Modules/Providers/ProviderHelpers/AADConditionalAccessHelper.psm1
|
class CapHelper { <# .description Class for parsing conditional access policies (Caps) to generate a pre-processed version that can be used to generate the HTML table of the condiational access policies in the report. #> <# The following hashtables are used to map the codes used in the API output to human-friendly strings #> [System.Collections.Hashtable] $ExternalUserStrings = @{"b2bCollaborationGuest" = "B2B collaboration guest users"; "b2bCollaborationMember" = "B2B collaboration member users"; "b2bDirectConnectUser" = "B2B direct connect users"; "internalGuest" = "Local guest users"; "serviceProvider" = "Service provider users"; "otherExternalUser" = "Other external users"} [System.Collections.Hashtable] $StateStrings = @{"enabled" = "On"; "enabledForReportingButNotEnforced" = "Report-only"; "disabled" = "Off"} [System.Collections.Hashtable] $ActionStrings = @{"urn:user:registersecurityinfo" = "Register security info"; "urn:user:registerdevice" = "Register or join devices"} [System.Collections.Hashtable] $ClientAppStrings = @{"exchangeActiveSync" = "Exchange ActiveSync Clients"; "browser" = "Browser"; "mobileAppsAndDesktopClients" = "Mobile apps and desktop clients"; "other" = "Other clients"; "all" = "all"} [System.Collections.Hashtable] $GrantControlStrings = @{"mfa" = "multifactor authentication"; "compliantDevice" = "device to be marked compliant"; "domainJoinedDevice" = "Hybrid Azure AD joined device"; "approvedApplication" = "approved client app"; "compliantApplication" = "app protection policy"; "passwordChange" = "password change"} [System.Collections.Hashtable] $CondAccessAppControlStrings = @{"monitorOnly" = "Monitor only"; "blockDownloads" = "Block downloads"; "mcasConfigured" = "Use custom policy"} [string[]] GetMissingKeys([System.Object]$Obj, [string[]] $Keys) { <# .Description Returns a list of the keys in $Keys are not members of $Obj. Used to validate the structure of the conditonal access policies. .Functionality Internal #> $Missing = @() if ($null -eq $Obj) { # Note that $null needs to come first in the above check to keep the # linter happy. "$null should be on the left side of equality comparisons" return $Missing } foreach ($Key in $Keys) { $HasKey = [bool]($Obj.PSobject.Properties.name -match $Key) if (-not $HasKey) { $Missing += $Key } } return $Missing } [string[]] GetIncludedUsers([System.Object]$Cap) { <# .Description Parses a given conditional access policy (Cap) to generate the list of included users/roles used in the policy. .Functionality Internal #> # Perform some basic validation of the CAP. If some of these values # are missing it could indicate that the API has been restructured. $Missing = @() $Missing += $this.GetMissingKeys($Cap, @("Conditions")) $Missing += $this.GetMissingKeys($Cap.Conditions, @("Users")) $Missing += $this.GetMissingKeys($Cap.Conditions.Users, @("IncludeGroups", "IncludeGuestsOrExternalUsers", "IncludeRoles", "IncludeUsers")) if ($Missing.Length -gt 0) { Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')" return @() } # Begin processing the CAP $Output = @() $CapIncludedUsers = $Cap.Conditions.Users.IncludeUsers if ($CapIncludedUsers -Contains "All") { $Output += "All" } elseif ($CapIncludedUsers -Contains "None") { $Output += "None" } else { # Users if ($CapIncludedUsers.Length -eq 1) { $Output += "1 specific user" } elseif ($CapIncludedUsers.Length -gt 1) { $Output += "$($CapIncludedUsers.Length) specific users" } # Roles $CapIncludedRoles = $Cap.Conditions.Users.IncludeRoles if ($Cap.Conditions.Users.IncludeRoles.Length -eq 1) { $Output += "1 specific role" } elseif ($CapIncludedRoles.Length -gt 1) { $Output += "$($CapIncludedRoles.Length) specific roles" } # Groups $CapIncludedGroups = $Cap.Conditions.Users.IncludeGroups if ($CapIncludedGroups.Length -eq 1) { $Output += "1 specific group" } elseif ($CapIncludedGroups.Length -gt 1) { $Output += "$($CapIncludedGroups.Length) specific groups" } # External/guests if ($null -ne $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.ExternalTenants.MembershipKind) { $GuestOrExternalUserTypes = $Cap.Conditions.Users.IncludeGuestsOrExternalUsers.GuestOrExternalUserTypes -Split "," $Output += @($GuestOrExternalUserTypes | ForEach-Object {$this.ExternalUserStrings[$_]}) } } return $Output } [string[]] GetExcludedUsers([System.Object]$Cap) { <# .Description Parses a given conditional access policy (Cap) to generate the list of excluded users/roles used in the policy. .Functionality Internal #> # Perform some basic validation of the CAP. If some of these values # are missing it could indicate that the API has been restructured. $Missing = @() $Missing += $this.GetMissingKeys($Cap, @("Conditions")) $Missing += $this.GetMissingKeys($Cap.Conditions, @("Users")) $Missing += $this.GetMissingKeys($Cap.Conditions.Users, @("ExcludeGroups", "ExcludeGuestsOrExternalUsers", "ExcludeRoles", "ExcludeUsers")) if ($Missing.Length -gt 0) { Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')" return @() } # Begin processing the CAP $Output = @() # Users $CapExcludedUsers = $Cap.Conditions.Users.ExcludeUsers if ($CapExcludedUsers.Length -eq 1) { $Output += "1 specific user" } elseif ($CapExcludedUsers.Length -gt 1) { $Output += "$($CapExcludedUsers.Length) specific users" } # Roles $CapExcludedRoles = $Cap.Conditions.Users.ExcludeRoles if ($CapExcludedRoles.Length -eq 1) { $Output += "1 specific role" } elseif ($CapExcludedRoles.Length -gt 1) { $Output += "$($CapExcludedRoles.Length) specific roles" } # Groups $CapExcludedGroups = $Cap.Conditions.Users.ExcludeGroups if ($CapExcludedGroups.Length -eq 1) { $Output += "1 specific group" } elseif ($CapExcludedGroups.Length -gt 1) { $Output += "$($CapExcludedGroups.Length) specific groups" } # External/guests if ($null -ne $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind) { $GuestOrExternalUserTypes = $Cap.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes -Split "," $Output += @($GuestOrExternalUserTypes | ForEach-Object {$this.ExternalUserStrings[$_]}) } # If no users are excluded, rather than display an empty cell, display "None" if ($Output.Length -eq 0) { $Output += "None" } return $Output } [string[]] GetApplications([System.Object]$Cap) { <# .Description Parses a given conditional access policy (Cap) to generate the list of included/excluded applications/actions used in the policy. .Functionality Internal #> # Perform some basic validation of the CAP. If some of these values # are missing it could indicate that the API has been restructured. $Missing = @() $Missing += $this.GetMissingKeys($Cap, @("Conditions")) $Missing += $this.GetMissingKeys($Cap.Conditions, @("Applications")) $Missing += $this.GetMissingKeys($Cap.Conditions.Applications, @("ApplicationFilter", "ExcludeApplications", "IncludeApplications", "IncludeAuthenticationContextClassReferences", "IncludeUserActions")) if ($Missing.Length -gt 0) { Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')" return @() } # Begin processing the CAP $Output = @() $CapIncludedActions = $Cap.Conditions.Applications.IncludeUserActions $CapAppFilterMode = $Cap.Conditions.Applications.ApplicationFilter.Mode $CapIncludedApps = $Cap.Conditions.Applications.IncludeApplications if ($CapIncludedApps.Length -gt 0 -or $null -ne $CapAppFilterMode) { # For "Select what this policy applies to", "Cloud Apps" was selected $Output += "Policy applies to: apps" # Included apps: if ($CapIncludedApps -Contains "All") { $Output += "Apps included: All" } elseif ($CapIncludedApps -Contains "None") { $Output += "Apps included: None" } elseif ($CapIncludedApps.Length -eq 1) { $Output += "Apps included: 1 specific app" } elseif ($CapIncludedApps.Length -gt 1) { $Output += "Apps included: $($CapIncludedApps.Length) specific apps" } if ($CapAppFilterMode -eq "include") { $Output += "Apps included: custom application filter" } $CapExcludedApps = $Cap.Conditions.Applications.ExcludeApplications if ($CapExcludedApps.Length -eq 1) { $Output += "Apps excluded: 1 specific app" } elseif ($CapExcludedApps.Length -gt 1) { $Output += "Apps excluded: $($CapExcludedApps.Length) specific apps" } if ($CapAppFilterMode -eq "exclude") { $Output += "Apps excluded: custom application filter" } if ($CapAppFilterMode -ne "exclude" -and $CapExcludedApps.Length -eq 0) { $Output += "Apps excluded: None" } } elseif ($CapIncludedActions.Length -gt 0) { # For "Select what this policy applies to", "User actions" was selected $Output += "Policy applies to: actions" $Output += "User action: $($this.ActionStrings[$CapIncludedActions[0]])" # While "IncludeUserActions" is a list, the GUI doesn't actually let you select more than one # item at a time, hence "IncludeUserActions[0]" above } else { # For "Select what this policy applies to", "Authentication context" was selected $AuthContexts = $Cap.Conditions.Applications.IncludeAuthenticationContextClassReferences if ($AuthContexts.Length -eq 1) { $Output += "Policy applies to: 1 authentication context" } else { $Output += "Policy applies to: $($AuthContexts.Length) authentication contexts" } } return $Output } [string[]] GetConditions([System.Object]$Cap) { <# .Description Parses a given conditional access policy (Cap) to generate the list of conditions used in the policy. .Functionality Internal #> # Perform some basic validation of the CAP. If some of these values # are missing it could indicate that the API has been restructured. $Missing = @() $Missing += $this.GetMissingKeys($Cap, @("Conditions")) $Missing += $this.GetMissingKeys($Cap.Conditions, @("UserRiskLevels", "SignInRiskLevels", "Platforms", "Locations", "ClientAppTypes", "Devices")) $Missing += $this.GetMissingKeys($Cap.Conditions.Platforms, @("ExcludePlatforms", "IncludePlatforms")) $Missing += $this.GetMissingKeys($Cap.Conditions.Locations, @("ExcludeLocations", "IncludeLocations")) $Missing += $this.GetMissingKeys($Cap.Conditions.Devices, @("DeviceFilter")) if ($Missing.Length -gt 0) { Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')" return @() } # Begin processing the CAP $Output = @() # User risk $CapUserRiskLevels = $Cap.Conditions.UserRiskLevels if ($CapUserRiskLevels.Length -gt 0) { $Output += "User risk levels: $($CapUserRiskLevels -Join ', ')" } # Sign-in risk $CapSignInRiskLevels = $Cap.Conditions.SignInRiskLevels if ($CapSignInRiskLevels.Length -gt 0) { $Output += "Sign-in risk levels: $($CapSignInRiskLevels -Join ', ')" } # Device platforms $CapIncludedPlatforms = $Cap.Conditions.Platforms.IncludePlatforms if ($null -ne $CapIncludedPlatforms) { $Output += "Device platforms included: $($CapIncludedPlatforms -Join ', ')" $CapExcludedPlatforms = $Cap.Conditions.Platforms.ExcludePlatforms if ($CapExcludedPlatforms.Length -eq 0) { $Output += "Device platforms excluded: none" } else { $Output += "Device platforms excluded: $($CapExcludedPlatforms -Join ', ')" } } # Locations $CapIncludedLocations = $Cap.Conditions.Locations.IncludeLocations if ($null -ne $CapIncludedLocations) { if ($CapIncludedLocations -Contains "All") { $Output += "Locations included: all locations" } elseif ($CapIncludedLocations -Contains "AllTrusted") { $Output += "Locations included: all trusted locations" } elseif ($CapIncludedLocations.Length -eq 1) { $Output += "Locations included: 1 specific location" } else { $Output += "Locations included: $($CapIncludedLocations.Length) specific locations" } $CapExcludedLocations = $Cap.Conditions.Locations.ExcludeLocations if ($CapExcludedLocations -Contains "AllTrusted") { $Output += "Locations excluded: all trusted locations" } elseif ($CapExcludedLocations.Length -eq 0) { $Output += "Locations excluded: none" } elseif ($CapExcludedLocations.Length -eq 1) { $Output += "Locations excluded: 1 specific location" } else { $Output += "Locations excluded: $($CapExcludedLocations.Length) specific locations" } } # Client Apps $ClientApps += @($Cap.Conditions.ClientAppTypes | ForEach-Object {$this.ClientAppStrings[$_]}) $Output += "Client apps included: $($ClientApps -Join ', ')" # Filter for devices if ($null -ne $Cap.Conditions.Devices.DeviceFilter.Mode) { if ($Cap.Conditions.Devices.DeviceFilter.Mode -eq "include") { $Output += "Custom device filter in include mode active" } else { $Output += "Custom device filter in exclude mode active" } } return $Output } [string] GetAccessControls([System.Object]$Cap) { <# .Description Parses a given conditional access policy (Cap) to generate the list of access controls used in the policy. .Functionality Internal #> # Perform some basic validation of the CAP. If some of these values # are missing it could indicate that the API has been restructured. $Missing = @() $Missing += $this.GetMissingKeys($Cap, @("GrantControls")) $Missing += $this.GetMissingKeys($Cap.GrantControls, @("AuthenticationStrength", "BuiltInControls", "CustomAuthenticationFactors", "Operator", "TermsOfUse")) $Missing += $this.GetMissingKeys($Cap.GrantControls.AuthenticationStrength, @("DisplayName")) if ($Missing.Length -gt 0) { Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')" return @() } # Begin processing the CAP $Output = "" if ($null -ne $Cap.GrantControls.BuiltInControls) { if ($Cap.GrantControls.BuiltInControls -Contains "block") { $Output = "Block access" } else { $GrantControls = @($Cap.GrantControls.BuiltInControls | ForEach-Object {$this.GrantControlStrings[$_]}) if ($null -ne $Cap.GrantControls.AuthenticationStrength.DisplayName) { $GrantControls += "authentication strength ($($Cap.GrantControls.AuthenticationStrength.DisplayName))" } if ($Cap.GrantControls.TermsOfUse.Length -gt 0) { $GrantControls += "terms of use" } $Output = "Allow access but require $($GrantControls -Join ', ')" if ($GrantControls.Length -gt 1) { # If multiple access controls are in place, insert the AND or the OR # before the final access control $Output = $Output.Insert($Output.LastIndexOf(',')+1, " $($Cap.GrantControls.Operator)") } } } if ($Output -eq "") { $Output = "None" } return $Output } [string[]] GetSessionControls([System.Object]$Cap) { <# .Description Parses a given conditional access policy (Cap) to generate the list of session controls used in the policy. .Functionality Internal #> # Perform some basic validation of the CAP. If some of these values # are missing it could indicate that the API has been restructured. $Missing = @() $Missing += $this.GetMissingKeys($Cap, @("SessionControls")) $Missing += $this.GetMissingKeys($Cap.SessionControls, @("ApplicationEnforcedRestrictions", "CloudAppSecurity", "ContinuousAccessEvaluation", "DisableResilienceDefaults", "PersistentBrowser", "SignInFrequency")) $Missing += $this.GetMissingKeys($Cap.SessionControls.ApplicationEnforcedRestrictions, @("IsEnabled")) $Missing += $this.GetMissingKeys($Cap.SessionControls.CloudAppSecurity, @("CloudAppSecurityType", "IsEnabled")) $Missing += $this.GetMissingKeys($Cap.SessionControls.ContinuousAccessEvaluation, @("Mode")) $Missing += $this.GetMissingKeys($Cap.SessionControls.PersistentBrowser, @("IsEnabled", "Mode")) $Missing += $this.GetMissingKeys($Cap.SessionControls.SignInFrequency, @("IsEnabled", "FrequencyInterval", "Type", "Value")) if ($Missing.Length -gt 0) { Write-Warning "Conditional access policy structure not as expected. The following keys are missing: $($Missing -Join ', ')" return @() } # Begin processing the CAP $Output = @() if ($Cap.SessionControls.ApplicationEnforcedRestrictions.IsEnabled) { $Output += "Use app enforced restrictions" } if ($Cap.SessionControls.CloudAppSecurity.IsEnabled) { $Mode = $this.CondAccessAppControlStrings[$Cap.SessionControls.CloudAppSecurity.CloudAppSecurityType] $Output += "Use Conditional Access App Control ($($Mode))" } if ($Cap.SessionControls.SignInFrequency.IsEnabled) { if ($Cap.SessionControls.SignInFrequency.FrequencyInterval -eq "everyTime") { $Output += "Sign-in frequency (every time)" } else { $Value = $Cap.SessionControls.SignInFrequency.Value $Unit = $Cap.SessionControls.SignInFrequency.Type $Output += "Sign-in frequency (every $($Value) $($Unit))" } } if ($Cap.SessionControls.PersistentBrowser.IsEnabled) { $Mode = $Cap.SessionControls.PersistentBrowser.Mode $Output += "Persistent browser session ($($Mode) persistent)" } if ($Cap.SessionControls.ContinuousAccessEvaluation.Mode -eq "disabled") { $Output += "Customize continuous access evaluation" } if ($Cap.SessionControls.DisableResilienceDefaults) { $Output += "Disable resilience defaults" } if ($Output.Length -eq 0) { $Output += "None" } return $Output } [string] ExportCapPolicies([System.Object]$Caps) { <# .Description Parses the conditional access policies (Caps) to generate a pre-processed version that can be used to generate the HTML of the condiational access policies in the report. .Functionality Internal #> if ($Caps.Length -eq 1 -and $Caps[0].PSobject.Properties.name -match "Value" -and $Caps[0].Value.Length -eq 0) { # For some reason, when there are no conditional access policies, # we don't get an empty list. Instead we get a list with one # object containing the following: # "@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies" # "Value": [] return "[]" } $Table = @() foreach ($Cap in $Caps) { $State = $this.StateStrings[$Cap.State] $UsersIncluded = $($this.GetIncludedUsers($Cap)) -Join ", " $UsersExcluded = $($this.GetExcludedUsers($Cap)) -Join ", " $Users = @("Users included: $($UsersIncluded)", "Users excluded: $($UsersExcluded)") $Apps = $this.GetApplications($Cap) $Conditions = $this.GetConditions($Cap) $AccessControls = $this.GetAccessControls($Cap) $SessionControls = $this.GetSessionControls($Cap) $CapDetails = [pscustomobject]@{ "Name" = $Cap.DisplayName; "State" = $State; "Users" = $Users "Apps/Actions" = $Apps; "Conditions" = $Conditions; "Block/Grant Access" = $AccessControls; "Session Controls" = $SessionControls; } $Table += $CapDetails } # Sort the table by State before converting to JSON and sort the name alphabetically $StateOrder = @{ "On" = 1 "Report-Only" = 2 "Off" = 3 } $Table = $Table | Sort-Object { $StateOrder[$_.State] }, Name $CapTableJson = ConvertTo-Json $Table return $CapTableJson } } function Get-CapTracker { [CapHelper]::New() } # SIG # Begin signature block # MIIu9gYJKoZIhvcNAQcCoIIu5zCCLuMCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAOX1yVTgLgUBuV # L5hEOe5pOk60aGpRFI9pEikfHkLvt6CCE6MwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggdXMIIFP6ADAgECAhAMM6tnPejLgA9WVhXroQvSMA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjYwMTE0MDAwMDAwWhcNMjcwMTEzMjM1OTU5WjBfMQsw # CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV # BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCuXYolNHqlh6smLTE592waXheZ # 8VHzxeds4pMaepGuwmjf8d1jG9wUNuJX9/qb0a1dgGz5D/EAz5NRTIin4SZYQEE8 # qvdl2yQJ5uWxXIjsFbrOyc1fWscUXw0Kt7OPLOafcEkdDoe8K0tO4h2GL3RWRzjp # uLfQhhnAmD6NT1l+ughnfmarV/ODgIn/RFR4YORlu4YP2xQX6KRxeTDslg7F+z6X # +t87/U8m8gQ9XTm5kBmteP4GcE/ytnyI+ScIxNRybzGomWIBm848XDE5yYhlYQ2R # SnCoo6M4CRqp9WFGVyoLkoPP0OlxzryKWaE1/nuPbYG/kf/rUB1OhqxvSSGwmNhs # vkkjsC0Z9H5Jy6heFdoxOu/+ZQksKoP/fMvHxuCCtkIJbV8tk0oT6MQ8EJbgsWDZ # TKhui1wxW6JIZyBOMPWoZUOouOzo2h5Cz7LBPKME5FkcUzcs47lpRlDkJco4PLcj # wJSo4XPnx3G/2DIjNEFNyfKCWfH8uW6nJjmDBiveFZ2j0YvgdQ+7MOjQnw7R/MAD # DTagrKl3rLV60+X2TY6/onKhCUuU3pMAjVbOwZ3PkzDLZnsEGRfm6hgp6014aXml # t8h4nu+uC41U8vUSGHl0vqKuzvmShLmnI+Iv0l95pmnqomuCZzRDrjEoaLPx7OxL # Dy/Id9E7yQDip4jBdQIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R # hvv+YXsIiGX0TkIwHQYDVR0OBBYEFN30sVU+fpfQQfPQWMhkO1qd+MxoMD4GA1Ud # IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl # cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw # gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j # cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0 # ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF # BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ # BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQA77T42YiOx5wWPItgo+kvB+Gzb # ZFCRHRFfTAZZNQt9o/0CqNmyA2xFklX4t5Z9VNdiIOx14AnmJdQkcRdk3vsU5gby # jKEup7LTWtvcWrl6hQwGNt3l892BgUbPKsPBE+AriktVqn5yMSXVVzeboqsqAG8e # Syei0B54/QdgR4whfHvQ/qpCACsJTlJgAykXVgDPJNKnQ7wc17loLQutqF1JUcbO # XKWt1AA9Zas5q30LDZzZeK4B56yojK68CTQXN7toSRFIuZDMKKDfIZpCX8cmbaaO # DFOOu44/QWMv+Xc6+ISYGkrTTzqWhOqiXgLVBeXGn/WrOJJ8R29mZMneCpBesCLs # YII1gCFOo7Vt6mvOKxAPQ3KhJYBFEHkp+GI65koaQkO2xv50iLS0+/j2YC66uviU # MFe0JEOdXuE7Rn/OmWNSzQ+6kPNYDJQASQ974C3wUejJoMtGZEzoTbly/HufQTrd # rhcL2aC69CxSN+idTXPLC9UT3xo4sFdOw+hXkmbXtoB1GDsd5p1TWFgRbnTXDkbM # YMBWYVB6/Tk1bzwj4iTp4g0YrtB628FXPX/ko+JWZlv0Ea865S23w1uGlnDNVxIi # +8oi74G5DM66Q6ENt6+3WoRGRrdoyE6uCh1haY+oPYSgumb0ozzrp8tw89TRKVrK # KSXGBxlExEvjQ6dYwjGCGqkwghqlAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDDOrZz3oy4AP # VlYV66EL0jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh # AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM # BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCDiGvOFXUyPW+UisKnuWp2uAFOw # vSxvaQjUa77msTXq9zANBgkqhkiG9w0BAQEFAASCAgCTDmlgZEFf2AZXjrWfo033 # IoGAva/PvtWdgj/XuGciIAjHJVnHe2IMpALfeq9jRW9xFOVaCMyzxvUr7mrrNUEZ # rfkvmmcL3SqCrgWGZ6fHf40rrRkdVCvOhzRi+DmH09Uyj9+Csj0F0eNfAKr4dsn8 # Th1EC6bBhogbOZReDNmy8k0LzhHKtqyH5vQ+A1G5Agw5viqwxFl21gjInE6bkNgY # KJa0tOaNQJGCyBV162uPUFI4rPTz4U3qCvJajMtcbf3eafIPupcgW/zCrCghD2vJ # ktum6Us/Qq0cDrmXwh98g2OBwiNI8ZrjT6iBc224bFi+UcmakkossCinh61Mn4g3 # piByKEzafPZrp39sTj3FD3L+4wtrEhxEIXRsoju2bPi9A8qMUyU2z7w7BsVsISGa # lJ/4eAJuAnOhVY/E5CJGR7bXuPFVJuJJJ4cbUUbAygUBzf8MdI35qS/QtdD+1AiA # vua9ujGqZU5/7IcaS5Yt1TSKG+ai9s5O/83mWloQMSy9bIw2Q7fLetwFaQevmJbd # qHebEKN5aVl8xeonVWPoBa8lKlCLTqogNWoATpiFE7R5GNfJf6Qk4a/sA4tYWTP8 # v5m2krsVN9lGqdBVHEXRc3xtdtC+MZqyrtKi352XXb7OUArpWHDhqZgQg4KkNn8F # j/w3JzyqV+BP3sO5718+tqGCF3YwghdyBgorBgEEAYI3AwMBMYIXYjCCF14GCSqG # SIb3DQEHAqCCF08wghdLAgEDMQ8wDQYJYIZIAWUDBAIBBQAwdwYLKoZIhvcNAQkQ # AQSgaARmMGQCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCCl2ghhZ+hJ # QghapApfIo4N28F0F+sMGCL/122xQ8Lz9wIQL8Y7o+NjkYeFYWqg7TdI1RgPMjAy # NjAyMjAyMTMyNDVaoIITOjCCBu0wggTVoAMCAQICEAqA7xhLjfEFgtHEdqeVdGgw # DQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0 # LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0IFRpbWVTdGFtcGlu # ZyBSU0E0MDk2IFNIQTI1NiAyMDI1IENBMTAeFw0yNTA2MDQwMDAwMDBaFw0zNjA5 # MDMyMzU5NTlaMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5j # LjE7MDkGA1UEAxMyRGlnaUNlcnQgU0hBMjU2IFJTQTQwOTYgVGltZXN0YW1wIFJl # c3BvbmRlciAyMDI1IDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQ # RqwtEsae0OquYFazK1e6b1H/hnAKAd/KN8wZQjBjMqiZ3xTWcfsLwOvRxUwXcGx8 # AUjni6bz52fGTfr6PHRNv6T7zsf1Y/E3IU8kgNkeECqVQ+3bzWYesFtkepErvUSb # f+EIYLkrLKd6qJnuzK8Vcn0DvbDMemQFoxQ2Dsw4vEjoT1FpS54dNApZfKY61HAl # dytxNM89PZXUP/5wWWURK+IfxiOg8W9lKMqzdIo7VA1R0V3Zp3DjjANwqAf4lEkT # lCDQ0/fKJLKLkzGBTpx6EYevvOi7XOc4zyh1uSqgr6UnbksIcFJqLbkIXIPbcNmA # 98Oskkkrvt6lPAw/p4oDSRZreiwB7x9ykrjS6GS3NR39iTTFS+ENTqW8m6THuOmH # HjQNC3zbJ6nJ6SXiLSvw4Smz8U07hqF+8CTXaETkVWz0dVVZw7knh1WZXOLHgDvu # ndrAtuvz0D3T+dYaNcwafsVCGZKUhQPL1naFKBy1p6llN3QgshRta6Eq4B40h5av # Mcpi54wm0i2ePZD5pPIssoszQyF4//3DoK2O65Uck5Wggn8O2klETsJ7u8xEehGi # fgJYi+6I03UuT1j7FnrqVrOzaQoVJOeeStPeldYRNMmSF3voIgMFtNGh86w3ISHN # m0IaadCKCkUe2LnwJKa8TIlwCUNVwppwn4D3/Pt5pwIDAQABo4IBlTCCAZEwDAYD # VR0TAQH/BAIwADAdBgNVHQ4EFgQU5Dv88jHt/f3X85FxYxlQQ89hjOgwHwYDVR0j # BBgwFoAU729TSunkBnx6yuKQVvYv1Ensy04wDgYDVR0PAQH/BAQDAgeAMBYGA1Ud # JQEB/wQMMAoGCCsGAQUFBwMIMIGVBggrBgEFBQcBAQSBiDCBhTAkBggrBgEFBQcw # AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMF0GCCsGAQUFBzAChlFodHRwOi8v # Y2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRUaW1lU3RhbXBp # bmdSU0E0MDk2U0hBMjU2MjAyNUNBMS5jcnQwXwYDVR0fBFgwVjBUoFKgUIZOaHR0 # cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0VGltZVN0YW1w # aW5nUlNBNDA5NlNIQTI1NjIwMjVDQTEuY3JsMCAGA1UdIAQZMBcwCAYGZ4EMAQQC # MAsGCWCGSAGG/WwHATANBgkqhkiG9w0BAQsFAAOCAgEAZSqt8RwnBLmuYEHs0QhE # nmNAciH45PYiT9s1i6UKtW+FERp8FgXRGQ/YAavXzWjZhY+hIfP2JkQ38U+wtJPB # VBajYfrbIYG+Dui4I4PCvHpQuPqFgqp1PzC/ZRX4pvP/ciZmUnthfAEP1HShTrY+ # 2DE5qjzvZs7JIIgt0GCFD9ktx0LxxtRQ7vllKluHWiKk6FxRPyUPxAAYH2Vy1lNM # 4kzekd8oEARzFAWgeW3az2xejEWLNN4eKGxDJ8WDl/FQUSntbjZ80FU3i54tpx5F # /0Kr15zW/mJAxZMVBrTE2oi0fcI8VMbtoRAmaaslNXdCG1+lqvP4FbrQ6IwSBXkZ # agHLhFU9HCrG/syTRLLhAezu/3Lr00GrJzPQFnCEH1Y58678IgmfORBPC1JKkYaE # t2OdDh4GmO0/5cHelAK2/gTlQJINqDr6JfwyYHXSd+V08X1JUPvB4ILfJdmL+66G # p3CSBXG6IwXMZUXBhtCyIaehr0XkBoDIGMUG1dUtwq1qmcwbdUfcSYCn+OwncVUX # f53VJUNOaMWMts0VlRYxe5nK+At+DI96HAlXHAL5SlfYxJ7La54i71McVWRP66bW # +yERNpbJCjyCYG2j+bdpxo/1Cy4uPcU3AWVPGrbn5PhDBf3Froguzzhk++ami+r3 # Qrx5bIbY3TVzgiFI7Gq3zWcwgga0MIIEnKADAgECAhANx6xXBf8hmS5AQyIMOkmG # MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD # ZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yNTA1MDcwMDAwMDBaFw0zODAxMTQyMzU5 # NTlaMGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8G # A1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBUaW1lU3RhbXBpbmcgUlNBNDA5NiBT # SEEyNTYgMjAyNSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0 # eDHTCphBcr48RsAcrHXbo0ZodLRRF51NrY0NlLWZloMsVO1DahGPNRcybEKq+Ruw # OnPhof6pvF4uGjwjqNjfEvUi6wuim5bap+0lgloM2zX4kftn5B1IpYzTqpyFQ/4B # t0mAxAHeHYNnQxqXmRinvuNgxVBdJkf77S2uPoCj7GH8BLuxBG5AvftBdsOECS1U # kxBvMgEdgkFiDNYiOTx4OtiFcMSkqTtF2hfQz3zQSku2Ws3IfDReb6e3mmdglTca # arps0wjUjsZvkgFkriK9tUKJm/s80FiocSk1VYLZlDwFt+cVFBURJg6zMUjZa/zb # CclF83bRVFLeGkuAhHiGPMvSGmhgaTzVyhYn4p0+8y9oHRaQT/aofEnS5xLrfxnG # pTXiUOeSLsJygoLPp66bkDX1ZlAeSpQl92QOMeRxykvq6gbylsXQskBBBnGy3tW/ # AMOMCZIVNSaz7BX8VtYGqLt9MmeOreGPRdtBx3yGOP+rx3rKWDEJlIqLXvJWnY0v # 5ydPpOjL6s36czwzsucuoKs7Yk/ehb//Wx+5kMqIMRvUBDx6z1ev+7psNOdgJMoi # wOrUG2ZdSoQbU2rMkpLiQ6bGRinZbI4OLu9BMIFm1UUl9VnePs6BaaeEWvjJSjNm # 2qA+sdFUeEY0qVjPKOWug/G6X5uAiynM7Bu2ayBjUwIDAQABo4IBXTCCAVkwEgYD # VR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU729TSunkBnx6yuKQVvYv1Ensy04w # HwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGG # MBMGA1UdJQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcw # AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8v # Y2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBD # BgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgGBmeBDAEEAjALBglghkgB # hv1sBwEwDQYJKoZIhvcNAQELBQADggIBABfO+xaAHP4HPRF2cTC9vgvItTSmf83Q # h8WIGjB/T8ObXAZz8OjuhUxjaaFdleMM0lBryPTQM2qEJPe36zwbSI/mS83afsl3 # YTj+IQhQE7jU/kXjjytJgnn0hvrV6hqWGd3rLAUt6vJy9lMDPjTLxLgXf9r5nWMQ # wr8Myb9rEVKChHyfpzee5kH0F8HABBgr0UdqirZ7bowe9Vj2AIMD8liyrukZ2iA/ # wdG2th9y1IsA0QF8dTXqvcnTmpfeQh35k5zOCPmSNq1UH410ANVko43+Cdmu4y81 # hjajV/gxdEkMx1NKU4uHQcKfZxAvBAKqMVuqte69M9J6A47OvgRaPs+2ykgcGV00 # TYr2Lr3ty9qIijanrUR3anzEwlvzZiiyfTPjLbnFRsjsYg39OlV8cipDoq7+qNNj # qFzeGxcytL5TTLL4ZaoBdqbhOhZ3ZRDUphPvSRmMThi0vw9vODRzW6AxnJll38F0 # cuJG7uEBYTptMSbhdhGQDpOXgpIUsWTjd6xpR6oaQf/DJbg3s6KCLPAlZ66RzIg9 # sC+NJpud/v4+7RWsWCiKi9EOLLHfMR2ZyJ/+xhCx9yHbxtl5TPau1j/1MIDpMPx0 # LckTetiSuEtQvLsNz3Qbp7wGWqbIiOWCnb5WqxL3/BAPvIXKUjPSxyZsq8WhbaM2 # tszWkPZPubdcMIIFjTCCBHWgAwIBAgIQDpsYjvnQLefv21DiCEAYWjANBgkqhkiG # 9w0BAQwFADBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkw # FwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1 # cmVkIElEIFJvb3QgQ0EwHhcNMjIwODAxMDAwMDAwWhcNMzExMTA5MjM1OTU5WjBi # MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 # d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg # RzQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAi # MGkz7MKnJS7JIT3yithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnny # yhHS5F/WBTxSD1Ifxp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE # 5nQ7bXHiLQwb7iDVySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm # 7nfISKhmV1efVFiODCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5 # w3jHtrHEtWoYOAMQjdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsD # dV14Ztk6MUSaM0C/CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1Z # XUJ2h4mXaXpI8OCiEhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS0 # 0mFt6zPZxd9LBADMfRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hk # pjPRiQfhvbfmQ6QYuKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m8 # 00ERElvlEFDrMcXKchYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+i # sX4KJpn15GkvmB0t9dmpsh3lGwIDAQABo4IBOjCCATYwDwYDVR0TAQH/BAUwAwEB # /zAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wHwYDVR0jBBgwFoAUReui # r/SSy4IxLVGLp6chnfNtyA8wDgYDVR0PAQH/BAQDAgGGMHkGCCsGAQUFBwEBBG0w # azAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEMGCCsGAQUF # BzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk # SURSb290Q0EuY3J0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwzLmRpZ2lj # ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwEQYDVR0gBAowCDAG # BgRVHSAAMA0GCSqGSIb3DQEBDAUAA4IBAQBwoL9DXFXnOF+go3QbPbYW1/e/Vwe9 # mqyhhyzshV6pGrsi+IcaaVQi7aSId229GhT0E0p6Ly23OO/0/4C5+KH38nLeJLxS # A8hO0Cre+i1Wz/n096wwepqLsl7Uz9FDRJtDIeuWcqFItJnLnU+nBgMTdydE1Od/ # 6Fmo8L8vC6bp8jQ87PcDx4eo0kxAGTVGamlUsLihVo7spNU96LHc/RzY9HdaXFSM # b++hUD38dglohJ9vytsgjTVgHAIDyyCwrFigDkBjxZgiwbJZ9VVrzyerbHbObyMt # 9H5xaiNrIv8SuFQtJ37YOtnwtoeW/VvRXKwYw02fc7cBqZ9Xql4o4rmUMYIDfDCC # A3gCAQEwfTBpMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4x # QTA/BgNVBAMTOERpZ2lDZXJ0IFRydXN0ZWQgRzQgVGltZVN0YW1waW5nIFJTQTQw # OTYgU0hBMjU2IDIwMjUgQ0ExAhAKgO8YS43xBYLRxHanlXRoMA0GCWCGSAFlAwQC # AQUAoIHRMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUx # DxcNMjYwMjIwMjEzMjQ1WjArBgsqhkiG9w0BCRACDDEcMBowGDAWBBTdYjCshgot # MGvaOLFoeVIwB/tBfjAvBgkqhkiG9w0BCQQxIgQg3SHfDw3d9HFFcLV4ai5+nDVe # PNP3UVOMWaH7kzwI4a4wNwYLKoZIhvcNAQkQAi8xKDAmMCQwIgQgSqA/oizXXITF # XJOPgo5na5yuyrM/420mmqM08UYRCjMwDQYJKoZIhvcNAQEBBQAEggIAr3Q8TQXY # atZfDCa2uuqdHgl4IA8BSwcvIoRMQbhElnzHtnTV2yj2uSNbR0/ef3OK6Tlvv9/Y # tv9jPh6mQjX1HWCo9GA9CCUjb7tCdLbvlosqXu9U3esiwTC/WXe6qa7YGL0d0gcH # Tx5iKY0yVM3OOOiGHNmCFt6afS7HDO7VMJkjNOcvQ8vSfa/fDTIM3/bjT1Z2M6vG # MAOMvbjRa9ceq2SDE4P9jP/RyamahvUollteyUW7I76XEk3r+yiBvljFlMwgkYKZ # k/uL94KO71vBj9YIbeSQddNjbmBv6Zl0ZZt3rH1P4OZrvd7NrFnhR4iK5tuMxtIF # z6dZHAg7yIzt78Wt7OJOGHX4sLEjs71ivtaVLEuwpGgtgpFlO5s09cJrYDyVGGZN # c4DESv0IMKov8UP2MhD2xiJs/qmwuYP9fFugby3G1tN2St+B6jLZ+Ue/LBeFdvo5 # yQFvPeecSlJ5j7ZT7YS6tB/Ksx3ViuU+Xcfcd3rXI3O0M5PpsQeOOXc9PRtGrH5c # X/9nsehI7+sqJUcSuGQnYN78oS0bHPQpnNB63jeFd72efEa0zzEJ6iEmVnUEAM0w # ivY753h+tQNEXqmvWKnzHH79wJuorvs/ZA7Jw+xUZGeX70o2cPtBpln+oqPVZHzs # N2fT6oW88UVdRWCps0SK5f9s2g5xV51pmlY= # SIG # End signature block |