AffectedKeyCredentials.psm1

################################################################################################
# This script scans all key credentials in all apps/serviceprincipals in the specified tenant #
# for credentials with property `hasExtendedValue == true` by calling Microsoft Graph #
# #
# Default output file path is at: $PWD\KeyCredentialsWithExtendedValue.tsv #
# See sample usage at the end of this script #
################################################################################################

# Strict mode 2.0: references to uninitialized variables and to non-existent properties
# become terminating errors instead of silently yielding $null.
Set-StrictMode -Version 2.0
# Module-scope default for the output schema. Generate-Url and the scan loop in
# Get-AffectedKeyCredentials read this name; Get-AffectedKeyCredentials assigns a
# function-local copy when -ExtendedOutputSchema is given, and the helpers it calls
# see that copy through PowerShell's dynamic scoping, so this module-level value itself
# is never changed.
# NOTE: the file ends with an Authenticode signature block ("# SIG # Begin signature block").
# Any edit to this file invalidates that signature; re-sign the module or load it under an
# execution policy that permits unsigned scripts.
$IncludeExtendedProperties = $false

Function Get-MSGraphEndpoint
{
    <#
    .SYNOPSIS
        Maps a cloud environment name to its Microsoft Graph base URL.
    .PARAMETER Env
        One of AzureCloud, AzureChinaCloud or AzureUSGovernment (matched case-insensitively).
    .OUTPUTS
        [string] The Graph endpoint, e.g. https://graph.microsoft.com for AzureCloud.
    .NOTES
        Throws for any other value rather than falling back to a default endpoint; the result
        is used both as the token audience (Get-AzAccessToken -ResourceUrl) and as the request host.
    #>
    param(
        [string]
        $Env
    )

    # Hashtable keys are case-insensitive by default, which matches switch-statement matching
    $endpoints = @{
        "AzureCloud"        = "https://graph.microsoft.com"
        "AzureChinaCloud"   = "https://microsoftgraph.chinacloudapi.cn"
        "AzureUSGovernment" = "https://graph.microsoft.us"
    }

    if (-not $endpoints.ContainsKey($Env))
    {
        throw "$($Env) is not a valid cloud environment."
    }

    return $endpoints[$Env]
}

# Validate page size to be below the maximum page size
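Function Validate-PageSize
{
    <#
    .SYNOPSIS
        Throws unless 1 <= PageSize <= MaxPageSize.
    .PARAMETER PageSize
        The requested $top value for the Graph list call.
    .PARAMETER MaxPageSize
        The largest page size the caller accepts.
    .OUTPUTS
        None. A terminating error is raised when the page size is out of range.
    #>
    param(
        [int]
        $PageSize,

        [int]
        $MaxPageSize
    )

    # 0 (and negatives) are rejected, so the lower bound quoted in the message is 1
    if ($PageSize -le 0 -or $PageSize -gt $MaxPageSize)
    {
        throw "$($PageSize) must be an integer between 1 and $($MaxPageSize)"
    }
}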

# Remove unnecessary new line characters and whitespace in url
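Function Trim-Url
{
    <#
    .SYNOPSIS
        Strips every run of whitespace from a URL.
    .DESCRIPTION
        Used on a -SkipTokenUrl value that may have been copied from a wrapped warning message,
        so that embedded line breaks, tabs or spaces do not corrupt the $skiptoken.
    .PARAMETER Url
        The URL to clean.
    .OUTPUTS
        [string] The URL with all whitespace removed; an empty input yields an empty string.
    #>
    param(
        [string]
        $Url
    )

    # \s covers CR/LF and tabs as well as spaces, so a single replace is sufficient
    # (a single-quoted '`n' pattern would only ever match a literal backtick followed by n)
    return $Url -replace '\s+', ''
}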

Function Generate-Url
{
    <#
    .SYNOPSIS
        Builds the Microsoft Graph list URL for applications or service principals.
    .DESCRIPTION
        Produces {Resource}/beta/myorganization/{ObjectClass}s with a $select projection,
        a $top page size and, for a single-object query, a filter on appId or id. When the
        caller's $IncludeExtendedProperties (read through dynamic scoping) is true, the
        projection also requests createdDateTime, identifierUris, signInAudience and web and
        expands owners.
    .PARAMETER ObjectClass
        "application" or "servicePrincipal"; an "s" is appended to form the collection name.
    .PARAMETER AppId
        When non-empty, filter on appId. Takes precedence over ObjectId.
    .PARAMETER ObjectId
        When non-empty (and AppId is empty), filter on id.
    .PARAMETER Resource
        Graph base URL from Get-MSGraphEndpoint.
    .PARAMETER PageSize
        Value for $top.
    .OUTPUTS
        [string] The generated URL (also written to the verbose stream).
    .NOTES
        AppId/ObjectId are interpolated into an OData filter expression. The public cmdlet
        constrains both to [guid], which cannot carry quote characters; pass only trusted values
        if this helper is reused with free-form strings.
    #>
    param(
        [string]
        $ObjectClass,

        [string]
        $AppId,

        [string]
        $ObjectId,

        [string]
        $Resource,

        [int]
        $PageSize
    )

    # Columns always requested; the extended schema adds more and expands the owners navigation
    $projection = "displayName,id,appId,keyCredentials"
    if ($IncludeExtendedProperties)
    {
        $projection = $projection + ",createdDateTime,identifierUris,signInAudience,web&`$expand=owners(`$select=id,userPrincipalName)"
    }

    # A single-object query filters on appId (preferred) or on the object id; otherwise no filter
    $filterClause = ""
    if ($AppId)
    {
        $filterClause = "&filter=appId eq '{0}'" -f $AppId
    }
    elseif ($ObjectId)
    {
        $filterClause = "&filter=id eq '{0}'" -f $ObjectId
    }

    # Single-quoted format string keeps the literal $select/$top query parameter names
    $url = '{0}/beta/myorganization/{1}s?$select={2}&$top={3}{4}' -f $Resource, $ObjectClass, $projection, $PageSize, $filterClause

    Write-Verbose "Url Generated: $($url)"

    return $url
}

Function Parse-Owners
{
    <#
    .SYNOPSIS
        Flattens an owners collection into one "id,upn;id,upn" string for tabular output.
    .PARAMETER Owners
        Objects exposing id and userPrincipalName (the shape returned by the
        $expand=owners($select=id,userPrincipalName) projection in Generate-Url).
    .OUTPUTS
        [string] Semicolon-separated "id,userPrincipalName" pairs; empty string when there
        are no owners.
    #>
    param(
        [array]
        $Owners
    )

    # One "id,upn" pair per owner; a missing field renders as an empty string
    $pairs = foreach ($entry in $Owners)
    {
        '{0},{1}' -f $entry.id, $entry.userPrincipalName
    }

    return ($pairs -Join ";")
}

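Function Get-TotalObjectCount
{
    <#
    .SYNOPSIS
        Returns the number of applications or service principals in the tenant.
    .DESCRIPTION
        GETs {Resource}/beta/myorganization/{ObjectClass}s/$count with the bearer token and the
        ConsistencyLevel: eventual header that Graph requires for directory $count queries.
        The result only drives the progress bar in -ScanAll mode. A failed request is a
        terminating error (-ErrorAction Stop) that propagates to the caller.
    .PARAMETER AccessToken
        Bearer token for the Graph resource; sent only in the Authorization header.
    .PARAMETER ObjectClass
        "application" or "servicePrincipal".
    .PARAMETER Resource
        Graph base URL from Get-MSGraphEndpoint.
    .OUTPUTS
        The deserialized $count response (an integer), also written to the verbose stream.
    #>
    param(
        [string]
        $AccessToken,

        [string]
        $ObjectClass,

        [string]
        $Resource
    )

    $authHeader = @{
      "Authorization" = "Bearer " + $AccessToken
      # Directory $count is an advanced query; Graph rejects it without this header
      "ConsistencyLevel" = "eventual"
    }

    $url = "$($Resource)/beta/myorganization/$($ObjectClass)s/`$count"
    # Only the URL is logged, never the token
    Write-Verbose "GET $($url)"
    # No try/catch wrapper: -ErrorAction Stop already makes a failure terminating for the caller
    $totalObjectCount = Invoke-RestMethod -Uri $url -Headers $authHeader -Method "GET" -Verbose:$false -ErrorAction Stop

    Write-Verbose "Total $($ObjectClass) count: $($totalObjectCount)"

    return $totalObjectCount
}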

# Make MS Graph request with retry and exponential backoff
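Function Make-MSGraphRequest
{
    <#
    .SYNOPSIS
        Performs one Microsoft Graph GET, retrying on HTTP 429 with exponential backoff.
    .DESCRIPTION
        Attempts the request up to MaxRetryLimit times. A 429 (throttled) response sleeps
        2^attempt + flatMinSeconds seconds and retries; a 404 is reported as "not found" for the
        AppId/ObjectId the caller is querying; any other failure (for example a 401 once the
        access token has expired) is re-thrown after a warning that names the URL so the scan
        can be resumed with -SkipTokenUrl.
        Only the URL (which may contain a $skiptoken) is written to the verbose/warning streams;
        the bearer token is sent solely in the Authorization header and is never logged.
    .PARAMETER Url
        Fully formed Graph URL, including query parameters or a skip token.
    .PARAMETER ObjectClass
        "application" or "servicePrincipal"; used only in the 404 message.
    .PARAMETER AccessToken
        Bearer token for the Graph resource.
    .PARAMETER MaxRetryLimit
        Maximum number of attempts; 0 fails immediately with the retry-limit error.
    .PARAMETER flatMinSeconds
        Constant number of seconds added to every backoff interval (default 10).
    .OUTPUTS
        The deserialized response from Invoke-RestMethod.
    .NOTES
        AppId and ObjectId are not parameters of this function: they are resolved from the
        caller's scope, so the 404 text is only meaningful when invoked from
        Get-AffectedKeyCredentials. Graph's Retry-After header is not consulted; the fixed
        exponential schedule is used instead.
    #>
    param(
        [string]
        $Url,

        [string]
        $ObjectClass,

        [string]
        $AccessToken,

        [int]
        $MaxRetryLimit,

        [int]
        $flatMinSeconds = 10
    )

    $authHeader = @{
      "Authorization" = "Bearer " + $AccessToken
    }

    # Resolve the caller's AppId/ObjectId explicitly (dynamic scoping made the bare names work
    # from Get-AffectedKeyCredentials); with -ErrorAction SilentlyContinue a missing variable
    # yields $null instead of a strict-mode error inside the catch block below.
    $callerAppId = Get-Variable -Name AppId -ValueOnly -ErrorAction SilentlyContinue
    $callerObjectId = Get-Variable -Name ObjectId -ValueOnly -ErrorAction SilentlyContinue

    $result = $null
    for ($attempt = 1; $attempt -le $MaxRetryLimit; $attempt++)
    {
        try
        {
            Write-Verbose "GET $($Url)"
            $result = Invoke-RestMethod -Uri $Url -Headers $authHeader -Method "GET" -Verbose:$false
            break
        }
        catch
        {
            # Status code is only available when the exception carries an HTTP response
            $statusCode = $null
            $responseProperty = $_.Exception.PSObject.Properties['Response']
            if ($null -ne $responseProperty -and $null -ne $responseProperty.Value)
            {
                $statusCode = $responseProperty.Value.StatusCode.value__
            }

            if ($statusCode -eq 429)
            {
                # Throttled: sleep then retry (exponential backoff plus a flat floor)
                $sleepDuration = [Math]::Pow(2, $attempt) + $flatMinSeconds
                Write-Verbose "Retry after sleeping for $($sleepDuration) seconds"
                Start-Sleep -Seconds $sleepDuration
                continue
            }

            if ($statusCode -eq 404)
            {
                if ($callerAppId)
                {
                    throw "$($ObjectClass) with AppId: $($callerAppId) not found"
                }

                if ($callerObjectId)
                {
                    throw "$($ObjectClass) with ObjectId: $($callerObjectId) not found"
                }
            }

            # Anything else (network error, 401/403, 5xx): surface the URL so the scan can resume
            Write-Warning "Unexpected Error. Try again later with -SkipTokenUrl '$($Url)'"
            throw
        }
    }

    # The loop only exits normally via 'break'; reaching here past the limit means every attempt was throttled
    if ($attempt -gt $MaxRetryLimit)
    {
        $Url = Trim-Url -Url $Url
        throw "Max backoff retry limit reached. Try again later with -SkipTokenUrl '$($Url)'"
    }

    return $result
}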

# Main: Get all affected key credentials for the given object class in tenant
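Function Get-AffectedKeyCredentials
{
    <#
    .SYNOPSIS
        Scans applications or service principals in a tenant for key credentials that carry an
        extended value (hasExtendedValue == true) and emits one object per matching credential.
    .DESCRIPTION
        Signs in with Az.Accounts (Connect-AzAccount), obtains a Microsoft Graph access token for
        the selected cloud, then pages through /beta/myorganization/{applications|servicePrincipals}.
        Only key credentials of type AsymmetricX509Cert whose usage is not 'Sign' and whose
        hasExtendedValue flag is set are reported.
        Results are written to the pipeline as [pscustomobject]; pipe them to Export-Csv
        (e.g. -Delimiter "`t") to produce a file.
        The access token is held in memory and passed only in request headers; verbose and
        warning output contain URLs (which may include a $skiptoken) but never the token.
    .PARAMETER TenantId
        Tenant id (GUID) to sign in to and scan.
    .PARAMETER Env
        Cloud environment: AzureCloud (default), AzureChinaCloud or AzureUSGovernment.
    .PARAMETER ObjectClass
        "application" or "servicePrincipal".
    .PARAMETER AppId
        Application id of a single object to query. Mutually exclusive with -ObjectId and -ScanAll.
    .PARAMETER ObjectId
        Object id of a single object to query. Mutually exclusive with -AppId and -ScanAll.
    .PARAMETER SkipTokenUrl
        A Graph URL (with $skiptoken) from an earlier warning, used to resume an interrupted scan.
        It replaces the generated URL, so it must belong to the same object class.
    .PARAMETER ExtendedOutputSchema
        Also emit IdentifierUris, Owners, ObjectCreatedDateTime, SignInAudience and HomePageUrl.
    .PARAMETER ScanAll
        Scan every object of the class in the tenant. Prompts for confirmation first.
    .PARAMETER PageSize
        $top for the list call; must be between 1 and MaxPageSize.
    .PARAMETER SleepInterval
        Seconds to wait between pages.
    .PARAMETER MaxRetryLimit
        Attempts per page before giving up on throttling (see Make-MSGraphRequest).
    .PARAMETER MaxPageSize
        Upper bound enforced on PageSize.
    .OUTPUTS
        [pscustomobject] with ObjectClass, AppId, ObjectId, DisplayName, KeyId, Usage,
        StartDateTime, EndDateTime, HasExtendedValue, IsExpired; with -ExtendedOutputSchema
        additionally IdentifierUris, Owners, ObjectCreatedDateTime, SignInAudience, HomePageUrl.
    .NOTES
        Access tokens expire; a very long -ScanAll run can outlive the token obtained at start.
        The failing request then emits a warning with the URL to pass as -SkipTokenUrl.
    #>
    [CmdletBinding(HelpURI="https://aka.ms/aad-key-cred-scanner")]
    param(
        # The tenant ID or a verified domain where the test should happen.
        [Parameter(Mandatory = $true,
                   HelpMessage = "Tenant Id (Guid) to search")]
        [guid]
        $TenantId,

        # The cloud environment
        [ValidateSet("AzureCloud", "AzureChinaCloud", "AzureUSGovernment")]
        [Parameter(Mandatory = $false,
                   HelpMessage = "Cloud environment name. 'AzureCloud' by default")]
        [string]
        $Env = "AzureCloud",

        # The directory object class
        [ValidateSet("application", "servicePrincipal")]
        [Parameter(Mandatory = $true,
                   HelpMessage = "The object class. Either Application or ServicePrincipal")]
        [string]
        $ObjectClass,

        # The application id (for singular GET)
        [Parameter(Mandatory = $false,
                   HelpMessage = "The application id or application principal id of the app/sp object to query")]
        [guid]
        $AppId,

        # The object id (for singular GET)
        [Parameter(Mandatory = $false,
                   HelpMessage = "The object id of the app/sp object to query")]
        [guid]
        $ObjectId,

        # The url with skip token to continue from if necessary
        [Parameter(Mandatory = $false,
                   HelpMessage = "The given ms graph url containing skip token to continue from")]
        [string]
        $SkipTokenUrl = $null,

        # The toggle for simple/verbose output
        [Parameter(Mandatory = $false,
                   HelpMessage = "Toggle for additional object properties are to be printed in the output file")]
        [switch]
        $ExtendedOutputSchema,

        # The toggle for scanning single/all objects in the tenant
        [Parameter(Mandatory = $false,
                   HelpMessage = "Toggle to scan all objects in the tenant")]
        [switch]
        $ScanAll,

        # $top passed to the List Applications or List ServicePrincipals call
        [int]
        $PageSize = 200,

        # How long to sleep (in seconds) between paginated calls
        [int]
        $SleepInterval = 2,

        # Max number of retries for List Applications or List ServicePrincipals MS Graph request
        [int]
        $MaxRetryLimit = 5,

        # Max page size
        [int]
        $MaxPageSize = 500
    )

    # Validate page size
    Validate-PageSize -PageSize $PageSize -MaxPageSize $MaxPageSize

    # Get ms graph endpoint resource url
    $resourceUrl = Get-MSGraphEndpoint -Env $Env

    # Output warning message if scanning all objects
    # Otherwise, check if either AppId or ObjectId is specified
    if ($ScanAll)
    {
        Write-Warning "Are you sure you want to run the commandlet for all $($ObjectClass)s in your tenant? The commandlet may take a long time to run, and requests for a large number of $($ObjectClass)s could be throttled." -WarningAction Inquire

        if ($AppId -or $ObjectId)
        {
            throw "You cannot specify -AppId or -ObjectId when running in -ScanAll mode"
        }
    }
    else
    {
        if (!$AppId -and !$ObjectId)
        {
            throw "When scanning a single application or service principal, you must provide either an -AppId or an -ObjectId"
        }

        if ($AppId -and $ObjectId)
        {
            throw "Please provide exactly one of the following: -AppId or -ObjectId"
        }
    }

    # Function-local flag shadowing the module-level default. Generate-Url and the loop below
    # read it through dynamic scoping; assigning it unconditionally keeps the value independent
    # of any earlier invocation.
    $IncludeExtendedProperties = [bool]$ExtendedOutputSchema

    # Information about installing Az.Accounts module
    Write-Warning "This script requires the powershell module 'Az.Accounts' to installed."
    Write-Warning "If this is not installed, you will be asked to install the module."
    Write-Warning "Please refer: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-6.5.0"

    # Check if the Az Module is installed and imported. The fallback installs from the
    # configured PowerShell repository into the current user's scope and prompts (-Confirm)
    # before doing so.
    if (!(Get-Module Az.Accounts))
    {
        try
        {
            Import-Module -Name Az.Accounts -ErrorAction Stop
        }
        catch
        {
            Install-Module -Name Az.Accounts -AllowClobber -Confirm -Scope CurrentUser
        }
    }

    # Connect to AAD
    Write-Host "`nConnecting to AAD tenant..."
    Connect-AzAccount -Tenant $TenantId -Environment $Env -ErrorAction Stop | Out-Null
    Write-Host "Connected to $($TenantId)`n" -ForegroundColor Green

    # Get access token. It is kept in this variable and sent only as a bearer header.
    # NOTE(review): recent Az.Accounts releases can return .Token as a SecureString; this code
    # expects the plain-string form — confirm against the installed module version.
    $accessToken = (Get-AzAccessToken -ResourceUrl $resourceUrl).Token

    # Get total number of application/service principals to scan if scanning all objects in the tenant
    $totalObjectCount = 0
    if ($ScanAll)
    {
        $totalObjectCount = Get-TotalObjectCount -AccessToken $accessToken -ObjectClass $ObjectClass -Resource $resourceUrl
    }

    # Generate the url for corresponding Microsoft Graph API endpoint; a supplied skip-token URL
    # (from an earlier warning) replaces it so the scan resumes where it stopped
    $url = Generate-Url -ObjectClass $ObjectClass -AppId $AppId -ObjectId $ObjectId -Resource $resourceUrl -PageSize $PageSize
    if ($SkipTokenUrl)
    {
        $url = Trim-Url -Url $SkipTokenUrl
    }

    # Start key credential scan
    Write-Host "Starting scan..."
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()

    $scannedObjectCount = 0
    $keyWithExtendedValueCount = 0

    while ($null -ne $url)
    {
        $result = Make-MSGraphRequest -Url $url -ObjectClass $ObjectClass -AccessToken $accessToken -MaxRetryLimit $MaxRetryLimit
        # If no results are returned, then exit
        if (($null -eq $result) -or ($null -eq $result.Value) -or ($result.Value.Length -eq 0))
        {
            Write-Error "No resource of type $($ObjectClass) found in tenant $($TenantId). Exiting."
            return
        }

        foreach ($reg in $result.Value)
        {
            $scannedObjectCount += 1
            $displayName = $reg.displayName

            # Deliberately NOT named $appId/$objectId: variable names are case-insensitive, so
            # those would overwrite the [guid] -AppId/-ObjectId parameters of this function,
            # which Make-MSGraphRequest reads for its 404 message. The [guid] cast keeps the
            # emitted AppId/ObjectId columns typed as before.
            $currentAppId = [guid]$reg.appId
            $currentObjectId = [guid]$reg.id

            Write-Verbose "Scanning key credentials for: $displayName"
            # foreach (not ForEach-Object) so a null/empty keyCredentials collection runs zero iterations
            foreach ($cred in $reg.keyCredentials)
            {
                # Only X.509 certificate credentials that are not signing keys and carry an extended value
                if (-not (($cred.hasExtendedValue) -and ($cred.type -eq 'AsymmetricX509Cert') -and ($cred.usage -ne 'Sign')))
                {
                    continue
                }

                $keyWithExtendedValueCount += 1
                # Expiry is judged against the time this credential is examined
                $isExpired = (Get-Date) -gt $cred.endDateTime

                # Build the record as an ordered dictionary so both schemas share the base
                # columns in the same order; the extended columns are appended after them
                $record = [ordered]@{
                    "ObjectClass"      = $ObjectClass
                    "AppId"            = $currentAppId
                    "ObjectId"         = $currentObjectId
                    "DisplayName"      = $displayName
                    "KeyId"            = $cred.KeyId
                    "Usage"            = $cred.usage
                    "StartDateTime"    = $cred.startDateTime
                    "EndDateTime"      = $cred.endDateTime
                    "HasExtendedValue" = $cred.hasExtendedValue
                    "IsExpired"        = $isExpired
                }

                if ($IncludeExtendedProperties)
                {
                    # identifierUris is an application property; left empty for service principals
                    $identifierUrisStr = ""
                    if ($ObjectClass -eq "application")
                    {
                        $identifierUrisStr = $reg.identifierUris -Join ","
                    }

                    $homePageUrl = ""
                    if ($reg.web)
                    {
                        $homePageUrl = $reg.web.homePageUrl
                    }

                    $record["IdentifierUris"] = $identifierUrisStr
                    $record["Owners"] = Parse-Owners -Owners $reg.owners
                    $record["ObjectCreatedDateTime"] = $reg.createdDateTime
                    $record["SignInAudience"] = $reg.signInAudience
                    $record["HomePageUrl"] = $homePageUrl
                }

                $out = [pscustomobject]$record
                Write-Verbose $out

                #output the object into the pipeline
                $out
            }
        }

        if ($ScanAll)
        {
            # Objects created during the scan can push the scanned count past the initial total;
            # clamp so Write-Progress never receives a value above 100 (and guard a zero total)
            $pcomplete = 0
            if ($totalObjectCount -gt 0)
            {
                $pcomplete = [Math]::Min(100, ($scannedObjectCount / $totalObjectCount) * 100)
            }
            Write-Progress -Activity "Scanning $($ObjectClass)s" -Status "$($scannedObjectCount) of $($totalObjectCount)" -PercentComplete $pcomplete
        }

        Write-Verbose "[In-Progress] Scanned $($scannedObjectCount) $($ObjectClass)s so far. # of $($ObjectClass)s with KeyCredentials containing extended value: $($keyWithExtendedValueCount)"
        Start-Sleep -Seconds $SleepInterval

        # Follow the server-supplied continuation link, if any; otherwise the loop ends
        $url = $null
        if ($result | Get-Member -Name '@odata.nextLink' -MemberType Properties)
        {
            $url = $result.'@odata.nextLink'
        }
    }

    Write-Verbose "[Finished] Scanned a total of $($scannedObjectCount) $($ObjectClass)s. # of $($ObjectClass)s with KeyCredentials containing extended value: $($keyWithExtendedValueCount)"
    $stopwatch.Stop()
    Write-Verbose "Time elapsed: $($stopwatch.Elapsed)"
    Write-Host "$($ObjectClass) key credentials successfully scanned." -ForegroundColor Green
}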

# Only the entry point is public. The helpers above stay module-private: Make-MSGraphRequest
# reads AppId/ObjectId and Generate-Url reads IncludeExtendedProperties from the calling
# scope, so they are not meant to be invoked directly.
Export-ModuleMember -Function Get-AffectedKeyCredentials

# Sample usage:
# Import-Module AffectedKeyCredentials.psm1
# Get-AffectedKeyCredentials -TenantId <guid> -ObjectClass <String> [-AppId <guid>] [-ObjectId <guid>] [-Env <String>] [-SkipTokenUrl <String>] [-ExtendedOutputSchema] [-ScanAll] [-Verbose]
# SIG # Begin signature block
# MIIjkgYJKoZIhvcNAQcCoIIjgzCCI38CAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBAjGubRmOmZj0A
# NO+u8+Afl1nAnk24XvT2WDMFPZWRx6CCDYEwggX/MIID56ADAgECAhMzAAACUosz
# qviV8znbAAAAAAJSMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjEwOTAyMTgzMjU5WhcNMjIwOTAxMTgzMjU5WjB0MQsw
# CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u
# ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
# AQDQ5M+Ps/X7BNuv5B/0I6uoDwj0NJOo1KrVQqO7ggRXccklyTrWL4xMShjIou2I
# sbYnF67wXzVAq5Om4oe+LfzSDOzjcb6ms00gBo0OQaqwQ1BijyJ7NvDf80I1fW9O
# L76Kt0Wpc2zrGhzcHdb7upPrvxvSNNUvxK3sgw7YTt31410vpEp8yfBEl/hd8ZzA
# v47DCgJ5j1zm295s1RVZHNp6MoiQFVOECm4AwK2l28i+YER1JO4IplTH44uvzX9o
# RnJHaMvWzZEpozPy4jNO2DDqbcNs4zh7AWMhE1PWFVA+CHI/En5nASvCvLmuR/t8
# q4bc8XR8QIZJQSp+2U6m2ldNAgMBAAGjggF+MIIBejAfBgNVHSUEGDAWBgorBgEE
# AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUNZJaEUGL2Guwt7ZOAu4efEYXedEw
# UAYDVR0RBEkwR6RFMEMxKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVyYXRpb25zIFB1
# ZXJ0byBSaWNvMRYwFAYDVQQFEw0yMzAwMTIrNDY3NTk3MB8GA1UdIwQYMBaAFEhu
# ZOVQBdOCqhc3NyK1bajKdQKVMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly93d3cu
# bWljcm9zb2Z0LmNvbS9wa2lvcHMvY3JsL01pY0NvZFNpZ1BDQTIwMTFfMjAxMS0w
# Ny0wOC5jcmwwYQYIKwYBBQUHAQEEVTBTMFEGCCsGAQUFBzAChkVodHRwOi8vd3d3
# Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvZFNpZ1BDQTIwMTFfMjAx
# MS0wNy0wOC5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAgEAFkk3
# uSxkTEBh1NtAl7BivIEsAWdgX1qZ+EdZMYbQKasY6IhSLXRMxF1B3OKdR9K/kccp
# kvNcGl8D7YyYS4mhCUMBR+VLrg3f8PUj38A9V5aiY2/Jok7WZFOAmjPRNNGnyeg7
# l0lTiThFqE+2aOs6+heegqAdelGgNJKRHLWRuhGKuLIw5lkgx9Ky+QvZrn/Ddi8u
# TIgWKp+MGG8xY6PBvvjgt9jQShlnPrZ3UY8Bvwy6rynhXBaV0V0TTL0gEx7eh/K1
# o8Miaru6s/7FyqOLeUS4vTHh9TgBL5DtxCYurXbSBVtL1Fj44+Od/6cmC9mmvrti
# yG709Y3Rd3YdJj2f3GJq7Y7KdWq0QYhatKhBeg4fxjhg0yut2g6aM1mxjNPrE48z
# 6HWCNGu9gMK5ZudldRw4a45Z06Aoktof0CqOyTErvq0YjoE4Xpa0+87T/PVUXNqf
# 7Y+qSU7+9LtLQuMYR4w3cSPjuNusvLf9gBnch5RqM7kaDtYWDgLyB42EfsxeMqwK
# WwA+TVi0HrWRqfSx2olbE56hJcEkMjOSKz3sRuupFCX3UroyYf52L+2iVTrda8XW
# esPG62Mnn3T8AuLfzeJFuAbfOSERx7IFZO92UPoXE1uEjL5skl1yTZB3MubgOA4F
# 8KoRNhviFAEST+nG8c8uIsbZeb08SeYQMqjVEmkwggd6MIIFYqADAgECAgphDpDS
# AAAAAAADMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMTIwMAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0
# ZSBBdXRob3JpdHkgMjAxMTAeFw0xMTA3MDgyMDU5MDlaFw0yNjA3MDgyMTA5MDla
# MH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS
# ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMT
# H01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEwggIiMA0GCSqGSIb3DQEB
# AQUAA4ICDwAwggIKAoICAQCr8PpyEBwurdhuqoIQTTS68rZYIZ9CGypr6VpQqrgG
# OBoESbp/wwwe3TdrxhLYC/A4wpkGsMg51QEUMULTiQ15ZId+lGAkbK+eSZzpaF7S
# 35tTsgosw6/ZqSuuegmv15ZZymAaBelmdugyUiYSL+erCFDPs0S3XdjELgN1q2jz
# y23zOlyhFvRGuuA4ZKxuZDV4pqBjDy3TQJP4494HDdVceaVJKecNvqATd76UPe/7
# 4ytaEB9NViiienLgEjq3SV7Y7e1DkYPZe7J7hhvZPrGMXeiJT4Qa8qEvWeSQOy2u
# M1jFtz7+MtOzAz2xsq+SOH7SnYAs9U5WkSE1JcM5bmR/U7qcD60ZI4TL9LoDho33
# X/DQUr+MlIe8wCF0JV8YKLbMJyg4JZg5SjbPfLGSrhwjp6lm7GEfauEoSZ1fiOIl
# XdMhSz5SxLVXPyQD8NF6Wy/VI+NwXQ9RRnez+ADhvKwCgl/bwBWzvRvUVUvnOaEP
# 6SNJvBi4RHxF5MHDcnrgcuck379GmcXvwhxX24ON7E1JMKerjt/sW5+v/N2wZuLB
# l4F77dbtS+dJKacTKKanfWeA5opieF+yL4TXV5xcv3coKPHtbcMojyyPQDdPweGF
# RInECUzF1KVDL3SV9274eCBYLBNdYJWaPk8zhNqwiBfenk70lrC8RqBsmNLg1oiM
# CwIDAQABo4IB7TCCAekwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFEhuZOVQ
# BdOCqhc3NyK1bajKdQKVMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1Ud
# DwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFHItOgIxkEO5FAVO
# 4eqnxzHRI4k0MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwubWljcm9zb2Z0
# LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcmwwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vd3d3Lm1p
# Y3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dDIwMTFfMjAxMV8wM18y
# Mi5jcnQwgZ8GA1UdIASBlzCBlDCBkQYJKwYBBAGCNy4DMIGDMD8GCCsGAQUFBwIB
# FjNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2RvY3MvcHJpbWFyeWNw
# cy5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AcABvAGwAaQBjAHkA
# XwBzAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAGfyhqWY
# 4FR5Gi7T2HRnIpsLlhHhY5KZQpZ90nkMkMFlXy4sPvjDctFtg/6+P+gKyju/R6mj
# 82nbY78iNaWXXWWEkH2LRlBV2AySfNIaSxzzPEKLUtCw/WvjPgcuKZvmPRul1LUd
# d5Q54ulkyUQ9eHoj8xN9ppB0g430yyYCRirCihC7pKkFDJvtaPpoLpWgKj8qa1hJ
# Yx8JaW5amJbkg/TAj/NGK978O9C9Ne9uJa7lryft0N3zDq+ZKJeYTQ49C/IIidYf
# wzIY4vDFLc5bnrRJOQrGCsLGra7lstnbFYhRRVg4MnEnGn+x9Cf43iw6IGmYslmJ
# aG5vp7d0w0AFBqYBKig+gj8TTWYLwLNN9eGPfxxvFX1Fp3blQCplo8NdUmKGwx1j
# NpeG39rz+PIWoZon4c2ll9DuXWNB41sHnIc+BncG0QaxdR8UvmFhtfDcxhsEvt9B
# xw4o7t5lL+yX9qFcltgA1qFGvVnzl6UJS0gQmYAf0AApxbGbpT9Fdx41xtKiop96
# eiL6SJUfq/tHI4D1nvi/a7dLl+LrdXga7Oo3mXkYS//WsyNodeav+vyL6wuA6mk7
# r/ww7QRMjt/fdW1jkT3RnVZOT7+AVyKheBEyIXrvQQqxP/uozKRdwaGIm1dxVk5I
# RcBCyZt2WwqASGv9eZ/BvW1taslScxMNelDNMYIVZzCCFWMCAQEwgZUwfjELMAkG
# A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
# HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9z
# b2Z0IENvZGUgU2lnbmluZyBQQ0EgMjAxMQITMwAAAlKLM6r4lfM52wAAAAACUjAN
# BglghkgBZQMEAgEFAKCBrjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIBBDAcBgor
# BgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQgt9gT0L0Q
# 7SOVFNZX8mgZ1T4RfoJ1J5VfyzWlPZEozu4wQgYKKwYBBAGCNwIBDDE0MDKgFIAS
# AE0AaQBjAHIAbwBzAG8AZgB0oRqAGGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbTAN
# BgkqhkiG9w0BAQEFAASCAQA2Wd7zbO5J4+lwS10xOG9/tjqKL5q6U2SWfDWwsQlC
# 4g7zPCefGsGuALXg0OZSVVNFqOVjC+1uGThszT+0e6UTWnwLxoIkq18kiyoPOC9a
# yfxLy9LcJ97qb2EPNN0fvfnong/f0PfutrLh3Jj9z4Wszj2JnqaU9xTr7Bpxyymy
# 2UPk+NExZw6B0iP7rmEFn1kB6MOaF5vlaDu/qKPkz+inxqGi/VBbQFHk/thnqmkf
# 8eoAtEpUbju1PycPBYUv6voONFLYU7o3/fLbFqhy1MzNbTm85Xmk+ncRvXVBDeQP
# yUHahfoieU3pEUDdriWwVvbtcTFodBSZxS0qlbpdo9SYoYIS8TCCEu0GCisGAQQB
# gjcDAwExghLdMIIS2QYJKoZIhvcNAQcCoIISyjCCEsYCAQMxDzANBglghkgBZQME
# AgEFADCCAVUGCyqGSIb3DQEJEAEEoIIBRASCAUAwggE8AgEBBgorBgEEAYRZCgMB
# MDEwDQYJYIZIAWUDBAIBBQAEIO9P38i3VEUcLSdPOeuTakbeZ5h5+wy59S62D3mN
# 3E9CAgZhk++gvFAYEzIwMjExMTE3MTkwMTM4LjQzOVowBIACAfSggdSkgdEwgc4x
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1p
# Y3Jvc29mdCBPcGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMg
# VFNTIEVTTjowQTU2LUUzMjktNEQ0RDElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt
# U3RhbXAgU2VydmljZaCCDkQwggT1MIID3aADAgECAhMzAAABW3ywujRnN8GnAAAA
# AAFbMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
# aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
# cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
# MB4XDTIxMDExNDE5MDIxNloXDTIyMDQxMTE5MDIxNlowgc4xCzAJBgNVBAYTAlVT
# MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK
# ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBPcGVy
# YXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjowQTU2
# LUUzMjktNEQ0RDElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vydmlj
# ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgkf6Xs9dqhesumLltn
# l6lwjiD1jh+Ipz/6j5q5CQzSnbaVuo4KiCiSpr5WtqqVlD7nT/3WX6V6vcpNQV5c
# dtVVwafNpLn3yF+fRNoUWh1Q9u8XGiSX8YzVS8q68JPFiRO4HMzMpLCaSjcfQZId
# 6CiukyLQruKnSFwdGhMxE7GCayaQ8ZDyEPHs/C2x4AAYMFsVOssSdR8jb8fzAek3
# SNlZtVKd0Kb8io+3XkQ54MvUXV9cVL1/eDdXVVBBqOhHzoJsy+c2y/s3W+gEX8Qb
# 9O/bjBkR6hIaOwEAw7Nu40/TMVfwXJ7g5R/HNXCt7c4IajNN4W+CugeysLnYbqRm
# W+kCAwEAAaOCARswggEXMB0GA1UdDgQWBBRl5y01iG23UyBdTH/15TnJmLqrLjAf
# BgNVHSMEGDAWgBTVYzpcijGQ80N7fEYbxTNoWoVtVTBWBgNVHR8ETzBNMEugSaBH
# hkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNU
# aW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF
# BzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1RpbVN0
# YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsG
# AQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQCnM2s7phMamc4QdVolrO1ZXRiDMUVd
# gu9/yq8g7kIVl+fklUV2Vlout6+fpOqAGnewMtwenFtagVhVJ8Hau8Nwk+IAhB0B
# 04DobNDw7v4KETARf8KN8gTH6B7RjHhreMDWg7icV0Dsoj8MIA8AirWlwf4nr8pK
# H0n2rETseBJDWc3dbU0ITJEH1RzFhGkW7IzNPQCO165Tp7NLnXp4maZzoVx8PyiO
# NO6fyDZr0yqVuh9OqWH+fPZYQ/YYFyhxy+hHWOuqYpc83Phn1vA0Ae1+Wn4bne6Z
# GjPxRI6sxsMIkdBXD0HJLyN7YfSrbOVAYwjYWOHresGZuvoEaEgDRWUrMIIGcTCC
# BFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJv
# b3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMTAwNzAxMjEzNjU1WhcN
# MjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
# bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
# aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCASIw
# DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKkdDbx3EYo6IOz8E5f1+n9plGt0
# VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vwFVMnBDEfQRsalR3OCROOfGEwWbEw
# RA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNFDdDq9UeBzb8kYDJYYEbyWEeGMoQe
# dGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC732H8RsEnHSRnEnIaIYqvS2SJUGKx
# Xf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOWRH7v0Ev9buWayrGo8noqCjHw2k4G
# kbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJk3jN/LzAyURdXhacAQVPIk0CAwEA
# AaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBTVYzpcijGQ80N7
# fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMC
# AYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvX
# zpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
# cGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYI
# KwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5j
# b20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDCBoAYDVR0g
# AQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEwPQYIKwYBBQUHAgEWMWh0dHA6Ly93
# d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9DUFMvZGVmYXVsdC5odG0wQAYIKwYB
# BQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABvAGwAaQBjAHkAXwBTAHQAYQB0AGUA
# bQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQADggIBAAfmiFEN4sbgmD+BcQM9naOh
# IW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/15/B4vceoniXj+bzta1RXCCtRgkQS
# +7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRWS3TvQhDIr79/xn/yN31aPxzymXlK
# kVIArzgPF/UveYFl2am1a+THzvbKegBvSzBEJCI8z+0DpZaPWSm8tv0E4XCfMkon
# /VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/3cVKC5Em4jnsGUpxY517IW3DnKOi
# PPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9nhquBEKDuLWAmyI4ILUl5WTs9/S/
# fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5HmoDF0M2n0O99g/DhO3EJ3110mCII
# YdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv33nJ+YWtvd6mBy6cJrDm77MbL2IK0
# cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI5pgt6o3gMy4SKfXAL1QnIffIrE7a
# KLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0MkvfY3v1mYovG8chr1m1rtxEPJdQ
# cdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0eGTgvvM9YBS7vDaBQNdrvCScc1bN+
# NR4Iuto229Nfj950iEkSoYIC0jCCAjsCAQEwgfyhgdSkgdEwgc4xCzAJBgNVBAYT
# AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKTAnBgNVBAsTIE1pY3Jvc29mdCBP
# cGVyYXRpb25zIFB1ZXJ0byBSaWNvMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjow
# QTU2LUUzMjktNEQ0RDElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy
# dmljZaIjCgEBMAcGBSsOAwIaAxUACrtBbqYy0r+YGLtUaFVRW/Yh7qaggYMwgYCk
# fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD
# Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF
# AOU/v5swIhgPMjAyMTExMTcyMTUxMjNaGA8yMDIxMTExODIxNTEyM1owdzA9Bgor
# BgEEAYRZCgQBMS8wLTAKAgUA5T+/mwIBADAKAgEAAgIWhQIB/zAHAgEAAgIRQTAK
# AgUA5UERGwIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIB
# AAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAAH8l7Fb7yNaPnnR
# C4NL0awMZRS8jfii8/IhhL7VodOy3crTVD6MA7J/K2htiBy9jHI6q+cNycbHO3nc
# 6se/ipuQXS6TZP+Hc9obrUnUA5bo5SiI5268o6mgtL2HNQ01e0S4yR6qelFM47ha
# nScX6zbO0om7+dpyhd4MdQZqQuE4MYIDDTCCAwkCAQEwgZMwfDELMAkGA1UEBhMC
# VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV
# BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRp
# bWUtU3RhbXAgUENBIDIwMTACEzMAAAFbfLC6NGc3wacAAAAAAVswDQYJYIZIAWUD
# BAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0B
# CQQxIgQgYDkwJNp78tgxCJjAn47+Q4xOGf5PceHDSdVy0WiHYawwgfoGCyqGSIb3
# DQEJEAIvMYHqMIHnMIHkMIG9BCDJIuCpKGMRh4lCGucGPHCNJ7jq9MTbe3mQ2FtS
# ZLCFGTCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
# MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp
# b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB
# W3ywujRnN8GnAAAAAAFbMCIEIPZEd1CB3sPBYn0fUsWmgd8aeldypqzExAR1vDj+
# /P7eMA0GCSqGSIb3DQEBCwUABIIBAAchtvrKoyO179j49dtzNrMpjavdOooA7S2t
# lBjkFDOZVle5oRRpMrg/mMIaEKE3Gv5sDQUJQ9flE0Wgs7jtFB5L9GT0DEubEI3c
# PEMyC4O9XAul9ztNJ3vhKX/1WDPJlN6gxDXj2guilmWRDaHZhlgsyDCmBVz9oxFr
# C8U7QGmWvsqpcdTSEEINfo3M0kaLBRRtZ/vH/Io6pehkoW7kZJJ17UPNSuUUGrJV
# AJvFUGtoUp+8ws/42nGzBtx/z48/rRbfacinUM8E/DzJF4z7G/X6I8Rw6OE2KOSA
# AIARU+2JWDPIw5xzqdf+c3MFiZrH4bVWfVJqYvC/rzRa2VU6/jQ=
# SIG # End signature block