Cert validation errors (was RE: [xmlsec] 0.0.8a build error on Win32)

Moultrie, Ferrell (ISSAtlanta) FMoultrie@iss.net
Wed, 28 Aug 2002 20:53:13 -0400


Aleksey:
  There is only one key and it's only certified by one CA, a self-signed
root CA. So, w/o the PEM file, it must fail. I'm attaching a test
document to this e-mail. Try:
  xmlsec verify --print-all test_allkey_99.xml
It says everything is cool (except the cert validation error) -- but it
can't really be OK since there's no way to verify the cert w/o a trusted
root specification.
  xmlsec verify --print-all --trusted new_export.pem test_allkey_99.xml
The above works completely because the root of the cert can be
validated. The issue appears to be that there must be at least one key
whose certification passes *and* one of those certifiable keys must be
used to validate the signed hash. Anything less is a security problem
because anyone can re-sign the document with any key they choose based on
a self-signed root and that root will be trusted -- the validation will
succeed and there's no real way to tell it didn't. As you point out, I
can't merely look for a cert validation error -- since the cert that
fails may not be needed to validate the signature. Somehow xmlsec *has*
to ensure that any key it reports success on must have been validated by
a trusted cert chain.
Thanks!
  Ferrell

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey@aleksey.com]
Sent: Wednesday, August 28, 2002 7:59 PM
To: Moultrie, Ferrell (ISSAtlanta)
Cc: xmlsec@aleksey.com
Subject: Re: [xmlsec] 0.0.8a build error on Win32


Not necessary. Suppose you are signing a message with a key and
provide more than one certificate for this key (for example, signed by
root CAs A and B). It is possible that one of your recipients trusts
the root CA A but not B and another trusts root CA B and not A.
Then in this case *both* recipients will be able to successfully
validate the message and both of them will have the same error.
I believe that in your case the message verification succeeds because
XML Sec library was able to find correct keys for the message in some
other place (another cert, keys manager, etc.). From my point of view,
this is a correct behavior and the verification *must* succeed (see
scenario above).


Aleksey



Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  One other question .. when xmlSecDSigValidate() returns I'm getting a
>return code of zero, and pResult->result is equal to
>xmlSecTransformStatusOk. According to the doc, that means it worked.
>However, down in the guts of x509 verification, the following error is
>being generated: "error 31: cert verification failed : ". Unfortunately,
>while that does result in a callback to the default error handler, it
>doesn't result in any final error status from the verification routine.
>So, unless I monitor the error handler, I don't know that the error
>occurred. In this case, because the uncertified public key is really OK
>and the hash is OK and the data is OK, the verify returns OK -- but it
>really isn't OK because I forgot to supply the PEM data needed to
>authenticate the certificate. Shouldn't this have resulted in a failure?
>Verification with an invalid cert really isn't validation of the
>signature, IMO.
>Thanks!
>  Ferrell
>
>-----Original Message-----
>From: Aleksey Sanin [mailto:aleksey@aleksey.com]
>Sent: Wednesday, August 28, 2002 7:36 PM
>To: Moultrie, Ferrell (ISSAtlanta)
>Cc: xmlsec@aleksey.com
>Subject: Re: [xmlsec] 0.0.8a build error on Win32
>
>
>Ferrell,
>
>Thanks for reporting the problem! I really suck :(  and I am doing new
>build right now. For 0.0.8 release I've tried to use a new box for doing
>builds but looks like it was really WRONG idea. I did 0.0.9 release on
>the old box and now smoke testing it.  Should be done in 15-30 minutes.
>
>Sorry for the inconvenience,
>Aleksey
>
>Moultrie, Ferrell (ISSAtlanta) wrote:
>
>>When I try to build 0.0.8a, I get an error:
>>D:\xmlsec-0.0.8\src\enveloped.c(24) : fatal error C1083: Cannot open
>>include file: 'xmlsec/xpath.h': No such file or directory
>>
>>I don't see an xmlsec/xpath.h in the xmlsec distribution (there is one
>>in libxml2 -- but this specifically asks for xmlsec/xpath.h).
>>
>>If I simply comment out the line:
>>//#include <xmlsec/xpath.h>
>>.. then everything builds OK.
>>
>>Am I missing something? This same error persists in the 020828 daily
>>build also.
>>Thanks!
>> Ferrell
>>
>>=====================================
>>Ferrell Moultrie (ferrell@iss.net)
>>Software Engineer
>>
>>Internet Security Systems, Inc.
>>6303 Barfield Road
>>Atlanta, Georgia 30328
>>Phone:  404-236-2600
>>Direct: 404-236-2849
>>Fax:    404-236-2632
>>http://www.iss.net
>>
>>Internet Security Systems -- The Power to Protect
>>=====================================
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec@aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec


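The acceptance rule this thread argues over, as an added example that is not part of the original messages and is not xmlsec code: a signature is accepted only when the key that verifies it is also certified by a trusted root, while a failing chain on another certificate for the same key is tolerated. It assumes toy textbook RSA with constructed keys and a simplified certificate record; every name in it (`verify_document`, `cert_chains_to`, `TRUST_A`, and so on) is hypothetical.

```python
import hashlib

def mersenne(k):  # 2**k - 1 is prime for each k used below
    return 2**k - 1

def make_key(p, q, e=65537):
    """Toy textbook RSA from constructed primes, no padding: illustration only."""
    return {"pub": (p * q, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, _ = key["pub"]
    return pow(_h(data, n), key["d"], n)

def sig_ok(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

def make_cert(subject_pub, issuer, issuer_key):
    tbs = repr((subject_pub, issuer)).encode()
    return {"pub": subject_pub, "issuer": issuer, "sig": sign(issuer_key, tbs)}

def cert_chains_to(cert, trusted):
    """True only if the issuer is a trusted root and its signature on the cert checks."""
    root_pub = trusted.get(cert["issuer"])
    tbs = repr((cert["pub"], cert["issuer"])).encode()
    return root_pub is not None and sig_ok(root_pub, tbs, cert["sig"])

def verify_document(doc, sig, certs, trusted):
    """Return (math_ok, accepted): math_ok means some embedded key verifies the
    signature; accepted additionally requires that same key to be certified by a
    trusted root. A failing chain on another cert for the key is not fatal."""
    math_ok = accepted = False
    for cert in certs:
        if sig_ok(cert["pub"], doc, sig):
            math_ok = True
            accepted = accepted or cert_chains_to(cert, trusted)
    return math_ok, accepted

signer, root_a = make_key(mersenne(61), mersenne(89)), make_key(mersenne(107), mersenne(127))
root_b, mallory = make_key(mersenne(521), mersenne(607)), make_key(mersenne(19), mersenne(31))
DOC = b"<doc>constructed sample</doc>"
GOOD = (sign(signer, DOC), [make_cert(signer["pub"], "A", root_a),
                            make_cert(signer["pub"], "B", root_b)])
# The same document re-signed with an arbitrary key under its own self-signed root.
FORGED = (sign(mallory, DOC), [make_cert(mallory["pub"], "Mallory", mallory)])
TRUST_A = {"A": root_a["pub"]}
```

With `TRUST_A`, `GOOD` is accepted even though its root-B certificate does not validate; `GOOD` with no trusted roots and `FORGED` both verify mathematically but are not accepted.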