Obs/bin/ObsDep/content/Powershell/Roles/Common/CertHelpers.psm1
|
# -------------------------------------------------------------- # Copyright � Microsoft Corporation. All Rights Reserved. # Microsoft Corporation (or based on where you live, one of its affiliates) licenses this sample code for your internal testing purposes only. # Microsoft provides the following sample code AS IS without warranty of any kind. The sample code arenot supported under any Microsoft standard support program or services. # Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. # The entire risk arising out of the use or performance of the sample code remains with you. # In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever # (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) # arising out of the use of or inability to use the sample code, even if Microsoft has been advised of the possibility of such damages. # --------------------------------------------------------------- Function PrettyTime() { return "[" + (Get-Date -Format o) + "]" } Function Log($msg) { Write-Verbose $( $(PrettyTime) + " " + $msg) -Verbose } function GetSubjectName([bool] $UseManagementAddress) { if ($UseManagementAddress -eq $true) { # When IP Address is specified, we are currently looking just for IPv4 corpnet ip address # In the final design, only computer names will be used for subject names $corpIPAddresses = get-netIpAddress -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction Ignore if ($corpIPAddresses -ne $null -and $corpIPAddresses[0] -ne $null) { $mesg = [System.String]::Format("Using IP Address {0} for certificate subject name", $corpIPAddresses[0].IPAddress); Log $mesg return $corpIPAddresses[0].IPAddress } else { Log "Unable to find management IP address "; } } $hostFqdn = [System.Net.Dns]::GetHostByName(($env:computerName)).HostName; $mesg = [System.String]::Format("Using computer name {0} for certificate subject name", $hostFqdn); Log $mesg return $hostFqdn ; } function GenerateSelfSignedCertificate([string] $subjectName) { $cryptographicProviderName = "Microsoft Base Cryptographic Provider v1.0"; [int] $privateKeyLength = 1024; $sslServerOidString = "1.3.6.1.5.5.7.3.1"; $sslClientOidString = "1.3.6.1.5.5.7.3.2"; [int] $validityPeriodInYear = 5; $name = new-object -com "X509Enrollment.CX500DistinguishedName.1" $name.Encode("CN=" + $SubjectName, 0) $mesg = [System.String]::Format("Generating certificate with subject Name {0}", $subjectName); Log $mesg #Generate Key $key = new-object -com "X509Enrollment.CX509PrivateKey.1" $key.ProviderName = $cryptographicProviderName $key.KeySpec = 1 #X509KeySpec.XCN_AT_KEYEXCHANGE $key.Length = $privateKeyLength $key.MachineContext = 1 $key.ExportPolicy = 0x2 #X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG $key.Create() #Configure Eku $serverauthoid = new-object -com "X509Enrollment.CObjectId.1" $serverauthoid.InitializeFromValue($sslServerOidString) $clientauthoid = new-object -com "X509Enrollment.CObjectId.1" $clientauthoid.InitializeFromValue($sslClientOidString) $ekuoids = new-object -com "X509Enrollment.CObjectIds.1" $ekuoids.add($serverauthoid) $ekuoids.add($clientauthoid) $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" $ekuext.InitializeEncode($ekuoids) # Set the hash algorithm to sha512 instead of the default sha1 $hashAlgorithmObject = New-Object -ComObject X509Enrollment.CObjectId $hashAlgorithmObject.InitializeFromAlgorithmName( $ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, $ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, $AlgorithmFlags.AlgorithmFlagsNone, "SHA512") #Request Cert $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1" $cert.InitializeFromPrivateKey(2, $key, "") $cert.Subject = $name $cert.Issuer = $cert.Subject $cert.NotBefore = (get-date).ToUniversalTime() $cert.NotAfter = $cert.NotBefore.AddYears($validityPeriodInYear); $cert.X509Extensions.Add($ekuext) $cert.HashAlgorithm = $hashAlgorithmObject $cert.Encode() $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1" $enrollment.InitializeFromRequest($cert) $certdata = $enrollment.CreateRequest(0) $enrollment.InstallResponse(2, $certdata, 0, "") Log "Successfully added cert to local machine store"; } function GivePermissionToNetworkService($targetCert) { $targetCertPrivKey = $targetCert.PrivateKey $privKeyCertFile = Get-Item -path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" | where {$_.Name -eq $targetCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName} $privKeyAcl = Get-Acl $privKeyCertFile $permission = "NT AUTHORITY\NETWORK SERVICE","Read","Allow" $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission $privKeyAcl.AddAccessRule($accessRule) Set-Acl $privKeyCertFile.FullName $privKeyAcl } Function AddCertToLocalMachineStore($certFullPath, $storeName, $securePassword) { $rootName = "LocalMachine" # create a representation of the certificate file $certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 if($securePassword -eq $null) { $certificate.import($certFullPath) } else { # https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags(v=vs.110).aspx $certificate.import($certFullPath, $securePassword, "MachineKeySet,PersistKeySet") } # import into the store $store = new-object System.Security.Cryptography.X509Certificates.X509Store($storeName, $rootName) $store.open("MaxAllowed") $store.add($certificate) $store.close() } Function GetSubjectFqdnFromCertificatePath($certFullPath) { # create a representation of the certificate file $certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate.import($certFullPath) return GetSubjectFqdnFromCertificate $certificate ; } Function GetSubjectFqdnFromCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2] $certificate) { $mesg = [System.String]::Format("Parsing Subject Name {0} to get Subject Fqdn ", $certificate.Subject) Log $mesg $subjectFqdn = $certificate.Subject.Split('=')[1] ; return $subjectFqdn; } function Get-Certs($path){ $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly" $rootName = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine" $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($path, $rootName) $store.Open($flags) $certs = $store.Certificates $store.Close() return $certs } <# .Synopsis Export the Azure Stack cert to the file share #> function Export-AzSCertificateToShare { [CmdletBinding()] Param ( [Parameter(Mandatory = $true, HelpMessage="The CustomerConfiguration.xml")] [ValidateNotNull()] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $CertBase64String, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $ProtectedCertPwd, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $CertificateName, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $CertificateRoleId ) Import-Module Microsoft.AzureStack.Security.CngDpapi $clusterName = Get-ManagementClusterName $Parameters $externalCertificatesInfo = $Parameters.Roles['CertificateManagement'].PublicConfiguration.PublicInfo.ExternalCertConfigurations.Certificates | Where Type -EQ 'AzureAD' | Select -First 1 $certificateConfigXml = $externalCertificatesInfo.Certificate | Where Name -EQ $CertificateName $domainRole = $Parameters.Roles["Domain"].PublicConfiguration $domainName = $domainRole.PublicInfo.DomainConfiguration.DomainName Trace-Execution "$($MyInvocation.InvocationName) : Retreiving the cert information with cert name '$CertificateName' and cert role Id '$CertificateRoleId'..." $certificateInfo = (($externalCertificatesInfo.Certificate | Where Name -EQ $CertificateName).Consumers.Consumer | Where Name -EQ $CertificateRoleId | Select -First 1) Trace-Execution "$($MyInvocation.InvocationName) : Retrieved the unprocessed extension host cert path: $($certificateInfo.Location)" $certLocation = Get-SharePath $Parameters $certificateInfo.Location $clusterName Trace-Execution "$($MyInvocation.InvocationName) : Retrieved the extension host cert path: $certLocation" $protectToGMSA = $certificateInfo.ProtectTo if($protectToGMSA -ne $null) { Trace-Execution "$($MyInvocation.InvocationName) : ProtectTo parameter specified: $protectToGMSA" } Trace-Execution "$($MyInvocation.InvocationName) : Retreiving the Azure Stack internal CA Certificate password..." $securityInfo = $Parameters.Roles["Cloud"].PublicConfiguration.PublicInfo.SecurityInfo $certUser = $securityInfo.CACertUsers.User | Where Role -EQ "CACertificateUser" $certCredential = $Parameters.GetCredential($certUser.Credential) $exportCertPassword = $certCredential.GetNetworkCredential().SecurePassword if ($exportCertPassword.Length -eq 0) { throw "The Azure Stack internal cert password should not be empty" } Trace-Execution "$($MyInvocation.InvocationName) : Retrive the Azure Stack internal CA Certificate password." Trace-Execution "$($MyInvocation.InvocationName) : Converting cert from base64 string to binary..." $certBytes = [System.Convert]::FromBase64String($CertBase64String) Trace-Execution "$($MyInvocation.InvocationName) : Converting the protected password to local secure string..." $certPwdCipher = [System.Convert]::FromBase64String($ProtectedCertPwd) $certPwdCipherUnprotected = [Microsoft.AzureStack.Security.CngDpapi.ProtectionDescriptor]::UnprotectSecret($certPwdCipher) $certPwdString = [System.Text.Encoding]::UTF8.GetString($certPwdCipherUnprotected) $certPwd = ConvertTo-SecureString $certPwdString -AsPlainText -Force Trace-Execution "$($MyInvocation.InvocationName) : decrypting the cert with input password..." try { # SyslogClient cert location may have not been been provided. If this is the first time # processing a SyslogClient cert - by PEP cmdlet Set-SyslogClient - the path # must be checked and created before exporting the cert to the share location. # Also, doing the same for Container Registry certificate as it will be supplied # by the customer via Import-AzsContainerRegistrySslCertificate after deployment. if (($CertificateName -eq "SyslogClient") -or ($CertificateName -eq "Container Registry") -and !(Test-Path -Path $certLocation)) { Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate location: $certLocation was not found" $CertSharePath = Split-Path -Path $certLocation Trace-Execution "$($MyInvocation.InvocationName) : Checking $CertificateName certificate share path: $CertSharePath" if (!(Test-Path -Path $CertSharePath)) { Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate share path: $CertSharePath was not found" Trace-Execution "$($MyInvocation.InvocationName) : Creating $CertificateName certificate share path: $CertSharePath" New-Item -Path $CertSharePath -ItemType Directory -Force -ErrorAction Stop Trace-Execution "$($MyInvocation.InvocationName) : Verifying $CertificateName certificate share path: $CertSharePath was created" if (!(Test-Path -Path $CertSharePath)) { Throw "Failed to find and create $CertificateName certificate share path: $CertSharePath" } Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate share path: $CertSharePath was created successfully" } else { Trace-Execution "$($MyInvocation.InvocationName) : $CertificateName certificate share path: $CertSharePath was found" } } Trace-Execution "$($MyInvocation.InvocationName) : exporting the original binary to location $certLocation ..." Set-Content -Value $certBytes -Path $certLocation -Encoding Byte -Force if (!(Test-Path -Path $certLocation)) { Throw "Failed temporary creation of $CertificateName using cert bytes into $certLocation" } Trace-Execution "$($MyInvocation.InvocationName) : importing the original cert ..." $cert = Import-PfxCertificateSafe -Filepath $certLocation -CertStoreLocation cert:\LocalMachine\My -Password $certPwd -Exportable if ($null -eq $cert) { Throw "Failed local import of $CertificateName from share: $certLocation using provided certificate password" } if($protectToGMSA -ne $null) { Trace-Execution "$($MyInvocation.InvocationName) : exporting the cert binary to location $certLocation with Azure Stack internal password and $protectToGMSA account protection..." Export-PfxCertificate -Cert $cert -FilePath $certLocation -Password $exportCertPassword -ProtectTo @("$domainName\$protectToGMSA") } else { Trace-Execution "$($MyInvocation.InvocationName) : exporting the cert binary to location $certLocation with Azure Stack internal password..." Export-PfxCertificate -Cert $cert -FilePath $certLocation -Password $exportCertPassword } if (!(Test-Path -Path $certLocation)) { Throw "Failed exporting $CertificateName to certificate location $certLocation" } } catch { Remove-Item $certLocation -Force -Confirm:$false -Verbose -ErrorAction SilentlyContinue throw } } <# .Synopsis Check whether a dev cert is present indicating this is an internal lab environment. #> function Test-DevCertPresent { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [CloudEngine.Configurations.EceInterfaceParameters] $Parameters ) $invokeCommandParams = @{ ScriptBlock = { Get-ChildItem "Cert:\LocalMachine\My" | where Subject -match "microsoftazurestacksupportteam" } } # Depending on where this code is running, we can check for the dev certificate in a different location. if ($env:ComputerName -eq $Parameters.Roles["DeploymentMachine"].PublicConfiguration.Nodes.Node.Name) { $invokeCommandParams.ComputerName = $Parameters.Roles["BareMetal"].PublicConfiguration.Nodes.Node.Name | select -First 1 Trace-Execution "Testing for presence of dev certificate on $($invokeCommandParams.ComputerName)." } else { Trace-Execution "Testing for presence of dev certificate on $env:ComputerName." } if (Invoke-Command @invokeCommandParams) { Trace-Execution "Found the dev certificate, indicating this is an internal environment." return $true } Trace-Execution "Dev certificate not found." return $false } <# Workaround for NC certificates requiring CRL. Publish CRL directly to local "Root" store on NC. #> function Publish-CertificateRevocationLists([CloudEngine.Configurations.EceInterfaceParameters] $Parameters, [string[]] $computerNames, [PSCredential] $Credential) { Import-Module -Name "$PSScriptRoot\..\..\Common\StorageHelpers.psm1" -Force -DisableNameChecking -Verbose:$false | Out-Null $ErrorActionPreference = "Stop" # Prepare parameters: $ascaRole = $Parameters.Roles["ASCA"].PublicConfiguration $ASCAConfiguration = $ascaRole.PublicInfo.ASCAConfiguration $clusterName = Get-ManagementClusterName $Parameters $originCRLFolder = Get-SharePath $Parameters $ASCAConfiguration.ArtifactsDirectory $clusterName -FromNoneClusterNode $originCRL = "$originCRLFolder\*.crl" $Session = New-PSSession -ComputerName $computerNames -Credential $Credential -Authentication Credssp Invoke-Command -Session $Session -ScriptBlock { if (-not (Test-Path $using:originCRL)) { throw "Unable to access the certificate revocation list: $using:originCRL" } Trace-execution "Calling certutil to publish CRL" certutil -addstore -f Root $using:originCRL } Trace-Execution "Publication of CRL to Root store completed" } Export-ModuleMember -Function AddCertToLocalMachineStore Export-ModuleMember -Function Export-AzSCertificateToShare Export-ModuleMember -Function GenerateSelfSignedCertificate Export-ModuleMember -Function Get-Certs Export-ModuleMember -Function GetSubjectFqdnFromCertificate Export-ModuleMember -Function GetSubjectFqdnFromCertificatePath Export-ModuleMember -Function GetSubjectName Export-ModuleMember -Function GivePermissionToNetworkService Export-ModuleMember -Function Log Export-ModuleMember -Function PrettyTime Export-ModuleMember -Function Publish-CertificateRevocationLists Export-ModuleMember -Function Test-DevCertPresent # SIG # Begin signature block # MIInvwYJKoZIhvcNAQcCoIInsDCCJ6wCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA8+WUYaosYZT2o # XdDSLImsJXHDhOetkWmXzhLDrk1sfKCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGZ8wghmbAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIK/QQQlJnwcCLsYAe2/8aKZN # xwG9DZ3hwAKqdSPZTaywMEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAV1/QDvPzKNd+6tM3SJbbOeKFiXqyRlQjbUPyeD0ZprBgkQ4q7J4OEIBN # +p4GEFIXUNQaaMRYcXGlSaM832WvwuCjof3UrcTABqytBZaLgCzqSVjjsbExTdt0 # I1TDmE/+wRVhELu/vzbikdYXT7PmxVJS56YmtZY2USJwLeEW1N2ryoI1cv+5yzz8 # rpg/ILD1rP2jjQEqe54qqV2eJJ/xfTWAXyZQ+xMPru0/YqClbjZwDlPZGspwX7GN # tpTjOr+SgUQFm1njZOauQBMDaNlzeew9SxlVdsFCqgyRhG6UdB4wxDihTkUQPCvb # W8Mt92US8MW3tcndID0VahwBq7LsM6GCFykwghclBgorBgEEAYI3AwMBMYIXFTCC # FxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFZBgsq # hkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCCpUF7x+vffXL7PXkJDfJdI1q+R0U6/NxkFAOiOgTE9QQIGZr4bKiaA # GBMyMDI0MDgxOTE3Mjg0OS4zNTZaMASAAgH0oIHYpIHVMIHSMQswCQYDVQQGEwJV # UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE # ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQLEyRNaWNyb3NvZnQgSXJl # bGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNO # OkZDNDEtNEJENC1EMjIwMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAHimZmV8dzjIOsAAQAAAeIwDQYJ # KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMjMx # MDEyMTkwNzI1WhcNMjUwMTEwMTkwNzI1WjCB0jELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxhbmQgT3Bl # cmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpGQzQxLTRC # RDQtRDIyMDElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCC # AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALVjtZhV+kFmb8cKQpg2mzis # DlRI978Gb2amGvbAmCd04JVGeTe/QGzM8KbQrMDol7DC7jS03JkcrPsWi9WpVwsI # ckRQ8AkX1idBG9HhyCspAavfuvz55khl7brPQx7H99UJbsE3wMmpmJasPWpgF05z # ZlvpWQDULDcIYyl5lXI4HVZ5N6MSxWO8zwWr4r9xkMmUXs7ICxDJr5a39SSePAJR # IyznaIc0WzZ6MFcTRzLLNyPBE4KrVv1LFd96FNxAzwnetSePg88EmRezr2T3HTFE # lneJXyQYd6YQ7eCIc7yllWoY03CEg9ghorp9qUKcBUfFcS4XElf3GSERnlzJsK7s # /ZGPU4daHT2jWGoYha2QCOmkgjOmBFCqQFFwFmsPrZj4eQszYxq4c4HqPnUu4hT4 # aqpvUZ3qIOXbdyU42pNL93cn0rPTTleOUsOQbgvlRdthFCBepxfb6nbsp3fcZaPB # fTbtXVa8nLQuMCBqyfsebuqnbwj+lHQfqKpivpyd7KCWACoj78XUwYqy1HyYnStT # me4T9vK6u2O/KThfROeJHiSg44ymFj+34IcFEhPogaKvNNsTVm4QbqphCyknrwBy # qorBCLH6bllRtJMJwmu7GRdTQsIx2HMKqphEtpSm1z3ufASdPrgPhsQIRFkHZGui # hL1Jjj4Lu3CbAmha0lOrAgMBAAGjggFJMIIBRTAdBgNVHQ4EFgQURIQOEdq+7Qds # lptJiCRNpXgJ2gUwHwYDVR0jBBgwFoAUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXwYD # VR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9j # cmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUyMDIwMTAoMSkuY3JsMGwG # CCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIw # MjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcD # CDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAORURDGrVRTbnulf # sg2cTsyyh7YXvhVU7NZMkITAQYsFEPVgvSviCylr5ap3ka76Yz0t/6lxuczI6w7t # Xq8n4WxUUgcj5wAhnNorhnD8ljYqbck37fggYK3+wEwLhP1PGC5tvXK0xYomU1nU # +lXOy9ZRnShI/HZdFrw2srgtsbWow9OMuADS5lg7okrXa2daCOGnxuaD1IO+65E7 # qv2O0W0sGj7AWdOjNdpexPrspL2KEcOMeJVmkk/O0ganhFzzHAnWjtNWneU11WQ6 # Bxv8OpN1fY9wzQoiycgvOOJM93od55EGeXxfF8bofLVlUE3zIikoSed+8s61NDP+ # x9RMya2mwK/Ys1xdvDlZTHndIKssfmu3vu/a+BFf2uIoycVTvBQpv/drRJD68eo4 # 01mkCRFkmy/+BmQlRrx2rapqAu5k0Nev+iUdBUKmX/iOaKZ75vuQg7hCiBA5xIm5 # ZIXDSlX47wwFar3/BgTwntMq9ra6QRAeS/o/uYWkmvqvE8Aq38QmKgTiBnWSS/uV # PcaHEyArnyFh5G+qeCGmL44MfEnFEhxc3saPmXhe6MhSgCIGJUZDA7336nQD8fn4 # y6534Lel+LuT5F5bFt0mLwd+H5GxGzObZmm/c3pEWtHv1ug7dS/Dfrcd1sn2E4gk # 4W1L1jdRBbK9xwkMmwY+CHZeMSvBMIIHcTCCBVmgAwIBAgITMwAAABXF52ueAptJ # mQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT # Cldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m # dCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNh # dGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1WhcNMzAwOTMwMTgzMjI1 # WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCCAiIwDQYJKoZIhvcNAQEB # BQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O1YLT/e6cBwfSqWxOdcjK # NVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZnhUYjDLWNE893MsAQGOhg # fWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t1w/YJlN8OWECesSq/XJp # rx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxqD89d9P6OU8/W7IVWTe/d # vI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmPfrVUj9z6BVWYbWg7mka9 # 7aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSWrAFKu75xqRdbZ2De+JKR # Hh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv231fgLrbqn427DZM9itu # qBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zbr17C89XYcz1DTsEzOUyO # ArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYctenIPDC+hIK12NvDMk2ZItb # oKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQcxWv2XFJRXRLbJbqvUAV6 # bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17aj54WcmnGrnu3tz5q4i6t # AgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQW # BBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQUn6cVXQBeYl2D9OXSZacb # UzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEwQTA/BggrBgEFBQcCARYz # aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9Eb2NzL1JlcG9zaXRvcnku # aHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIA # QwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2 # VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwu # bWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEw # LTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93 # d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt # MjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3hLB9nATEkW+Geckv8qW/q # XBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x5MKP+2zRoZQYIu7pZmc6 # U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74py27YP0h1AdkY3m2CDPVt # I1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1AoL8ZthISEV09J+BAljis # 9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbCHcNhcy4sa3tuPywJeBTp # kbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB9s7GdP32THJvEKt1MMU0 # sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNtyo4JvbMBV0lUZNlz138e # W0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3rsjoiV5PndLQTHa1V1QJ # sWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcVv7TOPqUxUYS8vwLBgqJ7 # Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A245oyZ1uEi6vAnQj0llOZ0 # dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lwY1NNje6CbaUFEMFxBmoQ # tB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB1TCB0jELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9zb2Z0IElyZWxh # bmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjpG # QzQxLTRCRDQtRDIyMDElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2Vy # dmljZaIjCgEBMAcGBSsOAwIaAxUAFpuZafp0bnpJdIhfiB1d8pTohm+ggYMwgYCk # fjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQD # Ex1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQUFAAIF # AOpt32gwIhgPMjAyNDA4MTkyMzEyNDBaGA8yMDI0MDgyMDIzMTI0MFowdDA6Bgor # BgEEAYRZCgQBMSwwKjAKAgUA6m3faAIBADAHAgEAAgIUbjAHAgEAAgIR8zAKAgUA # 6m8w6AIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAID # B6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GBAE2CyRyJfmmLUdCYpzL0 # lQomVGb2RfO9pJNhlxHOrrYyfp1jfXS/G4F46jnTv/LH8VVY0AtQGGcb05Z4gxeC # SrjgMOW8HUaH72Zz8xUGR7Eh66D+aQlJfh4fsu14Qrm2ldatcJVipqfOuPKASfC2 # K1zHfGKsuECmY/hFD7e3AtYlMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt # U3RhbXAgUENBIDIwMTACEzMAAAHimZmV8dzjIOsAAQAAAeIwDQYJYIZIAWUDBAIB # BQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQx # IgQgFcivCFT58uWi4oG9NPzoeupiUHPlg/Q5ON6EFv9f9m0wgfoGCyqGSIb3DQEJ # EAIvMYHqMIHnMIHkMIG9BCAriSpKEP0muMbBUETODoL4d5LU6I/bjucIZkOJCI9/ # /zCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAw # DgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x # JjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB4pmZ # lfHc4yDrAAEAAAHiMCIEIFZ14VaS0A8cNCiVy6Ud6jBj0X1yubQykLm4I4ONPROL # MA0GCSqGSIb3DQEBCwUABIICAI+vZ9HTr3j9AUzasK4//o+gBUB+b8+fZBfo8EBu # rrc0oemP8uhbFOFMdRt0M82qldIO8KQ19oRy5akAgmM066ch0JhoC0uG/HqeY/Xa # 94mKvcPaQCPXrpS2K55DlKclWJOM6AzMTYc7jmeXqASuWvT9Ce9HNcN4tK2zsuEv # omHx4NTC4VfptNXD6GF1m+tzs44BTeuwSjT0PvpAV+qpDV7W5sg/Fu1x7nNx8Trq # fyLfjpn+c8lIXnJP/vioznw9QwyDtt4ngjQ1cWF3kmlmkygUnYO2AwSTWhtLXopj # Y9gzMwEMjJYgVtgzl3UoaHbwheqAtwXdf3Lu0HuKzaUiWqhBMuf9QEeDUe1EZ5AC # nF+BCb9YUyf8pL/+Q80DIEOLuXwg6tiopH2zaRea/YgY7PUpR5MVo8UAnHlbw8aD # favZ7g9qcgnmWGzkVBZHABvNV1vTUl0XI/Va4t/lHTiIvShfxl0QVOeTVe8rD5sp # +6ih3i/kGrpf/T1i6ED5WN/cVghx2mKdNqhXeoHJ0XszE+3IwCPfPRlFoSCcb4RU # QWrEX5N+6po9m5Ma84bn7HqgmPSnuI2Yl1mg/MXcPg6V2wMzwIX5D7WoA+66NpD/ # FT+bT9qs1lcE0LldRyc3gh1fTjACKUEYAJJfUawLmukrgQHfo3dnuecg1TYtxZYN # vKZU # SIG # End signature block |