pulpcore 3.84.0__py3-none-any.whl → 3.85.0__py3-none-any.whl

pulp_certguard/app/__init__.py

@@ -6,6 +6,6 @@ class PulpCertGuardPluginAppConfig(PulpPluginAppConfig):
 
     name = "pulp_certguard.app"
     label = "certguard"
-    version = "3.84.0"
+    version = "3.85.0"
     python_package_name = "pulpcore"
     domain_compatible = True

pulp_certguard/app/models.py

@@ -6,16 +6,12 @@ from urllib.parse import unquote
 from django.conf import settings
 from django.db import models
 
+from cryptography import x509
 from OpenSSL import crypto as openssl
 
 from pulpcore.plugin.models import ContentGuard
 
-from pulp_certguard.app.utils import get_rhsm
-
-try:
-    from rhsm import certificate
-except ImportError:
-    pass
+from pulp_certguard import rhsm
 
 
 logger = getLogger(__name__)
@@ -139,11 +135,6 @@ class RHSMCertGuard(BaseCertGuard):
 
     TYPE = "rhsm"
 
-    def __init__(self, *args, **kwargs):
-        """Initialize a RHSMCertGuard and ensure this system has python-rhsm on it."""
-        get_rhsm()  # Validate that rhsm is installed
-        super().__init__(*args, **kwargs)
-
     class Meta:
         default_related_name = "%(app_label)s_%(model_name)s"
 
@@ -159,29 +150,19 @@ class RHSMCertGuard(BaseCertGuard):
                 certificate, or if the client certificate is not trusted from the CA certificated
                 stored as `ca_certificate`.
         """
-        get_rhsm()
+        # TODO use python cryptography and only parse the certificate once.
         unquoted_certificate = self._get_client_cert_header(request)
         self._ensure_client_cert_is_trusted(unquoted_certificate)
-        rhsm_cert = self._create_rhsm_cert_from_pem(unquoted_certificate)
+        cert = x509.load_pem_x509_certificate(unquoted_certificate.encode())
         content_path_prefix_without_trail_slash = settings.CONTENT_PATH_PREFIX.rstrip("/")
         len_prefix_to_remove = len(content_path_prefix_without_trail_slash)
         path_without_content_path_prefix = request.path[len_prefix_to_remove:]
-        self._check_paths(rhsm_cert, path_without_content_path_prefix)
-
-    @staticmethod
-    def _create_rhsm_cert_from_pem(unquoted_certificate):
-        try:
-            rhsm_cert = certificate.create_from_pem(unquoted_certificate)
-        except certificate.CertificateException:
-            msg = _("An error occurred while loading the client certificate data into python-rhsm.")
-            logger.warning(msg)
-            raise PermissionError(msg)
-        return rhsm_cert
+        self._check_paths(cert, path_without_content_path_prefix)
 
     @staticmethod
-    def _check_paths(rhsm_cert, path):
+    def _check_paths(cert, path):
         logger.debug(f"Checking that path {path} is allowed in client cert")
-        if rhsm_cert.check_path(path) is False:
+        if rhsm.check_path(cert, path) is False:
             logger.warning(f"Path {path} is *not* allowed in client cert")
             msg = _("Requested path is not a subpath of a path in the client certificate.")
             raise PermissionError(msg)

pulp_certguard/app/serializers.py

@@ -6,7 +6,6 @@ from pulpcore.plugin.serializers import ContentGuardSerializer
 
 from rest_framework import serializers
 
-from pulp_certguard.app.utils import get_rhsm
 from .models import RHSMCertGuard, X509CertGuard
 
 
@@ -45,7 +44,6 @@ class RHSMCertGuardSerializer(BaseCertGuardSerializer):
     @staticmethod
     def validate_ca_certificate(ca_certificate):
         """Validates the given certificate."""
-        get_rhsm()  # Validate that rhsm is installed
         return BaseCertGuardSerializer.validate_ca_certificate(ca_certificate)
 
 

pulp_certguard/rhsm/__init__.py

@@ -0,0 +1,4 @@
+from .rhsm_check_path import check_path
+
+
+__all__ = ["check_path"]

pulp_certguard/rhsm/rhsm_check_path.py

@@ -0,0 +1,198 @@
+import typing as t
+from cryptography import x509
+from heapq import heappush, heappop
+import itertools
+import re
+import zlib
+
+
+RH_OID = "1.3.6.1.4.1.2312.9"
+RH_ORDER_NAME_OID = RH_OID + ".4.1"
+RH_VERSION_OID = RH_OID + ".6"
+RH_ENTITLEMENT_OID = RH_OID + ".7"
+V1_PATH_OID_REGEX = re.compile(rf"^{re.escape(RH_OID)}\.2\.\d+\.1\.6$")
+
+
+T = t.TypeVar("T")
+RecursiveDict = t.Dict[str, "RecursiveDict"]
+
+
+# Proper anntoation of generic classes was introduced in Python 3.12
+# class HuffmannNode[T]
+class HuffmannNode:
+    def __init__(
+        self,
+        left: "t.Self | T",
+        right: "t.Self | T",
+    ) -> None:
+        self.left: "t.Self | T" = left
+        self.right: "t.Self | T" = right
+
+    @classmethod
+    def build_tree(cls, items: t.Iterable[T]) -> "t.Self":
+        # This builds a special type of tree, where the weights are _always_ like 1,2,3,...
+        serial = itertools.count(1)  # Used to keep items of equal weight in order.
+        heap: list[tuple[int, int, "t.Self | T"]] = []
+        for value in items:
+            weight = next(serial)
+            # First item is the actual weight, second is the tiebreaker.
+            # Values are never compared.
+            heappush(heap, (weight, weight, value))
+        while True:
+            lw, _, left = heappop(heap)
+            try:
+                rw, _, right = heappop(heap)
+                node = cls(left=left, right=right)
+                heappush(heap, (lw + rw, next(serial), node))
+            except IndexError:
+                assert isinstance(left, cls)
+                return left
+
+    def decode(self, bitstream: t.Iterator[bool]) -> T:
+        node = self.right if next(bitstream) else self.left
+        if isinstance(node, self.__class__):
+            return node.decode(bitstream)
+        else:
+            return t.cast(T, node)
+
+
+def split_count(v: bytes) -> tuple[int, bytes]:
+    if v[0] & 128:
+        len_count = v[0] - 128
+        length = 0
+        for i in range(len_count):
+            length <<= 8
+            length += v[i + 1]
+    else:
+        len_count = 0
+        length = int(v[0])
+    return length, v[len_count + 1 :]
+
+
+def asn1_string(v: bytes) -> str:
+    assert v[0] == 12
+    length, rest = split_count(v[1:])
+    result = rest.decode()
+    assert len(result) == length
+    return result
+
+
+def asn1_bytes(v: bytes) -> bytes:
+    assert v[0] == 4
+    length, result = split_count(v[1:])
+    assert len(result) == length
+    return result
+
+
+def cert_version(cert: x509.Certificate) -> str:
+    return next(
+        (
+            asn1_string(ext.value.value)
+            for ext in cert.extensions
+            if ext.oid.dotted_string == RH_VERSION_OID
+        ),
+        "1.0",
+    )
+
+
+def is_v1_entitlement(cert: x509.Certificate) -> bool:
+    return any((ext for ext in cert.extensions if ext.oid.dotted_string == RH_ORDER_NAME_OID))
+
+
+def v1_paths(cert: x509.Certificate) -> t.Iterator[str]:
+    for ext in cert.extensions:
+        if V1_PATH_OID_REGEX.match(ext.oid.dotted_string):
+            yield asn1_string(ext.value.value)
+
+
+def check_path_v1(cert: x509.Certificate, normalized_path: str) -> bool:
+    assert is_v1_entitlement(cert)
+    for cert_path in v1_paths(cert):
+        # We build a regex here, nicely escaped, from the cert_path,
+        # that translates the '$variables' to regex wildcards.
+        path_regex = (
+            r"^"
+            + r"[^/]+".join(map(re.escape, re.split(r"\$[^/]*", cert_path.strip("/"))))
+            + r"($|/)"
+        )
+        if re.match(path_regex, normalized_path):
+            return True
+    return False
+
+
+def bitstream(data: bytes) -> t.Iterator[bool]:
+    for b in data:
+        for i in range(8):
+            yield (b << i) & 128 != 0
+
+
+class Entitlement:
+    def __init__(self, cert: x509.Certificate):
+        payload = self._read_payload(cert)
+        lex_data, node_count, path_data = self._split_payload(payload)
+        word_tree = self._build_word_tree(lex_data)
+        self._path_tree = self._build_path_tree(word_tree, node_count, path_data)
+
+    @staticmethod
+    def _read_payload(cert: x509.Certificate) -> bytes:
+        return asn1_bytes(
+            next(
+                ext.value.value
+                for ext in cert.extensions
+                if ext.oid.dotted_string == RH_ENTITLEMENT_OID
+            )
+        )
+
+    @staticmethod
+    def _split_payload(payload: bytes) -> tuple[bytes, int, bytes]:
+        decobj = zlib.decompressobj()
+        lex_data = decobj.decompress(payload)
+        node_count, path_data = split_count(decobj.unused_data)
+        return lex_data, node_count, path_data
+
+    @staticmethod
+    def _build_word_tree(lex_data: bytes) -> "HuffmannNode[str]":
+        words = [item.decode() for item in lex_data.split(b"\x00")]
+        assert len(words) > 1
+        return HuffmannNode.build_tree(words)
+
+    @staticmethod
+    def _build_path_tree(
+        word_tree: "HuffmannNode[str]", node_count: int, path_data: bytes
+    ) -> RecursiveDict:
+        path_nodes: list[RecursiveDict] = [{} for _ in range(node_count)]
+        address_tree: "HuffmannNode[RecursiveDict]" = HuffmannNode.build_tree(path_nodes[1:])
+        bitsource = bitstream(path_data)
+        for node in path_nodes:
+            while True:
+                word = word_tree.decode(bitsource)
+                if word == "":
+                    break
+                assert word not in node
+                node[word] = address_tree.decode(bitsource)
+        return path_nodes[0]
+
+    @classmethod
+    def _check_path_tree(cls, node: RecursiveDict, segments: t.List[str]) -> bool:
+        if len(node) == 0:
+            return True
+        if len(segments) == 0:
+            return False
+        segment = segments[0]
+        segments = segments[1:]
+        for key, child in node.items():
+            if (segment == key or key[0] == "$") and cls._check_path_tree(child, segments):
+                return True
+        return False
+
+    def check_path(self, normalized_path: str) -> bool:
+        segments = normalized_path.split("/")
+        return self._check_path_tree(self._path_tree, segments)
+
+
+def check_path(cert: x509.Certificate, path: str) -> bool:
+    normalized_path = re.sub(r"/+", "/", path.strip("/"))
+    if int(cert_version(cert).split(".")[0]) >= 3:
+        return Entitlement(cert).check_path(normalized_path)
+    else:
+        return check_path_v1(cert, normalized_path)

pulp_certguard/tests/unit/certdata.py

@@ -0,0 +1,249 @@
+#
+# Copyright (c) 2012 Red Hat, Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 2 (GPLv2). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+# along with this software; if not, see
+# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+#
+# Red Hat trademarks are not licensed under GPLv2. No permission is
+# granted to use or replicate Red Hat trademarks that are incorporated
+# in this software or its documentation.
+#
+
+# A product cert from Candlepin's test data (product ID 100000000000002):
+PRODUCT_CERT_V1_0 = """
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAuGgAwIBAgIECgf/jTANBgkqhkiG9w0BAQUFADAzMRIwEAYDVQQDDAls
+b2NhbGhvc3QxCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdSYWxlaWdoMB4XDTExMDgy
+MzE3NDEzOVoXDTIxMDgyMzE3NDEzOVowGjEYMBYGA1UEAxMPMTAwMDAwMDAwMDAw
+MDAyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkbvsjJXu+vRzbBa+
+G9S77gbQTtSbZXWncykJkinwqQkUl2jEnGN+BBYa30dfLFatkA6UP4XICIu+xVMw
+qXc2O82BBubYvBTcqJy62U1YQnJFz/upSF0b9mKhcwJv2sAqMfkviGTYpjuCTfw6
+VVSFUvIj+K16vRzZWgn+qTIUIt8yXipuz7E/4t+R2BG/9GCqjQq7LQb4y0FmWdGT
+OehTjEY+G4+evsjyom5hXLgXlMhd3vkb7gHOyc3Yuk9h9eqGKg0oCiaF88KafMcu
+hCp0mIC7W97jE2tHTWzfERw99j+uPjccBUljqVpNfW6S/iKDx0tkzv0pOnSxYYmd
+HF5rbQIDAQABo4IBLDCCASgwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIE
+sDBjBgNVHSMEXDBagBQckL9Tc4HS6Df/ppG4uN7zSUsnD6E3pDUwMzESMBAGA1UE
+AwwJbG9jYWxob3N0MQswCQYDVQQGEwJVUzEQMA4GA1UEBwwHUmFsZWlnaIIJAPrR
+0C/V93lLMB0GA1UdDgQWBBQPunbOh02rAFia+TmNDHCa05vI/DATBgNVHSUEDDAK
+BggrBgEFBQcDAjAxBhErBgEEAZIICQGW3rGD6YACAQQcDBpBd2Vzb21lIE9TIGZv
+ciB4ODZfNjQgQml0czAdBhErBgEEAZIICQGW3rGD6YACAwQIDAZ4ODZfNjQwGwYR
+KwYBBAGSCAkBlt6xg+mAAgIEBgwEMy4xMTANBgkqhkiG9w0BAQUFAAOBgQARCW1E
+d/w1WYaQElsYAN9/EyDXyXq4GJfTFES8eg09nUKYrMACds2wdh8m8vV7NtHl8E0y
+wE//vrTlHGSD5m4/mcXsgpkHvbj/kOTP7aag7RPa51M8ocjtOplugUyIF0PsXO4B
+SOxSnd1U0dX6pzEwMaJD9lCW8xZ2jsmdLUtLzQ==
+-----END CERTIFICATE-----
+"""
+
+# Test entitlement to the product cert above:
+ENTITLEMENT_CERT_V1_0 = """
+-----BEGIN CERTIFICATE-----
+MIIJSzCCCLSgAwIBAgIICT4q81yqebkwDQYJKoZIhvcNAQEFBQAwNjEVMBMGA1UE
+AwwMMTkyLjE2OC4xLjI1MQswCQYDVQQGEwJVUzEQMA4GA1UEBwwHUmFsZWlnaDAe
+Fw0xMjA3MDUwMDAwMDBaFw0xMzA3MDUwMDAwMDBaMCsxKTAnBgNVBAMTIGZmODA4
+MDgxMzg1NzRiZDIwMTM4NTc0ZDg1YTUwYjJmMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAlUV2otyTyQbhSV77Od1qoZMwr2Xz1gvgQUN5/0b7HREutMCT
+4okqvDkYkt50pu76M0CatAK89A716plMjzcFyyWvUuR9adxzD6VXTSxORabL1hto
+30a6hERNdwt7ma43ezvouY0tvjQ8MDFMQb2MC5yhKAq3H1mdZEtDdjlU7MQ1ujX3
+wK2We0HW4sMkZXM/ZtiqXU5vB9h5hVFeZo4E7d+HayopsQoB5cKMu9MAGCg75rdD
+i3pO/9za1q2fQsUjnzImMPBCVfpN2K7CuI7098MxDyjvNrU/Vql6rYhDbdGOJTWD
+GZf40j/j/T+CReEMZsKHNRgLtMK+dcg4GuD+DQIDAQABo4IG5zCCBuMwEQYJYIZI
+AYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIEsDBmBgNVHSMEXzBdgBREQHYTNskB3AHY
+/8EcmROo5jrOoqE6pDgwNjEVMBMGA1UEAwwMMTkyLjE2OC4xLjI1MQswCQYDVQQG
+EwJVUzEQMA4GA1UEBwwHUmFsZWlnaIIJAPMeoqmMwB3XMB0GA1UdDgQWBBSsreit
+gWXwXzIMZ3JIMdUOEkylIDATBgNVHSUEDDAKBggrBgEFBQcDAjAxBhErBgEEAZII
+CQGW3rGD6YACAQQcDBpBd2Vzb21lIE9TIGZvciB4ODZfNjQgQml0czAdBhErBgEE
+AZIICQGW3rGD6YACAwQIDAZ4ODZfNjQwGwYRKwYBBAGSCAkBlt6xg+mAAgIEBgwE
+My4xMTAUBgsrBgEEAZIICQIBAQQFDAN5dW0wKAYMKwYBBAGSCAkCAQEBBBgMFmFs
+d2F5cy1lbmFibGVkLWNvbnRlbnQwKAYMKwYBBAGSCAkCAQECBBgMFmFsd2F5cy1l
+bmFibGVkLWNvbnRlbnQwHQYMKwYBBAGSCAkCAQEFBA0MC3Rlc3QtdmVuZG9yMC4G
+DCsGAQQBkggJAgEBBgQeDBwvZm9vL3BhdGgvYWx3YXlzLyRyZWxlYXNldmVyMCYG
+DCsGAQQBkggJAgEBBwQWDBQvZm9vL3BhdGgvYWx3YXlzL2dwZzATBgwrBgEEAZII
+CQIBAQgEAwwBMTAVBgwrBgEEAZIICQIBAQkEBQwDMjAwMBUGDCsGAQQBkggJAtZ0
+AQQFDAN5dW0wIwYNKwYBBAGSCAkC1nQBAQQSDBBhd2Vzb21lb3MteDg2XzY0MCMG
+DSsGAQQBkggJAtZ0AQIEEgwQYXdlc29tZW9zLXg4Nl82NDAaBg0rBgEEAZIICQLW
+dAEFBAkMB1JlZCBIYXQwLAYNKwYBBAGSCAkC1nQBBgQbDBkvcGF0aC90by9hd2Vz
+b21lb3MveDg2XzY0MCoGDSsGAQQBkggJAtZ0AQcEGQwXL3BhdGgvdG8vYXdlc29t
+ZW9zL2dwZy8wFAYNKwYBBAGSCAkC1nQBCAQDDAEwMBcGDSsGAQQBkggJAtZ0AQkE
+BgwEMzYwMDAUBgsrBgEEAZIICQIAAQQFDAN5dW0wJwYMKwYBBAGSCAkCAAEBBBcM
+FW5ldmVyLWVuYWJsZWQtY29udGVudDAnBgwrBgEEAZIICQIAAQIEFwwVbmV2ZXIt
+ZW5hYmxlZC1jb250ZW50MB0GDCsGAQQBkggJAgABBQQNDAt0ZXN0LXZlbmRvcjAh
+BgwrBgEEAZIICQIAAQYEEQwPL2Zvby9wYXRoL25ldmVyMCUGDCsGAQQBkggJAgAB
+BwQVDBMvZm9vL3BhdGgvbmV2ZXIvZ3BnMBMGDCsGAQQBkggJAgABCAQDDAEwMBUG
+DCsGAQQBkggJAgABCQQFDAM2MDAwFQYMKwYBBAGSCAkC1mkBBAUMA3l1bTAcBg0r
+BgEEAZIICQLWaQEBBAsMCWF3ZXNvbWVvczAcBg0rBgEEAZIICQLWaQECBAsMCWF3
+ZXNvbWVvczAaBg0rBgEEAZIICQLWaQEFBAkMB1JlZCBIYXQwOwYNKwYBBAGSCAkC
+1mkBBgQqDCgvcGF0aC90by8kYmFzZWFyY2gvJHJlbGVhc2V2ZXIvYXdlc29tZW9z
+MCoGDSsGAQQBkggJAtZpAQcEGQwXL3BhdGgvdG8vYXdlc29tZW9zL2dwZy8wFAYN
+KwYBBAGSCAkC1mkBCAQDDAExMBcGDSsGAQQBkggJAtZpAQkEBgwEMzYwMDAlBgor
+BgEEAZIICQQBBBcMFUF3ZXNvbWUgT1MgZm9yIHg4Nl82NDAwBgorBgEEAZIICQQC
+BCIMIGZmODA4MDgxMzg1NzRiZDIwMTM4NTc0YzdmMWYwMjNjMCAGCisGAQQBkggJ
+BAMEEgwQYXdlc29tZW9zLXg4Nl82NDARBgorBgEEAZIICQQFBAMMATUwEQYKKwYB
+BAGSCAkECQQDDAExMCQGCisGAQQBkggJBAYEFgwUMjAxMi0wNy0wNVQwMDowMDow
+MFowJAYKKwYBBAGSCAkEBwQWDBQyMDEzLTA3LTA1VDAwOjAwOjAwWjASBgorBgEE
+AZIICQQMBAQMAjMwMBIGCisGAQQBkggJBAoEBAwCNjYwGwYKKwYBBAGSCAkEDQQN
+DAsxMjMzMTEzMTIzMTARBgorBgEEAZIICQQOBAMMATAwEQYKKwYBBAGSCAkEEQQD
+DAExMBEGCisGAQQBkggJBAsEAwwBMjA0BgorBgEEAZIICQUBBCYMJDQwOTJlYzcz
+LTE5MGUtNGY0Ny1iMmEzLWUxZTg4OWVkOGE5ODANBgkqhkiG9w0BAQUFAAOBgQA4
+BLbyoRumbzf3/UXZfzkQbUPeN1CYBP64soVdIe8Wp0Dp3H6ZF8CFR6+w1R3Q7asL
+Ej4AxyURBnHhQCz5UleHnMBdLU9BK2Z0BTHCrkke8tDFxsIQ2oz2Ny/+gqegyJS/
+AOY8AMtVsQ9LuANGqNf42hcpFsAWy5kboT+gIXFxmw==
+-----END CERTIFICATE-----
+"""
+
+ENTITLEMENT_CERT_V3_0 = """
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAvigAwIBAgIIEiB+vHfSYuwwDQYJKoZIhvcNAQEFBQAwMDEPMA0GA1UE
+AwwGcGlwYm95MQswCQYDVQQGEwJVUzEQMA4GA1UEBwwHUmFsZWlnaDAeFw0xMjA5
+MTgwMDAwMDBaFw0xMzA5MTgwMDAwMDBaMCsxKTAnBgNVBAMTIGZmODA4MDgxMzlk
+OWUyNmMwMTM5ZGEyMzQ4OWEwMDY2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAgDfkG4OZAfxAGKPjNrhrqBJbGbB0r7CmFRnFPcnwdQQVxx6gxyH5ia5/
+VoNmQRsFlWJJsl2W64IJq8xe2PeF8nhqOh3bg8Q5lPkSqHHb/9G370quRj0Ig+FX
+up3eDUfiF+BpKkTHlelpPOhG6aeZzvwuLcF9+5SSqJTtuyMv759Kneybijm/Gv7x
+t8EZkaUydoZhjgkN7fQAhAEW9L6y0+fudL4nBXnm7CW7k3/JSA7V73Ae1u6L/3+k
+W+FDGGqKa0NR+sYOroCarMsqVd29uRabSO4rxzmYZ5W0RE0f1cUfYFM0aDwaU1+l
+bVnNelesXnhjJ219BWcVdZhS+X84VwIDAQABo4IBMTCCAS0wEQYJYIZIAYb4QgEB
+BAQDAgWgMAsGA1UdDwQEAwIEsDBgBgNVHSMEWTBXgBThiP6NmxGeYgJ5XWPC2dy0
+EoDcVKE0pDIwMDEPMA0GA1UEAwwGcGlwYm95MQswCQYDVQQGEwJVUzEQMA4GA1UE
+BwwHUmFsZWlnaIIJAN6RU5TAoOZ5MB0GA1UdDgQWBBTqqQFQLeZGIrYGXQSYxfw8
+zNaXqzATBgNVHSUEDDAKBggrBgEFBQcDAjASBgkrBgEEAZIICQYEBQwDMy4wMGEG
+CSsGAQQBkggJBwRUBFJ42hXKwQmAMBAEwC0mJUiwG1llJY/ohbtgtHv1O8w95yVP
+6IZTlxy7GVgHn0BaGaJvBY29ILmqPvkXh8IOWeAFpiEVtwrrTkxmoYKDgtHpgfcA
+MA0GCSqGSIb3DQEBBQUAA4GBAF0jikJbd1C0PqhpRkmRGaNnAPO4kCSH+nTee1UF
+xSYERpmDHnimDWYjcs35gb1wWwSOLVsTn4X+3TQqMQ1rdnEX5mn7iutqCjj5Rjzk
+icfe5PF7mmnMv6FeKlFEg3WGkIkatI1tF13spHowM8GFZvAcMGVzFkvL6QtzyNKa
+t6+/
+-----END CERTIFICATE-----
+-----BEGIN ENTITLEMENT DATA-----
+eJydUl1vmzAU/SvI6iMMG1NCeNue9jZp29OmKvIXKQrYzDZNo6j/fdeQ0kT5aFU+
+hM25595z7vUeCaPd0CmLKsSZpJLldUJzLpOcLklS3tc8KReiXt4XC8o5RTH6NzDt
+G79DVRYjN3AnbNP7xmhU7ZHbDJCJbZUznTIueS6LVZEDS7NOAfJ1QqIfv6La2GiG
+t8zqRq9RRTEkNWKjvEMVgbVnYgPIqpFAJ+glRsbKoHeP9NDxUXldlxhuQpdymfMc
+42klMCnhHQu8qSZ4zGo9EDNMsgQvE1L+xrganz8QrLScQHoBhI55y0SgFwvYMyHM
+oMOWZJQSQuEz6uytkYMIPv7u0SQfH1/ZO22JvjVAjtGTsm5sL6JfCAkVrXhsvBJ+
+sCpkR4c2PkziVBAzl4R4v+tDkd3QvVVk7ZbtXKI0462SySsvRi3jqr0V8ATdMaHr
+XjmfHHbglvlH+JnWxqRhnU4J0jurWsWcAhcQte7Xq8G2lwIBgoBOeSaZZyv13DcW
+lGYYv8SvZgjJ8muGzs/cbOUcmk38VDL6zvyRgVGTN+nMSmfWoRmoqlnr1ImbcxaA
+6SVDtDhyhK+40aFfN6ZzDf/ocPRhHjccncZeG09xOh5C3xvPpbl8bCB3HI5ROPvH
+Zyo9TvL5eTzA/R9AE5nG
+-----END ENTITLEMENT DATA-----
+-----BEGIN RSA SIGNATURE-----
+FWYaGqnaDRpuaKLEXu9RtxNLbp3q7BM651s1P1jwlE/Ff1GMZrzsreBfRa4FE6ST
+jdWIkOEVpZPEHtdnHlpQaphYDOQBfdSGrOb2ksKqfp0qKrqT4dvzau5IzqtVmkTJ
+SgW0kgf/C5sFxdgD6s9NKmP/u6OgI/qqE+KfnCex/ko=
+-----END RSA SIGNATURE-----
+"""
+
+ENTITLEMENT_CERT_V3_2 = """
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAx6gAwIBAgIIV9sJOhe2u10wDQYJKoZIhvcNAQEFBQAwQzEiMCAGA1UE
+AwwZYXJraGFtLnVzZXJzeXMucmVkaGF0LmNvbTELMAkGA1UEBhMCVVMxEDAOBgNV
+BAcMB1JhbGVpZ2gwHhcNMTMwMjE0MDAwMDAwWhcNMTQwMjE0MDAwMDAwWjArMSkw
+JwYDVQQDEyA4YThkMDFmNTNjZWVkM2FmMDEzY2VlZDQ4ZDIzMDAzYzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAIzSGrfBi8FZ6G4mRRtXGB3QJFXrg/Ni
+Q7+7RxCJ9iMlH7XNceUyIAkJ1R3dNXLxjGrMW1Oe5uZwFrwsOnVrCC0FGXqGVRL1
+afXWqcKfRwfCIYjlKVuufD5Yx4uQL+qCyqwZLvW+uSfxrFR6h6EGly8FEuAj4HFV
+bosBZkD3U763olTGRThq1TNXDtP5azExjet83SHG77xfkYqKQ72d1/2zVs8HrTHN
+QrDAnmaDkMu1j0DBLMEoRuHHTnWosMa3h/pDZl0U9J2fD2EGsqM1d0S7cgn4qkG3
+PyIfaIMTyv3hxqGvZNP6N0yc4DMQytuqonocE3vW1jA4eJLNUakXVSkCAwEAAaOC
+AUQwggFAMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBLAwcwYDVR0jBGww
+aoAUNqBl9Y1c0laNj+4nS/ds3IYTlnOhR6RFMEMxIjAgBgNVBAMMGWFya2hhbS51
+c2Vyc3lzLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdSYWxlaWdo
+ggkAmKoF4QTK9QYwHQYDVR0OBBYEFEQE1wfCnyRQkK87AIDtELjHI22RMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMCMBIGCSsGAQQBkggJBgQFDAMzLjIwYQYJKwYBBAGSCAkH
+BFQEUnjaFcrBCYAwEATALSYlSLAbWWUlj+iFu2C0e/U7zD3nJU/ohlOXHLsZWAef
+QFoZom8Fjb0guao++ReHwg5Z4AWmIRW3CuqQvHBGK2ufmB6KGAAwDQYJKoZIhvcN
+AQEFBQADgYEAsSQHCtJeEqXGEMoug4T95mOPNqqs30gRG/159E1fklNs3Ao1G+WH
+/W/WrOAR8tyPDboWhhCJ3h8q7vEZgmq9Y6bO2HYu+PXrDqzgWYhOgytZnlvTsp3O
+cCwL0kVRZWaSVAPcaM9HUqFcPthidsVPP0gw3iws7XhFhYVaILIPSZ0=
+-----END CERTIFICATE-----
+-----BEGIN ENTITLEMENT DATA-----
+eJydVMuOmzAU/ZXImiUUGxOSsGtX3VVqu2o1iox9mUEBm9pmMlGUf+81ZGiiPGZU
+hATm3Mc599jsiTTa9S1YUhCp0pzmGY8X+TKLM6hEXDJF41ykq/mCV2KxyklE/vRC
++9rvSMEi4vrSSVt3vjaaFHviNj1WEltwpgXj4tdlvs4zzNKiBUQ+j8js249ZZexs
+grfC6lo/kYJTLGrkBrwbG3ghN4isa4XpjBwiYqwKfPdE9205MB++xMt8Med0dU6R
+DiWsx6iUMh7TNGbZT0qL4f6FwaDVCGZXQByPt0KG9HyBayGl6XVYspRzxjg+BlKd
+NaqXgfTvPRm50tMrfWcGsy81JkfkBawbZkn4J8ZCRyufaw/S9xZCdXKc2eNIDgKZ
+qSXG+10Xmuz69l9H0WzFzsWgRdmAit/yItKIEpp7AS84HRNG7MH5+LhCtcI/48ek
+MiYJ78lYIHmw0IBwgCow6ql7Wve2uRaIEAa04IUSXqzhtastMk0pPURvYhhLs1uC
+LjfYJOUSmkR8BzX7KvyJgIGTN8mUlUxZx2GQohKNgzM1l1kIJtcE8fxEEb2hRod5
+3XHnFv5Rc/TRjzuKzmNv2ZOf28P4e/Zc8+VjhjyUuI3C3j/dU8lpkf/34/GAh6cz
+pgk/kUHMUiwVZdWcSyVWSlH8U4Q3UHM8xdliTg6Hvy+doq0=
+-----END ENTITLEMENT DATA-----
+-----BEGIN RSA SIGNATURE-----
+sO2ZOqXX5Vz0v41cWwd24emxZkmo+kHjYPvZ7W3UGW1bIUrPPOfNNlv+k9eybPWh
+9kULCZHdj9ULg9FXAKnQCG412vc2jWld0/vcOTuPdr8sUpEsGF5jeWNzqTiF3Yxb
+Ik5dd1fP0nqF9cgWitFmsdG9olZ17jU1jg3uMj+ujyg=
+-----END RSA SIGNATURE-----
+"""
+
+ENTITLEMENT_CERT_V3_2_WITH_CONTENT_ARCH = """
+-----BEGIN CERTIFICATE-----
+MIIDpDCCAw2gAwIBAgIIGDqZvvF1e2kwDQYJKoZIhvcNAQEFBQAwQzEiMCAGA1UE
+AwwZZGhjcDIzMS0yOC5yZHUucmVkaGF0LmNvbTELMAkGA1UEBhMCVVMxEDAOBgNV
+BAcMB1JhbGVpZ2gwHhcNMTMwNTA4MDAwMDAwWhcNMTQwNTA4MDAwMDAwWjArMSkw
+JwYDVQQDEyA4YThiNjc5YzNlODRkODQ5MDEzZTg0ZGViYjUyMTUwMjCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ4Fg6UL7AIch/3riQTxvSFh/6AUZmFR
+OQ+Pz270AF8JC9Vrc/nRA/EQB1CUoRn2hgJjJulkMgZ1rVOTBnq9KQomPhOOwbMJ
+fWwrdkfvZnUFVT/hXzYhu+7NVIzX6MAovvJc6iYrfctPFVJj7TmWVR2Ay/Dyio0f
+B4ZTang7GDePbNhuHD6PSUZ/3fINJUEkYOW9DyEDFPTZ+LiMbJGV/ZoR6Ww6myAG
+BnIE5M2oiQZlD44/XhbD3VDXOv3HFvxdr366EVBm+LFpOBWPHXW0wSYPcEopWlqB
+sH3QJqSWYVsLP+MC2rreVpTKB80i9/pvbyYX6nRRKnZPCONv+0JemL8CAwEAAaOC
+ATMwggEvMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBLAwcwYDVR0jBGww
+aoAUSlRGfcR6m6MjZo741DCPph6ow5ehR6RFMEMxIjAgBgNVBAMMGWRoY3AyMzEt
+MjgucmR1LnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdSYWxlaWdo
+ggkA0xVWC8yXifgwHQYDVR0OBBYEFP8CFn4AqepLndT/X68rOESBHQTtMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMCMBIGCSsGAQQBkggJBgQFDAMzLjIwUAYJKwYBBAGSCAkH
+BEMEQXjaK8lnyEstSy1iSMvPZ1ApSs1JTSwG8xNzyhMrixkSy1OL83NT84GsnByG
+gsSSDAYA1JYR5Aim7nCyJxRoevAAMA0GCSqGSIb3DQEBBQUAA4GBAI1jfsg9ODpZ
+exsNA1d0OZbUn/1sK4LUtP/eFD0YQl3dv9A0/wRnoDXXFlJLsGt5EzY8qK7iOzti
+K4bLngHfsWDJTOm95FvRRucUu5pAJnuzC/c9fGro+VsqlnNDpU+40bxlY4ODZj5g
+FZ6RLuYKmu5IXLONxIrAVBMAckIA4vrS
+-----END CERTIFICATE-----
+-----BEGIN ENTITLEMENT DATA-----
+eJyNk02PmzAQhv8KsnpoJVw+TPi6paceVqrU9tRqFRkzZFGMTY3Z3SjKf++YkOxm
+m2wjEYE978y8zzjeEaHVMHZgSElYLKI8boA2abigSVQsaJHFGa2aeJEIkRQs48Qn
+f0aubGu3pIx8MozVIEzb21YrUu7IsBmxEn+CQXegB8qlpM95SrGNxVzFO8D48hD3
+vv3wGm28pZTe0ogH7yNKnRKU/YTqJ25Uq9akZCF20mIDdjh0tVxsMLJqa6wWkb1P
+tKkdxI6osasmnGmH5mm2YGFx5nsxVTAWRXEYMYq0Yf4zDMvp+YVaUPUhmFwIOoeG
+C5depLjmQuhRuWUUMxZFDF+Tp97oehTO8+8dmazGEUsw6n7ZbePwjvPwvrRYySeP
+YIZp2IR9jiLXHqWtBWFHA64VWd7dkfuDTXC2js2d2G5713E7di/tuXzi24GC4pWE
+mh7zfCJ5BfI9wSPOSbtZWxgsnVfIze0DbgaN1oH7Dg4Fgg8GJPABEGH2fWZ43a9X
+o5GXMjGEGR1YXnPLV/Dctwatx2G492e68Aqdcu3egbsWv5VNzThzBVI2XA5wI96U
+fI0ufUXH8jRNrp3f6bbh/2WVJrRl8417c4z/0Z2Iv0PtfeX2Fe1k1urgVAIPRp6d
+oauFG4fKb3D/zcZgcAmZOeb7Pab3Wkt3nSf6nOdVmhWCQZ7UeVLgpXVfRSESEWYh
+kP3+L1Ysgb8=
+-----END ENTITLEMENT DATA-----
+-----BEGIN RSA SIGNATURE-----
+Ra24dHnR8vRvtRg4j0DXbftz3DX1c+Cf1yhgKBoLeS6aJ9g2HUJXoDLbLR+6ttHB
+idE9jFhxTj/sNUvewMCKJIE1+El6tcfHmQRAZTiI4Dgqq50buHVmXmTNhotmaMsp
+vVOVtdoqHYcPIZ3makIL9FO9/jLs+G5NH4dCJVrpj8o=
+-----END RSA SIGNATURE-----
+"""
+
+IDENTITY_CERT = """
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAuCgAwIBAgIIBdnhr/WCKpMwDQYJKoZIhvcNAQEFBQAwTDErMCkGA1UE
+Awwid3BvdGVhdC1kZXNrdG9wLnVzZXJzeXMucmVkaGF0LmNvbTELMAkGA1UEBhMC
+VVMxEDAOBgNVBAcMB1JhbGVpZ2gwHhcNMTQwNTA4MTMwNDA0WhcNMzAwNTA4MTMw
+NDA0WjAvMS0wKwYDVQQDEyQwZjVkNDYxNy1kOTEzLTRhMGYtYmU2MS1kOGE5Yzg4
+ZTE0NzYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCHsIAMwqDBji/k
+SMy0BgkrWscYYwy/3vhaU8oEmhFBRMFwy8gzByKcKTTMB642cDhFa+anBbNm4+QS
+OKpfKf8JDj8GKnBspQF3qWxxi1vJGo6iTD/znPQRAlB//furFNmEDaDbhMUtcHEK
+UvjALioR5V3flfMU3hPCYdaAcVvYu8ikI6N52abPlFWCkzbp6EGehISyVZxrlqac
+QOCIPmnUnMVZ1pxYjOTrEhqjvjHMlUuEAmeKlLXKtirgs+X2yfulMJFYXUDeeO20
+AB9CRp/wg3zoGcSzwtriO8GuRSuAmXO0O4HzcpXU7oXJGYBjrTy/B8rukuZbep+t
+Y3+FQmr1AgMBAAGjgfowgfcwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIE
+sDB8BgNVHSMEdTBzgBTPYX+LWg9Ed3S0lIZtc4PuYrbv5qFQpE4wTDErMCkGA1UE
+Awwid3BvdGVhdC1kZXNrdG9wLnVzZXJzeXMucmVkaGF0LmNvbTELMAkGA1UEBhMC
+VVMxEDAOBgNVBAcMB1JhbGVpZ2iCCQCQJzUqJvMgMjAdBgNVHQ4EFgQU4yyaMLWq
+Mc3ch8CwTPRHZrhHFCQwEwYDVR0lBAwwCgYIKwYBBQUHAwIwIwYDVR0RBBwwGoYY
+Q049cmVkaGF0LmxvY2FsLnJtLXJmLmNhMA0GCSqGSIb3DQEBBQUAA4GBAEso9d/F
+xZsoPA4OgfEcTad/5CorTswNTqpmwlkQ6Yp61h8L7BDWJ6ywovqXJQqo6lYK3149
+9+EC6nhTA9uhtODtQQgITkU6nwlYRkB0vrbofR7yO7eewlJ+ybhcVw1FllXfc4E9
+7SS6c7YbmlfQhcoGyzfYXuJYGCyDmDHvcQiU
+-----END CERTIFICATE-----
+"""