From f85be7d76bf73d59dd4d70ffd07f1e34dfd1a2ef Mon Sep 17 00:00:00 2001 From: Remigiusz Janeczek Date: Fri, 16 Oct 2020 11:08:09 +0200 Subject: [PATCH] [OOM-K8S-CERT-EXTERNAL-PROVIDER] Provide certs to CMPv2 Issuer Format code Issue-ID: OOM-2559 
Signed-off-by: Remigiusz Janeczek Change-Id: I88346b96657606b010aa8d7da0f8b86d1844f9d7 --- certServiceK8sExternalProvider/README.md | 10 +- .../deploy/configuration.yaml | 11 +- certServiceK8sExternalProvider/deploy/crd.yaml | 36 +++++-- certServiceK8sExternalProvider/main.go | 12 ++- certServiceK8sExternalProvider/main_test.go | 9 +- .../src/cmpv2api/cmpv2_groupversion_info.go | 1 - .../src/cmpv2api/cmpv2_groupversion_info_test.go | 2 +- .../src/cmpv2api/cmpv2_issuer_crd_deepcopy.go | 2 +- .../src/cmpv2api/cmpv2_issuer_crd_schema.go | 15 +-- .../certificate_request_controller.go | 10 +- .../certificate_request_controller_test.go | 6 +- .../src/cmpv2controller/cmpv2_issuer_controller.go | 54 ++++------ .../cmpv2_issuer_controller_test.go | 67 ++++++++---- .../cmpv2controller/cmpv2_issuer_status_updater.go | 2 + .../src/cmpv2controller/status_reason.go | 6 +- .../src/cmpv2provisioner/cmpv2_provisioner.go | 23 ++-- .../cmpv2provisioner/cmpv2_provisioner_factory.go | 55 ++++++++++ .../cmpv2_provisioner_factory_test.go | 120 +++++++++++++++++++++ certServiceK8sExternalProvider/src/exit_code.go | 6 +- .../src/exit_code_test.go | 1 + certs/Makefile | 38 ++++++- certs/cacert.pem | 40 +++++++ certs/certServiceClient-keystore.jks | Bin 4065 -> 4067 bytes certs/certServiceServer-keystore.jks | Bin 4110 -> 4110 bytes certs/certServiceServer-keystore.p12 | Bin 4683 -> 4683 bytes certs/cmpv2Issuer-cert.pem | 75 +++++++++++++ certs/cmpv2Issuer-key.pem | 32 ++++++ certs/root.crt | 52 ++++----- certs/truststore.jks | Bin 1730 -> 1730 bytes 29 files changed, 548 insertions(+), 137 deletions(-) create mode 100644 certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go create mode 100644 certs/cacert.pem create mode 100644 certs/cmpv2Issuer-cert.pem create mode 100644 certs/cmpv2Issuer-key.pem 
diff --git a/certServiceK8sExternalProvider/README.md b/certServiceK8sExternalProvider/README.md index 57ca5930..3fc00f90 100644 --- a/certServiceK8sExternalProvider/README.md +++ b/certServiceK8sExternalProvider/README.md @@ -9,13 +9,21 @@ There are two methods for building the project: ### Installation +Create secret with certificates for communication between CMPv2Issuer and Cert Service API: +``` +kubectl create secret generic -n onap cmpv2-issuer-secret --from-file=/certs/cmpv2Issuer-key.pem + --from-file=/certs/cmpv2Issuer-cert.pem --from-file=/certs/cacert.pem +``` + Apply k8s files from 'deploy' directory in following order: - crd.yaml - roles.yaml - deployment.yaml - - configuration.yaml + - configuration.yaml (certRef, keyRef and cacertRef should match file names if secret was created with command listed + above) +**Note:** Files and installation are currently examples, which should be used as a guide for OOM Helm Charts implementation ### Usage diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml index 95c38d75..4a0f2dc6 100644 --- a/certServiceK8sExternalProvider/deploy/configuration.yaml +++ b/certServiceK8sExternalProvider/deploy/configuration.yaml @@ -28,7 +28,10 @@ metadata: name: cmpv2-issuer namespace: onap spec: - url: https://certservice.default.svc.cluster.local - keyRef: - name: certservice-key - key: key + url: https://oom-cert-service:8443/v1/certificate/ + caName: RA + certSecretRef: + name: cmpv2-issuer-secret + certRef: cmpv2Issuer-cert.pem + keyRef: cmpv2Issuer-key.pem + cacertRef: cacert.pem diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml index 1d45b0c9..cc884388 100644 --- a/certServiceK8sExternalProvider/deploy/crd.yaml +++ b/certServiceK8sExternalProvider/deploy/crd.yaml 
@@ -58,27 +58,41 @@ spec: description: CMPv2IssuerSpec defines the desired state of CMPv2Issuer properties: url: - description: URL is the base URL for the certservice certificates instance. + description: URL to CertService API. type: string - keyRef: - description: keyRef is a reference to a Secret containing the - cmpv2provisioner password used to decrypt the cmpv2provisioner private key. + caName: + description: Name of the external CA server configured on CertService API side. + type: string + certSecretRef: + description: Reference to K8s secret which contains certificate, private key and CA certificate + needed to connect to CertService API (which requires client certificate authentication) properties: - key: - description: The key of the secret to select from. Must be a + name: + description: The name of K8s secret to select certificates from. Secret must be in the same + namespace as CMPv2Issuer. + type: string + keyRef: + description: The key of the secret to select private key from. Must be a valid secret key. type: string - name: - description: The name of the secret in the pod's namespace to - select from. + certRef: + description: The key of the secret to select cert from. Must be a + valid secret key. + type: string + cacertRef: + description: The key of the secret to select cacert from. Must be a + valid secret key. type: string required: - name - - key + - keyRef + - certRef + - cacertRef type: object required: - url - - keyRef + - caName + - certSecretRef type: object status: description: CMPv2IssuerStatus defines the observed state of CMPv2Issuer diff --git a/certServiceK8sExternalProvider/main.go b/certServiceK8sExternalProvider/main.go index 8e5d36cb..57058e9e 100644 --- a/certServiceK8sExternalProvider/main.go +++ b/certServiceK8sExternalProvider/main.go 
@@ -28,18 +28,20 @@ package main import ( "flag" "fmt" + "os" + certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" "k8s.io/apimachinery/pkg/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" "k8s.io/utils/clock" - app "onap.org/oom-certservice/k8s-external-provider/src" - certserviceapi "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" - controllers "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller" - "os" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/log/zap" "sigs.k8s.io/controller-runtime/pkg/manager" + + app "onap.org/oom-certservice/k8s-external-provider/src" + certserviceapi "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + controllers "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller" ) var ( @@ -107,7 +109,7 @@ func createControllerManager(metricsAddr string, enableLeaderElection bool) mana return manager } -func registerCMPv2IssuerController(manager manager.Manager) { +func registerCMPv2IssuerController(manager manager.Manager) { setupLog.Info("Registering CMPv2IssuerController...") err := (&controllers.CMPv2IssuerController{ diff --git a/certServiceK8sExternalProvider/main_test.go b/certServiceK8sExternalProvider/main_test.go index d74fe0d3..0ad70246 100644 --- a/certServiceK8sExternalProvider/main_test.go +++ b/certServiceK8sExternalProvider/main_test.go @@ -21,14 +21,15 @@ package main import ( + "flag" "os" "testing" + "github.com/stretchr/testify/assert" - "flag" ) func Test_shouldParseArguments_defaultValues(t *testing.T) { - os.Args = []string { + os.Args = []string{ "first-arg-is-omitted-by-method-parse-arguments-so-this-only-a-placeholder"} flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError) 
@@ -39,10 +40,10 @@ func Test_shouldParseArguments_defaultValues(t *testing.T) { } func Test_shouldParseArguments_valuesFromCLI(t *testing.T) { - os.Args = []string { + os.Args = []string{ "first-arg-is-omitted-by-method-parse-arguments-so-this-only-a-placeholder", "--metrics-addr=127.0.0.1:555", - "--enable-leader-election=true" } + "--enable-leader-election=true"} flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError) metricsAddr, enableLeaderElection := parseInputArguments() diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go index 996cf21a..ec4d6835 100644 --- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go @@ -42,4 +42,3 @@ var ( ) const CMPv2IssuerKind = "CMPv2Issuer" - diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go index b95bded5..eae6a2c8 100644 --- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info_test.go @@ -22,6 +22,7 @@ package cmpv2api import ( "testing" + "github.com/stretchr/testify/assert" ) @@ -33,4 +34,3 @@ func Test_shouldHaveRightGroupVersion(t *testing.T) { func Test_shouldRightIssuerKind(t *testing.T) { assert.Equal(t, "CMPv2Issuer", CMPv2IssuerKind) } - diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go index 68e79ce1..83785ab9 100644 --- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go 
@@ -125,7 +125,7 @@ func (inputIssuerList *CMPv2IssuerList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (inputIssuerSpec *CMPv2IssuerSpec) DeepCopyInto(outIssuerSpec *CMPv2IssuerSpec) { *outIssuerSpec = *inputIssuerSpec - outIssuerSpec.KeyRef = inputIssuerSpec.KeyRef + outIssuerSpec.CertSecretRef = inputIssuerSpec.CertSecretRef } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2IssuerSpec. diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go index f2482657..f26dc876 100644 --- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go @@ -37,10 +37,10 @@ func init() { type CMPv2IssuerSpec struct { // URL is the base URL for the CertService certificates instance. URL string `json:"url"` - + // CaName is the name of the external CA server + CaName string `json:"caName"` // KeyRef is a reference to a Secret containing the provisioner - // password used to decrypt the provisioner private key. - KeyRef SecretKeySelector `json:"keyRef"` + CertSecretRef SecretKeySelector `json:"certSecretRef"` } // CMPv2IssuerStatus defines the observed state of CMPv2Issuer 
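Review bot: The comment left above the renamed field in `CMPv2IssuerSpec` (cmpv2_issuer_crd_schema.go) still reads `// KeyRef is a reference to a Secret containing the provisioner`. The hunk removes its second line, so it now names a field that no longer exists and stops mid-sentence. I would replace it with `// CertSecretRef names the Secret, and the keys inside it, holding the client private key, client certificate and CA certificate used to connect to CertService.` The new `CaName` comment would also read better ending with a period, like the `URL` comment above it.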
@@ -72,9 +72,12 @@ type SecretKeySelector struct { // The name of the secret in the pod's namespace to select from. Name string `json:"name"` - // The key of the secret to select from. Must be a valid secret key. - // +optional - Key string `json:"key,omitempty"` + // The key of the secret to select private key from. Must be a valid secret key. + KeyRef string `json:"keyRef,omitempty"` + // The key of the secret to select cert from. Must be a valid secret key. + CertRef string `json:"certRef,omitempty"` + // The key of the secret to select cacert from. Must be a valid secret key. + CacertRef string `json:"cacertRef,omitempty"` } // ConditionType represents a CMPv2Issuer condition type. diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go index 38b5cdf3..54b4b103 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -28,8 +28,6 @@ package cmpv2controller import ( "context" "fmt" - "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" - provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" "github.com/go-logr/logr" apiutil "github.com/jetstack/cert-manager/pkg/api/util" @@ -41,6 +39,9 @@ import ( "k8s.io/client-go/tools/record" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" + + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" ) // CertificateRequestController reconciles a CMPv2Issuer object. 
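Review bot: The three new fields of `SecretKeySelector` keep `omitempty` in their tags (`json:"keyRef,omitempty"`, `json:"certRef,omitempty"`, `json:"cacertRef,omitempty"`), although crd.yaml in this commit lists all three as required and `validateCMPv2IssuerSpec` rejects empty values. Dropping `omitempty` (for example `json:"keyRef"`) keeps the Go type consistent with the schema, now that the `+optional` marker is gone. The retained comment on `Name` says the secret is in "the pod's namespace", while the CRD description and `Reconcile` (which uses `req.Namespace`) place it in the CMPv2Issuer's namespace. I would reword it to `// The name of the secret, in the CMPv2Issuer's namespace, to select from.`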
@@ -144,7 +145,6 @@ func (controller *CertificateRequestController) setStatus(ctx context.Context, c return controller.Client.Status().Update(ctx, certificateRequest) } - func isCMPv2IssuerReady(issuer cmpv2api.CMPv2Issuer) bool { condition := cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue} return hasCondition(issuer, condition) @@ -183,12 +183,12 @@ func (controller *CertificateRequestController) handleErrorCMPv2IssuerIsNotReady return err } -func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) { +func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) { log.Error(err, "Failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err) } -func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) { +func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) { log.Error(err, "Failed to sign certificate request") _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) } 
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go index 7e55f36f..2c401cce 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go @@ -21,10 +21,10 @@ package cmpv2controller import ( - cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" "testing" - "github.com/stretchr/testify/assert" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + "github.com/stretchr/testify/assert" ) const group = "certmanager.onap.org" @@ -43,7 +43,6 @@ func Test_shouldBeInvalidCMPv2CertificateRequest_whenKindIsCertificateRequest(t assert.False(t, isCMPv2CertificateRequest(request)) } - func Test_shouldBeValidCMPv2CertificateRequest_whenKindIsCMPvIssuer(t *testing.T) { request := new(cmapi.CertificateRequest) request.Spec.IssuerRef.Group = group @@ -51,4 +50,3 @@ func Test_shouldBeValidCMPv2CertificateRequest_whenKindIsCMPvIssuer(t *testing.T assert.True(t, isCMPv2CertificateRequest(request)) } - diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go index f57f5677..1b4e5312 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go @@ -28,6 +28,7 @@ package cmpv2controller import ( "context" "fmt" + "github.com/go-logr/logr" core "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" 
@@ -35,10 +36,11 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/tools/record" "k8s.io/utils/clock" - "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" - provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" + + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" ) // CMPv2IssuerController reconciles a CMPv2Issuer object @@ -74,21 +76,18 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul var secret core.Secret secretNamespaceName := types.NamespacedName{ Namespace: req.Namespace, - Name: issuer.Spec.KeyRef.Name, + Name: issuer.Spec.CertSecretRef.Name, } if err := controller.loadResource(ctx, secretNamespaceName, &secret); err != nil { handleErrorInvalidSecret(ctx, log, err, statusUpdater, secretNamespaceName) return ctrl.Result{}, err } - password, ok := secret.Data[issuer.Spec.KeyRef.Key] - if !ok { - err := handleErrorSecretNotFound(ctx, log, issuer, statusUpdater, secretNamespaceName, secret) - return ctrl.Result{}, err - } // 4. Create CMPv2 provisioner and store the instance for further use - provisioner, err := provisioners.New(issuer, password) + provisioner, err := provisioners.CreateProvisioner(issuer, secret) if err != nil { + log.Error(err, "failed to initialize provisioner") + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "Failed to initialize provisioner: %v", err) handleErrorProvisionerInitialization(ctx, log, err, statusUpdater) return ctrl.Result{}, err } @@ -103,7 +102,6 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul return ctrl.Result{}, nil } - func (controller *CMPv2IssuerController) SetupWithManager(manager ctrl.Manager) error { return ctrl.NewControllerManagedBy(manager). For(&cmpv2api.CMPv2Issuer{}). 
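Review bot: In the `CreateProvisioner` error branch of `Reconcile`, the failure is now logged and written to status twice. The added `log.Error(err, "failed to initialize provisioner")` and `statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", ...)` repeat what the following `handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)` call already does. The added pair also passes the string literal `"Error"` where the handler uses the `Error` constant from status_reason.go. I would delete the two added lines and keep only the handler call. With `handleErrorSecretNotFound` removed, a missing secret key now appears to be reported with reason `Error` instead of `NotFound`, so check whether anything reads that reason. `Reconcile` begins and ends outside this hunk.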
@@ -114,18 +112,22 @@ func (controller *CMPv2IssuerController) loadResource(ctx context.Context, key c return controller.Client.Get(ctx, key, obj) } - func validateCMPv2IssuerSpec(issuerSpec cmpv2api.CMPv2IssuerSpec, log logr.Logger) error { switch { - case issuerSpec.URL == "": - return fmt.Errorf("spec.url cannot be empty") - case issuerSpec.KeyRef.Name == "": - return fmt.Errorf("spec.keyRef.name cannot be empty") - case issuerSpec.KeyRef.Key == "": - return fmt.Errorf("spec.keyRef.key cannot be empty") - default: - log.Info("CMPv2Issuer validated. ") - return nil + case issuerSpec.URL == "": + return fmt.Errorf("spec.url cannot be empty") + case issuerSpec.CaName == "": + return fmt.Errorf("spec.caName cannot be empty") + case issuerSpec.CertSecretRef.Name == "": + return fmt.Errorf("spec.certSecretRef.name cannot be empty") + case issuerSpec.CertSecretRef.KeyRef == "": + return fmt.Errorf("spec.certSecretRef.keyRef cannot be empty") + case issuerSpec.CertSecretRef.CertRef == "": + return fmt.Errorf("spec.certSecretRef.certRef cannot be empty") + case issuerSpec.CertSecretRef.CacertRef == "": + return fmt.Errorf("spec.certSecretRef.cacertRef cannot be empty") + default: + return nil } } 
@@ -134,22 +136,19 @@ func updateCMPv2IssuerStatusToVerified(statusUpdater *CMPv2IssuerStatusUpdater, return statusUpdater.Update(ctx, cmpv2api.ConditionTrue, Verified, "CMPv2Issuer verified and ready to sign certificates") } - // Error handling func handleErrorUpdatingCMPv2IssuerStatus(log logr.Logger, err error) { log.Error(err, "Failed to update CMPv2Issuer status") } - func handleErrorLoadingCMPv2Issuer(log logr.Logger, err error) { log.Error(err, "Failed to retrieve CMPv2Issuer resource") } - func handleErrorProvisionerInitialization(ctx context.Context, log logr.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater) { log.Error(err, "Failed to initialize provisioner") - statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, Error, "Failed initialize provisioner") + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, Error, "Failed to initialize provisioner: %v", err) } func handleErrorCMPv2IssuerValidation(ctx context.Context, log logr.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater) { 
@@ -157,13 +156,6 @@ func handleErrorCMPv2IssuerValidation(ctx context.Context, log logr.Logger, err statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, ValidationFailed, "Failed to validate resource: %v", err) } -func handleErrorSecretNotFound(ctx context.Context, log logr.Logger, issuer *cmpv2api.CMPv2Issuer, statusUpdater *CMPv2IssuerStatusUpdater, secretNamespaceName types.NamespacedName, secret core.Secret) error { - err := fmt.Errorf("secret %s does not contain key %s", secret.Name, issuer.Spec.KeyRef.Key) - log.Error(err, "Failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) - statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, NotFound, "Failed to retrieve provisioner secret: %v", err) - return err -} - func handleErrorInvalidSecret(ctx context.Context, log logr.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater, secretNamespaceName types.NamespacedName) { log.Error(err, "Failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) if apierrors.IsNotFound(err) { diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go index 8409ea78..79c78ed5 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller_test.go 
@@ -21,13 +21,22 @@ package cmpv2controller import ( + "testing" + "github.com/go-logr/logr" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" - "testing" ) +func Test_shouldBeValidCMPv2IssuerSpec_whenAllFieldsAreSet(t *testing.T) { + spec := getValidCMPv2IssuerSpec() + + err := validateCMPv2IssuerSpec(spec, &MockLogger{}) + assert.Nil(t, err) +} + func Test_shouldBeInvalidCMPv2IssuerSpec_whenSpecIsEmpty(t *testing.T) { spec := cmpv2api.CMPv2IssuerSpec{} err := validateCMPv2IssuerSpec(spec, nil) 
@@ -35,32 +44,50 @@ func Test_shouldBeInvalidCMPv2IssuerSpec_whenSpecIsEmpty(t *testing.T) { } func Test_shouldBeInvalidCMPv2IssuerSpec_whenNotAllFieldsAreSet(t *testing.T) { - spec := cmpv2api.CMPv2IssuerSpec{} - spec.URL = "https://localhost" - spec.KeyRef = cmpv2api.SecretKeySelector{} - spec.KeyRef.Name = "secret-key" + setEmptyFieldFunctions := map[string]func(spec *cmpv2api.CMPv2IssuerSpec){ + "emptyUrl": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.URL = "" }, + "empryCaName": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CaName = "" }, + "emptySecretName": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.Name = "" }, + "emptySecretKeyRef": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.KeyRef = "" }, + "emptySecretCertRef": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.CertRef = "" }, + "emptySecretCaertRef": func(spec *cmpv2api.CMPv2IssuerSpec) { spec.CertSecretRef.CacertRef = "" }, + } - err := validateCMPv2IssuerSpec(spec, &MockLogger{}) - assert.NotNil(t, err) + for caseName, setEmptyFieldFunction := range setEmptyFieldFunctions { + t.Run(caseName, func(t *testing.T) { + test_shouldBeInvalidCMPv2IssuerSpec_whenFunctionApplied(t, setEmptyFieldFunction) + }) + } } -func Test_shouldBeValidCMPv2IssuerSpec_whenAllFieldsAreSet(t *testing.T) { - spec := cmpv2api.CMPv2IssuerSpec{} - spec.URL = "https://localhost" - spec.KeyRef = cmpv2api.SecretKeySelector{} - spec.KeyRef.Name = "secret-key" - spec.KeyRef.Key = "the-key" +func test_shouldBeInvalidCMPv2IssuerSpec_whenFunctionApplied(t *testing.T, transformSpec func(spec *cmpv2api.CMPv2IssuerSpec)) { + spec := getValidCMPv2IssuerSpec() + transformSpec(&spec) + err := validateCMPv2IssuerSpec(spec, nil) + assert.NotNil(t, err) +} - err := validateCMPv2IssuerSpec(spec, &MockLogger{}) - assert.Nil(t, err) +func getValidCMPv2IssuerSpec() cmpv2api.CMPv2IssuerSpec { + issuerSpec := cmpv2api.CMPv2IssuerSpec{ + URL: "https://oom-cert-service:8443/v1/certificate/", + CaName: "RA", + 
CertSecretRef: cmpv2api.SecretKeySelector{ + Name: "issuer-cert-secret", + KeyRef: "cmpv2Issuer-key.pem", + CertRef: "cmpv2Issuer-cert.pem", + CacertRef: "cacert.pem", + }, + } + return issuerSpec } type MockLogger struct { mock.Mock } -func (m *MockLogger) Info(msg string, keysAndValues ...interface{}) {} + +func (m *MockLogger) Info(msg string, keysAndValues ...interface{}) {} func (m *MockLogger) Error(err error, msg string, keysAndValues ...interface{}) {} -func (m *MockLogger) Enabled() bool { return false } -func (m *MockLogger) V(level int) logr.Logger { return m } -func (m *MockLogger) WithValues(keysAndValues ...interface{}) logr.Logger { return m } -func (m *MockLogger) WithName(name string) logr.Logger { return m } +func (m *MockLogger) Enabled() bool { return false } +func (m *MockLogger) V(level int) logr.Logger { return m } +func (m *MockLogger) WithValues(keysAndValues ...interface{}) logr.Logger { return m } +func (m *MockLogger) WithName(name string) logr.Logger { return m } diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go index 017e36a4..f07101db 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go @@ -28,9 +28,11 @@ package cmpv2controller import ( "context" "fmt" + "github.com/go-logr/logr" core "k8s.io/api/core/v1" meta "k8s.io/apimachinery/pkg/apis/meta/v1" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" ) diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go b/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go index d41712d3..fc1772e9 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/status_reason.go 
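Review bot: Two subtest names in `setEmptyFieldFunctions` are misspelled, `"empryCaName"` and `"emptySecretCaertRef"`, which makes a failing case harder to select with `-run`. They should read `"emptyCaName"` and `"emptySecretCacertRef"`. The helper `test_shouldBeInvalidCMPv2IssuerSpec_whenFunctionApplied` passes `nil` as the logger, which only works while `validateCMPv2IssuerSpec` never touches `log`. Passing `&MockLogger{}`, as the valid-spec test does, would keep the tests independent of that detail.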
@@ -21,8 +21,8 @@ package cmpv2controller const ( - NotFound = "NotFound" + NotFound = "NotFound" ValidationFailed = "ValidationFailed" - Error = "Error" - Verified = "Verified" + Error = "Error" + Verified = "Verified" ) diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go index a51b8425..e48b527d 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -32,30 +32,39 @@ import ( "encoding/base64" "encoding/pem" "fmt" + "sync" + certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" "k8s.io/apimachinery/pkg/types" - "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" ctrl "sigs.k8s.io/controller-runtime" - "sync" + + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" ) var collection = new(sync.Map) type CertServiceCA struct { - name string - url string - key []byte + name string + url string + caName string + key []byte + cert []byte + cacert []byte } -func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte) (*CertServiceCA, error) { +func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte, cert []byte, cacert []byte) (*CertServiceCA, error) { ca := CertServiceCA{} ca.name = cmpv2Issuer.Name ca.url = cmpv2Issuer.Spec.URL + ca.caName = cmpv2Issuer.Spec.CaName ca.key = key + ca.cert = cert + ca.cacert = cacert log := ctrl.Log.WithName("cmpv2-provisioner") - log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "key", ca.key) + log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "key", ca.key, + "cert", ca.cert, "cacert", ca.cacert) return &ca, nil } diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go new file mode 100644 index 00000000..4a3898e7 
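Review bot: The `log.Info` call in `New` (cmpv2_provisioner.go) writes `ca.key`, the client private key read from the Kubernetes secret, to the controller log, and this commit extends the same call with `ca.cert` and `ca.cacert`. Controller logs are usually shipped to aggregation systems and are readable by far more people than the secret, so this discloses the mTLS credential used against CertService. Log only non-sensitive identifiers, `log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)`, and if presence must be confirmed, log byte lengths or a certificate fingerprint rather than the contents. The key was already logged before this change, so logs from any deployment that used a real key should be treated as containing it and the key rotated.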
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -0,0 +1,55 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2provisioner
+
+import (
+ "fmt"
+
+ v1 "k8s.io/api/core/v1"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+)
+
+func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertServiceCA, error) {
+ secretKeys := issuer.Spec.CertSecretRef
+ key, err := readValueFromSecret(secret, secretKeys.KeyRef)
+ if err != nil {
+ return nil, err
+ }
+ cert, err := readValueFromSecret(secret, secretKeys.CertRef)
+ if err != nil {
+ return nil, err
+ }
+ cacert, err := readValueFromSecret(secret, secretKeys.CacertRef)
+ if err != nil {
+ return nil, err
+ }
+ return New(issuer, key, cert, cacert)
+}
+
+func readValueFromSecret(secret v1.Secret, secretKey string) ([]byte, error) {
+ value, ok := secret.Data[secretKey]
+ if !ok {
+ err := fmt.Errorf("secret %s does not contain key %s", secret.Name, secretKey)
+ return nil, err
+ }
+ return value, nil
+}
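Review bot: `readValueFromSecret` only checks that the key is present in `secret.Data`, so an entry with an empty value is accepted and `CreateProvisioner` returns a provisioner with no usable key or certificate. Judging by the controller hunks, `Reconcile` then appears to go on to mark the issuer as verified. I would reject empty values with `if !ok || len(value) == 0 {`, and consider checking that each value decodes as PEM so that malformed credentials are reported at issuer setup rather than at the first signing request. The exported function also has no doc comment; I would add `// CreateProvisioner reads the private key, certificate and CA certificate named by issuer.Spec.CertSecretRef from secret and builds a CertServiceCA from them.`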
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
new file mode 100644
index 00000000..6ef33098
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -0,0 +1,120 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2provisioner
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ v1 "k8s.io/api/core/v1"
+
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+)
+
+const (
+ secretName = "issuer-cert-secret"
+ url = "https://oom-cert-service:8443/v1/certificate/"
+ caName = "RA"
+ keySecretKey = "cmpv2Issuer-key.pem"
+ certSecretKey = "cmpv2Issuer-cert.pem"
+ cacertSecretKey = "cacert.pem"
+)
+
+var (
+ keySecretValue = []byte("keyData")
+ certSecretValue = []byte("certData")
+ cacertSecretValue = []byte("cacertData")
+)
+
+func Test_shouldCreateProvisioner(t *testing.T) {
+ issuer, secret := getValidIssuerAndSecret()
+
+ provisioner, _ := CreateProvisioner(&issuer, secret)
+
+ assert.NotNil(t, provisioner)
+ assert.Equal(t, url, provisioner.url)
+ assert.Equal(t, caName, provisioner.caName)
+ assert.Equal(t, keySecretValue, provisioner.key)
+ assert.Equal(t, certSecretValue, provisioner.cert)
+ assert.Equal(t, cacertSecretValue, provisioner.cacert)
+}
+
+func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
+ issuer, secret := getValidIssuerAndSecret()
+ delete(secret.Data, keySecretKey)
+
+ provisioner, err := CreateProvisioner(&issuer, secret)
+
+ assert.Nil(t, provisioner)
+ if assert.Error(t, err) {
+ assert.Equal(t, fmt.Errorf("secret %s does not contain key %s", secretName, keySecretKey), err)
+ }
+}
+
+func Test_shouldReturnError_whenSecretMissingCertRef(t *testing.T) {
+ issuer, secret := getValidIssuerAndSecret()
+ delete(secret.Data, certSecretKey)
+
+ provisioner, err := CreateProvisioner(&issuer, secret)
+
+ assert.Nil(t, provisioner)
+ if assert.Error(t, err) {
+ assert.Equal(t, fmt.Errorf("secret %s does not contain key %s", secretName, certSecretKey), err)
+ }
+}
+
+func Test_shouldReturnError_whenSecretMissingCacertRef(t *testing.T) {
+ issuer, secret := getValidIssuerAndSecret()
+ delete(secret.Data, cacertSecretKey)
+
+ provisioner, err := CreateProvisioner(&issuer, secret)
+
+ assert.Nil(t, provisioner)
+ if assert.Error(t, err) {
+ assert.Equal(t, fmt.Errorf("secret %s does not contain key %s", secretName, cacertSecretKey), err)
+ }
+}
+
+func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
+ issuer := cmpv2api.CMPv2Issuer{
+ Spec: cmpv2api.CMPv2IssuerSpec{
+ URL: url,
+ CaName: caName,
+ CertSecretRef: cmpv2api.SecretKeySelector{
+ Name: secretName,
+ KeyRef: keySecretKey,
+ CertRef: certSecretKey,
+ CacertRef: cacertSecretKey,
+ },
+ },
+ }
+ secret := v1.Secret{
+
+ Data: map[string][]byte{
+ keySecretKey: keySecretValue,
+ certSecretKey: certSecretValue,
+ cacertSecretKey: cacertSecretValue,
+ },
+ }
+ secret.Name = secretName
+ return issuer, secret
+}
diff --git a/certServiceK8sExternalProvider/src/exit_code.go b/certServiceK8sExternalProvider/src/exit_code.go
index 7435c64f..4fb984d3 100644
--- a/certServiceK8sExternalProvider/src/exit_code.go
+++ b/certServiceK8sExternalProvider/src/exit_code.go
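Review bot: In `Test_shouldCreateProvisioner` the error from `CreateProvisioner` is discarded, and `assert.NotNil` does not stop the test, so a nil provisioner would panic on `provisioner.url` in the next assertion instead of reporting why creation failed. Capture and check it: `provisioner, err := CreateProvisioner(&issuer, secret)` followed by `if !assert.NoError(t, err) { return }`. As a style point, the three error-path tests compare against a freshly built `fmt.Errorf` value; `assert.EqualError(t, err, "...")` states the expected message directly.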
@@ -1,13 +1,13 @@ package app type ExitCode struct { - Code int + Code int Message string } var ( - FAILED_TO_CREATE_CONTROLLER_MANAGER = ExitCode{1, "Unable to create k8s controller manager"} + FAILED_TO_CREATE_CONTROLLER_MANAGER = ExitCode{1, "Unable to create K8s controller manager"} FAILED_TO_REGISTER_CMPv2_ISSUER_CONTROLLER = ExitCode{2, "Unable to register CMPv2Issuer controller"} FAILED_TO_REGISTER_CERT_REQUEST_CONTROLLER = ExitCode{3, "Unable to register CertificateRequestController"} - EXCEPTION_WHILE_RUNNING_CONTROLLER_MANAGER = ExitCode{4, "An exception occurs while running k8s controller manager"} + EXCEPTION_WHILE_RUNNING_CONTROLLER_MANAGER = ExitCode{4, "An exception occurs while running K8s controller manager"} ) diff --git a/certServiceK8sExternalProvider/src/exit_code_test.go b/certServiceK8sExternalProvider/src/exit_code_test.go index 8a42909a..1492036b 100644 --- a/certServiceK8sExternalProvider/src/exit_code_test.go +++ b/certServiceK8sExternalProvider/src/exit_code_test.go @@ -22,6 +22,7 @@ package app import ( "testing" + "github.com/stretchr/testify/assert" ) diff --git a/certs/Makefile b/certs/Makefile index 3dcb9cda..b684659a 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -1,9 +1,11 @@ -all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 \ + step_16 step_17 step_18 step_19 .PHONY: all #Clear certificates clear: @echo "Clear certificates" - rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 + rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 \ + cmpv2Issuer-cert.pem cmpv2Issuer-key.pem cacert.pem @echo "#####done#####" #Generate root private and public keys 
@@ -104,8 +106,36 @@ step_14: -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret @echo "#####done#####" -#Clear unused certificates +#Convert certServiceClient-keystore(.jks) to PCKS12 format(.p12) step_15: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceClient-keystore.jks -srcstorepass secret \ + -destkeystore certServiceClient-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Convert truststore(.jks) to PCKS12 format(.p12) +step_16: + @echo "Convert truststore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \ + -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Create CMPv2 Issuer PEM key pair from certServiceClient-keystore(.p12) +step_17: + @echo "Create CMPv2 Issuer key pair from certServiceClient-keystore(.p12)" + openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nokeys -out cmpv2Issuer-cert.pem + openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out cmpv2Issuer-key.pem + @echo "#####done#####" + +#Convert truststore(.p12) to PEM format(.pem) +step_18: + @echo "Create CMPv2 Issuer key pair from certServiceClient-keystore(.p12)" + openssl pkcs12 -in truststore.p12 -passin 'pass:secret' -out cacert.pem + @echo "#####done#####" + +#Clear unused certificates +step_19: @echo "Clear unused certificates" - rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt \ + certServiceServer.csr certServiceClient-keystore.p12 truststore.p12 @echo "#####done#####" diff --git a/certs/cacert.pem b/certs/cacert.pem new file mode 100644 index 00000000..26c9b3e2 --- /dev/null +++ b/certs/cacert.pem 
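Review bot: `step_17` reads `certServiceServer-keystore.p12` in both `openssl pkcs12` commands, while its comment and echo say the CMPv2 Issuer key pair comes from `certServiceClient-keystore(.p12)`; the `certServiceClient-keystore.p12` produced by `step_15` is then only deleted in `step_19`. If the issuer is meant to authenticate with the client identity, both commands should use `-in certServiceClient-keystore.p12`; if reusing the server key pair is intended, `step_15` can go and the comment should say so. The echo texts of `step_15` ("certServiceServer-keystore") and `step_18` ("Create CMPv2 Issuer key pair ...") also look copy-pasted and do not describe what those steps do. Because `-nodes` writes `cmpv2Issuer-key.pem` unencrypted and the file is committed in this change, I would add a comment above `step_17` such as `#Development-only key material; do not use in production deployments`.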
@@ -0,0 +1,40 @@ +Bag Attributes + friendlyName: root + 2.16.840.1.113894.746875.1.1: +subject=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org + +issuer=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org + +-----BEGIN CERTIFICATE----- +MIIFnjCCA4agAwIBAgIEGHBb6DANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV +UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ +MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE +AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjUyWhcNMzAxMDE0MDkwNjUyWjB3MQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy +YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B +UDERMA8GA1UEAxMIb25hcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCDBR06SSPmxUiug54/XkZbTSve183eDb+rObAOWu1c3yQHBjBAAECa4Iuq +TZGwNoK/vYXr2iryQ02Lpp77zBCypVCDrHGl15wHpkCYjNNoukoYHha+vCEstnlh +TLBPyerQpdcerHsUTaHphjdkpfLklFrfFz6SCo1kvInghFAERljOaN3/iq271IAT +epyAVDdTzQ+xzMBNQFgF3QUORh165IJ4Qd9ZVcXcjGwILGV9lw4AaISjVqIpkbLh +pwjnA4PmLdZvHr7yzT5GMxPY7QV9/7NQfknOTOSZqFX2dpsqXd7mNv/G081zDbJZ +bdyUHyAqPm4I7rZ+6frH78PoCHwAp1mOP5AzTKEYUen1PB+88lTqlmjxn8VXz8vN +55fI4YCQH6tlRuwQjl1HQyIPDXjh8OJIIn4Ig9ay9FM9CS/Jw7HkObjImhAM2MnQ +JnCAsOvXyn4jdbsGihZoXF387OgLtWCjzwZZMMBO8FnbncYgWecbnYpErr7NZxr1 +E3qB3JTsY5TAImN3NvrFIyuovf54dyrDWQhtle0cuneBBS57HSgXSeDjvVJ8Wr51 +pfRkdMBnA4ZYxJdZjkiW1ocTIexwWk1uPm0/wDUlW+ppysKHT5p290NktRUcB0bx +P4c938IumCNeNYOWiPCApeCRif860Lnh1d3TqG/WP0bTcX2HAQIDAQABozIwMDAd +BgNVHQ4EFgQUZA0N2+KNAehLqY7+CMl6Be3T9ywwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQwFAAOCAgEAM1QDhC6dJzwEe0sf8x6ip+c/LHAElOOWX7+N/QRu +iZaccfgox6adu4BE+l9mUrqKxFBnpomzvoLfSrsOkjhj1G5uOjIuxARZnKrcwI4j +c+WucSqBBnDqyzL7+7G1Unm5+yifl5AEs2x+7ftFzogUKWa93xsQ22aNgDOz0+B6 +FL+VPC0JSLH2QGTtHJVMKiLKAj1M1rAsiuISK5KKmk9CGFJl2HAgWK4LT4cbZPT8 +2BODLKaW2qFVRJRCRJUB9HZGDz+Fn9MxNXmQf0ox++HycJlgQMsIDOUJj6B8bygI +eU0pD50RMKNC+tnaeHLRKLrGA1KaW9kku0UO/dINMdmIfi9FKGbUAoLh/2cR1bUF 
+XQtiKeKsH/0HWQ/M2iUpHaSSgx+xzNx/4waOL8WdZatjeqVcbRHly/lk6mq+WE81 +38i9rMZMiHwVKhbzuwYmQ4GLuAdQ/RttrULM1/4FohMhUplvugvx+fajqYf85kNR +okduFxOXt3Mc2rGdtjo/cCur1syKcjXnB+sYmzAbP2ZSkD0Lm+F7dpP2G46fL/aK +TTLHRKqVSGzCizCukPMOdo/LjBxrOMUduBungSEnpqGOCGw8n/7djVIll7eDmi8d +c4ond8czbqLhcMgaUkj6hU2IDxGTN/Hsxxx8q5MSw57pIAvuT6oHxECuGJH4tiU9 +QS4= +-----END CERTIFICATE----- 
diff --git a/certs/certServiceClient-keystore.jks b/certs/certServiceClient-keystore.jks index d91daa6ea4c62d77d4c25c5981710593e6ec4038..7c651d6034234f9c3e33addeeeb616a65092ec37 100644 GIT binary patch delta 3332 zcmV+f4g2!pALAd8CVzD>se|qS00jatf&~6B4h9M<1_1;CDgqG!0R;dAf&}V_T;5$& zfqc+mH-TmBnW#*Xo*D>0CC7`Tu+&_mSolnPgUlCD0U~@7y^l338L_ptbMf#zZ%?;x zF7iqwEsA1a;qUMxh@uh=Lt+2Iezv3bk`IB-AFs*(k{yi~h<_qV*RZKK&}{FzV8;aa z94J4^WiBuHfx#jmx8y9NvVQa^w%cZRDGEW$mz{Uf)%->ME5}4~3mEIxbNbH>(U((i zY!ABK@3*dfW1)-Vc9`a-s-#;ievkB;-Wyb*0$E&ta|P~JF#C;<{Q&55=;=89wT95a zcjDx6Yv(~mz<)fL4g|3l%WfZw7}j6ts=gQ_Je?_PohchlIG^$sO0@A$rh1GTn7@=^ zSQP346dQ`iqwt02T5yGffxhT*TdI`}o`$kRgw}t5Kcb$Lv!(D+g=wTH0N{kPd(3!% z&+=R@I>zi+r4TUwNQS_*I?8EUx^}APzF>nEr0G+L1%HYX08?Gc{olCN7&hgZ&l_!I zJGQY5%y9Y+@F-Z+E{6rNi1C=>!-W5Ay>1E44)Q)+V(X`rC&8@+`}V%BN9@YXaNHs3 zW#h}62D#*u`Zzm?L2R|coUv%g1}k`bv2;5T;z$6Z6DhQ=R>uW!q=!DX#xVpO^1lT< zpLU?JMt{_u7|2C6vmo|2&9S%zbPKiKsMWBQc2xoIQ2}cej!^~U z4;h+)Js*cf#mq4GMj_o`&wTf{#7o!8{CDzKWJhJ5m&_0qq9LJck($x<7vWCAFSp6j z`hPKSk!!N4?#=hSlfEspX~gYQZ3Ojni|CBT zvaGg_tNW-w$Z@kaO^DPur#JEE39Hbs$_kSJ*y)~%Q!-Zz7L`K@KfeyNuolWBjH>R5_FcY*{wxRdXBEOjDa~*XPF8vOZDrIEg$?r*7iF| zP|}Q-?w#ONb&GGbx@Ri?{z^Dmh!Z@k5c5<=K)T1&W#mz_7k)mzrzNk9LCw45{C}}_ zjRB^Ne(&_fP!9!-ChLZH{q1@HgX)`N9MF-7z1OuF=+lZ(DsiIpApauMglv3>2lJKWs-tn z=TG1}-GG1t)ul?%aX5(K6unfmIe!aQZPOh-gTBIs*lZ6Tb^~i$3I8M+r3BhV(QBo$ z9_1**$I{<4*NFYmD8nWXy)SBfGV&hB2pYY`QZ24^t7|V`+^d~}B0+IJ;b@$;ggo8& z%No&EUbB8Jw|Ddz=)|G=FJFFU@s3*Yd%b3tsRKdMe&B9@xQrBk&z09bd==G$W_97A zT+n%50^1%*fGZi}ty5c*F9jY1H>5&SlTihZ8Zj_2HZVCbHZ?X{7Y#BoF)%SUFgY+b zH8xt4U07)1rI}y&h zd250SZs{Vt6kD(YubN7@q!Bhf+dV*PtB2Aklk`hq?~hSeID(e)7;tBCWyk>dq6wV@ zXaXpc(#^tkLTQ9LJVK*SkfLc`NtSM#ifK#WQ@Mm&Bg{0#VSioFZYV&VnbGj@{lVlH z@}znj^(f#fl6L|F0RRD`axic(9R>qc9S#H*1QgJ(5)wQ&VBaWqKKC49w>7x$$qz@Hyfq9A!?Hm}EovV4vfa7aecr~BYa{yFJIiwLwL6gBxlgHO@eBIk{u zH^^+EhCRw-vghf4OJ+hKRD!6tKyb#tNUfk?G^Wvq%4(5(3n3}V7Bvq1=#F!<090|C zwsJD&EO<2Ix`3nmC7aMlSndbmO@%NQcdW1uBD%~nAQmsq7BWZz 
zFLQk3w<0Q;kr(ux2@F>SW(7Z}6GxR}*3G(Z6|V0@pt-O9p_MJ+80+&U^BJ;!QgDUw z*8z=#x)I;vLrsgOp8L!YvZYXitZ}8+oCl^rn2ghCx=I)x z7QVb8EVg-JOt4SM>d>Xv9;|y5O`++AH)N&qXvBnpT$?t%gyJP$l-vH zAFE|X>=2G!M?)eH4S3=3;z%NX2!qzL^iw?vFUiBP|>O`B4c+p z`o$wFsJ;GpcPhhK2yK<^9J+Ub1ulCXC>KfK<#Ftr)NS4-z z6CvzyT1{>~Z9l*@C0pug%EE_Fns)a?WVIC>2S)KfhdtlIE|?=;HG`Ij@PMV@k%|90 z(7EB&-P5RV);~tm1aWSC*(AF~4*k*%G1-5JelJBRX4C?L z;s0k5)wKm(3t}natRMXcSr5$GB`F=Gl7kunQkieM3-S5(qp64d=0j1U zM{XArm$!2q+OeIsIzNAKE34MbigGpQ2kRJ{FdIK+Qjk3ho8fzQllB{qpD*@`O)|$s zs+CA=!izAjkn;|9kIRf4YdFOnxErT|At$DxjtFc#pZ?vAQYDwSgPJcLbBZT-$1`rC z;c&lQ;3~#~ggClM=(8=^zX4PpSvRK&}{(__i1&JwYx`nto%-^3rb& Ot>Uqd3HMHS6!rqGyGzUf delta 3366 zcmZwJ_ct4i0><&g7JIMSTZEuS(Mr`$N{yh_YmX|msTH)O_J}=eZ@PjSF^kq#J1Am= zmzK7+a^G|BFZZ5ve|-Lc&-Xk8{&oH|F_eG)2O%^7Kn{S$kX=FPDL`NfAQ@1Kgb4^F z2av^(5#5_nO)@O01&bi!jk*o^7oQW`WU`i-R~(>3ff(NN{+9@c-(_oav0!YP@DVOO7yCJC;Tp4;#=PKz-tQ3gRL3o@NtAi6&J;n}I#rh4+ z@gW3dTGOX+Bmhv>>*Awc65%KfJ!pBaz-_+t*Fn65U)Y>&hTe;X-;csY+OfNVJ8lTc zi48HcCU46wC+19wl(E)nQ31tsQVmeIs`9~{9^)q{;z@-t%s-#uPXxC7!^*=QGO9}rGg^qR>J?F*mB zf5M5%SR07wcJ{2UD0&CjeV8Jn(-1c2ED5U~Gu28SGK{XL6#5d13w1S4D(EM_^k*pI zuRtBpcY*t_5{Ui*(Y1s49tG>(D29;!gBk)7+Z@dQ&HET))R7|C3|qR)#+6!DV6qW zvzLIb`ME3Qb3rN`kTS|EYt{2oAQ_qAi_}*3Ac*NRio8GJ`<}hS{On1|%h}9wMVmNX zU-}>>N)pdafoq?}ZhaLlUllzJGr zUO+negLJQ5Q)NEL9#PqjCzOijg zc*kPbvkQH)WK;mj$6icjvX=xue9_Bx`UPtY`3WRboaSsj8c-Q_k zf+Zi0_Ym@i5DUOFjc2K?U!Q){s=l0sN!waev8#s{XBpYC(ZAJu^~K0W>aXOo6&J^;uFQP47)*S_Q}^2pGDv0cW=+j5vPkR5C(Co zY?)1m>!Z+&^>ZS@>J<;NA{xH$IJs>KxUdVPy^L=x3IANcUC$fxp=}H?RRhE0lJne_ z!=7}_?NjnlS!47PrL17T=+?9%E0&Bw1v?e?7KCqvqU3h8kybmuYY;XxeOWQp3ZyKU$P>6&>3bD5{9x^|9p`%gjdl0g7d)nXziPOVaq+vpXlvd%B9EI?s-lNY7Xj zSO_By#~rC~h0NM&Cx*0eQQE!{j2t;18A4)c0s{l3a6^^l@5m|0$={Z@;-Hh4`>%;H z0)=7%DFje8CAuTJ@6$p)9$+cd+{a7uqXO^BE88#mxlvE~8@W)HpFO#SAaDlw)g^65GZtWuW{F=94r~$M^NH1r+iXJ zOSLg&nv#na3iW)I?IGX4w zSSTgsJWE0f1OUtZpgvGu3Q{C5JsCS0>*buLvzOVr!z^<5@{`@&1uB=~B}^A3A8Qj? 
z*oIgoJVrWXgkm||P}tmU+#2(PQUS#lyH49#_fiV~tM`-Od3#F`s4^HUlFxj>|9f64 z3c+OXCG)`V;b3riSRDIOAo6FN9b`G*C$#(}GtpRcL;KX~x%qM3KmncTzpnOvmw$&uf9)$2Yc+@Sp&>r=MQBlpde}`0s-{cMDZNAvQtPWc)0mWV>k_LE z%nxBRUku9cNKNY(X;iEwx#_Q_lP?~2wsaRw_?Es0f5?j;O<0JkpAj=FsT^Qh{v~34yPKVw2fuj$-`XXxQWJ;VThDFjecU*p_Rm4+KyJ6K0bDII8Q-!%DulV?dIn@Mz;e?(zt;Dwr?*fRsZ(t>vMH>V zM7M8D216C|hE6Qme3OVMcLUe%&Qd0Xz=fQ)p&3c4`!i>?Djs1N8=fFkPVGLBeoc&%gph9TI?kvnhvQ(|0ZiJE z&S^BIi6U31tU3J%F$~C)(U(6O@%{+5p@wx$V8l-JE#d*F!B&4O>QA|^29-qbs}&A( zE2m~$Z0Uf*;3ko5_FxQx*+=)S%WA&YeFNPMD*cGEM=OPy81CzR$P*0YOQn6PV7rf- zPGqW5+gdf$mB%k#B9jxZD`Ft9mpG-weG=cZDbu3`RaV7 zGGyw53CKu;5{2sj(SrRyXVf4;lRhwLF#oQ+fVcD=)eeLcZNrbFcfm) zZ4r&In})?qh)5N)vEpW>7d%C;X&;nwZiXcIsoz`*)8p34@C|`PPwA(z4`fX|P^8;0 zf;Vpz!r#TifY9SJQ@PRxu~Kq?$N{0_eM}LsRIS+!|9FJqChu1tMHeq= zS0>~B*^*iR;E!L0BfD9GumE`aue)uG!D{xpLkX{Re;)`Zg)2B9YS??%OcuvLLtlkraS!|UYUZyOtWEu z6?FO`x&Hv5tb>?`1>O&yt-5H){&efx?k!giwVUmHF++yDRo 
diff --git a/certs/certServiceServer-keystore.jks b/certs/certServiceServer-keystore.jks index 046d71654ebb95a4570e7fe36b58c207a28696ed..57a075ac4138ccf22d098c44ba26e8aa750dfc86 100644 GIT binary patch delta 3336 zcmZwH=QkUS0)X+5gwzT(YetQtM(o-%wj!nWs99Qj3xe1xMr@)*#Vjo~O6?UjUN1_k zHm$u&73IF?-Y@r_b3ZU!i%dFBGk8Bz>i29R8%w^W zB{7}rY<}>Wb}#VgKuTnzZGy={AXxgF)Y*5!Z&x*yk9hlI!`~-?3Z^h@rc-RDQj5*1 zT*9?2DFeB+Z|=^s*kl5abp$ZK)+g=#ikQH|w&0D??Y!ma9ueryiMpa@)&|J9eN1q{TEG5&%vz3pyzKwd`0*ZwT-ht(ZoY{==wq)~m_SILu@GUY!T-2lv%^?(4 zbrweO4t9OjxE;tThPazQ-b@J_EGb*eP&gQL%#?kc!T*|r6s;Fi*pG&#w+)6(ru)c;@(p|Eyb^zhuW@9g;G(9=*KE7)*vYC>ZJIbKXrj*R zzEoE8J0+HpUJcQa`M+jyi!^_eeO75#nlPtzlPwhwU|BcMBNN9owiur$+1y^Is3)K` z5LiKHr*fVaAO6oN7ms|Bn;&JXhbJ+0pXFs_go6BwOdhBHGOu6KkWJ-&S_h}1=K?Kd zo&eL@)W)yO#WKU3s4O^3rUuL(-mGeD(Q0kHHEN@m6{`{u%rBO;rlU{nY4q?EFKCWu zWiddO1Of085YkgiHUJ+jIZ$f&q!^7m($oTT!>X`u1{3r&`4?W7J%#oC(Wat3R1ZQP z-&WbHteUKm+t?1?%$TZPH}&RKkhv;dxY>HCrSXl7?AxT&5m!EFsOrfDr}9GF5=qL3 zI|{s4TUMFauErolp-$nwj_bTbgLblX-VgyJwzkUW6P<(K^+=ffUVMsZNt8#^HU6GH zrLZ8*p&U(OiGEqme|b_`PzFm(w?<(?f58h_4W?p&{v_{2?l9%)M9yFEq3uf^blV-& zcY0Fz1yQaoKUBqrb}GhU*h2?%e#ErZ64wRPM&w?xTO=@<&c0f`gVSTKC-!!=RxLkM zI1dj<{b?rZnCR}jZCmm6)~=9j}lB z5vPGNTcL>cBKxe<7kxper)qf%(7U&&^6bT!>O_q>7SFvRZ@T8AB31rEz!66BSeJw+ z3MQ(ZUgBq|Ab$XE;V(m_#_sO=~WN3mRkq}7IRc+s|UB%N__8pBA$r-nej^bu5 z`|Z%LkSg^xG=owgoD)Z=ANx7L?lMp#nR?&jj@P9KPjMpH{)(#6Xn5fd3L0u3CePou z0_5=g@{|M{U&+`zsL@DzUte|ixXRsa-drl)l`T44%<;gtrvoW3)l05i&z>zlH&n)u z+jqwNi}nZ}tQhXn6^m{G_wy>4B1~i47d#UwO<4f7wC{U=mrAfQKfriI7}}6hVABIH zcg0v1#5D>c8zRQbZeOue9cJ`Zn_Jqe{)yXfaCk+=urdl;!u-6NHE}UXgCgFrawRI> zv!eE^@9tOY`$C6BbzLCa&9Y(}jw7c90eZtJ!J*eAJ!nj;()dm6#5nC{*g^47 zll&a$El$F_pr;VEIOTCm8m}L*9ArzQZ^EE6&b5DWMHQIV`eM0G_k&pvgIqu!Nuh^6 z=Vs~%Zg(+6lxiJS3=QhjAJq-~`s6VkozoHkz`US(-nl-O)2zp!O+536(Rx4)002k< zU<*-cxEuh0Qv}n2Bu7x!I1@0IRU9rZ1DAu#NXuC7`kS%^6%81 zP2vzg72{gd_Qt8BxjifjHqkR0C^9)etLna*h{4e_zllaAb{&)~>%#CX)AuTBc}tY{ z6qb8kDC`s@d`Cwee4Bt@$DnN%)%baqgrpY9YHQl8<2~lWXR3x>LHLL87MaI`f@;<3 
z&-j&B54ZNi=#^O!CgF|O=qj=)jr=27DrJj*Z7uL&8mrL`F*9GDe7 z;Jv9|!Z=olBw8*#$H^M4l%eT=PyFLrkz?W}<94>kl-%U@2Q9x>hriPS4fCzR2__uL z0U=;JWxywc8BN}N!gcwm4a)@|XokOjg1b6cq;w2B^8ghx^o`aGe)-QfwT6Ck$LWWI(K05W3*H5UvnILKd;`dy&1yK$ zsR&c=NaRRbFZEEPPOz3+RTS)W(!E@=kpF&pKHO@aWy3f#3{|H4`XG+#tyj-!2}1FP zNwf3W95;83M3-Cqyt22kjd~qT^M}RSV#v^ujQwboko)94Qx1>nOW$+Zyh#pCMj3=B zO8!YEI_DUD;=>Cxkcznen6s31t4(R68sQ?72lP}kEv{~crFiP86UxjkNZ)gb{RT1T zHh3$DIFk2#J>HKLaGCOAyEA~gicyD1DHGAQU-*NVlBmC;zF zY~~}=xQR4cn&O7srxkppRkKZHL&RuqoyT410KkYCWI^5>HYlRk`X^Xo|2gQiXF=CH zz_y^#-_wuIFd4r)%hXg6dvb)Fo)l{H60H5cBbO}$?P*z@r1$eH++PVB9qAB`CLI2` zJDT`B)bK$F^p*CUn&2AVtX+Hi&D|wES5@7jEjy|VGTvX8DXi;^Tk(fJ&hz?7qMm`E z#*p4aoFN4(h{eZx^MCnC{KHQY{trK?e`}Pm`ZvE+N*Edg=8)Ir`7xkVhbdOE)3P?a zzc@R#NZnN<_m;+L&t{32oD8lCP%T(asW!}bD-+Yz5w|lZbgW^RLMXl*rEMrT#?<5{M zuuDWP4d7{P+2c~djE0p8$OaJeLuAIAv-5aNSxb`s%N{u5rqMW3cidn-ztZe1s8Gmu z@rTUK;MABub%Uknd=?i>NZAXr-yFGhF?7(k2|5>K|EGAp0id-L$O}BHN z9=#ke|7&DyBbT@mmCjY;qP0tlwbjdWv1zfaWLo!L*3Jb~?G$xKgeY_E1VDVrS1{vxx4cRxI|{DvQdS#Gf5lQru)$J|&? 
z>BG>`^I5x2S>1P?f@LlSc4xOW9MUTbj>$+x=5-f>A-xFAe7=Ms{+oBb5ZDrC!lI z9y@7FPU2xy`Eo|mjr_!imCp-PmEJQdT2sQl5eX#!8IS}V{$Km~znA$;&4-pW1;&cv z?HpV5|<85N9&1St{nU1JE)F8 zsJ`Dydll|200}h|gyQMoW$G7S=R*Ac7HAs;A`7g)^0p&r{!CJfe?=!oiXjACr%7X0 zZrtcTH-T*_9R*iwx&Dw_LPzKL1UX)3Vz}Oo&ZF1Juwnyvml~(AavM*&?<2pRw>>&7 zjHH){9kqi7iQ$YwOegJR{2I|It>ngk*gW5;kIr6$OX<0h`QB}mN59X?suHe#Xqc30 zdok1Jw)nHpy~8)ltDt@E*UXG2`$=z*@30iY*;HJS=}MG^E2tpc85{Pc*jcin#E@on zw$Ah36nI_w2~AMi$P4yo4+c0|*(##B?-5F{kmrgouNP90e7P-{0x=H%m9$tgH-B-K?que*DChu3RW63ygX5mv(6Ga7AfFGf%W{_Z; OeeVmvxHJ#r+P?r@W;JO5 delta 3336 zcmZwH`9Bj51HkdkZ8MRxxf#tdhOlxpa&O7pDZXwMDn}HviCkgB%uP8fXN25WiZ65L z91=nyXKwX;U(fT)^SoZqkDou_{UM2y#1o~N{WELePDygYL{Lbtu1AA`)Yjj*th>b# zSiYWcUR^f3Xs5!;%@F;>7+T2KGR~my)*Mk*XW4!F(((a<$>RGb{Wkz%((UR&iJqY2 zp|xW-p>Xs&6G3G&=pyOf>5Q9q{qeULs$1xAlE{_M{!QGkq$j?fNAbu9D_a%=h^)%v z?@O$&Tsx^YCb~b7t*uJI7OkPqrQcd27~Fv^hed2Fk2w6%q}CTPyXqZHx-ob}y&IPW zI(DHq*55U9X>sN##p`)$K!+Jd15|$uZJz;;JPf>ICC1sVzBpM*iB#OUu$sjb&shGk^{XtWi9pmq~}|CM}R0s6;w+5l^VC=tU&aeUw4X_5PvqL2it)gYPY z#)4MP!zxnxBs_dwlr{_Esowu6Jh!K@3)|@G{4N3ZW$NI4g@^U^z`ltsNxz( zZR3Vy`5)deQFd(>aO3j@(gu?hW5uD(#PVDu_pqei~S-WLZ zer=CNpexXQ=5C7#NP2{#{330Q39n6h4yR>TPw$~OpSlerNd~3Dl zV1yqbDNMz~Ui{eQolPCY*~ou9GkfOg{lInkIdBl17R8eW8_qPvT;?)-VAD;nfT^M$ z8)@)7)R6k^=w7z?oB8aC{z8j{)-;dwvCQV~+trGv1906##ihkG&Pf*r0bx0kP1nv! zArW{7+&vM*u?t9}i#iF2@atYF#)zX3op_C;)QX43Kcf7!6Cphn(pRfr;6!T5!|TK~ zu zA;ct-9*Ktb=JZfAP6MosrSXP(K9jC?@Rs}2p-i=SKYjU&kz-6~jzGPYm9TbJ!Kn;L zKc(OZlaaMnH})VH@Bo#ZhJsAc`0C;4jPZ}{cAPg zqkZF=O~>b>9;1mOg#`U5=xt@@Eg}CKfpP$IX`!a??ol*UEzDYRU7$_>7|o_wc0H&v zGJPFAKf5`4@?fu|EH~cMe8sR}zV?P+_bDVroION;t@r*2YwB%Zlzu6y0E)=4f zL*j1ROw~l;`S+gwlyUPRubFQ!jwWX*N+j0BIV|nCjPcj%NM4yUR20KnnE`t?^GXb} z2+o6OoAdcR4yy4Dyv+&WG?_wQU0%_I57uP{8_|_ z;eNo5t2Moh=)Hx|{D3mCQO3INbY$Rnc%T;avvA|H_^-5=qB{oDG!^GT;qH7cl<ZfZW=Gx!ns}j;R%NNCPrxc5VYp z@aw!l^xw(4eu!4$F}Q-ldu zc-+S_gEy11@f^5CfwHL*!RF`{CCJ!o#9l->=v7}z$cBs8-ix3AUH$;|DSaEpaPwHzk847Adq}2F1agH! 
z+uZkVKR?T|A9nSb7Hau`Ot;%~Dyb^ZE8;m=d@adLZ^YMV!pgn-Bq?)sa@1+;QD+x^2<9~rFAaS9WCZcggzV0{^8(B8P*YC;?h zvQyrl>9I%cNDy1jp@;fzPJIyV-2%IXw^qpO1TdMrkq-={{hX4huSMfq9Ljt*%#1`w z{?3N+@(RQ|>@nNvOOs2A>bVwQjo)&vGNUxmNmpCiRoG+YVhX$ZX49&>oGf}R2EPyR zJj!GC*fOrzpBv=(UNhXUWX7;jnk$VIF*_{!{d?MuvyiyBIKC4(>C5UNDst(48Rg*1 z6P;`FS@`JIZr+bP{gNG&lo1ual`KZ#>a`=cH@-)Uu$sl!d4R@w16kc?pO0d_?h*Xu z%sbaPKd#lQ6&`$W)QE}D+ILWS5%Y~Y#xbH|3v9aA=kqxE4D9Y1pQyJcuzxgGA#fgzg^b8uP1tkGK zM^HX^de5p!KOUOb7_B+->z9kC(B9QJeo^MRaRTqG1(?W`6EIv63<=w;DE=MH4^1C= zyUAH89muGgo!pJ~^IU2*x@3sb9Xu)QOcNdYcxe&(?XLu)h5&_>tx(KB-IVYG!w}X^@kTzZuGhU@QoHPVyA&`G-bT?sJ(wx~4`8 zY$l=k=Cj!;6zK1D#61e4x5$Ys(fH8QkU&(7Z4XX|`Ez3kDdmx6cXH6@F?M8@Taprt>m`07|R5c%uSQaP_oCXX3lu|rMqkhR%h zzg+Cs$sLL&>yIt?$70QvL`EN~x%()1aN|CVy%_TkY8aIwwDAPi0x(It+Vxxm8m*Qw z)+5Zb^0XH-A zfNc&QRYAsDw8z+_*{`Olr!%$&*xEJp!v&O7epc+<{|yyk!K^4V7E(0=gGtwhA+9{f2Gm+* z&iMY2X|4?6-jnm`Gp4yts>UZ(@A;4ny<;E%*1EU9Vz2xv#pDVco|1lMZ_zv`prd-n zb~R_%s+L_)nt$OkBfPgUt7-%!Zb9!Yy*s*POh(-6|Ju|B8e+7#194cjAS%!^#v_13 zlnm8$>7(cpZv(k&SV#|{Nb`6*ZeWOk24?ut=$#`kM|1aFAJkvP+Rdov4X!stc)RrjX)wNDvZP|)W8JU&nzA7s%Bgv{(ta*8a+bUqKJaGRJgyN9v(F- z$ST1qI|bR|B!8v95RCcNHp+yzfSrk!&pL)Ng?7Yabt!{p8hfK0nR{e9UkeQ}Yv+Gf zVx&rjjsVRmty`LMniBai%}-TYSJv!YTYe2nNT6Y*a+O9U13z&d2iicAJnCH|!SLe< zsva9A_kWZYU=?X2p5R8BFUBx>7MS~@XYz{7bolybOPC&s|0?WGC-Hn&sFK%`LUbNt zIx214Qzp9OsC2^YG#uKygL90hjwo$k<-**p38?HsahrJK8ZTXNkDUmUV{%d+q)IG* zz}(j(v<4%!8M9lj$v^k|0UEq4_3?99}&*c zo$B80zeTWZ+fV8MK)&gV# z6GZgE2V#$F7(SX#Xtw5ej-|FFt(0EM0)&_%;cr_4r}z1Z+o5`BwJ17814ShRgMTrx!Qeg%)>IxiYX2aOWZfeH+h%Qa|MjxqS( zYbu(+NEtvxc<4vTTKvQ*0dkv?^pZ^o*$Oo|*0Ion@0KI>XZ#OB-y-4cvc2>3lF(U2 zf)f!C7l0!OlSc=fO1um0FVhudDIsbbDSu0ne!xZ#$#Hmh$%wfA*9#4#& zxN-V^98SplV*gumP5zGAXhM&$-|aV(|;yZ z?55qHgGVe^nxSg9;eE#_@#KRC$~2Ue7i`)9iTzRiqM{_U3<0C??$`wc7=~Z!$YY3o zRyH0sC1_e<3a@~>@Q+DqIFY$}2l^s*QHRvpJXrz`@yT7_l@-atF`xR35j{gOD?;S~Lj3^cNVSg2C4Da=ZepS3C`&Dn!KCPfJICuAWB1Jy^uMamG z3-l8@HerDIS2E1gb|CnF&*Fc$T*3=;P;VMT&)mVK$_e 
z^Qxqr8kQ$Vey#QgmY}gQ2F#T_BBhzEubjV(F;p-w1_>&LNQUE0y`l&Sn0|3KNfPxGViBeT$!G66j zm&TT;3Fcx1pm(?g{WCZ_c?%fY`AY(X^mp=L@6V1UekQ0==i<6(`Un;T%8>veZP4NtYmwqEkk?>SgIF^pnCzj)Z(GP&t(GU z*=s$ArJ%!CeK2Y2D&J4AAnpiZQuVtyEKg8#%A%d*s|MoyG_#f|PNK!;Y+hzxRyRQ{ zSOt{YmH^RsBgJSt^PVUZnitN9;?XB*=L=ujr6Lf_F6@7QI<&rJ{gJW5E3HJo91>3K z@MWZ@90hj8LQD7G`(sk{@Pzp5L2FkX-sn!-qy(O^?W&kc`1_B*G(^zG z9W=Cf@Pd`mn(_KBdP3q0*Ujq^oBt4HCCZUPiIr!nVvIwjIw^Z za_o=z1?~oJQg%!SD>FIDVl0|_BvpFSTvQY_v zK5&1*E0P^EG^SooH`8t+<%w9Jb_$h7BZjm(U!TX)`-6plPKildX_O!J3Rosq zR?a0ftE;0|0}zxf;399AmJ&wbBXl`q*od7&L7rgoVJFjBi3(2++S4#5 zIt5(OqJof6=|ST?dgyQivnr03p~B zD|N1q4M%qOMr#FkJihqf2nB5}NM>X5X$H-)_7_ABl3JYv-lHYg>ub=#Cczo12R%?$ zC)5T_7vHQ!jKt)`tc&j>TW|)!CkK9WW1@5B`0D{ylE=n->(g9psj4XE=;){W9?ySH zq*vd$;Q=h0g%P&I6+;o64pyxik!V+dCCG$H)76bnh=NuuC!QLZsndwJqX)qV?HyCv z{<{V!>jWGD?E1EdXj;krS7|>jv*ID>C^^&)?j|80wF2Iq&^fF1Otwgd-X2!gjk8k$>1LT$e1 z_`!HX0DUbt6CM*Y44MBjFa@d%#}Wz!q%asQY2*JcchSgMn52K-T0>!!fjN7h=!@kY zGPu`AY*y68Ry@z^D^m^z@8O^9-BUxSk+ZjuvVBo5d8Mh}TlpR}p)SjR9ln3ttyh$A zOBZfht3pN1UCOLWb0y6qexsmlKLA`~J%nS9;LWJ6=2C@UlM zK27Vr02@?;y32vNM@h!WSId7g#+1|sNY{&d=*qeBRT@aiej39xMZQ3r84?e%PVcE4 zhkSY-md{$WVh=o2fLL*fm35r7j6%lfasn^88>w5-B9C7#(Zj?N{c47UdAkbiq>7A+ zL-8*LhMAgL&GdEzZ)m5)!b|_LnVNV2vuTSi?RcIH+LELt$hGql?4o~K{}^UGuK>B! 
zV$WWr&MS-~x_KNt5;8lOBY<^+!wrk~@YuESpskR$ktW*N`&!*Ws-We{9^bO}9W(iP z&t+*t8cZemOCkzl7h-6yV34#td?F+^9E9qU$HkzP4Q6wKTIn=)U| zr>I!f^oAAt8$kxpc{9LU`v)8%{yooM4O*1d?Ltby@vChQXGiKKsCr@FY=bt0t2<%a z(Va`p-|N*k@;>~X9VRSS)T1*Oyge~8pGdSjAKWzbG7)ug3d(<(H1Hu2!ak`o)QbIO z*7a!a3LrG=%rG}yZr%wqIAWsqX53*vK*r!EBFtz5R%tdZ$bSi(sSUEE7{!Q=?IZ>U zGqDhY4We7mBAXYf`H*PF6+M1w5UGvV3JwM3igrvFff(mm>K>~hBEp**X#Hxi(#)Sf zsSCjFwLJQ+V~Cw7`> z`M*@SiEqXaAEdIgX+e(3OafI1?%6Y(HS%2S3&zcq`VwrCe(enEqdim446xNsKxCdG z=xFW2)^uTLj!s^j@~1)an-o6?JLF=Odz(Ag?r!*C4X%GNeY{MM;nHyfb8!(x_C@b@ z8W+lcTr5TW>*Hx>Yv6M+(T7ravho^pE}BpL?+hX#TQlw~bn%WzAtCN@vQhCyA_udV z(pzw678eee!Drj!l0a2#s@V74&TV@ao@pzV@1>ezZ5dN>y@a6k!)zSGchR>)tQ|$RUJAm4>2Z=DnBFr zOhU49WkV>gR1m^3i~X!KA4FkF3Fjgj{9N@0}hTEw)tn265C`#;+&e5Nuu+GEho(41~NCm@_txWRs3n)bPCY za^PHmF8*Lh!6$oA8l%1!=WCt?`Z10zqn@HA3yN)J1Q!`=P7-bpB|%oZfm+Q(sW3Oc zS9O1e^@-Y_&9}y_F?>!P0ZDMHS^1CJUAxC&!a)%{f;8WNSnm-v-K0$!bbx6n0x|_) zUCi^B{UTlRzlX=xPm!catK58s_h6q6p~g%brUQi*$edM#?T{=9a-^F-B9t)skrazC z!NjfFrgP^nR0!=<8;Q4Ycrlb8De#$ULdAcG&=Hgk%9B(&Vw4(&8}M>S4t56frr!V+ zkr7g2tXMxT7)cX5sFLF|^fkKyw~piaQ}=Om+JZ+G!Is2^%^Hda34^#HHjVYta!#wt z1zp9;LJn+7EvnGQ+2Xhkq>Xgom=DjaQT%ihM%D5xrJZ{D3rhARkUlxQ$SA&=jX{4m zsBl7*(;(JfJ?1zT+S&5}7XH;N>=8XgHtHWew{)dWumBMJQod7?o7OdM=TyFl9SYVF z^v~|Z;JVMw>D+p7t>SAgTi9wA`fqH44A^c{o`a1tdNx~+Blb$LJ0}t9Lyi2k%lOd4sgzqjkYf}{-$h+E>4JvgGPk8DFj1da<<&TQCmURSmJc&{7{PzjU#pW5 z9(+lIRxb6&2KOZ>sWr?*MiNCsG{P<5+|X#uB+LL|FF*0|&XU9*R*lH>-)l_iV#KqA zqwFei7r35`Kr+I_p8GL6n!uYY7icyn_9*h#M&?X0!8-~6QE7=O#~N%dU^XIaZ2OF4 z-1}8x^)6(GMrr7{ysr(4euRHfo#0WSFfX}l(*anhjJHx`PaD4R+3Jiu4G`E+q!{0s{etpa|fO AYybcN delta 4514 zcmV;T5nb-fB+Dd_Xn(LdklmqTl1n8CDWvV8VeZbhu#*A<0K-rOf&|D9S)!?SY2U`z zl{y8+wAgkE9bSbcfcxZq{)ZjEO3IZu!8Q7QKw`GU@D&){W{Zc4dXj>A6A|hzG}XDO=A540zFc6he^OF3{l6 zlJyA$_UA&&xZE)(xH8$z>f3W`Eah8?wGd_1_CQBdPx6eiw~YFvcLrHt1?vif(Mj@aTY?@4XVb>KHg0 zRb{61(9J9HAK>n3T5sc_;y(Y7GT>w}HM3_bWC`Vzxy)ZG&DG_h-Om|J|FDywj;`xu zC$ZZ!p)0`hue6sG$6k{Y3$8@rJMwL<~V68CQ*Z6aOLkbT>n#Cfet 
zc>*cV(=1`19OT!-!~C^*hcw4MkJ>a+n;kwq-{;WwOOuJYuzmIvv&?f(T#UXNNW%_i z$G1i=jDOnv7iT(Rsc&$O(l-U@3`azj)Dq?J7kL)`4{#x*7R9Qrbl?B_I&vEu{b48i zZ&>F55n$03kOMvX55WKK4crKOuGnQ9NRqxFFq*Jf$va2+8_JrE`3#)$Yahni?@B~{ zyt`!FOLn&X-r+G5H-FCse=v@C*4ZKXX1T|V{eKVfH!$O8K3xOWJg^sMoD{gTC=4A6 zb@Ok7{!y}qjvVQEy>E;FETT*WAC7O1f@JxF(X;<~h8(!qOHJd}Myr^#qe3eKXl-Lo z4ffuy-8Fu-zULSUWYD0vRIm%8z3pbH>+oG|Z}@q5~BN%rjeu@zn* z#`ezHeo17z5Ujeo0C3z*qvX1rV(QiKnaskq@bF2(_9DS`P zo$~zisp|KpR$hGi1wnmxJlYdc4$^rJ_U`L?^YUvh3k#^G%DOgCmcWw$!E78BtdSd^ z-lXuvfuaz)=IGvLBcK-l&*lJ#1Y3(c%pD4!Y$!(ef|MNkEYI|-eiO}EqkBn0@_&6f z%BDgB(Py2-_xS@O@1*LqgC0^CZOa?hfn);#VJu-Jw_2{{sxbyd8Cy`dG$DMuBZi$! z-I?q*Pgy-r6_kSc>^W>*gTOOCRfPV)qQrLBLmxRt8=UlQOISN$E~0p~LH6Vo>N&sF znw~~EU6eUrMY`HA)y}GZ00P3ZAb(i0jpmqrKbE3s(QU6`uK6Z}ts<%QbfeY1*VS2+} zIK9AI$>eVa+^{pPIQc$=)%RVq3S{pzy{>otF;p-w1_>&LNQUAaiv{^|0=qJ}qqHg>-P0|3KNfPxGVoOusuD5op? z5QAi$<86$nRd2(;?stJ5+0mAMBuJE1H1=ullvMx|KUPNA))FfF#u+2t3&9r^j9r0VD4(h*HBHaA`j<|myGsVhf1Kv<#wyhwY zA7xaMm{w~a*_{1w49^7&{@g%qB1#|tp37V6{|6RMEXZNj0z`jG&zLdfHLAS&Rh_s! 
z6X~06!#0pucpq=!9WrB%B=h3q<|xj1WvDssfwKK>(;QpXd_-lEugpol3Ltl*iw z-Md`f;6K=Y*IuJ_qic9!tgbA~-EM$&$dRH$bN)s-GrvR=iyq0#;=P}$(nO5Tng=>3P>E$}vffVZgH&PZgM=Pt$V_e0 zj-)prAC)Q(ng2p4^!Y~Z6@w5Fue*t{dt_FL;9kA%KXe;ZVKkPT2NTo1v%`Pq$d)xYA?oa@cF9EpkSAxIM|-)f z9$5;ytJl7gEf%U%E_-?$5@D^Q2BVb#4_v7dwr*b-TlFFE|1x>#hGJ z8zx0YAe^BeLIL#}+n`m0FN{Ks=L2h`G*K2Zuo(V(*+JGzlUqAK9lx)a{hjiD&)odj zZ$^J%FYAu5SK{JL1s)Zsu8)<>=3wJh%i;8qmIhezC6e}c!6^>N4Znp20r6P_zHvv2 z{5WPZ{ncx1o%J@^bK#H{XsOeA`#mE+cYv0Ylhd<-Bk42c6 z`rgM#zP=W$n16sL+RtRrsVd$FA098y5h#BzqzNgvj|TIMb|PAaM-${GQbhm(9F*t+ z%N5%2Dk=dTai`Q4UW6M=3%mOjzs9X{x3{@S15pfupQpRVSfJZiDmhcp*?kLl0W^gy zA^G)n68$-5M>qEak*ouDr^ov{-sM*=12Ur`~fcHsa(kw(ptyCMl$2a{yu-7 zX2){r=7_T2*o`-I$KpORx6y?16>Ai!jMykAYU0(}B&kAPH7u*UEKGQD+@wKEfGjrk z4uma$I-eS`SxeDo5~7pg{MAqPWcB^rs9{_UUeHY)E_eVBEsNY$i6`dCDSYf9Q~>~y zUkit;ZRbpAq}qAz{qr8|?Gj+s5n%H4xg)WLEkG^HGvWNi^b3 zK-(g25rTHmrZf5Ze)f3BfA3)0jj{@)reXdW7kGA|!~LkhW)&}5PUmy+1Z+)1=IG0K zex(kUuQ*IUFcIHHt=gQ;$)=obJaX?yd?Wk}+*D2h%Q+9o{(lO?-kBg`u!$YiA8+)B!Zync(r z<zBFcYq@nNn?COp?$l04XO^&gzlq5kdU=9#w!q+ai5-&oxy zJVCzJ2Hzcg3Z*5_L+}%3OGqacBLx=DKa_>t0CHw$dAM=H*`u|Y_ImYa!kJDbS2*go z(ve=zi|)AfmW?${!T$xvB(Vzu+c;3n>OWZG8sfwI3V3mXT-qi|@w|U!WGJJE0F<#` z%+B&0s@Xn;+#`KS3cL-5u!4Aj$$;^vp5hlwz89f|4sXsy*f0Uh6Gj*>hh$dp=R8b+4%;laNG+ftXm8tF+*XNRhY4acH3&P+~L@q z8CbAJzQu+GE&obmv~uWO-lLW^j9yDv?u9z(BU|X@K=oZ*1ae3ucIzXj>OAIK6#&RC zbfg#Is)e4BO02J-e#PU2?R;OMh$50m|z8*z^)7RN_xd=>dB8Z#OKo zKX70hTe$KD5iozz5W_$#-zcs82jo0C9<|9)a#VBS+B+kUv^RS8iNp85kNjlpzj>@4 zq_iWdnaT1}5g6|<|5`jY4kJ>Cw~;V`Ia92%v#-iSup@l{iJ9N)8($#^82r}nHQu4Q zjPkg!7V(8$9TLKWLp(GBSOpCy2yYj zu=jE``634=LD>B7spR1l)lYVAx*Pvp6DNFXP;n&HaCe;%y%n|ZngqwWUmS^b@f~Z$ z9Wd(L%+|%nYo#Yzi4yDKiebD<6j;^+C!b37i7gRd%L3-@=w&Od3SJom8h>f?;&E>h z!%TVVW?O%`y?2UjVg07t`)w6;N>do?&5@VAX>1E<3J@9iwHQK)$n(wsw!zj39Sa&hO)5K_#Uh z1EPIqU1DG0t!gu-twEtWxxZ-UJbB5|zc7pt=h=TB8z#|6rMox&%knbXeOfl@brT=v zV)GAmG3J;~@YFdT^$}Z;x!8bmLAq`%ScwT9Sb}SZe)vcBrFfLOE*Y)f0&uqP1J4Q= zf~8z~gCjrwL)3!-9f_-_hQnLf(9QNmp@5$mD;1S`n}Pr8;23aRRX);uuI#kA$N}$g 
zv}S)hE!)5)6gf04ES9WrFNk1xS_ZOYCUne^(xlc}auyCRlUicku=SYDK^*T0ne-)H z1Tp%=L73F_*+w~g zOc~3GoZSe)wKP36(eKdCFg9Xp+;|G><2`@6k@wf#H$ZsR2$8X7WC7VUOo>dTT}KMv z1@(5zw+Ag3vUi@W)s{o0MZK8lfp-mWytn+~+Bqd5_oWM#(ulA4oKIod_=^Ci5vy&mNos{oO*EoE6V&FCt`%h%|p_ zT7b*-2QYF1j9uqLW;^suwD1F-eMknO{|T3O3YEXqT64kjX`zs3+4V=WWz^-7#}}cO8Yuj=#bTI6L$>Q= zCJ(F(vfi2y_u_CY)zdoIq2LZO`z?R{-1CZ^9s%U6955(5eC97L66LOJ^P=0s5YEWM zItBiV-$D{9jqEbPzhWDkqK{kr*p5n`YW5k83T%69f|Vdu0^OQ1>k!e`RL9*XLhQ|q zn{t4EXD5b~Xbg_(={C(kv2NfGp5EMtptm24>6)Zy(nrigE-$ily!lo8K#hMyrCHkJ z)R$HnpI+UdLo?P)M14~}tPQ7XskHn!=~8x?9_hWVQ_GTIzNBI0NZ&16l1!_UjfJ2% zn)U%=)pku2yX&gfTN?-3x8|+Be;j_?YH@5sUJj3*F={8yz&v4|Z5z&V%C_Gn5HDxu z@BU)JLs3^D=shQ45d~MwlQ)#|LmU&lrJ{})&_nXC&!i-K$n=#9+bv9A`sdh zXqs5hHRa&MY<@K)kb*f0;m}Cb20s{etplM#o AlmGw# diff --git a/certs/cmpv2Issuer-cert.pem b/certs/cmpv2Issuer-cert.pem new file mode 100644 index 00000000..22f42d0b --- /dev/null +++ b/certs/cmpv2Issuer-cert.pem 
@@ -0,0 +1,75 @@ +Bag Attributes + friendlyName: oom-cert-service + localKeyID: 54 69 6D 65 20 31 36 30 32 38 33 39 32 32 30 37 39 35 +subject=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org + +issuer=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org + +-----BEGIN CERTIFICATE----- +MIIFCzCCAvOgAwIBAgIEM8t7/jANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV +UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ +MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE +AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjU5WhcNMjExMDE2MDkwNjU5WjB3MQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy +YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B +UDERMA8GA1UEAxMIb25hcC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCr0qjRjcHoyMcmDBXjtern9WJXXyCAINDBzHUt0tzXQGniiIOTExetgXuI +v++h4EkgnRjUJ6esJKE+7TvgwmUKXjsycczMYHG1A9nND7pYqp3cGIeJtzOqWxCU +8u0Xm2tATb92nU4wtzZWxilBqkJrJj7i8OnuehM+GkVRfLP+qQbTQ5nxNww+e2ZL +Mg2oH7L30m7am4qgXE/RtGUr54kwWfUOA3v1YswWZF1YnXpD4oFggtbYYdUSW9Bp +SW6HNDFxQh2kiARrmOkZWLcbc7zFzR7GHG2erXB88Y7p7tUyenORYzFHg3CDth71 +ETl+Tf6HL6bzpjsa6RcIUrKXqKtnAgMBAAGjgZ4wgZswHQYDVR0OBBYEFDZ0R/yN +JNMVm4PCGh5cgWSGVD19MCkGA1UdEQEB/wQfMB2CEG9vbS1jZXJ0LXNlcnZpY2WC +CWxvY2FsaG9zdDAPBgNVHRMECDAGAQH/AgEAMB8GA1UdIwQYMBaAFGQNDdvijQHo +S6mO/gjJegXt0/csMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkq +hkiG9w0BAQwFAAOCAgEAOZCWY1t/PZFEcycxvOOcYojoFeqVatM50uq5RnKg8PmQ +ALLcuHeHUR2KdHgFXj4AykzWRCSZpv6lzFwY+iUE1iav0CGqdy2izVLvjjoP1hDt +AtUB85VpknRpvQobWp7K6MHN1teQiggHA68jAzuRS0/jTPdz17W4edtpk0t8BTZR +BPok3UVkRAda3LIEXxtayZhjnIOvYsgdieSiakENh1s54jwpvmNJ+99YOuX7+Mm4 +V5RcFdbJDz4R2TiFDLBuwfWhRTz/FkS+a9ohIasyv2eG3D5vUFxCrg62ud6sngjH +8TZfzIAqadInVB1qqvtx+DeY0h1EFTZFbXs6YZKW8n/zcCQDTDR9/ryW35QJuj3n +qkVlNpgDbUFUnqq2IIttSkKmo1X6ArQfL/kEF5eybzstYgfB2fLufihl024bGcV7 +/IJCCDQ+yH9d2CZ2fMmnxZiDy2amAENgOu1FVKQMT81+N5JTVIXQjxAOnrKXaKcl 
+AqnXtaPHyIEhSFa/dADLLwjdOlcgxi1KuP13Mu5sBPXB3UlvdF2as3NtchFNip3s +1xa1p4Tz8VLU0iq6bims5es5lTYPwbfe0hNycpvu4XrMy70sgabw/SLMiGx5TTh4 +D6BH2kEp451Vu0fqrSLfSmZASZzpXgyRBiT3+4sa5BXphvBwZNxLiS5tdbN4wvA= +-----END CERTIFICATE----- +Bag Attributes + friendlyName: CN=onap.org,OU=ONAP,O=Linux-Foundation,L=San-Francisco,ST=California,C=US +subject=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org + +issuer=C = US, ST = California, L = San-Francisco, O = Linux-Foundation, OU = ONAP, CN = onap.org + +-----BEGIN CERTIFICATE----- +MIIFnjCCA4agAwIBAgIEGHBb6DANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV +UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ +MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE +AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjUyWhcNMzAxMDE0MDkwNjUyWjB3MQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy +YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B +UDERMA8GA1UEAxMIb25hcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQCDBR06SSPmxUiug54/XkZbTSve183eDb+rObAOWu1c3yQHBjBAAECa4Iuq +TZGwNoK/vYXr2iryQ02Lpp77zBCypVCDrHGl15wHpkCYjNNoukoYHha+vCEstnlh +TLBPyerQpdcerHsUTaHphjdkpfLklFrfFz6SCo1kvInghFAERljOaN3/iq271IAT +epyAVDdTzQ+xzMBNQFgF3QUORh165IJ4Qd9ZVcXcjGwILGV9lw4AaISjVqIpkbLh +pwjnA4PmLdZvHr7yzT5GMxPY7QV9/7NQfknOTOSZqFX2dpsqXd7mNv/G081zDbJZ +bdyUHyAqPm4I7rZ+6frH78PoCHwAp1mOP5AzTKEYUen1PB+88lTqlmjxn8VXz8vN +55fI4YCQH6tlRuwQjl1HQyIPDXjh8OJIIn4Ig9ay9FM9CS/Jw7HkObjImhAM2MnQ +JnCAsOvXyn4jdbsGihZoXF387OgLtWCjzwZZMMBO8FnbncYgWecbnYpErr7NZxr1 +E3qB3JTsY5TAImN3NvrFIyuovf54dyrDWQhtle0cuneBBS57HSgXSeDjvVJ8Wr51 +pfRkdMBnA4ZYxJdZjkiW1ocTIexwWk1uPm0/wDUlW+ppysKHT5p290NktRUcB0bx +P4c938IumCNeNYOWiPCApeCRif860Lnh1d3TqG/WP0bTcX2HAQIDAQABozIwMDAd +BgNVHQ4EFgQUZA0N2+KNAehLqY7+CMl6Be3T9ywwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQwFAAOCAgEAM1QDhC6dJzwEe0sf8x6ip+c/LHAElOOWX7+N/QRu +iZaccfgox6adu4BE+l9mUrqKxFBnpomzvoLfSrsOkjhj1G5uOjIuxARZnKrcwI4j 
+c+WucSqBBnDqyzL7+7G1Unm5+yifl5AEs2x+7ftFzogUKWa93xsQ22aNgDOz0+B6 +FL+VPC0JSLH2QGTtHJVMKiLKAj1M1rAsiuISK5KKmk9CGFJl2HAgWK4LT4cbZPT8 +2BODLKaW2qFVRJRCRJUB9HZGDz+Fn9MxNXmQf0ox++HycJlgQMsIDOUJj6B8bygI +eU0pD50RMKNC+tnaeHLRKLrGA1KaW9kku0UO/dINMdmIfi9FKGbUAoLh/2cR1bUF +XQtiKeKsH/0HWQ/M2iUpHaSSgx+xzNx/4waOL8WdZatjeqVcbRHly/lk6mq+WE81 +38i9rMZMiHwVKhbzuwYmQ4GLuAdQ/RttrULM1/4FohMhUplvugvx+fajqYf85kNR +okduFxOXt3Mc2rGdtjo/cCur1syKcjXnB+sYmzAbP2ZSkD0Lm+F7dpP2G46fL/aK +TTLHRKqVSGzCizCukPMOdo/LjBxrOMUduBungSEnpqGOCGw8n/7djVIll7eDmi8d +c4ond8czbqLhcMgaUkj6hU2IDxGTN/Hsxxx8q5MSw57pIAvuT6oHxECuGJH4tiU9 +QS4= +-----END CERTIFICATE----- diff --git a/certs/cmpv2Issuer-key.pem b/certs/cmpv2Issuer-key.pem new file mode 100644 index 00000000..8fdd9596 --- /dev/null +++ b/certs/cmpv2Issuer-key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: oom-cert-service + localKeyID: 54 69 6D 65 20 31 36 30 32 38 33 39 32 32 30 37 39 35 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCr0qjRjcHoyMcm +DBXjtern9WJXXyCAINDBzHUt0tzXQGniiIOTExetgXuIv++h4EkgnRjUJ6esJKE+ +7TvgwmUKXjsycczMYHG1A9nND7pYqp3cGIeJtzOqWxCU8u0Xm2tATb92nU4wtzZW +xilBqkJrJj7i8OnuehM+GkVRfLP+qQbTQ5nxNww+e2ZLMg2oH7L30m7am4qgXE/R +tGUr54kwWfUOA3v1YswWZF1YnXpD4oFggtbYYdUSW9BpSW6HNDFxQh2kiARrmOkZ +WLcbc7zFzR7GHG2erXB88Y7p7tUyenORYzFHg3CDth71ETl+Tf6HL6bzpjsa6RcI +UrKXqKtnAgMBAAECggEANoW2RCiza2aqqwwSths32zsmZYsuCPpgw95ZIJ1Urokm +EFg5SCY60TfRN2eQZtGA4vR2uHuM3TcSY6Fr6rpEzbFxH2S1E/VWn5YFOujOvOwH +A5xVBgI4Rsp2zIz5ZxBOTC1foAfyk8rPV2GyHcAlK1MLiX/g+2eJS5+Sd3UWuKvq +mMBrsyHXy6cGjwvilw0jaE39XK55MDOyoZMeJ8T4eFBAEyoBo9jfXZ8kmtD3NOeT +92Xem+/ggzDZ1kSYEq8pddJCEoUgisVfueKJt4MzOEqKW9sUmJz66N+AgOhsl56U +7uHit4FWO+VbmGBPChBK33GXI56ID6VjD26YkZSBwQKBgQD9jNY6qorZgWo8nrq2 +NU77QVcr9UswhmBS6PMsGMWXf/xX7qEZyIHo21O88NFxsiWk50g68PeSNt4Tdrgy +LnQkz838VNOYv3eBFEXV6EqEPV6UKeee8D622+DObXiKjKKpyYjiz86dOqGKy2cx +DNVFBtCXEbF1+pKfadm9MXy/OQKBgQCte6sD8OCNw+0K33+LaPh5NY2oGc5Vr6nr +N16yUWINTAFVMJfAAR9I4ZCGeyEL5QSX8ZlF9R9ceUoSibR2gh8Uyt4+gFCSrAIo +Q0kZHIxoAbzy0oAjrH4kp5WvADewVBCnZJlWxacqFLGctY6QamOjZVUupJUNChzS +p3aLujYfnwKBgFjW5x1JMjuB1+qDp2I+jX0F6PhTC1RmUQvb6ZBy4ZDy3EUnLLVv +Bu3DI7UZIBnZVM1R6IIWenh11xw0xdd3ZWScl00pn7Zup/3HT6zipnFtW11IzYpo +HWFO65cIzmqlWj1pixgFvhxjNcT+/ho2p+d2utGj9m0jLgrDOPLMiywpAoGAE54f +eaOckQtt28PoVWh6aKKAsVixt4jUyy+IuttvHhfRMsP69RBrbD9tq3dzBjhQq6n7 +bijI8hkZIj2GNbyDLUO/nAvAkMV4vPrW4ksTKZPAvSjGqsIPxa9Zwt9gbMUk2PkM +Sf6x55VNfG4ff/834ztLRaoA3Oee2MdtJWHaSvsCgYEAyowbkfptaMIOolx9ckfK +DSEM8Bm5DuIZj3VBXGQeKf2w/XpWzDyIdCw/Y80E5dR5iLdHVKPo9Rjy69njKy3k +rmkjss31kgKi1XGAB3+S7lfPMlBqBk+yXuDOZV+vsdQVGNq3X0PUdGOpWH6UKsNo +osNGN6HxtgCEh51vSoOkAcE= +-----END PRIVATE KEY----- diff --git a/certs/root.crt b/certs/root.crt index 54798de4..7d2bd04f 100644 --- a/certs/root.crt 
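Review bot: The key added in certs/cmpv2Issuer-key.pem is an unencrypted PKCS#8 key (`-----BEGIN PRIVATE KEY-----`, not `ENCRYPTED PRIVATE KEY`), so everyone who can read the repository or its history holds the private half of cmpv2Issuer-cert.pem. If this is test-only material (presumably regenerated by certs/Makefile, which this commit changes but which is not visible in this hunk), state that next to the files, for example `Keys under certs/ are test fixtures and must never be used in a deployment.` in the README. Otherwise the key should be generated at deploy time and supplied through a Kubernetes Secret instead of being committed. Once pushed, the key stays recoverable from history even if the file is later removed, so it should be treated as public.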
+++ b/certs/root.crt 
@@ -1,33 +1,33 @@ -----BEGIN CERTIFICATE----- -MIIFnjCCA4agAwIBAgIES09RbTANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV +MIIFnjCCA4agAwIBAgIEGHBb6DANBgkqhkiG9w0BAQwFADB3MQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEZ MBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05BUDERMA8GA1UE -AxMIb25hcC5vcmcwHhcNMjAwNzI5MTMxMjQwWhcNMzAwNzI3MTMxMjQwWjB3MQsw +AxMIb25hcC5vcmcwHhcNMjAxMDE2MDkwNjUyWhcNMzAxMDE0MDkwNjUyWjB3MQsw CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuLUZy YW5jaXNjbzEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsGA1UECxMET05B UDERMA8GA1UEAxMIb25hcC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -AoICAQCFkduZzAq9OCELD34x94FqVLtEjBqhuoc70vX1Ymcb9D+LFh4F3tZ+FN1S -C38EnXTRrnoNgO+upv56FhqY0rDvDq8ldgNBnJLHQHJn5L5HNEY4QdP934CcZOUA -6DEDu2CNUq3uuxBSezcQsRMtpCMahsDEL5MBo1OZcrez3vccV4/RuFwvjhRY6Gff -TLJTBnkMZtdjKi1XUS1dzO1R+o1xKH0928FZ+poJggU8ClB6K0rl66uL9mWbLRK6 -WuRCFPsfQ3IZQHec1GEjgEx3LbW1YVVCrXrseRfQIRRVQNrVDiC63N4fxfTbg6IP -N06UI0uOvETAV6LaFGM7pFy2EhhY0+njCABp8GiOC9Ti56gzT14oUXp1SMbvEfqH -S3YjS77AxPZLH9Nk4PCTGYsChVe4zBXZMryH99YdKVPZKfwOGug8Q3wpqK6GR27Q -2/z1kqajS75A5nQRRS280ocHUjUZei9WDsvoewEbksKazH2z8UDiO7VmihC1z8LZ -2wDGt3NaCcWYiMY2JUE7nMS/N4+S+uVGK3tLUn4VYCuTTBJwR7Fl3pptQUpH4ghJ -faJQ3ZyUkxr+7C1qky3KpWCPIbpwZ0Z+jza44KcwZhtykSiUGNs2ZVAgYdKWKEzN -3IaiRTZ8a26thx3Emc3VW8C1ROKV7Z1xRtMIThHCQCAuCosiqwIDAQABozIwMDAd -BgNVHQ4EFgQUrgR74ialS4IseMsG3HxOI1ZnzlswDwYDVR0TAQH/BAUwAwEB/zAN -BgkqhkiG9w0BAQwFAAOCAgEAgLlAXuD3EQpn5vn2wkUcF0yFLG5UzjaTwHQAAdZU -jtK+9IxcccOwMCaF3S17eqRxiVO6a+fxTsS5yXY8qsvmbJpeDStMUWgPUDVAf1XP -sZ0LI2c/V9R4JKYSUTXkpW1Ljkiu7AqO+VRV43I8//sjDr7gotusdehrLGyFQy9S -aQPmg3fk/zN8solAATD1+FMxoawmoQUAUvKVlGYpVu0JOaZywhF9QI9E1eJziUxO -5B3TcDVlbSxmEVHD1Z/Vc3e50yN+vxN2tQBLkfM9uBDON75TiFXSBd0rUfaOXjb+ -Zab5vMF4h4VeUocx+BJtA1SDuEF5JoKY+1QL8ZOIkWtsCaiQQ6psJDLP4GVic6k7 -FFh9nL4KFCGVKh7Q7RqUiyUhU69MYFNEHcEpZvBrksInlXwIdDv9v2gVGufjp7+2 -2YdOzzOVYP+/kbLbNwYPVEKs2BQK97SNw+0AN0ZM1y2XdXQ14HHh9VxhKPj7FUpV 
-c7u8CaQMjCotLvKLcCxlVkOBTpPPO75i81Z+j8BMqIdTOp5KptZLvPRavJY31VTs -OPULKA0vjdEmid/syLuta9BSNvyJkhvvJmQ43LCRpteOOQsB6MhHvYZqsubifsJE -SSe1GKF90FIPp6/P2ya5jwVl3KyLmOBMplJIbIekS8EVNvkEGIHhBS2AYr2VDsgK -YhM= +AoICAQCDBR06SSPmxUiug54/XkZbTSve183eDb+rObAOWu1c3yQHBjBAAECa4Iuq +TZGwNoK/vYXr2iryQ02Lpp77zBCypVCDrHGl15wHpkCYjNNoukoYHha+vCEstnlh +TLBPyerQpdcerHsUTaHphjdkpfLklFrfFz6SCo1kvInghFAERljOaN3/iq271IAT +epyAVDdTzQ+xzMBNQFgF3QUORh165IJ4Qd9ZVcXcjGwILGV9lw4AaISjVqIpkbLh +pwjnA4PmLdZvHr7yzT5GMxPY7QV9/7NQfknOTOSZqFX2dpsqXd7mNv/G081zDbJZ +bdyUHyAqPm4I7rZ+6frH78PoCHwAp1mOP5AzTKEYUen1PB+88lTqlmjxn8VXz8vN +55fI4YCQH6tlRuwQjl1HQyIPDXjh8OJIIn4Ig9ay9FM9CS/Jw7HkObjImhAM2MnQ +JnCAsOvXyn4jdbsGihZoXF387OgLtWCjzwZZMMBO8FnbncYgWecbnYpErr7NZxr1 +E3qB3JTsY5TAImN3NvrFIyuovf54dyrDWQhtle0cuneBBS57HSgXSeDjvVJ8Wr51 +pfRkdMBnA4ZYxJdZjkiW1ocTIexwWk1uPm0/wDUlW+ppysKHT5p290NktRUcB0bx +P4c938IumCNeNYOWiPCApeCRif860Lnh1d3TqG/WP0bTcX2HAQIDAQABozIwMDAd +BgNVHQ4EFgQUZA0N2+KNAehLqY7+CMl6Be3T9ywwDwYDVR0TAQH/BAUwAwEB/zAN +BgkqhkiG9w0BAQwFAAOCAgEAM1QDhC6dJzwEe0sf8x6ip+c/LHAElOOWX7+N/QRu +iZaccfgox6adu4BE+l9mUrqKxFBnpomzvoLfSrsOkjhj1G5uOjIuxARZnKrcwI4j +c+WucSqBBnDqyzL7+7G1Unm5+yifl5AEs2x+7ftFzogUKWa93xsQ22aNgDOz0+B6 +FL+VPC0JSLH2QGTtHJVMKiLKAj1M1rAsiuISK5KKmk9CGFJl2HAgWK4LT4cbZPT8 +2BODLKaW2qFVRJRCRJUB9HZGDz+Fn9MxNXmQf0ox++HycJlgQMsIDOUJj6B8bygI +eU0pD50RMKNC+tnaeHLRKLrGA1KaW9kku0UO/dINMdmIfi9FKGbUAoLh/2cR1bUF +XQtiKeKsH/0HWQ/M2iUpHaSSgx+xzNx/4waOL8WdZatjeqVcbRHly/lk6mq+WE81 +38i9rMZMiHwVKhbzuwYmQ4GLuAdQ/RttrULM1/4FohMhUplvugvx+fajqYf85kNR +okduFxOXt3Mc2rGdtjo/cCur1syKcjXnB+sYmzAbP2ZSkD0Lm+F7dpP2G46fL/aK +TTLHRKqVSGzCizCukPMOdo/LjBxrOMUduBungSEnpqGOCGw8n/7djVIll7eDmi8d +c4ond8czbqLhcMgaUkj6hU2IDxGTN/Hsxxx8q5MSw57pIAvuT6oHxECuGJH4tiU9 +QS4= -----END CERTIFICATE----- 
diff --git a/certs/truststore.jks b/certs/truststore.jks index 3d8187f699088494fad4a6a7adc94963e30686ac..a1478775cb3a5cad3007f814ff0ab6792e3d7177 100644 GIT binary patch delta 1656 zcmV-;28a2=4Z;nOU4P4ge^&#Dcp;rr%u5ko|ysz0K-s#f(8gqdr@I$f~F$k z9J^~~%eh2{JGz4tvNDmw^n?%7_W!=0pT*X^suuR|wuA|ZKThMl$^?;|r z&LK$WGW!)57Y3^qssGoF@FKa1@pSDSJ2s9E1J`> zFbB6wAzX*dJ8=D0d&s#q22*u;k zPxEZLIBUONb$>6}$tPq<6L)JV;aH0LQ+q>cfuoEU?O7w*_Z>d_cW`7Z^5NVonV0YD6dgZ9cB-t{7 z_(7Xd=7mg1I7z7~@K2A!=-AYF<{qNR_nX}EEwVCe!hc0=mA;-?bPzXw>R_^kM)@Iv zC;$xONPRW;6)#3pvW*i+txmu;)7F&zZXQd)-ZM^S7OFz46<#H##jt#LG8tc=rPeKH zvka?h!?R1mbMj-HIh=sref@3U&uh?aZUm>wtg;#;$&sI@$JW|xlooH9VRs25R?+~d z{a$mxym9Wjv*zNE{J~}ki3x+MIwex1bDSrkzu3E9#e~KQ2kA?zj=EErdmEJ zD-tu|B#Wcdv6II`IyBx;CjYYQYR=lj*pmA0*}w#vY6LhZ(3h^XJ!p#P6r*O`AqK^dM^3kSSPVJDe2H5>F$UQz<*p+*stfRc#_b_;d1*<#MNX|HdIkm zo390)i?GyDF3h@cpJ&M65i`Kd25~^frY1Pe$jU{=ODY_PrsDjMiAbl)W9wn~*uamI z#-pwQx?y^6l6OUW8UMIh3P@#tCe-sSA}Sl)M7on9MZqVUpzrw!u(_47aA9JdAWj?H zY=2m&`#}*iyz}&uBUpxbm|AhVEDK)0&uM>_NCaGeS%;byz)K`sB$G6^0=k*L=-1xW zIc>;}Fj2#AxR0+|&eQ`4F$Yft%@5A3vcRaI2R#e9z!n&nn3>-+8XpLrH0SqnqnTM& z2662IlK{bMO$SoDNV4S1&Lq_F2*asAHh=1$-BnOvCw#B=FTu{^EU+xq4#L;-j?tH4}VqaL{E|B}ePMY0wTbn0h7Ux8GR%Jw`Tnqara=`UN2jUW`6=ej;w1?Z(f(Kq^d{-iS;*Xb%2~z)?EZ4Fj!zj z!jBIPS-1uI7W0@m?Rj&>!!yBjRNCNvtAE^i_a~u~EO$DO|2jY{-+t(VWkMIaHa{bp z5;#y*VU2G`hJV5OM&02v9AbN;XQR?uH8z|BKfOZ2R#^bdK^rmF*F*k010~U z$BPgy7Ivt{#HJ!kuW2iY5LE5K43==lBRD~WUOc3Eb%iH6xJs;3wQxFJt+JMB9Ki`k z4=d71qH|9MtYI|TJ!7C2Tz?6nN-H-|rG31GUn(e51pgr346WUR(#hJ$fBj;5LDq+^ z{~bf|M3r7+D|NW`D()}6Rd?mv!}~p!&NSLTsb0{^_Y`XA9L-w}PS$h65<2!LB8gYP z;t7RZ5K?Y2>}BMg91sJFgmE3GJ(Ty~OLu3d zPlE373%=FOMZPiSUtCeD$;1RRi9|eunjX~|v6nen@tsRZJfM>>J}@CL2?hl#4g&%j z1povTIyeQXZeLcDLm`ttKdKALE|r#e1QfV8;d`W}81q`mysOU9CU;rIZ&v~X0fwMg C&MI2~ delta 1656 zcmV-;28a2=4Z;nOU4JP`9I$w#Zw(4?>O~iW3&E!?oyY)qfuU4Qxz50rb0sE#?Eh zL~jVo<0rv(2m98yGvgfb1dYYFteLRR#4ZvPVD*t+R+KAYfQKUIdu}Mm*+F-{V1Z*q zvD23>;#arh7CplZEN>e5fpPnxRepStv$WY^y$8AR>K+WLvvFTz@CqQGS96z>CYL!a5e{MoA3p 
zU}k6*=(|2ESHuiXP(c|Zy#^++-p_4L(?O|yHf`b0vVtN(IjIq?O3cfB};T>f%- z&)V9AD}RFzygsOdS-ESD2`9_&2Rp=|fqN(+Y|KYbGi!XwhsV&vS*muM+u8*z`I!3D z88EstnI0Y=J=@9jhZjR0jgeSf-98=E?5-Jy0Va?uQQjXM~*Nwgjc zVx{g%p8e&Hg2;SSZUWJ=PaMQOG>4)$kO2m2_{<&o)to7GB)tvsrQsMII{JsI1enixe0@5HMM89I<)?4un6hEY z$%X92af=~)$B+b<;>!kkgh%(TOzK2b(SM2gvO?&7hsstqhxC^Q)$B!#L6#7xOAe(G zdh7o8rICt~lHXfFY~o(j>*Lv6U@C8FkHwpya^+ceVI74FaFv=RXooxlTbQ`m)c=$0r+rh%p{p?0*p8gs;`t z(SGnemfq9DfsDzcb;OT678uo$CGqF591Qsm6SGIozW!x!l4LA0;#p@l%z>aGlTOzn zEKPRaG8PES;9~Zf=Vsjas?PyP6lTm?2u8!V{ySb=TNPpntw(D`MBe0Kk+hpI&uI=DjIvwId^G|!o#J_bTMc_!(D5v z8J2nERGCh>{dU{btBO#FS8%cMyWtlDT{D1vUjXFU4NiX-P(tAUAayzUBNG!hAOtee ze~vy6gfQUgHYLQ zQ2a7YtqRtVr#t+HYf4LS%hvm%k7miC3ZDF4JV($_1!F2PqKFJIJ}@CL2?hl#4g&%j z1povT#352i3>}=(XjwyV3LCb!L(<$p1Qc;*#44{%)MVjG1dy4>ACU!DvqS;|0fwML C4l^