SignPath.psm1

#Requires -Version 3.0
# Also requires .NET Version 4.7.2 or above

# Module-level settings. The functions below read these by name rather than receiving them as parameters,
# so renaming one silently changes what the helpers see.

# Seconds passed as -ServiceUnavailableRetryTimeoutInSeconds to SendWithRetry,
# WaitForCompletionAndRetrieveSignedArtifactDownloadLink and DownloadArtifact
# (presumably the pause between retries - confirm in those helpers).
$ServiceUnavailableRetryTimeoutInSeconds = 30
# Seconds passed as -WaitForCompletionRetryTimeoutInSeconds while waiting for a signing request to complete.
$WaitForCompletionRetryTimeoutInSeconds = 5
# -Timeout (seconds) of the HTTP client used for regular API calls; uploads and downloads use a second
# client whose timeout comes from -UploadAndDownloadRequestTimeoutInSeconds.
$DefaultHttpClientTimeoutInSeconds = 100

<#
.SYNOPSIS
  Submits a new signing request or resubmits an existing one via the SignPath REST API.
.DESCRIPTION
  The Submit-SigningRequest cmdlet creates a new signing request. The signing request will be processed by SignPath according to authorization and policy rules.
 
  CREATING A NEW SIGNING REQUEST VS. RE-SIGNING
 
  When using the -InputArtifact parameter, the specified file will be uploaded for processing.
 
  When using the -Resubmit parameter, the specified signing request will be processed again using the specified signing policy. This is especially useful for conditional signing of release candidates. See Resubmit an existing signing request for more information.
 
  DOWNLOADING THE SIGNED ARTIFACT
 
  Processing a signing request may take several minutes, or even longer if manual approval is required. You can either
 
  * use your own logic to wait for processing to complete and
    download the signed artifact using the Get-SignedArtifact
    cmdlet afterwards,
  * or use the -WaitForCompletion parameter of this cmdlet
    to wait for processing and then download the
    signed artifact in a single call.
 
.EXAMPLE
  Submit-SigningRequest `
    -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN `
    -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY `
    -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION `
    -InputArtifactPath $PATH_TO_INPUT_ARTIFACT `
    -WaitForCompletion `
    -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT
.EXAMPLE
  Submit-SigningRequest `
    -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN `
    -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY `
    -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION `
    -ArtifactRetrievalLink $URL_TO_INPUT_ARTIFACT `
    -ArtifactRetrievalLinkFileName $FILE_NAME_OF_INPUT_ARTIFACT `
    -ArtifactRetrievalLinkSha256Hash $SHA256_HASH_OF_INPUT_ARTIFACT_IN_HEX_STRING_FORMAT `
    -ArtifactRetrievalLinkHttpHeaders @{
      "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_KEY1" = "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_VALUE1"
      "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_KEY2" = "$ARTIFACT_RETRIEVAL_LINK_HTTP_HEADER_VALUE2"
    } `
    -WaitForCompletion `
    -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT
.EXAMPLE
  $signingRequestID = Submit-SigningRequest `
    -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN `
    -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY `
    -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION `
    -InputArtifactPath $PATH_TO_INPUT_ARTIFACT
 
 Submit a signing request and get a signing request ID without waiting for completion, then download the signed artifact later
 
PS > Get-SignedArtifact `
    -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN `
    -SigningRequestId $signingRequestID `
    -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT
 
.EXAMPLE
  Submit-SigningRequest -Resubmit `
    -ApiToken $API_TOKEN -OrganizationId $ORGANIZATION_ID `
    -OriginalSigningRequestId $ORIGINAL_SIGNING_REQUEST_ID `
    -SigningPolicySlug $SIGNING_POLICY `
    -WaitForCompletion `
    -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT
.OUTPUTS
  Returns the SigningRequestId which can be used with Get-SignedArtifact.
.NOTES
  Author: SignPath GmbH
.LINK
  https://about.signpath.io/documentation/powershell/Submit-SigningRequest
#>

function Submit-SigningRequest {
  # Builds a request factory for one of three modes (resubmit, upload of a local file, or submission of an
  # artifact retrieval link) and hands it to SubmitHelper, whose result is returned unchanged.
  # NOTE(review): the request factories contain script blocks that refer to variables such as
  # $inputArtifactPath by name; presumably these are resolved when the request is built, so keep the
  # parameter and variable names in this function stable - confirm before refactoring.
  [CmdletBinding(DefaultParameterSetName = 'Submit')]
  Param(
    # URL to the SignPath REST API, e.g. 'https://app.signpath.io/api/'.
    # Every request URL in this function is derived from this value.
    # NOTE(review): no scheme or host check is visible in this function - confirm that the API token is
    # only ever sent over HTTPS to the intended host.
    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [string] $ApiUrl = "https://app.signpath.io/api/",

    # API token you receive when adding a new CI user or generating an API token for an interactive user.
    # Accepted as a plain string and passed on to SubmitHelper; supply it from a secret store or a
    # protected CI variable rather than as a literal in a script.
    [Parameter(Mandatory)]
    [Alias("CIUserToken")]
    [ValidateNotNullOrEmpty()]
    [string] $ApiToken,

    # ID of your SignPath organization.
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $OrganizationId,

    # ID of one of the project's artifact configurations.
    [Parameter(ParameterSetName = 'SubmitWithArtifact')]
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [string] $ArtifactConfigurationId,

    # ID of a project's signing policy.
    # NOTE(review): the resubmit branch below forwards only -SigningPolicySlug, not this ID - confirm.
    [Parameter()]
    [string] $SigningPolicyId,

    # Slug of the project.
    [Parameter(ParameterSetName = 'SubmitWithArtifact')]
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Alias("ProjectKey")]
    [string] $ProjectSlug,

    # Slug of one of the project's artifact configurations.
    # If not given, the default artifact configuration will be used instead.
    [Parameter(ParameterSetName = 'SubmitWithArtifact')]
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Alias("ArtifactConfigurationKey")]
    [string] $ArtifactConfigurationSlug,

    # Slug of one of the project's signing policies.
    [Parameter()]
    [Alias("SigningPolicyKey")]
    [string] $SigningPolicySlug,

    # Path of the artifact that you want to be signed.
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifact')]
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [string] $InputArtifactPath,

    # URL where the artifact that you want to be signed will be downloaded from.
    # The URL is written to the verbose stream when the request is built, so a link that embeds a
    # credential (for example a signed query string) will appear in -Verbose output.
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [string] $ArtifactRetrievalLink,

    # File name of the artifact to be signed.
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [string] $ArtifactRetrievalLinkFileName,

    # Optional file hash (in hex string format) of the artifact to sign (used to verify the artifact download).
    # Because it is optional, the download is only checked against a known value when you supply it;
    # prefer to always set it for artifacts fetched from a link.
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [string] $ArtifactRetrievalLinkSha256Hash,

    # Optional HTTP headers that will be used when downloading the artifact to sign.
    # The entries are added to the request through AddHashTableToHttpContent, which writes each
    # "key = value" pair to the verbose stream; if a header carries a credential, keep -Verbose output
    # out of shared build logs.
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [Hashtable] $ArtifactRetrievalLinkHttpHeaders,

    # Optional description of the signing request.
    [Parameter()]
    [string] $Description,

    # Information about the origin of the artifact, see https://about.signpath.io/documentation/powershell#submit-signingrequest
    # Keys ending in "File" (case-insensitive) are treated as uploads: the value must be "@<path>" and
    # that local file is read and attached to the request. Build this table from trusted values only.
    [Parameter(ParameterSetName = 'SubmitWithArtifact')]
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Hashtable] $Origin,

    # Values for parameters defined in the artifact configuration. See https://about.signpath.io/documentation/artifact-configuration#user-defined-parameters
    # Processed by the same helper as -Origin, so the "@<path>" file handling for keys ending in "File"
    # applies here as well.
    [Parameter(ParameterSetName = 'SubmitWithArtifact')]
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Hashtable] $Parameters,

    # Client certificate used for a secure Web API request. Not supported by SignPath.io directly, use for proxies.
    [Parameter()]
    [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate,

    # Total time in seconds that the cmdlet will wait for a single service call to succeed (across several retries). Defaults to 600 seconds.
    # NOTE(review): not referenced by name in this function body; presumably read by the retry helpers
    # through scope - confirm.
    [Parameter()]
    [int] $ServiceUnavailableTimeoutInSeconds = 600,

    # HTTP timeout used for upload and download HTTP requests. Defaults to 300 seconds.
    [Parameter()]
    [int] $UploadAndDownloadRequestTimeoutInSeconds = 300,

    # Re-sign an existing signing request. SigningPolicySlug or SigningPolicyId reference the original project's signing policy.
    [Parameter(Mandatory, ParameterSetName = 'Resubmit')]
    [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')]
    [switch] $Resubmit,

    # ID of the signing request that should be resubmitted.
    [Parameter(Mandatory, ParameterSetName = 'Resubmit')]
    [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [string] $OriginalSigningRequestId,

    # Wait for the signing request to complete.
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')]
    [switch] $WaitForCompletion,

    # Specifies the target path for the downloaded signed artifact. Defaults to InputArtifactPath with an added .signed extension (e.g. "Input.dll" => "Input.signed.dll").
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(Mandatory, ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Parameter(Mandatory, ParameterSetName = 'Resubmit_WaitForCompletion')]
    [ValidateNotNullOrEmpty()]
    [string] $OutputArtifactPath,

    # Maximum time in seconds that the cmdlet will wait for the signing request to complete (upload and download have no specific timeouts). Defaults to 600 seconds.
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Parameter(ParameterSetName = 'Resubmit_WaitForCompletion')]
    [int] $WaitForCompletionTimeoutInSeconds = 600,

    # Allows the cmdlet to overwrite the file at OutputArtifactPath.
    [Parameter(ParameterSetName = 'SubmitWithArtifact_WaitForCompletion')]
    [Parameter(ParameterSetName = 'SubmitWithArtifactRetrievalLink_WaitForCompletion')]
    [Parameter(ParameterSetName = 'Resubmit_WaitForCompletion')]
    [switch] $Force,

    # Timeout in seconds before the signing request gets canceled (from submission; specify 0 for no timeout). If -WaitForCompletion is specified, defaults to -WaitForCompletionTimeoutInSeconds value; otherwise: none.
    # The default of -1 is the "not specified" marker that the body below replaces.
    [int] $CancellationTimeoutInSeconds = -1
  )

  Set-StrictMode -Version 2.0

  $ApiUrl = GetVersionedApiUrl $ApiUrl
  Write-Verbose "Using versioned API URL: $ApiUrl"

  # -1 means the caller did not choose a cancellation timeout.
  if ($CancellationTimeoutInSeconds -eq -1) {
    # NOTE(review): the variable is declared [int]; confirm whether $null survives that type constraint
    # or is stored as 0 (the request factory only sends the value when it is truthy).
    $CancellationTimeoutInSeconds = $null;
    if ($WaitForCompletion.IsPresent) {
      $CancellationTimeoutInSeconds = $WaitForCompletionTimeoutInSeconds
      # Increase wait timeout to prevent a race condition
      $WaitForCompletionTimeoutInSeconds = $WaitForCompletionTimeoutInSeconds + 30;
    }
  }

  if($Resubmit.IsPresent) {
    # Resubmit: POST to <api>/<organization>/SigningRequests/Resubmit.
    $resubmitUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests", "Resubmit"))
    $requestFactory = CreateResubmitRequestFactory `
      -url $resubmitUrl `
      -originalSigningRequestId $OriginalSigningRequestId `
      -signingPolicySlug $SigningPolicySlug `
      -description $Description `
      -cancellationTimeoutInSeconds $CancellationTimeoutInSeconds

    return SubmitHelper "Resubmit" "Resubmitted" $requestFactory `
      -apiToken $ApiToken `
      -clientCertificate $ClientCertificate `
      -defaultHttpClientTimeoutInSeconds $DefaultHttpClientTimeoutInSeconds `
      -uploadAndDownloadRequestTimeoutInSeconds $UploadAndDownloadRequestTimeoutInSeconds `
      -waitForCompletionTimeoutInSeconds $WaitForCompletionTimeoutInSeconds `
      -waitForCompletion $WaitForCompletion.IsPresent `
      -outputArtifactPath $OutputArtifactPath `
      -force $Force.IsPresent
  } else {
    if ($InputArtifactPath) {
      # Local file upload. The default output path is derived from the path as the caller gave it,
      # before PrepareInputArtifactPath replaces it.
      if (-not $OutputArtifactPath) {
        $extension = [System.IO.Path]::GetExtension($InputArtifactPath)
        $OutputArtifactPath = [System.IO.Path]::ChangeExtension($InputArtifactPath, "signed$extension")
      }

      $InputArtifactPath = PrepareInputArtifactPath $InputArtifactPath
      Write-Verbose "Using input artifact: $InputArtifactPath"

      # The SHA-256 of the file about to be uploaded is only displayed here (useful as a record of what
      # was submitted); it is not passed to the request factory below.
      $hash = (Get-FileHash -Path $InputArtifactPath -Algorithm "SHA256").Hash
      Write-Host "SHA256 hash: $hash"

      $submitUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests"))
      $requestFactory = CreateSubmitWithArtifactRequestFactory `
        -Url $submitUrl `
        -ArtifactConfigurationId $ArtifactConfigurationId `
        -SigningPolicyId $SigningPolicyId `
        -ProjectSlug $ProjectSlug `
        -ArtifactConfigurationSlug $ArtifactConfigurationSlug `
        -SigningPolicySlug $SigningPolicySlug `
        -Description $Description `
        -InputArtifactPath $InputArtifactPath `
        -Origin $Origin `
        -Parameters $Parameters `
        -cancellationTimeoutInSeconds $CancellationTimeoutInSeconds
    } else {
      # No local file: submit a link from which the artifact is retrieved.
      $submitUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests", "SubmitWithArtifactRetrievalLink"))
      $requestFactory = CreateSubmitWithArtifactRetrievalLinkRequestFactory `
        -Url $submitUrl `
        -ArtifactConfigurationId $ArtifactConfigurationId `
        -SigningPolicyId $SigningPolicyId `
        -ProjectSlug $ProjectSlug `
        -ArtifactConfigurationSlug $ArtifactConfigurationSlug `
        -SigningPolicySlug $SigningPolicySlug `
        -Description $Description `
        -ArtifactRetrievalLink $ArtifactRetrievalLink `
        -ArtifactRetrievalLinkFileName $ArtifactRetrievalLinkFileName `
        -ArtifactRetrievalLinkSha256Hash $ArtifactRetrievalLinkSha256Hash `
        -ArtifactRetrievalLinkHttpHeaders $ArtifactRetrievalLinkHttpHeaders `
        -Origin $Origin `
        -Parameters $Parameters `
        -cancellationTimeoutInSeconds $CancellationTimeoutInSeconds
    }

    return SubmitHelper "Submit" "Submitted" $requestFactory `
        -apiToken $ApiToken `
        -clientCertificate $ClientCertificate `
        -defaultHttpClientTimeoutInSeconds $DefaultHttpClientTimeoutInSeconds `
        -uploadAndDownloadRequestTimeoutInSeconds $UploadAndDownloadRequestTimeoutInSeconds `
        -waitForCompletionTimeoutInSeconds $WaitForCompletionTimeoutInSeconds `
        -waitForCompletion $WaitForCompletion.IsPresent `
        -outputArtifactPath $OutputArtifactPath `
        -force $Force.IsPresent
  }
}

<#
.SYNOPSIS
    Downloads a signed artifact based on a signing request ID.
.DESCRIPTION
    The Get-SignedArtifact cmdlet waits for a given signing request to finish and downloads the resulting artifact.
 
    If the request couldn't be downloaded in time, because the processing took too long or the request is invalid, this cmdlet will throw exceptions.
.EXAMPLE
  Get-SignedArtifact `
    -OutputArtifactPath Program.exe `
    -ApiToken /Joe3s2m7hkhVyoba4H4weqj9UxIk6nKRXGhGbH7nv4= `
    -OrganizationId 1c0ab26c-12f3-4c6e-a043-2568e133d2de `
    -SigningRequestId 711960ed-bdb8-41cd-a6bf-a10d0ae3cfcd
.EXAMPLE
  $signingRequestID = Submit-SigningRequest `
    -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN `
    -ProjectSlug $PROJECT -SigningPolicySlug $SIGNING_POLICY `
    -ArtifactConfigurationSlug $ARTIFACT_CONFIGURATION `
    -InputArtifactPath $PATH_TO_INPUT_ARTIFACT
 
PS > Get-SignedArtifact `
    -OrganizationId $ORGANIZATION_ID -ApiToken $API_TOKEN `
    -SigningRequestId $signingRequestID `
    -OutputArtifactPath $PATH_TO_OUTPUT_ARTIFACT
.OUTPUTS
    Returns void but creates a file in the given OutputArtifactPath on success.
.NOTES
  Author: SignPath GmbH
.LINK
  https://about.signpath.io/documentation/powershell/Get-SignedArtifact
#>

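function Get-SignedArtifact {
  # Waits for the given signing request to complete and writes the signed artifact to OutputArtifactPath.
  # Two authorized HTTP clients are used: one with the default timeout for status polling and one with
  # the upload/download timeout for fetching the artifact.
  [CmdletBinding()]
  Param(
    # URL to the SignPath REST API, e.g. https://app.signpath.io/api/.
    # NOTE(review): no scheme or host check is visible in this function - confirm that the API token is
    # only ever sent over HTTPS to the intended host.
    [Parameter()]
    [ValidateNotNullOrEmpty()]
    [string] $ApiUrl = "https://app.signpath.io/api/",

    # API token you receive when adding a new CI user or generating an API token for an interactive user.
    # Accepted as a plain string; supply it from a secret store or a protected CI variable rather than
    # as a literal in a script.
    [Parameter(Mandatory)]
    [Alias("CIUserToken")]
    [ValidateNotNullOrEmpty()]
    [string] $ApiToken,

    # ID of your SignPath organization.
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $OrganizationId,

    # ID of the signing request.
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $SigningRequestId,

    # Specifies the target path for the downloaded signed artifact.
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $OutputArtifactPath,

    # Client certificate used for a secure Web API request. Not supported by SignPath.io directly, use for proxies.
    [Parameter()]
    [System.Security.Cryptography.X509Certificates.X509Certificate2] $ClientCertificate,

    # Total time in seconds that the cmdlet will wait for a single service call to succeed (across several retries). Defaults to 600 seconds.
    # NOTE(review): not referenced by name in this function body; presumably read by the retry helpers
    # through scope - confirm.
    [Parameter()]
    [int] $ServiceUnavailableTimeoutInSeconds = 600,

    # HTTP timeout used for upload and download HTTP requests. Defaults to 300 seconds.
    [Parameter()]
    [int] $UploadAndDownloadRequestTimeoutInSeconds = 300,

    # Maximum time in seconds that the cmdlet will wait for the signing request to complete (upload and download have no specific timeouts). Defaults to 600 seconds.
    [Parameter()]
    [int] $WaitForCompletionTimeoutInSeconds = 600,

    # Allows the cmdlet to overwrite the file at OutputArtifactPath.
    [Parameter()]
    [switch] $Force
  )

  Set-StrictMode -Version 2.0

  $ApiUrl = GetVersionedApiUrl $ApiUrl
  Write-Verbose "Using versioned API URL: $ApiUrl"

  $OutputArtifactPath = PrepareOutputArtifactPath $Force $OutputArtifactPath
  Write-Verbose "Will write signed artifact to: $OutputArtifactPath"

  CreateAndUseAuthorizedHttpClient $ApiToken -ClientCertificate $ClientCertificate -Timeout $DefaultHttpClientTimeoutInSeconds {
    Param ([System.Net.Http.HttpClient] $defaultHttpClient)

    # The download client receives the client certificate as well, matching SubmitHelper; without it the
    # artifact download would be the only call made without the certificate the caller asked for.
    CreateAndUseAuthorizedHttpClient $ApiToken -ClientCertificate $ClientCertificate -Timeout $UploadAndDownloadRequestTimeoutInSeconds {
      Param ([System.Net.Http.HttpClient] $uploadAndDownloadHttpClient)

      $expectedSigningRequestUrl = [string]::Join("/", @($ApiUrl.Trim("/"), $OrganizationId, "SigningRequests", $SigningRequestId))

      # NOTE(review): $downloadUrl is whatever the helper returns and is then fetched with an authorized
      # client; no check that it stays under $ApiUrl is visible here - confirm in the helper.
      $downloadUrl = WaitForCompletionAndRetrieveSignedArtifactDownloadLink `
        -httpClient $defaultHttpClient `
        -url $expectedSigningRequestUrl `
        -WaitForCompletionTimeoutInSeconds $WaitForCompletionTimeoutInSeconds `
        -WaitForCompletionRetryTimeoutInSeconds $WaitForCompletionRetryTimeoutInSeconds `
        -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds

      DownloadArtifact `
        -HttpClient $uploadAndDownloadHttpClient `
        -Url $downloadUrl `
        -Path $OutputArtifactPath `
        -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds
    }
  }
}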

<#
.SYNOPSIS
    Gets a certificate from the specified certificate store by its Microsoft AD CS template ID.
.DESCRIPTION
    Use this cmdlet to get an X.509 certificate object enrolled using Active Directory Certificate Services (AD CS) from its template ID.
    This can be used to authenticate group memberships via mTLS client certificates:
      * Create a client certificate template in AD CS and assign it to a user or computer group
      * Use this cmdlet to select the correct certificate for mTLS authentication
      * Provide the certificate to SignPath cmdlets using the -ClientCertificate parameter
.EXAMPLE
  $certificate = Get-CertificateByMicrosoftTemplateId -Store CurrentUser -TemplateId 1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8
.OUTPUTS
    Returns an X509Certificate2 instance on success.
.NOTES
  Author: SignPath GmbH
.LINK
  https://about.signpath.io/documentation/powershell/Get-CertificateByMicrosoftTemplateId
#>

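function Get-CertificateByMicrosoftTemplateId {
  # Returns the single certificate in the "My" store of the given location whose Microsoft certificate
  # template extension contains the encoded template ID. Throws when no certificate or more than one
  # certificate matches.
  # NOTE(review): only the template extension is inspected here; validity period, private-key presence
  # and issuer are not checked - confirm whether callers need those checks before using the result for
  # mTLS.
  [CmdletBinding()]
  Param(
    # The store that will be searched for the certificate.
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [System.Security.Cryptography.X509Certificates.StoreLocation] $Store,

    # The Microsoft AD CS template ID in OID format (a dotted number sequence, e.g. 1.2.3.4).
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string] $TemplateId
  )

  $storeLocationPath = "cert:\${Store}\My"

  # The template extension holds an ASN.1 structure, but PowerShell classic has no ASN.1 reader classes.
  # Instead, the encoded template ID is searched for as a byte sequence; both sides are rendered as
  # hyphen-separated hex strings so that IndexOf can be used.
  $templateIdBytes = [System.Security.Cryptography.CryptoConfig]::EncodeOID($TemplateId)
  $templateIdString = [BitConverter]::ToString($templateIdBytes)

  $matchingCertificates = @(
    Get-ChildItem $storeLocationPath `
    | Where-Object {
      # = MS CertificateTemplate, see https://oidref.com/1.3.6.1.4.1.311.21.7
      $extension = $_.Extensions["1.3.6.1.4.1.311.21.7"]

      if ($extension -and $extension.RawData) {
        $extensionBytesString = [BitConverter]::ToString($extension.RawData)
        # Ordinal comparison: this is a byte-pattern search, so the result must not depend on the
        # current culture's string comparison rules.
        return $extensionBytesString.IndexOf($templateIdString, [System.StringComparison]::Ordinal) -ge 0
      }

      # Certificates without the template extension never match.
      return $false
    }
  )

  # Exactly one match is required so that the caller never gets an arbitrary pick among several.
  if ($matchingCertificates.Count -eq 0) {
    throw "Cannot find any certificate in '$Store' that matches the template ID '$TemplateId'."
  } elseif ($matchingCertificates.Count -gt 1) {
    throw "Found multiple certificates in '$Store' that match the template ID '$TemplateId'."
  } else {
    return $matchingCertificates[0]
  }
}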

function GetVersionedApiUrl ([string] $apiUrl) {
  # Appends the API version segment used by this module to the base URL. Slashes at either end of the
  # base URL are removed first so that exactly one "/" separates the two parts.
  $apiVersionSegment = "v1"
  $trimmedBaseUrl = $apiUrl.Trim("/")
  return "$trimmedBaseUrl/$apiVersionSegment"
}

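# Sends the request produced by $requestFactory, reports the URL of the created signing request and,
# when $waitForCompletion is set, waits for completion and downloads the signed artifact to
# $outputArtifactPath. Returns the signing request ID parsed from the Location header of the response.
# $verb and $verbPastTense are only used in log messages. Throws when no signing request ID can be
# parsed from the Location header.
function SubmitHelper ([string] $verb,
                       [string] $verbPastTense,
                       [ScriptBlock] $requestFactory,
                       [string] $apiToken,
                       [System.Security.Cryptography.X509Certificates.X509Certificate2] $clientCertificate,
                       [int] $defaultHttpClientTimeoutInSeconds,
                       [int] $uploadAndDownloadRequestTimeoutInSeconds,
                       [int] $waitForCompletionTimeoutInSeconds,
                       [bool] $waitForCompletion,
                       [string] $outputArtifactPath,
                       [bool] $force) {
  # Two authorized clients: one with the default timeout for status calls, one with the longer
  # upload/download timeout. Both receive the client certificate.
  CreateAndUseAuthorizedHttpClient $apiToken -ClientCertificate $clientCertificate -Timeout $defaultHttpClientTimeoutInSeconds {
    Param ([System.Net.Http.HttpClient] $defaultHttpClient)

    CreateAndUseAuthorizedHttpClient $apiToken -ClientCertificate $clientCertificate -Timeout $uploadAndDownloadRequestTimeoutInSeconds {
      Param ([System.Net.Http.HttpClient] $uploadAndDownloadHttpClient)

      # Resolve the output path before submitting, so that a problem with it is reported before a
      # signing request has been created.
      if ($waitForCompletion) {
        $outputArtifactPath = PrepareOutputArtifactPath $force $outputArtifactPath
        Write-Verbose "Will write output artifact to: $outputArtifactPath"
      }

      $response = $null
      try {
        Write-Verbose "$verb signing request..."
        # NOTE(review): $HttpClient is not declared in this function; neither script block parameter has
        # that name. Presumably it resolves through scope to a variable of the calling helper - confirm
        # which client (and therefore which timeout) is used for the submission.
        $response = SendWithRetry `
          -HttpClient $HttpClient `
          -RequestFactory $requestFactory `
          -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds
        CheckResponse $response -ExpectLocationHeader

        # NOTE(review): the Location header comes from the server and is polled below with an authorized
        # client; no check that it stays under the API URL is visible here - confirm in the helpers.
        $getUrl = $response.Headers.Location.AbsoluteUri
        Write-Host "$verbPastTense signing request at '$getUrl'"
      } finally {
        if ((Test-Path variable:response) -and $null -ne $response) {
          $response.Dispose()
        }
      }

      if ($waitForCompletion) {
        $downloadUrl = WaitForCompletionAndRetrieveSignedArtifactDownloadLink `
          -HttpClient $defaultHttpClient `
          -Url $getUrl `
          -WaitForCompletionTimeoutInSeconds $waitForCompletionTimeoutInSeconds `
          -WaitForCompletionRetryTimeoutInSeconds $WaitForCompletionRetryTimeoutInSeconds `
          -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds

        DownloadArtifact `
          -HttpClient $uploadAndDownloadHttpClient `
          -Url $downloadUrl `
          -Path $outputArtifactPath `
          -ServiceUnavailableRetryTimeoutInSeconds $ServiceUnavailableRetryTimeoutInSeconds
      }

      $guidRegex = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
      $pattern = [regex]"SigningRequests/($guidRegex)"
      # Check the match result: after a failed match $matches is either unset or still holds the groups of
      # an earlier, unrelated match, so reading it unconditionally could return a wrong ID.
      if (-not ($getUrl -match $pattern)) {
        throw "Cannot parse a signing request ID from the Location header value '$getUrl'."
      }
      $signingRequestId = $matches[1]
      Write-Verbose "Parsed signing request ID: $signingRequestId"
      return $signingRequestId
    }
  }
}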

# Creates the request factory for submitting a local file: all arguments except $inputArtifactPath are
# forwarded to CreateSubmitRequestFactory, together with a script block that attaches the file as the
# "Artifact" part of the multipart content.
function CreateSubmitWithArtifactRequestFactory (
  [string] $url,
  [string] $artifactConfigurationId,
  [string] $signingPolicyId,
  [string] $projectSlug,
  [string] $artifactConfigurationSlug,
  [string] $signingPolicySlug,
  [string] $description,
  [string] $inputArtifactPath,
  [Hashtable] $origin,
  [Hashtable] $parameters,
  [Nullable[int]] $cancellationTimeoutInSeconds
) {
  return CreateSubmitRequestFactory `
    -Url $url `
    -ArtifactConfigurationId $artifactConfigurationId `
    -SigningPolicyId $signingPolicyId `
    -ProjectSlug $projectSlug `
    -ArtifactConfigurationSlug $artifactConfigurationSlug `
    -SigningPolicySlug $signingPolicySlug `
    -Description $description `
    -Origin $origin `
    -Parameters $parameters `
    -CancellationTimeoutInSeconds $cancellationTimeoutInSeconds `
    -AddAdditionalContent {
      # NOTE(review): $inputArtifactPath is referenced by name and presumably resolved when this block
      # runs, not when it is created - confirm before renaming variables in the callers.
      Param ($content)

      # Opened read-only. The stream is handed to StreamContent and not disposed in this block;
      # presumably it is released when the content or request is disposed by the caller - confirm.
      $packageFileStream = New-Object System.IO.FileStream ($inputArtifactPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
      $streamContent = New-Object System.Net.Http.StreamContent $packageFileStream
      # PLANNED SIGN-988 This shouldn't be needed anymore
      $streamContent.Headers.ContentType = New-Object System.Net.Http.Headers.MediaTypeHeaderValue "application/octet-stream"
      # Only the file name, not the local directory path, is sent as the part's file name.
      $fileName = [System.IO.Path]::GetFileName($inputArtifactPath)
      $content.Add($streamContent, "Artifact", $fileName)
      Write-Verbose "Artifact: $fileName"
    }
}

# Creates the request factory for submitting an artifact retrieval link: the common arguments are
# forwarded to CreateSubmitRequestFactory, together with a script block that adds the link URL, file
# name, SHA-256 hash and optional HTTP headers as "ArtifactRetrievalLink.*" form fields.
function CreateSubmitWithArtifactRetrievalLinkRequestFactory (
  [string] $url,
  [string] $artifactConfigurationId,
  [string] $signingPolicyId,
  [string] $projectSlug,
  [string] $artifactConfigurationSlug,
  [string] $signingPolicySlug,
  [string] $description,
  [string] $artifactRetrievalLink,
  [string] $artifactRetrievalLinkFileName,
  [string] $artifactRetrievalLinkSha256Hash,
  [HashTable] $artifactRetrievalLinkHttpHeaders,
  [Hashtable] $origin,
  [Hashtable] $parameters,
  [Nullable[int]] $cancellationTimeoutInSeconds
) {
  return CreateSubmitRequestFactory `
    -Url $url `
    -ArtifactConfigurationId $artifactConfigurationId `
    -SigningPolicyId $signingPolicyId `
    -ProjectSlug $projectSlug `
    -ArtifactConfigurationSlug $artifactConfigurationSlug `
    -SigningPolicySlug $signingPolicySlug `
    -Description $description `
    -Origin $origin `
    -Parameters $parameters `
    -CancellationTimeoutInSeconds $cancellationTimeoutInSeconds `
    -AddAdditionalContent {
      # NOTE(review): the $artifactRetrievalLink* variables are referenced by name and presumably
      # resolved when this block runs - confirm before renaming variables in the callers.
      Param ($content, $addHashTableToHttpContent)

      # The link is written to the verbose stream; a URL that embeds a credential (for example a signed
      # query string) will therefore appear in -Verbose output.
      $content.Add((New-Object System.Net.Http.StringContent $artifactRetrievalLink), "ArtifactRetrievalLink.Url")
      Write-Verbose "ArtifactRetrievalLink: $artifactRetrievalLink"

      $content.Add((New-Object System.Net.Http.StringContent $artifactRetrievalLinkFileName), "ArtifactRetrievalLink.FileName")
      Write-Verbose "ArtifactRetrievalLinkFileName: $artifactRetrievalLinkFileName"

      # The hash field is added unconditionally, also when no hash was supplied.
      # NOTE(review): confirm how the service treats an empty value (presumably the download is then
      # not checked against a hash).
      $content.Add((New-Object System.Net.Http.StringContent $artifactRetrievalLinkSha256Hash), "ArtifactRetrievalLink.Sha256Hash")
      Write-Verbose "ArtifactRetrievalLinkSha256Hash: $artifactRetrievalLinkSha256Hash"

      # Header entries go through the shared hashtable helper, which writes each "key = value" pair to
      # the verbose stream; header values that are credentials end up in -Verbose output.
      if ($artifactRetrievalLinkHttpHeaders) {
        & $addHashTableToHttpContent $content $artifactRetrievalLinkHttpHeaders "ArtifactRetrievalLink.HttpHeaders"
      }
    }
}

function CreateSubmitRequestFactory (
  [string] $url,
  [string] $artifactConfigurationId,
  [string] $signingPolicyId,
  [string] $projectSlug,
  [string] $artifactConfigurationSlug,
  [string] $signingPolicySlug,
  [string] $description,
  [Hashtable] $origin,
  [Hashtable] $parameters,
  [ScriptBlock] $addAdditionalContent,
  [Nullable[int]] $cancellationTimeoutInSeconds) {
  $local:IsVerboseEnabled = $null -ne $PSCmdlet.MyInvocation.BoundParameters["Verbose"] -and $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent

  return {
    function AddHashTableToHttpContent ($content, $hashtable, $baseKey) {
      function AddToHttpContent ($content, $baseKey, $key, $value) {
        # All parameters ending in "File" are interpreted as streams
        if ( $key.ToLower().EndsWith("file")) {
          if ( $value.StartsWith("@")) {
            $filePath = $value.Substring(1)
            $packageFileStream = New-Object System.IO.FileStream ($filePath, [System.IO.FileMode]::Open)
            $streamContent = New-Object System.Net.Http.StreamContent $packageFileStream
            # PLANNED SIGN-988 This shouldn't be needed anymore
            $streamContent.Headers.ContentType = New-Object System.Net.Http.Headers.MediaTypeHeaderValue "application/octet-stream"
            $fileName = [System.IO.Path]::GetFileName($filePath)
            $content.Add($streamContent, "$baseKey.$key", $fileName)
            Write-Verbose "Adding file content to origin: $baseKey.$key = $fileName"
          } else {
            # IDEA: We will later on support non-file parameter values here too, for now we throw
            throw "*File origin parameters must start with @ to indicate a file path"
          }
        } else {
          $stringContent = New-Object System.Net.Http.StringContent $value
          $content.Add($stringContent, "$baseKey.$key")
          Write-Verbose "Add normal content to origin: $baseKey.$key = $value"
        }
      }

      Write-Verbose "Recursive add base key: $baseKey"
      foreach ($kvp in $hashtable.GetEnumerator()) {
        if ($kvp.Value.GetType().Name -eq "Hashtable") {
          Write-Verbose "$($kvp.Key) is a Hashtable, enter next recursion level"
          AddHashTableToHttpContent $content $kvp.Value "$baseKey.$($kvp.Key)"
        }
        else {
          AddToHttpContent $content $baseKey $kvp.Key $kvp.Value
        }
      }
    }

    if ($IsVerboseEnabled) {
      $VerbosePreference = "Continue"
    }

    $content = New-Object System.Net.Http.MultipartFormDataContent

    try {
      if ($artifactConfigurationId) {
        Write-Verbose "ArtifactConfigurationId: $artifactConfigurationId"
        $artifactConfigurationIdContent = New-Object System.Net.Http.StringContent $artifactConfigurationId
        $content.Add($artifactConfigurationIdContent, "ArtifactConfigurationId")
      }

      if ($signingPolicyId) {
        Write-Verbose "SigningPolicyId: $signingPolicyId"
        $signingPolicyIdContent = New-Object System.Net.Http.StringContent $signingPolicyId
        $content.Add($signingPolicyIdContent, "SigningPolicyId")
      }

      if ($projectSlug) {
        Write-Verbose "ProjectSlug: $projectSlug"
        $projectSlugContent = New-Object System.Net.Http.StringContent $projectSlug
        $content.Add($projectSlugContent, "ProjectSlug")
      }

      if ($artifactConfigurationSlug) {
        Write-Verbose "ArtifactConfigurationSlug: $artifactConfigurationSlug"
        $artifactConfigurationSlugContent = New-Object System.Net.Http.StringContent $artifactConfigurationSlug
        $content.Add($artifactConfigurationSlugContent, "ArtifactConfigurationSlug")
      }

      if ($signingPolicySlug) {
        Write-Verbose "SigningPolicySlug: $signingPolicySlug"
        $signingPolicySlugContent = New-Object System.Net.Http.StringContent $signingPolicySlug
        $content.Add($signingPolicySlugContent, "SigningPolicySlug")
      }

      if ($cancellationTimeoutInSeconds) {
        Write-Verbose "CancellationTimeoutInSeconds: $cancellationTimeoutInSeconds"
        $cancellationTimeoutContent = New-Object System.Net.Http.StringContent $cancellationTimeoutInSeconds
        $content.Add($cancellationTimeoutContent, "CancellationTimeoutInSeconds")
      }

      Write-Verbose "Description: $description"
      $descriptionContent = New-Object System.Net.Http.StringContent $description
      $content.Add($descriptionContent, "Description")

      $addHashTableToHttpContent = Get-Item Function:/AddHashTableToHttpContent

      . $addAdditionalContent $content $addHashTableToHttpContent

      if ($origin) {
        Write-Verbose "Adding all origin parameters..."
        AddHashTableToHttpContent $content $origin "Origin"
      }

      if ($parameters) {
        Write-Verbose "Adding all signing request parameters..."
        AddHashTableToHttpContent $content $parameters "Parameters"
      }

      $request = New-Object System.Net.Http.HttpRequestMessage Post, $url
      $request.Content = $content

      Write-Verbose "Request URL: $url"
      return $request
      # Only dispose the content in case of exceptions, otherwise the caller is responsible for disposing the whole request after it has been performed.
    } catch {
      $content.Dispose()
      throw
    }
  }.GetNewClosure()
}

# Builds a request factory (a script block) for re-submitting an existing signing request.
# The returned script block creates a fresh multipart/form-data POST request each time it is invoked.
#   $url                          - target URL of the POST request
#   $originalSigningRequestId     - sent as form field "OriginalSigningRequestId"
#   $signingPolicySlug            - sent as form field "SigningPolicySlug"
#   $description                  - sent as form field "Description"
#   $cancellationTimeoutInSeconds - sent as form field "CancellationTimeoutInSeconds" only when it is truthy
#                                   (neither $null nor 0)
# All field values are also echoed through Write-Verbose.
function CreateResubmitRequestFactory (
  [string] $url,
  [string] $originalSigningRequestId,
  [string] $signingPolicySlug,
  [string] $description,
  [Nullable[int]] $cancellationTimeoutInSeconds
) {
  # $PSCmdlet is not a parameter of this function; it is resolved from an enclosing scope.
  # NOTE(review): presumably the calling cmdlet's $PSCmdlet - confirm.
  $local:IsVerboseEnabled = $null -ne $PSCmdlet.MyInvocation.BoundParameters["Verbose"] -and $PSCmdlet.MyInvocation.BoundParameters["Verbose"].IsPresent

  return {
    # Re-enable verbose output inside the script block when the caller asked for -Verbose.
    if ($IsVerboseEnabled) {
      $VerbosePreference = "Continue"
    }

    $content = New-Object System.Net.Http.MultipartFormDataContent

    try {

      Write-Verbose "OriginalSigningRequestId: $originalSigningRequestId"
      $originalSigningRequestIdContent = New-Object System.Net.Http.StringContent $originalSigningRequestId
      $content.Add($originalSigningRequestIdContent, "OriginalSigningRequestId")

      Write-Verbose "SigningPolicySlug: $signingPolicySlug"
      $signingPolicySlugContent = New-Object System.Net.Http.StringContent $signingPolicySlug
      $content.Add($signingPolicySlugContent, "SigningPolicySlug")

      Write-Verbose "Description: $description"
      $descriptionContent = New-Object System.Net.Http.StringContent $description
      $content.Add($descriptionContent, "Description")

      # Optional field: skipped when no timeout was given (or when it is 0).
      if ($cancellationTimeoutInSeconds){
        Write-Verbose "CancellationTimeoutInSeconds: $cancellationTimeoutInSeconds"
        $cancellationTimeoutContent = New-Object System.Net.Http.StringContent $cancellationTimeoutInSeconds
        $content.Add($cancellationTimeoutContent, "CancellationTimeoutInSeconds")
      }

      $request = New-Object System.Net.Http.HttpRequestMessage Post, $url
      $request.Content = $content

      Write-Verbose "Request URL: $url"
      return $request
      # Only dispose the content in case of exceptions, otherwise the caller is responsible for disposing the whole request after it has been performed.
    } catch {
      $content.Dispose()
      throw
    }
  # GetNewClosure binds the script block to the variables visible here (the parameters and
  # $IsVerboseEnabled), so it can be invoked later from a different scope.
  }.GetNewClosure()
}

# Sends a GET request to $url through SendWithRetry and returns the resulting response.
# A new HttpRequestMessage is created for every attempt, because the factory is invoked once per try.
function GetWithRetry ([System.Net.Http.HttpClient] $httpClient, [string] $url, [int] $serviceUnavailableRetryTimeoutInSeconds) {
  # The closure captures $url so the factory still works when invoked inside SendWithRetry.
  $getRequestFactory = { New-Object System.Net.Http.HttpRequestMessage Get, $url }.GetNewClosure()

  return SendWithRetry `
    -HttpClient $httpClient `
    -RequestFactory $getRequestFactory `
    -ServiceUnavailableRetryTimeoutInSeconds $serviceUnavailableRetryTimeoutInSeconds
}

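# Sends the request produced by $requestFactory and retries on transient failures.
#   $httpClient                              - client used to send the request
#   $requestFactory                          - script block returning a new HttpRequestMessage; invoked once per attempt
#   $serviceUnavailableRetryTimeoutInSeconds - pause between two attempts
# Returns the HttpResponseMessage of the first attempt that is not retryable; the caller owns and disposes it.
# Retryable: status 502, 503, 504, 429, HttpRequestException and TaskCanceledException.
# Throws the last retry reason once the overall time budget is used up.
#
# $ServiceUnavailableTimeoutInSeconds (the overall budget) is not a parameter of this function; it is
# resolved from an enclosing scope.
# NOTE(review): presumably the calling cmdlet's parameter - confirm. If it is not defined there, the
# retry branch is presumably never taken and the first failure aborts.
function SendWithRetry (
  [System.Net.Http.HttpClient] $httpClient,
  [ScriptBlock] $requestFactory,
  [int] $serviceUnavailableRetryTimeoutInSeconds) {

  # Implements rules from https://wiki.rubicon.eu/x/WxWZGg

  $sw = [System.Diagnostics.Stopwatch]::StartNew()
  $retry = 0

  while ($true) {
    $retryReason = $null

    if ($retry -gt 0) {
      Write-Host "Retry $retry..."
    }

    $request = $null
    try {
      Write-Verbose "Generating request..."
      $request = & $requestFactory

      $userAgentString = GetUserAgentString
      $request.Headers.Add("User-Agent", $userAgentString)

      Write-Verbose "HttpClient timeout: $($httpClient.Timeout)"
      Write-Verbose "Sending request..."
      # ResponseHeadersRead: return as soon as the headers are available, the body is read by the caller.
      $response = $httpClient.SendAsync($request, [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead).GetAwaiter().GetResult()

      Write-Verbose "Response status code: $($response.StatusCode)"
      if ($response.StatusCode -eq 502 -or $response.StatusCode -eq 503) {
        $retryReason = "SignPath REST API is temporarily unavailable. Please try again in a few moments."
      } elseif ($response.StatusCode -eq 504) {
        $retryReason = "SignPath REST API answer time exceeded the timeout ($($HttpClient.Timeout))."
      } elseif ($response.StatusCode -eq 429) {
        $retryReason = "SignPath REST API encountered too many requests. Please try again in a few moments."
      } else {
        return $response
      }

      # Only retryable responses reach this line. They are never handed to the caller, so release
      # them here instead of keeping one undisposed response per failed attempt.
      $response.Dispose()
    } catch [System.Net.Http.HttpRequestException] {
      Write-Verbose "Request failed with HttpRequestException"
      $retryReason = $_
    } catch [System.Threading.Tasks.TaskCanceledException] {
      Write-Verbose "Request failed with TaskCanceledException"
      $retryReason = "SignPath REST API answer time exceeded the timeout ($($HttpClient.Timeout))."
    } finally {
      # The request (and its content) is single-use; the next attempt builds a new one.
      Write-Verbose "Disposing request"
      if ($null -ne $request) {
        $request.Dispose()
      }
    }

    Write-Verbose "Retry reason: $retryReason"

    # Retry only when the next pause still fits into the overall budget.
    if (($sw.Elapsed.TotalSeconds + $serviceUnavailableRetryTimeoutInSeconds) -lt $ServiceUnavailableTimeoutInSeconds) {
      Write-Host "SignPath REST API call failed. Retrying in ${serviceUnavailableRetryTimeoutInSeconds}s..."
      Start-Sleep -Seconds $serviceUnavailableRetryTimeoutInSeconds
    } else {
      Write-Host "SignPath REST API could not be called successfully in $($retry + 1) tries. Aborting"
      throw $retryReason
    }

    $retry++
  }
}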

# Builds the User-Agent header value in the form
# "SignPath.PowerShellModule/<module version> (<OS version string>; <x64|x86>; <PS edition> <PS version>)".
# The value discloses the client's OS version, process bitness and PowerShell version.
function GetUserAgentString {
  $product = "SignPath.PowerShellModule"
  $productVersion = $MyInvocation.MyCommand.ScriptBlock.Module.Version
  $osDescription = [System.Environment]::OSVersion.VersionString
  $bitness = if ([System.Environment]::Is64BitProcess) { "x64" } else { "x86" }
  $shellDescription = "$($PSVersionTable.PSEdition) $($PSVersionTable.PSVersion)"

  return "${product}/${productVersion} (${osDescription}; ${bitness}; ${shellDescription})"
}

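# Downloads the signed artifact from $url and writes it to $path.
#   $httpClient                              - client used for the download
#   $url                                     - download URL
#   $path                                    - target file; missing parent directories are created and an
#                                              existing file is overwritten (FileMode 'Create')
#   $serviceUnavailableRetryTimeoutInSeconds - pause between retries, passed on to GetWithRetry
# Throws when the request fails or the response is not a success response (see CheckResponse).
# When the download fails after the target file has been opened, the partially written file is removed,
# so a truncated file is not left where a signed artifact is expected.
# NOTE(review): if $httpClient carries a default Authorization header, that header is sent to whatever
# host $url names - confirm that callers only pass SignPath API URLs.
function DownloadArtifact (
  [System.Net.Http.HttpClient] $httpClient,
  [string] $url,
  [string] $path,
  [int] $serviceUnavailableRetryTimeoutInSeconds) {

  # Initialise every disposable locally, so the cleanup below can never pick up a variable of the
  # same name from a calling scope.
  $downloadResponse = $null
  $stream = $null
  $streamToWriteTo = $null
  $downloadCompleted = $false
  try {
    Write-Host "Downloading signed artifact..."
    $downloadResponse = GetWithRetry `
      -HttpClient $httpClient `
      -Url $url `
      -ServiceUnavailableRetryTimeoutInSeconds $serviceUnavailableRetryTimeoutInSeconds
    CheckResponse $downloadResponse

    $pathWithoutFile = [System.IO.Path]::GetDirectoryName($path)
    [System.IO.Directory]::CreateDirectory($pathWithoutFile) | Out-Null

    $stream = $downloadResponse.Content.ReadAsStreamAsync().GetAwaiter().GetResult()
    $streamToWriteTo = [System.IO.File]::Open($path, 'Create')
    $stream.CopyToAsync($streamToWriteTo).GetAwaiter().GetResult() | Out-Null
    $downloadCompleted = $true
    Write-Host "Downloaded signed artifact and saved at '$path'"
  } finally {
    if ($null -ne $downloadResponse) {
      $downloadResponse.Dispose()
    }

    if ($null -ne $stream) {
      $stream.Dispose()
    }

    if ($null -ne $streamToWriteTo) {
      $streamToWriteTo.Dispose()

      if (-not $downloadCompleted) {
        # Best-effort cleanup while the original error propagates; a failure to delete must not hide it.
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
      }
    }
  }
}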

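# Polls the signing request at $url until it reaches a final status or the timeout expires, then
# returns the download link of the signed artifact.
#   $httpClient                              - client used for polling
#   $url                                     - URL of the signing request
#   $waitForCompletionTimeoutInSeconds       - overall polling budget
#   $waitForCompletionRetryTimeoutInSeconds  - pause between two polls
#   $serviceUnavailableRetryTimeoutInSeconds - pause between retries, passed on to GetWithRetry
# Returns the "signedArtifactLink" property of the last JSON response. The value is taken from the
# server response as-is; it is not validated here.
# Throws when the request ends in any status other than "Completed", when the timeout expires, or when
# the response carries no "signedArtifactLink".
function WaitForCompletionAndRetrieveSignedArtifactDownloadLink (
  [System.Net.Http.HttpClient] $httpClient,
  [string] $url,
  [int] $waitForCompletionTimeoutInSeconds,
  [int] $waitForCompletionRetryTimeoutInSeconds,
  [int] $serviceUnavailableRetryTimeoutInSeconds) {

  $StatusComplete = "Completed"
  $StatusFailed = "Failed"
  $StatusDenied = "Denied"
  $StatusCanceled = "Canceled"
  $WorkflowStatusArtifactRetrievalFailed = "ArtifactRetrievalFailed"

  $getResponse = $null
  try {
    $resultJson = $null
    $status = $null
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    do {
      Write-Host "Checking status... " -NoNewline

      $getResponse = GetWithRetry -HttpClient $httpClient -Url $url -ServiceUnavailableRetryTimeoutInSeconds $serviceUnavailableRetryTimeoutInSeconds

      CheckResponse $getResponse
      $resultJson = $getResponse.Content.ReadAsStringAsync().GetAwaiter().GetResult() | ConvertFrom-Json

      # The body has been read completely; release this poll's response right away instead of
      # leaving every response but the last one undisposed.
      $getResponse.Dispose()
      $getResponse = $null

      $status = $resultJson.status
      $workflowStatus = $resultJson.workflowStatus
      Write-Host $status

      if ($resultJson.isFinalStatus) {
        break
      }

      Write-Verbose "Waiting for $waitForCompletionRetryTimeoutInSeconds seconds until checking again..."
      Start-Sleep -Seconds $waitForCompletionRetryTimeoutInSeconds
    } while ($sw.Elapsed.TotalSeconds -lt $waitForCompletionTimeoutInSeconds)

    $timeoutExpired = $sw.Elapsed.TotalSeconds -ge $waitForCompletionTimeoutInSeconds
    # Specific failure statuses take precedence over the timeout message.
    if ($status -ne $StatusComplete) {
      if ($status -eq $StatusDenied) {
        throw "Terminating because signing request was denied"
      } elseif ($status -eq $StatusCanceled) {
        throw "Terminating because signing request was canceled"
      } elseif ($workflowStatus -eq $WorkflowStatusArtifactRetrievalFailed) {
        throw "Terminating because artifact retrieval failed"
      } elseif ($status -eq $StatusFailed) {
        throw "Terminating because signing request failed"
      } elseif ($timeoutExpired) {
        throw "Timeout expired while waiting for signing request to complete"
      } else {
        throw "Terminating because of unexpected signing request status: $status"
      }
    }

    if($resultJson.PSObject.Properties.Name -contains "signedArtifactLink") {
      return $resultJson.signedArtifactLink
    }

    throw "Downloading the signed artifact is not possible since the signing request's artifacts have been deleted."
  } finally {
    # Only set when CheckResponse or reading the body failed before the in-loop dispose.
    if ($null -ne $getResponse) {
      $getResponse.Dispose()
    }
  }
}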

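# Creates an HttpClient that authenticates with the given API token, passes it to $scriptBlock and
# disposes it afterwards.
#   $apiToken          - sent as "Authorization: Bearer <token>" with EVERY request made through this
#                        client, whatever host the request URL names; $scriptBlock should therefore
#                        only use the client for SignPath API URLs
#   $timeout           - HttpClient timeout in seconds
#   $scriptBlock       - invoked with the HttpClient as its only argument; its output is this function's output
#   $clientCertificate - optional TLS client certificate; must have a private key
# While $scriptBlock runs, ServicePointManager.SecurityProtocol is set to TLS 1.2 only. That setting is
# process-wide; the previous value is restored when this function exits.
# Throws when $clientCertificate has no private key.
function CreateAndUseAuthorizedHttpClient ([string] $apiToken, [int] $timeout, [ScriptBlock] $scriptBlock, [System.Security.Cryptography.X509Certificates.X509Certificate2] $clientCertificate) {
  Add-Type -AssemblyName System.IO
  Add-Type -AssemblyName System.Net.Http

  $previousSecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol
  $httpClientHandler = $null
  $httpClient = $null

  # Everything after the protocol change happens inside try, so the process-wide TLS setting is
  # restored and the handler released even when the client cannot be set up (e.g. a certificate
  # without private key).
  try {
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

    $httpClientHandler = New-Object System.Net.Http.HttpClientHandler
    if ($null -ne $clientCertificate) {
      if (-not $clientCertificate.HasPrivateKey) {
        throw "The given client certificate has not private key and therefore cannot be used as client certificate."
      }

      Write-Verbose "Adding HttpClient client certificate: $clientCertificate"
      $httpClientHandler.ClientCertificates.Add($clientCertificate) | Out-Null
    }

    $httpClient = New-Object System.Net.Http.HttpClient $httpClientHandler
    $httpClient.Timeout = [TimeSpan]::FromSeconds($timeout)
    $httpClient.DefaultRequestHeaders.Authorization = New-Object System.Net.Http.Headers.AuthenticationHeaderValue @("Bearer", $apiToken)

    & $scriptBlock $httpClient
  } finally {
    if ($null -ne $httpClient) {
      # Disposing the client also disposes the handler it was created with.
      $httpClient.Dispose()
    } elseif ($null -ne $httpClientHandler) {
      $httpClientHandler.Dispose()
    }
    [System.Net.ServicePointManager]::SecurityProtocol = $previousSecurityProtocol
  }
}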

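# Turns $inputArtifactPath into a rooted path (see NormalizePath) and verifies that it exists.
# Returns the rooted path; throws when nothing exists at that path.
function PrepareInputArtifactPath ([string] $inputArtifactPath) {
  $inputArtifactPath = NormalizePath $inputArtifactPath

  # -LiteralPath: the value names exactly one file. With -Path, characters such as '[', ']' and '*'
  # would be interpreted as wildcards and the check could match a different file.
  if (-not (Test-Path -LiteralPath $inputArtifactPath)) {
    throw "The input artifact path '$inputArtifactPath' does not exist"
  }
  return $inputArtifactPath
}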

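# Turns $outputArtifactPath into a rooted path (see NormalizePath) and guards against overwriting.
#   $force - when $true, an existing file at the target path is accepted
# Returns the rooted path; throws when something already exists there and $force is not set.
function PrepareOutputArtifactPath ([bool] $force, [string] $outputArtifactPath) {
  $outputArtifactPath = NormalizePath $outputArtifactPath

  # -LiteralPath: with -Path, a name containing '[' or ']' is treated as a wildcard pattern, the
  # existing file is not found and the overwrite guard is silently skipped.
  if (-not $force -and (Test-Path -LiteralPath $outputArtifactPath)) {
    throw "There is already a file at '$outputArtifactPath'. If you want to overwrite it use the -Force switch"
  }
  return $outputArtifactPath
}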

# Returns $path unchanged when it is rooted, otherwise joins it onto the current location ($PWD).
# The path is not canonicalised: '..' segments are kept as given.
function NormalizePath ([string] $path) {
  if ([System.IO.Path]::IsPathRooted($path)) {
    return $path
  }

  return Join-Path $PWD $path
}

# Validates an HTTP response and throws an HttpRequestException when it is not acceptable.
#   $response             - the response to check
#   $expectLocationHeader - when set, a success response without a Location header is rejected as well
# For non-success responses the message contains the status code, the reason phrase, a hint for 401
# and (most) 403 responses, and the response body exactly as the server sent it.
function CheckResponse ([System.Net.Http.HttpResponseMessage] $response, [switch] $expectLocationHeader) {
  Write-Verbose "Checking response: $response"

  if (-not $response.IsSuccessStatusCode) {
    Write-Verbose "No success response."
    $body = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()

    # Hint for the two most common authorization problems.
    $hint = ""
    if (401 -eq $response.StatusCode) {
      $hint = " Did you provide the correct API token?"
    }
    elseif (403 -eq $response.StatusCode -and -not $body.Contains("feature is disabled")) {
      $hint = " Did you add the user to the list of submitters in the specified signing policy? Did you provide the correct OrganizationId? In case you are using a trusted build system, did you link it to the specified project?"
    }

    $serverPart = ""
    if ($body -ne "") {
      $serverPart = " (Server reported the following message: '$body')"
    }

    $failureText = "Error $($response.StatusCode.value__) $($response.ReasonPhrase).${hint}${serverPart}"

    throw [System.Net.Http.HttpRequestException]$failureText
  }

  # A Location header counts only when the property exists and holds a value.
  $locationPropertyExists = $response.Headers.PSObject.Properties.Name -contains "Location"
  $hasValidLocationHeader = $locationPropertyExists -and $response.Headers.Location

  if ($expectLocationHeader.IsPresent -and -not $hasValidLocationHeader) {
    $missingLocationText = "The server did not provide a location header in the response. Are you sure you are using the correct URL?"
    throw [System.Net.Http.HttpRequestException]$missingLocationText
  }
}

# Public surface of the module: these three cmdlets are exported.
# NOTE: the Authenticode signature block below covers the content of this file. After any edit the
# module has to be signed again, otherwise signature validation of the file fails.
Export-ModuleMember -Function Submit-SigningRequest, Get-SignedArtifact, Get-CertificateByMicrosoftTemplateId
# SIG # Begin signature block
# MIIvZgYJKoZIhvcNAQcCoIIvVzCCL1MCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD9EKD3H/chYWR2
# uBEF3WTcuZynR34CkZaPpgSDthrK8qCCFDMwggWQMIIDeKADAgECAhAFmxtXno4h
# MuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQK
# EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNV
# BAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0z
# ODAxMTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ
# bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0
# IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
# AL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/z
# G6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKyunWZ
# anMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsFxl7s
# Wxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU15zHL
# 2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJBMtfb
# BHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3
# JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3c
# AORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqx
# YxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0
# viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aL
# T8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjQjBAMA8GA1Ud
# EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTs1+OC0nFdZEzf
# Lmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfEkRvDoaIAjeNk
# aA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvWVPjS
# PMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK
# 7VB6fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eB
# cg3AFDLvMFkuruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp
# 5aPNoiBB19GcZNnqJqGLFNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msg
# dDDS4Dk0EIUhFQEI6FUy3nFJ2SgXUE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vri
# RbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i7UqLvBv9R0oN32dmfrJbQdA75PQ7
# 9ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPmYQ/ShQDnUBrkG5WdGaG5
# nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1TtmlfB2/oQzxm3
# i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyBIa0H
# EEcRrYc9B9F1vM/zZn4wggawMIIEmKADAgECAhAIrUCyYNKcTJ9ezam9k67ZMA0G
# CSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ
# bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0
# IFRydXN0ZWQgUm9vdCBHNDAeFw0yMTA0MjkwMDAwMDBaFw0zNjA0MjgyMzU5NTla
# MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE
# AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz
# ODQgMjAyMSBDQTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVtC9C
# 0CiteLdd1TlZG7GIQvUzjOs9gZdwxbvEhSYwn6SOaNhc9es0JAfhS0/TeEP0F9ce
# 2vnS1WcaUk8OoVf8iJnBkcyBAz5NcCRks43iCH00fUyAVxJrQ5qZ8sU7H/Lvy0da
# E6ZMswEgJfMQ04uy+wjwiuCdCcBlp/qYgEk1hz1RGeiQIXhFLqGfLOEYwhrMxe6T
# SXBCMo/7xuoc82VokaJNTIIRSFJo3hC9FFdd6BgTZcV/sk+FLEikVoQ11vkunKoA
# FdE3/hoGlMJ8yOobMubKwvSnowMOdKWvObarYBLj6Na59zHh3K3kGKDYwSNHR7Oh
# D26jq22YBoMbt2pnLdK9RBqSEIGPsDsJ18ebMlrC/2pgVItJwZPt4bRc4G/rJvmM
# 1bL5OBDm6s6R9b7T+2+TYTRcvJNFKIM2KmYoX7BzzosmJQayg9Rc9hUZTO1i4F4z
# 8ujo7AqnsAMrkbI2eb73rQgedaZlzLvjSFDzd5Ea/ttQokbIYViY9XwCFjyDKK05
# huzUtw1T0PhH5nUwjewwk3YUpltLXXRhTT8SkXbev1jLchApQfDVxW0mdmgRQRNY
# mtwmKwH0iU1Z23jPgUo+QEdfyYFQc4UQIyFZYIpkVMHMIRroOBl8ZhzNeDhFMJlP
# /2NPTLuqDQhTQXxYPUez+rbsjDIJAsxsPAxWEQIDAQABo4IBWTCCAVUwEgYDVR0T
# AQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaDfg67Y7+F8Rhvv+YXsIiGX0TkIwHwYD
# VR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08wDgYDVR0PAQH/BAQDAgGGMBMG
# A1UdJQQMMAoGCCsGAQUFBwMDMHcGCCsGAQUFBwEBBGswaTAkBggrBgEFBQcwAYYY
# aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsGAQUFBzAChjVodHRwOi8vY2Fj
# ZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNydDBDBgNV
# HR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
# cnVzdGVkUm9vdEc0LmNybDAcBgNVHSAEFTATMAcGBWeBDAEDMAgGBmeBDAEEATAN
# BgkqhkiG9w0BAQwFAAOCAgEAOiNEPY0Idu6PvDqZ01bgAhql+Eg08yy25nRm95Ry
# sQDKr2wwJxMSnpBEn0v9nqN8JtU3vDpdSG2V1T9J9Ce7FoFFUP2cvbaF4HZ+N3HL
# IvdaqpDP9ZNq4+sg0dVQeYiaiorBtr2hSBh+3NiAGhEZGM1hmYFW9snjdufE5Btf
# Q/g+lP92OT2e1JnPSt0o618moZVYSNUa/tcnP/2Q0XaG3RywYFzzDaju4ImhvTnh
# OE7abrs2nfvlIVNaw8rpavGiPttDuDPITzgUkpn13c5UbdldAhQfQDN8A+KVssIh
# dXNSy0bYxDQcoqVLjc1vdjcshT8azibpGL6QB7BDf5WIIIJw8MzK7/0pNVwfiThV
# 9zeKiwmhywvpMRr/LhlcOXHhvpynCgbWJme3kuZOX956rEnPLqR0kq3bPKSchh/j
# wVYbKyP/j7XqiHtwa+aguv06P0WmxOgWkVKLQcBIhEuWTatEQOON8BUozu3xGFYH
# Ki8QxAwIZDwzj64ojDzLj4gLDb879M4ee47vtevLt/B3E+bnKD+sEq6lLyJsQfmC
# XBVmzGwOysWGw/YmMwwHS6DTBwJqakAwSEs0qFEgu60bhQjiWQ1tygVQK+pKHJ6l
# /aCnHwZ05/LWUpD9r4VIIflXO7ScA+2GRfS0YW6/aOImYIbqyK+p/pQd52MbOoZW
# eE4wggfnMIIFz6ADAgECAhAFxsIaZbhUUbOgqnx1dNw2MA0GCSqGSIb3DQEBCwUA
# MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjFBMD8GA1UE
# AxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2RlIFNpZ25pbmcgUlNBNDA5NiBTSEEz
# ODQgMjAyMSBDQTEwHhcNMjIwODA0MDAwMDAwWhcNMjUwODA2MjM1OTU5WjCBwDET
# MBEGCysGAQQBgjc8AgEDEwJBVDEVMBMGCysGAQQBgjc8AgECEwRXaWVuMRUwEwYL
# KwYBBAGCNzwCAQETBFdpZW4xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9u
# MRAwDgYDVQQFEwc0NzU1MDZ6MQswCQYDVQQGEwJBVDENMAsGA1UEBxMEV2llbjEW
# MBQGA1UEChMNU2lnblBhdGggR21iSDEWMBQGA1UEAxMNU2lnblBhdGggR21iSDCC
# AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL6HS5wK+wIHHZ9uJUlOQn5O
# 7J443ConoGd9WICI2zmrzk/potZRcAoB0WYHu/dqK/U2IYvzDOzIFs4HjgGqJQDf
# Hx/75O3rUAv5owW53bmUjt9jrusvB0ObUNm3FrIWQYMFQJR0M3ymnGbXvDBs+hoW
# dhu12uYbmPJHm4pmsqV+Y8CBCWbJm3DyfGLD/qpOMkhjmh22h1X5G4m8+7EOWCup
# B1Fx1lmYpMu391x6ysVEe4g5E8Tus7VDeKB6aFoLiuVW3UtrucsmROY0iExrVC+h
# izGQqwFJn7gp8sxSzutZokfVXWf0dnw/1I2GIfLW5S9a9TpBz3Tz2Jh4BZs2lBXL
# lo/5+zlphlmMjiXvBoXquchQFko1DLSdXtEEeAQUVpeFsG60bDwj5X0R7UL/vZpw
# GD0s4XNUckeMwFFRTpHIxk2QbRSyZgS5Nfy5oILTtTity4IcnLf8aV4OLl7dgn39
# VfQ8hxYNfPMqn1NsbEBFuQ30maDGl8/4kCYMgLOnT19u+/wuBBCFmSSWa3Y5RyeJ
# 0LmAk3tvfoHqXR+wPVPekVwzViSQ/k7PYtq5zF4bMT/9dHpriE13absSZPfigSde
# /eyL7+kJZLYw+ZwZABwMyM/B3rLc7RJPSFCmqgyyFjc7i25iKv8Z//6884clbZ7W
# BYwLVTcIsfD/QG+0YoJlAgMBAAGjggIxMIICLTAfBgNVHSMEGDAWgBRoN+Drtjv4
# XxGG+/5hewiIZfROQjAdBgNVHQ4EFgQUxXD4yqLal5zX9MnW4OnSsnTYRH4wKgYD
# VR0RBCMwIaAfBggrBgEFBQcIA6ATMBEMD0FULVdJRU4tNDc1NTA2ejAOBgNVHQ8B
# Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwgbUGA1UdHwSBrTCBqjBToFGg
# T4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29k
# ZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5jcmwwU6BRoE+GTWh0dHA6Ly9j
# cmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNB
# NDA5NlNIQTM4NDIwMjFDQTEuY3JsMD0GA1UdIAQ2MDQwMgYFZ4EMAQMwKTAnBggr
# BgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGUBggrBgEFBQcB
# AQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFwG
# CCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRU
# cnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAMBgNV
# HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCTJY3zlB6w17Y/7FHoW1Mh+vwz
# 3L0KfOWwqvRmPZm1/SQ9dbRVepLkc1jgSvrc8CwZI0J+SoeKaAmesLHt1onvaUW2
# /o/5P9X0HeHgue0jsE+QKKjU2RxomK4DrPdDdGVoCJiR5OJMmZzUUu3tGAr3MmTU
# 6b+UeDeWG0IjT+75LW0cOHgWqcE8aZLIuw/3YB6xPXs8AAayJysbmRe4jQNLg3u8
# DAErUY1yA5eYklThko1uIwJy90GYVwz6pWEifR1sV4sitzF0EV4UO82pgVxEhJB9
# eBZ3pHTPmjXEaRHQHZudGACW7+DDIEw8979qWDOJmiDEgL0ylb49ATOWW0kyGPnh
# 4tlbgi6QB8AAzMWgM+LENT8TPli1YrKmONq5ImgIBwOMtsSOwBH+TS1VvqBxdvF8
# YZA1+VTNeeTKMCkqJbCRm3M+d076nIGjddMISkloTeVeCjGT2Bt0vyJTfCcraPYK
# A6FDQndkNuzXurBmHazf7HLL/SxrLJGRMFo10BKVdC3Ihs6m9yNI/Bj0v/Rkykix
# sPvjJPJ4I9EjhrtI9Bz4CJujLosuqH3TYWfUqbi/F1W9pnJxzCBGX25+WMX8+8q5
# NLvQ4ykrhOrphjiM3hTfYVxd0W8lDD83qrbAnbdWNPq1Vcr9JMlNIDSGWRtoZXcL
# 6t/F7az0ldN5/Vv7DzGCGokwghqFAgEBMH0waTELMAkGA1UEBhMCVVMxFzAVBgNV
# BAoTDkRpZ2lDZXJ0LCBJbmMuMUEwPwYDVQQDEzhEaWdpQ2VydCBUcnVzdGVkIEc0
# IENvZGUgU2lnbmluZyBSU0E0MDk2IFNIQTM4NCAyMDIxIENBMQIQBcbCGmW4VFGz
# oKp8dXTcNjANBglghkgBZQMEAgEFAKCBmjAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC
# NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAuBgorBgEEAYI3AgEM
# MSAwHqAcgBoAUwBpAGcAbgBQAGEAdABoAC4AcABzAG0AMTAvBgkqhkiG9w0BCQQx
# IgQgbz+BY7e/Vax496bRPoFMKOPxyvi7b6HZd6BoXA+KmZMwDQYJKoZIhvcNAQEB
# BQAEggIAeNMSV5V4ioR9lSwRSZKTjgonaJW/wrjixDmn4TyDMzTOdUWWioOQ2/qB
# +aho18GNAfeKpUSuXWq8Qs77ZCFI5CwsojUqVbvww+TIHwJEUBOJTaEIbunAQnal
# zFcYMDGPiLZZ99ISt1RBapxd53AvJ1bIHYLT7ZYD/+PQ41T9n3eUitztftArSX2w
# e+biyBQwQDWp1ecCGl3JTMkhWjdvRVAkGxADPsyFSB1Pasz4/V9D3K51tO+E6J4W
# O4HUOkDnKt8VH12ejMXK5tCCV1XMmUI1B3+xItB+eCXY+DT5PQY6XZpZRKX7VC72
# NERUVQgPdmUJxcSeQnUdu0V1YN1xTUyB6w1+zGQNTBd8AwsEvrtOwsNHTm+r+jfR
# qFB+9yRL6TmaaNM/zClsO9MPzjDn0vjJn8z7+53D2PUhGZnBEh8ZVei4KzsoM+8x
# SN0Dhk6XDMzGtHM/aMuStXK1x3Z9vtLKmRCXos1raJudo5/Dzt2CLkXs3EPbWU8R
# 6c85dTnHezf2LOg/v2v0mAnJh1D5mllVvlUfI6ebm9b0cR+31V9T3K1Fttz1wtnX
# RGRd5gNWDpTzzqnjXB1yiN8AzxUWB9m75c4XY7enqiNBNnevCZqrHr7Ec69QDYZr
# 7P0RPD19X5Vt1kyPc+EmMpSf/tex815Tp7vJVgwa1JVxe1R/6AqhghdAMIIXPAYK
# KwYBBAGCNwMDATGCFywwghcoBgkqhkiG9w0BBwKgghcZMIIXFQIBAzEPMA0GCWCG
# SAFlAwQCAQUAMHgGCyqGSIb3DQEJEAEEoGkEZzBlAgEBBglghkgBhv1sBwEwMTAN
# BglghkgBZQMEAgEFAAQgQ1JYrFuUUdajBw+Qz1x3KMy+kwWz3igbVPmDJciwXPsC
# EQCsYnsfs2AEH91uE+8kEhOAGA8yMDI0MDcxMTEwNDE0MFqgghMJMIIGwjCCBKqg
# AwIBAgIQBUSv85SdCDmmv9s/X+VhFjANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQG
# EwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0
# IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMB4XDTIz
# MDcxNDAwMDAwMFoXDTM0MTAxMzIzNTk1OVowSDELMAkGA1UEBhMCVVMxFzAVBgNV
# BAoTDkRpZ2lDZXJ0LCBJbmMuMSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAg
# MjAyMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKNTRYcdg45brD5U
# syPgz5/X5dLnXaEOCdwvSKOXejsqnGfcYhVYwamTEafNqrJq3RApih5iY2nTWJw1
# cb86l+uUUI8cIOrHmjsvlmbjaedp/lvD1isgHMGXlLSlUIHyz8sHpjBoyoNC2vx/
# CSSUpIIa2mq62DvKXd4ZGIX7ReoNYWyd/nFexAaaPPDFLnkPG2ZS48jWPl/aQ9OE
# 9dDH9kgtXkV1lnX+3RChG4PBuOZSlbVH13gpOWvgeFmX40QrStWVzu8IF+qCZE3/
# I+PKhu60pCFkcOvV5aDaY7Mu6QXuqvYk9R28mxyyt1/f8O52fTGZZUdVnUokL6wr
# l76f5P17cz4y7lI0+9S769SgLDSb495uZBkHNwGRDxy1Uc2qTGaDiGhiu7xBG3gZ
# beTZD+BYQfvYsSzhUa+0rRUGFOpiCBPTaR58ZE2dD9/O0V6MqqtQFcmzyrzXxDto
# RKOlO0L9c33u3Qr/eTQQfqZcClhMAD6FaXXHg2TWdc2PEnZWpST618RrIbroHzSY
# LzrqawGw9/sqhux7UjipmAmhcbJsca8+uG+W1eEQE/5hRwqM/vC2x9XH3mwk8L9C
# gsqgcT2ckpMEtGlwJw1Pt7U20clfCKRwo+wK8REuZODLIivK8SgTIUlRfgZm0zu+
# +uuRONhRB8qUt+JQofM604qDy0B7AgMBAAGjggGLMIIBhzAOBgNVHQ8BAf8EBAMC
# B4AwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAgBgNVHSAE
# GTAXMAgGBmeBDAEEAjALBglghkgBhv1sBwEwHwYDVR0jBBgwFoAUuhbZbU2FL3Mp
# dpovdYxqII+eyG8wHQYDVR0OBBYEFKW27xPn783QZKHVVqllMaPe1eNJMFoGA1Ud
# HwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRy
# dXN0ZWRHNFJTQTQwOTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcmwwgZAGCCsGAQUF
# BwEBBIGDMIGAMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20w
# WAYIKwYBBQUHMAKGTGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2Vy
# dFRydXN0ZWRHNFJTQTQwOTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcnQwDQYJKoZI
# hvcNAQELBQADggIBAIEa1t6gqbWYF7xwjU+KPGic2CX/yyzkzepdIpLsjCICqbjP
# gKjZ5+PF7SaCinEvGN1Ott5s1+FgnCvt7T1IjrhrunxdvcJhN2hJd6PrkKoS1yeF
# 844ektrCQDifXcigLiV4JZ0qBXqEKZi2V3mP2yZWK7Dzp703DNiYdk9WuVLCtp04
# qYHnbUFcjGnRuSvExnvPnPp44pMadqJpddNQ5EQSviANnqlE0PjlSXcIWiHFtM+Y
# lRpUurm8wWkZus8W8oM3NG6wQSbd3lqXTzON1I13fXVFoaVYJmoDRd7ZULVQjK9W
# vUzF4UbFKNOt50MAcN7MmJ4ZiQPq1JE3701S88lgIcRWR+3aEUuMMsOI5ljitts+
# +V+wQtaP4xeR0arAVeOGv6wnLEHQmjNKqDbUuXKWfpd5OEhfysLcPTLfddY2Z1qJ
# +Panx+VPNTwAvb6cKmx5AdzaROY63jg7B145WPR8czFVoIARyxQMfq68/qTreWWq
# aNYiyjvrmoI1VygWy2nyMpqy0tg6uLFGhmu6F/3Ed2wVbK6rr3M66ElGt9V/zLY4
# wNjsHPW2obhDLN9OTH0eaHDAdwrUAuBcYLso/zjlUlrWrBciI0707NMX+1Br/wd3
# H3GXREHJuEbTbDJ8WC9nR2XlG3O2mflrLAZG70Ee8PBf4NvZrZCARK+AEEGKMIIG
# rjCCBJagAwIBAgIQBzY3tyRUfNhHrP0oZipeWzANBgkqhkiG9w0BAQsFADBiMQsw
# CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
# ZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQw
# HhcNMjIwMzIzMDAwMDAwWhcNMzcwMzIyMjM1OTU5WjBjMQswCQYDVQQGEwJVUzEX
# MBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0IFRydXN0
# ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMIICIjANBgkqhkiG
# 9w0BAQEFAAOCAg8AMIICCgKCAgEAxoY1BkmzwT1ySVFVxyUDxPKRN6mXUaHW0oPR
# nkyibaCwzIP5WvYRoUQVQl+kiPNo+n3znIkLf50fng8zH1ATCyZzlm34V6gCff1D
# tITaEfFzsbPuK4CEiiIY3+vaPcQXf6sZKz5C3GeO6lE98NZW1OcoLevTsbV15x8G
# ZY2UKdPZ7Gnf2ZCHRgB720RBidx8ald68Dd5n12sy+iEZLRS8nZH92GDGd1ftFQL
# IWhuNyG7QKxfst5Kfc71ORJn7w6lY2zkpsUdzTYNXNXmG6jBZHRAp8ByxbpOH7G1
# WE15/tePc5OsLDnipUjW8LAxE6lXKZYnLvWHpo9OdhVVJnCYJn+gGkcgQ+NDY4B7
# dW4nJZCYOjgRs/b2nuY7W+yB3iIU2YIqx5K/oN7jPqJz+ucfWmyU8lKVEStYdEAo
# q3NDzt9KoRxrOMUp88qqlnNCaJ+2RrOdOqPVA+C/8KI8ykLcGEh/FDTP0kyr75s9
# /g64ZCr6dSgkQe1CvwWcZklSUPRR8zZJTYsg0ixXNXkrqPNFYLwjjVj33GHek/45
# wPmyMKVM1+mYSlg+0wOI/rOP015LdhJRk8mMDDtbiiKowSYI+RQQEgN9XyO7ZONj
# 4KbhPvbCdLI/Hgl27KtdRnXiYKNYCQEoAA6EVO7O6V3IXjASvUaetdN2udIOa5kM
# 0jO0zbECAwEAAaOCAV0wggFZMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
# FLoW2W1NhS9zKXaaL3WMaiCPnshvMB8GA1UdIwQYMBaAFOzX44LScV1kTN8uZz/n
# upiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEFBQcDCDB3Bggr
# BgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNv
# bTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lD
# ZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2Ny
# bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcmwwIAYDVR0g
# BBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9bAcBMA0GCSqGSIb3DQEBCwUAA4ICAQB9
# WY7Ak7ZvmKlEIgF+ZtbYIULhsBguEE0TzzBTzr8Y+8dQXeJLKftwig2qKWn8acHP
# HQfpPmDI2AvlXFvXbYf6hCAlNDFnzbYSlm/EUExiHQwIgqgWvalWzxVzjQEiJc6V
# aT9Hd/tydBTX/6tPiix6q4XNQ1/tYLaqT5Fmniye4Iqs5f2MvGQmh2ySvZ180HAK
# fO+ovHVPulr3qRCyXen/KFSJ8NWKcXZl2szwcqMj+sAngkSumScbqyQeJsG33irr
# 9p6xeZmBo1aGqwpFyd/EjaDnmPv7pp1yr8THwcFqcdnGE4AJxLafzYeHJLtPo0m5
# d2aR8XKc6UsCUqc3fpNTrDsdCEkPlM05et3/JWOZJyw9P2un8WbDQc1PtkCbISFA
# 0LcTJM3cHXg65J6t5TRxktcma+Q4c6umAU+9Pzt4rUyt+8SVe+0KXzM5h0F4ejjp
# nOHdI/0dKNPH+ejxmF/7K9h+8kaddSweJywm228Vex4Ziza4k9Tm8heZWcpw8De/
# mADfIBZPJ/tgZxahZrrdVcA6KYawmKAr7ZVBtzrVFZgxtGIJDwq9gdkT/r+k0fNX
# 2bwE+oLeMt8EifAAzV3C+dAjfwAL5HYCJtnwZXZCpimHCUcr5n8apIUP/JiW9lVU
# Kx+A+sDyDivl1vupL0QVSucTDh3bNzgaoSv27dZ8/DCCBY0wggR1oAMCAQICEA6b
# GI750C3n79tQ4ghAGFowDQYJKoZIhvcNAQEMBQAwZTELMAkGA1UEBhMCVVMxFTAT
# BgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEk
# MCIGA1UEAxMbRGlnaUNlcnQgQXNzdXJlZCBJRCBSb290IENBMB4XDTIyMDgwMTAw
# MDAwMFoXDTMxMTEwOTIzNTk1OVowYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERp
# Z2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMY
# RGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
# MIICCgKCAgEAv+aQc2jeu+RdSjwwIjBpM+zCpyUuySE98orYWcLhKac9WKt2ms2u
# exuEDcQwH/MbpDgW61bGl20dq7J58soR0uRf1gU8Ug9SH8aeFaV+vp+pVxZZVXKv
# aJNwwrK6dZlqczKU0RBEEC7fgvMHhOZ0O21x4i0MG+4g1ckgHWMpLc7sXk7Ik/gh
# YZs06wXGXuxbGrzryc/NrDRAX7F6Zu53yEioZldXn1RYjgwrt0+nMNlW7sp7XeOt
# yU9e5TXnMcvak17cjo+A2raRmECQecN4x7axxLVqGDgDEI3Y1DekLgV9iPWCPhCR
# cKtVgkEy19sEcypukQF8IUzUvK4bA3VdeGbZOjFEmjNAvwjXWkmkwuapoGfdpCe8
# oU85tRFYF/ckXEaPZPfBaYh2mHY9WV1CdoeJl2l6SPDgohIbZpp0yt5LHucOY67m
# 1O+SkjqePdwA5EUlibaaRBkrfsCUtNJhbesz2cXfSwQAzH0clcOP9yGyshG3u3/y
# 1YxwLEFgqrFjGESVGnZifvaAsPvoZKYz0YkH4b235kOkGLimdwHhD5QMIR2yVCkl
# iWzlDlJRR3S+Jqy2QXXeeqxfjT/JvNNBERJb5RBQ6zHFynIWIgnffEx1P2PsIV/E
# IFFrb7GrhotPwtZFX50g/KEexcCPorF+CiaZ9eRpL5gdLfXZqbId5RsCAwEAAaOC
# ATowggE2MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOzX44LScV1kTN8uZz/n
# upiuHA9PMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgPMA4GA1UdDwEB
# /wQEAwIBhjB5BggrBgEFBQcBAQRtMGswJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
# LmRpZ2ljZXJ0LmNvbTBDBggrBgEFBQcwAoY3aHR0cDovL2NhY2VydHMuZGlnaWNl
# cnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENBLmNydDBFBgNVHR8EPjA8MDqg
# OKA2hjRodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURS
# b290Q0EuY3JsMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQwFAAOCAQEA
# cKC/Q1xV5zhfoKN0Gz22Ftf3v1cHvZqsoYcs7IVeqRq7IviHGmlUIu2kiHdtvRoU
# 9BNKei8ttzjv9P+Aufih9/Jy3iS8UgPITtAq3votVs/59PesMHqai7Je1M/RQ0Sb
# QyHrlnKhSLSZy51PpwYDE3cnRNTnf+hZqPC/Lwum6fI0POz3A8eHqNJMQBk1Rmpp
# VLC4oVaO7KTVPeix3P0c2PR3WlxUjG/voVA9/HYJaISfb8rbII01YBwCA8sgsKxY
# oA5AY8WYIsGyWfVVa88nq2x2zm8jLfR+cWojayL/ErhULSd+2DrZ8LaHlv1b0Vys
# GMNNn3O3AamfV6peKOK5lDGCA3YwggNyAgEBMHcwYzELMAkGA1UEBhMCVVMxFzAV
# BgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVk
# IEc0IFJTQTQwOTYgU0hBMjU2IFRpbWVTdGFtcGluZyBDQQIQBUSv85SdCDmmv9s/
# X+VhFjANBglghkgBZQMEAgEFAKCB0TAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQ
# AQQwHAYJKoZIhvcNAQkFMQ8XDTI0MDcxMTEwNDE0MFowKwYLKoZIhvcNAQkQAgwx
# HDAaMBgwFgQUZvArMsLCyQ+CXc6qisnGTxmcz0AwLwYJKoZIhvcNAQkEMSIEIHMJ
# KGIKocEk5ZoYf5Mp0mhRyiigwwcN5oqDdVUldeCaMDcGCyqGSIb3DQEJEAIvMSgw
# JjAkMCIEINL25G3tdCLM0dRAV2hBNm+CitpVmq4zFq9NGprUDHgoMA0GCSqGSIb3
# DQEBAQUABIICAD1MV/dfhpSup8Gd2D1OW/qQTMT8DMJ9ZhhguUqF4BbPZ1ybJwkX
# WFIqhbs3LzBHgaDw0xU6xh3IaxvY589neslfdqzUPyGJvmTW27YygOcQHGLN6/6u
# x3VTcF7j6nHP0rC3JsOJcDBFF3cQd804B0oe474ZaR5WmRjYXOglr+ZAcRGiQojH
# Dy2BArlUSsKfq8GRzn+rBjYlbVqlcc30l0WL4sFqhR6YUakw/ks55LcfpOVEaXiE
# trpni9o53AUcuhY6tdpZoy24Yb8xDztIAZ112mmloLGxB6jFoIG/Qok1xCjQQmUc
# Y5fhtFJ5llDXE943v8h7ZdQqyim4pX1KvJjonK3vNsEOhoU0NzHP2djDSg23DKNa
# +xPEXdJSwci8wWLucHZebcGD3xpR1mnFwDYM/hAd5D0vBk3OQAZeqWH6qGK0eluX
# f4xomkZmIYBqEDFgjcAUD3UgwR/ongxB59dwUoUc+ITq4CTsy5EXSDqm3EQssSX/
# AjfLXwrMKYCXBhDePGM981O0hIPkaZZ7gvEosJJwAjmm4vqPYYQTm0mxX0REvsNm
# DZDjLDZSXjR3KmIXIzrJua3xcsiiIOx0M0Az4pMm1q2MBfhDBJGS2E/t89CZTOPX
# CERNVRD/1SU0dylAKNwGZuSsc0y5Ar92NT58fUp1YRnUaS4YACg4uNxv
# SIG # End signature block