From 128fb795277569ed070f3fe3bc9c0662578b3776 Mon Sep 17 00:00:00 2001
From: Iwan <iigonin@sternad.de>
Date: Mon, 4 Mar 2024 12:36:07 +0100
Subject: [PATCH 01/21] Draft to allow run in FIPS compliace mode

Signed-off-by: Iwan Igonin <iigonin@sternad.de>

# Conflicts:
#	server/build.gradle

# Conflicts:
#	server/build.gradle

# Conflicts:
#	server/build.gradle
---
 build.gradle                                  |   1 -
 buildSrc/build.gradle                         |   2 +
 .../opensearch/gradle/info/BuildParams.java   |   1 +
 .../gradle/testclusters/OpenSearchNode.java   |   1 +
 buildSrc/src/main/resources/cacerts.bcfks     | Bin 103905 -> 0 bytes
 .../main/resources/fips_java_bcjsse_11.policy |  29 -
 .../main/resources/fips_java_bcjsse_8.policy  |  34 -
 .../resources/fips_java_bcjsse_8.security     | 134 ----
 .../main/resources/fips_java_sunjsse.policy   |  29 -
 .../main/resources/fips_java_sunjsse.security | 134 ----
 .../src/config/fips_java.security             |  10 +-
 .../tools/launchers/JvmOptionsParser.java     |   2 +-
 .../tools/launchers/SystemJvmOptions.java     |   9 +-
 .../licenses/bouncycastle-LICENSE.txt         |  25 +-
 gradle/fips.gradle                            |  96 ---
 libs/ssl-config/build.gradle                  |   8 +
 .../licenses/bc-fips-1.0.2.5.jar.sha1         |   1 +
 .../licenses/bcpkix-fips-1.0.7.jar.sha1       |   1 +
 .../common/ssl/DefaultJdkTrustConfig.java     |  22 +-
 .../opensearch/common/ssl/KeyStoreUtil.java   |   2 +
 .../opensearch/common/ssl/PemKeyConfig.java   |  11 +-
 .../org/opensearch/common/ssl/PemUtils.java   | 653 ++----------------
 .../common/ssl/SslConfiguration.java          |   9 +-
 plugins/identity-shiro/build.gradle           |   3 +-
 .../shiro/realm/BCryptPasswordMatcher.java    |  41 +-
 plugins/ingest-attachment/build.gradle        |   3 -
 .../licenses/bcmail-jdk18on-1.78.jar.sha1     |   1 -
 .../licenses/bcmail-jdk18on-LICENSE.txt       |  23 -
 .../licenses/bcmail-jdk18on-NOTICE.txt        |   0
 .../licenses/bcpkix-jdk18on-1.78.jar.sha1     |   1 -
 .../licenses/bcpkix-jdk18on-LICENSE.txt       |  23 -
 .../licenses/bcpkix-jdk18on-NOTICE.txt        |   0
 .../licenses/bcprov-jdk18on-1.78.jar.sha1     |   1 -
 .../licenses/bcprov-jdk18on-LICENSE.txt       |  22 -
 .../licenses/bcprov-jdk18on-NOTICE.txt        |   0
 server/build.gradle                           |   5 +
 .../org/opensearch/bootstrap/Bootstrap.java   |  13 +
 .../common/settings/ClusterSettings.java      |   1 +
 .../common/settings/FipsSettings.java         |  23 +
 .../org/opensearch/bootstrap/security.policy  |  22 +
 40 files changed, 252 insertions(+), 1144 deletions(-)
 delete mode 100644 buildSrc/src/main/resources/cacerts.bcfks
 delete mode 100644 buildSrc/src/main/resources/fips_java_bcjsse_11.policy
 delete mode 100644 buildSrc/src/main/resources/fips_java_bcjsse_8.policy
 delete mode 100644 buildSrc/src/main/resources/fips_java_bcjsse_8.security
 delete mode 100644 buildSrc/src/main/resources/fips_java_sunjsse.policy
 delete mode 100644 buildSrc/src/main/resources/fips_java_sunjsse.security
 rename buildSrc/src/main/resources/fips_java_bcjsse_11.security => distribution/src/config/fips_java.security (84%)
 delete mode 100644 gradle/fips.gradle
 create mode 100644 libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1
 create mode 100644 libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1
 delete mode 100644 plugins/ingest-attachment/licenses/bcmail-jdk18on-1.78.jar.sha1
 delete mode 100644 plugins/ingest-attachment/licenses/bcmail-jdk18on-LICENSE.txt
 delete mode 100644 plugins/ingest-attachment/licenses/bcmail-jdk18on-NOTICE.txt
 delete mode 100644 plugins/ingest-attachment/licenses/bcpkix-jdk18on-1.78.jar.sha1
 delete mode 100644 plugins/ingest-attachment/licenses/bcpkix-jdk18on-LICENSE.txt
 delete mode 100644 plugins/ingest-attachment/licenses/bcpkix-jdk18on-NOTICE.txt
 delete mode 100644 plugins/ingest-attachment/licenses/bcprov-jdk18on-1.78.jar.sha1
 delete mode 100644 plugins/ingest-attachment/licenses/bcprov-jdk18on-LICENSE.txt
 delete mode 100644 plugins/ingest-attachment/licenses/bcprov-jdk18on-NOTICE.txt
 create mode 100644 server/src/main/java/org/opensearch/common/settings/FipsSettings.java

diff --git a/build.gradle b/build.gradle
index 679f7b9299248..80b60306a0917 100644
--- a/build.gradle
+++ b/build.gradle
@@ -65,7 +65,6 @@ apply from: 'gradle/ide.gradle'
 apply from: 'gradle/forbidden-dependencies.gradle'
 apply from: 'gradle/formatting.gradle'
 apply from: 'gradle/local-distribution.gradle'
-apply from: 'gradle/fips.gradle'
 apply from: 'gradle/run.gradle'
 apply from: 'gradle/missing-javadoc.gradle'
 apply from: 'gradle/code-coverage.gradle'
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 4f3c5de49dbc6..c227d890984f7 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -123,6 +123,8 @@ dependencies {
   api 'org.jruby.joni:joni:2.2.1'
   api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
   api "org.ajoberstar.grgit:grgit-core:5.2.1"
+  api "org.bouncycastle:bc-fips:1.0.2.5"
+
 
   testFixturesApi "junit:junit:${props.getProperty('junit')}"
   testFixturesApi "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${props.getProperty('randomizedrunner')}"
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java
index a9ccb75569002..bbd06c84b30c9 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java
@@ -52,6 +52,7 @@ public class BuildParams {
     private static JavaVersion gradleJavaVersion;
     private static JavaVersion runtimeJavaVersion;
     private static String runtimeJavaDetails;
+    @Deprecated
     private static Boolean inFipsJvm;
     private static String gitRevision;
     private static String gitOrigin;
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index aaa2daef2a158..974ef2c89efae 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -1187,6 +1187,7 @@ private void createConfiguration() {
         baseConfig.put("indices.breaker.total.use_real_memory", "false");
         // Don't wait for state, just start up quickly. This will also allow new and old nodes in the BWC case to become the master
         baseConfig.put("discovery.initial_state_timeout", "0s");
+        baseConfig.put("fips.approved", "true");
 
         HashSet<String> overriden = new HashSet<>(baseConfig.keySet());
         overriden.retainAll(settings.keySet());
diff --git a/buildSrc/src/main/resources/cacerts.bcfks b/buildSrc/src/main/resources/cacerts.bcfks
deleted file mode 100644
index 9c3863eda60c51ca08b3a5eb73434b1af6508b5a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 103905
zcmV(*K;FMFg8`M?FoOY=9x#EF1_>&LNQU<f0R;^(frc<-1_>&LNQU<f0R;>&R|G&g
z$@QPqz+fw9ASDQun{EE9+gFB9)}eY8-=Fuj-g2w67eG4I<fxM<1_qh+;!63hpg*`I
z+YUkH&S8O>6yGBP0t5g80U$681_&yKNQU<f0t*EIFdha8V1`HmWdj5OFE9}V4DLQU
zAW0B$&y4h%BLV>k1cL#Tf|(M)aDRZga$c>|CtbEA0ge__^=a&~8~X59dK+^G^2&kP
zELWdfKCTvkNsy!cdGP%jcIt@eli)x=z^9{Ir{oQs!Z_@3%0%P<ge|D!-Tvv3Bbk_T
zv3h};+;dBAv{wuUIu><dg^o90zP=%wEhxQ3v9rihktZ4Ld^#+6W)1xOY(AIuONglT
zFl!y?c-%K0)nR*IFLDzLA!ByA{l#m%zSp3(M^1hOd*vh|2Ru;gMJ@rb#$Q6HF(Cnx
zfod#Ht6ay)inb6AV*1FspuhUYH)-LRx;|ko`4KlIM7a8Yk=#EQWiSk1Y?%Z*Teh0n
z$cf-jcaV;9WPOBgB^8S3p|k<|^xGK5fLI?B=-qnh`A@bqNt?Y(aBiYkc@4fCOLeyI
z%}=i?D{;<4FeR^eowW$tAQFom^flW0)JJSf5xx?--+GGbAotVKsY}fk@L$=Orzg*M
zP;|<od(Ij~G8Dj7belJ=kEeDI!y-WH^1V7mlIuU@*=`n~5EN{d%{wogVXt1`cWa+v
zCs0GNvG6I_2I|0S&b8UjBv+nZ;-e~Pj3Py|VGv|CVH|b^31}_9c3@tYZ5Fnb`AF4)
zj}bTl^WG5NV$4<hAc{;hKWtsJV->iTwIfZTtYmZ)y4%%IeHodijv``GTH~qj^*sru
z<CKEjfr`2>Ki>8)GZ>K?u2dCbLgcJQViiyW8ooph;^5mdXoS9n56JqjD;uWK$-<m8
z6Ras~#IN<+f3WfWyv>n=kr_R5Z8Rdd<xK&&%&6~1{O0hT2E3yOvbmbjc5lX+(gD_#
zl9RC?GyTG%+M$?lq+=L5Pml$j-g8!6bz-f^8;jij)Hso+cm|1K81ETyFq7$!t6&ez
zph)CfX|H0n0!x{viKrmMg6$9bF<-K?v(x!5{<TxE6w<Cz(yr?4eGz3y$uo#e77}5@
zO4`9%bi=3$GNq@t{!y@t9dYI$fVD4rJTX)zaxmOR;=<OZv!sP{+~8U(A1Cg(DLDPx
z_upCqlQZyEJ5?7vBdXl|^A2^*9n`PQp=8p8X>_aER}<K|h4KJko%`zh3I{rhETRg}
z)PRD*txVEr1D=J;e^`JcRe^vRcOlY+-i_!cbVx){ZrWzn0ow_!(E9`~GeumrOL)7i
z(UQK{CB!l=XzCxf(qI+l_j}k)fwO5R@NGlKJJ$r=bRvmghyr&4OSzg7-j;~|dbbx)
zISiJ(UjBaS){uW!MUdkW<(A;(Uh(nL5W|9WU*9ndzJ0_Ojq0udf8=*{+_pc)a<R6N
z;s7NPHh{LsZC%BT`O5~pT;XA0=Ahjyx6G#@m}9w}pT~#DP&hFIM1N{C=g*SH;@MnE
zOnrc313f&y$R?TRts&Lf$|M?Q&7BP#4SAdT?-12&lEJ`h32qmK=SmhDclzA{<R<u)
zHmM+ZsXj9Yn=vjX*(dvTYs76&B?#$xe6<VF=y2t1ffv2^<V(?Cx>l9C#U=SgL`j0p
z8*7ZTqVBDI8ep{H@}QsXXKey(KoOjjr`7Xo7PuZExoKQ`0&OV~*2Tr8dl4*<nD|zy
zD&DIBsDj1DA^+N5N+f3i>BUqxUSJ*z#Y~XR(>58(Pwlk>l<p>x#1KDo;&5Kbu!>#`
zlp|a+3H@>XTuRTo{BkyCuyoW)?tN_gXA38pE@j&dn^-NJJ;1Q0YIP7O=;2(PZu`2k
zH^l8PM|&QHYV^+c{>&fLYk<1wUvcP5gypPWE+f|9ip=D&+*`y+RA+ua@p_O;h>I~M
zqMj#ftG=ejoV62ZZ=fRvyJIvp2;|$PO$=w1ABp!582$4m%NzO{II7&vT4!5rbHFBz
zW3AiS$!fMNKBkG<ow&Tj<xpnbm5r|MajX)8z*_`W(+5*doC3ZX_aCNcD_d<-FrpK6
zDaP1Ler2DnB$wQ|L8kDdmoFOVv(rR&xqmy`nQ(2KO+>h8<8Y^sCJ``D6-arQOkgRU
z;lP3;NXUcY=0SpR;P!C844CHvINM}<PY1HGN`bQg5!!c-cf^LJdlon4e!Hn8^EOM7
z#}Jw*6aZXxE01c@m&HH7>NoeI1ozH$4<vF75Y2Idc;t(jzAuhMz$Q<WkaGrkvV;sE
zyNP8%=S!>ejDl>_t}}R8kzX;K-ebT9kPwxRS10rzWkAZyij+40{l02QKV}dnHL0b5
z*n!SXj#k`*XWKv_5j3>onV_<nJe{BBe~Q=iQ3RUP+--XDV$|3D2{jyN@jUSOKrFMQ
z1_^ua6?Nn#P^8hpc~&Fb0z7~+=M;-X1?>03gFD$u)04)TkAG~bl79!hf2>ZPxTW=E
zE5p}a1q)Ubu*q)bQWPl~7-r*JbL&!Y_@f8+e%36s2ewy!HDhaq0HNYr1}S3TyW4?=
zHNAGW#aghD&MH?k@VaCjDBvBL1k4vCohU9k?*v?T$A3vafhE-G+=_&l97uO-%#JSc
zs(^xwS!4PuPZ-zm!#}nZg}}AQD7Yci*%bFH2p{FV4sQ&{PbX2WQyAm&p5C{z@@7Bt
zD}LCk-thU~NKA2VTv{o1Mh8U7^DRUpsTru;BiX<EqdG<6n`P2GDRU;7;$pqE|NhlM
zH|aO17RS$lemR34RS3<jq9GyyzY{o}pv6upqBfIi-4KF7I-C7BT!dWI=eFX<l0EXk
zee6_J5E*j2o{i=`f!EwWm>6)O#3+GpApe&U>X&WQc&X5TnHa`{dGg$kDbtAFQe@hb
zO+zE2?2w4%<FJw!#2h6;ArR)FmIb`*HC%9}o9atc^je2k?SU<q9s{gv@jg29+w1yi
z$^P0BsYcKW;Q|<B7T-nRoTrol4HUuM(LE=ym{LY3p%VjjU1X&6|AW<)w>tIHj+dji
z)*#1tht}8@+1WF=A`2G%-N5AvP{#zfhK{pX7$sKjd>qh#<~pz3uO_|;5;H&axCP1f
z3NH6OSaUl^{rbjJhL=S|nzp?(ptc2I%nDeUtoJq$D^69<Oe1!g5KRb%1>yYiySWi$
zPj9#b;$I3FUu9-D-#Y)rQ*`bMKx}Ocar<yF>zhl()q}JV--|H$C4S3dmHrl+tverA
zBulaYUV`5{mg1B7Wg18K+nCyz2<uMQNpAuGX1PdZ5RAdi1WSFi$1p`@F4ZxB4+5)9
zJ#Fhvt|c1G>p>I%xn!Y9v`g7dB%?Jwdb#UMvNpaBF?aoZu$>};$Q5;jF~2<_KfDOF
z^Sg|($<Z6V8kGd^Hy7@mw9yfYaj&d7f^GsSl1vg%k8xWdG87%_e)9@A9C6I=+NDY?
zn54PYsDw@&#Vb@_@RkvX(#)~IFCvlrM6TIjIkjzsl#+7*N3QU=!~hr47BP>#<gap7
zb(>?}JWGr@v&`xRZ2}e>^clB9ffl1IIvMu{%D}XPsLZN9)OQ-W8spWPZKIoR-)`|C
znu>R+y(g$tUOAXi)3x=)`52VYu6)uQRY_8yni-67-`q8cX^kCa5x*8#;p?1nXfSav
z^H5J~RGq-yXj=@gHEP3jv<Xq?MlEe_Aao_c-0bDCRD*cJK0Dz_Vr!`1pYgVC!HIjQ
z$c*gKB_p2w7jyg{@VG4tlv2l;)4kmd(;Vh>X0Az5cG%*BFGG?F;{%`vP>udpL>-S?
zRSBwWeBeGEKm~&)w5G%cm|WcjcPx9pG|g#O1IaL)g4o<8T+pu&-tvTO--u3k`Zz=W
zq+Hd8##2Gi)$p{RP95<A?MK%$H{WAlmoibE<+Iy#cu>fv?Cg^kHKdnq+({{36+FQ2
z#!dVv{>aVwN{`(xUx(n$!4V#A#8yF9#_HwE#-L4?Trw!!-Z_l!?MP+?sDbFXP}vH&
z`JDg)*vdMxqI4K(%7~%${dVmV^tAlDyF{_Xc{BWCQ(q!*Azo5VUZ=<XG&<3z|MG{9
z7Q?YIvAm4tWE!=ANeOnhv1FRtXNQZE0g-_=^5tK#=D77&q)b$LbN72-yaSu>t18d*
zsK57UGcYVE^9*&J@M}fQ$-q^3RD7;`UCKmBi5v}ve1~9on>4TfdZ0U;Vpdr94LNfr
zjiI6EB2f`rJ35ih%z!t?Vb8zH8mjo9J_W>7(mH88_j7HzF3M6S{t#+(1l?t?o1VG4
zTdFXj<gb+XG7^`fJo{^a-MFnvOofrj1vvX{7z>7U`WWhRcN)W7zk=5rXTY);;AV3D
zEh&u|>7{t3v*PWas`7OLvRaH)bHF={@k7v~2Z~X5*+*F?Clgw|UE#=J^kKs-!*0Ba
zdYNyOjfLJ>Fxayt|A(WwRq$piNi4~hS-?KxXct62eq_Hf&z(IaQnLK9lLj89TQ8qY
zb85F`xs|i^KwIiZCBJE-+aYRgp%sy<<_AnDzKcd>;QS9?4m`7TY`1nZbNqNlspcJx
zHw@YhjWs=CX?^69`j48N34qM?vwmgFWu~`w^t!mU8@ei}KRS^N!2iU#2};o(gBW<3
zj9A`<6b*)NYebpKfVKOh1PtB(v@M%?Oz!KyIWSzFw<GgmsN%1xEyf5sA##~kZn2C4
z^ytD>6r!B>bCuvkDpC#QF~rjjo!5U)f+|K}*F^+~1k4!a+cpQhx8_hB3PEA43L*`x
zo1iF5ZD7x-^JO|~Nm#erZbHfO3DoU6<O{<WY4}Ua=1M&pm2_~K{Tyd4Z{+9hI+LBa
zO7q`TZi7<f#)&YZ2TaEvKQ!-E4p`d+2Ww#4X0Bpq?ddaB!{S8fc#n*=u36y2rIgQ1
zryqYfZh4%cu{cj--vuwb_FWZR$qeP1Jkl^B;-6*9g&_-nnd2P?O;F>Yy2!)t`d{4G
zB~%h*2WSKC()!<Ceo&t(viZF<BRy_n_{=(1tg-O7Ht<vsgibMvSM?-iGA+a0g}p=~
z2}(ovps?egd~-fbG|wehFb%PMm*n_mB<vfSc!P@0`<lvJC46`!^7$yemJ>Zva}bro
zyOMx53$CEb9m<QUhlbtQgjF=~fQ+~Ru)nmH#Q?%ToUCLljUm<4hG-<4<vH@siv3sH
zOCHhU_*=OqdU&g{1S1FANMQwZmHecka)GUPTiEWDhpjAxYzb6{OMsKBJ!@&JSh>)q
zWZ<X#Sc&n9EtI4uJ=nZfq>=&q$1zxjPB5k4E@i)z1q;3twim#C8ICMkPR=&w7&eI~
zMs57>zL7@9cfc1bj^}}(9n8LV)+I|jO`aQqWT9=LN-~=LWFrWeu9<m1*-qTn`!#Pk
z-oN9HEihE5dux5nmV}!O4lZKbzh#S)W+EQLtzi7h)u&Rf3TSnV$t~mT^Wl$3vj0j8
z6rHkqV>Wjb^v9`)P3I)YVg??$Hyo2UCIDYYesmCfS0+X{rRk9uM#P-K80=gZJRk5^
zbm#B{r4wTN+;#PU+7cPyBXHfrHddK=uDUNaLNxn0EB?QYgy@vKy?dDeLgq<Kxsvqd
zNX4Cm?U-ARaMQv|c@Do?u_Y9mjNE8I!Jm^)K=NiI08MWfHP8V)j|vt|8N-xt<jc11
z+qYh#INK$=E<j2tHQyRkj`QNkT{736cCqb9VF?T;j!^<O+&0g3L{W<Akid>!8K^@!
zqw#mNLHB3#o~oc(jSR2SXaUZ>II1Lq;51z9b6?j?+%~wiQ=@J{2)sTn(+@Ud{HX@n
ze%<rwEqhP2nYx-qxLQP6ugOlj-4V-M_Y>P_2(O=IJTBTcrjL=Vf^l;=F;JoXVvd4X
z7_@uGegXo55?M!_+cZbX5vq@z_)r3)0{HFeHgz~^mj^RL7w)^L9g(OIM&ZvCmz$`|
zd+2B)Iw`5zrnD`Iisbzl(Js&qibkip$wknK*DG<F`r!dgjrQ7|)Jo=s!JfET*>gA~
zks-=TKmUO1z!mo5vRO`@U2l$6lMmw5n*=slq^=<GYv<d)=8{VC&L%`tOVeo0vBzg1
z4v6N<v>FSron(#ZtU~=r&&QG})5}V>$|;^K5Ee^wnLVZoXc(I$H(h&n6EiD0sbd^J
zq+g`GKn;*ioXi^4%Td~g_u~hCgDd9e|5|Ey;+s><462GBA%Z|}7%C3a?;r1Qgp&M|
ze@o!E^3Fr<-eo=b%;E!QgXx7elk8k(ZWVd73(>gSddBVsu-F=b_a;~!tqwK0X@#hY
zto)+FP4lnf;-`IHo#{@2QAmAPwxto!P1!e>K8)E&^T~@5FIcR=ysHg#+?i<R3|mJ<
zAE?zr<X?DMkNTcwV%d*|%4S+MDi*3Mc##RC&$4;@hIy+3O$NPBE=|wnZ-u-Uw+aWF
zgk99=vNzVCUiQwAt-GKrLSR`TgfN{lal~)NOt>V_^aRnkisW_T$xx-q?iAjr>FoRx
zMg{jASV|I=tOa`H_4fqw;PBsvNkD0wZ^Q%zNctzBAVwqpeLttTx6>H9kY61MmJG#%
zOVQ}U%GO!N27o!L7em`Af?skmi5Oj`5KE4fybE1qzy$XT;9zG#fsIg3JYa{OVaZ`_
zutmks*~iqjcowqiqb+|LKiMUYWLZ|QWxu*|ENz2a{80}eHH)6LxdDFg4LhV64ce5Q
zK5W!-!?U$A#tunJ7vhf5&C{0sm<lvC-eYG)rncHHp1wNke(h=O79w!r!x@CTZWg_^
z2o{d}=jWGW2CWyocDDH$p0>BY{($*h-IK+}3x<&k7Div3clfq(#AOmFC#1Pry~vr*
z=YU-P+Ul^D>Eb7SS0<ag6-84}E1&kja42R}KO`DK6~C<#4dKLyxyQe^$S0RyC`!_R
zuAdgO)CEno+stlF>4;B0TL(r)e@X|JAs;F28(75utAeedjHPpUr`4zy*oHkSk^tM7
zr|=s?j(z0`r{0{@$F?SJ7#D+!K5V#C@d7UO4&4S!{nlDPUXV+Bu2LPI2$t)OLNC4B
z_pIkwVzGA)W&jC!7Nf&mdVzr*rf_RAjniPs(&4|qv-Xg^S51>N6VRARtokIx779wQ
zw^OTdC*in0uPyC$-p>&8Ph98cO3z`(I5X2gC{S;A@da~_061SLNBvCKbqvLbHmhDk
zR}>_atZnNa`#iVES0agR=hbfYI`li*n(Cn+4HnoowY?fQ)D{q(TstNdz<Is!8YpNg
z|JXS?UO4QeMQCF6SDeVx-3B*!bEPDSINM1v;M)vq_;N6^{`|qNHSI8myzG=k3OEPt
z?G1cF1iR-YI_W#Hwq_t4Q4v7G2PD*Osh6H$jwBQ@zVGOM2Oo8$7`9ZL`v@${DfI04
zK>@m9(nAB39(hRGBw8eQ`0MQOP2_fWsu$qIg=n1#3Mx;qUckH070;@m!`KuQ17N7D
z$Zb2U=&+ph`h`7*Va_UW)}8!E_4yZidcy|qvap-Bjkf7$mSfCDQAebAfYRSp*|2j_
z&cNqNorCe5k0)aRs9*3uo3L#vDZhCzX9T}^Zm*UvRwhv>WluQ(I(>JcE+EJ7sP*St
zHJ}3;NFp>j0Al%Y6x63Or9+TDoPIX)&RCiM0_M&ciHl9-g~l+d;mYEUo=W7d8)@oK
zIX6`5)gYU(PodGV7nqAtvnIh2>2N>Q0XD;E^^lx6%1^yKK!Av?*5a40yL4UHdONGD
zqnrjo{y9Q5LGhikQ}t5$H4i{qTR|Jv(DR1?uW*oXs-r29j1%}?LT7@GPhCN7gOgNh
zXG0bllnPQ(mQNU$uv?~J+iIb@F}AC*!;9H%+ioY(=}c~9dlrIxd=~@OWyof$3;sy+
zE{eqxse2Wd_r1cE4As+IXgXs+XAmPZ$8a^mfmL;VY0uFg5a?&2ZX>E23$D+0)7qcw
zqhal5ZSHKflE&hJkU`*o-I>k4nFtO6o$wVwG$Tb+YuDmfDJ^pE{ER<Ri^9y<#g`k+
z@d7-j3S4#>c<^TS?=5o!N>f2{^IA}Q<HH^xJ;o(LX?>#_aN+fk4x(+mEq=6?P=A6d
zf)HAMZk6a~J+DZrfBh;Q{kXs^35iAfF$zR*|9usFb;FwH&-NJOtqK9!Wd(RSXeZT?
z<@zWR4ASB~1O}yrg=OhiOu_s8WVy1d1aCShuoim?tgva!jKsOdLJ4$${1}`%zP;0K
z#z9&k{0KRkP6IyfQS-}Or)eIpgt^N(l^h`ezFxl+7SR~H=F;zrEn?3Hki~5hd-}1Y
zbUB{(dRM}#Fj$RFO{mX5pEFd-8bWjcW7grfY+I}--rN0hJX=g0sGq)0XS{AkIfPsh
zkNp<sH(Dx;a7H#kRh#2Hx>EJ1)4kMtPsqi|h<V-}00lN_zCvR=o;kg<$&sJPy_o?^
z&$ms@gSrMS@P@l?dUZKI5ezUSLxMzyC>|&4tn(M*GhR?axFOzw)NJ6B*Lvmp)czJR
z(P=nSuU&%bS<YXp!Egw2cKFP+@)y(DUuO9R0^pP6ZMZF(a217K4$jYwzIFEeOi#97
zWT|snovvl(pSSq5Y06wck6KA@i!;rYkf_9lMG@-?UG^}feUC~{77i_eA_gCMkk59h
zn(-YVk$g8(+-Fj9ea<+cel;5N)4rr1D4?eHg*vID-DK-A7%wp|o8S^K{c2bkyTlCM
z&Lk~Nj#JXgz1tP9<bNHHDd1=yx_txIG2pmKmTs<|fKYTGV;a&R=Stbwfjrti#F>IQ
z3@!dGLgkEAm=v`H)M|~ZOOvu#`XGx~W;%d^2`2}srvzOK5Fs{{7TNc^_7ZryOc{Vq
z=7CSm_N?&U45j3+<}e>YPxZRo%j~PqQfBho((3uomc`>=@{B^g@(sI6=@gqcQuZzk
zIPqUk4vG&%=LP#YwJ**W!+XFwp9|KM#O^9?BVMf|eXLy<eHb62>XijCG=6<LYaKyG
zoLZ;1Sa5qY@pbcx15(e<hpzIq=Xp{FZo2vPIY|ixeYD)RGX^nF>zPX^g?%s|^2_E2
z@AIYPVN6Uc87mP=WcY92(E_9K6_!GEeoEB@%IsY2Cyol`6?RUdB?|Cu^oEdvsDZ|W
zG-Pam`n!e8`dM|@q+`Gn0UQl@@`G1Ltq(btBrpU^mM+Sc`!~d?K~aKSEm3Wv?%1Mm
zbC(+1!;`#*iaUT3ayQ($ir=rkw#~H(!XJ&q{o+$0R&IV%-m*MEcr826qV`)<Y~)mH
z5u9uDK1~~hsKaU%gh&rtlV&AcK(U)d)}<=AB%<?fbNbFuI`1ynq)&^_n5`s_!!gj}
z2^ni`BKSMh+<TA*QHj;F2fCEFuKSYqw+*g#{P$G2YIJ_nrRktD-ihKo^3T;bp7ioQ
zNEcB{XkV46I^-Gbneu)7OePjF+V*uaFfj?r=A#!wh~PbGyPeGRw84qjNhKP$(zHUv
zlJXcMHTf(|X?ou8)kSm1PJhF*kdJ7rR=o2P_%q|+I7BE#gU(ee!@N-1H!m|#vr+@|
z8j7Zt0G;8{(d(aw#FC<}&~KcxlA_2-lXR}g3hK;<QfQ|4FF1JB4_v!Z&8_-sLv0oN
z@$z5#?0$F6)R_@ZBEA3o1YL++@`%SeU2%y#vY(LI%P?t5lS)EQ2-N9IuNjecf36AL
z=AvOVI!>;AR2Pg?0C-KDx;?JKQ%x0pxDa~wjG9N#7&<VsP(5u$M3kx0D(<uiuzTBe
zRG8%9=$4tQa>B4#QC2>Q+}#38a{Tze8$?AN@ssqY)ni?qa2aG=_PoPRc>X)4I>T}t
zb^~ZP^Db-i+93JX1|Qw3v1r6~fn5KODP4>}>PPeCS^D{hnt#j7Dz#Cg;D0=0Z+pWT
zm}yNR<PgCZHBvzk;B4oOJj<xs{>*uwXSdnmD2a$BQS-$79+iNZK@8Hynq_%Gb}h)d
zzqWUc+G)_oYs=UXKVeNCP$5Lv1pHy40ybWo;POPcJTK&)38FY)jJR5HL1jE)^(w}>
zjB@&~%+!2pk%))VaVgmVj^M^Gswr@puU0lZ9d43~w8&T&%aW0erSCdY?fVmV3FF~m
zR}~I!Bd3h60^Ww$bMKQ$cgpa;F7h;=_=R_u6Q&>kYCaBB`;qmE7eXx3c7UXi!&T)N
zCBm<1UYO$0sSy9De)zF5vj_SJP}#YXY{8~iT|EzT5cN6z<yH~dK<{99dyV6n<z#*P
z8>lO8g7<W=Z5%EHD2TM-k7FrLsRpPUHpBSMsltnn@ajWSRVfMx4%$Yr7ZbiL_p(9x
z#xZpj-xkqV|87LUU3rsf53w<A6)4>c3~xUce&=?+Tcz!6NgGcIG`H#|YG)NQSMjI?
zji$ISXekC9mY@0?RR?Bbbx+JBsqM5qXl@U3<HgY*z`qrG!|Ms4hNWgWr^F=4%PVHH
zMGUiaf;_V6)-q|>+tAajTQ-ySkL%}9KUnL4ii_Z!g*Z(($;Ft<0^7YB7&mcoa=oPm
zHJRm2Z!*7@iKJafnPlq9;z&_4T7jvl1Q5_cV83?q3_rm_J=dwtx?et@1IU&`)Uhc`
zZPcLhRaNWF0BJAEj$u6mthH^n(#A~lyZ(sH=$NvBkQV8o;YNaUHI6Ked53-(;`vee
z?0Yv*euZECNYR#jL3UOCl5R8Fi9eb?CnTh--`a{t2qBsEc)dWaM#Sap_o2gM+_Arf
zmrC+$s1bd%4z`Y<hTv%Lh}K(3L(}Jm=i{}FrU&6`BIZK_Z1=BET|TN#oekQb_t_=j
z?a%dyQsBl*1erm(o#?k5<4R~+%uwO(Da}kSPnKtelPT_`6C%YoNP!LH2JSuej0glm
z>lI_gyBk5r=ybyATRG?A+Z#7zT&t>;bfOfFBk983B+Ck@=;+P}(kUrQIwkP9_dBb)
z4fXe*$ol_i+B6lA!Ct{=CU0k(*cxHOjCHFXE*L!UWUSZDY~bJ>a_dDvx1m#qW$j`c
z=i0XPy;Sy+SI=^AouAPwF{p3W7=UVJN(6?lo|)GOq?)A^RcNsF@1>#YvUzX2kE#dX
z$=wzT+wZz1c3NK+r`sHHKJVCcGH#mNmsy(L9hYPjlHlBl_5Yf}y0q)Hj8n|K_#!Cr
zj97xGP{$n)jkG5v5($d__>UN=)f$w^zQOaCGUL_n32h!(ynBu4^Ic5m{?JKNlu<QC
zurI=4v!<-vQFlp|{N14FQuI1|;Z^UXc7kR7oo;~TCAlW11M7&d#O^#KYf-FruEC7Z
z&uY81+8D#1S^fYK!N>{YfHjCbMQIx!oaCz}Jth<i$-l22X?_TLHB{<qot1F5mrdEQ
zcc=puZ>ooDvnmrnPWv!DDIkc(Z>9FO3lMQ<@M+|w2@qrvjkW4kC$dzfsjBKSZlWG>
z^TxvrPC+|iFm2n9o3RDt-9kIfkq%IzgtLWeA#iGYVAD2VCC}La##<TKbD7WYDIyMa
z!Qu(atTjlTny6IH(>V8=L&HI&m5q8-Ye!1r%9-vRI=+rQ30>|eG;by#wUns#r)!K@
z%XBHRxAZl-f}n1P4yLIr1t5Zc)oHZB&_gITBg4Ynj%18cp;;*(9g#EM#~}Tp0v8OZ
zpR~?m!(|y8dIyF9D@@Otv!@*(l?qt%LORddt;cuafK-M|&<S>iI+zs7VDe*zGxn#p
zRYbWDNfhghf=wMduTtd!E9A<7vrsx=%f&(G{XZDlg{6|o+)(-NfM=Fjd2mS?ip*Po
zxyqhk^ci0iNJFrp)Cd;v4N{`1bE!sF0zX5={O1<yv2p5Q9a8<i%_8Kl_FKy2BsJ-0
zh_Q90vT4b-01<)>2Rg@uG%Z_w4Y<!ZtWZ_uxM?3DEK|d-x4E6E(q9_zn7`!%YMOVF
zV@3v`<AZd{hQ0!h>0`332c>_1JexK6zazy(HTIK6N>1I*aapIF#5&0fv9e-Yq#Mk_
z?N-8lG#CR)ZJX1B3s<yzz3K{t690CWKZ_((wBLTitcz~=tacu7mQDn6>S!QPI&*IY
zS35@TT{UqZ*1fRm9&e>ha$MysJWSxxT2-lHn@&VE)KmtKbhjX&3K($Up;X4y?yDt1
z@1bG)mL3CHS9|g3*S*2(O-KRGvbil}%^+fo6O=3-&o#`oO@e@g!EI9oUufGCkArR<
zunETve0_4f<Tf@3RLO=ca_Y?F3>*dC=)&SN5hQ%12z?Cuxj(tvsa+_N+l2C^V$*lY
zcJ?OUa&y5jp0hk&XWUPOh2x!Sm4?id$$k~-SzF=uW~D-BWXAuB5ALn9nYO=#R8|x$
z1DS072!3c-|E;eD#(vL10`f8Uvp~^GD&Tv<By%oVMC0@uUk*sQPIVs17(GbV@0h9<
zOxtT>#WR3ooynk+(sGU1S`1uomDdPHDf98$#30ZU@%P^5heNHG+}H2IHN9(@@KZCK
z3=)X<m&)JxNT8JOjMzw!-*!`Bdar`0GcN8=NQn)J!666W!#2b1Sh26?dJUL-!;fx|
z09@-piVvUPcQ64BiLV};lt#`(&_cpIqe-|2D}i38p!s+JcfcCxO?R!jDy;`FSQ)LV
zQLpUl#j)v$Q;5_7l_AXvl+l5i=p3G6xzn~V?jiIfl}ANIFyWTd8Mn4e0{R^&r#TT5
zycB3rWLRLjUn4j!8WrRUgd!5cYAC+HPbV5X>)NApW(=QuO`29{6qkk2XCHxIP6QgA
zXyGs+#aCE=ynmI)wz_BZ+i;v|*w5{*sH?fza_t^f2v7!*4CYs`!~HyeE<t5T^^MVt
z<g`iV<mVa@k=AK-fH7*CSo;_RH-^o_vQjt5J-vo$L~PV_Za|*PZkQ8bI6C+y0=)f;
zB$`PyqYC;Kvdyq+e;&9Kb65sCd`bdYB!S7_;TQdW8F17u6PQOdo^oT($wl8tE7c+V
z{cJ%yx(>bzB(MaVf4jX&bWl~k&TYma+QYYK<*ldZRB5Xe!g6>`f8=UdZ`RE4kveVS
zVwNpA25y2a$M?lyzsr}*0JXxCYX+n7)qD5KO`fCEt<GrD>Qw(bYAbUIY5w9ujsxJ`
z`pzfK13?O53AgyR27tt5QGKzTSZ&B<G+eJ|z_i{2h<9~|<j_}u!=0(S$t}77JWoHm
z6;}T4DxsZkBbH$VvjJ3hIG`?hyx>;Xvdh^y8pNLA%t7F|r{LhJ*~_Kj#+qVRLvjn=
zbD9=)-DvFowGT-A^h~~a-AyaY=s<<*Yl@@zC9B-Ai!B{5#9>`=wNvPS(X8=W7KMum
zW+Cq|_^sLtWVOn4_h^6cA{;00V!VPnKK7S>cVS9@txsK9(S-2xpR#hF3ZD686gW^e
zL*j-_EmHxXk_|>LFDvf@t}S(U?e#OxVsE;>v7Gtj+|4Qc>JCd+99P-ggrfB7x{JNg
zC$IIOaRea;jt5i{s+F|2tE9pHWe(SG%hKt~t(;v&KHgg+Dk026Dj0Nb9cpGww7DHW
z%wr!zq-JI3VkFCv{z=x{I^85=e9~E+BM&2(ft@sK1bB0Uw5dVMV6n`{ldlb~3Q`gG
zQ7^}}>?=qmfvbt8rZod1$<Itt-{Y;=vXVvKwU9Hy!X-{IH)dO@x)hq3naNPCmC8X|
zr&(PyiM-)XPBJ>J(o@hJfk9Pn7~?bWkF`xC6H<iy3!3cwu2G_2WQN!{=NeB1r)2+n
zfOy3^y{gtkw|-&P94d_`#4-g_D%`f=UMYGL2!hu%NeRipNAv)1lMk88RORy&wnW92
zFRpd`QNI>e2EZ<6)CdnyPQxZ-^TA5WZ?02-EsvDQyr?ICnrkXX?fx}AXlCMtKPif1
zhY^;mRe&EGBF@euAN=uJ$#e`Za$CDsF!J{rxB2e5@MhDx?=FDKcI~vobqxFdo|u+Z
z{8H7$TXK{AA5=LdNxb?4^vB)lsjU*EH|0Vk=01obBmYwMdwy^L{*-0Gho)tqI(pIf
zxk<vO(9w(0yXbKlU@h6oApq`aAH`^a38VwBFya<HiZU|&4q4%fbf+(_Yg=WY{IT#0
zl@Z=(emrRgIw!d_M>j0k(*Qqx-~!i;Md|exm!pMp&d(R<3l1lH4K~xh-PW*<MLh(%
zJH1H>saB1p3uMw9p2&{5pWXxy?^z0)*z~mv#1sVJ58%r!;F#r+C11m>OnUQqV~BY*
zlu{;9)%J5BF7su)-5YZx=4*(i)v!1?gaM-e#OCg{$++Zg5#+zLfl^Y|a(mzir?*gm
zfn}BZ9Z)PUpB_foU`nT@GO=h;VDRSNx>NGA`pBxZX=OF?_Da59PB`jb3DRK$S~)|o
zc<(Dm<MkVi9pXnqEG&tsy3%+3dzg5_eR7{<9Y&qo8O)@k@^u*kR*5<MDzzlFr*z8(
z1X=Kr;bgXn)pb1KxHPP$%i4{L8uwnxq+&8UzDDb!q=5Iw8P}1@%q;>|7=#|&2O-CE
zQgy<;5N4D=2w)b7YmZFw@nGgg;R{R+(5zI6PG$2_>}OS!4*P8RfDHhV>FQtDr^aOq
zProw-KUP$mKN?F*!MIXliJbY*9G~Q0(russ6{I=)XVwlHJ5~R=mii9Vm7lHKm3fU2
zq*p@f$rKmmcE^R!x}W`=Iao$iroQ#ar*JHn9SeD)-E<l#&C-LO8bvM0=p07zNxX3>
zqPA0pb_g@K3I{k{4aapRU!Z&!9~L2UxFqCY2yAL$`xYzhf6_AHC}xG1qB=r<Y`<5;
zlFkMyzt#=?P^-jv4i(T1I4Xnvw?ShXYmb$!64D=DZ_~U_=d0&f|LknI(#jGiK^U!e
zXFvY<3wu!c>k!1y@_HJpgN@Kpjc+hRi92`tC_7Efa>Kq{eNAT3sZdj*AEPu%8xe*P
zL(878Sav)ir!gXPOX+2zyk_BrqqxzY<TtXHcLb2R)sQ}h;BTR0b)A7Iv+6%ihyWiJ
z<%~=WkUliDhuqa9@asYG+mspy<z?k1U*rjpDhh$K0)O0TprL(h{P*Euf<cQ}x01I}
za2<I6QdN+c3PEjwR^`5{5Ky+kpM!{~8oLIimO<wSdy^SJD3dE0=4+%193arBHgq%K
zEA6z~7tisM#@Lb@yrKruEtR33ZiiwN;bAVSpDnig88}G1STK&^1}6Xc0q@2NG=1WQ
zjf(8>vs$3Dge!pn0Ob3%Hvcj&55Aci2h?U3rD#k$VC3fox@BkNgG6rbjtZ)O`$s{V
z0x`zkvv;&Ty+k=fDEH9NqKGP%(n%8+hS<qqyFp>Y%^k^HJyr<Ed2tizJdU`9;tNxF
zp1Aa#4#I+Nj+4qDA}}A8myqrk+TC0_Ck5Z>P?7*0E4eaFTrtEE5rDRmuXyLbum$WJ
zcs=M-n%pVSdTuFj5IK|7B=KS{9o%kkA!9^aIP`_`tao~OGrC9Ngkdtkt=Pjuk`qFd
zhkHz_&ML&ggZ@jQTa?!mcm+~A*YKK`aqUvc!rN?^4leBIovKIoq0Lu#7hO4!KM@nU
z|8rbY4Q=-2Zou$e!&LY^yH^yPukR=5`_FXA-nPYr30{|9^`eiCH={(UOc+0ZqWL}(
z9y<HVfwS`2AAjVVKltCT0np3Ffi0x89~fA~E7E2<ui3Q^JuIs%%T}KVBsj~MgueG&
zBF~+V5ik!%ghtPE!5KuBb2R#K0ln6HF{v!3-E#{tutiI2=^3+I-0wBFv&v*(W?bn^
z$U+#DdhO@7tvu<%fYwXm2#6|i6vF>y0q;RdS(@T``^K*WTAZ&ixBKj{^3PY<Xtc^M
zbZ6Nvj$!%;f_|+Xncuv8c7lxVn8TDw<7cQ%kPPAP_q%@!A((nPVGC=xOn*%{zsVit
z%@K}Nl01P*P@S8W5g)-JpaG)yD*9UCzJfF}xCb;%_8hNpsNK+VX|04^7(**n02Mb9
zleOw$Jp;ZWpW9*B4xBBuNH+(<{bJj8wrfw1cV%?z1o<2YQhKraC4Rwqx10sG^jtB6
z47hDKw%P#4bvM@6473vNz9AWq0mi+pnMP)}`FW@|X?P<zc~mW9Z16p9#Zx+&`oljj
z>?wjNZcuD$ju8}Sd8{tSA@mT1!QC6IAwcTtdW&xAk0B8@7_Y~j(atI63b(D)HLYp=
zTe#!2B#sdfl<`jDP-v*kNVBqy+%VXpx3=NiP<ktQRH5L!67qy#PbArh=L=<VabjSN
zxC76Dii75j1>_a=&s#wA;<W2sHuTMTO}>fzxYd&gg7mSKiAM(Hv=1b4eiZ9))rvKZ
z>hfA20oNX;mH`Bv>%F#VEXp)8oj{{J>i85m!(xSO#I+o4gf8<t%8wMSFUgPR*+MF3
z>J{O{tfw%yUQ#tF9WR`@4=B{H>$IlDK_(CsYsBx5DG#alQsimx`ee_5!r8KH*!h;T
z7^C;`0PS@7>JY?^8dUEya?mW1`Ns&fjPT3;#4sv+v^>6$0e6E@iSCjAt!W6@3odc3
zlcOVYy~~QcQ$x5~^ubsKRn$ff9V`~c6{Fhj#JN5&l}Acot%2OY!kQqH+lWY;&-=HD
z=N%hSIK;@`!hyDx&y3dCff$`Wbnm|$`AY6NQ6Cs0_!d=7tmq&$C{>Q}$@NMxI~-n|
zC$qCe-zUz2G>q^IDA0iMvvRT;{S@ty)PXtyg)hYhxSIrE(v5P(3z~<HQ@O6b8XCBH
zlqMcU84Stm>v$h@y_M!TcBjZ9>tiGPwSR(iU?sBh6I72topHo0(SwPEUk@H#zi=iV
zK>4c=cHX*(UE8>}Vqv!!T0u0nxSodSoC6XcZ+=WHC2yHZ*&8yj1`Tk+OGOHJVCiQk
ztrkSAe1JF_fPtYHxsN}lLdX#Uo??rVb%)gHdkG%hdV#W+BbR>iG%upBPD>H$9amA3
zQFDSB;2;s(l0MXedp+&&OB2E^O|T4Zid!=8KA8JiN~FWz90Qr$tP%}{`SE5YXkq^{
z&l%Wz{0jI-e%;H92(iY9wzfF;NsZ5U5Huagx%UH}-|^7p*)crueO);Q*f%_Hco%1a
zpc|bNNhwZP$+oThl3BO}{Z#yjwT}?F#x{Bu8qR<M*aHeDzC791CM{p5slo@#mR8Xy
zjWf1RG5>XTSDV6mesbKxMCh_FwRui`BA)E>)zGhrqBr7YJkmijH%S!kZ6YK8zPdWa
zz3e0}JF_G%%|56j=TBtSn{U+4+xZ{*4_{tl2;A@g-K#QqNCZ@^<(`Zgggn@!C1!-7
zPbP-T70Cpz85KfOhVR9(!Ib=QZTvg+OPN5LIu#SPjh&_07zk5eFAy<+pGj;PN(a&N
z4;7EJDNE3#5rOGYC7hcg$nHWqwrg%t7#5aocKB+uqdxJRV$2*WX?*<eAzSL$%rEmf
zyabqG-93Y5b?sGvrs4`%_G<x$#I|)1_?Jelhbi(>1iJ}fe~KTJA_y!u9=GyDB$>*Z
zruDCM7%#vvRuZEYfM$lV1fAigO4{C^<zE!JP7}=sF-1tJn5$9+#gVD0h^cE8r?lUx
z?@Qy}IxJYmAw`h$kFy5#4<72nho&evav&QayK)w8Na0!|YFxb<J4??*eB*4Vz0hJo
z4hS|4nke^m&!P~7;KV&`mr*~LMIXjeFK|eDmE3HJQoqf!gH<FqB-3`Sn2*2WdSDRW
z?}v4|`rzxQy*Y6u@lK1K!+iR-P0GW-Grxu>3<1#V{#ai@`l)x#qmjItOsh@>>@c8_
zxIM5Sw(cFUG%+!y0PTZ|<T=?GwgnLbz30DCt3PP#?))}%5<&Av*DzZbCqiT&$bVS%
z)qq5+Rs%Xk`!FT4{t~f2$RZxveXjn4F$Q<g*2qzmL&gxsdM3ZDrfSaf)OAWgC(v>&
z&2kc1G(f3xcA~JVFo9h~snbj$N{&Qv7wiU(Hq#FgI+B{oGcaFN=7JHl?5UiJF6?*;
zZCAyxCYK*67aK+KCNq$h69&%uAUVdwU7E^1UUrR2&7tU8ughXzF!mYlG1)pj!r16$
z$`A&_@pv&nNK#zhCjMAi1@!b@M6ki365L$2h41_>>cbIo=E1~Yq#rZc!LJW~aoq$6
z=CrnrRbXd{Mdk$f4)ue!-WAkR9g@^fUhSP=*Lqb$NT7iUeMByjbYhADjEV@VTb7&D
z3E>q%cSQeQbF_GlJyn871(fg28Y!y_^{>)ZhdHecfx(%2x&<9Z0a(P+f1%TrN}CP@
zfnmr8<-GQ}l8o_j&%~zj>=K*!H#U?6cLp_(u!w2c$yGq`=tHmSTfH$U9{>6P0stBo
zW*UwrZGPMDN!~Q4KcHpodZWo5{x`g4$=NDBUD=wb50n>pVxRAs_hJXlYn5?qUQkab
zo|M)A<#7Qb-8yaU3%G0r4vq#7sitM4dLtMX8z|}}w)iB)daml?lD5YGPvncAnDF4>
z*Zp%u@=8=P2rWq<A9cm6a%fV5l#SN7djb_wtCI`;O;vKp)q*R7SZgXTuQkarB5@&?
zJ{|Wy)&zAW%YK8oEddEx?SzbalpB%r=XZ5<euK7n|93bgmt<1wPVk`sj*zvY2!X3A
zd+Oh%cE#3vES3NfZdf+)y9TV3(Iyg6vQkL^3^R5?COul|mX{G-HZdp;>8y?1FQ~RN
z(c>5poJ3EH0%~aD3kS~;+ut#++9emhT@u!!aCyyt4w=Br;@vhJ*`6Pt5{X3lwULi=
zl+ej{gwU}HVoD7uVfmXIb)DulPFNnO+<2{E32JzgA%wmMZtYB7)}c+ah9Wb6;BLn(
zV`cv)q&3T_9%CSnB`BaX{^i5PWUw|3_bdc#rgxdahY<;zA^{&^NDPcOu*-N%Udv*&
zmtW^YH+1K_5t6|!Ou}3qb*B<o$+RP(J<`Rvs08xHUONGLue*oBX|~orc3$AWqT`--
z6;K?FXb#k>F~I^BR}>0=vD@)QI*Zc&qm*Tos{dNaH@u<lCx6wf`D@J5x9XRu;dzL_
zoeAwh3j99izMyi3aN{Xp&d$<y^?+lP6&C5pIsn5evTMEns2jA12ByYX8}VQ~(8oKw
zy&~c5PCPIr_9DLrjHBxAsM?%F3TuhUI#Yd&twM8f*XERsr-r9GVQe6<@lam=zHjT7
z>YIu=x{`IwTTG$Yql<>z9ViI={yGuHO7Lj1`W`-7;F#UepEAg+NM^923JS3&`1jVI
z6|h|B=*>}^T+sifbSa3XyujX2edRP8$zSn{_G2r{!h!_8wG&4J<}k+DjOcW-T>IUB
zmr)iNWf=`Q1iLVZGHuMwEoaKsUYJ5w1@dStGV~G04duE*{Lfg9-^Z>$9@sjMVrE;c
z*i35!iOviTqF)0Oj}5l0ALQYjd28%=WwDbzx(7&X{ga-4)<S;>e7~Q=^LNZuN_m}N
z=B9Ic8Zk-}2789hgO2#cV=0k?4$vz{$!3vm4^fVIG(-#ke)f3RjG_Df6im_L?NxM*
zsUs10{a}F5fL&yr0?60ql>_rAtO7+ordxPP^AW5Vyf|!Mw4rahVln};UG9J*Yk<CZ
z^HY`jjGVtXyJ!p5vWKBZNeBYqi(zQ`wL{AR|58M-o5Vs#Lgo3A-p0^KD<MzEoh9@^
zcu#ue;IW{aE@zlW$h(y3ql5bZo+6VWupd`j=)opXu*Jzz06_1a*8Jqb(P!-Ja+iM8
zZ=xd-<myWVzMJ9(ci)8|0rS3(U>{SY*D@0glB2ihDCc~Ah=1%FJl^0Cw9jNm_Fd*?
zz==+XS!jSSc`RqgfMe;hH$Dg-L?*x|1O6Jc{Ab$!`#rfFO)j-2@%t+n+I_FgY_f3r
zPK_G;8Pqp!mav;p(xjPgNI+?7&3S+^w4wGrHwwIp17`9=d*&);7+<?dA~>z|2ev`y
zPEAjqBIfUd9lj)xQqLNfakbtGXo_r*msMhf$T%l!B@|xlR=HJX&7O)CrQZ_U0O0%c
z_!O9XNhux^py$m(<*&yWH-Y?<CyyyAJmPX99I_%|Cyl|S)bfc#IH`VB&d??fDy}m3
zUhQZW&_=iAXF66M@L|npW#2g-jkSVzwoYeO&;`%O^J^)EG!ABs&(k@eztzNJ;TG6?
zY}tOJpKqlG5s!NIj8X8SW3QUo6p?`&V;rY)%28o~YRH#boBYE^?5eF`y=cW|3Wdkk
z3loBwNYWJ8XXecu)PbxlgM#L*6%mRZQ<G`osQGSlD<J$G!?2(BhCdgQJ<(O1-GLqK
zHmPgY-Ez)`(vquJl_U_~JpIqT1(f1t;_&;MTa#pihqWdwXCC&ldu#-Nt3l>$P!}6C
zp9q`mw*0gJdcS?)0(?=XT|~|;vP!HG=qh+56Pqg?>mD2*K0C=I2atobSI*B9-W0$f
zbUYI1Me*jUUK{UkrGX&`*A1BUuOL2j|0TOB$M}=KJ=@ty!*ja{EGurAg6mMUm#>zU
zX`U`^YFDVl?4b4d!LT-2XLz9asAZ?qV)5mA4a&E&FbC@35VV*Cl#u`VLe^tn+&TOE
zoYjaYNyC-rJlu2O1^FwmaK=IKY*QGC?PL}8#A|ip|GcC`f0t_lv9{L4YaEIY6)U08
z_YJ+pTInlCtJWxT@sn;_Yi0O*N-K23BD7Q0=Tq}1P4YBt6&d9~01T_ET1aS|26AVp
z=OA8Ie~bDEi)RhPc6tVHLZ#W%DW_f^H;V}pr4cQzHXRG6FDo&8)!C#^#-<{{`s};<
z_T5C&O4=P|U0r(|+x`yB@rxuZLE9C$m(93@>qswg$VbvMdj~t$3(mdFE4Tky2N8|L
z?ew8-1he#@J#WA!lVZ7I^`-qx^>L@Xw!Q{PV3+B8^jSTuG6IAqKO!(*757bqs{>p_
zfC<4F-UAohq{)3y7!bS76M*ZOOONVg1U^Mci4iT~9NNrG0sV5V#U@s`^$j}k1xwn`
z$oaBT8M@ER>qlM8Az(Wobuc5d>ahg4q2ZNMpn{LQ*8ZsY!Fo&R!xxY3cf3+oRI{3B
z7%lhM$Fsb={Y>^D6w;)22#En#Lx)iJ2KMM60V&LBW&dVz(056{oLW?w&v{MZ<Ce}+
zdvZ>w=c8Hn8=Z8{{2+cce$+A?rb3&9TOFjqbdoBgqPu~>f-_gB^^Jj35pB<5qrG>V
zs;-f@JV}Z6E>v{*B=v$ZsC(bydcj}wF7^Z{9G+&?-=}Q%1Lvc!#6O(V63^+UgK{5?
z)q>pHdXL8QhWG5FeVn<@!lWIBG>y*qD&GBKLOe8(n|FKh$L(0VOGA*gtA755=xQz!
zFpxr-+sLh`7(TbA^;%gM<BMI=kn1i!^KEI|dtu@z=FTt`EyyzxD?VIysx)Z93GH--
zz`yUoq+g-(0pQ~BkqBY180yA~i06?qhi{$Yf7odZ+*X}%-v>PX0MpVi$+G%+V5syb
zjNc{VT@^OP8sbXt^k0~Gb8h@aa2~f*gtPIK4HD^Edl+~6zX-nCO7uxGlA=S@+CUU~
zcrH#mr<l}`8`Z4mmG)}mXVLQvz$MoXHV5=vzp3G9NC<Wck%RL}v>WjWgE&<SxP>t@
zG<7HQd&GnwGHe>l#ZaPP()mc03-iH)d9drr+@6`H$~y%!a>Z=yw8~%g-NTKEDMMS9
zxbrq>!*t0_>Mt!>hq?3^!aSUxtz(oxpTJALhRVqcfNDKaQrH?NdTx)_iVK0&$a!(G
zV>BN{_{tC#g{&<I2#aAQ^6u!+r#0)2t&WCSq{-Wa!kR;Zvr5t$yGcf>Jl{;w%*`t=
z^<kNal+yV7YmL(@xKS`!hp>3(5{tT08dEnGWQzs=J__BiWZET#Wjp_#05d?$ze$94
z=c2K--;f+v=DVAO0xIi0om`Y@RF8PhTF*YEt_1{=0l<sEk|P(BO0hOoSMOQKv6JL7
zk<`;Lg(*;~xBQIeHiq3iUr1z*1QLTBL6^kWXvA#oerVIHhl3zQN_Vd(ljw%B9G~zC
zKH_>-#=g8j$65?m*Tdb5Aq#ZhR*~<|Bdg4g++$aG=-7!PVODEn)i~(nzrZiaa$G%_
zb-m$k3+Cs2lpqYo8XKUh=w(ahXowxqi5u@8?$Q>g14-HOVF|jhrF;|Aziy0iykJqr
zlnY%c#aXI;ivth3L)AU7Pq5<D%#~~pIdnpcvg7Oh$gS+ohHabLH*xY%8vn6GqFI|k
zSu0vE(msnE`4%oX7d4tJBJ2WAsQk&yrh$mjSV}kpzAgL#V+{o{SX8{wS)!?Xi3KB8
zH6>~Vm{T%@?3?YE!rEh4Sg_F~cy8xki(5<7sq^k6>;c;JQE|@VTtZq=M($h2o47kw
z&fNc2!wa*MVEUiPS4z0y8i-A>o(tKkCTmp7Rdi!+A~`M}c~ri>o$q9r;7*H`#mb`m
z#Sa;b2krE($9S(@$M2m*1unxfZ=L6Vq2=*NpF58{A?aGLrh<~056+X>q--YYa7sM1
z3xpfT(2aB0+K>8;$%XMSMKp(#$8Zi-(KL~btU|2ps(>fmli3qxKbPWA8@ft%uv`v+
z-3R3EO~$jiR=|Kfs|n<l%|73vF0uwLgaP*;t_<hW7LrLuUW5PI1#rMN|N0$Hlp6Z}
zw+OC#w1in{ms{96Sd)x<Ij4nWz>z-@>22@*eRJo2U^G@It3XYnc8k#a>sQsf%;H9!
zSI23ttg1ccYC@-(?HY^&zO-GcE(l~E`FD{{r^_h&4vF}w{Cj-Nn-4g{diA|g)y5qt
zle4fF_-yBdoBb;|W(`_F2&HN6JGv9t{&UW<;GU`sV)bn}K{?f<d>TzBv*a&>WZ3J*
zcnvYHF$-mwcW-=OTx53=8k{9UT@av*y55X?v4jRNUa$!Y4J0bOBnj+6JjYL{%#Nw!
z;Glh^r(8JG42NrCiB%I(s|YIC6l`TKjoay_zg#Hi!VW!Rn^6$yjmD;*nn!eY#fpI9
zcyZLyASci?(0PAV+MZJI0}FCoZ$te`+NyYc)iV&b_Rk~Cyv!3n`KE;qbeEyroU&Jk
z_tDm;fre#%6Yfe~)h}EGWFK2~Y^Ku3WlGZO`h$aSw*R<N{>ovqt{e^yqS@R)*8(D<
zFUE+ZW()YUO^tNZc82W}Mg_&TM)eeX4K)TGUzBqvuHUC^fazCLA$H<}=Cw#7yo04S
z0iLt(cb5|7aqJb1{InE0oOlbOVh*KDrq6>8R`zLxFxymApwhh)IshZ!*m2kkvAICM
zVVS3mYVKCTGvIsx?pwoxB4yR|QiT1eU$M0#;-f>~)r8m01Fx8&#tBO$UhPMqVolFA
z^{!xdCW2B-I5Qa(tCandzr)wy4@g!Q+6qD9Jk^crn(yG)qG9kd{j9#AN`qSKnkF6v
zp3v11MtO)1L<l@+%NmA6S3$;i`2!1&-2}DgfDfFQ80Fb=ypws=Dy5&rHMxHG4_^LF
z^y7%Vo@${og2Gc!^IrG-VC|B`ecNIlpCG1+*^E2F^g458?T{>{(YF6?Q{x1;Dw`iR
zXeHG5Gzkp1&MaYUDWF31lw|63Stm^zM^lcT)ZT1h7!=pW@xJek9!(rXdmT9t9n5jc
zV1Ux$#p#J~FE%p(P6~BHc3GrdZ@8ZT{esMG1(nUPw<XTQ{DlBDmlLY0Z0fD_3U+ZU
zQLd!9h#^okOa;iMa2UEM2;mb|y7ahSR(dpij|m8?q2&@oSDoa`oPtLIFdk<XTrkz#
zzKccXWA~m0s3+x~o8`4U5Z5UAy;F5pgTtF2=I4p#ctdQ{Hk;kI9qaPIU2d5&U^5?#
zYlPCt7>DGGfWb21M4z%iPrfv;EgB9U#QN9vcjY1f-I*Z6+^q5Z0FHXRD4-r;DRlN)
zAwEwEvGqz7*2RR63F2UD6B1h7;xq_clxp#L{57Y+h(U{j-Akg?=DfZ0m=1_S@(9;r
zC>S#~YbS(@h*8*~f#}W0=?#rDGm{{V>fxkGV(?qPY0pI?Ge1Be7$f-wkjAFnXUI&n
zGte-Q=Cy`ljf-y0$oGxMePXEwQs5=$ceV?yiGjH})kw4rLjb#J=GaA7z#J-a6N4eS
zPe9dH4rb`;52@r%CW1Rk5yZVMYjhSyCkcJFH-&0QP<3{npB~{|gllN6&2OhP$wHHL
zH}TG=5Y>x4MfO*#2N%Voc^`L40n&&*v3Rv=qNqZGVaMEx>W&VcAIq*&br30N;TOmx
z8(cZPOHDs^71LB$9LAE&890sw;tVdDk2wNBC1jG;ykINHRj7xhJw0x6WQOS>vyEbk
zHSy--@yRA)XdYW@+$u&tQyRhtP9Zc-CO#t}LuNX$DBb{RWJ=4Z-k`4c{Auo>>~;U)
z++<<8h?F1$OKz0x6x@b9aeQ`5%q!ZzrVAElfpCRc^u?pJ*y%WSB>2j}3H~4b&wd)H
zbnV-a9YZV}mkNC#yb5RTRb+3N@q0vB-X0}_ZIW7mu$^zgXHkNaRW~3@MpG4i+Nq48
z*+^qIWN(vr#wDaPNxaT5a0J|Gr5($Vn0<`^2ww=5=dyN=hck`?qVVX=Y4K|NTU_8q
zDurM2u(j%+yiT!hu5lvIKIeeivK@M40`_Ww7z?ddRmC!oKgRs*_NE{eqF+j5?ShcU
zA;oWPU{JI=M1ESNO2@Mzl`uOHf_8jToNi0o5C?6e$&%ag;OkJ8<UK=Dtuqa}RaQ#Q
zzlw;Ji2oLFDUBu%e*@MR?YC4EH{W^gf{;vSB||lsRaPAf`Z!uOlG1HK)iu%Y0BddK
zjdmga)E6n~o(AWv0-1ihmF`Yk2ZuO^XP@HY4$Z(Twr5LQeS#y?NhkTV13kI|J&njK
zewvWjx)jxm`B)ZN;et77;9iH?QcW29B(9334c;;QD{v6|!$^ATF=0ui_iP_Y#YZf1
zLK7sQSz@Jj%tmzbk$kaCEwLEDTP<e-p`4V_y6^Q0n?Th4oE~oXga0o`UElcdeA-6%
z?yK*?GFa_7x-_nB{GE#4i~J4TR!Di@wc%JQmcZd%NyE5N<F@Ze*PqrIu7R~>jXt~n
zZ*u4FQlhMV&%Id=K$IYFQM=RxsWSFVQxlMF?PL2V))|)$&Dn=-d}8NAYrv9dp2uOQ
zw)xjVOwBtQesN1FjXStdsjk6Zz=*b78?0_wToi#+`)fB!yKQ-@aLFH6bb;XopOT40
zuMjJX^h~=_G9O{1-HUcV^^7y?e?IVO(4yQ=4XuZ-FTSD@5Yk)=Ms%~*LoAPT?Md$h
zY@3Ve#-_7Tn5fHcj;xc97s7?iN>?nmhA{1Cl!W($iTw@up^h|)Lq+@QkrGjpX$2oj
z)e|&)PI?@ouDRT%t9QRo!X^GJRifIP_|8|Jc;kC%btydo2>bG;<qdC5Bf8kBxjWQB
z=L8+B0BHF4yPCqmz?2U7hmZ72JfIWh;Id^UZ@@Bpc3JoqU;}RNkPs^to)0Xj07(Pn
zM}OpWg+Gr^nXRobu6i}9+!I`AQheQLkz>l+ya#F=Mlr&?pAu3Ei+s5N>0(w_@g%7D
z8;9tr<Sp#AVyKjMhFQhHi%HYV?~tedQG2aau&a@36dhR5QKu7>eKrhk6Nmk+>1l>L
zd$^&ib!2CKS-!*Ye{Y^)*!ZX(O`sXLfmJw8zK~DWzMKB+MJ)Jqp*jcINT~#L(?pJ?
zfGi@xe3=wO-hr_SehgnjNmth-FoCJKwY~J?DG)l?N^fU<GYi{g&#@r&h-jwWnM8I|
z*_j4Rnm~*2n)%a2r|)a=IEPJ%f%9DjfoAG2th|7p@s&4aXVt#7YeFEsXXrm=I8ry<
zmd1cL%-{KqrR(JDOy*pLPV~u}*=!T8pgOaft>Ndp?vf_}vf_tEEJc<=qm|YRRNL5;
z4T6q}0m#R}^BR){a0kI^1-oHA4r>l;f4n>pj^nB-ARsDRKSJX<X_FQs27Vu=<d<L(
zxuJ90M-)?#<QE$2Gi684io~+K$s9kskyO8bJIHshdt%0oMMmZFG$iK3Zk6*C{C)~$
zVM})-S(BcUanc3ZxY`-x{Z%vdtXOtx7myp`G9@!1%t6u}4Z&C#FV><V@XSCGe}+GQ
zAlL{hx4dw!v|I`7g|Jm&cjVeVRms%kuIG=(*&GCGYfr8^RgaBE<jV9n0_|zw%j~R6
z#3%_gBks!hE86KFs|qhL;hMta4OJX&6lAsfcP<=ttR%-#f<F|5qb=YbMV|9#uECmn
z^hp#wnN7@&a#KJG37ML%C7z0q%enSef~;d;&82cdRP<tV^;vMtSUxcuH$x*=uoe5~
zX`sOsRQ%8U;_VizAlba<w&J-S^6?V!i?0&k0QTb%j2YzeNi-+n_-4`gs*ZFW(aADS
zk*plHkaMtA{*g3`8*Cypd7OlALv%_{GeM?r)u)4T@WNMwhz2cl_d5Xe=#j_s3EhM}
z5p*$7agcij#qMM1hkJ3Q9*6@gH*`kQhS2po_LH?JN#izK)TD5=+uD#1_^g+BF$RFT
zznR!q`N(-mi;DkSd?~BwZ)e2|d|JiaOO{>~1lMD}NBszPpO*+Qfz_23q(D1#c(K@p
zGz4Hv>Ty7TU`IXQ%*>dS@6K>(dlZ8QUl|Kb4PR*B73;x2ZkXNwHScJH8xozT1no0x
zF@cMF&@)DQRSGdE!W4ictx+f33ijV$-mjz(j+;#9;M(5_1@jDqjif+yAVj+3;xJI?
z35z(Al^7_7eZy))6)&KfiDqF?>wb%7clHjd4X3ola_S*j1d&lo_TD9VWTKUESPq7m
zbUOP8DB;}HQ#dvy7kF+>%<*SmI_4O&XCG_5RMHIV@h1m2_bR2AD{L{u!)*ilPfN5k
zDgvrjPk-rNm=uNfE^2P1Vmq?9i0kJf@27a3gg@o*fV5#8u3pEPKLlSnWCBepzI56h
zvfe&mL7rw70ynps0EHiq*@qvFbyT&@Jg`Ru84s+=s?jRjSKVfSCb1kBzAeUw&+H-e
z0_EhJ_Mquod=eFyst^P~$<spiLEW86#tEG%K*lwqE8O5U7EMH!=g~dhbam=@+m#cI
z=E89WjD^A8C8&FbLULBn<3^QWQu1sX0qD)=)n<#>(BqjC@aQnn@UVEp#BDz6E4?C_
zx%jcwPrz#hUYIj(AfuLf!Q-5;EbV9??mH*JFh$Yr3oZSb-{Qg>omGljpKn6=qwZBS
z1$PrlyHHAsD$G+fU7sc~iJiTY*jLTHw=qc_aF5-8N@)`H{;z=;S;Fow@UGPF)q_M%
zjmDK%RltdMongy}5SZ4P;ZqU&Y?mB|E{cN{;~$*PN*7=|sO8A*KwdWtDh-;ZJTuBp
zEP+|-owvH(ZStLsF+o2?{GY_Ayh?_%>i2R5Vrd{X$3EhIvtW;E&U-o2HxA+nhcv9r
zOnLu)66?C5i(($pYGw%`Ik1@nXv$V>tPXvEF<~~At5FQ5=x*1cJ14}e3n*|_1;|7B
zO?T`9ePtAYxBH=0t9Od=mU=;WDa2}0{3sKA{mShc*CvZ5K^GJ|(o0+>8itIkN<@hQ
z-mZ=9X5f95y`||YiXnN}>eJvl<@8UWy5{d23|weBZs(#gc_oalTT0_kn^e3DW5o7r
zH#`7Nv-f}QqK`~Vp<5|K-9xT4x{SY~p4UgOFWX;ev#7hZyFxOoxa1fcPgChWqI<2k
zExH>K%~S(K6{;$E2_0dzPT1YUB6G<3ggty(5u@AIM4VFWstevxB}ANt1GHia$dWV`
z*)HUW$kX=CBw$YM{~Dm)9F#y-CdB<*c8BI7e3{x>#GoZzwq!}#hVJr0idRNOy?Ud+
zV$wf+ZsIG%S&AonBmR4sx7D<wQU<x2;<`6)ME`h!Yet=uOEX==5tZuV83o(ix|O=!
z!|pV5C?cHy6?Llt*RK}lZ6DK7fXq(0>8fx!3{7%juK!XE4t2JfpEZ%3aub-<$)v~h
zJB;Qjq~?LXc@?s5u?($Xr@lUZyd;4BYr?4#Erzun&fKUS^z=nTBXpQ8E}pm!AfahN
zsQ~W<8@L3a7$F7INNvLjHD@-#wtMh*uqb4Y7WI^boI{)3*h2*oa(tWzIb2G-?Q8Fl
z#)v}s?3)(xN{y41F2guKC2m@5lrbh(5Sz8Y?xQnA3aX_*=zNV>56mxlXHg(tR$rig
z2xeAYg$ZLX7WaLy>quZ0HJo=mlFI9V&0dK>5WcG_=$`RhLXhnsBAHwJNc!lmP?_Js
z@8$v);2;qRqAcFId227e{2-2(aCcbai9O5klq50_&|J$>4$&qzUV|ft5h+zS92=mI
zOKNhQt8R|*jAikEH6crY7HfR>)~T=2zicSykQLGZ3ZN)cLMeq*>H6kD)Bq977rfgw
zg0Tp~;SoGT2fKN3zZh8>MYD&pnZ2H_+qw*b;QBDUksL2t#v)p9VY6Rl??M=tQyjq|
z8`z)aJpH4z?3lT0r3DhH+#POK#9@iF$A#8RW;=y0lS68yIJ``s+j=cAGElMu_M$Ol
zGfM1xmk!ppZnQ~qN|pI`s0&?IR7!s1+0en{=5rSuw9Ef(4N!jS!|xRbrEsW|eiD{C
zacFpkV_JY0e)eG>m5%yU1&JBbeENb)Vknvi9sPD05zL&%zyr}-OQqzdqS`Y`j+NWF
z{}F}8C(NN&{8{2}osf!lG_zu<9<`Rp7_#M;Bl=tuGxS?|kEOWhYCYxj{aK`Qq@}z>
zZ&NGTxK7CIO*rUiKCa5ShD+B}s}^EcD7vZ#t3eJ7$P)GdQD=LAJUWSf6oj6X2dcle
z`P~#yd$`u-D(1rny4KJhOpF6WumSft=&mE$0Cy3lJgoKVXAf~=crU`B|Kq?{U^@5`
zc>m3@d@I_pnVjYiw(Qu0whkp__Sq1~k(D(Rsdak_NR&NrhF`C$iru>i)J|3+!fA-U
z7oxV$HqN!Je_3N7d}^n8FA%R2rU{h{ZHMLYw*2&|0e;oNyAV7UN5~K904!ICBR;W^
z=eBX%um~ZN5>T>uUp_ZOnyT4sbElXYMHJwl{J0$5(@LFR))38$a7&!z*to$7gfekf
za|`j!FW$>FSS<Yc4xWt47jR=exithJ;hEbS9!J#z?p){;Kteg7;jI!><^K_5fjnTp
z*C~x1oM`oWfr&Xp^P2<6eSdMNXLaCAK`DE?`y|R!R3{>})SLmtRLGE5QgqJ>2E~IL
zl-8$YZ@E5G$E?Qb!5rr#5;64zy)7dm2`kw{-jgA&As2COIX&3L_{Y>rBJEPMjX!yN
z51P1eKyav=7)27}46DX809w-_203eDj7=sC>$3WF|F_X6VKj4M&ItvYWka;xB6e@4
zk+MvIxz9n6Ra8l*WVn<I;`QN~iJn}cDk|_vz%44tdt_9z^43Qgk8vl(PtYK8on2K9
z318O~MjkKdc&EYKUtJ%f8Ql1AC=~#UUyk^rrtr!1#ly)8z)viL!$dY{&ltovuhIPj
zE!QjT5fa6wLtgrV;pT~aD$SkrZpunbk}vdl^lTotLmCbc$Cuiv6xvGMw$gV@&+xm|
z(DZkM-5j^yRRM2|iHG7fevBM3XR)h~62TTJb!@8~#Mcv9m?pRyCR}q6#tf^R#V9sD
z^_)+@c#EFpLZfJY?Z7Nn&c=VsV;ciI85!gSh<*{<-tB7}V)$U3s^PKnZdmhF2oZ~A
zlRGy{Fk|8Ue32<?nZ|BYdxpS65O$KK8wH2Mlx1+Y5+@N~i#01c03pa?y*uZY7>z6V
zR)R8ddZ>`U#f?5<QwSk~BHX4k4vOV!B($f`*Ec2lT5=ys5|!N(WuxRcZTlX#%8)_Z
z_9pt#(A(2L;b%E`FsWo8gk+{}8ZFm&xJmH}Ttt~M>okLuz{fv8L+YYk+D%0uyjbXp
z*SfP0g)UziF@*c|rl8#)mb5NjVy_QWkhV$K%Vo^|pqmq0ITq1{mB5k~kYRKr#s=lK
zoF<k$*JAzxC+;jAKXb6lAb36vibR0T;O8PTf+IX<5u|BhZA*Gxg*uE=FK2ez-iLkU
z9xTob$VH>Z>bo68uq2zVEZ^kK<!ou%5uU!-GggdqvrF!4N?hEkY~xuY_y&&V*aEV!
z!N4!_sqi0cc^qZZ<0EUq>|ApP1Ph)T_~E)}<+<G9Pi_d!fDs&x!s!>BO{NUHS$R0~
z24K79ib~)pclbP9kd^N#b*=qy$|yDBV?4z-6XlTm5>$~#;x4f*WyLH#<hO=VG;ejl
zanOm{Ag(W~26iJ+*_(yrYHg-m7FA*J)Tw7ag$@Z4Pe+8;<|R0BUQ!sQ4(<M48?E|9
zmG5ph1&1yHI`GVah4Rtl1Nmo}n+z}4Vd#9-0>HW?39NE+At*7laF*gICG%JZykf5o
z3}{@aElLh%`yQl<zu=&FSu19Unf8cqziE(hDG6i%(b=NP>DK8*P|}Q38w#7qbcj%6
zcotbdVaiI%#p8QT?o>!{PUmxJOWb5}_Rye}?5QfHEJQD$Os19M;p&LQoVl`Z)}{ja
zI>7GKTef$~D<}l-9OHTs%R5OP8IVqI3_H+SLGuJr?`l{6ZJ13x+tEk%rXFrnpEf*s
z6o<DDEvUZT7$_f&et)TDt!7meI&ZxZ=STf!Cx2LfLIxG^!-;k~p+6;wNHZ-$817{B
zZaE{#NZlw;S;{Ff((~V@K$FDPO`_|v>@>0)Oj_;bkl}0cg6SK`7LM}PEiKx_cRYTa
zL+rMr$x#Z`X$HgOg~txE_1!GB{xkI%AP|)Xe|$Bc&e3Vx`|?P)nWi&6VzGD=<dB&w
zl$13}L3)oQhM3(n7F>$~qNQ+Pzat~Z%C;_BY*VyHnDL~k%#tIHO}lu~<Jx01XFLr<
z(q&Oz7&U(pM2+JT=kr@Ot)E)dG`=L|xC&4N80lcZv@?TN%lYRlqU)%*wId`F3KmiS
zb*Z6;AG-%!(*bP#L7*Z3uA;pR#?=Cs(7rc*ogd9eZc1XArXyyF<hmK?oN3lUEP!8S
zL&`EAfoo{_2d+w+M9N;*dt&SxZM<ULl4U)LT}zY+#yPQs5|T=6LwBjABXArJA@rqs
z;R6<^Zu>&?ZGx3*4Pl-;EFmh}fpJGnxgovsD$<}YS&bF0S;_Q>E6v39HZ|b-y^@f_
z!QRbW99F(mi%VVAVfDx(ZsCpTqGx0mwz(A1fREG3@I&!k)R+Qsgf1jR%INvw`D9ok
z?=P4-wZb;Jn=)uU-R;7Zf*l!t;wMb|#Am+B3Z<)&9avOi&Yz)#;8(mtpx-JWa$0Qn
zFrJXUt?x+!FD<P;#Ac=RLKwy4m(&Rn=8K&?i~xyrmG1DJa$Md_0gw0;ap~a+n<HUd
zJ*x&97PUjc{x%NI>A>9XKNZ+7tEy=k<8+821M%QrWAq+rQ=+1%{AX|Cp5mW7l0Ua6
zDQF5kSMHj_-lS5$oUbYdA96d?@XqO&7bChA4cjtz|EQ-nPRZ)(T<Eq(j2(?#2(W(K
zD^#f~ATUf?5>q5+Gdnwu+Sk48a!~+I@&Z7M8Yf9xrRj}j5Yla_wUFBgl>w?_<?da#
zsGN2GvzHx@iDwK*GFYDN-cXI7A1hKpb*$}m{?tym=7D?H?uhhhXdYB>XNCK1&;k6W
zF{9g<^eQNzzXN}|pOtt5iNH`y!`U+W%MW<XO`(rUX~=5J!%E2c!os4@<{SEi1Necf
zkpwd0`x(F3>k!wYp!%aag<W(x@dbvuvm;D!z7!6V*&O;`7qFm%k;8%^R(lm}wGxD`
zycrc4*CDS#e~DX%mWMLb2M><3yy+hlK*brx1rMvAZh5_pF78nq<rQOR_4)q%UlLaC
z4ea<p8}@VSLN0z|$`obMMJ8vpE)RW6m$e~#jVnR7kW8~u5*AS_j%_A(;D<AYe~#}z
z*}Y)1=y@|%<w-=z5P87xHKjI4b%nA7-<ufy))8RtyzdWK7~ZbV%+?4Fn^wBo^D^ue
zJOC2ec2PD^7my$gRXB(QkEJjEZZ0_w@56Ks(EhX!=1rXMQ24Kpx8qn5Kv!@qgzJ1k
zV6KO>$|JLw82~lw7tAZb2&7A)=haY}F2y>L{;RtSQ%RBYr#|{#xjAUeq*iVSJGG25
z4MJ=b?WqAGc6P;)#(t3zMqA3=xZC-9o{04KR?%ViQdLXos#lm^UbnQLkM^Yf^nGFa
z0C2`M){1V?59uL)PCuzOBcmZ8&<lwu#t|@K1h{(3y1g)}R+*nJL=mSkqaz?~mET4<
zZI-}+omlawmnl3n<21KMUwrURlfK<;s9dXS`HaFTPWe=L#PYz{CqzW;jLHQ4w+2H1
zbDfs<ao%KhAt2ISnA=I0_5kfE7f`<mi1bj<*?Ekt>9qU7u%=}N)>kX3Buv^-;%~q@
zci%Km2KU|=f-!56hLNbEm1fU|>-!a>Jz6~yp0(&goE{O<X@*2}=|tD04TRCi!j#IZ
zwj*WBTIUada2OE;u;>OcO8t*T+~b{=421+w()z`m%QWFZ4aX!Id97G}Q?W^`!m@Th
zFCnm&5$n%r1CFHm%tV)v>PM^tLe6w8&?dc)Ww@Y543>u3EFT*1mDj8N1~|HOlYdGu
z55YHh+@|5iU${#43&i@jUxpL^(W*>D)az+2tCwUuh6=IViNA$2zDC85SG1s5_2GA6
z_T4r{T`i)!)$Lm?9^`SjmA-Pm<tIAv=Bu;)Wp|`sik4;v7huMIgPpS?rt!(<rn?1w
zHiLeh^eGLZ7&u+OREO^`#bVxx{=k{ak{$}~6RG*GqF_7&9+}sTMgHGJKS_H?#;z~s
zBaQwD2ju<F+vH!%1cFo{LIRCUW-9lOXgkba5_M~41iGD4vTl`^{ANpvmHzd0x1hl2
zo;GVB-G_on`|kr3S@0Ozh1t!p<n19V`P`akDk7ymZVwMRB=BDR*Hqa8DrrE5V<yIM
z011A!zA~}iP9Vmn2r#gXMiF_6IP|FuaXt?_)=q}eHm9@hWkgWAtsKrGVrOy9V_FVK
zJnKH!C}2F|Bo`bXru^f@qtVHy4qX%>o(W>P`Mo_T1yXliXcwSdN|<0lm(~h7jvrdl
zkqpoYYhzZl1QjZUqMK{#ESvRrKF|LOSJn3tSl4}UM)s?&X#%}W9`roq5k>+Fnmh<s
zc$L@%S0t4(P5upRC^Bz~C%TLH7rknwxuf?^ZP_=OLr31&m-5OQ;0AsmD2pD2Su$P$
z;T|&e(h2cNZfgG4OYAvRkuav7CA_8~<xkcbiWtaOH1DS)n@5qgmiJOnsKU=|N6v?$
zbi??Dyn;y22Omp>fmASRb;yU{vz$=82S1Tkz4d%oqBf}upDucRt!lxRP8?z+ah@~v
z!?#F_jc;RA5^Ok)d0pV1w2pWiTin7|@SvR$^8kHEURmFpJM>QT>HB`YGUZ)_N2}QE
zjT@*7YBi5M^k~6)5n^py(0fv%F;BwFWDQB9b>-E0uT=59qXkN7xx9OSs)(Fo)G*Qf
zi!Nk`(&MO=_Mtbl_=|9L?rK3lMoDyT;IqFF4GU+J%?OCm9GS(IcGm>m2DPBZ%lH&$
zjA}M=JNf6ZB4$*>cvNa&QD3L!o|Tf?k5962dJDebUP>}5e{sTt0@7x1!%+oWKdO0v
zgFa|?OL}8jIOeGWCZm5ZukPRx#NYlMXiX%5qUP56jQJ*`tU9Jydj$vbbU<kcva-P*
z3G6=FWf4gXhs#;w51meAKtVumtD&9VJz2rFIT4zQ&nxt0i}(qmbh5URCHZ-A|MD}j
z712?h(mh9mMITMJuGRVq@5dy#3o09{c^R!2u*u}blj>72W!t_?8ExLA;jgSDJJKF(
z6^JI(1Q!_4VANz1m`f+rN?;2GC~BtqLxu_Z1kJ(jBB=PU{})DaeF0A`M+jRacC$~!
zAqeis8Bq50xNx5e>z2ben)1i1m@Whw$wBzJ*Kqi50Z*NvGlOWS4w<w2uo1}3w>MY(
z>xAk6)N9zdDJQ7F9;*u}SU=O!(2u5^BUyFpewz%r=HXb5Y(|>wv`tlm$(=A~{xD8>
z1<RVs6PaOh%vP3rBa~iBR7S`J=8rufzl5vm-upK0MEj#%m*3~(dP!U#@~KS^9TM%5
zP)Mn@D&i~p0rr7XRBakoi$TL+fRc@6j>dgA@bmw?gd=0s+T;v+uxNnnSMAEgYmv*G
z#OO>=*Zc$(g7UG4Mr|8%EHIN#T)N1<C;Hmu)JfFXbW}UtVDo-3>3Panb_jE1^{EUH
zNgUY!$4fP(6{S`Ps0##frHe>7Fv~==gBVOvt?ho1tH@(=I5kZU-|Btl8Yi=-<~wVY
zpCwaH!69141N9ZjsC`~wy>=M?tw@<?<YN-!#tHsW`%rPWT(Wm1&(6mu&~yf-6Tx+)
z=k*l@>4!jwp(Kjsoc0%+U1(zD_frbcGU&>D@}g%p@pZA8!-FBNVy7XM>nXEF+PE^m
z9obWQpbkBq3VSMqKR&up*S$faM(T~Wf*cL*=Z`8}eoALJ`$})V=C9qqf+(r<H8kSo
zcdCB}L3^I>Wka~8+JNr$p>dNxRJ5d2y90^qz32Ct`d-?JymaIzepy?G<&N;IaO!Pc
zp7Zt;ML=52j3V7bIza2txZPieQd>B?oJy$qfMh0$<aWOA_aR2IHR}B(m>qb`yh6{r
z1@A!}5F&)Q+XMI<N}VkvWu4r2<9nODru^<9uh5)-%+$71W+&4?64yF?0ss+8(NGfI
zacsQ+1e}~J1NSXL)7kHqf?TBR1Jp(rP-z%B%OZ*xGhkB}HGPcNPaH!!{C`ISi&;{a
zhCgllu>1U*Xw74wQE^2-zpE>!Fg}K2gb;QVZC_m=iL>CgmJS%7zMH7w|AM+zrtbf^
z#!p<SiSU|E@sQd2yn&9wj?E!etGdMN?@&)NDK^Xjy#|dqIIm9Q^z_a(b`m|7R__b3
zVW<eya7WQ%x-yBp5B7a&z9uYs+g6I@_)^Av$vf9*vlh9G<%M^)O%(jWF_6yot@&?}
zQ`~4G&R9CSHbwz74`sD)rRBP!9rs4Q0NoK&#dkPJ4Y4R2)6qTfwZ$;hhRugG1=PWT
zra@}v%@BM@GO1MbN)=TKH*tA#|KSrb${a3l26HC?!idO|(r_(;!h@c@XQYMSDEk$w
z1|vnwl(uXQ@SK7a3H&}kh#9aVj0!3b7=Sd>qkz|&+9B5Y3?+Til~aCBG92?AwIUT7
zqqCWXdCP8`F}VvxC<aGBzPA3PSpwQw8MGNQ7VSDT+YFvHRfThzB4qv|mI{-3C~yQj
z$7Rb9F~>Tw5o;n_*c`KLl^Rpq8eMGVAM;D9oWIF#n1%xDEN^RNt{soihHPdV@ZI%v
zu|57g%R5ZQfysaN&&|?ARBhOprPrO0)EmG*_|8quuO|pt3muE-Xi%RJ!<5Dw1QxNd
zhDg9i-c;ithQuYnf(mRMZGkT{lD_?j3pz;xO2nlYS3JgI%62hDeM~a{s;@;46(lS_
zbr-<0iLU8E4Kq8d$IJO9mA|R#;5|bpD)ZRnBsb$X)1S;}q;B}QcD?^tw2N8YAlZ8_
zLtUy-l<_uC?a2n6gO_mKyU|ivqH|tAo!gMnt{(-yG>1qpL?3#Dt)%Z+xbpH4y{)Pj
zL5aAwBlW0f$8!RM6fR4=gjFk9TP^h$U!iZXF)KiX#Icuzury%}rbryu)Ha|@BPBcf
zREu#d|8;Pocsc|2n+ZVfI=K2|@ll(C`6dmTLvOzKpG^$Q*Hh0^532)sy+R0x2&8|I
zp@KnbQb@k10&05s@{AqBaeUOG^-A<;!-2z_l(Mw@`ohK6Y8SwA70}Lt+RVIvE19aN
zuQ#jc&&1wZ%UhWtiTZz{e-=A#m<uSiF|=BUzWNPc=$Z2UY+B<sKX9>ovOq7c$`2^e
zMw)pjskus<7|xqyptCt1L6C7xF#K-)g(Mes3?W6G1w9b)NuLQ5kEDR?=i&>f&U^GM
zA#QsgA?-`9%Xq}>2$u_IT$H8peYH!y5SDI$ZRxL`3CFZ}b%3_@Y1bZBadr(W?PYY(
zFCvEj6gc)JGt?N9{aY2c&u^Ta0VW2+R~-$g>D`D~$4`{jmVl`y6<`_=)#7+a(Sbti
z7*+iDn`fr!`q7^2msB|&$=V`~nZ4Kl@$hjmW7VVlHt8yAka7XB!h1q^KHRPv`|v`f
zj=fHfSY#BL5CGyA=aM?BZMGV~y>4I9!vjHS$ewPS0<-qu%cMDe`d)&RUDAc(=o&E}
zu0e(B03l-enJLBOuRgw!MZf6dgXhQOrY(r?Mq7{7X(J~!s|{(v+OoYF61T%mddNWb
z1PBM4DsJIAYp;;@5dTp&Z5Ed)-R<y45KsZJ5<9R=oaP8$sC;+ILSPRsKZk`|69^4(
z2T?IBcu>^vyZ7B9^~$S6uLXB_fe-#>r%*~g!AY+>t&3k8Wgpo94|cvJVfM&H$*)*Z
zcskr?&EpLNk`&1cKILP<ILYq*9VT5zoGv0Y4_5HZ$Ud%k*|`HT-Wvb8_5ZCI)iHa>
zwVblqYSNyGgV&!w_jxl4x;m&cJ*532*WZdK8jhFM^k5JCiPugr{^WF8{Nw_<1^CyP
zYxa{2N5aNFLH5^Ip%_6#qz>d^Ta5fx{6D2#sVVUd`O4Q87;MXrA}a%?9bA2(Om4<a
zhdJBhSOKOmzbns;-fy>c!&QBb_gHyOOs+ynsw0`C(IO#^@*dqbh;=36W*O|{FL14F
z4&<XuxO)QRiwh*t)~B><M>pGw4~JBpOvgskyFeB^e8k=dsR8xvdp4#?mf+O#q!Xsr
zXMu2c!^8sK^vAR!F1FH!)Xf%`m1ybo@|PT;Bk4_?s&n7v=Qhke=iqc|AkCG@^CMH0
zGzGtSf)EiNg><aG@+GOk-&HPa3%jIHkt2uVmbx`}deDrXI8&*@xJSPXW*tCeV~H^3
z4acr`<et5m)I=`E_?{{Cfx2v7CQZ@hC>@vqRHu8TW4f>S3j~n(DN&e_UkNKk>oU#7
zlDVGJ8$y*V=>t#5YRk=QFH75D^`$K6J{EtgpT_ie#DKIsxJbAm$Hce}!r+<HgQulf
z13d}2(=A`t@BPu*U6JtO0x|KAOjFz{Im8PuN2w|1Fzx0z8FO@+F>L+N)7f=S1n*md
z#rJl91(MS^*_fD~4G7;ZBv*zg^0gk?zjqsjZWx=*^#;QBS_@(j(_O!p+qw6?L37Hk
z_Wtb%zoW9=fqKCMLM>RB3wm^;{gVkU6a0dY>F&V#BxO#V&23I^B8sWBDZvTH6~PDN
zRGv_u`toh4hh90U1MG<js)<T>nWR6lkg4<k(_Fc$E!OR0T^i=>avj#%Oe`9Sw6M-!
zkQ6S9_Ztkrt6`RVTTrCgu>7%t6qOkh$(U>Cz-Qppz)zAvYDegrLo1NGm3u#B2$F4q
zEQQEp$*ZX?&24~cW3N?l|08{Ga^%8!I*F1lid8~G<JHLzU70IE8K%kVtbH!kSEBZQ
zaum%hkV8S^AYlkHBUG}i2vGeyL8x;6hUMH7dTI}0*hT1s@Mn)czrUtU=WOvxdYQ|_
z2co&URvHy1T%%!v9kc>-4(&-&DTmr(!2>7{BO>1vHbBA7^UnrDn5n-3Oi!VE5I{m~
zFc|JmxkQ%GB<XP(o9Pd35ZLBHupo0KtzOX>{L}C>_m6uBd5^n<=oo5e!cAFid0ash
zeE;6zw5EG0ncEO}w|oo!VpqM=Q@@7HTXTnXK?OCYwgBbUPi8#7mogm!hVjC>+ao&5
zmgfy2{|eu561^9w1>Zn$A`X}<{qQgDBx{Vl#ml;WnhgKbPe2h5X9kI;+yyvjA;znS
zyX$4{haFuFKs}h+Sf#2M;W(J1{ERy&78<Vzi!Y$#G~bkg-<!9Zu8LP9G9E7Uk?pv4
zpGhYnbF1ajax&<+>2F6HjfSYrCdm5JKq9scKsC76*si~y7HLcU3Rnx&B?p?>^_G<2
zWrt8fYdIsT+Dd7S6L0Q|oj8X3pZ**XZ!r#O+f9Ji`6P(W=SEG*71*s$v92&EkZ2c%
zXsm5>ifpu<y3)%OXplvgguk2^B#Yw_$SN3Im3Gd_VdNs%h5!dr_%8x_1iGc|@K}S~
z%ZdnEkFAoMES;YXLS~}S9#jiX9)Z0R;O;-p@-}?^WiR66yHy$o`>ka0Vh>q8zSVM(
zHd9oiRWolP*npJyv-=@y4XP1I8=4D$!Z_Kr!&+=P00@sATPn;0Pk|TZyVrU7>$Ddm
z@W#eEsn%TD5ta>>8uz~c9F0G0kyST5b&<qEv!QKO2jkda&&x>`Gd2nj)3b9zm9?1R
z>M(_;U_v6wG2_kz`06l7F;gm0S<;rMU;xTVO4xLB)L@pMvaECFb^3Lh-fEs?yA7>J
zayI83nN^9B;K<b+)h|_fUPbtRxWt2)v1Gi-FnX}`Kefo>N=f0y=>Hz+ri&er)A29V
z+cSgT@jmC^Ret#qquwjhAi>wf)x0dofKQ}vBEQO{f;E#kx38Om;UA*6+=BKI0_(}m
zcxjuSZBIo#kR6X_e2N4=kv&DVGpe8O@GjaR2-f@kPRPrw{Z^_ypp{=Cxs-WGcfvk_
zUM~Zf!l1Oa=s#qb_MuM)b`r3(>IW*DuZ>mKZ>Uk)OrdhXVa|d#v?%V31U>fRu3284
zTh#GAe5GR2ZuJWuIT!=YWzX?ScX9P$*trp}#Br|^)Y;lcN(3D6%myG1nQF|NCQnB@
zRp{3R!~ImLw;ye(LwkJfQ()bcG!)Oi<s^l$Wp~9!C?z}T56<u@pL#1Z)iw`V)lsaK
zm^N|g(~uEuFg5%kx6u!66;D`Q5zxdnk(@+)eGCSajqB;?Pvd_j_XrEQ*;3-CE$FlE
zV~D5(2hNZo-npPXTk8*NyV?)?EZVJuYUZ75P|C`hkaAuSNqzt{-&M?@F?Ff};LsqG
zWNhU>3E{R9CuAp?NX0}LA5(7}7v0g$UXxRZWa3kt3vCiPC-+4#zYmuqx!-8;g7Std
zVAgCCLZ$9>>Uml&QFGTISb1*Hj466BQ6b?3I<?tv>@hcsPK%NC96(M__-*k~1b$*Q
zH^of_oG7yZ>3ic94X%a%B_Vdk&zbK>rNebNbtvt9KHhGN9z~eslse!92$KO&fw9+J
zR_QOTj4q#6=1w-pmS@&q=ViIan&(4=`y!?fy>jildE4l&k_UucU$GZm$@+^VgFV*a
zO~2Ih5lEUQ9b!RHvQ7LhnvLgqL8x0ts{uw^s=!3d>WluVbwM|H`uk8lGCK4LLsbD#
z3XOX82vZBQB{^xxQUyu@Zio!y=g^TdW?@!60G5u=W^|h?1UqrDuVL!qG;r!m6;V>3
zI{l)p&dgZ~rbqD<2MqYoV9+u?8`g{k;v)ToZBGI&a}2=5N7lJSJLqOPyfZRYr5Bv$
z+q8$+rE%*C`D9SOZ&^uq*mQ8;9*lt*Anb0yMQ#x>2K*e_ndrU12#Xp)8D8D1z!*R4
zU4e>dLEXUtYg?l>kc4Bk)5K15zED?*Fjlu4iqcScTbqxvF4H5aGjq4DXWd<OuD|Oh
z(lCL^ko>eHZ*nc#2k#f4)<T~q5uEjn2OS~rALT^$<I&D?yG|7@!{XnxUG<-#a!jF~
z^N=Xn*gkY)%fTX@oTz+Ug#)*V2SVq}VmP{d^~x9IJMKwO<V_BJjYHlvQQciR0Sy|y
z+T|~>@$EAfq-J|1t*zxQHNcMV0SCq>G*ZQ&V_2HbiV<2F_je3yE`;v81M+39iqo6L
zuVqj=g7+EpyHTt%%Yk5ApV2QLXuMe+!@3oaALBJzWhX(h>_O7+KL_PtsUDQ8TD6oq
z<R~Hl{X1x}Ed{G4aIbe=eFgR5pb~9_MIp?R_v9kDVm|d1`CjSeBU;~UeL>w87Oa`)
z8@m9a`B{pQUb*04-CELh#%6&*jv6j8ESNN3Vdhpx)OS|ZK&wkr>J)0wxfC^E$r@LI
zKgV#qdNub0FCGL9Siit5p;w#IjX`671?RnHV9z6jWVgPL_9n~@kNe8;z-zE4Jv@6U
zmuFN3_-yd6kI~N_%4}Q@RG_&iW$%m+#p?l?8V}qhT!u9XAvq%g!3LhX@o)FZFECyH
zawR4cg!J+b)pgg8<!(K3-P~%=l3hFI<lE-GO^WL5^4e>Z21me$4MsNhXRL&9xgC?s
z--3FTu7`sY@>FuWk~gHMP3PK;v$*d}qT76C?P&e+X{$kkECfmmJg^*?fg%syOhF*u
z4yk<inZTZWlBwX{7Tz{11gq7i%!P<ACtwQsJ-NvCoqqniYGMsd9U#o^V_x^b=C+K}
zJ!9Zt{pn{Dqpz+RV6QhVvehQNx2J-|9t)~?Up|d6VFWx&0srS;_FCWWb%ltuMtOCX
zN;vmaMmMtA9`m9V#KlfX8s{^?gG6pV@ZlW~t=}nV=rNwlrSyL&*;ovYZXk8D<lj6y
z$)|)gX@EbGqN|;+nal1t52Vl-lLBGbR!+`$BiFFv9mNBU1h+-^5N+v0!(aH}c6}js
z0T?49=Ge1d;KD|b3}xOH`l}c7DB$C-a>MZOO}E)2I~g&9FNr61X^c`klWy0Xm?IHr
zhbW@oJoMPp-{8(obktjClrUDc08MPr=f0k*L3#d}jr%3R2RU6@^^O&x@d_RE6rRuc
zhF=IH%vR3QFZ>ggN<tL@x0zy@hv+88dLe~=rdfvkjINIxoFdFbrA14eIc(I4(Np8f
z8O^LN3{O4WI&2MEXS68^kiDw;l&(D0;!Y}my==<>I-zpp4mT`JxWfrarSc%ne&K|m
z>!j<(Wr<dxe{v08^5<<PXOvxDaMn89P(T3T#C+&69r*hcm>Y$UrhTeP-DEB|9fcO1
z9|_)a!et|O$$YSq#Ix_8I;G7>>=Vy7HuI6F!29Sv=t6X12O5J!>illpJ$|~$&&8f-
zMkb%>04!QPusbx1ou?nUT~s+ixRNrt)B{*Ao(2N2nLz;J|5t-$8Q~2nBUy8`OSTaS
z=S}>lmv`9sDh7A=pY53(Y5W9%*w-6m^}@DnQ(2nMa|@KYBouxHXyS~M`O^B-fc0>3
zuVTmbH?9YVk3(namNp)WL^yxUI}x$8J&eDl9RpCSQ~(17X7t;PuRg+XUt3DAXAp1@
z4m+1^Dh4zNB2fw=wO6_&yho|y9h7NGxIL#fAI-r%5MUsrk-=qg+)I$xMFio>Crpph
zl>u)f-)%;QZm-)fqd^&(vy78vJtvs+1-$|ub1m*E^BlMczKV$T(Q0P+Qoea2Cc)tF
zzZc(Q!6KJu=F?VL4*V1UA>;8{H_@BvgBE#PBSIllRj5J^lqXD1M{5uoteiT86UufJ
zh=NI|v8WAyw`RoC@-s=>UnOQ`;`yKtkgtABox9mg20SA`Q~pDs=-vX)M%bTh3>d<q
zrdi}G#F1~Zy9a4?t+ndS$pFP3R^*QiY>D9TA)*4$g?U_r<c!;e|L|1G&a8N^g~8!H
z5C-nNUM{oi-^>->Qh7n#4#1{H9%Mjrt#q))3HNT|R(3qT7$dgVrG?eO=}fL&YN9(Z
z_V3zO)34`wP75gxJF%w4hO2Xw({vicwyP+46KwAR72aJ<V=wV$<9)(E7U2od>1z(x
zA`K~~n~PZ3s<fsyM0}eINOdj_+(oSWpCwbMQ)@d3{vv^D&#aDND9+ZE<FUvLrDN<A
z0$C-G0-MOSSu*Hk0AzJruX|r~hhn=b&ZH*3(x@daR5RZ4jCAK56NWGO8Np@f$yO1B
zW>u9SC)CERMK=|bK3_;wE-TkSKSFF8mvi&C&=|Ezs@qlPGu|*;0#$OiKyqz0;RMqL
znN=%HF;1MhE@Er=Ai`L+6~5_86Z=?XE)j7^LBFHxIc%0qt=uH69P3}+WdcxWQ0%-N
zU7bFo#xWA3bSp#NR)Uxg#3lQ()rlq}gkh_&S_rTIdD^Wi#xQvp6Mr){wL2>02%dVj
zg?X_4+ZoLk9dXzGU`v4J1u#~D-1~**1#D^-M*cT4G`aIzY|`un7?Z_sfqjP=nn2X%
zi+e)0@QR2tYRhraL)2|UOti&ikoDuY^W|Y-n{F&l?XBt=_;C*DKz}`MgxW5$y@<^G
zUSgI?8S8`wgKZs+&6X2sXtE?{y0h_Amzm|ERy&M?CdcUhjoUg-(ITT|8(Hm#+?zv{
z3iteYQpt=5StVub8>-U{#=WKZu6Du-<D_&X3hHiag8%$?I){9(%8EKha^WNJK@ew2
zh(LxJ4L)TK{PH1r7_4Dbc*&lj<+i!`$i4A686P3*=|nZ$^En6m?+|KnKj7JoTfA4e
z#i;cAk?#82b9EjAn~vy?AFY(yaU(emvv?F!IvQ@nAQ|4_m394GValb@b@jd7E_}Q2
zGOlvS41XO&5M_E|otm`ID+1V~qy|Kr+tqAhVFpBay?8Z;t7yLWNy}J?T7b2RpRg20
zgmZ?T%zCyOi=~W6ZVQiV9i)1hK*p@QUuhw!9PD#Xd3BtWe;<EcS=nYKQ;1ap{+ewU
z7g+g6x`EOxK~b;0ibnn<q|qA6pAf#uXyl1a$t4y^IDXf#!H3|*rg6KlJ?TQo{LN;v
zsc4SFN3W*IV<GeLHYghP5h?4V5rZ)j&U*I9VzI7day#mWfU>1xQ7N`vcYx)_++75x
zT$7}QKi$6m#*Z7#(<YjJ-D`G0>^-D*RQo3C9eJOZ)(sM5C18}_$nrEw9IPOW+#i>P
zeQ}%B6E=2eYwoMd+;!8#sjr(LOx!L6J8+m=WewnQA0XDc**+Sa?UesH(JWfg_}*!6
zJGmqbz1=TAw&jl9?Z&5<X?W@@ZF)^#c%Nz2xs=x4d%{%R+;j~+m^_%Wsrx1`j$BPa
z!HN*o(%I((h;0|EdJ0_@C9t~Jn=<Xm7z%IUIwR=xo>mhXEIl0G6F*y?SH^N|2)41r
z1&{_*$OPs>#BUmz(G+H{vut)Hm#ZGWdff2qJg@UkbDww|axen5xh}GI3KGPa2fuVZ
zptnvp<jUf6;M&%&9sAW^hZvuQ2o4Flp&$Rscd1{xbMKkkr#PIibQ;zY%)t7L>NxB;
zO7E=h^KrWF+eYx4Ge)ZGn7|R@8WhoR2ybISd@scRbfyE7i}%CS;IT!Bd$lE9{<4-b
z*NR1H@#)jju3%3jK-|P(@SX9Q^;dcAS>^8KoLFgFnKzXEH7pX#78uCPEj2wF(V}b7
zqjemU+OhK={FS|#$;^g7^A75%$;QhpTaZqsnm`C=W|Zc}xzsb{8uI8WKCse@lRy(V
zyvi6p*H)Jcyi;_mBB2XfruN6{nI;%KsFuf&g14m!;LM21v`D|;q(UtIMVL({uJem}
z(zC#7%|ef={wNSCk;YlKkEaq=lh38_W7C9xbC$&+SlzE`IA2+~l)=q4HCG>Qm~o}_
z4<;lITEDRo#2ykC;LxHp|8!=EM`(1czSkj^V4!v#3VK>5zr<KU5_dV`s#1dkK%KD?
zu-}_j(jx&S4@x)4QoJ}fcr@YSU2r(nM<IM+8e+t@=e}s3CA=zq4NyfuOk7Yo_6!>~
z*+=+)ZcIK6W*`Qu4&sJ54AqA3R|+ar$L{0{>;ag*T<Mj5cM>4O4@@@|6nB7WFS{y`
zZ3aKUZ!>ly8n>N-&ox>?x-1+{GeY_B-zsZPVH@k1ou3mu%5EQweUgX`PE%CH4S&$*
z04+e$zs`H~k_U3#9auvqRK;Q^7s|}IuwvVRx}RF7YBP3rtb4}w&Gjy)xu!d6YdI;^
zdoah>@C)4a5?LSzFkyzNEe5W<p_aKUGyv=bye%BGS99^4Vzv*oql13hnWMT7#Kmh#
zf_C3$ZC}3q=b!T)$@Mq22pC>GTYTy0LiM)_ov2p-hQI)ByP2q1Wa2;n2`0i&Z;&=J
z?<=;6dKpX8ur*|bE4lE_pDm%b(1?&|q$J~0Zf=)Y#myDZ(lGS+SM&iY(Lvz|AePeI
zz3}zs^r9y_h&@7e*GynjAyQD<!8?IO2V8M)jqZQ%;_>4ib!MS!5GUp|=C{mP&@&*t
zMs(YP0AFUBf)4hrU`gmTKVxnv!CRLRwrw+{?hbsW7|r`r;HWiN*zFinlyK#<;Oe{g
zGeHu|Us`X(YL?CCLqeK3$I6A`K_=SDtog4|ECyu5_DwkhKl#^c;4KHxE_IrC<jKLX
z>soaEuc{cTP6SOcj;nOb(VPn#wXyBpz$8&`nvSiOKIvxY+h$wVL9vZKeZ!{&ofn2l
z*6j<k>4_8mu@B2>E(~?eEuDtZBk@w%qUL;C1`PSN&ICs{9pGFO*q_7zNkm{!0KG?>
z#bZY^B1q>Dw5fP2(8eX_{veBAYoy@N?^Ez21CW_nbq-nE9DQ)0Mj7JP%uS3h!uK@f
z5y1pv9(^g&@!HRS$O-5}1)<0ElLbz(plttQB<zg{xsWFCMz&C^$!cdv)!%3!8o1XZ
zGp+mgw_HQFKcpvVs4mg+LsNQuB<bm~(!BDgddudEfV}EP){lY;kwlw@$>b%f+9VV_
z*(OCKKh?+9bv-RY?G8O9M*(7<M>hLQGwp($j&a4%V_2&U@NbxasGZqlV%%;Xi9(V}
z!}82M1T815F2wHiXJj%XoVUJDZQ^{oN~a>U*Ph7-G}%q>T^WsTSmu2ji;`j5iy7y?
z$cO~2Z=sK|gX5^to>D56W&1#!8z9z&Uw|biFZMN9P(=T}Qlx?hhnsTUr3%jxCJ<IC
zmXGV};QP!${vETRTG4lk*U{5kXoS#R)%^2W<bGwWfqVyYQ4VN>e}5L>)XbxRYXj-i
z!}FurK>U#H@TI@SCrd!)YODWxT?t~wU1~vxNZ_<#C(#$zl(YSW8Uh1nzg-AwsEuG0
zMKQdv*re?7dZhut(4lm_d5%ar5DBL?vcZQ&*-2dRWy~H|YX5cuHU*HoAuR*~3>b~-
zB!oE(UcwD1CY1nXzKT!s0{k46E`U5-ieUZ)kh3XYd;Revz%}#<96nW29MC?n5~flD
z;OoRS?G3?NEwp>7iU43U`X;7&J+y2UF1{4bb~YMY?vtjyf*Gy^ZzzWtlN7%>01h!G
zvLQGIbR&ktHwSd7iyJ^?dvIMWpJeP5ti8!(56I(c!yN%ld?7UbJv-(&nByMQTKp`u
zxUUswBEmi0`2XDcFMxQB&2}LJw?f)A8g?#=cS`mwu^Q;&R$@dOd@2fj<X0)9DpiwR
zMSp$aSwZJTsbyEYT<Kj$fWjyX{VT_#mrjL)iy-Zs$&6gp<8!+AOaTJ)WnIpJZZBAr
zW68R|aRI9sv;A63yKDLS_(0#!Uukh|0Cic@j3_q0&p>k?=ec<pn$znw76Z;^9tlXR
zm)Q=iu0xV4X4}ph)^}f$BfXtfG<zM}5V)3!dR<>sH3{;pH|JedOd&`>tmM8hhyMO;
z*<x^EwBt(-lX2nU+39cikedDK7xu+kLT#Q!I4D@4YFkA)?eAmII(Dm|Z^=H6JDpSY
z1z^2s58FnGslMSX%gc`UPyTqFa7$=f_%Ace<LlqM2^K_8l<JQvYWFpEiN}u{WBDGI
z(c4LN(LX@)WOoI9(E6v{SI2mEm?<oG#GEk$qFEU6`0&fw{Ld>Jv)BejRNz=UoZ90U
zJ=HphM;D}lWfPT|@PK(a@Ibl*jiGI!egcz~|5!-^zVajNs;6XwnMC458zXA_`%<Oh
zvO?DxtOzRg5984>onWgdvV#0>{EUxbOLeP6Avfk3|Noy_0V?(D=h~|zqeHx#-#6W+
zMMcX*I#DH!mv*RMB%DenGrE(I7k{Pitp+{chJiz2m$*RZ+KRt*P4)u-wrP7JC5Vn*
zc&L_L%UIZIB-L$U5X|0uPy$d1pJomalE+xv1AR1SBo>~trV|5q1`xRzWIWM+<r{<$
zY}bV5ezw|byBuEa3q!=gXI5;8EgafJCIl^&zcHxGcwKFnsTK=m!tQ^WUx{l7%`fHP
zC+1{az%<~W2+9MP&p&OZ#Ji#99XZE&nV*bVF%gr-Il=DRL9`x(yzxILp{ow^Z#jV2
zX29lhrn$OkCGlfQ7UP!|c?J(kGmBF#cH8R64g~kuAbJ|K7SUm@bF~i;Ny-sZ|GPa|
z>p<GF+1%oBma8;njX*M~K&m9>&r5I}nl*ODOa<tb2R9XE`E1zgsH9{roM03SK7n$l
zt#j8V|C&*}D~snSt)>`=n_K3Yq4$~isR@JYag_YZs7fhZ+;`2^w27>1#Q8zu<O&3d
z^R8vwqshe$TQR~IpXC|8usStl^UCRFFek=Fwg@zH3G?v9`kh^cC-f(J<YzjOdKIlR
zZw{uDa6tV*1y8s9r#gmT6&WTP#@o$O;UA-Rp}Zxmo#5m|ulZ9+lWg#^0VkN@VUs`<
zP`|f4<6~egz<wRB2ziKUrO$2z>&>hpEfoG;&hKe1GLPzK)*tkYKviA$oTCFFore>T
z=pQZR9AA1YLAsnSr=CT=<9kdm+mSOUk0Y+st16o(LK}S{M01GiCtxCrCJY4#dBwJP
zC>i91+1hjPmG;J?(r!|ngGL%B#$;wOx{>~ozx{j?g668NmD9_y>Lejup(z?2E;r5g
zI{s@y0W1APtGqN}|BZwMID9sVIe}eE0a}~ofi($8xzwAhjJm1$KRy3_E;BwH*JV@t
z00itWlh)#&HAwH}Qd0?4Rr_gm1!PLzj0Y(~%=T^-j|@o)r9uoLC6Z_Ry~~6>*C>zi
zqvN43k`$1u-K!SAfN=7A&BG9){-(JwV9O5k5Y7fmG?DXW1>6oDhK|5LXJ2%hn3o$z
z@Fk&jk)NO*XubyTo9&2h^zT*oVO+urXFF8v>K}?$f=a3^kW`?BYyFrgvpvS#Y||;%
z2|dI%-wnqPJ+FzdR?7h-#`u$wv5*K%`RSrxXw5dlrDW6mQs32L7TTMI`QQT4INOrG
zW;gO;4e>jOg3szOLX)MLh>M1~rCLC`sWco(Q;!mKgj&f4IT3-5-Wcd5BkVrvhKTP~
zNmf%onuqHI3SfbW?&H$LtkNP>PkJVzzdmEA5g(sf28iF`_vzG&$)!r`5u$hlWB+b;
z(?ZCWkNSE{ai<kEteoPFf7Qpp^_EjAhc2_IO{Q5(nEk26yi{WHcD-O06|!tWrh#g_
z?z_V1eyq;w!sn!uubvKM<B5S`9LJ@$MBIuA{Ih~~4K77TJ`?kQoq3kd_{qn?*{nI=
z*;6#-2T^^8XXXJdldTF#V;LernhUzcoWE#{lP~Qz`ya>Q34Dj-MRmT6w(|sMd#xam
zM5z#n?QI?eqDL$LB%=t{4SpQoNWyHbTc~4Q?8_UlS9mqkbxCYD2Ic^rRPBMagQ%_4
zaGFF!r}q>_<Q8w{1FMF$-uT1@o-WM3pAK(N`XkDi#9^%9!_{#>4s}c{3%SmDiV6jE
zH7FxsFEv10jjhD|D3ODSmI0W+Gv@B{LW^0vAOxaG^X+nWjhD)TKeqmgTmxq!z?=Dm
z#2WP-q~hj|$d<+GvhIZcjjlR`4?|3zyqOanzg$wDAEKhrv(sA{lgG0$tve5uK17E7
z>o>)l6}{ZEoI-(rIovLWq=q#~oVkfmI(x_!ZLn5F#dGit4F)l>x=HrsO5&98u^$jJ
znI+k0#)b&*__xoZvBF^DfH<5Vl|Z=aFhN%U3wKW#-5|jU<VXERUfqo1f^p&1|JnmL
ztaKm>896B24|}rHR5ej5--OE&Yg^##Z;1YW`u+4e@1&2;RoS=Jfn<lg1haRJHW#rH
z6#E&ycp7Z!n{15dY|cM<Mov1oWN-)~=7`71oIIrx?8+?Mj;Y9jRx@ve?w!giOr@`c
zf^^Z>ilEu~njXHnA*LZ8A*64e^-G>ob0!E0ycwB;3)37t)f0i0Yh{@_mHOizJRRY1
zqPu?x^jRQZh&^Z}x1bkFXTue9pqq$<H}GMfc(-Fgz=UZ=!pZBXEC%E><`8w>?4={y
zM3+pTr4soK*|8`7<B@imdsgRuh(TSy5}~dr*)z}EBBX3)JT|OiY$+_rUbR6x=z{VN
z&1c8TVL$Xjb}v>cBkoz<7K?8=Y69>FGn=Z_(L<&xYv3Qp+WB?Qo|@BhX2@<bir|QC
z+ThE6)3+atE<2c59jHqmLx+k*cvW*p1G1}e+2K_UZ+IZUsi3YJo%?)K%#ZvH=gSm#
zc4Zj&+_!1$wp|dAq`__9(@PRk9AMvhS!w6W<}pwGCC)rmhI#d%`>IYpx2!BN8cMCS
z8nTa|`X@AXZepgz0+yC-lQ*616O1a&+?whm`NpS%U1HT=YIs%F*{QXehTWi0sxH46
zO|53q+9CD2a54h0!e`HmSYNp;#}lrfg&4WOZ@ZGBmK}NNWCs?xi!h_#r2;dxE|yOX
z2z|Nxb>c(y`(JvL(F5}7cc<@P;dN4WS<Q%dyh1Vw8%ypOCJo?Dh@m8euqe6p-~l$=
z*@g${&`fJus2qP?0C-9!(s8uInN9+`f8kE6i@1X<CkdjltLZjry+xdU(w4h45h*&?
zr~)oOr+fxAt}REBFAdEnxP2Y*5%B#?D~0obz2h>tj{dJzI{6!+X_y#i)awNTB}c5?
zz1<cE3|ZW>>KB&N)=$`ARn{H{6q9o)9AoTID)JJ2NRfyGAeqD`tmpKkLIT3*TF#!U
zrF!n-<`&3Q=R|qeG7ce*9|UxMbeUikoiv--m{CBmnl0lMR`XD`>-e85#?3g5OnqI5
zxh!f>mz*Hr%6w5s?V4DR@vPJQKUf@cgns$R`!VoVShhlpo=Tee`a}VqThU~5<`d{>
zQ&cFs{PO|e#8-!rQ$|pDB<}I)80JhPJ^HbJ?;1qp>PR*9(|ybuz&J-V2v9!!joEfA
z%B6{2Ty%=`vPAH`%-+kGTP0Jn->Wjr?!W+<j1a=IQ`!AC_AxPsk-g0?Bd|%ZI1=8H
zOz9(;LeayL>|5I9Co{YO<=K-9J1u^fORz751kuitK2^7Yb^HVLZmEfjEZ2HGd`JNb
z4@n#<J~lHysWi0Zv}KJoUaZL?heaSwy_E3fl;qQQW7WQx9~I!Fa2>H@Kja(;*V8=?
zU`3w?DWoL8i1QBzum-6=F{SPgoQ!gkC`}h5a<JQ#)8NA1%lq?Q^jQu*^u^3Q2$5cf
zBX^33;|+}m+8lw4!|hF3t5-eEc!4!oD%YuC0BodikcyeEb-p{jF_&GKgqKRnNwuJ~
zoe+m;1umJGVfU^8`(g{Q{sRnfD{Zvf55hy0kQv+-5l(<s^uLvKd=8(H=N^rqL;X~5
z1VrQ^S(3w91c}5Z+9NlX&L5-9KEJq|!ckm@*3}wtn#@}SfFL4O^-KtMm@!syxxIQU
z>TQfgcIQ^Kq3K>msv7o>zMdnIt%`F<^@a%XNfVG$mIDYqcub#WMyt}^OIWI-16|fl
zx*IB62JXnIapgDO-jAz;pFXf8vbg#yx!{&3d3MikaFSwsTq7L_ftxPp@P@;$Lyf7n
zKpc{hi1bt<rk0h{KyDw>krj1^kW?s{`K>H9F!(jxJ=8S%+UmX%ArIj%1vX^H0tUW}
zI;iJ6UVH<@&elEzlNdvFMN%<trrx=Y9-~P5cSkvPl(4J?#9_L~vXOn4jNQY(?)~N?
zNHZP^0}L}xJmq6RI?#`+6Amgtleveq6t#jzqkFQC|3(n=h@liez%m;F?kCa(cn)CA
zj+kw(%LDpJripF5bObut0iozJB5$gisaHnCuV(Ifm1xKMNrR`kevzP){!|sA_s5WY
zJ!HkxigZ8XfT94)0er}9HocoPw4@>}z)dg|Bc?j=?0m25X;Wi$i~U}gA0fAkShWj(
z-vP;{uhPxm;W2e9QI%Sl_J`f|!1yBRds&t!95U=F+*eED*qKajGPlXtElWG{4MPHn
zD)C(QseM%Ecyn%w>l46XLz)|*gPKBdsTA+^>MRlVgJ-Tb<g4>FULz=8U}ps>;6Ho!
z(s$#bGl-#!WD%7ms&uONO_$BOgow$!Nr42Z8bp6?@L@i^?p{7{{3q`CAy~yla1@h%
zp_z0+bmu0Qrj<Q6amY;<5He{`kh?O&2PKXf-e<RyLNh%^h`_r*Mm$rc8_3Tl2R26S
z1LC!$ufTITGM;cYP#?5B*8*G&tt27B4ja13C`LFO%lCZOZZ}V|3ZAs5qZya}ZEu<F
zxPlgddB|{?$G|L#0~5k|)c=ZF8|h`fm($mjX9Ot8j7eB$#XNRZwZ1`x#hmYjC#;-O
zh(uasYF-r5e~G+h(i|GB-=enDJ00H!@IRz(8Y`Yi{6g?>=;B<ftd-~;QA3E~yT>ID
zb(la3p1_Fh8(+;CNk}6B!wfbY-qn(BIjLxMu`KK8HS}d6Ux@?!QkqpL`<#o<M@tj?
zY~?6FWJ)D}SB#gG(0hsZ6XVWscx=TVIJak;E}8jSeL4P(M|foZ1!gK&hMl~Zr*r}}
zCN^dJPCOr5PC^McTmZz%RlZTeTSq~+y<%98oJ2%784G#8QVa(}e?(VnMSIY*=;@xC
z26PiaJ}NhZ7g1SatpPp%J){VpUPw*kc?qC%RLMvdqW?8mwjwfDu%dPpYO$mo_`$Ak
z1}lI(C^Bxr=t*~6Ks{Kmd3Kn6iDBjZL<k7mw!L*4)G>>E&Qw8#^&C-C5ul$*+hD#J
zO7;QC>NzVE@wXGcv-QKol*!KB#Mt`$5KI3pqRH}QKC4E=1R;pRd}dkZR7XkC_T+DB
z6}ATmTd(m}v{@2i2mf+Gnwn=J8Mp&O>9}{x>v~0m8b;*ld+HCN)?$@Dmr4~00KJnQ
z@nEEj13@Z^uHgP7F5uzj>R~nO3sp%Mf>2POn=8lQQod<_WrnbyDRN4^mv=xc34Ltd
z`0!P>wFQ9l9uWpZ{@DP=v<1twS|P7Eo@!Q+s;MO4LYI01hMb@ZEQbU#<Qw5N;DG{W
zL?q>sPaNM75(yj6JZ6yM<{tl^dT3dp$LUPTLYJzA<n;`k%Yq%Em>=lB6k6j|2n+%f
zkneA2gDJ6%0_mg{L*x=O^3;_?a$v|c%ma((F;C@^`I4CR>S8waW&-krxJfKm#u;ue
zIxev@`5*H8?Jcr2j~rIi_o>^aDqhUYT*={>(f?rPSJ$i@Y(BN0C<MmRQ<(`h@Xs#f
zh%#deZd9_bs?Os+iWTCc9Wzy%6WB$|aL61MYT$O#cH!PQYlofAOP5n<0NU(r`5Rg8
ze+`kn^Mkf%G6$~_*&GJ{VnBU|CXjf489Un)OWSI%7}5$(MqF{m-hecMLu}Zj`!f*)
zBDpw<omeYWzd9O+`7-qQrgH(v(MW-4c;&=t#0Dbqp13;wD+K4;-i*^{{2bF)=5aJ<
zmUxcZBt)|LZHy}`W7rSqZS)Gn;78s8f6Xd%)JZ3_R3vq@%5UNrA(s^Ck`+~p%lQqr
zlb-1G;Uj_6nU2Oh2*dXPt0q55c{sQx?RY>IW@v9ifgr`Hd`-ln<+gkb806?eTZqnk
zt3lNP!6lJ7l}9x@4IcQ^s;3ra3JDbI0}*K?W?=k&uGviv>a9y^Gnr(do%pQx#<RhE
z9RJ?RxVJy&md8^PI%b(!(oP~$-xqzz!M9s2u!@Jla!LFP%xc|Lyx)KcDH}>7+rspD
zCyVyxy!L+Pp_SU3_&rn4CN{{;ND`tPkgSgwkja$4w?(MUN*uq$DX+2(AM4-OMGM#f
zk1Kk$2$c5F^4gFLsWssVex7inzA2PbdGKy<T(?tFUp708A-Og;tMlKo9VRG!S9M}O
zRR!d*s;1t$Wytw-`9)5U0OD=<0IxqBFii1NEhjIYt_u+zmx+lt1<|vAi!L!HZ|JzV
zMRDnMAeTXw++0S-!z+V;q}q=W(bu{^{;C^6z^`*3#Ljw*cHEL!DcFQF*(U(;6^`=f
zS$$E%sQq|4J2dKXFF#z7)|R&K7L=V2{Iu=z(oLuh<1QZfoO(<F5j4x-vwPrwPfRzY
zXg=tc$RGx!zAc+~KpizV^2<BHHt@cJ$_5H`#t%qGMO#0#CJM=pL!p5*mO{Snh9h0d
zg{KkoV)jr})GX72a8`+@o(OQ{_#DXLwA4zMa;K1vJuVWzwLsuM!k%*khKVCq`)B<;
zm%0vEmzf#p?<&wHH=woI%ojR74a3bb$@Kax{)%$(E24(qy&or1G<J9#pHI!M%3w&|
zF1BHiy4hg!^>pY6e01<a8dsagUfEMpVd+>nq1+)GolE=XNWy7`i1b8NGIOp@a2ZKq
zOQ-N^hhlocROJ8oZKv>j=FGLlyKvpapgZpXa?OTz?uYSzh1lN-uo{zPo4`nPiN|06
zr@+P~>Rg4-Pe9Y|0JLOU1qO2h6ClgI`6oYx{CR<_It$7~F(1MEW2#NOe^C+W`#l=p
zt5vwRrW(5%OwYLXhVD_)L?s|IqO~h7DwR{DB6Ic1RCU6f7Y#uK6_^&b6CRUOb5e3d
zIlfJG69)1@0IWaXl=W>mdnewic6;eob{`j&AY?R@BYoc<(d%F3lee3V<ydska1^2&
z2ECxN_lH4U%Pkd3BK>JC)*qUa&a6H2Q}11~ix}8HE~O#$H-~H)FEns=w<C;988W&T
z9k0A0uRrY_4r`K5-uey3UqqPyXhGY+Su)2sDCHKz8t30dBuj7Pk{~3zRMJ(lG`wtD
z0%HDk?ob3XxXZHBwRj~p26zru9a^Xl##M~MHY_BpgoB=<-4hs%GG)P|%v(Bij{FX4
zmQEO>1Vo@qu)!j{tt_@5YsGYjO{h}-gwl3TnR4TUS(io{@CR=lx|t=IeEArX48$TV
zXLDxtt?yL0j+!3P>5r3u<?2}pIBR>5&c0VsdxgVAZK<<Xs*jbPWPijzED8O(lBNXr
zXv7;L&&3cpX-1aeT%P`Na#q<_%c?6&iq+3}mrOyk#45^;FO!>|=$|gY8xSvEV?6sI
z#tH@_IY_Kk0;z&fHLFe>#pqsaU`lE!8npQopfEBsBvPG>frlvRz7)apRJC=%wt3z#
zt5F0*!&=03Jj;<LPx%#I2AKz_nxoj3YJz|qKX0T}=5;OT&ky_cSh~Oh8|0KokC`6z
zi;~1)>_t$y)j`{po6>@ss5YI(j1?4`IydOjn2KSz7N8)kgszkW+tN?wtZ`PUVtHx@
zYIv<^fTL9mp9koEkHyHtw}{w{tD?KUQf3ro0Y~LoSS?)5zkNzA!1lbFK)i}}e!F++
zeHx5xn5+!Zv-sV8AB={t755-rZ6dkp9(`R3dwfvgOb<*8L81p*xEPn9eTzUZAz~Ji
z^p~G8&oEn)4&lSX`#cJRJW6>eJ+voaJ=mjSMNQ(~z^m4nc8<76;l;*oPm8H3`P>P7
zM&RbVx~7o!ZJ<vZbYjl3iZbN1d(D6t_siRHMb`|sCXS~q+y;5Em95w~YTmIm6!$!H
zU2fZ+<tete#qa$p%*daWMPCDBYaqP#byH~dEKFzR{rK`MeNhV-Ze$Jmk_hpTGst3F
zQ|%JIPr-E%iN{H=Z&BuPQ3NZLU(8L`R(fZ`Uhl<UmF8D*jGzOHnu})9!`)zk<}_Xc
zYCkQKj(7Z=(-&{*+EN%{LLF7Hv7@tcfTM)|h;vmcqa+HiRb`Z|RYtCiE@4qyf75L6
zlgAs2GUJZD+agUEps41h*yBQ0dYem|9JJg<#e~*4q)4jWBmes}C&u!7K=WT*sx7aP
zfL6i&#)p8fA5E!-fctiqrn(aKEwscGpRzH#3~C7v@_MQdt@p*+xai69CTL3XJWn{=
z1G$DL@<qTh)soJ4SP+2_^x4!l?GNr3$VlY_lx6IifXRj}t!O%hTuGgN3gPg`ML2z6
zLy#P3Z1!aOZ<S=C2koEEj*?AerKXrEk46clyzc@qnRxIX>XB@MaED3SGAubFRySI`
ztsqw~BO695KOG?qm>?@=6}7f>RUkd?4}do{`#q%z*c2WA2b%eGZe+-<6r)>A&{+0f
zft8JDciLU+Xk6bp;MT}+lx1NJ3mR`pu9-gVk3uqRX7rdwMo7hge*!9#dc4QisiS%S
zr<mCQyrnYakH;VCu&cFsI}}Q7M5VA7JwRQ|$B5bRk%lgQi)A0R;+iqNbKrCKTDbE4
zV){oabxBE+nY8QdNpE%!TCWePF`;?~m|gH#M}qfY20IBHre!9QD4@E7g6FFv^=(ve
zkt!n#RFuYP#>#h(`-#IakUX`IsxHg3bJZBCtu!wXd>r$5CWX%YnqPs$u(z~k<$x)k
z)?B2%a<8%pv^BvDbEXFZ4C@0Oq@T*9Nc%m8cnT%<mG~i*(X{xYBwn=(=9J#^afy<{
z^@3FVF3s(3v}Wm`8{)YKV{NN~Cs$QcU98vfjy`({Q;vwj6zAyqI^(2n{dBEndx`io
zJM8f4*blY;3FZkqI3mmxqX2G-tOpPT#(y?NZ8hfg<F^x<kmcvyw{}aBJF?X^;Ai*+
z{6lk4)gKRuG3#U%@2mm<m^Nlwl-JgmxyI32n=wMr!<}d-BHj9ui7QwCW}-MyDq0wr
z;$*yRlP$*63JVC}#%^YjI+}Z46Many=8N;9sX>Uyda&HY!PDZZ(*o^@+IpbY4~V=&
z#bJ8Cdjw>adxMPF+6&D+yL_hoW`DOWtjD$ay0l>m2Mwtm!fMJ)vzM^qXz;GuHwqFL
zW*9>Il4-$}OZn7*yZv^|r=aKDkB`eW|D2hefm^kVs;=)TfQ?ZOY<v#U<t?N@6%qne
zszIi&AVtG+_C>3_otnet&QQ|BbFQ$TEXqloajFnijrux#0wah4>8NW_eh{+xQFOqW
zQ7rA6mY7g+<?XiBZE$-JuE~n@fz9qzkIW5LdH5J8@(>yf<yM+}K)ap1U-$*l!e&Ag
zQipaDHJXNP+pBmRZ$@`yoto?=mGb31T={wmC{Cm_V;1K5)$};7$64o-yCq2$pX>g1
z!Z~8;dGM7)hbj6mJ*X3nBg0^Nl;V>u)Sc*6AWbt8Prtd$Dz8TAuIy9-RgzXR3sK_O
zVW5a2Km?`+kv*5lz;8+#GPSPAKQCz_okrhn((K=W|6166VMF8mFQ^+(ZHA`5ak5;C
zt{%W=d{rORG=SZam!z;fzj-U5EIUj~OI3g<nV;~z-d4{t4aJE40YPdL;j)k4mf$m|
zw2O2kD^D;tqu@Bp-;Ny~>c|65KR(rQg@pF4!nf00tOZEYnTlhB1VSy5#!zl$?o&a_
zFvH<QH?YTdRnpX%8gDY5T3p#7j!$mp{E&9gg%H|k3`gYKUFa^dUb!stYzi()#g3>=
zJdpby2bMP9H@8jlGevJ_VZu|sA86!ur%@Rixq!>YBp(qB&L2J#N+G^ue@{--1yKOQ
z8e`R`?k^zWD`ttD?oc-L#yy&QCL%_1()uyJzOKDlsVPSR)jNzE5k82^6%_D43DKZ#
zPUZKo;&2K3lhKKr++7EYT!b>P)tb}noO#9rZ!U~nY#s2aHc{m~hK(Vr@gnC)Z2JB%
zZb{;r_0Fx>%l9%K<QU)frY;Afrtg2O^*KS$E+zqW{;k?^2O4&ZrOkp%R=;y{M27%~
zA*3$JxSbN+gz91D{+(p$x4_Jvo?)kNTKzj5)YJUOvm%`~SPPQ(0%UoK1on;+Oz`YO
z*r~>O!;$qeI0J_jsl6VmQ3WLovxZ&;WigxXlcN&-BVmtaI4>A!Q+aF4v({i%#pi^O
ztX<6cp-Gac=wk_L48JCUS%KD78^%<0ju{=%gGt8fDTfT+jftC{d(YXszmN&3=Qh6{
zF^rKx!Md;4l)D@G2`Xt~F(>#caWja?dsPzm^eyhDYuUbrsyx!SuxO`%WDGtE&5@{J
z=+bOGlML{D?G&%xaR18dsWQE5>K%gPf+>%nT!GZL=`gUdURZfa&&`!fFj-d6d?Wk(
zsy(Y{m*R;`%I>My?xpp<W$L(>mvk7l5?I=clx=B61%Ha52Egf)?H|8(?`<j2y8Ps`
z=!N>MwkeF^P*^Rbr}=1iYRWK<IKkZ-*8hSQg_jYZjY4suvgHXCLvnZrHh3UT$nT$g
zDqDiy`UYjNU$U<0tCnHlDNrWu6d&rQq`x1xDNPnOyQ4-wX8_rdsZ2~8$O<K)KJxQU
z!k*Tv+rN-kERZSQameayCIR4GU!#Xw6B>1&?N?bCH&oi&R0^!$(3V<rqmoD~L9xuY
z)y2vzqz<M9&+1l_?&+ITS>VH(ysnH%+?%aYJ}i%(T$!A+vi2tyM&rdj;QZR<iX0r?
zo<v-CG0KSRWSt8Eq*LlRimQ%!@N4_e@u=5Cbtd<DYsmGt3vm{=@|j>O73tv;H2jaz
z<{Csj&z1cYH5|~dtkgs6B;Qw6qnVZ8Nr(AA$<_0}mVJpcx!F-KNYu@YbDB*6%;Z@@
z%(7c0e6?i&rGlvNt96?xi^={u`FqQ4>e*@(Mhan)E&QBuTdbz5)fM4@-&k--w?Q}X
z0fcx(c3%I&bJ2v-1`+~k87&W`?gpv3Va}7?(|{Br&3Kvx-Qw#KZwPlG#%}^g#c;1L
z`x7ZgIvTj9-IN6OqpY#7h~{wdanqKe4q~87p#HL<L)f8F6jHCDBf-i<HrL}Bs-tcn
zDM{2nx5)q7VO4FSD>72wu6Prxr0#6rarHwj?VHt2=+{Iz*;R_$#IjQ8)~u%!mDh-}
z{^uSApE*qw02G<8^Y_vEfbQ~PH<JHd<VbfR9q({_?qLW026eM$=-+6;k60J$jMH+~
zUCirZP`Acv!BLO{?syved~?M`bGUhv!gT6|5keNt1O{_|$_$r2Eyo>k3m_xhpO{tb
zZ<_A;pk{;!3qEvoL|wX9m@}+6o?z=eF`y|o!<Q+w_@1B4+zuMnlMq3{=>0p^5kzwf
zani41<-wtP;wFOaI(E6I`;*D9_l+^D-TJrE`o=;v(oDgF<37tOehLf7Em+VJU1%<6
zy;zJvlVY5UWFdk?0#f-eP;2Vr9q;ZRF<^cOj<j*C@<{;_S@&8EGKi<ukBPKB$T$;T
z<HB4>qn(4gS`iY8uaN^7v8?yl2Z<sODGG;;VuV9kFU5>A=?pl(!~0uix_)++RhKzy
zEk2QPLw}Ga`!~oPweM3o(~D49Wa`7nyHAqM#u-iJGi06>T=CQzFb%>=*qx}R=YU^@
zr&UXUb8Po2pfCPL1k(2_^X!NU<PhwszjK4*t8%W6#beT8&FMkP-4ogYp<T>7bBh?B
zYP}%1q-0|d^*&dQiG)R)(l~CqEcZZtlW3@j8M+7)2_dr~geejM>LEqQAANL7v#+ac
zTodUBG-5u@un8xpR1_cl5U4|rTkeeQd|RC{Mqs)f*WeVb--Bl7xu?S2$n5*c%FVcl
zB1)9?)v>Mb{@}lcHG^epHUfION5gmxbNnS^9GcK2!0R+vmOtx|KjOe(Nm}Ba`gz4@
zd>RZz=?e8mxJDvfcepSV{#F>7hgANhC;71<&HI0lAZqaM3V%2vjsjt5HX?GHUsquU
z-n%PL*R=<$7AG(zX$Sz7RgbSA>uL{VqAeiBwoxwgq(ENW6%VZ0kEETm<Bnrfce9a%
zTPk;4R)26H&V|;6l}Q*WyPq(gEo8^M`O<uzmeF*0A>R#?U^Z-rQ=e5;9XX}+6J{EK
z%5;^VI#OdDwoTEXAs25FNrLk;Q|%LAc|>^>*pYmm)-963kmvm=fLMBsH0+^=)M%G~
z3JO`_8i<UILFiC6;a}TY!G95AulMl-u@o?t=BYu)W=2oz?;7*cUv$S)w=K#{abbd%
z=JwF)AtwCMe59S?K4)}fa!>`%Hne0HDF5*9Mki6^Gvi@$a)-BmHR|k=ANMes8bY^#
zJWhInBES6tki};3Ex<_=!MY@1>0ZtV!UNoj2&W?M{yZECT+#$RS)`mThogc31^?7T
z#U{Hg0Bw+k+S||YqVfM-8XXfHbmt=R65HA{38QMh$Cqx!SyQOBPAqrw%~q{)*TkU7
zA0Igfu1)L4ulE~~u&YWVRNV}et!~N%ZVN5|x<s<WR9H{Dx%ECb%-TUS_XZ;aThcyk
zk*t2)0~4&}5e;L+XAFkC5Kry&&v}AUI}0=A1nWfqV09k;9Ytmq7si(Y;~xroRp-|z
zA+@?MlVXNQs?#C*NW|OZmfa6{eW$^%bBjT_h$1w?5Uz!qd40lB{}AZe=(;a^hXoGb
zk1Z{uZTE4vO#!k{L(#(x)d$?x3zLr&YrvEptw*`GYx8!uCR`-2{Fcueu)X=H3<cK)
zpjo-09bmn^QN&8awnL}J$TpR{KW2|H41P5|yU2~CPdlS!{9010GsP{AoF<Jyf~^#3
zZ~*<BEkUXEMh%GD6XZep*%y)bd}c3Gg58UgqqojV>eYi$khWn}ZpfL`?7{<E%AZ&w
z7&T`-B9-Ll1X50~{z}T$^5;+J>8~d?2=pwcT~EbnoP?H)5F$pLiqjJ(f^*zj+v+=t
zP7n@lDipl<1!(q}FNvWHV+dPTY`Ii-+?8qTRCG6$jTTeT0L9x+T6*c~%GoOXA~_Yf
z)wkT|*2adV#m#uJbuoBmBR02rxy%VU=*>4x`=r3gjNK|k5nXJe*fI=pCL*{Ra`zgz
zN&>BlKpk`NkgqzxxbB=Q(@;!uo6Ea?L{T)S$yQ7qF&jeGVQ=@URK=lItgTRuGz)%!
zE1*_xuV{Su{S>sOXOy=DSoER1)G|>_@dyO;36$lh5E(m5J^{nvAliUWS_r4(#aL!U
z$eG_w{M0ZHV5BIIgAUH!O=WO78NT0|cm`expe;$D{DYSzktL|~+;|)BfNyKVcITDa
zP6W(}5Z|nb_!4Qa$5cQT@9-#AK{TdP@U8ZjE~)5vRSTIUVlr%&A~l0Tu`EU4_r6om
zFdR-ht%Uk}Vb$j}dMx9HvbmWBzvWYDZPxtIQ(*ggIL)f8$A;YAV#~4$E8<rk>5EaW
zSNqxIlbv8l+<jq@R2R4raFht&mLrSMAWJ>6fK%RyQr7MMMc*9wx(BSHC#}r*X;n*1
zgw!Yu`o?eOd@ST<#4rJRZ<t8aG0nhj6UgU*Rw+7sRAnu`S6+_%e@am3HQrE<(1pZI
z>p!}8={B%Opr&^F<vMY;<cXSiw-2?33qpVBLy69DWOiKa=236f0D3mPz;wUsznrlS
z(r2LGVIjfG33Y&g;S6yUAif0OSgodw-KL6GErJJ2C(LNY3;5k{y^^Yojw)DugKn`J
zTSMXvwHh^(Qz<nc<eO_a64=7IO?%L|m=-Fwste?FpQ6{<85|KTfc*-yUMo0-QlQ*N
z8f~j_WQWpRRx{hChf19VKWXq0yrt^(EA3T#Az(mR-XLCcIT*k}MnBMS?5hgX;lTXx
zVU>iB15=UUu}C(a2|%1rTb*{R6Rx>dp1A-pVJH2Cf8Z5cqt3=6b<-pgna}t&Ru|gq
za@x?l$CC=4Qeiq`1r(4t%QAGbMeL6!!aEYwv@t`89`2or?8yU5p3%SiJ83iaNoFaj
zC~pv*v(1fJP<@4?(2<;9Yk`(znbGSL|LsHrqpY2e7Wl6B#)$e0=YCGb2Yg^XF1fv0
zs|&ikfIH-I6jto6IDO3>Rwa_HQ6edSE7WG#)``jaSF6Sc7j`D{CAKXjc0rKE1?4Pf
zahbVq^<VrwPP`Ic;W*Jot~dCp+}cj0&ScG~omFV10!{MNbY>yXS;0VDFgh)*I-`a?
zm76^)UuP5|!#F$4-|NZ(!<RBO3JWeJGz5XEhCOYWw+u#-Se=`A6}Ny!Y7Kaw2znw>
zJLiHB@eLh(g3QpZq?2ikPm)jB5X`0A3ir<i_47=0NM(#!U9L2!ykuQ?YBo?S_K73c
zjC%B{$Wz_sV;H8qblv$~E0zJOezJPA#bF_nC>>PFcw0;RFbZShAB1=LL{MYFMlkRU
zzV<IqFz-)Usk7nu=E~0FS$M7YmWj`ase4;m!ki!SmrI4Gu0DLELNBslNo~ek2k3}<
zkePm?bIzG2gT1ID41L6t+xzzMU}SI*LEmIsBpCG~H;r68k_yDi8@^43wXutg2*UhP
zW(rX~9swf~SSEkC6uo|#wXeb;7T%G<VrE=1rl1Aa(lU8Y6#!RE7h|QPa|+)iQ8exo
z^0I4@jr&Cx{MCKyEH_^td&|=L#-8)!@PyR#m9SO2AYWC)zY^u|JS}7L62NNUaT~TP
z+K6NS(EM6*xIb?Im*mg#*}DA|5+I5*!;(53(T}G$V5DJ<|J$I=k;``wS0IVn8HbY=
zahaN!IBRlPcOT-#r%hZ2Nd(5DK1Y}bC)Qu#={nsNHwaBTsD)mDC(`_wL|-jGRg-U{
zBCPW(Z}Tm4D$D}BU<y{^lQuEU2_t*F(mHG3xFQbw1uA=d@<%(layh1`iy3htnpr4H
znaIK#)SxHc-UCFd&=eFErr`|c?u3?(O=cpBv*7lq{Pk6PwaDvyL&654yr4qZ4PO0a
zMODuvI3)<!<L22{EBg`D(6qdriUA|4F7Z4P8grStHh?!dNd^i0m7P0>sX_TM3FNP9
zXrB~+P$Z}YK{|Z`cg0BY8eN{VdXy76H>+vpBtPCrsP<3msdOhe6&)fprfmzYF=F^1
z9s6bBEz#agtTAEY@hNooSQCoTU)B(S_QqS#;;3#kv!tKia*0J>mUsn9-%K6bC?LKC
z7gTV8>AGwiR&G+}P=6vD+qURT%Z}P!aAQ<uJ}C!g;Kg~bkrA=ST>I~AP3rC*Nd^*6
z_mgDeH^T6HXYh|;r`BVNTfAN}Y{iiip*gHc@U~76&0t|nM!W`t2de6ysQWBx&vv!C
zXO18gR3TntD%$&<y@RwVcM7evx@A^(O8`T4n<&8a2UB<BHbnr$a`H<XE|eEJ4u-|#
zP>z$ns!IV)Wa{f@=$^dW0afKv>X!h8^~b;b2_#*jOL8Y=8E(K_lr@HbS4?+-19<Ab
zFV8ySVoFVeQd<){K;KU}`r3MOBhtwz7x!v5u*TeOcq9$$=Q36D!kPf|xF`r7o2Xgv
z2H9jPzd#<BYCECzAf<=6mTs;6SD%ni4{FUtDR#8|<pnH-o+Dx2*j2zndT~cSk-pR3
zfIQ#GrRfwV8yg1p-3IlWC~c}9>t$_o&fxo|N~oP_Ix!X<5#msH|Hc;F48YtkapCzC
za%`#Xj)WM|&C{&z++D$E){^abz4j(oS7Gra>x>m=ea>JEJKQtziFKzW{5BI(*9s{j
z0ihRW;@ZM`S&8nz(M{Ht4sf`ycol>=lpjN1vuQ-Umz?4+Q9}sD(=x$`8L!VD#<D<M
zx={WWhIp9hVGGzrFMS8fnzEHgUKT1>|0T$a%qlV$m?Sz-Q0oAjVO`>y!EB?Rz~zVm
zT_2}@y##9D14|UVT$}oaGKX>jcsJhd8^R{Ej4n@RxgwP@&I9hKy~^J)4q8`OL;U~G
z0>KY~!vy)}v8siyKmn`{Gy9LCYR2ZzyFAV65jEXL2k&8NXETmEd|7_Ma@UFt4;IFl
zHim%1KGK4XYCV%2{Qo(496InaT~mu?B&asEAu4zZ>(S7|#LpTSan_H6j&LQY%0ipO
ztvJ@FDL`|9H4pSXb~Q=z4JXOj#?}HHa!i;Uk1+H(<EjKI0-LS%j8$MHo{|e#y9tWN
z=;S1Q8!nkZTnK0PW0FV*Q5r1*in!z=-6}TgqP%i7i5x6Akvs7XK-;0-#uDJH?pfQv
z5!;hh<0?!$vC+Dvax$cPEv69dX(#@I261<lHfx!y|JqCay8fO<$1)#e#60P1Fiw}1
zr5XllVEq@%tUcom;qGF?N@XI2zYVZ5q?h_~o3A9t+UkH+N-jEIg>lhIvmD}C9+LrF
z7I(+PgtZ^~mXBS99ooa+DU1MjyWP+vx=RPxReRaB25{~gTlJ{9G2WJ<Z$wD@9Aqsj
zJU(|ziwig{-(r&T6}rJy_9;Zf4tr8NHUZ9@<}$;0+Sxgq7}T{vmhF$bVe@~XsT9<O
zHn6-7s*O@Wj*pb3H>yE-Lis>X%&wDhW_;7q4%s))NYnDNtN63I5h4bZEzx)Qao-l%
z-2XW7!>!`XH&|sKQLSB29iEdOq=H{v1RiGfY$)IyIIbb#IWR?p*I1U`R?>9=!N)xB
z17{q<vq-T~a4UM*6uPoe$L|Y+e2U&gSD6jgR<w4rpT2HS8Ld~`n-sDKt28$K>@YM4
ziRY>vp6>XZ24V{rY+x57rFv4Uew=3Gm-aa8b$6|J$Rj<W(H(65n)ki6XdJZNypESZ
z6_J=eN+dsF7EMqdAA2yY)|*s!*F?J+e^!|%Drz~rnK<@e>>Cg~xcfY;ISDzjnpE2z
zeV3BDkYuPGT>#3`X(N+U4d?ko@8~LNd$9A%ke6!q7ng_K<K_tYuWRbI4RJ)E&fsmS
z3;jmcQhD1VNUEmP8U#T#zGf_fGHaNkJ(^pM3{=6%ut!@AQAwR|D^T*XuWvIi)S*#(
zR<SuY<+<l8d}po5qt0~8hoAantv$1<B>#VThYQgMKok8+su{WA9w{x;LZ+sb_x736
z9)K{P3ffNlb<sUfF`emIeBPmC=5yZpp*JPGO0kl>*ci**rX9VMa!OB4x2b;+%UI0{
zGN3c)?HPX5Q@P(0c2{Z!*}qozIY?R|5DYj(M{dpgX-EoKmm{wKH_?EC$d#1G-Q@7u
zcP+s&B;R{0h^d3KvT?d{AMfk4?@Gc7|35uRKC!1iK)&<2XZ8}_Qmc-fDMx%U)8<t&
zs)t_o72L?~%qKtl68a}Uvq&{iU(-1-p$AJcrcXb+CWkh;0>!kA(Om91r%wb1k2b_n
zG=T8;+`2?0QXMt;G#X*g1_n$vyzNo+!=ckmtYQzhJxDX@17dwW$a-6*#3H368HGcU
zH%~UL&qP}xd1Mzci=3$8`uya(IrWUJb3@xOe08nR_DKBVkDJiK5&-1M$XUZZ9fRny
z-w=X(5!uy)jm^fiDAiIfUw|=i`kD-FMPeq3^?RnF8<wO7=8cEp5GQdEbT5!)T1fzu
z>0WPC{QZ31AwPjhRFrZvJ3EOV-IKNJjY8?!{gq}9hUtlX$dS7Acz9&A<H||?APsWW
z!5wU?i2t?GjDo7k@(hboDE7aRen`*sg#un4ntl};b@!>J9i@>IVuDT*gd!xVCGO$M
zj=PqUP=uA#(WOc)&BKYMSsd)Mu=2o`b{~A-TKp<i-W)l-aM7FJ)GXy+Br^s`)IKhJ
zkXW>Ruk>6bzo_&Z{ZI1d=nP2uP7PEJkRi;KLl_6#b;%GlM4?d{!{%EB7fJNTK5Yr(
z`kS9VUan>7*#}bfzwlR-gf1nPKk5=k4Vb#=v!YJfJktPEHWr>>iEDWqMTna>-JD9`
zuFDyo`FFB(cb80$koZPpltKTPv9({XH(KaziFzxXVrdX({j#!|F@$%Pm&L9iY0*da
zr~IE`!ESmk6#1Mm!N@lFJI4gwe;4dLL{~2~pL0u%I03l3Qk&^o>;{_)zNWvUH|+bP
z0^<Xm7u(<hgZ<Ku-x>qCnPN<@T^+cAyP$|c${B{?ulXffa(ih#G$aVtWq-&7zN=M?
zB~P96!$w&%Iy;Su?Og3>NUtwGoK_4w8R$isjIzsZ*%6ic^4NE@0Y<sesp6@H&n*^h
z2?xub%N%gRg!8-X3-(oQE{Z`1=gIwwHM9X@Id<8DpxspBm$bo%y!HCwJ7zg{Lx<qa
zec7>~vq5&h5o)2#%IBy1N=}pr*DfI<@DMrb)XAvFwJ2T~!tm~Vj=Tw0vw`X_y0)@b
z7PR@oG^p*V85a8#<DUVK&(PDN|75m2tRXclSPylwy+dW+m<e#GN<H)F-tS&IL5f+q
ziMEsHuhL`+SrV4c>>Jx3Or`EBmS)qW9<lRPOzvv(Ej^7!ZF8z9b!i^N)%(qY9!?Tg
zR2K`*-CJfyqUYl%IA-TIa{Ovf<gPrHVOH7l?06tDrDs7}0wICl(vPTeac;37WEn+r
zc5oVVG<=-;QDo2UY;y;`&9a~;rvx?h&>kRU9wmcf+~9ymf4-9w!<H19HhjqBforT5
zF+YW;&}<Y9>HSbEHDNqzuPEgfn-?8gvY%E^!9Cf=(w%jM<mimg#^}tcj5jwia@&w*
zNF%x@1c(Mzw@kBL*nsDCA7y(e*=S&Om`i`mW6&ue`TSL$7{cS**)cf|Pal)$yIKf3
zZ6S8QB~=>{Lpl->qu6MAAEKQ9@5vG2*Ojr>rNxzUPs*Ag9F^un(l7KG90B5SO{+o;
z&cIAlI|<OA1S`zI0iH3DFO$;r)i+dY_wPoBp)uQn35d@*OTj^-Kgh{x3l=ys-(#_$
zaVV)On`@F#$^hdW?HsmTL^?={roR@!pYbwP{D-6BC|}Z?K!TN{1{lWPi^F|V!Icl=
zeWjImstc@OBHn7uW%xWYid%iP18Cv<GF!Exwhh4*OSNYZ|F5xC<cR5OeBo(8GRS1~
zzRovR=<I3pGwn@K6|#<j4%?#JKOk3;8rEZOc|Vcxh62t8i1oR7dNHxeTrCx@D41dJ
zwj>nnOcK_I8}uPR+HksmLDh!EtRC<9>I47)oOdYcv1*3p3~bEa*KhI>8)@jrodP_{
z2L8qoRwlunTc`gXigAeRAtL6S-pH*h>+QQcESDvnuH3l74%zlShy#4c981*^b%d<#
z<X)yHlXFBd^Xl+gz>1L;n8*GUln3&`jg<tb`+c)hu|>D@8of%b)_1!_FS4jyq`)tb
z!5kD|=aH*(Q(A??atsBWsOEbFAC{0F!~;Gl?1HY8Pn-e|pTNXump|+`1x-?7*jBN$
zf+QRF<~!_K`<T9W$;w-E*)m)QA^{Rsn*e_l12l2540M1H^-XH*=7Ja++wZUxLeVI(
zSwdCG*y{L1ZfCO@GXU%Sc9h3tCYiWQjo2UP-IU_kAqOUi(B&WB)Uc95YoszLv4}!H
zX|V_}CH1%s4ebIO#&<+5LRDE})QW~27O8WP0AqB8>&7Lu2Wo4dM!UJn2l3-H$bYoC
zr;lO8$lc+L3!m{~!$m6ofQ{d@WKq_DSM!ac6O850xS6|;ZNsXcBtk7{PLK2EM}%j|
zG5yJFSxTET@}R+jX<Y7;#d*_l?9mtpn=TA$ZyDE`giRdT=Snk8NC*U~lE*OtxB<tQ
zWY4uH=_;q(`1SZoPs=0IYTmkhTTKdaG`8SmFSgfUN5BHGKaE3Q=veRLMhBVYL&-D`
zjvJk7?ar=x2udk2K;8eR*sRflwyeH3FpOV3L(~TAO;zG{GI<!gkFiOmjpYZ^TgG2k
zpca_T;eZEqKtbIE36`#ov!90RT-&UfXLDR9eTabE0qEj|vMR>V;7jS^S)o~v*SEsp
zgt!LTNX?tU)k}s;w=&Erj){%UE);l$?E!Zj+nB;-MI-<DK}!a5CDbcookA?|1$CTd
z<Oykt4X>Gp1ner%DNsOW_`!`B9l)0nk><6k_*o3MjnQMdnjZRK$O*IcqbE7_0cl>f
z+fo2OK)}CJy`mAE|J~^dCtx1RGSv2*Rr1cOI-Pa{hf&bqkqYi~%7Ne9M@Zeet|#x2
zW%coferJ!Wm*OfQ$pd@QjH9eHI6%V69h`&uet{W&X9<IMC=}&hnGcu?V3Ms#>?D#&
z=DdA3HNezUPL;{u#|k>GDQo}A7;-PIFPMq@XiC|PnTZO2Mw6<BWE|f<ey1AuNp)}i
z2(9x(%#<UY^oT?Qr$A!-cA16m=Z~Nwx__uqY}y9|8^pMeAf@`t`m)5xw*{3O^iq;6
zJ|D8L2z^&@tvH1$idcF(NC?|8)$@y5`jd=YF=ZkNtdFvhJ=CNH8cGsY&Pf*q3n|Pa
z_c!cv6Lq2BTrY}J*E>EHKaJ{2%NJ-^ymn8Iu8#M4kCLw?M0lw+2R8AzzB<3fPU6Ga
z69I~>cpzWrnD-Ec=!>P@4nTY~L>25rjB-f15i=qi2l#2<cdrvQU-05B=`Y*jWREZ(
z^R%%jo3zcDA2GpTQyVdqT)R%4$H<UuH?E^=LyQ2#3=FD75w`^)oSlt+ouO^{>%AxL
z@GFI_w*)PIC#{r>Z^y!mR37Y;gA^r|tbB{ewq=Shfm@&EF}WO_e@Nqr=Q!|I&1mv2
zN6F0&cbDD)&Bs8iu<xO!7Q6vR$+^xttcnO;EC85+F`(>hu}K0Pn3(`bJfp2m-QRC(
z<@+o8A>0fnk*EX7aVqIsf~ptwD3i1rZJmnqVBGY!+j#MV*J^KkVC!m!5VvqJhf4`2
z*{CxEsDZA;j!yT)z+0qsD@s~f!4dHIO`GBBjc$OHSr?uK$j`2a$&S)|qPT;%+Homm
z5B6horCP^Mq(kpXu8uvNC3KMw7phDquEZ?Od4D&8iWvvx#_aYhmiRPEprA$b`#+V)
zFN1yubuii&7MO7`kcT@W<A3<U)KzfYP8K$mM;}-P)2KpqY!GxJ-sgwLmd`w6X`v&V
zXm4sl;qrFaMvBX4&2a-P(~tPUG+nE&C#orwbhq%qXg*quOb81oG<MFVwN}~B48GN(
zT`Zyh{ByPpz*gvXCiHf>SHyS`bw+o+v+7ri9RK1BDDj^`)HEbpSo`rXP_AA){tj$_
z5Za2&!Xv&*Wzgl??iWJkUs`do6?8!zac72O(vOt^P^pbXd)alDZv3L0Bk0MBf*TYd
z;4g~tnyV?UNC+)ZM+Jp{6%U#v(~U6F9Blve`?DZAEd_GZg$LGzbzCVVz93eh{^!bJ
z0U+iEh|@H>c{*q0c1=XM2YYIO5C6z0Z0lF{o3tCjs&FX{;yD-t{&L)?Vi_aw9ijYd
zMBD!BPMvy#ggZ#Y-D~dT`Bt}4gH1sj9iQx)OtQ2>O`uo_P3U{oRe5i|A<|##_+$jK
zg7I$M^d$M46|Dbmk~qS&{^>)G=oLksKMI;S!O39$gE)bpx{_eL)Gy$ELE%}ClfF@>
z&2@YS?nk~$a`81zq^n1nnbkUFAkOJ3EBmOZv&c2L2h)BzMr#v8cvU0@#m@{;kjP7l
zeHsF}UK;&Q2yz5X9xUGZa5W2$R9$3<E5x_~wMMQkT9RHi;RBgl*?yW>5pQ4olAq8T
zQSBj*cGk~}82(Moe5jTY1V*|4=cHeUL$OU7gqKZh8XBFV1llx7t<%C&!`3>!+ASIA
z3GF-gWM>pOZ^YRLA^ab(58Er6%mA+i$KGvGg&Zhj6z9`&i5~LGCaD{w(>yf?`t~N&
z*52W<F;gG7w-dR6Jn<NOWAjqmn@x14X_My+b`#RD_g<w86yhx^H`(1|N~&4;6T)GU
zQz;WMo!LW=zcuZ~j;y-J`xE-Nb(^_gpxnaIK9@)>W6%LNsd{F!%8NI-bw!0hWixOf
zvxK>TJJq4|Yq8^Zr_Ls<PIZ<Lwmg4I05+riT4!r=$ISqK$GTiu>|{6AqtF0RhoMr{
zwsoY#z9+9Q^Zoo)<l&fRpFE~+5qxs`N|W?*K*n|!&D&1wJ+eZ5_ZAD_g&px0n!C$H
zda3JPf>Fru+39%ODlBrRuY)5sOQJidM(>HDFH^Mq0FDPd^p)C<jSlLRAc~BuVs67+
zZhmO~cLE<_;5N!&Z8fVwo*N5~Lh9(4*HmV@=P3h^`{8!0veI;<RBmHOM*f=&gy4H+
z=LMqA>g!3<Eod;!yW7on35CpfZRrOxh>u2zDb1IHOCzhh`0SaLMRC9vOCX265*d>-
zd>rykX2~}&!yR8ji?>`@iPH8mL#k;pbC8w1qW2iyppLKA3s7%Qz2i;wbjO|Qzk)1D
zM`k%lu<$o_&t}N$C2N^b<CI7{=;v4$RHO7f$FZF;1-nOI3|0YMle=6$`%#JE6u#-h
zDYqrl>Gh&rf>3t63}b!zARvgI{*=w^*`kWqv{miFDPN(FZHCzVk<TAGtOXOV2#xrQ
zx~n_l{ekH*Yl^V9n7peDGBkdZYoi|XlAZhnA`jZYU$2`gx%hU*{x@h#I~CeeVo_t;
zhOv`FGo&#Kh^Gb64ArjV*)LYD>tkA8{leEjwRZkQx_7)ZGOz8KfQQv&S=Gydh_%}X
zeM~=BGSOw`s3NbafhzC1ygWJ}I+w)v9%;}9@l=PIc`cErfk28*w<+(|Wwr#<FQ$u&
zzZ1>cX-ur|ijzIv1<DjplPpX|Cj}>y0}D+m+>KwL-rJ=M9#|vtyp#XVU$DsiT0b3W
z(>&uUHlRfa;WVH5cvZ|DDzF4gi@n`9=V0-X$KUd(snS#ktQm_vv?_<+EDA#fiK(mS
zby!Mv1vGj;J%Wes(onBh)>I)l)3Sck^a^L<ubc;!64Hq1|9M5BbAkAl+BQG_OOtWY
zvn~9~_`e_GIuJhs{o*2^!?`?Vj`M?LbK9b&pEUW?8bRb-8NH@}`i2|v2~^lh0zvcz
zXH&@}?KYcsbY@IPhxh^xEux47m@BeWzgiM-S*$tF$7J^^2nDHk+-zNPx(C`CSHQg^
z%YboN4wDhMSahbwat;i5Fx#Mh3p)F{@2r+l46w{a{?ja^FHARq5S?g>4YeEd4;7Si
zQZ)1xCz4s5tr|ZyDKk4dpp<8OKOeqWZkq@b0+cj4&!Y-^R8Kcvv-FE*b-sH2<!N-7
zxk-5Cs9%h&xfnb!l$bDh#rS3Uq%+<2a`ZJ`_eo!Sn`O!^iaXEO7#Tx}VIZ{_VNb=j
zIw%s(ys3jDtbUJ5q-kPMvfu9~{a*BUiJ#)W&x*HvylgxLEugpAMq{vFCELeY%KW$w
z0D?kzbmBMoKZKP09nb@ul^{<Xh9xj^cJZZ3#>T@)Oa@S^LmFjHS{1ly*F#FFP3S9R
z8Gtjc!fj!qW0HuJuwSD{?F6N`77|MNn=E3(7h0$DK<NT;P2sx9iE@Wthhom^J*Sdo
zcroT5fnE$eAp6$SZ*lsxB*RCC3jZsSO<bIGeb)!j2OO<0oQ%3Ck4JWIa-jMQQcJTz
z&*}o-!OeCPOkK>0RabUyV5{NxaeF(JFxUpF$XXZof8{B{#YbgG7w6Nd1<(5A3~sV<
z6d!CXG|4`RiomKZ7fz!4>$+eR5p9qPWW-G+N@vj-a@I+zh(xjMV&hTP)Rk-5&CM~(
zctg7(^rF-h<g3meaZwK_zG#+^ekf(Vj)uLNB^T#{?XPLi)GWp4(+jqMdT1}88%mf|
z;X#1EnG1X!Wnir+X5efO=I?QgcgOpkWa5XZ9<}|Y+mqp*|6BIO(h6zQUQM<g8KStx
zGWncD#*odSL`OlAw1})LC3gV3ha6df;44jSF#HPz4fR>MjE!N?dV|ZD9~MaX%o0s=
zH+<Nczui;$BKC&c*(F?pQ9fJXsAC7pFW&i&^vYx75)}O)TY3b(2(ztzpG)d(5l|OC
z239Wih>n>H>lFVThh(}%?AkyNU2XyL)GTd>%$+t`a1QnKYEzp5Y-7J1ZZERE@706U
z1~vh4evKlegq-keZA$9~Zjq}42gqx?lsXC|#DbVVDwH7}xpNM*{c3pYZ9N#SqDG*A
z*_zO<IWwMfLnV|phVfjf!gB9hEbRCY?%6hOi!h>|f}cTktSmNgkSX)xki0Qo5)mx!
zt2jF^Nhn}oisP?dywceRxPR{#X2Ex>Bq!N!-%=3%7np)&3EBI;-7<j5y2%V~$}zSX
zFkha&V&gBYWW+AMGjfNq@`~`(GT{0o%JZskOtnYlEfbuwcc37!fxl_HehY6}j_rIj
zvnq-CykeY}7mLsm-y>?UH`vsAtm=39{KeKjHbf~_RzY*91ZG9_m+WZ!YRVG%mb_^o
z0|srxDRm-0wm%h07WUAEFiR-ytnEa9Pn9#p9Yz%thnLx5W&>OzH2DsCnm@I+?P(PR
z-@*vZ4!<2K>+er)fHlUQpzD<<j+fZm`5XGt>xJSm*8)+PU8yM6)+3DWagC|FSdRYJ
zO(%1k^Z5ARPPu75hWghPQ^SC_Fcnh_K9&eBSCk3<8Ias(;bwijj(tD!17H{~6}`aX
zj?RIXtW>$7G$Pzi$zRYv8bbQjzzm6|56ubz_r$wWlkR0BR4-8ykB%)6RK?+){6D~D
zDxDn()g1m_iO;(L$n9sVtZa)%X;cqt;kwDmxNcFunkSHN$68|Okd*?SCuLNb>JwqD
zMlhl&N7oZD&gvCx?W<qjA;et3rRze9JgS{L9us0oi+c%(Wl8gX_^jiGX1x&glB{-D
z9FKT}104Q_Y3*#gQ?xihf_2CBC@Pz_0(xdNfLMO^JhR1wIJjhDM?-we>HP<v+LUqS
za~1LL61syl5`u7KM0fWj5FJ1}M>i-&v_ee<P>T+*0Qk9FXWS4Lp5$ExwhEHB&l-e1
zunHJKM}t7dKv#GmC{l?nn)ZKM1}$RyZ$oc;L9i$}Okp3BVsO3p-~jkyjt{s%$HXAJ
z%yA`jmcC&z41$vqu&e=|!VSp5hdP5g5E5Kk@=L)X15QJANFNn+jmVuog`ex&HDldC
zR)ulBNPT#+A^>~{uA(nxC3FGh2?$U$a~N@n>zI@Il&iWtpqc_pYU!67H;qYDg~~e6
zPVn2TqQ($KLyZKocG|+fRk2o+5Eqo7C;#X4o!h{xafDF$NC>!4KuEIyxlY>FR>ND+
z4p;Sx-}09dVgChqPqET@XZ-jZC$weCO`RC&f8&N=JbC;pLxwYqu#TP)yU>~Id<RdB
ze8K6WX)3dFd(gmukbN#KynebDUo)o2`OaX}1@VL<SLvrNm;Q{hY#B};28BHRvcYeJ
zRXhNxrIo+yP(x|AUtjAW*vExrtdd@U+ke_SfWSn|S0Qlcc_VR2_5GR0;v|dcVexPb
zbeWsF$pa{}k*Jn#R9eX^Gu#E@Scuyg@@+U5AG1DlNpZO&Rilqn98U6}KgqLLOEnQy
zKdL2h^ijFG^5a#D`%{}iK0+u-R-J$3VN2l($i?7X9^e%FEC1GZ8w@S>QsVZ9f07M<
zRO~YoPp1?`x<y}}gZ%JxU3wGRf@HM@zDGaCg@QilWvgJkvp9i@|6CQ^dM#rk6FY1$
z7XU(8K4sRH2uqkdej64E>9Oh{5z5T!v0;MxhnB8%yCRj59iW*><dMuUhhKZ!vr8yZ
z&{&|}6O|ueSiqc|n&BqsfpBVxFB}=0FP}|;XbDe;ic}oigoh95Zpk-QH2%2C_lB5J
z1JVX#1g{}o5rm&dHvI`An<&B23CLFfR<9{uxAs`5>)=rCcU}(uA2Lc`X;^oID{|sW
z_UQlQ)FRRz4;$IUWKZPX4cQ4UIyT3fBrYz)BTW);Syu!!oe)3co`Orm?eU}qsAP~X
z$q=&-q|~b!q^Ap$J8;Gbe6m&xNeW~rUuwSFkr3{OJtE^s>vvL;sR)$E2_8-jzls7&
zP77Qr0d1Gtb3XHB7ie-ql}Zz;;|yU<U&ltoFo%ByQwgbbx`-Z`cGi}St$qdP4eU;8
z%l*mj>4bRW=lS(Hi;N876zk(XuC5T{R+SQZc)x7)eusyRgS%B?UoN+GSFWUVg6})w
zR`hsu;W$yk?Cc;m(uGe6@4u*6$!v0BVQo==3cozQ$2#-=JSH*|c-=~LlU{V_<|HzX
zQVCQ5R$pSzB@cLKzY+hYRa8UqR_{|ZlC75JG(SE*w%U@xUQoPmL2I|w2iGfDSPcIO
z*>w^*@>Jp899&aIP;j;w6q{WjI*&^3eytjQ{)ar%f@{dPDyP68FN);;45K|{rL#CG
zxow9VkBq5hMqQ7_yxVqyMAM0m-y?Ydrp9|@oJ_lR-Kgu%WmCfJq2T{vL27VdOxs`^
zm@CkPomt7GaxPJ5agi8Pyah8zUN#ue3Wrq0h{AZSzU!rEYxB~9eoro+=0*C%<+qmr
z+a(Ftv3AfDt9nH|H0B~Mek5vz_xXk~sFmBFWFPQa=}Rg~8JorI?fgZo`~;#T^ayBK
z-hr@+-Rq?UeO(7Uh1LlA(qukQp2rgQiZvu?sn8;4{3;~oP41l(G(3rFS*FLN1KVTI
zJqK)SUge`Z54OMvYiLmlotP_Fw}RWS*+p}3!)AnbA7mS|PJcZPtg^HbF$~Oj;7=P<
z&<M;RqJGOUy*#3kz3Bztvy72hYA*qv@w`CbUqwgLbJYLQ@NFU%5$(G%!5XoqgvUm`
zqXN-Ea?7{0!p+uY@6!JzCPHoe8F1BDpCH2PK<QwyGmY$S3DgN|=0`P9gNoXUqOBf7
z4@JSoY(!<Kn1i2(HS`>LNpZo*%F=1-rK}RuEMs}Ahm7T2eX0?|g^oop2oT$OdZ@KP
z5Drz+-lSBR!Bm;haNa@xK%?5J<Q_H54<X+U_Wr7qSCWxu5X?`o=|kshY}FSl5H^(}
zpk0|xhLL#5+%J}!sK#H}4}(E6@v#<U*BTu%G2&0+wQ2zwo!+Io=d*BM$dgs*T&kyE
z&4A7?%6X3N(PVs{Lk>ce4MX(PG&<Fx&JuP7<`L3iN)W(+wk1I_`U%O+aE>Zftw=ta
z)q<%F!*opI3G^;pA{bxI4$*Y4LWw_^<|mS*G`*S7n7G0`XD3Pb3A+jg>OJ=15JgGk
z!eY>A?^*1D92?yMh6==MeWy{A;>C1lEPZrM4uvc1t(G3*7nef)WEg`0*24X&2u~hh
zpht7#kfwuwiIJ9?<P`2SnN7#g3068JKG!{u(y{VXc9C~TO2^ufVcKm1_l3D|Eo}B!
z!=`NLr2_XN`t_suX%#+k+;EQ#(I5Xgw8v8>s^s{<UHi0-F5K<t!k<zey~sdro>GGC
zYcsb3t<@LC?)1DhaF3!H@$qrS$y`74xlTAHqV7Bky@lZ_ieLAI(-O!J88w0S{%-Pb
z*KWL#ucdT7I-Zp^GqfIfKD{U$H&~=ts?ya2+M-EwHcEGso|n?JFgOP$j(;*;Uk$yk
z0VBAFwSV!}&p-0x%W{Xe#tbTRG@JK=vy6xsZ=N9J3kTlEAc5Vibk3><Fd-Bl*RrXZ
zL@4W4w;&z@9m?W1zgO5C^xJIcnH(PHCOizPRk70N-4r(u4<LHb90xCg7Gb(D1P@|E
zBs6zuQ9?RcH7hmkKyT5++OU!zpr2+~&yMdNE1~a^@D|s{pwyEwo?Qty0Y-4(eGL^K
z9QtkJHGoC?Sh?VKqDz(_zhRW+(;Ogy;oLrbJ-g|^wLICg-WM5;<<@`pr|F9csW}#-
zMer*~#k^eQ)3bs<)68o?hoPoB^}*R#+Pmi~!+6s_JpRB3HI(3PQtaIGk!9ekKepnN
z4z4|U0A*Z?-0*AHUP091O8;9nwNOX7F4%k0hc-)L5fuqsJ3vRBEqi;h?q@nQ`hYqr
zwDr6H+|3q9b%^3ZXc~0Yxx3utwcy$$O;t#OJBpQUp?;4!l-p$1H5Jr{9ohxo0RdH?
zr;(DzkZgUgW1rh;6~E$6w#fGNQVg+)^;)aq$V&G-RhLQaIE<%Vua2v0DAPaRy@T2M
z<7QM%QSG-WaeHlT$uIGKA{Jh#M)x@q>t12A(vlU&n=?NAwjP)hki&fr9$RYyHc@0R
zix+7FtrMoXDwRC^HVZVCq#{Xvah~Z2C_5BLp_bhRZuT-G-hRu=JAQMKEz|pG0Y(~~
z#Gws2s@^AL8FV<m)O~D2w74%^XyDEqx*_c5xFTQJz+9WleoTElOKoyk3HdGq@E<_U
z7x*|S*hQbRWe=iZeTG|*=gv#+?^d9-eo8S}=tRlrp+2#DZMA=qo1-`IzO@|=@F!;|
zKAdvo3|5*A5E<%JoF`A0U+t@ZvnnG}6d_NIY*Q)VwjH`wv>mGV&~3;sHY51x&AhN%
zq^n<Nc4zvYa89ajj`xHm?180Rey&Yk6du_rLYQaJ4BBD6tJ?VmFae*o@W8vfqsXeH
z8&1$oxyf(z*Nrw@j8Dix{)l7lCcbU359{e)IjQ%5X3GBT-KH~b<Va?ibw9oZ1uq`_
zd0nZx;08|jI}^@7>TSBiJf(udaFm}P+I!ycZM_XM<m!W2^g)4LFHfDF1wfK=|9RFu
zc8rhA3<xt#!y<MUu|nlh3#h;X%kLctK&sY-+4th$<Y<^$(xL%RZ6L&HmEr#82VeCn
zh1mtH>{yl6LOp}!R1N-C<DH@fI5`-(AgFL;O`1O;-B9B`7Dj&jR`Q+pZ-ZB8`j%Sl
zaHC-bnO{pF;2#&|TCTaw{QK}DCaKG+aXgN|eCYEsrbFX}s=)bh%`4)|!uGE{pvYOV
zLr2q(+UoBxSTHAhGYVo+EWrd+Z>x1I9XzSxg!2{#OjBT*t`<np`8YDg4i^Kc1>|OA
zoXN2Qgc)YE+1DNJ7d@MLvH95RmS~l+1+`ZT>VnmYLVg@<sIkW{f&V+4%mF`LXw__N
z$(5P7s;!Y36u%;JCY0(m7|i?77$lj*%bmwIEINVV=5uch7LRNNiH!N7?~Vt@&fQlh
z1|P|$Cc`M9ZvczAPAd*{k<hxN(?e1&KiS^5JhZERs6P2v>F&=8!d#v`gh!uq4DfJQ
z^-q^n9rFdv(whnn%;h4kL%%-f)))H$HJp^s?TdUiYXG|rS`(L`hZ*}tRjh7YaW@1L
zu3*pJp;#*pJ+|61YB(3wi@bS)g_SKLR}LxTOG>u(f6zKFME+Ovi5QNOZo|WczAN!I
z(a5x$q=;MuC!2g9jUdBV;U5yws(LkDFif-Fgg6(a`AHQY&)Y@K(|LW!tA6w)s%FeN
zsAC>d&!O?t(tRu!{h&>hNG%PsPicll*$H2Cnz5+VLap6YjJO;z3rFLy%LU`&^Ifx`
zI6lPJ%R>$EKBgw@^-!YR&FG@?tfNc<O)t!HMkisvjUCUgzbdJePZpWZtT)pFSWzt3
z5bo18To9=253-ImBj|LS9G>UKDB*>!3~MGRj#e?jVA`D1cg`X={2<dKJX5^c{}MX%
zbB9DV3LgY^o2Z>{LL0qohsGHAB)?QH4elRYo`70KG(vO7oErmhLn83_+~wqp)8d9H
z4pd8eGd)~72A`fg%#alFAHAFsl%lRv<Ibac)a(?={bg!d@HOAsUc2`-c?2IUEo16H
z!D<}>yH6*lQsStJ9n$Q;9qP|5b0Wo}gb$SFgNy+5VVDwT{>rEAcemo)T*pwEX`{k4
z!!(er!V?^b8O@}gR)#j&rAU~4jd>BOAy(KVacHD{vT0MGzd8QqC(!!fNUw^H=7n6P
z0*7(^Bs8lc?Yse_N{;qFeV!pyOX%?@TJKn%R38Rw>%GyJ6>zcR^G!MFTFqu@7c4;X
zr$b<l2?7^=McYPh|FM)#;y#wtwtMkfsVOF})QOjwf#66mN~u2ot9lK$t1I@)m;x+1
z>zT>+6EX3&;P+NewPdN9V3d^4l*gj09AD_U0K7$>ka+F*lu(>6k{{kj`TyU{izbJR
zu6>{5<H$VpqR`bi1v#25B0=4lCOGX=cC>qg)J4UTgo8$b`90q+)}z(=Ii=SJLV;|v
zf%BG&(BVFD5Nms4A2@qL)QXcmH*$4T<EA%WOJO<dbI%;SQzmCJ*jkuHsKRI$=1OI@
z0~KSQMloPYy5F9uylaywg}+5Yg3yehW*M;ZhjTLV($252A<@;C<z(is7p>Z*#wZ35
z+<CYAT`XnRaQqO_qqAfGwA&DS>Gpx9aK&>H)ePM;xhmX(8Bv~+|1J)Y=~xp@^snQc
z>ZDSXoEU-03C9cKKwcbuWce=0QqS-6j}vsq_xAjoBo8fRfbFdB9crbnTrn?Wf1n4F
z|F|TA-}D=J8lrSboX-4&F#*G1jJ1_hV&DFJH&SybHXp6^II5{}{-CQPd%=;U>5dZV
zZL$1rGjOHXH-z{}T^Ptk@38p>n$DJ(vvT$;SJgR$&QDcIkpE6vW`ROP#^2-i@a@uj
zQdbk?%P1SL<ccD>IQY8aa(xPPzO6BVX@yKO(W|gSLvw6O?$UvY9gpx>O^c_qBeXr4
zf9;=<ylqtiJi{vnpk1g038<m+BVqMI!11>}tDH%uOG3}`0&kc4K452ne2FnWpb(P?
zYGqrCQ7?iRDeOOMt2EPpG~l=hz?^KXZ8QJgg6X~|d745?8eJ!Yb~Ka!yQW$I7F|o7
z(BEUrkY=_nzq@EPFnvMY`U^%)*>f~0beyigxal?Vl&JN6vlhRo_ZK>*-+qt|*N|IF
zt^&qknAA!abk9P*K$<>!IIZM!iHv1(4o&Y4Z@LyDMc+(m>xW2X1FyvzD-90+{OCWo
z^^45m{^zf1tX5+SoHL>;279L>=WAWCf$v1e+t(Bo3M)lN6=q4_=1oYfju21iBmP63
zrh)vIFkVVXiO8n@r9^_hLy4S`ni&p&8sjsWuK66kKK%VY9!;d2?;&ZX8xhmtblR!R
zVM0*sy6O;3Xpm*jRkoDKi4x0q!@X^YN<2^OV3ngMuXShvvpbea)vu8YKYQbw^-LcR
zF!D@mx=7u&rP6h)X)Xf|r8@8i%`3Iu18g@2*PMEYp#~IKZnl8U@FSgR{g{s^Uj{ov
zBe9!0l(5%UWhxX2l@w%)HTwNMM%}}_3>~vBbsx&vtXX8K;4*goJq{D;GU|0ZQo1ux
z`|PQV=K3w9WN(~cTr2N|a1Z|;RfU2tF3Gl|`D%Asl_8ul!Sx2%!zC4!x<xV@GVPv1
zTad9G2gu6E*aY~mJT7DIH-OZPr=wcy?({euMNa|Eoy;XVWkhJa@YQegry8c3QPfbs
zgzVJ&i-cje20pMA$B}VsFB$YQd!!_1o1VuGgH<uA0d^csG`tuL(=I+yb(`;cZ<y+y
zCXQUGO;?5B4+9B7;K|6HJ366~_-i<7rs9~%OXi1jTl<2bq?E0Jj-*_!&KwkVPfBr-
zQ4eY$rvHi=As3eKiZkw0NHd{gQVmWTAQQJy+|rQjxhvuEm*38Y5^Yl^6fr<w<MV~L
zBBgeEVYx;kACJ7&;4NKPMf_?g)QQ7qNz_ZV@04EIVwwSjFHvik$s0;|-sGcstYG7p
z2D~ahL1%o9tLc`3ROoW@YBGdJrUdrT*5<%3gt5BJhyP|Rwq-!B5!A`@3Uz=J{oADN
zi&j8b;!+7?AGe)4#&BX(FfsOWZU;zU{d%oD<$aF|zU}bg-V)5mM6-2VoT2<Tj{`G7
z>>l2Vh*9p5gI&5l-%X=<4od&`yW>EwGth;aQ3Y+bOeWK5feY6XuLS}RH6D$lK4U$;
zEPn-HCv}l8r@}j|iE<Bv8|E_{tt@VHi!Y4n35hi{q2b>N6w<22Eaky3CYje+%8nvt
z`R4LUdzQttw*iXW{`(J4pe`p}Yk5Kc;)Xu?$mzCWoZsKE-I1_pa_ad&Z%lQC>@zO}
z!*l~XdlVp58)O5IoO95(v{t>m6EM5yG3~LqK&|<rVjT2Jw<Ep=m9RTGV!Z$xjZFfU
z9nw9edg?5tiCJ-OmP-Zbo9IyKhD+B;lf8ETdpFKraa9s`uqo&0R^<YAtCDx_@brvl
z4+z5$Ja1o4(5JdCy%;qN&l}6su%|B#>w@CUC?jO*a?KuN`-J!jZ}0NX7WYO3y4{B~
z*Dvf8?F}hXP65SEMiEmtT27h?0H_!q9pokg;e_Z)A+sr0rcXDav0T-E3GToNmpFSw
zXwAeX?uq89p*^%s>dy-AnxK7))@fzKf(~$?h#X;{t>njq)ME{n+!URkv{O>WU;CVp
z=;;_KP4^r73fO_S!2sF*5G<Ad+r^czU~;;2kQ$+_>=fihRU;)vG7e+oWs>hG9s_iQ
zOluK}jhVPzVBcnFvI@kgm}=cMUU<{+p;O)21$=wj$Dp;AVyl77Q^c$<Z61JIZXVZ)
z!Ddk<$4!GaAfU<paR8rza3rqJ3n-bOB2|8H<>Sk!BhA|d_S#Yy)*B%!tNcXl{US4O
zxDP2`i$P+^dm6H>oxoB9x71p(z(`G(CAFmT7hQ&N63=wvVr{oB%EWAOYrs<$W+p<3
zAN@?Ex(JOJE}7B@4Frxj+o8`QhnQ@UOye9^USDzCa7=79`+<RI32UsUswgf_NZ`w%
zUXU%3L7^;TuodBQnexTJGFiqZ?eq9^7B)?)cM*96&gef`QsuB9wi5n>^4|98SSnIt
zheb$6P{Ml}kDRwWhy?5(6K!jE-z<g?E>hTkN%ZiMtz1aX7`yXgJJKr(-yNpXC_2Qv
ze^4Zci>MJ+aL+7t<R`sRzTQ?yBS|Nu%t4~1^@yKJe`K~2*xt`DT|pyGV&|jMhKSf_
z0AZGJcrA=8sN_q4W*7z(ZEU{3{!^bRQaqD}JR59{UXf-nKMZGJ^YFFlZ6JV-`ao?s
z5%d{*Vq5_d!2$dlMoYc@i*0u$Y@L&^-8B04Y>00tVdwp}W%8TAJ9SwD9OCfHEjS(%
z{Yk2|7*xyjVy@5aIZlos%KkxJlfMtzf*%>fyB#SeO%@tLPV<l7caSYv{iNEmoe1G8
z@dIdJ@PH7SnyskChQ%#1Pj?_p-yE#Hv9GO#8QI!qZ1aEl7T^F_H*c0{WX2!)nuJ%y
zMhL7I;`MRpEwvb(9;6+sVL-s61Ua@=={MJU^$&Wu`!kB#P9LB78Z7<wv&`eLL%{BN
zi07S|FXJMnNm)ZL##PxJw>Xe06k7-nGxPSObfxmh^LzdE9)6s?(0iUbA23qHE-nkV
zt?aR@sB17LY2wmV*34msPFSARJHd99@Rm+3;;L||?}WMn(+<N0$d{6Mu&re|^i@gg
zHhUX16NIj7Ev(Ws^->l`EnQOjsX$_JlZ+Pw1bfTn%)47Pna#5A9?^b^B%Q;%0QhXj
zIlVPRI~I4g@#hXXRnQS{U*q2ZcOw!(E@5kwC%BgeCT}->SLkPk2vG0(L%XTGs+}EQ
z(I_0D^`z>(!ZLR$#Z;VKe>NS31E?EBIz@BqJ>*o6`5{J562mipo!$v^mMoz$cn9Pr
z)v23<`NX_myDwJp9F#lUJlTAr+z}ZzMUKMd5f6A)$oC5fje$%ca#@=EJ%BNW9^yM7
zkvm^m55M_Vqz6;oWO~zURn`bUj_07!lb(D!=mQmsi;?HShlpBr?|*I5#}M*k?Apah
zj`q8(S{g80bkDhN9%eiXLRT0<)fF)-30^?5tdMj!n$8xVr~bo_Kh~_&AjX*IZDlAk
zkvxdzFc3Cf80jm_GH;K13EAJShPjVkFa5z)KfQv&f5#hVkV$KF_FS^Os5Ip*?uQVe
z%;|nH<5dmy;GJ<e55zL*k0Cng)|?)&ha~d$DP_$CXf+Ou9HCYUI)pKREyj?#7CF{L
z6dy6xT3UdZ)4;Dzkgg5iSG+_MDOB(Mnp5Yz(vN#aN~iTX{cA60I+?&RGW|NdLYBfh
z)N8pfh8`%KxF?093eSAC9mTzhqqWxCcdmE%Rrb=8tc}O2k`_W8nyP$T4je^l;-pM^
zl&d_7L1!IKbIy#=$L>^$BVo`LIb)udY?$@afv$aQ(1EiBKT;~DMXrch=<~+Tbix`0
zpGB!qL=yXxUQ=0&8M`@`BP?|Kf9!?_bwrgytV=XjkZgw((9+#t{sBx|l~+IT&V128
zp05bC*XEY9tA!iESysK}IS;bx(*T^RZfoSfD(F;Z12DLKfUzoMHpbQ<$N;Z99LypQ
zv0DY>#iz7H+}9?MX;aF!hijRFxbDe844gMGZk%C*(0MsL`auWuKc1_8jbe19GZ6m}
zyl-XP<m5acpH=P2?LFEtZ?W_#Mws-Ia!{ZAuXn*cOxo!?5sYc7B|l;#9Y)3=%EL5P
zN5L*&Jf97uE~cw{q9z#3pVuM;AML2`_2UF2p?7Iu><mCjZI0NoP|S!yysknOONU4O
z#d_u)Yy#1Bk@aAn7cETTjLiXj?Cx$Q631`icfVb|$p21C!UDN@GtLbjgDP7umqC<U
zGjYfd&&o2-m}ib|bx<>B5e4b{dd_7sZ7C@=E1BMna=x@<LnqkYuUou$Nvcn;$u2o&
zkvD5ym03tLk$T&i?Zxi&tEzdIbGBg}hxtl%bGIKF<;?g`Qy#n)NROJX0)bHh@PL`a
z8BUe@?AeYCh##9_b6Z8~PkLmKKF}z?tI@8&;JVe<;qhtxdC*`K2h}=?y0`*k;s3H~
z9%F#}1;vKI9F5hHX%*#$_%vlGHLr<QRRvrBqx5y(1nrGly1lU107s73Q<Xi-q((o4
z(|cT1R*3oOMHU90C-U)<f{qWt4yi^cTW<(&zqxPiod}R6`sEtu--IcrT*W@tg$LWr
z=<^#F@rXXx8f11Rj&)wEMc?9>%{0DZdt@{h(AZZRPD^-=5C^+%vjZYef)j~tXuA^G
zX^TLSdO97P5H|S>rJZ{G=?^;CnJ|kcQ|Awo((+iAl~xrTS(=y@EQ_yx>1M>JQJU!K
zE=-C7wHYC+n<e{NfE)N8n<&wS^+h6fKj>*x^bJy?-#WYX{>QRT4(G088|XHBrRrnC
zs;JX^$6<>I^53RXN9JoGPGjClhnPN3HEX+^BQ5&YGC)xq1uPDf4^in_7dB_c{OM)&
zew`t=?rpB5K*1rP2EkV{=EqQKhx)ltl&ijJ51hW~imW#w)#JEt^HX@68$nA4*0!Nh
z>CgW^<JEa=6{ytYonAE($svLh;Te4+H3lk6Z!xuOqs$j*{Yz`ycqKG&yck@TwZZQi
zcdsIa`3@7J>kA}*@tf$z=y*r95awA=D}ske=@Zl!nxzU67+Qn-;!2Amzl-TU;uFTw
z+<c`C%K8N;Rq0#X{9PK_hkX1iyy!|ju}>;s2k{a~9doJ4vCWegLe?W%Tzp`~D+NZ-
zla!V!6lBbD%HC5+2Z2r+x0bJzVj46z%MV~Lkqc0(5Q-T2xS;BWW%bVis}X9P%ERIc
zLAjn=<}0&H70V8K0fnW~Dl8Nscb1}HEQ7h9$kuGBdSb3I_{*~aWqW99Ysc(o{trWj
zjPojgm=^vmnYB@d85Q=o94GjbKPrQf<PSN!qiv*5RSm0Vy5>T?&U+n(?<L2u#uJ(D
z`x^#i(%@En&Pva^BTWp&Wp$W>@qHn75qbi2r@#l8j}ySpneoRn;Z5wOVhaDJ9V;Sv
z1BbYBy3DLIO{A)0l+y%<o7Y3$D>vYwPIU||Zd6uaK+m1&K$`^KJ+fX)u+EU_MZhaR
zta>g*l+gW6Nnd7aPs@rW%eS-#n8VPx)0DiSOz9@*9jH`y6evp9P2WD)fg%(2S_K4y
zT8C{>f8<H)eE-MtcN0*~;SLyx)_yywkFKc0-I8z^qd3tJk<h(vBv@%?M!M<oU2F*O
zkbFchftQw1z;GS#hnfc37cCYfNO<C3Gnsf2Q{$t-^sWs}3!Z~^=9Xs6wYD|~MvL=Q
zRS)16VH2HF@liWP>e(8}6DwEd(BnTE=)UvZTw%_`BndPh%FqR$Z4OCiXd8mIqmEy$
z%GCqHT?N8s>{r)QcEQ%~uUXv+j8#2%Cz-=2D21o%?Wu^S8(t{mr<YP?^gFP3xy10E
znCMOa<G>BoJxxHF9U!AlnV{c34@BwV0b^2KM!vxlr0mB9YZk(wXvL^ezDlB*%IQ!^
z{a}(pkGn(#jl;&pKmP5EJvV_n-#my3YxzVLwZaA!bXPfx3RPMJ1T}`*fJN8|O5$xi
zw#NVf2pZ<FAJd)@W9k!yW105dM9m=_`d&%xwx861Hj_MQR3U(#3+ZD%@@pm`C)V~%
zQqosz>ZGtB`hR{dX(|<d<hcl1mQncUi{Q!v^nR<TfG7aSQJYpQGpm`n9Fko1LmKBL
zoknHHWcjOC^&!h@Y*&781pdpNCU)shvyH5(pP+c8D$AQ;ReE13^8$Oysey`0hYoik
zU^52u42A9{_RGMh^=M`GU(MOzkFEpJHR+iRaMp3Q5h^y;HyYZRp7BQNt76i$ntajW
zMPG^Iu)Fh=OP+#wEX+>;X!udJacYG0C+^Jw3a8$2kCSs}xgzn87(JD0a6lY16w~|w
zU3auwX$^MxhQ1pVubv)J(!2@~9hgOw7sjz2M+e;Wz@b?mV+R2w>|!05^qViFqLO#b
zK{3;R#k?tWa%T6OLGn)1{EiK}<~oxn-`hH&G;>|v<NM;6mz7Uj$(Xyd=^5RsqUS}<
z0|#j0ANbHc*_~c>TYa#c&huQErom`z-S~fQ0~Qo50r`HKhOkfssQ5w9qB8-|pvEzS
zQy*&H^%KqJETBgQCWZ5xn9sXwb18ijh8mpuinO(JWsN-`)42rCyl|HuDH)nsqsa4D
zHlk&M_OUe;6C_y<u|%<G!gZ8Z-PLm8GXxf<PmmUt8gLA7pY0eB-7A?>`rfw&0=`Ae
z6lu50xCfIaqImGp8`$h@IVYksgx?z*FAm3mGR-|b)xx^}gEis#yHayQq_b#|b@$<1
z7)}fGO(Avn2pS6)iio}^JX6r?FUC*ETV^QrT^o*Ykotv^%gyX47V5*ZGj}6#kR?uc
zz?T4%nElciD9KsH<g<UGhmFBud?>t^X(Hd{Y@RCon2;S>(FE;2(kP&_F5LoV1Woxn
zNcPEuo85_Sn7-Z5G;9QvyS1tC)4v4SnF$$qX@l2oBD$$EI3ZpS7Wh;R=5~wx2mJzS
z80@o@go(-6)o{kpvm_Y)gEt~k587j@&-<9uL8_-KB$H=GMp(oG8xdf93}HicG)*!W
zY=a6BJq3s7#l49QEQLOxBS?rNGePxmL2YR^lWM=ed-#IP=zh}lAcDQLYS+hHS&f%Q
z^V&TyFQgRxC<Pno`C+Nf5nG87BY*(=vrI(>b^R5mvHtgo1g;93K~-fexl5qqYcG&}
zEp?smv>$pe5A(&U&57Ud`1}!py$XSl_!tUVOH6BAH*s%7@cr)2l4$Y<vyU)U9Y+6m
zj)#l?<bJa9J7bsc<xncDfU>O13(5FL_a#~1gr6x+f&!EXgV7<NkPhxsLQhr+pe)VM
zCACp3_Jd8;$ZU*C7Fussy>>J{6|9XN*3K(R3#By1tAw%DWT}_aZDwVmj|nTL*ktbr
z`(0rCY-*j0#%>p>3~uc6+OR4dQKKVZ4>6DfFYO|SLdhmpGZ{YOjGmWv)j{3aR;Q#~
zvM%zffK5h%9^Qx}!&NyEW}YpR*zcuaVd8Rr9tf({k)xM(Lxd#R8-SOZ;H692&JB5Y
z!FR4AOJUQW0PxD5pZ?pO1#r_K{drD{E_Xbt4+YO#z(>-?$H$>M*r+rVs{r0QKsDPk
z0cj<6z)?xL*NiCzGsZc<S2rlQ>RQ9HEkg4nO-q)fL`RV2$`LVSW;Rf&W-=u(Wkz07
zsQrWtE@=YL>M>|C-kwf{J0!W!xN>R=KMuR^>RvpZwG}r-yG|+ngQv_^P*5Nrv7*OY
z@;0XPA{F`C-p&3O62e&&{SarrxQ1_;s)lN7c1y`mRm4C4qs(M!oZkBmLaea7N3D{m
zXtP1|C7Sa2;o9fxW`p<=_03?UZNn=tW}BuMxP1iq128r9!Bt6ejL#onVjTEfr+H4t
zB$HzEVXt`T^}h(L&q*Rh|BH=kEgA9jvL8XQU)Z?|!y52%kNtbA0zOyTHR@W>@OzoX
zXWScCprGehPjGEKFO{?C!ryharr8VeKLqNoiL>Aia4-^+S3!`#Qj!4P#M@R`!Tc}8
zFVeE!{~YfpObPqe`XrwcO@C2os1Sq+bcdK26xwgoVw@W;KLC1y7|uysFkAdXJ`KgE
zC6RwptIOtvQH8vP^w0jb6#8i9SFFYVAJ|y&U=@B!Y?`=cm~*7~lXdch@#c3kuY!hc
z45niwl5SAh;6>Zu9?|ffUKMANiW8=&55&Woi9~Mxr(^xlybS%KA-|a~M}KpnV?qxj
zvJumy)DH1zq@wpq4;%#Vv6BbE373%6jN!M}ulN8yrc_sT$=S@dnGW=W?iU*9V1Wxa
zmJ2h@dW>7|8;(0Yo$J2pshQX5GEaE^`{?F8X-7ptybx^zibDNO8%O5`z&ev4iRNpQ
z?9Mt*`&wq)sAD70O#O`vKf}c#f1Dvlv5}$R%g3W2>EloSrdR+TYo;tC-QS8;fe|W7
z+AA*I_DnJK7a*MZ_?A&?H=v1$ru6Bzn=069AffZ?|1wWP^ig_OgM|zt<ZT~FM_>n-
znC|ACA}5U&XCFx_3h%Ak^js`yY$so$5sr)~IkmI=p&a9|i84MQ#}ocdv4?cQwpCSo
zW-<f6wDh;x>b=lx-#xG-BTGnBdulfTx@bcV>GkA`_hGkKW?7MJ9e1wTr+*Ir8(n%4
zlnV6;vESqkgtR5H+3XKXhpzCWM_z)$^dq+}g|g@xTL#1OcCWT9{xUhJ6zJnV63~yi
z-^Qw_5iB#kitd6gpS;F)(M82<YY)*CP2K2K-NXDHY`Y7Q?3sn8j1^rW4KhV#R@&K}
zc^2H=!<>;R>yNJKd;3KZJq`t}rg3R!)X+cxV0A9*q&mymOTW!FO?^giigi9K;cNnL
z(tN7}?PyeTvndLw$Om69u8&HQNl|zvgD5DUS`aQ%>s758sRS5jzGKa6Fz5zI_HBtB
zF2@W;dhuLt*I^h4)1<C4C$A*X`?Jyf<rro15FP;o{lzk=yZ4*eOMOT&;ALUwjSXm1
zjsl?H-o?sw|79<X6If_%sCl5BIzM7lAaxiZvk=9{b6~MR<LB0mN{!DrJh)?h*!SIW
z<1Ot2<}^gNuHLv&T*KrhoU4<POW&T)`a!9~I+<uwW)%^D*)f5%+PR815>^rNEhJ88
z_1bZ(f_lbppw-D>-!g|UWiB9P_h}I=eVWJBbJhjk0HfW8rzy=~DUlsA9C4dcaAHA4
z!LS=%6!Y;8&<bb0zCv0IS)P{k50cnWql<N>g${)JKz|ZV^*l%|`0K`?4D|xvQ=Hbo
zjS||fN&Nz#Ud=&4BDB<sFd@O9J0UjkOzukKnJ~^}GX+lC*~NeT3u-l6%^%;9V>k~9
z3!=LkOATqUF~FA-?<*SX&34m!{mZz@6haa`5?VH$x$%0xT=pj`2?yc<aKSR8aS6<%
z5wRAP?Uo0a=pU0|=Vm$UHX+mYOBNg~C$aH{huLwr2`uR}EFvsao?nPd;`=hy+!S1M
z)+djeD0v9SEw6xNoD%9>%18LmxWrQV1KrwW2HP(H?du2!(S@267oLqH#NxS}hEKMP
z6}&L&19J}1BMwOg>mdEMLnjW~^$Pu#YJuy(D*zxC=GTZ(w|*NqcBKavR}$bI2D0Ip
zRMbKm>}6wfUGD>ZWcc103T-N9r_YHUJgLGXaw_eNh6#o$#5zO2TG##dKi_4x;YL2n
z=S#ljUvmO)R4$10+?TU{0q+kG6ktE(E(d}c4?;1hcA`%GBp(gs%UKcm#h-<QK@1#2
z{3jQO2-Tj6er$xv%RG8GZs1l4P=H~cI>wQ{V;B~KuK<+%IEfE)z?V~qcIh}^dV^L2
zEK_Mka?Kcyh5a69i2mb=hx1L&lODt81;GaJPEboA<@>&{Jv!2Nqi@4aQ;Gc@?AYQO
z?^xLeeG)fTt+3sZ4Ry9_t_7Sjk`Q_FTu|t9vGZwj0Z+?D?b-wWkYOfcFg*1650AF-
z;@c6S4v(o#IL^CIpUhy>t5ytiNZ{ORbM@Ijq04UIbaOMB)%^e@)D0pWDu*!#?T=ek
z|4^@(<S2EtkOH=2K7JjAN7EP%<>qvt-1qpwazHjr(D2~S2dGP=x4w;rh=@E{61$I)
z*jyVks}nZ}hTI|gnujfH4(&|)>&NkYf6hRr!+nywfbOnB^s*PMeG!`t#WR|n)C98+
zz%;VI9^yaR80QTBN!yemSF~m6Zn@tEf_g{E?G}8dVY}TGsYa}8u@A5i+(tz-bfa}p
zBoQ9l%_9a8eNoVNp!nQ?a+q~<^UnERv$#2t&DX4_vUnmqN0o6v$mEP=q~S?_chx3T
z&PtNF@lN{kf|PM%IHEqect4f7@Wo6o0%wVXB}Bz@FCahnUTCHX2UWqqQ@+cM9_B@z
z($GgJ72P5awzmwMy>J2rJ-qx1`L6fqAmW{%5#O>$gi_xv_l&r7X?(wQf)K%?l1t^S
zXma-4lgG#gW3Sn|5qEVnlTL;^VwgaIJCkr?4i2hx>S=td7G`Vfl=`l>nc`{`XZMR9
z7eZhl&;U-Xt16cZ5D~Ljr-(gTct_|1Qxz`hR;V#(Acu;21sBB6G05F2k^%a%M1rN+
z-BSz1KlUu|D0WxT0XBQ^5|}?^Sy;;xAty}qI)0vD+5JUny_{9u2Q_*DCk<M<c-&l0
zTIL13Z#Fa5v#VO?XTAzU`PFExx*S`S-$Pp>!g~Sa`OJ$VjB`kK+4UW?iNi(O#!gcx
zG=VR@?J})Zv?&a;NGVf@i#;$Gh#pR~&OB3#t5_)-D|%4z?v6nPmD!Da-yqnc5%oQJ
zu7jBFleUv<MGkm1c(q1WA2UW)OdL7aZTt4KzeEQ$Jq+6nkwTjHL?x6k3lI8TMjM>h
z*TEG=(r8dDH*^vP_{AM##TTs{z(IW9fZF^WV^e`%X?1q0=(%(6*umlB&1}}SSpL5_
zKcvj-uSnH6(nig<9<KG)i*LacY6#M;%X+2nVjY@u3YXSml?iAwyFk@trW4i}T&4Oc
zo%c-bsLe>77?0S#j_E!)QpysU16hsI!2u{zS2`Azaf$+hkF(5c<vdM6A=yrR!15Dw
zls9tt8}V;VDqB(|7vDopxealKB`gFHo9>nVQ^1E8H&DHh@OQKl?J&be0x(6~PnR=g
zuXWSv&(K<nT8*1_0JWr%UKxg^%X_-uE?Ie_p|n4K!_$_sSH&%a^gnVH?l{z^T2n__
z)m@V#wgI{n!%D!RMM~Odw3B<xGS>Kha(z49sakBj0G%nXL_&d5Y{W$QONwF{QZ`kY
zEu<`qd_WJOC<&)Ru}Sx^QPN+3bzo!SWxAt0C<C>BTm4ae#_5^Eh-Nv(YA&x56w<;Y
zoXv^b)Dml|Y<!Qs=M|uHeBM!*(Po-nggxT^RSaEsF~K$s94X8zx{BCd*d;Xs;>Ed6
zcm=>tKXeM{lX6et>YthW&X~q-isDzeQf!>fTLQi3R!AtO#B@foAd1=bTxCoB8mw{b
zjj*j?=7bhMJpzI;Em&$*{`LB^yV(*F|4%#Mz2wm>SCB`b$&I3I_cGDqG;rW2*{LR1
zjPNdBT`rEgvnoNY{Pzo7F&}E;l^u=NjV<Ttk3a1k36hj_J|!53(<Q^UPNPFm#}fBv
zHFvH9d_+THL*6AAfF1zdH*yb-`sA$6_<>LGf>O<>Y~7Y_>h94B8{ko%N(_!G?6V~Q
z?}LTuI(M(CiKV{T@KLWqxDGyEk*VKqEMmW?l1s8bRE>8BJxhL!f!zA4#Kq0#VHVdE
zgCjG@N%^KNHqYPqbyTM~7x~MBX3PLJK+3<QD%MZQVsRvGn~N2x2W61e+I2Sq$u!_I
zb%{z5QjJyPDFqA4+yU6JaxDB$;bRnx&<4%HA0J>7lPH$YRqritwB^RH!_}${aHFLC
z$Or&4Qlhj@{Y|(ok=t%?!G6~eVrGM<f43d2_e`!Bm;T>lShb6hK_@S#vr+b~Q!z_F
z6~rB@j-1SmWVVPQ-spOEG>^H~I$j5=rzK^{wqk3d<)u9|$uyFQB`rtWV@?q6;}$~X
z?j^EOmj*`Ri*G2o((<VEcx`pmT``WPrBVd0xBvgZv|mTZ-d+*5sGh)Hx>HSHQ(ETi
zNVv$8PR(V-pyBkP=#=Y+TwmP>Wq*I9E=%<R^7M(w-y9zQ6ZDBumnC@~kX}+;zDSI-
z_Ke8Tv+?>^RP%a-!2e0b?qT(YdO?@9=5E>yYBbz{=NTU9`E~C&bp5L!rQZF>A}VJ}
z9%+TXlAG5YL_=*(%~vgUt{F~}^DQ#Tb>>kli%m%~^-sz!7lku^R0M{6ZO;y1-)^cR
znpAL1Yh$&=_@p&8HQY0-Kw38-hj1+*ufHvOQQH1FiDoGN`1FSwoZ*~3Gc)GX@0t+r
z@0cS`$AqVQhs?|K@eY1-z<x0LWe`L+aIsIlgpK#tP7v`BJ+##|sY;VxQfB`%dj9r~
zO^?!ZBs;_m2U`A+`Fg%X%QzupIY6Sq);aguTUIuSbIaEJy>{+UJj5KJFJkFDF<tV!
z3G;l2zW1pL?Y=j~034o)FG}0V8V@WS5of+5g_om1ZKk{Fp2N`|!q0_Obo}1HbP|R}
zj&z}ob|67>&q3fvI!|DYKb`fEKB|)g^eL^gP6sPH<jsJ}h;5sNc)7Rv_p$uVE&yYO
zibs=Zahi893O*dVJi&Jrf#4n-PZ{$?@aEp?4W)vuX|$9Svh^(ks@o9c9i_xmlUwJb
z&Q*zurBq4qK!DSDK16xPIG_a^1rG<w;eXPuJmQnJ4@`>vdtR^{aOSYbHQUV`6pP2B
zgqLjPOu-#Vx)c+y$O|D2%*zUog)2%7gIbWBuba7r%aOa-F^`_0-%F-aJV^$5iW<B~
zvA7S;jx_dSAmVK08){nhQlnvSp31_|<{8r%pEpsvc%U0}3!KUQmv+9bXyt!qP%tB|
z(Zlyr$7mmM{xBE)Ke(($Fc_G6EwYtCGpXP{D*OZfEP7XmE)d2~#+|FRpM9py^KLy~
zSO&9Q9)1ctdY6rTr7711TZWR#2g~A*#P^_m4gNMF9B~9R?SD?wV?+KUN)tK1WP7py
zurPm!;RQ~W-Epu0`hH5#V6IxZDk;5Q90YY5KHIsBq5g2{Q|_?YF>uwM6dqkvJ~VcE
z?m;5b^(Gt1p=pg3IgW)bJ95d6et*9sMsobyW2(wS&&lb2F5ffsU`06iz7^|-cnBME
zN<a;>=hp_N_rgh_-<KA4Q;Z|QbM&`(5dvE6Ry9Gh3koGRZ?r()p1o~@^wwnHE!7iE
zz8=s|Bu3kt_C1?^wo0>D`AlpTtw@aQpq_>WTj7A^=x{oC%^8nBIVIE$)za7b{W|-V
zdTL_q>tgub_C}tmeIXcslBy=M=qhM%+HWH>i^$^54)u$t%txTlK2UfHhZW(z-zJHn
z82T1FVf&4TllEpgQxcPD7M#;ECJ;jwpixtv_h<Z`Zy=bt@Bk)W$Tdw}9w0r8%AR$I
z)MqRy#V!zUX5$sll#5s1IEi5_)u51=23Ceabu)NlO(Zk>|Jw@ysf&3(?|+z>17!_9
znZ4#Y)lw{Xt6#@KAZrDa(VP}xjw&@^Rm&8$hH5JY^)&`5S>%qTvhDlgClt{ajesx`
z=d|tUT^R*42ZY2}u32!c<zO|aKrMjCBJQ=u2_+7tb}@FWT5?0ci&C^;Ru~A_>QV86
z;88)_ipXpwYT`&;8lxuqAR9Om8%J2+|KuctaI=l(?35xXZPH8{@Pnx$i8b@DRV`BO
z^5ivVGF@5YR#X?3;<Brr%p~SI4&NZ2nG#v?R@_F?e4UfSLa>poJ-%lQDd0A&be668
z&Zr(=@mUf-tLX@f`tA9t#MJX(vDc_Wdr_tBU=BefL<g>zgNntBZody>xeT^4;M+%8
z$6J5zOINXZa44u%YjtZtjYlaPeUU?Zq#F}Mx7|IX1J<Nt(R(6rFAkZ{3SssP$gfve
zVKx_pEno8$fQq?^(yk=E0<l%RV&nGqc2_zsIT#U=1m09#3*BKUw=VlzzcO7Q5`p;S
zwZA3?)3Q%-+L#w8<Q~J<7r2h+?I{(!ifju)U=Tz^Onj#L`LQ-oLpGzxT6wSXB9U~e
z-`^iM6e`E!ed)jKux_Mi8QaTIKX*TcP?<x8h8eKi*0A5|)*t{7I_8wygU43LbQjZX
zc1`;J;qY?oh<RVtx4e6s<sF?N{C=_X2obe39=86NN!%e$B#Y!JOM6IXTq!6N>^uQo
zhUvJsbNJC)%gs;_tS1(<1~`z?3=j>?4<4{=rLFadfgkxbDK7bhLQED~dVz_0<SJ;4
zj{-+N>1r4{g;_QJL98Gv97UAnx4tHp$1=HN__Yf1TqRkC+W0jAA!xUZWR<4S@9YO7
zYwCQkbm9y|j3&dlb&L%`D$j}m0#QC!N;LjrL$Bm|)d*ucDBjZEHR}FnDL9*Qt~6Vk
z|H)Ohi!Pn5|8RC<?Q${4Ats7%bvr0m_t4e@a1EkcHIF-n^S<l>SwBhcX~_8jL(0FP
z;owR!aS>;Hgb|1j4^v9KO`s*bhE<Te-LhZ;<>5$NY|-wF8wU=p9YuTGsp)Nt1vt>u
z4UUN~E{a?WkQI4J4y#w;?e<d*uUIwW1Xd~=)+&oj-lx@;IqDH^sfsftV55f9Qeve+
z&ke12__(fFPHSNdoX%;(-2K;dY*yGxw;Zr<x~Ni`klbE63h&~1E`CG1G3veCHuV<=
zW3+E7ZSZ_<aMpGLIBd&pdOgTs2z2XS>!d7u)W)_CB#NX?_WT76eli>8Clggv&v=EW
zH<y7zi&&+ZcQGutkd!$ASEtjVwwcThR|#Izg;2<v^Y+}M)ok!bEYEqt=l44zio0n(
z@75vwTS>)G>y3k%_*XfkZ&=<v>$G&W)fidDk&~{@Au$b$Y2{MUFxi`t_Ml2Ka-kjg
z5+TeD+{f1N6G4x&H}74T=Ud^Y#Q6m~^vMVwM@mNUjI$<KdiEEZrhznjfZp#PKtV-~
zp1r>Q2#`eP?S@6$|8It#6?cEvdYK)U!tr2rfU_*Q!DkxlB?+=PfqO0utYGHo7@PbD
zlxi}};x*a80GYk>Lhz?H21-Gp4G5$Zb)(vr5aqXZfI;4=hP8uU_v!AH2!8BL$El>G
zQIe%#I&3rDe**quh#sFsoAcQ@2Hvodd(y#tcwLl|-@b$ptjp;YBzeG<&Z~n9m|i(p
zw<E0H>E;9*@S#FiYX{^QNKIFyJQ~KV37-6!=VFWRN4p}xckwDHKsTaChNYefaYqne
z@n0|c&O0p8-mvm4%41_bQsrlQXn)&?%3BhhezeGZwxc$rkg8Oie!f?vqohmGQa9#K
zwFQzsF0f>70~GneGtbru;835Dgv5I4SA=G9TfR~+&pV~&Cbv)$8Zef)s8eZYHo*h)
z>1J-Rb<qKd<U`I>0&C(u05Jo1x}{9vOd$3IMDmi%%pp`U0FTXL+otO-50+#Pb_!P4
z;iKXRCZ>jT4l&kxc>+nOf||-Mv5v<TRciydwcAf(Ilbr^HE<13tLB0TGQqx~5EFj}
z@<<bLsW>2U-YnR?-p}XJ-rf-b5S@B9p@PYbST8f%mR-@rET^CqSskTv23EB3>+zo>
zX&tk|4IDT<BPCC9A_Q`gJaigg28jms-1HEVZ6@w@P_iX4_1wuQz0kbJskLW-<RLgP
z9pg9}3&O*mKRo(vB$SM3=4@vzIY?<w%QPSim-8%?huCEXhUN9~XXXO?BwbX3ot}2y
zVGVPph;Nv0j>`VfhF8jDvhlpw1vMYpV!W#FZem5}BX^*xtIUW;%ov>glqh!Qhc$I_
zj7D6ox-f8ODl6sj&dF2#V+~V{r{9dO7$%JJ-*knLE!*T7r_>i=4VV)LAhdqf9PBRE
zfNztup>5%sY*``p^puA9d&!L8HXU9W&<5WQgTpuLO-$zmBPZ4n0pg!uLif8jG0%l~
zrDIYmgVd9Q)ein3rfoG`yar((XmjVk$0BJ$Wy*#OEpcmq6N$`q`b1eeV&N3RM39(<
zTqTsQN|u?M;Ebq*w(mbtI87!*@P&IM8XnBwQiD_Oqmir+j9>nccizM>kOTP;*1;tm
zF>rnav;sdh5N(#cpcNEwqj<eGr(u7Y_X}MKWKQ>V;~BNG6ZNBvDM`q@zun2?2Quzs
zwgbR(TPgEP%+q?3RjL1~Dq^2_{EOVib@cZ4-|QQ))K=n2P;GI)UCYm-1U1qE@;Oo%
z2;Eg|(OC-M)qY*<*fUaIIaW9z0__;<F^?hit6P5R7v@hEFQ3*=#MEJsIArAEu$QQo
zE`o{VCs@9)-L7_N&_9+fuS(_J_BCoIP*=;tV%d5@d9su|hPwR>^8%qvdaf#)hd@dC
z*eS+o)lR2f|D$TG_>@`&Vk2KoLL@=;F(xI5B3ogHcaLELz<<A)V@zbxB9U_B)GKV}
za>fVBFI9Gzj~J^?tfrd|&+63B=gjz&#aTc~lBDm}>kJ|{+3o@fdTi5<Tk7@K7bJY)
z6togQ$op$ovC;wDc44J>m-va+nm}$gQx+Tw{yZ34qhYp9QAM2@n?`b>=nBpC&w*x5
zqU?)*;}gA)*?VU4^qPRYFRvJx&=@R`SAkY{7P)^re+ycAgiWO+DRW1z#m5}i2-hxz
zbY)=3YuE2M;jPwa(8G-=Pgjua6sSqi^(~3P2>UR?m56pZT<N5tyQj!Yic`Q;{iHj|
zw1i8I>p^Pl%M`p|<%mH+b%SpgeaBn3W)K2ggOE}r!(+b`PnUBwp1fwu<DHVWN6Hr7
zbb*I48zLgVuN6LB=1)&GuK)<TOpNo0HTfJt7Q1TOpfEXayK{{H7`$+P>Iq3;+X_=*
z(DEpd)tz8N9U_c@UNVNYL_hm<o{VU*C0hBLZ5?0d+EnU``S%4l)d(lB<^)6HR!KTD
zp2+^`(!-qvUBGjdq=}AAvREVO_R$bi#HpJ`vTUFOf&+(n;^S8>DKI)#QUv!~Oq93J
zCd<>izG~s~stKe+I7!l!!d+8m!Qo~yFjEg4EV+zF?QBvASko+>dGk;mEp^p_!Quo%
z-T;L1c*f$Qp8$!~SCsz7&1X};%)zWHPRf@QIr=ZBqt5Oiw+#~GRMma`mzakBAL;Kd
z#X3hHUctOKS{&%Wf{&~3@1M>vYX5JSK#A1j#n%g}(GfFZW$2V;aZr-_Nt+i#EB?CY
ze=(+Q%zaiw`_y^4J?6kY#Qx!x$mK5Z|8#FypJ46@EA$7u6<P*G{LO@8&duQ#uw(=r
zoNV4xnxdt{Z2kiGkWcM!)mfAzm;U$1K7u>R^}@!vwv;zT*{`X?NWJVEdnADMnFd$l
z4w$~p6~BB^9h4XM;k^7qZ$?N?l}qtJPBVK|^sCo*j&3B-eK9=<h*U5arsV^K#rdp1
zW*l}*+gVw@P2GZxw8~3^<k@SHxSICcybzs8DK-4tE~XyLz}#Z!G*QZS9T(l<z>V}F
z5PgY2jHxR0;BFg4nVc8~DrxkO@MD3Ky|)Vq7n!ps)R}r!MA}I;!5tv*;}7H5YG&Is
zjQt76)aSr-Io8Vetzj<9?|us`*_OL9xR2nF*g};x<h^sQQtoCc%DP1qkyFJ>;Qu35
z1e@7bxh=w|!eIDFvy*7vJ`U;HoJw-z!A(!Yy^&ETu68z$+V-2_#(C|tm;Q~$Her`h
zUROpm8VKjYd=*)a#xD1oALRj7KV{jGr3=@1`b{4X3si6iQehjx`Ze`_<HcI~j1MXM
zog-!0b>f&phJ-LZk=J{}M_5E$@1YGl<I8H(pNnB;_7*~w%RV~K7ujG(n52Snd!J!`
zo<N!EPSyf$+Mu&2a)qtW0Rbe@*oU?4hoSI1FpdROYYHdvW&_ZiKbLJJdZMmJB`~aX
z^ceyzScmKzRwm)AN5}OQEe=|&*JG9uYg*FDGS;m+a_^zw7QvqK;6eYdA)2?G4%X!S
z96wT(mL{wA65a*Y5!)%Sr;kF<{O3)B0-4SaQnIrOXhEj}`?=MG9;6DHH0*DFwFlI?
zO8ZmJj2kBC2;Pxq`nx@1&7_KQ@u*Rg_`M-L;F)9JbHc4KtIKz*Gkh<H_E?@9`MMJ$
zhwlP0vY%^YlBkQZdK#KeV=KIA%G4HaGn`Y5rCObX;&qV=^H0BC<^*%hTWn4ZKQWy2
z5xS>Db8#YOukf~Mv#PF#upf5h1~?9S&ln_&Y+iwe`G>Wh)%c+%F3}?GDybqHq=t5+
z4N4Jq9}`erqF)<j4f>sS0mcD|-cN0Nv@tLCnf*MT!zgk2vJ58*S;axbL>5#Pghm6D
zfFxUAzo}qC2H4Moc-;O;3SW7b(0_i&q^sCwYnxVFx#7ZBg+c4}!(WJLL8tLq0L$Rg
zA`!L@pcR_|9Fvz8Jg(TR2Mn{9Gi%aOJKG68c$13pUvM1fmzs1JaHtVkVnGB{+?Tyt
zjq=3M7rl`}8Bns+@|=U**RSbcmQj0|nbg5cq=Gk-$yY@k2yNZn@tm1b7UHRRwxrhx
zsCQ(Rk!rf);w_|}gAc59&?UTR5{56&9kJ&9WuR)O0}L!(09H?{U&a#an+vCBY=mb@
zvfVgL8S0X`(J`hZz*Q;%OBDo{51+o@+qfK=%Oiq+-~V$Kz%usVs`uc{nKy(T7#}e5
zftppyc{XUfeOn@W=c5;KfL(F8ygdVw0%@{fCHkQum|9F&TPQ}`W{&OT^li+On(EpM
z3A<F|iSb{0k(VI;w$=*ZZM$lk&br)ATzd9PyM{QXa@$=(996`p!;!#*dMz%m+O46G
znTQ^2f^%{0@n9ccEF34uzfEqrNi=2tWo9CP2{gYRO7~7cnUu5Z9%#A%6W0)QC&bBR
zC1zRH!9sX-=eW)TLbuyP<Q)Uivyo)7B>VyoPq=(5lYyRkUaf^mWZVsKa%oM0qYmNI
zEZFnd2clttDHZDL{EU--eIl~r0kPjWfx6rNU=sv=E`Y$j5YTj5G&KI^vj~JaFgVuj
zSSF!DbS<69Fq8?5M6j>nD->$k=-<t&30igYn?DKLPr@g(00vy2x?YTAotr23*C>@k
zcwlumO(}IX0>D6g47^H5=ZcM<`G!@aLj~4SB9z&tSrCkf|D?mxp=Lgm&8rJWRI%ou
zdT>c@AhP+#rsUk~DAkLv;8p1=XwbaOi$-g1RR52W9<yoXX%$kmQXp9*$e}_LmPq1}
zk8eW?^k%PyuO2vBJxyIg2#?~EvMLfWY{;y^B8E@Rr7adej*Erp8p9y|xs$VIEv(J=
zd@B~n)}G*}Q$y7U<0g}1$mkTLVpr#IyW#x7pe_+5$y4^b`LvXwysJ&}IRGT1)Qa8n
z-=me|oC!c{8Fq*0Ykv*HeCeG@5NPE`oQcIpw-2`5$GHn)Q=r#9*pRg$gO6q>w1o#{
z1&ey)@`-&f7Dzdr`V$9!54Hx|>d*ofc8$mNiT_XkoSgj!Nkv2IDt6IJn8I^hmQ3aH
zO|DPnOw%RjVd9$|mY{{TjqO@z)Y9PrB=pK<?Jk@Cv$Q(bP@VEm6Ur%Ps)u5e(RTP2
zWoxEzQrf_bnWNNY);sV_I9eFTz~mJSFoUEj2r}K-MNGq-Ex^b)TJ=6&5U5-ymYKV{
z=V6_|Z^RT7enrTp*~?&M&5~J9D?#$%qxy{9?qTfHB)60RdqEPM^+ZTgi}do(#)*Y+
zL!8j%wudl@TCZWRe=aCaxned;m@BEFTVcA0tqlU?v`sG-SA$Fu1f9eUSOxqmi*lM-
zyQoe=Ur{E6b${4g;}#{UJE)HG@19O;J1GS^q5OP#iu`7q<S`Ex)VOwxcBRGBq$MZv
zL?dyR`O@m-=h++@qgi`#X;2-KxhJMS<B?sa#7uVz+~Kj-9B%2#pEx9R9i;}%_w5s#
zzY<p4Zc1YO>qWbkdBTd<)DC+i!){Tthb0e@A56b+QnFWZ#P&9&s{%iY#>z_Z!vXLP
zOli5@XVtV>6)KS{Z8@nsw|La^ULO%<YjGucE1ut}!pY0xEK<zXTbyK$?ONTE^4}wQ
z)jMxrl_;_Th6&ijebmA6q7pT`6P4U%xf`G6Yz4Fe*0~E*1v3hS!>PBsz0OIFCqXo+
z43(`j7UdvLEr*o34<u}~3V=L&>OD?&3A7dc$<%>+d853;uZi;WNT#^-rucTG7ZPnC
z*pUe*=$fl7E|m7GgeU9Sbsxc%(7q3lTOGRbPILuya(d;O5uYZOi5p0A#>C8Dc3@lN
z0lY6?+^L`Nc*_<e`kkB@dyhSD*plY4RSev^z5S-a%2Cf@oh^BgYa;JP<7)^hRj}Dv
zNWy70#PJ=;=idRl_KT@iJb@9~z|EVhG?OjshsgBAqCW`$mWmy1JGZMBOUa!-fGbc!
zub`Hvr`{*{k5{XRrC{cnJ|My%=cx`NwzeKfn~iCG2}N~db3#8Y`w#1D6^1IKSt5o6
zDBHQYuR?iVF|Dl3H40ZoBo_hG^pxWsC<GV|&p05n0|}#5%~4){$H2Z=bY~V|U-ml%
zJO$mf*IogFk3vb8>v-{G+XG1D&k&T47NhIht1?5{%>3-H_mWGG^nCj(-FMN+shvVG
z1UUOoDXc+GGmNTHy*(3cmcfJ#3WZC{AZ>@xuPY7)3W!^UYK4$;E^7b)l5tujn1Us2
zm_s5Y;T`^rI=3rD{|{}5V$xn#z}lwx?$P8)ME-(cV=YTzS&Zzy<6k~Z5i=HQhWvqx
z-xCL%F|kTH&s2@Q-~C^)<qC!x%O(DZzHq;eJ#p+4A9d{-J#-O}L78<FcMgMxRh5Sj
zW{7HyeVB(9+x=+!i3-b5uZa|ea+sw-rGOe4-Ch)9J1TVk|BrB@eP4#&<q4&+_(D<U
zf0Nx+gW+i(;e$jZ?LTJNI-bE>`2GnRFS*Tq-;_M|Tz{h8of0B$wiqVFu|$CmiscEp
zax#J(Z1zU1e*%cw3QG)FXX!)$hAC*5kBwIlpt0R^wp~FDWTQa2c>s+Jj+&}P8*&aR
z#7FMg^}QLVFTr2Tb4BoaJC;)G1n=<n<JCL)ySpO1jp5|v2hemrfO_k3wSznFOe%lW
z&U$*nfRbu5xJ_&VwhKEP0#<y3pFf~QZLFG)A%V{D+uy4AuUGH2#N0NUbiA$Nif|N9
z&xqD?H(r$&OjomYajps4>k;Gn45S9?wimA3Eja=0{8}F|QYM1}%PW$j9Wg|zAeMWv
z?JYS8%L}d3rbyt^kP~>ro!GEk7MoZ2nogo3`WvBaNS^D6$u~=8Jn=DcbZW!6SmpEB
z4mP!V!+cm54RjSWY$@N956<P3JyPk40><F&xpdI2Rv5}WzFQ)+B*i37&vBT8XJtuE
zCTiGQ9&OC56nfe`qL!4c>Y$#QtRq{NDS(WIT0L_bpW4$^4s?2AYkp#uYTHY}WOGuB
z%Sq22ZC3-<;)pTK3|q(S&l}}5fXGA7s2!p8Hk*(r`$HnGErO3DGkGR#)&zs*F;F=X
z>)ARJyF?I>eCzSLn<8t7mS1N&E<5mx^{*3szI!u>F&4g=3#!8^GO$g7y@ENZAMgJ|
zcWUCX+yO<mz}>FU&-82g!fw@)y<wvy5go&Jx=i+$dyv^~6Tb>x>5<^H*#)-pJ)M$E
zw}@0@5?Qrc4h5u!Pd<z193JiZw!(WF(>rqCs!(dbn()pVoq*0{yAuguKrLqs{?^P2
zkUcJpP{_%(<4i?k0gh;Cn#j&*mh7be>qFNTvi>iZi#cTXpZ})zjW^VAqxcv=<0hM+
zJ$S6SQj1s!V(+mDDu*f8o0bjRtSwTJ%;J;*iORGqHxjsX9IeRkDjB~Te=U)%;P)QC
zB7hrW;T_&`Jd>?F9xd*q=_3lvJ}AV8r8V!#=hI@J>=pX{M!%~`MeItrT{3uz_(i}&
z3KyA0H>5L?_&)l+2<l*3OE|?+pw8qqa|2?sL*i$0{{9&qV--(FVDad%p>mo@qxfBc
zCqFhiVPAfu$}ECu(tjg!d;?c%e)GG2@#01(ntPMsTi=A0d3yl>ueC%y<CR37&zT~C
zeRDjX5{Hdw@bth7OB}nzD0$Wy(_5>p+?PGC7Y_BV>Vak$yZ`bn$+CA^kSw}-W0mlS
zOuq?P&zQ<j3rfvf(&WgiV9A#~YjhodX&ekK>kJ7lB-D-5f6&z>-YK6K5hxo5VP6Zp
zR>HfZ-8k<(9Yz;_p)Ni^_{$A!5vsVHPw|=fvP;*<-8(IQ^Df-5H#4tH<2q{T%mkCW
zc17}8W*Lk6F_A2SRhga7fBx?OEs?o*@|~+Q4Na<G?9n<aX=BW+ow!<6Jh+6)DI2TP
zwF0+hpvI?ug8^vDfKzn!1$vC{_<F1<@X61&dOC@;Vmeu#1U9G;K<upily!ij&e8IF
zLrtK1r(H{TvBG2xS`uGu{3yCNW<}0?;?YpR*<7U#V+lT6DaaUm%5}!$Pk7a7r&3yO
z3z8bioY$e6%qpMZ+^>{P!5yujaY7zoM43tV1Tv<YjVlMxZvyJoBiAW$bF&2OZsn~~
zdWPxDL*ulHG<MQ)Wpf5#Uo@1@Rx#$sXBVH0p>SF6Ed+fSiNP}3^8K@coq+}3(IB^G
zCUa!`lQCp9zib&I_&7>Gw6omFyLKK`w=Q$_8(OQWQ(Iz>=qyNXIHtm{h=jXy-Jp-R
z2%NR=#sRUFj1d4fW3nlH(%pmTxBmiLviMK6=J`mg?Rk(rfboAZh^bn5COz0DfAN(8
za`Vl2><5WH^z~Z&;JHSdI4|D`1$ZO-jh^}mdezc`jbbB@ktUIJ=yeSAF)X*nz3z1L
zIe$+18%pqfv@nh^6ppW727)-=T=f=K!$M{klQ6SUl_B%s&aR%X$L4_BM#(naCLz5E
zUa}*ojY^86u9Az^jtm5i@*fIRE|zLt#b+sUkF(u0?TWFfz$HK13lY2{jL~dG=eC3j
z@wZWzrI@}M+G9s^w%#Ye_Qkb9-)n{6AhBLBF3j&7TtjZ4QG%t8nP?LbqyM#|-2~)E
zA5qYe76_oPWP-egKM}K`cB&XIEAaYbhD>b{eg*4+9H`05id4~q-EFi->uRL~(*;6R
zyH67qi)wo&(rdDC7pJ)|sv?k=SY{sD4W}dGJqeppn>Es~51~CE8+;GIUh0lVbl}2R
ziPr`dqcb6DOPNJrn!m@xzvUBua~=q~z0R~DlZnL*TgtCk<SDueaL~kB$~tYq9N(=K
z5tn{|j3?!glI<%F3DkK#D2ji~0#ZXuxxJU=VC3AjG%|qzS#L_wjL+s$?LOJ7Oq@#9
z@1&+>Zi|i5S737#_VPwlgmbo+YySi!_A2<EEsz(1k9Vfzi(NY>_G~I)^}473U{x}7
z@d`e_?U2MZ@^nuBZOzWs*jkO`7p-cW`souU)I2<$T(Vaj_w{%>xUYU%qu^b9E(`#Z
zM3%MeqU6?N#U#3BWL%R@B-0bLDH{ycD|z`!65U^J<LFZ|Fp%Ux*bk&z{|JZq${mLy
zCqV&F8s5ll?qn@>jCQ|!B42&<zHqp~(2|~YST-y`v)jBhVh3*()tU1=xb(4&{|)b#
zgYXCLA}BmIhxAAdfH%v(Z6<8^XvX98vIR3{g<nxy><?meT4J``H_uzZaw>uWdOgMV
zy@(QCTejAo#4656adUdPS6+?v8>Vn#iU5rhOU}P6^mC?V!w=`F6$NwU9D<9m16@SQ
z>`!6T(GyHeEmM!FGh6{+bOl_~HamB(yY_%@Xx8701`h@OQkIxl!qZIE&vdJ3l*tb6
zHH|S9w^<P4bDJB*3h?_=2#&$+)!QMmzPmI?zy2S(XR4rARWd*Qol8H9K^Z@2XAAsO
zRyjYt$qe$}SHBA<EEy#y5erOvim&?^UjC)LSammB>*##eQbWOxcR~ClPC!HP$^`;3
z*22H);U6}$DhE#oE(R(H-HC4CbI7CHE2d2IvDv$)NR;xaT}r#*&-$ai6+y<1Y`dWo
zX2mA>MdB_BUQ0tWp8%>fP+`}*wjC^+9MjBc;Y5@jjk4?I>H!J#zZn7E)rdq*?G^4M
zHw&@HxQ)gzaZMte6vlHQ6HV4=2i|e1g~S-N1~+P8;MkGbrNs9;VW>T)odBTDqD#fg
zBFB5*h^vf1iq?|<AU68QqSshaq~i#M(RMr-(_;^rJH0pB6vLEYFZ;PEJ{OeXao{p-
z#7y|3AD<!aVN=Tm{zAJ8jphu+QoUNB(ft>uZzp)?p9_8gD`D~eVnTwQ=>d?*DIb#-
z^_D#e)+$cElqhJyuE(BE675dDNrAY{qlh^+B~XqHmH~T?S;H$Ht+Tx<5W<!+QC}ER
zZ%A>8Gfm8vq>>O=H!1=vHBPD|Y--Eoy<kKlPd3^6Yi%PG-@_+rXfNN`S0zC2Z?=1(
z@B)d(Y+8|?c}P;T&$aA(dDH+W{50c5SX$tk*hrul#^f}!jum(F)s{wwt2;)=$z_ah
zb~a0ifXT)#6fC<1!^o-;SvN?lsJVNfP(?gGNi_y-7bguEV)O?YZphTiF#o(@g+u>E
zc?w6mOMClusA0r`pR1w)5=RUGTRIKdSjSSIxmI7OGcWmDR8D&EZ-jRU9YIvo;dRL4
zUfyL4HdXR-ZQJmd6o3~==!ajV*By!L<|*`QZ^aZ>2rNAIj8Vkds#I56CR;%#H&e>y
z$bOwz<s4V}HU~bcy<N$rNRn7WzN*k8FUn7A9dQ8QH{2n)Tpp=0h)J~V2z-&x5b}I8
zvPKGPlS6w`cZ8)#rUjt^3t&ru0+^8lp}q-Q+%v=sX&=<eXZ%T@r68vHmSG0tz9cU$
zi%g4_BQ+@SGmX>2sRIIt*_u&dFT%1fSikih4YPk3D{b~?o%+Izd{n1MTsRue+pn0k
z@H0UsG*`_Pr&4mJMq5K8O?+o)b!UZ**lCh9eUhofcIz&2l>1lXFCCfdr|d5jPKRLY
z{o`dM_*LnEAf~UbS`iMTFQg<@qY~I7hx#y6rXmn5k&d@KWnC#rsGC?E<tvqJQb?6S
zPQdQi29mqu0BnBoJPtAuHUcTexCPz?uVL^u<pwDd2$!5IOs(_7dFJZPC?A4IVFz_V
zbsTy=*m?FJ*e&@0JV2r_KL&UF{p@O4=xuf>V0Vx3;ZH&at7ocP+HAy{U88ic9Eq0>
zTAWhz12R8m+Jk0n`&&iz{j*|6><FkBWV%5*>vikEBbG%1^Qzimj0{5G@<?-K78q%U
zAs<d&{uR$gX;D^T6SmLnvDffuRmZ^Y+yr?RSf|T~FJN&C=7G-qEkB{Z7>s8;=urU$
zPYL)BS)?Y<Gc0$McD0Z8hTZMSoLZZ)vypY&{<8Jwfm>RFcm#xzS=bOzbbRH3qicEv
z1ap;50y)!3Qi%_xt;X>i_cl7!TwFdVBlFl!@OeCuL7V7ag)EnA$kv~|mKB$G7Y5}C
zUDTVMmNWYdg;12iUd+nB)~VDMCm2EFf+v+^HH;%t;-PHQ_$B5M^6^LP8c6V{NR+mm
zBblreGyTwnul%%Rus_v<kJG6$<_KSx*VU$LE!x^gt#u^CCcUk)j~x~i(@LY$yO4=5
zoAh`Fp3tpshcWC0*by#m&ogk@B39Jso*YUta;Cs6qmV$muz3D;$xuY)=-i5BE-P!i
zasN05l`P9@9fO!yhZaTHdhsCZ&SmhY3SS#T6_br?XdheR1wr|$(iKx7yO9rG=;D`x
zk<eKy$+fEWy>?e&h0K~x_oJXn{nX;yKHdS*j+<-%sHNxCP{(oadskUvViJRt9+o6v
zDeTT~Nx3Cedfbj;uPHQW#xkfzO^N3yDs`uc3T9??4$T5aT}QnI`F4b}__z=iGg+J~
z@fGa$+@za;!YJipKhTI?&9N4b!oaIsr)RaxV7|q8Os0(B$bp8hB@;NL!B}A+4;`8`
zc1*$tv}E<gyMwP|5uB$xc+98DTi_HYP&abMru6ddDolVLMu!<Txz`sI#LBF{U0Oj<
z;U=^}oj3q}pFi918}JfSUSb}BsmNQd6623s4JAhwIn8vmN%4V;8iNhZi=|JIwNcw_
zl`NE1@-LX?lDlFFbC}0e{)MVUll@B*g>*uk;dTiGXOMTQvevCA;VPR|xbU}OQAW0|
z`}rWzc-Bb8)VE+lnIenT<9AmD6}KgWoOJV?y@8e6V(fXx9}th-S9aH4Yz0&#=tJ`Y
z+7?GM@ko-5NRHJCAg8!#mJbH}PVKer@5DJAVTWOv8Li;q^Y&2^ts>UT0+s=lzmC&1
zx!yWFXDr_1h9Ljd&qqTzu$~$nN_M>Ut`lcyR@u4RyQY={DKH&nb242Td?V&t1zj0O
zS_gx|{P3XPV48u=Ght6K(XLsRO7XRMd0=z6=DvJxNR5YvTA=31Ic`0@0VpK3<XX#Z
z6nf^7)U!es`BMd&h%esoG3NWV#l+D8+L7<SGR!pc3N2Fj&17)Dd2%yZO@bc2EcKs{
zAk+EX{T!rMq!53qc)w)^$)KW6Cm^aYubJp^HUGo#uLs)m3Z<xQ8Cn#7ENozn^tS$2
z_BY9>96QP<^z0Z8D><0b9}1LJd)?wMim|MS9SBR=n#ntXza7>O(KnX^8(ZGX8up-(
zcgGA^h|9<cL*7gfjhe5cQp)lGG}|ty;4_du>5%Z%C^yz0Dg?%g$J!@5Iur%aE$sXD
zyFf}-Zw`LjwCpTxY1*mXbZ-g2qjdtq_H@8`qkR`TUa1}8pcX8Zq#JNNJfU9v!8mMh
zuA{vmZ7hywSp!#gtE){O;(F@}U-Pz4bq>9b1O~9vDP7*hnLT~!Wg189kUheP{8P$F
z9GD>qkSIecp%b-V;}1>#09#W<m7>~d4un~SZ$>rONv3oQmQDcq<>I{IsW8z=SuDtT
zN4Fvy=dUTPUmB07sbw22!`y`K(A3^%^pPpFn!ePG1o53{GZ5k3-qprvnRbXE?l1)_
zy}lycT1D6K?UTc!CNTlrp2w1Gl4E!{GK5yh<(<vijrsO7uj-r^U-B|XV{`&~NV_Op
z8BGhd_{V2v;m6MR@PLr8a@8OM&`DfABPk{YrrCx>M#X`9?i6m7+@im*h>vv*3viXq
zOC?oDM}uZ{vI#ik3tqZg)TpghfQ{Wi$=9Kmw8IH%Fxic^yhh={2_hN7fyP@@1%+xI
z`-%Nm5K{#j%UKdS$+7!KSyhb;ev4u6C9iY#KseK{zb(pcf;pF+Z$s6aZ4ca>94dH(
z@K-q9E%|`JMyJb3v1g=YF<^-H*p0%d=ZXj31#=rVmMSQ95M+4{BkA!csi20FmCZaB
z>EFa2{SDyKjA(H%<Rp;QOXw}Nc=yxiK|(NDB;_iF#D!s{*#4PyD8?C6iPvuox7$8R
z41w6Dk71Ad5A2(06meI&)WZw*SFKtjU{4hY>&qz+8tdv}w;N-1%>RI-aqx86uTrWD
zD58>QL?<4@!D_tD<&Fb&9MH+oG#&Ny?cSY+lqi#q+YU~+b;bK3<l_siR|9ks%7p7j
z%Ms2R(oZiYhK^*)E<Ms{f}~^%=3k2-dtwu>fLi$6FuhCwGTcM)Q-?8q6lRtyQQVKM
z<V;SP+~MRxJDKiyM(Qtp&SnGGsI%u9Kq1Yck6fA*T)uJ^7LH4n(gAzf23#Og>&oh4
z3*k(WokWQ~<t|OcEY5&0rSn^%irV37R%Mf#W~w=2r*+Q#^hpz%ve4?WizSX6^};tR
z*f*?e(XH97`z|DGkXFvtWcP7on4{cSaRbvJAvxUZ{FDn&>nF!xbl$V3aHufs$WqHA
z%{85g8V>O01+%#`ktd(DoH7acIop%S`!2el`{M|^#5uCoiEql!_F**a(>(8nC5K62
z8l)_QTJ?B^2S_p-rI%^uvzY5H?f9xZVxzTXOlJx53>{65gf;3T<~ekF=D~`pl)GiA
zFLU8@VSDUz?PNm+RVP_pPajGYVt)wFzmq+|-^30rpP)kOEJug*z<JUJ&3O<eEWH_T
zn@#8U4fO8v*H+`Rp+<7x-vm<{SZ4sE_s3hkmFA<;o@B)6HpcM;t%HCWes6`@R#J2q
zL{%_|@g|jk%B|Sq0IGJ!oUWWc)PsY->vUmuE0SuazIBr+ioH{2s6&}AyVTb~gG7l(
z)F=wQm{Z{9R<Alou|5^9dlF=zV`LX&LciEKOmilP1~;GhP13hti!E2*52sOx5NF($
z`*XYIV1X}qh`R9h%N@-7pkU^J=ZZW58W<w$XQS%U4r?ETxf-PHwqllF1Tlv_loDRJ
z^Yy;RR<fn>Q)ZvS)8Dt>&qM)8W{)$z)-H&>QZXx@6mjH_HP;mFMr)&LVMfSv0i+_v
zGvXL8tc#uZv^Td6>Z2DszEid%7L~dHnfR~YLoh#i=3YFAf$Vf@XZs`Mii%<&y#01G
zY-=ko=_Otx1S66%9pYFR5X*ih4XxD=S=4II(sVNCGQMT>mBK@<U*TG_YULGe6C~u`
zx)ILXsEu+j830ay2PFo7ohwM9oUGS6BMadi3haD*;<os01x{#<C=9y2Zh`oojEH6(
z_+@N_R3?Ht=FwOt+b4W*;-#4Lc*WW5>E$EUx@F?{hd)p!Ab@j*kkr<_7`u><+Mrem
zw17oNKkW@sOCn8=E|C}wtoEh_7!SmPU-enHdec!bq`s_{AA7owT+ix*ggu6|;7<b2
z_}?sqT{|3#4iqVw_f2X#S_s)qQ@nq{+NQbS(248YdpGba9*hgm2q1vy8ChK(&nNH?
zRsNBX;^id|QHK_)5i<{M@4&|wY<v;03<_3aP;;8x#l8MAv*f~w`}xH`_3!ECGS~F|
zC812D|MNFOJ*C8vUnXyywws6Ci`1rYn6Qq+vr}=06zS;>q1SV=NN-1HnqrCuz*|G#
zg4TjfHkI*(c8h4FifQFQS^(@}SSaeHq38oV%uNi|*c_njRD_>90;&Eave1ZECb=`O
z({sv!%cPB?HqgG~iXT+$lMpmq@Vs=^;z81LVKwwVf~gk(<-Dq96#@G7T0IpesEA|o
zw4RsS6iRy}g*c*4lv8z8FSz-*iIs6mBIPcyfrjYXk|OKlpZs^Gx5L3kjKG;f)y9-7
zGZ}7t_cAwq3ACx==*xdB04}WF8PaZUV?Z@YLF1P;?HcE)PMvm{HjZG&Jo{bWtV>RQ
zA#B^#^}6dr<i!ssY-=scpCnH;-Q}N|TtL1Tu<yN9TD9e(^JY>L*2={gc#?P+DJlyt
zbbh%P5Q%np$Ul+gERe6Nf?!NtMkg~7BPh@k50JgsBjbWQ;aIYX(S}HF2YcVx<tFyZ
zY9xvRDI0t;>{VqQq3bN>bQXpP#Z-e;Nu-C5^*|+9@|{%M;dJaKvn{;>_!mFq{zlgD
z%NC7ypyKOZ2S;RzPRE)PFqnIna-Ir(UM6!#owq;16aG{`V^ju_bJ4f)rj6=UYo4MB
z2x!hj;7c8lbq-p+0TJ5Wk1b@*hbtuu+WRY+ukXl|ei~f@&a$s##W}nlw)}6lqk6&N
z^7VOge=i|mR3p~Sew{Rree}PQD&k({9MtMa3%X_nf`n*}P;Hjxt^&(g?jp~E<J5m+
zJOu-$(}pj-$H8>`0q%1bu;>i09e7R#WOLnbLpn|sbWd;G#;`qwZ_}HE1wLQc?4)DS
z4TX2GttpICWrjF(sWr=)_JoE0)oE$D0OY8?uI3mnT5f#H5?P>{GdP)>9bo3gmQm*8
zX~i6?q`lO{S;NG2;hom3Q@a?g*gx5%ErI?Q3MAzZ|Iyn7X(><asn@TlX7Kt7*oQ}4
zAK4@su`x3VER2^sXOKSm_X1pQ2w_`o;IZ9`u_by~DGK3@2N_+`aU#9TU!3rlyMzzT
zCLk?pC$p)>vL&Lv{4(=vVs${1uV*lc9kyq8HG%OAoA)6A7OXLcMo53Gooxt(xsgjy
z=18cH4-97yQ(cUIif3L(vlEVfFW0y>gdcFk^!5JTkgdw^W<<hba(-8+^?78lT^&Pv
zfQZ6FvuRgZwIj<x@Tf^d1|P9tmYbZ73N8`}!6@?cb-Eotz7h1|m9!d;p>TB)+WbOZ
z&cqH~fOlT+!6BEH8odjMH6R_u8V}-ACbe58-@C_97WaPNXOI<n9(NVl+=^OfBRaf1
zHk{(~>;Am?1PD{!`_h2k#r-hG#Pd%Et-^3G%C2O3=BQ@k3(Sf!>m?a9!r#t9$}bZ<
zD5+2)AxJ}ObdV_}*z6A{Ux51!lX83~r)IO9_FdSTP*<h<+zl%42Vp>~TO0g8X}k+L
z3t_FxFT5w$^Xb{Lsg~gvt^~n%m*qhrrGM@$l6q}wA}?K|IzZ$i!Q;WP@kw_$j)l&Z
zZ}e41L>?;jGl$)$^60cas16t=IzU#5pB%X3LdH4O`$Z}<LRY4ojCS!wbIVasW9DIW
zU+>WC-|Uz*_S}+^WLXt)a$*03UtrWgE`O08-qr{wU<t$m6=F}(`bYwWF57&Wk3Srd
z$8JKm#2Xg(l+xrNI-X7K0_yx)|Dv^R--I1Utr@=>_;--vF^#S159HuC@+d<N@NcZY
z#wT|FqJ0?YJSVWtJ|aMJaeBN0=?7yvX8O2<QTp5gH1Xl8?#vq*V!1HdTl(ztx%wK1
zBcBhMNJJ9do8ldtrc1_>7m(f>+}qjhco+xqf+~kT)56#kbSrkSpjF#Vn4BIc$po1S
zm2y|VXMO@YIm7heHCLCkY8Nw$MfxCOEtc6i*c=n>%t^8G&`C4~p^;(eYYv)bQW+jL
z^Y#xN|ACg1*PX|AFW&!8jYu^Rg*6$_y(S3`uhM_w`Ww?xXy;QnD|{(f8o@>ZCj1*G
zVRw46T0t5o<iB(b0{#Y_mtvK(PO|-L8(h0Gqm6HtN>amdU!aeJEUZe$5inqLPgjG*
z5TT^I4%Wy1PHCP`$eCOMQfTzoa4(O$V7A-n8!H;dgev%?(aJi4L*~)C&IL#*!LjHm
zI;XNBomuf%G4bkA(NM<Jr8|#H{Pd`jj>x3W2(6x6w5dHCiBv5OsKJ|;5-SGkGzG=P
znjZF3JIM(!eCbl6s<#lvH$PghV>N&5H>kM1VouHCSY0_0Tyc5ndrj+B9&74H+%LcK
zy_#UP{O8%Dbt#h^f4nH%2(PliDYlTgJypl~ubtK6zzcOA?8;l0e(uapNrN(u|K#Z7
zI-E(Eoz-Kka#{PSqzYVLSE3)A<zd-`EkSD8%lQ;VVvOgRUl1;>RfI`1+y@TTrdmU>
z?bmed9OvFKb9EveZSYr!1GnNycYHsnYHIG@7xRhYhCH<D_O>J<&Ud9U>=Y*ST~*&h
zVUUn$dEqrcv;OaUDZ)WvX`RN;Vp6xA09u?vA*9dgd~;^mHd^{~>orBj=TR0am6^fc
z-9<cEmSXBEw|iXEa6>828YFQ@zkpDskJuUzH5|<QYsN^VnuJwjVL1K0);HD00B|`N
zon%{vc#(wn!7$=qIm8C;GM@)GJ73=f2RR();dCA@?Qac;dL9-egPiRD$ZUH8aOw}m
zoa?E?LTMzEmLN?gZF<_Si?Ux?VXK3C*?!ms;iG%|+|S|+g<zQu?Swx%4BU=&S40X=
zv0A~^tqa5ipyCnmcO?gI4eoD&WMWEEK)nYiI|Dx4?H(HIFpj@T2jNm)(0538n$|HR
zoWH-qilzDwZ8Cl<4q<a76IYKFMi5WsGfNJwwj0Q9GxCy^+l<C7P1_j11g6Lwk^j_9
zt)BVp7^hqGyhi7yilJc(tuUVz3Q?krgAW6q_!2HvtIO%8eCz{vJ1u@i_MBY-*rkG5
zqzW{ONU$w6N$tRTKB&fTy`Qj4G?V^E?tDJv6pr(-<`ozxvFf_2L<R%#NFcf?qMJ;6
z!n88O%8$0?8wRpuEdGDLXq@y$YDRiWeCcaFz`g|my<lY~)d1`ct5P6q{Jay&iS>Fv
zr)hBxCGwP4Of^+T*+YHy^zf2eKcNP^Ar>=5(c>2On>~o&{)@8@fH6*)S+!TzpKtb}
z7A}G7NIzw!NkJq3DHNw*fA*^I9)t>HuG&t7v9<jhp(F*+(L>6kj{2K3kGEn20crZ!
z0T>cClRwKMlxL3s4$FhBIFrewR2|sSPSC?jC%lC-F#kkk)}u7z1-Jf^O(#2f4eS(u
z))^hT=>)0WA=4C0*aT5X>RRWLv>s~ijJ3g~cT^|SsA<m@xf+V3VW-!`Q~*5aAd8aO
z+e(O7#L&r|QP*dlY8gHlDL%H(;1qa7?ynAGGk!(*Lkzq^vB!FSw%fLtZXS?FA22VH
z#Q*{TW%kn1m<cK3&<0H8q@(T0vjZqT4zCXaAjO;^JZ1o_?-R_1Zlec$ub9v>9s(P#
z!Up|H9Rl8%;urXpiSjMu3+~og(2a*4s#%V#Xj1<s4b?FXq6{O4>WUmV6L>}@urU3c
zb6`zz2?Eo^FP&v}xqP1fH7e(^r#gdC_4*F^fPl~1<~a=dPfaQ#gxjOIpi^2IxIqL?
z@ZH@{VfsdC+x~l*#%c&a1qkkxolseGPG`Cpj-IEtpD*}LvI1Gq)r##4ovV3Ts@`)R
zLN(15YeyI<S-fT@U*Ja%UfFjV3VarF9>HF$CZ&tv+&-2F0+3@Aq1_lC2S3wC+N?Y#
z7PLz~SbMpbN$QOO8B|eBYuG?-we^Faj6=<g;(koCMR&!U4p9wxD@d-iSm%pfl%$@q
zg3#Yh$Pa|<sdqbUNU_N!e`5zjZb=W4KD@gjKFvx>-w*I|ZTqD9FT+V><qU7LMUR)*
zC;t!fmlJPruV#p*#eeQ)$(DNLv9CiFU7_@IWA=CqXJtVO!+CNzHyp7vuGkj9e3RtD
z0KAElRoOk&`Cj(k;2@Aa`G~|L)!j);vWOqpM*)6<%-G4%vIuUa&4Ug~lyyN1Ko&ld
z(pi!~JC^9M%Drc(b?m8My@~9vtS6nw&$ng#&`_P#hpDa#v#U0u{Q@Og82L9<GyrZT
zndjG+abDQIX78kReIM*>^97;q(i3=l+YEfnC|)m@<x!t%=;N{_f5j*)iU<Z1JYJ3y
zHEhlU=W*QBI{lk!)EUyf(N&f*-soov+6(w=ZzJ3Ol*!r{EfxgQ#ZU4`0ch?oBlu@l
zo&O0&&GqB4X>&BLj*Vcq*$W9An5Y9MG1VxoMnG9NHQXK|(ymC2Fh?~2%cD?-(tMVQ
zr7y2;gpe+M>vam)_)mbYHUv+}+M)URpZw5odutpErJd{;t*HQIP91tXgug$%20Y3&
zO#IUx|7{`IRmF^`qFuWfs?iE`SvrT>0TI8~=CCWApNSO{?BpvA{PdA39$F&CM&}XT
ziT0k!ETqKw05`I}i`_qty2^%idT<m)t_PJz`Us?8@&JC+KA-eWQGwu7^}`fi2X$?(
zcV44rtc-1oEPe)~uWqE<g9;K#i~K{JSb*X^Tt9f#0?*N2S(WxnhU@<^xPfSTH{Fyw
z)ejTV&)p4R@W_Br?(ACJc7$wdZ_DvJ1g(2jou26cRS&51;#O_-Uw9>Pws?bwJ6uqE
zinK6^DU<$eyhDf}T+drjuk+2t41%hmc$M{vb7*n)8%^vF{{M)N{|;1ip$_{T^%@5*
zIaOd_m^aYEF9UMwmqD;Q%qJL%a?5Q0`;B@_buWgT05L$$zu%nVK(`p1qQgg7SzV58
z9=nC#7OtI}p_sBWnFcy1av!#cKX7k}6Ej`uG?;?upfeF!uueSEJj>FxMT(NwM*vJn
zAzLjzt8oJISPZ5qxlm-o8BX94wNZH`ZKRl_%@FK@q7g+dRo*~UR5+&v%AV%{O$f|y
z1dT>bmtdoFDgZ%t)lEu->^+8=w0LSJQy3ms4Z)SRC*z9CVF^8-Eh28R4&X*xNcC=i
zw?ix6bcrE`Kg;}wijZ&^{V&1#U_N}9c#B4oI!u(S{@I4k5Z6*T`NIh!9Yy+}szrW2
z-=VdyK#I`9E^awU@@S=I1OjmdkjFlaGJj-XH5`@6KF<@{i8N%uPc++5(kIULby$_u
zZr}r==9`i0qp{tsAp?uhT?sc&(h@4((jFBuyTU8*7U+3TmI(2}jOXQx+@y&Q<LDa=
z2oHWFn__@<U8?ZxW!snuWY96f9yPE<kK>wVW_*<)RB)n*Kn9jTz7z=zE7vA>Kx<l@
zAu*=-M*fZWSFa_})#w+l$YfXQm}qKWH?Y@*|H%DpD1NE6wb?3=L4e2358?>gB`e8O
zIT!}l0hCDXP*}3lIw@$Lq)Nv-RwPTJ31d7YcK;RC6ir9k#BWcP@9BvAq_CM>#IF{9
z|70{(-D0m4@>2?+XpC!J5}qp-@(^cuPZoTj%r5$D8I|j%l6>TZP?uHT7@wFF>xsM8
z<Vf+^$IHFi&{qWl;7-0G*%9^Yg+Fy*(@8~Gr)#TM7qYPXM2)I5G9yM=te`oiZM@>>
zsY!AQN9QB~qvFE>m&hhmg#QX<9`wGbP-$8`EsWzcgyzt3wO#?BYI3a{8eu7O<-6`E
z&2ga>-mLmmToZ|RF=Nw8p!g6V2sS*fcl0yXKhgA!a(>siz>frN4d8y1i6qR|T_hT&
zcGQ{$4n8S!vRxk_OQiXr9kjA7u2GYNa1xu_+LV~^&x3s{0MQJlt{HhES>D2H!aGb#
zG~-NB(W2i`s|y4q)xUoiD%Z}dJ0wFef4jK*8|x#>;}|iwPk@Z9kz%?Pf4j3TT&%vg
zJAd#E(SA>ymoX9VzfE3n5Zdo2Xc+8oKSHbsHS@L9--0E#!Yc9oMJk*LOIap#HW}=j
z`Wf5HqXVbUZ=7PJYtC-aq1rKA_Z$I^_S2+5@%3ens5&h7)`VTk>0c%ZMR-k1540O5
z|J%4bHzu{yCo$FrQ7fW5V(G+Uz)1lI3P3DG0BZ|=60a{;$1#;2QJY&;CBToO)%9!g
zG?qY^e&<VM(}ajyF|2n?S$mAO{eZRS*aw&^D%BA`#bin`DFm6)7pvoL9G86dSY{>+
zU8|{rt!o6FH2pyuaXQix9`Xre$IlCyXFR(bRLfV{7`CxBrc#KJxOi>zPh_MC#f`4V
zRl|Mx!D#S=f5-c&b!yH98*U-Aiyx=9R%%Ik=UJUDwnS0z0QVR6TOw_g!$}ti+DA;(
zi<qQmeEv6F*~Wmt^cGWI6B}|biRid?_t!?{o}ycC_;WKu@Fd|(i|e*C$c*I9q!t0|
z2UFX&63rSsBl}S+4Iko_#xoC-1yau7E3`Z^<o8-4{o=WOSVn-r;L*!{LVk^%5+sJb
zHC{8#US&qU4g^1ihhioRA%bJ)c!}<@Y=>|BcLKAirk?<EJyY^XW6u3yxFiIT2BvD=
z^E8r*rOPAMM05&B#zm~^eOo72&Yz3MjBXLORL!TRn$3XxT8R=dRz%8xxupzjgUvea
zOzd9hF6neyiA5RW%Cj4AGLvT(wVzYHYq}GMr;1Y;=S^$QZjtaVb%%F4pyo}*k>Mo$
z%+M2+zF(MC$v9EJKEt}#m8IgH?PQsZj(?1iR%}0T4D9r(OTw=RF(^mesZw4XyDy?C
z4o`?CAX4Z)KV9q0k_2PItaZpJV{(^!t~}PX?(J5LV&rAf>0*%#$Hyme`;7qmMwiwe
zIzsT1!hGdH<$iS{6lvJ<OSPx~)ccXQ^LYTNXR{2cLHjKql{nC~;Uh1@p_%LDYG-!%
zJAoJ^-e20e-2U?{Eh7rUYGQpuu_O7%Yj~ez9BU}+bbNY)KBKPNq==}<Gui)^;re}-
z8hW=8Z$4tp$Vtav@(vw|WnO^+MD{}_BY}_7T9F}61LwT-G`R<9=E|fUF=h}$#T-wO
zVEe~EYB&+M+9D_q#bR$E;sJNcm7<VrS`x}D#5>9c1IY<CO^H<6mk-(9Lcb|9UsSJ#
zlVWH#Z~+00QCDRqZo4np47RB=b6l^@2u7v;QJ|f|7)W3OfA*oKa0RJ5qYwqOtQq0Z
zMoyZrp6dB^F#4uZ1uvA==VDn8Mj~I!4*y!dxRo8RXOPFyO}0;OL<&0_hnqUa#lE^5
z8!Sdv!En>T;T8|r=5^e?`pMv$fzU?#q2{~Nv9KD(S_W}<;jf%`Q+U69B;IFpCmp~7
z%fQLKi+&XrwGH-wF^)*@<5g=ER)DhmVhe-Beqb~PHXQ=w$C&>twYqcRy~FWJ%rsRP
z`lTu%mh5O{Ysl%AZWJ%*=_UZHmN`&zeN(G8v~a8Xk9v=em)M$LKiZ(M0;AJ9eUpLN
zHEWW%6rlBw??wh|83a>RbZEHWX6+T696tloo1LW#eWUM%FwRR~kB}Im6GrN6z+Z1`
zxrR&R5WLx;Aqod`48a*`Tf`1L?f(&&1ooZ&i|<ZV)pE(lJV98EgY(Sy4AkzZTO^yG
zwm^c&%0O(Ma7myX0-x@P0Fk`!236IZ7b$00nM+DOw4Sc_-w=GkpN9N5gxYGfYld6}
zaC%Z<0G2QEkM3KUh=!<@={@LV9(J%BT5bDk7$4cRbL~%W1(???a0z9T{jnD)WjJ|G
zngIo~42mLMitD2tOGCg_`<Vi+a#ooZBvRDL93uO#2_nVQ-X=~{i;ux%iS3OP5wuLH
zc&(B(>|h;r%g)j@&z2HrkK~Yf5!G$lfh_m@zGRe&1~;H3x(SnS?mvx+#u8s`g5t4x
z3vQ`1HU*)nWzn4nZ<GH+H}L3={yHzH%_P{6L{Z;lAQXpkZ`Ghj6_b7yAfD{$7HN=P
z+PY>U3rKk&wVG6NUEy^hL;HIe>cia&%R*T>w)m%H@97AQ{pSpe+%}!Tc}X@+L}^d3
zX9nCmMfzV2mcZ10F_pS#ISJuk>H?mab`Ko?5lBS{$4~tI;)k82ox&EX%7a(4+Q_vr
zH)_@Bdk0VnHZlWPOsL<$AmqREgG{0QVFER;xZv!fD&;*&($<H=r-|X&kfgvscMrYt
zS>q0GqE7HuNw5LgnCxRjzlHyqd!z@j)_!}(ZA5J{M&{|FAy5@-%%+(Y$2`JVgHqvD
z;&P=v&FGorW2xttQ6yex>6ALiWVS2w%rp$!D`^V9@^-h2{&}&nU87fU!hBsQM{KJ$
zf#;Ip+fqsW`twtdvTwz4XbP_!H!ceEm_RnHy^mMiN8t!I%EBOjd*rWbkjxDZJJ;x~
zuSU9IxL{m`7h1zp2e@!kNY*r={6Bw>s_<!j(5^Mhll~w?Nki{P>JXlINhms4uIP<+
zeflTxs+ubxq2JbUd9Bh>F-Iz@hiC=3rDSjCy@J1CGjP{&`o=U-{mi-{6bu~I!>q%K
zj*tEU0S3Rr$`KWAWXX?Jl>N7CInW`hmyR_}smR62_IR5&sHvwMu<fmFYiAFu#Ofg=
zM(p811`I?UL5Sz<=-<<{t|F48b{IPrDj_U}Dfq^QuO+IwsT8e`D5@lH?&8d9CR)!{
z$CFWdC`Q7`4)s5`EL%IBUlDp6@jZ?kRVWIUa;2nDQ5FCt-wPba2PndbGhLVOTne#=
zD3KUzgA!`<AVq?UJEiW~ETsetFbY(~vr_)_*NLKwH7ZSc;}B+KMB8@>Y7=ZWmLZYu
zvOtu~vH}ua{A~u-JI9xCRzzM}UAA=e7jV%@PBo>0@i(;u^cd1Wsr&w%mUqa?7+;2&
zO!IWhwzD~0>~$jIZ^|ipAy<9`cXd4L>6bnES5F=8z(qsoK}JkG%&vPG7-H(SEYmq3
z7n_K+CKLFN0eihn>9(!se+eyeC%FAelUAB3nE6uzpkl^bf$pHC0K5k0Uz%|&kkJ6Z
zYvoc66aC9^q^5mm!6(oQO0{xYYIs->BZourI8|g;NBv@i&>V5{eV-HU>TLe#6lDv{
zfY#mlx`M)z@Xp@A3MY<7`(vj;VdSY;`dn;0{9l(urRRpMG7Fvp3sr!uKH^3eH-02a
z_LIM;0XYd1UAoPwj(Du{NOtq56~=A@CFEG>5$HAd38ws;&FRiZYitf5ytK^oEl#X*
zuW)2Zmf!;-^w)(%n8OJSvj=#HAdvw|!YgEZ^XkR=7IQ_#Ws9Mrk$4mErE(P7T8Y@P
zVt208FP3ES6H?11OX*iq5&<UQUquZYhE%cI$zsmiM`x7kiHTXm<x})*iV6b2w=Lw#
z%q>V|9^xO<%m#Cr<Zq4xik$mXT$JA8l+ic4W%j!<7Yb7h#%frITq%>zp!ATAI}ZKY
zShc8g%v%CBp~>1FAoW2G_L-5a9AcY<zMfSm9uaHjRpmci(3N0n-Y4XCG_QE^VFaHy
zAi#L5bHdNPOINq4;lhTb&WPOF`CMJv6^-y%+$%CQ4*UrYSragQipBbGyGVU-GV<g!
zeUSwlXfEA`re}EcX%oBoxUF35gH(+`!y9uH6nU|EZ5q8GXN(6f#FKSDQhHF%Ahy6s
z0f8Bc765}K-~%wX;FGbpWTcP<E+<;G$IKD9Q2lYQ%F9f#vU7;><Pk=(bPPV4v+<wX
zaAcT!?a*9Yom~K9CBF<WgeIt+THZy-LsJwvrJbs}#Q{y5?La&h^_f7o8PI6teP(fi
zV0M!`H`+9($fe=0?_?;~W&;;`TJ!3Xc+~(xN(1N+uvgLsnH&Z^I0NEE0hX440@oA|
zcY=Kyh38b~fpHaeQSl?$IILSf-nYI|E@G<08Gv~x2iY&`-a0R{Y&5s(nOoap=o@oE
zjojmTTd1FsJ~uFeNe7iLT+5YK&esn|PH)z${CodG31S6lu*gnyrJ?y<5G<d?+%TZe
z?nuHq;Bx@mO$y_xzf;214idXyY;hSPD5UN}K|saQI0(YKDE4AnGYvQ1cUsK6SGdX*
zwqTInXDIFnj=C<9K-p+2E~KeJFyM>2^<wX*naYIy1f>|*5VMKE!HU;e%+1bKRvnRN
z(t{p#s)@27C+og*hx)Z(x_MtomLtiM;LY=G!*$R?86H{_XTqC9>HDHZ!8jymwygdQ
z>kFZ~s!gzD>I;mEh1Ena3ied^dRnivmmp8x7dpz2M{Vh6;BF<M4wP?R4<*}m@{as1
zb%{J{nWbabPJ{{#9~5QGphXYk$prZGU||8Bw+y2BS4wbwwq?l<d6)mv<&QRST8jpI
z&Jx2SfM-fcRIXJd!oaa}p5tYUM?=orkwulTiH73SFl)_Hy;RzQ`f-9#UFG~O!Z@m%
zW}6>(4QqYSTriu0)@5=*63;%uqnRXXQcU&8j;>}j{T7y#Suq(b6sHU8p`V#UQ-C*8
zQHb51g-1kHy=DL<b1I6^z2bL}O@9bym8?-n8dyw8FT0O^)rI@p57J^>uU~5xLUrrD
z5-M6+_=Zx#>&HgJ+Jo{@M3@Kx)~wteLy_73hEU*ZQ#kU5eV@GYZh9>1EQ*atl#T@j
zdQIz<C}t2edrE2}0yOiP@ppq#C=y9E%DgU(t>Gq$cL`MmfMuo6cty1LK_2UcAzj8#
zqX5^gv;`+>7fi)eo+5$qW8HG1%4tzSClzD1!#i|@&=oLq4;@;rzZ*kuUIbq3Lqkc-
zpG{JOwK?UdVYI;dXYRjS6hesZz@?+)Fvz-5;3|HkJ~*LWsp(vN<a@#C5@sk~D}?F}
zjr+>0?4XChrsBgHpbdWFw^|#=`$%c}ZUSN0nVujUhH8bBt&M6ydL>_}_S#j(;D{ES
z1k(WQg@u4PVidnyai!l%OOd$8ZXwg#R*agFiGhp962hy|Md=gE_2Zmw{M3*&sw?G=
zM9a^GY+J}#Jivj1Kf~Q)q=Vt5m7e_R5nVQEV%#}JPI5!WB*rWj09@{yhZQ$9Q9>kg
zMh*u?lY<)KpU(|&d>Xv=#9MfkOI!k(;80!UH5v)7yn##I<};&sTEmS^_$}V!f<a5~
zFutSZxJ+wbE?lK!${t=cY3b~=wJ3tIDlN&#0FB|}e&S3?h6Gv10{l~UC(_DZmw;aW
z$~n=2APesMXUnh%qZ?=`_!xboATi~zfvBvXV5rIvxc+iIV1Ej$!6#ta&U-z|J9_tq
zCEH+~PqfR3%z9pt)#yiJ9-4Ah_evO+D_!7`w$grBS()i=HmgYyw!%rW7%lR1tKUnm
zJwZw`KEXhFaixm^t{0w+<si2;wSxQNxsRhuW*}DXOfHEVZ6NL2Gn@L^1=GqNDzAPN
zOAw_lEk=_;z{bMIo&#L;Sx>^=pfPD*6W|0>9u{1vJ>4SGw`99Bqk;lb!3<bGrizp$
zwYnI&O!RK9+O7eU?#Qg+tE&B(j<#)~y{cAIp$WmUIRRe<>b#*fUJ$x?h|cvN#73r*
zz1fzRUvsHFHS!t2;$8O$i~W3bmN^Fg0*8EnJvSRk5-C&C`vR7U(t{ipB%^jghNWMY
zlUURVL3tkgUyehnHX0;y&_*S4o_2=we|c^0BiH+pu6$Z=`ZeIhPN2L7N~9}Ho#$!D
zZ1Qi5u)%dFjd*H{c58jhv`<?fT059O6;`@Kfcs^lbSmu?_(^tpMKTC3ORaKfK4w^^
z`~9PHK6;f1LUh$6?7L*Oz#B!de0o{HROPl0_{&CMltxVaG2{k1;$JyOnr|UhA<)N@
z$4DE8PT;*6C2jB9T)EHZC$BK&Iy+f~tpz~?XLHy#u&!&(xraRL$-$FJWRv%4l+Yg@
z^boGI)h{Z<DJ5a2UU6eQ^nMS4dJMtIX9Sd6H%G(7>sEc4zWzvEr|nKv?Tu)K|4mlD
zG$l^!^SUciuKRNkv@M5XUT%cahj$?pMD_yb%o4-81U3H?y!QgQjSzy=x4m1PBPk0|
zVS!#@9AHPdrZ7gt{y!V@q;57Ldp<v`Gqor&eL?mNP8Z5NUIL7^{u4Dmr(4K3;afx4
z3bWsHSp5K%?L#*vI=2#JKGcpPh(r+bb!Ju(ld53PUb(Hpt4$as9}gW`HsR(}w~by3
zZ+4pN?ZdlCA+p0Lw@k`UPwy<wBjCiDk6jR)Q=A51R(2pFr?t@bzN+d(It7cD_tJ$z
zJaP#4c`)&Fw$<Go6<V)p1}R`rbXEXd)Knu(&UZ)L2*~Bws;kHi1-zr*|BO=GPBoMj
z(v8kW3Z{E1^JJ6(VuT=|VUR}8kC9z(nGL)9G)gTHFKp3ijYu-om@jGMsNYh$A68p{
z>BDf+o1a!T#%dCQVCu$`wbHrU!`<*TqC4eI!SSGjL|R?oFOrJH&>QkyEmOEzM^WXV
z>wN&D!|#&$w)r*^8V~+LOEGBO#z%RNyA2@rB;ZB25fqDAk%FFxln;K+wTyw?m4aG@
z57`(bF129xX9AXGUogaDQG#x33wV1d1b;Ew(xKTJ_`fVW1<57M^T;33V9`MHlW_<r
zwk%I3`t-0n0qt6<snqOH1J`-BKDkY8KKq&1%5bo2h1>|MNW~q$17(%-05nO8?AkHU
zUSI{8o&0)@-(&`l@E~7E8rF}rVn&U<>A-U{N&M9?V4hyN<}(z#LIb0T15Cf;sqRuw
zU`AIO?Z?N3Z{=}#3hyob88~THoW*&R0~KZ2{|iP3=~AbgH$ZkTnTh|w23BOc<kJrl
zP7r!$;p|R49O|zHxX+kD9!5i*o76-1n<QikxNijM_f8BCBJQ~S6F8y)wOEtWUI9rj
z5UWVr%w+R5W%QB_oc6`mrqzRI#w`@CZ$ROH$<gax@?2IEB@Bj)MZ=wIovBhEQvdKv
zM?wcQgYoM}a7Aa{kXO-LAu{bUQU!1wjVMXu2CU!GX>9Q7n4;vkP1+UBh?lR?+U>UI
zgLS~HVO7Kg+*8QdRj!`q!Z-^TI|q<FZD|<dkXg?J{tNW?l?M|Y*7K%X-X%83u77rC
zLR$xnAS}DW58S=ZYD+Y!H-r^K$p4|vgJeC%0vJ_w!h|!{!6vo=WtD+6L#N`D%~63$
zZc9PC&-U{cs8g%tF_e?+n@d&daqzpACH$DHZrinUEJNcGyF&n^3FCv1$Uq<2acQf!
z3pLVbjNw#Ig-wL(=#d(xITD|UiFwiTAu6eqL=+s3VH9NX|4MxQ^m;z>RVU}ZGX?|s
zJ`frh>nFS+vuJIE!R;=^`4PoGN&lh_ff+SCf#f;z=_B9^E*-+$9P4Dtl9Lp0y(V3+
zY>XCp^ZjS~9ext4?D7dt)Mn8%Q-u@No5j>ci0R80T__v3GAo!8>LJ#oWcRk(tk+<^
zpR{z-wIbOLxKLu6e-QGyL%HegV{OPlZ%S!6l`Uf(`^1-J49A!xR-hx*xn%HQJI$?~
z=%NJiL&_bgKr_0#=8-3=yF6p|J^K|@m?ihle_OOey>BVFsS`Bk<m<BDLr_vce0KfB
zKTzdR9fSJZ(~nHkyNN**mYZcN0Roi_6%0GQw)1QgQ~-Y215!ih$MiQ+!D0C9nJ>>1
zuq+oSrU(LujNS3cP}oflGnw(={roafr$$7i9(7WfJn0<zw|Avi4`mZ3>>jV4$u@VS
zlK5J>)n)Kf`Ng-bE14A~K4DSHcT*ews%0y>p4q{?fUB^32-~=3=A1G&Gwg~0ue;5f
z!~o#FT-I41*)tjAd3wO_>U#p3CNW4vC9$ZJ+C2OFZ+@1}JJ#2V(aA=wZ;b5Jx<oK?
zdMtxl)ha{$Psa+JcC?EHm(+soYyGGDl`3J+9iETGpFKFop+qFXV7>lHqaDmNNCI&c
zVCk(`9xNqcLOK^4(VZb730rcUv0@hq&m%;+E1<L31Ck3|!{h9aFKt4ajLDRxbb8_e
zzo4ZE;=A@V)|4mD?r`Qbg>?pA5hKC)XHOv~Lp04zX>sU{<LtvmobulL6cYm5bsndb
zLn^3ItvO*1h~99m0xCw??#v=<asHBRjnLeH%xt&D`_baXVU&lW53CY&J@(fgu=faE
z!PoS#&f++EQXj*sP~C)k68*iz!c#@TFtLPhQem#pk+Rw~1uVL;^MtSUr2IRD$Wwlh
zFd2SmeqWVVSg410ZKocBZeK*8`s2B3?@97LJ?gOBn65?>?Jt5rncOWhM_OVG)6C=u
z2kb1!hUPWJ!~#Y=n!p*dBcY<&MH#hhf-lsa(4X|LOg{e2mCcwlZRRxKz$gJp-}%nD
zMV5*2Cwls)r&h&_ly5>SJ;%$Qx<0cLv<>BWE!0+0v8m)Kp1EPca}MMW=TKxUfXtR1
zIQvrW>_fFi)E~g?Eo6q`v?G+-wT|`p<!MnJ0w0Q0R!E3=bJ#!7rhi47{HNpQPpXZE
zQ>%8!GgRD?A^M3gS_<Rdty$0IVFUk!9Oib35w#(k-(A7Vho^QK%twygei=u_wz`Ob
zLjT_9BGCUW&G;3JQTxC-2)6Y@6F=A2wukMulRvKK^HhXEgzc;iB<SzYgdwu?O*F+f
z2b0o6FO<Mw!&t1VdcFE%J7+Y0l=^zmXsN$R>`C*b{!}oFzLEqXSc1vkyuyL{pnD_e
z;-6g4y@9?3!ZERDI%{RGS|`=u`a7?WBL!b;bW7D9GC2v9P4Bs7;r^$5Ew4l{n1tLe
zfJm_mwiC!lYvm!dVgaKck?A+@Ur^~>RH_5GNu98pMx*WO_%%ucz7`BF<C@GkMDv<{
zskcsZ8ypJ|8qc|Xwh-Mz8|C-jo)06p4esK<Cc%w3n(Bq(ZzI;Mj0CsFQp?Bxg}|U|
z^dPMS|GU!>8s^7bV^x4X)uai(SCTNKbq=EpZ(REd1AB(BD{-aVKJY~;PkK4kTBc44
z_#i$yOjVC=hI|ZK`Ic%1=#V)a!kb)CiZ$`YjaRR$<MjDnkbzwyv7XpA=e3dC{=T~^
zt~0s@k4F+c&?OroFE(GL@hv0ihkSyMQ=G92OFIr!U+UE0ITW6v0InE^gfxow56W`X
zM*<U;Qkz0vi(p%%8sEsHIg|g-X+IFq`S|G{(u#K@?FfGi(br5Z($K%fZC}2Zmka(>
zG74HbfB7}u50{ne{gfK8TPCJO>I9&oKr+0XOHBLV&eqb$5r!T%Bnb2g8aF2`U_jPy
z@?OY7$kFi^+>Kx>OY4**554iPhR}g^Zl{Wev(+_2fHlb|rBMI%<E`&}&1e}hwPika
zVMnQHlKr)mAB+whac~YQbCiqKgd=@4qOn^2>VoyDvvE-s>DulAUt-sW5m4>1<&O(K
zAmE6KZMk8?V@&d6idu)i>%cZ&Nk_(Nu)XDwf_UmrFk#8gv20b7VUj&|OA_X7cqjlT
zk5AP5qO4zWMIZorfAXLOJtzVH#96Q*j#(#AtZ%iD!W@eKQ|D?{P2W9<i-vKFDedtV
z+a;d*edriv1Qa)oaV2#9x8d{)<G4BunCt!l0!x>PGYomoYW4nBSoT<}GJtVj&(5g7
zsVqEArN1qpWl%AbL<{#6kN0bY-~x&hGFW1{oK`p|P8XHBX@E3VxDg#$Hpamo_AWo+
zPc{gnmaaR>Xt|rAtIQLZkJC3X^{n|M!!@N50SU3w+(-a!`AY!Chy#hKIj#?<g$V93
zkLn%hrXpT=gd?U|%&8xe4yiG&_^hxUcbfXAwNqN}M&j!|m(WDEyP-YOsVE)Co4%M7
z068qrl;b22X$|<cQp#ZM!#~emnRp&}PY2&b*6DgADd061P@EuArxPIOM%j436W(a!
z!#@*0tFtU1<8;i<@{hg_IG$<&kd8Uq7fUj`fHy$Bo{YtE!He|oMfFBExRSwX9+?pa
zP3>B=I^S}n3eI5XN@Qg0kd-)^=qPSJfn#S3Wu7IV<$8t|OCRcNq_k2$vVIi!K?9l8
zp>9SB7RQ}HtGMA{H1yusro>2}=CTUAo9+!74zI;b?4dG&^1dN?97`hJCGU@8ST1E&
z{2VK4g<7((isYd2!YS{^gT>_^2AF(Y)FN`fH3no$;bzGPS{muNo2a>STE}^Lyg+rr
zY}{2r2{5Bz`L@lDH%O6>`w9HMxmS_%kvB#8bN5)qWV%tih~N<W#Sc`v?M&-7e!=dB
z{8do<96VbN4h~^f_jfNd1>V>Hmb6Lv?v8her<C{J8vi%!o3on_1Z#b9B=^g^P_VVf
z;~HqU?dWYG(epo#23#Lm#<4_a$j{`EkZtVs*iFoE;H-`WYbS~u2nECx{zJ_k(2&z`
zM%rZZ{b8=@RK{O74Lw&02Ej*DDiJmpv@qz;!E$Py9NBd|TVG#ku(swvYH`>b(wO$E
zbqLY#Vg6VPG#=3Z|3B^>liD;dNbUz~gawgtNjH3PSW;@bMJ9}Q1Mm$<{^Iht!8h&z
zb^`UCt2fb6g3bNCw4gR)A~XTLZ!O4w`(e#nrE6`sTi?r%Cux<8rpux3O0zf<g4(m_
z>T0llxnJHYA}|8gK$&@{FC7{k$^II?ox(HyW4Nx1Cakn8Vp1gzDQ|9*bA<NA!NNbw
z47YS-9Ur<!DShxjS?((kF0M3skNjoZUcn2M>6}mDeTDOG$FKwobo_(|Ygr9qkI|8u
zo+FTwbm}k`)s^G8Tc-vuMjbfoA--H6XA}8Fr!gG_^50@mzIrGD4*;|NSpZM_6B9E?
zRgvhs$0M|g9h0K1MS$XwK2ip@8IhLlFPU`{z4HSo)0x9N;gfcFskUp}TIM4&6AC~|
zBjfy~!>96K1Ki>xTIW@wt;X1Iny2w>FYlj3R?j7;Yh{6H%^ctRZ*8(QuBfK3i8LQQ
z7|0Zr5nblq!Ax1S3HgSeL119D3J=JWcPu*>93pDXZy%B$Ty^&CXbBY}@N%{@@B>a-
zgh1HfK93qqx9I9ZW`}bY`jOrS$E_IWd{0pygpPL)q^qT}zE96fZyW4?ag1BJL%yny
z(m8PMqJ(lGEJA~LxZhN;<FRl8V>ryDhqc@?P%?}~qYB@lYJ{EJZT9-N`ANM#sXmKZ
z90-||=I9y5l~p}xtypv12EW+cdSA34lVFWXQ-JX?#9*u#c>=WY4Z<3wz2J&Y13I<R
z*nEEomMP5H(R+rHKSp%bkcupF4=X+z$^Q@{W+W<Kn%()fllOTA;Af{SmRI9L2V!L@
zv!M(sna7q$wcq6GRXp}0_3+hPN;+rMM-U{StigA<hI?+8fRP;aw-z}DOY4h&uGuXj
zX3HVhM>)jFC=(a_(axfP;fT5`!bCl~<E&!_VbL~uuKh-}_m8OSGLHfpDGs%4zH0A!
z5-p&jAQQs~iu7ydwK`Cmox-)>hd0a;v>?aZ8Jh2_!=Aq*G=4sVraE47epUNa&LMz0
zp(V7RnQPxo{WoGLxl$&d%l2L8E1>H;3Ph!|;D8GpjU-T<rxW8gLch>tj~ChR*O=3b
zGUwx_qfRLlWt|5%wQ5%(^N){pO86<tgdL|R3@Wb6+shTw_n(iTiP6hxy>K9F+1A)Z
zeBJ03lUhNoi(yy;oWG6`5=sVbJ7@WiNnU6s8O^d<>7IkrRv19GLn9<PMsBS=ZV>LA
zw?#qZeuvW<Ucxb<cz9IJi)`fD&L~hu)(E&n3zZ^4w0)47Nl8xh8EekQ)e%UxE=qFL
z{xxZxIln1hCq5uN%jfpG<+VZ@LhV(Z@t-N0D!;>5`?qA)YI$M6edC}j_(|XzKni)L
zmAEF^k6a>F=0L%NT!QbH!b0`s918kL{n7LZoQx;=AI4RdIp*@oCn5b{ol#)5T>Th_
z+!(fYy^}oqJoRG~Xg&s8S;y>VV3&s%w%$=!tN%p0xtSbvB0>R)Mc9MN9xz6O-j^d@
zvP*LJiD@ym=TJ<1QwxQ$7OJiTt6+bt571F&IRPbf)=~2Eo<G3sd`-gJ$EDd3?R!Sv
zh&Os8U`utpoz3%0)^f$rF#I>tP+%0yhKXk@-(`VVaX%=pg=`FNkQf?as>$E>ZA%s%
zLBdG3*awt86v-Sc3P7vs42b1uCWO5YC1#+#yc0<%>sPX{5_kb65ouNZ!q~{?G9`i=
zQZ;M*VQkDy)-D_-?1U>2C+~Wk&olhL?C9J~6@FbIh%TJYLN8F=06ia|!$K;G$cb2Z
z9C&tG3+<RyiWsq-^4=vNAbm3UXOVug$e5pkk>4hD*T@oLa@l0Np&9<bS*yf0ZAHS1
zXn*1=lKYWK47JC|)1+54dZ#45GF;Ys1%oo09QJn9*JD%WrBBcwX)>bVzZTFyHO~YR
z(F@ez>K<G4X9UQMnAGWoZYA(<53PG4(k_wkS)KAWslGru8Aw}O`7K@7mr_q-T^9nG
zbu!QHExQj?!Q<m-kHz@cdWlvx_+P#Dh2-a37ncP3h*RG26ab7Oc1yPDDZ+(SszuJ<
zZHX}GLqsXLwtH6z`uWc*6_Q~4Ln!!?v$ysI>;;`9jcNEea{00XlA^S;(JaV`WO0D<
zNEI$ou$jL?XvZb%LBxLjoO&1Dd4GvLBJiHV!wJtpXT!bQ8pR$yec+kjxb~@<1*0ac
z{S%W<or#g3H&qQqN$MVjZtpyCkAc256!W&GcQGH|a><^j&9w@KUG5U$?#G)eG>-y`
zG*2qv@$jPT8HoH%eZ#0)e~@#CArMYIn)Lj709X_WTTYANcJa+>6bLwG9jo=%J;8|U
zlt{iInnj{}xZAP|DCKHv9=^3H_eA7_wC8gOy(5fVCg&?+4fex{+j>7OOH{VJLrYEh
zX8iEK-yQgpp?HEC^Qhb`I%@&rGrnAIti39UV?F|v7kL<N{g@~=9nZ>mhCH6N+ZLRR
z`YtGUl-VQ*EfuLy$H_0forl9mR&LD0Pc7^1stLWchBq7onnj3S%$Rq-gLVr36qig%
z$EG^e9L9^X>@8`>qNbjxrz=X*Dg6uqlMlg^X092yoCqo3n@hyj$B?y->HCb0T~02|
zJt9277CJRsj!t!iZ9KI^kcDDciZzm`MpeG|jW7jB^eTbya<FKn>=$^t8(1p!*2T6s
zNAdfB@e)|On9sd|K%Iy~88Wr2B$wmt4(+kmTFnlF0%l-Ux(KO$m;3vL?c@kjE0z`7
z(1eDy-okzFowQ^^rpF!w+sOh6q8rZ^IKjW&erB%8k(<>)wh6i@(Q~KzZd@P*2u2*e
zHP{?}&&O4%W7Zz%*v1+?^&f_$fV@$h4Ikd<iVd1fl>7udU+^mqznisFH6j2|_aa1Q
z<EHrVf+^)y>y7{4^Ojg`Ci1>7Tts~?=+O;Y2=#yNQNJ-R-xM>ShSko-yA7uyi#e@K
z753kxkAQ?uju)NpPVh2s{N>q}4d*?eEE`xot;=b5-bezg!qP0Blr`{Rrj0MgQ2-R>
zO`;K{rkrIL3&qr<wspZdDCrsen%H>Cb4@xCTHVmNm4mYvLsnAL&pvrTVbCEM!x%*6
z!2a<9Q0K0taS<v?VpV&U5C?%1?VoG~AKMaux~_-*(b2eESeEZ`bDs{$A>=Ri4}mZ#
z5RcCXN>FrlK?k;m@C9&^VY};c5VUl!xiFRNr^Vj@!82;TQ#PkIq@sA>yKcR+*CB{~
zA8<r|ku&=m_q4#Ev@pkZLAmkVo(3xzx%KIcsq|v^Bg9CRJh4#DH)`ZSbTmlEy}9Ya
zn<Ts``}e@(u-cIUQjbUEDDpn*|I0*_0`cFOZ8rn5z>&E&INN5VD~Av;o#Wx+`*nd;
z@X<Jyda&YTUeC>|0cc+?`Bt^eFq7Ta*UM1`0{x<!t<)*<DH~oomiXu-K}S&Ta<RHP
zdcw1$(U==&HH*&pw25IzW<-tW8Xj#HFhOE;#%EA}1&&f+l&k-bmq8<Km$O-Ho{Ls>
zYL(-{{;PzR3NvdI46V)Ip@fS_v6fWAp@~ccD~cIf!nl2RYGno{bcXQ{$DbzEp$ks7
zmb{Oh8Kt<BiZK%irIzbO9UP9x2Bi#;#eETOr!RLK64td!cs*2$2>YH;S$)m()V21G
zV9QEjeVAh|LqjqK?;cSGh!zvVmm86vlY{!EAR0s?=!DRkP0=OkpP%FxTVoD>!BFi~
zOA|!~IH`%oe{bv&BI~;4b}U1<S0znG9w%q@qBaH&c#FsrFUR$JDP;Iw{bccSasx2R
zC?3jsuWcmyVrmpHPS42?HKXicf0{-xXaD^$?RW8%Dcd(g9*>)aBI~<LA-FyqC4Seu
z8%$trPeJ34Ja-FqHE}h}yk4oSS9t5;8+QD0%oV2DU+>QUF*7k|-{Jih@&S-yvVVvj
z#$&nSzWOQZPxj(*-jMOvAYmfZeKmSa;d%)?2G&`nJxbQRgheJ5$L2llIma)MV-tz}
z=TQ{LF(=_O?m$MbeN<(zOQ@;H?TZ?`a69CY!#p!`gxyhp`z%Uc9Zi;DQIk)0Y=C~g
z(#D2+X^88tWeQ9jK@39vI<^x?aonb~_iZvQ|28H>q3}HJkR%bk{7F!@{s8_cZ~@pR
z5DDT@7mu$N(V93dD)>1(JTTysx{HlB&znQd<2+}VNE8*bno5{NR&p-%5Y<$uY<j+C
zc|I}u><K)xN?%|MTYWl=g<f-sFZ4-P1Sl9<UcnYeRKjR1a$oW0>grUnOe6!T&OGIr
z-TGJZlo$R3bh2X?Jnyn3K|7+nx)^HG0%t#`tYa~~SYzR-zpq&~gvq9c8%X!t4egv^
zhkI0+AN_}`f`>~G%9h}mSBIm(l<CNlb=m^az8uN&A_s|w$*e5OQ5j1GFojJnW|~Or
z`9>JuR9Od<E0p?scYZ1ZuhgA}J}JbJ+}s`KkpYOS(_d81xFyEaer}9Hw_Ct{nv2ho
zb8Fa^YjDM=N%++^t|f}3xNMQ;AM+xXe9*1fZ_@g~h#dRWhZS#ClB>Ck<bOG^XvS(`
zXP0y@*W2Fp-v_n38{V{O?X)%)dh`rIKC4kl^o_5yc5Fj80oJsiO_@D)^t>!AXE3Mp
z4^~yfN2PMJv2XGcBz++C=P0Zi*mS5+ODNhTgrE1{U~$YrA*=(I1_`->1Az0@mtVW0
zNpm;c<?lJ3P|PFiL}WM9I)uuv$f-cA<BUvQo;giI)Hyp#+K_G=8M#ADQh*UF>s)je
z&VW)B&nS;4npoHP5=X}yrFT_AMDbr9*D6_W_!pG3P^3c5ZC7}B$0DfC&aWahUZ}F}
zTpKwfLZQFIG)%s=3LDs?Vl+wlK<s@_2te`|w<G^|7|_yor`W=ANYTtK0-M;4n;KbF
zNbOB^9p}!G89XS!_PH)p{!|s&X#$YB=;j_3-k~M1FP4*wQ4?Y;IYk(bf9y~#zP3UZ
z(s5Hgdp{!ELz#<DZzP^Bbxyars)l@U-_8O%boz@e0G{z@8-`!uHb}>!{|}z#eq)X4
z1VJ7HNX6^p(3Y~$V<_AUwXW`xd>5@5=+3Hm2o8oQ%!YwIkBdr$-(J7;mqpm6qE_dI
zDpzxsAHh)T3Ma#<`;c;yH$4+@s5H7Lx9g#&^!$yo-`6|;rEf|UlC|ZIdLGyIfAq&K
z+;t<Jr-piCGZ$D*a*J^7I$iw0Y`|*|Q3GRfnW77X62=TcCOJSj&1?^@UBR^s`vm~a
z1JpPa;!B&+p&!;8k1S<_XsxzF-#w%nI!b!G5c+!_qfzKjmD0p%*z3jUuvF8x0Q_hl
zbP6oAOVY@PSG+Yl39WdF(_IUK&d{rVU<}tycsALSE;c!Uo&5)89o7{O&4ZgR`OFpv
z3i<Qes|#wi@xn)acls%=tSIw~1SigYJI*6R2ML0Vq1KWP9dxG@z0*aDWQO`WblBcI
z0(zO&%{7pPgi9x_ehSx&hb$RR*W%cKMoLpM8P~D{`qPly=Pxr?_0*Dya^i6vPxxQ<
z0qVfpEcTgKv#$nk?MytcBJuE40-S;uz{b1)l*J^-P%(A>poMi=(8K}j>df{09rLb9
z=4nDgkSl3u3M`TJ`ud*dpadzqen?+i6v`6!m?ufxro#tXAIhk#E~#X3QEW0$Y->AZ
z!BV6BGCbG~@@!ksn5$2;p3-k(ZU7`PXXfkq#4@FfU0{>Q)J(`%UWu96t!G~fl>M&r
z2_tJfTk)!53IhNiWtwnR8FiG--rkQ{_LyFF95p6#UA$SdE0X6APt@x$nyRbcof={J
zG_X<Yq5Hq3L@td-la0;fbfTY*M~w&N_Xs=unBd4*E+Mt$S%a!r3>(@RY??8p)g1HU
zp!<tN%Vie9KnQw}^T`&s=&i1cWhQFAoP_NPb@{${=b!U+)*a)=b?04YR>pdWSlk86
zSAH6+^{Nf`8Sf4qgV45`hAo#Cpg;TJjrfWG6~;X+wiai_j&p@yP};7oOR+L|TVdkf
z;s98ep&@<1v+g^&yqDZD!`V#A56kD$TlKsHc7ol`f$m5a^yQc?87fO2nx1gB6cLFv
zwrdg8f9;yO@d$@w+I<taD?Hp&k(v0aDzYd55Lc>qS3Ja^na&1Nq|l+sc5I`J{!8qc
z;FxLAc=tu3m2P0CWVHaG1gBJmq(IKbu^bJv8q<@xWlqr4xKeRZ*{~#nr29;<(`$pw
zOSn!-`#XXO69OWlhgU=082SC#5v_A&Za9)03IN2MaX5l1+`$dzD~lU$Gfd9od}zT}
zkZ2_x8p3W1tFnNG?`ToK)N!2J+SvL!QgD-7>!A$5_`}`b?Xqdu2B#SQmlnqETsBaS
zg`SkEXal69W~5@D1+zo7+-8rd+;Q{KzM)`1Qr1rkw`>4ytUyA)yC0;;jaH0~Pc^;a
zA|7vqPp~pWXMi$@<^4uLv-sQKCG2LgwWux1ZzI_myaZ9(4ly_LhVjhQT{`kaXd)be
z+1Uy2(YUWaLm-W)X+8)K@~4pQp+VID-&hWd)5nSm4MphhkUqg#mb;7A6<AQn`o#0{
znhA%f1N>hEa5>00+;2;k;7__$67Js+CdaHsg3BN)6Wcxy_lIAi2S*Rq!}{%hyr`|z
z?})eP0{6J&_dfct7`EbZml+c_fzsP5Xy9%!;F=tHiNlJWy||v8oa-`=wIg9~#_B6V
zHfGBMqPHw#Tv{%cfO4E;_ITr^#V)|?gSD5_1@yOttryNw=EeD(=za#es=6#^g^1i5
z4j@=E;lB)aEk7a&lIV_tjG6nSh)T0twY2rgPf`}8;6vXQ>=yFOb_rp58$yw;<|Ort
z0LS1+MH&Uc5c9kvHYZ92s35y}+c^5h00SbK_)j$FV^_$%pEw0MZ(y33yUdi@Sz!E`
z;`+j~Gsl^x$F*+HepR<tT2c$-t>x~8)~6UBQ-O!VAetD%c1lb6$&uQgf33TCK9AGZ
z8XBvW0WiNPF4+qY<{BQ8v<?UAY@nU6Ss)uwBA`I8rW&oa<jG~>qkyC8BHhBkzGRZC
zsw}_7+EhOhAurVpRsk6<BsQ;!0v}+(zPp^x6#aZq_x8e-M-C|lDw^3AVBAf*S`<56
zb0+AG9!d<^)-^;S(vQ~9pan%r;O2Jqqf0EK<3tc_@R-$zc2h_8y$T|$p)uD)XR8EC
zB~O1V62`iRLe+d)5=!pnGL<?4{Q<Nswp5WtI!^LQO29S4T_Fr~>XU21{StMzM<71*
z(?#DMfvZELd1YIrfyd&)V}4l^a>k(F$FzPjOHgO+o&@FsK-!Wmg5-jC;kz9i9y9(0
zt)9hHUh=8eb{%-*9saF1y%`@<7>PpiB%BeRDZM0Xb`SpucZnP}WsVE4n6gvl47dmW
zhjHUOh<P$LoX5k9VQ*VvgE>M)D^;KIgvtd>((34RQl!ScjuKB)V|m@!HA&*DJoGNz
z@6DCz8*3OpTz9ZZ$bu5rKT3$VIhbw^8g^;|f>;=57m|s9r1>B~UbG8+VD(2bIC{><
z=UvEYii(Y?LuG~*6vV5$&&MVAmpBR&?-{~ddzpyfoNRr^xj{&W(2s8Nr^OQ4U|qkG
zwkTZhKI7cJqbr)^5)dXd(c)2<Yg~z~6#A^OvIKyeX!tFPQ_8Gjxsk@Lob5{41jgeU
z<yI9iH3{i%W`sKO9n0hD3eZD>-=#O;ExOO-JpBi4bPKW|?w}p_rcT}6mK6kigH^1H
zWpZ!6-IVJk`4&`r)GHVTcW<-mA)>s)aY3p%ZTu6c#5s=;@7_Rf{gREW{lvAIE4Avw
zODK+!7?I>xCbw4SIJxFJL81G~kXi{G_1DeTVe$fS*MluEDsqW)<r@^XXZZFLlayjy
z%27F2_{1kZlJu3ec5kPa@p+?4`KOW>qEG(a88UYh*0j4|q0R0?=Cd53#S1t1NlQv(
zf~d+(qOG_Q9yx(PmgKg&R>`@6<NC?$f_Kf>o=8Kwlhs{>EB4!9U+wX_Ddys?up_2T
z6=8~_*jH3B?*lGL@3ZBw{a$+Vn<M5atZy+5%$2QT9i7-#v+Of+;T<}4)ponPj&HIJ
z>?+%|(zI4iMz>lu%zZ7TmptBJ^=C9{hJHl<Q$^HrnxH&xNGK;v@4S&Z#oVQDul41(
zw+XThDS=H56#{ogfVj6?M_>Bf(_Z5#<U05?hOqCThsx@sbeU1L^9p|SCR{o13ud-_
zCm(hxZb#$oJn&BxGTeI|_7hH1u3BYg$S419M3eDr@A5b&h<2)qb(hgf{+?FqGg^bS
zQs9o?mAfOLn2^%jQ<VPBJ!*0Gnh7~70l-^|V=){Rs>s~LktS7B?I2;tAQ`vPa9Zdr
z=Qze|Aq1>h3!M&R!e{9=n=5AvbnJPzIdKsSHW4g(=hih-8uGrlx%oNB)|s~8$Q}Ki
z^<Wsu2exY0vE4FSrktAqQk=?ZgVZ|53gb9jRR`t!NrIYcIW-Ve?Id#+oR)IEM7WsV
zNJZOXJr#u?@Gdk_@!NbA5d9IIdd~1cIfX5|$UJU>KOEX4Y$(DRXLA=M01%@PNymEG
zKo*dOrBleRQSphHuBu*jOAte-Up?!+Cl^xb!{EeE1XFIJEskIv2R{fCW6z&HyqOzK
z%#pO7HN$5*Cwtjb$&xXQ!felyDtUh2R{r#Cn7uGoidzPpM~8)&UcHl7=IL|R8DQO0
z7*i!YDpf8%Wta93m4&O^PPcKxsBQdfbIyQH6nsAFRaU?{8kNCvEOLvX`VJ(xDnUF`
z9IbEOz4}E~gKJ4U(Z@#agHC{Znim&x2hN)P;OZVi=_+UDSE&R{4`W*p*6F3}79M~X
zaW$h)@TJ5DxbMa%haRk4(nKQY3M8!J=#N+q<x-i@sw^;KVuvprl3GkyEy%3AvkRF4
z<bqyIA~8c8LmcG*B`d)zJ}vBDH<{0Nv6noN42M}7ISR))jpiZ~oh^X;P3HE%(_-GX
zu3HBn45~w0qI)Ifcw3b+#ZROuhMSDC06E+yC!`R{*!U;Skk9*)Yun_><pKZ@$pW#G
zJ17Vn?lA!QRYJ2buAHsWw0z<u|MDW+M_4U4jumQ-Jp)b0Hr4a<P5c@c7l}?o<j_6u
z0(3M3nu?lPP<ND&c2MS0Rao`(g#F}4UnO=)FDN<YQa|@d@>DM4i>W$niPFg$>5C!$
zJ<9{aS(9aX1Jm5&()~rwTH*$0C@7O#zV}2M8wiJaz~&|7KN1{!|9+UWCd%PSZcONf
zpNb7-3}3w7IUx>{a7^`3v%La_^P1dwU>7m_5&QsGIq;~&_-&#g=l93>iSc$gM4sq6
z!&5s@(J`O9J^Xl;0e9pcNp&S05#+B8^w~GK3c9m(>ie7dy1VVM7v#3!E3%5ikX}rh
zHdnR~*VFIdt`ggyHO4A((%ue%^J}&tD~gr@7m}D(@tL_jU>twiH5hhn3Z1<rCPnHd
z=jxj2Q>RP~33QAAyBxKqO<>M+U(EnLM17{_in&`t!lj3cq(r2WP6U69;E5;*Avu|r
zRWdO>LSb5$_X{jaW@XSqQ%WtImBh32`zz*Xd!r_<W`Z;zap~T+qzjh4Vmi<ju5hJ5
zjC_yZ-X$nQENy%a<J0XeL0AaQK`XX8zI6nA#}kY;A`nX)7^`<vo5rIKzy3(F<d%c5
z9DNTeKxRL=+yRQ#e%eEIkRo{A(e5<T*_qo$)cqacb`^}|y~;AJuJC_&n-z`l6HPL1
z6lH16Cy6t9*TJ?gaYnW-I<-YO&eZ*rw45*w6izbo<k2}qgMeoQf+`Ip{h-rVZuRq`
zu5VS`u}ygdmp<dPV3+*Hhyj&gd_n-{?te(NMUu=ORYWpQeA}qlUnR%nLIV8%YQyyW
zX)Jfeg!pkM;;th{tjfUD{;#a2P=A})Ko^ONiw;mOYZ||FoBfrdZ7;N|>oJSl@yk?I
z%+$~W5Z`J8ks!G-`^q5*otJI>A9tr3ZgAyx^PdH$$n?!Nl^P~7W`SB~&Di+$v5r1P
z$?A15!@18QVwGql9?EBj4~vpqD|gl?UIU<}b$TlXYtB)&rLxN`R(i3mu6W+7GRUrt
zt|9pw9R3_>8>^!t>+1yu-p(w(Op(hmtoid3s4_O_4upMZnbN(n`zAED+X!0IqJXnR
zRVOYczzVf_CXWwo1R{X!ncJ8G5Asv4blVg4hg0JZ2iU!IqR}m)SW`^V^2(dN5=~4L
z8VW0huu}P=%AI?5Oj!CrazE-9d}MNcrB8eltu~E=-zSzyBe+*4md!CbXO_m!mo3<r
ziP6inU%ZHi7EN5iH7r(Z{dsTnT@l3StqBkCyod66+;p~0vd7slI&9l?S{DjN<Uggx
z)D<LJ1%Q?)Kz}i}w*)i3q4mRck%VCfw_c2AGqVvdC*HE}04o8z6h!Ohnd0#k=u}a(
zheTgkC8-uKi~yP_keWLY%!C0E(26`KCH*587`Ty}%M@g2)VtgQS~awhLaIV<K(}_`
zJ->9ifBfLAANwI@Q8}B<XjEi!!&Aetv=>?B@~|KZ{2iASHuqJEwUv*&GUU%bV9bNw
zB3{k|gO+E-0hbbtx|Z@0#^KGWVmeJOIrUn*x_Pv{SY*p{nS>vEJexRIq`y1y;*U6<
zMCp=kLjGP=k{V@QZUY;%#7=(&dq7#75OK5Kk*nMDg^z|n<i+>czmfll+XQL*FB14~
z80cAqVIfP><cr?c9pbk6A;l=gy4Z|}o|?(2WjG~!$xXyuAlgYVHZpd*RfqN7^J<p=
zdc<CsUu7M--Q{s1{q-Hkg5`RCL>)R=y2k^ur#yvnYx2mlt&nuafyK|VqL8`vvXCsE
z36A7KE6q_7JOXh%0)TjW1RHpkX%n2BzlPAP@@;~ugq16gwk8vx1Mu+vSe{A;?=m}i
z27Wfv2&>Q;Abu^#Bv#O8+yM8zNlY}GR-lDZcX*z6;TL4UWfCq^j=NgbH`uiOP%Jh*
z@J*pQ{}p~bU0QCJ-2h0B?o31T>&GNBNuQ?}&^1m?2U+&MbP__IUtmt&SyyCU*f(>Z
zt0ARki)DW>Ert4LBA^uu?@bWg3o_h_KGbZYb17$7ufMu7t~j^6jX2Mt6Ru;xQf!dd
zRQc;84|We$Zo19Nz7wB`HSpw3ke-#dO}KTW4dl`yZ)-re5ok_sHL35ny%i5vFgMDZ
z7a%t%5_CoWYive#KeA@zS_Dv3kYRlnC+uh;4ouR*j}FgHezYS^$lHOMzQA8633Q9?
zjb>xq2Zq28i+!mZKgc>JId7sV5$-=jm-z_hR~dS(+puWsjp{G^ITc|lfMbH43IZ8W
z7qF2t;hQ6xd~}6&8qmSMb{Any(a|2V!!$YZ{M{r2#LnnBb8{#fsgG3MJ)KI|eYhm<
zepE4dQua9*Q*iDG0ft61Xn4otgdmfIIXOrg9-j_E@X~M}ZM5`l+QR96FgCfeJ7!@T
zBndTV=jU0#-~lelLIz^B;Xb5;JB>pID$!4+9|b}T2)1;3u2BVpv6~hDSM%umE3z>@
zZ<^e#G^g3oy89cNzb+5eF*xLop#Q7M;}}yE_oDH`5=es0DXubI54s+tc_G}%!a+)t
zN#F}xhr*=hfoB9;s*3&E8_Hrj%O2Ct=V<x^)m4lr@~F!t@2%fy9ASdq^CkIV+fV+!
z;$OtTE3ABFq}yg&b)JlNn82Eg{;u9us=KuRWPA!I$g!UJkXV<i8ZOgj)i9ip1k;i)
zADl)jQKfGW>5zqt>vL3@6OisPB*&W0kUxAuXW9brB{{diQbuP3^o7urzK~WcGfVO(
zX2&lbosTiPK~t%jZVo;ZH#%7=TEU2eH*`%pb<DDsK^j=FHnY4f6aajYIPRoEo!3X#
zRj6UgqgkX@fnP5;gD9s8_l8T2{hB$J-yzEs(|y>xD@dOLMDbhb<3R=SU;1D!rQpHQ
z{~M9%;A<N|KwV+qJZV~thNs2T5K_<h-1VNSnn$UMOQD7wKSK3S5KS2o84Z~OzAW5d
z&NfS)e#|mR$dD!G<QQQ^_KE2lj&cy^yU-v6Ukd~orDCA*50bOV<uIN~YkGh<PC$bs
z2)C9Ap~*E=BBA*q8|VT|O!57C{e+5=fK$W0#OZ{Z8~WI#IB&LiJCv}Cu2;K45Jd3d
z_A0i=QqP|P`%~^s!e%6_S$T~V>{?-OA&~e}Qx8{7lL%1~pM)-o%7+VFUvlTRv3xBY
zF{puK03lWx;dtbj`|p{0r$bD)1mApd+^j>LDgg%Dppj8TIDuCG())Z|!T@pBNB7ZK
zS)alxAgp1pId!&?Ib0e5#L)UN-|#^uqgR)hd!bP5`)XLqaMoa1dH8a==wH%!utQ^3
z&x(fE^+4o7-#&n`wS{+3N0@`FB+;5*?!G@>L+Lei2(%K(-+yc1-XuIVMeM!*{s#m<
z5?owJUu&fRlx84J)!H6Yb!#NX@x;>29Ca8^S3wj&%&jb>JppOZoC%W{#g@O^o%9&k
zTW*>P2?~+`eMN5N!$|76wfrdtB2xwyMroa)I5^d7AcA88IQH9Lj`@_`acy1^QpvpE
zsYS2|pn?#K8((46FXPgVvE6?X^u|(t<7aI>0&x+={sNQ2CR&oh(=>DZW&uw9EY-PO
z1=)5wSnTrO70%A+3~}4_-R0+neoa$Qz%oa)nbWF6*+8>qrS8eG!>}BnIeH@I{wZ-{
zm=qpD14P2!q^fZE*0ZRAbhbr2HfriZ6K@{@&7Kaar%{-xEnufb<^oXb3*a<XJ+?qC
zg>Xz>o=DNL$r&Una;<8kn>m`qYzW~Y6!l10=-+^CAXrk!AZ9#_iorZCzBE1Um)mH0
zc7R`RvGr8@s^y<kH@X%sU9mjuQM6Gon@?lp4OHA2A2|hk`N*`XjC1Lf*gfEhMc^pl
zJSdRG5x~O?cI+f=L4Yw8^kmp|wMcw46&*uSX^nS+t!<%%5AQv!{^<r7YNbwxH>5CD
zdvy!z8>+_CSzBnyDL+J0s=9K)HmFvm6po8)SC~TlaOx?7oQw?E7PM7}Ve{+Qxl3>1
z;PLa*=TOMcbMh;gUIOw6)6ZdzuQOnxhO6uZdR(UfWXdk^LZ?yORwxzqg~Rex!1NkQ
zIp_~{aGhKzQ7ZNlHMv*dF_p~8{{VS11Fdk&-tp*r%)!aK<u8ndvmYfKd^dTq^PS>d
zka^TrcJ`SAi4;)$*C>!@wi3f5Xbkh#;E$^NeR|+$c0FNX0u5%@&++elWnSH;mHiu5
z<GR>0F5CxH%3{r$cGOLYb1Ci$VBK<Z<iqeSUN8@C-YkWRnyyIe?IBM3Xu>`00(LH2
z`wEN7V3!GtMJM152h?#a1-jtw>|Q~0|E);lV@t+!THOmRYoC4&kLP3=oMZ$u(?Qi+
zv6m|U_<gaswZ-W`;xS^~0)=BUwCXK;p%w9~)!U?rd!;Ok_4Gql6DKy=*32npZv?gp
zKNQLEXbXRlwjs8%f0m6e0bj!HkS~asgS(A=nsr5nLTU_fL*azcBhg>A(wB(HJ05&B
zc}4~C#3Q2vj3<7^sy0+-Lx#N)s@H$6AB`z%43*r~MW>xuC7BH~tv460HRakoB$hFd
zPA~Y=u-C>z>S0hVkAvY#w@jVhts8~HNE9H~2iGt9flzPYD)<DaY*aHX)-%7d+;-HV
zT`a&i{pZe|(o?ahs_zvDXie};fG<g|B)3ke-7LVlCu1Iw2SA8Q`)wfu;3ObIcxZ3=
ze?0Oo)z`R+7*f0`dFEUf{SF<}qRj`NBsFw~TcVWoMryN(G5$&A)cjJ~%cG^f3oX1)
zpjdnoyFZY0vhE;X!f?C?v^Szcua^#rK&eXJsL#Y#Xuy3GfJ4Lz>p6dW$U;(pc@-iC
zevSAQ>`;xmSg)S}{ZQB_7E45QrDp!BMPaNBTjvJJU2$C+;1tLdq~5!$QIVh&HE7-i
zZjaZPSFiAV?DoZ2ngPgX#9<*NWVb;P6t@y6kR6b!B}=FLE<hlX8sc~)VW(<91i_u%
zQoYapUF0rbjZY=b8Z(VBSy7OTi(wIt1?`QZs^tcQ@$PFAWICkjokv$EYBo4jf?|yl
zp@VybTxmU)6}&&`;0<&=Q3qY>F`A=&V0mSXPM+woyom|Gyx*NK5kg^76h<NXnT#*c
z*ZmqiqeW1{TJr`3m561Zw3FjOkefeW>OcOGAcf|3N@JT%FXDt>SWEWoDTwJh5r3K$
z_TX|<Mk<lHnx)uV1d^NMXnp~PitGp8k8oiLiTQfk4{16aG8^zF;k&t=Og!<x2jf0y
zmXPuhvz;&bWX6BmZ`!#NSr?jS7zI6>yh3r5ZK{l=qh3W7oJCmZj0{{;8*QnrE=<p0
z^DO?#Cs{t!S3Y56NMZFum9GC)P$-L0-(jHH%nIb0N!2o_aBb{=VN}L3a(lXRdORg;
zz$cqte|NCBu<TY)3*E_n&xfPkq0XT%toYHt2j=2Ttt|-)9(iaDE!FR4GAj)PR_PtN
ze$Q|&pk5FpDzoYSuJr!j#S%J;(fGQ*NKH+$jH?U*y{@?&aJ^NA@!)AF3ujgG1rJN`
z?bkz;nd4!B<cVT3q=ri-GmR5;*3B5}c#(Rc1&`p4#3pGg8tzu<$C*}CK*i$LX#p~!
z3ukUS*U3TBbq9q6tIi5f_YEDb1kbQ<(4RikM+94e)b+rCyL0(Ttxwmb^YygRks9>s
zh<D5_`mE6|@yZ2PO}*R+BaUkiFhnMcEWmru<{$G$Fjg3pJuPliM{U>x?9`FuraOZ|
zqc=+xtSLFg`&C**F@bav(BOPZlIc-wgvo$zG3rq}G6TVItj`5%_M_~z0vENs&NXK_
zD1@1Yox0m8uYOXvu3iJUS2xs-idU+}+qg1rJ`Q&Y`qz4<#&=jm?v~qE`^eUPPR<ws
zaz*~&o8nuFKYc46V<dI1fZf8eq}kBqcim}8UmM}KC3HpAi;;$R^=fRH1#G3X$qhZ}
z%wUPQx{>eoeI?wX+erBP8|^Fu5D)<n^F*14m$f9BfDms6mE+F4z6T2%4@XhMVz%Ua
z>(&W!?2kgWxc9RuBSP*7H9<1Wrx7FW&p<-oGqOz~=HhLV&}bFQ)-=b-k2W?i0X~Tj
zeMBxssQyKp_q9GKHL#}Jd;IZ*mG2jT(4=j#3@?m~s4A57(rDRIiELiIy-cVc`cfmQ
zmtnyl=aGgKVlL!{L+T*;#(^&3gFGRUAkZxG0T;s0<NCb8eBWKlmsm((eP7m(xO31Y
zNy9o8<B3hm`0P5S)n-Ia&b)JrvS}80^<cKi2$nq)++uO8iyIFTdk~)qO+~qNXQH4B
zzQE|7M*U=GAJAF>YI~Ckdmf?EZ!_R~-5@nvoTe?_FvnR`Nm)v}3bmkPvIF8zz=xPh
zqJc@tr+%?Uvi$DhiQti2-dU<Ki)LclaQK5?K+5c(n&f_AO6LFgqmI*1H2mP$g!ySm
z(G$-I@ui5v3SB_(h%~Qe*jNmeSfY6%HM`~IUSVV9R7h3|lIKR2D=<eJp<H*0wYv-r
z4j=hv_rJr7Sp&Ub$ZnEt9!VzdjuUS^l9FLJQH&scZ@td`e+E@L;^VQ>JU4|rH>K1m
z!zZ9w+bppmxg^Q}LWh8U;!}oW>m;H8XHRe12S_R1MSP4bq@IQFWD-sN!ZlPbe|ZGH
zP@~m&#waB7iBqH8D||sxU>BCL5<AUY1G|K<TKu6CS408^c@IAc9wq97s!pED&`}yw
zh{!hR5q>tis=7D0i1eI#$%s(OaH?&!(;kv>Q4vv9(AT#q0KgHg$nw$RXo0P$k@7EL
z+@X+|oCH!uGX+6{6|`G2cv4VLJ{Gt(N!d_~m&tzrJlhu@K~NkzSJD5s;+k6q2j0L4
zHC^eAjfxghn1ZjPbPzm~^;>0r`fsSI!ZXVDn6QW=0wddNw;o&5U>TP3c_`2U=#w;9
z5(OX!AXgW%KZ=r~+MaYsM$%vX#?CXeI%L45?GF^lP7jHu>uv_`{r=K5Xy|)&4h?~g
z)CKZU2l(z<Gqw)Nqh8^TOHtf4OX<Q>@?e~0(U>DZ=B4>kL0K?o^VXzqxlHlBLUy9?
z=~ojF@qxQ_T+aV4OW=iy>G}}HV0UC`ov6%$$THy)kA!|^5gDRW1$T96a>4A;=-toh
z2bz|yL}f#PP)80N{300pIQb9f2VDQ!temW^WeG4!Is#DwAOV2>=KK~h<Q~HVn{Q!h
z{$^D&-<yjgcLoE5NcFsTmJc)4hNYadFrpMgaRR8c(g9=)^BW@~1b}Cx?qecw*{<e6
zHoeoQjDWI59$*W{QvimRqinyYn&0p<Sw8vst~IAzWZV%NebR7U6XhH_z5E$aH5JAc
zeazJa;Y+IFYN^z2UDxrUcbG|ox4ClNpDsK3qfNJbnO0KD%+JYu7*^ug%)Zn;)1KwP
zN`Xy<n?xSIOam-1AYISa2PKNOtdfJ1w4Cn{XRScq`n8KIhWL(xylQ1*A%HJc)QWE0
zeZ-GA6A%Rih@uzb8%PGG3I|yP!fWV=)HrQ+9qyt_#o)^}rXeUnRP)t_aRXXOA8S1o
zv3guxVE=j-wE|iYo&**Y2dn^0<;(xRNc91g$EV@Uwlj-f?^8=0&)%%2rrF=}_6b~M
zUIfN!AqLP{6Qwr`bKT|6Gf4(iHGp?JJ0qW^T_v<AaNQ;B&a0WVpH1p1`Ei$;PwB3d
z5D?!Rxai-c=M_F}q>6Soyg1-QH(SNve^o9u7R9uL8OkRZau!kEo~=n`&c$p=R-+24
zy;!DP$e<(ke4SAINs5}xz%jYE$e<WfiqHt<!rN=+$&0Sh@-o)|pA8N-^~wB<Vu=U|
zCehEPirT#DGdjR1>kX^Lo7-VZ&19`sp<m-~t^1M*Ut_x>$eqi$d&vgag-?aG?{k6z
zpQC*R((fRQa?BMb!$Wz>*g4jVaGH0Ua4K-&d{qy8u|)-4bCw<vPLMk9_owXQnx&n}
zb8Vx6q!*OjRrQ_x-UK#0+9|Jc@S<CWbF2N$4o~WG^D@q{ez06p1TZ4`E*b)?^`knb
zJV=NJ?(mz)<1uTeV#sE|i5PBnmky1sBPvNE>O|w8tCFYrH<vWpz~Nmdw@$bO;>?je
zRYIC_%BvJsfP;V0Io_jVqV9fM!8<PSH79Tr|N15%>rt;TX@C_SkioWA;S{7x$WhXO
zehDaoGA_j9BGRYhhePAgG%$g-FboC=Duzgg_YDFI1pqK)1_>&LNQU<f0R;>&R|G(V
zdf*#t%!-H;kdbBlY$9AR1FJFvAk`Joo&}|_@+ONEIKd&3iT&}KG+ee#t8F~x28f{C
zsoY5O&qqknz*w>Z0t5g80YESe1_&yKNQU<f0t*EI1VBHWsf!iRvU{{nYe@2{^9}m0
xdoqt7DgMF6^G52bYLs4BG-0?rJ3{6C<k?YOHWBRp*EfGSjC3z2y#6Z?v2p(Ap*{cr

diff --git a/buildSrc/src/main/resources/fips_java_bcjsse_11.policy b/buildSrc/src/main/resources/fips_java_bcjsse_11.policy
deleted file mode 100644
index 10193f4eb385d..0000000000000
--- a/buildSrc/src/main/resources/fips_java_bcjsse_11.policy
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-// Security Policy for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in FIPS mode
-
-grant {
-     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
-     permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
-     permission java.lang.RuntimePermission "getProtectionDomain";
-     permission java.util.PropertyPermission "java.runtime.name", "read";
-     permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
-     //io.netty.handler.codec.DecoderException
-     permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
-     //java.security.InvalidAlgorithmParameterException: Cannot process GCMParameterSpec
-     permission java.lang.RuntimePermission "accessDeclaredMembers";
-     permission java.util.PropertyPermission "intellij.debug.agent", "read";
-     permission java.util.PropertyPermission "intellij.debug.agent", "write";
-     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
-     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
-     permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
-};
diff --git a/buildSrc/src/main/resources/fips_java_bcjsse_8.policy b/buildSrc/src/main/resources/fips_java_bcjsse_8.policy
deleted file mode 100644
index 87dbe85c22ab5..0000000000000
--- a/buildSrc/src/main/resources/fips_java_bcjsse_8.policy
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-// Security Policy for JDK 8, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in FIPS mode
-
-grant codeBase "file:${java.home}/lib/ext/localedata.jar" {
-          // Allow resource bundles to be loaded for non root locales. See
-          // https://github.com/elastic/elasticsearch/issues/39981
-          permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
-};
-grant {
-     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
-     permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
-     permission java.lang.RuntimePermission "getProtectionDomain";
-     permission java.util.PropertyPermission "java.runtime.name", "read";
-     permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
-     //io.netty.handler.codec.DecoderException
-     permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
-     //java.security.InvalidAlgorithmParameterException: Cannot process GCMParameterSpec
-     permission java.lang.RuntimePermission "accessDeclaredMembers";
-     permission java.util.PropertyPermission "intellij.debug.agent", "read";
-     permission java.util.PropertyPermission "intellij.debug.agent", "write";
-     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
-     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
-     permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
-};
diff --git a/buildSrc/src/main/resources/fips_java_bcjsse_8.security b/buildSrc/src/main/resources/fips_java_bcjsse_8.security
deleted file mode 100644
index df21041f5191b..0000000000000
--- a/buildSrc/src/main/resources/fips_java_bcjsse_8.security
+++ /dev/null
@@ -1,134 +0,0 @@
-# Security Properties for JDK 8, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in FIPS mode
-
-security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
-security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
-security.provider.3=sun.security.provider.Sun
-security.provider.4=sun.security.jgss.SunProvider
-securerandom.source=file:/dev/urandom
-securerandom.strongAlgorithms=NativePRNGBlocking:SUN
-login.configuration.provider=sun.security.provider.ConfigFile
-policy.provider=sun.security.provider.PolicyFile
-policy.url.1=file:${java.home}/lib/security/java.policy
-policy.url.2=file:${user.home}/.java.policy
-policy.expandProperties=true
-policy.allowSystemProperty=true
-policy.ignoreIdentityScope=false
-keystore.type=bcfks
-keystore.type.compat=true
-package.access=sun.,\
-               org.GNOME.Accessibility.,\
-               com.sun.xml.internal.,\
-               com.sun.imageio.,\
-               com.sun.istack.internal.,\
-               com.sun.jmx.,\
-               com.sun.media.sound.,\
-               com.sun.naming.internal.,\
-               com.sun.proxy.,\
-               com.sun.corba.se.,\
-               com.sun.org.apache.bcel.internal.,\
-               com.sun.org.apache.regexp.internal.,\
-               com.sun.org.apache.xerces.internal.,\
-               com.sun.org.apache.xpath.internal.,\
-               com.sun.org.apache.xalan.internal.extensions.,\
-               com.sun.org.apache.xalan.internal.lib.,\
-               com.sun.org.apache.xalan.internal.res.,\
-               com.sun.org.apache.xalan.internal.templates.,\
-               com.sun.org.apache.xalan.internal.utils.,\
-               com.sun.org.apache.xalan.internal.xslt.,\
-               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
-               com.sun.org.apache.xalan.internal.xsltc.compiler.,\
-               com.sun.org.apache.xalan.internal.xsltc.trax.,\
-               com.sun.org.apache.xalan.internal.xsltc.util.,\
-               com.sun.org.apache.xml.internal.res.,\
-               com.sun.org.apache.xml.internal.resolver.helpers.,\
-               com.sun.org.apache.xml.internal.resolver.readers.,\
-               com.sun.org.apache.xml.internal.security.,\
-               com.sun.org.apache.xml.internal.serializer.utils.,\
-               com.sun.org.apache.xml.internal.utils.,\
-               com.sun.org.glassfish.,\
-               com.oracle.xmlns.internal.,\
-               com.oracle.webservices.internal.,\
-               oracle.jrockit.jfr.,\
-               org.jcp.xml.dsig.internal.,\
-               jdk.internal.,\
-               jdk.nashorn.internal.,\
-               jdk.nashorn.tools.,\
-               jdk.xml.internal.,\
-               com.sun.activation.registries.
-
-package.definition=sun.,\
-                   com.sun.xml.internal.,\
-                   com.sun.imageio.,\
-                   com.sun.istack.internal.,\
-                   com.sun.jmx.,\
-                   com.sun.media.sound.,\
-                   com.sun.naming.internal.,\
-                   com.sun.proxy.,\
-                   com.sun.corba.se.,\
-                   com.sun.org.apache.bcel.internal.,\
-                   com.sun.org.apache.regexp.internal.,\
-                   com.sun.org.apache.xerces.internal.,\
-                   com.sun.org.apache.xpath.internal.,\
-                   com.sun.org.apache.xalan.internal.extensions.,\
-                   com.sun.org.apache.xalan.internal.lib.,\
-                   com.sun.org.apache.xalan.internal.res.,\
-                   com.sun.org.apache.xalan.internal.templates.,\
-                   com.sun.org.apache.xalan.internal.utils.,\
-                   com.sun.org.apache.xalan.internal.xslt.,\
-                   com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
-                   com.sun.org.apache.xalan.internal.xsltc.compiler.,\
-                   com.sun.org.apache.xalan.internal.xsltc.trax.,\
-                   com.sun.org.apache.xalan.internal.xsltc.util.,\
-                   com.sun.org.apache.xml.internal.res.,\
-                   com.sun.org.apache.xml.internal.resolver.helpers.,\
-                   com.sun.org.apache.xml.internal.resolver.readers.,\
-                   com.sun.org.apache.xml.internal.security.,\
-                   com.sun.org.apache.xml.internal.serializer.utils.,\
-                   com.sun.org.apache.xml.internal.utils.,\
-                   com.sun.org.glassfish.,\
-                   com.oracle.xmlns.internal.,\
-                   com.oracle.webservices.internal.,\
-                   oracle.jrockit.jfr.,\
-                   org.jcp.xml.dsig.internal.,\
-                   jdk.internal.,\
-                   jdk.nashorn.internal.,\
-                   jdk.nashorn.tools.,\
-                   jdk.xml.internal.,\
-                   com.sun.activation.registries.
-
-ssl.KeyManagerFactory.algorithm=PKIX
-ssl.TrustManagerFactory.algorithm=PKIX
-networkaddress.cache.negative.ttl=10
-krb5.kdc.bad.policy = tryLast
-jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
-
-jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
-
-
-jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
-
-jdk.tls.legacyAlgorithms= \
-        K_NULL, C_NULL, M_NULL, \
-        DH_anon, ECDH_anon, \
-        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
-        3DES_EDE_CBC
-crypto.policy=unlimited
-
-jdk.xml.dsig.secureValidationPolicy=\
-    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
-    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
-    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
-    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
-    maxTransforms 5,\
-    maxReferences 30,\
-    disallowReferenceUriSchemes file http https,\
-    minKeySize RSA 1024,\
-    minKeySize DSA 1024,\
-    minKeySize EC 224,\
-    noDuplicateIds,\
-    noRetrievalMethodLoops
-
-jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
-  java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
diff --git a/buildSrc/src/main/resources/fips_java_sunjsse.policy b/buildSrc/src/main/resources/fips_java_sunjsse.policy
deleted file mode 100644
index 1d2f06e3a1314..0000000000000
--- a/buildSrc/src/main/resources/fips_java_sunjsse.policy
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-// Security Policy for JDK 8, with BouncyCastle FIPS provider and SunJSSE in FIPS mode
-
-grant codeBase "file:${java.home}/lib/ext/localedata.jar" {
-          // Allow resource bundles to be loaded for non root locales. See
-          // https://github.com/elastic/elasticsearch/issues/39981
-          permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
-};
-grant {
-          permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
-          permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
-          permission java.lang.RuntimePermission "getProtectionDomain";
-          permission java.util.PropertyPermission "java.runtime.name", "read";
-          permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
-          //io.netty.handler.codec.DecoderException
-          permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
-          //java.security.InvalidAlgorithmParameterException: Cannot process GCMParameterSpec
-          permission java.lang.RuntimePermission "accessDeclaredMembers";
-};
diff --git a/buildSrc/src/main/resources/fips_java_sunjsse.security b/buildSrc/src/main/resources/fips_java_sunjsse.security
deleted file mode 100644
index 2959bea3b8596..0000000000000
--- a/buildSrc/src/main/resources/fips_java_sunjsse.security
+++ /dev/null
@@ -1,134 +0,0 @@
-# Security Properties for JDK 8, with BouncyCastle FIPS provider and SunJSSE in FIPS mode
-
-security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
-security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
-security.provider.3=sun.security.provider.Sun
-security.provider.4=sun.security.jgss.SunProvider
-securerandom.source=file:/dev/urandom
-securerandom.strongAlgorithms=NativePRNGBlocking:SUN
-login.configuration.provider=sun.security.provider.ConfigFile
-policy.provider=sun.security.provider.PolicyFile
-policy.url.1=file:${java.home}/lib/security/java.policy
-policy.url.2=file:${user.home}/.java.policy
-policy.expandProperties=true
-policy.allowSystemProperty=true
-policy.ignoreIdentityScope=false
-keystore.type=bcfks
-keystore.type.compat=true
-package.access=sun.,\
-               org.GNOME.Accessibility.,\
-               com.sun.xml.internal.,\
-               com.sun.imageio.,\
-               com.sun.istack.internal.,\
-               com.sun.jmx.,\
-               com.sun.media.sound.,\
-               com.sun.naming.internal.,\
-               com.sun.proxy.,\
-               com.sun.corba.se.,\
-               com.sun.org.apache.bcel.internal.,\
-               com.sun.org.apache.regexp.internal.,\
-               com.sun.org.apache.xerces.internal.,\
-               com.sun.org.apache.xpath.internal.,\
-               com.sun.org.apache.xalan.internal.extensions.,\
-               com.sun.org.apache.xalan.internal.lib.,\
-               com.sun.org.apache.xalan.internal.res.,\
-               com.sun.org.apache.xalan.internal.templates.,\
-               com.sun.org.apache.xalan.internal.utils.,\
-               com.sun.org.apache.xalan.internal.xslt.,\
-               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
-               com.sun.org.apache.xalan.internal.xsltc.compiler.,\
-               com.sun.org.apache.xalan.internal.xsltc.trax.,\
-               com.sun.org.apache.xalan.internal.xsltc.util.,\
-               com.sun.org.apache.xml.internal.res.,\
-               com.sun.org.apache.xml.internal.resolver.helpers.,\
-               com.sun.org.apache.xml.internal.resolver.readers.,\
-               com.sun.org.apache.xml.internal.security.,\
-               com.sun.org.apache.xml.internal.serializer.utils.,\
-               com.sun.org.apache.xml.internal.utils.,\
-               com.sun.org.glassfish.,\
-               com.oracle.xmlns.internal.,\
-               com.oracle.webservices.internal.,\
-               oracle.jrockit.jfr.,\
-               org.jcp.xml.dsig.internal.,\
-               jdk.internal.,\
-               jdk.nashorn.internal.,\
-               jdk.nashorn.tools.,\
-               jdk.xml.internal.,\
-               com.sun.activation.registries.
-
-package.definition=sun.,\
-                   com.sun.xml.internal.,\
-                   com.sun.imageio.,\
-                   com.sun.istack.internal.,\
-                   com.sun.jmx.,\
-                   com.sun.media.sound.,\
-                   com.sun.naming.internal.,\
-                   com.sun.proxy.,\
-                   com.sun.corba.se.,\
-                   com.sun.org.apache.bcel.internal.,\
-                   com.sun.org.apache.regexp.internal.,\
-                   com.sun.org.apache.xerces.internal.,\
-                   com.sun.org.apache.xpath.internal.,\
-                   com.sun.org.apache.xalan.internal.extensions.,\
-                   com.sun.org.apache.xalan.internal.lib.,\
-                   com.sun.org.apache.xalan.internal.res.,\
-                   com.sun.org.apache.xalan.internal.templates.,\
-                   com.sun.org.apache.xalan.internal.utils.,\
-                   com.sun.org.apache.xalan.internal.xslt.,\
-                   com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
-                   com.sun.org.apache.xalan.internal.xsltc.compiler.,\
-                   com.sun.org.apache.xalan.internal.xsltc.trax.,\
-                   com.sun.org.apache.xalan.internal.xsltc.util.,\
-                   com.sun.org.apache.xml.internal.res.,\
-                   com.sun.org.apache.xml.internal.resolver.helpers.,\
-                   com.sun.org.apache.xml.internal.resolver.readers.,\
-                   com.sun.org.apache.xml.internal.security.,\
-                   com.sun.org.apache.xml.internal.serializer.utils.,\
-                   com.sun.org.apache.xml.internal.utils.,\
-                   com.sun.org.glassfish.,\
-                   com.oracle.xmlns.internal.,\
-                   com.oracle.webservices.internal.,\
-                   oracle.jrockit.jfr.,\
-                   org.jcp.xml.dsig.internal.,\
-                   jdk.internal.,\
-                   jdk.nashorn.internal.,\
-                   jdk.nashorn.tools.,\
-                   jdk.xml.internal.,\
-                   com.sun.activation.registries.
-
-ssl.KeyManagerFactory.algorithm=SunX509
-ssl.TrustManagerFactory.algorithm=PKIX
-networkaddress.cache.negative.ttl=10
-krb5.kdc.bad.policy = tryLast
-jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
-
-jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
-
-
-jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
-
-jdk.tls.legacyAlgorithms= \
-        K_NULL, C_NULL, M_NULL, \
-        DH_anon, ECDH_anon, \
-        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
-        3DES_EDE_CBC
-crypto.policy=unlimited
-
-jdk.xml.dsig.secureValidationPolicy=\
-    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
-    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
-    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
-    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
-    maxTransforms 5,\
-    maxReferences 30,\
-    disallowReferenceUriSchemes file http https,\
-    minKeySize RSA 1024,\
-    minKeySize DSA 1024,\
-    minKeySize EC 224,\
-    noDuplicateIds,\
-    noRetrievalMethodLoops
-
-jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
-  java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
diff --git a/buildSrc/src/main/resources/fips_java_bcjsse_11.security b/distribution/src/config/fips_java.security
similarity index 84%
rename from buildSrc/src/main/resources/fips_java_bcjsse_11.security
rename to distribution/src/config/fips_java.security
index e6a025e7eb10d..e54e471c89e71 100644
--- a/buildSrc/src/main/resources/fips_java_bcjsse_11.security
+++ b/distribution/src/config/fips_java.security
@@ -12,7 +12,6 @@ policy.provider=sun.security.provider.PolicyFile
 policy.expandProperties=true
 policy.allowSystemProperty=true
 policy.ignoreIdentityScope=false
-keystore.type=BCFKS
 keystore.type.compat=true
 package.access=sun.misc.,\
                sun.reflect.
@@ -23,12 +22,9 @@ ssl.KeyManagerFactory.algorithm=PKIX
 ssl.TrustManagerFactory.algorithm=PKIX
 networkaddress.cache.negative.ttl=10
 krb5.kdc.bad.policy = tryLast
-jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
-jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
-      DSA keySize < 1024
-jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
 jdk.tls.legacyAlgorithms= \
         K_NULL, C_NULL, M_NULL, \
         DH_anon, ECDH_anon, \
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java
index 533d1f7e782ba..8ab3a65090b2b 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java
@@ -148,7 +148,7 @@ private List<String> jvmOptions(final Path config, final String opensearchJavaOp
 
         final List<String> substitutedJvmOptions = substitutePlaceholders(jvmOptions, Collections.unmodifiableMap(substitutions));
         final List<String> ergonomicJvmOptions = JvmErgonomics.choose(substitutedJvmOptions);
-        final List<String> systemJvmOptions = SystemJvmOptions.systemJvmOptions();
+        final List<String> systemJvmOptions = SystemJvmOptions.systemJvmOptions(config);
         final List<String> finalJvmOptions = new ArrayList<>(
             systemJvmOptions.size() + substitutedJvmOptions.size() + ergonomicJvmOptions.size()
         );
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index af7138569972a..5098d0e343f5f 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -32,6 +32,7 @@
 
 package org.opensearch.tools.launchers;
 
+import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -39,7 +40,7 @@
 
 final class SystemJvmOptions {
 
-    static List<String> systemJvmOptions() {
+    static List<String> systemJvmOptions(final Path config) {
         return Collections.unmodifiableList(
             Arrays.asList(
                 /*
@@ -79,11 +80,17 @@ static List<String> systemJvmOptions() {
                 "-Dlog4j2.disable.jmx=true",
                 // security manager
                 allowSecurityManagerOption(),
+                loadJavaSecurityProperties(config),
                 javaLocaleProviders()
             )
         ).stream().filter(e -> e.isEmpty() == false).collect(Collectors.toList());
     }
 
+    private static String loadJavaSecurityProperties(final Path config) {
+        var securityFile = config.resolve("fips_java.security").toFile();
+        return "-Djava.security.properties=" + securityFile.getAbsolutePath();
+    }
+
     private static String allowSecurityManagerOption() {
         if (Runtime.version().feature() > 17) {
             return "-Djava.security.manager=allow";
diff --git a/distribution/tools/plugin-cli/licenses/bouncycastle-LICENSE.txt b/distribution/tools/plugin-cli/licenses/bouncycastle-LICENSE.txt
index 1bd35a7a35c21..5c7c14696849d 100644
--- a/distribution/tools/plugin-cli/licenses/bouncycastle-LICENSE.txt
+++ b/distribution/tools/plugin-cli/licenses/bouncycastle-LICENSE.txt
@@ -1,17 +1,14 @@
-Copyright (c) 2000-2015 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org) 
+Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software 
-and associated documentation files (the "Software"), to deal in the Software without restriction, 
-including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, 
-and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or substantial
-portions of the Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
-INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
-PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/gradle/fips.gradle b/gradle/fips.gradle
deleted file mode 100644
index 1ce2cb89176f6..0000000000000
--- a/gradle/fips.gradle
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- *
- * Modifications Copyright OpenSearch Contributors. See
- * GitHub history for details.
- */
-
-import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
-import org.opensearch.gradle.info.BuildParams
-import org.opensearch.gradle.testclusters.OpenSearchCluster
-
-// Common config when running with a FIPS-140 runtime JVM
-if (BuildParams.inFipsJvm) {
-
-  allprojects {
-    File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
-    boolean java8 = BuildParams.runtimeJavaVersion == JavaVersion.VERSION_1_8
-    boolean zulu8 = java8 && BuildParams.runtimeJavaDetails.contains("Zulu")
-    File fipsSecurity;
-    File fipsPolicy;
-    if (java8) {
-      if (zulu8) {
-        //Azul brings many changes from JDK 11 to their Zulu8 so we can only use BCJSSE
-        fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_8.security")
-        fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_8.policy")
-      } else {
-        fipsSecurity = new File(fipsResourcesDir, "fips_java_sunjsse.security")
-        fipsPolicy = new File(fipsResourcesDir, "fips_java_sunjsse.policy")
-      }
-    } else {
-      fipsSecurity = new File(fipsResourcesDir, "fips_java_bcjsse_11.security")
-      fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
-    }
-    File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.1')
-    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.12.2')
-
-    pluginManager.withPlugin('java') {
-      TaskProvider<ExportOpenSearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask)
-      fipsResourcesTask.configure {
-        outputDir = fipsResourcesDir
-        copy fipsSecurity.name
-        copy fipsPolicy.name
-        copy 'cacerts.bcfks'
-      }
-
-      project.afterEvaluate {
-        def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
-        // ensure that bouncycastle is on classpath for the all of test types, must happen in evaluateAfter since the rest tests explicitly
-        // set the class path to help maintain pure black box testing, and here we are adding to that classpath
-        tasks.withType(Test).configureEach { Test test ->
-          test.setClasspath(test.getClasspath().plus(extraFipsJars))
-        }
-      }
-
-      pluginManager.withPlugin("opensearch.testclusters") {
-        afterEvaluate {
-          // This afterEvaluate hooks is required to avoid deprecated configuration resolution
-          // This configuration can be removed once system modules are available
-          def extraFipsJars = configurations.detachedConfiguration(bcFips, bcTlsFips)
-          testClusters.all {
-            extraFipsJars.files.each {
-              extraJarFile it
-            }
-          }
-        }
-        testClusters.all {
-          extraConfigFile "fips_java.security", fipsSecurity
-          extraConfigFile "fips_java.policy", fipsPolicy
-          extraConfigFile "cacerts.bcfks", fipsTrustStore
-          systemProperty 'java.security.properties', '=${OPENSEARCH_PATH_CONF}/fips_java.security'
-          systemProperty 'java.security.policy', '=${OPENSEARCH_PATH_CONF}/fips_java.policy'
-          systemProperty 'javax.net.ssl.trustStore', '${OPENSEARCH_PATH_CONF}/cacerts.bcfks'
-          systemProperty 'javax.net.ssl.trustStorePassword', 'password'
-          systemProperty 'javax.net.ssl.keyStorePassword', 'password'
-          systemProperty 'javax.net.ssl.keyStoreType', 'BCFKS'
-        }
-      }
-      project.tasks.withType(Test).configureEach { Test task ->
-        task.dependsOn('fipsResources')
-        task.systemProperty('javax.net.ssl.trustStorePassword', 'password')
-        task.systemProperty('javax.net.ssl.keyStorePassword', 'password')
-        task.systemProperty('javax.net.ssl.trustStoreType', 'BCFKS')
-        // Using the key==value format to override default JVM security settings and policy
-        // see also: https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html
-        task.systemProperty('java.security.properties', String.format(Locale.ROOT, "=%s", fipsSecurity))
-        task.systemProperty('java.security.policy', String.format(Locale.ROOT, "=%s", fipsPolicy))
-        task.systemProperty('javax.net.ssl.trustStore', fipsTrustStore)
-      }
-    }
-  }
-}
diff --git a/libs/ssl-config/build.gradle b/libs/ssl-config/build.gradle
index 3226ec12ff6f7..889c278ffbfcb 100644
--- a/libs/ssl-config/build.gradle
+++ b/libs/ssl-config/build.gradle
@@ -35,6 +35,10 @@ apply plugin: "opensearch.publish"
 dependencies {
   api project(':libs:opensearch-common')
 
+  // bouncyCastle
+  implementation 'org.bouncycastle:bcpkix-fips:1.0.7'
+  compileOnly 'org.bouncycastle:bc-fips:1.0.2.5'
+
   testImplementation(project(":test:framework")) {
     exclude group: 'org.opensearch', module: 'opensearch-ssl-config'
   }
@@ -49,6 +53,10 @@ tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 
+tasks.named("dependencyLicenses").configure {
+  mapping from: /bc.*/, to: 'bouncycastle'
+}
+
 forbiddenPatterns {
   exclude '**/*.key'
   exclude '**/*.pem'
diff --git a/libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1 b/libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1
new file mode 100644
index 0000000000000..cc29a787cee56
--- /dev/null
+++ b/libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1
@@ -0,0 +1 @@
+704e65f7e4fe679e5ab2aa8a840f27f8ced4c522
diff --git a/libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1 b/libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1
new file mode 100644
index 0000000000000..57cf4cfe10b5f
--- /dev/null
+++ b/libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1
@@ -0,0 +1 @@
+fe07959721cfa2156be9722ba20fdfee2b5441b0
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
index 859b74b200dc6..6d5b1b02c67ca 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
@@ -65,7 +65,7 @@ final class DefaultJdkTrustConfig implements SslTrustConfig {
      * Create a trust config that uses supplied {@link BiFunction} to determine the TrustStore type, and the relevant password.
      */
     DefaultJdkTrustConfig(BiFunction<String, String, String> systemProperties) {
-        this(systemProperties, isPkcs11Truststore(systemProperties) ? getSystemTrustStorePassword(systemProperties) : null);
+        this(systemProperties, getSystemTrustStorePassword(systemProperties));
     }
 
     /**
@@ -93,11 +93,16 @@ public X509ExtendedTrustManager createTrustManager() {
      * @return the KeyStore used as truststore for PKCS#11 initialized with the password, null otherwise
      */
     private KeyStore getSystemTrustStore() {
-        if (isPkcs11Truststore(systemProperties) && trustStorePassword != null) {
+        if (trustStorePassword != null) {
             try {
-                KeyStore keyStore = KeyStore.getInstance("PKCS11");
-                keyStore.load(null, trustStorePassword);
-                return keyStore;
+                if (isBcfksTruststore(systemProperties)) {
+                    var path = Path.of(System.getProperty("javax.net.ssl.trustStore", ""));
+                    KeyStoreUtil.readKeyStore(path, "BCFKS", trustStorePassword);
+                } else if (isPkcs11Truststore(systemProperties)) {
+                    KeyStore keyStore = KeyStore.getInstance("PKCS11");
+                    keyStore.load(null, trustStorePassword);
+                    return keyStore;
+                }
             } catch (GeneralSecurityException | IOException e) {
                 throw new SslConfigException("failed to load the system PKCS#11 truststore", e);
             }
@@ -105,12 +110,17 @@ private KeyStore getSystemTrustStore() {
         return null;
     }
 
+    private static boolean isBcfksTruststore(BiFunction<String, String, String> systemProperties) {
+        return systemProperties.apply("javax.net.ssl.trustStoreType", "").equalsIgnoreCase("BCFKS");
+    }
+
     private static boolean isPkcs11Truststore(BiFunction<String, String, String> systemProperties) {
         return systemProperties.apply("javax.net.ssl.trustStoreType", "").equalsIgnoreCase("PKCS11");
     }
 
     private static char[] getSystemTrustStorePassword(BiFunction<String, String, String> systemProperties) {
-        return systemProperties.apply("javax.net.ssl.trustStorePassword", "").toCharArray();
+        var password = systemProperties.apply("javax.net.ssl.trustStorePassword", "");
+        return password.isEmpty() ? null : password.toCharArray();
     }
 
     @Override
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
index b6b6cdd90af14..3fca84e303e27 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
@@ -71,6 +71,8 @@ static String inferKeyStoreType(Path path) {
         String name = path == null ? "" : path.toString().toLowerCase(Locale.ROOT);
         if (name.endsWith(".p12") || name.endsWith(".pfx") || name.endsWith(".pkcs12")) {
             return "PKCS12";
+        } else if (name.endsWith(".bks")) {
+            return "BCFKS";
         } else {
             return "jks";
         }
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemKeyConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemKeyConfig.java
index bfc29a5801b11..1865b13d644aa 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemKeyConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemKeyConfig.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common.ssl;
 
+import org.bouncycastle.pkcs.PKCSException;
+
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 
@@ -82,7 +84,12 @@ public X509ExtendedKeyManager createKeyManager() {
 
     private PrivateKey getPrivateKey() {
         try {
-            final PrivateKey privateKey = PemUtils.readPrivateKey(key, () -> keyPassword);
+            final PrivateKey privateKey = PemUtils.readPrivateKey(key, () -> {
+                if (keyPassword.length == 0) {
+                    throw new SslConfigException("cannot read encrypted key [" + key.toAbsolutePath() + "] without a password");
+                }
+                return keyPassword;
+            });
             if (privateKey == null) {
                 throw new SslConfigException("could not load ssl private key file [" + key + "]");
             }
@@ -91,7 +98,7 @@ private PrivateKey getPrivateKey() {
             throw new SslConfigException("the configured ssl private key file [" + key.toAbsolutePath() + "] does not exist", e);
         } catch (IOException e) {
             throw new SslConfigException("the configured ssl private key file [" + key.toAbsolutePath() + "] cannot be read", e);
-        } catch (GeneralSecurityException e) {
+        } catch (PKCSException e) {
             throw new SslConfigException("cannot load ssl private key file [" + key.toAbsolutePath() + "]", e);
         }
     }
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
index 8a3730ee554f9..df842650d65ca 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
@@ -32,68 +32,32 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.CharArrays;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
+import org.bouncycastle.pkcs.PKCSException;
+import org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder;
 
-import javax.crypto.Cipher;
-import javax.crypto.EncryptedPrivateKeyInfo;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
+import java.security.PrivateKey;
 
-import java.io.BufferedReader;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.InputStream;
-import java.math.BigInteger;
-import java.nio.charset.StandardCharsets;
+import java.io.*;
 import java.nio.file.Files;
-import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.KeyPairGenerator;
-import java.security.MessageDigest;
-import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
-import java.security.interfaces.ECKey;
-import java.security.spec.AlgorithmParameterSpec;
-import java.security.spec.DSAPrivateKeySpec;
-import java.security.spec.ECGenParameterSpec;
-import java.security.spec.ECParameterSpec;
-import java.security.spec.ECPrivateKeySpec;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.RSAPrivateCrtKeySpec;
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Base64;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
 import java.util.function.Supplier;
 
 final class PemUtils {
 
-    private static final String PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----";
-    private static final String PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----";
-    private static final String OPENSSL_DSA_HEADER = "-----BEGIN DSA PRIVATE KEY-----";
-    private static final String OPENSSL_DSA_FOOTER = "-----END DSA PRIVATE KEY-----";
-    private static final String OPENSSL_DSA_PARAMS_HEADER = "-----BEGIN DSA PARAMETERS-----";
-    private static final String OPENSSL_DSA_PARAMS_FOOTER = "-----END DSA PARAMETERS-----";
-    private static final String PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----";
-    private static final String PKCS8_FOOTER = "-----END PRIVATE KEY-----";
-    private static final String PKCS8_ENCRYPTED_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
-    private static final String PKCS8_ENCRYPTED_FOOTER = "-----END ENCRYPTED PRIVATE KEY-----";
-    private static final String OPENSSL_EC_HEADER = "-----BEGIN EC PRIVATE KEY-----";
-    private static final String OPENSSL_EC_FOOTER = "-----END EC PRIVATE KEY-----";
-    private static final String OPENSSL_EC_PARAMS_HEADER = "-----BEGIN EC PARAMETERS-----";
-    private static final String OPENSSL_EC_PARAMS_FOOTER = "-----END EC PARAMETERS-----";
-    private static final String HEADER = "-----BEGIN";
-
     private PemUtils() {
         throw new IllegalStateException("Utility class should not be instantiated");
     }
@@ -106,555 +70,88 @@ private PemUtils() {
      * @param passwordSupplier A password supplier for the potentially encrypted (password protected) key
      * @return a private key from the contents of the file
      */
-    public static PrivateKey readPrivateKey(Path keyPath, Supplier<char[]> passwordSupplier) throws IOException, GeneralSecurityException {
-        try (BufferedReader bReader = Files.newBufferedReader(keyPath, StandardCharsets.UTF_8)) {
-            String line = bReader.readLine();
-            while (null != line && line.startsWith(HEADER) == false) {
-                line = bReader.readLine();
-            }
-            if (null == line) {
-                throw new SslConfigException("Error parsing Private Key [" + keyPath.toAbsolutePath() + "], file is empty");
-            }
-            if (PKCS8_ENCRYPTED_HEADER.equals(line.trim())) {
-                char[] password = passwordSupplier.get();
-                if (password == null) {
-                    throw new SslConfigException("cannot read encrypted key [" + keyPath.toAbsolutePath() + "] without a password");
-                }
-                return parsePKCS8Encrypted(bReader, password);
-            } else if (PKCS8_HEADER.equals(line.trim())) {
-                return parsePKCS8(bReader);
-            } else if (PKCS1_HEADER.equals(line.trim())) {
-                return parsePKCS1Rsa(bReader, passwordSupplier);
-            } else if (OPENSSL_DSA_HEADER.equals(line.trim())) {
-                return parseOpenSslDsa(bReader, passwordSupplier);
-            } else if (OPENSSL_DSA_PARAMS_HEADER.equals(line.trim())) {
-                return parseOpenSslDsa(removeDsaHeaders(bReader), passwordSupplier);
-            } else if (OPENSSL_EC_HEADER.equals(line.trim())) {
-                return parseOpenSslEC(bReader, passwordSupplier);
-            } else if (OPENSSL_EC_PARAMS_HEADER.equals(line.trim())) {
-                return parseOpenSslEC(removeECHeaders(bReader), passwordSupplier);
-            } else {
-                throw new SslConfigException(
-                    "error parsing Private Key [" + keyPath.toAbsolutePath() + "], file does not contain a supported key format"
-                );
-            }
-        } catch (FileNotFoundException | NoSuchFileException e) {
-            throw new SslConfigException("private key file [" + keyPath.toAbsolutePath() + "] does not exist", e);
-        } catch (IOException | GeneralSecurityException e) {
-            throw new SslConfigException("private key file [" + keyPath.toAbsolutePath() + "] cannot be parsed", e);
-        }
-    }
-
-    /**
-     * Removes the EC Headers that OpenSSL adds to EC private keys as the information in them
-     * is redundant
-     *
-     * @throws IOException if the EC Parameter footer is missing
-     */
-    private static BufferedReader removeECHeaders(BufferedReader bReader) throws IOException {
-        String line = bReader.readLine();
-        while (line != null) {
-            if (OPENSSL_EC_PARAMS_FOOTER.equals(line.trim())) {
-                break;
-            }
-            line = bReader.readLine();
-        }
-        if (null == line || OPENSSL_EC_PARAMS_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, EC Parameters footer is missing");
-        }
-        // Verify that the key starts with the correct header before passing it to parseOpenSslEC
-        if (OPENSSL_EC_HEADER.equals(bReader.readLine()) == false) {
-            throw new IOException("Malformed PEM file, EC Key header is missing");
-        }
-        return bReader;
-    }
-
-    /**
-     * Removes the DSA Params Headers that OpenSSL adds to DSA private keys as the information in them
-     * is redundant
-     *
-     * @throws IOException if the EC Parameter footer is missing
-     */
-    private static BufferedReader removeDsaHeaders(BufferedReader bReader) throws IOException {
-        String line = bReader.readLine();
-        while (line != null) {
-            if (OPENSSL_DSA_PARAMS_FOOTER.equals(line.trim())) {
-                break;
-            }
-            line = bReader.readLine();
-        }
-        if (null == line || OPENSSL_DSA_PARAMS_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, DSA Parameters footer is missing");
-        }
-        // Verify that the key starts with the correct header before passing it to parseOpenSslDsa
-        if (OPENSSL_DSA_HEADER.equals(bReader.readLine()) == false) {
-            throw new IOException("Malformed PEM file, DSA Key header is missing");
-        }
-        return bReader;
-    }
-
-    /**
-     * Creates a {@link PrivateKey} from the contents of {@code bReader} that contains an plaintext private key encoded in
-     * PKCS#8
-     *
-     * @param bReader the {@link BufferedReader} containing the key file contents
-     * @return {@link PrivateKey}
-     * @throws IOException              if the file can't be read
-     * @throws GeneralSecurityException if the private key can't be generated from the {@link PKCS8EncodedKeySpec}
-     */
-    private static PrivateKey parsePKCS8(BufferedReader bReader) throws IOException, GeneralSecurityException {
-        StringBuilder sb = new StringBuilder();
-        String line = bReader.readLine();
-        while (line != null) {
-            if (PKCS8_FOOTER.equals(line.trim())) {
-                break;
-            }
-            sb.append(line.trim());
-            line = bReader.readLine();
-        }
-        if (null == line || PKCS8_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
-        }
-        byte[] keyBytes = Base64.getDecoder().decode(sb.toString());
-        String keyAlgo = getKeyAlgorithmIdentifier(keyBytes);
-        KeyFactory keyFactory = KeyFactory.getInstance(keyAlgo);
-        return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
-    }
-
-    /**
-     * Creates a {@link PrivateKey} from the contents of {@code bReader} that contains an EC private key encoded in
-     * OpenSSL traditional format.
-     *
-     * @param bReader          the {@link BufferedReader} containing the key file contents
-     * @param passwordSupplier A password supplier for the potentially encrypted (password protected) key
-     * @return {@link PrivateKey}
-     * @throws IOException              if the file can't be read
-     * @throws GeneralSecurityException if the private key can't be generated from the {@link ECPrivateKeySpec}
-     */
-    private static PrivateKey parseOpenSslEC(BufferedReader bReader, Supplier<char[]> passwordSupplier) throws IOException,
-        GeneralSecurityException {
-        StringBuilder sb = new StringBuilder();
-        String line = bReader.readLine();
-        Map<String, String> pemHeaders = new HashMap<>();
-        while (line != null) {
-            if (OPENSSL_EC_FOOTER.equals(line.trim())) {
-                break;
-            }
-            // Parse PEM headers according to https://www.ietf.org/rfc/rfc1421.txt
-            if (line.contains(":")) {
-                String[] header = line.split(":");
-                pemHeaders.put(header[0].trim(), header[1].trim());
-            } else {
-                sb.append(line.trim());
-            }
-            line = bReader.readLine();
-        }
-        if (null == line || OPENSSL_EC_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
-        }
-        byte[] keyBytes = possiblyDecryptPKCS1Key(pemHeaders, sb.toString(), passwordSupplier);
-        KeyFactory keyFactory = KeyFactory.getInstance("EC");
-        ECPrivateKeySpec ecSpec = parseEcDer(keyBytes);
-        return keyFactory.generatePrivate(ecSpec);
+    public static PrivateKey readPrivateKey(Path keyPath, Supplier<char[]> passwordSupplier) throws IOException, PKCSException {
+            PrivateKeyInfo pki = loadPrivateKeyFromFile(keyPath, passwordSupplier);
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            return converter.getPrivateKey(pki);
     }
 
-    /**
-     * Creates a {@link PrivateKey} from the contents of {@code bReader} that contains an RSA private key encoded in
-     * OpenSSL traditional format.
-     *
-     * @param bReader          the {@link BufferedReader} containing the key file contents
-     * @param passwordSupplier A password supplier for the potentially encrypted (password protected) key
-     * @return {@link PrivateKey}
-     * @throws IOException              if the file can't be read
-     * @throws GeneralSecurityException if the private key can't be generated from the {@link RSAPrivateCrtKeySpec}
-     */
-    private static PrivateKey parsePKCS1Rsa(BufferedReader bReader, Supplier<char[]> passwordSupplier) throws IOException,
-        GeneralSecurityException {
-        StringBuilder sb = new StringBuilder();
-        String line = bReader.readLine();
-        Map<String, String> pemHeaders = new HashMap<>();
-
-        while (line != null) {
-            if (PKCS1_FOOTER.equals(line.trim())) {
-                // Unencrypted
-                break;
-            }
-            // Parse PEM headers according to https://www.ietf.org/rfc/rfc1421.txt
-            if (line.contains(":")) {
-                String[] header = line.split(":");
-                pemHeaders.put(header[0].trim(), header[1].trim());
-            } else {
-                sb.append(line.trim());
+    static List<Certificate> readCertificates(Collection<Path> certPaths) throws CertificateException, IOException {
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+        List<Certificate> certificates = new ArrayList<>(certPaths.size());
+        for (Path path : certPaths) {
+            try (InputStream input = Files.newInputStream(path)) {
+                final Collection<? extends Certificate> parsed = certFactory.generateCertificates(input);
+                if (parsed.isEmpty()) {
+                    throw new SslConfigException("failed to parse any certificates from [" + path.toAbsolutePath() + "]");
+                }
+                certificates.addAll(parsed);
             }
-            line = bReader.readLine();
         }
-        if (null == line || PKCS1_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
-        }
-        byte[] keyBytes = possiblyDecryptPKCS1Key(pemHeaders, sb.toString(), passwordSupplier);
-        RSAPrivateCrtKeySpec spec = parseRsaDer(keyBytes);
-        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-        return keyFactory.generatePrivate(spec);
+        return certificates;
     }
 
     /**
-     * Creates a {@link PrivateKey} from the contents of {@code bReader} that contains an DSA private key encoded in
-     * OpenSSL traditional format.
+     * Creates a {@link PrivateKey} from the private key, with or without encryption.
+     * When enforcing the approved-only mode in Java security settings, some functionalities might be restricted due to the limited
+     * set of allowed algorithms. One such restriction includes Password Based Key Derivation Functions (PBKDF) like those used by OpenSSL
+     * and PKCS#12 formats. Since these formats rely on PBKDF algorithms, they cannot operate correctly within the approved-only mode.
+     * Consequently, attempting to utilize them could result in a {@link java.security.NoSuchAlgorithmException}.
      *
-     * @param bReader          the {@link BufferedReader} containing the key file contents
-     * @param passwordSupplier A password supplier for the potentially encrypted (password protected) key
+     * @param passwordSupplier The password supplier for the encrypted (password protected) key
      * @return {@link PrivateKey}
-     * @throws IOException              if the file can't be read
-     * @throws GeneralSecurityException if the private key can't be generated from the {@link DSAPrivateKeySpec}
-     */
-    private static PrivateKey parseOpenSslDsa(BufferedReader bReader, Supplier<char[]> passwordSupplier) throws IOException,
-        GeneralSecurityException {
-        StringBuilder sb = new StringBuilder();
-        String line = bReader.readLine();
-        Map<String, String> pemHeaders = new HashMap<>();
-
-        while (line != null) {
-            if (OPENSSL_DSA_FOOTER.equals(line.trim())) {
-                // Unencrypted
-                break;
-            }
-            // Parse PEM headers according to https://www.ietf.org/rfc/rfc1421.txt
-            if (line.contains(":")) {
-                String[] header = line.split(":");
-                pemHeaders.put(header[0].trim(), header[1].trim());
+     * @throws IOException If the file can't be read
+     */
+    private static PrivateKeyInfo loadPrivateKeyFromFile(Path keyPath, Supplier<char[]> passwordSupplier)
+        throws IOException, PKCSException {
+        try (PEMParser pemParser = new PEMParser(new FileReader(keyPath.toFile()))) {
+            Object object = readObject(keyPath, pemParser);
+
+            if (object instanceof PKCS8EncryptedPrivateKeyInfo) { // encrypted private key in pkcs8-format
+                var privateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) object;
+                var inputDecryptorProvider = new JcePKCSPBEInputDecryptorProviderBuilder()
+                    .setProvider("BCFIPS")
+                    .build(passwordSupplier.get());
+                return privateKeyInfo.decryptPrivateKeyInfo(inputDecryptorProvider);
+            } else if (object instanceof PEMEncryptedKeyPair) { // encrypted private key
+                var encryptedKeyPair = (PEMEncryptedKeyPair) object;
+                var decryptorProvider = new JcePEMDecryptorProviderBuilder()
+                    .setProvider("BCFIPS")
+                    .build(passwordSupplier.get());
+                var keyPair = encryptedKeyPair.decryptKeyPair(decryptorProvider);
+                return keyPair.getPrivateKeyInfo();
+            } else if (object instanceof PEMKeyPair) { // unencrypted private key
+                return ((PEMKeyPair) object).getPrivateKeyInfo();
+            } else if (object instanceof PrivateKeyInfo) { // unencrypted private key in pkcs8-format
+                return (PrivateKeyInfo) object;
             } else {
-                sb.append(line.trim());
+                throw new SslConfigException(String.format(
+                    "error parsing private key [%s], invalid encrypted private key class: [%s]",
+                    keyPath.toAbsolutePath(),
+                    object.getClass().getName()
+                ));
             }
-            line = bReader.readLine();
         }
-        if (null == line || OPENSSL_DSA_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
-        }
-        byte[] keyBytes = possiblyDecryptPKCS1Key(pemHeaders, sb.toString(), passwordSupplier);
-        DSAPrivateKeySpec spec = parseDsaDer(keyBytes);
-        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
-        return keyFactory.generatePrivate(spec);
-    }
-
-    /**
-     * Creates a {@link PrivateKey} from the contents of {@code bReader} that contains an encrypted private key encoded in
-     * PKCS#8
-     *
-     * @param bReader     the {@link BufferedReader} containing the key file contents
-     * @param keyPassword The password for the encrypted (password protected) key
-     * @return {@link PrivateKey}
-     * @throws IOException              if the file can't be read
-     * @throws GeneralSecurityException if the private key can't be generated from the {@link PKCS8EncodedKeySpec}
-     */
-    private static PrivateKey parsePKCS8Encrypted(BufferedReader bReader, char[] keyPassword) throws IOException, GeneralSecurityException {
-        StringBuilder sb = new StringBuilder();
-        String line = bReader.readLine();
-        while (line != null) {
-            if (PKCS8_ENCRYPTED_FOOTER.equals(line.trim())) {
-                break;
-            }
-            sb.append(line.trim());
-            line = bReader.readLine();
-        }
-        if (null == line || PKCS8_ENCRYPTED_FOOTER.equals(line.trim()) == false) {
-            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
-        }
-        byte[] keyBytes = Base64.getDecoder().decode(sb.toString());
-
-        EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(keyBytes);
-        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(encryptedPrivateKeyInfo.getAlgName());
-        SecretKey secretKey = secretKeyFactory.generateSecret(new PBEKeySpec(keyPassword));
-        Cipher cipher = Cipher.getInstance(encryptedPrivateKeyInfo.getAlgName());
-        cipher.init(Cipher.DECRYPT_MODE, secretKey, encryptedPrivateKeyInfo.getAlgParameters());
-        PKCS8EncodedKeySpec keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
-        String keyAlgo = getKeyAlgorithmIdentifier(keySpec.getEncoded());
-        KeyFactory keyFactory = KeyFactory.getInstance(keyAlgo);
-        return keyFactory.generatePrivate(keySpec);
-    }
-
-    /**
-     * Decrypts the password protected contents using the algorithm and IV that is specified in the PEM Headers of the file
-     *
-     * @param pemHeaders       The Proc-Type and DEK-Info PEM headers that have been extracted from the key file
-     * @param keyContents      The key as a base64 encoded String
-     * @param passwordSupplier A password supplier for the encrypted (password protected) key
-     * @return the decrypted key bytes
-     * @throws GeneralSecurityException if the key can't be decrypted
-     * @throws IOException              if the PEM headers are missing or malformed
-     */
-    private static byte[] possiblyDecryptPKCS1Key(Map<String, String> pemHeaders, String keyContents, Supplier<char[]> passwordSupplier)
-        throws GeneralSecurityException, IOException {
-        byte[] keyBytes = Base64.getDecoder().decode(keyContents);
-        String procType = pemHeaders.get("Proc-Type");
-        if ("4,ENCRYPTED".equals(procType)) {
-            // We only handle PEM encryption
-            String encryptionParameters = pemHeaders.get("DEK-Info");
-            if (null == encryptionParameters) {
-                // malformed pem
-                throw new IOException("Malformed PEM File, DEK-Info header is missing");
-            }
-            char[] password = passwordSupplier.get();
-            if (password == null) {
-                throw new IOException("cannot read encrypted key without a password");
-            }
-            Cipher cipher = getCipherFromParameters(encryptionParameters, password);
-            byte[] decryptedKeyBytes = cipher.doFinal(keyBytes);
-            return decryptedKeyBytes;
-        }
-        return keyBytes;
-    }
-
-    /**
-     * Creates a {@link Cipher} from the contents of the DEK-Info header of a PEM file. RFC 1421 indicates that supported algorithms are
-     * defined in RFC 1423. RFC 1423 only defines DES-CBS and triple DES (EDE) in CBC mode. AES in CBC mode is also widely used though ( 3
-     * different variants of 128, 192, 256 bit keys )
-     *
-     * @param dekHeaderValue The value of the DEK-Info PEM header
-     * @param password       The password with which the key is encrypted
-     * @return a cipher of the appropriate algorithm and parameters to be used for decryption
-     * @throws GeneralSecurityException if the algorithm is not available in the used security provider, or if the key is inappropriate
-     * for the cipher
-     * @throws IOException if the DEK-Info PEM header is invalid
-     */
-    private static Cipher getCipherFromParameters(String dekHeaderValue, char[] password) throws GeneralSecurityException, IOException {
-        final String padding = "PKCS5Padding";
-        final SecretKey encryptionKey;
-        final String[] valueTokens = dekHeaderValue.split(",");
-        if (valueTokens.length != 2) {
-            throw new IOException("Malformed PEM file, DEK-Info PEM header is invalid");
-        }
-        final String algorithm = valueTokens[0];
-        final String ivString = valueTokens[1];
-        final byte[] iv;
-        try {
-            iv = hexStringToByteArray(ivString);
-        } catch (IllegalArgumentException e) {
-            throw new IOException("Malformed PEM file, DEK-Info IV is invalid", e);
-        }
-        if ("DES-CBC".equals(algorithm)) {
-            byte[] key = generateOpenSslKey(password, iv, 8);
-            encryptionKey = new SecretKeySpec(key, "DES");
-        } else if ("DES-EDE3-CBC".equals(algorithm)) {
-            byte[] key = generateOpenSslKey(password, iv, 24);
-            encryptionKey = new SecretKeySpec(key, "DESede");
-        } else if ("AES-128-CBC".equals(algorithm)) {
-            byte[] key = generateOpenSslKey(password, iv, 16);
-            encryptionKey = new SecretKeySpec(key, "AES");
-        } else if ("AES-192-CBC".equals(algorithm)) {
-            byte[] key = generateOpenSslKey(password, iv, 24);
-            encryptionKey = new SecretKeySpec(key, "AES");
-        } else if ("AES-256-CBC".equals(algorithm)) {
-            byte[] key = generateOpenSslKey(password, iv, 32);
-            encryptionKey = new SecretKeySpec(key, "AES");
-        } else {
-            throw new GeneralSecurityException("Private Key encrypted with unsupported algorithm [" + algorithm + "]");
-        }
-        String transformation = encryptionKey.getAlgorithm() + "/" + "CBC" + "/" + padding;
-        Cipher cipher = Cipher.getInstance(transformation);
-        cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new IvParameterSpec(iv));
-        return cipher;
-    }
-
-    /**
-     * Performs key stretching in the same manner that OpenSSL does. This is basically a KDF
-     * that uses n rounds of salted MD5 (as many times as needed to get the necessary number of key bytes)
-     * <p>
-     * https://www.openssl.org/docs/man1.1.0/crypto/PEM_write_bio_PrivateKey_traditional.html
-     */
-    private static byte[] generateOpenSslKey(char[] password, byte[] salt, int keyLength) {
-        byte[] passwordBytes = CharArrays.toUtf8Bytes(password);
-        MessageDigest md5 = SslUtil.messageDigest("md5");
-        byte[] key = new byte[keyLength];
-        int copied = 0;
-        int remaining;
-        while (copied < keyLength) {
-            remaining = keyLength - copied;
-            md5.update(passwordBytes, 0, passwordBytes.length);
-            md5.update(salt, 0, 8);// AES IV (salt) is longer but we only need 8 bytes
-            byte[] tempDigest = md5.digest();
-            int bytesToCopy = (remaining > 16) ? 16 : remaining; // MD5 digests are 16 bytes
-            System.arraycopy(tempDigest, 0, key, copied, bytesToCopy);
-            copied += bytesToCopy;
-            if (remaining == 0) {
-                break;
-            }
-            md5.update(tempDigest, 0, 16); // use previous round digest as IV
-        }
-        Arrays.fill(passwordBytes, (byte) 0);
-        return key;
-    }
-
-    /**
-     * Converts a hexadecimal string to a byte array
-     */
-    private static byte[] hexStringToByteArray(String hexString) {
-        int len = hexString.length();
-        if (len % 2 == 0) {
-            byte[] data = new byte[len / 2];
-            for (int i = 0; i < len; i += 2) {
-                final int k = Character.digit(hexString.charAt(i), 16);
-                final int l = Character.digit(hexString.charAt(i + 1), 16);
-                if (k == -1 || l == -1) {
-                    throw new IllegalStateException("String [" + hexString + "] is not hexadecimal");
-                }
-                data[i / 2] = (byte) ((k << 4) + l);
-            }
-            return data;
-        } else {
-            throw new IllegalStateException(
-                "Hexadecimal string [" + hexString + "] has odd length and cannot be converted to a byte array"
-            );
-        }
-    }
-
-    /**
-     * Parses a DER encoded EC key to an {@link ECPrivateKeySpec} using a minimal {@link DerParser}
-     *
-     * @param keyBytes the private key raw bytes
-     * @return {@link ECPrivateKeySpec}
-     * @throws IOException if the DER encoded key can't be parsed
-     */
-    private static ECPrivateKeySpec parseEcDer(byte[] keyBytes) throws IOException, GeneralSecurityException {
-        DerParser parser = new DerParser(keyBytes);
-        DerParser.Asn1Object sequence = parser.readAsn1Object();
-        parser = sequence.getParser();
-        parser.readAsn1Object().getInteger(); // version
-        String keyHex = parser.readAsn1Object().getString();
-        BigInteger privateKeyInt = new BigInteger(keyHex, 16);
-        DerParser.Asn1Object choice = parser.readAsn1Object();
-        parser = choice.getParser();
-        String namedCurve = getEcCurveNameFromOid(parser.readAsn1Object().getOid());
-        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
-        AlgorithmParameterSpec algorithmParameterSpec = new ECGenParameterSpec(namedCurve);
-        keyPairGenerator.initialize(algorithmParameterSpec);
-        ECParameterSpec parameterSpec = ((ECKey) keyPairGenerator.generateKeyPair().getPrivate()).getParams();
-        return new ECPrivateKeySpec(privateKeyInt, parameterSpec);
-    }
-
-    /**
-     * Parses a DER encoded RSA key to a {@link RSAPrivateCrtKeySpec} using a minimal {@link DerParser}
-     *
-     * @param keyBytes the private key raw bytes
-     * @return {@link RSAPrivateCrtKeySpec}
-     * @throws IOException if the DER encoded key can't be parsed
-     */
-    private static RSAPrivateCrtKeySpec parseRsaDer(byte[] keyBytes) throws IOException {
-        DerParser parser = new DerParser(keyBytes);
-        DerParser.Asn1Object sequence = parser.readAsn1Object();
-        parser = sequence.getParser();
-        parser.readAsn1Object().getInteger(); // (version) We don't need it but must read to get to modulus
-        BigInteger modulus = parser.readAsn1Object().getInteger();
-        BigInteger publicExponent = parser.readAsn1Object().getInteger();
-        BigInteger privateExponent = parser.readAsn1Object().getInteger();
-        BigInteger prime1 = parser.readAsn1Object().getInteger();
-        BigInteger prime2 = parser.readAsn1Object().getInteger();
-        BigInteger exponent1 = parser.readAsn1Object().getInteger();
-        BigInteger exponent2 = parser.readAsn1Object().getInteger();
-        BigInteger coefficient = parser.readAsn1Object().getInteger();
-        return new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, prime1, prime2, exponent1, exponent2, coefficient);
-    }
-
-    /**
-     * Parses a DER encoded DSA key to a {@link DSAPrivateKeySpec} using a minimal {@link DerParser}
-     *
-     * @param keyBytes the private key raw bytes
-     * @return {@link DSAPrivateKeySpec}
-     * @throws IOException if the DER encoded key can't be parsed
-     */
-    private static DSAPrivateKeySpec parseDsaDer(byte[] keyBytes) throws IOException {
-        DerParser parser = new DerParser(keyBytes);
-        DerParser.Asn1Object sequence = parser.readAsn1Object();
-        parser = sequence.getParser();
-        parser.readAsn1Object().getInteger(); // (version) We don't need it but must read to get to p
-        BigInteger p = parser.readAsn1Object().getInteger();
-        BigInteger q = parser.readAsn1Object().getInteger();
-        BigInteger g = parser.readAsn1Object().getInteger();
-        parser.readAsn1Object().getInteger(); // we don't need x
-        BigInteger x = parser.readAsn1Object().getInteger();
-        return new DSAPrivateKeySpec(x, p, q, g);
     }
 
     /**
-     * Parses a DER encoded private key and reads its algorithm identifier Object OID.
+     * Supports PEM files that includes parameters.
      *
-     * @param keyBytes the private key raw bytes
-     * @return A string identifier for the key algorithm (RSA, DSA, or EC)
-     * @throws GeneralSecurityException if the algorithm oid that is parsed from ASN.1 is unknown
-     * @throws IOException if the DER encoded key can't be parsed
-     */
-    private static String getKeyAlgorithmIdentifier(byte[] keyBytes) throws IOException, GeneralSecurityException {
-        DerParser parser = new DerParser(keyBytes);
-        DerParser.Asn1Object sequence = parser.readAsn1Object();
-        parser = sequence.getParser();
-        parser.readAsn1Object().getInteger(); // version
-        DerParser.Asn1Object algSequence = parser.readAsn1Object();
-        parser = algSequence.getParser();
-        String oidString = parser.readAsn1Object().getOid();
-        switch (oidString) {
-            case "1.2.840.10040.4.1":
-                return "DSA";
-            case "1.2.840.113549.1.1.1":
-                return "RSA";
-            case "1.2.840.10045.2.1":
-                return "EC";
-        }
-        throw new GeneralSecurityException(
-            "Error parsing key algorithm identifier. Algorithm with OID [" + oidString + "] is not żsupported"
-        );
-    }
-
-    static List<Certificate> readCertificates(Collection<Path> certPaths) throws CertificateException, IOException {
-        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-        List<Certificate> certificates = new ArrayList<>(certPaths.size());
-        for (Path path : certPaths) {
-            try (InputStream input = Files.newInputStream(path)) {
-                final Collection<? extends Certificate> parsed = certFactory.generateCertificates(input);
-                if (parsed.isEmpty()) {
-                    throw new SslConfigException("failed to parse any certificates from [" + path.toAbsolutePath() + "]");
+     * @return high-level Object from the content
+     */
+    private static Object readObject(Path keyPath, PEMParser pemParser) throws IOException {
+        while (pemParser.ready()) {
+            try {
+                var object = pemParser.readObject();
+                if (object instanceof ASN1ObjectIdentifier) { // handles -----BEGIN EC PARAMETERS-----
+                    continue;
                 }
-                certificates.addAll(parsed);
+                return object;
+            } catch (IOException e) { // handles -----BEGIN DSA PARAMETERS-----
+                // ignore
             }
         }
-        return certificates;
-    }
-
-    private static String getEcCurveNameFromOid(String oidString) throws GeneralSecurityException {
-        switch (oidString) {
-            // see https://tools.ietf.org/html/rfc5480#section-2.1.1.1
-            case "1.2.840.10045.3.1":
-                return "secp192r1";
-            case "1.3.132.0.1":
-                return "sect163k1";
-            case "1.3.132.0.15":
-                return "sect163r2";
-            case "1.3.132.0.33":
-                return "secp224r1";
-            case "1.3.132.0.26":
-                return "sect233k1";
-            case "1.3.132.0.27":
-                return "sect233r1";
-            case "1.2.840.10045.3.1.7":
-                return "secp256r1";
-            case "1.3.132.0.16":
-                return "sect283k1";
-            case "1.3.132.0.17":
-                return "sect283r1";
-            case "1.3.132.0.34":
-                return "secp384r1";
-            case "1.3.132.0.36":
-                return "sect409k1";
-            case "1.3.132.0.37":
-                return "sect409r1";
-            case "1.3.132.0.35":
-                return "secp521r1";
-            case "1.3.132.0.38":
-                return "sect571k1";
-            case "1.3.132.0.39":
-                return "sect571r1";
-        }
-        throw new GeneralSecurityException(
-            "Error parsing EC named curve identifier. Named curve with OID: " + oidString + " is not supported"
-        );
+        throw new SslConfigException("Error parsing Private Key [" + keyPath.toAbsolutePath() + "], file is empty");
     }
 
 }
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
index 23acb0ff269e2..d6aa106039ce3 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common.ssl;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.X509ExtendedKeyManager;
 import javax.net.ssl.X509ExtendedTrustManager;
@@ -155,7 +157,12 @@ public SSLContext createSslContext() {
         final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager();
         final X509ExtendedTrustManager trustManager = trustConfig.createTrustManager();
         try {
-            SSLContext sslContext = SSLContext.getInstance(contextProtocol());
+            SSLContext sslContext;
+            if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+                sslContext = SSLContext.getInstance("TLS");
+            } else {
+                sslContext = SSLContext.getInstance(contextProtocol());
+            }
             sslContext.init(new X509ExtendedKeyManager[] { keyManager }, new X509ExtendedTrustManager[] { trustManager }, null);
             return sslContext;
         } catch (GeneralSecurityException e) {
diff --git a/plugins/identity-shiro/build.gradle b/plugins/identity-shiro/build.gradle
index 436a9b3e48128..4af2eef0d0840 100644
--- a/plugins/identity-shiro/build.gradle
+++ b/plugins/identity-shiro/build.gradle
@@ -28,7 +28,8 @@ dependencies {
 
   implementation 'org.passay:passay:1.6.3'
 
-  implementation "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
+  // Bcrypt hash matching
+  implementation 'com.password4j:password4j:1.8.2'
 
   testImplementation project(path: ':modules:transport-netty4') // for http
   testImplementation "org.mockito:mockito-core:${versions.mockito}"
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
index f8113101deb70..9c900836d3a66 100644
--- a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
@@ -12,7 +12,16 @@
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authc.credential.CredentialsMatcher;
-import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
+import com.password4j.BcryptFunction;
+import com.password4j.Password;
+import org.opensearch.SpecialPermission;
+
+import java.nio.CharBuffer;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.Arrays;
+
+import static org.opensearch.core.common.Strings.isNullOrEmpty;
 
 /**
  * Password matcher for BCrypt
@@ -28,7 +37,35 @@ public class BCryptPasswordMatcher implements CredentialsMatcher {
     @Override
     public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
         final UsernamePasswordToken userToken = (UsernamePasswordToken) token;
-        return OpenBSDBCrypt.checkPassword((String) info.getCredentials(), userToken.getPassword());
+        return check(userToken.getPassword(), (String) info.getCredentials());
+
+    }
+
+    private boolean check(char[] password, String hash) {
+        if (password == null || password.length == 0) {
+            throw new IllegalStateException("Password cannot be empty or null");
+        }
+        if (isNullOrEmpty(hash)) {
+            throw new IllegalStateException("Hash cannot be empty or null");
+        }
+        CharBuffer passwordBuffer = CharBuffer.wrap(password);
+        try {
+            SecurityManager securityManager = System.getSecurityManager();
+            if (securityManager != null) {
+                securityManager.checkPermission(new SpecialPermission());
+            }
+            return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> Password.check(passwordBuffer, hash)
+                .with(BcryptFunction.getInstanceFromHash(hash)));
+        } finally {
+            cleanup(passwordBuffer);
+        }
+    }
+
+    private void cleanup(CharBuffer password) {
+        password.clear();
+        char[] passwordOverwrite = new char[password.capacity()];
+        Arrays.fill(passwordOverwrite, '\0');
+        password.put(passwordOverwrite);
     }
 
 }
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
index e0ad602266602..47a15b75234dc 100644
--- a/plugins/ingest-attachment/build.gradle
+++ b/plugins/ingest-attachment/build.gradle
@@ -81,9 +81,6 @@ dependencies {
   api "org.apache.pdfbox:fontbox:${versions.pdfbox}"
   api "org.apache.pdfbox:jempbox:1.8.17"
   api "commons-logging:commons-logging:${versions.commonslogging}"
-  api "org.bouncycastle:bcmail-jdk18on:${versions.bouncycastle}"
-  api "org.bouncycastle:bcprov-jdk18on:${versions.bouncycastle}"
-  api "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
   // OpenOffice
   api "org.apache.poi:poi-ooxml:${versions.poi}"
   api "org.apache.poi:poi:${versions.poi}"
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk18on-1.78.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk18on-1.78.jar.sha1
deleted file mode 100644
index eb7e650306f73..0000000000000
--- a/plugins/ingest-attachment/licenses/bcmail-jdk18on-1.78.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-d26f5514b8c54f2878f8d49e0bc8e2acaab3c8bd
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk18on-LICENSE.txt b/plugins/ingest-attachment/licenses/bcmail-jdk18on-LICENSE.txt
deleted file mode 100644
index dbba1dd7829c7..0000000000000
--- a/plugins/ingest-attachment/licenses/bcmail-jdk18on-LICENSE.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
-                          (http://www.bouncycastle.org) 
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk18on-NOTICE.txt b/plugins/ingest-attachment/licenses/bcmail-jdk18on-NOTICE.txt
deleted file mode 100644
index e69de29bb2d1d..0000000000000
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk18on-1.78.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk18on-1.78.jar.sha1
deleted file mode 100644
index 385a9d930eede..0000000000000
--- a/plugins/ingest-attachment/licenses/bcpkix-jdk18on-1.78.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-dd61bcdb87678451dd42d42e267979bd4b4451a1
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk18on-LICENSE.txt b/plugins/ingest-attachment/licenses/bcpkix-jdk18on-LICENSE.txt
deleted file mode 100644
index e1fc4a1506db5..0000000000000
--- a/plugins/ingest-attachment/licenses/bcpkix-jdk18on-LICENSE.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
-                          (http://www.bouncycastle.org)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk18on-NOTICE.txt b/plugins/ingest-attachment/licenses/bcpkix-jdk18on-NOTICE.txt
deleted file mode 100644
index e69de29bb2d1d..0000000000000
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk18on-1.78.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk18on-1.78.jar.sha1
deleted file mode 100644
index 47fb5fd5e5f5d..0000000000000
--- a/plugins/ingest-attachment/licenses/bcprov-jdk18on-1.78.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-619aafb92dc0b4c6cc4cf86c487ca48ee2d67a8e
\ No newline at end of file
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk18on-LICENSE.txt b/plugins/ingest-attachment/licenses/bcprov-jdk18on-LICENSE.txt
deleted file mode 100644
index 9f27bafe96885..0000000000000
--- a/plugins/ingest-attachment/licenses/bcprov-jdk18on-LICENSE.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
-                          (http://www.bouncycastle.org)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk18on-NOTICE.txt b/plugins/ingest-attachment/licenses/bcprov-jdk18on-NOTICE.txt
deleted file mode 100644
index e69de29bb2d1d..0000000000000
diff --git a/server/build.gradle b/server/build.gradle
index 5d98874cbef23..e9bc4be170feb 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -113,6 +113,11 @@ dependencies {
 
   // https://mvnrepository.com/artifact/org.roaringbitmap/RoaringBitmap
   api libs.roaringbitmap
+
+  // bouncyCastle
+  api 'org.bouncycastle:bc-fips:1.0.2.5'
+  api 'org.bouncycastle:bctls-fips:1.0.19'
+
   testImplementation 'org.awaitility:awaitility:4.2.2'
   testImplementation(project(":test:framework")) {
     // tests use the locally compiled version of server
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index b40ac67b04917..66cc85ee33756 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -40,6 +40,7 @@
 import org.apache.logging.log4j.core.config.Configurator;
 import org.apache.lucene.util.Constants;
 import org.apache.lucene.util.StringHelper;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.OpenSearchException;
 import org.opensearch.Version;
 import org.opensearch.cli.Terminal;
@@ -52,6 +53,7 @@
 import org.opensearch.common.logging.LogConfigurator;
 import org.opensearch.common.logging.Loggers;
 import org.opensearch.common.network.IfConfig;
+import org.opensearch.common.settings.FipsSettings;
 import org.opensearch.common.settings.KeyStoreWrapper;
 import org.opensearch.common.settings.SecureSettings;
 import org.opensearch.common.settings.Settings;
@@ -196,6 +198,17 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
             BootstrapSettings.CTRLHANDLER_SETTING.get(settings)
         );
 
+        var isFipsEnabled = FipsSettings.FIPS_ENABLED.get(settings);
+        var isRunningInFipsMode = CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
+
+        if (!isRunningInFipsMode && isFipsEnabled){
+            throw new BootstrapException(new RuntimeException("cannot enable FIPS mode"));
+        }
+
+        if (isRunningInFipsMode) {
+            LogManager.getLogger(Bootstrap.class).info("running in FIPS mode");
+        }
+
         // initialize probes before the security manager is installed
         initializeProbes();
 
diff --git a/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java b/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java
index f8c5d8e3b2480..cf2d459d7a1c8 100644
--- a/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java
+++ b/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java
@@ -673,6 +673,7 @@ public void apply(Settings value, Settings current, Settings previous) {
                 ClusterManagerTaskThrottler.THRESHOLD_SETTINGS,
                 ClusterManagerTaskThrottler.BASE_DELAY_SETTINGS,
                 ClusterManagerTaskThrottler.MAX_DELAY_SETTINGS,
+                FipsSettings.FIPS_ENABLED,
                 // Settings related to search backpressure
                 SearchBackpressureSettings.SETTING_MODE,
 
diff --git a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java b/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
new file mode 100644
index 0000000000000..958a1440ec29f
--- /dev/null
+++ b/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
@@ -0,0 +1,23 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.common.settings;
+
+import org.opensearch.common.settings.Setting.Property;
+
+/**
+ * Settings used for NIST FIPS 140-2 compliance
+ */
+public class FipsSettings {
+
+    public static final Setting<Boolean> FIPS_ENABLED = Setting.boolSetting(
+        "fips.approved",
+        false,
+        Property.NodeScope);
+
+}
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index a6d6014b26bfb..ee75ad91904a4 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -93,6 +93,28 @@ grant codeBase "${codebase.reactor-core}" {
   permission java.net.SocketPermission "*", "connect,resolve";
 };
 
+// security
+grant {
+    permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
+    permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+    permission java.security.SecurityPermission "getProperty.keystore.type.compat";
+    permission java.security.SecurityPermission "getProperty.org.bouncycastle.*";
+    permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
+    permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
+    permission java.lang.RuntimePermission "getProtectionDomain";
+    permission java.util.PropertyPermission "java.runtime.name", "read";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "changeToApprovedModeEnabled";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
+    //io.netty.handler.codec.DecoderException
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
+    //java.security.InvalidAlgorithmParameterException: Cannot process GCMParameterSpec
+    permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
+    permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
+    permission java.io.FilePermission "${javaHome}/lib/security/jssecacerts", "read";
+};
+
 //// Everything else:
 
 grant {

From 2c6e14b994ef66cf66bf478e8ba9c30c5cf8396d Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Wed, 7 Aug 2024 18:52:46 +0200
Subject: [PATCH 02/21] make tests run without BC (not BCFIPS) libraries.

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 buildSrc/build.gradle                         |   2 +-
 .../gradle/OpenSearchTestBasePlugin.java      |   5 +
 .../opensearch/gradle/info/BuildParams.java   |   1 -
 client/rest/build.gradle                      |  18 ++
 client/rest/licenses/bc-fips-1.0.2.4.jar.sha1 |   1 +
 .../rest/licenses/bctls-fips-1.0.19.jar.sha1  |   1 +
 client/rest/licenses/bouncycastle-LICENSE.txt |  14 ++
 client/rest/licenses/bouncycastle-NOTICE.txt  |   1 +
 .../client/RestClientBuilderIntegTests.java   |   7 +-
 distribution/src/config/fips_java.security    |   6 +-
 .../keystore/AddFileKeyStoreCommandTests.java |  18 +-
 .../AddStringKeyStoreCommandTests.java        |  18 +-
 .../ChangeKeyStorePasswordCommandTests.java   |  18 +-
 .../cli/keystore/KeyStoreWrapperTests.java    |  26 +--
 .../keystore/ListKeyStoreCommandTests.java    |  18 +-
 .../RemoveSettingKeyStoreCommandTests.java    |  19 +-
 .../tools/launchers/SystemJvmOptions.java     |   4 +-
 distribution/tools/plugin-cli/build.gradle    |   3 +-
 gradle/libs.versions.toml                     |   5 +-
 libs/ssl-config/build.gradle                  |   4 +-
 .../licenses/bc-fips-1.0.2.5.jar.sha1         |   1 -
 .../licenses/bouncycastle-LICENSE.txt         |  14 ++
 .../licenses/bouncycastle-NOTICE.txt          |   1 +
 .../common/ssl/DefaultJdkTrustConfig.java     |  22 +-
 .../org/opensearch/common/ssl/PemUtils.java   |  43 ++--
 .../common/ssl/PemKeyConfigTests.java         |  13 +-
 .../common/ssl/PemTrustConfigTests.java       |  17 +-
 .../opensearch/common/ssl/PemUtilsTests.java  |  10 +-
 .../reindex/ReindexRestClientSslTests.java    |  11 +-
 modules/transport-netty4/build.gradle         |   4 +
 .../SecureNetty4HttpServerTransportTests.java |   4 +-
 .../ssl/SimpleSecureNetty4TransportTests.java |   4 +-
 .../src/test/resources/netty4-secure.jks      | Bin 2790 -> 0 bytes
 .../src/test/resources/netty4-secure.p12      | Bin 0 -> 2790 bytes
 .../AzureDiscoveryClusterFormationTests.java  |   4 +-
 .../licenses/bcprov-jdk18on-1.78.jar.sha1     |   1 -
 .../licenses/bcprov-jdk18on-LICENSE.txt       |  22 --
 .../licenses/password4j-1.8.2.jar.sha1        |   1 +
 .../licenses/password4j-LICENSE.txt           | 201 ++++++++++++++++++
 ...k18on-NOTICE.txt => password4j-NOTICE.txt} |   0
 .../shiro/realm/BCryptPasswordMatcher.java    |  28 +--
 plugins/repository-azure/build.gradle         |   3 -
 plugins/telemetry-otel/build.gradle           |  16 +-
 server/build.gradle                           |  20 +-
 server/licenses/bc-fips-1.0.2.4.jar.sha1      |   1 +
 server/licenses/bctls-fips-1.0.19.jar.sha1    |   1 +
 server/licenses/bouncycastle-LICENSE.txt      |  14 ++
 server/licenses/bouncycastle-NOTICE.txt       |   1 +
 .../org/opensearch/bootstrap/Bootstrap.java   |  15 +-
 .../common/settings/FipsSettings.java         |   5 +-
 .../common/settings/KeyStoreWrapper.java      |   4 +-
 .../org/opensearch/bootstrap/security.policy  |  15 +-
 .../bootstrap/test-framework.policy           |   2 +-
 53 files changed, 455 insertions(+), 232 deletions(-)
 create mode 100644 client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
 create mode 100644 client/rest/licenses/bctls-fips-1.0.19.jar.sha1
 create mode 100644 client/rest/licenses/bouncycastle-LICENSE.txt
 create mode 100644 client/rest/licenses/bouncycastle-NOTICE.txt
 delete mode 100644 libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1
 create mode 100644 libs/ssl-config/licenses/bouncycastle-LICENSE.txt
 create mode 100644 libs/ssl-config/licenses/bouncycastle-NOTICE.txt
 delete mode 100644 modules/transport-netty4/src/test/resources/netty4-secure.jks
 create mode 100644 modules/transport-netty4/src/test/resources/netty4-secure.p12
 delete mode 100644 plugins/identity-shiro/licenses/bcprov-jdk18on-1.78.jar.sha1
 delete mode 100644 plugins/identity-shiro/licenses/bcprov-jdk18on-LICENSE.txt
 create mode 100644 plugins/identity-shiro/licenses/password4j-1.8.2.jar.sha1
 create mode 100644 plugins/identity-shiro/licenses/password4j-LICENSE.txt
 rename plugins/identity-shiro/licenses/{bcprov-jdk18on-NOTICE.txt => password4j-NOTICE.txt} (100%)
 create mode 100644 server/licenses/bc-fips-1.0.2.4.jar.sha1
 create mode 100644 server/licenses/bctls-fips-1.0.19.jar.sha1
 create mode 100644 server/licenses/bouncycastle-LICENSE.txt
 create mode 100644 server/licenses/bouncycastle-NOTICE.txt

diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index c227d890984f7..38e4f6afb1cf5 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -123,7 +123,7 @@ dependencies {
   api 'org.jruby.joni:joni:2.2.1'
   api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
   api "org.ajoberstar.grgit:grgit-core:5.2.1"
-  api "org.bouncycastle:bc-fips:1.0.2.5"
+  api "org.bouncycastle:bc-fips:${props.getProperty('bouncycastle_jce')}"
 
 
   testFixturesApi "junit:junit:${props.getProperty('junit')}"
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
index d0cb2da9c1dd3..3161343ee1148 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
@@ -164,6 +164,11 @@ public void execute(Task t) {
                 test.systemProperty("tests.seed", BuildParams.getTestSeed());
             }
 
+            test.systemProperty(
+                "java.security.properties",
+                project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/fips_java.security"
+            );
+
             // don't track these as inputs since they contain absolute paths and break cache relocatability
             File gradleHome = project.getGradle().getGradleUserHomeDir();
             String gradleVersion = project.getGradle().getGradleVersion();
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java
index bbd06c84b30c9..a9ccb75569002 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java
@@ -52,7 +52,6 @@ public class BuildParams {
     private static JavaVersion gradleJavaVersion;
     private static JavaVersion runtimeJavaVersion;
     private static String runtimeJavaDetails;
-    @Deprecated
     private static Boolean inFipsJvm;
     private static String gitRevision;
     private static String gitOrigin;
diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index 93faf0024b51e..8e3d82c9a95b8 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -51,6 +51,8 @@ dependencies {
   api "commons-codec:commons-codec:${versions.commonscodec}"
   api "commons-logging:commons-logging:${versions.commonslogging}"
   api "org.slf4j:slf4j-api:${versions.slf4j}"
+  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
 
   // reactor
   api "io.projectreactor:reactor-core:${versions.reactor}"
@@ -70,6 +72,10 @@ dependencies {
   testImplementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
 }
 
+tasks.named("dependencyLicenses").configure {
+  mapping from: /bc.*/, to: 'bouncycastle'
+}
+
 tasks.withType(CheckForbiddenApis).configureEach {
   //client does not depend on server, so only jdk and http signatures should be checked
   replaceSignatureFiles('jdk-signatures', 'http-signatures')
@@ -141,6 +147,18 @@ thirdPartyAudit {
       'reactor.blockhound.integration.BlockHoundIntegration'
    )
    ignoreViolations(
+      'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
+      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2',
       'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'
    )
 }
diff --git a/client/rest/licenses/bc-fips-1.0.2.4.jar.sha1 b/client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
new file mode 100644
index 0000000000000..da37449f80d7e
--- /dev/null
+++ b/client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
@@ -0,0 +1 @@
+9008d04fc13da6455e6a792935b93b629757335d
\ No newline at end of file
diff --git a/client/rest/licenses/bctls-fips-1.0.19.jar.sha1 b/client/rest/licenses/bctls-fips-1.0.19.jar.sha1
new file mode 100644
index 0000000000000..7f0eb6e1c6bea
--- /dev/null
+++ b/client/rest/licenses/bctls-fips-1.0.19.jar.sha1
@@ -0,0 +1 @@
+b15d650f6e2a9de08d5569e25a642b6a384dbfd2
\ No newline at end of file
diff --git a/client/rest/licenses/bouncycastle-LICENSE.txt b/client/rest/licenses/bouncycastle-LICENSE.txt
new file mode 100644
index 0000000000000..5c7c14696849d
--- /dev/null
+++ b/client/rest/licenses/bouncycastle-LICENSE.txt
@@ -0,0 +1,14 @@
+Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/client/rest/licenses/bouncycastle-NOTICE.txt b/client/rest/licenses/bouncycastle-NOTICE.txt
new file mode 100644
index 0000000000000..8b137891791fe
--- /dev/null
+++ b/client/rest/licenses/bouncycastle-NOTICE.txt
@@ -0,0 +1 @@
+
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index 0b7cf6e8bb5fe..46f6cfa22096b 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -43,7 +43,7 @@
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManagerFactory;
 
 import java.io.IOException;
@@ -95,15 +95,14 @@ public static void stopHttpServers() throws IOException {
     }
 
     public void testBuilderUsesDefaultSSLContext() throws Exception {
-        assumeFalse("https://github.com/elastic/elasticsearch/issues/49094", inFipsJvm());
         final SSLContext defaultSSLContext = SSLContext.getDefault();
         try {
             try (RestClient client = buildRestClient()) {
                 try {
                     client.performRequest(new Request("GET", "/"));
-                    fail("connection should have been rejected due to SSL handshake");
+                    fail("connection should have been rejected due to SSL failure");
                 } catch (Exception e) {
-                    assertThat(e, instanceOf(SSLHandshakeException.class));
+                    assertThat(e.getCause(), instanceOf(SSLException.class));
                 }
             }
 
diff --git a/distribution/src/config/fips_java.security b/distribution/src/config/fips_java.security
index e54e471c89e71..fc1608c8df1bd 100644
--- a/distribution/src/config/fips_java.security
+++ b/distribution/src/config/fips_java.security
@@ -22,9 +22,9 @@ ssl.KeyManagerFactory.algorithm=PKIX
 ssl.TrustManagerFactory.algorithm=PKIX
 networkaddress.cache.negative.ttl=10
 krb5.kdc.bad.policy = tryLast
-jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
-jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
-jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DSA keySize < 2048
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
 jdk.tls.legacyAlgorithms= \
         K_NULL, C_NULL, M_NULL, \
         DH_anon, ECDH_anon, \
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
index 3d188590d5c47..db6bb2d5473f4 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
@@ -211,17 +211,13 @@ public void testIncorrectPassword() throws Exception {
         terminal.addSecretInput("thewrongkeystorepassword");
         UserException e = expectThrows(UserException.class, () -> execute("foo", file.toString()));
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testAddToUnprotectedKeystore() throws Exception {
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java
index 22012d1f44986..05ce0bb61a4fd 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java
@@ -72,17 +72,13 @@ public void testInvalidPassphrease() throws Exception {
         terminal.addSecretInput("thewrongpassword");
         UserException e = expectThrows(UserException.class, () -> execute("foo2"));
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
 
     }
 
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java
index 1ce57332a9a31..1aa62cf71ed65 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java
@@ -104,16 +104,12 @@ public void testChangeKeyStorePasswordWrongExistingPassword() throws Exception {
         // We'll only be prompted once (for the old password)
         UserException e = expectThrows(UserException.class, this::execute);
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 }
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
index efb833e8fd94a..19bc06f7c64bc 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
@@ -133,17 +133,13 @@ public void testDecryptKeyStoreWithWrongPassword() throws Exception {
             SecurityException.class,
             () -> loadedKeystore.decrypt(new char[] { 'i', 'n', 'v', 'a', 'l', 'i', 'd' })
         );
-        if (inFipsJvm()) {
-            assertThat(
-                exception.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(exception.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            exception.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testCannotReadStringFromClosedKeystore() throws Exception {
@@ -374,8 +370,8 @@ public void testBackcompatV1() throws Exception {
             output.writeString("PKCS12");
             output.writeString("PBE");
 
-            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE");
-            KeyStore keystore = KeyStore.getInstance("PKCS12");
+            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
+            KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
             keystore.load(null, null);
             SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
             KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
@@ -415,8 +411,8 @@ public void testBackcompatV2() throws Exception {
             output.writeString("file_setting");
             output.writeString("FILE");
 
-            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE");
-            KeyStore keystore = KeyStore.getInstance("PKCS12");
+            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
+            KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
             keystore.load(null, null);
             SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
             KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
index 0846e28fb42af..36bef3a82281d 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
@@ -90,17 +90,13 @@ public void testListWithIncorrectPassword() throws Exception {
         terminal.addSecretInput("thewrongkeystorepassword");
         UserException e = expectThrows(UserException.class, this::execute);
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testListWithUnprotectedKeystore() throws Exception {
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java
index 66d448400d4e3..276af6cfa659f 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java
@@ -107,18 +107,13 @@ public void testRemoveWithIncorrectPassword() throws Exception {
         terminal.addSecretInput("thewrongpassword");
         UserException e = expectThrows(UserException.class, () -> execute("foo"));
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
-
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testRemoveFromUnprotectedKeystore() throws Exception {
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index 5098d0e343f5f..030dc15aa67fe 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -87,8 +87,8 @@ static List<String> systemJvmOptions(final Path config) {
     }
 
     private static String loadJavaSecurityProperties(final Path config) {
-        var securityFile = config.resolve("fips_java.security").toFile();
-        return "-Djava.security.properties=" + securityFile.getAbsolutePath();
+        var securityFile = config.resolve("fips_java.security");
+        return "-Djava.security.properties=" + securityFile.toAbsolutePath();
     }
 
     private static String allowSecurityManagerOption() {
diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index 784cdc457a1a9..34a895538a0ae 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -37,8 +37,7 @@ base {
 dependencies {
   compileOnly project(":server")
   compileOnly project(":libs:opensearch-cli")
-  api "org.bouncycastle:bcpg-fips:2.0.9"
-  api "org.bouncycastle:bc-fips:2.0.0"
+  api "org.bouncycastle:bcpg-fips:${versions.bouncycastle_pg}"
   testImplementation project(":test:framework")
   testImplementation 'com.google.jimfs:jimfs:1.3.0'
   testRuntimeOnly("com.google.guava:guava:${versions.guava}") {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 0b6886ce011b2..07928ca3a4942 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -58,7 +58,10 @@ reactivestreams   = "1.0.4"
 # when updating this version, you need to ensure compatibility with:
 #  - plugins/ingest-attachment (transitive dependency, check the upstream POM)
 #  - distribution/tools/plugin-cli
-bouncycastle="1.78"
+bouncycastle_jce  = "1.0.2.4"
+bouncycastle_tls  = "1.0.19"
+bouncycastle_pkix = "1.0.7"
+bouncycastle_pg   = "1.0.7.1"
 # test dependencies
 randomizedrunner  = "2.7.1"
 junit             = "4.13.2"
diff --git a/libs/ssl-config/build.gradle b/libs/ssl-config/build.gradle
index 889c278ffbfcb..f2da097a7fe09 100644
--- a/libs/ssl-config/build.gradle
+++ b/libs/ssl-config/build.gradle
@@ -36,8 +36,8 @@ dependencies {
   api project(':libs:opensearch-common')
 
   // bouncyCastle
-  implementation 'org.bouncycastle:bcpkix-fips:1.0.7'
-  compileOnly 'org.bouncycastle:bc-fips:1.0.2.5'
+  implementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
+  compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
 
   testImplementation(project(":test:framework")) {
     exclude group: 'org.opensearch', module: 'opensearch-ssl-config'
diff --git a/libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1 b/libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1
deleted file mode 100644
index cc29a787cee56..0000000000000
--- a/libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-704e65f7e4fe679e5ab2aa8a840f27f8ced4c522
diff --git a/libs/ssl-config/licenses/bouncycastle-LICENSE.txt b/libs/ssl-config/licenses/bouncycastle-LICENSE.txt
new file mode 100644
index 0000000000000..5c7c14696849d
--- /dev/null
+++ b/libs/ssl-config/licenses/bouncycastle-LICENSE.txt
@@ -0,0 +1,14 @@
+Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/libs/ssl-config/licenses/bouncycastle-NOTICE.txt b/libs/ssl-config/licenses/bouncycastle-NOTICE.txt
new file mode 100644
index 0000000000000..8b137891791fe
--- /dev/null
+++ b/libs/ssl-config/licenses/bouncycastle-NOTICE.txt
@@ -0,0 +1 @@
+
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
index 6d5b1b02c67ca..859b74b200dc6 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
@@ -65,7 +65,7 @@ final class DefaultJdkTrustConfig implements SslTrustConfig {
      * Create a trust config that uses supplied {@link BiFunction} to determine the TrustStore type, and the relevant password.
      */
     DefaultJdkTrustConfig(BiFunction<String, String, String> systemProperties) {
-        this(systemProperties, getSystemTrustStorePassword(systemProperties));
+        this(systemProperties, isPkcs11Truststore(systemProperties) ? getSystemTrustStorePassword(systemProperties) : null);
     }
 
     /**
@@ -93,16 +93,11 @@ public X509ExtendedTrustManager createTrustManager() {
      * @return the KeyStore used as truststore for PKCS#11 initialized with the password, null otherwise
      */
     private KeyStore getSystemTrustStore() {
-        if (trustStorePassword != null) {
+        if (isPkcs11Truststore(systemProperties) && trustStorePassword != null) {
             try {
-                if (isBcfksTruststore(systemProperties)) {
-                    var path = Path.of(System.getProperty("javax.net.ssl.trustStore", ""));
-                    KeyStoreUtil.readKeyStore(path, "BCFKS", trustStorePassword);
-                } else if (isPkcs11Truststore(systemProperties)) {
-                    KeyStore keyStore = KeyStore.getInstance("PKCS11");
-                    keyStore.load(null, trustStorePassword);
-                    return keyStore;
-                }
+                KeyStore keyStore = KeyStore.getInstance("PKCS11");
+                keyStore.load(null, trustStorePassword);
+                return keyStore;
             } catch (GeneralSecurityException | IOException e) {
                 throw new SslConfigException("failed to load the system PKCS#11 truststore", e);
             }
@@ -110,17 +105,12 @@ private KeyStore getSystemTrustStore() {
         return null;
     }
 
-    private static boolean isBcfksTruststore(BiFunction<String, String, String> systemProperties) {
-        return systemProperties.apply("javax.net.ssl.trustStoreType", "").equalsIgnoreCase("BCFKS");
-    }
-
     private static boolean isPkcs11Truststore(BiFunction<String, String, String> systemProperties) {
         return systemProperties.apply("javax.net.ssl.trustStoreType", "").equalsIgnoreCase("PKCS11");
     }
 
     private static char[] getSystemTrustStorePassword(BiFunction<String, String, String> systemProperties) {
-        var password = systemProperties.apply("javax.net.ssl.trustStorePassword", "");
-        return password.isEmpty() ? null : password.toCharArray();
+        return systemProperties.apply("javax.net.ssl.trustStorePassword", "").toCharArray();
     }
 
     @Override
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
index df842650d65ca..821c38c8d2f46 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
@@ -43,21 +43,25 @@
 import org.bouncycastle.pkcs.PKCSException;
 import org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder;
 
-import java.security.PrivateKey;
-
-import java.io.*;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.Locale;
 import java.util.function.Supplier;
 
 final class PemUtils {
 
+    protected static final String BCFIPS = "BCFIPS";
+
     private PemUtils() {
         throw new IllegalStateException("Utility class should not be instantiated");
     }
@@ -71,9 +75,9 @@ private PemUtils() {
      * @return a private key from the contents of the file
      */
     public static PrivateKey readPrivateKey(Path keyPath, Supplier<char[]> passwordSupplier) throws IOException, PKCSException {
-            PrivateKeyInfo pki = loadPrivateKeyFromFile(keyPath, passwordSupplier);
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
-            return converter.getPrivateKey(pki);
+        PrivateKeyInfo pki = loadPrivateKeyFromFile(keyPath, passwordSupplier);
+        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+        return converter.getPrivateKey(pki);
     }
 
     static List<Certificate> readCertificates(Collection<Path> certPaths) throws CertificateException, IOException {
@@ -102,22 +106,20 @@ static List<Certificate> readCertificates(Collection<Path> certPaths) throws Cer
      * @return {@link PrivateKey}
      * @throws IOException If the file can't be read
      */
-    private static PrivateKeyInfo loadPrivateKeyFromFile(Path keyPath, Supplier<char[]> passwordSupplier)
-        throws IOException, PKCSException {
-        try (PEMParser pemParser = new PEMParser(new FileReader(keyPath.toFile()))) {
+    private static PrivateKeyInfo loadPrivateKeyFromFile(Path keyPath, Supplier<char[]> passwordSupplier) throws IOException,
+        PKCSException {
+
+        try (PEMParser pemParser = new PEMParser(Files.newBufferedReader(keyPath, StandardCharsets.UTF_8))) {
             Object object = readObject(keyPath, pemParser);
 
             if (object instanceof PKCS8EncryptedPrivateKeyInfo) { // encrypted private key in pkcs8-format
                 var privateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) object;
-                var inputDecryptorProvider = new JcePKCSPBEInputDecryptorProviderBuilder()
-                    .setProvider("BCFIPS")
+                var inputDecryptorProvider = new JcePKCSPBEInputDecryptorProviderBuilder().setProvider(BCFIPS)
                     .build(passwordSupplier.get());
                 return privateKeyInfo.decryptPrivateKeyInfo(inputDecryptorProvider);
             } else if (object instanceof PEMEncryptedKeyPair) { // encrypted private key
                 var encryptedKeyPair = (PEMEncryptedKeyPair) object;
-                var decryptorProvider = new JcePEMDecryptorProviderBuilder()
-                    .setProvider("BCFIPS")
-                    .build(passwordSupplier.get());
+                var decryptorProvider = new JcePEMDecryptorProviderBuilder().setProvider(BCFIPS).build(passwordSupplier.get());
                 var keyPair = encryptedKeyPair.decryptKeyPair(decryptorProvider);
                 return keyPair.getPrivateKeyInfo();
             } else if (object instanceof PEMKeyPair) { // unencrypted private key
@@ -125,11 +127,14 @@ private static PrivateKeyInfo loadPrivateKeyFromFile(Path keyPath, Supplier<char
             } else if (object instanceof PrivateKeyInfo) { // unencrypted private key in pkcs8-format
                 return (PrivateKeyInfo) object;
             } else {
-                throw new SslConfigException(String.format(
-                    "error parsing private key [%s], invalid encrypted private key class: [%s]",
-                    keyPath.toAbsolutePath(),
-                    object.getClass().getName()
-                ));
+                throw new SslConfigException(
+                    String.format(
+                        Locale.ROOT,
+                        "error parsing private key [%s], invalid encrypted private key class: [%s]",
+                        keyPath.toAbsolutePath(),
+                        object.getClass().getName()
+                    )
+                );
             }
         }
     }
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java
index 688f03a1e51fa..a4cbea14ff261 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java
@@ -41,7 +41,6 @@
 import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
-import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
@@ -131,7 +130,7 @@ public void testKeyConfigReloadsFileContents() throws Exception {
 
         Files.copy(cert2, cert, StandardCopyOption.REPLACE_EXISTING);
         Files.copy(key2, key, StandardCopyOption.REPLACE_EXISTING);
-        assertPasswordIsIncorrect(keyConfig, key);
+        assertPasswordNotSet(keyConfig, key);
 
         Files.copy(cert1, cert, StandardCopyOption.REPLACE_EXISTING);
         Files.copy(key1, key, StandardCopyOption.REPLACE_EXISTING);
@@ -166,7 +165,15 @@ private void assertPasswordIsIncorrect(PemKeyConfig keyConfig, Path key) {
         final SslConfigException exception = expectThrows(SslConfigException.class, keyConfig::createKeyManager);
         assertThat(exception.getMessage(), containsString("private key file"));
         assertThat(exception.getMessage(), containsString(key.toAbsolutePath().toString()));
-        assertThat(exception.getCause(), instanceOf(GeneralSecurityException.class));
+        assertThat(exception, instanceOf(SslConfigException.class));
+    }
+
+    private void assertPasswordNotSet(PemKeyConfig keyConfig, Path key) {
+        final SslConfigException exception = expectThrows(SslConfigException.class, keyConfig::createKeyManager);
+        assertThat(exception.getMessage(), containsString("cannot read encrypted key"));
+        assertThat(exception.getMessage(), containsString(key.toAbsolutePath().toString()));
+        assertThat(exception.getMessage(), containsString("without a password"));
+        assertThat(exception, instanceOf(SslConfigException.class));
     }
 
     private void assertFileNotFound(PemKeyConfig keyConfig, String type, Path file) {
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java
index e664e379d1e97..543021e0b1252 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java
@@ -42,7 +42,6 @@
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.StandardOpenOption;
-import java.security.GeneralSecurityException;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -74,7 +73,7 @@ public void testBadFileFormatFails() throws Exception {
         Files.write(ca, generateRandomByteArrayOfLength(128), StandardOpenOption.APPEND);
         final PemTrustConfig trustConfig = new PemTrustConfig(Collections.singletonList(ca));
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ca));
-        assertInvalidFileFormat(trustConfig, ca);
+        assertFailedToParse(trustConfig, ca);
     }
 
     public void testEmptyFileFails() throws Exception {
@@ -121,7 +120,7 @@ public void testTrustConfigReloadsFileContents() throws Exception {
         assertFileNotFound(trustConfig, ca1);
 
         Files.write(ca1, generateRandomByteArrayOfLength(128), StandardOpenOption.CREATE);
-        assertInvalidFileFormat(trustConfig, ca1);
+        assertFailedToParse(trustConfig, ca1);
     }
 
     private void assertCertificateChain(PemTrustConfig trustConfig, String... caNames) {
@@ -142,17 +141,11 @@ private void assertEmptyFile(PemTrustConfig trustConfig, Path file) {
         assertThat(exception.getMessage(), Matchers.containsString("failed to parse any certificates"));
     }
 
-    private void assertInvalidFileFormat(PemTrustConfig trustConfig, Path file) {
+    private void assertFailedToParse(PemTrustConfig trustConfig, Path file) {
         final SslConfigException exception = expectThrows(SslConfigException.class, trustConfig::createTrustManager);
+        logger.info("failure", exception);
         assertThat(exception.getMessage(), Matchers.containsString(file.toAbsolutePath().toString()));
-        // When running on BC-FIPS, an invalid file format *might* just fail to parse, without any errors (just like an empty file)
-        // or it might behave per the SUN provider, and throw a GSE (depending on exactly what was invalid)
-        if (inFipsJvm() && exception.getMessage().contains("failed to parse any certificates")) {
-            return;
-        }
-        assertThat(exception.getMessage(), Matchers.containsString("cannot create trust"));
-        assertThat(exception.getMessage(), Matchers.containsString("PEM"));
-        assertThat(exception.getCause(), Matchers.instanceOf(GeneralSecurityException.class));
+        assertThat(exception.getMessage(), Matchers.containsString("failed to parse any certificates"));
     }
 
     private void assertFileNotFound(PemTrustConfig trustConfig, Path file) {
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
index c7ca19bb679d3..85d5172b87d0b 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
@@ -211,24 +211,24 @@ public void testReadEncryptedOpenSslEcKey() throws Exception {
     public void testReadUnsupportedKey() {
         final Path path = getDataPath("/certs/pem-utils/key_unsupported.pem");
         SslConfigException e = expectThrows(SslConfigException.class, () -> PemUtils.readPrivateKey(path, TESTNODE_PASSWORD));
-        assertThat(e.getMessage(), containsString("file does not contain a supported key format"));
+        assertThat(e.getMessage(), containsString("Error parsing Private Key"));
         assertThat(e.getMessage(), containsString(path.toAbsolutePath().toString()));
+        assertThat(e.getMessage(), containsString("file is empty"));
     }
 
     public void testReadPemCertificateAsKey() {
         final Path path = getDataPath("/certs/pem-utils/testnode.crt");
         SslConfigException e = expectThrows(SslConfigException.class, () -> PemUtils.readPrivateKey(path, TESTNODE_PASSWORD));
-        assertThat(e.getMessage(), containsString("file does not contain a supported key format"));
+        assertThat(e.getMessage(), containsString("invalid encrypted private key class"));
         assertThat(e.getMessage(), containsString(path.toAbsolutePath().toString()));
     }
 
     public void testReadCorruptedKey() {
         final Path path = getDataPath("/certs/pem-utils/corrupted_key_pkcs8_plain.pem");
         SslConfigException e = expectThrows(SslConfigException.class, () -> PemUtils.readPrivateKey(path, TESTNODE_PASSWORD));
-        assertThat(e.getMessage(), containsString("private key"));
-        assertThat(e.getMessage(), containsString("cannot be parsed"));
+        assertThat(e.getMessage(), containsString("Error parsing Private Key"));
         assertThat(e.getMessage(), containsString(path.toAbsolutePath().toString()));
-        assertThat(e.getCause().getMessage(), containsString("PEM footer is invalid or missing"));
+        assertThat(e.getMessage(), containsString("file is empty"));
     }
 
     public void testReadEmptyFile() {
diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
index 1123ae4623300..4fa84f88af35f 100644
--- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
+++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
@@ -56,7 +56,6 @@
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509ExtendedKeyManager;
@@ -65,6 +64,7 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.file.Path;
+import java.security.cert.CertPathBuilderException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -129,7 +129,6 @@ private static SSLContext buildServerSslContext() throws Exception {
     }
 
     public void testClientFailsWithUntrustedCertificate() throws IOException {
-        assumeFalse("https://github.com/elastic/elasticsearch/issues/49094", inFipsJvm());
         final List<Thread> threads = new ArrayList<>();
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
@@ -138,7 +137,13 @@ public void testClientFailsWithUntrustedCertificate() throws IOException {
         final Environment environment = TestEnvironment.newEnvironment(settings);
         final ReindexSslConfig ssl = new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
         try (RestClient client = Reindexer.buildRestClient(getRemoteInfo(), ssl, 1L, threads)) {
-            expectThrows(SSLHandshakeException.class, () -> client.performRequest(new Request("GET", "/")));
+            var exception = expectThrows(Exception.class, () -> client.performRequest(new Request("GET", "/")));
+            var rootCause = exception.getCause().getCause().getCause().getCause();
+            assertThat(rootCause, Matchers.instanceOf(CertPathBuilderException.class));
+            assertThat(
+                rootCause.getMessage(),
+                Matchers.containsString("No issuer certificate for certificate in certification path found")
+            );
         }
     }
 
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index 4e68a4ce17f73..89d3f03032d9f 100644
--- a/modules/transport-netty4/build.gradle
+++ b/modules/transport-netty4/build.gradle
@@ -77,6 +77,10 @@ tasks.named("dependencyLicenses").configure {
   mapping from: /netty-.*/, to: 'netty'
 }
 
+forbiddenPatterns {
+  exclude '**/*.p12'
+}
+
 test {
   /*
    * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
index f80ad901ce765..d57252950620a 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
@@ -123,11 +123,11 @@ public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpSe
                 try {
                     final KeyStore keyStore = KeyStore.getInstance("PKCS12");
                     keyStore.load(
-                        SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.jks"),
+                        SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.p12"),
                         "password".toCharArray()
                     );
 
-                    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
+                    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                     keyManagerFactory.init(keyStore, "password".toCharArray());
 
                     SSLEngine engine = SslContextBuilder.forServer(keyManagerFactory)
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
index e0600aebd90e5..ff52e6e178692 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
@@ -79,11 +79,11 @@ public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, T
                 try {
                     final KeyStore keyStore = KeyStore.getInstance("PKCS12");
                     keyStore.load(
-                        SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.jks"),
+                        SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.p12"),
                         "password".toCharArray()
                     );
 
-                    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
+                    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                     keyManagerFactory.init(keyStore, "password".toCharArray());
 
                     SSLEngine engine = SslContextBuilder.forServer(keyManagerFactory)
diff --git a/modules/transport-netty4/src/test/resources/netty4-secure.jks b/modules/transport-netty4/src/test/resources/netty4-secure.jks
deleted file mode 100644
index 59dfd31c2a1567c6fbae386aa8f15c563bc66ae0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2790
zcma)8XEYm(8crgiLaZ7k_^3S_Tdh)5I#8=<Yd1!XG-_5O8cM}z?NLRH(pvS|qgJR<
z4MMA=G<-&@W~`e1+;i{gckZuy&wJkUp67Yq=l%Jd7lDV)f`AMNJT#t>SvDFOy$b^}
z0rT-tEEo?BJ)r{;cu4DiNstOK9`fphE<R}@Bg=nWtWY2*9}m$#A$1V$za0=5!XBad
z4`fBifw@Z?UHUl{O6rb;hQ&>~rNH!<Z6**%iUR}`L9jBO`u9Z;GX#JTVq|uXMgma`
zV4y6RgYV#!_iDU*BS3Y?|CkxK2gZYkqhK(?8(KgzwJD3=OafGx>5#!!9K_}1H^u_V
z=usLU2dZ9W+tu&&HP&rr0Gj`32Xv({(IBcgf--PNjPP?Wl@c*PRlG~?w#y{$$E7Ac
zx~e{WW#twe_l9Rk?!G}q_9k~<RU*lxvB_tpaMk%8S@Gtc@6fax2mQ~N`~aB6kAc=t
zW9QCOZYA-^xAAqed>-h|^Nd;KI<0tW*OJCTydW5K?zK18ZR;_&+8)QRWs&D)HUeQu
z9uJg@R_z>@?>MI)N$iZs?C70IBKa$HMTmwtRZM2#Eoh>qRjH=pY|<sfxO;u(53&uU
zc6(e_JH<>48!KPy$z*ryQVZ6bbD&&t4TF&?ZKHwA0q_P!85hGFhoG?V+nrEvu|YdG
zNrL!x5hXK9XG!dHbKAhpa*yK2X+&`U9}I8`ON-SR2AaO}$md&6HEJY?sp&0?74^a&
zVGN_jRIazY8Xhs~^9fS?Fi-gwcl8p=<-=HX>-`)aSrru|SJ3LA(S5lX(T8(;a;TEk
zjAO5JZ;+6Ri7Fk+ojzl_j>FsNxien-@nif$*x?i|H~&{et(-zmOA(y|b9$qWo>F~6
zki+c@3Ez0iXk}m9oTR;sSPhbZ=SK~bRJ`f>5rk8+I0fjlFBn~o1e<4(<AxXNrP`tP
zPsu_Nq#>6(c5WFg`wy)X+ZN{sOnlx=ETJarFP_~xRzcNqSZ7%QHR!VzITeKkh$31~
zImEggf>lp$FXnU=Ts#bWExW*Y9;7%4Oe?((yn8vIeg2W0PfQBbZg?H7S6jR7_Ab`i
zFt+ORFZV!dxP5(el{8;w<@pHgN@T-AM|1c0R#EBHJ|EF9tDR?*`HCSSS-NChY<rOJ
z!o0%+l(0$4dcz=w5rg^4jHT680HE(VUv^*VdE0wWyGHZ?+v_s<g$pi~v9P|ke|mVq
z$xQ4tl!QbFcT%UCXKR)c2tqzV*KvUqHC%+&l(QZ$CNgBo0Nu=ylwW@s?CUV}Hm@XH
zOMaH1Ac<7EYFp>vG5g86>yVnk$g?6B#Mb(2mG-cf!r7rvHyV<s=&0nIm!Wss!%`ct
zBvMRNx3$)A^Ir+NoaQ7C5P+C?E?v*k?#w-Q@sLt2(GtLM+u}2qciX(o=?!sG#)Fd~
zf0`{z@0x^Y6?|eZ=F_Ipv&p>nf8E8TJzgSB$KPWTl~g|#-Rw(h>E!kcXTQ3Q6z`cP
z)fS*)cgRrG{5|EtiN~1M7vJ;J2n&CXaT*Pb--Bc$Zi!bnJlbwCvj3*7ebDIBSRV6)
zJ(Pz1F<m)TV^408#^o9(cv3Z1v;+ozbWVmIQ<IpIg)ODCi<L*}bH}>*1RFZ#H99b!
zFAr=1?f}O-Ds0l4sX~>=qET8%wZFXa-H{oyX`N12eqs0c0QyH-0D8xlm&3z#uIe`1
zrI9EslWc5kB75)nwQj9;_~TDgCgpG=C=?yr`DQL%YWUdLLKt~BF_>(ozPEDYfmq5|
z0JoEQ)AV!wN+o_w*8sM82I;8g<TpH(!z)xEav;p>UaTdYv=QY$QCfcLv(IxGSQ+S>
z%RxCJI*K1%Di#OIIA!I`gNrV;_(=luy&a6i<Po9^tDkrtT?{MgC&1XJKL8}_ck1s5
zsenc?;Ywx*ncs2A%&jCSECBEWpa20U6$(%VC;;xCAU8lDz#o7@i2k$6qr?s7vi9;t
zi706(Ayie>R5jIAl$8;9aP{vcCdPa`xZs4!1pxskBjX<h_`gCMwLWrpx-MoIQG~p9
zU5uyK@xxNi{}bAI8zP*~$$eXlN(&|x@awn;JXqxY$gk;48?nn)YE8QpAG6nt>CrY<
zOcTKv`EhagL&xGTrIIUt2v?a2%l?bgMOV&&+|WU;e$<xjTg$gyL?0zCRkibPsAd+F
z@fbhboH<AnoFa6_=*u_74CFVv$|ssu`*e;hUaDJ?SQGrxv7^Nv_K86bJ^6Uc;66nM
z7I2``a3Q3pJd3|^o!40{Q(<vF_6YH;vhbRSDL)VW={#~i3)$fA`nt|uUxBjEMifKh
zun;DX;(@Z8&VCcIXf3kKQXon<V{$uhv%pS#FvW69HP1gpQroaEHQ2m#-w`8K)$mF*
z@>=RpZpz1|dNV>*m~d#i)d2TYZVO)~XMlNxBrxoWuJ<66oc1(`c8LIHSqMFI@oVB5
zCTi-Btx2^*IwaoUOI*HGf^JQ#GU_^GnY6KL3-W;<6D`7ahRD>wHVTL3(9$baE*+Uh
zI?Qh*6kS<aVb(Bvgj+vnH20U6)eZ5|**?FU%60f|0#*y_y+Q90Ozc}}NB8u9Q|4U8
zQ+sJk4eZJNmTLmxC0@xlxa65#@YqoqV3)|xg~h=4M_m~r3kn<bOl8W?CrlOIq@Ky7
zzM0goHEr6amL?_HR?kP_`oXoYdF!oxBogG)z&>`O(EC~T8Xj=&-O3)}wcfX~t$yft
z0#%1s3udIR?zCsDgD^((_g@(9316i|*L)iFc0tc}Oh8!c)=u|})&8|LYjG)q`<fum
zjsFQ8$^<nJ6)a~TK$qBkP5M^H;J9gB9cy2zybwNd;cUG4GvZn$X^2fz)pp_B9my7p
zzBakrAF_O|ole@BgPjSfuidiPz`gcgPEmRT3|=jY8k1BcvhgIZKl`X9o~vV<@yply
zP|;XBxKN^W!<_-75RR<5k#dK%$@Jm2*eFlnc{#oFwAlKhnuVNp=eUhq!qe~<1+qQM
zEHAYq6XNz7*hq8e2VEV{Z7Q@`7hShpKQq*tQkWzI@X+*9au?eNMS*WYb+$KjKq^#x
znM3v1dN4RNz_&fi)-NJnZCi7#V~;E97!F5ArF|RUnan4l@~^B)MU(pB=Wp0hJ*udv
znDv!SGk3LB%@vf9bozs=ZrfK!wMP{f$={zL-PB(0x346^M4Lu>SIr(O$~<-27o6EP
z#<~$zeByPj(`59rPL~;qQy3J_7#W=XF0H@rb!E#Ub}O0BW;u<W%G2ukezz_b$dz{V
z#B8=9+I~|*rQ=PqO1f=8O<p)oLp4h99qLGSfrUqWTW8z1`%BH(exD}K@h~g9jd@#o
zBG{mG`YhXA(i^GnBwn?q+>}u1Ml#*1v|V#XY%_PSfaE#-vVR6s9p13SJS(vq?@w&x
z1io}4NWAA0VtOK@D-a#+({tI}OZlv_g9^ZdL~a$%7K051T_}A1FpPpLUh51%m?D%A
zu;0HQ2nYdyMN)q`vbBY0Z04-Vi-TU!{Ws&)J05FHCn{A|`7rGNj0AIUHubc-71}?2
T^$whsN!%rkGx+QOE291eC9)6<

diff --git a/modules/transport-netty4/src/test/resources/netty4-secure.p12 b/modules/transport-netty4/src/test/resources/netty4-secure.p12
new file mode 100644
index 0000000000000000000000000000000000000000..822d7ff8236f3dccd5693f1dcd7e39dbd0ca0f26
GIT binary patch
literal 2790
zcma)8cQhLe_f8^-SJ0?Usl=X@gyN-krF4)YMyb(+4vkgRiV-VnbkI^GrM9B9Mr+Ti
z1_@eJrA?_-HA-t$`TWlBJAKdh*Y}-!?z!iAp8MQCpL0<Z*c1rJfug{Yp<K%G=JA`n
zKu%yD1x5x_U?B%|Ac_KM{tpRK38p~G4(OtT&WCdU+r<L|g7PR3qXY5;%JYu{!i#c5
z>HGtEP%2<SI~m8tZ(J6{nR6tcx?`*^;L7lA5J-U!1Vo^Cpnv`UMGzMRfRcoAxy73U
zJvhKXWiX#y(&b(ScyF<i%Y09Cx&jPL0W*<Bu6;qHzqRZuMVJkg-q@-!M-Ak8=WMnK
z7N(Js9U&@jWd`ev7X0x>W1{=gGb>DV(5!@AmxDgO;&T*6x<x4NX8#G5))(94NIU5d
zJy$*{>dkhK>_?vBRbRC@E)X6$G{!s6CPLxV{$o`sV=~!EoWGu=nTC?Rh#N`U-puvz
zLSvd`pYX?tERoss3zIabhY^YvBkx^^ZO>(ma+s;zrT$}vp)q<l20wjT;nqU@ZWDdN
z+tWDnb9Lc@guLIprJid4F=~v5m^-xC7BJkqvdrz`>7~x^TtW%wO0*)SLbu<iJ}b=I
zi0g0BX5cm#^jUW=M;QrWsx``5lG_VEth2<A$||u1DsGB8^(!~&@*rd{C5Y#HuZNbf
z?rB1cQ37>hY&`-Xq?-|G;P;*Tot}vK5czFRS`!DCzk;6S>*tB;V&2Td5jKRYdx8wc
zM%$X~bAtI?rT5U<voF3godS_fJI*XbbR8(56N6+5bP{X+cBtI-=Wn%LL!RHai&Uww
z=s=$3Tu(nfObXWWFP}2@3xGnhCLWc>S-nl-V{qs6!+H4En2c7|#644UYFe-RZT7ln
zQJ0xXrmIAWgJO-)7~xh7_%gq5MN)$2G!{}gW&P!n@Q*wC5fhj`#PwT8b<Y{3eiUQ{
z2M_f5*pm$No)%eB*hVEwf_cf`*S@NOiyM(mU_p&lyfMAA*}w32df|@G-4cf(i)AaW
zjkh%E)1fQ%){cGN?MJaK9gL5f^G$l6o!%ZPe<wR;fKeoy_+xjMUheNqi^+HRsFaOF
zlGciTd|0dqz8=4qb%&=<uRUHoE78X6I(3t#X!#{<v+y{R-Vb4yk@$o}tr4da{XJ|?
zM~&*YT9MN&R=|6(?nz1xFFruQs_!FcpI`7$JiBwZZmL9C2I3`LL7>bekNS-@slxl*
z-qUT2H+8Q$X5^_((SJG3O0&>>GjS68uREx9g;mP7t)w>YC|2)4`wPO_py!W8WR!6|
z(Z!55XY@D|;|ptak9Ey{YiU}kb6@FRK}S+%a-|1p=Hj7PKR(f=S6fak48jm)K*;R=
zqrq!!u!cQO*~Yfs`tZ7%s7SKoE%UBV5T$|F;c!Xbh=D=fN2YZRSw7FL>HAV>dUg1I
z)4LzPgCnuNuc)hUMZx3ej0Z|@l{BQBT*9d|sKl+sMrm8Dx=j1PAH$Q+cL%3sL`>2R
z^b2xdn$JECm}3ebIj^G>e*rn-TqI<U2){rQJso|qD{Y41BJxajl`Gx?*oOeEY>k;h
zm}v^s8LVfP*3XTZJoz3UlHXM&Bu?$HM%4F-sT<-*{6iwhr3s=lw{M;;{L}qGDLp;4
zi@@TG^9qdM*cMX1mAqNYb$lNd)z-a`AQlioyAzX`1Zu?G9G^GKHTk`UFTU%$-1D~t
z<dtKsoGSTetu0v&fy^dk)P&uqWJ(o$kSif%WZ}riC)t$hj*2%np&i2ohCyd7PwBi!
zWGlx%#Y^LX3+Aggq&k+E!uK1Kw2#oJKSg@NXEPsL@ykq~kqcT;jg#h~*>9a;o~+`Q
zs#A=)KtUkc3+1X9JGivQk0T|aUtf7^nZPq&4nmvj?~J5-DTf9=p?U)XI9`T5G?39k
z<z_g#`_g`)Em2B;;*v`cEpb#F;0^Eq1RPWdKog(_xN(38fIxshzypQ+XH^I-2<ErF
zO7cLUwJ{h?4YZaH8m;j+iUO|rv&0F_qktbDP&5z_a4<6dQGov~v@He-gzGu;JMpku
zHCW1*bCPnY_Ww(0&*8!xF26Auv6OW6EjBXJh@yZI*Ba=3lefNndFu^I*HZ06T-FXF
zK^?wr<{XOXv8sIVT}~TwL!)gfWN2ydA^*_J&nI%<EQe?+A^ft0fQ#N3Lt8g1_3_6{
zA<2?EQG1=qZ#E3){N3S}0vBPk!LmHW8J}^Q)80oSzC!2sob-L;CuSO15&{ps0?E#@
zt|3;hu#I=GdCQ(r$cf?Dwk{-L8L&=Q<X7huzp?N7wdc>~7JSWAa$s}dWJoO(qZhy2
zW|v+gOX$1VPd_8?aaOntJzad`Ws$%;a?X4wRIzhm!cQO!5UcwPVfWN^aCd?u_6meX
z<Fn@mqnSI34Qh2_zJI05%9kPX(HZ{In*y<f?d@AQ8->a8O%;mYdb!ac`LcEIbi*Nn
z$Z9S@e`hp5aKb*e)E|SOpB4JnsxTtlsA~4Nl3ZV%DL^x`{6rvYg}FR*k<-Y;0DE@}
z#3(t98(=v;4g`mMti-<rDsNf@GTNEV`dc@v01w)Ob3;;>iS1>F^h=!6TJUSPpDd^;
z4=>FyAL;qIo_0>I%9BBBJX$ZcS+wr3LINU|0b((Efpt^9r|M05Ud^fLjrwGF(;=AA
zQu$*$<p~a-p+|vPxX4mH%x+aD^PBjo%>u1hX#^D)w6x?7?+P7$fRh2SI7SO>aNzQW
zoBcYVH_KSps%LlKsd7?(3I^b5Ud>|DA){NrXnzHN<6C$4sOsn8ou03Sy(8u((5^J5
ztUI3UN(%@(8Bu|~ozmjpa@Jr|kKDL2cN<675UQRI%{w-|#-erxx*ulSFror-Br#eS
z$#?wBEGjyzV%^2aYm4C-ai-ozTIZhtI$Ln0&e~HJN5<SF1c_hX>j=3A@J%M!^GnIS
zj#kIri|f+gbE?~c>t%Fen^`BDS1+B=o<<3iUwR#;A7hxkx-xWQ_^@Vp3BIDvCMs9I
z#lToMM|B)F5MoE#Jdwq4;I5%)UOju|T=d$Ry6d9#>3nIU@1xWS<M+4$`N?RPA-P@m
z)@X;Nvb5(u@~QO=0YluqxbM(I9Ple7fq~IxUMcPU>L8PW4CU5%$*@nNrc!H7xDJPa
zZ=&*(?WSq-Z4bpqs)909IIW&<Vuz{K;(kV0B}1+!M9u#6ys|{H!?V0AL1*Y(h+>F<
z5$VTtvMw)Qe(knHJUlFdgZTQ?{Owptksuzym^&glW%4O5`yta(Q#;q~bM;3C-0WID
zWscpTVs08zdo~jC$1f>l9j^%NDz+Bb|ET^>EEvyDd!*Jg<f1u#yMKDo<;;o5ciPZq
zy;F?6ro@41uF&s7P%n1ouU6ZVja;LxU6H37F@D!p<@E~>k%|P%W2><SGml&oR&bL+
z#OeqGw`N1T$eOqgwz`&@zkyPLYP$XGtZ<4jcahr%s_+)E9H0?@`aV`4?U{>EMV&*T
zQM`YCKM)WC03&3!eU%ip;M|@a7S@R&`86xqY05<34@<CiC%)%=`pICy#d<tEaanQE
U%*5g616{qC$m3#X{x72b1-cdi4gdfE

literal 0
HcmV?d00001

diff --git a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
index a4b733ec7d894..a4a2e672f3afe 100644
--- a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
+++ b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
@@ -283,9 +283,9 @@ private static SSLContext getSSLContext() throws Exception {
             assertNotNull("can't find keystore file", stream);
             ks.load(stream, passphrase);
         }
-        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
         kmf.init(ks, passphrase);
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
         tmf.init(ks);
         SSLContext ssl = SSLContext.getInstance(getProtocol());
         ssl.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk18on-1.78.jar.sha1 b/plugins/identity-shiro/licenses/bcprov-jdk18on-1.78.jar.sha1
deleted file mode 100644
index 47fb5fd5e5f5d..0000000000000
--- a/plugins/identity-shiro/licenses/bcprov-jdk18on-1.78.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-619aafb92dc0b4c6cc4cf86c487ca48ee2d67a8e
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk18on-LICENSE.txt b/plugins/identity-shiro/licenses/bcprov-jdk18on-LICENSE.txt
deleted file mode 100644
index 9f27bafe96885..0000000000000
--- a/plugins/identity-shiro/licenses/bcprov-jdk18on-LICENSE.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2000 - 2013 The Legion of the Bouncy Castle Inc.
-                          (http://www.bouncycastle.org)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/plugins/identity-shiro/licenses/password4j-1.8.2.jar.sha1 b/plugins/identity-shiro/licenses/password4j-1.8.2.jar.sha1
new file mode 100644
index 0000000000000..bee14467d32a2
--- /dev/null
+++ b/plugins/identity-shiro/licenses/password4j-1.8.2.jar.sha1
@@ -0,0 +1 @@
+f8ac106c667c0b081075e81a90dc92861b9bb66e
\ No newline at end of file
diff --git a/plugins/identity-shiro/licenses/password4j-LICENSE.txt b/plugins/identity-shiro/licenses/password4j-LICENSE.txt
new file mode 100644
index 0000000000000..261eeb9e9f8b2
--- /dev/null
+++ b/plugins/identity-shiro/licenses/password4j-LICENSE.txt
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk18on-NOTICE.txt b/plugins/identity-shiro/licenses/password4j-NOTICE.txt
similarity index 100%
rename from plugins/identity-shiro/licenses/bcprov-jdk18on-NOTICE.txt
rename to plugins/identity-shiro/licenses/password4j-NOTICE.txt
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
index 9c900836d3a66..a1945bab6a4ed 100644
--- a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
@@ -12,14 +12,14 @@
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authc.credential.CredentialsMatcher;
-import com.password4j.BcryptFunction;
-import com.password4j.Password;
 import org.opensearch.SpecialPermission;
 
 import java.nio.CharBuffer;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.util.Arrays;
+
+import com.password4j.BcryptFunction;
+import com.password4j.Password;
 
 import static org.opensearch.core.common.Strings.isNullOrEmpty;
 
@@ -49,23 +49,13 @@ private boolean check(char[] password, String hash) {
             throw new IllegalStateException("Hash cannot be empty or null");
         }
         CharBuffer passwordBuffer = CharBuffer.wrap(password);
-        try {
-            SecurityManager securityManager = System.getSecurityManager();
-            if (securityManager != null) {
-                securityManager.checkPermission(new SpecialPermission());
-            }
-            return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> Password.check(passwordBuffer, hash)
-                .with(BcryptFunction.getInstanceFromHash(hash)));
-        } finally {
-            cleanup(passwordBuffer);
+        SecurityManager securityManager = System.getSecurityManager();
+        if (securityManager != null) {
+            securityManager.checkPermission(new SpecialPermission());
         }
-    }
-
-    private void cleanup(CharBuffer password) {
-        password.clear();
-        char[] passwordOverwrite = new char[password.capacity()];
-        Arrays.fill(passwordOverwrite, '\0');
-        password.put(passwordOverwrite);
+        return AccessController.doPrivileged(
+            (PrivilegedAction<Boolean>) () -> Password.check(passwordBuffer, hash).with(BcryptFunction.getInstanceFromHash(hash))
+        );
     }
 
 }
diff --git a/plugins/repository-azure/build.gradle b/plugins/repository-azure/build.gradle
index 332651e37cfa4..5dae37d80ca6a 100644
--- a/plugins/repository-azure/build.gradle
+++ b/plugins/repository-azure/build.gradle
@@ -213,9 +213,6 @@ thirdPartyAudit {
     // Worth nothing that, the latest dependency "net.shibboleth.utilities:java-support:8.0.0" has many vulnerabilities.
     // Hence ignored.
     'net.shibboleth.utilities.java.support.xml.SerializeSupport',
-    'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
-    'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
-    'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
     'org.bouncycastle.cert.X509CertificateHolder',
     'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
     'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
diff --git a/plugins/telemetry-otel/build.gradle b/plugins/telemetry-otel/build.gradle
index 54f4f2f897562..3c8aedb4a12d2 100644
--- a/plugins/telemetry-otel/build.gradle
+++ b/plugins/telemetry-otel/build.gradle
@@ -44,13 +44,13 @@ dependencies {
 
 thirdPartyAudit {
   ignoreViolations(
-   'io.opentelemetry.internal.shaded.jctools.queues.MpscArrayQueueConsumerIndexField',
-   'io.opentelemetry.internal.shaded.jctools.queues.MpscArrayQueueProducerIndexField',
-   'io.opentelemetry.internal.shaded.jctools.queues.MpscArrayQueueProducerLimitField',
-   'io.opentelemetry.internal.shaded.jctools.util.UnsafeAccess',
-   'io.opentelemetry.internal.shaded.jctools.util.UnsafeRefArrayAccess',
-   'io.opentelemetry.exporter.internal.marshal.UnsafeAccess',
-   'io.opentelemetry.exporter.internal.marshal.UnsafeAccess$UnsafeHolder'
+    'io.opentelemetry.internal.shaded.jctools.queues.MpscArrayQueueConsumerIndexField',
+    'io.opentelemetry.internal.shaded.jctools.queues.MpscArrayQueueProducerIndexField',
+    'io.opentelemetry.internal.shaded.jctools.queues.MpscArrayQueueProducerLimitField',
+    'io.opentelemetry.internal.shaded.jctools.util.UnsafeAccess',
+    'io.opentelemetry.internal.shaded.jctools.util.UnsafeRefArrayAccess',
+    'io.opentelemetry.exporter.internal.marshal.UnsafeAccess',
+    'io.opentelemetry.exporter.internal.marshal.UnsafeAccess$UnsafeHolder'
   )
 
   ignoreMissingClasses(
@@ -73,8 +73,6 @@ thirdPartyAudit {
     'io.grpc.stub.AbstractFutureStub',
     'io.grpc.stub.AbstractStub',
     'io.grpc.stub.ClientCalls',
-    'org.bouncycastle.jsse.BCSSLParameters',
-    'org.bouncycastle.jsse.BCSSLSocket',
     'org.conscrypt.Conscrypt',
     'org.conscrypt.Conscrypt$Version',
     'org.conscrypt.ConscryptHostnameVerifier',
diff --git a/server/build.gradle b/server/build.gradle
index e9bc4be170feb..875b25a671081 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -115,8 +115,8 @@ dependencies {
   api libs.roaringbitmap
 
   // bouncyCastle
-  api 'org.bouncycastle:bc-fips:1.0.2.5'
-  api 'org.bouncycastle:bctls-fips:1.0.19'
+  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
 
   testImplementation 'org.awaitility:awaitility:4.2.2'
   testImplementation(project(":test:framework")) {
@@ -154,6 +154,10 @@ tasks.named("forbiddenPatterns").configure {
     exclude '**/*.meta'
 }
 
+tasks.named("dependencyLicenses").configure {
+  mapping from: /bc.*/, to: 'bouncycastle'
+}
+
 tasks.named("testingConventions").configure {
     naming.clear()
     naming {
@@ -345,6 +349,18 @@ tasks.named("thirdPartyAudit").configure {
             'com.google.protobuf.UnsafeUtil$MemoryAccessor',
             'org.apache.logging.log4j.core.util.internal.UnsafeUtil',
             'org.apache.logging.log4j.core.util.internal.UnsafeUtil$1',
+            'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
+            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2',
             'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'
     )
 }
diff --git a/server/licenses/bc-fips-1.0.2.4.jar.sha1 b/server/licenses/bc-fips-1.0.2.4.jar.sha1
new file mode 100644
index 0000000000000..da37449f80d7e
--- /dev/null
+++ b/server/licenses/bc-fips-1.0.2.4.jar.sha1
@@ -0,0 +1 @@
+9008d04fc13da6455e6a792935b93b629757335d
\ No newline at end of file
diff --git a/server/licenses/bctls-fips-1.0.19.jar.sha1 b/server/licenses/bctls-fips-1.0.19.jar.sha1
new file mode 100644
index 0000000000000..7f0eb6e1c6bea
--- /dev/null
+++ b/server/licenses/bctls-fips-1.0.19.jar.sha1
@@ -0,0 +1 @@
+b15d650f6e2a9de08d5569e25a642b6a384dbfd2
\ No newline at end of file
diff --git a/server/licenses/bouncycastle-LICENSE.txt b/server/licenses/bouncycastle-LICENSE.txt
new file mode 100644
index 0000000000000..5c7c14696849d
--- /dev/null
+++ b/server/licenses/bouncycastle-LICENSE.txt
@@ -0,0 +1,14 @@
+Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/server/licenses/bouncycastle-NOTICE.txt b/server/licenses/bouncycastle-NOTICE.txt
new file mode 100644
index 0000000000000..8b137891791fe
--- /dev/null
+++ b/server/licenses/bouncycastle-NOTICE.txt
@@ -0,0 +1 @@
+
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index 66cc85ee33756..69816e435c48f 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -199,14 +199,13 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
         );
 
         var isFipsEnabled = FipsSettings.FIPS_ENABLED.get(settings);
-        var isRunningInFipsMode = CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
-
-        if (!isRunningInFipsMode && isFipsEnabled){
-            throw new BootstrapException(new RuntimeException("cannot enable FIPS mode"));
-        }
-
-        if (isRunningInFipsMode) {
-            LogManager.getLogger(Bootstrap.class).info("running in FIPS mode");
+        try {
+            var isRunningInFipsMode = CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
+            if (isRunningInFipsMode) {
+                LogManager.getLogger(Bootstrap.class).info("running in FIPS mode");
+            }
+        } catch (Exception e) {
+            throw new BootstrapException(e);
         }
 
         // initialize probes before the security manager is installed
diff --git a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java b/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
index 958a1440ec29f..9f667b1497a2e 100644
--- a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
+++ b/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
@@ -15,9 +15,6 @@
  */
 public class FipsSettings {
 
-    public static final Setting<Boolean> FIPS_ENABLED = Setting.boolSetting(
-        "fips.approved",
-        false,
-        Property.NodeScope);
+    public static final Setting<Boolean> FIPS_ENABLED = Setting.boolSetting("fips.approved", false, Property.NodeScope);
 
 }
diff --git a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
index ed58e6b21e165..81fb1309df310 100644
--- a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
+++ b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
@@ -449,7 +449,7 @@ private byte[] encrypt(char[] password, byte[] salt, byte[] iv) throws GeneralSe
 
     private void decryptLegacyEntries() throws GeneralSecurityException, IOException {
         // v1 and v2 keystores never had passwords actually used, so we always use an empty password
-        KeyStore keystore = KeyStore.getInstance("PKCS12");
+        KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
         Map<String, EntryType> settingTypes = new HashMap<>();
         ByteArrayInputStream inputBytes = new ByteArrayInputStream(dataBytes);
         try (DataInputStream input = new DataInputStream(inputBytes)) {
@@ -488,7 +488,7 @@ private void decryptLegacyEntries() throws GeneralSecurityException, IOException
 
         // fill in the entries now that we know all the types to expect
         this.entries.set(new HashMap<>());
-        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBE");
+        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
         KeyStore.PasswordProtection password = new KeyStore.PasswordProtection("".toCharArray());
 
         for (Map.Entry<String, EntryType> settingEntry : settingTypes.entrySet()) {
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index ee75ad91904a4..fb3d62ab432db 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -95,24 +95,21 @@ grant codeBase "${codebase.reactor-core}" {
 
 // security
 grant {
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
+    permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission java.lang.RuntimePermission "getProtectionDomain";
+    permission java.io.FilePermission "${java.home}/lib/security/jssecacerts", "read";
+    permission java.io.FilePermission "${java.home}/lib/security/cacerts", "read";
     permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.keystore.type.compat";
     permission java.security.SecurityPermission "getProperty.org.bouncycastle.*";
     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
     permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
-    permission java.lang.RuntimePermission "getProtectionDomain";
     permission java.util.PropertyPermission "java.runtime.name", "read";
-    permission org.bouncycastle.crypto.CryptoServicesPermission "changeToApprovedModeEnabled";
-    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
-    //io.netty.handler.codec.DecoderException
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
-    //java.security.InvalidAlgorithmParameterException: Cannot process GCMParameterSpec
-    permission java.lang.RuntimePermission "accessDeclaredMembers";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
-    permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
-    permission java.io.FilePermission "${javaHome}/lib/security/jssecacerts", "read";
+    permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
 };
 
 //// Everything else:
diff --git a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
index 78f302e9b23db..8492c9f12fdd8 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
@@ -167,5 +167,5 @@ grant {
   permission org.opensearch.secure_sm.ThreadContextPermission "markAsSystemContext";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashAndMergeHeaders";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashWithOrigin";
-  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
+  permission org.bouncycastle.crypto.CryptoServicesPermission "changeToApprovedModeEnabled";
 };

From 30c0b323913a1f01764fbe50afad6abc5039cc85 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 8 Aug 2024 09:48:15 +0200
Subject: [PATCH 03/21] disable approved-only mode for launch configuration of
 testcluster

Signed-off-by: Iwan Igonin <iigonin@sternad.de>

# Conflicts:
#	buildSrc/version.properties
---
 .../java/org/opensearch/gradle/testclusters/OpenSearchNode.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index 974ef2c89efae..1f4f4a447a1fd 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -1187,7 +1187,7 @@ private void createConfiguration() {
         baseConfig.put("indices.breaker.total.use_real_memory", "false");
         // Don't wait for state, just start up quickly. This will also allow new and old nodes in the BWC case to become the master
         baseConfig.put("discovery.initial_state_timeout", "0s");
-        baseConfig.put("fips.approved", "true");
+        baseConfig.put("fips.approved", "false");
 
         HashSet<String> overriden = new HashSet<>(baseConfig.keySet());
         overriden.retainAll(settings.keySet());

From 0ef725d2b91d448f3a3b80aa8143d74b0661800d Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 8 Aug 2024 13:09:40 +0200
Subject: [PATCH 04/21] update all BC libraries to support JAVA 21

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 client/rest/build.gradle                            | 13 +------------
 client/rest/licenses/bc-fips-1.0.2.4.jar.sha1       |  1 -
 client/rest/licenses/bc-fips-2.0.0.jar.sha1         |  1 +
 client/rest/licenses/bctls-fips-1.0.19.jar.sha1     |  1 -
 client/rest/licenses/bctls-fips-2.0.19.jar.sha1     |  1 +
 client/rest/licenses/bcutil-fips-2.0.3.jar.sha1     |  1 +
 .../plugin-cli/licenses/bc-fips-2.0.0.jar.sha1      |  1 -
 gradle/libs.versions.toml                           |  9 +++++----
 libs/ssl-config/build.gradle                        |  1 +
 libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1 |  1 -
 libs/ssl-config/licenses/bcpkix-fips-2.0.7.jar.sha1 |  1 +
 server/build.gradle                                 | 13 +------------
 server/licenses/bc-fips-1.0.2.4.jar.sha1            |  1 -
 server/licenses/bc-fips-2.0.0.jar.sha1              |  1 +
 server/licenses/bctls-fips-1.0.19.jar.sha1          |  1 -
 server/licenses/bctls-fips-2.0.19.jar.sha1          |  1 +
 server/licenses/bcutil-fips-2.0.3.jar.sha1          |  1 +
 17 files changed, 15 insertions(+), 34 deletions(-)
 delete mode 100644 client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
 create mode 100644 client/rest/licenses/bc-fips-2.0.0.jar.sha1
 delete mode 100644 client/rest/licenses/bctls-fips-1.0.19.jar.sha1
 create mode 100644 client/rest/licenses/bctls-fips-2.0.19.jar.sha1
 create mode 100644 client/rest/licenses/bcutil-fips-2.0.3.jar.sha1
 delete mode 100644 distribution/tools/plugin-cli/licenses/bc-fips-2.0.0.jar.sha1
 delete mode 100644 libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1
 create mode 100644 libs/ssl-config/licenses/bcpkix-fips-2.0.7.jar.sha1
 delete mode 100644 server/licenses/bc-fips-1.0.2.4.jar.sha1
 create mode 100644 server/licenses/bc-fips-2.0.0.jar.sha1
 delete mode 100644 server/licenses/bctls-fips-1.0.19.jar.sha1
 create mode 100644 server/licenses/bctls-fips-2.0.19.jar.sha1
 create mode 100644 server/licenses/bcutil-fips-2.0.3.jar.sha1

diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index 8e3d82c9a95b8..049d66eb99ddb 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -53,6 +53,7 @@ dependencies {
   api "org.slf4j:slf4j-api:${versions.slf4j}"
   api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
+  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 
   // reactor
   api "io.projectreactor:reactor-core:${versions.reactor}"
@@ -147,18 +148,6 @@ thirdPartyAudit {
       'reactor.blockhound.integration.BlockHoundIntegration'
    )
    ignoreViolations(
-      'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
-      'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2',
       'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'
    )
 }
diff --git a/client/rest/licenses/bc-fips-1.0.2.4.jar.sha1 b/client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
deleted file mode 100644
index da37449f80d7e..0000000000000
--- a/client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9008d04fc13da6455e6a792935b93b629757335d
\ No newline at end of file
diff --git a/client/rest/licenses/bc-fips-2.0.0.jar.sha1 b/client/rest/licenses/bc-fips-2.0.0.jar.sha1
new file mode 100644
index 0000000000000..d635985983ebc
--- /dev/null
+++ b/client/rest/licenses/bc-fips-2.0.0.jar.sha1
@@ -0,0 +1 @@
+ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab
diff --git a/client/rest/licenses/bctls-fips-1.0.19.jar.sha1 b/client/rest/licenses/bctls-fips-1.0.19.jar.sha1
deleted file mode 100644
index 7f0eb6e1c6bea..0000000000000
--- a/client/rest/licenses/bctls-fips-1.0.19.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-b15d650f6e2a9de08d5569e25a642b6a384dbfd2
\ No newline at end of file
diff --git a/client/rest/licenses/bctls-fips-2.0.19.jar.sha1 b/client/rest/licenses/bctls-fips-2.0.19.jar.sha1
new file mode 100644
index 0000000000000..2c7aff0e46a13
--- /dev/null
+++ b/client/rest/licenses/bctls-fips-2.0.19.jar.sha1
@@ -0,0 +1 @@
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76
diff --git a/client/rest/licenses/bcutil-fips-2.0.3.jar.sha1 b/client/rest/licenses/bcutil-fips-2.0.3.jar.sha1
new file mode 100644
index 0000000000000..d553536576656
--- /dev/null
+++ b/client/rest/licenses/bcutil-fips-2.0.3.jar.sha1
@@ -0,0 +1 @@
+a1857cd639295b10cc90e6d31ecbc523cdafcc19
\ No newline at end of file
diff --git a/distribution/tools/plugin-cli/licenses/bc-fips-2.0.0.jar.sha1 b/distribution/tools/plugin-cli/licenses/bc-fips-2.0.0.jar.sha1
deleted file mode 100644
index 79f0e3e9930bb..0000000000000
--- a/distribution/tools/plugin-cli/licenses/bc-fips-2.0.0.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab
\ No newline at end of file
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 07928ca3a4942..9dc0f5ad58d69 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -58,10 +58,11 @@ reactivestreams   = "1.0.4"
 # when updating this version, you need to ensure compatibility with:
 #  - plugins/ingest-attachment (transitive dependency, check the upstream POM)
 #  - distribution/tools/plugin-cli
-bouncycastle_jce  = "1.0.2.4"
-bouncycastle_tls  = "1.0.19"
-bouncycastle_pkix = "1.0.7"
-bouncycastle_pg   = "1.0.7.1"
+bouncycastle_jce  = "2.0.0"
+bouncycastle_tls  = "2.0.19"
+bouncycastle_pkix = "2.0.7"
+bouncycastle_pg   = "2.0.8"
+bouncycastle_util = "2.0.3"
 # test dependencies
 randomizedrunner  = "2.7.1"
 junit             = "4.13.2"
diff --git a/libs/ssl-config/build.gradle b/libs/ssl-config/build.gradle
index f2da097a7fe09..68f3cae7a0ac2 100644
--- a/libs/ssl-config/build.gradle
+++ b/libs/ssl-config/build.gradle
@@ -38,6 +38,7 @@ dependencies {
   // bouncyCastle
   implementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
   compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 
   testImplementation(project(":test:framework")) {
     exclude group: 'org.opensearch', module: 'opensearch-ssl-config'
diff --git a/libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1 b/libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1
deleted file mode 100644
index 57cf4cfe10b5f..0000000000000
--- a/libs/ssl-config/licenses/bcpkix-fips-1.0.7.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-fe07959721cfa2156be9722ba20fdfee2b5441b0
diff --git a/libs/ssl-config/licenses/bcpkix-fips-2.0.7.jar.sha1 b/libs/ssl-config/licenses/bcpkix-fips-2.0.7.jar.sha1
new file mode 100644
index 0000000000000..ff463e602ad88
--- /dev/null
+++ b/libs/ssl-config/licenses/bcpkix-fips-2.0.7.jar.sha1
@@ -0,0 +1 @@
+01eea0f325315ca6295b0a6926ff862d8001cdf9
diff --git a/server/build.gradle b/server/build.gradle
index 875b25a671081..f12dfaaba91de 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -117,6 +117,7 @@ dependencies {
   // bouncyCastle
   api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
+  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 
   testImplementation 'org.awaitility:awaitility:4.2.2'
   testImplementation(project(":test:framework")) {
@@ -349,18 +350,6 @@ tasks.named("thirdPartyAudit").configure {
             'com.google.protobuf.UnsafeUtil$MemoryAccessor',
             'org.apache.logging.log4j.core.util.internal.UnsafeUtil',
             'org.apache.logging.log4j.core.util.internal.UnsafeUtil$1',
-            'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
-            'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2',
             'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'
     )
 }
diff --git a/server/licenses/bc-fips-1.0.2.4.jar.sha1 b/server/licenses/bc-fips-1.0.2.4.jar.sha1
deleted file mode 100644
index da37449f80d7e..0000000000000
--- a/server/licenses/bc-fips-1.0.2.4.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9008d04fc13da6455e6a792935b93b629757335d
\ No newline at end of file
diff --git a/server/licenses/bc-fips-2.0.0.jar.sha1 b/server/licenses/bc-fips-2.0.0.jar.sha1
new file mode 100644
index 0000000000000..d635985983ebc
--- /dev/null
+++ b/server/licenses/bc-fips-2.0.0.jar.sha1
@@ -0,0 +1 @@
+ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab
diff --git a/server/licenses/bctls-fips-1.0.19.jar.sha1 b/server/licenses/bctls-fips-1.0.19.jar.sha1
deleted file mode 100644
index 7f0eb6e1c6bea..0000000000000
--- a/server/licenses/bctls-fips-1.0.19.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-b15d650f6e2a9de08d5569e25a642b6a384dbfd2
\ No newline at end of file
diff --git a/server/licenses/bctls-fips-2.0.19.jar.sha1 b/server/licenses/bctls-fips-2.0.19.jar.sha1
new file mode 100644
index 0000000000000..2c7aff0e46a13
--- /dev/null
+++ b/server/licenses/bctls-fips-2.0.19.jar.sha1
@@ -0,0 +1 @@
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76
diff --git a/server/licenses/bcutil-fips-2.0.3.jar.sha1 b/server/licenses/bcutil-fips-2.0.3.jar.sha1
new file mode 100644
index 0000000000000..d553536576656
--- /dev/null
+++ b/server/licenses/bcutil-fips-2.0.3.jar.sha1
@@ -0,0 +1 @@
+a1857cd639295b10cc90e6d31ecbc523cdafcc19
\ No newline at end of file

From a33a10f678fc889bb00b1ba779dc22d17000b420 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 8 Aug 2024 17:35:13 +0200
Subject: [PATCH 05/21] try to pass bwc staged build by adding expected version

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../java/org/opensearch/gradle/testclusters/OpenSearchNode.java  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index 1f4f4a447a1fd..aaa2daef2a158 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -1187,7 +1187,6 @@ private void createConfiguration() {
         baseConfig.put("indices.breaker.total.use_real_memory", "false");
         // Don't wait for state, just start up quickly. This will also allow new and old nodes in the BWC case to become the master
         baseConfig.put("discovery.initial_state_timeout", "0s");
-        baseConfig.put("fips.approved", "false");
 
         HashSet<String> overriden = new HashSet<>(baseConfig.keySet());
         overriden.retainAll(settings.keySet());

From 54e31bedf63d2d0a9dbbc23d2b5f55c7cc980139 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Fri, 30 Aug 2024 19:03:16 +0200
Subject: [PATCH 06/21] ensure FIPS-mode can be enabled by fixing existent and
 creating additional tests.

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../main/resources/test/ssl/test-node.bcfks   | Bin 0 -> 3775 bytes
 client/rest/build.gradle                      |   7 +-
 .../client/FipsEnabledThreadFactory.java      |  36 ++++
 .../opensearch/client/RestClientBuilder.java  |   2 +
 .../client/RestClientBuilderIntegTests.java   |  90 ++++++----
 .../RestClientDocumentation.java              |  11 +-
 .../HeapBufferedAsyncEntityConsumerTests.java |  18 +-
 .../src/test/resources/test_truststore.bcfks  | Bin 0 -> 1502 bytes
 .../src/test/resources/test_truststore.jks    | Bin 1097 -> 0 bytes
 client/rest/src/test/resources/testks.bcfks   | Bin 0 -> 2889 bytes
 client/rest/src/test/resources/testks.jks     | Bin 2381 -> 0 bytes
 client/test/build.gradle                      |   6 +
 .../opensearch/client/RestClientTestCase.java |  11 +-
 .../opensearch/bootstrap/BootstrapTests.java  |   1 +
 .../keystore/AddFileKeyStoreCommandTests.java |   7 +-
 .../AddStringKeyStoreCommandTests.java        |   7 +-
 .../ChangeKeyStorePasswordCommandTests.java   |   8 +-
 .../keystore/CreateKeyStoreCommandTests.java  |  16 +-
 .../HasPasswordKeyStoreCommandTests.java      |   5 +-
 .../cli/keystore/KeyStoreWrapperTests.java    |  36 ++--
 .../keystore/ListKeyStoreCommandTests.java    |   4 +
 .../RemoveSettingKeyStoreCommandTests.java    |   1 +
 libs/common/build.gradle                      |   2 +
 .../common/crypto/KeyStoreFactory.java        |  56 +++++++
 .../common/crypto/KeyStoreType.java           |  68 ++++++++
 libs/ssl-config/build.gradle                  |   1 +
 .../common/ssl/DefaultJdkTrustConfig.java     |   4 +-
 .../opensearch/common/ssl/KeyStoreUtil.java   |  24 +--
 .../org/opensearch/common/ssl/PemUtils.java   |  13 +-
 .../common/ssl/SslConfiguration.java          |  22 +--
 .../common/ssl/SslConfigurationLoader.java    |  40 +++--
 .../opensearch/common/ssl/StoreKeyConfig.java |   8 +-
 .../common/ssl/StoreTrustConfig.java          |   8 +-
 .../common/ssl/TrustEverythingConfig.java     |  12 ++
 .../common/ssl/PemKeyConfigTests.java         |  14 +-
 .../opensearch/common/ssl/PemUtilsTests.java  |  91 +++++++---
 .../ssl/SslConfigurationLoaderTests.java      |  53 +++++-
 .../common/ssl/SslConfigurationTests.java     |   4 +-
 .../common/ssl/SslDiagnosticsTests.java       |  18 +-
 .../common/ssl/StoreKeyConfigTests.java       |  93 +++++++----
 .../common/ssl/StoreTrustConfigTests.java     |  52 +++---
 .../src/test/resources/certs/README.md        | 155 ++++++++++++++++++
 .../src/test/resources/certs/README.txt       |  85 ----------
 .../src/test/resources/certs/ca-all/ca.bcfks  | Bin 0 -> 2909 bytes
 .../test/resources/certs/cert-all/certs.bcfks | Bin 0 -> 4901 bytes
 .../test/resources/certs/cert-all/certs.p12   | Bin 4757 -> 4895 bytes
 .../resources/certs/cert1/cert1-pkcs1.crt     |  19 +++
 .../resources/certs/cert1/cert1-pkcs1.key     |  27 +++
 .../resources/certs/cert1/cert1-pkcs8.key     |  28 ----
 .../src/test/resources/certs/cert1/cert1.crt  |  34 ++--
 .../src/test/resources/certs/cert1/cert1.key  |  55 ++++---
 .../src/test/resources/certs/cert1/cert1.p12  | Bin 2456 -> 2606 bytes
 .../resources/certs/cert2/cert2-pkcs1.crt     |  19 +++
 .../resources/certs/cert2/cert2-pkcs1.key     |  30 ++++
 .../resources/certs/cert2/cert2-pkcs8.key     |  29 ----
 .../src/test/resources/certs/cert2/cert2.crt  |  34 ++--
 .../src/test/resources/certs/cert2/cert2.key  |  60 +++----
 .../src/test/resources/certs/cert2/cert2.p12  | Bin 2456 -> 2606 bytes
 .../test/resources/certs/pem-utils/README.md  |  70 +++++++-
 .../certs/pem-utils/key_DSA_enc_pbkdf2.pem    |  18 ++
 .../certs/pem-utils/key_EC_enc_pbkdf2.pem     |   6 +
 .../certs/pem-utils/key_PKCS8_enc_pbkdf2.pem  |  30 ++++
 .../resources/certs/pem-utils/testnode.bcfks  | Bin 0 -> 6009 bytes
 .../resources/certs/pem-utils/testnode.jks    | Bin 9360 -> 14572 bytes
 .../ingest/common/DateProcessorTests.java     |   1 -
 .../opensearch/index/reindex/Reindexer.java   |  37 ++++-
 ...ReindexFromRemoteBuildRestClientTests.java |   2 +-
 .../reindex/ReindexRestClientSslTests.java    |  58 +++++--
 .../org/opensearch/index/reindex/README.md    |  48 ++++++
 .../org/opensearch/index/reindex/README.txt   |  16 --
 .../org/opensearch/index/reindex/ca.key       |  30 ++++
 .../org/opensearch/index/reindex/ca.pem       |  43 +++--
 .../index/reindex/client/client.crt           |  35 ++--
 .../index/reindex/client/client.key           |  60 +++----
 .../opensearch/index/reindex/http/http.crt    |  38 ++---
 .../opensearch/index/reindex/http/http.key    |  60 +++----
 .../SecureNetty4HttpServerTransportTests.java |   4 +-
 .../ssl/SimpleSecureNetty4TransportTests.java |   4 +-
 .../AzureDiscoveryClusterFormationTests.java  |   9 +-
 plugins/repository-gcs/build.gradle           |   2 +-
 .../gcs/GoogleCloudStorageService.java        |  13 +-
 .../gcs/GoogleCloudStorageServiceTests.java   |   2 +-
 .../repositories/gcs/TestUtils.java           |   2 +-
 .../packaging/util/ServerUtils.java           |   4 +-
 .../common/settings/KeyStoreWrapper.java      |   8 +-
 .../org/opensearch/bootstrap/security.policy  |   5 +-
 .../test/OpenSearchIntegTestCase.java         |   4 -
 .../opensearch/test/OpenSearchTestCase.java   |   9 +-
 .../test/rest/OpenSearchRestTestCase.java     |   4 +-
 89 files changed, 1404 insertions(+), 642 deletions(-)
 create mode 100644 buildSrc/src/main/resources/test/ssl/test-node.bcfks
 create mode 100644 client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java
 create mode 100644 client/rest/src/test/resources/test_truststore.bcfks
 delete mode 100644 client/rest/src/test/resources/test_truststore.jks
 create mode 100644 client/rest/src/test/resources/testks.bcfks
 delete mode 100644 client/rest/src/test/resources/testks.jks
 create mode 100644 libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
 create mode 100644 libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
 create mode 100644 libs/ssl-config/src/test/resources/certs/README.md
 delete mode 100644 libs/ssl-config/src/test/resources/certs/README.txt
 create mode 100644 libs/ssl-config/src/test/resources/certs/ca-all/ca.bcfks
 create mode 100644 libs/ssl-config/src/test/resources/certs/cert-all/certs.bcfks
 create mode 100644 libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.crt
 create mode 100644 libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.key
 delete mode 100644 libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs8.key
 create mode 100644 libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.crt
 create mode 100644 libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.key
 delete mode 100644 libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs8.key
 create mode 100644 libs/ssl-config/src/test/resources/certs/pem-utils/key_DSA_enc_pbkdf2.pem
 create mode 100644 libs/ssl-config/src/test/resources/certs/pem-utils/key_EC_enc_pbkdf2.pem
 create mode 100644 libs/ssl-config/src/test/resources/certs/pem-utils/key_PKCS8_enc_pbkdf2.pem
 create mode 100644 libs/ssl-config/src/test/resources/certs/pem-utils/testnode.bcfks
 create mode 100644 modules/reindex/src/test/resources/org/opensearch/index/reindex/README.md
 delete mode 100644 modules/reindex/src/test/resources/org/opensearch/index/reindex/README.txt
 create mode 100644 modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.key

diff --git a/buildSrc/src/main/resources/test/ssl/test-node.bcfks b/buildSrc/src/main/resources/test/ssl/test-node.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..141eec9d66ded9d995087bcf2391631ce799b2b3
GIT binary patch
literal 3775
zcmV;w4nXlRf)2Ydf(`yKfs_UbDuzgg_YDCB4KRU*Fk}V^Duzgg_YDCB3@}#&K%SZH
zvTbzcJ9o8CAOp5V8Vx>R(x3=|1^rlqpO?!5vH1N)ag9@z&qsb!)7;_~<yy;}iWT`S
z3E(+G@wQ0+Mgjsr00IFZFboC=Duzgg_YDFI1pqJ}1_@w>NC9O71OYEF5d;iT^rgen
z<F_9vvhO<r0SE+w4Pz)IvHZ9nHKpco`|oh-O;bpt`Khlul&{X40oPgEGYp!b_Y%*q
zQiv;ktP#&|<XnD7BIE#k@-9^^^$J3WOim&2G*b8x>G)m*z(iuP;6;GaUFco8^fXJ{
zug6QX>x%2%$hh!g5ZDmsH583wOg1L-BQ;QVZghi5A5#BHRL<SuwX~IX^DX(2+{i{S
zS57=SaK`$ASezfEEQ8shW&oLn7A4tiVXHOlu7mXLA~Q%cjjEaK&;zvPpoQm}4HdfQ
zV9~Abu13|$5f{XOC(My5&eC`%Qibbxl8lEHW<WD3Tp*5j53$gfDuKJsShwG&9Bq$5
zs!2dGerVY{%!XpgjFZV)fK5tZ^J~eQTQAt!?yT^(csi}j?|xQizoJXTgHPxDD4Z^C
zKHG7+1jix4gxo@pMxPLPDj$nqu%+YK%>wNg+%P<i(>22`&Sp;<>|Z2J6sDuLmNc=s
z2%xFUHKAz)S4Q9r|GZqwVufnX(2_jEoq<6Pu1HWKTPYP@0X$x-YRz6Ih&f_RjhEvo
zF>}MjWI0^iBNbZK@W1>${m-{89w%{;D5>_;1ycRBn%4%i?hfueP?lwTBSY~FMRxps
zNYvH?a1QRu%9X6x8NkzxWcH4GWQTiNp`Jw2iZq5}Vvu5w7jYWdmNkH*?yd$V6Ye$j
z9m7ksj2Ds!2JWI%n(M?T-`>3IE`kOFq<tmw>dhF$!hXBN6W_qLUASD3#3ZqysVX=A
zd78@VL8zt06;!5-qim7bf@TkM-aHB({to527P<rLUBTewH0pDkDQ3`P6MD^vUpKyq
z{8)WRl?9pjsqcuj@DFLom8p9oJ67%8TSWO&qb?w+A&j+;<#ph9c*ZFZ){i|>T(9SY
zwXu|H^He(bL3hqyn18Yq&7CbI_#g<Lt<qvtA}tYY>36=q;HyKwl)zY|OXmfAX?6M)
zYB}pMv|uhZ7%d6SAZA=fO?b6}3y{m_ned}~dUdTR?*kA*)X^DFpPZ%3>f!eG=K---
zUeaMswtxh+&Y=tHnMi(#`1&RXgfX|9b!HbNkHr|LmX0k$LF4cRXUfV=R_hAl*Ne!?
z5<k{x(+Sq<@%wU>i<j=c?EI8KwHdE)q@ry{!=JhHbF0JDWXJ{z5}MIjT?n0)TlIbx
z`8{^C=mTecEl|G1=zn~Z0E)fyN4t1C5V2k|+S@YO;{i>i*=vg^2&R~6!STivWVOsc
z&xvc!<}7bD#OGH4_BEFpn<X!rj#b}{>-DXW`a%V%3cIn4OI*)S_Ea6H6<k+X3!H#3
zcS_X^x8i;Uzg3!~^y#;%>A5bGaR_2bCE|^+ZVghN<<BQWO)-{87er0DA=WP)&)5fQ
z%PNQ{c2@MI`(e`HVkv^1<XEAc^F}m=ZPA#7Y1`4zpF%}KB5wF#{)&%{-mh8M@%EnQ
z^M&%9L!p<C@L9pkqdH;NDoW&=SiWuzczG^IBKe1p(g4BMEBIbvt+4njpVPDCw6E$r
zWbXe`17^w+@G#0XF&*P;y{H$4L_)@NlV+m=i+O7^gT$MT;bow#o}{0MMeFWagBM7a
z_G)tVzbx`-bw;nYYcX<oP}oM_f>Z2-ew+mz5cTuw#B0!s?yy|R&X76e98yw9+~dB4
zmX6nIt#|3*j}QqIibr_mN8h6c-7tVY8g%i|!X?+Pq%G|)fq#DzsbQ(A`064_X0w4~
z7<;2AaH(LwN6s$zix^M7gp$yf<u0dA*u^Up&eulwcD4#XfXA(JJ&Pw!_-$gPSqWNk
zjGCcX+%BC;WPaA)9Iu5Z>9@Jl(w%uk81ZV(EWfVpBNZ{Zy2P3ygj6PBG(D(^;iOp*
zMhpf?5ZI}>Ai36zBl~d-=IthEDaJ(~Nd$d%BZz!qNeGTBo0MF)3U@UDgRj}4)}{G&
zrhkI(NnyorNtc0h*Qhj!OP@M0(Ft-m?923qMxdh8Kn)qZ_2y}hGD5lG)CtXgv+~69
z?VA}-j(7ru<=IAh$nX1O<0@|6m39hNL8b;b=P#v$qX%TTAlU0dGpMnF+wK5C>nh?3
zv~d}yI>PQtt4x#<n!X!pLUWM=E;fGWK@sDPr!+y$Ge@ISsr&72!%2u!v?`jUF`ni0
zPA_d1Dm^QHvPLQvkXwpX4KeEsdkLsNvUr5nGqM%0D9asK*!y5`E_-eqo=myr(rUDz
zC%xvKG2I1Fd6jV@g~JACc_Kmx1dt8%xA6)oV#}?|0eor<`%EXQ3Z&`<?|_%!B6JE6
zA*1BafFtidOyDx66x?PHiLaa5Ifq2eou!T!g1o((Nl9MqpiJMuU>`=tDJHNVS!)8;
zAQ~bXqtRVH8mRfYq(r&Tmqz8mRhrs=RmtKH91?{JS?IRiM0&u1Cah?#bkEsIfa*CM
zgm!jj!$1bd`*F68A<T7s2i7*Mfg@WZGEbQG49kS0zJ@hVMYs+><K5OX<F(KO?7H`_
zR1la}v+!E8TP-{~q`SKuz$5&?L=qC4(LbKWNNQ6c^l0}l*r?&c|DAKvo5be6y|>>m
zz{`*oODz0b`8_C-VHq4PVeT;6I?L%hDx1oUI1ozy(T-N$HlImxz2a}^k?c4iyYfN-
zNXEE=k#08>&$2{!QKWbWGD`#?`V^q0^yb>n9>KZ8!Z^2VgLDP*Me%Ig9q`*8Zs35<
z^9?Ef*!ezx_bPI3Sl}vs4avrIn(mJLa?MAHU#334%~>Kq$uqrcClu|;v@-)ak~xaR
z6(_2SB>w+dC|}_eYg#W#@&63$ckN`&WfODk-_p)<EoK^eHB<z&CsvQz$N>Je=3$C`
zf%5oZs|19KJgzyRy?k9LzBS`KbM-7pwAE6(zt)poEd21z9t4qEijD59YcpMHR~%oE
z33XP<FSrti7g-;#xRUnWE4!DGnQR?nkxqDRC6>`YvY>cT(lt9pC<Z<?_qAu98fwe?
zv%j2sdvqs;RxCdkJ8bVNv@dCxv>+g5K3wX!%7N4x&&xBQ9h(<-^F<h^z6GyWTG|iy
z$sBR0PFeL0k7KB^?FcR($M8(s*t0Y^euKjl?;1iQ#x;j*P4Wp4RUT!2cLe`KQF5et
zhhpXT7L_H#0Z=_wXmx7WiSVG?t0Lq4;#Z}y3q|AIE_5s8WiYXfYhWUq*Hj{Jz{6C}
zLcW-%jKLi!Af0o%&?jhTvr{gdS$u=Z#B|u=f`8L-Z0~<>)75j<nOXMY^9K%*F-<(x
z?o*z9DxO_dwKq#0%hY$R*v@`rGR*Cd{v_$`vw}8q%rtys(b0nPbBdAVus%Y7x^b%q
z#ycgAd9^v^WZ6Gb2R7x4C(XHG{hyUfx%_($r1gKnN$CWya6(u(UhEpV=6>2}Cz@%6
zJv>Yi&ex`X%inYPU_XO{G81k$FC5*~kTpnzm1_0(Vl5QIlWecIB=!#a2Uyngh_o}`
znv;wb!t{2>%zbhP;T=k{W%VO<8@iOSrOJD}S;V@%tde=x`u6YXcrk9b3IpV;GzE;B
z<ME)FtwGeH9+x@zE5jBt<ujOGHYD^7ro7!YTjF1)+rQMDdPn~?Mdz2^Z-%)cpBqjQ
zl2nLS?g4rc;}hH#bRvdVBWsMM5YPj#c~pGf^+J{&j`!8S%(teZt_hSvU3SV9qq9tl
z>gC$IW-pIK)iJImE5dJb55Ht9+?Sy*B(fTVD@&8%7@j+<uC{+gi0{;XCZ+CFZ^Kch
z|2AguP9R~)ivI*2nR}-9jSEGX9Aq>ZiZaXM11f~Al>}h_P)fY1B;=Hl7p**#zJpo9
zL9a^IU?F-ol;_IY-xi<Rr;KX>RVmB1+nwqQIv&cp@jbwv7A5==jrdsQ$V*p<HY#ME
z50Kx*`wi!tX^rmt4TI%l<zBaO8b>k^qwit6QTzk*G4qmLS|9fciyn*h^~)=Ib(PcE
zrBLlpD*<9ah}(dWAlwe>tL@6E#t_lC=8$`X<FRJXE;pn$&k^oRS#_$?<H!I$M}zBG
zD;&H$rq$M6{UrfaDl**E(49jaL^+}tC0xZhV1X@iQKb$rVVy>S@hdo`PzppHq)S=F
z*@I+Y1y7~RD{@jkLU(qFi*(?;&ppb(7Qax5?=FEwz=e_O6nbkCeQ6*#^G;A)e4pne
zPn3?&rt9BZc;W>zR*!mGjyAe&`Fl7Ux)V}dH2G2*p|^*j4MmzO7~ME*IX~S+eU$?>
zchwQ3zZ`2@<H%LwAL;M0Xx44mvK~1h*NGHavN)G*izaz?S#UyJInZrdX6aq-kkVx*
z2od_MRJ<`?ajWJu<EL2e+ffY9@K?q-7~5YWR+|DJ72LNwb9Hes=}<bSGYvr*G(2a9
z%afe@i9b^a=V@)3ycm8eKX|f2A%xkg#@xiAzgRC8Bcvik_UIS%k9CJNh`a#hSRx4g
zjXo>h9L#|wb=Yek?)vQqz-J~rgcPh8-h#=VgtVkfv2vWN9Po%a(`C)T<mdYNC#}1?
zh;07=v>#Tv8t<+)2ktjD%gd)ETGm}ZPm>PZ)w-r>GOIdF?EpQV?fbWicoi&mVA71n
z$hY<;j3YzmQ!s(HFboC=Duzgg_YDFI1pqK)1_>&LNQU<f0R;>&R|G&XCNc!>IX0PH
zo`t};!uFvRVTW5GQa+K>l7gjZ$udq}D_(IfnW}O<(mlW^p<Y2e>mX8dk1OH;Tx)v6
zFbWa^0zd!)0YESe1_&yKNQU<f0t*EI1VF*LDCqW_NXuqg;soc!L=l74@--hVpNp~i
psjQ_jp>3MtAEEUILe~54%26}d=z?MA29lvOrr&U@%tFR@uIE}7MtlGO

literal 0
HcmV?d00001

diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index 049d66eb99ddb..87cf3d460752f 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -34,8 +34,8 @@ apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.publish'
 
 java {
-  targetCompatibility = JavaVersion.VERSION_1_8
-  sourceCompatibility = JavaVersion.VERSION_1_8
+  targetCompatibility = JavaVersion.VERSION_11
+  sourceCompatibility = JavaVersion.VERSION_11
 }
 
 base {
@@ -60,6 +60,7 @@ dependencies {
   api "org.reactivestreams:reactive-streams:${versions.reactivestreams}"
 
   testImplementation project(":client:test")
+  testImplementation project(':libs:opensearch-common')
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   testImplementation "junit:junit:${versions.junit}"
   testImplementation "org.hamcrest:hamcrest:${versions.hamcrest}"
@@ -71,6 +72,7 @@ dependencies {
   testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
+  testImplementation "commons-io:commons-io:${versions.commonsio}"
 }
 
 tasks.named("dependencyLicenses").configure {
@@ -83,6 +85,7 @@ tasks.withType(CheckForbiddenApis).configureEach {
 }
 
 forbiddenPatterns {
+  exclude '**/*.bcfks'
   exclude '**/*.der'
 }
 
diff --git a/client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java b/client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java
new file mode 100644
index 0000000000000..2efdc48c70f59
--- /dev/null
+++ b/client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java
@@ -0,0 +1,36 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.client;
+
+import org.apache.hc.core5.concurrent.DefaultThreadFactory;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+
+import java.util.concurrent.ThreadFactory;
+
+public class FipsEnabledThreadFactory implements ThreadFactory {
+
+    private final ThreadFactory defaultFactory;
+    private final boolean isFipsEnabled;
+
+    public FipsEnabledThreadFactory(String namePrefix, boolean isFipsEnabled) {
+        this.defaultFactory = new DefaultThreadFactory(namePrefix);
+        this.isFipsEnabled = isFipsEnabled;
+    }
+
+    @Override
+    public Thread newThread(final Runnable target) {
+        return defaultFactory.newThread(() -> {
+            if (isFipsEnabled) {
+                CryptoServicesRegistrar.setApprovedOnlyMode(true);
+            }
+            target.run();
+        });
+    }
+
+}
diff --git a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
index 3e38f9ae95dec..0a46da6e1e8b0 100644
--- a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
+++ b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
@@ -48,6 +48,7 @@
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.reactor.ssl.TlsDetails;
 import org.apache.hc.core5.util.Timeout;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -334,6 +335,7 @@ public TlsDetails create(final SSLEngine sslEngine) {
             HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create()
                 .setDefaultRequestConfig(requestConfigBuilder.build())
                 .setConnectionManager(connectionManager)
+                .setThreadFactory(new FipsEnabledThreadFactory("os-client-dispatcher", CryptoServicesRegistrar.isInApprovedOnlyMode()))
                 .setTargetAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE)
                 .disableAutomaticRetries();
             if (httpClientConfigCallback != null) {
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index 46f6cfa22096b..db578ebb196ac 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -38,6 +38,9 @@
 import com.sun.net.httpserver.HttpsServer;
 
 import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
@@ -50,19 +53,18 @@
 import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
-import java.nio.file.Files;
-import java.nio.file.Paths;
 import java.security.AccessController;
-import java.security.KeyFactory;
 import java.security.KeyStore;
 import java.security.PrivilegedAction;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.SecureRandom;
+import java.util.concurrent.Executor;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
 
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
 import static org.junit.Assert.fail;
 
 /**
@@ -75,8 +77,11 @@ public class RestClientBuilderIntegTests extends RestClientTestCase {
     @BeforeClass
     public static void startHttpServer() throws Exception {
         httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
-        httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext()));
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true)));
         httpsServer.createContext("/", new ResponseHandler());
+        var threadFactory = new FipsEnabledThreadFactory("test-httpserver-dispatch", inFipsJvm());
+        Executor executor = Executors.newFixedThreadPool(1, threadFactory);
+        httpsServer.setExecutor(executor);
         httpsServer.start();
     }
 
@@ -90,8 +95,22 @@ public void handle(HttpExchange httpExchange) throws IOException {
 
     @AfterClass
     public static void stopHttpServers() throws IOException {
-        httpsServer.stop(0);
-        httpsServer = null;
+        if (httpsServer != null) {
+            httpsServer.stop(0); // Stop the server
+            Executor executor = httpsServer.getExecutor();
+            if (executor instanceof ExecutorService) {
+                ((ExecutorService) executor).shutdown(); // Shutdown the executor
+                try {
+                    if (!((ExecutorService) executor).awaitTermination(15, TimeUnit.SECONDS)) {
+                        ((ExecutorService) executor).shutdownNow(); // Force shutdown if not terminated
+                    }
+                } catch (InterruptedException ex) {
+                    ((ExecutorService) executor).shutdownNow(); // Force shutdown on interruption
+                    Thread.currentThread().interrupt();
+                }
+            }
+            httpsServer = null;
+        }
     }
 
     public void testBuilderUsesDefaultSSLContext() throws Exception {
@@ -106,7 +125,7 @@ public void testBuilderUsesDefaultSSLContext() throws Exception {
                 }
             }
 
-            SSLContext.setDefault(getSslContext());
+            SSLContext.setDefault(getSslContext(false));
             try (RestClient client = buildRestClient()) {
                 Response response = client.performRequest(new Request("GET", "/"));
                 assertEquals(200, response.getStatusLine().getStatusCode());
@@ -121,34 +140,37 @@ private RestClient buildRestClient() {
         return RestClient.builder(new HttpHost("https", address.getHostString(), address.getPort())).build();
     }
 
-    private static SSLContext getSslContext() throws Exception {
-        SSLContext sslContext = SSLContext.getInstance(getProtocol());
+    private static SSLContext getSslContext(boolean server) throws Exception {
+        SSLContext sslContext;
+        char[] password = "password".toCharArray();
+        SecureRandom secureRandom = SecureRandom.getInstance("DEFAULT", "BCFIPS");
+
         try (
-            InputStream certFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test.crt");
-            InputStream keyStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test_truststore.jks")
+            InputStream trustStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test_truststore.bcfks");
+            InputStream keyStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/testks.bcfks")
         ) {
-            // Build a keystore of default type programmatically since we can't use JKS keystores to
-            // init a KeyManagerFactory in FIPS 140 JVMs.
-            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keyStore.load(null, "password".toCharArray());
-            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-            PKCS8EncodedKeySpec privateKeySpec = new PKCS8EncodedKeySpec(
-                Files.readAllBytes(Paths.get(RestClientBuilderIntegTests.class.getResource("/test.der").toURI()))
-            );
-            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-            keyStore.setKeyEntry(
-                "mykey",
-                keyFactory.generatePrivate(privateKeySpec),
-                "password".toCharArray(),
-                new Certificate[] { certFactory.generateCertificate(certFile) }
-            );
+            KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
+            keyStore.load(keyStoreFile, password);
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(keyStore, "password".toCharArray());
-            KeyStore trustStore = KeyStore.getInstance("JKS");
-            trustStore.load(keyStoreFile, "password".toCharArray());
+            kmf.init(keyStore, password);
+
+            KeyStore trustStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
+            trustStore.load(trustStoreFile, password);
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             tmf.init(trustStore);
-            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+
+            var sslContextBuilder = SSLContextBuilder.create()
+                .setProvider("BCJSSE")
+                .setProtocol(getProtocol())
+                .setSecureRandom(secureRandom);
+
+            if (server) {
+                sslContextBuilder.loadKeyMaterial(keyStore, password).build();
+            } else {
+                sslContextBuilder.loadTrustMaterial(trustStore, null);
+            }
+            sslContext = sslContextBuilder.build();
+
         }
         return sslContext;
     }
diff --git a/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java b/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java
index d9c82307cae8a..60cbf689d8853 100644
--- a/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java
+++ b/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java
@@ -67,6 +67,7 @@
 import org.opensearch.client.RestClient;
 import org.opensearch.client.RestClientBuilder;
 import org.opensearch.client.RestClientBuilder.HttpClientConfigCallback;
+import org.opensearch.common.crypto.KeyStoreFactory;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -84,6 +85,8 @@
 import java.util.Iterator;
 import java.util.concurrent.CountDownLatch;
 
+import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
+
 /**
  * This class is used to generate the Java low-level REST client documentation.
  * You need to wrap your code between two tags like:
@@ -436,7 +439,7 @@ public HttpAsyncClientBuilder customizeHttpClient(
             String keyStorePass = "";
             //tag::rest-client-config-encrypted-communication
             Path trustStorePath = Paths.get("/path/to/truststore.p12");
-            KeyStore truststore = KeyStore.getInstance("pkcs12");
+            KeyStore truststore = KeyStoreFactory.getInstance(PKCS_12);
             try (InputStream is = Files.newInputStream(trustStorePath)) {
                 truststore.load(is, keyStorePass.toCharArray());
             }
@@ -478,7 +481,7 @@ public TlsDetails create(final SSLEngine sslEngine) {
             try (InputStream is = Files.newInputStream(caCertificatePath)) {
                 trustedCa = factory.generateCertificate(is);
             }
-            KeyStore trustStore = KeyStore.getInstance("pkcs12");
+            KeyStore trustStore = KeyStoreFactory.getInstance(PKCS_12);
             trustStore.load(null, null);
             trustStore.setCertificateEntry("ca", trustedCa);
             SSLContextBuilder sslContextBuilder = SSLContexts.custom()
@@ -516,8 +519,8 @@ public TlsDetails create(final SSLEngine sslEngine) {
             //tag::rest-client-config-mutual-tls-authentication
             Path trustStorePath = Paths.get("/path/to/your/truststore.p12");
             Path keyStorePath = Paths.get("/path/to/your/keystore.p12");
-            KeyStore trustStore = KeyStore.getInstance("pkcs12");
-            KeyStore keyStore = KeyStore.getInstance("pkcs12");
+            KeyStore trustStore = KeyStoreFactory.getInstance(PKCS_12);
+            KeyStore keyStore = KeyStoreFactory.getInstance(PKCS_12);
             try (InputStream is = Files.newInputStream(trustStorePath)) {
                 trustStore.load(is, trustStorePass.toCharArray());
             }
diff --git a/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java b/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
index fdfe49ca901c9..6a4b176edd011 100644
--- a/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
@@ -35,34 +35,34 @@ public void tearDown() {
     }
 
     public void testConsumerAllocatesBufferLimit() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip());
+        consumer.consume(randomByteBufferOfLength(1000).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(1000));
     }
 
     public void testConsumerAllocatesEmptyBuffer() throws IOException {
-        consumer.consume((ByteBuffer) ByteBuffer.allocate(0).flip());
+        consumer.consume(ByteBuffer.allocate(0).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(0));
     }
 
     public void testConsumerExpandsBufferLimits() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip());
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(2000).flip());
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(3000).flip());
+        consumer.consume(randomByteBufferOfLength(1000).flip());
+        consumer.consume(randomByteBufferOfLength(2000).flip());
+        consumer.consume(randomByteBufferOfLength(3000).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(6000));
     }
 
     public void testConsumerAllocatesLimit() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip());
+        consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(BUFFER_LIMIT));
     }
 
     public void testConsumerFailsToAllocateOverLimit() throws IOException {
-        assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT + 1).flip()));
+        assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT + 1).flip()));
     }
 
     public void testConsumerFailsToExpandOverLimit() throws IOException {
-        consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip());
-        assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(1).flip()));
+        consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip());
+        assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(1).flip()));
     }
 
     private static ByteBuffer randomByteBufferOfLength(int length) {
diff --git a/client/rest/src/test/resources/test_truststore.bcfks b/client/rest/src/test/resources/test_truststore.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..dfa168caf70ef59a030b72e7993bb35927f3ce10
GIT binary patch
literal 1502
zcmV<41tIz{f(6<zf(0Egfs_UbDuzgg_YDCB4KRU*Fk}V^Duzgg_YDCB3@}#&Kx_~i
z$Xn`lH{2GtS$8pue6ex4>~*CNl$vc#K4f8~DJ;uHAH8H2tmRKlybR%~MlHuuZ#P4h
zur-)dAbuj~x&i_~00IFZFboC=Duzgg_YDFI1pqJ}1_@w>NC9O71OYEF5d;i9<6?-e
zDu)k!w?be70SE+w1cHi`ZlDi6NkPK~s2gZVgo1U<zXR)HCM~@xd(NAMXS@B8%EYaZ
z^n)jL@m1RB)yNH$jg~9dGr`1FsoS&m#fqDmNL{I;Q=6(!A+#blv{e-NhkI=UePiqS
zw{l3!OlKLa{VjtkPZwWByU6@gs<G{H<RfuJO&+Y$fRHxgX<qv20iG2(fM&nEpWy8M
zqF@XL7PfBFcwIpEhQiv(&r9m8447Wd_UQWQpvQ}dk0L-AsE2l&L8D^Bk>R>sPQ0`{
zzd6*kKlu5!)I1W@YFzo<!5=mnkyKyb1vMud=g`oOU)E*N_}KtaMUPbv0-KlME+Eon
zA+%%CT;Xa^@SDjo_>Tz;RGk8%BW{DdfSE!(y|?i;^F!`2dBYAzO-7NCHoS#9p)VkZ
z*Bha^9ofRL_-bTRH#^~5B44iq+w#^rfzbnRvFNM1{PgNDON~;n*xX?zjC!>i-X>sq
zRTpztnGc%94m;{{%3io>ni{0o5Z%Z>qf)Y=u0Fb%s!P(CY0x-Af+d=Sp9^&{$OPKH
zmn&)dx%FHLso=}rwynAvO!~1>S?c!ZOp?6XYr%fO12%00tN*E~ht6UuLb*ooIrIyx
ze;JAk*v2v9V<d-Xt5OhuDU0azs<~I^5I_H0;lf|Z({%$)ivF^et>$DzrEzqy$QJDO
zxAXL>qBP$x<s=ax9g;-OR1r6|x$88NL&Da9a-EXjlfs`9=!oeD8tihx;##APaH`M$
z;`5zB#AS$5JX_#e?fl#heBrA0QN8u~HM6*(85wl{RdVg61KGlGsEJ64Y`+&{Ei`&R
z$0D}wiHr%tC^4y~n8WkJ2ZMzlQLs(nN->@;&81m-Dnk<-VTEN8R^{Taw_EMwVqarK
zE*I!Pz0FMUh-Qz1N;qG2f5m`lqNl|5W72a)JHCNfjEpw@;V3FMdZ2B?=PD-<Qp^Z*
zP0Zb8T98Fz&yn0_T@TxRocONS2!$6t{OZPXgI8t9JLt?8U0PXnp>tMOS*T_D9H<up
z=KzC`(6~7R;H*7eetP+(QqhI-*f{M?Mdqx|=6XDCgD8X;hG!Xsdje<MP}2Y{U0&2A
zFU)jZU9)L!ZU{ID(D<<xCv<Sv9F_e5u|pw{H1I~;OAbrO;ScXA>W=YbLNgDeOS?W5
zs}I>~^an-xvvDDrpYTFV6w>9;BwPn67mg8}q{E)X1=Fn86J=6e|7)FJS7W8;ZQ7e5
zrIP5s-HM8-j<D@CZjmM5i*JM=AyCm@wtVfBT<Q0zu8(A{Fbv+YoiV6F&Py-gH08vj
zY{A!$KY|-QS5{jxSrc<f5;ESnaXfG$6b2U4`X!XwiM5PGjKWKl#l(r$%K3@JW7~H@
z6!0?f=ttgTsL)n1#$T)dJYAGdg$@!B5@vKMH}`${C61OYlQCMqGPgC%WcaUNp14Td
zPw6BR!3zUo^n{`a#K7W;-33Ytc^}Y#s8`o^T-XgnKAiXiebR4kjniHPyE<4(iqLMu
zq<Ce}C!W(kmsKYxUn5L#{c})X>eDBTFoCu(3<d})hDe6@4FU@V05D_*2`Yw2hW8Bt
z1q?7(1VEviW2WE?|5%6wK4x!^;OM47LYXfF{>%Btc9zF2597a@-!C53d6M2NX(sO{
z0n@L`@GBXwuX)Fw^zC?BFbe_#KmY;(Krjpj2r7n1hW8Bu3k3iKKz<sbh$JDTE2YM|
zC6}-nk!HD7eG<HwdbpWjxvZ~ON9~EJ-l1P7Ixg@fN!{V7BQ=aPXSAB=LWG>4T*oY$
E?DD(L)c^nh

literal 0
HcmV?d00001

diff --git a/client/rest/src/test/resources/test_truststore.jks b/client/rest/src/test/resources/test_truststore.jks
deleted file mode 100644
index d27635fec5040d63969f7d124d499fa1b4788d1b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1097
zcmezO_TO6u1_mY|W(3pRB}JvhC8;UNsYN9~vAkwc`ArP05qhQumJAFmtOiXij0R0i
zFBdQ~F)}f+SnhC6G2mt6)N1o+`_9YA$j!=NkZ#Crz{$oO%EBhh6dDZUa0oLwI~s}^
zh=63+g?WAROY=$+GxHR}GE>V91q}E=;#|V)sX2+oC7H>FyawDL5pH3YlGNf7Lm>kJ
z5SLk)6U0@>%TGx)kQ3)MG&e9eG&eLeG%_`d66ZAnaZRCI`Z=VDQ3*K^7+D#Zn;7{S
z44N3Zn3@<F8Rk~!Npvu*UVZJX!}kZJPZHv{?2a{W-7kAh_U9z?btYUXK_a`3e~sR8
ztJ-hsvSr&3H{=z3wbENt{i$oYfPtad8tLWUtDb4~CToW-oBH+@b79%^s~)M!ag{9!
z)s~xgc)Hm9Z0xx&&LYzhu}nGj;M`~L4tK5Y50VeiX<y%UgYlO6qc8SyhqZ5cZgp^a
zVsN6Z+5FP)$4r|H^jUV>9EiBm+{dKY&Mx?Dh3UI&DWy9-kNdy3Y1&zCVq0?3+gn8M
zW^BmU&9hebbM`WL%SM>)H`p6)xX$#V^e3^_c|yKH+g&^_eww-4(bN0WeUHXpj<24|
z8#s44{mgM{<-E<DxMtGBY(pkyMh3>kjav*FHySkd1LILvkfpKRps}T$r5>2Z+690q
z4;e5vapvSFC+1}27nd}N!kKztR!V*@FxfP5!G%ql#1U*{H6}=k%#akBAuBR7kOeu2
zk420{B!;(W5m!xu6HAtD?Gnzr*6g$93L!@<Fm(eXmXRSpV9Lc_<@x_#zdfmYZjp~*
zSA=OwV)?QYCcGKR^63i|#m{zbHBCMk>ePE8)StWekcf6T@8>!Hn2u@bR@rlREmQe3
z*E!m4Dbw#AUFZ2b>f&VICND7KS>ox+=yy2j@n+^nCE4?htut-6e$*Az+UNcJvug@p
zxy3{0kBJ}Or$o&-*t0S9IK#8deQaWSimx8m{Sg0s=1fG3q~-m^ZtGbxL!O1KZ8*=P
zSUgEB^1BHS@5>p<cLj8gJh&?w*2HOk_)u7Mc+B6UZ`Ph(XxF5x(Rug$3Etq0P(4l8
zxQQ?OG!z#6_5bp90tdsMS63uOXH=O^cpNx4C{yj&uBMD*S2^D4yiah-h<=r^aoP!&
R<*x6;`XrcdUEQFS1^|>hh28)F

diff --git a/client/rest/src/test/resources/testks.bcfks b/client/rest/src/test/resources/testks.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..988242f0db6b8296ef66da25e1d7d4ced35b246b
GIT binary patch
literal 2889
zcmV-P3%2wyf(u13f(nQ*fs_UbDuzgg_YDCB4KRU*Fk}V^Duzgg_YDCB3@}#&Kn@rq
zu?ZB>(LE|p@1sCOXeSsmurFSv=*yEKa{G+V1n4kvC>cE-zQ$QcG$bCJMI?}`hI(jc
z)Sa)*g5I4|SONk-00IFZFboC=Duzgg_YDFI1pqJ}1_@w>NC9O71OYEF5d;h@s!fbp
z144BGN04X&0SE+w3GJULtkvm9eXDj@qb+ZUNMk7)W;iLvNKqsePzqh^`I8OIi%fH6
zsTq>b{=UwnLj1U<wg*^g^50@q8Z~dG;%G4?v^bIdK2rnTEDBCop!`renkDEPZ89ai
zwhjon5k`9i`x;|6MKZwmikNv^fcpao9y@c~OB{*ML&}|I<+cJL<BF&!-J?+Pt{C_G
zmtxKSB&b(n!_Sny{cF)N$o-JRM3Ax&kAdm*UI&pb`D%d(w*b#yKUYi)v-<R}c!vw{
z4LKD2v&R+VI2z*$^H^@4O6|Ewj_~B*-P+;uQUSK1dmikvMP^27Ld|o{?gOG-np<lP
zP$oG80$W=V#EJT<%b_cOU9SwIBmlwl{C0jy#Cn^<?`?SE*lUI1Qp^{L_Xk0s@(s>L
z;Fdd~H}*IKi;#4NRkw!L!PZ!{Q4Lxhl~PSoDO2RPG*S=`l%(dium3-|Y~Cthsh*eR
ziJ{yjKIC4GWsVRl>4I#=6H;8)riZ+>EP8W;8P3~h+TV^Y65;H>__1jK-IGlJl(!D@
zP%$C|-3Z>^nS`4m)|k?GMN~_1dG)Y}oG#8A`AI5uNKOccgz~*&uUU8ryb$DQ7oOki
z6G74HdgP&_678V@3fCG80&Rb0%+b;v<pjmqw2dP`tTYH4Ia=qHs{--RP8=`qU_V?z
z0*{X@NFwwuNi3@@hx&YXP&NaDse86wCnD&zY@u#D#cdG-9~vTHrNJi*1clt$S<QSL
z#(ucuMJAJ86PH@MBU@AePIYx}Sa*uHby2Sj<(MGk*YU~m{B$>#Hrih0i_(%p`T-dS
zmzUIie7G|fl5bYZIKM8QqmH^s*CYdV_l_5vMyMb?F53@|<ZTzq@8ekprVG{$TxSgZ
zKyysOZX|6Nt2)CET1=iHkqMi~PF&9;o|L6p`KaR37V3_NN#fp1!`PVMNYR>eHK71?
z#h8OX`^e}Hz7-cOh9{`#f#-yR0Py)()<s5w+tCXzVrg}x^Ze9dLSK6{l1S5T*g)aV
z-E$BLhNA<Vu5iQriyyk93+9tQHGy&cjhC>TJ|Re6vV8QT<2TSmMp=g^-T<lj#=eMQ
zN=qM17hw12Q>W#X@!OE@|CK%gJ&QL_NsChaN2&Czrz{iPsfXfu%-{<j55c1Ug&{(e
zjEcl@b5*ejqFH5*UAD$N<70ox)8BYVp$%95+#`PXQuQM740`?7-!;Hg+|OAiv%F^B
zHrg7wb(uYetj6;h%J7VoY3&j_wWbUX^Ewk6L*I2I{wN>L`3<k=eJ~4xFXtJxZ$!CA
z)M~&L1~BEFZ8YKG!cE=!KL!#CDXT#JHuMJQ?e1;$gjxvoR=11P>`NxFp$C&J@fE~x
z+7HwWBfs>VQ$1bwH&#CwXsrwN6`EB+Qg26?zX6ko156k-_rP9~!2;93?Jq`lsnrKC
z9XuJ)UR?Zr?aWf?SxAR&%Pjr6Zi%!&3dE@N>V5x=f8f@i;c?_noTeVFdCwEgOZzeC
zD=#fy>;LE0l-(0Iff#6B?%Lj)eF5(zKgNX`#w<p%$ToaJV2iJ8khnar&lmK?AZ^2Y
zxL*Sb%+#op43+8i#aH6V%oRlvk+;`S6va4S>Jq*B1hqMP*^NW&-Dv9S(;AN*0Cq|w
zSPCxwDIV#AC2bPLO{b=75$4M9EHnucKpueKD6J2w&f0FHIV+rE*Tb1Ki5XYxg&h11
z=z6gO;e48MPbzS?>AoG?=un9UO?Rcdr{Eer;v}eG`q7vmSJh#M+C*R*WR6R#s{VvU
zuqBnCBBRh1nQ)nt!gu0l6bJUvu8|mya!-B;lbm6a^W7zjBk59tjPf&OpvC_co_QdR
z`I0`(V07)31`0+l+IbUzAjLU5`EXUc#=7bF!0(GhBT2k2hi#$nwY+)dHUW5>L-|BI
zRCbf@<0MpMP%(ToNdTR%9ave+L3<xLL;zIVsY)eJJRqWlj{0?tnXUlD!|_%x+PQLQ
zcCIndevyV;Jk)fe`8ziGZ<!H}zOxjjU<rzfXA=(Bo*X!a(4dPxvWm*B8a?-w+v{EU
zP&&-NK;5SUMfICx?fVYXDA<zvJ9pJd|8!fl_=)kY>in>eG%uZa7nUsoB32g1J~W$k
zw!U5>SU(G<u5)Vpz;+Ypt0Y8|E7Q|V-;X2;l<}E9ZGmamTaEP`s$aKGFt{=WNvG9V
zVuUQ<T0g%bT8y3!(y5+b;p6gxCA_|uVik9OCdDdmKmfwgiLZ7qzL|^UzSGas*}U7m
zAD!*-7v^a(jRMY2@joQX&R9^E)E46TOR5%1E4YJ|^+iu)E!nrKJ%aiWSG{Kc3NZI8
zo8AR*&KefNqnTXB%-S8;1c06`nL6BbO2v>JDug=QzMqSx)l}a_s$-91pbq24VW`PS
zI42++oZAymSr(6luRm`m6*0`oN!aYg)f;7oeX)61m7iO`L>Z07LMn2;jvt(a8Ig>n
z5XA6r%^=ig7j<J@QP>H3+|FApFYHgR=2}3NB?_ad9>4$+1)Y+H;!SG^tKtz-DNt;2
z&cz~#H*C~%J`D1tPd+Yl6#N4bIORVifDzDIgMfKxtsa<TJeUw5-@ljzm(mTs^3Ve;
z{I~6NhoG9PP0@{xlP<~shzH7Os$Cpcc_O|vrd1$ZMbpx7MF825Qmn66XR+)>d*@~<
z`nP^A^_Dz%wiX#PqI{*-(P!&;;P^P9o-^sw`g&{tnSIcMp<K{YHT7(fk$_R0*@IXq
zGO=u}xl4Zw(tg+6gf8bMa2ly40YYjzk<F5EZfY4I%c*2&aUnJvM_+YWB3}IHoiv7g
z3RKNPG(NWG$z#DwsB5^x3t(4_@t|h4#;jnUvjq1@G?-MyRyU*20M|Lg2B92Pvedqh
zetiUk-`F6mqp3}?&WRo(&9+OE^pYt>6$c&O*>Hu7Acm+BBi&$4w{oREq1j?W?H|2q
z4L}{~`+<`7txcaT%<S6k9Utitg4m&4i4QV^PVox|E+X=HS7)r@sU`>|U#W3J{0v~N
zAGkgWWQ)@2SEHqz)88&Fo!7LTQbA6T{LM0|ByUE_%c4+=rh6jegbp|I-LxIiVDa7j
zC~OZDpe+2j(dHA810Or}ebtrGEo^FyR!N&+=)bY9@6RrGjg7a2nMNhs?2x}wZ^Q`d
zwlo@{5L_&>fX$H4y*)dua7LD{!~H}WwN}=qr5UIZ^b=1^uoz@5rY0KgsV0yfnw8Dy
zAP3X2in1|JjAh!)Lz)Fp4H2huQVthM3y^M9DHe~ln1rI-Q|Ix`Yani1vIqARp3ktV
z`ZgYh!=_GwZ%8jgAcFwC_%a}Gpy$y<3r1k?4=8Ij;#oHQg!z)RiSZ=>K+hPPSLrUq
z%8U%PI+Ry1fwnLV1_&yKNQU<f0t*EIFk}V^Duzgg_YDCB3@}#&K$ERZ{!(p)>{vv6
z_A@gwAsxG}bLM<AjZ!z8jw%nJ-ja@3Hy(>3t-HWodM5`5cFA(c4&-GB&UBOzTTWBP
z+X4bW00IF(FboC=Duzgg_YDFI1pov<P(>r9H3~hfa}QBds5)gkVTEleDGXU8bBiyb
nr0KPClG}^xSg_RYyk$7Hb?If@AcqbwXKE!|0bzbVFRn<$5WZjy

literal 0
HcmV?d00001

diff --git a/client/rest/src/test/resources/testks.jks b/client/rest/src/test/resources/testks.jks
deleted file mode 100644
index cd706db5e3834f4b44493530bca17697f32d8de2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2381
zcmcgt`9IYA8vlOB80%QF%P^K4yYI*ll4T;A?8cHMVh&T*Y{!}zYjf<S$aSr8vgFuz
z(iF1B4W;Ztgb<F9!@2jK>o2&U*Xwz`-tYJ4{loKmp6B&EKURON0ssIz4)Cv__YA&G
z3_fNKX6Ang002D<qQHMZYzSsq1PBLZV4NUG55Ot#<=_{tQ#G%rrPFumiBPzvU%+Ce
z#o}Z)+>BTG4J7uREh5mJ7*;DV;dAlA=s5+KPl4wULQJdoL8~Pe7D3^*Cpn+O9sr03
zISo5KN{!m#CIL0)yz>t}H?Dji7ewQeMTpah_;lIM9lfx^{MI46EY=H2Gb87zSV!L9
zBNwGc)hcRNP-{ZbigjTAb+b#asOW1;eDvzR6aB?nZ0b51o)HL=(P6?em8T=Dtimf@
zkw!zNEH-cfeLsno#O=RbxSvAmmq_5eGP;=CTVxI0y~COhkJiND1UdLS2Ol7#CcE^d
zL>{Nth-L14Z4j+X`yfibe=ag4rVlxJp#US7Q|y@QX^G~`3fl?pyl5Y^R8rIQWW4Id
zQ{z=r`vr-qyIpkx)5AVH*xUo_`4Nx4b(N?wT{OYbRG2-rc<pTqw#u`Oi=x&eL=*Z|
zvL3yhq0`y9ALyu%FJEc+uv~jfx20S~Wwo4VzVyhRe$@sQ)G1>bCh$ubPg4`&+@r5D
zzPUX@zCiejz)?}CTe3&^u7rVdbjjY6C5l<H#aw@TcZ&~wl=mdNU5I%@pwoN7+|oWb
z@3c^ldotaePq$RYELTbtF+VcA-;q8T+~LOQ(*km^2Vd-(MJ{UgF02|x-6e~ui!*E2
zP=P+!j6-6xnyJL_CMs>@V4|cw6<vXss3L!4Knu}e8CTny6rR=dkks}}eJ|yIp30uz
zAjsIA`6`}CG#TXg8v<C}Dktmd`+t6Q@IhMRK+QcO^6^AYaDi<jYp0umUQI4ML*!wO
zq80dtcbz3<|H`KiVlD83$Z#chtYBQ6YNp?XTfg^y?NG`p1;-Z(>NVPj+>;MVdCH6G
z;*UbVqziZ{8{q|$yRDA6AbU?YM#cWH7~gF>>!8r(I*ID&@IdyK9Vh)mhm9(9QprF*
zTcmmB5ofTGhE^wgc6e}~gaOj0+F~@7<CmPSX0<Y!Me#cnv+U-4VJL1v@(Ps7EIIWJ
z)H<ryoPMV7_fF_3-4v^J=0qF#Qu^0mWwEQRy)Wa-9u4R|YHTItWx24dtgOeZMhRv0
zJriDiT-!Eo276ttd9B|<h_i9VR>M8SRe&>AqUy`aoNh?gL%tOLG=Z`F!b~nE6fm|g
zn~sp%GU*wT?a;|Lx{14y5rz@Zi*Ei`1^Asfnk+f1QoG!rBKWDm!N)n4tjm$w;#(Ms
z*y4S9lR%xR<uyyRaa(Y_HJin1qhr|BNL`w8eL0b$<yp5xJ7X$025<IK^t{|v@lC{8
zy)TWnA65Qp<0kj*a@$NLh27sqo6RHmaU%SgqJ@@|*BQ)_&M;D(fY5gLbg$IR)U0um
z(_uV$-^@m@+*B%>>-qfN9B<|yeOK)-bH747=ZNpA3?IQ6RWFHIE8S<zx$65SB2Rm<
zDlgHeDhEqQzzs7GWZ9p;F_2SI5f>gO`efbu{fcV~?x(fP{fMBSHJgUi@HE~B!hGqp
zOO=HE;j=bw>XQc_Lz$N7+B!oz5O}9z4<B1RWAE^-m$u;0(ba&kwj>>`!sl^^yX__=
zt-G_fDHBHnrXd?sZVgtfT~YRfOVPRZGOfh@@i4+lcQw=8yf9tQ<v|R5x4h6;BK(as
z>pirKyrJ1>K}mXUYH+n6o>({TY+<a~<X4vZzTG`@(O1%_Ev07~m}3SF|GgM(6tIvQ
z0Kn;w7a|BzV4rj8U?2<zS8KqzLP!LYOsqldE)oP;=mE$L!vZlO=m>BG7mQ%>U&6=*
z!|7mnA?}kO1}>zLcYv3_Gsz2WMIr`aIF6U>vChoJK=g3-^C!7rkPyp>!omgjC;Itg
z&OjU|l#Yw(grdE?U5St|9}=SqsbW+yDi|fK%5^@Z(h0@>hyMQ(p@3qii*S4+=qMmN
z08v0@7zG4@>`*WMc%Za&v|oF7I$+-EMoqJWYD_z76t$P8`b?SG)ttMjYum12Jk&V7
zsHmP6>E*Mnu22@bNiF7pFuY}Fi}583GKns-grfA-Wjf!$M<WJAamV0jbf{W&gW=_i
zd*p;EKDbc4O_4aUBYR<uMlDS?7crHKtDwFE$5m&)X$jM0#|>+>b?2e(*eKQE{W(|_
zqzG@m_}u1gR1!=yj)8OGH|*MNL9vesbIH50(wEe#5QVStcy5LF4wl>1k4ux85&=BQ
z2HOs`T4SDJht6*D#{Bb)k$L@P!=cU0W*tNP=9B^XyUy|_5eP@s-Sg0mVfsMlT$VO-
z8v~;Q0kD8v1Cc8sa`JH>QJipc97K+egWo;Aws9QCLw5Rs6ebUE7iSN5Z$Ezu&)-nt
zFXZa&c|0~0=D%fS3g7?mX^-+LlgcTR%4w4dggQxx4bBVawnyH{XAX1Hh2PQ)FJzj~
zV0fH;=5%9^r~A0EAmDBKU?@>M=V)d1wfsQ-HBPDx*3~(vs9PE7?jqurC(74<uNLdl
zLC{U?CYZ1!zTlR%MsEG%2dq;@K17R!S|o9hjkD8#0^4t(4zkBbIHFcva#dIh4fQ}{
z+ReFYx>^6*Ip;M<nzbA9oHA|r#VtKowxA0$xDDrxb=T_|9SN1hE?|MwhTv5YU7m~h
zgKxjD&n8+xZK^=O0#34Auq=-pWEJ&GleFDcW<`F^aGBtcdpSM9V?|+7rM<ASv$j8c
z^`*Qw?-E5`>fXd)H`2nLpdhX1nEE+M3Y~js@@+eX5olR{E5MTxf=!t-%Qh!Tb~aJm
hJ4YDT<kp>Z?{bYj5Ah4y>@bn_^A>sIjjET5{u3>b{aXM4

diff --git a/client/test/build.gradle b/client/test/build.gradle
index b77865df6decf..4c59fc1a07d99 100644
--- a/client/test/build.gradle
+++ b/client/test/build.gradle
@@ -43,6 +43,12 @@ dependencies {
   api "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   api "junit:junit:${versions.junit}"
   api "org.hamcrest:hamcrest:${versions.hamcrest}"
+  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
+}
+
+tasks.named("dependencyLicenses").configure {
+  mapping from: /bc.*/, to: 'bouncycastle'
 }
 
 tasks.named('forbiddenApisMain').configure {
diff --git a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
index b4eacdbf88827..e7c17e81dabed 100644
--- a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
+++ b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
@@ -45,6 +45,8 @@
 import com.carrotsearch.randomizedtesting.annotations.TimeoutSuite;
 
 import org.apache.hc.core5.http.Header;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.junit.BeforeClass;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -125,7 +127,14 @@ private static void addValueToListEntry(final Map<String, List<String>> map, fin
         values.add(value);
     }
 
+    @BeforeClass
+    public static void setFipsJvm() {
+        boolean isFipsEnabled = Boolean.parseBoolean(System.getProperty("tests.fips.enabled", "false"));
+        CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
+    }
+
     public static boolean inFipsJvm() {
-        return Boolean.parseBoolean(System.getProperty("tests.fips.enabled"));
+        return CryptoServicesRegistrar.isInApprovedOnlyMode();
     }
+
 }
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapTests.java
index 149145bb2d66b..83303b85bd36a 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapTests.java
@@ -71,6 +71,7 @@ public void setupEnv() throws IOException {
     }
 
     public void testLoadSecureSettings() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         final Path configPath = env.configDir();
         final SecureString seed;
         try (KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create()) {
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
index db6bb2d5473f4..b09e2a921f5fc 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
@@ -78,6 +78,7 @@ private void addFile(KeyStoreWrapper keystore, String setting, Path file, String
     }
 
     public void testMissingCreateWithEmptyPasswordWhenPrompted() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         String password = "";
         Path file1 = createRandomFile();
         terminal.addTextInput("y");
@@ -86,6 +87,7 @@ public void testMissingCreateWithEmptyPasswordWhenPrompted() throws Exception {
     }
 
     public void testMissingCreateWithEmptyPasswordWithoutPromptIfForced() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         String password = "";
         Path file1 = createRandomFile();
         execute("-f", "foo", file1.toString());
@@ -93,7 +95,9 @@ public void testMissingCreateWithEmptyPasswordWithoutPromptIfForced() throws Exc
     }
 
     public void testMissingNoCreate() throws Exception {
-        terminal.addSecretInput(randomFrom("", "keystorepassword"));
+        var password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        terminal.addSecretInput(password);
         terminal.addTextInput("n"); // explicit no
         execute("foo");
         assertNull(KeyStoreWrapper.load(env.configDir()));
@@ -221,6 +225,7 @@ public void testIncorrectPassword() throws Exception {
     }
 
     public void testAddToUnprotectedKeystore() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         String password = "";
         Path file = createRandomFile();
         KeyStoreWrapper keystore = createKeystore(password);
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java
index 05ce0bb61a4fd..2f284c622f3b4 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java
@@ -83,6 +83,7 @@ public void testInvalidPassphrease() throws Exception {
     }
 
     public void testMissingPromptCreateWithoutPasswordWhenPrompted() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         terminal.addTextInput("y");
         terminal.addSecretInput("bar");
         execute("foo");
@@ -90,6 +91,7 @@ public void testMissingPromptCreateWithoutPasswordWhenPrompted() throws Exceptio
     }
 
     public void testMissingPromptCreateWithoutPasswordWithoutPromptIfForced() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         terminal.addSecretInput("bar");
         execute("-f", "foo");
         assertSecureString("foo", "bar", "");
@@ -261,7 +263,9 @@ public void testMissingSettingName() throws Exception {
     }
 
     public void testSpecialCharacterInName() throws Exception {
-        createKeystore("");
+        String password = "keystorepassword";
+        createKeystore(password);
+        terminal.addSecretInput(password);
         terminal.addSecretInput("value");
         final String key = randomAlphaOfLength(4) + '@' + randomAlphaOfLength(4);
         final UserException e = expectThrows(UserException.class, () -> execute(key));
@@ -270,6 +274,7 @@ public void testSpecialCharacterInName() throws Exception {
     }
 
     public void testAddToUnprotectedKeystore() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         String password = "";
         createKeystore(password, "foo", "bar");
         terminal.addTextInput("");
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java
index 1aa62cf71ed65..b3be29517766e 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java
@@ -54,6 +54,7 @@ protected Environment createEnv(Map<String, String> settings) throws UserExcepti
     }
 
     public void testSetKeyStorePassword() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         createKeystore("");
         loadKeystore("");
         terminal.addSecretInput("thepassword");
@@ -67,14 +68,15 @@ public void testChangeKeyStorePassword() throws Exception {
         createKeystore("theoldpassword");
         loadKeystore("theoldpassword");
         terminal.addSecretInput("theoldpassword");
-        terminal.addSecretInput("thepassword");
-        terminal.addSecretInput("thepassword");
+        terminal.addSecretInput("thenewpassword");
+        terminal.addSecretInput("thenewpassword");
         // Prompted thrice: Once for the existing and twice for the new password
         execute();
-        loadKeystore("thepassword");
+        loadKeystore("thenewpassword");
     }
 
     public void testChangeKeyStorePasswordToEmpty() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         createKeystore("theoldpassword");
         loadKeystore("theoldpassword");
         terminal.addSecretInput("theoldpassword");
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java
index 5a06bc2400176..11755400cb16b 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java
@@ -59,6 +59,7 @@ protected Environment createEnv(Map<String, String> settings) throws UserExcepti
 
     public void testNotMatchingPasswords() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
         terminal.addSecretInput(password);
         terminal.addSecretInput("notthekeystorepasswordyouarelookingfor");
         UserException e = expectThrows(UserException.class, () -> execute(randomFrom("-p", "--password")));
@@ -67,6 +68,7 @@ public void testNotMatchingPasswords() throws Exception {
     }
 
     public void testDefaultNotPromptForPassword() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         execute();
         Path configDir = env.configDir();
         assertNotNull(KeyStoreWrapper.load(configDir));
@@ -74,25 +76,29 @@ public void testDefaultNotPromptForPassword() throws Exception {
 
     public void testPosix() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
         terminal.addSecretInput(password);
         terminal.addSecretInput(password);
-        execute();
+        execute(randomFrom("-p", "--password"));
         Path configDir = env.configDir();
         assertNotNull(KeyStoreWrapper.load(configDir));
     }
 
     public void testNotPosix() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
         terminal.addSecretInput(password);
         terminal.addSecretInput(password);
         env = setupEnv(false, fileSystems);
-        execute();
+        execute(randomFrom("-p", "--password"));
         Path configDir = env.configDir();
         assertNotNull(KeyStoreWrapper.load(configDir));
     }
 
     public void testOverwrite() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+
         Path keystoreFile = KeyStoreWrapper.keystorePath(env.configDir());
         byte[] content = "not a keystore".getBytes(StandardCharsets.UTF_8);
         Files.write(keystoreFile, content);
@@ -106,9 +112,9 @@ public void testOverwrite() throws Exception {
         assertArrayEquals(content, Files.readAllBytes(keystoreFile));
 
         terminal.addTextInput("y");
-        terminal.addSecretInput(password);
-        terminal.addSecretInput(password);
-        execute();
+        terminal.addSecretInput(password); // enter password
+        terminal.addSecretInput(password); // enter password again
+        execute(randomFrom("-p", "--password"));
         assertNotNull(KeyStoreWrapper.load(env.configDir()));
     }
 }
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/HasPasswordKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/HasPasswordKeyStoreCommandTests.java
index 9ebc92c55530b..39f645e587d3a 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/HasPasswordKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/HasPasswordKeyStoreCommandTests.java
@@ -61,6 +61,7 @@ public void testFailsWithNoKeystore() throws Exception {
     }
 
     public void testFailsWhenKeystoreLacksPassword() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         createKeystore("");
         UserException e = expectThrows(UserException.class, this::execute);
         assertEquals("Unexpected exit code", HasPasswordKeyStoreCommand.NO_PASSWORD_EXIT_CODE, e.exitCode);
@@ -68,13 +69,13 @@ public void testFailsWhenKeystoreLacksPassword() throws Exception {
     }
 
     public void testSucceedsWhenKeystoreHasPassword() throws Exception {
-        createKeystore("password");
+        createKeystore("thenewpassword");
         String output = execute();
         assertThat(output, containsString("Keystore is password-protected"));
     }
 
     public void testSilentSucceedsWhenKeystoreHasPassword() throws Exception {
-        createKeystore("password");
+        createKeystore("thenewpassword");
         String output = execute("--silent");
         assertThat(output, is(emptyString()));
     }
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
index 19bc06f7c64bc..c8c0b8f8b3928 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
@@ -40,6 +40,8 @@
 import org.apache.lucene.store.NIOFSDirectory;
 import org.opensearch.common.Randomness;
 import org.opensearch.common.settings.KeyStoreWrapper;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.util.io.IOUtils;
 import org.opensearch.core.common.settings.SecureString;
 import org.opensearch.env.Environment;
@@ -76,6 +78,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
+import java.util.function.Supplier;
 
 import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.containsString;
@@ -85,6 +88,7 @@
 
 public class KeyStoreWrapperTests extends OpenSearchTestCase {
 
+    Supplier<char[]> passphraseSupplier = () -> inFipsJvm() ? "6!6428DQXwPpi7@$ggeg/=".toCharArray() : new char[0];
     Environment env;
     List<FileSystem> fileSystems = new ArrayList<>();
 
@@ -105,9 +109,9 @@ public void testFileSettingExhaustiveBytes() throws Exception {
             bytes[i] = (byte) i;
         }
         keystore.setFile("foo", bytes);
-        keystore.save(env.configDir(), new char[0]);
+        keystore.save(env.configDir(), passphraseSupplier.get());
         keystore = KeyStoreWrapper.load(env.configDir());
-        keystore.decrypt(new char[0]);
+        keystore.decrypt(passphraseSupplier.get());
         try (InputStream stream = keystore.getFile("foo")) {
             for (int i = 0; i < 256; ++i) {
                 int got = stream.read();
@@ -127,11 +131,11 @@ public void testCreate() throws Exception {
 
     public void testDecryptKeyStoreWithWrongPassword() throws Exception {
         KeyStoreWrapper keystore = KeyStoreWrapper.create();
-        keystore.save(env.configDir(), new char[0]);
+        keystore.save(env.configDir(), passphraseSupplier.get());
         final KeyStoreWrapper loadedKeystore = KeyStoreWrapper.load(env.configDir());
         final SecurityException exception = expectThrows(
             SecurityException.class,
-            () -> loadedKeystore.decrypt(new char[] { 'i', 'n', 'v', 'a', 'l', 'i', 'd' })
+            () -> loadedKeystore.decrypt("wrong_password_<1234567890%&!\"/>_but_a_strong_one".toCharArray())
         );
         assertThat(
             exception.getMessage(),
@@ -181,12 +185,12 @@ public void testValueSHA256Digest() throws Exception {
     public void testUpgradeNoop() throws Exception {
         KeyStoreWrapper keystore = KeyStoreWrapper.create();
         SecureString seed = keystore.getString(KeyStoreWrapper.SEED_SETTING.getKey());
-        keystore.save(env.configDir(), new char[0]);
+        keystore.save(env.configDir(), passphraseSupplier.get());
         // upgrade does not overwrite seed
         KeyStoreWrapper.upgrade(keystore, env.configDir(), new char[0]);
         assertEquals(seed.toString(), keystore.getString(KeyStoreWrapper.SEED_SETTING.getKey()).toString());
         keystore = KeyStoreWrapper.load(env.configDir());
-        keystore.decrypt(new char[0]);
+        keystore.decrypt(passphraseSupplier.get());
         assertEquals(seed.toString(), keystore.getString(KeyStoreWrapper.SEED_SETTING.getKey()).toString());
     }
 
@@ -213,7 +217,7 @@ public void testFailWhenCannotConsumeSecretStream() throws Exception {
         }
 
         KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
-        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(new char[0]));
+        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(passphraseSupplier.get()));
         assertThat(e.getMessage(), containsString("Keystore has been corrupted or tampered with"));
         assertThat(e.getCause(), instanceOf(EOFException.class));
     }
@@ -270,7 +274,7 @@ public void testFailWhenSecretStreamNotConsumed() throws Exception {
         }
 
         KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
-        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(new char[0]));
+        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(passphraseSupplier.get()));
         assertThat(e.getMessage(), containsString("Keystore has been corrupted or tampered with"));
     }
 
@@ -301,7 +305,7 @@ public void testFailWhenEncryptedBytesStreamIsNotConsumed() throws Exception {
     }
 
     private CipherOutputStream getCipherStream(ByteArrayOutputStream bytes, byte[] salt, byte[] iv) throws Exception {
-        PBEKeySpec keySpec = new PBEKeySpec(new char[0], salt, 10000, 128);
+        PBEKeySpec keySpec = new PBEKeySpec(passphraseSupplier.get(), salt, 10000, 128);
         SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
         SecretKey secretKey = keyFactory.generateSecret(keySpec);
         SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
@@ -341,12 +345,12 @@ private void possiblyAlterEncryptedBytes(
     public void testUpgradeAddsSeed() throws Exception {
         KeyStoreWrapper keystore = KeyStoreWrapper.create();
         keystore.remove(KeyStoreWrapper.SEED_SETTING.getKey());
-        keystore.save(env.configDir(), new char[0]);
-        KeyStoreWrapper.upgrade(keystore, env.configDir(), new char[0]);
+        keystore.save(env.configDir(), passphraseSupplier.get());
+        KeyStoreWrapper.upgrade(keystore, env.configDir(), passphraseSupplier.get());
         SecureString seed = keystore.getString(KeyStoreWrapper.SEED_SETTING.getKey());
         assertNotNull(seed);
         keystore = KeyStoreWrapper.load(env.configDir());
-        keystore.decrypt(new char[0]);
+        keystore.decrypt(passphraseSupplier.get());
         assertEquals(seed.toString(), keystore.getString(KeyStoreWrapper.SEED_SETTING.getKey()).toString());
     }
 
@@ -371,7 +375,7 @@ public void testBackcompatV1() throws Exception {
             output.writeString("PBE");
 
             SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
-            KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
+            KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
             keystore.load(null, null);
             SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
             KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
@@ -412,7 +416,7 @@ public void testBackcompatV2() throws Exception {
             output.writeString("FILE");
 
             SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
-            KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
+            KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
             keystore.load(null, null);
             SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
             KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
@@ -455,12 +459,12 @@ public void testStringAndFileDistinction() throws Exception {
         final Path temp = createTempDir();
         Files.write(temp.resolve("file_setting"), "file_value".getBytes(StandardCharsets.UTF_8));
         wrapper.setFile("file_setting", Files.readAllBytes(temp.resolve("file_setting")));
-        wrapper.save(env.configDir(), new char[0]);
+        wrapper.save(env.configDir(), passphraseSupplier.get());
         wrapper.close();
 
         final KeyStoreWrapper afterSave = KeyStoreWrapper.load(env.configDir());
         assertNotNull(afterSave);
-        afterSave.decrypt(new char[0]);
+        afterSave.decrypt(passphraseSupplier.get());
         assertThat(afterSave.getSettingNames(), equalTo(new HashSet<>(Arrays.asList("keystore.seed", "string_setting", "file_setting"))));
         assertThat(afterSave.getString("string_setting"), equalTo("string_value"));
         assertThat(toByteArray(afterSave.getFile("string_setting")), equalTo("string_value".getBytes(StandardCharsets.UTF_8)));
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
index 36bef3a82281d..63e9bbbdf7849 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
@@ -62,6 +62,7 @@ public void testMissing() throws Exception {
 
     public void testEmpty() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
         createKeystore(password);
         terminal.addSecretInput(password);
         execute();
@@ -70,6 +71,7 @@ public void testEmpty() throws Exception {
 
     public void testOne() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
         createKeystore(password, "foo", "bar");
         terminal.addSecretInput(password);
         execute();
@@ -78,6 +80,7 @@ public void testOne() throws Exception {
 
     public void testMultiple() throws Exception {
         String password = randomFrom("", "keystorepassword");
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
         createKeystore(password, "foo", "1", "baz", "2", "bar", "3");
         terminal.addSecretInput(password);
         execute();
@@ -100,6 +103,7 @@ public void testListWithIncorrectPassword() throws Exception {
     }
 
     public void testListWithUnprotectedKeystore() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         createKeystore("", "foo", "bar");
         execute();
         // Not prompted for a password
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java
index 276af6cfa659f..7fe189dce84e7 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java
@@ -117,6 +117,7 @@ public void testRemoveWithIncorrectPassword() throws Exception {
     }
 
     public void testRemoveFromUnprotectedKeystore() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         String password = "";
         createKeystore(password, "foo", "bar");
         // will not be prompted for a password
diff --git a/libs/common/build.gradle b/libs/common/build.gradle
index 576e78bbe19f4..909d7c5ebe209 100644
--- a/libs/common/build.gradle
+++ b/libs/common/build.gradle
@@ -25,6 +25,8 @@ base {
 dependencies {
   // This dependency is used only by :libs:core for null-checking interop with other tools
   compileOnly "com.google.code.findbugs:jsr305:3.0.2"
+  compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 
   /*******
    *  !!!! NO THIRD PARTY DEPENDENCIES !!!!
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
new file mode 100644
index 0000000000000..ee2d1b92c855a
--- /dev/null
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
@@ -0,0 +1,56 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.common.crypto;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchProviderException;
+import java.util.stream.Collectors;
+
+import static org.opensearch.common.crypto.KeyStoreType.SECURE_KEYSTORE_TYPES;
+import static org.opensearch.common.crypto.KeyStoreType.inferStoreType;
+
+/**
+ * Restricts types of keystores to PKCS#11 and BCFKS when running in FIPS JVM.
+ * Returns the keystore from specified provider or otherwise follows the priority of
+ * declared security providers and their support for different keystores.
+ */
+public final class KeyStoreFactory {
+
+    /**
+     * Make a best guess about the "type" (see {@link KeyStore#getType()}) of the keystore file located at the given {@code Path}.
+     * This method only references the <em>file name</em> of the keystore, it does not look at its contents.
+     */
+    public static KeyStore getInstanceBasedOnFileExtension(String filePath) {
+        return getInstance(inferStoreType(filePath));
+    }
+
+    public static KeyStore getInstance(KeyStoreType type) {
+        return getInstance(type, null);
+    }
+
+    public static KeyStore getInstance(KeyStoreType type, String provider) {
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode() && !SECURE_KEYSTORE_TYPES.contains(type)) {
+            var secureKeyStoreNames = SECURE_KEYSTORE_TYPES.stream().map(KeyStoreType::name).collect(Collectors.joining(", "));
+            throw new SecurityException("Only " + secureKeyStoreNames + " keystores are allowed in FIPS JVM");
+        }
+
+        try {
+            if (provider == null) {
+                return KeyStore.getInstance(type.getJcaName());
+            }
+            return KeyStore.getInstance(type.getJcaName(), provider);
+        } catch (KeyStoreException | NoSuchProviderException e) {
+            throw new SecurityException(e);
+        }
+    }
+
+}
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
new file mode 100644
index 0000000000000..d92b8067d3368
--- /dev/null
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
@@ -0,0 +1,68 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.common.crypto;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Stream;
+
+public enum KeyStoreType {
+
+    JKS("JKS"),
+    PKCS_12("PKCS12"),
+    PKCS_11("PKCS11"),
+    BKS("BKS"),
+    BCFKS("BCFKS");
+
+    private static final Map<KeyStoreType, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>();
+
+    static {
+        TYPE_TO_EXTENSION_MAP.put(JKS, List.of(".jks", ".ks"));
+        TYPE_TO_EXTENSION_MAP.put(PKCS_12, List.of(".p12", ".pkcs12", ".pfx"));
+        TYPE_TO_EXTENSION_MAP.put(BKS, List.of(".bks")); // Bouncy Castle Keystore
+        TYPE_TO_EXTENSION_MAP.put(BCFKS, List.of(".bcfks")); // Bouncy Castle FIPS Keystore
+    }
+
+    /**
+     * Specifies KeyStore formats that are appropriate for use in a FIPS-compliant JVM:
+     * - BCFKS KeyStore is specifically designed for FIPS compliance.
+     * - PKCS#11 is vendor-specific and requires proper configuration to operate in FIPS mode.
+     * - JKS can be used under FIPS with restrictions: it may contain only certificates, and it will be readable but not writable.
+     */
+    public static final List<KeyStoreType> SECURE_KEYSTORE_TYPES = List.of(PKCS_11, BCFKS, JKS);
+
+    private final String jcaName;
+
+    KeyStoreType(String jks) {
+        jcaName = jks;
+    }
+
+    public String getJcaName() {
+        return jcaName;
+    }
+
+    public static KeyStoreType inferStoreType(String filePath) {
+        return TYPE_TO_EXTENSION_MAP.entrySet()
+            .stream()
+            .filter(entry -> entry.getValue().stream().anyMatch(filePath::endsWith))
+            .map(Map.Entry::getKey)
+            .findFirst()
+            .orElseThrow(() -> new IllegalArgumentException("Unknown keystore type for file path: " + filePath));
+    }
+
+    public static KeyStoreType getByJcaName(String value) {
+        return Stream.of(KeyStoreType.values()).filter(type -> type.getJcaName().equals(value)).findFirst().orElse(null);
+    }
+
+    public static String getExtensionsByType(KeyStoreType type) {
+        return TYPE_TO_EXTENSION_MAP.get(type).get(0);
+    }
+
+}
diff --git a/libs/ssl-config/build.gradle b/libs/ssl-config/build.gradle
index 68f3cae7a0ac2..8d09782b04b89 100644
--- a/libs/ssl-config/build.gradle
+++ b/libs/ssl-config/build.gradle
@@ -63,6 +63,7 @@ forbiddenPatterns {
   exclude '**/*.pem'
   exclude '**/*.p12'
   exclude '**/*.jks'
+  exclude '**/*.bcfks'
 }
 
 tasks.test {
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
index 859b74b200dc6..d82716085b504 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
@@ -33,6 +33,8 @@
 package org.opensearch.common.ssl;
 
 import org.opensearch.common.Nullable;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
@@ -95,7 +97,7 @@ public X509ExtendedTrustManager createTrustManager() {
     private KeyStore getSystemTrustStore() {
         if (isPkcs11Truststore(systemProperties) && trustStorePassword != null) {
             try {
-                KeyStore keyStore = KeyStore.getInstance("PKCS11");
+                KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_11);
                 keyStore.load(null, trustStorePassword);
                 return keyStore;
             } catch (GeneralSecurityException | IOException e) {
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
index 3fca84e303e27..e0bef21ed4242 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
@@ -33,6 +33,8 @@
 package org.opensearch.common.ssl;
 
 import org.opensearch.common.Nullable;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
@@ -52,7 +54,6 @@
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.util.Collection;
-import java.util.Locale;
 
 /**
  * A variety of utility methods for working with or constructing {@link KeyStore} instances.
@@ -63,35 +64,20 @@ private KeyStoreUtil() {
         throw new IllegalStateException("Utility class should not be instantiated");
     }
 
-    /**
-     * Make a best guess about the "type" (see {@link KeyStore#getType()}) of the keystore file located at the given {@code Path}.
-     * This method only references the <em>file name</em> of the keystore, it does not look at its contents.
-     */
-    static String inferKeyStoreType(Path path) {
-        String name = path == null ? "" : path.toString().toLowerCase(Locale.ROOT);
-        if (name.endsWith(".p12") || name.endsWith(".pfx") || name.endsWith(".pkcs12")) {
-            return "PKCS12";
-        } else if (name.endsWith(".bks")) {
-            return "BCFKS";
-        } else {
-            return "jks";
-        }
-    }
-
     /**
      * Read the given keystore file.
      *
      * @throws SslConfigException       If there is a problem reading from the provided path
      * @throws GeneralSecurityException If there is a problem with the keystore contents
      */
-    static KeyStore readKeyStore(Path path, String type, char[] password) throws GeneralSecurityException {
+    static KeyStore readKeyStore(Path path, KeyStoreType type, char[] password) throws GeneralSecurityException {
         if (Files.notExists(path)) {
             throw new SslConfigException(
                 "cannot read a [" + type + "] keystore from [" + path.toAbsolutePath() + "] because the file does not exist"
             );
         }
         try {
-            KeyStore keyStore = KeyStore.getInstance(type);
+            KeyStore keyStore = KeyStoreFactory.getInstance(type);
             try (InputStream in = Files.newInputStream(path)) {
                 keyStore.load(in, password);
             }
@@ -135,7 +121,7 @@ static KeyStore buildTrustStore(Iterable<Certificate> certificates) throws Gener
     }
 
     private static KeyStore buildNewKeyStore() throws GeneralSecurityException {
-        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
         try {
             keyStore.load(null, null);
         } catch (IOException e) {
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
index 821c38c8d2f46..3a1b369c64902 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
@@ -60,7 +60,7 @@
 
 final class PemUtils {
 
-    protected static final String BCFIPS = "BCFIPS";
+    private static final String BCFIPS = "BCFIPS";
 
     private PemUtils() {
         throw new IllegalStateException("Utility class should not be instantiated");
@@ -148,15 +148,20 @@ private static Object readObject(Path keyPath, PEMParser pemParser) throws IOExc
         while (pemParser.ready()) {
             try {
                 var object = pemParser.readObject();
-                if (object instanceof ASN1ObjectIdentifier) { // handles -----BEGIN EC PARAMETERS-----
+                if (object == null) { // ignore unknown objects;
+                    continue;
+                }
+                if (object instanceof ASN1ObjectIdentifier) { // ignore -----BEGIN EC PARAMETERS-----
                     continue;
                 }
                 return object;
-            } catch (IOException e) { // handles -----BEGIN DSA PARAMETERS-----
+            } catch (IOException e) { // ignore -----BEGIN DSA PARAMETERS-----
                 // ignore
             }
         }
-        throw new SslConfigException("Error parsing Private Key [" + keyPath.toAbsolutePath() + "], file is empty");
+        throw new SslConfigException(
+            "Error parsing Private Key [" + keyPath.toAbsolutePath() + "]. The file is empty, or does not contain expected key format."
+        );
     }
 
 }
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
index d6aa106039ce3..909b8facd68b5 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
@@ -40,7 +40,6 @@
 
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -68,12 +67,7 @@ public class SslConfiguration {
     static final Map<String, String> ORDERED_PROTOCOL_ALGORITHM_MAP;
     static {
         LinkedHashMap<String, String> protocolAlgorithmMap = new LinkedHashMap<>();
-        try {
-            SSLContext.getInstance("TLSv1.3");
-            protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
-        } catch (NoSuchAlgorithmException e) {
-            // ignore since we support JVMs (and BC JSSE in FIPS mode) that do not support TLSv1.3
-        }
+        protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
         protocolAlgorithmMap.put("TLSv1.2", "TLSv1.2");
         protocolAlgorithmMap.put("TLSv1.1", "TLSv1.1");
         protocolAlgorithmMap.put("TLSv1", "TLSv1");
@@ -157,12 +151,7 @@ public SSLContext createSslContext() {
         final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager();
         final X509ExtendedTrustManager trustManager = trustConfig.createTrustManager();
         try {
-            SSLContext sslContext;
-            if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance(contextProtocol());
-            }
+            SSLContext sslContext = SSLContext.getInstance(contextProtocol());
             sslContext.init(new X509ExtendedKeyManager[] { keyManager }, new X509ExtendedTrustManager[] { trustManager }, null);
             return sslContext;
         } catch (GeneralSecurityException e) {
@@ -178,6 +167,13 @@ private String contextProtocol() {
         if (supportedProtocols.isEmpty()) {
             throw new SslConfigException("no SSL/TLS protocols have been configured");
         }
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+            if (!new HashSet<>(SslConfigurationLoader.FIPS_APPROVED_PROTOCOLS).containsAll(supportedProtocols)) {
+                throw new SslConfigException(
+                    "in FIPS mode only the following SSL/TLS protocols are allowed: " + SslConfigurationLoader.FIPS_APPROVED_PROTOCOLS
+                );
+            }
+        }
         for (Entry<String, String> entry : ORDERED_PROTOCOL_ALGORITHM_MAP.entrySet()) {
             if (supportedProtocols.contains(entry.getKey())) {
                 return entry.getValue();
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
index 0b06a0692197e..4deeed2bbc45e 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common.ssl;
 
+import org.opensearch.common.crypto.KeyStoreType;
+
 import javax.crypto.Cipher;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -40,14 +42,14 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
-import static org.opensearch.common.ssl.KeyStoreUtil.inferKeyStoreType;
-import static org.opensearch.common.ssl.SslConfiguration.ORDERED_PROTOCOL_ALGORITHM_MAP;
+import static org.opensearch.common.crypto.KeyStoreType.inferStoreType;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CERTIFICATE;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CERTIFICATE_AUTHORITIES;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CIPHERS;
@@ -84,11 +86,7 @@
  */
 public abstract class SslConfigurationLoader {
 
-    static final List<String> DEFAULT_PROTOCOLS = Collections.unmodifiableList(
-        ORDERED_PROTOCOL_ALGORITHM_MAP.containsKey("TLSv1.3")
-            ? Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1")
-            : Arrays.asList("TLSv1.2", "TLSv1.1")
-    );
+    static final List<String> FIPS_APPROVED_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2");
     static final List<String> DEFAULT_CIPHERS = loadDefaultCiphers();
     private static final char[] EMPTY_PASSWORD = new char[0];
 
@@ -119,7 +117,7 @@ public SslConfigurationLoader(String settingPrefix) {
         this.defaultKeyConfig = EmptyKeyConfig.INSTANCE;
         this.defaultVerificationMode = SslVerificationMode.FULL;
         this.defaultClientAuth = SslClientAuthenticationMode.OPTIONAL;
-        this.defaultProtocols = DEFAULT_PROTOCOLS;
+        this.defaultProtocols = FIPS_APPROVED_PROTOCOLS;
         this.defaultCiphers = DEFAULT_CIPHERS;
     }
 
@@ -167,7 +165,7 @@ public void setDefaultCiphers(List<String> defaultCiphers) {
 
     /**
      * Change the default SSL/TLS protocol list.
-     * The initial protocol list is defined by {@link #DEFAULT_PROTOCOLS}
+     * The initial protocol list is defined by {@link #FIPS_APPROVED_PROTOCOLS}
      */
     public void setDefaultProtocols(List<String> defaultProtocols) {
         this.defaultProtocols = defaultProtocols;
@@ -248,7 +246,11 @@ private SslTrustConfig buildTrustConfig(Path basePath, SslVerificationMode verif
         }
         if (trustStorePath != null) {
             final char[] password = resolvePasswordSetting(TRUSTSTORE_SECURE_PASSWORD, TRUSTSTORE_LEGACY_PASSWORD);
-            final String storeType = resolveSetting(TRUSTSTORE_TYPE, Function.identity(), inferKeyStoreType(trustStorePath));
+            final Optional<String> maybeStoreType = Optional.ofNullable(resolveSetting(TRUSTSTORE_TYPE, Function.identity(), null));
+            final KeyStoreType storeType = maybeStoreType
+                .map(KeyStoreType::getByJcaName)
+                .orElse(inferStoreType(trustStorePath.toString().toLowerCase(Locale.ROOT)));
+
             final String algorithm = resolveSetting(TRUSTSTORE_ALGORITHM, Function.identity(), TrustManagerFactory.getDefaultAlgorithm());
             return new StoreTrustConfig(trustStorePath, password, storeType, algorithm);
         }
@@ -287,7 +289,12 @@ private SslKeyConfig buildKeyConfig(Path basePath) {
             if (keyPassword.length == 0) {
                 keyPassword = storePassword;
             }
-            final String storeType = resolveSetting(KEYSTORE_TYPE, Function.identity(), inferKeyStoreType(keyStorePath));
+
+            final Optional<String> maybeStoreType = Optional.ofNullable(resolveSetting(KEYSTORE_TYPE, Function.identity(), null));
+            final KeyStoreType storeType = maybeStoreType
+                .map(KeyStoreType::getByJcaName)
+                .orElse(inferStoreType(keyStorePath.toString().toLowerCase(Locale.ROOT)));
+
             final String algorithm = resolveSetting(KEYSTORE_ALGORITHM, Function.identity(), KeyManagerFactory.getDefaultAlgorithm());
             return new StoreKeyConfig(keyStorePath, storePassword, storeType, keyPassword, algorithm);
         }
@@ -360,14 +367,11 @@ private <V> List<V> resolveListSetting(String key, Function<String, V> parser, L
 
     private static List<String> loadDefaultCiphers() {
         final boolean has256BitAES = has256BitAES();
-        final boolean tlsV13Supported = DEFAULT_PROTOCOLS.contains("TLSv1.3");
         List<String> ciphers = new ArrayList<>();
-        if (tlsV13Supported) { // TLSv1.3 cipher has PFS, AEAD, hardware support
-            if (has256BitAES) {
-                ciphers.add("TLS_AES_256_GCM_SHA384");
-            }
-            ciphers.add("TLS_AES_128_GCM_SHA256");
+        if (has256BitAES) {
+            ciphers.add("TLS_AES_256_GCM_SHA384");
         }
+        ciphers.add("TLS_AES_128_GCM_SHA256");
         // use GCM: PFS, AEAD, hardware support
         if (has256BitAES) {
             ciphers.addAll(
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java
index b3b7b7dc346a6..c60e4d1b0f65a 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common.ssl;
 
+import org.opensearch.common.crypto.KeyStoreType;
+
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 
@@ -51,7 +53,7 @@
 public class StoreKeyConfig implements SslKeyConfig {
     private final Path path;
     private final char[] storePassword;
-    private final String type;
+    private final KeyStoreType type;
     private final char[] keyPassword;
     private final String algorithm;
 
@@ -59,12 +61,12 @@ public class StoreKeyConfig implements SslKeyConfig {
      * @param path          The path to the keystore file
      * @param storePassword The password for the keystore
      * @param type          The {@link KeyStore#getType() type} of the keystore (typically "PKCS12" or "jks").
-     *                      See {@link KeyStoreUtil#inferKeyStoreType(Path)}.
+     *                      See {@link KeyStoreType#inferStoreType(String)}.
      * @param keyPassword   The password for the key(s) within the keystore
      *                      (see {@link javax.net.ssl.KeyManagerFactory#init(KeyStore, char[])}).
      * @param algorithm     The algorithm to use for the Key Manager (see {@link KeyManagerFactory#getAlgorithm()}).
      */
-    StoreKeyConfig(Path path, char[] storePassword, String type, char[] keyPassword, String algorithm) {
+    StoreKeyConfig(Path path, char[] storePassword, KeyStoreType type, char[] keyPassword, String algorithm) {
         this.path = path;
         this.storePassword = storePassword;
         this.type = type;
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java
index 556cb052c4391..138fff71b8a3d 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common.ssl;
 
+import org.opensearch.common.crypto.KeyStoreType;
+
 import javax.net.ssl.X509ExtendedTrustManager;
 
 import java.nio.file.Path;
@@ -47,17 +49,17 @@
 final class StoreTrustConfig implements SslTrustConfig {
     private final Path path;
     private final char[] password;
-    private final String type;
+    private final KeyStoreType type;
     private final String algorithm;
 
     /**
      * @param path      The path to the keystore file
      * @param password  The password for the keystore
      * @param type      The {@link KeyStore#getType() type} of the keystore (typically "PKCS12" or "jks").
-     *                  See {@link KeyStoreUtil#inferKeyStoreType(Path)}.
+     *                  See {@link KeyStoreType#inferStoreType(String)}.
      * @param algorithm The algorithm to use for the Trust Manager (see {@link javax.net.ssl.TrustManagerFactory#getAlgorithm()}).
      */
-    StoreTrustConfig(Path path, char[] password, String type, String algorithm) {
+    StoreTrustConfig(Path path, char[] password, KeyStoreType type, String algorithm) {
         this.path = path;
         this.type = type;
         this.algorithm = algorithm;
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/TrustEverythingConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/TrustEverythingConfig.java
index c366210133687..dd58606ec44c4 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/TrustEverythingConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/TrustEverythingConfig.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common.ssl;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.X509ExtendedTrustManager;
 
@@ -40,6 +42,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Locale;
 
 /**
  * A {@link SslTrustConfig} that trusts all certificates. Used when {@link SslVerificationMode#isCertificateVerificationEnabled()} is
@@ -90,6 +93,15 @@ public Collection<Path> getDependentFiles() {
 
     @Override
     public X509ExtendedTrustManager createTrustManager() {
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+            var message = String.format(
+                Locale.ROOT,
+                "The use of %s is not permitted in FIPS mode. This issue may be caused by the '%s' setting.",
+                TRUST_EVERYTHING.getClass().getSimpleName(),
+                "ssl.verification_mode=NONE"
+            );
+            throw new IllegalStateException(message);
+        }
         return TRUST_MANAGER;
     }
 
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java
index a4cbea14ff261..a685d0b346161 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java
@@ -45,6 +45,7 @@
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.function.Supplier;
 
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.containsInAnyOrder;
@@ -57,6 +58,7 @@
 public class PemKeyConfigTests extends OpenSearchTestCase {
     private static final int IP_NAME = 7;
     private static final int DNS_NAME = 2;
+    private static final Supplier<char[]> STRONG_PRIVATE_SECRET = "6!6428DQXwPpi7@$ggeg/="::toCharArray;
 
     public void testBuildKeyConfigFromPkcs1PemFilesWithoutPassword() throws Exception {
         final Path cert = getDataPath("/certs/cert1/cert1.crt");
@@ -67,8 +69,9 @@ public void testBuildKeyConfigFromPkcs1PemFilesWithoutPassword() throws Exceptio
     }
 
     public void testBuildKeyConfigFromPkcs1PemFilesWithPassword() throws Exception {
-        final Path cert = getDataPath("/certs/cert2/cert2.crt");
-        final Path key = getDataPath("/certs/cert2/cert2.key");
+        assumeFalse("Can't run in a FIPS JVM, PBKDF-OPENSSL KeySpec is not available", inFipsJvm());
+        final Path cert = getDataPath("/certs/cert2/cert2-pkcs1.crt");
+        final Path key = getDataPath("/certs/cert2/cert2-pkcs1.key");
         final PemKeyConfig keyConfig = new PemKeyConfig(cert, key, "c2-pass".toCharArray());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(cert, key));
         assertCertificateAndKey(keyConfig, "CN=cert2");
@@ -76,17 +79,16 @@ public void testBuildKeyConfigFromPkcs1PemFilesWithPassword() throws Exception {
 
     public void testBuildKeyConfigFromPkcs8PemFilesWithoutPassword() throws Exception {
         final Path cert = getDataPath("/certs/cert1/cert1.crt");
-        final Path key = getDataPath("/certs/cert1/cert1-pkcs8.key");
+        final Path key = getDataPath("/certs/cert1/cert1.key");
         final PemKeyConfig keyConfig = new PemKeyConfig(cert, key, new char[0]);
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(cert, key));
         assertCertificateAndKey(keyConfig, "CN=cert1");
     }
 
     public void testBuildKeyConfigFromPkcs8PemFilesWithPassword() throws Exception {
-        assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
         final Path cert = getDataPath("/certs/cert2/cert2.crt");
-        final Path key = getDataPath("/certs/cert2/cert2-pkcs8.key");
-        final PemKeyConfig keyConfig = new PemKeyConfig(cert, key, "c2-pass".toCharArray());
+        final Path key = getDataPath("/certs/cert2/cert2.key");
+        final PemKeyConfig keyConfig = new PemKeyConfig(cert, key, STRONG_PRIVATE_SECRET.get());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(cert, key));
         assertCertificateAndKey(keyConfig, "CN=cert2");
     }
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
index 85d5172b87d0b..7ab684fea0670 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
@@ -32,18 +32,20 @@
 
 package org.opensearch.common.ssl;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.test.OpenSearchTestCase;
 
-import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.AlgorithmParameters;
 import java.security.Key;
-import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.interfaces.ECPrivateKey;
 import java.security.spec.ECGenParameterSpec;
 import java.security.spec.ECParameterSpec;
+import java.util.Locale;
 import java.util.function.Supplier;
 
 import static org.hamcrest.Matchers.equalTo;
@@ -55,9 +57,11 @@ public class PemUtilsTests extends OpenSearchTestCase {
 
     private static final Supplier<char[]> EMPTY_PASSWORD = () -> new char[0];
     private static final Supplier<char[]> TESTNODE_PASSWORD = "testnode"::toCharArray;
+    private static final Supplier<char[]> STRONG_PRIVATE_SECRET = "6!6428DQXwPpi7@$ggeg/="::toCharArray; // has to be at least 112 bit long.
 
     public void testReadPKCS8RsaKey() throws Exception {
-        Key key = getKeyFromKeystore("RSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/rsa_key_pkcs8_plain.pem"), EMPTY_PASSWORD);
@@ -66,7 +70,8 @@ public void testReadPKCS8RsaKey() throws Exception {
     }
 
     public void testReadPKCS8RsaKeyWithBagAttrs() throws Exception {
-        Key key = getKeyFromKeystore("RSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/testnode_with_bagattrs.pem"), EMPTY_PASSWORD);
@@ -74,7 +79,8 @@ public void testReadPKCS8RsaKeyWithBagAttrs() throws Exception {
     }
 
     public void testReadPKCS8DsaKey() throws Exception {
-        Key key = getKeyFromKeystore("DSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("DSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/dsa_key_pkcs8_plain.pem"), EMPTY_PASSWORD);
@@ -94,7 +100,8 @@ public void testReadEcKeyCurves() throws Exception {
     }
 
     public void testReadPKCS8EcKey() throws Exception {
-        Key key = getKeyFromKeystore("EC");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("EC", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/ec_key_pkcs8_plain.pem"), EMPTY_PASSWORD);
@@ -104,7 +111,7 @@ public void testReadPKCS8EcKey() throws Exception {
 
     public void testReadEncryptedPKCS8Key() throws Exception {
         assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
-        Key key = getKeyFromKeystore("RSA");
+        Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/key_pkcs8_encrypted.pem"), TESTNODE_PASSWORD);
@@ -113,7 +120,8 @@ public void testReadEncryptedPKCS8Key() throws Exception {
     }
 
     public void testReadDESEncryptedPKCS1Key() throws Exception {
-        Key key = getKeyFromKeystore("RSA");
+        assumeFalse("Can't run in a FIPS JVM, PBKDF-OPENSSL KeySpec is not available", inFipsJvm());
+        Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/testnode.pem"), TESTNODE_PASSWORD);
@@ -122,7 +130,8 @@ public void testReadDESEncryptedPKCS1Key() throws Exception {
     }
 
     public void testReadAESEncryptedPKCS1Key() throws Exception {
-        Key key = getKeyFromKeystore("RSA");
+        assumeFalse("Can't run in a FIPS JVM, PBKDF-OPENSSL KeySpec is not available", inFipsJvm());
+        Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         String bits = randomFrom("128", "192", "256");
@@ -133,7 +142,8 @@ public void testReadAESEncryptedPKCS1Key() throws Exception {
     }
 
     public void testReadPKCS1RsaKey() throws Exception {
-        Key key = getKeyFromKeystore("RSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/testnode-unprotected.pem"), TESTNODE_PASSWORD);
@@ -143,7 +153,8 @@ public void testReadPKCS1RsaKey() throws Exception {
     }
 
     public void testReadOpenSslDsaKey() throws Exception {
-        Key key = getKeyFromKeystore("DSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("DSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/dsa_key_openssl_plain.pem"), EMPTY_PASSWORD);
@@ -153,7 +164,8 @@ public void testReadOpenSslDsaKey() throws Exception {
     }
 
     public void testReadOpenSslDsaKeyWithParams() throws Exception {
-        Key key = getKeyFromKeystore("DSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("DSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(
@@ -166,7 +178,8 @@ public void testReadOpenSslDsaKeyWithParams() throws Exception {
     }
 
     public void testReadEncryptedOpenSslDsaKey() throws Exception {
-        Key key = getKeyFromKeystore("DSA");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("DSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/dsa_key_openssl_encrypted.pem"), TESTNODE_PASSWORD);
@@ -176,7 +189,8 @@ public void testReadEncryptedOpenSslDsaKey() throws Exception {
     }
 
     public void testReadOpenSslEcKey() throws Exception {
-        Key key = getKeyFromKeystore("EC");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("EC", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/ec_key_openssl_plain.pem"), EMPTY_PASSWORD);
@@ -186,7 +200,8 @@ public void testReadOpenSslEcKey() throws Exception {
     }
 
     public void testReadOpenSslEcKeyWithParams() throws Exception {
-        Key key = getKeyFromKeystore("EC");
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        Key key = getKeyFromKeystore("EC", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(
@@ -199,7 +214,8 @@ public void testReadOpenSslEcKeyWithParams() throws Exception {
     }
 
     public void testReadEncryptedOpenSslEcKey() throws Exception {
-        Key key = getKeyFromKeystore("EC");
+        assumeFalse("Can't run in a FIPS JVM, PBKDF-OPENSSL KeySpec is not available", inFipsJvm());
+        Key key = getKeyFromKeystore("EC", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/ec_key_openssl_encrypted.pem"), TESTNODE_PASSWORD);
@@ -208,6 +224,33 @@ public void testReadEncryptedOpenSslEcKey() throws Exception {
         assertThat(privateKey, equalTo(key));
     }
 
+    public void testReadEncryptedPKCS8KeyWithPBKDF2() throws Exception {
+        Key key = getKeyFromKeystore("PKCS8_PBKDF2");
+        assertThat(key, notNullValue());
+        assertThat(key, instanceOf(PrivateKey.class));
+        PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/key_PKCS8_enc_pbkdf2.pem"), STRONG_PRIVATE_SECRET);
+        assertThat(privateKey, notNullValue());
+        assertThat(privateKey, equalTo(key));
+    }
+
+    public void testReadEncryptedDsaKeyWithPBKDF2() throws Exception {
+        Key key = getKeyFromKeystore("DSA_PBKDF2");
+        assertThat(key, notNullValue());
+        assertThat(key, instanceOf(PrivateKey.class));
+        PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/key_DSA_enc_pbkdf2.pem"), STRONG_PRIVATE_SECRET);
+        assertThat(privateKey, notNullValue());
+        assertThat(privateKey, equalTo(key));
+    }
+
+    public void testReadEncryptedEcKeyWithPBKDF2() throws Exception {
+        Key key = getKeyFromKeystore("EC_PBKDF2");
+        assertThat(key, notNullValue());
+        assertThat(key, instanceOf(PrivateKey.class));
+        PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/key_EC_enc_pbkdf2.pem"), STRONG_PRIVATE_SECRET);
+        assertThat(privateKey, notNullValue());
+        assertThat(privateKey, equalTo(key));
+    }
+
     public void testReadUnsupportedKey() {
         final Path path = getDataPath("/certs/pem-utils/key_unsupported.pem");
         SslConfigException e = expectThrows(SslConfigException.class, () -> PemUtils.readPrivateKey(path, TESTNODE_PASSWORD));
@@ -239,11 +282,17 @@ public void testReadEmptyFile() {
     }
 
     private Key getKeyFromKeystore(String algo) throws Exception {
-        Path keystorePath = getDataPath("/certs/pem-utils/testnode.jks");
-        try (InputStream in = Files.newInputStream(keystorePath)) {
-            KeyStore keyStore = KeyStore.getInstance("jks");
-            keyStore.load(in, "testnode".toCharArray());
-            return keyStore.getKey("testnode_" + algo, "testnode".toCharArray());
+        return getKeyFromKeystore(algo, CryptoServicesRegistrar.isInApprovedOnlyMode() ? KeyStoreType.BCFKS : KeyStoreType.JKS);
+    }
+
+    private Key getKeyFromKeystore(String algo, KeyStoreType keyStoreType) throws Exception {
+        var keystorePath = getDataPath("/certs/pem-utils/testnode" + KeyStoreType.getExtensionsByType(keyStoreType));
+        var alias = "testnode_" + algo.toLowerCase(Locale.ROOT);
+        var password = "testnode".toCharArray();
+        try (var in = Files.newInputStream(keystorePath)) {
+            var keyStore = KeyStoreFactory.getInstance(keyStoreType);
+            keyStore.load(in, password);
+            return keyStore.getKey(alias, password);
         }
     }
 }
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
index 5af7ddc73e680..bb46c086fbedc 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
@@ -53,6 +53,8 @@
 
 public class SslConfigurationLoaderTests extends OpenSearchTestCase {
 
+    protected static final String BCFKS = "BCFKS";
+    private final String STRONG_PRIVATE_SECRET = "6!6428DQXwPpi7@$ggeg/=";
     private final Path certRoot = getDataPath("/certs/ca1/ca.crt").getParent().getParent();
 
     private Settings settings;
@@ -113,7 +115,30 @@ public void testLoadTrustFromPemCAs() {
         assertThat(trustConfig.createTrustManager(), notNullValue());
     }
 
+    public void testLoadTrustFromBCFKS() {
+        final Settings.Builder builder = Settings.builder().put("test.ssl.truststore.path", "ca-all/ca.bcfks");
+        if (randomBoolean()) {
+            builder.put("test.ssl.truststore.password", "bcfks-pass");
+        } else {
+            secureSettings.setString("test.ssl.truststore.secure_password", "bcfks-pass");
+        }
+        if (randomBoolean()) {
+            // If this is not set, the loader will guess from the extension
+            builder.put("test.ssl.truststore.type", BCFKS);
+        }
+        if (randomBoolean()) {
+            builder.put("test.ssl.truststore.algorithm", TrustManagerFactory.getDefaultAlgorithm());
+        }
+        settings = builder.build();
+        final SslConfiguration configuration = loader.load(certRoot);
+        final SslTrustConfig trustConfig = configuration.getTrustConfig();
+        assertThat(trustConfig, instanceOf(StoreTrustConfig.class));
+        assertThat(trustConfig.getDependentFiles(), containsInAnyOrder(getDataPath("/certs/ca-all/ca.bcfks")));
+        assertThat(trustConfig.createTrustManager(), notNullValue());
+    }
+
     public void testLoadTrustFromPkcs12() {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Settings.Builder builder = Settings.builder().put("test.ssl.truststore.path", "ca-all/ca.p12");
         if (randomBoolean()) {
             builder.put("test.ssl.truststore.password", "p12-pass");
@@ -136,6 +161,7 @@ public void testLoadTrustFromPkcs12() {
     }
 
     public void testLoadTrustFromJKS() {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Settings.Builder builder = Settings.builder().put("test.ssl.truststore.path", "ca-all/ca.jks");
         if (randomBoolean()) {
             builder.put("test.ssl.truststore.password", "jks-pass");
@@ -166,9 +192,9 @@ public void testLoadKeysFromPemFiles() {
             .put("test.ssl.key", certName + "/" + certName + ".key");
         if (usePassword) {
             if (useLegacyPassword) {
-                builder.put("test.ssl.key_passphrase", "c2-pass");
+                builder.put("test.ssl.key_passphrase", STRONG_PRIVATE_SECRET);
             } else {
-                secureSettings.setString("test.ssl.secure_key_passphrase", "c2-pass");
+                secureSettings.setString("test.ssl.secure_key_passphrase", STRONG_PRIVATE_SECRET);
             }
         }
         settings = builder.build();
@@ -185,7 +211,30 @@ public void testLoadKeysFromPemFiles() {
         assertThat(keyConfig.createKeyManager(), notNullValue());
     }
 
+    public void testLoadKeysFromBCFKS() {
+        final Settings.Builder builder = Settings.builder().put("test.ssl.keystore.path", "cert-all/certs.bcfks");
+        if (randomBoolean()) {
+            builder.put("test.ssl.keystore.password", "bcfks-pass");
+        } else {
+            secureSettings.setString("test.ssl.keystore.secure_password", "bcfks-pass");
+        }
+        if (randomBoolean()) {
+            // If this is not set, the loader will guess from the extension
+            builder.put("test.ssl.keystore.type", BCFKS);
+        }
+        if (randomBoolean()) {
+            builder.put("test.ssl.keystore.algorithm", KeyManagerFactory.getDefaultAlgorithm());
+        }
+        settings = builder.build();
+        final SslConfiguration configuration = loader.load(certRoot);
+        final SslKeyConfig keyConfig = configuration.getKeyConfig();
+        assertThat(keyConfig, instanceOf(StoreKeyConfig.class));
+        assertThat(keyConfig.getDependentFiles(), containsInAnyOrder(getDataPath("/certs/cert-all/certs.bcfks")));
+        assertThat(keyConfig.createKeyManager(), notNullValue());
+    }
+
     public void testLoadKeysFromPKCS12() {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Settings.Builder builder = Settings.builder().put("test.ssl.keystore.path", "cert-all/certs.p12");
         if (randomBoolean()) {
             builder.put("test.ssl.keystore.password", "p12-pass");
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
index ee907952c52ff..9281d9612d806 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
@@ -166,7 +166,7 @@ public void testDependentFiles() {
             randomFrom(SslVerificationMode.values()),
             randomFrom(SslClientAuthenticationMode.values()),
             DEFAULT_CIPHERS,
-            SslConfigurationLoader.DEFAULT_PROTOCOLS
+            SslConfigurationLoader.FIPS_APPROVED_PROTOCOLS
         );
 
         final Path dir = createTempDir();
@@ -184,7 +184,7 @@ public void testDependentFiles() {
     public void testBuildSslContext() {
         final SslTrustConfig trustConfig = Mockito.mock(SslTrustConfig.class);
         final SslKeyConfig keyConfig = Mockito.mock(SslKeyConfig.class);
-        final String protocol = randomFrom(SslConfigurationLoader.DEFAULT_PROTOCOLS);
+        final String protocol = randomFrom(SslConfigurationLoader.FIPS_APPROVED_PROTOCOLS);
         final SslConfiguration configuration = new SslConfiguration(
             trustConfig,
             keyConfig,
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java
index c966b4259219f..b733b6536f5cb 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java
@@ -85,7 +85,7 @@ public void testDiagnosticMessageWhenServerProvidesAFullCertChainThatIsTrusted()
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.1];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1];"
                     + " the certificate is signed by"
@@ -110,7 +110,7 @@ public void testDiagnosticMessageWhenServerProvidesAFullCertChainThatIsntTrusted
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.1];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1];"
                     + " the certificate is signed by (subject [CN=Test CA 1] fingerprint [2b7b0416391bdf86502505c23149022d2213dadc])"
@@ -134,7 +134,7 @@ public void testDiagnosticMessageWhenServerFullCertChainIsntTrustedButMimicIssue
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.1];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1];"
                     + " the certificate is signed by (subject [CN=Test CA 1] fingerprint [2b7b0416391bdf86502505c23149022d2213dadc])"
@@ -160,7 +160,7 @@ public void testDiagnosticMessageWhenServerProvidesEndCertificateOnlyAndTheCertA
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.1];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1]"
                     + " but the server did not provide a copy of the issuing certificate in the certificate chain;"
@@ -185,7 +185,7 @@ public void testDiagnosticMessageWhenServerProvidesEndCertificateOnlyButTheCertA
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.1];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1]"
                     + " but the server did not provide a copy of the issuing certificate in the certificate chain;"
@@ -209,7 +209,7 @@ public void testDiagnosticMessageWhenServerProvidesEndCertificateOnlyWithMimicIs
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.1];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1]"
                     + " but the server did not provide a copy of the issuing certificate in the certificate chain;"
@@ -235,7 +235,7 @@ public void testDiagnosticMessageWhenServerProvidesEndCertificateWithMultipleMim
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.9];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1]"
                     + " but the server did not provide a copy of the issuing certificate in the certificate chain;"
@@ -538,7 +538,7 @@ public void testDiagnosticMessageForClientCertificate() throws Exception {
             Matchers.equalTo(
                 "failed to establish trust with client at [192.168.1.7];"
                     + " the client provided a certificate with subject name [CN=cert1]"
-                    + " and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate is issued by [CN=Test CA 1]"
                     + " but the client did not provide a copy of the issuing certificate in the certificate chain;"
                     + " the issuing certificate with fingerprint [2b7b0416391bdf86502505c23149022d2213dadc]"
@@ -571,7 +571,7 @@ public void testDiagnosticMessageWhenCaHasNewIssuingCertificate() throws Excepti
             message,
             Matchers.equalTo(
                 "failed to establish trust with server at [192.168.1.4];"
-                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [3bebe388a66362784afd6c51a9000961a4e10050];"
+                    + " the server provided a certificate with subject name [CN=cert1] and fingerprint [7e0919348e566651a136f2a1d5974585d5b3712e];"
                     + " the certificate has subject alternative names [DNS:localhost,IP:127.0.0.1];"
                     + " the certificate is issued by [CN=Test CA 1];"
                     + " the certificate is signed by (subject [CN=Test CA 1]"
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
index 7806671d02793..5c7a23445a877 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
@@ -48,6 +48,10 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 
+import static org.opensearch.common.crypto.KeyStoreType.BCFKS;
+import static org.opensearch.common.crypto.KeyStoreType.JKS;
+import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
+import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.containsString;
@@ -64,11 +68,12 @@ public class StoreKeyConfigTests extends OpenSearchTestCase {
 
     private static final char[] P12_PASS = "p12-pass".toCharArray();
     private static final char[] JKS_PASS = "jks-pass".toCharArray();
+    private static final char[] BCFKS_PASS = "bcfks-pass".toCharArray();
 
     public void testLoadSingleKeyPKCS12() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path p12 = getDataPath("/certs/cert1/cert1.p12");
-        final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, "PKCS12", P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, PKCS_12, P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(p12));
         assertKeysLoaded(keyConfig, "cert1");
     }
@@ -76,18 +81,17 @@ public void testLoadSingleKeyPKCS12() throws Exception {
     public void testLoadMultipleKeyPKCS12() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path p12 = getDataPath("/certs/cert-all/certs.p12");
-        final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, "PKCS12", P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, PKCS_12, P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(p12));
         assertKeysLoaded(keyConfig, "cert1", "cert2");
     }
 
     public void testLoadMultipleKeyJksWithSeparateKeyPassword() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
         final StoreKeyConfig keyConfig = new StoreKeyConfig(
             jks,
             JKS_PASS,
-            "jks",
+            JKS,
             "key-pass".toCharArray(),
             KeyManagerFactory.getDefaultAlgorithm()
         );
@@ -95,13 +99,19 @@ public void testLoadMultipleKeyJksWithSeparateKeyPassword() throws Exception {
         assertKeysLoaded(keyConfig, "cert1", "cert2");
     }
 
-    public void testKeyManagerFailsWithIncorrectStorePassword() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+    public void testLoadMultipleKeyBcfks() throws CertificateParsingException {
+        final Path bcfks = getDataPath("/certs/cert-all/certs.bcfks");
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(bcfks, BCFKS_PASS, BCFKS, BCFKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(bcfks));
+        assertKeysLoaded(keyConfig, "cert1", "cert2");
+    }
+
+    public void testKeyManagerFailsWithIncorrectJksStorePassword() throws Exception {
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
         final StoreKeyConfig keyConfig = new StoreKeyConfig(
             jks,
             P12_PASS,
-            "jks",
+            JKS,
             "key-pass".toCharArray(),
             KeyManagerFactory.getDefaultAlgorithm()
         );
@@ -109,37 +119,61 @@ public void testKeyManagerFailsWithIncorrectStorePassword() throws Exception {
         assertPasswordIsIncorrect(keyConfig, jks);
     }
 
-    public void testKeyManagerFailsWithIncorrectKeyPassword() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+    public void testKeyManagerFailsWithIncorrectBcfksStorePassword() throws Exception {
+        final Path bcfks = getDataPath("/certs/cert-all/certs.bcfks");
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(bcfks, P12_PASS, BCFKS, BCFKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(bcfks));
+        assertPasswordIsIncorrect(keyConfig, bcfks);
+    }
+
+    public void testKeyManagerFailsWithIncorrectJksKeyPassword() throws Exception {
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
-        final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, JKS_PASS, "jks", JKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, JKS_PASS, JKS, JKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(jks));
         assertPasswordIsIncorrect(keyConfig, jks);
     }
 
+    public void testKeyManagerFailsWithIncorrectBcfksKeyPassword() throws Exception {
+        final Path bcfks = getDataPath("/certs/cert-all/certs.bcfks");
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(
+            bcfks,
+            BCFKS_PASS,
+            BCFKS,
+            "nonsense".toCharArray(),
+            KeyManagerFactory.getDefaultAlgorithm()
+        );
+        assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(bcfks));
+        assertPasswordIsIncorrect(keyConfig, bcfks);
+    }
+
     public void testKeyManagerFailsWithMissingKeystoreFile() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path path = getDataPath("/certs/cert-all/certs.jks").getParent().resolve("dne.jks");
-        final StoreKeyConfig keyConfig = new StoreKeyConfig(path, JKS_PASS, "jks", JKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(path, JKS_PASS, JKS, JKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(path));
         assertFileNotFound(keyConfig, path);
     }
 
-    public void testMissingKeyEntriesFailsWithMeaningfulMessage() throws Exception {
+    public void testMissingKeyEntriesFailsForJksWithMeaningfulMessage() throws Exception {
+        final Path ks = getDataPath("/certs/ca-all/ca.jks");
+        final char[] password = JKS_PASS;
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(ks, password, JKS, password, KeyManagerFactory.getDefaultAlgorithm());
+        assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
+        assertNoPrivateKeyEntries(keyConfig, ks);
+    }
+
+    public void testMissingKeyEntriesFailsForP12WithMeaningfulMessage() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
-        final Path ks;
-        final char[] password;
-        final String type;
-        if (randomBoolean()) {
-            type = "PKCS12";
-            ks = getDataPath("/certs/ca-all/ca.p12");
-            password = P12_PASS;
-        } else {
-            type = "jks";
-            ks = getDataPath("/certs/ca-all/ca.jks");
-            password = JKS_PASS;
-        }
-        final StoreKeyConfig keyConfig = new StoreKeyConfig(ks, password, type, password, KeyManagerFactory.getDefaultAlgorithm());
+        final Path ks = getDataPath("/certs/ca-all/ca.p12");
+        final char[] password = P12_PASS;
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(ks, password, PKCS_12, password, KeyManagerFactory.getDefaultAlgorithm());
+        assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
+        assertNoPrivateKeyEntries(keyConfig, ks);
+    }
+
+    public void testMissingKeyEntriesFailsForBcfksWithMeaningfulMessage() throws Exception {
+        final Path ks = getDataPath("/certs/ca-all/ca.bcfks");
+        final char[] password = BCFKS_PASS;
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(ks, password, BCFKS, password, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertNoPrivateKeyEntries(keyConfig, ks);
     }
@@ -152,7 +186,7 @@ public void testKeyConfigReloadsFileContents() throws Exception {
 
         final Path p12 = createTempFile("cert", ".p12");
 
-        final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, "PKCS12", P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
+        final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, PKCS_12, P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
 
         Files.copy(cert1, p12, StandardCopyOption.REPLACE_EXISTING);
         assertKeysLoaded(keyConfig, "cert1");
@@ -211,7 +245,10 @@ private void assertPasswordIsIncorrect(StoreKeyConfig keyConfig, Path key) {
             assertThat(exception.getMessage(), containsString("password"));
         } else {
             assertThat(exception.getCause(), instanceOf(IOException.class));
-            assertThat(exception.getCause().getMessage(), containsString("password"));
+            assertThat(
+                exception.getCause().getMessage(),
+                anyOf(containsString("Keystore was tampered with, or password was incorrect"), containsString("BCFKS KeyStore corrupted"))
+            );
         }
     }
 
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
index 5609f0fa2c877..5bceb5aef80cf 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
@@ -49,6 +49,9 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import static org.opensearch.common.crypto.KeyStoreType.BCFKS;
+import static org.opensearch.common.crypto.KeyStoreType.JKS;
+import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.nullValue;
 
@@ -56,20 +59,20 @@ public class StoreTrustConfigTests extends OpenSearchTestCase {
 
     private static final char[] P12_PASS = "p12-pass".toCharArray();
     private static final char[] JKS_PASS = "jks-pass".toCharArray();
+    private static final char[] BCFKS_PASS = "bcfks-pass".toCharArray();
     private static final String DEFAULT_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
 
     public void testBuildTrustConfigFromPKCS12() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca1/ca.p12");
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, P12_PASS, "PKCS12", DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, P12_PASS, PKCS_12, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertCertificateChain(trustConfig, "CN=Test CA 1");
     }
 
     public void testBuildTrustConfigFromJKS() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca-all/ca.jks");
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, JKS_PASS, "jks", DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, JKS_PASS, JKS, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertCertificateChain(trustConfig, "CN=Test CA 1", "CN=Test CA 2", "CN=Test CA 3");
     }
@@ -78,7 +81,7 @@ public void testBadKeyStoreFormatFails() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = createTempFile("ca", ".p12");
         Files.write(ks, randomByteArrayOfLength(128), StandardOpenOption.APPEND);
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], randomFrom("PKCS12", "jks"), DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], randomFrom(PKCS_12, JKS), DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertInvalidFileFormat(trustConfig, ks);
     }
@@ -86,33 +89,40 @@ public void testBadKeyStoreFormatFails() throws Exception {
     public void testMissingKeyStoreFailsWithMeaningfulMessage() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca-all/ca.p12").getParent().resolve("keystore.dne");
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], randomFrom("PKCS12", "jks"), DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], randomFrom(PKCS_12, JKS), DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertFileNotFound(trustConfig, ks);
     }
 
     public void testIncorrectPasswordFailsWithMeaningfulMessage() throws Exception {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca1/ca.p12");
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], "PKCS12", DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], PKCS_12, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertPasswordIsIncorrect(trustConfig, ks);
     }
 
-    public void testMissingTrustEntriesFailsWithMeaningfulMessage() throws Exception {
+    public void testMissingTrustEntriesFailsForJksKeystoreWithMeaningfulMessage() throws Exception {
+        final char[] password = JKS_PASS;
+        final Path ks = getDataPath("/certs/cert-all/certs.jks");
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, JKS, DEFAULT_ALGORITHM);
+        assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
+        assertNoCertificateEntries(trustConfig, ks);
+    }
+
+    public void testMissingTrustEntriesFailsForP12KeystoreWithMeaningfulMessage() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
-        final Path ks;
-        final char[] password;
-        final String type;
-        if (randomBoolean()) {
-            type = "PKCS12";
-            ks = getDataPath("/certs/cert-all/certs.p12");
-            password = P12_PASS;
-        } else {
-            type = "jks";
-            ks = getDataPath("/certs/cert-all/certs.jks");
-            password = JKS_PASS;
-        }
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, type, DEFAULT_ALGORITHM);
+        final Path ks = getDataPath("/certs/cert-all/certs.p12");
+        final char[] password = P12_PASS;
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, PKCS_12, DEFAULT_ALGORITHM);
+        assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
+        assertNoCertificateEntries(trustConfig, ks);
+    }
+
+    public void testMissingTrustEntriesFailsForBcfksKeystoreWithMeaningfulMessage() throws Exception {
+        final Path ks = getDataPath("/certs/cert-all/certs.bcfks");
+        final char[] password = BCFKS_PASS;
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, BCFKS, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertNoCertificateEntries(trustConfig, ks);
     }
@@ -124,7 +134,7 @@ public void testTrustConfigReloadsKeysStoreContents() throws Exception {
 
         final Path ks = createTempFile("ca", "p12");
 
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, P12_PASS, "PKCS12", DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, P12_PASS, PKCS_12, DEFAULT_ALGORITHM);
 
         Files.copy(ks1, ks, StandardCopyOption.REPLACE_EXISTING);
         assertCertificateChain(trustConfig, "CN=Test CA 1");
diff --git a/libs/ssl-config/src/test/resources/certs/README.md b/libs/ssl-config/src/test/resources/certs/README.md
new file mode 100644
index 0000000000000..dbbe840dd5431
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/README.md
@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+#
+# This is README describes how the certificates in this directory were created.
+# This file can also be executed as a script
+#
+
+# 1. Create first CA PEM ("ca1")
+
+opensearch-certutil ca --pem --out ca1.zip --days 9999 --ca-dn "CN=Test CA 1"
+unzip ca1.zip
+mv ca ca1
+
+# 2. Create first CA PEM ("ca2")
+
+opensearch-certutil ca --pem --out ca2.zip --days 9999 --ca-dn "CN=Test CA 2"
+unzip ca2.zip
+mv ca ca2
+
+# 3. Create first CA PEM ("ca3")
+
+opensearch-certutil ca --pem --out ca3.zip --days 9999 --ca-dn "CN=Test CA 3"
+unzip ca3.zip
+mv ca ca3
+
+# 4. Create "cert1-pkcs1" PEM
+
+opensearch-certutil cert --pem --out cert1-pkcs1.zip --name cert1 --ip 127.0.0.1 --dns localhost --days 9999 --ca-key ca1/ca.key --ca-cert ca1/ca.crt
+unzip cert1.zip
+
+# 5. Create "cert2-pkcs1" PEM (same as cert1, but with a password)
+
+opensearch-certutil cert --pem --out cert2-pkcs1.zip --name cert2 --ip 127.0.0.1 --dns localhost --days 9999 --ca-key ca1/ca.key --ca-cert ca1/ca.crt --pass "c2-pass"
+unzip cert2.zip
+
+# 6. Create "cert1" PEM
+
+```bash
+openssl genpkey -algorithm RSA -out cert1/cert1.key
+openssl req -new \
+    -key cert1/cert1.key \
+    -subj "/CN=cert1" \
+    -out cert1/cert1.csr
+openssl x509 -req \
+    -in cert1/cert1.csr \
+    -CA ca1/ca.crt \
+    -CAkey ca1/ca.key \
+    -CAcreateserial \
+    -out cert1/cert1.crt \
+    -days 3650 \
+    -sha256 \
+    -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1")
+rm cert1/cert1.csr
+```
+
+# 7. Create "cert2" PEM (same as cert1, but with a password)
+
+```bash
+openssl genpkey -algorithm RSA -out cert2/cert2.key -aes256 -pass pass:"$KEY_PW"
+openssl req -new \
+-key cert2/cert2.key \
+-subj "/CN=cert2" \
+-out cert2/cert2.csr \
+-passin pass:"$KEY_PW"
+openssl x509 -req \
+-in cert2/cert2.csr \
+-CA ca1/ca.crt \
+-CAkey ca1/ca.key \
+-CAcreateserial \
+-out cert2/cert2.crt \
+-days 3650 \
+-sha256 \
+-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") \
+-passin pass:"$KEY_PW"
+rm cert2/cert2.csr
+```
+
+# 8. Convert CAs to PKCS#12
+
+for n in 1 2 3
+do
+    keytool -importcert -file ca${n}/ca.crt -alias ca -keystore ca${n}/ca.p12 -storetype PKCS12 -storepass p12-pass -v
+    keytool -importcert -file ca${n}/ca.crt -alias ca${n} -keystore ca-all/ca.p12 -storetype PKCS12 -storepass p12-pass -v
+done
+
+# 9. Convert CAs to JKS
+
+for n in 1 2 3
+do
+    keytool -importcert -file ca${n}/ca.crt -alias ca${n} -keystore ca-all/ca.jks -storetype jks -storepass jks-pass -v
+done
+
+# 10. Convert CAs to BCFKS
+
+for n in 1 2 3
+do
+    keytool -importcert -file ca${n}/ca.crt -alias ca${n} -keystore ca-all/ca.bcfks -storetype BCFKS -storepass bcfks-pass -providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $LIB_PATH/bc-fips-2.0.0.jar -v
+done
+
+# 11. Convert Certs to PKCS#12
+
+for Cert in cert1 cert2
+do
+    openssl pkcs12 -export -out $Cert/$Cert.p12 -inkey $Cert/$Cert.key -in $Cert/$Cert.crt -name $Cert -passout pass:p12-pass
+done
+
+# 12. Import Certs into single PKCS#12 keystore
+
+for Cert in cert1 cert2
+do
+    keytool -importkeystore -noprompt \
+            -srckeystore $Cert/$Cert.p12 -srcstoretype PKCS12 -srcstorepass p12-pass  \
+            -destkeystore cert-all/certs.p12 -deststoretype PKCS12 -deststorepass p12-pass
+done
+
+# 13. Import Certs into single JKS keystore with separate key-password
+
+for Cert in cert1 cert2
+do
+    keytool -importkeystore -noprompt \
+            -srckeystore $Cert/$Cert.p12 -srcstoretype PKCS12 -srcstorepass p12-pass  \
+            -destkeystore cert-all/certs.jks -deststoretype jks -deststorepass jks-pass
+    keytool -keypasswd -keystore cert-all/certs.jks -alias $Cert -keypass p12-pass -new key-pass -storepass jks-pass
+done
+
+# 14. Import Certs into single BCFKS keystore with separate key-password
+
+for Cert in cert1 cert2
+do
+    keytool -importkeystore -noprompt \
+            -srckeystore $Cert/$Cert.p12 \
+            -srcstoretype PKCS12 \
+            -srcstorepass p12-pass \
+            -destkeystore cert-all/certs.bcfks \
+            -deststoretype BCFKS \
+            -deststorepass bcfks-pass \
+            -providername BCFIPS \
+            -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+            -providerpath $LIB_PATH/bc-fips-2.0.0.jar
+    keytool -keypasswd -noprompt \
+            -keystore cert-all/certs.bcfks \
+            -alias $Cert \
+            -keypass p12-pass \
+            -new bcfks-pass \
+            -storepass bcfks-pass \
+            -storetype BCFKS \
+            -providername BCFIPS \
+            -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+            -providerpath $LIB_PATH/bc-fips-2.0.0.jar
+done
+
+# 15. Create a mimic of the first CA ("ca1b") for testing certificates with the same name but different keys
+
+opensearch-certutil ca --pem --out ${PWD}/ca1-b.zip --days 9999 --ca-dn "CN=Test CA 1"
+unzip ca1-b.zip
+mv ca ca1-b
diff --git a/libs/ssl-config/src/test/resources/certs/README.txt b/libs/ssl-config/src/test/resources/certs/README.txt
deleted file mode 100644
index 09910e99a132e..0000000000000
--- a/libs/ssl-config/src/test/resources/certs/README.txt
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is README describes how the certificates in this directory were created.
-# This file can also be executed as a script
-#
-
-# 1. Create first CA PEM ("ca1")
-
-opensearch-certutil ca --pem --out ca1.zip --days 9999 --ca-dn "CN=Test CA 1"
-unzip ca1.zip
-mv ca ca1
-
-# 2. Create first CA PEM ("ca2")
-
-opensearch-certutil ca --pem --out ca2.zip --days 9999 --ca-dn "CN=Test CA 2"
-unzip ca2.zip
-mv ca ca2
-
-# 3. Create first CA PEM ("ca3")
-
-opensearch-certutil ca --pem --out ca3.zip --days 9999 --ca-dn "CN=Test CA 3"
-unzip ca3.zip
-mv ca ca3
-
-# 4. Create "cert1" PEM
-
-opensearch-certutil cert --pem --out cert1.zip --name cert1 --ip 127.0.0.1 --dns localhost --days 9999 --ca-key ca1/ca.key --ca-cert ca1/ca.crt
-unzip cert1.zip
-
-# 5. Create "cert2" PEM (same as cert1, but with a password)
-
-opensearch-certutil cert --pem --out cert2.zip --name cert2 --ip 127.0.0.1 --dns localhost --days 9999 --ca-key ca1/ca.key --ca-cert ca1/ca.crt --pass "c2-pass"
-unzip cert2.zip
-
-# 6. Convert CAs to PKCS#12
-
-for n in 1 2 3
-do
-    keytool -importcert -file ca${n}/ca.crt -alias ca -keystore ca${n}/ca.p12 -storetype PKCS12 -storepass p12-pass -v
-    keytool -importcert -file ca${n}/ca.crt -alias ca${n} -keystore ca-all/ca.p12 -storetype PKCS12 -storepass p12-pass -v
-done
-
-# 7. Convert CAs to JKS
-
-for n in 1 2 3
-do
-    keytool -importcert -file ca${n}/ca.crt -alias ca${n} -keystore ca-all/ca.jks -storetype jks -storepass jks-pass -v
-done
-
-# 8. Convert Certs to PKCS#12
-
-for Cert in cert1 cert2
-do
-    openssl pkcs12 -export -out $Cert/$Cert.p12 -inkey $Cert/$Cert.key -in $Cert/$Cert.crt -name $Cert -passout pass:p12-pass
-done
-
-# 9. Import Certs into single PKCS#12 keystore
-
-for Cert in cert1 cert2
-do
-    keytool -importkeystore -noprompt \
-            -srckeystore $Cert/$Cert.p12 -srcstoretype PKCS12 -srcstorepass p12-pass  \
-            -destkeystore cert-all/certs.p12 -deststoretype PKCS12 -deststorepass p12-pass
-done
-
-# 10. Import Certs into single JKS keystore with separate key-password
-
-for Cert in cert1 cert2
-do
-    keytool -importkeystore -noprompt \
-            -srckeystore $Cert/$Cert.p12 -srcstoretype PKCS12 -srcstorepass p12-pass  \
-            -destkeystore cert-all/certs.jks -deststoretype jks -deststorepass jks-pass
-    keytool -keypasswd -keystore cert-all/certs.jks -alias $Cert -keypass p12-pass -new key-pass -storepass jks-pass
-done
-
-# 11. Create a mimic of the first CA ("ca1b") for testing certificates with the same name but different keys
-
-opensearch-certutil ca --pem --out ${PWD}/ca1-b.zip --days 9999 --ca-dn "CN=Test CA 1"
-unzip ca1-b.zip
-mv ca ca1-b
-
-# 12. Convert certifcate keys to pkcs8
-
-openssl pkcs8 -topk8 -inform PEM -in cert1/cert1.key -outform PEM -out cert1/cert1-pkcs8.key -nocrypt
-openssl pkcs8 -topk8 -inform PEM -in cert2/cert2.key -outform PEM -out cert2/cert2-pkcs8.key -passin pass:"c2-pass" -passout pass:"c2-pass"
diff --git a/libs/ssl-config/src/test/resources/certs/ca-all/ca.bcfks b/libs/ssl-config/src/test/resources/certs/ca-all/ca.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..f27717d0ce67aa8d1beb0c87410c9201633c1f95
GIT binary patch
literal 2909
zcmV-j3!?Nef(uzNf(o24fs_UbDuzgg_YDCB4KRU*Fk}V^Duzgg_YDCB3@}#&K(eq?
zjmcH3l^<V*=S?+G`C(SP8~Eub4czv!Vn1WJg<6gHG!4T)fkcz+FK*?LIwQ|BSIVil
zqseO$6SSB%-~s|b00IFZFboC=Duzgg_YDFI1pqJ}1_@w>NC9O71OYEF5d;iO;wj=<
z)nG*}|8K|w0SE+w3ITPGJDz1zW|9h%)JHj^_6tQkz&Lh4#&g?u_`}s^2H7KMdVzc_
z$n~BVc?buaD4Ybjn@ORANinu}qYsd@GM9u69~=N(x-?v@K!Iz}1e@;GA_Zc1xxp1C
zH)c(HU;V;ej-RyAR*3=!@f|UMHzmskQxk^<O<5O7WK{Z+yKoez`W4%uIfnK}#Cy+`
zF=XSeY&&W~Mv%@{RPXNo5ab|*S<fXhx@eM_%%LdGCz$n)hZ#_@g;7jK<-WhX7E|Yh
zM8|9j2a+pV{F8hs;wPxLKqLolLL~y_@ynBGA(xYDDrJrOlhjfzrv8?VO^iiW^9x1B
zLS^NKw{*|<3=53-UZ&^nI!371Z?q(A-mLM%#d1^4V@eB1cA7Sz7LPE*LBBDuw)fX+
z+f~&;33lAt8c)WW3!sC5<}{knYuP~E?g~*0QK#KKq6eL?g1336Jz<t8q0yue`~aEX
z>qK3hbWt?d>N5pANnZ%Sfso#m^c5Nhu8W0BYf4XU%mgP!ypJSf_xyrb*I2_XU+0!x
z;X&@s;tBA-`7}B4bFCsQs}jhQArpt00J~|qK3VQ-y?e(hEOZ~4zs7+U0hFWs+$3#(
z&Q;&x`8XDyCuFA2HW-lE3L-7`$C*E-`PaS$jEUVVy#?~7(GxU69vmiT%$j{sgAa45
zVi>O!9=`Tf{tsJ1Ffj1rbaibDRxLHVOZVW(?JnJ;k%)LcQ+G*ia@woH2i=S&kV<f0
zjwMuPiQi|a&wHesv(;M_!d4wG%pE%T=t85oIJFp!x{rhdRG#7CT>@ZrFdLAx7(2!G
zB6F8eclS-<{BCx#^J&&gQ|Xy^%#sE`Py#^5N_JvuOx=?f{OMVKY^J(9VQ?(?5@Xn(
z?gdz`FB7Q++z89f4<)I^7HV{;Y4hYpj-M0TSW=ecfHcHcnqRk?4IH3>?<dgs8?f0W
ziI3LCHZ!Q7dD17@V=c&)vYLpR;RF)}M7;lK@ZgX_@rm$wxD$yC{8%Dyi{1X&7drdf
zVM!{Haqx%oFUO=9mhn)_ycl`POYwS%s$$uP)!cSV1?2xXLD#h5Ec{Fjpiuvfa{Pes
zU2hLV>y!S4l2hpQbCy$;+xf`sIglb+r8L3mot5p*kpGhE1Q;EF3@Hrf9>$y*mS91u
ztKmAbAiL_$*5u0K$*HN-gNV>Ieb#d&V(G{i-TH84??6qAB}==CV4QwiR1>}imzqoL
z$0eoW=*5yO^s9+vI2M*3@_Q20bNJg$CZgZ@AEF+St%YpV2LX!L-zwWI&yGta93KGu
z>nO0CUJY$-$Isk75!8hD11n47b}Hwy{Jbmu!+IUHGhJ4fw@ZxN9U+;S+z>nTuKyHq
zY+pFi=Q`wriT;Gd-F!uiwzQ|k{#obN8K9+~!1qexT2thy492PYhehfdZOs1q65I#j
zsM8&vTpV)XXNk)rSwtvOR8haygG_nUXiCg`3W-39i^YG+Jv3QXWi&wJhPDoi0@6mj
zUe)0D{cnBa**Q!Av|(p3$J*&{`V&_)3{sk>B+<gMiQgI>ea9{gzDCsRNF~x2)HC7_
z8re;JRitCKk!QsRI%Z^vrpFiXRDLUTg@%(pZOAED;sgYvD1mhnozhtw^L(WK`8?fQ
zeRth}3?$_d2A1lUFhQ>Wb1*Fi^S+Q2mbL})mXN4}J9V%#-EVg?_@MVrXQDSquFh=r
zt5IpMydbX{Adj>|yfB`H@!0h%vNm%bT)mG&lY6c-ZiZ|&YEJ;>fYE<iRpkK5_l5zR
z|M!Z%1~ovn4R^`naL#WXp4DXrD?1+&K#!D7B~jY`3Th^LMQ1SNKb0_sJ~urQ6eGQ}
z_?D*qPvB1IdY~H@AVTIJBY+j>+lsifQy>Y4l-<+%3ueM151)+76CW_2U)9Md=B$Rk
zb?JX+aLVzxvatGQd`0}@r@yh=&t!`%I$yj>c5p48?!*kmQBx}z+-V|~l06g{k(c_t
zo{E9Ye{M6Gf9VGEv0hERB7PjYJj{htVXX>S6we{3^oyc10~w!=&{aiFfi6)tH4Qb?
zWPU;n)Xzmdg+69fp(l4R7H`znV^!Gbrim79G(F-7B^!UQt#GLdV8*DKxZ;^zT3~!M
z?2oxPM5ZCO+|t)PlA1MK`Uu`&1#r%fxn4gSe|(@=p`1X?%paX$CVBL8{G(M~Ui)x%
zPAUT-qRds1EiCY11%>pg{cTo8AT$}v?4j2SgV!05HWg+w3ovFkAa4d`gob==@78Vn
zU7WN7$Q=k3ph(h(j!sz2YfT%kAxQAX=DR3Q?!JglX~OA$1wR(hcaCz=U#NLpaeU^O
z3hj>@D4>`_C{K?3nHPpp4L3J?e`<c?20_;!^u4P<pg0u*>M(TR+{P5Tb)L8s9j8~?
zh0Dgv76i9;^_=`}!5&t}MJD=-B|Le)P!ph>JC3h;vpjG@eFBllH83{0_M~B{?Qap_
zYD|Ns+(y1^e-bfZT2MJ)`>0FyuMNs$DsI+o+>ru1rZ~7W6xa_^cA%w)zeU=iLIA;i
zluC=0k02Ocb$lzi$Hk%xCB)_aye!|#2sl`5fY++TdS<`}<e&TQ3NOm%-4G74n>D5X
z9~X59dk%UyU>N<#a5{(7_JrvE#d8BE&&($;6Ph4A1U6|Qyz-ZJaugs7O}M#D^EL&K
z?orbQEr<H<pUFv8dFea?45Ti99-$G70MKYa)llhI+75kpwN<UHGnQN4bLLT-eqR{*
zNP6lXkj|TJAIp*Ry-3D*DfUf=+Ni!O<Ff^8{9BiurROMay(b86RG9CSkeAW9IpNvE
zilGYGO_X+5(4coqOxm-^UzQt}hx6iVaYJ9oIc#PPlZKaBz{WuK+sfYMbUP|ohx0^s
zqX&K#o?2=#T@apqQ|gLAyb#gkGpbBo+`}Uo3T}tpi@v_5nmwNv`S40dLp!W~ja>ex
zl}e`px1Hu5{~fjorf>nrsaw1hz|OC!26Jr>lcW?Ny&^^~zUqjZj?qQ_A^VUjh&e7E
zKP66UAXKwZfc~0bNkgio?p!s^9+Iao$z-%7E#nprOR43-s5WP<Ehhhxg5L_q^MRdK
zSX6I}#ENWoqB+w3XpB&`@23y5MQfE3z&}C;vHjc*$J(O@>w-E!iiyL0N=g&l_A`Ee
zO8TU_qD;+zqB|}^O{rQ$E=Foiwm>X>I&4nzyGQj@-@;|neY;3`NP_xoGFna*7=AV&
z`Z1}zeOBFxSz%Z)SUq$prp$lAdsh?WHdBn|!SmmNHETgHF1rf;@{*dR#KqW~W10fC
zy4bIvn#=JxvrRa|K1b%JKtQGpcf}Evyv>sEpK3?VC&`-hBH?Xa@F!(=1^p=Nt8l@-
z`;Fys@%(_@<d@bFc;&;&<JhX5f~e(%GLEz`fwnLV1_&yKNQU<f0t*EIFk}V^Duzgg
z_YDCB3@}#&KrxR#7+rCp=CwF`E6)yz6XGv!vj|~z(sTr}*iQl8llgg5a(__AS_L>o
zE5Rg;3XX#}$m^fvlKb=oW-D^OKmr0l00IF(FboC=Duzgg_YDFI1pov<H?}$@kZ$Y3
z;~P(+2YUfRu~BN!>e9GTc+ge$wCNt?J-<Q%Ev0zJiC~o=@jKN(UeZ`7y$b@eEQH-4
H!jazN33_{I

literal 0
HcmV?d00001

diff --git a/libs/ssl-config/src/test/resources/certs/cert-all/certs.bcfks b/libs/ssl-config/src/test/resources/certs/cert-all/certs.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..1eab5af506b2c643aca321c6e8c59ff7322d8c50
GIT binary patch
literal 4901
zcmZA5Rag^%!hqooHcCReK^o~&k?u)%3P_4dBcRfwLsCL&bjL<BdLoS=A>G|wBgVNn
z7yt90%kS#De}#g{S%iYg?1Z4nIQTr_Z^EyMfM6maXt<Ew|23hIF-UHETqkn`mVEV2
z8gkg&u+5^U5!^OQj#XZlxut57RkD6WsO$dPd-sgv#@PG=cLUj4!WRBZ+UZ1!V$*zY
zau#<iEI9xc@R<-H4&Hx1SWmzJAtoGrtME5Kdu$L;P>2*nSQo<gOpLSNJ<08A4GV||
z3ML((&#*&9dXV4fzd^LsJtPoWZx`$dRA~?IeZ4YzE21zSfmlAAQl=w%{X2*(*Z3+Z
z{ljtEA*g-Ls;9r4aOV6hj5Ir{KkQ<B96pbK73sqEg}&4iEvm+J0*_$n$c|i=u>aem
zI%nFUB;&pm=j1p*u!h?Au6ATkeOuF^LLyd*nzeN_8=6+u+EZRBDL18g5{xtYOm-8i
z3+g}BGJqf9!XwfBxTb*PhwY$<S3lbLK$0%`!K=aKQ~MbK?JGf@xL;;W@nfxNk_4CG
zs=*EXtg{=&=*dPl_s%{cSK56CG&e5B+`W6%2}RUZ^(sOr$9b=UoglnYu^%g)1zzT>
zkfHTMa`?QRpHlrkZkmM<U%wwEZXn5=k)BUFh}EtnBH883=gZ*>L=p?_+8VYCtcUSy
z2BtZiNzUnJRc_4q>Ez^ZxPfY4a+^MSRq+_x<DO@1qf^RibX&@A!F(lt8`g9X0+Q;t
zRr1|JWfhReWK}LRT!`=+aKT!oF$bD5R3TG-<5LZ*iDb``O>6|Ih#)z5WhcAEEP9wy
zlw~<qroXGzwaS#Ca_^!0%PKX|mxQl4VKk5Pmiw~eOQhpi9$yQ#>(r(sa<_yg?Q~s9
z&$H>9@0IXJ8g{LEJJjrX-4H+04MqYfaC{b)yX6ZADP;0lWY*VlWUC^sq|&CvnEk=1
zQ^7lb6Wz6(OwsffRoui9f>w$O{U8O^Fv^wAwLi&DD`~{KE`GsM96m>W1^9&CvFd~y
z%E#!y_rB+~kI^!&!g*10lVa4TV?W4Y#m=gBkmpVlEY2i<K<x9yR3aYu?qYPJIuk!8
z;lm;<F?#hgBn<m_iNJWjs^t=J7x}X1b9R53+Aq)G=SiZ`k$~6oq+)UI=6#nj0#)oV
zRMYPYN@z{TW^S))7lJtu4t7br+>q`7=1N5+4w7IzMDXYe#bK@TKYUINHg`@Do!gEM
z)Le{7@&?ij5ZCMO!%^K_VXZ8uwxeRoPdt6osrJNbD*G$lQSBME5+i`tSLR20k&D>=
z;#~hK592+b<vmcj@`w#xT(@sq)PxRPj4u$dD9!99=5K5Dg45Kq>-U*;$l{2!C9J9F
zH`pIo)Ke4zyg*!cn%3pkIaNjrK;|p8KAI&h%nKyxgmm5CZ+al&yXi|!V<t*2PNZ>$
z!Z+!_zM|4W|MM^zAbih%_Sb!#F9-d5Nfx-vLGq9bus?*UJHE0vU%9jdmFhFyUaa9l
z$34+d8?+-ee7Paxpjmsj_@{ShJUYHm*L{`$WvQun9IbC4jODI!;m#VESn#K{PLgh|
zYpvJxNhA-IqZX1hC{+m|VCE`)KPCzmA@i0br%Km~GjX6UMLdVS)W_;jk`2BU)w%5f
zJE@@Tk`}()OJpFC2*K2EMXp~V@O_l4|Em(!RZ;?_YB==wCs-#Whgng>)S>TN;}rg*
z%P8W}tGKt8D6YnP5P)O@5<!`alT0@3dM>K12ky^D!?*SpUe3EqrsBf*JJImYc_LEy
ztPI;PRI)==4od*@3&2(5KH-Vy0c?4!py*M_x|ek?BsB&a{;LN~yR{=%kupWym*;G1
zruSI?UM)d@_kvSwk%L*}aCOW=`w^K{H_ER+Df98o-J4?=N2bSQEuSvSmaDz9bazaw
z%(<iiCIL0&4>3V99Xvx`4CHGp>h3yk^1YG_&`*gB*9mDxV~mQa40GB@xqFjreX<<8
z^5t^r%zln4zG>&2!D42hV%O_<=Xw%C#-`nFouftIVjx?@CEjoyQ31C9F__J|EZ+Mq
zqF-3hB019O6gRynN$K}nz5Bn1Qz@7jJHz6<o_!k)VU6C*A1i1s9Oqzjg^<J=gXY`W
zNKG};(2aNP-RV-tGlhQ`u0KsfiV_c~b4CG!VZ0+e27V+f+EJPJ)cMKZaD3S&OUKq(
z!hUInC#LY}mSQ$)9jz4=c;JUj>~jYdtp`s3?gZFqI>!b1i)>3G7@gkEad#3%#7Vb~
zS~aAQN`#2^pp{@fBw((^#nY5!rBr51Cgu)+$_7T$ik{J_P}BwBJ&ks|X6&aAos*_x
z3HNd<ziS(Ne^?r>D<)E6?O6uo{4Me%d3`AW80NqaKNm#FzB#s#hiycc-jRMLY4H@!
zB^nj49o6y(>3DA`E(fy5CM{DGJZrmKSzdk2@BC0yd~a;1WQzZn?h&WUI@X4QlE3(b
z+w<&MtM5|Sd1>D!VM7bA3!nPkynw;=`rq%v<5?1}L$5>HZ}7qMdh@yS3=fbNtYH(*
zZlw82D8TwqSakGvaWB7o#X%ksIoGBRk({;;au2*T2kv+%-z&y?Gt#iM8UZ^Q-J;&R
z;Anag2rR?wAk}6H!@Mn<D2kM#n%{|vam`bn!q}pKXz=Y#0(T58<gPbDG@Sj@wim0y
zEL%DAvSCA1I4X-(qvcT6w^Q%{YlzX3xMsv9b+cy4F)Kz$nvkzOZcA~zLCGzb!x=)N
zKF^0?ZNFpm^x$Qcc)P$Mbk)l_B3EPb{xfA*r>gn&Q8Y(uu5K6miHgnon9n0sS$5}n
zuwB`nolRPQTnxFc;T*3A=DQXx(a#~`^-P#qZ`(`r`;P;TJ2fIn)Yh>4{wmAn`*_2I
zcXo<iB`g|m;Ak3jOCAYQ>_YDWqS{Noyf&OC@ZqucNFwIdP1>xJ)QR}Br#^i8D!S!b
zkR1Da1Jf}ltFJtDiqMj^PnCNZu8Su!gf`0eBV4E58mR@0@`JJZ`9sA|AzZpIn25g|
z26plCP5VX(#!2E8{NT+Z%Bk-|_h(*l6|D3jClvSxJEzh@kPBt3!8T~SnXhfn6NL3l
zm}U-ZVHIQrK{5f`CJci*FHd;~zMxi^lvQXd;AFf3?&Jg7A3L12y%>SJN6AxE9j4$>
zXF;@;v<iR3mTV&q0ZNm$rLE_zd(QZoV7Mo*#;}Vk&pXBq5`>^tZQdrID|><<>O!lW
z;^k^7r_o4EY)BFzmhIEF{IczIrwdwlB$E{$B0-T!Pe)&cksSPrx+23mJLl%Dw$lr;
zofQtw<$V3iZ@WdGEFy7~yB{q|I&F>RahGMM=84A(S;sqz^`6aw5yU|&1%JEPwuWUn
zLt{Ou>E8tlC6&tkmIJ|uF{3Bi4Kb<RpMy8)iLhKt5zOXk?pRc5Tu)IcHrR0Jd>mdh
zV8-WN)5ppS{LMfFLMYXgSHWP`-<>(7J#{TjuMznNRQ9tRWs(a>-=Tn0XBI%7pwG2O
zhJ`!CQPgV1G_ztV{k1^+?D*TTA=<$E2==(0qtoB{dqpUvj=k`<IqE*sl(7VULqYsK
zdlic>py-*qqc#A($lS(dv?JkTW&BXkBTT6jz+5vvk@4FaFR$>Qz>;MSWd?k8;`KU#
z@`%6>n_7^%gU3eR#^5BjJd+Q(Lz$mPZYQMZ9D`zd&jwS@ESnUCFv1#9A!|=*|9KS7
zmfY^XOaEq=^-sz1*%QvEh5(TRMN8O7rK;n-f#RLOt+PRfDJ3*m9sJ8BRLOZm7Sz<A
zHsUpk<uNuVrF{4Lsivj04sue(XC>V#p8u_ocXnUb`>U^?Mc%#Us5s<&oYb0i=sBzp
zRO^$Vi}fKw=&)_J`l>P>NWhW6fY9*j?cPy~mR;)iB~+bqwpS*E!z;^*WZ=W`&WD!C
zewj2<VAnR=lxG#taJW{8>sM%}$CyX(7v#?KtlW-ju_BPxLFvb%hz46~Ri>@I0!bol
zwfc++&A8L(=QQ^Q=F}m?6a6+}I;o&&`k<SW%S32S>ay%e-&B|w{#_7(qt(sl6yvQ6
zb_1GXs%54<UnQB5MY@z@o3*-q@mB%tek*rD2`Bb`U!Y+DyXk%zwX<u$o{AMMy7#=z
z6V+djGkk#7=)cuzwlkdzt&G#e3~+P)x$}XiVKRbVn`0;PkAo2!sr?^o?6!^%VqaKd
zz7knQ=U3RhwdC^L(f6R{lfO~K??{!`)h+A-#lX&zsgUd7Q5M$E3&}<w6KRLdq}<dZ
zqJ^~<@9>gvl6f3+si;=3x}8T@nx<@L%UrsPndS>@BYwX3j0+#7NWEA#ap*?Uk3kik
zzE>*)s{rf^R}<<9skg-vHhKaN44udB6w6i4L4Sreih1R!Da-9TRayG<v*D^50#vF5
z+6IBR%~ZsYS8h!MpMM#Bqzk|kvYEOM`$4$#`Fx!f6G0H{=2#&Nt+ub1H%M*>T%L-`
zPrnDuv{yZ?KMtB5^mYvj9_+}m0y(J+*jLo^Z!3JqCdFS38#T*RNf7;A3b~clNCzBV
zd`fu0vOTBjjp!&iIW%?_3BN)gO3{2CXE|*fYDWe<2oH+AZTmhQ7Cf<85Wn*rWSo#m
zt>c6`;F01+kxK?<DxKE(?s+YaCui&K23qe8c;jVRMob;x+%Y%zwx2nSy(_-<!p@Y9
z=?SCaK{5?jVBA_?=ceG}jx}Ut9tpO6Y>!WC+T5$-=zTIL&`^!?wls=YDFVEm;hfTP
zFLAYV)L9iy0g)^rtIKywVblrNv=nEBJ1NBI=%96bI{i)++Q3BfCdMc9hb_LkkV|;%
zE|xhfGpj9B!VY0jZNFf%+lE|5ed_v_AjEW+u>E7TB{aKoZsF(gP^}DNyNjAG_VVca
z8zXXhq*8w)_#t#aS8=Nz7^=sv-7oG2`}YhLyV&^`1;uWp6c8iG5`Gxx=<$BOmdxy<
z6>2GV8^|i<D9j)6oUV-9y9bf<cdG8jWU9MZvT1bYu<ejjDz9L|HmcW?A}?A0k}aS<
zz)64zKe?yT`&YB)!b2gJaiQ?3Xl46A@9S&T@l5P~^|LJuEK^7o4ZxJLEx8kf)OtK^
zeky_|3}fJAH?*>eJr7BgbiF2|7cw$^7B|1qL77Fdc~P~<&%RG$=B0v}UT2<BbU0C7
zc0fL-T=^t>=c4uQ!&jdfAEOd111ae`$vGqXb{o{%9c$~sUMgPhgb$nWQJ5E>o`Z$o
z^jQLV1FRuiAqg+*l`F2Z#Yd^7wC5kE-*P%0CP5H(FEIF}v!?M8HD>Y}Q`+<6zx1aG
z*_sRGN=`^_g{yz60C3T3^+!-W2I$!uWgU*Odgu$r9fe&u?UMarzMHa_#jPp(4XKO-
zL%BN4`QbUnA<DG_LqN`EP)S2W1w_0KTf8FM4!^WG+OmSe{oLuEXzF;ZWZ>9|#`yna
z!-G(nWc^%N_GdF&SeCV!ZYfN4d8w#p*@ozQVWh;5P8Q!$m((vy(-!AA%wN#Sl^DMY
z3aN?d&rsjHG@e@20$hRL%OI=ea``!Dm{}Zjd};9XvH$8aF+alJrg+2d@VXP8H@wsw
zy;LovX~O<|34sn6u7qaBRJ{=VE_`8h6kzFavTlk0jr$alek>Vebk62a1|s4X&$`rQ
zZ>e3_+1gP!jq$~Dj2frV%^g6GB$aP=tbmqN5Y0ixakjJ^*@xFO;E)TFQu?ALxUxgu
zx7Q%`!Y_Hmt6uj%W%UC1(<q4bsZ;<BVLv*oWChP!dr$JBocEu8IT#X{wWHbqY=%9m
z#7SisRlx>Gw;5)Ny)%D;kKK-EuH+4v?biMBVn3C9?SQJrkD71^_~a@4YM8sRUllOj
z!Q=Lr`CUXIcXgoGTfr+zHwr4pT~VZ3A*0ajCuF@-nAMIZW3SR9Yc)3^5$fqG>Gg-I
zQ;@omj!q{sjkwS}q(tG!jxcKosKdigjaPtX3!J9T$tr_0niZOAOvmxiV9dp|+G1*o
zbjAdAEzV^1ck$q{km?+Bo|%*#^C`y|bn`Gj;?hxgdtaeU)>qo-AWwaSYT6US?kZ;l
zH6}ZCg>O(D9o#xc^qj%a;?(!$Uo8gjpAhxPQZBrQsQU9lj2joDLmIc(J5mf=<3txp
z?TM|oZbk*1KfH2m$9dAGu+7mUO$U$#ZHwHfr6(#<r>bdx5P2aJiQ;k&^e+xvk7Dwi
zvRFv|<<YX0=!8|NCw64^z{5};&Egupjsf12mJq(&E>m}fqgUE7syNK^xDVnx=G=PS
zV=pJBoQzu|YrEeG8mD|Dsh3jB_H_cGW`&@Q|D!+uYfOub`w|E2w`2I>k}$l|1o?VI
zmxW?TQ`pP_XWZn+$g4;wCO`Pxzn^>q?*lxo4ywso&OOdYbKR|Fb|1$G&;PG6$^HKe
zNY2`C7%E4tGVa#;kJZ?1OBMg-+gF6LTVA{O;HKOqvG|M2VCZY__1GOt9wpq$sAMar
TnX~Eyn=bsqtlq$;INbjLB$s?i

literal 0
HcmV?d00001

diff --git a/libs/ssl-config/src/test/resources/certs/cert-all/certs.p12 b/libs/ssl-config/src/test/resources/certs/cert-all/certs.p12
index b971a1e39c83baeea8e4fab3cf6b76804047ee48..73912976ca7cc61d310d02f1f8805d35ea75f612 100644
GIT binary patch
literal 4895
zcmbW3WmFW5mxp2Kl5WYNq#R%<k?xf4l%cz1Xc%EgiJ^s|QyL^CrKALgkdhRT?h?>-
z&+fkevtM@i?5BI~^E>x`y5~6;1S6*hpkshwWV6_K+;A264G}sHdI5}V5EDk$_ZN48
zU<9)NEg}%agc0!n#oQnmRth%3e@+qNqXP<HSTcX%OOX9P6Ietb6Oh=yT0#&HCWUP!
zdbLH??rrjRMQCf5Us)|p_FDjelLUay3?jtF{f~_RJS;R212&#DTm{_@0~4JalVs59
zOUL->49>IJx9~XGZhuS|<`ngy?V1`<bJbpqA}Z=bPUr0a`+e#q6QD-l2Ce-*&u1pJ
zi;C2C!=EP%klbBnBED3ZqV~MJlIbMczIY2_C~I-<zZx;gm!66a_ad9{k-bPs_=1e}
zdEbQ9y@?Tzb=#WUh-njrh<l9O8A#m5Xx`l^gAM_w(7RJOOaF+zrhAIRi_~aKWw$bg
zMR7mpiz|mh?N~Hg6#7@6xTsdL-$XIUX$LM+5}J)fs#Wa1)@j(;z>SYn`F_>sZLIEB
z62SqlOjq!GYG#jdSaXZD0FM?e<mZWG1Ja0#g$3`t&$%bjg_zPQ>Qz<tR6gSway4lv
zKBQh_r|K{-sL(7H63D@S*E1J}x>>DgIf4xH54b{pNX2u7dudW(<JW9Lm!q<tzZ=4c
zfp&06)r9aeC)=?aEF)714__uUzskWE@35dV7m!VFFi&`TlaZ55QjvDXkJVnjRq;hj
zC+-L+#A#vI>Y=WG9^hz3%QM9#GC}f|kavMIhHq5+cWb19HowMddyAl<Kq4F4EPpS3
zf15Pvpu2=%hgu&O>$;BUtf&f>N@lKCZn>2HLwQ$V6npQ$0}(*;JUg~=bQA4PvNdLD
zfm|5qwRdOntvv~sqYdK9_Gd8OA^_~`SicplMfjOl&2q!Fdg{&msm<i~W#cd8v}#!{
z-RlA6eB7B_1b$tX3bzL($fJYtQS->@mX`V^Y3Kof-wJa;f^FM9wuYJ1Ms1o?K0=l0
z#unEY9glTqU5oYS&exA(5`@jLc<x9V-yv1$+3E&#?}8#U$}@JQ<{xG&9-Y#!w(eiP
zq+>_wLK<x<;MaowX7G@RczCQmw3o%s<KCMUXIo|_59U@7c(bB7-TF92`4g_ehZ$|-
z?(=NxBZi0SN6HAqczx4w(^OX9qZ##SNZ|oRm%+kmf%7i%Eu%#YRe1()T*Vvp_J;R$
zTA-AACDiwIYxThj=6Ur&L;34BRHN~Eb7_W{O;jy%U(wk*%oK~(5vCLcVYL0rL0xSz
zNqHbEW5?IL=J=;yvGs{I;c!w<A#P0Y@JLuX$ZJOZyA|F?&gktY{%$J%d4}&u+-TZt
z%ooLJ@i$c7=62A%46x}|4H_pec3;$w1TBOIK&M_*e#D)zX8KNoD4cLDX+@oRw}xJ+
zi90G`eSNf*W~!gJH`y^9Kwsn$^?r<AJN%3et28xX+=a-b(^=s**`LNe)#ghGS>9`o
z)`R*oU+`;or1rR(q;1KUUYIDJ3oeoJ{J2ugg4a5tk%hK0lh8h;C1bSMH}zu5Pfe<`
zk%hhJYrS&`tfR`__I)RH*TiRH$aDH(hwDNSJPt%WpKkO{FNa1Eh9kx8*Ki;?M0SjH
z*dkPZ$|1wF%Fdb?mvZgfAD2Wf2RLM6jT}I&Dx1c*x}>xfr^81a{Ba0KFRa?$?UMa4
z;*V)c_PgHQJW?`6Rm~`e19uZ{Klba8=Mye5*H~uLV3D7}SBRBMRkcD(G2$&-(!z~I
zieKxF$ReXsB-ifMpV#<&L%LRZq9eO9QiZ$Y5<KUQ$&<ci864W~`CnnPWoD{2^ADFN
zax^~JTm`t!sO9VwjmBc^`U_;14ngUTRxbtjXn|)7p)K7*EDKb`;;BDo)z)vhOz;Nd
ze!hSdi1r^{;!y|?GUB7zqS>K&qxqr<fLQ(&Q3_CClIc6S*)a=<3WCK%gvG!jAW_l(
zx0Ja|$2@11y$K8647gNE$c@22_m}-&q%1ZUXOpOu<d!=wNgh<(Tl()(Hg0FBm~#`;
z5gPXWdo$&oR3g0{6)WYvRyWyS7+|N5PcK7aw2!@*XcP|1NOo1VebYVSo#qC?we*i!
zm?$rg-?O#-TD8)QRi8&mS$@<wonGuGZh~J3bYukPXY+rr=R2vx!<BCxT6Xvta`BPM
zTCXcje+a)Gf)i(bPRUy7`3~)lc@M7I`o1nz-s>C@HrXA-Lm?++fRJa(eXVdxz}m^#
z^D6Bs`U7S0BK%&a*`kU&bHX6s>E0Hfj8Pr0E;WDHyKm(CI^|e9YYaZbybdktS=Pl;
zg-f{h;tWbQ{Lh+6%Ns=AY%T>Y=tI&|TA3X22Uq?{Gg1wXgp5KZoXbpG=gE69kWMvB
zx2f>^c~gmySb1bGN~}Z>hl3A}9V=Yh>efbWG-wnFbny(#he|GA)3je~uZ07fx;KfY
zJR!{^W?PQiwugl#Ku;U*VfZnZ<KopDS<tFcC{Z9!ADqDL^~n~Oa%&JH^OJHJTxLEf
z%~C;_pBW<!zkyv>_8dxvVZ2~A`he+HNyrj|Azg}6Ft+cdv~IClsIKAuCSps>S5K8F
zKTcAXOEc=|GRhJr^9WNYUE{C#r7xUO(LS8Yugz1$j9{9PG-*-uKH;Ce0PWDcYc^Z9
zOre{9?7t=|_T|7?=rF>u<sQM<`C{<Jh1~`3bO~pz@!njVdapxxPA5DqGsbdgq0DXO
z&{9A%s6V~@4(Yc#|HQ8hjxi({uC`NN|J!PCbEjkcC~i3#uIf1~TAaGO1wOlP!_<H8
z*Nbr8<Ezj?^EC6*5_&zE5qTKV8JYScVG1o|wG3>`*s;h39Hp(yNlsdwkIv;&&<nka
z_gebUuHe9Ge?IWI&;7&dBqMQ2{D2@^6IW76=7D_s@wgrXAu%E*t(cy+D<=rleZ4^2
zdtR2y*QO+KD#7yDYl5sCmhomv2{_zLpbk?2BxD%Q9STEExPZ$U9%Xf-L=RwQ*x{DT
z12JCYbe|W4Pj!-QX7SdKXK&i8U3X%l#@IMV3P0FzE%I{nb!jezh@i6L`St<44vUe7
z1deyzdY^h=*il)N0$44zE0nSyz-oSzF<onUV?R+BeCf@epFHmS*WZ#fkYjNY7cuMo
zqT2kmnv8||W1%j)_;ci<ZAd7$QNZVB*{F2+SyQ@WLzVol1oh_6EBS9!z_hESkMv<G
zLGK3lmAIof_|u7M^7kBQ{f(;>7^h9!`@h{8G=$$n;}58KG7=3Lf7xYA*5kqtqo3Gc
z$xm`^;yh;MNzb@wJ5~R(*3wZ%8i2>^8uA5Q*WEH6Z_@l0+(__@?<okFjMXxe@C~Qu
zYsgD#j?E{qB)o22amc|9a&E%|`@ycX6DupvtWRis#OQN8*ct31$kNV(=?ZJ+Jk9p3
zrHkXFSO+9@FZP}nP&TPgf1Q<m0bLNh;@UXV&=y1l^Yh;@1M>lW)nyYFWn%scA3^n3
zt4)R#Dunn)f=?oK>djcil004nf_H8|={G=&VfhFlzYQzHGmULZ`W!}{*^7Ap!6$lj
zNYA16M^OqTOJpH~8}8w$qrD?VP!jb%<<BX0bie1cYo73S#)<0u#vHxgHTD;W?orK<
z&V0?6BTs!KzjjumiO6-HFtokj0;MqInp@cYk5U%=-=r)g1_r@!eE%^w4t4<y$L=q(
z0idJ(EvElU&_U0z@&D_gM#l!xV^Y+d&KUY&<%n=a21;XugX=4myzBrNX#LvZFdSyR
zm5C5NeEsP8I{-Ja7F%2e#Xv!E=0**RU=|=$e^c2Zx=$`r<)WsF_Cij>!ucxtxTrfs
zLF{pJxk9-T$d_4KaJXt5<vh=}->+7hIG|V87dj#m>I0`Jc}}RSkJ4<g^Y5um3PRLc
zC5jzdMPn3S11V@wb^dLdtu2w|MPVm$bmP93Mu%5YKmjN_Wg7<<8=%CK_Te^R3cwWe
z`a^T`&n(Dr=e0Ot$*uSdBFLGJ@G9I#O9`52TCWl>wD0W{Z33rNhp7s&o{Q}?q<!sN
zPm$3MA^X$iE)8MzR*AW_UfS|K<|Mhv29UHiqAkyvae|ljkWQfn=jAO2vh?wAZsDH5
z1h2<@n&y6h{qENAtxDE2B8Fp)R=-OLrPDZx9C|gpm*=VK`8<Vdl)?l<gjDjSPNu;l
zNI%hQ>aggwz>0Y=UqE7yi#LI4UX?J`_x@<8+fOkhUSt<&|M>hfB^`>#efJ^vR^x>J
zWyJ34nX@{ltyzI|`a>+FJ@^Y*>b>2xY5DZqc5G*Lt@fACM;xC_#>Ob0J}<Hj#KRSB
zW|}uFOU|JYMasU(FfAdPX>e;TwpnTm=&#A_Umbx~v91yc)X}9z=W&A7WQyzN1KJvY
z^S{?9+f=^EGwM)zJ41RwOz~iR)pbBH2J)HcGi0iw0EgY}zuk4Sadf8t{Pyw7)LuZ}
z4vwa!<4}jhFV&ZUaq75yf=fgm653_`QXRz(a<b|P=?EFkV471o)L#L8m}zu+Js(v}
zi+^;OwMcdq$0v5k4gmq&+>=8h)=D%ksZh&*mYanN3FiY7is30G9H>&%^kiOmzV|E(
z^g~(9X{Ctw%;|zV#=<A-{G<B|cSQ+)hhb;~62V?<7`;z5<L-evMmSHrYEn^A*$0cD
zibz_;tHfQj#~PGJ!{1Mh11QhyzJV7QfhXe18-5L?K}Y2pxS?F&U&tP2gevZl+^Fg0
zwyW`;-vhdXLt-W-zHNEY6hF$rEw!dhyCN|gu;L`AS9=@xJ`CBNrfG#}P~G@~>u&Oc
ze~g%7<@QmBdN{L|KctD@QAj~tI{!~vHJH1{oNWo^#4H;?gl)|+QI`o5%I!?^C?K&S
zhMzhExu_Qob*+&|+xbjNK9RH4bvYwuhr}_c2G-l2<Zq^T%z!hn$Y`U`F}Ey?uMN?!
zMwynziq7|d85SI(XrA)~&PI7hU-Nk9ry-dy-^<>4=g%e8*{AGr9<EilnTCS+318z_
z;*d{|OOq*sSlGTA`rj|Vy8mK>&Iz0Z^leJ+N^P1)e}f8HEn6-^q8rA!vmkg716noa
zdWO__j-hh}gSO+ux8<%oO!+pg%G4U#X?vUxChqg~$`I|(ZntZCx`m-^M}eBM>A7e@
z;sKbSlKf8?4GMJ~x(BEC5Odw5Y6|pT=!Mg~?iZVblNDbDg8#UD<Kzq;0%^cLg>%<_
zTAm8d^qA-Hou*95H6M8KapP4)P<Zwg0k!Q$M=Y^&0QRe{qKMBP#~9)cp4PK<S`ynK
z1t~>x4hO5&m4)-ZW78C1x~Dg><MfgvBy5F5Rgl(}bLc$F(TnX?T2jlJuknX##YUvB
zfhM9R?!oP%BdiyMc(~a_8H|KgtCP4tuyK??x@E9$)^&F?)n=!^&oWkyP6z6ACEK{|
zP<?YYVwjR?!Z(+-Y#@?QfvS*<wLxDs?GZAR_8XR~!$4`5030$R3eV|Xk61u9a3%wZ
z*|}R#<vF(91|rVcZd6I6=@=HZSt{9NmSlKFBqWVnvwRMyT@z9rV7?z|V<T!(?Zrc;
zxMuf^GVCGQ-#?FDwt*OXyL1TcTjvt}8RBuMJnOm{yN+xuV4!+u9qCK>p?*NafMaBX
z1!RlT7v0tF^RDDF<Y}QWHWt{c`5HnTAAg;g)6DA|37j#dCgo&kAp>o5pPcea3L!vj
zs@y+HJ+V4gQ-DF~8cC*?7xqya$uBx_D>^5|gFiFg3V*(UZrUN1-D1dQJV=K=&-#q#
zrb8@$hDF3sP?vWS$=ABHniu)bkgFa#xt{IfMrzj);{S?5OJ3)6{GK_+LG7!hwTP{)
zei-Vfqqo{9w_>!f<DXJ9VC^))aG;<0s>v7V%qjGa9G9nQ4uP-z++)6&E=Kp#`GT8r
zd_b*cMOVUxHo7(Ise{B&Bk`l3gz(nySf4cLZ2YgjgZ=9YPWi}%+x~IQaAFL_a?%vy
z&O~B`tgVS&>IACK>%satLjaKVz)Kfv%1tKR@hx^<1ikZ!VzFFN@@l9|@W*=FvR>&^
ze@JAZ#_tbSH$KHO8-c63J}4PW^rYsFhaL(mJ}bCX^%;Hws0)jFId%}W=#59tOJxyd
z)l_RQ!}{29aAuM8NnZV!>GjX=9wh>Nn8W_65=mlm0bqWySDqWNZ0~{CGT^oz^%)2x
z1!4i=VPo+;!2r-<p<z-~L9cI?zwo|t8RxhMM!g@RB4l32q#zOD3`)tWO=XIjH-cQQ
Pz9X(_$_HSe!wdcmeWC%(

delta 4649
zcmb7^RZtWRxQ1!ir9(OdB&1xrq+^K%q(nfFl?G{v1(t>Vk#3|rT_l91k(3bW64;;a
zR(e6|IHzXL<(co|oq67Qzssk9H;o4YLeeDT;o|=d9U_20gjNKW9G4ik5J@9XfTWTB
zi^V}mVDtZ}fG7eau=Fo31R)6_M5O<{A_L;$6(R|4Ku7{C=qVBKfAHVuECh4{pAT9d
z+HY+ukCdi|lYeY=lN^fR;o~5BUl1S(1~IU@opAU{CswZbJcqN!uwA6_^<)(p9RtCY
zYg~~?Ev1^i(ttc%bu2J?YeH3utxZIHv|{_zWAd#^Iyy#ghDh4?YiW;)W^1sUz*85^
z$Oyq)pnnQy*O9{Hz>cY5lsAuQ3iBt2&D3>|-f2N}O$PX`FyEZPbP6FR;YkE5>Z#1_
zci>x%jKTS(!NsT6TC-XV44gTASvZ$YK@l$dLArTWY(=2)cqvhK{!fg`)yl%F7F$h=
zA^!E%0aMB%<_+>@70#H`ti4}#Hl|wPmyzq950YY|<!xtR8(_Pz{<{`k{TSSRw!p{=
zS95OTu6ZKMSZthIH7mkGm~v?3Y6lS18<>z>CXfIrbGHzwmESt@b<Pzj38Pq?<CaWF
zq_Iq|<9gPFLbU8SZGR#SLKYHwuqD8nmOIj_(w>lh``o2v2H|mXc!|^CNe9fp`o%(Z
zbl>ac_;Ry16mMqgY8ezoe`0EOJDmNIx&WC_b)Zeh>Ghx|)kEy-c%{X6zg+3aLK=p2
zeHqjnQ!iK;#CZC1j>N=k0H;LCFU<8jm0<jN2X#zFm#o{iAm&`0t@eLEZ82{vDVHyQ
zN&RxKPEsG$LZhkwDsj7iXVZ39i`u2hspT7?*L_sZhiBwWpq=B9Isi9Z=BuG3^)cs}
za(PT}h07?YzYd{OcXwaUv$7NDT(iMBbpsFZz)(5&999wUJ~#dtE_cr}^UKK$rEmR0
zsyEN|Q)Kw2&&{4A`0?3wj%DF^GcQFl4#J^DO#z%bXV-pJ)L{3iPhQ7L=vV|wr+-6D
zGtbzk?lx4wo4u~F{DtQ{3U=V3tjAhW`mFXbw_G--RTn}RGPLIPLcekf=RSLyRsWMV
z@jKeJJA88Q>OT8_^4KeXujP*K=uCXe!r7zLfCO1IHu}O<iM%b2H?TVm6MzQKeN#8G
zrCQmybw?&eOcbtp4cVntX}bKbiWSt!d*qxty|4W;Gw_4n(rXyi9$2Q$@K9}^sYTZ~
zY+b$wF;5^Cexw$fBuDei#98$Z|7P<b=Cof)*2(7m(fa7$zS*iErlc8a+CgLPCii+{
z!k<Ma1y))$nZXifTDg0jV+uF%2QWc)wF}%+78xcCJ0y&<Fk{iQUnC@#C%L*eC0|-@
zZAriHp4ytMVtV^!OXKz87^~bq#sS76Y9;=;D@YMxm3pC1yo=uxGz9rHGR#0rPbf`D
z-aen1+V3wM=mHBbPp4(zGKl#wO8bF&>__9dPkH##IIwr({iLY+#2vF^i7HQY;T0e~
z25NU6e*u2S8$hP%!R*k?`O&#l?71S52owmb2_qEVSCnh~ARP*yHgcp;E4%FZZT1fx
zG{XU5|7KLYrrZZQm*RNx484tyJwE(orW<}?h}X9XE?yW_RPrKM3M+^54KnRGB>d#+
z_vlU1bhw5ecbCV|XxD)Th~1vTBtntwggGX)IW8D}t6lGM{1265rihh`7{E{`ZUm8@
z0Zd9G^_}SR{7-u+;D^1P{S|0e-~gCv<B1vR0Fy0v^2DY)>DT7ejB#p%I57aqtu9x_
z&mkvw3DSf6<oY<b4ozDcAIDr~6I!;vghg_^m}fb4bNM2NwNviSV?uQfTYM^V-Bm2k
zVbn1HOeI?Uh$%INPy!(-Atfmz1_Fuxz5j<QPo&7?n5{|@?O1JvjXV3%Z{eIQe^vQk
zrUZokMlBPRJRy#I%xit><e5T5ukFXNEkl3352b-eG^`-!OfRTOuGpr`5NF>rb<q_#
z-2h?UhKH(nKbiPgGmD#YkjG*~Ai0LYv~YfPYRvHF5<g+_3e3{G+C9vEqb*9)-i$uL
z{Vl(NpU9(tV?%8%!}|{Jm@}b1^1hbnf86sj-~Eyt00}sumzn1lp>}xZoFxm5JXf)6
zmp{H*VvTkSDUNVP4*2L<5y|ga*ndtU$y-^zseEr7QD6MAE{Vum4+>{*;@!W-*WGjW
zx>$~h(rR98X1zqw|GMucK1?@`Z9yAorFG4vSD;7UxAIf~a;BeWQue%(=f<ho50~h{
zyex#5bw7-6`F)M+!Dbss<Q2zTVYN$0jXrkF_xcLCO^h+_EZ@b=BMM~-anoHQlxx@Z
zC{4I?*eyFkn1$Jarjl2Q>pb{h8ue&K!|n5&N`)V~_HSpZz?q+Uw=M}?btmMLfPzg=
zqVkXMo%*Q@d*ae>BdF9p&ANmZ7y|rv*GRsESc^_(J(lHT((T0imM={cGW43j7Bl0Y
z-8wd|JwA6A9MTKVM%+9Su({p0;th({bb=QsNM%qGdCoG;!G`Y;!2yjD=dTWPy|GXE
zvLfPKt$CYjS!c&c0y2zksRr6zI?s}Rax3kx<-09c)4_DLqd60~m+5vA4X2a`U~xWm
zEgn2deIK(H8?*`Q7W-U|dG317&opxk$CT4QuVBYY@L1Q65gg?gWH&b#shs!Ir4)PL
zS@tg9zP3pkdgLROdC@Tw&-EkZHJ`OCfD+`G2{`yxr(US3w?U#hBL)9HAws#`9$FZs
z-?M=#sz5BZb!)r{j484iDnqpS)-j||ZT0|$Zyicp)0J7m<$MzORf>eOm494mS8VLm
z!-ozIUTMv=BH&iL>eX1gSQP++ctK=h=$in`goMPSx@n=g>&~PZRUgwW0s=#~y75PQ
zCxZB31P(NCGK7)IHM1wZ5Xy1xf9@t|^=2l!yv2CV?qB6&*)~4Uyzh}GN{m_sGqGsm
z{9XJst;x>!{Nc-05_O(wV~?C+yV%R`CbudwSG*(g2o4xAuXf2KRpN0{@V1APIU}ZZ
z&jU)TU0m&l5Q^H|&*;{kG6ad?gGsun-p~(jexHa`sp<R{<d5oXnv3HAuW$?ay>Y7z
zT9va#h|XxQz-+>O;11%flZl}D%H7p&|C{b+RY?WN(KPkf&9XYw3T|k^$7i!rc>qj<
zNFoZ6l522`|L?{#HiGAFnHH21Eoau=WyOBx)8BS~FS0PU*#cevobTWq+2Q+VEsbBc
z)Jf*1_6nJ)v~yXuU6?`&+IAX*HvK=fl4zVT=wBjT>sc1<LRU7A4OALA?$@<<9GWY#
z_ud_#2=$u>=vIkznyrt{iLO11cz?#Lmxc2nEEpzvuUSYUcO{*Ge^_JLa|8#4Uc5l~
zmukuO@3ESQDlDTKr+#9J*)mP4j3idPZ6R{6;j+#E=B`>9en+&y)tNX)P72AMOe|QD
z`+ds&$Lwo`y|$Him|4b(35YmYX%ULu5Fw6LiR@dg9C=|~xrD@x8+p9#;$&deMe~AJ
z9KIZzW!^L?e{&bJU@kt>JCW~X&xlk0fM9`YWqR5zG?SF)m#6ZPN|61pDkY`FQyod=
z5ig3Aj2qvx!R7?ytujqHX%pPPF#M+kLy^Rf)1-%wpU*+wr5L@e?1Kfz_L%=h5706<
za4am~=`txRzR#QYekVy(*peO9ib<uc<oub*sGx81BS|Asx~IS6+V_%=p3Eqc?uLtc
zN7<d1<&?p33=>_nqh(<$CHAnyLIp)MYvtOi1ssa|XE&4kFSila_M``(xW}klueD)9
zz_n4;qf)`f*0|R-kJxzU&g{xSCc_wqGPA6rl<uMpN_5)cHOD{BHti~ZvXM3udY4#A
z2QHJ{=<KnR_ey8%2!Y4n3Vxn|FvT9Bd%ad?YS`8`k#2U`5J?|;J0fAvd<-Hlu?e5G
zqZ*&|HR`Es`)Q@hubT4(`xqLbHf`Nn^pFZpcb5*^)#J|lcGwftcXS1x48dzsN~k;`
z|I}#$FNP&wMzRRBHfgh*^=vmaxBBZj?mbU55pB+5KMr18vjT8-_T!&C7`E&{`<0C&
zzwmx*{y0g+u!U6~<XkCabPTa3b2vK!&CPQYBi?Y!zFuORve&^J%V7(dF>*q%G`mG-
zqIlo*rmX0m;c&0Du>iNK)QiFI<oiikFf5iu&r%rPd7*b>)9%pshptM4sqmVkk15P+
z_)oRdmn!=qyx!VA>naeF;O)bLi<mfdx)IR|=G9yimv@qA@+ouNEP~R!scijGfm#HL
zqh#k0OwLFrE}~Gb<ULASsa6!MjoW0uG%nH^P#lR0yLBsQB3rP1@7XQujy^Bk*c-7M
z1Gw>d>u{y$eTHI|M3<yTKQul!4l}w{r#~s*bJ&%wW=&r%JwVb}>kb8)vEv{&zQS@M
zfJlgcJ+zOV6P)0I*x*q%M{1$H^~I9U1d$^_2D7}Yt(7Z`*5i_98HV%5*v_@fvyR;)
z9UsCf{ltxrt5-^){`j-c5WHhL7@u99_}4DpCN8O0nL3y6(cVvs1e@O|sGr_D8LyCm
zM1Fhbfc*XK4k3Qoc<}qhB>q`{!u)@e%!Z&(#Dw8Z^6|Hbn;FM_QQXyjik!jV<cIXf
zCl71Fu8nHk8I5OCbf0fKexp<eg(G7R!5`l=2{u3C4(#LU?_gvJYV-;lomZf!imnWm
z2>i&!Y6zSS2_SVpjDHPGjr)EHw(<q9hV4l9Y+tml#Vib?Uy52YbyLAVhpZ=e$(X|@
z=tdcfk7IigPxh;B6k{>gWD8LujA3O@5bphMtWM&3;1hGjj_VSMl<#j|86u8wib;w$
z%ZP_wPfTWMbEf?SkV%B!Q(d%Gi`i(a`6X+B_*eQ-rFe4Oz;e}2^^#`TQH18SiFJ#Z
zHB1V~3pV<yekDMuqqjw3&H||+kW#(+urDUZVy1<-gM_Or3_wM{v4DFm_T?JF+@U_p
z%eLqlK6}s7O^DT3gTkL(S#@z`rMcIuVg($A@+MP1j3|5bcQnO;46k0`^N|}Z%!{Wy
zc`K7WVudeodM{=0@uuHZuFAKD#Z6KF@L}ePYoXG4rbWGASNso8zPBjkz6Ik)C8<rL
z9bkbNYW=eoZvNa~u4(=%4yQ&<bdwSt)D&Et{FA{Z8XsCQE$I8%iClw_d43(or+rJz
zz4KUd$G{D4YhJC>PU*^s@^r3Mdnrjo)|h)hQ&#U@-{}{v-7u?U>U0e-R9usOy!AGZ
zwTJ>Y;Mh1&Xt7Hz<Z;$fUn+$0vq|P5ZjcY67-wurq>R?NC@L29(j(X?BXA_&jv5(U
zB^sIhbB=Mv1>oezQ=tW!cYjLw6?;XdFApn6-=l5h(vHqiMr)Os7Q*MG%z>dPb@l0I
zLw4lix(b6m60k1K_PIZR*{BU6uTyED6POkii7M@M-`@q&M4KeC!{(Z*j*G_;I|vf9
z`@t!a67fEvyU?g~(kI#Ue2~blM^P!)FDeslI|oPNo#<PUIn1Hd53UmdQ*)=5S^`P{
z{9z_8cynr$voc-Bac9PYG>Q75q?c}7a#>Bk8=vcgX<!D#zs5MnD{b8P#z>;xMi7@#
z>!_lYnX{*i1V7i=`-?X!^>?1wzX+lMu;q?j^sh5JvdwtqQVlC1F{1#&b-}Z;QMd_<
znmC?9TOYAnQ}+E`Wb_SZWJfTQ+wV6K3$#h%Gxo;1*u5j;i+|D>pufiNNa*z@qn}rP
zT#y+C{d(l)yWsgQ?qR~$aoY+hZGZUOMOgJE8ce|bg9bQf?}j<rpm%4{Pe#=4mOZ;g
zGp{*+0E-#H#>bzM*$8&B)#>9VWHa^QKE+bFqXYIF8#+-oUQC`6wG$=&!QVrvynNQn
z6+mUvaQ-l`a<phE06m1Yyb{lR7k(qdGcmPHmxDc2V$poz`-`xW5kg06X!TV1xos{{
zlWa$DTt>Cfr4B$irtY}67LgrAdvWrQK}&9&RRAkBVKlLOpj`+chjn9^t-hPONH43<
z#W)N(1>#=sF@le1uLY{?J2u%mL3%NeFvYaR3mBLT)cM=4gt#FTqzK{!0f-0%De&=_
z32_MM>cPH@V?z&p!Q9?8YBl=PJ<o1w2<ZB@h@d>#@fp{(<yAUl4mlC^zhl|(@Npvw
F{{wtQ=5hc4

diff --git a/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.crt b/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.crt
new file mode 100644
index 0000000000000..51f39295f62e3
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIUCYPL1cogC+8WOfSZytklHmrHQh4wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTE5MDEwMzA3NDA0MloXDTQ2MDUy
+MDA3NDA0MlowEDEOMAwGA1UEAxMFY2VydDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQCWz6ITDTlkTLueB30Jx0+7sWHdlM5ObZjWhMQ1eyJD0gYU/gkH
+2C88IN/PtSv04tzFS6PA4KPDLIyaAhczPlGElSansiui//CpieCI4tt5c2BgVo3X
+dJaylYoW3CRILUrlSBOMUmJCQEokverxMrz8DeppNxRfj99pQkoxUkmFMZj/C7XN
+VYrTttdF1li5FUtWJxw234OUfum3PQIzz6YTmoPtLrJ2fB8I4CH8R5hwGcryhBSA
+qq8pgy61aTPCgEBZ1c4Dvl65X8dG2QEVPjwMZnnbGjvlZefOgkmAWJ1VjihA3GVg
+O2mx4tB4D2x5K/OAxh2foZkDVhqJfBkOblLnAgMBAAGjaTBnMB0GA1UdDgQWBBRM
+RZ6Qlozj5hWTqf3+oTznFyZTsDAfBgNVHSMEGDAWgBSHd+NjwqkE6hVMEnltx6cT
++D11lzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCQYDVR0TBAIwADANBgkq
+hkiG9w0BAQsFAAOCAQEAOTUJ64T6kO2H51j2bKIof4ij4yoDD86gLmUF7qXB2Wt4
+tMDCqs9+5VnRzSWY1652mpwPClcK/MfE26PR6DUunoES+8VSbARWh0OB6zsAAWyp
+WJ4RxlfYdNpJZjpx3umLGj4yeCh0iOhfoArBUT3vaJJrea+rTro4UFE2Z29uWALr
+NvjKZ0Qrn1DMP3N9b7y81dR9RMlzeqk5tlPhAqhHzQM0hDdFKA5uIFn71QQpd5SI
+y8MpllWFGGq/+5m7FD0t71GQ/m5xCyfUiqQU31Nj3ThU21SPHBqZIZvQ/na/OaAf
+GySn+0ZHAvyNRTL2y2Fk/YAY68kgx2E44H5YSqbFJA==
+-----END CERTIFICATE-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.key b/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.key
new file mode 100644
index 0000000000000..461ae5ee31ba7
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAls+iEw05ZEy7ngd9CcdPu7Fh3ZTOTm2Y1oTENXsiQ9IGFP4J
+B9gvPCDfz7Ur9OLcxUujwOCjwyyMmgIXMz5RhJUmp7Irov/wqYngiOLbeXNgYFaN
+13SWspWKFtwkSC1K5UgTjFJiQkBKJL3q8TK8/A3qaTcUX4/faUJKMVJJhTGY/wu1
+zVWK07bXRdZYuRVLViccNt+DlH7ptz0CM8+mE5qD7S6ydnwfCOAh/EeYcBnK8oQU
+gKqvKYMutWkzwoBAWdXOA75euV/HRtkBFT48DGZ52xo75WXnzoJJgFidVY4oQNxl
+YDtpseLQeA9seSvzgMYdn6GZA1YaiXwZDm5S5wIDAQABAoIBABCilJEfa045/JQA
+5XT3rD7a4R2s9VjHVA2NlYsEqxHqD8uu/dYEraknQyjJJjEb+Rg2MLjszoOP3W57
+fo2jeSBzx1DGIXQYYTaCQ+c1htoNtPrLcVfrv1exkQrWe5YOkO1blvRqffYq20LU
+RB8Y5qmy60Fx1uh3mUAmFML9/agYVJo4yCxnNDrMg9UjF4bn/39uOf6C7mEVJRTl
+7ET5wcbdl10EOWW2m60hJOQLSOY9N1eafFEO+V2Xb80PC2t3Mqt5+T7n0CKCx/p9
+4F7QAz+hsfksY3oTUUXwL0KoJTLdJrjCoG4mWJ/Re3qEKJqmMfT4XpJKrF7HfgcK
+RCyH06kCgYEA/5TVQK4G1Dc4LnSCmCb+ECQvmGRBtK6Alh3Txb4IwGHDGMfC8W4O
+gt03A8ZE92pjITHd1+cLykKBsmaVmEtiyD7YL5G3mumR1YdMFEBSZdxOTeD95+aL
+YxTofPsDIUIPSFecRWwri7TyYcvUGyDchL0vDc6Gp95/ZFFgt26uxAsCgYEAlw7e
+g2McHws9cSAfouULbKbf6jXzy21t6CeqJGID/kjdUws63prcQvmFtFHWrv3rKO09
+hgb3Kd3gUz8t9tAD3F718bSZwzLASwO5ujPHZQVRTotutgCGeKPgXqzyVWeo45ji
+4DfQl53jG0aA1DzoZSA3/owcuX6CVGPLzQnhehUCgYAHe9UuuqnKhv9nJNQ6HlIs
+KNMX9D+USdPMEX2E+caJ05MB47+KkD1uiYm125VjZUMX0rz7OHG472+ayLQyrGpt
+EKIF6o9kwtgZV4fbw/Jltyi30RG+O5rzQMZ5+mOiEqwd4yrZQYyY36iFQpGoZbLv
+VBbPoa+BtNsoFdXuKRiG9wKBgBjJhdXFc53ceE6R2N8f+onvsBp8k+6znC9WIuMp
+ekJFrpur4hMZEj+jNj9qlnHMlMP4efn+NpyWHfNLEL3JUHje1Di/S+Pt9gPZLqbR
+TEzVXIwo8RfIakhti6m9c150ThBazA/C2OWoMNYO8aDiBbhiWw3X6/a8PaKfZZfV
+oTwpAoGASCTx55uThl9rN+XDKFXN500K4r+Q9OBOEkfDuDUERpBohUfoy8dO5eiT
+mGiqx5P0hoxEC70vnw5fJz4ZpSJ7LcpCfq2TezknJP3MZKwTdBM/pODSPMU5YCW4
+T9ocEQui5PKOTLlVo1QKrG8w6f/YMfZuGa9zP/LmTLZEado9nuk=
+-----END RSA PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs8.key b/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs8.key
deleted file mode 100644
index 1e8f219eecee7..0000000000000
--- a/libs/ssl-config/src/test/resources/certs/cert1/cert1-pkcs8.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCWz6ITDTlkTLue
-B30Jx0+7sWHdlM5ObZjWhMQ1eyJD0gYU/gkH2C88IN/PtSv04tzFS6PA4KPDLIya
-AhczPlGElSansiui//CpieCI4tt5c2BgVo3XdJaylYoW3CRILUrlSBOMUmJCQEok
-verxMrz8DeppNxRfj99pQkoxUkmFMZj/C7XNVYrTttdF1li5FUtWJxw234OUfum3
-PQIzz6YTmoPtLrJ2fB8I4CH8R5hwGcryhBSAqq8pgy61aTPCgEBZ1c4Dvl65X8dG
-2QEVPjwMZnnbGjvlZefOgkmAWJ1VjihA3GVgO2mx4tB4D2x5K/OAxh2foZkDVhqJ
-fBkOblLnAgMBAAECggEAEKKUkR9rTjn8lADldPesPtrhHaz1WMdUDY2ViwSrEeoP
-y6791gStqSdDKMkmMRv5GDYwuOzOg4/dbnt+jaN5IHPHUMYhdBhhNoJD5zWG2g20
-+stxV+u/V7GRCtZ7lg6Q7VuW9Gp99irbQtREHxjmqbLrQXHW6HeZQCYUwv39qBhU
-mjjILGc0OsyD1SMXhuf/f245/oLuYRUlFOXsRPnBxt2XXQQ5ZbabrSEk5AtI5j03
-V5p8UQ75XZdvzQ8La3cyq3n5PufQIoLH+n3gXtADP6Gx+SxjehNRRfAvQqglMt0m
-uMKgbiZYn9F7eoQomqYx9PhekkqsXsd+BwpELIfTqQKBgQD/lNVArgbUNzgudIKY
-Jv4QJC+YZEG0roCWHdPFvgjAYcMYx8Lxbg6C3TcDxkT3amMhMd3X5wvKQoGyZpWY
-S2LIPtgvkbea6ZHVh0wUQFJl3E5N4P3n5otjFOh8+wMhQg9IV5xFbCuLtPJhy9Qb
-INyEvS8Nzoan3n9kUWC3bq7ECwKBgQCXDt6DYxwfCz1xIB+i5Qtspt/qNfPLbW3o
-J6okYgP+SN1TCzremtxC+YW0Udau/eso7T2GBvcp3eBTPy320APcXvXxtJnDMsBL
-A7m6M8dlBVFOi262AIZ4o+BerPJVZ6jjmOLgN9CXneMbRoDUPOhlIDf+jBy5foJU
-Y8vNCeF6FQKBgAd71S66qcqG/2ck1DoeUiwo0xf0P5RJ08wRfYT5xonTkwHjv4qQ
-PW6JibXblWNlQxfSvPs4cbjvb5rItDKsam0QogXqj2TC2BlXh9vD8mW3KLfREb47
-mvNAxnn6Y6ISrB3jKtlBjJjfqIVCkahlsu9UFs+hr4G02ygV1e4pGIb3AoGAGMmF
-1cVzndx4TpHY3x/6ie+wGnyT7rOcL1Yi4yl6QkWum6viExkSP6M2P2qWccyUw/h5
-+f42nJYd80sQvclQeN7UOL9L4+32A9kuptFMTNVcjCjxF8hqSG2Lqb1zXnROEFrM
-D8LY5agw1g7xoOIFuGJbDdfr9rw9op9ll9WhPCkCgYBIJPHnm5OGX2s35cMoVc3n
-TQriv5D04E4SR8O4NQRGkGiFR+jLx07l6JOYaKrHk/SGjEQLvS+fDl8nPhmlInst
-ykJ+rZN7OSck/cxkrBN0Ez+k4NI8xTlgJbhP2hwRC6Lk8o5MuVWjVAqsbzDp/9gx
-9m4Zr3M/8uZMtkRp2j2e6Q==
------END PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert1/cert1.crt b/libs/ssl-config/src/test/resources/certs/cert1/cert1.crt
index 51f39295f62e3..576de3bb28fb4 100644
--- a/libs/ssl-config/src/test/resources/certs/cert1/cert1.crt
+++ b/libs/ssl-config/src/test/resources/certs/cert1/cert1.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDGzCCAgOgAwIBAgIUCYPL1cogC+8WOfSZytklHmrHQh4wDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTE5MDEwMzA3NDA0MloXDTQ2MDUy
-MDA3NDA0MlowEDEOMAwGA1UEAxMFY2VydDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCWz6ITDTlkTLueB30Jx0+7sWHdlM5ObZjWhMQ1eyJD0gYU/gkH
-2C88IN/PtSv04tzFS6PA4KPDLIyaAhczPlGElSansiui//CpieCI4tt5c2BgVo3X
-dJaylYoW3CRILUrlSBOMUmJCQEokverxMrz8DeppNxRfj99pQkoxUkmFMZj/C7XN
-VYrTttdF1li5FUtWJxw234OUfum3PQIzz6YTmoPtLrJ2fB8I4CH8R5hwGcryhBSA
-qq8pgy61aTPCgEBZ1c4Dvl65X8dG2QEVPjwMZnnbGjvlZefOgkmAWJ1VjihA3GVg
-O2mx4tB4D2x5K/OAxh2foZkDVhqJfBkOblLnAgMBAAGjaTBnMB0GA1UdDgQWBBRM
-RZ6Qlozj5hWTqf3+oTznFyZTsDAfBgNVHSMEGDAWgBSHd+NjwqkE6hVMEnltx6cT
-+D11lzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCQYDVR0TBAIwADANBgkq
-hkiG9w0BAQsFAAOCAQEAOTUJ64T6kO2H51j2bKIof4ij4yoDD86gLmUF7qXB2Wt4
-tMDCqs9+5VnRzSWY1652mpwPClcK/MfE26PR6DUunoES+8VSbARWh0OB6zsAAWyp
-WJ4RxlfYdNpJZjpx3umLGj4yeCh0iOhfoArBUT3vaJJrea+rTro4UFE2Z29uWALr
-NvjKZ0Qrn1DMP3N9b7y81dR9RMlzeqk5tlPhAqhHzQM0hDdFKA5uIFn71QQpd5SI
-y8MpllWFGGq/+5m7FD0t71GQ/m5xCyfUiqQU31Nj3ThU21SPHBqZIZvQ/na/OaAf
-GySn+0ZHAvyNRTL2y2Fk/YAY68kgx2E44H5YSqbFJA==
+MIIDEDCCAfigAwIBAgIULU6478tMe6npOywF6dj4+azLeJEwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTI0MDgyOTA5MzE0OFoXDTM0MDgy
+NzA5MzE0OFowEDEOMAwGA1UEAwwFY2VydDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC+9V4E9sliTrt7NgkpG95rrXntGcybvp/EwDjaHbVyagQ34aMT
+gjhKRhzmGzwX7YkeYpob8JmMOwyurxur0KOpSQZMcUM7QneO16EV/8otRwWfyApF
+AzD7gANdTyRcnO9h3aUEBJvvve4fDFleqnj9AexGBIqyHRcA8hjYTjIIKGQbgFIi
+7DvS/405AinDU6sAQt70+pZ3P5pHF6AsHhEhma5+cX/I7q4XIJxaLwpsh8ySWq2P
+FMaJxMKoLXhuNALZ/n5Ur1grDZG91cPF+vpJu4qV9zjalLHASM6u+CK+roFT8P3n
+P98viKDLaFzEwjqoKkVoIY/73ESiuHOi7KQVAgMBAAGjXjBcMBoGA1UdEQQTMBGC
+CWxvY2FsaG9zdIcEfwAAATAdBgNVHQ4EFgQUL0u1Ps+kFvjYsf0T6rXPc7H0ls8w
+HwYDVR0jBBgwFoAUh3fjY8KpBOoVTBJ5bcenE/g9dZcwDQYJKoZIhvcNAQELBQAD
+ggEBAGRPhduypDVICV0q7nEaK6MUsF//W826rYvy9ePZzAAcx99si1UyAyLFFKRA
+GtmkTiyO98AWqO7g5ztSuaN+5RxzSjPtcmOIgO2lu7nWLHO2Mr5uG1m6ssjGvQBz
+IjXL9F2+oJeiOllQ/kSvTO8J0nUnz5EJi9JVwHMIb0GCfHrB01rp1UKfbPzXYnFz
+t3oWro4idhgVpoBp+RNxRV6Z/7fMNBdc5acZFLTpRThs88CQRx5XqRl/X9FSrsbR
+nuFwg8jc7taHhMOxMPQ+GPM9hZ4fGLfF3WSqRuyypMR8ztxXi3VmnSgvLhQ8OSz8
+yM3mR4IpH+oys6uyqvcxvtY7Qk8=
 -----END CERTIFICATE-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert1/cert1.key b/libs/ssl-config/src/test/resources/certs/cert1/cert1.key
index 461ae5ee31ba7..b7ad0d595d7b7 100644
--- a/libs/ssl-config/src/test/resources/certs/cert1/cert1.key
+++ b/libs/ssl-config/src/test/resources/certs/cert1/cert1.key
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAls+iEw05ZEy7ngd9CcdPu7Fh3ZTOTm2Y1oTENXsiQ9IGFP4J
-B9gvPCDfz7Ur9OLcxUujwOCjwyyMmgIXMz5RhJUmp7Irov/wqYngiOLbeXNgYFaN
-13SWspWKFtwkSC1K5UgTjFJiQkBKJL3q8TK8/A3qaTcUX4/faUJKMVJJhTGY/wu1
-zVWK07bXRdZYuRVLViccNt+DlH7ptz0CM8+mE5qD7S6ydnwfCOAh/EeYcBnK8oQU
-gKqvKYMutWkzwoBAWdXOA75euV/HRtkBFT48DGZ52xo75WXnzoJJgFidVY4oQNxl
-YDtpseLQeA9seSvzgMYdn6GZA1YaiXwZDm5S5wIDAQABAoIBABCilJEfa045/JQA
-5XT3rD7a4R2s9VjHVA2NlYsEqxHqD8uu/dYEraknQyjJJjEb+Rg2MLjszoOP3W57
-fo2jeSBzx1DGIXQYYTaCQ+c1htoNtPrLcVfrv1exkQrWe5YOkO1blvRqffYq20LU
-RB8Y5qmy60Fx1uh3mUAmFML9/agYVJo4yCxnNDrMg9UjF4bn/39uOf6C7mEVJRTl
-7ET5wcbdl10EOWW2m60hJOQLSOY9N1eafFEO+V2Xb80PC2t3Mqt5+T7n0CKCx/p9
-4F7QAz+hsfksY3oTUUXwL0KoJTLdJrjCoG4mWJ/Re3qEKJqmMfT4XpJKrF7HfgcK
-RCyH06kCgYEA/5TVQK4G1Dc4LnSCmCb+ECQvmGRBtK6Alh3Txb4IwGHDGMfC8W4O
-gt03A8ZE92pjITHd1+cLykKBsmaVmEtiyD7YL5G3mumR1YdMFEBSZdxOTeD95+aL
-YxTofPsDIUIPSFecRWwri7TyYcvUGyDchL0vDc6Gp95/ZFFgt26uxAsCgYEAlw7e
-g2McHws9cSAfouULbKbf6jXzy21t6CeqJGID/kjdUws63prcQvmFtFHWrv3rKO09
-hgb3Kd3gUz8t9tAD3F718bSZwzLASwO5ujPHZQVRTotutgCGeKPgXqzyVWeo45ji
-4DfQl53jG0aA1DzoZSA3/owcuX6CVGPLzQnhehUCgYAHe9UuuqnKhv9nJNQ6HlIs
-KNMX9D+USdPMEX2E+caJ05MB47+KkD1uiYm125VjZUMX0rz7OHG472+ayLQyrGpt
-EKIF6o9kwtgZV4fbw/Jltyi30RG+O5rzQMZ5+mOiEqwd4yrZQYyY36iFQpGoZbLv
-VBbPoa+BtNsoFdXuKRiG9wKBgBjJhdXFc53ceE6R2N8f+onvsBp8k+6znC9WIuMp
-ekJFrpur4hMZEj+jNj9qlnHMlMP4efn+NpyWHfNLEL3JUHje1Di/S+Pt9gPZLqbR
-TEzVXIwo8RfIakhti6m9c150ThBazA/C2OWoMNYO8aDiBbhiWw3X6/a8PaKfZZfV
-oTwpAoGASCTx55uThl9rN+XDKFXN500K4r+Q9OBOEkfDuDUERpBohUfoy8dO5eiT
-mGiqx5P0hoxEC70vnw5fJz4ZpSJ7LcpCfq2TezknJP3MZKwTdBM/pODSPMU5YCW4
-T9ocEQui5PKOTLlVo1QKrG8w6f/YMfZuGa9zP/LmTLZEado9nuk=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+9V4E9sliTrt7
+NgkpG95rrXntGcybvp/EwDjaHbVyagQ34aMTgjhKRhzmGzwX7YkeYpob8JmMOwyu
+rxur0KOpSQZMcUM7QneO16EV/8otRwWfyApFAzD7gANdTyRcnO9h3aUEBJvvve4f
+DFleqnj9AexGBIqyHRcA8hjYTjIIKGQbgFIi7DvS/405AinDU6sAQt70+pZ3P5pH
+F6AsHhEhma5+cX/I7q4XIJxaLwpsh8ySWq2PFMaJxMKoLXhuNALZ/n5Ur1grDZG9
+1cPF+vpJu4qV9zjalLHASM6u+CK+roFT8P3nP98viKDLaFzEwjqoKkVoIY/73ESi
+uHOi7KQVAgMBAAECggEABuyt3p82WUbCnKqudVup2py9TaBAX6tvbrqLtTkbkc0P
+XxljCPuRX/wf4yY8rR9zd/MaZIX6g2/Gu3TlG3ti2+omfNIknnsAC+F82WffpHmt
+VghyeuMtPQl81b7fci5Mre9UIwupve1Uu7J+cSTcY0xVDYrvnprYcTPWO83GGa6R
+NbYqZFMwqFer/emaIzLAVb4LWmmgpLN9Ki28s05j9CVyRvobevg3HLikhJKziEj/
+hq6RVY7wavdqGmWD20nRzTLVlwb3xLhd041oFhRxGd/KwWFzBqgfJCDEo31KeKJu
+8h1YMX93NRP01Ny1l4HNOr1T/GvcJ4FbBn/EMFeq5wKBgQDrV13/A1i1yCFsCBee
+kDblk3RpAwRo4w7+BJKpiX+6K+ZqT0mH+KaNtDd9MulxaJqFEeVsblKB4ILbIWhV
+EcihGpdN43hED69r/bBpFSYmWAptzSRJ8sAn3X6n4p0TJ4yHSOi249/Y/yZ8lO1f
+FepcYSI9R8Io8Tm/yp9ECzwnQwKBgQDPuJ8OEy3xtN7ZAjV1aFa4xLheFumDxkQf
+VrpMbkGQQ3xj+GRngy+cbzef9wr8Y8uwx7SlkItVNOHqx0hQyWoiIt6DdN8XlmzK
+5XJAn6WSk7dmcoRcSQhtotAZ86C1ATHbZCP7hHZM50bYBPpgYuk9ZBwmvxAcg0gj
+KAzU4R31xwKBgCesSsQ6pDHA0yGLG7A3T4nUGcO6JnwoCtb3nmHGNCoGTImPZC3v
+1OP+hXwtoPzlTWcxZSOqVW5fkq+uKhBtNw0xlmAjAJs4qbHiymJslknQfbGU65Er
+wwj1ZeyXXzNjb2U+/TwXnhzOpoZJ9Noar69zEHqUJj8Qq1ORrNejrThRAoGAciwy
+EJRuLmqSColyRMRC1nAaPm0tkOaLTwZmg9geZWMSnghLd7Hdm4ht9JjfCvb3YIWE
+P3SBgSX9/wPmNbFfir/Lukmkzdw6lBMlh2u4oCZdKgxLwEXMQia5Z2pHrPWpJ8OV
+G4wlUgPVJqsly5DSTpIV/x4JhwKJxfkfhGrwAsUCgYALt60wjxSkhFKTMB6+jViY
+Nso8Tdn4VIxCd6LsMpGgIyfbYyEsBgs3HypjfkSurAfW7VgsLoZqfIgTPSG9RVhY
+7I87ST2/qVa0Hd6i4SeoB6PQwiowkplkdN6486tGev1lbWpMAeQAkJ2NPmSDNL4M
+0j367yIVK4mvUArXQZhEqA==
+-----END PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert1/cert1.p12 b/libs/ssl-config/src/test/resources/certs/cert1/cert1.p12
index 2635a887bc87e4b0c7eab4a4609caf53fa701a27..af4918e031995a3b12e6b0c42682d86dc078ddb8 100644
GIT binary patch
literal 2606
zcmai$XE+-Q7srzb65>jgB34Vx5(yn<t&7syHEXZhB(1BeR?Kn{tM;bUUPW6mtB4gr
z?b4+PimFxPy3hMQ?Z^A!Jm)#T|A+JG{GNlxGl+qJG-y0@kq#;rc{6g42}lpj$3sWK
zc<9g>?nmRnh~E)iJ|4_?hUh^+z*z(QPJn2eUjr=@+7ONTJ;KmPFkD$t_3l^R4itZz
z$*}wUm#ZKU1b~LoLH@TD1f>O_dFY_FkvD-(G+>|@7=G0CAr&ZLM(Og~$y@|ojR?Wh
z5WJ9XK}?^W1bLX&NlVi`6lyEY%2qBXF(*pql|TXN@YF1ZT~p#|L|2H}GT_;P<hI|m
zq&pi#zTp&tOPy_M)f3<xYV>h-#q`_|kw=g<uDaUkW&AyEy~*LYh$?~j#QRYz+gF+P
z%(QLnWoQDlE;){6#C#}?Ol7T=|Ej^V*tVe^b!GmFCz-`OoO52>wb)$R)i5lCYiKjl
zbd4!%JX>_0VXEH8xFjAfa0sv0Q36uq3oWV{!KpVKj?2v_>O<I93U}yZL}7c*`6X`e
z2i~?lR+UPxy4IY^QP-@O-a8mpSxhtG*H^~r75y_Y#xAm`-nhbaiOr=!fXceuu!j(-
zsP?DN0wckk3Zv-Q8O5cTp-=022U$ktAc<oD=C$~NZqJ1Zm1_zI!Hiwv#dnP%Nc$MO
zm7Uk!c5}*OS$}2Rr<1}P%<$V9v|Fu6S)p@{^*UxYE`JAZhu>O9j4SL25*EMdSH-ZK
z+{O@U-}9k1VqB8Hst9O9g?l}0H#zg@SZwVr-A+0R1s|Lc*<l2-Kcl*b5Vw&%L-=M{
zz-HIREhSuhjb()+*-(dDt|D}dx%Qhg^yu;Ii(TNMEuH;KYm@4u<E293msP9sy^=a<
zC-?N#s#&9=aaGB^-@1)xlpGY*Glzrj1Vyx0#a6Hke7BQ)giKr~@LQx(A{>kqLyJ<W
zb|3W%^AO3m{1^%SnWot#)a08M&ia@jBMc#pQ+z~>prA{rYRR!~td)&0Px|rMSz?Zj
zYMa4-7eU{V7G!l$gk54!A2>nD>WNKXYTC;ExP;<z6iuOz5efY9xq?p1fhpxn+DcFq
zScpfEV_qxv=Tz~Z=(z8MMPnuA!mp?tZ~<l1K>vvC*-VO~ANCSoP0)}WDKTUF>5F7?
zNs~loQ$Ozwrr}y~60uu+;U~OOB|}Lt5W2Ux3XWZVoq7KA9p(w=DnNp78Sj&>k3~6g
zjJCT?ChX_*q9nY-+uS2V&$-ylk;@56$~f-o<wMBsCqFNBU8_Iq97)`-6?G6-4&Pb_
z@=SRT$RKq(eG?!qG269#PXdm7=gWo<8Ry8<=(pAs%koUy!s}p5-)8spgf66*?^B&e
zt;*<DHQwilvTavm!|uzENGy?d0?bjLpA_@SxJ{1B@KP8^DUW4Ax>AMIc_{`}-82^e
zORaLjd3AA9*Pp`#wt6V;t>T_o3eKsy9E3a*2W{!EJO5W4wCP|xZOR!YoYmiSjQ@8E
zi~$Hb3uVvX)&CO3f-{Z6xXYmStI(gMq`oNA{}jd0V<LZQG~sTtOk$nzG;s@z2a`RR
zc}PQvy&|SIXpRt(q!<Q`Xh){U3;w#V>aSTtIqOLD(09VOX6oZS+<r)wN6GcP%d+lK
zoy1TV!ZH2FyB0H0A&17EZyIqM2FLejzTS3t=gn}AgTy8wRAiz?qHLpmZqin_&z^!Y
zm0~p{xB+5)!`sXMg%WehAX{rm>jlNUV;{llXHThPo#+4N`eROBnRl#Vi7b?q-zFw4
z`532S^DuC>Ds)s(eG$zX3LV*n8FyP%(|yQIQw#Af$;Up=;-fquG}cF?=uQh{Y>khP
zkC?M*_TGq8lw-yMk9)B-qj6Trs83OgdX8lMeDPSP_Sf$93Aywm@ZbSmCwsSw8vwZ{
zJao=dN!%^46m%giV{dkB#(QP;ft-{2sBGlDH!Tkr6(<KxS`uc<4)tCN?<-3uO&>YM
zpx~Z8t<*8T1Fs{hwO15}LI1Ym)-?pO@cc9aHr05n*6CTv>o^Kg>NtQd+f?$Xz>&jO
ziJQe__b7XX!0ZRH7H>3Dij%Yk*Lqzc<UiI9FRFzv9=PeXruxtr!<-uK8nEHs4B)5p
z7}Y~KOQq#ISaVfZX7=wWR(_{^xxN3)^BumfO{dJ<<#19RrD;X`R@{#p5h;6RJFZdS
z;Xd1YK8NLGJ5OhCY>JQxc1G@FAjwRiN_7`IBII+jtQTzT&NUqz9^QzHj|Rbw0<}t>
z_z~46n9A-mf8+Y(q@+RT&oIM0STlNSYp%)Ks>bDe^sw;tiQ4orp7Sdg`rc+v+2MjD
zdZw6yWW;E@h0IN3oBE^>V^=Cm;b9lJuir@yzPzn;)E6=!8A>`TxE)#Ets;X;bKPxC
zgRy29(r-E0hH1veM^AfH*+h#v35%*K&vApYJ;Kr2Ow6dzAh~b_Z=@n5gcpgF9->gY
zTgcQ}4%v4`yNu<r#InhCqx0;~+mh^8L6janY;sy+MW2lRfX2t^H_P8&PVNij;^gel
z0T8YWa@w1B3$|VR+tNd9d?WI9mBM(r^5RlYJ|8SNR0}1&Fn*p8(cwp~NO-ccDMmDL
z6$YkvnrALm9m#IB2VCx-IGuO0mD$m49eRig;q%X5%=uttd$G&=N8~)=-t0Z1aQDT7
z8R+(rJmOmIQd{S@)4X^r_p21m1)vMuV$_g9lTXe`UB;Swhp-&MAGYi@9jvagw&t=m
zvN3p5Yjr5mQfVrv^9ExR=SRCLww%9IeX*oFD?9O5_Y#Q#tq*h)gb&0I2u4IhK^Wxn
zFdeH_O0HvPv~%!`Kp#z<?phbV*|D)hav#@X<5xLMaWhyKx^D@C8#!Trdah<(3J`ox
zPsFwJ9J68rK9ENBg=Zvc*8lpV|M0k&;kE43aUDv#rlSSBHt))MT#-(Dgt(4%v+N6H
zWXM{{!i0}YsEJ#$y9xcn0Z};Rk|R^VoAYg24x+6gLdI5H`{4%411>b0m(`|DdLq2T
z1(dtVBCDLQp2G`pFKF>Dag&Rp;3yH!+J)e(qE~nk-uqt~>Y8I&X7e)N{W+PN9=2fh
zgGC?GNI}z3rEN<pHZ48f8ddU5G5p0}tCq|>V`gMkOaIUb49)4+HG}$CNVr7vcyfH8
z7iL#s=F9jr_-x`dn^~>03|W7=^eFIfwA62)XWTU~bk7^3jOP3$S|}?9#>)V305}0~
zfCm5!THtrYhPeP{4T5rBi8paJD7dy=Fp;JnG0}iUp;gcrG}EsS3k0MEfG_f9^-Bj{
r3=QjCh}WU@uze|v3vm|9b3n;kj)b?Anzw)<Q*uOx7+$j4zZU)n-yp9L

delta 2438
zcmV;133>Le6qpl#FoFq`0s#Xsf(cp%2`Yw2hW8Bt2LYgh2}=Zm2}dx32}3Y~1K$P-
zDuzgg_YDCD2B3li&@h4n%mM)bFoFZc1_>&LNQU<f0S5sv90m$1hDe6@4FL=R1~3i;
z2=qE786(;DBLV^l0Dyu6n5s-}$h8a0bb;CM|DTriIks4TX^7@ZxosM0A;IyFHE{nX
z?$3*WTTBCS^@^Vx-}Sk;wm&l9x0}ivOtkKUu@_8NZ&{!nTnVX1!Gsd((>Zju4r)&f
z&2dtI$@s64Id_;%s=O&W5h}x?WkJvOc<>jpS7uHW1V<ICbM~Otg5_Z7V-CB^wIEZl
z=l)*zDTOD0I;d`z{qYHAjM6I6pyux6fDGIZ^C5bULg)30cn}%9Ub6!ji;IumJ4N#E
zQeOgfmypt}FT?|o`jlT#$uPy<T~eFGoP!%|!1g0!@w}yoRdDgP=Oj_>MuRb^k0eHf
zZI%BJ=22B}?XSz$t9QtR3TX8kfY&7)N<3QM*;pxmG9qG4|5pM$XOKPNVbpIcn{7rJ
zn4Oq9((#jSa%^HRd-{g`3aOqn&SW^EXyD~K7PW|^id)iRt$${V|FeKV0Nh~f;J2B_
z2sAzq)`y+he!)}jQtIeLPX7O0oN|lX>a0r0Yzd<SJ70L%3GwsAqn11bouxh<b`t$h
zsbEomcvf4Qs-V?MDdE@Uf{CD4N;ZGq)WSOk?07Y^*j7~vQayL39{GcMr8o+OW4SiH
z-=v-G24+!bQt8b$_+XwyZ7C6RRi}#$?p30NCl)w<C`Alw$G}Y`;^x`#u$~ipJUy-X
zA8DV(ufxIGu7BiOO?hdIRQ`D$rs4=uTz?vWZfOw#`3!uYIkrUO-ifGG4RNOzWB+A@
zY^iX-%$U}xP5XaJKs4NP_|-%d(K!p9RIu}#9Wb|OMPoYY|A+@T%gn}^NrDoh_iPJ0
z+37%S*FuILa2qr7CniUtxC<B^YoF(Z2^0gy6C7TvEsg5jaVB9(`iSP!)04xQiHO{P
zKH5j=hlK0XC8(vE$y4HDn6}M9m2v2a@qkuL2}Ms2XewQY@5)43%y5r>BRO*a-j&nb
zyXe*f<c|@P0Fqod@G3-~KYtalu26{^qcj~CHK?Dylj|Rn;r2dk?=3HTA?s$($~@b9
zBEk3GlG{2C07r2@sU(jJk(!4FnW$@js8(VBKt~qEH;}E4?h`7JR^IJ4STqv|MLTy!
zTtr~z1XBI!!7JG3p9G)i<$(JQF0gZ6kwI@uupeSWi*jZU4<4+3zG!=>E(}%+&6Tn-
zRU15FI8t~Fjj2mtYxZIUC&|GyK9(YrFr(GzHQKBmzOaBt%T20l3WskV1zy~LvQ6F^
z+f@zH5oSP3&@h4pTm}g$hDe6@4FLxMpn?TW1cC)gFoFd|FoFd^1`8^NNQU<f0SpQO
z0-%Bf?l6J`>M$Gz3Mz(3hW8Bt3;_c$4g?6R8xnly_&N##0tf&Ef&|END#(^(cD0wB
z0QDvJ>-5rs32x=svnL?-8wd4&Jubl}`!i5t8A}&1Tz*7PSNfY=^#XR>qjpyvNR6$i
zU8MenH#rSRFSa}#?WIVUNf=atDiRX^Xx^RiH6#>v5EtE`$r*CX8~kD;G>;=dSdcLI
zDt2}E%dYStwbwXXtgE8Swx`l@P_`tDl4R`@3sK6`Ju|H&j1cJV{*^<2P#iQRde{r!
zUKhzOns;QBE4_-mpz{(QCn4p!VIaZ=e%+N34>IAwC$c*#cC0ZZiore9`sB#UBQ%!t
zK<M)!b(gntAtNhz`4jBapidgQmKx4Wc`dxG!9<5g(wWb))|*q<_k<R*@FQp(tLAxN
zsbZmm6%NmSup!J&lVF;EI1^N1at46w+=hDYcGBtlw|klvLIT9^72*`&QfMH>G<8b!
zYE5xut8zNsW_gKP=85jrU_pLd*DFEv)2CI?G<k^apeG0moM;Z*08|o#1|a3$q_VPm
zMtIb%AkQF{2qIxaLn*{Wt;EC%z7Wp;QPsvi7%ieZt{=b79larcXroWv9bn`X{vbn@
z`Tem?nFCJGK#|%vS?9M<%K8Jqy2j(bRg&(&%SGlm?iqgz$2o_I33-0UKaXUN3xTKI
zpja6oQ<;2P4c)lIlRe*XR5?p0;V3$NXHj-j;oc`zl~d@4lLph9ZrTyU7b}dw$RGVP
zf;Tl@d$+WR-77?YFeEGjlNpg3Sda>1_Lg;ctPgHJDp4j0>~c8(NX<Scc`Gk*D`K~9
z$~u5^|H(YGkF^Zf9OVcEPcz&#b>}?~C&=%^!oU=I!(pg9E9B%+7Mhk_P8i{n;%djK
z5SUSvExm~}is}QuPS$+vJD#t4kr#pzx+%P4zHyYXIHaL}4N^q{U-B#4CX0rouawn;
zj^_@q<~zz9dOPH8K=H4hgQy^65@Q8>3Q`%n`x*o^H{n6THxga`U>vP^MTb^&^x7jp
z%SqIWrZ=lUi4bOFZg*&NcJz0-&x9M4XA_X~c#A8tu2QvGzdfp`Ls*OJ1l$lke=0y~
zagn;PL^8>L4lH&Y3jUXowbU|Fe^b=xof1K_hLHusjPoD{$ntru>II$@*dDN33LYQ#
zi@OKg1+DS7S7!~SXJ-ywByBe5n=<TXd!6hZBp_MvvZHO{JKL#>S|mG{ABI4ZoLW(&
zC+k|3yRGyK*2xjL4>2*ATE=2q)HlxbLj5A71}n^eBd#N`?68gM)|66u+tu9zFLJxg
zL{0=N?Dd@gaxPlM@m*HCxQp}GGbnI+Z0D+}P=P{LOT5(06-nt<$_XSSsDXPmlMwe(
zvkp=6DZUR7t+={KKG}EF$2NBB9Hj}<a>hfd-{X}x+;PwjJ7@Z<pc_-KRfGHaXh&<Z
zOV-kVJ4mhBRSuP2r^^bUyvW`=q)tk46VT}qSuzwLa6#~=8;rNSV@5?dLuBrvl)a$|
z{WR<JjT8HombobX5l?1)d;k|-C+8Bfuq#*2jR3~giGU8&yEaOD4wzs!x;>O5#Az0t
zK#EVP<=Ae<#839T!%t~~#qGXi<qT<`jUnJQp(u?=>7s?jwO0i_d`z;HWXXY09^Z53
zk%@d#bj|nOn@rqtp_=l+|DaYw6vp6Ov!vmXPm`$$E=N1-<A|nXVt7jZY*DEI31Ot+
z08lV7Fd;Ar1_dh)0|FWa00b0Q$Purwb<zwo4-FcY@31%Q19ce$2*f@3Zf=w^umS=I
E0PEOs?EnA(

diff --git a/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.crt b/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.crt
new file mode 100644
index 0000000000000..3b7ca01e48bae
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIULGiQ5jnAntO91sS7Al5aUv8/jg8wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTE5MDEwMzA3NDE1NVoXDTQ2MDUy
+MDA3NDE1NVowEDEOMAwGA1UEAxMFY2VydDIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDQbV6x3P9sstd5zKkjOylk+/X1j0vI6C93HwkF3d9NwhMoV1zq
+aSj2SmAQCz4mIjMlAFR9mm6F+3sb8xkMFJD2Mypc5dW6TS5krhbhJdMpoVbceZtS
+yuIsvQi1GT2Uwyu89doDiUNBIANqaexrK5x2S/Fy4L8dNl1x2k6PJi6zVpvbnNLV
+TSbuSMp3oY23PpX/m6wzJlCYicO8ucMhPwmC0OL9WJNKny4vuEPdiV6/LwCVS4Vr
+UpfNqgXLzRMJEbx7C2QEG7T6o2g2101oANBuPaDZcwIQ//EI3IkT10JcABIbwsdj
+/Oqj0cf7iEW1IfJWx+kRVT8NfEA5QjL1KQ4HAgMBAAGjaTBnMB0GA1UdDgQWBBS+
+/gUxdwfGB0XcPHsbM6Qw50S2OTAfBgNVHSMEGDAWgBSHd+NjwqkE6hVMEnltx6cT
++D11lzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCQYDVR0TBAIwADANBgkq
+hkiG9w0BAQsFAAOCAQEAiztFGa3uZVb6Fs8evN4CU+hPFYdhF57lEfT6Xa1OUD1B
+5e5rDOZfVloy4gzLdtNCS9lieTgB7Yc3wDUCm0cS48JCMxykSRTI6M0Fmofsgd5d
+OKR7CB+jR1Egj6nZren62XCgqjuJ+dbP4DinY6TifFzFX1vOD4RTb0mEn2WHL/JB
+DnDxOETmBtKFyueprMtXkTO23dXsYXQeo2Gyih+t5ksqMnxCW2GFkkOqrOUQY8CF
+6CVmmb9UCYk3f3Av9TedqJ8Cmoe+HSP0R2oxpnc7cd1v37QPxWgHETro9zS4FBrt
+6KgNTP99b+aLxeeuMKJuRVR+TCZPuyYbBzUfp2ZZOg==
+-----END CERTIFICATE-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.key b/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.key
new file mode 100644
index 0000000000000..1384b2daf309a
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs1.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,68F4EFD94D4D9BDF
+
+TL01d1JqaN0P1sb8284jOGpLn42cubkLY7JPj+bmpL2PEH9cT2xo7MM5cwvNSbPX
+nuZ1CMFSFqAyxulh/rfZwU1BumKLiwM+ep0A/lWwKJEor+ancCBdkIHWfSg3Jc0i
++nHhL3e7+W+XRfSlafQQkhFkeOXs0hSa4WYX6tymvMAf8OLAenKB/0MOvKjd6EOu
+ZIvnBxAjAaDoRr4X4izIVlNmsIbvYARW9WjjcK2FZhNn+WLLTkfwEkl0glRl440L
+ET9qAjoH7j5KL5yKw5h2HhALSLaXdiAfCGvhpU4K0Afpb225mvR/uL3HLpJEGKKb
+DuoK99zvjHqReq1YndIR688ioc0O4dUvujZKgn8OR2JvGJVSc+mgaIWadfs2aADz
+CJIlqnSJa1EW6qm6knLJwieEBoNHbeFszrCKrYdy7uicys9PR1XsoMrOly+HhVnR
+PChA3gV6AVIjyMAUkFLg4NAHjgDbb81lu8ENFmlJcjgVeXDMykrpBmhzmhSPtOEb
+6bdQCKuA7zXIpJCmP66ZSuNHxikrfqLJjXW3PojLuCx5nfO0akpxjSeyLHzv/YXV
+YxnpLJxMybG1KUHyDHRmDrd+UPzLnh52O/g9NoiAlluUcblH+BKer18dJdGSl95G
+P+Ted08S0yP2niNz6XHv5KbztzsP73n0w82akCQB8ZAsGJ0CNw7S7N6tWam/UkMN
+tvM9nFCjvwah1funu8nj9QyWrzac6ngPP0s8tcKG0ahLEJYn7Hx2Oqn7K39fbMkX
+UOJVNEBQP2Anf5dJMfYPEI0xihv3ec1RxpipOm9DKQ878jxnqxgZxa+Pab9j/JxQ
+j+BGaoOnYj2jHBnt4nCP75F0BEZaGxsZX2MjJySK+5jy2WW3JRC/E0qPkL6oBvT2
+3e37fep4XKSjqR9lSYjW+AlAVw2uPkwxDp5sD7XFGsH3SM1qj54NWwljpKXnOTbQ
+Xws18VEiWsQ3kD7ft11w8/67Bb27TsWEJRo1vCC4KsYBCyjEOrp13aJxpSiNI24W
+oSmrQTsCco1Yrxfs0noNu0FzfJHV6qmHR7ps0fj+AWJyquYbIEK1762+r2uutgSg
+ZVaPWLkm9uq5K5rNXsj3w1L1CK4YcDre0yt+Kg4Pt3OQR2lF8CpABguA3gR9kO2g
+9N8hAfiOq5MDliU+9r6Cr/dPkdzV0Eo971HdfaLD7S/pjSP37fcTcOpDhwNt3UcK
+amhR/Zm8Ll414zc/iNiVTcu6+chzSY9Yhwfa8A/XuIfoqMrTiaBMPlxe0tNKaKVs
+09d6U5JoTQJcnei/4ODkIIYOzsmMtHgKtmeg86AB8yeLNgqWCrJi+Fxnha+cJ9No
++STMQP4vS8qgRe5XkRGaAZBHyPAwxOou1Iu167LjlFFl0YSYUZTChha5XBG2Uhm8
+FeIH1Ip+83fxMoyiYROOdeMuLXtQIndA3fmjduBEO0kPtAwQ2xfH4g59XnnSL97S
+9AslnPnUWzDR0zBr4GQBNAKLaMIFGzhDZEzaooYetoeDYSczil/Rf1D6wyM6Cgjq
+BK7c0kNum9uXaDbYCh6spzYua0j1noqsBTm9V25178lNbkQ6yAPdeYCxRmUXHtXk
+-----END RSA PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs8.key b/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs8.key
deleted file mode 100644
index 5463978f1c885..0000000000000
--- a/libs/ssl-config/src/test/resources/certs/cert2/cert2-pkcs8.key
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIE6TAbBgkqhkiG9w0BBQMwDgQI3LMAczRe1pICAggABIIEyIfF+k/Z7mEPN+gu
-rrV4slxmFjnIzyjoOsWbFBN9j5W8kZGewzWvjnYAzVMVeMUXXW27EMOC818aF8Ry
-20BUVkmGNAUFVEslayeF0/S2sYR9xBPqYGLF0DI2VDTBIn8zrTdvQ0DYuuLf4g3W
-nY69paCGSVjP24xrnEck+X6PjwIQ89MsJlVLn2chPEetvgu2jB+OdRneSA+lqBSW
-2sDuKeXAmYdm3nCVz9do6T22OC9PUkzICGUvMyhYO4CD9dI3FFHa4ncKsr4+htfp
-p3eppDczSneDKTPmGJg41UrEVdfENvqYLbYrX2ZZRnWUeuLsGbZUsWyfMT5TT2yz
-sZXSS9+WRF8IDDhzKjsoSpsuNwMj8KMmc4oIrBNPysI+Bv0sQzPBlMJkHJ+Swb+W
-I2wWC7NS7cwGFEEzwXKYAYI/34e/fAa+oOHd/aNdpGDhhnRyG+Eut3GbojlODiXN
-ntLhDIZ+lQclJEkmxP2QfhIvjqkNBkPv+8Xt2Ami3ueF2iNj9PxQHUdx3aht1VMg
-uVNLc0qLl98fDYx7+U2q5Y4L1mViZrCwGW+lcaY6a8hscPuasqW9aolFTE95YLVU
-yFeUOZlUh1g5FYepISESR5jm5k9wf/WV2cp/KyAzCftdx2iRQtgvyQtSITFtthDa
-kR7jI/T/HE2aPqiEcd0Sx+66aSH2JspseJ4VsLGkpg2lU0FPtPaAsl8lIhlfdoDA
-43kOPKe5q2YT4QaUNZJROAuyJAlRbE8+LNlfAlZCm0UTQhgiXPzkEuVQFM4DNplq
-FkBZnW4R/hD2rP81oy/SISxIANTyAB0FfCRxrvSRP6xe0XMYTIqsUVt9gpszI6AY
-B+KTKlJR68cI8Gs1Jq6otn1ExAlCX45mwfaFO6Be89U0YNCZXdJ0X66SFNPmsMrg
-eNbRLGziUhyoVUuPEhLXrxtuaGUO0LdHDSCQQGVNKCwNKbcWOE1clYWcJ1Lj0a7T
-BTb4y1Nqt7LOHm5En5RtSaourgEKvi6PS2EcemBSUG4xSSP1pEoV/nQnvl2PFsG7
-182571HDc7FRZplzE4fhRKetS5WUuKax2FIqljQXS0CJZwV65boJwfJ2FosxdHj4
-eZK/wYHxi8R8LQB478bLqp3xZt28/EhsMjtLy/nO9SZfSy7Ajgq2mk2w4HZke23K
-qv6JY8/ofu5nBp0QSJIPQj35arkxXnEYjzgqJD1IIDNckt3jRSpeX3OMfmVWDXus
-a/wEwNaBACo5lgUYAwzXiPFyLEa6RkbD04z55GqsIjwZhIKrC1glyb0gmtxyY/N8
-QfPaSc4aXgUQK2mrgsR22eKf735MhM0pHOykErJzrIV92lRfSuQvfIoqTeFV0fWY
-Yxns7HEIBln7/9udgZpf+EWnzM3kpPjRX1iYNtAsMAKEMrK/lnt3jZTkKY2Drem5
-NGjtEWNmzKOLH/S0TLcpHldoDJGdno7CytNGasrkFTaDLEhF68QI85zbMmyotKiZ
-FKooG78oyxWCYqqPJ9vVBGwsMNfDMJP56T9UNhL72FwNqzSCaEcAUlDm2zCiQWKd
-NpOfYzRx8uLp7UyzXbl959GjHWfTA74Yidug13eSHRgKwLXLuro05awG8yNXeDeL
-wDswgDyKmlV7JDJjQw==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert2/cert2.crt b/libs/ssl-config/src/test/resources/certs/cert2/cert2.crt
index 3b7ca01e48bae..6438d1e56e906 100644
--- a/libs/ssl-config/src/test/resources/certs/cert2/cert2.crt
+++ b/libs/ssl-config/src/test/resources/certs/cert2/cert2.crt
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDGzCCAgOgAwIBAgIULGiQ5jnAntO91sS7Al5aUv8/jg8wDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTE5MDEwMzA3NDE1NVoXDTQ2MDUy
-MDA3NDE1NVowEDEOMAwGA1UEAxMFY2VydDIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDQbV6x3P9sstd5zKkjOylk+/X1j0vI6C93HwkF3d9NwhMoV1zq
-aSj2SmAQCz4mIjMlAFR9mm6F+3sb8xkMFJD2Mypc5dW6TS5krhbhJdMpoVbceZtS
-yuIsvQi1GT2Uwyu89doDiUNBIANqaexrK5x2S/Fy4L8dNl1x2k6PJi6zVpvbnNLV
-TSbuSMp3oY23PpX/m6wzJlCYicO8ucMhPwmC0OL9WJNKny4vuEPdiV6/LwCVS4Vr
-UpfNqgXLzRMJEbx7C2QEG7T6o2g2101oANBuPaDZcwIQ//EI3IkT10JcABIbwsdj
-/Oqj0cf7iEW1IfJWx+kRVT8NfEA5QjL1KQ4HAgMBAAGjaTBnMB0GA1UdDgQWBBS+
-/gUxdwfGB0XcPHsbM6Qw50S2OTAfBgNVHSMEGDAWgBSHd+NjwqkE6hVMEnltx6cT
-+D11lzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwCQYDVR0TBAIwADANBgkq
-hkiG9w0BAQsFAAOCAQEAiztFGa3uZVb6Fs8evN4CU+hPFYdhF57lEfT6Xa1OUD1B
-5e5rDOZfVloy4gzLdtNCS9lieTgB7Yc3wDUCm0cS48JCMxykSRTI6M0Fmofsgd5d
-OKR7CB+jR1Egj6nZren62XCgqjuJ+dbP4DinY6TifFzFX1vOD4RTb0mEn2WHL/JB
-DnDxOETmBtKFyueprMtXkTO23dXsYXQeo2Gyih+t5ksqMnxCW2GFkkOqrOUQY8CF
-6CVmmb9UCYk3f3Av9TedqJ8Cmoe+HSP0R2oxpnc7cd1v37QPxWgHETro9zS4FBrt
-6KgNTP99b+aLxeeuMKJuRVR+TCZPuyYbBzUfp2ZZOg==
+MIIDEDCCAfigAwIBAgIULU6478tMe6npOywF6dj4+azLeJIwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTI0MDgyOTA5MzE0OFoXDTM0MDgy
+NzA5MzE0OFowEDEOMAwGA1UEAwwFY2VydDIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQCKWDmVjvSYQmq5bY2XX9HIJajm9ly5hm9iG+M8pxWLtzH4FNYX
+2VlwoP/aROMmbAPL4EH1jdKaD0hUKDRZOJAr33zm9qGsIB16dAk47HY7mR6OwObC
+VVhVMgVPBDLb8rgwKThlET+Hos3E6a3oUU1mVqur+EGu5wlXYyR+b9d0fl/oizV1
+uEtFLLvGVhBg5Md0vAjgE2JRidBzFRXUaAPSwmxZHFMwcZSTAd3Jfn8OE8TizkE6
+NVh9jrsQMTubp9eMbRaYZBzscKxGKU2/+IC99UENVJg09LGa4wg+96lpDx3bNQxN
+HbXBVcaNufjWNtofHZ8Yxzl9w+tooftvAvVdAgMBAAGjXjBcMBoGA1UdEQQTMBGC
+CWxvY2FsaG9zdIcEfwAAATAdBgNVHQ4EFgQUfw8Izdeensd4lhKbY8hzG655o3ow
+HwYDVR0jBBgwFoAUh3fjY8KpBOoVTBJ5bcenE/g9dZcwDQYJKoZIhvcNAQELBQAD
+ggEBAAC2tOJGQUCfMnRZA+sX4mX8F6oxpAwsBEgTN9dY6JqJkmx7rFpTXVi170Md
+VUascZdRXVlvBVfMt3rulDO1LWU7+LeWYLXp6EHhvGiPO8+3bwEwfGFpovLgvYmT
+kdCa9km83w7qreuQTayu9ZoU5UbLKTygdQCs3wwgq/td744/moLgbiUQJL3P5r8f
+RSPTID9XsdVo5qFSdFLXm8VaJExfcsvxZRL1KX+76WWNI77zo/uWnqnIvlFiLWSD
+UXUfX1ItcaeeNLA++gI+hC1Rfx/jeH77AcyEIuVIRIN89+9vxer9KBVhE3F7xQ8d
+iWSLz1sb6baSGdvkDhbzkuA8Y/I=
 -----END CERTIFICATE-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert2/cert2.key b/libs/ssl-config/src/test/resources/certs/cert2/cert2.key
index 1384b2daf309a..6d631e7ddffdd 100644
--- a/libs/ssl-config/src/test/resources/certs/cert2/cert2.key
+++ b/libs/ssl-config/src/test/resources/certs/cert2/cert2.key
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,68F4EFD94D4D9BDF
-
-TL01d1JqaN0P1sb8284jOGpLn42cubkLY7JPj+bmpL2PEH9cT2xo7MM5cwvNSbPX
-nuZ1CMFSFqAyxulh/rfZwU1BumKLiwM+ep0A/lWwKJEor+ancCBdkIHWfSg3Jc0i
-+nHhL3e7+W+XRfSlafQQkhFkeOXs0hSa4WYX6tymvMAf8OLAenKB/0MOvKjd6EOu
-ZIvnBxAjAaDoRr4X4izIVlNmsIbvYARW9WjjcK2FZhNn+WLLTkfwEkl0glRl440L
-ET9qAjoH7j5KL5yKw5h2HhALSLaXdiAfCGvhpU4K0Afpb225mvR/uL3HLpJEGKKb
-DuoK99zvjHqReq1YndIR688ioc0O4dUvujZKgn8OR2JvGJVSc+mgaIWadfs2aADz
-CJIlqnSJa1EW6qm6knLJwieEBoNHbeFszrCKrYdy7uicys9PR1XsoMrOly+HhVnR
-PChA3gV6AVIjyMAUkFLg4NAHjgDbb81lu8ENFmlJcjgVeXDMykrpBmhzmhSPtOEb
-6bdQCKuA7zXIpJCmP66ZSuNHxikrfqLJjXW3PojLuCx5nfO0akpxjSeyLHzv/YXV
-YxnpLJxMybG1KUHyDHRmDrd+UPzLnh52O/g9NoiAlluUcblH+BKer18dJdGSl95G
-P+Ted08S0yP2niNz6XHv5KbztzsP73n0w82akCQB8ZAsGJ0CNw7S7N6tWam/UkMN
-tvM9nFCjvwah1funu8nj9QyWrzac6ngPP0s8tcKG0ahLEJYn7Hx2Oqn7K39fbMkX
-UOJVNEBQP2Anf5dJMfYPEI0xihv3ec1RxpipOm9DKQ878jxnqxgZxa+Pab9j/JxQ
-j+BGaoOnYj2jHBnt4nCP75F0BEZaGxsZX2MjJySK+5jy2WW3JRC/E0qPkL6oBvT2
-3e37fep4XKSjqR9lSYjW+AlAVw2uPkwxDp5sD7XFGsH3SM1qj54NWwljpKXnOTbQ
-Xws18VEiWsQ3kD7ft11w8/67Bb27TsWEJRo1vCC4KsYBCyjEOrp13aJxpSiNI24W
-oSmrQTsCco1Yrxfs0noNu0FzfJHV6qmHR7ps0fj+AWJyquYbIEK1762+r2uutgSg
-ZVaPWLkm9uq5K5rNXsj3w1L1CK4YcDre0yt+Kg4Pt3OQR2lF8CpABguA3gR9kO2g
-9N8hAfiOq5MDliU+9r6Cr/dPkdzV0Eo971HdfaLD7S/pjSP37fcTcOpDhwNt3UcK
-amhR/Zm8Ll414zc/iNiVTcu6+chzSY9Yhwfa8A/XuIfoqMrTiaBMPlxe0tNKaKVs
-09d6U5JoTQJcnei/4ODkIIYOzsmMtHgKtmeg86AB8yeLNgqWCrJi+Fxnha+cJ9No
-+STMQP4vS8qgRe5XkRGaAZBHyPAwxOou1Iu167LjlFFl0YSYUZTChha5XBG2Uhm8
-FeIH1Ip+83fxMoyiYROOdeMuLXtQIndA3fmjduBEO0kPtAwQ2xfH4g59XnnSL97S
-9AslnPnUWzDR0zBr4GQBNAKLaMIFGzhDZEzaooYetoeDYSczil/Rf1D6wyM6Cgjq
-BK7c0kNum9uXaDbYCh6spzYua0j1noqsBTm9V25178lNbkQ6yAPdeYCxRmUXHtXk
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQmZ6ZHPPGAIJiIR8A
+rWSsNQICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEDnJhtyOur+FM/85
+ikBGVwMEggTQADlZDyF6ebcLYgXSJI2rCmtDoeHM8Fan9o8gu3zru3ISPtKTxijl
+l0pyj+CPR56kk4RAGQSUwyYt3itWFKmXcZuTQLIJOKaKYJsSgwoIq3rkU6hU1qYE
+TNTALBvfeokGrw9RT/ODfKUd8GmTWQqPEZbZGfj57uV029x4x8zf4CayDdS+7ABW
+d9ulWAcjauE/+n4xAlUoch/rcostqt0/ZVZnHSQ39DLtB9u5OCCO4Fv9x5VGnutL
+yAAWYxrhupwlHkY9gz7hgpKle0VIrfdZUaHQBz0he2w/t6Iv9Y69wTuimKOqtI35
+v68Xo3qwiIaklnf7GkqNoDZ3O4uvaMlapqQ9Pv0w8dFRcf3MfOkXZTut1qWuJBz/
+8WdbmCKp6jq8hjTXeX1xb5/9zFd0N7VtmEwwx+K5FwLHjSc0Xd5sgWe24wcB3Xkt
+fwCO+vLAZ0kaYeqj171BH+d4wyhaVH6YOviHI6vbs95Eb0jA8fjsf6PMZkL69dcC
+vWT3Tda9OOVfMhNRzhR8rAOPMOkAbFNYggxrPyaaEQrEs9wEFBLzHwub6n79n1qm
+u54BariExLxwBbr8GgLc6NlD8/a2ycwHKHO3qTLt+lX1RK8lFvoktdMbWUCZKVQz
+jt02eYfVadNzF2F0atFMnOHYsP6txSKbgF5pcK4FRrdkkEf8N5zR6YHGmlwjBMxi
+xdbCVU2AbsFpDhQ5rLJDQFwo9KfuefUTWBKLAboqtSzpwY/g3svD8mu0vcJWnSIy
+SrNJTgjxsWSOkVFKYmYLLYgnAD3zToeVVmnvfyaG6NjH7Zb+PFher8LwXW7CwFYt
+sNhBaGyAn2DXqD/gVvbr6V8zNYEYQ3wVdLyORYRbYV3ds02sYUpxperGqSIbxMUn
+Wm3Rw6GsYrqIQ7p5ZSQ0l54sNaTHAIUXlDa/R4uISpUu7td/SquUM4a9N1r5hDRw
+s/TK+eCBFQZweGrk+rsUpXxfJ+EYpUtUPkOH5d3QSpqqWdGxmwDBQlvMX5N6JKiu
+5bRhnH7ntoysdDqOoDmg8IZM7BCf9dFzie3wvieBB1plfZubz++Nyuzc1OA9k3r0
+68BYTYKrfrj46rQq1XoIusl36Xn1bIWK2peoIzazdZC7wB0ZeAd+8BvPp2FkBnrI
+YyJm4nuyw/TlI9wIkX9CkJI4keVRvQzRPFe6WtSpB80PKEzJ22Hq7CemRdHMxuBG
+KUkuyAACmJcJJ1UwOiPL9kGjVwgm0RRVwpZswvU8IFA2CfpiyhANOd4U3TtuMxz4
+SnRc86f21oL5dZ8HPg5rKSzOlEo8qzI4bvXyrNoyTSAuQcarveFpgURo+ocMkNlm
+p7DaVVfjjAbjEmmPl8eKy7ssLT1NO2FEwedbhDkcsvG3UIy5TvfJcifXwi8ovRiJ
++MAPJ47jv+y7D1MXPw+0uZRPgDG8czYaNKeEl4xLaJY0O7rLDYaQyqerTVg/vaqS
+IE+um0LE0Yg/pEFpniFI/HUv7TmPdpX1GnTj10+KOY6xwgyZQMmPxQ0FbI3cydAe
++MQtCzTQYVrKDOVOH3GE6OM0e7/xn9vkjrKFI8Yqe2ZFCR8mZ91Wj9O7Pyp9Vw+9
+N1FKCq3aqnS3UroPPWdz0hP2FsKwOf6Pxpj3j52QTnpx7gyLGoAqcaU=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/cert2/cert2.p12 b/libs/ssl-config/src/test/resources/certs/cert2/cert2.p12
index 269e855f7709843933975c58237541d8cec052b3..5222f8cf3c691aba8d5a8226c2f1fa5ce8fe5c1f 100644
GIT binary patch
literal 2606
zcmai$S5y;-5{5}g0*OIDNJP3IH3$g;0jYvgWM!pSY04^y3P_Vqq$@2#D4|KQ&@@Xi
z6hjp$q4yGc5fBhCbY<Cd@6pG7m@{X-|6!iyJA=l-B!K`%G!8lqfl5Z`M(nZxm;gCA
zXfFr{?L5J4XdH<9cLd47fli$uCLn;}q%r(X0BE~k1DFMEgvR_H;pht>HpRG+Y?!9{
z^IR|uGE%kU3<NSWpy3ea|7`_A!3=0V2-H487vRJQ0!V_`TuRe++-JltJKH5E!SBLC
zLvV}<-nGgm!+dzi2yN|)8*S*IBea<c|NbLw0;oUq*L!T7^U%=&%JT#7OZuqhB^Gnl
zppn|I{nY7cjLDzxDtgWpx5k4qj)QTF@5sBEs55-hGY~~%?rq9J3tMADuE~Sqb<gFH
zZ+4U8Aw#8UYRlir-5{ulqe{P~2jeq^kTl-nNzSiz&8NSaoI4&U_|}uZuPR|&eRFm!
zpi;^04l-Yqr9grvxlN5KF?=~|r$S(ppz>AWmgZpxk=pg1X4c>ePya$*dQZ0N$C02)
z2--1-g9v@W`qm<jd6mr<vq$*=qlGGkEwJ87yEjDO|8Q&#E0sJ_Y#`0ekeJ>gbLB`{
z{F4(it~?rrEkExOg4>3w1CF{Z6c3|xGdJ6@uY~zg+nw$D?6Yi&(j+S3))H^=Tvj<|
zeD1yMs4(MlByN)P{LayyJU%9Q#I{kPX`MP&yjCOMZJ8@v_wc#ao?MFP!D@G3ajo|1
z)X)A=w?D@mLz%Ee#G11#Nm-WP6-)POGUt-b3!biAZ?k9n_#z(4%~xgdP&{&z0Kl`P
zU81oWh>Jvxt(4UY4uvM2tG8HwOU8@6ENVumdt|n!`wFRZuX1<#h269b@;@zo5OM%F
zQH@j1^NKd~zL39GoD8wKgCJya>C^F7IPrDtLG`19QwB}Ms*RBe!Lt-iNr1Hcbx)}j
zcO4J=>{5}UTqmspx3q-Y^8k9@?UbXmTixyp0>i!v$@?sf%{J5uQToHa>DfvzWT3yU
zkwX7j`qILz_J^|Lhed}W1)mDYQ`SG?%a6RGD`)_vyF^A*T4jU7+99?TyygWFvgusx
z#ISQ5A<L{f43nz@00Xk7i(TCJO4ij<0%DcYe*z^E)=8m(&osKZpq<{Ci99<|EO>G~
z!p~}Dj}jW^QrXVzyBSjfciNH}i59E9mkX>a8h`gk@8MIQfE%iT-s)N5rxs9B(Fn7T
zaHL`QQ?FFJPiIx~I(oY*n5liN4haoHf5F;Y2NLfe8akF?BPeN8J8B3Gj}!%5=1=+8
z;2h$NveZlk^J~Z6HPR9fr@iZ^Du<5tF4CC09OJQf{U#6jMco~whtY=VV3G9$KUaUm
zTh;)81psR6e8um=$iWVVy&~Y2m5At-xhp|Q5vZvpV)>jy>~^EzutSQDE55a7$GSe@
zMtJG2Pj^+DqE^g`2-So))MDIP1wsx~U|_c)Uqa)+uYcY7zv2L=f^guZ6P$2T&mpJ&
z?-V!;06YnmPN4jMiK2Tmc;91;_d<4$W|HbpGyne-g(E;1DuZzpYqt4N{1q}P2*QDS
z7;i>Y+q#3q{La^tSivO4t^0*(>}=EBi)(K2FvCksPf~3}?}WeZx9Fr-NQGX5*Q*Rt
z19y&}X1C6&_8UYR>{T?$JZ^24d^^kggY{dkW800qa(UJp;aSPM*BjUBvIBUGQyQ2!
zqxiwV%l^x$*`HUIfMBdKq<=8l<})u3@_UAfZi9oap4s0N4xvXpTYbE{YPQ$pUu`Ql
zErz_`?UHrHieDaCZO@Vt%$b+5v3wKPDrfY${FG{fTu-r``w}VR@Bx0r5wRtCJ-(*d
z;0diE@$$0!SG^9}3%l~-K1<CBH37+0Bth@0IhN&g!dR(uR@qg{Y#FB&4(;**b(c35
z<1Ftmty*rZ!L>~{dtvlzkgd{=sL<ig^Dj=*naYWO{oOy7xN$Z7VeOh%dXxz=H}C46
zH#gn|q-~nyv-H^K%oH}~_>V<mH=+4%>`V?pAeK<nK_3N3Yt09<P0Lp*6J&2E&u=G=
zH#|xA={0E|+zoF`nX>jlHb1x@=S4;)izy`S=BR7mK<UPAN<(9O1_BclKLvACsDHP0
zI|z4d4}4b0KUenC?aNlWZmd9Sc%YG<EU77ET8R>DDfS>|z!QMv7&$K*#+nbzu$!8V
z47%5q{RVHV2O0$zHXg>p3iE~6#k3#yz>uizp(wS_=2>|Y6vp0FyGV+|MI`x6blS|A
zsr?@kI;#5i>W@+cRFB`06iQ;g<yE&bw<w8cPZPfsc5cS^78ZQr)R$6!l__3BMp!<Y
zFut7pj$G@9ny{T0SXciNp}_>@Z2MZ$*Hkh)Hdmw<85jk+t#BsCOSjpZc3bOxD|0*-
zwgENq_zRJr<a_ZAbt+m%-jGX$9(*=RpsWrmL?h@cugV@s)8I|qp4W(GR}B!s4MHXN
zCftlUTzs&FK3tSR;5e@QBF!l&gMf);kZFJlwL8Z&?-)ae=)kZA_)d_L09nfNNq=)t
z3!+lnoLLF6S7r4QT9rBEr-?0?YMDXla?{kJBRP+=ty02T;;UY?acZ2?3hlFc2GIFP
z&A@YSG9D;LS`Ah-A<)A0fMXEW|8a$9r~1U+gRT~05G2TPF`76<S~Ekn>Jaac!cfY(
z<*I^Q7uw$XiUgfIR>8Bs>M$N%q{P&;EX_|)f}cTP<CO~y$danwutzBBM^RNcrQqhU
zi0S(_i^<XAi>CgY*~s-feyaKX**hh#I;-Kzsa-!z%K9_bD~*(w<qh-OJ9Zu7b*fPl
z+9<qp`2L1yFpM*xPG)3(5WZlfkrcl^?gMFo#ZQQ4`Nx13jM@tzb*7W!QgMRlX_`1T
zQ3aoVoJtnW5jGH+2W`MkJsE9*w5L7q)ktKy6<}p(M?L6PryS<?yQZ3ZFQz_Z{o#aj
zOeph~aJDqln>_tJ8QV)HRi245KhUJqew0pmviIrKFrfw-T<<9;hbY^6?%+RbB!a~^
z>xG;pdf(bu=pQPOn1?$y>V<X4H)5}&+~jhtglVB8I`?-AbEod=BVs71>RwZ;g_Y{a
z{*1^BDTj2hXzJvV^#EP<z&57u&_|^jm_WsB^uDim(njrDbD4j2aoYmbS2S5+N`g_y
zCG~v`Yrji9eHzWOPq`xOGIuI-Et$eECx!XW68=_0VKmU^eu);!iGlOO7;ZB-F?cX|
zGRUHZe@6%m62$56tX|+No!-PuFQ!=m3!VAMi8AObXbhU=*M|iJfEhr7sZlv~qeJ)g
p#rfr~@!O;GZs^nO4Sa|9SrZyNGWpCAAZDkMBk|eoA(wwG{0}>p)Gz=5

delta 2438
zcmV;133>Le6qpl#FoFq`0s#Xsf(cp%2`Yw2hW8Bt2LYgh2}=Zm2}dx32}3Y~1K$P-
zDuzgg_YDCD2B3li&@h4n%mM)bFoFZc1_>&LNQU<f0S5sv90m$1hDe6@4FL=R1~3i;
z2=E)?I)D)YYXSlY0Dyu6m_YO!(+ZhN0`FK-$`-;L4-=GsYGmPGc>{4$JmO{9AnAxe
z%pE9Du}mEHoN27Q=W*6s6Ro{so@{L#X}!H4N;*$z_hJAXG!zyA@0GM4$^|As$Ba^!
z;XSa!%p$x+$x0J^$|SYjEn5BlS5W6Ibtw7Ok~>U*Iewul+*yTwq+)-Ot$S$rQzT2W
z701@Qzw1GNSYyMHY=J@{3u%8ZuNI>%*65q#tD!VMqfj%w;ro)L+Gn8R?ye&)tsK|_
zy=t>GI}}%Rq{_x-`1rrkVSk7{n5=Q9eSEs}EL=|M<11ILj1-1u>KAY>#2Ap4Y!6%I
z%V0xkxPC(9VOs9HDHGaDktpKK=DZeuT^$OBDZ5dB`j%-X(~EV@mj!hj3n#21)H0A1
znRnXL|LitM%vVg~R7o;k1E76rL@xvVA{A>ZquL$WENfz0c?``|y=RiAC<WXHIqV{8
zvbanyVYGmI&~_7;E49?8N8Q$kH<ORqKVn}7pn4~;UalS(<Y2pKQtg)({(VGl>PC5i
zKVk-dm&Xe*EGAvC3eJkEAn`{d-q7(=Kw<#f8wm?lnE19;?y2@o*_8>zTsE?CVcIOx
zC>qd#F%Y*^{nYOMLT^`9maETFAz7|ML3&2I7-%>IxP(Bvg|`lWfY5dFNQNs@Dw)w>
ze#3gH&U;Yz+hfH8$JT<7Kqpv8H<BZ@#RHOm_={7mJwCK{hO?Pkt8qdSb?JIaP@|wa
zOjJp!ts~>5O+#kDw)$7LqFltH8Pn~Jd~N4}(3mI2a*oF#tp(v=g;n!4;Ew=PriKU&
zb0{20!r08ZwA_{tI!@S9ycsk2XlL)v(W}_ZJ~t1cgT#}OkAHLkULrdU*1eWjebgy`
z5LLb;y7L9I2jo4tN(7YdnCJx<K)aPH%w>VL=B>4X+z?a-iN?Ajfj7AOa7<VQ80j`>
z*6#rD#-HuK&|l$33)p@*?60<6#lQ+N&8%E-j{*tA?tON3N&ku<738Grt^wSc$mC4G
z$cD;p@mWytimb?L$Mam^s0A!jC(~PhRLuq)dZ1Sl9be$C6b6Z&zzw;mNmO{8RhQ@I
z>h>*t{n|$s5}tXeH5&+Vui}_dVe)WLT`ijAJ#EatZwKdQ!IuV2%p+fcga28mcn|1c
zyPb@{!B0)C;2C%Ix7$(E6`1EtlK$|fO<#p=NGTXuCPTDfy$zID@gx3eZI8HrxS97o
zobON$DDHXY)i8nuTm}g$hDe6@4FLxMpn?TW1cC)gFoFd|FoFd^1`8^NNQU<f0SpQO
z0-%Bf?l6J`>M$Gz3Mz(3hW8Bt3;_c$4g?6XOYnNQTJuE$0tf&Ef&|DK32U6pmoc+)
z3GEu~2Kp!%Y?s5n$^hS7<u5#cHFa|fmJp+c$&0hshzsBG<ncT#GHoW!T_nD#BfByE
z79|#SzC>=@sy3N5NC(DIt;j(9g}Ylg={C1fRmvr~%${VYBaZo_MbVfD99!bE7NzR%
z5Kd#Wou{d&?>gMzVCJS?oH=@0c6`BV_q@Uvq`8)!<vLDH$nXuf)i*zXnD-<4o3{HQ
zHF=Pb=2joN&-)SDInb=cOZgikxwQJUD0sQB$YR8oX><=KaC;HD-_2qpG#D<Y>w)(C
zA9;5urF@31Xv9%=8qQ5M7I1`N1*Xt@qpY(S(kt3EXW>@8oz@G|29aC;3T5RJdB($h
z5KaloUq8Ia!F}8BkRq&qYmN>7hdRM3xDl4jC?(q_5of<Rc_81Gzt&mx{Y2`z0dVBl
zdm3elh>s8^rk_W5SI4E?ODyXzG?3fn0_m2KfskgZe~v_Qa5#s><ctK#^n>aQVAu@m
z6Jj?F5LV<Zn;ArE@?e6w>IZxHZxE1dc^+MlznCvV@a{L*3<(B*DG#kQOmhXiU(%39
zWcN1AX%|d9m~IT1-tz^m0>~f64u^_YFW?g|<;1;YZ|P7c;5EIXAg#*yxT_g3M5z~S
zvq}PEn<&N$crVW7dhKjtO~hGWx67u?7Jvry@81Y%rf8xiC+#V$%mmUn4-Q|lFmutB
zla#6i#+pZmJyCCep)E~0d)yzfW2alUl}en_4k}PZSCM>{OTtwN5~ZVj*_Lp;_`0z2
z(Xh>7U*KIFU<XSv9QuSs<DIh76O}mxbJY+ti+4Z&y3q4KN$2ajt>0un1F0N!EAml{
z?|#Off5UFyQr);NU~pE!y%9H(KmZnfe61!fjb5C=BWY)Ud=_c2cOgzjDx89elDYdy
zfy6zX6p$*%%8j`1<nfT&d7~LN_S=8q4j1;DZnr9F=Ko~BG-hz8{45TU+%eY$I4unf
zP1{F<hXfqLg<J82WH2MyOf1;3!9CS8N$#kC&{SSI@g@e6Lg$*#)sds=ukSq}_6BuO
zWJrCf4p6y&xpC42dGz54RDQG*z1fNn<tn%`k|TnttE6H11%5yT((UUGh%QZN_Hhdu
zB6HsabH*=GF9WZ>`gN%gS^+fVvuguBpZi#T7DDwn;ZA~NL$h9r3zV-t9&`rB9=SwA
zTjgXpFZ-ugz!n$oz-!UpChPrPIT0ruJN78EZAUME=a8`@!`~k&M95{U!0QmhfaDOL
z1YuV)^Oj7|uA?|4TCt`M0J6hG+z3gOgxv!^ZzItdP5OxphuAJdyDH@@P<Co%=~#|p
z&o+OPq7r!)&BuO$<wz9PVpXR<3hyi)H9`d#Z*_riw!iFUIUzHyE7A#r4w6f8x*MtK
z2?gSRAD2?-#rnP1U4TEVu@NT77XFu$sSDHcD~0P+1#N!%iz<Exun1@+95%0ER+?}g
zkz;RvgDvrJsu%N59bqmuNrLfvjDSvP=Cl5y0lcWd#zqFnyAV5v(iA<{yTM_yGBoz4
z+RcEaekqLcM)g@c$?O)MD#0m367=fq`V0j%fn2DLk8@Mh>qoRB<<kmJ-+>UAr>3A&
zo{q{TC6&iE%c02Z_#^Uy#e!gUDl}S5KG@rlTa&2?E=L($fBS6PWQ#G?>=~AZ65$LL
z|2{A=Fd;Ar1_dh)0|FWa00b20bFT$JkH{yYoH6LjuRN%@20#4-2;8v43FM87R00AB
E018}lU;qFB

diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/README.md b/libs/ssl-config/src/test/resources/certs/pem-utils/README.md
index 28602ac097f78..f116410329c81 100644
--- a/libs/ssl-config/src/test/resources/certs/pem-utils/README.md
+++ b/libs/ssl-config/src/test/resources/certs/pem-utils/README.md
@@ -98,7 +98,7 @@ Create a `CA` keypair for testing
 
 Generate Certificates signed with our CA for testing
 
-     openssl req -new -newkey rsa:2048 -keyout n2.c2.key -reqexts SAN -extensions SAN \
+    openssl req -new -newkey rsa:2048 -keyout n2.c2.key -reqexts SAN -extensions SAN \
              -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=otherName.1:2.5.4.3;UTF8:node2.cluster2"))\
              -out n2.c2.csr
 
@@ -123,3 +123,71 @@ and the respective certificates
     openssl req -x509 -extensions v3_req -key private_secp256r1.pem -out certificate_secp256r1.pem -days 1460 -config openssl_config.cnf
     openssl req -x509 -extensions v3_req -key private_secp384r1.pem -out certificate_secp384r1.pem -days 1460 -config openssl_config.cnf
     openssl req -x509 -extensions v3_req -key private_secp521r1.pem -out certificate_secp521r1.pem -days 1460 -config openssl_config.cnf
+
+# Generate encrypted keys with PBKDF2 standard (OpenSSL v3.3.1)
+In approved-only mode BC-FIPS supports PBKDF2 standard only. 
+PKCS#12 (requires PBE), JKS or JCEKS keystores are supported in general operation mode. 
+
+## RSA PKCS#8
+openssl genrsa -out key-temp.pem 2048
+openssl pkcs8 -in key-temp.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out key_PKCS8_enc_pbkdf2.pem
+
+## DSA
+openssl genpkey -genparam -algorithm DSA -out param_temp.pem -pkeyopt pbits:2048 -pkeyopt qbits:224 -pkeyopt digest:SHA256 -pkeyopt gindex:1 -text
+openssl genpkey -paramfile param_temp.pem -out key_DSA_enc_pbkdf2.pem -aes256 -pass stdin
+
+## EC
+openssl genpkey -algorithm EC -out key_EC_enc_pbkdf2.pem -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -pass stdin
+
+```bash
+export KEY_PW='6!6428DQXwPpi7@$ggeg/='
+export LIB_PATH="/path/to/lib/folder"
+
+for key_file in key*pbkdf2.pem; do
+    # generate self-signed certificate
+    openssl req -x509 -key "$key_file" -sha256 -days 3650 -subj "/CN=OpenSearch Test Node" -passin pass:"$KEY_PW" \
+        -addext "subjectAltName=DNS:localhost,DNS:localhost.localdomain,DNS:localhost4,DNS:localhost4.localdomain4,DNS:localhost6,DNS:localhost6.localdomain6,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1" \
+        -out ca_temp.pem
+    if [ $? -ne 0 ]; then
+        echo "An error occurred while generating cert for $key_file"
+        exit 1
+    fi
+    # create a new P12 keystore with key + cert
+    algo=$(echo "$key_file" | sed -n 's/key_\(.*\)_enc_pbkdf2.pem/\1/p')
+    openssl pkcs12 -export -inkey "$key_file" -in ca_temp.pem -name "testnode_${algo}_pbkdf2" -out testnode.p12 \
+        -passin pass:"$KEY_PW" \
+        -passout pass:"$STORE_PW"
+    if [ $? -ne 0 ]; then
+        echo "An error occurred while adding key + cert to P12 keystore for $key_file"
+        exit 1
+    fi
+    # migrate from P12 to BCFKS keystore (keytool 21.0.2)
+    keytool -importkeystore -noprompt \
+        -srckeystore testnode.p12 \
+        -srcstoretype PKCS12 \
+        -srcstorepass "$STORE_PW" \
+        -destkeystore testnode.bcfks \
+        -deststoretype BCFKS \
+        -deststorepass "$STORE_PW" \
+        -providername BCFIPS \
+        -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+        -providerpath $LIB_PATH/bc-fips-2.0.0.jar
+    if [ $? -ne 0 ]; then
+        echo "An error occurred while migrating to BCFKS for $key_file"
+        exit 1
+    fi
+    # import from P12 to JKS keystore (keytool 21.0.2)
+    keytool -importkeystore -noprompt \
+        -srckeystore testnode.p12 \
+        -srcstoretype PKCS12 \
+        -srcstorepass "$STORE_PW" \
+        -destkeystore testnode.jks \
+        -deststoretype JKS \
+        -deststorepass "$STORE_PW"
+    if [ $? -ne 0 ]; then
+        echo "An error occurred while migrating to JKS for $key_file"
+        exit 1
+    fi
+done
+rm ca_temp.pem testnode.p12
+```
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/key_DSA_enc_pbkdf2.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/key_DSA_enc_pbkdf2.pem
new file mode 100644
index 0000000000000..bb1655d2e9548
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/pem-utils/key_DSA_enc_pbkdf2.pem
@@ -0,0 +1,18 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIC1TBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ9WLcmXfK4mQgb8z0
+VEFgnAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEGUh9m77oFyis8j5
+VedmDqIEggJwymDZJmHaNgIiJAI/psd+hR4n03oMwUaV72DmQewEdMhI2sEy36WU
+Pup7X8VmRLb4tyiSiEUlh8FIX3cMpQ11e1j/lwW7wF+W3Qb6CHcMu8FCz3LN/CS4
+M+sQttfXiHh70qZvRx0SNaJo8A+e8HRGmYrbz6VqdlslSdB4fDT8Igls45rDZbch
+LJlHQfy9XQSgCFR6J+6/6Q8GyW07+WnkuYnbixN8ZdZ4jPE5mrZYMMQrQY0l4ThG
+vpb7U6VnWepDnXgeNWZTjHVLSAx3bbLUpbwotJnZISyTlRCxFSnunrRIkgaWPNMr
+qE78FfE8I8Y/3Ft3AURgM+o/AvgyNCNM9g6DCqjaYpuaK0aJpdvaez9BiiANosBq
+Powto+vuaDyYVIEhZ+GbokkvXx9muzvyA3KpqN1dg18au7Mqpkrenrw7Z5J8TnS2
+Pv686vSxCmisInC7c7uQYVxhze7fYMDUsyvWNPNUUrYnqrVtZtjD+VjkuZHJrBnL
+haz5xQ0cw7pPY9r8R1y5jxMCVKxMBvbOsQJ+MBqGXseYmeB8qBBMYVdC+bNdEzga
+rWD6FCX/k0PH2nP6KaU3qWLh3ueEtwTh0KO4yXgKyiLzF1KXoF93+4i9hX2w+t/W
+Y5jgNErriqrW5WOQFDrSlVmMx1dLNFzM1cB7TKygZrzytULAYAg/0el8Gjbw7nKP
+HInVUFKWhpNipEhDCGnGKoBvSz88AYAHS2I4fnFg3AfZCWEkkKJg++Y4Wip4+KTC
+XjECqMqv6hwNbvMf3JkmqTPZVh8MtLIAiR1rUIWdZMq18+4vnHtW0FXzLb2nYn3u
+ZrtXtOGxpBUY
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/key_EC_enc_pbkdf2.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/key_EC_enc_pbkdf2.pem
new file mode 100644
index 0000000000000..b851058d17217
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/pem-utils/key_EC_enc_pbkdf2.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDA0+sj4ekT4h5OgmLaj
+idCmLthqOUDdUNf67bBLjRSapUedsBIqSCx2u5E9ca2uGXKhZANiAAS6mhP+8zyk
+CYIaOgF35O1KeRxrPsvWfm8tb5+KjuepPI+WR33xiBQcnYfeNrYMgP000Ifk8gfS
+mv5aCHa5dBdgTzixsupMng0R8/jLPtS73Fzhi6G+KlRIe58c0xcVB5o=
+-----END PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/key_PKCS8_enc_pbkdf2.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/key_PKCS8_enc_pbkdf2.pem
new file mode 100644
index 0000000000000..445d50f1cafe2
--- /dev/null
+++ b/libs/ssl-config/src/test/resources/certs/pem-utils/key_PKCS8_enc_pbkdf2.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ86A6gbRa4DZIX+cz
+TSf/DAICCAAwDAYIKoZIhvcNAgsFADAdBglghkgBZQMEASoEEABJ5byRdWBpd1Ho
+U/5ukYAEggTQoJkyyzwsns3QvYy4hIuwge7G867QPSCnHXhKInOYNDgbTnf36ia/
+eO5PELfEW0sW6ZZt/D9h28vssT0RI4PTyCQCv3DaVym6f9JbmnfvJePlaWkheieN
+j2Y1gth4fEFWKQK6Px3hkZCCjc1LGrSSKoqy3YhWlxbjrj0UfCpF60MY0TLcegZ1
+Zdl4HVjROcDpSBC/OyWb9LXtyUM5NJVEjHqr138iP/S/qtkn7kovJEVqUSIZd2T9
+BQwzCDzZD8Rl3W/ivZnCn/3lHkDl2JgQ9gVXrk1QhtKy0XF8z1lrKbYPkCL4nXR7
+2qOScFSvF/JjbmhxlnfjyrpCv4ckcvT/+KFvbNQP1p8/OFfIsapG6wTz2XGcwgA/
+c4uxrnB/110KO2m1zexsasxRTfvyHaTIPHl6NNh565cjieqdvp5KbzZBs9eJA19e
+NTeLVbXYZA5Ols0FF9cG5eeU7NPVFVMS7UILHnq9v+i1eKO1VPUWmCZhR8Sje0M2
+DpzSnQmrErVaH/lbZ9ZOklFhpL+UvW+g8IBSLLdCo+MlyOr/Ydr0HiADBb5zSiUo
+iWOrzgA9lLDG7VSHrpTU0I+PE+QctLVTPX2f+S+/pErnQ7Y+DE+OOsM37jGt8Zsi
+r+XcxxTZUmiakr6fUDEVG0NxbErTRgpHdSoT3RFgcs37MlrC88JbOs1cOiwma7/e
+56gqx/3uHJWyPKjVC/RUfIqsSpTx1EjqHeGYnJ9DTW+Yft+d7/HEZOr0Nl+3Qmoa
+b6Bxw+5c6Of7HYhEKoi37l7O1//bmrs0pURPWPmawPZtlfwd03ifFTZDOvn8cKEL
+TUFHBYd3V8kNmqRI/oUq28gk7uFd0Wby4epXcSVgSX2hAloSMYGfzcUU5u38v18J
+JxYgg3DyJAMH3V/GHV98XU0zscbaTKreKMUaXduDS3ktk9maq6Mne/fpI/ZZP7pr
+C7c1RJWKbSSdwAchQCMcIHUSZjA0iI7dIde9VP8e1DlErdWch3i7wdJQV4YqMM8v
+3sR3fV31vkZcSUDRCcBJPlNd/j6+AaIU0zVt3yWUUSCExSAOCybrlu0JPCSjjyOu
+Kkp0xEa6xt240QA+PyeUl7aov1wKZ1P95aek0y1AJy9SmcBUwBBVaeG+ETO/C5gv
+g6VqjG18BX6ulzJsOsLnQCxvbQajB/eF7dvex2OzU+jPUPuvZ1IRu4SHw88eyGz6
+r8RzQ1d7sCr+kV6pWXrEaNnwyFhOhwdNMxaYwSUItrfb3+4jPDoHa/di0sJ4Dkr/
+UVuqnc7TAdW9x+PTtUWMQfaX7S8o6XDNXkhcWznhNP7OmkQpT2K5kkaGfLeHKRbz
+7NHCwRXEm49ZPfDCnI9kddnejU60vDHW1uBGH2S5kn71noAe7R07s9qeKW50eLOf
+Pe9BlOPb205gnibRYjjj0pUZ1YJwD4rkiXaX/fXHkPpgpyUEbw3tAZW+FqXUZSaW
+TwAj41oXms0VoaUi/TcvsIDjnldVvZ0MkHUwMtfOvHb/lbrafHKoTHIuBbRAHSNf
+uQXvBDwiq2uv3v0EZdz4mouqcp8aNZmunVHu7c22HCaf4s608BIq4FBqrq6XRdqo
+cAOcq+WGk+F/helMKaRWo737062tq3dlhtRpGLXbZUcYThUNY4SjR6Q=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/testnode.bcfks b/libs/ssl-config/src/test/resources/certs/pem-utils/testnode.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..8d1a016d790b10dfe792cbaa4abf1582116aebec
GIT binary patch
literal 6009
zcmZA5Wjq`J<G^w4aAMlDGi{t2Q-_J^>6{!+$8^V-iD{-!Pj`3UPIq^X(;f4?cwYQJ
z|L5iJ)$je6H-y5SH-x;IH#i9kha+4e{1zV-6Q4IYoY(UI8px}Q0m*A9^gsE-)fhgn
z)uc*I6~9Qj^O!z`ie&`Y3ZfNF)fAz*SQ{%H^d|g4E#8VucoXkQAaO51mo9Y$uZ1h-
zo}!^aP|#2rc!5}e|9;T$Fj08vuy9Pn6;QvRW1#ZzzQO<!{1Z2CSbJ%DH@H5Jh6=z4
zA*U_quRdWoNj5WYEfkoMr?Gh8ryM|8BWGiPlap+D9><13XY32UC|RS}OTk3=YCfxU
z`dv|yDq5&28qiQ$jr2<b58s=RMg67fG5tf3!zZLsdQkUb<XCr$`q_tbrNZ3#wC#iP
zdhgly;V|J09BmN6YIGRlUG(cK=R8<4$v&|$+DST9S%yJjO!$f!Q^9_y9g#LiI9;_`
ztZFn&Cq40FWSt`#p)Wp|l<3kmC@fK-!84cLq32?5^VGeBB4$Vr_9B)oY+?|{h_Q6o
zAED$Kie~O;yQCLom*j5SmmV;EQ&aAn@ax1bGo&xgw+fS7YcA#i<4ie)+wu4@srJ&;
zql*iR@q!o-9kr&KTeNkY$691sbvqMp_s7L7TJsa$&$m>?d4`MkU5^(+Uk>byPm?4Q
zT8ib$AXOb`hS?TEbsvIeg1S=6KW;Wv*3O8|?rE@m*GlMNBpnw!s5kw|${iH!q?yhs
zF(kCbi-LutAGuTALq))+&0cRs&4ick+KT8AIFxa+-Hp;ZU#=dZGcGQSG}emC9$t-3
zX2iI_)}25li?3Iz<-YwUAJ#O}A+`erp1xs^YT?M$`lpZ5+Vd-&+03SsMY&O`Iat;(
zP09XK*JGCJD9ruv{J}z>%MYM*4RX>tD8XY<X2xw`yY{!mG9*oaiiE2f(#tQavh_&g
zE^YO@?jLZ;a{T=6b4__hq*K*^Ghvgz&Vag-;_5TvBCUf$PBLv4TNvtGuo~|6uD7a?
zz4RDeKU8|U^NF3Kl|z|AYp3w!S;gmXD6Hy}%3Ex{2WG0b4eRp~dZ6|JHZ35KMVJKi
zu0a3dWW+I43gGSmiWB+*s9d+kS1({^{hX`ir){>Keu^Uarb4g7-Z&~A&@P}<;lwo1
z3w%^^o$fB-!j*m@zQ|2NpcmDO7CDq=i&13ivl6Bg5EgY$>@FiQGfU=fTF@m)qU#er
z*8d2#cZ~fMy%lCVBMp94zHaztyGn?=tO*?t)BeI}%*%Fd@Zmk<&Qp=3>V+Vl?eJfV
zT@LTv#tY47wUbv-E5C32@@+_gtVWhHD;%p8>_9tAG4VEk<`&WBonL`VURBHtpZ<CV
zEGnZqyRF|2nM;jT9!5;%MYqHo8I>7)!%cwcf~o(y`Hq(KKe-OT{ARX?o!AEMI*IE8
z@O9W1u)q0lGz~M4G(6G3Tu*P^Q@Qa9WU4>v(P+o46D$o-@P87ZO)TmRpNo#q!{5HF
z;9<+AF2udeihzX}4t>w8h%!}Rs`n~7@Fs?w8t$`zvPV`HdH4VrHpP1HARN5mW;7;>
zC-J!SQbbIwzYcu(=q0`&3YG$a%m4Z#fA#2{^4lIsK=b0)`QBqwy>73@L1WRv-P7S!
zoS^I9>e;}VJNP&0)#_KO^j7}|s$dFC>(P>7jX36qhG72q-s_Jau*CkPZY#mtWw_7t
zUo5G@$#(BFi|+v(V>>E-TX9`te7mI~N)!82+FyRZYIByF66<e3>A68f#1&`eiu_0l
zpG{`q2DrP_xcN+2-z<O4NlOy4h_OuSA8=S3BAZS!_{+W~uUTRDcx4vf^?d)eQ;V5X
zOEQG;ex>JZQ736UEf}6FXs;!q-*dhpYdf5Lp2F$qtJ16;`L0Gou<S0rL-tm$^vGm)
z-B9;5<rT`Xn7n5u_x8S&vimb?PG%|p&cS(lOS)T-1mgxIU^{;YqhAgj0OG%fk$+98
z`bg;GcR=bAn~wwFEa;I!!cfP>P?9pG*!YW%nk2A9M8cFwdR8bi<f6sS0TL5EbekvO
zv=rj-6{o6eANKSC*uRU@%{Ps9fvH$JFRT%2q|?srZ{+p{KIU8iJg-#)xUW<*xAO{i
zk@GD+w(#->yIH4esMQrn^o_4<*Et)=rcwl*D;My!ZiJYC`lPopHRG=;yqnssvCEpO
zMDo3bJ~*iM!jv+L$&~Mx3(JElJ91p}P0hGbYNZjqgIJ3lW43Z7IvS3wk9YXl43=aw
zc&|0nG2(fMZF%X9ZwmXYlZL5axY5zB`=3RPM7Zft&|Vt3&ibj}o$5?T^t?<Kc*cWU
zQ;}a2n^bxQQCmGIQ<)(+SH;mpXjreWgrD>LdUeZMJEGs1-G$RVlq~pp*<;eIWi?oV
zPdw1}6TzeFn6yZ|$m{Q{laWMhID(Kaq|8#%B!e5N9d4uF7!+Im=U@Khw+a;+xfXl{
zL-L%=bQJnoyX9ehc|}Gf2q$v<Q94ov^|jYhU->8C1Z;1%oD$#F{Y??=NOAnA{NC75
zx?qrzr^eElHIa2>9p|A`UFM7S06T_6R!#LR9pz~FJWx#;nGrapT@3$X-^8CR_-BRR
z@EcvQ*aW%Z49`TKmK3n@-Y&ZShZ-4yX1`<wzF>BOa;5Tj&o1UFLfA#2Z>vf6Kg1-7
z+zNfr(Jh^kO?3{aUhC!>=_*R`ITJV(e(SJJ8#A=4YRJmL317wRq(<4F)~Qs=$wPd(
zhZ;L%lcd=|kK7Qj1w*$$NAE%_=wFKNr4wnTm93^!)p-;Ec1JjJan{Jgr2hH!6zT_1
zzI*Nj#L@hswXeE`%NyS(^=Z`m?Cm~ZW=K*B>y0Ka*0)pKS8gZ%*btZqG`+h&iXl{D
zd>dEdy4_VS-KI>GaooVyCmW*~JY|5IS0KCy!TDzWFf!?XP=4gb&4?U|xd_6Jeugtw
ze_wm>9b#h9-g$aoA*`i}0}-#;8%@!^YXQ3d)HzFugr4pZknD<=hdms+1ml)QlBx^E
zgMMHtuj*0GE15Ba*6THYb#0|P7Y=%`{hB&XmVGgx+gz!$!Jp*DPv5H;kc|*x`_NgK
z9+13+{sU4dfN5@|vGLc_DWR(MZa!*~f`P%Lc%Pt1--M&z_ZQp#v+*tSscgQwaGK%V
zn5~_#y7@%r@t9YEMOf=Tw5;-gyBG=mwHX!4H0w!7?Fl$kcCC}C1~Vg=WOB=WvJ%jd
zT($4)g{YDGJW`yw9@eLJEmY;l&BA)q7<`i=4nw1WJzJjdNnFXa%Ws2!a4@-NjnSP+
zjxC}jIgw3;`zPx7UuGB39_dM5J3q0^?62UvhGSgsB+rbiL^udyu?5X4(p`2^oZDoq
z6oC=(1NnT^g^GY$sOQE#5Sl&tT&|loyAgyYzt<YBRp3GCWA;jNkAsP7enfvDJB#G@
zQWzr3m*TV-8e!N)qNnQ#SH0uxDQF_v5=fW<U#`U2q4svIRREv;qiCwJs94Tk9BRZ2
zyG5Ud=k(61YCliN+ue%tBLzd2ul=7@vuJ*z3reL&?8tNo)Q9%=m-zdFb4;$@`=2;h
ziQU9t**W9Y6O!Z^z(cZ-`x~D7b@fqrGMT#=hkq<=6YV$@JKuX*q4-DvP`~mE{Z43p
z;ze{9eGrsi)hOy<WS%{B+A-YxJ^pRp16-%?9wxsNFP-NEjI*7<NfW(9YP!#TY#Uj%
zu@DO|&r*?jfp@!KWBEID9R>UgYP7&9<IrXdGL!tetfyy%z}ku1>gfFf3>FGD+<oVq
zY;4<8DdsliKtWCT6qkA7&AHMb9#k!ekuP#pBQCJA%zNy?z&YdV`w>HKNv5~-Gw|b8
zYmC}+I<2xMfjW<7Fxw%=@Jk&rv^VhIviN-Wt*qLi2O~<*je_m6%8_4M@V*jy=P|2Y
zOk0wbjM)XcOd-z6i%a=Wuo)ON|Cch6M~R~Meq7K7gq7(ALwuHHGqfc#m$gZs+Ish$
z$?s|NZf{poU@^oJe|$qDuom9*aV%<^uIw!&l}`ig7b&MOnAy+=4H^;$3(z6Y&!88;
z{cFo%8?<=A(a|l%+MX(D0oRq-4PURYnTLDQ>mB8d^wU&wZU?)^{<J5`)4Ly~!3qqq
zZd1`4DbuOtwu2c{9(Y{!#GA*YnY`7T`%T@Uk@75ADV2R49wZ;~WC&nd2}KIeS%f*>
z-<HsG!a7_rL`Y@Lg_Yi{B5q1-Av+L3-W#)omb>Tfn4{SCA%|nXcY4@}gL}q9p&95Y
zcU~Z*Hb*wVUii@JlcvdZgbFu~%gY?SqJzz6j6HS-aKkrl1I&g}udaSa0TgNO3PaK0
z82CmXz<eVJHrHWc5Vwp>TYl^qLc#Nj5J@nOwKDu+9j(KOW-G;_sHj$Yd~cST&E3R`
z?s|<PPIHr3R;_AA-DtpHlWzG7vBC2kM}CPPe)nc354lfnbH(5QOY#d=4-;B5>|4A0
zLsCF19G*}zc!nZVXs+x08o?E~ul$a!yLK8>!Sob_^Y{-2G)$WXc!~4}rhVX;ODM<e
z|CZ(SnzC%E`NT8p(t&j|2-GH%)nb7~pdNGE*2wx+<*QVwBDhjs+RlNnhxL_wDJdw*
zkt_9>n37o1vGwQ$Qz8O!kmlgmH=P;cG%pG8(2|O|VmP3C=jq<kU*&OUHhSt5NpyEJ
zFil_l?V(A1%g<=(vNL2;l99}OnJSUoVIEif{mZvRCkXKZoUK<M#28!>hf&^n3agiB
z7C-$#Dte<!y0k;HCp9Cso)1j<NrCQ<#e`eTs0oiqH{7Ii;}cU0JLR5E;joyR#Fnf6
zF<yi_!P$U%RhOYOf7Is%_<d%bAKK{1wA2$Em)ie4YW!#Uc9P5el^RXzRsz4*O4qQ(
z-#CvlRb11=avQ(+Q%ao6gcgC{zSh>G3+H{zm6vcy2Ay54#|lwpw?gH`UQ5PtX><8n
zGUCV_wS0H27&hZl^$pZ6`p4)T)t!q{{}s+EmzGL{><t|)S@G2Gmq_+%Fw0oj{HXr$
zP{)=oy;NZiRw7BfQZ-M~+;d~y_ff3QaH-Bf8QQn+pfA4<XEkM;{Uy|E)gG3@MGd0S
zXaFPa&1!b|U%lz@n+LY99CM=`wvI^B3K@{}JQiOEZqVBv0&_V&fIKX~kwF>iG@YB&
zMaDWx3^#5lN)+Tv1pi1is?*xPrxHQC*n1_ta}WpQbYDB{Ey1DuQ&^+Ts?m!JZBlp)
zs3dQKIWmgHYciHBq$RGBzt165wRd2o>aeZsu~p_v3^9_|GNe};a;^*8L@dji>+0iA
z*Iau25{epdB{xvosLz<jiLYv$eLgPUdX_KtP{nxbnAK(ZB&2(#;R2UgoU##tXdS=W
zH0_<!mZ_UG&Qa2LroY_1)tUz~U?v=S(5>m-m>sWjefgQ(R;wtmeL*Qv<j?_0>5-hg
zhkqbJaw>NEA{=ZM_Jwbo(vUSePyT8jP%fH5h|F{A<lhrTumKXsGJR?M0K*zyMlmHV
zu<G*;eWi0(8L2<@>GoSsl)($6fD}5J);9sAjd7Fg$UVh)#e#Y(7w0QfN1^=gn@F`H
z`wBr#B1;=8zn52>#2PrW?Pe0c72W!{o;YdFREiZDQ)8%DuZLN(^b2_k!bZhqjx7UY
zEO6SBI=&=^I6XDJhKNChY9OUABUR9GM&(B&=<+9D2Joa<j=ie2!g`FB(J(XwSNdM2
zE&<g!iY85WZrA+raE<G3bGh{<jR@1lHgI+DX?4-|rN#V?*wJ1dy%VpBLX={fYkxvE
z5lq4j_xkMS03vZMqxa7<mcpb>fcK$Ge#S~>aXI}B661CDau%b>;jp*s;=yt%McVDW
zZuJ<cZmaBcbIvOuvk*|92fdQnv&>&|cOuqU8$6YCJ--#Zc1xt?>Ub>e`60oQXKXG7
zt&8M&yQ9bkZdKC`ytf^*)Ezkxg8!4*SDjgF8+>rLkJvdsD8|Qx?_UZHM1nZPi%LW`
z5kxaP0|?eU3AMj8EZH4DH3F=>f~d}}_%r-A&MyS9bL*ew5|U8H(_D_8({>h{BIiR=
zM2zEfNm19ha&vz>_&l~n3G6r0^d)3p<dWDY9IF>pH8kgqKJZaFZ_k!Pn>(uSwiypS
zWocssSc>WEfCg@-WJI=&$V`Ua8*eV1SOqa!-9h*anT+lB5ODApYb&A0$GtEDnK{Xj
z$4_R98Ef#Y9`^Mv<Jg|vT+Yoo4;vTRXX7(l%7u2cN{QamP<0WAlEU#-=~~m_TOE{H
zY(@2`CEW&G%SqVl_`{lYOwFkS0{t@e0eiv2JS_CebPLg!4ctD{Q*|r&Kd*ENBqm;3
zY?(Z{fn&Z|Tztk}9uMsKQ6nhg`Kw3_g8N7}c)$mQAW?Z7x`-7WvPy-YC%B<VFCgBV
z%e+pz%3^hzGtixoJ5m@ubZd!BG5wrr2x=roGXQ6m17b+cK*lFh4Z>I>i>g7=Q_m83
zv?k?FFOMbA^RFYA_Aka8pR<0*qLHSKbVb0^McyW0{sz$rBxC8F3NiWU(?n_0Zv08|
zg&zE){NRRzg+ei+CS1wI{!9?5@rh_Hc7X(NrN}t!7O)^1#V5^!dVf~Krg9+V8PE&W
z^0{I8hZa5hi1|_SmAX&AA<}MTc;BM89_2i<{soIVWx2gn0x!py1l_zeD!z3^vP2G~
zrFkufR-+^tK`<R|16kjSlC5YfH#Sn4q{|(rTi3yM$ZkotDhT=HhL5vgs*{_Y4cLY5
zI(ZTwW?`a>Sy?Ppl*pTA!QytzgZ~PACaE|wkXG?ArUc#rxbZ&v7-F11&JuCOHISt&
zFPlANjECkeOVML={)QOonNy}7VTs777n&{6QaRi9zHWcU5@+8pA%K`V>Zt5_#&Gz(
zZv^&R&0v;5>34aW(uDk{^X#x$-a~GLoO}uCv|wvvjZe0ki*&b<vGlNmYj~OGdyZpM
zs;Ixud1AJOLwgh+j@oV9pB^BndkVOz0$C5&uk|R&f~YYxo;a~<O(j-f#`>eCXWit~
zCS;l&<6b`a{AiIk$pz396H1q`f1w$9TU08ejC3agfLyj7Jjzx6tX}$&xY5OP6C{pA
zR@N}wasZNL2VIS|mMmrGJS+1O2Rs;Q(QLa{_7ssmV4klT7_ZLZc6Wo{*`Qs4Ti#zG
zxit7I{Xi;qf!qXBnHM)9bVdvEKH4B741U>NFPe1}`o7xhDoe!PsCb1Yc?!>f#X};Y
zi~5j>tJM0ec=(pWk!3<}uE6K(3DBH(p1?t*Ir9YUTv$vGI69+A>%Z{X6r&VjS<ssP
zFt>nXkV2U!ry%<vPAS9y<XbhElzS|QT=j9v!7eskTcQc*$e?5vh9Bc7l`K+eJ~00@
z{7&8RT_=mOdf0#6X4N7`gaIUdhm+Iz5%cjYdH@n?Bu{BR!;djkURY_YpYrvMhJsT{
zmT9~93(?yTR#!)UxtrV=IyfCy3sNy=xPCL=l&9+Z=UeO*==t84;odeXlUeH-_T161
zR4=waAH^RpyTv)#U<*Q{b@?}E(2mY+#Miqr5`^a$6TqW?HZ~1&X)kZVWa(aSLN7I<
z!GDOjir&(`M6H3Qzps#HV6RqNT?6=ME(712^1wzCEWL|q;`uMgsn>DA0DmNJwAQTb
z3>fu<)G6Q|2DnI5%!zJ!EY9%{quKa-i1<M4v9_CTkl9hs@yIBgPd`A&B#$4=gDp|H
zHnw;gL*#-@S+F0Qzcjiws4F=PjVG}f6KO<k<tH1n6mGK(DR18zT<2Wi4Q~7&QT|`I
zw)0}RP8OzZ2DL?e7GDCU_FJaY^`V*Y4g+($U-2Y#Mt&(KTt9|!KcDd>i{czW0<WKR
z!<e*4pW#2Dh6Cuk|8;A~|G!{BfKGdoGG<ZW6BV60T!mS#+nDN+;$KJTGe}Q!Hi0f8
lgfzI>9`o>BN)~AnE|bVkoob);{br5V*369Ql>FA?e*n~zjZgpp

literal 0
HcmV?d00001

diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/testnode.jks b/libs/ssl-config/src/test/resources/certs/pem-utils/testnode.jks
index ebe6146124e8fd607e46a1a3129bdf9b4de0370d..25363b6d8a5a4b3d791e1216c32b169ff39a1bf9 100644
GIT binary patch
delta 4840
zcma)<cQ9S++Q4^FW9wT9TaaMuw%&X1B}DH85ka&d$zrP!H98>((W1Ag(Z$xHNA&0|
zg4hXy>z?n-ottyc%y<7-v*wxinRm@R@B8~b&x%*y^@LsQUF?BCAjs82RKq})3#q|C
zFQGMkMCLdEmA9jp_XBqaM{5sPdoM9-4?9<fy8<8(IKfpwWDW$vxj><DPEjztYg~9>
z955$@91O-m<7^uHOt;!myc05muo0Y-o`(>JpTp#z)yLC(18cQ)tq6*~aG0EVGV^H@
zA-UNt0pi-Jb|y{TUP@mW{B|KRAkD8IpQx}|+Y8u}{R-v6*NY+wNTRb-)f}1_NEiw~
zuuI|dli}iEM6B?z5U??K=3QPEcNZA&cFDwy7-CF0_B-KPL@&gR5Ic9y8}Qc58mw1<
z*QPs*4g0x$FR(wA8T`E1+6LK-D^%%Kzi-s^P_VVu6G$5ixUej=OvQg1w4%CRBDn;-
z&;@vx6m>*+=MAl!eARnkmYRA>evA&!zIM)07MR~5=Yn|VN}6%XH1(!rB3`?JoYKDu
z08L@}=B^nq$*F;qOh^o80h*a-qg5h>YJ^cJ)&}Wg7JcRyd0oKyMr}Wwzk^$p71&p<
zyP!H*seCVdu<G7APnd38RklU*v7@<O3}9X>utHZNb9^|nC3clXm^bQ~%ER6c^*U%y
z)#Dr1>mQ;w$c{%6L~Ibr#&V?Yk@Hk6xi8EL))+=dwK}57Lv)q;{j*fWmsOffsH+t#
zN}Jos(5O<B28!pHn%>UP<(dGjMdRS}X_0#y);ee<ctNM&Ybv!-;Rg<?R^4Ct0G_ib
z1=8UMl?zt)=xF{>vgoAryo=jk-d^9%_f((JEwFHu4~yEkrL?k2W#>D6H_oC$mJd4(
zrDou0)I`y?aTa-AJZE_ou{5VyZ+e42?B&cDf4Ck=D;TWbU|j2F6)@^anaY;l>6vT$
zR@gG5*NY9lkPx8tvw1#TX-X{zC@&-c;Zf2mmx5^2y@gHPj5Tld6wmsjnKbWC%rw5e
zR!foZhzVsm7G*y*$v|2l;t@Mwlx8x?S=Ed6k87@FOWs+qkMnKr0(ZURaA6@So_BN?
zJhS}XSo#zVtvaCU**kZoer3#*+|?z-5nvR9T%=E=q%%-xPf&WZ%rc;X=t6r~l8-MI
zuX=?zR;b-AQfTItCQZpprttn=VH$e^CWoS`eD_D!7kM;gs+=ixg-9?m<XgTCdmDFd
zA)^wqf-E>1%Fch>yjVKGVLmRfR%FC7DzI-5Gm>kkk+HWT?rebf54&ELzwy0?7SiW)
za6Fbx%1Q-GzmiWzSYN0BXw&;on)x4A&>K{_V?!0E`Xum@kqJn-K`e_NImfJrJAJQ#
z<*|BiMvGq%@|Fs1J%l?Q9p}mMtma))O-qRUSIAFA%SKvxbkc0KjSpfUS2Tof%ZnKO
zLoA<=Ne-;;;kd%Q_`NJ|<5}+kJA17eVy>f~$@#s;cDzK$&}t5_wD6cT|AQRoT=(-D
zgSYxx`7iH_(s}C$Lg&4_9~E!a`v8X8T12u%_(=Uey0BaE8bficDc$9JccUE4J<JiA
zm=<}m9IE^8d*VPT{`m88tvA)W&3|}MVP&3_MksT>9%bm$O7L&VV}H&6gpi$6l{=*Z
zj}j<!#cUW^f5LDBbs=g!A~DjZ)D3Z1mu^W@lN3smWen_QM);T(#eCQ-PfySd+7#mJ
zOpWHBpAq@uA>UIHuC*RM4~%dd!?oW9cah``wT^_w_314h&xp-Z^GIbp?xIIl+Jc{i
ze;&-V;oi{cK@6rF97`|O(wP6s>l!odwJ0v;$bR{_sb_@{NM?bv+C*ga5~UV1q^V%D
z;{>&*JG}9`Xh=eQ@0jJi@fo{s@O&@C3iJKSo?sBJ39m3p90Y<kpwQ476dID51BHMg
z5IB>X$Afl*;aDqL{hk<oMqwv~pHwJfJVMTJweTOrU@#Fb2*t?HfTG8P8sR`;a9t0_
z2e%z<Wgpr*GZ|hfm`Uf#!KfQF!~#MnF@AA=VSWLAQ8OB1!GDLMe};eGA+doL1vKb2
z9{e2p<_;l9qd3k&JiWjyE(|#cn-ks24*lq(>pKlooj+aOnm<_kjxBG}SnkeydHRx;
zUOX;e(yulRJ6$$q?>6bCG;N%vu;)c7f2)CF?zz^UN6zN8lC{2yiATD{#e9TLoJB9z
zPOGOf$rjAM9D0r-hdQQfx*MNePynpO%vt*~7H1SZdY=AuHsk}Hwz2&5v_X;Yx5`<(
zL}w2inKsDBOAN&t)TNP;3NCz_tQ{6Sz0(if1za#Iw0*n3K6M(On)>aZ$)9y+$lf~&
z@-6N7RkoqeE#SW%{dM0xI&J3l>xJr6ZIS!)1QqkjlJ5o-OVZ!clizQr&z!fi_yK`}
zLEzWH>!{!r6vI`88Ax!bao{lqosG0cT4d$>4BI~JEW2qjV~<gc|6aa@LyMvg`sW1F
ze<x6a!IwC=DCpHIks0y^P;j~{u3&Eg`?)>!vEb#FNI*eS;ivZDd3jmx#s^77Zb|Pc
zQ+Sz4+j#9tQlK*y>s?8V$cRe>oe4o#kPKG>smLM6IPQ=8&zrIt5)VLbmzJ~DrEBlH
zY7*Ti#pzvb9iI;E40irdDUTw}%knjmi{NC<Po8sQ0<vGyztV`X1ZwD><L~qjogF5n
za_bsH-8v<e3M&F#@?F+I{MOClhN4<hIlKF}ztxLB;~ej-qs1iVy`b{Bo+xaWIrf}a
zLno%L1H(m>Z#K`m-Sozjf*=tO9M7H2G#?~rLumGW!786`{Y#<VXKc~y5-jGnrSYiC
zZ8)!!U@fr}vRAh;33$}_$MvW9&$QrZ|J$g*FLkwkj0!&d%cKyz46l6Oi`B^wjmT{1
z*;Eqfnvk25E8Dl$WokxdCft>$=PQ~~B`86+h3H;iyFb#MsJ;3;$*}w$yZUy@4HQ7W
zOcnKBvjCWo^7wWWQS<5aW4h4<OMeR0$JiF~+c9rK_9c_btESS|4kb_hbHB7(NvUsH
zPSF{gJwYlq@`btOe!koa5&q({>i|Wj+N+&BELSdjeUO7~rsgafV|q9J!ie{B#YUy`
zP#Z1>0hOn61~offR?@gyeDUdx7>vuKtPGT))ZGMd#yf`%EHj(e`)NhLvX)d7Uiwmu
zacTv`%HV4k{$>V<)0GwMQE2e?pJqVte6xSgetC^6+NCR7(-5SBxzs^j!y~vd!>}|C
z6!Led9c}+=1>nE6ApE-)gw6i{9ehz_c=&&O5CX=-<qF0D-GthKaGEkGFOH=03DI;C
zV87Kp4S$5I%)r!BcOLgwQL!7vQgJD&PYxpCh%6vtL8KlQbT0HUV)YPzEaSqAz_-zx
z#zt4Hs(M>1o0$CQ=YY&a^PI)<^V~L0L$$zHh;bS!{EWXLnSiK+%}B-y2R~*dJinp%
zhH3PO{x>B5F@f|Sm`nuztA<b~5Xu39;&oHb0NA1BN8e7uh^+#=0j|Zn4VGedElt;6
zS<~xP=Z~;%tH_xtw9o6SIo!)YLs0nU70#4{kh}-Hd=`_}v_2%KW(Cv`mw8!o8f#RL
z4S__7s5CA4PM;D#>@W19&d2%Vs9}FlP!q?vhf~u`ag7iFgDC$4hJ%;wZ)9-6uO{#8
zt2>eL7c|h2NQbjZ*>_GfZNY;MdW%gL=Vc_1!wh~tPAU*uZZG$;r;YXs-DOps9~#SG
z*XY?3LD#Y8Qbc!rhWN_&WW#|l_f!6hZUoB&FdRV^^=@V+cs%JX#>cYKW?c<Uog-s+
zTYbmy=B4v-Z1xcgT3e9S`Hobq!OsryOvS+Xb}p^pNw$qy6AxH)8-HQt02%%x<O8}>
zQYp1bYp-BU>H_o<9SZIp>(4Q0>1%a#V?#F7CV6y8zcD2tI*{ybzv*B*o)sn)6JSpQ
zz#Ze|MZEe#a`aV&PyGwN-mL6TAX~f{-ds$PC{Y!kH1e>uZbOWIg<IhD@ak$G&w+Ec
zUkt?Y<fIoKCqclk5sL|lAwqwz6{eA>$`EdBJBw)H^Pvq&tt+>b>%K@Q3EYACs!iUb
zc$!Kwboh#ATup$Phb>IO3CxUgI0$hAMkMpA_!pmqE=HIPe<nunA{2yqV;V7=&j=LQ
zB^7vNt4HYKIb+3xlk=<DGZ)kDAC;Bh`l36sOxh=>hGlwJoLPRYrmTte_bFF?z)9Y!
zed6@^J@Xz**+VH|HkD3sz2zDMAPsZw;!bs-)IT^=IT@Ry&UKn>x)vEy2jk=iI*Z>T
z)R9h4ht($+4lUg#J>%L9)PiA*3OO?ujnn=5W!u)DG6BPHYi#eZEn@k6Y1$*oQOg-t
zJ(Fj0dPFGKvGgOR)u#;`>JP0Lx@;8_6Oe)<%W6kPi17)bM_ECFFUOx9V9e*b*&<e3
zq~Xb=2_a(pjlMb>Dq(p6_L0g!hu5CjPuFr7i9^o!&CiDXMHo<z`@TmbRS!J>qZf03
zkPzn@f2%PvVmh+w?$><)1AfAa20rkyxue({OKT4Gmij>hzgY~I428ypUH$qs{b?~n
z)nAM;pL45m<|miv8V%<7g4O#_M0kWY;c8&O5&A!R?7uZ8^t;A{{s)brp^8@^3ICtU
z#Bjh@0XqZ@zT$7%sy^4;vEvJRTdDWr+u1|7GWAJ-_6@|atW#Et*K^zPlPB2rfUreU
zx={^L&AjnQ?`A&4aFgt3nGsO6;Rc^v-U?6q`oJh*%x0%82Z><BQ7egS2Yj|}eUj)|
zV%K7-W73NQzjm&~Pi@CNC(Y5jddHq4RaM-qTypBpfa;-;BF;UMz|xDk7Hxa{MN6_r
z#w!md#Ws#HQI5QLW<f?8a~>H|0b45`7_BJsu5^pKI>gpkzuRzyJ*TvlHOS+a)2*2C
zN{~HIR)*H@9nCklr8|pSkIMV>1nZ2w(M?Zxi?N={Z7@}oZ19MXk<P5P!ouQh(Hd#m
zha;3)fJ>#SBZL8TbWWOfH0gWvl%#o4f4Xd3L(-=-J=P9>TJKqWRVI*9SnooRJZ*wo
zBV}8EP^5X2$D;IT)O9582!4pQtc^u&i``TH{5uTXh75HVZAQmy)35Ay2v1(I5@vj3
zR-Hs$*3d>ylm_(bw$IOGT<2|_8_zR0yTelmM3{cGx276HvIOmaEvBuHt2sqG>gU>u
zc(bju->|tWF;0itmKaxiY?k=u8r78ZjTlzj4Xu8v!P?V-E`-rekiduP*iOz~=sCYv
zsY5WSMCc>w(Ss@i+iBIY^5)1}d8^a-VH*6g6&&3Jp{wZ-QjMs-FY(^#-RRMxX??bR
zz;6(5N+Tp=)=Fn)xNo?zLTOa|theWD5mqtL=iLy#--G*PEmK>q{hy&|Fdpct6kt#;
z=al7#DgBWb5<G!z7(4}2+y3a=2$gp^!mKwmsLM7b0+Nle3kHT23j;&5stZhX)F@;B
zv?iuGF(W*^E~P}K+v{x&cKU<iCzoOXNl(yu=h~MB9cktV+H@b>$|B*751xvgO_&84
zGM+5&QDTnwRR_2PcRdEHiF+Mo!=w6hrwmOD9W6EGiI%cHI!80Px8q5D*R-gT57-IK
zsr=ww0axR2DRs8lB@?E&N1#BYJs(+FOnYaWZJ}vIM%>n@cylT9wZ`NVx0;zTp!Koz
zFaw<~4VhUz9c;h)jh{0g8_)F$cRZxrK*84cm-9`(&X*(0fprIL!cclpcU|>Fw)5Y5
zvu?BkOJL1AlUxZpYRn9h;B>fz?zi6jj|o?;nfR~sa-#O1X81!4P+1U43W87zVcJ`=
z%Oq8X>_7u5$7xwUWZ&D`Z&|@ycT<2MblGXX(i{=#h91VJ%_iB0XP;AHJD1IaCWK^m
nYC7qApjD);(3*by6Da%(R_|zqTDCDzngfQ85S!LdJaGRPIGcAF

delta 77
zcmV-T0J8t=aga$2{_Xzl0000200008vmY_Q1GBFJ{R6Y#H2DLwrv_jIu@RgCvv(W^
j3A11=!UMB^7xe@b>~lBQV-e5ldhPAzVKh9cG#>Gr$^{`1

diff --git a/modules/ingest-common/src/test/java/org/opensearch/ingest/common/DateProcessorTests.java b/modules/ingest-common/src/test/java/org/opensearch/ingest/common/DateProcessorTests.java
index 8a4f3b4a898b4..eeb942166eeec 100644
--- a/modules/ingest-common/src/test/java/org/opensearch/ingest/common/DateProcessorTests.java
+++ b/modules/ingest-common/src/test/java/org/opensearch/ingest/common/DateProcessorTests.java
@@ -164,7 +164,6 @@ public void testInvalidJavaPattern() {
     }
 
     public void testJavaPatternLocale() {
-        assumeFalse("Can't run in a FIPS JVM, Joda parse date error", inFipsJvm());
         DateProcessor dateProcessor = new DateProcessor(
             randomAlphaOfLength(10),
             null,
diff --git a/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java b/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java
index c553effc65ab5..92313e27f0544 100644
--- a/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java
+++ b/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java
@@ -45,6 +45,7 @@
 import org.apache.hc.core5.util.Timeout;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.action.DocWriteRequest;
 import org.opensearch.action.bulk.BackoffPolicy;
 import org.opensearch.action.bulk.BulkItemResponse;
@@ -182,7 +183,14 @@ private ActionListener<BulkByScrollResponse> getRemoteReindexWrapperListener(
     }
 
     static RestClient buildRestClient(RemoteInfo remoteInfo, ReindexSslConfig sslConfig, long taskId, List<Thread> threadCollector) {
-        return buildRestClient(remoteInfo, sslConfig, taskId, threadCollector, Optional.empty());
+        return buildRestClient(
+            remoteInfo,
+            sslConfig,
+            taskId,
+            threadCollector,
+            Optional.empty(),
+            CryptoServicesRegistrar.isInApprovedOnlyMode()
+        );
     }
 
     /**
@@ -199,7 +207,8 @@ static RestClient buildRestClient(
         ReindexSslConfig sslConfig,
         long taskId,
         List<Thread> threadCollector,
-        Optional<HttpRequestInterceptor> restInterceptor
+        Optional<HttpRequestInterceptor> restInterceptor,
+        boolean isFipsEnabled
     ) {
         Header[] clientHeaders = new Header[remoteInfo.getHeaders().size()];
         int i = 0;
@@ -226,11 +235,16 @@ static RestClient buildRestClient(
             }
             // Stick the task id in the thread name so we can track down tasks from stack traces
             AtomicInteger threads = new AtomicInteger();
-            c.setThreadFactory(r -> {
-                String name = "es-client-" + taskId + "-" + threads.getAndIncrement();
-                Thread t = new Thread(r, name);
-                threadCollector.add(t);
-                return t;
+            c.setThreadFactory((Runnable r) -> {
+                Runnable runnable = () -> {
+                    if (isFipsEnabled) {
+                        CryptoServicesRegistrar.setApprovedOnlyMode(true);
+                    }
+                    r.run();
+                };
+                var thread = new Thread(runnable, "os-client-" + taskId + "-" + threads.getAndIncrement());
+                threadCollector.add(thread);
+                return thread;
             });
             // Limit ourselves to one reactor thread because for now the search process is single threaded.
             c.setIOReactorConfig(IOReactorConfig.custom().setIoThreadCount(1).build());
@@ -313,7 +327,14 @@ protected ScrollableHitSource buildScrollableResultSource(BackoffPolicy backoffP
                 RemoteInfo remoteInfo = mainRequest.getRemoteInfo();
                 createdThreads = synchronizedList(new ArrayList<>());
                 assert sslConfig != null : "Reindex ssl config must be set";
-                RestClient restClient = buildRestClient(remoteInfo, sslConfig, task.getId(), createdThreads, this.interceptor);
+                RestClient restClient = buildRestClient(
+                    remoteInfo,
+                    sslConfig,
+                    task.getId(),
+                    createdThreads,
+                    this.interceptor,
+                    CryptoServicesRegistrar.isInApprovedOnlyMode()
+                );
                 return new RemoteScrollableHitSource(
                     logger,
                     backoffPolicy,
diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java
index 2e14df4628283..7fbd6044d9b18 100644
--- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java
+++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java
@@ -77,7 +77,7 @@ public void testBuildRestClient() throws Exception {
                 assertBusy(() -> assertThat(threads, hasSize(2)));
                 int i = 0;
                 for (Thread thread : threads) {
-                    assertEquals("es-client-" + taskId + "-" + i, thread.getName());
+                    assertEquals("os-client-" + taskId + "-" + i, thread.getName());
                     i++;
                 }
             } finally {
diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
index 4fa84f88af35f..36b6edaa9c703 100644
--- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
+++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
@@ -37,6 +37,7 @@
 import com.sun.net.httpserver.HttpsParameters;
 import com.sun.net.httpserver.HttpsServer;
 
+import org.opensearch.client.FipsEnabledThreadFactory;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.RestClient;
@@ -70,6 +71,10 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.concurrent.Executor;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
 
@@ -84,6 +89,7 @@
 @SuppressForbidden(reason = "use http server")
 public class ReindexRestClientSslTests extends OpenSearchTestCase {
 
+    private static final String STRONG_PRIVATE_SECRET = "6!6428DQXwPpi7@$ggeg/="; // has to be at least 112 bit long.
     private static HttpsServer server;
     private static Consumer<HttpsExchange> handler = ignore -> {};
 
@@ -93,6 +99,9 @@ public static void setupHttpServer() throws Exception {
         SSLContext sslContext = buildServerSslContext();
         server = HttpsServer.create(address, 0);
         server.setHttpsConfigurator(new ClientAuthHttpsConfigurator(sslContext));
+        var threadFactory = new FipsEnabledThreadFactory("test-httpserver-dispatcher", inFipsJvm());
+        Executor executor = Executors.newFixedThreadPool(1, threadFactory);
+        server.setExecutor(executor);
         server.start();
         server.createContext("/", http -> {
             assert http instanceof HttpsExchange;
@@ -108,18 +117,31 @@ public static void setupHttpServer() throws Exception {
 
     @AfterClass
     public static void shutdownHttpServer() {
-        server.stop(0);
-        server = null;
-        handler = null;
+        if (server != null) {
+            server.stop(0); // Stop the server
+            Executor executor = server.getExecutor();
+            if (executor instanceof ExecutorService) {
+                ((ExecutorService) executor).shutdown(); // Shutdown the executor
+                try {
+                    if (!((ExecutorService) executor).awaitTermination(15, TimeUnit.SECONDS)) {
+                        ((ExecutorService) executor).shutdownNow(); // Force shutdown if not terminated
+                    }
+                } catch (InterruptedException ex) {
+                    ((ExecutorService) executor).shutdownNow(); // Force shutdown on interruption
+                    Thread.currentThread().interrupt();
+                }
+            }
+            server = null;
+            handler = null;
+        }
     }
 
     private static SSLContext buildServerSslContext() throws Exception {
         final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-        final char[] password = "http-password".toCharArray();
 
         final Path cert = PathUtils.get(ReindexRestClientSslTests.class.getResource("http/http.crt").toURI());
         final Path key = PathUtils.get(ReindexRestClientSslTests.class.getResource("http/http.key").toURI());
-        final X509ExtendedKeyManager keyManager = new PemKeyConfig(cert, key, password).createKeyManager();
+        final X509ExtendedKeyManager keyManager = new PemKeyConfig(cert, key, STRONG_PRIVATE_SECRET.toCharArray()).createKeyManager();
 
         final Path ca = PathUtils.get(ReindexRestClientSslTests.class.getResource("ca.pem").toURI());
         final X509ExtendedTrustManager trustManager = new PemTrustConfig(Collections.singletonList(ca)).createTrustManager();
@@ -164,7 +186,6 @@ public void testClientSucceedsWithCertificateAuthorities() throws IOException {
     }
 
     public void testClientSucceedsWithVerificationDisabled() throws IOException {
-        assumeFalse("Cannot disable verification in FIPS JVM", inFipsJvm());
         final List<Thread> threads = new ArrayList<>();
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
@@ -172,10 +193,21 @@ public void testClientSucceedsWithVerificationDisabled() throws IOException {
             .put("reindex.ssl.supported_protocols", "TLSv1.2")
             .build();
         final Environment environment = TestEnvironment.newEnvironment(settings);
-        final ReindexSslConfig ssl = new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
-        try (RestClient client = Reindexer.buildRestClient(getRemoteInfo(), ssl, 1L, threads)) {
-            final Response response = client.performRequest(new Request("GET", "/"));
-            assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
+
+        if (inFipsJvm()) {
+            try {
+                new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
+                fail("expected IllegalStateException");
+            } catch (Exception e) {
+                assertThat(e, Matchers.instanceOf(IllegalStateException.class));
+                assertThat(e.getMessage(), Matchers.containsString("The use of TrustEverythingConfig is not permitted in FIPS mode"));
+            }
+        } else {
+            final ReindexSslConfig ssl = new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
+            try (RestClient client = Reindexer.buildRestClient(getRemoteInfo(), ssl, 1L, threads)) {
+                final Response response = client.performRequest(new Request("GET", "/"));
+                assertThat(response.getStatusLine().getStatusCode(), Matchers.is(200));
+            }
         }
     }
 
@@ -189,7 +221,7 @@ public void testClientPassesClientCertificate() throws IOException {
             .putList("reindex.ssl.certificate_authorities", ca.toString())
             .put("reindex.ssl.certificate", cert)
             .put("reindex.ssl.key", key)
-            .put("reindex.ssl.key_passphrase", "client-password")
+            .put("reindex.ssl.key_passphrase", STRONG_PRIVATE_SECRET)
             .put("reindex.ssl.supported_protocols", "TLSv1.2")
             .build();
         AtomicReference<Certificate[]> clientCertificates = new AtomicReference<>();
@@ -211,8 +243,8 @@ public void testClientPassesClientCertificate() throws IOException {
             assertThat(certs, Matchers.arrayWithSize(1));
             assertThat(certs[0], Matchers.instanceOf(X509Certificate.class));
             final X509Certificate clientCert = (X509Certificate) certs[0];
-            assertThat(clientCert.getSubjectDN().getName(), Matchers.is("CN=client"));
-            assertThat(clientCert.getIssuerDN().getName(), Matchers.is("CN=Elastic Certificate Tool Autogenerated CA"));
+            assertThat(clientCert.getSubjectDN().getName(), Matchers.is("CN=localhost,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"));
+            assertThat(clientCert.getIssuerDN().getName(), Matchers.is("CN=OpenSearch Test Node"));
         }
     }
 
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/README.md b/modules/reindex/src/test/resources/org/opensearch/index/reindex/README.md
new file mode 100644
index 0000000000000..f2ff25d41a890
--- /dev/null
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/README.md
@@ -0,0 +1,48 @@
+# generate self-signed CA key + cert
+```bash
+export KEY_PW='6!6428DQXwPpi7@$ggeg/='
+openssl genpkey -algorithm RSA -out ca.key -aes256 -pass pass:"$KEY_PW"
+openssl req -x509 -key ca.key -sha256 -days 3650 -subj "/CN=OpenSearch Test Node" -passin pass:"$KEY_PW" \
+    -addext "subjectAltName=DNS:localhost,DNS:localhost.localdomain,DNS:localhost4,DNS:localhost4.localdomain4,DNS:localhost6,DNS:localhost6.localdomain6,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1" \
+    -out ca.pem
+```
+# generate client key + cert
+```bash
+export NAME='client'
+openssl genpkey -algorithm RSA -out "$NAME".key -aes256 -pass pass:"$KEY_PW"
+openssl req -new \
+    -key "$NAME".key \
+    -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=localhost" \
+    -out "$NAME".csr \
+    -passin pass:"$KEY_PW"
+openssl x509 -req \
+    -in "$NAME".csr \
+    -CA ../ca.pem \
+    -CAkey ../ca.key \
+    -CAcreateserial \
+    -out "$NAME".crt \
+    -days 3650 \
+    -sha256 \
+    -passin pass:"$KEY_PW"
+rm "$NAME".csr
+```
+# repeat the same for server key + cert
+```bash
+export NAME='http'
+openssl genpkey -algorithm RSA -out "$NAME".key -aes256 -pass pass:"$KEY_PW"
+openssl req -new \
+    -key "$NAME".key \
+    -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=localhost" \
+    -out "$NAME".csr \
+    -passin pass:"$KEY_PW"
+openssl x509 -req \
+    -in "$NAME".csr \
+    -CA ../ca.pem \
+    -CAkey ../ca.key \
+    -CAcreateserial \
+    -out "$NAME".crt \
+    -days 3650 \
+    -sha256 \
+    -passin pass:"$KEY_PW"
+rm "$NAME".csr
+```
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/README.txt b/modules/reindex/src/test/resources/org/opensearch/index/reindex/README.txt
deleted file mode 100644
index efd5e4c20ffd3..0000000000000
--- a/modules/reindex/src/test/resources/org/opensearch/index/reindex/README.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-# ca.p12
-
-
-# ca.pem
-
-openssl pkcs12 -info -in ./ca.p12 -nokeys -out ca.pem -passin "pass:ca-password"
-
-# http.p12
-
-unzip http.zip
-rm http.zip
-
-# client.p12
-
-unzip client.zip
-rm client.zip
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.key b/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.key
new file mode 100644
index 0000000000000..a04c18c994359
--- /dev/null
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ8TSOq343U8BV3rEt
+vOpSPQICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEFXKi3C3VJzsGiCw
+Lh2zY40EggTQwtBoa+e+J/UAA/mVv50rVH7oqvs5t9wRfznrldPtUgTR7r06TxNB
+DXN1spBSmJjrohC3RbEO4169YqCwAk2HsptENM3MV5A9EwTuXPVBW/ic2SDOwmiP
+wvRRKUujjaYZTfVeVJi0LqnCtyv7/hc33MJ3IMeNefEwmYRH3u/ktp+NBXZPEp1G
+sdbPLpCxUqtq8zE84ev+RyURbErWVvjI8ma20Hn2gACkQazYTSVMVMxvj4+m0oBd
+hzQ54GjRypm6Tc+CkJXGbCp+3sCONUqKARZYo+oiL5wEdGTLOcCwaCZxVkftDZ4V
+oGrHVlgFrYgADaOuokjMf178ymMJX1+kTYze/k/ajXHd8qBKRD1X49dDhrHjnlhV
+2sGOTKk16fBXSoM/q4vfmBKkd+BxDcdbsDkLDdT266XBy9hdRnL6e3Qk6ag6i0dB
+faJwyXHIhiS87nFLpYeXY47DABBvmKVqafdHJDab7GYmLb+2J33EbmQX+tMgKrI+
+l5FjPX0Lz6/c74M6jYGHhbii3fZKGzb9BwWCEG7eIMONfv7IoaP2HI/P5G1WheQ+
+Ocd4lsb+pCmy+tzQcB7+GtWX0sG4ugCTsKIofN9ZmkvdQsvQvjT/oubDtBXUMgIL
+/6GpYr7f535wD8jp4qHjSNyiNf93XiepxUsKBh0xvcGRRfhEjrZhnDm8DYP014bL
+HhWzPVUgQwDJMa92wzsqFpXCujhLDb3BzLZLCGWDUkDsPjX2hUzNRWw+nN0FEwkD
+ezxZOpK7m/ZfZi0rI94oYpmanwLNH5tvwr7pKLJ2SAP2WTNYRtff7vgeKOmgDG97
+pSm49phrSdM/VbwWgoPHpGxn6De5mfp+52dz5sCZMP0tsYMa947z2VDAU9f7+AQL
+V73HGQKu8eny2ofOvQiKMK7sVo9dDvf6O4fGUCZh55YmQYzNq1cYh5lgQgPJ/CDb
+c2mUVhwPfd4gvmKzBQ+nxjo5Jbh0vJwqOxk0SMCwWqQW5+Y9mdcDseyJwL7iyiTd
+xyN9rUdro86foF85Xja+MZ0hVW/q1xwrZSiunWuvg0uaGMdSuknn7skLnKrdbfIU
+RocweZPetFxzCm7XeikCaKucoNLNSPjAKW13doZSOc4OxS4hXep211dGVvK43XwX
+B6xp8WtquZaGk01J789H1XU/sz6AssuCrMvql0Gd/GeFz+Ql9dMd4bH2ZzjpRcWL
+FMZvsxXzqp5zodsn/j26h+WKZYmLSnxvE+WjQHyECt1JgSyYD2I84CxKj9I5ezX7
+1PIc3/OPl14p+ni/lfx6UM5WmbrHcuLM5a2ml/9e+HQci2xDNflkCiRQ1jcXYSB4
+p5mAaxSPbC33mi7jvBtUF1Yk9CiIRW941pKhn5YSj4bEMs6h8tB4M9wfXn9HPe/X
+0KdYFMzf5sc9nmDZt2A1EoZexYwMk56wVQ7gnekw9ECCs6OLUmXkAmKojvbNXG0C
++t0W3LSoFsMM6vnINVooK+dQgRLqXFe57HY8j7zTmFh69Kh3/Cv24gQ21xwPYB6y
+A9AVrrxRUV4Nlqkw5A4kVKXRry9/xj5DGgZ4SI2rJZ3vhfD2jiLFnl+JBT/Cw2xL
+NL32subXNGqY4ymnq1HSG3SO/Jgh21XZL8rl2kZ+QiT7QvRVFWefRdA=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.pem b/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.pem
index ee758ca3e6370..615f00e468ae6 100644
--- a/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.pem
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/ca.pem
@@ -1,25 +1,22 @@
-Bag Attributes
-    friendlyName: ca
-    localKeyID: 54 69 6D 65 20 31 35 34 37 30 38 36 32 32 39 31 30 37 
-subject=/CN=Elastic Certificate Tool Autogenerated CA
-issuer=/CN=Elastic Certificate Tool Autogenerated CA
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUacmv5ElKJ1cs9n61tEpy5KM3Dv0wDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMTkwMTEwMDIxMDI5WhcNNDYwNTI3MDIxMDI5WjA0MTIwMAYD
-VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0rA35tPl0FN+BPk2YfmET9
-MvDWFLvfL2Z1aw1q1vnd12K9zumjN6veilHA2Iw/P4LG/mkQZvY4bDPgibRD7hbE
-vwPoju4vr614tw60+FlkpO6HezYo2I3cni1//Gehhs5EW2P3g7Lw7UNCOAfcR2QQ
-p/dtwXYWzXHY9jTevQSv2q/x5jWKZT4ltaQExzvXAcxRGqyWV6d5vol3KH/GpCSI
-SQvRmRVNQGXhxi66MjCglGAM2oicd1qCUDCrljdFD/RQ1UzqIJRTXZQKOno1/Em9
-xR0Cd5KQapqttPusAO6uZblMO2Ru+XjCD6Y0o41eCDbkd0xA3/wgP3MD5n41yncC
-AwEAAaNTMFEwHQYDVR0OBBYEFJTry9da5RZbbELYCaWVVFllSm8DMB8GA1UdIwQY
-MBaAFJTry9da5RZbbELYCaWVVFllSm8DMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBADA6qhC35PwuL7LRddbhjjW8U/cCmG9m7AIvH6N+Mw/k76gt
-tJkEDxztMHUG+A2IPyEcYm7MLr1D8xEQYsq0x4pzFcQnMSQDv4WTK35vRxMtaqwA
-WZTyA+DibBknbaP1z3gNhR9A0TKx4cPagN3OYFvAi/24abf8qS6D/bcOiPDQ4oPb
-DVhmhqt5zduDM+Xsf6d4nsA6sf9+4AzneaZKGAMgCXgo4mYeP7M4nMQk0L3ao9Ts
-+Usr8WRxc4xHGyb09fsXWSz7ZmiJ6iXK2NvRUq46WCINLONLzNkx29WEKQpI3wh4
-kyx6wF9lwBF06P1raFIBMeMOCkqDc+nj7A91PEA=
+MIIDszCCApugAwIBAgIUOpUOL6Dz5+T+y+SIDknp8nOB2x4wDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUT3BlblNlYXJjaCBUZXN0IE5vZGUwHhcNMjQwODI3MTgy
+MDE2WhcNMzQwODI1MTgyMDE2WjAfMR0wGwYDVQQDDBRPcGVuU2VhcmNoIFRlc3Qg
+Tm9kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2bmzHyMB705hS2
+Vu02WaTz7iWU11aVlNwAEVWIpjarDsk1IeICYe2vtv7e9qAp5IAMC6y9Db4XAx6A
+PKJHZ5XcrWKpJqanMUwMi7dJ7wLWauMlx4WdyWSdJ3KRVO0Xzdr6My6dV+LCiiYX
+cQCFYzEQYX02kU8M8NZ3J9t5OK3MF8/f0gta5vMs/1akPJzTMYyLva+hcNyGC9pW
+Ly0w2kWxqze00KjT8wnmUz3h6gxxRwwdocsyZ1AE635anRu2MuAo94sA8kwQdl6z
+cKtTzlzbLmrBQzusnuQtJCKGzvH+uBGodFpQhi5JpYVbuSvqI1Lumg7RA524cb0t
+OKnijBECAwEAAaOB5jCB4zAdBgNVHQ4EFgQU41fNVZMW0Kc5nmv53kKTINZT0CMw
+HwYDVR0jBBgwFoAU41fNVZMW0Kc5nmv53kKTINZT0CMwDwYDVR0TAQH/BAUwAwEB
+/zCBjwYDVR0RBIGHMIGEgglsb2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFp
+boIKbG9jYWxob3N0NIIXbG9jYWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9z
+dDaCF2xvY2FsaG9zdDYubG9jYWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAA
+AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBObbHtMsaa0XTJAlJk4DE9kHgZoxF8ImFI
+c1huhnCr2X+XkKxYDF/QUA1XRDWI9S4/6xBDKZdD+RhZ6ds3CbG4JVtoJa1Vvjla
+dk11uirkKCqbYrdyc/+KeLS4ruYhG/JoqycTp/G5aCrThZgIgf0jm4peJwd9nqaz
++yjP4L4sDR4rfdLIsk96hPKDImD+5uuJ9KqMj8DO589uqJwhTehfPcNfL4hVdQ66
+IEKK6HM5DMXYzRFr7yAseKZbXngn5QJ+ZBldikP0hgGFYbT1kbNtFOqwpYNvgGvr
+ptei46poM3WCB04puszm62E4Jora6rxaLwWGp+6TWELLwUUs9so7
 -----END CERTIFICATE-----
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.crt b/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.crt
index 337d24e2493ac..9111fb215a448 100644
--- a/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.crt
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.crt
@@ -1,19 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDIDCCAgigAwIBAgIUNOREYZadZ2EVkJ1m8Y9jnVmWmtAwDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMTkwMTEwMDIxMDMyWhcNNDYwNTI3MDIxMDMyWjARMQ8wDQYD
-VQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCCP2LE
-nws2+ZIwSQ3IvIhVfrueUmNt7Y5TdhhwO32p2wC4ZA62J9L8klAzt7R+izcL/qbF
-65inbXM0A7ge/2wZ09kbqBk5uS8jDetJS8lQmWVZDHfVi8g/yDMWklz2mQYleYmU
-HPyIplai3P3KBoT8HurzHw2C953EZ2HiANFnGoEPZZ5ytcT2WenxuU5kSXSxuDyn
-8/dCVHEQL1Yipr2LQKYQAHotjo56OhyL9KS5YPjzSFREeyRfQinssTmpGFsua/PK
-Vqj+hRdkaqRfiqPq3wxn8oOSpZLQe58O1e7OlqgjkPuZdjZ0pQ7KJj7N3fUQNSeg
-2VC2tk8zv/C/Qr2bAgMBAAGjTTBLMB0GA1UdDgQWBBQziDNuD83ZLwEt1e1txYJu
-oSseEDAfBgNVHSMEGDAWgBSU68vXWuUWW2xC2AmllVRZZUpvAzAJBgNVHRMEAjAA
-MA0GCSqGSIb3DQEBCwUAA4IBAQAPpyWyR4w6GvfvPmA1nk1qd7fsQ1AucrYweIJx
-dTeXg3Ps1bcgNq9Us9xtsKmsoKD8UhtPN6e8W8MkMmri+MSzlEemE+pJZrjHEudi
-Sj0AFVOK6jaE0lerbCnTQZvYH+J9Eb1i9RP7XHRShkR4MWgy2BzlENk9/LRbr84W
-Yf5TuM9+ApiiiOoX9UfSGBzNnqwhJNpG9yJ+HnQSqTnJJc/wL0211zLme9I/nhf0
-kQx6mPedJ3gGoJ8gqz38djIrhJDxq+0Bd9SsdlR6yT+1+bY7hinYx2eLV91AybZ4
-x07Kyl174DD41PYaE1AtoLlrMrQ5BG7Md50Am+XXOR1X1dkZ
+MIIDUTCCAjmgAwIBAgIURxNp9ImDloxqOPNAP0ySBZN/BDQwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUT3BlblNlYXJjaCBUZXN0IE5vZGUwHhcNMjQwODI4MTA0
+MzUwWhcNMzQwODI2MTA0MzUwWjBiMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT05U
+QVJJTzEQMA4GA1UEBwwHVE9ST05UTzEMMAoGA1UECgwDT1JHMQ0wCwYDVQQLDARV
+TklUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCp7qyGufu1cQYWJJGZ04XulVdwsKytMeLNSDHT90ratfsAy5WP3CRy
+fug0E6nB7eykSHnE8aYomrghJIL0oP3v7b7vV/iasZ17Q2uiY67fQb4s6Rvrcov5
+R7ak5/B22uslDrDY0BaSWKCxHREb55rMhVWlVTXpm91kdGvo4Q61Gcxe45mweKR8
+UMbUlNuXrW/xwTwYI4pdDxha2ZXgTBrBJXppEh/KQp0rdy4Be3KG5IbqrH/Bh6cG
+4CZ/di0i6xWxAhQOlOKlcTHpMAtXx0eBjha/Y9+p3/7z9fmE/JsYozw56r75CPDG
+VpNiSDoPMPed4uhpbXQVYeCTUe3Hh8WRAgMBAAGjQjBAMB0GA1UdDgQWBBTm5Cel
+/aWnBGFDUnZKNYs+BVFHFzAfBgNVHSMEGDAWgBTjV81VkxbQpzmea/neQpMg1lPQ
+IzANBgkqhkiG9w0BAQsFAAOCAQEAjaXJN+NyS74cDTAtjVqo4e+h2K/LfYyIpdYp
+mTDi+wRBlprJUDl18TK26c0hV6T4MN8QxqoqCXoEVJZWDjBYOUsl3OfSgPpT0aww
+3Z/mIPOLb9mR1zOO9tXZhgNdFCLRRepiLyPRsRVQ3K3klle42DHaEIOUlwtqAArF
+d9MKg9PShrRjqJwlm8vL3E8KjNeC8gAvebF3e7ADIatXjRK5Rc/LQhgPCaCZKSDF
+w36AhGBnXsCgi3IR00E9CWOsC2UVeAhgHHaN1oJjuLfFupG/2Vx6Ii+PAgueE7ec
+VWQeasxHihc0VjEYtSiNlYO6A8rcH7lg+0OCzGr97DC+zfFZwQ==
 -----END CERTIFICATE-----
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.key b/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.key
index 95e11f79cea24..ca0c6ba868047 100644
--- a/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.key
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/client/client.key
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,81AB10154C04B38F
-
-0L6Buvpeg6QHh/mbYp/3bXDCsu0k0j5xPdIGWd6NCOdb24OQFsOjeA2WuPqs0WWF
-gzVrjh984biS3IqeglEr6X6PfVJ0QOgBkq0XgSBXhuoRJL/302N9oPGsf8T8oW9t
-pqR/JIB2L7lMbJlJYSjMl0YQT3hWpo2BlrtSIc/GWOKfjDNWc9BL+oHvKJwql1lb
-n4yMvYFYJDqgzgxa3r4IIQNsCn3SP+gqbTx9vF6StOIroV51BdSL4IGWRvqnMJrh
-ybk1EHSLR1oGcONLU4Ksi33UxdImG70SsnoH/NnInDvV2bxmxmgf5SfYKtxFhoxz
-0hISKTMTerPGtRQ5p8wtEi/ULKyInK+qF3tLgZa+S5VbByjDnUo2dCcbDDSkH5pO
-uczJ2bs1kJegpCrUueJdbi9OX2upmF+tJb9+5hzFTvey8dUWTEpdiN0xbp4BLfNd
-Yp4sMHZovsDJKIjDb0NbXRgLeFh1ijlLPhKwIXWTF3BaCKcSw34Qv22YPwn3qNuw
-0KuUPAo0B65R/hoJguvtks8QAXe0S1jZS/fAlQCoIB0TIduy1qkyje+AnSW+1RL0
-ysBxLqbvRUqWlgnu7/28V4FD8JNu3O+UGBEelXlfokLgCBZ6lSys2d3Zy/XVBnG0
-cPl59if+fxKaMWlhFvMLFBup1Y4a/1zA7Sx6kkhvawekHr40NcG4kLHJ+O6UoM4d
-/ibnbfIksLNkuo/nwoEcKp7W6SxafV0hROdxClkGKild66rnHtk4IGATjaBqt9nr
-FuO3vRtLuUMS+/4kpvhMwl0RhX2/i6xgV+klWNYNu1JTGDFvdG3qfiY2w88EIbGe
-rn8JEvRtaH/XNeGdhBwbuObvTifiHyYzA1i5Zh8zvE2+Dthlk19jbBoOUx//LOi2
-JrNkAsqQCF4HXh7n9HWA/ZrKTP7Xvkig6Vf7M2Y/tO361LSJfzKcRFLpl0P2ntEv
-XwFOqTvOURERTVr4sBLOVPRAhIs3yvkI5xfurXzbRWtSeLgrMoDgJlXIQbuXd8sq
-zIBLqvYf2bcroB66XJqX1IFWEstym/NHGcbrwjR5Fn2p3YAtXnIbw8VhHwV+LIOl
-ky/wH9vbnML/DE81qFqRe8vNZw2sGn9skOyU/QvKeV1NRHYZSV3hMx82bPnjgFeB
-ilzkb8FEPOAOJ0m44Q3C9eUoazJT8aCuRIAgSL43se1E2pFlIXQTfYRARaWEkSf9
-0hXqQJc17b+Hj0ire3PUqbG3+/l1qMhhIHwq7Kuyy2neTuW/DXbXp2AMv/bLcnHH
-apVeRZaYXVSnGXJNk2CeRnCs8OGir8g5zkH+fmVb9knt6TL2oFIsQqULyrLolhfe
-6Q8mLzq/sd+w+VuN1n/5+RQqOJZWEkLFzQPx8wTqeTB19OE0gjncrqzCHq7INqRe
-tGClWOj/yL0Sciu3ctVGz1VAbgeBKnLdKm2TX4oFB4OG4E7GMXIL7hGxjtjLAVMW
-XNc3ZYNQra+iPqJtFxnmbrF2Sn0Wr0hcAT1V0A0TRKe/n0lpUrfhTy/q4DUlOVKG
-qdCsTGoYXObpUWU5G9GyCVWWRJyrTxJcBZ9KWJu9Y/aMFzoa2n0HQw==
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQO04hOVF1REJsgAkP
+xkFZ/gICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEENoXPnjByIDKjwqz
+3+WRgNsEggTQuv3EOfjFwF8f0fac2GjJJxN3L2b88CeKxbjTL/6kQ1bvWSI1+L45
+0zP6CQ+5lI3N9/0YFoCWX5y57e+OXafAWivkUp/LiGkYWcRnqGVhZgSQTFQP9rly
++3PUDLlM5FuGylKvoqYmTIBud1puBiChYj0FKImOyHgPH3/GEGbTSrtvCSZkCw72
+XkkF32/OtSbqTuGlGgl+pGLTtnS2+RhgiCzXMCtvHJqjhAh22J7uoYYqk02QKEme
+GMWM4anxmLPBr/Rw04NrlEfgRl8mTIhgrgwKV/mwfK++kqboWpzfXPs/S4KHJxmv
+WvVcxHovoyovBA87C8cY4Qz/PZzm9vZr/+hQCF0OJgvZejWiUiuRJ9HgeteKTEMo
+CrOlyZXcaMHPCa8CK6U+lUBwTZbAAzMYSazfaf8524yDGksOA4J/KGC3uvviYW09
+hTaqhq0yGqBUe5mrgEEhSV2vIpjK6MKxMtvjKvc1fjfrYIL9BGiiHOCGaljQTQAA
+yLZqQwlj//v4om3onR6HOfZeYsQxzH5zNFSIJa96/kBBWG9Q0ZMmqEqB52rNUT28
+ZapjaqqRkos/rBdvzDQzlyx+NjZnOsueEkC+cX/1psIoE+6vLbonMrlzl+SSqtxB
+EuSD7dekZ7o3eQLzRI13ohRtzMv4ojWMpr769WsQ4KKflK7pLVdIYFZbL0Q44s/w
+Bc9ByiwSGymhEO6uqqfBT1baj19yTrc3FU/jaJyIsRNs/EAc7c6nPejiiwxtE7Ex
+oVSwbKoD2CXB/DYlenenBGvuP1jyHSkQqv2YWdL1bm9Rp8DNJ+HG0OP913fTuE3V
+7ScOt2ZnR2B+VWN3Eu8MdiX16vi/ub/4H1HihANw/W5HSwuW88V7fGcbSzRWxyCN
+5Od7b5y2zAD/tl+x4GXFZ9k+di2sZc7W6zzVqHr55nfxvsFvHt5dWipTxZFdVhRh
+tXhGnYCfr1gKN4FdTW/MuYa3otHL4gVpnVdQ10C48bCljCaVdep/AhC5dj0GaTyx
+VJBzzD5vp6zt6jsfjI059+zVyR5zxhEKeotURVTqzhz08TOHCkyQP0KRQ+U5ve80
+9cj1odt43JBXFq5w9/aUQWG6ZnBJQup/zlDdGncPd0+3Eh0WoQyDh/XlFosrxt7L
+QF9SqN9oTIp9Fgr6yOFrDOamQAb6f+5Ms5XNegHmlqSkGcpJxf2JBNinrY4drrQ8
+GuVCQ94GhjdGMdSM8Vv8Yi+8RHyqn6R2hjiY4PX+86J+xFNOGr5RiXk8NUp5kM5s
+ZfffpB0ELlgBQzEv2PV9hdh66M8EGjyQl4ItzXg3JhbiXOKAQLbpPOD22zcZsmm2
+r5E4vgRwYfHnmwqJsrIcvMK1m4USlGuwJYP5ExuwE4xdsaUNwKEd3gZAXzhV1YKn
+HyBfJFwYJsBR+l9G9kt/ZWpEd2DNnfss7ujQYTHGQ6WT1zbKbCsb8aE1CNXXs93C
+DtuMUvG+BRTwuSAtvWTf+XPcTjgTrrAKQq2tmsbDe3CEgW5r/4+OL6s3nxI/mVVg
+4jOcUZ0bePBvu+4/jIRqlx2MZIFRp+vvR4RiQ0wYBcihW7Wed8y+ZWdHxg6eUlJP
+WXwdmXsz+NFMXpJvBX0OgntVzxEdJAyGEeBArBJPAKmcbR3JfDWMQ8M=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.crt b/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.crt
index 309ade87fbd78..317991a707a16 100644
--- a/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.crt
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.crt
@@ -1,22 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDsjCCApqgAwIBAgIUXxlg/0/g3UYekXWBRpkHM84EYfIwDQYJKoZIhvcNAQEL
-BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
-cmF0ZWQgQ0EwHhcNMTkwMTEwMDIxMDMwWhcNNDYwNTI3MDIxMDMwWjAPMQ0wCwYD
-VQQDEwRodHRwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi8VQaSR6
-uqgT1Rkw+a39OSXcXuhJBVdoO+AyYPK7hdUTxj1aqnXkKeAiNGpe/J+uXZ837Spy
-rmBZS3k6S5hLEceF2xug8yrR7RYEZ+JvGlRgg/jj+61gGbHAD314+vvu0YUo06YG
-wbz9AnjJA/sMbsCp3iSzWIkwZBZcCoZ/YsG4I89LSjYL3YmRi2193WMX6/OfQYMN
-Fkv61r/iwBEkgJ14cUSYe3norGuQfZuXSh5kI5D5R7q7Bmb0um+jzY/l62kj3oR1
-YWo3g6DdU/Bc/3/KmEEVXIfdTonMBMyL8PvYORoMKrYdph3E8e39ZQhPeBJNJKw0
-XzsZFzIUlTw0kQIDAQABo4HgMIHdMB0GA1UdDgQWBBTiqknjZLa5E1BneHRvTkNa
-Bm4nNTAfBgNVHSMEGDAWgBSU68vXWuUWW2xC2AmllVRZZUpvAzCBjwYDVR0RBIGH
-MIGEgglsb2NhbGhvc3SCF2xvY2FsaG9zdDYubG9jYWxkb21haW42hwR/AAABhxAA
-AAAAAAAAAAAAAAAAAAABggpsb2NhbGhvc3Q0ggpsb2NhbGhvc3Q2ghVsb2NhbGhv
-c3QubG9jYWxkb21haW6CF2xvY2FsaG9zdDQubG9jYWxkb21haW40MAkGA1UdEwQC
-MAAwDQYJKoZIhvcNAQELBQADggEBAIZr8EhhCbNyc6iHzUJ/NrUGht5RDHUKN9WU
-2fd+SJlWijQYGoFW6LfabmYxIVPAFtYzUiA378NFoOZZ4kdC3gQng8izvS2UDcO6
-cAG5q/dxop3VXqcLeK3NpH2jd83M8VZaOThPj/F07eTkVX+sGu+7VL5Lc/XPe8JS
-HhH2QtcTPGPpzPnWOUMLpRy4mh5sDyeftWr2PTFgMXFD6dtzDvaklGJvr1TmcOVb
-BFYyVyXRq6v8YsrRPp0GIl+X3zd3KgwUMuEzRKkJgeI1lZRjmHMIyFcqxlwMaHpv
-r1XUmz02ycy6t3n+2kCgfU6HnjbeFh55KzNCEv8TXQFg8Z8YpDA=
+MIIDUTCCAjmgAwIBAgIURxNp9ImDloxqOPNAP0ySBZN/BDUwDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUT3BlblNlYXJjaCBUZXN0IE5vZGUwHhcNMjQwODI4MTA0
+NDE1WhcNMzQwODI2MTA0NDE1WjBiMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT05U
+QVJJTzEQMA4GA1UEBwwHVE9ST05UTzEMMAoGA1UECgwDT1JHMQ0wCwYDVQQLDARV
+TklUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCk1Ot2RGbUS3yJchvdtrcGJPoR8cTTUfVVMMRT+btXayllbLQd/cHV
+jP1DxauXiLQs77R3NGfPs/Sk7fGQh6p/4F52F5wlNqG/Hq0MquqjXEo/ey8i+p5Y
+zTB8v2Hv6RwN0HLB2uiAUOWjHvddiz36nfPmQ5jlF+IsR36KMb6AWHaB60kUabZL
+vPOrtw7KZMkHRC+3tXvvepNe3uAKTIOEeHJneNNc76ShPnjANev7ONpNHgvMTJDY
+nbNtDL2WnHvnyEwIgWLOnJ1WgOAsiSpebPqibi+25FirFKGTB2qp2NfU+tCoK7hG
+1nPfPSCxBEqhwoJOywft2AxhDoicvo+HAgMBAAGjQjBAMB0GA1UdDgQWBBQ2Dr4v
+2/aWi1JSmXfRITKOTlwa+DAfBgNVHSMEGDAWgBTjV81VkxbQpzmea/neQpMg1lPQ
+IzANBgkqhkiG9w0BAQsFAAOCAQEAXEmxgNViixLWVQx9EgWscxaiI4d4OFd7Dfb/
+11qRtKoobEuSK5lOhDim8hZfs+iueKHuT/bRJ59Yu/p4GS+ZeJRgEXfCdY9S3Zeb
+qGCi/IBRT1oq4vD3OSWA88C3I+pGXRb7R3fvtIcfy42o1FdHAg3MOlRx7fZHtAdE
+GJ4SRsKTex7phWvKZ14R+wj45B8dA8Ty6/6nzPqb5+SLa5w37jU/gdew2cW2lEaN
+tZb/aj1l5LmxXje3mvVag5SR2ussDrARcRu+uW7qYq0IzzQDxyzwpEWPC/QsgEme
+9GFPd3xNu4tSoM0arrK8xjNtEh4P2gokhNJwy+vDGvKMrrWjVg==
 -----END CERTIFICATE-----
diff --git a/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.key b/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.key
index 8b8d3b4083c67..68b61c6d6e03e 100644
--- a/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.key
+++ b/modules/reindex/src/test/resources/org/opensearch/index/reindex/http/http.key
@@ -1,30 +1,30 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,127A4142FA81C5A1
-
-dP6oSAUl47KCnP0YZSX108qcX5s2nVGpD0qtnVQg89mLVFd7IxpKQaIuODSadRTo
-AD0KINITy3ZwUr/TTJgERu88baBsTHv3PLEe7TpQI2DGGDz3aZfO9e6Jvglbdi5b
-CBLaxRXGGhhH9YH0E87Lp3JEwg4udWmlNahGIhbqNheZNTtDKt+Lx80TyyIml2r/
-GAhjT4UPvIRrATFAcL/3EKOjRqvb6SeGnZu21n2TSmsBEr02gC0Ox3qmsnRM3kvU
-jCuUzWTzJSQLXZwZuMtv5srOSFAbU8EklFXNhWJU/7GBy215aAAW48hCzkPMVEbg
-oeH4nuze/Uulih9UxJGCBIpvfTnksyMRGP/zdy1mnKuqQk+yI0n7JWMJL8QoDQc8
-XvzqOmKLdBVezmzOVP/PyMAhYWetILh/1UesjyJot2hwSXPAxqBHPVA9bnmel6CQ
-VccNSwaK120yT5YhkUMFc0AmUpztzNMQzJ10g1dW+Qsr+n4vtFmAuTvBgogNNVXn
-eX1hbbiXGO1Fw4OMu6qTJ4T/P+VFb0CxoxETWeqdjcs4LGbeqF68nayEsW0ZzhbI
-W5c+JAbW18Kb+k/KzKZTtJEXBw6B/2FMe9x9z3BIpVhplM2KsNk7joWnumD8LfUT
-ORRHUPV7bkdiDsn2CRaevubDQiChcjsdLWhG7JLm54ttyif7/X7htGOXPZLDLK8B
-Vxe09B006f7lM0tXEx8BLFDNroMLlrxB4K5MlwWpS3LLqy4zDbHka2I3s/ST/BD4
-0EURHefiXJkR6bRsfGCl3JDk0EakcUXM+Ob5/2rC/rPXO2pC0ksiQ2DSBm7ak9om
-vlC7dIzVipL0LZTd4SUDJyvmK4Ws6V98O5b+79To6oZnVs5CjvcmpSFVePZa5gm/
-DB8LOpW4jklz+ybJtHJRbEIzmpfwpizThto/zLbhPRyvJkagJfWgXI0j+jjKZj+w
-sy1V8S44aXJ3GX9p4d/Grnx6WGvEJSV0na7m3YQCPEi5sUgr+EMizGUYstSSUPtU
-XhxQRZ95K2cKORul9vzG3zZqqvi73Ju5vu9DLmmlI00sLzyVGFtvkuhrF2p7XclM
-GU/rMOeMClMb6qyCzldSs84Anhlh/6mYri6uYPhIGvxqtH44FTbu1APvZp0s2rVm
-ueClHG78lat+oqWFpbA8+peT0dMPdSKDAFDiHsGoeWCIoCF44a84bJX35OZk+Y4a
-+fDFuSiKYBMfAgqf/ZNzV4+ySka7dWdRQ2TDgIuxnvFV1NgC/ir3/mPgkf0xZU5d
-w8T+TW6T8PmJfHnW4nxgHaqgxMoEoPm8zn0HNpRFKwsDYRFfobpCXnoyx50JXxa4
-jg095zlp8X0JwconlGJB1gfeqvS2I50WEDR+2ZtDf7fUEnQ3LYJzP4lSwiSKiQsQ
-MPjy0SMQnqmWijylLYKunTl3Uh2DdYg4MOON662H3TxQW8TCYwK2maKujwS9VFLN
-GtRGlLrOtrOfHBSwDCujFjqEmQBsF/y2C6XfMoNq6xi5NzREGmNXYrHbLvl2Njwm
-WB1ouB4JzmEmb1QNwxkllBAaUp1SJGhW2+fYOe0zjWOP9R4sUq4rRw==
------END RSA PRIVATE KEY-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQprhRDFFTnmWmHgAB
+ULpI4wICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEEuzT8itQgHZfKb/
+ReywEdIEggTQD117YFYRhSSivErIhTKQSuofhH/ZgW6nYnKlcDT08bgNQjbEg94a
+QZqsPl9D6tfcmg7XlNTEiQpnSnsh6LrrhQbNkt3PvJxfUUy0ATVXXdH538RcPLAC
+K2NHi1iwSbnqdcBU+/Be8M1F9e9P5hx6HbJGEF/JIkpWDDmOoCGvlwfH0PSiliY4
+uqxsmekvNgz2GBhELZj4sEJ7C7/I26vOuzS6suDn6xGF8JZIg8i7upamUgLoBtG/
+waxlmfTx+hkYFDQGcy9jvkV043sK/hLTOycUGhmS1ybQSf9ANbsM8RjOIq6QxpIZ
+wtV/7EzqDWYradQBRrhAP24yzEj6H1cTr8yMmD6JuxvGZ7uQpTCRiFopB6TgK+x+
+2HqEgeRyBz4hU0i22kyGHC9sSG9WwKhmXhfcBtzJi3JABbkeg9LarwOzbh51DaxN
+/gTop4UYRTYbJB9bhcIU0Y5xPSSphphCWmGuBU6CinsBj1w+UBP137GzgnXvV6PL
+S8tai963P38Oafw/T2IyFTyAkuHJJ5MjVc71Q+vYLzfu4SfBdSIb1oFPT4otNwHP
+NbPvTYq0DWnHFNeIc5vmLJJTWVemBTkxvHr+WfU8meFsjxZT05gzgOk+5BZFya5h
+oV53mYQYPSyJiBUz0icHyyzUWaEHQLXHrmE6i+kW7+b4lrhi7KV1AMGRSJXUS9/Q
+I7NuCQG3+iCyMd+CupvsiK7xjOytgCstwWIGeHlSmYwS+txi1wpbBJ4X6NQLlHyy
+KZoFxyWTKtEdX1QKioBxeoKVy5G5LOh7S/jd9jEsZ2C8snFnDbNHALBmXIH3fshA
+bo4keel427V6W3f9/u0nT1RWrYiBK12XJiS3/kXg8krln1Xb/MkgTKmLEZF+VDXO
+Y3QwAICNM6/235siHuQG+uJ/WoL9xd1R22/+2mxNy1Rdhd49n8GFg0Kjsbmd+hL9
+aMwRU09SNNPCwdAIHmoMCIYS6uTX1bcGSzMir16JepmIYQllwdOoLk2nxtBCaHwj
+ZLYO21W+iFgo4TwXzkuaI2q3Ll0n79BJUVdOnz8hBCq0Ox7sTEY7g1vQGHIsBx98
+PYZmaaXVh+u2chHKrwp6L9mRikXQiNWwtqTH/kp7BydRnYIcaP27SCM8HbaYfV/x
+02FjBbpZ7u1PwS3jlGmcxE/qTd+cLkk3pm7WPPMlOnMh/X5N3/OpznUgJnVRtGqk
+uDy4HSE5vEhHDp0F67R0ph8/HfIBamvJIoonYzoC2iEMgL4yqL0x44SOCioXScgz
+hluYX1kQRfyXWjoP+vBBOUapwYDwk1gGXap5iQjtiVq6FN8DspckHRVI5B1voVIC
+37Mn2OXH9JloObouLYMRa1dDm7h+/3Cb9UAhKpOjpLc1apA49+Rjtq1gBExhac74
+9SwrcQJdRx0NDJjoMHKrGUFkg/W+R7OTad7+l98M473nWuV3mzJDXcuxmam9llRI
+2O+1QsV5hjd4/zCtIka+pOALp+cVSmktTjKNh105asX7d4XIxtg3M+FJWTEODZfy
+VulvKri/rkrbCBwMQyj3TpF4AkVjhSM2P5j7LRsivfGc8VL00OqYJp9pYfav38gs
+EpYOmaDEV/Ls744WSJJo5Qq0EpDclBTFjky6kZx7RDfySUzfN/Nhv6A=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
index d57252950620a..ffcc982c758b9 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
@@ -10,6 +10,8 @@
 
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.opensearch.OpenSearchException;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.network.NetworkAddress;
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.ClusterSettings;
@@ -121,7 +123,7 @@ public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Setti
             @Override
             public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
                 try {
-                    final KeyStore keyStore = KeyStore.getInstance("PKCS12");
+                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12);
                     keyStore.load(
                         SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.p12"),
                         "password".toCharArray()
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
index ff52e6e178692..2008c6a2e9a3a 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
@@ -10,6 +10,8 @@
 
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
@@ -77,7 +79,7 @@ public Optional<TransportExceptionHandler> buildServerTransportExceptionHandler(
             @Override
             public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
                 try {
-                    final KeyStore keyStore = KeyStore.getInstance("PKCS12");
+                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12);
                     keyStore.load(
                         SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.p12"),
                         "password".toCharArray()
diff --git a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
index a4a2e672f3afe..3105967cd9001 100644
--- a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
+++ b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
@@ -41,6 +41,8 @@
 import org.apache.logging.log4j.LogManager;
 import org.opensearch.cloud.azure.classic.management.AzureComputeService;
 import org.opensearch.common.SuppressForbidden;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.util.FileSystemUtils;
@@ -109,7 +111,10 @@ protected Collection<Class<? extends Plugin>> nodePlugins() {
     public static final ExternalResource MUTE_IN_FIPS_JVM = new ExternalResource() {
         @Override
         protected void before() {
-            assumeFalse("Can't run in a FIPS JVM because none of the supported Keystore types can be used", inFipsJvm());
+            assumeFalse(
+                "Can't run in a FIPS JVM because none of the supported Keystore types can be used",
+                Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP))
+            );
         }
     };
 
@@ -278,7 +283,7 @@ public static void startHttpd() throws Exception {
 
     private static SSLContext getSSLContext() throws Exception {
         char[] passphrase = "keypass".toCharArray();
-        KeyStore ks = KeyStore.getInstance("JKS");
+        KeyStore ks = KeyStoreFactory.getInstance(KeyStoreType.JKS);
         try (InputStream stream = AzureDiscoveryClusterFormationTests.class.getResourceAsStream("/test-node.jks")) {
             assertNotNull("can't find keystore file", stream);
             ks.load(stream, passphrase);
diff --git a/plugins/repository-gcs/build.gradle b/plugins/repository-gcs/build.gradle
index d4c870e1ca2b2..58bfe4a3dde51 100644
--- a/plugins/repository-gcs/build.gradle
+++ b/plugins/repository-gcs/build.gradle
@@ -246,7 +246,7 @@ def encodedCredentials = {
 task createServiceAccountFile() {
   doLast {
     KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA")
-    keyPairGenerator.initialize(1024)
+    keyPairGenerator.initialize(2048)
     KeyPair keyPair = keyPairGenerator.generateKeyPair()
     String encodedKey = Base64.getEncoder().encodeToString(keyPair.private.getEncoded())
 
diff --git a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
index 83a4146c99b99..b39e0de08eba7 100644
--- a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
+++ b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
@@ -36,6 +36,7 @@
 import com.google.api.client.http.HttpRequestInitializer;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.util.SecurityUtils;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.ServiceAccountCredentials;
 import com.google.cloud.ServiceOptions;
@@ -46,10 +47,13 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.opensearch.common.collect.MapBuilder;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.core.common.Strings;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.Authenticator;
 import java.net.PasswordAuthentication;
 import java.net.Proxy;
@@ -185,9 +189,12 @@ public HttpRequestInitializer getHttpRequestInitializer(ServiceOptions<?, ?> ser
     private HttpTransport createHttpTransport(final GoogleCloudStorageClientSettings clientSettings) throws IOException {
         return SocketAccess.doPrivilegedIOException(() -> {
             final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
-            // requires java.lang.RuntimePermission "setFactory"
-            // Pin the TLS trust certificates.
-            builder.trustCertificates(GoogleUtils.getCertificateTrustStore());
+            // use the JKS trustStore format instead of PKCS#12 to ensure compatibility with BC-FIPS
+            var certTrustStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
+            InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.jks");
+            SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
+
+            builder.trustCertificates(certTrustStore);
             final ProxySettings proxySettings = clientSettings.getProxySettings();
             if (proxySettings != ProxySettings.NO_PROXY_SETTINGS) {
                 if (proxySettings.isAuthenticated()) {
diff --git a/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/GoogleCloudStorageServiceTests.java b/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/GoogleCloudStorageServiceTests.java
index b620f212df413..5406e41e5f03d 100644
--- a/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/GoogleCloudStorageServiceTests.java
+++ b/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/GoogleCloudStorageServiceTests.java
@@ -188,7 +188,7 @@ public void testClientsAreNotSharedAcrossRepositories() throws Exception {
 
     private byte[] serviceAccountFileContent(String projectId) throws Exception {
         final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
-        keyPairGenerator.initialize(1024);
+        keyPairGenerator.initialize(2048);
         final KeyPair keyPair = keyPairGenerator.generateKeyPair();
         final String encodedKey = Base64.getEncoder().encodeToString(keyPair.getPrivate().getEncoded());
         final XContentBuilder serviceAccountBuilder = jsonBuilder().startObject()
diff --git a/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/TestUtils.java b/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/TestUtils.java
index 648955c079b3e..ba7422e6cf811 100644
--- a/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/TestUtils.java
+++ b/plugins/repository-gcs/src/test/java/org/opensearch/repositories/gcs/TestUtils.java
@@ -50,7 +50,7 @@ private TestUtils() {}
     static byte[] createServiceAccount(final Random random) {
         try {
             final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
-            keyPairGenerator.initialize(1024);
+            keyPairGenerator.initialize(2048);
             final String privateKey = Base64.getEncoder().encodeToString(keyPairGenerator.generateKeyPair().getPrivate().getEncoded());
 
             final ByteArrayOutputStream out = new ByteArrayOutputStream();
diff --git a/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java
index 42eac9fdf4961..04ef48f61c95c 100644
--- a/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java
+++ b/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java
@@ -48,6 +48,8 @@
 import org.apache.http.util.EntityUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -95,7 +97,7 @@ private static HttpResponse execute(Request request, String username, String pas
             try (InputStream inStream = Files.newInputStream(caCert)) {
                 CertificateFactory cf = CertificateFactory.getInstance("X.509");
                 X509Certificate cert = (X509Certificate) cf.generateCertificate(inStream);
-                KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
+                KeyStore truststore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
                 truststore.load(null, null);
                 truststore.setCertificateEntry("myClusterCA", cert);
                 KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
diff --git a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
index 81fb1309df310..a151864610521 100644
--- a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
+++ b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
@@ -40,10 +40,13 @@
 import org.apache.lucene.store.IOContext;
 import org.apache.lucene.store.IndexOutput;
 import org.apache.lucene.store.NIOFSDirectory;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.cli.ExitCodes;
 import org.opensearch.cli.UserException;
 import org.opensearch.common.Randomness;
 import org.opensearch.common.SetOnce;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.hash.MessageDigests;
 import org.opensearch.core.common.settings.SecureString;
 
@@ -448,8 +451,11 @@ private byte[] encrypt(char[] password, byte[] salt, byte[] iv) throws GeneralSe
     }
 
     private void decryptLegacyEntries() throws GeneralSecurityException, IOException {
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+            throw new SecurityException("Legacy KeyStore formats v1 & v2 are not supported in FIPS JVM");
+        }
         // v1 and v2 keystores never had passwords actually used, so we always use an empty password
-        KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
+        KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
         Map<String, EntryType> settingTypes = new HashMap<>();
         ByteArrayInputStream inputBytes = new ByteArrayInputStream(dataBytes);
         try (DataInputStream input = new DataInputStream(inputBytes)) {
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index fb3d62ab432db..04982aa8986d7 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -97,11 +97,13 @@ grant codeBase "${codebase.reactor-core}" {
 grant {
     permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
     permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission java.lang.RuntimePermission "closeClassLoader";
     permission java.lang.RuntimePermission "getProtectionDomain";
-    permission java.io.FilePermission "${java.home}/lib/security/jssecacerts", "read";
     permission java.io.FilePermission "${java.home}/lib/security/cacerts", "read";
+    permission java.io.FilePermission "${java.home}/lib/security/jssecacerts", "read";
     permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+    permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
     permission java.security.SecurityPermission "getProperty.keystore.type.compat";
     permission java.security.SecurityPermission "getProperty.org.bouncycastle.*";
     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
@@ -109,7 +111,6 @@ grant {
     permission java.util.PropertyPermission "java.runtime.name", "read";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
-    permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
 };
 
 //// Everything else:
diff --git a/test/framework/src/main/java/org/opensearch/test/OpenSearchIntegTestCase.java b/test/framework/src/main/java/org/opensearch/test/OpenSearchIntegTestCase.java
index 318549f676edf..e2dbec151742d 100644
--- a/test/framework/src/main/java/org/opensearch/test/OpenSearchIntegTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/test/OpenSearchIntegTestCase.java
@@ -2399,10 +2399,6 @@ public static String resolveCustomDataPath(String index) {
         return getIndexResponse.getSettings().get(index).get(IndexMetadata.SETTING_DATA_PATH);
     }
 
-    public static boolean inFipsJvm() {
-        return Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP));
-    }
-
     /**
      * On Debian 8 the "memory" subsystem is not mounted by default
      * when cgroups are enabled, and this confuses many versions of
diff --git a/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java b/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java
index b180187303a60..4572e3c59b1de 100644
--- a/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java
@@ -61,6 +61,7 @@
 import org.apache.lucene.tests.util.TestRuleMarkFailure;
 import org.apache.lucene.tests.util.TestUtil;
 import org.apache.lucene.tests.util.TimeUnits;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.Version;
 import org.opensearch.bootstrap.BootstrapForTesting;
 import org.opensearch.client.Client;
@@ -362,6 +363,12 @@ protected void afterIfSuccessful() throws Exception {}
     // setup mock filesystems for this test run. we change PathUtils
     // so that all accesses are plumbed thru any mock wrappers
 
+    @BeforeClass
+    public static void setFipsJvm() throws Exception {
+        var runInApprovedMode = Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP));
+        CryptoServicesRegistrar.setApprovedOnlyMode(runInApprovedMode);
+    }
+
     @BeforeClass
     public static void setFileSystem() throws Exception {
         PathUtilsForTesting.setup();
@@ -1758,7 +1765,7 @@ private static boolean isUnusableLocale() {
     }
 
     public static boolean inFipsJvm() {
-        return Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP));
+        return CryptoServicesRegistrar.isInApprovedOnlyMode();
     }
 
     /**
diff --git a/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java b/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java
index 8c612d258f183..d7b29b57f3934 100644
--- a/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java
@@ -60,6 +60,7 @@
 import org.opensearch.client.WarningsHandler;
 import org.opensearch.common.CheckedRunnable;
 import org.opensearch.common.SetOnce;
+import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.io.PathUtils;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.common.unit.TimeValue;
@@ -841,8 +842,7 @@ protected static void configureClient(RestClientBuilder builder, Settings settin
                 throw new IllegalStateException(TRUSTSTORE_PATH + " is set but points to a non-existing file");
             }
             try {
-                final String keyStoreType = keystorePath.endsWith(".p12") ? "PKCS12" : "jks";
-                KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+                KeyStore keyStore = KeyStoreFactory.getInstanceBasedOnFileExtension(keystorePath);
                 try (InputStream is = Files.newInputStream(path)) {
                     keyStore.load(is, keystorePass.toCharArray());
                 }

From 32586d41c8a7e6329b285fc35941510690ec9d16 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Mon, 23 Sep 2024 11:12:07 +0200
Subject: [PATCH 07/21] fixing additional tests.

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../client/FipsEnabledThreadFactory.java      | 36 -------------------
 .../opensearch/client/RestClientBuilder.java  | 12 ++++++-
 .../client/RestClientBuilderIntegTests.java   | 13 +++++--
 .../licenses/bcpg-fips-2.0.8.jar.sha1         |  1 +
 .../licenses/bcpg-fips-2.0.9.jar.sha1         |  1 -
 .../common/crypto/KeyStoreType.java           |  3 ++
 .../common/ssl/SslConfigurationLoader.java    |  6 ++--
 .../reindex/ReindexRestClientSslTests.java    | 14 ++++++--
 .../netty4/Netty4ClientYamlTestSuiteIT.java   |  5 ---
 .../reactor/netty4/ReactorHttpClient.java     | 13 ++++++-
 .../nodes.reload_secure_settings/10_basic.yml |  3 ++
 .../action/admin/ReloadSecureSettingsIT.java  | 14 +++++---
 .../org/opensearch/bootstrap/security.policy  |  1 +
 .../junit/listeners/ReproduceInfoPrinter.java |  2 ++
 14 files changed, 67 insertions(+), 57 deletions(-)
 delete mode 100644 client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java
 create mode 100644 distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.8.jar.sha1
 delete mode 100644 distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.9.jar.sha1

diff --git a/client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java b/client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java
deleted file mode 100644
index 2efdc48c70f59..0000000000000
--- a/client/rest/src/main/java/org/opensearch/client/FipsEnabledThreadFactory.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- */
-
-package org.opensearch.client;
-
-import org.apache.hc.core5.concurrent.DefaultThreadFactory;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-
-import java.util.concurrent.ThreadFactory;
-
-public class FipsEnabledThreadFactory implements ThreadFactory {
-
-    private final ThreadFactory defaultFactory;
-    private final boolean isFipsEnabled;
-
-    public FipsEnabledThreadFactory(String namePrefix, boolean isFipsEnabled) {
-        this.defaultFactory = new DefaultThreadFactory(namePrefix);
-        this.isFipsEnabled = isFipsEnabled;
-    }
-
-    @Override
-    public Thread newThread(final Runnable target) {
-        return defaultFactory.newThread(() -> {
-            if (isFipsEnabled) {
-                CryptoServicesRegistrar.setApprovedOnlyMode(true);
-            }
-            target.run();
-        });
-    }
-
-}
diff --git a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
index 0a46da6e1e8b0..325c7b0c0fbb8 100644
--- a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
+++ b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
@@ -332,10 +332,20 @@ public TlsDetails create(final SSLEngine sslEngine) {
                 .setTlsStrategy(tlsStrategy)
                 .build();
 
+            var inFipsJvm = CryptoServicesRegistrar.isInApprovedOnlyMode();
+
             HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create()
                 .setDefaultRequestConfig(requestConfigBuilder.build())
                 .setConnectionManager(connectionManager)
-                .setThreadFactory(new FipsEnabledThreadFactory("os-client-dispatcher", CryptoServicesRegistrar.isInApprovedOnlyMode()))
+                .setThreadFactory((Runnable r) -> {
+                    Runnable runnable = () -> {
+                        if (inFipsJvm) {
+                            CryptoServicesRegistrar.setApprovedOnlyMode(true);
+                        }
+                        r.run();
+                    };
+                    return new Thread(runnable, "os-client-dispatcher");
+                })
                 .setTargetAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE)
                 .disableAutomaticRetries();
             if (httpClientConfigCallback != null) {
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index db578ebb196ac..aab9e008ca708 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -39,6 +39,7 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.crypto.KeyStoreType;
 import org.junit.AfterClass;
@@ -79,8 +80,16 @@ public static void startHttpServer() throws Exception {
         httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
         httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true)));
         httpsServer.createContext("/", new ResponseHandler());
-        var threadFactory = new FipsEnabledThreadFactory("test-httpserver-dispatch", inFipsJvm());
-        Executor executor = Executors.newFixedThreadPool(1, threadFactory);
+        var inFipsJvm = inFipsJvm();
+        Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> {
+            Runnable runnable = () -> {
+                if (inFipsJvm) {
+                    CryptoServicesRegistrar.setApprovedOnlyMode(true);
+                }
+                r.run();
+            };
+            return new Thread(runnable, "test-httpserver-dispatcher");
+        });
         httpsServer.setExecutor(executor);
         httpsServer.start();
     }
diff --git a/distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.8.jar.sha1 b/distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.8.jar.sha1
new file mode 100644
index 0000000000000..758ee2fdf9de6
--- /dev/null
+++ b/distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.8.jar.sha1
@@ -0,0 +1 @@
+51c2f633e0c32d10de1ebab4c86f93310ff820f8
\ No newline at end of file
diff --git a/distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.9.jar.sha1 b/distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.9.jar.sha1
deleted file mode 100644
index 20cdbf6dc8aa8..0000000000000
--- a/distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.9.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-f69719ef8dbf34d5f906ce480496446b2fd2ae27
\ No newline at end of file
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
index d92b8067d3368..2b458d431215f 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
@@ -13,6 +13,9 @@
 import java.util.Map;
 import java.util.stream.Stream;
 
+/**
+ * Enum representing the types of KeyStores supported by {@link KeyStoreFactory}.
+ */
 public enum KeyStoreType {
 
     JKS("JKS"),
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
index 4deeed2bbc45e..98bc97c1c8787 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
@@ -247,8 +247,7 @@ private SslTrustConfig buildTrustConfig(Path basePath, SslVerificationMode verif
         if (trustStorePath != null) {
             final char[] password = resolvePasswordSetting(TRUSTSTORE_SECURE_PASSWORD, TRUSTSTORE_LEGACY_PASSWORD);
             final Optional<String> maybeStoreType = Optional.ofNullable(resolveSetting(TRUSTSTORE_TYPE, Function.identity(), null));
-            final KeyStoreType storeType = maybeStoreType
-                .map(KeyStoreType::getByJcaName)
+            final KeyStoreType storeType = maybeStoreType.map(KeyStoreType::getByJcaName)
                 .orElse(inferStoreType(trustStorePath.toString().toLowerCase(Locale.ROOT)));
 
             final String algorithm = resolveSetting(TRUSTSTORE_ALGORITHM, Function.identity(), TrustManagerFactory.getDefaultAlgorithm());
@@ -291,8 +290,7 @@ private SslKeyConfig buildKeyConfig(Path basePath) {
             }
 
             final Optional<String> maybeStoreType = Optional.ofNullable(resolveSetting(KEYSTORE_TYPE, Function.identity(), null));
-            final KeyStoreType storeType = maybeStoreType
-                .map(KeyStoreType::getByJcaName)
+            final KeyStoreType storeType = maybeStoreType.map(KeyStoreType::getByJcaName)
                 .orElse(inferStoreType(keyStorePath.toString().toLowerCase(Locale.ROOT)));
 
             final String algorithm = resolveSetting(KEYSTORE_ALGORITHM, Function.identity(), KeyManagerFactory.getDefaultAlgorithm());
diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
index 36b6edaa9c703..2fc7ab1654d41 100644
--- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
+++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
@@ -37,7 +37,7 @@
 import com.sun.net.httpserver.HttpsParameters;
 import com.sun.net.httpserver.HttpsServer;
 
-import org.opensearch.client.FipsEnabledThreadFactory;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.RestClient;
@@ -99,8 +99,16 @@ public static void setupHttpServer() throws Exception {
         SSLContext sslContext = buildServerSslContext();
         server = HttpsServer.create(address, 0);
         server.setHttpsConfigurator(new ClientAuthHttpsConfigurator(sslContext));
-        var threadFactory = new FipsEnabledThreadFactory("test-httpserver-dispatcher", inFipsJvm());
-        Executor executor = Executors.newFixedThreadPool(1, threadFactory);
+        var inFipsJvm = inFipsJvm();
+        Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> {
+            Runnable runnable = () -> {
+                if (inFipsJvm) {
+                    CryptoServicesRegistrar.setApprovedOnlyMode(true);
+                }
+                r.run();
+            };
+            return new Thread(runnable, "test-httpserver-dispatcher");
+        });
         server.setExecutor(executor);
         server.start();
         server.createContext("/", http -> {
diff --git a/modules/transport-netty4/src/yamlRestTest/java/org/opensearch/http/netty4/Netty4ClientYamlTestSuiteIT.java b/modules/transport-netty4/src/yamlRestTest/java/org/opensearch/http/netty4/Netty4ClientYamlTestSuiteIT.java
index 45693078174a8..9c10dc98202eb 100644
--- a/modules/transport-netty4/src/yamlRestTest/java/org/opensearch/http/netty4/Netty4ClientYamlTestSuiteIT.java
+++ b/modules/transport-netty4/src/yamlRestTest/java/org/opensearch/http/netty4/Netty4ClientYamlTestSuiteIT.java
@@ -39,15 +39,10 @@
 import org.apache.lucene.tests.util.TimeUnits;
 import org.opensearch.test.rest.yaml.ClientYamlTestCandidate;
 import org.opensearch.test.rest.yaml.OpenSearchClientYamlSuiteTestCase;
-import org.junit.BeforeClass;
 
 //TODO: This is a *temporary* workaround to ensure a timeout does not mask other problems
 @TimeoutSuite(millis = 30 * TimeUnits.MINUTE)
 public class Netty4ClientYamlTestSuiteIT extends OpenSearchClientYamlSuiteTestCase {
-    @BeforeClass
-    public static void muteInFips() {
-        assumeFalse("We run with DEFAULT distribution in FIPS mode and default to security4 instead of netty4", inFipsJvm());
-    }
 
     public Netty4ClientYamlTestSuiteIT(@Name("yaml") ClientYamlTestCandidate testCandidate) {
         super(testCandidate);
diff --git a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java
index 8d20650d76583..33ba9168e7d6a 100644
--- a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java
+++ b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java
@@ -13,6 +13,7 @@
 
 package org.opensearch.http.reactor.netty4;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.xcontent.ToXContent;
@@ -65,6 +66,7 @@
 public class ReactorHttpClient implements Closeable {
     private final boolean compression;
     private final boolean secure;
+    private final boolean fipsEnabled;
 
     static Collection<String> returnHttpResponseBodies(Collection<FullHttpResponse> responses) {
         List<String> list = new ArrayList<>(responses.size());
@@ -85,6 +87,7 @@ static Collection<String> returnOpaqueIds(Collection<FullHttpResponse> responses
     public ReactorHttpClient(boolean compression, boolean secure) {
         this.compression = compression;
         this.secure = secure;
+        this.fipsEnabled = CryptoServicesRegistrar.isInApprovedOnlyMode();
     }
 
     public static ReactorHttpClient create() {
@@ -183,7 +186,15 @@ private List<FullHttpResponse> sendRequests(
         final Collection<FullHttpRequest> requests,
         boolean ordered
     ) {
-        final NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup(1);
+        final NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup(1, (Runnable r) -> {
+            Runnable runnable = () -> {
+                if (fipsEnabled) {
+                    CryptoServicesRegistrar.setApprovedOnlyMode(true);
+                }
+                r.run();
+            };
+            return new Thread(runnable);
+        });
         try {
             final HttpClient client = createClient(remoteAddress, eventLoopGroup);
 
diff --git a/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml b/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml
index 0866c71b87e12..6b5c75fdd76ab 100644
--- a/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml
+++ b/rest-api-spec/src/main/resources/rest-api-spec/test/nodes.reload_secure_settings/10_basic.yml
@@ -24,6 +24,9 @@ setup:
 
 ---
 "node_reload_secure_settings test correct(empty) password":
+  - skip:
+      version: "3.0.0 - "
+      reason: "Running this test in active FIPS mode is not supported"
 
   - do:
       nodes.reload_secure_settings: {}
diff --git a/server/src/internalClusterTest/java/org/opensearch/action/admin/ReloadSecureSettingsIT.java b/server/src/internalClusterTest/java/org/opensearch/action/admin/ReloadSecureSettingsIT.java
index c81d491719e4b..2bb14e09beaf6 100644
--- a/server/src/internalClusterTest/java/org/opensearch/action/admin/ReloadSecureSettingsIT.java
+++ b/server/src/internalClusterTest/java/org/opensearch/action/admin/ReloadSecureSettingsIT.java
@@ -68,6 +68,9 @@
 @OpenSearchIntegTestCase.ClusterScope(minNumDataNodes = 2)
 public class ReloadSecureSettingsIT extends OpenSearchIntegTestCase {
 
+    // Minimal required characters to fulfill the requirement of 112 bit strong passwords
+    protected static final int MIN_112_BIT_STRONG = 14;
+
     public void testMissingKeystoreFile() throws Exception {
         final PluginsService pluginsService = internalCluster().getInstance(PluginsService.class);
         final MockReloadablePlugin mockReloadablePlugin = pluginsService.filterPlugins(MockReloadablePlugin.class)
@@ -182,7 +185,7 @@ public void testReloadAllNodesWithPasswordWithoutTLSFails() throws Exception {
         final Environment environment = internalCluster().getInstance(Environment.class);
         final AtomicReference<AssertionError> reloadSettingsError = new AtomicReference<>();
         final int initialReloadCount = mockReloadablePlugin.getReloadCount();
-        final char[] password = randomAlphaOfLength(12).toCharArray();
+        final char[] password = randomAlphaOfLength(MIN_112_BIT_STRONG).toCharArray();
         writeEmptyKeystore(environment, password);
         final CountDownLatch latch = new CountDownLatch(1);
         client().admin()
@@ -229,7 +232,7 @@ public void onFailure(Exception e) {
     public void testReloadLocalNodeWithPasswordWithoutTLSSucceeds() throws Exception {
         final Environment environment = internalCluster().getInstance(Environment.class);
         final AtomicReference<AssertionError> reloadSettingsError = new AtomicReference<>();
-        final char[] password = randomAlphaOfLength(12).toCharArray();
+        final char[] password = randomAlphaOfLength(MIN_112_BIT_STRONG).toCharArray();
         writeEmptyKeystore(environment, password);
         final CountDownLatch latch = new CountDownLatch(1);
         client().admin()
@@ -275,14 +278,15 @@ public void testWrongKeystorePassword() throws Exception {
         final Environment environment = internalCluster().getInstance(Environment.class);
         final AtomicReference<AssertionError> reloadSettingsError = new AtomicReference<>();
         final int initialReloadCount = mockReloadablePlugin.getReloadCount();
+        final char[] password = inFipsJvm() ? randomAlphaOfLength(MIN_112_BIT_STRONG).toCharArray() : new char[0];
         // "some" keystore should be present in this case
-        writeEmptyKeystore(environment, new char[0]);
+        writeEmptyKeystore(environment, password);
         final CountDownLatch latch = new CountDownLatch(1);
         client().admin()
             .cluster()
             .prepareReloadSecureSettings()
             .setNodesIds("_local")
-            .setSecureStorePassword(new SecureString(new char[] { 'W', 'r', 'o', 'n', 'g' }))
+            .setSecureStorePassword(new SecureString("thewrongkeystorepassword".toCharArray()))
             .execute(new ActionListener<NodesReloadSecureSettingsResponse>() {
                 @Override
                 public void onResponse(NodesReloadSecureSettingsResponse nodesReloadResponse) {
@@ -316,6 +320,7 @@ public void onFailure(Exception e) {
     }
 
     public void testMisbehavingPlugin() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         final Environment environment = internalCluster().getInstance(Environment.class);
         final PluginsService pluginsService = internalCluster().getInstance(PluginsService.class);
         final MockReloadablePlugin mockReloadablePlugin = pluginsService.filterPlugins(MockReloadablePlugin.class)
@@ -382,6 +387,7 @@ public void onFailure(Exception e) {
     }
 
     public void testReloadWhileKeystoreChanged() throws Exception {
+        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm());
         final PluginsService pluginsService = internalCluster().getInstance(PluginsService.class);
         final MockReloadablePlugin mockReloadablePlugin = pluginsService.filterPlugins(MockReloadablePlugin.class)
             .stream()
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index 04982aa8986d7..d6251acf07d4e 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -109,6 +109,7 @@ grant {
     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
     permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
     permission java.util.PropertyPermission "java.runtime.name", "read";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "changeToApprovedModeEnabled";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
 };
diff --git a/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java b/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java
index e2d59773a76cb..2b5f3fdc3e6b4 100644
--- a/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java
+++ b/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java
@@ -194,6 +194,8 @@ private ReproduceErrorMessageBuilder appendESProperties() {
             appendOpt("tests.timezone", TimeZone.getDefault().getID());
             appendOpt("runtime.java", Integer.toString(Runtime.version().version().get(0)));
             appendOpt(OpenSearchTestCase.FIPS_SYSPROP, System.getProperty(OpenSearchTestCase.FIPS_SYSPROP));
+            appendOpt("org.bouncycastle.jca.enable_jks", "true");
+            appendOpt("org.bouncycastle.rsa.allow_multi_use", "true");
             return this;
         }
 

From 24510e789dbf7b8dabee96c357174b01a71e8944 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Fri, 18 Oct 2024 14:54:57 +0200
Subject: [PATCH 08/21] Configure FIPS mode through global ENV VAR instead of
 thread-based.

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../gradle/info/GlobalBuildInfoPlugin.java    |   7 +++-
 .../gradle/testclusters/OpenSearchNode.java   |   9 ++++-
 .../opensearch/client/RestClientBuilder.java  |  12 ------
 .../client/RestClientBuilderIntegTests.java   |  13 ------
 .../opensearch/client/RestClientTestCase.java |  12 ------
 .../tools/launchers/SystemJvmOptions.java     |  11 +++++-
 .../opensearch/index/reindex/Reindexer.java   |  37 ++++--------------
 ...ReindexFromRemoteBuildRestClientTests.java |   2 +-
 .../reindex/ReindexRestClientSslTests.java    |  13 ------
 .../SecureNetty4HttpServerTransportTests.java |   4 +-
 .../ssl/SimpleSecureNetty4TransportTests.java |   6 ++-
 .../src/test/resources/README.txt             |   8 ++--
 .../src/test/resources/netty4-secure.jks      | Bin 0 -> 2790 bytes
 .../AzureDiscoveryClusterFormationTests.java  |  13 ------
 plugins/repository-s3/build.gradle            |  14 ++++++-
 .../reactor/netty4/ReactorHttpClient.java     |  13 +-----
 .../org/opensearch/bootstrap/Bootstrap.java   |  13 ++----
 .../common/settings/ClusterSettings.java      |   1 -
 .../common/settings/FipsSettings.java         |  20 ----------
 .../java/fixture/s3/S3HttpFixtureWithEC2.java |   4 +-
 .../opensearch/test/OpenSearchTestCase.java   |   8 ----
 .../junit/listeners/ReproduceInfoPrinter.java |   3 --
 22 files changed, 60 insertions(+), 163 deletions(-)
 create mode 100644 modules/transport-netty4/src/test/resources/netty4-secure.jks
 delete mode 100644 server/src/main/java/org/opensearch/common/settings/FipsSettings.java

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
index 570ab4a9f70e1..adf6f6878d322 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -77,6 +77,7 @@ public class GlobalBuildInfoPlugin implements Plugin<Project> {
     private static final Logger LOGGER = Logging.getLogger(GlobalBuildInfoPlugin.class);
     private static final String DEFAULT_LEGACY_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/LegacyESVersion.java";
     private static final String DEFAULT_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/Version.java";
+    protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
     private static Integer _defaultParallel = null;
 
     private final JvmMetadataDetector jvmMetadataDetector;
@@ -112,6 +113,8 @@ public void apply(Project project) {
         BuildParams.init(params -> {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
+            var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
+            var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-2");
 
             params.reset();
             params.setRuntimeJavaHome(runtimeJavaHome);
@@ -129,7 +132,7 @@ public void apply(Project project) {
             params.setIsCi(System.getenv("JENKINS_URL") != null);
             params.setIsInternal(isInternal);
             params.setDefaultParallel(findDefaultParallel(project));
-            params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false));
+            params.setInFipsJvm(inFipsJvm);
             params.setIsSnapshotBuild(Util.getBooleanProperty("build.snapshot", true));
             if (isInternal) {
                 params.setBwcVersions(resolveBwcVersions(rootDir));
@@ -179,7 +182,7 @@ private void logGlobalBuildInfo() {
             LOGGER.quiet("  JAVA_HOME             : " + gradleJvm.getJavaHome());
         }
         LOGGER.quiet("  Random Testing Seed   : " + BuildParams.getTestSeed());
-        LOGGER.quiet("  In FIPS 140 mode      : " + BuildParams.isInFipsJvm());
+        LOGGER.quiet("  Crypto Standard       : " + Optional.ofNullable(System.getenv(OPENSEARCH_CRYPTO_STANDARD)).orElse("any-supported"));
         LOGGER.quiet("=======================================");
     }
 
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index aaa2daef2a158..254cf345f50fd 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -556,7 +556,7 @@ public synchronized void start() {
         if (keystoreSettings.isEmpty() == false || keystoreFiles.isEmpty() == false) {
             logToProcessStdout("Adding " + keystoreSettings.size() + " keystore settings and " + keystoreFiles.size() + " keystore files");
 
-            keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", "-x", key));
+            keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", key));
 
             for (Map.Entry<String, File> entry : keystoreFiles.entrySet()) {
                 File file = entry.getValue();
@@ -738,7 +738,12 @@ private void runOpenSearchBinScriptWithInput(String input, String tool, CharSequ
     }
 
     private void runKeystoreCommandWithPassword(String keystorePassword, String input, CharSequence... args) {
-        final String actualInput = keystorePassword.length() > 0 ? keystorePassword + "\n" + input : input;
+        final String actualInput;
+        if (keystorePassword.length() > 0) {
+            actualInput = keystorePassword + "\n" + input + "\n" + input;
+        } else {
+            actualInput = input + "\n" + input;
+        }
         runOpenSearchBinScriptWithInput(actualInput, "opensearch-keystore", args);
     }
 
diff --git a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
index 325c7b0c0fbb8..3e38f9ae95dec 100644
--- a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
+++ b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java
@@ -48,7 +48,6 @@
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 import org.apache.hc.core5.reactor.ssl.TlsDetails;
 import org.apache.hc.core5.util.Timeout;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -332,20 +331,9 @@ public TlsDetails create(final SSLEngine sslEngine) {
                 .setTlsStrategy(tlsStrategy)
                 .build();
 
-            var inFipsJvm = CryptoServicesRegistrar.isInApprovedOnlyMode();
-
             HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create()
                 .setDefaultRequestConfig(requestConfigBuilder.build())
                 .setConnectionManager(connectionManager)
-                .setThreadFactory((Runnable r) -> {
-                    Runnable runnable = () -> {
-                        if (inFipsJvm) {
-                            CryptoServicesRegistrar.setApprovedOnlyMode(true);
-                        }
-                        r.run();
-                    };
-                    return new Thread(runnable, "os-client-dispatcher");
-                })
                 .setTargetAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE)
                 .disableAutomaticRetries();
             if (httpClientConfigCallback != null) {
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index aab9e008ca708..c1e89664dc405 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -39,7 +39,6 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.crypto.KeyStoreType;
 import org.junit.AfterClass;
@@ -60,7 +59,6 @@
 import java.security.SecureRandom;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
 
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -80,17 +78,6 @@ public static void startHttpServer() throws Exception {
         httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
         httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true)));
         httpsServer.createContext("/", new ResponseHandler());
-        var inFipsJvm = inFipsJvm();
-        Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> {
-            Runnable runnable = () -> {
-                if (inFipsJvm) {
-                    CryptoServicesRegistrar.setApprovedOnlyMode(true);
-                }
-                r.run();
-            };
-            return new Thread(runnable, "test-httpserver-dispatcher");
-        });
-        httpsServer.setExecutor(executor);
         httpsServer.start();
     }
 
diff --git a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
index e7c17e81dabed..49ee3373a071e 100644
--- a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
+++ b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
@@ -45,8 +45,6 @@
 import com.carrotsearch.randomizedtesting.annotations.TimeoutSuite;
 
 import org.apache.hc.core5.http.Header;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-import org.junit.BeforeClass;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -127,14 +125,4 @@ private static void addValueToListEntry(final Map<String, List<String>> map, fin
         values.add(value);
     }
 
-    @BeforeClass
-    public static void setFipsJvm() {
-        boolean isFipsEnabled = Boolean.parseBoolean(System.getProperty("tests.fips.enabled", "false"));
-        CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
-    }
-
-    public static boolean inFipsJvm() {
-        return CryptoServicesRegistrar.isInApprovedOnlyMode();
-    }
-
 }
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index 030dc15aa67fe..2d10fac45efda 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -78,7 +78,8 @@ static List<String> systemJvmOptions(final Path config) {
                 // log4j 2
                 "-Dlog4j.shutdownHookEnabled=false",
                 "-Dlog4j2.disable.jmx=true",
-                // security manager
+                // security settings
+                enableFips(),
                 allowSecurityManagerOption(),
                 loadJavaSecurityProperties(config),
                 javaLocaleProviders()
@@ -86,6 +87,14 @@ static List<String> systemJvmOptions(final Path config) {
         ).stream().filter(e -> e.isEmpty() == false).collect(Collectors.toList());
     }
 
+    private static String enableFips() {
+        var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
+        if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) {
+            return "-Dorg.bouncycastle.fips.approved_only=true";
+        }
+        return "";
+    }
+
     private static String loadJavaSecurityProperties(final Path config) {
         var securityFile = config.resolve("fips_java.security");
         return "-Djava.security.properties=" + securityFile.toAbsolutePath();
diff --git a/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java b/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java
index 92313e27f0544..c553effc65ab5 100644
--- a/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java
+++ b/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java
@@ -45,7 +45,6 @@
 import org.apache.hc.core5.util.Timeout;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.action.DocWriteRequest;
 import org.opensearch.action.bulk.BackoffPolicy;
 import org.opensearch.action.bulk.BulkItemResponse;
@@ -183,14 +182,7 @@ private ActionListener<BulkByScrollResponse> getRemoteReindexWrapperListener(
     }
 
     static RestClient buildRestClient(RemoteInfo remoteInfo, ReindexSslConfig sslConfig, long taskId, List<Thread> threadCollector) {
-        return buildRestClient(
-            remoteInfo,
-            sslConfig,
-            taskId,
-            threadCollector,
-            Optional.empty(),
-            CryptoServicesRegistrar.isInApprovedOnlyMode()
-        );
+        return buildRestClient(remoteInfo, sslConfig, taskId, threadCollector, Optional.empty());
     }
 
     /**
@@ -207,8 +199,7 @@ static RestClient buildRestClient(
         ReindexSslConfig sslConfig,
         long taskId,
         List<Thread> threadCollector,
-        Optional<HttpRequestInterceptor> restInterceptor,
-        boolean isFipsEnabled
+        Optional<HttpRequestInterceptor> restInterceptor
     ) {
         Header[] clientHeaders = new Header[remoteInfo.getHeaders().size()];
         int i = 0;
@@ -235,16 +226,11 @@ static RestClient buildRestClient(
             }
             // Stick the task id in the thread name so we can track down tasks from stack traces
             AtomicInteger threads = new AtomicInteger();
-            c.setThreadFactory((Runnable r) -> {
-                Runnable runnable = () -> {
-                    if (isFipsEnabled) {
-                        CryptoServicesRegistrar.setApprovedOnlyMode(true);
-                    }
-                    r.run();
-                };
-                var thread = new Thread(runnable, "os-client-" + taskId + "-" + threads.getAndIncrement());
-                threadCollector.add(thread);
-                return thread;
+            c.setThreadFactory(r -> {
+                String name = "es-client-" + taskId + "-" + threads.getAndIncrement();
+                Thread t = new Thread(r, name);
+                threadCollector.add(t);
+                return t;
             });
             // Limit ourselves to one reactor thread because for now the search process is single threaded.
             c.setIOReactorConfig(IOReactorConfig.custom().setIoThreadCount(1).build());
@@ -327,14 +313,7 @@ protected ScrollableHitSource buildScrollableResultSource(BackoffPolicy backoffP
                 RemoteInfo remoteInfo = mainRequest.getRemoteInfo();
                 createdThreads = synchronizedList(new ArrayList<>());
                 assert sslConfig != null : "Reindex ssl config must be set";
-                RestClient restClient = buildRestClient(
-                    remoteInfo,
-                    sslConfig,
-                    task.getId(),
-                    createdThreads,
-                    this.interceptor,
-                    CryptoServicesRegistrar.isInApprovedOnlyMode()
-                );
+                RestClient restClient = buildRestClient(remoteInfo, sslConfig, task.getId(), createdThreads, this.interceptor);
                 return new RemoteScrollableHitSource(
                     logger,
                     backoffPolicy,
diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java
index 7fbd6044d9b18..2e14df4628283 100644
--- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java
+++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java
@@ -77,7 +77,7 @@ public void testBuildRestClient() throws Exception {
                 assertBusy(() -> assertThat(threads, hasSize(2)));
                 int i = 0;
                 for (Thread thread : threads) {
-                    assertEquals("os-client-" + taskId + "-" + i, thread.getName());
+                    assertEquals("es-client-" + taskId + "-" + i, thread.getName());
                     i++;
                 }
             } finally {
diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
index 2fc7ab1654d41..35fdcd07626d1 100644
--- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
+++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java
@@ -37,7 +37,6 @@
 import com.sun.net.httpserver.HttpsParameters;
 import com.sun.net.httpserver.HttpsServer;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.client.Request;
 import org.opensearch.client.Response;
 import org.opensearch.client.RestClient;
@@ -73,7 +72,6 @@
 import java.util.List;
 import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
@@ -99,17 +97,6 @@ public static void setupHttpServer() throws Exception {
         SSLContext sslContext = buildServerSslContext();
         server = HttpsServer.create(address, 0);
         server.setHttpsConfigurator(new ClientAuthHttpsConfigurator(sslContext));
-        var inFipsJvm = inFipsJvm();
-        Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> {
-            Runnable runnable = () -> {
-                if (inFipsJvm) {
-                    CryptoServicesRegistrar.setApprovedOnlyMode(true);
-                }
-                r.run();
-            };
-            return new Thread(runnable, "test-httpserver-dispatcher");
-        });
-        server.setExecutor(executor);
         server.start();
         server.createContext("/", http -> {
             assert http instanceof HttpsExchange;
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
index ffcc982c758b9..6383705149521 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
@@ -123,9 +123,9 @@ public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Setti
             @Override
             public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
                 try {
-                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12);
+                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
                     keyStore.load(
-                        SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.p12"),
+                        SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.jks"),
                         "password".toCharArray()
                     );
 
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
index 2008c6a2e9a3a..2502a77af50e0 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
@@ -8,6 +8,7 @@
 
 package org.opensearch.transport.netty4.ssl;
 
+import org.apache.lucene.tests.util.LuceneTestCase;
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.common.crypto.KeyStoreFactory;
@@ -66,6 +67,7 @@
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.lessThanOrEqualTo;
 
+@LuceneTestCase.AwaitsFix(bugUrl = "")
 public class SimpleSecureNetty4TransportTests extends AbstractSimpleTransportTestCase {
     @Override
     protected Transport build(Settings settings, final Version version, ClusterSettings clusterSettings, boolean doHandshake) {
@@ -79,9 +81,9 @@ public Optional<TransportExceptionHandler> buildServerTransportExceptionHandler(
             @Override
             public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
                 try {
-                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12);
+                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
                     keyStore.load(
-                        SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.p12"),
+                        SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.jks"),
                         "password".toCharArray()
                     );
 
diff --git a/modules/transport-netty4/src/test/resources/README.txt b/modules/transport-netty4/src/test/resources/README.txt
index c8cec5d3803a4..a1a226c5ba674 100644
--- a/modules/transport-netty4/src/test/resources/README.txt
+++ b/modules/transport-netty4/src/test/resources/README.txt
@@ -6,12 +6,12 @@
 
 # 1. Create certificate key
 
-openssl req  -x509  -sha256  -newkey rsa:2048  -keyout certificate.key  -out certificate.crt  -days 1024  -nodes
+openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes
 
 # 2. Export the certificate in pkcs12 format
 
-openssl pkcs12  -export  -in certificate.crt  -inkey certificate.key  -out server.p12  -name netty4-secure -password pass:password
+openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out netty4-secure.p12 -name netty4-secure -password pass:password
 
-# 3. Import the certificate into JDK keystore (PKCS12 type)
+# 3. Migrate from P12 to JKS keystore
 
-keytool -importkeystore -srcstorepass password  -destkeystore netty4-secure.jks -srckeystore server.p12  -srcstoretype PKCS12  -alias netty4-secure  -deststorepass password
\ No newline at end of file
+keytool -importkeystore -srcstorepass password -destkeystore netty4-secure.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias netty4-secure -deststorepass password
diff --git a/modules/transport-netty4/src/test/resources/netty4-secure.jks b/modules/transport-netty4/src/test/resources/netty4-secure.jks
new file mode 100644
index 0000000000000000000000000000000000000000..d158f1fe60ef73fdaa610ce8e92a398e4212f20a
GIT binary patch
literal 2790
zcma)8X*3iJ7oHh2)?sX;WXaaZmJwqg46+ka_BC6!A^TFM5wgdOC0<LGnNi464U#EE
zh{UUrH3_fmszKRa-}%1Nd%j=acka38p8Gt{z32XV&PC$c=RiOvB%VE!nN2puBxQ#a
z$O5duv)=&Y*<+94NF*N8@n00A9*l?79>X=qd7qi%KT}Y4AgBTl(K`mUk-ontAe=}?
zr20QC6e$PhuQRA+wPk$uN9jOn;!$q5=g=n-Kp<&u5Ks&WWoG^NMi3hWfD~b7^GGoP
z`Y?fkvS9A{!8?Y%8<2fUu0fIjW?&VJ2fqh)3}j;6$q9Y_t~a&<Oj>jy@dvjG*E~+K
zS1}_M>h0|x&TB-EkHyZ|8cAg85*~L;#*kRNa;-V)(UELqUvA-4a6oOcvFO<56{>z}
zs92oD4Bv;_R6~b)E_4vaDlm4dn$psMU6BU!WV<b|2*q;8Esz3(mQ%ApqL`8Ws!Ac~
zkTndIvXXf!qm-gL6*j1OkJ`X6q6|$a88e%Gd`?@#X_C#o+wI3bv4FbQT%4eZ4$v1J
z1Z*VBjwKP*`8LVi?$D+o`P5y-lJQd!>vv0v=Y_PF$LW>Cu=wPSGxnK0ZJ6u&--oko
zxsFiwhRsu}R7J&J*DVhNjy2lG3(uE5Yc*X-G_FcozQZW`k(v0TdfGCMQk2E07K!xk
zten6bIRqNSIK>Z8Kcvq{82WfTWN=&RYvtrRkohrc`$D!2Q8=1h#8<3j=;LPD=wX}a
zu1cmN#AL@HC$*daa66Ga?7VJ82b64}%=x3-bgC^=Jwl-K-!t7rSI1ALh1##E`8%ds
zCW_wv>TD@8f6WRuynY_bfhrHzJDYF*m`>NOmU!<OY<3B<-Bb6CwzNM%yM*p+fu(P-
zgJbiX%Iy?cu%GXiLhY=*-!(?q#q@k4XLyUL^N5Ek?;iPT1@_%ea#b}@c_{1((cm`7
zv}C~kNGrdWcOmpAn(g%(L+_$=04mP~TXs+NqG+Q?l(XCr>~wkRX@6JP(`v10<&9Qy
z?AJJEnOBPmN$Z`5*Vs<$>dUNTXm&~{c)tYLSv^iqdXZE8cKsGf0iIUZEuzkmILxAd
zpdT*%m-J?c@i*36ZJJ5nB5R97dadu_e#8LW;A*2FqWX9+Gm1j*@Cmw+D(SUZt#S#2
zculg&D*N-V;qTMU#ASn(cOgdXmS?X^&V6NTdPnd6Q+}<R)OqXeW*#w}be2A)T^7`<
zzWg}$K$UVDu?I6zFzp>Rm;tlj=eZ5uZA&&YR|B^b!_*Q0o*ANxvqsa(Q!*)Xhmhvy
zx>Hx!eM*a<@qN-lKL%?1q{U>YRKfDe3(D;Kai*w>CkJq^IRl%cgjFU&d~0d!=QV?!
zotqc>oWFsTyxLoTjyAiNPs0cmuM|O&xJ$2RsRJ6}7X7OBPxDry*0b&2mtQb;K^-(~
zxhilZME7e<;45lTcX5UAK?Q>aRi;T+cXx;OI|cxuCWNoE1T-zm%4iQGKV2>_I(pZr
zLeM+Z_%UCcR?Fq-!W@>o?(6ZBjkdnOmZe{1xGVI&k`J$SJg`bF<b5*t%%u)%h}Zr>
zS<3Ae?6{4|5tz@4gasjZ@4emP^~k~ATud%JEJD*N)^$S7P{DkeSMOYQEq2DW_^E&o
zAQg&;k4B$DE(=>bth~I-GmBL8GmQSD>>l4832`k&aVh>YZiA;Xxz-=2426w)TC3qV
z<;|t(rPwO;c}F7ovlprG3srU`7THeZ?SGyHjHEgijVyUyCvXZ}dkZqH$s6))U@G{e
zb^T{Vq1PmNq2?;%m;LBK$!M@PE+>khyd<?#ySvx%)s?iK-?+N0*1lag9=wcAbCPXQ
zxlbEXUnqFsB8CQ?-Kg68u3{-FCfQ=vI%_NJY~dj+U*p%M+is-}R@uf1hfWfwW=M-`
zX0fIVE4t}QN>)gj-*(ByuOuvb3J?PD0Yn@}EI<XI00=+st^y(f*8x6A@qeUnC4Mlk
z-L+sJF(tM0>L`>lN=X@cUImE<H~ki|FjwHgmB&yS2naYXh5s<X|7F^fbJu;AfDRup
z5ne7xrRe;j?OxCS$F!Lp&-u^uiBA~XlrENdJ{Q2@!D6rf%Cg?1>zy6kG3B#2lV9-n
z7_b3_9lSv;SSODbk!~nOI~fy74wR-7#XpP)nABwTP&`8X-h>QN%_u&QGx>0_LXA#g
zP0Ne)K|${v{GjVb?Lo^_dj0g$0MB$93QZEdPcyt&mHPC7##?5Jt7&$z{epQY;#nsC
zp&%}(mnQWSABKq@%Ga=v5=>!eTJoG{N);hKeA&6YRu23nm9Uz&>uDN4yyq&3BC{=*
z6fnmJUG~AC3E4>B0Pu?kp5|()@-xZv`+>9MFLSem5`HqOarlEiBSi7sbC(^u-Eg29
z*N3og<WEbPjY|QDh}SA((UxX=T}v;Y5^lzIY`|Hsh$a?aM7dXw4S)GUZ$AITlk<Wq
zYw-R4eol!hv@8qIHpFQxhVkUYNa3q$9lM-aKF?7(sYsESCYhLQQ@I_NakZJ?%yVx5
zV%2xt)4+OLGkzYL+uI_g`JNnWO2X!0`cH~;DDRAA<3@!>`iN~KdhPZfo(FE`YIS@R
z3;=PTE(hG0AyiIsZC1EJu^fSnp8=!i1$#9&4RBq$I)Z!Wa*L*|TGz`GV)S;{k6s+@
zY^(Y)UZuHk-dsS#-Wnns(ibcIzXXiPJLjAXnC+PZKNL7V9#av<22m?MJn{MEkz?_r
zBzz+jSL;F;FP(Jgk&w-~I-~+~8Xcqw)z_YC4+t*&E?I+D?dfN|U}&y$=G-=WUf&lc
z%lD0KMV>q@I=>!ZiLt#)B~=X868ZvHL4IW8NYzHB2NI;myFYa!UyJ3lq(E2{wUF!Q
z3NWuGvx0wGR#yihN<g<}O)w*JLbjF!%iwQJgF94(H9cgz3!KF7;}p$Y_RR!#YURKN
zsZw;oV!p1s7F?0_Fp^_i>w=@$(-{$dZ-3aOaQ=g(M;dLKe2u|yn-1F*lK#YvAl;_)
zn<#EKX#8$?c{L0U6DPmH+;@jRLR@+f?Ie@S)7aRjf}<kyDYNnz3m5t2t;>yn1R=)s
zqbn$7bO<rLvfsBTq$J(9KHIlh)hK(d&E6toXdJEXB*R*7P2@Fp^XA>wL<kEM*@k0o
zZ_oM_09oqbTkx)&VR80notg({Zf!}d3kcJiz$WQBtj(5U4GZq$$#N`f2|J2xstCzk
z-6V1C-7f5=R6ltkiFw_+{s3NS6~6n?by7<1O}Ea5keQe6D&tl&mQ;IiRNzl1woF(t
zmM9Sv(&uvJ0{@9>9o6cf{-)iTcRs0=j6J!NizTwjdIZx%vGxQgM)6tbtI5l7wOrAH
z!>moW3=5Zxc$-#nnVs#CcYG(mA-ti^`1hhxN;x=fE51TQo;NWw+s1^OI?)y~t9-V+
z7rT0>X#&|TCz@RAqd>4H#NCvWHe`!=Zm!zICXOE_S5xaRJo+3LWLJkxDg+=ckxEF;
z-@hLS2mye_4hdz4(AL&E*06X*{#)}k{rdM7m;Cf?N)16*tj5fF!TeGWznL&`bkf*{
Sr$&KCjn%F1%tQWVQGWyU;r0Fi

literal 0
HcmV?d00001

diff --git a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
index 3105967cd9001..771de6de486d6 100644
--- a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
+++ b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
@@ -55,8 +55,6 @@
 import org.opensearch.transport.TransportSettings;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
-import org.junit.ClassRule;
-import org.junit.rules.ExternalResource;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -107,17 +105,6 @@ protected Collection<Class<? extends Plugin>> nodePlugins() {
 
     private static Path keyStoreFile;
 
-    @ClassRule
-    public static final ExternalResource MUTE_IN_FIPS_JVM = new ExternalResource() {
-        @Override
-        protected void before() {
-            assumeFalse(
-                "Can't run in a FIPS JVM because none of the supported Keystore types can be used",
-                Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP))
-            );
-        }
-    };
-
     @BeforeClass
     public static void setupKeyStore() throws IOException {
         Path tempDir = createTempDir();
diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle
index 6e84edddcc252..dc1e9c99ce2ed 100644
--- a/plugins/repository-s3/build.gradle
+++ b/plugins/repository-s3/build.gradle
@@ -34,6 +34,7 @@ import org.opensearch.gradle.test.RestIntegTestTask
 import org.opensearch.gradle.test.TestTask
 import org.opensearch.gradle.test.rest.YamlRestTestPlugin
 import org.opensearch.gradle.test.InternalClusterTestPlugin
+import org.opensearch.gradle.testclusters.OpenSearchCluster
 
 import static org.opensearch.gradle.PropertyNormalization.IGNORE_VALUE
 
@@ -143,6 +144,13 @@ def fixtureAddress = { fixture, name, port ->
   'http://127.0.0.1:' + ephemeralPort
 }
 
+def applyFipsConfig(OpenSearchCluster cluster) {
+  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') {
+    cluster.keystorePassword 'notarealpasswordphrase'
+    cluster.environment 'OPENSEARCH_CRYPTO_STANDARD', 'FIPS-140-2'
+  }
+}
+
 // We test against two repositories, one which uses the usual two-part "permanent" credentials and
 // the other which uses three-part "temporary" or "session" credentials.
 
@@ -260,6 +268,7 @@ yamlRestTest {
 }
 
 testClusters.yamlRestTest {
+  applyFipsConfig(delegate)
   keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
   keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
 
@@ -292,7 +301,7 @@ testClusters.yamlRestTest {
     setting 's3.client.integration_test_eks.region', { "us-east-2" }, IGNORE_VALUE
 
     // to redirect InstanceProfileCredentialsProvider to custom auth point
-    systemProperty "aws.ec2MetadataServiceEndpointOverride", { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ec2', '80')}" }, IGNORE_VALUE
+    systemProperty "aws.ec2MetadataServiceEndpoint", { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ec2', '80')}" }, IGNORE_VALUE
     // to redirect AWSSecurityTokenServiceClient to custom auth point
     systemProperty "aws.stsEndpointOverride", { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-eks', '80')}/eks_credentials_endpoint" }, IGNORE_VALUE
   } else {
@@ -323,6 +332,7 @@ if (useFixture) {
   check.dependsOn(yamlRestTestMinio)
 
   testClusters.yamlRestTestMinio {
+    applyFipsConfig(delegate)
     keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
     keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
     setting 's3.client.integration_test_permanent.endpoint', { "${-> fixtureAddress('minio-fixture', 'minio-fixture', '9000')}" }, IGNORE_VALUE
@@ -351,6 +361,7 @@ if (useFixture) {
   check.dependsOn(yamlRestTestECS)
 
   testClusters.yamlRestTestECS {
+    applyFipsConfig(delegate)
     setting 's3.client.integration_test_ecs.endpoint', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}" }, IGNORE_VALUE
     plugin tasks.bundlePlugin.archiveFile
     environment 'AWS_CONTAINER_CREDENTIALS_FULL_URI', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}/ecs_credentials_endpoint" }, IGNORE_VALUE
@@ -378,6 +389,7 @@ if (useFixture) {
   check.dependsOn(yamlRestTestEKS)
 
   testClusters.yamlRestTestEKS {
+    applyFipsConfig(delegate)
     keystore 's3.client.integration_test_eks.role_arn', "arn:aws:iam::000000000000:role/test"
     keystore 's3.client.integration_test_eks.role_session_name', "s3-test"
     keystore 's3.client.integration_test_eks.access_key', "access_key"
diff --git a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java
index 33ba9168e7d6a..8d20650d76583 100644
--- a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java
+++ b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java
@@ -13,7 +13,6 @@
 
 package org.opensearch.http.reactor.netty4;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.xcontent.XContentType;
 import org.opensearch.core.xcontent.ToXContent;
@@ -66,7 +65,6 @@
 public class ReactorHttpClient implements Closeable {
     private final boolean compression;
     private final boolean secure;
-    private final boolean fipsEnabled;
 
     static Collection<String> returnHttpResponseBodies(Collection<FullHttpResponse> responses) {
         List<String> list = new ArrayList<>(responses.size());
@@ -87,7 +85,6 @@ static Collection<String> returnOpaqueIds(Collection<FullHttpResponse> responses
     public ReactorHttpClient(boolean compression, boolean secure) {
         this.compression = compression;
         this.secure = secure;
-        this.fipsEnabled = CryptoServicesRegistrar.isInApprovedOnlyMode();
     }
 
     public static ReactorHttpClient create() {
@@ -186,15 +183,7 @@ private List<FullHttpResponse> sendRequests(
         final Collection<FullHttpRequest> requests,
         boolean ordered
     ) {
-        final NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup(1, (Runnable r) -> {
-            Runnable runnable = () -> {
-                if (fipsEnabled) {
-                    CryptoServicesRegistrar.setApprovedOnlyMode(true);
-                }
-                r.run();
-            };
-            return new Thread(runnable);
-        });
+        final NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup(1);
         try {
             final HttpClient client = createClient(remoteAddress, eventLoopGroup);
 
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index 69816e435c48f..f0f2d72e6f2fa 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -40,7 +40,6 @@
 import org.apache.logging.log4j.core.config.Configurator;
 import org.apache.lucene.util.Constants;
 import org.apache.lucene.util.StringHelper;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.OpenSearchException;
 import org.opensearch.Version;
 import org.opensearch.cli.Terminal;
@@ -53,7 +52,6 @@
 import org.opensearch.common.logging.LogConfigurator;
 import org.opensearch.common.logging.Loggers;
 import org.opensearch.common.network.IfConfig;
-import org.opensearch.common.settings.FipsSettings;
 import org.opensearch.common.settings.KeyStoreWrapper;
 import org.opensearch.common.settings.SecureSettings;
 import org.opensearch.common.settings.Settings;
@@ -198,14 +196,9 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
             BootstrapSettings.CTRLHANDLER_SETTING.get(settings)
         );
 
-        var isFipsEnabled = FipsSettings.FIPS_ENABLED.get(settings);
-        try {
-            var isRunningInFipsMode = CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled);
-            if (isRunningInFipsMode) {
-                LogManager.getLogger(Bootstrap.class).info("running in FIPS mode");
-            }
-        } catch (Exception e) {
-            throw new BootstrapException(e);
+        var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
+        if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) {
+            LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-2 mode");
         }
 
         // initialize probes before the security manager is installed
diff --git a/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java b/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java
index cf2d459d7a1c8..f8c5d8e3b2480 100644
--- a/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java
+++ b/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java
@@ -673,7 +673,6 @@ public void apply(Settings value, Settings current, Settings previous) {
                 ClusterManagerTaskThrottler.THRESHOLD_SETTINGS,
                 ClusterManagerTaskThrottler.BASE_DELAY_SETTINGS,
                 ClusterManagerTaskThrottler.MAX_DELAY_SETTINGS,
-                FipsSettings.FIPS_ENABLED,
                 // Settings related to search backpressure
                 SearchBackpressureSettings.SETTING_MODE,
 
diff --git a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java b/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
deleted file mode 100644
index 9f667b1497a2e..0000000000000
--- a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- */
-
-package org.opensearch.common.settings;
-
-import org.opensearch.common.settings.Setting.Property;
-
-/**
- * Settings used for NIST FIPS 140-2 compliance
- */
-public class FipsSettings {
-
-    public static final Setting<Boolean> FIPS_ENABLED = Setting.boolSetting("fips.approved", false, Property.NodeScope);
-
-}
diff --git a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java
index 9e02f9ee86744..cf6ce7d014199 100644
--- a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java
+++ b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java
@@ -90,9 +90,9 @@ protected HttpHandler createHandler(final String[] args) {
     protected String buildCredentialResponse(final String ec2AccessKey, final String ec2SessionToken) {
         return "{"
             + "\"AccessKeyId\": \"" + ec2AccessKey + "\","
-            + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_DATE_TIME) + "\","
+            + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_INSTANT) + "\","
             + "\"RoleArn\": \"arn\","
-            + "\"SecretAccessKey\": \"secret\","
+            + "\"SecretAccessKey\": \"secret_key\","
             + "\"Token\": \"" + ec2SessionToken + "\""
             + "}";
     }
diff --git a/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java b/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java
index 4572e3c59b1de..153a64a23642c 100644
--- a/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java
@@ -254,8 +254,6 @@ public void tearDown() throws Exception {
 
     public static final String DEFAULT_TEST_WORKER_ID = "--not-gradle--";
 
-    public static final String FIPS_SYSPROP = "tests.fips.enabled";
-
     static {
         TEST_WORKER_VM_ID = System.getProperty(TEST_WORKER_SYS_PROPERTY, DEFAULT_TEST_WORKER_ID);
         setTestSysProps();
@@ -363,12 +361,6 @@ protected void afterIfSuccessful() throws Exception {}
     // setup mock filesystems for this test run. we change PathUtils
     // so that all accesses are plumbed thru any mock wrappers
 
-    @BeforeClass
-    public static void setFipsJvm() throws Exception {
-        var runInApprovedMode = Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP));
-        CryptoServicesRegistrar.setApprovedOnlyMode(runInApprovedMode);
-    }
-
     @BeforeClass
     public static void setFileSystem() throws Exception {
         PathUtilsForTesting.setup();
diff --git a/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java b/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java
index 2b5f3fdc3e6b4..42ae6a57b829a 100644
--- a/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java
+++ b/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java
@@ -193,9 +193,6 @@ private ReproduceErrorMessageBuilder appendESProperties() {
             appendOpt("tests.locale", Locale.getDefault().toLanguageTag());
             appendOpt("tests.timezone", TimeZone.getDefault().getID());
             appendOpt("runtime.java", Integer.toString(Runtime.version().version().get(0)));
-            appendOpt(OpenSearchTestCase.FIPS_SYSPROP, System.getProperty(OpenSearchTestCase.FIPS_SYSPROP));
-            appendOpt("org.bouncycastle.jca.enable_jks", "true");
-            appendOpt("org.bouncycastle.rsa.allow_multi_use", "true");
             return this;
         }
 

From 5562d1fdb8db37d7f9a3cb63e23ca5c7d13cf037 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 24 Oct 2024 11:45:53 +0200
Subject: [PATCH 09/21] write some additional unit tests.

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 build.gradle                                  |  11 +-
 .../gradle/OpenSearchTestBasePlugin.java      |   3 +-
 distribution/src/config/fips_java.security    |  12 +-
 distribution/src/config/java.security         |  58 +++++++
 .../cli/keystore/KeyStoreWrapperTests.java    | 154 +++++++++++-------
 .../tools/launchers/SystemJvmOptions.java     |  17 +-
 .../common/crypto/KeyStoreType.java           |   4 +-
 .../common/crypto/KeyStoreFactoryTests.java   |  77 +++++++++
 .../org/opensearch/common/ssl/PemUtils.java   |   4 +-
 .../common/ssl/SslConfiguration.java          |   3 -
 .../common/ssl/PemTrustConfigTests.java       |   4 +-
 .../opensearch/common/ssl/PemUtilsTests.java  |   4 +
 .../ssl/SslConfigurationLoaderTests.java      |   8 +
 .../common/ssl/SslConfigurationTests.java     |  78 +++++++++
 .../common/ssl/SslDiagnosticsTests.java       |  12 ++
 .../src/test/resources/certs/README.md        |  17 ++
 .../test/resources/certs/cert-all/empty.jks   | Bin 0 -> 32 bytes
 .../shiro/realm/BCryptPasswordMatcher.java    |   1 -
 .../realm/BCryptPasswordMatcherTests.java     |  19 +++
 19 files changed, 406 insertions(+), 80 deletions(-)
 create mode 100644 distribution/src/config/java.security
 create mode 100644 libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
 create mode 100644 libs/ssl-config/src/test/resources/certs/cert-all/empty.jks

diff --git a/build.gradle b/build.gradle
index 80b60306a0917..e6416fbbde5aa 100644
--- a/build.gradle
+++ b/build.gradle
@@ -471,8 +471,8 @@ gradle.projectsEvaluated {
   }
 }
 
-// test retry configuration
 subprojects {
+  // test retry configuration
   tasks.withType(Test).configureEach {
     develocity.testRetry {
       if (BuildParams.isCi()) {
@@ -558,6 +558,15 @@ subprojects {
       }
     }
   }
+
+  // test with FIPS-140-2 enabled
+  plugins.withType(JavaPlugin).configureEach {
+    tasks.withType(Test).configureEach { testTask ->
+      if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') {
+        testTask.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
+      }
+    }
+  }
 }
 
 // eclipse configuration
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
index 3161343ee1148..cf2cad686f3ac 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
@@ -164,9 +164,10 @@ public void execute(Task t) {
                 test.systemProperty("tests.seed", BuildParams.getTestSeed());
             }
 
+            var securityFile = BuildParams.isInFipsJvm() ? "fips_java.security" : "java.security";
             test.systemProperty(
                 "java.security.properties",
-                project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/fips_java.security"
+                project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/" + securityFile
             );
 
             // don't track these as inputs since they contain absolute paths and break cache relocatability
diff --git a/distribution/src/config/fips_java.security b/distribution/src/config/fips_java.security
index fc1608c8df1bd..bf160a0055a59 100644
--- a/distribution/src/config/fips_java.security
+++ b/distribution/src/config/fips_java.security
@@ -1,27 +1,34 @@
-# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in FIPS mode
+# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in approved-only mode
 
 security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
 security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
 security.provider.3=SUN
 security.provider.4=SunJGSS
+
 securerandom.source=file:/dev/urandom
 securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
 securerandom.drbg.config=
+
 login.configuration.provider=sun.security.provider.ConfigFile
 policy.provider=sun.security.provider.PolicyFile
 policy.expandProperties=true
 policy.allowSystemProperty=true
 policy.ignoreIdentityScope=false
 keystore.type.compat=true
+
 package.access=sun.misc.,\
                sun.reflect.
 package.definition=sun.misc.,\
                    sun.reflect.
+
 security.overridePropertiesFile=true
+
 ssl.KeyManagerFactory.algorithm=PKIX
 ssl.TrustManagerFactory.algorithm=PKIX
+
 networkaddress.cache.negative.ttl=10
 krb5.kdc.bad.policy = tryLast
+
 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224
 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DSA keySize < 2048
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
@@ -31,7 +38,9 @@ jdk.tls.legacyAlgorithms= \
         RC4_128, RC4_40, DES_CBC, DES40_CBC, \
         3DES_EDE_CBC
 jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
+
 crypto.policy=unlimited
+
 jdk.xml.dsig.secureValidationPolicy=\
     disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
     disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
@@ -45,5 +54,6 @@ jdk.xml.dsig.secureValidationPolicy=\
     minKeySize EC 224,\
     noDuplicateIds,\
     noRetrievalMethodLoops
+
 jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
   java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
diff --git a/distribution/src/config/java.security b/distribution/src/config/java.security
new file mode 100644
index 0000000000000..5ddbbde240f8f
--- /dev/null
+++ b/distribution/src/config/java.security
@@ -0,0 +1,58 @@
+# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJSSEProvider in non-approved mode
+
+security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
+security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
+security.provider.3=SUN
+security.provider.4=SunJGSS
+
+securerandom.source=file:/dev/urandom
+securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
+securerandom.drbg.config=
+
+login.configuration.provider=sun.security.provider.ConfigFile
+policy.provider=sun.security.provider.PolicyFile
+policy.expandProperties=true
+policy.allowSystemProperty=true
+policy.ignoreIdentityScope=false
+keystore.type.compat=true
+
+package.access=sun.misc.,\
+               sun.reflect.
+package.definition=sun.misc.,\
+                   sun.reflect.
+
+security.overridePropertiesFile=true
+
+ssl.KeyManagerFactory.algorithm=PKIX
+ssl.TrustManagerFactory.algorithm=PKIX
+
+networkaddress.cache.negative.ttl=10
+krb5.kdc.bad.policy = tryLast
+
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
+jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, DES40_CBC, RC4_40
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+        3DES_EDE_CBC
+jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
+
+crypto.policy=unlimited
+
+jdk.xml.dsig.secureValidationPolicy=\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
+    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
+    maxTransforms 5,\
+    maxReferences 30,\
+    disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
+    minKeySize EC 224,\
+    noDuplicateIds,\
+    noRetrievalMethodLoops
+
+jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep;\
+  java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
index c8c0b8f8b3928..9f20dec124549 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
@@ -70,8 +70,13 @@
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
@@ -364,31 +369,24 @@ public void testIllegalSettingName() throws Exception {
         assertTrue(e.getMessage().contains("does not match the allowed setting name pattern"));
     }
 
-    public void testBackcompatV1() throws Exception {
-        assumeFalse("Can't run in a FIPS JVM as PBE is not available", inFipsJvm());
-        Path configDir = env.configDir();
-        NIOFSDirectory directory = new NIOFSDirectory(configDir);
-        try (IndexOutput output = EndiannessReverserUtil.createOutput(directory, "opensearch.keystore", IOContext.DEFAULT)) {
-            CodecUtil.writeHeader(output, "opensearch.keystore", 1);
-            output.writeByte((byte) 0); // hasPassword = false
-            output.writeString("PKCS12");
-            output.writeString("PBE");
+    public void testFailLoadV1KeystoresInFipsJvm() throws Exception {
+        assumeTrue("Test in FIPS JVM", inFipsJvm());
 
-            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
-            KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
-            keystore.load(null, null);
-            SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
-            KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
-            keystore.setEntry("string_setting", new KeyStore.SecretKeyEntry(secretKey), protectionParameter);
+        Exception e = assertThrows(SecurityException.class, () -> generateV1());
+        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS, JKS keystores are allowed in FIPS JVM"));
+    }
 
-            ByteArrayOutputStream keystoreBytesStream = new ByteArrayOutputStream();
-            keystore.store(keystoreBytesStream, new char[0]);
-            byte[] keystoreBytes = keystoreBytesStream.toByteArray();
-            output.writeInt(keystoreBytes.length);
-            output.writeBytes(keystoreBytes, keystoreBytes.length);
-            CodecUtil.writeFooter(output);
-        }
+    public void testFailLoadV2KeystoresInFipsJvm() throws Exception {
+        assumeTrue("Test in FIPS JVM", inFipsJvm());
+
+        Exception e = assertThrows(SecurityException.class, () -> generateV2());
+        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS, JKS keystores are allowed in FIPS JVM"));
+    }
 
+    public void testBackcompatV1() throws Exception {
+        assumeFalse("Can't run in a FIPS JVM as PBE is not available", inFipsJvm());
+        generateV1();
+        Path configDir = env.configDir();
         KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
         keystore.decrypt(new char[0]);
         SecureString testValue = keystore.getString("string_setting");
@@ -397,47 +395,8 @@ public void testBackcompatV1() throws Exception {
 
     public void testBackcompatV2() throws Exception {
         assumeFalse("Can't run in a FIPS JVM as PBE is not available", inFipsJvm());
+        byte[] fileBytes = generateV2();
         Path configDir = env.configDir();
-        NIOFSDirectory directory = new NIOFSDirectory(configDir);
-        byte[] fileBytes = new byte[20];
-        random().nextBytes(fileBytes);
-        try (IndexOutput output = EndiannessReverserUtil.createOutput(directory, "opensearch.keystore", IOContext.DEFAULT)) {
-
-            CodecUtil.writeHeader(output, "opensearch.keystore", 2);
-            output.writeByte((byte) 0); // hasPassword = false
-            output.writeString("PKCS12");
-            output.writeString("PBE"); // string algo
-            output.writeString("PBE"); // file algo
-
-            output.writeVInt(2); // num settings
-            output.writeString("string_setting");
-            output.writeString("STRING");
-            output.writeString("file_setting");
-            output.writeString("FILE");
-
-            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
-            KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
-            keystore.load(null, null);
-            SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
-            KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
-            keystore.setEntry("string_setting", new KeyStore.SecretKeyEntry(secretKey), protectionParameter);
-
-            byte[] base64Bytes = Base64.getEncoder().encode(fileBytes);
-            char[] chars = new char[base64Bytes.length];
-            for (int i = 0; i < chars.length; ++i) {
-                chars[i] = (char) base64Bytes[i]; // PBE only stores the lower 8 bits, so this narrowing is ok
-            }
-            secretKey = secretFactory.generateSecret(new PBEKeySpec(chars));
-            keystore.setEntry("file_setting", new KeyStore.SecretKeyEntry(secretKey), protectionParameter);
-
-            ByteArrayOutputStream keystoreBytesStream = new ByteArrayOutputStream();
-            keystore.store(keystoreBytesStream, new char[0]);
-            byte[] keystoreBytes = keystoreBytesStream.toByteArray();
-            output.writeInt(keystoreBytes.length);
-            output.writeBytes(keystoreBytes, keystoreBytes.length);
-            CodecUtil.writeFooter(output);
-        }
-
         KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
         keystore.decrypt(new char[0]);
         SecureString testValue = keystore.getString("string_setting");
@@ -497,6 +456,77 @@ public void testLegacyV3() throws GeneralSecurityException, IOException {
         assertThat(toByteArray(wrapper.getFile("file_setting")), equalTo("file_value".getBytes(StandardCharsets.UTF_8)));
     }
 
+    private void generateV1() throws IOException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException,
+        InvalidKeySpecException, KeyStoreException {
+        Path configDir = env.configDir();
+        NIOFSDirectory directory = new NIOFSDirectory(configDir);
+        try (IndexOutput output = EndiannessReverserUtil.createOutput(directory, "opensearch.keystore", IOContext.DEFAULT)) {
+            CodecUtil.writeHeader(output, "opensearch.keystore", 1);
+            output.writeByte((byte) 0); // hasPassword = false
+            output.writeString("PKCS12");
+            output.writeString("PBE");
+
+            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
+            KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
+            keystore.load(null, null);
+            SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
+            KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
+            keystore.setEntry("string_setting", new KeyStore.SecretKeyEntry(secretKey), protectionParameter);
+
+            ByteArrayOutputStream keystoreBytesStream = new ByteArrayOutputStream();
+            keystore.store(keystoreBytesStream, new char[0]);
+            byte[] keystoreBytes = keystoreBytesStream.toByteArray();
+            output.writeInt(keystoreBytes.length);
+            output.writeBytes(keystoreBytes, keystoreBytes.length);
+            CodecUtil.writeFooter(output);
+        }
+    }
+
+    private byte[] generateV2() throws Exception {
+        Path configDir = env.configDir();
+        NIOFSDirectory directory = new NIOFSDirectory(configDir);
+        byte[] fileBytes = new byte[20];
+        random().nextBytes(fileBytes);
+        try (IndexOutput output = EndiannessReverserUtil.createOutput(directory, "opensearch.keystore", IOContext.DEFAULT)) {
+
+            CodecUtil.writeHeader(output, "opensearch.keystore", 2);
+            output.writeByte((byte) 0); // hasPassword = false
+            output.writeString("PKCS12");
+            output.writeString("PBE"); // string algo
+            output.writeString("PBE"); // file algo
+
+            output.writeVInt(2); // num settings
+            output.writeString("string_setting");
+            output.writeString("STRING");
+            output.writeString("file_setting");
+            output.writeString("FILE");
+
+            SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
+            KeyStore keystore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN");
+            keystore.load(null, null);
+            SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
+            KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
+            keystore.setEntry("string_setting", new KeyStore.SecretKeyEntry(secretKey), protectionParameter);
+
+            byte[] base64Bytes = Base64.getEncoder().encode(fileBytes);
+            char[] chars = new char[base64Bytes.length];
+            for (int i = 0; i < chars.length; ++i) {
+                chars[i] = (char) base64Bytes[i]; // PBE only stores the lower 8 bits, so this narrowing is ok
+            }
+            secretKey = secretFactory.generateSecret(new PBEKeySpec(chars));
+            keystore.setEntry("file_setting", new KeyStore.SecretKeyEntry(secretKey), protectionParameter);
+
+            ByteArrayOutputStream keystoreBytesStream = new ByteArrayOutputStream();
+            keystore.store(keystoreBytesStream, new char[0]);
+            byte[] keystoreBytes = keystoreBytesStream.toByteArray();
+            output.writeInt(keystoreBytes.length);
+            output.writeBytes(keystoreBytes, keystoreBytes.length);
+            CodecUtil.writeFooter(output);
+        }
+
+        return fileBytes;
+    }
+
     private byte[] toByteArray(final InputStream is) throws IOException {
         final ByteArrayOutputStream os = new ByteArrayOutputStream();
         final byte[] buffer = new byte[1024];
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index 2d10fac45efda..45e10b461d1db 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -40,6 +40,9 @@
 
 final class SystemJvmOptions {
 
+    protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
+    protected static final String FIPS_140_2 = "FIPS-140-2";
+
     static List<String> systemJvmOptions(final Path config) {
         return Collections.unmodifiableList(
             Arrays.asList(
@@ -88,16 +91,22 @@ static List<String> systemJvmOptions(final Path config) {
     }
 
     private static String enableFips() {
-        var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
-        if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) {
+        var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
+        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_2)) {
             return "-Dorg.bouncycastle.fips.approved_only=true";
         }
         return "";
     }
 
     private static String loadJavaSecurityProperties(final Path config) {
-        var securityFile = config.resolve("fips_java.security");
-        return "-Djava.security.properties=" + securityFile.toAbsolutePath();
+        String securityFile;
+        var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
+        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_2)) {
+            securityFile = "fips_java.security";
+        } else {
+            securityFile = "java.security";
+        }
+        return "-Djava.security.properties=" + config.resolve(securityFile).toAbsolutePath();
     }
 
     private static String allowSecurityManagerOption() {
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
index 2b458d431215f..2c1ba85e8235d 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
@@ -21,15 +21,13 @@ public enum KeyStoreType {
     JKS("JKS"),
     PKCS_12("PKCS12"),
     PKCS_11("PKCS11"),
-    BKS("BKS"),
     BCFKS("BCFKS");
 
-    private static final Map<KeyStoreType, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>();
+    static final Map<KeyStoreType, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>();
 
     static {
         TYPE_TO_EXTENSION_MAP.put(JKS, List.of(".jks", ".ks"));
         TYPE_TO_EXTENSION_MAP.put(PKCS_12, List.of(".p12", ".pkcs12", ".pfx"));
-        TYPE_TO_EXTENSION_MAP.put(BKS, List.of(".bks")); // Bouncy Castle Keystore
         TYPE_TO_EXTENSION_MAP.put(BCFKS, List.of(".bcfks")); // Bouncy Castle FIPS Keystore
     }
 
diff --git a/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java b/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
new file mode 100644
index 0000000000000..2ed3a2fafa867
--- /dev/null
+++ b/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
@@ -0,0 +1,77 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.common.crypto;
+
+import com.carrotsearch.randomizedtesting.generators.RandomStrings;
+
+import org.opensearch.test.OpenSearchTestCase;
+
+import static org.hamcrest.Matchers.equalTo;
+
+public class KeyStoreFactoryTests extends OpenSearchTestCase {
+
+    public void testPKCS12KeyStore() {
+        assumeFalse("Can't run in a FIPS JVM as PBE is not available", inFipsJvm());
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12).getType(), equalTo("PKCS12"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12).getProvider().getName(), equalTo("BCFIPS"));
+
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "BCFIPS").getType(), equalTo("PKCS12"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "BCFIPS").getProvider().getName(), equalTo("BCFIPS"));
+
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN").getType(), equalTo("PKCS12"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12, "SUN").getProvider().getName(), equalTo("SUN"));
+
+        KeyStoreType.TYPE_TO_EXTENSION_MAP.get(KeyStoreType.PKCS_12).forEach(extension -> {
+            var keyStore = KeyStoreFactory.getInstanceBasedOnFileExtension(createRandomFileName(extension));
+            assertThat(keyStore.getType(), equalTo(KeyStoreType.PKCS_12.getJcaName()));
+        });
+    }
+
+    public void testJKSKeyStore() {
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.JKS).getType(), equalTo("JKS"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.JKS).getProvider().getName(), equalTo("SUN"));
+
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.JKS, "SUN").getType(), equalTo("JKS"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.JKS, "SUN").getProvider().getName(), equalTo("SUN"));
+
+        assertThrows("BCFKS not found", SecurityException.class, () -> KeyStoreFactory.getInstance(KeyStoreType.JKS, "BCFIPS"));
+
+        KeyStoreType.TYPE_TO_EXTENSION_MAP.get(KeyStoreType.JKS).forEach(extension -> {
+            var keyStore = KeyStoreFactory.getInstanceBasedOnFileExtension(createRandomFileName(extension));
+            assertThat(keyStore.getType(), equalTo(KeyStoreType.JKS.getJcaName()));
+        });
+    }
+
+    public void testBCFIPSKeyStore() {
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.BCFKS).getType(), equalTo("BCFKS"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.BCFKS).getProvider().getName(), equalTo("BCFIPS"));
+
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.BCFKS, "BCFIPS").getType(), equalTo("BCFKS"));
+        assertThat(KeyStoreFactory.getInstance(KeyStoreType.BCFKS, "BCFIPS").getProvider().getName(), equalTo("BCFIPS"));
+
+        assertThrows("BCFKS not found", SecurityException.class, () -> KeyStoreFactory.getInstance(KeyStoreType.BCFKS, "SUN"));
+
+        KeyStoreType.TYPE_TO_EXTENSION_MAP.get(KeyStoreType.BCFKS).forEach(extension -> {
+            var keyStore = KeyStoreFactory.getInstanceBasedOnFileExtension(createRandomFileName(extension));
+            assertThat(keyStore.getType(), equalTo(KeyStoreType.BCFKS.getJcaName()));
+        });
+    }
+
+    public void testUnknownKeyStoreType() {
+        assertThrows(
+            "Unknown keystore type for file path: keystore.unknown",
+            IllegalArgumentException.class,
+            () -> KeyStoreFactory.getInstanceBasedOnFileExtension(createRandomFileName("unknown"))
+        );
+    }
+
+    private String createRandomFileName(String extension) {
+        return RandomStrings.randomAsciiAlphanumOfLengthBetween(random(), 0, 10) + "." + extension;
+    }
+}
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
index 3a1b369c64902..dd5b67cbcbbb8 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
@@ -62,7 +62,7 @@ final class PemUtils {
 
     private static final String BCFIPS = "BCFIPS";
 
-    private PemUtils() {
+    PemUtils() {
         throw new IllegalStateException("Utility class should not be instantiated");
     }
 
@@ -87,7 +87,7 @@ static List<Certificate> readCertificates(Collection<Path> certPaths) throws Cer
             try (InputStream input = Files.newInputStream(path)) {
                 final Collection<? extends Certificate> parsed = certFactory.generateCertificates(input);
                 if (parsed.isEmpty()) {
-                    throw new SslConfigException("failed to parse any certificates from [" + path.toAbsolutePath() + "]");
+                    throw new SslConfigException("Failed to parse any certificate from [" + path.toAbsolutePath() + "]");
                 }
                 certificates.addAll(parsed);
             }
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
index 909b8facd68b5..224699660b65b 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java
@@ -164,9 +164,6 @@ public SSLContext createSslContext() {
      * {@link #getSupportedProtocols() configured protocols}.
      */
     private String contextProtocol() {
-        if (supportedProtocols.isEmpty()) {
-            throw new SslConfigException("no SSL/TLS protocols have been configured");
-        }
         if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
             if (!new HashSet<>(SslConfigurationLoader.FIPS_APPROVED_PROTOCOLS).containsAll(supportedProtocols)) {
                 throw new SslConfigException(
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java
index 543021e0b1252..3d66c2157b754 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java
@@ -138,14 +138,14 @@ private void assertEmptyFile(PemTrustConfig trustConfig, Path file) {
         final SslConfigException exception = expectThrows(SslConfigException.class, trustConfig::createTrustManager);
         logger.info("failure", exception);
         assertThat(exception.getMessage(), Matchers.containsString(file.toAbsolutePath().toString()));
-        assertThat(exception.getMessage(), Matchers.containsString("failed to parse any certificates"));
+        assertThat(exception.getMessage(), Matchers.containsString("Failed to parse any certificate from"));
     }
 
     private void assertFailedToParse(PemTrustConfig trustConfig, Path file) {
         final SslConfigException exception = expectThrows(SslConfigException.class, trustConfig::createTrustManager);
         logger.info("failure", exception);
         assertThat(exception.getMessage(), Matchers.containsString(file.toAbsolutePath().toString()));
-        assertThat(exception.getMessage(), Matchers.containsString("failed to parse any certificates"));
+        assertThat(exception.getMessage(), Matchers.containsString("Failed to parse any certificate from"));
     }
 
     private void assertFileNotFound(PemTrustConfig trustConfig, Path file) {
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
index 7ab684fea0670..0aa0213d54111 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
@@ -59,6 +59,10 @@ public class PemUtilsTests extends OpenSearchTestCase {
     private static final Supplier<char[]> TESTNODE_PASSWORD = "testnode"::toCharArray;
     private static final Supplier<char[]> STRONG_PRIVATE_SECRET = "6!6428DQXwPpi7@$ggeg/="::toCharArray; // has to be at least 112 bit long.
 
+    public void testInstantiateWithDefaultConstructor() {
+        assertThrows("Utility class should not be instantiated", IllegalStateException.class, PemUtils::new);
+    }
+
     public void testReadPKCS8RsaKey() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         Key key = getKeyFromKeystore("RSA", KeyStoreType.JKS);
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
index bb46c086fbedc..f4c42231ab96a 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
@@ -100,6 +100,14 @@ public void testBasicConfigurationOptions() {
         if (verificationMode == SslVerificationMode.NONE) {
             final SslTrustConfig trustConfig = configuration.getTrustConfig();
             assertThat(trustConfig, instanceOf(TrustEverythingConfig.class));
+
+            if (inFipsJvm()) {
+                assertThrows(
+                    "The use of TrustEverythingConfig is not permitted in FIPS mode. This issue may be caused by the 'ssl.verification_mode=NONE' setting.",
+                    IllegalStateException.class,
+                    trustConfig::createTrustManager
+                );
+            }
         }
     }
 
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
index 9281d9612d806..ce846381c6e5e 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
@@ -42,10 +42,12 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 
 import org.mockito.Mockito;
 
 import static org.opensearch.common.ssl.SslConfigurationLoader.DEFAULT_CIPHERS;
+import static org.opensearch.common.ssl.SslConfigurationLoader.FIPS_APPROVED_PROTOCOLS;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -204,4 +206,80 @@ public void testBuildSslContext() {
         Mockito.verifyNoMoreInteractions(trustConfig, keyConfig);
     }
 
+    public void testCreateSslContextWithUnsupportedProtocols() {
+        assumeFalse("Test not in FIPS JVM", inFipsJvm());
+        final SslTrustConfig trustConfig = Mockito.mock(SslTrustConfig.class);
+        final SslKeyConfig keyConfig = Mockito.mock(SslKeyConfig.class);
+        SslConfiguration configuration = new SslConfiguration(
+            trustConfig,
+            keyConfig,
+            randomFrom(SslVerificationMode.values()),
+            randomFrom(SslClientAuthenticationMode.values()),
+            DEFAULT_CIPHERS,
+            Collections.singletonList("DTLSv1.2")
+        );
+
+        Exception e = assertThrows(SslConfigException.class, configuration::createSslContext);
+        assertThat(
+            e.getMessage(),
+            containsString("no supported SSL/TLS protocol was found in the configured supported protocols: [DTLSv1.2]")
+        );
+    }
+
+    public void testNotSupportedProtocolsInFipsJvm() {
+        assumeTrue("Test in FIPS JVM", inFipsJvm());
+        final SslTrustConfig trustConfig = Mockito.mock(SslTrustConfig.class);
+        final SslKeyConfig keyConfig = Mockito.mock(SslKeyConfig.class);
+        final String protocol = randomFrom(List.of("TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello", "SSLv2"));
+        final SslConfiguration configuration = new SslConfiguration(
+            trustConfig,
+            keyConfig,
+            randomFrom(SslVerificationMode.values()),
+            randomFrom(SslClientAuthenticationMode.values()),
+            DEFAULT_CIPHERS,
+            Collections.singletonList(protocol)
+        );
+
+        Mockito.when(trustConfig.createTrustManager()).thenReturn(null);
+        Mockito.when(keyConfig.createKeyManager()).thenReturn(null);
+        var exception = assertThrows(SslConfigException.class, configuration::createSslContext);
+        assertThat(
+            exception.getMessage(),
+            equalTo(
+                String.format(Locale.ROOT, "in FIPS mode only the following SSL/TLS protocols are allowed: [%s]", FIPS_APPROVED_PROTOCOLS)
+            )
+        );
+    }
+
+    public void testInitValuesExist() {
+        final SslTrustConfig trustConfig = Mockito.mock(SslTrustConfig.class);
+        final SslKeyConfig keyConfig = Mockito.mock(SslKeyConfig.class);
+
+        assertThrows(
+            "cannot configure SSL/TLS without any supported cipher suites",
+            SslConfigException.class,
+            () -> new SslConfiguration(
+                trustConfig,
+                keyConfig,
+                SslVerificationMode.CERTIFICATE,
+                SslClientAuthenticationMode.REQUIRED,
+                Collections.emptyList(),
+                List.of("SSLv2")
+            )
+        );
+
+        assertThrows(
+            "cannot configure SSL/TLS without any supported protocols",
+            SslConfigException.class,
+            () -> new SslConfiguration(
+                trustConfig,
+                keyConfig,
+                SslVerificationMode.CERTIFICATE,
+                SslClientAuthenticationMode.REQUIRED,
+                DEFAULT_CIPHERS,
+                Collections.emptyList()
+            )
+        );
+    }
+
 }
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java
index b733b6536f5cb..31a4082f0609a 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslDiagnosticsTests.java
@@ -52,6 +52,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -70,6 +71,17 @@ public class SslDiagnosticsTests extends OpenSearchTestCase {
     private static final byte[] MOCK_ENCODING_4 = { 0x64, 0x65, 0x66, 0x67, 0x68, 0x69 };
     private static final String MOCK_FINGERPRINT_4 = "5d96965bfae50bf2be0d6259eb87a6cc9f5d0b26";
 
+    public void testTrustEmptyStore() {
+        var fileName = "cert-all/empty.jks";
+        var exception = assertThrows(SslConfigException.class, () -> loadCertificate(fileName));
+        assertThat(
+            exception.getMessage(),
+            Matchers.equalTo(
+                String.format(Locale.ROOT, "Failed to parse any certificate from [%s]", getDataPath("/certs/" + fileName).toAbsolutePath())
+            )
+        );
+    }
+
     public void testDiagnosticMessageWhenServerProvidesAFullCertChainThatIsTrusted() throws Exception {
         X509Certificate[] chain = loadCertChain("cert1/cert1.crt", "ca1/ca.crt");
         final SSLSession session = session("192.168.1.1");
diff --git a/libs/ssl-config/src/test/resources/certs/README.md b/libs/ssl-config/src/test/resources/certs/README.md
index dbbe840dd5431..e363e287c9521 100644
--- a/libs/ssl-config/src/test/resources/certs/README.md
+++ b/libs/ssl-config/src/test/resources/certs/README.md
@@ -153,3 +153,20 @@ done
 opensearch-certutil ca --pem --out ${PWD}/ca1-b.zip --days 9999 --ca-dn "CN=Test CA 1"
 unzip ca1-b.zip
 mv ca ca1-b
+
+# 16. Create empty KeyStore
+
+```bash
+keytool -genkeypair \
+        -alias temp \
+        -storetype JKS \
+        -keyalg rsa \
+        -storepass storePassword \
+        -keypass secretPassword \
+        -keystore cert-all/empty.jks \
+        -dname "CN=foo,DC=example,DC=com"
+keytool -delete \
+        -alias temp \
+        -storepass storePassword \
+        -keystore cert-all/empty.jks
+```
diff --git a/libs/ssl-config/src/test/resources/certs/cert-all/empty.jks b/libs/ssl-config/src/test/resources/certs/cert-all/empty.jks
new file mode 100644
index 0000000000000000000000000000000000000000..1327d550f61fd92422fecc4cb63ad35cdd2bc6d4
GIT binary patch
literal 32
mcmezO_TO6u1_mY|W{?e7XzyD5dU}}5KBM|+P4StVO0xjX8Vs@k

literal 0
HcmV?d00001

diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
index a1945bab6a4ed..45bf634de1ec1 100644
--- a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
@@ -38,7 +38,6 @@ public class BCryptPasswordMatcher implements CredentialsMatcher {
     public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
         final UsernamePasswordToken userToken = (UsernamePasswordToken) token;
         return check(userToken.getPassword(), (String) info.getCredentials());
-
     }
 
     private boolean check(char[] password, String hash) {
diff --git a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
index 91e88ed1bf701..304903e27c953 100644
--- a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
+++ b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
@@ -41,4 +41,23 @@ public void testCredentialDoNotMatch() {
 
         assertThat(result, equalTo(false));
     }
+
+    public void testEmptyPassword() {
+        final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
+        when(token.getPassword()).thenReturn(randomFrom("".toCharArray(), null));
+        final AuthenticationInfo info = mock(AuthenticationInfo.class);
+
+        Exception e = assertThrows(IllegalStateException.class, () -> new BCryptPasswordMatcher().doCredentialsMatch(token, info));
+        assertThat(e.getMessage(), equalTo("Password cannot be empty or null"));
+    }
+
+    public void testEmptyHash() {
+        final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
+        when(token.getPassword()).thenReturn("HashedPassword".toCharArray());
+        final AuthenticationInfo info = mock(AuthenticationInfo.class);
+        when(info.getCredentials()).thenReturn(randomFrom("", null));
+
+        Exception e = assertThrows(IllegalStateException.class, () -> new BCryptPasswordMatcher().doCredentialsMatch(token, info));
+        assertThat(e.getMessage(), equalTo("Hash cannot be empty or null"));
+    }
 }

From 71ef8d93f82b837ed2db6a4269a1bb1d2a2a9d24 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Mon, 28 Oct 2024 17:07:48 +0100
Subject: [PATCH 10/21] test SystemJvmOptions.java & replace FIPS-140-2 by
 FIPS-140-3

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 build.gradle                                  |  4 +-
 .../gradle/info/GlobalBuildInfoPlugin.java    |  9 +-
 distribution/tools/launchers/build.gradle     |  1 +
 .../tools/launchers/JvmOptionsParser.java     |  2 +-
 .../tools/launchers/SystemJvmOptions.java     | 33 ++++---
 .../launchers/SystemJvmOptionsTests.java      | 86 +++++++++++++++++++
 plugins/repository-s3/build.gradle            |  4 +-
 .../org/opensearch/bootstrap/Bootstrap.java   |  4 +-
 8 files changed, 121 insertions(+), 22 deletions(-)
 create mode 100644 distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java

diff --git a/build.gradle b/build.gradle
index e6416fbbde5aa..27e1bde68b4f6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -559,10 +559,10 @@ subprojects {
     }
   }
 
-  // test with FIPS-140-2 enabled
+  // test with FIPS-140-3 enabled
   plugins.withType(JavaPlugin).configureEach {
     tasks.withType(Test).configureEach { testTask ->
-      if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') {
+      if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
         testTask.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
       }
     }
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
index adf6f6878d322..41ef9d11d7062 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -114,7 +114,7 @@ public void apply(Project project) {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
             var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-            var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-2");
+            var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-3");
 
             params.reset();
             params.setRuntimeJavaHome(runtimeJavaHome);
@@ -166,6 +166,7 @@ private void logGlobalBuildInfo() {
         final String osArch = System.getProperty("os.arch");
         final Jvm gradleJvm = Jvm.current();
         final String gradleJvmDetails = getJavaInstallation(gradleJvm.getJavaHome()).getDisplayName();
+        final String cryptStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
 
         LOGGER.quiet("=======================================");
         LOGGER.quiet("OpenSearch Build Hamster says Hello!");
@@ -182,7 +183,11 @@ private void logGlobalBuildInfo() {
             LOGGER.quiet("  JAVA_HOME             : " + gradleJvm.getJavaHome());
         }
         LOGGER.quiet("  Random Testing Seed   : " + BuildParams.getTestSeed());
-        LOGGER.quiet("  Crypto Standard       : " + Optional.ofNullable(System.getenv(OPENSEARCH_CRYPTO_STANDARD)).orElse("any-supported"));
+        if (cryptStandard != null && cryptStandard.equals("FIPS-140-3")) {
+            LOGGER.quiet("  Crypto Standard       : FIPS-140-3");
+        } else {
+            LOGGER.quiet("  Crypto Standard       : any-supported");
+        }
         LOGGER.quiet("=======================================");
     }
 
diff --git a/distribution/tools/launchers/build.gradle b/distribution/tools/launchers/build.gradle
index aee205a24dea3..76e447953c95d 100644
--- a/distribution/tools/launchers/build.gradle
+++ b/distribution/tools/launchers/build.gradle
@@ -36,6 +36,7 @@ dependencies {
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   testImplementation "junit:junit:${versions.junit}"
   testImplementation "org.hamcrest:hamcrest:${versions.hamcrest}"
+  testImplementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
 }
 
 base {
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java
index 8ab3a65090b2b..88654e8826a4c 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/JvmOptionsParser.java
@@ -148,7 +148,7 @@ private List<String> jvmOptions(final Path config, final String opensearchJavaOp
 
         final List<String> substitutedJvmOptions = substitutePlaceholders(jvmOptions, Collections.unmodifiableMap(substitutions));
         final List<String> ergonomicJvmOptions = JvmErgonomics.choose(substitutedJvmOptions);
-        final List<String> systemJvmOptions = SystemJvmOptions.systemJvmOptions(config);
+        final List<String> systemJvmOptions = SystemJvmOptions.systemJvmOptions(config, Runtime.version());
         final List<String> finalJvmOptions = new ArrayList<>(
             systemJvmOptions.size() + substitutedJvmOptions.size() + ergonomicJvmOptions.size()
         );
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index 45e10b461d1db..15b38e50fee4e 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.tools.launchers;
 
+import java.io.FileNotFoundException;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Collections;
@@ -40,10 +42,10 @@
 
 final class SystemJvmOptions {
 
-    protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
-    protected static final String FIPS_140_2 = "FIPS-140-2";
+    static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
+    static final String FIPS_140_3 = "FIPS-140-3";
 
-    static List<String> systemJvmOptions(final Path config) {
+    static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeVersion) throws FileNotFoundException {
         return Collections.unmodifiableList(
             Arrays.asList(
                 /*
@@ -72,7 +74,7 @@ static List<String> systemJvmOptions(final Path config) {
                  */
                 "-XX:-OmitStackTraceInFastThrow",
                 // enable helpful NullPointerExceptions (https://openjdk.java.net/jeps/358), if they are supported
-                maybeShowCodeDetailsInExceptionMessages(),
+                maybeShowCodeDetailsInExceptionMessages(runtimeVersion),
                 // flags to configure Netty
                 "-Dio.netty.noUnsafe=true",
                 "-Dio.netty.noKeySetOptimization=true",
@@ -83,7 +85,7 @@ static List<String> systemJvmOptions(final Path config) {
                 "-Dlog4j2.disable.jmx=true",
                 // security settings
                 enableFips(),
-                allowSecurityManagerOption(),
+                allowSecurityManagerOption(runtimeVersion),
                 loadJavaSecurityProperties(config),
                 javaLocaleProviders()
             )
@@ -92,33 +94,38 @@ static List<String> systemJvmOptions(final Path config) {
 
     private static String enableFips() {
         var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_2)) {
+        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_3)) {
             return "-Dorg.bouncycastle.fips.approved_only=true";
         }
         return "";
     }
 
-    private static String loadJavaSecurityProperties(final Path config) {
+    private static String loadJavaSecurityProperties(final Path config) throws FileNotFoundException {
         String securityFile;
         var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_2)) {
+        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_3)) {
             securityFile = "fips_java.security";
         } else {
             securityFile = "java.security";
         }
-        return "-Djava.security.properties=" + config.resolve(securityFile).toAbsolutePath();
+        var securityFilePath = config.resolve(securityFile);
+
+        if (!Files.exists(securityFilePath)) {
+            throw new FileNotFoundException("Security file not found: " + securityFilePath.toAbsolutePath());
+        }
+        return "-Djava.security.properties=" + securityFilePath.toAbsolutePath();
     }
 
-    private static String allowSecurityManagerOption() {
-        if (Runtime.version().feature() > 17) {
+    private static String allowSecurityManagerOption(Runtime.Version runtimeVersion) {
+        if (runtimeVersion.feature() > 17) {
             return "-Djava.security.manager=allow";
         } else {
             return "";
         }
     }
 
-    private static String maybeShowCodeDetailsInExceptionMessages() {
-        if (Runtime.version().feature() >= 14) {
+    private static String maybeShowCodeDetailsInExceptionMessages(Runtime.Version runtimeVersion) {
+        if (runtimeVersion.feature() >= 14) {
             return "-XX:+ShowCodeDetailsInExceptionMessages";
         } else {
             return "";
diff --git a/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java b/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java
new file mode 100644
index 0000000000000..1ef0ddc810276
--- /dev/null
+++ b/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java
@@ -0,0 +1,86 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.tools.launchers;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.junit.After;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.not;
+import static org.junit.Assert.assertThrows;
+
+public class SystemJvmOptionsTests extends LaunchersTestCase {
+
+    private static final String FILE_NAME = CryptoServicesRegistrar.isInApprovedOnlyMode() ? "fips_java.security" : "java.security";
+    private static final int MIN_RUNTIME_VERSION = 11;
+    private static final int MAX_RUNTIME_VERSION = 21;
+
+    private Path tempFile;
+
+    @After
+    public void tearDown() throws IOException {
+        Files.deleteIfExists(tempFile);
+    }
+
+    public void testSetJavaSecurityProperties() throws Exception {
+        createSecurityFile(FILE_NAME);
+        var jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir(), Runtime.version());
+        assertThat(jvmOptions, hasItem("-Djava.security.properties=" + globalTempDir().toAbsolutePath() + "/" + FILE_NAME));
+    }
+
+    public void testFailSetJavaSecurityProperties() throws Exception {
+        createSecurityFile("unknown.security");
+        assertThrows(
+            FileNotFoundException.class,
+            () -> SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), Runtime.version())
+        );
+    }
+
+    public void testFipsOption() throws Exception {
+        createSecurityFile(FILE_NAME);
+        var jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), Runtime.version());
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+            assertThat(jvmOptions, hasItem("-Dorg.bouncycastle.fips.approved_only=true"));
+        } else {
+            assertThat(jvmOptions, not(hasItem("-Dorg.bouncycastle.fips.approved_only=true")));
+        }
+    }
+
+    public void testSecurityManagerOption() throws Exception {
+        createSecurityFile(FILE_NAME);
+        var runtimeVersion = Runtime.Version.parse(String.valueOf(randomIntBetween(MIN_RUNTIME_VERSION, 17)));
+        var jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), runtimeVersion);
+        assertThat(jvmOptions, not(hasItem("-Djava.security.manager=allow")));
+
+        runtimeVersion = Runtime.Version.parse(String.valueOf(randomIntBetween(18, MAX_RUNTIME_VERSION)));
+        jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), runtimeVersion);
+        assertThat(jvmOptions, hasItem("-Djava.security.manager=allow"));
+    }
+
+    public void testShowCodeDetailsOption() throws Exception {
+        createSecurityFile(FILE_NAME);
+        var runtimeVersion = Runtime.Version.parse(String.valueOf(randomIntBetween(MIN_RUNTIME_VERSION, 13)));
+        var jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), runtimeVersion);
+        assertThat(jvmOptions, not(hasItem("-XX:+ShowCodeDetailsInExceptionMessages")));
+
+        runtimeVersion = Runtime.Version.parse(String.valueOf(randomIntBetween(14, MAX_RUNTIME_VERSION)));
+        jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), runtimeVersion);
+        assertThat(jvmOptions, hasItem("-XX:+ShowCodeDetailsInExceptionMessages"));
+    }
+
+    private void createSecurityFile(String fileName) throws Exception {
+        tempFile = Files.createFile(globalTempDir().resolve(fileName));
+    }
+}
diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle
index dc1e9c99ce2ed..2a303f9a01656 100644
--- a/plugins/repository-s3/build.gradle
+++ b/plugins/repository-s3/build.gradle
@@ -145,9 +145,9 @@ def fixtureAddress = { fixture, name, port ->
 }
 
 def applyFipsConfig(OpenSearchCluster cluster) {
-  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') {
+  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
     cluster.keystorePassword 'notarealpasswordphrase'
-    cluster.environment 'OPENSEARCH_CRYPTO_STANDARD', 'FIPS-140-2'
+    cluster.environment 'OPENSEARCH_CRYPTO_STANDARD', 'FIPS-140-3'
   }
 }
 
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index f0f2d72e6f2fa..424677ce96066 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -197,8 +197,8 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
         );
 
         var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
-        if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) {
-            LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-2 mode");
+        if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-3")) {
+            LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
         }
 
         // initialize probes before the security manager is installed

From 48325537cee24c7848e89ed393a853f4c4dd37cf Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Fri, 8 Nov 2024 09:22:55 +0100
Subject: [PATCH 11/21] categorize JKS keystore as untrusted

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../client/RestClientBuilderIntegTests.java   |  21 +--------
 .../cli/keystore/KeyStoreWrapperTests.java    |   7 +--
 .../launchers/SystemJvmOptionsTests.java      |   5 ++-
 .../common/crypto/KeyStoreFactory.java        |  21 +++++++--
 .../common/crypto/KeyStoreType.java           |   9 +---
 .../common/crypto/KeyStoreFactoryTests.java   |   5 +--
 .../opensearch/common/ssl/KeyStoreUtil.java   |  10 +++--
 .../org/opensearch/common/ssl/PemUtils.java   |   2 +-
 .../opensearch/common/ssl/PemUtilsTests.java  |   7 ++-
 .../ssl/SslConfigurationLoaderTests.java      |   2 +-
 .../common/ssl/SslConfigurationTests.java     |   2 +-
 .../common/ssl/StoreKeyConfigTests.java       |  10 +++--
 .../common/ssl/StoreTrustConfigTests.java     |  36 +++++++++++----
 modules/transport-netty4/build.gradle         |   2 +
 .../SecureNetty4HttpServerTransportTests.java |   4 +-
 .../src/test/resources/README.md              |  42 ++++++++++++++++++
 .../src/test/resources/README.txt             |  17 -------
 .../src/test/resources/netty4-secure.bcfks    | Bin 0 -> 2787 bytes
 .../AzureDiscoveryClusterFormationTests.java  |  10 +++++
 plugins/repository-gcs/build.gradle           |   4 ++
 .../gcs/GoogleCloudStorageService.java        |   7 ++-
 .../src/main/resources/README.md              |  19 ++++++++
 .../src/main/resources/google.bcfks           | Bin 0 -> 73692 bytes
 .../org/opensearch/bootstrap/security.policy  |   1 -
 .../bootstrap/test-framework.policy           |   1 -
 .../java/fixture/s3/S3HttpFixtureWithEC2.java |   2 +-
 26 files changed, 159 insertions(+), 87 deletions(-)
 create mode 100644 modules/transport-netty4/src/test/resources/README.md
 delete mode 100644 modules/transport-netty4/src/test/resources/README.txt
 create mode 100644 modules/transport-netty4/src/test/resources/netty4-secure.bcfks
 create mode 100644 plugins/repository-gcs/src/main/resources/README.md
 create mode 100644 plugins/repository-gcs/src/main/resources/google.bcfks

diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index c1e89664dc405..e48648964f3f6 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -57,9 +57,6 @@
 import java.security.KeyStore;
 import java.security.PrivilegedAction;
 import java.security.SecureRandom;
-import java.util.concurrent.Executor;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.TimeUnit;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
@@ -91,22 +88,8 @@ public void handle(HttpExchange httpExchange) throws IOException {
 
     @AfterClass
     public static void stopHttpServers() throws IOException {
-        if (httpsServer != null) {
-            httpsServer.stop(0); // Stop the server
-            Executor executor = httpsServer.getExecutor();
-            if (executor instanceof ExecutorService) {
-                ((ExecutorService) executor).shutdown(); // Shutdown the executor
-                try {
-                    if (!((ExecutorService) executor).awaitTermination(15, TimeUnit.SECONDS)) {
-                        ((ExecutorService) executor).shutdownNow(); // Force shutdown if not terminated
-                    }
-                } catch (InterruptedException ex) {
-                    ((ExecutorService) executor).shutdownNow(); // Force shutdown on interruption
-                    Thread.currentThread().interrupt();
-                }
-            }
-            httpsServer = null;
-        }
+        httpsServer.stop(0);
+        httpsServer = null;
     }
 
     public void testBuilderUsesDefaultSSLContext() throws Exception {
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
index 9f20dec124549..a8962b06317f2 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
@@ -93,7 +93,8 @@
 
 public class KeyStoreWrapperTests extends OpenSearchTestCase {
 
-    Supplier<char[]> passphraseSupplier = () -> inFipsJvm() ? "6!6428DQXwPpi7@$ggeg/=".toCharArray() : new char[0];
+    String STRONG_PASSWORD = "6!6428DQXwPpi7@$ggeg/="; // has to be at least 112 bit long.
+    Supplier<char[]> passphraseSupplier = () -> inFipsJvm() ? STRONG_PASSWORD.toCharArray() : new char[0];
     Environment env;
     List<FileSystem> fileSystems = new ArrayList<>();
 
@@ -373,14 +374,14 @@ public void testFailLoadV1KeystoresInFipsJvm() throws Exception {
         assumeTrue("Test in FIPS JVM", inFipsJvm());
 
         Exception e = assertThrows(SecurityException.class, () -> generateV1());
-        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS, JKS keystores are allowed in FIPS JVM"));
+        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS keystores are allowed in FIPS JVM"));
     }
 
     public void testFailLoadV2KeystoresInFipsJvm() throws Exception {
         assumeTrue("Test in FIPS JVM", inFipsJvm());
 
         Exception e = assertThrows(SecurityException.class, () -> generateV2());
-        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS, JKS keystores are allowed in FIPS JVM"));
+        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS keystores are allowed in FIPS JVM"));
     }
 
     public void testBackcompatV1() throws Exception {
diff --git a/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java b/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java
index 1ef0ddc810276..fb9f0bcbd5936 100644
--- a/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java
+++ b/distribution/tools/launchers/src/test/java/org/opensearch/tools/launchers/SystemJvmOptionsTests.java
@@ -51,10 +51,11 @@ public void testFailSetJavaSecurityProperties() throws Exception {
     public void testFipsOption() throws Exception {
         createSecurityFile(FILE_NAME);
         var jvmOptions = SystemJvmOptions.systemJvmOptions(globalTempDir().toAbsolutePath(), Runtime.version());
+        var fipsProperty = "-Dorg.bouncycastle.fips.approved_only=true";
         if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
-            assertThat(jvmOptions, hasItem("-Dorg.bouncycastle.fips.approved_only=true"));
+            assertThat(jvmOptions, hasItem(fipsProperty));
         } else {
-            assertThat(jvmOptions, not(hasItem("-Dorg.bouncycastle.fips.approved_only=true")));
+            assertThat(jvmOptions, not(hasItem(fipsProperty)));
         }
     }
 
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
index ee2d1b92c855a..4cd6e9922ab27 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
@@ -13,6 +13,7 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchProviderException;
+import java.util.Objects;
 import java.util.stream.Collectors;
 
 import static org.opensearch.common.crypto.KeyStoreType.SECURE_KEYSTORE_TYPES;
@@ -25,8 +26,10 @@
  */
 public final class KeyStoreFactory {
 
+    private static final String FIPS_PROVIDER = "BCFIPS";
+
     /**
-     * Make a best guess about the "type" (see {@link KeyStore#getType()}) of the keystore file located at the given {@code Path}.
+     * Makes best guess about the "type" (see {@link KeyStore#getType()}) of the keystore file located at the given {@code Path}.
      * This method only references the <em>file name</em> of the keystore, it does not look at its contents.
      */
     public static KeyStore getInstanceBasedOnFileExtension(String filePath) {
@@ -37,10 +40,20 @@ public static KeyStore getInstance(KeyStoreType type) {
         return getInstance(type, null);
     }
 
+    /**
+     * Creates KeyStore instance with submitted provider and type. In FIPS enabled environment the parameters are limited to FIPS supported
+     * KeyStore-Types (see {@link KeyStoreType#SECURE_KEYSTORE_TYPES}) and also FIPS provider (see {@link KeyStoreFactory#FIPS_PROVIDER}).
+     */
     public static KeyStore getInstance(KeyStoreType type, String provider) {
-        if (CryptoServicesRegistrar.isInApprovedOnlyMode() && !SECURE_KEYSTORE_TYPES.contains(type)) {
-            var secureKeyStoreNames = SECURE_KEYSTORE_TYPES.stream().map(KeyStoreType::name).collect(Collectors.joining(", "));
-            throw new SecurityException("Only " + secureKeyStoreNames + " keystores are allowed in FIPS JVM");
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+            if (!SECURE_KEYSTORE_TYPES.contains(type)) {
+                var secureKeyStoreNames = SECURE_KEYSTORE_TYPES.stream().map(KeyStoreType::name).collect(Collectors.joining(", "));
+                throw new SecurityException("Only " + secureKeyStoreNames + " keystores are allowed in FIPS JVM");
+            }
+            if (provider != null && !Objects.equals(provider, FIPS_PROVIDER)) {
+                throw new SecurityException("FIPS JVM does not support creation of KeyStore with any other provider than " + FIPS_PROVIDER);
+            }
+            provider = FIPS_PROVIDER;
         }
 
         try {
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
index 2c1ba85e8235d..6654ee9cef40f 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
@@ -23,7 +23,7 @@ public enum KeyStoreType {
     PKCS_11("PKCS11"),
     BCFKS("BCFKS");
 
-    static final Map<KeyStoreType, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>();
+    public static final Map<KeyStoreType, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>();
 
     static {
         TYPE_TO_EXTENSION_MAP.put(JKS, List.of(".jks", ".ks"));
@@ -35,9 +35,8 @@ public enum KeyStoreType {
      * Specifies KeyStore formats that are appropriate for use in a FIPS-compliant JVM:
      * - BCFKS KeyStore is specifically designed for FIPS compliance.
      * - PKCS#11 is vendor-specific and requires proper configuration to operate in FIPS mode.
-     * - JKS can be used under FIPS with restrictions: it may contain only certificates, and it will be readable but not writable.
      */
-    public static final List<KeyStoreType> SECURE_KEYSTORE_TYPES = List.of(PKCS_11, BCFKS, JKS);
+    public static final List<KeyStoreType> SECURE_KEYSTORE_TYPES = List.of(PKCS_11, BCFKS);
 
     private final String jcaName;
 
@@ -62,8 +61,4 @@ public static KeyStoreType getByJcaName(String value) {
         return Stream.of(KeyStoreType.values()).filter(type -> type.getJcaName().equals(value)).findFirst().orElse(null);
     }
 
-    public static String getExtensionsByType(KeyStoreType type) {
-        return TYPE_TO_EXTENSION_MAP.get(type).get(0);
-    }
-
 }
diff --git a/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java b/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
index 2ed3a2fafa867..32b5ecfbcd23c 100644
--- a/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
+++ b/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
@@ -17,7 +17,7 @@
 public class KeyStoreFactoryTests extends OpenSearchTestCase {
 
     public void testPKCS12KeyStore() {
-        assumeFalse("Can't run in a FIPS JVM as PBE is not available", inFipsJvm());
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12).getType(), equalTo("PKCS12"));
         assertThat(KeyStoreFactory.getInstance(KeyStoreType.PKCS_12).getProvider().getName(), equalTo("BCFIPS"));
 
@@ -34,6 +34,7 @@ public void testPKCS12KeyStore() {
     }
 
     public void testJKSKeyStore() {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         assertThat(KeyStoreFactory.getInstance(KeyStoreType.JKS).getType(), equalTo("JKS"));
         assertThat(KeyStoreFactory.getInstance(KeyStoreType.JKS).getProvider().getName(), equalTo("SUN"));
 
@@ -55,8 +56,6 @@ public void testBCFIPSKeyStore() {
         assertThat(KeyStoreFactory.getInstance(KeyStoreType.BCFKS, "BCFIPS").getType(), equalTo("BCFKS"));
         assertThat(KeyStoreFactory.getInstance(KeyStoreType.BCFKS, "BCFIPS").getProvider().getName(), equalTo("BCFIPS"));
 
-        assertThrows("BCFKS not found", SecurityException.class, () -> KeyStoreFactory.getInstance(KeyStoreType.BCFKS, "SUN"));
-
         KeyStoreType.TYPE_TO_EXTENSION_MAP.get(KeyStoreType.BCFKS).forEach(extension -> {
             var keyStore = KeyStoreFactory.getInstanceBasedOnFileExtension(createRandomFileName(extension));
             assertThat(keyStore.getType(), equalTo(KeyStoreType.BCFKS.getJcaName()));
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
index e0bef21ed4242..4d45e8df14130 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
@@ -54,6 +54,7 @@
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.util.Collection;
+import java.util.Objects;
 
 /**
  * A variety of utility methods for working with or constructing {@link KeyStore} instances.
@@ -83,10 +84,11 @@ static KeyStore readKeyStore(Path path, KeyStoreType type, char[] password) thro
             }
             return keyStore;
         } catch (IOException e) {
-            throw new SslConfigException(
-                "cannot read a [" + type + "] keystore from [" + path.toAbsolutePath() + "] - " + e.getMessage(),
-                e
-            );
+            var finalMessage = e.getMessage();
+            if (Objects.equals(e.getMessage(), "BCFKS KeyStore corrupted: MAC calculation failed.")) {
+                finalMessage = "incorrect password or corrupt file.";
+            }
+            throw new SslConfigException("cannot read a [" + type + "] keystore from [" + path.toAbsolutePath() + "] - " + finalMessage, e);
         }
     }
 
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
index dd5b67cbcbbb8..9dddac3b88ed1 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java
@@ -68,7 +68,7 @@ final class PemUtils {
 
     /**
      * Creates a {@link PrivateKey} from the contents of a file. Supports PKCS#1, PKCS#8
-     * encoded formats of encrypted and plaintext RSA, DSA and EC(secp256r1) keys
+     * encoded formats of encrypted and plaintext RSA, DSA and EC(secp256r1) keys.
      *
      * @param keyPath           the path for the key file
      * @param passwordSupplier A password supplier for the potentially encrypted (password protected) key
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
index 0aa0213d54111..a0d15258ed3ca 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
@@ -32,7 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.test.OpenSearchTestCase;
@@ -182,7 +181,7 @@ public void testReadOpenSslDsaKeyWithParams() throws Exception {
     }
 
     public void testReadEncryptedOpenSslDsaKey() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        assumeFalse("Can't run in a FIPS JVM, PBKDF-OPENSSL KeySpec is not available", inFipsJvm());
         Key key = getKeyFromKeystore("DSA", KeyStoreType.JKS);
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
@@ -286,11 +285,11 @@ public void testReadEmptyFile() {
     }
 
     private Key getKeyFromKeystore(String algo) throws Exception {
-        return getKeyFromKeystore(algo, CryptoServicesRegistrar.isInApprovedOnlyMode() ? KeyStoreType.BCFKS : KeyStoreType.JKS);
+        return getKeyFromKeystore(algo, inFipsJvm() ? KeyStoreType.BCFKS : KeyStoreType.JKS);
     }
 
     private Key getKeyFromKeystore(String algo, KeyStoreType keyStoreType) throws Exception {
-        var keystorePath = getDataPath("/certs/pem-utils/testnode" + KeyStoreType.getExtensionsByType(keyStoreType));
+        var keystorePath = getDataPath("/certs/pem-utils/testnode" + KeyStoreType.TYPE_TO_EXTENSION_MAP.get(keyStoreType).get(0));
         var alias = "testnode_" + algo.toLowerCase(Locale.ROOT);
         var password = "testnode".toCharArray();
         try (var in = Files.newInputStream(keystorePath)) {
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
index f4c42231ab96a..2aef139eba7a0 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationLoaderTests.java
@@ -242,7 +242,7 @@ public void testLoadKeysFromBCFKS() {
     }
 
     public void testLoadKeysFromPKCS12() {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        assumeFalse("Can't use PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Settings.Builder builder = Settings.builder().put("test.ssl.keystore.path", "cert-all/certs.p12");
         if (randomBoolean()) {
             builder.put("test.ssl.keystore.password", "p12-pass");
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
index ce846381c6e5e..410238e57984c 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/SslConfigurationTests.java
@@ -246,7 +246,7 @@ public void testNotSupportedProtocolsInFipsJvm() {
         assertThat(
             exception.getMessage(),
             equalTo(
-                String.format(Locale.ROOT, "in FIPS mode only the following SSL/TLS protocols are allowed: [%s]", FIPS_APPROVED_PROTOCOLS)
+                String.format(Locale.ROOT, "in FIPS mode only the following SSL/TLS protocols are allowed: %s", FIPS_APPROVED_PROTOCOLS)
             )
         );
     }
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
index 5c7a23445a877..6df03f72a0be8 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
@@ -71,7 +71,7 @@ public class StoreKeyConfigTests extends OpenSearchTestCase {
     private static final char[] BCFKS_PASS = "bcfks-pass".toCharArray();
 
     public void testLoadSingleKeyPKCS12() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        assumeFalse("Can't use PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path p12 = getDataPath("/certs/cert1/cert1.p12");
         final StoreKeyConfig keyConfig = new StoreKeyConfig(p12, P12_PASS, PKCS_12, P12_PASS, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(p12));
@@ -87,6 +87,7 @@ public void testLoadMultipleKeyPKCS12() throws Exception {
     }
 
     public void testLoadMultipleKeyJksWithSeparateKeyPassword() throws Exception {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
         final StoreKeyConfig keyConfig = new StoreKeyConfig(
             jks,
@@ -107,6 +108,7 @@ public void testLoadMultipleKeyBcfks() throws CertificateParsingException {
     }
 
     public void testKeyManagerFailsWithIncorrectJksStorePassword() throws Exception {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
         final StoreKeyConfig keyConfig = new StoreKeyConfig(
             jks,
@@ -127,6 +129,7 @@ public void testKeyManagerFailsWithIncorrectBcfksStorePassword() throws Exceptio
     }
 
     public void testKeyManagerFailsWithIncorrectJksKeyPassword() throws Exception {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
         final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, JKS_PASS, JKS, JKS_PASS, KeyManagerFactory.getDefaultAlgorithm());
         assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(jks));
@@ -154,6 +157,7 @@ public void testKeyManagerFailsWithMissingKeystoreFile() throws Exception {
     }
 
     public void testMissingKeyEntriesFailsForJksWithMeaningfulMessage() throws Exception {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca-all/ca.jks");
         final char[] password = JKS_PASS;
         final StoreKeyConfig keyConfig = new StoreKeyConfig(ks, password, JKS, password, KeyManagerFactory.getDefaultAlgorithm());
@@ -162,7 +166,7 @@ public void testMissingKeyEntriesFailsForJksWithMeaningfulMessage() throws Excep
     }
 
     public void testMissingKeyEntriesFailsForP12WithMeaningfulMessage() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        assumeFalse("Can't use PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca-all/ca.p12");
         final char[] password = P12_PASS;
         final StoreKeyConfig keyConfig = new StoreKeyConfig(ks, password, PKCS_12, password, KeyManagerFactory.getDefaultAlgorithm());
@@ -179,7 +183,7 @@ public void testMissingKeyEntriesFailsForBcfksWithMeaningfulMessage() throws Exc
     }
 
     public void testKeyConfigReloadsFileContents() throws Exception {
-        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
+        assumeFalse("Can't use PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path cert1 = getDataPath("/certs/cert1/cert1.p12");
         final Path cert2 = getDataPath("/certs/cert2/cert2.p12");
         final Path jks = getDataPath("/certs/cert-all/certs.jks");
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
index 5bceb5aef80cf..3ba0c39e9d7e6 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
@@ -62,7 +62,7 @@ public class StoreTrustConfigTests extends OpenSearchTestCase {
     private static final char[] BCFKS_PASS = "bcfks-pass".toCharArray();
     private static final String DEFAULT_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
 
-    public void testBuildTrustConfigFromPKCS12() throws Exception {
+    public void testBuildTrustConfigFromP12() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca1/ca.p12");
         final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, P12_PASS, PKCS_12, DEFAULT_ALGORITHM);
@@ -70,13 +70,21 @@ public void testBuildTrustConfigFromPKCS12() throws Exception {
         assertCertificateChain(trustConfig, "CN=Test CA 1");
     }
 
-    public void testBuildTrustConfigFromJKS() throws Exception {
+    public void testBuildTrustConfigFromJks() throws Exception {
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca-all/ca.jks");
         final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, JKS_PASS, JKS, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertCertificateChain(trustConfig, "CN=Test CA 1", "CN=Test CA 2", "CN=Test CA 3");
     }
 
+    public void testBuildTrustConfigFromBcfks() throws Exception {
+        final Path ks = getDataPath("/certs/ca-all/ca.bcfks");
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, BCFKS_PASS, BCFKS, DEFAULT_ALGORITHM);
+        assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
+        assertCertificateChain(trustConfig, "CN=Test CA 1", "CN=Test CA 2", "CN=Test CA 3");
+    }
+
     public void testBadKeyStoreFormatFails() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = createTempFile("ca", ".p12");
@@ -94,7 +102,7 @@ public void testMissingKeyStoreFailsWithMeaningfulMessage() throws Exception {
         assertFileNotFound(trustConfig, ks);
     }
 
-    public void testIncorrectPasswordFailsWithMeaningfulMessage() throws Exception {
+    public void testIncorrectPasswordFailsForP12WithMeaningfulMessage() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/ca1/ca.p12");
         final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, new char[0], PKCS_12, DEFAULT_ALGORITHM);
@@ -102,10 +110,22 @@ public void testIncorrectPasswordFailsWithMeaningfulMessage() throws Exception {
         assertPasswordIsIncorrect(trustConfig, ks);
     }
 
+    public void testIncorrectPasswordFailsForBcfksWithMeaningfulMessage() throws Exception {
+        final Path ks = getDataPath("/certs/cert-all/certs.bcfks");
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(
+            ks,
+            randomAlphaOfLengthBetween(6, 8).toCharArray(),
+            BCFKS,
+            DEFAULT_ALGORITHM
+        );
+        assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
+        assertPasswordIsIncorrect(trustConfig, ks);
+    }
+
     public void testMissingTrustEntriesFailsForJksKeystoreWithMeaningfulMessage() throws Exception {
-        final char[] password = JKS_PASS;
+        assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/cert-all/certs.jks");
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, JKS, DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, JKS_PASS, JKS, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertNoCertificateEntries(trustConfig, ks);
     }
@@ -113,16 +133,14 @@ public void testMissingTrustEntriesFailsForJksKeystoreWithMeaningfulMessage() th
     public void testMissingTrustEntriesFailsForP12KeystoreWithMeaningfulMessage() throws Exception {
         assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
         final Path ks = getDataPath("/certs/cert-all/certs.p12");
-        final char[] password = P12_PASS;
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, PKCS_12, DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, P12_PASS, PKCS_12, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertNoCertificateEntries(trustConfig, ks);
     }
 
     public void testMissingTrustEntriesFailsForBcfksKeystoreWithMeaningfulMessage() throws Exception {
         final Path ks = getDataPath("/certs/cert-all/certs.bcfks");
-        final char[] password = BCFKS_PASS;
-        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, password, BCFKS, DEFAULT_ALGORITHM);
+        final StoreTrustConfig trustConfig = new StoreTrustConfig(ks, BCFKS_PASS, BCFKS, DEFAULT_ALGORITHM);
         assertThat(trustConfig.getDependentFiles(), Matchers.containsInAnyOrder(ks));
         assertNoCertificateEntries(trustConfig, ks);
     }
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index 89d3f03032d9f..25f713f19758d 100644
--- a/modules/transport-netty4/build.gradle
+++ b/modules/transport-netty4/build.gradle
@@ -79,6 +79,8 @@ tasks.named("dependencyLicenses").configure {
 
 forbiddenPatterns {
   exclude '**/*.p12'
+  exclude '**/*.jks'
+  exclude '**/*.bcfks'
 }
 
 test {
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
index 6383705149521..0a801a0f58f02 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
@@ -123,9 +123,9 @@ public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Setti
             @Override
             public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
                 try {
-                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
+                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
                     keyStore.load(
-                        SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.jks"),
+                        SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.bcfks"),
                         "password".toCharArray()
                     );
 
diff --git a/modules/transport-netty4/src/test/resources/README.md b/modules/transport-netty4/src/test/resources/README.md
new file mode 100644
index 0000000000000..5b74bd85e7c4a
--- /dev/null
+++ b/modules/transport-netty4/src/test/resources/README.md
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#
+# This is README describes how the certificates in this directory were created.
+# This file can also be executed as a script
+#
+
+# 1. Create certificate key
+
+`openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes`
+
+# 2. Export the certificate in pkcs12 format
+
+`openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out netty4-secure.p12 -name netty4-secure -password pass:password`
+
+# 3. Migrate from P12 to JKS keystore
+
+```
+keytool -importkeystore -noprompt \
+    -srckeystore netty4-secure.p12 \
+    -srcstoretype PKCS12 \
+    -srcstorepass password \
+    -alias netty4-secure \
+    -destkeystore netty4-secure.jks \ 
+    -deststoretype JKS \
+    -deststorepass password
+```
+
+# 4. Migrate from P12 to BCFIPS keystore
+
+```
+keytool -importkeystore -noprompt \
+    -srckeystore netty4-secure.p12 \
+    -srcstoretype PKCS12 \
+    -srcstorepass password \
+    -alias netty4-secure \
+    -destkeystore netty4-secure.bcfks \
+    -deststoretype BCFKS \
+    -deststorepass password \
+    -providername BCFIPS \
+    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+    -providerpath $LIB_PATH/bc-fips-2.0.0.jar
+```
diff --git a/modules/transport-netty4/src/test/resources/README.txt b/modules/transport-netty4/src/test/resources/README.txt
deleted file mode 100644
index a1a226c5ba674..0000000000000
--- a/modules/transport-netty4/src/test/resources/README.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is README describes how the certificates in this directory were created.
-# This file can also be executed as a script
-#
-
-# 1. Create certificate key
-
-openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes
-
-# 2. Export the certificate in pkcs12 format
-
-openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out netty4-secure.p12 -name netty4-secure -password pass:password
-
-# 3. Migrate from P12 to JKS keystore
-
-keytool -importkeystore -srcstorepass password -destkeystore netty4-secure.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias netty4-secure -deststorepass password
diff --git a/modules/transport-netty4/src/test/resources/netty4-secure.bcfks b/modules/transport-netty4/src/test/resources/netty4-secure.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..034f2a133172943d9a698aaa9215418285413d5e
GIT binary patch
literal 2787
zcmV<93LNz?f(qX-f(jxqfs_UbDuzgg_YDCB4KRU*Fk}V^Duzgg_YDCB3@}#&Kr7D!
zGWt%6<rD)s9jR@s`$qNpH%$-fMC6N-(uKVl%ECnZ+8H@}to9?7Qt$|j!D))s>86=$
z^LLnoDMA~iq5=Xy00IFZFboC=Duzgg_YDFI1pqJ}1_@w>NC9O71OYEF5d;i&<F1Wt
z3l;|$dgWRI0SE+w35V%IM_-w}_`^bpD~QYC?woU|Z9!UkVpiS9rO%I3On2ta&lt&-
z(~QrxqVC<qaobO`ZwR2bPUTJd)wu;l*Q0f=uXD$!&wxLou)rzBsH+B?`Dlti=MH>y
zb=YsUg%sXrj=kpdlR{#Rof7d1O_pGMI#Z^#&Ho&AmCx{MGYNE4AVGGFps8RFjc?^X
z7%PmBVd>jDKdD3&Cl@H1VX717HTzsrEEJ*?1GaRv^BL|gDs*lO*PcH@f@IO(8~dZ$
z!Iq(_&U#AF{6P4$D%s3Nh|+zYc3&ifwVVGjb4>ct4#1S*MJ%}&VxY!t2Wpl+M_#>`
z_&miRGp2&VDpvL-sjsV1{1#koe;S^JbIcXCw$gIRXHuM!6Tp9rS=J52+a2D9lM6N~
zf54Ymx=+wJq{C*2dG#}AIEa)>+xq_{amDzH`H6uw(jI4-nPx=<tA_@yVuj?@b?Oq$
zYw{4#xrm)fkI=!)CMR>t{)JO@b_DH4y~0YR=e<_f+tOq<&usq)O1e^sJw}@j%%J(`
zspvY2f<PxOViz8fPcPCaKU`l(L;ZNt@Q@g;5>b(E^jcEY9i<}7suD`wWqd;Vf*!0R
zc69UsO(E;u>~{Y$?&{p`P$>u1n0MBGG+k`hypfJF#mqoOjni+MJMRPIFTV0COtO({
zKITds=E4+TE4VpqdLp04t+=xF5Xl&a#xqCpIO(nBX#GNzah37vTgmC3OL3QFn?`F;
z4y`4U*G&jIVCeArYSAENkX*-|HDojPYH@DK+qN~34#xHxs-{4iJtFfsb+D^75{7p^
zI4Mo;bVKfiqS!YK*E%fu*-YcNt5=q*RK}VUD#;(XqbjE_-{OlI1Ub#%@;IhMlzo5U
zANI>ZNt#{e2{wzm;b#xkRQVZevvvm5wUm0&bmCC=@JJIJYqo&WL`=IBx5>(l{=yId
ze|4V4HJ;eoJFZw0NDy)veCzRrX<;$OOWQ)b^B0M^>$iR{%b8wXT+2KEt>?a)lN{ud
zh~(d*f2acHZXVfK_uM=|TEIi^EAEgB{29K0Dagap`KVO$KW-VMOh1M39J8FPXfPaq
zH!d+FU~({!-F$dDZ$hD+ObI(NFG^jJ^6>pFZv$UrkV;K<2&coc<=*>yFqy?!4e{v5
zfHbni4|l=d*gC=BEU6?6!}Qesno>w7tZ`)Viyy!xL{fhxV&0jSwBXBS@kU>FDWVG>
zT2Kw!SUe%pJh$il4-S~Q=;B9H)u%aC4M5T3E4tyB=pt}Ea}<z2zBxvc=ztb`#L2SP
zHTR=A(*C0tJA(fQG*!^it!EhAd9J19qO^M*swkNgJYp^iOOW`eF#|#zW7YamLQqVK
zCPZ<iZz*4XAul?vX{+KTbBvqAtdr=geQB&ND!*;KvR)5b2xVZbeIy^EKs0a%CS!cR
z?%-e74zYa*Qw~VS&eH)AK$Qmg_dUBFHOvwAEIL7po*?lzS$Gcf4cJ^4Y?A`Muy^~-
zktt!oQG-W#BPmb=d7Tl}=8KzScHEs={?y{i@KnYUOkJ9BX+68+N{gzh9%qi&k>vc#
zM(pOK_0+cX85=-gyEg>gqY;ocyBI;Hlh8foGFZ)+^GFg%5r#q32(A#5DtJsVUm3@S
z5GafLZZ#@rt`b3QYl5ChcICesVUMPfokKo5E}vGOA5bYT$u)X76!R^)yY7LXCIL(9
z*X0!&U!1p`(BZTCup^rsMA&<772=91tF<YFj?@pJ*#X<k&{WXg{`;5pYNwiS{-RRU
z9qcwH<Fm4&h6s@@QNFWI2vmJNF&kmNyW3mDP`+F2+M}s7#kJLLJ@BlKaRgFcXBx5i
z=7T0!62Yd($Ng&9n^lhK_b!uwf;18tTEQfGiA7!0aeUE!smCN$lEZ~}yfMP)Ly_HV
z=N<ef@#Sop%S9Av)&LUVTp`^kd(54aH3Is`ZuN&*c4LZ=Z*dg&Wnw2_PwjI(R8rfN
zkUV=?0sHYn!{+0$?MQV+Ir|WCPz5JqGO%YJ<|U!FfOw)2=YIU@jJn{zUoMz+`5MI2
zeAu2g&e93ZX)Qj(mlPM2)S09!7NSP4@FhsNjJQuiM4Sud<S`KY`hH<BFe6ie2)MNQ
zzD*(Li>;PF&SNv75cpc={fF>^A3`+@MijqY%+BV?ccj*BEMuY-_21kk>Jn4Y&n%Es
zdZB_lU!p815#0*(V)x(ZND;$Aa3{y0NCXuGtK_)wY7--&v^??Ab0P<KGqA<i7THfT
zDRv;=LCzPO;-_$2_edr#Zrtu8PPI&Fbll<0_#6+Ov>xO!x5hDBU*WRX6QfDip1hxD
zBE@TB;0PGQ!~b#YJ8deK#^E>p-t&Gno<Wlb)qm6v>OJ!LHHt2A^;405f}t6we)To6
z@9)p3Jum!T78^K5KZx3L%7ryepuTV9lt>7D2+M|d#5L@{86R)ITY6KYmjDwZmi8H2
zi>nNwx55s1XWTQL)twGJShMb=t7h?iQyd1(_+nq?tozfd8f>BzVh6%14NZ!@b6i@6
z2Ois}Gj$2eHDnNz&baz$Ahgv5VTU6pL0%}jH4d0%79>xW`c||-KEm%8$p>4!_88CA
z8C<?3hv2ix00cQtV8p;Iy#kZmPK$3H;0V^A-+iyzuTqYasqCv66OiN(``tfhr@%Hb
zWEc&1crd%FOS7Ab6Zp3GP;tK$GQ7PK?z3cf%beR+b#2R{FC|h9Amqr0vSZc+8A!rJ
zH|2*~lAQ=lTpr98|J84Jc(@0RHKjEfQ1@4l-_wPIuM*wZ<v%{fDUsnnM1=(UsUrxu
zb;oG?eH;Hn@1>|e5%PUohkXf(A(4w+VbuN>?}uR%eRyKx-HsvoDQc>*QkRjvkLXIA
zhPR7`mIh8K8pn~YLH4?F^HI_GEJMC$Jwq<__%vyYLzNoKtO{9hwWo`%0Ca)(TJt{Y
z^X@fObPw3YtC4DUJ&bi*kE0ckEY?`3H6;R&S|=sJP-EvCA!m}&t#-G-n9Rn*M)f*m
z2o+9OT=j<xv`b`<nJAPWd6N-c12p9uYqE~)h%k$vAnz3?@E@%~AYu_-$G0AvUIv&X
zAj)H9{QFbcwU}ElcwkWD0>D4Noyvcp7??>5!~QWrK{Fo}<r_CibK7h)W>GqzuV&+u
zWI(f3H=esUewhtvdpi;O>f6=nquH=S^MiDADN}js6Z2@mU8;jiKa0&DH7-aJ$c!g|
zPh^Uj8k1E)a4><kFboC=Duzgg_YDFI1pqK)1_>&LNQU<f0R;>&R|G&CFHh1)H>fHp
z{jKK0JtZ<)ym@81FIW#Xd&ww?+6UE?jNz6kGbCou%M=J~KwTx6OQBtvA3SwBB6um1
zDMdK~0zd!)0YESe1_&yKNQU<f0t*EI1V9LDXXsmR25P5}3Xe(BDgT^;+OYil^Q_3X
pEJzDvQyyj)>U$EXUUG4kO*)0_!m~yJdORz`i^1MQx1K<$cEvcIKw$s?

literal 0
HcmV?d00001

diff --git a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
index 771de6de486d6..f48b20d52f601 100644
--- a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
+++ b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
@@ -55,6 +55,8 @@
 import org.opensearch.transport.TransportSettings;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.rules.ExternalResource;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -105,6 +107,14 @@ protected Collection<Class<? extends Plugin>> nodePlugins() {
 
     private static Path keyStoreFile;
 
+    @ClassRule
+    public static final ExternalResource MUTE_IN_FIPS_JVM = new ExternalResource() {
+        @Override
+        protected void before() {
+            assumeFalse("Can't run in a FIPS JVM because none of the supported Keystore types can be used", inFipsJvm());
+        }
+    };
+
     @BeforeClass
     public static void setupKeyStore() throws IOException {
         Path tempDir = createTempDir();
diff --git a/plugins/repository-gcs/build.gradle b/plugins/repository-gcs/build.gradle
index 58bfe4a3dde51..7b8ce9d709685 100644
--- a/plugins/repository-gcs/build.gradle
+++ b/plugins/repository-gcs/build.gradle
@@ -242,6 +242,10 @@ def encodedCredentials = {
   Base64.encoder.encodeToString(Files.readAllBytes(serviceAccountFile.toPath()))
 }
 
+forbiddenPatterns {
+  exclude '**/*.bcfks'
+}
+
 /** A service account file that points to the Google Cloud Storage service emulated by the fixture **/
 task createServiceAccountFile() {
   doLast {
diff --git a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
index b39e0de08eba7..80d3f70614ea1 100644
--- a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
+++ b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
@@ -32,7 +32,6 @@
 
 package org.opensearch.repositories.gcs;
 
-import com.google.api.client.googleapis.GoogleUtils;
 import com.google.api.client.http.HttpRequestInitializer;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
@@ -189,9 +188,9 @@ public HttpRequestInitializer getHttpRequestInitializer(ServiceOptions<?, ?> ser
     private HttpTransport createHttpTransport(final GoogleCloudStorageClientSettings clientSettings) throws IOException {
         return SocketAccess.doPrivilegedIOException(() -> {
             final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
-            // use the JKS trustStore format instead of PKCS#12 to ensure compatibility with BC-FIPS
-            var certTrustStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
-            InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.jks");
+            // use the BCFIPS trustStore format instead of PKCS#12 to ensure compatibility with BC-FIPS
+            var certTrustStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
+            InputStream keyStoreStream = getClass().getResourceAsStream("/google.bcfks");
             SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
 
             builder.trustCertificates(certTrustStore);
diff --git a/plugins/repository-gcs/src/main/resources/README.md b/plugins/repository-gcs/src/main/resources/README.md
new file mode 100644
index 0000000000000..bda781bcea537
--- /dev/null
+++ b/plugins/repository-gcs/src/main/resources/README.md
@@ -0,0 +1,19 @@
+#
+# This is README describes how the certificates in this directory were created.
+# This file can also be executed as a script.
+# google-api-java-client provides its own trusted certificates inside google keystore which comes in JKS or PKCS#12 formats.
+# Since BCFIPS requires its own BCFKS format this script creates it.
+#
+
+```
+keytool -importkeystore -noprompt \
+    -srckeystore $KEY_STORE_PATH/google.p12 \
+    -srcstoretype PKCS12 \
+    -srcstorepass notasecret \
+    -destkeystore google.bcfks \
+    -deststoretype BCFKS \
+    -deststorepass notasecret \
+    -providername BCFIPS \
+    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
+    -providerpath $LIB_PATH/bc-fips-2.0.0.jar
+```
diff --git a/plugins/repository-gcs/src/main/resources/google.bcfks b/plugins/repository-gcs/src/main/resources/google.bcfks
new file mode 100644
index 0000000000000000000000000000000000000000..13202c5c21eb3f53a5e50b3e4c1c71c0aeb09823
GIT binary patch
literal 73692
zcmV(%K;pkJg8?7cFoOXf88CsA1_>&LNQU<f0R;^(frc<-1_>&LNQU<f0R;>&R|G&8
zFxORVc;k8so5QSwi!*^tpOfUw;@1}x(yL&cd_{7tx94Q+wq}F1mpYLJ@4NUT8@WyX
z4_N2r?xWa_@H9*U0zd!)0U$681_&yKNQU<f0t*EIFdha8V1`HmWdj5OFE9}V47!!i
z?CTgNdBmeWLIME@1cLz{eSDx%E_gm(tVTD*;o^2qeuFBMr1@(eS6+3?T7ECAk|?c3
z^XBE<q*SEw3R}E@80qMsuIH#J(cAc9WIQt)#C8tWcxCh|Ji&M$p3E5wJ<c!yweTxY
zH76n^Z{g8cgsG(c6IcWp(ao-{u7+sNjFJ<%R~&Cpi1DsU9S?_IyjuW}mN3?kj_ZNK
zV!x#5rv$-$ktTa@4Om|4x;I=4q=G6MuA=l<5Y19qZ=jR9dP29ONSq1EE3$IA-J~rl
z?B=H62vvT(MWuNaJWa7WyJAIA-bc6r&nAxSfml5>g7Q%^+Nbgb;MXLPhx_kq!DLJ&
z(UW(*O4b-(X(uwW?*y=ZFfL>IGvzi4uQm%BfnsKyF$~`7G#!`Z)#j<S{RjAr#XgW&
z@-@Z>cJIZV_#3DJFBIAy)lIw&Iozw=+kU5d39VEwV}wfDL<;;t?)^KXL{;61+oF&p
ztnLuiAZXDDbFjL^m3`xfV8#n=EfaJi?v1YE{WD{?i-AuYd&oYb-zPt^*jU1F{gcw(
z-uxNAy&_W5c)jrHk1<-M)N330Xg!SZKFRcRwi%e9-i};mXk5ra1D}eQ2M+TV6Fnv=
zJHG<bCN69I2}EAly9_`AqgX}&pOe1w?$U{W;U!pgvn?Qq>>w2({f#cjursyX(pVU`
z*0ifAZUdzywD$I3Fd*8fsgaCxD-c4=$_-a<-YVLNJ|<QRWD+1#FKIf1V8HE6&n*Ya
zm85k{c{BU>nwd8&bf+}g*UsRYH2FMEw4;|Gn4SFu0R~1xrA{#)NL;%{SG*2*m-#f>
zzaYZgw@KuA9SO^|a*&I8Cf|f*h!S$brluKk{u>H+bODVW5sWjH_|S{Uy@&(RTjSut
zkxQ)M*ar){z+&^`?g@TGwygDGloNIn@MG2EDAN=ETZ>afIZLdfji&>A|09_JS+$X8
zoG{=m($vWehpQPI4nNk-o;=22lz3lWCjht(;h7$Xyh~BrU|8a&v0DVTi%XSt{;%hm
zRR5Rkutr08mZ9QTh7S3Efe9Yz`I#{?$)_$vpm=t{-C*hUc)D^bS$u!E(uVHTxb1Og
z%NF*7UhqD^8K4_(53zVHDp@89@tn&5T<GwpBP5k_h(-!E&W@w>C1nrC>-9SE-JTro
zHTZ{wUx%L+$gSBaN=efbL3t_?b6FCJNB6mS3n@Kw9^E3YQ_zTC=*RFq`N!7MJ5!`$
zN^rWL?Xn}PN=u6vKRX<#B>o-VWHp1mfUK>dSMvl@EM#8fQ9tzklAk~c8#gv5(`Y-|
z{ZSN;n8K3y_uWN60D@loTm3_^oyUM6t2z4^rqy0MvB4p;-TW%fmZ6+w9!Fu4k~y40
zC%OS*@X?U$cYF4t;;%((m?_etMkA)ZVMZk5#Co0fAvM89B|hT@8pHaDZinl_Kmx(K
z%;&#6Q=5S2BOWAK(B{Qqq;|&@fLiz)3g@iO<Jmz;JpFG8F$cyqx*mypR+~#ss)q?k
z^Oh{G+B|IdQo#UXWcB_Z;+uSm?LzTRd$wmJAE8>-WjV}0@?<jzO`*AUnCk*ua1KbS
zUWSE|9-v^;KVExCxL;sB`iXCnI^ij`kG7pZe3wk+rIz!U37a=s{&O>yo@W8R;!t7L
zY4kiZt33G%o0PQH>*;M1wZ$Q8o}M3RmjET0P_#E+@}3tnxAyP9=Nqo;CcR$O!^AH<
z`=Wd3nmhC-F`eOZhrpKVF-rn?eY2G~cQgj4`nA%}CMGd&(Y%h~y)YCDvg}?WMd++T
zu#hW;myauroOJ@7xQ)9Fh5ElN)*K;qwrCYb-||1?=mTK?)gGS(`}FTFP1C@Kb<^S)
zC177qt-z+TtKd8Hv4f!JH~1ngG2VW(_}`xgm-3>d&L<b4d-)aAWV&(+e*fmhx18`0
zV!LwNqXyP0<QI@@Dt^D_!GsUQB`j7&RroQ3hmNsIV3#L(CfN0idRRzFkYhj#LcaG~
zPJ9kaw_g{1B7y?fa-*<n$Zfj4HWrH{9f>rZ#ueH)&-tFBy;`3^38YQBIk=(zl|(wf
zt6n?K8f8i0I#IWTO<nY{4T!b8n8pBWQiltCH{}eDK{{R#%#`B&Z#x=DT4rL;-#1Z9
zZT5DRvw?rbI@rQF`TBg-lgpA>L;V6``cGWvSWBI_y~6DKy>qOTa>`JCPh^NV;pcIq
zs_j;jRHqGt^5{mV95!%<=X#Q-$N0y9F_u<))-b~@VPCa_5x<1u_V?my_?2%Lp*&t1
zCXT;yB^7+}%3;LS*~cfrN-wWd4o4Bt399+T0F64rMvZHwZ|pxHlB*)f0GIWww1f7F
zEX>y7d&&OHNH6a^WVN5>@!f~ZmJsL4hx@EfLBm-?l3e2PFoaaIP97x{3R%vuWiNG{
zztBY^0}r-_JKt9y73}H(N~;NLA_a1}74Ay%E3r8_Qt|%70vE@|1es{Y3AH^r5n(e(
z?K;@w6d~RGNAbHhWVsh`So<H^78cRg1Cv6;lc=6o+rah%UJb~Tl#B`d{R>o4eb0%0
zp4gty8S*tzNp=Fi@&^6EUJ;qSQzJfmKx44tjaXS|YGQ|WXn^0>;vkkU$rGw4el(fx
zu@BxEsa9l*^7IHNXE`3YBdjNwX%;fyZ8j->j&bC9e%Uyz)6U*W?5xqXz>!owT{%&C
z?up=UT{+%hpwIRA6@62D7-tJ!ug(^Y<JYhH-3q~Ceq{yn$SiVHTsiM~2U;}&U?+uk
zHwrPRi2g9x20M)eBB~AAoY9e(`1`1kI2sr2Zp+n<AYcuda@x&B>hrWIG8c$Q+1H(8
zt_(1-d9}nfyWND}z5QtC<r7qi!&?9lk1IsO%ThxsXf@F47fGRX1_y2$Za*;2c?%bl
z&>6tt3kWp#M1czF6{W3D&h=&BMMX}1J7|&}Wai>yXT8aD^vDC=OGauxE#A{?ZN)g)
z!-CUdb}UVNUdClx`M*2d4v7qKNY%gF4de{RR@AZ~9v&pC*An45&${OZMtnAUqI`U0
z+^f`Ab{qn_Xn451d#Gh#pe+QR-eE;e$DmRk@NoIP`S7$^WZ8g-#w<p(tad|=`n%53
zaE0k;L#vb5)eZIc=yTkvO1gcf{drM>1w2n2;cL(pl`&WU2ScP&O6_@GKg7Xj65pdT
zy1o+fGQ;45ndVou2RXAkSlc%84&xHC`)-mz0a*^ITQ91jL(Uif?NDX#1($cxLyjUz
zwC}bNrX;gC$SSWazWsPO5;wpGP+#=z)nD?a102md)VYO6)X7Agd7%=xGfc?c)L^<e
z9Qy^F{Ok2<pYk3J0imXrg%Y;~l0HwKQ+_WK246j!PeBgydQ9HENx<_2+koj)oi2TW
z$t5sMroXbSBPKlQ__jd^`NVNQ7KdVE*-*9I(4`qzgCQC_^=c!^CK43aj+qEU*lpb5
zs~s;)`p`WX70Xk@;QWMBe~s;;UwA=2INp1pL1ZtJR5u(LTEB+Om_1XOmi<O@<81a9
z6v~3XpPorX(K8mhcI^UBs#wuE{2E-B(H%jls@EfqB}OPbyc2LP4kaLQjR@bXu$2Zq
zL|$aNqh}tKh}RO2>i4I}#dtvXv3z)M_1J>R@+bBrvbfID*m~?*hgb@LAe|xvqVT6!
z8sIgbiPK0NCZZX1kV|&QwFB+ikF0AP`d)F%>J+Hpkxs*&*afWT4L<P5SK+gBGg%<1
z{-WCfm$7LO#h3_1Im5sFB*6Koc+}J90S?<Kr3{rsG2e__;!Z(xLOjA6(uBZ%z<ZD>
zRdVNz9B6YZ_3Ltlg^VW+sHZgM9>KChq&l9Q)ormnDHh2d(;ddVo-vj`C|AQEceLbK
zBB!FdwlA}pT)3N?`=Vr&D#NP(qIo7*03ZH0!@<)~)CKrd|EQ0-{v=DQUDa=0#5cLw
zbL5*2su8gv{@ped`uuip`n}(&mldF5vfK1n#DzSPs_wp<TbrwvSRZMrM}-8aqnr80
z8OzvJs2)e7k;#Z>XXcnu4l&}^krM7hvojC@h8^zA>R-x_C{{5F02TroE&HUvV@?0q
z$vbma?KLkulHG4u>5dm35|k{59Ley;f$|4`Z5;-d5k_ZIfNykO#DGxO;WHcyzP-vU
zC|o4BKnzp8x#d}w`0wFr0456$#y`ooiBofp%_(cZLCC>b02qfMk5gzIlIihvuU$7Y
z=@PmjYPDmrl#h3+7aV(Y%liX06m1GQFBu3<;GeAP|145T`XBv8R!E1`p%Mlx4jJv@
zM87nnZq?|{itKTT;z8_SajrOX5Zy{uC+?YFLtBkQT|@Z*Jd?D%3`0=41tV4xk`<#m
z<esMYewgDLmn(N5>s<f6B<lQr3au`gaJ`5oEMDE^njapQf)e+hv-f}f>a6fU7@)21
z_KH)0gS*gF2xLt~wx*3otsd$~AW-`&dNtb334zjH1sSM9TfB0=^=A!OFII>F8<-Ey
z+k{788A+TPzJJJqTWweC_UDatIK+@1i?d;IJFXL<;+2P_@QjiSk$Pk;7qB2TW?X#b
z5y552K4DD6VP2Vw%SGIP`0U7C%|5Z|l5t8y%$JS|8>LR7@*l-K8@M^uJ!<CCo81%~
ziuuNP8|AlbJh8W+>ql4L&E#cmr;a`~w8orl^DgZ;%bESG?vfG;B+*vD%&*jiNIo87
z1QDglN(l?;Na#!CVjQBx!PB*G3}-z^MxaW-y#`Gx@0)|hSSa5+4dly3!XpimANFAS
zV4PI6?4~-A=g-4TFfg}RJDsF>tsVxiE~QXT-O*gJ<B0#!A#U0Ci!t_`Sd6I4dsZw;
z0=c!tp^6%8;aVKOC(M;{cj}z&QW=-vQmaeqzdPw<%$*0sE@5~0nSns9W7djVXEvXK
zKge7Teiq|{RK^@Iygi&F!$-@s{arD64xoOBeRaT#P2#sIfhYWTbHCXcNibfBjiDYB
z{$Ah~FuGwaK{S0#<n{EQYF>NM+H{+3L*j5Ek17Us$)6v=$Z?&{-FXXl&UKtg@p%$Q
z%UnonwsyYhO03~rJ@U5l$T8(-)H1=EQF4qi#1fDwzAp15jUHrulmr8yx$BP5q9Yb$
zGca#|6x7H_^k;&)aZ@r=A0a*BpNbY@$zZoIA!_9a@^hWJ%2sCJTwrIdtE*=(%v|+M
zkg}%FX7%(<1V>@I1!m-68MIvwGlv!lIK4IrLDICY%SJS`Uhw4-K1SV3#mnt?k0TCx
zr3R;<qpKzpqDk_?^APyBnx9cm2TWQ*9Gk28hR&vSu>zg2jq6%s8jJwL%r_tBT7G3D
z!iLTd;K0&=`s$+}a+%)ZCn)97fkoqp#j7nwUA}CmC~Ws$;LCspE@6KPUjOlnt$?^(
z3a~g2)9ssj&<j-VIBJLuYJ7-q7u7PlQC1b^4@&D#R~;@5PsgawSS5X?=KBa0VthjD
zP(Wmeqp!1o0P+15E0%tXQCtk_h-rd`o)+2}-__ht9<oxw5EIdVod|KMLx9Cz$z!Fv
zl|I<WU0CLQIdzY`=+gid*k*_8C9daI`}E_<TA=PZaZTHy`(E?AuYwR<5~Fjrq)l#+
zjJUg>M=O++OwjXU)NDpH+OoUNjF$FMzZ&Ov;Dh9Ns8#G7vN(EoJ}J$De~CV$r}R9m
zl87d$48%9<a=gMp6@%c!RWRbb0@sskgqdr5zKS#QzBG?#Ma=-)B}rfgIvj^~3T06<
zBuXvnC_OS=>t>=zk2t-)Kl02F6XS^zh7`Lr6!Uh7;=P3gU7F!)p?s<>!U$9Ha0P+{
z1aI@y<Cte$Sz}vTZAkGJgM8S-xA$y7y%AHi+wKv{#5i;W_2I=L^OHTvMu&$Krvx3^
zxdw}YR~MB{ChZL4CXo~=Ek+1YVRm)ajJYvBd3eZ<4_aNP&#S8<L;c-$lhb)IGXorP
zr}|{=RLhI&fP)p<*ce8FO_>|@Ntqw+GHS+A4}UOq7&TBfbJU=dq$WkqpvIwFXS(IS
z6vZtl8w1}LI?SuiW1<WDJ@`EPRh6vk!_pzPTLVoG(&IuDm&kZP`LJ>}9KUu~F14~M
zkI9InNRZai6T!vuzz(RJJysqUzF#`xk&kaDk2z<Ypj*+w{#7YswomeO(b)?Hi^SMr
zd}~r0xZTm}R{V64clf9TheHZpLD5$~1ZW+v$(3fXy#RhuO?Ej^VRcYNg5PFW2<FX5
z#o$gByyQ9H65-ERz~Sy!c?R2RgV{|>)o%8(tKImQDK+;=&fAo5u>7?vqmM0eK#5Mf
zMO<cesn$LtSW}`AkE3|xT3$uo{G-z6@tSh{$PUA5j@;%y8Fxr+gdOGR!JFBV_S1~2
zEqr0vUEtbL{(d;tWZZA7&>!5GCeNkbZz~<m&xLO=<q@QD8v46%l!@xaM)Y=iMcuD6
z16I=PuYYsn#WF%*8&MhE|CzvzQQNeUBy8k?;Ncknm`pN^AFP2aLVnHvSa7O({4P%y
zH^??$517)7F1lrgr&`4c*=uq;l`?auf68^cJFfN)2M^j<rC8Bh#mqN>Xu^*oas-`I
z(fLeEdh*_3gMyI1I8YoQ`sB{b7Um)3R%-n_q=7Lj^uB<wr185@6<XN?<<MgQ?vg<h
zi#Q-Qcifq^9jvQ9iEvUXVNbEapfo6KeSDOeHO(PEM8Mp1ZJ3gi2iaalp4)HT#=(w~
zz)riE1w^WhN#3&TLJ32b=eU5U-T~KdeE-%fnT2!;Lj)d2hBj(|`)RY5kNAOs5)2MD
z`I}_c65tZhmz9c3vx4;${|v?2uT30z`GMv1F9)szI`Soha~jmXjThU^&#2hSYO>9e
zxvJIUZ<+~LMfsfh<`-^k(Bg)wBm?1@WJa2V3PslaFBe^5LPOL*uSb)##SFb&m08q0
ztkldV$-rr*l>?@;7fgZ1Io6s<GtiSblhO6Qjta?xdafVxZU3{0A;lJBnLbh0;!=pu
z$k98!_NufV)sp??`hQoAf_F~0to(=`dmf9T6n4*85IlsV$k?76@E($?+S%+O$SHj%
zzFbnKclZ?~z*+|)Pe32L4?6U*dwF^NDG|5L^i&kl&zn^=BJ|@Z@DiBCId-G$dT<{8
z$;%%4dy<7OBW#eYv!J6_>;VA7L8etOOI$YWY`x+=`&Pk^MlEFafuLQw6uewvOan3F
zi&Yuc3GKlpc<4q>AZx;~b#4Wii2I`qP_@^TeZ4XSWfL8^@UPbjJv(lsnG6@+$#s&3
z$u0}D33v(3YM1fZ58fZwqFbruaR}Z#^vwRby#<ZT=%Xsjdfr?6t!Yj*C;p<mTz$dy
zoK*}pqIm)G^9MVz^Quv(&dc^cex}wH-Bd=au_muK%yX-w6r~p2-(H?(O(^N`w&C;=
zq@oBp(D|{4D+fA$266>&%ruHXf1VnPy|F}YtxzZ~ZYeKR1f8y-)CED|$ODAo#Lx|K
zO85-KScD>eM?LtJH`id9qHO<XQ$Bl&Qu$;yE5kWcrn6=-bKhhO7dh_2LiRnK$Yjmn
zq`hRW5dVYL%#$d1UTj?64K)IAkHABmsS=af&mVNm%69sGLvtB(L=E8_S$&@Gjs_Bi
z5Dhy-d~{Lc+C@pFy&8l@5U*&<ONzUE?pfVpu*dO_{8?Q{oKw036iKdil{p!sXNiv8
zWP?l4F=Vq8GmogeIY71iEVzXq<PPoF$L<;Zu!A^eg|N@dnK!Z7XkNS-YZOu5<U1db
zt9H}WL|yS6cbJsm7!$Vv^R+|>FRNEctg*}0{!%7A&MwAWfNjH@YmZ@>UbCGN3vC6(
zU`5NpdsrLII(n7iSh#K_s>Z%<$XH?8g3ECBm<K}cM@#zV`tO$$(-MDKWBS$mA_BuE
z$~i>+U@aWE;Kc_97W*!&mV!suVhB?swh_2+u;5G1;<_HZejoXjXF5t3Nh9UT{k=1_
z^jE(cKqoB<yk}^bq;=|EartdT^@nvOt4@U3m8QB6Z-YK}UQHFTqELh6bIpqv=B@fq
z*`Es$D-=^fk|gSvL!Fm~J_`Qk0Nnltnd0peK0vA-@=fk})=Ha|o#^4T>^wM#vv_ne
zA_G;^H(#UhC81*!CNgfj4n2F#*IhFl__xkT1R)s(Oc20%gZ3>HrFvjsV}-@~-4Q@t
zZtt}vdoWZ{Ic*lPk)Sd+*uBqG&*fAU6>#NK*E8kCN4S-24UyEl(A{>6r~`M>yZ~^i
zhejSLaPY4CbBXo5(4!N$YD*M;MH||MhU#_dU(%-4E{`{^m;3q^^|5Uv>w=|F5M{(Z
z+Qd*G^N<}k$>P!#W<V;l*d)fE#|%3UACqZ0O`L`CH0fu~Qumltt0KLo#X484DwT*$
z0a**wz*XcqiT@VKIsG+X@FZ=7)gqLgt@`1d>&7rZg$49xJir|0AfL!=XM~x!?z8yV
zvDZ4&^YVTq?!bg4u_E9F0u|q>4TYT4U}jF6(g#24D!;(o7`F)fO{-J`%>0w&?R8JJ
z7=4Vih<0d=i@K+QE4BOquoJAz;;)meYq=ICg)-D=j0^|GlnT1E?`V;6ql5N!?ix{|
z2RAly=u@4~IZ9cN0T9IiOY{!lVS>RpT9=Chs4Y2VX++=OhEdI;mq*XiXC8E-7EBI2
z{E2D&i&ex)KrW;O*9!6wCbsi2Qvt;5cc#DiI<>pKfomzLTQ;Zmh!SU!S`o|3V2{1m
zFAhzm95<^B!m|)2l6h=PAe0nywK;l*1?1H_(&A!2>LqGpTg3{gaJOg1a67F91E4=4
z7d(K;^_@1hEM@mo_x~wV-{Ob7goWMdMg_V}-pz_nUcC8)pA<rlu<zSeyS9<27&-wJ
z2q_T*^PyO2OT=6c8t5Q}cc3;1v!k1i;p{aV>43~x8_g)a#%UIZpl=<cY_dnfE~=Eg
z4L&33E&fpN4@@7;I^>|AUyoJPYVj~KCd@cC(#>VRyDlf(yqlgSO25(ozJmN92Q=VN
z#H8L9#Zpj4?i>t>AhDbVIW;|d3<D#DP@>{W6)|y`$z0AvOtao4W#}U7BK8$@k@0ku
z2y)*tB$q<;>m{s$UPwLzg)awT1({dJ<W2Z5ov4GhJ#wP&P~LR^4gWti(V7RM&64IS
z_H&YJYFb_U7g}4a+455bkq7fke>wzzZ<fQ*h~y7n7N$}nKt4WSlP`r8&*FV)TS0SI
zO?~G>+}3;3NGti+M>9uWg*MtD0OfX6&(W~~De-R7Oky|tE{V~9pwH%KOLygDRBsE8
z&jvh0)#0!59XUPK3VyBxRW7po+h?pp@B}~tYGQG6vxUs!M8;o<jb_}Cl)!)@B|HRp
z>auKaGlVef>uE5Y?3&oMUYjBl(QK$%GRu0o;p0b{e=D&$%};rgdx)$%RGX@?V9dti
z-5HJVN?3OZbR;yt^$~0$h+3MbGKe|TJ*?V41(Yo!4My1hH8HcNYmVR^F~+t8yd?e6
za`8yfYElj^3V1p-xk*AJB9LL3Yr23C79t&~Kn|Wv>2GfYh}EVA|Jo@H1i_ynbA>-m
z>bLfx+lQEzo_4`6m?ahL*4-SKJ&!|aI0@K+S8HqWVn^dcgTOr9OEBvNZEv|9V@V&*
zC^BbpR2QILkX7`&I}5#<HKf&X$PrCRRNwu^P}w6}8#M98FuleNC4k`q;AYSOIGoRH
zfit3vqJvktyDld@>qXPhoLhMa-vq)@HwlO>CHQ)j-AfJ&yid^m^+JABA^mG`pel&Z
zZs96;T4hias%Is>(=H`(X=Yeakn=z`_eXlYtbvi`8fVMzfb`xj18z~qL9`><oA@x~
zHkbyqwDx|cF_bW*-VEL8P$YrL@)TK3o7<YWC{IMMcJ};*+5Zc>Y6iT*Vm)=;_W_HX
zH|laBB2%N;Dlhj>Ros_C8G#$+#<c)xEXE7Tyl1qd^gB+5b{vO1t2@^Ra0>uaAP|of
zP^k9Rf22e>eI@XsfJB*7M7%kpng%`(JuJWa(yIQ+nX}gSnh#RxBbC$F+;JT2q`xGf
zb7(YN*d$v*X(w+=QPw@ofRET3@N#Jy=8e^8*V(;t@e~;TDW2PLz`>8h?K^hh)WbD}
znu28GafmpBbgNA7;-~GI&o^t$n*LBM>ZVfFDEI|hBM_z0CjT94o7o_D-~JV=7JhK0
ziujP4jShFrf7~trxt>#qp+}#uNeP<RgQ-+HO}W9Lb1GmzmHsn@FPuW59$}bz!-@N{
z3bDVP&%@x|Yg6@YIlt_@is7HPI6FY?JL|Z9pP)4~4t`e8a7}mKYW@#OU7&YmaOnz?
z!}MNHQxzs~2`>pCw?rX19EDE<!@`MO!_J&grp?_GY`h?#E3F#!45nU;aN^CcC*^X^
zh?A%0N3nLfvl}=~QH|$$f(d{J?dfzFNEr82QV0;#HV|=?U5Px%rdQ1D$7EKJZ1`z^
z4tU(>Sj^C&utnJlpG-@g&&$ryN4`M(*^zPxKB`n$lGh!uVhBin*@x;udSgujbWs~V
zAjxs4VLM9sMMql4LE{=T{gUkT^4|U;+ZN298e-adrZ11xt(T=9E!(?jf1*Bxw-I?W
zww?<?EtMd-TMS8L(eKh;q0oQ@6pr-3mkCdeV@G?6N=%lx%(gT=DutVv)&_jc=R2o?
zGA<eVR;@deD=w*KNp)+KFc9M9+J`|b>!u<IX%Ir(p{5dG9j%2(&mlWJ1AeCN1SWWi
zN}%a;9q^*H{n)*Am4I_m?nT;Fc+}Wj?J$+pp+>8V+1NFw-NaE}fqTa5>GjINFP=np
z<cI}mgt&>;9o965MzJINfT2RztHSYWUWxl?CM6fkm^u5K;|!66vv&b;I#IjS<~z6M
z9SB#yo`2&jUklI39#(%l0Wno$EuTcU9|_#;?pDP^e8G}zV2hptp|`?uv6>|X%~Y(b
z?(un`St)__i((?MG!eDC8h;TUckXHM#hC|-sqvm3gKRB&q<ytkA<x_wyGg5G9c^S5
z$%Bgd{Z$s-g_3o>5sx27IE+bmJ7O0AQv)d6O(?RJs7v_1K#emAyvkNPw12h(`NX<I
z^c#ERm+-n3*uhLq=dh>QBIW9guQffWBDjT9V1+A6#QMwzdnrtM7Vba^q?cU<bmnPz
z4LU3)ci|+<N^GEt6zdPHd@g^{xROvdU9?=n+6wmx9byzASfRq4w-T8Xhw;zYRq&8A
z)-tSSCrjpN=fI68D9H&ja<e;a6)(jao(0Aj{L$w5ks56^y;;}4IRul!&9z3lpFygW
zp|Quk2G?xVZ|KLU+NT%$7#pUHo%&m$sT%#P3e0AMB6!-n28cw;m5Nd=-Q90<)i!CC
zHNI+;>mlz3QjVmb(dSmbie5mHp7NqY$n|yIB4_9~SiQmu#p5>Q#a8BolBqmS^#tLi
zENmhFC2L_BxZhF%wlC2fRsIe!a5sDXs8H<4o8vt0_ivP3`do36TB*OW2jf~0ZWTtK
z&aR?HSly{0VxA_TOcI?ql;<)06=2Eg^lAwak_3!QRe8*8s-5m9F=N4EEos_!b~ocL
z8%P>7iJ6vtS*G;AO!2fA(Va1~d^=pfnRVcf!Mm^Pb-(C#=hM!M7KEd68-A&D-GD;=
zUMq<q`&B2joHHq&un>t6`Mdrp9LaroF6}#iTK4Tcc|P6Q1G*!oB?7bgym)c_QHhO9
zVNJ8S-pNeL?t6htU-MUaojxU)p(;4seVQ&-YN{4=!5P>*NLbrehVkXYs*r$8k=v?0
zH~p=maaKj^&}!~?X7^y#q*%nW0{vi<f>a_`V{9?{wX9sb4rO3c3DIc&8y86`^Gs63
zr6d;Zc>vp$)I{%pzPdw`U;!rNOAMf(13*m))(@a2rTo?%mr$RSi*Z5pIhszGa*soA
z5JqpOrQg3Xozj0jIL)P6=paLB_nAP`3L%*^Pi&a8?;LIC(J3_8*d}RBl5Lw%nusNS
zU7jO(Z}laEoiZ5_sibw2Xh@%A&Q2~~At=016-q>q^^sWH)lvD{->ks9o1Dmqj1MMY
zloT(B>b3Q>mV5s|aS7AT^5(Ye#&{4A^uCK$X>jJ+OqtBuw7Fj}SB~u$X>qQ<o>r(F
z#(A3T`#|%ICSfwh{fp~PlHt|<B!qvz^8(*i?xnl6j9Br>WE#-+KkmTCWM<d-U~H|-
zTE)a}Z#@)BR%y{S6-`{YzT3THSUd~aOYb=~_uuPB(`-TZ_j?s64C_y2$?&7;WLj5f
zfohvL&@D1=DSSxTMNY<I=Kk;nI`T=gH!~o33~6+%R+n3%MLBW>GRlmP!tW+M+)<I1
z9tI#qqVq4%U9`Jl3G+WCGKTu~@(+gUte#H#Ivxjd=2IK}peY@~D~=|`^LA7H-trUy
zWyr>LW9LdMA2*k}b#vJ_DGeyaY%dfvF)+m_aSwz{K<Es}A3&I_q|ZgpRoIX}-ubWY
zll%trQs9I=mI?q$M?%xtq%=t0;+@kkMXGUTo{Ms`191qN!~Von#`0Wd+ynJ*wi!xD
z*Iu8{Tn{lgk-|hy058dP9uQlqaw5<1K}6m&Ga+y_2htH4K)SNL^~_F!Fp~CGY*!)v
zbZW!^KBngVuY<Vy>5LgTuhW=2@^uhfqFfL+BDD#025{@`@;UPrZtqWgp=v9MY(!Bl
z#P8G2cXZy5Af9?POM2x+MEr`<#|oFIclA)Qt74eX{E+jm-jKy?Sov+Mi)f`!_Y1Gl
zDf9iA-piwLXn|sy029eQ|LCL$cZfYsO_$r?KeMI$UqD|@?QANxo*(3osqFrS>X0b;
zj649*T3tSMpW^$ATklCEkS~QV>rLFLIs*{ZQTg5jEbtg8pR|!KXl2Y_UX%hPUMICC
z1y9QtAqm8yeJ@$G#@wmGYivO#eP}tc+XuFr7yRyGzwI+5w6sP$tgyNjKYlIcPf>8*
z=n<6nM}l8fn*u`xIg|=EeN(cz2Z{^K<$K<$=HWktd>5~2aB6y`O(q1P<dk^zS4uWA
zPpE<GsG`cyOhe9Im`-FDo?x?S>f$<`qKg+QC%D3%hk;E|@_HAal-k%7h(x=>tS%KJ
zt=JeXjJggB?eeTodn0I-&HJG9wygvuV~(h30O`~o14DvM(l!U>WnIw~ur38-_Ff}{
zZayA*DD;81C92ITlOZQ)9*N<Z;AKmk?=%p&l;4;d@l#>7_YTA9huFbixE~M5v>s^{
z)@NI4Al;L(<xR!-6|l3%nI>Ls6eN@PDNt+$p5r)EqPL9mBBs?U1oCfQ(aM3~X&thj
z8WV&op9OD{PZ|siM1{ff{N=QSY{r%wQH?4drrHze$5Fbgl2vK~g3C|bMgPKTaaVqR
z8S`RiWKG|&hdQ1J-I67=v3uik4#>SNB&>SF3S|6@XWw4vq|K{Vnu(QDKs3?3dvcSH
zZH@TwR1aUP_<1D#7h*fkDThi?9az;~_hL4NCKO(%!y>_J>UE0!E_yB@PeaayejpE6
zkGiFOh(xx{*QIBtTB=CW0Tp7?`#_mdqWu3Hulw`|D=(;Czm27<9k@M@Y=ZG#5bKRn
zoZ-?EAQBdZURh9fB}l&mBfvc(cJ>l?($MsBq-bZlN9iw>P<AzIEB-zC^DWO@8NsJo
z`u3IXS(QvoIw=61e$w}}&6K-_p5x3GXXGXgM<{DPE4K8Gc^4h7P2F^F>B9(AG;CpQ
zu`6A0O34oix1~IJQK(#l3_ASyx;qXM#>?DxHjKpZME_58<;a}tOXi`4*`@H>PsSE?
z53EEZHC+&)#CeM!|N27Pmq^L=znP(s=d~zu(*96|5C#6~U1GJDGK~W)w&$Ii`9(W#
z4bsg=ML{o#8^`o)&F~OA)G>v?#rcMK<t0<6TJdX<!=)8&lcmgpI(P8#Gr{$K(WFkz
zkJXM$=ZyUcqlxaZzdhA#<W+p#3VQTp$=8h$?)Ex}9EM$hG&}0Z6cXL%X1DO2uRc6f
zD+rC^DiBp4t{+T4yno@?Yj?(2xqIiBskTA{%*+w9kmD_4l?A}d(s&9iX<d2k&)K>|
z&51i%T^}0s!-pNv2@#5~HE^0Jc2lzR(8R%21Kn+w(9);@6h?|Jl_4Ju$*bJIHR)T}
zhn|BoLSoqDm*IXJv<Zda4|-;COA^_>?$`EFEb1@u``RQ?EDM+5)xl-Q<9rXVTdqF|
z4DH2iGqIU(g6X;@OH_wxOm$u?)IZKi5ys2#PDtbpbSFLz=RW^}w`UKckP`;B8xL&)
zR6(he_73r(C>J(2YA<7IZT3(ObO&ovURu`%eo|GgUcbEG7gx*5aXqQY*vZ0INEjIQ
z^@X9w#QzFjz#(l{oPAE&7u4+rvg0t9cH@}NA#r+ILJs$hQ%wd{HS0WF0-j1?a6hIM
zpf}b@jsbQJ-vyt&p&kVF@o9f7N!-O{%{7ltdku6`Rfb;uDaFjSH4(Z6%y)7kov?-@
z*rNsF)~E8Xc+yAvE=?k(?YX5FSmp)8;&xH~JzGFE^8Uqbl>#g}L5h{iV;c*r?q81Z
zQ+8Pa1LdL0AV!<UlThgcjW?Sh_Bz^&5|UW`W06z*$yTImF&KcEZ~9*iXf;y=eU)Z`
zS?el<;XXjOZEw>2U`2j_t7-ly?=a{uIw{oSiiVqRk9?7zhyqcTQSU=s9J~;Xd54#(
ztpA14G&V!$Fbn%>6_s@xDF~&pfj6l($?g64)zeI|tIX?1q0H@v$#MQUe(4ldWHA{9
z#W2#qG0x>0d^kYjQ%8VqI5rfKMGCaQ(z+se%b|x!lQlr*wu_~lJi`7*Q{$op>7nMp
z)^Iba4MRML$Ct(IcNK#9iW?P%ka#RHFVR3jw^T-s5Nd;C{YuBBEOu;~ElPcN(os$a
zT6leN5Ump@4sPvL-X47ydrvLUtD~<(6CNg`<x)SKm47&oP<3r5mu9X3=flKbsf!i&
z4%!hUL>I2Vs34+Mt)mlboq-d|dC*wT+39ijm=`DiUcD&%{`%L)>E7J=$1kVC76PA~
ziHe*}sEkl93)_fDUkW5BvdP529=M4BgYb>7Nv$i+pj9FFq-Q<1GF~`+-3(bZPAp@t
zEEP}VVCQL@pr^!^ij&GT0m5$EStRz7V>W<D;klestft_+!eAbGhZ^AOPR6XM>*KbZ
z@-UAnc1cJeDyGAzoKkX5T=CYZ<h2gyp|$RMdgh3R*c_$*$XBHhn9j1JQwDkcXC`0!
zHSZ0$u9+#M4jauLh{*aWYU)lBpDq><*ErP5ESj~EyZWfMvXP-To}({JOVF4B^s(WY
zF$%Q&7(-ZH4T58ON5pQTGt@rDH1v140u;hG6D8Tazz$hYC`5Hhz4PxQnJL3td=gjm
zB`<I@ZB_J*2ooXa+6+@QxW_q}&7eaDObi*9t4B+hOCF)#{uu@W=hToOqhBmIBzG~i
zu3!`0<h|{z>U-~R7^;_60j%Y!=E<hRpmXutT_9TtB>TzAv@m`;{$<ZNI5&2RhdI2>
z8rI0LQxQt{V7lcL4c6aO0s{8BpfN$?fBoEM%`MqfV%Lb^v3JYtW8vzpif>q|Y5+Am
zG{NY48v`*fg-K|a!yU04=$AuiTcm4K#3quwI!jXT*AVs!abvEz++w@ir4Spl%pzN+
zpd@p1Hp@eFwbZgUTHwNyCh~Q=lnjP|4Ltto!T@|scW4GM_PMI<1l+V&W_|e}Tc>l&
zb(3~h2&-d}pRQ;($y3UWv|@C@vo6?BN#Fk$YXvNt$d^tULjDfurFM&I|7TwM^fyv0
zj*UhVtfUTBNlJFCUvdd?6Y1Ih^fY3sv$N7ngH{dKKA~xcqh$n4=8^@XGJtWteUS+K
z6%l&++ujnHo&)9_ODjdhl4;n+A{3IAL&-v~yUPzYV*N)Fv1;$UNWeB7wawNj>>wO6
zDa@KCWnyfZr3M<#o~;{Z!1<Oce8iWB9`WbB&F{k`L+Tg)n17dY;_Nqz08FbW4S{Kl
zUFA-sO<}1|?R=J!<m!lj&lPUj7oB{ZSX(TyPy3CS?E~)o*dP~S|Hs$2&P>_yyj3Gt
z+WsmD)hn~l+f=xgn@`b!LGmkytrBI>Rw6LeV*h1Xv)WVTXv;UN`W?Wag#kwSA%#bD
z<^kWzkZ%Sjbg=>xZnptKt4A;|Uc77z^ozfPQ<0#5t`+>u(q))@bKa<k1Cv2mlx%Z#
zS&Sbl`QP_4EHJ4CBwXnpZgycaD{&Ic<TtgXca?g2Q_JuE8R7Q^IWKWlPOCs!iAlY!
zynt_+MsWzknZ3IE2W`|(0VR|{^Jw;r=GV&<Qn6bzX65%<ix_n79c<!$3=u5~VL+OP
zzDMy#9zh);h@vqEU~C43s?)r%if6Qdp&l*C?zJA?z!c@tF~)Jkz!z&GDVGI0tDY|J
zk{$g<d<`9wsJn=>5I)_)f2%1F0|jPH0UW1IY*5jYVPzn$%1L$+hn{mBAy)$ZnUByO
zU(P*=3F7!%ZMS_&Eu6z@|LR9y-+cde{XTgy#clHqKdpc4W8Bty?{(bBZI`a+{FQCV
zXC+7+XwN!joI{kOr^0nUVyVD0-+-%sde8+y1;<x(dV>{boK*Q{pp!L~7_lW(gj@2S
zO8`=Y6jdC;<J@f80z{^+zPo9(sx)a+Wt?U0DI=O=Y8Ctja4)v&fYh>SuL6pJw`GP;
zYCpKSBJusK^~gUw3v1)EJ}@^=K=36~q%Lb+-de=NUq?o@^0v_k>v2o|)-OY4J;jAx
zj(W9F?RUTVYx1$g0`s4O!V+1_7^Gm%)VR0rE@=<O@FQ+eq0Ef!uf4&915yQgWb1xR
zUVu6}f2GIo+=48aV6<i=#8Z3q97mG2??QgAQtSJw$nucgkyp+K0ojwAaUCZ00Lfz{
zoLFHJxLlb@J)`(42}@~Xc?+%qjb}}mRO~U-03>oog>0+97oH;C)2rv_Zrwl?16~DZ
zwRS(IW9i-xFO%2pnD*ytB4wTLE6p9@Mg;<W)|!W+cL4I&5<FdgkkJN_1GKJIZ44Mu
z1Bqj|VUN0NnIDMfso(ia-RNuKeKhcF(%y4}vA~%)^5cr~#uA_#8KA(b+wWkK*kIba
zl5b%-!L$*qGeoD&Sthc+%0mqc6c5||HqF*iVSBlw&xHyz@5uay3i^G~Y|eD!S(1~e
z_m5tKmAwf#0@%$<bpC}k=iP)x)Rbk;{GY=ZcAKqF-11tJNPEEmYHzn0mC?ObSSh_R
z1BjofX#-Ix9mAl#Fx_f5zWTR1a{&_{Qn8uHpsxlRfT-qpvx$sO6}=dFWOxbRTIjUc
zsQ6wIwmBbQh0J@;z)MpT&_6|EuYV<w2J^f$G_fHDgYiaFYe2{T9`BYF9pxYsU!Ux<
zpIXHpjfZgdEtjxhJ73*JI>?s{*+^=_BzbYvO<Yr1Lhd;(A%3Q%6H8uFLz%{b-P;g}
zcf8Cn#B!L3t5y!$>F=Pj^b2a%XS|hhvU;m`e1Y8%@K~kg(4(~8^AfU|-%8<v@k63B
zz)3n7YO6c#(W`jb_G_I}@{j~U>CTTRCaU28<2AMbvj<1Be<=fMe94i0j|oO}nqG~$
ze|EkyDo=kY2v@AqeIVywX+O?&&-O!kTM%dco+Zm&M3i!Ov6{!j@mp=0dkEyz0%C-A
zW_B8MIu5Mm;_*=xk%!p}>sfyDr#8U8x|7kO$5Yv`ui^%6lQ%xsdLT5qYik35=9a90
zmm#Dyz$}iLb@Nv-SYzr=4w_A)lWbOrP$8tHXt1VhS+mi6;FA|0uOi7}zN?~heQ_d)
zzO20_*>EejZCL0OiB544@H8tn48!K7W(}MG^u2ffac()*7IBESK+7?_0|x~OHK4xo
z3}BcL%&~!i*y}*9VqIGE=AjRIq@a0U2)0rIJ8rr`XEz8Yhk%T}e+-;c!;p>#c`~xM
zKfX?RUdhQ~enoKkQS7|`q8w;hi(YQp+{QFs1qqTy5TsZedt7iI?|CpxANSh2Dv1z@
z-3R{5d(aRqIM{!EJ}!dGetfz7h;>2k3HIyCk;FV(;VGiFTZ;tAqWWX{sN!v(?BS5c
z^ykGqcz60+|ARe~wvHJBSnxcU>ZC0c@Ok`4-%sAcIPAB;uTKbKoNoV*1+8+evc-g`
zOKW((<01y6@)=<dAMza#6H?4eQ|GKsG2n}#n>y5qi^}{_byue8`sy@ytFHQX9IFg#
z9WXNnJT`YO&^)^o3Q(+J4*GrV&((amo%W;VrvgcAzTMk;+B{gfhCNjVg~_}frH@gN
zx7H){9~RM4UQz+>FR9NwfD6bIO^I6V3$PegOhb(iDrI(J0OOy3()k=UWF5#X3&oN>
z;$8&8%3F@n9esGP^4vI>W)Ch28IhlC&Y~k67v2WY>AUY=aTk6|VfZOsf#&pCG!Mg)
zeCwV?eYQ~RfK1lOY-aSD-vG&wJm6rWhsfK)$;@v_l5*-`BWv3-qKjBM|85#2?$rqY
z=Pay9@nW*)%tcb1(`7n4B2{#*NJM%9_M+7nQrXwuzt%d=SWZ8e!^B!5^M|41Bt}aO
z^_lVLDMdZO;@^54!0{{5C7dJa6dX%Vi0RKF6FL7T#ttEEK#cj$XD-<&t+_@@YXl)(
zK>Q2R(Un5<u0lml#<<4t3ZbN3XP3(Zy(r?V8C9q&U!P!9Q`Yu~_{TF1K!aN*(teFH
zUf`U~t;Sif>1Vg_DcX9#A&i&_9zx4%nwKp9SdO;^l~9bK3tuJ8V%`2s<EkI%Cibu?
z)W`ybj%O9pwk38nCabS9?Veg!#o-+Df(0q>oU~TGdj-^a-PM6&BW%A@JM=R^P$0cV
z{syBJ(fsU5YPlC7RU@R#v@6CySPF#~9#$+$m0{%F7FYQ4ALnQFnkL!D%N1@^o~vR<
zho?^7p}KzdozJ-hD{68_q!^3nSwkBU?zG)<xYicvj8=qF1$o(_lkyJZ(9xa%r$I6p
zvpJ1y$Zt82L-oF^B&?pt{TDmMxS0u6@?G8s$rXTHQU8hbPHjHZDs(@qCdx>RSh%Jk
z^ea$|n0!t$_+jxV7sfRmfLI1yJ6V~kcRz86Kef9s4lhfY=F9tYNB=FG!#2Bd^~eu`
za2w>T5c4JOiX+Pt?H4=9e~0!Ui&Qut4sQILJM<ip%(|{XN-^eT|2fkg*)`{{PQFOV
z-Q(W=BrnSOurdKc#YqXEFmMb4!c+BEg~QPdOdOjOn7o6A-2kiJ0U&$qxCRQf#NUJ1
zx-TStSpd<WdWUC9vAWD}aL|IXsV-J<AnAd-a9Vfu48b9NUm7Uh=W86g8Z_ysg@pY~
zf_qC_c<0y666f)RUjy&9yHyP@V8LVRt<k&%lQ0RNl=9ExI#Wlk48o~f070K7Z`E{m
z=)>c5sZazXbd8W_i;b^$z`1|UIOyZXvzu(HcLP(KV8}m$P0S=NDZ9Y?bNUKjtZRHh
zE<$7nj^NMc5c84772iN)jJ{VL$QbvC+z!FYSxSV(bPMU3u|fg4TF#zz()?G@lV5b3
za+M9Zmn~CCz~;1<O82ck*2TxXiqM(uj^<T|nG&kxs-Ko^qp4Dj=ep$b8>d|qElWe!
z;KbN8a<HPSx-Vmk1FKtRJ_r{f&KGBY+edS(GzT$ul;*zU*H?mCO!69-;tf7lAdStn
z@%F#PAT#mclWT`_JpS+{XMaYt^Ut}kSBy4xSFfG1LJ1wQ(&a03JTXPF!i$_1j)c?A
zF!h(W#pl1*^s;9PbiNjRZK1HUd&Pl~9c_6Xsn5%%*5YmhDy7$*aDf}1)O>jhUmVF?
zz14tKF9oQ7$vyVW^+<6eW`D@uO)0D{>ZSDX{LX#G<wds@=4p6;%4tH!q8yztM1|G0
zrmhm5sn<7-Ns``h`3lxXC9Ws^X{+0b!KD*#>%WUWAid*G5QFE1U04yhqRei(ExJ+U
zo8zkdmyAW$ZRbmY#->DrWj$V0WON~mjspS157ZuJ7PyMRIJw}r_2F$^K~15~_WWB@
zDWv@PUhIBXdS%!+K#S?@Z5sNt$1(siAxG6SK!?Ge3e=qlHE5GJ-&F`)4z2dR(B5iY
ze{qv>Z(JDC8R?xK6Vt!Q%&yfd>@ueQc_%GA34h!4Y>kXiGAgBAaO*bK^Hzg2_84Z~
zlU;cxp|%zAqv%+8d`j*yhl?Op5m~O0lMUTT<dPh3W`)F|=6$=WNL)DkZV-~DkNG4w
z6$h*eyBc!zH7zVFE^Mi=tPXyM&W2S9>gQI|qlj^(N-r3#`>Aw2NnO>rEFUK0RuYT5
zj<voMm>X3ux2#xtm<*~`hwQh!K&PcFJ*0sj$~Pxt`Z3w$j-c3)R-Eyg!{pTyyh2cX
zc>K|*r5YBOss~XJ3>9Y|&z<$Fv#NO})<4!`TFsqVt1i70_9zd74t0qG(3ZF-C$$su
zmaJr>R}~}`70#AXxNj7ts!{|hr!^{Mg#GN2aGQAtq}nEVk2{g3qT*DS9L?p&OZ5yB
zy6nzkaMA-Z-k3F^>S5}CjQ$vaAhRoNvbeKkHeX3k?-a+bcV&{dY@x>wyZY+UwB`<P
z%LduixO1IFPTseSpEbjIV#Hf*E;-)feWL~jH?E{td(+g4jRN)|aKUwAG}avevf`+E
zs;gLg{CQtBRUKkmLx6%I)Atex>49~SY6zGHoulYZ^^KWV4$gn8n}bTBDU2f}wj>hR
zy%Pkua}kZl3KA$6&}Z;aWoWcCo%&|ZZ8-Y`g1c~v#A886*(QreeBl#bgX@D`Z|7F%
zLI90ul~P0>uXmmw>#H7NJ)XO|0h0eLSR?g2)vOC;5RGQ(F#x0lZ(2QZ#U_p=4=5e=
zZKp!oDwaSUXw6;nwqp)3D1b(K@c|1FC%CnPeNBkHI7-M$>ebpD8zaT8N!b)i=;<Rc
z&$|Ev#QWGJ#NmZ@m@{8s3;(#TU{2`#FIH=*-0E^!5IT4F6sv6;8%}o~;8sj?#ZKe=
zOO!jB>f}I2wAvGYI!uyV3q;1_51rA;>lCswm{OfKeL-6~sdSnqp=24@NH+l6IH2~-
z-8B}`kI#PrvVN5`SbaFmG2%JZnfRQJE2eBX=pp(Z9{oT#=dwB9;284$3~Rqd%o$_H
z%g980<)(?fVfFiu_FtlfSfm6ZT_E^3=jcN@vC`hT*XZ>{o`-gk_d&~e;Z#tL22Ogc
z#n+Wg(&-zi%f?vXk?eqH$k3+Zxj_OtJQY_)+4K}4o0wc0UtLWYGx+A$6SZ#E0Jx>u
zA1C4<T!rZ6xvgTz`*2wOHA~s~nVOIP8p!9BUw{<0$MB`@d1t%|*35JyybBC~t|5!L
zugc@o8S6HuYq(-4Q3w0sk4fa(_VDddj5<{8*rvb($HLy)%-J(*(TOO;NKDQn$$lBW
zhuJ@n)NvhoLEf8sZ}~qQ*V}Hot%UBnI^ApY?~RBl2Ds@T!la_tdmsOZE#mRzHHxCb
zMD*1HNHjG`6=ad|$*;}|)D`#mXjVk;sYR%dm_m7J=q&yt$AM#@sP@G({d3l)1zqsl
z%s}GW%xqNbSB6}8(Nv0azJbgWhDHf+c5C&HBCKfC(BE?+%5Fzu^y2+}flotVd$dI}
zi8FH9%=u<;uKbvIwp6&x3(NR!T{3W8378_A;Di~M0;aE0ZY+8506{>$zq1!c4x4#^
z0IhwAF?a#8F~3_9-?~zMa(njYnsnlLx-3qKr~)Ac$BkLQd2QdPNrY=9?42oJ(kDFl
z1p*66uXLo;4dW9UlQ3D&8U80<2iVe_NDXl~C!<zcD3o=|ScY~aesr@O!t|&+1HQd^
z?DZ7(C}9)3>D)hUb`z&V8xmPr_Kc!Z5KZJ$YQsvwJdVyL8XEN0;QxN1*Lfd^$U9@e
z(-Nr5Y~Le4=S(u{>TDu7=ik!iMhDI>e934dvXms56u-2b9Ef8eDGotMp-MgUCP~Vk
zJ9jjv<|!dws=K-+*@A38;7W^`fX^Itfwl>epE~#CMMRiCuh<a^P-=d!3fw-7W!luh
z7yo}C`2p7orYMu7FvGDs#z9@#*VP&?$iF;rT?WZ}qN*_%lJ{-${%7k@2!XoMRv`Zt
z?>)BQ293C_a(uU?q*Fyu#QMyE?7Qs3asf3Q%wn<gCR6GYkV&xN`~oZcM+o+HK(ec{
z3RWg&etixD5gZiYpA(rNA~U*hMXxSbu@#D-KepOM#T$T#f-kWLo_7+Fu!wup4?SZR
zQ&xX)81?$oaN!uyYk%frQkh_NP?YX_mme>8+0zm-(?5n%UA~Hx<oo~*#~V(u^tG+M
zd1n7(p&AoHx-<1*jxX3+tOL)(QpiSL-l<vs8MyBPY3WECvaX!LuX{lYc%g7SZCov5
zZ$yL%;SWU1Pl7Pa=3Yu^(pWk7RW|ciV@Sz0T-ZyLJgxbC?{as|fQamiP574=Z>CMw
zz8QkrEA)3Lds<SR3ik-$%?7@lPpJNJYCNF|-WmOCZjHwlz|RS{55-%(8AOMfFoKO|
z4_!tiwD2C6D{*O0Fks@(1u|CYx$rWSJ7bq2junH#;aHW=y!d$RSagb!Ei+zP!SQ6~
z7d8fxOTx;?t%lKDLkONeH_3}*R;g$Yf3iX93x>l6S!qo4u(!o9a)#OJjn^TI%8lj(
zTrVtY#u3@j4HyeqLJhX+fi_G^1aIv65wW@M;r@2@LWg%VF`MkpFT7;RR-IEwPaZ;5
z>lnq4_#^hQH}=y)!Fw4d=AY;)(Jx{`w+th5Db$5y7yFa-CMalSY$;^y&+@=<Y4d4~
z?@f|P<36cAxne7;<Yl-vWBw=mMQlLtm@k568pl(}jL57WU|8_8tjq9+D@|+s3K(>d
zXX+i}1L|`Ecx22<_97c^ldtA8>d9Z$`D~8FGdsAZfdcW$>4PXJH*RYIhU<^ySPhB2
zL^6=3+2mEapg6Wbug9#E1Dtgp6^iN9_1bmeWKL5W?(IHY@~nYPXtdTw@qmVKg_pV%
zR9Z44b&DM%84r*}LlAe%`zi0%>D2T;Lw#=5VS>T6ewT{D#-dHcwQG^<pBghwBY~vu
zJx!T;vC9sWRV#6r(1Q1M880@buRP4ZroBc)Dyo~e!zU3!9FV48hw!y_GkQ3Y{iC!6
zEWnVN=l0U*y^yU)&Pk9aIcd7@Q9U0PGyBfp-ocR#!h)z8=FtN{lh9Vb*?c%(4hxc|
zf%=~%>iw~UEeT>`T~XAqi&%!Q3Gv%Y9F8%f(3{t_J&LT1infSj4K~5ffQz^0zs<(J
z$RayB^fKEVXeiqp>zYoNc|=LqrS53d1s3gO0uqX%uREnG*}=!D%R%+slVAk%9-}7b
zHO-7f^`w@boMYBRZK>++DO%}fcuG)&BdiME`X_fZ(ZgWx`fEW6hH$^<qsqQxTxc8?
zqf$&E=JKb1Gcjn3sxV7n3$N7aR?B7!+@0Rx#uOc!v$+ayfNQpnfwU2X&05e=hrub4
zgUJoj00SJHFme@ekyoe$M?5r{b@3BNvT%_aLj}S%wjtMRLpqtiLt`?2*L)1^hl@;R
zMxzP2w-CHnCM@VA?@ndZzvtxihr+VO+EJGuxaJ<WdD4|VdVsw84U-=P+tWKo8z?xq
z5dwja0L<Bk6|ux{K$CB>gX-QWk(Vc9bcD?a8j4j~&@OX!IiNGAIk5L8s+{dJz)C<_
z6xl9L4mHSsaIX5bl4FELFMY~jvR65YzJ{3S_i|-+WzX#?Ln}+2bj>2pdCw=>Ibugd
zCLG|;oT}22ZjLE9U+mNOO|<&kO_FFAUq`1=ztf8m`KeTa>*6Ea_j*+Tt(ldoa%CCs
zrci(da=Br${RZ&%qn-n6Bp4w+EV6B7nhMP*a+|!$H0=pf{7L0A5i`P!5^=`((hNn&
zZ=kIMZe`4I%QO0dSWy5eKEE9F`$5HqpQg1)rbJc#+hz&gJ}&h^s|Wp)3LI6Tu|7A?
zg_w%7EG|GFi-nR)w(^~S9?HCoz!qx!Od`=xAQUNzzG0M-z6tSZQXy=#lpfwH;jnu6
zrCD*D@B1ODvr}_RSm$`QzUAQl)2hDQR}l~(9yD;6Cno*ks`yT;2RBqVwI)_pOs_iG
z-n!aTSdnrgS)(T=4{FPY%W1fF7_^fCQbo;AI>bX=GpN6BLVUjB0?6+mz}zDf%pq^Q
zjDiA_^S>eo@I!nv3El#?h*VQu!Ft{g$;axNNPbb|lCN0#8qWPO{)s@3_sWQOtzsZP
z;@Lkt483@%QDs!m-DR@9V>II#W@6rf(9^BkLPcwKBD_dwA`2pkgx70Gm_V_bJ_bip
zJzgT{nk`ftoVD{DQaWfWImkq!djLHzKD^?3GILFDj@8Hq?Lnn_y<o58x3P=q`QyHH
z`wF5Qu@8&mk0oOL`Fgybz8Q9s%8s&3X5I%dO_MIT+~o3tW+u#ltWzqRn9wqk-7Rj3
zt^NIv=nQbD=!e|3speYkv<9;|b!SG^K!eqBs88koeoVv;Q@>;;Ki4F%&avrw&43=X
zRF`m`khYOQ+*0U~Ht<=WRJX3@kL>D|rT{L@v8Xgvg6sx8yt+7I*aTR3w`t@;-q_X^
z=!@5L&`*TB#k)SvDdY<uc*7|Wq^j#CvIb0GgRl&srSy$pqnw9bn|;!N`zj1;i<@XP
zo8nzCE1I$oYrH}Vf}^eXL+ye~vCO~tl~-z!7+Phm#SK}lk{Wsdx!OjOgn`GKLZl~{
zCUe}e`fqGrTglw^gG!gj_V?yBk(rgJTt$5Nf~2Yp7?KRAh=D?whoh;_<sR$6w}>iC
zW)S=DQ7wQ#*bziq9*KM+U{QDtY`CUWMP{!;^h~hGtQ<)ADV_QK?deOl9Fazz@<DgY
zz@xJNbf8}!#r{wPv^;v%v$+NYb$Iur19V0ps59M3i-~{4<nNr6DwFODDyW(~AX~Fj
zd^IN5T`BiZcY$9SX1pm^I2sW#!x=bJJ;#S6P0ajTU>m!WDiTGreO+5?tp2pGvJNV)
z+2KdOeg}wD%gr@k4{z99o7|6O&{nCP(dpXA!x)XT6ydF&EifAB21o{964de^JdS_}
zC^WJd6k1*?RZvir2d19$=1Dt7h~D53&VDQu-fA`w&N*gPG)l(RWlJynycf)E;x{W`
z%>~}}a2}S|I7CkS-P|sHIkNDav877ErjyLbza44W6%WunCJt2c2FwEjWL59w-Q<`~
z>gljyVTB4PDY#pfBv|BLR7NngRjoUM;Tx?Pe??hjQYF#Z7|Z8bI)s}I=1bVH@e~+u
zMQZTu$8nB=`$csEYTp~k@1lsnWpewV?I+l=v_eMZXUF$iWt>oa%z!XLz@HrPBxs0X
zi&EDv<3(1pQT_=LAyb_GPrBOFv8tL^#T1_YkDdZXk_EGIP6Ef3NYOHqpUPhL(?A8o
zyJ`LCMEqV}@L@0)5)a(7{bJ%cRCJUK=C}nZqt-KQnbQO50tdaNxOJj~odB|!7-lPt
zbA_N!7>LJZQ<%HEDa{xRCHJ3NeR~kk4(>(;)fh?s0^}Q@UEF!1iTNO98MymOBk;-p
z#t;$OVWl^HujOP2*=v8fyO;xt%gwfRG<kyUjV><iH?UMp>5jJA6);oJLGR2QBAPtR
zvxg#CH>FyjAH)p#L7_N>T%Im|nE=Q}33v1(+M8Z`PxI|K(#He)u~4w4jkG}m@u^X!
zMCCh1US*VGK_0tn6Mp2B>DZC2O(S%a6#Sztx9t-^u0J&6lDj<*sTmo>emDrtGqkB^
z_Hy+8$I3lrg?eUK_rgoSu49qWtlVF9b`63)1x+1=f9nNuh!K7zf;Ttx&MnLHf#Lyi
zuYMxyYF+7q;?MCN_pjpl(AP;z>tc?zvwf4wRd+{JuGKqWI%wNE${T#fr4(^?<#2(9
ziim1qI@Hc8FW}GK)`^J<HiQK5%l=sq57jHHjd?a#06T&WaI$Nab2zxhT3o$ex*q_S
zCqWs#qu@rr!Zd5HkoR~)6>pp6DtYXMgVr|WmJ<K6pMJ@8{0-Zi$R%eA(n;`zutc<<
zgVpXP$F;&IG3xGK&{RKui6T)Dyge5a1E2~G^Vz%5&F(wEmNagD{H=6rNkai?d#Go3
znflC`L{uJ?2`E_58=%#mEZ76!3G}>asO?$qzm*DmDzr*)daAyH(d&epB7=<RZv}q2
zhc)s;5iyn|Mfo5Ifg0#hoamYL<BCe!Dcv3~XA#iw@D3r}-c_LU(xq#0=_^;DijZ<r
z4SGy1&j7t_%r~B2%qP#qthw%uAv)@ORAT(f(kbW4K(0q=!(Ja<U)@yJAOig1?m$)!
z`k5s?2aQ`py<qj9#c+V8!bHxfTVO|GJ0~NZ;a()=LY+^rTRCu5*y16`A>QqeDv$m<
zFzdgwF$2sd6{<mQx}-^ZD9<q$z@rfS3W*-T1pXziH-I5%$lr*$eeg=v>OJ1-GCm^@
z{=X|4pq?Iwey|KV^3Ei=wi9W#bVyoqkGobEpHzElKj+D3QIITq(@7eFyc*`b_>Zl;
zO_XWjBnjWF@L479XJ;%>^P7|w+r7r#@JZInx9ujE`oO~?GE}ob=6N-ogdm8xYEy;}
zdWCG9;m4OJ+OQatM6t-rOl_S|Z(yn>eZGR_##;$R@(gV~kyn0fxgUieQA;usf8Ac;
zRDJgLV^uaX^9;ns%s}>q05IE;xx!io{0@vQx_g1cmR9SO3f4+h^2@W*{I1%a9DUYw
zh_K5nX`mu*7>XSP8;3Y=*l4Cg#Dj)toMU9!5U&k+mp@HPS+G^Ew3-qI#>5!XIXp+R
z{A}|CKN`w-CF<AE8;F0`T1b0VGX6iXSK~5Q6X>+bZPd}kH`FTo>cA5LDm52^YlbAV
zVY3%*jjSJbA=2qe31LzMgq}_KOY$Ck+|V3aOsa~vxVfqGx?Mcz`SUp-RwEC|nTI&;
z!W4QJ2P8%jJd*t10+c>fZO4wkc_&!(VB6d04-amX(OcgtA@HAL4?)W=*j3B^L~9)9
z$^tg|ptkpDm`4dr?LY9@NcQ}4!1FgCUAza*$fzgAZ({Cf3q|KI{P;1;>md?Cg;T1T
z-I8yL8vV2a4E*tf0hE@(?qUEvicf6i$&-O@giwCt&9(DMkZx++*6OZSFN^N{B9)90
zFZ+NOOSKEj(o(phZi*FvCzKX|aF?U2Za3f&e;;7)T|4SQYs)c@VfRq%53PDBDHxoN
zK3PmQVl`&Ta1$rUgyU8kO995tID2)s!fJ{vK*X2OV1z4(A^Dgi>^267*mlsCu7b>A
zN29d;^663{Em=L+UU>YhilN#-U_bjSm1M2_A@a*qr;(1G$-IM2qf18<v1%}VRls`{
z?RBEvgL*XCyv1roq9$H}Cq&HK(Tk3!yZTn{Ph(9QOZ-`Dy%X00z=icNYal7#aOHp?
zsCFehs@LIdYGy3&;iY<4`f9|ZnQ$>8YQp^Tey0WFmhbx%1{~YWK*Pvw&iI;7UfAa|
zEhB*g6DeN5hT+i-`uE)r!42{SxKcX}MZ}jo>S*XREj3RKF1S<@7=-4+9VV>f!s(v;
zuA800=cPemRMN{3;jO1A81<sLSv-?thynUv_82{R$bfL&q3*Y5OILrR)0o7Bs$^Fn
zlj0NvPXx=C7#W2H1zv!{iVXX#Ugn;F-FYV|3q;py?F!a7YP4<G_Cn*rq4QSI!cY<?
z&xd=%e{OA8CE^D=3$%)fmqqhX@5V#%ANE{V>-rvww<>cLVu>ColQ>ATClcph5Pxeq
z1#>>Pa6z6}bw*FF+fiMY{@p6zp5J6lNO8;Fi^P+Fi#C9lui9AwAw8HErPq%Eh8S89
z=oKuZlFQSZ%9fKwwsSG;BJy7J)#bUKR|>>SZ~3-3=8`@GTSe97tWjizSTk4Q`|7`;
z1%w{#pPYhB9~7ft6xudKq3PeRJ-Sas>gK+bC$M|c<P)ubf!)SQjm4CRzO8KTVrpYU
zhZzZdlT1P$3wp^kv4E>-4~_{`VZ9?)@f))5@8EZz93axouyS1I0OhgcAeT-svvI+b
z5xW?5J(i|-f$QZezDtb!Uca6w;z4fn=r&dn4Sy9d9-(OvyUe5Xdpr^6@^mR%|CbZM
z`7-4x@`A#(x^rj-4fa{?pak-vmli_mG1G{4O6g6cSzTg5A<!1);NFJm{wRh8N?;re
zq9}!&4*@x@*Xi9=<7ubeF}zX?a5`c#!B;9tbJgTJn6`=bxv23zi~-@zh!Q4~C1n{y
zyi_J55G69V$Fc>XrSJSYK77I74DMp@fxUV5;V;e#K~ae-cdo%6&oJ-HWUPa@>fj50
zB8>-@VqJvAL-F^hGMg~TN-`CKHPiI)<tNt|zsQS4U1Aw`)rDEYa(@w$d3sD_9RhsK
z#5g9_=c=qKfGiO9Yc5qD<$uOjtj~j4Q+Bo0V5YJB;Jx8@aQW_CExj&ovaA!jUKwsD
zgJmw}X5so~wv^`<QOVu#3xbz9POvyc%5|lj4u&bP@GqkmD~YylEanU)_AW;21eI5N
zpMmbZI7<X~J&qwy0aXf}FL&$>(x^kuinDtDvk$5gxSGAR!Ol$_cO3ZGj0yl*&R%rM
zSynO_#U@x5L+Z=@H}++RNs+2B?x5sW=o+XG*UVqt24Uj@S35M+HK-~juH!KbNeG}c
zaJW`)#g*EvUbo)elARGwL0++XBSsj<Mua?YxK@$0iSc8KdD$pEuN15D(iKq|>rOoB
z<>?KRs<Nm!8WE>-Gvv8oa#i;y4wM?5zjBHxE)`RDAbcCY5M(FYebP1DizZyoBD#Ot
z7zqw<tX==K(#d|1PZ+O-^nS70m!%*)+VFF2R}0e(cEJPev$DJhW~O6NU?CfA!il8c
zk*D&1HjO)hx}x^aMrR>;!3IItMhu*rtBCjMd5`lxpAw=`B#Zp?lUi~@e!R|%jUp0-
z7`ETVJs<l!ZTUa$DQwbh$&ANh;4iZ~cc4LccgLT%WxK<qF%h<lVo3$TB|vwMMj{$-
z%wRyTxyxDZ^*e25$5Bpri?;6GBxCtK>~%@*(1ml+)NfVqCW9FjG~()IMSzm^(c8bR
z_z9=O)q*fe53*ps)Fl#{^t+8Rv~f$T2yWMMJ{|sIfTv1@JkQGO+LxtZjqz*4J==zP
z&(uaw2u)nXgGZ(5w>^h%o(Ma$eY|I8C9Thd!hu!5vXvw1hotnwZ7^c9aIGpyqZ^GM
z<){&<(54zMyyw6qpbCuD&n0pBv|p`~q@K0^EM?S|?I{y#vLcMfEG=l;$yvN%W`Yk)
zr%i5j_knh<Z?F2tj6nPfprImriV##Rqk8JKeyo}vQ>Y>M4A0s6URc$Rae9~aJtGoQ
zH_I!wWwsZ)Baw}(aQBa_Eba3Er%gj!_lcI&v#)i~^?8{dG=03N5%vCg=qj*|O4?Cm
zo(mi0jgz0$mmeHk&##Fg;DQ?R`glwz^1u)@!0S)u6oznncZb=P+z^1b&mC!ir4#Fr
z*yZ&J_X+wFFQkT7i0X8V-p=JbEX-f3F7^iIFNI~mJ2kve)sj{GFK9hG4NZlNSCO-Z
z$ie=wn^xTr8x%-24@Lkzc@@8eSVp>HFv<zYme41A>wt_<__y|OPcb_)B^T&D0M$8g
zj@OZ8AM*M!Z{`8|JaO?T@pg9QP3YJqJ&W$e%)4ji7CK-XH`4NC{SDe(2K?v4eH^05
zcjB%X)_HDadwuDVtUrSopKnf5MK6@;hxwhX6!27E*LT$S7MFAG(2}5?z8If~f+1+A
z2DHCba&SzQvb%~dh;8$_%I%T<3{u_QW(@ZnmlXOvqR$@BLy&Da<+87&YdlHI-BVm6
zJE0qwm0J{DS@(Z>7oKLf33}tW0aqa~;J_Cs$ntG&`oiH&<}$Y6aWdZt+fAc2q3nF%
zWwd1KoK2+zUuHSo@wEFwNt6sK_%LbK-!)LRX9$Nhl-srL#0a2@K|X&BGoJVSfg;&c
ztSOme5V{pRK@pJg*pZ~{tZ^yLO#f6qFKlS%1t46fuNuPI&QlYOms#Go%<%MY>HXhr
zR=i`BE2G$(WtI2TKU0}Ne4YM;u^0XH8ILy7bDPalNtV3%xOTLB0#tTILWLYME8D&&
zxVr=+J4!I?Ct-fgxAMWzV7)Kn)YZyJdt+w@RI47Ym6?reL5t5XR=bYF50#4ImTKSM
zh5V7ZTl>BmVBbq?51lfd`kS?=UdZX@E`D}n2VGDxq122kf0X6jeOW@T0cERI-uLP*
z59rMWvOPqrpJRsVeF>IFx<2IeV9lk}0Phy>IA0#<@m~@{#V(?dP4v%?pQ5&m?t-2t
zNh&e^#c|YUY%cN>8MM(?oHDeyF_nQGweqRSp?-xr`_Wav+QVkGM9Z7{o-iHByz7h$
z7ZF+#ZZshdHIvq8J(J$hPKAB(<0gvb;aYT+6XzG$VQIW1N)w89`EO2NMWuE6Qw}+p
zSSqdUaHSw3`q@Tg)!=<)e;iumbWvt-(`t<E+?{whJ=F3DJ&c=>SeaFlaTFjZX*u-l
z;vmyiI(zQ(3^E`du^Xnj4G3LDD%Qq`wLlZ-PJJ(?!JHCRNY>!66KfgkHB0VtzMnF)
z>c{{}UeiFdkBUKLN4a5P)M`d3mA&2=utD4k%rJ>jTO6HVW_ADSnWU&pB(}x~FK2o%
zt;H$?R;jn=OJC`vs~SyhwxBdi<fIJi#c<f3@-12G2I8!Y7(m9`x6-4K7%IWtz#&`8
zT?(MLj$I<o%e0ce**o~Fgmul~!sZ>m0|2nf@yoyQwtx2(M;bzH0r@4}Td*`iVpI(Q
zon@H=P{mV<8}g!r+C6zfu40uP8`e~WP1Me1$AjkW+%gNsNG5p#wQu^EX$wmQIb>Y0
zHW|DKUdWc?)UO!Y;@MgrxjiVh#(7K;w5ykPE(t6`EGIVKFp+?LaUIkh$6;s;J7GN8
z>%(3`?k=<+mj-+)RQ3T~cus@!N0O<cXdNX*?KIqS1&{@w13;#EnEWFyblCsOTw>`B
z=v~?+Ss%bcpO=A2a`p@(Sx;Eut1jF57cyQjW;UqQqY2fMJI*>0^~>+1nyNTMf)&ot
zM(P=q;|bgOj;!|`W$d&K>2!EBWk5AR5^=DZyjoWr8I*@YW^H(@wR^TW&C6LcERI*c
zoDjOl8F;4{!m*w=AKt=kE2@p|Rw8V^#8z*&Hhl~Yj$GUMTm8oc%qsjK#})!an@{#T
zRXyebVLE~h6RaGD#9<b1<63dVkC=FBj7Rr7Kumvs>8phpm$9WehwdZHtSKROB74tt
zF^Cb9OWK0{>MSetZyim|uXQZC^0d)N^Y*eBQ8K27bC%h;J}~xBjKuj8^?%p%HmN>;
z<SI2x06?510M!Q)-I+05@R79$NT-^;B#2ArZmw;h17nvM-kwyU)p{35fmOg2CH;aY
zmH76&CC`)oTl$_7#$K>oWXHiiUAlEwE^cXC83)kT?cfD7#~8f@Gk%tTyx_M$ZGmZ1
zMS;L$2DxVMmu!Sem3Gglu;slG0|pI26I5Jeu-y3cgb=(^@g?!wmbDc^<emT2Sz1xz
z@{)Fmy%<JmQP-1?q$DIpwvzKK&S2Gg`Vtj?OXb3Dn6<M4j6VVE-LGBv(e)kr{s<#6
zEZ5TMJaB+WP8Pr!pg#V(k=(H{xYiI8Rd>`u13#J5_XKjS79tqYYEeCA!h!LOcXH{X
za9(H6i}k8Ims(U922QJAr+yDprq6)$)flocUC<d=AbSea8C$x(w+?KMoRU9p<TFB6
z|NcFxAeeFV!T~n15`mlZ@XzV9<V2p)K)Lj4DzODP^F_4<in-~cQ0ujrU>$926yk!`
zzS@4JI%CXOe-!mh_?u}%uXnK)$RM#?>=+KXc+i_k(tQH^^B6%*d@H$qZ_$<s5Jq(s
zNrgkqwwL&<oRIfmBU^}Qh>?jjD{k{)mi)^Nil|@(IP^Oc2*YDtFhWQDS}U`lz)PWt
zgc0eI`76>d`paUXtMte00wqn`Oo<;0SWBvcp2@PyagbEg9bN_Y!Ds5<G7t4c7?XUn
z;wZ8JT}5IqTJUGZ`?P$W4k+e=^i~5PUpr}}aq9idLS~7>AZ$*r7dg27_iF1L3`fm2
zsdz+yhTdZu^e%Ni3y9~*6;YJr<e&_vd1<3X^({qGWY8q;B!V*)Ecp|gf4vkiT9g!7
zA|M6t{hbAYon-a?vRy<&h&C+m&`**1fotZCbb>+>RI#Y;d@eb+XFT1Ly0DlO#liQY
zzpcZcH_M_|y**mRJ-!HnLXE|&D#WJzfKmtPa)&bpN9HcUycNM3Vw7ZDt-1&_avRs%
z%fT-Ct-+L-9YMbj+y)gG*5;jFVw1s_wrkOX#4md4v!+Tm5(ViD87VdDHQie#V<ov2
zy`jfpSAnxUQgy>@3nS0MLRC8;zI+`|<_6lR^RClzGF-r#9A%m*2c#oQKnfaZ#3jxA
zn5Av7*DHl5DTb_+A(Iq6F=3wpN{yzhdmW8)x-&^+-|5GB(@UOIHTDsf$q{l8mr>bA
zDr1qaEa*-FsZX;>0vouFeC^S7#2dV3S$@QB{fP)$_fmQ4U@)|+dTp7gNc?3!@WSlU
zjlu1H(yqRngR4^LVy)fFyGgn2h-Ty^<=;XrQiCW$_=uON@tcQ1Iddc2RE5ZRVNJzr
zO+4^wb>6F3+y3)7*A)p?oweq=gg~IP=YBV;e;-afxmKT8!lJJruIXI*VBDSkzDuRV
z|B8A~xS_(bd$ez`JHIhXx1l6aoY2fdnvw+YNlbi69mu_YEi<~F+t^)6;9K1e|MDK(
zngpO>0WhUnH0We9Blt(S%LyO*uF)2irWOS0_^Z}gz1>H7={%;W`dTR>_w1932vISy
zV*O;t{i+~~33GxROm(CWY$Y<}`Qd&bw0(Dd=3bP_Nh2*?!+|pbOFE9;arJgxppP|y
z-~8qDB`6WK6*|3TbgMV(ciJ>apGyB^BSeA0wx+xvQaPBH&Idh<7b@YJ0npakDtd~y
zi-2ldyrgS~@o$rpX?+48Y_Mg7odwCaCETa1Xy%|Z1KLS+%d~+!B;*<RDs(@0P0R>|
z&vaDt5JB1~%90CTu1MriE7mA25*T@0An{*9@LkBBtAyeDt)UtRSzxV}e96lE!p&?h
zO`mzoNPVErU(HdYOz~?yYSS%|0~cJ)Fj>0b^RYZ1ft|x_uQAJ5@-cw6!n~={fEtcZ
z2H5=!dcD&%T?&1qI3+pDNr@FRxUZQlC2P9~72u^&&%wDaR46g8{`SXOua8G7G1rbL
z$GXv0D?_PT!M_()hA+k#jk;Acwmbr<$`b`Jq2#BT8*_Ak0aA1-soA&5h1Ov6xTxhm
z^#m)tkeo3#xJTWmy4S>Ii_n_I3dadMaox^MXr&KtD7d}ltz~o}Tr##^Z*50a6*n0l
zJj_f;kr2vKut0v`2&EJo!PU+}VQ(6&UVENs)likm&CXrJ<lm)m+;Xks;{t-&`wm;=
z!$_&8eJaK{&PUKI=Tvb6YDi}xo;H@dvE^4(6qRC~qK*|kHk{;22RiD-OC*rSeu*~g
zt1o})U@y&ytujAFCommk=cB4L();DbAtB_`W?m)$te<V&wjC3iPtNPJfr^IppO-Ot
z{rB76!JL{ijg0<nRSm^Sn2@D4nYLqIGlhxgoyIAN_1p)LYY>iR#3Qr$P=kBkR&xnl
zs%WUt)!s|_ms@8XKGVdX=I-wy@H^rkt>{#_JB1+T4ak;_<Q>3YGe3sJ#xx9X@IsDT
zHC+gO5EXU`1TpAYYFaawfS-MV1LyR(!o`^gjc3>m|4(M)7~@H20=z)sF+iVPB+Qy3
zgmj`<)xx(l#$?0zim^zfe0MWQP`sn%XOvG)krb;tu+bPe?uMdGlN}e=0vQg|=sIBm
zo#b=Q4JjamPp}ALR>?A~|G5cT3B^FgQO7bHiqxkp8~7-%+&MMbXhp_QWFQxESWIYu
zClvi#22E5^Y1IiYX&$N`0f=By|2h~39G6bt^f!@dBm$Y9MzUYEm;GSj+&RM-2(FZ?
zh*wWl?7EGrq&+5!Q|52FNy5&_t|-mU2G4ivFdi#vS=@8CCal{9C4@jBe*{=Xx$b{7
zZC~DVS<?S3b@I+i4;n8Q^KYlt-S?%yYt2$`{yaaM;lW`g!6nsg*nUn9+P_88?Gj22
zqNsHGhB?{iH{(}d=GDycbzinYP)F#HE1oDJHAK>&lIMI2;Il$E<6~qA)rvUotAd)F
zEGo=wXs;h)4ApV`V@!HA1L$&X`^;Hzq@p{$Bd`CbjMrt2hMYizDGgO%)1*18S&@FA
zNfwAj0Rr@pkliem1G?MF&@94;6H}<g%SeD{yU%aQ!n$nNiCX0)E+S9T8G4pRZg;?O
z((q1nb=x{Qhi~+Ba|YcM>oQr~7J|;f2_>m0Se~9b%rePHFC{@IS$Al`DCn@f15nju
zye6ansvmZJmY!8;qI)X3#Oc6GDQ5m_*HyQAI({;`7%}(U%g;@2lxZQ8l^Q)SVVIY(
z*msjvw~JA#P1T2(mIdSwspKrqr_#1Nt!F8kU@Q6csoo@`@kS;5K4FvwTfrgnKj99|
zy~<?cvTG7<eqq1`(L-9<-wDcXrmlJ5i{v*Mlm@ku|H}Ht<$$2bF~;7>h3lyfeP9^D
z{Zrs8rmUJtzC;9qC&8!CJ>@WPH04Y%ga&O@xk^Z#^LT{Y<_bB4slVp-Hk{_UYHE*X
zapDGXQ+9bR=EviVakL{`d*ssa(_PK76c}m?akpQ<R_CG9Zz661yb7n~8m-O%x4{tn
zVxrCF?_eHi#pKH!`?<<CssGI)OycSbU#SVgN4a_|uqT1v_j<N{N(TsXKAE4tAqx~Y
z{3oa563gd8q~fAGhAdWjb#y~;XKtI@9S}@ye%IIjdZtX|k5Hc<!g_2`9X=+iEA)=G
zmAM)3fLjJ#MyvA=r7s%8)%k+$0w#~SBwszg8Gk`wqN(I|%r_QSB~ke8H^Ld@`8iY2
ziT8@n_XO1P{z!p-J2)h;L7C|Ywk~iA2l9Y1t4`?JPzB~W&S&G{XMz#-G8X!L_lZ0<
zh)%e5W|%1lque#Y?vL9fK~g#6voIgI^0$IUh+Z-ej2OUdcp47n6@kffeV}jw@Xl7~
zs_$asRXy{0&~`RTl#?8_^0>mQ_&A3!^QbK3tQ**rPb=LORk%uIBcC^qK=A{cAG6Nd
z|AA6xn9CG8t69F<Qxiq6Pqn(TET{S87w#?3$W$ym@j#_;Bm&VY#9_O}lEH-3+CLp7
zBt^o2R)pMfRjHm~pFjhaXc)KC>!}g0=22!<s%A6;8c+s9&=D#w=8C*#bh1C5NOG!Q
z$t|(uXwn435`^3l6P~p5D!5(dU<IoS?QJCTykx55M-X~i94UOrw~e=Aq0x@1gPucL
z`a-f6JI#5-R1vac5CE)^s%>WJggO#^1S|cC!cQc<A^{)@4@wk4*ET=@|99pIcUWaj
zbOnVaV~%<FC6mXH1GECzQDjBl=4O}M*!&46yli-FRGKgVEEKML5&67cJXiG|r+$aJ
zZ^kjw2q5(lv>OYIu`1g}oVY`*x3TWTuz`cBmVd&uMcq#$all}L5~0I9T?MThU9W)d
z$OC~e5)|=e0T?VQCGJe_wxh?!73#$eGQvZ;G)*-CrD@^4!sYc>QM1E-bdJbTR#0n8
z#Va)7_Pr$l^R?`<6PLgUO<yS-8v&B@t#V0=ZWWL6_7%q<Uh&2mX}bjTkXBP$*D5jP
zi4c)f1g(Q$q4EkHxT6SyG?^6TA?}xW8?hiE&K9NEG?UyYSDv~B{w8Xb*)6^z@$s7<
z7Sw0LLq#LBGKA52F}VgoV3HfS)f7#_BoXt#Kn7+o3e2$7H4{Ok69Kc=pyo9{gli-B
zz3n32{e%I}gg$^YC~i#ct9U{xsi@v)o<=BWwgfYz9G&0STqYYwAmX$|;+Dnqt8Zv^
zXwX=~<>BFPuU=~HL%o0F^AZ~S(0@*&@X=k~Rfrp(PC)Yr?NUAw>4|(4N7J|<1Y$8z
z8NLbZf-EP@IIF!L63=7mI<#vNk;!B7%SUd-%0r9HF59=UAH^SU$oD0<Y#mXwHn)lz
zqrRI&nX~rjX@}LY?FUfY0?Z50Jf=@=IO-|=sPwRGzWvidy{wRGyFOM+zvG>;Im1y|
zQFfvNPhsYBJ0kKI1n7HAJ8#u|##?sJr_R%ct81>h{O)?_K}Dkp`@TXR2N4nNLOB8v
z?V-W!|7k>5eLPe!v^^!U?bJobig^4xBDn~S5MRCnj6Ou?n$;<G74iQwuHJEtZ1>DZ
z_x;8@jPCOH-%Uhu4H^ehwo*kB|NhRhs1`h@|1%D|02qT)FP&ok)o8nF)p5$Xo>G;J
z>cv2aUa1Q#OD^diQhv>q)0~_YW&SRUy*wym_8GeZD0Z%k)xhNOkdAKtF|sYfp7DpX
z4~5MkoQ-Aj_HbEw+^w%>Jk9SO>eGe6UaAH^d22d%PaAqwvQjB%Djf4CA`SEh_Jx!w
zSLqC|{5v}M%st&Dj;dtf_pmE~hS80WMp=H6IUz*@($llj((jfj-E>ZsW_sVD<(c7z
z*yr8+s8UL@1vhAdtPDvbOV%T}R2mX3&$FhX(n!Jw$Z_#hV$P@_sBV4by42=De2G~3
zTlE+l#+}1!0Mv{)q*ntrrw}!*zDP7r#ktc>xe&SMraQ%3Oc~m%R%pYYzq?g|_&w3|
z>5wO+#@J#oC|N$sZJQ?{(-587Jw%E2b&q7y%$M0do3c*UYLP`)WeAns)-iL$=z>n;
z;bEuJ#d#^ES`ExEi55eO8;(st=}{V~ad8M{L#G5J%1Od39lx2MmfVW`pYKN2wV&eL
zailXd6*>qOS(F|ttNIP2x)R=y1(~H4nJN#mOY>Kl?e^gXVVwooA30{a9&z_W0)O?e
zl&(x?WjL{MDYSo#bF&zX9Y|ilZ}$ZU5&sBQ364BZW9#^vA$tN0=f!YFp5cUIq{&s@
zl<&c;UN%h9=1~7Jwd+cR_u+tYPgPVpMzvi@5&%Y*U&oef^0$OYTI0C~@}5hPTnd{~
z!}!nLz84%5a!*N>>DLFNMwF6uF+W0E_=7ztAqF6X;t+FJmd(}U(kkcodE!fbV}>rW
z38cpla0!EREnHteJdIfVjqhSNnQhWqkkP;nlA7~F343G&eO){U1<Fg;D<BnXjVXBm
zI3&To4j>1r_waw}d+bxxRXp+#4N2iHc`wMBePK61(cW~JF@&6mpC4RZ0?S^6w82P|
zEFIq2G34yq>1-lG7M-HbGbNh|^pFV_0f(yT+PQavpI=9Txa}*6{qS3r$6Zs9=A`W<
z?%%ARRT6%Q9uhh&u3K3H%0TOwu6(iTCB6-dk66kd2OLv)89?##BSY(<{r32!{B6{3
zJKqLmOd1kuHgCuEFqnKW$hIvt*l;z^^ocQ7fA%UH6dzm+JUbJ9f56F#3&(zw7~g(K
zH@>7y*n5IzMZ-=j({UQ*Ti)HzX6f39DEJ;Ynfx%MuIO57Q2S?s42w@+1gY$&o$Hp1
ze71#2U|c9|-TM~-&UM#OxI{rm1K3K~9cCMah-?~UP3k(tSaT_!bFNkKF<+YLa}$HL
z9E`dwI1s<1rh@eTx5NzSSM%S4SZnYTc=+h+OQC88!d`3HgTMae>tlK<&|1>!i%>Ak
zCgLr9U11*zS~3iHd%)F!$xv}ZLte?NqK$MiN<2^glzUpFfcqt45MV+?6_@q~J%`U+
zM-kikLI}ib;+FDB_u{BeLtsNcF*wc30bn5PQGBp#gi#%9&?|XBp|EgoDu&I0bE6Sv
z645`f8~M>SKk($SWFFZFxee<h@@eDrV@y%K{*5Y<7sGJ{Su;Ipx(E&bgYPbgg*d<g
zf>Z~^DxfBHK?;KMACItHs_dlQq-bepv9chkP9(cRr)iBSm&im<s~?i7%19-An~fQC
z21*BDuECt?O;W^%(ZjG#EU$7)RJ7e@z1<3!0b>uX(~bG_BKf}Nz`i%ee7k0zYSEa=
zYIzO?chX9d4Wl-R9a&j@P1lNPG!AG~TU&#L@*bk)YQMw}#Xj{tE}#Bh@vpx=%780J
z3aT>|LUqUDVipwQ-fb&aTY|V<ulMN{;P~*EnK`I|YwUec4S|F@krs`CUSQ5<wa@}J
zepS3U{|Ux4w+pt{Z0*=n1i%1p(ehRXK%aKZY{BpF=mm)`8#~c9Hbt;tr1nrJZF_}o
zrfsr4t!*Cu3Vr5gK<v&H@T5FXc8;sC6&m&MEN#U2?c7H9-#b5AEFr)Gw~LC5!a}ZR
z;A@>~VsG3MkMSKbyA(3y&JL3k!3vLDH^cy29Q?5f(jO<W3%EdeO%C7A<4_&9qlr3K
zlT}*Pf-9QWTYbB#ip?+H*lr+vjTx0CQuNfm8c+7DZEjPLFe3h0zM}qP)fN};cyf&$
zW0@RV7y<=zd<`XK`Kn`!VPLX=efls6UTMJGeu+Ho6KgfS?fS2nE4nS{$r1O`WKoE&
z30cV!5O)y2B9{jUm)EHlF=ouonXn}WvGK!cB^XV=-nE%@0NR~(hn`M0ixWeFeCY-N
z)BX@wG#`1487AnZQF${NMdess(X$N4ES(<{Z|x3E0Lo*DjSZA+`dTKUnvxWygl$oS
znOVVi_;q!y3!Ps;<U`UP#aB0^YUQ_3*%if0IywOZ$L!~Nd<30B*5c~@8I5(2>-!q%
z4tJvH*syEE?c43<5_u@L<Gq0g!F_YCP<D3;`(3@2JhnW*<ni5uR$|mqp72CFa)VJy
zb|zX9G;s1+j{}Z>1}*dgoN&$!KK&v+$A$mZMy+r)<WcTPYlInx7^DWN0he+m0j1O~
z<_WE6DYftpV2)9v;zvJYdMJhrET7fw-{*)Zx*=%Le57ynWVH+l#jKv8)fiN%DgHLk
zSe!2!z)~You%^copRx5P<y4DEHkVTWpPN;iink3jJe?lBoPqOWPoH9k*H^om7mL#r
zKvfm6Tp1uy7*WziHTXpCJ>fb%tplng-L>OFMynn$>a~dRlC5O%Gs~SyOm!g%Gbp-S
z8d^m&p8^RGuSBQjEU<^JLA0)Md@Yq&r(YG+%;kz7iygT+x!^+rDO?>~MttKc`GQ}r
zQUCQ9HtDim1#@5Ovr_`I8=v_~3`{{NVVDeQU{JGqrxnMmJIOSoo4!PLvKsd!(bQM~
z#{taXdkPhwX(Ou0O31AfSn?VI!yqSMh#U;HlVo%^-P_fu_ZP3w26sRZ6@k@078)_x
z;BEbpnWt|Y#b!zNiB&M+xc04ko{&w}Xgv~C^=>Me<kP&l|H?emR`BcIK&YX@bty$A
zn*+325p=1iX5VA0{fv4-sJ37dU8xJW#%y8z9SF&M2#BG`(In#jCWl-;UC()i_9DTN
z7=TYOg$2lfxhJ@BW2f;;nCq}@p)*i#E9T@6u=oL;ECf<dblC`ilWPUfnAW9C;VYf*
zNcFLgnsLdku4M1Y(Myi1;*)|FRDZ8$%LTUIvh(@!`#C3+>|aMJ;_HZdp}oy5+sy;*
z4>!BxNBj|ZwerXRj(-~u#>}SHsp&JCcJ>=?rT!K746`FpNV~GtPCqH$FCu9(lTv@q
zo>3wKqfhAeWnA4hXiW<VdGf(MyjP+NqYE~Cf{BQbvg-PYnbJO=Bs_dh-{M$IwB=Z-
zKhMIPy~s6tE~=OplW_AsmRzSzL*}1_9mR&`{VtKMi9v_;|0^ZNH7b35*@EHSpNKJ3
zpi1}kokB|(bBS8HbMuh+eVFPR<c8m5E^QYPQU12_0Rlu?E^vmh{LkiWSYG=(1aois
zwVBQ|JxA>WYODEhWd6cg<;rG>r_lT>UuG_|sZxbb2dBQU5!_vCwb?_HWtILB`fkA^
zB28HcsyePJz0X^#=yYWaAM?-aTM3qhd2hq)|8~~x+t&xM#7g;RqKZx{vryGfB+n?U
zfTBM39saM5OKa_y#9XX7m|HZ{%%mc{1}bD-7<Mk|!lmtfqWH02?doL+XmF9M7m7Nu
z&S(HKPU2fjVao#rd*oZ2q$)mZvW&v74OTpY283KLPqPb3G$1|}WqJEGC(`sfOjeZn
zTtBPr(HLBL@tWqxC6@FY3`==tOK<UA3PR-?hhkTxH3!NgSYXI(`0CwJskHdHc#)0-
z$h{E{p0e<itQz-HBdoT43Jz+NPo+{S+rOjM^f9+wSpSH4jMjK*Om~=x+Ksh`P<4cD
zxZ^9YF1O6|I{WqB^CzM5ai8Ktq7v%D`Zox3Hu;|3(jxx=agX3%LIJTAD>x=&?Wuia
zD$Y&!Xag$igp+Y&x}V#b*YKMRK5ezhlv2wpKpIA@F3h_i)})K_JC9DZ>plz%bG@UM
zpB+E~6Ho_W_ORrpi07*9nfP&riU$PymSW$B%agCKO0g0L^J)+L!oQks)9}$S*Y?G^
z4fMj4DXgF<n(xGl())rs0t1P&x3418*VD?WjQxgO-uWqO>4yf+QILtiHs+{qcPpA@
z7_(G`F8MG<&0$sgG@<F(AZ1><jTxQBf&gvs#MspZbIr=IR50quR0lQElNaMqf7SZe
zOy1*2c>NRwk#oTQA=L5HY62Iqkb3?+$F$FOcph1)9;P8Y&&U*{+dh04b(uX#`JLgD
z$KE0*#D#z!2o{O*ht8u}hvjq+V-9{!T)3NKVX-Y%x&2Ss3;iFGRwQFswcgu9QS2-5
z`XJ!2Zr8#XOVM)McO-}t$ixMK5{x1k>p60(%m=9?ZvY3**t*k*gORWW8rn^|_;t!A
z`88NPSj7%Q+H9gOAd%ha=7_JOv-Lu?kax;`(^F-0El-lSF>Kj^Gyt(FR17c?Yz44c
zS!d4sveDijk8WE^&V6nBf#^>5PnNIs6DeyC<wDux#}K}%BJ#_{X)3H#!GFvbvC>D~
zYv~u()&xVOfr;*e5jwMI%J9b1otu2k+RrBIRHUR*n`m#H%#ck3)kJ-ItPM*)X3X!S
z16+D6aZBHJ<5e97qOk~mn2I*B<=++1H<kB-JJ$n)79C9qq1VH)lSWCvof5;mu|GA;
z+QzX2H7`+#a&*d=`0)wP4JJK!L$uM?dx)tLLP&^^4|~A^!(wbC-!LS;cUmJOXSl8%
zQn~VQskI!aIruMIAu_#ZNB2y4%S_j5U+?cXxv75v#H}Az1<vIHJZ};0fWO15n2s)M
zOIAot)e|m;gGZbQC~=jXF8sp%j#aSvS2ZY@E4u!G+Znm%r(H6O@HjV$It14-V|~7M
zp)C##F(|CNRXRru8r+9}k3q8A+4Kaby(z)~zBc6}za%Ggl&eb1zEW?kST{v2cxVuN
zfBtduFm7)qktz1SOBo^!fF&F<SN)}<h={{n82`|9=p;d7d#7_cc%e&jFolcd<V3Vb
zAptMigCMLS9^UkOMF7LvPI<`Qxqj^~!n^0wZ4q!Y4A8WcKi%A|KnYv2U^Zb1ziA=n
z=?UxgJbMI(9F+=3JFU*3ePpSe;R_NOu$zg8rmkfg#nX!-IcRQO(cNRg+l*K9<kOo5
z6v@gE%J)yG`|R1g4=UL;Bsv<Stqe^Zl2h2y(WkRDCHfW7{3_ahQ+V}<+mL6cCoR?V
zx8~5vJ<`orm^N;Td6j7c1=u-GRx;7(+n87w8Zne|!(s0+&>nIH^EV+PD>qyVA~<qy
z!wP)h1W`X}uDuvZl69{@c<;e)i4IYkh+Eh<w~M38f+(tLyKKddBF;$^$?m1vEE-7^
z%q56z454Qtr5ZsW-RwZePICbXwFqopn%sac8=ge;a`kgniy&Ly`i{c155f$}Ym{Sy
zD$m%GW&)kBD4kw@P+&B54=m(TU+55X6I#DDp*~@C5p~PoVl!aNj??`}Jmlz*t7iQy
zv*75zR9oA$#F@{`>B-bA<CoMKz1TXy!cr53j{H)Y>8Wq9a~Js>inQ%*28yc>J}Y0W
zh^t24^tmil=iJ!d8@ol*Y3}n5bvf0GyS21vplT<|5HfC-vNYKASb(~K)z3z%*lr0^
zg^cH3QxCY6NdR(GN#yt#$gZ12``3fHM~F1VvyxxTQA8rgFXP-LkA_m^2`aQ47wifm
z+nz<H%OG-15G`^0Xyn1880zgZV$2<~ed@oK9^>D)gWZ*(EA)=~m=WZ^4t82JlvZqo
zr}I~7hpZ-wvoNc4#P}N8DC<|9ytksPFS-VPT64Zw3rIE`?p?zHZ)XOxY3|woa0Y<S
zQRn*h*|n|gE!;gFnsVRlH@B&cPHusz`VR|{!&Z*r1{bM@RQ@rcz(2MrC*!Ax&ZcH6
zB@vH(av%Sd7YFmD1NUs(!e~LOkI8#q-!}>Q`*Ay1VxZCAI%VU#=8;cyAlVFViKEa;
zg(kY|+#b~#fPbMHqVv*hkBLdhGdOuHva^s6D+>~(xiQIIXT?FzT09hr0SachcCUOH
zaWdaZtD`C$2#qm)A>ENd4kX)h5>82Ca9wfwsOc2<mtg>!?BC2A!y<Guo2}8b)F+mc
ztPT@eqh<Op4}1ucwu;#aM!@iP7Rq_BZLbsp%qhb&YCpQw&uEFMhUOvqurBq-HPQ2a
zO39`SNF%Ewz4=stS*;{Se&Ed^V9_UhT1R5U?7JBE1cCZwdeIhTOFNjoNpmE58x49i
z=Y8WTmgb@c`~@XdO+X4`G}q7h5k{^)gn(baq~nfz$QB_7IAsOtv=otFx15oYMuW=i
zDQhN<y3-v^GCe+=W~EGNHzWSTXXkWr%RNSMmd~mz!~iwV>>~wQN0Ob6ljmwK*OW+H
zV2><26*?Q>=#9=jM0K~8hx8P6$t9gRxlaIkNa&WsmBzk&*}iQ2lr6o=RHVD-9yX+(
z>J!-6u37UkT;~;mW7Q<;(7tS#IO&c*_p?TooL6ixGXH>aO<H;SdD~ezuPlf18onG|
zWp|%Vm^_q|@F$<Gm)%zdb=`8^{;F%KOvdmTs=}zVsN3;Yo}hho9cm_!S51^0X1md=
zC<WNL$=E2(|KDnxn1y>T8eJc*U0;0tig&C1dbZteDRQ$WNB~4^!sdLesf2Wb2WO>(
zO4%ti<HQ`~i8v%tX!)Ao8Cx4KfQOcEP_Y76ff$aP-DUG%_c`aF#)d0}>9R3PiwRi5
zeRwsA(ub(>MIq{t8t~%+W)samM_qppWUIJ#n-bOl&>l+_6h!#yA?PouT6bK@t6a<2
zW>|rh&7unpRaB{pstI5ty}-Y-_KmcEsV3Sg34I=maY`i#_=4_Lmhd2_%H2jt;)kJ~
zjm?qI0T&%khbt#h21OAXIV8j|Ss!(-7&tF#L!#|u2%SFr#`jegyMoMFw6$z&)?$Nu
zm0_JJ$mtTMoT)xHS3@Onz8kb3s9KLi<!YXEP%`b70AhTrQ#NNb{4S|%t>TkvSRt1u
zIX6O$t<)sagA9~Q;ARxC4IohaV)h$1)~YRUW$SqFqlH(apN6Oq)u3=s+^E8~E-nV*
zul_WAhwAln+VcQ2K+M12#w;`{N7a|x7M)|wfcw(_l+<)tI6uR>ADU3<HE{C$=$mk1
z0yY!r22{`>+|+pg75K%Ji-?&Q1*JEK7<${5Af@_f1V^rB{S!~uxibpsQ4)l%VTEq!
z$OR5Mlqw9aC<v=9+Qy-W#AJAa<KZ(s>w*SVAF0FCU#IIRPPveuGw}VFiRFwSoXj_x
zT-?+|60cM2_rB|5z`XMU5)AZVok}&(Pq-85TtfE9|36orkI!b^krHslJ982VB-!_c
z&sW%3QmEdK=s6g75u%!G11~%o-njQ}QoB6pKiwtVoW~>{P|wEleFC!=0&TPkN@#Yq
zmfMBC<o^_x*PP`uxp6}PHWgrTp24cT=gt!3_i4#}Nkmo=vcMmfjqxyi))tpXvm`Q&
zrLM!;^_~4?sw)fAJ4)w{R?=#a@vlbr26^W!UOj^9;40Y!xok$jTE{3jHmXPw%sqsv
zeaBrT83n=;_nH6e=ERxGZ7T?iI3j5*r~$h31t2}uF-5Htu!BzgL9005y<nzQ4*P7B
z{y$u=h0tK~?&(eWy&9?WM^UB;k)DR1aH2#3qM&g8jpHM!88$FPU{zornxanf1Axb3
zvi#wMjmB|3LGKg9U<|ujy4TgPLEfy1$0Z2(RSNo(!stEYt&qfF+gM?Rid<a-XCRP3
z!?gR>$q)Nav6t24_D*%6jv_QoMp@oq^=Jv9CR9vH;A)>S;FGd#TDw;Z()eNF!|D^%
zW@HEC=GT237q(eNAf`qEa~0n6yf;so9`@XW5-I)GU?;E4|D6-#9{PVI>W>0R*d6KX
zH*q4i=YfvhJ;nnwv>_?G!Q#-8N3czD&gFw7MH`rfdjcz{i4!IAl*#8F6H09e`YG`d
zF%xjC!iy=i?(S;6!|88655E7P0chV<$m(DVJfd(EF8dcs@@L$w9hKj&5s8(5`i52d
zO{dlcWoktIfK+*b2rAZY0tl(k9R2AGY=xR*<YtCLIeQE0wCZA1BN`Q?fg=6j0;KJe
zRi`Qt!7#YO%~2xE%uD}kb;{7eq6k$I_3wTN5DG%EUeUq)@}L&d!^ih`8y|<-QA=`P
zSp381+iZyPy4O}Hn6=}dZ!S-O5i*lqfgsIHfY+duQ$k>#PMm>!JHJ(C;#x)-I4qW7
z!U6W`oURTCI~};&**-ID8=(RPMwqU5nxFIiG{EPW<}QJ_8+uOp665k3N@})=5ZLFp
zR240*ib9I&PgmZrMdfUP<b>9^sWwcsU)&D_WE5Y4|F}34a6KJpA2r%S>*n?;GsDnp
zgymQY*Hz@57mGG}5vWOfmzzt*t4-*(Kt@N73CqZFQ2J6oh$&e)Mbwid*IP|q?$bln
zCkG;}y1Ed-hSVEa_;K`j_Kqz26J<z%i}tG?jxQKtH9*y=j_!d3HaKkv-;-=kfYGS_
zySVthKFXl&sxVkFbxtJjE}{-(#?2*~t+?fZGm|)jt{)RKJ%;qO3Zq~*2S*z+QT&i?
zDBDP6x$3u3m|AY@-}s2N!WCN?&(b*To$h%*RA_#VPNzWiWWKEPV}hmPYTy_lC8%jM
z-i;Ia>c=QFOcw_vT)9{vknV+)_}yE@QuoU1Oxxy&kDlyl^F`aZmL4MBp;NP`OCZ0L
zDU)8Z3hWuefolYjk{M4D)mHv92g+^hN;HjKV_qr(Teh^@<|zI(WuCyDn^sI(Hw}aR
zo@vw-t!F;<0u?3GgM=WT%obN-0cwfIjtP-RguH)W=XRZ3R_GHsP;p^d)rnoJ%@Ag&
z54c21JgMku#J#PKd-d;?%vZG9sWb}QAZ1jCR>^^a4sFew@r{hypb6uJY{{YRZ}(V8
zB1kX!Z_8k*j<IIaxel`ScJy#!*>+BVXMOm-l0*Z1!e!hjdOft(n}Mk=wi`#*4sibK
z57jrLSo{=TGv|tHyaLL{y?Fy+sV<HurFmWdKE5_YAjd(C2dtxG=kYRk12OtoBHr&E
zUwF*F2}&AZ)yR2?$#n_mZ|v+GW-J>zqKsmVN3}$8;F+iZvOo6$lasP?ByYg@?7!YC
zrb*g?y*BqHI<kbRwvN3hUfuGWzLm;5;a4cHM;|~_+WZR44nqR>DWT@jV8al2TVM2^
zlF+hJvS6dL?<cF4d2qla@Y2c3=F0xUUdf1AY%F{W$`$NbOX2Wu+3)y*scOV1prKZn
zl6bWSw=XyV_``D(Ggee#e7A0DQQAx$g4ZaCgso&A{BtL$|6(F%NVjYPG9}`At!&7d
z2Q<uwB2osonboSKUt*C1lLFN9XV9hM%b$6sOQWP6nYp?vJoZ+Ce4ECS6+#}%&oT`2
z>96$on$neZ;}J$Kg%%qWg3VLv(vo8IzqXXfz(%h@4hRoQMCd32Mbpm1aGRE$w9RmB
z)8Z+Mbl-8P0-?=7={zY`mDp!+uK~!eNb+6RXLRQ#7E2UXuzqaI>AC`s@<KobX9`?w
zLEl6@tun5*+qq;DpX^7;LMsc|)`Tk5#>-Q9BSIKqr};+E`@&G>8WUKGO~J`T1K=ao
zfU!}2_VVTmo|ywCbRQB`@3^fk2A%k<l9E^)Y-(Ge`x|R^4!pr=yNIAahH{(z-IOd5
zR;dIwQZfY@_v1Xr=7eyHTi2`V=XkyQe;KkB##A*ReM6SFQ$n&R?)`SaL%bG?K4@*m
zx(~p~SyTPFu)0<0AM1PuQ!h_DpLf`-=&=+5F<GPSBshF4=JGME6<hu=>aJtV$PHlW
zOvg>zqqJ#k?5c*=zXcZBPEml@&XMNoj+(f6V!+eg)Yeog;ErEI)<@)P(jPT@OeK}a
zN5rT|a>uA1^xV=1$wiTpFdkB+1QNJ7!-o~V^iV<@4*FW|OZPi0)!e;nrEAq5i6^y{
zgW=!8*vSDmV6)LJaB-i{ieB6CU$)GWQ|!AkWzw4B8|&Vti|&N&7_ChP?)-Mg2~}(n
zDy|ea>@HD0Xs0a}99enJ%|ldPJ#G=yyPF_;Gys2h=pwAE^Cub$>_wPCZawpm#phG2
zEa4qe&UoNqcHv?n2OuL<Q(L+x(Npzws_qPtd+`zC3^u?XcI5AbJ0%rxK>MQycjq|6
z)1|N!3PTPq_8TrDU&|`i+&{|0Jzl#Fjd9M@B2Q;P3~tg!>1oxO>_vWiJg}7lwiRXY
zeu}ohRi7ZlJ*E_*)QDiO1IXoyYRrw7L4PJikVFEBbrgl)J$r7!(0_TRwm3NjNQL&h
zGqk8c5@5iKr({*^PU)i>D%dpnZ|bjLGlpsHuddfl+34Km+4Kift$3-Mz)Hco_(QYp
zaWrl{coF!~TU~5Wf1Oekq`A(=LL_Meo(m~!sbT*~v~oH^C7R&V<@T@SVvD$&2f_r~
z&Q3(#k1!#<(RG8Vu@JPd$G-8LAX<;|Y?HD<M{;=lWaio&hfwut!dX$0dIi-s1!I{a
za0|`EU@gRuXlTRqmNK->|IyRIWR|7co!=fg6GhII0q;C#7Aw~FaO*f#PHx}x<<9O0
zzzyuRE`@d!BuGBFahv(n0>xT}Y{)DKyk27_jew7XuV&T5hsz<^zcQ)#5RoP#(Ec@H
zwB}Wmb$V1m0j^{}zcfP}d;CS@4k8zDs{_B0LI3#-s~X2T=cc;Mh^kY-)^;$NTQ3JN
zuqt=)(}lb-KLS9f^>oX@LXZ>|DG`aj@7n)!j;l$zELq}5pO25yE@AL%mG+{GZCfIt
zoP|6N`o=UOJ%AvEQt!9EnFbM$97wS?O7w|AhwJh_uN=Q75RHbkeB^e>6#!ZJC-#;;
zYyOZy(DYw)RCUS6oLO`#FZO?SX;HoEWuKVHpx|vK|57CAz#^{diR0<MIATr-(r)es
zD}ELYwufpv5T0Ce7#iJO`}+EYq0$nS-=5iw`q5>*GZ&p(%`8)Y^H@!p2a$Ts9oB6u
z@@)s2Z7$@HB2S6R#4&cL_2fdfF_W8ZmU<&=isY&Xi}s4oasc+84D$4Wwj*LGPuCk7
z<4&dkRYDYo5T0t)VHgZq@ik9Q?wvn8appwT#ewX9RNch&vmM!*DKyp7gn&df(;uD<
zwyHs;i|8QD2!t?Nx?Z}QjCBXB-o_BZ<_7nY_uH8gbttt0uI(F6TbGf2dTM0QrEgEE
z5{FD{`$g{CFyKW}>5JtMW8^Lobs9Izli*m9IkTP1oB&7_7HT%^NQZX3MoczLW?Cna
z#&%!XZY0@nJv<X$>>@EM%k=hvyFt9my<hK*z#HdLrb0WlZAfE_V~3MnFD;qR0J)Vr
z3zvuU9uE=d&;cW${_Cp8RhB>T*N&qbkv)=Fqf)^qE^COi$qY$Wr5H$|De>bxQAQ%o
zp>$tZ-!A^We?nA5m-()SetX=W)cgh^8bi+0Vf;za$^mfCmkbr(0NDM}W@VETAoNHx
z%tZP(l1E!k>K)=yX_v=idX0;}``~|+{BYtWE7{JgO{V%sz1e{S2Z-v}tKjjLWqXn|
z>d;3^e~_C!w0QYJK`bE8fIQQ2*Rh9cz4mOI9Bo|g?M|#R7AT7WUJT^>-14LH>l9`4
z2A4E1fn5KjX!Uumqfac^iF<3gav0Te#@(PEyF7l?tNfqOCzHwaMRN{@=)V_SSbOT3
z=#u&uB_~%sgM87KSvL~(%0hLmd~UnnpGM8-hR158J`eku)U^P&Djh*l-obtf>xdGP
z>g=rIOp=L&J1L4M<1BFtK;3X1{w(ct^n$By(r}f#qlnOAw=AxgKZ)R?ru?foqVT))
zaPx#iqE^4bXfxg0ALy=5PI$PYkdxO<J`7UoBTe?q`+d@(icMbKqdR3J1KSV|TDtyV
za@9ggFV;}iWx&!q&#wK+wrdWwTpu%Q|HM`}S-8O_zI{I)XVU40{6ovo3zEr&*dPFe
z2FgWUEF+1t*u@2#iaAc^`K<JlDI=1_sp<w<lb4Z|wK%L7Y6Xv@;(-0^?wDO6RB4r=
zjbjhEO*-(3K+0O98<o5+qoo-645Vg<Nol*j%9-|sa_S>Fw!-_PNZxV1qP#XqZE619
zY#e=Q&sSrNme+Hfd-Wr2KsFz{VA)AH<qkNhFA4qO-ATBrdkA+$mcCrGb%A=KPlZ_T
za-?{R{==yKcwD<|9yHM4>Ucki$%<PZmwv3vV6gbTP6V=Glx${ANWe#8!Eio&ziCB-
z2|6owG7ne{*Q~AuJKQemWjO+8T;5(nh)`eNVwTeOl?_xACVMgOc!8-%qaihMX&mN%
zaL?#@@!=@__%sJg02T3~D=5rPP!W|*M||~5U-i9%-$boYpg?K$;YogsI+8{t6vvX~
zQpRYC_>dbIiX%#&7EiP@qse(fG|sL#G_aAjsN!sj)?h6LPCDTd?kL<hL`%$ui)-M(
zS`@8Lo<XI0F@4h*I->Lc(tD(CS_i+dobo4ysia)=8LEy!4Dd<N{qSTG>Ar&I^B2_S
zjL~|t<%k0TD6ft2L(QK~HAYa;bsm7jYgAC+bb9UumAG>O9kHzg!$+t`TK9~$8E7p-
zpCl)D0oS0#T2n3{LSwzTlUBgphZ0={*D7)=Ngxe=LkZUatQYfdw>lUbA2lS$#Ubec
zeINB&8($gY8huv`2%G09ZxhCi6p{m#12T~uEqoX-twJ0WGc-V@@wSkPI&UO!YuX-=
ztuy{OK<OHKCe01&D2Sx^pztqJ`=(%!3s+1^jd6I|ne?#6eHDl@q-+yqaSm4D7L97N
z#IJFqsfZgn-FDcHjHA!?eq8f5PrHJ$B=m(gr2_DL`wc1QrQiH!!PcaI>WAAq9lEP`
z>*bnsvud4qj<;{vyAYgCVjD_Vu_&jQ6BwG*e`z5?=w`id0mxY^AS{j-?SfM(yhmb?
z*$|TI1a40o&1R7uW^J=#88(58n^w&eI~9hO9KgRW_c(@32xBJ%I`N6(g$IG}&V^XD
z#h4#AN%nL0?}xUeg!Qu_0_wOtoy<z)T!IH)SuBLGy`+suC_BonyL%bS_B)6YOQ)@Y
z!*fa8CsWjrfO?W?os3)1#}Z~n_3?%en<GGoCRhanBaB55$5DZQqk|g5m7<<0S7P}h
zm_vULP49pI#-MEu?BVf&XLV*ApZeXeBP=TDFVy>4<Zb)*42|L1axx_K+>~XD10{t|
zfE})g0)gD3E&N7It$JWQ3Lf0p=kjVuo5@>&oyW2Ffktr_&7iSX5tonzh6H1Gz2n58
z-py0pD?y|WGxFkxoPz#75)=z4@#$W{<gc2dRP_HJBrC^KiJbYD@!`gb=GzjN68YiH
z$BDlzc!lTV-**(}bv&d?gHV5oX7|2iTj0r1eCQz#pHRJVaZ^F5a43v`A%wTsp8<h1
z@FrX6woh!ZWwfy4@cz<{$ZdW>Rd<()jy0y}4&`z!K*DER%;4<cK$7##1*s)1j%mx)
z&32e3N}{L#5qoaSbVg#{H0$8;=85naHn6GiT;PecWw;8^1g8y%9kld!3(RQ?VFqS6
zP~u6JOq0x{>Zoa-AKuYfBJgNf2_0r?{HuC(bM<9^@Y`x4Pbhpg*#xfG)!~ZJSN^bo
zYe>~ZQSC#+2Ba3AO&*$9iCjvs9}zoQ7-QQo5Y*GHCf_waxlpztl{l7Ig{mCqfr}yo
z`LrCoP-3xVKsO+|)v5y#zV}_txAX8{o@tm^TKy~r2(p7_TiBy8&wNg`g{G(dbLAt!
z){zzuCyX0iNnTM{Cs}SO8|h~ecK!-5R2l^Oy(pkS8zN@HA=^*;$j^Q2Y&HTc_x_@<
z08kDApS`40Xat}2io{XnGf%CP4xw`Cfer7a+;;u{Pu}peD)BL%hfcf7FY9J6B$!%L
zX<|9k-|acnM2?rNVfWw9^8g2rzrOzZo9t*=Z@V$f<M7nKn=)b4E`f?QJ}_&M3m|SV
zIUB#7NU|n95hRR6?>XEEijX6#N%l^TrnozDqWuo*=Rl8L!&3>zO^S*8c}kXgYBg$^
zk37aKNd{6!zBqA^HO<#nLJM2aYvm<2esn;d9<G}zH|5cTJZudKy1iVOTbzK_B^G`V
zH{0&cH;~X{aYkx53?4Fs>pYu*AnPyIQ&ayunS9pnHqF_u2fX7ohp20sUef7`{YdII
ziyZ{s3G|7D*n~~@&+#ejPl{E;AiWm_(M^&naDdP2u*L_1LFCS@u!#q%X#KyFWg2mP
z;IN-Hs(z~dh$GyUyP-8FgqbB3h+0>aJ#%q>Ptg^Qk7QyV`VC@ePzy@d&Dk4VP@t3?
z{Mb+4TMFS#EcZ|-sX6YTX2f5GJ^^`<Z{Zf?S-6P9WCd->w?r52udcl%EoS<Ho=NDx
zN5B%REePqS-qQ=?h%T>&?S<^wLlsVn=C}nmi!`h(F{-WB#_}@LGWFc7Z7-pqN&*Ma
z2T=Kk*XL62`XBtVk<GqvaEG8yRvq;|rRCv&i8Ft3p~=iB*+ubm9(XW|S5VqjBaDqm
zL~?-s`au!2bKQ-SDaQs-BQ-e|v^4Dm1!wk3r`>7+*gNPa<Kz^VGuQ49KM;L73aXXq
z>0V+w;L!-K=DI!ROT>cLv#qmVYt8CAVE{+EG}xJsh(kS$srrjfzsYfU9m6t70UymS
zv08P+zw5K}cWRbWxDn>7ds*B{!m+<FfSxs;KU(ibfS)j%!H59V#B!~f_sv0T1x{Qq
zo1w_Ww9jwT)$$=)UOZdTLmNu+bv2?<eiSVo@%z~eY#*KlLBZjAt6pvHkY3&6ldF(9
zz3iBLTb0IH*6$OqYe#E~)NT{RfZtdW5s0myq}-k}nGkD%!7;keK<vu}V2@!%^IuMy
z0qbw3(73KoJQ>$(oKY6dhCzoW(B_FA$^NSHt~uK78oH#kV-;5!D2{Ayl*%UQ0DDe7
z45y>o%d7A>*WN3_mj<7;HIQtZCm}BB*`j01VcS*cdLToL)nBn=4|SV2s!pr4rTc9#
z|5uuYdNg;Az1&P|bm-t@M|X629Ts4tO|pV|1FTgxiVl-Y<2l+1R7HENXWduwm;IKj
z>Wq0>MDDQ+92^9etC031zC+$gJWs?r>=2u*CRck)_R9&94nKIyt2gEpddKe$^&Dfe
zFujt!a4VQH>l>8=4`X*rHloR}1hdcWc-4@3S5xV;5yJ+6lr43o`sG)UexOwuyT<x@
zbaB2iAsm}Ra&%3+vs0!|vCb?~mB`%Y<j9M8ho<!zkQ*)u^@YX=KK<iTfF3TL9HHxs
z=&{AryGd4-S&z?6d^yznpVzTnTlu5?IFwpV>*UFGG4-_>52N$fF|mS*YGx*&R9fdT
zvzqo2_@1-J{}?Svt~4^Yy-&O0q@kd^ZrJ+Z3erh}71ANT1c9-x#JY9H+rPqioJj@8
zLTV<+xOID*W;yFB^L&+;i#<xHCuDgAS?FWMcX62lhFbn<%f$xs4KLO99=mz`ll*)#
zSbF!9i5yJ}$3h3<&!nw!`avVX&ex_&`@EZ5MX{y8-6fKkLLfiN3FBAKFb@o0xrpKU
zUI{hhbg=}WaU*%gtjlCD+-)v~OG+%&t3@yFA>!DCY}vP_llABqzDL>ke)~Bk8~<an
zkhrjsY8;&`fd+qx=na*+)&xSX%vgk=o|3Pt2oK>gzEpAKp6Mxg$Uqtch)e%=);hyU
z8Rqp7ZLLMrw9XNY8!Fw4`eMO5pV(Nq_*j>r=2w%qSVaV@Oe~%#rXOuPJ5I1Sp?H&H
z3J-{X{so9AV#h+UCH&kh=!L43<9;8W4Y~3I=Y{X8aaG<MD+x9)=*sw8NpD%aFCkTz
z$1$$Zn~XuHRlm@!-Fk1<=RUpL7#814l?Y>itZflk&FkzzfdD0oosuULoK&<;b*aEg
zc|ta*K3&pYw&1=!FYJ@7Yu*aTN3@RCh#H^@dY*aE?gE-)c}de`Py61P2H6n!ZDq3v
zI@02{1?p*~P}?Vl>(Z%l9ZTKK{TX(jn39_&Og>F0$04e=&&6;%pj>pNhstbLc%O7z
zZX~ad=dXg-;-3Uh*88ZeiN*5HZ|#zkJXXZn{b{60N^`xFCI%hErq&a`m|vDL7UOav
zDsTrG5M@I74=m<4xxYoAbIvb~1Vp{Fx+hCDab5!B$gNdwb+CM71m1p_fuMzTKKd2t
zR-IGAT8Xs9r63;+!-lG?3fGuRP$Ea1?rGn3w)E!nne614#=lr-i?*6-5EhO;9g{2J
zY4TbiIYlLh8yIbFJQj~FIuRt(<{32AckMT7p95-Kr?x}7gM`Y~iYZg|uiIXzh;CYb
z3HjqP#EQUIFt=7*)J(oBS&U0s2@f~c5s;!G{dcXToSFv|?2XBCUnCZU{STa-1Vr?t
z*s9wNkbR{#TMcKd4xBt1)YaA*jr7m=f4U!-Q+i-_i_y{ZHMQHAx0=3<RU|5Ec;1u>
zJ2@8vo41X*qK3qxsq0_9`f$rK_TDRWPPt@+Zbg6p?I~ir6VVc-U(|pccy8{7Og|lS
zI)NyW&d)kwxW)&9QRVoutNQP#vk>2o_>0y}gbK{YpQ{!+s~*S}A)@H<Du;X4j{!`Y
z#zd8seL0NLa`8g;loqj_x%@k!h(cD&8r6M7W$#i`Vwio_w2;esvZ<<SBh{h+s*PqR
z<r(C|Z)Dtl8yoJ!%j|Hb8D9`_y)sme=t0A{2k4fgz8UdFopJ-T2GJ|!Xt+fqr>5J4
zS}cIzkQT%+YXMU?hJ;Z+V?s%xDyP}Z!!2L|`I~!3zSmBi)pCF;qqx6koJf>c63y0g
zkQW3)G7icj9~TjGMvnv*!#A&FR&ixIw3YZyxIZotJZl&7UC6S7`WAeeRf^mt_>B;h
zkCN~u7<n#2K?!J_HWYM|FQ0x}r1D1~%ZW&`-kLWd-^mU+%sg;2{>yA`Uwa{36DqGI
zYc)G^`Uyt|k*gL&^PyV_5Cw0s@%AhOc6;;2-5aLporwoqgXtD8{Rh2aWIyJP^W!j#
z?(9%)G@Z~h_X8VezL5qaD}%sJKk||?ywggKM=;y*MPNVJL5Z(kCMZ4ei!bw(%or3s
z2Y}<bE635#?R))jm~R%qS!fxHM;PVlO!~P-$WlQ_;VA^m#Tq&Twd6|w$w0P%%&vwR
zp8Bg8e=;@)0cIrjy`(6R)oJb0&(@-?W|)Ci?_vNLlk9^dBPT|A-zB3~*-@HS3N=EP
zp$w~CTwh5=UXRw*Vc&2N@`72i+Cj7+MJt0;9H<VFCry~tUYKHxAh$)|$jaVEFi=7M
zbV6H#+EF4{Jf9QjN8uZv<HzR5qv?VX!#5^puYRw3Dj*_XCaO$wBy1AHNUtH@;@KOt
zkpCIagL<h1Y+6nae{s1VkM&3fUcj`7aIzv75m;4jO~M(3S3)s#+7ZWu(4)kUij=R}
zCeHhhYFGA+0}(s?7AxCrSS(p7K{QJ%=(W&jE(z(Txr6g8Z$PZ4ll(5Q58<wUA({<_
zW_5{y@LdHKQ5;EKObsHSB;sr+BVQp21o1?WQbVqkatSQY8;SoZShe9(NZwmddt%6a
z9dQ+W?2C>MhkAy`D3zMv6fsLP4nObi&uA{UaLy7Oi<Y&ILt$(W5qL3P5Dg4GF7qKj
zd7=m6MSZ6Gd+3su^gEMYoo?~vf!$9%6|Gh~Z3xV{!kg6bt~}*Xu!dDF2#|ZZpJ3Gs
zd+?I^G=AeGWKRMwH)0!}|J;4@;~tE|>RsvXtkM_3PvU%G%0=8!cO+EzRybhCq1ro(
z-G!5Wo!{rmPYYv(@yu#3y<BdXZVH>(jL=`lqGU>J{WBvdGFryY2nmg(RNGfsE#S-f
zwJixzs6$E370*eC_<2S&iX!F7>^8b@hR0A+L-uX|wo5eTufY0PPYJL0WK?q5+0U4x
z(wRpqw>eDldj@T39V=4$z882yGlkA(6HlQ#3xj{>GWWEhV7%E3<3@We@Xj70BFi|}
z|5(5iZX_(zF|5M5GLGms8Z0P&6~$hc?KOAvzue-Oxqn6K`(|1c!pRIQafb#n>BH`G
z(5hCpUKxf?&8h9>(H=iC^BOfHi6o<Srv14b+H0F4lEbo6Sp+khE!3x4Xi(=o8wOyf
zL^$*<6P8@#a8Ue}nY{gTtC8@tMlhBygvaO9p(F4<u46-O!_VOFAW}+l2yN8KGkk|a
zh$&acxDOgxvAb@@HVl_uVR^MBw;orko6I#y63GzpI_6GDhkf@^c%7T-OCuDt54^|}
z`W3@FC{`nqE3v99?<A4w6gZ@@?9JK}lscLl!1p28Na6X{N8lzD2eohp-zSFs=#e;`
z1N$qUO1$kC-rY~XoZ07seWCmXndVT>oAhN^u-mAJgQz1orkE&ijz}!v{(%CTe7b!v
zhoP@OS=?&VI|M=_ck-(o*8RFS^M)A29JHBX{67=eZj@AW`*NF}4$4HefIvRy1t<G&
zvF3$viFimcFIKp<+88nc#sWj2)p)Gyp+dg|wI_E6k)EuN^}eevr_Jnt_Y+py1Li%6
z8w<i?5enuR=TO2}0F&BozF~r1D81i3R$tzVKb}QW3bX_2aG^v9jcWSIkVkr55>ezu
zFC#f&>IC~))@0>I?K&T$5?SpG?nqI=UF)VowVz5C5MN6)X|DQITP}Yz$q@UsbJwWk
zVDSt7Gke+q>w-?gfKV-5#xR!j`LptLV2^?DI2xetf=*pCsSf}_Np~Eb(vkF2zca&W
zXZ-Rp7e3w(@w@Xg6C*L{mZdm{_-(Nb_chHyBTBYJVd|U3I@)bvjx~;3*VywJ7ph?U
zGv|{R`{kmkvaWPKSTa|h<aoQUj=}K4$IHqh{JgDdYuJTvXWnPLspAJ;U&i8o%!RV6
zZe+QzuON;~jT8k7UM7Kw1u4w;QzZ0nCJ(BJIuT5zMl{Kf_0i1m*)Z3pr!qwCtn9dB
z<x@E%4}){TN1Y>f(G~pRtTM$FtBxO3b<ymngD1|<7;njkHPp8pym~ocStqU<ue$D|
z)wzvQMP$#sG^e|fC;uL;u_M;-v}zQTBsY|fm~j%lW8noPj_;(q{i!Rt3UUZc-Yp|h
zUxMUQZJtug{tfuy5><q@C08Fu^W-kB1+EC{H7M}vhH2o-D>e5)%f!nub00}In@GQM
zpwqRs_BMJ*%(AlUl^QOEu9DQ9+PwT&tmDYGaCrYn*#;Kj%N^8NRR*iOWi3K|WCFAX
zKZ>gk_PQhL-;Bjo>vkj1R7DhBIFg%H5|zB2b+XW>{ZDA*fO-2`JRH*?WFq}-qxpKZ
z-uVOfV^$c_=<ozuyfN?x81h6kRIp!-`x~>Uq4Ci?_8NH{6q#og{rJQ01oysjY1Ok+
z!#!A<#%r2KnYf3uf(a1?UN!)$T25dL-LU+<OX5d^>*Q^dT&BU|a1=UcnXgg%fxY+5
zOodCUDcn#FE?S3-cc}#g{MJL81Zf<r#XS)Mq)c~X+UJJm@2=U0i9K+wgr--0B%wEq
z*z%-l3duZMT!WGj(JfZ?HIWQ0H32&q8wZXJEN~D~ygC(dd&UC-v7e`PCXVa|U+5CO
zxxR&bpo+%<PWbC=n7Tg7hZd5>23$G(0UtIqS+J}Z?Pi3JF)~^J+I%hWtD)Ja<4&V}
zCPrl3ssV|=7krsGJG$|-0Q$ORYBpwftjDcVysevRXtoNj+{%y>Qx_Y{3B^urIf&pR
ztoCuR7cf?ASd&Pe-m-ey=Zv3;QrdHg1{d9U^aoBPuXXuZCXEFk_8`5NJ6g7ONDUKO
zNijiu!Xr$xFc)Of{<D><=6!CJdyf`a+<U;15VWkT0Iu4V@3#TA`xY?>yHdI@9ZLV4
zff0LywrYPsYn>-f`_D;Rh|y$TZW!W76Xnc15&Q%Now;*-%NSI3dM}LzqH{kt6b6Qm
z>y&|Nm>Ha3$HVFDz-O7Em);DXJ@e?aXz(^`GvxOi+w+t~VI``(q&R2C>_u*KA!Mn^
zKxT57y|`GBtB0XI;$m9tE}sB5$u<`UN-(8^sz4CQUn!yCnO6XP)Nqi=3shA~fYJ+}
z#Vx`_NG>=IU|EfeXgDZ&gi%&WAoo_ha6IYv4UHxo|Hs_=h}2<t&2rB~^f!4MMNv2$
zW+1TMN_Ppt@E>dSL$rdR@o5CdsaZce$cG@=1K&8*6+?I*jD^40t0lJkr{$U3@{!K9
z7R?W!FsR?L8o!n0#cQe>oS|8fV3z5k7T!ZEkd>?Q^2(iihmbcM3u70LX#zliBRcos
zF3hZTTEJ^h$nUs=wx+}01;bwnS^+Tn5Tnt7=q?!|F|W{fzf^^)Vcid0?*&g(1j7AD
zA7KG8W4E0#{A_{(8BDxL%1ih+ql}f~Tv*^kfOAm(NM@k8kBZMi0C`;2g0$-|op56W
zsm?pfRJe(ub0=CiIU>hZckT9*HB<os56jA$evDAUbKt{`GORKb(DWQgg1kgN<4Ch;
zOu%|b;g}radG5kuhXgVbpZ;uceX<}=DllXI(bCkRsB|6JV;+?!MYDsIkz*hmxwHwu
zuMiA^RWyz^^0tKTluVb0ap&1SZym&C4j(r@@br!tVBpRuFtX5dPMgM=CTG->YI^s3
z5lA}QCzFz`I`*X`Qwca!Zd^EJiBfITANlF$jP~K1M|iD`Z<1Ba2~r}$kq+|a>BLGG
z9zImE4%hk1dW_4*O98B@(pqHNT@Q{-W--FDL`gD#Xq=rVpeCUHhKlmYs8GMW(&Ql0
z-3OLk_6?*1adU_0`PiBpY2!>S!~uYE`W|meiAZmOL&40lCjt(fMCJnZHUro-i1_&I
zqyW3!6H*cLm+xRB<D5<T)~<^}AH=8W=I5>|1aU-OE;`H|`TKt}q3yg4Ga;e(6Ch+L
z^!?lckg2F~w$e*g4YNTwxkN)o-CR#bALP%^I(W(D6W!tpn6SB1@YM=+UH?z_Gu_y>
zU-B&j)Axjp%Fr0=LUc~MOYX%uJ2P}6fVTmI$Z2pM9RSYFtN6U>T+zfnknxgFo<@qM
zZ*htD<1IV9tdah{fEXs@89&xE`iuZ~kGa`e)_V3Ym(PKX@Qc<?lN}mQOfOKJd`^5*
zhly`YB^lyDVEb{G&jxsHmJiy=>apOpT&n~^EyV)@O2ag;s|iCsnZ{3Xmgzb*gt`5%
zeUgf<NV)-XU<&YB6~fasKz=;O>>Z~AN+GmTp*4(xWF<pSU&6_@ea%LY6=!%zl~5m)
zAb)K1Gr2d6bGgm&vh`G;?%7_|{#DRgFnT?wO+_?}^no5F9<Qk*(ps588BvTPm-A4Q
zjB6G>2@Ar^X~Nq$C7vxImOJwiEGtrrO^icDvK!2z-N!frk4h}|G<1yWx5FL!EHGRf
zEb$Ra8KUfp&qZy=9ZoM)=u8%$40!VOAK*k<ZpYG<NU-UV9VTlv>QpU+#zbu@uhK=S
z!5~6Up79$xG7_raTpmU6w^a6y2Woh5){-*cc*p3?d^m-$Y4V<WFeC4E?z!i*<fgh+
zmjV+htXY@>3kz%SOtaZPsWRM9B(M-e2ALHJ%M2t;7_YBL6kPrQ&w<Qk6bRXG_+R(Q
z_D>g`vGi|mm9x@_&e0*`30;egkZY$9<Jx-4f$G8_VxJ1#DpILEjFluJI8RddHgXkd
z=$3oaZ#x0#w|*1f4H#%BY*&FTDHTsL3MbW2@e6oXqmwV!_AHWWoajI2;1eoz`+O=L
zwT=5{=;BJsa?J~$XYCf~o~%7=JQZ2){6fUob=RL9TfnMBmCB@FY-;qZ(#zP?f<w;#
z2P&3~57RpJkdMX9j(19{cEO_^t`J{AehQw_6?TQGK@Dpvm`E%xOfhrK*?opw**`^3
z$y`MkTtlI`O335iNA@?UhBP%Bx?0L{gV2JKi%Cm~mhswe`PZm+;iMTY6aeL42dm96
zx;xvwL0Ky!oxmdj7^od)t0A6?cI!b+f5h0`+X((CNkO|Q3b3nD({A=07;Jg^?Ove*
zwgcM2@;UnoCvRlDOy#79lKT0?241;v0~4_#ou?1ngucKQ`C%p6wtd<iq+_3?4@u&@
zWxO1mU2TT+FjaJw1`?6YX6RV(exefTGpKc_&t+^pW)XXXHwx)S74M1sMSa$UP!PWo
z5pD+hAYRjc(m+NBkyB5LK=u}ZmT=Fr?B`Wk6GW;eFdqST1md)f`i2aBTuGv_<YNi?
zeaWQo-W3=SI-J45YNBX7x1Y<xg#&3jzLmMlTQZAld((xlZf7tm^}xouxpBzy3vbXv
zIIct#2XN{xtu{&L^c-4v{It3aXu+J*oOKz6+@e;DLX0yxf6z=1=wtvUN%8!HyUjwo
z5oJd+5=`2HC@1V~f3w_Dj@PHgwhU~L&0l~+5_jU>Jz#Q!pa*ox=d}nlVB__)L263l
z;2md7JaF-oLmk{&A%9*QUU=y$IM|tQFxV@NcS8MGv*#fb6B9BkfmdEuAQzo63ei$v
zpeAzTe3mWEL#YN%oxOqurcMH#f()b%J`d=|C^-u_4aGiS6G-o>^S2DCEn5WmMNRh>
z*`0%m2H`C13|9z$sOPnxFDA<fG1BBJ^LI4B_6P2c8}~;!Wle+od65C!*tM2lPwai7
ztmw6IToASH^j4X{jvxijlJY;dCFcAEOPnQ}jvOGxf;itc!LsgO$cgRJ_)fMKndBnl
zkaFi~e?!bNk!YVa5-0#qkYKv5Z9#uq=6NGao~8zoKC-Ak!{r=c3V3vmQiJ8FC>KM7
zM+|ZLeZ$s6aRf&nwq_>~^UyAQ>^s>_bt@K7At$s{F%6|=2GpjF*|l0&k7p0`kbyV;
z|3-3K!!CasqwwEJrUpBVk{RkqiEzei4a7RbC>-7HqeMY$RT6?Amup=ycUBdS0>`xU
zqoLYFg(ohhN!t?>d_dtzhO$tt=nhI1M|_QIK=u*$rLG5Hs}E~}TQghZ1xeICAcQ)>
z6|)9Wo-dilAB&5%o%_Ag3vf)J=6f-Suuqdm&cE-i*QYPn8~mZ=lWzJP)cSe29akHF
zt@B+qBYvlFBaU8UlXo*!4?+r`VhGg(c%y{8gMC25vydJtSf?wAn0AV;f3-Jw5S4+S
zy42iU5l=-EX|VN*!``WWXPL-oY9*%C=gY8tHSDD*fgc1u9oS3niwM49O4csK(HR!z
z`0h~BTw~=M8dKnO2ZLL^4)E@#^6KjpN%VSaBD}YF8vYcs;0+2fm1?cy5HSS<EwG<f
zKnH<q`-$85%$EJU)1z)ces<6(Ae2S{Aw;Y#^VldWp&84V@TLLQZH4)e4jye4vJYmI
zXG?HuG#Nj9o4gU8jLU`e%g1(ft<;~D)>-J@=|o0Z0h=yB_IeLqLO8dA`K-%o_G<$@
z<S|Y}?QZEpS6KKU<0eSuo%s(4+D@fNmVwN&n^=<$G^@1@aeKb1o3|pyNK>g{%A?V|
zNp{d+c$Em1L<oe6r+vr#f$XQ%nCG7_mtLbqAq^4%y!(bYFDwZtT0--*0T_H;=<p1&
zL`s~q6>=pZKU>pPe3$gchchmg8>E1aQGOB&>C!n>Ah%0a%6#-tiNK!aJ8UsmyHTsp
zwylE`TM2yn;l<q4;pOhaw9BtXO~@m$u~DQN3LzcUys4X~sOs*w_5R<G@W5!BF$zs#
z8>|g2v|?bI48wKKL9TU~Yq$#zsXCCq4=L|=fyz!YCpm&gHF6>WAB&U-Jr+Htr-`>8
zPVhkN@W?gGPmyxocW(Uu*X3yyux}651EHB)KmN|3C+Z|WH1hS69G~p&;k0x)*g@15
z!8%y~g&I{4(5Q_4*LG&0yi3D94d7d#{;rQs`qm*X(iO7B6+ldi8*z++&jLrCYKJ8G
zdsAPpu|nI;gK(7A6$t%ThlQo1MpyAJ&e+*}c-}w$SYFr~u7wB)+;emSp1TI8B|(vK
zZncv!hl7+>J}fcv8~(frMTGLw{QeO|2&zSudf?AUL`kwmh1geIpNft!O<ZKge$mR7
zbWb}n!O<3Hn_ZLe+K)~6Ht)V|z9-Y%iv))pxJV|{T-*KWro7;tz>4cMRY#o9J_c}c
zn7}IslCPYHaD*|WO9R@#RpaZWBR_oWqIA$;do%5D#VIB5(e^Y;8>xF0Bm&6?p#E?1
z^>)`Lfbj*lsu%Vm_}3vcJm078HToMr?s2Wmt!7JEO+}rR3sV`X9j4aGRbVla3F4>O
zV~;tHwHgeQb!zi`6dtblv%3(b^J+p~lZWrwQZvzSz2YzhX<%ZHgDbnpMyo490a1Gk
ze%qMYmhj#P+w)RcKQ}tM8t>%Vk59>4^Wl{K&(rgtN44B>4>*cuTyp=N@#qCG7fruB
z@mB?aa08?%9L&{Ji762EqgqkggIUs7uL7+62`TuKDf=xpROO*8{hje8R3r<k;n8gs
zVJ^3X`X2#}y8#i4G4@+${JXLTdijV7Se)n-Io^-h{F&G!0qgJBC(lH5@!x27BnsR^
z1)j3w>|zCem7?H7VJe%%hnD-MuI<3xqZjB6Xo-tXb>%zo6wYOh{*s07n2rxz7G>rT
z{CTW8i|KfEqlq}P`VASxJgp!o1mr5z_?OgU(N*7=^L8|ppu$X;3xyO6WNTF@EA)OD
zp&n;R$*n6nm<BU`dR3v1mq%f$wDxJE_abgV87O{wkm8HW(n;X(3aw22q}=OCW6Xw^
zv#$_U>e5e`H7zQfr4zhDhRTM^I_b;PK|o*W=w|kLs-5+P%T+7EziU8{L?ob3!rmZK
z8ng}?4Et#5*ne$hxk1D~`wTB{<X|7Y2I?|#!+MFrtVu-@po3nbGOzBjA$;d4T6y8i
zC~7Pjzm!}=hy^8JA6}3Qrn>Xg77gtG64cNYwUQ+db!bw6Pe@yGL^w;`yO=!7-VJ*-
z<_0OfI@~52_fxCKz^$WwUZPA>SV<I%ph(Z4Evb)^x5GS73i)C~Kvg!pJH$WHm&PDS
zzzPdr75kJRb`3_62#HJEDhplp#7*8~m|89Kp>5plfR*Q66Sl30KY6HcE(9d|a^<d+
zNs$&RD*lee-HU*uPh7@c9jFn=Js7Chyo9?K%*B|DtGKEU|J8``eFG^yDfvl-Qs9BQ
z$Hi>YLNCQ0)9Ej74)CpMpN6av=${bU3!N*+qr;y(qxPNa7H$0IIY|Y@K50G}Gu~uI
z%!Dm71(#$7@1zXOSk&0?ykO)&K=yl_{NsRv{(xk2tIvg!M0O2>&eWg;HBe5jM}4KL
z!T?T6eL6gi_hgwtQ@b9pAx>R632tTWo8A!2NfLNivq7%)wCv;oSq)r4&|;HxwmuB9
zrP>_gqfdsIq0u$ngw@H#B$Q>g6`V@I0k@Bmj~!(+Y)ESh$ZBTQ$AxXMRy<{A{5Fgo
zPYhZl&+n-K+A@6hkYUsx<{j~Wn}CaCd&p&o-$z;2i}FKSvOA7rpIF(r+;}vvfx%db
z1#(<+$_vZ_egzqBvSg|!uu-)u918-jk^MBo)2TykdD$=AGfg%{DrlKf>;S_D5RCj>
zkwC=wH0q_@IDpXJ*_ok$-Vp1LvmM1jD|1u^aa~~4DM7TtO<TXi7=4cj0~*iXHVUp%
zsXW27{~Hw?)!)LA71H`>+vX5{or!PW4GtsphUsQ@Qx*JWKG;iQ)o_iS%LxKnja+K+
zviSZ5#sk+j(o&FrG>6|bxq*$Z?W8G9ZI8{qB?m@WV}8ls<@j00ZbiQzpD8PSJzxA2
zM}Bx?r4nZMWj3gj<zHiNNW3B7>W2-b^`cggwrJJRY-xGC15%TpBv{eFU+4Tn{3mXP
z<njS>kIYErL&u~0L|VYy(iQPgAPPVBCRH<@4c!1e?Qqg}Pj94VUDf;h!6M0)3W*Xz
zi1UNm)iCSjy9<50Z&|2vza@wscVeJZ1Oc!R-ACZ9;@K}b<{$d#s2607)gXf7I!hpB
z-o7j7&}4-v{lgMnt8tN+bekY$$uDBIof#RyTVbZ8%`SDc!c_R2xo~(BjCCW1fXHmz
zc~N#<J)3-3mnZwfRy~YDm~B*tfd(yBsYUGm+lx@059}YHa^HtHwIFYTIv-NI-Ov<-
z)2703;7w8kza}iz6!>P8*#0|ohHt5@UZn`asSvN8a7IN&;*`ogjO0&8vsZOD85fk&
zV*rN-W&F7K9Eee;Sjm;<V~~p;3?O^r8MhdjWN~F>tr9{1f;yj9Tw^jzbJ=?d5C?ea
zh7SWx5&u`Z*yH|!l5>n(`TPv1_RY#6wvu^7RU~^14H^rO+N1GO$IV_AYBaZ>!fBt>
z5q?MiLdS~bK6J0nTgm->(~;Q1B?M1>smhAr#KH%gGvGUxpEe2uK}C=c8Dqpg(;I0|
z!VK-9;0^X(b^FUlFO8gup(kP`Y_*pAJxM85DP`<+-#7^V1Yb#XhrQ5>son)4Sb>so
zlziq6qSxujE=h$f!a@L7`u>q_x4yo?>~ApKmypY%5P&~hhCP!RXllCS#_*{G$$75g
z5Vc<B0Aw??4f-~7#j!NNY2gEi?9#s@LP1Gx+|1(=CFK(vz%M!j8&p%ld7@LELI&a7
zAGgP(mxDK8{@7Ph!WGaOh|tKY^2I*S>}@041DXy||IUWB(~~VzHp8Wb79jM#m9P?e
zPBcY!iQ`9C$fHCNQW0iiA?7m~(yAr@ARLzwIXnzjz&#%{u)Vyo^`T0O`vu_Iq=xVE
z=bAj&iD_TPx5j0Xra&jvFL*zxYJ!kp0CY&u{&nO3_jtgcW^0ZvrZ`tyy<I8b0C=;=
z*OC~8<z}*7eqw&eeD0Qb7}UNB#0%h?7!aYX_Im+kr(Fw14!u)B6o#avdx?-<{!c&2
zbum_nqg5B{gKQ~>&#?4Wffwp*A1?GLt{gHawj)Rbc}9-AJt9PJom^6imW4sFY1WEX
z+1gjuQ@&pq-q>?&GSb`??(th|BWbW0ymaS8B)w5{Y`Qep+fo<9(UN8vZ6qC4AG@9k
ztM4U*xM5^QHQA!HMAY3$_3>Log=22KIC?)+AYOsmf!#?qaq}Jzq=+UGIB@N`;vRu>
z?-EEL8VD$Fx3w<C3pTmcOA55?4Ki{%r)D#^0AtkJ^+cEQaV$O+eh&Ks@Qk=vJsIb^
zDg&oZ@v+i;dvIDI{C>)Rw5Pw2a3*Im&-)hDpj+f^Crb^k-IdpQN<rbH38+B}?{GwB
z1sXI}G$E5~HwnF%9IpTSYeRjIve-We(ZKT2;*Qd#*E1Z;wt37vL;9}4gtM^2xPy!Q
zMvw7u+qkHh=Ur4KwA6iA-g$SzvOfYJ5r|x<fYYn$GQ$%G?ozoW+-EDZY->FJgbEu0
zdEbng=sDl%^6xjIm!C3DA_@<vcMWcQ<rb|wZ?B&rdtb$Y7>ZqWesYt}l~NNr;8X(b
zV1aY0X2FJq3P^*OhW-<n2bVtyJagG3H#jI=R@MZJ52r^A*sZ~n1Y2hYg82X};eo`F
zg2Ih_Otk=!2LGX()*YGb3r-$o2Gw!{2wO%w&m>q=4$_&>wg;cp3EsI@U@agsqymS$
z*RqReg--@4e9u0AbW23S<xq}uj2?Zo`)`=UT7Ay>1}_M(h1Y{_)F<MSDgk7`xm0p(
z|4qK9(8+rFF95d`mOQdZW_v#ip??|@lU0(60Exx9hL;2lW-~atJ<8-VmJyGw?7+R8
zn579)lI*|8wfsqqxYIY6xhkBqwbFHlFRF6no_-}mbDte!h33@5Boe0j_B1@_T~X4J
z?L6w)5nig-#-0ez`JLaRiW>6Dzg;#*8asP^L1+;r2(`@xjKDOv#UqHjaAs<3Z-*pK
zL=_1@gX3cbjCl?Oe)>acv*NF}j`EZ$tNfj+&H*lUtc3hdPxWE?qp#$XHw{J&x7*_6
znOtk@pS#genMk|H7-(5rdx|$;>ub-B_1#>jYmqlc@|54_RjP{w=?Jl4#nO~!$|2q}
zxC!$H)*+911%xS3_L-1*1Ez5LsHc&io7=twl>hHxl03LOY|S^bG5R=i9y7>RL6W)8
zWW<moGmW~HxFDWSnkO&!33QN^CVvvK2!{HLsc&RMOiQDGFLr(jrlx*3(M|bzU?Sp<
zG%H0WJ(A$Wnf>T!PMycB($5Lr&=X%^ri=vAVUDy0$ze{_OOnQau%B~s4hlP?X!p}m
z_N&+BhK&sD<5LAGCQ1<j;9TG0PZKh@HFrK%P?>23tHlHb3or?Xs)o>L?TS<}<p}D_
zei>S>CLsOs(1JwSBlgtX>D}P$e@>2rOKa1`FeKepRPH?w)#LvTJCB}HCD(+xEXADh
zA12L(yA4FLL3V@0OHw5>x0{st-fO9rl@oNLfJf4)ZzfX54|%-fRZ=z39e5(GqVxR$
zOHL{|!nM!1%n-RNP+YI&g^`gEFJdM3*^r_ythX)Tt9pJd2AuXlTId9Oz@f2)X>x`)
z?NTmfhjt?hJ`iNDek!SPRe+fVqxtT|7LGi0{*+uIf!SL0LTWC=dfklxC(lFyR~z)+
zK5EWSq6E|#Xhg(~a;<y!(oNb)ZGXx~Y7r`TPvqx6OLP|=I9Q1o8kwA}feQyc+cpl4
zoA^16D-Wv{pxCH4g)=6{uto&3+ZojD>t8`kwC+gq?nIa`*ARc^E!e-eS*b87r&f?D
z<TgGCY~Sxp!mN7#CB%e3(8tP~NU>JYy4s~tqjAkWjV-|FH95+rP@^gy{n?gv4XXe%
zeHL%={yB4%T<6@FM11tymsEjva=tRSG`K0?j#0=my5vlMf10x?<&t=GLk}F-r}2Z0
zBNtF0UR0BO0%?9(yymGeAdRWsk_1?C%Jg_{24Ki3LlO%!DPk(kY$9`k#DSkfDtg!<
z$4vYbsVwT&d4v*Xk4&vhdh-b|iiL=Hw4*@UBF@-XHEJ23NdgwHhG{^jHPZHzg*+VW
z`orb8xZUM7f#)B2U`NSsh`<0ZK+wPBnxjc^WW`BLT?Y&&9YAzRq3SlFj%+TU%_UTq
zt{oi4qh{_(Jr0TI45#|Egi+X7w3Bl;(#`yw^RR@U#9wT+UjTvR71Y0RT3yP~!b;nf
z@!QUuHEOff1CP1{@RTiIQWee^OBpCmA`iJuk2byfi&1=>d*mf%Vj!3esxibej3rnB
zE0QS+Pb@idE~iVSmRpc#q<1a7Z5JCXc9Q<MNnS?{Ap&JK;R}g!VM{X4XTP){A(2Jy
zQJivkA0x1j9TJ!|ZxN7smiprLD=KhyKPt#*k&dyZa01;+BN0amb9c@r0?z7zpd9U^
z>ydaps7x`s4H>Eu*QPZl9(CkfeNsVWEloWa=)y%8jYgNR6V|NZlkg+&x)=KF_@O0=
zHvkR@aJ1j17QDf4?1LeXNfvJsrZq@v;8pQHdt<GeV=>Y`a$c!`WYW8sDvXd9)Gh|9
z1m8;TZ!|HoaMJdDfrBA%DL`r!v?yrHDN-w{n0J`)74#^}C0rd+B#9$a!krWPRp#59
zFPc`6M*Ls6$8_sV>q%s_xdLxw+{g0kTO!rCVM6HelKNV6lej5G4Elr?@XCJUk(<tD
zf+UX>;@Ia0gb$39al!|*N;ft{a^EcH0X@KPbN-RX=5`;xnx&aXBwa>Lf0ikWfHa>M
zDmlYxoMVGMT&DHBM>>b7Sj<i*2$nXcg^U-k4E3l1tIJ-Q=)z-GDC*eJ8&JRmv<aCU
z6jKnjd)MlCHfpEqPkOZJ84k1dj1Qg*9**wzt6n>bS`_LR)%Vpve%k0NyPW;wGnp$P
z?l^8KbT?Xx6BaU&s7K^_Z567Qu3zWPJ`G4q;#7SlZp2Q<agj8H9FzE=y`+xI$<N63
z%FeMF9#FH;|L>ahq4|hDRFWlf@lCZ3f*FPzl_@A_kJk*u1ou4<wT2b8!Z58%_aNKl
zmBoX?3c>0r^r;|1d#BY64?q|5BhXTh&5`UR&N}11g8i(%-Hd02#0eaO18zk6DilvZ
zqcWJOX=>^wy~PCy;Gv7Yr%INS3R&Y5(jB0FH{Z_Tts3aFhyG#(UK>p}eUEbj7`v`w
z_SYeNvGdU^JaAb_(V>tQxPyI{KMN{J(9F0hNb>Qy#EmktGrWDmLW)#9?Xa+;6eHf)
zN~Y{ALU8L|=9mt&vLj0m0MiIsO@xLzsY(9dbCqjv5cx$-$eUBBP_x!)7JA31*@8Ro
z1EPdWWY=WhvA<JuZv-b)0m$@%5<P04huMY*&2sk|e$jBSjoVr)zfp;pp@;`!_5Iw#
zO(9$EU2RRN*RBW9V5@{n;&RY64s;=`ZVBAQ&toZl80*70$5`@HYDR-0l@CX9e@I)-
zvPz>?Mc;3co&yzs>~aW7Vaw9=q^6}b<FUiZYep`SOB$Cm@Svt%vvt5v4UCvYV<jI7
zW;X$K*+hW9`G$!j8DrIf%!$YlvsURBRRHpTkYXm&bb?CA?F4I#gNai9=SxpRLzoN)
z#t#EVd}wrpvc&K0?0A#W*g-S|+ika+L6<%okF{|%mY<$HS$pa)0Lg~EM@Ay0WTuZv
z=}nbrsbCX}^P_0zJ<~4q>T{!_3M*p<jShRg9T9~kL};0)8EhK*cZFnZP0dQ)f~Ld=
z{|AnmJOWMEMq~fn*_9t%eg@`;(PM60tDHJbKuI}=kf+&)$KKO5x}$@Eb_Ru4i4O!D
z%>|XRqZ8cBlo_yhPu@{k-1+k=V$2c9BO{eIE;Uk{b`cVO$S?Krsg`$Dauaub1!7dG
zXa$1&g1ddD`Lm=p-!h~XNl5Fpy-*G{J^S+3+0zFZ0eCx%p#xmGTEV~-0(nNdtibNV
zc)K+}@}nshdcnPZo<0k~KR3;T&NAO5{>hztQPE&&2$^52K)gncGT(+|K_@yc77U>q
z8L{}q0xd?)?_#}(3Im%_s+6}TAw|<@<(b-wkDRp<+*T6k$RW7x19%(m$JDJDse!{n
zD}$5A_z*DlseJq`rm}a%)3+{Z&vdXI0x)I>%~3&=nJ$przaH9mdz10dm|!uJ!n$n5
ze*;Wn8@!>UW9q-=Gth@&V7#yDg4}a)qT|AR@p~m2t~)QGBF7Q0yAu-}5`^uhYCzZ6
zX9#|0A75akDS!Rd&bdlfeKhG>Y81$~+8V>zi$k}SzEcN9soJ9$Y~S&2YouJ6%w^O0
zG!Xor`(a>RryN|y^~dovwL#gDeJO*W>mc_6vn5)!@xKYkdrrnVG(n>QQ+ypvvL)5w
zS_X5Wfv&QTB+C-ZV%9O96%E_Ze%9u~4WBlkn|u$mR^y+<b0cdiZxbIQ23$yR&LK}B
z7nWfG)^st{O`O97Edm+sQ#;y5M15HJ)17S&J&8U#g_dZ;cbNIlA`tI(AK%<Xhw1ti
z&wB=1uO`~{9l>I2IX%{5pGiNst?;@bl21w7%!9E6f~QAPbBetlQhs)yCsYu9v>zUb
z4eJ61q};Z6B=_=HJv0o{CzY;%*XNRZu!~ldhcrf(p!E~X4k)UdpSSoK4`eBdXq3nX
zw->k3%?I-7$QuudS9}EukUax(O4J~TfXA^q*|2bcdd_XdNgGUrIV?*>rglFBml{OR
zQw$(i220(fr^)kz?!^QSWJ2%Ga{GOa+<6ZK=e^)>1$>d7_q5p7>|kpxzE}4<?Iq=r
z>TFU}Y65l}MYi>Ow*6UzK@?)Qq8!BFTDZ|cAbKGWviP#Xbc>0%r`J?(uN(|yO;i=4
z<nwz*byDMYn$+_ld&i!uf&QqWzXu(!3-L9NiiHl67Ui11%@-@M3`7aZyd$9X;$0`L
z0cPKs$E$h2qDf?eCus?}chZkWA;z1E-1+i!M%E<yV{C@~C4x7C@Hq&T(nBJ*@ir|W
zi1GUDQN%Uatf4=!1*o`c+{D-T5k*jEfaAR+L*PDn_s>WUq?|7U9SBw{$Y0js8h-=A
zZn|{Gr)7VMtoT~{r)+@>hCcH2iggFxDfC^Yd|#HIas}hQuAF1yur>CQ9XT~}BdqlR
zT7YGvciF0*!Pg+RS*fqn5y&S6N3W`j;xE|fUIQ=dV#FIc{$yZZH>xG9Y}qLgHgL8A
z>3J)p>!YPMVZv5UTD(DpPh8fIvxm03F|6fX_}621CfK6$wO{jOx$RAoXQ&@C%Rwf$
zievAow$1O=$|OrYQQg(&a?F_oZH8?vN#fCTd9<nwQ<|+9ZjW7G0L_n3zN*q(=wmTx
zv_d^QMCb@tLa(6984TSpR8r1k7nPaA=iJ<tzNHHvPEj<EKUE4{Fbq(vYw)wCb_=2`
z({xO#%24{ZOK2cE0r*>{TpBQqCoT)md4}SFRefNpl+r=uZ}D^A%LA5@WR!b&p?3=z
z_PLj#O7k?AIn@VVpEEbVZVO4NP#&6PwgSlDd>R-vo_N$YZJAlM1am4YAoRhkF+oV=
z&<2d%++p;m?iNG=jcZ`00~u6XYNe$m^a09F<Y{C|N)E$MC*9cy*1jaZfj>;3aXoH%
z9ZrF&A9vPVy#^rzE!{*&==ovMqmhnme~Xni&+WK_%XvSm9G|_eBe(Q0B)iva1{j1(
zw??0jk_k&3g$@z%)T+<$o9uqwxRt^Il4rYX^OpN<n1XA){9BY}ZN#>Kq>%J?2fcKs
z=SMNEW{vcEu3+x=+Y(E}>DFope5{8P@yHQqtiYuCfcSN$0YZ-tB}_oI+M0wUWa+bx
zdR#NfY>A@|NU{nwOR8Oj45W#4uRG+~IDUC4n(RbqmD)IOpKi+8D*?HXB=~pwei_M@
zTIp1lDbtmxR9}?zW}H=H&uL>rZZtEx^uqDNYD1GgHF~#1$S|$c>Bl|o!=?`ML13o~
zK`U&@m>a}|{u`+eKp^r~U*8%`8C}#*s02aKOAW__YtL#~ZTsLu?<!Ra+>(}k#YOHZ
zJ;)uaW8Fb*_Ah2u8$SEd1fD6jNZ%>P^%sxa>#XV3#^5QaHg(m6gS&cpNNfJYOv%eD
zi#igMRPe_c{^n%AJQ`z&nwvPll8?44j@epTEyDX!z&=d`j$B|2?!@<lI+3FyJr~+a
zewQOCz?xzuB_4$1l1ZpxsryAoT}32LEB}huMx<Qqg3eL&lj%5p%fas4!yB$PVzU$s
z=sd!~Be^I*dex&JwX<xIX|nC1m|T)>GDhc|Dk_I_&qc+&!(fkbqfwu&f;j;weH}(~
z0HvXMg&x*x|J7RK-{6d{H}~nD<#Ax&OPA~o<u&@-MKaH4qP*S?-F^%qK)GNGvc)HV
zfcnOGymZPl68;gbQ3wCH&^!(Rr~B|$bN`e2?Z=bH6PC#3ug_9Q5CVq(f*KWufYIVF
zsnpKx^A_(Wxtt?lL;|^r6JCf3tR6eHr;1K!;Gr=>sw46tRtwFN+{Gh4RQ7{atk#VA
z)bk#z<(krcR)ja8;c)x)jsyhbUgxB)PYbP)<U6aHcXD0U$p~^F&0z^ksSV|ku*uVv
z!J*2u7_Zn2{l5X^UqE7q)7d(!>8xfidm6FDL1$?A2<5TuH!1?ZCC4!-Q(J0PHxq(<
zJjAi}pYnc6#)?1SdoZlk$wBDeB({$AOeq@)KymAAxy}Y-z(g6%a;;(<T;FLwnVLYa
zl+l1VvWVI0znX`XMIOQ@<HL!pIf>$t`f3mkxp?;a2RA3d5e7Im*+O{%jXf-a%*s34
zx)p&-RwBUtFj--)OFkK`^n~672=8#e0oOd2!#>bzS65dPRe-Kr5>LY6TBELcE*s-O
zvvZthX_{h|Wnk}h-g)k=VZYdfepQr32DWorCDhv}YS$!Bpd(`eQ;fX`Y}N)%rkO6d
zSw@Q-g;hf(h%QcVUtMoe=+M||zNxx|BNm~8aVA8i%{W^-N;qY}!I@0%DeXrwndCc#
zuXHWcneyDgFdiQnwyfXt6Bgh{!jlB`)(hxPSdW`CwA@E<w+KPR#)++;%C3(_N-HG!
z*d-2zm&_pA&>vv48*iC45%R)i4T@0_@sf2!ybE!d(k+C0%yRZFR7N%Y6GXHaV6#KY
z?DQPN=p#%e0eDXl&}kr`2W7{shsxLt|6g-3X>{EPe<Y`tq!*$+Pa9=3c+Zd93uf^W
zXgy*}CVK=4LUO4bfA9|OZD#_xYOjDzdk`tz)nrucXz|}-eR0wiXcn34?9lp%u6_|=
z+C<qy4q_+SZ#bKoE5h|OWwBe+ZgTf`j0qBMjd16%Y!YPHCQvUN9?c<dvWj7P2YxbH
zsBEW`*wi-hpz@hUk7oJ4t^i@JLrzH?dA^4g(Pnre6|-~8fDnN`yOv^nH(^`koxH??
zW3OG7i@K8Fo+6a~XR>ATp!beCWA<!7Hu%4!V%voA{g56^dUR3JF8x+n5&EYgVR<Nw
zLR+{_&iS!KC|$F?#*D2RrUnbpP#AjtDEh!RjthwVr5_H=eD1d_e*5`J!C|;=z=}kM
z>11mOALozvCTta@%u<t+&ufD~V#$}bu!iG4kS}&;H!hpAA^Pb1?g7p3$;Rw8913M^
z95F==(gne<*N@_b_3Cb8_|Jtus#s37f4tAQM!C9Ept8s178cmdU_HWjH;$paFm*4p
z&?QQ&qp<yV05LA^YK=T+v^-5k_H|?xg?nlld-M|c+lT=P8>2bS7y`P^@bsW+b0iv{
z_jroOi5~DlmlYG(I%7ZPg{5QLp&@e<v;rDUwcyO{`=F{t0q)(QYHEu-aqu8ZfKm0M
zgO+<9B-(&He?liJX9l#3U$4hI%VSC>9AbB;8KQ>tmB#fVm1yjXyMp_|Svn%Y`Mi|-
zUt#@dP8gfg!lP$0m~FSyhOnsjBh;EtU^R7(CZ8YU$Nop1kQ(oXDaMy_CN);P0<#g@
z73Rz=fJvFxX5{vF0WNday_m$oY>&;qsAXiSsE!&7&Ha2(=2nsr_u{tO(RVJai5fUI
zT4KA_rv@&))=0u{e$16Me{_KaA)#>_a}K9mjmd1RpiXmh-0FobY>cb&47b)3+l_Y%
z_?#IXntiS>F#2Yym4`+dL$GyV+mb{OX<40T{GaDyDqs8wyC@O**gb%tE@>?)wdP~m
zCD@Mev#I-X>bcZc&dg0vAZHGn(2ygDUQI<aV2!un>(2m617hh|g~bO7I|^J}F(ISF
zF$iY_EiA6wcxmk_KXgY^?4@->NI>P2R8b!_CJ@mK?TV#9RA5$KiT39Xd=p-J-<9%3
z%;ltv4#+2VAzp&Nk|ER-v?40$<m-6iBM<{d2^__ADo!az^I>~?R4+`5P@**2WKqHH
z1@Ck|)`6gHgEDA9AX3yO?~;9>W5!-72|3Wq*N%vR%)h9X@c59HW)|hPsm)Ials?v%
z<V-6T2*xs(o)P(5hIRoS-eX!*wRa5{7DPK(RX#9NlO2J(`MBATr4Y6G+Z~0)s1d3P
zUL2+}B>H^^d~%k)hxl%YcHA)BE4lHLnd`@7JC-Vo)c&n$N#=-u;cCHew@BlD>H0*Y
zef&bQJJ2WINuS<vMr>wLlWB<pu6!mQORLu7g17xa$9bfPh}4yDFR#w{w?ABa<WfLA
zoed!z4k=MVXMg<bJ<o;8G(j+_{$7z!!U)az@MrrX35WBxfF3)5798wFd!9MwOB>No
zMsn~o)HiG~Oo^Z_Ub};72T`aIgshWzr^v!lcC?CIsXO;QP=aoi6|etpzh6rkzdQcz
zyO(sXLW3=1{hOmIe5L|uz_YqPDlp_-Zu%F}Y(}4P?X|K1yj$}+qJ2JG7<9lE-9(&H
zvD8PrMZ=)<qca0c@MoX0KTM2t2xmL$#eXhIhVnK`8UVTdnIGdlTK6W^a7w6odpjy^
z=w|Y)W*2i!EDC<N0e><SD!BkImb;jQa$vXO?ERD>fvvkD?GF8ussL(`h71zg(O2ym
zMyDDu`N`rMK9?&3b8cPR;}!wrI`gQq{ekdOKCrUn37%Kbk6>OM%p}ohqozFUkZ6#i
zvoiF7;}Jg99rSRK3Pazy85=3^XBew8!yjfv810unOgGj*N+>PfCdtMhjoBTCqbZBB
z(nJo>3+qdFUBEYj_y3p&F{a(8I**qN$=ULZqx=-?&eQx5T10?R(nr?rgndjU#Qo67
zz+lI*vyLrU#o&mw;6btbthTIC+<+(=7&BEWT$Gv10iqirPwrx@XJg!n?qbSYy!MTx
z>@$pKj76A_i{MZ)YI!HGGYk6*X~`EaX6{eoZF4~q)N4c7%Tjzvsa?+e<@k_`d9-Cx
z2QPQly;{q!aP#>FV*=mlh5_+((j<g$xgZ+RQiGk{JtZDoP{Z-0UQiAuqHu=8$7!G(
z-B5r<rJaR=%Cvp!#_<EM;4T+YAU4X4cD^=8kYv|x7ZZjC@%l#>3?Oo>R|o~L<9-JZ
zqM2xT4i1`sE9`yD@u|oFSnnaO^uWaAuIt<C_B~cU6PnZKS%|;l(vPEXSg+twrk)#C
zONA`O7s{*NiqKb=V~5$J!~PVWzitFSVU}^f6T_B0LPcG(sf8;}2|TieJocN23I6&o
zI`{Uw(!dOxqtafqeF*mt>JjQtdcQc)5C9_?IP(O}>3M7_@fWk^rK`Hf_954(EqNsu
zTX_RMd7IH}c=-bBR0-i++H}3Ov_)^`-m=-Nma4lQ>9Lw105K*1dURE%?kguc(GB^|
z?e71=pV;s7_CZEs#mYDj5}kZ=z5^nBYl_D#`Ox*%^E8Wm<H@T=e7zS7<=2;p*8vU=
z*16nLt)3!+>>|@)a=@0d!*>D^wFZ3R6NQ5rCs)@>Cq1sPku6SO70=f8M9HZD*r19+
z$hHhxzH6jc!N{O_#Uzcb^1a6J>9ml%cZ5CNy-2vqn#3bCi`N>smyhcX&|h}O8Vx+g
z5cyx^QM2>u$Ry_G5h~Ps3o_{)mM~-%Pq)aJwHKf`-9l`J+sB2cY}MH`g^lfsI}(`@
z$;Fr!^{Q(j;;>=5il*Nt6L=Yg(wD(IZ*X%7kM~;A{9bL}-bGC#P3zZz*GIErdwI7v
zQ@>x)aTZHoRk;^8lD=wy%omN-3LiNWBG$%hKfp`$)v*&%Ie|5Bd~M*COAnfl(W4vU
zHG<}#h8^Vj($3=VV0MK0kd+_0df~)sSs1bfj9QmcEy!7U!uCARv4cn_vm7!5oYB=p
zP-)eNpT9`~Xgag$x0B`_98$+%dXs_-^k_Tm;W~TE|MNg{4ie()_YkE@$#HTqB<hCP
zPZgD?X5NV-@7`Ou(~cFud#?Gc<v3h958BM*aljT-e;wUBB=gw*r~^QNJA7c#DV^C|
zpF=+UppWf6ZQk%qIp1I-=R2||8)rCd+Bl@hL{+eN5CTtp?_3jPLG1@%uqq*_t&}Yk
zlw(g!6>MBiBi7JiWpmh&BWkpx^aHWTB3tfcOe4QUeW8Gr)vUYoy-V>hUy4aNGEYZv
zr9ahA@7^L3{AN57bFv?K4HLZ=e-2c?uGH9YK6tU^o6h61juXw&*$#c<dc*tYXyZ=n
z>5-`fxS`pI0=q8QqPFIvBSvgPu=_Aa<jJTR!2f^8)ymG|M>LYi%cJo7N1oE2jdMgS
zp0VlzWS-*^qJF4vtPnHc2lmj25+Yrk^gd1ARDgCSUgp$J59A`QTJxV&VCmVlQLJ5y
z5XKPwA2ig`FuJ(9HDp_e_agY_U}EB@#n<NLsu^5-@ZyDer=RhwV#a22Ix54=v=nKy
zMV>U_fC<-4vtEeXj4xlz!j7lET>ayh?_Yy!v}eX2UZL0G#7HhTijlIbQDE}N60Lg6
z0w2;Z5`Z(V{!bn}DuLIF<lLL+n@xYY8zJW(t@4m#epWn;P4BS<-HfBx8*_SiGA&QQ
zrW?A9#J0<&18Una7>g3UDCstUB7&?WEv|IEYJzxvE=yM;sRWGM(6=&$eVr@r$<JBE
ztRK8mN}ut3`cU|6wH>C6^DOQrf44M`GYvi%iWEg}ExbR_)wT&;d~-8Y7PItiN(H{r
z0fRB=orYaGK1TSET`}?9xh%%`-hJaWvPF@!9I4~41}5)@CRD`xxM9*VZGWG@F2qqC
z-Ikx>WBbp6Lib+|H1E*P8cXND(RFFN+ceN@4(r?^lR<QiS*U<hLLq@4WhU;g-Q<Qb
zDZO=h5Ov8%Hb=e0w)orO^gv^i%1t1RbhT_p1#$U7U7QSx@!vAvWok%bDmsXRHnl2~
zi)`-tnzTTRL~SH?OLP<p(@0CtRq8?^5h2CeYg@-O%b`(-d;@ev)ZSYbUTf+M3ppcV
z+C(M)FXW1xebS6qQs!9`Pq<6xry+zs?yR~`f)Y-&YF<hA6gEcB3D+&AK)WGZO+a;?
z<E52NYev8~1}!$*+9x}VN4I?B(zb!5@<7JP!C{lnKw;MD%sLJ56WB^ype83MZ#qWl
z=JhDepyVY)`7`rj3sO&P?{6^csLBrGLystGELHAoN=#I_KwZ09UX{wMXZ?7zuTr1+
zYnP?{pLugI?X5$rB8pbGbhtxT4(3vv`_EKs2I(>n>g7-<A)1dvemMTdfFjQiRf}(%
zG$bf3VI%N^X4*Vt${(nT{@L!}W0OE}G+rGvagfBTK!R}vVa%HA9(@$el9XCDw2;EW
z*@t%n;oTWYLplTpuYQISM7s=>Es*c2fz{sV0-RpJ9ow!6JyzotJ})m8_E`=6=fEzC
zkQ`g%02bQfM#2c&pc6NVv7hyLTPaCPxyOXC3oE;@JW_l2d7>hR4`w^{fNOrnAovJa
z*k}476ul1ohS0}MoXm^pUHH%pgFkJ0HbgC}LK-V{3RipeF?y+LWmAsfMDo+ha<dz?
z$;cweT8N`%y5Q(+X$$j%K-u!X>h%>etgd!?oP|ad%BBS@4<AV`(N#3{co(f0V=N&^
zE<0@9LhA~>05C-kh(|0D=Q<oY6h2g_?INbSsOiV-M%0dAH`MW-b|cU0YcLFzA_M;D
zhvm^0oZqqsh(U^MpauPX*Xy+FQUx>62y_Vno=HXDxnSQfZ63kL<BG!Dm$PRRaunYz
z8W^V51J(9lwsCDLz2#UtN>#Xa0ftGf91ZN6Hp|6UCa4M&u5|=A26pVZFwIYu%L3(t
z2{fjdYK#}vhdRA!jI^+=!<KMcfDmkl4N9!0->+wGpuWtR(DoBXH633XHHUnt)snay
zQL3v`N<3$EPb#7R*OMGr&+t!+xA%~N|M3#8M6AM^8-Dl9aJ?U*((9RYt@ff*HNr(b
z9LpdNqy+6Pqk-G@^U|%W+Q6|QtKOZvA(PIgdK?$W{w2MY?3B_|8c(rw5Y8LSjd2?>
zx@*qk9%vlLanN%PR;~}sM&A;nRWTUfo;E)#pM;Z(e(uW`h>$K2Ag9M7^zrx3@st24
z{oIs%3DN{4Hm8btYT@($y5cORK891J(&{I%s+&7^d%l(yI<h-4$>JKC{gbH2?PzKB
zp#8862OAYoQu$+Biv*1dmvg$Bk-cpOS;zQA7B)|_wwHTL^Qp8GL#lbg69}*X5V}t7
z!&=`a#%@hInwE;s7d>?DWTjQ3|M_t0R~4*vNJBPgDwnO}Z47E8|Hi|Z=ll35y?ER!
zw*FERZ$Kqx9I(y7K#A;ImKm$7*$}QX5nHn7IJSmVUj<{eyx!ncl2n`p1>hy~zFMu%
zz6hX3-`~0|7@+k@bcV$`C2Gy!8eZPt4<yX~D}6eu9JyU!p3<5Xh8!f+i{!r7&jwaW
z<3y(2w4z?8v=>fBzg^1ZZ?hQv@p!vu2|o+k`I-Rd=kv`k&n9l6`%{0v?%81J9nIJ8
z!7st(Hu0N6bU#$U*w=ql%ydmQq*O$D;gK1`n|+Xw+`7MsJ^z_7*1MAPAJjVWOFb5<
zfGUG|%d);(R1zVFuOoI5x8Hy8vN1cX871rSR&F#PIUO;%B>u9d?kfupWoFJeE!Q%}
zPV)c$jBH7{f@&UJ3`^zE?-hQ7egg__L`RbUd?B<T215tIG5+#JC$U`5>gVluBviCa
zNy4&Aybl;Tm`@twmkKXvqzQ3*z%^mU6nX=smO>lw;SAk=4DczlnwTjd<X(`T@xqa#
zZZt@j<w@3^99DXPdBkZ>Nx(elKJGhYDr59b);8C>kr8~a=PIkeND^D%7MzbdZ}<C=
z_BGDtqfRFnY5HUCSXu=v;Mn%0MIrj7r+iXI`S&0g4H<G}Qo#PNJ<~YAR7Q>!f6CHW
zL8&L7yz@&E5mr5Zx66XLaz2IV>6^t{gK_qW+)?o&GVQc!VL}sZ0h~uyK>ES*vQUTs
zI}0IIv5CN6<iR8HG}8W<(NE2DlPezf`MHL{nb=B+HgK8=4~w3%9&uyR3~SDwLXi|s
zztX<T5++%P5!@hl>E<*5gCbA3es+wfe()sReis8PB0`nF1KaeX)AF}05Akg3C)hNv
zfoVLcFmy!}Tk*E0<$)Y3&r=(X0auF5@V=xZF-6!#DwS&X*%)NsKtT=rfHtEk^zfv{
zK}V4FapZGt(DM;9_+0s4TW4N>>@XloviIJWMA459r`I#Zsm-axmIe~Hfod4QHMRiG
zkgb`z64V+AZ!;-G+B8iw<j*gDe#6b?i9ZZ$f&do-Kp-~%WE&>ac16@OLRJ|||IU9z
zxhrsAfX&j(kXg)tQQuE{L1KPokSv^`Bqu3jm%(Yp|9;VLXyBWJ^_~7r2~5-gGG^Bn
z+AR212)Z2Cok_YF4%%VMZ0FR#{L9`f4Rf>5nwy?lJ3Au3@2GSj5$9j?9BS-6^672D
zO$~w>UuYJipS_FCJ3RiQtUE0PNUX{Jbps)Zwh)M{3~@Y6dcvunC=pVbiwwV^G?u_A
z+j!W8(wO|A0ExANScY|kKk{BW#4ceUxX>%+<(XJ+C@40yAOS_hGV`BiZyuQ**=i|5
z<8l>TB?ui02b6m`D1vGFN9jEUZ;<bV#41Jng&}Jfb6_B<^XAfI0ux_L`<9%8V_=U%
z2wf95?hHvl6xPS?R`>MUNa9P8sb&cNJlk0;>ZddPk`IM9H>hQ-D=;@kX)!#sVVi=Y
zlxRha<358CX#>a<I(PbfB2l)XT|v7GPx|}T&dcKnCmUe>K&i67E%72F(99uD@}iQ3
zg9*>}LA_vO)wsNKRi7?X76Fn~5=$67W$^>xeDjV*&X;zO*5ZUkvX#&0{+@BlM1KWL
ze)dA}fodU)hua)e_&SqsD<uU>9W|{cLr#s9r<)tJUICi(No5k3027K&+QLiCIsWw1
zZj|V(SE4`AC~l-xWj7CjR$YC|*Pq9EB?#tU?Hu^Y8*1Ad(=<X3Nnlm#fi`s75YEn?
z!yL)}O5vAwB*5Y7OFRTBc0<LSo%L%j4q9)ZhP2YfH-e>Y0_J?eVmOkh>nwFi<!mBO
zmEgvSyNnjXk!klM=<ot7$AX*0r1Yx;2C2#v`h9QiTY%p*Z3API<;COPp2bCg+&0jR
z<eEShIe71+P;s@=O<mTG2kC_}=6A&s$wmduY!iPEjl9Er1)9v?Gq|jYI={aQIW9|>
z)EOH1BGL{Ic@7-<v&Sg!ug&D=&P2m&mA@e2h<Xbsug&kuPSfgc{@gzT6FPpYEx#{L
zW4>eo+*XDH<7oe_i|X8zl;!3cC$8$5nvce$B%0pP0(!_c^3nSB`!?B<E#(p}qQV!Z
zDJN1#ugLs4wL#tAvE4_?pJUFffc)MM?aFi1>!-e^)KvX`lAw+?{GOj%?zpt+vL}Pd
zR3NwFU;xKH3O0F%<7>Q?SgrI^KVM<rvIH!FCbSM|%A9+_A_B9b;9Ed8Ma3BR(VH07
z4gL*rH~F%}R<CB)CR~sp%ydC)ybs}n_YU%DQO`Q@swqK~tC-HfEmZ70V#BECF9f|V
z>I9xm5mS}DdneQ+c=Xn~7Wyll%FfvB;;;$PEjq7%{+|0af!9H$ladu^-5F{CdVngY
z{dj`$c%&Cyx)orwzNF^n(|`AGiVpR+2IdRxUjcDq_du8SifwUUi16QZ_OG>q;ah3f
z3#HGMOX6UQ7Eyhmd<s`US9GO-?HYiIl|58R+WBuOEqmz(_K{@FmO8!RW=q%O<*3bV
zFYsf4*%vVYDqGf5O+%Znp>|svU)MLnSyLYh!4s-;hsW5Z$K;qYK8~-%qA@4h;QiBm
zX^gfJ^qVI3z}<VF6R=n}BAHw{lHC+o4k5+&VykwCLFE_!XMP-(jl85HuuMB4RyAXC
z*Ats*4}S(K6|P#I!MAhm1QpYsQ@o$Oz%>Y|OMd2yuU|fz0fP$D#zo@~%#8OX59{>f
zgXIccC5@oVVXE3nN{T}i6&lhPg+4BtxU9txi)>Ov#gZkotd@f0O+(G^f!}#y?G$=@
zw)vn7ei)qViG$Pi9F#**ZnoGxQOAZz%}E3RWiVW!iY|MA4?8n^T&KG?LMYInHgep)
zEl_%W^7~c)!++Kj@`p!Mx(ZIId(5YowuLk|3)K66E{aC5ZBum8r%txvS~Gz=I8(>=
zx9?0o7a8Oi5%_(pVb!!izTk6J_QfCI<yXV*gx!0ek-3m`v9Yq6Kfi2&_AegS{};FD
z^>1A@iv`Ki${u&$k4sh<)?KQc#zfX}(K&lAuSJ=6K=waJ`E#*nPlgmY3T!^7Hq9?r
z#vb61ck$JrA~26_+bghTU+QeOTjCqr0e7f5JK69DUNWP~50WZ;?@K0>lf9AAjc~i{
zhZ<aGNu;t?b{+dRvJ<gd$NCjG2TZ$Zl-5{`+o6Z&-5M67bh1b6vA&*dUsxcLSFvqF
zm8xD{|1uVEMxwi0VJghOygNtAa*2nbr8)U`UJK}>#Rc~;kP!5}<$-nSO8M8>6G&LV
z%1>|F47+@}YPs`RA#ZNuT|ewl735_}n`6>fV2qt<e90M6%PjmGB})NG)yOr-<KUL+
zOjDjb%C63ut2%=zm=6d5$NCIYHB(!-FK3ud4qzbw2TJyT97<JSr5U*;d<i~#-8#l)
zvDt{<tV0cI$WNLbOmx7y)s0d^nm?I{5=cNyCaVN5%5S53!xT}KeaGIa+KP525+a8m
z-AEliLygH8^7$@0q9yiuZ{CQOzIfG~j8pcRWmRw&_B|%4Sz{3w!V0*TWr;9edwM^<
zZC(^GXp4@PRQ)8<H6!syR?@Oze0)Pe^f|Pymw`aubfBKFk+p&!MMow*efl2826Z4?
z0!U#3BMhtV*>TS&Ns3~r!Bl2c30Ji|3wgctN(0_SipO2CnM`dA?)d&j7*!BWh?=oZ
zS$Lh=+tEpW$O4n-4*QzigQzzyDK%s*0Ee5Q2im_evMgw0aD#uv>G9P#r-X^}ULjB}
zh{-JE%*II)9OX=HiAdPRGHuFqKnouSw>`F_JCN$lY-<v=zJLB_0SwOVw*Xi!%GFSD
zTNH*aG4p2+Gu=D)gMmt+7RwjH=FKz&7~5soM&UDnVLf-THs3J@Ha}|%Wzi6r&`cKO
za)MEq6{2b-<f0A@!V{O`TDL<feOxJRV>ZM$L4?!(hNhWA|79YhfdpMb4BZ02BX!!=
zK~ZuON{9lw(psX}!pHGTwqIsf916V@VaO2MLkXKH1rC*I<Em(7Il~A@wMvLN$^Bvg
z8kNnCV>1TL1*p?ja8(F(^iWZLLLA*1?&%)akGuo`dY?VKG{1}nMCCg6O*RFioL^Hy
zC?1cSw*Q>~TMBv*rSVX)sUjy_Dq0Vuul)Nhe7@;F&xDSS61os(WLO>;n1St3LEZwD
zrd9X1+9RAZ&^P-;H$svF?ndurcUKoz$94O6uM{80Udp|bDt7|YnD2=b@p8vo&}d0J
z4;RnQz+B$mw(NVrUYGEvJlE44)W3#=$~!{|{qf+B+WZ97Wg`-$c1;ndbg5`P;|@2C
zTRG)z{cx#ZCkOkimrFe{9PN7&Uy3Za&i*v}r>z`Q1p)b-M1^b=KUov>Uw7x{>rT5z
z-__l!nT!x|=O!n4Gj4cB*fp4xk>Zi1#TSdrN)l54BwE`gIVnXu5P{6P+|z$a^+Pu&
z<5>YFfIFA0nEZx+o+BX~YBU4;)S1sRkTNU;yFZLqfx#E9wz6K4E$SY%N?$kf-lMdw
z{Ik{Z5?@?|-tZAx>jt-{h!n+sj^$ltzJaDjsJN6AmA)He`fw&yOJHoaAR!v8)=_)I
zO_7!owAlf?6oSN7`9+J}Xr22BaC?QefIqu~4g!()g9kZ(NGV!PG0TklA{bLi)aBkc
zX}8<?jaTk9go+Z1uhk7T#_9Cui<Yr<jt~IX2{MqJBUy?Qn1#%{P=6K@1ps06A{L3M
za(9V}T6Q#$t%I!+ti3Hqkx!Dl^idoZ#D)%i<+;>nrC^S_&m8nlcE^*l&&@7NzJ+9^
z9h9uiwr_-F+uge956wbBU7e7MD0bj4vTO>+lse7iTT9juqG`WN`^dfQM&lL_J0i<C
ze&!?yE6-nvLt8eao)58HuU-4_>|q=TET?_RUjHCR)7MSg<0PtdzeLji2sF;Vq{|7+
zWB&CGye4_FnhluPSTESPm-wvXA$_2z6vH?qX_i^JgXQd<9uLv^-ER2v0i8jPxZzfw
z1mb(=t^L(zTEy_Qm&2TMU7$n4{~f0Sq{ro&I8uL{MCD>XR37E<?Kq8j0wl2lAGOpL
z2b|i0j#dEU=3HS+QG>jkU)3(i_c5XIUZAc9q(H|SSUqN?-&be6?+Y-Nl8+1j>G%mk
zqqOJ=MVeMtO7FWHr>ieHc^c`#)%yQ}ew+&W%7sleFx~2*EVWoE6X=I{FK`-7)q+k=
zfKN5phjKB3LD@;FSY^O@gck8D$O;KA0(#{}<<q6tZ=$|~SFo)F2K8AQ6NX$v+<6{m
z8<i(%Oo=~-%6*!))hab=sw_oN-PZUR29W)Ptf#rQziUnbuH4Xad{%&4dSjDpTvNPQ
z5aqBRWdjVj!t5%|d^)Yvy_1y8T79p`qByjUMwI_yl<`fl?Lt}JIVAm?Uceh)hw-8M
z3-au&A%a*n@q6Lj>!ZRgGFr}yG?&R1kC{KM2PPri5qv;gUQJIRY3w8<**Olq{UW#u
zV-;U9Fsi)vOW^ug!_|N!;j~G77HM*n0pcJjNGc!Jmt3`nZ>gFW`Xl*mNAF65l~gff
zbcv#&4~w$F`*!MhisDfhLGL#ir6?%u2k<m=u%j}VI<>98SQnrE2odh&01R<=(#jQu
zuN3<~x}^j4NzKg(xOdD9KQbd~b*5XtyFpj1QY+LPOEZFD(6TsmR`bqUk$uhwp3k0w
zY!!18(E#PEU?d9*Y1cTcySxe63mjA@w$2WMKgz)E07g~ntQ#cK7U~k&>9*098}JpL
zz2U`ryfOUUs*3XBvfMFBQlk4LMpg&=(*9(jb)R@?_XX)Nq^PPaoWlY3B$t@?mopLJ
zUM_Z_Zte`Cc_S}j2MYI-N$6jN4Gl5<oX_^(%+0vf+>8x4%UYUFkyb?Lv;8b;sB~X+
z9XtPk_<Wau_yayXo)_K+bu_8v?(nRpgepx!SDq6vPLoZ+#Cwe55wv4*g^mD`TMt4-
zu?eybQU}W=A^_bN7|fB>Z-HJGiLxJ@xJ4gaLDXy(%v7i1aIeET+v>EU*6!tJSN9*Y
zBzU0(PB_vW>mCFeNOj+=%#lzgU70tt@4hIAWuob!5^-Q!_3|8>m3OZW(!J-&c8s%Q
zRSCuyXA77d<48O)@9hCYJF5r}fFw>aJ-HhWx#R*)dv4)PbTe>Z$DVvlnF(1GXz13-
z?7Ye^Q~=-7Ny*>x9^eu(68D@`nC-H-5qD5@(ZM=(&rH^`qR9q#ibgq{x_gaRVtOsZ
zbue~?u5)&L&<J$ywhF0)Nt^n=Q2~Nozr{CJEY+E91C%Y0R>lc02|QhqS+0cvLQEl1
zX1ypKiacl8&35p{HWb>Ve+3*(zTu9dilc-s`-AChXvSFa90|NLX9Mj{yfp=)nmRk5
zj1&OsZ51D<io4{u1Is*@iJMV~3&vy02kK_Y)C`SgKkK*yX_~8zOlbT+%%e}qH;TyC
zu<uyUyMrFayQnnPq2`<0v8^mk`{vqVe6)r|4xDcgpB{mklE4(xrh&{R6(Qdw4mrH4
z*WK)U9K;K-qE|Z_PVh)_vl3>z%?wFlpfXw$*FGLaYR3#G;JHMigD-_zlvu1#HOz)U
zDjd{LoGuH5%qk)hz2@6*9PSj$i6+RPMsL!M{!F)VjikxO$^1Kcs+KP|oE~rc(x~x8
zVi|&&>Cb3|d%fv6<g&`T95x4!ED9!2n%EBb!@S^QuAg$>BsEDW$mH~mgCuqh)~p=U
zLN_EJc;Ggq)mqc{lNxuK<nwkMVG_QS6(A5&AiJgA`?s2Mtd08gx;MP!crG2ns8zIq
z=otgP7lXrPs8?XrY9=3Lkw3W`qKqn{`5k99Via!<T5@fB9xf4D3Jb)s0p$9B+e;ls
zJl&)F?MYFYb2oKTX{_g>+I8?lkaO3u224P_=IMnJDL|x(!dKw`t;&IFx~w2Q$OQmT
zbPR#Uy2<p?3-!F0#q5LsR9m>B%uf!=Bt`-`1_r?j|468BQN4NRr~)@)s;<aVpLA3!
zyd5Q`=F)Ny`#(0%#z>~xVg-`Cs`}s>(TyQA&Llj}o=n#mxMwhls`_upv1vkFG_8|T
zR5|^2*XI@>tqa|3W#22$Kx4^mB$dhIRGS^MU`lk@3~rN!ME$~7=(y(M6@2K*_muue
z^Og>%n4=vxumHxf^Jv&fZI3XPhsA<U5Hzpk4!zoArg?^P0+w;9Rb)&3mzwLw>0&^(
zXvrXV<|CwN@7%c$`5sz}x(eSl*9<r<W+9HXTB6{ucCdm0%5T9gWvS(Rt7joy$@)PI
z&}4nSbNt7oXdN!T8eJzU>ulCUW(@TrhakX8We<B!4n-(vA(P@zzHh%V30ZX%nD>%9
zxGe+!=Y1X5x(L#AKq+;+N4CqR<|0;bq5JX9@F^L!gRd3d*#^w0Ij#Fn;U<w8<_N~)
zy7zNtpe}D=HcCE^K$66#RDr!)KK`h|P#LnuiS_tU+Xkz-RJaK(XQF*VImaP?k@UH5
z*8Tr2;^DZANue$i1~lOSg_Weh6V)M$czHU<S)pLV+Ko1IvVtvD0KglOCCZNeu6e9I
zW@^R7xn_yZLHc5A^G6uvT^<t+tUD&L=HDE6$l{rUajO@=;Yu?($<7D%V~9zjx+@!R
zg3jE|s{ZzP(nC8Y&~?AxF|IFaK7B_YM*nGM`NDZO?X&lL5U8?#Hl?m=GmJ0-D_gQz
zv=cNGa%y@!jlAhWlRcnRV~LQ_t_ukV`PC~r%Bb9Di}JV}&4#nMq&HU7{zXC(6@K*v
zudYOdz*wB)+q8jbCzaEEWrmn*T_PXEte|NSk<ijaM`cMkDrwrJ(nLRm>=GX0r2Ob~
z)WYn=rYuAA;|JmO;WmB75+pfim#lYdaA(S*#F=DkC>HN51#-T$swLgmib14vS0`mE
zd^I?m@ei<YO3Ig>``!kF4Tt+7axenq=x6bkqIw+rhVoEJfzDuOyxb;`=w_|$?#)i4
ziPG|Kce?yM6R>}10P7+mo8S(Ke55{2qx)e!@u`aQT!Gx^(B2)WIO(m1rXFeG(njoO
zP8+l83`#OD10Mo_)kW2~;uWdqRRl2FG<Smnf=_>*Ag>F@%1scU!_V*Dc;k?MPU`jZ
zPDnOf-;uqnMb{(~Is!?TePJBYr*3Gbiq%1SvXdTl@D{PK*cY&B!S4+J;3tniWeeFD
z*S~kga#6YZF2szPWyTztSepX}-_fj%L>oLIC<P~x&*Ei3D7^E0jFMK0!@4Y!T|<#~
z^}Jgd1+qYV)!Li8b|JbrHb;~e#;-TA#w-N&7!U3~@Qc%GTM`S0AT$VOJJ&$jhh^NB
zkWmz!{+)Z18^Y74oU{X686j0d$(k4>PrOpt^P%YIc(3n*gx`&*^w;HkOskZ(zQsPN
zj`9^#lF*MXDCW}fV-7iI{!?3-Hm5*v*kMG?LVdXQsF&;tPZH^sU3i!zg7mi%w7234
z;4?VDwh!0iUxN<~=RbaX_yd9^(yx3YS_@qVL~;l(27Vfthx?dlM~##M#joTN?Hk-U
zOktT7hOjjJ;ouvXJ||_U?Vp2VS-_k5U@!bN@DfDy?|DHL&jgf|N>^ABc|iz>@%P@-
zcJjYiJ$43*K|v+%8XTF&{1wrrE);5rNxfwrHrPg;xp`t0PTX>3w3`;gpezSKBCL~V
zEn)&8qw4%i=$l&b<!46vXU(H0^GS{dL)q_#yXSZaQ>!D|iZdoYXEkv&Rw!$sv?8+k
z!fQ6_9n-d-fwo{O%50Qgd22>wCgI6|>iqI`Ij3}I8*fV+`W0~gDZL5Y?!Jx??=R`9
z<X6nLV%{y-n?#F$f9&`tW38glI0jRR{iKEBajz9OI(F852b}m;j&YmmLTUvHyPwjk
zFKA>eQ%$qc%Hy}A7jT$xv2i8n>Q|(_)h2f8Pm=x2#!(h<a|+|M#0|#sA~iepo#kNH
zv)!Zy*lmG8?J}AdmVYn)LDCk4YiW?&0T8D8@o=R++`JQnKQC~vtoFl4nODH$kJp-9
z8T0kjN~(p6!59mUSPN7(9XRHYpMa1L^55^bFsxrp%@nj5uTAT-iwC9Flc~wrU6T;#
z?~GZqFt@SFF)Za33|p27He&ADb>*c=8I<Sa`Q(HWSg7Xb5D1#@945{{&uB-3f(myL
zD8I?_@ddAs3VTFZwm4<&ZoY!^K@moKG-BzgsPRzE3OME7#1y5O;0E8~9~Ao2qvzL*
zXIGlsXGLeP3jxNftW6*&?K(-lUO1*YN)@k5zpG%ZT=`pZ>1<df34gj-v1{@&-h_*-
z-bYK~oS4B1Uh%h;V)nyO%G!se3kkqc&cQD9E?=kh=wQb4TMlk0s`cqhz_oBwd?@^7
z#kC;6i@HNVQ3Vv_yaQD}z~j=Ny8tRP;Tunsa)85*;&EBPg{x|gByvUv-VM80u8=YM
z669%x%KP!SP_wiE*)&VFK3+VYQbF#Uc7t#^F572fa<36LCL!hU&EqM3;L2J3JKq%q
zv(t`DrPnzYB;z;aNBn8E$LDCI%<^A(AYyfq_t4<!XC+hG)3V{jeo9_dDHiIQVRF<G
z#WSe4Y(z3dQ9gh6j4U71^t*8Nj9Xg=STy(~75bWhfe6A_UJWH_a))*vlm_}oKzgvj
zhFzKXlYm`14K=-(y7=#CSxJs$CCPoot@7j%|H^Aoqhf}i_GW?*!McJWgp|~*lLIX>
z_>kQLB`YEZ!af5H${7!9h3`=h%<dT(ZnCcSnTW%7+uUsBzro!UDXj@VRTRP>pw((m
zwC*#?{(gt(H;J7j<Acw7Xa*}|qNnMKV}U%?=7|=D#;oyQ90HY3tZF<%gQ4$H2P?IT
zkej_%JZo#$`<`hZuubg{ZCTu9&icO9Hv)A)qs~rrfwV+kd-XgMLfq0ZMwD(_BV?pq
z1slg%JX#TcUS%L>8ZCP2V+y4YTEg#haNoMZ!2B9&@z4PndZb~~>z2T&(j{C$uo++I
z8})&32y1{}r+Sb8B=;Qa`U|$XKV?JNJ)FXp|J485U4x0XI=>gVK+}@}K*U}r^xh~n
zZY5BEl2RrYUVV-r8ZPCLgFSoi-io>paN*L`?nf4H1arZu3TID~tU*pKt(LWstQI87
z3N1rkYg#AEr55HBaDgl#1P#I)-3L$X(SaJz2ezw21NT-6fXF*0#%{r8q=9{k-d|tK
zo>GE+e8S>@M-K_4Q@B6?ltwF6WxY%zItvxMyL12lX|m^TK1vm25OM#e(y4o;ya($l
z77f=a9mTb#vkjpho4Yx(S+)Tl9nm<g?kOaOh|gTb?zrV*oBIy<#|)ww@WSBj;qAMI
zdhH-t8M(l3Q$?n+lq7s)^UbnrhX~MM^)O%YVe1n@M=!PTCX;$SzMHi~F_`SwVshWH
zkE5YDZu*m2>H3Wu%%5djv2kWr5Q^6jtvOl!cKxW8wa(T05ITLYhP;7B*1RGR7bkv=
zr2^3H)VTh{`ztj%i0RNGGYNMCrCohfL3>By(N(&chOg;K%J0=qXzcC#nQ>_~<ZS&7
z1&=Z`QAD^WaH>C$Gyu_}iF@Pv`qOepji4put2O?>m&J`DFrQ2A@tUQw5lWm}%Ll|o
zv)nH!nNKA?*_nQ^fRhbL+|-uGbAVS8*hZ-Rjhsdm%AiTrC)M35kI|5|(cx<LED-$9
zkDJ#G<V-N~%xhn-Hi5dILn;K<uwp>l{_X%Ad~W6;l~cK2mH-CEa(CJ-MW<qc2^rgE
zN<=lhkw#|Iwm!ZWjKXx;9DMbmC+peSgYv>=ba*b>;iZfV)w?(V7CtQ*q44{5(lu`y
z)3E|S{0iX;x(4u_&iV;?Vs~lX-Pi=+NH^2&mamNBM=PAa!nbOD1-AG=9)42jwnnmh
zO!QXma=p+?)4#o9)!vp#J8;k>!pLW;F!E|#_QjOX4%)FE^z<r!&c>A-1>456);kC+
zr7LHF9~4CH9GEt2YW;DJ2G_xMo;&tWLydo22hl||r!WjN9>&}omUl(eT79*HOuCE1
zK3fDe_WI&XKxd3Vgg(`5VC$%~UAnRxE7&ZQn2M}zvs)Kc(n%|g?Mo_x)L_<fD7KzC
zhIGG>{Hgq+aU^jg!2a5KUSNk0`v)tK_Xl)46WIqiOPN<+6Le*wgY^8#vK4q}Im*<7
z#LIx_6thjM4_NAvp#(KpoRYLRyiPIsUW>y5%J_7(HkV3YT39$tKC18Zn6Ak9F^hQ1
zKNrY|8rgK4v3QAxty>!4uCX<~JZ3xC!$}f+6plA&n+>*LD736|j&3=6D`4i^f_pCm
z?0`e}(7E`eS*+wdvtp%4$~}3Ws%`-sALHQPBM8us<eHL_t=3;!;vF(SN~pQ&+eU)7
zUurm#KLOBXL=YE(o%k0t$MUdw+XtVWfhw}vRQhQ3+9{xIHbVAqeR)*o+Mr7kCynTj
zpcctI)uhiD8L1inP9oxgA{1;9I9KV?jj}JTNv2$Q#u>nIOwcx9es4V{KIg+bE#iE3
z(5>8oA%&tcI`r1@&N8o8%~n@5!;mXz5D(8lG&P!l%|hHo$9!|>8iq9;7NXy~ZpQ<%
zEhKiX^~C2=3K?$dD|b(okYn)=mEd<lx<ZVL#b+I~_aXkklf4h*BB9E6h+#^~xIb+S
z0sp;!%ke%N!ByyGhjw7`#^}Q62B?AMXD)|&w(x+vDZ49T$nkX|DXUQ_b9f$lTTja=
z`oL_ta8V92u3VIN(ZuYn{*Eiw2A<ynO0WPdE;<$>*-@F2?RME6cza>67RxJ`X%b?<
zpMU)yXS6IXP^}2@3Y!BYZN_t7tpqQ{b`ro-2G4Lq*AJ!itkAIWhENo`8x$oKJ!uy%
zj}U{Ic^Rsl=eOe7Y{n9t4%1Xcg}Cm`1kgcv@QJ=Y&=-Eu>#Qd1#`=im0bcR!k9P|E
zQavYn!MJGW*5f5}O&sNrl=xx4qFnZid9Zt31$$s2=*=8Bfz|6PkX?xNDv@x4M@44|
zOecokx3SFh!`iu(prnyfJ#<r_7m7z(!nL6@KqPZ75ixB(31ya1B;8+CIcQjRBx4vR
zC+`Ot@hxzj_)LEI=ifk0sYuSM#}^(k<KB$ncf2))@<WOrfXs(cG1&MbfkWj*)XG1d
zZZmj2kK3d?sHQA+xzr~$+@ec8a~rxIfr-CNK>ynx&6^CRaqD9Btd>EYAu*I>!_^JD
zVE-`Tp7BZgaLsAkj_xX};)N3ROKt^X61v^6x~H3XnDq{6#;qFj8q^uZx0ZzztQnMQ
z&~leC^%DeTY<Po2V6*I0mattvm+{W09M5j^6ge^x4)ca|P^LfF&(1Or5G^!*YMBOM
zm1W-Yyh|zG9q|SQ`7gwb#g(<Ut>;D;Z9>lx5$PE&XLmXFOr2B$TU(*c<<i~}3)}E_
z|JT==X&8?2RXVmH|81SSzkP)Hg#~Xz{0o<baM`Vtyk}g`ZV{+aD4Xq(T94MMCHw&5
z;eYpHJr?EAB>F!LTTp6b^~wb_L<M8ZAt(_MNSEC@7f9#Ywim&^i&Sq?aH@7>Dl+}Z
z;&yHaUKCT004LlSA_zT$Hs_*8*|^J~41V&XVl5pqFbjv~>5_K7iZdP8+i%SYe({yg
zsC69EAw=f&p6~Z72Sn8cSvv^_Wc`Uq$m&3jzG0$b(Or>X%EP%vS?quwEG6`6X{#9~
z*Uvwz>81_^rvjeiZCsJR!_ZrtLO0iJ%l1$eAkUf2(a{)E%I$w6f8zzwWpE++Gv84T
z_&#Q-S7s^9a)q97L`0CTgA*Lma0h#%gj%sEG<*9dV4~rue-uB|?ON9{Zl{#QN3^}H
zQy)OXEFF(CV9#kEckm;Lag=j>Zvk%1*OF_P&LEd#gqQ$zZuo)MNIVxjPj4w5^cnQH
zNzy+a8-OeRft%13!m5~lAtI7J=S~*Wnta>o<H;gGUlZqpm{fXlK9%=V($^u`4sd>0
zKc6=A%kvxN@TcltJ3F}#QNU8XA48t~l64KymB0k7IY^UOw&Pk5?S>rF*4U-b#(b%p
zq%llBk;Nm`1Qwq0+iq?_r-p0`&+8JM*hi%7PCI!5zo0_1#rx>#ISPhVuX&iK;2yr^
z%{t)f3wOhDhAQs<wq08qea>!?X?b^We1rXsYz`2Hv8>%C$D(*uV(fn3n%sH4ieR$4
z>1Uy~kN>1wbOHKDo?9P_L{Fn}RRwl+jt!YoywwD1>pxURiSr?lh*3<P2gK(j*DHTF
z@><#m88}6i&!}BPDoO+XW+WmBdk=xQ+s(IYc?x695lFQT<RB=fRgK}OZ~|qNFv-Cc
zc%8~6M?<YfPbD=Z-(QtPIinxR^nEO9=Fxy}H+?s}?`ozH1&_XgIy|-*Bk`eZbd^3p
z#zoM{Iacx~m3J9LlWH4rpWrVRTrr<u5Hmi-hwvu_+{sqJQ~)8-;Nok{`GUaIXEwvh
z8Dax0PcugO3Kk*fBHmfr;9Wj$X-(D4X+}xF_Nq~$Vy%3(f$O*UpO<YrINUDCr<sxx
zVVQGu8(1&?E6gm3`V^jmc0CioY)jRdk{8!${h!CDJYxM1{rODaFkFPsjl&T@IpSXp
z-mXHSj0q76`UAQFG<WzpE*nH5F2hxdu&%2r@8WyefOeAwq(sWsxHm9J6n$nZ#B+Sf
zKlP3eD|SA^bRzG9PJ3M{s)NnvD9g(}5u-&4F?2Dxdc4LZIorZJRfBH^k9;F5ABkFu
zi3<ww<$V_ssMJ9Ds|%JFgbL1|u*XhX!_HjzGd!B^_<&%pl%r%vsTtA&<nKgA;L#gO
z+uCYUA90`*p@%Z9AD4~9#{NB5Z4gSIX@F*JNW8Bg=x%_m1D48lbeZpOC-^xkzD+LF
zle^u(Lfd--A8l1hcIQ?|zD$8-c~+b3*tPVPSV+Q=@iy;E>2vo8j@B@({J1&`_DwO2
z9$XcwX3~hqM`sH8svTE~p3}Rnr^u9%l8elY-MXi36^3;yO^|zGna{b#^}>`8s1&3%
zd(<W)_8;|6gaTF8o+oFBa3FmFX%RNBIh+LMotVq`2_ZT6jswu`!{(|&1r<Kbuy+hx
z_~ySKmDrB#?@P0?s;O6)KrA)fVs&CjMUTEXMIcPE(sbi1OJ^56Ym|iBx(?`xiVtel
z+aYKG)OA10*dQe}Ql9RcoHs>vZsgyo9ss9(#uHd9%kfaf+4lI$pu>g-HQ~g%4NtRN
zpM(}Zd=BV@;~GHLF`71N022+5AAfY-uOVGE?P<Pc=>+Q_Sr^eDom=dxK3utWzCEu7
z8XR9-!4R*rJcUbL-iUx`Qxx=UK<kNq2<}S31YmW}4Pr70XXU`0ZiaK6;f1$NDEUwH
z<X7+^Lg^zz;Yf{=Bzx~CbN3>(d{6Y(d`QCQxS)h403>kDe@}V3hzNH{i|C8>(S<H*
zFDp39ufn35<VBib;M7DbYwIF$h_*T^B}AG`j3R>PlzwmZ{TPQF=nKnVjZta?9zOJj
zrD}Ami44jihJj!5nbn0wqANOEd=p-7$14L3Rq7|LUP;=K`hbN&lbAr#$Ba3lw<Tbb
zS?A$~eh>cRds!S^Lo#}d=|=A!>euWl>6_|ckGB|d+#DJ&35I4@rb~kD&1)%MVAUn9
zi_PCdm`C|ZeA@zkX(2>_)3TmQvW!vb3NE%OzB9o(#r{*eA7WP_^W$v>=(@+zxLQKe
zN<hK?OqPo|gmOkR?kSzivin~~S?`4I4*b1a!FEw%JbXGhYzZ@SWI!2qJ*YFj8Q7wY
zS#D@BR0BW7z)Tx2{dN{sZjr}$0rct7C%^xSYM50wImoG&im^$9{lZa1+-=Y+Q{M2#
zP@exau{;4&Disu;6DY_-s@D)<IB6Jv)D--8y||Z?9C}>tz;X+3n#Mh?^vqjw>)|K%
zQS`RTokN~vxc8&(oB#Oxl^cfw49SE6ff$<FH+Jp2JvWJ$rc~);+D6ex&Wdqv?0az1
zeH*WO0eLp7v%VN61%Rq_FoZu&X}Z9Dt+EAaH};{GJ6f(?oFG*)(^Z_Z?*@Mg(g@Bd
zP+%orVVw`Hp59vrQhBEc_}Ss^nh-ws8)ACeP{%;r!cC&6EsYJL(~uwmlZ<I5^H{ex
zLw=a9j6c;&65507(>;j$OWcVcR(@xP>lbB$@!{)Drtp|=7a*l4Q$VIRbT#jhw9DIv
zSz-sq6dM|;!EMdpy73+3FOJ;MGj<KBV@9Oi9wFU>MOP-+`U6?7@o-|JgCqGII{T5^
ze1tw%VH$ppT1I|{t*)qgebu;Xs&u0!Ob?XKGyl)U%;>3X4!!kK7|l=198sIXcW4t-
z32FZNF^FMndR`z@$A4|JXn}|~`tYS0w|OFlnPn&%lA!YmOA4)J88UFj`#~KcF>9!;
z;%*Z>7*UrP&~H0<#|`*GF#V}>!*1YbeZ3|n@}EjV2$;a&nsH8jxLpW&f6X@U-1R~^
z3Q!>uEsKB{L9aqx?N?Cu1AbnCOpe%xd1}Yj$Uq;di2TrU5x`3Q(t_Q`gWru@y27N&
zWH98ObHD5_0iXTuChRcP6dfEu+yZ3dKbo%cSG_Q+CzYFb#k&F;?{0bmxY@LR7mAd!
zxywZR3dVChG@q`>M#+p5awP^6TS3<FL@va<U=B9)?pb0+RS#ZepJ(nC@zW7rt)i-{
z!dvNL6|Pmx9`wf0bXFi#nffT~Kf#Zy`@uV!)lk#$;Gxu4oKkxM;`?@~KJH&^rI{LP
z<)N=2mOZ?~x=mcsQZZKq+4>+(2j=RgS%A=8uw6O8uFxCH(i`fAvhQW5?|v*F=<qZt
zr9{3mGKH0X^Y`T39jRdD=wlqnyhZnLH*A2$dO?m1KHGpRMQY2UsdT;jlLZA#Q&+m_
z1dT(0s4_<Ys@SKrfI7}E>$2H&3qmDc%EFA1e;%U<opT!5ab-nCL2I!W;iHhq*%&op
zjKUqvmR3DaQ^3#Sq=D=~F2d3Ac#wIN{-8t>6sgkKBZqJZvj?&rP*cwgO1=1szv1Kb
zY^a2p_^To=V+^l5$;l7@drchVL^Q?sI=i?pUG7i>ma{`s4N*wmgy1%Sr8a678ZekX
zgDX}t$oUTfBV@;K13{+w%4vj&+o>{A(wN`pc(Vg8f#Zh$|J87x`UzJkXX|x1L#9!G
z_6lie69%nC{T%*53KeF>a*0WOB9WNb2TZ2$8GL9|g0226;d*(Gp8wV-ZJ|5Pd7(}$
z?;e%n-Kk}18mrt&DJ&AS8HFZ%VYj7ch-1&R3#Zchc?p$a@&1glO!gqJEs~8R^7<XZ
z>k>V4UepVw(y^t$@=QewFzq7qM<vnGJ|f-2qs;@#pp3ZEN4UTkDcu{YXWp~O4o-?Q
z_80VTj2xVBd$yn{vV}PXb~=c5!5_sItsya$0b(_%Y%pADaV#r)E;Vbr?i~ilL%OIA
zqy|IQWjR1;b}o@PrDq7r%Zm^!Nl*qtHu;VL<@419HV^q8jQG(mK6I;yG^2gAR*Mul
zM1#2|NCTDBK1P4_XL__6BHu9+`m9zECf$|eNo3E2&R#V664_Q5re()hpfF5$l8qdS
zQoIjr<X`sD0ixD?E)~sL=jU+;OF|nAd+ibac@NKy=Ld`bEDe^`?hNvHCj;+=;EKI&
z4SS(NardMS-<k&m72U79w2-MA+U18UAu?|9WwT>NvLV!Z8-?cvox;c3i=fdZ^KMr(
zil>GEfw^)xnVyR{lGYzmx)8<~xr<Fy70jKT)0jttad9`QMg_bEUN{7Z+BK<D;?i!0
zwym;9{-*~QV>{CS7#i%XJvOIY|DkS8ha`SgA1jr9jdeJgW@#Q`g}`w&pOH3vK5OX(
z2}|aq;(V{N5O%f7_OOD9fs{)w!qmMu6I<KRYUQS`ky2iXgA5$30wF007W&&rRL2~?
zB7bwYykfwC1kb{{0zRr}3`!|i>j0EC$>q#&;|fR~DsXMxb6~B8vqJ!-^gu{4k2k`C
zFkhpomBwTGUn>&$+?7Tc^y2d5(k{PP?t<V2RPV*%(cqcH(};z6XkcqPFlKo<_;oAe
zWY?;&OM()>)qK521rOVj!uf#Ex?hDIoGpW<xN>;NC2zH}fM1ekpB^0B_cdVKhe)l=
z5P$j3*zn!v35DxR$?2W8s7SgMCFK~FV5kx0vjW6Q=nBezjsx0Ur2E^=V6E@PiqV1(
zP?*(O2~*pHMo3aJ3#^7ZD1K5D%c+yjMA98r@j{k9FGh-sb1zNr={s^jS9?dn=)3eN
zvvc6TneODE)LFXeRuVqz`44q>#-dIycHsWPDOG>5fKrq~7~6|{O~g{J#AexgpYMd^
z9Je1vy>IX|0jX--Sy9v7Y$Xn5KAXHT-e|8zAWG=Gu3JuSyhEskRTN{r>ajg9AR)?}
z(5g~)#zL;&`0@<@bgovBxDwTbqb>8CmQ^%}$=(ZCYP?Y*O7%ax4MAa*)O^+?n?LFp
zN!oNb5fc2_OEy#oVv9RtcVT02&pb0!&NK+ihI5v7aU%dTE?ThgOb}2><Y3y%NoCnH
z$bO4FTi}5F05gq~QR5GuiJm*Fc|myIWLu1P$%Xb+@P%GYTf@I8Pla#A8f(5!^?T*@
zWH`_WGiK+pP0$5m6IpZn6HQ^fR=&V+5B~*7eD{0v_?0l7bD4EyPeyuvGR6AiwY5dO
z)T^Lk+#pMsGgSNd-M+^;f+tLf7${$sczDuKEX^;$i;%~p;+5szk(6jJ0>;#eK(Or}
zw^HhQ(<S}o_`_J=`@!XTpXXS6gn66Qi0ivVZP77X)6F~}PS^J`f@C?B(PBo)%2i{`
zjax*ZD7`Ze?^_|1!Srw8egBg(+V{o&clXMg)Sz>b&Q=jr6W^r|?*{WEhTM*6DGlSG
zoDlOQPAhkB@iMVN#f_6r-{!P6j_VF;-%J;xOC$TKkCbnYkZcp`ou|09^Fj8*m!{qp
zjZKzwElO<L+~j+<*w9ZU(+X>v;>vgPVG_|KmPjw>@P&qvOfC~5L9&a;{AjEj(fXMK
z-t4U*oL2EtOFSfXB-%6loFDO`qN!FY8Qm?O`x2Pz1ZzzLusHXzhY?5F{1c_!U3jm-
zDD0AkxoU6ilmHtP1Fj(<le|U61_aQO>G`{PgW&HM-0VzA%J#M#8xApHF&OmBq;4{B
zukaen#W!XA@9jTe?4jnmwBHV^N5MNO@xt*q)8*I*ub=+%M?$gMy%c~UdJ$tYG2Nwj
zKI~C^u0#<2qhh%l=QcErZ}E48zqVU~@er{-P#WN(71&F^q`P?4N5$5(1wxFM3~iov
zhtNowDaS9gNFmdMzmX{RLaOy9_i8aSZG1&9V$XkH7I51Loe>Wyh@D1SZ-AabgdF}x
zDm<JYvfZ|GDDWF7fLg;jqZG2rAL1|#dD9!3^qk^rE}f#hzLuV)oyDtQWO}rar($h7
zD>F&r4DedQl-KIg00SjW132*2gS!jxABmy?sTZnbFBFdd7|PizkxKc>nuo{A!Zir4
zD6sYWz#Mzq^)shj^Z3V_eLsNtQae<5&QXTL3}pV^_5x63mzQ{-xE`iPnDK%<i@=Ue
za~|hyd+!=vhqds4z(?Yl%+-m;z7>_xr*RZ~s!-*thHsCSDXy)kY}=#{pPpkp2ve?8
zWnmaG(y9*`2F+uc4pqA<s3;SQ2uqq?kL~K)1WM2nkO}A^Dvt+9Sh|w+3>l0H*+qdi
zh#w2+9GR7D+tL!~X8hf$%yUr}$R~M!p+QbQh_zVGksyD&XfP8C6Pb5rkvljukpNgt
zj*wLEEw#gsVrszY>_oi$krua+X1aDpUrzR~?dEVS{&q@(la^N#w-MUJ_U)>>nhmKy
z*1Is;_ol(L*#3jqlOG*^!CC*l857drXP&GF;g2DqS29=GYW?K#OE=d3o8i=!?wJ#N
zNb+<XOkh;~`x^1vgc~C{)pE>T-;P70*7ybW$+>G|%6v7OhnvZO69VKP;WHu!_w_Y>
zbt&_GN`6zGm29X`ootRZ7+=pKB>yjb%Ve5tNC6LJEvuM2hGhU<Zq+%$+~Oh2lJXdK
z0D%bl5P671wnoE?cAfF_ttTe(1eq3oHeA%(=asJ0m;z7SYoRXNiE+mabxh}$x)8zP
zG-Q83@-oXF{wQh@2Mph9459dtgEHOKCq^@&4DK%U!}vGHQVUUkm@Xthlr1X7kLyY}
zWNYz2>|AxU(~Wm{)6B9+YlhtM4;sehuAUrvoy+0EK&DG=>AFRXDkfK~yIIt+S;DcL
z=jg8K-F(`vkSq?C0YQ@S&(rqGa>k85Lyck`+2!Z|iqO^YK9Y!FH&jj=qz7%~fStY$
zp>|or;n*y3>ra=D7W_YUli=YCZk^`ipp|MwNr|x=g*Tqri?A;9$2vfPPiFz2o$a~N
z{dPG6QVB?B0<9|CTpphO3V8j$;4Feh8~7|~_WTWu2+gOdSnvAGG69IYdX8En6U%I}
zJ*<$WzAxtRuscjL1t`?Iwn^i)5^$`Pk6N6FO=&e4wDHu>Z)Sex|Lq}@6ZGERHK(}2
z!Z_%y46HFW7?xQ?Ij+;TT5ca$x3zw&<7Zs;NJYG`U*4H^eG%ZSTQPL)MDyQ{R*9cL
z1f<{T3BeEtszlLs815=2=;vE%*9^*-lUr~<!vE{3Xx`EAhSdgc{1nR13630ge4qiq
zJy*)$uB^O8{lp}pyc{(4y`d2aOe?51`Q3sLGWs<6M{{mrzCWC0#Q$X1FUQ!_X&Gis
zmPo1s@<?zs(0|%UeyCJNtwnRAAcK|PW8sq?YJSKF$$WGJmIA8gS$S?fJ{Vjc*zU#6
zh{)jh(`~|{-Ul|2dRdO|90o`{MXZtWez%j8lg1-t&1A>oEu#AH<AWgt05&lk911VB
zO21?YAV^NAZiFySn&2efbG4|BRW2CyJRYmcPN$lhE}TEwCchobku0rswc?TmvzJ&p
zO(30U0Ea1ze&1kR88X)U#OaNKp^QL5lT3mObmx3gOj*Px@HJ=jlQeS1b_y;k8kCf`
znp^&hn6iJYFDZ6_6#&vj1joOte5fNxFRXcD9D9Tl`e@nx!E_u%D|0XI<To%>$_k`Y
z@mQf}2le`{&WM+351}NFyeT6c)ul(KC(ExXX&}i{lAJ-wFz<2Vz_lA`A@j+AY<6C*
zd32A%&QG8pCz)#>A@ml#&hlQqu<>clo454-zpf!HW<8+fl-1M?tNVWqAA#k7xVMGB
zh=l+wP=j_^rQI+wB3&&6N4#7rZAgOMiFY*dHi0=yh<p{FwAbI4vKP+ti%!}+cP435
zu(&e=I;9Fm6y=KK^SNb}Vwv0;yD2vjmuR{uYOp6$so!e;C;nHJlv805v&wH<j?oet
z?~6r$&fe)n5G*6|s|-;){FYqi$_1G0vP`0oeTyQ&>3?%KWGwVD6g-EYG_^S1=fYdV
zwyqg1WH?y_oYjeJGba-9mbD0C)|5rqU$BabPzAK%2_VyBbG$m0r~zow>DuSQdyEBB
zPVl&YZHT1%cA>sI)jj#W5EMpyv7a4y!ZJbC-L^6Cuf~5F-`JkO2qyXvE1UL$@F|+N
zcu#(c-nh{&cZ<wIRJMYR=N*kfm4V$?ag!d<-M%+F04bQ{%BBI5*!`L%aungW>SPC$
z9;;`8rol%`%p2c>wdWLSukWLEu21F_;SEYRs#p+QV|J^H#h*`Hw0CZNPBA7202*aC
zEkGiIQ-?vtR2J2@$|SCc6m!|iljH@NxPPu&S;@L)(61B|Z}$#~W`Q<HLeG8FDe3fF
z(%)41KJKQ>4cm2|oaPq4Zn}x!<h<ul$*32#X8KN%xZ5B#rsiHjn~F|9o{}NRMFc5u
zAfbuZ++iR!1ILEmBeRxO&%{GTvtdCE?q)6@i@b+7C40XeE^g-XNm-qE8hvYjaVwh2
ziUN!cYoCqi^i>=FXlhuQouO97A8XPJd%z0U!eA@O_OS}}*PZh`SJuYQ7R%CQ8)8HQ
zxkP^D?@alf;Veg>B(P!I(B2PP;dpyio4iYX-n5U_P|%JY2Tc8B20@8<rHZJv1dU^y
zo($2gIRTl5<tO4JeI&(j$V$Z2Ul&yh1ruANjn+8>jwY2B{cUr63|4h6R{XX9gl)J7
zDdfNU#3eN78urmyte2g0R{zi_EoYmh*OnFjK>#Zylj}1_ylD(2r$7z@QZ(n#C;pJy
zawsHl)S)!7?V+#oT)4ZLcy*lCjl7+;*iG%O=%M(W#EsEXYE$@I02!ps&CS-wGVek?
zmCBMv2w`oT+Ur=(6;Lr~AhQ2w_CeBCGLpT3PrEVi9U9*jmTnkvJ4Vbqjyml>S_(@~
z1A)}#K1_50L1*<U;3lQ2X*%z>p8yvGCKBz^E;_}=WENGtdJh*z;_Z}8&zvhw8+s?b
z$~0vW`@(akBZ-f!==e-ReI9siqL$NrVz1jf!29=+BEzU~;uh@Z!W+a|43YAQ`=fB~
z*oJO#OxG7A{O4YnZsbUNrly6xTNHCyp{fm&U}U^EIG-A>zXhg6l#IpZZG$Ro<jDK4
zQRZJ)2z3XY(E8yz{nlG9@KN3I8zxe!Wzhb+xp#EoT)P6f%^8LAPo@A&Zgsn%Vd962
z;(e&}wY@C%iKX6&3GlaRphhM2d6vv2qP3-gT8V%8_pXiFzcwm#BzcA)&{oyL4XSJr
zYYUy_0%b6PwlE9^2r7n1hW8Bu3k3i$WCjT;hDe6@4FLrVFjoXXfn|T!-}b!`z=_wx
z4gc@bruJ|@_Ly};3|m%YYs*BBvH(5aFGp|SbHLgUEFv9X4G<fq;5bv+^)fyi`LhhB
z0s=q)0s%lU3<d})hDe6@4FU@V00cmNX39s*(B?;Xczb~8^OdkaX-wn#D_j@MBEARy
ml|Uu5cUC4qn;AEm@c!u8vPM#1tmp=sz(2Q@87IkNE-atg-&uJ8

literal 0
HcmV?d00001

diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index d6251acf07d4e..04982aa8986d7 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -109,7 +109,6 @@ grant {
     permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
     permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
     permission java.util.PropertyPermission "java.runtime.name", "read";
-    permission org.bouncycastle.crypto.CryptoServicesPermission "changeToApprovedModeEnabled";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
 };
diff --git a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
index 8492c9f12fdd8..e1a3b4618035e 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
@@ -167,5 +167,4 @@ grant {
   permission org.opensearch.secure_sm.ThreadContextPermission "markAsSystemContext";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashAndMergeHeaders";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashWithOrigin";
-  permission org.bouncycastle.crypto.CryptoServicesPermission "changeToApprovedModeEnabled";
 };
diff --git a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java
index cf6ce7d014199..6a901e686b8c5 100644
--- a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java
+++ b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java
@@ -90,7 +90,7 @@ protected HttpHandler createHandler(final String[] args) {
     protected String buildCredentialResponse(final String ec2AccessKey, final String ec2SessionToken) {
         return "{"
             + "\"AccessKeyId\": \"" + ec2AccessKey + "\","
-            + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_INSTANT) + "\","
+            + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_DATE_TIME) + "\","
             + "\"RoleArn\": \"arn\","
             + "\"SecretAccessKey\": \"secret_key\","
             + "\"Token\": \"" + ec2SessionToken + "\""

From 183891dec413bb4ef287911b23fb3fdc6405386d Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 14 Nov 2024 10:51:32 +0100
Subject: [PATCH 12/21] general exclusion of keystore binaries and certificates
 from fobiddenPattern

Signed-off-by: Iwan Igonin <iigonin@sternad.de>

# Conflicts:
#	CHANGELOG-3.0.md
---
 CHANGELOG-3.0.md                                         | 1 +
 buildSrc/build.gradle                                    | 4 ----
 .../gradle/precommit/ForbiddenPatternsTask.java          | 5 +++++
 client/rest/build.gradle                                 | 5 -----
 libs/ssl-config/build.gradle                             | 8 --------
 modules/reindex/build.gradle                             | 5 -----
 modules/transport-netty4/build.gradle                    | 6 ------
 plugins/ingest-attachment/build.gradle                   | 9 ---------
 plugins/repository-gcs/build.gradle                      | 4 ----
 qa/smoke-test-plugins/build.gradle                       | 5 -----
 10 files changed, 6 insertions(+), 46 deletions(-)

diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
index 14874ceb7c393..bfeb71d401514 100644
--- a/CHANGELOG-3.0.md
+++ b/CHANGELOG-3.0.md
@@ -16,6 +16,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Views, simplify data access and manipulation by providing a virtual layer over one or more indices ([#11957](https://github.com/opensearch-project/OpenSearch/pull/11957))
 - Added pull-based Ingestion (APIs, for ingestion source, a Kafka plugin, and IngestionEngine that pulls data from the ingestion source) ([#16958](https://github.com/opensearch-project/OpenSearch/pull/16958))
 - Added ConfigurationUtils to core for the ease of configuration parsing [#17223](https://github.com/opensearch-project/OpenSearch/pull/17223)
+- Support for FIPS-140-3 compliance through environment variable ([#3420](https://github.com/opensearch-project/OpenSearch/pull/14912))
 
 ### Dependencies
 - Update Apache Lucene to 10.1.0 ([#16366](https://github.com/opensearch-project/OpenSearch/pull/16366))
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 38e4f6afb1cf5..7b22d612bc267 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -231,12 +231,8 @@ if (project != rootProject) {
 
   forbiddenPatterns {
     exclude '**/*.wav'
-    exclude '**/*.p12'
-    exclude '**/*.jks'
-    exclude '**/*.crt'
     // the file that actually defines nocommit
     exclude '**/ForbiddenPatternsTask.java'
-    exclude '**/*.bcfks'
   }
 
   testingConventions {
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/precommit/ForbiddenPatternsTask.java b/buildSrc/src/main/java/org/opensearch/gradle/precommit/ForbiddenPatternsTask.java
index 1790b32fb2f36..fbf96483443ee 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/precommit/ForbiddenPatternsTask.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/precommit/ForbiddenPatternsTask.java
@@ -83,8 +83,13 @@ public class ForbiddenPatternsTask extends DefaultTask {
         .exclude("**/*.ico")
         .exclude("**/*.jar")
         .exclude("**/*.zip")
+        .exclude("**/*.p12")
         .exclude("**/*.jks")
         .exclude("**/*.crt")
+        .exclude("**/*.der")
+        .exclude("**/*.pem")
+        .exclude("**/*.key")
+        .exclude("**/*.bcfks")
         .exclude("**/*.keystore")
         .exclude("**/*.png");
 
diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index 87cf3d460752f..3bd74d7ec7734 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -84,11 +84,6 @@ tasks.withType(CheckForbiddenApis).configureEach {
   replaceSignatureFiles('jdk-signatures', 'http-signatures')
 }
 
-forbiddenPatterns {
-  exclude '**/*.bcfks'
-  exclude '**/*.der'
-}
-
 tasks.named('forbiddenApisTest').configure {
   //we are using jdk-internal instead of jdk-non-portable to allow for com.sun.net.httpserver.* usage
   bundledSignatures -= 'jdk-non-portable'
diff --git a/libs/ssl-config/build.gradle b/libs/ssl-config/build.gradle
index 8d09782b04b89..ee2c153690b43 100644
--- a/libs/ssl-config/build.gradle
+++ b/libs/ssl-config/build.gradle
@@ -58,14 +58,6 @@ tasks.named("dependencyLicenses").configure {
   mapping from: /bc.*/, to: 'bouncycastle'
 }
 
-forbiddenPatterns {
-  exclude '**/*.key'
-  exclude '**/*.pem'
-  exclude '**/*.p12'
-  exclude '**/*.jks'
-  exclude '**/*.bcfks'
-}
-
 tasks.test {
     if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
         jvmArgs += ["--add-opens", "java.base/java.security.cert=ALL-UNNAMED"]
diff --git a/modules/reindex/build.gradle b/modules/reindex/build.gradle
index a44e1004d93ad..00931848d0644 100644
--- a/modules/reindex/build.gradle
+++ b/modules/reindex/build.gradle
@@ -87,11 +87,6 @@ thirdPartyAudit.ignoreMissingClasses(
   'org.apache.log.Logger',
 )
 
-forbiddenPatterns {
-  // PKCS#12 file are not UTF-8
-  exclude '**/*.p12'
-}
-
 tasks.named("bundlePlugin").configure {
   dependsOn("copyParentJoinMetadata")
   dependsOn("copyTransportNetty4Metadata")
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index 25f713f19758d..4e68a4ce17f73 100644
--- a/modules/transport-netty4/build.gradle
+++ b/modules/transport-netty4/build.gradle
@@ -77,12 +77,6 @@ tasks.named("dependencyLicenses").configure {
   mapping from: /netty-.*/, to: 'netty'
 }
 
-forbiddenPatterns {
-  exclude '**/*.p12'
-  exclude '**/*.jks'
-  exclude '**/*.bcfks'
-}
-
 test {
   /*
    * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
index 47a15b75234dc..97a78261f85ba 100644
--- a/plugins/ingest-attachment/build.gradle
+++ b/plugins/ingest-attachment/build.gradle
@@ -142,12 +142,3 @@ thirdPartyAudit {
     'com.google.common.util.concurrent.AbstractFuture$UnsafeAtomicHelper$1'
   )
 }
-
-if (BuildParams.inFipsJvm) {
-  // FIPS JVM includes many classes from bouncycastle which count as jar hell for the third party audit,
-  // rather than provide a long list of exclusions, disable the check on FIPS.
-  jarHell.enabled = false
-  test.enabled = false
-  yamlRestTest.enabled = false;
-  testingConventions.enabled = false;
-}
diff --git a/plugins/repository-gcs/build.gradle b/plugins/repository-gcs/build.gradle
index 7b8ce9d709685..58bfe4a3dde51 100644
--- a/plugins/repository-gcs/build.gradle
+++ b/plugins/repository-gcs/build.gradle
@@ -242,10 +242,6 @@ def encodedCredentials = {
   Base64.encoder.encodeToString(Files.readAllBytes(serviceAccountFile.toPath()))
 }
 
-forbiddenPatterns {
-  exclude '**/*.bcfks'
-}
-
 /** A service account file that points to the Google Cloud Storage service emulated by the fixture **/
 task createServiceAccountFile() {
   doLast {
diff --git a/qa/smoke-test-plugins/build.gradle b/qa/smoke-test-plugins/build.gradle
index 6abba5577d605..fd0821f5685e5 100644
--- a/qa/smoke-test-plugins/build.gradle
+++ b/qa/smoke-test-plugins/build.gradle
@@ -29,7 +29,6 @@
  */
 
 import org.opensearch.gradle.MavenFilteringHack
-import org.opensearch.gradle.info.BuildParams
 
 apply plugin: 'opensearch.testclusters'
 apply plugin: 'opensearch.standalone-rest-test'
@@ -40,10 +39,6 @@ int pluginsCount = 0
 
 testClusters.integTest {
   project(':plugins').getChildProjects().each { pluginName, pluginProject ->
-    if (BuildParams.inFipsJvm && pluginName == "ingest-attachment"){
-      //Do not attempt to install ingest-attachment in FIPS 140 as it is not supported (it depends on non-FIPS BouncyCastle
-      return
-    }
     plugin pluginProject.path
     pluginsCount += 1
   }

From 5cc787d6e2915b93ba17e03322a8e09cdcc8c1c8 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Tue, 19 Nov 2024 10:54:58 +0100
Subject: [PATCH 13/21] Kerberos, forbiddenApis, SecureRandom, SunJCE,
 AzureTests

Summery:
- replace unsecure kerberos crypto algorithms
- add 'java.security.KeyStore' to forbidden-apis
- instantiate and use SecureRandom from BCFIPS library
- exclude SunJCE from security providers list at runtime, when running in FIPS JVM
- exclude Azure tests when running in FIPS JVM

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../gradle/http/WaitForHttpResource.java      |  14 +-
 .../gradle/testclusters/OpenSearchNode.java   |   2 +-
 .../resources/forbidden/jdk-signatures.txt    |   6 +
 distribution/src/config/fips_java.security    |   4 -
 .../cli/keystore/KeyStoreWrapperTests.java    |  20 +-
 libs/common/build.gradle                      |   5 +
 .../licenses/bcpkix-fips-2.0.7.jar.sha1       |   1 +
 libs/common/licenses/bouncycastle-LICENSE.txt |  14 ++
 libs/common/licenses/bouncycastle-NOTICE.txt  |   1 +
 .../opensearch/common/SecureRandomHolder.java |   4 +-
 .../common/crypto/KeyStoreFactory.java        |   5 +
 modules/transport-netty4/build.gradle         |  11 --
 .../index/analysis/IcuAnalyzerTests.java      |   5 +
 plugins/repository-azure/build.gradle         |  11 +-
 plugins/repository-s3/build.gradle            |  11 --
 .../s3/S3BlobStoreRepositoryTests.java        |   2 +-
 .../opensearch/repositories/s3/S3Service.java |   5 +-
 .../s3/S3BlobContainerRetriesTests.java       |   5 +-
 plugins/transport-reactor-netty4/build.gradle |  11 --
 ...ReactorNetty4HttpServerTransportTests.java |  16 +-
 .../src/test/resources/README.txt             |  14 --
 .../src/test/resources/certificate.crt        |  22 ---
 .../src/test/resources/certificate.key        |  28 ---
 server/licenses/bcpkix-fips-2.0.7.jar.sha1    |   1 +
 .../org/opensearch/bootstrap/Bootstrap.java   |   3 +
 .../bootstrap/SecureRandomInitializer.java    |  46 +++++
 .../bootstrap/SecurityProviderManager.java    |  48 +++++
 .../org/opensearch/common/Randomness.java     |  17 --
 .../common/settings/KeyStoreWrapper.java      |  16 +-
 .../org/opensearch/bootstrap/security.policy  |   6 +-
 .../SecureRandomInitializerTests.java         |  62 +++++++
 .../SecurityProviderManagerTests.java         | 171 ++++++++++++++++++
 .../org/opensearch/bootstrap/test.policy      |   1 +
 .../resources/provision/kdc.conf.template     |   7 +-
 .../resources/provision/krb5.conf.template    |  13 +-
 .../bootstrap/BootstrapForTesting.java        |  19 ++
 .../org/opensearch/test/KeyStoreUtils.java    |  70 +++++++
 37 files changed, 525 insertions(+), 172 deletions(-)
 create mode 100644 libs/common/licenses/bcpkix-fips-2.0.7.jar.sha1
 create mode 100644 libs/common/licenses/bouncycastle-LICENSE.txt
 create mode 100644 libs/common/licenses/bouncycastle-NOTICE.txt
 delete mode 100644 plugins/transport-reactor-netty4/src/test/resources/README.txt
 delete mode 100644 plugins/transport-reactor-netty4/src/test/resources/certificate.crt
 delete mode 100644 plugins/transport-reactor-netty4/src/test/resources/certificate.key
 create mode 100644 server/licenses/bcpkix-fips-2.0.7.jar.sha1
 create mode 100644 server/src/main/java/org/opensearch/bootstrap/SecureRandomInitializer.java
 create mode 100644 server/src/main/java/org/opensearch/bootstrap/SecurityProviderManager.java
 create mode 100644 server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java
 create mode 100644 server/src/test/java/org/opensearch/bootstrap/SecurityProviderManagerTests.java
 create mode 100644 test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java b/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
index 54c544a299b84..62f2621be7924 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
@@ -32,8 +32,10 @@
 
 package org.opensearch.gradle.http;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.gradle.api.logging.Logger;
 import org.gradle.api.logging.Logging;
+import org.gradle.internal.impldep.com.jcraft.jsch.annotations.SuppressForbiddenApi;
 
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManager;
@@ -51,7 +53,6 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
-import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.util.Arrays;
@@ -216,7 +217,7 @@ KeyStore buildTrustStore() throws GeneralSecurityException, IOException {
     }
 
     private KeyStore buildTrustStoreFromFile() throws GeneralSecurityException, IOException {
-        KeyStore keyStore = KeyStore.getInstance(trustStoreFile.getName().endsWith(".jks") ? "JKS" : "PKCS12");
+        var keyStore = getKeyStoreInstance(trustStoreFile.getName().endsWith(".jks") ? "JKS" : "PKCS12");
         try (InputStream input = new FileInputStream(trustStoreFile)) {
             keyStore.load(input, trustStorePassword == null ? null : trustStorePassword.toCharArray());
         }
@@ -224,7 +225,7 @@ private KeyStore buildTrustStoreFromFile() throws GeneralSecurityException, IOEx
     }
 
     private KeyStore buildTrustStoreFromCA() throws GeneralSecurityException, IOException {
-        final KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
+        var store = getKeyStoreInstance(KeyStore.getDefaultType());
         store.load(null, null);
         final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
         int counter = 0;
@@ -239,12 +240,17 @@ private KeyStore buildTrustStoreFromCA() throws GeneralSecurityException, IOExce
         return store;
     }
 
+    @SuppressForbiddenApi("runs exclusively in test-context without KeyStoreFactory on classpath.")
+    private KeyStore getKeyStoreInstance(String type) throws KeyStoreException {
+        return KeyStore.getInstance(type);
+    }
+
     private SSLContext createSslContext(KeyStore trustStore) throws GeneralSecurityException {
         checkForTrustEntry(trustStore);
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         tmf.init(trustStore);
         SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());
+        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), CryptoServicesRegistrar.getSecureRandom());
         return sslContext;
     }
 
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index 254cf345f50fd..c7af3d0a155f7 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -548,7 +548,7 @@ public synchronized void start() {
 
         logToProcessStdout("Creating opensearch keystore with password set to [" + keystorePassword + "]");
         if (keystorePassword.length() > 0) {
-            runOpenSearchBinScriptWithInput(keystorePassword + "\n" + keystorePassword, "opensearch-keystore", "create", "-p");
+            runOpenSearchBinScriptWithInput(keystorePassword + "\n" + keystorePassword + "\n", "opensearch-keystore", "create", "-p");
         } else {
             runOpenSearchBinScript("opensearch-keystore", "-v", "create");
         }
diff --git a/buildSrc/src/main/resources/forbidden/jdk-signatures.txt b/buildSrc/src/main/resources/forbidden/jdk-signatures.txt
index b2fd479dce5ff..646f9a474524a 100644
--- a/buildSrc/src/main/resources/forbidden/jdk-signatures.txt
+++ b/buildSrc/src/main/resources/forbidden/jdk-signatures.txt
@@ -37,6 +37,12 @@ java.nio.file.Path#toFile()
 java.nio.file.Files#createTempDirectory(java.lang.String,java.nio.file.attribute.FileAttribute[])
 java.nio.file.Files#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute[])
 
+@defaultMessage Use org.opensearch.common.crypto.KeyStoreFactory instead of java.security.KeyStore
+java.security.KeyStore#getInstance(java.lang.String)
+java.security.KeyStore#getInstance(java.lang.String,java.lang.String)
+java.security.KeyStore#getInstance(java.lang.String,java.security.Provider)
+java.security.KeyStore#getInstance(java.io.File,char[])
+
 @defaultMessage Don't use java serialization - this can break BWC without noticing it
 java.io.ObjectOutputStream
 java.io.ObjectOutput
diff --git a/distribution/src/config/fips_java.security b/distribution/src/config/fips_java.security
index bf160a0055a59..2e5bf13cf8d0e 100644
--- a/distribution/src/config/fips_java.security
+++ b/distribution/src/config/fips_java.security
@@ -5,10 +5,6 @@ security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips
 security.provider.3=SUN
 security.provider.4=SunJGSS
 
-securerandom.source=file:/dev/urandom
-securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
-securerandom.drbg.config=
-
 login.configuration.provider=sun.security.provider.ConfigFile
 policy.provider=sun.security.provider.PolicyFile
 policy.expandProperties=true
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
index a8962b06317f2..43af00622954b 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
@@ -38,10 +38,10 @@
 import org.apache.lucene.store.IOContext;
 import org.apache.lucene.store.IndexOutput;
 import org.apache.lucene.store.NIOFSDirectory;
-import org.opensearch.common.Randomness;
-import org.opensearch.common.settings.KeyStoreWrapper;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.settings.KeyStoreWrapper;
 import org.opensearch.common.util.io.IOUtils;
 import org.opensearch.core.common.settings.SecureString;
 import org.opensearch.env.Environment;
@@ -206,7 +206,7 @@ public void testFailWhenCannotConsumeSecretStream() throws Exception {
         try (IndexOutput indexOutput = directory.createOutput("opensearch.keystore", IOContext.DEFAULT)) {
             CodecUtil.writeHeader(indexOutput, "opensearch.keystore", 3);
             indexOutput.writeByte((byte) 0); // No password
-            SecureRandom random = Randomness.createSecure();
+            SecureRandom random = CryptoServicesRegistrar.getSecureRandom();
             byte[] salt = new byte[64];
             random.nextBytes(salt);
             byte[] iv = new byte[12];
@@ -234,7 +234,7 @@ public void testFailWhenCannotConsumeEncryptedBytesStream() throws Exception {
         try (IndexOutput indexOutput = directory.createOutput("opensearch.keystore", IOContext.DEFAULT)) {
             CodecUtil.writeHeader(indexOutput, "opensearch.keystore", 3);
             indexOutput.writeByte((byte) 0); // No password
-            SecureRandom random = Randomness.createSecure();
+            SecureRandom random = CryptoServicesRegistrar.getSecureRandom();
             byte[] salt = new byte[64];
             random.nextBytes(salt);
             byte[] iv = new byte[12];
@@ -263,7 +263,7 @@ public void testFailWhenSecretStreamNotConsumed() throws Exception {
         try (IndexOutput indexOutput = directory.createOutput("opensearch.keystore", IOContext.DEFAULT)) {
             CodecUtil.writeHeader(indexOutput, "opensearch.keystore", 3);
             indexOutput.writeByte((byte) 0); // No password
-            SecureRandom random = Randomness.createSecure();
+            SecureRandom random = CryptoServicesRegistrar.getSecureRandom();
             byte[] salt = new byte[64];
             random.nextBytes(salt);
             byte[] iv = new byte[12];
@@ -290,7 +290,7 @@ public void testFailWhenEncryptedBytesStreamIsNotConsumed() throws Exception {
         try (IndexOutput indexOutput = directory.createOutput("opensearch.keystore", IOContext.DEFAULT)) {
             CodecUtil.writeHeader(indexOutput, "opensearch.keystore", 3);
             indexOutput.writeByte((byte) 0); // No password
-            SecureRandom random = Randomness.createSecure();
+            SecureRandom random = CryptoServicesRegistrar.getSecureRandom();
             byte[] salt = new byte[64];
             random.nextBytes(salt);
             byte[] iv = new byte[12];
@@ -373,15 +373,15 @@ public void testIllegalSettingName() throws Exception {
     public void testFailLoadV1KeystoresInFipsJvm() throws Exception {
         assumeTrue("Test in FIPS JVM", inFipsJvm());
 
-        Exception e = assertThrows(SecurityException.class, () -> generateV1());
-        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS keystores are allowed in FIPS JVM"));
+        Exception e = assertThrows(NoSuchProviderException.class, this::generateV1);
+        assertThat(e.getMessage(), containsString("no such provider: SunJCE"));
     }
 
     public void testFailLoadV2KeystoresInFipsJvm() throws Exception {
         assumeTrue("Test in FIPS JVM", inFipsJvm());
 
-        Exception e = assertThrows(SecurityException.class, () -> generateV2());
-        assertThat(e.getMessage(), containsString("Only PKCS_11, BCFKS keystores are allowed in FIPS JVM"));
+        Exception e = assertThrows(NoSuchProviderException.class, this::generateV2);
+        assertThat(e.getMessage(), containsString("no such provider: SunJCE"));
     }
 
     public void testBackcompatV1() throws Exception {
diff --git a/libs/common/build.gradle b/libs/common/build.gradle
index 909d7c5ebe209..e9de44f894296 100644
--- a/libs/common/build.gradle
+++ b/libs/common/build.gradle
@@ -27,6 +27,7 @@ dependencies {
   compileOnly "com.google.code.findbugs:jsr305:3.0.2"
   compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
+  api "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
 
   /*******
    *  !!!! NO THIRD PARTY DEPENDENCIES !!!!
@@ -53,6 +54,10 @@ tasks.named('forbiddenApisMain').configure {
   ignoreSignaturesOfMissingClasses = true
 }
 
+tasks.named("dependencyLicenses").configure {
+    mapping from: /bc.*/, to: 'bouncycastle'
+}
+
 compileJava {
   options.compilerArgs += ['--add-modules', 'jdk.incubator.vector']
   options.compilerArgs -= '-Werror' // use of incubator modules is reported as a warning
diff --git a/libs/common/licenses/bcpkix-fips-2.0.7.jar.sha1 b/libs/common/licenses/bcpkix-fips-2.0.7.jar.sha1
new file mode 100644
index 0000000000000..ff463e602ad88
--- /dev/null
+++ b/libs/common/licenses/bcpkix-fips-2.0.7.jar.sha1
@@ -0,0 +1 @@
+01eea0f325315ca6295b0a6926ff862d8001cdf9
diff --git a/libs/common/licenses/bouncycastle-LICENSE.txt b/libs/common/licenses/bouncycastle-LICENSE.txt
new file mode 100644
index 0000000000000..5c7c14696849d
--- /dev/null
+++ b/libs/common/licenses/bouncycastle-LICENSE.txt
@@ -0,0 +1,14 @@
+Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
+and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/libs/common/licenses/bouncycastle-NOTICE.txt b/libs/common/licenses/bouncycastle-NOTICE.txt
new file mode 100644
index 0000000000000..8b137891791fe
--- /dev/null
+++ b/libs/common/licenses/bouncycastle-NOTICE.txt
@@ -0,0 +1 @@
+
diff --git a/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java b/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java
index 14844293b3274..990f6968a57a2 100644
--- a/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java
+++ b/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.common;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+
 import java.security.SecureRandom;
 
 /**
@@ -41,5 +43,5 @@
  */
 class SecureRandomHolder {
     // class loading is atomic - this is a lazy & safe singleton to be used by this package
-    public static final SecureRandom INSTANCE = new SecureRandom();
+    public static final SecureRandom INSTANCE = CryptoServicesRegistrar.getSecureRandom();
 }
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
index 4cd6e9922ab27..a07c4b64b1a36 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
+++ b/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
@@ -9,6 +9,7 @@
 package org.opensearch.common.crypto;
 
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.opensearch.common.SuppressForbidden;
 
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -55,7 +56,11 @@ public static KeyStore getInstance(KeyStoreType type, String provider) {
             }
             provider = FIPS_PROVIDER;
         }
+        return get(type, provider);
+    }
 
+    @SuppressForbidden(reason = "centralized instantiation of a KeyStore")
+    private static KeyStore get(KeyStoreType type, String provider) {
         try {
             if (provider == null) {
                 return KeyStore.getInstance(type.getJcaName());
diff --git a/modules/transport-netty4/build.gradle b/modules/transport-netty4/build.gradle
index 4e68a4ce17f73..95e9ee2e80f8c 100644
--- a/modules/transport-netty4/build.gradle
+++ b/modules/transport-netty4/build.gradle
@@ -147,17 +147,6 @@ thirdPartyAudit {
     'io.netty.internal.tcnative.SSLContext',
     'io.netty.internal.tcnative.SSLPrivateKeyMethod',
 
-    // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
-    'org.bouncycastle.cert.X509v3CertificateBuilder',
-    'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
-    'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
-    'org.bouncycastle.openssl.PEMEncryptedKeyPair',
-    'org.bouncycastle.openssl.PEMParser',
-    'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-    'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder',
-    'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder',
-    'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo',
-
     // from io.netty.handler.ssl.JettyNpnSslEngine (netty)
     'org.eclipse.jetty.npn.NextProtoNego$ClientProvider',
     'org.eclipse.jetty.npn.NextProtoNego$ServerProvider',
diff --git a/plugins/analysis-icu/src/test/java/org/opensearch/index/analysis/IcuAnalyzerTests.java b/plugins/analysis-icu/src/test/java/org/opensearch/index/analysis/IcuAnalyzerTests.java
index c363bc6eb43f8..c74dbb22bc21e 100644
--- a/plugins/analysis-icu/src/test/java/org/opensearch/index/analysis/IcuAnalyzerTests.java
+++ b/plugins/analysis-icu/src/test/java/org/opensearch/index/analysis/IcuAnalyzerTests.java
@@ -35,6 +35,7 @@
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
 import org.opensearch.Version;
+import org.opensearch.bootstrap.SecureRandomInitializer;
 import org.opensearch.cluster.metadata.IndexMetadata;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.index.IndexSettings;
@@ -47,6 +48,10 @@
 
 public class IcuAnalyzerTests extends BaseTokenStreamTestCase {
 
+    static {
+        SecureRandomInitializer.init();
+    }
+
     public void testMixedAlphabetTokenization() throws IOException {
 
         Settings settings = Settings.builder().put(IndexMetadata.SETTING_VERSION_CREATED, Version.CURRENT).build();
diff --git a/plugins/repository-azure/build.gradle b/plugins/repository-azure/build.gradle
index 5dae37d80ca6a..3e0e5e23c59f1 100644
--- a/plugins/repository-azure/build.gradle
+++ b/plugins/repository-azure/build.gradle
@@ -213,13 +213,6 @@ thirdPartyAudit {
     // Worth nothing that, the latest dependency "net.shibboleth.utilities:java-support:8.0.0" has many vulnerabilities.
     // Hence ignored.
     'net.shibboleth.utilities.java.support.xml.SerializeSupport',
-    'org.bouncycastle.cert.X509CertificateHolder',
-    'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
-    'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
-    'org.bouncycastle.openssl.PEMKeyPair',
-    'org.bouncycastle.openssl.PEMParser',
-    'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-    'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
     'org.cryptomator.siv.SivMode',
     'org.opensaml.core.config.InitializationException',
     'org.opensaml.core.config.InitializationService',
@@ -310,6 +303,10 @@ Map<String, Object> expansions = [
   'base_path': azureBasePath + "_integration_tests"
 ]
 
+tasks.withType(Test).configureEach {
+  onlyIf { BuildParams.inFipsJvm == false }
+}
+
 processYamlRestTestResources {
   inputs.properties(expansions)
   MavenFilteringHack.filter(it, expansions)
diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle
index 2a303f9a01656..1832b6a165cc1 100644
--- a/plugins/repository-s3/build.gradle
+++ b/plugins/repository-s3/build.gradle
@@ -486,17 +486,6 @@ thirdPartyAudit {
     'net.jpountz.xxhash.XXHash32',
     'net.jpountz.xxhash.XXHashFactory',
 
-    // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
-    'org.bouncycastle.cert.X509v3CertificateBuilder',
-    'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
-    'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
-    'org.bouncycastle.openssl.PEMEncryptedKeyPair',
-    'org.bouncycastle.openssl.PEMParser',
-    'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-    'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder',
-    'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder',
-    'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo',
-
     'org.conscrypt.AllocatedBuffer',
     'org.conscrypt.BufferAllocator',
     'org.conscrypt.Conscrypt',
diff --git a/plugins/repository-s3/src/internalClusterTest/java/org/opensearch/repositories/s3/S3BlobStoreRepositoryTests.java b/plugins/repository-s3/src/internalClusterTest/java/org/opensearch/repositories/s3/S3BlobStoreRepositoryTests.java
index 5bea51706cfae..689023f81658a 100644
--- a/plugins/repository-s3/src/internalClusterTest/java/org/opensearch/repositories/s3/S3BlobStoreRepositoryTests.java
+++ b/plugins/repository-s3/src/internalClusterTest/java/org/opensearch/repositories/s3/S3BlobStoreRepositoryTests.java
@@ -144,7 +144,7 @@ protected HttpHandler createErroneousHttpHandler(final HttpHandler delegate) {
     protected Settings nodeSettings(int nodeOrdinal) {
         final MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "access");
-        secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "secret");
+        secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "secret_password");
 
         final Settings.Builder builder = Settings.builder()
             .put(ThreadPool.ESTIMATED_TIME_INTERVAL_SETTING.getKey(), 0) // We have tests that verify an exact wait time
diff --git a/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java b/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java
index 3d5e121778ba9..e17234f6921e0 100644
--- a/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java
+++ b/plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java
@@ -64,6 +64,7 @@
 import org.apache.http.protocol.HttpContext;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.cluster.metadata.RepositoryMetadata;
 import org.opensearch.common.Nullable;
 import org.opensearch.common.SuppressForbidden;
@@ -88,7 +89,6 @@
 import java.nio.file.Path;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 import java.time.Duration;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
@@ -341,7 +341,8 @@ private static SSLConnectionSocketFactory createSocksSslConnectionSocketFactory(
         // This part was taken from AWS settings
         try {
             final SSLContext sslCtx = SSLContext.getInstance("TLS");
-            sslCtx.init(SystemPropertyTlsKeyManagersProvider.create().keyManagers(), null, new SecureRandom());
+            sslCtx.init(SystemPropertyTlsKeyManagersProvider.create().keyManagers(), null, CryptoServicesRegistrar.getSecureRandom());
+
             return new SdkTlsSocketFactory(sslCtx, new DefaultHostnameVerifier()) {
                 @Override
                 public Socket createSocket(final HttpContext ctx) throws IOException {
diff --git a/plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerRetriesTests.java b/plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerRetriesTests.java
index 96ef28d24c14f..dbecc7c7eb417 100644
--- a/plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerRetriesTests.java
+++ b/plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3BlobContainerRetriesTests.java
@@ -222,7 +222,10 @@ protected AsyncMultiStreamBlobContainer createBlobContainer(
 
         final MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), "access");
-        secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(), "secret");
+        secureSettings.setString(
+            S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace(clientName).getKey(),
+            "secret_password"
+        );
         clientSettings.setSecureSettings(secureSettings);
         service.refreshAndClearCache(S3ClientSettings.load(clientSettings.build(), configPath()));
         asyncService.refreshAndClearCache(S3ClientSettings.load(clientSettings.build(), configPath()));
diff --git a/plugins/transport-reactor-netty4/build.gradle b/plugins/transport-reactor-netty4/build.gradle
index 12ae5ce99632e..8456abeb1d5e3 100644
--- a/plugins/transport-reactor-netty4/build.gradle
+++ b/plugins/transport-reactor-netty4/build.gradle
@@ -110,17 +110,6 @@ thirdPartyAudit {
     'io.netty.internal.tcnative.SSLContext',
     'io.netty.internal.tcnative.SSLPrivateKeyMethod',
 
-    // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
-    'org.bouncycastle.cert.X509v3CertificateBuilder',
-    'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
-    'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
-    'org.bouncycastle.openssl.PEMEncryptedKeyPair',
-    'org.bouncycastle.openssl.PEMParser',
-    'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-    'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder',
-    'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder',
-    'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo',
-
     // from io.netty.handler.ssl.JettyNpnSslEngine (netty)
     'org.eclipse.jetty.npn.NextProtoNego$ClientProvider',
     'org.eclipse.jetty.npn.NextProtoNego$ServerProvider',
diff --git a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ssl/SecureReactorNetty4HttpServerTransportTests.java b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ssl/SecureReactorNetty4HttpServerTransportTests.java
index ac7687d551766..06d272e350a76 100644
--- a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ssl/SecureReactorNetty4HttpServerTransportTests.java
+++ b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ssl/SecureReactorNetty4HttpServerTransportTests.java
@@ -35,6 +35,7 @@
 import org.opensearch.rest.RestChannel;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.telemetry.tracing.noop.NoopTracer;
+import org.opensearch.test.KeyStoreUtils;
 import org.opensearch.test.OpenSearchTestCase;
 import org.opensearch.test.rest.FakeRestRequest;
 import org.opensearch.threadpool.TestThreadPool;
@@ -44,10 +45,10 @@
 import org.junit.After;
 import org.junit.Before;
 
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 
-import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.Optional;
@@ -85,6 +86,7 @@
 import static org.opensearch.core.rest.RestStatus.OK;
 import static org.opensearch.http.HttpTransportSettings.SETTING_CORS_ALLOW_ORIGIN;
 import static org.opensearch.http.HttpTransportSettings.SETTING_CORS_ENABLED;
+import static org.opensearch.test.KeyStoreUtils.KEYSTORE_PASSWORD;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 
@@ -115,12 +117,14 @@ public Optional<TransportExceptionHandler> buildHttpServerExceptionHandler(Setti
             @Override
             public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException {
                 try {
-                    SSLEngine engine = SslContextBuilder.forServer(
-                        SecureReactorNetty4HttpServerTransportTests.class.getResourceAsStream("/certificate.crt"),
-                        SecureReactorNetty4HttpServerTransportTests.class.getResourceAsStream("/certificate.key")
-                    ).trustManager(InsecureTrustManagerFactory.INSTANCE).build().newEngine(NettyAllocator.getAllocator());
+                    var keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
+                    keyManagerFactory.init(KeyStoreUtils.createServerKeyStore(), KEYSTORE_PASSWORD);
+                    SSLEngine engine = SslContextBuilder.forServer(keyManagerFactory)
+                        .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                        .build()
+                        .newEngine(NettyAllocator.getAllocator());
                     return Optional.of(engine);
-                } catch (final IOException ex) {
+                } catch (final Exception ex) {
                     throw new SSLException(ex);
                 }
             }
diff --git a/plugins/transport-reactor-netty4/src/test/resources/README.txt b/plugins/transport-reactor-netty4/src/test/resources/README.txt
deleted file mode 100644
index a4353cee45a97..0000000000000
--- a/plugins/transport-reactor-netty4/src/test/resources/README.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is README describes how the certificates in this directory were created.
-# This file can also be executed as a script
-#
-
-# 1. Create certificate key
-
-openssl req  -x509  -sha256  -newkey rsa:2048  -keyout certificate.key  -out certificate.crt  -days 1024  -nodes
-
-# 2. Export the certificate in pkcs12 format
-
-openssl pkcs12  -export  -in certificate.crt  -inkey certificate.key  -out server.p12  -name netty4-secure -password pass:password
-
diff --git a/plugins/transport-reactor-netty4/src/test/resources/certificate.crt b/plugins/transport-reactor-netty4/src/test/resources/certificate.crt
deleted file mode 100644
index 54c78fdbcf6de..0000000000000
--- a/plugins/transport-reactor-netty4/src/test/resources/certificate.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDkzCCAnugAwIBAgIUddAawr5zygcd+Dcn9WVDpO4BJ7YwDQYJKoZIhvcNAQEL
-BQAwWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4X
-DTI0MDMxNDE5NDQzOVoXDTI3MDEwMjE5NDQzOVowWTELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAzjOKkg6Iba5zfZ8b/RYw+PGmGEfbdGuuF10Wz4Jmx/Nk4VfDLxdh
-TW8VllUL2JD7uPkjABj7pW3awAbvIJ+VGbKqfBr1Nsz0mPPzhT8cfuMH/FDZgQs3
-4HuqDKr0LfC1Kw5E3WF0GVMBDNu0U+nKoeqySeYjGdxDnd3W4cqK5AnUxL0RnIny
-Bw7ZuhcU55XndH/Xauro/2EpvJduDsWMdqt7ZfIf1TOmaiQHK+82yb/drVaJbczK
-uTpn1Kv2bnzkQEckgq+z1dLNOOyvP2xf+nsziw5ilJe92e5GJOUJYFAlEgUAGpfD
-dv6j/gTRYvdJCJItOQEQtektNCAZsoc0wwIDAQABo1MwUTAdBgNVHQ4EFgQUzHts
-wIt+zhB/R4U4Do2P6rr0YhkwHwYDVR0jBBgwFoAUzHtswIt+zhB/R4U4Do2P6rr0
-YhkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAveh870jJX7vt
-oLCrdugsyo79pR4f7Nr1kUy3jJrfoaoUmrjiiiHWgT22fGwp7j1GZF2mVfo8YVaK
-63YNn5gB2NNZhguPOFC4AdvHRYOKRBOaOvWK8oq7BcJ//18JYI/pPnpgkYvJjqv4
-gFKaZX9qWtujHpAmKiVGs7pwYGNXfixPHRNV4owcfHMIH5dhbbqT49j94xVpjbXs
-OymKtFl4kpCE/0LzKFrFcuu55Am1VLBHx2cPpHLOipgUcF5BHFlQ8AXiCMOwfPAw
-d22mLB6Gt1oVEpyvQHYd3e04FetEXQ9E8T+NKWZx/8Ucf+IWBYmZBRxch6O83xgk
-bAbGzqkbzQ==
------END CERTIFICATE-----
diff --git a/plugins/transport-reactor-netty4/src/test/resources/certificate.key b/plugins/transport-reactor-netty4/src/test/resources/certificate.key
deleted file mode 100644
index 228350180935d..0000000000000
--- a/plugins/transport-reactor-netty4/src/test/resources/certificate.key
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOM4qSDohtrnN9
-nxv9FjD48aYYR9t0a64XXRbPgmbH82ThV8MvF2FNbxWWVQvYkPu4+SMAGPulbdrA
-Bu8gn5UZsqp8GvU2zPSY8/OFPxx+4wf8UNmBCzfge6oMqvQt8LUrDkTdYXQZUwEM
-27RT6cqh6rJJ5iMZ3EOd3dbhyorkCdTEvRGcifIHDtm6FxTnled0f9dq6uj/YSm8
-l24OxYx2q3tl8h/VM6ZqJAcr7zbJv92tVoltzMq5OmfUq/ZufORARySCr7PV0s04
-7K8/bF/6ezOLDmKUl73Z7kYk5QlgUCUSBQAal8N2/qP+BNFi90kIki05ARC16S00
-IBmyhzTDAgMBAAECggEAVOdiElvLjyX6xeoC00YU6hxOIMdNtHU2HMamwtDV01UD
-38mMQ9KjrQelYt4n34drLrHe2IZw75/5J4JzagJrmUY47psHBwaDXItuZRokeJaw
-zhLYTEs7OcKRtV+a5WOspUrdzi33aQoFb67zZG3qkpsZyFXrdBV+/fy/Iv+MCvLH
-xR0jQ5mzE3cw20R7S4nddChBA/y8oKGOo6QRf2SznC1jL/+yolHvJPEn1v8AUxYm
-BMPHxj1O0c4M4IxnJQ3Y5Jy9OaFMyMsFlF1hVhc/3LDDxDyOuBsVsFDicojyrRea
-GKngIke0yezy7Wo4NUcp8YQhafonpWVsSJJdOUotcQKBgQD0rihFBXVtcG1d/Vy7
-FvLHrmccD56JNV744LSn2CDM7W1IulNbDUZINdCFqL91u5LpxozeE1FPY1nhwncJ
-N7V7XYCaSLCuV1YJzRmUCjnzk2RyopGpzWog3f9uUFGgrk1HGbNAv99k/REya6Iu
-IRSkuQhaJOj3bRXzonh0K4GjewKBgQDXvamtCioOUMSP8vq919YMkBw7F+z/fr0p
-pamO8HL9eewAUg6N92JQ9kobSo/GptdmdHIjs8LqnS5C3H13GX5Qlf5GskOlCpla
-V55ElaSp0gvKwWE168U7gQH4etPQAXXJrOGFaGbPj9W81hTUud7HVE88KYdfWTBo
-I7TuE25tWQKBgBRjcr2Vn9xXsvVTCGgamG5lLPhcoNREGz7X0pXt34XT/vhBdnKu
-331i5pZMom+YCrzqK5DRwUPBPpseTjb5amj2OKIijn5ojqXQbmI0m/GdBZC71TF2
-CXLlrMQvcy3VeGEFVjd+BYpvwAAYkfIQFZ1IQdbpHnSHpX2guzLK8UmDAoGBANUy
-PIcf0EetUVHfkCIjNQfdMcjD8BTcLhsF9vWmcDxFTA9VB8ULf0D64mjt2f85yQsa
-b+EQN8KZ6alxMxuLOeRxFYLPj0F9o+Y/R8wHBV48kCKhz2r1v0b6SfQ/jSm1B61x
-BrxLW64qOdIOzS8bLyhUDKkrcPesr8V548aRtUKhAoGBAKlNJFd8BCGKD9Td+3dE
-oP1iHTX5XZ+cQIqL0e+GMQlK4HnQP566DFZU5/GHNNAfmyxd5iSRwhTqPMHRAmOb
-pqQwsyufx0dFeIBxeSO3Z6jW5h2sl4nBipZpw9bzv6EBL1xRr0SfMNZzdnf4JFzc
-0htGo/VO93Z2pv8w7uGUz1nN
------END PRIVATE KEY-----
diff --git a/server/licenses/bcpkix-fips-2.0.7.jar.sha1 b/server/licenses/bcpkix-fips-2.0.7.jar.sha1
new file mode 100644
index 0000000000000..5df930b54fe44
--- /dev/null
+++ b/server/licenses/bcpkix-fips-2.0.7.jar.sha1
@@ -0,0 +1 @@
+01eea0f325315ca6295b0a6926ff862d8001cdf9
\ No newline at end of file
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index 424677ce96066..650bca01f0359 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -196,9 +196,12 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
             BootstrapSettings.CTRLHANDLER_SETTING.get(settings)
         );
 
+        SecureRandomInitializer.init();
+
         var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
         if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-3")) {
             LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
+            SecurityProviderManager.excludeSunJCE();
         }
 
         // initialize probes before the security manager is installed
diff --git a/server/src/main/java/org/opensearch/bootstrap/SecureRandomInitializer.java b/server/src/main/java/org/opensearch/bootstrap/SecureRandomInitializer.java
new file mode 100644
index 0000000000000..633694556847c
--- /dev/null
+++ b/server/src/main/java/org/opensearch/bootstrap/SecureRandomInitializer.java
@@ -0,0 +1,46 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.bootstrap;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.fips.FipsDRBG;
+import org.bouncycastle.crypto.util.BasicEntropySourceProvider;
+
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+
+/**
+ * Instantiates {@link SecureRandom}
+ */
+public class SecureRandomInitializer {
+
+    private SecureRandomInitializer() {}
+
+    /**
+     * Instantiates a new {@link SecureRandom} if it is not already set. The specific implementation used depends on whether the JVM
+     * is running in a FIPS-approved mode or not. An instance of {@link SecureRandom} can be obtained from
+     * {@link CryptoServicesRegistrar#getSecureRandom()}
+     */
+    public static void init() {
+        CryptoServicesRegistrar.setSecureRandom(CryptoServicesRegistrar.getSecureRandomIfSet(SecureRandomInitializer::getSecureRandom));
+    }
+
+    private static SecureRandom getSecureRandom() {
+        try {
+            if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+                var entropySource = SecureRandom.getInstance("DEFAULT", "BCFIPS");
+                return FipsDRBG.SHA512_HMAC.fromEntropySource(new BasicEntropySourceProvider(entropySource, true)).build(null, true);
+            }
+            return SecureRandom.getInstanceStrong();
+        } catch (GeneralSecurityException e) {
+            throw new SecurityException("Failed to instantiate SecureRandom: " + e.getMessage(), e);
+        }
+    }
+
+}
diff --git a/server/src/main/java/org/opensearch/bootstrap/SecurityProviderManager.java b/server/src/main/java/org/opensearch/bootstrap/SecurityProviderManager.java
new file mode 100644
index 0000000000000..0b53d48b88f55
--- /dev/null
+++ b/server/src/main/java/org/opensearch/bootstrap/SecurityProviderManager.java
@@ -0,0 +1,48 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.bootstrap;
+
+import java.security.Security;
+
+/**
+ * Provides additional control over declared security providers in 'java.security' file.
+ */
+public class SecurityProviderManager {
+
+    public static final String SUN_JCE = "SunJCE";
+
+    private SecurityProviderManager() {
+        // singleton constructor
+    }
+
+    /**
+     * Removes the SunJCE provider from the list of installed security providers. This method is intended to be used when running
+     * in a FIPS JVM and when the security file specifies additional configuration, instead of a complete replacement.
+     */
+    public static void excludeSunJCE() {
+        Security.removeProvider(SUN_JCE);
+    }
+
+    /**
+     * Returns the position at which the provider is found by its name, otherwise returns -1.
+     * Provider's position starts by 1 and will not always represent the configured value at 'java.security' file.
+     */
+    public static int getPosition(String providerName) {
+        var provider = java.security.Security.getProvider(providerName);
+        if (provider != null) {
+            var providers = java.security.Security.getProviders();
+            for (int i = 0; i < providers.length; i++) {
+                if (providers[i].getName().equals(providerName)) {
+                    return i + 1; // provider positions starts at 1
+                }
+            }
+        }
+        return -1;
+    }
+}
diff --git a/server/src/main/java/org/opensearch/common/Randomness.java b/server/src/main/java/org/opensearch/common/Randomness.java
index 221bc95c41f31..479d3b195bee6 100644
--- a/server/src/main/java/org/opensearch/common/Randomness.java
+++ b/server/src/main/java/org/opensearch/common/Randomness.java
@@ -36,7 +36,6 @@
 import org.opensearch.common.settings.Settings;
 
 import java.lang.reflect.Method;
-import java.security.SecureRandom;
 import java.util.Collections;
 import java.util.List;
 import java.util.Random;
@@ -125,22 +124,6 @@ public static Random get() {
         }
     }
 
-    /**
-     * Provides a secure source of randomness.
-     * <p>
-     * This acts exactly similar to {@link #get()}, but returning a new {@link SecureRandom}.
-     */
-    public static SecureRandom createSecure() {
-        if (currentMethod != null && getRandomMethod != null) {
-            // tests, so just use a seed from the non secure random
-            byte[] seed = new byte[16];
-            get().nextBytes(seed);
-            return new SecureRandom(seed);
-        } else {
-            return new SecureRandom();
-        }
-    }
-
     @SuppressForbidden(reason = "ThreadLocalRandom is okay when not running tests")
     private static Random getWithoutSeed() {
         assert currentMethod == null && getRandomMethod == null : "running under tests but tried to create non-reproducible random";
diff --git a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
index a151864610521..de35e95090122 100644
--- a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
+++ b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
@@ -41,9 +41,9 @@
 import org.apache.lucene.store.IndexOutput;
 import org.apache.lucene.store.NIOFSDirectory;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.opensearch.bootstrap.SecureRandomInitializer;
 import org.opensearch.cli.ExitCodes;
 import org.opensearch.cli.UserException;
-import org.opensearch.common.Randomness;
 import org.opensearch.common.SetOnce;
 import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.crypto.KeyStoreType;
@@ -78,7 +78,6 @@
 import java.nio.file.attribute.PosixFilePermissions;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Enumeration;
@@ -122,6 +121,11 @@ private static class Entry {
         }
     }
 
+    static {
+        // Instantiates new SecureRandom if caller is KeyStoreCli, otherwise obtains the existent.
+        SecureRandomInitializer.init();
+    }
+
     /**
      * A regex for the valid characters that a setting name in the keystore may use.
      */
@@ -221,11 +225,10 @@ public static KeyStoreWrapper create() {
     /** Add the bootstrap seed setting, which may be used as a unique, secure, random value by the node */
     public static void addBootstrapSeed(KeyStoreWrapper wrapper) {
         assert wrapper.getSettingNames().contains(SEED_SETTING.getKey()) == false;
-        SecureRandom random = Randomness.createSecure();
         int passwordLength = 20; // Generate 20 character passwords
         char[] characters = new char[passwordLength];
         for (int i = 0; i < passwordLength; ++i) {
-            characters[i] = SEED_CHARS[random.nextInt(SEED_CHARS.length)];
+            characters[i] = SEED_CHARS[CryptoServicesRegistrar.getSecureRandom().nextInt(SEED_CHARS.length)];
         }
         wrapper.setString(SEED_SETTING.getKey(), characters);
         Arrays.fill(characters, (char) 0);
@@ -538,15 +541,14 @@ public synchronized void save(Path configDir, char[] password) throws Exception
             output.writeByte(password.length == 0 ? (byte) 0 : (byte) 1);
 
             // new cipher params
-            SecureRandom random = Randomness.createSecure();
             // use 64 bytes salt, which surpasses that recommended by OWASP
             // see https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
             byte[] salt = new byte[64];
-            random.nextBytes(salt);
+            CryptoServicesRegistrar.getSecureRandom().nextBytes(salt);
             // use 96 bits (12 bytes) for IV as recommended by NIST
             // see http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf section 5.2.1.1
             byte[] iv = new byte[12];
-            random.nextBytes(iv);
+            CryptoServicesRegistrar.getSecureRandom().nextBytes(iv);
             // encrypted data
             byte[] encryptedBytes = encrypt(password, salt, iv);
 
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index 04982aa8986d7..9c61ec1ddad27 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -101,14 +101,14 @@ grant {
     permission java.lang.RuntimePermission "getProtectionDomain";
     permission java.io.FilePermission "${java.home}/lib/security/cacerts", "read";
     permission java.io.FilePermission "${java.home}/lib/security/jssecacerts", "read";
-    permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+    permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
     permission java.security.SecurityPermission "getProperty.keystore.type.compat";
     permission java.security.SecurityPermission "getProperty.org.bouncycastle.*";
-    permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
-    permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
+    permission java.security.SecurityPermission "removeProvider.SunJCE";
     permission java.util.PropertyPermission "java.runtime.name", "read";
+    permission org.bouncycastle.crypto.CryptoServicesPermission "defaultRandomConfig";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
     permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
 };
diff --git a/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java b/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java
new file mode 100644
index 0000000000000..865347438c8e5
--- /dev/null
+++ b/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java
@@ -0,0 +1,62 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.bootstrap;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.fips.FipsSecureRandom;
+import org.opensearch.test.OpenSearchTestCase;
+import org.junit.BeforeClass;
+
+import java.security.SecureRandom;
+import java.util.Arrays;
+
+public class SecureRandomInitializerTests extends OpenSearchTestCase {
+
+    @BeforeClass
+    public static void setup() {
+        // Reset the global state if your CryptoServicesRegistrar allows it.
+        // If there's a method to unset or reset the SecureRandom, call it here.
+        // If not, the following lines are hypothetical and depend on your actual implementation.
+        CryptoServicesRegistrar.setSecureRandom(null);
+    }
+
+    public void testInitInNonFipsMode() {
+        // given
+        assertThrows(IllegalStateException.class, CryptoServicesRegistrar::getSecureRandom);
+
+        // when
+        SecureRandomInitializer.init();
+        SecureRandom secureRandom = CryptoServicesRegistrar.getSecureRandom();
+
+        // then
+        assertNotNull("SecureRandom should be initialized in non-FIPS mode", secureRandom);
+        byte[] randomBytes = new byte[16];
+        secureRandom.nextBytes(randomBytes);
+        assertEquals(inFipsJvm() ? "BCFIPS_RNG" : "SUN", secureRandom.getProvider().getName());
+        // BCFIPS 'DEFAULT' RNG algorithm defaults to 'HMAC-DRBG-SHA512'
+        assertEquals(inFipsJvm() ? "HMAC-DRBG-SHA512" : "NativePRNGBlocking", secureRandom.getAlgorithm());
+        assertEquals(inFipsJvm() ? FipsSecureRandom.class : SecureRandom.class, secureRandom.getClass());
+        assertFalse("Random bytes should not be all zeros", allZeros(randomBytes));
+
+        byte[] seed1 = secureRandom.generateSeed(16);
+        byte[] seed2 = secureRandom.generateSeed(16);
+        assertNotNull(seed1);
+        assertNotNull(seed2);
+        assertFalse("Seeds should not be identical", Arrays.equals(seed1, seed2));
+    }
+
+    private boolean allZeros(byte[] data) {
+        for (byte b : data) {
+            if (b != 0) {
+                return false;
+            }
+        }
+        return true;
+    }
+}
diff --git a/server/src/test/java/org/opensearch/bootstrap/SecurityProviderManagerTests.java b/server/src/test/java/org/opensearch/bootstrap/SecurityProviderManagerTests.java
new file mode 100644
index 0000000000000..2a92f35abae5b
--- /dev/null
+++ b/server/src/test/java/org/opensearch/bootstrap/SecurityProviderManagerTests.java
@@ -0,0 +1,171 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.bootstrap;
+
+import org.opensearch.test.OpenSearchTestCase;
+import org.junit.AfterClass;
+import org.junit.Before;
+
+import javax.crypto.Cipher;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+import java.util.Arrays;
+import java.util.Locale;
+
+import static org.opensearch.bootstrap.BootstrapForTesting.sunJceInsertFunction;
+
+public class SecurityProviderManagerTests extends OpenSearchTestCase {
+
+    private static final String BC_FIPS = "BCFIPS";
+    private static final String SUN_JCE = "SunJCE";
+
+    // BCFIPS will only provide legacy ciphers when running in general mode, otherwise approved-only mode forbids the use.
+    private static final String MODE_DEPENDENT_CIPHER_PROVIDER = inFipsJvm() ? SUN_JCE : BC_FIPS;
+
+    private static final String AES = "AES";
+    private static final String RC_4 = "RC4";
+    private static final String TRIPLE_DES = "DESedeWrap";
+    private static final String DES = "DES";
+    private static final String PBE = "PBE";
+    private static final String BLOWFISH = "Blowfish";
+
+    @Before
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        var notInstalled = Arrays.stream(Security.getProviders()).noneMatch(provider -> SUN_JCE.equals(provider.getName()));
+        if (notInstalled && sunJceInsertFunction != null) {
+            sunJceInsertFunction.get();
+        }
+        assumeTrue(
+            String.format(
+                Locale.ROOT,
+                "SunJCE provider has to be initially installed through '%s' file",
+                System.getProperty("java.security.properties", "UNDEFINED")
+            ),
+            Arrays.stream(Security.getProviders()).anyMatch(provider -> SUN_JCE.equals(provider.getName()))
+        );
+    }
+
+    @AfterClass
+    // restore the same state as before running the tests.
+    public static void removeSunJCE() {
+        if (inFipsJvm()) {
+            SecurityProviderManager.excludeSunJCE();
+        }
+    }
+
+    public void testCipherRC4() throws Exception {
+        // given
+        var cipher = Cipher.getInstance(RC_4);
+        assertEquals(RC_4, cipher.getAlgorithm());
+        assertEquals(MODE_DEPENDENT_CIPHER_PROVIDER, cipher.getProvider().getName());
+
+        // when
+        SecurityProviderManager.excludeSunJCE();
+
+        // then
+        if (inFipsJvm()) {
+            expectThrows(NoSuchAlgorithmException.class, () -> Cipher.getInstance(RC_4));
+        } else {
+            cipher = Cipher.getInstance(RC_4);
+            assertEquals(RC_4, cipher.getAlgorithm());
+            assertEquals(BC_FIPS, cipher.getProvider().getName());
+        }
+    }
+
+    public void testCipherAES() throws Exception {
+        // given
+        var cipher = Cipher.getInstance(AES);
+        assertEquals(AES, cipher.getAlgorithm());
+        assertEquals(BC_FIPS, cipher.getProvider().getName());
+
+        // when
+        SecurityProviderManager.excludeSunJCE();
+
+        // then
+        cipher = Cipher.getInstance(AES);
+        assertEquals(AES, cipher.getAlgorithm());
+        assertEquals(BC_FIPS, cipher.getProvider().getName());
+    }
+
+    public void testCipher3Des() throws Exception {
+        // given
+        var cipher = Cipher.getInstance(TRIPLE_DES);
+        assertEquals(TRIPLE_DES, cipher.getAlgorithm());
+        assertEquals(BC_FIPS, cipher.getProvider().getName());
+
+        // when
+        SecurityProviderManager.excludeSunJCE();
+
+        // then
+        cipher = Cipher.getInstance(TRIPLE_DES);
+        assertEquals(TRIPLE_DES, cipher.getAlgorithm());
+        assertEquals(BC_FIPS, cipher.getProvider().getName());
+    }
+
+    public void testCipherDes() throws Exception {
+        // given
+        var cipher = Cipher.getInstance(DES);
+        assertEquals(DES, cipher.getAlgorithm());
+        assertEquals(MODE_DEPENDENT_CIPHER_PROVIDER, cipher.getProvider().getName());
+
+        // when
+        SecurityProviderManager.excludeSunJCE();
+
+        // then
+        if (inFipsJvm()) {
+            expectThrows(NoSuchAlgorithmException.class, () -> Cipher.getInstance(DES));
+        } else {
+            cipher = Cipher.getInstance(DES);
+            assertEquals(DES, cipher.getAlgorithm());
+            assertEquals(BC_FIPS, cipher.getProvider().getName());
+        }
+    }
+
+    public void testCipherPBE() throws Exception {
+        // given
+        var cipher = Cipher.getInstance(PBE);
+        assertEquals(PBE, cipher.getAlgorithm());
+        assertEquals(SUN_JCE, cipher.getProvider().getName());
+
+        // when
+        SecurityProviderManager.excludeSunJCE();
+
+        // then
+        expectThrows(NoSuchAlgorithmException.class, () -> Cipher.getInstance(PBE));
+    }
+
+    public void testCipherBlowfish() throws Exception {
+        // given
+        var cipher = Cipher.getInstance(BLOWFISH);
+        assertEquals(BLOWFISH, cipher.getAlgorithm());
+        assertEquals(MODE_DEPENDENT_CIPHER_PROVIDER, cipher.getProvider().getName());
+
+        // when
+        SecurityProviderManager.excludeSunJCE();
+
+        // then
+        if (inFipsJvm()) {
+            expectThrows(NoSuchAlgorithmException.class, () -> Cipher.getInstance(BLOWFISH));
+        } else {
+            cipher = Cipher.getInstance(BLOWFISH);
+            assertEquals(BLOWFISH, cipher.getAlgorithm());
+            assertEquals(BC_FIPS, cipher.getProvider().getName());
+        }
+    }
+
+    public void testGetPosition() {
+        assertTrue(SUN_JCE + " is installed", SecurityProviderManager.getPosition(SUN_JCE) > 0);
+        SecurityProviderManager.excludeSunJCE();
+        assertTrue(SUN_JCE + " is uninstalled", SecurityProviderManager.getPosition(SUN_JCE) < 0);
+    }
+
+}
diff --git a/server/src/test/resources/org/opensearch/bootstrap/test.policy b/server/src/test/resources/org/opensearch/bootstrap/test.policy
index c2b5a8e9c0a4e..fe319686c38a6 100644
--- a/server/src/test/resources/org/opensearch/bootstrap/test.policy
+++ b/server/src/test/resources/org/opensearch/bootstrap/test.policy
@@ -10,4 +10,5 @@ grant {
   // allow to test Security policy and codebases
   permission java.util.PropertyPermission "*", "read,write";
   permission java.security.SecurityPermission "createPolicy.JavaPolicy";
+  permission java.security.SecurityPermission "insertProvider";
 };
diff --git a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template
index 22909ddf60013..69be28f4548c3 100644
--- a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template
+++ b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/kdc.conf.template
@@ -16,8 +16,8 @@
 # under the License.
 
 [kdcdefaults]
-    kdc_listen = 88
-    kdc_tcp_listen = 88
+    kdc_ports = 88
+    kdc_tcp_ports = 88
 
 [realms]
     ${REALM_NAME} = {
@@ -25,8 +25,7 @@
         max_life = 12h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = aes256-cts
-        # remove aes256-cts:normal since unlimited strength policy needs installed for java to use it.
-        supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
     }
 
 [logging]
diff --git a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template
index 207fe939fb7a5..a87c5b50d5cf3 100644
--- a/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template
+++ b/test/fixtures/krb5kdc-fixture/src/main/resources/provision/krb5.conf.template
@@ -33,18 +33,15 @@
     dns_canonicalize_hostname = false
     dns_lookup_kdc = false
     dns_lookup_realm = false
-    dns_uri_lookup = false
     forwardable = true
     ignore_acceptor_hostname = true
     rdns = false
-    default_tgs_enctypes = rc4-hmac
-    default_tkt_enctypes = rc4-hmac
-    permitted_enctypes = rc4-hmac
+    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     # udp_preference_limit = 1
-    kdc_timeout = 3000
     canonicalize = true
-    # See please https://seanjmullan.org/blog/2021/09/14/jdk17 (deprecate 3DES and RC4 in Kerberos)
-    allow_weak_crypto = true
+    allow_weak_crypto = false
 
 [realms]
     ${REALM_NAME} = {
@@ -52,6 +49,8 @@
         kdc = 127.0.0.1:${MAPPED_PORT}
         admin_server = ${KDC_NAME}:749
         default_domain = ${BUILD_ZONE}
+        master_key_type = aes256-cts
+        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
     }
 
 [domain_realm]
diff --git a/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java b/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java
index 76c7ce0628aac..1a5f18e8c0920 100644
--- a/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java
+++ b/test/framework/src/main/java/org/opensearch/bootstrap/BootstrapForTesting.java
@@ -37,6 +37,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.tests.util.LuceneTestCase;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.Booleans;
 import org.opensearch.common.SuppressForbidden;
 import org.opensearch.common.bootstrap.JarHell;
@@ -73,8 +74,10 @@
 import java.util.Optional;
 import java.util.Properties;
 import java.util.Set;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
+import static org.opensearch.bootstrap.SecurityProviderManager.SUN_JCE;
 import static com.carrotsearch.randomizedtesting.RandomizedTest.systemPropertyAsBoolean;
 
 /**
@@ -125,6 +128,20 @@ public class BootstrapForTesting {
         // Log ifconfig output before SecurityManager is installed
         IfConfig.logIfNecessary();
 
+        SecureRandomInitializer.init();
+
+        var sunJceProvider = java.security.Security.getProvider(SUN_JCE);
+        if (sunJceProvider != null) {
+            sunJceInsertFunction = () -> java.security.Security.insertProviderAt(
+                sunJceProvider,
+                SecurityProviderManager.getPosition(SUN_JCE)
+            );
+
+            if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
+                SecurityProviderManager.excludeSunJCE();
+            }
+        }
+
         // install security manager if requested
         if (systemPropertyAsBoolean("tests.security.manager", true)) {
             try {
@@ -202,6 +219,8 @@ public boolean implies(ProtectionDomain domain, Permission permission) {
         }
     }
 
+    static Supplier<Integer> sunJceInsertFunction;
+
     /** Add the codebase url of the given classname to the codebases map, if the class exists. */
     private static void addClassCodebase(Map<String, URL> codebases, String name, String classname) {
         try {
diff --git a/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java b/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java
new file mode 100644
index 0000000000000..90a5ce2768a30
--- /dev/null
+++ b/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java
@@ -0,0 +1,70 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.test;
+
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.crypto.KeyStoreType;
+
+import javax.security.auth.x500.X500Principal;
+import javax.security.auth.x500.X500PrivateCredential;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+
+public class KeyStoreUtils {
+
+    public static final char[] KEYSTORE_PASSWORD = "keystore_password".toCharArray();
+
+    public static KeyStore createServerKeyStore() throws Exception {
+        var serverCred = createCredential();
+        var keyStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
+        keyStore.load(null, null);
+        keyStore.setKeyEntry(
+            serverCred.getAlias(),
+            serverCred.getPrivateKey(),
+            KEYSTORE_PASSWORD,
+            new X509Certificate[] { serverCred.getCertificate() }
+        );
+        return keyStore;
+    }
+
+    private static X500PrivateCredential createCredential() throws Exception {
+        var keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(2048);
+        var keyPair = keyPairGenerator.generateKeyPair();
+        var rootCert = new JcaX509CertificateConverter().getCertificate(generateCert(keyPair));
+        return new X500PrivateCredential(rootCert, keyPair.getPrivate(), "server-ca");
+    }
+
+    private static X509CertificateHolder generateCert(KeyPair pair) throws Exception {
+        var baseTime = System.currentTimeMillis();
+        // 10 years in milliseconds
+        var validityPeriod = 10L * 365 * 24 * 60 * 60 * 1000;
+
+        var certBuilder = new JcaX509v1CertificateBuilder(
+            new X500Principal("CN=Test CA Certificate"),
+            BigInteger.valueOf(1),
+            new Date(baseTime),
+            new Date(baseTime + validityPeriod),
+            new X500Principal("CN=Test CA Certificate"),
+            pair.getPublic()
+        );
+        var signer = new JcaContentSignerBuilder("SHA256withRSA").build(pair.getPrivate());
+        return certBuilder.build(signer);
+    }
+
+}

From fe86126221546032fe08c24a71b2eb967db18899 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 9 Jan 2025 17:09:54 +0100
Subject: [PATCH 14/21] remove BC libs from 'libs:common'; revert
 SecureRandomHolder

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../gradle/info/GlobalBuildInfoPlugin.java    |  2 +-
 .../resources/forbidden/jdk-signatures.txt    |  2 +-
 client/rest/build.gradle                      | 71 +++++++++++++++++--
 client/rest/licenses/bc-fips-2.0.0.jar.sha1   |  1 -
 .../rest/licenses/bctls-fips-2.0.19.jar.sha1  |  2 +-
 .../rest/licenses/bcutil-fips-2.0.3.jar.sha1  |  1 -
 .../client/RestClientBuilderIntegTests.java   |  4 +-
 .../RestClientDocumentation.java              |  4 +-
 .../keystore/AddFileKeyStoreCommandTests.java |  3 +-
 .../keystore/CreateKeyStoreCommandTests.java  | 12 ++--
 .../cli/keystore/KeyStoreWrapperTests.java    |  4 +-
 .../keystore/ListKeyStoreCommandTests.java    |  9 +--
 .../tools/launchers/SystemJvmOptions.java     |  4 +-
 libs/common/build.gradle                      |  8 ---
 .../opensearch/common/SecureRandomHolder.java |  4 +-
 .../common/ssl/DefaultJdkTrustConfig.java     |  2 -
 .../common/ssl}/KeyStoreFactory.java          |  6 +-
 .../opensearch/common/ssl}/KeyStoreType.java  |  2 +-
 .../opensearch/common/ssl/KeyStoreUtil.java   |  2 -
 .../common/ssl/SslConfigurationLoader.java    |  4 +-
 .../opensearch/common/ssl/StoreKeyConfig.java |  2 -
 .../common/ssl/StoreTrustConfig.java          |  2 -
 .../common/ssl}/KeyStoreFactoryTests.java     |  2 +-
 .../opensearch/common/ssl/PemUtilsTests.java  |  2 -
 .../common/ssl/StoreKeyConfigTests.java       |  6 +-
 .../common/ssl/StoreTrustConfigTests.java     |  6 +-
 .../SecureNetty4HttpServerTransportTests.java |  4 +-
 .../ssl/SimpleSecureNetty4TransportTests.java |  4 +-
 .../AzureDiscoveryClusterFormationTests.java  |  4 +-
 .../gcs/GoogleCloudStorageService.java        |  4 +-
 plugins/transport-grpc/build.gradle           | 11 ---
 qa/os/build.gradle                            |  1 +
 .../packaging/util/ServerUtils.java           |  4 +-
 server/build.gradle                           |  1 +
 .../org/opensearch/bootstrap/Bootstrap.java   |  2 +-
 .../common/settings/KeyStoreWrapper.java      |  4 +-
 test/framework/build.gradle                   |  1 +
 .../licenses/bcpkix-fips-2.0.7.jar.sha1       |  0
 .../licenses/bouncycastle-LICENSE.txt         |  0
 .../licenses/bouncycastle-NOTICE.txt          |  0
 .../org/opensearch/test/KeyStoreUtils.java    |  4 +-
 .../test/rest/OpenSearchRestTestCase.java     |  2 +-
 42 files changed, 117 insertions(+), 96 deletions(-)
 delete mode 100644 client/rest/licenses/bc-fips-2.0.0.jar.sha1
 delete mode 100644 client/rest/licenses/bcutil-fips-2.0.3.jar.sha1
 rename libs/{common/src/main/java/org/opensearch/common/crypto => ssl-config/src/main/java/org/opensearch/common/ssl}/KeyStoreFactory.java (93%)
 rename libs/{common/src/main/java/org/opensearch/common/crypto => ssl-config/src/main/java/org/opensearch/common/ssl}/KeyStoreType.java (98%)
 rename libs/{common/src/test/java/org/opensearch/common/crypto => ssl-config/src/test/java/org/opensearch/common/ssl}/KeyStoreFactoryTests.java (98%)
 rename {libs/common => test/framework}/licenses/bcpkix-fips-2.0.7.jar.sha1 (100%)
 rename {libs/common => test/framework}/licenses/bouncycastle-LICENSE.txt (100%)
 rename {libs/common => test/framework}/licenses/bouncycastle-NOTICE.txt (100%)

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
index 41ef9d11d7062..6f55174e8d0f5 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -114,7 +114,7 @@ public void apply(Project project) {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
             var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-            var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-3");
+            var inFipsJvm = "FIPS-140-3".equals(cryptoStandard);
 
             params.reset();
             params.setRuntimeJavaHome(runtimeJavaHome);
diff --git a/buildSrc/src/main/resources/forbidden/jdk-signatures.txt b/buildSrc/src/main/resources/forbidden/jdk-signatures.txt
index 646f9a474524a..1ece009c57ecd 100644
--- a/buildSrc/src/main/resources/forbidden/jdk-signatures.txt
+++ b/buildSrc/src/main/resources/forbidden/jdk-signatures.txt
@@ -37,7 +37,7 @@ java.nio.file.Path#toFile()
 java.nio.file.Files#createTempDirectory(java.lang.String,java.nio.file.attribute.FileAttribute[])
 java.nio.file.Files#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute[])
 
-@defaultMessage Use org.opensearch.common.crypto.KeyStoreFactory instead of java.security.KeyStore
+@defaultMessage Use org.opensearch.common.ssl.KeyStoreFactory instead of java.security.KeyStore
 java.security.KeyStore#getInstance(java.lang.String)
 java.security.KeyStore#getInstance(java.lang.String,java.lang.String)
 java.security.KeyStore#getInstance(java.lang.String,java.security.Provider)
diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index 3bd74d7ec7734..5ba3feb3a87e0 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -51,16 +51,15 @@ dependencies {
   api "commons-codec:commons-codec:${versions.commonscodec}"
   api "commons-logging:commons-logging:${versions.commonslogging}"
   api "org.slf4j:slf4j-api:${versions.slf4j}"
-  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
-  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
+
 
   // reactor
   api "io.projectreactor:reactor-core:${versions.reactor}"
   api "org.reactivestreams:reactive-streams:${versions.reactivestreams}"
 
   testImplementation project(":client:test")
-  testImplementation project(':libs:opensearch-common')
+  testImplementation project(':libs:opensearch-ssl-config')
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   testImplementation "junit:junit:${versions.junit}"
   testImplementation "org.hamcrest:hamcrest:${versions.hamcrest}"
@@ -72,7 +71,6 @@ dependencies {
   testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
-  testImplementation "commons-io:commons-io:${versions.commonsio}"
 }
 
 tasks.named("dependencyLicenses").configure {
@@ -143,7 +141,70 @@ thirdPartyAudit {
       'io.micrometer.core.instrument.composite.CompositeMeterRegistry',
       'io.micrometer.core.instrument.search.Search',
       'reactor.blockhound.BlockHound$Builder',
-      'reactor.blockhound.integration.BlockHoundIntegration'
+      'reactor.blockhound.integration.BlockHoundIntegration',
+      'org.bouncycastle.asn1.ASN1Encodable',
+      'org.bouncycastle.asn1.ASN1InputStream',
+      'org.bouncycastle.asn1.ASN1Integer',
+      'org.bouncycastle.asn1.ASN1Object',
+      'org.bouncycastle.asn1.ASN1ObjectIdentifier',
+      'org.bouncycastle.asn1.ASN1OctetString',
+      'org.bouncycastle.asn1.ASN1Primitive',
+      'org.bouncycastle.asn1.ASN1Sequence',
+      'org.bouncycastle.asn1.ASN1String',
+      'org.bouncycastle.asn1.DERBitString',
+      'org.bouncycastle.asn1.DERNull',
+      'org.bouncycastle.asn1.bsi.BSIObjectIdentifiers',
+      'org.bouncycastle.asn1.cms.GCMParameters',
+      'org.bouncycastle.asn1.eac.EACObjectIdentifiers',
+      'org.bouncycastle.asn1.edec.EdECObjectIdentifiers',
+      'org.bouncycastle.asn1.nist.NISTObjectIdentifiers',
+      'org.bouncycastle.asn1.ocsp.OCSPResponse',
+      'org.bouncycastle.asn1.ocsp.ResponderID',
+      'org.bouncycastle.asn1.oiw.OIWObjectIdentifiers',
+      'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers',
+      'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
+      'org.bouncycastle.asn1.pkcs.RSASSAPSSparams',
+      'org.bouncycastle.asn1.rosstandart.RosstandartObjectIdentifiers',
+      'org.bouncycastle.asn1.x500.AttributeTypeAndValue',
+      'org.bouncycastle.asn1.x500.RDN',
+      'org.bouncycastle.asn1.x500.X500Name',
+      'org.bouncycastle.asn1.x500.style.BCStyle',
+      'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
+      'org.bouncycastle.asn1.x509.Certificate',
+      'org.bouncycastle.asn1.x509.DigestInfo',
+      'org.bouncycastle.asn1.x509.Extensions',
+      'org.bouncycastle.asn1.x509.KeyPurposeId',
+      'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
+      'org.bouncycastle.asn1.x509.X509ObjectIdentifiers',
+      'org.bouncycastle.asn1.x9.ECNamedCurveTable',
+      'org.bouncycastle.asn1.x9.X9ObjectIdentifiers',
+      'org.bouncycastle.crypto.KDFCalculator',
+      'org.bouncycastle.crypto.fips.FipsDRBG',
+      'org.bouncycastle.crypto.fips.FipsDRBG$Base',
+      'org.bouncycastle.crypto.fips.FipsDRBG$Builder',
+      'org.bouncycastle.crypto.fips.FipsKDF',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSOperatorFactory',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSPRF',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSParametersBuilder',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSParametersWithPRFBuilder',
+      'org.bouncycastle.crypto.fips.FipsNonceGenerator',
+      'org.bouncycastle.crypto.fips.FipsSecureRandom',
+      'org.bouncycastle.jcajce.io.OutputStreamFactory',
+      'org.bouncycastle.jcajce.spec.DHDomainParameterSpec',
+      'org.bouncycastle.jcajce.util.JcaJceHelper',
+      'org.bouncycastle.math.ec.ECCurve',
+      'org.bouncycastle.math.ec.ECFieldElement',
+      'org.bouncycastle.math.ec.ECPoint',
+      'org.bouncycastle.util.Arrays',
+      'org.bouncycastle.util.BigIntegers',
+      'org.bouncycastle.util.IPAddress',
+      'org.bouncycastle.util.Integers',
+      'org.bouncycastle.util.Pack',
+      'org.bouncycastle.util.Shorts',
+      'org.bouncycastle.util.Strings',
+      'org.bouncycastle.util.Times',
+      'org.bouncycastle.util.encoders.Hex',
+      'org.bouncycastle.util.io.Streams'
    )
    ignoreViolations(
       'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'
diff --git a/client/rest/licenses/bc-fips-2.0.0.jar.sha1 b/client/rest/licenses/bc-fips-2.0.0.jar.sha1
deleted file mode 100644
index d635985983ebc..0000000000000
--- a/client/rest/licenses/bc-fips-2.0.0.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab
diff --git a/client/rest/licenses/bctls-fips-2.0.19.jar.sha1 b/client/rest/licenses/bctls-fips-2.0.19.jar.sha1
index 2c7aff0e46a13..387635e9e1594 100644
--- a/client/rest/licenses/bctls-fips-2.0.19.jar.sha1
+++ b/client/rest/licenses/bctls-fips-2.0.19.jar.sha1
@@ -1 +1 @@
-9cc33650ede63bc1a8281ed5c8e1da314d50bc76
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76
\ No newline at end of file
diff --git a/client/rest/licenses/bcutil-fips-2.0.3.jar.sha1 b/client/rest/licenses/bcutil-fips-2.0.3.jar.sha1
deleted file mode 100644
index d553536576656..0000000000000
--- a/client/rest/licenses/bcutil-fips-2.0.3.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-a1857cd639295b10cc90e6d31ecbc523cdafcc19
\ No newline at end of file
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index e48648964f3f6..e7c83dcf68e94 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -39,8 +39,8 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
diff --git a/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java b/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java
index 60cbf689d8853..4a642cc6fe300 100644
--- a/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java
+++ b/client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java
@@ -67,7 +67,7 @@
 import org.opensearch.client.RestClient;
 import org.opensearch.client.RestClientBuilder;
 import org.opensearch.client.RestClientBuilder.HttpClientConfigCallback;
-import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreFactory;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -85,7 +85,7 @@
 import java.util.Iterator;
 import java.util.concurrent.CountDownLatch;
 
-import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
+import static org.opensearch.common.ssl.KeyStoreType.PKCS_12;
 
 /**
  * This class is used to generate the Java low-level REST client documentation.
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
index b09e2a921f5fc..e017ac2241fc9 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddFileKeyStoreCommandTests.java
@@ -95,8 +95,7 @@ public void testMissingCreateWithEmptyPasswordWithoutPromptIfForced() throws Exc
     }
 
     public void testMissingNoCreate() throws Exception {
-        var password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        var password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addTextInput("n"); // explicit no
         execute("foo");
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java
index 11755400cb16b..1596f24c024fd 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/CreateKeyStoreCommandTests.java
@@ -58,8 +58,7 @@ protected Environment createEnv(Map<String, String> settings) throws UserExcepti
     }
 
     public void testNotMatchingPasswords() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addSecretInput("notthekeystorepasswordyouarelookingfor");
         UserException e = expectThrows(UserException.class, () -> execute(randomFrom("-p", "--password")));
@@ -75,8 +74,7 @@ public void testDefaultNotPromptForPassword() throws Exception {
     }
 
     public void testPosix() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addSecretInput(password);
         execute(randomFrom("-p", "--password"));
@@ -85,8 +83,7 @@ public void testPosix() throws Exception {
     }
 
     public void testNotPosix() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addSecretInput(password);
         env = setupEnv(false, fileSystems);
@@ -96,8 +93,7 @@ public void testNotPosix() throws Exception {
     }
 
     public void testOverwrite() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
 
         Path keystoreFile = KeyStoreWrapper.keystorePath(env.configDir());
         byte[] content = "not a keystore".getBytes(StandardCharsets.UTF_8);
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
index 43af00622954b..63bb6be3b13f8 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java
@@ -39,9 +39,9 @@
 import org.apache.lucene.store.IndexOutput;
 import org.apache.lucene.store.NIOFSDirectory;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.settings.KeyStoreWrapper;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.common.util.io.IOUtils;
 import org.opensearch.core.common.settings.SecureString;
 import org.opensearch.env.Environment;
diff --git a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
index 63e9bbbdf7849..4ca5e88c47b30 100644
--- a/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java
@@ -61,8 +61,7 @@ public void testMissing() throws Exception {
     }
 
     public void testEmpty() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         createKeystore(password);
         terminal.addSecretInput(password);
         execute();
@@ -70,8 +69,7 @@ public void testEmpty() throws Exception {
     }
 
     public void testOne() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         createKeystore(password, "foo", "bar");
         terminal.addSecretInput(password);
         execute();
@@ -79,8 +77,7 @@ public void testOne() throws Exception {
     }
 
     public void testMultiple() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         createKeystore(password, "foo", "1", "baz", "2", "bar", "3");
         terminal.addSecretInput(password);
         execute();
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index 15b38e50fee4e..60e3085e864b3 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -94,7 +94,7 @@ static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeV
 
     private static String enableFips() {
         var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_3)) {
+        if (FIPS_140_3.equals(cryptoStandard)) {
             return "-Dorg.bouncycastle.fips.approved_only=true";
         }
         return "";
@@ -103,7 +103,7 @@ private static String enableFips() {
     private static String loadJavaSecurityProperties(final Path config) throws FileNotFoundException {
         String securityFile;
         var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_3)) {
+        if (FIPS_140_3.equals(cryptoStandard)) {
             securityFile = "fips_java.security";
         } else {
             securityFile = "java.security";
diff --git a/libs/common/build.gradle b/libs/common/build.gradle
index e9de44f894296..41c145bc890fb 100644
--- a/libs/common/build.gradle
+++ b/libs/common/build.gradle
@@ -25,10 +25,6 @@ base {
 dependencies {
   // This dependency is used only by :libs:core for null-checking interop with other tools
   compileOnly "com.google.code.findbugs:jsr305:3.0.2"
-  compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
-  compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
-  api "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
-
   /*******
    *  !!!! NO THIRD PARTY DEPENDENCIES !!!!
    *******/
@@ -54,10 +50,6 @@ tasks.named('forbiddenApisMain').configure {
   ignoreSignaturesOfMissingClasses = true
 }
 
-tasks.named("dependencyLicenses").configure {
-    mapping from: /bc.*/, to: 'bouncycastle'
-}
-
 compileJava {
   options.compilerArgs += ['--add-modules', 'jdk.incubator.vector']
   options.compilerArgs -= '-Werror' // use of incubator modules is reported as a warning
diff --git a/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java b/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java
index 990f6968a57a2..14844293b3274 100644
--- a/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java
+++ b/libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java
@@ -32,8 +32,6 @@
 
 package org.opensearch.common;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-
 import java.security.SecureRandom;
 
 /**
@@ -43,5 +41,5 @@
  */
 class SecureRandomHolder {
     // class loading is atomic - this is a lazy & safe singleton to be used by this package
-    public static final SecureRandom INSTANCE = CryptoServicesRegistrar.getSecureRandom();
+    public static final SecureRandom INSTANCE = new SecureRandom();
 }
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
index d82716085b504..4b26c123ac026 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java
@@ -33,8 +33,6 @@
 package org.opensearch.common.ssl;
 
 import org.opensearch.common.Nullable;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreFactory.java
similarity index 93%
rename from libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
rename to libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreFactory.java
index a07c4b64b1a36..2cc41065aecdd 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreFactory.java
@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-package org.opensearch.common.crypto;
+package org.opensearch.common.ssl;
 
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.SuppressForbidden;
@@ -17,8 +17,8 @@
 import java.util.Objects;
 import java.util.stream.Collectors;
 
-import static org.opensearch.common.crypto.KeyStoreType.SECURE_KEYSTORE_TYPES;
-import static org.opensearch.common.crypto.KeyStoreType.inferStoreType;
+import static org.opensearch.common.ssl.KeyStoreType.SECURE_KEYSTORE_TYPES;
+import static org.opensearch.common.ssl.KeyStoreType.inferStoreType;
 
 /**
  * Restricts types of keystores to PKCS#11 and BCFKS when running in FIPS JVM.
diff --git a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreType.java
similarity index 98%
rename from libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
rename to libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreType.java
index 6654ee9cef40f..df106f1b5017e 100644
--- a/libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreType.java
@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-package org.opensearch.common.crypto;
+package org.opensearch.common.ssl;
 
 import java.util.HashMap;
 import java.util.List;
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
index 4d45e8df14130..48d890c25525d 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java
@@ -33,8 +33,6 @@
 package org.opensearch.common.ssl;
 
 import org.opensearch.common.Nullable;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
index 98bc97c1c8787..3733b1bcaecc7 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java
@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreType;
-
 import javax.crypto.Cipher;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -49,7 +47,7 @@
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
-import static org.opensearch.common.crypto.KeyStoreType.inferStoreType;
+import static org.opensearch.common.ssl.KeyStoreType.inferStoreType;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CERTIFICATE;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CERTIFICATE_AUTHORITIES;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CIPHERS;
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java
index c60e4d1b0f65a..858f68b3f19a2 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java
@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreType;
-
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 
diff --git a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java
index 138fff71b8a3d..709ea1adc9acb 100644
--- a/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java
+++ b/libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java
@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreType;
-
 import javax.net.ssl.X509ExtendedTrustManager;
 
 import java.nio.file.Path;
diff --git a/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/KeyStoreFactoryTests.java
similarity index 98%
rename from libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
rename to libs/ssl-config/src/test/java/org/opensearch/common/ssl/KeyStoreFactoryTests.java
index 32b5ecfbcd23c..07d3ebfaa8fba 100644
--- a/libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/KeyStoreFactoryTests.java
@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-package org.opensearch.common.crypto;
+package org.opensearch.common.ssl;
 
 import com.carrotsearch.randomizedtesting.generators.RandomStrings;
 
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
index a0d15258ed3ca..71bb51a4edd9e 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java
@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.test.OpenSearchTestCase;
 
 import java.nio.file.Files;
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
index 6df03f72a0be8..1fd1828f1039c 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreKeyConfigTests.java
@@ -48,9 +48,9 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 
-import static org.opensearch.common.crypto.KeyStoreType.BCFKS;
-import static org.opensearch.common.crypto.KeyStoreType.JKS;
-import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
+import static org.opensearch.common.ssl.KeyStoreType.BCFKS;
+import static org.opensearch.common.ssl.KeyStoreType.JKS;
+import static org.opensearch.common.ssl.KeyStoreType.PKCS_12;
 import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.containsInAnyOrder;
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
index 3ba0c39e9d7e6..0614e36ccfb1d 100644
--- a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java
@@ -49,9 +49,9 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import static org.opensearch.common.crypto.KeyStoreType.BCFKS;
-import static org.opensearch.common.crypto.KeyStoreType.JKS;
-import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
+import static org.opensearch.common.ssl.KeyStoreType.BCFKS;
+import static org.opensearch.common.ssl.KeyStoreType.JKS;
+import static org.opensearch.common.ssl.KeyStoreType.PKCS_12;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.nullValue;
 
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
index 0a801a0f58f02..949b5e4ddd303 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java
@@ -10,13 +10,13 @@
 
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.opensearch.OpenSearchException;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.network.NetworkAddress;
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.util.MockBigArrays;
 import org.opensearch.common.util.MockPageCacheRecycler;
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
index 2502a77af50e0..c4272e03d27b5 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
@@ -11,11 +11,11 @@
 import org.apache.lucene.tests.util.LuceneTestCase;
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.network.NetworkService;
 import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.common.util.PageCacheRecycler;
 import org.opensearch.common.util.io.IOUtils;
 import org.opensearch.common.util.net.NetUtils;
diff --git a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
index f48b20d52f601..fcc116f993181 100644
--- a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
+++ b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java
@@ -41,10 +41,10 @@
 import org.apache.logging.log4j.LogManager;
 import org.opensearch.cloud.azure.classic.management.AzureComputeService;
 import org.opensearch.common.SuppressForbidden;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.core.util.FileSystemUtils;
 import org.opensearch.discovery.DiscoveryModule;
 import org.opensearch.env.Environment;
diff --git a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
index 80d3f70614ea1..4d6c6e2e425a2 100644
--- a/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
+++ b/plugins/repository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
@@ -46,8 +46,8 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.opensearch.common.collect.MapBuilder;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.core.common.Strings;
 
diff --git a/plugins/transport-grpc/build.gradle b/plugins/transport-grpc/build.gradle
index 5c6bc8efe1098..c94b71f2e0b6c 100644
--- a/plugins/transport-grpc/build.gradle
+++ b/plugins/transport-grpc/build.gradle
@@ -51,17 +51,6 @@ thirdPartyAudit {
     'org.apache.log4j.Level',
     'org.apache.log4j.Logger',
 
-    // from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
-    'org.bouncycastle.cert.X509v3CertificateBuilder',
-    'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
-    'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
-    'org.bouncycastle.openssl.PEMEncryptedKeyPair',
-    'org.bouncycastle.openssl.PEMParser',
-    'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-    'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder',
-    'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder',
-    'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo',
-
     // from io.netty.handler.ssl.JettyNpnSslEngine (netty)
     'org.eclipse.jetty.npn.NextProtoNego$ClientProvider',
     'org.eclipse.jetty.npn.NextProtoNego$ServerProvider',
diff --git a/qa/os/build.gradle b/qa/os/build.gradle
index 082ed5277575a..0ab861e96d79a 100644
--- a/qa/os/build.gradle
+++ b/qa/os/build.gradle
@@ -49,6 +49,7 @@ dependencies {
 
   api project(':libs:opensearch-common')
   api project(':libs:opensearch-core')
+  api project(':libs:opensearch-ssl-config')
 
   testImplementation "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}"
   testImplementation "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
diff --git a/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java b/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java
index 04ef48f61c95c..4c6e0319c7b1c 100644
--- a/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java
+++ b/qa/os/src/test/java/org/opensearch/packaging/util/ServerUtils.java
@@ -48,8 +48,8 @@
 import org.apache.http.util.EntityUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
diff --git a/server/build.gradle b/server/build.gradle
index f12dfaaba91de..04332d816d7a4 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -69,6 +69,7 @@ dependencies {
   api project(":libs:opensearch-geo")
   api project(":libs:opensearch-telemetry")
   api project(":libs:opensearch-task-commons")
+  api project(":libs:opensearch-ssl-config")
 
   compileOnly project(':libs:opensearch-plugin-classloader')
   testRuntimeOnly project(':libs:opensearch-plugin-classloader')
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index 650bca01f0359..455a06293a0fe 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -199,7 +199,7 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
         SecureRandomInitializer.init();
 
         var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
-        if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-3")) {
+        if ("FIPS-140-3".equals(cryptoStandard)) {
             LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
             SecurityProviderManager.excludeSunJCE();
         }
diff --git a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
index de35e95090122..dae5c78b9645f 100644
--- a/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
+++ b/server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java
@@ -45,9 +45,9 @@
 import org.opensearch.cli.ExitCodes;
 import org.opensearch.cli.UserException;
 import org.opensearch.common.SetOnce;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 import org.opensearch.common.hash.MessageDigests;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.core.common.settings.SecureString;
 
 import javax.crypto.AEADBadTagException;
diff --git a/test/framework/build.gradle b/test/framework/build.gradle
index 84a536fdf62c8..dea05f42a7532 100644
--- a/test/framework/build.gradle
+++ b/test/framework/build.gradle
@@ -49,6 +49,7 @@ dependencies {
   api "org.mockito:mockito-core:${versions.mockito}"
   api "net.bytebuddy:byte-buddy:${versions.bytebuddy}"
   api "org.objenesis:objenesis:${versions.objenesis}"
+  api "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
 
   annotationProcessor "org.apache.logging.log4j:log4j-core:${versions.log4j}"
 }
diff --git a/libs/common/licenses/bcpkix-fips-2.0.7.jar.sha1 b/test/framework/licenses/bcpkix-fips-2.0.7.jar.sha1
similarity index 100%
rename from libs/common/licenses/bcpkix-fips-2.0.7.jar.sha1
rename to test/framework/licenses/bcpkix-fips-2.0.7.jar.sha1
diff --git a/libs/common/licenses/bouncycastle-LICENSE.txt b/test/framework/licenses/bouncycastle-LICENSE.txt
similarity index 100%
rename from libs/common/licenses/bouncycastle-LICENSE.txt
rename to test/framework/licenses/bouncycastle-LICENSE.txt
diff --git a/libs/common/licenses/bouncycastle-NOTICE.txt b/test/framework/licenses/bouncycastle-NOTICE.txt
similarity index 100%
rename from libs/common/licenses/bouncycastle-NOTICE.txt
rename to test/framework/licenses/bouncycastle-NOTICE.txt
diff --git a/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java b/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java
index 90a5ce2768a30..d30528f9da132 100644
--- a/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java
+++ b/test/framework/src/main/java/org/opensearch/test/KeyStoreUtils.java
@@ -12,8 +12,8 @@
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 
 import javax.security.auth.x500.X500Principal;
 import javax.security.auth.x500.X500PrivateCredential;
diff --git a/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java b/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java
index d7b29b57f3934..32af1e39628e2 100644
--- a/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/test/rest/OpenSearchRestTestCase.java
@@ -60,9 +60,9 @@
 import org.opensearch.client.WarningsHandler;
 import org.opensearch.common.CheckedRunnable;
 import org.opensearch.common.SetOnce;
-import org.opensearch.common.crypto.KeyStoreFactory;
 import org.opensearch.common.io.PathUtils;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.common.ssl.KeyStoreFactory;
 import org.opensearch.common.unit.TimeValue;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.util.io.IOUtils;

From 945ec7d14b46d8c4d251e1683b20ad0449a9a9b4 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Thu, 16 Jan 2025 20:54:45 +0100
Subject: [PATCH 15/21] loosen some direct BC dependencies

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 build.gradle                                  |  2 +-
 buildSrc/build.gradle                         |  5 +-
 .../gradle/SecureRandomProvider.java          | 46 +++++++++++++++++++
 .../gradle/http/WaitForHttpResource.java      |  9 ++--
 .../gradle/info/FipsBuildParams.java          | 25 ++++++++++
 .../gradle/info/GlobalBuildInfoPlugin.java    | 10 ++--
 client/rest/build.gradle                      | 15 ++++--
 .../client/RestClientBuilderIntegTests.java   |  2 +-
 .../HeapBufferedAsyncEntityConsumerTests.java | 18 ++++----
 client/test/build.gradle                      |  8 +---
 10 files changed, 105 insertions(+), 35 deletions(-)
 create mode 100644 buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java
 create mode 100644 buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java

diff --git a/build.gradle b/build.gradle
index 27e1bde68b4f6..d8dea5e5a9908 100644
--- a/build.gradle
+++ b/build.gradle
@@ -562,7 +562,7 @@ subprojects {
   // test with FIPS-140-3 enabled
   plugins.withType(JavaPlugin).configureEach {
     tasks.withType(Test).configureEach { testTask ->
-      if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
+      if (BuildParams.inFipsJvm == true) {
         testTask.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
       }
     }
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 7b22d612bc267..75b3215dbaff7 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -123,8 +123,9 @@ dependencies {
   api 'org.jruby.joni:joni:2.2.1'
   api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
   api "org.ajoberstar.grgit:grgit-core:5.2.1"
-  api "org.bouncycastle:bc-fips:${props.getProperty('bouncycastle_jce')}"
-
+  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
+    api "org.bouncycastle:bc-fips:${props.getProperty('bouncycastle_jce')}"
+  }
 
   testFixturesApi "junit:junit:${props.getProperty('junit')}"
   testFixturesApi "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${props.getProperty('randomizedrunner')}"
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java b/buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java
new file mode 100644
index 0000000000000..efcdc44249e61
--- /dev/null
+++ b/buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java
@@ -0,0 +1,46 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.gradle;
+
+import org.opensearch.gradle.info.FipsBuildParams;
+
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+
+public class SecureRandomProvider {
+
+    private final static MethodHandle MH_BC_SECURE_RANDOM;
+
+    static {
+        MethodHandle mh = null;
+        if (FipsBuildParams.isInFipsMode()) {
+            try {
+                final Class<?> cryptoServicesRegistrarClass = Class.forName("org.bouncycastle.crypto.CryptoServicesRegistrar");
+                mh = MethodHandles.publicLookup()
+                    .findStatic(cryptoServicesRegistrarClass, "getSecureRandom", MethodType.methodType(SecureRandom.class));
+            } catch (final Throwable ex) {
+                throw new SecurityException("Unable to find org.bouncycastle.crypto.CryptoServicesRegistrar instance", ex);
+            }
+        }
+        MH_BC_SECURE_RANDOM = mh;
+    }
+
+    public static SecureRandom getSecureRandom() throws GeneralSecurityException {
+        if (MH_BC_SECURE_RANDOM == null) {
+            return new SecureRandom();
+        } else try {
+            return (SecureRandom) MH_BC_SECURE_RANDOM.invoke();
+        } catch (final Throwable ex) {
+            throw new GeneralSecurityException(ex);
+        }
+    }
+}
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java b/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
index 62f2621be7924..c13c120d058ef 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
@@ -32,10 +32,11 @@
 
 package org.opensearch.gradle.http;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import de.thetaphi.forbiddenapis.SuppressForbidden;
+
+import org.opensearch.gradle.SecureRandomProvider;
 import org.gradle.api.logging.Logger;
 import org.gradle.api.logging.Logging;
-import org.gradle.internal.impldep.com.jcraft.jsch.annotations.SuppressForbiddenApi;
 
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManager;
@@ -240,7 +241,7 @@ private KeyStore buildTrustStoreFromCA() throws GeneralSecurityException, IOExce
         return store;
     }
 
-    @SuppressForbiddenApi("runs exclusively in test-context without KeyStoreFactory on classpath.")
+    @SuppressForbidden
     private KeyStore getKeyStoreInstance(String type) throws KeyStoreException {
         return KeyStore.getInstance(type);
     }
@@ -250,7 +251,7 @@ private SSLContext createSslContext(KeyStore trustStore) throws GeneralSecurityE
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         tmf.init(trustStore);
         SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), CryptoServicesRegistrar.getSecureRandom());
+        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), SecureRandomProvider.getSecureRandom());
         return sslContext;
     }
 
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
new file mode 100644
index 0000000000000..965702b8dc011
--- /dev/null
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.gradle.info;
+
+public class FipsBuildParams {
+
+    private static final String FIPS_MODE = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
+
+    private FipsBuildParams() {}
+
+    public static boolean isInFipsMode() {
+        return "FIPS-140-3".equals(FIPS_MODE);
+    }
+
+    public static String getFipsMode() {
+        return FIPS_MODE;
+    }
+
+}
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
index 6f55174e8d0f5..fe354097640f7 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -77,7 +77,6 @@ public class GlobalBuildInfoPlugin implements Plugin<Project> {
     private static final Logger LOGGER = Logging.getLogger(GlobalBuildInfoPlugin.class);
     private static final String DEFAULT_LEGACY_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/LegacyESVersion.java";
     private static final String DEFAULT_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/Version.java";
-    protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
     private static Integer _defaultParallel = null;
 
     private final JvmMetadataDetector jvmMetadataDetector;
@@ -113,8 +112,6 @@ public void apply(Project project) {
         BuildParams.init(params -> {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
-            var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-            var inFipsJvm = "FIPS-140-3".equals(cryptoStandard);
 
             params.reset();
             params.setRuntimeJavaHome(runtimeJavaHome);
@@ -132,7 +129,7 @@ public void apply(Project project) {
             params.setIsCi(System.getenv("JENKINS_URL") != null);
             params.setIsInternal(isInternal);
             params.setDefaultParallel(findDefaultParallel(project));
-            params.setInFipsJvm(inFipsJvm);
+            params.setInFipsJvm(FipsBuildParams.isInFipsMode());
             params.setIsSnapshotBuild(Util.getBooleanProperty("build.snapshot", true));
             if (isInternal) {
                 params.setBwcVersions(resolveBwcVersions(rootDir));
@@ -166,7 +163,6 @@ private void logGlobalBuildInfo() {
         final String osArch = System.getProperty("os.arch");
         final Jvm gradleJvm = Jvm.current();
         final String gradleJvmDetails = getJavaInstallation(gradleJvm.getJavaHome()).getDisplayName();
-        final String cryptStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
 
         LOGGER.quiet("=======================================");
         LOGGER.quiet("OpenSearch Build Hamster says Hello!");
@@ -183,8 +179,8 @@ private void logGlobalBuildInfo() {
             LOGGER.quiet("  JAVA_HOME             : " + gradleJvm.getJavaHome());
         }
         LOGGER.quiet("  Random Testing Seed   : " + BuildParams.getTestSeed());
-        if (cryptStandard != null && cryptStandard.equals("FIPS-140-3")) {
-            LOGGER.quiet("  Crypto Standard       : FIPS-140-3");
+        if (FipsBuildParams.isInFipsMode()) {
+            LOGGER.quiet("  Crypto Standard       : " + FipsBuildParams.getFipsMode());
         } else {
             LOGGER.quiet("  Crypto Standard       : any-supported");
         }
diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index 5ba3feb3a87e0..d3955602360b6 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -34,8 +34,8 @@ apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.publish'
 
 java {
-  targetCompatibility = JavaVersion.VERSION_11
-  sourceCompatibility = JavaVersion.VERSION_11
+  targetCompatibility = JavaVersion.VERSION_1_8
+  sourceCompatibility = JavaVersion.VERSION_1_8
 }
 
 base {
@@ -51,15 +51,13 @@ dependencies {
   api "commons-codec:commons-codec:${versions.commonscodec}"
   api "commons-logging:commons-logging:${versions.commonslogging}"
   api "org.slf4j:slf4j-api:${versions.slf4j}"
-  api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
-
+  runtimeOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
 
   // reactor
   api "io.projectreactor:reactor-core:${versions.reactor}"
   api "org.reactivestreams:reactive-streams:${versions.reactivestreams}"
 
   testImplementation project(":client:test")
-  testImplementation project(':libs:opensearch-ssl-config')
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   testImplementation "junit:junit:${versions.junit}"
   testImplementation "org.hamcrest:hamcrest:${versions.hamcrest}"
@@ -80,6 +78,7 @@ tasks.named("dependencyLicenses").configure {
 tasks.withType(CheckForbiddenApis).configureEach {
   //client does not depend on server, so only jdk and http signatures should be checked
   replaceSignatureFiles('jdk-signatures', 'http-signatures')
+  classpath += files(project(':libs:opensearch-ssl-config').jar.archiveFile)
 }
 
 tasks.named('forbiddenApisTest').configure {
@@ -212,8 +211,14 @@ thirdPartyAudit {
 }
 
 tasks.withType(JavaCompile) {
+  classpath += files(project(':libs:opensearch-ssl-config').jar.archiveFile)
   // Suppressing '[options] target value 8 is obsolete and will be removed in a future release'
   configure(options) {
     options.compilerArgs << '-Xlint:-options'
+    options.compilerArgs -= '-Werror' // use of incubator modules is reported as a warning
   }
 }
+
+tasks.withType(Test).configureEach {
+  classpath += files(project(':libs:opensearch-ssl-config').jar.archiveFile)
+}
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index e7c83dcf68e94..82a37ac29b545 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -138,7 +138,7 @@ private static SSLContext getSslContext(boolean server) throws Exception {
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             tmf.init(trustStore);
 
-            var sslContextBuilder = SSLContextBuilder.create()
+            SSLContextBuilder sslContextBuilder = SSLContextBuilder.create()
                 .setProvider("BCJSSE")
                 .setProtocol(getProtocol())
                 .setSecureRandom(secureRandom);
diff --git a/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java b/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
index 6a4b176edd011..fdfe49ca901c9 100644
--- a/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/nio/HeapBufferedAsyncEntityConsumerTests.java
@@ -35,34 +35,34 @@ public void tearDown() {
     }
 
     public void testConsumerAllocatesBufferLimit() throws IOException {
-        consumer.consume(randomByteBufferOfLength(1000).flip());
+        consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(1000));
     }
 
     public void testConsumerAllocatesEmptyBuffer() throws IOException {
-        consumer.consume(ByteBuffer.allocate(0).flip());
+        consumer.consume((ByteBuffer) ByteBuffer.allocate(0).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(0));
     }
 
     public void testConsumerExpandsBufferLimits() throws IOException {
-        consumer.consume(randomByteBufferOfLength(1000).flip());
-        consumer.consume(randomByteBufferOfLength(2000).flip());
-        consumer.consume(randomByteBufferOfLength(3000).flip());
+        consumer.consume((ByteBuffer) randomByteBufferOfLength(1000).flip());
+        consumer.consume((ByteBuffer) randomByteBufferOfLength(2000).flip());
+        consumer.consume((ByteBuffer) randomByteBufferOfLength(3000).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(6000));
     }
 
     public void testConsumerAllocatesLimit() throws IOException {
-        consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip());
+        consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip());
         assertThat(consumer.getBuffer().capacity(), equalTo(BUFFER_LIMIT));
     }
 
     public void testConsumerFailsToAllocateOverLimit() throws IOException {
-        assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT + 1).flip()));
+        assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT + 1).flip()));
     }
 
     public void testConsumerFailsToExpandOverLimit() throws IOException {
-        consumer.consume(randomByteBufferOfLength(BUFFER_LIMIT).flip());
-        assertThrows(ContentTooLongException.class, () -> consumer.consume(randomByteBufferOfLength(1).flip()));
+        consumer.consume((ByteBuffer) randomByteBufferOfLength(BUFFER_LIMIT).flip());
+        assertThrows(ContentTooLongException.class, () -> consumer.consume((ByteBuffer) randomByteBufferOfLength(1).flip()));
     }
 
     private static ByteBuffer randomByteBufferOfLength(int length) {
diff --git a/client/test/build.gradle b/client/test/build.gradle
index 4c59fc1a07d99..f877bcd08d773 100644
--- a/client/test/build.gradle
+++ b/client/test/build.gradle
@@ -43,12 +43,8 @@ dependencies {
   api "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   api "junit:junit:${versions.junit}"
   api "org.hamcrest:hamcrest:${versions.hamcrest}"
-  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
-  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
-}
-
-tasks.named("dependencyLicenses").configure {
-  mapping from: /bc.*/, to: 'bouncycastle'
+  runtimeOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  runtimeOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 }
 
 tasks.named('forbiddenApisMain').configure {

From cfa5d7946762138ba4f5e1e224381addcbbb3ef2 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Mon, 27 Jan 2025 10:33:05 +0100
Subject: [PATCH 16/21] set default testcluster password for all project
 modules

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 build.gradle                                  |  9 +++-
 buildSrc/build.gradle                         |  3 --
 .../gradle/SecureRandomProvider.java          | 46 -------------------
 .../gradle/http/WaitForHttpResource.java      |  4 +-
 .../gradle/info/FipsBuildParams.java          |  8 +++-
 .../gradle/testclusters/OpenSearchNode.java   |  8 ++++
 distribution/src/bin/opensearch-cli           |  6 +++
 distribution/src/bin/opensearch-cli.bat       |  6 +++
 .../ssl/TrustEverythingConfigTests.java       | 30 ++++++++++++
 .../shiro/realm/BCryptPasswordMatcher.java    |  1 +
 .../realm/BCryptPasswordMatcherTests.java     | 20 ++++++--
 plugins/repository-s3/build.gradle            | 11 -----
 .../SecureRandomInitializerTests.java         |  3 --
 13 files changed, 83 insertions(+), 72 deletions(-)
 delete mode 100644 buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java
 create mode 100644 libs/ssl-config/src/test/java/org/opensearch/common/ssl/TrustEverythingConfigTests.java

diff --git a/build.gradle b/build.gradle
index d8dea5e5a9908..cc7b5ed029364 100644
--- a/build.gradle
+++ b/build.gradle
@@ -562,11 +562,18 @@ subprojects {
   // test with FIPS-140-3 enabled
   plugins.withType(JavaPlugin).configureEach {
     tasks.withType(Test).configureEach { testTask ->
-      if (BuildParams.inFipsJvm == true) {
+      if (BuildParams.inFipsJvm) {
         testTask.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
       }
     }
   }
+  plugins.withId('opensearch.testclusters') {
+    testClusters.configureEach {
+      if (BuildParams.inFipsJvm) {
+        keystorePassword 'notarealpasswordphrase'
+      }
+    }
+  }
 }
 
 // eclipse configuration
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 75b3215dbaff7..737c03d8086d7 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -123,9 +123,6 @@ dependencies {
   api 'org.jruby.joni:joni:2.2.1'
   api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
   api "org.ajoberstar.grgit:grgit-core:5.2.1"
-  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
-    api "org.bouncycastle:bc-fips:${props.getProperty('bouncycastle_jce')}"
-  }
 
   testFixturesApi "junit:junit:${props.getProperty('junit')}"
   testFixturesApi "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${props.getProperty('randomizedrunner')}"
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java b/buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java
deleted file mode 100644
index efcdc44249e61..0000000000000
--- a/buildSrc/src/main/java/org/opensearch/gradle/SecureRandomProvider.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * SPDX-License-Identifier: Apache-2.0
- *
- * The OpenSearch Contributors require contributions made to
- * this file be licensed under the Apache-2.0 license or a
- * compatible open source license.
- */
-
-package org.opensearch.gradle;
-
-import org.opensearch.gradle.info.FipsBuildParams;
-
-import java.lang.invoke.MethodHandle;
-import java.lang.invoke.MethodHandles;
-import java.lang.invoke.MethodType;
-import java.security.GeneralSecurityException;
-import java.security.SecureRandom;
-
-public class SecureRandomProvider {
-
-    private final static MethodHandle MH_BC_SECURE_RANDOM;
-
-    static {
-        MethodHandle mh = null;
-        if (FipsBuildParams.isInFipsMode()) {
-            try {
-                final Class<?> cryptoServicesRegistrarClass = Class.forName("org.bouncycastle.crypto.CryptoServicesRegistrar");
-                mh = MethodHandles.publicLookup()
-                    .findStatic(cryptoServicesRegistrarClass, "getSecureRandom", MethodType.methodType(SecureRandom.class));
-            } catch (final Throwable ex) {
-                throw new SecurityException("Unable to find org.bouncycastle.crypto.CryptoServicesRegistrar instance", ex);
-            }
-        }
-        MH_BC_SECURE_RANDOM = mh;
-    }
-
-    public static SecureRandom getSecureRandom() throws GeneralSecurityException {
-        if (MH_BC_SECURE_RANDOM == null) {
-            return new SecureRandom();
-        } else try {
-            return (SecureRandom) MH_BC_SECURE_RANDOM.invoke();
-        } catch (final Throwable ex) {
-            throw new GeneralSecurityException(ex);
-        }
-    }
-}
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java b/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
index c13c120d058ef..75f02007a5221 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/http/WaitForHttpResource.java
@@ -34,7 +34,6 @@
 
 import de.thetaphi.forbiddenapis.SuppressForbidden;
 
-import org.opensearch.gradle.SecureRandomProvider;
 import org.gradle.api.logging.Logger;
 import org.gradle.api.logging.Logging;
 
@@ -54,6 +53,7 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.util.Arrays;
@@ -251,7 +251,7 @@ private SSLContext createSslContext(KeyStore trustStore) throws GeneralSecurityE
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         tmf.init(trustStore);
         SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), SecureRandomProvider.getSecureRandom());
+        sslContext.init(new KeyManager[0], tmf.getTrustManagers(), new SecureRandom());
         return sslContext;
     }
 
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
index 965702b8dc011..3c1852afdcc3d 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
@@ -10,7 +10,9 @@
 
 public class FipsBuildParams {
 
-    private static final String FIPS_MODE = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
+    private static final String FIPS_BUILD_PARAM = "OPENSEARCH_CRYPTO_STANDARD";
+
+    private static final String FIPS_MODE = System.getenv(FIPS_BUILD_PARAM);
 
     private FipsBuildParams() {}
 
@@ -22,4 +24,8 @@ public static String getFipsMode() {
         return FIPS_MODE;
     }
 
+    public static String getFipsBuildParam() {
+        return FIPS_BUILD_PARAM;
+    }
+
 }
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index c7af3d0a155f7..4472dcc1dfb80 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -46,6 +46,7 @@
 import org.opensearch.gradle.Version;
 import org.opensearch.gradle.VersionProperties;
 import org.opensearch.gradle.info.BuildParams;
+import org.opensearch.gradle.info.FipsBuildParams;
 import org.gradle.api.Action;
 import org.gradle.api.Named;
 import org.gradle.api.NamedDomainObjectContainer;
@@ -546,6 +547,10 @@ public synchronized void start() {
             logToProcessStdout("installed plugins");
         }
 
+        if (FipsBuildParams.isInFipsMode() && keystorePassword.isEmpty()) {
+            throw new TestClustersException("Can not start " + this + " in FIPS JVM, missing keystore password");
+        }
+
         logToProcessStdout("Creating opensearch keystore with password set to [" + keystorePassword + "]");
         if (keystorePassword.length() > 0) {
             runOpenSearchBinScriptWithInput(keystorePassword + "\n" + keystorePassword + "\n", "opensearch-keystore", "create", "-p");
@@ -791,6 +796,9 @@ private Map<String, String> getOpenSearchEnvironment() {
         // Override the system hostname variables for testing
         defaultEnv.put("HOSTNAME", HOSTNAME_OVERRIDE);
         defaultEnv.put("COMPUTERNAME", COMPUTERNAME_OVERRIDE);
+        if (FipsBuildParams.isInFipsMode()) {
+            defaultEnv.put(FipsBuildParams.getFipsBuildParam(), FipsBuildParams.getFipsMode());
+        }
 
         Set<String> commonKeys = new HashSet<>(environment.keySet());
         commonKeys.retainAll(defaultEnv.keySet());
diff --git a/distribution/src/bin/opensearch-cli b/distribution/src/bin/opensearch-cli
index 19f5d3e46d6c4..0e7cbc23a31d6 100644
--- a/distribution/src/bin/opensearch-cli
+++ b/distribution/src/bin/opensearch-cli
@@ -20,6 +20,12 @@ done
 # avoid stealing many CPU cycles; a user can override by setting OPENSEARCH_JAVA_OPTS
 OPENSEARCH_JAVA_OPTS="-Xms4m -Xmx64m -XX:+UseSerialGC ${OPENSEARCH_JAVA_OPTS}"
 
+if [ "$OPENSEARCH_CRYPTO_STANDARD" = "FIPS-140-3" ]; then
+  OPENSEARCH_JAVA_OPTS="-Dorg.bouncycastle.fips.approved_only=true \
+                        -Djava.security.properties=${OPENSEARCH_PATH_CONF}/fips_java.security \
+                        ${OPENSEARCH_JAVA_OPTS}"
+fi
+
 exec \
   "$JAVA" \
   "$XSHARE" \
diff --git a/distribution/src/bin/opensearch-cli.bat b/distribution/src/bin/opensearch-cli.bat
index f080346a4478a..4eb17d146393d 100644
--- a/distribution/src/bin/opensearch-cli.bat
+++ b/distribution/src/bin/opensearch-cli.bat
@@ -16,6 +16,12 @@ rem use a small heap size for the CLI tools, and thus the serial collector to
 rem avoid stealing many CPU cycles; a user can override by setting OPENSEARCH_JAVA_OPTS
 set OPENSEARCH_JAVA_OPTS=-Xms4m -Xmx64m -XX:+UseSerialGC %OPENSEARCH_JAVA_OPTS%
 
+if "%OPENSEARCH_CRYPTO_STANDARD%"=="FIPS-140-3" (
+    set OPENSEARCH_JAVA_OPTS=-Dorg.bouncycastle.fips.approved_only=true ^
+                             -Djava.security.properties="%OPENSEARCH_PATH_CONF%\fips_java.security" ^
+                             %OPENSEARCH_JAVA_OPTS%
+)
+
 "%JAVA%" ^
   %OPENSEARCH_JAVA_OPTS% ^
   -Dopensearch.path.home="%OPENSEARCH_HOME%" ^
diff --git a/libs/ssl-config/src/test/java/org/opensearch/common/ssl/TrustEverythingConfigTests.java b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/TrustEverythingConfigTests.java
new file mode 100644
index 0000000000000..1ea237954d41e
--- /dev/null
+++ b/libs/ssl-config/src/test/java/org/opensearch/common/ssl/TrustEverythingConfigTests.java
@@ -0,0 +1,30 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.common.ssl;
+
+import org.opensearch.test.OpenSearchTestCase;
+
+import static org.hamcrest.Matchers.containsString;
+
+public class TrustEverythingConfigTests extends OpenSearchTestCase {
+
+    public void testGetDependentFiles() {
+        assertTrue(TrustEverythingConfig.TRUST_EVERYTHING.getDependentFiles().isEmpty());
+    }
+
+    public void testCreateTrustManager() {
+        if (inFipsJvm()) {
+            Exception e = assertThrows(IllegalStateException.class, TrustEverythingConfig.TRUST_EVERYTHING::createTrustManager);
+            assertThat(e.getMessage(), containsString("not permitted in FIPS mode"));
+        } else {
+            var trustManager = TrustEverythingConfig.TRUST_EVERYTHING.createTrustManager();
+            assertNotNull(trustManager);
+        }
+    }
+}
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
index 45bf634de1ec1..55e3e3414ac2c 100644
--- a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
@@ -40,6 +40,7 @@ public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo
         return check(userToken.getPassword(), (String) info.getCredentials());
     }
 
+    @SuppressWarnings("removal")
     private boolean check(char[] password, String hash) {
         if (password == null || password.length == 0) {
             throw new IllegalStateException("Password cannot be empty or null");
diff --git a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
index 304903e27c953..451f0eae06234 100644
--- a/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
+++ b/plugins/identity-shiro/src/test/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcherTests.java
@@ -43,12 +43,22 @@ public void testCredentialDoNotMatch() {
     }
 
     public void testEmptyPassword() {
-        final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
-        when(token.getPassword()).thenReturn(randomFrom("".toCharArray(), null));
-        final AuthenticationInfo info = mock(AuthenticationInfo.class);
+        {
+            final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
+            when(token.getPassword()).thenReturn(null);
+            final AuthenticationInfo info = mock(AuthenticationInfo.class);
 
-        Exception e = assertThrows(IllegalStateException.class, () -> new BCryptPasswordMatcher().doCredentialsMatch(token, info));
-        assertThat(e.getMessage(), equalTo("Password cannot be empty or null"));
+            Exception e = assertThrows(IllegalStateException.class, () -> new BCryptPasswordMatcher().doCredentialsMatch(token, info));
+            assertThat(e.getMessage(), equalTo("Password cannot be empty or null"));
+        }
+        {
+            final UsernamePasswordToken token = mock(UsernamePasswordToken.class);
+            when(token.getPassword()).thenReturn("".toCharArray());
+            final AuthenticationInfo info = mock(AuthenticationInfo.class);
+
+            Exception e = assertThrows(IllegalStateException.class, () -> new BCryptPasswordMatcher().doCredentialsMatch(token, info));
+            assertThat(e.getMessage(), equalTo("Password cannot be empty or null"));
+        }
     }
 
     public void testEmptyHash() {
diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle
index 1832b6a165cc1..17e694e8eab04 100644
--- a/plugins/repository-s3/build.gradle
+++ b/plugins/repository-s3/build.gradle
@@ -144,13 +144,6 @@ def fixtureAddress = { fixture, name, port ->
   'http://127.0.0.1:' + ephemeralPort
 }
 
-def applyFipsConfig(OpenSearchCluster cluster) {
-  if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-3') {
-    cluster.keystorePassword 'notarealpasswordphrase'
-    cluster.environment 'OPENSEARCH_CRYPTO_STANDARD', 'FIPS-140-3'
-  }
-}
-
 // We test against two repositories, one which uses the usual two-part "permanent" credentials and
 // the other which uses three-part "temporary" or "session" credentials.
 
@@ -268,7 +261,6 @@ yamlRestTest {
 }
 
 testClusters.yamlRestTest {
-  applyFipsConfig(delegate)
   keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
   keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
 
@@ -332,7 +324,6 @@ if (useFixture) {
   check.dependsOn(yamlRestTestMinio)
 
   testClusters.yamlRestTestMinio {
-    applyFipsConfig(delegate)
     keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
     keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
     setting 's3.client.integration_test_permanent.endpoint', { "${-> fixtureAddress('minio-fixture', 'minio-fixture', '9000')}" }, IGNORE_VALUE
@@ -361,7 +352,6 @@ if (useFixture) {
   check.dependsOn(yamlRestTestECS)
 
   testClusters.yamlRestTestECS {
-    applyFipsConfig(delegate)
     setting 's3.client.integration_test_ecs.endpoint', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}" }, IGNORE_VALUE
     plugin tasks.bundlePlugin.archiveFile
     environment 'AWS_CONTAINER_CREDENTIALS_FULL_URI', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}/ecs_credentials_endpoint" }, IGNORE_VALUE
@@ -389,7 +379,6 @@ if (useFixture) {
   check.dependsOn(yamlRestTestEKS)
 
   testClusters.yamlRestTestEKS {
-    applyFipsConfig(delegate)
     keystore 's3.client.integration_test_eks.role_arn', "arn:aws:iam::000000000000:role/test"
     keystore 's3.client.integration_test_eks.role_session_name', "s3-test"
     keystore 's3.client.integration_test_eks.access_key', "access_key"
diff --git a/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java b/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java
index 865347438c8e5..34dc60030c40c 100644
--- a/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java
+++ b/server/src/test/java/org/opensearch/bootstrap/SecureRandomInitializerTests.java
@@ -20,9 +20,6 @@ public class SecureRandomInitializerTests extends OpenSearchTestCase {
 
     @BeforeClass
     public static void setup() {
-        // Reset the global state if your CryptoServicesRegistrar allows it.
-        // If there's a method to unset or reset the SecureRandom, call it here.
-        // If not, the following lines are hypothetical and depend on your actual implementation.
         CryptoServicesRegistrar.setSecureRandom(null);
     }
 

From b6097729db3ab9e70309e9fc596e09e9e15047c9 Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Fri, 31 Jan 2025 13:20:56 +0100
Subject: [PATCH 17/21] build with 'crypto.standard' gradle build parameter

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../gradle/info/FipsBuildParams.java          | 20 +++++++++++--------
 .../gradle/info/GlobalBuildInfoPlugin.java    |  2 ++
 .../gradle/testclusters/OpenSearchNode.java   |  2 +-
 .../tools/launchers/SystemJvmOptions.java     | 16 ++++-----------
 .../org/opensearch/bootstrap/Bootstrap.java   |  2 +-
 .../bootstrap/test-framework.policy           |  1 +
 6 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
index 3c1852afdcc3d..83aba1af2152d 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java
@@ -8,24 +8,28 @@
 
 package org.opensearch.gradle.info;
 
+import java.util.function.Function;
+
 public class FipsBuildParams {
 
-    private static final String FIPS_BUILD_PARAM = "OPENSEARCH_CRYPTO_STANDARD";
+    public static final String FIPS_BUILD_PARAM = "crypto.standard";
+
+    public static final String FIPS_ENV_VAR = "OPENSEARCH_CRYPTO_STANDARD";
+
+    private static String fipsMode;
 
-    private static final String FIPS_MODE = System.getenv(FIPS_BUILD_PARAM);
+    public static void init(Function<String, Object> fipsValue) {
+        fipsMode = (String) fipsValue.apply(FIPS_BUILD_PARAM);
+    }
 
     private FipsBuildParams() {}
 
     public static boolean isInFipsMode() {
-        return "FIPS-140-3".equals(FIPS_MODE);
+        return "FIPS-140-3".equals(fipsMode);
     }
 
     public static String getFipsMode() {
-        return FIPS_MODE;
-    }
-
-    public static String getFipsBuildParam() {
-        return FIPS_BUILD_PARAM;
+        return fipsMode;
     }
 
 }
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
index fe354097640f7..4c3a09c394278 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
@@ -109,6 +109,8 @@ public void apply(Project project) {
         File rootDir = project.getRootDir();
         GitInfo gitInfo = gitInfo(rootDir);
 
+        FipsBuildParams.init(project::findProperty);
+
         BuildParams.init(params -> {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
index 4472dcc1dfb80..e86496766abf9 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
@@ -797,7 +797,7 @@ private Map<String, String> getOpenSearchEnvironment() {
         defaultEnv.put("HOSTNAME", HOSTNAME_OVERRIDE);
         defaultEnv.put("COMPUTERNAME", COMPUTERNAME_OVERRIDE);
         if (FipsBuildParams.isInFipsMode()) {
-            defaultEnv.put(FipsBuildParams.getFipsBuildParam(), FipsBuildParams.getFipsMode());
+            defaultEnv.put(FipsBuildParams.FIPS_ENV_VAR, FipsBuildParams.getFipsMode());
         }
 
         Set<String> commonKeys = new HashSet<>(environment.keySet());
diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
index 60e3085e864b3..5349c81a8a851 100644
--- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
+++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -44,6 +44,8 @@ final class SystemJvmOptions {
 
     static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD";
     static final String FIPS_140_3 = "FIPS-140-3";
+    static final boolean IS_IN_FIPS_JVM = FIPS_140_3.equals(System.getenv(OPENSEARCH_CRYPTO_STANDARD))
+        || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"));
 
     static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeVersion) throws FileNotFoundException {
         return Collections.unmodifiableList(
@@ -93,21 +95,11 @@ static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeV
     }
 
     private static String enableFips() {
-        var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (FIPS_140_3.equals(cryptoStandard)) {
-            return "-Dorg.bouncycastle.fips.approved_only=true";
-        }
-        return "";
+        return IS_IN_FIPS_JVM ? "-Dorg.bouncycastle.fips.approved_only=true" : "";
     }
 
     private static String loadJavaSecurityProperties(final Path config) throws FileNotFoundException {
-        String securityFile;
-        var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (FIPS_140_3.equals(cryptoStandard)) {
-            securityFile = "fips_java.security";
-        } else {
-            securityFile = "java.security";
-        }
+        String securityFile = IS_IN_FIPS_JVM ? "fips_java.security" : "java.security";
         var securityFilePath = config.resolve(securityFile);
 
         if (!Files.exists(securityFilePath)) {
diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
index 455a06293a0fe..b3068338c0c8a 100644
--- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
+++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
@@ -199,7 +199,7 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot
         SecureRandomInitializer.init();
 
         var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
-        if ("FIPS-140-3".equals(cryptoStandard)) {
+        if ("FIPS-140-3".equals(cryptoStandard) || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"))) {
             LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
             SecurityProviderManager.excludeSunJCE();
         }
diff --git a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
index e1a3b4618035e..78f302e9b23db 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
@@ -167,4 +167,5 @@ grant {
   permission org.opensearch.secure_sm.ThreadContextPermission "markAsSystemContext";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashAndMergeHeaders";
   permission org.opensearch.secure_sm.ThreadContextPermission "stashWithOrigin";
+  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
 };

From f88d5a5b8868d1a2ac2af35f2c3577c384da562c Mon Sep 17 00:00:00 2001
From: Iwan Igonin <iigonin@sternad.de>
Date: Tue, 4 Feb 2025 15:08:57 +0100
Subject: [PATCH 18/21] run REST-tests with JKS & BCFKS keystores

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
---
 .../precommit/TestingConventionsTasks.java    |  13 +++++-
 client/rest/build.gradle                      |   5 +++
 .../client/RestClientBuilderIntegTests.java   |  22 ++++++----
 .../client/RestClientFipsAwareTestCase.java   |  26 ++++++++++++
 .../src/test/resources/test_truststore.jks    | Bin 0 -> 1097 bytes
 client/rest/src/test/resources/testks.jks     | Bin 0 -> 2381 bytes
 client/test/build.gradle                      |   2 +-
 .../opensearch/client/RestClientTestCase.java |   5 +++
 gradle/libs.versions.toml                     |   3 ++
 .../ssl/SimpleSecureNetty4TransportTests.java |   8 ++--
 server/build.gradle                           |   6 +--
 .../org/opensearch/bootstrap/security.policy  |  38 +++++++++---------
 12 files changed, 91 insertions(+), 37 deletions(-)
 create mode 100644 client/rest/src/test/java/org/opensearch/client/RestClientFipsAwareTestCase.java
 create mode 100644 client/rest/src/test/resources/test_truststore.jks
 create mode 100644 client/rest/src/test/resources/testks.jks

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/precommit/TestingConventionsTasks.java b/buildSrc/src/main/java/org/opensearch/gradle/precommit/TestingConventionsTasks.java
index 9c1285914a03e..d6812704fc8f3 100644
--- a/buildSrc/src/main/java/org/opensearch/gradle/precommit/TestingConventionsTasks.java
+++ b/buildSrc/src/main/java/org/opensearch/gradle/precommit/TestingConventionsTasks.java
@@ -40,6 +40,7 @@
 import org.gradle.api.NamedDomainObjectContainer;
 import org.gradle.api.Project;
 import org.gradle.api.Task;
+import org.gradle.api.file.ConfigurableFileCollection;
 import org.gradle.api.file.FileCollection;
 import org.gradle.api.file.FileTree;
 import org.gradle.api.plugins.jvm.JvmTestSuite;
@@ -87,6 +88,7 @@ public class TestingConventionsTasks extends DefaultTask {
 
     private final NamedDomainObjectContainer<TestingConventionRule> naming;
     private final Project project;
+    private final ConfigurableFileCollection extraClassPath = getProject().files();
 
     @Inject
     public TestingConventionsTasks(Project project) {
@@ -398,7 +400,16 @@ private boolean isAnnotated(Method method, Class<?> annotation) {
 
     @Classpath
     public FileCollection getTestsClassPath() {
-        return Util.getJavaTestSourceSet(project).get().getRuntimeClasspath();
+        return Util.getJavaTestSourceSet(project).get().getRuntimeClasspath().plus(extraClassPath);
+    }
+
+    @Classpath
+    public ConfigurableFileCollection getExtraClassPath() {
+        return extraClassPath;
+    }
+
+    public void addExtraClassPath(Object... paths) {
+        extraClassPath.from(paths);
     }
 
     private Map<String, File> walkPathAndLoadClasses(File testRoot) {
diff --git a/client/rest/build.gradle b/client/rest/build.gradle
index d3955602360b6..fe950a8db8730 100644
--- a/client/rest/build.gradle
+++ b/client/rest/build.gradle
@@ -29,6 +29,7 @@
  */
 
 import de.thetaphi.forbiddenapis.gradle.CheckForbiddenApis
+import org.opensearch.gradle.precommit.TestingConventionsTasks
 
 apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.publish'
@@ -222,3 +223,7 @@ tasks.withType(JavaCompile) {
 tasks.withType(Test).configureEach {
   classpath += files(project(':libs:opensearch-ssl-config').jar.archiveFile)
 }
+
+tasks.named("testingConventions", TestingConventionsTasks).configure {
+  addExtraClassPath(project(":libs:opensearch-ssl-config").jar.archiveFile)
+}
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
index 82a37ac29b545..96b87be327e93 100644
--- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java
@@ -66,14 +66,14 @@
 /**
  * Integration test to validate the builder builds a client with the correct configuration
  */
-public class RestClientBuilderIntegTests extends RestClientTestCase {
+public class RestClientBuilderIntegTests extends RestClientTestCase implements RestClientFipsAwareTestCase {
 
     private static HttpsServer httpsServer;
 
     @BeforeClass
     public static void startHttpServer() throws Exception {
         httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
-        httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true)));
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true, KeyStoreType.BCFKS)));
         httpsServer.createContext("/", new ResponseHandler());
         httpsServer.start();
     }
@@ -93,6 +93,11 @@ public static void stopHttpServers() throws IOException {
     }
 
     public void testBuilderUsesDefaultSSLContext() throws Exception {
+        makeRequest();
+    }
+
+    @Override
+    public void makeRequest(KeyStoreType keyStoreType) throws Exception {
         final SSLContext defaultSSLContext = SSLContext.getDefault();
         try {
             try (RestClient client = buildRestClient()) {
@@ -104,7 +109,7 @@ public void testBuilderUsesDefaultSSLContext() throws Exception {
                 }
             }
 
-            SSLContext.setDefault(getSslContext(false));
+            SSLContext.setDefault(getSslContext(false, keyStoreType));
             try (RestClient client = buildRestClient()) {
                 Response response = client.performRequest(new Request("GET", "/"));
                 assertEquals(200, response.getStatusLine().getStatusCode());
@@ -119,21 +124,22 @@ private RestClient buildRestClient() {
         return RestClient.builder(new HttpHost("https", address.getHostString(), address.getPort())).build();
     }
 
-    private static SSLContext getSslContext(boolean server) throws Exception {
+    private static SSLContext getSslContext(boolean server, KeyStoreType keyStoreType) throws Exception {
         SSLContext sslContext;
         char[] password = "password".toCharArray();
         SecureRandom secureRandom = SecureRandom.getInstance("DEFAULT", "BCFIPS");
+        String fileExtension = KeyStoreType.TYPE_TO_EXTENSION_MAP.get(keyStoreType).get(0);
 
         try (
-            InputStream trustStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test_truststore.bcfks");
-            InputStream keyStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/testks.bcfks")
+            InputStream trustStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test_truststore" + fileExtension);
+            InputStream keyStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/testks" + fileExtension)
         ) {
-            KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
+            KeyStore keyStore = KeyStoreFactory.getInstance(keyStoreType);
             keyStore.load(keyStoreFile, password);
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
             kmf.init(keyStore, password);
 
-            KeyStore trustStore = KeyStoreFactory.getInstance(KeyStoreType.BCFKS);
+            KeyStore trustStore = KeyStoreFactory.getInstance(keyStoreType);
             trustStore.load(trustStoreFile, password);
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             tmf.init(trustStore);
diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientFipsAwareTestCase.java b/client/rest/src/test/java/org/opensearch/client/RestClientFipsAwareTestCase.java
new file mode 100644
index 0000000000000..2f8e4718da5f8
--- /dev/null
+++ b/client/rest/src/test/java/org/opensearch/client/RestClientFipsAwareTestCase.java
@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.client;
+
+import org.opensearch.common.ssl.KeyStoreType;
+
+import static org.opensearch.client.RestClientTestCase.inFipsJvm;
+
+public interface RestClientFipsAwareTestCase {
+
+    default void makeRequest() throws Exception {
+        if (inFipsJvm()) {
+            makeRequest(KeyStoreType.BCFKS);
+        } else {
+            makeRequest(KeyStoreType.JKS);
+        }
+    }
+
+    void makeRequest(KeyStoreType keyStoreType) throws Exception;
+}
diff --git a/client/rest/src/test/resources/test_truststore.jks b/client/rest/src/test/resources/test_truststore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..d27635fec5040d63969f7d124d499fa1b4788d1b
GIT binary patch
literal 1097
zcmezO_TO6u1_mY|W(3pRB}JvhC8;UNsYN9~vAkwc`ArP05qhQumJAFmtOiXij0R0i
zFBdQ~F)}f+SnhC6G2mt6)N1o+`_9YA$j!=NkZ#Crz{$oO%EBhh6dDZUa0oLwI~s}^
zh=63+g?WAROY=$+GxHR}GE>V91q}E=;#|V)sX2+oC7H>FyawDL5pH3YlGNf7Lm>kJ
z5SLk)6U0@>%TGx)kQ3)MG&e9eG&eLeG%_`d66ZAnaZRCI`Z=VDQ3*K^7+D#Zn;7{S
z44N3Zn3@<F8Rk~!Npvu*UVZJX!}kZJPZHv{?2a{W-7kAh_U9z?btYUXK_a`3e~sR8
ztJ-hsvSr&3H{=z3wbENt{i$oYfPtad8tLWUtDb4~CToW-oBH+@b79%^s~)M!ag{9!
z)s~xgc)Hm9Z0xx&&LYzhu}nGj;M`~L4tK5Y50VeiX<y%UgYlO6qc8SyhqZ5cZgp^a
zVsN6Z+5FP)$4r|H^jUV>9EiBm+{dKY&Mx?Dh3UI&DWy9-kNdy3Y1&zCVq0?3+gn8M
zW^BmU&9hebbM`WL%SM>)H`p6)xX$#V^e3^_c|yKH+g&^_eww-4(bN0WeUHXpj<24|
z8#s44{mgM{<-E<DxMtGBY(pkyMh3>kjav*FHySkd1LILvkfpKRps}T$r5>2Z+690q
z4;e5vapvSFC+1}27nd}N!kKztR!V*@FxfP5!G%ql#1U*{H6}=k%#akBAuBR7kOeu2
zk420{B!;(W5m!xu6HAtD?Gnzr*6g$93L!@<Fm(eXmXRSpV9Lc_<@x_#zdfmYZjp~*
zSA=OwV)?QYCcGKR^63i|#m{zbHBCMk>ePE8)StWekcf6T@8>!Hn2u@bR@rlREmQe3
z*E!m4Dbw#AUFZ2b>f&VICND7KS>ox+=yy2j@n+^nCE4?htut-6e$*Az+UNcJvug@p
zxy3{0kBJ}Or$o&-*t0S9IK#8deQaWSimx8m{Sg0s=1fG3q~-m^ZtGbxL!O1KZ8*=P
zSUgEB^1BHS@5>p<cLj8gJh&?w*2HOk_)u7Mc+B6UZ`Ph(XxF5x(Rug$3Etq0P(4l8
zxQQ?OG!z#6_5bp90tdsMS63uOXH=O^cpNx4C{yj&uBMD*S2^D4yiah-h<=r^aoP!&
R<*x6;`XrcdUEQFS1^|>hh28)F

literal 0
HcmV?d00001

diff --git a/client/rest/src/test/resources/testks.jks b/client/rest/src/test/resources/testks.jks
new file mode 100644
index 0000000000000000000000000000000000000000..cd706db5e3834f4b44493530bca17697f32d8de2
GIT binary patch
literal 2381
zcmcgt`9IYA8vlOB80%QF%P^K4yYI*ll4T;A?8cHMVh&T*Y{!}zYjf<S$aSr8vgFuz
z(iF1B4W;Ztgb<F9!@2jK>o2&U*Xwz`-tYJ4{loKmp6B&EKURON0ssIz4)Cv__YA&G
z3_fNKX6Ang002D<qQHMZYzSsq1PBLZV4NUG55Ot#<=_{tQ#G%rrPFumiBPzvU%+Ce
z#o}Z)+>BTG4J7uREh5mJ7*;DV;dAlA=s5+KPl4wULQJdoL8~Pe7D3^*Cpn+O9sr03
zISo5KN{!m#CIL0)yz>t}H?Dji7ewQeMTpah_;lIM9lfx^{MI46EY=H2Gb87zSV!L9
zBNwGc)hcRNP-{ZbigjTAb+b#asOW1;eDvzR6aB?nZ0b51o)HL=(P6?em8T=Dtimf@
zkw!zNEH-cfeLsno#O=RbxSvAmmq_5eGP;=CTVxI0y~COhkJiND1UdLS2Ol7#CcE^d
zL>{Nth-L14Z4j+X`yfibe=ag4rVlxJp#US7Q|y@QX^G~`3fl?pyl5Y^R8rIQWW4Id
zQ{z=r`vr-qyIpkx)5AVH*xUo_`4Nx4b(N?wT{OYbRG2-rc<pTqw#u`Oi=x&eL=*Z|
zvL3yhq0`y9ALyu%FJEc+uv~jfx20S~Wwo4VzVyhRe$@sQ)G1>bCh$ubPg4`&+@r5D
zzPUX@zCiejz)?}CTe3&^u7rVdbjjY6C5l<H#aw@TcZ&~wl=mdNU5I%@pwoN7+|oWb
z@3c^ldotaePq$RYELTbtF+VcA-;q8T+~LOQ(*km^2Vd-(MJ{UgF02|x-6e~ui!*E2
zP=P+!j6-6xnyJL_CMs>@V4|cw6<vXss3L!4Knu}e8CTny6rR=dkks}}eJ|yIp30uz
zAjsIA`6`}CG#TXg8v<C}Dktmd`+t6Q@IhMRK+QcO^6^AYaDi<jYp0umUQI4ML*!wO
zq80dtcbz3<|H`KiVlD83$Z#chtYBQ6YNp?XTfg^y?NG`p1;-Z(>NVPj+>;MVdCH6G
z;*UbVqziZ{8{q|$yRDA6AbU?YM#cWH7~gF>>!8r(I*ID&@IdyK9Vh)mhm9(9QprF*
zTcmmB5ofTGhE^wgc6e}~gaOj0+F~@7<CmPSX0<Y!Me#cnv+U-4VJL1v@(Ps7EIIWJ
z)H<ryoPMV7_fF_3-4v^J=0qF#Qu^0mWwEQRy)Wa-9u4R|YHTItWx24dtgOeZMhRv0
zJriDiT-!Eo276ttd9B|<h_i9VR>M8SRe&>AqUy`aoNh?gL%tOLG=Z`F!b~nE6fm|g
zn~sp%GU*wT?a;|Lx{14y5rz@Zi*Ei`1^Asfnk+f1QoG!rBKWDm!N)n4tjm$w;#(Ms
z*y4S9lR%xR<uyyRaa(Y_HJin1qhr|BNL`w8eL0b$<yp5xJ7X$025<IK^t{|v@lC{8
zy)TWnA65Qp<0kj*a@$NLh27sqo6RHmaU%SgqJ@@|*BQ)_&M;D(fY5gLbg$IR)U0um
z(_uV$-^@m@+*B%>>-qfN9B<|yeOK)-bH747=ZNpA3?IQ6RWFHIE8S<zx$65SB2Rm<
zDlgHeDhEqQzzs7GWZ9p;F_2SI5f>gO`efbu{fcV~?x(fP{fMBSHJgUi@HE~B!hGqp
zOO=HE;j=bw>XQc_Lz$N7+B!oz5O}9z4<B1RWAE^-m$u;0(ba&kwj>>`!sl^^yX__=
zt-G_fDHBHnrXd?sZVgtfT~YRfOVPRZGOfh@@i4+lcQw=8yf9tQ<v|R5x4h6;BK(as
z>pirKyrJ1>K}mXUYH+n6o>({TY+<a~<X4vZzTG`@(O1%_Ev07~m}3SF|GgM(6tIvQ
z0Kn;w7a|BzV4rj8U?2<zS8KqzLP!LYOsqldE)oP;=mE$L!vZlO=m>BG7mQ%>U&6=*
z!|7mnA?}kO1}>zLcYv3_Gsz2WMIr`aIF6U>vChoJK=g3-^C!7rkPyp>!omgjC;Itg
z&OjU|l#Yw(grdE?U5St|9}=SqsbW+yDi|fK%5^@Z(h0@>hyMQ(p@3qii*S4+=qMmN
z08v0@7zG4@>`*WMc%Za&v|oF7I$+-EMoqJWYD_z76t$P8`b?SG)ttMjYum12Jk&V7
zsHmP6>E*Mnu22@bNiF7pFuY}Fi}583GKns-grfA-Wjf!$M<WJAamV0jbf{W&gW=_i
zd*p;EKDbc4O_4aUBYR<uMlDS?7crHKtDwFE$5m&)X$jM0#|>+>b?2e(*eKQE{W(|_
zqzG@m_}u1gR1!=yj)8OGH|*MNL9vesbIH50(wEe#5QVStcy5LF4wl>1k4ux85&=BQ
z2HOs`T4SDJht6*D#{Bb)k$L@P!=cU0W*tNP=9B^XyUy|_5eP@s-Sg0mVfsMlT$VO-
z8v~;Q0kD8v1Cc8sa`JH>QJipc97K+egWo;Aws9QCLw5Rs6ebUE7iSN5Z$Ezu&)-nt
zFXZa&c|0~0=D%fS3g7?mX^-+LlgcTR%4w4dggQxx4bBVawnyH{XAX1Hh2PQ)FJzj~
zV0fH;=5%9^r~A0EAmDBKU?@>M=V)d1wfsQ-HBPDx*3~(vs9PE7?jqurC(74<uNLdl
zLC{U?CYZ1!zTlR%MsEG%2dq;@K17R!S|o9hjkD8#0^4t(4zkBbIHFcva#dIh4fQ}{
z+ReFYx>^6*Ip;M<nzbA9oHA|r#VtKowxA0$xDDrxb=T_|9SN1hE?|MwhTv5YU7m~h
zgKxjD&n8+xZK^=O0#34Auq=-pWEJ&GleFDcW<`F^aGBtcdpSM9V?|+7rM<ASv$j8c
z^`*Qw?-E5`>fXd)H`2nLpdhX1nEE+M3Y~js@@+eX5olR{E5MTxf=!t-%Qh!Tb~aJm
hJ4YDT<kp>Z?{bYj5Ah4y>@bn_^A>sIjjET5{u3>b{aXM4

literal 0
HcmV?d00001

diff --git a/client/test/build.gradle b/client/test/build.gradle
index f877bcd08d773..afecaf685c51c 100644
--- a/client/test/build.gradle
+++ b/client/test/build.gradle
@@ -43,7 +43,7 @@ dependencies {
   api "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   api "junit:junit:${versions.junit}"
   api "org.hamcrest:hamcrest:${versions.hamcrest}"
-  runtimeOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   runtimeOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 }
 
diff --git a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
index 49ee3373a071e..9d52ee4cb3da7 100644
--- a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
+++ b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java
@@ -45,6 +45,7 @@
 import com.carrotsearch.randomizedtesting.annotations.TimeoutSuite;
 
 import org.apache.hc.core5.http.Header;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -116,6 +117,10 @@ protected static void assertHeaders(
         assertTrue("some headers that were sent weren't returned " + expectedHeaders, expectedHeaders.isEmpty());
     }
 
+    protected static boolean inFipsJvm() {
+        return CryptoServicesRegistrar.isInApprovedOnlyMode();
+    }
+
     private static void addValueToListEntry(final Map<String, List<String>> map, final String name, final String value) {
         List<String> values = map.get(name);
         if (values == null) {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 9dc0f5ad58d69..b8cd22663603f 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -119,6 +119,9 @@ reactorcore = { group = "org.reactivestreams", name = "reactive-streams", versio
 roaringbitmap = { group = "org.roaringbitmap", name = "RoaringBitmap", version.ref = "roaringbitmap" }
 spatial4j = { group = "org.locationtech.spatial4j", name = "spatial4j", version.ref = "spatial4j" }
 tdigest = { group = "com.tdunning", name = "t-digest", version.ref = "tdigest" }
+bcjce = { group = "org.bouncycastle", name = "bc-fips", version.ref = "bouncycastle_jce" }
+bctls = { group = "org.bouncycastle", name = "bctls-fips", version.ref = "bouncycastle_tls" }
+bcutil = { group = "org.bouncycastle", name = "bcutil-fips", version.ref = "bouncycastle_util" }
 
 [bundles]
 lucene = [
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
index c4272e03d27b5..c938052d321ca 100644
--- a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
+++ b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java
@@ -8,7 +8,6 @@
 
 package org.opensearch.transport.netty4.ssl;
 
-import org.apache.lucene.tests.util.LuceneTestCase;
 import org.opensearch.Version;
 import org.opensearch.cluster.node.DiscoveryNode;
 import org.opensearch.common.network.NetworkService;
@@ -67,7 +66,6 @@
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.lessThanOrEqualTo;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "")
 public class SimpleSecureNetty4TransportTests extends AbstractSimpleTransportTestCase {
     @Override
     protected Transport build(Settings settings, final Version version, ClusterSettings clusterSettings, boolean doHandshake) {
@@ -81,9 +79,11 @@ public Optional<TransportExceptionHandler> buildServerTransportExceptionHandler(
             @Override
             public Optional<SSLEngine> buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException {
                 try {
-                    final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS);
+                    var keyStoreType = inFipsJvm() ? KeyStoreType.BCFKS : KeyStoreType.JKS;
+                    var fileExtension = KeyStoreType.TYPE_TO_EXTENSION_MAP.get(keyStoreType).get(0);
+                    final KeyStore keyStore = KeyStoreFactory.getInstance(keyStoreType);
                     keyStore.load(
-                        SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.jks"),
+                        SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure" + fileExtension),
                         "password".toCharArray()
                     );
 
diff --git a/server/build.gradle b/server/build.gradle
index 04332d816d7a4..b55a0b47a0850 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -116,9 +116,9 @@ dependencies {
   api libs.roaringbitmap
 
   // bouncyCastle
-  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
-  api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
-  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
+  api libs.bcjce
+  api libs.bctls
+  api libs.bcutil
 
   testImplementation 'org.awaitility:awaitility:4.2.2'
   testImplementation(project(":test:framework")) {
diff --git a/server/src/main/resources/org/opensearch/bootstrap/security.policy b/server/src/main/resources/org/opensearch/bootstrap/security.policy
index 9c61ec1ddad27..7d416afa2bd24 100644
--- a/server/src/main/resources/org/opensearch/bootstrap/security.policy
+++ b/server/src/main/resources/org/opensearch/bootstrap/security.policy
@@ -93,26 +93,6 @@ grant codeBase "${codebase.reactor-core}" {
   permission java.net.SocketPermission "*", "connect,resolve";
 };
 
-// security
-grant {
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
-    permission java.lang.RuntimePermission "accessDeclaredMembers";
-    permission java.lang.RuntimePermission "closeClassLoader";
-    permission java.lang.RuntimePermission "getProtectionDomain";
-    permission java.io.FilePermission "${java.home}/lib/security/cacerts", "read";
-    permission java.io.FilePermission "${java.home}/lib/security/jssecacerts", "read";
-    permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-    permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-    permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
-    permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-    permission java.security.SecurityPermission "getProperty.org.bouncycastle.*";
-    permission java.security.SecurityPermission "removeProvider.SunJCE";
-    permission java.util.PropertyPermission "java.runtime.name", "read";
-    permission org.bouncycastle.crypto.CryptoServicesPermission "defaultRandomConfig";
-    permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
-    permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
-};
-
 //// Everything else:
 
 grant {
@@ -215,4 +195,22 @@ grant {
   permission java.io.FilePermission "/sys/fs/cgroup/cpuacct/-", "read";
   permission java.io.FilePermission "/sys/fs/cgroup/memory", "read";
   permission java.io.FilePermission "/sys/fs/cgroup/memory/-", "read";
+
+  // security
+  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
+  permission java.lang.RuntimePermission "accessDeclaredMembers";
+  permission java.lang.RuntimePermission "closeClassLoader";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "${java.home}/lib/security/cacerts", "read";
+  permission java.io.FilePermission "${java.home}/lib/security/jssecacerts", "read";
+  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
+  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.*";
+  permission java.security.SecurityPermission "removeProvider.SunJCE";
+  permission java.util.PropertyPermission "java.runtime.name", "read";
+  permission org.bouncycastle.crypto.CryptoServicesPermission "defaultRandomConfig";
+  permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
+  permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
 };

From 5c97dd677db82c8a731cc17d2afde050d16f823c Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 11 Feb 2025 20:37:19 -0500
Subject: [PATCH 19/21] Explicitly call closeConnectionChannel

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .../opensearch/transport/AbstractSimpleTransportTestCase.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/framework/src/main/java/org/opensearch/transport/AbstractSimpleTransportTestCase.java b/test/framework/src/main/java/org/opensearch/transport/AbstractSimpleTransportTestCase.java
index e43b0756e2f2b..f810950dd81b1 100644
--- a/test/framework/src/main/java/org/opensearch/transport/AbstractSimpleTransportTestCase.java
+++ b/test/framework/src/main/java/org/opensearch/transport/AbstractSimpleTransportTestCase.java
@@ -3122,6 +3122,7 @@ public TransportResponse read(final StreamInput in) {
                     }
                 }
             );
+            closeConnectionChannel(connection);
             assertThat(te.get(), not(nullValue()));
 
             if (failToSendException instanceof IllegalStateException) {

From c583753850950c64a0bdaa294e2f5b6a98214c6c Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 11 Feb 2025 20:43:50 -0500
Subject: [PATCH 20/21] Run on fork

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/gradle-check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gradle-check.yml b/.github/workflows/gradle-check.yml
index 577ab0c79535b..0cb58c3f6d278 100644
--- a/.github/workflows/gradle-check.yml
+++ b/.github/workflows/gradle-check.yml
@@ -33,7 +33,7 @@ jobs:
 
   gradle-check:
     needs: check-files
-    if: github.repository == 'opensearch-project/OpenSearch' && needs.check-files.outputs.RUN_GRADLE_CHECK == 'true'
+    if: needs.check-files.outputs.RUN_GRADLE_CHECK == 'true'
     permissions:
       contents: read # to fetch code (actions/checkout)
       pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)

From 2ebf326ea900ccd0a0e41c89b449923ae5cd78a4 Mon Sep 17 00:00:00 2001
From: Craig Perkins <cwperx@amazon.com>
Date: Tue, 11 Feb 2025 20:47:23 -0500
Subject: [PATCH 21/21] Remove if

Signed-off-by: Craig Perkins <cwperx@amazon.com>
---
 .github/workflows/gradle-check.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/gradle-check.yml b/.github/workflows/gradle-check.yml
index 0cb58c3f6d278..685f33ee443e0 100644
--- a/.github/workflows/gradle-check.yml
+++ b/.github/workflows/gradle-check.yml
@@ -33,7 +33,6 @@ jobs:
 
   gradle-check:
     needs: check-files
-    if: needs.check-files.outputs.RUN_GRADLE_CHECK == 'true'
     permissions:
       contents: read # to fetch code (actions/checkout)
       pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)