We Keep Coding

How to connect AWS IOT by using AT Command (Sim7020C)

Does anyone know how to use AT Command to connect AWS IOT(Sim7020C)?
It's my log below, I have tried so many times and all responses are OK.
So I really can't tell what's wrong with my commands...
I think something went wrong in Certification step, but I'm not sure
AT+GSV
SIMCOM_Ltd
SIM7020C
Revision:1752B12SIM7020C
OK
AT+CGCONTRDP
+CGCONTRDP: 1,5,"internet.iot","10.173.155.29.255.255.255.0",,"168.95.1.1","168.95.192.1",,,,,1500
OK
AT+CSQ
+CSQ: 9,0
OK
AT+CSETCA=0,1172,1,0,-----BEGIN CERTIFICATE-----\r\n
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djAAAAAAAAAAAAAAAAAAAAAAAAAAdNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtM
OK
AT+CSETCA=0,1172,0,0,VT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----
OK
AT+CSETCA=1,1208,1,0,-----BEGIN CERTIFICATE-----\r\n
MIIDWjCCAkKgAwIBAgIVAI1VmLTQ3Z4W4tDeuwexWbTR7mCAMA0GCSqGSIb3DQEB
CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t
IEluYy4gTD1TZASSSASASSSSSSSSSSSSSSSSSSSSSSSVUzAeFw0yMjAyMTcwOTA4
NDRaFw00OTEyMzEyMzU5NTlaMB4xHDAaBgNVBAMME0FXUyBJb1QgQ2VydGlmaWNh
dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDh4GKPuMgbfj/4uJyy
1G0yYDMvaetFO48jUxwx08Z9UkfHXhqwCysuLFNAWbYlNdWuU6UhozrnNRkIUfKu
rGZ8YWF6vK3JuXdyLnzyaoC35Lpf8fiTMUBzHuo0OB1Hsnr2a/wfcs7+zl3mhXNN
k7ycAXlkGwNBN9G3m6OMSllKAVJppO/5pTKiddEYRtVukDU4FHrSW6ZStgx0+WoC
woYawsDcAC4UTem5ElaazUrDNdtPnlZAfqvwxejK/RCUekIj1LnU4ciw0Kwm2qBI
iixOj8zbOEGYLzmemzVrJuk+lotTTCvD/SzTfedCrAcE916aoL7cZVGU8TIIRziw
YcgLAgMBAAGjYDBeMB8GA1UdIwQYMBaAFNw2P5zOfiEAC63uFvgKxqHgRQzSMB0G
A1UdDgQWBBTQwEffR+IMfArY47t4ePBl/unHfDAMBgNVHRMBAf8EAjAAMA4GA1Ud
DwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEANx8HODRTapFXKnVPnIknae8g
oa//OH8t4dX9p7mzW3YXwwI/LKLyd+V/c4J2mQZCuCDxi0V2QABqZqC7k1gnMxh/
IOAGwl5teJ07hX0cNRl0m8yAYLpWtVle/wO29XcaAXN7hOZxMQk+PzbnFjkbCNGr
5StWd/OOA
OK
AT+CSETCA=1,1208,0,0,Lu+QtxR2Ij2Wv9iSLlkjAZWeppVCeJT/GMQ+SPHdt98Ry3Yj8XOJwCB
yXK00k3oiR81gnGTtZStAb5VC6KflLOKdPR9ZuXmYbSxdj5U/+Z//c1OmHBjfXlM
oG01qOwG1Sx1LmBsi1AkyJy0wPh9LW46qSRWHFuFFKafke0OqhqlKArTdAuP7A==
-----END CERTIFICATE-----
OK
AT+CSETCA=2,1658,1,0,-----BEGIN RSA PRIVATE KEY-----\r\n
MIIEpQIBAAKCAQEA4eBij7jIG34/+LicstRtMmAzL2nrRTuPI1McMdPGfVJHx14a
sAsrLixTQFm2JTXVrlOlIaM65zUZCFHyrqxmfGFherytybl3ci588mqAt+S6X/H4
kzFAcx7qNDgdR7J69mv8H3LO/s5d5oVzTZO8nAF5ZBsDQTfRt5ujjEpZSgFSaaTv
+aUyonXRGEbVbpA1OBR60lumUrYMdPlqAsKGGsLA3AAuFE3puRJWms1KwzXbT55W
QH6r8MXoyv0QlZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ5nps1aybpPpaLU0wr
w/0s033nQqwHBPdemqC+3GVRlPEyCEc4sGHICwIDAQABAoIBAQCtZx1DSJAWyy1B
PDjP8NSDv+aLl7zOQZL5g2w5tGLFAs2n+E50p55WrCCdXkG+/z0zv3MeB7nIlbLJ
+F9eSWvEQN4c44xnOMLCHX4+fBSlGCscTR6PoVfhCPKzdADGcfaEBxJe8jyG0Na1
ie2iuLAq89bFSxeMkdWmJw2/PbSeYkQY2D0Y5lf0cNofkOKoVbmkDX2ujPScImHq
NFRk9reliJqL4APfn7qCx054/XN2Ven+0yhZo9yx70p4swwwsGXdsuxAYBG/8aeT
V/3BAGnFrT2MGO5HeKYwcKW5z+xOmT0+5rxneCu3aEXdcPLQoliKsg747pwOdQxT
rWqxP/LBAoGBAPZIWiryCS9F2u7uOhinspMOAH/cLp/ZpREHdRcjTHzrBiM8iAud
vgSR/UgSTax2NugUlSDiEXEZgSwFM1wZxGBOontXChxHHCEKprH5ZgU5vANax7vF
Z99v2I+GUMOjSNR7wgigaQj5ZQhxSgO7mGJFY2KO/UU2JIkdBuOlUBJVAoGBAOrJ
6jm6X2XGUHruhbRNw3MO+Obp6PLjRf3D8dR5ZTNq7Amsr4lpEfCedrQ+7D1xIsUL
wAX2c
OK
AT+CSETCA=2,1658,0,0,S/SHohiUKlEJB8Qdc5e192/nkeYHTYcBhj3UgprxMWl94T1iJxQwpOu5Uim
bYt6QlhyPGFAZObTN0qVvtZ8jmigATzhrTA2CpDfAoGBAMrsfJbsDJNN3IGH+oh8
DJBMNi8jzaraGr74RQsGg6xdvhXkdzgTBhEf9PCgXC2gzcbVxrZsbvCgkiUiN9pI
RN0RjaFQ6zy3fr7e1tDH7L6bfoXJE89sbRTWRDql8f/wlz60pgCTo1fIne2h4tlG
hd1azPPVW2vem6X6KXXXXXXXXXXXXXXXXXX8YAXQRtAoGAIEoWiUvlVMTaSp3FC4
BOmRDmo0/fuexIILZZZZZZZZZZZZZZZZZZZZZZOdyVnkB/NUGGWWHgSTIW754JS9
57Qg7owM31wE2r3Bdaqi2ASPTeoupDgnNphgyXMkdKd7ePcxUnOXpD3LA/6FTQ8o
V0oHV/cCgYEAh8bSlHb2oiK9dHELwWXECdB27zAB62wreWJngv6vcGIEG4a+YXe2
r87S53lXpUjSHa2mLu6XGiLD5kv+G0ypMyqYSV+nhL3sxbRu8fmEouTgJMlIqHSi
wD07HsZhWwophhSugSSLbWX5ot/K4GxlWNeeWxCD17XTWF13y5LzxwM=
-----END RSA PRIVATE KEY-----
OK
AT+CSETCA?
Root CA:166
Client CA:84
Client Private Key:92
OK
AT+CMQNEW="example-ats.iot.us-east-1.amazonaws.com",8883,12000,1024
+CMQNEW: 0
OK
AT+CMQCON=0,3,"CLIENTID",12000,1,0
OK
AT+CMQCON?
+CMQCON: 0,1,example-ats.iot.us-east-1.amazonaws.com
OK
AT+CMQSUB=0,"TEST",0
OK
AT+CMQPUB=0,"TEST",1,0,0,8,"31323334"
OK
------------------------------------------------------------------
This is an example format from Simcom
AT+CSETCA=0,1172,1,0,"-----BEGIN CERTIFICATE-----\r\n
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7YXXXXXXXXXXXXXXXXXXXvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtM"
ERROR
------------------------------------------------------------------
This is another format that I tried
AT+CSETCA=0,1172,1,0,"-----BEGIN CERTIFICATE-----\n"
"MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n"
"ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
"b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n"
"MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
"b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n"
"ca9HgFB0fW7Y14h29Jlo91ghYPlXXXXXXXXXXXXXXXXOsqTQNroBvo3bSMgHFzZM\n"
"9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n"
"IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
"VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n"
"93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
"jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
"AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
"A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n"
"U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
"N+gDS63pYaAC\n"
OK
SIM7020 Series_MQTT(S)_Application Note_V1.05
(https://m5stack.oss-cn-shenzhen.aliyuncs.com/resource/docs/datasheet/unit/nbiot/SIM7020%20Series_MQTT(S)_Application%20Note_V1.05.pdf?fbclid=IwAR0qMLRTFa6GIcURLV6OoxFoqd-T-05d0rojXjLvoUug6hvomkBONUD7-Dc)
SIM7020 Series_MQTT(S)_Application Note_V1.03
(https://www.waveshare.com/w/upload/7/7b/SIM7020_Series_MQTT%28S%29_Application_Note_V1.03.pdf)

How to create AWS signed cookies with elixir?

I've been trying to set up CloudFront with signed cookies using elixir. From what I learned the signature must use sha1 encoding. According to AWS in the terminal that would look like this:
cat policy.json | openssl sha1 -sign CloudFront_Key.pem |base64 |tr '+=/' '-_~'
I can't figure out how to do that in elixir. I've been looking into this dependency and tried using :sha1 instead in it's sign method. I did read through here and did see sha, not sha1. Is that how erlang calls it? (I have close to no knowledge about erlang). Tried :sha but I do not get the same key as in the terminal and it does not seem to work. I also noticed that base64 usually adds a few extra chars at the end than the terminal. Not sure what to do.. Resort to try using System.cmd ?
This is the AWS doc I'm following: create & verify signed cookies and create signature for signed cookie

You can use :public_key.sign/3 for this.
For reference,
$ cat pk.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAknEbD26dg4w2JlaN2pmtz7sEBSEjFcfsgcUuV100L60Lz36s
EDySjiTMbhfhKRa46gBvGSEzb8G1l4iD1O5M5mfzEVg/shSOgwVfyvq5XShJBaz6
PcKJ4hsLh/aUIkvnfYWg5zdcPj5FBYT0I+jLnWvNevsolfGwN4rY5S/PuBCUwtVC
m1L3p5bVHvR33tjI4qenHkuRJUnJh4TMLCOTCGHdmZ+yyWJ2rLcYq7yciI0WlRh5
cCI1eYEehUsbcifOyazKNOAmO/9DzXZlo9S0TSYjxrG626mt+j9yD473t/FSfUeg
6Hn67wfGBWAk0HezJ3QGRl9jBAeYhSLbaX7DHQIDAQABAoIBAHo+Blu8d6oe+fjI
2cM389pq/7EUd0gwSmINamCtQenmZux/jjxDhAc5+piQQHlfKV7Um+j7SQeqSN7E
q1+syO6wqTu6UflipZADhXJYFzIHdeVR/tZdNWJUNyz5DbEPcZ7bVHSORucCbfVs
hawQISA4pB9b1wZL6VCEDAhM//ViRgBA3k6tBu5jNi+I1WXE9nrat4DSDV3uklfo
f5KfHLhbHgrl7R7jnAyWBya6O6Pw0r/3FeWrjo6W0wht5BprX4HSgJvpWtqjhodA
iucWjmWV7Gt++HBRX0NEQozajQ7fdfnCOpSD2g8QzVw/5whRBidYngJWLBNt1YQV
UMi7toECgYEAzw4i+m0PnqiExMOSLsvPcEQu0wScOe3vwXTBOcfOS0Uds0kWzZP2
BHQL7IATtN+OAMdtFi1xyN+auikTsZpy1hezUtamfeo75btFhgSrtRXQki5o3pX8
HgDh+31+Ox1RM/Qhm4DSPQ/YImw+HQD+lK9sw3yNZlmPmXwyCARxkCECgYEAtQ75
M5HcBG+zPbPHc4mrOgtQzaUTEs1onu/zDCuFZwYtyBB0RKSLLmacgh/Qcdu13Lli
fdTqego5asKztQfsB88aqkYtdY51dnm+H2sxQ2ef+1D2gbV+sdrsM7gUuVvxBMwv
itFizQ1rgZn/Vee4zfFXEoURjkKfTKT27Hn7A30CgYEAx4ugOiiRPR67lcXFREQ3
jsKnPcbbqRieT5rt/XmKXxAlJ3vw9f76wh/0veBRHae1exq3DwCNAEI/I9oimK94
rMv6joM/wWnUf/qTbi1iLgrwD3Gar6lsaJ4BLBYtaVs/vwowuWTVOPPkIIig8+LZ
dwH5mAyZWWJG+myu6vsdVwECgYAJqT/g4ZKU5gTxcOteneT2Fu572qgW48EGYhVc
++GFas38k+wwUXtfwXfudZYgzTF6EqZPwpG0a2E+8h62tTKCBCoPFemNEUnxRXPA
p26cgyYFOf+9UhrtkJnz9Imejmpg8ChFRwD3ohSveLEoO1IgIxWbVmBmb+WiKFdI
rQWY3QKBgA6Gw/8KB7LxqR3N9/1xgW5b02WVhG7gvFNlSYZMmdd8H3w8MdXCdk22
kJBfrIfkDS6nbF6w4+8q309NPwOqdkt2QNPq6Il1ugWuxFMiNEGHjjT21PrsgEJS
q6K6c+znrnI7O/wijdvEC2n+q+S9h8yv1bT6QfC1Vx88SC9GCBuq
-----END RSA PRIVATE KEY-----
$ cat policy.json
{"Statement":[{"Resource":"https://mycloudfront.net/a.png","​Condition":{"DateLes​sThan":{"AWS:EpochTi​me":1512086400}}}]}
First, read the key:
iex(1)> key = File.read!("pk.pem") |> :public_key.pem_decode |> hd |> :public_key.pem_entry_decode
...
Then sign the data using :public_key.sign/3:
iex(2)> File.read!("policy.json") |> :public_key.sign(:sha, key) |> Base.encode64
"QjLmx3LASRb1zt9eW/EMywGMXB1SwX/0JrTnLOFulYjcRJ1dpacUZBB/AYI1zwaXPEQTgQ8crNDFgje6fqbLKoNwgcpE9mOK/RdDKi963ztJnD6EmtM60YbROSpjQ/LDupEYgipPNZbjCnRCJcqDX43BadbVR75G3B5mFmAwtRSPdslJ5irVnt9PjoDMdi9DYe1wGhgQkoym1tiKEyaTrH5lyrw+KPdAi1tpzuZ60ZEcQFJJbKqYYdA0SslbUFL71mdLLkQ9xz95JPNpsSY3ZJyJsKpRGFJuaL1aMsdNLxlLD91PpNW15FitBpBnAwuiiEfPrwU14zIxsfFszaM6KA=="
The output is identical to openssl:
$ cat policy.json | openssl sha1 -sign pk.pem | base64
QjLmx3LASRb1zt9eW/EMywGMXB1SwX/0JrTnLOFulYjcRJ1dpacUZBB/AYI1zwaXPEQTgQ8crNDFgje6fqbLKoNwgcpE9mOK/RdDKi963ztJnD6EmtM60YbROSpjQ/LDupEYgipPNZbjCnRCJcqDX43BadbVR75G3B5mFmAwtRSPdslJ5irVnt9PjoDMdi9DYe1wGhgQkoym1tiKEyaTrH5lyrw+KPdAi1tpzuZ60ZEcQFJJbKqYYdA0SslbUFL71mdLLkQ9xz95JPNpsSY3ZJyJsKpRGFJuaL1aMsdNLxlLD91PpNW15FitBpBnAwuiiEfPrwU14zIxsfFszaM6KA==

Getting google search ssl pem certificate

For testing purpose I want to set up a https connection to google and start a search. I downloaded the OpenSSL example from here. In the code, I have to load a pem file here:
/* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL);
ssl_err = ERR_get_error();
now I search for the certificate of google search. Where can I get it?

now I search for the certificate of google search. Where can I get it?
Try Google's Certificate Authority at Google Internet Authority G2.
Google runs an unconstrained subordinate CA. The certifying authority is GeoTrust Global CA. You can use their CA certificate too.
GeoTrust was purchased by Equifax. So you can also use Equifax Secure Certificate Authority.
In general, you can see who certifies what with openssl s_client and the -showcerts option:
$ openssl s_client -connect search.google.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIfuDCCHqCgAwIBAgIIUmXT7OTMmWgwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNDIyMTQyNDAxWhcNMTUwNzIxMDAwMDAw
WjBkMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzETMBEGA1UEAwwKZ29v
Z2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQ0TXTtgOPD
iDCBnSP4TjJKv4RpGTITXlfPjHrsFK+j8ptbd8aLrHMmSOhLf8QG3+LoS7NUX+2f
l1Za4KuSbiP9rlS/PBMiFOGY/aPOynnNXSCrFyK2ZDGr99rr6Ey3zIKrfmFv3RXF
8MEUCvWm4cN1NKirRyW8AC6qHiQ+y5I3FPzIjrlxAGhSMIULQvOpLepbjNfOHqMR
WDYIBWtoIMx5rIle4yWnxXRK5Et308GoLcqKHBkMAkKDBgaQTqknunYf4mq+CiO7
PlYeEff/zI+H/fUtvWzc1A98rM0ty94tONw4j1w6+UR/WzBuWpylMY7S+q9Vc2FV
9i2euHxPLzsCAwEAAaOCHIcwghyDMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjCCG10GA1UdEQSCG1QwghtQggpnb29nbGUuY29tggoqLjJtZG4ubmV0gg0q
LmFuZHJvaWQuY29tghYqLmFwcGVuZ2luZS5nb29nbGUuY29tghQqLmF1LmRvdWJs
ZWNsaWNrLm5ldIILKi5jYy1kdC5jb22CEiouY2xvdWQuZ29vZ2xlLmNvbYIUKi5k
ZS5kb3VibGVjbGljay5uZXSCESouZG91YmxlY2xpY2suY29tghEqLmRvdWJsZWNs
aWNrLm5ldIIVKi5mbHMuZG91YmxlY2xpY2submV0ghQqLmZyLmRvdWJsZWNsaWNr
Lm5ldIIWKi5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuYWOCCyouZ29v
Z2xlLmFkggsqLmdvb2dsZS5hZYILKi5nb29nbGUuYWaCCyouZ29vZ2xlLmFnggsq
Lmdvb2dsZS5hbIILKi5nb29nbGUuYW2CCyouZ29vZ2xlLmFzggsqLmdvb2dsZS5h
dIILKi5nb29nbGUuYXqCCyouZ29vZ2xlLmJhggsqLmdvb2dsZS5iZYILKi5nb29n
bGUuYmaCCyouZ29vZ2xlLmJnggsqLmdvb2dsZS5iaYILKi5nb29nbGUuYmqCCyou
Z29vZ2xlLmJzggsqLmdvb2dsZS5idIILKi5nb29nbGUuYnmCCyouZ29vZ2xlLmNh
ggwqLmdvb2dsZS5jYXSCCyouZ29vZ2xlLmNjggsqLmdvb2dsZS5jZIILKi5nb29n
bGUuY2aCCyouZ29vZ2xlLmNnggsqLmdvb2dsZS5jaIILKi5nb29nbGUuY2mCCyou
Z29vZ2xlLmNsggsqLmdvb2dsZS5jbYILKi5nb29nbGUuY26CDiouZ29vZ2xlLmNv
LmFvgg4qLmdvb2dsZS5jby5id4IOKi5nb29nbGUuY28uY2uCDiouZ29vZ2xlLmNv
LmNygg4qLmdvb2dsZS5jby5odYIOKi5nb29nbGUuY28uaWSCDiouZ29vZ2xlLmNv
Lmlsgg4qLmdvb2dsZS5jby5pbYIOKi5nb29nbGUuY28uaW6CDiouZ29vZ2xlLmNv
Lmplgg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28ua2WCDiouZ29vZ2xlLmNv
Lmtygg4qLmdvb2dsZS5jby5sc4IOKi5nb29nbGUuY28ubWGCDiouZ29vZ2xlLmNv
Lm16gg4qLmdvb2dsZS5jby5ueoIOKi5nb29nbGUuY28udGiCDiouZ29vZ2xlLmNv
LnR6gg4qLmdvb2dsZS5jby51Z4IOKi5nb29nbGUuY28udWuCDiouZ29vZ2xlLmNv
LnV6gg4qLmdvb2dsZS5jby52ZYIOKi5nb29nbGUuY28udmmCDiouZ29vZ2xlLmNv
Lnphgg4qLmdvb2dsZS5jby56bYIOKi5nb29nbGUuY28ueneCDCouZ29vZ2xlLmNv
bYIPKi5nb29nbGUuY29tLmFmgg8qLmdvb2dsZS5jb20uYWeCDyouZ29vZ2xlLmNv
bS5haYIPKi5nb29nbGUuY29tLmFygg8qLmdvb2dsZS5jb20uYXWCDyouZ29vZ2xl
LmNvbS5iZIIPKi5nb29nbGUuY29tLmJogg8qLmdvb2dsZS5jb20uYm6CDyouZ29v
Z2xlLmNvbS5ib4IPKi5nb29nbGUuY29tLmJygg8qLmdvb2dsZS5jb20uYnmCDyou
Z29vZ2xlLmNvbS5ieoIPKi5nb29nbGUuY29tLmNugg8qLmdvb2dsZS5jb20uY2+C
DyouZ29vZ2xlLmNvbS5jdYIPKi5nb29nbGUuY29tLmN5gg8qLmdvb2dsZS5jb20u
ZG+CDyouZ29vZ2xlLmNvbS5lY4IPKi5nb29nbGUuY29tLmVngg8qLmdvb2dsZS5j
b20uZXSCDyouZ29vZ2xlLmNvbS5maoIPKi5nb29nbGUuY29tLmdlgg8qLmdvb2ds
ZS5jb20uZ2iCDyouZ29vZ2xlLmNvbS5naYIPKi5nb29nbGUuY29tLmdygg8qLmdv
b2dsZS5jb20uZ3SCDyouZ29vZ2xlLmNvbS5oa4IPKi5nb29nbGUuY29tLmlxgg8q
Lmdvb2dsZS5jb20uam2CDyouZ29vZ2xlLmNvbS5qb4IPKi5nb29nbGUuY29tLmto
gg8qLmdvb2dsZS5jb20ua3eCDyouZ29vZ2xlLmNvbS5sYoIPKi5nb29nbGUuY29t
Lmx5gg8qLmdvb2dsZS5jb20ubW2CDyouZ29vZ2xlLmNvbS5tdIIPKi5nb29nbGUu
Y29tLm14gg8qLmdvb2dsZS5jb20ubXmCDyouZ29vZ2xlLmNvbS5uYYIPKi5nb29n
bGUuY29tLm5mgg8qLmdvb2dsZS5jb20ubmeCDyouZ29vZ2xlLmNvbS5uaYIPKi5n
b29nbGUuY29tLm5wgg8qLmdvb2dsZS5jb20ubnKCDyouZ29vZ2xlLmNvbS5vbYIP
Ki5nb29nbGUuY29tLnBhgg8qLmdvb2dsZS5jb20ucGWCDyouZ29vZ2xlLmNvbS5w
Z4IPKi5nb29nbGUuY29tLnBogg8qLmdvb2dsZS5jb20ucGuCDyouZ29vZ2xlLmNv
bS5wbIIPKi5nb29nbGUuY29tLnBygg8qLmdvb2dsZS5jb20ucHmCDyouZ29vZ2xl
LmNvbS5xYYIPKi5nb29nbGUuY29tLnJ1gg8qLmdvb2dsZS5jb20uc2GCDyouZ29v
Z2xlLmNvbS5zYoIPKi5nb29nbGUuY29tLnNngg8qLmdvb2dsZS5jb20uc2yCDyou
Z29vZ2xlLmNvbS5zdoIPKi5nb29nbGUuY29tLnRqgg8qLmdvb2dsZS5jb20udG6C
DyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUuY29tLnR3gg8qLmdvb2dsZS5jb20u
dWGCDyouZ29vZ2xlLmNvbS51eYIPKi5nb29nbGUuY29tLnZjgg8qLmdvb2dsZS5j
b20udmWCDyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuY3aCCyouZ29vZ2xlLmN6
ggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZGqCCyouZ29vZ2xlLmRrggsqLmdvb2ds
ZS5kbYILKi5nb29nbGUuZHqCCyouZ29vZ2xlLmVlggsqLmdvb2dsZS5lc4IMKi5n
b29nbGUuZXVzggsqLmdvb2dsZS5maYILKi5nb29nbGUuZm2CCyouZ29vZ2xlLmZy
ggwqLmdvb2dsZS5mcmyCCyouZ29vZ2xlLmdhggwqLmdvb2dsZS5nYWyCCyouZ29v
Z2xlLmdlggsqLmdvb2dsZS5nZ4ILKi5nb29nbGUuZ2yCCyouZ29vZ2xlLmdtggsq
Lmdvb2dsZS5ncIILKi5nb29nbGUuZ3KCCyouZ29vZ2xlLmd5ggsqLmdvb2dsZS5o
a4ILKi5nb29nbGUuaG6CCyouZ29vZ2xlLmhyggsqLmdvb2dsZS5odIILKi5nb29n
bGUuaHWCCyouZ29vZ2xlLmllggsqLmdvb2dsZS5pbYILKi5nb29nbGUuaW6CDSou
Z29vZ2xlLmluZm+CCyouZ29vZ2xlLmlxggsqLmdvb2dsZS5pcoILKi5nb29nbGUu
aXOCCyouZ29vZ2xlLml0gg4qLmdvb2dsZS5pdC5hb4ILKi5nb29nbGUuamWCCyou
Z29vZ2xlLmpvgg0qLmdvb2dsZS5qb2JzggsqLmdvb2dsZS5qcIILKi5nb29nbGUu
a2eCCyouZ29vZ2xlLmtpggsqLmdvb2dsZS5reoILKi5nb29nbGUubGGCCyouZ29v
Z2xlLmxpggsqLmdvb2dsZS5sa4ILKi5nb29nbGUubHSCCyouZ29vZ2xlLmx1ggsq
Lmdvb2dsZS5sdoILKi5nb29nbGUubWSCCyouZ29vZ2xlLm1lggsqLmdvb2dsZS5t
Z4ILKi5nb29nbGUubWuCCyouZ29vZ2xlLm1sggsqLmdvb2dsZS5tboILKi5nb29n
bGUubXOCCyouZ29vZ2xlLm11ggsqLmdvb2dsZS5tdoILKi5nb29nbGUubXeCCyou
Z29vZ2xlLm5lgg4qLmdvb2dsZS5uZS5qcIIMKi5nb29nbGUubmV0ggsqLmdvb2ds
ZS5uZ4ILKi5nb29nbGUubmyCCyouZ29vZ2xlLm5vggsqLmdvb2dsZS5ucoILKi5n
b29nbGUubnWCDyouZ29vZ2xlLm9mZi5haYILKi5nb29nbGUucGuCCyouZ29vZ2xl
LnBsggsqLmdvb2dsZS5wboILKi5nb29nbGUucHOCCyouZ29vZ2xlLnB0ggsqLmdv
b2dsZS5yb4ILKi5nb29nbGUucnOCCyouZ29vZ2xlLnJ1ggsqLmdvb2dsZS5yd4IL
Ki5nb29nbGUuc2OCCyouZ29vZ2xlLnNlggsqLmdvb2dsZS5zaIILKi5nb29nbGUu
c2mCCyouZ29vZ2xlLnNrggsqLmdvb2dsZS5zbYILKi5nb29nbGUuc26CCyouZ29v
Z2xlLnNvggsqLmdvb2dsZS5zcoILKi5nb29nbGUuc3SCCyouZ29vZ2xlLnRkggsq
Lmdvb2dsZS50Z4ILKi5nb29nbGUudGuCCyouZ29vZ2xlLnRsggsqLmdvb2dsZS50
bYILKi5nb29nbGUudG6CCyouZ29vZ2xlLnRvggsqLmdvb2dsZS50dIILKi5nb29n
bGUudWGCCyouZ29vZ2xlLnVzggsqLmdvb2dsZS51eoILKi5nb29nbGUudmeCCyou
Z29vZ2xlLnZ1ggsqLmdvb2dsZS53c4ISKi5nb29nbGVhZGFwaXMuY29tghUqLmdv
b2dsZWFkc3NlcnZpbmcuY26CDyouZ29vZ2xlYXBpcy5jboIUKi5nb29nbGVjb21t
ZXJjZS5jb22CESouZ29vZ2xldmlkZW8uY29tggwqLmdzdGF0aWMuY26CDSouZ3N0
YXRpYy5jb22CCiouZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CFCouanAuZG91YmxlY2xp
Y2submV0ghQqLm1ldHJpYy5nc3RhdGljLmNvbYIUKi51ay5kb3VibGVjbGljay5u
ZXSCDCoudXJjaGluLmNvbYIQKi51cmwuZ29vZ2xlLmNvbYIWKi55b3V0dWJlLW5v
Y29va2llLmNvbYINKi55b3V0dWJlLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9uLmNv
bYILKi55dGltZy5jb22CFWFkLm1vLmRvdWJsZWNsaWNrLm5ldIILYW5kcm9pZC5j
b22CD2RvdWJsZWNsaWNrLm5ldIIEZy5jb4IGZ29vLmdsghRnb29nbGUtYW5hbHl0
aWNzLmNvbYIJZ29vZ2xlLmFjgglnb29nbGUuYWSCCWdvb2dsZS5hZYIJZ29vZ2xl
LmFmgglnb29nbGUuYWeCCWdvb2dsZS5hbIIJZ29vZ2xlLmFtgglnb29nbGUuYXOC
CWdvb2dsZS5hdIIJZ29vZ2xlLmF6gglnb29nbGUuYmGCCWdvb2dsZS5iZYIJZ29v
Z2xlLmJmgglnb29nbGUuYmeCCWdvb2dsZS5iaYIJZ29vZ2xlLmJqgglnb29nbGUu
YnOCCWdvb2dsZS5idIIJZ29vZ2xlLmJ5gglnb29nbGUuY2GCCmdvb2dsZS5jYXSC
CWdvb2dsZS5jY4IJZ29vZ2xlLmNkgglnb29nbGUuY2aCCWdvb2dsZS5jZ4IJZ29v
Z2xlLmNogglnb29nbGUuY2mCCWdvb2dsZS5jbIIJZ29vZ2xlLmNtgglnb29nbGUu
Y26CDGdvb2dsZS5jby5hb4IMZ29vZ2xlLmNvLmJ3ggxnb29nbGUuY28uY2uCDGdv
b2dsZS5jby5jcoIMZ29vZ2xlLmNvLmh1ggxnb29nbGUuY28uaWSCDGdvb2dsZS5j
by5pbIIMZ29vZ2xlLmNvLmltggxnb29nbGUuY28uaW6CDGdvb2dsZS5jby5qZYIM
Z29vZ2xlLmNvLmpwggxnb29nbGUuY28ua2WCDGdvb2dsZS5jby5rcoIMZ29vZ2xl
LmNvLmxzggxnb29nbGUuY28ubWGCDGdvb2dsZS5jby5teoIMZ29vZ2xlLmNvLm56
ggxnb29nbGUuY28udGiCDGdvb2dsZS5jby50eoIMZ29vZ2xlLmNvLnVnggxnb29n
bGUuY28udWuCDGdvb2dsZS5jby51eoIMZ29vZ2xlLmNvLnZlggxnb29nbGUuY28u
dmmCDGdvb2dsZS5jby56YYIMZ29vZ2xlLmNvLnptggxnb29nbGUuY28ueneCDWdv
b2dsZS5jb20uYWaCDWdvb2dsZS5jb20uYWeCDWdvb2dsZS5jb20uYWmCDWdvb2ds
ZS5jb20uYXKCDWdvb2dsZS5jb20uYXWCDWdvb2dsZS5jb20uYmSCDWdvb2dsZS5j
b20uYmiCDWdvb2dsZS5jb20uYm6CDWdvb2dsZS5jb20uYm+CDWdvb2dsZS5jb20u
YnKCDWdvb2dsZS5jb20uYnmCDWdvb2dsZS5jb20uYnqCDWdvb2dsZS5jb20uY26C
DWdvb2dsZS5jb20uY2+CDWdvb2dsZS5jb20uY3WCDWdvb2dsZS5jb20uY3mCDWdv
b2dsZS5jb20uZG+CDWdvb2dsZS5jb20uZWOCDWdvb2dsZS5jb20uZWeCDWdvb2ds
ZS5jb20uZXSCDWdvb2dsZS5jb20uZmqCDWdvb2dsZS5jb20uZ2WCDWdvb2dsZS5j
b20uZ2iCDWdvb2dsZS5jb20uZ2mCDWdvb2dsZS5jb20uZ3KCDWdvb2dsZS5jb20u
Z3SCDWdvb2dsZS5jb20uaGuCDWdvb2dsZS5jb20uaXGCDWdvb2dsZS5jb20uam2C
DWdvb2dsZS5jb20uam+CDWdvb2dsZS5jb20ua2iCDWdvb2dsZS5jb20ua3eCDWdv
b2dsZS5jb20ubGKCDWdvb2dsZS5jb20ubHmCDWdvb2dsZS5jb20ubW2CDWdvb2ds
ZS5jb20ubXSCDWdvb2dsZS5jb20ubXiCDWdvb2dsZS5jb20ubXmCDWdvb2dsZS5j
b20ubmGCDWdvb2dsZS5jb20ubmaCDWdvb2dsZS5jb20ubmeCDWdvb2dsZS5jb20u
bmmCDWdvb2dsZS5jb20ubnCCDWdvb2dsZS5jb20ubnKCDWdvb2dsZS5jb20ub22C
DWdvb2dsZS5jb20ucGGCDWdvb2dsZS5jb20ucGWCDWdvb2dsZS5jb20ucGeCDWdv
b2dsZS5jb20ucGiCDWdvb2dsZS5jb20ucGuCDWdvb2dsZS5jb20ucGyCDWdvb2ds
ZS5jb20ucHKCDWdvb2dsZS5jb20ucHmCDWdvb2dsZS5jb20ucWGCDWdvb2dsZS5j
b20ucnWCDWdvb2dsZS5jb20uc2GCDWdvb2dsZS5jb20uc2KCDWdvb2dsZS5jb20u
c2eCDWdvb2dsZS5jb20uc2yCDWdvb2dsZS5jb20uc3aCDWdvb2dsZS5jb20udGqC
DWdvb2dsZS5jb20udG6CDWdvb2dsZS5jb20udHKCDWdvb2dsZS5jb20udHeCDWdv
b2dsZS5jb20udWGCDWdvb2dsZS5jb20udXmCDWdvb2dsZS5jb20udmOCDWdvb2ds
ZS5jb20udmWCDWdvb2dsZS5jb20udm6CCWdvb2dsZS5jdoIJZ29vZ2xlLmN6ggln
b29nbGUuZGWCCWdvb2dsZS5kaoIJZ29vZ2xlLmRrgglnb29nbGUuZG2CCWdvb2ds
ZS5keoIJZ29vZ2xlLmVlgglnb29nbGUuZXOCCmdvb2dsZS5ldXOCCWdvb2dsZS5m
aYIJZ29vZ2xlLmZtgglnb29nbGUuZnKCCmdvb2dsZS5mcmyCCWdvb2dsZS5nYYIK
Z29vZ2xlLmdhbIIJZ29vZ2xlLmdlgglnb29nbGUuZ2eCCWdvb2dsZS5nbIIJZ29v
Z2xlLmdtgglnb29nbGUuZ3CCCWdvb2dsZS5ncoIJZ29vZ2xlLmd5gglnb29nbGUu
aGuCCWdvb2dsZS5oboIJZ29vZ2xlLmhygglnb29nbGUuaHSCCWdvb2dsZS5odYIJ
Z29vZ2xlLmllgglnb29nbGUuaW2CCWdvb2dsZS5pboILZ29vZ2xlLmluZm+CCWdv
b2dsZS5pcYIJZ29vZ2xlLmlygglnb29nbGUuaXOCCWdvb2dsZS5pdIIMZ29vZ2xl
Lml0LmFvgglnb29nbGUuamWCCWdvb2dsZS5qb4ILZ29vZ2xlLmpvYnOCCWdvb2ds
ZS5qcIIJZ29vZ2xlLmtngglnb29nbGUua2mCCWdvb2dsZS5reoIJZ29vZ2xlLmxh
gglnb29nbGUubGmCCWdvb2dsZS5sa4IJZ29vZ2xlLmx0gglnb29nbGUubHWCCWdv
b2dsZS5sdoIJZ29vZ2xlLm1kgglnb29nbGUubWWCCWdvb2dsZS5tZ4IJZ29vZ2xl
Lm1rgglnb29nbGUubWyCCWdvb2dsZS5tboIJZ29vZ2xlLm1zgglnb29nbGUubXWC
CWdvb2dsZS5tdoIJZ29vZ2xlLm13gglnb29nbGUubmWCDGdvb2dsZS5uZS5qcIIK
Z29vZ2xlLm5ldIIJZ29vZ2xlLm5ngglnb29nbGUubmyCCWdvb2dsZS5ub4IJZ29v
Z2xlLm5ygglnb29nbGUubnWCDWdvb2dsZS5vZmYuYWmCCWdvb2dsZS5wa4IJZ29v
Z2xlLnBsgglnb29nbGUucG6CCWdvb2dsZS5wc4IJZ29vZ2xlLnB0gglnb29nbGUu
cm+CCWdvb2dsZS5yc4IJZ29vZ2xlLnJ1gglnb29nbGUucneCCWdvb2dsZS5zY4IJ
Z29vZ2xlLnNlgglnb29nbGUuc2iCCWdvb2dsZS5zaYIJZ29vZ2xlLnNrgglnb29n
bGUuc22CCWdvb2dsZS5zboIJZ29vZ2xlLnNvgglnb29nbGUuc3KCCWdvb2dsZS5z
dIIJZ29vZ2xlLnRkgglnb29nbGUudGeCCWdvb2dsZS50a4IJZ29vZ2xlLnRsggln
b29nbGUudG2CCWdvb2dsZS50boIJZ29vZ2xlLnRvgglnb29nbGUudHSCCWdvb2ds
ZS51YYIJZ29vZ2xlLnVzgglnb29nbGUudXqCCWdvb2dsZS52Z4IJZ29vZ2xlLnZ1
gglnb29nbGUud3OCEmdvb2dsZWNvbW1lcmNlLmNvbYILZ3N0YXRpYy5jb22CCnVy
Y2hpbi5jb22CCHlvdXR1LmJlggt5b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlv
bi5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdv
b2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEu
Z29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBSxIU3tmHdUyY6zBhGJUJ5pEaFPRzAM
BgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcG
A1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8v
cGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCKA5IO
G8WGMUUmFLM8GHjaVrIFxCH9TQcEIxvqvEa7UKc7xYDxStgjykpmLQaldEPP3BWh
ChiT6jShCaAfi1vNOVPFRw+9ZvCnCVRApjJL9cY3zBUfVqMkLqAhfM6IGfTe2ohM
/zAqn3vE9diLAPQBGT9zF2vmis8h9hwgnhHbBTs5ijMEf9J7KQ5eMEBkqKZFZOx6
Hedz/g5UBX9pYG3j7a7vyrzSaHpCFD1KIJCZYz6AD4dserwdh1Ee/iVpgJo/KMTp
1cF35ai+eL1NsIeap8GsOsIyG5tYhhP4/SaKEZ/OZ2vTpeaFQ++uwRQ0TpwmROtj
gXelPtsmz3tXlaiA
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---

SSL_CTX_use_PrivateKey_file() failed

I'm writing a client application on Windows that establishes an SSL connection to a server, and the server requests client certificate for authentication. The server provides me a .pfx file, then I use openssl command line tool to get the certificate and the private key like this:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
after that, I try to load the certificate and the private key with functions from openssl as below, but SSL_CTX_use_PrivateKey_file() always failed, the error message is "error:0906D06C:PEM routines:PEM_read_bio:no start line", I can't figure it out why, can anyone give me some enlightenment?
Here is the code.
#include "openssl/ssl.h"
#include "openssl/err.h"
#include <stdio.h>
#include <string>
int InitClientCtx()
{
OpenSSL_add_ssl_algorithms();
SSL_CTX* m_pClientCtx;
m_pClientCtx = SSL_CTX_new(SSLv23_method());
if(!m_pClientCtx)
{
return -1;
}
::SSL_CTX_set_options(m_pClientCtx, SSL_OP_ALL); //for well-known bugs
int nRet = 0;
std::string sCertFilePath = "C:\\cert.pem";
nRet = SSL_CTX_use_certificate_chain_file(m_pClientCtx, sCertFilePath.c_str());
std::string sKeyPassWord = "123456";
SSL_CTX_set_default_passwd_cb_userdata(m_pClientCtx, (void*)(sKeyPassWord.c_str()));
std::string sKeyFilePath = "C:\\key.pem";
// this method returned 0, which means it failed.
nRet = SSL_CTX_use_PrivateKey_file(m_pClientCtx, sKeyFilePath.c_str(), SSL_FILETYPE_PEM);
SSL_load_error_strings();
unsigned long n = ERR_get_error();
char buf[1024];
printf("%s\n", ERR_error_string(n, buf));
nRet = SSL_CTX_check_private_key(m_pClientCtx);
if (nRet <= 0)
{
return -1;
}
/*std::string sCACertFilePath;
nRet = SSL_CTX_load_verify_locations(m_pClientCtx, sCACertFilePath.c_str(), NULL);*/
return 0;
}
int main()
{
InitClientCtx();
return 0;
};

In my case the error was because the PEM file did not contain both a key and a certificate.
Make sure your file contains both sections:
-----BEGIN PRIVATE KEY----- jhajk838383jks.....
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE----- yoe55wjcxnshre.....
-----END CERTIFICATE KEY-----
I catenated .key and .crt files I already had in my Apache configuration to make a .pem file.
The 'no start line' error is certainly misleading as you can have a perfectly good "BEGIN" line in your PEM file and still get the error.

The error error:0906D06C:PEM routines:PEM_read_bio:no start line is because in both the cert.pem as well as key.pem, don't start off with -----BEGIN CERTIFICATE----- and -----BEGIN ENCRYPTED PRIVATE KEY-----.
If you open up your cert.pem and key.pem in a text editor and yank off whatever is there before the BEGIN markers, you should be good.
When you create a certificate and a key pair using Certificate Signing Request, you won't get this additional information.

I've solved this problem myself. I generated the key.pem using OpenSSL for Windows, when the CMD prompts me to type in the pass phrase, I just typed a Enter since I needn't a pass phrase, but the key.pem was invalid(neither BEGIN nor END markers). When I generate the private key in Linux, the terminal prompts I must type a pass phrase and I do. Then I remove the key pass phrase using this command:
openssl rsa -in key.pem -out newkey.pem
After that, I open the key.pem in a text editor, it starts off with -----BEGIN RSA PRIVATE KEY----- and end up with -----END RSA PRIVATE KEY-----. And SSL_CTX_use_PrivateKey_file() just works fine!

Under openssl directory demo/openssl there is a client example.
Change:
meth = SSLv2_client_method();
in your case to:
meth = SSLv23_client_method();
Try this example and see where it fails.
Are you sure that the key password is 123456 ?

I had the same problem in NGINX while installing the SSL certificate and I resolved using the following step:
Go to the folder where you have your certificate and pem files
Open your ca-bundle.crt file and copy everything, sudo nano your fileName select all and copy. the file looks like
-----BEGIN CERTIFICATE----- MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
..........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
..........
-----END CERTIFICATE-----
Open your pem file using sudo nano your fileName.pem
You will see some code like
-----BEGIN CERTIFICATE----- MIIGLzCCBRegAwIBAgIIWI4ndTQi3MwwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
MAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIF
oDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkaWcy
-----END CERTIFICATE-----
After -----END CERTIFICATE----- paste all the code copied from ca-bundle.crt file and save it
Restart your Nginx server using following command sudo service nginx restart
The above steps worked for me in my Nginx and SSL configuration

How I can create a DomainKey-Signature and DKIM-Signature by C++(or VC++) help of OpenSSL, Is it possible?

I have a public/private key pair, I submitted my public key into the server DNS TXT record(in SPF record), and I have a private key file.. I want to create DKIM-Signature and DomainKey-Signature for email, so I want to encrypt text message by private key to send it to email servers.. I want to use SHA-256 as the cryptographic hash and RSA as the public key encryption scheme.. I want to use OpenSSL and C++ to make DKIM-Signature and DomainKey-Signature for email..
This is my Public key in server TXT record :
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnHVS+q65lvG2xocltTYgPGt9F
aysGZTrcOwHedo8tX1dyPrcx2I8x/cvB9nmfdAkt65aGFAlBZrofbPCr2Mq4wDdv
IZ31KSuyMQI4T68ylWNT89GewQF6AOkpY1E2bW+oDXc+MpbtpYXY1rUJAS/Abt5v
Xi7gwKN9FSJ3mm9bjQIDAQAB
-----END PUBLIC KEY-----
This is my Privet key :
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCnHVS+q65lvG2xocltTYgPGt9FaysGZTrcOwHedo8tX1dyPrcx
2I8x/cvB9nmfdAkt65aGFAlBZrofbPCr2Mq4wDdvIZ31KSuyMQI4T68ylWNT89Ge
wQF6AOkpY1E2bW+oDXc+MpbtpYXY1rUJAS/Abt5vXi7gwKN9FSJ3mm9bjQIDAQAB
AoGACXuxnmxRpjZOJ0FeE9TNfsXwm5jcRS2jbHHwxjYGI/YAGVyTusFmRtj3Iheh
iTnld3SiAxPJ/qscrsHY2nef8Up60V7RF8bs+sbICnHbdz8ZoKxN9dEFCwJkIl55
dv0GHjox6UgWUUkUAiHCM2EgG5eOOQ8PsuXY8LpPWLvfuyUCQQDbkFG9y/Q/3lmb
CdYfBpsP3qvma+fdgCw9lRXTowhu0rKen/CC3rFkHMeHfSW9GHuR8QbPYdVA6d9H
Y7KxYa7LAkEAwtjTEo/zAVexH/+YgiqL6w89BHlTAmwIEkXpqtAnE86kDDCekYdE
fRIdGK1zHDOUddMAhwoJQjJzy/NJreQ8BwJBAMoJ6U3vKZjD8Ex8Jq5yE6nsyt3D
mZ73XL5mO6l9sjrYY0kX/+dNKIro+KoyfNGef8bxtcSLUALlsnIsybf0HTUCQQCR
DD4cvGJHJpOp4WkTxT6Bjsd6lCKyU9+yUq8/RFNC0HqYxHzWkx7uCFT2sPBXFyK2
j4v9+v+ncs13DzZTJ+tzAkBI6UWHtsn839nrAT32M8PEPF/TuDmqebMhFOaTl4an
W0Jr8w8iGk2gvQS2cXEPNh4XT9AgcTKDQkhui4RgxK4F
-----END RSA PRIVATE KEY-----
I tried some code help of OpenSSL, but I am unable to create DKIM-Signature and DomainKey-Signature for email..
This is code :
#include <stdio.h>
#include <stdlib.h>
#include <openssl/bio.h>
#include <openssl/pkcs7.h>
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
/ * Arguments: to be signed email, PKCS#12 certificate with private key
*/
int main(int argc, char** argv) {
if (argc < 3) exit(1);
OpenSSL_add_all_algorithms();
BIO *data = BIO_new_file(argv[1], "rb");
if (!data) exit(1);
BIO *p12file = BIO_new_file(argv[2], "rb");
if (!p12file) exit(1);
PKCS12 *p12 = d2i_PKCS12_bio(p12file, NULL);
if (!p12) exit(1);
X509 *signcert;
EVP_PKEY *pkey;
STACK_OF(X509) *ca;
int ret = PKCS12_parse(p12, "", &pkey, &signcert, &ca);
if (!ret) exit(1);
PKCS7 *p7 = PKCS7_sign(signcert, pkey, ca, data, 0);
if (!p7) exit(1);
BIO *out = BIO_new_file("email.eml", "wb");
if (!out) exit(1);
ret = SMIME_write_PKCS7(out, p7, data, 0);
if (!ret) exit(1);
BIO_free(data);
BIO_free(p12file);
PKCS12_free(p12);
PKCS7_free(p7);
return (EXIT_SUCCESS);
}
Any one can help me how I will use my Privet key with text to create this "DKIM-Signature and DomainKey-Signature"????
This is not working : BIO *p12file = BIO_new_file(argv[2], "rb");
I dont have "PKCS#12 certificate", so how I will use only my Privet key with email's text message to create "DKIM-Signature and DomainKey-Signature" ????

Your private and public key are in PEM format. You can use OpenSSL to convert it to PKCS#12.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Having said this, this will not help you. The source code that you presented is for signing e-mails using S/MIME. This uses personal certificates that are signed by an official Certification Authority, not using self-signed certificates. This also provides for the ability to encrypt e-mails, provided the recipient has your public key in their key chain.
What you are looking for is DKIM and DomainKeys. This is signed and then hashed using SHA256 and SHA1, respectively. It is computationally less expensive than S/MIME, but requires canonicalization (Google it) of the header and body before hashes can be calculated.
I recommend you have a look at PHPMailer projet on Github. Although this is PHP source code, it should be readily adaptable to work in C. It only covers the DKIM implementation, but DKIM supersedes DomainKeys, so I wouldn't bother implementing DomainKeys.