Modules/Providers/ExportAADProvider.psm1
|
function Export-AADProvider { <# .Description Gets the Azure Active Directory (AAD) settings that are relevant to the SCuBA AAD baselines using a subset of the modules under the overall Microsoft Graph PowerShell Module .Functionality Internal #> Import-Module $PSScriptRoot/ProviderHelpers/CommandTracker.psm1 $Tracker = Get-CommandTracker # The below cmdlet covers the following baselines # - 1.1 # - 2.1 # - 3.1 # - 4.2 # - 3.7 $AllPolicies = $Tracker.TryCommand("Get-MgBetaIdentityConditionalAccessPolicy") Import-Module $PSScriptRoot/ProviderHelpers/AADConditionalAccessHelper.psm1 $CapHelper = Get-CapTracker $CapTableData = $CapHelper.ExportCapPolicies($AllPolicies) # pre-processed version of the CAPs used in generating # the CAP html in the report if ($CapTableData -eq "") { # Quick sanity check, did ExportCapPolicies return something? Write-Warning "Error parsing CAP data, empty json returned from ExportCapPolicies." $CapTableData = "[]" } try { # Final sanity check, did ExportCapPolicies return valid json? ConvertFrom-Json $CapTableData -ErrorAction "Stop" | Out-Null } catch { Write-Warning "Error parsing CAP data, invalid json returned from ExportCapPolicies." $CapTableData = "[]" } $AllPolicies = ConvertTo-Json -Depth 10 @($AllPolicies) $SubscribedSku = $Tracker.TryCommand("Get-MgBetaSubscribedSku") # Get a list of the tenant's provisioned service plans - used to see if the tenant has AAD premium p2 license required for some checks # The Rego looks at the service_plans in the JSON $ServicePlans = $SubscribedSku.ServicePlans | Where-Object -Property ProvisioningStatus -eq -Value "Success" #Obtains license information for tenant and total number of active users $LicenseInfo = $SubscribedSku | Select-Object -Property Sku*, ConsumedUnits, PrepaidUnits | ConvertTo-Json -Depth 3 if ($ServicePlans) { # The RequiredServicePlan variable is used so that PIM Cmdlets are only executed if the tenant has the premium license $RequiredServicePlan = $ServicePlans | Where-Object -Property ServicePlanName -eq -Value "AAD_PREMIUM_P2" # Get-PrivilegedUser provides a list of privileged users and their role assignments. Used for 2.11 and 2.12 if ($RequiredServicePlan) { # If the tenant has the premium license then we want to also include PIM Eligible role assignments - otherwise we don't to avoid an API error $PrivilegedUsers = $Tracker.TryCommand("Get-PrivilegedUser", @{"TenantHasPremiumLicense"=$true}) } else{ $PrivilegedUsers = $Tracker.TryCommand("Get-PrivilegedUser") } $PrivilegedUsers = $PrivilegedUsers | ConvertTo-Json # The above Converto-Json call doesn't need to have the input wrapped in an # array (e.g, "ConvertTo-Json (@PrivilegedUsers)") because $PrivilegedUsers is # a dictionary, not an array, and ConvertTo-Json doesn't mess up dictionaries # like it does arrays (just observe the difference in output between # "@{} | ConvertTo-Json" and # "@() | ConvertTo-Json" ) $PrivilegedUsers = if ($null -eq $PrivilegedUsers) {"{}"} else {$PrivilegedUsers} # While ConvertTo-Json won't mess up a dict as described in the above comment, # on error, $TryCommand returns an empty list, not a dictionary. The if/else # above corrects the $null ConvertTo-Json would return in that case to an empty # dictionary # Get-PrivilegedRole provides a list of privileged roles referenced in 2.13 when checking if MFA is required for those roles # Get-PrivilegedRole provides data for 2.14 - 2.16, policies that evaluate conditions related to Azure AD PIM if ($RequiredServicePlan){ # If the tenant has the premium license then we want to also include PIM Eligible role assignments - otherwise we don't to avoid an API error $PrivilegedRoles = $Tracker.TryCommand("Get-PrivilegedRole", @{"TenantHasPremiumLicense"=$true}) } else { $PrivilegedRoles = $Tracker.TryCommand("Get-PrivilegedRole") } $PrivilegedRoles = ConvertTo-Json -Depth 10 @($PrivilegedRoles) # Depth required to get policy rule object details } else { Write-Warning "Omitting calls to Get-PrivilegedRole and Get-PrivilegedUser." $PrivilegedUsers = ConvertTo-Json @() $PrivilegedRoles = ConvertTo-Json @() $Tracker.AddUnSuccessfulCommand("Get-PrivilegedRole") $Tracker.AddUnSuccessfulCommand("Get-PrivilegedUser") } $ServicePlans = ConvertTo-Json -Depth 3 @($ServicePlans) # Checking to ensure command runs successfully $UserCount = $Tracker.TryCommand("Get-MgBetaUserCount", @{"ConsistencyLevel"='eventual'}) if(-Not $UserCount -is [int]) { $UserCount = "NaN" } # 5.1, 5.2, 8.1 & 8.3 $AuthZPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAuthorizationPolicy")) # 5.3, 5.4 $DirectorySettings = ConvertTo-Json -Depth 10 @($Tracker.TryCommand("Get-MgBetaDirectorySetting")) ##### This block of code below supports 3.3, 3.4, 3.5 $AuthenticationMethodPolicyRootObject = $Tracker.TryCommand("Get-MgBetaPolicyAuthenticationMethodPolicy") $AuthenticationMethodFeatureSettings = @($AuthenticationMethodPolicyRootObject.AuthenticationMethodConfigurations | Where-Object { $_.Id}) # Exclude the AuthenticationMethodConfigurations so we do not duplicate it in the JSON $AuthenticationMethodPolicy = $AuthenticationMethodPolicyRootObject | ForEach-Object { $_ | Select-Object * -ExcludeProperty AuthenticationMethodConfigurations } $AuthenticationMethodObjects = @{ authentication_method_policy = $AuthenticationMethodPolicy authentication_method_feature_settings = $AuthenticationMethodFeatureSettings } $AuthenticationMethod = ConvertTo-Json -Depth 10 @($AuthenticationMethodObjects) ##### End block # 6.1 $DomainSettings = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaDomain")) $SuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands()) $UnSuccessfulCommands = ConvertTo-Json @($Tracker.GetUnSuccessfulCommands()) # Note the spacing and the last comma in the json is important $json = @" "conditional_access_policies": $AllPolicies, "cap_table_data": $CapTableData, "authorization_policies": $AuthZPolicies, "privileged_users": $PrivilegedUsers, "privileged_roles": $PrivilegedRoles, "service_plans": $ServicePlans, "directory_settings": $DirectorySettings, "authentication_method": $AuthenticationMethod, "domain_settings": $DomainSettings, "license_information": $LicenseInfo, "total_user_count": $UserCount, "aad_successful_commands": $SuccessfulCommands, "aad_unsuccessful_commands": $UnSuccessfulCommands, "@ $json } #"authentication_method_policy": $AuthenticationMethodPolicy, #"authentication_method_configuration": $AuthenticationMethodConfiguration, #"authentication_method_feature_settings": $AuthenticationMethodFeatureSettings, function Get-AADTenantDetail { <# .Description Gets the tenant details using the Microsoft Graph PowerShell Module .Functionality Internal #> try { $OrgInfo = Get-MgBetaOrganization -ErrorAction "Stop" $InitialDomain = $OrgInfo.VerifiedDomains | Where-Object {$_.isInitial} if (-not $InitialDomain) { $InitialDomain = "AAD: Domain Unretrievable" } $AADTenantInfo = @{ "DisplayName" = $OrgInfo.DisplayName; "DomainName" = $InitialDomain.Name; "TenantId" = $OrgInfo.Id; "AADAdditionalData" = $OrgInfo; } $AADTenantInfo = ConvertTo-Json @($AADTenantInfo) -Depth 4 $AADTenantInfo } catch { Write-Warning "Error retrieving Tenant details using Get-AADTenantDetail $($_)" $AADTenantInfo = @{ "DisplayName" = "Error retrieving Display name"; "DomainName" = "Error retrieving Domain name"; "TenantId" = "Error retrieving Tenant ID"; "AADAdditionalData" = "Error retrieving additional data"; } $AADTenantInfo = ConvertTo-Json @($AADTenantInfo) -Depth 4 $AADTenantInfo } } function Get-PrivilegedUser { <# .Description Gets the array of the highly privileged users .Functionality Internal #> param ( [ValidateNotNullOrEmpty()] [switch] $TenantHasPremiumLicense ) # A hashtable of privileged users $PrivilegedUsers = @{} $PrivilegedRoles = [ScubaConfig]::ScubaDefault('DefaultPrivilegedRoles') # Get a list of the Id values for the privileged roles in the list above. # The Id value is passed to other cmdlets to construct a list of users assigned to privileged roles. $AADRoles = Get-MgBetaDirectoryRole -All -ErrorAction Stop | Where-Object { $_.DisplayName -in $PrivilegedRoles } # Construct a list of privileged users based on the Active role assignments foreach ($Role in $AADRoles) { # Get a list of all the users and groups Actively assigned to this role $UsersAssignedRole = Get-MgBetaDirectoryRoleMember -All -ErrorAction Stop -DirectoryRoleId $Role.Id foreach ($User in $UsersAssignedRole) { $Objecttype = $User.AdditionalProperties."@odata.type" -replace "#microsoft.graph." if ($Objecttype -eq "user") { # If the user's data has not been fetched from graph, go get it if (-Not $PrivilegedUsers.ContainsKey($User.Id)) { $AADUser = Get-MgBetaUser -ErrorAction Stop -UserId $User.Id $PrivilegedUsers[$AADUser.Id] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()} } # If the current role has not already been added to the user's roles array then add the role if ($PrivilegedUsers[$User.Id].roles -notcontains $Role.DisplayName) { $PrivilegedUsers[$User.Id].roles += $Role.DisplayName } } elseif ($Objecttype -eq "group") { # In this context $User.Id is a group identifier $GroupId = $User.Id # Get all of the group members that are Active assigned to the current role $GroupMembers = Get-MgBetaGroupMember -All -ErrorAction Stop -GroupId $GroupId foreach ($GroupMember in $GroupMembers) { $Membertype = $GroupMember.AdditionalProperties."@odata.type" -replace "#microsoft.graph." if ($Membertype -eq "user") { # If the user's data has not been fetched from graph, go get it if (-Not $PrivilegedUsers.ContainsKey($GroupMember.Id)) { $AADUser = Get-MgBetaUser -ErrorAction Stop -UserId $GroupMember.Id $PrivilegedUsers[$AADUser.Id] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()} } # If the current role has not already been added to the user's roles array then add the role if ($PrivilegedUsers[$GroupMember.Id].roles -notcontains $Role.DisplayName) { $PrivilegedUsers[$GroupMember.Id].roles += $Role.DisplayName } } } # If the premium license for PIM is there, process the users that are "member" of the PIM group as Eligible if ($TenantHasPremiumLicense) { # Get the users that are assigned to the PIM group as Eligible members $PIMGroupMembers = Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance -All -ErrorAction Stop -Filter "groupId eq '$GroupId'" foreach ($GroupMember in $PIMGroupMembers) { # If the user is not a member of the PIM group (i.e. they are an owner) then skip them if ($GroupMember.AccessId -ne "member") { continue } $PIMEligibleUserId = $GroupMember.PrincipalId # If the user's data has not been fetched from graph, go get it if (-not $PrivilegedUsers.ContainsKey($PIMEligibleUserId)) { $AADUser = Get-MgBetaUser -ErrorAction Stop -UserId $PIMEligibleUserId $PrivilegedUsers[$PIMEligibleUserId] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()} } # If the current role has not already been added to the user's roles array then add the role if ($PrivilegedUsers[$PIMEligibleUserId].roles -notcontains $Role.DisplayName) { $PrivilegedUsers[$PIMEligibleUserId].roles += $Role.DisplayName } } } } } } # Process the Eligible role assignments if the premium license for PIM is there if ($TenantHasPremiumLicense) { # Get a list of all the users and groups that have Eligible assignments $AllPIMRoleAssignments = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance -All -ErrorAction Stop # Add to the list of privileged users based on Eligible assignments foreach ($Role in $AADRoles) { $PrivRoleId = $Role.RoleTemplateId # Get a list of all the users and groups Eligible assigned to this role $PIMRoleAssignments = $AllPIMRoleAssignments | Where-Object { $_.RoleDefinitionId -eq $PrivRoleId } foreach ($PIMRoleAssignment in $PIMRoleAssignments) { $UserObjectId = $PIMRoleAssignment.PrincipalId try { $UserType = "user" # If the user's data has not been fetched from graph, go get it if (-Not $PrivilegedUsers.ContainsKey($UserObjectId)) { $AADUser = Get-MgBetaUser -ErrorAction Stop -Filter "Id eq '$UserObjectId'" $PrivilegedUsers[$AADUser.Id] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()} } # If the current role has not already been added to the user's roles array then add the role if ($PrivilegedUsers[$UserObjectId].roles -notcontains $Role.DisplayName) { $PrivilegedUsers[$UserObjectId].roles += $Role.DisplayName } } # Catch the specific error which indicates Get-MgBetaUser does not find the user, therefore it is a group catch { if ($_.FullyQualifiedErrorId.Contains("Request_ResourceNotFound")) { $UserType = "group" } else { throw $_ } } # This if statement handles when the object eligible assigned to the current role is a Group if ($UserType -eq "group") { # Process the the users that are directly assigned to the group (not through PIM groups) $GroupMembers = Get-MgBetaGroupMember -All -ErrorAction Stop -GroupId $UserObjectId foreach ($GroupMember in $GroupMembers) { $Membertype = $GroupMember.AdditionalProperties."@odata.type" -replace "#microsoft.graph." if ($Membertype -eq "user") { # If the user's data has not been fetched from graph, go get it if (-Not $PrivilegedUsers.ContainsKey($GroupMember.Id)) { $AADUser = Get-MgBetaUser -ErrorAction Stop -UserId $GroupMember.Id $PrivilegedUsers[$AADUser.Id] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()} } # If the current role has not already been added to the user's roles array then add the role if ($PrivilegedUsers[$GroupMember.Id].roles -notcontains $Role.DisplayName) { $PrivilegedUsers[$GroupMember.Id].roles += $Role.DisplayName } } } # Get the users that are assigned to the PIM group as Eligible members $PIMGroupMembers = Get-MgBetaIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance -All -ErrorAction Stop -Filter "groupId eq '$UserObjectId'" foreach ($GroupMember in $PIMGroupMembers) { # If the user is not a member of the PIM group (i.e. they are an owner) then skip them if ($GroupMember.AccessId -ne "member") { continue } $PIMEligibleUserId = $GroupMember.PrincipalId # If the user's data has not been fetched from graph, go get it if (-not $PrivilegedUsers.ContainsKey($PIMEligibleUserId)) { $AADUser = Get-MgBetaUser -ErrorAction Stop -UserId $PIMEligibleUserId $PrivilegedUsers[$PIMEligibleUserId] = @{"DisplayName"=$AADUser.DisplayName; "OnPremisesImmutableId"=$AADUser.OnPremisesImmutableId; "roles"=@()} } # If the current role has not already been added to the user's roles array then add the role if ($PrivilegedUsers[$PIMEligibleUserId].roles -notcontains $Role.DisplayName) { $PrivilegedUsers[$PIMEligibleUserId].roles += $Role.DisplayName } } } } } } $PrivilegedUsers } function AddRuleSource{ <# .NOTES Internal helper function to add a source to policy rule for reporting purposes. Source should be either PIM Group Name or Role Name #> param( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string] $Source, [Parameter(Mandatory=$false)] [ValidateNotNullOrEmpty()] [string] $SourceType = "Directory Role", [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [array] $Rules ) foreach ($Rule in $Rules){ $Rule | Add-Member -Name "RuleSource" -Value $Source -MemberType NoteProperty $Rule | Add-Member -Name "RuleSourceType" -Value $SourceType -MemberType NoteProperty } } # This cache keeps track of PIM groups that we've already processed class GroupTypeCache{ static [hashtable]$CheckedGroups = @{} } function GetConfigurationsForPimGroups{ param ( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [array] $PrivilegedRoleHashtable, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [array] $AllRoleAssignments ) # Get a list of the groups that are enrolled in PIM - we want to ignore the others $PIMGroups = Get-MgBetaPrivilegedAccessResource -All -ErrorAction Stop -PrivilegedAccessId aadGroups foreach ($RoleAssignment in $AllRoleAssignments){ # Check if the assignment in current loop iteration is assigned to a privileged role $Role = $PrivilegedRoleHashtable | Where-Object RoleTemplateId -EQ $($RoleAssignment.RoleDefinitionId) # If this is a privileged role if ($Role){ # Store the Id of the object assigned to the role (could be user,group,service principal) $PrincipalId = $RoleAssignment.PrincipalId # If the current object is not a PIM group we skip it $FoundPIMGroup = $PIMGroups | Where-Object { $_.Id -eq $PrincipalId } if ($null -eq $FoundPIMGroup) { continue } # If we haven't processed the current group before, add it to the cache and proceed If ($null -eq [GroupTypeCache]::CheckedGroups[$PrincipalId]){ [GroupTypeCache]::CheckedGroups.Add($PrincipalId, $true) } # If we have processed it before, then skip it to avoid unnecessary cycles else { continue } # Get all the configuration rules for the current PIM group - get member not owner configs $PolicyAssignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -All -ErrorAction Stop -Filter "scopeId eq '$PrincipalId' and scopeType eq 'Group' and roleDefinitionId eq 'member'" | Select-Object -Property PolicyId # Add each configuration rule to the hashtable. There are usually about 17 configurations for a group. # Get the detailed configuration settings $MemberPolicyRules = Get-MgBetaPolicyRoleManagementPolicyRule -All -ErrorAction Stop -UnifiedRoleManagementPolicyId $PolicyAssignment.PolicyId # Filter for the PIM group so we can grab its name $PIMGroup = $PIMGroups | Where-Object {$_.Id -eq $PrincipalId} # $SourceGroup = Get-MgBetaGroup -Filter "id eq '$PrincipalId' " | Select-Object -Property DisplayName AddRuleSource -Source $PIMGroup.DisplayName -SourceType "PIM Group" -Rules $MemberPolicyRules $RoleRules = $Role.psobject.Properties | Where-Object {$_.Name -eq 'Rules'} if ($RoleRules){ # Appending rules $Role.Rules += $MemberPolicyRules } else { # Adding rules node if it is not already present $Role | Add-Member -Name "Rules" -Value $MemberPolicyRules -MemberType NoteProperty } } } } function GetConfigurationsForRoles{ param ( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [array] $PrivilegedRoleHashtable, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [array] $AllRoleAssignments ) # Get all the configuration settings (aka rules) for all the roles in the tenant $RolePolicyAssignments = Get-MgBetaPolicyRoleManagementPolicyAssignment -All -ErrorAction Stop -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'" foreach ($Role in $PrivilegedRoleHashtable) { $RolePolicies = @() $RoleTemplateId = $Role.RoleTemplateId # Get a list of the configuration rules assigned to this role $PolicyAssignment = $RolePolicyAssignments | Where-Object -Property RoleDefinitionId -eq -Value $RoleTemplateId # Get the detailed configuration settings $RolePolicies = Get-MgBetaPolicyRoleManagementPolicyRule -All -ErrorAction Stop -UnifiedRoleManagementPolicyId $PolicyAssignment.PolicyId # Get a list of the users / groups assigned to this role $RoleAssignments = @($AllRoleAssignments | Where-Object { $_.RoleDefinitionId -eq $RoleTemplateId }) # Store the data that we retrieved in the Role object which is part of the hashtable that will be returned from this function $Role | Add-Member -Name "Assignments" -Value $RoleAssignments -MemberType NoteProperty $RoleRules = $Role.psobject.Properties | Where-Object {$_.Name -eq 'Rules'} AddRuleSource -Source $Role.DisplayName -SourceType "Directory Role" -Rules $RolePolicies if ($RoleRules){ $Role.Rules += $RolePolicies } else { $Role | Add-Member -Name "Rules" -Value $RolePolicies -MemberType NoteProperty } } } function Get-PrivilegedRole { <# .Description Creates an array of the highly privileged roles along with the users assigned to the role and the security policies (aka rules) applied to it .Functionality Internal #> param ( [ValidateNotNullOrEmpty()] [switch] $TenantHasPremiumLicense ) $PrivilegedRoles = [ScubaConfig]::ScubaDefault('DefaultPrivilegedRoles') # Get a list of the RoleTemplateId values for the privileged roles in the list above. # The RoleTemplateId value is passed to other cmdlets to retrieve role/group security configuration rules and user/group assignments. $PrivilegedRoleHashtable = Get-MgBetaDirectoryRoleTemplate -All -ErrorAction Stop | Where-Object { $_.DisplayName -in $PrivilegedRoles } | Select-Object "DisplayName", @{Name='RoleTemplateId'; Expression={$_.Id}} # If the tenant has the premium license then you can access the PIM service to get the role configuration policies and the active role assigments if ($TenantHasPremiumLicense) { # Clear the cache of already processed PIM groups because this is a static variable [GroupTypeCache]::CheckedGroups.Clear() # Get ALL the roles and users actively assigned to them $AllRoleAssignments = Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance -All -ErrorAction Stop # Each of the helper functions below add configuration settings (aka rules) to the role hashtable. # Get the PIM configurations for the roles GetConfigurationsForRoles -PrivilegedRoleHashtable $PrivilegedRoleHashtable -AllRoleAssignments $AllRoleAssignments # Get the PIM configurations for the groups GetConfigurationsForPimGroups -PrivilegedRoleHashtable $PrivilegedRoleHashtable -AllRoleAssignments $AllRoleAssignments } # Return the hashtable $PrivilegedRoleHashtable } # SIG # Begin signature block # MIIuvwYJKoZIhvcNAQcCoIIusDCCLqwCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDf/ac4dXQlJnFX # 5NdDywBoePYaAdXL/W2sS3WXnpbvRKCCE6MwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggdXMIIFP6ADAgECAhANkQ8dPvvR0q3Ytt4H0T3aMA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjQwMTMwMDAwMDAwWhcNMjUwMTI5MjM1OTU5WjBfMQsw # CQYDVQQGEwJVUzEdMBsGA1UECBMURGlzdHJpY3Qgb2YgQ29sdW1iaWExEzARBgNV # BAcTCldhc2hpbmd0b24xDTALBgNVBAoTBENJU0ExDTALBgNVBAMTBENJU0EwggIi # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCT1y7uJCQax8JfiDEYgpiU9URj # EXCTRqtZbDALM9rPUudiuM3mj6A1SUSAAWYv6DTsvGPvxyMI2Idg0mQunl4Ms9DJ # yVwe5k4+Anj/73Nx1AbOPYP8xRZcD10FkctKGhV0PzvrDcwU15hsQWtiepFgg+bX # fHkGMeu426oc69f43vKE43DiqKTf0/UBX/qgpj3JZvJ3zc1kilBOv4sBCksfCjbW # tLZD0tqAgBsNPo3Oy5mQG31E1eZdTNvrdTnEXacSwb3k615z7mHy7nqBUkOruZ9E # tnvC2qla+uL3ks91O/e/LnKzH9Lj1JmEBf6jwPN/MYR9Dymni4Mi3AQ8mpQMyFmi # XcSHymibSNbtTMavpdBWjFfrcvPETX7krROUOoLzMQmNgHArceSh55tgvDRdSU5c # WK3BTvK3l3mgCdgjre7XGYxV3W8apyxk5+RKfHdbv9cpRwpSuDnI8sHeqmB3fnfo # Cr1PPu4WhKegt20CobhDVybiBdhDVqUdR53ful4N/coQOEHDrIExB5nJf9Pvdrza # DyIGKAMIXD79ba5/rQEo+2cA66oJkPlvB5hEGI/jtDcYwDBgalbwB7Kc8zAAhl6+ # JvHfYpXOkppSfEQbaRXZI+LGXWQAFa5pJDfDEAyZSXprStgw594sWUOysp+UOxFe # kSA4mBr0o1jVpdaulwIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R # hvv+YXsIiGX0TkIwHQYDVR0OBBYEFAmyTB5bcWyA+8+rq540jPRLJ1nYMD4GA1Ud # IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl # cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw # gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp # Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j # cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0 # ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF # BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t # MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl # cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ # BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAh2Jnt9IPoBvOQlYQUlCP9iJ5y # XAvEWe1camOwedqMZsHEPpT2yd6+fMzPZmV3/bYJgaN2OrDS1snf62S7yc+AulVw # PAXSp1lSAiFEbZ6PFEdEBIag9B65Mp/cvRtJsIWQIc//jWqFMHpkU6r3MW9YARRu # vaIf5/0qlM4VEwn3lTf+jJdxhhyoOFTWWd3BrlMPcT06z6F6hFfyycQkZ3Y9wEJ3 # uOU9bCNLZL1HCjlKT+oI0WsgeRdbe2sYrnvv9NmDY9oEi8PEq+DGjiTgLbY5OcAX # uUogPPw6gbcuNn8Hq6FFKPIQxaksB8dF8Gw4m2lQoUWESPRF8Zaq9lmZN3+QzA79 # yskfJtAFqz3gUP5wJBdNfi/u1sGbLI0QnJQkIKfFuz7DfDPldw0gIl05BIYwZBmj # TpFRu1/+gIlP1Ul4L/wt9Lxk6pglObLsdxHP2UQrG30JaUN0gv3xZMBBByHGVVTe # cyU4qwJ0ulMdv/kjHwh+m58uOF8gHXLfyBmOjYpohN3+l0rS0qdArZMNSmLTA7N8 # n3V3AZLKB//1yhPt++gR4pCFdXmgwYDDLRxjlV0cMsG1UeSQUdI0aieh/grg5TQO # CergVXS5h3sz5U0ZQPWND41LJhA0gF2OGZNHdUc9+0dwTsfxAERrjaTdeZp0/rdZ # 9iGBoiRsS4U86S8xkDGCGnIwghpuAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQDZEPHT770dKt # 2LbeB9E92jANBglghkgBZQMEAgEFAKCBhDAYBgorBgEEAYI3AgEMMQowCKACgACh # AoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisGAQQBgjcCAQsxDjAM # BgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCDcJz23ChEH4N0XXDnyH1o+hTDu # TdFKdAKKEnTkBnVSTDANBgkqhkiG9w0BAQEFAASCAgBDfzaybVNyXUR0m529/j6+ # b7CLzlWrpvv++bLnT5GyBkpHmO8j4e+bBANih4M34/vdJAry+BH+YTgx0WpVZ+bz # yWdCKbtmus4Ww17BI5QFl7Hwn5xsN9g1Q+I2y5Y5rE4b+NoC/eJAQ2Do+ZYqaiyJ # rzrmu6/iH1zUwcMC8Zzds5IXcdwP2CCp0MzPZp3G19dNDN1KchLPLLanjYcyqtth # xSRydHIH/b8KiEi9gowASMOtcXyVpx754WOFF6SZIW/+ubcwJCFlYKg+P1WqxZob # h3dkAGDa5XFZ3yBG0llRMMuMfmuJNGlRWxqRHx9pSDSgg3Gs7T7SusMiNOlZi+Ai # nDTZmCq4aXpGm2zbvlfGyZ252ijcqurMYzyIVnaJ3RKXuRpvA7p3hpgtmoql/ivw # o96mey992VOHdOERRlwXBlaA5ij1HLBh3MBR5TnDWlGe79vgpxTz0JRhrnsoEpcM # 5yo3/t/sGI8/+66KmzBG8zcMFsUpUQHpxemBefWsM8zzK5m0n/H0+q82tEnfM642 # bb/NCSUCi0Qbts9g2AUSxVA7yFNBQ4VR8rreUQ09qDXtLmaBQVaKB6X7ue298BL0 # 2xjPTm4ZUiNSRGX1EzJN8V40jsmM8zk4OodeR5eOITq0NQr+TKu1eS9LLVHT1Xo4 # 51MQR3gpyMJ8C9mofslvTqGCFz8wghc7BgorBgEEAYI3AwMBMYIXKzCCFycGCSqG # SIb3DQEHAqCCFxgwghcUAgEDMQ8wDQYJYIZIAWUDBAIBBQAwdwYLKoZIhvcNAQkQ # AQSgaARmMGQCAQEGCWCGSAGG/WwHATAxMA0GCWCGSAFlAwQCAQUABCCR3da4jKPZ # 0HvEF+SXT+xGNDJXyMNMzgXbRIEd48BWYgIQOuGQWK88x7AO1fIbR72LXBgPMjAy # NDA2MTIxMzE0NDJaoIITCTCCBsIwggSqoAMCAQICEAVEr/OUnQg5pr/bP1/lYRYw # DQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0 # LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hB # MjU2IFRpbWVTdGFtcGluZyBDQTAeFw0yMzA3MTQwMDAwMDBaFw0zNDEwMTMyMzU5 # NTlaMEgxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjEgMB4G # A1UEAxMXRGlnaUNlcnQgVGltZXN0YW1wIDIwMjMwggIiMA0GCSqGSIb3DQEBAQUA # A4ICDwAwggIKAoICAQCjU0WHHYOOW6w+VLMj4M+f1+XS512hDgncL0ijl3o7Kpxn # 3GIVWMGpkxGnzaqyat0QKYoeYmNp01icNXG/OpfrlFCPHCDqx5o7L5Zm42nnaf5b # w9YrIBzBl5S0pVCB8s/LB6YwaMqDQtr8fwkklKSCGtpqutg7yl3eGRiF+0XqDWFs # nf5xXsQGmjzwxS55DxtmUuPI1j5f2kPThPXQx/ZILV5FdZZ1/t0QoRuDwbjmUpW1 # R9d4KTlr4HhZl+NEK0rVlc7vCBfqgmRN/yPjyobutKQhZHDr1eWg2mOzLukF7qr2 # JPUdvJscsrdf3/Dudn0xmWVHVZ1KJC+sK5e+n+T9e3M+Mu5SNPvUu+vUoCw0m+Pe # bmQZBzcBkQ8ctVHNqkxmg4hoYru8QRt4GW3k2Q/gWEH72LEs4VGvtK0VBhTqYggT # 02kefGRNnQ/fztFejKqrUBXJs8q818Q7aESjpTtC/XN97t0K/3k0EH6mXApYTAA+ # hWl1x4Nk1nXNjxJ2VqUk+tfEayG66B80mC866msBsPf7Kobse1I4qZgJoXGybHGv # PrhvltXhEBP+YUcKjP7wtsfVx95sJPC/QoLKoHE9nJKTBLRpcCcNT7e1NtHJXwik # cKPsCvERLmTgyyIryvEoEyFJUX4GZtM7vvrrkTjYUQfKlLfiUKHzOtOKg8tAewID # AQABo4IBizCCAYcwDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwFgYDVR0l # AQH/BAwwCgYIKwYBBQUHAwgwIAYDVR0gBBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9 # bAcBMB8GA1UdIwQYMBaAFLoW2W1NhS9zKXaaL3WMaiCPnshvMB0GA1UdDgQWBBSl # tu8T5+/N0GSh1VapZTGj3tXjSTBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3Js # My5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2VGlt # ZVN0YW1waW5nQ0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFgGCCsGAQUFBzAChkxodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2 # VGltZVN0YW1waW5nQ0EuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCBGtbeoKm1mBe8 # cI1PijxonNgl/8ss5M3qXSKS7IwiAqm4z4Co2efjxe0mgopxLxjdTrbebNfhYJwr # 7e09SI64a7p8Xb3CYTdoSXej65CqEtcnhfOOHpLawkA4n13IoC4leCWdKgV6hCmY # tld5j9smViuw86e9NwzYmHZPVrlSwradOKmB521BXIxp0bkrxMZ7z5z6eOKTGnai # aXXTUOREEr4gDZ6pRND45Ul3CFohxbTPmJUaVLq5vMFpGbrPFvKDNzRusEEm3d5a # l08zjdSNd311RaGlWCZqA0Xe2VC1UIyvVr1MxeFGxSjTredDAHDezJieGYkD6tSR # N+9NUvPJYCHEVkft2hFLjDLDiOZY4rbbPvlfsELWj+MXkdGqwFXjhr+sJyxB0Joz # Sqg21Llyln6XeThIX8rC3D0y33XWNmdaifj2p8flTzU8AL2+nCpseQHc2kTmOt44 # OwdeOVj0fHMxVaCAEcsUDH6uvP6k63llqmjWIso765qCNVcoFstp8jKastLYOrix # RoZruhf9xHdsFWyuq69zOuhJRrfVf8y2OMDY7Bz1tqG4QyzfTkx9HmhwwHcK1ALg # XGC7KP845VJa1qwXIiNO9OzTF/tQa/8Hdx9xl0RBybhG02wyfFgvZ0dl5Rtztpn5 # aywGRu9BHvDwX+Db2a2QgESvgBBBijCCBq4wggSWoAMCAQICEAc2N7ckVHzYR6z9 # KGYqXlswDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERp # Z2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMY # RGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MB4XDTIyMDMyMzAwMDAwMFoXDTM3MDMy # MjIzNTk1OVowYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMu # MTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hBMjU2IFRp # bWVTdGFtcGluZyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMaG # NQZJs8E9cklRVcclA8TykTepl1Gh1tKD0Z5Mom2gsMyD+Vr2EaFEFUJfpIjzaPp9 # 85yJC3+dH54PMx9QEwsmc5Zt+FeoAn39Q7SE2hHxc7Gz7iuAhIoiGN/r2j3EF3+r # GSs+QtxnjupRPfDWVtTnKC3r07G1decfBmWNlCnT2exp39mQh0YAe9tEQYncfGpX # evA3eZ9drMvohGS0UvJ2R/dhgxndX7RUCyFobjchu0CsX7LeSn3O9TkSZ+8OpWNs # 5KbFHc02DVzV5huowWR0QKfAcsW6Th+xtVhNef7Xj3OTrCw54qVI1vCwMROpVymW # Jy71h6aPTnYVVSZwmCZ/oBpHIEPjQ2OAe3VuJyWQmDo4EbP29p7mO1vsgd4iFNmC # KseSv6De4z6ic/rnH1pslPJSlRErWHRAKKtzQ87fSqEcazjFKfPKqpZzQmiftkaz # nTqj1QPgv/CiPMpC3BhIfxQ0z9JMq++bPf4OuGQq+nUoJEHtQr8FnGZJUlD0UfM2 # SU2LINIsVzV5K6jzRWC8I41Y99xh3pP+OcD5sjClTNfpmEpYPtMDiP6zj9NeS3YS # UZPJjAw7W4oiqMEmCPkUEBIDfV8ju2TjY+Cm4T72wnSyPx4JduyrXUZ14mCjWAkB # KAAOhFTuzuldyF4wEr1GnrXTdrnSDmuZDNIztM2xAgMBAAGjggFdMIIBWTASBgNV # HRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS6FtltTYUvcyl2mi91jGogj57IbzAf # BgNVHSMEGDAWgBTs1+OC0nFdZEzfLmc/57qYrhwPTzAOBgNVHQ8BAf8EBAMCAYYw # EwYDVR0lBAwwCgYIKwYBBQUHAwgwdwYIKwYBBQUHAQEEazBpMCQGCCsGAQUFBzAB # hhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQQYIKwYBBQUHMAKGNWh0dHA6Ly9j # YWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRSb290RzQuY3J0MEMG # A1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy # dFRydXN0ZWRSb290RzQuY3JsMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG # /WwHATANBgkqhkiG9w0BAQsFAAOCAgEAfVmOwJO2b5ipRCIBfmbW2CFC4bAYLhBN # E88wU86/GPvHUF3iSyn7cIoNqilp/GnBzx0H6T5gyNgL5Vxb122H+oQgJTQxZ822 # EpZvxFBMYh0MCIKoFr2pVs8Vc40BIiXOlWk/R3f7cnQU1/+rT4osequFzUNf7WC2 # qk+RZp4snuCKrOX9jLxkJodskr2dfNBwCnzvqLx1T7pa96kQsl3p/yhUifDVinF2 # ZdrM8HKjI/rAJ4JErpknG6skHibBt94q6/aesXmZgaNWhqsKRcnfxI2g55j7+6ad # cq/Ex8HBanHZxhOACcS2n82HhyS7T6NJuXdmkfFynOlLAlKnN36TU6w7HQhJD5TN # OXrd/yVjmScsPT9rp/Fmw0HNT7ZAmyEhQNC3EyTN3B14OuSereU0cZLXJmvkOHOr # pgFPvT87eK1MrfvElXvtCl8zOYdBeHo46Zzh3SP9HSjTx/no8Zhf+yvYfvJGnXUs # HicsJttvFXseGYs2uJPU5vIXmVnKcPA3v5gA3yAWTyf7YGcWoWa63VXAOimGsJig # K+2VQbc61RWYMbRiCQ8KvYHZE/6/pNHzV9m8BPqC3jLfBInwAM1dwvnQI38AC+R2 # AibZ8GV2QqYphwlHK+Z/GqSFD/yYlvZVVCsfgPrA8g4r5db7qS9EFUrnEw4d2zc4 # GqEr9u3WfPwwggWNMIIEdaADAgECAhAOmxiO+dAt5+/bUOIIQBhaMA0GCSqGSIb3 # DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAX # BgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3Vy # ZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEwMDAwMDBaFw0zMTExMDkyMzU5NTlaMGIx # CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 # dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBH # NDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/mkHNo3rvkXUo8MCIw # aTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLK # EdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4Tm # dDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembu # d8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL2pNe3I6PgNq2kZhAkHnD # eMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfbBHMqbpEBfCFM1LyuGwN1 # XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxGj2T3wWmIdph2PVld # QnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZK37AlLTS # YW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSm # M9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzT # QRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6Kx # fgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIBNjAPBgNVHRMBAf8EBTADAQH/ # MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwPTzAfBgNVHSMEGDAWgBRF66Kv # 9JLLgjEtUYunpyGd823IDzAOBgNVHQ8BAf8EBAMCAYYweQYIKwYBBQUHAQEEbTBr # MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH # MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ # RFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL2NybDMuZGlnaWNl # cnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNybDARBgNVHSAECjAIMAYG # BFUdIAAwDQYJKoZIhvcNAQEMBQADggEBAHCgv0NcVec4X6CjdBs9thbX979XB72a # rKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnovLbc47/T/gLn4offyct4kvFID # yE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65ZyoUi0mcudT6cGAxN3J0TU53/o # Wajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFWjuyk1T3osdz9HNj0d1pcVIxv # 76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPFmCLBsln1VWvPJ6tsds5vIy30 # fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9ztwGpn1eqXijiuZQxggN2MIID # cgIBATB3MGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7 # MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1l # U3RhbXBpbmcgQ0ECEAVEr/OUnQg5pr/bP1/lYRYwDQYJYIZIAWUDBAIBBQCggdEw # GgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDA2 # MTIxMzE0NDJaMCsGCyqGSIb3DQEJEAIMMRwwGjAYMBYEFGbwKzLCwskPgl3OqorJ # xk8ZnM9AMC8GCSqGSIb3DQEJBDEiBCDxcnE5IIjd80DuOo8Fqa5+TH9bo3XIat3/ # 5Wf+X1g3ozA3BgsqhkiG9w0BCRACLzEoMCYwJDAiBCDS9uRt7XQizNHUQFdoQTZv # goraVZquMxavTRqa1Ax4KDANBgkqhkiG9w0BAQEFAASCAgBfjGaqSMDoKtiHVQmj # zbxfz9m0noc6oEx4u9W8TWb/RTX9aEKRY8c69bfTMJ8m3BDctT7ox57yKjuo6jdp # s1L4oML1eEZDZrU1P+WeXmALAHyp8rC0U/C0VJMTOEeGh9xo3waERdrugXKaH9rW # avWq3lWjmnLBgt4jsbtFk7zPGrRmNVNGeCso6g7LE/THcx8xFjiXf43QD7n4cgJL # CBbjcUoNWSz92lHAC1EXMLx8+LqF8o6imJoYrC6wPm+mBOWkjm8w4xQugR8JgtWL # NZ8Fe8H1D9gkTxglOkRk8CL43qm5ztaiFdBlW1lbUMMedeLIvjjMGrGZSm5t2PAB # YNDogejuiX6dhaNwXiFZZv/4lf4sZIqwTCx8LN9nZJlRnaWidusvgIpE5GWR2vcW # ofRNdNXNY1m3LVbiQz7tJ3REPNVK8M4p+Zeq+plhC1D3P753AcLYf+r4v7gRk3iW # X++GQ59g0WNOyW9nMvM9ZSYn77WhQ2aocwwx0RnCMON+XWi/i9O5AbpO5nCX4YXn # w2ymFwH1d174uw7i9GsKKKusZbQ7qSme3snpjHShpUOMeGS6yO1hreArUbMwawjI # jydO67FwejSZqqtYggzyRvUagu9qXcfUhf6m0bxs/urbhuVuVbNS7k9XomjU+lZB # yMOIZkZcPF1cSaO3B8fURNj+ig== # SIG # End signature block |