unified receipt verification procedure #1

Open
vizvamitra opened this issue Apr 10, 2017 · 4 comments
vizvamitra commented Apr 10, 2017

Hello there. I have some questions about your unified receipts verification procedure.

Reading your gem's sources I've noticed that when the ItunesReceiptDecoder::Decode::UnifiedReceipt is being created you don't check (here) whether the certificates embedded into the receipt's pkcs7 container were issued by Apple.

Instead you've separated certificate validation to a #signature_valid? method. In this video at 19:00 a guy from Apple describes the signature verification procedure. I've implemented it in ruby, the code is listed in a comment below. The procedure you use in #signature_valid? method is different.

So my questions are:

  1. Why did you decide to separate certificate validation from signature verification?
  2. What are the cases when one may want to parse a receipt issued not by Apple?
  3. Is your certificate validation procedure safe? Did you ever have any issues with it? (I don't know much about cryptography 😞)

vizvamitra commented Apr 10, 2017

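require 'openssl'
require 'base64'

# Returns true only if the PKCS7 signature verifies and the signer's
# certificate chains to the pinned root in cert_store.
def verify_signature(base64_encoded_receipt)
  cert = OpenSSL::X509::Certificate.new(root_cert)

  cert_store = OpenSSL::X509::Store.new
  cert_store.add_cert(cert)

  receipt = Base64.decode64(base64_encoded_receipt)

  begin
    signature = OpenSSL::PKCS7.new(receipt)
    # note that I don't use NOVERIFY flag here, so the entire
    # certificate chain will be verified against a CA store
    signature.verify([cert], cert_store, nil)
  rescue ArgumentError
    # OpenSSL::PKCS7.new raises ArgumentError when the input cannot be parsed
    false
  end
end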

# Certificate was downloaded from here:
# https://www.apple.com/certificateauthority/
def root_cert
  <<-CERT.gsub(/^\s*/m, '')
    -----BEGIN CERTIFICATE-----
    MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET
    MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv
    biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDYwNDI1MjE0
    MDM2WhcNMzUwMjA5MjE0MDM2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBw
    bGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
    FjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQDkkakJH5HbHkdQ6wXtXnmELes2oldMVeyLGYne+Uts9QerIjAC6Bg+
    +FAJ039BqJj50cpmnCRrEdCju+QbKsMflZ56DKRHi1vUFjczy8QPTc4UadHJGXL1
    XQ7Vf1+b8iUDulWPTV0N8WQ1IxVLFVkds5T39pyez1C6wVhQZ48ItCD3y6wsIG9w
    tj8BMIy3Q88PnT3zK0koGsj+zrW5DtleHNbLPbU6rfQPDgCSC7EhFi501TwN22IW
    q6NxkkdTVcGvL0Gz+PvjcM3mo0xFfh9Ma1CWQYnEdGILEINBhzOKgbEwWOxaBDKM
    aLOPHd5lc/9nXmW8Sdh2nzMUZaF3lMktAgMBAAGjggF6MIIBdjAOBgNVHQ8BAf8E
    BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUK9BpR5R2Cf70a40uQKb3
    R01/CF4wHwYDVR0jBBgwFoAUK9BpR5R2Cf70a40uQKb3R01/CF4wggERBgNVHSAE
    ggEIMIIBBDCCAQAGCSqGSIb3Y2QFATCB8jAqBggrBgEFBQcCARYeaHR0cHM6Ly93
    d3cuYXBwbGUuY29tL2FwcGxlY2EvMIHDBggrBgEFBQcCAjCBthqBs1JlbGlhbmNl
    IG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0
    YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBj
    b25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZp
    Y2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMA0GCSqGSIb3DQEBBQUAA4IBAQBc
    NplMLXi37Yyb3PN3m/J20ncwT8EfhYOFG5k9RzfyqZtAjizUsZAS2L70c5vu0mQP
    y3lPNNiiPvl4/2vIB+x9OYOLUyDTOMSxv5pPCmv/K/xZpwUJfBdAVhEedNO3iyM7
    R6PVbyTi69G3cN8PReEnyvFteO3ntRcXqNx+IjXKJdXZD9Zr1KIkIxH3oayPc4Fg
    xhtbCS+SsvhESPBgOJ4V9T0mZyCKM2r3DYLP3uujL/lTaltkwGMzd/c6ByxW69oP
    IQ7aunMZT7XZNn/Bh1XZp5m5MkL72NVxnn6hUrcbvZNCJBIqxw8dtk2cXmPIS4AX
    UKqK1drk/NAJBzewdXUh
    -----END CERTIFICATE-----
  CERT
end


vizvamitra commented Apr 10, 2017

Also here is a receipt I've found somewhere on the internet with one of the embedded certificates outdated. You don't check the certificate chain, so both #verify and #signature_valid? will return true while the implementation suggested by Apple will fail:


@marcgreenstock
Contributor

Hi @vizvamitra,

Thanks for opening this issue. It was something I struggled with when I created this library.

The initial problem I had was related to expired Apple certificates.

OpenSSL::PKCS7::NOVERIFY needs to be used to extract the payload, which includes the creation_date. If the certificate is expired, the verify method will fail.

This library should check the certificate chain and verify the certificate expiry in the context of the creation_date. I will look into this as soon as I can, but in the meantime please feel free to open a pull request. I appreciate any help I can get. Thanks!

@virusman

@vizvamitra What does the Apple validation server return when you check this receipt? I think an outdated certificate is not an issue if the signature was made before expiration. Receipts signed with the certificate that expired in 2016 should still be valid.
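
The check the last two comments converge on (verify the chain, with certificate validity evaluated at the receipt's creation_date rather than at the current time), as an added example that is not code from the gem or from any participant in this thread. It assumes the payload is a SET of type/version/value attributes with the creation date as attribute type 12, and that the caller supplies the pinned root; `creation_date` and `receipt_valid_at_creation?` are hypothetical names.

```ruby
require 'openssl'
require 'time'

CREATION_DATE_TYPE = 12 # assumption: attribute type that holds the creation date

# The payload is a SET of SEQUENCE { type INTEGER, version INTEGER,
# value OCTET STRING }; the date is an IA5String inside the OCTET STRING.
# Anything malformed counts as "no date" so the caller fails closed.
def creation_date(payload)
  OpenSSL::ASN1.decode(payload).value.each do |attr|
    type, _version, value = attr.value
    next unless type.value.to_i == CREATION_DATE_TYPE
    return Time.iso8601(OpenSSL::ASN1.decode(value.value).value)
  end
  nil
rescue StandardError
  nil
end

# trusted_root: the pinned root as an OpenSSL::X509::Certificate.
def receipt_valid_at_creation?(receipt_der, trusted_root)
  p7 = OpenSSL::PKCS7.new(receipt_der)
  # Step 1: signature only. NOVERIFY skips the chain, so an expired
  # certificate does not block extraction of the payload.
  empty = OpenSSL::X509::Store.new
  return false unless p7.verify(nil, empty, nil, OpenSSL::PKCS7::NOVERIFY)
  created = creation_date(p7.data)
  certs = p7.certificates || []
  return false if created.nil? || p7.signers.empty?

  # Step 2: chain check for every signer, evaluated at creation_date
  # instead of the current time, against the pinned root only.
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.time = created
  p7.signers.all? do |si|
    cert = certs.find do |c|
      c.serial.to_i == si.serial.to_i && c.issuer.to_der == si.issuer.to_der
    end
    !cert.nil? && store.verify(cert, certs)
  end
rescue ArgumentError, OpenSSL::PKCS7::PKCS7Error # unparseable input
  false
end
```

Because creation_date is read from the receipt itself, this answers whether the chain was valid at the time the receipt claims to have been created; it does not check revocation or certificate purpose extensions.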
