diff --git a/.gitlab/auto-deploy-values.yaml b/.gitlab/auto-deploy-values.yaml index 4a2d21e..34c354f 100644 --- a/.gitlab/auto-deploy-values.yaml +++ b/.gitlab/auto-deploy-values.yaml @@ -29,3 +29,10 @@ persistence: accessMode: ReadWriteMany size: 1Gi storageClass: nfs-client + - name: autogram-server-well-known + mount: + path: /app/public/.well-known + claim: + accessMode: ReadWriteMany + size: 1Mi + storageClass: nfs-client diff --git a/Gemfile b/Gemfile index 61874a1..9397205 100644 --- a/Gemfile +++ b/Gemfile @@ -39,6 +39,8 @@ gem "rack-cors" gem "faraday" gem "base64" +gem "jwt" +gem "fcm" group :development, :test do # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem @@ -51,3 +53,4 @@ group :development do # gem "spring" end +gem "good_job", "~> 3.28" diff --git a/Gemfile.lock b/Gemfile.lock index 9482519..d26e50b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -75,6 +75,8 @@ GEM minitest (>= 5.1) mutex_m tzinfo (~> 2.0) + addressable (2.8.6) + public_suffix (>= 2.0.2, < 6.0) base64 (0.2.0) bigdecimal (3.1.6) bootsnap (1.18.3) @@ -94,12 +96,36 @@ GEM drb (2.2.0) ruby2_keywords erubi (1.12.0) + et-orbi (1.2.11) + tzinfo faraday (2.9.0) faraday-net_http (>= 2.0, < 3.2) faraday-net_http (3.1.0) net-http + fcm (1.0.8) + faraday (>= 1.0.0, < 3.0) + googleauth (~> 1) + fugit (1.10.1) + et-orbi (~> 1, >= 1.2.7) + raabro (~> 1.4) globalid (1.2.1) activesupport (>= 6.1) + good_job (3.28.0) + activejob (>= 6.0.0) + activerecord (>= 6.0.0) + concurrent-ruby (>= 1.0.2) + fugit (>= 1.1) + railties (>= 6.0.0) + thor (>= 0.14.1) + google-cloud-env (2.1.1) + faraday (>= 1.0, < 3.a) + googleauth (1.11.0) + faraday (>= 1.0, < 3.a) + google-cloud-env (~> 2.1) + jwt (>= 1.4, < 3.0) + multi_json (~> 1.11) + os (>= 0.9, < 2.0) + signet (>= 0.16, < 2.a) i18n (1.14.1) concurrent-ruby (~> 1.0) io-console (0.7.2) @@ -109,6 +135,8 @@ GEM jbuilder (2.11.5) actionview (>= 5.0.0) activesupport (>= 5.0.0) + jwt (2.8.1) + base64 loofah (2.22.0) crass (~> 1.0.2) nokogiri (>= 1.12.0) @@ -119,8 +147,10 @@ GEM net-smtp marcel (1.0.2) mini_mime (1.1.5) + mini_portile2 (2.8.5) minitest (5.22.2) msgpack (1.7.2) + multi_json (1.15.0) mutex_m (0.2.0) net-http (0.4.1) uri @@ -134,6 +164,9 @@ GEM net-smtp (0.4.0.1) net-protocol nio4r (2.7.0) + nokogiri (1.16.2) + mini_portile2 (~> 2.8.2) + racc (~> 1.4) nokogiri (1.16.2-aarch64-linux) racc (~> 1.4) nokogiri (1.16.2-arm-linux) @@ -146,11 +179,14 @@ GEM racc (~> 1.4) nokogiri (1.16.2-x86_64-linux) racc (~> 1.4) + os (1.1.4) pg (1.5.5) psych (5.1.2) stringio + public_suffix (5.0.5) puma (6.4.2) nio4r (~> 2.0) + raabro (1.4.0) racc (1.7.3) rack (3.0.9.1) rack-cors (2.0.1) @@ -197,6 +233,11 @@ GEM reline (0.4.3) io-console (~> 0.5) ruby2_keywords (0.0.5) + signet (0.19.0) + addressable (~> 2.8) + faraday (>= 0.17.5, < 3.a) + jwt (>= 1.5, < 3.0) + multi_json (~> 1.10) stringio (3.1.0) thor (1.3.0) timeout (0.4.1) @@ -213,6 +254,7 @@ PLATFORMS aarch64-linux arm-linux arm64-darwin + ruby x86-linux x86_64-darwin x86_64-linux @@ -223,7 +265,10 @@ DEPENDENCIES debug (>= 1.6.2) dotenv-rails faraday + fcm + good_job (~> 3.28) jbuilder + jwt pg puma (>= 5.0) rack-cors diff --git a/app/controllers/api/v1/device_integrations_controller.rb b/app/controllers/api/v1/device_integrations_controller.rb new file mode 100644 index 0000000..c118ce3 --- /dev/null +++ b/app/controllers/api/v1/device_integrations_controller.rb @@ -0,0 +1,25 @@ +class Api::V1::DeviceIntegrationsController < ApiController + before_action :set_device + + def create + integration = ApiEnvironment.integration_token_authenticator.verify_token(params.require(:integration_pairing_token), expected_aud: 'device', max_exp_in: 24.hours) + @device.integrations << integration + + head 204 + end + + def index + @integrations = @device.integrations + end + + def destroy + @device.integrations.delete(Integration.find(params.require(:id))) + head 204 + end + + private + + def set_device + @device = ApiEnvironment.device_token_authenticator.verify_token(authenticity_token) + end +end diff --git a/app/controllers/api/v1/devices_controller.rb b/app/controllers/api/v1/devices_controller.rb new file mode 100644 index 0000000..31f2f54 --- /dev/null +++ b/app/controllers/api/v1/devices_controller.rb @@ -0,0 +1,11 @@ +class Api::V1::DevicesController < ApiController + def create + @device = Device.create!(device_params) + end + + private + + def device_params + params.permit(:display_name, :platform, :public_key, :registration_id) + end +end diff --git a/app/controllers/api/v1/documents_controller.rb b/app/controllers/api/v1/documents_controller.rb index d044d19..ca7ad93 100644 --- a/app/controllers/api/v1/documents_controller.rb +++ b/app/controllers/api/v1/documents_controller.rb @@ -1,21 +1,39 @@ class Api::V1::DocumentsController < ApplicationController - before_action :set_document, only: %i[ show datatosign sign visualization destroy ] - before_action :set_key, only: %i[ show create datatosign sign visualization ] - before_action :decrypt_document_content, only: %i[ show sign datatosign visualization destroy] + before_action :set_document, only: %i[ show datatosign sign visualization destroy parameters ] + before_action :set_key, only: %i[ create datatosign sign visualization ] + before_action :decrypt_document_content, only: %i[ sign datatosign visualization destroy] # GET /documents/1 def show - @signers = @document.signers + modified_since = request.headers.to_h['HTTP_IF_MODIFIED_SINCE'] + + response.set_header('Last-Modified', @document.last_signed_at + 1.seconds) + if modified_since && Time.zone.parse(modified_since) >= @document.last_signed_at + render json: nil, status: 304 + else + # expecting 1s polling on this operation + set_key + decrypt_document_content + + @signers = @document.signers + end end # POST /documents def create p = document_params - @document = Document.new(parameters: p[:parameters]) - @document.encrypt_file(@key, p[:document][:filename], p[:payloadMimeType], p[:document][:content]) - @document.validate_parameters(p[:document][:content]) + filename, mimetype = create_filename_and_mimetype(p[:document][:filename], p[:payload_mime_type]) + mimetype, content, parameters = Document.convert_to_b64(mimetype, p[:document][:content], p[:parameters]) - render json: @document.errors, status: :unprocessable_entity unless @document.save + @document = Document.new(parameters: parameters) + @document.encrypt_file(@key, filename, mimetype, content) + @document.validate_parameters(content, mimetype) + + unless @document.save + render json: @document.errors, status: :unprocessable_entity + else + response.set_header('Last-Modified', @document.last_signed_at + 1.seconds) + end end # POST /documents/1/visualization @@ -25,14 +43,14 @@ def visualization # POST /documents/1/datatosign def datatosign - @document.set_add_timestamp if datatosign_params[:addTimestamp] - @signing_certificate = datatosign_params.require(:signingCertificate) + @document.set_add_timestamp if datatosign_params[:add_timestamp] + @signing_certificate = datatosign_params.require(:signing_certificate) @result = @document.datatosign(@signing_certificate) end # POST /documents/1/sign def sign - @signer = @document.sign(@key, sign_params[:dataToSignStructure], sign_params[:signedData]) + @signer = @document.sign(@key, sign_params[:data_to_sign_structure], sign_params[:signed_data]) render json: @document.errors, status: :unprocessable_entity unless @signer @document = Document.find(params[:id]) @@ -44,20 +62,34 @@ def destroy @document.destroy! end + # GET /documents/1/parameters + def parameters + end + private def set_document @document = Document.find(params[:id]) end def set_key - @key = request.headers.to_h['HTTP_X_ENCRYPTION_KEY'] || params[:encryptionKey] + key_b64 = request.headers.to_h['HTTP_X_ENCRYPTION_KEY'] || params[:encryption_key] + begin + begin + # AVM app somehow sends urlsafe base64 even if its source code doesn't seem so + @key = Base64.urlsafe_decode64(key_b64) + rescue ArgumentError + @key = Base64.strict_decode64(key_b64) + end + rescue => e + raise AvmUnauthorizedError.new("ENCRYPTION_KEY_MALFORMED", "Encryption key Base64 decryption failed.", e.message) + end + raise AvmUnauthorizedError.new("ENCRYPTION_KEY_MISSING", "Encryption key not provided.", "Encryption key must be provided either in X-Encryption-Key header or as encryptionKey query parameter.") unless @key - # TODO - # raise AvmUnauthorizedError.new("ENCRYPTION_KEY_MALFORMED", "Encryption key invalid.", "Encryption key must be a 64 character long hexadecimal string.") unless validate_key(@key) + raise AvmUnauthorizedError.new("ENCRYPTION_KEY_MALFORMED", "Encryption key invalid.", "Encryption key must be a base64 string encoding 32 bytes long key.") unless validate_key(@key) end def validate_key(key) - key.length == 64 and !key[/\H/] + key.length == 32 end def decrypt_document_content @@ -68,22 +100,69 @@ def document_params params.require(:parameters) d = params.require(:document) d.require(:content) - d.require(:filename) - params.require(:payloadMimeType) - params.permit(:encryptionKey, :payloadMimeType, :key, :document => [:filename, :content], :parameters => [:level, :container]) + params.permit( + :encryption_key, + :payload_mime_type, + :document => [:filename, :content], + :parameters => [ + :checkPDFACompliance, + :autoLoadEform, + :level, + :container, + :containerXmlns, + :embedUsedSchemas, + :identifier, + :packaging, + :digestAlgorithm, + :en319132, + :infoCanonicalization, + :propertiesCanonicalization, + :keyInfoCanonicalization, + :schema, + :schemaIdentifier, + :transformation, + :transformationIdentifier, + :transformationLanguage, + :transformationMediaDestinationTypeDescription, + :transformationTargetEnvironment + ] + ) end def datatosign_params - params.permit(:encryptionKey, :id, :signingCertificate, :addTimestamp) + params.permit(:encryption_key, :id, :signing_certificate, :add_timestamp) end def sign_params - params.require(:signedData) - dts = params.require(:dataToSignStructure) + params.require(:signed_data) + dts = params.require(:data_to_sign_structure) dts.require(:dataToSign) dts.require(:signingTime) dts.require(:signingCertificate) - params.permit(:encryptionKey, :id, :signedData, :returnSignedDocument, :dataToSignStructure => [:dataToSign, :signingTime, :signingCertificate]) + params.permit(:encryption_key, :id, :signed_data, :return_signed_document, :data_to_sign_structure => [:dataToSign, :signingTime, :signingCertificate]) + end + + def create_filename_and_mimetype(filename, mimetype) + return [filename, mimetype] if filename && mimetype + + Mime::Type.register("application/vnd.etsi.asic-e+zip", "asice", [], [".sce"]) + Mime::Type.register("application/vnd.etsi.asic-s+zip", "asics", [], [".scs"]) + Mime::Type.register("application/vnd.gov.sk.xmldatacontainer+xml", "xdcf") + Mime::Type.register("application/msword", "doc") + Mime::Type.register("application/vnd.openxmlformats-officedocument.wordprocessingml.document", "docx") + Mime::Type.register("application/vnd.ms-excel", "xls") + Mime::Type.register("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "xlsx") + Mime::Type.register("application/vnd.ms-powerpoint", "ppt") + Mime::Type.register("application/vnd.openxmlformats-officedocument.presentationml.presentation", "pptx") + + unless filename + filename = 'document.' + Mime::Type.lookup(mimetype).symbol.to_s + else + mimetype = Mime::Type.lookup_by_extension(File.extname(filename).downcase.gsub('.', '')).to_s + raise AvmServiceBadRequestError.new({code: "FAILED_PARSING_MIMETYPE", message: "Could not parse mimetype", details: "Could not parse mimetype from: #{filename}"}.to_json) if mimetype.empty? + end + + [filename, mimetype] end end diff --git a/app/controllers/api/v1/integration_devices_controller.rb b/app/controllers/api/v1/integration_devices_controller.rb new file mode 100644 index 0000000..eb2789b --- /dev/null +++ b/app/controllers/api/v1/integration_devices_controller.rb @@ -0,0 +1,18 @@ +class Api::V1::IntegrationDevicesController < ApiController + before_action :set_integration + + def index + @devices = @integration.devices + end + + def destroy + @integration.devices.delete(Device.find(params.require(:id))) + render :head + end + + private + + def set_integration + @integration = ApiEnvironment.integration_token_authenticator.verify_token(authenticity_token) + end +end diff --git a/app/controllers/api/v1/integrations_controller.rb b/app/controllers/api/v1/integrations_controller.rb new file mode 100644 index 0000000..4384b2f --- /dev/null +++ b/app/controllers/api/v1/integrations_controller.rb @@ -0,0 +1,11 @@ +class Api::V1::IntegrationsController < ApiController + def create + @integration = Integration.create!(integration_params) + end + + private + + def integration_params + params.permit(:display_name, :platform, :public_key, :pushkey) + end +end diff --git a/app/controllers/api/v1/sign_requests_controller.rb b/app/controllers/api/v1/sign_requests_controller.rb new file mode 100644 index 0000000..209696c --- /dev/null +++ b/app/controllers/api/v1/sign_requests_controller.rb @@ -0,0 +1,14 @@ +class Api::V1::SignRequestsController < ApiController + before_action :set_integration + + def create + @integration.notify_devices(params.require(:document_guid), params.require(:document_encryption_key)) + render json: {}, status: 200 + end + + private + + def set_integration + @integration = ApiEnvironment.integration_token_authenticator.verify_token(authenticity_token) + end +end diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb new file mode 100644 index 0000000..d77ab0f --- /dev/null +++ b/app/controllers/api_controller.rb @@ -0,0 +1,15 @@ +class ApiController < ApplicationController + rescue_from JWT::DecodeError do |error| + if error.message == 'Nil JSON web token' + render_bad_request(RuntimeError.new(:no_credentials)) + else + render_unauthorized(error.message) + end + end + + private + + def authenticity_token + (ActionController::HttpAuthentication::Token.token_and_options(request)&.first || params[:token])&.squish.presence + end +end diff --git a/app/controllers/apple_controller.rb b/app/controllers/apple_controller.rb new file mode 100644 index 0000000..41c7f0f --- /dev/null +++ b/app/controllers/apple_controller.rb @@ -0,0 +1,20 @@ +class AppleController < ApplicationController + def apple_app_site_association + render :json => { + "applinks": { + "details": [ + { + "appIDs": [ + "44U4JSRX4Z.digital.slovensko.avm" + ], + "components": [ + { + "/": "/api/*" + } + ] + } + ] + } + } + end +end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8999038..f95109f 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,4 +1,6 @@ class ApplicationController < ActionController::API + before_action :transform_params + rescue_from ActionController::ParameterMissing do |e| render json: { code: "PARAMETER_MISSING", @@ -7,6 +9,10 @@ class ApplicationController < ActionController::API }, status: 400 end + rescue_from AvmServiceSignatureNotInTactError do |e| + render json: JSON.parse(e.message), status: 409 + end + rescue_from AvmServiceBadRequestError do |e| render json: JSON.parse(e.message), status: 422 end @@ -30,4 +36,19 @@ class ApplicationController < ActionController::API details: "Provided encryption key failed to decrypt document." }, status: 403 end + + private + + def render_bad_request(exception) + render status: :bad_request, json: { message: exception.message } + end + + def render_unauthorized(key = "credentials") + headers['WWW-Authenticate'] = 'Token realm="API"' + render status: :unauthorized, json: { message: "Unauthorized " + key } + end + + def transform_params + request.parameters.transform_keys!(&:underscore) + end end diff --git a/app/errors/avm_bad_encryption_key_error.rb b/app/errors/avm_bad_encryption_key_error.rb index 055d8aa..71fd59d 100644 --- a/app/errors/avm_bad_encryption_key_error.rb +++ b/app/errors/avm_bad_encryption_key_error.rb @@ -1,9 +1,2 @@ class AvmBadEncryptionKeyError < StandardError - def initialize(body_str) - @message = body_str - end - - def message - @message - end end diff --git a/app/errors/avm_service_signature_not_in_tact_error.rb b/app/errors/avm_service_signature_not_in_tact_error.rb new file mode 100644 index 0000000..8f9e8ce --- /dev/null +++ b/app/errors/avm_service_signature_not_in_tact_error.rb @@ -0,0 +1,9 @@ +class AvmServiceSignatureNotInTactError < StandardError + def initialize(body_str) + @message = body_str + end + + def message + @message + end +end diff --git a/app/jobs/delete_expired_documents_job.rb b/app/jobs/delete_expired_documents_job.rb new file mode 100644 index 0000000..d6939e1 --- /dev/null +++ b/app/jobs/delete_expired_documents_job.rb @@ -0,0 +1,5 @@ +class DeleteExpiredDocumentsJob < ApplicationJob + def perform + Document.where('created_at < ?', Time.now - 24.hours).destroy_all + end +end diff --git a/app/jobs/delete_expired_tokens_job.rb b/app/jobs/delete_expired_tokens_job.rb new file mode 100644 index 0000000..babf122 --- /dev/null +++ b/app/jobs/delete_expired_tokens_job.rb @@ -0,0 +1,5 @@ +class DeleteExpiredTokensJob < ApplicationJob + def perform + Token.where('expires_at < ?', Time.now).destroy_all + end +end diff --git a/app/lib/api_environment.rb b/app/lib/api_environment.rb new file mode 100644 index 0000000..562ae23 --- /dev/null +++ b/app/lib/api_environment.rb @@ -0,0 +1,21 @@ +module ApiEnvironment + extend self + + def integration_token_authenticator + @integration_token_authenticator ||= ApiTokenAuthenticator.new( + public_key_reader: -> (sub) { OpenSSL::PKey::EC.new(Integration.find(sub).public_key) }, + return_handler: -> (sub) { Integration.find(sub) } + ) + end + + def device_token_authenticator + @device_token_authenticator ||= ApiTokenAuthenticator.new( + public_key_reader: -> (sub) { OpenSSL::PKey::EC.new(Device.find(sub).public_key) }, + return_handler: -> (sub) { Device.find(sub) } + ) + end + + def fcm_notifier + @fcm_notifier ||= FcmNotifer.new + end +end diff --git a/app/lib/api_token_authenticator.rb b/app/lib/api_token_authenticator.rb new file mode 100644 index 0000000..bf3169a --- /dev/null +++ b/app/lib/api_token_authenticator.rb @@ -0,0 +1,35 @@ +# See https://tools.ietf.org/html/rfc7519 + +class ApiTokenAuthenticator + JTI_PATTERN = /\A[0-9a-z\-_]{32,256}\z/i + + def initialize(public_key_reader:, return_handler:) + @public_key_reader = public_key_reader + @return_handler = return_handler + end + + def verify_token(token, expected_aud: nil, max_exp_in: 15.minutes) + options = { + algorithm: 'ES256', + verify_jti: -> (jti) { jti =~ JTI_PATTERN }, + } + + key_finder = -> (_, payload) do + puts payload + @public_key_reader.call(payload['sub']) + rescue => e + raise e + raise JWT::InvalidSubError + end + + payload, _ = JWT.decode(token, nil, true, options, &key_finder) + sub, exp, jti, aud = payload['sub'], payload['exp'], payload['jti'], payload['aud'] + + raise JWT::ExpiredSignature unless exp.is_a?(Integer) + raise JWT::InvalidPayload, :jwt_expired if exp > (Time.now + max_exp_in).to_i + raise JWT::InvalidPayload, :invalid_aud unless aud == expected_aud + raise JWT::InvalidJtiError unless Token.write("#{sub}-#{jti}", '1', expires_in: max_exp_in, namespace: 'jti') + + @return_handler.call(sub) + end +end diff --git a/app/lib/fcm_notifier.rb b/app/lib/fcm_notifier.rb new file mode 100644 index 0000000..d8ed19a --- /dev/null +++ b/app/lib/fcm_notifier.rb @@ -0,0 +1,46 @@ +class FcmNotifier + def initialize + @fcm = FCM.new( + ENV.fetch('FIREBASE_API_TOKEN', ''), + StringIO.new(ENV.fetch('FIREBASE_CREDENTIALS')), + ENV.fetch('FIREBASE_PROJECT_ID') + ) + end + + def notify(registration_id, message) + Rails.logger.debug "FcmNorifier.notify for registration_id: #{registration_id} with message: #{message}" + + message = { + 'token': registration_id, + 'data': { + encrypted_message: message + }, + 'notification': { + title: "Podpisovanie dokumentu", + body: "Podpíšte elektronický dokument", + }, + 'android': { + priority: "high", + ttl: "300s" + }, + 'apns': { + payload: { + headers:{ + 'apns-priority': "10", + 'apns-expiration': "#{Time.zone.now.to_i + 300}" + }, + aps: { + category: "SIGN_EXTERNAL_DOCUMENT" + } + } + } + # TODO: consider analytic labels + # 'fcm_options': { + # analytics_label: 'Label' + # } + } + + # TODO: handle errors and implement exponential back-off + fcm.send_v1(message) + end +end diff --git a/app/models/device.rb b/app/models/device.rb new file mode 100644 index 0000000..6948424 --- /dev/null +++ b/app/models/device.rb @@ -0,0 +1,51 @@ +class Device < ApplicationRecord + has_many :devices_integrations + has_many :integrations, -> { distinct }, through: :devices_integrations + + validates :platform, presence: true + validates :display_name, presence: true + validates :registration_id, presence: true + validates :public_key, presence: true + validate :public_key_format_should_be_valid + + + def notify(integration, document_guid, document_encryption_key) + encrpyted_message = encrypt_message({ + document_guid: document_guid, + key: document_encryption_key + }.to_json, + integration.pushkey + ) + + if ['ios', 'android'].include? platform + ApiEnvironment.fcm_notifier.notify(registration_id, encrpyted_message) + elsif ['ntfy'].include? platform + conn = Faraday.new(url: registration_id) do |f| + f.headers["X-Actions"] = "view, Sign, https://autogram.slovensko.digital/api/v1/qr-code?guid=#{document_guid}&key=#{CGI.escape document_encryption_key}" + end + + conn.post + else + Rails.logger.warn "Unrecognized device platform: #{platform}" + end + end + + private + + def public_key_format_should_be_valid + begin + begin + OpenSSL::PKey::EC.new(public_key) + rescue + OpenSSL::PKey::EC.new("-----BEGIN PUBLIC KEY-----\n#{public_key}\n-----END PUBLIC KEY-----") + end + rescue OpenSSL::PKey::ECError => e + errors.add(:public_key, e.message) + end + end + + def encrypt_message(message, key) + encryptor = ActiveSupport::MessageEncryptor.new(Base64.decode64 key) + encryptor.encrypt_and_sign(message) + end +end diff --git a/app/models/devices_integration.rb b/app/models/devices_integration.rb new file mode 100644 index 0000000..daa2586 --- /dev/null +++ b/app/models/devices_integration.rb @@ -0,0 +1,5 @@ +class DevicesIntegration < ApplicationRecord + belongs_to :device + belongs_to :integration + validates :device, uniqueness: {scope: :integration, message: 'integration pair already exists'} +end diff --git a/app/models/document.rb b/app/models/document.rb index fc658f9..15e79fd 100644 --- a/app/models/document.rb +++ b/app/models/document.rb @@ -1,12 +1,25 @@ class Document < ApplicationRecord has_one_attached :encrypted_content + attr_accessor :decrypted_content - def decrypt_content(key) - @decrypted_content = encrypted_content.download + before_create :set_last_signed_at + + def self.convert_to_b64(mimetype, content, params) + return [mimetype, content, params] if mimetype.include?('base64') + + params[:schema] = Base64.strict_encode64(params[:schema]) if params[:schema] + params[:transformation] = Base64.strict_encode64(params[:transformation]) if params[:transformation] + + [mimetype + ';base64', Base64.strict_encode64(content), params] end - def decrypted_content - Base64.strict_encode64(@decrypted_content) + def decrypt_content(key) + decryptor = ActiveSupport::MessageEncryptor.new(key) + begin + @decrypted_content = decryptor.decrypt_and_verify(encrypted_content.download) + rescue ActiveSupport::MessageEncryptor::InvalidMessage => e + raise AvmBadEncryptionKeyError.new + end end def decrypted_content_mimetype_b64 @@ -14,14 +27,14 @@ def decrypted_content_mimetype_b64 end def encrypt_file(key, filename, mimetype, content) - if mimetype.include?('base64') - content = Base64.decode64(content) - end - encrypted_content.attach(filename: filename, content_type: mimetype, io: StringIO.new(content)) + encryptor = ActiveSupport::MessageEncryptor.new(key) + encrypted_data = encryptor.encrypt_and_sign(Base64.strict_encode64(Base64.decode64(content))) + + encrypted_content.attach(filename: filename, content_type: mimetype, io: StringIO.new(encrypted_data)) end - def validate_parameters(content) - avm_service.validate_parameters(self, content) + def validate_parameters(content, mimetype) + avm_service.validate_parameters(self, content, mimetype) end def signers @@ -51,12 +64,18 @@ def sign(key, data_to_sign, signed_data) document = response['documentResponse'] encrypt_file(key, document.dig('filename'), document['mimeType'], document['content']) + self.last_signed_at = Time.current + save! response['signer'] end private + def set_last_signed_at + self.last_signed_at = self.created_at + end + def avm_service Avm::Environment.avm_api end diff --git a/app/models/integration.rb b/app/models/integration.rb new file mode 100644 index 0000000..27c8f0d --- /dev/null +++ b/app/models/integration.rb @@ -0,0 +1,47 @@ +class Integration < ApplicationRecord + has_many :devices_integrations + has_many :devices, -> { distinct }, through: :devices_integrations + + encrypts :pushkey + + validates :platform, presence: true + validates :display_name, presence: true + validates :public_key, presence: true + validates :pushkey, presence: true + validate :public_key_format_should_be_valid + + + def notify_devices(document_guid, document_encryption_key) + devices.each { |d| d.notify(self, document_guid, document_encryption_key) } + end + + private + + def public_key_format_should_be_valid + begin + begin + OpenSSL::PKey::EC.new(public_key) + rescue + OpenSSL::PKey::EC.new("-----BEGIN PUBLIC KEY-----\n#{public_key}\n-----END PUBLIC KEY-----") + end + rescue OpenSSL::PKey::ECError => e + errors.add(:public_key, e.message) + end + end + + def pushkey_format_should_be_vakud + begin + key = nil + begin + key = Base64.urlsafe_decode64(pushkey) + rescue ArgumentError + key = Base64.strict_decode64(pushkey) + end + + errors.add(:pushkey, "aes256 key must be 32 bytes long") unless key.length == 32 + rescue => e + errors.add(:pushkey, e.message) + end + + end +end diff --git a/app/models/token.rb b/app/models/token.rb new file mode 100644 index 0000000..fef762e --- /dev/null +++ b/app/models/token.rb @@ -0,0 +1,11 @@ +class Token < ApplicationRecord + validates :key, uniqueness: {scope: :namespace} + + def self.write(key, value, expires_in: 1.hour, namespace: 'default') + begin + create!(namespace: namespace, key: key, value: value, expires_at: Time.now + expires_in) + rescue ActiveRecord::RecordInvalid + nil + end + end +end diff --git a/app/views/api/v1/device_integrations/index.json.jbuilder b/app/views/api/v1/device_integrations/index.json.jbuilder new file mode 100644 index 0000000..34cde7d --- /dev/null +++ b/app/views/api/v1/device_integrations/index.json.jbuilder @@ -0,0 +1,5 @@ +json.array! @integrations do |i| + json.integration_id i.id + json.platform i.platform + json.display_name i.display_name +end diff --git a/app/views/api/v1/devices/create.json.jbuilder b/app/views/api/v1/devices/create.json.jbuilder new file mode 100644 index 0000000..192fe3b --- /dev/null +++ b/app/views/api/v1/devices/create.json.jbuilder @@ -0,0 +1 @@ +json.guid @device.id \ No newline at end of file diff --git a/app/views/api/v1/documents/parameters.json.jbuilder b/app/views/api/v1/documents/parameters.json.jbuilder new file mode 100644 index 0000000..126c15d --- /dev/null +++ b/app/views/api/v1/documents/parameters.json.jbuilder @@ -0,0 +1 @@ +json.parameters @document.parameters diff --git a/app/views/api/v1/integrations/create.json.jbuilder b/app/views/api/v1/integrations/create.json.jbuilder new file mode 100644 index 0000000..03c319c --- /dev/null +++ b/app/views/api/v1/integrations/create.json.jbuilder @@ -0,0 +1 @@ +json.guid @integration.id \ No newline at end of file diff --git a/app/views/layouts/mailer.html.erb b/app/views/layouts/mailer.html.erb deleted file mode 100644 index 3aac900..0000000 --- a/app/views/layouts/mailer.html.erb +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - <%= yield %> - - diff --git a/app/views/layouts/mailer.text.erb b/app/views/layouts/mailer.text.erb deleted file mode 100644 index 37f0bdd..0000000 --- a/app/views/layouts/mailer.text.erb +++ /dev/null @@ -1 +0,0 @@ -<%= yield %> diff --git a/config/application.rb b/config/application.rb index 67aed6e..888beb8 100644 --- a/config/application.rb +++ b/config/application.rb @@ -8,7 +8,7 @@ Bundler.require(*Rails.groups) if ['development', 'test'].include? ENV['RAILS_ENV'] - Dotenv::Railtie.load + Dotenv::Rails.load end module AutogramServer @@ -37,5 +37,29 @@ class Application < Rails::Application config.exceptions_app = self.routes Rails.application.config.generators { |g| g.orm :active_record, primary_key_type: :uuid } + + config.active_record.encryption.primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] + config.active_record.encryption.deterministic_key = ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] + config.active_record.encryption.key_derivation_salt = ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] + + config.active_job.queue_adapter = :good_job + config.good_job.max_threads = 2 + config.good_job.execution_mode = :async + config.good_job.enable_cron = true + config.good_job.smaller_number_is_higher_priority = true + + config.good_job.cron = { + delete_expired_documents: { + cron: "*/15 * * * *", + class: "DeleteExpiredDocumentsJob", + set: {priority: -5} + }, + delete_expired_tokens: { + cron: "*/15 * * * *", + class: "DeleteExpiredTokensJob", + set: {priority: -10} + } + } + end end diff --git a/config/routes.rb b/config/routes.rb index 1c93c38..7105a26 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -9,10 +9,21 @@ get 'visualization' post 'datatosign' post 'sign' + get 'parameters' end end + + resources :devices, only: [:create] + resources :integrations, only: [:create] + resources :device_integrations, path: '/device-integrations', only: [:index, :create, :destroy] + resources :integration_devices, path: '/integration-devices', only: [:index, :destroy] + resource :sign_request, path: '/sign-request', only: [:create] + + get '/qr-code', to: redirect('https://sluzby.slovensko.digital/autogram-v-mobile/#download', status: 302) end end + + get '/apple-app-site-association' => 'apple#apple_app_site_association' # Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html # Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500. diff --git a/db/migrate/20240412122434_add_integrations_and_devices.rb b/db/migrate/20240412122434_add_integrations_and_devices.rb new file mode 100644 index 0000000..0a96c71 --- /dev/null +++ b/db/migrate/20240412122434_add_integrations_and_devices.rb @@ -0,0 +1,24 @@ +class AddIntegrationsAndDevices < ActiveRecord::Migration[7.1] + def change + create_table :devices, id: :uuid do |t| + t.string :registration_id, null: false + t.string :platform, null: false + t.string :display_name, null: false + t.string :public_key, null: false + + t.timestamps + end + + create_table :integrations, id: :uuid do |t| + t.string :platform, null: false + t.string :display_name, null: false + t.string :public_key, null: false + t.string :pushkey, null: false + + t.timestamps + end + + create_join_table :devices, :integrations, column_options: {type: :uuid} + add_index :devices_integrations, [:device_id, :integration_id], unique: true + end +end diff --git a/db/migrate/20240422051835_add_token.rb b/db/migrate/20240422051835_add_token.rb new file mode 100644 index 0000000..9284070 --- /dev/null +++ b/db/migrate/20240422051835_add_token.rb @@ -0,0 +1,14 @@ +class AddToken < ActiveRecord::Migration[7.1] + def change + create_table :tokens do |t| + t.string :namespace, null: false + t.string :key, null: false + t.string :value, null: false + t.datetime :expires_at, null: false + + t.timestamps + end + + add_index :tokens, [:namespace, :key], unique: true + end +end diff --git a/db/migrate/20240422052823_create_good_jobs.rb b/db/migrate/20240422052823_create_good_jobs.rb new file mode 100644 index 0000000..ff16de0 --- /dev/null +++ b/db/migrate/20240422052823_create_good_jobs.rb @@ -0,0 +1,92 @@ +# frozen_string_literal: true + +class CreateGoodJobs < ActiveRecord::Migration[7.1] + def change + # Uncomment for Postgres v12 or earlier to enable gen_random_uuid() support + # enable_extension 'pgcrypto' + + create_table :good_jobs, id: :uuid do |t| + t.text :queue_name + t.integer :priority + t.jsonb :serialized_params + t.datetime :scheduled_at + t.datetime :performed_at + t.datetime :finished_at + t.text :error + + t.timestamps + + t.uuid :active_job_id + t.text :concurrency_key + t.text :cron_key + t.uuid :retried_good_job_id + t.datetime :cron_at + + t.uuid :batch_id + t.uuid :batch_callback_id + + t.boolean :is_discrete + t.integer :executions_count + t.text :job_class + t.integer :error_event, limit: 2 + t.text :labels, array: true + end + + create_table :good_job_batches, id: :uuid do |t| + t.timestamps + t.text :description + t.jsonb :serialized_properties + t.text :on_finish + t.text :on_success + t.text :on_discard + t.text :callback_queue_name + t.integer :callback_priority + t.datetime :enqueued_at + t.datetime :discarded_at + t.datetime :finished_at + end + + create_table :good_job_executions, id: :uuid do |t| + t.timestamps + + t.uuid :active_job_id, null: false + t.text :job_class + t.text :queue_name + t.jsonb :serialized_params + t.datetime :scheduled_at + t.datetime :finished_at + t.text :error + t.integer :error_event, limit: 2 + t.text :error_backtrace, array: true + end + + create_table :good_job_processes, id: :uuid do |t| + t.timestamps + t.jsonb :state + end + + create_table :good_job_settings, id: :uuid do |t| + t.timestamps + t.text :key + t.jsonb :value + t.index :key, unique: true + end + + add_index :good_jobs, :scheduled_at, where: "(finished_at IS NULL)", name: :index_good_jobs_on_scheduled_at + add_index :good_jobs, [:queue_name, :scheduled_at], where: "(finished_at IS NULL)", name: :index_good_jobs_on_queue_name_and_scheduled_at + add_index :good_jobs, [:active_job_id, :created_at], name: :index_good_jobs_on_active_job_id_and_created_at + add_index :good_jobs, :concurrency_key, where: "(finished_at IS NULL)", name: :index_good_jobs_on_concurrency_key_when_unfinished + add_index :good_jobs, [:cron_key, :created_at], where: "(cron_key IS NOT NULL)", name: :index_good_jobs_on_cron_key_and_created_at_cond + add_index :good_jobs, [:cron_key, :cron_at], where: "(cron_key IS NOT NULL)", unique: true, name: :index_good_jobs_on_cron_key_and_cron_at_cond + add_index :good_jobs, [:finished_at], where: "retried_good_job_id IS NULL AND finished_at IS NOT NULL", name: :index_good_jobs_jobs_on_finished_at + add_index :good_jobs, [:priority, :created_at], order: { priority: "DESC NULLS LAST", created_at: :asc }, + where: "finished_at IS NULL", name: :index_good_jobs_jobs_on_priority_created_at_when_unfinished + add_index :good_jobs, [:priority, :created_at], order: { priority: "ASC NULLS LAST", created_at: :asc }, + where: "finished_at IS NULL", name: :index_good_job_jobs_for_candidate_lookup + add_index :good_jobs, [:batch_id], where: "batch_id IS NOT NULL" + add_index :good_jobs, [:batch_callback_id], where: "batch_callback_id IS NOT NULL" + add_index :good_jobs, :labels, using: :gin, where: "(labels IS NOT NULL)", name: :index_good_jobs_on_labels + + add_index :good_job_executions, [:active_job_id, :created_at], name: :index_good_job_executions_on_active_job_id_and_created_at + end +end diff --git a/db/migrate/20240610211535_add_last_signed_at_to_document.rb b/db/migrate/20240610211535_add_last_signed_at_to_document.rb new file mode 100644 index 0000000..4cf0352 --- /dev/null +++ b/db/migrate/20240610211535_add_last_signed_at_to_document.rb @@ -0,0 +1,7 @@ +class AddLastSignedAtToDocument < ActiveRecord::Migration[7.1] + def change + add_column :documents, :last_signed_at, :datetime + Document.update_all('last_signed_at = updated_at') + change_column_null :documents, :last_signed_at, false + end +end diff --git a/db/schema.rb b/db/schema.rb index 2d8f083..3d11631 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[7.1].define(version: 2024_02_16_154821) do +ActiveRecord::Schema[7.1].define(version: 2024_06_10_211535) do # These are extensions that must be enabled in order to support this database enable_extension "pgcrypto" enable_extension "plpgsql" @@ -43,10 +43,125 @@ t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true end + create_table "devices", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.string "registration_id", null: false + t.string "platform", null: false + t.string "display_name", null: false + t.string "public_key", null: false + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + end + + create_table "devices_integrations", id: false, force: :cascade do |t| + t.uuid "device_id", null: false + t.uuid "integration_id", null: false + t.index ["device_id", "integration_id"], name: "index_devices_integrations_on_device_id_and_integration_id", unique: true + end + create_table "documents", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| t.json "parameters" t.datetime "created_at", null: false t.datetime "updated_at", null: false + t.datetime "last_signed_at", null: false + end + + create_table "good_job_batches", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.text "description" + t.jsonb "serialized_properties" + t.text "on_finish" + t.text "on_success" + t.text "on_discard" + t.text "callback_queue_name" + t.integer "callback_priority" + t.datetime "enqueued_at" + t.datetime "discarded_at" + t.datetime "finished_at" + end + + create_table "good_job_executions", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.uuid "active_job_id", null: false + t.text "job_class" + t.text "queue_name" + t.jsonb "serialized_params" + t.datetime "scheduled_at" + t.datetime "finished_at" + t.text "error" + t.integer "error_event", limit: 2 + t.text "error_backtrace", array: true + t.index ["active_job_id", "created_at"], name: "index_good_job_executions_on_active_job_id_and_created_at" + end + + create_table "good_job_processes", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.jsonb "state" + end + + create_table "good_job_settings", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.text "key" + t.jsonb "value" + t.index ["key"], name: "index_good_job_settings_on_key", unique: true + end + + create_table "good_jobs", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.text "queue_name" + t.integer "priority" + t.jsonb "serialized_params" + t.datetime "scheduled_at" + t.datetime "performed_at" + t.datetime "finished_at" + t.text "error" + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.uuid "active_job_id" + t.text "concurrency_key" + t.text "cron_key" + t.uuid "retried_good_job_id" + t.datetime "cron_at" + t.uuid "batch_id" + t.uuid "batch_callback_id" + t.boolean "is_discrete" + t.integer "executions_count" + t.text "job_class" + t.integer "error_event", limit: 2 + t.text "labels", array: true + t.index ["active_job_id", "created_at"], name: "index_good_jobs_on_active_job_id_and_created_at" + t.index ["batch_callback_id"], name: "index_good_jobs_on_batch_callback_id", where: "(batch_callback_id IS NOT NULL)" + t.index ["batch_id"], name: "index_good_jobs_on_batch_id", where: "(batch_id IS NOT NULL)" + t.index ["concurrency_key"], name: "index_good_jobs_on_concurrency_key_when_unfinished", where: "(finished_at IS NULL)" + t.index ["cron_key", "created_at"], name: "index_good_jobs_on_cron_key_and_created_at_cond", where: "(cron_key IS NOT NULL)" + t.index ["cron_key", "cron_at"], name: "index_good_jobs_on_cron_key_and_cron_at_cond", unique: true, where: "(cron_key IS NOT NULL)" + t.index ["finished_at"], name: "index_good_jobs_jobs_on_finished_at", where: "((retried_good_job_id IS NULL) AND (finished_at IS NOT NULL))" + t.index ["labels"], name: "index_good_jobs_on_labels", where: "(labels IS NOT NULL)", using: :gin + t.index ["priority", "created_at"], name: "index_good_job_jobs_for_candidate_lookup", where: "(finished_at IS NULL)" + t.index ["priority", "created_at"], name: "index_good_jobs_jobs_on_priority_created_at_when_unfinished", order: { priority: "DESC NULLS LAST" }, where: "(finished_at IS NULL)" + t.index ["queue_name", "scheduled_at"], name: "index_good_jobs_on_queue_name_and_scheduled_at", where: "(finished_at IS NULL)" + t.index ["scheduled_at"], name: "index_good_jobs_on_scheduled_at", where: "(finished_at IS NULL)" + end + + create_table "integrations", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t| + t.string "platform", null: false + t.string "display_name", null: false + t.string "public_key", null: false + t.string "pushkey", null: false + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + end + + create_table "tokens", force: :cascade do |t| + t.string "namespace", null: false + t.string "key", null: false + t.string "value", null: false + t.datetime "expires_at", null: false + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.index ["namespace", "key"], name: "index_tokens_on_namespace_and_key", unique: true end add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id" diff --git a/lib/avm_api.rb b/lib/avm_api.rb index 5812e77..9e7675a 100644 --- a/lib/avm_api.rb +++ b/lib/avm_api.rb @@ -3,14 +3,14 @@ def initialize(host:) @host = host end - def validate_parameters(document, content) + def validate_parameters(document, content, mimetype) response = Faraday.post(url('/parameters/validate'), { document: { filename: document.encrypted_content.filename, content: content }, parameters: document.parameters, - payloadMimeType: document.decrypted_content_mimetype_b64 + payloadMimeType: mimetype }.to_json) handle_response(response) @@ -76,6 +76,7 @@ def url(endpoint) def handle_response(response) raise AvmServiceInternalError.new(response.body) if response.status >= 500 + raise AvmServiceSignatureNotInTactError.new(response.body) if (response.status == 400 && JSON.parse(response.body)['code'] == 'SIGNATURE_NOT_IN_TACT') raise AvmServiceBadRequestError.new(response.body) if response.status >= 400 end end diff --git a/public/openapi.yaml b/public/openapi.yaml index 8044b0a..cdcabbe 100644 --- a/public/openapi.yaml +++ b/public/openapi.yaml @@ -12,10 +12,9 @@ tags: - name: Mobile2App - name: Desktop2App - Extension - name: Desktop2App - Client - -security: - - Header: [] - - Parameter: [] + - name: Minimal Integration + - name: QR code + - name: Integration paths: /documents: @@ -23,12 +22,29 @@ paths: tags: - Mobile2App - Desktop2App - Extension + security: + - Header: [ ] + - Parameter: [ ] + summary: Client app posts document along with some parameters to Server. description: Client app posts document along with some parameters to Server. Server encrypts the document using the provided EncryptionKey and stores it on a disk. requestBody: content: "application/json": schema: $ref: "#/components/schemas/DocumentPostRequestBody" + examples: + Plain TXT document: + $ref: "#/components/examples/XAdES-ASiC_E-TXT" + Slovak EForm with resources: + $ref: "#/components/examples/XAdES-ASiC_E-Base64-HTML" + Slovak EForm with auto-loaded resources: + $ref: "#/components/examples/XAdES-ASiC_E-Auto" + PDF document: + $ref: "#/components/examples/PAdES-PDF" + DOCX document: + $ref: "#/components/examples/XAdES-ASiC_E-DOCX" + Image with CAdES level: + $ref: "#/components/examples/CAdES-ASiC_E-PNG_md" parameters: - name: Accept in: header @@ -86,10 +102,11 @@ paths: get: tags: - Desktop2App - Extension - description: | - External system requests signed document at the end of the process. - - This endpoint is also designed for polling with the `If-Modified-Since` header (`TODO`). + security: + - Header: [ ] + - Parameter: [ ] + summary: External system requests signed document at the end of the process. + description: This endpoint is also designed for polling with the `If-Modified-Since` header. parameters: - name: guid in: path @@ -102,8 +119,7 @@ paths: required: false schema: type: string - pattern: '^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT$' - example: 'Tue, 15 Oct 2019 12:45:26 GMT' + example: '2024-05-05 11:52:06 UTC' - name: Accept in: header schema: @@ -122,17 +138,15 @@ paths: Last-Modified: schema: type: string - pattern: '^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT$' - example: 'Tue, 15 Oct 2019 12:45:26 GMT' - description: "`TODO` Datetime of the last-modified attribute of the requeste document." + example: '2024-05-05 11:52:06 UTC' + description: "Datetime of the last-modified attribute of the requeste document." 304: description: Requested document has not been modified since `If-Modified-Since` header headers: Last-Modified: schema: type: string - pattern: '^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT$' - example: 'Tue, 15 Oct 2019 12:45:26 GMT' + example: '2024-05-05 11:52:06 UTC' description: Datetime of the last-modified attribute of the requeste document. 400: description: Bad request @@ -174,10 +188,13 @@ paths: $ref: "#/components/schemas/BadGatewayErrorResponseBody" delete: - description: | - External system requests signed document at the end of the process. - - This endpoint is also designed for polling with the `If-Modified-Since` header. + tags: + - Desktop2App - Extension + security: + - Header: [ ] + - Parameter: [ ] + summary: External system requests signed document at the end of the process. + description: This endpoint is also designed for polling with the `If-Modified-Since` header. parameters: - name: guid in: path @@ -232,7 +249,10 @@ paths: tags: - Desktop2App - Client - Mobile2App - description: Client app requests encrypted document to visualize it. + security: + - Header: [ ] + - Parameter: [ ] + summary: Client app requests encrypted document to visualize it. parameters: - name: guid in: path @@ -293,11 +313,58 @@ paths: schema: $ref: "#/components/schemas/BadGatewayErrorResponseBody" + /documents/{guid}/parameters: + get: + tags: + - Desktop2App - Client + security: + - Header: [ ] + - Parameter: [ ] + summary: Client app gets the signature parameters of the doucment + parameters: + - name: guid + in: path + schema: + type: string + required: true + example: bfde97b4-ee27-47bc-97e2-5164ed96a92a + - name: Accept + in: header + schema: + type: string + default: application/json + required: true + allowEmptyValue: false + responses: + 200: + description: OK + content: + "application/json": + schema: + $ref: "#/components/schemas/SigningParameters" + 401: + description: EncryptionKey not provided + content: + application/json: + schema: + $ref: "#/components/schemas/EncryptionKeyNotProvidedErrorResponseBody" + 403: + description: EncryptionKey mismatch + content: + application/json: + schema: + $ref: "#/components/schemas/EncryptionKeyMismatchErrorResponseBody" + 404: + description: Not found + /documents/{guid}/validation: get: tags: - Mobile2App - description: Client app requests a signature validation report of the document. + security: + - Header: [ ] + - Parameter: [ ] + summary: Client app requests a signature validation report of the document. parameters: - name: guid in: path @@ -365,6 +432,10 @@ paths: tags: - Mobile2App - Desktop2App - Client + security: + - Header: [ ] + - Parameter: [ ] + summary: Client app gets datatosign based on provided signing certificate. description: Client app posts signing certificate to the server. Server decrypts the encrypted document from disk, computes DataToSign and returns it along exact signing time in milliseconds. The whole response object is later required for POST /sign request. parameters: - name: guid @@ -436,7 +507,10 @@ paths: tags: - Mobile2App - Desktop2App - Client - description: Create signed document using the SignedData obtained from client. + security: + - Header: [ ] + - Parameter: [ ] + summary: Create signed document using the SignedData obtained from client. parameters: - name: guid in: path @@ -518,8 +592,361 @@ paths: schema: $ref: "#/components/schemas/BadGatewayErrorResponseBody" + /integrations: + post: + tags: + - Integration + - Minimal Integration + summary: Integration registers itself at the server + requestBody: + content: + application/json: + schema: + $ref: "#/components/schemas/PostIntegrationRequestBody" + responses: + 200: + description: OK + content: + application/json: + schema: + $ref: "#/components/schemas/PostIntegrationResponse" + + /devices: + post: + tags: + - Integration + - Minimal Integration + summary: Device registers itself at the server + requestBody: + content: + application/json: + schema: + $ref: "#/components/schemas/PostDeviceRequestBody" + responses: + 200: + description: OK + content: + application/json: + schema: + $ref: "#/components/schemas/PostDeviceResponse" + + /device-integrations: + post: + tags: + - Integration + - Minimal Integration + security: + - Device JWT: [] + summary: Device registers itself for receiving sign requests (push notification) from given integration + requestBody: + content: + application/json: + schema: + $ref: "#/components/schemas/PostDeviceIntegrationsRequestBody" + responses: + 204: + description: OK + + get: + tags: + - Integration + security: + - Device JWT: [] + summary: Device retrieves a list of paired integrations + responses: + 200: + description: OK + content: + application/json: + schema: + $ref: "#/components/schemas/GetDeviceIntegrationsResponseBody" + + /device-integrations/{integration_id}: + delete: + tags: + - Integration + security: + - Device JWT: [] + summary: Device deletes integration from its paired integrations + parameters: + - name: integration_id + in: path + schema: + type: string + description: Identifier of the integration + example: 0d939eb1-8e14-41e5-9c7e-05e77641cc7b + required: true + allowEmptyValue: false + responses: + 204: + description: OK + 404: + description: Not found + + /integration-devices: + get: + tags: + - Integration + security: + - Integration JWT: [] + summary: Integration retrieves a list of paired devices + responses: + 200: + description: OK + content: + application/json: + schema: + $ref: "#/components/schemas/GetIntegrationDevicesResponseBody" + + /integration-devices/{device_id}: + delete: + tags: + - Integration + security: + - Integration JWT: [] + summary: Integration deletes device from its paired devices + parameters: + - name: device_id + in: path + schema: + type: string + description: Identifier of the device + example: 03de5319-a40d-48ea-b4fb-29d11e7017bb + required: true + allowEmptyValue: false + responses: + 204: + description: OK + 404: + description: Not found + + /sign-request: + post: + tags: + - Integration + - Minimal Integration + security: + - Integration JWT: [] + summary: Integration sends a sign request (push notification) to all paired signing devices + requestBody: + content: + application/json: + schema: + $ref: "#/components/schemas/PostSignRequestBody" + responses: + 200: + description: OK + callbacks: + myEvent: + 'FCM-notificaiton-SDK': + post: + description: | + This is a pseudo-description of data sent to subscibing device in `data` payload through Firebase Cloud Messaging. + + `encryptedMessage` conatins document GUID and its encryption key encrypted with AES256 pushkey shared between integration and device, + + Encrpyted message JSON: + ```json + { + "documentGuid": "bfde97b4-ee27-47bc-97e2-5164ed96a92a", + "key": "EeESAfZQh9OTf5qZhHZtgaDJpYtxZD6TIOQJzRgRFgQ=" + } + ``` + requestBody: + content: + application/json: + schema: + type: object + properties: + encryptedMessage: + type: string + example: ZhHZtgaDJpYtxZD6TIOQJzRgRFgQ... + required: + - message + responses: + 200: + description: OK + + /qr-code: + get: + tags: + - QR code + description: | + Example: `https://autogram.slovensko.digital/api/v1/qr-code?guid=e7e95411-66a1-d401-e063-0a64dbb6b796&key=EeESAfZQh9OTf5qZhHZtgaDJpYtxZD6TIOQJzRgRFgQ%3D&pushkey=R%2FrfN%2Bz129w1H2iftbr1GOKXdC3OxSJU9PZeHs%2BW7ts%3D&integration=eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiI3OGQ5MWRlNy0xY2MyLTQwZTQtOWE3MS0zODU4YjRmMDMxOWQiLCJleHAiOjE3MTI5MDk3MjAsImp0aSI6IjAwZTAxN2Y1LTI4MTAtNDkyNS04ODRlLWNiN2FhZDAzZDFhNiIsImF1ZCI6ImRldmljZSJ9.7Op6W2BvbX2_mgj9dkz1IiolEsQ1Z2a0AzpS5bj4pcG3CJ4Z8j9W3RQE95wrAj3t6nmd9JaGZSlCJNSV_myyLQ` + + + parameters: + - name: guid + in: query + schema: + type: string + description: GUID of a document + example: e7e95411-66a1-d401-e063-0a64dbb6b796 + required: true + - name: key + in: query + schema: + type: string + description: AES256 key in Base64 for the document + example: EeESAfZQh9OTf5qZhHZtgaDJpYtxZD6TIOQJzRgRFgQ= + required: true + - name: pushkey + in: query + schema: + type: string + description: AES256 key in Base64 for push notification content + example: R/rfN+z129w1H2iftbr1GOKXdC3OxSJU9PZeHs+W7ts= + required: false + - name: integration + in: query + schema: + type: string + description: 'JWT of source integration. Can be used to pair device with the integration. Must contain `aud: "device"` claim' + example: eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiI3OGQ5MWRlNy0xY2MyLTQwZTQtOWE3MS0zODU4YjRmMDMxOWQiLCJleHAiOjE3MTI5MDk3MjAsImp0aSI6IjAwZTAxN2Y1LTI4MTAtNDkyNS04ODRlLWNiN2FhZDAzZDFhNiIsImF1ZCI6ImRldmljZSJ9.7Op6W2BvbX2_mgj9dkz1IiolEsQ1Z2a0AzpS5bj4pcG3CJ4Z8j9W3RQE95wrAj3t6nmd9JaGZSlCJNSV_myyLQ + required: false + responses: + 200: + description: OK + components: schemas: + PostSignRequestBody: + type: object + properties: + documentGuid: + type: string + example: e1b2fafc-59c4-46de-ac0a-83aa782184e9 + description: GUID of the document to sign + documentEncryptionKey: + type: string + description: AES256 encryption key in hexadecimal form (64 characters) that is used to encrypt and decrypt signing doucment. + example: EeESAfZQh9OTf5qZhHZtgaDJpYtxZD6TIOQJzRgRFgQ= + required: + - documentGuid + - documentEncryptionKey + + PostIntegrationRequestBody: + type: object + properties: + platform: + type: string + description: Platform identifier + example: extension + displayName: + type: string + description: Human-readable name of the integration + example: Autogram browser extension + publicKey: + type: string + description: Integration's ES256 public key that shall be used to authenticate its JWT tokens. Either with or without "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----". + example: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGoqUt0JPQgvvMhLNxFQkwOoClKxDK8D8oW+qmakxQuOJuy/V0uKPJbhRkEWz8WPFZCUXUr1LsD5E667h5StmLw==\n-----END PUBLIC KEY-----" + pushkey: + type: string + description: Integration's AES256 key in Base64 form that shall be used to encrypt notificaiton messages sent to device + example: "R/rfN+z129w1H2iftbr1GOKXdC3OxSJU9PZeHs+W7ts=" + required: + - platform + - displayName + - publicKey + - pushkey + + PostIntegrationResponse: + type: object + properties: + guid: + type: string + description: Assigned identifier + example: 57820662-f56c-4b2f-97d1-e95306aee6db + required: + - guid + + PostDeviceRequestBody: + type: object + properties: + platform: + type: string + description: Platform of the signing device used to determine which notification service to use. (`android` or `ios`) + example: android + registrationId: + type: string + description: Identifier of the app instance registration entry in the notification service (APNS or GCM) + example: idk32b83ef7-21fe-4120-b8fa-d9f6aba05731 + displayName: + type: string + description: Human-readable name of the device + example: John's phone + publicKey: + type: string + description: Device's ES256 public key that shall be used to authenticate its JWT tokens. Either with or without "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----". + example: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1iPVm0v/ZNM04587g10F54JVIrMZqWnlOXuGjOvcYsuweTYxuXafP8aJ6kIXe+jQhjeldm2mQZzSZ4ceLRq0yA==\n-----END PUBLIC KEY-----" + required: + - platform + - registrationId + - displayName + - publicKey + + PostDeviceResponse: + type: object + properties: + guid: + type: string + description: Assigned identifier + example: 03de5319-a40d-48ea-b4fb-29d11e7017bb + + GetDeviceIntegrationsResponseBody: + type: array + items: + type: object + properties: + integrationId: + type: string + description: Identifier of the integration + example: 0d939eb1-8e14-41e5-9c7e-05e77641cc7b + platform: + type: string + description: Platform identifier + example: extension + displayName: + type: string + description: Human-readable name of the integration + example: Autogram browser extension + required: + - platform + - integrationId + - displayName + + GetIntegrationDevicesResponseBody: + type: array + items: + type: object + properties: + deviceId: + type: string + description: Identifier of the device + example: 03de5319-a40d-48ea-b4fb-29d11e7017bb + platform: + type: string + description: Platform of the signing device used to determine which notification service to use. (`android` or `ios`) + example: android + displayName: + type: string + description: Human-readable name of the device + example: John's phone + required: + - platform + - deviceId + - displayName + + PostDeviceIntegrationsRequestBody: + type: object + properties: + integrationPairingToken: + type: string + description: "JWT token provided by integration on pairing. The token must contain `aud: \"device\"` claim." + example: eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiI3OGQ5MWRlNy0xY2MyLTQwZTQtOWE3MS0zODU4YjRmMDMxOWQiLCJleHAiOjE3MTI5MDk3MjAsImp0aSI6IjAwZTAxN2Y1LTI4MTAtNDkyNS04ODRlLWNiN2FhZDAzZDFhNiIsImF1ZCI6ImRldmljZSJ9.7Op6W2BvbX2_mgj9dkz1IiolEsQ1Z2a0AzpS5bj4pcG3CJ4Z8j9W3RQE95wrAj3t6nmd9JaGZSlCJNSV_myyLQ + required: + - integrationPairingToken + DocumentPostRequestBody: type: object properties: @@ -529,7 +956,7 @@ components: $ref: "#/components/schemas/SigningParameters" payloadMimeType: type: string - example: application/pdf;base64 + example: text/plain;base64 description: | MIME type for document content and signature parameters XSLT transformation and XSD schema. Binary files should be encoded using base64, e.g., `application/pdf;base64`. @@ -538,7 +965,6 @@ components: If omitted, mimetype is decided based on document.filename and content is expected to be in Base64. required: - document - - parameters SigningCertificate: type: string @@ -671,29 +1097,60 @@ components: - issuedBy Document: - description: JSON object that is encrypted for type: object properties: filename: type: string - description: Filename of the document - example: sample_document.pdf + description: Filename of the document. payloadMimeType must be provided if empty. Also, if payloadMimeType is empty, filename must be provided and mimetype must be understood from extension. + example: sample_document.txt content: type: string description: Base64 encrypted content of the document example: ZXhhbXBsZSBzdHJpbmcgaW4gYmFzZTY0Cg== required: - content - - filename + + SignatureLevelResponse: + type: object + properties: + level: + type: string + description: Signature level. + example: XAdES_BASELINE_B + enum: + - PAdES_BASELINE_B + - PAdES_BASELINE_T + - XAdES_BASELINE_B + - XAdES_BASELINE_T + - CAdES_BASELINE_B + - CAdES_BASELINE_T SigningParameters: type: object description: Signing parameters same as in the Autogram API properties: + checkPDFACompliance: + type: boolean + default: false + description: "Check for PDF/A compliance and show warning if not compliant." + + autoLoadEform: + type: boolean + default: false + description: + Try to find XSD and XSLT for a given eForm and load them automatically. Useful for visualizing and signing eForms. + If true, schema, transformation, conatinerXmlns, container, packaging, and identifier parameters are ignored. + If resources are not found, the response is 422. + If provided document is an ASiC_E container conatining XML Datacontainer or it is an XML Datacontainer itself, XSLT found is used for visualiztion of signing document. Also, XSD and XSLT hashes are compared with hashes of XSD and XSLT found in XML Data Container EForm. If they differ, the response is 422. + If the provided document is an XML document, Autogram will try to parse xmlns from root element and find resources based on its value. + If successful, XML Datacontainer with xmls="http://data.gov.sk/def/container/xmldatacontainer+xml/1.1" is created, the document is validated against the XSD and visualized using the XSLT. If XSD validation fails, the response is 422. + The XSLT transformation is found based on transformationLanguage (defaults to user preferred), transformationMediaDestinationTypeDescription (default XHTML, then HTML, then TXT), and transformationTargetEnvironment. + If multiple transformations meet the criteria, the first one found is used. + level: type: string description: Signature level. - example: PAdES_BASELINE_B + example: XAdES_BASELINE_B enum: - PAdES_BASELINE_B - PAdES_BASELINE_T @@ -701,15 +1158,131 @@ components: - XAdES_BASELINE_T - CAdES_BASELINE_B - CAdES_BASELINE_T + container: type: string description: Type of Advanced Signature Container. Defaults to null - no container. - example: + example: ASiC-E enum: - ASiC-E - ASiC-S - required: - - level + + containerXmlns: + type: string + enum: + - http://data.gov.sk/def/container/xmldatacontainer+xml/1.1 + example: http://data.gov.sk/def/container/xmldatacontainer+xml/1.1 + description: XML namespace for the XML Datacontainer. Specifies if xmldatacontainer should be created from XML. Doesn't create xmldatacontainer if payloadMimeType is application/vnd.gov.sk.xmldatacontainer+xml already. Accepts http://data.gov.sk/def/container/xmldatacontainer+xml/1.1 only. Defaults to null. Is ignored with autoLoadEform true. + + embedUsedSchemas: + type: boolean + example: false + description: When creating XML Datacontainer, parameter indicates whether to embed XSD and XML or reference them. Practically this should be only used for ORSR EForms in which case (when identifier contains "justice.gov.sk/Forms") this parameter is overridden to true. + + identifier: + type: string + example: https://data.gov.sk/id/egov/eform/App.GeneralAgenda/1.9 + description: Optional identifier of the document template. Required if containerXmlns is http://data.gov.sk/def/container/xmldatacontainer+xml/1.1. Defaults to null. Is ignored with autoLoadEform true. + + packaging: + type: string + enum: + - ENVELOPED + - ENVELOPING + default: ENVELOPED + description: Optional form of packaging used with XML. ENVELOPED adds the signature as a child of the root element while ENVELOPING wraps the XML in a new element. Only applies to XAdES signatures. Must be ENVELOPING when used without ASiC container and with non XML documents. Is ignored with autoLoadEform true. + + digestAlgorithm: + type: string + enum: + - SHA256 + - SHA384 + - SHA512 + default: SHA256 + description: Optional algorithm used to calculate digests. + + en319132: + type: boolean + default: false + description: Optional flag to control whether the signature should be made according to ETSI EN 319132 for XAdES and ETSI EN 319122 for CAdES and PAdES. + + infoCanonicalization: + type: string + enum: + - INCLUSIVE + - EXCLUSIVE + - INCLUSIVE_WITH_COMMENTS + - EXCLUSIVE_WITH_COMMENTS + - INCLUSIVE_11 + - INCLUSIVE_11_WITH_COMMENTS + default: INCLUSIVE + description: Optional info canonicalization method. + + propertiesCanonicalization: + type: string + enum: + - INCLUSIVE + - EXCLUSIVE + - INCLUSIVE_WITH_COMMENTS + - EXCLUSIVE_WITH_COMMENTS + - INCLUSIVE_11 + - INCLUSIVE_11_WITH_COMMENTS + default: INCLUSIVE + description: Optional properties canonicalization method. + + keyInfoCanonicalization: + type: string + enum: + - INCLUSIVE + - EXCLUSIVE + - INCLUSIVE_WITH_COMMENTS + - EXCLUSIVE_WITH_COMMENTS + - INCLUSIVE_11 + - INCLUSIVE_11_WITH_COMMENTS + default: INCLUSIVE + description: Optional key info canonicalization method. + + schema: + type: string + example: '' + description: Optional XML schema used to validate the signing document and to compute digest used in "UsedXSDReference" in "DigestValue" attribute inside created XML Datacontainer. Format (plaintext or base64) is dictated by `payloadMimeType`. Is ignored with autoLoadEform true. + + schemaIdentifier: + type: string + example: http://schemas.gov.sk/form/App.GeneralAgenda/1.9/form.xsd + description: Optional identifier of the XML schema. The value is used in "UsedXSDReference" field inside created XML Datacontainer. If provided with autoLoadEform true, Autogram will try to find such schema. Default value is "http://schemas.gov.sk/form///form.xsd". + + transformation: + type: string + example: '

' + description: Optional XML transformation used to present the signing document to user and to compute digest used in "UsedPresentationSchemaReference" in "DigestValue" attribute inside created XML Datacontainer. Format (plaintext or base64) is dictated by `payloadMimeType`. Is ignored with autoLoadEform true. + + transformationIdentifier: + type: string + example: http://schemas.gov.sk/form/App.GeneralAgenda/1.9/form.xslt + description: Optional identifier of the XML transformation. If provided with autoLoadEform true, Autogram will try to find such transformation. Default value is "http://schemas.gov.sk/form///form.xslt". + + transformationLanguage: + type: string + example: sk + description: Optional language of the XML transformation. If autoLoadEform is true, Autogram will try to find signing XSLT with this language. Otherwise transformation must be provided. Default value is user preferred or "sk". + + transformationMediaDestinationTypeDescription: + type: string + enum: + - XHTML + - HTML + - TXT + example: HTML + description: Optional media destination type description of the XML transformation. If autoLoadEform is true, Autogram will try to find signing XSLT with this type. Otherwise transformation must be provided. Overrides value of the output method in provided or auto-loaded transformation which is used by default. + + transformationTargetEnvironment: + type: string + example: example-value + description: Optional target environment of the XML transformation. If autoLoadEform is true, Autogram will try to find signing XSLT with this target. Otherwise transformation must be provided. Null and not used by default. + example: + level: XAdES_BASELINE_B + container: ASiC-E CreateDocumentResponseBody: type: object @@ -1016,6 +1589,7 @@ components: - EMPTY_BODY - DATATOSIGN_MISMATCH - CERTIFICATE_NOT_VALID + - FAILED_PARSING_MIMETYPE description: | Code that can be used to identify the error. @@ -1150,10 +1724,133 @@ components: type: apiKey in: header name: X-Encryption-Key - description: AES256 encryption key in hexadecimal form (64 characters) that is used to encrypt and decrypt signing doucment. + description: | + AES256 encryption key in Base64 form (44 base64 characters == 32 bytes) that is used to encrypt and decrypt signing doucment. + + Example: `EeESAfZQh9OTf5qZhHZtgaDJpYtxZD6TIOQJzRgRFgQ=` Parameter: type: apiKey in: query name: encryptionKey - description: AES256 encryption key in hexadecimal form (64 characters) that is used to encrypt and decrypt signing doucment. + description: | + AES256 encryption key in Base64 form (44 base64 characters == 32 bytes) that is used to encrypt and decrypt signing doucment. + + Example: `EeESAfZQh9OTf5qZhHZtgaDJpYtxZD6TIOQJzRgRFgQ=` + + Device JWT: + description: | + JWT token must be encoded using ES256 and device-specific key matching `sub` claim. + Maximum `exp` claim duration id 15 minutes. + `jti` claim is required and must be unique for the 15 minutes. + `jti` claim must complain with regular expression: `/\A[0-9a-z\-_]{32,256}\z/i` + + Example of `header` segment: + + { + "alg": "ES256", + } + + Example `payload` segment: + + { + "sub": "123", + "exp": 1543437976, + "jti": "4dee8618-abbe-4dc3-83ba-e984d1396f9f" + } + + Token must be present in either: + - header `Authorization: Bearer ` + - query parameter `?token=` + type: http + scheme: bearer + bearerFormat: JWT + + Integration JWT: + description: | + JWT token must be encoded using ES256 and integration-specific key matching `sub` claim. + Maximum `exp` claim duration id 15 minutes. + `jti` claim is required and must be unique for the 15 minutes. + `jti` claim must complain with regular expression: `/\A[0-9a-z\-_]{32,256}\z/i` + + Example of `header` segment: + + { + "alg": "ES256", + } + + Example `payload` segment: + + { + "sub": "123", + "exp": 1543437976, + "jti": "4dee8618-abbe-4dc3-83ba-e984d1396f9f" + } + + Token must be present in either: + - header `Authorization: Bearer ` + - query parameter `?token=` + type: http + scheme: bearer + bearerFormat: JWT + + examples: + XAdES-ASiC_E-TXT: + value: + document: + content: "Testovací dokument" + filename: TextDocument.txt + parameters: + level: XAdES_BASELINE_B + container: ASiC_E + payloadMimeType: "text/plain" + + XAdES-ASiC_E-Base64-HTML: + value: + document: + content: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48R2VuZXJhbEFnZW5kYSB4bWxucz0iaHR0cDovL3NjaGVtYXMuZ292LnNrL2Zvcm0vQXBwLkdlbmVyYWxBZ2VuZGEvMS45Ij4KICA8c3ViamVjdD5Ob3bDqSBwb2RhbmllPC9zdWJqZWN0PgogIDx0ZXh0PlBvZMOhdmFtIHRvdG8gbm92w6kgcG9kYW5pZS48L3RleHQ+CjwvR2VuZXJhbEFnZW5kYT4=" + parameters: + level: XAdES_BASELINE_B + container: ASiC_E + identifier: "http://data.gov.sk/doc/eform/App.GeneralAgenda/1.9" + containerXmlns: http://data.gov.sk/def/container/xmldatacontainer+xml/1.1 + schema: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48eHM6c2NoZW1hIGVsZW1lbnRGb3JtRGVmYXVsdD0icXVhbGlmaWVkIiBhdHRyaWJ1dGVGb3JtRGVmYXVsdD0idW5xdWFsaWZpZWQiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgdGFyZ2V0TmFtZXNwYWNlPSJodHRwOi8vc2NoZW1hcy5nb3Yuc2svZm9ybS9BcHAuR2VuZXJhbEFnZW5kYS8xLjkiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5nb3Yuc2svZm9ybS9BcHAuR2VuZXJhbEFnZW5kYS8xLjkiPgo8eHM6c2ltcGxlVHlwZSBuYW1lPSJ0ZXh0QXJlYSI+Cjx4czpyZXN0cmljdGlvbiBiYXNlPSJ4czpzdHJpbmciPgo8L3hzOnJlc3RyaWN0aW9uPgo8L3hzOnNpbXBsZVR5cGU+Cjx4czpzaW1wbGVUeXBlIG5hbWU9Im1lbm8iPgo8eHM6cmVzdHJpY3Rpb24gYmFzZT0ieHM6c3RyaW5nIj4KPC94czpyZXN0cmljdGlvbj4KPC94czpzaW1wbGVUeXBlPgoKCjx4czplbGVtZW50IG5hbWU9IkdlbmVyYWxBZ2VuZGEiPgo8eHM6Y29tcGxleFR5cGU+Cjx4czpzZXF1ZW5jZT4KPHhzOmVsZW1lbnQgbmFtZT0ic3ViamVjdCIgdHlwZT0ibWVubyIgbWluT2NjdXJzPSIwIiBuaWxsYWJsZT0idHJ1ZSIgLz4KPHhzOmVsZW1lbnQgbmFtZT0idGV4dCIgdHlwZT0idGV4dEFyZWEiIG1pbk9jY3Vycz0iMCIgbmlsbGFibGU9InRydWUiIC8+CjwveHM6c2VxdWVuY2U+CjwveHM6Y29tcGxleFR5cGU+CjwveHM6ZWxlbWVudD4KPC94czpzY2hlbWE+" + transformation: "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjx4c2w6c3R5bGVzaGVldCB2ZXJzaW9uPSIxLjAiICB4bWxuczp4c2w9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvWFNML1RyYW5zZm9ybSIgIHhtbG5zOmVnb25wPSJodHRwOi8vc2NoZW1hcy5nb3Yuc2svZm9ybS9BcHAuR2VuZXJhbEFnZW5kYS8xLjkiIGV4Y2x1ZGUtcmVzdWx0LXByZWZpeGVzPSJlZ29ucCI+DQo8eHNsOm91dHB1dCBtZXRob2Q9Imh0bWwiIGRvY3R5cGUtc3lzdGVtPSJodHRwOi8vd3d3LnczLm9yZy9UUi9odG1sNC9zdHJpY3QuZHRkIiBkb2N0eXBlLXB1YmxpYz0iLS8vVzNDLy9EVEQgSFRNTCA0LjAxLy9FTiIgaW5kZW50PSJubyIgb21pdC14bWwtZGVjbGFyYXRpb249InllcyIvPg0KPHhzbDp0ZW1wbGF0ZSBtYXRjaD0iLyI+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT04IiAvPg0KPHRpdGxlPlbFoWVvYmVjbsOhIGFnZW5kYTwvdGl0bGU+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCIvPg0KPG1ldGEgbmFtZT0ibGFuZ3VhZ2UiIGNvbnRlbnQ9InNrLVNLIi8+DQo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPg0KYm9keSB7IA0KCWZvbnQtZmFtaWx5OiAnT3BlbiBTYW5zJywgJ1NlZ29lIFVJJywgJ1RyZWJ1Y2hldCBNUycsICdHZW5ldmEgQ0UnLCBsdWNpZGEsIHNhbnMtc2VyaWY7DQoJYmFja2dyb3VuZCA6ICNmZmZmZmYgIWltcG9ydGFudCA7DQp9DQoudWktdGFicyB7DQoJcGFkZGluZzogLjJlbTsNCglwb3NpdGlvbjogcmVsYXRpdmU7DQoJem9vbTogMTsNCn0JCQkJCQkJCQ0KLmNsZWFyIHsgY2xlYXI6IGJvdGg7IGhlaWdodDogMDt9DQoubGF5b3V0TWFpbiB7DQoJbWFyZ2luOiAwcHggYXV0bzsNCglwYWRkaW5nOiA1cHggNXB4IDVweCA1cHg7CQ0KfQkJCQkNCi5sYXlvdXRSb3cgeyBtYXJnaW4tYm90dG9tOiA1cHg7IH0JCQkJDQouY2FwdGlvbiB7IC8qd2lkdGg6IDEwMCU7IGJvcmRlci1ib3R0b206IHNvbGlkIDFweCBibGFjazsqLyB9DQoubm9jYXB0aW9uICZndDsgLmNhcHRpb24geyBib3JkZXI6IDBweCAhaW1wb3J0YW50OyB9DQoubm9jYXB0aW9uICZndDsgLmNhcHRpb24gc3BhbiB7DQoJYmFja2dyb3VuZDogbm9uZSAhaW1wb3J0YW50Ow0KCWRpc3BsYXk6IG5vbmU7DQp9IA0KLmNhcHRpb24gLnRpdGxlIHsgcGFkZGluZy1sZWZ0OiA1cHg7IH0NCi5oZWFkZXJjb3JyZWN0aW9uIHsJDQoJbWFyZ2luOiAwcHg7DQogICAgZm9udC1zaXplIDogMWVtOw0KICAgIGZvbnQtd2VpZ2h0OiBib2xkOw0KfQkJCQkNCi5sYWJlbFZpcyB7DQoJZmxvYXQ6IGxlZnQ7DQoJZm9udC13ZWlnaHQ6IGJvbGQ7DQoJZm9udC1mYW1pbHk6ICdPcGVuIFNhbnMnLCAnU2Vnb2UgVUknLCAnVHJlYnVjaGV0IE1TJywgJ0dlbmV2YSBDRScsIGx1Y2lkYSwgc2Fucy1zZXJpZjsNCglsaW5lLWhlaWdodDogMjVweDsNCgltYXJnaW46IDBweCAxOHB4IDBweCAwcHg7DQoJcGFkZGluZy1sZWZ0OiAzcHg7DQoJd2lkdGg6IDE5MHB4Ow0KCXdvcmQtd3JhcDogYnJlYWstd29yZDsNCiAgICBmb250LXNpemU6IDAuOGVtOw0KfQ0KLmNvbnRlbnRWaXMgeyAgICAJICAgICANCglmbG9hdDogbGVmdDsJDQoJbGluZS1oZWlnaHQ6IDI1cHg7DQoJbWFyZ2luOiAwcHg7DQoJcGFkZGluZzogMHB4Ow0KCXZlcnRpY2FsLWFsaWduOiB0b3A7DQogICAgZm9udC1zaXplOiAwLjc1ZW07CQkJDQp9DQoud29yZHdyYXAgeyANCiAgICB3aGl0ZS1zcGFjZTogcHJlLXdyYXA7ICAgICAgDQogICAgd2hpdGUtc3BhY2U6IC1tb3otcHJlLXdyYXA7IA0KICAgIHdoaXRlLXNwYWNlOiAtcHJlLXdyYXA7ICAgICANCiAgICB3aGl0ZS1zcGFjZTogLW8tcHJlLXdyYXA7ICAgDQogICAgd29yZC13cmFwOiBicmVhay13b3JkOyAgICAgIA0KfQkNCi51aS13aWRnZXQtY29udGVudCB7DQoJYmFja2dyb3VuZCA6IDUwJSA1MCUgcmVwZWF0LXggI2ZmZmZmZjsNCglib3JkZXIgOiAjZDRkNGQ0IHNvbGlkIDJweDsNCgljb2xvciA6ICM0ZjRlNGU7DQoJYm9yZGVyLXJhZGl1cyA6IDNweDsNCn0NCi51aS13aWRnZXQtaGVhZGVyIHsNCgljdXJzb3IgOiBwb2ludGVyOw0KCWZvbnQtc2l6ZSA6IDAuOGVtOw0KCWNvbG9yIDogIzQ5NDk0OTsNCglwYWRkaW5nLWxlZnQgOiAycHg7DQoJYm9yZGVyIDogI2VhZTllOCBzb2xpZCAxcHg7DQoJYmFja2dyb3VuZC1jb2xvciA6ICNlYWU5ZTg7DQoJbWFyZ2luLWJvdHRvbTogM3B4Ow0KCWJvcmRlci1yYWRpdXMgOiAzcHg7DQp9CQkJDQo8L3N0eWxlPg0KPC9oZWFkPg0KPGJvZHk+DQo8ZGl2IGlkPSJtYWluIiBjbGFzcz0ibGF5b3V0TWFpbiI+DQo8eHNsOmFwcGx5LXRlbXBsYXRlcy8+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCjwveHNsOnRlbXBsYXRlPg0KPHhzbDp0ZW1wbGF0ZSBtYXRjaD0iL2Vnb25wOkdlbmVyYWxBZ2VuZGEiPg0KPGRpdiBjbGFzcz0ibGF5b3V0Um93IHVpLXRhYnMgdWktd2lkZ2V0LWNvbnRlbnQiID4NCjxkaXYgY2xhc3M9ImNhcHRpb24gdWktd2lkZ2V0LWhlYWRlciI+DQo8ZGl2IGNsYXNzPSJoZWFkZXJjb3JyZWN0aW9uIj5WxaFlb2JlY27DoSBhZ2VuZGE8L2Rpdj4NCjwvZGl2Pg0KPHhzbDphcHBseS10ZW1wbGF0ZXMgc2VsZWN0PSIuL2Vnb25wOnN1YmplY3QiLz4NCjx4c2w6YXBwbHktdGVtcGxhdGVzIHNlbGVjdD0iLi9lZ29ucDp0ZXh0Ii8+DQo8L2Rpdj4NCjwveHNsOnRlbXBsYXRlPg0KPHhzbDp0ZW1wbGF0ZSBtYXRjaD0iZWdvbnA6R2VuZXJhbEFnZW5kYS9lZ29ucDpzdWJqZWN0Ij4NCjx4c2w6aWYgdGVzdD0iLi90ZXh0KCkiPg0KPGRpdj48bGFiZWwgY2xhc3M9ImxhYmVsVmlzIj5QcmVkbWV0OiA8L2xhYmVsPjxzcGFuIGNsYXNzPSJjb250ZW50VmlzIHdvcmR3cmFwIj48eHNsOmNhbGwtdGVtcGxhdGUgbmFtZT0ic3RyaW5nLXJlcGxhY2UtYWxsIj48eHNsOndpdGgtcGFyYW0gbmFtZT0idGV4dCIgc2VsZWN0PSIuIiAvPjx4c2w6d2l0aC1wYXJhbSBuYW1lPSJyZXBsYWNlIiBzZWxlY3Q9IiclMEEnIiAvPjx4c2w6d2l0aC1wYXJhbSBuYW1lPSJieSIgc2VsZWN0PSInJiMxMzsmIzEwOyciIC8+PC94c2w6Y2FsbC10ZW1wbGF0ZT48L3NwYW4+PC9kaXY+PGRpdiBjbGFzcz0iY2xlYXIiPiYjeGEwOzwvZGl2PjwveHNsOmlmPg0KPC94c2w6dGVtcGxhdGU+DQo8eHNsOnRlbXBsYXRlIG1hdGNoPSJlZ29ucDpHZW5lcmFsQWdlbmRhL2Vnb25wOnRleHQiPg0KPHhzbDppZiB0ZXN0PSIuL3RleHQoKSI+DQo8ZGl2PjxsYWJlbCBjbGFzcz0ibGFiZWxWaXMiPlRleHQ6IDwvbGFiZWw+PHNwYW4gY2xhc3M9ImNvbnRlbnRWaXMgd29yZHdyYXAiPjx4c2w6Y2FsbC10ZW1wbGF0ZSBuYW1lPSJzdHJpbmctcmVwbGFjZS1hbGwiPjx4c2w6d2l0aC1wYXJhbSBuYW1lPSJ0ZXh0IiBzZWxlY3Q9Ii4iIC8+PHhzbDp3aXRoLXBhcmFtIG5hbWU9InJlcGxhY2UiIHNlbGVjdD0iJyUwQSciIC8+PHhzbDp3aXRoLXBhcmFtIG5hbWU9ImJ5IiBzZWxlY3Q9IicmIzEzOyYjMTA7JyIgLz48L3hzbDpjYWxsLXRlbXBsYXRlPjwvc3Bhbj48L2Rpdj48ZGl2IGNsYXNzPSJjbGVhciI+JiN4YTA7PC9kaXY+PC94c2w6aWY+DQo8L3hzbDp0ZW1wbGF0ZT4NCjx4c2w6dGVtcGxhdGUgbmFtZT0iZm9ybWF0VG9Ta0RhdGUiPg0KPHhzbDpwYXJhbSBuYW1lPSJkYXRlIiAvPg0KPHhzbDp2YXJpYWJsZSBuYW1lPSJkYXRlU3RyaW5nIiBzZWxlY3Q9InN0cmluZygkZGF0ZSkiIC8+DQo8eHNsOmNob29zZT4NCjx4c2w6d2hlbiB0ZXN0PSIkZGF0ZVN0cmluZyAhPSAnJyBhbmQgc3RyaW5nLWxlbmd0aCgkZGF0ZVN0cmluZyk9MTAgYW5kIHN0cmluZyhudW1iZXIoc3Vic3RyaW5nKCRkYXRlU3RyaW5nLCAxLCA0KSkpICE9ICdOYU4nICI+DQo8eHNsOnZhbHVlLW9mIHNlbGVjdD0iY29uY2F0KHN1YnN0cmluZygkZGF0ZVN0cmluZywgOSwgMiksICcuJywgc3Vic3RyaW5nKCRkYXRlU3RyaW5nLCA2LCAyKSwgJy4nLCBzdWJzdHJpbmcoJGRhdGVTdHJpbmcsIDEsIDQpKSIgLz4NCjwveHNsOndoZW4+DQo8eHNsOm90aGVyd2lzZT4NCjx4c2w6dmFsdWUtb2Ygc2VsZWN0PSIkZGF0ZVN0cmluZyI+PC94c2w6dmFsdWUtb2Y+DQo8L3hzbDpvdGhlcndpc2U+DQo8L3hzbDpjaG9vc2U+DQo8L3hzbDp0ZW1wbGF0ZT4NCjx4c2w6dGVtcGxhdGUgbmFtZT0iYm9vbGVhbkNoZWNrYm94VG9TdHJpbmciPg0KPHhzbDpwYXJhbSBuYW1lPSJib29sVmFsdWUiIC8+DQo8eHNsOnZhcmlhYmxlIG5hbWU9ImJvb2xWYWx1ZVN0cmluZyIgc2VsZWN0PSJzdHJpbmcoJGJvb2xWYWx1ZSkiIC8+DQo8eHNsOmNob29zZT4NCjx4c2w6d2hlbiB0ZXN0PSIkYm9vbFZhbHVlU3RyaW5nID0gJ3RydWUnICI+DQo8eHNsOnRleHQ+w4FubzwveHNsOnRleHQ+DQo8L3hzbDp3aGVuPg0KPHhzbDp3aGVuIHRlc3Q9IiRib29sVmFsdWVTdHJpbmcgPSAnZmFsc2UnICI+DQo8eHNsOnRleHQ+TmllPC94c2w6dGV4dD4NCjwveHNsOndoZW4+DQo8eHNsOndoZW4gdGVzdD0iJGJvb2xWYWx1ZVN0cmluZyA9ICcxJyAiPg0KPHhzbDp0ZXh0PsOBbm88L3hzbDp0ZXh0Pg0KPC94c2w6d2hlbj4NCjx4c2w6d2hlbiB0ZXN0PSIkYm9vbFZhbHVlU3RyaW5nID0gJzAnICI+DQo8eHNsOnRleHQ+TmllPC94c2w6dGV4dD4NCjwveHNsOndoZW4+DQo8eHNsOm90aGVyd2lzZT4NCjx4c2w6dmFsdWUtb2Ygc2VsZWN0PSIkYm9vbFZhbHVlU3RyaW5nIj48L3hzbDp2YWx1ZS1vZj4NCjwveHNsOm90aGVyd2lzZT4NCjwveHNsOmNob29zZT4NCjwveHNsOnRlbXBsYXRlPg0KPHhzbDp0ZW1wbGF0ZSBuYW1lPSJmb3JtYXRUaW1lVHJpbVNlY29uZHMiPg0KPHhzbDpwYXJhbSBuYW1lPSJ0aW1lIiAvPg0KPHhzbDp2YXJpYWJsZSBuYW1lPSJ0aW1lU3RyaW5nIiBzZWxlY3Q9InN0cmluZygkdGltZSkiIC8+DQo8eHNsOmlmIHRlc3Q9IiR0aW1lU3RyaW5nICE9ICcnIj4NCjx4c2w6dmFsdWUtb2Ygc2VsZWN0PSJzdWJzdHJpbmcoJHRpbWVTdHJpbmcsIDEsIDUpIiAvPg0KPC94c2w6aWY+DQo8L3hzbDp0ZW1wbGF0ZT4NCjx4c2w6dGVtcGxhdGUgbmFtZT0iZm9ybWF0VGltZSI+DQo8eHNsOnBhcmFtIG5hbWU9InRpbWUiIC8+DQo8eHNsOnZhcmlhYmxlIG5hbWU9InRpbWVTdHJpbmciIHNlbGVjdD0ic3RyaW5nKCR0aW1lKSIgLz4NCjx4c2w6aWYgdGVzdD0iJHRpbWVTdHJpbmcgIT0gJyciPg0KPHhzbDp2YWx1ZS1vZiBzZWxlY3Q9InN1YnN0cmluZygkdGltZVN0cmluZywgMSwgOCkiIC8+DQo8L3hzbDppZj4NCjwveHNsOnRlbXBsYXRlPg0KPHhzbDp0ZW1wbGF0ZSBuYW1lPSJzdHJpbmctcmVwbGFjZS1hbGwiPg0KPHhzbDpwYXJhbSBuYW1lPSJ0ZXh0Ii8+DQo8eHNsOnBhcmFtIG5hbWU9InJlcGxhY2UiLz4NCjx4c2w6cGFyYW0gbmFtZT0iYnkiLz4NCjx4c2w6Y2hvb3NlPg0KPHhzbDp3aGVuIHRlc3Q9ImNvbnRhaW5zKCR0ZXh0LCAkcmVwbGFjZSkiPg0KPHhzbDp2YWx1ZS1vZiBzZWxlY3Q9InN1YnN0cmluZy1iZWZvcmUoJHRleHQsJHJlcGxhY2UpIi8+DQo8eHNsOnZhbHVlLW9mIHNlbGVjdD0iJGJ5Ii8+DQo8eHNsOmNhbGwtdGVtcGxhdGUgbmFtZT0ic3RyaW5nLXJlcGxhY2UtYWxsIj4NCjx4c2w6d2l0aC1wYXJhbSBuYW1lPSJ0ZXh0IiBzZWxlY3Q9InN1YnN0cmluZy1hZnRlcigkdGV4dCwkcmVwbGFjZSkiLz4NCjx4c2w6d2l0aC1wYXJhbSBuYW1lPSJyZXBsYWNlIiBzZWxlY3Q9IiRyZXBsYWNlIi8+DQo8eHNsOndpdGgtcGFyYW0gbmFtZT0iYnkiIHNlbGVjdD0iJGJ5IiAvPg0KPC94c2w6Y2FsbC10ZW1wbGF0ZT4NCjwveHNsOndoZW4+DQo8eHNsOm90aGVyd2lzZT4NCjx4c2w6dmFsdWUtb2Ygc2VsZWN0PSIkdGV4dCIvPg0KPC94c2w6b3RoZXJ3aXNlPg0KPC94c2w6Y2hvb3NlPg0KPC94c2w6dGVtcGxhdGU+DQo8eHNsOnRlbXBsYXRlIG5hbWU9ImZvcm1hdFRvU2tEYXRlVGltZSI+DQo8eHNsOnBhcmFtIG5hbWU9ImRhdGVUaW1lIiAvPg0KPHhzbDp2YXJpYWJsZSBuYW1lPSJkYXRlVGltZVN0cmluZyIgc2VsZWN0PSJzdHJpbmcoJGRhdGVUaW1lKSIgLz4NCjx4c2w6Y2hvb3NlPg0KPHhzbDp3aGVuIHRlc3Q9IiRkYXRlVGltZVN0cmluZyE9ICcnIGFuZCBzdHJpbmctbGVuZ3RoKCRkYXRlVGltZVN0cmluZyk+MTggYW5kIHN0cmluZyhudW1iZXIoc3Vic3RyaW5nKCRkYXRlVGltZVN0cmluZywgMSwgNCkpKSAhPSAnTmFOJyAiPg0KPHhzbDp2YWx1ZS1vZiBzZWxlY3Q9ImNvbmNhdChzdWJzdHJpbmcoJGRhdGVUaW1lU3RyaW5nLCA5LCAyKSwgJy4nLCBzdWJzdHJpbmcoJGRhdGVUaW1lU3RyaW5nLCA2LCAyKSwgJy4nLCBzdWJzdHJpbmcoJGRhdGVUaW1lU3RyaW5nLCAxLCA0KSwnICcsIHN1YnN0cmluZygkZGF0ZVRpbWVTdHJpbmcsIDEyLCAyKSwnOicsIHN1YnN0cmluZygkZGF0ZVRpbWVTdHJpbmcsIDE1LCAyKSkiIC8+DQo8L3hzbDp3aGVuPg0KPHhzbDpvdGhlcndpc2U+DQo8eHNsOnZhbHVlLW9mIHNlbGVjdD0iJGRhdGVUaW1lU3RyaW5nIj48L3hzbDp2YWx1ZS1vZj4NCjwveHNsOm90aGVyd2lzZT4NCjwveHNsOmNob29zZT4NCjwveHNsOnRlbXBsYXRlPg0KPHhzbDp0ZW1wbGF0ZSBuYW1lPSJmb3JtYXRUb1NrRGF0ZVRpbWVTZWNvbmQiPg0KPHhzbDpwYXJhbSBuYW1lPSJkYXRlVGltZSIgLz4NCjx4c2w6dmFyaWFibGUgbmFtZT0iZGF0ZVRpbWVTdHJpbmciIHNlbGVjdD0ic3RyaW5nKCRkYXRlVGltZSkiIC8+DQo8eHNsOmNob29zZT4NCjx4c2w6d2hlbiB0ZXN0PSIkZGF0ZVRpbWVTdHJpbmchPSAnJyBhbmQgc3RyaW5nLWxlbmd0aCgkZGF0ZVRpbWVTdHJpbmcpPjE4IGFuZCBzdHJpbmcobnVtYmVyKHN1YnN0cmluZygkZGF0ZVRpbWVTdHJpbmcsIDEsIDQpKSkgIT0gJ05hTicgIj4NCjx4c2w6dmFsdWUtb2Ygc2VsZWN0PSJjb25jYXQoc3Vic3RyaW5nKCRkYXRlVGltZVN0cmluZywgOSwgMiksICcuJywgc3Vic3RyaW5nKCRkYXRlVGltZVN0cmluZywgNiwgMiksICcuJywgc3Vic3RyaW5nKCRkYXRlVGltZVN0cmluZywgMSwgNCksJyAnLCBzdWJzdHJpbmcoJGRhdGVUaW1lU3RyaW5nLCAxMiwgMiksJzonLCBzdWJzdHJpbmcoJGRhdGVUaW1lU3RyaW5nLCAxNSwgMiksJzonLCBzdWJzdHJpbmcoJGRhdGVUaW1lU3RyaW5nLCAxOCwgMikpIiAvPg0KPC94c2w6d2hlbj4NCjx4c2w6b3RoZXJ3aXNlPg0KPHhzbDp2YWx1ZS1vZiBzZWxlY3Q9IiRkYXRlVGltZVN0cmluZyI+PC94c2w6dmFsdWUtb2Y+DQo8L3hzbDpvdGhlcndpc2U+DQo8L3hzbDpjaG9vc2U+DQo8L3hzbDp0ZW1wbGF0ZT4NCjwveHNsOnN0eWxlc2hlZXQ+DQoNCg==" + payloadMimeType: application/xml;base64 + + XAdES-ASiC_E-Auto: + value: + document: + content: "\n Nové podanie\n Podávam toto nové podanie.\n" + filename: document.xml + parameters: + autoLoadEform: true + level: XAdES_BASELINE_B + payloadMimeType: application/xml + + PAdES-PDF: + value: + parameters: + level: PAdES_BASELINE_B + document: + content: "JVBERi0xLjUKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nG1QO2uDMQzc/Ss0Fz5F8lMGY+jXJNBuAUOH0qmPTElJlv79yvaQQovBOut0usOEDN/mAgSEZAVCDmhTAPGMEhmuH+b5Ds5zQs/1aNZmQkSBxIJJMrR32OwZ2EL7fCnENUohS67aXjyFDmJdYtFHqlqEsoJl8Pe0Ksmde6iL1m0NhXb1tT2ZXTOHf53JY/7rvNJ+LnLTUfF0mVGYlNcUzMqw/Z0qj96QcB9mX2MqHG4pDnABKw5jzhCdHfYcBedN2r39VO/oF/bQCodMVOSQVPR2MpvHk4ftF/StP25JUbsKZW5kc3RyZWFtCmVuZG9iagoKMyAwIG9iagoyMjUKZW5kb2JqCgo0IDAgb2JqCjw8L1R5cGUvWE9iamVjdC9TdWJ0eXBlL0ltYWdlL1dpZHRoIDIyNS9IZWlnaHQgMjI0L0JpdHNQZXJDb21wb25lbnQgOC9MZW5ndGggNSAwIFIKL0ZpbHRlci9GbGF0ZURlY29kZS9Db2xvclNwYWNlL0RldmljZVJHQgo+PgpzdHJlYW0KeJzt3c9rFGcYwHH/BaGXInhZkFwCBSmCFG+GngSlCP64FCpeBA8LPYgQEMRLvIiHXIQeLBXFHiNFCh4sRanYeigihKoHE6NRshg0/to+ZtpUe9p3UnaedD4fXkoO8zqzmW9mZ8vMTr8PAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGvYdz88O3ji8aGJ+aJx8tuFxRdvm952WiFi27R/5tOvZgcfn3w5E1X3Ft80ve20QiQayW09ODv4iEolytBIlOQkSnISJTmJkpxESU6iJCdRkpMoyUmU5CRKchIlOYmSnERJTqIkd/zM04++eNDZO1M0dh99JFGGI0qbefy6dDxZ0CcFFl+8vX335Z37r4pGlBZz47+lE1fm1pi4MpdWuXl7Kd6s45Ry8LFp/8y+Y/P95XPReOMumhvLx6yYu/3ww/h3SueePrfQ9C+MYYtEI5UaH3n6tT4uxfJVop935+LfKZ07eUGirSNRkpMoyUmU5CRKchIlOYmSnERJTqIkJ1GSkyjJSZTkJEpyEiU5iZJcJNrZW+fLwPu1vkg8ln8/0dL1SrSFItHthx9GMEXj69NP+suPY9h99NG+Y/ODj1i+yix+Ll1pbKdEgf+TS1cXj595WjriSOihNgxHdS5adP9RjHiLd5Myw+GrHkhOoiQnUZKTKMlJlOQkSnISJTmJkpxESU6iJCdRkpMoyUmU5CRKchIlueqhNpv2zww+OntdL8rwzDx+ffvuy9Jx5/6rpjecBtR7Rszii7ereajNk4U3Q36oTXX4rbHBK3NpRKRS3SBZNGJK7LjY3XF+WDr30MS7h9qcPrcQp5dFE2P56sE0u448Kl1pzL1y43m82BobHCPmNr2j2iv2WuyCom9OqBaOPmt81cP799EP7aseqvvoq0TjhLb0M1oMiTaoSrRor1VHv3qJNvhtJPUSrbZZog2SqESTk6hEk5OoRJOTqESTk6hEk5OoRJOTqESTk6hEk5OoRJOTqESTk6hEk5OoRJOTqESTW7kYr2hs/ftivEYealNjg99PtN7cpndUe8Veq54XUzRiSnVJcxzQiibuOvLo+Jmn/eWH2kSrhybmBx+xfMyKufFD6QbHen+69aK6frve3Ib3U7tVt3iUjtXPbc8GsxbFW+fkhYXS8f2PzwTDcMRZZZwWFj3RJs5F3aTM0PiqB5KTKMlJlOQkSnISJTmJkpxESU6iJCdRkpMoyUmU5CRKchIlOYmSnERJrrpetOihNq4XZZhu3l66dHWxdFy58dxV9wAAAAAAAAAAAAAAAACsXVNTU5Plzp8/v7i01PS20wrdbnddubGxsV6v1/S20wpVoutLxPI7duyQKMMhUZKTKMlJlOTGx8clSmaOoiQnUZKTKMk5FyU5R1GSkyjJSZTkJEpyPi6RnKMoyblelORqX3UvUYr0ank38+XLOmMVK3VHSQtdu3Yt3nw/LhGnlHv27Ila7p069cvmzb9u2zb4iOVjVqx3dHQ0/p2i9cZ2TkxMNP0LY9iqRGt85IlE/zhx4vrISFQ3+Lje6dw7eTLWWyVXul6JttBqEo3YihMdGakS3bhxY9FKJdpaEiU5iZKcRElOoiQnUZKTKMlJlOQkSnISJTmJkpxESU6iJCdRkqsSLfXPxXidTlmiH16MV0qiLRSJjo6OflZiy5Yt3W63uqT5t507S0d1SfPY2FjRSqv1Tk5ONv0LowERW43x1+S694asaqWsNb1e75taZmdnX83NPTh7du7ixaLx9PLlWO+zW7dKJ8aIWTG3xsQYsbXxYuNYWuPFTk9PN72j2itKq3FeF+JdPoL5ed26OEUcfFzbsOH3AwfiYBjnovFz6dzqXLQ6Ly2dG38atV/s1NRU0zuqvWKvlX46Xr98a1uVaOz60k/l7xLt92t+ol8+F61utSudu5Jojf8bINEGSVSiyUlUoslJVKLJSVSiyUlUoslJVKLJSVSiyUlUoslJVKLJSVSiyUlUoslJVKLJSVSiyUlUosn9B9eLjowUjE7ng+tFS+b++3rRwrmuF12jer3eeC3T09Ov5uaitMimaDw4ezbWG8GUToxRXbEfx9Iac+MPKl5st9ut8WLj77HpHQVt8SdiRoCzCmVuZHN0cmVhbQplbmRvYmoKCjUgMCBvYmoKMTU4NwplbmRvYmoKCjcgMCBvYmoKPDwvTGVuZ3RoIDggMCBSL0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGgxIDEyNjAwPj4Kc3RyZWFtCnic5XppeBvXkeCrbpwESDQgnIQENAVTssQDPCRbtA62KBKkREqERFImdBEgAR42ScAAKFk+InriK1RkM76viZSs7VFmNOumpWQVryeiE3uyM15fGzsTx9FY89mz+fzFshlH8WRsE9x6Dw2IlGXnm9n9ty11d726Xr2qetX1BKWTYzFiJOOEJ1LfSCTRtX5NDSHkfxIClr79aXF9u20twucI4f5Xf2Jg5LH/tucCIapThGhPDQwf7H/15bueIMQ4SIj1+GAsEq2rPllGSImAOq4aRMSezEEtjltwfMXgSPrGv1Td0IrjYRx3D8f7IpM1bVfh+EUcV45EbkyUqFo5HOMcRByNjMT+9MDPooQstRJiSCXiqXSU3D1HSMXdlJ5IxhJtj/W+hOPjhPCTiAP8Qy8jgho65niVWqPV6QsMxsIik2C2LLLayP9Hl/oIsZEW9XpiIgn2XHDxJ4iLPErI3Id0dPGZaZv77P+lFbrs6xHyNDlFjpC3yV6FECBBMkTGEDP/eoG8gVh6Bcku8tdk4ivUniCnkZ7lC5N76UouewXJw+Qk+fmCWYJkhNyMtvyQvA3V5B8wVeLkE9CR28hLqPUTxG29nCquCB/9DOyfh32HPM4dJlu493HwKKVwfk4gL5InYB9qTuM6j+RXvO5LSu8it+KzgwyS/QizS73+i18T/dwfcFW3ki3kL8hGMjxP4nk4yhdg/DrJUfTpCwznzxG1Lfx13I84bvZ+HHyHDOAdAVw7d4Tf+BUe+g9ffBcphBV8KdFfjsqtIqbMZ1zN3AX+ClJAuuZmcri51rk/8JHMqKpHtVi9XvXy182h+Y5qBKXJ3L9mbs5E1dvUT2O0cKdLzbt3hbq7Ojt2bA+2b9va1rplc0tzoKlxU8NGqX7D+nVrr6lbc/VVq6ur/JUV5VcuX1Z6hW9piddpNQumokJDgV6n1ahVPAekXJQh3CTzpaI5EPE1+SItFeVik3OwsaK8yRcIy2JElPGlWuZraWEoX0QWw6K8DF+ReeiwLCFn/yWcUpZTynOCIK4j6+gUPlF+pdEnnoZd27sRPtLoC4nyeQZvZbBqGRsU4qCkBCWYVdRasUkO7B+caAqjjTBlKNjk2xQrqCgnUwUGBA0IyVf6ElNw5QZgAHdl0zVTHNEV0mlxpU2RqBzc3t3U6C4pCVWUb5aLfI2MRDYxlbJmk6xlKsUhajo5LE6VT098+7RAesNlxqgvGtnTLfMRlJ3gmyYm7pLNZfIKX6O84qb3nbjymFzua2ySy6jW1h35eVovTgmyulTwiRN/JLgc3/kPF2IiCkZTKvyRUFDmNsmwo7uEXu4A+npiIuATAxPhicjpufFenyj4JqaMxolEE7qbBLtRxem55w675cC3Q7IQHoRrQsrSAzta5UXbd3fLXGlAHIwgBv/W+0rWuEvMeZ7gV5EJugWdgx4uKaFuOHxaIr04kMe3d2fHIul1P0skf1lI5sKUMp2j2LooZTxHyYuHfRjb1o7uCVlVujnqa0KPH47I472YXdfRwPgEuehTd4lvwmIW6/whxiuiVZujQ6KsXoZOQqn5Apg3VGRCYIOiT7Ov826cYJnZItb5UA3V0+RrCit/9w86UYGIjm4pyyZCZ7csNSIgRZSINU1V+VEiEsaADTWyYMp+X0K2+hry0aVmNQ11dDMRRUy2bpJJuE+Rkv1NbF+JTRPhxqwJVJdve/ePSe3cualVovtkLVlFQo2U2b4Js2xZ00R3tF/2ht1R3Hf9Yre7RJZCGOGQrzsWommHHlpxzs2SI8RypbO7tcPXun1X9xrFkCyBqlOVNl2ixtftzqrBBJR1pTqxm3PzIWQUECEGEPA1rMOnrC3V4S2gwxmWJm7DOrEb3CTHjWbIK8SmWKPCR8cLlKppOm1qyWnT0CHq2dTiLgmVZK+Kcg7JojIxSuioU1tyJCxTSNBhfm5qYSjqSydNerHbF/OFfIOiLAW76dqoe5iXFWcwnyux6lwwmucsdBMpQXJuQJ0pB8rc850rN7NxfthyCXlzjixO6HytHRNUuU9RSNDyzTKhKSytMbtZLaAb2oe1VxRwS7MNPTElSXQzD15Dlfg2Ryd8Hd3rGDfWk1vdN9G5LKQVWjsbKsqxtDVM+eDu7VMS3N2xq/vHAvaFd3d2P8sBtyncEJq6AmndPxbxo8GwHMVSJB2IdEA17cCBjvG7fywRMs6oKoZg477TQBhOl8MB6TvNZXFCdqJlbCKJcEhRZSlSjluFOF0WN85w7Joi1GVSgVrSSXrJyBVy7imgqGcR8xz2sXogJ41QCO4plNrB0KdhfEovubMc48ghZS28u+vi1F27uk8a8evsZk+cqIFemC7OQQw2flaaxChNlFtCgxPhEN1sxI6hwb8gg28Dhsm3AQ3RGOUCX6xBNvgaKL6e4uuzeA3FazFFwQ4oPo6xD8pAM2B3dwluSbH4H9wTwnkaqRAWlQnhXyvQY6V4bngBe1ArrJPOWjgDp+NtdiPRgZ7X6fRmXs+HQ3rewhGuJ0Qs9XYw2eGcHc7Y4V47HLJDjx0QKTL89TN2eM0OxxgtYYd2O3gZIYuX7XCUkeJMTLJDFWMgdniXUccZvoph1s6xebJi9zJCO6PNMLycmyMrIDKZGaZomk0zzqhomj83x978dUPuSirXvkvwX6JQGqkvM5NaJ3uaa53+nn17a80WcNSZa6urSlZfbfYtNYHPXGL2La+EMjA7bLD2rdrZve5Nqica3Z5/vLH6rdVu1cPWN2Bt5qU3tIbPr3evZm0Z2Tb3If8s/xJ2VXbynHSbWW0gauJw6oqCIZ3AWYMhzi46gTjhnBOCTqhyguCEGTZ83QnTTpCdcMwJk04Yd0LCCWEnSE7Iiqw9ylBBhqpiWIER5ssfY5JZMXzu/Uov5N2UTKI7CHWGBerQA9QHIJQsXbZ61VW1NXbtqmW+pRqb1V5bcxX/bKblzV/96je//PWpb9z5zbEDt90+Du9kzJnff/TFv/3hVz997tx7f0cPmpiL1rkPuQrVbeiFZml5QVGRdhHPO5wqo8EYDOm1BhOeN83bQ8R+lK243gl+J41qMheZ2loWG7TIUldTQ01So0Fm3+p6qLXV2nxmas/VtiKAbeGem2+N1f/TP62tuqbDd7s1OcDdX7H8rbc6Zw9tbBA2Or00LnMvZdrgW+o2YiBLyAfSd4nRaNa4XB4vr+8IER4Enl8iLSkOhpaYTPZgyGJyf+6F/+6F271g8MIIDn7nhVYvrPVCmRfcDPu4Fw574WYv7GakVYznHSb2NwyPPGuPeYEb90LCC2EvBL0geuF1L0x7QfZCFRsSBucZTF7Q7ZuXwixoPQvTen4oSX0tCx4pdgqvYh6zKJpra7NhtGp8uTjyFF6+utZBA7navHx1CXxLKq+QpIpyqeDh+zZ0+N0lNWvXHYFa1bvlEqN89srP/tHy85HF3/g2P+2qYPkdxPwOYH7byGJyRNrlAjAV62wm2xKPiwRDJpfXxRl5l8tosVA3Ckb19pDRPu0B2QPHPDDpgXEPJDwQ9kDQA8QDG/AleaDKA6IHBA/MMD5kyi3zYr7ms5TUsR2by9daJWVtVg/g0mhS4KLNuGjRbANM3ZJVy0C1/tDAVQ9UVT21852XXz0DQ5mHB+Nw3x542zLxaNBiWOOt/BDUn36S6d8BTxx/8uSjNIc7MYd/gWu9koSkVSVaa3EhsZIVKwtLeIfDEwy5HQJvCIa0vH18JSRWQnglBFeCuBKeWQk9K6F9JeQCpsSoltled9HsfISUsKxe5YdKjoXLYfMtV/adw8Nzv5j628APqiqqW2/86aOh2J6aH0wOPO5fuTq5vWvrtvt31ftA9+3JJZbffrPx6ZtWLSlp7Avccq/3lRF/sLFuW3FN5aadbE8ux+8D/fcKF3lR2lqk1WpMRBBsoCnU6TQ2vtgtucNu7pgbiFtEOOiedp9za9YLbtnNCe4qRITdr7tn3BqCYMI9ifhpRGh1vPv03PTJ0N4W9t7alX2vrmNvaWlZdYsLk8FFhEKdbZENs4QUaVW8YZFNAzwEQ7wpv+ktjjoK1dLSDGV4YZhvSNLbbHGw0kT/1FpYndYD5rBNqweHDUs2aM3szRK7G27rhbaxzAXo7s8c2pnJ3BzNHDpwGKrhJTjqrqhwZD6a/chRUeGCB+/KfOJCQM05K6iP3JjfZ/kTWLcelHqIpVCl0lv0Dqd6kX0RhtpuUmE7siNUKNiN+mDIaDvGKu90rhDXnZtXmwkrbfkaLudqcxYjOmF+Cc5l+g3ZLK9VHJIrgsraab5g2aNrpKtdTjPdRd0AdcduGb4Hag9kPtI1P1c/cyN4wHjCy/3WVfHFY66KtuV1YOX6lT1M6DcK84DWwnFpu0WrXUIcSxwebzGuqdiusVisVn57yCqYjDRYkhfGWZmqm/SC4IVzufo1yQhYtiSGycJY0eZ9f9mq8t8X9rGd951hC2KfF62ZViW6ErNVS6uVzcrRfcFlxu9cmy7uHJu4Zfbwt8CviT4y/cq/vLXztW0wc/qUzTjrEH6lqnRWZOSrJrd98OFs5t+XeVmu+wnh/wX37mIyLd1KFi1yGoxGrVO7xLPYFQwtNi3Cgd0ZDBXYbRbk5IUdIV540gPve+BFD2AhUXmgDgcPeCDtgagHOj3Q6IFVHrjCA25GxorGza9nWMVe90C+1OXx8xuVnvxneF64FbfU5jN/nn+YhzYAdYiS3tRd81O9cet/veamW5KZ62/d3rXrm4cy191wAxj5cHndPXfNPkQzm+vu6Fkyu4iCvIgZwJG1WAdKsE/UESd6Z5zY1AUFJpup2KXXYIOoL7RYsFG0CD0hC19gKjT1hAot9xbDoWKIF4O/GAs+vFsMZ4rhKMO0F0M9w88x/GsM2cPY1mT5zjDhrOQzTOwQk/EyjG7f/H2wsH1jjso3a0rp/1L+YIOGyaO+6BTRjFWV3/XYj3oHf/C9zLa3Zl8+egI+gw///QNefuqe2Tseu5BpcK/GDu67xaszY6/+kvpk7gv1GPpETxykTfKrraTQWuh0OWw9IYcqHHLwgrUnJGjDIcFCXFAvuUB0wTkXHHNBwsUKPZqOlrJEX9hJkRIfzW4LiMSMg1IfM1L1ZOaNzG9P3fjUpx/M/glS0J/5q8wPMktPnDjBHQcXLP38Zh0s5V/K/DBzKiNnnlZlrWW5TeO3Am11kAvS03bcrWYAjcZq4F1OMwmHesxxM1dhBh6nM3N6tdms0esFjKy2B9t/0Kg0PSGV5ZQLnnTBAy4Yd0HaBVEXqFww44L3XfAmwyMy7IJOFzS64HUXvOiCvMjtORGkoieqmDOsTEPdBaYiy4fjaRdwsgtymb+w+7y0Ob000lj9e/ay77xj/n64GGjsz2n0S66uRQiOvzv7wtET/EcNYuLNd7A3W7/ey+2a/TQf6TNvF82+cSwT/T7GuwVr4A38C8SNp6YRqd6sKy1ViUajS8UvX1a6tGDp9pDTZjYvxvpn9pqxpTGbia7ArlXhR8BG8BtGhPHl0LMcpOWAwN6LTTQt3pY6pT8hdUoBz9lPzVf28nL88JtXbYB6WE33NJ43Vl8F2iJsY2gTA2889p2xTGZRcur3m489cqR5S7Rj6ZrvA/nmnT33NvbV8C984y9m73BV7EuCc9/NG3nV/ZE9/rFXfBmPSr1vVPY6aZ5gnVfRXyCKIC7NaTl9EVdkEor0Wjx5B0MGlUmrg0IdAXtagKgAnQI0CrBKgCsEsAqgEuCCAO8L8KYALwpwSoAnBXhAgNsF+Br+c/8R/rr/ywmOXY6/SgBRAIHxv8h0jgvAJZA9LOA+7Vl4NlxwNLr8EelrBLCvq923N1e55216tS/Xm7AXV7Elc2sYfvQgWEDzIOzZZeVvwnrsnj3AHca3DWNFz43b8HtlJ2FpHZ4a7Wo7nhpN2GPoBLuVt24P8XZsKDbMP/nNsDNftqlA/DNO6KFNRd5EVpByfcRF40qxaxDNrMmk+wdhdpbit1Wf2JW5+oO37zp2dVlHOnPhv/zNfcN1V6yA3/9u1pv57Gl/ZvDNH5bQ/qEMHxZ2lrKRv5T68SylMZsd9otHKZtkswRDNpPRbDLjDrJZHaByYLgdMOnAWDgg7ICgAyQHTDtAdsAxNhQdIDiAOGCGYZB1PufCUGQPRTRS+Zpx6QHoS+efi9/Mm+mZh55wCr6XcR27A8ryJ57Pr8l/J4GswHUK2CfpyfelhNpQoNfg2ZUQNa/GptX2pgFeNMApAzxpgAcMcLsB0gaIGuAKA1gNoDLgehnHpAGXbICwAYIGkAwwbQDZAMfYUDAAMcAMGyLffLYF61WWuyAzL/4bBq4Xo3pxeXG6qmMQCOQbWyCuTID/E9aCxfCeNGc2LnIanR4XZ4FClcWwxLnIbCzCXs9WZCJazDSyGJuefg/sxBbHA5+wtuhND/y9B37kgW+xlih7gGvwQA1ribBj0nhg8FMP/NIDP/XAsx7Abuo+D9zOuPtZAxVg3Es9YGEN1AUP/G/Gjx3XKQ88neNPeqDXAztyDdcyD9hz/Hk7Ti3Ufwl/1po1nzLuvDUP5LRL18635wpmDz2L4tnzHGvisgY9kNMeZWvNar/AGLhsm5dv/9o9YPLkOxlaZBaUi57/ZH25PH/2RFmTPyawkyT9F6yLW3xR7qC/Aa7OliB39gVF3M+3tflLvFev6t58deaxMJx6IPPp/bCvN/OdjeF0JmB5OexYt/8RPsHqU5y7n9anL3Y/Nbkl++86d829BwfJW7j3nZKBaDTGQl7/+G5+EalX9h1m4rxNBwebVq1qCtTWBvZUt7RU1wYC7P8PcK5Hb9Tv/WOPad0fiTf72/X/aHz91dzvknMvZQLYjdFfdHX0vEKycxNtSaaJXJv/+RIu+TnTrqnDzug9UqoiZBtXR6xUlKube4k/QoL8EtKJ+OV4u/HGkzDxq1JkrfrnZC19I08LxeObypbhvQLHLo4ovxj/FAJwD9zD1XDHeYH/vsqqulNtVX9XfUHzkFan/WfdKt1xfVFBTUGnYpkd60fWdo4IeB7Zg8DP+L8nPKN6YDRv/878WgA5dyowR7SkX4F57FNGFFiFPHcrsJoUkkcUWENM5CkF1pKbyCkF1hErVCqwHnuBBgUugFEIKrCBLOZ+kv+fHZXcrxW4kKzmdQpcRIr59dR6Ff1F+gR/rQIDEVW8AnOkSOVTYJ5cpapWYBXyDCiwmhSr7lJgDfGovqfAWnJBdUaBdeRK9UkF1pPF6ncUuID7jfrfFNhA1uh+ocBGskdvUOBCcp0+N1cRWaV/o3FoYCg9dFMsKkYj6YjYF08cTA4NDKbFK/tWiDVV1VViczw+MBwTN8WTiXgykh6Kj1YWbLqUrUbcgSpaIulycfNoX2XbUG8syyt2xJJD/TtiA2PDkeTGVF9sNBpLihXipRyXjnfGkik6qKmsrqy6SLyUdyglRsR0MhKNjUSS14vx/oV2iMnYwFAqHUsicmhU7KrsqBSDkXRsNC1GRqNiZ16wvb9/qC/GkH2xZDqCzPH0IFp63VhyKBUd6qOzpSrzC5jnjY50bH9M3BpJp2Op+GhDJIVzoWWdQ6PxVLl4YHCob1A8EEmJ0VhqaGAUib0HxYUyIlIjuJbR0fh+VLk/Vo529ydjqcGh0QExRZesSIvpwUiaLnoklk4O9UWGhw9iyEYSKNWLMTowlB7EiUdiKXFb7IC4Iz4SGf3ryqwp6Jt+9Kk4NJJIxvczGytSfclYbBQni0QjvUPDQ2nUNhhJRvrQY+i2ob4U8wg6QkxERiuaxpLxRAwtvba57SIjGpj1Zio+vB9nptyjsViUzohm748NoxBOPByPX0/X0x9PoqHR9GDFPMv746NpFI2LkWgUF47eiveNjdA4oZvTOeMifck40hLDkTRqGUlVDqbTiWv8/gMHDlRGlND0YWQqUbP/62jpg4mYEo8k1TIy3IbhH6WhG2PxpYvo2NwmtifQPwE0TlQYysVcZlZXVitToBuHEulUZWpouDKeHPC3B9pIIxkiA3in8b6JxEiUiHhHcBxBqI/ESYIcJEnGNYhYkVyJ2BX4riFVpBpvkTQjVxzpwygvkk0IJ1GKPiNMb5yMkkpSwChfr60GoR2KFS1MuhyhzSjfhxraUK4XqfP1iqSDYYawzFLJATKGdkQQs5GkUCqGPFHGIZIKvP+cjj9H38mgVJ5Sg3ZV4111Wck/p3cINYnM02lGoZaOMOuvR1wc5b7OHyLyxVj0UkiJsVGUaaW6u5Cjg3EFmST1RJrNNsq4Oi8zYzvO2I/yfSySOc4+pptmRFZzHOFBxafXob+TzIIok8utLYUzfzkCl8+NDmbdfjbnVoan4xSjNeA4pawr67NOZkUcsdQXB9ASOu8ggyPMn1EmTXNsVJHsxawTv3YeUZGNKHEZZXPsV6ykMuWKv/vZM8XmHcU5RGZfNsoL5xaZnyLM69lIjyA1zXj7ED+Mfw4qu2wEvZKdq1fZRwfYrhxUVjzC9IpkG74PsKyIs7iNlixlMb7olWze9Ct5KjLZBMJxtoqcHytYbOhKYsxSCkXYzu9FiWE2d9a2QZYdERbbmBLrNFtBzl9RZaXU6gTDVJAmlhd0v8cUn16LdaLtshqzHpyfmzQmw8ze1Dzdo8zaaH6NWW9TrmFlpuyKh1k9uj4fn36Wb1mPRpm2iq/weT/zTVqZNc4siuKfbMSzuRVH2TEWj+x+ymZz+kueizD/xhW5BKtKacWWEbY/BlkGJsg12Fj60Tr6p5Ll4fxd06fsmUrFZv9/Wo7alWAenL8/knlbRtDGNmX3j+Z33di8/ZuLRAfWoDZWLxJK/gQUz4mXaKC75tKaWc1q5sJVZLNxCMdpZk+K+bKSrWEA6e04QxvtobNnizvQpMtcU/rgxl6IEYBBGCCLiBfCZBv0kC7YSNaDhG8JaQ343oRj+q6E9WQc+dYjfgOO1yF+LdZOLz7r8W7H+168VXhnOaqQw49vvzKuwHE5SryGT2A3xdYjlr634LgF383KO4D4Jnw3KePNOMY3CYMWm/B69jwDKukknJuF12ZBnIVDn0Pwcxj/ZPIT7vczK7zPzJyZ4do/7vn4mY/5qo/B9DHoyHnhfPB8+Hzi/LHzmgLTh2AkvwPze+fWeN9df7brn9f/poucxZWdrTobPDt+Vj6rPgt81294u1eYFqerphPT49OvT5+bnpnWjf9k8ifc3z3v95qe9z7PeU+2nzx0kg8fB9Nx73Eu+Hj4cW7yCTA94X3C/wT/2KOV3kebPd6HH1ruPffQzEMc/cHwoUJz4HlohzayHn247SQ/531mow224rJM+PTi7ce7He843vfijWceZPfi7Yc2aQ3f8yAY7nPfV3bfzfcdvk+duHP8zsk7+fE7Ju/gntl/Zj+XCq7wxkfLvKPNK72uWmeXtpbv0uA09GfKzb2lVwbCPZK3B5l276ry7mpe4V1Ua+lS44JVyGjivXw9387H+Xv5M7xWtyPo8W7H+1xwJshJQb0xYGr3tvvb+dNz56RYawlq25LYMr6F3xxY4W1pXuM1NXub/c2vNb/b/HGzpqcZjuLfwDOBMwFeCqzwB6SApySwuMXdZa+1dZnB1CXUmro4wEDXki6/ac7EmUw9pkMm+nMp4cbtoIbTMDnV2VFW1npaO7ejVdYFd8twt1zaQZ/S9l2y5m6ZdO3a3T0FcE/ojiNHSMOSVrmmo1sOLwm1ylEEJAqMIyAsmbKThlAqlS5jF5SVITyGT1I2VobIfaksluTppCwFKSxRKSYEZZQhOwZ8llEaIqgcoPS+FKEPSizLClHplKKOCWcfDHDu+z+lYyLrCmVuZHN0cmVhbQplbmRvYmoKCjggMCBvYmoKNzM0MAplbmRvYmoKCjkgMCBvYmoKPDwvVHlwZS9Gb250RGVzY3JpcHRvci9Gb250TmFtZS9CQUFBQUErTGliZXJhdGlvblNlcmlmCi9GbGFncyA0Ci9Gb250QkJveFstNTQzIC0zMDMgMTI3NyA5ODFdL0l0YWxpY0FuZ2xlIDAKL0FzY2VudCA4OTEKL0Rlc2NlbnQgLTIxNgovQ2FwSGVpZ2h0IDk4MQovU3RlbVYgODAKL0ZvbnRGaWxlMiA3IDAgUgo+PgplbmRvYmoKCjEwIDAgb2JqCjw8L0xlbmd0aCAzMjAvRmlsdGVyL0ZsYXRlRGVjb2RlPj4Kc3RyZWFtCnicXZJNboMwEIX3nMLLdBEBTkIaCSElJEgs+qPSHoDYQ2qpGMuQBbevZ4a2UhdYn8dvxk/PxGV9rq2Z4lc/qAYm0RmrPYzD3SsQV7gZG6VSaKOmZUer6lsXxaG3mccJ+tp2Q55H8Vs4Gyc/i9VRD1d4iOIXr8EbexOrj7IJ++bu3Bf0YCeRREUhNHRhzlPrntseYupa1zocm2leh5Y/wfvsQEjap2xFDRpG1yrwrb1BlCdJIfKqKiKw+t+ZXFqunfpsfZCmQZoku20RWBJnFfKGeE/1LbFMkHesOSJnzDvkPes3yI9cPyEfuE6aI9cl8on5glyyB5p/Jt7SvRfmDLlifRo4TXgm1lP2n+G96eL/gMz+sxKZ/e+pzv7lhcJZUsCY8B1/4hfq7n2Inh6bMse0jYXf/8ENDrvo+waqkpxbCmVuZHN0cmVhbQplbmRvYmoKCjExIDAgb2JqCjw8L1R5cGUvRm9udC9TdWJ0eXBlL1RydWVUeXBlL0Jhc2VGb250L0JBQUFBQStMaWJlcmF0aW9uU2VyaWYKL0ZpcnN0Q2hhciAwCi9MYXN0Q2hhciAyMQovV2lkdGhzWzc3NyA2MTAgNTAwIDI3NyAyNTAgMjc3IDQ0MyAzODkgNTAwIDUwMCA1MDAgNTAwIDU1NiA3MjIgNTU2IDQ0Mwo1MDAgNDQzIDI3NyAyNzcgNTAwIDI1MCBdCi9Gb250RGVzY3JpcHRvciA5IDAgUgovVG9Vbmljb2RlIDEwIDAgUgo+PgplbmRvYmoKCjEyIDAgb2JqCjw8L0YxIDExIDAgUgo+PgplbmRvYmoKCjEzIDAgb2JqCjw8L0ZvbnQgMTIgMCBSCi9YT2JqZWN0PDwvSW00IDQgMCBSPj4KL1Byb2NTZXRbL1BERi9UZXh0L0ltYWdlQy9JbWFnZUkvSW1hZ2VCXQo+PgplbmRvYmoKCjEgMCBvYmoKPDwvVHlwZS9QYWdlL1BhcmVudCA2IDAgUi9SZXNvdXJjZXMgMTMgMCBSL01lZGlhQm94WzAgMCA1OTUuMzAzOTM3MDA3ODc0IDg0MS44ODk3NjM3Nzk1MjhdL0dyb3VwPDwvUy9UcmFuc3BhcmVuY3kvQ1MvRGV2aWNlUkdCL0kgdHJ1ZT4+L0NvbnRlbnRzIDIgMCBSPj4KZW5kb2JqCgo2IDAgb2JqCjw8L1R5cGUvUGFnZXMKL1Jlc291cmNlcyAxMyAwIFIKL01lZGlhQm94WyAwIDAgNTk1IDg0MSBdCi9LaWRzWyAxIDAgUiBdCi9Db3VudCAxPj4KZW5kb2JqCgoxNCAwIG9iago8PC9UeXBlL0NhdGFsb2cvUGFnZXMgNiAwIFIKL09wZW5BY3Rpb25bMSAwIFIgL1hZWiBudWxsIG51bGwgMF0KL0xhbmcoZW4tVVMpCj4+CmVuZG9iagoKMTUgMCBvYmoKPDwvQ3JlYXRvcjxGRUZGMDA1NzAwNzIwMDY5MDA3NDAwNjUwMDcyPgovUHJvZHVjZXI8RkVGRjAwNEMwMDY5MDA2MjAwNzIwMDY1MDA0RjAwNjYwMDY2MDA2OTAwNjMwMDY1MDAyMDAwMzYwMDJFMDAzND4KL0NyZWF0aW9uRGF0ZShEOjIwMjExMTA5MjAzMjUyKzAxJzAwJyk+PgplbmRvYmoKCnhyZWYKMCAxNgowMDAwMDAwMDAwIDY1NTM1IGYgCjAwMDAwMTA1MTMgMDAwMDAgbiAKMDAwMDAwMDAxOSAwMDAwMCBuIAowMDAwMDAwMzE1IDAwMDAwIG4gCjAwMDAwMDAzMzUgMDAwMDAgbiAKMDAwMDAwMjA4MyAwMDAwMCBuIAowMDAwMDEwNjgyIDAwMDAwIG4gCjAwMDAwMDIxMDQgMDAwMDAgbiAKMDAwMDAwOTUyOSAwMDAwMCBuIAowMDAwMDA5NTUwIDAwMDAwIG4gCjAwMDAwMDk3NDUgMDAwMDAgbiAKMDAwMDAxMDEzNSAwMDAwMCBuIAowMDAwMDEwMzgxIDAwMDAwIG4gCjAwMDAwMTA0MTQgMDAwMDAgbiAKMDAwMDAxMDc4MSAwMDAwMCBuIAowMDAwMDEwODc4IDAwMDAwIG4gCnRyYWlsZXIKPDwvU2l6ZSAxNi9Sb290IDE0IDAgUgovSW5mbyAxNSAwIFIKL0lEIFsgPDhGMDUyNjI1QTE1QzdBQkNBODQ2RUY5MDZBQzJGNDc4Pgo8OEYwNTI2MjVBMTVDN0FCQ0E4NDZFRjkwNkFDMkY0Nzg+IF0KL0RvY0NoZWNrc3VtIC9FNTVCMzQ1RUZEQzY5MkFFNTI4OEJFQ0Y5Nzg5NDgxNQo+PgpzdGFydHhyZWYKMTEwNTMKJSVFT0YK" + filename: document.pdf + + XAdES-ASiC_E-DOCX: + value: + document: + content: "UEsDBBQACAgIABV1OFQAAAAAAAAAAAAAAAALAAAAX3JlbHMvLnJlbHOtkk1LA0EMhu/9FUPu3WwriMjO9iJCbyL1B4SZ7O7Qzgczaa3/3kEKulCKoMe8efPwHNJtzv6gTpyLi0HDqmlBcTDRujBqeNs9Lx9g0y+6Vz6Q1EqZXCqq3oSiYRJJj4jFTOypNDFxqJshZk9SxzxiIrOnkXHdtveYfzKgnzHV1mrIW7sCtftI/Dc2ehayJIQmZl6mXK+zOC4VTnlk0WCjealx+Wo0lQx4XWj9e6E4DM7wUzRHz0GuefFZOFi2t5UopVtGd/9pNG98y7zHbNFe4ovNosPZG/SfUEsHCOjQASPZAAAAPQIAAFBLAwQUAAgICAAVdThUAAAAAAAAAAAAAAAAEQAAAGRvY1Byb3BzL2NvcmUueG1sjVLLTsMwELzzFZHvifMoCKIklQD1RCWkFoG4GXubGhLHsrevv8dJmpRCD9x2dsazL2fTfV15WzBWNionURASDxRvhFRlTl6WM/+WeBaZEqxqFOTkAJZMi6uM65Q3Bp5No8GgBOs5I2VTrnOyRtQppZavoWY2cArlyFVjaoYOmpJqxr9YCTQOwxtaAzLBkNHW0NejIzlaCj5a6o2pOgPBKVRQg0JLoyCiJy2Cqe3FBx3zQ1lLPGi4KB3IUb23chTudrtgl3RS139E3+ZPi25UX6p2VRxIkR0bSbkBhiA8Z5D25QbmNXl4XM5IEYdx7IeRH0+W0XWa3KWT5D2jv963hn3cmKJlT8DFAiw3UqO7YU+eJRyumCo3buEFKP9l0UnGVHvKilmcu6OvJIj7g/O4kBs6qo+5f480Cc9HGgy6yga2sv17RdQVHWHbtd18fALHfqQRuBglVtCnh/DPfyy+AVBLBwhYAVavYAEAANsCAABQSwMEFAAICAgAFXU4VAAAAAAAAAAAAAAAABAAAABkb2NQcm9wcy9hcHAueG1snZHNbsMgEITvfQoL5RrjWK6bRpioP+opUiPVbXqzKGxsKhsQbKLk7UsayfW5txlm9Q0sbH0a+uQIPmhrKrJIM5KAkVZp01bkvX6ZL0kSUBglemugImcIZM1v2NZbBx41hCQSTKhIh+hWlAbZwSBCGmMTk731g8BofUvtfq8lPFt5GMAgzbOspHBCMArU3I1AciWujvhfqLLycr/wUZ9d5HFWw+B6gcAZ/ZO1RdHXegC+iMejYQ/O9VoKjBvhG/3l4fW3gpZpkd6l+WyjzeHUfC7LpiySyUATn/ANEmmRzR4PulfznNEpjG1FC+HSdhVsZ70KvGT0KthTJ7yQGH+DF7eMTuwk2mns3pyQEVDcT4cmQWzyovXCdYHnl7rRRTMumv8AUEsHCC0XQ1cjAQAA/gEAAFBLAwQUAAgICAAVdThUAAAAAAAAAAAAAAAAHAAAAHdvcmQvX3JlbHMvZG9jdW1lbnQueG1sLnJlbHOtkU0KwjAQhfeeIszeplUQkaZuRHAr9QAxnbbBNgnJKHp7A4paKOLC5fx97zEvX1/7jl3QB22NgCxJgaFRttKmEXAot9MlrItJvsdOUlwJrXaBxRsTBLREbsV5UC32MiTWoYmT2vpeUix9w51UJ9kgn6XpgvtPBhQDJttVAvyuyoCVN4e/sG1da4Ubq849GhqR4IFuHYZIlL5BEvCok8gBPi4/+6d8bQ2V8tjh28Gr9c3E/K8/QKKY5ecXnp2nhUnOB+EWd1BLBwj5LzDAxQAAABMCAABQSwMEFAAICAgAFXU4VAAAAAAAAAAAAAAAABEAAAB3b3JkL2RvY3VtZW50LnhtbM2VyW7bMBCG730KgccAtqQmCFwhci5Gix4aGHD6ABRFSaxJDkGOrLhPX1JrFqAwmkNzMc1ZvvlnJFJ3909KRidunQCdk3SdkIhrBqXQdU5+Pn5dbUjkkOqSStA8J2fuyP32012XlcBaxTVGnqBdBjlprc4ca7iibqUEs+CgwhUDlUFVCcbHhYwZNicNosnieExag+Ha+yqwiqLf2joeUnZjrfhzktzGlkuKXq9rhHET7fS3+iclp7jukqod2NJYYNw5Pwglh7qKCj1j0uSChgNnzjCXVC4t7Z6VfClkNzgXonuDnGWsvYxxej3F89LkFe/QUMMXWv0+2jcLrZloil3SraL22JowMeOfaCGkwHPf+CIqvXmfqtcz+zdeeH8Uy77XGiwtpD8IHhQFdWTrz0IB5Tmspv/Z23454FnyqMtOVObkIXQtSdxHi1JM9mQw/WKTQfIKB5sNnHhZR6594+sy3F5JUVg+aI8qevSFveyohGN/cK5CMA4pA+z/yf0IGsIwkDuMDJRGODhRLeiHnZHjDEfVZzPX1/wJ97TmA9rUh9/e46+3NP0SDlCXNf7/7eZ6MwX8oNZbg5oQdH0TYqyom2fbhtOS29CD3yCYxVMB4OwpABHU4qxbHJ1jqYdWPQ5SK+XxJWdinlW4APYWcOqjotKNTaBvaSesb9df7/P47GMR3PEyiHg6cvHyHdr+AVBLBwiM3jD+EAIAAMwGAABQSwMEFAAICAgAFXU4VAAAAAAAAAAAAAAAAA8AAAB3b3JkL3N0eWxlcy54bWzFVNtO20AQfe9XWPseHBCiKMIgaoRIi9KKwAdM7HG8Ym/dXRPC13fW8dKQSwkUiZd490xm9sw5ozk5e5QieUDruFYZ29/rswRVoUuuphm7u73sHbPEeVAlCK0wY3N07Oz0y8ls4PxcoEsoX7nBLGO192aQpq6oUYLb0wYVxSptJXi62mk607Y0VhfoHJWXIj3o949SCVyxWGb/cK2Q5IXVTld+r9Ay1VXFC2xLUfp+vz1JEQvIYhciEux9Y3pUz4DnEy64n7dkWCKLwXCqtIWJoG6JDzulXktdXGAFjfAuXO0v2127W/u51Mq7ZDYAV3CesWs+QUvltUrGaHnFKFSfK7clhOD8ueOQsZH2eoEn+fcfyTgP4cJRmq65Ty7wARRMwXKWhnfv0Sr6wwOIjB0sIPf0DBxGJHermAA1jRiq3t34JY2nupePAjThJXGueW84Colp13G6qoNZvYXPjJd6lpMyVosFk8YYSxNw3nh9NTc1qmdi3jbYvWC6F5Zrpms+tCNI2X5uyCwDFqYWTB1It6FhGdQk30XrogKJ8a0Obin9vmxnI/0X7SBCzO0vk/x0/wsttI3UgFT99LFotd/VnyuEsGzWDIr4Qn1wWP5Um8xT+Ogjfkvnb7qcb7X1HtGMlhLixBEfAwVvG58grQoMevQDUag8WtqMB293HZTbYnoXWfWc4J0sXzLyeIORx//jx7OGq4YEMAnRVy3pFPorqeAKb5qwUNv57BBi+vWILSn+Qu/DTXq/t6lr7vxaQy24qZeXY7S0ijb5vs2l91LNwYQZWWMb8dfE3zD1ceVek+ijRtIYui0zH6b8DTO/fUL54jd3Oy+e9+o1VCU+rqm1QD9Mq4+wP57c6R9QSwcInpRlwYsCAAB1CQAAUEsDBBQACAgIABV1OFQAAAAAAAAAAAAAAAASAAAAd29yZC9mb250VGFibGUueG1srVBBTsMwELzzCst36rQHhKKmFRLihHqg5QFbZ9NYsteR1yT097hOKyHIoaDe7J3ZmdlZrj+dFT0GNp4qOZ8VUiBpXxs6VPJ993L/KAVHoBqsJ6zkEVmuV3fLoWw8RRZpnbgcKtnG2JVKsW7RAc98h5SwxgcHMX3DQQ0+1F3wGpmTurNqURQPyoEheZYJ18j4pjEan73+cEhxFAloIaYLuDUdy9U5nRhKApdC74xDFhscxJt3QJmgWwiMJ04PtpJFIVXeA2fs8TINmZ6BzkTdXuY9BAN7iydIjWa/TLdHt/d20mtxa6+nRJm2mjyLB8P8T6tXs8eQyxZbDKbJrmDjJqEXnZ99q6lk81uX8D0ZEE8FG3u6Ps6fijo/ePUFUEsHCMHH2QgdAQAAVQMAAFBLAwQUAAgICAAVdThUAAAAAAAAAAAAAAAAEQAAAHdvcmQvc2V0dGluZ3MueG1sRY/LTgMxDEX3fEXkPU2gEo9RM92h7ikfYGbczkiJHcWeDuXrSYUQS+uce3W923/l5C5UdRaO8LAJ4IgHGWc+R/g4vt2/gFNDHjEJU4QrKez7u93aKZk1S11rYO3WCJNZ6bzXYaKMupFC3NhJakZrZz37VepYqgyk2qI5+ccQnnzGmaFvld8i2a1doToQW5uzDeBvYKQTLsmO+PluUppywRThObz+YlxMDtcyEaO1P/641YVugv8f2/8AUEsHCIeK7OW6AAAA8QAAAFBLAwQUAAgICAAVdThUAAAAAAAAAAAAAAAAEwAAAFtDb250ZW50X1R5cGVzXS54bWy9lMtOwzAQRff9ishblLiwQAgl6YLHEroIa2TsSWqIH7Ld0v494zSqUBWaAoVlPHPvmblOks/Wqk1W4Lw0uiDn2ZQkoLkRUjcFearu0ysyKyd5tbHgE+zVviCLEOw1pZ4vQDGfGQsaK7VxigV8dA21jL+xBujFdHpJudEBdEhD9CBlfgs1W7YhuVvj8ZaLcpLcbPsiqiDM2lZyFrBMY5UO6hy0/oBwpcXedGk/WYbKrscvpPVnXxOsbvYAUsXN4vmw4tXCsKQroOYR43ZSQDJnLjwwhQ30OW5CsxPvM0QShs+dsR6vxUF2OPgDvKhOLRqBCxKOI6L194GmriUH9FgqlGQQgxYgjmS/Gyf6cHcW2P4fQXfoz9Bf7R3dcGUO3uOniRvsKopJPTqHD5sW/Omn2PqO4mtEVuyl/cELNzbBzno8AwgBNX+RQu/cjzDJafe/LD8AUEsHCAvVEcdUAQAAXgUAAFBLAQIUABQACAgIABV1OFTo0AEj2QAAAD0CAAALAAAAAAAAAAAAAAAAAAAAAABfcmVscy8ucmVsc1BLAQIUABQACAgIABV1OFRYAVavYAEAANsCAAARAAAAAAAAAAAAAAAAABIBAABkb2NQcm9wcy9jb3JlLnhtbFBLAQIUABQACAgIABV1OFQtF0NXIwEAAP4BAAAQAAAAAAAAAAAAAAAAALECAABkb2NQcm9wcy9hcHAueG1sUEsBAhQAFAAICAgAFXU4VPkvMMDFAAAAEwIAABwAAAAAAAAAAAAAAAAAEgQAAHdvcmQvX3JlbHMvZG9jdW1lbnQueG1sLnJlbHNQSwECFAAUAAgICAAVdThUjN4w/hACAADMBgAAEQAAAAAAAAAAAAAAAAAhBQAAd29yZC9kb2N1bWVudC54bWxQSwECFAAUAAgICAAVdThUnpRlwYsCAAB1CQAADwAAAAAAAAAAAAAAAABwBwAAd29yZC9zdHlsZXMueG1sUEsBAhQAFAAICAgAFXU4VMHH2QgdAQAAVQMAABIAAAAAAAAAAAAAAAAAOAoAAHdvcmQvZm9udFRhYmxlLnhtbFBLAQIUABQACAgIABV1OFSHiuzlugAAAPEAAAARAAAAAAAAAAAAAAAAAJULAAB3b3JkL3NldHRpbmdzLnhtbFBLAQIUABQACAgIABV1OFQL1RHHVAEAAF4FAAATAAAAAAAAAAAAAAAAAI4MAABbQ29udGVudF9UeXBlc10ueG1sUEsFBgAAAAAJAAkAPAIAACMOAAAAAA==" + filename: WordDocument.docx + parameters: + level: XAdES_BASELINE_B + container: ASiC_E + payloadMimeType: "application/vnd.openxmlformats-officedocument.wordprocessingml.document; base64" + + CAdES-ASiC_E-PNG_md: + value: + document: + content: "iVBORw0KGgoAAAANSUhEUgAAAOEAAADgCAMAAADCMfHtAAAA0lBMVEX///86Z+gRERHMMzMAAAAwYec1ZOhFb+nKKCja4vv1+P5WfOvy9f3KIyONpfFnh+zhjY0mXOfy8vIZGRk8PDz1+fnqra1/f3+goKBIc+r/+vrY4Pru8f3JyclsjO3n7PzP2PmYq/GFne/Azfe3xPWYmJhOTk7QPj6MjIzRUVHo6Oj00tLWZWXvu7u2trYjWuceHh5zc3PJGxvfh4enufQUVOaUqPF2lO5bgu1SeuvF0viuvfSqqqpGRkZZWVnhkpItLS03Nzf76urd3d3HAADmpKSaLwkeAAADH0lEQVR4nO3c21IaQRCA4eG0CMhR0SAQBDQmIhI8BZMYjMb3f6Wgd9u9F1sVKrM9/t9l1y41f1Fu1YyrzgEAAAAAAAAAAAAAAAAAAAD/103zo9Co+l7TdjXaUVypuet7TdvVKOXiIgqtodA+Cu2j0D4K7aPQPgrtC79wcrsQaoEV7o6kge8l/YNqvyKM3EiONjM12sxsOL4txbVXrrEQs0XDldtydud76Skdt9VTRT9pSg3Xi+Rs7HvpKVFIYfZRSGH2UUhh9lFIYfZRGEDhQv1GW/+Wu/1aKK8zU1juCd/cTW0VVxu7lbysbKXwfTqZSOPg3jYRZzKlVWCnieGfCFNoH4X2UWgfhfZRaB+F9lFo3+S2HbcIbX846ksV30tKS78yUk1622SQ6m2TXadurfj+qge9stCr9CM5++jucmKUu3P38rLcdKBuLU99F5bFsW6U66sT4VK6E+GoNB0s5AMp8l8olpQr68LUZ966MEchhRRSSCGFFFJIIYUUvpNC+crIZveU8m0TdetroZ75LlzVhFWl3xOj+4n+vxjNG9eUt95/H8hbNzPPha6qJM+2e2sGTcfSDzNrT0f9VVA7tNPE8E+EKbSPQvsotI9C+yi0j0L7KLSvsRBvmwS3Pzw+kaaB7fEBAAAAAACQDZen0s+u7zVt17IoPXR8r2m7lsV8XPEThcZQaN9h8IXhf4cU2sfPoX0U2hd+IU8a+8LfHybs8S0XdhR3pCRdZuVgY1jci8v/6q4LZ3GFtXvMi+uKn30vPaWhfqp0r3cKcfWW21PXWS5sycKdlvuapzCrKKQw+yikMPsopDD7KKQw+4bqxGKze6qLwrfdk2Sm8HE/7veyu/4ird3Dvrzu1PfS0+oqLukYI+my7Ol8UM6fXg6EuZvJ0cHMqdHBU+dUfdyz58Jz9bNUHM7+1OOuLo6ur+Ss5Qp1OZsnfNyl70L5PMzvDWdX8rl54fSzdO3OCnK2KVTPVwoppJBCCimkkEIKKaSQwiAKE/eHO3H11/2hmL3tD+Usi/vDzqHy/HTdEl7cXI5ac7dWs1lnqT5u6LnQhr+aFu8uA6PcXwAAAABJRU5ErkJggg==" + filename: "Image.png" + parameters: + level: CAdES_BASELINE_B + container: ASiC_E