SignPath.psm1
#Requires -Version 3.0 # Also requires .NET Version 4.7.2 or above $ServiceUnavailableRetryTimeoutInSeconds = 30 $WaitForCompletionRetryTimeoutInSeconds = 5 $DefaultHttpClientTimeoutInSeconds = 100 <# .SYNOPSIS Submits a new signing request or resubmits an existing one via the SignPath REST API. .DESCRIPTION The Submit-SigningRequest cmdlet creates a new signing request. The signing request will be processed by SignPath according to authorization and policy rules. CREATING A NEW SIGNING REQUEST VS. RE-SIGNING When using the -InputArtifact parameter, the specified file will be uploaded for processing. When using the -Resubmit parameter, the specified signing request will be processed again using the specified signing policy. This is especially useful for conditional signing of release candidates. See Resubmit an existing signing request for more information. DOWNLOADING THE SIGNED ARTIFACT Processing a signing request may take several minutes, or even longer if manual approval is required. You can either * your own logic to wait for processing to complete and download the signed artifact using the Get-SignedArtifact cmdlet afterwards, * or use the -WaitForCompletion parameter of this cmdlet to wait for processing and then download the signed artifact in a single call. .EXAMPLE Submit-SigningRequest ` -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN ` -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY ` -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION ` -InputArtifactPath $PATH_TO_INPUT_ARTIFACT ` -WaitForCompletion ` -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT .EXAMPLE Submit-SigningRequest ` -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN ` -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY ` -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION ` -ArtifactRetrievalLink $URL_TO_INPUT_ARTIFACT ` -ArtifactRetrievalLinkFileName $FILE_NAME_OF_INPUT_ARTIFACT ` -ArtifactRetrievalLinkSha256Hash $SHA256_HASH_OF_INPUT_ARTIFACT_IN_HEX_STRING_FORMAT ` -ArtifactRetrievalLinkHttpHeaders @{ "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_KEY1" = "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_VALUE1" "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_KEY2" = "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_VALUE2" } ` -WaitForCompletion ` -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT .EXAMPLE $signingRequestID = Submit-SigningRequest ` -OrganizationId $ORGANIZATION_ID `-ApiToken $API_TOKEN ` -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY ` -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION ` -InputArtifactPath $PATH_TO_INPUT_ARTIFACT Submit a signing request and get a signing request ID withoput waiting for completion and download the signed artifact later PS > Get-SignedArtifact ` -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN ` -SigningRequestId $signingRequestID ` -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT .EXAMPLE Submit-SigningRequestResubmit ` -ApiToken $API_TOKEN -OrganizationId $ORGANIZATION_ID ` -OriginalSigningRequestId $ORIGINAL_SIGNING_REQUEST_ID ` -SigningPolicySlug $SIGNING_POLICY ` -WaitForCompletion ` -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT .OUTPUTS Returns the SigningRequestId which can be used with Get-SignedArtifact. .NOTES Author: SignPath GmbH .LINK https://about.signpath.io/documentation/powershell/Submit-SigningRequest #> function Submit-SigningRequest { [CmdletBinding(DefaultParameterSetName = 'Submit')] Param( # URL to the SignPath REST API, e.g. 'https://app.signpath.io/api/'. [Parameter()] [ValidateNotNullOrEmpty()] [string] $ApiUrl = "https://app.signpath.io/api/", # API token you receive when adding a new CI user or generating an API token for an interactive user. [Parameter(Mandatory)] [Alias("CIUserToken")] [ValidateNotNullOrEmpty()] [string] $ApiToken, # ID of your SignPath organization. [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $OrganizationId, # ID of one of the project's artifact configurations. [Parameter(ParameterSetName = 'SubmitWithArtifact')] [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [string] $ArtifactConfigurationId, # ID of a project's signing policy. [Parameter()] [string] $SigningPolicyId, # Slug of the project. [Parameter(ParameterSetName = 'SubmitWithArtifact')] [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Alias("ProjectKey")] [string] $ProjectSlug, # Slug of one of the project's artifact configurations. # If not given, the default artifact configuration will be used instead. [Parameter(ParameterSetName = 'SubmitWithArtifact')] [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Alias("ArtifactConfigurationKey")] [string] $ArtifactConfigurationSlug, # Slug of one of the project's signing policies. [Parameter()] [Alias("SigningPolicyKey")] [string] $SigningPolicySlug, # Path of the artifact that you want to be signed. [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifact')] [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [ValidateNotNullOrEmpty()] [string] $InputArtifactPath, # URL where the artifact that you want to be signed will be downloaded from. [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [ValidateNotNullOrEmpty()] [string] $ArtifactRetrievalLink, # File name of the artifact to be signed. [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [ValidateNotNullOrEmpty()] [string] $ArtifactRetrievalLinkFileName, # Optional file hash (in hex string format) of the artifact to sign (used to verify the artifact download). [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [ValidateNotNullOrEmpty()] [string] $ArtifactRetrievalLinkSha256Hash, # Optional HTTP headers that will be used when downloading the artifact to sign. [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [ValidateNotNullOrEmpty()] [Hashtable] $ArtifactRetrievalLinkHttpHeaders, # Optional description of the signing request. [Parameter()] [string] $Description, # Information about the origin of the artifact, see https://about.signpath.io/documentation/powershell#submit-signingrequest [Parameter(ParameterSetName = 'SubmitWithArtifact')] [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Hashtable] $Origin, # Values for parameters defined in the artifact configuration. See https://about.signpath.io/documentation/artifact-configuration#user-defined-parameters [Parameter(ParameterSetName = 'SubmitWithArtifact')] [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Hashtable] $Parameters, # Client certificate used for a secure Web API request. Not supported by SignPath.io directly, use for proxies. [Parameter()] [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate, # Total time in seconds that the cmdlet will wait for a single service call to succeed (across several retries). Defaults to 600 seconds. [Parameter()] [int] $ServiceUnavailableTimeoutInSeconds = 600, # HTTP timeout used for upload and download HTTP requests. Defaults to 300 seconds. [Parameter()] [int] $UploadAndDownloadRequestTimeoutInSeconds = 300, # Re-sign an existing signing request. SigningPolicySlug or SigningPolicyId reference the original project's signing policy. [Parameter(Mandatory, ParameterSetName = 'Resubmit')] [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')] [switch] $Resubmit, # ID of the signing request that should be resubmitted. [Parameter(Mandatory, ParameterSetName = 'Resubmit')] [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')] [ValidateNotNullOrEmpty()] [string] $OriginalSigningRequestId, # Wait for the signing request to complete. [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')] [switch] $WaitForCompletion, # Specifies the target path for the downloaded signed artifact. Defaults to InputArtifactPath with an added .signed extension (e.g. "Input.dll" => "Input.signed.dll"). [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')] [ValidateNotNullOrEmpty()] [string] $OutputArtifactPath, # Maximum time in seconds that the cmdlet will wait for the signing request to complete (upload and download have no specific timeouts). Defaults to 600 seconds. [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Parameter(ParameterSetName = 'Resubmit_WaitForCompletion')] [int] $WaitForCompletionTimeoutInSeconds = 600, # Allows the cmdlet to overwrite the file at OutputArtifactPath. [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')] [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')] [Parameter(ParameterSetName = 'Resubmit_WaitForCompletion')] [switch] $Force, # Timeout in seconds before the signing request gets canceled (from submission; specify 0 for no timeout). If -WaitForCompletion is specified, defaults to -WaitForCompletionTimeoutInSeconds value; otherwise: none. [int] $CancellationTimeoutInSeconds = -1 ) Set-StrictMode -Version 2.0 $ApiUrl = GetVersionedApiUrl $ApiUrl Write-Verbose "Using versioned API URL: $ApiUrl" if ($CancellationTimeoutInSeconds -eq -1) { $CancellationTimeoutInSeconds = $null; if ($WaitForCompletion.IsPresent) { $CancellationTimeoutInSeconds = $WaitForCompletionTimeoutInSeconds # Increase wait timeout to prevent a race condition $WaitForCompletionTimeoutInSeconds = $WaitForCompletionTimeoutInSeconds + 30; } } if($Resubmit.IsPresent) { $resubmitUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests", "Resubmit")) $requestFactory = CreateResubmitRequestFactory ` -url $resubmitUrl ` -originalSigningRequestId $OriginalSigningRequestId ` -signingPolicySlug $SigningPolicySlug ` -description $Description ` -cancellationTimeoutInSeconds $CancellationTimeoutInSeconds return SubmitHelper "Resubmit" "Resubmitted" $requestFactory ` -apiToken $ApiToken ` -clientCertificate $ClientCertificate ` -defaultHttpClientTimeoutInSeconds $DefaultHttpClientTimeoutInSeconds ` -uploadAndDownloadRequestTimeoutInSeconds $UploadAndDownloadRequestTimeoutInSeconds ` -waitForCompletionTimeoutInSeconds $WaitForCompletionTimeoutInSeconds ` -waitForCompletion $WaitForCompletion.IsPresent ` -outputArtifactPath $OutputArtifactPath ` -force $Force.IsPresent } else { if ($InputArtifactPath) { if (-not $OutputArtifactPath) { $extension = [System.IO.Path]::GetExtension($InputArtifactPath) $OutputArtifactPath = [System.IO.Path]::ChangeExtension($InputArtifactPath, "signed$extension") } $InputArtifactPath = PrepareInputArtifactPath $InputArtifactPath Write-Verbose "Using input artifact: $InputArtifactPath" $hash = (Get-FileHash -Path $InputArtifactPath -Algorithm "SHA256").Hash Write-Host "SHA256 hash: $hash" $submitUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests")) $requestFactory = CreateSubmitWithArtifactRequestFactory ` -Url $submitUrl ` -ArtifactConfigurationId $ArtifactConfigurationId ` -SigningPolicyId $SigningPolicyId ` -ProjectSlug $ProjectSlug ` -ArtifactConfigurationSlug $ArtifactConfigurationSlug ` -SigningPolicySlug $SigningPolicySlug ` -Description $Description ` -InputArtifactPath $InputArtifactPath ` -Origin $Origin ` -Parameters $Parameters ` -cancellationTimeoutInSeconds $CancellationTimeoutInSeconds } else { $submitUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests", "SubmitWithArtifactRetrievalLink")) $requestFactory = CreateSubmitWithArtifactRetrievalLinkRequestFactory ` -Url $submitUrl ` -ArtifactConfigurationId $ArtifactConfigurationId ` -SigningPolicyId $SigningPolicyId ` -ProjectSlug $ProjectSlug ` -ArtifactConfigurationSlug $ArtifactConfigurationSlug ` -SigningPolicySlug $SigningPolicySlug ` -Description $Description ` -ArtifactRetrievalLink $ArtifactRetrievalLink ` -ArtifactRetrievalLinkFileName $ArtifactRetrievalLinkFileName ` -ArtifactRetrievalLinkSha256Hash $ArtifactRetrievalLinkSha256Hash ` -ArtifactRetrievalLinkHttpHeaders $ArtifactRetrievalLinkHttpHeaders ` -Origin $Origin ` -Parameters $Parameters ` -cancellationTimeoutInSeconds $CancellationTimeoutInSeconds } return SubmitHelper "Submit" "Submitted" $requestFactory ` -apiToken $ApiToken ` -clientCertificate $ClientCertificate ` -defaultHttpClientTimeoutInSeconds $DefaultHttpClientTimeoutInSeconds ` -uploadAndDownloadRequestTimeoutInSeconds $UploadAndDownloadRequestTimeoutInSeconds ` -waitForCompletionTimeoutInSeconds $WaitForCompletionTimeoutInSeconds ` -waitForCompletion $WaitForCompletion.IsPresent ` -outputArtifactPath $OutputArtifactPath ` -force $Force.IsPresent } } <# .SYNOPSIS Downloads a signed artifact based on a signing request ID. .DESCRIPTION The Get-SignedArtifact cmdlet waits for a given signing request to finish and downloads the resultiung artifact. If the request couldn't be downloaded in time, because the processing took to long or the request is invalid, this cmdlet will throw exceptions. .EXAMPLE Get-SignedArtifact ` -OutputArtifactPath Program.exe ` -ApiToken /Joe3s2m7hkhVyoba4H4weqj9UxIk6nKRXGhGbH7nv4= ` -OrganizationId 1c0ab26c-12f3-4c6e-a043-2568e133d2de ` -SigningRequestId 711960ed-bdb8-41cd-a6bf-a10d0ae3cfcd .EXAMPLE $signingRequestID = Submit-SigningRequest ` -OrganizationId $ORGANIZATION_ID `-ApiToken $API_TOKEN ` -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY ` -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION ` -InputArtifactPath $PATH_TO_INPUT_ARTIFACT PS > Get-SignedArtifact ` -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN ` -SigningRequestId $signingRequestID ` -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT .OUTPUTS Returns void but creates a file in the given OutputArtifactPath on success. .NOTES Author: SignPath GmbH .LINK https://about.signpath.io/documentation/powershell/Get-SignedArtifact #> function Get-SignedArtifact { [CmdletBinding()] Param( # URL to the SignPath REST API, e.g. https://app.signpath.io/api/. [Parameter()] [ValidateNotNullOrEmpty()] [string] $ApiUrl = "https://app.signpath.io/api/", # API token you receive when adding a new CI user or generating an API token for an interactive user. [Parameter(Mandatory)] [Alias("CIUserToken")] [ValidateNotNullOrEmpty()] [string] $ApiToken, # ID of your SignPath organization. [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $OrganizationId, # ID of the siging request. [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $SigningRequestId, # Specifies the target path for the downloaded signed artifact. [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $OutputArtifactPath, # Client certificate used for a secure Web API request. Not supported by SignPath.io directly, use for proxies. [Parameter()] [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate, # Total time in seconds that the cmdlet will wait for a single service call to succeed (across several retries). Defaults to 600 seconds. [Parameter()] [int] $ServiceUnavailableTimeoutInSeconds = 600, # HTTP timeout used for upload and download HTTP requests. Defaults to 300 seconds. [Parameter()] [int] $UploadAndDownloadRequestTimeoutInSeconds = 300, # Maximum time in seconds that the cmdlet will wait for the signing request to complete (upload and download have no specific timeouts). Defaults to 600 seconds. [Parameter()] [int] $WaitForCompletionTimeoutInSeconds = 600, # Allows the cmdlet to overwrite the file at OutputArtifactPath. [Parameter()] [switch] $Force ) Set-StrictMode -Version 2.0 $ApiUrl = GetVersionedApiUrl $ApiUrl Write-Verbose "Using versioned API URL: $ApiUrl" $OutputArtifactPath = PrepareOutputArtifactPath $Force $OutputArtifactPath Write-Verbose "Will write signed artifact to: $OutputArtifactPath" CreateAndUseAuthorizedHttpClient $ApiToken -ClientCertificate $ClientCertificate -Timeout $DefaultHttpClientTimeoutInSeconds { Param ([System.Net.Http.HttpClient] $defaultHttpClient) CreateAndUseAuthorizedHttpClient $ApiToken -Timeout $UploadAndDownloadRequestTimeoutInSeconds { Param ([System.Net.Http.HttpClient] $uploadAndDownloadHttpClient) $expectedSigningRequestUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests", $SigningRequestId)) $downloadUrl = WaitForCompletionAndRetrieveSignedArtifactDownloadLink ` -httpClient $defaultHttpClient ` -url $expectedSigningRequestUrl ` -WaitForCompletionTimeoutInSeconds $WaitForCompletionTimeoutInSeconds ` -WaitForCompletionRetryTimeoutInSeconds $WaitForCompletionRetryTimeoutInSeconds ` -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds DownloadArtifact ` -HttpClient $uploadAndDownloadHttpClient ` -Url $downloadUrl ` -Path $OutputArtifactPath ` -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds } } } <# .SYNOPSIS Gets a certificate from the specified certificate store by its Microsoft AD CS template ID. .DESCRIPTION Use this cmdlet to get an X.509 certificate object enrolled using Active Directory Certificate Services (AD CS) from its template ID. This can be used to authenticate group memberships via mTLS client certificates: * Create a client certificate template in AD CS and assign it to a user or computer group * Use this cmdlet to select the correct certificate for mTLS authentication * Provide the certificate to SignPath cmdlets using the -ClientCertificate parameter .EXAMPLE $certificate = Get-CertificateByMicrosoftTemplateId -Store CurrentUser -TemplateId 1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8 .OUTPUTS Returns a X509Certificate2 instance on success. .NOTES Author: SignPath GmbH .LINK https://about.signpath.io/documentation/powershell/Get-CertificateByMicrosoftTemplateId #> function Get-CertificateByMicrosoftTemplateId { [CmdletBinding()] Param( # The store that will be searched for the certificate. [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [System.Security.Cryptography.X509Certificates.StoreLocation] $Store, # The Microsoft AD CS template ID in OID format (a dotted number sequence, e.g. 1.2.3.4). [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $TemplateId ) $storeLocationPath = "cert:\${Store}\My" # Actual template data contains a ASN.1 data structure, but we don't have access to ASN.1 reader classes in PowerShell classic therefore # we just look for the byte sequence of the template ID (but in a string to make use of IndexOf) $templateIdBytes = [System.Security.Cryptography.CryptoConfig]::EncodeOID($TemplateId) $templateIdString = [BitConverter]::ToString($templateIdBytes) $matchingCertificates = @( Get-ChildItem $storeLocationPath ` | ?{ # = MS CertificateTemplate, see https://oidref.com/1.3.6.1.4.1.311.21.7 $extension = $_.Extensions["1.3.6.1.4.1.311.21.7"] if ($extension -and $extension.RawData) { $extensionBytesString = [BitConverter]::ToString($extension.RawData) return $extensionBytesString.IndexOf($templateIdString) -ge 0 } return $false } ) if ($matchingCertificates.Count -eq 0) { throw "Cannot find any certificate in '$Store' that matches the template ID '$TemplateId'." } elseif ($matchingCertificates.Count -gt 1) { throw "Found multiple certificates in '$Store' that match the template ID '$TemplateId'." } else { return $matchingCertificates[0] } } function GetVersionedApiUrl ([string] $apiUrl) { $supportedApiVersion = "v1" return [string]::Join("/", @($apiUrl.Trim("/"), $supportedApiVersion)) } function SubmitHelper ([string] $verb, [string] $verbPastTense, [ScriptBlock] $requestFactory, [string] $apiToken, [System.Security.Cryptography.X509Certificates.X509Certificate2] $clientCertificate, [int] $defaultHttpClientTimeoutInSeconds, [int] $uploadAndDownloadRequestTimeoutInSeconds, [int] $waitForCompletionTimeoutInSeconds, [bool] $waitForCompletion, [string] $outputArtifactPath, [bool] $force) { CreateAndUseAuthorizedHttpClient $apiToken -ClientCertificate $clientCertificate -Timeout $defaultHttpClientTimeoutInSeconds { Param ([System.Net.Http.HttpClient] $defaultHttpClient) CreateAndUseAuthorizedHttpClient $apiToken -ClientCertificate $clientCertificate -Timeout $uploadAndDownloadRequestTimeoutInSeconds { Param ([System.Net.Http.HttpClient] $uploadAndDownloadHttpClient) if ($waitForCompletion) { $outputArtifactPath = PrepareOutputArtifactPath $force $outputArtifactPath Write-Verbose "Will write output artifact to: $outputArtifactPath" } $response = $null try { Write-Verbose "$verb signing request..." $response = SendWithRetry ` -HttpClient $HttpClient ` -RequestFactory $requestFactory ` -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds CheckResponse $response -ExpectLocationHeader $getUrl = $response.Headers.Location.AbsoluteUri Write-Host "$verbPastTense signing request at '$getUrl'" } finally { if ((Test-Path variable:response) -and $null -ne $response) { $response.Dispose() } } if ($waitForCompletion) { $downloadUrl = WaitForCompletionAndRetrieveSignedArtifactDownloadLink ` -HttpClient $defaultHttpClient ` -Url $getUrl ` -WaitForCompletionTimeoutInSeconds $waitForCompletionTimeoutInSeconds ` -WaitForCompletionRetryTimeoutInSeconds $WaitForCompletionRetryTimeoutInSeconds ` -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds DownloadArtifact ` -HttpClient $uploadAndDownloadHttpClient ` -Url $downloadUrl ` -Path $outputArtifactPath ` -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds } $guidRegex = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" $pattern = [regex]"SigningRequests/($guidRegex)" $getUrl -match $pattern | Out-Null $signingRequestId = $matches[1] Write-Verbose "Parsed signing request ID: $signingRequestId" return $signingRequestId } } } function CreateSubmitWithArtifactRequestFactory ( [string] $url, [string] $artifactConfigurationId, [string] $signingPolicyId, [string] $projectSlug, [string] $artifactConfigurationSlug, [string] $signingPolicySlug, [string] $description, [string] $inputArtifactPath, [Hashtable] $origin, [Hashtable] $parameters, [Nullable[int]] $cancellationTimeoutInSeconds ) { return CreateSubmitRequestFactory ` -Url $url ` -ArtifactConfigurationId $artifactConfigurationId ` -SigningPolicyId $signingPolicyId ` -ProjectSlug $projectSlug ` -ArtifactConfigurationSlug $artifactConfigurationSlug ` -SigningPolicySlug $signingPolicySlug ` -Description $description ` -Origin $origin ` -Parameters $parameters ` -CancellationTimeoutInSeconds $cancellationTimeoutInSeconds ` -AddAdditionalContent { Param ($content) $packageFileStream = New-Object System.IO.FileStream ($inputArtifactPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) $streamContent = New-Object System.Net.Http.StreamContent $packageFileStream # PLANNED SIGN-988 This shouldn't be needed anymore $streamContent.Headers.ContentType = New-Object System.Net.Http.Headers.MediaTypeHeaderValue "application/octet-stream" $fileName = [System.IO.Path]::GetFileName($inputArtifactPath) $content.Add($streamContent, "Artifact", $fileName) Write-Verbose "Artifact: $fileName" } } function CreateSubmitWithArtifactRetrievalLinkRequestFactory ( [string] $url, [string] $artifactConfigurationId, [string] $signingPolicyId, [string] $projectSlug, [string] $artifactConfigurationSlug, [string] $signingPolicySlug, [string] $description, [string] $artifactRetrievalLink, [string] $artifactRetrievalLinkFileName, [string] $artifactRetrievalLinkSha256Hash, [HashTable] $artifactRetrievalLinkHttpHeaders, [Hashtable] $origin, [Hashtable] $parameters, [Nullable[int]] $cancellationTimeoutInSeconds ) { return CreateSubmitRequestFactory ` -Url $url ` -ArtifactConfigurationId $artifactConfigurationId ` -SigningPolicyId $signingPolicyId ` -ProjectSlug $projectSlug ` -ArtifactConfigurationSlug $artifactConfigurationSlug ` -SigningPolicySlug $signingPolicySlug ` -Description $description ` -Origin $origin ` -Parameters $parameters ` -CancellationTimeoutInSeconds $cancellationTimeoutInSeconds ` -AddAdditionalContent { Param ($content, $addHashTableToHttpContent) $content.Add((New-Object System.Net.Http.StringContent $artifactRetrievalLink), "ArtifactRetrievalLink.Url") Write-Verbose "ArtifactRetrievalLink: $artifactRetrievalLink" $content.Add((New-Object System.Net.Http.StringContent $artifactRetrievalLinkFileName), "ArtifactRetrievalLink.FileName") Write-Verbose "ArtifactRetrievalLinkFileName: $artifactRetrievalLinkFileName" $content.Add((New-Object System.Net.Http.StringContent $artifactRetrievalLinkSha256Hash), "ArtifactRetrievalLink.Sha256Hash") Write-Verbose "ArtifactRetrievalLinkSha256Hash: $artifactRetrievalLinkSha256Hash" if ($artifactRetrievalLinkHttpHeaders) { & $addHashTableToHttpContent $content $artifactRetrievalLinkHttpHeaders "ArtifactRetrievalLink.HttpHeaders" } } } function CreateSubmitRequestFactory ( [string] $url, [string] $artifactConfigurationId, [string] $signingPolicyId, [string] $projectSlug, [string] $artifactConfigurationSlug, [string] $signingPolicySlug, [string] $description, [Hashtable] $origin, [Hashtable] $parameters, [ScriptBlock] $addAdditionalContent, [Nullable[int]] $cancellationTimeoutInSeconds) { $local:IsVerboseEnabled = $null -ne $PSCmdlet.MyInvocation.BoundParameters["Verbose"] -and $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent return { function AddHashTableToHttpContent ($content, $hashtable, $baseKey) { function AddToHttpContent ($content, $baseKey, $key, $value) { # All parameters ending in "File" are interpreted as streams if ( $key.ToLower().EndsWith("file")) { if ( $value.StartsWith("@")) { $filePath = $value.Substring(1) $packageFileStream = New-Object System.IO.FileStream ($filePath, [System.IO.FileMode]::Open) $streamContent = New-Object System.Net.Http.StreamContent $packageFileStream # PLANNED SIGN-988 This shouldn't be needed anymore $streamContent.Headers.ContentType = New-Object System.Net.Http.Headers.MediaTypeHeaderValue "application/octet-stream" $fileName = [System.IO.Path]::GetFileName($filePath) $content.Add($streamContent, "$baseKey.$key", $fileName) Write-Verbose "Adding file content to origin: $baseKey.$key = $fileName" } else { # IDEA: We will later on support non-file parameter values here too, for now we throw throw "*File origin parameters must start with @ to indicate a file path" } } else { $stringContent = New-Object System.Net.Http.StringContent $value $content.Add($stringContent, "$baseKey.$key") Write-Verbose "Add normal content to origin: $baseKey.$key = $value" } } Write-Verbose "Recursive add base key: $baseKey" foreach ($kvp in $hashtable.GetEnumerator()) { if ($kvp.Value.GetType().Name -eq "Hashtable") { Write-Verbose "$($kvp.Key) is a Hashtable, enter next recursion level" AddHashTableToHttpContent $content $kvp.Value "$baseKey.$($kvp.Key)" } else { AddToHttpContent $content $baseKey $kvp.Key $kvp.Value } } } if ($IsVerboseEnabled) { $VerbosePreference = "Continue" } $content = New-Object System.Net.Http.MultipartFormDataContent try { if ($artifactConfigurationId) { Write-Verbose "ArtifactConfigurationId: $artifactConfigurationId" $artifactConfigurationIdContent = New-Object System.Net.Http.StringContent $artifactConfigurationId $content.Add($artifactConfigurationIdContent, "ArtifactConfigurationId") } if ($signingPolicyId) { Write-Verbose "SigningPolicyId: $signingPolicyId" $signingPolicyIdContent = New-Object System.Net.Http.StringContent $signingPolicyId $content.Add($signingPolicyIdContent, "SigningPolicyId") } if ($projectSlug) { Write-Verbose "ProjectSlug: $projectSlug" $projectSlugContent = New-Object System.Net.Http.StringContent $projectSlug $content.Add($projectSlugContent, "ProjectSlug") } if ($artifactConfigurationSlug) { Write-Verbose "ArtifactConfigurationSlug: $artifactConfigurationSlug" $artifactConfigurationSlugContent = New-Object System.Net.Http.StringContent $artifactConfigurationSlug $content.Add($artifactConfigurationSlugContent, "ArtifactConfigurationSlug") } if ($signingPolicySlug) { Write-Verbose "SigningPolicySlug: $signingPolicySlug" $signingPolicySlugContent = New-Object System.Net.Http.StringContent $signingPolicySlug $content.Add($signingPolicySlugContent, "SigningPolicySlug") } if ($cancellationTimeoutInSeconds) { Write-Verbose "CancellationTimeoutInSeconds: $cancellationTimeoutInSeconds" $cancellationTimeoutContent = New-Object System.Net.Http.StringContent $cancellationTimeoutInSeconds $content.Add($cancellationTimeoutContent, "CancellationTimeoutInSeconds") } Write-Verbose "Description: $description" $descriptionContent = New-Object System.Net.Http.StringContent $description $content.Add($descriptionContent, "Description") $addHashTableToHttpContent = Get-Item Function:/AddHashTableToHttpContent . $addAdditionalContent $content $addHashTableToHttpContent if ($origin) { Write-Verbose "Adding all origin parameters..." AddHashTableToHttpContent $content $origin "Origin" } if ($parameters) { Write-Verbose "Adding all signing request parameters..." AddHashTableToHttpContent $content $parameters "Parameters" } $request = New-Object System.Net.Http.HttpRequestMessage Post, $url $request.Content = $content Write-Verbose "Request URL: $url" return $request # Only dispose the content in case of exceptions, otherwise the caller is responsible for disposing the whole request after it has been performed. } catch { $content.Dispose() throw } }.GetNewClosure() } function CreateResubmitRequestFactory ( [string] $url, [string] $originalSigningRequestId, [string] $signingPolicySlug, [string] $description, [Nullable[int]] $cancellationTimeoutInSeconds ) { $local:IsVerboseEnabled = $null -ne $PSCmdlet.MyInvocation.BoundParameters["Verbose"] -and $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent return { if ($IsVerboseEnabled) { $VerbosePreference = "Continue" } $content = New-Object System.Net.Http.MultipartFormDataContent try { Write-Verbose "OriginalSigningRequestId: $originalSigningRequestId" $originalSigningRequestIdContent = New-Object System.Net.Http.StringContent $originalSigningRequestId $content.Add($originalSigningRequestIdContent, "OriginalSigningRequestId") Write-Verbose "SigningPolicySlug: $signingPolicySlug" $signingPolicySlugContent = New-Object System.Net.Http.StringContent $signingPolicySlug $content.Add($signingPolicySlugContent, "SigningPolicySlug") Write-Verbose "Description: $description" $descriptionContent = New-Object System.Net.Http.StringContent $description $content.Add($descriptionContent, "Description") if ($cancellationTimeoutInSeconds){ Write-Verbose "CancellationTimeoutInSeconds: $cancellationTimeoutInSeconds" $cancellationTimeoutContent = New-Object System.Net.Http.StringContent $cancellationTimeoutInSeconds $content.Add($cancellationTimeoutContent, "CancellationTimeoutInSeconds") } $request = New-Object System.Net.Http.HttpRequestMessage Post, $url $request.Content = $content Write-Verbose "Request URL: $url" return $request # Only dispose the content in case of exceptions, otherwise the caller is responsible for disposing the whole request after it has been performed. } catch { $content.Dispose() throw } }.GetNewClosure() } function GetWithRetry ([System.Net.Http.HttpClient] $httpClient, [string] $url, [int] $serviceUnavailableRetryTimeoutInSeconds) { $response = SendWithRetry ` -HttpClient $httpClient ` -RequestFactory { New-Object System.Net.Http.HttpRequestMessage Get, $url }.GetNewClosure() ` -ServiceUnavailableRetryTimeoutInSeconds $serviceUnavailableRetryTimeoutInSeconds return $response } function SendWithRetry ( [System.Net.Http.HttpClient] $httpClient, [ScriptBlock] $requestFactory, [int] $serviceUnavailableRetryTimeoutInSeconds) { # Implements rules from https://wiki.rubicon.eu/x/WxWZGg $sw = [System.Diagnostics.Stopwatch]::StartNew() $retry = 0 while ($true) { $retryReason = $null if ($retry -gt 0) { Write-Host "Retry $retry..." } $request = $null try { Write-Verbose "Generating request..." $request = & $requestFactory $userAgentString = GetUserAgentString $request.Headers.Add("User-Agent", $userAgentString) Write-Verbose "HttpClient timeout: $($httpClient.Timeout)" Write-Verbose "Sending request..." $response = $httpClient.SendAsync($request, [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead).GetAwaiter().GetResult() Write-Verbose "Response status code: $($response.StatusCode)" if ($response.StatusCode -eq 502 -or $response.StatusCode -eq 503) { $retryReason = "SignPath REST API is temporarily unavailable. Please try again in a few moments." } elseif ($response.StatusCode -eq 504) { $retryReason = "SignPath REST API answer time exceeded the timeout ($($HttpClient.Timeout))." } elseif ($response.StatusCode -eq 429) { $retryReason = "SignPath REST API encountered too many requests. Please try again in a few moments." } else { return $response } } catch [System.Net.Http.HttpRequestException] { Write-Verbose "Request failed with HttpRequestException" $retryReason = $_ } catch [System.Threading.Tasks.TaskCanceledException] { Write-Verbose "Request failed with TaskCanceledException" $retryReason = "SignPath REST API answer time exceeded the timeout ($($HttpClient.Timeout))." } finally { Write-Verbose "Disposing request" if ($null -ne $request) { $request.Dispose() } } Write-Verbose "Retry reason: $retryReason" if (($sw.Elapsed.TotalSeconds + $serviceUnavailableRetryTimeoutInSeconds) -lt $ServiceUnavailableTimeoutInSeconds) { Write-Host "SignPath REST API call failed. Retrying in ${serviceUnavailableRetryTimeoutInSeconds}s..." Start-Sleep -Seconds $serviceUnavailableRetryTimeoutInSeconds } else { Write-Host "SignPath REST API could not be called successfully in $($retry + 1) tries. Aborting" throw $retryReason } $retry++ } } function GetUserAgentString { $moduleName = "SignPath.PowerShellModule" $moduleVersion = $MyInvocation.MyCommand.ScriptBlock.Module.Version $operatingSystem = [System.Environment]::OSVersion.VersionString if ([System.Environment]::Is64BitProcess) { $architecture = "x64" } else { $architecture = "x86" } $powerShellVersion = "$($PSVersionTable.PSEdition) $($PSVersionTable.PSVersion)" return "${moduleName}/${moduleVersion} (${operatingSystem}; ${architecture}; ${powerShellVersion})" } function DownloadArtifact ( [System.Net.Http.HttpClient] $httpClient, [string] $url, [string] $path, [int] $serviceUnavailableRetryTimeoutInSeconds) { $downloadResponse = $null $streamToWriteTo = $null try { Write-Host "Downloading signed artifact..." $downloadResponse = GetWithRetry ` -HttpClient $httpClient ` -Url $url ` -ServiceUnavailableRetryTimeoutInSeconds $serviceUnavailableRetryTimeoutInSeconds CheckResponse $downloadResponse $pathWithoutFile = [System.IO.Path]::GetDirectoryName($path) [System.IO.Directory]::CreateDirectory($pathWithoutFile) | Out-Null $stream = $downloadResponse.Content.ReadAsStreamAsync().GetAwaiter().GetResult() $streamToWriteTo = [System.IO.File]::Open($path, 'Create') $stream.CopyToAsync($streamToWriteTo).GetAwaiter().GetResult() | Out-Null Write-Host "Downloaded signed artifact and saved at '$path'" } finally { if ((Test-Path variable:downloadResponse) -and $null -ne $downloadResponse) { $downloadResponse.Dispose() } if ((Test-Path variable:stream) -and $null -ne $stream) { $stream.Dispose() } if ((Test-Path variable:streamToWriteTo) -and $null -ne $streamToWriteTo) { $streamToWriteTo.Dispose() } } } function WaitForCompletionAndRetrieveSignedArtifactDownloadLink ( [System.Net.Http.HttpClient] $httpClient, [string] $url, [int] $waitForCompletionTimeoutInSeconds, [int] $waitForCompletionRetryTimeoutInSeconds, [int] $serviceUnavailableRetryTimeoutInSeconds) { $StatusComplete = "Completed" $StatusFailed = "Failed" $StatusDenied = "Denied" $StatusCanceled = "Canceled" $WorkflowStatusArtifactRetrievalFailed = "ArtifactRetrievalFailed" $getResponse = $null try { $resultJson = $null $status = $null $sw = [System.Diagnostics.Stopwatch]::StartNew() do { Write-Host "Checking status... " -NoNewline $getResponse = GetWithRetry -HttpClient $httpClient -Url $url -ServiceUnavailableRetryTimeoutInSeconds $serviceUnavailableRetryTimeoutInSeconds CheckResponse $getResponse $resultJson = $getResponse.Content.ReadAsStringAsync().GetAwaiter().GetResult() | ConvertFrom-Json $status = $resultJson.status $workflowStatus = $resultJson.workflowStatus Write-Host $status if ($resultJson.isFinalStatus) { break } Write-Verbose "Waiting for $waitForCompletionRetryTimeoutInSeconds seconds until checking again..." Start-Sleep -Seconds $waitForCompletionRetryTimeoutInSeconds } while ($sw.Elapsed.TotalSeconds -lt $waitForCompletionTimeoutInSeconds) $timeoutExpired = $sw.Elapsed.TotalSeconds -ge $waitForCompletionTimeoutInSeconds if ($status -ne $StatusComplete) { if ($status -eq $StatusDenied) { throw "Terminating because signing request was denied" } elseif ($status -eq $StatusCanceled) { throw "Terminating because signing request was canceled" } elseif ($workflowStatus -eq $WorkflowStatusArtifactRetrievalFailed) { throw "Terminating because artifact retrieval failed" } elseif ($status -eq $StatusFailed) { throw "Terminating because signing request failed" } elseif ($timeoutExpired) { throw "Timeout expired while waiting for signing request to complete" } else { throw "Terminating because of unexpected signing request status: $status" } } if($resultJson.PSObject.Properties.Name -contains "signedArtifactLink") { return $resultJson.signedArtifactLink } throw "Downloading the signed artifact is not possible since the signing request's artifacts have been deleted." } finally { if ((Test-Path variable:getResponse) -and $null -ne $getResponse) { $getResponse.Dispose() } } } function CreateAndUseAuthorizedHttpClient ([string] $apiToken, [int] $timeout, [ScriptBlock] $scriptBlock, [System.Security.Cryptography.X509Certificates.X509Certificate2] $clientCertificate) { Add-Type -AssemblyName System.IO Add-Type -AssemblyName System.Net.Http $previousSecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 $httpClientHandler = New-Object System.Net.Http.HttpClientHandler if ($null -ne $clientCertificate) { if (-not $clientCertificate.HasPrivateKey) { throw "The given client certificate has not private key and therefore cannot be used as client certificate." } Write-Verbose "Adding HttpClient client certificate: $clientCertificate" $httpClientHandler.ClientCertificates.Add($clientCertificate) | Out-Null } $httpClient = New-Object System.Net.Http.HttpClient $httpClientHandler $httpClient.Timeout = [TimeSpan]::FromSeconds($timeout) $httpClient.DefaultRequestHeaders.Authorization = New-Object System.Net.Http.Headers.AuthenticationHeaderValue @("Bearer", $apiToken) try { & $scriptBlock $httpClient } finally { if ($null -ne $httpClient) { $httpClient.Dispose() } [System.Net.ServicePointManager]::SecurityProtocol = $previousSecurityProtocol } } function PrepareInputArtifactPath ([string] $inputArtifactPath) { $inputArtifactPath = NormalizePath $inputArtifactPath if (-not (Test-Path -Path $inputArtifactPath)) { throw "The input artifact path '$inputArtifactPath' does not exist" } return $inputArtifactPath } function PrepareOutputArtifactPath ([bool] $force, [string] $outputArtifactPath) { $outputArtifactPath = NormalizePath $outputArtifactPath if (-not $force -and (Test-Path -Path $outputArtifactPath)) { throw "There is already a file at '$outputArtifactPath'. If you want to overwrite it use the -Force switch" } return $outputArtifactPath } function NormalizePath ([string] $path) { if (-not [System.IO.Path]::IsPathRooted($path)) { return Join-Path $PWD $path } return $path } function CheckResponse ([System.Net.Http.HttpResponseMessage] $response, [switch] $expectLocationHeader) { Write-Verbose "Checking response: $response" if (-not $response.IsSuccessStatusCode) { Write-Verbose "No success response." $responseBody = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult() $additionalReason = "" if (401 -eq $response.StatusCode) { $additionalReason = " Did you provide the correct API token?" } elseif(403 -eq $response.StatusCode -and -not $responseBody.Contains("feature is disabled")) { $additionalReason = " Did you add the user to the list of submitters in the specified signing policy? Did you provide the correct OrganizationId? In case you are using a trusted build system, did you link it to the specified project?" } $serverMessage = "" if ($responseBody -ne "") { $serverMessage = " (Server reported the following message: '" + $responseBody + "')" } $errorMessage = "Error {0} {1}.{2}{3}" -f $response.StatusCode.value__, $response.ReasonPhrase, $additionalReason, $serverMessage throw [System.Net.Http.HttpRequestException]$errorMessage } $hasValidLocationHeader = $response.Headers.PSObject.Properties.Name -contains "Location" -and $response.Headers.Location if ($expectLocationHeader.IsPresent -and -not $hasValidLocationHeader) { $errorMessage = "The server did not provide a location header in the response. Are you sure you are using the correct URL?" throw [System.Net.Http.HttpRequestException]$errorMessage } } Export-ModuleMember Submit-SigningRequest Export-ModuleMember Get-SignedArtifact Export-ModuleMember Get-CertificateByMicrosoftTemplateId # SIG # Begin signature block # MIIvZgYJKoZIhvcNAQcCoIIvVzCCL1MCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD9EKD3H/chYWR2 # uBEF3WTcuZynR34CkZaPpgSDthrK8qCCFDMwggWQMIIDeKADAgECAhAFmxtXno4h # MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV # BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z # ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB # AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z # G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ # anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s # Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL # 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb # BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3 # JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c # AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx # YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0 # viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL # T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud # EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf # Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk # aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS # PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK # 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB # cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp # 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg # dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri # RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7 # 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5 # nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3 # i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H # EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G # CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ # bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0 # IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C # 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce # 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da # E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T # SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA # FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh # D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM # 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z # 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05 # huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY # mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP # /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T # AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD # VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY # aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj # ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV # HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN # BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry # sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL # IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf # Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh # OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh # dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV # 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j # wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH # Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC # XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l # /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW # eE4wggfnMIIFz6ADAgECAhAFxsIaZbhUUbOgqnx1dNw2MA0GCSqGSIb3DQEBCwUA # MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE # AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz # ODQgMjAyMSBDQTEwHhcNMjIwODA0MDAwMDAwWhcNMjUwODA2MjM1OTU5WjCBwDET # MBEGCysGAQQBgjc8AgEDEwJBVDEVMBMGCysGAQQBgjc8AgECEwRXaWVuMRUwEwYL # KwYBBAGCNzwCAQETBFdpZW4xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9u # MRAwDgYDVQQFEwc0NzU1MDZ6MQswCQYDVQQGEwJBVDENMAsGA1UEBxMEV2llbjEW # MBQGA1UEChMNU2lnblBhdGggR21iSDEWMBQGA1UEAxMNU2lnblBhdGggR21iSDCC # AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6HS5wK+wIHHZ9uJUlOQn5O # 7J443ConoGd9WICI2zmrzk/potZRcAoB0WYHu/dqK/U2IYvzDOzIFs4HjgGqJQDf # Hx/75O3rUAv5owW53bmUjt9jrusvB0ObUNm3FrIWQYMFQJR0M3ymnGbXvDBs+hoW # dhu12uYbmPJHm4pmsqV+Y8CBCWbJm3DyfGLD/qpOMkhjmh22h1X5G4m8+7EOWCup # B1Fx1lmYpMu391x6ysVEe4g5E8Tus7VDeKB6aFoLiuVW3UtrucsmROY0iExrVC+h # izGQqwFJn7gp8sxSzutZokfVXWf0dnw/1I2GIfLW5S9a9TpBz3Tz2Jh4BZs2lBXL # lo/5+zlphlmMjiXvBoXquchQFko1DLSdXtEEeAQUVpeFsG60bDwj5X0R7UL/vZpw # GD0s4XNUckeMwFFRTpHIxk2QbRSyZgS5Nfy5oILTtTity4IcnLf8aV4OLl7dgn39 # VfQ8hxYNfPMqn1NsbEBFuQ30maDGl8/4kCYMgLOnT19u+/wuBBCFmSSWa3Y5RyeJ # 0LmAk3tvfoHqXR+wPVPekVwzViSQ/k7PYtq5zF4bMT/9dHpriE13absSZPfigSde # /eyL7+kJZLYw+ZwZABwMyM/B3rLc7RJPSFCmqgyyFjc7i25iKv8Z//6884clbZ7W # BYwLVTcIsfD/QG+0YoJlAgMBAAGjggIxMIICLTAfBgNVHSMEGDAWgBRoN+Drtjv4 # XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUxXD4yqLal5zX9MnW4OnSsnTYRH4wKgYD # VR0RBCMwIaAfBggrBgEFBQcIA6ATMBEMD0FULVdJRU4tNDc1NTA2ejAOBgNVHQ8B # Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGg # T4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29k # ZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9j # cmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNB # NDA5NlNIQTM4NDIwMjFDQTEuY3JsMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggr # BgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcB # AQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwG # CCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRU # cnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAMBgNV # HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCTJY3zlB6w17Y/7FHoW1Mh+vwz # 3L0KfOWwqvRmPZm1/SQ9dbRVepLkc1jgSvrc8CwZI0J+SoeKaAmesLHt1onvaUW2 # /o/5P9X0HeHgue0jsE+QKKjU2RxomK4DrPdDdGVoCJiR5OJMmZzUUu3tGAr3MmTU # 6b+UeDeWG0IjT+75LW0cOHgWqcE8aZLIuw/3YB6xPXs8AAayJysbmRe4jQNLg3u8 # DAErUY1yA5eYklThko1uIwJy90GYVwz6pWEifR1sV4sitzF0EV4UO82pgVxEhJB9 # eBZ3pHTPmjXEaRHQHZudGACW7+DDIEw8979qWDOJmiDEgL0ylb49ATOWW0kyGPnh # 4tlbgi6QB8AAzMWgM+LENT8TPli1YrKmONq5ImgIBwOMtsSOwBH+TS1VvqBxdvF8 # YZA1+VTNeeTKMCkqJbCRm3M+d076nIGjddMISkloTeVeCjGT2Bt0vyJTfCcraPYK # A6FDQndkNuzXurBmHazf7HLL/SxrLJGRMFo10BKVdC3Ihs6m9yNI/Bj0v/Rkykix # sPvjJPJ4I9EjhrtI9Bz4CJujLosuqH3TYWfUqbi/F1W9pnJxzCBGX25+WMX8+8q5 # NLvQ4ykrhOrphjiM3hTfYVxd0W8lDD83qrbAnbdWNPq1Vcr9JMlNIDSGWRtoZXcL # 6t/F7az0ldN5/Vv7DzGCGokwghqFAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0 # IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQBcbCGmW4VFGz # oKp8dXTcNjANBglghkgBZQMEAgEFAKCBmjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC # NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAuBgorBgEEAYI3AgEM # MSAwHqAcgBoAUwBpAGcAbgBQAGEAdABoAC4AcABzAG0AMTAvBgkqhkiG9w0BCQQx # IgQgbz+BY7e/Vax496bRPoFMKOPxyvi7b6HZd6BoXA+KmZMwDQYJKoZIhvcNAQEB # BQAEggIAeNMSV5V4ioR9lSwRSZKTjgonaJW/wrjixDmn4TyDMzTOdUWWioOQ2/qB # +aho18GNAfeKpUSuXWq8Qs77ZCFI5CwsojUqVbvww+TIHwJEUBOJTaEIbunAQnal # zFcYMDGPiLZZ99ISt1RBapxd53AvJ1bIHYLT7ZYD/+PQ41T9n3eUitztftArSX2w # e+biyBQwQDWp1ecCGl3JTMkhWjdvRVAkGxADPsyFSB1Pasz4/V9D3K51tO+E6J4W # O4HUOkDnKt8VH12ejMXK5tCCV1XMmUI1B3+xItB+eCXY+DT5PQY6XZpZRKX7VC72 # NERUVQgPdmUJxcSeQnUdu0V1YN1xTUyB6w1+zGQNTBd8AwsEvrtOwsNHTm+r+jfR # qFB+9yRL6TmaaNM/zClsO9MPzjDn0vjJn8z7+53D2PUhGZnBEh8ZVei4KzsoM+8x # SN0Dhk6XDMzGtHM/aMuStXK1x3Z9vtLKmRCXos1raJudo5/Dzt2CLkXs3EPbWU8R # 6c85dTnHezf2LOg/v2v0mAnJh1D5mllVvlUfI6ebm9b0cR+31V9T3K1Fttz1wtnX # RGRd5gNWDpTzzqnjXB1yiN8AzxUWB9m75c4XY7enqiNBNnevCZqrHr7Ec69QDYZr # 7P0RPD19X5Vt1kyPc+EmMpSf/tex815Tp7vJVgwa1JVxe1R/6AqhghdAMIIXPAYK # KwYBBAGCNwMDATGCFywwghcoBgkqhkiG9w0BBwKgghcZMIIXFQIBAzEPMA0GCWCG # SAFlAwQCAQUAMHgGCyqGSIb3DQEJEAEEoGkEZzBlAgEBBglghkgBhv1sBwEwMTAN # BglghkgBZQMEAgEFAAQgQ1JYrFuUUdajBw+Qz1x3KMy+kwWz3igbVPmDJciwXPsC # EQCsYnsfs2AEH91uE+8kEhOAGA8yMDI0MDcxMTEwNDE0MFqgghMJMIIGwjCCBKqg # AwIBAgIQBUSv85SdCDmmv9s/X+VhFjANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQG # EwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0 # IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMB4XDTIz # MDcxNDAwMDAwMFoXDTM0MTAxMzIzNTk1OVowSDELMAkGA1UEBhMCVVMxFzAVBgNV # BAoTDkRpZ2lDZXJ0LCBJbmMuMSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAg # MjAyMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKNTRYcdg45brD5U # syPgz5/X5dLnXaEOCdwvSKOXejsqnGfcYhVYwamTEafNqrJq3RApih5iY2nTWJw1 # cb86l+uUUI8cIOrHmjsvlmbjaedp/lvD1isgHMGXlLSlUIHyz8sHpjBoyoNC2vx/ # CSSUpIIa2mq62DvKXd4ZGIX7ReoNYWyd/nFexAaaPPDFLnkPG2ZS48jWPl/aQ9OE # 9dDH9kgtXkV1lnX+3RChG4PBuOZSlbVH13gpOWvgeFmX40QrStWVzu8IF+qCZE3/ # I+PKhu60pCFkcOvV5aDaY7Mu6QXuqvYk9R28mxyyt1/f8O52fTGZZUdVnUokL6wr # l76f5P17cz4y7lI0+9S769SgLDSb495uZBkHNwGRDxy1Uc2qTGaDiGhiu7xBG3gZ # beTZD+BYQfvYsSzhUa+0rRUGFOpiCBPTaR58ZE2dD9/O0V6MqqtQFcmzyrzXxDto # RKOlO0L9c33u3Qr/eTQQfqZcClhMAD6FaXXHg2TWdc2PEnZWpST618RrIbroHzSY # LzrqawGw9/sqhux7UjipmAmhcbJsca8+uG+W1eEQE/5hRwqM/vC2x9XH3mwk8L9C # gsqgcT2ckpMEtGlwJw1Pt7U20clfCKRwo+wK8REuZODLIivK8SgTIUlRfgZm0zu+ # +uuRONhRB8qUt+JQofM604qDy0B7AgMBAAGjggGLMIIBhzAOBgNVHQ8BAf8EBAMC # B4AwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAgBgNVHSAE # GTAXMAgGBmeBDAEEAjALBglghkgBhv1sBwEwHwYDVR0jBBgwFoAUuhbZbU2FL3Mp # dpovdYxqII+eyG8wHQYDVR0OBBYEFKW27xPn783QZKHVVqllMaPe1eNJMFoGA1Ud # HwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRy # dXN0ZWRHNFJTQTQwOTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcmwwgZAGCCsGAQUF # BwEBBIGDMIGAMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w # WAYIKwYBBQUHMAKGTGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy # dFRydXN0ZWRHNFJTQTQwOTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcnQwDQYJKoZI # hvcNAQELBQADggIBAIEa1t6gqbWYF7xwjU+KPGic2CX/yyzkzepdIpLsjCICqbjP # gKjZ5+PF7SaCinEvGN1Ott5s1+FgnCvt7T1IjrhrunxdvcJhN2hJd6PrkKoS1yeF # 844ektrCQDifXcigLiV4JZ0qBXqEKZi2V3mP2yZWK7Dzp703DNiYdk9WuVLCtp04 # qYHnbUFcjGnRuSvExnvPnPp44pMadqJpddNQ5EQSviANnqlE0PjlSXcIWiHFtM+Y # lRpUurm8wWkZus8W8oM3NG6wQSbd3lqXTzON1I13fXVFoaVYJmoDRd7ZULVQjK9W # vUzF4UbFKNOt50MAcN7MmJ4ZiQPq1JE3701S88lgIcRWR+3aEUuMMsOI5ljitts+ # +V+wQtaP4xeR0arAVeOGv6wnLEHQmjNKqDbUuXKWfpd5OEhfysLcPTLfddY2Z1qJ # +Panx+VPNTwAvb6cKmx5AdzaROY63jg7B145WPR8czFVoIARyxQMfq68/qTreWWq # aNYiyjvrmoI1VygWy2nyMpqy0tg6uLFGhmu6F/3Ed2wVbK6rr3M66ElGt9V/zLY4 # wNjsHPW2obhDLN9OTH0eaHDAdwrUAuBcYLso/zjlUlrWrBciI0707NMX+1Br/wd3 # H3GXREHJuEbTbDJ8WC9nR2XlG3O2mflrLAZG70Ee8PBf4NvZrZCARK+AEEGKMIIG # rjCCBJagAwIBAgIQBzY3tyRUfNhHrP0oZipeWzANBgkqhkiG9w0BAQsFADBiMQsw # CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu # ZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQw # HhcNMjIwMzIzMDAwMDAwWhcNMzcwMzIyMjM1OTU5WjBjMQswCQYDVQQGEwJVUzEX # MBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0IFRydXN0 # ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAxoY1BkmzwT1ySVFVxyUDxPKRN6mXUaHW0oPR # nkyibaCwzIP5WvYRoUQVQl+kiPNo+n3znIkLf50fng8zH1ATCyZzlm34V6gCff1D # tITaEfFzsbPuK4CEiiIY3+vaPcQXf6sZKz5C3GeO6lE98NZW1OcoLevTsbV15x8G # ZY2UKdPZ7Gnf2ZCHRgB720RBidx8ald68Dd5n12sy+iEZLRS8nZH92GDGd1ftFQL # IWhuNyG7QKxfst5Kfc71ORJn7w6lY2zkpsUdzTYNXNXmG6jBZHRAp8ByxbpOH7G1 # WE15/tePc5OsLDnipUjW8LAxE6lXKZYnLvWHpo9OdhVVJnCYJn+gGkcgQ+NDY4B7 # dW4nJZCYOjgRs/b2nuY7W+yB3iIU2YIqx5K/oN7jPqJz+ucfWmyU8lKVEStYdEAo # q3NDzt9KoRxrOMUp88qqlnNCaJ+2RrOdOqPVA+C/8KI8ykLcGEh/FDTP0kyr75s9 # /g64ZCr6dSgkQe1CvwWcZklSUPRR8zZJTYsg0ixXNXkrqPNFYLwjjVj33GHek/45 # wPmyMKVM1+mYSlg+0wOI/rOP015LdhJRk8mMDDtbiiKowSYI+RQQEgN9XyO7ZONj # 4KbhPvbCdLI/Hgl27KtdRnXiYKNYCQEoAA6EVO7O6V3IXjASvUaetdN2udIOa5kM # 0jO0zbECAwEAAaOCAV0wggFZMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE # FLoW2W1NhS9zKXaaL3WMaiCPnshvMB8GA1UdIwQYMBaAFOzX44LScV1kTN8uZz/n # upiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEFBQcDCDB3Bggr # BgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv # bTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD # ZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2Ny # bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcmwwIAYDVR0g # BBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9bAcBMA0GCSqGSIb3DQEBCwUAA4ICAQB9 # WY7Ak7ZvmKlEIgF+ZtbYIULhsBguEE0TzzBTzr8Y+8dQXeJLKftwig2qKWn8acHP # HQfpPmDI2AvlXFvXbYf6hCAlNDFnzbYSlm/EUExiHQwIgqgWvalWzxVzjQEiJc6V # aT9Hd/tydBTX/6tPiix6q4XNQ1/tYLaqT5Fmniye4Iqs5f2MvGQmh2ySvZ180HAK # fO+ovHVPulr3qRCyXen/KFSJ8NWKcXZl2szwcqMj+sAngkSumScbqyQeJsG33irr # 9p6xeZmBo1aGqwpFyd/EjaDnmPv7pp1yr8THwcFqcdnGE4AJxLafzYeHJLtPo0m5 # d2aR8XKc6UsCUqc3fpNTrDsdCEkPlM05et3/JWOZJyw9P2un8WbDQc1PtkCbISFA # 0LcTJM3cHXg65J6t5TRxktcma+Q4c6umAU+9Pzt4rUyt+8SVe+0KXzM5h0F4ejjp # nOHdI/0dKNPH+ejxmF/7K9h+8kaddSweJywm228Vex4Ziza4k9Tm8heZWcpw8De/ # mADfIBZPJ/tgZxahZrrdVcA6KYawmKAr7ZVBtzrVFZgxtGIJDwq9gdkT/r+k0fNX # 2bwE+oLeMt8EifAAzV3C+dAjfwAL5HYCJtnwZXZCpimHCUcr5n8apIUP/JiW9lVU # Kx+A+sDyDivl1vupL0QVSucTDh3bNzgaoSv27dZ8/DCCBY0wggR1oAMCAQICEA6b # GI750C3n79tQ4ghAGFowDQYJKoZIhvcNAQEMBQAwZTELMAkGA1UEBhMCVVMxFTAT # BgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEk # MCIGA1UEAxMbRGlnaUNlcnQgQXNzdXJlZCBJRCBSb290IENBMB4XDTIyMDgwMTAw # MDAwMFoXDTMxMTEwOTIzNTk1OVowYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERp # Z2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMY # RGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A # MIICCgKCAgEAv+aQc2jeu+RdSjwwIjBpM+zCpyUuySE98orYWcLhKac9WKt2ms2u # exuEDcQwH/MbpDgW61bGl20dq7J58soR0uRf1gU8Ug9SH8aeFaV+vp+pVxZZVXKv # aJNwwrK6dZlqczKU0RBEEC7fgvMHhOZ0O21x4i0MG+4g1ckgHWMpLc7sXk7Ik/gh # YZs06wXGXuxbGrzryc/NrDRAX7F6Zu53yEioZldXn1RYjgwrt0+nMNlW7sp7XeOt # yU9e5TXnMcvak17cjo+A2raRmECQecN4x7axxLVqGDgDEI3Y1DekLgV9iPWCPhCR # cKtVgkEy19sEcypukQF8IUzUvK4bA3VdeGbZOjFEmjNAvwjXWkmkwuapoGfdpCe8 # oU85tRFYF/ckXEaPZPfBaYh2mHY9WV1CdoeJl2l6SPDgohIbZpp0yt5LHucOY67m # 1O+SkjqePdwA5EUlibaaRBkrfsCUtNJhbesz2cXfSwQAzH0clcOP9yGyshG3u3/y # 1YxwLEFgqrFjGESVGnZifvaAsPvoZKYz0YkH4b235kOkGLimdwHhD5QMIR2yVCkl # iWzlDlJRR3S+Jqy2QXXeeqxfjT/JvNNBERJb5RBQ6zHFynIWIgnffEx1P2PsIV/E # IFFrb7GrhotPwtZFX50g/KEexcCPorF+CiaZ9eRpL5gdLfXZqbId5RsCAwEAAaOC # ATowggE2MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOzX44LScV1kTN8uZz/n # upiuHA9PMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA4GA1UdDwEB # /wQEAwIBhjB5BggrBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw # LmRpZ2ljZXJ0LmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGlnaWNl # cnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNydDBFBgNVHR8EPjA8MDqg # OKA2hjRodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURS # b290Q0EuY3JsMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQwFAAOCAQEA # cKC/Q1xV5zhfoKN0Gz22Ftf3v1cHvZqsoYcs7IVeqRq7IviHGmlUIu2kiHdtvRoU # 9BNKei8ttzjv9P+Aufih9/Jy3iS8UgPITtAq3votVs/59PesMHqai7Je1M/RQ0Sb # QyHrlnKhSLSZy51PpwYDE3cnRNTnf+hZqPC/Lwum6fI0POz3A8eHqNJMQBk1Rmpp # VLC4oVaO7KTVPeix3P0c2PR3WlxUjG/voVA9/HYJaISfb8rbII01YBwCA8sgsKxY # oA5AY8WYIsGyWfVVa88nq2x2zm8jLfR+cWojayL/ErhULSd+2DrZ8LaHlv1b0Vys # GMNNn3O3AamfV6peKOK5lDGCA3YwggNyAgEBMHcwYzELMAkGA1UEBhMCVVMxFzAV # BgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVk # IEc0IFJTQTQwOTYgU0hBMjU2IFRpbWVTdGFtcGluZyBDQQIQBUSv85SdCDmmv9s/ # X+VhFjANBglghkgBZQMEAgEFAKCB0TAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQ # AQQwHAYJKoZIhvcNAQkFMQ8XDTI0MDcxMTEwNDE0MFowKwYLKoZIhvcNAQkQAgwx # HDAaMBgwFgQUZvArMsLCyQ+CXc6qisnGTxmcz0AwLwYJKoZIhvcNAQkEMSIEIHMJ # KGIKocEk5ZoYf5Mp0mhRyiigwwcN5oqDdVUldeCaMDcGCyqGSIb3DQEJEAIvMSgw # JjAkMCIEINL25G3tdCLM0dRAV2hBNm+CitpVmq4zFq9NGprUDHgoMA0GCSqGSIb3 # DQEBAQUABIICAD1MV/dfhpSup8Gd2D1OW/qQTMT8DMJ9ZhhguUqF4BbPZ1ybJwkX # WFIqhbs3LzBHgaDw0xU6xh3IaxvY589neslfdqzUPyGJvmTW27YygOcQHGLN6/6u # x3VTcF7j6nHP0rC3JsOJcDBFF3cQd804B0oe474ZaR5WmRjYXOglr+ZAcRGiQojH # Dy2BArlUSsKfq8GRzn+rBjYlbVqlcc30l0WL4sFqhR6YUakw/ks55LcfpOVEaXiE # trpni9o53AUcuhY6tdpZoy24Yb8xDztIAZ112mmloLGxB6jFoIG/Qok1xCjQQmUc # Y5fhtFJ5llDXE943v8h7ZdQqyim4pX1KvJjonK3vNsEOhoU0NzHP2djDSg23DKNa # +xPEXdJSwci8wWLucHZebcGD3xpR1mnFwDYM/hAd5D0vBk3OQAZeqWH6qGK0eluX # f4xomkZmIYBqEDFgjcAUD3UgwR/ongxB59dwUoUc+ITq4CTsy5EXSDqm3EQssSX/ # AjfLXwrMKYCXBhDePGM981O0hIPkaZZ7gvEosJJwAjmm4vqPYYQTm0mxX0REvsNm # DZDjLDZSXjR3KmIXIzrJua3xcsiiIOx0M0Az4pMm1q2MBfhDBJGS2E/t89CZTOPX # CERNVRD/1SU0dylAKNwGZuSsc0y5Ar92NT58fUp1YRnUaS4YACg4uNxv # SIG # End signature block |