author Dave Heller <hellerda@linux.vnet.ibm.com> 2018-01-17 21:35:18 -0500
committer Dave Heller <hellerda@linux.vnet.ibm.com> 2018-01-17 21:35:18 -0500
commit 9c5eef8b773b5a96e68b1a19214b59709dffc807
tree 82006859416492133c8c538698b568410c73ab35
parent 83a103d62b3fc2d167c4e4a8550cf02dc43e0f82
Add test keys to the project
Signed-off-by: Dave Heller <hellerda@linux.vnet.ibm.com>
-rw-r--r-- test/keys/README.md 179
-rw-r--r-- test/keys/extract_pubkeys.sh 7
-rw-r--r-- test/keys/gen_keys_hash.sh 3
-rw-r--r-- test/keys/hw_key_a.key 25
-rw-r--r-- test/keys/hw_key_a.pub 15
-rw-r--r-- test/keys/hw_key_a.raw 0
-rw-r--r-- test/keys/hw_key_b.key 26
-rw-r--r-- test/keys/hw_key_b.pub 15
-rw-r--r-- test/keys/hw_key_b.raw 0
-rw-r--r-- test/keys/hw_key_c.key 26
-rw-r--r-- test/keys/hw_key_c.pub 15
-rw-r--r-- test/keys/hw_key_c.raw 0
-rw-r--r-- test/keys/hw_keys_hash.md 1
-rw-r--r-- test/keys/sw_key_p.key 16
-rw-r--r-- test/keys/sw_key_p.pub 6
15 files changed, 334 insertions, 0 deletions
diff --git a/test/keys/README.md b/test/keys/README.md
new file mode 100644
index 0000000..188debd
--- /dev/null
+++ b/test/keys/README.md
@@ -0,0 +1,179 @@
+# Important Information About Secure and Trusted Boot And Signing Keys
+
+## Background
+
+IBM OpenPOWER systems support Secure and Trusted Boot to protect system
+firmware. Secure Boot implements a processor based chain of trust. The
+chain starts with an implicitly trusted component with other components being
+authenticated and integrity checked before being executed on the host processor
+cores. At the root of this trust chain is the Host Platform Core Root of Trust
+for Measurement (CRTM). Immutable Read Only Memory (ROM - fixed in the POWER
+processor chip) verifies the initial firmware load. That firmware verifies
+cryptographic signatures on all subsequent "to be trusted" firmware that is
+loaded for execution on the P8 cores. Trusted Boot also makes use of this same
+CRTM by measuring and recording FW images via a Trusted Platform Module (TPM)
+before control is passed on to the next layer in the boot stack. The CRTM
+design is based on a Public Key Infrastructure (PKI) process to validate the
+firmware images before they are executed. This process makes use of a set of
+hardware and firmware asymmetric keys. Multiple organizations will want to
+deliver POWER hardware, digitally signed firmware, signed boot code,
+hypervisors, and operating systems. Each platform manufacturer wants to
+maintain control over its own code and sign it with its own keys. A single key
+hash is stored in host processor module SEEPROM representing the anchoring root
+set of hardware keys. The P8 Trusted Boot supports a key management flow that
+makes use of two kinds of hardware root keys, a wide open, well-known, openly
+published public/private key pair (imprint keys) and a set of production keys
+where the private key is protected by a hardware security module (HSM) internal
+to the manufacturing facility of the key owner.
+
+## Purpose Of Imprint Public/Private Keys
+
+It is critical to note that the imprint keys are not to be used for production.
+These are strictly for manufacturing and development level support given the
+open nature of the private part of the Hardware keys. This allows developers
+and testers to sign images and create builds for Secure and Trusted Boot
+development lab testing. Systems must be transitioned to production level
+keys for customer environments.
+
+## Manufacturer Key Management Role
+
+If a system is shipped from the System Manufacturer with imprint keys installed
+rather than production level hardware keys, the system must be viewed as running
+with a set of well-known default keys and vulnerable to exploitation. The
+System Access Administrator must work with the System Manufacturer to insure
+that a key transition process is utilized once a hardware based chain of trust
+is to be enabled as part of Secure or Trusted Boot functionality.
+
+## Intentional Public Release Of Imprint Public/Private Keys
+
+All public and private keys in this directory are being intentionally released
+to enable the developer community to sign code images. For true security, a
+different set of production signing keys should be used, and the private
+production signing key should be carefully guarded. Currently, we do not yet
+support production key signing, only development signing.
+
+### Imprint Private Keys
+
+#### Hardware Private Keys
+
+The following files contain the Imprint private keys, in PEM format:
+
+ hw_key_a.key
+ hw_key_b.key
+ hw_key_c.key
+
+#### Software Private Keys
+
+The project contains one sample Software key:
+
+ sw_key_p.key
+
+To generate your own software keys use the openssl "ecparam" command. The
+following commands will generate new private software keys P, Q and R:
+
+ $ openssl ecparam -genkey -outform pem -noout -name secp521r1 -out sw_key_p.key
+ $ openssl ecparam -genkey -outform pem -noout -name secp521r1 -out sw_key_q.key
+ $ openssl ecparam -genkey -outform pem -noout -name secp521r1 -out sw_key_r.key
+
+OpenPOWER secure boot supports three keys for Hardware (HW) key signing and (up
+to) three keys for Software (SW) key signing, This permits a "separation of
+duties" in the firmware signing process, if such a separation is desired. All
+three HW keys are required, but the SW keys allow for the use of one, two or
+three keys. A signature is required (i.e. must be present in the container) by
+*all three* firwmare keys, and by every (1-3) SW key in use, to create a
+container that will boot with secure mode on. If a separation of duties is not
+required, the signer may use the same key for all three required HW keys, and
+for the (1-3) required SW keys. The container will boot as long as all required
+signatures are present.
+
+#### Hardware and Software Public Keys
+
+The project includes the public keys for all the above private keys, in both PEM
+format (*.pub) and RAW format (*.raw). In the case where public keys are
+required, you may use either format. The RAW format is the minimal binary
+format, with all (ASN.1) metadata stripped. This is how they keys are stored
+within the container, to provide the minimal footprint. Usually you will work
+with the keys in PEM format, as this is the most flexible and widely compatible
+format. The RAW keys are included mainly for testing. However, for all
+programs included in this project, the *.pub and *.raw keys are interchangeable.
+
+The PEM format public keys can be easily extracted from the private keys using
+the openssl `pkey` command, for example:
+
+ $ openssl pkey -pubout -inform pem -outform pem -in sw_key_p.key -out sw_key_p.pub
+
+To automatically extract the PEM public keys from the private keys, run the
+included `extract_pubkeys.sh`
+
+#### Keys required by each operational mode
+
+When running the program in `Local (a.k.a. Development) mode` you must use the
+private keys, as the signatures will be created locally. The public keys are
+not required, as the program automatically extracts the public key from the
+private as needed.
+
+When running in `Independent mode` you will use the public keys to generate the
+signing requests, use the private keys to create the signatures, and again use
+the public keys to complete the container. This allows the signing operation to
+be done independently of the other steps.
+
+When running in `Production mode` the public keys are requested from the signing
+server, and the signing operations are performed *at* the server, so the private
+keys are never exposed. In this mode there is no need to input any keys to the
+program; it knows exactly what to request.
+
+In sum: for any operation where signing is done, the program must consume the
+private keys. For any operation where signing requests are generated, or the
+final container construction is done, the program needs only the public keys.
+
+#### Hardware Keys Hash
+
+As mentioned, a hash of the three public HW keys authorizing the platform
+firmware is stored in system SEEPROM. This is a 64 byte, SHA512 hash value.
+On a running OpenPOWER machine this value may be read from an entry in the
+system device tree:
+
+ # cat /proc/device-tree/ibm,secureboot/hw-key-hash | xxd -p
+ 40d487ff7380ed6ad54775d5795fea0de2f541fea9db06b8466a42a320e6
+ 5f75b48665460017d907515dc2a5f9fc50954d6ee0c9b67d219dfb708535
+ 1d01d6d1
+
+This pseudo-file is accessible from both the target OS and the petitboot shell.
+
+Secure boot protects the signed firmware by comparing this hash to the
+(calculated) hash of the three HW public keys in the container header (and then
+using these keys to verify the HW key signatures, also in the container header).
+If the hashes don't match, the machine won't boot.
+
+To check that the hash of the HW keys you are using to build your container
+matches the hash installed in the machine you wish to boot, use the `hashkeys`
+tool:
+
+ $ hashkeys -a hw_key_a.key -b hw_key_b.key -c hw_key_c.key
+
+Note that the tool can calculate the value using either public or private keys
+as input. The output is always the hash of the public keys.
+
+To store the value to a file that you can use to verify the completed container:
+
+ $ hashkeys -a hw_key_a.key -b hw_key_b.key -c hw_key_c.key --outfile hw_keys_hash.md
+
+Or run the included `gen_keys_hash.sh` which does the same.
+
+To check the hash of the HW keys in an existing container, run the
+`print-container` tool and look for the value in the output:
+
+ $ print-container -w0 --imagefile /tmp/secure-container | grep -A1 "HW keys hash"
+ HW keys hash (calculated):
+ 40d487ff7380ed6ad54775d5795fea0de2f541fea9db06b8466a42a32...
+
+To verify that the value of the HW keys hash in the container matches the given
+value, run the `print-container` tool with the `--verify` option.
+
+ $ print-container --no-print --imagefile /tmp/secure-container \
+ --validate --verify hw_keys_hash.md
+
+ Container validity check PASSED. Container verification check PASSED.
+
+Note the `--validate` option performs an independent validity check, but is
+shown for completeness
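Review bot: The "Hardware and Software Public Keys" section says the public keys ship in both PEM (*.pub) and RAW (*.raw) form and that the two are interchangeable, but this commit adds hw_key_a.raw, hw_key_b.raw and hw_key_c.raw as empty files (blob e69de29, 0 lines in the diffstat) and adds no sw_key_p.raw. Either commit the real raw keys or remove the claim until they exist. Smaller points in the same file: "by *all three* firwmare keys" should refer to the HW keys, "how they keys are stored" should read "the keys", "insure" should be "ensure", "SW key signing, This permits" needs a full stop, and the closing sentence about `--validate` is missing its period.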
diff --git a/test/keys/extract_pubkeys.sh b/test/keys/extract_pubkeys.sh
new file mode 100644
index 0000000..36888a7
--- /dev/null
+++ b/test/keys/extract_pubkeys.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+for f in *key
+do
+ prefix=$(echo "$f" | cut -f1 -d.)
+ openssl pkey -pubout -inform pem -outform pem -in "$prefix.key" -out "$prefix.pub"
+done
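Review bot: The loop glob `for f in *key` matches every name that ends in "key", not only `*.key`, and `cut -f1 -d.` keeps just the text before the first dot, so a file named with an extra dot would be mapped to the wrong input and output names. Use `for f in *.key` together with `"${f%.key}.pub"`, and make the script stop on the first openssl failure (for example with `set -e`) so a key that fails to parse does not leave an older .pub in place unnoticed.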
diff --git a/test/keys/gen_keys_hash.sh b/test/keys/gen_keys_hash.sh
new file mode 100644
index 0000000..2038eb5
--- /dev/null
+++ b/test/keys/gen_keys_hash.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ ../../hashkeys -a hw_key_a.key -b hw_key_b.key -c hw_key_c.key --pretty --outfile hw_keys_hash.md
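Review bot: The path `../../hashkeys` on the command line resolves against the caller's working directory, so the script only works when it is started from test/keys with hashkeys built at the repository root; derive the path from the script location (for example from `$(dirname "$0")`) or state the requirement in the README. The script also passes `--pretty`, while the README command it is described as equivalent to (`hashkeys ... --outfile hw_keys_hash.md`) does not, so the two should be aligned to produce the same file format.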
diff --git a/test/keys/hw_key_a.key b/test/keys/hw_key_a.key
new file mode 100644
index 0000000..8cfd2f2
--- /dev/null
+++ b/test/keys/hw_key_a.key
@@ -0,0 +1,25 @@
+!!! Important WARNING About This Private Key !!!
+
+DO NOT STRIP THIS WARNING FROM THIS PRIVATE KEY
+
+This private is being intentionally released by IBM to enable the developer
+community to sign code images. For true security, a different set of production
+signing keys should be used, and the private production signing key should be
+carefully guarded.
+
+-----BEGIN EC PRIVATE KEY-----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-----END EC PRIVATE KEY-----
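Review bot: The warning header reads "This private is being intentionally released", which is missing the word "key"; the same sentence is repeated in hw_key_b.key, hw_key_c.key and sw_key_p.key. Because the header itself says it must never be stripped, the wording is worth fixing before it is copied further. The README lists these files as "in PEM format", so it should also mention that free text precedes the BEGIN line, since loaders that expect the PEM block at the start of the file may not accept it.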
diff --git a/test/keys/hw_key_a.pub b/test/keys/hw_key_a.pub
new file mode 100644
index 0000000..f1d6a57
--- /dev/null
+++ b/test/keys/hw_key_a.pub
@@ -0,0 +1,15 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/test/keys/hw_key_a.raw b/test/keys/hw_key_a.raw
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/keys/hw_key_a.raw
diff --git a/test/keys/hw_key_b.key b/test/keys/hw_key_b.key
new file mode 100644
index 0000000..60afd2d
--- /dev/null
+++ b/test/keys/hw_key_b.key
@@ -0,0 +1,26 @@
+!!! Important WARNING About This Private Key !!!
+
+DO NOT STRIP THIS WARNING FROM THIS PRIVATE KEY
+
+This private is being intentionally released by IBM to enable the developer
+community to sign code images. For true security, a different set of production
+signing keys should be used, and the private production signing key should be
+carefully guarded.
+
+-----BEGIN EC PRIVATE KEY-----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+-----END EC PRIVATE KEY-----
diff --git a/test/keys/hw_key_b.pub b/test/keys/hw_key_b.pub
new file mode 100644
index 0000000..773fa26
--- /dev/null
+++ b/test/keys/hw_key_b.pub
@@ -0,0 +1,15 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/test/keys/hw_key_b.raw b/test/keys/hw_key_b.raw
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/keys/hw_key_b.raw
diff --git a/test/keys/hw_key_c.key b/test/keys/hw_key_c.key
new file mode 100644
index 0000000..1bf4dfb
--- /dev/null
+++ b/test/keys/hw_key_c.key
@@ -0,0 +1,26 @@
+!!! Important WARNING About This Private Key !!!
+
+DO NOT STRIP THIS WARNING FROM THIS PRIVATE KEY
+
+This private is being intentionally released by IBM to enable the developer
+community to sign code images. For true security, a different set of production
+signing keys should be used, and the private production signing key should be
+carefully guarded.
+
+-----BEGIN EC PRIVATE KEY-----
+MIICnQIBAQRCASomU+ACnQy0UDtFX53VV2bwBrc3GPK3hbMrsU1E98YmU4eh/Dpj
+FYQOyCPV27GRK8V46a1xvWs57per+X4R9LVdoIIBxjCCAcICAQEwTQYHKoZIzj0B
+AQJCAf//////////////////////////////////////////////////////////
+////////////////////////////MIGeBEIB////////////////////////////
+//////////////////////////////////////////////////////////wEQVGV
+PrlhjhyaH5KaIaC2hUDuotpyW5mzFfO4tImRjvEJ4VYZOVHsfpN7FlLAvTuxvwc1
+c9+IPSw08e9FH9RrUD8AAxUA0J6IACkcuFOWzGcXOTKEqqDaZLoEgYUEAMaFjga3
+BATpzZ4+y2YjlbRCnGSBOQU/tSH4KK9ga009uqFLXnfv51ko/h3BJ6L/qN4zSLPB
+hWpCm/l+fjHC5b1mARg5KWp4mjvABFyKX7QsfRvZmPVESVebRGgXr70XJz5mLJfu
+cple9CZAxVC5AT+tB2E1PHCGonLCQIi+lHaf0WZQAkIB////////////////////
+///////////////////////6UYaHg78vlmt/zAFI9wml0Du1ybiJnEeuu2+3HpE4
+ZAkCAQGhgYkDgYYABAFUBCtSjR9PiJqVhg/EIsNGp0phvJ8gE5XBFTnox8n8a+Ji
+4e7r8Uae9Qea6hnvWa6HzAup1KEJAl6vobyhyItaegDEHRy56UIij9nDVYhSIXia
+EEln8xLVz5cB//hToEtexHUvdax85Nacwco6FyGNxzptGddL+/ds/rkZ05Q1fFUr
+WQ==
+-----END EC PRIVATE KEY-----
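Review bot: The key body here runs to 15 base64 lines against 5 for sw_key_p.key, and it decodes to an EC private key that carries explicit curve parameters (the prime-field OID followed by the full secp521r1 field and curve values) instead of the named-curve OID that the README's `openssl ecparam -genkey ... -name secp521r1` command produces for the SW key. Libraries that accept only named curves will reject this encoding, so either re-export the HW keys with named-curve encoding or document in the README why the HW keys are stored with explicit parameters.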
diff --git a/test/keys/hw_key_c.pub b/test/keys/hw_key_c.pub
new file mode 100644
index 0000000..d954440
--- /dev/null
+++ b/test/keys/hw_key_c.pub
@@ -0,0 +1,15 @@
+-----BEGIN PUBLIC KEY-----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+-----END PUBLIC KEY-----
diff --git a/test/keys/hw_key_c.raw b/test/keys/hw_key_c.raw
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/keys/hw_key_c.raw
diff --git a/test/keys/hw_keys_hash.md b/test/keys/hw_keys_hash.md
new file mode 100644
index 0000000..e0328fc
--- /dev/null
+++ b/test/keys/hw_keys_hash.md
@@ -0,0 +1 @@
+0x40d487ff7380ed6ad54775d5795fea0de2f541fea9db06b8466a42a320e65f75b48665460017d907515dc2a5f9fc50954d6ee0c9b67d219dfb7085351d01d6d1
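Review bot: The value committed here is the same 64-byte hash that the README shows being read from /proc/device-tree/ibm,secureboot/hw-key-hash, which means that example output is the imprint-key hash; the README should say so explicitly, so an administrator who reads this value from a machine can recognise that it is still running with the published imprint keys. The file also stores the value with a `0x` prefix on one line, while the `xxd -p` output in the README is unprefixed and wrapped, so a direct textual comparison fails; document the normalisation or keep both in one format. If the `.md` suffix means "message digest" rather than Markdown, note that in the README as well.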
diff --git a/test/keys/sw_key_p.key b/test/keys/sw_key_p.key
new file mode 100644
index 0000000..548e880
--- /dev/null
+++ b/test/keys/sw_key_p.key
@@ -0,0 +1,16 @@
+!!! Important WARNING About This Private Key !!!
+
+DO NOT STRIP THIS WARNING FROM THIS PRIVATE KEY
+
+This private is being intentionally released by IBM to enable the developer
+community to sign code images. For true security, a different set of production
+signing keys should be used, and the private production signing key should be
+carefully guarded.
+
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIA1vyq2cSPgwWxVtPIEOqGL3UVsy5juBQz8XekOq6aeYf/nqC9u8u+
+GqCiffgBCPnXfWOWLtkaokYEPuMe7TekzomgBwYFK4EEACOhgYkDgYYABAD8W6NM
+6nVfsYps75ko1gfNrJO9XqbWAuUuyFA/O8S5tPwVP+atGpc4PE+uTEI24t7mkYLa
+kZhnGlmQpjr4fjkFvgAZDwhcQ+hWmzXYEBobYIPgItJi+8GvxBHBZvQWqpVWRfU9
+nSOxLTjjZ3i3dvBnQpCnx4cpTtIJPzFuE+kXqxLDnQ==
+-----END EC PRIVATE KEY-----
diff --git a/test/keys/sw_key_p.pub b/test/keys/sw_key_p.pub
new file mode 100644
index 0000000..8d404c9
--- /dev/null
+++ b/test/keys/sw_key_p.pub
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA/FujTOp1X7GKbO+ZKNYHzayTvV6m
+1gLlLshQPzvEubT8FT/mrRqXODxPrkxCNuLe5pGC2pGYZxpZkKY6+H45Bb4AGQ8I
+XEPoVps12BAaG2CD4CLSYvvBr8QRwWb0FqqVVkX1PZ0jsS0442d4t3bwZ0KQp8eH
+KU7SCT8xbhPpF6sSw50=
+-----END PUBLIC KEY-----