omniauth-swedbank 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0771558c29f141a92ba04dac605eca8dcc169009
-  data.tar.gz: 4617272b07b93f44b1d9e8526871206e91dfba63
+SHA256:
+  metadata.gz: 528ab8c0fad20b14c0e37c6c5ed9a027e801aebd8c365d88d3278a450f3f008b
+  data.tar.gz: afd969593c671e47716fe4ab9a8aec56f2d4af37ba2422e6f8c898830d6bd7fd
 SHA512:
-  metadata.gz: e01dac01185b8e267efded3598fd5f69b8d2dcaa3e6a30847434b5c7a490986f5f3c3684985731914968838cd90b0c7852a1e11002cea2693ed40298b93467c3
-  data.tar.gz: 1008eb879420bde49410875e903dd0d801099c646ebfc4754974937e0923edb6aafb7b80ca43a9ecc9304a08b301e5fe856b0c08c5516771c8ef0ed2967aab66
+  metadata.gz: c4cd649797d99a39ae36c9874866a37c0622091232059723196eecfb39be7b1002e38fcde0d762f053e5031df280118a4ecc914bd10c45bb3e7fec75d87737f2
+  data.tar.gz: a27486b76f6f6dcd109d86efa93756df72694a146c0fa962821a6cdb4a160fcef89897839a2b12c97b66e5cbdf2f12e34600ee792e209430241d6614a1e220f8

data/.github/workflows/ruby.yml

@@ -0,0 +1,24 @@
+name: Ruby
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ["3.1", "3.2", "3.3", "3.4", "4.0"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Run tests
+        run: bundle exec rspec

data/README.md

@@ -2,22 +2,20 @@
 
 Omniauth strategy for using Swedbank as an authentication service provider.
 
-[![Gem Version](https://badge.fury.io/rb/omniauth-swedbank.png)](http://badge.fury.io/rb/omniauth-swedbank)
-[![Build Status](https://travis-ci.org/mak-it/omniauth-swedbank.svg?branch=master)](https://travis-ci.org/mak-it/omniauth-swedbank)
-
-Supported Ruby versions: 2.2+
+Supported Ruby versions: 2.7+
 
 ## Related projects
 
-- [omniauth-citadele](https://github.com/mak-it/omniauth-citadele) - strategy for authenticating with Citadele
-- [omniauth-dnb](https://github.com/mak-it/omniauth-dnb) - strategy for authenticating with DNB
-- [omniauth-nordea](https://github.com/mak-it/omniauth-nordea) - strategy for authenticating with Nordea
-- [omniauth-seb-elink](https://github.com/mak-it/omniauth-seb-elink) - strategy for authenticating with SEB
+- [omniauth-citadele](https://github.com/mitigate-dev/omniauth-citadele) - strategy for authenticating with Citadele
+- [omniauth-dnb](https://github.com/mitigate-dev/omniauth-dnb) - strategy for authenticating with DNB
+- [omniauth-nordea](https://github.com/mitigate-dev/omniauth-nordea) - strategy for authenticating with Nordea
+- [omniauth-seb-elink](https://github.com/mitigate-dev/omniauth-seb-elink) - strategy for authenticating with SEB
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add these lines to your application's Gemfile (omniauth-rails_csrf_protection is required if using Rails):
 
+    gem 'omniauth-rails_csrf_protection'
     gem 'omniauth-swedbank'
 
 And then execute:
@@ -26,7 +24,11 @@ And then execute:
 
 Or install it yourself as:
 
-    $ gem install omniauth-swedbank
+    $ gem install omniauth-rails_csrf_protection omniauth-swedbank
+
+## v009 Migration
+
+**Swedbank will shut down banklink protocol v008 on 2026-06-02.** See [Migration Guide](docs/migration_008_to_009.md) for details.
 
 ## Usage
 
@@ -39,13 +41,47 @@ Rails.application.config.middleware.use OmniAuth::Builder do
     File.read("path/to/private.key"),
     File.read("path/to/bank.crt"),
     ENV['SWEDBANK_SND_ID'],
-    ENV['SWEDBANK_REC_ID']
+    ENV['SWEDBANK_REC_ID'],
+    version: '009'
 end
 ```
 
+The `version` option defaults to `'008'` for backward compatibility. Set it to `'009'` when you're ready to migrate (requires a new bank certificate from [banklink.swedbank.com](https://banklink.swedbank.com/public/resources/bank-certificates/009)).
+
 ## Auth Hash
 
-Here's an example Auth Hash available in `request.env['omniauth.auth']`:
+### v009
+
+```ruby
+{
+  provider: 'swedbank',
+  uid: '374042-80367',
+  info: {
+    full_name: 'ARNIS RAITUMS',
+    country: 'LV'
+  },
+  extra: {
+    raw_info: {
+      VK_SERVICE: '3013',
+      VK_VERSION: '009',
+      VK_DATETIME: '2026-04-29T12:00:00+0300',
+      VK_SND_ID: 'SWEDBANK_LV',
+      VK_REC_ID: 'MPLMT',
+      VK_NONCE: '20170425114529204413',
+      VK_USER_NAME: 'ARNIS RAITUMS',
+      VK_USER_ID: '374042-80367',
+      VK_COUNTRY: 'LV',
+      VK_OTHER: '',
+      VK_TOKEN: '7',
+      VK_RID: '',
+      VK_MAC: 'qrEMRf6YV...',
+      VK_ENCODING: 'UTF-8'
+    }
+  }
+}
+```
+
+### v008 (deprecated)
 
 ```ruby
 {
@@ -63,7 +99,7 @@ Here's an example Auth Hash available in `request.env['omniauth.auth']`:
       VK_NONCE: '20170425114529204413',
       VK_INFO: 'ISIK:090482-12549;NIMI:DACE ĀBOLA',
       VK_MAC: 'qrEMRf6YV...',
-      VK_ENCODING: 'UTF-8
+      VK_ENCODING: 'UTF-8'
     }
   }
 }

data/docs/migration_008_to_009.md

@@ -0,0 +1,89 @@
+# Migration Guide: v008 to v009
+
+## Deadline
+
+Swedbank will shut down banklink protocol v008 on **2026-06-02**. After this date, all v008 authentication requests will be rejected by the bank.
+
+## What Changed in v009
+
+| Aspect | v008 | v009 |
+|--------|------|------|
+| Signing algorithm | SHA-1 | SHA-512 |
+| Request service code | 4002 | 4012 |
+| Response service code | 3003 | 3013 |
+| VK_SND_ID in response | HP | SWEDBANK_LV |
+| Bank certificate | Country-specific (LV) | Unified Baltic |
+| Min. key strength | 1024 bits | 2048 bits (recommended 4096) |
+| Response user data | VK_INFO (combined string) | VK_USER_NAME, VK_USER_ID, VK_COUNTRY, VK_OTHER, VK_TOKEN |
+| New request fields | - | VK_DATETIME, VK_RID |
+
+## Migration Steps
+
+### 1. Update the gem
+
+```bash
+bundle update omniauth-swedbank
+```
+
+With the default configuration (`version: '008'`), everything continues to work as before. You will see a deprecation warning in logs.
+
+### 2. Download the new bank certificate
+
+The v009 protocol uses a new unified Baltic certificate. Download it from:
+
+https://banklink.swedbank.com/public/resources/bank-certificates/009
+
+Replace your existing Swedbank public certificate file with the new one.
+
+### 3. Check your private key
+
+Your RSA private key must be at least **2048 bits** (recommended: **4096 bits**). Keys must be regenerated every **24 months**. Check your key size with:
+
+```bash
+openssl rsa -in your_private_key.pem -text -noout | head -1
+```
+
+If it shows less than 2048 bits or is older than 2 years, generate a new keypair. See [Keypair Change Instruction (PDF)](https://swedbank.lv/static/pdf/business/d2d/collection/keypair_change_instruction_LV.pdf) for detailed steps. Two options:
+
+- **Option A:** Use Swedbank's built-in keypair generator via the [support page](https://www.swedbank.lv/business/cash/banklink/integrate) (recommended). Log in, go to "My agreements", click "Update key" -> "Generate new key". Download and save the private key immediately — the bank does not store it.
+- **Option B:** Generate your own keypair and upload the public key via self-service or email it to cashmanagement@swedbank.lv.
+
+Note: When replacing keys, you can choose a transition period (up to 7 days) during which both old and new keys are valid.
+
+### 4. Update your provider configuration
+
+```ruby
+# Before (v008 - default)
+provider :swedbank,
+  File.read("path/to/private.key"),
+  File.read("path/to/old_bank.crt"),
+  ENV['SWEDBANK_SND_ID'],
+  ENV['SWEDBANK_REC_ID']
+
+# After (v009)
+provider :swedbank,
+  File.read("path/to/private.key"),
+  File.read("path/to/new_baltic_bank.crt"),
+  ENV['SWEDBANK_SND_ID'],
+  ENV['SWEDBANK_REC_ID'],
+  version: '009'
+```
+
+### 5. Update your callback handling (if applicable)
+
+If your application reads user data from the auth hash, note these changes:
+
+**v008:** User ID and name were parsed from the `VK_INFO` field (`ISIK:123456-12345;NIMI:John Doe`).
+
+**v009:** User data comes in separate fields:
+- `auth.uid` - reads from `VK_USER_ID` directly
+- `auth.info.full_name` - reads from `VK_USER_NAME` directly  
+- `auth.info.country` - new field from `VK_COUNTRY` (e.g., `LV`)
+- `auth.extra.raw_info` - contains all response parameters including `VK_TOKEN`, `VK_OTHER`, `VK_RID`
+
+If you only use `auth.uid` and `auth.info.full_name`, no changes are needed in your application code.
+
+## Reference
+
+- [Swedbank comparison PDF](https://www.swedbank.lv/static/business/banklink/LV_Authentication_008_vs_009_instruction.pdf)
+- [Bank certificates for v009](https://banklink.swedbank.com/public/resources/bank-certificates/009)

data/lib/omniauth/strategies/swedbank.rb

@@ -6,8 +6,18 @@ module OmniAuth
     class Swedbank
       include OmniAuth::Strategy
 
-      AUTH_SERVICE = '4002'
-      AUTH_VERSION = '008'
+      V008_AUTH_SERVICE = '4002'
+      V008_RESPONSE_SERVICE = '3003'
+      V009_AUTH_SERVICE = '4012'
+      V009_RESPONSE_SERVICE = '3013'
+
+      def self.render_nonce?
+         defined?(ActionDispatch::ContentSecurityPolicy::Request) != nil
+      end
+      if render_nonce?
+        include ActionDispatch::ContentSecurityPolicy::Request
+        delegate :get_header, :set_header, to: :request
+      end
 
       args [:private_key, :public_key, :snd_id, :rec_id]
 
@@ -18,40 +28,96 @@ module OmniAuth
 
       option :name, 'swedbank'
       option :site, 'https://www.swedbank.lv/banklink'
+      option :version, '008'
+
+      SUPPORTED_VERSIONS = %w[008 009].freeze
+
+      def version_009?
+        options.version == '009'
+      end
+
+      def invalid_version?
+        !SUPPORTED_VERSIONS.include?(options.version)
+      end
+
+      def auth_service
+        version_009? ? V009_AUTH_SERVICE : V008_AUTH_SERVICE
+      end
+
+      def response_service
+        version_009? ? V009_RESPONSE_SERVICE : V008_RESPONSE_SERVICE
+      end
+
+      def digest
+        version_009? ? OpenSSL::Digest::SHA512.new : OpenSSL::Digest::SHA1.new
+      end
 
       def stamp
         return @stamp if @stamp
         @stamp = Time.now.strftime('%Y%m%d%H%M%S') + SecureRandom.random_number(999999).to_s.rjust(6, '0')
       end
 
+      def datetime
+        @datetime ||= Time.now.strftime('%Y-%m-%dT%H:%M:%S%z')
+      end
+
+      def rid
+        ''
+      end
+
       def prepend_length(value)
         # prepend length to string in 0xx format
         [ value.to_s.length.to_s.rjust(3, '0'), value.dup.to_s.force_encoding('ascii')].join
       end
 
       def signature_input
-        [
-          AUTH_SERVICE,             # VK_SERVICE
-          AUTH_VERSION,             # VK_VERSION
-          options.snd_id,           # VK_SND_ID
-          options.rec_id,           # VK_REC_ID
-          stamp,                    # VK_NONCE
-          callback_url              # VK_RETURN
-        ].map{|v| prepend_length(v)}.join
+        fields = if version_009?
+          [
+            auth_service,       # VK_SERVICE
+            options.version,    # VK_VERSION
+            options.snd_id,     # VK_SND_ID
+            options.rec_id,     # VK_REC_ID
+            stamp,              # VK_NONCE
+            callback_url,       # VK_RETURN
+            datetime,           # VK_DATETIME
+            rid                 # VK_RID
+          ]
+        else
+          [
+            auth_service,       # VK_SERVICE
+            options.version,    # VK_VERSION
+            options.snd_id,     # VK_SND_ID
+            options.rec_id,     # VK_REC_ID
+            stamp,              # VK_NONCE
+            callback_url        # VK_RETURN
+          ]
+        end
+        fields.map{|v| prepend_length(v)}.join
       end
 
       def signature(priv_key)
-        Base64.encode64(priv_key.sign(OpenSSL::Digest::SHA1.new, signature_input))
+        Base64.encode64(priv_key.sign(digest, signature_input))
       end
 
       uid do
-        request.params['VK_INFO'].match(/ISIK:(\d{6}\-\d{5})/)[1]
+        if version_009?
+          request.params['VK_USER_ID']
+        else
+          request.params['VK_INFO'].match(/ISIK:(\d{6}\-\d{5})/)[1]
+        end
       end
 
       info do
-        {
-          full_name: request.params['VK_INFO'].match(/NIMI:(.+)/)[1]
-        }
+        if version_009?
+          {
+            full_name: request.params['VK_USER_NAME'],
+            country: request.params['VK_COUNTRY']
+          }
+        else
+          {
+            full_name: request.params['VK_INFO'].match(/NIMI:(.+)/)[1]
+          }
+        end
       end
 
       extra do
@@ -59,17 +125,22 @@ module OmniAuth
       end
 
       def callback_phase
+        if invalid_version?
+          return fail!(:unsupported_version_err,
+            ArgumentError.new("Unsupported banklink version '#{options.version}'. Supported: #{SUPPORTED_VERSIONS.join(', ')}"))
+        end
+
         begin
           pub_key = OpenSSL::X509::Certificate.new(options.public_key).public_key
         rescue => e
           return fail!(:public_key_load_err, e)
         end
 
-        if request.params['VK_SERVICE'] != '3003'
+        if request.params['VK_SERVICE'] != response_service
           return fail!(:unsupported_response_service_err)
         end
 
-        if request.params['VK_VERSION'] != '008'
+        if request.params['VK_VERSION'] != options.version
           return fail!(:unsupported_response_version_err)
         end
 
@@ -77,18 +148,35 @@ module OmniAuth
           return fail!(:unsupported_response_encoding_err)
         end
 
-        sig_str = [
-          request.params['VK_SERVICE'],
-          request.params['VK_VERSION'],
-          request.params['VK_SND_ID'],
-          request.params['VK_REC_ID'],
-          request.params['VK_NONCE'],
-          request.params['VK_INFO']
-        ].map{|v| prepend_length(v)}.join
+        sig_str = if version_009?
+          [
+            request.params['VK_SERVICE'],
+            request.params['VK_VERSION'],
+            request.params['VK_DATETIME'],
+            request.params['VK_SND_ID'],
+            request.params['VK_REC_ID'],
+            request.params['VK_NONCE'],
+            request.params['VK_USER_NAME'],
+            request.params['VK_USER_ID'],
+            request.params['VK_COUNTRY'],
+            request.params['VK_OTHER'],
+            request.params['VK_TOKEN'],
+            request.params['VK_RID']
+          ].map{|v| prepend_length(v)}.join
+        else
+          [
+            request.params['VK_SERVICE'],
+            request.params['VK_VERSION'],
+            request.params['VK_SND_ID'],
+            request.params['VK_REC_ID'],
+            request.params['VK_NONCE'],
+            request.params['VK_INFO']
+          ].map{|v| prepend_length(v)}.join
+        end
 
         raw_signature = Base64.decode64(request.params['VK_MAC'])
 
-        if !pub_key.verify(OpenSSL::Digest::SHA1.new, raw_signature, sig_str)
+        if !pub_key.verify(digest, raw_signature, sig_str)
           return fail!(:invalid_response_signature_err)
         end
 
@@ -96,34 +184,81 @@ module OmniAuth
       end
 
       def request_phase
+        if invalid_version?
+          return fail!(:unsupported_version_err,
+            ArgumentError.new("Unsupported banklink version '#{options.version}'. Supported: #{SUPPORTED_VERSIONS.join(', ')}"))
+        end
+
         begin
           priv_key = OpenSSL::PKey::RSA.new(options.private_key)
         rescue => e
           return fail!(:private_key_load_err, e)
         end
 
+        unless version_009?
+          warn "[DEPRECATION] omniauth-swedbank: Swedbank banklink v008 will be shut down on 2026-06-02. " \
+               "Please migrate to v009 by setting `version: '009'` in your provider config. " \
+               "See https://www.swedbank.lv/static/business/banklink/LV_Authentication_008_vs_009_instruction.pdf"
+        end
+
+        set_locale_from_query_param
+
         form = OmniAuth::Form.new(:title => I18n.t('omniauth.swedbank.please_wait'), :url => options.site)
 
-        {
-          'VK_SERVICE' => AUTH_SERVICE,
-          'VK_VERSION' => AUTH_VERSION,
+        params = {
+          'VK_SERVICE' => auth_service,
+          'VK_VERSION' => options.version,
           'VK_SND_ID' => options.snd_id,
           'VK_REC_ID' => options.rec_id,
           'VK_NONCE' => stamp,
           'VK_RETURN' => callback_url,
           'VK_MAC' => signature(priv_key),
-          'VK_LANG' => 'LAT',
+          'VK_LANG' => resolve_bank_ui_language,
           'VK_ENCODING' => 'UTF-8'
-        }.each do |name, val|
-          form.html "<input type=\"hidden\" name=\"#{name}\" value=\"#{val}\" />"
+        }
+
+        if version_009?
+          params['VK_DATETIME'] = datetime
+          params['VK_RID'] = rid
+        end
+
+        params.each do |name, val|
+          form.html "<input type=\"hidden\" name=\"#{name}\" value=\"#{escape(val)}\" />"
         end
 
         form.button I18n.t('omniauth.swedbank.click_here_if_not_redirected')
 
+        nonce_attribute = nil
+        if self.class.render_nonce?
+          nonce_attribute = " nonce='#{escape(content_security_policy_nonce)}'"
+        end
         form.instance_variable_set('@html',
-          form.to_html.gsub('</form>', '</form><script type="text/javascript">document.forms[0].submit();</script>'))
+          form.to_html.gsub('</form>', "</form><script type=\"text/javascript\"#{nonce_attribute}>document.forms[0].submit();</script>"))
         form.to_response
       end
+
+      private
+
+      def set_locale_from_query_param
+        locale = request.params['locale']
+        if (locale != nil && locale.strip != '' && I18n.locale_available?(locale))
+          I18n.locale = locale
+        end
+      end
+
+      def resolve_bank_ui_language
+        case I18n.locale
+        when :ru then 'RUS'
+        when :en then 'ENG'
+        when :et then 'EST'
+        when :lt then 'LIT'
+        else 'LAT'
+        end
+      end
+
+      def escape(html_attribute_value)
+         CGI.escapeHTML(html_attribute_value) unless html_attribute_value.nil?
+      end
     end
   end
 end

data/lib/omniauth/swedbank/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module Swedbank
-    VERSION = '0.2.0'
+    VERSION = '0.4.0'
   end
 end

data/omniauth-swedbank.gemspec

@@ -6,11 +6,11 @@ require 'omniauth/swedbank/version'
 Gem::Specification.new do |spec|
   spec.name          = 'omniauth-swedbank'
   spec.version       = Omniauth::Swedbank::VERSION
-  spec.authors       = ['MAK IT', 'Jānis Kiršteins', 'Kristaps Ērglis']
-  spec.email         = ['admin@makit.lv', 'janis@montadigital.com', 'kristaps.erglis@gmail.com' ]
+  spec.authors       = ['Mitigate', 'Jānis Kiršteins', 'Kristaps Ērglis']
+  spec.email         = ['admin@mitigate.dev', 'janis@montadigital.com', 'kristaps.erglis@gmail.com' ]
   spec.description   = %q{OmniAuth strategy for Swedbank Banklink}
   spec.summary       = %q{OmniAuth strategy for Swedbank Banklink}
-  spec.homepage      = 'https://github.com/mak-it/omniauth-swedbank'
+  spec.homepage      = 'https://github.com/mitigate-dev/omniauth-swedbank'
   spec.license       = 'MIT'
 
   spec.files         = `git ls-files`.split($/)
@@ -18,13 +18,15 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.2.2'
+  spec.required_ruby_version = '>= 3.1'
 
-  spec.add_runtime_dependency 'omniauth', '~> 1.0'
-  spec.add_runtime_dependency "i18n"
+  spec.add_runtime_dependency 'omniauth', '~> 2.1'
+  spec.add_runtime_dependency 'i18n'
 
+  spec.add_development_dependency 'rack'
   spec.add_development_dependency 'rack-test'
-  spec.add_development_dependency 'rspec', '~> 2.7'
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake"
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rack-session'
 end

data/spec/certs/response.v009.public.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICoTCCAYmgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlUZXN0
+IFYwMDkwHhcNMjYwNDI5MDkyNjQ5WhcNMjcwNDI5MDkyNjQ5WjAUMRIwEAYDVQQD
+DAlUZXN0IFYwMDkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtZLYp
+KJNe16Fp2S/EVyyz0aFdPhBwgn+707JW/a8EM1m0rryNUbwZpQqZ2wzmPy6r/D13
+UssJpGVg74+LQ8GZI+mgiL+U7nY95111XhOQ/B258i40HAwf3WFVqDKmigYxXU+O
+0hbuUwXmT7qP3sRNgNLChn6BFDV6c1f/TYkiSZrSj45HQsqDekCIZdy6CvzV8m5I
+JV3TJWshoEj4HPJI7YEkgjc3nzwUsKiLi9k6FsLSiveFBaky+mhYBlJUtET7KEwu
+raHw7LkCn1FoCSodgxeHF9IFCCyKTI7VKETB4w0TYLKCbMOjtON0ifCx+H/w8LwP
+YrhXTF6rjcdL3A9jAgMBAAEwDQYJKoZIhvcNAQENBQADggEBAErV4sBKLwmUvjOT
+S8Kjw+BwTf0NU/yOpQS1kCSTD5gn9OOqDirOQe7Yj1dyGWMDmfGy4Jw7xcMSRTTq
+TCKS7poTkFa8mXRPm+kFqw1Hy3U6/MsswZCBxiIkGEltKytXe+AdLVY2uM46/j6W
+D6Rt0vgcBcj//h2et4f8GDMs4s1ndKp8o0rnggSQCcgC2yLMNL8AdSxwHj7eGDiv
+cCWspZCXq7SGOoMC3jhhNOYt9WjH+/Aj/FXDRu2iguaG4I4qBGJSmY2i4WQT/XJv
+sXPCrHoN0oGrmzX/V5/20AEOhS6oBLCIMfBeR4iRAicUW9mUnVj+PqigZkXGSArB
+tkkI44U=
+-----END CERTIFICATE-----