[c9b953e6] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
| 7 | <!ENTITY certhost "http://mxr.mozilla.org">
|
---|
| 8 | <!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
|
---|
[15f1b0c] | 9 | <!ENTITY ca-bundle-download "&sources-anduin-other-http;/certdata.txt">
|
---|
[ac38e9dc] | 10 | <!ENTITY ca-bundle-size "1.6 MB">
|
---|
| 11 | <!ENTITY cacerts-buildsize "6 MB">
|
---|
| 12 | <!ENTITY cacerts-time "0.1 SBU">
|
---|
[c9b953e6] | 13 | ]>
|
---|
| 14 |
|
---|
| 15 | <sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
|
---|
| 16 | <?dbhtml filename="cacerts.html"?>
|
---|
| 17 |
|
---|
| 18 | <sect1info>
|
---|
| 19 | <othername>$LastChangedBy$</othername>
|
---|
| 20 | <date>$Date$</date>
|
---|
| 21 | </sect1info>
|
---|
| 22 |
|
---|
| 23 | <title>Certificate Authority Certificates</title>
|
---|
| 24 |
|
---|
| 25 | <para>The Public Key Inrastructure is used for many security issues in a
|
---|
| 26 | Linux system. In order for a certificate to be trusted, it must be signed by
|
---|
| 27 | a trusted agent called a Certificate Authority (CA). The certificates loaded
|
---|
| 28 | by this section are from the list on the Mozilla version control system and
|
---|
| 29 | formats it into a form used by <xref linkend='openssl'/>. The certificates
|
---|
| 30 | can also be used by other applications either directly of indirectly through
|
---|
| 31 | <application>openssl</application>.</para>
|
---|
| 32 |
|
---|
[ac38e9dc] | 33 | &lfs77_checked;
|
---|
[c9b953e6] | 34 |
|
---|
| 35 | <indexterm zone="cacerts">
|
---|
| 36 | <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
|
---|
| 37 | </indexterm>
|
---|
| 38 |
|
---|
| 39 | <sect2 role="package">
|
---|
| 40 | <title>Introduction to Certificate Authorities</title>
|
---|
| 41 |
|
---|
| 42 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 43 | <itemizedlist spacing="compact">
|
---|
| 44 | <listitem>
|
---|
| 45 | <para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
|
---|
| 46 | </listitem>
|
---|
| 47 | <listitem>
|
---|
[ac38e9dc] | 48 | <para>CA Certificate size: &ca-bundle-size;</para>
|
---|
[c9b953e6] | 49 | </listitem>
|
---|
| 50 | <listitem>
|
---|
| 51 | <para>Estimated disk space required: &cacerts-buildsize;</para>
|
---|
| 52 | </listitem>
|
---|
| 53 | <listitem>
|
---|
| 54 | <para>Estimated build time: &cacerts-time;</para>
|
---|
| 55 | </listitem>
|
---|
| 56 | </itemizedlist>
|
---|
| 57 |
|
---|
[15f1b0c] | 58 | <note><para>The certfile.txt file above is actually retrieved from <ulink
|
---|
| 59 | url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
|
---|
| 60 | It is really an HTML file, but the text file can be retrieved indirectly
|
---|
| 61 | from the HTML file. The Download URL above automates that process and also
|
---|
| 62 | adds a line where the date can be extracted as a revision number by the
|
---|
| 63 | scripts below.</para></note>
|
---|
| 64 |
|
---|
[c9b953e6] | 65 | <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
|
---|
| 66 |
|
---|
| 67 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
[ac38e9dc] | 68 | <para role="required">
|
---|
| 69 | <xref linkend="openssl"/>
|
---|
| 70 | </para>
|
---|
[afc3f45] | 71 |
|
---|
[f0dfc28] | 72 | <bridgehead renderas="sect4">Recommended</bridgehead>
|
---|
[ac38e9dc] | 73 | <para role="recommended">
|
---|
| 74 | <xref linkend="wget"/>
|
---|
| 75 | </para>
|
---|
[c9b953e6] | 76 |
|
---|
| 77 | <para condition="html" role="usernotes">User Notes:
|
---|
[ac38e9dc] | 78 | <ulink url="&blfs-wiki;/cacerts"/></para>
|
---|
[c9b953e6] | 79 | </sect2>
|
---|
| 80 |
|
---|
| 81 | <sect2 role="installation">
|
---|
| 82 | <title>Installation of Certificate Authority Certificates</title>
|
---|
| 83 |
|
---|
| 84 | <para>First create a script to reformat a certificate into a
|
---|
| 85 | form needed by <application>openssl</application>. As the <systemitem
|
---|
| 86 | class="username">root</systemitem> user:</para>
|
---|
| 87 |
|
---|
[a1b18af2] | 88 | <screen role="root"><userinput>cat > /usr/bin/make-cert.pl << "EOF"
|
---|
[76ca09b] | 89 | <literal>#!/usr/bin/perl -w
|
---|
[c9b953e6] | 90 |
|
---|
| 91 | # Used to generate PEM encoded files from Mozilla certdata.txt.
|
---|
[ac38e9dc] | 92 | # Run as ./make-cert.pl > certificate.crt
|
---|
[c9b953e6] | 93 | #
|
---|
| 94 | # Parts of this script courtesy of RedHat (mkcabundle.pl)
|
---|
| 95 | #
|
---|
| 96 | # This script modified for use with single file data (tempfile.cer) extracted
|
---|
| 97 | # from certdata.txt, taken from the latest version in the Mozilla NSS source.
|
---|
| 98 | # mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
---|
| 99 | #
|
---|
| 100 | # Authors: DJ Lucas
|
---|
| 101 | # Bruce Dubbs
|
---|
[fe54f243] | 102 | #
|
---|
| 103 | # Version 20120211
|
---|
[c9b953e6] | 104 |
|
---|
| 105 | my $certdata = './tempfile.cer';
|
---|
| 106 |
|
---|
| 107 | open( IN, "cat $certdata|" )
|
---|
| 108 | || die "could not open $certdata";
|
---|
| 109 |
|
---|
| 110 | my $incert = 0;
|
---|
| 111 |
|
---|
[9a1c6a74] | 112 | while ( <IN> )
|
---|
[c9b953e6] | 113 | {
|
---|
[9a1c6a74] | 114 | if ( /^CKA_VALUE MULTILINE_OCTAL/ )
|
---|
[c9b953e6] | 115 | {
|
---|
| 116 | $incert = 1;
|
---|
| 117 | open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
|
---|
| 118 | || die "could not pipe to openssl x509";
|
---|
[9a1c6a74] | 119 | }
|
---|
| 120 |
|
---|
| 121 | elsif ( /^END/ && $incert )
|
---|
[c9b953e6] | 122 | {
|
---|
| 123 | close( OUT );
|
---|
| 124 | $incert = 0;
|
---|
| 125 | print "\n\n";
|
---|
[9a1c6a74] | 126 | }
|
---|
| 127 |
|
---|
| 128 | elsif ($incert)
|
---|
[c9b953e6] | 129 | {
|
---|
| 130 | my @bs = split( /\\/ );
|
---|
[9a1c6a74] | 131 | foreach my $b (@bs)
|
---|
[c9b953e6] | 132 | {
|
---|
| 133 | chomp $b;
|
---|
| 134 | printf( OUT "%c", oct($b) ) unless $b eq '';
|
---|
| 135 | }
|
---|
| 136 | }
|
---|
[76ca09b] | 137 | }</literal>
|
---|
[c9b953e6] | 138 | EOF
|
---|
| 139 |
|
---|
[a1b18af2] | 140 | chmod +x /usr/bin/make-cert.pl</userinput></screen>
|
---|
[c9b953e6] | 141 |
|
---|
| 142 | <para>The following script creates the certificates and a bundle of all the
|
---|
| 143 | certificates. It creates a <filename class='directory'>./certs</filename>
|
---|
| 144 | directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
|
---|
| 145 | create this script as the <systemitem class="username">root</systemitem>
|
---|
| 146 | user:</para>
|
---|
| 147 |
|
---|
[a1b18af2] | 148 | <screen role="root"><userinput>cat > /usr/bin/make-ca.sh << "EOF"
|
---|
[c9087280] | 149 | <literal>#!/bin/sh
|
---|
[c9b953e6] | 150 | # Begin make-ca.sh
|
---|
| 151 | # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
|
---|
| 152 | #
|
---|
| 153 | # The file certdata.txt must exist in the local directory
|
---|
| 154 | # Version number is obtained from the version of the data.
|
---|
| 155 | #
|
---|
| 156 | # Authors: DJ Lucas
|
---|
| 157 | # Bruce Dubbs
|
---|
[fe54f243] | 158 | #
|
---|
| 159 | # Version 20120211
|
---|
[c9b953e6] | 160 |
|
---|
| 161 | certdata="certdata.txt"
|
---|
| 162 |
|
---|
| 163 | if [ ! -r $certdata ]; then
|
---|
| 164 | echo "$certdata must be in the local directory"
|
---|
| 165 | exit 1
|
---|
| 166 | fi
|
---|
| 167 |
|
---|
| 168 | REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
|
---|
| 169 |
|
---|
| 170 | if [ -z "${REVISION}" ]; then
|
---|
| 171 | echo "$certfile has no 'Revision' in CVS_ID"
|
---|
| 172 | exit 1
|
---|
| 173 | fi
|
---|
| 174 |
|
---|
| 175 | VERSION=$(echo $REVISION | cut -f2 -d" ")
|
---|
| 176 |
|
---|
| 177 | TEMPDIR=$(mktemp -d)
|
---|
| 178 | TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
|
---|
| 179 | BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
|
---|
[a1b18af2] | 180 | CONVERTSCRIPT="/usr/bin/make-cert.pl"
|
---|
[c9b953e6] | 181 | SSLDIR="/etc/ssl"
|
---|
| 182 |
|
---|
| 183 | mkdir "${TEMPDIR}/certs"
|
---|
| 184 |
|
---|
[ac38e9dc] | 185 | # Get a list of starting lines for each cert
|
---|
[c9b953e6] | 186 | CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
|
---|
| 187 |
|
---|
| 188 | # Get a list of ending lines for each cert
|
---|
| 189 | CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
|
---|
| 190 |
|
---|
| 191 | # Start a loop
|
---|
| 192 | for certbegin in ${CERTBEGINLIST}; do
|
---|
| 193 | for certend in ${CERTENDLIST}; do
|
---|
| 194 | if test "${certend}" -gt "${certbegin}"; then
|
---|
| 195 | break
|
---|
| 196 | fi
|
---|
| 197 | done
|
---|
| 198 |
|
---|
| 199 | # Dump to a temp file with the name of the file as the beginning line number
|
---|
| 200 | sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
|
---|
| 201 | done
|
---|
| 202 |
|
---|
[ac38e9dc] | 203 | unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
|
---|
[c9b953e6] | 204 |
|
---|
| 205 | mkdir -p certs
|
---|
[e01e772d] | 206 | rm -f certs/* # Make sure the directory is clean
|
---|
[c9b953e6] | 207 |
|
---|
| 208 | for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
---|
| 209 | # Make sure that the cert is trusted...
|
---|
| 210 | grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
|
---|
[fe54f243] | 211 | egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
|
---|
[c9b953e6] | 212 |
|
---|
| 213 | if test "${?}" = "0"; then
|
---|
| 214 | # Throw a meaningful error and remove the file
|
---|
| 215 | cp "${tempfile}" tempfile.cer
|
---|
[9a1c6a74] | 216 | perl ${CONVERTSCRIPT} > tempfile.crt
|
---|
[c9b953e6] | 217 | keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
|
---|
| 218 | echo "Certificate ${keyhash} is not trusted! Removing..."
|
---|
| 219 | rm -f tempfile.cer tempfile.crt "${tempfile}"
|
---|
| 220 | continue
|
---|
| 221 | fi
|
---|
| 222 |
|
---|
| 223 | # If execution made it to here in the loop, the temp cert is trusted
|
---|
| 224 | # Find the cert data and generate a cert file for it
|
---|
| 225 |
|
---|
| 226 | cp "${tempfile}" tempfile.cer
|
---|
[9a1c6a74] | 227 | perl ${CONVERTSCRIPT} > tempfile.crt
|
---|
[c9b953e6] | 228 | keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
|
---|
| 229 | mv tempfile.crt "certs/${keyhash}.pem"
|
---|
| 230 | rm -f tempfile.cer "${tempfile}"
|
---|
| 231 | echo "Created ${keyhash}.pem"
|
---|
| 232 | done
|
---|
| 233 |
|
---|
| 234 | # Remove blacklisted files
|
---|
| 235 | # MD5 Collision Proof of Concept CA
|
---|
| 236 | if test -f certs/8f111d69.pem; then
|
---|
| 237 | echo "Certificate 8f111d69 is not trusted! Removing..."
|
---|
| 238 | rm -f certs/8f111d69.pem
|
---|
| 239 | fi
|
---|
| 240 |
|
---|
| 241 | # Finally, generate the bundle and clean up.
|
---|
| 242 | cat certs/*.pem > ${BUNDLE}
|
---|
[76ca09b] | 243 | rm -r "${TEMPDIR}"</literal>
|
---|
[c9b953e6] | 244 | EOF
|
---|
| 245 |
|
---|
[a1b18af2] | 246 | chmod +x /usr/bin/make-ca.sh</userinput></screen>
|
---|
[c9b953e6] | 247 |
|
---|
[6ad29d3] | 248 | <para>Add a short script to remove expired certificates from a directory.
|
---|
[f216c56] | 249 | Again create this script as the <systemitem
|
---|
| 250 | class="username">root</systemitem> user:</para>
|
---|
| 251 |
|
---|
[ac38e9dc] | 252 | <screen role="root"><userinput>cat > /usr/sbin/remove-expired-certs.sh << "EOF"
|
---|
[c9087280] | 253 | <literal>#!/bin/sh
|
---|
[ac38e9dc] | 254 | # Begin /usr/sbin/remove-expired-certs.sh
|
---|
[fe54f243] | 255 | #
|
---|
| 256 | # Version 20120211
|
---|
| 257 |
|
---|
| 258 | # Make sure the date is parsed correctly on all systems
|
---|
[c9087280] | 259 | mydate()
|
---|
[fe54f243] | 260 | {
|
---|
| 261 | local y=$( echo $1 | cut -d" " -f4 )
|
---|
| 262 | local M=$( echo $1 | cut -d" " -f1 )
|
---|
| 263 | local d=$( echo $1 | cut -d" " -f2 )
|
---|
| 264 | local m
|
---|
| 265 |
|
---|
[f42ffb8a] | 266 | if [ ${d} -lt 10 ]; then d="0${d}"; fi
|
---|
| 267 |
|
---|
[fe54f243] | 268 | case $M in
|
---|
| 269 | Jan) m="01";;
|
---|
| 270 | Feb) m="02";;
|
---|
| 271 | Mar) m="03";;
|
---|
| 272 | Apr) m="04";;
|
---|
| 273 | May) m="05";;
|
---|
| 274 | Jun) m="06";;
|
---|
| 275 | Jul) m="07";;
|
---|
| 276 | Aug) m="08";;
|
---|
| 277 | Sep) m="09";;
|
---|
| 278 | Oct) m="10";;
|
---|
| 279 | Nov) m="11";;
|
---|
| 280 | Dec) m="12";;
|
---|
| 281 | esac
|
---|
| 282 |
|
---|
| 283 | certdate="${y}${m}${d}"
|
---|
| 284 | }
|
---|
[f216c56] | 285 |
|
---|
| 286 | OPENSSL=/usr/bin/openssl
|
---|
| 287 | DIR=/etc/ssl/certs
|
---|
| 288 |
|
---|
| 289 | if [ $# -gt 0 ]; then
|
---|
| 290 | DIR="$1"
|
---|
| 291 | fi
|
---|
| 292 |
|
---|
| 293 | certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
|
---|
| 294 | today=$( date +%Y%m%d )
|
---|
| 295 |
|
---|
| 296 | for cert in $certs; do
|
---|
| 297 | notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
|
---|
| 298 | date=$( echo ${notafter} | sed 's/^notAfter=//' )
|
---|
[f42ffb8a] | 299 | mydate "$date"
|
---|
[f216c56] | 300 |
|
---|
[fe54f243] | 301 | if [ ${certdate} -lt ${today} ]; then
|
---|
[f42ffb8a] | 302 | echo "${cert} expired on ${certdate}! Removing..."
|
---|
[f216c56] | 303 | rm -f "${cert}"
|
---|
| 304 | fi
|
---|
[76ca09b] | 305 | done</literal>
|
---|
[f216c56] | 306 | EOF
|
---|
| 307 |
|
---|
[ac38e9dc] | 308 | chmod u+x /usr/sbin/remove-expired-certs.sh</userinput></screen>
|
---|
[f216c56] | 309 |
|
---|
[c9b953e6] | 310 | <para>The following commands will fetch the certificates and convert them to
|
---|
| 311 | the correct format. If desired, a web browser may be used instead of
|
---|
| 312 | <application>wget</application> but the file will need to be saved with the
|
---|
| 313 | name <filename>certdata.txt</filename>. These commands can be repeated as
|
---|
| 314 | necessary to update the CA Certificates.</para>
|
---|
| 315 |
|
---|
[a1b18af2] | 316 | <screen><userinput>URL=&sources-anduin-other-http;/certdata.txt &&
|
---|
| 317 | rm -f certdata.txt &&
|
---|
| 318 | wget $URL &&
|
---|
| 319 | make-ca.sh &&
|
---|
[ac38e9dc] | 320 | unset URL</userinput></screen>
|
---|
[c9b953e6] | 321 |
|
---|
| 322 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
| 323 |
|
---|
[a1b18af2] | 324 | <screen role="root"><userinput>SSLDIR=/etc/ssl &&
|
---|
[ac38e9dc] | 325 | remove-expired-certs.sh certs &&
|
---|
[a1b18af2] | 326 | install -d ${SSLDIR}/certs &&
|
---|
| 327 | cp -v certs/*.pem ${SSLDIR}/certs &&
|
---|
| 328 | c_rehash &&
|
---|
| 329 | install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
|
---|
| 330 | ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
|
---|
[f216c56] | 331 | unset SSLDIR</userinput></screen>
|
---|
[c9b953e6] | 332 |
|
---|
| 333 | <para>Finally, clean up the current directory:</para>
|
---|
| 334 |
|
---|
| 335 | <screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
|
---|
| 336 |
|
---|
[8b9034a] | 337 | <para>After installing or updating certificates, if OpenJDK is installed,
|
---|
| 338 | update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
|
---|
| 339 |
|
---|
| 340 |
|
---|
[c9b953e6] | 341 | </sect2>
|
---|
| 342 |
|
---|
| 343 | <sect2 role="content">
|
---|
| 344 | <title>Contents</title>
|
---|
| 345 |
|
---|
| 346 | <segmentedlist>
|
---|
| 347 | <segtitle>Installed Programs</segtitle>
|
---|
| 348 | <segtitle>Installed Libraries</segtitle>
|
---|
| 349 | <segtitle>Installed Directories</segtitle>
|
---|
| 350 |
|
---|
| 351 | <seglistitem>
|
---|
[f216c56] | 352 | <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
|
---|
[c9b953e6] | 353 | <seg>None</seg>
|
---|
| 354 | <seg>/etc/ssl/certs</seg>
|
---|
| 355 | </seglistitem>
|
---|
| 356 | </segmentedlist>
|
---|
| 357 |
|
---|
| 358 | <variablelist>
|
---|
| 359 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 360 | <?dbfo list-presentation="list"?>
|
---|
| 361 | <?dbhtml list-presentation="table"?>
|
---|
| 362 |
|
---|
| 363 | <varlistentry id="make-ca">
|
---|
| 364 | <term><command>make-ca.sh</command></term>
|
---|
| 365 | <listitem>
|
---|
[c9087280] | 366 | <para>is a shell script that reformats
|
---|
[c9b953e6] | 367 | the <filename>certdata.txt</filename> file for use by
|
---|
| 368 | <application>openssl</application>.</para>
|
---|
| 369 | <indexterm zone="cacerts make-ca">
|
---|
| 370 | <primary sortas="b-make-ca">make-ca</primary>
|
---|
| 371 | </indexterm>
|
---|
| 372 | </listitem>
|
---|
| 373 | </varlistentry>
|
---|
| 374 |
|
---|
| 375 | <varlistentry id="make-cert">
|
---|
| 376 | <term><command>make-cert.pl</command></term>
|
---|
| 377 | <listitem>
|
---|
[9a1c6a74] | 378 | <para>is a utility <application>perl</application> script that
|
---|
[c9b953e6] | 379 | converts a single binary certificate (.der format) into .pem format.</para>
|
---|
| 380 | <indexterm zone="cacerts make-cert">
|
---|
| 381 | <primary sortas="b-make-cert">make-cert</primary>
|
---|
| 382 | </indexterm>
|
---|
| 383 | </listitem>
|
---|
| 384 | </varlistentry>
|
---|
[f216c56] | 385 |
|
---|
| 386 | <varlistentry id="remove-expired-certs">
|
---|
| 387 | <term><command>remove-expired-certs.sh</command></term>
|
---|
| 388 | <listitem>
|
---|
[ac38e9dc] | 389 | <para>is a utility shell script that
|
---|
[068c8df] | 390 | removes expired certificates from a directory. The default
|
---|
[6ad29d3] | 391 | directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
|
---|
[f216c56] | 392 | <indexterm zone="cacerts remove-expired-certs">
|
---|
| 393 | <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
|
---|
| 394 | </indexterm>
|
---|
| 395 | </listitem>
|
---|
| 396 | </varlistentry>
|
---|
[c9b953e6] | 397 | </variablelist>
|
---|
| 398 |
|
---|
| 399 | </sect2>
|
---|
| 400 | </sect1>
|
---|