Modules/Providers/ProviderHelpers/AADRiskyPermissionsHelper.psm1
|
Import-Module -Name $PSScriptRoot/../../Utility/Utility.psm1 -Function Invoke-GraphDirectly, ConvertFrom-GraphHashtable function Get-ResourcePermissions { param( [ValidateNotNullOrEmpty()] [string] $M365Environment, [hashtable] $ResourcePermissionCache, [string] $ResourceAppId ) try { if ($null -eq $ResourcePermissionCache) { $ResourcePermissionCache = @{} } if (-not $ResourcePermissionCache.ContainsKey($ResourceAppId)) { # v1.0 Graph endpoint is used here because it contains the oauth2PermissionScopes property $result = ( Invoke-GraphDirectly ` -Commandlet "Get-MgServicePrincipal" ` -M365Environment $M365Environment ` -QueryParams @{ '$filter' = "appId eq '$ResourceAppId'" '$select' = "appRoles,oauth2PermissionScopes" } ).Value $ResourcePermissionCache[$ResourceAppId] = $result } return $ResourcePermissionCache[$ResourceAppId] } catch { Write-Warning "An error occurred in Get-ResourcePermissions: $($_.Exception.Message)" Write-Warning "Stack trace: $($_.ScriptStackTrace)" throw $_ } } function Get-RiskyPermissionsJson { process { try { $PermissionsPath = Join-Path -Path ((Get-Item -Path $PSScriptRoot).Parent.Parent.FullName) -ChildPath "Permissions" $PermissionsJson = Get-Content -Path ( Join-Path -Path (Get-Item -Path $PermissionsPath) -ChildPath "RiskyPermissions.json" ) | ConvertFrom-Json } catch { Write-Warning "An error occurred in Get-RiskyPermissionsJson: $($_.Exception.Message)" Write-Warning "Stack trace: $($_.ScriptStackTrace)" throw $_ } return $PermissionsJson } } function Format-Permission { <# .Description Returns an API permission from either application/service principal which maps to the list of permissions declared in RiskyPermissions.json .Functionality #Internal ##> param ( [ValidateNotNullOrEmpty()] [PSCustomObject] $Json, [ValidateNotNullOrEmpty()] [string] $AppDisplayName, [ValidateNotNullOrEmpty()] [string] $Id, [string] $RoleType, [string] $RoleDisplayName, [ValidateNotNullOrEmpty()] [boolean] $IsAdminConsented ) $RiskyPermissions = $Json.permissions.$AppDisplayName.PSObject.Properties.Name $Map = @() $IsRisky = $RiskyPermissions -contains $Id $Map += [PSCustomObject]@{ RoleId = $Id RoleType = if ($null -ne $RoleType) { $RoleType } else { $null } RoleDisplayName = if ($null -ne $RoleDisplayName) { $RoleDisplayName } else { $null } ApplicationDisplayName = $AppDisplayName IsAdminConsented = $IsAdminConsented IsRisky = $IsRisky } return $Map } function Format-Credentials { <# .Description Returns an array of valid/expired credentials .Functionality #Internal ##> [Diagnostics.CodeAnalysis.SuppressMessageAttribute( "PSReviewUnusedParameter", "IsFromApplication", Justification = "False positive due to variable scoping" )] param ( [Object[]] $AccessKeys, [ValidateNotNullOrEmpty()] [boolean] $IsFromApplication ) process { $ValidCredentials = @() $RequiredKeys = @("KeyId", "DisplayName", "StartDateTime", "EndDateTime") foreach ($Credential in $AccessKeys) { # Only format credentials with the correct keys $MissingKeys = $RequiredKeys | Where-Object { -not ($Credential.PSObject.Properties.Name -contains $_) } if ($MissingKeys.Count -eq 0) { # $Credential is of type PSCredential which is immutable, create a copy $CredentialCopy = $Credential | Select-Object -Property ` KeyId, DisplayName, StartDateTime, EndDateTime, ` @{ Name = "IsFromApplication"; Expression = { $IsFromApplication }} $ValidCredentials += $CredentialCopy } } if ($null -eq $AccessKeys -or $AccessKeys.Count -eq 0 -or $ValidCredentials.Count -eq 0) { return $null } return $ValidCredentials } } function Merge-Credentials { <# .Description Merge credentials from multiple resources into a single resource .Functionality #Internal ##> param ( [Object[]] $ApplicationAccessKeys, [Object[]] $ServicePrincipalAccessKeys ) # Both application/sp objects have key and federated credentials. # Conditionally merge the two together, select only application/service principal creds, or none. $MergedCredentials = @() if ($null -ne $ServicePrincipalAccessKeys -and $null -ne $ApplicationAccessKeys) { # Both objects valid $MergedCredentials = @($ServicePrincipalAccessKeys) + @($ApplicationAccessKeys) } elseif ($null -eq $ServicePrincipalAccessKeys -and $null -ne $ApplicationAccessKeys) { # Only application credentials valid $MergedCredentials = @($ApplicationAccessKeys) } elseif ($null -ne $ServicePrincipalAccessKeys -and $null -eq $ApplicationAccessKeys) { # Only service principal credentials valid $MergedCredentials = @($ServicePrincipalAccessKeys) } else { # Neither credentials are valid $MergedCredentials = $null } return $MergedCredentials } function Get-ServicePrincipalAll { <# .Description Returns all service principals in the tenant, this is used to determine if they have risky permissions. .PARAMETER M365Environment The M365 environment to use for the Graph API call. This is used to determine the correct endpoint for the API call. .EXAMPLE Get-ServicePrincipalAll -M365Environment commercial Returns all service principals in the tenant for the commercial environment. #> param ( [ValidateNotNullOrEmpty()] [string] $M365Environment ) # Initialize an empty array to store all service principals $allServicePrincipals = @() # Get the first page of results $result = Invoke-GraphDirectly -commandlet "Get-MgBetaServicePrincipal" -M365Environment $M365Environment # Add the current page of service principals to our collection if ($result.Value) { $allServicePrincipals += $result.Value } # Continue fetching next pages as long as there's a nextLink while ($result.'@odata.nextLink') { # Extract the URI from the nextLink $nextLink = $result.'@odata.nextLink' # Use the URI directly for the next request $result = Invoke-MgGraphRequest -Uri $nextLink -Method "GET" # Add the new page of results to our collection if ($result.Value) { $allServicePrincipals += $result.Value } } return $allServicePrincipals } function Get-ApplicationsWithRiskyPermissions { <# .Description Returns an array of applications where each item contains its Object ID, App ID, Display Name, Key/Password/Federated Credentials, and risky API permissions. .Functionality #Internal ##> param ( [ValidateNotNullOrEmpty()] [string] $M365Environment, [hashtable] $ResourcePermissionCache ) process { try { $RiskyPermissionsJson = Get-RiskyPermissionsJson # Get all applications in the tenant $Applications = (Invoke-GraphDirectly -commandlet "Get-MgBetaApplication" -M365Environment $M365Environment).Value $ApplicationResults = @() foreach ($App in $Applications) { # `AzureADMyOrg` = single tenant; `AzureADMultipleOrgs` = multi tenant $IsMultiTenantEnabled = $false if ($App.SignInAudience -eq "AzureADMultipleOrgs") { $IsMultiTenantEnabled = $true } # Map application permissions against RiskyPermissions.json $MappedPermissions = @() foreach ($Resource in $App.RequiredResourceAccess) { # Returns both application and delegated permissions $Roles = $Resource.ResourceAccess $ResourceAppId = $Resource.ResourceAppId $ResourceAppPermissions = Get-ResourcePermissions ` -M365Environment $M365Environment ` -ResourcePermissionCache $ResourcePermissionCache ` -ResourceAppId $ResourceAppId if ($null -eq $ResourceAppPermissions) { Write-Warning "No permissions found for resource app ID: $ResourceAppId" continue } # Additional processing is required to determine if a permission is admin consented. # Initially assume admin consent is false since we reference the application's manifest, # then update the value later when its compared to service principal permissions. $IsAdminConsented = $false # Only map on resources stored in RiskyPermissions.json file if ($RiskyPermissionsJson.resources.PSObject.Properties.Name -contains $ResourceAppId) { foreach ($Role in $Roles) { $ResourceDisplayName = $RiskyPermissionsJson.resources.$ResourceAppId $RoleId = $Role.Id if ($Role.Type -eq "Role") { $ReadableRoleType = "Application" $RoleDisplayName = ($ResourceAppPermissions.appRoles | Where-Object { $_.id -eq $RoleId }).value } else { $ReadableRoleType = "Delegated" $RoleDisplayName = ($ResourceAppPermissions.oauth2PermissionScopes | Where-Object { $_.id -eq $RoleId }).value } $MappedPermissions += Format-Permission ` -Json $RiskyPermissionsJson ` -AppDisplayName $ResourceDisplayName ` -Id $RoleId ` -RoleType $ReadableRoleType ` -RoleDisplayName $RoleDisplayName ` -IsAdminConsented $IsAdminConsented } } } # Get the application credentials via Invoke-GraphDirectly $FederatedCredentials = (Invoke-GraphDirectly -commandlet "Get-MgBetaApplicationFederatedIdentityCredential" -M365Environment $M365Environment -Id $App.Id).Value $FederatedCredentialsResults = @() if ($null -ne $FederatedCredentials) { foreach ($FederatedCredential in $FederatedCredentials) { $FederatedCredentialsResults += [PSCustomObject]@{ Id = $FederatedCredential.Id Name = $FederatedCredential.Name Description = $FederatedCredential.Description Issuer = $FederatedCredential.Issuer Subject = $FederatedCredential.Subject Audiences = $FederatedCredential.Audiences | Out-String } } } else { $FederatedCredentialsResults = $null } # Exclude applications without risky permissions if ($MappedPermissions.Count -gt 0) { $ApplicationResults += [PSCustomObject]@{ ObjectId = $App.Id AppId = $App.AppId DisplayName = $App.DisplayName IsMultiTenantEnabled = $IsMultiTenantEnabled # Credentials from application and service principal objects may get merged in other cmdlets. # Differentiate between the two by setting IsFromApplication=$true KeyCredentials = Format-Credentials -AccessKeys $App.KeyCredentials -IsFromApplication $true PasswordCredentials = Format-Credentials -AccessKeys $App.PasswordCredentials -IsFromApplication $true FederatedCredentials = $FederatedCredentialsResults Permissions = $MappedPermissions } } } } catch { Write-Warning "An error occurred in Get-ApplicationsWithRiskyPermissions: $($_.Exception.Message)" Write-Warning "Stack trace: $($_.ScriptStackTrace)" throw $_ } return $ApplicationResults } } function Get-ServicePrincipalsWithRiskyPermissions { <# .Description Returns an array of service principals where each item contains its Object ID, App ID, Display Name, Key/Password Credentials, and risky API permissions. .Functionality #Internal ##> param ( [ValidateNotNullOrEmpty()] [string] $M365Environment, [hashtable] $ResourcePermissionCache ) process { try { $RiskyPermissionsJson = Get-RiskyPermissionsJson $ServicePrincipalResults = @() # Get all service principals including ones owned by Microsoft $ServicePrincipals = Get-ServicePrincipalAll -M365Environment $M365Environment # Prepare service principal IDs for batch processing $ServicePrincipalIds = $ServicePrincipals.Id # Split the service principal IDs into chunks of 20 $Chunks = [System.Collections.Generic.List[System.Object]]::new() $ChunkSize = 20 for ($i = 0; $i -lt $ServicePrincipalIds.Count; $i += $ChunkSize) { $Chunks.Add($ServicePrincipalIds[$i..([math]::Min($i + $ChunkSize - 1, $ServicePrincipalIds.Count - 1))]) } $endpoint = '/beta/$batch' $endpoint = (Get-ScubaGearPermissions -CmdletName Connect-MgGraph -Environment $M365Environment -OutAs endpoint) + $endpoint # Process each chunk foreach ($Chunk in $Chunks) { $BatchBody = @{ Requests = @() } foreach ($ServicePrincipalId in $Chunk) { $BatchBody.Requests += @{ id = $ServicePrincipalId method = "GET" url = "/servicePrincipals/$ServicePrincipalId/appRoleAssignments" } } # Send the batch request $Response = Invoke-MgGraphRequest -Method POST -Uri $endpoint -Body ( $BatchBody | ConvertTo-Json -Depth 5 ) # Check the response if ($Response.responses) { foreach ($Result in $Response.responses) { $ServicePrincipalId = $Result.id $ServicePrincipal = $ServicePrincipals | Where-Object { $_.Id -eq $ServicePrincipalId } $MappedPermissions = @() if ($Result.status -eq 200) { $AppRoleAssignments = $Result.body.value if ($AppRoleAssignments.Count -gt 0) { foreach ($Role in $AppRoleAssignments) { $ResourceDisplayName = $Role.ResourceDisplayName $RoleId = $Role.AppRoleId # Default to true, # `Get-MgBetaServicePrincipalAppRoleAssignment` only returns admin consented permissions $IsAdminConsented = $true # Only map on resources stored in RiskyPermissions.json file if ($RiskyPermissionsJson.permissions.PSObject.Properties.Name -contains $ResourceDisplayName) { $ResourceAppId = $RiskyPermissionsJson.resources.PSObject.Properties | Where-Object { $_.Value -eq $ResourceDisplayName } | Select-Object -ExpandProperty Name $ResourceAppPermissions = Get-ResourcePermissions ` -M365Environment $M365Environment ` -ResourcePermissionCache $ResourcePermissionCache ` -ResourceAppId $ResourceAppId if ($null -eq $ResourceAppPermissions) { Write-Warning "No permissions found for resource app ID: $ResourceAppId" continue } $ReadableRoleType = $null $RoleDisplayName = $null $AppRole = $ResourceAppPermissions.appRoles | Where-Object { $_.id -eq $RoleId } if ($null -ne $AppRole) { $ReadableRoleType = "Application" $RoleDisplayName = $AppRole.value } else { $OauthScope = $ResourceAppPermissions.oauth2PermissionScopes | Where-Object { $_.id -eq $RoleId } if ($null -ne $OauthScope) { $ReadableRoleType = "Delegated" $RoleDisplayName = $OauthScope.value } } $MappedPermissions += Format-Permission ` -Json $RiskyPermissionsJson ` -AppDisplayName $ResourceDisplayName ` -Id $RoleId ` -RoleType $ReadableRoleType ` -RoleDisplayName $RoleDisplayName ` -IsAdminConsented $IsAdminConsented } } } } else { Write-Warning "Error for service principal $($Result.id): $($Result.status)" } # Exclude service principals without risky permissions if ($MappedPermissions.Count -gt 0) { $ServicePrincipalResults += [PSCustomObject]@{ ObjectId = $ServicePrincipal.Id AppId = $ServicePrincipal.AppId DisplayName = $ServicePrincipal.DisplayName SignInAudience = $ServicePrincipal.SignInAudience # Credentials from application and service principal objects may get merged in other cmdlets. # Differentiate between the two by setting IsFromApplication=$false KeyCredentials = Format-Credentials -AccessKeys $ServicePrincipal.KeyCredentials -IsFromApplication $false PasswordCredentials = Format-Credentials -AccessKeys $ServicePrincipal.PasswordCredentials -IsFromApplication $false FederatedCredentials = $ServicePrincipal.FederatedIdentityCredentials Permissions = $MappedPermissions AppOwnerOrganizationId = $ServicePrincipal.AppOwnerOrganizationId } } } } } } catch { Write-Warning "An error occurred in Get-ServicePrincipalsWithRiskyPermissions: $($_.Exception.Message)" Write-Warning "Stack trace: $($_.ScriptStackTrace)" throw $_ } return $ServicePrincipalResults } } function Format-RiskyApplications { <# .Description Returns an aggregated JSON dataset of application objects, combining data from both applications and service principal objects. Key/Password/Federated credentials are combined into a single array, and admin consent is reflected in each object's list of associated risky permissions. .Functionality #Internal ##> param ( [ValidateNotNullOrEmpty()] [Object[]] $RiskyApps, [ValidateNotNullOrEmpty()] [Object[]] $RiskySPs ) process { try { $Applications = @() foreach ($App in $RiskyApps) { $MatchedServicePrincipal = $RiskySPs | Where-Object { $_.AppId -eq $App.AppId } # Merge objects if an application and service principal exist with the same AppId $MergedObject = @{} if ($MatchedServicePrincipal) { # Determine if each risky permission was admin consented or not foreach ($Permission in $App.Permissions) { $ServicePrincipalRoleIds = $MatchedServicePrincipal.Permissions | Select-Object -ExpandProperty RoleId if ($ServicePrincipalRoleIds -contains $Permission.RoleId) { $Permission.IsAdminConsented = $true } } $ObjectIds = [PSCustomObject]@{ Application = $App.ObjectId ServicePrincipal = $MatchedServicePrincipal.ObjectId } $MergedKeyCredentials = Merge-Credentials ` -ApplicationAccessKeys $App.KeyCredentials ` -ServicePrincipalAccessKeys $MatchedServicePrincipal.KeyCredentials $MergedPasswordCredentials = Merge-Credentials ` -ApplicationAccessKeys $App.PasswordCredentials ` -ServicePrincipalAccessKeys $MatchedServicePrincipal.PasswordCredentials $MergedFederatedCredentials = Merge-Credentials ` -ApplicationAccessKeys $App.FederatedCredentials ` -ServicePrincipalAccessKeys $MatchedServicePrincipal.FederatedCredentials $MergedObject = [PSCustomObject]@{ ObjectId = $ObjectIds AppId = $App.AppId DisplayName = $App.DisplayName IsMultiTenantEnabled = $App.IsMultiTenantEnabled KeyCredentials = $MergedKeyCredentials PasswordCredentials = $MergedPasswordCredentials FederatedCredentials = $MergedFederatedCredentials Permissions = $App.Permissions } } else { $MergedObject = $App } $Applications += $MergedObject } } catch { Write-Warning "An error occurred in Format-RiskyApplications: $($_.Exception.Message)" Write-Warning "Stack trace: $($_.ScriptStackTrace)" throw $_ } return $Applications } } function Format-RiskyThirdPartyServicePrincipals { <# .Description Returns a JSON dataset of service principal objects owned by external organizations. .Functionality #Internal ##> param ( [ValidateNotNullOrEmpty()] [Object[]] $RiskySPs, [ValidateNotNullOrEmpty()] [string] $M365Environment ) process { try { $ServicePrincipals = @() $OrgInfo = (Invoke-GraphDirectly -Commandlet "Get-MgBetaOrganization" -M365Environment $M365Environment).Value foreach ($ServicePrincipal in $RiskySPs) { if ($null -eq $ServicePrincipal) { continue } # If the service principal's owner id is not the same as this tenant then it is a 3rd party principal if ($ServicePrincipal.AppOwnerOrganizationId -ne $OrgInfo.Id) { $ServicePrincipals += $ServicePrincipal } } } catch { Write-Warning "An error occurred in Format-RiskyThirdPartyServicePrincipals: $($_.Exception.Message)" Write-Warning "Stack trace: $($_.ScriptStackTrace)" throw $_ } return $ServicePrincipals } } Export-ModuleMember -Function @( "Get-ApplicationsWithRiskyPermissions", "Get-ServicePrincipalsWithRiskyPermissions", "Format-RiskyApplications", "Format-RiskyThirdPartyServicePrincipals" ) # SIG # Begin signature block # MIIuugYJKoZIhvcNAQcCoIIuqzCCLqcCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCrCLbWHcOp9hrF # PLBnV+MpbAOXKlSrYvYCgoYnU1cAJ6CCE6MwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggdXMIIFP6ADAgECAhAP1uYgxSr4joyBpB/eZOIuMA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjUwMjA4MDAwMDAwWhcNMjYwMTE1MjM1OTU5WjBfMQsw # CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV # BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCXm3O0IOQzt0tbPPKAv4IrrzOf # QjE4Mb9j1zLL1GehaE35ddnoitE7l8OmVEeTLwPH+UpI7DfynUCjLb8HGcsuHO0H # aUuVFR3FNyvGByYATUTA+bQ9UgcwCoPyL48cDmdqFzheQ/KsC+FhI4uEpYiB/6Jp # Q0UL0SUVfC8O8+1ioUXAwdMt3G8bT3x6WaEmAbGqM5yC5fd7rKZEmpLzpA6bP2Xc # QMwi6Jn1m4AvL/jJrXvPyVUK9UlbjobKjiVg6a/UBgFrq8cU7Q1w/e5ijy6XA+aC # Z7SICqimtCW4wbrvodZL0yFeZIxN9qJ24hvrVGf7P/ANTzkoGHuHLwpMIOjBrpA+ # ig3jBTjY1xE2DYgHWcKHsSHEbOxStk+qHsn2J5i9GK+nwS7GmMqIRaEwy+dbfh6l # Q2jI4PO6kPk0ePnB3jTD/bEkdbRXpuq3aUAMS4ZSESer+CnzeBLEXvHrVVs4yHrf # RPmLOX+T43FEf6iAY7Ta3ahn0icLtCtauJ9/jmMigM/l1IfaAF6E/SoCHc6G6S9F # 1ECU/nBkpThU5u2kufiGWBC8rV2V8D50QERbohnv3yWR5BTG8dX+NYjd7HdctRAj # 9al3sQ/tdyVgOHUp+9KseYJthuNnh8WCoDeho/GX65QJDSJwh5uDcvNUfpeebANU # U1GwatZ4l+EWfOc05QIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R # hvv+YXsIiGX0TkIwHQYDVR0OBBYEFJIsiVnihq62MAlpq96K9lNX9UCGMD4GA1Ud # IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl # cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw # gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j # cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0 # ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF # BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ # BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQChGHY/dRc2BtvGT6mHR4bqoakC # N9hyjDA+bbxJE73T2HgI5wKVmhu2JmFZ/FHmoXE4ngnLnGS+zMEoeTEfzb/MmAxF # H+Ca/JGMDsbVf+rP+aVc1NkSpUd6u5rsR01Dimcs+pHGwpEUF1HCDFrFcl10Smcj # b8Z+tPbIETe3yvdRyoJL2Lm6k8wvC7xfgPoMzdbKWRzTCEnVQ+B53vHBSLT4D5wW # dq3yv6oj2fQ381wZQm16fLIedmiStUYfp0ZICqI3T6UiQ5w/DXYy05Z/1Njqu3PQ # l2Sy/JLDZc7hBu5YH5ia1G2IFC6S9gN34jm8qhkkoo8kihsxRBbBLiiNB0z/eH7y # jsNgyRR+Vje51Jcgte18zVQH6fRkl+HDp2nMgdgzShlKYXZzVFQvgmMu76x72P5f # bOgzmOxCZNZh0AQUo16DdbnGvloqHCbEND2JA/0QpeB0dlWKkWiotu/MaJE8/4uU # sxw5JSZPj8ya4WnrntJaY73TxXBHSd9CezT7lDShTgB1FkCSAov3aFwqyGH4hC+2 # MGp3Wzn03rkqVCzjmgNSIkCxQzJ+hEIvbk6GVK2yk+Q9eZQCkjRKY+EYwJNDsB9I # w75dWMsi2S9PFBEkKZYZFgxwVaBvnWgrfxlZMOooNADSdmq5fvTH/tjR3vIEd4QP # Dlzb9f7QLX+cvb0MjjGCGm0wghppAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQD9bmIMUq+I6M # gaQf3mTiLjANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh # AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM # BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCAqkTYeAAPDMAoRR+NTNfO8eP3u # gaYWkSMEqw1fcRqxqjANBgkqhkiG9w0BAQEFAASCAgBUXZ3fcCm4EbHedmUAJ/pI # SFe9avzO4abknQpdKotm8XakTqQaz9U2SDbMx27/KBAc8J8HSUhX+EKzP/84QKF0 # moJeaMbTMCpkLKsTy2XH6p5KiyaBD0Kw3B6lTKgUbaZ9ketIcQ61BtuFaCpmJya/ # CqV25Lb0d6rPJqd0fT5RH8svhjYgv22n73Ahvvd0n90HkFLHV7hho5gmrnS9dI9L # 0nnhTejqiSMTN3NDaHIrKxAyC4XkgAJcccanckXsCpJBlEW536VV/6PRz3kbdVX6 # X3iitD5uBXQs65beqJmB3yd95Jrq6NGBbuyClOEyKQg22Cq2Z0PHbkeW+LGmxeab # 2K/438R/XvI/faa3iNyMgxolrd7n5hMPzXxTQaTMhDed5BW2gnhHhS9ZO9cmD41V # SjC1fUsn/yB3PGnnhoZ81HVht0nzNPLbAEvadIiCwtb5iEunJAf6re5efUJQHED3 # 9sc+XDMYFb3h+EyRvs4VHtyV6NPRdg/v620ebr2kYw4Cow5DzFRqK6bivYSVCjO4 # XKJfOiRAM/MHQXC0DKxTd2RGrCHfYXPxU/j9ROgDWi2X5CzAzFnvUGPqCWpOKCCQ # DwVWOxn1FCO0IpZ4WNOtZiyDNxpna8r9tg9FFN3XX+1PQEfR+c+Bd44X5ass9IJN # ZzMpAy78VD0+1HQj/e3dnKGCFzowghc2BgorBgEEAYI3AwMBMYIXJjCCFyIGCSqG # SIb3DQEHAqCCFxMwghcPAgEDMQ8wDQYJYIZIAWUDBAIBBQAweAYLKoZIhvcNAQkQ # AQSgaQRnMGUCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCDMco1fEeDA # NXTium1Wbi84GQEVYC22SdFR7+qPVScowAIRAKVxmJJ6uhyid6mY2DfTFUYYDzIw # MjUwNzA5MDA1NTIxWqCCEwMwgga8MIIEpKADAgECAhALrma8Wrp/lYfG+ekE4zME # MA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2Vy # dCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNI # QTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMjQwOTI2MDAwMDAwWhcNMzUxMTI1MjM1 # OTU5WjBCMQswCQYDVQQGEwJVUzERMA8GA1UEChMIRGlnaUNlcnQxIDAeBgNVBAMT # F0RpZ2lDZXJ0IFRpbWVzdGFtcCAyMDI0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A # MIICCgKCAgEAvmpzn/aVIauWMLpbbeZZo7Xo/ZEfGMSIO2qZ46XB/QowIEMSvgjE # dEZ3v4vrrTHleW1JWGErrjOL0J4L0HqVR1czSzvUQ5xF7z4IQmn7dHY7yijvoQ7u # jm0u6yXF2v1CrzZopykD07/9fpAT4BxpT9vJoJqAsP8YuhRvflJ9YeHjes4fduks # THulntq9WelRWY++TFPxzZrbILRYynyEy7rS1lHQKFpXvo2GePfsMRhNf1F41nyE # g5h7iOXv+vjX0K8RhUisfqw3TTLHj1uhS66YX2LZPxS4oaf33rp9HlfqSBePejlY # eEdU740GKQM7SaVSH3TbBL8R6HwX9QVpGnXPlKdE4fBIn5BBFnV+KwPxRNUNK6lY # k2y1WSKour4hJN0SMkoaNV8hyyADiX1xuTxKaXN12HgR+8WulU2d6zhzXomJ2Ple # I9V2yfmfXSPGYanGgxzqI+ShoOGLomMd3mJt92nm7Mheng/TBeSA2z4I78JpwGpT # RHiT7yHqBiV2ngUIyCtd0pZ8zg3S7bk4QC4RrcnKJ3FbjyPAGogmoiZ33c1HG93V # p6lJ415ERcC7bFQMRbxqrMVANiav1k425zYyFMyLNyE1QulQSgDpW9rtvVcIH7Wv # G9sqYup9j8z9J1XqbBZPJ5XLln8mS8wWmdDLnBHXgYly/p1DhoQo5fkCAwEAAaOC # AYswggGHMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQM # MAoGCCsGAQUFBwMIMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG/WwHATAf # BgNVHSMEGDAWgBS6FtltTYUvcyl2mi91jGogj57IbzAdBgNVHQ4EFgQUn1csA3cO # KBWQZqVjXu5Pkh92oFswWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybDMuZGln # aWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0UlNBNDA5NlNIQTI1NlRpbWVTdGFt # cGluZ0NBLmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwJAYIKwYBBQUHMAGGGGh0dHA6 # Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBYBggrBgEFBQcwAoZMaHR0cDovL2NhY2VydHMu # ZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0UlNBNDA5NlNIQTI1NlRpbWVT # dGFtcGluZ0NBLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAPa0eH3aZW+M4hBJH2UOR # 9hHbm04IHdEoT8/T3HuBSyZeq3jSi5GXeWP7xCKhVireKCnCs+8GZl2uVYFvQe+p # PTScVJeCZSsMo1JCoZN2mMew/L4tpqVNbSpWO9QGFwfMEy60HofN6V51sMLMXNTL # fhVqs+e8haupWiArSozyAmGH/6oMQAh078qRh6wvJNU6gnh5OruCP1QUAvVSu4kq # VOcJVozZR5RRb/zPd++PGE3qF1P3xWvYViUJLsxtvge/mzA75oBfFZSbdakHJe2B # VDGIGVNVjOp8sNt70+kEoMF+T6tptMUNlehSR7vM+C13v9+9ZOUKzfRUAYSyyEmY # tsnpltD/GWX8eM70ls1V6QG/ZOB6b6Yum1HvIiulqJ1Elesj5TMHq8CWT/xrW7tw # ipXTJ5/i5pkU5E16RSBAdOp12aw8IQhhA/vEbFkEiF2abhuFixUDobZaA0VhqAsM # HOmaT3XThZDNi5U2zHKhUs5uHHdG6BoQau75KiNbh0c+hatSF+02kULkftARjsyE # pHKsF7u5zKRbt5oK5YGwFvgc4pEVUNytmB3BpIiowOIIuDgP5M9WArHYSAR16gc0 # dP2XdkMEP5eBsX7bf/MGN4K3HP50v/01ZHo/Z5lGLvNwQ7XHBx1yomzLP8lx4Q1z # ZKDyHcp4VQJLu2kWTsKsOqQwggauMIIElqADAgECAhAHNje3JFR82Ees/ShmKl5b # MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD # ZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMjAzMjMwMDAwMDBaFw0zNzAzMjIyMzU5 # NTlaMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7MDkG # A1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1lU3Rh # bXBpbmcgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGhjUGSbPB # PXJJUVXHJQPE8pE3qZdRodbSg9GeTKJtoLDMg/la9hGhRBVCX6SI82j6ffOciQt/ # nR+eDzMfUBMLJnOWbfhXqAJ9/UO0hNoR8XOxs+4rgISKIhjf69o9xBd/qxkrPkLc # Z47qUT3w1lbU5ygt69OxtXXnHwZljZQp09nsad/ZkIdGAHvbREGJ3HxqV3rwN3mf # XazL6IRktFLydkf3YYMZ3V+0VAshaG43IbtArF+y3kp9zvU5EmfvDqVjbOSmxR3N # Ng1c1eYbqMFkdECnwHLFuk4fsbVYTXn+149zk6wsOeKlSNbwsDETqVcplicu9Yem # j052FVUmcJgmf6AaRyBD40NjgHt1biclkJg6OBGz9vae5jtb7IHeIhTZgirHkr+g # 3uM+onP65x9abJTyUpURK1h0QCirc0PO30qhHGs4xSnzyqqWc0Jon7ZGs506o9UD # 4L/wojzKQtwYSH8UNM/STKvvmz3+DrhkKvp1KCRB7UK/BZxmSVJQ9FHzNklNiyDS # LFc1eSuo80VgvCONWPfcYd6T/jnA+bIwpUzX6ZhKWD7TA4j+s4/TXkt2ElGTyYwM # O1uKIqjBJgj5FBASA31fI7tk42PgpuE+9sJ0sj8eCXbsq11GdeJgo1gJASgADoRU # 7s7pXcheMBK9Rp6103a50g5rmQzSM7TNsQIDAQABo4IBXTCCAVkwEgYDVR0TAQH/ # BAgwBgEB/wIBADAdBgNVHQ4EFgQUuhbZbU2FL3MpdpovdYxqII+eyG8wHwYDVR0j # BBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMGA1Ud # JQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYYaHR0 # cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2FjZXJ0 # cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNVHR8E # PDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVz # dGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgGBmeBDAEEAjALBglghkgBhv1sBwEw # DQYJKoZIhvcNAQELBQADggIBAH1ZjsCTtm+YqUQiAX5m1tghQuGwGC4QTRPPMFPO # vxj7x1Bd4ksp+3CKDaopafxpwc8dB+k+YMjYC+VcW9dth/qEICU0MWfNthKWb8RQ # TGIdDAiCqBa9qVbPFXONASIlzpVpP0d3+3J0FNf/q0+KLHqrhc1DX+1gtqpPkWae # LJ7giqzl/Yy8ZCaHbJK9nXzQcAp876i8dU+6WvepELJd6f8oVInw1YpxdmXazPBy # oyP6wCeCRK6ZJxurJB4mwbfeKuv2nrF5mYGjVoarCkXJ38SNoOeY+/umnXKvxMfB # wWpx2cYTgAnEtp/Nh4cku0+jSbl3ZpHxcpzpSwJSpzd+k1OsOx0ISQ+UzTl63f8l # Y5knLD0/a6fxZsNBzU+2QJshIUDQtxMkzdwdeDrknq3lNHGS1yZr5Dhzq6YBT70/ # O3itTK37xJV77QpfMzmHQXh6OOmc4d0j/R0o08f56PGYX/sr2H7yRp11LB4nLCbb # bxV7HhmLNriT1ObyF5lZynDwN7+YAN8gFk8n+2BnFqFmut1VwDophrCYoCvtlUG3 # OtUVmDG0YgkPCr2B2RP+v6TR81fZvAT6gt4y3wSJ8ADNXcL50CN/AAvkdgIm2fBl # dkKmKYcJRyvmfxqkhQ/8mJb2VVQrH4D6wPIOK+XW+6kvRBVK5xMOHds3OBqhK/bt # 1nz8MIIFjTCCBHWgAwIBAgIQDpsYjvnQLefv21DiCEAYWjANBgkqhkiG9w0BAQwF # ADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQL # ExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElE # IFJvb3QgQ0EwHhcNMjIwODAxMDAwMDAwWhcNMzExMTA5MjM1OTU5WjBiMQswCQYD # VQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln # aWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKn # JS7JIT3yithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/W # BTxSD1Ifxp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHi # LQwb7iDVySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhm # V1efVFiODCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHE # tWoYOAMQjdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6 # MUSaM0C/CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mX # aXpI8OCiEhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZ # xd9LBADMfRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfh # vbfmQ6QYuKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvl # EFDrMcXKchYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn1 # 5GkvmB0t9dmpsh3lGwIDAQABo4IBOjCCATYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV # HQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wHwYDVR0jBBgwFoAUReuir/SSy4Ix # LVGLp6chnfNtyA8wDgYDVR0PAQH/BAQDAgGGMHkGCCsGAQUFBwEBBG0wazAkBggr # BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEMGCCsGAQUFBzAChjdo # dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290 # Q0EuY3J0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNv # bS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwEQYDVR0gBAowCDAGBgRVHSAA # MA0GCSqGSIb3DQEBDAUAA4IBAQBwoL9DXFXnOF+go3QbPbYW1/e/Vwe9mqyhhyzs # hV6pGrsi+IcaaVQi7aSId229GhT0E0p6Ly23OO/0/4C5+KH38nLeJLxSA8hO0Cre # +i1Wz/n096wwepqLsl7Uz9FDRJtDIeuWcqFItJnLnU+nBgMTdydE1Od/6Fmo8L8v # C6bp8jQ87PcDx4eo0kxAGTVGamlUsLihVo7spNU96LHc/RzY9HdaXFSMb++hUD38 # dglohJ9vytsgjTVgHAIDyyCwrFigDkBjxZgiwbJZ9VVrzyerbHbObyMt9H5xaiNr # Iv8SuFQtJ37YOtnwtoeW/VvRXKwYw02fc7cBqZ9Xql4o4rmUMYIDdjCCA3ICAQEw # dzBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNV # BAMTMkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1w # aW5nIENBAhALrma8Wrp/lYfG+ekE4zMEMA0GCWCGSAFlAwQCAQUAoIHRMBoGCSqG # SIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjUwNzA5MDA1 # NTIxWjArBgsqhkiG9w0BCRACDDEcMBowGDAWBBTb04XuYtvSPnvk9nFIUIck1YZb # RTAvBgkqhkiG9w0BCQQxIgQgJQqn0DdG5CZwpm+FMa5sBoAmeVJLV46J03RCeHfz # QcQwNwYLKoZIhvcNAQkQAi8xKDAmMCQwIgQgdnafqPJjLx9DCzojMK7WVnX+13Pb # BdZluQWTmEOPmtswDQYJKoZIhvcNAQEBBQAEggIAETSb/G7/H9keUM5OtEillQPH # UXSKRc7xcQe5km8QNHEuTSUBbliLcAjYicSwlFeibv5VcNp8GorJuP3q7nmgolOe # Ew6dtkKbyPyM6pTYAB7Ac21+c3EFsOXpAtQ2FjnxbfC+JY6Q7yZFhAqoSpNQc3hJ # Fliwi5tjETvkHKoHAw9B1Yb7uB3CtKaHwlWn3ycC30Oz2JMZmSGkwHKzaeL/l7ip # q7W4Vh2PjoSIE6AdLXeSHFVFlFxNACV1cDaOZtTCvW2b41zWk1XFaP0rly9cSSvc # OQ9hbO7lRwb77A6EzOzl7aI4MNiGuWQWAcOZxykJlhJyGriTsV3jeg3fGcaQrKvI # 9OwPjl+JaTw+DbsaieCIc2a5/Gz3/WGpWh+dHSP0KZ8rU3gLOskkEYih0k+M1v3G # U8WDI0Iifh7gktKX8BTxvLFXxeWdJpkbg7d4ydkSgEBqr4PzTYqXxlI8tqxqMCCp # O1dt3PA8RjeaLLF+9U6xmtE7UcFJh6sIzMsIQ5tEXfD7c62oHYvIXkQXxf/Dz8Gg # 24uvOJvdQZBG1gnVB55kFrhce9suuMRDOZFg3ZNcvFR75JrBiRKZg3P9bld45x+H # 1qSQl1F5XzU9SGP0YibWqpYlPhvl5n78arRmpE2js8He58waNMrTo3+bk6GwArqb # 0V7Yvx/rzB2MuI1RQhQ= # SIG # End signature block |