Framework/Helpers/ContextHelper.ps1

<#
.Description
# Context class for identity details.
# Provides functionality to log in, create a context, and get tokens for API calls.
#>

using namespace Microsoft.IdentityModel.Clients.ActiveDirectory

class ContextHelper {
    
    # Cached context for the current session. It carries the access token (see ConvertToContextObject),
    # so the token stays in static state for as long as this value is set.
    static hidden [Context] $currentContext;
    # Set by the constructors when both $env:RefreshToken and $env:ClientSecret are present.
    static hidden [bool] $IsOAuthScan;
    # When set (and no refresh is requested), GetCurrentContext([bool]) takes the interactive sign-in path.
    static hidden [bool] $PromptForLogin;
    #This will be used to carry current org under current context.
    static hidden [string] $orgName;
    static hidden [bool] $IsBatchScan;
    # Major PowerShell version. The [int] constraint turns $null into 0, which the constructors treat as "not set yet".
    static hidden [int] $PSVersion = $null;
    # Public client application object cached by GetCurrentContext([bool]) and reused by GetGraphAccess().
    static hidden $appObj = $null;
    # First account returned by GetAccountsAsync(), cached for silent token requests.
    static hidden $Account = $null;
    # True when the context was built from a PAT; GetAccessToken() then skips the expiry-driven refresh.
    static hidden $IsPATUsed = $false;

    ContextHelper()
    {
        if(-not [string]::IsNullOrWhiteSpace($env:RefreshToken) -and -not [string]::IsNullOrWhiteSpace($env:ClientSecret))  # this if block will be executed for OAuth based scan
        {
            [ContextHelper]::IsOAuthScan = $true
        }
        if (![ContextHelper]::PSVersion) {
            [ContextHelper]::PSVersion = ($global:PSVersionTable).PSVersion.major 
        }
    }

    ContextHelper([bool] $IsBatchScan)
    {
        if(-not [string]::IsNullOrWhiteSpace($env:RefreshToken) -and -not [string]::IsNullOrWhiteSpace($env:ClientSecret))  # this if block will be executed for OAuth based scan
        {
            [ContextHelper]::IsOAuthScan = $true
        }
        [ContextHelper]::IsBatchScan=$true;
        if (![ContextHelper]::PSVersion) {
            [ContextHelper]::PSVersion = ($global:PSVersionTable).PSVersion.major 
        }
    }

    hidden static [PSObject] GetCurrentContext()
    {
        return [ContextHelper]::GetCurrentContext($false);
    }

    # Returns the cached context, acquiring a new token first when there is no context yet,
    # when $authNRefresh is set, or when PromptForLogin is set.
    # OAuth scans exchange the refresh token via GetOAuthAccessToken(); otherwise the token comes from
    # Microsoft.Identity.Client (MSAL) on PowerShell > 5 and from the ADAL AuthenticationContext on older versions.
    # The acquired result is stored in the static currentContext by ConvertToContextObject().
    hidden static [PSObject] GetCurrentContext([bool]$authNRefresh)
    {
        if( (-not [ContextHelper]::currentContext) -or $authNRefresh -or [ContextHelper]::PromptForLogin)
        {
            [ContextHelper]::IsPATUsed = $false
            $clientId = [Constants]::DefaultClientId ;          
            $replyUri = [Constants]::DefaultReplyUri; 
            $adoResourceId = [Constants]::DefaultADOResourceId;
            [AuthenticationContext] $ctx = $null;

            # ADAL context against the multi-tenant "common" authority; only the PowerShell <= 5 branch below uses it.
            $ctx = [AuthenticationContext]::new("https://login.windows.net/common");

            $result = $null;

            if([ContextHelper]::IsOAuthScan) { # this if block will be executed for OAuth based scan
                # NOTE(review): GetOAuthAccessToken() returns $null on failure and that value is passed on unchecked.
                $tokenInfo = [ContextHelper]::GetOAuthAccessToken()
                [ContextHelper]::ConvertToContextObject($tokenInfo)
            }
            else {
                if ([ContextHelper]::PSVersion -gt 5) {
                    [string[]] $Scopes = "$adoResourceId/.default";
                    [Microsoft.Identity.Client.IPublicClientApplication] $app = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ClientId).Build();
                    if(![ContextHelper]::appObj) {
                        [ContextHelper]::appObj = $app
                    }

                    if (![ContextHelper]::Account) {
                        [ContextHelper]::Account = $app.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
                    }
                    $tokenSource = New-Object System.Threading.CancellationTokenSource
                    $taskAuthenticationResult=$null
                    try {
                        # NOTE(review): the outer condition already requires PromptForLogin, so the inner
                        # else branch (silent acquisition) below cannot be reached.
                        # NOTE(review): PromptForLogin is not reset in this branch, unlike the
                        # PowerShell <= 5 branch further down. Confirm it is cleared elsewhere.
                        if ( !$authNRefresh -and [ContextHelper]::PromptForLogin)
                        {
                            if ([ContextHelper]::PromptForLogin)
                            {
                                $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                            }
                            else {
                                $AquireTokenParameters = $app.AcquireTokenSilent($Scopes, [ContextHelper]::Account)
                                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                                if ($taskAuthenticationResult.exception.message -like "*errors occurred*") {
                                    $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                                    $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                                }
                            }
                        }
                        else {
                            # NOTE(review): appObj is assigned above whenever it was empty, so the else
                            # branch that uses $app looks unreachable.
                            if ([ContextHelper]::appObj) {
                                $AquireTokenParameters = [ContextHelper]::appObj.AcquireTokenSilent($Scopes, [ContextHelper]::Account)
                            }
                            else {
                                $AquireTokenParameters = $app.AcquireTokenSilent($Scopes, [ContextHelper]::Account) 
                            }
                            $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                            # The task's exception is inspected immediately after ExecuteAsync() without waiting for it.
                            # NOTE(review): whether a silent failure is always visible at this point is not
                            # shown here; the match also depends on the exception message text. Confirm.
                            if ($taskAuthenticationResult.exception.message -like "*errors occurred*") {
                                $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                            }
                        }
                    }
                    catch {
                        # Any error while building or starting the request falls back to interactive sign-in.
                        $AquireTokenParameters = $app.AcquireTokenInteractive($Scopes)
                        $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                    }
                    # Reading .Result waits for the task to finish.
                    if ($taskAuthenticationResult.Result) {
                        $result = $taskAuthenticationResult.Result;
                    }
                    
                    if (![ContextHelper]::Account) {
                        [ContextHelper]::Account = $app.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
                    }
                    # NOTE(review): this replaces the cached application with the instance built in this call,
                    # even when the silent request above ran on the previously cached instance. Confirm the
                    # new instance still has the token cache needed for the next silent request.
                    [ContextHelper]::appObj = $app;
                }
                else {
                    # NOTE(review): same nesting as above; the inner else (PromptBehavior Auto) cannot be reached.
                    if ( !$authNRefresh -and [ContextHelper]::PromptForLogin) {
                        if ([ContextHelper]::PromptForLogin) {
                        $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always
                        $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                        $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result;
                        [ContextHelper]::PromptForLogin = $false
                        }
                        else {
                        $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
                        $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                        $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result;
                        }
                    }
                    else {
                        $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
                        $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                        $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result;
                    }
                }
                # $result is still $null here if the MSAL task produced no result; it is passed on unchecked.
                [ContextHelper]::ConvertToContextObject($result)
            }
        }
        return [ContextHelper]::currentContext
    }
    
    hidden static [PSObject] GetCurrentContext([System.Security.SecureString] $PATToken)
    {
        if(-not [ContextHelper]::currentContext)
        {
            [ContextHelper]::IsPATUsed = $true;
            [ContextHelper]::ConvertToContextObject($PATToken)
        }
        return [ContextHelper]::currentContext
    }

    hidden static [PSObject] GetOAuthAccessToken() {
        $tokenInfo = @{};
        try{
            $url = "https://app.vssps.visualstudio.com/oauth2/token"
            # exchange refresh token with new access token
            $body = "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=$($env:ClientSecret)&grant_type=refresh_token&assertion=$($env:RefreshToken)&redirect_uri=https://localhost/"
        
            $res = Invoke-WebRequest -Uri $url -ContentType "application/x-www-form-urlencoded" -Method POST -Body $body
            $response = $res.Content | ConvertFrom-Json

            $tokenInfo['AccessToken'] = $response.access_token
            $expiry = $response.expires_in
            $request_time = get-date
            $tokenInfo['ExpiresOn'] = $request_time.AddSeconds($expiry)
            $refreshToken = ConvertTo-SecureString  $response.refresh_token -AsPlainText -Force

            #Update refresh token if it is expiring in next 1 day
            $updateTokenInKV = $false
            $secretName = "RefreshTokenForADOScan"
            $tokenSecret = Get-AzKeyVaultSecret -VaultName $env:KeyVaultName -Name $secretName
            if (-not [string]::IsNullOrEmpty($tokenSecret) -and [Helpers]::CheckMember($tokenSecret,"Expires")) {
                if ($tokenSecret.Expires -le [DateTime]::Now.AddDays(1))
                {
                    $updateTokenInKV = $true
                }
            }
            else {
                $updateTokenInKV = $true
            }
            if ($updateTokenInKV -eq $true)
            {
                $RefreshTokenExpiresInDays = [Constants]::RefreshTokenExpiresInDays;
                $ExpiryDate = [DateTime]::Now.AddDays($RefreshTokenExpiresInDays)
                Set-AzKeyVaultSecret -VaultName $env:KeyVaultName -Name $secretName -SecretValue $refreshToken -Expires $ExpiryDate | out-null
            }
        }
        catch{
            write-Host "Error fetching OAuth access token"
            Write-Host $_
            return $null
        }
        return $tokenInfo
    }

    static [string] GetAccessToken([string] $resourceAppIdUri) {
            return [ContextHelper]::GetAccessToken()   
    }

    static [string] GetAccessToken()
    {
        if([ContextHelper]::currentContext)
        {
            # Validate if token is PAT using lenght (PAT has lengh of 52), if PAT dont go to refresh login session.
            #TODO: Change code to find token type supplied PAT or login session token
            #if token expiry is within 2 min, refresh. ([ContextHelper]::currentContext.AccessToken.length -ne 52)
            if ( [ContextHelper]::IsPATUsed -eq $false -and ([ContextHelper]::currentContext.TokenExpireTimeLocal -le [DateTime]::Now.AddMinutes(2)))
            {
                [ContextHelper]::GetCurrentContext($true);
            }
            return  [ContextHelper]::currentContext.AccessToken
        }
        else
        {
            return $null
        }
    }
    
    static [string] GetAccessToken([string] $Uri, [string] $tenantId) 
    {
        $rmContext = Get-AzContext
        if (-not $rmContext) {
            throw ([SuppressedException]::new(("No Azure login found"), [SuppressedExceptionType]::InvalidOperation))
        }
        
        if ([string]::IsNullOrEmpty($tenantId) -and [Helpers]::CheckMember($rmContext,"Tenant")) {
            $tenantId = $rmContext.Tenant.Id
        }
        
        $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
        $rmContext.Account,
        $rmContext.Environment,
        $tenantId,
        [System.Security.SecureString] $null,
        "Never",
        $null,
        $Uri);
        
        if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken)))) {
          throw ([SuppressedException]::new(("Unable to get access token. Authentication Failed."), [SuppressedExceptionType]::Generic))
        }
        return $authResult.AccessToken;
    }

    
    static [string] GetGraphAccessToken($useAzContext)
    {
        $accessToken = ''
        try
        {   
            Write-Host "Graph access is required to evaluate some controls. Attempting to acquire graph token." -ForegroundColor Cyan
            # In CA mode, we use azure context to fetch the graph access token.
            if ($useAzContext)
            {
                #getting azure context because graph access token requires azure environment details.
                $Context = @(Get-AzContext -ErrorAction SilentlyContinue )
                if ($Context.count -eq 0)  
                {
                    
                    Connect-AzAccount -ErrorAction Stop
                    $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
                }

                if ($null -eq $Context)  
                {
                    throw "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."
                }
                else
                {
                    $graphUri = "https://graph.microsoft.com"
                    $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
                    $Context.Account,
                    $Context.Environment,
                    $Context.Tenant.Id,
                    [System.Security.SecureString] $null,
                    "Never",
                    $null,
                    $graphUri);

                    if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken))))
                    {
                        throw ([SuppressedException]::new(("Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."), [SuppressedExceptionType]::Generic))
                    }

                    $accessToken = $authResult.AccessToken;
                }
            }
            else 
            {
                # generating graph access token using default VSTS client.
                $clientId = [Constants]::DefaultClientId;          
                $replyUri = [Constants]::DefaultReplyUri; 
                $adoResourceId = "https://graph.microsoft.com/";
                                         
                if ([ContextHelper]::PSVersion -gt 5) {
                    $result = [ContextHelper]::GetGraphAccess()
                }
                else {
                    [AuthenticationContext] $ctx = [AuthenticationContext]::new("https://login.windows.net/common");
                    [AuthenticationResult] $result = $null;
                    $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
                    $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                    $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result;
                }
                $accessToken = $result.AccessToken
            }
            Write-Host "Successfully acquired graph access token." -ForegroundColor Cyan
        }
        catch
        {
            Write-Host "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate." -ForegroundColor Red
            Write-Host "Continuing without graph access." -ForegroundColor Yellow
            return $null
        }

        return $accessToken;
    }

    static [string] GetDataExplorerAccessToken($useAzContext)
    {
        $accessToken = ''
        try
        {   
            Write-Host "Graph access is required to evaluate some controls. Attempting to acquire graph token." -ForegroundColor Cyan
            # generating graph access token using default VSTS client.
            $clientId = [Constants]::DefaultClientId;          
            $replyUri = [Constants]::DefaultReplyUri; 
            $adoResourceId = "https://help.kusto.windows.net";                                         
            if ([ContextHelper]::PSVersion -gt 5) {
                $result = [ContextHelper]::GetGraphAccess()
            }
            else {
                [AuthenticationContext] $ctx = [AuthenticationContext]::new("https://login.windows.net/common");
                [AuthenticationResult] $result = $null;
                $PromptBehavior = [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto
                $PlatformParameters = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters -ArgumentList $PromptBehavior
                $result = $ctx.AcquireTokenAsync($adoResourceId, $clientId, [Uri]::new($replyUri),$PlatformParameters).Result;
            }
            $accessToken = $result.AccessToken            
            Write-Host "Successfully acquired graph access token." -ForegroundColor Cyan
        }
        catch
        {
            Write-Host "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate." -ForegroundColor Red
            Write-Host "Continuing without graph access." -ForegroundColor Yellow
            return $null
        }

        return $accessToken;
    }

    static [string] GetLAWSAccessToken()
    {
        $accessToken = ''
        try
        {              
            #getting azure context because graph access token requires azure environment details.
            $Context = @(Get-AzContext -ErrorAction SilentlyContinue )
            if ($Context.count -eq 0)  
            {                    
                Connect-AzAccount -ErrorAction Stop
                $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
            }

            if ($null -eq $Context)  
            {
                throw "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."
            }
            else
            {                
                $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
                $Context.Account,
                $Context.Environment,
                $Context.Tenant.Id,
                [System.Security.SecureString] $null,
                "Never",
                $null,
                "https://api.loganalytics.io/");

                if (-not ($authResult -and (-not [string]::IsNullOrWhiteSpace($authResult.AccessToken))))
                {
                    throw ([SuppressedException]::new(("Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate."), [SuppressedExceptionType]::Generic))
                }

                $accessToken = $authResult.AccessToken;
            }                                  
        }
        catch
        {
            Write-Host "Unable to acquire Graph token. The signed-in account may not have Graph permission. Control results for controls that depend on AAD group expansion may not be accurate." -ForegroundColor Red
            Write-Host "Continuing without graph access." -ForegroundColor Yellow
            return $null
        }

        return $accessToken;        
    }

    # Acquires a Microsoft Graph authentication result.
    # When a PAT is in use and AzSKSettings.json does not set LASource to "CICD", the result comes from
    # the Az login (Connect-AzAccount is invoked when no Az context exists). Otherwise MSAL is used:
    # a silent request first, with interactive sign-in as the fallback.
    # Returns the authentication result object; callers read its AccessToken property.
    hidden static [PSobject] GetGraphAccess()
    {
        $rootConfigPath = [Constants]::AzSKAppFolderPath;
        $azskSettings = (Get-Content -Raw -Path (Join-Path $rootConfigPath "AzSKSettings.json")) | ConvertFrom-Json
        if ([ContextHelper]::IsPATUsed -and $azskSettings -and $azskSettings.LASource -ne "CICD") {
            $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
            if ($null -eq $Context -or $Context.count -eq 0) {
                Connect-AzAccount -ErrorAction Stop
                $Context = @(Get-AzContext -ErrorAction SilentlyContinue)
            }
            # NOTE(review): @(...) always yields an array, so this comparison with $null cannot be true;
            # an empty context is not caught here. The bare throw also carries no message.
            if ($null -eq $Context) {
                throw 
            }
            else {
                $graphUri = "https://graph.microsoft.com"
                # "Never" is passed as the prompt behaviour, so this call relies on the existing Az login.
                $authResult = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
                $Context.Account,
                $Context.Environment,
                $Context.Tenant.Id,
                [System.Security.SecureString] $null,
                "Never",
                $null,
                $graphUri);

                return $authResult;
            }
        }
        else {
            $ClientId = [Constants]::DefaultClientId
            [Microsoft.Identity.Client.IPublicClientApplication] $appGrapth = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ClientId).Build();
            if (![ContextHelper]::Account) {
                [ContextHelper]::Account = $appGrapth.GetAccountsAsync().GetAwaiter().GetResult() | Select-Object -First 1
            }
            $tokenSource = New-Object System.Threading.CancellationTokenSource
            $taskAuthenticationResult=$null
            $AquireTokenParameters = $null;
            [string[]] $Scopes = "https://graph.microsoft.com/.default";

            # The silent request is built on the cached appObj and sits outside the try block, so a $null
            # appObj fails here and the interactive fallback below is not reached.
            # NOTE(review): confirm whether that is relied on for non-interactive runs before changing it.
            $AquireTokenParameters = [ContextHelper]::appObj.AcquireTokenSilent($Scopes, [ContextHelper]::Account)
            try {
                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                # The task's exception is inspected right after ExecuteAsync() without waiting for the task.
                # NOTE(review): confirm a silent failure is always visible at this point.
                if ( [Helpers]::CheckMember($taskAuthenticationResult, "exception.message") -and ($taskAuthenticationResult.exception.message -like "*errors occurred*")) {
                    $AquireTokenParameters = $appGrapth.AcquireTokenInteractive($Scopes)
                    $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
                }
            }
            catch {
                # Any error while starting the silent request falls back to interactive sign-in.
                $AquireTokenParameters = $appGrapth.AcquireTokenInteractive($Scopes)
                $taskAuthenticationResult = $AquireTokenParameters.ExecuteAsync($tokenSource.Token)
            }
        }
        
        # Reading .result waits for the task to finish.
        return $taskAuthenticationResult.result;
    }

    hidden [OrganizationContext] SetContext([string] $organizationName)
    {
        if((-not [string]::IsNullOrEmpty($organizationName)))
              {
                     $OrganizationContext = [OrganizationContext]@{
                           OrganizationId = $organizationName;
                           Scope = "/Organization/$organizationName";
                           OrganizationName = $organizationName;
                     };
                     # $organizationId contains the organization name (due to framework).
                     [ContextHelper]::orgName = $organizationName;
                     [ContextHelper]::GetCurrentContext()                  
              }
              else
              {
                     throw [SuppressedException] ("OrganizationName name [$organizationName] is either malformed or incorrect.")
        }
        return $OrganizationContext;
    }

    hidden [OrganizationContext] SetContext([string] $organizationName, [System.Security.SecureString] $PATToken)
    {
        if((-not [string]::IsNullOrEmpty($organizationName)))
              {
                     $OrganizationContext = [OrganizationContext]@{
                           OrganizationId = $organizationName;
                           Scope = "/Organization/$organizationName";
                           OrganizationName = $organizationName;
                     };
                     # $organizationId contains the organization name (due to framework).
                     [ContextHelper]::orgName = $organizationName;
                     [ContextHelper]::GetCurrentContext($PATToken)         
              }
              else
              {
                     throw [SuppressedException] ("OrganizationName name [$organizationName] is either malformed or incorrect.")
        }
        return $OrganizationContext;
    }

    # Currently a no-op: the cached context, including its access token, is left in place.
    # NOTE(review): callers that expect the session token to be cleared will not get that from this method.
    static [void] ResetCurrentContext()
    {
        
    }

    hidden static ConvertToContextObject([PSObject] $context)
    {
        $contextObj = [Context]::new()
        # We do not get ADO organization id as part of current context. Hence appending org name to both id and name param.
        $contextObj.Organization = [Organization]::new()
        $contextObj.Organization.Id = [ContextHelper]::orgName
        $contextObj.Organization.Name = [ContextHelper]::orgName

        if([ContextHelper]::IsOAuthScan) { # this if block will be executed for OAuth based scan
            $contextObj.Account.Id = [ContextHelper]::GetOAuthUserIdentity($context.AccessToken, $contextObj.Organization.Name)
            $contextObj.AccessToken = $context.AccessToken
            $contextObj.TokenExpireTimeLocal = $context.ExpiresOn
        }
        else {
            if ([ContextHelper]::PSVersion -gt 5) {
                $contextObj.Account.Id = $context.Account.username
            }
            else {
                $contextObj.Account.Id = $context.UserInfo.DisplayableId
            }
            $contextObj.Tenant.Id = $context.TenantId
            $contextObj.AccessToken = $context.AccessToken

            $contextObj.TokenExpireTimeLocal = $context.ExpiresOn.LocalDateTime
            #$contextObj.AccessToken = ConvertTo-SecureString -String $context.AccessToken -asplaintext -Force
        }
        [ContextHelper]::currentContext = $contextObj
    }
    
    hidden static [string] GetOAuthUserIdentity($accessToken, $orgName)
    {
        $apiURL = "https://dev.azure.com/{0}/_apis/connectionData" -f $orgName
        $headers =@{
            Authorization = "Bearer $accesstoken";
            "Content-Type"="application/json"
        };
        try{
            $responseObj = Invoke-RestMethod -Method Get -Uri $apiURL -Headers $headers -UseBasicParsing
            $descriptor = $responseObj.authenticatedUser.descriptor
            $userId = ($descriptor -split '\\')[-1]
            return $userId
        }
        catch{
            return ""
        }
    }

    # Builds a Context from a PAT, stores it as the current context, then calls the organization's
    # connectionData API with the PAT to fill in the tenant id and account id.
    # NOTE(review): the context is stored before the API call and nothing here rejects an invalid PAT;
    # in that case the context stays cached with empty tenant and account ids. Confirm callers check this.
    hidden static ConvertToContextObject([System.Security.SecureString] $patToken)
    {
        $contextObj = [Context]::new()
        $contextObj.Account.Id = [string]::Empty
        $contextObj.Tenant.Id =  [string]::Empty
        # NetworkCredential is used to read the SecureString back as plain text; from here on the PAT is
        # held as a plain string on the context.
        $contextObj.AccessToken = [System.Net.NetworkCredential]::new("", $patToken).Password
        
        # We do not get ADO organization Id as part of current context. Hence appending org name to both Id and Name param.
        $contextObj.Organization = [Organization]::new()
        $contextObj.Organization.Id = [ContextHelper]::orgName
        $contextObj.Organization.Name = [ContextHelper]::orgName 

        #$contextObj.AccessToken = $patToken
        #$contextObj.AccessToken = ConvertTo-SecureString -String $context.AccessToken -asplaintext -Force
        [ContextHelper]::currentContext = $contextObj


        $apiURL = "https://dev.azure.com/{0}/_apis/connectionData" -f [ContextHelper]::orgName
        #Note: cannot use this WRH method below due to ordering constraints during load in Framework.ps1
        #$header = [WebRequestHelper]::GetAuthHeaderFromUri($apiURL);
        # Basic authentication with an empty user name and the PAT as the password.
        $user = ""
        $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $contextObj.AccessToken)))
        $headers = @{
                        "Authorization"= ("Basic " + $base64AuthInfo); 
                        "Content-Type"="application/json"
                    };
        # Not wrapped in try/catch: a failed request propagates to the caller.
        $responseObj = Invoke-RestMethod -Method Get -Uri $apiURL -Headers $headers -UseBasicParsing

        #If the token is valid, we get: "descriptor"="Microsoft.IdentityModel.Claims.ClaimsIdentity;72f988bf-86f1-41af-91ab-2d7cd011db47\xyz@microsoft.com"
        #Note that even for guest users, we get the host tenant (and not their native tenantId). E.g., "descriptor...;72f...47\pqr@live.com"
        #If the token is invalid, we get a diff object: "descriptor":"System:PublicAccess;aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
        # Split on ';' first and then on '\' so a valid descriptor yields: identity type, tenant id, account.
        $authNUserInfo = @(($responseObj.authenticatedUser.descriptor -split ';') -split '\\')
    
        #Check if the above split resulted in 3 elements (valid token case)
        if ($authNUserInfo.Count -eq 3)
        {
            $contextObj.Tenant.Id = $authNUserInfo[1]
            $contextObj.Account.Id = $authNUserInfo[2]
        }
        elseif ([Helpers]::CheckMember($responseObj.authenticatedUser,"customDisplayName")) {
            $contextObj.Account.Id = $responseObj.authenticatedUser.customDisplayName;
        }
    }

    static [string] GetCurrentSessionUser() {
        $context = [ContextHelper]::GetCurrentContext()
        if ($null -ne $context) {
            return $context.Account.Id
        }
        else {
            return "NO_ACTIVE_SESSION"
        }
    }    

}
# SIG # Begin signature block
# MIInugYJKoZIhvcNAQcCoIInqzCCJ6cCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDdsqsSwlIm+MiC
# WNbr+DW569ohZNXIUTvYJHAQ9glXAKCCDYEwggX/MIID56ADAgECAhMzAAACUosz
# qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I
# sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O
# L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA
# v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o
# RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8
# q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3
# uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp
# kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7
# l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u
# TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1
# o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti
# yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z
# 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf
# 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK
# WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW
# esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F
# 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIZjzCCGYsCAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN
# BglghkgBZQMEAgEFAKCBsDAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQguS6k6rKy
# zFo+CNtBecyGJJIcwIxJzZqr1ehPjApN5k8wRAYKKwYBBAGCNwIBDDE2MDSgFIAS
# AE0AaQBjAHIAbwBzAG8AZgB0oRyAGmh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20g
# MA0GCSqGSIb3DQEBAQUABIIBAGIddyTPuf3rfpg8EIE2Qjd8FlNEMx/6Mtgzr+T0
# pqFswbuE1HDVDACqxv3QG2CMManLVLgWbR0u+C4iEBQVqTzdFRbPDylRUIIBXrI7
# HCit73QV3/Ui0leQM3VzortxgC5xLMGWkdDEp8VpvdwWwYWV5bUZAqtPDEQLH6rg
# wrK5+a6zpp6TfJdRtjeId4vNfR4s+pb9KQUJPEqgnn92DdHCPVjhaPfplNEKoYBf
# prLm3pLG07AmaA4uJCcwGfXMiFuXaar8iW90PRC/n9+3ST7J3WHppvCp5oMHf83o
# fWlfS2hxvRKulm1/7FK0TqkmGpaqeZ5e09y1a6lUHlDkJY6hghcXMIIXEwYKKwYB
# BAGCNwMDATGCFwMwghb/BgkqhkiG9w0BBwKgghbwMIIW7AIBAzEPMA0GCWCGSAFl
# AwQCAQUAMIIBVwYLKoZIhvcNAQkQAQSgggFGBIIBQjCCAT4CAQEGCisGAQQBhFkK
# AwEwMTANBglghkgBZQMEAgEFAAQgyKN3oRy3CbTfvBbstPycgwYpHoZ17+XQMJtm
# QRm1vnQCBmGVXih1shgRMjAyMTEyMTAxMDA1MDYuNlowBIACAfSggdikgdUwgdIx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1p
# Y3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMgTGltaXRlZDEmMCQGA1UECxMdVGhh
# bGVzIFRTUyBFU046MkFENC00QjkyLUZBMDExJTAjBgNVBAMTHE1pY3Jvc29mdCBU
# aW1lLVN0YW1wIFNlcnZpY2WgghFoMIIHFDCCBPygAwIBAgITMwAAAYZ45RmJ+CRL
# zAABAAABhjANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg
# MjAxMDAeFw0yMTEwMjgxOTI3MzlaFw0yMzAxMjYxOTI3MzlaMIHSMQswCQYDVQQG
# EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
# A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQg
# SXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1Mg
# RVNOOjJBRDQtNEI5Mi1GQTAxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFt
# cCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwI3G2Wpv
# 6B4IjAfrgfJpndPOPYO1Yd8+vlfoIxMW3gdCDT+zIbafg14pOu0t0ekUQx60p7Pa
# dH4OjnqNIE1q6ldH9ntj1gIdl4Hq4rdEHTZ6JFdE24DSbVoqqR+R4Iw4w3GPbfc2
# Q3kfyyFyj+DOhmCWw/FZiTVTlT4bdejyAW6r/Jn4fr3xLjbvhITatr36VyyzgQ0Y
# 4Wr73H3gUcLjYu0qiHutDDb6+p+yDBGmKFznOW8wVt7D+u2VEJoE6JlK0EpVLZus
# dSzhecuUwJXxb2uygAZXlsa/fHlwW9YnlBqMHJ+im9HuK5X4x8/5B5dkuIoX5lWG
# jFMbD2A6Lu/PmUB4hK0CF5G1YaUtBrME73DAKkypk7SEm3BlJXwY/GrVoXWYUGEH
# yfrkLkws0RoEMpoIEgebZNKqjRynRJgR4fPCKrEhwEiTTAc4DXGci4HHOm64EQ1g
# /SDHMFqIKVSxoUbkGbdKNKHhmahuIrAy4we9s7rZJskveZYZiDmtAtBt/gQojxbZ
# 1vO9C11SthkrmkkTMLQf9cDzlVEBeu6KmHX2Sze6ggne3I4cy/5IULnHZ3rM4ZpJ
# c0s2KpGLHaVrEQy4x/mAn4yaYfgeH3MEAWkVjy/qTDh6cDCF/gyz3TaQDtvFnAK7
# 0LqtbEvBPdBpeCG/hk9l0laYzwiyyGY/HqMCAwEAAaOCATYwggEyMB0GA1UdDgQW
# BBQZtqNFA+9mdEu/h33UhHMN6whcLjAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJl
# pxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAx
# MCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3Rh
# bXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoG
# CCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4ICAQDD7mehJY3fTHKC4hj+wBWB8544
# uaJiMMIHnhK9ONTM7VraTYzx0U/TcLJ6gxw1tRzM5uu8kswJNlHNp7RedsAiwviV
# QZV9AL8IbZRLJTwNehCwk+BVcY2gh3ZGZmx8uatPZrRueyhhTTD2PvFVLrfwh2li
# DG/dEPNIHTKj79DlEcPIWoOCUp7p0ORMwQ95kVaibpX89pvjhPl2Fm0CBO3pXXJg
# 0bydpQ5dDDTv/qb0+WYF/vNVEU/MoMEQqlUWWuXECTqx6TayJuLJ6uU7K5QyTkQ/
# l24IhGjDzf5AEZOrINYzkWVyNfUOpIxnKsWTBN2ijpZ/Tun5qrmo9vNIDT0lobgn
# ulae17NaEO9oiEJJH1tQ353dhuRi+A00PR781iYlzF5JU1DrEfEyNx8CWgERi90L
# KsYghZBCDjQ3DiJjfUZLqONeHrJfcmhz5/bfm8+aAaUPpZFeP0g0Iond6XNk4YiY
# bWPFoofc0LwcqSALtuIAyz6f3d+UaZZsp41U4hCIoGj6hoDIuU839bo/mZ/AgESw
# GxIXs0gZU6A+2qIUe60QdA969wWSzucKOisng9HCSZLF1dqc3QUawr0C0U41784K
# o9vckAG3akwYuVGcs6hM/SqEhoe9jHwe4Xp81CrTB1l9+EIdukCbP0kyzx0WZzte
# eiDN5rdiiQR9mBJuljCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUw
# DQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n
# dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y
# YXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhv
# cml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9z
# b2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
# ggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg
# 4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aO
# RmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41
# JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5
# LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL
# 64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9
# QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj
# 0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqE
# UUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0
# kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435
# UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB
# 3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTE
# mr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwG
# A1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93
# d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNV
# HSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNV
# HQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo
# 0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29m
# dC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5j
# cmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jv
# c29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDAN
# BgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4
# sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th54
# 2DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRX
# ud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBew
# VIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0
# DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+Cljd
# QDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFr
# DZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFh
# bHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7n
# tdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+
# oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6Fw
# ZvKhggLXMIICQAIBATCCAQChgdikgdUwgdIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
# EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv
# ZnQgQ29ycG9yYXRpb24xLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh
# dGlvbnMgTGltaXRlZDEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046MkFENC00Qjky
# LUZBMDExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoB
# ATAHBgUrDgMCGgMVAAGu2DRzWkKljmXySX1korHL4fMnoIGDMIGApH4wfDELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9z
# b2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEFBQACBQDlXYWWMCIY
# DzIwMjExMjEwMTU1MTUwWhgPMjAyMTEyMTExNTUxNTBaMHcwPQYKKwYBBAGEWQoE
# ATEvMC0wCgIFAOVdhZYCAQAwCgIBAAICFAECAf8wBwIBAAICESQwCgIFAOVe1xYC
# AQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEK
# MAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQCL4cr0lJMEIpD123keIL+oEDwG
# cnwKMTHNjWy4fjsuTHa3YZZKL7GgkIVjsFLQD7O4fGGT3DEo/GbYgyMesJUDrqul
# QuF0rYb3hKPPikSW1Ge9c+tJQY3UTbPnIZc6PFxQx9cWLx9LkDoJsi2eitt81EFx
# JTwqBwzLeR2goFgvtjGCBA0wggQJAgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w
# IFBDQSAyMDEwAhMzAAABhnjlGYn4JEvMAAEAAAGGMA0GCWCGSAFlAwQCAQUAoIIB
# SjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIGFz
# mhKpYdUGUl1CIBuu1fKvZEHu9V7qLzhKci6saE9vMIH6BgsqhkiG9w0BCRACLzGB
# 6jCB5zCB5DCBvQQgGpmI4LIsCFTGiYyfRAR7m7Fa2guxVNIw17mcAiq8Qn4wgZgw
# gYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
# BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYD
# VQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAYZ45RmJ+CRL
# zAABAAABhjAiBCDF61Lae8ZkDgdwjwG/IlLQZOZlTiKU73bL/q8pbkemkTANBgkq
# hkiG9w0BAQsFAASCAgCnp7EHweBQKlcafC0QKH1KqpINBHwMu8uITWqhOpUvoGY5
# dN+M2/yZYVUyA39QB/H5ZbopyfhYoGehQ4eurw2EJtQoA/TyBIaxiaUgbTmRlUOz
# bKlvPZPZhlsdEhktun3JroU5blwhZa6lVCa46grtpi2wq44aYsnrf1ev6fMQJBMu
# IYTk2wdy9cVwsIpmajiJ083vnmdjfIS681RN3lz8GX4wt+IxTK1QIc2YPc7Sb1fa
# iAymNC5+1RCONv6SqWIqiq5kKHng/h7orEXovtd++rbuFhTg/duH18Maigobn+/U
# z2IKDVsZ8wKmq9HLLgb7RePpfuBwvGkd2/QapOlAgDM80ftPVk+M7xckdeAazmrh
# 7rKIa0UncTMcjHQC8G0O5FL5/RXEehcYe8ry4FUrZmUShW6K4v+lD4zAILVHhJKe
# fbL6cYurgS4teOTQ/q+teO6W2XDUVXpHj9FACZak9vNK3ROV+b9R5SALalFB+UHk
# /KylCcxZYh6L68aoImGTDXakf0luIsqQ8KKto8SSGB7QfjALJ787P0tfvhCiqALG
# FjKNoDS2Oc9PfecDE4ZhyJpzHaLEQ3Xp4iHd//22iU+T1kHv+haoneMkuevm+6iU
# BlVD4cMGnUAJsB9c0QLeOzuJ/N3uaZzb73anENxJqyh3NLA8rYq8cZItaNMLTg==
# SIG # End signature block