Working with ASIC-E containers
eID Easy offers two libraries that provide tools for working with .asice containers:
- PHP: https://github.com/eideasy/eideasy-php/blob/master/src/Signatures/Asice.php
- Client side javascript: https://eideasy-browser-js.docs.eideasy.com/
If you wish to implement your own .asice handling functionality, then proceed to the next sections of this guide.
Terms
XAdES (XML Advanced Electronic Signatures)
eIDAS compliant flexible digital signature format in XML. Specifies the signed files (either by reference or by including the full file contents in XML) and the corresponding signees. A timestamp and an OCSP might also be included. More info here https://en.wikipedia.org/wiki/XAdES
ASIC-E (.asice, .scs, .bdoc, .adoc, .edoc, .ddoc)
An extremely useful digital signature packaging format that allows to add all the signed files and XAdES digital signatures together into one single digital signature container. You can read more about the ASIC-E format here: https://en.wikipedia.org/wiki/Associated_Signature_Containers
The main advantage of .asice digital signatures over digitally signed PDF-s (CAdES, PAdES, PKCS7) is that you can sign any file format and many files at once.
The flexibility of ASIC-E and XAdES is a double-edged blade though - there's huge variety of different implementations. For example, even in the three small Baltic countries there are already more than 4 slightly different ASIC formats in use:
- the Estonian .bdoc and .ddoc
- the Latvian .edoc
- the Lithuanian .adoc
Inspecting an ASIC-E container
You can use DigiDoc4 app to open and inspect .asice files. If DigiDoc4 shows the signatures as valid then you can be sure that any EU government institution will also accept this .asice container and signatures.
You can get DigiDoc4 from the following sources:
- All platforms: https://www.id.ee/en/article/install-id-software/
- Microsoft Windows: https://www.microsoft.com/en-us/p/digidoc4-client/9pfpfk4dj1s6
- iOS and Android: https://www.id.ee/en/article/ria-digidoc-mobile-application/
Creating a signed .asice container
.asice containers are pretty much just plain old ZIP files albeit with a specific structure and contents. The common file structure of an .asice container looks like this:
mimetype
META-INF
|── manifest.xml
└── signatures0.xml
small.pdf
test.txt
- file "mimetype" – Should be first entry in the ZIP and its content should be "application/vnd.etsi.asic-e+zip". Should be the first entry in the .asice digital signature container.
- folder "META-INF" – This folder contains XAdES digital signatures
- file "META-INF/manifest.xml" – This file contains the list of signed files
- files "META-INF/signaturesXXX.xml" – This file represents a XAdES digital signature. Prefix must be "signatures" and XXX in this case is the unique signature ID. For example signatures0.xml or signaturesid-120675d44e5cd16c3009517417dd24e4.xml
- The files referenced by manifest.xml in the root folder (in this example small.pdf and test.txt).
Now all you need to do is to put all of these files into one folder, zip it together and change the file extension to .asice like this: my-signed-container.asice.
You can take a look at these code bases for inspiration:
- https://github.com/eideasy/eideasy-php/blob/master/src/Signatures/Asice.php
- https://github.com/eideasy/eideasy-browser-js/tree/master/src
For reference a sample signed .asice container can be downloaded from here.
If DigiDoc4 app throws an error similar to this: "An error occurred while opening the document. ASiContainer.cpp:312 Failed to read mimetype". Then the mimetype is probably not the first entry in the zip file. Try some other ZIP client that might allow you to rearrange files inside the zip file or create the ZIP programmatically.
Examples
META-INF/manifest.xml
Assuming we are signing 2 files, test.txt and small.pdf, the manifest.xml will look like this:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.etsi.asic-e+zip"/>
<manifest:file-entry manifest:full-path="test.txt" manifest:media-type="text/plain"/>
<manifest:file-entry manifest:full-path="small.pdf" manifest:media-type="application/pdf"/>
</manifest:manifest>
META-INF/signaturesXXX.xml
Your META-INF/signaturesXXX.xml might look something like this:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1#">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="id-120675d44e5cd16c3009517417dd24e4">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference Id="r-id-120675d44e5cd16c3009517417dd24e4-1" URI="test.txt">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>GJShnIW6FTrL90OsTkP8AEyJFgSyb4xp4eg+oq/HxI8=</ds:DigestValue>
</ds:Reference>
<ds:Reference Id="r-id-120675d44e5cd16c3009517417dd24e4-2" URI="small.pdf">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>rSsPezgyGh+H1zfsH743n9KUdaytnHsBqqC6D8rjlLk=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
URI="#xades-id-120675d44e5cd16c3009517417dd24e4">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>b5yDRdMcGySK2ldJNeid/9NcFTlgRT39D2bnIgjHjK8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="value-id-120675d44e5cd16c3009517417dd24e4">
vR6ryvzNadabxX73Svoq+tv3h1DYJpk+JWBXeYAJyjWPNaEOOAda9aW06em3NNatqRGctOGnjMIbRE15N2KV274zaoURZNanqzIHXPct+OIKbbydopwKAuElVshIPPvR
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFwDCCA6igAwIBAgIQOMm/0JR7zi1aArcEgjE3PTANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMMDkVTVEVJRC1TSyAyMDE1MB4XDTE3MTEwODA3NDkyNFoXDTIyMTAxMjIwNTk1OVowgZIxCzAJBgNVBAYTAkVFMQ8wDQYDVQQKDAZFU1RFSUQxGjAYBgNVBAsMEWRpZ2l0YWwgc2lnbmF0dXJlMSAwHgYDVQQDDBdQQUxBLE1BUkdVUywzODExMjA4NjAyNzENMAsGA1UEBAwEUEFMQTEPMA0GA1UEKgwGTUFSR1VTMRQwEgYDVQQFEwszODExMjA4NjAyNzB2MBAGByqGSM49AgEGBSuBBAAiA2IABCTuoJqEhmBs+VgHmY4IBMHgzzDWRwePn4L7icr8/9OJaVpW76AsmlEsq2cya49XsiYCy8GTtoek+/Yd/3W8yqlAdwEvLeOJHBFwIOcm408/QfgQlBF7WQpg0bTpymsIKKOCAewwggHoMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgZAMFQGA1UdIARNMEswPgYJKwYBBAHOHwEBMDEwLwYIKwYBBQUHAgEWI2h0dHBzOi8vd3d3LnNrLmVlL3JlcG9zaXRvb3JpdW0vQ1BTMAkGBwQAi+xAAQIwHQYDVR0OBBYEFFA+4NEGEp+075jA1gabUPt0yHAPMIGKBggrBgEFBQcBAwR+MHwwCAYGBACORgEBMAgGBgQAjkYBBDBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMBMGBgQAjkYBBjAJBgcEAI5GAQYBMB8GA1UdIwQYMBaAFLOriLyZ1WKkhSoIzbQdcjuDckdRMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYbaHR0cDovL2FpYS5zay5lZS9lc3RlaWQyMDE1MDEGCCsGAQUFBzAChiVodHRwOi8vYy5zay5lZS9FU1RFSUQtU0tfMjAxNS5kZXIuY3J0MDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly93d3cuc2suZWUvY3Jscy9lc3RlaWQvZXN0ZWlkMjAxNS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAsPR6S9fyeZ9T8mCpidsx7tIhjRwZ+rkJnB849B2J+tv59yxSA98xV+/cgNnJXTfMmfHuzxdwlifTbWqcSvHsGqMs6BjPX5c4MJlJS+z47HffRpKI1wthctyAlHKIzG+hA2CTlHZBwQ00v4bdjhBFrEam5gAgkjnw3E5iqwLNwxWanqvm/pHyYKDTsCCuag4TgeMDUvkMS3ZeYBbJUAcFg7UXk1nInDR1tZ8E1dAvVScYYkieTiOXNNG61znhP8TF1IQieq0+oP6c6MAsFGYgXJXIef0vx1bYuV9gr416aoQ4IHoFZvYXdM2FwLRkA7gg+d4lcTG7XM9hBUf3a8rwF26WTbY7pnEvLd5oi8m3fzjdvdgwhCYRstXKSPSCUbCB8EnQWoYDWcrycioRCv071HUjey2a2qMmki3e5In7W/ezCBnBV/38Hx8N4zJIt7UlOUs9RsQd28OL+xrB7ufZ+qQxFFKU+9ozT8W1EDBD0cXA+GS6B06Lb4NVN/0kcqw12rAMgglWN+ZDKU2tXdQlkCTbkMdt794zf0CNqW0DbYJoPXfOgxX13A7bNHmB9WgbCcDEginZi4j56I0zr7gkZ/Qzw5/rv5mxcYBZcuPtGeYPbCgE7LJKffYnUS667XLKxMZg4eJyG5jAOlpm4gvLw1bOeEQk477uarpTtTfkfg
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"
Target="#id-120675d44e5cd16c3009517417dd24e4">
<xades:SignedProperties Id="xades-id-120675d44e5cd16c3009517417dd24e4">
<xades:SignedSignatureProperties>
<xades:SigningTime>2020-12-28T15:23:49Z</xades:SigningTime>
<xades:SigningCertificateV2>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ds:DigestValue>
eqGnRs8YAtlVft1jCPcMio22fVFnVK8dzwyXLpt4AzT12NvdyDwaLozW97HZ+sA/wvPrTLwloFtaoOWYqS63AA==
</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerialV2>
MHswZ6RlMGMxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEXMBUGA1UEAwwORVNURUlELVNLIDIwMTUCEDjJv9CUe84tWgK3BIIxNz0=
</xades:IssuerSerialV2>
</xades:Cert>
</xades:SigningCertificateV2>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#r-id-120675d44e5cd16c3009517417dd24e4-1">
<xades:MimeType>text/plain</xades:MimeType>
</xades:DataObjectFormat>
<xades:DataObjectFormat ObjectReference="#r-id-120675d44e5cd16c3009517417dd24e4-2">
<xades:MimeType>application/pdf</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
<xades:UnsignedProperties>
<xades:UnsignedSignatureProperties>
<xades:SignatureTimeStamp Id="TS-751d0b8f-ea0b-47c6-afcb-0ca82a1f7bc6">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<xades:EncapsulatedTimeStamp Id="ETS-751d0b8f-ea0b-47c6-afcb-0ca82a1f7bc6">
MIIIRgYJKoZIhvcNAQcCoIIINzCCCDMCAQMxDzANBglghkgBZQMEAgMFADCB9AYLKoZIhvcNAQkQAQSggeQEgeEwgd4CAQEGBgQAj2cBATAxMA0GCWCGSAFlAwQCAQUABCBTDZW6hmZGrTfA2PSxKBNk+xzYGutnvrhJAaP+eAyhSwIIea1bXI6X7VQYDzIwMjAxMjI4MTUyMzU2WjADAgEBoH6kfDB6MScwJQYDVQQDDB5TSyBUSU1FU1RBTVBJTkcgQVVUSE9SSVRZIDIwMjAxFzAVBgNVBGEMDk5UUkVFLTEwNzQ3MDEzMQwwCgYDVQQLDANUU0ExGzAZBgNVBAoMElNLIElEIFNvbHV0aW9ucyBBUzELMAkGA1UEBhMCRUWgggQaMIIEFjCCAv6gAwIBAgIQYjZ9dFrZQ6tdpFC5Xj/6bjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMB4XDTE5MTIzMTIyMDAwMFoXDTI0MTIzMTIyMDAwMFowejEnMCUGA1UEAwweU0sgVElNRVNUQU1QSU5HIEFVVEhPUklUWSAyMDIwMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEMMAoGA1UECwwDVFNBMRswGQYDVQQKDBJTSyBJRCBTb2x1dGlvbnMgQVMxCzAJBgNVBAYTAkVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxdOHoO/xEAXVYd6m64QhKHoNZhT5L+wEkO59DH4K8lW1r//kEJusfY60zDY8o9s96HYACcQOR9Yltg3T3neqRZJ5GEPt5uFzCWzuSdyxIWMacxu/sSYaln4bqbCd97ML4qVdvwPGLNGRu8Utuy0JyhyuoBICHUcgyw1O2ATlc+95zdhGvKq15gazGXTpVUYgLpInkChp1ojZCv/WFdKN3dNGB5tqn3xsdfUfGDWxe4gLFFLeXjxo0pT2Y+5hJF1+r+PllZRnu1LKXEcrHxeyyZ+KL6wSLUyvfxZ++5hd0wR1pCnVgZ+hfYaGZ+YGRJXtiIA8DFqeKZ6qAhA8a6v99QIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAdBgNVHQ4EFgQUqD4KKP6RKqGdYfXNlT35pc1GkjEwHwYDVR0jBBgwFoAUEvJaPupWHL/NBqzx8SXJqUvUFJkwLwYIKwYBBQUHAQEEIzAhMB8GCCsGAQUFBzABhhNodHRwOi8vYWlhLnNrLmVlL0NBMA0GCSqGSIb3DQEBCwUAA4IBAQAJ06Qp/kiOhcNbEsDUVGfLuVycKjEbrGGMWnAj18S08aWx7ijXtDD9mY5CxtRUl9IbjB/eyl/Rt8RDVURtIioiNckkxC/bOHxiCj2WNCvRxo8GT/qn4M1vV/Sy8vwx/ZlYsZrlRnuo7/dqPsQyxIgRGbUp12bVKO4KQb4DNOcA6KDwcPd2zv4nBT/4XW7qD07spW9LPVKEvsOU1MV1tznjD0lC5ZL67FdB8kKEJCbbNfqVLVBOYjBopct5qzTLLPB5LTmV8I281XzTEqeFxbFy+wo7VOT6K36OYSd+9CnPn2M/l6VfrSCi3OvaWcq+lggGR1kQzDsS4lN1JoyZqd39MYIDBjCCAwICAQEwgYkwdTELMAkGA1UEBhMCRUUxIjAgBgNVBAoMGUFTIFNlcnRpZml0c2VlcmltaXNrZXNrdXMxKDAmBgNVBAMMH0VFIENlcnRpZmljYXRpb24gQ2VudHJlIFJvb3QgQ0ExGDAWBgkqhkiG9w0BCQEWCXBraUBzay5lZQIQYjZ9dFrZQ6tdpFC5Xj/6bjANBglghkgBZQMEAgMFAKCCAU0wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yMDEyMjgxNTIzNTZaME8GCSqGSIb3DQEJBDFCBECzIzbtcKwdrvZfIWa/7dhcnvAjYXOXTLrSW+rLb8zCYCyX22v91DvaUNIYt9ogscePPFH8DX52CWYjnPiKfeesMIG/BgsqhkiG9w0BCRACDDGBrzCBrDCBqTCBpgQUHLMJmQCz8y/M0+v/p7XW5B0BxdUwgY0weaR3MHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBSb290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUCEGI2fXRa2UOrXaRQuV4/+m4wDQYJKoZIhvcNAQENBQAEggEAlaJkoii6TffPsqsjCFlpKN9pkSi4URsYbMNx9ZmO79oJhBJx6CrOejwO+QNC400tWtsPNfRoAnPHsr29KuNBVg2T5NO45AUmiD6BhjacBPe6lY1v8n3NdwsLYUaXa687SO7dS+9GawZShnG3tc32sqkQzDa2891zljVOgEkomig3RL0Mwm74ugwd0ctt3eV5kcQ7wDLca733V2tyEnTCuBOsb/cXVekCOdj8bD/DmLScnLPbNWJCYYz2ZB81qXXdvr8SNiWP10rXIxV374x1sV3UKyUQ4j0aBsrQjO/YIBbjGm/n4laJYD4LDfWWKEJjTumIcgm4YmFnLXB8Qusvbg==
</xades:EncapsulatedTimeStamp>
</xades:SignatureTimeStamp>
<xades:CertificateValues>
<xades:EncapsulatedX509Certificate>
MIIEFjCCAv6gAwIBAgIQYjZ9dFrZQ6tdpFC5Xj/6bjANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMB4XDTE5MTIzMTIyMDAwMFoXDTI0MTIzMTIyMDAwMFowejEnMCUGA1UEAwweU0sgVElNRVNUQU1QSU5HIEFVVEhPUklUWSAyMDIwMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEMMAoGA1UECwwDVFNBMRswGQYDVQQKDBJTSyBJRCBTb2x1dGlvbnMgQVMxCzAJBgNVBAYTAkVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxdOHoO/xEAXVYd6m64QhKHoNZhT5L+wEkO59DH4K8lW1r//kEJusfY60zDY8o9s96HYACcQOR9Yltg3T3neqRZJ5GEPt5uFzCWzuSdyxIWMacxu/sSYaln4bqbCd97ML4qVdvwPGLNGRu8Utuy0JyhyuoBICHUcgyw1O2ATlc+95zdhGvKq15gazGXTpVUYgLpInkChp1ojZCv/WFdKN3dNGB5tqn3xsdfUfGDWxe4gLFFLeXjxo0pT2Y+5hJF1+r+PllZRnu1LKXEcrHxeyyZ+KL6wSLUyvfxZ++5hd0wR1pCnVgZ+hfYaGZ+YGRJXtiIA8DFqeKZ6qAhA8a6v99QIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIGwDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAdBgNVHQ4EFgQUqD4KKP6RKqGdYfXNlT35pc1GkjEwHwYDVR0jBBgwFoAUEvJaPupWHL/NBqzx8SXJqUvUFJkwLwYIKwYBBQUHAQEEIzAhMB8GCCsGAQUFBzABhhNodHRwOi8vYWlhLnNrLmVlL0NBMA0GCSqGSIb3DQEBCwUAA4IBAQAJ06Qp/kiOhcNbEsDUVGfLuVycKjEbrGGMWnAj18S08aWx7ijXtDD9mY5CxtRUl9IbjB/eyl/Rt8RDVURtIioiNckkxC/bOHxiCj2WNCvRxo8GT/qn4M1vV/Sy8vwx/ZlYsZrlRnuo7/dqPsQyxIgRGbUp12bVKO4KQb4DNOcA6KDwcPd2zv4nBT/4XW7qD07spW9LPVKEvsOU1MV1tznjD0lC5ZL67FdB8kKEJCbbNfqVLVBOYjBopct5qzTLLPB5LTmV8I281XzTEqeFxbFy+wo7VOT6K36OYSd+9CnPn2M/l6VfrSCi3OvaWcq+lggGR1kQzDsS4lN1JoyZqd39
</xades:EncapsulatedX509Certificate>
<xades:EncapsulatedX509Certificate>
MIIGcDCCBVigAwIBAgIQRUgJC4ec7yFWcqzT3mwbWzANBgkqhkiG9w0BAQwFADB1MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCAXDTE1MTIxNzEyMzg0M1oYDzIwMzAxMjE3MjM1OTU5WjBjMQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMMDkVTVEVJRC1TSyAyMDE1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oH61NDxbdW9k8nLA1qGaL4B7vydod2Ewp/STBZB3wEtIJCLdkpEsS8pXfFiRqwDVsgGGbu+Q99trlb5LI7yi7rIkRov5NftBdSNPSU5rAhYPQhvZZQgOwRaHa5Ey+BaLJHmLqYQS9hQvQsCYyws+xVvNFUpK0pGD64iycqdMuBl/nWq3fLuZppwBh0VFltm4nhr/1S0R9TRJpqFUGbGr4OK/DwebQ5PjhdS40gCUNwmC7fPQ4vIH+x+TCk2aG+u3MoAz0IrpVWqiwzG/vxreuPPAkgXeFCeYf6fXLsGz4WivsZFbph2pMjELu6sltlBXfAG3fGv43t91VXicyzR/eT5dsB+zFsW1sHV+1ONPr+qzgDxCH2cmuqoZNfIIq+buob3eA8ee+XpJKJQr+1qGrmhggjvAhc7m6cU4x/QfxwRYhIVNhJf+sKVThkQhbJ9XxuKk3c18wymwL1mpDD0PIGJqlssMeiuJ4IzagFbgESGNDUd4icm0hQT8CmQeUm1GbWeBYseqPhMQX97QFBLXJLVy2SCyoAz7Bq1qA43++EcibN+yBc1nQs2Zoq8ck9MK0bCxDMeUkQUz6VeQGp69ImOQrsw46qTz0mtdQrMSbnkXCuLan5dPm284J9HmaqiYi6j6KLcZ2NkUnDQFesBVlMEm+fHa2iR6lnAFYZ06UECAwEAAaOCAgowggIGMB8GA1UdIwQYMBaAFBLyWj7qVhy/zQas8fElyalL1BSZMB0GA1UdDgQWBBSzq4i8mdVipIUqCM20HXI7g3JHUTAOBgNVHQ8BAf8EBAMCAQYwdwYDVR0gBHAwbjAIBgYEAI96AQIwCQYHBACL7EABAjAwBgkrBgEEAc4fAQEwIzAhBggrBgEFBQcCARYVaHR0cHM6Ly93d3cuc2suZWUvQ1BTMAsGCSsGAQQBzh8BAjALBgkrBgEEAc4fAQMwCwYJKwYBBAHOHwEEMBIGA1UdEwEB/wQIMAYBAf8CAQAwQQYDVR0eBDowOKE2MASCAiIiMAqHCAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCcGA1UdJQQgMB4GCCsGAQUFBwMJBggrBgEFBQcDAgYIKwYBBQUHAwQwfAYIKwYBBQUHAQEEcDBuMCAGCCsGAQUFBzABhhRodHRwOi8vb2NzcC5zay5lZS9DQTBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5zay5lZS9jZXJ0cy9FRV9DZXJ0aWZpY2F0aW9uX0NlbnRyZV9Sb290X0NBLmRlci5jcnQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL3d3dy5zay5lZS9yZXBvc2l0b3J5L2NybHMvZWVjY3JjYS5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHRWDGI3P00r2sOnlvLHKk9eE7X93eT+4e5TeaQsOpE5zQRUTtshxN8Bnx2ToQ9rgi18q+MwXm2f0mrGakYYG0bix7ZgDQvCMD/kuRYmwLGdfsTXwh8KuL6uSHF+U/ZTss6qG7mxCHG9YvebkN5Yj/rYRvZ9/uJ9rieByxw4wo7b19p22PXkAkXP5y3+qK/Oet98lqwI97kJhiS2zxFYRk+dXbazmoVHnozYKmsZaSUvoYNNH19tpS7BLdsgi9KpbvQLb5ywIMq9ut3+b2Xvzq8yzmHMFtLIJ6Afu1jJpqD82BUAFcvi5vhnP8M7b974R18WCOpgNQvXDI+2/8ZINeU=
</xades:EncapsulatedX509Certificate>
<xades:EncapsulatedX509Certificate>
MIIFPTCCAyWgAwIBAgIQDBSj4ibugKJfkf0PJv5snDANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxFzAVBgNVBAMMDkVTVEVJRC1TSyAyMDE1MB4XDTIwMTEzMDIxMDAwMFoXDTIxMDEwNDIxMDAwMFowdjExMC8GA1UEAwwoRVNURUlELVNLIDIwMTUgQUlBIE9DU1AgUkVTUE9OREVSIDIwMjAxMjEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxGzAZBgNVBAoMElNLIElEIFNvbHV0aW9ucyBBUzELMAkGA1UEBhMCRUUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChLU5fu/KXBsqG2Cmm0aD65mh5THRt8zpPahMXHq/imRdqeYcZH6PWoUqZrTlVOq1IAL2fDmqufAp5A08DT9mw/dYOEMafjqLZ8R3CZw5jSEDFJBaqtAg2Ne4mAXlc8EnojsofrOuxISD0oItNrbTVE3LFnfGPsNm0TxJPSt6Z6m+7UecX6h9S3tBL52DlPD8AKtm7llBUklhnARC6sc7edz6B5qtCze1MywzQj1Ghm5UpvDyz+V7N/LkqbRqvngygIz0+xksU2pzsC7eT+bNf0F2KxVkdUTh0YWp2wEKO3XbCqd/2ZrK0Xk7xQiZ60pcQQuVyCmTKnkw40lECAaTTAgMBAAGjgdkwgdYwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMB0GA1UdDgQWBBRH2UG6rBrCTTuv27rwSOc3Alc8PjAfBgNVHSMEGDAWgBSzq4i8mdVipIUqCM20HXI7g3JHUTBNBggrBgEFBQcBAQRBMD8wPQYIKwYBBQUHMAKGMWh0dHBzOi8vc2suZWUvdXBsb2FkL2ZpbGVzL0VTVEVJRC1TS18yMDE1LmRlci5jcnQwDAYDVR0TAQH/BAIwADAPBgkrBgEFBQcwAQUEAgUAMA0GCSqGSIb3DQEBCwUAA4ICAQA8K94P2I900VVBtDySl8FvqWzAnzZYBa3ZRavucbcKz9igK0tevGqf7ApGGFOofz9UPiRajtFWXs1wfu1TbUVH1P1aZTO4Y701WGoz5QCzDsukYm8ybBuAL1AdyI6aKzSbZ6g2qDTxQfsR/9d9FpyJsy8vN+C0dztyLudDuHHMbTnK9QxERbeLgUKblC8BRSVNc7NU37JanGpbtr2+kvG8Y1nRdB9R3KC/PSun+DzyxseE5Un0tExDRge0AaiWb7bjD4khhGXYF9z7Eu913k5BobtJEwd449Dsa+edTyOVHVS5aQvobkaywTPO+1kl6TppE9WM5BMkwSVqQCQO/h1XRMYQhwsAAT6tPiK6tCQR889U7XBictq1PkigxWmFWAZ28bPkDDZLBzidAYvRHC9grdhRgTM88fQ9zYrv6JJuAYBjScbr2xn8nc6W7+/S5hj8nim5cl1HrDWrI9GF+CCvOJdER3QhDdIYlEs6F0+sG+SIDRsQcHyXN4I7fzWb+eVs8Bxl9oWub7kq5OX144AhCA3/IyjYAyZL90gx7e4vsgelS6BH3X+a+0Eimq0u519RiJSHMK5JLY+45icqg8ij4NCNh26/zHoQpMnA0Q4sSY1QG5LWn+lNnTpaHZbz89Ay7WIIn0t5yVKLp/QMrrRd8y9YsnBG61hRMp/KFiLs+Q==
</xades:EncapsulatedX509Certificate>
<xades:EncapsulatedX509Certificate>
MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEyMTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBSb290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUyeuuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvObntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIwWFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/dMtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEFBQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGVv9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQGE5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5uuSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIWiAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/vGVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
</xades:EncapsulatedX509Certificate>
</xades:CertificateValues>
<xades:RevocationValues>
<xades:OCSPValues>
<xades:EncapsulatedOCSPValue>
MIIHlgoBAKCCB48wggeLBgkrBgEFBQcwAQEEggd8MIIHeDCCAReheDB2MTEwLwYDVQQDDChFU1RFSUQtU0sgMjAxNSBBSUEgT0NTUCBSRVNQT05ERVIgMjAyMDEyMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMQswCQYDVQQGEwJFRRgPMjAyMDEyMjgxNTIzNThaMIGFMIGCMEkwCQYFKw4DAhoFAAQU/ycPpUs92lD7/iLb2ohCQQ7zE+4EFLOriLyZ1WKkhSoIzbQdcjuDckdRAhA4yb/QlHvOLVoCtwSCMTc9gAAYDzIwMjAxMjI4MTUyMzU4WqEiMCAwHgYJKwYBBQUHMAEGBBEYDzIwMTUxMjE3MTIzODQzWqECMAAwDQYJKoZIhvcNAQELBQADggEBAHDwPukBrxWXHXbGsRAfZlvqjN9ctrUlEQOTxISwSvpYJlhxPOQySeqMeB3ZLaa6Q2g6vjYYznPFUQMsPdiVRQ4GDEH6RPk4L7ZLoMygRdAJJR4J+seItjIrmw8lUjc6kcE817G/+TU3iNyk4U8TUeDLsa1kgiZF4xigW76tjyg85JdUXqTOvuXkuTduWLeAsFWxv496DeVTDLutblzmidn99TrR+7Bitw1cz0Os4ItsdD06WuETa5XRk51KsD1e1fcL96NExsIq8g415KtdPT68l97AGOtBMht8KtxU9zBhOJRfLzbEzl953mRsGrfIQbl8STtlqXSORTtwplkq3KmgggVFMIIFQTCCBT0wggMloAMCAQICEAwUo+Im7oCiX5H9Dyb+bJwwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCRUUxIjAgBgNVBAoMGUFTIFNlcnRpZml0c2VlcmltaXNrZXNrdXMxFzAVBgNVBGEMDk5UUkVFLTEwNzQ3MDEzMRcwFQYDVQQDDA5FU1RFSUQtU0sgMjAxNTAeFw0yMDExMzAyMTAwMDBaFw0yMTAxMDQyMTAwMDBaMHYxMTAvBgNVBAMMKEVTVEVJRC1TSyAyMDE1IEFJQSBPQ1NQIFJFU1BPTkRFUiAyMDIwMTIxFzAVBgNVBGEMDk5UUkVFLTEwNzQ3MDEzMRswGQYDVQQKDBJTSyBJRCBTb2x1dGlvbnMgQVMxCzAJBgNVBAYTAkVFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoS1OX7vylwbKhtgpptGg+uZoeUx0bfM6T2oTFx6v4pkXanmHGR+j1qFKma05VTqtSAC9nw5qrnwKeQNPA0/ZsP3WDhDGn46i2fEdwmcOY0hAxSQWqrQINjXuJgF5XPBJ6I7KH6zrsSEg9KCLTa201RNyxZ3xj7DZtE8ST0remepvu1HnF+ofUt7QS+dg5Tw/ACrZu5ZQVJJYZwEQurHO3nc+gearQs3tTMsM0I9RoZuVKbw8s/lezfy5Km0ar54MoCM9PsZLFNqc7Au3k/mzX9BdisVZHVE4dGFqdsBCjt12wqnf9maytF5O8UImetKXEELlcgpkyp5MONJRAgGk0wIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAdBgNVHQ4EFgQUR9lBuqwawk07r9u68EjnNwJXPD4wHwYDVR0jBBgwFoAUs6uIvJnVYqSFKgjNtB1yO4NyR1EwTQYIKwYBBQUHAQEEQTA/MD0GCCsGAQUFBzAChjFodHRwczovL3NrLmVlL3VwbG9hZC9maWxlcy9FU1RFSUQtU0tfMjAxNS5kZXIuY3J0MAwGA1UdEwEB/wQCMAAwDwYJKwYBBQUHMAEFBAIFADANBgkqhkiG9w0BAQsFAAOCAgEAPCveD9iPdNFVQbQ8kpfBb6lswJ82WAWt2UWr7nG3Cs/YoCtLXrxqn+wKRhhTqH8/VD4kWo7RVl7NcH7tU21FR9T9WmUzuGO9NVhqM+UAsw7LpGJvMmwbgC9QHciOmis0m2eoNqg08UH7Ef/XfRacibMvLzfgtHc7ci7nQ7hxzG05yvUMREW3i4FCm5QvAUUlTXOzVN+yWpxqW7a9vpLxvGNZ0XQfUdygvz0rp/g88sbHhOVJ9LRMQ0YHtAGolm+24w+JIYRl2Bfc+xLvdd5OQaG7SRMHeOPQ7GvnnU8jlR1UuWkL6G5GssEzzvtZJek6aRPVjOQTJMElakAkDv4dV0TGEIcLAAE+rT4iurQkEfPPVO1wYnLatT5IoMVphVgGdvGz5Aw2Swc4nQGL0RwvYK3YUYEzPPH0Pc2K7+iSbgGAY0nG69sZ/J3Olu/v0uYY/J4puXJdR6w1qyPRhfggrziXREd0IQ3SGJRLOhdPrBvkiA0bEHB8lzeCO381m/nlbPAcZfaFrm+5KuTl9eOAIQgN/yMo2AMmS/dIMe3uL7IHpUugR91/mvtBIpqtLudfUYiUhzCuSS2PuOYnKoPIo+DQjYduv8x6EKTJwNEOLEmNUBuS1p/pTZ06Wh2W8/PQMu1iCJ9LeclSi6f0DK60XfMvWLJwRutYUTKfyhYi7Pk=
</xades:EncapsulatedOCSPValue>
</xades:OCSPValues>
</xades:RevocationValues>
</xades:UnsignedSignatureProperties>
</xades:UnsignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
</asic:XAdESSignatures>