Private/AzStackHci.Connectivity.Helpers.ps1
|
# //////////////////////////////////////////////////////////////////////////// # Strict Mode v1 (PS 5.1 safe) - surfaces reads of uninitialised variables at runtime. Set-StrictMode -Version 1.0 # Function to test version of PowerShell # Returns $true on Windows PowerShell 5.1 and $false on PowerShell 6/7+. # Uses PSEdition ('Desktop' = Windows PowerShell, 'Core' = PowerShell 6/7+) rather than a # version-string comparison: it is the intent-revealing signal for "must be Windows PowerShell" # and avoids the magic 5.1.99999.999 upper-bound constant. Callers own the user-facing message # (this helper only returns a boolean; it never throws or writes an error). Function Test-PowerShellVersion5 { param ( [Parameter(Mandatory = $false)] [bool]$NoVerboseOutput = $false ) if (-not $NoVerboseOutput) { Write-Verbose "PowerShell version $($PSVersionTable.PSVersion.ToString()) ($($PSVersionTable.PSEdition) edition) detected." } # 'Desktop' is Windows PowerShell (5.1); 'Core' is PowerShell 6/7+. return ($PSVersionTable.PSEdition -eq 'Desktop') } # //////////////////////////////////////////////////////////////////////////// # Classify a single connectivity result row into a stable, machine-readable # category (v0.6.7). Lets integrators branch on $row.ResultCategory instead of # brittle free-text matching on $row.Note (e.g. the old config-gap heuristic # -match 'WAS NOT USED|REQUIRED TO SPECIFY'). # # Categories (mutually exclusive, evaluated in priority order): # ConfigGap - a required parameter placeholder (e.g. -KeyVaultURL) was left # unsubstituted, so the row carries the 'WAS NOT USED' / # 'REQUIRED TO SPECIFY' Note marker. This is a setup/input gap, # NOT a real network fault. # PrivateLink - the endpoint resolved to an RFC1918 private IP (Private Link). # SSLInspected - an untrusted certificate chain was seen (possible SSL inspection). # Skipped - the endpoint was never tested. Covers (a) Arc-Gateway skip rows and # skip-list rows (Layer7Status/TCPStatus literally 'Skipped'), and # (b) untested wildcard-parent placeholder rows whose Layer7Status is # still the initial EMPTY string because they never entered the # DNS/TCP/Layer7 test loop. (A genuinely tested row ALWAYS ends with a # non-empty Layer7Status - Success / Failed / N/A / 'Invalid port:' - # so an empty/whitespace value unambiguously means "not tested".) # Success - Layer7Status reported Success. # ConnectivityFailure - any other terminal state where a test ran and did not pass # (Failed, or N/A from a DNS-resolution failure, or 'Invalid port:'). # # Precedence rationale: the three "diagnostic" categories (ConfigGap, PrivateLink, # SSLInspected) describe WHY a row is special and are evaluated ahead of the generic # Success / ConnectivityFailure split, because such rows usually ALSO carry # Layer7Status='Failed' which would otherwise mask the real cause. # # NOTE on CRL/OCSP revocation-offline rows: these keep Layer7Status='Failed' + a # '- CRL/OCSP unreachable' Layer7Response marker and are DELIBERATELY left as # ConnectivityFailure here (NOT given their own category) to keep the ResultCategory # enum stable for consumers. The run-level signal for them is the CRLOfflineDetected / # CRLOfflineURLs container NoteProperties on the returned ArrayList (and JSON summary), # mirroring how SSL inspection is ALSO surfaced as a container array - integrators that # want to treat revocation-offline as a softer WARNING branch on those fields. Function Get-ConnectivityResultCategory { [CmdletBinding()] [OutputType([string])] param( [Parameter(Mandatory = $true)] [psobject]$Row, # Run-level detection lists. Publish-Results passes a snapshot of the module-scope # state ($script:SSLInspectedURLs / $script:PrivateLinkDetectedArray); unit tests # pass synthetic lists. Default to empty so the helper is fully self-contained. [AllowNull()] [string[]]$SSLInspectedURLs = @(), [AllowNull()] [string[]]$PrivateLinkURLs = @() ) # Bare property reads are safe under StrictMode v1.0 (it throws only on uninitialised # VARIABLES, not absent object properties); cast to [string] to coalesce $null to ''. $note = [string]$Row.Note $url = [string]$Row.URL $l7 = [string]$Row.Layer7Status $tcp = [string]$Row.TCPStatus # URL normalisation for the detection-list lookups (steps 2 & 3). The two run-level arrays # store the URL in DIFFERENT shapes: # * $script:PrivateLinkDetectedArray stores the bare result-row .URL (host[/path]) - it is # populated by matching $_.URL in Test-AzureLocalConnectivity, so it already aligns. # * $script:SSLInspectedURLs stores the SCHEME-PREFIXED request URL ('https://host/path') # because Test-Layer7Connectivity adds the value it actually requested. # The result-row .URL is the bare host+path with no scheme, so a raw -contains against the # SSL list silently MISSES (an SSL-inspected row then falls through to ConnectivityFailure). # Strip a leading http(s):// and any trailing '/' from BOTH the row URL and every list entry # so the comparison is scheme- and trailing-slash-insensitive. (-contains is already # case-insensitive for strings.) $normalizeUrl = { param($u) (([string]$u) -replace '^\s*https?://', '').TrimEnd('/') } $urlNorm = & $normalizeUrl $url $sslNorm = @(@($SSLInspectedURLs) | ForEach-Object { & $normalizeUrl $_ }) $plNorm = @(@($PrivateLinkURLs) | ForEach-Object { & $normalizeUrl $_ }) # 1. Config gap — required parameter placeholder was never substituted. if ($note -match 'WAS NOT USED|REQUIRED TO SPECIFY') { return 'ConfigGap' } # 2. Private Link — endpoint resolved to an RFC1918 address. if ($plNorm -and ($plNorm -contains $urlNorm)) { return 'PrivateLink' } # 3. SSL inspection — untrusted certificate chain observed (possible TLS interception). # Two signals, set in lockstep upstream (AzStackHci.Layer7.Helpers.ps1); either is authoritative: # (a) the bare row URL appears in the run-level $script:SSLInspectedURLs snapshot, OR # (b) the row's own Layer7Response carries the '- SSL Inspection detected' marker. # (b) is read straight off the row, so it survives any URL-shape drift between the snapshot # (which stores the scheme-prefixed REQUEST url, possibly a redirect target) and the row's # .URL field. A CRL/OCSP-offline row is reclassified away from this marker upstream, so it # correctly does NOT match here and stays a ConnectivityFailure. $l7Response = [string]$Row.Layer7Response if (($sslNorm -and ($sslNorm -contains $urlNorm)) -or ($l7Response -match 'SSL Inspection detected')) { return 'SSLInspected' } # 4. Skipped / not-tested. Three cases: # (a) Arc-Gateway / skip-list rows -> TCPStatus or Layer7Status literally 'Skipped'. # (b) Untested wildcard-parent / placeholder rows that never entered the test loop # -> Layer7Status is still the initial EMPTY string. A tested row always has a # non-empty Layer7Status, so empty/whitespace here means "never tested", NOT a # failure. Guard with -not IsNullOrWhiteSpace($note) is unnecessary because the # ConfigGap Note marker is already handled at step 1 above. if (($tcp -like 'Skipped*') -or ($l7 -eq 'Skipped') -or [string]::IsNullOrWhiteSpace($l7)) { return 'Skipped' } # 5. Success. if ($l7 -eq 'Success') { return 'Success' } # 6. Everything else is a terminal connectivity failure (Failed / N/A / 'Invalid port:'). return 'ConnectivityFailure' } # //////////////////////////////////////////////////////////////////////////// # This function converts a hashtable to a string representation Function Convert-HashTableToString { param ( [Parameter(Mandatory = $true)] [System.Collections.Hashtable] $HashTable ) begin { # Write-Verbose "Starting Convert-HashTableToString function" } process { $HashString = "@{" $Keys = $HashTable.keys foreach ($Key in $Keys) { $v = $HashTable[$key] if ($key -match "\s") { $HashString += "`"$key`"" + "=" + "`"$v`"" + ";" } else { $HashString += $key + "=" + "`"$v`"" + ";" } } $HashString += "}" } # End of process block end { # Write-Debug "Completed Convert-HashTableToString function" return $HashString } } # //////////////////////////////////////////////////////////////////////////// # Function to extract domains from URLs Function Get-DomainFromURL { param ( [string]$url ) begin { # Write-Verbose "Starting Get-DomainFromURL function" } process { # Remove the protocol (http:// or https://) and extract the domain and port $url = $url -replace "^https?://", "" # Check if the URL contains a port number # If the URL contains a port number, extract it if ($url -match ":(\d+)$") { $port = [int]($url -replace ".*:(\d+)$", '$1') $url = $url -replace ":(\d+)$", "" } else { $port = $null } $domain = $url -split '/' | Select-Object -First 1 return @{ Domain = $domain; Port = $port } } end { # Write-Debug "Completed Get-DomainFromURL function" } } # //////////////////////////////////////////////////////////////////////////// # Helper function to normalize URL with protocol based on port # This is a private helper function for Test-Layer7Connectivity Function Initialize-WebRequestUrl { param ( [Parameter(Mandatory=$true)] [string]$url, [Parameter(Mandatory=$true)] [int]$port ) # Check if the port is 80 for HTTP or port 443, 8084 or 8443 for HTTPS and update the URL accordingly if ($port -eq $script:PORT_HTTPS -or $port -eq $script:PORT_HTTPS_ALT1 -or $port -eq $script:PORT_HTTPS_ALT2) { if($url -notmatch "^https://") { # If the URL does not start with https://, add it $url = "https://$url" } } elseif($port -eq $script:PORT_HTTP) { if($url -notmatch "^http://") { # If the URL does not start with http://, add it $url = "http://$url" } } else { # For custom ports, use http as the default if($url -notmatch "^http") { Write-Verbose "Custom port $port detected, using http as the default" $url = "http://$url" } } return $url } # //////////////////////////////////////////////////////////////////////////// # Helper function to register a redirected URL into the RedirectedResults array # Prevents duplicates by checking both RedirectedResults and Results arrays. # Called from the redirect-handling section of Test-Layer7Connectivity. Function Add-RedirectedUrlToResults { param ( [Parameter(Mandatory=$true)] [string]$RedirectedURL, [Parameter(Mandatory=$true)] [string]$FullRedirectUrl, [Parameter(Mandatory=$true)] [int]$DestinationPort, [Parameter(Mandatory=$true)] [string]$OriginalURL, [Parameter(Mandatory=$true)] [int]$OriginalPort ) Write-HostAzS "Redirected to '$FullRedirectUrl'" -ForegroundColor Yellow # Update the Note on the original result to show the redirect target (only if not already set) $ResultsToUpdate = $script:Results | Where-Object { $_.url -eq $OriginalURL -and ($_.Port -eq $OriginalPort) } ForEach ($ResultToUpdate in $ResultsToUpdate) { if (-not($ResultToUpdate.Note -like "Redirects to *")) { if ($ResultToUpdate.Note) { $ResultToUpdate.Note = "Redirects to '$($RedirectedURL)' - $($ResultToUpdate.Note)" } else { $ResultToUpdate.Note = "Redirects to '$($RedirectedURL)'" } } } if ([string]::IsNullOrWhiteSpace($RedirectedURL)) { Write-Warning "Redirected URL is null for $FullRedirectUrl, skipping" return } # Check if the URL already exists in the Results array [bool]$RedirectExistsInResults = $false ForEach ($result in $script:Results) { if ((Get-DomainFromURL -url $result.url).Domain -eq $RedirectedURL -and ($result.Port -eq $DestinationPort)) { Write-Debug "Redirected URL already exists in Results array, skipping" $RedirectExistsInResults = $true break } } # Add to RedirectedResults if it doesn't already exist in either array # Note: -notcontains works correctly on an empty @() array, no special first-entry handling needed if (($script:RedirectedResults.url -notcontains $RedirectedURL) -and (-not($RedirectExistsInResults))) { $OriginalResult = $script:Results | Where-Object { ((Get-DomainFromURL -url $_.URL).Domain -eq (Get-DomainFromURL -url $OriginalURL).Domain) -and ($_.Port -eq $OriginalPort) } | Select-Object -First 1 $script:RedirectedResults.Add([PSCustomObject]@{ RowID = 0 MachineName = $env:COMPUTERNAME url = $RedirectedURL redirect = $FullRedirectUrl Port = $DestinationPort ArcGateway = $false IsWildcard = $false Source = "Redirect for $($OriginalResult.Source)" Note = "Redirected URL from $($OriginalURL) - $($OriginalResult.Note)" TCPStatus = "" IPAddress = "" Layer7Status = "" Layer7Response = "" Layer7ResponseTime = "" CertificateSubject = "" CertificateIssuer = "" CertificateThumbprint = "" IntermediateCertificateIssuer = "" IntermediateCertificateSubject = "" IntermediateCertificateThumbprint = "" RootCertificateIssuer = "" RootCertificateSubject = "" RootCertificateThumbprint = "" }) | Out-Null Write-Debug "Added $($script:RedirectedResults[-1]) to RedirectedResults array" } else { Write-Debug "Redirected URL $RedirectedURL already exists in RedirectedResults or Results array, skipping" } } # //////////////////////////////////////////////////////////////////////////// # Helper function to register a CRL / OCSP dependency URL as its own row in # $script:Results. Called when Get-Layer7CertificateDetails classifies an HTTPS # endpoint as "CRL/OCSP unreachable" (trusted chain, revocation offline). # # Dedupe strategy (two tiers): # - OCSP: skip if ANY existing row already covers the same host+port=80 # (the OCSP protocol uses a single host, so host match = full coverage) # - CRL: fall through to exact-URL match — different .crl files on the same # host can be blocked independently by path-based proxy filtering # When an identical URL was already added by a previous parent, the existing # row's Source is extended to list both parents. # # Rows are appended directly to $script:Results with Layer7Status = "" so the # existing remainingUrls loop in Test-AzureLocalConnectivity picks them up and # tests them as first-class endpoints. Function Add-CrlDependencyRowToResults { [CmdletBinding()] param ( [Parameter(Mandatory=$true)][ValidateSet('CRL','OCSP')][string]$Kind, [Parameter(Mandatory=$true)][string]$DependencyURL, [Parameter(Mandatory=$true)][string]$ParentURL ) if ([string]::IsNullOrWhiteSpace($DependencyURL)) { return } $parentDomain = (Get-DomainFromURL -url $ParentURL).Domain $depDomain = (Get-DomainFromURL -url $DependencyURL).Domain if ([string]::IsNullOrWhiteSpace($depDomain)) { Write-Debug "Add-CrlDependencyRowToResults: cannot parse domain from '$DependencyURL', skipping" return } # Tier 1 — dedupe against existing rows if ($Kind -eq 'OCSP') { # Host-level dedupe is sufficient for OCSP (single-host protocol) $existing = $script:Results | Where-Object { ((Get-DomainFromURL -url $_.URL).Domain -eq $depDomain) -and ($_.Port -eq $script:PORT_HTTP) } | Select-Object -First 1 if ($existing) { Write-Debug "Add-CrlDependencyRowToResults: OCSP host '$depDomain' already in Results (row URL '$($existing.URL)'), skipping duplicate" return } } else { # CRL — exact URL dedupe (different .crl paths on same host can be independently blocked) $existingSame = $script:Results | Where-Object { ($_.URL -eq $DependencyURL) -and ($_.Port -eq $script:PORT_HTTP) } | Select-Object -First 1 if ($existingSame) { # Same CRL URL already added — extend Source to reflect shared parent if ($existingSame.Source -notmatch [regex]::Escape($parentDomain)) { $existingSame.Source = "$($existingSame.Source); $parentDomain" } Write-Debug "Add-CrlDependencyRowToResults: CRL URL '$DependencyURL' already present — appended parent '$parentDomain' to Source" return } } # Tier 2 — append new row (Layer7Status="" so the remaining-URLs loop tests it) $sourcePrefix = if ($Kind -eq 'CRL') { 'CRL dependency for' } else { 'OCSP dependency for' } $script:Results.Add([PSCustomObject]@{ RowID = 0 MachineName = $env:COMPUTERNAME URL = $DependencyURL Port = $script:PORT_HTTP ArcGateway = $false IsWildcard = $false Source = "$sourcePrefix $parentDomain" Note = "Required for certificate revocation check of https://$parentDomain (HTTP port 80 must be reachable)" TCPStatus = "" IPAddress = "" Layer7Status = "" Layer7Response = "" Layer7ResponseTime = "" CertificateIssuer = "" CertificateSubject = "" CertificateThumbprint = "" IntermediateCertificateIssuer = "" IntermediateCertificateSubject = "" IntermediateCertificateThumbprint = "" RootCertificateIssuer = "" RootCertificateSubject = "" RootCertificateThumbprint = "" }) | Out-Null Write-Debug "Add-CrlDependencyRowToResults: appended $Kind dependency row '$DependencyURL' for parent '$parentDomain'" } # //////////////////////////////////////////////////////////////////////////// # Helper function to initialize ServerCertificateValidationCallback for SSL bypass # This is a private helper function for Test-Layer7Connectivity Function Initialize-CertificateCallback { # IMPORTANT: This sets a PROCESS-WIDE callback on ServicePointManager.ServerCertificateValidationCallback # that accepts all certificates. This is intentional — the module needs to connect to endpoints even when # SSL inspection replaces certificates, so it can detect and report SSL inspection to the user. # The callback is reset to $null in the end block of Test-Layer7Connectivity and Test-AzureLocalConnectivity. # Check if ServerCertificateValidationCallback class is already defined if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type) { # Define the ServerCertificateValidationCallback class # This class is used to bypass SSL certificate validation, to allow for SSL inspection detection $CertCallback = @" using System; using System.Net; using System.Net.Security; using System.Security.Cryptography.X509Certificates; public class ServerCertificateValidationCallback { public static void Ignore() { if(ServicePointManager.ServerCertificateValidationCallback == null) { ServicePointManager.ServerCertificateValidationCallback += delegate ( Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors ) { return true; }; } } } "@ Add-Type $CertCallback } # Call the Ignore method to bypass SSL certificate validation. # PRECONDITION: the C# Ignore() only installs the accept-all delegate when # ServicePointManager.ServerCertificateValidationCallback is currently $null. If the # caller (or another loaded module) already set a callback, the bypass is NOT installed, # so SSL-inspection detection can be inconsistent in shared sessions. The caller # (Test-Layer7Connectivity / Test-AzureLocalConnectivity) captures and restores the # original callback in its finally block, so this never leaks across function calls. [ServerCertificateValidationCallback]::Ignore() } # //////////////////////////////////////////////////////////////////////////// # Helper to set all connectivity result fields on a URL object to skip/N/A values. # Used when a URL is skipped, wildcarded, or DNS resolution fails. Function Set-UrlObjectSkipFields { param( [Parameter(Mandatory)][PSCustomObject]$UrlObject, [Parameter(Mandatory)][string]$TCPStatus, [Parameter(Mandatory)][string]$Layer7Status, [string]$IPAddress = "N/A", [string]$Layer7Response = "N/A", [string]$Layer7ResponseTime = "N/A" ) $UrlObject.TCPStatus = $TCPStatus $UrlObject.IPAddress = $IPAddress $UrlObject.Layer7Status = $Layer7Status $UrlObject.Layer7Response = $Layer7Response $UrlObject.Layer7ResponseTime = $Layer7ResponseTime $UrlObject.CertificateIssuer = "N/A" $UrlObject.CertificateSubject = "N/A" $UrlObject.CertificateThumbprint = "N/A" $UrlObject.IntermediateCertificateIssuer = "N/A" $UrlObject.IntermediateCertificateSubject = "N/A" $UrlObject.IntermediateCertificateThumbprint = "N/A" $UrlObject.RootCertificateIssuer = "N/A" $UrlObject.RootCertificateSubject = "N/A" $UrlObject.RootCertificateThumbprint = "N/A" } # //////////////////////////////////////////////////////////////////////////// # Helper to copy connectivity test results from an Invoke-EndpointConnectivityTest # result hashtable to a URL result object. Function Copy-ConnectivityResultsToUrlObject { param( [Parameter(Mandatory)][PSCustomObject]$UrlObject, [Parameter(Mandatory)][hashtable]$TestResult ) $UrlObject.TCPStatus = $TestResult.TCPStatus $UrlObject.IPAddress = $TestResult.IPAddress $UrlObject.Layer7Status = $TestResult.Layer7Status $UrlObject.Layer7Response = $TestResult.Layer7Response $UrlObject.Layer7ResponseTime = $TestResult.Layer7ResponseTime $UrlObject.CertificateIssuer = $TestResult.CertificateIssuer $UrlObject.CertificateSubject = $TestResult.CertificateSubject $UrlObject.CertificateThumbprint = $TestResult.CertificateThumbprint $UrlObject.IntermediateCertificateIssuer = $TestResult.CertificateIntermediateIssuer $UrlObject.IntermediateCertificateSubject = $TestResult.CertificateIntermediateSubject $UrlObject.IntermediateCertificateThumbprint = $TestResult.CertificateIntermediateThumbprint $UrlObject.RootCertificateIssuer = $TestResult.CertificateRootIssuer $UrlObject.RootCertificateSubject = $TestResult.CertificateRootSubject $UrlObject.RootCertificateThumbprint = $TestResult.CertificateRootThumbprint } # SIG # Begin signature block # MIInbgYJKoZIhvcNAQcCoIInXzCCJ1sCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBnZRH1ealRbfOL # Gx91rHVWpjjedAwcRHgIB5NMmXCwEKCCDMkwggYEMIID7KADAgECAhMzAAACHPrN # xZvoL37EAAAAAAIcMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAlVTMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBD # b2RlIFNpZ25pbmcgUENBIDIwMjQwHhcNMjYwNDE2MTg1OTQxWhcNMjcwNDE1MTg1 # OTQxWjB0MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYD # VQQDExVNaWNyb3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB # DwAwggEKAoIBAQDVsZfgOKmM31HPfoWOoNEiw0SlCiIxUMC0I9NMWbucKOw/e9lP # oAoehQVu6SG65V4EPzrYsnBnFPNoi4/HoOdjhz1qkrEt4I6tEcxXU6oOeY9zGveC # /3iBeuhLYxM3M/PkcUoebF+Nednm8OkdSPoDu8imViHPQq/8CQUu0WRR4rE+dMRf # rpVqfmNi2qWCX94T4MsepijGVkwE//tJg0ryAiYdHT34LSnlG/RSBZmQRGWZ5g8j # qnKjRParSqMft1gvjuUTVgtWNZfgcLFSK5Wa0myrq8OPcgTGGsRgun+tnSS+IxDT # xVsAPH1OzvPjwomguByhUe/OcvUN0D5Wmp7xAgMBAAGjggGqMIIBpjAOBgNVHQ8B # Af8EBAMCB4AwHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYBBQUHAwMwHQYDVR0O # BBYEFNoH7a2YDjOSwpkp6DHcmUS7J+0yMFQGA1UdEQRNMEukSTBHMS0wKwYDVQQL # EyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxFjAUBgNVBAUT # DTIzMDAxMis1MDc1NjkwHwYDVR0jBBgwFoAUf1k/VCHarU/vBeXmo9ctBpQSCDEw # YAYDVR0fBFkwVzBVoFOgUYZPaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9w # cy9jcmwvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmclMjBQQ0ElMjAyMDI0LmNy # bDBtBggrBgEFBQcBAQRhMF8wXQYIKwYBBQUHMAKGUWh0dHA6Ly93d3cubWljcm9z # b2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwQ29kZSUyMFNpZ25pbmcl # MjBQQ0ElMjAyMDI0LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IC # AQAUnEqhaRXe0T3hIJjvdQErEkrA/7bByjn6t5IArODkkRjzkYwtKMc2yYj2quaN # rLutWw2YZcngKPy1b71YyDJQTy4NDRwaSh9Tw5thrk3NmcPrAHia5vtcBJ1CgtKK # 7mQbIcQ22d/N3813ayCDDFewu1+jsZmX+r/aTEqaOM4TVxVtRSkuCy8nAXKuChOK # Li/zA4XuH8iEYqIsj2YoNaeSxVmeGiERXpKdo3dDmYi0kO5w2D8VS4c3+9h6gElY # BaAAg/dYErBg27qT3vv0zRDJhJufvCNylA8S7/+8H5E/PV5cng6na9VV/w9OV3qu # uND6zdGa2EX38Glp50F9AIQk3p2xXmcvorDeM4XJ7UlWYBi6g80J1SSOQnInCYFE # msfUNn3+1AaTJKSJL83quKArTac2pKhu0Yzzzrzo6HrsRiQKzpnRBb1/dMa6P3hz # 75XbMRBctNsFhZC07WCmjExdLg2eHW5uV0TY8D5+6wozJf7vF3+WHkYPO85Z+BC6 # U4FkNbYNycZ9cE4j1tXRdyDCfml6c0HWPHjNVDObrv9lKt3qUqFpX38VCqVCyNOO # 1UcXfQiVjJw32U2WUKZjt/neJKHEBsm9kFsLuWzkQ53+qcaSaytmsCnk2gOglrlD # 5d3kKyvvAw+rzm0lT8K38P6PLxfZQHhu4W8dV7Av8N2ZmDCCBr0wggSloAMCAQIC # EzMAAAA5O7Y3Gb8GHWcAAAAAADkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYT # AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD # VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBS # b290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDExMB4XDTI0MDgwODIwNTQxOFoX # DTM2MDMyMjIyMTMwNFowVzELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9zb2Z0IENvZGUgU2lnbmluZyBQ # Q0EgMjAyNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANgBnB7jOMeq # lRYHNa265v4IY9fH8TKhemHfPINe1gpLaV3dhg324WwH06LcHbpnsBukCDNitryo # 0dtS/EW6I/yEL/bLSY8hKpbfQuWusBPr9qazYcDxCW/qnjb5JsI1s8bNOg3bVATv # QVL4tcf03aTycsz8QeCdM0l/yHRObJ9QqazM1r6VPEOJ7LL+uEEb73w6QCuhs89a # 1uv1zerOYMnsneRRwCbpyW11IcggU0cRKDDq1pjVJzIbIF6+oiXXbReOsgeI8zu1 # FyQfK0fVkaya8SmVHQ/tOf23mZ4W9k0Ri22QW9p3UgSC5OUDktKxxcCmGL6tXLfO # GSWHIIV4YrTJTT6PNty5REojHJuZHArkF9VnHTERWoTjAzfI3kP+5b4alUdhgAZ7 # ttOu1bVnXfHaqPYl2rPs20ji03LOVWsh/radgE17es5hL+t6lV0eVHrVhsssROWJ # uz2MXMCt7iw7lFPG9LXKGjsmonn2gotGdHIuEg5JnJMJVmixd5LRlkmgYRZKzhxS # CwyoGIq0PhaA7Y+VPct5pCHkijcIIDm0nlkK+0KyepolcqGm0T/GYQRMhHJlGOOm # VQop36wUVUYklUy++vDWeEgEo4s7hxN6mIbf2MSIQ/iIfMZgJxC69oukMUXCrOC3 # SkE/xIkgpfl22MM1itkZ35nNXkMolU1lAgMBAAGjggFOMIIBSjAOBgNVHQ8BAf8E # BAMCAYYwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFH9ZP1Qh2q1P7wXl5qPX # LQaUEggxMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMB # Af8wHwYDVR0jBBgwFoAUci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0fBFMwUTBP # oE2gS4ZJaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMv # TWljUm9vQ2VyQXV0MjAxMV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRSMFAw # TgYIKwYBBQUHMAKGQmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMv # TWljUm9vQ2VyQXV0MjAxMV8yMDExXzAzXzIyLmNydDANBgkqhkiG9w0BAQwFAAOC # AgEAFJQfOChP7onn6fLIMKrSlN1WYKwDFgAddymOUO3FrM8d7B/W/iQ6DxXsDn7D # 5W4wMwYeLystcEqfkjz4NURRgazyMu5yRzQh4LqjA4tStTcJh1opExo7nn5PuPBY # nbu0+THSuVHTe0VTTPVhily/piFrDo3axQ9P4C+Ol5yet+2gTfekICS5xS+cYfSI # vgn0JksVBVMYVI5QFu/qhnLhsEFEUzG8fvv0hjgkO+lkpV9ty6GkN4vdnd7ya6Q6 # aR9y34aiM1qmxaxBi6OUnyNl6fkuun/diTFnYDLTppOkr/mg5WSfCiDVMNCxtj4w # PKC5OmHm1DQIt/MNokbbH3UGsFP1QbzsLocuSqLCvH09Io3fDPTmscR9Y75G4qX7 # RTX8AdBPo0I6OEojf39zuFZt0qOHm65YWQE69cZM2ueE1MB05dNNgHK9gTE7zKvK # /fg8B2qjW88MT/WF5V5uvZGtqa9FSL2RazArA+rDPuf6JGYz4HpgMZHB4S6szWSK # YBv0VisCzfxgeU+dquXW9bd0auYlOB58DPcOYKdc3Se94g+xL4pcEhbB54JOgAkw # YTu/9dLeH2pDqeJZAABVDWRQCaXfO5LgyKwKCLYXpigrZYCjUSBcr+Ve8PFWMhVT # Ql0v4q8J/AUmQN5W4n101cY2L4A7GTQG1h32HHAvfQESWP0xghn7MIIZ9wIBATBu # MFcxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # KDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMjQCEzMAAAIc # +s3Fm+gvfsQAAAAAAhwwDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwG # CisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZI # hvcNAQkEMSIEIJ0ToIg0h0S8LZAfzp015i19gJyyrpxxkWg5uW78LEjLMEIGCisG # AQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3 # Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEBBQAEggEAE38s7vzju5q0xXOvhKqt # mH90RprtPp1OnAXWNxz+QiWnPtrJgILqFd3yqR6Z4G5XkfNcRr72+Ds0g87jp1wl # zwpRwBGeXGDmQwY7F4XxXZJnPooxXgdBPTEEXc5jxgAwtP6dn3TRX+1M3mV5eY4b # T78F/zN9jKZ+W6zyjrSjKFhTOdhdz71aWRHw5SzBMoEBcZ+IwQ22BAmiZ8z+w+E6 # e9qlvpkQ4oKyhOZhgdzQVzLK5YRax1QJUlFbi+3VtkeZOug0rFEJ1o7RS03+Iiw4 # lb6SNUxllRxdjlK8Nj0By/d35q9wde7NkdnK76wBMM6PLyGiUQWVshv7bS82zEMA # gqGCF60wghepBgorBgEEAYI3AwMBMYIXmTCCF5UGCSqGSIb3DQEHAqCCF4YwgheC # AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFaBgsqhkiG9w0BCRABBKCCAUkEggFFMIIB # QQIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCCImhoGQIu8J1/a39kI # YGWUzRQ0XLGEG73t6dqqOkAiNgIGajYHRmEdGBMyMDI2MDcxNTE4MjU1OS45MjVa # MASAAgH0oIHZpIHWMIHTMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0 # ZWQxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjo2RjFBLTA1RTAtRDk0NzElMCMG # A1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCCEfswggcoMIIFEKAD # AgECAhMzAAACHAlVFdfDWQfRAAEAAAIcMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV # BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w # HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m # dCBUaW1lLVN0YW1wIFBDQSAyMDEwMB4XDTI1MDgxNDE4NDgzMVoXDTI2MTExMzE4 # NDgzMVowgdMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLTAr # BgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMgTGltaXRlZDEnMCUG # A1UECxMeblNoaWVsZCBUU1MgRVNOOjZGMUEtMDVFMC1EOTQ3MSUwIwYDVQQDExxN # aWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEFAAOC # Ag8AMIICCgKCAgEAow0xEAUaFIyyLIXeFzeI8IKyBON2u0Dr02ISE5p9G5CUXfnF # u2S0E1gWCMvDWpopX6lRxjmgnqaL3BtnWlBVTo8xUNRZu23ie4YBMAJB7Ut6mnqn # HVwvDJxGO4TD3SnrCd+yg35B9QFejq3o4+OByvXjynaypZyukcQaLsKQvoxE8ElH # H7zcOXEJWmU3rnXzaW/S4SH3OPhoUbTTcy6nUgKx5pRWiQ24UEPLYzcxGJjqjkz+ # GiCWGPFHDMdW86laWvmCslouQPsN2eBk8dxJcEZmW4l6p4TthoXcfexEA9YdYaMz # 10aMhZNpdsNaDtDQUMDEC3k1D1My69MXSPlUmD9xFyDlkXiVa7BCEp3XcVtqTgzH # Gwr28JD6oE7zEPYeuZOiuCBXTZSo/wk3tbDlsESbIPV6inYqrzxiMYqlxfCdzC3C # imh9/NT/Lk9/aU+Iyyc9b3OaT0dZ8wgLaVDCGELRMrqyImdFHv0MudctzW/kPsV3 # Ja9ufpKWujEiN3CW//X8hFa9j5ImNeQzcMit3MoSaoGwnbiZJX1IyibIphlqccXF # k4oTTSOQBsAUw8U0gwOnM5UJD8mBUBd65Np6NBkx2cviJ4I34GyXFCWyy5Ft1QsB # YyVfAG3KOhCfPHQf8lQzJvLr57YW0bD/xVs4Ag4gTS6KZNyFEfX9jFdRlr0CAwEA # AaOCAUkwggFFMB0GA1UdDgQWBBRa3mOCzB8u7zpvDh8MGKVYLCk7ZDAfBgNVHSME # GDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5odHRw # Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBUaW1l # LVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwGCCsG # AQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01p # Y3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB # Af8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDAN # BgkqhkiG9w0BAQsFAAOCAgEAklb6w/deaid3BujQCtWFBe0n9pkyRy+yyWEg70iD # woJ5u0e0O+4GerNzdZb1zTPsHJ8EGMyo1K7ytL21+pmdFMTl19PC8OJ5Y2p+XKUQ # y2dD+hggRMmJgDQsgbOCxHYeO+jg4t+vg61wUrovzzLkH3z0PJXXvoNuBj9Lda9C # iNMd60451Kube99ArSf6ZMj3t0p4rFbgSazDs+8TJ+8KA5GVaYjPHj9rlMuI3Wjo # hEc9apnQ6hMjMck3jlHZIwluVYeUQE0qjmApfMtTAEzbMUdY8sLTunL1GkbDSeKn # 9O7llBGnNtyM1uM9Mdv1VyWh0z/IriQKIjntqqGyoF0HvDHOFZCyUDBPLflyiu7Y # 1zQ/sPounsb96aBfQdq3h3LOn6t+m9EnNz/G6MzzWvpJk6YgTHTIqeQN/F/XpiPv # bfek3nq/PYbL3au+kBfRUHiCFXSvt6lor0HC626vUmz9ZNPOxwEWLuccomxsy3Jw # WH79vsM/7ARqoG5h6d6NahfaOuRP4XI9xtdH3Pa/NCLyQjxKXyLxzwQzjddkX2Ep # TJnlypuhPmEdea59Uz2E303LxyXSnKBvGsAnyWYAfnejr3YAiL9YrN2l2dn198Rp # A4DCm9QtZYiwC0q2fuUvui34PfPIUZByf7wHuuWu50hY9WLx1kOMI8xyo7AI6TaN # rnIwggdxMIIFWaADAgECAhMzAAAAFcXna54Cm0mZAAAAAAAVMA0GCSqGSIb3DQEB # CwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYD # VQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAe # Fw0yMTA5MzAxODIyMjVaFw0zMDA5MzAxODMyMjVaMHwxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0 # YW1wIFBDQSAyMDEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5OGm # TOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1V/YBf2xK4OK9uT4XYDP/XE/H # ZveVU3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY6GB9alKDRLemjkZrBxTzxXb1hlDc # wUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmvHaus9ja+NSZk2pg7uhp7M62A # W36MEBydUv626GIl3GoPz130/o5Tz9bshVZN7928jaTjkY+yOSxRnOlwaQ3KNi1w # jjHINSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3tpK56KTesy+uDRedGbsoy1cCG # MFxPLOJiss254o2I5JasAUq7vnGpF1tnYN74kpEeHT39IM9zfUGaRnXNxF803RKJ # 1v2lIH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2K26oElHovwUDo9Fzpk03dJQcNIIP # 8BDyt0cY7afomXw/TNuvXsLz1dhzPUNOwTM5TI4CvEJoLhDqhFFG4tG9ahhaYQFz # ymeiXtcodgLiMxhy16cg8ML6EgrXY28MyTZki1ugpoMhXV8wdJGUlNi5UPkLiWHz # NgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9QBXpsxREdcu+N+VLEhReTwDwV2xo3 # xwgVGD94q0W29R6HXtqPnhZyacaue7e3PmriLq0CAwEAAaOCAd0wggHZMBIGCSsG # AQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFCqnUv5kxJq+gpE8RjUpzxD/ # LwTuMB0GA1UdDgQWBBSfpxVdAF5iXYP05dJlpxtTNRnpcjBcBgNVHSAEVTBTMFEG # DCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jvc29m # dC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wEwYDVR0lBAwwCgYIKwYB # BQUHAwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8G # A1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQw # VgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9j # cmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUF # BwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3Br # aS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwDQYJKoZIhvcNAQEL # BQADggIBAJ1VffwqreEsH2cBMSRb4Z5yS/ypb+pcFLY+TkdkeLEGk5c9MTO1OdfC # cTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpTTd2YurYeeNg2LpypglYAA7AF # vonoaeC6Ce5732pvvinLbtg/SHUB2RjebYIM9W0jVOR4U3UkV7ndn/OOPcbzaN9l # 9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3+SmJw7wXsFSFQrP8DJ6LGYnn # 8AtqgcKBGUIZUnWKNsIdw2FzLixre24/LAl4FOmRsqlb30mjdAy87JGA0j3mSj5m # O0+7hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSwethQ/gpY3UA8x1RtnWN0SCyx # TkctwRQEcb9k+SS+c23Kjgm9swFXSVRk2XPXfx5bRAGOWhmRaw2fpCjcZxkoJLo4 # S5pu+yFUa2pFEUep8beuyOiJXk+d0tBMdrVXVAmxaQFEfnyhYWxz/gq77EFmPWn9 # y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/AsGConsXHRWJjXD+57XQKBqJC4822rpM # +Zv/Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU5nR0W2rRnj7tfqAxM328y+l7vzhw # RNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEGahC0HVUzWLOhcGbyoYIDVjCCAj4C # AQEwggEBoYHZpIHWMIHTMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0 # ZWQxJzAlBgNVBAsTHm5TaGllbGQgVFNTIEVTTjo2RjFBLTA1RTAtRDk0NzElMCMG # A1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIa # AxUAWmTiA01u5mxq/nVxiRJLMOskVGeggYMwgYCkfjB8MQswCQYDVQQGEwJVUzET # MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV # TWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1T # dGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQsFAAIFAO4CIkEwIhgPMjAyNjA3MTUx # NTE0MDlaGA8yMDI2MDcxNjE1MTQwOVowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA # 7gIiQQIBADAHAgEAAgII/jAHAgEAAgISMzAKAgUA7gNzwQIBADA2BgorBgEEAYRZ # CgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0G # CSqGSIb3DQEBCwUAA4IBAQC68qgfqXAEHkcvueKbO8prR681jC9WYrXSUcNL/vKE # KpuIYD7OkwN7rKGevNaznauU3p9wWDI9jmYJsuS3+mnoY+IsVNRIGk/dHI+mz9vA # BaNtyfEObFIuG20aMy9DF8nuYhlJJ8UoBe20ll0kHe+iY+kFRCQFicKR9OWIcaUi # pnRPKGxsNssk+R8y12oKV2KJRdCu5Vfs//UIplmKffLLeWsFr1oPmtKg1TGoMZzL # 2vPswrIjywEqbz3+T0gXO3Uff+rphKhNTiD/sh8jdHxC+u96bn3jhR5Dd2zz9U66 # pRUdJUfnRxaEPi3HlAvfPUGHbBVHKyV6IpcHLPpJv56RMYIEDTCCBAkCAQEwgZMw # fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl # ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMd # TWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAIcCVUV18NZB9EAAQAA # AhwwDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRAB # BDAvBgkqhkiG9w0BCQQxIgQgOr43wE0XvVoxtDQG0KpuMAxuCOAlCiJuRxWH/HYu # G50wgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCCgIGkmNhdo7+KE7dWhI+E2 # Ctx2RLWoYvvJodCIciHHaDCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv # ZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBD # QSAyMDEwAhMzAAACHAlVFdfDWQfRAAEAAAIcMCIEIEauFEcE7vRTuCJ1pLtmCL+6 # AXG4HEL8yit+izXI4ebQMA0GCSqGSIb3DQEBCwUABIICABbTK8MfQeksajViZ3wg # DtMN6HAegP0W/AIP/0sz814aojLkLqX3eyS11mfRP+zIrTdo6fkemzD/8xKYpO7j # DtTtS1zKcHSZbfidr/jytmQpQE1mAzjAaP2wAyIdWMtEwbk59igz1I3HTjsZ4z3G # kGGotrCg5HNrYVo7ltyl3Fxfch9nB/vYfvQ9EuTf0tiCfd+Vgw/wy6AasLXT+rdR # 4YOGY6LdT9pJYjnGUp74Sb0aPyW+MK/O1gND/RNKFTWR6jAE41lEt5BGWJfX1YZd # 5v9PfLekKa5N4vXuLA2CbDoCrHEfwSlYe7OB2wQzrpvGeyEUSUb5eBJhbrlJlqkP # 87cDEDKfBoGQQnMT6IoSASUllRezt522gr2eWVvao740pGpmlBIwpfjrbf6H3NZt # MUNh9Gf0yxH9d3PK2z0Vtju20HONb40yOFR3p9rUElKl5FAft/8qrO4b4dkvmSVo # rPQPlp+4mgfRhNnWWN/YrEKnj53GulRwwr+Hr2HZGEBv6C7BKRwDqpi0GUeneaUJ # Nqw0qGk0eNt172JOwbaXdQQk+JRWB/wdm2D2bVGZsRoHt6JrQ28Xsm1y3/dfx6Lh # LoPeM47qIC2AI/c8t45DQl+R9fEhRoD5cE5/UoNL9NEHHyahs2ECjp+sbSBOJIur # Zm+MWfdTJfazFGEpvqp7rDi2 # SIG # End signature block |