@microsoft/windows-admin-center-sdk
Version:
Microsoft - Windows Admin Center Shell
792 lines (789 loc) • 40.1 kB
JavaScript
import { from, of, Subject, throwError } from 'rxjs';
import { filter, map, mergeMap, take } from 'rxjs/operators';
import { ErrorExtended } from '../data/error-extended';
import { Logging } from '../diagnostics/logging';
import { RpcCredSSPOperationResultMember, RpcCredSSPOperationType, RpcCredSspResponseKey } from '../rpc/credssp/rpc-credssp-model';
import { RpcCredSspRequestClient } from '../rpc/credssp/rpc-credssp-request-client';
import { GatewayInstallationType } from '../shared/gateway-inventory/gateway-inventory';
import { GatewayInventoryCache } from '../shared/gateway-inventory/gateway-inventory-cache';
/**
* CredSPP Manager class. Handles detecting and configuring CredSSP on a set of servers.
*/
export class CredSSPManager {
rpc;
strings = MsftSme.getStrings().MsftSmeShell.Core.CredSSPManager;
watcher;
gatewayInventoryCache;
/**
* Initializes a new instance of the Authorization Manager class.
*
* @param rpc The rpc to forward auth requests to a parent window
*/
constructor(rpc) {
this.rpc = rpc;
this.watcher = new Subject();
}
initialize(appContext) {
// When in Shell do not register.
if (!this.rpc.isShell) {
this.rpc.register(RpcCredSspResponseKey.command, this.onRpcResponse.bind(this));
}
this.gatewayInventoryCache = new GatewayInventoryCache(appContext);
}
/**
* New Enable CredSSP on the passed in server.
*
* @param serverName This server on which CredSSP should be enabled
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
*/
wsmanEnableManagedServer(serverName, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (MsftSme.isNullOrWhiteSpace(serverName)) {
throw new Error('A server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.EnableManagedServer,
serverNames: [serverName],
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* New Disable CredSSP for the passed in server.
*
* @param serverName This server on which CredSSP should be disabled
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
*/
wsmanDisableManagedServer(serverName, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (MsftSme.isNullOrWhiteSpace(serverName)) {
throw new Error('A server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.DisableManagedServer,
serverNames: [serverName],
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* New Enable CredSSP client role for the gateway and delegate to the list of servers.
*
* @param serverNames This list of servers where CredSSP should be enabled.
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
*/
wsmanEnableClientRole(serverNames, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.EnableClientRole,
serverNames: serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* New Disable CredSSP client role for the gateway and remove all delegated servers.
*
* @param serverNames This list of servers where CredSSP should be disabled
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
*/
wsmanDisableClientRole(serverNames, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.DisableClientRole,
serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* @deprecated
* Use tryGatewayLocalPowershellConfig instead which will only enable CredSSP when the gateway is making
* a double hop to a remote node. This method will enable CredSSP every time, even in cases where
* it is not needed.
*
* New Enable the server as a CredSSP server, and enable the gateway as a CredSSP client of the server.
*
* @param serverName The server where CredSSP delegation should be enabled
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
*/
wsmanEnableDelegation(serverName, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (MsftSme.isNullOrWhiteSpace(serverName)) {
throw new Error('The server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.EnableDelegation,
serverNames: [serverName],
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* Check to see if given servers contain the gateway machine. If not, enable CredSSP on index 0 of serverNames,
* otherwise, do nothing.
*
* Note: Will only check if local runspace can be used if msft.sme.shell.localRunspace experiment key is set
* or gateway is running as WAC in Portal. Otherwise will fall back to calling {@link wsmanEnableDelegation}.
* This is because old installs of WAC do not have the necessary shell RPC endpoint or PowerShell API functionality.
*
* @param serverNames String array of server names to check for a match with the gateway server name.
* If not found, CredSSP will be enabled between the gateway machine and the server name at index 0.
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored.
* @returns GatewayLocalPowerShellConfig object if success.
* @throws If call is made from shell, serverNames is empty or contains empty values, or unable to enable CredSSP.
*/
tryGatewayLocalPowerShellConfig(serverNames, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (serverNames.length === 0 || serverNames.some(serverName => MsftSme.isNullOrWhiteSpace(serverName))) {
throw new Error('The server name(s) must be provided.');
}
if (MsftSme.isExperimentEnabled('localRunspace', true)) {
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.TryGatewayLocalPowerShellConfig,
serverNames: serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Data);
}
return this.gatewayInventoryCache.query({}).pipe(take(1), mergeMap(inventory => {
if (inventory.instance.installationType === GatewayInstallationType.AzureVmExtension) {
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.TryGatewayLocalPowerShellConfig,
serverNames: serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Data);
}
// Fallback to using the old, deprecated wsmanEnableDelegation method if user is running an old version of WAC.
// Uses index 0 because if serverNames does not contain the gateway machine, the given name(s) should all be able to
// delegate credentials (by receiving the) in a double hop scenario.
return this.wsmanEnableDelegation(serverNames[0], verbose).pipe(map(response => {
if (!response) {
throw new Error(this.strings.TryGatewayLocalPowerShellConfigNotConfirmed.error);
}
const data = {
configuredServerConnectionString: serverNames[0],
powerShellOptions: { authenticationMechanism: 'Credssp' }
};
return data;
}));
}));
}
/**
* Test WSMan CredSSP connection from gateway to server(s)
*
* @param serverNames the servers to test connection to from gateway
* @param credentials explicit credentials(username and password) to be used to WSMan CredSSP test
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
* @returns true if we can safely connect to all server without isssues otherwise returns false
*/
testCredSSP(serverNames, credentials, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames.length || serverNames.some(serverName => MsftSme.isNullOrWhiteSpace(serverName))) {
throw new Error('The server name(s) must be provided.');
}
if (!credentials || !credentials.username || !credentials.password) {
throw new Error('Username and password must be provided in the options.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.TestCredSSP,
serverNames: serverNames,
credentials,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* Get the CredSSP client role configuration of the gateway, including:
* 1. Client role of gateway to delegate fresh credentials
* 2. Which servers can be delegated fresh credentials
*
* @param serverNames The list of servers to check credential delegation status
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
* @returns ClientRoleConfiguration object of the gateway client role configuration
*/
wsmanGetClientConfigurationOnGateway(serverNames, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.ConfirmClientConfiguration,
serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.ConfigurationStatus).pipe(map(response => response.client));
}
/**
* Get the CredSSP server role configuration of the server.
*
* @param serverName The server to get the CredSSP configuration
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
* @returns ServerRoleConfiguration object of the managed server server role configuration
*/
wsmanGetManagedServerConfiguration(serverNames, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.ConfirmManagedServerConfiguration,
serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.ConfigurationStatus).pipe(map(response => response.servers));
}
/**
* Get the CredSSP delegation configuration, including:
* 1. Client role of gateway to delegate fresh credentials
* 2. Which servers can be delegated fresh credentials
* 3. Server roles of each servers
*
* @param serverNames The list of servers to check credential delegation from gateway and to check server role status
* @param verbose (Optional) Specify whether a solution (if any) should be returned if CredSSP errored
* @returns ConfigurationData object of the client and server role configuation
*/
wsmanGetDelegationConfiguration(serverNames, verbose = false) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.ConfirmDelegation,
serverNames,
notificationTitle: null,
notificationId: null
}, verbose, RpcCredSSPOperationResultMember.ConfigurationStatus);
}
/**
* @deprecated
* Notification message wouldn't be displayed from this call. Display the notification by own code,
* and use wsmanEnableManagedServer instead.
*
* Enable CredSSP on the passed in server.
*
* @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service
* @param serverName This server on which CredSSP should be enabled
* @param alertId Optional notification Id
*/
enableManagedServer(alertTitle, serverName, alertId) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (MsftSme.isNullOrWhiteSpace(serverName)) {
throw new Error('A server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.EnableManagedServer,
serverNames: [serverName],
notificationTitle: alertTitle,
notificationId: alertId
}, false, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* @deprecated
* Notification message wouldn't be displayed from this call. Display the notification by own code,
* and use wsmanDisableManagedServer instead.
*
* Disable CredSSP for the passed in server.
*
* @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service
* @param serverName This server on which CredSSP should be disabled
* @param alertId Optional notification Id
*/
disableManagedServer(alertTitle, serverName, alertId) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (MsftSme.isNullOrWhiteSpace(serverName)) {
throw new Error('A server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.DisableManagedServer,
serverNames: [serverName],
notificationTitle: alertTitle,
notificationId: alertId
}, false, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* @deprecated
* Notification message wouldn't be displayed from this call. Display the notification by own code,
* and use wsmanEnableClientRole instead.
*
* Enable CredSSP client role for the gateway and delegate to the list of servers.
*
* @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service
* @param serverNames This list of servers where CredSSP should be enabled.
* @param alertId Optional notification Id
*/
enableClientRole(alertTitle, serverNames, alertId) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.EnableClientRole,
serverNames: serverNames,
notificationTitle: alertTitle,
notificationId: alertId
}, false, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* @deprecated
* Notification message wouldn't be displayed from this call. Display the notification by own code,
* and use wsmanDisableClientRole instead.
*
* Disable CredSSP client role for the gateway and remove all delegated servers.
*
* @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service
* @param serverNames This list of servers where CredSSP should be disabled.
* @param alertId Optional notification Id
*/
disableClientRole(alertTitle, serverNames, alertId) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (!serverNames || serverNames.length < 1) {
throw new Error('At least one server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.DisableClientRole,
serverNames,
notificationTitle: alertTitle,
notificationId: alertId
}, false, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* @deprecated
* Notification message wouldn't be displayed from this call. Display the notification by own code,
* and use wsmanEnableDelegation instead.
*
* Enable the server as a CredSSP server, and enable the gateway as a CredSSP client of the server.
*
* @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service
* @param serverName The sever where CredSSP delegation should be enabled.
* @param alertId Optional notification Id
*/
enableDelegation(alertTitle, serverName, alertId) {
if (this.rpc.isShell) {
throw new Error('Not supported on the shell environment.');
}
if (MsftSme.isNullOrWhiteSpace(serverName)) {
throw new Error('The server name must be provided.');
}
return this.sendRequest({
requestId: MsftSme.getUniqueId(),
operation: RpcCredSSPOperationType.EnableDelegation,
serverNames: [serverName],
notificationTitle: alertTitle,
notificationId: alertId
}, false, RpcCredSSPOperationResultMember.Succeeded);
}
/**
* @deprecated
* This method is obsolete!
*
* Disable the server as a CredSSP server, and disable the gateway as a CredSSP client of the server.
*
* @param alertTitle Title for notifications raised by this servers. Should be contextual to the scenario that is using this service
* @param serverName The sever where CredSSP delegation should be disabled.
* @param alertId Optional notification Id
*/
disableDelegation() {
return of(true);
}
/**
* The RPC request to the CredSSPManagerShellService.
* @param request The requested CredSSP manager operation
* @param verbose Specify whether a solution (if any) should be returned if CredSSP errored
* @param returnProperty The property of the RPC result object to return
*/
sendRequest(request, verbose, returnProperty) {
Logging.logDebug('CredSSPManager', 'Sending request to CredSSPManagerService. Request:{0}'.format(JSON.stringify(request)));
return from(RpcCredSspRequestClient.credSspRequest(this.rpc, request))
.pipe(mergeMap(() => this.watcher), filter(result => result.requestId === request.requestId), take(1), mergeMap(result => {
// shell reports 'error' property originated from the CredSSP operation.
// the client using this API should get this error message to display to user.
if (result.error) {
if (verbose) {
const error = new ErrorExtended(result.error);
error.extendedSource = `${request.operation}-credSSPError`;
error.extended = { solutionMessage: result.solutionMessage };
return throwError(() => error);
}
else {
return throwError(() => new Error(result.error));
}
}
return of(result[returnProperty]);
}));
}
/**
* Process the RPC response from the CredSSPManagerShellService.
* @param data The requested CredSSP manager operation result.
*/
onRpcResponse(data) {
Logging.logDebug('CredSSPManager', 'Processing response from CredSSPManagerService Response:{0}'.format(JSON.stringify(data)));
this.watcher.next(data);
return Promise.resolve();
}
}
//# sourceMappingURL=credssp-manager.js.map
// SIG // Begin signature block
// SIG // MIIoKwYJKoZIhvcNAQcCoIIoHDCCKBgCAQExDzANBglg
// SIG // hkgBZQMEAgEFADB3BgorBgEEAYI3AgEEoGkwZzAyBgor
// SIG // BgEEAYI3AgEeMCQCAQEEEBDgyQbOONQRoqMAEEvTUJAC
// SIG // AQACAQACAQACAQACAQAwMTANBglghkgBZQMEAgEFAAQg
// SIG // Lg+uG34BuJMC9q27lSkO7rgAQnl64b9QIgRdVLrV8Y6g
// SIG // gg12MIIF9DCCA9ygAwIBAgITMwAABARsdAb/VysncgAA
// SIG // AAAEBDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV
// SIG // UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
// SIG // UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
// SIG // cmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBT
// SIG // aWduaW5nIFBDQSAyMDExMB4XDTI0MDkxMjIwMTExNFoX
// SIG // DTI1MDkxMTIwMTExNFowdDELMAkGA1UEBhMCVVMxEzAR
// SIG // BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
// SIG // bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
// SIG // bjEeMBwGA1UEAxMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
// SIG // MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
// SIG // tCg32mOdDA6rBBnZSMwxwXegqiDEUFlvQH9Sxww07hY3
// SIG // w7L52tJxLg0mCZjcszQddI6W4NJYb5E9QM319kyyE0l8
// SIG // EvA/pgcxgljDP8E6XIlgVf6W40ms286Cr0azaA1f7vaJ
// SIG // jjNhGsMqOSSSXTZDNnfKs5ENG0bkXeB2q5hrp0qLsm/T
// SIG // WO3oFjeROZVHN2tgETswHR3WKTm6QjnXgGNj+V6rSZJO
// SIG // /WkTqc8NesAo3Up/KjMwgc0e67x9llZLxRyyMWUBE9co
// SIG // T2+pUZqYAUDZ84nR1djnMY3PMDYiA84Gw5JpceeED38O
// SIG // 0cEIvKdX8uG8oQa047+evMfDRr94MG9EWwIDAQABo4IB
// SIG // czCCAW8wHwYDVR0lBBgwFgYKKwYBBAGCN0wIAQYIKwYB
// SIG // BQUHAwMwHQYDVR0OBBYEFPIboTWxEw1PmVpZS+AzTDwo
// SIG // oxFOMEUGA1UdEQQ+MDykOjA4MR4wHAYDVQQLExVNaWNy
// SIG // b3NvZnQgQ29ycG9yYXRpb24xFjAUBgNVBAUTDTIzMDAx
// SIG // Mis1MDI5MjMwHwYDVR0jBBgwFoAUSG5k5VAF04KqFzc3
// SIG // IrVtqMp1ApUwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDov
// SIG // L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jcmwvTWlj
// SIG // Q29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNybDBhBggr
// SIG // BgEFBQcBAQRVMFMwUQYIKwYBBQUHMAKGRWh0dHA6Ly93
// SIG // d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWlj
// SIG // Q29kU2lnUENBMjAxMV8yMDExLTA3LTA4LmNydDAMBgNV
// SIG // HRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCI5g/S
// SIG // KUFb3wdUHob6Qhnu0Hk0JCkO4925gzI8EqhS+K4umnvS
// SIG // BU3acsJ+bJprUiMimA59/5x7WhJ9F9TQYy+aD9AYwMtb
// SIG // KsQ/rst+QflfML+Rq8YTAyT/JdkIy7R/1IJUkyIS6srf
// SIG // G1AKlX8n6YeAjjEb8MI07wobQp1F1wArgl2B1mpTqHND
// SIG // lNqBjfpjySCScWjUHNbIwbDGxiFr93JoEh5AhJqzL+8m
// SIG // onaXj7elfsjzIpPnl8NyH2eXjTojYC9a2c4EiX0571Ko
// SIG // mhENF3RtR25A7/X7+gk6upuE8tyMy4sBkl2MUSF08U+E
// SIG // 2LOVcR8trhYxV1lUi9CdgEU2CxODspdcFwxdT1+G8YNc
// SIG // gzHyjx3BNSI4nOZcdSnStUpGhCXbaOIXfvtOSfQX/UwJ
// SIG // oruhCugvTnub0Wna6CQiturglCOMyIy/6hu5rMFvqk9A
// SIG // ltIJ0fSR5FwljW6PHHDJNbCWrZkaEgIn24M2mG1M/Ppb
// SIG // /iF8uRhbgJi5zWxo2nAdyDBqWvpWxYIoee/3yIWpquVY
// SIG // cYGhJp/1I1sq/nD4gBVrk1SKX7Do2xAMMO+cFETTNSJq
// SIG // fTSSsntTtuBLKRB5mw5qglHKuzapDiiBuD1Zt4QwxA/1
// SIG // kKcyQ5L7uBayG78kxlVNNbyrIOFH3HYmdH0Pv1dIX/Mq
// SIG // 7avQpAfIiLpOWwcbjzCCB3owggVioAMCAQICCmEOkNIA
// SIG // AAAAAAMwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYT
// SIG // AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
// SIG // EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
// SIG // cG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290
// SIG // IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDExMB4XDTEx
// SIG // MDcwODIwNTkwOVoXDTI2MDcwODIxMDkwOVowfjELMAkG
// SIG // A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
// SIG // BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m
// SIG // dCBDb3Jwb3JhdGlvbjEoMCYGA1UEAxMfTWljcm9zb2Z0
// SIG // IENvZGUgU2lnbmluZyBQQ0EgMjAxMTCCAiIwDQYJKoZI
// SIG // hvcNAQEBBQADggIPADCCAgoCggIBAKvw+nIQHC6t2G6q
// SIG // ghBNNLrytlghn0IbKmvpWlCquAY4GgRJun/DDB7dN2vG
// SIG // EtgL8DjCmQawyDnVARQxQtOJDXlkh36UYCRsr55JnOlo
// SIG // XtLfm1OyCizDr9mpK656Ca/XllnKYBoF6WZ26DJSJhIv
// SIG // 56sIUM+zRLdd2MQuA3WraPPLbfM6XKEW9Ea64DhkrG5k
// SIG // NXimoGMPLdNAk/jj3gcN1Vx5pUkp5w2+oBN3vpQ97/vj
// SIG // K1oQH01WKKJ6cuASOrdJXtjt7UORg9l7snuGG9k+sYxd
// SIG // 6IlPhBryoS9Z5JA7La4zWMW3Pv4y07MDPbGyr5I4ftKd
// SIG // gCz1TlaRITUlwzluZH9TupwPrRkjhMv0ugOGjfdf8NBS
// SIG // v4yUh7zAIXQlXxgotswnKDglmDlKNs98sZKuHCOnqWbs
// SIG // YR9q4ShJnV+I4iVd0yFLPlLEtVc/JAPw0XpbL9Uj43Bd
// SIG // D1FGd7P4AOG8rAKCX9vAFbO9G9RVS+c5oQ/pI0m8GLhE
// SIG // fEXkwcNyeuBy5yTfv0aZxe/CHFfbg43sTUkwp6uO3+xb
// SIG // n6/83bBm4sGXgXvt1u1L50kppxMopqd9Z4DmimJ4X7Iv
// SIG // hNdXnFy/dygo8e1twyiPLI9AN0/B4YVEicQJTMXUpUMv
// SIG // dJX3bvh4IFgsE11glZo+TzOE2rCIF96eTvSWsLxGoGyY
// SIG // 0uDWiIwLAgMBAAGjggHtMIIB6TAQBgkrBgEEAYI3FQEE
// SIG // AwIBADAdBgNVHQ4EFgQUSG5k5VAF04KqFzc3IrVtqMp1
// SIG // ApUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYD
// SIG // VR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j
// SIG // BBgwFoAUci06AjGQQ7kUBU7h6qfHMdEjiTQwWgYDVR0f
// SIG // BFMwUTBPoE2gS4ZJaHR0cDovL2NybC5taWNyb3NvZnQu
// SIG // Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0
// SIG // MjAxMV8yMDExXzAzXzIyLmNybDBeBggrBgEFBQcBAQRS
// SIG // MFAwTgYIKwYBBQUHMAKGQmh0dHA6Ly93d3cubWljcm9z
// SIG // b2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0MjAx
// SIG // MV8yMDExXzAzXzIyLmNydDCBnwYDVR0gBIGXMIGUMIGR
// SIG // BgkrBgEEAYI3LgMwgYMwPwYIKwYBBQUHAgEWM2h0dHA6
// SIG // Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvZG9jcy9w
// SIG // cmltYXJ5Y3BzLmh0bTBABggrBgEFBQcCAjA0HjIgHQBM
// SIG // AGUAZwBhAGwAXwBwAG8AbABpAGMAeQBfAHMAdABhAHQA
// SIG // ZQBtAGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEA
// SIG // Z/KGpZjgVHkaLtPYdGcimwuWEeFjkplCln3SeQyQwWVf
// SIG // Liw++MNy0W2D/r4/6ArKO79HqaPzadtjvyI1pZddZYSQ
// SIG // fYtGUFXYDJJ80hpLHPM8QotS0LD9a+M+By4pm+Y9G6XU
// SIG // tR13lDni6WTJRD14eiPzE32mkHSDjfTLJgJGKsKKELuk
// SIG // qQUMm+1o+mgulaAqPyprWEljHwlpblqYluSD9MCP80Yr
// SIG // 3vw70L01724lruWvJ+3Q3fMOr5kol5hNDj0L8giJ1h/D
// SIG // Mhji8MUtzluetEk5CsYKwsatruWy2dsViFFFWDgycSca
// SIG // f7H0J/jeLDogaZiyWYlobm+nt3TDQAUGpgEqKD6CPxNN
// SIG // ZgvAs0314Y9/HG8VfUWnduVAKmWjw11SYobDHWM2l4bf
// SIG // 2vP48hahmifhzaWX0O5dY0HjWwechz4GdwbRBrF1HxS+
// SIG // YWG18NzGGwS+30HHDiju3mUv7Jf2oVyW2ADWoUa9WfOX
// SIG // pQlLSBCZgB/QACnFsZulP0V3HjXG0qKin3p6IvpIlR+r
// SIG // +0cjgPWe+L9rt0uX4ut1eBrs6jeZeRhL/9azI2h15q/6
// SIG // /IvrC4DqaTuv/DDtBEyO3991bWORPdGdVk5Pv4BXIqF4
// SIG // ETIheu9BCrE/+6jMpF3BoYibV3FWTkhFwELJm3ZbCoBI
// SIG // a/15n8G9bW1qyVJzEw16UM0xghoNMIIaCQIBATCBlTB+
// SIG // MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
// SIG // bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj
// SIG // cm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNy
// SIG // b3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExAhMzAAAE
// SIG // BGx0Bv9XKydyAAAAAAQEMA0GCWCGSAFlAwQCAQUAoIGu
// SIG // MBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwGCisG
// SIG // AQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3
// SIG // DQEJBDEiBCBfkIItjBVy2W9LCFv9fdDacE0A+4LnVfJ5
// SIG // 8kRJrhQSUjBCBgorBgEEAYI3AgEMMTQwMqAUgBIATQBp
// SIG // AGMAcgBvAHMAbwBmAHShGoAYaHR0cDovL3d3dy5taWNy
// SIG // b3NvZnQuY29tMA0GCSqGSIb3DQEBAQUABIIBAEmaK4MS
// SIG // dj+bnVgNCFZR0R23upl4VoGmxJKBSZ0FK+rw9zO6a4mj
// SIG // gX0wqmuzx3S/pcM3UgV3aI2/nyivDruAVVczxXBw1E/6
// SIG // unZ1zOIW1Xbx93l+XQlOFW8B8F0j6JtnrhcMtuLolJhH
// SIG // NpLYfZxxz95xKs0JTRUnH+KGf7reewUPy2G1itXMn8Bp
// SIG // TK+75X8pN4YdXrz58zYsS2MT3seJ6ErYHT31xGU6SU4a
// SIG // GV1SWYAiLByMeSIZ7g67Thd3AuZXXNSlwEYlSKeZb854
// SIG // Mr+Wrt/fG4yqzMo4hQGCpzTKq19xrs29ZZ7uiJQivgWn
// SIG // hmaLbjmBz9dzYmMWxuoDG85aFYyhgheXMIIXkwYKKwYB
// SIG // BAGCNwMDATGCF4Mwghd/BgkqhkiG9w0BBwKgghdwMIIX
// SIG // bAIBAzEPMA0GCWCGSAFlAwQCAQUAMIIBUgYLKoZIhvcN
// SIG // AQkQAQSgggFBBIIBPTCCATkCAQEGCisGAQQBhFkKAwEw
// SIG // MTANBglghkgBZQMEAgEFAAQg8BJI99Fpw6BEJNcD89al
// SIG // eWvx0261MUMMy3oaATO3DYECBmeuM89AURgTMjAyNTAy
// SIG // MjAxNTI4MzIuMTU4WjAEgAIB9KCB0aSBzjCByzELMAkG
// SIG // A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
// SIG // BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29m
// SIG // dCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0
// SIG // IEFtZXJpY2EgT3BlcmF0aW9uczEnMCUGA1UECxMeblNo
// SIG // aWVsZCBUU1MgRVNOOkUwMDItMDVFMC1EOTQ3MSUwIwYD
// SIG // VQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl
// SIG // oIIR7TCCByAwggUIoAMCAQICEzMAAAHuBdMCMLKanacA
// SIG // AQAAAe4wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMC
// SIG // VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
// SIG // B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw
// SIG // b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt
// SIG // U3RhbXAgUENBIDIwMTAwHhcNMjMxMjA2MTg0NTQ0WhcN
// SIG // MjUwMzA1MTg0NTQ0WjCByzELMAkGA1UEBhMCVVMxEzAR
// SIG // BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
// SIG // bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
// SIG // bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3Bl
// SIG // cmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNO
// SIG // OkUwMDItMDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3Nv
// SIG // ZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG
// SIG // 9w0BAQEFAAOCAg8AMIICCgKCAgEAvvG8pdeihImvMSku
// SIG // L1S+0RDjkey82Ai1xLVoHqsjlZa87hM/gKAmuLQRhEo2
// SIG // x01xAnjDsD/Uz3imimpX01OV0ho6SYaRsefX8TCaE2Fj
// SIG // 88w9DtkQJcgZjgQZoiw10Q0CS9UbbgI7woi7pVUHojyP
// SIG // Fe/h4U0d/dU2wtW3kscF33SiamNaJ4w2sKgyQJrcLAP4
// SIG // Jql4B8BfX2VnMCkrl4mQU21OX3Jt24YZUTcOXdOC3deW
// SIG // Vs1Zf1Q6f4kXqxqNiLP9FsJ/2t3hjnR6738CG35OpVas
// SIG // GzUBNdTnnZ9rr0YylhMHq1y+9Drg2fLy88a8tMhHb0PJ
// SIG // MvlX6vJnxF0vdO2O6zfx2F+nArAtrKMlxtzsArSwO6NP
// SIG // /pCiWbjqw+R1K0s95H6oA5Zlsuu8/GWT45IgwtXWFtYz
// SIG // e+7eYkpeVqdRygaeyVPEYkSPr2NotXG+V9kRJMN1qzVv
// SIG // 426H1xLPbeG4HfslPLICp/TLVZ0OubOkBu9jP8mlGRth
// SIG // zCN9bZvZqKB9vbzwTvYwzDiLtC8M1E5CFn5YHf7xFn0z
// SIG // XD1hEI+37FrkqFbid7gasDZkUqZkA80nzGiM7srNKb1d
// SIG // YxVqrasMAnGmP1l7G/2sZMQf8wk3R0gVCfE5t4uDzPbJ
// SIG // Irp12PnEqh+fI1pKR22ywNzn7LO3viWzIypk3XI5kpG+
// SIG // aDfKlNcCAwEAAaOCAUkwggFFMB0GA1UdDgQWBBQQiM0/
// SIG // GtncIJ69+8Xftr9f3HamCDAfBgNVHSMEGDAWgBSfpxVd
// SIG // AF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQ
// SIG // hk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3Bz
// SIG // L2NybC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENB
// SIG // JTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwG
// SIG // CCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
// SIG // b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUt
// SIG // U3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB
// SIG // Af8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4G
// SIG // A1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEA
// SIG // d2cgL2thCjlklaQZ2JM1/H/BmY2jrOe+xfaNeAJ4fZSs
// SIG // urUt+MF6D1xMkKdb9YiO6yc2VRu66VM52stp/XLH596e
// SIG // su5GJB6rUroAhpk4ogZMIRX0gcijyNPDJJYLybyk2W+u
// SIG // 98hn6RcD40MGXiOhD4/zgLaWJE+yFF6jJItQkTCSoHmO
// SIG // MFEQnHCLo3VkZKFb+Cd6v/OyhNKj0JgEfX6jDcYyN2Qp
// SIG // VcQOMIjN7TVZUWxfUoKTp41aNz/yOafCXeNYTUlQsf/I
// SIG // 96jO2i0irQ8zhFDbPmbY4c55mYFHe/wFhw4cAR3S+e0y
// SIG // PYe54mZHzmTl53GLCsRuIK8k7IVOhurAGKW6nTBP/v4N
// SIG // bnq+1RiB1LS6t1tAJ5vJQH0vT6rYbJGbeeCRdvAh3bBa
// SIG // v+11QbRZcS/yoHEMpSTZ4mvmp4sVButMlA7dxTBkiSN+
// SIG // MRvTR7M9waaklrnhrSYUOWTdCvI7tLzVYBfg79ObIqz4
// SIG // NH7Uin/RVRAqfd6PKIBePI4fAk/wd9pc9Q+k67pOBM3M
// SIG // OxNTobTjH+wx4DzFn+ljnWJ3/h2kice2U1wibFuaDpDN
// SIG // LC4rcQaUqRnI9mI5zc5wqbBD2WrdIfune7pUWlkeURwF
// SIG // MhRUPY0WuylmjRnRC07Ppx0pWI2HkKSuUEl44oHSpS0D
// SIG // wZV/vczqBgCYaGX66Y6uJ0AwggdxMIIFWaADAgECAhMz
// SIG // AAAAFcXna54Cm0mZAAAAAAAVMA0GCSqGSIb3DQEBCwUA
// SIG // MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
// SIG // Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
// SIG // TWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQDEylN
// SIG // aWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3Jp
// SIG // dHkgMjAxMDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAx
// SIG // ODMyMjVaMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX
// SIG // YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
// SIG // VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV
// SIG // BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
// SIG // MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
// SIG // 5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1
// SIG // V/YBf2xK4OK9uT4XYDP/XE/HZveVU3Fa4n5KWv64NmeF
// SIG // RiMMtY0Tz3cywBAY6GB9alKDRLemjkZrBxTzxXb1hlDc
// SIG // wUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmvHaus
// SIG // 9ja+NSZk2pg7uhp7M62AW36MEBydUv626GIl3GoPz130
// SIG // /o5Tz9bshVZN7928jaTjkY+yOSxRnOlwaQ3KNi1wjjHI
// SIG // NSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3tpK56KTes
// SIG // y+uDRedGbsoy1cCGMFxPLOJiss254o2I5JasAUq7vnGp
// SIG // F1tnYN74kpEeHT39IM9zfUGaRnXNxF803RKJ1v2lIH1+
// SIG // /NmeRd+2ci/bfV+AutuqfjbsNkz2K26oElHovwUDo9Fz
// SIG // pk03dJQcNIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNO
// SIG // wTM5TI4CvEJoLhDqhFFG4tG9ahhaYQFzymeiXtcodgLi
// SIG // Mxhy16cg8ML6EgrXY28MyTZki1ugpoMhXV8wdJGUlNi5
// SIG // UPkLiWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9Q
// SIG // BXpsxREdcu+N+VLEhReTwDwV2xo3xwgVGD94q0W29R6H
// SIG // XtqPnhZyacaue7e3PmriLq0CAwEAAaOCAd0wggHZMBIG
// SIG // CSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYE
// SIG // FCqnUv5kxJq+gpE8RjUpzxD/LwTuMB0GA1UdDgQWBBSf
// SIG // pxVdAF5iXYP05dJlpxtTNRnpcjBcBgNVHSAEVTBTMFEG
// SIG // DCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRw
// SIG // Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL0RvY3Mv
// SIG // UmVwb3NpdG9yeS5odG0wEwYDVR0lBAwwCgYIKwYBBQUH
// SIG // AwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYD
// SIG // VR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j
// SIG // BBgwFoAU1fZWy4/oolxiaNE9lJBb186aGMQwVgYDVR0f
// SIG // BE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQu
// SIG // Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0
// SIG // XzIwMTAtMDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBK
// SIG // BggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQu
// SIG // Y29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0w
// SIG // Ni0yMy5jcnQwDQYJKoZIhvcNAQELBQADggIBAJ1Vffwq
// SIG // reEsH2cBMSRb4Z5yS/ypb+pcFLY+TkdkeLEGk5c9MTO1
// SIG // OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpT
// SIG // Td2YurYeeNg2LpypglYAA7AFvonoaeC6Ce5732pvvinL
// SIG // btg/SHUB2RjebYIM9W0jVOR4U3UkV7ndn/OOPcbzaN9l
// SIG // 9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3+SmJ
// SIG // w7wXsFSFQrP8DJ6LGYnn8AtqgcKBGUIZUnWKNsIdw2Fz
// SIG // Lixre24/LAl4FOmRsqlb30mjdAy87JGA0j3mSj5mO0+7
// SIG // hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSwethQ/gpY
// SIG // 3UA8x1RtnWN0SCyxTkctwRQEcb9k+SS+c23Kjgm9swFX
// SIG // SVRk2XPXfx5bRAGOWhmRaw2fpCjcZxkoJLo4S5pu+yFU
// SIG // a2pFEUep8beuyOiJXk+d0tBMdrVXVAmxaQFEfnyhYWxz
// SIG // /gq77EFmPWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/
// SIG // AsGConsXHRWJjXD+57XQKBqJC4822rpM+Zv/Cuk0+CQ1
// SIG // ZyvgDbjmjJnW4SLq8CdCPSWU5nR0W2rRnj7tfqAxM328
// SIG // y+l7vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEG
// SIG // ahC0HVUzWLOhcGbyoYIDUDCCAjgCAQEwgfmhgdGkgc4w
// SIG // gcsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n
// SIG // dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN
// SIG // aWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1p
// SIG // Y3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJzAlBgNV
// SIG // BAsTHm5TaGllbGQgVFNTIEVTTjpFMDAyLTA1RTAtRDk0
// SIG // NzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAg
// SIG // U2VydmljZaIjCgEBMAcGBSsOAwIaAxUAiKOm1Tb35RcW
// SIG // 1Fgg0N2GCsujvpOggYMwgYCkfjB8MQswCQYDVQQGEwJV
// SIG // UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
// SIG // UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
// SIG // cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1T
// SIG // dGFtcCBQQ0EgMjAxMDANBgkqhkiG9w0BAQsFAAIFAOth
// SIG // Q4YwIhgPMjAyNTAyMjAwNjAwMzhaGA8yMDI1MDIyMTA2
// SIG // MDAzOFowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA62FD
// SIG // hgIBADAKAgEAAgIOWwIB/zAHAgEAAgITLjAKAgUA62KV
// SIG // BgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ
// SIG // CgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqG
// SIG // SIb3DQEBCwUAA4IBAQCJm5tqhfJNGnCU6pzufu7oSZKV
// SIG // kv+qUT6NPmaIzZj91+DmimfBb0YmUjGNsZHYZ+ZZcsRX
// SIG // kTw2s3ZNXOL4R4lwl1wsBp3LeZhHAaaHYdDY4fJAGy5F
// SIG // RPOKH2123IGxiX7HVxJ9cpcgc8n5XjhyYVLDie2DU4E4
// SIG // k+SMqAXEkt9Y+mnPhbyFkwjij9kjLMnRozEem8SSrQNk
// SIG // wpvhm3a1Nv33xw2xGJbO2QW++gn7WtZyN8hQytYCvPpE
// SIG // HQwmlEpURvW+AE3UaWklCnpbF3IlBTmJNxYxkxl2EWZP
// SIG // RJrr1zrZ3TOAUhcChoymljIQT2I5ozMrbqD0wP4/eS7q
// SIG // mD5oCPXlMYIEDTCCBAkCAQEwgZMwfDELMAkGA1UEBhMC
// SIG // VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
// SIG // B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw
// SIG // b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUt
// SIG // U3RhbXAgUENBIDIwMTACEzMAAAHuBdMCMLKanacAAQAA
// SIG // Ae4wDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJ
// SIG // AzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg
// SIG // aoLhKT0fhBRHHTRaQzIjlxNCY08Qzeiw/zja4oaUoHMw
// SIG // gfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCBPUHcU
// SIG // lYX6vlXX/gz7PuRCJAc/aAkvzkH5R5FUYX4wITCBmDCB
// SIG // gKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
// SIG // aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK
// SIG // ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMT
// SIG // HU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMz
// SIG // AAAB7gXTAjCymp2nAAEAAAHuMCIEIL8alJrYHTS+brqa
// SIG // XihIgQYMTOuyPr8/IrVb9C65hr9FMA0GCSqGSIb3DQEB
// SIG // CwUABIICAKg6QV34HtQF4pH0DnmmJioxn7+6p4oq6zVD
// SIG // KRR27Gvb0qPj/AuLbyHGl8+wgbKi/2Ot9O1oX8mtL/AZ
// SIG // 5gBVBKwyx9P4pL+OLoy2B5KoW0M+JZV1TvGsyCtnvicn
// SIG // Dg4WBqJ7UyJ+JAZD8mfxQjhQ4VtqLXMKw0Xax0DLSuIt
// SIG // 1aw4TLjwc9GjNbMb+zORnId2B8sWZsgp4EpCpAjo0vir
// SIG // VAjtjfCj3Q1snk9H+FiVmPs5H+3nSMXoXRtTOMNoPSEn
// SIG // HOQJ25Uh+fEV0f2D6HfbU3iGgmHgmdFhABV70n77hdnY
// SIG // sHkqupZpAUG0qkNiiiFkyGBFuSBLV2dXH0oD/JHuNhDk
// SIG // 39xOcrc6X1ZYznD/X2z55o97SYFIJ4HoqjumcA0QC4Mo
// SIG // BFudcmEzpLsPPTtTf5soXQvoo9bhiVl9VXU5oLe6gpNi
// SIG // ZiyFZ8DVY1w1kr2quqHuyxMHEIlQgYKPpFOHFDLlCQaO
// SIG // HRVSTY40DRx2TRZ8XOeYAqDIeQvYDKSn2350gf/NVbOe
// SIG // u9ofURJgbrA06hPhR+Tt7YvwVWsipY5Mw+R9QLqS71fK
// SIG // oSDuHJW6DOQ5pXAn11y2i3aO7ZGxzGDDRV9+eh1xISRj
// SIG // 3+SGOlcLvAowABJuZC+UoGSJZjw2T1o8jURDwtJPv3BJ
// SIG // uj4DbUF2mNG/0ArGEbh9ftFAsYk4lUGu
// SIG // End signature block