Obs/bin/ObsDep/content/Powershell/Roles/Common/CertHelpers.psm1
# -------------------------------------------------------------- # Copyright � Microsoft Corporation. All Rights Reserved. # Microsoft Corporation (or based on where you live, one of its affiliates) licenses this sample code for your internal testing purposes only. # Microsoft provides the following sample code AS IS without warranty of any kind. The sample code arenot supported under any Microsoft standard support program or services. # Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. # The entire risk arising out of the use or performance of the sample code remains with you. # In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever # (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) # arising out of the use of or inability to use the sample code, even if Microsoft has been advised of the possibility of such damages. # --------------------------------------------------------------- Function PrettyTime() { return "[" + (Get-Date -Format o) + "]" } Function Log($msg) { Write-Verbose $( $(PrettyTime) + " " + $msg) -Verbose } function GetSubjectName([bool] $UseManagementAddress) { if ($UseManagementAddress -eq $true) { # When IP Address is specified, we are currently looking just for IPv4 corpnet ip address # In the final design, only computer names will be used for subject names $corpIPAddresses = get-netIpAddress -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction Ignore if ($corpIPAddresses -ne $null -and $corpIPAddresses[0] -ne $null) { $mesg = [System.String]::Format("Using IP Address {0} for certificate subject name", $corpIPAddresses[0].IPAddress); Log $mesg return $corpIPAddresses[0].IPAddress } else { Log "Unable to find management IP address "; } } $hostFqdn = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName; $mesg = [System.String]::Format("Using computer name {0} for certificate subject name", $hostFqdn); Log $mesg return $hostFqdn ; } function GenerateSelfSignedCertificate([string] $subjectName) { $cryptographicProviderName = "Microsoft Base Cryptographic Provider v1.0"; [int] $privateKeyLength = 1024; $sslServerOidString = "1.3.6.1.5.5.7.3.1"; $sslClientOidString = "1.3.6.1.5.5.7.3.2"; [int] $validityPeriodInYear = 5; $name = new-object -com "X509Enrollment.CX500DistinguishedName.1" $name.Encode("CN=" + $SubjectName, 0) $mesg = [System.String]::Format("Generating certificate with subject Name {0}", $subjectName); Log $mesg #Generate Key $key = new-object -com "X509Enrollment.CX509PrivateKey.1" $key.ProviderName = $cryptographicProviderName $key.KeySpec = 1 #X509KeySpec.XCN_AT_KEYEXCHANGE $key.Length = $privateKeyLength $key.MachineContext = 1 $key.ExportPolicy = 0x2 #X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG $key.Create() #Configure Eku $serverauthoid = new-object -com "X509Enrollment.CObjectId.1" $serverauthoid.InitializeFromValue($sslServerOidString) $clientauthoid = new-object -com "X509Enrollment.CObjectId.1" $clientauthoid.InitializeFromValue($sslClientOidString) $ekuoids = new-object -com "X509Enrollment.CObjectIds.1" $ekuoids.add($serverauthoid) $ekuoids.add($clientauthoid) $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" $ekuext.InitializeEncode($ekuoids) # Set the hash algorithm to sha512 instead of the default sha1 $hashAlgorithmObject = New-Object -ComObject X509Enrollment.CObjectId $hashAlgorithmObject.InitializeFromAlgorithmName( $ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, $ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, $AlgorithmFlags.AlgorithmFlagsNone, "SHA512") #Request Cert $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1" $cert.InitializeFromPrivateKey(2, $key, "") $cert.Subject = $name $cert.Issuer = $cert.Subject $cert.NotBefore = (get-date).ToUniversalTime() $cert.NotAfter = $cert.NotBefore.AddYears($validityPeriodInYear); $cert.X509Extensions.Add($ekuext) $cert.HashAlgorithm = $hashAlgorithmObject $cert.Encode() $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1" $enrollment.InitializeFromRequest($cert) $certdata = $enrollment.CreateRequest(0) $enrollment.InstallResponse(2, $certdata, 0, "") Log "Successfully added cert to local machine store"; } function GivePermissionToNetworkService($targetCert) { $targetCertPrivKey = $targetCert.PrivateKey $privKeyCertFile = Get-Item -path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" | where {$_.Name -eq $targetCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName} $privKeyAcl = Get-Acl $privKeyCertFile $permission = "NT AUTHORITY\NETWORK SERVICE","Read","Allow" $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission $privKeyAcl.AddAccessRule($accessRule) Set-Acl $privKeyCertFile.FullName $privKeyAcl } Function AddCertToLocalMachineStore($certFullPath, $storeName, $securePassword) { $rootName = "LocalMachine" # create a representation of the certificate file $certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 if($securePassword -eq $null) { $certificate.import($certFullPath) } else { # https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx $certificate.import($certFullPath, $securePassword, "MachineKeySet,PersistKeySet") } # import into the store $store = new-object System.Security.Cryptography.X509Certificates.X509Store($storeName, $rootName) $store.open("MaxAllowed") $store.add($certificate) $store.close() } Function GetSubjectFqdnFromCertificatePath($certFullPath) { # create a representation of the certificate file $certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate.import($certFullPath) return GetSubjectFqdnFromCertificate $certificate ; } Function GetSubjectFqdnFromCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2] $certificate) { $mesg = [System.String]::Format("Parsing Subject Name {0} to get Subject Fqdn ", $certificate.Subject) Log $mesg $subjectFqdn = $certificate.Subject.Split('=')[1] ; return $subjectFqdn; } function Get-Certs($path){ $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly" $rootName = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine" $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($path, $rootName) $store.Open($flags) $certs = $store.Certificates $store.Close() return $certs } <# .Synopsis Export the Azure Stack cert to the file share #> function Export-AzSCertificateToShare { [CmdletBinding()] Param ( [Parameter(Mandatory = $true, HelpMessage="The CustomerConfiguration.xml")] [ValidateNotNull()] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $CertBase64String, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $ProtectedCertPwd, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $CertificateName, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $CertificateRoleId ) Import-Module Microsoft.AzureStack.Security.CngDpapi $clusterName = Get-ManagementClusterName $Parameters $externalCertificatesInfo = $Parameters.Roles['CertificateManagement'].PublicConfiguration.PublicInfo.ExternalCertConfigurations.Certificates | Where Type -EQ 'AzureAD' | Select -First 1 $certificateConfigXml = $externalCertificatesInfo.Certificate | Where Name -EQ $CertificateName $domainRole = $Parameters.Roles["Domain"].PublicConfiguration $domainName = $domainRole.PublicInfo.DomainConfiguration.DomainName Trace-Execution "$($MyInvocation.InvocationName) : Retreiving the cert information with cert name '$CertificateName' and cert role Id '$CertificateRoleId'..." $certificateInfo = (($externalCertificatesInfo.Certificate | Where Name -EQ $CertificateName).Consumers.Consumer | Where Name -EQ $CertificateRoleId | Select -First 1) Trace-Execution "$($MyInvocation.InvocationName) : Retrieved the unprocessed extension host cert path: $($certificateInfo.Location)" $certLocation = Get-SharePath $Parameters $certificateInfo.Location $clusterName Trace-Execution "$($MyInvocation.InvocationName) : Retrieved the extension host cert path: $certLocation" $protectToGMSA = $certificateInfo.ProtectTo if($protectToGMSA -ne $null) { Trace-Execution "$($MyInvocation.InvocationName) : ProtectTo parameter specified: $protectToGMSA" } Trace-Execution "$($MyInvocation.InvocationName) : Retreiving the Azure Stack internal CA Certificate password..." $securityInfo = $Parameters.Roles["Cloud"].PublicConfiguration.PublicInfo.SecurityInfo $certUser = $securityInfo.CACertUsers.User | Where Role -EQ "CACertificateUser" $certCredential = $Parameters.GetCredential($certUser.Credential) $exportCertPassword = $certCredential.GetNetworkCredential().SecurePassword if ($exportCertPassword.Length -eq 0) { throw "The Azure Stack internal cert password should not be empty" } Trace-Execution "$($MyInvocation.InvocationName) : Retrive the Azure Stack internal CA Certificate password." Trace-Execution "$($MyInvocation.InvocationName) : Converting cert from base64 string to binary..." $certBytes = [System.Convert]::FromBase64String($CertBase64String) Trace-Execution "$($MyInvocation.InvocationName) : Converting the protected password to local secure string..." $certPwdCipher = [System.Convert]::FromBase64String($ProtectedCertPwd) $certPwdCipherUnprotected = [Microsoft.AzureStack.Security.CngDpapi.ProtectionDescriptor]::UnprotectSecret($certPwdCipher) $certPwdString = [System.Text.Encoding]::UTF8.GetString($certPwdCipherUnprotected) $certPwd = ConvertTo-SecureString $certPwdString -AsPlainText -Force Trace-Execution "$($MyInvocation.InvocationName) : decrypting the cert with input password..." try { # SyslogClient cert location may have not been been provided. If this is the first time # processing a SyslogClient cert - by PEP cmdlet Set-SyslogClient - the path # must be checked and created before exporting the cert to the share location. # Also, doing the same for Container Registry certificate as it will be supplied # by the customer via Import-AzsContainerRegistrySslCertificate after deployment. if (($CertificateName -eq "SyslogClient") -or ($CertificateName -eq "Container Registry") -and !(Test-Path -Path $certLocation)) { Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate location: $certLocation was not found" $CertSharePath = Split-Path -Path $certLocation Trace-Execution "$($MyInvocation.InvocationName) : Checking $CertificateName certificate share path: $CertSharePath" if (!(Test-Path -Path $CertSharePath)) { Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate share path: $CertSharePath was not found" Trace-Execution "$($MyInvocation.InvocationName) : Creating $CertificateName certificate share path: $CertSharePath" New-Item -Path $CertSharePath -ItemType Directory -Force -ErrorAction Stop Trace-Execution "$($MyInvocation.InvocationName) : Verifying $CertificateName certificate share path: $CertSharePath was created" if (!(Test-Path -Path $CertSharePath)) { Throw "Failed to find and create $CertificateName certificate share path: $CertSharePath" } Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate share path: $CertSharePath was created successfully" } else { Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate share path: $CertSharePath was found" } } Trace-Execution "$($MyInvocation.InvocationName) : exporting the original binary to location $certLocation ..." Set-Content -Value $certBytes -Path $certLocation -Encoding Byte -Force if (!(Test-Path -Path $certLocation)) { Throw "Failed temporary creation of $CertificateName using cert bytes into $certLocation" } Trace-Execution "$($MyInvocation.InvocationName) : importing the original cert ..." $cert = Import-PfxCertificateSafe -Filepath $certLocation -CertStoreLocation cert:\LocalMachine\My -Password $certPwd -Exportable if ($null -eq $cert) { Throw "Failed local import of $CertificateName from share: $certLocation using provided certificate password" } if($protectToGMSA -ne $null) { Trace-Execution "$($MyInvocation.InvocationName) : exporting the cert binary to location $certLocation with Azure Stack internal password and $protectToGMSA account protection..." Export-PfxCertificate -Cert $cert -FilePath $certLocation -Password $exportCertPassword -ProtectTo @("$domainName\$protectToGMSA") } else { Trace-Execution "$($MyInvocation.InvocationName) : exporting the cert binary to location $certLocation with Azure Stack internal password..." Export-PfxCertificate -Cert $cert -FilePath $certLocation -Password $exportCertPassword } if (!(Test-Path -Path $certLocation)) { Throw "Failed exporting $CertificateName to certificate location $certLocation" } } catch { Remove-Item $certLocation -Force -Confirm:$false -Verbose -ErrorAction SilentlyContinue throw } } <# .Synopsis Check whether a dev cert is present indicating this is an internal lab environment. #> function Test-DevCertPresent { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters ) $invokeCommandParams = @{ ScriptBlock = { Get-ChildItem "Cert:\LocalMachine\My" | where Subject -match "microsoftazurestacksupportteam" } } # Depending on where this code is running, we can check for the dev certificate in a different location. if ($env:ComputerName -eq $Parameters.Roles["DeploymentMachine"].PublicConfiguration.Nodes.Node.Name) { $invokeCommandParams.ComputerName = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node.Name | select -First 1 Trace-Execution "Testing for presence of dev certificate on $($invokeCommandParams.ComputerName)." } else { Trace-Execution "Testing for presence of dev certificate on $env:ComputerName." } if (Invoke-Command @invokeCommandParams) { Trace-Execution "Found the dev certificate, indicating this is an internal environment." return $true } Trace-Execution "Dev certificate not found." return $false } <# Workaround for NC certificates requiring CRL. Publish CRL directly to local "Root" store on NC. #> function Publish-CertificateRevocationLists([CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [string[]] $computerNames, [PSCredential] $Credential) { Import-Module -Name "$PSScriptRoot\..\..\Common\StorageHelpers.psm1" -Force -DisableNameChecking -Verbose:$false | Out-Null $ErrorActionPreference = "Stop" # Prepare parameters: $ascaRole = $Parameters.Roles["ASCA"].PublicConfiguration $ASCAConfiguration = $ascaRole.PublicInfo.ASCAConfiguration $clusterName = Get-ManagementClusterName $Parameters $originCRLFolder = Get-SharePath $Parameters $ASCAConfiguration.ArtifactsDirectory $clusterName -FromNoneClusterNode $originCRL = "$originCRLFolder\*.crl" $Session = New-PSSession -ComputerName $computerNames -Credential $Credential -Authentication Credssp Invoke-Command -Session $Session -ScriptBlock { if (-not (Test-Path $using:originCRL)) { throw "Unable to access the certificate revocation list: $using:originCRL" } Trace-execution "Calling certutil to publish CRL" certutil -addstore -f Root $using:originCRL } Trace-Execution "Publication of CRL to Root store completed" } Export-ModuleMember -Function AddCertToLocalMachineStore Export-ModuleMember -Function Export-AzSCertificateToShare Export-ModuleMember -Function GenerateSelfSignedCertificate Export-ModuleMember -Function Get-Certs Export-ModuleMember -Function GetSubjectFqdnFromCertificate Export-ModuleMember -Function GetSubjectFqdnFromCertificatePath Export-ModuleMember -Function GetSubjectName Export-ModuleMember -Function GivePermissionToNetworkService Export-ModuleMember -Function Log Export-ModuleMember -Function PrettyTime Export-ModuleMember -Function Publish-CertificateRevocationLists Export-ModuleMember -Function Test-DevCertPresent # SIG # Begin signature block # MIIoPAYJKoZIhvcNAQcCoIIoLTCCKCkCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA8+WUYaosYZT2o # XdDSLImsJXHDhOetkWmXzhLDrk1sfKCCDYUwggYDMIID66ADAgECAhMzAAADri01 # UchTj1UdAAAAAAOuMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwODU5WhcNMjQxMTE0MTkwODU5WjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQD0IPymNjfDEKg+YyE6SjDvJwKW1+pieqTjAY0CnOHZ1Nj5irGjNZPMlQ4HfxXG # yAVCZcEWE4x2sZgam872R1s0+TAelOtbqFmoW4suJHAYoTHhkznNVKpscm5fZ899 # QnReZv5WtWwbD8HAFXbPPStW2JKCqPcZ54Y6wbuWV9bKtKPImqbkMcTejTgEAj82 # 6GQc6/Th66Koka8cUIvz59e/IP04DGrh9wkq2jIFvQ8EDegw1B4KyJTIs76+hmpV # M5SwBZjRs3liOQrierkNVo11WuujB3kBf2CbPoP9MlOyyezqkMIbTRj4OHeKlamd # WaSFhwHLJRIQpfc8sLwOSIBBAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQUhx/vdKmXhwc4WiWXbsf0I53h8T8w # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzUwMTgzNjAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AGrJYDUS7s8o0yNprGXRXuAnRcHKxSjFmW4wclcUTYsQZkhnbMwthWM6cAYb/h2W # 5GNKtlmj/y/CThe3y/o0EH2h+jwfU/9eJ0fK1ZO/2WD0xi777qU+a7l8KjMPdwjY # 0tk9bYEGEZfYPRHy1AGPQVuZlG4i5ymJDsMrcIcqV8pxzsw/yk/O4y/nlOjHz4oV # APU0br5t9tgD8E08GSDi3I6H57Ftod9w26h0MlQiOr10Xqhr5iPLS7SlQwj8HW37 # ybqsmjQpKhmWul6xiXSNGGm36GarHy4Q1egYlxhlUnk3ZKSr3QtWIo1GGL03hT57 # xzjL25fKiZQX/q+II8nuG5M0Qmjvl6Egltr4hZ3e3FQRzRHfLoNPq3ELpxbWdH8t # Nuj0j/x9Crnfwbki8n57mJKI5JVWRWTSLmbTcDDLkTZlJLg9V1BIJwXGY3i2kR9i # 5HsADL8YlW0gMWVSlKB1eiSlK6LmFi0rVH16dde+j5T/EaQtFz6qngN7d1lvO7uk # 6rtX+MLKG4LDRsQgBTi6sIYiKntMjoYFHMPvI/OMUip5ljtLitVbkFGfagSqmbxK # 7rJMhC8wiTzHanBg1Rrbff1niBbnFbbV4UDmYumjs1FIpFCazk6AADXxoKCo5TsO # zSHqr9gHgGYQC2hMyX9MGLIpowYCURx3L7kUiGbOiMwaMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGg0wghoJAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAAOuLTVRyFOPVR0AAAAA # A64wDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIK/Q # QQlJnwcCLsYAe2/8aKZNxwG9DZ3hwAKqdSPZTaywMEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEAtbHmNaKPZ0Satpdx6wIa6U2IvO/HjnXqCfNj # WRQT673BXFSuqQ6OylXups2YlVuMDpH2j1lDrPtZSLWvPEmyYdSqkkOfRM1Kt/QM # kSPuyen2oklHIv+TVFTkC5ZVIQTnWyPLyxYVe/5IbslSzI0wX9a3Iyb9sPy5qWoq # 327p/s2ypKZitcStD+xMnsoPbJkMpMaWj3lrsumvaD7x01y36gGMQSIwXGkLFTfP # PvkTJDc1texOAnYWuhi9KzPta2PJPDFp28Z5dazQyxClFCGTFZSaOlkptuW7gRoR # k7jYtgS8nndxi8SmGBs122Qc3kG2QQs6WrIn+uwtEgnAx2j/+aGCF5cwgheTBgor # BgEEAYI3AwMBMYIXgzCCF38GCSqGSIb3DQEHAqCCF3AwghdsAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFSBgsqhkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCBLzNooezF2IsXYQGan2luvsVSQzJlywb0W # gK52sq/U7QIGZeeoE98sGBMyMDI0MDMxMTE4MTgzOS4xNzlaMASAAgH0oIHRpIHO # MIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL # ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxk # IFRTUyBFU046MzcwMy0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1l # LVN0YW1wIFNlcnZpY2WgghHtMIIHIDCCBQigAwIBAgITMwAAAeqaJHLVWT9hYwAB # AAAB6jANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz # aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv # cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx # MDAeFw0yMzEyMDYxODQ1MzBaFw0yNTAzMDUxODQ1MzBaMIHLMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1l # cmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046MzcwMy0w # NUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2Uw # ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC1C1/xSD8gB9X7Ludoo2rW # b2ksqaF65QtJkbQpmsc6G4bg5MOv6WP/uJ4XOJvKX/c1t0ej4oWBqdGD6VbjXX4T # 0KfylTulrzKtgxnxZh7q1uD0Dy/w5G0DJDPb6oxQrz6vMV2Z3y9ZxjfZqBnDfqGo # n/4VDHnZhdas22svSC5GHywsQ2J90MM7L4ecY8TnLI85kXXTVESb09txL2tHMYrB # +KHCy08ds36an7IcOGfRmhHbFoPa5om9YGpVKS8xeT7EAwW7WbXL/lo5p9KRRIjA # lsBBHD1TdGBucrGC3TQXSTp9s7DjkvvNFuUa0BKsz6UiCLxJGQSZhd2iOJTEfJ1f # xYk2nY6SCKsV+VmtV5aiPzY/sWoFY542+zzrAPr4elrvr9uB6ci/Kci//EOERZEU # TBPXME/ia+t8jrT2y3ug15MSCVuhOsNrmuZFwaRCrRED0yz4V9wlMTGHIJW55iNM # 3HPVJJ19vOSvrCP9lsEcEwWZIQ1FCyPOnkM1fs7880dahAa5UmPqMk5WEKxzDPVp # 081X5RQ6HGVUz6ZdgQ0jcT59EG+CKDPRD6mx8ovzIpS/r/wEHPKt5kOhYrjyQHXc # 9KHKTWfXpAVj1Syqt5X4nr+Mpeubv+N/PjQEPr0iYJDjSzJrqILhBs5pytb6vyR8 # HUVMp+mAA4rXjOw42vkHfQIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFCuBRSWiUebp # F0BU1MTIcosFblleMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMF8G # A1UdHwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMv # Y3JsL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNybDBs # BggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUy # MDIwMTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUH # AwgwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQAog61WXj9+/nxV # bX3G37KgvyoNAnuu2w3HoWZj3H0YCeQ3b9KSZThVThW4iFcHrKnhFMBbXJX4uQI5 # 3kOWSaWCaV3xCznpRt3c4/gSn3dvO/1GP3MJkpJfgo56CgS9zLOiP31kfmpUdPqe # kZb4ivMR6LoPb5HNlq0WbBpzFbtsTjNrTyfqqcqAwc6r99Df2UQTqDa0vzwpA8Cx # iAg2KlbPyMwBOPcr9hJT8sGpX/ZhLDh11dZcbUAzXHo1RJorSSftVa9hLWnzxGzE # GafPUwLmoETihOGLqIQlCpvr94Hiak0Gq0wY6lduUQjk/lxZ4EzAw/cGMek8J3Qd # iNS8u9ujYh1B7NLr6t3IglfScDV3bdVWet1itTUoKVRLIivRDwAT7dRH13Cq32j2 # JG5BYu/XitRE8cdzaJmDVBzYhlPl9QXvC+6qR8I6NIN/9914bTq/S4g6FF4f1dix # UxE4qlfUPMixGr0Ft4/S0P4fwmhs+WHRn62PB4j3zCHixKJCsRn9IR3ExBQKQdMi # 5auiqB6xQBADUf+F7hSKZfbA8sFSFreLSqhvj+qUQF84NcxuaxpbJWVpsO18IL4Q # bt45Cz/QMa7EmMGNn7a8MM3uTQOlQy0u6c/jq111i1JqMjayTceQZNMBMM5EMc5D # r5m3T4bDj9WTNLgP8SFe3EqTaWVMOTCCB3EwggVZoAMCAQICEzMAAAAVxedrngKb # SZkAAAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQI # EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv # ZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmlj # YXRlIEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIy # NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT # B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE # AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEB # AQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXI # yjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjo # YH1qUoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1y # aa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v # 3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pG # ve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg3viS # kR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYr # bqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlM # jgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSL # W6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AF # emzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIu # rQIDAQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIE # FgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWn # G1M1GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEW # M2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5 # Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBi # AEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV # 9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3Js # Lm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAx # MC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2 # LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv # 6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZn # OlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1 # bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4 # rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU # 6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDF # NLB62FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/ # HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2tVdU # CbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKi # excdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTm # dHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZq # ELQdVTNYs6FwZvKhggNQMIICOAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJp # Y2EgT3BlcmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjM3MDMtMDVF # MC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloiMK # AQEwBwYFKw4DAhoDFQCJ2x7cQfjpRskJ8UGIctOCkmEkj6CBgzCBgKR+MHwxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv # c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6ZlmfjAi # GA8yMDI0MDMxMTExMTYxNFoYDzIwMjQwMzEyMTExNjE0WjB3MD0GCisGAQQBhFkK # BAExLzAtMAoCBQDpmWZ+AgEAMAoCAQACAg8eAgH/MAcCAQACAhL0MAoCBQDpmrf+ # AgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSCh # CjAIAgEAAgMBhqAwDQYJKoZIhvcNAQELBQADggEBAAAcbAXx8X0tBj9wnmikwjVT # d98uRHkrqMk8xsgKo9QRCrKyzXvEfty8jd+gKj/X5NZ47Kc4Vkb+9ZZMuijML3be # MeFmdrmJNBtQm2JnCmOHR0ZjGpTOVGpBz3+hs0Ukl4IpQNbgVN45u1J0ty5yekJp # ExdK/K99neHjcDh43kmR7W9ItwZWSySQU0MGHq5cV/rqPjscnausfTtKWzG3ZFep # aSHqS3kKSWXSvAW43kulKjyWgkzCUDTnrQMQrfksuBWe7FXcKgO04JACLyP595bO # xZumEHYkjkMco+uqXVzXKt+vwhlWRFvUuBN+/Ian3sLf3xs98sfFF+zG3tTGfBkx # ggQNMIIECQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv # bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 # aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAA # AeqaJHLVWT9hYwABAAAB6jANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkD # MQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCBfEZ7pGqoyER7pxWz4a3lJ # 3e0R527VfwKe5QpEmBTWwDCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EICmP # odXjZDR4iwg0ltLANXBh5G1uKqKIvq8sjKekuGZ4MIGYMIGApH4wfDELMAkGA1UE # BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc # BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0 # IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAHqmiRy1Vk/YWMAAQAAAeowIgQg4iGe # ly1SmvrVSgxEk2f1t3oBbsL8vnFhQYpEzDqDlmUwDQYJKoZIhvcNAQELBQAEggIA # N2VfyYgDTZKkzzQt402+q6LkAnzvR/51j4v1CEn5o33tW61uhd/r37QeQlCcL+R0 # PBOHRiLsfCqPXu5BrXk6af6Ly6qKFaZgyzZVKZO+GNRgt5F0pgZDqvLiwVIVKCXP # 3eLlJvQnM6xr1OdupEQINbXI+TwMsnwuYJRHtXhPu/PHV8uAOCD5Ba+KcD30NDm3 # 9WhBvpsprdfeSYGOeGPu9/p/qUMPDExzTtpPoeuw1k8OuMT54/q4cNK5tNGdKJHZ # kmPVi019T9+2g4dgygaPLQELwG77hDT2EOjyuSf9E7pjSq1eaQYERuDVclfJxRrd # wYb3C++xgLWqe+huItTmYyx5UN+OklXzDHw8BDc+C8tUyD0J1fL1V2RyI5hw4Jmz # 8J5danYP3Rs1JbxhI5KLlZtK6PoaHaO7SCBCa3Z0c043L2RLVRGUAtyTsAdvf+wX # A2e0a57NdvHYRb87vc18ckH7c+KGJ2OcWpWKD7Ua326JUp4yuwKEXidwAjop5GdV # hzD9tmlPSCyAJRXceGXiO0VUsTV1j9incvVliWy7/V68XiH008c+xPBkGyIsZiFG # K9PdT5+4IBM3zg81aLNb5p7Oej3jvny//E1Kg93ndOILPJqKkxfCirAeFEMWFlXn # uG6dSrMEZ2wvHU7M/6ucKUBQnsHl5gWHLPejSjuISS0= # SIG # End signature block |