From 7ec670d7756cc829a53c2705d84dcc3c3b2a908f Mon Sep 17 00:00:00 2001 From: JiriOndrusek Date: Thu, 2 Nov 2023 15:57:09 +0100 Subject: [PATCH] Cxf-soap tests fail in FIPS environment --- .../cxf-soap-ws-security-server/README.adoc | 17 +- .../cxfca-openssl.cnf | 16 ++ .../cxf-soap-ws-security-server/keystores.sh | 42 ++++ .../cxf-soap-ws-security-server/pom.xml | 230 +++--------------- .../src/main/resources/alice.p12 | Bin 0 -> 4569 bytes .../src/main/resources/alice.properties | 4 +- .../src/main/resources/application.properties | 5 +- .../src/main/resources/bob.p12 | Bin 0 -> 4565 bytes .../src/main/resources/bob.properties | 4 +- .../cxf-soap/cxf-soap-ws-trust/README.adoc | 53 ++++ .../cxf-soap-ws-trust/cxfca-openssl.cnf | 16 ++ .../cxf-soap/cxf-soap-ws-trust/pom.xml | 30 +++ .../trust/server/ServerCallbackHandler.java | 2 +- .../it/ws/trust/sts/StsCallbackHandler.java | 2 +- .../src/main/resources/application.properties | 3 + .../main/resources/serviceKeystore.properties | 5 +- .../src/main/resources/servicestore.jks | Bin 3475 -> 0 bytes .../src/main/resources/servicestore.p12 | Bin 0 -> 4599 bytes .../src/main/resources/stsKeystore.properties | 4 +- .../src/main/resources/stsstore.jks | Bin 5570 -> 0 bytes .../src/main/resources/stsstore.p12 | Bin 0 -> 6415 bytes .../it/ws/trust/ClientCallbackHandler.java | 4 +- .../test/resources/clientKeystore.properties | 4 +- .../src/test/resources/clientstore.jks | Bin 5571 -> 0 bytes .../src/test/resources/clientstore.p12 | Bin 0 -> 6421 bytes 25 files changed, 224 insertions(+), 217 deletions(-) create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-security-server/cxfca-openssl.cnf create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-security-server/keystores.sh create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.p12 create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.p12 create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/README.adoc create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/cxfca-openssl.cnf delete mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/servicestore.jks create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/servicestore.p12 delete mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsstore.jks create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsstore.p12 delete mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/test/resources/clientstore.jks create mode 100644 integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/test/resources/clientstore.p12 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/README.adoc b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/README.adoc index f5a485d1accc..cf2240308bbb 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/README.adoc +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/README.adoc @@ -16,4 +16,19 @@ We test in two ways how the SOAP service endpoints are deployed: the Camel way a * The service method then forwards to a Camel route defined in `WsSecurityPolicyServerRoutesCxfWay` * See also `WssSecurityPolicyHelloServiceCxfWayImpl` * This way may come in handy in situations when the Camel way does not work properly, - such as https://github.com/apache/camel-quarkus/issues/4291 \ No newline at end of file + such as https://github.com/apache/camel-quarkus/issues/4291 + += FIPS + +Please use profile `fips` if running the tests in the FIPS-enabled environment. The tests have to leverage BouncyCastle-fips dependency instead of standard BouncyCastle. + += Generating keystores + +Run following script `keystores.sh` in a folder with `cxfca-openssl.config`. + +Content of the script file: + +[source,bash] +---- +include::./keystores.sh[] +---- \ No newline at end of file diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/cxfca-openssl.cnf b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/cxfca-openssl.cnf new file mode 100644 index 000000000000..e30286ea7e51 --- /dev/null +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/cxfca-openssl.cnf @@ -0,0 +1,16 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +organizationName = Organization Name (eg, company) +organizationName_default = apache.org +organizationalUnitName = Organization Unit (eg, company) +organizationalUnitName_default = eng (NOT FOR PRODUCTION) +commonName = Common Name (eg, YOUR name) +commonName_default = cxfca + +[v3_req] +basicConstraints = CA:true +keyUsage = critical, keyCertSign + diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/keystores.sh b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/keystores.sh new file mode 100644 index 000000000000..fae4ac53dc34 --- /dev/null +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/keystores.sh @@ -0,0 +1,42 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +echo "*** Generate keys ***" +openssl genrsa -out alice.key 2048 +openssl genrsa -out bob.key 2048 + +echo "*** Certificate authority ***" +echo "When prompted for certificate information, confirm default values." +openssl genrsa -out cxfca.key 2048 +openssl req -x509 -new -key cxfca.key -nodes -out cxfca.pem -config cxfca-openssl.cnf -days 10000 -extensions v3_req +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -days 10000 -out cxfca.crt + +echo "*** Generate certificates ***" +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -out cxfca.crt +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=alice' -key alice.key -out alice.csr +openssl x509 -req -in alice.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out alice.crt +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=bob' -key bob.key -out bob.csr +openssl x509 -req -in bob.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out bob.crt + +echo "*** Export keystores ***" +openssl pkcs12 -export -in alice.crt -inkey alice.key -certfile cxfca.crt -name "alice" -out alice.p12 -passout pass:password -keypbe aes-256-cbc -certpbe aes-256-cbc +openssl pkcs12 -export -in bob.crt -inkey bob.key -certfile cxfca.crt -name "bob" -out bob.p12 -passout pass:password -keypbe aes-256-cbc -certpbe aes-256-cbc + +echo "When prompted for password, type 'password'." +echo "When prompted whether to trust the certificate, type 'yes'." +keytool -import -trustcacerts -alias bob -file bob.crt -keystore alice.p12 +keytool -import -trustcacerts -alias alice -file alice.crt -keystore bob.p12 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/pom.xml b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/pom.xml index 546df014f801..25391d38f975 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/pom.xml +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/pom.xml @@ -118,206 +118,6 @@ password - - generate-cxfca-keypair - generate-sources - - clean - generateKeyPair - - - cxfca - CN=cxfca, OU=eng, O=apache.org - - bc:c=ca:true,pathlen:2147483647 - IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE - - ${project.build.outputDirectory}/cxfca.jks - - - - export-cxfca-certificate - generate-sources - - exportCertificate - - - cxfca - ${project.build.outputDirectory}/cxfca.jks - true - ${project.build.outputDirectory}/cxfca.pem - - - - generate-alice-keypair - generate-sources - - clean - generateKeyPair - - - alice - CN=alice, OU=eng, O=apache.org - - IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE - SubjectAlternativeName=DNS:localhost,IP:127.0.0.1 - - ${project.build.outputDirectory}/alice.jks - - - - generate-bob-keypair - generate-sources - - clean - generateKeyPair - - - bob - CN=bob, OU=eng, O=apache.org - - IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE - SubjectAlternativeName=DNS:localhost,IP:127.0.0.1 - - ${project.build.outputDirectory}/bob.jks - - - - generate-alice-certificate-request - generate-sources - - generateCertificateRequest - - - alice - ${project.build.outputDirectory}/alice.jks - ${project.build.outputDirectory}/alice.csr - - - - generate-alice-certificate - generate-sources - - generateCertificate - - - cxfca - ${project.build.outputDirectory}/cxfca.jks - true - ${project.build.outputDirectory}/alice.csr - ${project.build.outputDirectory}/alice.pem - - - - generate-bob-certificate-request - generate-sources - - generateCertificateRequest - - - bob - ${project.build.outputDirectory}/bob.jks - ${project.build.outputDirectory}/bob.csr - - - - generate-bob-certificate - generate-sources - - generateCertificate - - - cxfca - ${project.build.outputDirectory}/cxfca.jks - true - ${project.build.outputDirectory}/bob.csr - ${project.build.outputDirectory}/bob.pem - - - - import-cxfca-certificate-to-alice - generate-sources - - importCertificate - - - cxfca - true - true - ${project.build.outputDirectory}/alice.jks - ${project.build.outputDirectory}/cxfca.pem - - - - import-cxfca-certificate-to-bob - generate-sources - - importCertificate - - - cxfca - true - true - ${project.build.outputDirectory}/bob.jks - ${project.build.outputDirectory}/cxfca.pem - - - - import-alice-certificate - generate-sources - - importCertificate - - - alice - true - true - ${project.build.outputDirectory}/alice.jks - ${project.build.outputDirectory}/alice.pem - - - - import-bob-certificate - generate-sources - - importCertificate - - - bob - true - true - ${project.build.outputDirectory}/bob.jks - ${project.build.outputDirectory}/bob.pem - - - - import-bob-certificate-to-alice - generate-sources - - importCertificate - - - bob - true - true - ${project.build.outputDirectory}/alice.jks - ${project.build.outputDirectory}/bob.pem - - - - import-alice-certificate-to-bob - generate-sources - - importCertificate - - - alice - true - true - ${project.build.outputDirectory}/bob.jks - ${project.build.outputDirectory}/alice.pem - - @@ -383,6 +183,36 @@ true + + fips + + + fips + + + + + io.quarkiverse.cxf + quarkus-cxf-rt-ws-security + + + + * + org.bouncycastle + + + + + org.bouncycastle + bc-fips + + + + io.quarkus + quarkus-security + + + diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.p12 b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2d6185c7762d7289d94619b6654a21d6f6597829 GIT binary patch literal 4569 zcmaJ_WmFUlv)+ZJ7h&mc=~%j1Sh~B*r5gdIa{(y<0SQ3~>DHwsBqUZsQo2(SQCJ$} z^E>yR_dWN|{V`|G^E@;2YtD1#3=|2O!vbPMk&q}{0^VmD&n}38c)(&LD zpU+_TyJBJC1E64B{Qnt&MSufkzcamYMcJs+1jlVelIY{_3_WGc&p3_sW;xgt7h}`8i0KUe2MxFWYth8tYJD!> z-piA&XKD>99N1Aa&zc zTw=E&0v_{d=tSipo3bQIYx}o5W+u$j?@8-%ZZyDd2}kW@d_ ztw81Y69$0IuR62wj{^K#kvs<;k{v$MGsNWfiqY+XIik4aPufHAA2d))?60_QS#Afp zMFkpPD}8mY8~Jn!tqJZsRv1)PBT#8^03F@HFK}a(Y8`A_kIRZnO3d=Ub9OCNv7Cqg z{M59{fGve1)YpG3Kn03=H;NcgaIS%|He!p4&y@CfNd?vv{N1YO70(1G`5q1Fh=<#M z5#Y3?Arwfe4Llg;uA1cc|lkT`bL^|lC?p$v)QG$PtZ&v+Z!Sj-t`QRHvWd?jJ& ziS)jFzBl9zN(oN|3a3S02UiyO!z9u{?X?085g@v_svz2ZOk}K#gYR(;xt}Q`Vs@8# zT`>%9EK+cN+jK$P^dOLz>vA3B`yEud%p!X4ohy(qUUk1UF(;2RBz{DjPTL?YHdv2z z^De}bh&^sexCY|w8ivF0$5zcydgtn_a7Weh8qhom*7xy6yS5UJ`Z-{s-Orm(Sg~Yjj zbEfKmf;M;x&~k7O*|6hN_qHO?Sj*#@K%nXKqz`g#qo;p(nvGcV7-n%Ha&uZPz%7rmwT(4ED%qtlH76yt3akE_tA0Bho zC|Ck-B&bYd9Tf<@!ecZYXV$(NjqP>${{p*EaCU{nKw|8IPY)B|pY$+k7MJBY#?lb|2Gv?Vym2xwP31b&MPTn~Bg!tGaaud=O&3fg%^ISoqU|nARn)oa ztp_?QR5x6_ez5LgyiUpu%$qMm)c>f!Q zDFjPQ-+6Ij3h$+r5dn+ zfWN8oUj+zt`3L;m3nyOkRZzz%r*0)kwj1oVVEsOgZpiu5$m{fmNR^SVk%olQdWv*+ z*Qy=7gs(Ex%k~Ha&|Mn@UdX7s`uWwJ> z6&=ZEQxBzB&2Mkv{CJy_ODT6Zw4li&~_Ko!FPCa&LWe>|&H#>7M4ogvp zN}mD$r$NWmxA20eC@z)A5&V_C-}@Fu+;dmIJevXBKOe6?hPi09Ve9JD$uCZP=cDq! z8~qZI_wu+vYVm8d!r7T4{fJ8R72j2yV;YTnTV@avA(ejydK|ClHRsHtQ4AJY$gYwd3zTx9}y=r`x@mGHkpODs8GD-KFcZ2pTTgQl;7(-Q3=^t$E;VB zP0q^``NZYDS3Y7E!E%l+Xc;-~)1_taj!Ll;-Pdj&If1hO$R5WPXGehLa^=5kv+!entfVB9z&elQX^; zA}LHHLB%NF)Acz+g9lUH|yva7UV1@Eaw{-&>U{!qm_))F&`VtG9v|MltnY+ zw0qS}#hbne#hacJGljACRjXEujTlv&quV>kvI+xL1(&-;E0UvPvU!Ab4X1t^A2J@) z^gfx!+oG1=Ykj5?N>8-q4`biMhx6dzQAP14XeEoMgSWTi?fj+`4?Msfp9}(v&wj&< ztzU9~f8M=Tc}16AOe?BP)_-}>5!kLyfU%*XF8k++ zFXJxwNqhY)=T1U#&wx*VahE^$7yer9DXgaA&R$e-aZ8qPv7UIW-^#4&YfzUwU&_;d zOf}FIda2ymdosTM+ZH!Q^k&iisj@kilQkJOgRw461?Q`a-vZSQuBe8@M6tH&XW@l; z`WCQ{j@#j{DP@_-9K62H+ zrJoLlFro3Vq(m{x{*I|8($~Z#Fw5gBCjNL?zgSHoy=0T$zDR0|W>*tDLL;BD&n#Un z>-F^rDuvsQayTuZeMtZ&k>)hVRyd0HM<=ZjF80B%n{N#8hx{S;h}0Qt5cR@zr#LlK z0*F4PIz@=n;ci|Z&0%UJL#PHpf-$Y4B?}dUqpx!1c4HTcaYcvD?Yt4j9iC!i$3p4L zt0NZ-yEJ*1119+{X5}OyhcXW%5u=LC4J+AXoCmC(%nR0F+nCu*28@=zCA~%)fqieK zYS@$3+aFSl3(d=_k~?B?K87FeXDsqr1t*{jA6Y|C%NG2tz8srU9#(_5Ol!m60sC89 zeUXGsf;CrGlH8-nb*-v=>FNfbrWlhwFBJY$@e;;!`so)75WV5nxz;T4CmIiJ=1fe- zTT^=wS*gk}mcA32Sgyt;N81A&IQ6ErblKBuI+9Q83Fy?3<}XfL27y(fmrlx-MBpAFQdkhf|6lf zL;6s;Z+LBS_n3VN9L`(bG>4)Eep}J5GYh{~ZY`9!JDsj3q#B;8hy#gaI{$bqhu!r< zct~JzCXp0Ytu5c59W2IRs5_<5!gz`Yn?IkQiW+Kx$VN-qIg-}D0$w_ z9Ak-XB|pj_6l&FNfPO9xMy^#GHLyI_%Orac)vuMk`F`_ds(#k!o#?OOMUVZJ$`g}? z5^1d1i?91$92BX43k)7(NCWh zeffbsSFF)GM(B_iNiN^abmAiJ+{hwWC}ei0ZGNiZ$Hy^G$);(=^`z>1tB&CK5CPp> ziUwD&v))9la90102p*kk@L)?m2WzhLq{lfw(RqtjwzE>HnQP$Q+g6ah_Fx%Drux_n zX`z7NI_>?=6HcW(Hd%@u$6KjYP$ngbSx+9$wUOO@>u@aJFy1TtLeD$F1Zm6)TCqDv z$Ddx=jzfZ8P8)LE#@FiOX}3n?F}NutZ@^hfUP_6}=o2_<#<`7}T$G~^h!thBmF5zB ze@Mt-TSVojY3Gq7+isF^rD1d2Y&xz->q<(j9prcS1X)BwP{Aihmh!vjA~%-Nik16~ zhXmFKDl=XED3v(mZ%9FZWuzAELw!^-^Mg1WDQ)>iS-$Y^L2OOYnI79kU{_oJvEz#SW4BDQB9KczM5I z6r1jV+1UJE5O?bot@nex#(wgwPACws#tOhwKV>wyBMdsPzZ- z;I3bHXW$*X$W6xDXZ>}3e+u-TN1vmHl#`#|a{#~$Q&O@eEfJD09@5tv%}AoQL)QZN zs!p^WI%X_rlJuwJq!bdqeIke z0(B0=P+yFp)X<`qJAFJji}hW4e%SGBr1w@pJ503*p!vkDszhMjhi_Ny#W~%!e4XMJ zb0@)0#b;(GY~#XHdIkdSO3@z45ozh^7jQlze&6@>4cPqJ8v3o@{n};{#7!TRpa8P9+~hDChG29<6P-pmjoG`jb>gAPeW>qd2jpca#t=) zAw#pR=S{Lk8{akn{Od_uG>@gAWa=LuXg7 zY4l;YA7v%$GIX|^lHQj1vn0}4T3`&^ST(Ne{9zcw+wx?dyk?n+&nt(&nOC2Ju|!r% zhVC*sI-;F;Ol}U=^auXDu~DPWgY3wRLUp0SP~v~SA6P&f0EopWp0=7~V_;($M9*Hm wTIgMsg3Bsp_NYxILIxIML7D@i5PPa|jBv|sVLAClRo|x3GU^+z|KF4SKXsF2ssI20 literal 0 HcmV?d00001 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.properties b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.properties index b562e89eec21..d091ff496354 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.properties +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/alice.properties @@ -15,7 +15,7 @@ ## limitations under the License. ## --------------------------------------------------------------------------- org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin -org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=password org.apache.ws.security.crypto.merlin.keystore.alias=alice -org.apache.ws.security.crypto.merlin.file=alice.jks +org.apache.ws.security.crypto.merlin.file=alice.p12 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/application.properties b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/application.properties index b562d1923498..1951074594fe 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/application.properties +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/application.properties @@ -19,4 +19,7 @@ quarkus.cxf.path=/soapservice quarkus.cxf.endpoint."/security-policy-hello-cxf-way".implementor=org.apache.camel.quarkus.component.cxf.soap.securitypolicy.server.cxf.way.it.WssSecurityPolicyHelloServiceCxfWayImpl -quarkus.native.resources.includes=bob.properties,alice.properties,alice.jks,bob.jks,encrypt-sign-policy.xml +quarkus.native.resources.includes=bob.properties,alice.properties,alice.p12,bob.p12,encrypt-sign-policy.xml + +#If profile 'fips' is active, this property is used to select a security-provider. +quarkus.security.security-providers=BCFIPS \ No newline at end of file diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.p12 b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.p12 new file mode 100644 index 0000000000000000000000000000000000000000..97afb1dd9f7117fffd8ff1d020e51746dae01c79 GIT binary patch literal 4565 zcmaKwWmFX0x5kHI0BMFCVL*`Xp*y6N?w0P52FYOvhwcy*k&qUUknR>36b4XAzyU!z zbm+hTb?U7q}PmWBHO~*77vA3F4P!*SlBeV8@&4ij6_(x+k^&)^hgI?);>b> z(O_`>B5}t`GT&9cYWkGMMn2<%`|>!S$fNS`OVIS&#RF7-YV(Xx>QO29uz0*JZ5J@e z8O9xUaeI+S<>VnVS0ckcSVgW!5MY}4z$&B@y!v9G60lOEd2iC%&STL#3&j%3%AH&^ zfP9m~%dW_sXOi5p$a>47@manfqVJJIpq^to(!FQR19uw(WU7=>!_*JGA-EFFI%33FE$DeA6LYMj<9% z@(16c)ec#gT2a+4tapCx*FcJ?=8DaOXN1YB`5NX9fG=VsSjG=uHEs@s>3aQmLl}C$ZL{VLOTboefVD(G6VNm0GJi z(OcVfA2bS;Q_J1T&tBR(o*E2u2!5ysNtVvpoZSqL@>ZdLo$|&ni^BIztCrc86%|oW z(jn3WK=y9@6*_6Oei+uff@2susGlv$;(+#~3f*T6&p{c#3bu7QIRSROVOb{|JE~tp z=lg2e9lF=cFBVp-m$%f+#8R?N%kr zmhD=riE=k~n*(}_zp%weu`{J7br{8e<>890h_Ugr-TTThS{XMQILf$5f%MF4%1A|U zw+g$PEP-}9y~n?;22|!MuT*=L*99ZvhSP?6o95&aS>0=&g_k*t(``x{EVQEDyo$x$ zICR_FdT#ROX~XQxgSYvowQSvN_fVAoJdeYWL` zA!B3G7Q8_T5Mh(S-*jZ!j6%hT}3QpaI!6H_~Lz^PAGQD=M z*+|20&{&-eaiY$jwbBl`$It^3rh!5ICr0`M!q#Q#Vyw1d^++tN2f||npAa5&;q#YX zu?$F5n9sd8H&u}0=>4rQQ||6`|0Z7km~Z!Cz0>oZv6ktpSq5|{8P1droY z@*kPmJh70Mshpqv2W*ksHe*5B40%&98O~73bcY7{>u!H)IkPpM7HJzsIrt9)pYKiP zQ*L<;Q(wp?f*inHS8n7R2whdRv@=nI`_)M2PWONt!l_jo6A!9iQoLHR5<%l#s($H6 zit*dHgcm`W5b}`bNTqiTD;fw8ghGLb5QLfBcbuQ0eNF%Xt6cz^_mq9hmMO?$=902gJ63Sg)k8! zM?RaY1OVhPwTLS7S5tQ?=h?L%kN#jRjm9CkLC9-(V^+grq|?q5YnbeM=Mt~ZQlXfW zm-z;@T_1^g>;&!o3VHS`W&pCduw&#qAn1bY##Y(`=Ziw($`f=nkzWWZy^dQm_=cFgBHPbo08Ue(Z?0V-1mCDd3=09JALM~IvGID!(@MxPiIFke{WZf$uQ9=-{y=air8?lm z(8|%(_J>;eL)8H9RAR^)p@g(bAh7>WeuiL(W68+ZqDktr+uoz!iE$l~RXPrzWCJhB zJbTRfQ=%!OJ~m_(U8|ZyXSMhamm6agC*q9r#Kn5-MJulWJW>r=@+Wzqjfnog+t)VN zUoMqzKc{2ihH8b0F0Va0sYdf~)%!HP@#;siL0Yt{hna4SW+iUFmc_|vk}0b-2_FTB>h#_>Wx&gJJg##`b6aGwz8T_lr&KG3qfX~n*sl4=ee?*c zp#(11=1T})7hyr%wdlm2?D1}$>7bY5<=4Xe`U4pyIY=z3Piep3TL+D`-0d(5@enp( zmaQp$G++p+$XirQjtTr5Y~&2K`F%1!^;VUt z*{ILyDw(q0QN;qgBh`8BCL`JVKhj2js&WMRRz}%4wwO;7=Nx`5#?1ii>gTT?JW1H+ zt*sFq%XN_^9skoZI(>xdiqJO=Hpz#TuzeqQC?4k3U<567D7bjSdPY(`Rzi6U$4mREjWQo*)uIK93boF3eKU;*sK`a zS*{Sb40OD2YG-L|2=57e{CUBkLd#PHZ;n(6s3RY+Qa33|Gcbfi z6?cv!Eh?yod(AwD2z}xmW6$zTo-!aeVZKIEQpQ;%?BE?#IKy?wjlvl+4#tEX$293j zTYs!&74)1A#L~k_E#1Z?th_lKyVajR)wdE(TWfm$;;Ld5h3WkQ4^1!DopBoDBc%NH z8m-JEEGfml-Ysvh0=5DKcb z-V1SlvdhFz0|2{{2z&Qj>UC_dvX+I-2@o)IvgaOZcxASIPT!_O2F{Dh+>8vEJA19c zgL&nA0AVh zsr4}U5H@{tR171TnANy?ZAFcyZ_M#5G^76`X|iEbl>M?SN#x0u$-RV8uQ&z|-ynA( zEX_~iS?J~`(xSO&42UqjUpkuGrB zgBZPIMgcyQnmzFk^<_KX2>vo7GC|p~o_rmy7-e1a_zv_b6Lm|Js_F^{Gkr&jlq) zBb+VT!wYrWaRswic^+nZW&HvJ<2Vj3Q7=A!Zl_C2e*74?iH&h|+_Ap@4!Ldk7BSmx zidf#6zdC2tq2=rGx7ppf-*`vI_6N17{18}mw-MRd+c!9DrtpnnK|mWVX5?ry9&YG# zzcWf=qN1yTxyE}l?WDQF5W$oTr>THyo|x859ksVIpWjBCi_eXw=jJHUU08-kGNLbw zbdDW?eJ?}~kRQw+npU`#r@+RUmTBw9oFwl)OTwhh-ja@t_bERvO}D!OpP0PQbxKX;hxicQAGoehtTU|Xar6+f^qN;Zt%R+S1$8ZyKL6S=QO-TTTw=!y8RGgwpx_9 zHLI4IvP8QlS7SrIREIoXeW&cgJJV`iVd$yf(oD%zZo<*L{zmQ)imf_ZzHRw@7g z*2_^y&CfH`IvQYpGItfe3_Vm{=xYbw2XW=5Ild$$m;Rl@6p!4-I!1V`)Z89?Li@LW ziV)q3b|-uB@*}v&>kx;E`fBT3iKYd;a3#f_-dzhm5&m)Yb5h3{Qe|$7{O)?2@24ZB zo{4@m!cXQP#Ku0N7hQ*5IMwnO`XDji1EEpA{m41y_R&({F&W2j-F#QPICrJ_(Pot|XperirgM!{oFpL1A!?9+U_WTS-$N7O z1jPtwI+I{U2T^u*u0CA7%`V4LT%YZdRvT+*Rz;OpES47_xE(WgBjR&BVgh!IgtM2?l znQ8FHpj+UJ$zq|q*C3;emEWa98T#+HDOI3f1rzn13xFh>4v4LrpcbMbx7Xqc|AG0`SM0q|bWH+IQ;Z>ziMVXx$iuRn~8 z5-6XIJ@!kRYC}CZ${Nkb6Xp!=sU47>QHUr(BlRQhQStFn)EY%~YTrnM)ZU=E%?^C( z%jz-9*DmnZgXjg3usfAV&WZBg>N5h)yQ|1AjRuw$lHaU2qk21b#h{R$`_+*Zznde+ zEBXc13(PICyx;qVatr0`DSd?$N@CYx+Atv)=|4XoKpZ>(h#B-@Z={!ppk`Nljx1aE vhUCUwBZVv!NN>Zd444=FlLDe1mYQYeVlUDVjcBDc4t+ouH5{V*-^l(SJIbeJ literal 0 HcmV?d00001 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.properties b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.properties index 4b4e1bd8a567..6f56138d7ebc 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.properties +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-security-server/src/main/resources/bob.properties @@ -15,7 +15,7 @@ ## limitations under the License. ## --------------------------------------------------------------------------- org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin -org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=password org.apache.ws.security.crypto.merlin.keystore.alias=bob -org.apache.ws.security.crypto.merlin.file=bob.jks \ No newline at end of file +org.apache.ws.security.crypto.merlin.file=bob.p12 \ No newline at end of file diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/README.adoc b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/README.adoc new file mode 100644 index 000000000000..87c46c6f81b2 --- /dev/null +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/README.adoc @@ -0,0 +1,53 @@ += WS-Trust tests + +== FIPS + +Please use profile `fips` if running the tests in the FIPS-enabled environment. The tests have to leverage BouncyCastle-fips dependency instead of standard BouncyCastle. + +== Generating keystores + +Run following commands in a folder with `cxfca-openssl.config`. + +``` +echo "*** Generate keys ***" +openssl genrsa -out myservice.key 2048 +openssl genrsa -out mysts.key 2048 +openssl genrsa -out myclient.key 2048 +openssl genrsa -out actasclient.key 2048 + +echo "*** Certificate authority ***" +echo "When prompted for certificate information, confirm default values." +openssl genrsa -out cxfca.key 2048 +openssl req -x509 -new -key cxfca.key -nodes -out cxfca.pem -config cxfca-openssl.cnf -days 10000 -extensions v3_req +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=cxfca' -x509 -key cxfca.key -out cxfca.crt + +echo "*** Generate certificates ***" +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=myservice' -key myservice.key -out myservice.csr +openssl x509 -req -in myservice.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out myservice.crt +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=mysts' -key mysts.key -out mysts.csr +openssl x509 -req -in mysts.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out mysts.crt +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=myclient' -key myclient.key -out myclient.csr +openssl x509 -req -in myclient.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out myclient.crt +openssl req -new -subj '/O=apache.org/OU=eng (NOT FOR PRODUCTION)/CN=actasclient' -key actasclient.key -out actasclient.csr +openssl x509 -req -in actasclient.csr -CA cxfca.pem -CAkey cxfca.key -CAcreateserial -days 10000 -out actasclient.crt + +echo "*** Export keystores ***" +echo "When prompted for password, type 'sspass'." +openssl pkcs12 -export -in myservice.crt -inkey myservice.key -certfile cxfca.crt -name "myservicekey" -out servicestore.p12 -passout pass:sspass -keypbe aes-256-cbc -certpbe aes-256-cbc +echo "When prompted whether to trust the certificate, type 'yes'." +keytool -import -trustcacerts -alias mystskey -file mysts.crt -keystore servicestore.p12 + +echo "When prompted for password, type 'stsspass'." +openssl pkcs12 -export -in mysts.crt -inkey mysts.key -certfile cxfca.crt -name "mystskey" -out stsstore.p12 -passout pass:stsspass -keypbe aes-256-cbc -certpbe aes-256-cbc +echo "When prompted whether to trust the certificate, type 'yes'." +keytool -import -trustcacerts -alias myservicekey -file myservice.crt -keystore stsstore.p12 +keytool -import -trustcacerts -alias myclientkey -file myclient.crt -keystore stsstore.p12 +keytool -import -trustcacerts -alias myactaskey -file actasclient.crt -keystore stsstore.p12 + +echo "When prompted for password, type 'cspass'." +openssl pkcs12 -export -in myclient.crt -inkey myclient.key -certfile cxfca.crt -name "myclientkey" -out clientstore.p12 -passout pass:cspass -keypbe aes-256-cbc -certpbe aes-256-cbc +echo "When prompted whether to trust the certificate, type 'yes'." +keytool -import -trustcacerts -alias myservicekey -file myservice.crt -keystore clientstore.p12 +keytool -import -trustcacerts -alias mystskey -file mysts.crt -keystore clientstore.p12 +keytool -import -trustcacerts -alias actaskey -file actasclient.crt -keystore clientstore.p12 +``` \ No newline at end of file diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/cxfca-openssl.cnf b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/cxfca-openssl.cnf new file mode 100644 index 000000000000..e30286ea7e51 --- /dev/null +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/cxfca-openssl.cnf @@ -0,0 +1,16 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +organizationName = Organization Name (eg, company) +organizationName_default = apache.org +organizationalUnitName = Organization Unit (eg, company) +organizationalUnitName_default = eng (NOT FOR PRODUCTION) +commonName = Common Name (eg, YOUR name) +commonName_default = cxfca + +[v3_req] +basicConstraints = CA:true +keyUsage = critical, keyCertSign + diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/pom.xml b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/pom.xml index 0f09f1922938..4b78b0794538 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/pom.xml +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/pom.xml @@ -147,6 +147,36 @@ true + + fips + + + fips + + + + + io.quarkiverse.cxf + quarkus-cxf-services-sts + + + + * + org.bouncycastle + + + + + org.bouncycastle + bc-fips + + + + io.quarkus + quarkus-security + + + \ No newline at end of file diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/server/ServerCallbackHandler.java b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/server/ServerCallbackHandler.java index 9579a3e249bb..d8441410688c 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/server/ServerCallbackHandler.java +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/server/ServerCallbackHandler.java @@ -25,6 +25,6 @@ public class ServerCallbackHandler extends PasswordCallbackHandler { public ServerCallbackHandler() { - super(Map.of("myservicekey", "skpass")); + super(Map.of("myservicekey", "sspass")); } } diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/sts/StsCallbackHandler.java b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/sts/StsCallbackHandler.java index 68e4b2e874ad..38a746a5d7f5 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/sts/StsCallbackHandler.java +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/java/org/apache/camel/quarkus/component/cxf/soap/it/ws/trust/sts/StsCallbackHandler.java @@ -26,7 +26,7 @@ public class StsCallbackHandler extends PasswordCallbackHandler { public StsCallbackHandler() { super(Map.of( - "mystskey", "stskpass", + "mystskey", "stsspass", "alice", "clarinet")); } } diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/application.properties b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/application.properties index 98c1825180fc..6b9ac77ca85e 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/application.properties +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/application.properties @@ -22,3 +22,6 @@ quarkus.cxf.endpoint."/jaxws-samples-wsse-policy-trust-sts".features=org.apache. quarkus.cxf.endpoint."/jaxws-samples-wsse-policy-trust-cxf-way".implementor=org.apache.camel.quarkus.component.cxf.soap.it.ws.trust.server.cxf.way.TrustHelloServiceCxfWayImpl quarkus.native.resources.includes=*.properties,*.jks,*.wsdl,*.xml,*.xsd + +#If profile 'fips' is active, this property is used to select a security-provider. +quarkus.security.security-providers=BCFIPS diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/serviceKeystore.properties b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/serviceKeystore.properties index 58141f467966..74aea2be73c9 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/serviceKeystore.properties +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/serviceKeystore.properties @@ -33,8 +33,7 @@ # under the License. # org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin -org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=sspass org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey -org.apache.ws.security.crypto.merlin.keystore.file=servicestore.jks - +org.apache.ws.security.crypto.merlin.keystore.file=servicestore.p12 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/servicestore.jks b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/servicestore.jks deleted file mode 100644 index 999ee824c3248c0b89da0336bdc451678795fbc2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3475 zcmds(XHe728pc!TArz^CN<#1cLugW@t3e=vBmx3bBT_;*fE4K<5m1n(QUyesf*eso z5kwFW=|!XpN19TU4i^sK1&`;9bLQT;b3fkuVQ1%kc4ueb-FKh;?SI+-0s?^`e>Em@ zfVYpg8z}$;0^>e>xY-7xw~$u?PJuwsEg%BA21GzcbD$6~1VZO_GHMTiGcZe2&r!GF zU@(jx1cVo(U;r}%lt{5oB;b_z{JI5Z0{A|ZtvlQIs$MUN{n30y7ulqE@X-q z2_*$c9BM3F2)sSn)18FC6YvN*IfMz8fH;FSL*UG?`b0ef25W-i1-K8V!noiV0z#kU zY47DjCVBXvxPc>wI+P3M=jSJXkb}G4prfl_<;DFPe!Tpr`h7g1=?Zhfr3l$yS})L+eHF_M z%JhTeOLL!tCWCUAm-rH2@T2$Hc~~a^7v$L646RrzwiLZR)vZ)3t^#5@?_j`}=Bw9S z=lCB;OxEd-mTEo7kzUjg$r8Cu;xvUy#Xv`>4QrV9VcE`2N8wR-n#XRAa#o*mVQit1 zWrAk}->8YrdCTny@$lrgJJ7}H7zT1k2wD!V(yO~o7#R1B@Lex!Fpl>%_(kywJmaW^ zYIkgR;Pd7**_R)sZ#v8tC)78=YTM7c;McU%iYqB*>akaLZ+(h<|7^sgDR91Pez6Ef z$Cwj1lW=#MrgouZ&=4wc=F&Q+Ze{hVA-Utg8^9pe179F{`MNlg{`7`1bSDTz4+bLW z_5d~p78wRG9atK|2|lPjx(K>C6epKbA-9>iRQqG}l_$A;kH$|p2}tI(XBl09Y4_u= z^&{yo!txor)V6w{@aksY4HFCRC7Pgp*&Uuncg%B&k)5C{TK#;2f3k{Wq}{hbUteWZ zmfP=URTQWCl+4Ky`p;5ZZ{ze&4O)Qqd2`RyK6bV6-jqzRco>nX(NBOUTANwVT->v` zH9S!;Um5N8wJIUH;<;$2;E3i_$7EAy8vUF~=z0P*mAEU2t+F|Xc;uTmn>`OrV%M=! z=j>U1Yjz|jp@b*{e8PNc?QrFN=NQ5Ga4W{F8KMh$n!TX1qlnXuc>VaHL;Gy6~IpSELb%RIX2u(#U(d7f85)+jVuVl%?{a) z4G=fc_WB%G?*p@lJP3-(8glfQzb>p*blc?4wN@h5v6=Alv!PN)5xC=)i+qHM4y^R} zMR&ej0nFFnM1Krq*fgp`-$ODM^}ynp;;hAO3aK?)s-V-2M%a#jg$leRnJe>NFEu?A zAgNM}7EUD24;KcOw-AFeojqU2OFqj7+ptB<%I*hMC~2-TG+R$5={QLzO-$V^+Gpr| zoyct4m=j7T>zz7a=$&Q5+3S)VD7L483{6InFixhCd!wnEPVc7bEPsoB3My9>&%-4s zb2JAz=$@RG&z(I)0bw1eD{XsxqouZG zLfWwJxDpvH;ubDI9>8Z1yza5J@KknheG;@_wTU+HDWoWD zuSd#==o62@zYJdU+92{O70{UZUS!!-*hJzx@~BUQkI7TRRZ1&E5F9H3xMm$MPeLnq zP4oz@_}&2KrRwfK4AW@xisNn6zQV<@Bl;(TZ|WE#8@l&%cT|mfyc_Dz>0QrZ|GY`T zC6wF;#7sD1)d4t>>D5T2qJ2T|=+NVON&4cGVZ@=d{iw>$hZya**m<0gm&iK99j_~o zF3N6jU2&WbJKF!KMXe4ZhWF{)a3(HoM+rzub1GpU$=a2LU=unU>_#k`5?>3eMZd!s zPAr{}{(vhZD6o4~%)lhI6Cp!4bQkL0o%XEFjwvuG4Pod%$|00o!SwUAHtT$h}&Lu!S6FoHMEKxE%2wN2Tru#LNRP!dJ@vNWp@vt*F*G`e8 z_;ZF>TXrRudc4B1gY%A|n{(%t;*f=|(Te@&dlpkz^oO}I)6dM84a+VEL&+-;qXpq# zJ9wL`-Uw4G*sN>EgPSBuy4Gui1e*s+l((L=Vs>qR6S=E2(3mT1MYc(B80~a; zIe&4mZSA8UJ6K+`9o-v@D4t-o78N&(NlJH;JYnOPT;6sTuW|EtdaLYY4}V$w*U`id zEk1Wfz0jr^RYivJcNf=@Uwe<$XBP@KOchJ`RHMU>Nqx7+KOu=u?!XVF4nT?X2P8=v za##QDQvt%8{v9Nlko*vq6fZXv$AP7Oha^VbtCug^yHikVfa;;b!iD;QNaiF51pW_8 zM&P_CzAjEAum6&n_yOKOn2G&6GySpHcWx2}5I=Jh*AMU4{?Q-K`I(>4Xa&We`00E2 z|B~i^LMtjx%*5zuytn!0NMEIb<>mlrg+|9(bE`GcYK1?YT{R;p{3D)8t4C@qJA0ZK zQ%(zl+j%aL5z{wvIItVc$qMkKySu)n4OP?1TTS!L{j!DK#fdvQ1%f#6V zk?r1|J03W(K|&VM!0*4#)rh?r_Ri(%xO7)JI4tB?R!r2>nEr5VLYbzj_*P{1H=nhJ zI^w@VE6>@8jmNnhJt`lPu-l6z%Y7z})_;2i-_eRtbgz8U>XB_180Ps<^lXIxC28}f zm0w{Wa_OzwLsu9xcMCZlI`8k9FuHj&&6K^3j~lHqcZpSL+uX^N)6!7RbIR`@COj}* zD`RKbmwgw!3@tojGP6n!DWan-f6(KGtgI}CxFBt1_fYK|yqWCgf}J$U;mi7q73Pr{ zPMBo<>u$KQtfi*}h36@CXQ%oANUudP(Wl#IKay>s=4oomu}-^(Yfj!G{=U^ZZ;@0U zfI+Or3B}JZ5fE^aqU-Mwg0V?i5gTNhWkL8GXW*C1sRf8NfYgY9y6b?TWapR|SRg1_J}!_i`epQQVhlVCIFu|A8%p-! zFC7hn;(Y!;C7c3mC{E5_I^%Do;1d3?iiiLM6Ar}@{!0pijQ>&K5Q8*8y#GQX5Cb;8 zXm-V==fe3YCMG@rM1+g~KO-=KH~5IC}Kt9TmRg8pp;`r>%f!K!9HKBGtHvvAZPG(3k%pD2k(*HTq<{Q=WVaI zkLbBjv~5(<>8QUYS#D!CSfLUWW6o_bef@)OsCEhO?J7RJ^QG>mtO#jLxFN)A-OVzM z-g28HNDg!FqZe88-N=N}ywDS?KyUyFM+<07w{I}C_arnX!U-d-|1+1t$itpMIGJNB>G=aHDLLI;J45Ty9BG=&L^3>H@0y-7EABR4`ox&5|W_bcP>vKAzkGj3jqPZ3sOhs3hMypc|3Aj%kD=nNmgav zlWSCvx?6c_1-RaahcnRY>Tcwq!6m9OK2c%Lp1v-skP{^cu56e5%;fgykq3WtfJ?UK zl@n5*E#Chur{*O^a*PkU4eH9$4Igc+I68pQqMIDVb(eFcblc~U8?YSBR)GAMKY%~V zyu%U!KJw%YHe$lO9xJ5w`Vt~bbwC%`x;=zxl`beGI1$iJ^&O02dac;ZeKhd4rXrqf zclUQal&wACk$Prm_i!M~cVz_e0hfa=k1 zb)!qElU3|ge58Xj4d%7S`f4WfJo7vzBs_mpK!%MJ%AI7HlWSqcWlubavfm1h`jnq} z;DxHAk}R2cTK$=U)g+$fRx%es9}hiEyD6IcCZ4xT<#d-e+(<>MHi+*W|HF&2P0cH7 z+Q{Shr({h{ZV7?aNb7+zoPnHCwW7~I3dQ=XE0sgr%8D&35q04jK3dGLkZhH{jG|u8 z<05l*rX(OzDf285km+d1mV9BVQ@ACmjRFZJ%UTLmHHb%6Kv8O2b7l|jXxp5WSe%<& ztOh4f)y*s*M}yES*zp~2#*M+wuQp2=v^<$B+$kEhAIaCehwuTHfguch-@bjdcp534 zzb(AP*ij>YY;hhMcw#%kN$H;w5gj6~k^_-_F~oC9C;awhKZhSIhaEkG##7H4a;0Y% zV@<(Iecjqo`=ZR5RoTxhMXHL;SE1;QTE{2$HV%89I=4`@$Q9SM@rEgRz13K|aczGI zoHhVww)pGA&!X2s^{1DAE@HlQ$;}>pQ|fvs)PQK4T<(ECvPzeBAS>8hD2t-dqtogf zE7Bg}PWC^OJLj%vu~A&Ior%v0;Kz8*mBuQG6Sj%mRb?!ERiKYpXjN0QV{^b*3L#6; zJlkUEr)53L6-Py&u~-H(fh$azT)=BLxQ=($(Ztm$$udch##9`;$DA0IHhyYTbz%lLq8Mk zS=hb#-;Rxm!Ser__Rlz8HK!n2F-d_BTcmyDA`wtR1trTh*g?*l5&d1XuU=>LybPI; zYIOj8`x3(CQWn*`o(oHqqMr&^-&9gMA0!|1k&xFZCq)poNoEQ_?Dq?fk#o2OtbCarQ6-eLrWVDMw zf|h9a5Orl{Ed*zz6b=;#JNodsr&~?5xP4`ulV`jk2TPz(bF8wfTasbRRNI2h{M;Kg z9^IkmAei3!qxavne!Ke}iA#Mr28nJ#42~HMsR^c)fLG~yZzszO!!EeyB5a(lYwgb7 z@1=krJ(H3*;w6C#sQlTtoFm*KZOhrNVtO1aWq1Ga4LtSMa86*>-QHOy7Yb~CZ`}Pw zNc!&!=H%N5HmcOP*QV3ZVgIa(-vP;fVW`xhGFhf4T{4r=bU?9|(JY#$YmIg`t2#0r zH)up`MjsrEZ-1JiEq$A4@zFzSiA2#)m_9BEu|Ll&rX@qDy(2Mp{``cPY&h0%oG+)i zUN;%dNT6zE^truhX?W*aC|R8?PVUG6e_-nD8PZadkg$S0>?$7KjBid3bo4T#FZ)R( z!Tc#8rb9f}+8$8qC}DGGu|M3UD{FbFfiTGtT(rhpoUpJpTH{^Y7Y#Ihx*^pdyJ0{r z>T7bB49c|2G;LzBFR+K8bYx(Rk? z_lbTos#!iXUw@xI%X>P|F8U27^d37<& zZ3|?RnljY~pcktJH!thUvhv}ck-!EGbLVBbthElUNX9SXvCHG^Mx@f1m73fwe5$uB zfPG?J3zH13s^LAEoNwM%0UFsW}y%F{tao=V{^} zMUOZ!J&5!M142d|)z9xb_RtaZh4TQS# z314V+#SgqrfxE6x5gwc1X_IvbznW)IfpWNqY=u2fT7z_JCS|gxI7AMhYooIx!;J;{ z?Q`H*nH+`Dr;LVK#qYqA9M25-B(L@Nt<+9PQ?&!yv#Mi1{9e9YfcN(|hi^NN<#X&* zaq=z5C54)l+81r-x8;@ke6L6KWz>k<=<`G%ux0Ca%NyMKBM*Y*{F)y&+qU=Y@Smxa z=bfdHWR|F_*DYwz>39OQ_$voZ#^&HRi0Sa)Hz9t{ub%D4#$;#xkp}VxXFQUW%zkzd z*dlwNb{CYIW^E5p-#hMUjkye^7Q3qdaSXpCEQ^ukk~-#PjAl>1iwZ!5?OnbR?*$eR z6BcVnA7q)w`1(c=tgDv&Nxn&{^gpl)l8z(QLq80R3^wuv=?3<+Hr;P${}e#h71kz* zUa-*dE$Nu2rG5QEzWkmz%&5W@k(t$FB9;kdIM8083Zp8~+?1Niy#hZ3ht{-( zaRF2|g>Y~#+8f;NcY|@m?|u*Q0%obE?2W{~@;KFk6l1B2x0DB#pQYEXta?l#3*OIp zJn@8IU~+Aoq_y<>u2GHj=OyJTE55EUbYSZrvR=M{Eh)c^{=@T7`0M@jFKI$^N4)uMI}aZXFZ~7+WI1 z$!OP~#Rz=%j^+oQ#)exmNtwDV#gax35^#Z=&cw(wyynrFcJRUTH}G8ZM{vS+DnM-| z<{?FGOQ3M!M;y3It?kl)^-@vG9VyXEN$KfntSEgjMY2hSJ($jKaiD><>`?7&s3~J{ z{|9`HOyy}q%PvBl((D+czamcO$z9KKX^PwhBIO8ePlet@fJ1^WwqA*B)45%A4>H`> zgmO+{&`5Vb`Sdl&>25MV>o{VO|0HCPYo`m;k7<$HQepOF-|ur5YL(xIEULvyAY#@S zI^^;D+pwVD2VSdaEMdOuT6xjMK2;ZoOE-hA$ftyMaS#kaWwq*lZX*6wf|+KCUF<`M z!0|4nz4thKR8xPvz>V6h<>Agvv4E6P#Dg-C?CW4;lC#qXD4b!TnF=5ne|GM)u6qIB zpp2br0c3uxD6yUcaZqfdi{g^Oz02gkQgr5P+&e5r=>W0X0xz&?fwty91p9&9!)dbG z>HsB~JMgGfrXhg-*?ly60o)R)!u|rO6`B;WoFt1;66aL!cKBpjX=J?r^ewvBE`|gV z9~!o*;rL!3t+&Y494y7RcSWOqHzR`P_G1bSfw{N|!rez*4#((!d#rJ}#m}AkSu=)H z1SxQhIDGm^mRHr}|IA$Ak*O!&$2N=Eu;*&})Yf!5`Mbg}HSLKm7wBoAz_!(g^RE72 ztD|*>OyeiUsJya<_Ai~-^`{YhufDb8TO220>U4Ei5Mv%FMOf-K7TNQVnhyhe zxGplLw~U9C)zCY$b%LTggu^Q?es+_J)S`8nn+0WUQ`Gew9+ZdkWv1L6R5T2R zJ)7rM-B;NB6t4rDUNV$BXcbeEXGc7_v25cJ+f0ok4^mIx<~WlPK^{Nt2o8hcd4Z^!{W6S4z36m z_s(ROtz)fbiD@+QEjNN)EF&?APNBW;bdYa!1DPppV$3CtM8Es-6v{ua1d_1|UZ^?9 zQrX6~);gRy29bj;!ht=#EUttRPj(0_aIXpDj@ZBA*iZhNMw*lOQ@oYP5jGjZaj=nt z5H`t56)C+7`v@Z_!N+?33)Eqb7kht8J3XUe!!T?1{gq>1tV+SAg0@00`7bZCBQqnH z`=Yq3hzFlaR${hd`KO{5{byb;+l#k!3w7tUsg}hgVpw`s2P9v97G-kiLd{2sHQ#Y(=$vxTn2H=Oe8Yb;;STQeC=*PRj&$NOzwA^L%tKTFH z*TocWTTpm6O64AgSw#0T|CU+3Z+b+qM#`OOOlHA!!tW_GNHSU)>u_h%)=GW7ofqu9 z*DkN`Y!Vh@dRm&Nym$a}CQ&=T*oM+?T20}S4NCV2>OtM^qIqYLa4t)k&b@c4(!Y?f(hedUgYj>Rn&-L!z-zZb$hDtX=9Jg^>f@-i{v*a(}#eC(sB Y1&)Hc0W|^Ry3aA_aJ{qYzrXPR1vZkb{r~^~ literal 0 HcmV?d00001 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsKeystore.properties b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsKeystore.properties index c67a29ed4c32..d2efec0c9f55 100644 --- a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsKeystore.properties +++ b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsKeystore.properties @@ -33,7 +33,7 @@ # under the License. # org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin -org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=stsspass -org.apache.ws.security.crypto.merlin.keystore.file=stsstore.jks +org.apache.ws.security.crypto.merlin.keystore.file=stsstore.p12 diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsstore.jks b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsstore.jks deleted file mode 100644 index 4ba33e40ef53ee81f1233d0bf89a9f837c168992..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5570 zcmds)XH-+$)`k-jI-vzfAP6C$2m&Udi4>&^N1DI^MM~&3bOk}AS1BS@K&li0ks`f| zA}F9BAVn#Hbm^kfzJQ!_y^iyZGtR$z?~gt9m~*YM$C`7m_gU}SU*2B^001P!2TXi` z018JhH+MICOD|%e^?q>J1^^%hU;@Cq7+Nx_Q)ECeP=JI12qXo71Hf~qKGcsa2UP_1 z|E99SoR+WH2x~lv3XWJJpoH~+3boJ6Wdsi}%`BoO_{2C-8EV?dgt|erA*rVs%Xcw= zX%{+TYOG(IAR9}zz#7-t=5p1^lTN}@Vr+fxD0?3Qm`HJD%l$H|Y z{c_D!$(p_bRbp`o%sbs;~YvCuAU+{*Y*vp1pWzpL+TTvGJ zH7-!QeY=?`(zAxWM##Wr1fgP~9J-gME z&~f00HfEw2?e5r0TiKaom1l@JbvcfvW&CyBkQGyB?L3K4YlbKD(HW?6lpUSlLHcxbjh}|Vb zOK1aRDC_#8U=YK?tEj_3Fttsbq>!_+_H&qc|7sWwi@l@~Gq~L@}cTSS=aR2UlyQ1yn zuV-|@7wn~m2!rS~uWe(KezVKVacXlM1P^Hl^4)vLcsI*Kn=<)6wvevnCHH|y)3?E> zgs;jB9!m(E{KSh&g%hrZ;Mm_jldSfB6ba;7x$$=8`Ku<)QhGcHmr{A5QVJkoIqX#_ zaduBlZ<+N4`~Ln8cj{svd}xFuZ}|I^*HfJ>zM_n~k7EXe+}kDwq@gAy!Mwg60tONq zM#BkyqA?Uon;3XEFbZur9FU)qHn|E~ECmAN1?rc1jfaF=C1@i}bO>9QgtxFi4Aj^*Gsw-#FX(J9yt-bI&l)@VbyQjjH#G*Z=o9a*e z_%cuHGVW7`G)SIvZum;O_WpC9-=xmB0a6(;MWqy1i*N(3eeV8IVK!gBR=Mc7an4!o z&pPKD<_4I-WDk=8p%!-4Hp$~xd{j+&_M|zA?xjSGtLLV`1vae>Z&>Ds?+WD&+%KY_ z4~Q9x=H)(Hro$$q-CgUsNLCLlUDVUL1`nvTzc5Kf?bb5ZfCKVcJ%~eCZWlwf?&P&Ji#ME5leTR4SP3YiRWRL%=kjPCGK{ErMQtwxAyK>$ zMs;!bl7EfS)}p?Lz(lAiC)LUPxKDkCy<35vD^vWtpdcus@w%=#9b zo6jc0h;$%Gcho6@N~T|ydugWNDfnBVKxGm^DoA`nE3X~E^@#yLnq2DOJfi*}Yvn=a`D?8#J&NmBhA-)@QkPG}#l3E0JJ@#*gR4db&z+y#eA=?+B}yrs1%eq4 z^t*}oomg$tS1?suSxw9Tz!yprSV@Zb{8{oo^+~V`(DlJHyN_Ja)3@zHw(ml;T}35| zD|88Tx2~uhk&)CuSPUZx0D!hJ0iX>`0Lf@3hy+MN0=7RLyoZ61Q3`}y2-$`Jfz(7` z`WIrUF_dH=Jun%RL{A6HfT24KD4-PTcvmk6Ji!9Xh@n4BkwYov@eb~`j!v$YSbhxO zVU7xl)WJJCJ6IxhbajwILP!lwU8J(+C8X9RO+`HgT~$pDEDMI|a4IzvqNE6KJ67`bGa9A!)l}r>iYp zum@FHL2GMY20rvQ*Y;$*(XtTHl6WdA^Om;^kbPr5b6MSZPVkWj>_cZJ=Xu}Js5gzw z<$_@`g!vpuCCz0@{o0T?CNnP2{+9a~oo@w3)@nXnBp@IFn8StP#GD}Rk`uIG7BG{1 z^D7O~TemLE!XL1io!xUP(UCOzxrxO6Ol%?$z|Sz{Xrvq6j1BN@L~6_I@puI`*HDEz zO=sUVo}crX^2wxJf!(Qxi|o@e(~M(mxyCwE&qWy0#w+Zd*-kcu=IPyI8S+|w=5fPr z9-hrN)u=dHaxOblU`ZOCj*hWp&<62`gGNGHH&h4xGOXKKA;AgH#v(@3Y`88}K#&6}PNad~K+RLXu_Nxg3b7F61*9(_&8Mbrk8%4%?? zH=@_O@>z;t)1*M8*{8zT=633amnyb88|PCBtDP=MMcC}#o(&wV7$LNKFZ3)d6;Ol8 zGrebG6Q`@r{$5NZC7ZJGCWCx+?Yf%dt0SL8L-a?MuGehME&uRHW48_ff3N{8M6^o$ zL_RPav*Dx~Q|&Lk#Q3-We{9gOypFu=F%Uethf*7bpz!XIwy!OFn=6KAiJ2Hbg{l zqCa8dDEwb3^Y4ffqQ#?eku};)|I0{UHSY440l-=nn5ORbi#vvE@OyM;Qhod>Lc@4`IWMOCOT}|d+U@yw&98|u5mY+Ljn(= zligh!>9mSU{woi{XqT-~=PK6gSy-a=7z~wW6jagZ&{|#Z68W&;SqXFwIeov>v(b+q z>HKr%4(v*!yk%g!lNCC09WeaPaed9Z$!wTNd<{aiaK5KVSCr@ZhrWet*r_QkgTn z+kw3Y?i;O*dVfU}=T8A!MOpN(CEmwrep@PD?b9&7`ilyVh@xANR6b?+(4+@Q?VQW4 z65weppx?gsnEHJdso~38YvgIW`SiKg`+FMX_HGn2rJd1HqjmbW5fWWrzNZPDlNQgh zc+fwro2|W3N=LOX`1a;1D4$VdX5G=Z09>{DUV({ZZEeZdmdiwN5BrjyC5=uW(Oq?N z*h+EfiGEiW&U662rv??8cIs1J2b0R?N?*g9e9i1UwNLZ*oK za(5zNB`{(?SR#DP5;=2sIXC3bMEPf)YT z!Qya#g#Wn<|2xq?>hH7QR_Xq}uvdF0^{bYQXQRD0JU_)~r!4VoiHHE-AmS2PgjNDu zV&uYFu_=>SSoe}f4O&5(iU0lJ+!tmlH5>KZ82%AhlB>1yOs`!f&L7YC^6N^3@;oBG zszJW7>W15R&5FHNv(J!GOS1Gu-hv(AUlPKU8Gr<(D=NO4UqXqqG`ynb3O%K zqnKXZvshVSb>Q79&=lY(O|bTMajK>Qx$D_&7V` zFjsAc2Fppep$^(SE>K;*uLyMRcF|wUdq)bVycFJ^qc`FI^jzaD^ug$hf8qX|M zc&v=GZkx;YUx_}*Wks<@1kA2yx~*kT_pMnUQKa+BPCXL6)r`nRv^;tKSfawhQv@>Q zp!ex!;5}nBU21uJ$a*YCc!wC6Rdg8629SF&Sn|2=>ZZ-+`Z8>4CWi)=#_LO|yWoSu zUaRTXMLKp%1hqI*LYsRR5^H?FOLDq(KHTzd_LCXhu!1S5MDpaC{3hej=;))2 ztB%TNmFO5Vvv~hlpyXki%oVZR(+3NTtK5K&jT!uTAv=k@iydF$pas>7Yd2y6FBN*b zriVmmp*2a9Z|%cVY*!al!Yg=4CJHcg@OxqkOb&anPq3(n;PP!}Oyj#Z8sDso9}7#J zPL}z;9w{Ca%4wIaKUSE^yrRI4x*h8p@UH%2TQctU)DO`+di_xRA1-3#<(of64~7w4 z1e7THonz6TAw%)}(n^ef?Z1ouUpI_DUBt00$)OMpTf8;i6^~TLJ2<#u1u+6Y^p8H) zzrqoG{-Jw-VVDoU0)o;WivCA6N9F;E;rQ7+F#H%g|F0Q8TL+vZ?vM+A-Z&1!|LWTQ z4jomLN@GJJ+dkNGr>4vm?@NB1a2Au<#IPCTkk<=z6t`(2e@%jQZbAoa8MmF4Fv+#Q_%Iwm#@9LI# zH}d;0L~8)P*O&q(YFG^jONo}O0`UneM%gwolRbNx6=LMGFYedeQHN9pO_P5Ox&4sM zz)m)cJ)8Lh1t~RUJ-+Os`t^EWPX8EA(IIrZ_ZR`^tx+q-#a2=|_8;v*>kk$67zRxiGrJT)cjsuF;J1!8? z4>(yVkMrD8WdLBA_PKHCu9o*c`?lXabKYI(0ItIFAC)AQ+q20;w3M9QoW9xne;=5O A6aWAK diff --git a/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsstore.p12 b/integration-test-groups/cxf-soap/cxf-soap-ws-trust/src/main/resources/stsstore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..dc4226635926355ed7e2377f4dc9f6c1d9a43d47 GIT binary patch literal 6415 zcmaJ`RZtuZlibB2i@QUxzyev^f;$Aa;I;&J3+}SG1Sk07?!h6r2X_s@-2;UCuI}pl z>t61mYpT0v=CL1UAi<<>5P*n~V3H;jbe3?r@Ow-kDljjYq!=lfq~ISp2NH}7|34OT zDpD|V(m!(CKZrtk^S@Id3?M>YFfzwKA{#{K-w9+)hysN9KNJL^Ktg-h#{VtzM56)$ z0Sy2Fp`iWG3Iudy0E7|+-6UKNXn}|XWI@6yFB?!mrY?K2U`hyDF0m~_3Pzeve-ZLO zZFS=^!;){&PUSWwBej6P+Y|J|;7+ra*g`in5?B5x{1WRu1RRX1(@OmrrO7}0#82tK z=d=VZAzkp!Rg>VT1GqiP(vBRNYqY1bjd`ULq*q~D<5F;iVpFLyF)`2e(A8OAwpciJ zrJWo<2V6cB-1!fdd+~OK*3ZIT9oXSQ#1W#tcOUWbS;!VRVlDT4Yzoj9j6EyBDy!sK zp1nCE$Q@fn{9_n396f&+VyKaYo(->bUEqT~uXDK0*7{w1Tzjo%Gc{YdX{ht}v}*c9mvw;%=4P05d;sruLVDWtS=@46CqDsVG(6 zli74QVY4m9Ssl0*&J%;B8HQS#^8Ufb8Y15*6mAv#Iiaw?6kVp`Hb3&i<82Y^(>FP8~v;s{Ac^e zN@AZk))q>N8rwdvqOHe*qIP3`^8n3{{C~IZ_a2R3Iy5($3k~=Z_-t7$5LP~t-I-)F zd`xNFLrR$z>A*j)>GVz4EVK32ckd*aOq?p?#~$@Dhm9Up>xAReG8_#Vmgmvvibk;? zMuduq6?8$P7`RZ~{|sU6*sPyd%iO=XbrVX%t-%YNc7n{qw${(l2d-uvS4tFH1v55X z&t0qJ*r_xZaF4q5H6*z+&)_VcuZq>qB9$eWb<5tgDzYoajGrxgE!8BtZgZLZ5$$#-&fAN;m9hmMj?O7OtkgFDcv3gMC>rdqDnt>Yt|dIig3ddawiP5sFn5L z(&}Qd7(C5U4$dD_V~HuC1ps{5*KLI!lEN-lRH!va+hPmJ;P6Xf zf%dcyvtUi?sBX5-b`=8)i+&9tO_d9W=|TAZ#_O%*eW9G1+?u&jsem(udiP2U zQS@dTTZ!HDRSQaE86v;c8OGEMsql9`Gl?FxpLoY11EKymAJGXo@ThPA_5d${E5Pj^ z*a9p7UJ$zfG!SwSArTl9+%vVB+%k&B33j6!EX!9p1PMTb@h<;uLq*98#@qQv+CTsT z{wa(9ae$D||B`>wSr@|p9}0qikq8KH`h~>v0c*7#a&Dy(ti(`z1KIyhY6Kw7{~OjH zjA~Xj;-eHE3MwWH^~iz)gYisY70l38va@e5tTBHJ3}DOt>Ws;8lu9!&DBW-!;hHG+ zvPw!*XI-R(5cKYZZ0Y2f^e$EnIrBh1Nt=bLlmSok4`8CdDoN zRLq+ixLBY2=Jw_IdJ@P-tLeyo(4trOmcEx>y}~vgoic#eme2lB@~x;}4Ndk4VBQB0 ze1&)5{s!BE)jy~z(%whffyFz%c&A1qK++OArsn-=QAYKvLmWn0VA+B{r_PDkbFPOuNOhJwqD6lSnS- zWsG7;itf6!w|L7D>OAf(|C&&;> z!|)EEEBd;45QpVHkTQu zAv>m?8fa0#&IK@IaQq340W>`dJ9tWRvc+Kaw&R*y6#IGUVDX2{PT$Ne7jZm4T*~#<_Z@H4FR#D5p#_yw z1opL6Om)r6p4^KS)8B32J6vyqqQ5G9>S6B7ue#_|<(>7ikit`;MR0nL(#hDay8I?I z5SI`4i-h$fsi8oJeYZ4>_Z$_`yE{d>Ij)Az<+_ij$30tcqCSg|SpOOWt83=i82)vP z`O$*b>?P1UiP~TJ?UpZ#hm>-v^N6Xky)C8yDw(fck2Q_G5l$A*wiDWXXgt}qkguM9lx9Z2FMAf?7TE%_AyLf{ycRSiR%Q6IuXGgV^_)eLUrh26} z(VHBLT+Dz>46T!kV@DMp@9r3U{!Op&O%;N22Sbg$ImjE~p}3wl1}{>`bQz^!gEcb>q%q?diuLrFbR`T)Gf;&X!u;18gvZtf6$jjx z6S`d#6MUTFztKfE0955En zo`x}|G|uGkAzIQcg>0Nk!t~Q#%GCJkTfxnX<=e_wYT9d@nlmCP79CdMa)I*tSVxnRn(N1Ec1Nzx}XGO8bH?o{3e>6cUEq=jYi_Q~f zDGwYbZhA#w@d-J7@#6gUH(m7aFL0ZXe5!ZeXH)=Qk9Z>v!=zb|rFCSb`GhUV&LAM1 zOg9E^ZiW_h@p#t}hKU%2?~Gvf`=tG+=jzM1WPq>7g;_WO3u)pas$K|I+os`r#cT(H z;%|Pmwb+5H8ax4NJ2+9c%9Wy)yUDrh9a(qFpXCzG-e07r{_p_?RM&&25}+7cqxtq)60j zI#FY6hSB`llIuo~4W=Oby*B46qsc+F_u>v4ZSSUDrR15!W+yee1EZ9u&iiA|*2NN{ zjGXwYqi$_CSzN9j;mimym{do0`1V>fsw1FA+-f@uT@JU!N11m6xHeGI5S^?~d51Y1 z6(PGoXOpDhHECK281SZXc3+6&M5fs!3}He)>e~5&CrpW;PK=2bP5>#Bg-;j}mh2`o z0*$o_rxH}cd~+U9om=JSv_Yo=K0vG)9f!^5eqt%@N!v5Qg~18!Tl3)SDPH=Qda>|U zGA64TjPzN=x-HajqIvy+%fP9Pr@Xk9ki{V4I28R76GUm^CM2VQQa<#+A{ng5)d|{_ zYvb}md@3=rH8x%EQ52ftUyj;e`VC9LP|E<1S-v+OjI|^3z!UOwD|*j4nkSFCOd;#2 z8rygG_I)he9X}C~f@7~Fst%^x(4Y>cPZ29UtuD63i(25x3j4~;(ep+9!%~_fkzKsd zVKRpr@=wI>NDnn^mb)Bbr4=tcG1HNR`m?9|LyUDq(>t5?;_PoSzMXGN&E}MDlVi-o zQzRf-4OiZB)ELn4k_J5I&PP)1<~V99Ye;h!Rw1-HTgLDt zp4SG_9h|n`-Hh=aT>WXOl@pX{Ka}y$@5p#dxI!Moe|B63`-HUv4@mD8mXHpumpis( z=UmpSs^mnk_2Dhj%Xki*FME(oE<6c-m8{WWaTkn?|E|mR*shI}y)9z8Q*$J@tQSR2 z|CDz_;APDblr#5rm^&%{y^cc4zN08X2RRn%_tJxM3{y7h&v}e4idn=A%RBWrWjyAKPr@kmTw5b`vDCX#y+P?=ey_sEyzR`rj`h z*V~cT?04tB`g*^=U+AiGPEdDMczr~vgyQpsR(^@*4#3Mr~&!r6nagDIGgpz z?S`|PbEw8j0h{;TK3KTD^s4nmQMxk8yAYO@`i$yuo!SWAPwWVOwYE4gncz>O@gl2M zxoFE{#;c)}I0dS) zp5bUn^LV;#^_u!kEk+D!C}P}yLk|LwM-H5JCs?z?RqDxJ+(VViX}z+Uesz)TPYNQ* z&?nliZ>1p7Y@W0e*BPUfwTML8C< zREZOYF|`q4hiAPZid$!XzJmTx@>h!cyOEu#J-bUG8*24p8IIj#s&VH~wogG#sBX}k{UG<%L)dlSS`c6+HWiN(Z7`)aeLe{Pk47gp3NRlNwKFn>YMn2&w^Xbw!SgGZ@A&C-)LGqnp95H?Gk% z$yvRX%t+C=QRtzpUD>T8AGYpbC8EWBZzAso{IcEHG%-ce@!WQlnR1@|hK=b36xE7& z#i&??UD?9%&`d)MUd!}Je-7Qlxojp4*X?3&+2+?AI?4d8Vj70a@9Z||b!{3AGW+Nl zK^Q}?o`KglHBaJzPqw|9;Bk@^du{i)GV8Das9AFn?5-)zIGj|EBOeEqMN2x{U>=fyy^G)-HmweW0`s4GH`*jT8IOu7n z$CLk*8hoPzlaQ#a7B4092DcxiPs4&S9(%8JHp7ne>EKeOR0Bz%oM6qxG*^DaVZl{v{|=W#QBj_WyK%n&5o&TdgtQ-?36`y>CerJ_ zpNji`cEP${B~|$ZbMP}V7P9W{yDfaPcvHR>k~GQeyX!PBb>nHEGdEpuGnJkPu%P2M ze9%_4RWe+o@sGhjy}?9&p_XueSf_J<+r6eII_}8eZF4Q7{qP!}BsD4xI@PI$+D(E) zy6&kBGC3sg`ru-ttNLa7IySWrg_Yo2E(81q@o2#mUj=S4Df>DOGQtHbS=ov*61mQ*VcPQ&9;e&q(d=I}F+zN20>L*Lr z2Y|jOn(sdCv9rtj^Dcp6bBO}5lNqK8;n&s3Ftgj!DiMbB= zlIGP01K8O2agnJ}2E>xsfZ3A z!dobAM;anaD!BYv56zo5B}ob$7Ej^+LlI7Xi7JbKOHfzpNlH3#X_Usr23!{rjQW4< zUC8MnYmrpN>&La}1e)L-OTyEUxU6eIU8g3WVlB7Sc-3~lzZ3S^(8Qz9R88teuk%3{ zx6fz|pP*FIKJWttOXyy_r0JuCp;)abl{Nr~E#8&}zvuT*JkU;P8`|@^?+d@D1Rgzo z|3JW{oB7;*sbtwo1wdb-8oNOg710lhifTf4?ToeE|J?6+UM{I_n<*Gtpn~Esvun4= zF~7VRu-{`gXkO^~ma|?)r2y@(;db7}W>kGpZNuUB`ay2$X#_ztqS0V^^^Va85VU>$ z41jzU5c7m3@%MQb#MTSO)K z>Z7`-cG)weqHK#nj!(^2M5?BFeT}tWq#eszJgQ)C3ef{dnW^ZFXj4bDFRS+j4{Mf?fjVEQL$`G#)NQ>L*RkJlRwRuoVMC zLh9-^f3zV@+PkGb1ceF!pCorBDP{cR)B$e4%P4XuF5x-sD>lTP@htX_f$p8qw*AR` z#6IH(#X=b1Y(^(lVpws&27hIhf;OI(oF*E2-dWKre~D{`#4Kfbgn4zFT(f3SD!w)S z7-#_l-KF;&L?)$jU^SHjB>w8__KYjlM0)dG3FUaAY z5*J`)<74IRViy1cfiKos^R|LWj71~>X%L9`HGn663E+vUbBT$-L_`qoM%-P1hLl1u z@{h<(8ZelO1O$YoqNxB1Qes00DU8TaA58;L9R%bsh>oL^I~uw_em^9Gk*Zh)__({F zB>{ixIJL#{nD&8Vnl1prrvZakRwA z^9UL-0FA-?4F7X~91lkQ+GH>Zh!_usf&e_2k_Zn5gYNbB+488r++N(RPtN*^mGf_M z31lwLF#A@Kda7JZkbjU(k2D5*gEcjFk#N_NQR3>$CG9$HWm!gniNW~|CdxC8S_O#$ zqlh#w2esK==PFE?6+`#eyI@;_hRj;iW!Kwyz_witLHy48 z3|+Tt8TQOn2$C{o{^aD%L%6Pm4DLFWoZ6m`RS)g=0^07x3cBULpd7dzHLm#wuqVH>(P)8PQIu^*?X~;w>qXIla5?tOvG)$_=jCBb3!+c?&Gg%DFb-g48gz@x?5XPsgoo zCmslv-^rFcFHs=6x5)5?2lRAx)=ELxS+Yp;>Bco!N$p3%r6f?da_{q*Au(E5UE2Er zm*@kuYObKO1*ImR1M10JZ%1sZTY52AFmc!i#A~K@sa@#AhCnKUb zo%4;xOS71kmDy2oNnZHj#_9HSOx)C==E-pZ-abc)$4-18i~pD6H}@64y07@LBgMOj zUfKPvk3d-Izbl>|fF1~w97e8X0X9O4yK0yqlI*|H)4F^I;vjWV2B8dVFr`pde96dXL09pc#22P?SF_L1K zeF$IoMY7!bMw3G=J4^hSPudv``jD3Nh2v3sRJa-5+lUHd+5pE}XqIzCmjc zq^{g9Z$NlU9c7gJO#XHAh54YVpj?V&L~(r)ae0>Q=_%d?Z{b}|CZ@t}Ye>A}nLs*zHj|+h5*e4bs#<-ch=}`b zS_yutp5l%)SuDmfGI-GsLWF=44!a4!zIK)ug}A4~8LH-Md3 zILGoQ8z8~}9wM;M2l^v696!TY|64DCu#W$a4cc}WktXh5E@(P{_6Hltlzi>&tz6yF zrvRxRWI!L0;a4+&^>X)fvbFR2hp1o%;6G3SJw(NivJP>90+7Gr0(Mlg!qNSwcle17 zF)@tzFW5K?|5wWVJEBBld9^iJ61H@PHuKAKIs=K?k!E;RxDz} zg3CDFn$wR*nE9qgCPu2Xdj$^3e_p-1!!~DxEdC;(ng_PfXVu+Zp#ZavJlycQc9|(M zd=K{i<#X*ES{2o><-)79pBzx9AFedQ;R%NHrmC~b8r{JUNpjyNqwAM> zGB!PV+TilA4oS37@7BVxz_;smTqQN&!Osf~yiZ5G^I$K`Q%_zF4Q9`YzETn0AEuLZ zUrvf|GrV`tXSJ=#@UMvC@d3YHmPhwWa^jlK*3#WCecCn`epA6AQ4C7bDyK~ESoDCY zJPLT!@&4w5MjeC)R1E0PHyQv?GBGP9Eo;5p^RnenUE}uW{kR%<_0yj6?EBIVsYO&)v zehEQ9G0F=%;9EuK&0p)AHR$E>i1J`v?~Kpu0<8B^??G+_F1?}6rYOvr#%P9~V~xKt zTGib7aJfuU+kb5bO*K{*}X0R-Ew^q6SJmCb;XLB>7r?hHfNl0AWX$m zD1S@BK(mxBPb6q(K1<_X3tSJKo7R>2X5cbZ^lWur;hXuD^I}((Ddj#$(3@>o=N78p+INTc#Ni4Tyzp zKi1d@R_4u`PNj&3ZVZFlq9T`I35`H$p2kXbowtO@i-25iwRV>t!KS3{;oRNhF^ztl z{7kUIIdeCuK%Vb(7qpYvTgjt!cw7tWcvw4;FIw~L^go^T#Bhw9B%AJ0OL3gC9}P)h zQp1r;Ly7Q~Y?7M%pG}@cCNGL=sIt0P56gZRHCxAPVvZw>qK8(-&P+cV4XB`UcWy$FS$XP16SP`22f31!xPEEk}E^RaL9Sop1> zP42{4yWyQx4DG01LkMS}mBKWd_HLh|U|(e?y1Z!vU&iXh=88OE2nwS~hu1fR1hq5gO?K+;u|}jI zLSJSfS#zS~VrPg3K*RlXm8SvRJIbwkbHdJwYf_TPaxtbOXYEXJbsy0i14O3z;5=lK z{XH^lTrYChR7?(kkG$%`4V|mliy0(z3&n7Ss5QoFPvgm+wNK?DjZX+I;(^a16N#$J ze2UeP)5UX$&h~JVjyodp@QO(2{Phm{^6TzJeSGM>g55VTnc}l$NkgHt5L4p|!zvo= z_3$FZU4>q$Z23ZSOL=w=(ifvyucVVy3e#`D>RTIPNWSdqr!y67NcMOMinl&JkbCJ^ zBL{oZg_8?JH9mn}TAkNqsGdMg86>pdYT+U2`6YKR!9^&!mK??-2 z4@B7hw(HxGwUQ!5@&2}`0AcliYpsrsNXTF`+D=vuR$f*}H7i$FZ?q5~_`_gv9~ms= zLn!}4ON9WKepo8n155RT>xYgC32^-CsOWz@Qux=1f7^yhV-C(@{@jKgg#XpG{hf)b zp->$k659+ySGqUnE(hv`ax%j$=2EZL`HHZhCN*%(rmPw$bW=^O{x07(btV<}xWx(?|Hxv6g}vH+ko2ofAe7erY*#VogQ8Fyk`t zy1(V!3vp=KulNTRl{+`{!=>Wy@6{{%gs}8@THMc*fJCBLGvYm0xWs+$pA@=|x=X?s z_K90b`vp|_v*JaY2(gZ)^7}mN#3`W{WC=x2s~?uS?|!gy9c#K;)XJwW$~+g#J%gez z>A9O=e}-%N0^z3dwSE;F9@1`CJO+X@z)rs__F9EsQME0{(zM;?fEbmp@P=WN~U2IYZG z0%3~@+Mw+^OVGPI7Gt-iR67>IlpD)t`HqS2dvTB~=GO<1zgs4X8(f+-xWCdF>w>`%Lq@6&+u3?2)%6d(x0h zV&r9f6?kMSK;R19({E*;w@w6ociQs5J^V)~8_vSD`CF&1iA}(KI6d^4CmDmsp0LC^?#>(zZ zB{2#L1`-4t4def;Kmh@fAe3kz(+GKFD^vh7D*%6-%R_G{iIaMP5liE>{3{M0aPVt3Jc!OE2AZ^c&E+(uc7_DcLy2FrTb4svehn!)7qM2Ck6LsEx+> zmFG3J9M@c)eAj;`c}pgu^mSvb=Zc|LpLLmnUABD}<8~P-#&pdks%eUm=o+Mx``sH7 zQ~EHG-jJX}Ww!ED)A1t6=rs+ChVIz({35o<(TWM}z|P(i_EQEM*5b!^DfUzcmgm_? zp08A?A?0~D(Vk=T!W!clY40@v(*Yw9>@dPg-KV>}mc)P@tX*$rTFzva`6yh*TLC1w zr3+Bzxpm@HgUyjmJ(rN-IAuv`Yn%~;aQ>Y~egWB{3{HPQFx25!61hPsX6pV-?ICKv zAU}Bjr`QjSP)^v*lX~Sl=4MJ;VhjaU8%0%zRGgJ~kB&E*n%L8VVB>run%9@3LR1RL zbivWwiq7S0ca{!^llF}!dz-6884S8LoV0|0NGjtY00<^5LEq@dkDE;K01x>;MW9W6 zZ9WjOhI=yV;26M}w!8z~o$#eu%+FnjP>6~Aq4!lDZ5h>Eof#SPz4Xd3e)%y0g(t9N^%_Lk!q<^X?YC|AZ*_rXf~N_}F_RpGWm5of1|;FK(9K%lQ>@`Bem7k0$VT``ouhg+e79+($waeMijv!j>0_JrO>x15%u#??Go zcHTv?(Gz`Vi2dv1woW0um&N#3xL2NbO4D8xP%S#5s^Pmzb0b4(OeXk{g`RmPxMnVl zM26-Ece5AoZJ6)D*68`rCc^xghbE$K*h8Mr=43vwQivTOG?x;U&+1>Mb{X2H@E&3044ZKs#q$ji4VIF~Yn;Xix?5p$7JksvuC z`65{$IU?C1Ss_7@JdhmzWnT#0f7@PhkpPHI7Ni0q6z}_$f_Iw(e}<;&2)L?3LJ80R z(}s>#7)rSH&ss-8M*5c){#!wYSpP@-WAsOez<(t+gbhIa5QKv;AG%nSdn1!ymMuuFgTRZv`{P8UpBM(Do#!xIW~DE6~y>{ zey5F_fMx2w7cVM#0HmElW3u_#&wgEk49?d<<+VEM_;C+X4NY7EOs;eNV?{Tx!muTXTsc=s73}CRO((T#O37{?_hIH*FNv zQ1IyYPZG`9oWPG8$VP%pU&R}=B=$+ng4#boorN6%4+|$r)&R*GHFHc(e-p|;C;2+oIgw^6#hgA7j%0t%(gVTdX!-N+x>IwF6J%zgh?H4Uzj1;1~A z6b#kBRIKmG)PC~VyMFm7R6|>NwjyyzrVTHFl@Mi99j72_YQ?!Uyc5y2?h8dt=lA&w zP5tq+)ON^Iigc&{c1MyaTs8fr=Z*94(*-yw(I;)#ZfM9BNN9nUQc=taTwZRqEGSL4 zv=ID2?h{a<$f!0sQRPuMa$_`t zZ```mWqKttc{#iB%}FITm%MP$I!ajRV#Mta0=9JC6{`&UIaS}Zmi+j+gV>Dc~oba0|lwH~5$ee+6H#`L{gVJmf`78XY#rotn-9eO&_;G;{-m zFpGAs-1nW+>W%dY8aSF1vuWR6)#HNA8Juhj6Z*^>kz-|*`<;begw1p9O~gFQ%XN#vziBV<^mlv6n(()D!}I*wI8?g4i|SKl!p<%eZU3&E~L%?8noC>q! zh0$X&frh=(_!01s0Ls^c2kjc`YmAMRvUs>m_*~n7KeBEl>A`x(TYD&vANUUWmfpo^$#GCt zSE_(D?=Up&P#k%x>MeZ<0f{7*lnk@m9xH?< zsGuP>K3AD{EvWv<)0#8XD55RW+W48FM=ZCHVsA}1eUOLeoiRX`4XG&sJxZ9W)R265 z<-T%VTtUQ1*++Bho0CE#V}gcNMifJb>Gz(zzU=c+>+Ajn4cuf7b;&WF#Zz-IWGv|H9Xa&&^VBSm-gkZdD63|aqM!q7W{FV~DS0|iPMMkuks zP=&DYwPgfzT4M8LQBI#sA4_pCu!vf~J{xrFX`Kbw5h)2F>z6QIw}x?$}n;ydTZ_ z&Kgfw_tbm3@x{4kY>9q%P`yhL^PH*JQr(?1Z@&FKqs#DWx8Zf))=in4RtpThCe!4$ z&NJiQ@beZQWFTVJyzJ~|w2X4kP&MDAY}-H?*l9&Om@iZ=mYq2|?|W|#p_hJBLjQi= zRd7T^$FehwJkW}6z2-w1Is=GkaVB8VYC*48nEh+4PE`5b!B?G?==KytB=WxvGND^F z229utV7wFwt=jhj9t@*{ffp)kR`JjdC2ZPl;(R1BEPSa_ZMF6l| zCM<69f;F%eSxQ7tGgd+vue8j4ukN5p_2_^O1DN4%`{+yGX!~N}Ms}0ljT#%WH;Lzn z2EqMMUw&Gk;U8Bmu!7|Q&*m-KXSAPsqaGa@;jDWwYIc=#@Dcy4@Ty9nmLJ+BVT3Ss zm7Pk365;s+&4Uj061=j>;A6QxhoyG*B zBYdFh8N%b5G@lvvOBBC8p+?V5>p)i!&v+6F&-P~J8U*zhj`XZAG-U?aMsF~#n+?q1 zbR~B5D_mNB>$rLo$-ofICa8O9D{C4aC5a1}10P-&zmUd7JbJ&O?;{1IlVROB2#waj zMSGLyUdvxL`j*#vZs{&NgE1>>=gDcq9ew{4Q~@8qU#*jiSGyM*Pbv%zh<<#yfykQXXV*Hyvkmo?*{`2p9v_{3NLAK zRqAEv+Qhw~ww^027EbTnk1IN#OIGd^$wZ_;A+~C5@ zxZy;!T$Nqc`q`2{uJIJ(uM}OVWIdb$Ela8*b7sI7bN!ieC6ZxR!FDJV3xXMRrc_o@ z9}YHMn|5@dk5UZzV}Gu(Evt+*V-9(W&Tlxp;jZjP9_pBODmIXE8+E>l2$_kchN_`; zQ{dzZyA=0ClB6}#^6^%Omuv<%Uy*+TgON8!RL&GSK)b<~O{ehN@tZNY#gD1If^fZb ziMNYyCf`{p<#}^$CyU#>>J;2pwRJzOJirZCk6|d`W-CwLvh~T72sC#8P?H>b?J;ny z0)CXzZm#@u$(`0b{zv++x^i#xplP> zXmcQEt_%F@BC)~pWIR9FSQ+7vP~k!E;nw2H)8RFn4uSj5*W6js6OBfK04cqAzUU*b zs8n?Gk#wzWE>;tq^FdhA*o=GxgKuGFQM<`?5e|#nl;Q~XP7i$3UvLVGIsr>{G!N>k z?@)p|uN_zGEb{Otq|zXLAkJsBb3B=}bB6mgS4NO2I%+pO^2gF?kZb793t#^Xs0V`< zvvieJ!=>f)F=}H6IaN?wm@kY|^c`Vzdo@JFoSzx4cdmnL82mnRJkLV7MXsy#sA(YV z9pHD(!OP%xz5*yZk23z%-wuwE?4Xa>#O7^m@g ziDv7}A=}7&iAsxTPXAa5bJdrvH_zFxVgWwkzj}FV%Vn66=r`O1U4kZ7G1U>xU$8iLJNs?YjZ3sq$SEb z2Nqi&4@PN{KtcPfcsQ2oY!_4+p0;%Hfdg!MHo-FD)XnlRggiMGE*&%S;Rlrqt5JLV z>hVBL)GiOM#pDn(P*<#iAqNT$!&mU);?IZqEPq;jxrUfI#UDn{s-faN2Rt*vK%x*Y zoVM-}GCIuk{=SZRRhp(c_>P~q@R@BpbiCMBb;~6tIZK)Hpc=>w6!A+b42lan<#Adc zunD$RkgC>iH+A9hdpfLE!8S%C(XZtBejlKADkou}5tKd~Vn zznO2|L8qoE7AHl=5dAQkv@P4s@4e$yhUHp>X%1~Bp6lw|a=2_~Zn`j=J>o0&&qb-o z6Vna8h0zD{YY{kqfLt|B*vVYnd+OKqqS@R6=Q;KUM7!8*c@!{ye?v=lsCwsH`|_zN z0ye8Y#E6pi*=JpI8OeC{zJQitT_NDU+@hZ^yy{Xo32(Qt@!B@P)W4GMoHi<-r09=^ z(Sp<=)?kSNhk!@OmBAH$b>qI)yK!*}k#N_-ISi3kA-8E+eT%7$0na;;ZJ)T^Ijc#} ze7Mv5U-RhU@LN0GSW4Jli6(ng8ZBLr(btV6`A_ppReQ+Vl3ZhAY;hU!(Fl%?>qedT z1DNQ?qYV4pSco%qlJ4YR!J52Wb)1;%Fqf7t6`BcxND}=KiMBByx zw{xOW%kq4kVWMR%)FiE_@PxsSBY7wGMS~;pJyScTu z+2`chi8@$nyCzo+M0*!t02JzQ#lBjQ^uT_JqfE~I#VdEMg8u1ueALn(CG|i83aUnB z#yBJ0=qan3z81cyVx_)P9Ew^wx)uW}YC0-f#q1XuGvCz9-GMp9UE`Y==Vj~Iw={(` z0|?bGZ*xkU_)m!uS;Rl~12?3pQ^GSHM|H7PMp|!0B#iStLh-H&Q|-OTRoJXWkihVa zSv(!91%4EIxk)>Ea=AsyPtg$9cJHWLpNgVN4Me=SWQhG}_eUarR8lFO_KWXE*aY#H z#-4_cKi{9<SqLO;RTS*Q=n%XR4o^I%j$h4xF8OsHs$2<>~W=UCOr zXs>o_Nw5KT?~<5!+hawvdHFmS{k3u4Q;|bgb