpzYW9WSzFIMlJNVzY5YXdPbTNQV1laVG83RFF4cmNrenc0bjBlaElRb1V2UlpGT09BNmJKQmFKU1owaU9JY0hsNlhvVm1KZ0lEL2FHMDNDUHJYMWoreEkwMzdmMlBhOSs3QVpQNUE1Q1BrSWx2dnZQb1Z6cGM3eEZMRitWZHk1QThva1VlOTRobDhYKy80WjN6QXYyL0JaY3dENUxZWGxDK0YzQ09Yci9QNWFRVHFqOTlvWXU3ZlMzSHp2RENzOTlnM0dPQ28xWGgzWFg2UTVqZ1FtSTR0S1F0K1JPN0Z3cnhVTnFKWDg3WnNwNTF0azBGUS92NEEydE9kTHlnTzh2V2drR3J2NU1VZFprdUUvbm5SYWZYeTY3VWZWNFhYZ2F5YXAxTWRoeUcwaXh1SURWaXExTmk2eGpjeXVBZCIsIk1JSUVrakNDQTNxZ0F3SUJBZ0lRQ2dGQlFnQUFBVk9GYzJvTGhleW5DREFOQmdrcWhraUc5dzBCQVFzRkFEQS9NU1F3SWdZRFZRUUtFeHRFYVdkcGRHRnNJRk5wWjI1aGRIVnlaU0JVY25WemRDQkRieTR4RnpBVkJnTlZCQU1URGtSVFZDQlNiMjkwSUVOQklGZ3pNQjRYRFRFMk1ETXhOekUyTkRBME5sb1hEVEl4TURNeE56RTJOREEwTmxvd1NqRUxNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQW9URFV4bGRDZHpJRVZ1WTNKNWNIUXhJekFoQmdOVkJBTVRHa3hsZENkeklFVnVZM0o1Y0hRZ1FYVjBhRzl5YVhSNUlGZ3pNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW5OTU04RnJsTGtlM2NsMDNnN05vWXpEcTF6VW1HU1hodmI0MThYQ1NMN2U0UzBFRnE2bWVOUWhZN0xFcXhHaUhDNlBqZGVUbTg2ZGljYnA1Z1dBZjE1R2FuL1BRZUdkeHlHa09sWkhQL3VhWjZXQThTTXgreWsxM0VpU2RSeHRhNjduc0hqY0FISnlzZTZjRjZzNUs2NzFCNVRhWXVjdjliVHlXYU44aktrS1FESVowWjhoL3BacTRVbUVVRXo5bDZZS0h5OXY2RGxiMmhvbnpoVCtYaHErdzNCcnZhdzJWRm4zRUs2QmxzcGtFTm5XQWE2eEs4eHVRU1hndm9wWlBLaUFsS1FUR2RNRFFNYzJQTVRpVkZycW9NN2hEOGJFZnd6Qi9vbmt4RXowdE52amovUEl6YXJrNU1jV3Z4STBOSFdRV002cjZoQ20yMUF2QTJIM0Rrd0lEQVFBQm80SUJmVENDQVhrd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFEQU9CZ05WSFE4QkFmOEVCQU1DQVlZd2Z3WUlLd1lCQlFVSEFRRUVjekJ4TURJR0NDc0dBUVVGQnpBQmhpWm9kSFJ3T2k4dmFYTnlaeTUwY25WemRHbGtMbTlqYzNBdWFXUmxiblJ5ZFhOMExtTnZiVEE3QmdnckJnRUZCUWN3QW9ZdmFIUjBjRG92TDJGd2NITXVhV1JsYm5SeWRYTjBMbU52YlM5eWIyOTBjeTlrYzNSeWIyOTBZMkY0TXk1d04yTXdId1lEVlIwakJCZ3dGb0FVeEtleHBIc3NjZnJiNFV1UWRmL0VGV0NGaVJBd1ZBWURWUjBnQkUwd1N6QUlCZ1puZ1F3QkFnRXdQd1lMS3dZQkJBR0MzeE1CQVFFd01EQXVCZ2dyQmdFRkJRY0NBUllpYUhSMGNEb3ZMMk53Y3k1eWIyOTBMWGd4TG14bGRITmxibU55ZVhCMExtOXlaekE4QmdOVkhSOEVOVEF6TURHZ0w2QXRoaXRvZEhSd09pOHZZM0pzTG1sa1pXNTBjblZ6ZEM1amIyMHZSRk5VVWs5UFZFTkJXRE5EVWt3dVkzSnNNQjBHQTFVZERnUVdCQlNvU21wakJIM2R1dWJST2JlbVJXWHY4Nmpzb1RBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQTNUUFhFZk5qV0RqZEdCWDdDVlcrZGxhNWNFaWxhVWNuZThJa0NKTHhXaDlLRWlrM0pIUlJIR0pvdU0yVmNHZmw5NlM4VGloUnpadm9yb2VkNnRpNldxRUJtdHp3M1dvZGF0ZytWeU9lcGg0RVlwci8xd1hLdHg4L3dBcEl2SlN3dG1WaTRNRlU1YU1xclNERTZlYTczTWoydGNNeW81ak1kNmptZVdVSEs4c28vam9XVW9IT1Vnd3VYNFBvMVFZeiszZHN6a0RxTXA0ZmtseEJ3WFJzVzEwS1h6UE1UWitzT1BBdmV5eGluZG1qa1c4bEd5K1FzUmxHUGZaK0c2WjZoN21qZW0wWStpV2xrWWNWNFBJV0wxaXdCaThzYUNiR1M1ak4ycDhNK1grUTdVTktFa1JPYjNONktPcWtxbTU3VEgySDNlREpBa1NuaDYvRE5GdTBRZz09Il0sIng1dCI6Ino3QUpKOXNUUERvNEJ0Q3ZsN1U4T25pM3JPdyIsIng1dCNTMjU2IjoiVlVXQmNNRVltejU1Um9oWWxFYXpnemIxaFllRTVYVTc0cUJQR2cxZ0JhcyJ9fQ","signature":"c2N2Qe-iYnqsP5cr4f6Whx8Vc1wi1D6KgIawQk9m5-a0XCI_tXHzsxGyc01z2OCoH-P7apAxzEVpo11QBiPXaI3uHmHIS9nypQLqH61bVjH6P5cZXC-A_hWwNij65CrZKpwkUUPAOB1gVbbnS3yAyXyiXezvlHj_AMEKjvhXn4Okp3B2E0k_YgChlInvHw11x9DHxKouV_hb1bZT_pJKc74v4Z0l5i94bK4u8U22lZ6C25tBwH-BSg41bwdKiT29D9CDOhgUNc2saREo5T-BvwVvS_-92t_UBP5tso9c9sWpe871ShUaMK4jT1HT3NqHSTWde1q8MWIxIFBN3rVeow"}]}`