From 042cb5583053f81cd87a08fdb6bbee3d351de9c4 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Fri, 6 Sep 2024 15:43:06 -0500 Subject: [PATCH 01/26] Updated Readme, changelog and modified Alias. --- CHANGELOG.md | 5 ++++ IISU/CertificateStore.cs | 21 ++-------------- IISU/ClientPSIIManager.cs | 24 ++++++++++++++++--- .../WinIIS/WinIISInventory.cs | 21 ++-------------- IISU/JobConfigurationParser.cs | 2 +- IISU/Models/JobProperties.cs | 12 ++-------- IISU/WindowsCertStore.csproj | 7 +++--- integration-manifest.json | 6 ++--- readme_source.md | 2 +- 9 files changed, 41 insertions(+), 59 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e336168..2cca8d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +2.5.0 +* Added the Bindings to the end of the thumbprint to make the alias unique. +* Using new IISWebBindings commandlet to use additional SSL flags when binding certificate to website. +* Added multi-platform support for .Net6 and .Net8. + 2.4.4 * Fix an issue with WinRM parameters when migrating Legacy IIS Stores to the WinCert type * Fix an issue with "Delete" script in the Legacy IIS Migration that did not remove some records from dependent tables diff --git a/IISU/CertificateStore.cs b/IISU/CertificateStore.cs index 0ea35e6..75c1d0a 100644 --- a/IISU/CertificateStore.cs +++ b/IISU/CertificateStore.cs @@ -181,30 +181,13 @@ public static List GetIISBoundCertificates(Runspace runSpa if (foundCert == null) continue; - var sniValue = ""; - switch (Convert.ToInt16(binding.Properties["sniFlg"]?.Value)) - { - case 0: - sniValue = "0 - No SNI"; - break; - case 1: - sniValue = "1 - SNI Enabled"; - break; - case 2: - sniValue = "2 - Non SNI Binding"; - break; - case 3: - sniValue = "3 - SNI Binding"; - break; - } - var siteSettingsDict = new Dictionary { { "SiteName", binding.Properties["Name"]?.Value }, { "Port", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[1] }, { "IPAddress", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[0] }, { "HostName", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[2] }, - { "SniFlag", sniValue }, + { "SniFlag", binding.Properties["sniFlg"]?.Value }, { "Protocol", binding.Properties["Protocol"]?.Value } }; @@ -212,7 +195,7 @@ public static List GetIISBoundCertificates(Runspace runSpa new CurrentInventoryItem { Certificates = new[] { foundCert.CertificateData }, - Alias = thumbPrint, + Alias = thumbPrint + ":" + binding.Properties["Bindings"]?.Value.ToString(), PrivateKeyEntry = foundCert.HasPrivateKey, UseChainLevel = false, ItemStatus = OrchestratorInventoryItemStatus.Unknown, diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index dd57b4a..a1ed76b 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -27,6 +27,7 @@ using System.Net; using System.Security.Cryptography.X509Certificates; using System.Text; +using System.Text.RegularExpressions; namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { @@ -82,7 +83,7 @@ public ClientPSIIManager(ReenrollmentJobConfiguration config, string serverUsern Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); Protocol = config.JobProperties["Protocol"].ToString(); - SniFlag = config.JobProperties["SniFlag"]?.ToString()[..1]; + SniFlag = MigrateSNIFlag(config.JobProperties["SniFlag"]?.ToString()); IPAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password @@ -119,7 +120,7 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); Protocol = config.JobProperties["Protocol"].ToString(); - SniFlag = config.JobProperties["SniFlag"].ToString()?[..1]; + SniFlag = MigrateSNIFlag(config.JobProperties["SniFlag"]?.ToString()); IPAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password @@ -407,7 +408,7 @@ public JobResult UnBindCertificate() } catch (Exception ex) { - var failureMessage = $"Unbinging for Site '{StorePath}' on server '{_runSpace.ConnectionInfo.ComputerName}' with error: '{LogHandler.FlattenException(ex)}'"; + var failureMessage = $"Unbinding for Site '{StorePath}' on server '{_runSpace.ConnectionInfo.ComputerName}' with error: '{LogHandler.FlattenException(ex)}'"; _logger.LogWarning(failureMessage); return new JobResult @@ -424,6 +425,23 @@ public JobResult UnBindCertificate() ps.Dispose(); } } + + private string MigrateSNIFlag(string SNIValue) + { + // Regex to match the numeric part at the start of the string + var match = Regex.Match(SNIValue, @"^\d+"); + + if (match.Success) + { + // If a numeric value is found, return it as an integer + return match.Value; + } + else + { + _logger.LogError($"Invalid SNI/SSL flag value: {SNIValue}"); + return SNIValue; + } + } } } diff --git a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs index 2ae070b..886c6d2 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs @@ -97,30 +97,13 @@ public List GetInventoryItems(Runspace runSpace, string st if (foundCert == null) continue; - var sniValue = ""; - switch (Convert.ToInt16(binding.Properties["sniFlg"]?.Value)) - { - case 0: - sniValue = "0 - No SNI"; - break; - case 1: - sniValue = "1 - SNI Enabled"; - break; - case 2: - sniValue = "2 - Non SNI Binding"; - break; - case 3: - sniValue = "3 - SNI Binding"; - break; - } - var siteSettingsDict = new Dictionary { { "SiteName", binding.Properties["Name"]?.Value }, { "Port", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[1] }, { "IPAddress", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[0] }, { "HostName", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[2] }, - { "SniFlag", sniValue }, + { "SniFlag", binding.Properties["sniFlg"]?.Value }, { "Protocol", binding.Properties["Protocol"]?.Value }, { "ProviderName", foundCert.CryptoServiceProvider }, { "SAN", foundCert.SAN } @@ -130,7 +113,7 @@ public List GetInventoryItems(Runspace runSpace, string st new CurrentInventoryItem { Certificates = new[] { foundCert.CertificateData }, - Alias = thumbPrint, + Alias = thumbPrint + ":" + binding.Properties["Bindings"]?.Value.ToString(), PrivateKeyEntry = foundCert.HasPrivateKey, UseChainLevel = false, ItemStatus = OrchestratorInventoryItemStatus.Unknown, diff --git a/IISU/JobConfigurationParser.cs b/IISU/JobConfigurationParser.cs index 9d7583b..ca0ffd7 100644 --- a/IISU/JobConfigurationParser.cs +++ b/IISU/JobConfigurationParser.cs @@ -66,7 +66,7 @@ public static string ParseManagementJobConfiguration(ManagementJobConfiguration if (config.JobProperties.TryGetValue("Port", out value)) managementParser.CertificateStoreDetailProperties.Port = config.JobProperties["Port"].ToString(); if (config.JobProperties.TryGetValue("HostName", out value)) managementParser.CertificateStoreDetailProperties.HostName = config.JobProperties["HostName"]?.ToString(); if (config.JobProperties.TryGetValue("Protocol", out value)) managementParser.CertificateStoreDetailProperties.Protocol = config.JobProperties["Protocol"].ToString(); - if (config.JobProperties.TryGetValue("SniFlag", out value)) managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString()?[..1]; + if (config.JobProperties.TryGetValue("SniFlag", out value)) managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString(); if (config.JobProperties.TryGetValue("IPAddress", out value)) managementParser.CertificateStoreDetailProperties.IPAddress = config.JobProperties["IPAddress"].ToString(); if (config.JobProperties.TryGetValue("ProviderName", out value)) managementParser.CertificateStoreDetailProperties.ProviderName = config.JobProperties["ProviderName"]?.ToString(); if (config.JobProperties.TryGetValue("SAN", out value)) managementParser.CertificateStoreDetailProperties.SAN = config.JobProperties["SAN"]?.ToString(); diff --git a/IISU/Models/JobProperties.cs b/IISU/Models/JobProperties.cs index 5fb03bf..a6ef63b 100644 --- a/IISU/Models/JobProperties.cs +++ b/IISU/Models/JobProperties.cs @@ -45,19 +45,11 @@ public JobProperties() public bool ServerUseSsl { get; set; } [JsonProperty("sniflag")] - [DefaultValue(SniFlag.None)] - public SniFlag SniFlag { get; set; } + [DefaultValue("0")] + public string SniFlag { get; set; } [JsonProperty("RestartService")] [DefaultValue(true)] public bool RestartService { get; set; } } - - internal enum SniFlag - { - None = 0, - Sni = 1, - NoneCentral = 2, - SniCentral = 3 - } } \ No newline at end of file diff --git a/IISU/WindowsCertStore.csproj b/IISU/WindowsCertStore.csproj index b224ebf..ab32885 100644 --- a/IISU/WindowsCertStore.csproj +++ b/IISU/WindowsCertStore.csproj @@ -3,7 +3,7 @@ Keyfactor.Extensions.Orchestrator.WindowsCertStore true - net6.0 + net6.0;net8.0 AnyCPU @@ -31,8 +31,9 @@ - - + + + diff --git a/integration-manifest.json b/integration-manifest.json index 87833f4..b09de75 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -258,7 +258,7 @@ { "Name": "SniFlag", "DisplayName": "SNI Support", - "Type": "MultipleChoice", + "Type": "String", "RequiredWhen": { "HasPrivateKey": false, "OnAdd": false, @@ -266,8 +266,8 @@ "OnReenrollment": false }, "DependsOn": "", - "DefaultValue": "0 - No SNI", - "Options": "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding" + "DefaultValue": "0", + "Options": "" }, { "Name": "Protocol", diff --git a/readme_source.md b/readme_source.md index 07c1a8c..f25bfb3 100644 --- a/readme_source.md +++ b/readme_source.md @@ -110,7 +110,7 @@ SiteName | IIS Site Name|String|Default Web Site|Adding, Removing, Reenrolling | IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses) Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to HostName | Host Name | String |||| Host name (host header) to bind certificate to, leave blank for all host names -SniFlag | SNI Support | Multiple Choice | 0 - No SNI||Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") +SniFlag | SNI Support | String | 0 | Adding, Reenrolling |Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") Protocol | Protocol | Multiple Choice | https| Adding, Removing, Reenrolling|Protocol to bind to (always "https").
(Multiple choice configuration should be "https") ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. From 4f4ef751316010ba137973b9abe8d407accacefc Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Fri, 6 Sep 2024 20:43:43 +0000 Subject: [PATCH 02/26] Update generated README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0353ab2..b1e73f7 100644 --- a/README.md +++ b/README.md @@ -214,7 +214,7 @@ SiteName | IIS Site Name|String|Default Web Site|Adding, Removing, Reenrolling | IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses) Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to HostName | Host Name | String |||| Host name (host header) to bind certificate to, leave blank for all host names -SniFlag | SNI Support | Multiple Choice | 0 - No SNI||Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") +SniFlag | SNI Support | String | 0 | Adding, Reenrolling |Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") Protocol | Protocol | Multiple Choice | https| Adding, Removing, Reenrolling|Protocol to bind to (always "https").
(Multiple choice configuration should be "https") ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. From da1550c6cb5143a9968dc18f1561e32f31000132 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Tue, 10 Sep 2024 16:23:47 -0500 Subject: [PATCH 03/26] Added Unit Test project. Updated code for ssl flags and adding bindings to thumbprint for unique thumbprint. --- .../workflows/keyfactor-starter-workflow.yml | 2 +- IISU/ClientPSCertStoreInventory.cs | 9 +- IISU/ClientPSCertStoreManager.cs | 13 +- IISU/ClientPSIIManager.cs | 332 ++++++++++++------ .../WinIIS/WinIISInventory.cs | 9 +- IISU/PSHelper.cs | 7 +- IISU/WindowsCertStore.csproj | 2 +- WinCertTestConsole/WinCertTestConsole.csproj | 6 +- WinCertUnitTests/UnitTestIISBinding.cs | 86 +++++ WinCertUnitTests/WinCertUnitTests.csproj | 34 ++ WindowsCertStore.sln | 10 + 11 files changed, 396 insertions(+), 114 deletions(-) create mode 100644 WinCertUnitTests/UnitTestIISBinding.cs create mode 100644 WinCertUnitTests/WinCertUnitTests.csproj diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 6d8de53..b13de78 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v2 + uses: keyfactor/actions/.github/workflows/starter.yml@dual-platform-without-doctool secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} diff --git a/IISU/ClientPSCertStoreInventory.cs b/IISU/ClientPSCertStoreInventory.cs index 0bde6f5..b3b85e1 100644 --- a/IISU/ClientPSCertStoreInventory.cs +++ b/IISU/ClientPSCertStoreInventory.cs @@ -11,6 +11,7 @@ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. +using Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU; using Keyfactor.Logging; using Microsoft.Extensions.Logging; using System; @@ -21,9 +22,15 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { - abstract class ClientPSCertStoreInventory + public abstract class ClientPSCertStoreInventory { private ILogger _logger; + + protected ClientPSCertStoreInventory() + { + _logger = LogHandler.GetClassLogger(); + } + public ClientPSCertStoreInventory(ILogger logger) { _logger = logger; diff --git a/IISU/ClientPSCertStoreManager.cs b/IISU/ClientPSCertStoreManager.cs index 3a75960..e768f08 100644 --- a/IISU/ClientPSCertStoreManager.cs +++ b/IISU/ClientPSCertStoreManager.cs @@ -27,7 +27,7 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { - internal class ClientPSCertStoreManager + public class ClientPSCertStoreManager { private ILogger _logger; private Runspace _runspace; @@ -40,6 +40,11 @@ public X509Certificate2 X509Cert get { return x509Cert; } } + public ClientPSCertStoreManager(Runspace runSpace) + { + _logger = LogHandler.GetClassLogger(); + _runspace = runSpace; + } public ClientPSCertStoreManager(ILogger logger, Runspace runSpace, long jobNumber) { @@ -126,9 +131,9 @@ public JobResult ImportPFXFile(string filePath, string privateKeyPassword, strin { ps.Runspace = _runspace; - if (cryptoProviderName == null) + if (string.IsNullOrEmpty(cryptoProviderName)) { - if (privateKeyPassword == null) + if (string.IsNullOrEmpty(privateKeyPassword)) { // If no private key password is provided, import the pfx file directory to the store using addstore argument string script = @" @@ -179,7 +184,7 @@ public JobResult ImportPFXFile(string filePath, string privateKeyPassword, strin } else { - if (privateKeyPassword == null) + if (string.IsNullOrEmpty(privateKeyPassword)) { string script = @" param($pfxFilePath, $cspName, $storePath) diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index a1ed76b..01ebcfd 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -23,15 +23,17 @@ using System.IO; using System.Linq; using System.Management.Automation; +using System.Management.Automation.Language; using System.Management.Automation.Runspaces; using System.Net; using System.Security.Cryptography.X509Certificates; using System.Text; using System.Text.RegularExpressions; +using System.Web.Services.Description; namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { - internal class ClientPSIIManager + public class ClientPSIIManager { private string SiteName { get; set; } private string Port { get; set; } @@ -56,22 +58,30 @@ internal class ClientPSIIManager private PowerShell ps; - //public ClientPSIIManager(ILogger logger, Runspace runSpace) - //{ - // _logger = logger; - // _runSpace = runSpace; - - // ps = PowerShell.Create(); - // ps.Runspace = _runSpace; - //} - - //public ClientPSIIManager(ILogger logger, Runspace runSpace, PowerShell powerShell) - //{ - // _logger = logger; - // _runSpace = runSpace; - - // ps = powerShell; - //} + /// + /// This constructor is used for unit testing + /// + /// + /// + /// + /// + /// + /// + /// + public ClientPSIIManager(Runspace runSpace, string SiteName, string Protocol, string IPAddress, string Port, string HostName, string Thumbprint, string StorePath, string sniFlag) + { + _logger = LogHandler.GetClassLogger(); + _runSpace = runSpace; + + this.SiteName = SiteName; + this.Protocol = Protocol; + this.IPAddress = IPAddress; + this.Port = Port; + this.HostName = HostName; + this.RenewalThumbprint = Thumbprint; + this.StorePath = StorePath; + this.SniFlag = sniFlag; + } public ClientPSIIManager(ReenrollmentJobConfiguration config, string serverUsername, string serverPassword) { @@ -167,6 +177,8 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) if (RenewalThumbprint?.Length > 0) { _logger.LogTrace($"Thumbprint Length > 0 {RenewalThumbprint}"); + + // Get the bindings for all the websites ps.AddCommand("Import-Module") .AddParameter("Name", "WebAdministration") .AddStatement(); @@ -177,6 +189,10 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) ps.AddScript(searchScript).AddStatement(); _logger.LogTrace($"Search Script: {searchScript}"); var bindings = ps.Invoke(); + + bool hadPSError = false; // Flag to indicate if any website had problem with binding + List bindingSiteErrorMessage = new List(); + foreach (var binding in bindings) { if (binding.Properties["Protocol"].Value.ToString().Contains("https")) @@ -198,100 +214,114 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) if (RenewalThumbprint == bindingThumbprint) { _logger.LogTrace($"Thumbprint Match {RenewalThumbprint}={bindingThumbprint}"); - var funcScript = string.Format(@" - $ErrorActionPreference = ""Stop"" - - $IISInstalled = Get-Module -ListAvailable | where {{$_.Name -eq ""WebAdministration""}} - if($IISInstalled) {{ - Import-Module WebAdministration - Get-WebBinding -Name ""{0}"" -IPAddress ""{1}"" -HostHeader ""{4}"" -Port ""{2}"" -Protocol ""{3}"" | - ForEach-Object {{ Remove-WebBinding -BindingInformation $_.bindingInformation }} - - New-WebBinding -Name ""{0}"" -IPAddress ""{1}"" -HostHeader ""{4}"" -Port ""{2}"" -Protocol ""{3}"" -SslFlags ""{7}"" - Get-WebBinding -Name ""{0}"" -IPAddress ""{1}"" -HostHeader ""{4}"" -Port ""{2}"" -Protocol ""{3}"" | - ForEach-Object {{ $_.AddSslCertificate(""{5}"", ""{6}"") }} - }}", bindingSiteName, //{0} - bindingIpAddress, //{1} - bindingPort, //{2} - bindingProtocol, //{3} - bindingHostName, //{4} - x509Cert.Thumbprint, //{5} - StorePath, //{6} - bindingSniFlg); //{7} - - _logger.LogTrace($"funcScript {funcScript}"); - ps.AddScript(funcScript); - _logger.LogTrace("funcScript added..."); - ps.Invoke(); - _logger.LogTrace("funcScript Invoked..."); - foreach (var cmd in ps.Commands.Commands) + try { - _logger.LogTrace("Logging PowerShell Command"); - _logger.LogTrace(cmd.CommandText); + Collection results = (Collection)PerformIISBinding(bindingSiteName, bindingProtocol, bindingIpAddress, bindingPort, bindingHostName, bindingSniFlg, bindingThumbprint, StorePath); + + // Check if PowerShell had any errors for this binding + if (ps.HadErrors) + { + var psError = ps.Streams.Error.ReadAll() + .Aggregate(string.Empty, (current, error) => + current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) + ? error.ErrorDetails.Message + : error.Exception != null + ? error.Exception.Message + : error.ToString()) + Environment.NewLine); + + string oops = $"PowerShell Error on Site {bindingSiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {psError}"; + bindingSiteErrorMessage.Add(oops); + hadPSError = true; + + _logger.LogTrace(oops); + } + + // Clear the commands and go to the next website + ps.Commands.Clear(); + _logger.LogTrace("Commands Cleared.."); } + catch (Exception e) + { + string oops = $"Application Exception on Site {bindingSiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {e.Message}"; + bindingSiteErrorMessage.Add(oops); + hadPSError = true; - ps.Commands.Clear(); - _logger.LogTrace("Commands Cleared.."); + _logger.LogTrace(oops); + } } } } + + if (hadPSError) + { + // Report errors and job results + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = JobHistoryID, + FailureMessage = string.Join(Environment.NewLine, bindingSiteErrorMessage) + }; + } + else + { + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Success, + JobHistoryId = JobHistoryID, + FailureMessage = "" + }; + } } else { - var funcScript = string.Format(@" - $ErrorActionPreference = ""Stop"" - - $IISInstalled = Get-Module -ListAvailable | where {{$_.Name -eq ""WebAdministration""}} - if($IISInstalled) {{ - Import-Module WebAdministration - Get-WebBinding -Name ""{0}"" -IPAddress ""{1}"" -Port ""{2}"" -Protocol ""{3}"" -HostHeader ""{4}"" | - ForEach-Object {{ Remove-WebBinding -BindingInformation $_.bindingInformation }} - - New-WebBinding -Name ""{0}"" -IPAddress ""{1}"" -HostHeader ""{4}"" -Port ""{2}"" -Protocol ""{3}"" -SslFlags ""{7}"" - Get-WebBinding -Name ""{0}"" -IPAddress ""{1}"" -HostHeader ""{4}"" -Port ""{2}"" -Protocol ""{3}"" | - ForEach-Object {{ $_.AddSslCertificate(""{5}"", ""{6}"") }} - }}", SiteName, //{0} - IPAddress, //{1} - Port, //{2} - Protocol, //{3} - HostName, //{4} - x509Cert.Thumbprint, //{5} - StorePath, //{6} - Convert.ToInt16(SniFlag)); //{7} - foreach (var cmd in ps.Commands.Commands) + bool hadError = false; + string errorMessage = string.Empty; + + try { - _logger.LogTrace("Logging PowerShell Command"); - _logger.LogTrace(cmd.CommandText); - } + Collection results = (Collection)PerformIISBinding(SiteName, Protocol, IPAddress, Port, HostName, SniFlag, x509Cert.Thumbprint, StorePath); - _logger.LogTrace($"funcScript {funcScript}"); - ps.AddScript(funcScript); - _logger.LogTrace("funcScript added..."); - ps.Invoke(); - _logger.LogTrace("funcScript Invoked..."); - } + if (ps.HadErrors) + { + var psError = ps.Streams.Error.ReadAll() + .Aggregate(string.Empty, (current, error) => + current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) + ? error.ErrorDetails.Message + : error.Exception != null + ? error.Exception.Message + : error.ToString()) + Environment.NewLine); - if (ps.HadErrors) - { - var psError = ps.Streams.Error.ReadAll() - .Aggregate(string.Empty, (current, error) => current + error.ErrorDetails.Message); + errorMessage = psError; + hadError = true; + + } + } + catch (Exception e) + { + errorMessage = $"Application Exception on Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {e.Message}"; + hadError = true; + _logger.LogTrace(errorMessage); + } + + if (hadError) { return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = JobHistoryID, - FailureMessage = - $"Site {StorePath} on server {_runSpace.ConnectionInfo.ComputerName}: {psError}" + FailureMessage = errorMessage + }; + } + else + { + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Success, + JobHistoryId = JobHistoryID, + FailureMessage = "" }; } } - - return new JobResult - { - Result = OrchestratorJobStatusJobResult.Success, - JobHistoryId = JobHistoryID, - FailureMessage = "" - }; } catch (Exception e) { @@ -299,7 +329,7 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = JobHistoryID, - FailureMessage = $"Error Occurred in InstallCertificate {LogHandler.FlattenException(e)}" + FailureMessage = $"Application Error Occurred in BindCertificate: {LogHandler.FlattenException(e)}" }; } finally @@ -426,20 +456,120 @@ public JobResult UnBindCertificate() } } - private string MigrateSNIFlag(string SNIValue) + /// + /// + /// + /// + /// + /// + /// + /// + /// + /// + /// + /// + private object PerformIISBinding(string webSiteName, string protocol, string ipAddress, string port, string hostName, string sslFlags, string thumbprint, string storeName) { - // Regex to match the numeric part at the start of the string - var match = Regex.Match(SNIValue, @"^\d+"); + string funcScript = @" + param ( + $SiteName, # The name of the IIS site + $IPAddress, # The IP Address for the binding + $Port, # The port number for the binding + $Hostname, # Hostname for the binding (if any) + $Protocol, # Protocol (e.g., HTTP, HTTPS) + $Thumbprint, # Certificate thumbprint for HTTPS bindings + $StoreName, # Certificate store location (e.g., ""My"" for personal certs) + $SslFlags # SSL flags (if any) + ) + + # Set Execution Policy (optional, depending on your environment) + Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force + + # Check if the IISAdministration module is available + $module = Get-Module -Name IISAdministration -ListAvailable + + if (-not $module) { + throw ""The IISAdministration module is not installed on this system."" + } + + # Check if the IISAdministration module is already loaded + if (-not (Get-Module -Name IISAdministration)) { + try { + # Attempt to import the IISAdministration module + Import-Module IISAdministration -ErrorAction Stop + } + catch { + throw ""Failed to load the IISAdministration module. Ensure it is installed and available."" + } + } + + # Retrieve the existing binding information + $myBinding = ""${IPAddress}:${Port}:${Hostname}"" + Write-Host ""myBinding: "" $myBinding + + $siteBindings = Get-IISSiteBinding -Name $SiteName + $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } + + Write-Host ""Binding:"" $existingBinding + + if ($null -ne $existingBinding) { + # Remove the existing binding + Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false + + Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" + } + + # Create the new binding with modified properties + $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" + + New-IISSiteBinding -Name $SiteName ` + -BindingInformation $newBindingInfo ` + -Protocol $Protocol ` + -CertificateThumbprint $Thumbprint ` + -CertStoreLocation $StoreName ` + -SslFlag $SslFlags + + Write-Host ""New binding added: $newBindingInfo"" + "; + + ps.AddScript(funcScript); + ps.AddParameter("SiteName", webSiteName); + ps.AddParameter("IPAddress", ipAddress); + ps.AddParameter("Port", port); + ps.AddParameter("Hostname", hostName); + ps.AddParameter("Protocol", protocol); + ps.AddParameter("Thumbprint", thumbprint); + ps.AddParameter("StoreName", storeName); + ps.AddParameter("SslFlags", sslFlags); + + _logger.LogTrace("funcScript added..."); + var results = ps.Invoke(); + _logger.LogTrace("funcScript Invoked..."); + + return results; + } - if (match.Success) + public static string MigrateSNIFlag(string input) + { + // Check if the input is numeric, if so, just return it as an integer + if (int.TryParse(input, out int numericValue)) { - // If a numeric value is found, return it as an integer - return match.Value; + return numericValue.ToString(); } - else + + // Handle the string cases + switch (input.ToLower()) { - _logger.LogError($"Invalid SNI/SSL flag value: {SNIValue}"); - return SNIValue; + case "0 - no sni": + return "0"; + case "1 - sni enabled": + return "1"; + case "2 - non sni binding": + return "2"; + case "3 - sni binding": + return "3"; + default: + return "0"; } } } diff --git a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs index 886c6d2..30627b9 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; using Microsoft.Extensions.Logging; @@ -25,9 +26,15 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU { - internal class WinIISInventory : ClientPSCertStoreInventory + public class WinIISInventory : ClientPSCertStoreInventory { private ILogger _logger; + + public WinIISInventory() + { + _logger = LogHandler.GetClassLogger(); + } + public WinIISInventory(ILogger logger) : base(logger) { _logger = logger; diff --git a/IISU/PSHelper.cs b/IISU/PSHelper.cs index c125751..4a44bd2 100644 --- a/IISU/PSHelper.cs +++ b/IISU/PSHelper.cs @@ -50,10 +50,13 @@ public static Runspace GetClientPsRunspace(string winRmProtocol, string clientMa if (isLocal) { - //return RunspaceFactory.CreateRunspace(); +#if NET6_0 PowerShellProcessInstance instance = new PowerShellProcessInstance(new Version(5, 1), null, null, false); Runspace rs = RunspaceFactory.CreateOutOfProcessRunspace(new TypeTable(Array.Empty()), instance); - +#elif NET8_0_OR_GREATER + InitialSessionState iss = InitialSessionState.CreateDefault(); + Runspace rs = RunspaceFactory.CreateRunspace(iss); +#endif return rs; } else diff --git a/IISU/WindowsCertStore.csproj b/IISU/WindowsCertStore.csproj index ab32885..24ceaf0 100644 --- a/IISU/WindowsCertStore.csproj +++ b/IISU/WindowsCertStore.csproj @@ -3,7 +3,7 @@ Keyfactor.Extensions.Orchestrator.WindowsCertStore true - net6.0;net8.0 + net6.0;net8.0 AnyCPU diff --git a/WinCertTestConsole/WinCertTestConsole.csproj b/WinCertTestConsole/WinCertTestConsole.csproj index 504e735..e75510b 100644 --- a/WinCertTestConsole/WinCertTestConsole.csproj +++ b/WinCertTestConsole/WinCertTestConsole.csproj @@ -1,8 +1,8 @@ - + Exe - net6.0 + net8.0 AnyCPU @@ -10,7 +10,7 @@ - + diff --git a/WinCertUnitTests/UnitTestIISBinding.cs b/WinCertUnitTests/UnitTestIISBinding.cs new file mode 100644 index 0000000..deb5752 --- /dev/null +++ b/WinCertUnitTests/UnitTestIISBinding.cs @@ -0,0 +1,86 @@ +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Extensions.Orchestrator.WindowsCertStore.IISU; +using Keyfactor.Extensions.Orchestrator.WindowsCertStore; +using System.Security.Cryptography.X509Certificates; +using System.Management.Automation.Runspaces; +using Microsoft.Extensions.Logging; +using Microsoft.VisualStudio.TestTools.UnitTesting.Logging; +using System.Net; +using System.Web.Services.Description; +using System.Management.Automation; +using Keyfactor.Orchestrators.Common.Enums; +namespace WinCertUnitTests +{ + [TestClass] + public class UnitTestIISBinding + { + [TestMethod] + public void RenewBindingCertificate() + { + string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; + string password = "8zWwF36N6cNu"; + X509Certificate2 cert = new X509Certificate2(certPath, password); + + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); + + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", cert.Thumbprint, "My", "0"); + JobResult result = IIS.BindCertificate(cert); + Assert.AreEqual("Success", result.Result.ToString()); + } + + [TestMethod] + public void BindingNewCertificate() + { + string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; + string password = "8zWwF36N6cNu"; + X509Certificate2 cert = new X509Certificate2(certPath, password); + + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); + + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", "32"); + JobResult result = IIS.BindCertificate(cert); + + Assert.AreEqual("Success", result.Result.ToString()); + } + + [TestMethod] + public void AddCertificate() + { + + string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; + string password = "8zWwF36N6cNu"; + + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); + rs.Open(); + + ClientPSCertStoreManager certStoreManager = new ClientPSCertStoreManager(rs); + JobResult result = certStoreManager.ImportPFXFile(certPath, password, "", "My"); + rs.Close(); + + Assert.AreEqual("Success", result.Result.ToString()); + } + + + [TestMethod] + public void GetBoundCertificates() + { + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); + rs.Open(); + WinIISInventory IISInventory = new WinIISInventory(); + List certs = IISInventory.GetInventoryItems(rs, "My"); + rs.Close(); + + Assert.IsNotNull(certs); + + } + + [TestMethod] + public void OrigSNIFlagZeroReturnsZero() + { + string expectedResult = "32"; + string result = ClientPSIIManager.MigrateSNIFlag("32"); + Assert.AreEqual(expectedResult, result); + } + + } +} \ No newline at end of file diff --git a/WinCertUnitTests/WinCertUnitTests.csproj b/WinCertUnitTests/WinCertUnitTests.csproj new file mode 100644 index 0000000..82ca639 --- /dev/null +++ b/WinCertUnitTests/WinCertUnitTests.csproj @@ -0,0 +1,34 @@ + + + + net8.0 + enable + enable + + false + true + + + + + + + + + + + + + + + + + + + + + Always + + + + diff --git a/WindowsCertStore.sln b/WindowsCertStore.sln index 883ef0b..7d2f736 100644 --- a/WindowsCertStore.sln +++ b/WindowsCertStore.sln @@ -36,6 +36,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{630203 EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WinCertTestConsole", "WinCertTestConsole\WinCertTestConsole.csproj", "{D0F4A3CC-5236-4393-9C97-AE55ACE319F2}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WinCertUnitTests", "WinCertUnitTests\WinCertUnitTests.csproj", "{AEE85A79-8614-447A-B14A-FD5A389C510B}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -59,6 +61,14 @@ Global {D0F4A3CC-5236-4393-9C97-AE55ACE319F2}.Release|Any CPU.ActiveCfg = Release|Any CPU {D0F4A3CC-5236-4393-9C97-AE55ACE319F2}.Release|Any CPU.Build.0 = Release|Any CPU {D0F4A3CC-5236-4393-9C97-AE55ACE319F2}.Release|x64.ActiveCfg = Release|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Debug|Any CPU.Build.0 = Debug|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Debug|x64.ActiveCfg = Debug|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Debug|x64.Build.0 = Debug|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Release|Any CPU.ActiveCfg = Release|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Release|Any CPU.Build.0 = Release|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Release|x64.ActiveCfg = Release|Any CPU + {AEE85A79-8614-447A-B14A-FD5A389C510B}.Release|x64.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE From 87a092804a25c9887bf370396971327c736a7b27 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Wed, 11 Sep 2024 17:04:52 -0500 Subject: [PATCH 04/26] Updated error messages. --- IISU/ClientPSIIManager.cs | 6 +++--- WinCertUnitTests/UnitTestIISBinding.cs | 10 +++++++++- WinCertUnitTests/WinCertUnitTests.csproj | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index 01ebcfd..985bef0 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -298,7 +298,7 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) } catch (Exception e) { - errorMessage = $"Application Exception on Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {e.Message}"; + errorMessage = $"Binding attempt failed on Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName}, Application error: {e.Message}"; hadError = true; _logger.LogTrace(errorMessage); } @@ -309,7 +309,7 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = JobHistoryID, - FailureMessage = errorMessage + FailureMessage = $"Binding attempt failed on Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {errorMessage}" }; } else @@ -569,7 +569,7 @@ public static string MigrateSNIFlag(string input) case "3 - sni binding": return "3"; default: - return "0"; + throw new Exception($"Received an invalid value '{input}' for sni/ssl Flag value"); } } } diff --git a/WinCertUnitTests/UnitTestIISBinding.cs b/WinCertUnitTests/UnitTestIISBinding.cs index deb5752..4f58c31 100644 --- a/WinCertUnitTests/UnitTestIISBinding.cs +++ b/WinCertUnitTests/UnitTestIISBinding.cs @@ -37,7 +37,7 @@ public void BindingNewCertificate() Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); - ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", "32"); + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", "0"); JobResult result = IIS.BindCertificate(cert); Assert.AreEqual("Success", result.Result.ToString()); @@ -82,5 +82,13 @@ public void OrigSNIFlagZeroReturnsZero() Assert.AreEqual(expectedResult, result); } + [TestMethod] + public void InvalidSNIFlagZeroThrowException() + { + string expectedResult = "32"; + string result = ClientPSIIManager.MigrateSNIFlag("32"); + Assert.AreEqual(expectedResult, result); + } + } } \ No newline at end of file diff --git a/WinCertUnitTests/WinCertUnitTests.csproj b/WinCertUnitTests/WinCertUnitTests.csproj index 82ca639..3890ded 100644 --- a/WinCertUnitTests/WinCertUnitTests.csproj +++ b/WinCertUnitTests/WinCertUnitTests.csproj @@ -1,4 +1,4 @@ - + net8.0 From a3c06be76f2c325e6af2146715369278f474069e Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Wed, 11 Sep 2024 17:06:30 -0500 Subject: [PATCH 05/26] Fixed SNI Flag value from Int to string --- IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs | 2 +- WinCertUnitTests/UnitTestIISBinding.cs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs index 30627b9..0ce7320 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/WinIISInventory.cs @@ -110,7 +110,7 @@ public List GetInventoryItems(Runspace runSpace, string st { "Port", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[1] }, { "IPAddress", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[0] }, { "HostName", binding.Properties["Bindings"]?.Value.ToString()?.Split(':')[2] }, - { "SniFlag", binding.Properties["sniFlg"]?.Value }, + { "SniFlag", binding.Properties["sniFlg"]?.Value.ToString() }, { "Protocol", binding.Properties["Protocol"]?.Value }, { "ProviderName", foundCert.CryptoServiceProvider }, { "SAN", foundCert.SAN } diff --git a/WinCertUnitTests/UnitTestIISBinding.cs b/WinCertUnitTests/UnitTestIISBinding.cs index deb5752..6a3a795 100644 --- a/WinCertUnitTests/UnitTestIISBinding.cs +++ b/WinCertUnitTests/UnitTestIISBinding.cs @@ -37,7 +37,7 @@ public void BindingNewCertificate() Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); - ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", "32"); + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", "3"); JobResult result = IIS.BindCertificate(cert); Assert.AreEqual("Success", result.Result.ToString()); From 118c5836bf271170973740d56a87b2fc0ca3abb5 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Thu, 12 Sep 2024 10:37:00 -0500 Subject: [PATCH 06/26] Updated some error messages and added new unit tests. --- IISU/ClientPSIIManager.cs | 30 +++++---- IISU/WindowsCertStore.csproj | 6 ++ WinCertUnitTests/CertificateHelper.cs | 52 ++++++++++++++++ WinCertUnitTests/UnitTestIISBinding.cs | 77 ++++++++++++++++++++---- WinCertUnitTests/WinCertUnitTests.csproj | 11 +--- 5 files changed, 145 insertions(+), 31 deletions(-) create mode 100644 WinCertUnitTests/CertificateHelper.cs diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index 985bef0..a2adde5 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -488,9 +488,9 @@ private object PerformIISBinding(string webSiteName, string protocol, string ipA # Check if the IISAdministration module is available $module = Get-Module -Name IISAdministration -ListAvailable - if (-not $module) { - throw ""The IISAdministration module is not installed on this system."" - } + #if (-not $module) { + #throw ""The IISAdministration module is not installed on this system."" + #} # Check if the IISAdministration module is already loaded if (-not (Get-Module -Name IISAdministration)) { @@ -522,14 +522,20 @@ private object PerformIISBinding(string webSiteName, string protocol, string ipA # Create the new binding with modified properties $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" - New-IISSiteBinding -Name $SiteName ` - -BindingInformation $newBindingInfo ` - -Protocol $Protocol ` - -CertificateThumbprint $Thumbprint ` - -CertStoreLocation $StoreName ` - -SslFlag $SslFlags - - Write-Host ""New binding added: $newBindingInfo"" + try + { + New-IISSiteBinding -Name $SiteName ` + -BindingInformation $newBindingInfo ` + -Protocol $Protocol ` + -CertificateThumbprint $Thumbprint ` + -CertStoreLocation $StoreName ` + -SslFlag $SslFlags + + Write-Host ""New binding added: $newBindingInfo"" + } + catch { + throw $_ + } "; ps.AddScript(funcScript); @@ -569,7 +575,7 @@ public static string MigrateSNIFlag(string input) case "3 - sni binding": return "3"; default: - throw new Exception($"Received an invalid value '{input}' for sni/ssl Flag value"); + throw new ArgumentOutOfRangeException($"Received an invalid value '{input}' for sni/ssl Flag value"); } } } diff --git a/IISU/WindowsCertStore.csproj b/IISU/WindowsCertStore.csproj index 24ceaf0..9ba8bbf 100644 --- a/IISU/WindowsCertStore.csproj +++ b/IISU/WindowsCertStore.csproj @@ -42,4 +42,10 @@ + + + 7.4.5 + + + diff --git a/WinCertUnitTests/CertificateHelper.cs b/WinCertUnitTests/CertificateHelper.cs new file mode 100644 index 0000000..61c73c3 --- /dev/null +++ b/WinCertUnitTests/CertificateHelper.cs @@ -0,0 +1,52 @@ +using System; +using System.IO; +using System.Security.Cryptography; +using System.Security.Cryptography.X509Certificates; + +namespace WinCertUnitTests +{ + internal class CertificateHelper + { + public static void CreateSelfSignedCertificate(string certName, string password, string pfxPath) + { + // Set certificate subject and other properties + var distinguishedName = new X500DistinguishedName($"CN={certName}"); + + using (RSA rsa = RSA.Create(2048)) + { + // Define the certificate request + var certificateRequest = new CertificateRequest( + distinguishedName, + rsa, + HashAlgorithmName.SHA256, + RSASignaturePadding.Pkcs1); + + // Add key usage and enhanced key usage (EKU) extensions + certificateRequest.CertificateExtensions.Add( + new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true)); + + certificateRequest.CertificateExtensions.Add( + new X509EnhancedKeyUsageExtension( + new OidCollection + { + new Oid("1.3.6.1.5.5.7.3.1") // OID for Server Authentication + }, true)); + + // Create the self-signed certificate + var startDate = DateTimeOffset.Now; + var endDate = startDate.AddYears(1); + + using (X509Certificate2 certificate = certificateRequest.CreateSelfSigned(startDate, endDate)) + { + // Export the certificate with a password to a PFX file + byte[] pfxBytes = certificate.Export(X509ContentType.Pfx, password); + + // Save to a file + File.WriteAllBytes(pfxPath, pfxBytes); + + Console.WriteLine($"Certificate created and saved at {pfxPath}"); + } + } + } + } +} diff --git a/WinCertUnitTests/UnitTestIISBinding.cs b/WinCertUnitTests/UnitTestIISBinding.cs index 10ec418..4c76080 100644 --- a/WinCertUnitTests/UnitTestIISBinding.cs +++ b/WinCertUnitTests/UnitTestIISBinding.cs @@ -6,20 +6,39 @@ using Microsoft.Extensions.Logging; using Microsoft.VisualStudio.TestTools.UnitTesting.Logging; using System.Net; -using System.Web.Services.Description; +//using System.Web.Services.Description; using System.Management.Automation; using Keyfactor.Orchestrators.Common.Enums; +using System.Security.Policy; +using Microsoft.Web.Administration; namespace WinCertUnitTests { [TestClass] public class UnitTestIISBinding { + private string certName = ""; + private string certPassword = ""; + private string pfxPath = ""; + + public UnitTestIISBinding() + { + certName = "UnitTestCertificate"; + certPassword = "lkjglj655asd"; + pfxPath = Path.Combine(Directory.GetCurrentDirectory(), "TestCertificate.pfx"); + + if (!File.Exists(pfxPath)) + { + CertificateHelper.CreateSelfSignedCertificate(certName, certPassword, pfxPath); + } + } + + [TestMethod] public void RenewBindingCertificate() { string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; string password = "8zWwF36N6cNu"; - X509Certificate2 cert = new X509Certificate2(certPath, password); + X509Certificate2 cert = new X509Certificate2(pfxPath, certPassword); Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); @@ -33,11 +52,13 @@ public void BindingNewCertificate() { string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; string password = "8zWwF36N6cNu"; - X509Certificate2 cert = new X509Certificate2(certPath, password); + X509Certificate2 cert = new X509Certificate2(pfxPath, certPassword); Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); - ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", "3"); + string sslFlag = "32"; + + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", sslFlag); JobResult result = IIS.BindCertificate(cert); Assert.AreEqual("Success", result.Result.ToString()); @@ -47,14 +68,14 @@ public void BindingNewCertificate() public void AddCertificate() { - string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; - string password = "8zWwF36N6cNu"; + //string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; + //string password = "8zWwF36N6cNu"; Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); rs.Open(); ClientPSCertStoreManager certStoreManager = new ClientPSCertStoreManager(rs); - JobResult result = certStoreManager.ImportPFXFile(certPath, password, "", "My"); + JobResult result = certStoreManager.ImportPFXFile(pfxPath, certPassword, "", "My"); rs.Close(); Assert.AreEqual("Success", result.Result.ToString()); @@ -83,12 +104,46 @@ public void OrigSNIFlagZeroReturnsZero() } [TestMethod] - public void InvalidSNIFlagZeroThrowException() + [ExpectedException(typeof(ArgumentOutOfRangeException))] + public void InvalidSNIFlagThrowException() { - string expectedResult = "32"; - string result = ClientPSIIManager.MigrateSNIFlag("32"); - Assert.AreEqual(expectedResult, result); + string result = ClientPSIIManager.MigrateSNIFlag("Bad value"); } + static bool TestValidSslFlag(int sslFlag) + { + try + { + using (ServerManager serverManager = new ServerManager()) + { + // Loop through all sites in IIS + foreach (Microsoft.Web.Administration.Site site in serverManager.Sites) + { + // Loop through all bindings for each site + foreach (Binding binding in site.Bindings) + { + // Check if the binding uses the HTTPS protocol + if (binding.Protocol == "https") + { + // Get the SslFlags value (stored in binding.Attributes) + int currentSslFlags = (int)binding.Attributes["sslFlags"].Value; + + // Check if the SslFlag value matches the provided one + if (currentSslFlags == sslFlag) + { + return true; // Valid SslFlag found + } + } + } + } + } + } + catch (Exception ex) + { + Console.WriteLine("Error: " + ex.Message); + } + + return false; // No matching SslFlag found + } } } \ No newline at end of file diff --git a/WinCertUnitTests/WinCertUnitTests.csproj b/WinCertUnitTests/WinCertUnitTests.csproj index 3890ded..17f1bd0 100644 --- a/WinCertUnitTests/WinCertUnitTests.csproj +++ b/WinCertUnitTests/WinCertUnitTests.csproj @@ -1,7 +1,7 @@ - + - net8.0 + net6.0 enable enable @@ -13,6 +13,7 @@ + @@ -25,10 +26,4 @@ - - - Always - - - From cdf081540b2a27db72afa98d1ec3e8e1805766e2 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Mon, 16 Sep 2024 11:22:25 -0500 Subject: [PATCH 07/26] Cleaned up some code and added unit test. --- IISU/CertificateStoreException.cs | 2 +- IISU/ClientPSIIManager.cs | 226 +++++++++++++++++++++-- IISU/WindowsCertStore.csproj | 2 +- WinCertUnitTests/UnitTestIISBinding.cs | 53 +++++- WinCertUnitTests/WinCertUnitTests.csproj | 2 +- 5 files changed, 264 insertions(+), 21 deletions(-) diff --git a/IISU/CertificateStoreException.cs b/IISU/CertificateStoreException.cs index b510548..f207566 100644 --- a/IISU/CertificateStoreException.cs +++ b/IISU/CertificateStoreException.cs @@ -18,7 +18,7 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { [Serializable] - internal class CertificateStoreException : Exception + public class CertificateStoreException : Exception { public CertificateStoreException() { diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index a2adde5..8604b1f 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -20,16 +20,10 @@ using System; using System.Collections.Generic; using System.Collections.ObjectModel; -using System.IO; using System.Linq; using System.Management.Automation; -using System.Management.Automation.Language; using System.Management.Automation.Runspaces; -using System.Net; using System.Security.Cryptography.X509Certificates; -using System.Text; -using System.Text.RegularExpressions; -using System.Web.Services.Description; namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore { @@ -229,7 +223,14 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) ? error.Exception.Message : error.ToString()) + Environment.NewLine); - string oops = $"PowerShell Error on Site {bindingSiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {psError}"; + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + + string oops = $"PowerShell Error on Site {bindingSiteName} on {computerName}: {psError}"; bindingSiteErrorMessage.Add(oops); hadPSError = true; @@ -242,7 +243,14 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) } catch (Exception e) { - string oops = $"Application Exception on Site {bindingSiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {e.Message}"; + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + + string oops = $"Application Exception on Site {bindingSiteName} on {computerName}: {e.Message}"; bindingSiteErrorMessage.Add(oops); hadPSError = true; @@ -298,18 +306,32 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) } catch (Exception e) { - errorMessage = $"Binding attempt failed on Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName}, Application error: {e.Message}"; + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + + errorMessage = $"Binding attempt failed on Site {SiteName} on {computerName}, Application error: {e.Message}"; hadError = true; _logger.LogTrace(errorMessage); } if (hadError) { + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = JobHistoryID, - FailureMessage = $"Binding attempt failed on Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName}: {errorMessage}" + FailureMessage = $"Binding attempt failed on Site {SiteName} on {computerName}: {errorMessage}" }; } else @@ -342,6 +364,81 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) public JobResult UnBindCertificate() { +#if NET8_0_OR_GREATER + bool hadError = false; + string errorMessage = string.Empty; + + try + { + _logger.MethodEntry(); + + _runSpace.Open(); + ps = PowerShell.Create(); + ps.Runspace = _runSpace; + + Collection results = (Collection)PerformIISUnBinding(SiteName, Protocol, IPAddress, Port, HostName); + + if (ps.HadErrors) + { + var psError = ps.Streams.Error.ReadAll() + .Aggregate(string.Empty, (current, error) => + current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) + ? error.ErrorDetails.Message + : error.Exception != null + ? error.Exception.Message + : error.ToString()) + Environment.NewLine); + + errorMessage = psError; + hadError = true; + + } + } + catch (Exception e) + { + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + + errorMessage = $"Binding attempt failed on Site {SiteName} on {computerName}, Application error: {e.Message}"; + hadError = true; + _logger.LogTrace(errorMessage); + } + finally + { + _runSpace.Close(); + ps.Runspace.Close(); + ps.Dispose(); + } + + if (hadError) + { + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = JobHistoryID, + FailureMessage = $"Binding attempt failed on Site {SiteName} on {computerName}: {errorMessage}" + }; + } + else + { + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Success, + JobHistoryId = JobHistoryID, + FailureMessage = "" + }; + } +#endif try { _logger.MethodEntry(); @@ -371,12 +468,20 @@ public JobResult UnBindCertificate() if (foundBindings.Count == 0) { _logger.LogTrace($"{foundBindings.Count} Bindings Found..."); + + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = JobHistoryID, FailureMessage = - $"Site {Protocol} binding for Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName} not found." + $"Site {Protocol} binding for Site {SiteName} on {computerName} not found." }; } @@ -418,12 +523,20 @@ public JobResult UnBindCertificate() { _logger.LogTrace("PowerShell Had Errors"); var psError = ps.Streams.Error.ReadAll().Aggregate(String.Empty, (current, error) => current + error.ErrorDetails.Message); + + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + return new JobResult { Result = OrchestratorJobStatusJobResult.Failure, JobHistoryId = JobHistoryID, FailureMessage = - $"Failed to remove {Protocol} binding for Site {SiteName} on server {_runSpace.ConnectionInfo.ComputerName} not found, error {psError}" + $"Failed to remove {Protocol} binding for Site {SiteName} on {computerName} not found, error {psError}" }; } } @@ -438,7 +551,14 @@ public JobResult UnBindCertificate() } catch (Exception ex) { - var failureMessage = $"Unbinding for Site '{StorePath}' on server '{_runSpace.ConnectionInfo.ComputerName}' with error: '{LogHandler.FlattenException(ex)}'"; + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) + { + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } + + var failureMessage = $"Unbinding for Site '{StorePath}' on {computerName} with error: {LogHandler.FlattenException(ex)}"; _logger.LogWarning(failureMessage); return new JobResult @@ -456,6 +576,84 @@ public JobResult UnBindCertificate() } } + /// + /// + /// + /// + /// + /// + /// + /// + /// + /// + /// + /// + private object PerformIISUnBinding(string webSiteName, string protocol, string ipAddress, string port, string hostName) + { + string funcScript = @" + param ( + [string]$SiteName, # Name of the site + [string]$IPAddress, # IP Address of the binding + [string]$Port, # Port number of the binding + [string]$Hostname, # Hostname (optional) + [string]$Protocol = ""https"" # Protocol (default to """"https"""") + ) + + # Set Execution Policy (optional, depending on your environment) + Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force + + # Check if the IISAdministration module is already loaded + if (-not (Get-Module -Name IISAdministration)) { + try { + # Attempt to import the IISAdministration module + Import-Module IISAdministration -ErrorAction Stop + } + catch { + throw ""Failed to load the IISAdministration module. Ensure it is installed and available."" + } + } + + try { + # Get the bindings for the specified site + $bindings = Get-IISSiteBinding -Name $SiteName + + # Check if any bindings match the specified criteria + $matchingBindings = $bindings | Where-Object { + ($_.bindingInformation -eq ""${IPAddress}:${Port}:${Hostname}"") -and + ($_.protocol -eq $Protocol) + } + + if ($matchingBindings) { + # Unbind the matching certificates + foreach ($binding in $matchingBindings) { + Write-Host """"Removing binding: $($binding.bindingInformation) with protocol: $($binding.protocol)"""" + Write-Host """"Binding information: + Remove-IISSiteBinding -Name $SiteName -BindingInformation $binding.bindingInformation -Protocol $binding.protocol -confirm:$false + } + Write-Host """"Successfully removed the matching bindings from the site: $SiteName"""" + } else { + Write-Host """"No matching bindings found for site: $SiteName"""" + } + } + catch { + throw ""An error occurred while unbinding the certificate from site ${SiteName}: $_"" + } + "; + + ps.AddScript(funcScript); + ps.AddParameter("SiteName", webSiteName); + ps.AddParameter("IPAddress", ipAddress); + ps.AddParameter("Port", port); + ps.AddParameter("Hostname", hostName); + ps.AddParameter("Protocol", protocol); + + _logger.LogTrace("funcScript added..."); + var results = ps.Invoke(); + _logger.LogTrace("funcScript Invoked..."); + + return results; + } + /// /// /// @@ -486,7 +684,7 @@ private object PerformIISBinding(string webSiteName, string protocol, string ipA Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force # Check if the IISAdministration module is available - $module = Get-Module -Name IISAdministration -ListAvailable + #$module = Get-Module -Name IISAdministration -ListAvailable #if (-not $module) { #throw ""The IISAdministration module is not installed on this system."" diff --git a/IISU/WindowsCertStore.csproj b/IISU/WindowsCertStore.csproj index 9ba8bbf..e49e4d6 100644 --- a/IISU/WindowsCertStore.csproj +++ b/IISU/WindowsCertStore.csproj @@ -3,7 +3,7 @@ Keyfactor.Extensions.Orchestrator.WindowsCertStore true - net6.0;net8.0 + NET8.0 AnyCPU diff --git a/WinCertUnitTests/UnitTestIISBinding.cs b/WinCertUnitTests/UnitTestIISBinding.cs index 4c76080..c6d0b18 100644 --- a/WinCertUnitTests/UnitTestIISBinding.cs +++ b/WinCertUnitTests/UnitTestIISBinding.cs @@ -47,6 +47,21 @@ public void RenewBindingCertificate() Assert.AreEqual("Success", result.Result.ToString()); } + [TestMethod] + public void UnBindCertificate() + { + X509Certificate2 cert = new X509Certificate2(pfxPath, certPassword); + + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); + BindingNewCertificate(); + + string sslFlag = "0"; + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", sslFlag); + JobResult result = IIS.UnBindCertificate(); + + Assert.AreEqual("Success", result.Result.ToString()); + } + [TestMethod] public void BindingNewCertificate() { @@ -56,7 +71,7 @@ public void BindingNewCertificate() Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); - string sslFlag = "32"; + string sslFlag = "0"; ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", sslFlag); JobResult result = IIS.BindCertificate(cert); @@ -65,12 +80,23 @@ public void BindingNewCertificate() } [TestMethod] - public void AddCertificate() + public void BindingNewCertificateBadSslFlag() { + X509Certificate2 cert = new X509Certificate2(pfxPath, certPassword); + + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); - //string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; - //string password = "8zWwF36N6cNu"; + string sslFlag = "909"; // known bad value + ClientPSIIManager IIS = new ClientPSIIManager(rs, "Default Web Site", "https", "*", "443", "", "", "My", sslFlag); + JobResult result = IIS.BindCertificate(cert); + + Assert.AreEqual("Failure", result.Result.ToString()); + } + + [TestMethod] + public void AddCertificate() + { Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); rs.Open(); @@ -81,6 +107,25 @@ public void AddCertificate() Assert.AreEqual("Success", result.Result.ToString()); } + [TestMethod] + public void RemoveCertificate() + { + Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); + rs.Open(); + + ClientPSCertStoreManager certStoreManager = new ClientPSCertStoreManager(rs); + try + { + certStoreManager.RemoveCertificate("0a3f880aa17c03ef2c75493497d89756cfafa165", "My"); + Assert.IsTrue(true, "Certificate was successfully removed."); + } + catch (Exception e) + { + Assert.IsFalse(false, e.Message); + } + rs.Close(); + } + [TestMethod] public void GetBoundCertificates() diff --git a/WinCertUnitTests/WinCertUnitTests.csproj b/WinCertUnitTests/WinCertUnitTests.csproj index 17f1bd0..a695663 100644 --- a/WinCertUnitTests/WinCertUnitTests.csproj +++ b/WinCertUnitTests/WinCertUnitTests.csproj @@ -1,7 +1,7 @@  - net6.0 + net8.0 enable enable From 2767e440f6a372b370e25c009a2559e3904a0767 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Fri, 20 Sep 2024 19:16:06 -0500 Subject: [PATCH 08/26] Updated code to reflect issues while testing. --- CHANGELOG.md | 3 + IISU/ClientPSIIManager.cs | 179 ++++++++++-------- IISU/ClientPsSqlManager.cs | 2 +- IISU/ImplementedStoreTypes/Win/Management.cs | 9 +- .../WinIIS/Management.cs | 9 +- .../WinSQL/Management.cs | 9 +- IISU/JobConfigurationParser.cs | 124 ++++++++---- IISU/PSHelper.cs | 14 +- IISU/Scripts/PowerShellScripts.cs | 140 ++++++++++++++ IISU/WindowsCertStore.csproj | 2 +- WinCertUnitTests/UnitTestIISBinding.cs | 4 - WinCertUnitTests/WinCertUnitTests.csproj | 2 +- 12 files changed, 364 insertions(+), 133 deletions(-) create mode 100644 IISU/Scripts/PowerShellScripts.cs diff --git a/CHANGELOG.md b/CHANGELOG.md index 2cca8d0..4a63b26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ * Added the Bindings to the end of the thumbprint to make the alias unique. * Using new IISWebBindings commandlet to use additional SSL flags when binding certificate to website. * Added multi-platform support for .Net6 and .Net8. +* Updated various PowerShell scripts to handle both .Net6 and .Net8 differences (specifically the absense of the WebAdministration module in PS SDK 7.4.x+) +* Fixed issue to update multiple websites when using the same cert. +* Removed renewal thumbprint logic to update multiple website; each job now updates its own specific certificate. 2.4.4 * Fix an issue with WinRM parameters when migrating Legacy IIS Stores to the WinCert type diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index 8604b1f..e7e3955 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -12,6 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. +using Keyfactor.Extensions.Orchestrator.WindowsCertStore.Scripts; using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; @@ -120,6 +121,7 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam try { + _logger.LogTrace("Setting Job Properties"); SiteName = config.JobProperties["SiteName"].ToString(); Port = config.JobProperties["Port"].ToString(); HostName = config.JobProperties["HostName"]?.ToString(); @@ -131,6 +133,7 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam RenewalThumbprint = ""; // A reenrollment will always be empty CertContents = ""; // Not needed for a reenrollment + _logger.LogTrace("Certificate details"); ClientMachineName = config.CertificateStoreDetails.ClientMachine; StorePath = config.CertificateStoreDetails.StorePath; @@ -142,8 +145,11 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam _logger.LogTrace($"Found Thumbprint Will Renew all Certs with this thumbprint: {RenewalThumbprint}"); } + // Establish PowerShell Runspace var jobProperties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); + _logger.LogTrace($"Job properties value: {jobProperties}"); + string winRmProtocol = jobProperties.WinRmProtocol; string winRmPort = jobProperties.WinRmPort; bool includePortInSPN = jobProperties.SpnPortFlag; @@ -153,7 +159,7 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam } catch (Exception e) { - throw new Exception($"Error when initiating an IIS ReEnrollment Job: {e.Message}", e.InnerException); + throw new Exception($"Error when initiating an IIS Management Job: {e.Message}", e.InnerException); } } @@ -202,7 +208,7 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) var bindingSniFlg = binding.Properties["sniFlg"]?.Value?.ToString(); _logger.LogTrace( - $"bindingSiteName: {bindingSiteName}, bindingIpAddress: {bindingIpAddress}, bindingPort: {bindingPort}, bindingHostName: {bindingHostName}, bindingProtocol: {bindingProtocol}, bindingThumbprint: {bindingThumbprint}, bindingSniFlg: {bindingSniFlg}"); + $"bindingSiteName: {bindingSiteName}, bindingIpAddress: {bindingIpAddress}, bindingPort: {bindingPort}, bindingHostName: {bindingHostName}, bindingProtocol: {bindingProtocol}, bindingThumbprint: {x509Cert.Thumbprint}, bindingSniFlg: {bindingSniFlg}"); //if the thumbprint of the renewal request matches the thumbprint of the cert in IIS, then renew it if (RenewalThumbprint == bindingThumbprint) @@ -210,7 +216,7 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) _logger.LogTrace($"Thumbprint Match {RenewalThumbprint}={bindingThumbprint}"); try { - Collection results = (Collection)PerformIISBinding(bindingSiteName, bindingProtocol, bindingIpAddress, bindingPort, bindingHostName, bindingSniFlg, bindingThumbprint, StorePath); + Collection results = (Collection)PerformIISBinding(bindingSiteName, bindingProtocol, bindingIpAddress, bindingPort, bindingHostName, bindingSniFlg, x509Cert.Thumbprint, StorePath); // Check if PowerShell had any errors for this binding if (ps.HadErrors) @@ -478,10 +484,10 @@ public JobResult UnBindCertificate() return new JobResult { - Result = OrchestratorJobStatusJobResult.Failure, + Result = OrchestratorJobStatusJobResult.Success, JobHistoryId = JobHistoryID, FailureMessage = - $"Site {Protocol} binding for Site {SiteName} on {computerName} not found." + $"No bindings we found for Site {SiteName} on {computerName}." }; } @@ -492,17 +498,15 @@ public JobResult UnBindCertificate() _logger.LogTrace(cmd.CommandText); } - ps.Commands.Clear(); - _logger.LogTrace("Cleared Commands"); - - ps.AddCommand("Import-Module") - .AddParameter("Name", "WebAdministration") - .AddStatement(); - - _logger.LogTrace("Imported WebAdministration Module"); foreach (var binding in foundBindings) { + ps.AddCommand("Import-Module") + .AddParameter("Name", "WebAdministration") + .AddStatement(); + + _logger.LogTrace("Imported WebAdministration Module"); + ps.AddCommand("Remove-WebBinding") .AddParameter("Name", SiteName) .AddParameter("BindingInformation", @@ -523,6 +527,13 @@ public JobResult UnBindCertificate() { _logger.LogTrace("PowerShell Had Errors"); var psError = ps.Streams.Error.ReadAll().Aggregate(String.Empty, (current, error) => current + error.ErrorDetails.Message); + //var psError = ps.Streams.Error.ReadAll() + // .Aggregate(string.Empty, (current, error) => + // current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) + // ? error.ErrorDetails.Message + // : error.Exception != null + // ? error.Exception.Message + // : error.ToString()) + Environment.NewLine); string computerName = string.Empty; if (_runSpace.ConnectionInfo is null) @@ -539,6 +550,7 @@ public JobResult UnBindCertificate() $"Failed to remove {Protocol} binding for Site {SiteName} on {computerName} not found, error {psError}" }; } + ps.Commands.Clear(); } return new JobResult @@ -668,73 +680,78 @@ private object PerformIISUnBinding(string webSiteName, string protocol, string i /// private object PerformIISBinding(string webSiteName, string protocol, string ipAddress, string port, string hostName, string sslFlags, string thumbprint, string storeName) { - string funcScript = @" - param ( - $SiteName, # The name of the IIS site - $IPAddress, # The IP Address for the binding - $Port, # The port number for the binding - $Hostname, # Hostname for the binding (if any) - $Protocol, # Protocol (e.g., HTTP, HTTPS) - $Thumbprint, # Certificate thumbprint for HTTPS bindings - $StoreName, # Certificate store location (e.g., ""My"" for personal certs) - $SslFlags # SSL flags (if any) - ) - - # Set Execution Policy (optional, depending on your environment) - Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force - - # Check if the IISAdministration module is available - #$module = Get-Module -Name IISAdministration -ListAvailable - - #if (-not $module) { - #throw ""The IISAdministration module is not installed on this system."" - #} - - # Check if the IISAdministration module is already loaded - if (-not (Get-Module -Name IISAdministration)) { - try { - # Attempt to import the IISAdministration module - Import-Module IISAdministration -ErrorAction Stop - } - catch { - throw ""Failed to load the IISAdministration module. Ensure it is installed and available."" - } - } - - # Retrieve the existing binding information - $myBinding = ""${IPAddress}:${Port}:${Hostname}"" - Write-Host ""myBinding: "" $myBinding - - $siteBindings = Get-IISSiteBinding -Name $SiteName - $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } - - Write-Host ""Binding:"" $existingBinding - - if ($null -ne $existingBinding) { - # Remove the existing binding - Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false - - Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" - } - - # Create the new binding with modified properties - $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" - - try - { - New-IISSiteBinding -Name $SiteName ` - -BindingInformation $newBindingInfo ` - -Protocol $Protocol ` - -CertificateThumbprint $Thumbprint ` - -CertStoreLocation $StoreName ` - -SslFlag $SslFlags - - Write-Host ""New binding added: $newBindingInfo"" - } - catch { - throw $_ - } - "; + //string funcScript = @" + // param ( + // $SiteName, # The name of the IIS site + // $IPAddress, # The IP Address for the binding + // $Port, # The port number for the binding + // $Hostname, # Hostname for the binding (if any) + // $Protocol, # Protocol (e.g., HTTP, HTTPS) + // $Thumbprint, # Certificate thumbprint for HTTPS bindings + // $StoreName, # Certificate store location (e.g., ""My"" for personal certs) + // $SslFlags # SSL flags (if any) + // ) + + // # Set Execution Policy (optional, depending on your environment) + // Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force + + // ## Check if the IISAdministration module is available + // #$module = Get-Module -Name IISAdministration -ListAvailable + + // #if (-not $module) { + // # throw ""The IISAdministration module is not installed on this system."" + // #} + + // # Check if the IISAdministration module is already loaded + // if (-not (Get-Module -Name IISAdministration)) { + // try { + // # Attempt to import the IISAdministration module + // Import-Module IISAdministration -ErrorAction Stop + // } + // catch { + // throw ""Failed to load the IISAdministration module. Ensure it is installed and available."" + // } + // } + + // # Retrieve the existing binding information + // $myBinding = ""${IPAddress}:${Port}:${Hostname}"" + // Write-Host ""myBinding: "" $myBinding + + // $siteBindings = Get-IISSiteBinding -Name $SiteName + // $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } + + // Write-Host ""Binding:"" $existingBinding + + // if ($null -ne $existingBinding) { + // # Remove the existing binding + // Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false + + // Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" + // } + + // # Create the new binding with modified properties + // $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" + + // try + // { + // New-IISSiteBinding -Name $SiteName ` + // -BindingInformation $newBindingInfo ` + // -Protocol $Protocol ` + // -CertificateThumbprint $Thumbprint ` + // -CertStoreLocation $StoreName ` + // -SslFlag $SslFlags + + // Write-Host ""New binding added: $newBindingInfo"" + // } + // catch { + // throw $_ + // } + //"; +#if NET6_0 + string funcScript = PowerShellScripts.UpdateIISBindingsV6; +#elif NET8_0_OR_GREATER + string funcScript = PowerShellScripts.UpdateIISBindingsV8; +#endif ps.AddScript(funcScript); ps.AddParameter("SiteName", webSiteName); @@ -761,6 +778,8 @@ public static string MigrateSNIFlag(string input) return numericValue.ToString(); } + if (string.IsNullOrEmpty(input)) { throw new ArgumentNullException("SNI/SSL Flag", "The SNI or SSL Flag flag must not be empty or null."); } + // Handle the string cases switch (input.ToLower()) { diff --git a/IISU/ClientPsSqlManager.cs b/IISU/ClientPsSqlManager.cs index b36084f..a98d8b0 100644 --- a/IISU/ClientPsSqlManager.cs +++ b/IISU/ClientPsSqlManager.cs @@ -216,7 +216,7 @@ public string GetSqlInstanceValue(string instanceName,PowerShell ps) } return null; } - catch (ArgumentOutOfRangeException ex) + catch (ArgumentOutOfRangeException) { throw new Exception($"There were no SQL instances with the name: {instanceName}. Please check the spelling of the SQL instance."); } diff --git a/IISU/ImplementedStoreTypes/Win/Management.cs b/IISU/ImplementedStoreTypes/Win/Management.cs index f251c7f..d0c2b70 100644 --- a/IISU/ImplementedStoreTypes/Win/Management.cs +++ b/IISU/ImplementedStoreTypes/Win/Management.cs @@ -51,7 +51,14 @@ public JobResult ProcessJob(ManagementJobConfiguration config) _logger = LogHandler.GetClassLogger(); _logger.MethodEntry(); - _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + try + { + _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + } + catch (Exception e) + { + _logger.LogTrace(e.Message); + } string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); diff --git a/IISU/ImplementedStoreTypes/WinIIS/Management.cs b/IISU/ImplementedStoreTypes/WinIIS/Management.cs index 09877c3..c916827 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/Management.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/Management.cs @@ -48,7 +48,14 @@ public JobResult ProcessJob(ManagementJobConfiguration config) _logger = LogHandler.GetClassLogger(); _logger.MethodEntry(); - _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + try + { + _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + } + catch (Exception e) + { + _logger.LogTrace(e.Message); + } string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); diff --git a/IISU/ImplementedStoreTypes/WinSQL/Management.cs b/IISU/ImplementedStoreTypes/WinSQL/Management.cs index f13f7e5..7957146 100644 --- a/IISU/ImplementedStoreTypes/WinSQL/Management.cs +++ b/IISU/ImplementedStoreTypes/WinSQL/Management.cs @@ -47,7 +47,14 @@ public JobResult ProcessJob(ManagementJobConfiguration config) _logger = LogHandler.GetClassLogger(); _logger.MethodEntry(); - _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + try + { + _logger.LogTrace(JobConfigurationParser.ParseManagementJobConfiguration(config)); + } + catch (Exception e) + { + _logger.LogTrace(e.Message); + } string serverUserName = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server UserName", config.ServerUsername); string serverPassword = PAMUtilities.ResolvePAMField(_resolver, _logger, "Server Password", config.ServerPassword); diff --git a/IISU/JobConfigurationParser.cs b/IISU/JobConfigurationParser.cs index ca0ffd7..4d64749 100644 --- a/IISU/JobConfigurationParser.cs +++ b/IISU/JobConfigurationParser.cs @@ -33,54 +33,98 @@ public static string ParseManagementJobConfiguration(ManagementJobConfiguration IManagementJobLogger managementParser = new ManagementJobLogger(); - // JobConfiguration - managementParser.JobCancelled = config.JobCancelled; - managementParser.ServerError = config.ServerError; - managementParser.JobHistoryID = config.JobHistoryId; - managementParser.RequestStatus = config.RequestStatus; - managementParser.ServerUserName = config.ServerUsername; - managementParser.ServerPassword = "**********"; - managementParser.UseSSL = config.UseSSL; - managementParser.JobTypeID = config.JobTypeId; - managementParser.JobID = config.JobId; - managementParser.Capability = config.Capability; + try + { + // JobConfiguration + managementParser.JobCancelled = config.JobCancelled; + managementParser.ServerError = config.ServerError; + managementParser.JobHistoryID = config.JobHistoryId; + managementParser.RequestStatus = config.RequestStatus; + managementParser.ServerUserName = config.ServerUsername; + managementParser.ServerPassword = "**********"; + managementParser.UseSSL = config.UseSSL; + managementParser.JobTypeID = config.JobTypeId; + managementParser.JobID = config.JobId; + managementParser.Capability = config.Capability; - // JobProperties - JobProperties jobProperties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); - managementParser.JobConfigurationProperties = jobProperties; + } + catch (Exception e) + { + throw new Exception($"Error while paring management Job Configuration: {e.Message}"); + } - // PreviousInventoryItem - managementParser.LastInventory = config.LastInventory; + + try + { + // JobProperties + JobProperties jobProperties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); + managementParser.JobConfigurationProperties = jobProperties; + } + catch (Exception e) + { + throw new Exception($"Error while parsing management Job Properties: {e.Message}"); + } - //CertificateStore - managementParser.CertificateStoreDetails.ClientMachine = config.CertificateStoreDetails.ClientMachine; - managementParser.CertificateStoreDetails.StorePath = config.CertificateStoreDetails.StorePath; - managementParser.CertificateStoreDetails.StorePassword = "**********"; - managementParser.CertificateStoreDetails.Type = config.CertificateStoreDetails.Type; + try + { + // PreviousInventoryItem + managementParser.LastInventory = config.LastInventory; + } + catch (Exception e) + { + throw new Exception($"Error while parsing Previous Inventory Item: {e.Message}"); + } - bool isEmpty = (config.JobProperties.Count == 0); // Check if the dictionary is empty or not - if (!isEmpty) + try { - object value = ""; - if (config.JobProperties.TryGetValue("SiteName", out value)) managementParser.CertificateStoreDetailProperties.SiteName = config.JobProperties["SiteName"].ToString(); - if (config.JobProperties.TryGetValue("Port", out value)) managementParser.CertificateStoreDetailProperties.Port = config.JobProperties["Port"].ToString(); - if (config.JobProperties.TryGetValue("HostName", out value)) managementParser.CertificateStoreDetailProperties.HostName = config.JobProperties["HostName"]?.ToString(); - if (config.JobProperties.TryGetValue("Protocol", out value)) managementParser.CertificateStoreDetailProperties.Protocol = config.JobProperties["Protocol"].ToString(); - if (config.JobProperties.TryGetValue("SniFlag", out value)) managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString(); - if (config.JobProperties.TryGetValue("IPAddress", out value)) managementParser.CertificateStoreDetailProperties.IPAddress = config.JobProperties["IPAddress"].ToString(); - if (config.JobProperties.TryGetValue("ProviderName", out value)) managementParser.CertificateStoreDetailProperties.ProviderName = config.JobProperties["ProviderName"]?.ToString(); - if (config.JobProperties.TryGetValue("SAN", out value)) managementParser.CertificateStoreDetailProperties.SAN = config.JobProperties["SAN"]?.ToString(); + //CertificateStore + managementParser.CertificateStoreDetails.ClientMachine = config.CertificateStoreDetails.ClientMachine; + managementParser.CertificateStoreDetails.StorePath = config.CertificateStoreDetails.StorePath; + managementParser.CertificateStoreDetails.StorePassword = "**********"; + managementParser.CertificateStoreDetails.Type = config.CertificateStoreDetails.Type; + + bool isEmpty = (config.JobProperties.Count == 0); // Check if the dictionary is empty or not + if (!isEmpty) + { + object value = ""; + if (config.JobProperties.TryGetValue("SiteName", out value)) managementParser.CertificateStoreDetailProperties.SiteName = config.JobProperties["SiteName"].ToString(); + if (config.JobProperties.TryGetValue("Port", out value)) managementParser.CertificateStoreDetailProperties.Port = config.JobProperties["Port"].ToString(); + if (config.JobProperties.TryGetValue("HostName", out value)) managementParser.CertificateStoreDetailProperties.HostName = config.JobProperties["HostName"]?.ToString(); + if (config.JobProperties.TryGetValue("Protocol", out value)) managementParser.CertificateStoreDetailProperties.Protocol = config.JobProperties["Protocol"].ToString(); + if (config.JobProperties.TryGetValue("SniFlag", out value)) managementParser.CertificateStoreDetailProperties.SniFlag = config.JobProperties["SniFlag"].ToString(); + if (config.JobProperties.TryGetValue("IPAddress", out value)) managementParser.CertificateStoreDetailProperties.IPAddress = config.JobProperties["IPAddress"].ToString(); + if (config.JobProperties.TryGetValue("ProviderName", out value)) managementParser.CertificateStoreDetailProperties.ProviderName = config.JobProperties["ProviderName"]?.ToString(); + if (config.JobProperties.TryGetValue("SAN", out value)) managementParser.CertificateStoreDetailProperties.SAN = config.JobProperties["SAN"]?.ToString(); + } + } + catch (Exception e) + { + throw new Exception($"Error while parsing Certificate Store: {e.Message}"); } - // Management Base - managementParser.OperationType = config.OperationType; - managementParser.Overwrite = config.Overwrite; + try + { + // Management Base + managementParser.OperationType = config.OperationType; + managementParser.Overwrite = config.Overwrite; + } + catch (Exception e) + { + throw new Exception($"Error while parsing Management Base: {e.Message}"); + } - // JobCertificate - managementParser.JobCertificateProperties.Thumbprint = config.JobCertificate.Thumbprint; - managementParser.JobCertificateProperties.Contents = config.JobCertificate.Contents; - managementParser.JobCertificateProperties.Alias = config.JobCertificate.Alias; - managementParser.JobCertificateProperties.PrivateKeyPassword = "**********"; + try + { + // JobCertificate + managementParser.JobCertificateProperties.Thumbprint = config.JobCertificate.Thumbprint; + managementParser.JobCertificateProperties.Contents = config.JobCertificate.Contents; + managementParser.JobCertificateProperties.Alias = config.JobCertificate.Alias; + managementParser.JobCertificateProperties.PrivateKeyPassword = "**********"; + } + catch (Exception e) + { + throw new Exception($"Error while parsing Job Certificate: {e.Message}"); + } return JsonConvert.SerializeObject(managementParser); } diff --git a/IISU/PSHelper.cs b/IISU/PSHelper.cs index 4a44bd2..e1016f6 100644 --- a/IISU/PSHelper.cs +++ b/IISU/PSHelper.cs @@ -53,11 +53,19 @@ public static Runspace GetClientPsRunspace(string winRmProtocol, string clientMa #if NET6_0 PowerShellProcessInstance instance = new PowerShellProcessInstance(new Version(5, 1), null, null, false); Runspace rs = RunspaceFactory.CreateOutOfProcessRunspace(new TypeTable(Array.Empty()), instance); + return rs; #elif NET8_0_OR_GREATER - InitialSessionState iss = InitialSessionState.CreateDefault(); - Runspace rs = RunspaceFactory.CreateRunspace(iss); + try + { + InitialSessionState iss = InitialSessionState.CreateDefault(); + Runspace rs = RunspaceFactory.CreateRunspace(iss); + return rs; + } + catch (global::System.Exception) + { + throw new Exception($"An error occurred while attempting to create the PowerShell instance. This version requires .Net8 and PowerShell SDK 7.2 or greater. Please verify the version of .Net8 and PowerShell installed on your machine."); + } #endif - return rs; } else { diff --git a/IISU/Scripts/PowerShellScripts.cs b/IISU/Scripts/PowerShellScripts.cs new file mode 100644 index 0000000..3da10e3 --- /dev/null +++ b/IISU/Scripts/PowerShellScripts.cs @@ -0,0 +1,140 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; + +namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.Scripts +{ + public class PowerShellScripts + { + public const string UpdateIISBindingsV6 = @" + param ( + $SiteName, # The name of the IIS site + $IPAddress, # The IP Address for the binding + $Port, # The port number for the binding + $Hostname, # Hostname for the binding (if any) + $Protocol, # Protocol (e.g., HTTP, HTTPS) + $Thumbprint, # Certificate thumbprint for HTTPS bindings + $StoreName, # Certificate store location (e.g., ""My"" for personal certs) + $SslFlags # SSL flags (if any) + ) + + # Set Execution Policy (optional, depending on your environment) + Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force + + # Check if the WebAdministration module is available + $module = Get-Module -Name WebAdministration -ListAvailable + + if (-not $module) { + throw ""The WebAdministration module is not installed on this system."" + } + + # Check if the WebAdministration module is already loaded + if (-not (Get-Module -Name WebAdministration)) { + try { + # Attempt to import the WebAdministration module + Import-Module WebAdministration -ErrorAction Stop + } + catch { + throw ""Failed to load the WebAdministration module. Ensure it is installed and available."" + } + } + + # Retrieve the existing binding information + $myBinding = ""${IPAddress}:${Port}:${Hostname}"" + Write-Host ""myBinding: "" $myBinding + + $siteBindings = Get-IISSiteBinding -Name $SiteName + $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } + + Write-Host ""Binding:"" $existingBinding + + if ($null -ne $existingBinding) { + # Remove the existing binding + Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false + + Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" + } + + # Create the new binding with modified properties + $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" + + New-IISSiteBinding -Name $SiteName ` + -BindingInformation $newBindingInfo ` + -Protocol $Protocol ` + -CertificateThumbprint $Thumbprint ` + -CertStoreLocation $StoreName ` + -SslFlag $SslFlags + + Write-Host ""New binding added: $newBindingInfo"""; + + public const string UpdateIISBindingsV8 = @" + param ( + $SiteName, # The name of the IIS site + $IPAddress, # The IP Address for the binding + $Port, # The port number for the binding + $Hostname, # Hostname for the binding (if any) + $Protocol, # Protocol (e.g., HTTP, HTTPS) + $Thumbprint, # Certificate thumbprint for HTTPS bindings + $StoreName, # Certificate store location (e.g., ""My"" for personal certs) + $SslFlags # SSL flags (if any) + ) + + # Set Execution Policy (optional, depending on your environment) + Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force + + ## Check if the IISAdministration module is available + #$module = Get-Module -Name IISAdministration -ListAvailable + + #if (-not $module) { + # throw ""The IISAdministration module is not installed on this system."" + #} + + # Check if the IISAdministration module is already loaded + if (-not (Get-Module -Name IISAdministration)) { + try { + # Attempt to import the IISAdministration module + Import-Module IISAdministration -ErrorAction Stop + } + catch { + throw ""Failed to load the IISAdministration module. Ensure it is installed and available."" + } + } + + # Retrieve the existing binding information + $myBinding = ""${IPAddress}:${Port}:${Hostname}"" + Write-Host ""myBinding: "" $myBinding + + $siteBindings = Get-IISSiteBinding -Name $SiteName + $existingBinding = $siteBindings | Where-Object { $_.bindingInformation -eq $myBinding -and $_.protocol -eq $Protocol } + + Write-Host ""Binding:"" $existingBinding + + if ($null -ne $existingBinding) { + # Remove the existing binding + Remove-IISSiteBinding -Name $SiteName -BindingInformation $existingBinding.BindingInformation -Protocol $existingBinding.Protocol -Confirm:$false + + Write-Host ""Removed existing binding: $($existingBinding.BindingInformation)"" + } + + # Create the new binding with modified properties + $newBindingInfo = ""${IPAddress}:${Port}:${Hostname}"" + + try + { + New-IISSiteBinding -Name $SiteName ` + -BindingInformation $newBindingInfo ` + -Protocol $Protocol ` + -CertificateThumbprint $Thumbprint ` + -CertStoreLocation $StoreName ` + -SslFlag $SslFlags + + Write-Host ""New binding added: $newBindingInfo"" + } + catch { + throw $_ + }"; + + } +} diff --git a/IISU/WindowsCertStore.csproj b/IISU/WindowsCertStore.csproj index e49e4d6..6bedf26 100644 --- a/IISU/WindowsCertStore.csproj +++ b/IISU/WindowsCertStore.csproj @@ -3,7 +3,7 @@ Keyfactor.Extensions.Orchestrator.WindowsCertStore true - NET8.0 + NET6.0;NET8.0 AnyCPU diff --git a/WinCertUnitTests/UnitTestIISBinding.cs b/WinCertUnitTests/UnitTestIISBinding.cs index c6d0b18..7c17a65 100644 --- a/WinCertUnitTests/UnitTestIISBinding.cs +++ b/WinCertUnitTests/UnitTestIISBinding.cs @@ -36,8 +36,6 @@ public UnitTestIISBinding() [TestMethod] public void RenewBindingCertificate() { - string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; - string password = "8zWwF36N6cNu"; X509Certificate2 cert = new X509Certificate2(pfxPath, certPassword); Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); @@ -65,8 +63,6 @@ public void UnBindCertificate() [TestMethod] public void BindingNewCertificate() { - string certPath = @"Assets\ManualCert_8zWwF36N6cNu.pfx"; - string password = "8zWwF36N6cNu"; X509Certificate2 cert = new X509Certificate2(pfxPath, certPassword); Runspace rs = PsHelper.GetClientPsRunspace("", "localhost", "", false, "", ""); diff --git a/WinCertUnitTests/WinCertUnitTests.csproj b/WinCertUnitTests/WinCertUnitTests.csproj index a695663..17f1bd0 100644 --- a/WinCertUnitTests/WinCertUnitTests.csproj +++ b/WinCertUnitTests/WinCertUnitTests.csproj @@ -1,7 +1,7 @@  - net8.0 + net6.0 enable enable From b236b0bd11e9d2a5d410dbbf4085bc2b58cda8c5 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Fri, 20 Sep 2024 19:33:00 -0500 Subject: [PATCH 09/26] Removed renewal logic based upon thumbprint and is now being updated by the specific management job for the specific certificate. --- IISU/ClientPSIIManager.cs | 213 +++++++++----------------------------- 1 file changed, 50 insertions(+), 163 deletions(-) diff --git a/IISU/ClientPSIIManager.cs b/IISU/ClientPSIIManager.cs index e7e3955..996b46d 100644 --- a/IISU/ClientPSIIManager.cs +++ b/IISU/ClientPSIIManager.cs @@ -130,7 +130,7 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam IPAddress = config.JobProperties["IPAddress"].ToString(); PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password - RenewalThumbprint = ""; // A reenrollment will always be empty + RenewalThumbprint = ""; // This property will not be used for renewals starting in version 2.5 CertContents = ""; // Not needed for a reenrollment _logger.LogTrace("Certificate details"); @@ -144,7 +144,10 @@ public ClientPSIIManager(ManagementJobConfiguration config, string serverUsernam RenewalThumbprint = config.JobProperties["RenewalThumbprint"].ToString(); _logger.LogTrace($"Found Thumbprint Will Renew all Certs with this thumbprint: {RenewalThumbprint}"); } - + else + { + _logger.LogTrace("No renewal Thumbprint was provided."); + } // Establish PowerShell Runspace var jobProperties = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate }); @@ -173,182 +176,66 @@ public JobResult BindCertificate(X509Certificate2 x509Cert) ps = PowerShell.Create(); ps.Runspace = _runSpace; - //if thumbprint is there it is a renewal so we have to search all the sites for that thumbprint and renew them all - if (RenewalThumbprint?.Length > 0) - { - _logger.LogTrace($"Thumbprint Length > 0 {RenewalThumbprint}"); - - // Get the bindings for all the websites - ps.AddCommand("Import-Module") - .AddParameter("Name", "WebAdministration") - .AddStatement(); - - _logger.LogTrace("WebAdministration Imported"); - var searchScript = - "Foreach($Site in get-website) { Foreach ($Bind in $Site.bindings.collection) {[pscustomobject]@{name=$Site.name;Protocol=$Bind.Protocol;Bindings=$Bind.BindingInformation;thumbprint=$Bind.certificateHash;sniFlg=$Bind.sslFlags}}}"; - ps.AddScript(searchScript).AddStatement(); - _logger.LogTrace($"Search Script: {searchScript}"); - var bindings = ps.Invoke(); + bool hadError = false; + string errorMessage = string.Empty; - bool hadPSError = false; // Flag to indicate if any website had problem with binding - List bindingSiteErrorMessage = new List(); + try + { + Collection results = (Collection)PerformIISBinding(SiteName, Protocol, IPAddress, Port, HostName, SniFlag, x509Cert.Thumbprint, StorePath); - foreach (var binding in bindings) + if (ps.HadErrors) { - if (binding.Properties["Protocol"].Value.ToString().Contains("https")) - { - _logger.LogTrace("Looping Bindings...."); - var bindingSiteName = binding.Properties["name"].Value.ToString(); - var bindingBindings = binding.Properties["Bindings"].Value.ToString()?.Split(':'); - var bindingIpAddress = bindingBindings?.Length > 0 ? bindingBindings[0] : null; - var bindingPort = bindingBindings?.Length > 1 ? bindingBindings[1] : null; - var bindingHostName = bindingBindings?.Length > 2 ? bindingBindings[2] : null; - var bindingProtocol = binding.Properties["Protocol"]?.Value?.ToString(); - var bindingThumbprint = binding.Properties["thumbprint"]?.Value?.ToString(); - var bindingSniFlg = binding.Properties["sniFlg"]?.Value?.ToString(); - - _logger.LogTrace( - $"bindingSiteName: {bindingSiteName}, bindingIpAddress: {bindingIpAddress}, bindingPort: {bindingPort}, bindingHostName: {bindingHostName}, bindingProtocol: {bindingProtocol}, bindingThumbprint: {x509Cert.Thumbprint}, bindingSniFlg: {bindingSniFlg}"); - - //if the thumbprint of the renewal request matches the thumbprint of the cert in IIS, then renew it - if (RenewalThumbprint == bindingThumbprint) - { - _logger.LogTrace($"Thumbprint Match {RenewalThumbprint}={bindingThumbprint}"); - try - { - Collection results = (Collection)PerformIISBinding(bindingSiteName, bindingProtocol, bindingIpAddress, bindingPort, bindingHostName, bindingSniFlg, x509Cert.Thumbprint, StorePath); - - // Check if PowerShell had any errors for this binding - if (ps.HadErrors) - { - var psError = ps.Streams.Error.ReadAll() - .Aggregate(string.Empty, (current, error) => - current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) - ? error.ErrorDetails.Message - : error.Exception != null - ? error.Exception.Message - : error.ToString()) + Environment.NewLine); - - string computerName = string.Empty; - if (_runSpace.ConnectionInfo is null) - { - computerName = "localMachine"; - } - else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } - - string oops = $"PowerShell Error on Site {bindingSiteName} on {computerName}: {psError}"; - bindingSiteErrorMessage.Add(oops); - hadPSError = true; - - _logger.LogTrace(oops); - } - - // Clear the commands and go to the next website - ps.Commands.Clear(); - _logger.LogTrace("Commands Cleared.."); - } - catch (Exception e) - { - string computerName = string.Empty; - if (_runSpace.ConnectionInfo is null) - { - computerName = "localMachine"; - } - else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } - - string oops = $"Application Exception on Site {bindingSiteName} on {computerName}: {e.Message}"; - bindingSiteErrorMessage.Add(oops); - hadPSError = true; - - _logger.LogTrace(oops); - } - } - } - } + var psError = ps.Streams.Error.ReadAll() + .Aggregate(string.Empty, (current, error) => + current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) + ? error.ErrorDetails.Message + : error.Exception != null + ? error.Exception.Message + : error.ToString()) + Environment.NewLine); + + errorMessage = psError; + hadError = true; - if (hadPSError) - { - // Report errors and job results - return new JobResult - { - Result = OrchestratorJobStatusJobResult.Failure, - JobHistoryId = JobHistoryID, - FailureMessage = string.Join(Environment.NewLine, bindingSiteErrorMessage) - }; - } - else - { - return new JobResult - { - Result = OrchestratorJobStatusJobResult.Success, - JobHistoryId = JobHistoryID, - FailureMessage = "" - }; } } - else + catch (Exception e) { - bool hadError = false; - string errorMessage = string.Empty; - - try + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) { - Collection results = (Collection)PerformIISBinding(SiteName, Protocol, IPAddress, Port, HostName, SniFlag, x509Cert.Thumbprint, StorePath); - - if (ps.HadErrors) - { - var psError = ps.Streams.Error.ReadAll() - .Aggregate(string.Empty, (current, error) => - current + (error.ErrorDetails != null && !string.IsNullOrEmpty(error.ErrorDetails.Message) - ? error.ErrorDetails.Message - : error.Exception != null - ? error.Exception.Message - : error.ToString()) + Environment.NewLine); + computerName = "localMachine"; + } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } - errorMessage = psError; - hadError = true; + errorMessage = $"Binding attempt failed on Site {SiteName} on {computerName}, Application error: {e.Message}"; + hadError = true; + _logger.LogTrace(errorMessage); + } - } - } - catch (Exception e) + if (hadError) + { + string computerName = string.Empty; + if (_runSpace.ConnectionInfo is null) { - string computerName = string.Empty; - if (_runSpace.ConnectionInfo is null) - { - computerName = "localMachine"; - } - else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } - - errorMessage = $"Binding attempt failed on Site {SiteName} on {computerName}, Application error: {e.Message}"; - hadError = true; - _logger.LogTrace(errorMessage); + computerName = "localMachine"; } + else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } - if (hadError) + return new JobResult { - string computerName = string.Empty; - if (_runSpace.ConnectionInfo is null) - { - computerName = "localMachine"; - } - else { computerName = "Server: " + _runSpace.ConnectionInfo.ComputerName; } - - return new JobResult - { - Result = OrchestratorJobStatusJobResult.Failure, - JobHistoryId = JobHistoryID, - FailureMessage = $"Binding attempt failed on Site {SiteName} on {computerName}: {errorMessage}" - }; - } - else + Result = OrchestratorJobStatusJobResult.Failure, + JobHistoryId = JobHistoryID, + FailureMessage = $"Binding attempt failed on Site {SiteName} on {computerName}: {errorMessage}" + }; + } + else + { + return new JobResult { - return new JobResult - { - Result = OrchestratorJobStatusJobResult.Success, - JobHistoryId = JobHistoryID, - FailureMessage = "" - }; - } + Result = OrchestratorJobStatusJobResult.Success, + JobHistoryId = JobHistoryID, + FailureMessage = "" + }; } } catch (Exception e) From 60b921fce4d678e0fac4530cad24928c833e52b3 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Mon, 23 Sep 2024 10:42:18 -0500 Subject: [PATCH 10/26] Added Extension Names to all implementations. --- IISU/ImplementedStoreTypes/Win/Inventory.cs | 2 +- IISU/ImplementedStoreTypes/Win/Management.cs | 2 +- IISU/ImplementedStoreTypes/Win/ReEnrollment.cs | 2 +- IISU/ImplementedStoreTypes/WinIIS/Inventory.cs | 2 +- IISU/ImplementedStoreTypes/WinIIS/Management.cs | 2 +- IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs | 2 +- IISU/ImplementedStoreTypes/WinSQL/Inventory.cs | 2 +- IISU/ImplementedStoreTypes/WinSQL/Management.cs | 2 +- IISU/ImplementedStoreTypes/WinSQL/ReEnrollment.cs | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/IISU/ImplementedStoreTypes/Win/Inventory.cs b/IISU/ImplementedStoreTypes/Win/Inventory.cs index 65f5602..c04f322 100644 --- a/IISU/ImplementedStoreTypes/Win/Inventory.cs +++ b/IISU/ImplementedStoreTypes/Win/Inventory.cs @@ -30,7 +30,7 @@ namespace Keyfactor.Extensions.Orchestrator.WindowsCertStore.WinCert public class Inventory : WinCertJobTypeBase, IInventoryJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinCertInventory"; public Inventory(IPAMSecretResolver resolver) { diff --git a/IISU/ImplementedStoreTypes/Win/Management.cs b/IISU/ImplementedStoreTypes/Win/Management.cs index d0c2b70..b897987 100644 --- a/IISU/ImplementedStoreTypes/Win/Management.cs +++ b/IISU/ImplementedStoreTypes/Win/Management.cs @@ -33,7 +33,7 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinCertManagement"; private Runspace myRunspace; diff --git a/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs b/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs index cf9abc6..8f0c4de 100644 --- a/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs +++ b/IISU/ImplementedStoreTypes/Win/ReEnrollment.cs @@ -22,7 +22,7 @@ public class ReEnrollment : WinCertJobTypeBase, IReenrollmentJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinCertReEnrollment"; public ReEnrollment(IPAMSecretResolver resolver) { diff --git a/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs b/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs index a3855ec..0255948 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/Inventory.cs @@ -27,7 +27,7 @@ public class Inventory : WinCertJobTypeBase, IInventoryJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinIISUInventory"; public Inventory(IPAMSecretResolver resolver) { diff --git a/IISU/ImplementedStoreTypes/WinIIS/Management.cs b/IISU/ImplementedStoreTypes/WinIIS/Management.cs index c916827..f917eb7 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/Management.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/Management.cs @@ -32,7 +32,7 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinIISUManagement"; private Runspace myRunspace; diff --git a/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs b/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs index 8c07b0b..109b554 100644 --- a/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs +++ b/IISU/ImplementedStoreTypes/WinIIS/ReEnrollment.cs @@ -29,7 +29,7 @@ public ReEnrollment(IPAMSecretResolver resolver) _resolver = resolver; } - public string ExtensionName => string.Empty; + public string ExtensionName => "WinIISUReEnrollment"; public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollmentCSR submitReEnrollmentUpdate) { diff --git a/IISU/ImplementedStoreTypes/WinSQL/Inventory.cs b/IISU/ImplementedStoreTypes/WinSQL/Inventory.cs index 1950a84..31511a0 100644 --- a/IISU/ImplementedStoreTypes/WinSQL/Inventory.cs +++ b/IISU/ImplementedStoreTypes/WinSQL/Inventory.cs @@ -28,7 +28,7 @@ public class Inventory : WinCertJobTypeBase, IInventoryJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinSqlInventory"; public Inventory(IPAMSecretResolver resolver) { diff --git a/IISU/ImplementedStoreTypes/WinSQL/Management.cs b/IISU/ImplementedStoreTypes/WinSQL/Management.cs index 7957146..a4d2ffe 100644 --- a/IISU/ImplementedStoreTypes/WinSQL/Management.cs +++ b/IISU/ImplementedStoreTypes/WinSQL/Management.cs @@ -29,7 +29,7 @@ public class Management : WinCertJobTypeBase, IManagementJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinSqlManagement"; private Runspace myRunspace; diff --git a/IISU/ImplementedStoreTypes/WinSQL/ReEnrollment.cs b/IISU/ImplementedStoreTypes/WinSQL/ReEnrollment.cs index c4e178f..a96782d 100644 --- a/IISU/ImplementedStoreTypes/WinSQL/ReEnrollment.cs +++ b/IISU/ImplementedStoreTypes/WinSQL/ReEnrollment.cs @@ -23,7 +23,7 @@ public class ReEnrollment : WinCertJobTypeBase, IReenrollmentJobExtension { private ILogger _logger; - public string ExtensionName => string.Empty; + public string ExtensionName => "WinSqlReEnrollment"; public ReEnrollment(IPAMSecretResolver resolver) { From f1438bd5b3d5d669b2f8a46ce7e4b24fbb0ab856 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Tue, 1 Oct 2024 16:30:48 -0500 Subject: [PATCH 11/26] Updated ReadMe document describing SNI Support changes. --- readme_source.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/readme_source.md b/readme_source.md index f25bfb3..23bc0ba 100644 --- a/readme_source.md +++ b/readme_source.md @@ -108,9 +108,9 @@ Name|Display Name| Type|Default Value|Required When|Description ---|---|---|---|---|--- SiteName | IIS Site Name|String|Default Web Site|Adding, Removing, Reenrolling | IIS web site to bind certificate to IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses) -Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to -HostName | Host Name | String |||| Host name (host header) to bind certificate to, leave blank for all host names -SniFlag | SNI Support | String | 0 | Adding, Reenrolling |Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") +Port | Port | String | 443 | Adding, Removing, Reenrolling|IP port for bind certificate to +HostName | Host Name | String ||| Host name (host header) to bind certificate to, leave blank for all host names +SniFlag | SNI Support | String |0| Adding, Removing, Reenrolling |A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.) Protocol | Protocol | Multiple Choice | https| Adding, Removing, Reenrolling|Protocol to bind to (always "https").
(Multiple choice configuration should be "https") ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. From aa0b9b7d7f484e38e5ba290f1334523e93c291cf Mon Sep 17 00:00:00 2001 From: Hayden Roszell Date: Thu, 17 Oct 2024 12:40:10 -0700 Subject: [PATCH 12/26] chore(doctool): Boilerplate documentation and integration-manifest.json for doctool Signed-off-by: Hayden Roszell --- .../workflows/keyfactor-starter-workflow.yml | 2 +- docsource/content.md | 53 + docsource/iisu.md | 15 + docsource/wincert.md | 14 + docsource/winsql.md | 10 + integration-manifest.json | 932 +++++++++--------- 6 files changed, 582 insertions(+), 444 deletions(-) create mode 100644 docsource/content.md create mode 100644 docsource/iisu.md create mode 100644 docsource/wincert.md create mode 100644 docsource/winsql.md diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index b13de78..46f6fc9 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@dual-platform-without-doctool + uses: keyfactor/actions/.github/workflows/starter.yml@v3 secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} diff --git a/docsource/content.md b/docsource/content.md new file mode 100644 index 0000000..8acf59d --- /dev/null +++ b/docsource/content.md @@ -0,0 +1,53 @@ +## Overview + +The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: + + Get-ChildItem Cert:\LocalMachine + +The returned list will contain the actual certificate store name to be used when entering store location. + +By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores. + +This extension implements four job types: Inventory, Management Add/Remove, and Reenrollment. + +WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document. + +**Note:** +In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options: +1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type. +1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type. +1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.) + +**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** + +**Note: If Looking to use GMSA Accounts to run the Service Keyfactor Command 10.2 or greater is required for No Value checkbox to work** + +## Requirements + +### Security and Permission Considerations + +From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account. + +For customers wishing to use something other than the local administrator account, the following information may be helpful: + +* The WinCert extensions (WinCert, IISU, WinSQL) create a WinRM (remote PowerShell) session to the target server in order to manipulate the Windows Certificate Stores, perform binding (in the case of the IISU extension), or to access the registry (in the case of the WinSQL extension). + +* When the WinRM session is created, the certificate store credentials are used if they have been specified, otherwise the WinRM session is created in the context of the Universal Orchestrator (UO) Service account (which potentially could be the network service account, a regular account, or a GMSA account) + +* WinRM needs to be properly set up between the server hosting the UO and the target server. This means that a WinRM client running on the UO server when running in the context of the UO service account needs to be able to create a session on the target server using the configured credentials of the target server and any PowerShell commands running on the remote session need to have appropriate permissions. + +* Even though a given account may be in the administrators group or have administrative privileges on the target system and may be able to execute certificate and binding operations when running locally, the same account may not work when being used via WinRM. User Account Control (UAC) can get in the way and filter out administrative privledges. UAC / WinRM configuration has a LocalAccountTokenFilterPolicy setting that can be adjusted to not filter out administrative privledges for remote users, but enabling this may have other security ramifications. + +* The following list may not be exhaustive, but in general the account (when running under a remote WinRM session) needs permissions to: + - Instantiate and open a .NET X509Certificates.X509Store object for the target certificate store and be able to read and write both the certificates and related private keys. Note that ACL permissions on the stores and private keys are separate. + - Use the Import-Certificate, Get-WebSite, Get-WebBinding, and New-WebBinding PowerShell CmdLets. + - Create and delete temporary files. + - Execute certreq commands. + - Access any Cryptographic Service Provider (CSP) referenced in re-enrollment jobs. + - Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding. + +## Note Regarding Client Machine + +If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection. + +Here are the settings required for each Store Type previously configured. diff --git a/docsource/iisu.md b/docsource/iisu.md new file mode 100644 index 0000000..ad9209e --- /dev/null +++ b/docsource/iisu.md @@ -0,0 +1,15 @@ +## Overview + +The IIS Bound Certificate Certificate Store Type, identified by its short name 'IISU,' is designed for the management of certificates bound to IIS (Internet Information Services) servers. This store type allows users to automate and streamline the process of adding, removing, and reenrolling certificates for IIS sites, making it significantly easier to manage web server certificates. + +### Key Features and Representation + +The IISU store type represents the IIS servers and their certificate bindings. It specifically caters to managing SSL/TLS certificates tied to IIS websites, allowing bind operations such as specifying site names, IP addresses, ports, and enabling Server Name Indication (SNI). By default, it supports job types like Inventory, Add, Remove, and Reenrollment, thereby offering comprehensive management capabilities for IIS certificates. + +### Limitations and Areas of Confusion + +- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues. + +- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured. + +- **Custom Alias and Private Keys:** The store type does not support custom aliases for individual entries and requires private keys because IIS certificates without private keys would be invalid. diff --git a/docsource/wincert.md b/docsource/wincert.md new file mode 100644 index 0000000..9b8b74c --- /dev/null +++ b/docsource/wincert.md @@ -0,0 +1,14 @@ +## Overview + +The Windows Certificate Certificate Store Type, known by its short name 'WinCert,' enables the management of certificates within the Windows local machine certificate stores. This store type is a versatile option for general Windows certificate management and supports functionalities including inventory, add, remove, and reenrollment of certificates. + +The store type represents the various certificate stores present on a Windows Server. Users can specify these stores by entering the correct store path. To get a complete list of available certificate stores, the PowerShell command `Get-ChildItem Cert:\LocalMachine` can be executed, providing the actual certificate store names needed for configuration. + +### Key Features and Considerations + +- **Functionality:** The WinCert store type supports essential certificate management tasks, such as inventorying existing certificates, adding new certificates, removing old ones, and reenrolling certificates. + +- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues. + +- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured. + diff --git a/docsource/winsql.md b/docsource/winsql.md new file mode 100644 index 0000000..19af1af --- /dev/null +++ b/docsource/winsql.md @@ -0,0 +1,10 @@ +## Overview + +The WinSql Certificate Store Type, referred to by its short name 'WinSql,' is designed for the management of certificates used by SQL Server instances. This store type allows users to automate the process of adding, removing, reenrolling, and inventorying certificates associated with SQL Server, thereby simplifying the management of SSL/TLS certificates for database servers. + +### Caveats and Limitations + +- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues. + +- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured. + diff --git a/integration-manifest.json b/integration-manifest.json index b09de75..01b0885 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -1,448 +1,494 @@ { - "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", - "integration_type": "orchestrator", - "name": "WinCertStore Orchestrator", - "status": "production", - "link_github": true, - "release_dir": "IISU/bin/Release/net6.0", - "update_catalog": true, - "support_level": "kf-supported", - "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS.", - "about": { - "orchestrator": { - "UOFramework": "10.1", - "pam_support": true, - "keyfactor_platform_version": "9.10", - "win": { - "supportsCreateStore": false, - "supportsDiscovery": false, - "supportsManagementAdd": true, - "supportsManagementRemove": true, - "supportsReenrollment": true, - "supportsInventory": true, - "platformSupport": "Unused" - }, - "linux": { - "supportsCreateStore": false, - "supportsDiscovery": false, - "supportsManagementAdd": false, - "supportsManagementRemove": false, - "supportsReenrollment": false, - "supportsInventory": false, - "platformSupport": "Unused" - }, - "store_types": [ - { - "Name": "Windows Certificate", - "ShortName": "WinCert", - "Capability": "WinCert", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": false, - "Discovery": false, - "Enrollment": true, - "Remove": true - }, - "Properties": [ - { - "Name": "spnwithport", - "DisplayName": "SPN With Port", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "false", - "Required": false + "$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json", + "integration_type": "orchestrator", + "name": "Windows Certificate Orchestrator", + "status": "production", + "link_github": true, + "release_dir": "IISU/bin/Release/net6.0", + "update_catalog": true, + "support_level": "kf-supported", + "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS.", + "about": { + "orchestrator": { + "UOFramework": "10.1", + "pam_support": true, + "keyfactor_platform_version": "9.10", + "win": { + "supportsCreateStore": false, + "supportsDiscovery": false, + "supportsManagementAdd": true, + "supportsManagementRemove": true, + "supportsReenrollment": true, + "supportsInventory": true, + "platformSupport": "Unused" }, - { - "Name": "WinRM Protocol", - "DisplayName": "WinRM Protocol", - "Type": "MultipleChoice", - "DependsOn": "", - "DefaultValue": "https,http", - "Required": true + "linux": { + "supportsCreateStore": false, + "supportsDiscovery": false, + "supportsManagementAdd": false, + "supportsManagementRemove": false, + "supportsReenrollment": false, + "supportsInventory": false, + "platformSupport": "Unused" }, - { - "Name": "WinRM Port", - "DisplayName": "WinRM Port", - "Type": "String", - "DependsOn": "", - "DefaultValue": "5986", - "Required": true - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": [ - { - "Name": "ProviderName", - "DisplayName": "Crypto Provider Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - } - ], - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" - }, - { - "Name": "IIS Bound Certificate", - "ShortName": "IISU", - "Capability": "IISU", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": false, - "Discovery": false, - "Enrollment": true, - "Remove": true - }, - "Properties": [ - { - "Name": "spnwithport", - "DisplayName": "SPN With Port", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "false", - "Required": false - }, - { - "Name": "WinRm Protocol", - "DisplayName": "WinRm Protocol", - "Type": "MultipleChoice", - "DependsOn": "", - "DefaultValue": "https,http", - "Required": true - }, - { - "Name": "WinRm Port", - "DisplayName": "WinRm Port", - "Type": "String", - "DependsOn": "", - "DefaultValue": "5986", - "Required": true - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": "", - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": "", - "DefaultValue": "true", - "Required": true - } - ], - "EntryParameters": [ - { - "Name": "Port", - "DisplayName": "Port", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "443", - "Options": "" - }, - { - "Name": "IPAddress", - "DisplayName": "IP Address", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": true, - "OnRemove": true, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "*", - "Options": "" - }, - { - "Name": "HostName", - "DisplayName": "Host Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - }, - { - "Name": "SiteName", - "DisplayName": "IIS Site Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": true, - "OnRemove": true, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "Default Web Site", - "Options": "" - }, - { - "Name": "SniFlag", - "DisplayName": "SNI Support", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "0", - "Options": "" - }, - { - "Name": "Protocol", - "DisplayName": "Protocol", - "Type": "MultipleChoice", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": true, - "OnRemove": true, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "https", - "Options": "https,http" - }, - { - "Name": "ProviderName", - "DisplayName": "Crypto Provider Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - } - ], - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathValue": "[\"My\",\"WebHosting\"]", - "PrivateKeyAllowed": "Required", - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" - }, - { - "Name": "WinSql", - "ShortName": "WinSql", - "Capability": "WinSql", - "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": false, - "Discovery": false, - "Enrollment": false, - "Remove": true - }, - "Properties": [ - { - "Name": "WinRm Protocol", - "DisplayName": "WinRm Protocol", - "Type": "MultipleChoice", - "DependsOn": null, - "DefaultValue": "https,http", - "Required": true - }, - { - "Name": "WinRm Port", - "DisplayName": "WinRm Port", - "Type": "String", - "DependsOn": null, - "DefaultValue": "5986", - "Required": true - }, - { - "Name": "ServerUsername", - "DisplayName": "Server Username", - "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerPassword", - "DisplayName": "Server Password", - "Type": "Secret", - "DependsOn": null, - "DefaultValue": null, - "Required": false - }, - { - "Name": "ServerUseSsl", - "DisplayName": "Use SSL", - "Type": "Bool", - "DependsOn": null, - "DefaultValue": "true", - "Required": true - }, - { - "Name": "RestartService", - "DisplayName": "Restart SQL Service After Cert Installed", - "Type": "Bool", - "DependsOn": null, - "DefaultValue": "false", - "Required": true - } - ], - "EntryParameters": [ - { - "Name": "InstanceName", - "DisplayName": "Instance Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - } - }, - { - "Name": "ProviderName", - "DisplayName": "Crypto Provider Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - }, - { - "Name": "SAN", - "DisplayName": "SAN", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": true - }, - "DependsOn": "", - "DefaultValue": "", - "Options": "" - } - ], - "PasswordOptions": { - "EntrySupported": false, - "StoreRequired": false, - "Style": "Default" - }, - "StorePathValue": "My", - "PrivateKeyAllowed": "Optional", - "JobProperties": [ - "InstanceName" - ], - "ServerRequired": true, - "PowerShell": false, - "BlueprintAllowed": true, - "CustomAliasAllowed": "Forbidden" + "store_types": [ + { + "Name": "Windows Certificate", + "ShortName": "WinCert", + "Capability": "WinCert", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http", + "Required": true, + "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + } + ], + "EntryParameters": [ + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + }, + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).", + "StorePathDescription": "Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store." + }, + { + "Name": "IIS Bound Certificate", + "ShortName": "IISU", + "Capability": "IISU", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http", + "Required": true, + "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + } + ], + "EntryParameters": [ + { + "Name": "Port", + "DisplayName": "Port", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "443", + "Options": "", + "Description": "String value specifying the IP port to bind the certificate to for the IIS site. Example: '443' for HTTPS." + }, + { + "Name": "IPAddress", + "DisplayName": "IP Address", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "*", + "Options": "", + "Description": "String value specifying the IP address to bind the certificate to for the IIS site. Example: '*' for all IP addresses or '192.168.1.1' for a specific IP address." + }, + { + "Name": "HostName", + "DisplayName": "Host Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the host name (host header) to bind the certificate to for the IIS site. Leave blank for all host names or enter a specific hostname such as 'www.example.com'." + }, + { + "Name": "SiteName", + "DisplayName": "IIS Site Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "Default Web Site", + "Options": "", + "Description": "String value specifying the name of the IIS web site to bind the certificate to. Example: 'Default Web Site' or any custom site name such as 'MyWebsite'." + }, + { + "Name": "SniFlag", + "DisplayName": "SNI Support", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "0", + "Options": "", + "Description": "A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.)" + }, + { + "Name": "Protocol", + "DisplayName": "Protocol", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": true, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "https", + "Options": "https,http", + "Description": "Multiple choice value specifying the protocol to bind to. Example: 'https' for secure communication." + }, + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server." + }, + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "[\"My\",\"WebHosting\"]", + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Hostname of the Windows Server containing the IIS certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).", + "StorePathDescription": "Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store." + }, + { + "Name": "WinSql", + "ShortName": "WinSql", + "Capability": "WinSql", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "spnwithport", + "DisplayName": "SPN With Port", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false, + "Description": "Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations." + }, + { + "Name": "WinRM Protocol", + "DisplayName": "WinRM Protocol", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "https,http", + "Required": true, + "Description": "Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication." + }, + { + "Name": "WinRM Port", + "DisplayName": "WinRM Port", + "Type": "String", + "DependsOn": "", + "DefaultValue": "5986", + "Required": true, + "Description": "String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP." + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\\username'." + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'." + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true, + "Description": "Determine whether the server uses SSL or not (This field is automatically created)" + }, + { + "Name": "RestartService", + "DisplayName": "Restart SQL Service After Cert Installed", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true, + "Description": "Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation." + } + ], + "EntryParameters": [ + { + "Name": "InstanceName", + "DisplayName": "Instance Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Description": "String value specifying the SQL Server instance name to bind the certificate to. Example: 'MSSQLServer' for the default instance or 'Instance1' for a named instance." + }, + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'." + }, + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "", + "Description": "String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs." + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "My", + "PrivateKeyAllowed": "Optional", + "JobProperties": [ + "InstanceName" + ], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden", + "ClientMachineDescription": "Hostname of the Windows Server containing the SQL Server Certificate Store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine).", + "StorePathDescription": "Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server." + } + ] } - ] } - } -} \ No newline at end of file +} From 92fc5e3736f0cfd1288ad07accd7f8102dda2f61 Mon Sep 17 00:00:00 2001 From: Hayden Roszell Date: Thu, 17 Oct 2024 12:41:34 -0700 Subject: [PATCH 13/26] chore(ci): Add scan token Signed-off-by: Hayden Roszell --- .github/workflows/keyfactor-starter-workflow.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 46f6fc9..64919a4 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -17,3 +17,4 @@ jobs: APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} + scan_token: ${{ secrets.SAST_TOKEN }} From b767cfc99454dfeb866a20b34645899ec621e4b7 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Thu, 17 Oct 2024 19:41:36 +0000 Subject: [PATCH 14/26] Update generated docs --- README.md | 898 +++++++++++++++++++++++--------------- integration-manifest.json | 4 +- 2 files changed, 545 insertions(+), 357 deletions(-) diff --git a/README.md b/README.md index b1e73f7..1ca2178 100644 --- a/README.md +++ b/README.md @@ -1,133 +1,126 @@ +

+ Windows Certificate Universal Orchestrator Extension +

+ +

+ +Integration Status: production +Release +Issues +GitHub Downloads (all assets, all releases) +

-# WinCertStore Orchestrator - -The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS. - -#### Integration status: Production - Ready for use in production environments. - -## About the Keyfactor Universal Orchestrator Extension - -This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. - -The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. - -The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. - -## Support for WinCertStore Orchestrator - -WinCertStore Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com - -###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. - ---- +

+ + + Support + + · + + Installation + + · + + License + + · + + Related Integrations + +

-### Migrating Legacy IIS Stores -If you have existing IIS stores with the built-in IIS types, and plan to upgrade to Keyfactor Command 11 or later, you will need to migrate from the legacy store types to the IISU and WinCert store type defined in this repository. +## Overview -You can find the guide and migration scripts in this repository, located here: -[Legacy IIS Migration](./Migration-Scripts/Legacy-IIS) ---- +The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: + Get-ChildItem Cert:\LocalMachine +The returned list will contain the actual certificate store name to be used when entering store location. -## Keyfactor Version Supported +By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores. -The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1 -## Platform Specific Notes +This extension implements four job types: Inventory, Management Add/Remove, and Reenrollment. -The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running. -| Operation | Win | Linux | -|-----|-----|------| -|Supports Management Add|✓ | | -|Supports Management Remove|✓ | | -|Supports Create Store| | | -|Supports Discovery| | | -|Supports Reenrollment|✓ | | -|Supports Inventory|✓ | | +WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document. +**Note:** +In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options: +1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type. +1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type. +1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.) -## PAM Integration +**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** -This orchestrator extension has the ability to connect to a variety of supported PAM providers to allow for the retrieval of various client hosted secrets right from the orchestrator server itself. This eliminates the need to set up the PAM integration on Keyfactor Command which may be in an environment that the client does not want to have access to their PAM provider. +**Note: If Looking to use GMSA Accounts to run the Service Keyfactor Command 10.2 or greater is required for No Value checkbox to work** -The secrets that this orchestrator extension supports for use with a PAM Provider are: +The Windows Certificate Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below. -|Name|Description| -|----|-----------| -|Server Username|The user id that will be used to authenticate into the server hosting the store| -|Server Password|The password that will be used to authenticate into the server hosting the store| +
Windows Certificate (WinCert) +### WinCert -It is not necessary to use a PAM Provider for all of the secrets available above. If a PAM Provider should not be used, simply enter in the actual value to be used, as normal. +The Windows Certificate Certificate Store Type, known by its short name 'WinCert,' enables the management of certificates within the Windows local machine certificate stores. This store type is a versatile option for general Windows certificate management and supports functionalities including inventory, add, remove, and reenrollment of certificates. -If a PAM Provider will be used for one of the fields above, start by referencing the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam). The GitHub repo for the PAM Provider to be used contains important information such as the format of the `json` needed. What follows is an example but does not reflect the `json` values for all PAM Providers as they have different "instance" and "initialization" parameter names and values. +The store type represents the various certificate stores present on a Windows Server. Users can specify these stores by entering the correct store path. To get a complete list of available certificate stores, the PowerShell command `Get-ChildItem Cert:\LocalMachine` can be executed, providing the actual certificate store names needed for configuration. -
General PAM Provider Configuration -

+#### Key Features and Considerations +- **Functionality:** The WinCert store type supports essential certificate management tasks, such as inventorying existing certificates, adding new certificates, removing old ones, and reenrolling certificates. +- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues. -### Example PAM Provider Setup +- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured. +

-To use a PAM Provider to resolve a field, in this example the __Server Password__ will be resolved by the `Hashicorp-Vault` provider, first install the PAM Provider extension from the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) on the Universal Orchestrator. +
IIS Bound Certificate (IISU) -Next, complete configuration of the PAM Provider on the UO by editing the `manifest.json` of the __PAM Provider__ (e.g. located at extensions/Hashicorp-Vault/manifest.json). The "initialization" parameters need to be entered here: +### IISU -~~~ json - "Keyfactor:PAMProviders:Hashicorp-Vault:InitializationInfo": { - "Host": "http://127.0.0.1:8200", - "Path": "v1/secret/data", - "Token": "xxxxxx" - } -~~~ +The IIS Bound Certificate Certificate Store Type, identified by its short name 'IISU,' is designed for the management of certificates bound to IIS (Internet Information Services) servers. This store type allows users to automate and streamline the process of adding, removing, and reenrolling certificates for IIS sites, making it significantly easier to manage web server certificates. -After these values are entered, the Orchestrator needs to be restarted to pick up the configuration. Now the PAM Provider can be used on other Orchestrator Extensions. +#### Key Features and Representation -### Use the PAM Provider -With the PAM Provider configured as an extenion on the UO, a `json` object can be passed instead of an actual value to resolve the field with a PAM Provider. Consult the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) for the specific format of the `json` object. +The IISU store type represents the IIS servers and their certificate bindings. It specifically caters to managing SSL/TLS certificates tied to IIS websites, allowing bind operations such as specifying site names, IP addresses, ports, and enabling Server Name Indication (SNI). By default, it supports job types like Inventory, Add, Remove, and Reenrollment, thereby offering comprehensive management capabilities for IIS certificates. -To have the __Server Password__ field resolved by the `Hashicorp-Vault` provider, the corresponding `json` object from the `Hashicorp-Vault` extension needs to be copied and filed in with the correct information: +#### Limitations and Areas of Confusion -~~~ json -{"Secret":"my-kv-secret","Key":"myServerPassword"} -~~~ +- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues. -This text would be entered in as the value for the __Server Password__, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the __Server Password__. If PAM should not be used, just directly enter in the value for the field. -

-
+- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured. +- **Custom Alias and Private Keys:** The store type does not support custom aliases for individual entries and requires private keys because IIS certificates without private keys would be invalid. +
+
WinSql (WinSql) +### WinSql ---- +The WinSql Certificate Store Type, referred to by its short name 'WinSql,' is designed for the management of certificates used by SQL Server instances. This store type allows users to automate the process of adding, removing, reenrolling, and inventorying certificates associated with SQL Server, thereby simplifying the management of SSL/TLS certificates for database servers. +#### Caveats and Limitations -# WinCertStore Orchestrator Configuration -## Overview +- **Caveats:** It's important to ensure that the Windows Remote Management (WinRM) is properly configured on the target server. The orchestrator relies on WinRM to perform its tasks, such as manipulating the Windows Certificate Stores. Misconfiguration of WinRM may lead to connection and permission issues. -The WinCertStore Orchestrator remotely manages certificates in a Windows Server local machine certificate store. Users are able to determine which store they wish to place certificates in by entering the correct store path. For a complete list of local machine cert stores you can execute the PowerShell command: +- **Limitations:** Users should be aware that for this store type to function correctly, certain permissions are necessary. While some advanced users successfully use non-administrator accounts with specific permissions, it is officially supported only with Local Administrator permissions. Complexities with interactions between Group Policy, WinRM, User Account Control, and other environmental factors may impede operations if not properly configured. +
- Get-ChildItem Cert:\LocalMachine -The returned list will contain the actual certificate store name to be used when entering store location. +## Compatibility -By default, most certificates are stored in the “Personal” (My) and “Web Hosting” (WebHosting) stores. +This integration is compatible with Keyfactor Universal Orchestrator version 10.1 and later. -This extension implements four job types: Inventory, Management Add/Remove, and Reenrollment. +## Support +The Windows Certificate Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. + +> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. -WinRM is used to remotely manage the certificate stores and IIS bindings. WinRM must be properly configured to allow the orchestrator on the server to manage the certificates. Setting up WinRM is not in the scope of this document. +## Requirements & Prerequisites -**Note:** -In version 2.0 of the IIS Orchestrator, the certificate store type has been renamed and additional parameters have been added. Prior to 2.0 the certificate store type was called “IISBin” and as of 2.0 it is called “IISU”. If you have existing certificate stores of type “IISBin”, you have three options: -1. Leave them as is and continue to manage them with a pre 2.0 IIS Orchestrator Extension. Create the new IISU certificate store type and create any new IIS stores using the new type. -1. Delete existing IIS stores. Delete the IISBin store type. Create the new IISU store type. Recreate the IIS stores using the new IISU store type. -1. Convert existing IISBin certificate stores to IISU certificate stores. There is not currently a way to do this via the Keyfactor API, so direct updates to the underlying Keyfactor SQL database is required. A SQL script (IIS-Conversion.sql) is available in the repository to do this. Hosted customers, which do not have access to the underlying database, will need to work Keyfactor support to run the conversion. On-premises customers can run the script themselves, but are strongly encouraged to ensure that a SQL backup is taken prior running the script (and also be confident that they have a tested database restoration process.) +Before installing the Windows Certificate Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. -**Note: There is an additional (and deprecated) certificate store type of “IIS” that ships with the Keyfactor platform. Migration of certificate stores from the “IIS” type to either the “IISBin” or “IISU” types is not currently supported.** -**Note: If Looking to use GMSA Accounts to run the Service Keyfactor Command 10.2 or greater is required for No Value checkbox to work** +### Security and Permission Considerations -## Security and Permission Considerations From an official support point of view, Local Administrator permissions are required on the target server. Some customers have been successful with using other accounts and granting rights to the underlying certificate and private key stores. Due to complexities with the interactions between Group Policy, WinRM, User Account Control, and other unpredictable customer environmental factors, Keyfactor cannot provide assistance with using accounts other than the local administrator account. For customers wishing to use something other than the local administrator account, the following information may be helpful: @@ -148,350 +141,545 @@ For customers wishing to use something other than the local administrator accoun - Access any Cryptographic Service Provider (CSP) referenced in re-enrollment jobs. - Read and Write values in the registry (HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server) when performing SQL Server certificate binding. -## Creating New Certificate Store Types -Currently this orchestrator handles three types of extensions: IISU for IIS servers with bound certificates, WinCert for general Windows Certificates and WinSql for managing certificates for SQL Server. -Below describes how each of these certificate store types are created and configured. -
- IISU Extension -**In Keyfactor Command create a new Certificate Store Type as specified below:** +## Create Certificate Store Types + +To use the Windows Certificate Universal Orchestrator extension, you **must** create the Certificate Store Types required for your usecase. This only needs to happen _once_ per Keyfactor Command instance. + +The Windows Certificate Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. -**Basic Settings:** +
Windows Certificate (WinCert) -CONFIG ELEMENT | VALUE | DESCRIPTION ---|--|-- -Name | IIS Bound Certificate | Display name for the store type (may be customized) -Short Name| IISU | Short display name for the store type -Custom Capability | IISU | Store type name orchestrator will register with. Check the box to allow entry of value -Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports -Needs Server | Checked | Determines if a target server name is required when creating store -Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint -Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell -Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store. -Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password. -![](images/IISUCertStoreBasic.png) +* **Create WinCert using kfutil**: -**Advanced Settings:** + ```shell + # Windows Certificate + kfutil store-types create WinCert + ``` -CONFIG ELEMENT | VALUE | DESCRIPTION ---|--|-- -Store Path Type | Multiple Choice | Determines what restrictions are applied to the store path field when configuring a new store. -Store Path Value | My,WebHosting | Comma separated list of options configure multiple choice. This, combined with the hostname, will determine the location used for the certificate store management and inventory. -Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. -Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. -PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.) +* **Create WinCert manually in the Command UI**: +
Create WinCert manually in the Command UI -![](images/IISUCertStoreAdv.png) + Create a store type called `WinCert` with the attributes in the tables below: -**Custom Fields:** + #### Basic Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Name | Windows Certificate | Display name for the store type (may be customized) | + | Short Name | WinCert | Short display name for the store type | + | Capability | WinCert | Store type name orchestrator will register with. Check the box to allow entry of value | + | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | + | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | + | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | + | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint | + | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | + | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. | + | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | -Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote -target server containing the certificate store to be managed + The Basic tab should look like this: -Name|Display Name|Type|Default Value / Options|Required|Description ----|---|---|---|---|--- -WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using -WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS -spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. -ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. -ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. -ServerUseSsl|Use SSL|Bool|true|Yes|Determine whether the server uses SSL or not (This field is automatically created) + ![WinCert Basic Tab](docsource/images/WinCert-basic-store-type-dialog.png) -*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.* + #### Advanced Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | + | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | + The Advanced tab should look like this: -![](images/IISUCustomFields.png) + ![WinCert Advanced Tab](docsource/images/WinCert-advanced-store-type-dialog.png) -**Entry Parameters:** + #### Custom Fields Tab + Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: -Entry parameters are inventoried and maintained for each entry within a certificate store. -They are typically used to support binding of a certificate to a resource. + | Name | Display Name | Description | Type | Default Value/Options | Required | + | ---- | ------------ | ---- | --------------------- | -------- | ----------- | + | spnwithport | SPN With Port | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | false | 🔲 Unchecked | + | WinRM Protocol | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | MultipleChoice | https,http | ✅ Checked | + | WinRM Port | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | String | 5986 | ✅ Checked | + | ServerUsername | Server Username | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | Secret | | 🔲 Unchecked | + | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | Secret | | 🔲 Unchecked | + | ServerUseSsl | Use SSL | Determine whether the server uses SSL or not (This field is automatically created) | Bool | true | ✅ Checked | -Name|Display Name| Type|Default Value|Required When|Description ----|---|---|---|---|--- -SiteName | IIS Site Name|String|Default Web Site|Adding, Removing, Reenrolling | IIS web site to bind certificate to -IPAddress | IP Address | String | * | Adding, Removing, Reenrolling | IP address to bind certificate to (use '*' for all IP addresses) -Port | Port | String | 443 || Adding, Removing, Reenrolling|IP port for bind certificate to -HostName | Host Name | String |||| Host name (host header) to bind certificate to, leave blank for all host names -SniFlag | SNI Support | String | 0 | Adding, Reenrolling |Type of SNI for binding
(Multiple choice configuration should be entered as "0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding") -Protocol | Protocol | Multiple Choice | https| Adding, Removing, Reenrolling|Protocol to bind to (always "https").
(Multiple choice configuration should be "https") -ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. -SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. + The Custom Fields tab should look like this: -None of the above entry parameters have the "Depends On" field set. + ![WinCert Custom Fields Tab](docsource/images/WinCert-custom-fields-store-type-dialog.png) -![](images/IISUEntryParams.png) -Click Save to save the Certificate Store Type. + #### Entry Parameters Tab + + | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry | + | ---- | ------------ | ---- | ------------- | ----------------------- | ---------------- | ----------------- | ------------------- | ----------- | + | ProviderName | Crypto Provider Name | Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | SAN | SAN | String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | ✅ Checked | + + The Entry Parameters tab should look like this: + + ![WinCert Entry Parameters Tab](docsource/images/WinCert-entry-parameters-store-type-dialog.png) + + + +
-
- SQL Server Extension -**In Keyfactor Command create a new Certificate Store Type as specified below:** +
IIS Bound Certificate (IISU) + + +* **Create IISU using kfutil**: + + ```shell + # IIS Bound Certificate + kfutil store-types create IISU + ``` -**Basic Settings:** +* **Create IISU manually in the Command UI**: +
Create IISU manually in the Command UI -CONFIG ELEMENT | VALUE | DESCRIPTION ---|--|-- -Name | Windows SQL Server Certificate| Display name for the store type (may be customized) -Short Name| WinSql | Short display name for the store type -Custom Capability | Leave Unchecked | Store type name orchestrator will register with. Check the box to allow entry of value -Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports -Needs Server | Checked | Determines if a target server name is required when creating store -Blueprint Allowed | Checked | Determines if store type may be included in an Orchestrator blueprint -Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell -Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store. -Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password. + Create a store type called `IISU` with the attributes in the tables below: -![](images/SQLServerCertStoreBasic.png) + #### Basic Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Name | IIS Bound Certificate | Display name for the store type (may be customized) | + | Short Name | IISU | Short display name for the store type | + | Capability | IISU | Store type name orchestrator will register with. Check the box to allow entry of value | + | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | + | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | + | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | + | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint | + | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | + | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. | + | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | -**Advanced Settings:** + The Basic tab should look like this: -CONFIG ELEMENT | VALUE | DESCRIPTION ---|--|-- -Store Path Type | Fixed | Fixed to a defined path. SQL Server Supports the Personal or "My" store on the Local Machine. -Store Path Value | My | Fixed Value My on the Local Machine Store. -Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. -Private Keys | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because SQL Server certificates without private keys would be useless. -PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.) + ![IISU Basic Tab](docsource/images/IISU-basic-store-type-dialog.png) -![](images/SQLServerCertStoreAdvanced.png) + #### Advanced Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | + | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | -**Custom Fields:** + The Advanced tab should look like this: -Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote -target server containing the certificate store to be managed + ![IISU Advanced Tab](docsource/images/IISU-advanced-store-type-dialog.png) -Name|Display Name|Type|Default Value / Options|Required|Description ----|---|---|---|---|--- -WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using -WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS -spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. -ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. -ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created). Check the No Value Checkbox when using GMSA Accounts. -ServerUseSsl|Use SSL|Bool|true|Yes|Determine whether the server uses SSL or not (This field is automatically created) -RestartService|Restart SQL Service After Cert Installed|Bool|False|Yes|If true, Orchestrator will restart the SQL Server Service after installing the certificate. + #### Custom Fields Tab + Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: + | Name | Display Name | Description | Type | Default Value/Options | Required | + | ---- | ------------ | ---- | --------------------- | -------- | ----------- | + | spnwithport | SPN With Port | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | false | 🔲 Unchecked | + | WinRM Protocol | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | MultipleChoice | https,http | ✅ Checked | + | WinRM Port | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | String | 5986 | ✅ Checked | + | ServerUsername | Server Username | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | Secret | | 🔲 Unchecked | + | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | Secret | | 🔲 Unchecked | + | ServerUseSsl | Use SSL | Determine whether the server uses SSL or not (This field is automatically created) | Bool | true | ✅ Checked | -*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.* + The Custom Fields tab should look like this: + ![IISU Custom Fields Tab](docsource/images/IISU-custom-fields-store-type-dialog.png) -![](images/SQLServerCustomFields.png) -**Entry Parameters:** -Entry parameters are inventoried and maintained for each entry within a certificate store. -They are typically used to support binding of a certificate to a resource. + #### Entry Parameters Tab -Name|Display Name| Type|Default Value|Required When|Description ----|---|---|---|---|--- -InstanceName | Instance Name|String||Not required | When enrolling leave blank or use MSSQLServer for the Default Instance, Instance Name for an Instance or MSSQLServer,Instance Name if enrolling to multiple instances plus the default instance. -ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. -SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. + | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry | + | ---- | ------------ | ---- | ------------- | ----------------------- | ---------------- | ----------------- | ------------------- | ----------- | + | Port | Port | String value specifying the IP port to bind the certificate to for the IIS site. Example: '443' for HTTPS. | String | 443 | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | IPAddress | IP Address | String value specifying the IP address to bind the certificate to for the IIS site. Example: '*' for all IP addresses or '192.168.1.1' for a specific IP address. | String | * | 🔲 Unchecked | ✅ Checked | ✅ Checked | ✅ Checked | + | HostName | Host Name | String value specifying the host name (host header) to bind the certificate to for the IIS site. Leave blank for all host names or enter a specific hostname such as 'www.example.com'. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | SiteName | IIS Site Name | String value specifying the name of the IIS web site to bind the certificate to. Example: 'Default Web Site' or any custom site name such as 'MyWebsite'. | String | Default Web Site | 🔲 Unchecked | ✅ Checked | ✅ Checked | ✅ Checked | + | SniFlag | SNI Support | A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.) | String | 0 | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | Protocol | Protocol | Multiple choice value specifying the protocol to bind to. Example: 'https' for secure communication. | MultipleChoice | https | 🔲 Unchecked | ✅ Checked | ✅ Checked | ✅ Checked | + | ProviderName | Crypto Provider Name | Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | SAN | SAN | String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | ✅ Checked | -![](images/SQLServerEntryParams.png) + The Entry Parameters tab should look like this: -Click Save to save the Certificate Store Type. + ![IISU Entry Parameters Tab](docsource/images/IISU-entry-parameters-store-type-dialog.png) + + +
-
- WinCert Extension -**1. In Keyfactor Command create a new Certificate Store Type using the settings below** +
WinSql (WinSql) -**Basic Settings:** -CONFIG ELEMENT | VALUE | DESCRIPTION ---|--|-- -Name | Windows Certificate | Display name for the store type (may be customized) -Short Name| WinCert | Short display name for the store type -Custom Capability | WinCert | Store type name orchestrator will register with. Check the box to allow entry of value -Supported Job Types | Inventory, Add, Remove, Reenrollment | Job types the extension supports -Needs Server | Checked | Determines if a target server name is required when creating store -Blueprint Allowed | Unchecked | Determines if store type may be included in an Orchestrator blueprint -Uses PowerShell | Unchecked | Determines if underlying implementation is PowerShell -Requires Store Password | Unchecked | Determines if a store password is required when configuring an individual store. -Supports Entry Password | Unchecked | Determines if an individual entry within a store can have a password. +* **Create WinSql using kfutil**: -![](images/WinCertBasic.png) + ```shell + # WinSql + kfutil store-types create WinSql + ``` -**Advanced Settings:** +* **Create WinSql manually in the Command UI**: +
Create WinSql manually in the Command UI -CONFIG ELEMENT | VALUE | DESCRIPTION ---|--|-- -Store Path Type | Freeform | Allows users to type in a valid certificate store. -Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. -Private Keys | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Typically the personal store would have private keys, whereas trusted root would not. -PFX Password Style | Default or Custom | "Default" - PFX password is randomly generated, "Custom" - PFX password may be specified when the enrollment job is created (Requires the *Allow Custom Password* application setting to be enabled.) + Create a store type called `WinSql` with the attributes in the tables below: -![](images/WinCertAdvanced.png) + #### Basic Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Name | WinSql | Display name for the store type (may be customized) | + | Short Name | WinSql | Short display name for the store type | + | Capability | WinSql | Store type name orchestrator will register with. Check the box to allow entry of value | + | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | + | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | + | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | + | Blueprint Allowed | ✅ Checked | Determines if store type may be included in an Orchestrator blueprint | + | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | + | Requires Store Password | 🔲 Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. | + | Supports Entry Password | 🔲 Unchecked | Determines if an individual entry within a store can have a password. | -**Custom Fields:** + The Basic tab should look like this: -Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed + ![WinSql Basic Tab](docsource/images/WinSql-basic-store-type-dialog.png) -Name|Display Name|Type|Default Value / Options|Required|Description ----|---|---|---|---|--- -WinRm Protocol|WinRm Protocol|Multiple Choice| https,http |Yes|Protocol that target server WinRM listener is using -WinRm Port|WinRm Port|String|5986|Yes| Port that target server WinRM listener is using. Typically 5985 for HTTP and 5986 for HTTPS -spnwithport|SPN With Port|Bool|false|No|Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. -ServerUsername|Server Username|Secret||No|The username to log into the target server (This field is automatically created) -ServerPassword|Server Password|Secret||No|The password that matches the username to log into the target server (This field is automatically created) -ServerUseSsl|Use SSL|Bool|True|Yes|Determine whether the server uses SSL or not (This field is automatically created) + #### Advanced Tab + | Attribute | Value | Description | + | --------- | ----- | ----- | + | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | + | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | -*Note that some of the Names in the first column above have spaces and some do not, it is important to configure the Name field exactly as above.* + The Advanced tab should look like this: -![](images/WinCertCustom.png) + ![WinSql Advanced Tab](docsource/images/WinSql-advanced-store-type-dialog.png) -**Entry Parameters:** + #### Custom Fields Tab + Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type: -Entry parameters are inventoried and maintained for each entry within a certificate store. -They are typically used to support binding of a certificate to a resource. -For the WinCert store type they are used to control how reenrollment jobs are performed. + | Name | Display Name | Description | Type | Default Value/Options | Required | + | ---- | ------------ | ---- | --------------------- | -------- | ----------- | + | spnwithport | SPN With Port | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | Bool | false | 🔲 Unchecked | + | WinRM Protocol | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | MultipleChoice | https,http | ✅ Checked | + | WinRM Port | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | String | 5986 | ✅ Checked | + | ServerUsername | Server Username | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | Secret | | 🔲 Unchecked | + | ServerPassword | Server Password | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | Secret | | 🔲 Unchecked | + | ServerUseSsl | Use SSL | Determine whether the server uses SSL or not (This field is automatically created) | Bool | true | ✅ Checked | + | RestartService | Restart SQL Service After Cert Installed | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | Bool | false | ✅ Checked | -Name|Display Name| Type|Default Value|Required When|Description ----|---|---|---|---|--- -ProviderName | Crypto Provider Name | String ||| Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. -SAN | SAN | String || Reenrolling | Specifies Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Certificate templates generally require a SAN that matches the subject of the certificate (per RFC 2818). Format is a list of = entries separated by ampersands. Examples: 'dns=www.mysite.com' for a single SAN or 'dns=www.mysite.com&dns=www.mysite2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. + The Custom Fields tab should look like this: -None of the above entry parameters have the "Depends On" field set. + ![WinSql Custom Fields Tab](docsource/images/WinSql-custom-fields-store-type-dialog.png) -![](images/WinCertEntryParams.png) -Click Save to save the Certificate Store Type. -
+ #### Entry Parameters Tab + | Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry | + | ---- | ------------ | ---- | ------------- | ----------------------- | ---------------- | ----------------- | ------------------- | ----------- | + | InstanceName | Instance Name | String value specifying the SQL Server instance name to bind the certificate to. Example: 'MSSQLServer' for the default instance or 'Instance1' for a named instance. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | ProviderName | Crypto Provider Name | Optional string value specifying the name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing private keys. Example: 'Microsoft Strong Cryptographic Provider'. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | SAN | SAN | String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | ✅ Checked | -## Creating New Certificate Stores -Once the Certificate Store Types have been created, you need to create the Certificate Stores prior to using the extension. + The Entry Parameters tab should look like this: -### Note Regarding Client Machine -If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection. + ![WinSql Entry Parameters Tab](docsource/images/WinSql-entry-parameters-store-type-dialog.png) -Here are the settings required for each Store Type previously configured. -
-IISU Certificate Store - -In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. - -#### STORE CONFIGURATION -CONFIG ELEMENT |DESCRIPTION -----------------|--------------- -Category | Select IIS Bound Certificate or the customized certificate store display name from above. -Container | Optional container to associate certificate store with. -Client Machine | Contains the Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. -Store Path | Windows certificate store to manage. Choose "My" for the Personal Store or "WebHosting" for the Web Hosting Store. -Orchestrator | Select an approved orchestrator capable of managing IIS Bound Certificates (one that has declared the IISU capability) -WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.) -WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986) -SPN with Port | Typically False. Needed in some Kerberos configurations. -Server Username | Account to use when establishing the WinRM session to the Client Machine. Account needs to be an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store. If no account is specified, the security context of the Orchestrator service account will be used. -Server Password | Password to use when establishing the WinRM session to the Client Machine -Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting -Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. - -![](images/IISUAddCertStore.png) - -Click Save to save the settings for this Certificate Store -
-
-SQL Server Certificate Store - -In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. - -#### STORE CONFIGURATION -CONFIG ELEMENT |DESCRIPTION -----------------|--------------- -Category | Select SQL Server Bound Certificate or the customized certificate store display name from above. -Container | Optional container to associate certificate store with. -Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. -Store Path | Windows certificate store to manage. Fixed to "My". -Orchestrator | Select an approved orchestrator capable of managing SQL Server Bound Certificates. -WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.) -WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986) -SPN with Port | Typically False. Needed in some Kerberos configurations. -Server Username | Account to use when establishing the WinRM session to the Client Machine. Account needs to be an administrator or have been granted rights to manage IIS configuration and manipulate the local machine certificate store. If no account is specified, the security context of the Orchestrator service account will be used. -Server Password | Password to use when establishing the WinRM session to the Client Machine -Restart SQL Service After Cert Installed | For each instance the certificate is tied to, the service for that instance will be restarted after the certificate is successfully installed. -Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting -Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. - -![](images/SQLServerAddCertStore.png) - -Click Save to save the settings for this Certificate Store +
-
-WinCert Certificate Store -In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the settings defined below. - - -#### STORE CONFIGURATION -CONFIG ELEMENT |DESCRIPTION -----------------|--------------- -Category | Select Windows Certificate or the customized certificate store display name from above. -Container | Optional container to associate certificate store with. -Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. -Store Path | Windows certificate store to manage. Store must exist in the Local Machine store on the target server. -Orchestrator | Select an approved orchestrator capable of managing Windows Certificates (one that has declared the WinCert capability) -WinRm Protocol | Protocol to use when establishing the WinRM session. (Listener on Client Machine must be configured for selected protocol.) -WinRm Port | Port WinRM listener is configured for (HTTPS default is 5986) -SPN with Port | Typically False. Needed in some Kerberos configurations. -Server Username | Account to use when establishing the WinRM session to the Client Machine. Account needs to be an admin or have been granted rights to manipulate the local machine certificate store. If no account is specified, the security context of the Orchestrator service account will be used. -Server Password | Password to use when establishing the WinRM session to the Client Machine -Use SSL | Ignored for this certificate store type. Transport encryption is determined by the WinRM Protocol Setting -Inventory Schedule | The interval that the system will use to report on what certificates are currently in the store. - -![](images/WinCertAddCertStore.png) + + +## Installation + +1. **Download the latest Windows Certificate Universal Orchestrator extension from GitHub.** + + Navigate to the [Windows Certificate Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/iis-orchestrator/releases/latest). Refer to the compatibility matrix below to determine whether the `net6.0` or `net8.0` asset should be downloaded. Then, click the corresponding asset to download the zip archive. + | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `iis-orchestrator` .NET version to download | + | --------- | ----------- | ----------- | ----------- | + | Older than `11.0.0` | | | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Never` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | + | `11.6` _and_ newer | `net8.0` | | `net8.0` | + + Unzip the archive containing extension assemblies to a known location. + + > **Note** If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for `net6.0`. + +2. **Locate the Universal Orchestrator extensions directory.** + + * **Default on Windows** - `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions` + * **Default on Linux** - `/opt/keyfactor/orchestrator/extensions` + +3. **Create a new directory for the Windows Certificate Universal Orchestrator extension inside the extensions directory.** + + Create a new directory called `iis-orchestrator`. + > The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory. + +4. **Copy the contents of the downloaded and unzipped assemblies from __step 2__ to the `iis-orchestrator` directory.** + +5. **Restart the Universal Orchestrator service.** + + Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm). + + + +> The above installation steps can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). + + + +## Defining Certificate Stores + +The Windows Certificate Universal Orchestrator extension implements 3 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section. + +
Windows Certificate (WinCert) + + +* **Manually with the Command UI** + +
Create Certificate Stores manually in the UI + + 1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** + + Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. + + 2. **Add a Certificate Store.** + + Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. + | Attribute | Description | + | --------- | ----------- | + | Category | Select "Windows Certificate" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). | + | Store Path | Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store. | + | Orchestrator | Select an approved orchestrator capable of managing `WinCert` certificates. Specifically, one with the `WinCert` capability. | + | spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | + | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | + | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | + + + + +
+ +* **Using kfutil** + +
Create Certificate Stores with kfutil + + 1. **Generate a CSV template for the WinCert certificate store** + + ```shell + kfutil stores import generate-template --store-type-name WinCert --outpath WinCert.csv + ``` + 2. **Populate the generated CSV file** + + Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + | Attribute | Description | + | --------- | ----------- | + | Category | Select "Windows Certificate" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | Hostname of the Windows Server containing the certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). | + | Store Path | Windows certificate store path to manage. The store must exist in the Local Machine store on the target server, e.g., 'My' for the Personal Store or 'Root' for the Trusted Root Certification Authorities Store. | + | Orchestrator | Select an approved orchestrator capable of managing `WinCert` certificates. Specifically, one with the `WinCert` capability. | + | spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | + | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | + | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | + + + + + 3. **Import the CSV file to create the certificate stores** + + ```shell + kfutil stores import csv --store-type-name WinCert --file WinCert.csv + ``` +
+ +> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). +
+
IIS Bound Certificate (IISU) + + +* **Manually with the Command UI** + +
Create Certificate Stores manually in the UI + + 1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** + + Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. + + 2. **Add a Certificate Store.** + + Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. + | Attribute | Description | + | --------- | ----------- | + | Category | Select "IIS Bound Certificate" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | Hostname of the Windows Server containing the IIS certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). | + | Store Path | Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store. | + | Orchestrator | Select an approved orchestrator capable of managing `IISU` certificates. Specifically, one with the `IISU` capability. | + | spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | + | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | + | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | + + + + +
+ +* **Using kfutil** + +
Create Certificate Stores with kfutil + + 1. **Generate a CSV template for the IISU certificate store** + + ```shell + kfutil stores import generate-template --store-type-name IISU --outpath IISU.csv + ``` + 2. **Populate the generated CSV file** + + Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + | Attribute | Description | + | --------- | ----------- | + | Category | Select "IIS Bound Certificate" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | Hostname of the Windows Server containing the IIS certificate store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). | + | Store Path | Windows certificate store path to manage. Choose 'My' for the Personal store or 'WebHosting' for the Web Hosting store. | + | Orchestrator | Select an approved orchestrator capable of managing `IISU` certificates. Specifically, one with the `IISU` capability. | + | spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | + | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | + | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | + + + + + 3. **Import the CSV file to create the certificate stores** + + ```shell + kfutil stores import csv --store-type-name IISU --file IISU.csv + ``` +
+ +> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). -## Test Cases -
-IISU - -Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot -----|------------------------|------------------------------------|--------------|----------------|------------------------- -1 |New Cert Enrollment To New Binding With KFSecret Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from KFSecret|True|![](images/TestCase1Results.gif) -2 |New Cert Enrollment To Existing Binding|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|Existing Binding From Case 1 Updated with New Cert|True|![](images/TestCase2Results.gif) -3 |New Cert Enrollment To Existing Binding Enable SNI |**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Will Update Site In Case 2 to Have Sni Enabled|True|![](images/TestCase3Results.gif) -4 |New Cert Enrollment New IP Address|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding Created With New IP and New SNI on Same Port|True|![](images/TestCase4Results.gif) -5 |New Cert Enrollment New Host Name|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding Created With different host on Same Port and IP Address|True|![](images/TestCase5Results.gif) -6 |New Cert Enrollment Same Site New Port |**Site Name:** FirstSite
**Port:** 4443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|New Binding on different port will be created with new cert enrolled|True|![](images/TestCase6Results.gif) -7 |Remove Cert and Binding From Test Case 6|**Site Name:** FirstSite
**Port:** 4443
**IP Address:**`192.168.58.162`
**Host Name:** www.newhostname.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert and Binding From Test Case 6 Removed|True|![](images/TestCase7Results.gif) -8 |Renew Same Cert on 2 Different Sites|`SITE 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`SITE 2`
**First Site**
**Site Name:** SecondSite
**Port:** 443
**IP Address:**`*`
**Host Name:** cstiis04.cstpki.int
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both sites because it has the same thumbprint|True|![](images/TestCase8Site1.gif)![](images/TestCase8Site2.gif) -9 |Renew Same Cert on Same Site Same Binding Settings Different Hostname|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|![](images/TestCase9Binding1.gif)![](images/TestCase9Binding2.gif) -10 |Renew Single Cert on Same Site Same Binding Settings Different Hostname Different Certs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsitebinding2.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on only one binding because the other binding does not match thumbprint|True|![](images/TestCase10Binding1.gif)![](images/TestCase10Binding2.gif) -11 |Renew Same Cert on Same Site Same Binding Settings Different IPs|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.160`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|![](images/TestCase11Binding1.gif)![](images/TestCase11Binding2.gif) -12 |Renew Same Cert on Same Site Same Binding Settings Different Ports|`BINDING 1`
**Site Name:** FirstSite
**Port:** 443
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https
`BINDING 2`
**Site Name:** FirstSite
**Port:** 543
**IP Address:**`192.168.58.162`
**Host Name:** www.firstsitebinding1.com
**Sni Flag:** 1 - SNI Enabled
**Protocol:** https|Cert will be renewed on both bindings because it has the same thumbprint|True|![](images/TestCase12Binding1.gif)![](images/TestCase12Binding2.gif) -13 |ReEnrollment to Fortanix HSM|**Subject Name:** cn=www.mysite.com
**Port:** 433
**IP Address:**`*`
**Host Name:** mysite.command.local
**Site Name:**Default Web Site
**Sni Flag:** 0 - No SNI
**Protocol:** https
**Provider Name:** Fortanix KMS CNG Provider
**SAN:** dns=www.mysite.com&dns=mynewsite.com|Cert will be generated with keys stored in Fortanix HSM and the cert will be bound to the supplied site.|true|![](images/ReEnrollment1a.png)![](images/ReEnrollment1b.png) -14 |New Cert Enrollment To New Binding With Pam Creds|**Site Name:** FirstSite
**Port:** 443
**IP Address:**`*`
**Host Name:** www.firstsite.com
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Created with Enrollment Params specified creds pulled from Pam Provider|True|![](images/TestCase1Results.gif) -15 |New Cert Enrollment Default Site No HostName|**Site Name:** Default Web Site
**Port:** 443
**IP Address:**`*`
**Host Name:**
**Sni Flag:** 0 - No SNI
**Protocol:** https|New Binding Installed with no HostName|True|![](images/TestCase15Results.gif) -
-
-WinSql - -Case Number|Case Name|Enrollment Params|Expected Results|Passed|Screenshot -----|------------------------|------------------------------------|--------------|----------------|------------------------- -1 |New Cert Enrollment To Default Instance Leave Blank|**Instance Name:** |Cert will be Installed to default Instance, Service will be restarted for default instance|True|![](images/SQLTestCase1.gif) -2 |New Cert Enrollment To Default Instance MSSQLServer|**Instance Name:** MSSQLServer|Cert will be Installed to default Instance, Service will be restarted for default instance|True|![](images/SQLTestCase2.gif) -3 |New Cert Enrollment To Instance1|**Instance Name:** Instance1|Cert will be Installed to Instance1, Service will be restarted for Instance1|True|![](images/SQLTestCase3.gif) -4 |New Cert Enrollment To Instance1 and Default Instance|**Instance Name:** MSSQLServer,Instance1|Cert will be Installed to Default Instance and Instance1, Service will be restarted for Default Instance and Instance1|True|![](images/SQLTestCase4.gif) -5 |One Click Renew Cert Enrollment To Instance1 and Default Instance|N/A|Cert will be Renewed/Installed to Default Instance and Instance1, Service will be restarted for Default Instance and Instance1|True|![](images/SQLTestCase5.gif) -6 |Remove Cert From Instance1 and Default Instance|**Instance Name:** |Cert from TC5 will be Removed From Default Instance and Instance1|True|![](images/SQLTestCase6.gif) -7 |Inventory Different Certs Different Instance|N/A|2 Certs will be inventoried and each tied to its Instance|True|![](images/SQLTestCase7.gif) -8 |Inventory Same Cert Different Instance|N/A|2 Certs will be inventoried the cert will have a comma separated list of Instances|True|![](images/SQLTestCase8.gif) -9 |Inventory Against Machine Without SQL Server|N/A|Will fail with error saying it can't find SQL Server|True|![](images/SQLTestCase9.gif) - + +
WinSql (WinSql) + + +* **Manually with the Command UI** + +
Create Certificate Stores manually in the UI + + 1. **Navigate to the _Certificate Stores_ page in Keyfactor Command.** + + Log into Keyfactor Command, toggle the _Locations_ dropdown, and click _Certificate Stores_. + + 2. **Add a Certificate Store.** + + Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. + | Attribute | Description | + | --------- | ----------- | + | Category | Select "WinSql" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | Hostname of the Windows Server containing the SQL Server Certificate Store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). | + | Store Path | Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server. | + | Orchestrator | Select an approved orchestrator capable of managing `WinSql` certificates. Specifically, one with the `WinSql` capability. | + | spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | + | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | + | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | + | RestartService | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | + + + + +
+ +* **Using kfutil** + +
Create Certificate Stores with kfutil + + 1. **Generate a CSV template for the WinSql certificate store** + + ```shell + kfutil stores import generate-template --store-type-name WinSql --outpath WinSql.csv + ``` + 2. **Populate the generated CSV file** + + Open the CSV file, and reference the table below to populate parameters for each **Attribute**. + | Attribute | Description | + | --------- | ----------- | + | Category | Select "WinSql" or the customized certificate store name from the previous step. | + | Container | Optional container to associate certificate store with. | + | Client Machine | Hostname of the Windows Server containing the SQL Server Certificate Store to be managed. If this value is a hostname, a WinRM session will be established using the credentials specified in the Server Username and Server Password fields. For more information, see [Client Machine](#note-regarding-client-machine). | + | Store Path | Fixed string value 'My' indicating the Personal store on the Local Machine. This denotes the Windows certificate store to be managed for SQL Server. | + | Orchestrator | Select an approved orchestrator capable of managing `WinSql` certificates. Specifically, one with the `WinSql` capability. | + | spnwithport | Internally set the -IncludePortInSPN option when creating the remote PowerShell connection. Needed for some Kerberos configurations. | + | WinRM Protocol | Multiple choice value specifying the protocol (https or http) that the target server's WinRM listener is using. Example: 'https' to use secure communication. | + | WinRM Port | String value specifying the port number that the target server's WinRM listener is configured to use. Example: '5986' for HTTPS or '5985' for HTTP. | + | ServerUsername | Username used to log into the target server for establishing the WinRM session. Example: 'administrator' or 'domain\username'. | + | ServerPassword | Password corresponding to the Server Username used to log into the target server for establishing the WinRM session. Example: 'P@ssw0rd123'. | + | ServerUseSsl | Determine whether the server uses SSL or not (This field is automatically created) | + | RestartService | Boolean value (true or false) indicating whether to restart the SQL Server service after installing the certificate. Example: 'true' to enable service restart after installation. | + + + + + 3. **Import the CSV file to create the certificate stores** + + ```shell + kfutil stores import csv --store-type-name WinSql --file WinSql.csv + ``` +
+ +> The content in this section can be supplimented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). + +
-When creating cert store type manually, that store property names and entry parameter names are case sensitive +## Note Regarding Client Machine + +If running as an agent (accessing stores on the server where the Universal Orchestrator Services is installed ONLY), the Client Machine can be entered, OR you can bypass a WinRM connection and access the local file system directly by adding "|LocalMachine" to the end of your value for Client Machine, for example "1.1.1.1|LocalMachine". In this instance the value to the left of the pipe (|) is ignored. It is important to make sure the values for Client Machine and Store Path together are unique for each certificate store created, as Keyfactor Command requires the Store Type you select, along with Client Machine, and Store Path together must be unique. To ensure this, it is good practice to put the full DNS or IP Address to the left of the | character when setting up a certificate store that will be accessed without a WinRM connection. + +Here are the settings required for each Store Type previously configured. + + +## License + +Apache License 2.0, see [LICENSE](LICENSE). + +## Related Integrations + +See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). \ No newline at end of file diff --git a/integration-manifest.json b/integration-manifest.json index 01b0885..d161507 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -7,7 +7,7 @@ "release_dir": "IISU/bin/Release/net6.0", "update_catalog": true, "support_level": "kf-supported", - "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) “WinCert” which manages certificates in a Windows local machine store, and 2) “IISU” which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated “IIS” cert store type that ships with Keyfactor Command. The “IISU” extension also replaces the “IISBin” certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from “IIS Orchestrator” as it now supports certificates that are not in use by IIS.", + "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) \u201cWinCert\u201d which manages certificates in a Windows local machine store, and 2) \u201cIISU\u201d which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated \u201cIIS\u201d cert store type that ships with Keyfactor Command. The \u201cIISU\u201d extension also replaces the \u201cIISBin\u201d certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from \u201cIIS Orchestrator\u201d as it now supports certificates that are not in use by IIS.", "about": { "orchestrator": { "UOFramework": "10.1", @@ -491,4 +491,4 @@ ] } } -} +} \ No newline at end of file From 0931a80f770dafba6a80bbdb486e66342ec6e678 Mon Sep 17 00:00:00 2001 From: Hayden Roszell Date: Thu, 17 Oct 2024 12:54:48 -0700 Subject: [PATCH 15/26] chore(doctool): Generate screenshots Signed-off-by: Hayden Roszell --- .../images/IISU-advanced-store-type-dialog.png | Bin 0 -> 41689 bytes .../images/IISU-basic-store-type-dialog.png | Bin 0 -> 51521 bytes .../IISU-custom-fields-store-type-dialog.png | Bin 0 -> 40514 bytes .../IISU-entry-parameters-store-type-dialog.png | Bin 0 -> 43626 bytes .../WinCert-advanced-store-type-dialog.png | Bin 0 -> 41690 bytes .../images/WinCert-basic-store-type-dialog.png | Bin 0 -> 52676 bytes .../WinCert-custom-fields-store-type-dialog.png | Bin 0 -> 40514 bytes ...nCert-entry-parameters-store-type-dialog.png | Bin 0 -> 29793 bytes .../WinSql-advanced-store-type-dialog.png | Bin 0 -> 41690 bytes .../images/WinSql-basic-store-type-dialog.png | Bin 0 -> 51024 bytes .../WinSql-custom-fields-store-type-dialog.png | Bin 0 -> 44308 bytes ...inSql-entry-parameters-store-type-dialog.png | Bin 0 -> 32114 bytes 12 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 docsource/images/IISU-advanced-store-type-dialog.png create mode 100644 docsource/images/IISU-basic-store-type-dialog.png create mode 100644 docsource/images/IISU-custom-fields-store-type-dialog.png create mode 100644 docsource/images/IISU-entry-parameters-store-type-dialog.png create mode 100644 docsource/images/WinCert-advanced-store-type-dialog.png create mode 100644 docsource/images/WinCert-basic-store-type-dialog.png create mode 100644 docsource/images/WinCert-custom-fields-store-type-dialog.png create mode 100644 docsource/images/WinCert-entry-parameters-store-type-dialog.png create mode 100644 docsource/images/WinSql-advanced-store-type-dialog.png create mode 100644 docsource/images/WinSql-basic-store-type-dialog.png create mode 100644 docsource/images/WinSql-custom-fields-store-type-dialog.png create mode 100644 docsource/images/WinSql-entry-parameters-store-type-dialog.png diff --git a/docsource/images/IISU-advanced-store-type-dialog.png b/docsource/images/IISU-advanced-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..18402cb6431481c590d492a50e21bc528e047187 GIT binary patch literal 41689 zcmce;bySvX+c$^>Dj^7nfPh6vOE)Ur0@4lA-3=D0fJnD=ceiwdba!`m&2jsD@B7EB zHM8cO`PS^U_S&2KzPREzkNCxT;qzWn2>m|6eIz6#bP-{G86>2ef$(p^U1a#g58Fc) z3F#@42>;s;4$&Kv_BJ?j*Dbrpdi~DZH+~_-d-@-!Cy8KV-o|<{B7liW;(P=5ed8DJ zo0M{qzcqh85>3Key_b$DEc~q6JYt%}vEZR>>#z63?$g8U&XRV^-JLN7m2ng0)(RoP zHhdzYqJp^;A9ZzKe8YTq_gNz^JKKm(g3RpV;^*>m{FL5aOC}RV5_|jMb2Zjyh(mUf z#6(2q_ZAHznGC&szJ9H~E&T6uOO>sy95yzNpAjK`KH1q_mpK856Mj1((K0sX(|Y@i z?6~qd;seY%_keHz`5i5$dx8HxsyBG}+~eQjy)XIi|2tozh&Rr^?*xM|U;VqcA7syD z5WoNKvBbNie+Sb?{^vyA*Ot=K(yHZFizSOW>ecOw9bv}0F)76bIRCjdjc8u?Sb^`4 z;^i|V*saMvfBuXc`rXe@_v+%*fQcYQGDdWNsmr)%>iU=_P}$G_N0BN+zg4f1&2c41 zhzyR$#l&;O&xVKavwcVc1q zW^r-<)H6NOK7ot9%A7=M)Stmenul*{YXla>ZuFp0zKV-P2!0 z>r#38>-Y`pX6hJR1bq?ee9AJZpE=3MN;Tw7+r>K;a})DVhOC=v1IdkS+m4oX@d|Y2 z@A1Ue-1vmyO7MECocLq%^6b{UaN*D)ed)!t`G=u(+&Mb(!mV-Fi-NhlSzBWjRAfKX zmQTH=h7$!CDSB(?iXEIm4vS=QofCiJW5P1zu6Vx-GCG)`baq}Jm&idDRqJSJeNIn* zMc{}02lJ)5Xg$MKRuO@8k z{+^`|uCVR2IO_4#{75G8`epYbGpS0lC%vK9W%no-iOD^U*o^o{)lXzL(QrM2Rp&*1 zpa_Mp%(`v0+{NNYd6$YH4F!^Cbd`BSVY&UQ?5=E)!(_B{*iUclS$`kdQDc)jyo{#d zC3?=Ax)M7e0y*gLcQ9SnD}qs9TUS@tVRPtFoA1q}>a=skuLd(317Ig&$3R-N~8%qMo{}>_U0Y z*Hh?nCCTGrNo4MJ_&DZ_Dg7`scc78F=G*~=amnwuTIsKyRGD-O%hHCfjvG?E`dNv;_iEhjg9*{?3cmc2|{NfV-pjaZR$@7K?xKKddvIckvc`2 z@^Qqsz8Jd_y&7gzs&pXP4Q#7An8K{!o_JzUB6NTMyRf&|3zKntdH3>wnA+$R+hybv z6vv4}jzKa7DU_>13p8bkwq!>EX*PV~CNH||#Pv@pT-@tgPohnb-lzX*9(pKSh_ZeO zZDpnrX7&^kak)* zb^V)#IbJr7%!KO-dFfG#=S&98kR>B2VeK1MmrFHzMukL~^t<3j22j~bmz&W!o#Q6g$7I#D#JQcS?Etj3EO5Y+t|uRLe~`(Rg<7Gyw18l zLOL&vLlHeY@w>nJ&dtn{bp6#!mu1Hx>Zz9G{(DGhaRY%k z?rHWN)ZAv;%cB3Fq!{tq#zp88gGLHROe~f3tBd^Am+Lj7Qf_8gZlBH29#4jD-HO5< z8R>Y>^NcLyK}t?jecz9t_?K*s^pWN~6Wxu5u6NH5(eC9NB2kAIN8Bl7VYE~xA(PzX zYb?J#<*+A&9AMt_4bK^?V)r(x#AT|8P}2c z1DCaOi+N?_eLb@o&6PV1C6@(r^lE3UT0 z8TQi7l++caz2}3cG-NFhk!ow69MA78*D=!)P34h5%8(-$kS+`SSyvacJX(2(M*cwX z7Cl1}_9QY>s$9#N=g-VnL%Zv14K7@!w+iw6>pOZPtE zDxv!|immY1T9}@$_V{l1){$;I&Jtds*67?AEn&U|o?( zGXaCvNI~Fj!3R?m;k38jFr&Ve;rM&1rC3t&Mi!@gNpUN19GEngTJy2v6H6pMa?@3I zV`}24FNvA$`We?wz23UzZIvC7Y*lz)X;v};vj=Xz}xo5>2N0$ti#=&NkOp2dBi zmyJn#BZZS`*fY|LVe`BVZw%e5%VmdyFoQ&^pFW5z%@kW0U8laJ2sSnL-#c5@F&NH{ zpVbQ=Hyz%bFvM#)>1d;N*$=Z~wFn;4UGw6@-~FiHXZCToiBkpr?Unp`4f~t7>aXdl zn9G#cs~(2bCzO_2&>!5Cq%A>n$)ZVTEl{dGc)A`&yihDfqT5=A5rQlda({x0=&s3J z6C`^TgV8Igt~IgTXEc`kR`eXL6u$2|n_fQZocee-Aen`RvoS^2%i${f?GLAlsCe9} zftG%j$5&?k#XJ_vE!UE1gJic^juNb=o1cu^N0g;~e4@75etWHG!NlKFK!&dMD@)9} zj-L7+3y(chthLa52Q?iOgd-!%!;($v+-{<`Z{~lw$NJu9+8D9<@<2lsCHR|=Ij_F| zW@YCEeiYl^buKvQv-^u40#iU%-tM`a7=cY5%2yl@h2Du%Vy7HI7TpmuwpO;qXzc3v z+~7>tt8dW3pz%&YN9M$F^#+o<+cnmipNU^gHS=(8(r!zN>_wS{eT40bjZ^oN?^=fn zS`NduOUcK?@oK}K;o;$!wyPY3wVbUv8dnvjYRm%44|7v)k@egNujc!5(<5Hp5-d)XSVqn|u_4zFXks+JN@Oxv`dXdH z%qm;ZF~~@s_=$$kqwUnUj3i&i&lMium7|14 z?m(|CL%!5A!Qb4a%Hz6;7uqx4lo(X`w?yR@L1~(f0lSS|VP=ISKB+ASG`(j5rTQDz z+&hQ%iDmB_e0C^m+}sIysV5{Z^`>mrCX-ZM1-S-&V)>M3mbX2lQu+M+uVXB%is$2} z{6-EtG@`j4OUysAMZ5m7TIBS+M}2-}N|@L=htTb6>to6?!4lD)gEO+fsnDh1RGP$K zG&iw|71yzv-ZEWk_{uPf7@;+7OnG|%>ha$cV^?)IcZ#=lHITUr%Q*Qu{r7mBbh*ce zh;;gj+!nu-K$fA%3b6JDXRPFGMpn%01q~!oV{F!ZE6%=SS~1YlKJ)}Y#^IXt-yG*# z-9&!Na~cY0_9S?CArnomTLxS@aogQ__hNQ-EbGU*zaV$HgfnH+Ju5s5Q4(^q!xB2; z{~4#!n51ytXZptaiKRHuA9laAq`6W6oM|SK*^e?v?B}bux=#zR<)qP#~^f)Q%7F&S=NQuC%3%QP>Kp`l^eM`>T^^=?Sb$yuc~oTRXl zJI0AMe%o9ArMd_?CnE`?wJev*6U$?}KSRCuo%M~YTw-=19-XQZCLbR17#VSHfQ-`8)ExC3aoXOz(zJ!}C|InPrtXKP4BlH;~)uo#rT@wJ^==(L!_ms*mi} zhF$$HO|2O2Uyax1?QsYQy)4l0z#ls_XiZwZH2B+zLPdxO>k3aEdruY5CtxucTWnI2 zdTtR;RVQ1T>Zh7)L{2RAsj;YJMuS8o*POa~IVnm}PE4jMVK20>UTSpEi+6NU&Wv0M zBaI#3tslGE4!x3ByBTpJsxf9~=$)8JW9Kh#voadqmdlOyr+j`lDRuGvPnE{cfA=TE zyO(zHoF5KM3|m|&jVt|i78Zly*$!W+`bm_p+h3tR`<7PTzEz*Ik+V5wA@ocpbr9Q< z<@5YGZ9inwO+shFnr|C1CImzSl7 z!(A<(S5SQx^un%tR^;`Tj3P_-^|$uOM=cI`#V;)=%+yIgbMi1mK)Y{QGe7zjq;zUk zM8Its$SN$+p1{}hbfTK5L!6aa78_?n?7ROJ|AnnzR608;_ElvBE%A|VvtCx)Ztgug z4SkM7L)E3Y*MK?*qUr&99z1y{-k`^$dv%&uz(U8GlQcH)&9lp8t1@O)pZaK|%l zX0Ltn+!?tRd}~x$;3O1<68NmvmKG(?;D*+B4OeUtoP6%B{2)D#9Qw7ati268CpqKv zUxGQp8PT_9a2|7l6i$xunWe=)f!u*;#O}BB?VXtj&;fix#WmNBRw!qG_PEmoe0hFr z@%?6{5tX)H4hve`FB@heiTskWuWZIl1boJWD0Erb1txZaJRDt@r?$A&l2UepBHWW) zL>W&)g>&i3t1hqhjfJaZ9v&dtevXDDAuNR?`r(k#@QmBo0?;=-6UaO0bi5Eu2akuCW9LHCRNpFQ*-x21$$@O zIH{zkxq0osU26Snll|CDD~9wt0x%GB904D7^xHJNbi^utR!v}&54Q{PmW34i-2q0) zA6p|R9q4&c^?a`Y)u%kX@q0r}y4BQ1rwcF_{5{pX&xpkpa@Dh$-h`@`BX-u-PF&FVxy`pvd$5LtO+G?e$?@r zGNc_d{64C0=EWRcC)LtU?A?dCNsKyEcaiE!@PtQZ zyk@3y)F^jk-x>H(W8O8hKO!u;yxctA#*qlxs3_USD6Rr(>#&CZFodzN3UyO(W(rIf|Qq4zv(75I^V!b z=84zb5Ql(TnWVbi+X#-;!}}ulRvU%LWI?{ckQ|bWl|9}+8Rs1R8?T__regbp_qyy8 z0CE5AO7Ye#H&4?n|BcR@zjBi2*9-$LCf1f!RGR0;5ov06Y~)mg${~|Fnj_yEnaUT&;d1 z`6GS?ftydJgoMH00WUjlf`=7bFS9v@Qe~&fJclwmi&U>BTt9~rt?6tlK70wO9~2m> zLiTsP$m#z5_Gu*9ihv>lBByHN82Nzqq=lTd=Io1+lgqf%f~(neU3~?sNHgC-VaFUJ%`SAbIFR+@A;{m^ulip zxm1%-oVp%EqYABzB6+%|`uv_{y2A+@{#20TsK>_jCAB_A%WD@IA=QbEydsuV!|{rZ zQ76y1TJBGksV@${ToE5p@}_zxowa=iN6Z`YQAiOw%pCrV${ zZC>Itl@N^&6E7=YND$*+W4hfiThPPHGwsT^(m7Ka4exi=w64D{`;$Re@68b>yd6&i z`qc7SNL1Fj9xpt1=Al5UeAM3zK38=o^SkC!N=;);=b$_Bx_Xs17Wy+v<2~#ss;R!H zdvQQGg^Vbkq6eCNKWefR^SH{UN ze|L%ExNhYWOs)K-^8Vx*i@VhV$Xw4)qdTbo z3==?P)(@_Fd)22KrG+qvQ+jsf0bV9T_^scgb`yOkhtCm60xO6^IyW9g3E%O_l&jC> zcn_nN5gnPtx>t-&6U`WC0>n=S(LHR}2GWad32>hmGVZYv$nV{`et*1YUo+L-`A)*( z90`W4g@e@XUOa5aH2oK`v8VI^+ldGz_nK5{3EHJ%FX?U9D)Esqy?$9p*QT@f^AdFH z=U&(MRtI|4gahEl-v{izS;N0~*l9F4J<%6j)1WdxXV~+Lz1Dimz@^-hEQ3~ z!_2J~qkU7Ok-I&|_02GJC;wW0hPuG}62NSz-AR(T7gXsxoGaJ_oc^ zk;k2!?i(FTFem|kHftv_%obPY`FrZ>sIN3Rr@PUc#)iHeaevv#+!mbHGR-S0nCTyl zx_7=wtyLRC!??XLOhTF$XrCM=-bEv^dMPXhYNFC%6LG`qSC;~jGGCiZbT$gP(Izo7 zGGtSyB*F__o_8!=*FjKp-2%x!%JT|Jp0(^|XuA(D?bgcKdUogMF(k^RB0*;t_7+); zSNF@yO)^i12~>e@(i|Fx5w>bJ2Qcg)KoC)4d}8V5pQvPcAA42@F{`+9)Pr!-L7jR2 zTkn8m6gg_`huc$-Wv@x)OiZfgwly64m$N~40QCNQ1$Sd3JKr|T>4X3z(}MvM8)a^J zmPc%C4wy`G-u6X7#U%l*hIeQyJpm z8PUIfT~{~i$#G)~h6pX~z^~ZQucC4c7B&K`Z@>t^vOh(ZA6hy&t(=|F=5v$8g6oH? zgwL%gGfp$vo;Ww4oSbv<_r%OOxTi z<$P*_g$0$n-BoUx?(EwOCHB5o{QYW`*ItY&I7PAL@Pw&=VGluHyE^JHMS&FV>k%s? z1hw_h+!Q@4I)l5|FjLs9$pX(PDRcED*#vcYXRZu_Or{24o2mORnoXo!5+x^Wr$?-}l)_dyDmRjm zOL1R%8T)i+v3P_-aW}4~d4_OCIYoT6$3$5viqUwABFnVX$45LN?akMa;ybqMl?qO1 zzTb;f1H@h|3X&=NVE}eyl|s3=m?UnksfCi>sx3Ro#93G-!~<}DEDw-oy_WM&*!D&9 zzymJ^$|U3Rn&eW?*5Rdqj1Y}3EcgvdS%T-u>2JMJ{`wi?N3%IZBxT|wG&;{Zo}%@k z_sS>;?U{aoP{bSMM?x?fU(w0sre{sMl=!Bf`_EG&|Dn(LD=_fYe_4$}xx!-q%WV9Wot^z(#wFMP9^>+VdT0Na4(R{R6ZJb+*Pre$ zCl0Tp_n4ZRIeZ_vgWj7|RGH2tQ$(D07ITgF7#J8*JKuthh4tCX3q?{=vQ%v-LoV|!1_l`$TUq^T ze0;p3vT|Rceh`yF%GoJe4W0+$Sr`yS_7Xi)jX6f`&8+lw-vht9sy!@kS zw{sfTvjeT+95n-`NXia!QqtG%S1vL#GF#H<#)7%S)>jvf@>z;+-Q2FYmGos~9wLsO z`STfZ_Kgh_b(dX%NEXxfa_eQIq79uE|JQn*;mR3?gY^v!U>^F1Og#e$FU@Pa}@Jiy)b zO?X^!1b27#KXV0EBwjfse?fdtbNFE*@Tt_21SxSYT z0X%0b{$Y?%?eTnGMwu0*i`&~hXNT)l(MK&L?lX&vwmoZBxf5qKtj&{bEW8&xU*nsu z8-1{gjEDXI{(Ud#M8%UmvUuqO!8Ga@cJMD=LO-U8~o+#jN(H&d<$#$;_mZ;=N>g{rdHa4M%q@cZWCD z3k!Sumb$vnq++2zgMw}a-|o4Eg7G(BM+hp_0ZLjiU%QDL^%n}plc!8f!6C3!;pWRv zu*fPUCa-U|{``qqVlt{7?zY-Ts$68C<)GesTBy~49P4_dl%rND`27(Lo9!A7QWUFs z3Y2@=2TF)q!{=KlXdOxgAMeSgN-idcsn<_U#lqKCQ0|bZrfjrA{!hviO)n4nrO?AF zZ8?bcmwU+R=^>&`-|k_zwzj5O@Kme!K%95?_Z#4smt&p%p^h33yuI&|iHCoJWqJGd zt;l|!NMh#{v^d|_Q zrie$>Z;TdpP+MPLT^5;7$JW=^kLT2yj+c~GR$2qb9e2C>_U+paw1B;n`GEZi>mIqx ziz>(c$1Em~Aw%HV9^&FQg}>IxD=pO@${$SsUra)^hvb6oBs(jK0R+kv(0#lE0>H8rvfCKJa(8!s z{`~pLR^|3xbo9mc5US&k=VlXSb=@(XkQ)y+$4gVi!e}?9Yp4IpL`Fw}XRAGU^!;luEvS53$qXn(hi`xlRj)WE@WywiH*Lew?e|yLUI= zKYTeiHwPg=CYOxXgcu;=esEyZ*Vh-$YEDc>Mg|v(+u5;DRa5i%@nZp+S!XPF)YfFB z^~T8S64P-(0|N>~%H-w!M8%`s88gm(ZL{*;pNO*=abHeOXWXN4NU4%B^^=n^k}(`| zO0<-e8J%HPT3XNadt&dT9bBvqWfMX@G{6DdHRt{yVC2Dl3i>~3W9;GL`|ts$hv%Gn zveI7vcx&=a+v!mgp2lC;D|NIz9pLAOzByLh(ADLqR%ti8vZA<1x=P4umS?v)#t`ro zF9DJg?=xIP9K-@z>tG68O`k+3XOKJn{(UZU_}}c)BxTq z#o7F}jt-sesp>5C>PRV`({Ip5!Z=CrXq5Tk3C+iQq;rQ0ZP(>t!406gLgIKo&8n{a zjlY#!b7oZB?hYf1Yrm5b5pw8wi2BnB;BJP6XLmWFS1C1P-iWLFin2eXVjdV8+6;GV zFkQn9VbtAQXhS372!6)rxzoiut*NaoqkHPRraZU|a?xWdUS1Myo%s;wd+!NYOww$& zCX`ku$_usi^;4lxsNmUIgWn z1BkO>|Cd0oQL(6u%r7fQw?$Yj#PA4y`xW^WG;;aA{{9fd{*+fxfO1R(ehI_tA&{!N z2P?gZYwRt@xl_In^8cW%t=&FQnwR(fbTu_DSV7%UpxkjkC4s^h3Njcn=M~H>s56CN zTq=1AfDrQVxaj+)V?`nn47$F*LPPC_kJq8ogbZb?OqZwvb_hup3nPe)QD z!R3yK-O1S*LG1DNv<5zpi$erMgVzHE=y1O&MB7eTU_vw$!QiHXF~H1qjkpgoiO3I% zEr`!PAy9+EdUk2M$ydQdX(ZjQNM=t*TaK8y_4Q0hhT4gvqm|x7@ff()yLaz`0ccSA zCQxLnl*)TPAjyg5w9o0gv@gBbchx|E5BdA3sJL&~-LIyFGJ2zkV4{$?{D#w39gP`_ z3JVKI=*r1m#o1=BUEsaDtJB!5ChbqmnLZH~+Ik1|5hgLQq=N&Sp`jrfAGcxj(Onvd}+2nG5GftDH-N7lHWTb=IdGB7fVh>Irydi8Xaqm+xN z3AR@Wqg8`>`@xU4R{r?n^RF$;%dp1(=>6|;%Y-}St#1yWG%j>qk zBqO^?59J5r9stFkj*jn;_aWs)>XZ-w^=hXO$F9!K&Yfcb*7S^wiH`fgs!w+T{7w|o z62Cu!51^uZ7<^p=lSVO~C-Hy-@ z_GL4JyU)y8Iy*0}j(wO|SyP1qh*c}?{IasB<#SX;mb+s{^L0?-+|FJ> z*JcW4e*Ibtnx1Nz#pkp%iq5XCd-v|WD(wuVQ7M2`X&_B@7ARlzjD%+CtJf8Yg^Bs5 z)NJx(zlV3U+L@Kre5$dp?^kqm^nE&!cWrq>+)f9YJ+a&yQ`J%5@#y;E`A}d@$faTz z0)>dRfc=+L zgH#F(3es6oam=+{?Yr~4zEYN|;+tCFS}ZRTkRa;e)Lp34fozpyN!B`pnwpxC(b0Up zE&@b9c_1L|u;0bn5wZ=q5_)c~jiVnS>k<@T%J1KwAZwz*N-DJ9o~kUrcidTKIq&V~ zM+!I&wB5)s4Y%_4y<5m=nmaRfXar2&&3=T0>bYzCsn453b46jihBN4jmg`i*{VKmQ z?>wdZhB=4;CpI=r5afB-8VoBK0r>YPv`!e5-T*H}L_|EVz5>AXJOygd1sGi1&5h^k z>gqNMN|>P>)nKi=I}9qtGK*(WIEZCSjdP1kN=mA%P`h*I&NnZw{vtzJe-d7GvLArC z{9vb~1?0MmtE-5xuqNQ4i89Nt3kx4Hp0H`&eFsQ_$*}J>IXOA>#5Wce^l$)U5$4st z|LPh@MDcEyXTSgp0Ovh?_)u6x1Zo9cwaOt77XKj;k%W^I2M-U=$oRN5z*hh#dBw$~ z6cpZ&v)BX#qJXF^EiIu#FUL+Q&d<#J0f>qSb_8TM;`t$`vsBA}v6znS9F3db`U~uq z#biX&fV=w8e>0<-1Qit(0fFHnN=iyU2$+3I+%I}9WMu%`@m`(003d$AJ*rN@u7^!7 zxiD!zy*N|%6}A$&xNretG4r^7ivEP{=i&OW^+GEaxTT!-TOZ-^kPM2I)g5N7$& z5h8I7hEY=hI31cgBG4aT({Qu%CL+R^#0QOi1)wFL_TF zf^61@{Ghuc(ZdF_s;a8I{QP(rl`fZu!*4{yB2!bzVOm3vMTW~?oyUePX z?hH^a*xP(pOib+J;(~&L;!j=OY>t@%P~l3uO>Ia($dCE$ZF2`3z{mgu3(co_xVX6; z7ef?IHVS)o_V()g`-8&NozgoCqGMuK$4lv;5&*Xo!avm1)GGjDv9PeJcIr{N;L0|D zf5sZzV0i9boo{2~;R!*Ypuf!kdLW~t3jiLs1Au22zC>(6hQviI$@_^9*Q*F4B%&~Cg75U>emD}cS`o}K{vY1c4(M!lUu1&tf@hJ7z{G-~~W zg0TGvnCpj!hw0trmZbncBluNQlZWm45dOQ5VCo{eD44yl&((`O)*+$3LJntxs&c}8 zeX(m?3CaTKR}!Eym;p1}+X14<8T3^FM4X|Biva-EHZwC@*?QkTJ{|>0Ot97McD9-d zz{|RLT}HOFW?PIzt~fgMY&k!@69IH3B{6cV_C%8>@0pcuXP#Z8`|aVzU?=Me`4Kch z0`dzB-<6k_M^wOU{T;p-6tu^GAWJ{PoPrFmG(C0C*g~Ma4`GxnEb6<*wf12v8C0aC zcOd8{CMN9?9o^l6iM=y(b5`Svz*(UQI7lh0T3J~EN&C~*mOkNr;+tTxza#;PW@&BR zFfb4dLQv4pp9qSkuC9*r=n*gl?KEREGg_#Uva+(^Q<={8_UDw8_hn^etE#Je4VVBo zYint}RaPc=^ym@%kRX$e)?s05%lv~}NmW(c#Dp4tbs$|9MM_Gl0Z$2}Ct%l5_cGAP z87@V|mMb0i$%u)GA*8>14PZTLQ!ih{e;i5t@dFKVtV2Q;T*yX#xER$1L+-{!@2btm zj~|0qiGL3o!Fvz&9Ubej=JVOUzP`{x>c+<_#p8y3;RyH|o{5T8BDFs-IQUy?>ay!3 zv5uUL$<->{4S*NVlamtyd(JdysVwaZ0-yt3p4m=JOtgEvO8 zy86jq{WjJdB|t^}ey--{PAarndp?0RH{IUXexFM0R2Apl06l++*<=D-?32+AwA$&A ze{Xj<%(PuasTNPo`Eaa*b@BXT1LkM<9JCAO3sB z>hLuwlhxSy@ZVu`#A%12tv%Bd^_`~yQzglk$D#c$S4)q0PG2SUF(~AyKI7s7sPhCQ zQpjLzJ3G5#wM8SPLOpbl^kOT^%X>>qRiOL&sSg2LXzl1o1in>DQ>okWXm4+iGI|J5 z9w;O_2WS6Y(lN>yQhCnUx1V8~UeS{$|1oJapV)Rb{R+qYCIzVDw8O|jEu$untqfxPPtjnGV2u|S~wvmdk8%jE#==mRsus#l8IpqT+CMy1Y78O!Y$WhbHI&NZ&j>@-^#j%E-z(?zNGF zymI?Dgcc+udKh4!LNox(^BWTaY!2Zr0AY$DH&><9AAmi6$?5U5yFSoX#>SSd4jsr;$SnXycJtOPXxG#lHPO+}j%nSDam5MtK925Ca3l z-n3rs&bA{$WWetAuo~eUisn%x?xMPE`iCbSCl@9AkV;{oA|L?7mpiD6d73v6z#Eq1 z_MJO7{=&{17z=FnTTejM_}Ju&JCLhELQ#&!1*ig$D*zXynZy7dhR#aB{ltz7SQWPG z$OxXYGMI@sJ3D(D8ChO26~v;)LPA17Gk_O1!dj%pI^8c;?gF6S2AtN%*Ea!fGYb|Q zh|t;bwiI9@1R4R2%2W4nV>BpVr{(6%=4Kc0E}!q;5nOL@vKkR661S7jP+&lR5ya>Q z&=Ifr&T;cv36Kbp=xR=$2XG%f2C$5SgJW@aUH`s$Z-*)*I{HUQNXWA{H{s#n z^{FO6tZ2{rpg8EcSy)10T@lJpgKCiI=jT)w5tBc@9M6IKP!{2NbRyQzG^tz+lpgizjYu^qH4fPZ| zB_nfZWjQ}NnORwB1zjSqqy$+L>SHmK5UdCg{I}C2|MN_<@JyV^!|Ua4mld;pxgH*O zpdM$S=E*oXDpb7>j*nA;kU_VaU0+B21E~HLVBn^vIH4y3TK^iXrO=jK2gvQp+CdA z<6_(yDAbpla@m&vYV_j%{rhOSlTN3l6$l#+nr;NW)=ii;4Q*}r7#SHG3gBbk#KadM zEiz1OSf_pfxn&v1CxX=>#3P{mp;X&YIpC)tWW&VRRDeH*5faIn=6M-z+5eCY^vsKe3HR(dqqnN9WQ?Z z;jw`y>d|jx1nFWjR^(G`JWOyTZE5+s+WA-yJOB`K0%K$Szke6=c*f4k8kUfdAWC=n z&p{9N{az~ycI9R%ztf=QY(N_O#*|fLxR?lT=qhJ|Z3wTu1JyqcKxvkrMRD+fl`E71 zwq#6BPNq3h>VO+urnMM1U}T$((i$9$gF(X636rHKGq*+VLuxt2hTH=+$zEZ{-1o z`jAn3E-|E+*$t=y(I3G&J_K&$HP3Q%PkE`=cDH`HqvP${ zw+C9;#Lm-m#<^)fB_uqD6(21%Cz-6Uy_Ms&)Timd$TD7AYYo#?7q~E!$;eO8Mr3N; zE{%wNbV6y>+Ig=}rQoAx?&FCDQ1=|c6;UiTBLcywbU+U@bE6Gw94xGKL+04uR}sqZ z#N74$qeLmH^fL4ONqd?Dtx0dQS}pxu_2olIxFC33fx@AEy0?gs&=L3_wxh_tfBy%8 zo50zFSNx$S&ad$C@x`N9{J`-A-%-TMiUA3fK2S+KK*sW!Zwb(0hyaE4KHLSuW`ppK zjXwsx7X%W0$R@y2^mZGHS9@W#nBW@1P#P^Z4s)Ge%d(hU0rdzTGf&x;klBb|R8+Kh zdG*idTjAnl7(^V6K&U`rLz<~Rp3;FfFV{T|NZ(=3huquSdj{B7(~t);u15RHK?DZt8##RnrD(Gsxd3U7O2IE7$44@l~ifM@F3+I+zCWPtPq`wjh5leQLw4(z)dE5Iy|-QN?JaEDPDhb;in+Qu z+gN?0JGwp1>CU=pi64eN`~0H%uG$!EHqhRkYdRW+C2nhP*M@TAy1v*)SS$c~f+8Z? zz_@CGLhJ&J2f@T^YHC6((9z~NHVH`&Y%K_9vwY6Z&R(_GPUYa>fbiTw3p}QGJ+nbT z--RHl$BcStKoSw2;c$z?)|1uMRcfVz+pu>7FpHO$7s~oj_WYFdwk}{O1kIJpl-~us z^D8b+W7Bc(;2`UWQdU#*DTq-RU9uol0Rn#xiZl2d2zzO6ejcCUqj2&*^3F2vbwpks zJ&0qV*e?Qq8stfdbB`422e>`~O#Wwjditscx+=KT{b1j0)n2;+?ll0e z2&;mtKCOWNy-9}l;KLG--Vo%0_NDXzP*NMf=J*35Hp15j&mg2*1;n@W<8A#$Z!8CA zXM|q>eI&zGoY_$o&^^MQ2L!u?zkl)$Og|!m@1Uw8f4u=BB}feIA>iqf!2NB3 z)(>2@L(RPmG5~Qf%xc7jGPuf1a`LcB^}fl;%aqj1TQ_g608yf)rA3JFU_Ra40YJ{E z`3H%^c8!0&*$@#AZb3Fa^pdRlYnh7OSwK9I2+cbn?Gen$$F#~adX9#(X~c=(`m9XlCvDy7|zuwKI`b{Xwc3_g4n{o(2I>>c4g{E z&JK_1HQ$uu7WA!Cn^#Ts!6peHu11HhoL|0vMa;IL3^hGHvTWtzjJzz4{ST_DKfJtz zA_(OuBTIoafXQgKe%2q!LHkLF*zp_h<*F1k_lZ8gSN@>qHW?L%j_T1rhQEwb)Pwy8 zlD=be9Cjihpde6V7)wW+EK%8=hZ)IcRT#sgqxevF=U~#Yeqzvhb;G37vvuWoH? zi-%GHGnj;zm)GquQv>VqV_{&oq@<(>hd7qoSteJVdkpk1z3Vx?%hAYiJ;tMK)u$} zOSv3yvmIQpEH)hvg?!g$h-im)l}ikn4tttRSX7cT&AYq1VIBmRkERU3tx(X?E`bLP z*e+~65hy+MedS^!fsY?ws#VxLqo>d7Y-jou5byvniVoP$N5&69hl+rgJE-Kd(yTCu z9cFG^?FP7mydw$b5X_t9n)5BH!UWYb?#VLC7r@1V|K&L!ZyCAw2=Mb8@%iQQpE+~x z&OLqMu4?TU5>Vb-T^wJ(%+Hg*L_qhzwr+TT$h}+-oPLBi4_gE0fmuWFXjDoX!LsS*_aHMnJ}H70#f!0RNFAh_0~PY>#HQhAlairE7*PQTS{Y zPod!eYR@1M~v}QbU{!8?l3~_G~b>{g4p=9+ZZ|YI4}da5wCx_zD{h z6i&;2BOH3z^680&{{?0OjdGFZ(Z=ZF+T@8VGGY#|3}uf?)Got@tm5P$w|u=8X)5a> zjq9e!8NqIwvW|%Delg)T>RCTFDhO`8)On<%NkEf!d|BCJ5|TJ8UAQ|3C#R_cl0h)i zWdY`JUVT~tc>^JTB_t*yHZH=SE<*e*qs~ro1Xc%?(a2Ocy}*%*lCs`}r5~oPirKj& zQP`+SbANwfdry}MOBiP}LY#y>7C&KkjV4Rf?%`p!jeAsAGxS)*{|_C{L%^ZeaUQ5a z%m~1(Wp%wRt^0r>cMH+t7wiVt=!SwTqV;t|-eGx3hRrN)@vDFK>#pnm;k9-VHdbRweANZzMiA^5Jr4$8U8K_@im+HGa2}r|H=R6Uthq((ahSE1boI8 zWEZ-zK?RIKtN78dT^QmnYAHY^Hm9R=xpXP76tD)(%BYwZFHvmMvz3HS&*H*?AvTuy zF&gsP>B-DSR+ALmaA4#I8JRDG%Js>e)L;OM83?Pu#85T9#P{B=b0guH*Xo`_KX=Ew0y^p<~0X%tB@rUW&>6rrGt}$ z<<^EHt=`8WWfErM=VGFwSJ$sh?jT|nSTVP_*w&j!o7YnU(hR%rIBEGP)?v|ANxV$hRInF$(2`-=D*Z7nuTsR{Z3O*Wg z=hB3-VP!L4(x7ry%L(F^FK)AOat@C%R)icOmgN8MCHp@o3_OjW;4PQ}%#&G&+hc3h zqpCAt8v6H~)zwvb%DDehYb|n6`A2D~f?sKr#{2jC&-#XY!hZdli!_t}msl_e-+e`{ zVV=tQ-kZF{w=hW)859+!(BJhhJ-=G*?-}$~Ir^2td(ME8I5;`62>L>~zJEcar?6UE z;ew^P0cUiyQR<~~IcKFvQ1gWCuv&Q6(wKod;`|vFgC;4C`;`V0WzyM)(wwF1NN?@$ z%&e`|!-^ria|4TJO?t?p)cZbg#(|en*|#%`!{_E6TJ7iLz8TW{^i3Hp5J`f7HNoVOtT8aQl*OsCSv^`?Y#w5mFwCrJZ+bSg@Fhv7=$2F(k2K7N|zui zAuZilh)O9bB4E&+(x4(CDIg^&DcvP?uE(|ZIs5z0x5r-RKmR!6ALBoJ?6t<;f^)v} zeV^xkuKS96va_?(a2tGBILcr5ooV2>U9CCs+$ZbQEZ4r;c#XVn(cZTvCBK)$|Dg@` zpPyC%)^%Ko=VRsZy;>gZatihq{)avbPU$`ptjXlb_`S-Nb`OqD1nG+h5#ANimYWgPDMBWU12j#h)Ygv`Ja;{fUd2c-a13WNR=ky7aR zApG!|{@e`7|1CWA4<9|MRhT2TPk5boZFoeZD~*Q}e5huocOZ?sb#%g+3X|TJ;Vld5 zchX@@U#qMVp@qruMX(Spzv)^OT!4UGf|ke7b|=<>haeo-+l2-265t5VmC;^Y1q01Y znW23i`b}6YJNn~tkr&`VBND7Mw-aq66f5}YnQa{)l`YN`ij2X{pH%C13KxSaJtNWS z*Xb;~x=1SKJ9pHCDenjH9zn7rnKf`yF&;R8pX|7v zqBN*MtRf&~U=kWfF9r*xCOiBlbg-hU<9uaRh=1KwPmBh4?)<< z7jB}bfg}B!OV%qP)@3jx}fnao}!} z90mpgqO*9H9fw!tH10f4{*3GP);&CW&C0-dheN6k7HKSj^PrF6P6gIxx;?!urUu?Jz@k4LF3 zJcZc|3Sl8`&mD7fqFHQV5FK%Mn128hXubW*Ux7A5Z=fRLuY7Oi)%jLruQVr0#`vLi zr;rW-g4FVOBx2xHBMQyx2lqfLaN5sXg5FrGLY1tUt(pb_4x^C;0s@w+`_0e^*_?mgwy1k>9mB3bIB-X@XaA zQPFFV85%?FIitf4GkNrAyl&M-D-u^;>wGt_%Wlrli+jkkN_{JLrZZ-2baX!><3q>@ z;BsCa*T6@Dt7)`|!M#bU5$lK@&-Y@W;H=M-2-;7WeLrev37dWV`0;Z=!Eu`@J%~c- zNNTKIyY`4lN13ZZmd}{EBcc@WyI)UgC|+46)zZ=;I5&_)SXWvhYp*(08&@>boao_c z_7H+-{`dl;Vf3;WP-h5(fqjP-8L6XuggS`YJvud|IWzKul9rL-0lEim)R(fd?Aw_T zJPrv92L=Z-qC6xhuoBt|*tylT)x%@!A<4i}vP|GQ18dX{Y6r~Pz1Oez5oq6bZ_P2k zi-hMxOLPU&Fzkvt4!0zG`+6ZrqHScFZrOseM;a!i0mxKQ93EEK8UtN$QgNs`EO7Jq zyTT;+HT>#3|JX!w;LC^sKV>#@{g`;No;Swg*XLD32Gzk;V^D`jQ6k}b_=sQLg+_$5 zGx(D(81xEDO4g^@_cfw6K#E0>!0@{vT24}z;_+{aVfwrdxOXn_;GiN;iLe=@o6f?{k5n!!{Q0@x#aSrvDkJ{LMZjGsekvN!_OIB@J4l z$B&y%(NDITD9^RZJ8?Gur%#3 zOMnT^j}tai14kzvx=VKhtr*;H?UN7}C-x#@|F6#|l*1d8=CY9)uMy@|p+}(-W9fh{}>P)4m=l zr&C~j72~hp%TwRpmN}dQ77*4}+AZ|-k}!9Sj*e>FpL1pT1dikltPLsro5-`BO^azQ zkBtQ@v5fGCIEE~m&35A4Tl3-8@lp7Yj>FB;X5BX5*t!Vl!l{sB%Lmvy(3t8D9+C*V zk2dXn3KxmDMuWLCQZ8`@gQK>I}`_E@FpyHKtLIY?zL1@ z?7Y)EoE^dG%Ec(<<9F-RO%9Vov7|--&MOKKY!^t+TS$N1($XT*I*8%NU^4*1GJ5B+ z;)>Yw_9{NvuyJDu@(eDtd>+KfjlXsWer-y$91BjdsSHFl!A?;CN1^#^U|ZP&NfP&b znLn?*BJtXw-u|&}T{}2yb%0nhZ3Z`gh0#zGA1pS+&xKsts_Tfh;Yb`MNidwLgcf&m zLrdeu=LQoeDhVhR<&eUc-rna33B3Tj%a@9Z!yFvXfjSofvIvyz=z`s~7Wj*;{ht}@T%ZtQ1IB%)z}Epb08t%F*sUAzzPN>jt*yDG3W(7yGw3aN z4OcVK^GLK1Rvt^lA311TaTc~?VP|H}T`HtQx&gufj@e|8jW{$r1_v);6&012$HupU z>B6zH;w19C;+HRXgYEWqtHy!wmw5AAiK3+~MI%Bn;1?kqw&af3aQW2q^kHO0xOHm* zSU>Z&+ID9n&72K6c4we#B1)?uPQj} z*BPEn=TPwR^73M#+PF~zmW3v$HPP2HeGu{XjWUV4X<=*}X*5^)4u^#JemMRRHuQn{ zd|6%G^XO6>a^s}2DXgC9p1kSaCfDB;r

-O$p!ys);G%376pg+VbG!7 z$Kj3G_AZzZar4;Zr?Ggn$a;sR1%R8#g8*Q-gbh%gfFemMt?gIuaFz5Vw3g3c<>J&t zNNpn`8);&Ujo-rZ;a_Hc;bvShTEc-kF1OvBk07xf)Bn!3xHz4QLzAVchgglZEAK;r zF=@4%u8fprX|p~STmFw7nx4=NjLyA=imo%Ekd6VVy}LhuYSUT&+`nP<3Lp*Cg|*-{ ze>2-^Ne!it5kZg=oCg@)l&tqBMe9iH=OFL{t^1fDH^}^`C%Oup*HAQXVeMzlcKdS~ zH0=T*kMNjk?BW9|;Ubo}tWTh+iMNjeq3Z_9Cl)YyYXZ4|-*4AO?;aW&qJS57#FGU6 z7DKxOb^QaX+T2j4J0ATw5QisZG+F+sCEJJ3l1yr5TlIL7^c#6_PedUa+1a2(%_8%P zNLYMO;8MjbVy{|g69IMs7$i`9nOIpn{S9-{|0-J#s(Y)o^gvFhF$6T|@vy1oT*PwY zpegB=Pik-p3)AwGPKRrL9c-ujz*v9KWseT%n7u$8tUJ?QR!qaCeI@2jbA2jwBe?!+zQ;`zyn0$7bM@{@ zxU{0=1Zwu$=tt;X-s|_f?967oV|niO3(IbFY%KEFbvfBXSp3ePSSA1A1vrrM?y}s0 zy)|G?m6?&H-}3ysnHc>j*&_!;sQxA-`J2pYy<~f85@#uokFDzG=bQ&EZB9J*H+&}@ z&*{+De?K=>`Wn^n;R-z-&lfL>U=ACZnD~4n;VafINy!1?U89P-eA@uEQ^)Ba4=X%r zncmXJV%dHSQYQJsFvnWGE9DU$H)CVN7tK!wq zpf@5rTvHQfwjIP3it=`iD(SNJ@0VBY^GoVfW;NS$Aa&`wM)l&2mfgJt?(+Hr{IV`g zg`#)kwlyp7(N?N>A`+WkFid}J^Onecvq5fjLdAIbU5I3cm?7kH27u@^)?bJjic3R7 z1NL|O!2EdHr#GS9qWBcW%p0GZ`RqDg%A?w--4*cM;Pc+(twPf@aj`5n%EIJSugRaC z(5e%M2U z2VnDQwD0@Igkc6w0|8l_him!1YOlIurR=RP+}Vf!t1fKb7n|F>qUexNUT~j zsX5D-8pkl9q&B)@nn$qC?5b5}I}i9C+Ro9tg`r``9z(t48!0{uV&9Z*-TZinCB04$ z53b1LVdBTo;NX>a0|YEU``mJ<`4;K%@p>D0nz!)uZ5otEr_Zp^dhy1M1K=#8<(g5h zJUl##^&L7~d66Ss3xc2t<&!^c#GqAcs~!_i{Br5~*!0l~3HJ$W(A`}CZ*K9@LhI5p;@GgB z8u)_RWC=oNS$*>DZ3KXYhd(Cg9!}g9n*m4R+=ZuiA7}_vHuVGr0E>iaS%4v=EODpv zT3eBhA308(nCsyvV8F+$uUDY68Q^dcWk4fTc>S2s%!oQ<@qA!3(!DAV&I*`xZ=ez! zIhoSOqx0=CQm%mZ88Q;_z_~zi978p;ejX4mAT>EAi{iMArPVqLF*DM zGH7X3B-H4q75EXQ7-sz{IL?7v2`qP_qA$P&!Zl26=yUTHkfTY`5Rn%6JIV|l=9B@* z6yEFYMhmd)I)t|QA5;$EQ?}nanp!D&9xKNfCYboX{b725MuHnqcp$DyHV+sX$nz`#=(mfu!#%GIc`TAWLk1X@$4hL|o;7c}0d zXJ$6C|1l#8*+?VS+2!d|GN%G=9@LonObd1#=D3 zq87aij)zK&tvYWmHfT(=IDYC3$#gz44)gNe?f_Fw^N^^A%@F$a|yn7$k|dWBz3|G``po zxLA$%if|l7b~(Vcj42v1pN_+;jAt9KzzUKa_ZR7ZOUEB&m6>lJ{An7IYequ=2ZOAp zGPVido%XZoZAt*lsjc=Uu z;C8d|-G_}qd+wr5CL3TB?jv;`e<;lF-P7MzV2-IrK)|(Li)Go;Z#L|^&Bf1gu;6j3|2D(Vio2Km$LfUTLJ@?hbtz$5bVv zf6ojQjT8MN^Od8!+A$*&rN%vU~-wKU5)yPs3|) z5pcaEdb>cMc~7?}-sT{nK0eNJZ--D+Gk|_fnZeNBWzhGbM-{cW#l^)f90&KeVUB4a zQf6|Yw>gs+tq|a~G-euMbV!t07FITQNV!4u=(Kq|kl12cHw_ED$vYd}GmaHcY;Tlt ztJ3w|kJFkQR<(ny@H^EzXy~wBMMPilR?#zw{$Z4T%*p_1D~_9jri@uY&cT69qs7?< zf-6(T=C)XXFyXegQ(e+iYkuPU!nC~+W#ZP~K_k@hPVmi8|b#R0UDhKnScK4~U#pj5a0 z3YfRDvf3oV6B#*Nfz_z}_4UV!?){_S7^Kpd*)R3wWaKwA4Hg*G_IG z4T&pT@KziG{~z#{9Qo7SauXEoU(MUDca^XIbila%n?5Zb?wUXQi_~1KE`?<6EuiYU z`a(lOI6yC;PUS5SO#^h2)ASxL?af4lBy-3vzBqPoCx(0Y6d1h&GxpmpI)~%4sC8*^ zx={zBm}cp9lo&t*PVKMzD1h!@CNH^8?#J60zr)+YRze|UBN=D_fJ^2QfqC+YYWxQz zhtYlkq@i4#>fney-jY(U$3r4_Fkgd9C^+i+L)6>xE1Hi+ooNy8a>L%Bf53k3@9sFo z&NFoc43y^QuewWSGl(pWi$Fc20V9g73z}gg#H$~Y4!^d+I*SDpuUp54LbFbV>J}N! zL1a|0SFG1EykODpfFuYDuoxMR450;EfjDIej|z(FzEQR-y;U^RF-0}Cu z3EkM;z4`+-J=k(4aG_0za6=vQ!(qUI)p>jppYIX^MV1IV(!TUW@73b4WCx554OSCv zFmZSw*GT)|;|F3#z!WtyX^xDoB9pJ$;r%>(^r$PavI#ui#)F}up~h1Kiu~Z0HIzwu z0dzTzTeNQEUV|_O25ElN0aE|Dnva0>rCXRw0rxT)CrHjF96mQwlwiMNhjpy<72md~ z8VU4z;L6p3b5zodmZi~k!()sIk4H(th0aR+xg?T_s@X7Yi2Dkrg^*#m#g#dBHV}+R zii%j?4<8Qul#pLoI1VPt8^8Xeqhp1N$VL%#vFJ?lfzx{tV8w3+qp5(YXtc{$Z8?fL zk!wjulWy+m>FLL7sOncoZ0221U`m5Tf*j^M=;6;8huN6&Ux8**%Hn*F$hI9jL}5n9 zNPt)TW|1nnAiWXAVs0$1sOZ7_5Z5BX*g#N5$SF1oyRu`Uia1zsoxSXL+!5Vnyg@TR zaV3N6TL$g24Niyxcw<%TN=lp|4!^+jS{`pTu8A3A4?kXi4e&vx_ksOo-Ld|V=N}I~ z-UTj#e+Hg6JYAg1T>9U=$WSui>uu2CpsO&`HsV2Im_P?4`zd`mFGFxAaKesb%p7jy z8H5L*i?v(i&IK%(+M+cEpLPI7PnAqe!9ZF!r8Ek+eQFE^nv4%ShE>p47w7)vR-!M; zU0Z*@GXi$#xDPQfJOGZsn6nB*)rid!!(fmkZZaKW(a{An0<=(xU>u<5EDmU!YIBsl zvu&G#%2iVh0?tgnd-u+Y1PPFGK=TTzffBFRa2!CK7*^11#u=$;_4Loy-$@tRCcm6PTcvV%8LdFtq3Tx!6+NIwd>X$z#jmGwxG4evGRD4qc3H&31U(k}(PyabggUMXhk7`X^3zolQ^MHxG` zZk4J#6TSr`HqHL0B@O#A-ddbfkBcPT|Mv{2=j~73`|A}7@_)Yl>*(j8*(l=L zTF&EN25Xfu6j-#HK!0%RJq5f+!24QV-rSe!d094wuxID|t53YJ^|o$dQz<*zzGyz_ zcPyT7aZ;t<+LByr$}41%Z|XKAo(tI6hTJ!983)V+P~V9=9u{>haZCU`4JiQ1SzOZS z!nfOt%+tM#7fO{(p8C13u8#CuvscM-+)jxtjJ=by=Ye$T-sVU40f1A-P?{E_f&=+3 zrhZ(;CRYZy%JKHzjjCYfa4e-E$?G`h=;Y*yX2f6)fhr`R zyw2QAqfQlYAOmR$8wg7PQD>JH7Zjn+0=d-CNZd!6eHBI2J+s{~E7887rm>H#?9$wNH9l8tegs>=-SDno4dk_9Lt( zBx_XPPevpWs}LkSPz@B)oTK>R$KHP^W2ciUe;0F*aYmn&k&*GEPK8!OCNe{vMfLCk_ay4%vxh@m6lT@iel58(nh1_u9kF-Ur z;pWV`mPN?_WRxM%JUKYFq~*NK#BwK7sc}gUnCCK#yVgPCJb)WcIAan!OBGZ@c}RU* zei}gkKk$-{8vmTb!;tNRWR@tSh4GwGkNe1dAx!9AqjT`+;4g`AWGMks1jmXPFs37|I0sk}r^yhE#l@u@KQfC8 z*cAZfXKStqRy|8~AuftI5a9$X0JRAMtg(c6a3FpI?Bs)ZA+AYPsQG6hU+~#Xv6A`G z2s&aFeNv^vz;=+G0CJcb>*wO)qEoh}X>tDVvZi^>Pl?d7K-pT|mZAp?TBV&z#cC_8F%$OxbvpI< zi4!j{MpLH-!!(0I@>7#l8&?`-nqO8k*;+v{#cVV^9{DJC2v|^KXOj(w9Q`xjeBxJa z5#@hB_T!tQ?U12-uI(Nw!4KdnNyZ5zFWRlfLX}D_j4Jv9&&Wh3MTX`(i*(I2s&ZIy z4&g_XQN8~&l^J8+NPJMBmR^);qTL|)^tWSY5-CV36_J{k&z_ys*4FkL!w*SAK4*3x zGr$vk%`k`v8XJ5H_sTSrQe~BVkXeIz_SnUR+(rVbMCsm{WRCZsNrLy9J!|Ct0+%(i znE>e_I3NX4z@{=nq8^hX1k?r#_==@Xe7r4+wEx1?VeIl(_7#4H7wF1-6`9Px&HU^x zwOZP~G3(lk$$Ft(*NR(`ZYR)?{X0z0ue$QK^JrV-L!-w;^Q$s>*#m9dv z%~-rxw(?YE{B};WJJgaPA-5H1;xFF>V(2z=_Wt9#}B zxT3E9rp_#kLQz>KJLSxcoF$l+Y7u1S!P5QA>c_-nDd@%W*RSV?9jf3)YP;+O#~Ik* zeNCs5?*Q#oWZLWKM8b9y4K$el`SVX;=4opYE-o2Kp-C@j8%NO|#qE3Q;_?lp!VET* z2uPPYHId#u*>L~$;dq5l#1|FDD<~)qmA5~mKQ?MYrM%~~tpmXc`03p$OvSRa@ArrbH=Maayu*FuJpL=BL~4`jnG@2!bbQ^Wd{MjjMQ zQZVjQ6bRwm+l^>|5*ze-vYC2RK#?XYutut8|FWusy-i+R{0U;WC0Sajjnun#{WPP= zmbrTMIn;icD7m9af5?1toLOu#NQD)Jdh6D9YIhGo3o?50nn7yjMHfuL@tLzbFJ*52 zUI%A|rhiX|ak`hMr^&~hFpJz`srh!Ug#~s8InQ{VjGU|S=Ja1`?rqz2$zjl@%%1hM z#rs+PTm_Sy+=#}(TA*Q>OmqEg#9WOtn`s0s+Y#yT4rQ2C|+Bn#dPW{Xzi1SeTf^gY2gK0N%Q&pM}i9S(CPU!!EKczys+Z6!aZZ8w~ku z`CLmFKzgu?O)bsn4Oago(jCeO9+017;&2RJOc!7i?3bG3mR|Er_S$F5C?BYcTU(c^ z0?Vf+C%vI(LGg@KHq4fV@ny^!fhQ}~9nR-4AH5prog1v=U{ks@gkQPSr|+Xm$qr4$ z$VGt?$J^CFH5Qi=6@3KFo9kB5=5u0Vx@7viq@*unNN6az(!T02ci=Fyu}*REDpW3R z(BPAUjq>YvuwIdq^Fb)Moi6}1L^P&@wIsDdS~|kbEsFvLe}lBCX)>I3Zvb1ZYG=Vs zyn!l4Ui25lXKc=QT7gytoS}$A=QQ#01zd)GO%XHk=jNio8Pc3EdcA{9B^*4T4hR}N z*#LNxBk$i|UeN<8CKPwlTAu|E84b}>H@8{{#$G-?a=p2GvGUW|Zl4Ve3u6%yx&|Jv z4gszXv!`ZA3%ukt4D9g^2skR90dl(raWGd*XU3?X$dL)t%a`5AxO^XIRCQOIUno9VaaT=O6Y z5G<_H_$NtA01NG@ySqFdjJKCpFeoOSrnEbWjf1(96{r)jSJ2}7cAJ_hBmBY$qUyFaj*+tBmkGD zq;75WRjgZ3nvwXuNL+p3AgzeK3Pg`Sa6-gkB95uoFNi2U>4CLY1fva`{@GZ?r0%R? zEcKYCF8D2~h(88M_U-njetS-2f^>S6W&i?u(;Q`_l9y_@R4peF{YXs!jhQ;PVY3pM7kQ#XU z%o%S~W^}au2q#2M@L-Hlm(dAa$^~Gm^S}+>rcYqfNtc;~|IuY|v1&F@r7H z%J>wpM0wz4CaWbyA`F@{bn4^ZsM^nJV4EspkJOMgmfB){0axn5h|It_f-kUO;J!~r zH;FzWq3I6REE5OERn!}>R)N*udYGA+t5Bv>&>EnkboKP;Vng8j2Ho(Kkt^slG}kWGpR){ zIc`3R#n+LDYe^2e(Qr$k0`Z%4UkrJVSp+M97_}kb)9{;ygGxNmJ8*l9eD4Vu_$mw^ zA;raJC|wNTM+uYua4NvhwK@XmKTvuQ4XZ3Lz;-%1Hs}1eU`bN6D^KH_D4#PTk}H7^ z*w>PsX+1p@gBHeGDDbBW?(XXW^Gq=OWS4m(po8OpR7qsbE+P5hi(d?dqC+m)BN)?^ z&^_L^M)Sic4v5KbIr19dvA8LlEg*Zy6j=a*TXDp`1Nj*RVq2<}fz(n~94vQu4VvO3 z3-45RAvmv@6oHdYwPgLebutPH;V{0%bphCc$cma^>RFnPF4G)WsZ)H8U{ejw$)=wI z^7i&QfZ?(zw8!U|_uBNPyacVl#u;SNFlfGN_3A}7Iy(RkHg+d>T5krCr7G2Jir#Q3 z6<-?~9#%6rBDY;Vx1ci#Ha~AAb|^)k>`=_egNNm+C~ioEkukWcV+DnBq=MRnam?KS z+7GZL(rF{s+5-3tj;8s0pUl70MTkt63ZO;h6kFpST`X;**#rLsVzxL{i~q(dE^%eP ze#SAl7kyK4y=1(#r z)($iG`9TRWk|(CqkQl-bk}scuTzgR0*EbA9FgVFIP~Hz5tu@*6lshN&lIt0}Z_K4) zHtw0GC-OoR_c%{pRP!Iwxucjov9{c1JjBkIzv?uR#-(f_H#EJy#8{ITLJ=hqADg5X0kG5kY4CykbPTj+a!Cr6- zH&;-CA+dPVs77bTWYeP?`avp}o~Tjlc4yq6-kB*h+-U2}9T9iQnSQJ;rs716!CTps zs3l_^0ZvY72+5=K0)m1nkN~T(SpcO+qUKr?HJnLZsEJXQCq7W%CYORG1iG1zAD2Sg zN3fDX?t-~uOs#~2FxCW$9iQPz2`MmlsDdf5^Z`OemCj)qS78hi_B)%nRxX)t5(P*t zYQi+B+>OhQy(nuQIFa9Zz;#%^y4N;U({N#gVg*d_fUlmxKpkVKV%k6*)jA zq~^vgP|*vkcub&s?Js)H;2r3YqEo}1ZE*7BU5v2#k)nrDXir^TYf#g+11dz-M8b2F zjWh)c@MXuFYT4E)prnJrx9LD2WyV}LPAY(6ob}|KhF|b23YK6a4WDr^;^&djceL@v zeiD~1)ga}yeed2FeEX1$wJL?uHXT)b;P{abZ{^g5`JY|2r}gv zCTt1c(@nx~@NTE4Cm@MHa?*Q4CB&NGhMv7@IVcWY0erzcV)p1lcgXaAR3fFDqZE8#J;1>~T9mmp|6cp`I!6ar6bTT1$ zZp^&Asii#Zt3BVD0VZRgk1N#zKmha#lOI-4g`<#@%3IP^MY>mTe&Hm$(6TWbb|X|DQII+*bxiGm#5!0b z;1sa%zk-Xa5C}py^R6wc`=#y#p!j8V%~#fe;8TwI0ogvE?uGli0N zT&97+{`3P@>(IDMq{z2B%~LmgRvI!n;1qY{>%_90b$_rfX=}h4a!?#x*%grEDacrW z6B75po`}K#ZV6Zkub|e$^bn18V(AvI$f}jf2h$tYlQ`_@0d-8h{stN1P#f_*%h5O! zN@zE-*1%d1lQxsEuqq0+_e%$0GGLnnHPMRF=n9Tl1b}-Y16xzjD{9yd#)hU z;wyTVj&~ec*o3~>JEYhlp*!2~DfeJmQm(=_)j~0pjLJY$-%XksTmlIS)oW%Vb;p;6 z(j7sO4}#Y>w*E9}j&hYBD?1l+$+KkZ{{=R0Y>+R)in$S=XXl-7BeM z(I3R#puo0MZRo`7YxHWbmJ;?6BK|?dkSJ|X=0 z-&t=)s%CvPUO`LV(`P?;Z1ugY)vfx?uCwbzS1Ef|_*~ixQp~Ote8_E%)fWq_>t3i% z?&ze=_UE~F)F7i=Hz0NTQccg)DxGfwG!~?`O(OPr;FpQ)O#0`eR4-)n}*creyGYQy!|;6R>MAK z6<3ktJLCP`$))m*p~IMxaAIAFwMCw9po3v+mYAKv%QxYVwwWo{d(u>PoZBldz$9)x z^n|xY_?8QfWINU8jFVaFkvT0^KW|)W{;e})&CE7(X)3YXy-ZXKh}|7l-yimKrcyei zxAst=*~@05nAlD0ud1I)pbM&$_DG(hr;iM-4=G$!bE%tJ!P{Q%581_h>$D4;d~eut)IUh} zu$!iCMURtENpoz{8$SCsDZX+qhld=x1On!jb{qQe$dCU!8NEySQX?58lVRqgm>Qe?CKrAZN83u~Wr2^D6e?N+Le ztMbX`NV00yVrD&3J8|%VY?$gLaVbw9b)|(LE6p;ZLbS5YE{Ie;aB!B2`?xnneRflv zesVUqN=n?Os?yQ^;^xBWJ4;o;vvy{4*>xp4<5#ag%UwL)efj8OP-Wuxa!o(?8ZjQV zs2krK( z&L~Xy77jmSJZgJLd|Azcsa711NAMak3-9~`+5C1%J>&X@x8L%bU!2GaRIQ(`x;!G7 zGds5C++><+j(zQTtVw64=l99cQ)UjYv#mEi{nlt`%Vr}N*kdOm;vaa8UxCSRP_C*^ zGF#YYtp0X@uy+r2a94xRM2e=HT94I2k2%{;0z{55*ca(OH5f~7nGt*X$-kxs4})uL zDJaxlyXl&7W|Otu4<70r+xtuQwnnuw1RM--jov1f#69uFz#}*(PoUqQ-Teq};g1G$ zgUdPQcE(@Fzt81U`P$#_3g6MzV>WoxYODOvS0SpV;Ada=al3^_?J>9=o!UBIsvDr& zS6Aht;ZQko)$nIq&bGj=#l;+tiKw}?nX&JcQVlz;xb=)D4PRB}n{_oCpmkyHGL;Kd zeKqex{*g1VIi0;|?5ygy_`dy7%OU!xbHkxREaGESBi=!|mtq9CssaPVl66ic9xAsw zxpzoAG%7aYjrbXPYyIgDIUOu94rLe`}WSILYY(yw|f&Y@}%oY`zZmfraK$zj&_NOkKhim#1w;3vA!h*ue$dJ{k0NQZf;ec4}6%yMY+YL&TBt=sj8+%Z_p6) z!hUa7Eqk*Qn&-6n|C|ZH)~5-k=z|6^1@>L9&;W>*N<6z4_HJ z^wl+$=W1D0r0$o}qt-tn9C{tY7DKcO@$I-x%NO(|q8V@Jjmc0``)DtI7t=s}k*B90 z`JPkL&9FpKtB87AUFa({*Z7h-S#={e8?#1W(R0SVO%|uAOl>dI=Ol@JS!y}x;GlMp zl|Gt7`X;xgPV`o}4Yi~6iIcNVt=guDI%a&+QkhNEGWBu8bbtgKAL6%w+z> zPc6KzJ3G#4=w+D44PV9xRE_qxTPvbW(;2CE`sQXa8!>LxZ4xY}P?p~kKYI%Dr{(O} zyA{8T3#Wh0Ij@)~Em?6;JUwjhQwMFwL*-AThi*Ih2ohBH3SywmYWmgk?3x{><^NvACLF4*#`@il0%{WNFy;R*PZ(m7bET0+Wu z{FCMhZQE%H!@@!Hl0aOu*?kAQuGS+cr^3QJWYlucsHUf~?e7T7qmSv)s5qsXc4sQ_k2gos70|B( zi~527^B_kIV|tYJF4?{Ti#GlG&jzx`JVb=;6Top$yybp5bN{_J_&3cttSrvR9ak<1PrV9)qNiBXfhOvM1{(u|w7HGjX`R|^E&rDlSyU&tKsThomyX3D((eB;5_bO6D7OiOO z$*L3)5h)>&l;BpJxiuP)bEm;E}B|5clt{UOl5pnK!vN16SuuB0lr zcpn}&(|ne@XZZ?B-Trb|q@<)TL*dWTMsDtHLx$-3mX@nLiA1<0#BZk;2dQ7b-Y58O zBMX0a2|IrMYK^41y42G^fT6A)hx-Qku^OkmyqBhy4rARXLJV^91%mH){~b+WXlVF) z`mhK5J*~P&O`Dfkk`db%*)JoMo^sJ^l zHGi{}zZA}n#vINh>2FQ9nsJ*eYAE2XbX8mtzOGqmPGHnE+5FZnS?(mC?u`P=-g-`n z!iz64gAN8K9@ozJwNEMn!pT@46EuF}el|VaN`!&2H`xDiyEuHy>^bpR&Fb`c7nO>| z{8l_^+-!Z<&f(!6Ey{mFW@P$jJjN%6^2@Jn2bTKAad=|O*TzZH zZB8#(%+>mZ4Gk-CjAX6Kv$03v7^O2TWFhFZ`SX-k$Y)7ApuMifkw;Ex8IO5bVnZ`5 z^vgUY4NX%|58;ChVpNIL_5|HeuS?I#WMpLE=YkfKkJiI-Z)z}#@LXjZnSs7cwGzUfmk%+GqoQ-l!e%B!7S3*l8uE z==!cF_?Q&8guI68hla3FpKhwojAW?2BfnK>eWr%%S#k>(mqnpE?zKSDGeZj-3@4nJ z)+?JB5Z4ujq;+{qDJGlH+Y(Z1Z-2N0p)Eufb#PIP*T6{2ZQOvR zIh=3_#X?*^)_6Hsj$m*x1a|DPxVSj%SnXrYTk^626&)&jY3HRORH?-*ynaWln%00J@BChVu5$Y4 zLR?cvk{=N?`^4(+az5SEI4>XfW9H|RoO**lo%Co ziKN6~mu=3*i#!i*K?auUwdZ@*;6{GtDt*&W%@;&?^UlqX2iY$ZgRVwAillZ{bXikf zyw)$1PNeXttFe+~3k!ca)G%t#zqks|zy0BG+3Ps-$$pZWTkJSCFGKr+7 z7XPT~hk=Lw<^3N!x(iO8dG`8!lXa1^xuM*qj zI<}@}qQFvA<@Rsvo9*xL?kLI162yZ>k;g@(_&x6+9c zRbrDMFo%PxUzF$$^t$DB`@;@Nu1#kVgY#PfXEaGuZSivgs8~FeMY;c+m9~p;A}QOJlkx>xiqz45&}88xqM0+idB_%w@hCk zS!!~cwvfS@SXayjO%4AF)+9|N?PT(Ae47NZTa;(=ZgTOc6wiR{G~KY@MpwRVkTVGu z6TZ$L5ZRzjEMi0taYp%Ll-|dBQI+ixDnuG?TqidxEsKttDq4QAMDd$y{J3NwSl1+o zy6(&!gT8zGMbItQhL$FBom%V=xx9v|TUqtvZF&VelcZ3dp0pJhPZ!g0+eb*~J=?x% zP0QiZ{w`kKpe-27`)I<>-DNl(>)IGy%I%@6u_}>a-I&wuK{`XVci?iH7@CDSJzxXV11 zSFb&_N!&TtRCK?CHSC77Ie&5X6>s}sWPk7eyI8fU*aJC1^Ay2Z-Xh0dI@!QyFCvq! z$cguoXu07O`8>N^RuEqQA>~nX!VRxMYL@H7^$o+=wY0kSYbxw|A4>4MIVoRB8GmnV zXnC-~z#J$!)9-v+zv3YcUC!!=J$049$JUOG$i~l9XC*aLPsNj~WKK5d8uHNi&QAq{ z)htny`**OYN9dlk*)a%)89k9z^>7tm;j@#))11Z z@vh4IZ8Ea57gf}>Ot;#f9`0E4z#ekBbTL%84>dF^2HQ&2+S?a3CK?ZNJ-60K;!M>E zOFZ-#zmKZVc}U+<*!Eq<)*@I`u-L(V@Se4{gRB`n1YGZvu*0n!`--w}Eq-xgulx-p zC@Co!&PQlhb?IL;)tzeD>BM4_{kEM)|FW9ME%0Z<(dIZ$_q2ljnq@3?s!k@ey#nSB zMch=CuMT%+FvR^eJO?#UmmbzZS6f5x;A!jx1OQIOh#)+TA z87=dGD2S}$)|x6w1npO{ZJ0G2U^?Ily(2-ok>bqm>5q5E&j#! z4LHXq9}1;4dSlC2j6u#xxw)bh_n8de%}rNXU)!SnO5^0eLD8z{J>QdVeGXR96^~c* z5RaOyPu0IOqZP%-#T`Gby~_asKzjG3&TM~%aqqw+tx7f;v}2*d6)|y78_|8+@WztL zrmt6Qn3z0;`uV~#A3Q29`|!1QoKaX+bHNr)Ax6h94Mk3Fa;QzM_6h-_ z;aZDKMGB?5>%yDSgfuS$tLpF8*DzjZ`$-3BXGmE*nXf?MJS3@!TYtjVANpFcIXggu z+rpH~lfW{IHo)AR&7jVe_p^9U7g{EuAkqu3F2P7xGbB7C^!tLp ziOxq&c4;TjIO_y4Xum%VCcwExvP(5ar+;yb9sFns4f>)`<*0$w5{uZ$h;oJ3Xj8Ky zhK~Hh%lPa5sU+VS*G%tV?>sbQ;SG%Wz<=#oo`Ina_Cp=sii%NWQ{;Hq-sWe`E+tEF zFD&a(au;FF31p7!pOm;YkZ|tFJNQyDH5H`ieqNZyMj05fHXWJ;Y>rP4mMrpdW>Kz4 zi2GB>ADr%$M#NQ50R1~yAZg6N@=ic(lJIfVY6Qgu zwv>L=TV05TE+k^q zW5fml8zK(0s2(dxodm7(@~k=?eSPGfcUM<1t-Nr4VHrx{P92(8YEv4p&ys zt^Zl53AAb^d-zgsS#j0=nHj5K>lF7hZVz>?$H6T#>M9F9DMtWo9%+o;UL7&D5e$(F zQYd{8P|=YsfN?t5;#H1?-zgat!YmFo6wnx2PDFI;QxW~k&1X3Tt>!Pc!w zI36rYWE4#&bW?FGkw{!V8ln5vY_+WX?pA4csY9WE(EM4F@UwdveGFULBEM}H(&X)F zhAwPQKS0H&!K`#`eBFaJ_ngddbY#}u_YnJ6;whf1j~h1ImRl*Kj=5|S+RTK{h^S5~ zSDoTw>HUkGgTaPQY*@0guI3qMx);^Y&r8>)A_?le@I{#>TR$GOH8y1M*k=KOJSi@p zZYzjNy;-;KsrCTxZNcO{bx$-;0&5(34XdQJU^$hNJvaGy@rlrr9RbI0uh<1oT@qX$ z$B9_+3e2Ah28CB~pof$U9vLfQz0kRzDCEXOcd6~LsUYS<7d?HZ={L)j2M_S@rUrlF zA-E}N&U(&-f>AIBtBAt3vE>grkFm^HO;VPVqK9xx;WvKy_C4IO`#*!_I)TOSa^+Z2 zrF@UOu=pzXtm{rYXa9b1#mP{5uI39-HsO)AfwBdp2@R(Yavv{O6}prJs$|PLNKrw~ zHMS4rO4YoWHzB)uE89Ok{Aqw$|3I?>YyX{;x4yS1+OeMoP&lZw$Bs;VH7Ph%GaGKK zR{0W3u&~ZfU5XLp5xeGWU-s2Wizza5dwc(Pd^yvasYwsbzNX-{^ZB=~QcgYxl@3RS z*1EnG1K$?nSe4)L-!`D4zCR5pL(e8@bEu@Yf-dIOnw8SbCa2#_d1o}%(nd&rjn(?A z!7uzHZ!9*fwPv4FI8|OdPyS*a@bC%-2gF>@*Z+uzw{{O7WP~xrU$S#W?Sx0OUuO>;`nR+@ zz(NkK^dF^A~lP9T-z$Yq_ zK1O!kty!^A)w+K#vZjkYgWAM|>@~&Py1{(ac9|J?B ztA~}zQX;+6I4TW4^^enRed5#C&Ga?s==~J2r=9=d?1+9Pua9gWNMkboP5C z0X5-dATYd%(ZY(qvg^F2^s3RpkE$^u0o7ERb zGUr-v*^HDld=z#nbew;nknvmlM%Ne(%Tso;g$wuyHjnjYH~k*L1?s@Sw2F;?;rPT%%9Qc)ZxyF#d;S`!HCN~2 zR^vYbgkI;Y0(n9&v4eISyeVT$&-J{NaXKBty z{pBgO0xrAR({f-$Nt5R<%Ffp*&o!0SC>y?d8BRXRk#V5jzS` z0*jF4o#0d(GXk5t8TYV1ihGh_mg)OPCI#)=DwLM~EQq0jF4mflmo+^+LS&qLxDl~6 zS5Y|)tQ=H)1%zEszFN&3}U79XK8 zh_m8l|J1T~EbjGXeTd!RV02+3n{vPP(89-Hks%~35tr7htg%-=eQReV#@@LsSY!0! zj@MJ|&ysUnLhdKRf)#DaAl!U>oFrn{@bb!=pU+(;+I!mCFzssg$Vsv9#av?fWEP63 zapXy_fWa>f3{tF}-nD#YFx=Hk9EEEcu8LW}v_0f<8E*~iLT`eS|2pc#S0rSVP1t>R zS$=AI)_IPxoFdtM zsBzEoR=>E2hBPgm%|Gu+4lO#b;?ho%btRXD*1gUAbF%;Un>@F*Hvv+NGU5p`J851; zb`Z?Q$`2a+{#6U09IsS6GQo*$sC1eSJ*2elrP7Ut&Ya}ydMvTV+bD*a`q*}E?<*z= zV(I!dZOZf%N;(mKWdsw+Wmk7nCj1?`_vOkZ^>4;n$_BQ~G}me>CX+?L^Gw(I#98L! zM66RMj?Y`ktvhBNouU)*M?U{4&FIZ&1p^~fTmYya?|RbaCub=q=)bz!jnVLDkSMB- zFrtOiwgt1`JmODC0i(G)Wa;{>o0WBR~ zq0h{UiV@Cn4xY|`naxMD9R(b0Y_>OD>Q##|XVj(1)vHS}LtLLV0;dCkRbO=1Xvlb+ z%iUTdA>rp=-9kNfe)EZ)f*YV8!qfS5X1z<-M=tK$#b5gx;JfDLuA95wO{L3Iqe*>2TpDNWlAE)3Tn)Q3i-(Grb6vfD%+a}ft4j*Nnwx%EOrNrRHG2W%_A*aiu<#N^~ zNJyZbEe@(8IzKT9yztdptmK`1k2UFk+kc{dy{6_dzg^?MhsM?cMT@q^b>$Y77BxWpbUYBJs_W%6FlW!iczOVG|6U_g(Bw%iJo4tjlay zscv%S_$LKiM?SQ+46Fu2=AEVHs21O$UZ>=|N$n`x@Q)6*;2x}mj!46e=U3!4RZjm(W1k`h zfgPsiaAG>RE3g94femf+D{oc+y|h&)QhUIkYu#B|+(%~eU~Zmtu!4Z`vLkP}Juf%O zdlUzsjqO_pCss`Gbb`y)6Vhl|HWY>r2i0npnrCiTs_nMWT$O<-MBzC^RK{%OjDlQ zht9;mewip#C*$8sB+fK#HSZrO8gNohRi1wAD8RF^Ad{gcV|gBWKQLbU{WOeUrVjgF^Xs5h^(O7R#!7y@4eo-)3D zh9^sq3ReHyKF@iG6%xqF$MRNd;K~Dn|BrM(twf6j$rNyiOQR zRe4U~V`t#Pd|?E0kWSha-|?5O&@~K|ONR%$!Dd!%+8WY@Wu^7M1m)`iU_G=tqj0_f zXa@In7-B7^VdPMg413>VCP942I*k86e8~UV#{AjQVfG&<^UVCR*MB@rC314||FSV9 z{!cdM|NQm;M=t1p=j$tP;`KK_eUJnXbywLaG*`w~?>xX39oYhzu>UU>EYWgj;dM84 zWo3Vfi&GL46B86FOcosn2j}qcu>R-Is~8xO-6g`p!Z&Z;^v}w=fs3cJTWINWdgvf4 zCpVLwmHe`*$}7nPj^FAOoSf>{&<_d=yN^>^Xpyg5`4a5e>B_}qt0Et4M*FFHw2u;g zbRHfaOMkKmFz~Nod3l|XTgj*<-Sr~B@%ZDH{fZACXp()8Et*?e8sO3b0s?yjr6wKZ zhbJdZlaqC=Yv4k2flXKc;?jq)^-L^0ydb&s?ES;JpE1*GYvV?13J)JPEp&b;t$UcE za(HxPI8$7t_x6_U6wUDGV$uml+uuDY=a3 zTArJWOCw-i-$w5j@$zNJta^|%R`q5hj%I~DW9|9zif0D}Dd`m4XdlL^-^+vq%3RH& zw3hw&@7cdYYro|0UmLWq^@~=i9(q-Pt}(V`Jm{jPXZB z1`X(|!^K%6-0^X711Dn(VuIP(*~r??4`&HYA)925Z zGcqy?zkPdIR8;hs76ufQZ;~SajE*LXh>YZRn31(PVkaXb`_bJUqR1MMkzo?!DYECX z@QZ4!!r_u?*5ej1Q47s`(=6Mh@NNXw?=Js|e*5-iMTJm_%_uoaSx@ivjbwLpaQs{3 z>3#Z^j*Gv2vp?QlUa+*SsjjIh@;TY3E~gc9C%kj#4#z-T-1h#co$;>(Zcm8~-;WMrQY%F0mwFcZMcz<`3FNZ_+jDPGSKzRtqJAS!zD?`BtCM1_^WqT}N!*xA`X^_nX~ zjPqL!NZyHWg5aw0+-ppg3HhYP{zOeJ5VpIavl9>Q-+i^HjgW*S;MFVaYj-_KtK2r^ zJUoQ?sPWR$)46TOgw{+NqQsA}Dl02FTy<9l3*?oR38iIZkdsXMT|6`Ml9oo7i=adc zlYL2d*K=yBApnL!?*EfG|_Q*(2dZ``<{_(9;&s22?dMMyNWyfo0~ zrlw0?2kZS7O>j5Jc@$WPBd!S(Z*6UL9>4FOhupxz!TFaJ;KwT}Di*@Cw(V?DBghf2IKbIxj)gECuE&OWmJKv#)ucjHdy%zF27bCx;`^9H6`L0*lleXhw zvlI(Xx14@U7_ev@9Hamw3_)^FPfsth`;R%FW|7eqF)=aZhU4`-uLcDLjjTC1I3$R; zu;1q3=q_A}i!p046~z zDdIka6cm^!_nl6`BGXQ4>!Cul zyPmr}_;_FPydT+IvGlzlA>!9oQF&#~_VedYqrNXsjC#}V8C{&88Es6|%*;kfkgu<= z8$qI`Rafgm&Px4CzN>Rh$X-(SyYv0q`n9^a^y0eBZEfM{@=>p*n?l0RP7cDMj)uV~ z$}0|?ve3px=_1>4k)r26i6Q7%pnS1POG`Iz&v)EYQ+qd5=U3;xoDnbU>|D}g&WC4f zXRQBWb=4Y8(t4!iJ{Dv1=le0upQHjxMsKmR2d1Q?P>Oq3RCphKgMLhihK7dj|D&^$ zES#K!82&M`JwHD$eJ4Kr(FcLBz`)Byq@*msCa=%T&bEYe*4~_Rtc0>Djm7vfARtKh z4uz=OIw_QlnW8p2l7@x`_@K|S6bl=hSV~H2W~|bQiIr6@f>u=h6!Mvgmsj=2ykn8` zvPyJxG-Fqi=#A6U)8_I?-&=u%Oyc5tC_)IW%nFCu;KTWN{XjVV`T2RIXXNhQ(P9dY zynLHy#}!P>aL8N>xaF-h6a##Zo&5odaIrguA~7-1=(f2*d0PVaxg)@-wUvNMUB0C`~FCU(*n)PaIY^?PoehnHSJn=l& zUr=R`FhLQHSGiF@6cfVo8{69CZ)<(~-0I}CI>e1885kHCT3E)OAp|C>E2UC6Q8OK!b)--r@Xp27C+qY-3OPul2pubR zS0`$8KrWIK5)pZ|w=#&s7`R{Ido)iGos`7kx-r24&pY(>YjXJJ%yL!=xp8X*5iDpg zt{^+FwB{l#bT{^$x9Z1ZW|b26P~59miBQhI=;-LO?(P+Up`~HQYIoO}h>YwyBqz(` z6mbr@Nb2i%bSoHMUlV4+z@ui_Umw4({UU%f-#&G>_$9r+~;TtWyE>tPLfz?7ra%6-Gx8c+;Q;@5SZZl2s3iger2Ml#Fay z%nnk%aeVyQ$q8Jm<#21(r9FaPLQgSCS(ftK_G|s9ICcH%2phsOn6}haauQ~NwmLidbpe5I8SWJ&a4574Qiuf}cCg@am zTBGO-c51EIP!Nv#rN)mH6ncVxz!06y(e;OMp>N(0GRp4#3!9{aH0?Zc80ndTJcc`p ze*c~w75e4N7t6IT*wMbezG*Tc_>H~2Pf&!jZBc^*8k37TmJ&~QkHmr@+z2F2l}}D~ zx+ORlx{`9n1*`^cCw2g}A0Ju4V#?lXyEa8Wwd)mP4@MvWm)_1`kbAeIsENoOG?Rj82|U({f7@Pp~Q~n zVn&<*-@P0yw_DNGE_nOqjlWa?#4&WgeJbxYt6}1VlL5lbG{Yc)-jrjSF zcnwigeSQ74eXq%Kyu?Jky<-|m%Bj6U{kC|0->U#pHfm4sq3mN}VSU-FgdWg%BgOkA z@@40s8t!`-DZF(d-kL!Wk%t2AWV zCr8zNCN5-U_qci9-aX`wcC5TsTU)E3q$F=^dj~SpAHW|eY-9^8)nR{CYi*l@m6a9i z>eU9=CbF5%os+UB} zawrsZ`~aBabY2<21JtVU_;G$|GTa;0%0M2>Ra^%4$mO)4h^hyU0KF{m5+?psakqFA zT%TsF3{IN*F5<- z6d*Ko$;e{W+1Xi_*4Tal{4NkHpm?`HyC$TkCrDHbUjCCcs9C0zBHrK1CnqPD1^_?u z?&X@wswxO1V_4dV)7$81G{(ylJ_qBL^H8ghe&4UH5C69X;gSxdMBjVs3P7q*Kv(14 zGUnV$;zumVBrG|3aDR@*EYPmJVs8ZnEV(GU$S3J?seqtI+V;-8`R8{I-Cn$Sk-%@I zUh3qtyVPsSR?vNt0^D0$OxBW*`g2AG#vd_NOZM|wrSQeo)1MGA-1?PZAw+5B4 zBTJdx`VPE zw`;Qd(IabX>&@*BPUH4>Y&UP+YHAK6q3M_NkQK=o03pcU|IT;_ ztr~5ru0W=LvAA~IPh${?0&Y5mQ1A1j#p#t594HOAlw2sFlnK0M_|?_bT+e?H0u`T* z)zE8DRk|BAQR8J5UkW~gW{oHRa~>+7lH5@G;h{ZPe48iB1eW4>k@t~fu3inbtE(&I zPXj=78a~xxw(afhLcr+NP$T=}NGu2QX)$mq{Q+ZK`l8!<{mvbHkXGznU4xU7k{){i zbwXMIWN-rThy5+BV$+6}mMaSj3rj;q%<2Vtc^vxma1d|^z~(r>1);*%7a6xr{r!tg zPfw39VQALD0RfjHA|eVc``Lk*prgFKy$jto^s0BdM7el)8bL&W_>E$%(K~+6Wr&VX zFCGD%5|J99YQj@$t@ha2gv3HaWj^{44A8c|wG{&p;~%ZL@!?@AXt%-8Cg3sHZ%#>7 zU!0%7RCbM5Q*SR3-1|_O%?ANld}=-{$aqRVb3*aMsY_xzzj*n}@-heO$~w-DZ}XQL zwO}Ju4RC4z#3nFb=yjH>M9DlR*yNmg5#m0_lB_WnApvR*E-v?gJ(d<1n?bw$^yw2u zc}BLL-rT90#Y?KZj>}1#-y`La?YH|Zw z9lh@%8uaCm>})n5Ru1#+WHujUq@|G?5E2q%U}epm_}>GA<^FxP#?dO1JH24aJ~uIu z%2rcf*JXMU7IxLz#)dKGXURM^Ha1e?01#Jv{|-^yI5I*F4+&62edhe?D(>;p6u;5G#X1%J8p7v<${0j*l&w}g*a*B7nQ)pG!cV7s}w)wEHV znwmC_ja`HDMUJ@j6Z*f`i;0N9O-M*s%B|GOC@CQYO=@#<)4b33L%4LRq@Et#$E2hj z8xm;-4i3Eh{Cs}jL<(|pSd}`?x@9Rfs7@kobx*R@p#6k|hj(16A$bd5Gc{$^efF$$ zV`Bsmrc{Osu$I&j0Wg@L_6UiJO7OY4T86&w>YRL5?M?($Lh`|b2QeYEOD9K`e;2p( zfW!lCc@YpGQ_7{QqJqvC==#ycXWmL>6iKesx2m>`5_N?pGIJ80XZX>wea?{H(6^ce zC%pq~$G=aH+SU2=JYr%xPEjXgqCae=W=hMvdHZ%Vlv^%92k`F0wv=E9=<>5EPItpY zzhFSDi@33Y2pZRr{C|9r;(sk6@>{s>#~sdh_P-8Mu`;o94_Nv4V#e9C80one&9unR zf3skgV~!);F)c(TM*8_JnvDg^wx;_w{&RC52)>gcFK%?^XS>0Dg;poVk9|&(SUsK3 zP?<8lKFzk{L#y#~Kzg$v2UYlqtpCiOgF-+o!Os6eY@&n>$i|-2B`cp3cBu4g#)vm_trh6>;pyL8vrUC zH8eDYQQ88zZ#9^IZ?w#YMh&^urO8!#UeQr_y@c1SOBV3G>-t!>&ndvM1VKAGP!YHd z8!v-2MU5h)qk9dAl^N=L_uYeQ`TBME08oJj8~^Rg#=^&Mb?Uww0#zFQ3vM=|+I;)= z?d#eJ;6eApy?ll+y)yEPZ1G?U~uAtfh=5qIYq5OUqi7#K#|b3c*(j3}_~?(PhC@6saJ z;N=w@17qU=o6#~upnxE=1<0jK85uDF1#sEdP*)EIxH664>zS5thqGfBAlm4FIjwiO zkqkKdGd@UIxj7u!PZy)W654)}*6X6Jql3V`qoX4s=Osd<$N%E(t_Mg7TDbfEuvwAa zq<93~U21rJ1$vlt2tF+e1(ovfbf?<^)VZ6a*ouifSL)7>ZvnJ2u(Q*jJy&BVYj1CV z6BmaOB>e&)SejXPa-^*UETH$|wvLX@Sgj9@g@pyBsB5lk z6_iLVEh^AYzur9nVJrbuL(jdxSM2QUfM}yoeAJKfPGUOd4`J6f0je6$wnmymb5HhI zpt_8SDR@!@mmxY+9UCMZ9z!sI#UEB6Mv_d?pFmQwcX4SM$kTzIu;OzLNTIjV$;=yW z66FssuPG*QrA{nf!N6eR;vxh|aH!OZV#4>t2Bb0+G=)dvtpB1i%``>xPo7=V;M3fK zRY0H72??Q~%Y%|Z(=E1xJLf2D+WGzpYNc&MQ5aJjB(!U7rr zg%s56Q~&z)>#rX-tRwVX{{GvyDuLy0Ii@*WXX^OLG^fJf_qSfyVGdGvu;@K%N-=x8 zdDc5PJ!3I=`=qn8GYB+$*wL=pr^OX{d3mK#fDs#-n=eC&!OO2pOGAebOCQ%G#raqe zs(jG5-@g|KqMyQz2Ez0tzwM6A#_vy6Bmc^H(|m2nzfN>KsY=Fl!R?ldd@n5o^S^3t zMsD@T|MI7dpPM)T=PkiwZoYRs|Ea|1|BDv{bz;_&YOecwIF$wut8$7X?l`Dpc@ z2gp>zpMB$7_SLw5_n$aK^8e!9!~eO$TSXHl#>NIsO&K71?BW)vtp-Pq6Mo1WV@oNS z_oP3|rK6#|Hybd4S=xp@Ltb#~_38WUWwv4kRmpuZ$qiUM20Wy{)(;gF5Ea56)O9F@ z|424-l-NsP2_P+DAo=aIfJ^6h>QGTxX$X(Lu(-I%Yoi8JNlEEle7rG0LZkqorb-9( zn!rQQ+1~tjtNhx|igS=?1Q0Zc_cT%lz|^2Mf=bAK3YF}4?ty@Lls^y_;LgTfABBg$ znc(=IADKaAupa+THZd_F2+lYUX)i5LL56!JNCen>}$+*6%gc(4M% zI)u2iMbWpNpPjgrmD-L|Pft%Hcd4wc{R$Y;TA4hZ$7NevTl4;}Wbh^(H%Kl3(2$oh zf%;*hkW_^Wg1XE@OiVnryc`CxT{buUuO?WP9Ije}4v$=e-e;G{cB~@R=M?1Hmq7GE zRtir`OT*~D994VLKZqrO-MY_&-GGLX?{ix~ zfc#mNE9kS#&`kF7o$CG3U@2`NcymFihbQp~`cdbwHH0YB@x$=Pxs`*U^=>Yv_*we- zZM9Hrfim6n=MRZWw%W$Ap6`(f(jA}_-Ui=m8rTICzJ$a?ezRhv0$};Gu(929_bT`7 zSwo@J)YK$XmBC#S{QesD|4aX0)_w#W$?`w^PYPiUl4y}6Dqd)lE!Va4dLly)v>Q$zGNb$ph!=X_Na410)DrEDTYeQ z))4LCEn#gBPnbqjxrlkcR2%%GiYgJ*W_V#%P)ux$p`6QZyO|2P<=;=AJb96pM*J=| zcDnheL{DlB{l|~jHde$pbV3!Cx+Ps*@iBG@zUx;pAV;g^+Z&tRxMXn2%}t}ZSuY4R zzS658L#d31& zDdN;Wx#Y4wh6X}X2;od^-{dOe_Clu)AQszo%YQEjE7jIcRCw_2)%K0AGJgA1NNH-C z+4+nEiIwG_W4}nR1O**rteX-<1ABO*lOX6;`ft;2RF0wFyVvrckI2X#+?fTT2i|T5 zmU>_lX**FAjO5M#{&uoe5uuj0HoWVhx;A-WtMu?;PBA{{((t_2qNGzR?AG$42+_d= z--}bdNvfcz7^t0ByJ7R-@#EkJ8Q(WfkkV!uO{k@(hwtR%gg7>flPG)OQHmdhh@dOk zJ2`T7`VU~Z5LOD7*_CO0lTv}idvS3H8;LW*Ix~z~t{wUPD zv=l1sYC=~Edq>LeI3ZM;!n4che7rCx!e-!f|2Hh0|6$}J;pbh~}p`kz{x`IN0 z3aDpIAZ-xQ(1Zi9VgNT7u;wKcVv?Td!gWDmnEesW49&DLl!)2#ZvLR27aq7#LzPZ9 zaBdDg)gtY*%6Y)Fu zR>)8Rn-u{WRxt1m1S9UY*30q7UuF}G8_>42>ieDcv?R`I`Q=ygr}s)roqH$J z^7i6XG@g!HWtR=4OK zy$No$W*uE!3m@!i4Plo+=iBO2Rq8Fb(+5|#K||lC1=J4^zW6{CV5Fm?yC&=ycyYQY z0qrRmWZ$=d$0!cnkbxVwI+dg_XJ_Zn`gOiwPJYzT^FWmGZ^gwpcsE#M!eDMB2Kft| zpBLmHMDbcN4)WYxLh$j@Na-zp%RYo?%x9(eqUU!P0=m#Tc@-9B2myimc-Jcq#GU{! zzkYvxdJEi4kTCD&7GNWq40sUNg@h6yx?ox)!OllZOAD%XFt>5*9CifKTHHN6(75a- z#6SR+1}EJEz#|ombwC5^eA=4Y&i7r_*kXJ(**_Ucq=IV*~+QtCLM7Z z-bdSGAP7Ex{v1(;SN7iD_1d2UpCJp3-@dO;!@;V8X@DkZ5M6`%ew`#rVp4$OmIe#x zCC(3-=i6hOz|ZF7(epr9(16ZE}BCA;QHhG8WMzyiWUcUwhd3cKv zPvUL=>jDA;->e4j;1~$|o>sV2eH2$!RpkInJP!7)>1{%SITfGzo4p|rZ-4#Hd_=P% z@a(&D5#ZqVW1j~PULi{d^rAW?{wg%|M-pS5wW}yo*T+(b(qAfHvx=vWmzQDQfd>#r zSBgY;U$!chi1SV0z!~t@W5jLwcM#(144PdB-K*I+>TWCeCqk~PlpyecC*L$u3$cZW zcAqmdCrZfS0j{hX24R!=uVe+Jr{&ibMJ_o}T^DssL^yj7D=`1}IrMGi)&&BQ*)Ol_JyN6%_MGFn;eR*Xo=*LsX zw8OygYb{P7lsDnxy->-n(bDF1fMvl=i3=CG;t#N zbpgJWpqR2c7~q0o3|`<~U~;jkX5!wzKRB6z(1c;@F5b9dYgS&~ zn5<;aSKugs(tyRTksr}uU;x=u4zEW;!u#pF;zbKin9od2Nk&rhBhooEcUB=GN`U&u zdn;`v7JnR*L~471317v=X1aMZG=$DG6tvFTXf{&rwMnYjqfzs-@J|=8M55$QDW^v#K!Eb2+ zPDIIXNt&l!nx>NRKrLT45e!o?f(Qx-7OxP1RKJNy)$)c!#;Ct1x!TBBPuvj}1|MG* z#z9`q_i}?D+t|@@YZCKiTXVB=wn~PWn-WC}6wA$>om-BmQq9{isnIJEaG(L9h4@gA ziGOMpSxI2Y1ERe)L@+9qm1UMc3sVd>d20o2On2`l_4W1XW;O8g@>ar_6Vx_#`__NS zcf0(3C$=N&_BA$Br)7PTMCL^fzLtza<%PvXw~jNAv->mmF#=M1wycNk(tFMS3<%wc;4(3l zIk-CBIVW76nel$uZA1#kN6*A2C;L7WoSTS8jI2YQ9Oe16Y)X_JVqqE4V?6F=TN_Q&{eEc=lPjAY@{tG_{3 zRa7n$5(OK7&)a9G*7|eByCE7Yc8%>811`ej4t&c#tj0f0wCTM$vg?EhBd(0k$jUP2 zxo#+sWzR155_7%aSsEJg11?!~we7r6yB2Ine}{8vK2}xYUD))~tk{e*glEdsGB%26WRWG1v2LmgG@O*aL7)dfH=azk6qOCk0U&OFJN`t7o zeB}yRhdZ+P1D>kDAHcm)P~`tpy@R%9+b-Ed-u*J=1tGy0z&>Cd9>+NaAQ18o9$=^V zoeN8x?IQUgb};62x|4Eo*%=+ID>f51Qo%KztcWFpDK(tW*hF#$>+jHNb@ zkKY~q4lu*CJGm1KHn8*z!9(V=8i?rWQ3mn$KG>3=Kzs%w0L5Z+^5Q%m2GPJ_+fXjG zdFIuOc-A_JG@<9;N3oPX_nd0%msJ3JEc> zdCw=bTN?SFp>iX?0LuR#G8J`u9fU){+Ub~h$d%#uBV z!BznsqQ~3HeL9HZrcT*yP?~=guQvwaR3FZS!xTs~g`WEhDqd5Rfxw3&Xr%6IrGuK) z?%Y68Zg6l!0!|<%C2fXUhSG$|T9`xh23+$iNi?49mOA+D>bY&o5R7w=qu;)_Od(ue zTKW-ql|-}Dk_={d3_9QQ!)!nZJl#uEP$xU$I2>GEGvO|pTU*f)2NaBMCD6U0sb&Hf zhQi!AVh2NoU)1xc;rT#eM6|*WA9QN@g@lEXNn2$83U2p})iXHvRXjYC#=xryou*(A z=dHZww~~{TL_xD@8Xr$;qw~TQ6cj|BIy@B=utXMUCV+E@=;$89F-HJv!}lovg(BO> zq>pP}Zms}%mIm@@0MdfY`i552bP;031qH>*|Hj*Ufc3op|HGeTW`s~gi=v_^ zl{6_1NfAdwyEG(Gw3m@llC-o@Ni?+gqCF|vOH7Xci{P=OX9l zFoLu4l92S4qn;X>_S!w)~4p>h>QFf$8O$r4Edxs?id!dzWByAwS7>9T$}TIZKqL7 zE9+am3aU@XHGnMr{$bhFbd;LxvI-4NP0cB$0$I|tJd>LZWn?}ZjC1|7Yn~3l_6k*^ z8ump{`nww!ya8q}oIM(x|)+j|z17pQ@!s)VXksJTWvw(iYI z@*OiD6*jt~Io^Hz&J$12@CdQ+uO@hp}Zl3}kT-8Aha!)}-7TdbHx2^3(U*9f)>z}MAu0voUd+XL= z5NYFmwQh#h@4jW(*-)TD&4VJc2te7owQFBPg-CWu2)+AyZ;~e+%L{lhl>NYamDsx} z0(V3P8XnbUsG*wxsE5bYg(Ve|F}xmZ!R+XI+ zLE%5vghgdV2i>z=#H4q*s=tywo8KHoKBlfncX_NY|HPZOM+(5=KZT^s+4Etl!ogd6 z)9a){V@yuHd|9rVWgC`~j{a?nJDamh`m_3g`!Oa?TYIym2P>jAVt9UrS856xohCJG zUJELX@V#siQ<8yO8AI}zMyeCe?%lLU{BwQ$MRtMZnLU3>w^JB@BvZ}ddhSkuw!^?r zjlkzmI@|NlL8+^A)EZ#Ainb0}DVtnC%pLZ9i2%!-7*qDa^q9`Lz-DzDrH-uMP4t&H zUQ(!<2t0R=xA(6li?ikQUaCcVAV1oN8T$F&skM+QaaeHIh~Tb)BLU>rJr8G2l0Evr zu7m&0g7BYuGBorZ*I)0(82jh;zp6?>>~UdqY$#elsBpQyG4_TVs92Y4fR9|l-~lWT zm=Nf;9-<>91`Wdc5O%QsMpoG3rrpPK(1|*ymMozk$^}Si(3&MCFFLXk>fSb@hM&9* zghL)m;xRP~h$O+nKF-(H0)`4R#Y-=*d_bd5TwPabqSkQmm*l|=wV+LRDnfxe2BHYn z&+a7S#sWxAVUE)2tqM#2-U_`s=qK4DidJfO?i>Z`6OQo@sr6IH)16?!cq%Wk;E7s9 zdk?pWNP5m)5b@#QYte}x+_9eW{P}ay*C%@Xrn|#mm5H! zk@mcGPy)*V(^E#>-D)?r2cq)?quS>XH)80NK%0f9-43S*(SQ=c6Tv|s1b7Nf`N+@5 z%BWuL?w^)FFStN>F~fxjdSGzc{a;0!-d#9MalD#352SWj?~ zdKUdLfjVinb74u#0VYc5X9}?3Zon_Aa&8EY4LL0N16`(LU?{q3l6eYC2{<$zyaaRy zM-=T)(1)Syd&Y2Ng(E3AL0Zw_dtuI^`lNJ_d?~7mOIW-&m@UTmQ*z^2 zHaF}#3Jl|!Xd(L_P<3Mh*v|Hb=S(QKU=nD zQ1VIn#vSi)qqcD2fabgpCRO3h$yMliZr{0+2Ynup5U3~R@W>6nzuy8?@p5tBl2LE% zmyCA@5R8<;D6|1pvcUF3pj;>xM0L{A)9F=A{%@tUQQIm@RDu9s-rlH>g9OqM=r#(_ z2-Q?RfDhX6v|*|d@VM`;D+DeH*MHEU&JMEv%{jlYfMHa3-pw^VU4(+Y1e2l~93`-v zH95Ef^oBy1E~g~w$j*66*JpG6>l4%{qR)aYjP4Syo!PDjX$ct)SQa6P%mE@imT>#l ztsL<5vzZ@1a^JFh6n}WrrkNpoG&Ej+YAyBL6ep;bUioCn3pd}%V)FU(Op)M^Ds!* zi|&^XS{WVOVh2o_NJ>T~CpnHE_nV%!#Jpd#X*VUh^$s+r*%#8yjS1x5QxO=|D01xB z3qL<+)VOaRGZD`XOrAlIufsVbhyRM=znf%@c|QXq;xyQZGw08219THFrUNX z%zltmd9}4dm4-uTS0Ldy1N9AQ{{ZGfEqqnJcW!pJD(>1juFLN=o5>}iB%mhED_kV! z!5_Kzorm*NJN5!z5-2O;f$VKa{5a9gNYWn5sEORkY&%Q^m|6?96KUMhGPDm4 z%3uJI!TGWg&?J&9iyB88Oju}WD7h$*8t21gyofFteu{9g1y*wOHkeNU zuz57Ho_+lIaYFBndZzUey)p)Xy1gL!Fz95izsI1&V^24X0u)DD z$Y+c~&#}N)!IH-z`zi+}6PJV-@@kVmqkS-3NAp3i_5>)#k!576(20umdu=^?N_V(^=2qVI=W!3!Hn_wj2% zfq~~Cbi(>M^Zf3_??0cN)(J|_H|Z|u_yoT$P~=?Ly^MboE;jT)g>=x~{2NKFvYoCp zG*%89uM1-$N7V}NsL6V5o(vxGNNXB8833J}x6)0!O1hN0+uAN@IvzCee_IqWR4p&j z1^%V`3#~*(m_6B4oj+XGV;j1HnhQM>q{~;iIvzVYT?E3of;o&(R;KAPcR5CH{uvPd z&E!R{ z566ye8+dv&xg%(uJG~AsED4-|yU;09LVWb!2o;beYhDdj6u?~`FJFF+X|xZy8K?<3 zvEJtB;M2`J>F7$kN)-*p&U~y|F5*J#Qd3ecWM!;xlk(zP1PFIv$7|DdtBcbY{fb;- zeE?^0P5l0GXkZyC?0?%refMel9pAchx7h^?)b_B&$H#+B*+wgRAw1z6M)sE2k03=& z$A7ImxZ~W@aR;?IOgm{@{PoLJiK3?P|)V$b+v0^VqfmAHuj?#91#BE zRK$I-RXF;qxzOq}j$dr{o(pA)uYU%gIIOymf%7Wuq6&-Ihyt}hP_sW$WkoUa>-gp^?5r8jW!CgFOmXOobe640g z-hOIzy_oc--OcxQxT!g8)Uv+Lp}FhU%5?gf*wj=5UnNbSGI~+wPRH`aO}#A{%FXnHlpTju@-TsgZKn@oQhlzhbgPtD z%D8-e`CC1_N(S;AHog?9kbM4of%)auOXorkV*WCKfdl)#my638Isv6@3)3`l5kJ&V zM*a{S;P$b1A9Q`WJQtnRPKKuIw#lOfe zAR?$_Y31bP2{86W7;EaQ+IRi? zh|W~Ze#(>dSFb*1iUo?>`2j5Bvl`XKJ0@*6c>7#kzHgtjq$ubW3rGovqQDA8N`1D2 z1c6<#XMT^-XdM(FPs?)$3X>2w5&mqOr@kGEW}{!7Y?&YH0G^I!&M6yG|NN^%y7?$+>iyz3N zc$)G<^zsXS_ntFH{0I2yW-L0Ox&r%guTM=)?e0bbmp4_9$LW(7`Cs63bH&GJ=;`&V zs;keXZ@@3OE08_H#X8gUeqt6(`0Z}XRn&Vx|CUJiRDk>pVcE? z*op7jv%h}y@z0H&mo26LS&u+VT!^~<N4q_T4S7n~Od?-SM%-$!uBMxi|0JnLo4s8*U{uT;KCAcq6&|zc3NM zu>4c-9j{-%Oidv)QK!0Ttp?pPiIXq?|IR&}2lVkzqgWwV@izm(h{^vqhY|R{$zfbN zdnfIN`T=hGfqkR8H?sOZu2FnDm$PGhPeanaM`S5<-+HB=)wDk2!sJcbo(_}MrW(fC zwvE!e-LwX?YqVk|v$a;ODaN)Dr&G8It0rKb~M#@ZBJiP6~hx5h338Q9byaNvtG&D9h%m9U7Vk2v%5l zHvr53XH+`Q-}Pl>H-OZza&Lh2*%YlJ6i~U4>&&2JtxvazxvLD*jr%OQ_jHZeO6k)< z&kh}x>`sYE(zq9%&a0kLg#I=U&T^s~q<~ePpUPg!uN>;O^MSi{C4lD2DxQucPZVEh zA1Eo}>*xF9D@Tc5erQOe#0#iJQDFD;j93o+0&af(>a;S0qkK2&4kN>$sH{vEnnS`! zrrE;?25at~6mjn92BVl*;GPhJoQF$~5Wr$$nP>W_P`{SHzZe3~;~UhUXz!}hc=YGc zYZFog6?6sIVJP`@@R>wBPC64nRMPkiw6=VtMVthDR}N6PwS9jDMp0#sl*e*AdtC^RoVs4?S!gb{8BvKlmb)PxKtGM67opE`&m zb8#ZZ;TtS_gr|mND9l$L&s0R|>7$}UMw{ZSChn;^Bt;5aRu8P8rZ%jPV}~Q_8ZuXi zNC)M+QZ3pvv)OS&G*eNfMB0NFNBm_3l}84tKP?bvyIGg+}orX7F`eQ@KVuvu+j z60Ng7zKF7sw5Y^(W(##Ek>z0YHrhTjxxx)A56vHLOkIfirN<_F4RV&U0O9I)x6#y% z3=eDKlWML(@QU8AD&@8gn%Id6B^6{Z3NX61@ zZ8o9+Y@@R^$dVQB2})JCU{b?V-xtaNi}^_Zn5$#*cyTn}^3q#YQ~A%?CRSH*3*+|HppcBn39&^s4bR3trm70|ca&enER zmHt)m8YW8$lmvk@^B*zGNTdVmkt>~cDX}%cMW~t-qJ-yE-pTItFSvXA_8Yi}2?hj) z7^4)58N+)6ZhJ&dqqTJOXLiFgAIn|C`~sj6u=Jsfu}$br-=6j05d1+JpUK;Q$c>TV z9HSut!QyA|)lVTvg2QzmT55cI2R!A_ja*H-!73&e=&@hE+bT;7)1=jQY$L=Kz=(Yb zu7}^egvHoD+Tqum$DrUe^PRUtKzHls=T&G}3xF;>|M<};OCUWZ1z{b8Qt9DW*B?^2OX)FOk>&76i~{5Wppx*Bj-YZ{py+3dqFuYT z4V;1|zL|hv6atz_#v+`Qi_m(F+iksnl{VbGyQP)Z^5zDt%YMzGjfQ$am~m-Ryy2|CzpCU7#0a zirFtrDE7scetUm$ul@ATHOPoCi3$M~Ut`DHZ+ZFsg?ng#fMaZu1lUC*%7lTUFpKif z-TU?Hw;J>o{H5JaaVCEp`_jTWeXm2r<&9y>i~t0*-lN#l=n*g4aG-}6Ps(^D zqc=bV1K3ULjnqW{gP9X{(upQD+9V*Ii;vwO3)bw?$)yw%QkPQ7W0^=Jza zkq*ey_8vL11@b3QD`PjV){PK^7+2)UtI_g~kpKsI_J2VUJd3_XSyGMKu{l>OdAY`$ z>*Z+;ZdX&*!J^=6!a#-Pt3qhL89_KvUnxp;)(>(e!IR%q(bce{Gxk(E((1ES$v}qo%S~*5_k(UOhGgKb9CateoG`&?68g`m1D(4Hldnv z#+sxvRI#BTiB#l6T1u>oH7qTU;U&l*cprZ&%!dSI(yW zhl|KSTGW6Ew{**38~KybsnF{But>9Y9)IOeWe4R?>)l0(fi%oaaSbBcxkGB!ZwX}N& zt!hNlkBwNmz01qrH>%JhFU)+~x4Mv*Pp9`B%}dkTxmMb_S7VEAM~$w!ID2J|8IOG* zI~1#X)$-$#&yB|6{a3Fn66yVyNrt5pPF5%wz7;`9xQ%$SyeT&|IZI+B9tcXGGwaTzUtAi zNyriO-KktdS$B(la@UcIis(H0^LT2d-@VfXI2qZhe@)M9fH!>q;x3j_#mRTKOC7dZ zJp=L#0>C-EjZFq?IkqwLJ(mVI)wX+_l`qe08(xyQZ(|Wq_MQ0pBFgdLyyIVptBrwwen8(!Uw{AVD@X|h(ZZ2h8;FH{+OAD zciDT%XT#guAN@`-=^*h9WY2x(e!BF=_*_TNnNGdMsW0NIEoMEBRN9}gR?*9%8uiG3U@%d)AUNTVN*YQ_ zBC^bvqqg zP0Nr?Cl_+sm0;-(^CN4ZO+qQRBW3X?yyFI|X_;iPkh~H$aaT380l+f+oEsMgO zSfBu1Lo~jTC?pBZ)zy^``|WvE)!h$PZ`6jt6rK$tut(t08GH-_zupE^EaXXGBgeR+3Y}k{=OlmVC4O5MrR}OBV)?DliPT8fe-Q(Snzmt@D|oSs^seJ;1@q4Dw6^A3)-DG!XP_#Q)U0PqHc3<-AJaZo8I--RA4CfoWQ2Q|?k zQHb0IB^&i&G*G*QZk9n-gAS6&6W}NIgR{8`mIV?PnFF|;h!Vh2B-n3)MhF{OB|s`< zBdpTI)A8h1e2%ICFi#CB5Kyo8!t@DONM7;TTFKJD;z54*sUIUDZyk2F%|_}@fBU7q z@dX9S4gAXCTWyjx(Q4<=$CA87LK-0ehMj|BwIc`#(g{IQTa1qJ{iX0tV7RWKw9P;s zBtjbj5fTLPZ^2q8$}e41;Y17vD;aq!AP=z-Y0poOpi&%dwrD+qSPfW8&Y^()yW{~; z+G5qShls?HZebi{F*DkA)VN_hX;OJH%TIK7S!oAzGFtKbd-8X%AS)4U6|*Hu2}2aH z*myx^7N#vC$R-4(9w`q|BtY}EN%H!2E(}OITc?#T%vsuq#kXXtl4;IBHgS<4zUzO+72`p(yEI6jb0zrIIQ4-C96GB#*Q60FYN6VMm2QkW{PE97pJ z&%GvRjPk>viU?&0x|J*`|5fm3rpDU@%NRb4l)9*^$x{IJ1a*}hBrC9fgkhZluDS)b zMq=5f07y9j2!{kRQqTpw!H+SLao(m3+81Gq!QEK5_ChF#cirVZbv|^Tu!yiv#g~Gm zUHeP|?lobB;j4;ww#ry)E&n%^qne4Jf0P3%YUgZ+mcsSTb+xXhaT9yghx&3H#ZQh*?zQODqwc(^Pvf1s(`+Vh|2e#ex`{R4;2%j zP)J;8P|&9?2A69I`rif)6}7O1Q%-1gF{3_{4@11T z*bMbzl0C=wkBV*xBA`!g4S4!!H%S7uw0r?-2p!^+=g+%gtsqP^GCh?VK^&+Qj$=$i z6;+#9V)_Tnc?t4Q?%XL6k(GO~!Jfsj;E<7uyq5m8YdwuwDFn_ST2}~Ys}hYAiC};2 z+8n$KNb-)~{hddQ!LWLxSK~_HMX?D55wyn*g{WPN%gQ?O&GUeyjsh)dHHO5&ko0cA zi=pK>ceejSQ*Kk!*izWfd?Aq|H)|x!0zV7-SKppWSnzoU8EU-E)J+b#0JwIfmdVEg z*AT1@kqBsVaBzT#Qz`l89&|;B`9XzAm4jTSGiV)Q`dt&PG0UngKN!SgW22AA)$#>M0J*?~ayb%^0Q5_u&BC~)11$(w$fu$OpbbyZ+?XO@ z26nOf1VcKsGBE3`0RjLltQ@xn6??3`98nbGYO6D>%#K?OmJv$`0$OPTGB$G>o2RM> z^|~xd}&fe4pA5SRh_~6bUU5%QcPQeDOtfi2zLF^I&wg8_S z`PKgZ{rf~I3}MMNc+!B$1p*SQwmx5m*d?MLK;>N;Zwy#uWPCgnU3XebKU3$Q1+HuS zuIMbpsaf%~zE?`!fX?vAF(xT%6^{M1YOkkCql}q|*!t+rrdMctyH#2M6NoQP>ySB# zjk_Fr&uMi0BNG$(%?qaedZTrE z{|*qY>Kz_CV-HAUW3sKCA?C}@bx15Uu7Lql%$H@eX^L6G?& zIn#lSJ@+rdm}^?AFrQt#A}?0r?P2!NZPN`>I?5KmkFL!Ne;b?E$9V>L3mAu#lx+h- zjYw)hJ0HcIMIp@^!Y5{eI5KXh_XOEIhbgF!dX{NBy+_ep%)y^ICgEmcOM|Buf0TS1 z@)8`k?{(k$aqr%})M)HdO|6)}-VpRJE-8t#AAVYQPVe-N;EWNmt2OiPJ*l6CGwehS zTBE2;|Ya z37#6?Gx8zaYd*{2&sA9!LSK~!OK8+W#&)Ln$o}vxn=ez*$|q~De?b8qBP!awcI^j8 zVd1E{+3oIqB$txhT3G3~*iLb0nK%=78(&Bj{=P@K|3rPnH#XO=^YNG-bQ#z!!Eh>x zG;&zZCRDsE7k^B8MzvjwiIbK&f8~lGcUDvG;+~(O@ANtw3u~xJrSaVYKtcjzyDD zri*M-o=Xd#+=Pdg&cr7rzE`RjX%&c{>|YXSAYxK)4WTn8zN5dVoj?-zIiV);c#ZgMm&S{)ew zlD{XPIh%%l?dPLPSE=;9XXHy0?3ZdOz5VS)-`O7+0Pt}yMD|PCL=W+{kjah0d`GKX z69E??oueVx5d{3EPu(Ia1yi?M{BRXOdDQ(k{tlaiE6ld;-rfb+vs{dyLFtCb!=(u$ zHVZ$XbcBHb2si_l1!Tx-l-wk?ngZ9$HzYSGL@R{eTAI^hejs93@=8A&%_M&-Wd;>& zf_1;W|7>|hg&uG@0Gn}0-(a%oKca3o@k3!rsO4p)9X0#;U}No%p5MQx@0UJ(>QpR_ zLW1~G8hX9I#PkF(C9=1zD1iH7vMb11DKt21IDxA;VmYjN{LZf&bhm&xDbc|+OT%Ai zvG1-YDj=wPDBu|wmi2u_MQ6Zr_#&?^u^GF8jDF848p!mXAg&Z?s^bHVK1A6C^Ex%L znk8nLCtsqC}o(igqm@LW|KlC6Iku`le^r)33^@&|WT)T_1_-y9(4Qnmr^8J_$Q}WK#5^~zCabcuhO*WJ zSL5Oj_0P{Rgv>2It_@axv0qZWDL0AYOT7F5&R`A%SbCI#xYC2;OSKqgB=MX)0Y@t8 z$ZXG3Xh3ltsFMD``(_ZeJPZP5RdnTSWq_~;VU$b|2JQ&H_G`L@3HfW#AbR%objO&^ z2BAX5&?R{$dk-Fb2CV;Eri}#{#Z4CsnhBW#pE@}zfCQ_OQ0=0*dJctcU`#FKpNPUn z4-lDyg=HyS37)0>E= z@k{qQV$zI-PHk~FSu16p|6=n_4?Wqq4ax<4lRu5-8scmZX^fTgd9U94F7}xiXNl69 zo#&q9`os!&uU5Ot*p<{WyYMYWr0VTC?XtNU%W=!;rb^R_p4kAimS8jS9y1?aeRO?L z7?ReLCB3k^rp6oJJ~lm~gMnQL5&=C6$)n1vP=2ELv%UQ@cE{qPBFU&Lbc~FpnKr4M z4-WjJ1(+gzJGwBEOlf0dvth#q%kf`Z04uaZuBMM}1X8RAphB3$ZHtJ~?OVtis5FT_ zN*8q=QjE0p^a{Wau5eU|!b5XJpR`>?9jc0Tw6yx5T>(!&MK=Ih^12+9PoI*L;jHY8 zveR!LI3mEWms@axVW+;tXNTG0yPs)QSE)-lKJ1sH_L9j5ccu)Z6Ot;NYKC^XJ_1mE zAzW?`P?nuSH+Mtpupj#|<}(p2<8l$x^$zO;Nuey_Sx?#xjHq!qnTgC87l1Px%F*y# z{P?5HUnnNWwtIIvN;c$1k;ev1pb%hqDR{1WJPye>UH#yhu*jissf5aHWNZxKVBGSJ z9MTsV7!I@qvsA$|+W2c58qi0T;&ad7HN{4MFELR7)CD0=5yb)LHlU0*0FE0(%7M{> z5-RxenD!!9y#7~ju0Ls;_37=pqG2^<%ou?0v~25Iv8Jqk&&v2UOYN8Zgv=sk(w zke@#U6BmAHdcUFFFpFWllOqWrO@!UNvN~zq#mhtIH`jw`z=KXj=Mi1G-a1M8%>|^7 zJwlf3q7^jb!_f1QFf^zYCBa)+g1WiaD{eC>o9=*>?Ut!2SC+@t_KnA&J=(bIXb$+I zIbQ^A!o@-qK(JVgFU^}_Fkd{dZDx{^H4PP*IFhUOv9o`JLeyA_aoaX&=&BPMw})l? z>g^@V47R;vcpO-m@>&)rT54DpXM1rOb8iXB{Ov!Wtv^fqYlmzOgrqiS^Ken$;Y0;7nHi>un?s`&l_ z75MVV$Vk%xe?LDN@E@Se*fFC(L7`=Tj$j$!eKo>E?L&pqhLP2iB?@WAOQNo)rNE2e zLm{FiP8CQ^1C9KFl9A&Y06zHQ7=}oGvu)UDiIx=# zEm#pGZEZz?LY{bYp{=XS32IqP9RN|=B*RCmV2{D5|AHw4G{?HjjNUuvK~C~<1LyZ?Yjtn9r;G5g_twUcSP z#BGmxdwWBs>w?wqEuz4|kD}_fQg%UNGR9$@8e#hyo=&xC9f_lefiMeV(Ry5 zDSL3t!`tsfXTCwkqtpyj6)biuaz1~)5Ac$JUhsmM8hdzpJ_MNxZ91~Ie%HpxXIj_0 zj-&DXf+H9b#Mp6Y#v7GN?apV?SHGu`xfwLDp3NeJ?!S0v7$0 zl#JO_m+a^r%s*J?dp=%{Qf8HxXVhKtLqWacr-VjW{vUVMMZ~Z_5~CC(7}Ka#)@Q0? zGk*qj0aXDz*f`uR==A7I)&y{dVQT#MkM&^+XR&#qb}@IK;(fn=1*ErAuM z=IweB8|HOQUvawhxyzTB{r39B-vg!9pH)oB{UI;!rm~TnzapIfyo&vBL$8?C=t_S6 zcpvdrcQ3C~0Ireho0?P(3#pQTkcx>qwEC2_io0)W*5YLPwm&9@b_J$ zdR0o^R;&sxa^i@w!G_hP`B9GyK9H+hRzE`OO`4*l}z4AN4xe` zo|c_`C$jpHRiE`;Z7xP{=Fi{DUS)-dTZheWH_znQw@>r>b!Yc)AEzE-Spm-U){ZAN zB||2CTpN4MiJN~kvnogNq_W_6QD-*fjX`WrFhjh0q!3#+DsMHpaN>mS?E}y88}5p7 zn>pocXjoe~VSa=EIS4aYhB71c=G(SKJy(l~x|8$GXE$>`v<$~G`xChV{aQyo{4ecZ+iSumnODFZWO4E@4UmN&8`AcU_Wt{){MxjTmAN}*C&Dj6e1s1{M%~s= zS0Z{Q@D2)C25f7I7-zSHeE_NvtOMYZ3!0iTl&YR17XWTwMn->a;UMyz(pt`T$3!d# z&YrHAj?AHKeVt~anN?g<(UsP?OuZAc9Cn2Fi5S2UZFY$Q zu)hA27PS{w=6w1JfTJ9&tZ#CACfE_uH zz6e#~HSDcm%C|ehWOWfWD2@}5L^cSih@gtQ2DlpOY)_$!Bb66X)cl%(PM;b{{%;n_ znwkP|T!4X(z^;wxBhX!;A|j*{D%Ds1{vAC%D2YTMZ|FwMQaGt#n^G^O_oMCvf=fzq zw1(G!88&6w&?6-g`=;ZYH>?Pb3PpWOK_Nmy&`F*+c5D*9fS`xB5GRqK9MoA`7#I-! zw{miF5>2^CtpyL6HzTL@^_gi>b8-WF%og_0qz+dtApekPtc>3@g7iLu(|W5_=0$5Bd>lkv!X}K{afQ zXMnB#s*m4~5*|FlS5!!-H+LS^q+qjZ!nrnIZ5tXI;GiobyA>>nkSDUD=&u#Tc~|5E z+a;D}Xko&yYiOv-c5r}(3n=7kyp>}jB2e>L0@U_2Qr6H2hI0r9%+Qju0(XK@bsr;@ z2|{vju^lQFM{&=_Fz-0&tmX8 zOzQTbF4swE>nRQY9)2+~F}8NQ_07EcuWCMjUg3yhOOd_01nHbuv#xBM3%hyg^X`3qq3iqV-hs*rXBn1%diG~K}#xZ z)=jC;bRixnz@=#3sgUviLbNc&d_X0u5CKs~!39t-1Y9s}jP?&onp66I{W=3lAk|?6 zdPSd;ks;Z%C}^O%$wiBXBA;iMYj;>r=!F9$o*E&7tO5dFPz}Zdam5lDy0MC&JISq! zGl57c8_r%@a6`|RJw81X=JN&pL(yQWtBVUYaGuqvNkT`Du8ezJ4{S=FX!L8N^IKYi z0L^}biZO7E1^4!3s#au1HWUp3CeS=89O8CFXJ^b3cI9JYW7qhi9lTgGau=-X58uF& zc|=I4c2Xs)3_&gAT5uVtVJ z5R8kbkK#3BV^=4qRRFomCq9G*^axU+v_?zSjXDw?-4XaA@i_j#64YYQvOJ?}M=BPz z%b^wnZM+)epbd16sMY90EYe0c`$|1I9|Q*OL7qFYyuxxyxz$_6j&b4Q`3SB*C<=%( zf4ObaL#f=*l1A@^{0PZ8Q5{SsG_kzr_X9@(s1%P(V;nMd7Jm%-1*a?#Qvp8O+qA&SDIUU z0%~251^ak-o}+`k1W~4^3_F^mQ*u&dhaJksJ`#DQ)DOF4_PBsVa&&XJ%AvmdZkM8V zVG`^1&78 zdJ_vRaNdE2#8O=vxGDrE5D5VKjz?HeA3b`s>Sk~VsGNNq9C5~tg4jkP7HolgG!#pL zj_QUir6YK0e!ol@QAt8L@V>dGxcDg+Cnz(CEdvIjQx#Tjy9Au^XWy`V;jS=Ca8keu zO2HbIV18A)6^X_lX1j z{O6GXjmX&zqu4Qf8xW>J`*&F>BK+^1`MGl{=DbwTi;mWxBMNqg->*f2#Z|JQ0Cy^z)m)2tiL=g9JGc&Yc5w_BZDvhYcaNt z)S!5p75`Lh$Nx>m_RlZLy}YELK6I@^qu)qf)#|T`l-(d?uD7;fDe-<$?Rix)5>L)g z95^qld+h4+fBcgBUxnX4AM^j|yZ*bsRQ5V_tIU(L+KseWMt}17Dl1#n^!4?A)A!^? zSCoT}sb@CdW_+xUAw;w*vV5$$AT5sld4<5tMBdP| z8Qbj<#l8E)&T74%+RyHOinV3uSfNSBR4LbWP~*ZSw#jGDpVgn%FICEPIA}h({oJv~ zCo{60tJJBa)f|dgEHsjKPZbn}=FRG$5AiJWau_KyejB2_?wD}c*MT5f7Al@VSFWf1 zUQe*oAT1pyuv#@LZyEZO@O^{1iP(dspl{#rMymWu3K5^uk#AEzy*L-YwImP=#M>lA zN)*@mw)qIgqb5cgD}-&b&-hQ*PIVe;7mL!(C{3)ivlAN_jSuHkooj7YZOmYh6f}#< zf9opc98}OzNUZ8Gb9c?!0#AdBZdkxHSP^XhSs59wswAx21*#9A20WUfWNVG4E z99`UL$hq@ZZ+3yj$`Y`=c&x~balajwvqxU;7e&~pBJRc00JTYnX4Lr zH~r!15YAf*06K~I150(~#0;@zK}(Cj)L{t9DRt zP{C5NBCiUxtnMXWK3c~%xiL#*<&{cn8MlvhCB6@ei6PcrK#MM7m2WlK#bdkctGAst zSId39DJy^`eRU_ZBu_n`Y&h$Ez%eXyY#DZQ<|F#^+YhOwZ39zEU@XgF7D&n3@EIl| zSKCc^pwmVrf>W3Zh@u1*4!{bmI8gAax6FO)FGw7;?lp&G2BCLLJyKNIU=ZH38rutu z$p#XYB|TP2FE1;#aW7`kaOs$&^^0i?;Hk^I$SAl_TYA${}eSy)j0;Gd?|K4l+P9MJkST@^04yW zgUcFr#;Rx=ERIMsz-g37a7_I*NBfY@rpR+qLV18a;wq9jU0#oIU#!&xa_cVbh10gsi47 zn!k{W1TyPf$jUW()3*%?;XDMK&;$<=XuIo=eS&&=dcp_ZtRzQKV4q(_!^4m23SqOz z_H=nPd(i93O~PweLo!CoVoTdNK|F|LfHor9Bi zLXc0lO;doW391-K)X~VUi7Ood4u!5K1RWy^kWH2gd_U3oz=u+Vk3WV3jNcfu<)Cg# zyqhzY>FkvFt$l!Vgk`kUA@y5($8kz%nC|eG`GwRKXIi6Tm?Te{OX+B7<$}~2jl7DG zOALKIv?@e1gZ$plU%q@ZI7%)BI|=keB`AuBND}r~48+6uG7|TJyaqT+s+deb2$66u zPyzfXthUjd3Oc$5tuScAX>f!}ak@{FGp{|HFBU(KqUD6oSvD&09z!D4R@HmJ>OgY{B5S~8hzs_QL%pMZ! z4Phw@0wyqThatAy?iaipZE#^pi8C+=pow{qv|=a%UZ_G)2jK8eNl6?C97RurI!F$1 ztI0g*koO}d5XHIX zwQF7`eozwVU>?Al061$S`8cSPu@&foVh7UN28)o3%X;X9?Faa%zQ*gz!;I#PPfIxe zP@>NfVjOaPNOw_JX?>F16P4k^vj0WEa6WCo{LJ-erlQ;Gtz$8%Y8rjhsF2AC&9cxb zq4WnO5T!QNU(b(o!d~oYLrDMIr6msr{1+;I3Nh4RFpz;3AXWpN6>`G}qk}Pp^Hl?h z7qZfv#_2whPr|E*pAz^3%pUJy30~-v&=@cQ<^c_LnmnB3QahWKRQQ5WGCYWqF?e%Z<(F|+dV>oECYjYjg)Cd>&OgJal~ zas;CspZf?k3ML~M!j0Jc-T^KllsiB=%bEts(wUh)d45E1(G zBFPcdy$O6dOim{+YTA!h|BG8n;Qt0s4bEvJUQM8I7>abrJXUSn^WJjG_rTrtlAdAe zVw#x24XoXG!6BEq##BWJ&k%HP9?mlg%_065&6lh?3O2H&2Z-8Ee>y{FK;zNM?~nZy z4#vZPr?AyjAmGgxQaW_ZRf5lWP5(U+rt9_`C)@E^462IH{@RP<4hvxZh`OF_C{dE`9viwbtU5F(M~soUfTi zeY_aHbxXFcMBUtUu7_%4b~IwtyZ!q4h^_;tu0TwUcMJYgQ(vE)69}tvL1UvoXijV6bo`Y+HqoPlAJu;ij`l( zFPNUwO9ndXL{|>osT82LFR)OPliy{+NdDKV)ooMpapZOXekZ{ESGNM7ao zYIpjOkzL)RC5EVIW#)#k;vWXXDk@cmUgD&PhLIWMy>`sYb9DfWz05qoC_YU}`6x^bAvJLxUfbERTTv zQq_y`V5VUb8dYO{(UFLmI1_QRpum+RbqhVnox!G^Semd<5f3Xaff$X^tZYWcAI@k> z$UN2_6Y^>Dw^dA|I>^mucz#CA;Q&7fUW-+C^PWAf*vJ1PO*ru$^FFIq9VQQw--sW< zrALLm54%G6C3_Oifzpj&JD_JtIxVPsN{r(2i;q3*^h2n9;M?Cw#jwvV`o|jb^A#^6 zM4o0a1P&dw1=@36AhPUOaK%x>nOw$l)TyUoKxK680X_%n%P;)MAp>UD(_a7qj_rA5 ze|rfzUaC@kr;6n-LViKww4I#tjRd~8HxK`dygPfY++l6qyX(r-Fkk0_s0~mcO;_~&!uhsw1)^6waai2%w0SN)g>IJxD!`n876&pQX zNpe3){D#w%ZDX;Eh5XqhMTmug;`i9>`HLC!?Ah}4esm_=da9Ja~%{Tq{Y2K<*wf1``Gyyb2J* z@Ra!ZE09YGx0*psL?YaPViFZmw0fp9kbV$zC!?;=_tuf1WBk+Fg^q|E9s%9m()P-y z`;){&kYEnNQgik3(;eZy$`Bct>TyL z0XPu`8Y*&31w8tX&}IY5g+q!YWuj9uL^3$q!w_g6^Bt&`UtHkme`e2Q3e(JbHj(&R zMC3JPI|Sn!_~4(wT5=Mv6a_VwycYohWk}1L#+yS=Kubi37)lh<-a)=Ug64r}nbGVTyTJ~Wadq3XC3LjMDlfO$X{wHfegzU$u)R0N5wC%hM`MdFes zdkN77;*N>O3jg4{9>ZtRV-s{pB>`s(KSDvt4+F#V-NGkLP2S6T z2$%rEMk-AR(+KkheiwU}w?2WD@hw1_SC9uZgF~I6)KBVVTGLBe?~LJkmzrM}i^n;s(4H9hOIH?dWM6w#>Ph@-g3_Af_!NS*IEt z@E*|#5KWg%*k|+}Abv?YBNBDXP^J>N8>1TK_VDmeDGYN^d8fk^aI!C zK+ZlvtP?s(!)imED@8OoaW>n4W|U)QB0`Zus4}#zJvJ4X!d*Cxs}0*bjHWM$bDu&& z7g4^MA-#_16@fiKAGT5x&OX2{#Bo7R(NKsWazYp+s5({T&YdguAdMJ#x)fq20sbgy z?iPvCWpRF{L8lxHA7%m7aAz?ci^%3EBpri6KQ-&H9e{V9Ml0h+w#t3Bb1HKP{xb;f z;>LytgA5dIFQ6VKu`Xz5i1rX{3k8A~ZNT!_mq1Brf&r>)Y^(-zNa8EN_>+U_QE%)6 z*9O4m6%wU%(7b}HLO$FvsOoTZasWs}L=fLoiR#8}ld6QAnB|YIqpL(8ZvqVd1M_+i z@pD5!FDQ5uo<_`4QeRe7HsUX%p(RrqS$ zWJBPSuw)NhPbN%(QF6tvzNLDr=166J;sG4Rvd9N`hwz1fl}rJg5fZOjWIKG_!4?vY8p7b-4sVLY2P)|RAju4A;LnV>P zV$yvzI0_8!IVQshIUmSh5p4*G6vGM%!GgP>YXDO|{mk54HJCKaE;pI5b^wsX2Ih#h z7EsJ%z&?PxYqQvXVfbMUyzZuT<3<^HLPUgATBN@Ja5;jU%t#WvbD0nx{i1rLjm z#Fv7{C zq&NfFQHnJ?p^?yz_-Dl!5q3S9Djaw(vhU-Md}iqtH`KQjJiqI-WNz+5bx57tahr)c zW(FqgXK<-NS?CZS44VVYBsN)eHp>Hj(I(_XsHKCb_4pGsrGqV*E_e<&ED!^BrrCJ8 zz>@ignTro#8RZ3eNVe~j8EXFsx&GVgvE07?`TVTzd@ow^fom_`7fcJbk6O^+eq!64 zx6C)@X?SeVU%&j*|Ms{1qdoiosdn4xdHLkJBWG{S{bZ=+X=3N+=B~816BGLv$;TaW zV;!sXQ;*pTYe&TY;h29jp5M1uO^VrP)#ZqbOfIHjG)+8{T5JwYmU-SCEeyV%O19h& zH?yDqErqS6`L8#}UQK89zqq@uu*RehNAHb=-~5^pWw)-gzu60lR4g=aE@TWuLcDnK zZ0%z-WBJfSAdE~={1Nno;nMeu3P0@s)khz-qPn(rFKf5&prNQeVPg_YakwFnP15#b z$*d^kE@O6>&&3=?QNlUtJcIro3rY|GMd~(ahfpW;Mn**mBjg!6W;>mGVOS=)ykydw zur**oyzk}pgYj%k3eJ`F`@f32@^Gs2e}9?=jhV);jGCmhkR(zUh!Ze$;9z3pqvMX+z7A5GUL$XnOS1i_ z#mSf*_|=h$1fPFQQ*!`h5NCM?wadDtOGC~djIiDAg3wJM!dr?Z=?ZdByRv&O$dHaE z$-ogSU{$0=0j~F~f+>Y%Bnok)*K2`yf#FV6^?=R}$je(JKtsp?)zPo;;)H(5j(vK# zDGqb3L?B0a0~ssP8KAXGXmCh639$*~2S)}UJjZcdnNzP%vm-X6q{k03GZ>Qi!2wZG zeBjsAkctVt##Ru_v7)3sLS`4gdL>w7l903Bz zHTc#iK=WXF+ovmim*T?K(mwTVlzI>@X8=GGJ>}~mt{{?p#_bGIpI1N71R2l$0dSdidthHLu1Kt;5;>4|*r!43Az9%9kLl z=82Oh&jZqfL}M5S40s`N{zkuCeh4ww*CI4Ka&6s||d5|!r)7tkG%;%6>N z5DpslI0ogVK^K(A97F@?Pya8{Ex5M*C@H^@?NVHSv!uWe`^Cv_WW`Res+u4shn`_2 zn1NPUh@jjj8xD!8ml7)Al&#|2UFzO?)Mij-hRm^%lMo*?R58e=iNsJVc0Z}Kh@%U> zxn7QeI12Mb5gr^AE2Q8r+H$a-=;h-IzW8@>u4G>9tvJpN!Ee8*&)oQ3daW^#U-%_jR=SEr+RxBdi15>6ZaVV&Y~<2XgKnH z;?RJN0&jGS5vqB^+t67f+SuU$#BGddFn?=_U%28C5UV)$p^uXg<&IbeTYqg`D;Xy#k>M47^y;WvDzTRU4&`` z*v7!~$%U_eAdnAeDsh63CigaN7-Pea0o>h%A%7s_04TO}*%BT*9!m|zdV!8s^=VQb z&+Ysl8Y@yo0B3*|%NL|sf{bs~s#TZ<9*Af?jr;K~2zZwP2A!>vz5ndl4V+Vj1^t}goP7fW{=ud~t4Hip@NH184WU9uEL_j@N3=&&;5N_H zDD|b$#vcHM8_bTuR=>`W%gpuJfC3ZhoZ~Q>!l6X>XpPUOMcZl(-<^lwsHchO8mkvS zZ!2^9oPuv5h4Q0n`6B~O8e)t?2tG(wv2tW|1OI-z0D#blZ`(0Z7%PvO#dWsT*vQBQ z4FC#kJt7&avbJ!fa}XnNz~&nuF9NJ1gm2eXMOstfZM=AM84CuoWp?HGPZPEYDAWk) z6CG8hlVlnSmy;!Q=-PE;Ut z6)XqgIzaw)7MC?15u`HLKpc<+u!3UzFbaND;DqxD2^RZ2}Ah3APqOEXW3jSO!vVLz-Bo z``GnlYy`0t!9meyeH;$$!ad!BUL~<7C$l@-6D*n~AB5V|;bn+|6$3yu0G*H^gdC`J zjs?qBJa>#cH~rLzxp~{M0XYf78z){0l7=H!1RfL9TM*m11Ax|I&o{_w{~hqP=Uq-X z@|RUm&6C{_qU`DE33!#X3E{$xc!s2q@MO_pCO#b~(9tK5f`l580c3&{bUw)z2JZ-! zG^oFYc5Nzgon+V+#@NECWGf&;Ol0Ne;tEz^VsqWcJ%%zJceI(^1>pzfX+mSQK!3=v z$EwA58iYU(t|}Q;14cI0bK(**YV4;I6E6H>W)jUo;L66I4z_ z;=^YmGDHUWb_5$|ppnQYg_t`u_AM`>N ztyU98<3BZElRAIZfE{^9%trx$<7<>EwZNf6MkX3HC+QO42aUX{R=(=XwFsOafWP@} z`*bL*&_^sSWhQ?T0sLfT6(QoHrK#Ci;Xvx_c=hNdD9+0$dlG60xm@zIxiT0%7YqokOahH11#d=L87m$I|% zbN9_bgZ~slQ9MUv><{kWPdPU3`d!gWCChNWqT?M=M^d+ni?eFV&iqqZcGHkr)e+ps zzJ1s~pYx{L6P{-uo;-+9m$1aqV+K+m<=*+)`=)8K&WOOlbt%k@BN!BlI~D8iWQx>kMo>h-lsiRu-}c^y_NH1T9hTsoxQKmq(;$zP?LcyQY9C7`_LU4EcDJ z^A`PQWz`WdLLu#SXk=0oXyO-JwT^42{aL-HJaP?uG(V~MhjOd0>Azs#{!baP|E|3H zUnk%`_*~@0rqQCm5~%l=stGuv&eUMh*Q>B9A|oon4wUZ`IF(NI^7bHgEt+6lp2XWLEsXprn;(ewe?{k3Waic%{BZfdF1dH6iUtaYreui{?A?rS(%nfp{%M=JA4SW z%m3pS`Rj)p-K>_yGK@XkerELJ?#!B3-BUS}zO_Z}dUw0b^o@Q_@_gztKz%xPPHWp* zO2CuL^{+Ng@ph|j9`Bv+8r$IOTlqFU`Oy=(ti^F5~}G0`}sa|MEf&N0D8R{*~93y|Q1F z^%U)rvlx2HC{foQcV|Xv=e^M&&+@?0zW$YkEJ^w=T&H&qkDPN{a>#HRnHI~lmU)|$ zYi1k!!s|zygzMv)dIiyj-kZ7>qQ@ig56yFitR6+R(&qhn*XWYvy_4ga2SUwb_b!Xi zI?Zv_St!%<-{=*d>os61DEkHZctn}v-|o&y`gv}jm*+Bn=GJIS-cvOn>+e1y_M%Lw z<>Nwaqc4AFKSy0*T$Z0>qJi$>HarN#)BNrthvz#q=~2?&eL>~IY7C1W z2`??y!==5=jLQ1NP{Yz3-RB$U8=MO4z2?^c?4^+b=fn@wKryu zS7n4T^&UUvEi6BKUTLw*Y<9yl3hdAzt-ER zoM?8tN9nZFwxQNWAmIKK2$jK@xG!Tx)Sj9X1x!Cv_ban)~j!5{2xyUI+`Si z+2%j-e)(oq$8DR`$jUQ$G8IML<1bS`OVA$kNaSr%Omf5%YrgmmW06f=%|XIc^WIS} z=bbWEKO0oXvZk(d?G)dx7QQ@hGuEcPIwG?(wK~mNk8Tt8&b6wu()yzYmDgA`SbHQn zlS?Dwh(fz%(lFnx+lBW{%5N8%EeP@%L09wP-m>$Qf(pM}MenDxO3rzWZ3(qLJ8v_y zsP1J)dYr~@YB7|jsTuU{ocH&~w@bS%I`B>GxjS^>!UdsGk-WAcL&F>meIG_)sNI4T z`%$qUQ?M98H6|_XS-NVAV@JxcjKknP5oz}UM-v6N>yyl^q=^+WIHb`+q9wGe0>7Rg zYtN~i^EJz&+Z)Fo@GtT1X`?lnNVg3H8+fyPTt2U9O1RT3SnN)tRflv0K4$NiTE$7Db3P`oOTnkjhBJXuRc zNbO|P4}8yySofTt=al&PFgN+n@kexIfAZkp*Joha>yYsJ7lfqOgPk{yy*=pl}c4cPyU32Iy3&{vGPVZMuk4Ot#QswXcr0V#p zLfe=_X?ifLE_Bg?lU?}IZMV^ z$|vc!QHRxZjn#s7gjpnq%&=+rYjlRwG&R$@nBigBPT`Q{*2Ouz`>H$j*~#LOygaso z?UKbxs=aNS!nmz%zQ%=Z86V~{Bn}<34sMr+m^?;nkmf1(zJ_BY#V}DRx7a=7nm(BR^U1t4aen>QIoS(7DtvFBFuUWiD27;Y}BlTuP6N zrqM1o7TrbNQQXbCF7jltlH>*Z529T_ l3+TyZm=s5D-+Aowif*-Ut;&rWQt%>0P4)QUT$K}n{|3p<7qtKY literal 0 HcmV?d00001 diff --git a/docsource/images/IISU-custom-fields-store-type-dialog.png b/docsource/images/IISU-custom-fields-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..cb0d115968e6ced326ccba6e1aa0b982c85dab6b GIT binary patch literal 40514 zcmb?@bx>Ac+wMan-Q6JFEnR{Ff`ou{cXxNEh#&|Eh=_D|H_}K-H%NEKSMj>Yf?-`F{m#Mjgtr|CEE`noJM)<*{RoeBABDJ!WQNuL;Ljx zBN;9!pOcaXot;m!&Cv4l%&0=Kq>!mMUK0>(t(iTLGKCm9JClfrHnoq8)VA!& zB2$BVzM9{+-U$)RgxF*zI|UR5mik_Qd8Sfbf(VLOI7yv8)q3>rSS{iFKw46(AlyjfBFh#ewptx?w?TjFamrK(#0MS4EFuty67(hC1yQ)+1QHPxA6P0eR$wlJchzOFg1@o zo9VCKF{x4Q4oGK+y5bTBGz_+|J5{$=e=tN#pM@hA*>B$#Xep^xr(x^M>{qXMtqjxA zL_&t2>N8N$2&)ob?*4*_0SCE_--(`CA`brj4Q2L)PG`OaLuBmZecXUHo3ytv1%|&1 zao?r>w!Q!tPxp12B$03~VY82G;F!c%e2s0|eyo&l!v<&R!)5mSP4Pb>aJc4|VL>~i z9>u^iU&*DVrIEv=eyTG=R)S3r2!74MREEE049&?gD!N?UO?hROOyWVSmiWkt32|Ik zg*~lO(5^1of^TnR`Kx*FwDRI~vMq}5MI(%2z> z=#%fg#R+xs!;Zywu^||f;^94Q9q_4__SfibkFId|X7B7;{o-U}=4X;B_Txl_U~nMJ zgZP5YEU*so3!&@cy3%=yCyKi=zzIc;gj{z5pDU!a&(5a$l(@&3`oa9}??;AuSYJH3 zPR)^qfWhmt0mp+*$`Tf?)nA^DSJ)ZCfB64=ye{4}$6rt9P+A?zAxcdpHeNdA+7X>a zRU)^|p0Z3#)(`8J}Z9CQ&DU^c116 z-S7S&sNLQ%g%TbPa!8nN7*ZW&PNi_pttWy4pAPxbIfwR*C*T_X1;n=)u5>!`vO3hM8ej~U-Yk0p7W zOr#86AI#dFqg@83e|}IaQ`4z*D{p5YH3-sv_h9*zD?BxluK2M}5{+!0+<}c84wVJu zvIL~mFT|3T$G(f=P^VBnJUrB@G>uZyDt`7+graN-^5<>aYrkq{8DLJj9?{-7)Mr9v za{BTTN0ML5KSq-3e&!07PlMHF3rP#ZzS7RUo3K<-(MEuirjC6R5TLs>gjhe|j4*P~ zL1KZ?V|eUI*?bm&yRx;Jeb(QY?k4AY=^ort_53%E^Xe`=jKSNh5Z%1V>~D$~xE0tk z;lsjV1I&DQ?+V3tAK-&NBs|hKu5RxrQ*+}vcf2c^%;s!EE6sfF=u{OH^a?_efW#qA zXe)Z_0fG;a(rhM!BPR&bYyJ%}gx&;gGwDf$5R&k(^g?XB+7GQ!z+CUmi%31zreL)l z+C67cXP&IbO$(M@)|H$s5QI$m-T#O{lQ3(j40=$fUaJ$_Uv?+Pv=@hkD1M#C>|(gE zoTjztB~rz$bTSUW6Y~0Fa)?B`x-^xu^w!MMHt==T9ZcXzM1gGXOIcO15%Q>xjsv5g zteWjLRq!Sj=bbA~tvmY%{mB8JR0H3|V6>0*L#Qd^q!c~5YssGg11X!?>Ac@^BuI!+H}ET-;KHjd39>ZBOY)pW|z_ zYIY#3C2uNR7hTz1VI=(BpOt=1=*z>sst;WDkkM59vPkF`;oUXVi5$zdVexroAWbks zh$!wlJwOrlcvm>&csH2Z@z6A6q1d=s&zWe|Vy(eMxb{j2G4?P#Z|_G}MF?NuZYd;( z;b`r+4qJC7ocIjM_!!>c8mU2mSP}mnvw8{()i9g1ia+sw2CLhWFpV_zZNd&BWVjI5 z1g#+<8v9X)jQzox5TpZ0U;*_5mt`>r?5*3XRH=MHN13=@-Q?553Q^XapO(bMJIeQg(w?F$p1 zG8eyXAuqlq?mP{vM551ea!d%G7YC9%EB4Df5$j1t*+1Hr2xBl-RpeoSdvyu?q@`H$ ziOqa^5t4LAdvfwa6N|S$i4<*O(uprGPmgQ@_pJQnDSnE$T}AEl%OVD&fegb}E(#}8 zZT_plzII4;20_hIQEg8yQdO5}iJuaNS>kE$6-A0|hd2+X^cnlvx^gmC1*>_;2Kg1c zx@T_riRipUB-RXrMi$9VRxW9q#r+tTbcJxB)wp|H>WHd~NP6Ibtk}Rm6g7b_e!n%G zwyDf$RlLvSRwtxhEaVE4A*raKtRV`pWwC=`7kwv{QDgC(+4wt3^M3^?1Gen(n ziU(n6hk-O-{ZSy|t6}KgqW8?8?rET{ zJAUXz6}lUExX$DLm#k6_Ky%aJ@C!-hqtis`W8#5@`xVXM31flMgrtT5^T>?)^tW{L?FdzUwpV3Idch8`U05aTYw!s3{^HF|gcw4pBPTyTdg*?LQa$(Fp# zD{eFhOlwHgSG)T8j$|QDQL?+?E>+Bd>K0>f;6f6Q1Q}~~8Lo_-DD;@;q&`4c%>qO2 z2%_nGIlPz3EkN|Obp&L3xcqqj@|rpbL`z|4WpW&m|8mPsyBtit*mihj#TKC=k1JMD zrrf165QIP^TijkK7qs}fVBPMCq7f~kqdvXBUW6^|iU9cJ7X7OC(%>;(MGe--(iY-F z$ik{8K<>~ij>B$W%gK%1F*ic?5aH3)&jiyy!YK9r^>Z{Csaav2&XHfR<|)0Lb^JlO zF?{=(C5BWuR2N1V>=bPwQB^)BL)8+IC9w^+O+LbFQyz%9%`)-*V-X)TCzthLAYgW> z_p+Rq839>MKYGG8XKS`t31a7i+t76q4E&oh-dEgTJ%*vrFukBAB}`a;IfkV?^k9f5 z;+tV)%Nz`r7BS(hCpe++8-R?*RZbt0)psY?7Xy^r?~3SikH$)&Yt$Mzv$nUaibwHHy6CA2+=qTKJ>Q@TWZM6%2f`mB+5cqc3|lsGxWFGarOabM~Giu|2n)0sNm z>U}QEw@WcQa@MyRG&3&*UbNLc%4e{F`No}AHUr{J6(YLMX^cK}Cl@K6MES5Er0Z_$6f& zRP5bx6k%oJP|71 zCDhmRRxtM{veYw!{$+)F_%~SMHDm6T*$xtbV4SO>-Qo-C%gG3)f4mAvjp+NUYRL!X z>lhQ3d*HzkZMH}+{ET76n&fOA4!Y`aNy-0icmT7AEYxny+Ri~17MUVd3 zUeOBY3hl&wAqhO|vv-JZ>ah7?M#}v#W*Sc@LiX9AZ{#H1iy`Vp{+^-HyuIG5~gDRt^Bm-O#z%GiGh;u z3o8`Vw;jTx=Ndb*G>L`BK~SkhVgps69els4pi>D|OTpw@}yK=Tfe3 z1w8yNhLNnfdf{)56|Q(}!C@C z=M>jXy)XGK!LBJqwINMqd+%K{bFqEq<#^>PvAn7uDd$3-UyD#+UMgvP!Rj%pF8F9muOKRDy&f8~aGcpbWkE!c63YlEv#^%JC}d9N#3G*2(a3o# z`9%#SKYn^=_h)fM)%jU-| zjUPM0L!=D;v7J*cCm>75>LcVL4^nQC8v$DE6Ug)>?V3nGs7fkxO z5UzK3F`z5*HOz$=_s}oa&bj9i*iMIH#tuI^dfo(=`m;jGM9#KdDKdy=PC z3+&<>_Whv^-*eK##T7hplm?VG^0qKHN^;3%Y(4DLaYoOZM(6p0PfU&nYknD`cyKJF zJcsiiND7nk6L?^e+&dB%XU1}3$mv^e`yx-OLv{C;38MF7X%tb3A$zj)-AIMo=yqp& z%ZjknluKac$Yv4l>cU}uKKfr}cYJk|J%f`_wdJSC!*5^u6WzqXGEj)+eoJwvuiUlK z@L))b4TQu{5Ljz#93Cfa4yElQ9XOfIkExf1sy`$)HsR~Ngm{~Jz5-@wUJ1sBz^~M*xzlSMi*k|Alx5okM|O6%=T_hc`Q5j6c!p51 zw-0Fnw1iLC$7ox!ClcpD&c~3UWog0U7(Rs4^msNfxFOgeUO1BB-}{3Gjbb|{(&gm( zr06YOkD19eUBK*Y+Paf0HHJN=w7aZImDmnEtQhRAdxyA&Qg`%?_*#1{C)q4Pcw&-I zdrk=7$F(Xq?PUP`aAe?enSoPndip^GoVlnC2n_CZuz;SMzF>CE27`C*+Gr_zyw%^4<-B+ts9oWs_g~i=H=e zt;jpe#LUTvfbe6vGh^^6Hji$MOAtZqC&+OaeC2cwLYC^Dd}g)*z{N?cd?3DS|<)X}dMdfqKU zc5}%bJ1kRP%@=0iaOJJj3=}-pl3_z*^PfC*TkRE#My96OJaH2WWmiF;l`kyU!gn|3 z-Uq)w!gy)!48!m5OV&o-5T~LB_aRHK)2)Swj}HPQnZU%TpX1N=5Mcf1^#ep-ld)lm zRFZl)oRe=Mcqm7BkD35%o-(o&@*+mAeQ_Q;uLnO;kTd~gJAimeXz7t8Y|UVU0uyr9 zAFxT2(4jMauNO69SENk@(6TTB-194L_VT%)NJ0E~vPr28t4=54PvTbNCKy#Bcz|RYjN_ zPl*R?4vgxEA(A(~s(;oUwCgyY*Muu}J!*P?wQdsGeEwlC<}a8YSj$iwLJF!Qr`J`x z9Naj@8yjECojCjAN0n*$xm!j=l7O^Jy^*T|xM`1QEpHuv$9`Csp|yEr*^?hmgvZO3 z<5Fb%OhD$j*i0b;AM3gJl3phOq_7;nAbY+k<9alO-Nk^g^U3B{pgmCZ;AC%BmWB1Z z<`UvpuCD|f@9#(#PAhm|PX_KK%Ri=4TV@k3>2jm^Oh1IT$=R+Cydq>c5AqCpPKD3~-0z+1Sq-PJX`7uo@=7nl|v|P3gAZ zDL*$hLy^<8N!9t1UHl#A6y;^hJUd&lgts$A;fDO|tD)5$YjkN7I6Q?xAPoR=J-vTq zjaW!|W|pU*qN|1R!wlf6&gmssccm2cc-v{q>iz)T;9@kUPe6~p@zv5w{}$4eITAVq zB+%&Z+{d0%xNzD(C^Il=riCk7EQkL{}5+fuzxiz zp$2F)Xcpzjmlht1YZl?l=S{9SHR6F_D)*=j?j8?DeICp82~UHH_5~&&uRuuE)?1`2 zuf-K;;waM2lLWd*B_+Ow_}2D`p(#ypNEJR^e2N?5A+H8Q_ALvn8m{wORdtxwK+Mld zwT}CSC2HYZ;lDdk)HN6l>G{KF3lBvyZgrowm^n%Sb3_2lQA?rwqIQ?3_XFPNxTz!Z zz_c(fv6~|nN2j_eCbcuZ^j>-zXda~hLGxW?C`hU_xFU*L$i2emn1m7ET0|*{M!XIl zNQAIC5F8}b`o`B^2V2_!t)DZ{_NL!RPQC@5wf?Gi?+Ute^fb#i4H(KTFX$98iM8?_ ztPZdmY!}b@Z>GrrOZ!gENB!{&39=Ukw5eh4N#o2NQ*kD40oYb-w&d4Ip;w@(*dUqp zDpbURsOW3B<-A3HeQQC04lkL#KE~+Ad;(~ueAvpydfo5RFH6(gyqViUc)U6@h)&)( z%O{8%oL57<#YPGzmWAY^@W9~804Av&eEY91;Ro}gzqo(gd1!&|4MrhE{8vBl|6616 z|1^+(bd17(nv@Tg#5Mo!SBj>krTwR6dHa8FS^l3!{(tIy{x<{hf2;pq-BKh0mIdon z_Z!xq$d79uFH2#eebauIsQ=PH{ci^OzjtEaTo-%P+b;@P)@UDk@bK`Q|D8Z;@xHL0 zaz8sgeXF7ZXE^f}0_3FVvoc&^>Bu!#q-@0g(cl9UPTuD_`oZk}@ z9YhoF&CSfh4i}qfSy)iFwzeFdovqJPH=JMCFVw>b3k!St_=JqkJfy!Z(V!I*qwp1@ zTv}SfLdm*081Xu7E#orjMXPUU0Hc~(SePug`YjxRHu2Z5Uy1mvC$qL%X+uA3_wYDG z={CAD#Z!vMr=}8hcXt~Of8j$$LFx2Z_M0g@DAlT1OAAl?!P#4G*a6FG&`LI6=ipH3 zYh}fh!lr}Rp!-fL0YmXSf`d-=zLh~Jh7gIp-|=TFAw$J;%k7tVAv zG&BIpXjkjC67=o;XD>i6k^OROoT$%bc71()oK1;B(G(3gH;zePd{4d8x~u=?(Q-m@ zF)MUPLH~QfPx5BD^M!?lol&?9j!%yd-f&;!^E&@jSzwcp%&oahXnbuxvhinTVM*5& zU}i=sYd)1vpIjf$mD6hVeNn345)D2vL&yy!iT+LJY=w!6zWx&Zou_u|!=+BKPF-nB zkt8y8hP&05>y0F3PNy{)$P^n-5`%JYZyc!(KCEV`?w?}J?-rZ47kjT16}$J!+Tz)C zY7Kj$@i}>UZI7%Utndj5p$+j@^75UFO&+W3>marhzI~&yov%e-U0ppsI|~U5dzm!< z@s}w8q~+!1fk8nqL?(=kj1r!ng5WjzYPFS>INWJy#uY^L^z?4Ed8!3(RaId@&pEQk z*pipzQ%XuFXvO~c@dJIDnvM?M!2jmCt*z~@?NO4lSWt2@z6=d^;O+;VrV+lfnFy}% z%1Um~sU{*KntWfXQPgnzB`r;KVtRh=sznS11;z1Tu7NKH4jTQ~czB^a z79)nY=YQ=QvuZzOWS|wO&n-=XJrqh!S5bJ#@H=xgEP$#8?xuVx(W(39b9K0K;(2^^ zC1+{LsOi7n8;6XB7TVD8qBoW}1b7P^1nOL1Ib1f^*4Mf07X*(zMLfN{R?kMo%j#;j ztp3#45C(^YRDf9PH|5R{bds|0a(3nhkHb+UM6|a{WC(j;NL-v?Qi_qu#gmOQwHb9G zHeXEZy!o2-;RBZKpGpKUVdxtX(TK9Ent%R8c4)aE*grTha&Sm!aM}J=U5y9%@Zm#y zCXc43W`>BDYCcBW!zJnc!$ZgV2`88l-Sg))e_z-jo1k4CEz4Fz}9FCXN z)bIgM4>uc3kt~{83&9j?U+s#>(J1O5>WU*3I38drqhe!22No0dI1H_-;-SNN_CqN% z8hrTrSdKK2s5fux-Jvi%0>bJ*G7B)epwk+>ubkqw zSy>G&EFzfHeo*oA*Df6lY&!4H*I}llq;^5#wAcHAvUA1=e zr|RP!;R^&1&J<} ztM_A4(tAfo&X~wZ!`H80?;q4Hn;Tc87ED8_IS(U;^brmg3*+Vi_3QOtLRWqPng|Yb(EQfMb*`kPeO@) z%a@++?(&Iz<*LoW&s7^68~J`WL?(?_eg|0~S8Kd`2OQ+9s83~iIVS-z@vnu&#Xlf+ zp_7;|H-f9GsxkrfzPPwJRI9c3?t}TL9~pFsO#E(B{5XJaM_wH=mR;z zb-A>?vO)1cz}_wVM*3DBpEjEvAAz<2j|#&h>UWDkvu#DmNn z!_`~AF66#Xlq8=A{T0;kO&&*;U_%(c&!sIts8C>je@t&~cjsoGvcRUZgvn|&0w=zY zH42gE=jR)pv0$a$-Q8J*gubw-si<@)eHHmNk|jP0qJtQc^6_J*pB9;*W8g1S?#zQ} zj6|E6QZwK(OnA{6P)|1pF^C3X;otzC?tZxN0x|G89UW&c(UlPnDXET)L4j`M(9n=6 zL`zW-%_O!0>PaAMn3vMG}hct zH(sZtrw^(#V16g$5zHLuoec#D%zt9iB2eC`OKP`G-{4ofRx3 zfE?U}goO5g@)SP1F2#_%XoWxR|5FR1;8L; zAT$u>LC;Wg*x!1`MLeEdIK}Uzhj8J@q4kCy2r^uCwvYEWLh~5Uo*5Nslo-cy)!P2y zCcwe@R#nnFApU-)_wfnHr+(jmn3ebcB${SVsG2D=NQjI?mXVQ>U`}4!{A|#>@hhnT z1_Qv4*-A6ik&G810DZyz^dA!TKDWHTYJ2J_d{;z85W{8E3BS-5&^B^uLxC?a?XhoV z6l(4c~wK=o}wU^qFjNT$O_2@ptdu^$!ho zgWBk}ds8fXhXM~f`{xfe4^LH32<5e}7)Y)s<8qWn7rRrAj*ji04g8}rGBSkBHl1Ho zR#s9azN$Cj<>d{Hh(M~Ws%mJh1GpK`XYj{Y%wXGhQWx&B8+o6Enwt89e4b&flQ>9; z8%rz@fYgG)bkHcpGUh**l(6yJ&4mJ|%FJIJk+b!?Xw#!WOzuSoPWUe zY6K|#V2fr?=rdf$o6}8tq@(J*xhub6Ww4dAVY6nrPD4ZEjeXgc@7ay7FL2iD-J&v} z;#OFUQUFXr&B*w(!%eeTD~O}*9>?c$zvJQV%ISPZ1v#wKe9@rhu6Nf*oP?P8@40k| zD2)g|KLJRL8;9aPK0csK>1>~P+6^-qG?flNJSAaCed%hKn0)l3c}asEjz$~|sy;xQ z#-N@eV_@_GJ68bQb$@?0s{0rR>!^GOH4@#2R*D^v^L@86te19(H3!i1o%`Tg(<%SxHi_dy4+LC|Fjt=4`q z8dRUM@lz0}h~YGI4)0 zkf}prVo=4N?p@T?)u}i*Fj+K;$Nr40bcC$_{Tp?%-e&?($%3wTTxQmf>+9?Gi3wbA zhlG<87f8JIf0bn8NWvy3)r+-jP*e->tZPV?{jSJ?pO#%4WB-Ja_nnzSQe9!lgkBE0N|O0c1#zSGYjV- z3=9k?;yhevfUD3#V_;zD-*g5fSb`4cZ?z?mJ#v6c&DPqH($LbX0A3Fe^x-W)POAU| z_YV$A=PPA$0+!u;{##+R`g!H0pTXHgMv56=Yha0U0QMt=zoY}@hE=y73(8Tz2US~5 zXsgTl9hFTlBq)F3w<7_SHL5ED6F_Ga5ENN{m&Cx!A@@!c)`z1%2E+>*o&s>BUb%ph ze!miexw5^D1dKYA#)A}sh~5dn0t^Irc0_J2t>T+E<1IcOwu_DU5^f67At7+_6rw0< zYHC{V->)t-xM;O_yJa3UH8rho4X4jGd-24^#;)w{qBQ6(75_ER&aJN}y1P8+0uHpN zc)w6%qlre$4d3K`01JTsdK%o?1*+G|#s)lSz(8dMkVc@ygOjrz(5d?Njl;uuQ0LYFkq84EI2?mKy1l(! zBa_3Ah?LX>6qakij4J#eykF7bfb8E6$Ob@L9ncou#zv@Q2%-^~E0jP3$_3JFx1BT{ zjuF_M4w4ZTN?59RfLLz=B_<%Xt~+BepyD21UiJcyWShQ=+F|S8{#;kQ1ov0=z2^et(M;aAH6Z5>fv=|UQQM;v~GGgnImOu~Rx+#h#gg0vb`QNcAd zJlybWEogUo0w5hA6+ubfuTy2~Ln!9^t=kO9(AL&;Ma!Ow96&k14fZl^%FHR68A3Gu zoSmHwt*oAzn3%NeeMm_O%J;J8B|!(78Xh2wmXOyb+xai7DORUvu2?~U%gV}LgdYOb zjz>VyIW<-D^3DzwlrCaoVn#N$FpvxYsctySpR!I&P7VY00Z`M<>1hIROKoi}2)|I( z0vQmW(b3Uk6((}C^YbBn>p@)M`}?*4?6!Ax!NteN8^%g9C({5$3sBthnwrf40s;c5 z-0^lW4p6XqdU`-b1lPmfGRgpz31kvLZS!61h)o!onZdq;pH*l-zxJsxCwGpGVF88< zIOCXgP5-Z7lKT1-04yT|n*&$;Ib{vL!8u{sON3%za4-?b7!A4@fc}H6`yegM&dxeY zaswCvkc^{?%iV;pLJUyeK0+_ONy8>e2e(K`ULOsAs(| zfjaTku5MOzGzw?0>+J}?MyuHE{S!FIaq(JVROa>TKWC&gSxCylKt0t~1}7wrmRg`B z9eBhsprN%M$v`#cD500By=x}{Ts96=GpHzqORv}t0&~7e2*{e9mY>T+=|Vr$8r#{$ zfmhaf@PVhoq}l#Qhe~p*UN>EHS^4>B233#QCM3)?p+L8{!Qs)oZW2s)t_LEjcH}>L zX?8L-SdHA0-4k7ACZ>l$N)w;ImYdT{@2J>huHdOd@A;}Pb#Al?X(o7dYR<$%);|8e zEbTN<4W}uA4#HS+S{AU3E7c#9ttb6GFU+gR{jqr+6@JVboHU7R`%c{%b)bjvTPkI@ z?b1(~#KP1T&4jk=vJ{bej8^O8xgIWB#9o z-T!*T1`K3mqY)p~00(M9Z6PZ3wa8wG0|NtCM6Gqd0wD?7L$13U)0PdV&cuMNhjtRKvq5#J?K2~Ddi!d!OhRbO!k?p; z!GsNz%AM&F;p=Fz$hpxt z-h4p|k{Dy}`%Q4ToB)6x0erCdl0HrpyqK7OWMn;Tp42mnEF^GJ0f&SuNg$bTArKVUN_-er&KHj4+aEl zmIXP>|CR$Hp`t?Vey|V}_oNq*kir^Ji!|Qb=z3!7sGXxP*`Oc5T1Jh}K zZp~hdj|pMK$3p^-k2!&Ig=_5OCZW!hEaV0pflLujGDY>DU83M%7 z)zOw$M)u{R1fW<|Btp(EF6B1c@#bOusD%DqBM!A4qob5kIWT~K#|1Rk5rN`qv!x;` zibtcv#KwjXBplD}Ob_hSt>w46y6`M4d)|YM9*4ooVtPS6M^A8F;R(f63v+Xbl>XId z0S1DU&z@n9)f8P#l=?TVo!yjsI0nj>00jv)IQYvI;h(G^P$afT^guTzC^pvB^>87t zr3jp0`u^-}yRGZNr{i7#G(i;4_b3;N-PBY+QYZbIJGXjouY^(STZ5eyP(dIj*1BNR zOW$i(n=qY?^+(=fG^2B8+yrb^2n~Wm0^DSo)9Hg;^&dH=rS*RO`9N}MQi9RC2`J5AceS!#wmt}7pFYi=|&nS~>0xhpTX zbtPqcFPA$`B_^h{&8Mu)0i^jIH9ru#Z6>j+*A=vaK9{`m3JR;6Q}}0u&2SbLg!kv` zn1X({bRg()DCrF!!iNFt1ah%31-(dMVj|b=`9Vb6gPncmq4m{KAD|Z{T6OlcXz1u} zDL|V;%v@M#fIPcD!Q1tcpsvIR?W4}FGQ;`HOi19kNiU$l0VZ?Rnk1PzZ*#{3XZm%M z->^OLaPskml*F-JHB~ru1@Lk8LhkvtjZGDcTr3F)QaHID*XKXV&~$lE|DO8j<|*=Z z$o^W+e&pcr%)?y0a3=Wzx52t4UKKowei#_VDcPpQ&ij1Ig0qa)>E3 zTpu2SMk0dO6&`1K?sD-y2kQ^YswTU1uFCpenSe_fXkOR5?a{-+h3x7v@bJI^hjVm0 z2wVWaF7A`=}n{Sz$rmB3pld3Rbp~ug-CEa{l@h#n$BMad9O}el$9j zN^dk_fK}|)XDetuZI)mKg_|G{dZmoeBnJNupc?}ICIhmwMDDob1HA!=WWbeImRf{& zCV!y=B}~p-RGIoY&NK4|3Xv>z_M}yF4ZLf=TjR%jk7L0*E{y#rY|O(xaY7RYMwwdB z!pc9{EvgzTX~Mkv5>v$j^m;u8a4zLT>NQq6f2mx*&e`4r`Μ?EY*kLTl^e@$s?m z?uCPcb_s!(SHmkMr8U{&r+0w$e9zC5q)+OY8EtDR0u}T-)ZWoCF=M%Mfg^j5kD?#+ ziUw8f#1HQ%R#%OPI1RDvb=$(LtJPcX`hX92P1V3{jrgHL#u{Rfh)iait>Ab`-ZYJF zNKsdYseVlQke(j%442{WIgg8@qeOptfHaUhAuIV={_W$m5$)?Ih7L!8bz5v>&r-Pr za=EtSW+3XyCp^Bh$cp!VyjNN8ot7Xx}~81{R2vLAu~KY{2JvEn?HTu0-nCLwUCR8%^$jv z&r)63M6*S4Mdz-I4K7VeS>bJsTVz%0%$xS1gfCs<(?$T2`Y`uN{<$ePG3Zb#iIl!& zY$sapq%uJRZ0RDUp5?XXv5B zw|gI;bH-Br++4WZgPI5c6A`ba;{<{MCru(X8F}Vh6Uiv~zd;eAR0!db6WF>7-eERXuQa6(ZQ!tFx@P#DiU_uI+M!N=*s?j^phSs zfLEgEz=+iazjkK%km9h8UR3@jfEPP|x0nBEyhO(BM}J+zt&+#$X);Nu%w|O*3ht9o1PNbIKaw^ z2lB|yVv};nyeCPPO3h-63+XSWU#UWF-YtVBCP&oIUl5y_<#F=ygd`>L++H34L^-qO zx76T=3Q!Obf^ARuU-6+ND*r6}NXvV!nmL2u3xkM35}G3&0f;PE1w3r*RYxZ$t0_`0 zk$V(Sl;#CxWV4Hl(WG*)f`VG=XU@*fK=FG9a3A1UxyHu!G%R~6ErZ}Z^(*R+&75EE z(#G%_bmN~Mjv#=icMydnBpAf(eF9=u|4&jP5mQEa`DmxxbEa4#E|k*J(x=g-mcDl? z+X<8b2%3jxg3y#c={Fe9o%b(g(y;y#$w#xasT7%jeo6l3f-&MIy zDGqbIJafqJV<7gA=4nie_9&t3z5rw0c7PRmyFRNA9FDt zH3zXwB{|n~6}*>5ouN?|tqMx5ufUH$J)JStv8zaE{BtGls|=JJQbkR?u%G>9H;)mx zKi^EbdN_h&Zj&ME6CU$g9Q*cqfgX1!-EQuhQUnp*e3Fp^+K6e`Q$WNxUpeX9UOMQx znM$NP<-ey_G;L1c08rA@-2Ai)lOZxHs&{B8gUh6u_{Ax;tu3#hpdf4wi?5OrKaeI| z59UfbWb-O3KLSAk)TI#G&UB_|DgV}#(^C|00ALHNG7=4r@|3g01cff^4@9P>rZ%>= z46Uu@XG#}I;ur)3kY1|nEG@!7O87A|mGYl-UnyBhO6Y+CDO0Jjpx(PJ0wSGt z&D@IMF46BgR8*8#%1>$8*(-?4nSv+e%TJEM*j;kme4Zrq^fiA6fP5wB=_szEV!&h4 zn|m>^V4t1@RB4lhxrgkuG~$ULVZ5^(1RL9Gx~joI4g|^u`dUG0=@!rk!OGzSa*KEX zy5FliJ3kZ7X4YnEs@b4R1I+0J$}$U25^V$~m-jg>*bGq-5P&Bgj+WQl99yCz_MAZg zDe!Qyk;h@lcfZkf^~m7~os^Um$do_Fry$2GA#iD;!qpuE?hoDsI(7c?K!k#T;2p}i zA&SR{Z+;r}AQpBfdwhhsy{WT*_*A4>dYu0h^;7fnH%5s1jQZK1+7gjA#$x^apLb$h zC$Pe83zBB<^281qwnSflX20~kTCCfjCj|f0J3sOC#>gqI{`5(K2@>nwAG2aL0n9RXn^aStnU9RVGcb~rOxjz+RTlZxm@xCZs{-l$OcjJvm6&Th0B32* z1m?YF_rrnv9X!y+R8>FT*v@M_@J|g-#f|lCgZ}0lTX3|C(yyAtVELJ+Cz`dZ&(YSF zlDRp(&2+Kxbny#M@9D18=AL1;Zrjnu%jm7=>L;?gveW=)@ z4%qQVYTzYA{o=kYOer7kkz>3NfVg8K-pJiAb37hyAd@_`G7hi|cCrQGPbdZNG~FFa>_qH z0h4v&Vu~{AiV%1u`;HkO?iQ0u&{N23PQ?A-wsPDoP7J7;nwnD50Sa&5ayEE1kcs*J zToQ42*GuKucDlXr33S=UVPxT8;61OaZ)$Kkoy4@P@lw~+tOD)>z+{?`8wn7Gd%*vC zQKBPmcPt!zH=jBEa@}CMXYHeLa7aFnOK+~$dmX3a75`F$(T{E~7d*Z+DT6v>w3ng` zf(Ystv6M$$p!GWx1b6p$IRJwB`0-OL#RDmYXZDj_-BmcqK0(-BHW4XMy8szmAay$@ zF&DCX;Ig)^l*5RU+e|^v#+DpwLwv2A(d`g$2ahRo42eh}E3C`1iBCB{0AfFv?d&n) zM9rKCa}hH!ucu?K1ve7rB|J0*-&)1lxuBq)om^xFCJrDo3vxnVZHZ3(qk$jocAxkz_cFIDvPhNEzop^M$#4oKHy z%HzWwE+wVK*pYi%65T0*TmBs>>AJC%6~ZJ&b!%El2{|7hpSs37F2`)7QL(zn2nv$C zC;#hX?CWbK!(+qIIi3%_^mO$4mT%kIp6G&ugA0m_yJu&Klt-!Y2np5n^+%+0n}Ni< z*%@{Q$q>4LLy=E{`z9B6Y79<6f(;8ZmcMT&kNihLGjZIy1{8&{vSm1s+NaYkwubru zNaF;Q3yzA;6p?}=gy=${NdU#c@lY3b&X+AIAAWW7f-_f6yz_gYL}jUk(~a|--8$}7 z{#J2J5KIy=-~VdwJ)ojYw{6iYtHqTKEIcD z^^CUEsJ~~Z)3QwC9@9?UG2!pu;*D?YeuQAqJ;?WqhzMEKl}@ZJ%6odWl{!_;tN1E| z?Zed-swap-C%UN82e(U$RIK~ZBc4)d@ z)3e}iOOtUyCz}7tRXNRL=;+-aqmkxxTy)in#S^vQK(Hb=^tq7;ZUvi#e z$D8(*>!P2*=`jD>GRv=bwX`0;J&vZ#a6dN(#~bZ9)!qB{aK9&ycf_Hud3Jj{{qfVR z;cqk7zZX(BvnKBV{oXAVtnu@%v{cCQx_#PyqT^#33-66_pY9|NZFqYmr_kPDROZ$7 z@V5|o%urOHfK*5G{?$NOj;nbLIZsk$ggIwGV|CB? z$uV}x*yoljxdRcF*+$h4GBP{&_$Ci0#jw8RO0x}p;q86N?c?Lr4#k$c!m&JYUy~wI z=B!(f$2}2~66+gj=9(U9_C^`aytsfkHSPBn%~iv!z=eJWSO7l#rla z;+2CE?3_7&NO0-MLdMoH*`ly^O0S+U>%2CWxk{g)EusR|>-qial`6%PTNAaE$Tk zGtcd-f*T9cWLZi|N+J%4gd(5aGtel%D=iJ|;W#X{^w9Gt<6F_&m!SAo8A&HDxY^{D z&097fY^&HJX*@nUI?BPp^Id)N3K(ZGsqEr#@e^+D)G@SAlyBa=X-wBy0TEP~sI6z9 zU)kq}7$RYZki4n-b!Eg@#MoHZ`No-3dU|@rrKLUfQQnJ-+Xh=f7HOzdsejVW6K}Re z_w%}f?EzZe)hEDYH{|55$jdV;r5g0v%~~$6Y#0ij$Y|%G(u*VU%q}73)+TDRtE;=4 z4c^=w9v<$HWlasyo|}6^W&^Pl4J6Kj(qHc5y}zH+Vt-R&f|J~jj9!VJ(?jk_-O@#a z9-AxbwSeC4;S!>bJXmh5tzGm|ns<0Sn}>tv9w5ewpq3sNkI}Nns(qXcHP`gZJ-5Pd za-2By;{E$Lh2+T%*UPTcX13OrmTsP-Vq^kP3}cw&9Jm*KztG0p?!*GJnOLwb2ORr+UdCHwsRkL1P9yCZ3)$Dh@Hc#`|fJ@RJM!DZSG zT@`34G_AGBo9M@mxHh`dt3Mi47SaMNI<(kmqp)2?<^=O0I;@?|Yeqp!e4)L(##o91&yTVfOv7rLiL(UiHs zICWVB(f%D|q~C|X>A2Gg#f0*_@vqu8dg@kGl%Fqhd%JC==w(KcuP&mM@7r0sX(|uW zsi7*%dU6Wm?&_fA+{k(byF}5D0fatu#IMk^^m1DCJQ%!v-@e-`x|8WwkGRfF9K%hi ztgM`2n0D-))QpLVovs5;Is)+=&@1YWYZor8TUiu(EyC~Wx*Xsw;!s67wP5c2Fr~5~ z`nF88B(2~tS&&u6#7NN5+YbnkuV3d>P*5N;E*BSfLjyNTtBkLc5CnRAdrO82OT7vR zxT&aEIy0<*;!l1QW@$)nPo@*Nu8*6H6+Q8z3;t%qd zeLz!-EP8Fa_Mx7hpn!FW12Z@0LZfi7HIJo`iMC@Ysg+S1P<8*SV5`)bd=o*!VQe0}Ad9dF_K_E&|5L4!Fx)DW1Nsl4K} zE}$t@I@GX>cq1<~v-+_&1*Srcf^NkMXH$K>3AQlM{nq_wy0UGzNHxw3D`$i} ziklk{sA_XbD!YAx^|UWjLTvk@a_md=B93v-?4k%c1>MVg%w=d-tn%!Jg;lKN5#xsX zbepM-S@9Wcj|Q$;XRy1tv$O`i{H!GQ&h@Fm{guU;ylnll4iCFTalf1AoJRIznclm3 zzDvbL!sVr|p2}G+*}5FcgVvB^`!2dpGr_r)aAubGO8C6?Y%QuzLT z>@j72V*dfL4p!pBYie4Ao(k@!6<)oa}3vSi0M9xA`Id$Cu*cf09OX-W=#Wbo?oPXYA%h%G5vWUX;eu|$=|!ZcE!ZTY-Q8d)NL3k z>$H9@AALo}$I4KaxRBjWhc;}bjn`{93H9?J3?IM-kVDEUDqbh_SH9ONku^GZl5`;C z+_N|?ywKxqXSwo&k<#_KKO~y>G|W!E*RROQ`8u^gMW>MCl(jmACc!g6BNUMm{+y4{ zDfWVh_p3A2%#`3vy)5$iK1nulSq|Fn#*{1lR>O9{XZv}L=%AmA{m=w}h>g)6ejJz0 zf=TR%@y>nw2%iRY{GyR{I~f_JK{_bLz6=OBNCMgP{{4H1WL`p6m1x#`eZ?9@Q$KV~ zk}2RfbVyJ^Z#s`k9!7E4B&0>E;OOudcI1cQ=HcVV>c+-ZkS^J*%rwnR4OpZLuu1>@ zsHW^>6%@qm?D(O{g}5))nQ-Ts#=SsEgiaIbRbU{F8U!JB$~N>hu8Mdl#)`(ub2-eL zL`a8LE=={$bY@MKvX%$&d3!OlWhvdcgD`GE=(N7TrnG6>wqB^~Zpq8Pts5j%k?=&2 z;7oGI@lSob?_t`Vze&`cE-H?dnR%nJvGK}*!q(3!W}?kRw`l9$;84szsIT{d-j)lOVCBFFf@E%PE<7aX`1upm3pP9YCncRFoGYSX zP&fq-3=Ft$R{QPnWm+$s9AO23b{M^7ANaiDwJHum&aG-3;^VU$K!iBbKpsO>zY2@v ztDTf3vc-5u@IF~dFNbtYitA8&;D4T*r$RW_$gIU~i9>PYb{QBTu zx|i>=GrzEKXt<=f_%5hqf{B9T&I$f~(N_IaeONTz{ryGa>{*u~_90wcWo6HYhV4#+bTF=UfUad_Y{WkJ>C;WLyhc5QeFQR|7+41&hlYSzCc1$H z{q4HD#>UccZb6~CXsQav4Ms0FRP`KA%k!-%KgP$a7*~H%fhhZyWzWm#@N*qFtZvwX zpp4?eeFv>RJq0H1zOL?5+@F?33WM8Os2AY_`WVM`^r$m>&^$VE@vlS{dT1OR9A5Dn zGmv)f+!+H$$^5(x338z)9v;-^!wjESj(c8ZSofMtSw+Xy9kvhi5C3kQv$7Y$MD)@jGP?)u=~f28w4?hl#x`GtS**tpIq11|i0$J? zTlP&>U!o@T#til&93(F6ItNhG4EgJ7uiaF2TL|jyP-u4s5XtJZH4r|QD)YJTtEFm@*DHOm5h$UZ$ ztWJ24X11H*3IW+S#X0lFJ%>&VlCBile8jny=gO7Y1yB;c;xlK)MZGAqn@u_GJa#4& zof{jtEQfBXIxX}vkB30G_??k5PX%IU9TckG)6*8SqpfI#k)0RZTwOsrWa)d*Pfko6 z=H&E(z7w$+1m0m5mM1b{qRFln|0Evt=Ctf9Mne~$49ZPD+IeSHQgl!{2b%v7Lw!sbafqpTB;62m-nT!Vc%aW<$rq zY2GJs@zSMjABVBPjLsg8mbLy-p8u5Q_m<0sr9LNYY;1m_7(DxmT>bh21f_@&)GOQ0 z#MY!5t3km-sIp-c`T5fX5>kR44KPruytQig3bIxC=)vYhmPd~sol;5P{eZYBKy3K# z!S)PZ+^HYZ*r2()*7eBXEEnngfj= zu)kPXsIFeUdh4WIM#||iW881xHlB1T%aJ4V9uDB-~%#Q)CFlnh5s#;7%4$N&hf8hVN(`n=EBj?%Znb2 zRd2rCu@V*KUQ+qiC@*i5mhrta|ET#|R=>QYJI93Sw=S^jt#@#2&Cvbxm;H*{o7WO< z?mytf-!VsHl=n4rF3YP=)+SHaoJd|Q3=lM2B>=_rcx!)%yY!z)wqb~=HaByivXVYRT~O%d zblSVQF7lqCW_t{0!Lb557x(Ws3{I`f&NifbvxcV9yzx#NZ#GVS#WPtjBUv3#a@+Ph zjYD(x66;^!W^CQ4lVMugyI=HKS)I!i6co9aCR2BGkAcBM?NxIRmmsaEn3SjFO3UjG zMa8hlRZ-FIfq^^5EJFw|2wt!e`~s_$WMiu1k`>Hht5qc>PsuC8Y9tKA2F-Bi)7=YM zoG4U~!#H)SUvHdg@QuPG-Lt0@lUz1$2z~1RC&buxvQGKLi4zd@r;4?|T_FVNP$j2Z zjXnc42460u8$6%KKm>C^!4H#KOJ&XG8lHfbkYmiuUN2s}rexy#(e6=d?}JBIAxTFj zBjv0R>*~Ba6rg^RMxFF zQ-#?K4#4);oE38W!qUiK%XjYGTZkNh!T>E(@6b>W`DjD4cKF^7pFO+V-hRo-{fhe38G6Y909r)e10N)5KeExGem+}L?W1fkDI7-Muq?s{EI1UYT4xw(*wZ}utX)psy)T1hR?^> zcimkhBX@ide18yupy5(`w|!!ERtxr;w2X{lY9E435f{(H7a^I`(bG>%PIklGNIHa| z@6V2zy~;r+qda3TZ49td)fv>)LdW7(m7 z|Jg4>QOI$FpFS#E?F!cN=%^bCci4p7LOx52i-VwRhARQI%S9qq|9Shogc0>V2utHgBp$3g0>;dSo;g^#lB=evM-p9oBz-Wn$ zF;&76YBDn0xBuQ^DFS8y%M8Sen3NQ~P`bq5 zv;Yz4@j~*duC7j$03wuSE~ulSN@*ZDOxIi`&TDnq7M2>KCyE~IQ1O+$-6_~R=rf)o z-i>7cU5&E1&qHVy^0HI+Amlrxl;R2)yM6}@G+08orcBJt31o^B1~D|J8Z)B2__b>= zGE}R#)R!HHjV<^dI#MiO3pd|@dt)6bhle~9upK)W~_s~WqxIx>>(OPSWsZP zIRnQc^7>O37g87C$sI+-xAM{PDJje_13i5BONYahB+#VPHH<1be0ZcYM~%`>Yn*u@ z)ub9W+XYP`)zj3hW<4kLhrQ(JoPJ@sLH}1?v0hQ94u<73WbsILG0Sd#Q09=qh_-B#y z)v+<*x0?U8K_M?RI=&7?2z&=V z{FIUs0Z+?U2VTm)FJP~+;a1Md%GT{|0F=QvkZynNkneEgptqX<3UF_erFjnY0-|BV zF+1kcUuOTzZEFhxAbf50svfI|os*N37>)sFy-~tQ?2^yRq!X8wUN9x>gy9YQ_mlOw zs?$_pC+Upsqz2%vC{!uWd5@rS`u_b1BVtnKS8EV~Of1qNOotA2x$_R6^+N@KB#B%> z6pb)U!f5Dvkb5&CGq@X>-M?yUYhy6N7Z@|&fB4XivXq!cAtI7v*C{724+Cl*oGAe@ zN^KO_L342`pDhM=J$q{cyDg@Wn3|ZpPaR9Dhkx%5+^}%H0rn(5V?v12EZvj%5pXHgg2pxmMIz1}dy#f{~5 z3|XzK>+ZF)kph)c}m_yX3U8BT7zlGohq zk0Am)3aM!n08(DrPm##u)YQ}%-tO$PTIKtN zSLg3DIL+UCJ=^sjm6yXpuiyDmE_vugBvHMVR8_$i&Id9P1S*5w%uoTi5I)DnvjiJ~ z>nu23eQ747-ZT}7pyFMGs=VURK>YYtw#4bIIp5_!);pK&+1+vDW%gY51x>|WYTCC{ zRAQl%ImsXVv11xbDm*PMts@C8oN%-vYU~K;;9#ARex?6)-JlP`*$LR5W+He~#`YiK z;*v$|m%)=ec7x+VVRM3!ylfh+zUS>x^k17=+4}nXS)aW<4mZ9m;rGKQUN5PvG`jH- z(oo>F#VTB!XC59Npj%tC3^$u5HuhYL(!K2?YZ~cm#pt79sCh-kl*1||Wuq@E+Xi}HUVgdoPA}au3p<^5E&Ns!*F;I{6pgK-e6~-dF`Wd#|;hIIr0%v6|x=pfCf;S zL#z1}ZJU;W8;=Hd$fu6@;r0$W@^EnITD0okyZ0ui_Sa;Oor{Q^Ly{S-I1*m}fLAG$ zj6|Wf_HWi_14yA0-`Xs!wPl}OzkY5%jq{TXCEBYj4|S+9G2s*qixd-54mfg|4ihH+ zV0etD+@+h-6j0lvGO{L6ojzv7q>^_H0v3alYd&zGVZ{2L(%%_5L%QG{Z?kaaySlpx z3|qsDR{C7Dj_h)Jvi&Yy4UNkW;@E+cN86MB#L414V+Q{t>Gu~8w`1dQy%?y%^sq~7 z?;Y>~8z>pVLm}#c#ko;)=^|nz)NiIadX~Fz@=m^SPx2x+Bi*4 z`^B@M5d-BS(%!w=P{Tp@%-wPRu$_$V#OEfLmLAr)-*qvH>o{K4L8 zO+NN#k&-X;x;<{&K0lwkhR|yBv5H4)sjcq4*d_#N^A#E5JjWEk86tOf&MrZ4m%}#- z41TNl$3VX0^^N;G)PXBt8C9n6VQ|pZt3`GKGO%$H@gA`pGgAx_vSIWGEjLXD=vp3D zqpUxK(I)8r{qgITA>SxW69T!2u)+NvxVt@6G>mv^&PL;hzy)I0uAO=BI&Y}}e=j_; zgo;W@NeK>C!1!alynfD9)I5q2>FEJP6##T%im-H&-!5hEzxB=f*$+VvZ5Cw6f!Z%$?YZAzpXATdrSAA zu9+c&(Liw8g@E*Vle=*?0~Y**1=G)O zA3BP#JArJ*PM_PUbusA~lV|F0zx~#QoPzRf{U`kMgTC9U|+lkRtd#HW>(fFYHHs3^VbL-L+`q+Egy0WQ zg@q`Z&S(_x0LwDH={q=M4j!ID_^;oO%CblW!F%tCQjs3V1cHq+B|>pVPy5N~&>g1_ zi}jo)%(iGD5#)te7%V87$D8q)U^i zRiTbFO(1bt^wDAa6-Lo%zf$9WqHi%mqQdK#_?>r@*aG9m0q?plofTtgzW=328zfwKC6~oPs1grstKZP>x z0JxG*_wtBgO(-@&$nQFEKn%Vkl%WJG7fM-vLeRX1EoTLVga|AFu`YHd#tVN1JN;d)jG}Sk`QNr zB`bk>2gu;0|M&Gm5Gs3E>?_duK&u1(q^HEvwH%grq(h?5D=MM__Y89}%9H%s+DSaU z!8O(jQWO}jDdk+@r^WAC8R=|Ax&0SKLWe;mFNaDOrs&@f~@ReKRmYY z|4}WV#4bkE51_#sn!UH&v{3V_|Zxinr~9r{1R5_x5z_C?eIa z9Xq}NMBa$HMN9}l4G;2#Xgm-%-N?v@PSEDXmVIm{J;gg$=Zi$lz=22wo%;$nKG2yX z0wNom{I0rsF1EKn$9>|u4R(d^$vs10=Axn}DDQ|dH^xp=v?Lq;s`Ge=!=xBGUSj9Zf1x*S{2Yu$u{sq>!M?l*%BReaU3=tP{7mKk2B6-z@7`Tz zXg_i=S+i`fR%K8L)(bRnI7TAnU{NE;BN(UXwG+pKSr6!ndti(f4#R$5*uL&D)Z$0Z zoOuBbX!n)xhz!JVAzX*`KUbH=(X$VukP$yn&~b2cA47~n4+HPREGG z(GAPkf2bUYX4iH`VTo(ku3csOuw$dQ>^iqkn7x$ya1%yy4OI0>Vy(Q-a&0>ZMeaT1 z3B+b9YHI2g3rsg5W_RIp*WuD{42{A)*be-Q8Vw9a9%i@|V+}M8WZo}y#T2tpSmp+e zt#-VXx^ZI%b~`b?1zC#};y9}Sb{CGEa!o9CU@6PT{axm!Q$L_)7#vdBI&MSp_bR2#@Q6<+`Y>T0!m8G zrF%M#cjtMC^do+BPP(G`y z-_*wQduE;W#kMjDNr_gGr_(0Z_d9EJ);kp5uPeTjRk+*N$K(w2Mr!L+9(SqVY8Z(7 zhThXPWH0vY`6K8k(bE$~><#}lWRKSU8*tp<0Dk*9Ltxshz`bjPzx7kW?yG;|Wr=@n z=<@@r8!=b4uMHU0*%F%_&nz8CCXoBe((LERA8X@W)6|mrpC)}elS6BogxL&7%j>oN z4$$k+6G%8rm- zR-A;7p#1lN{o4x)cXbW77Vcc@5V#1S9m0u^N{slmEkx5BOm+qTcS@mJ?U@Y%wbX+!p@acDZ4vg@BU_{b*;qTwvH;U`8L;oM@08%df z_z)9ga3&Tl*$qc_=4_;IrtYxqr$>*l`X9dwI&b3xKyEy{1H&*dTa556k%&Q~s;a7h zMTmgJ2KeW0x<<*awFdl_E=Ml!%A+l9GBfcWS?VfLVkhzGDJqH0lldwUm`FaVZB zAkQ|GBn-AaJF^%1Xh}}c(4+7A7jX?lumOWPMDN}`gn6Z#!P3185C1+qEDlZ$A4xE< z2<0RQTl3H%kMdYR1@R=C7*6?T`yM@p31WgFpe9IpVm#FJgd<2&aJpeNIyRVS2-b&F zXW{aao~{T9GhmWeI~T#{z5}bJO0iiQO*L+%-pj69jhE}&EE$9g>T%_+xmN9WQcrfjefn$QJoehs8AuYk|?^7Rcr{_HJu zN~{=ka{bmVpPTaX5s)xQ9pF%Z`1bg-1avzJP{TfTcbA87$_K>HaeQSIUNZYpxQ%!T zmrMrDTTM-LRzv?zIq2`Lr?%pCs@-2)Y{RnD`6@!Ovbl44_#=yYK3z$y18`AA#0s=}4 zV19R>UjX`yMVcNGAw&If{mPX`yLRq;Qywa!21^t)*O>{rb<6}evM^D^xaT}n3e|pm z76UJC-nj7^asLE(9(k~gK4i*L=i)b%3t_~+Vsg%PRn?Hmk;JN#Afq|vJ4KU1U(PzC zWpM&Y{j}E8=&^NMkUNy~dx}m7}0V6kAF|O+tz!3i=3sLOH9^<?TnhofQ|BbS)A#dNj`C_a*&Fm;C%+0Ch3nf{L;kF+AYNKPepk zf#kqPM`UIaxqqb-Se5oPBORRt4wM+th-#K-+AWT6-m+z;mkf#))4qHJ3c2*^k7IGE z8n@u4tJ$qizJKSZYWEZ)_cpqTUcy9N_&{OX2 zAnLgPfUo_6#ugeeC`@e8djPb^D<}xB;d+9_atiYlBSY+-b$6>HL;m&!OxtxtH~_{P z4=#gB`bG#f2*Q+3z{(YSdpm<*F)oC^pe-i}6f=-ag3W|F0lc#*tM);`!9*_rECY5( z=v78XA1pCWw27RZyzy9Ku)bFiPtm@pW%*dK2N@m-ndk*ztD#i&#$<+i@v{Y4;o&QX zfEjT)fW6n(3tvEBdVOI4@nD7{DO&oW*KaWNY8oiZ_2W>qD0h}`9AQ2<>w58;SGP@ zP72GtElwW6v9T9=HyiJs_+G>~)l&A|@Sqy~6&Yy0-(m(YA+(qu!z~0?lGUN9c4_yX zJuetGca|*$9MRvUnD{3y(DPfkpw>347 zfdY>Ga49Jcp$oH*z$Jf5O*KwfZJj}rYQ6Ik_(hjK{eOr!)a-TESmF4uVj8Amrq4Sp z>TaI&9ZK;tgmp^@A~d-bq=?fewT+BE=E!`P$MQ^-tOhh~d^hqIUysv?poTYbT{-Q0&gJV7^`(IOeh&VYA>@Wd= z0>aw8uVKYOWc*PT@HVhqZs7iYVQbjojy2W@=kQ+WvJvFtZKt%L*8;hL zrWD#v0%t!GU1M~q(bop6N>E#;?o_|wIB+qt&eGzyT+;s*9GF$ZC5+XL%~%WN7EzCP zcXyLuN@3s6Z*lyf8zJR{jFN=Jncvz<3#{GeDGcvmVFna zz!!N$mPQioHVt8fy0nG{WRk~lHQv z(kJkE2-`I}X9XeI#puiWVMg$#vxZAwy9=HZZE#GO>xF2~kn$_WN!2(I{(zVKb|V7L zWd!Iumh<{cm)Wn6czwdhvy5-}zs$caCl^itq;)<7@`6B99s^W~CKGgaYdG)Ovzr9Y z!?r#_fG@n%7^fD8`D@2fYF}4S@aM#+SmGo%C=GA9zZf>Y@eNhbmdIK#tU!s{bF*kRcIIJLymOsF$;X=&h6}>-)eWP#1no>}vIL>G8%bPGp zL{?wS{T2)N=rgnLxgO7gKqdaEOJ#yY6oR7!Y#PW3fSU;>7_-P^Aecv|4J|iB2%-TehPBTFywA7zwVmk(!|#_Ya1?t<=KvhtPyuoK}<2ZO~O%v-aQv{ZXQ#v;9dkK+twlFBNTxJT4Gg5~0FEP0HqyQUaq%FE!B= z(rI?WY*2zCYt)rU?Xc6=Du3k(g)VcGinR(P9w8XW+y5zVdl~k8sCktTFL14a0_9`I zSgB=`iXY}vIF;IFCO(!v{E^PQoZ|qm zkurKSUSL86;C0m~6BfWI&7mq(R%)6-+qP{RME~Z)2c9L~Yw@1Gs#Kt=bvv_H_($y> z<2H~|wjP<>;53^UO2~fv`OLMTVe=PR8I&dnv^s=|`i2IgzQb<0mObekr-5T=w(SqT zZQuV1z_W9{kax0|oy>>t;p=*^!HbDJbDQjoek~VprbYI2ID0tA`U6m=*?Cx_$*z!Q za!=HCzo!Re&Ih>lZh6fK7n>E)TWesl=jR?TakJb_EE*Wsd7AOXxv{h#oWSmav)}G3 zBxs0%R|{3KYCZ-^&(5X87gf5}< zl~s#wB;2IL145)QmJXb&H}0rWR+VRkv16PwSjKaB$;ei14C{qg`+uimC`Q|d>+Y8a zBe=Z_D0OoR9fM7BH`(H;C{u364q?5fZkmYcgb#C}YyGushum1<(Op-gr_X&g&u@@3rtehVG&9RB)o zSv<+f$zon%?))b)Zo3>Ba8HCKI@=ykbj)lpSo5~B>6L@Dw8S|~4>z#`rB*3u2Pe0f zu1rUYRLI>{@ddHa=W^8jTBOwQti_R(t;6>8be8ope8hdg!5JX`d`2=%)Zy+NPfr={ zLT|q^zK9`^AmkH6xJa5OwJHL#a5tCYnhIqZ9R)3ywzIeNy=Bb_olp}36>D|6#pr9s z7W0{RVtnJ}Ts(vG9jRu$r9{87*{ao0Rz)SNG=aCn<|xiULQ}KXZj=l`n68nL6llyw z{UvHe=tv>&OswE(O$z9Qy$yTPq30;0E;kvGbFe0?$j&V%J6jli=)w8JY6o+mG(pl6 z!8x-DZ&Z3bleHc5-@UFp-y4p4TfdzW@X;AJ+|A06^y$Mk-FJT4IbIMZX-|pFev&P6 zSNK+agU)l?^Mj4UV!XrAs5c!Of9e$Cx*DXmThS&_5d4j+XBq1)x8+pfF*-?hj6aqT zijzBv6q_h%FmU}=EMkt!Sl`%~()L|7kXwan{jR%Z@+xv!3rEeGzB*5SIVx*j?G#pP zORv_goTek=G&8KGjTd+(21um&GjQeviX5S)<333(8Te9QJcAq@`lvnXe$fcO&5iBL zq10|9QgsTC{bk|-8B`4oy|2^LD;#x5B%WQNl^aQ~U%CA9*N<=V^q!;oLiYPecV)kI zQ8#9;RDP(E>bN;FAMasQ^J4>P-aPs1&gM6lmfSepCEq3_sOaenFK_W!M>?MPb?4^_ zy^zNV$8;1EnAkJVu^xTwm=OD9J?T?JvtB1nb9M@kr1;CEnKL9(%5^2f%XneX?!fXa8_G8?oRv>;tcw=GhaQv^1M+uP>Nna3+HLp^nXHm80YZ`%uG+B4E3D;8*^ zg@7{^LhX1Nf6s2zM1$tr@uDY|6RRTQAf8Il!=C~_7y=$f0D@^ts&Ob3M`(&_!FBW* zo>gLpHELGxh1vL~ib}B4$|6kX-xVfBq<>e0SQ?X1KEf_6`Y{ix_lHdTiSOv1Rh)0-)#KW`m^F~I8 zh540GY|&Px5+XnmR~ttNbBLVNOthLNxKwG3{vN}Vzbr677}`okd0WbD#Mr5P8tEP+ z{4&T8%#b%UVS|F^X+hENg3^8t^~=J@jM})EgMcSxDg}^}^aPn#mO%SJJhDU^Ew9hR zA2TLv#o2qCwL>ee>{IbU=TQr%2F0s^(?XeA%7j1ZQ@r79+S zq&ZS^^{9uS7p_GlC;{Ty!yZ%LW?DqQ21fwvAh+d|l$0crXc-TZmg)~vD_oor046@v z2}HgoG6d*1r5~I+TR@cYE&}Tgu;8FecZ{9 zi3r(>e#c7C5>=EGHpq)eLBxjc;1uMgc4N2^Pz@Xr<3zau%_s*TO%=e5IXK_`7nin| zfU!)dlM?8KBc=kMfN>eqZDwVs(crV74c$bd4Rld<6KDI(1hq*iR*Dzab`QwiO2~CM zZGLvuH#POQnO9W+i?8h}0=7X^nD`%M^U~}b$cwchynts%8+pha_olay*0`Jie~p?Y z_STp5_4E`Yump_EDSGo;WR;Wx0|EljHfJG_;X*((>&LVss7wfb9oQbf)s?0Gn8eEK zUV`&o&cqI_1I;s%+@wnE`veF-l6!SYpElh>O=aKfE-7Cg(vtsU-@5f6Mn#FCT|?o9fQz)X*VwC^j^Xes z`^eH72(O8s-n=s-&^?HiwUnFb^C(uKqAuOwAyIK*$?bZ-R4_8bqvv~jZ|AI9TG0#Y(0FVoJ)oAA zll#1Ibn=T#*kpB*?&qoOrKSaiZ^8UlR9brj>4pSy(w{#JqTP#UlerCrejz=Gt=&le)HiC~XY6WfuuH&cBur^~oRMPnVUq4*|&2O={(1O`ops@f|+=O|Ii1$ zwLj4UBL3w2Pk-w_|IGjCSN}hKP-|DlbNguPb3nDyHN5uU^W&6_^&8?Q1`$85HL(R> zVIq-wFXKnS|KcAXcr2(A)od;AyKW#o5IIU~!D3eA;b?K+4gXo8asO=F#`dRe7qH@% zuS|yg9i{&Fob~_tl)pg#|G5zV{)LcBo*|JQxcxBRp2aUM!jl;Lq$Xl^x%`1d`uMc` z)MLxQYSFM}GeHFr)39;b%j>_$YiTM`zjnJ7quCr1+I+%(T)-sJO;dcL{yw|rVpw1w z`4o1Ofo9`gOjVifu)Zs`*!U`ip-{{EM>w@Xg3I*(?E=5+W;Z(+5YUp7Y5a?Uk*eo{ zFE5C27>`$eZc|2qL%AIJ-G5gg& zaJ(D>TgTcHD!gZC>cVdK%MUv`#EnjAtmN0zXJ0jPTvoD8a8i#R{O;e`ZqPq-Z>UqR z_)+BQsXTj!qoK4mM#8*ZLCXWrs4xYB;`C@KA-rOt?Sc8^BS$vFjk zo3&_FR(q^$YG&L)Sd6oGvGbkn!m}W=jyJKh)-57*AqCsSIcGYw>ps3c;vv1_G1A%} z^HR6`W503Zl#;imc%b>@&L%C>Jg+uN?jz#VoouS27MkosO2!$SvNf}G=R^WO1e9jZ zmI~O8mG~+3#VJpy>V#O9OX?~oEeg0&Q`GG$DJ|0Gi@#p&nMiedp&O?f;<$a@CfmL+ zR#!Fq2y4LY9v}0fp3aVCr?RsXDc(wjsmFGDlFqXxk4EDOf}Vv1;)w>j=BoCZPEzN( zJ}g^wA3Z%B3^CY|M zYL;flv%WnFwP`V$is>2)T0%M8pD8IU2^J-j%4Y}Xr$_3z#S*5B9H$aHmsNz#yNpf` zw_DX2n~%(=y9znkIIRNOkN)sp+J0?LHQ20KAvJb(zh9{B)ojOxn&$COLO1c{trj0D z{Fv!p&{BG*Z^>u*X^x(34gZjyplL^5eW_JOw}(`%wUQ%OUAr}uVxeX}p$guI!GLbAyx zPkNEl2UcH>itwrTw@rTIRf;hGC~P+s(sgioFp6@${k#3U^awMz;qs6P(FhTKuKVr> zU&a@WdM_E-a?TiYC*jMYN(*@DL!;(|1MQt=ZK4f3UvY^{bsFjHc^5rZEL7E#kZ7du zFPs*7nt(j=6S3?RbK%q}zR$gjQ3uZ0WJqL=_AHN5G9?^y{i(EipZPA3Z;N<^i@)rT zDq7`In{O#*8o$!0AD8J(Qzd*{%xt>TwLCN=Ao$UigG#emCSSWHD5?IZ>ln!twLr=* zx5FHt1jvs&DhCUYm+x%n)6+>eY&{_`mY^ccpra#j>TeJ)}=keK`#;^jE)kC{Iz(^%Z#p zdB&?9^kh`EP;(cYNYuTp;E9cYPV8pu8-DI&xdW4f^pkBlRh81r!a>HWwzq_Z>`d&Y z$GnU~=YPmAISwv-{=6I`(9-SGsQ2ytg@v!FWKZuLN1bTtcX7&}IiVudRm?nVP3f7i z7_Q+^6Brp{DrsvT?@6I02j&Qee{9GWwyz%Jo1IP%a%}6d7^)Q(t2JzuI*@cVXSvU> zs;`>eA-!R7objlbRkQh$E8n7Q;N&gd&DO*g7nb8ao)f&3Mdwr=c~eE!|H7rka5ah{ z*6aP*7VCbC(HahKwk6Gv^GgC|1)ZIq&so~M3by!ZEQ>IBGA%54IQbE~xWUK!CPn_z z>dyi3*jY6!*kt+-N)gFf4w-!0mPTG1v_^^(+jO!|e~T9rS19@P)onRUIksJ&1s&$5 z>l@|!Ger1>Y1qykA^zW)wJ=}45@$WxW2_aEkdq@c_mem$b_vS(OIsGl;TOtIja6KT zDz%voR|593SBOx$-UOL+Q4{~|MFgNzYK?82St250;Eh(6Q@W&>NY$mXIgTf!g=Rzf z<^tIJmWSQNyiNsmzA_FrG0(Q`^;9^QgA-lRj5gdz?hacR_MQ_rd@^)OSNUZWWl{p0 zKCVr8p+;_&GPq(@5*DXYGikn}w2jZC-<)SuEY^9pwZ3PlRjP8X>N8i-h`nuJPWuaw z=>eZGX$Jo)hD>|+PD&}A<7Dv&kHr)DR=1^6;m^Z;o#A6YrIP~GaM{I;gb%B=%_Y3F zJxYDROPp+W(P(~b!$QUnC!d}y>L1HLs6BKSNEIR~4&>FrZi*xI;Lim&ANThG)R{N@>r>5_7@eT>6GFEeqSE>d5I)19< z{Zjj_f0IvN#5qm94w{bT7|sm!WxXA-8vEGcopwL9nyt`jqdQ(!qbF;f0s|ziTxr=I z58*=fin>)0G;m?T^LEsEjUzeQ+0BiYbchMOfoBhSYXnLq2U<`91LlaDvE{R1JWSVk~1ztDOPf@;gQ?c$Hd>Ca8p}Mn!$Bq)@%6^AA2B T@bx3yY0>Kj`I0PrSyCnn&?(R--cS{Iv!8R^Ig9mpA9z3|aJ8azh+3&r# zz8_uHRky0Uf1El8SbME!O&N2{G3P#^3UU%?$OOo6aBygnpFb(V!99-w|5Uz00KbXE z3RH%Jdj}`^>4S=U+QFimJND%5pVMQAwdXO}Gt77A3Lke`aNj7NW`FzkZi-$Q=k)>d z)UUtY$kSGc%pq$yXtE#UmaINwP?3@4)(t^!9^O<{<}-bLaq%D^pAo#s%YK%Tth=?y zzMZCMYNDgU#>U13U@)g8{!*oT4*xK^d+?8%I{!7v5`nOAW`30H zf38^gQ(0LV8ZDnI8f-rSu8kEzhJ7%E@8;%au#+zM`HKT@B0CE0 zAY-@5t<|(TICZ@i5)u;Z0RinInwt2dqob5mRI2aQlSLp9h!F>YW~GT_fHo!J0%jpC zazS+3dLUvO`GpL1bhABH94X%SfVkoO!}$HklE*98C7&%sy@zwXps3?8ac!@tRKJEK zs*&=|>#rPow-(5UO+i^og?kI?l0P$i=0|?}PCoO!S^c%?vn=9fn>iZ&bG>P-Ig-@U zWpTa{0<8?^spL*xfe3xCMG?s<{N?BH0e`;_)*E;FWxvLGXlq=!;QCR7(IBy)#c~a=7QZZ(xQENwIMZ3r!sNl6 zd!ycFrk*1r_u?!e|6*o&8SoxKbW4k%R_WV-b~pn`%5v+NX11>-xs#R^b#-?CT7eZb z^~^SQmQ0jJOrHNXmnPEO^-!-Vy`}V5Rj(|)4xAWhu36FET6zdoeU4=Ro+1+i_hImW zU&v@X2n(;j+-D%S&tmIe*(XQ~NoRSgoR*d_aN0a~n!(Xx=I?_Gyh`RR^?2@N-fI3B zKfxzqIKC^((DF7y^SDa)!&B8}-fivJ5tA(1e$MC%slwA_@7qi9$EypHFqHnXn@d@0 z_Fy*}=tRp?h19!eQeo#MdaZGH;>`nd%&v+`zwF|ZV6jf9d$u){%8=1_J<|{kH*PLfr zC7(tb;;oIQi8uH2v}dm$3>&YkL@l(R_DRNTHn3KP$HSk#jw(1<=_z8PAITVu3bz^l zNs1aw<0f#EH-}T9vv+k6v2ru^@dM^sNb2b5NaA-ZQ?1lU{#>L|WQp}RTMx%1AM%tY-RYa4?q3c$cp7&sWjMeQY1>e9+JP70FQZ&9ij-~cs`(^b zSWLYA^+3=R-Lib*WrHob*G= z5lFhVZ)^v|hec`Y#k@~^UW|`J0;RQnT<=lfxG`v+i#DH}I~1Bn?y2dSDxckaQcE?Xr_O+a~m#+rv;;v z+PQR^(OgXNbCmRUFV3CC>{RBie8jsFU6C5egq9p)to-w5zZ;WMWX#4eD`$Rhy<7IK zkBlW3BrEmCcap$Bh&+@jzWfS-ZpSiJ*k4K=5FaG5no}aWQ9@U49;>^xsRett6ScT7_s zh=F2W-qksf>@gb0Ac-rY=1J0K%hv}Xjn>4xU+SD^HI%aR#P|a21s|6EBO#;rG70Pc ze8^XhB!QxE3JCs@J`-s+)o8@OH7{pcLT1%D9$_A zMMbqIuYx?QPU0#AmYw`z=TPKgcGk&6eA@S8aXuCPX(i9^zX_BG@dMZS1iQigQkMzK zwm;Qj;^)dR7{HL=t*3b7KW}z!x{@^Pygxn{yFt(|dw;yY*!*~Hxy79E$shz*zXdlO zV8ASu8z#|~@%WA1tGK?w)>88%zvBW_eA0Gf=EaD_%v9Cn%2-D=zsdkV!7E`BZFhE` z;F|47k7Xl{r22~lgA-Zny=H}jpHKl^7>qXUOYIOa~#@)dc41PW>lXtKh zGUirhIzOkKAA!JrN;Afr=p5RIfu8G;VrCq(F-<9)AO3BGcR7mb2(;jPvcvcFV)pO`g+9 z0FhP*SLBM(zorR!M?IxhN8D{i8thz`T_ZHkr~Rc3`#4sJx|Gt^6Dy#mb=Jo;$-HD; zg8^b~)JM|$L66}BWApX4G&dIKJE9sb*^XTl?=`;sID?OoiuRx#>)Yh1N@WWvZR^$CT1yeN7v^Vpbg zUFV!FgFqEatU@m8(oE9spJR5buv-5jzBCotL`p0*!1b6Ui!5xfP{XL*F5;=YdTW%6O>O#yE%C({o4+IiD-hmZA&?`Xpb8iWxa zE=}(^w9tAlY1Gq3N>8otA75Vuq4u_G_U`7G-*}%ge?qqyGG>;~viZb95SbGDQ4mDk zO3jmYcca}U>%(b`Dy9u!?A-Z#2%{=RwiB+Rx-M0Hc@f^OHbRkryu>_cukU1wma2_b z)(9&G%-MU}(G^7HYKoI4?$e7qkS?e8r(y?6vD)QM3P~ZK zAKXwyfl4u+N!0#_HQnLLwP$iX=Ez6;Y^FmSkFE9S84h^A*p4vYXH2%}T(XPC97#Nl z+@a}&a;&?L&(2BahQ|;UtqRC0?FgxbS$+U_@w!}>OcF&MHU*wQdzBkpJcT>>xdHdG z`=;f-zJ84EpID9p0{rySt$6HPo?0=et7KWpG-V`FJUqK6D2_D00&&3)s6^S5M-viS_~l;?S9e zxo^?;|Ac5a#biK4KjOsVYuGp*jw_{I6?2Xa%s;{0@nDpd^dcD?cT zOdDs$uMajBlR|$T-#DH*Q#*RKUWb4AD!~1z%b{6bhoXGjB{80)M z8T~ZzJs@u@0a4x=K!vyn`sms_G__I`(Bq?-#mbrg0RG$X=eoZC`IHJUWqf*)%|L>c zUZ+*%FE^>(W~*X&vQMu>$<2tI5*CwItaW$EM2d(`gM22O8!}X?G)lI|uC%RnXhBjS zSx)i8q`tU1%)CT6{l!noJ$o(k>|UcUyy59Fk0#iY89dJkTOaLF0zEkGdM#Mu9Jk05 z*`T|Exs1LaNYn;uTnXmHUySF;(>h2DJKZQ5c7Izg+C4lr7jO8(JSHBS(6B-fA_Zhz%S4VqJ2r7G4`%1~@TEj4Y%uP3-3R>eVt_ojCS@N+Z~owwnJQ_Y~^XX~3couP>#5!o1Luwl_(jp{6AVnr7dxM;9cj z+Qj_nJ#0QwJ+nlpn?0WLYt}4y45g|lq?(#mv)>jlWrFfO8pCEy^54~w%K_liDxhLZ zrMIho;iK%lj9={4^#7dcO9Fbq1>ngCbDXJ)`N`=22yQR|5;zt8jcD%Aw zxK8$XBzb*XiQ@*&zjUyCJQ~YokVv9<>*iENaQuvZv5NC z$rM`d$s0HOsW-e?oL0ha=F3y=F#cFo3@_nIqwY-RVf`vYh;zi(o{GlY%ll!G$LU(Y zv*l~7kzn^rQ_A%Il~HY>5|_nq&6tB`FO#7Sxg2VFM z(>Q>{$K1S}s>J6V9HJ{F%WW-*3wlps?jxhEf3kdJw&>LsC-tAQqbS+S4ZH*?Q^}-$ zsR65&lSG`vs=Gv0Xg4fQQLcNRl-7Bf&mNLVK2Q`pS zOK+ow`5G^61MU0~H#fy=ADq9Py`ObHdZT47lh?gDS<6R=MlB^hFlsSrQC*W+p3nCL z+Rfi5aGn@e1H(zm5lzK3k6$wmmM|rHNf<*ykc+R*KblqHi#8yEjz_KdgO&Pe3lz>oxJb>3vp$NXYbLWJj6pL~Wl*rNHKv<*ax2cp?E$ zGkxFKH`PR+3UfRkZORWrEvHD%+e+d>fE=)-Vsp&RG0Vv@U0%PacVOa81%AL5Ybet0 z1l6rJJpdnM#0+V4#Zjt{jE^(z(UNK$foMbMVq02vb$wcECtsG+?1XBre4&`Z&B5ijjG}SbCSrF2D^*&vh{K0M zRT;CYk39`UKoEh6H%A$AHNN>N(EBD2zHu)LFW-Ah(l%Qj7y&<6CK!qEpkQ<8C z#5TOWg0&J<+=K;O{(|#rZEaTPqt*>3=Wm-F;Wgz~WL-6*`Lcv&BN;=nRMP(}I5^SM z8rWhu2qFhF1XH*Pu-ONM=G?_97OFV!;;6N~*Yj=COC3U{#hF*&JRvU|E&4KE zfv*_Q8G5tzZt=D{|2PC4GF1fBI^RX_*s>Pw^)1Di&$$JgKT>r~68@z|m`O<&qx%;M zh>HgxRn129S%~MA;i)dRYQI{3yi*7G%Dz`i0ulO_Fw!BEnk1HKcxaWjCZTU>us$dH zX+%@>c=Zt0y4vsuYt$+${W70sF3@P(dzZ1q1Sue!#8!4MFoQ9w6nWRt<{Hv_;Mrn7B{})aNC$@F}xb7b-Tze{9*^rK zVDHT~aYp?+@%OBoK_UBY!I#eGVzkukvE$sRMQV!o_HEC%mni@CFVN)Pwf9htnQ%DW z?(o8xr1q0qb@;17hi|5K!rY!{HUqXs1M@Kl-cIAK>k}RNVwz8^h{1II47qZ zOw9hKG*vpIZYn1%VNM*-<7&1Y6z6?Wu7N3+%WnME9tzmfgq4Pv@xJCTtGgesoqsvtr9Jhsjr4lqoeO#$mXsVwnQ|#QXAU=c@zEn^DQ| z`z4~f&r`ivPnU!Q1RtEX!W=-Br&gf zx~i6@bBJWUC8j6$rim-FY^+WZK+=jyba*PfmoKlV!dW`@MuPo*%Y(&If3%+fi$5-@ zPCI?{L!xe~+_;?zA`y{GZjX88)^gk0PIhN!Z*oY6;bg6Qp$eTqvyQ!EMO})v6A;LF zcxE(Z*PYKM^r{b4SX1irlR&;YUge1Lq`HT8qfAvg3>m_@nv!z?>FID-shjy;28gL; z`ft4)Mg93RI|?B5-bU^i+}Hy43;BKGZyCJ~2>F)m4aPVLshq~02-GQjw&9VoLYRaC zaM?~8*Urgtq)73h9}c=at;`7k|K7N52-L|POApxl!7gsO;h6X3YoC}EO@6!vB(%tG z^zFx24(q?{lxCVe&a7(XQ)B;rTQIupQPWxRLM!5fUP!rK5|Dcaje;`U0V2 zRBgPqFq#x$HdQY4w=Lr?Gw=T4Ok%vbrrh+o!>`XwT5hOoq0`jR;cv&YO`8#U%w~Wf zJf8j$0lkFmR$#Mdce&F)HX|dqX848corFx@R_>a9fw*+98k3&1m``XHRt+}0Tbo_+ z!NF?>Mk8L#WyTlKbRf@;SHgPt1)-caQ%VOLI+{2V4{dI)GTy<*(o^Sy(Qk%WjhYEf zDbE%GHF%J4UF(iMS{vfE(zv@JneuJzt@Iuwj=49U5)tsx4I%gkx!a1`0Q#$k$u=T{ zt@Z2C_2bmxiqx|q0ena07qIpb2q5i!-5G!lV~))wzN!1Pwqh|df7V8E*=yYO=ssw< zc!#?nSM2(MbBS$|*8<uo5rx@Ce|0a$R_qMeo`Xq-5>>R8J}R6m4v5- z0h&=lka7`|SRQ7Bgnc&SPxh^ryi3#2d;LNo{Lwi$BwC*34MzMMUl+5tT-MiVwM zJk#cv@US_IbkW9!3Kd87R{jY6t~A<)32t^0j?QA5{pl~CTUcF8lYR;ONtAx*aOEgo zs-~!=Bd29#)~!OGG5jLPeRXT~6KHPox^FG((!rEsqDuy_jnhjP3YIPuFA09fs&Ezp z8F%-li95|91&7pQZ%ZyfFBJxnhs!Rnubb9!Hx$?Zn#J|WOa%%I7nmyRnTeFDtsia5 zoUsTOBP909JoeuEzw{q~B-~kGq+}mA zDl?q-F#-YWNN*UTxCaCj@T{W6;B49r6P#E`yqKmWFA&Y$ad|<&tjZYw;yB*OTMK-17b|B+Sy}RX{O~X_ZbMdGF`MNdw?lzP9!j^iWz5Upme}h=dBGGj4ZkFLlbR=(*h!Q{O z$+22SrhrMz3$Ck5x*S^Mo5b+<@2A$+_CkuyCp~yNu^1Eni>HS5itlAe{7|` zT+P>4NFs{pXKrrSo=>E>=-uTZn96>s)?m`9|5K=300b_$9cR98-@d&@+YnEvs9Hci`)jK<4lR;7uA zfuRn!xm%D~R&_sHWsW1#*Vosu=fhQ-K(9^*4i;J4c7E<`y7TWRa+XXI%ZFrE%gV|i$0D1{D9p`Sv|-sV5E1E_Th5hQ zYB>%5z=bSh;Q!Aqfaz?dDJPTPNjqXfgVVNN9C&3ZsW3LPLA;m0Z_m!olxwYLvy)`< z38pzyhx&ht2FJ?_-Q>0}qgBn894s^_BcY%aV-7^%v&W<0GI3bkO)GnNG(gWrgz2rO z%T)XO`&0Oc$hwww9HmkmcTODgMzzVGWdJkuM3Z9p_n8=hDLR8*bNvTKE!g=IAW`|% zURSnj>+8vUE_Bj~Oq(~`nY~L(t%aSp<4V|p`0QpsQc|RJbcld6UuKn*MD)ecR2g+6 z>vyP(}aaW-e797=9)5DHleb!uOk9Wu86~+=ObU3<=&SYF% zQ%b(4Yu%s3#n-mBdUi&0c)hP#;D9SO2gxAVu1bjEp$CvSc_3!M#coB%k<}0AO>+?Q}QrK=G%?hf>J)#s-VimJBSruCB~)&v!Srx8Yyo;+pfCk&%&= zXx9zX1w|5akL5|@f@6c@fSr=n6q2er>*dyT;GWidsI>HRq?MJGKXWx!j7S?Gx-^!owcRN62!d)LV9fw3jRHx+}&ev(zo{dV7 zvVuK~$D0v9*x`U{dF@x=fL7AGyquXK=v4_cl;WcOdAl~7hD95;Fw@jb=gw^4z`%DWdwnr+uVF#WYi47 z#KOYob)+0GkS_r73DT3*v>#h8L!hrnwHS}n57pXA;82FjdtmB5*iwK#Qd(5?Cf!AX+%QTEATqHx{TWn z>phWps0fZuP9FECy|8?t5RWkEi>1tJqf zZEXcX_KiX!DvK5wA>b=8d85mIP+ObuVxx=k!|lb!))sWHxEwm-_ZasQ<*hx4@E>Vu zI>t9CMnnDmMgTE5tfo-)_4RF=4!NR8g_nLkF(Z>bYNb$yMnp!MZuTd5KU_=?rgBF| z3*Cl*JHY*jjqT`9px3Om#s~0uemI|qghg$@mORtuCoC^;`eFdWNb&xCDDcGMm}h)K zf|#Wxox-SaCG7k`L72F>y&yzGLqo|J8A}!S+-{(zLU#x3WZE2>x27`F>B2&8Izt5GY8?L_N>YukeUdp5Abnn3(Qc$>#MB zm-DkNUfj=~J!?McKoRNgzSv5&qh?}?0%#qo?|T!tu%J^5#(E&kcV??-d~VOlfFq9E zo-$}My~kpcXsD^#EGKAtBJf4My#=bwhRFH&8Wp2x{(z7?IXla-TW+m^NPqsk0sBz zGeQ0Os_khA1Yf=TDf#N^DyVQ-)BDBNPTgTR0;gSA&9{5S2g_}l=)`=#0f-Jjd7ZXa zR#!g&C@NMjrzRu&y0*6FnejCUC}#&tEvX<>29~#mQX9bS0Pp>;%_La$tadIqjR-cM4fCh*yP^NOM$gO3JDpILXZ3)ZfC{W& zKna>@_2Fl3yJs5_ydpxxAlaBT z&)l3;*WU!Uk09U-`!b#nyI+R;8q&hzq7_4%`3T9NS(R$Z({-;fkMBLtvd$<%U%cg~)z}ntk(ayy! zLbqp4uNiPHauzlY4(yMhlqtYbF)_(0VvEhz+N3_G?TsdFGt%#a2*o5kP+*V<`~uY; zlszd27Z+7f+i=7RZ?0*j#7G-JD*mlpWYn&u_0Ogas{}>%r2;w;j{?=!&W;5Y1H)jE z-&~@;Zy_p)fCjj`X1)DS*f9XW6mLdO(g2*jkpe7ZpW&)k=o<*b%89nxkr4nK@hd9^ z1N(|O;_tC&FH@dSj0;Z^tz-4OzJ%|vpNhKOku~BlZ&b}>_jk~tNtP-E*@mW zmK+aI*A%+Z*AHV^Vv6w*5vZ`g_Ja(Ghe91UCkmDOlUR-8_5B`HSyP7~JeK=dH~sYG zw7k5$VWSqXwZ?eZQ-d)`)m#tf@<24pfeQN@?EU2kJYKK&1CV1}hS%=j-rlB{7k;R& z^uBQvE1#wZQPNLn*ZdQ39gV*JexQx zZhy4E3yRV1L}8q%VCm)6Q6VVtGASIP(ZY{-{s1zeJ2}y7KoQtKEp#@`WXHh37-&;g zQnGh($@988QeBh#{P`U(Z}Oi%A_JvIzzj*H+I325YCXU~fa^u5rl~*PdG0T_34@Tc z{C7Bg>+749&ENGmhN5(dkk#nB>a;)o{xJw))!MR{R=}12Lwg69+pJadD@_l}nvN>d z;=tX9GllJ3tXhU^}2{Nu;#CHM76@umdLS(-5uHoykK z#A|C1KRY`ctZV(6v;_LLs)v|j(IO<9)}lshV0&SHJ{87@0AhjNRUW`BO0{ap1q6r^ zq*P6PKnnpY)V_~5=3I75gMhgtvzwzI9UUFa*F}S5Io*hphXRxuud~x1PUknrkv2^; ztD4P+0$43ovr--DzXtx7l$Kuqib(ROz5Q8&RA5dH1%}}H>+Rw6;xVX>l9H0uP5-gv zX6u9{C#c%S!)d$>TGb)`{&3(`&_Jl}c_0M7?np^bFWbHQwCBu+fI%{NbGF?#GO`T} zl&jz73u~9^mVHwJp_@`tD^)wYUXONyZb*XK_;1%4kh`3It|r&R{#u)PhB|k`ad6Vm z=x9Kj1W`$a(pEcz**(uK;9xHbV0LG!lrS(bFgG`MqCOqwN&xv4#=YpS2Q%#tSIZa* zAO@rh5P_N%MuD4YCT3>Yw8$euch(6| z&=#5lKFVoZ4l?#0)WN*!>Ug(hpG07SDsZ%Y%|LNOb90Gk57U=k$_4d7}rQc}n$ZyEkfPEO`S6NGijHvp#v_%c)d1xvfmb`!kmCkct^nO-#@ zXpB)xnt>3b=lx%Ecj`w^ndtG~z#eD+AQWCJuAD&_EKJOgAfS@DYzP_}8l3m1hPEJ%AT7mn3TrQ*TJhzP z#l^*&68_*Wl$0+@)dn6P?pTv$Aa4in@4W#_AGNG;fwaYf!Q-I3rJbET>|R1XdO z9)7S`wA&YiMyOG3p_p(O92n>TNDqWT6O>VSfW`3;$lB47ukLzES6 zfrw^xKQVwX>!Yj4tOJG}93GAWZtCvkrJbN&s3LH)5eI7q0eovMl^}&<7U!XJc4>NAGUF6H~*up9y>A7D*LK#OF*4fE$&VFJ4{GBhc%ppzk~7wd}E--h90l4jzG+E@$4*q6IJ~q)fL-OWb@UjW^Es;dYWA z62y`^v;c6T+Hx}N_iq;PelXe(cw@;0q!F|e9%oze@$vs!eY{#9F0}__(A6Cs9V=0D zLAgQ&2CV5(Uc9NSt24hoS?%iXKK)A(Z4VqZ-sEOiSyffM7zD5)XVQ{U7!UNL;pyqb zL#f=`|9*->=C1%b+WFFRs$|_5;vfu*R6{t>&pwbK~ZWhLo4v zC76PT0+IzNJwd4uxCjsrRs5GAUxD!UsbJgzbaDa$0`{)1;)>WHMF4&4?d?SbLYt>2 zpQNNDXo?Wb&CSEY!cI<4E6%;j4&)!s$K}uFtjb4$%wsv?V`xYQumMEv^tIndAl8BQ z5>#h!5I`#3-Q5j9o&f@Md3gzb(5Tg4hMH9+9~@X$YccBS=>cA|Igt1@%s1V#W=`p< zx|+k=#|H@&wL0w>ut8w9zkPi_l?&wRo0_IImMl2b2(3Ikc)xu4vazx8FIx-+NF3#o z(nYV=j;W|F7(6^)a@%5hP}DDh@110?GU>Mtw))&@RGFcH#2CyJerjBH0rGcSRX=5A zAL10)QWDKAC^$Q)8i`Fv=+<>xG~N9MB;d7M%f>q=;9@iwF#$!0%LNa7gQkvx@qhIt z7B)WZSB7!rm`j#>uRme!9ZUu@Ek&N?Qjm2;%EE+P*(sV*TiBnJe#QcM`56aGsEnj! zlbXZA4=5D+1a-mgP-7GjP33zr`dwvH>&8zpq%9;!D52a?(qwNI;qZRs9XE4Zp(xNh zWAo*|!0v>sR7Xa&U;gCR_Sz3oHszCN{ZkDobN-YCOR9`4anNh-`1ZL|ASYXVG(^`$ zy7;m*VF)%^;LxPVo7|2aOV@zDCFv~DdIi*GlQ7c%sNoJc|Nn^KHlk`m?k6yjXPWNq zf1W)03K-UHKVwIvGsu;KrABG4T zk^bw0A)s6nRJRrcr=I_}fM5H+6YxvgmGAFobMx~JxKbS)9WD112*e~Mkt}OcAdI3` zjOr>XA+y%v#SdQIl%Nt?))3(0PHPSHIl#V{RCIM!&!+eD*RK%J(`Tza`4AY&r}5~S zCqo_K0jB;^DH0Fa>G=^Cr)-YT%LG2~>Ecl+dBToPTkBCSLfkmrbkOWHj{QxSK~SX&~XUoBPvr+&YvkRz6;%?KW^XAoS?3Uu)en z`XB0=nJHW+e~YN7*aA1xvag<!@Oh1E?`KH+M(pyp}k;xnA?%!1FWboqwT=O@1%`7_eli z75}rSw%{N@Kqp$DyeNwN*_<}iX59g}GhC#2KwTZis!d15_%2+@o?fBszWq1RkFZ<6 zd85mi87ReB3P72c*bN!3MK4;eKokt>4-aMUT!~AJ3bAn}mBn>Y$UZTGKCj+>)w^ck zTYxAK{F|un-qSHq9u0m0;|tAlC@wo2;5D>IBqYvz*bbe8EEJL(oUgIYusVaHO&)GD zOJhI#10w~e+O@v)-^l&+mf1HvZ6Fb!(~|)%Mlc)5QMhn_`x*wJrlb|u=@wgq>C5#A z^*vg3=;aPtKS>k?9h{sxt+|}u(}zFYU5-%{(Ug_7(I|jf2r51ss(&1f{L0#zRQOv) z0;-#VAIZgU7KlGR)6DscD~E==kU*fia`hzm)^-5@(&#GiQ3)d zz}3F7m{<&Gc!h=Ue@$3wag^6zo*!~&O;I{7w+aGXZnF62`dT+Cg!%5*Fy)v9N9D;T z?q?a9Ea}9ujjc^+&we?J@fLgpu~!@#XOj?RsC8C+ya~u7_nn^-$qvhcKv`Vb-Bq=j z{jFB&ahtsDasTw#_s@``h~Wwf-Rk3&KmFTT6%x)b3;2Jz+qJ9|7~PV-_HVa%2lTjK zziuDM@7VuY)_~HSvbJV4Hl_r=cIToTObJeoP9Yv;*7bK3uDR}9*O`yFip0HMZ=afq zN=ZY*UG^A~&f^=g-Wv@)t&~5#xOlk|Oxn6#%q*Np2`xA98I%V?5Nzy&fQt8bYltwJ zz<>jOfZHp-n z#o*2q6c67vT^t?BU0wMG_Ca&9uqbG`*fUvT%$CgK0sTJdwYq9kQB_q%GNd_%FQYIKZ@rb`RG9@dvwfL7VoF#OVFiHec~J-Wuy+36)24^O?~o(`@gIbjy) zfQb2P&)S0r;P61ug}-h2dsz3BGu7}?mKv)_YpbZl>L&ARRTYZRk`QDXd=HHiqKf_U z+G@D_7p+-wQA3m0%Eq;q{@e87)?pi+AwIf<{=I8>zor{Suwkcl``Ba`8u<{ot?!Pn zuP@AH9kN>JArCD6#A4X-ssG#*8yA<|v|kX8lCo=kXXkGl#5ZKrVx{E@axz=+WOmg2 zQf+>6*ZKTlme9`bnC|ZU>})-XpZe_lTf_N2xBoz56_6D=;W329XkE&}DPz!n8{etP zP*WVY)OA6ZHV>=;_dQWvj143b&0ICo_Cz1n_4Tdeczvp7?LjBq{GSOPFRpwF(3j!f(pCkg;Q%H*kRK*tAPqW{DmN3$#&9F@*+{E{0577E3bF=5%S zN&SM{aND{glB;~pOJ@#B0=8l`{4i?eW{3c=G4qrY6?F_ zszwI48@Bbcb(=1eWT;yo_fVER?$9!Pj`E7jMrz0|P=!kDdtX45_IUXC)(#G2yzlXg#iOsU*-;5Na_3y8${wP$Z5twy z>K2gytac)5wjNNVUN+gxtEF(;+2T|D9JRn>zob4&6$-q+Z|1w})whfNq?e~wI{({f zbC2%0smbf)Fy-kP%l_A3E8@w?0z2W>JKsf@@QOlEZel=?sWp}OJ$Ld5}6i(u0q7``5gs! zn0=*gbjDSSUrJh95&I=*Bm-ImyQ$hRSQvpo;?Ugn_}~>9vJ=+Q;*xm<8Z9tr={eGE z8>>>c11-2l#hNrgmXiE#E4u$)EtoLukN3LS$+=1vvOxv|;CRA*4^UA~P7Cq6@MbB( z?6%9-K#VruYH=v%%dNNM9XsxANb2b5*gH7f*t{#O$<8K!%jg{gy2Jz~zj|E~eEe>Z zY#l|a^qS2)1PM}NpnGUOS?eG)`khP1%d3in*3u}MR@Zg(j;*qn6MgrV&vC;(K?u#y z<)YBZ)wOmr{KQQ$lWzbR%brl8YD`EO;-*B{8HW2M$FG} z+}u}<0ahlm%WvoY9vmK)Qnx=AkMCbh`u=+QoHJ^`f=57>O&HK;QZ#+mw^6K zKISfHxBq+%*kiip&KaM@!o!=GFkG9?mo8a3@3?{;iXi z`dGow$?JSTyGYT<0qY3Bd-(B=(fs%N$p3yb;mk){$5Y^*X=_H z^7LNQJJ7`VIf!+4!}dS8U)(UgQe4&Y!TmpU-2D0D2f#{!id)+}Wmye+B&@M!-i!=A z$km0XAds=lo6yIC&>Wwr?eQQt~oL4B@fU!8*h4FFKBr!YNz9AGW~8k}AT z32`5-(}|7qyPv?le0ej;N;0hFQ?SK z%V*3RL{rnet{&SPzsn;*rXoJS`)jM9RW5jVM^)@*|F!gZN@?sLzVuJB@GLCY~#Th%@Zuq=FV3IW`VUQu2l$==nKL+f1^0 z%gaxX+z1%xmaCL(fq>$G0eO4-m3F>4OwS_8>4 z)R~v+c<@O{ ziTv^sJp%8Il>NyA55LtZ6pHZ2nkz2T4<}D4w5drVJx5@^$ z^+A`pK`|=RYx$;B*wxutrCAYvS!2*%1@SAtA4gWHtp&qA6tzi3uruV~zzX=7i`A!U9pDnO0+{d8F>W@o2dM(Y(zX4U_iz3{Zd31@PgrZy9*nrtyCumKY2NGwW z9)yB0{C(}RAbHb?{`mtv#Q+<(OlHE8Zsj_farr$KR z(t3TpF8|wgG1&R?NM(P&7u)+!R78^ za8j=s5WGJ-I%2|+`c$W!oUooB3ui5z`D6-x)d5k+X{E+$+{1u?R`jLfel0v5XwE17 z^lf!rKpvL7JP1WJINOp1AMsC0TGrU2$3_kc{0^25KAD*zw0K=T6DgmL%Xmcb@w{qZ zYX3UI?bDMS!7d_;V~CmtACR&{uMf2EB|Le!Pp7Yzsgryc!Ai~7GUM*YAv`+e_a z`Huzig$@(8XHRm~whFY^=cFuf#xAl0i)cU&vTK`__7LM8FBmd_ZlvVWQLuMb$^iCg zXqc1C%N_(YoYMhjVeO;mc94{muz(hLfLMmWf1uXPw%noU=;-c_H(?YON-&-##K+rH z3#Q)%p%%tP&|xEcUL169^eNL$;6SI_j*8s0u`mv3vfS*9jC@5^CO~I|a{YMcQv-2u zIqWLYj2>Bqn}ggoZ!e}w)ZWhy+*sE0F#egfm5J#MWnjs0uYP*fa$j)l+qwf)1@ zvz4u*_FhuIE@t7Uh^cNdkQ4G>4mek5Dl!4`b_sCJJC<=0MBcmayngd02CN7ANkFO8k-+1ze+~8@ssDgn9`)f~z7Ug;H=isLu5=rj{vK80 zk@ic0_E%BST3qyW_W16}U*i6q?Xa=h46 z<@Io8K|2iRjzZa#y=w+@HidB`O-0Qr`GHn)zHh1JNI=h3NiDiLe$vx2=S?sBJzO0$ ze8p&^@fY62#LWKwniaP11=L?WZdU>1zz*nVt(?&;MJqt8Wy3_v;M?S4KXHwL^|0&h zP%P*Dt#F`qm3jd246JJ^s^qR4NFhr^k%*fXle0M*rF+UyVoZ48prVK%q7pm$i#ix%!-ecvZCgM^O>6gh*LN1-tSp~-U zDi$}YX4-Tlr{tX36%CWQg3C|013+i3AInw!xoL~lOvW{>yRKSiHLhGqwY4M>RjXJ% zWg~F=m167rrM+il4Nl%y8k8F(k6IU#jb2mTpDOX{s6Oo8-<-5x;-2rk`#q9n*X$`k zDU9(PcW+u->LT&Yv&H(hvElCgE9+gtqNKl@K{w*#=T{lT(a*p*VlXU5tBXqpt8T(d zK%=y){6RtctOvfA;MDxuIih3aBYSLjX!*t7)~1XrWS21VlFgnH=z0-RY{*_hp2>>9Zd<9uqWZ^!sV%JrmJkG6v42VOO9x9_YgFQy++wasT- zv%W(*D=rv?l`rq+oBDeHhYvZfkZ*2vcWpb4U6MtxT;XSkxcB#tX9hAmL?9v&)Owku6w;M$Q#&0zRBfUT+TkH zrXQ*M=H0Oh_UW6`reA)<>ARGruHTSvaWTx{;3E&c(e@P8ta0zXAGX*Oo5fWdZWw9_ zgdXtJ(9+`zMIl3OI}Qt%SAEEQm^cCuw0hkZz0qeW;sOqL-@FlKN?_`*xofM*$ICkw z(s8CLneAq(d7FDchxYeaSsc6xUAt{*?+MHHF2Cg;_C(9?&%C_hR?>$6v6p9z?N4Rk zu-B~lV)8rLm4p)2Sztl#{QSa|#93M%CGK6PZXnW&fvV&0zmFW|943TAtBs%8wY72% ztYc$i8!{bc@s9e|rI}>Q@3yTd{CgC`jsrlk=KAS!Ob=n@5WmRrKI1B*uZ z*RS)i7-`v0R5r4nIwyJc0kPtCH#Hel3OL@hkn4Q+L}W`+%=uw+pPOB|^TQ#__WKe_rMt?};u4;2->HUkV&Qc`QyOlC8V<3baZZa=aa6Rb})}8 zU+JvzKl4V!y~DoK;d`inbkOTV;(8_pQ$=c${(gRvH*Zp{mzT>OEv7re-d#=gK*rj- zQj*@H{&TV2jh#@?KBrQT+0ObR+IubCh$5@Ms6=>~QbUoWZEI`Dv~yhulnB1#Gh|Ew zxUnBhZ$AbbNeyhMQzX9<8M_&U}~lT(0R)zeeKGKf~RE{|t9C{?lTS@Mi*C z;@=YB)H29n&Of9P znCP5!9zR(`O;h%@^iipauc>syG!Is+5E|WYqAMzsBi~Nnw@%FoRKhq7gFU4h9lw=7 zZK!tmvrSg|bMm8-)U?_pQ6G}mz|fEVlN?V5ro5QGMOA+mN~QSr_KghFkx@#br#G}P zdnP(^NvfwSy5eK#_y#HJm<#^L>jTF%ba&4C`rY3^VbQ%|g&lYomI*GJZ*dF9!Jx~H zCp4%vO3n{n{{GZ5dvrW z*;THP>VE5COy`m=@a=8KaCgr=VV$3~##w|KRzc-wRXH}{4aoGB9>{q#a}avGB7aIsh1d@W{3C>ij9tv>P^*ix>v8Fnk;;yU5@2k9BRryyL-@O zR_A#Sj~yf!R#sN8+uCTLB8GhP+w=xi52YjG-&x}m5>~~=#y*dT`2G8Lz2fC1M?%r6 zC;*y4AHt`k9TD4;PH=MiLvxaDRLh9!jd3ih9OOA=A3k(>akt0jgi1uy!^OePox}A= z#iPOh>C>`DH2fGcCv&#xv7fSNKLaI{>AqQeXvZ;h{@ER6(08#zsu6HP z(ekWeEuwhJDXH2yDK6Ig!%+< zYbrEoX9NUHD%CM;=HlWi9RI)^U<8Jxi;&=8pbpnQuM%3-637IWn8Gv^2Rl0sf zv;C#JsqN6v5|MT1&YdHqw45dlmfasHG4B78Yjqg!@dz*PzFQCgU?hq;k!X^VpO4Qu z@B{w-{zx-C1>H1Zq=6(#rO1I3o#W(=3z0r3Uike~5aE zl0R;dCj+o=TE${D0=~GMB+X$zT%>d}^J$OOrV0KVao`>{6=7yD* zr{~*GpD2WcgmiUvn@wBprk22ca8XLCXR1-FRF7R&RrP+8DYnlzAqs?}ez| zZ;DT6CbmF$_7%UYHzB21_npTM$@syZ0AgyUz{I=gQP2T(JkO1uEx{q}OgpKmKcGD! z1nWH3ecM4=q48JR_^k5`DsXtT{Py)L-1kymm3U>t|sxA0f@}9sSF*bvCW>%&NC5?MgIB`$-+Z6|<9MG(Fr-kJjz<+{H z5eolU&UE;GCTYV_eCFWdz<&H z`0mv4>Ot{~5)rQ2;YyFBHdIqRbDma3*Cz%Y5=PQ*Iy%TjBCu}ito8r!a@enIOh;!3 zb_o_MOD}v0=jo!_ku{tEXi{j{4xU@%Uj$kI}zF{R;CP zaj&e;l&HEJbU6Ry*z5mRbO%3+N8KsXaQx+Dtfu31)Ruga9DAh8kWyeVzpZ|3MXAx6 zfEv%o$CpV||B?&$i^7~8-B*5Rb?0gR`wHA$6|BQA3L}0G|D^Yq>M!bEt1~ak_oYQ% zQ?|Mt3Km?2^+g)4KeQf6Vt?8s|Kq}%7h0MigmNw~50w%UiPP+eWtXDfy107&q#(7 zSkjHamnjD>s$B_(2Zbh)gF>I1?3&N)czh5u7mBgGOWi97> zD8G>2L+=+WJD7Uy*>2A*|Bbw~z&$^|UAJ%FCSQJ;9F#k=6*_VlPj~L#O=$YXZX=;3wX(K0 z1%imsL{;mAi9tb0sRmVk<<30F6m5Tv<#_+W1Kkf#jyvI(Elj1jzOSv#sJf0SK`81W z8zgQ3ETiSHT9IHb-2-38X+Sap0OPYIZVSaBF0KIZ#1V3FgtQw5^JnSmaqY@^#yLZEzXRQy&Px>xm;zJl#xw!*jftWx& zsey773R74~0V+DbPmU^EvmzCmmNuMkYI3076BP^sTaO11==u5g--3OD5c7gob8&Hb z_wHS0Q}#w3R%pn@58aD(XYjEFC3z0wN+1V(wm%^6ZBRvCHFyR-6xxe+c090&;gd@R z&_`)SIT1@zYE*X>nJ~|B!nhAc7QzO3Ih1Dy7!h0-w$?$y)7Mvhr?Bvh8wITta3zJ{ z>>+siu0n(>xkU3W#qSSHLfjFQWT&ZmWy$1<5){nQ6+~jc9b@ttc5!<3S17so%=B>k zS=6&15*7lp7A`1f3F{^l#HL?TZ$sXz%N6ny;D%Lyf3R%=3|v0p;h$iow1a#ap!r%| ztSk@(7KkwLAD~PObf=*Ljt%U4b@7=7_&~Fr#_F=u%DV+X18yWeeSI8@=+JlXVbgq9 zQL!1btk>Fx4JNK|f)a2Zo`ooA>SkwWsUB)VG^hTUA$=`;Ru9g5QtjBeQ}-vlC~F9R z8ICZ*?+s{#=H3$@LtI>3K>F6of_kW%F$LoV|3RE{g|Hps60Z+8b3&{wtgU?rkmKtM z_k+674Z~!55*mC+xc9*{nxK^A+dx}=47EQuFYlCI*>)h2JL|T>XBZ5_9ZsCHnwkeO zUF$&(xn#U69H7ViB_OMXLM;o7Kp zNs+v~a#c+eND|7X4I7TCmXT94w%Mr~&t_H=Xgi%sJrj(cC$|S0rgvRt#CA9Vnh#7Zwo&Iu1`rO&a_$Z z{sCI55>(~lFBv)29dB;d81~VAaR+!wIuN!!A_=D;8oSRcIKVK1OPbza;>ZpdE$_PL zO#PbTi*EL*Zdw5?Z~g&8(eT3W;(Et|>22qT${rzNJpC$ISVQ*GyJ{wfIh%rnZ@Y*e z%~j^)zi(|_II%~m+0)Bwrz8LT^fr-|pLlBo3ZuAtm!qxc_=8O@f_{~E-nwPl9$R@u z8Yy=;FSISB?a!b86Wh?)eEB0zBJ<$iL#Htp_gjBz0f_f+GGSp5a+z`Z$k7|18KNDW zBR}vMot~r^dOMqX@`*&b;|dSatPU^&Y9i0BpPeJ-%}15m#=nVPQv!dCsLJDsfP+d(eayi8HeaKk~#o!5@h_tn$XgO^=l3xS4P z)K&g>Q?3wv(-l}5%LjKwpky#gg_hw! zZ{bnH)tX8AmZ>Yirq2(`fHR>T8x2k3phgGUd^`9|LKMl{S&#p(fDz)<@MB2d2#XFJ zZ9x}U2qNLf+wJ?a>&^)L2DCMC?%kp*}ov^5kQ9l1?Ia0upz^OB(&?$&=ma63{QeYvdOm-cciTzfT(+ zBgyig^AdGK?*AoPLN)KYet}sEKI}p9o%Z|TwNIIv!TwV1DT37)a(6#CbI|;%kX;0D z#2&@7>OP~dsdaI^Ok@LFh-MLpn|qW#Xv*AVUmEPXQt}pK}*Cp6voFhfyv;t z>RLnihX5Rj`buyNm>0sT(2Fya9_3hQv0oZs>8a2{Cj}4|)=LnN6+P|xgpJL175qNpP<3Fov~+O%nAFR=CH3fsM~XSRewEFcajP*F5F2 zFsn8im6)8IedbX+tlX|YE42FB3b;uGWP~93D7YBX*RfJs131cwG7DjtpL}J)LwufS zGN+O)aP2Ubpi!-?jud09tvBXGP0@kDiI~K|(^K_Kz$9oHPQFN`1j4fk(iu2mGYNX& zWG%9ku<&p2BLENLi5A`o3C!TnuH;*91fHN;crPkOU>L+bj22F8gO4pyvnUuzDK#}U zzwn3Zw8^a_mjdbvgrO(J;iFECx9LvGX@65$>9t4G?ln6rE2~$d zrlS{d0N$|1=(itk#J~VEA93;f-J?XPMf|q0!R~M0-g108^AwUlo}SeC?U!kBJ0<0N@N*!RE+r|wg{5mYRV!J*TAfl_#BcDTnzF~)K5AP$Idz5GR9f* z^1Ki>sO60tk$?);qwQhP(2163s}oAe)eBI}@i$I}ta6r*gqdwXl~s~LrUI~`JaCGYxLY3WZb(-phB zlt3Z@W#T`a6Iqur=}=HmsB4TB^Sp)ePXSe->6*vG?GMe_=-W ztakzhG`7>Ne24YL%7ZHMvCPKzdDPBJlg({yoL11nO#HQ@K93%4W8EQ^keViop;E`6 z{02{@6n%Y;Q}d{~EXE<94ASi_zdWAacK#Ox=}&d0rx_YPo)Y_uv)Mq$7qu)~g7_MtwXWzr7 zajoZxm}LzQXZ&TTTt;{L;a*)9wXwvs2R|g z-pz2H3H)O!)Vj8Lp~*5%)7$UDRU2L}wc5VYj-)uW_z@BOu4`k`DmGf>)b?9Ht?U7^ z@^B1zt^G=mJgD!4L^&8g#|Ip;M>#a z7SIACD!PufU(tl3-+mMS1tB7jurcxXtd~LyKi-swFU|L2&Wp|pjWD5Q<(gi7(FT!F-oQYc^mGS+6>VKwyS6sjHn&7rTD1K4cqa|_tdV|fVGe2q37+C!~*weerf-*F%- zXVUguLSkR8oV+}eCFl?n3pJKcK)?lA*&Q%A;t~k^y+Z}Kc5vi4_)NZe+%u%%PTmOq z5hGcoP_0Nl;IYJMZOa0BVRQoQ`HjBMbVI{Q%Ueb(8(;jwXeO17hNmCW3O$1XT>T|M zX2La5bKO}&0^H>C5`4Q!vV%qhrF<6_S!6!F(LVVDgo%%@?{BYgDgryM`HDA3gh6<< zT(tUx95f${x!|&aX2{gkbOj|eCckfJ$gZxyu;Bqbdg&NJ{Kw>njs!{?u=07mF&+oS zC?rH~=K+HcmWZ3JcviP)!glD(InepPraADwuObS+w7}GEWZ8g>O~ogpl%nYc3Jx6; zP?LHWv|sOATHuSYz%pu=6MB*B4nNK+ge2jxKLox6*)frggF!G9BPoHNhiC6C42ody zl>*|0Q~-JzIaEzpsnOp9J`nCEq#7Z}V%;G;hYJA;6)x0&p^|nXR|RoZM5PIL8s7+G z972mIZvnXyoIymrG5El)m~fZh4&g`y?X-Q@uD1YEys&k{r3~$77dS6O3v8|n4exN7 zH>=2RNY254_FI|OtA&LDlsu^^JD&Ps~7gGj?IBI-Xt z-z5PULJ?#ZDRazjqLO=%AyKAw+{nPdT_XBTb+r$%?yv}1e-Sy zm=DUOAL4M>b>6J0xH_rc)Y5|d04g}B-@|u3@R5u#90Z1NVh)P%l&7H1)f*NuNc0j~ z8uMO&vEB*kYEJ?Kk$F=E7LcX93x0_zjPQw@g@uxMC9h`OPI$qA$W-`)3yYPFB#fiV z$yexpabZO42i#|?%F4Hgj0l|z0 zvFmTbs`w7L7lSi)cGeCtVu+6DMW&H9qFg}61pNN{Z=gPO<9b0`I3b%VRM0sX(%3ZP z`gp#UBDlzbiXbo6MJx%ZKeZl0%nU9EVL+oNT^8&F7k-G~+_Ep7df*ty;N$fj7!WJ) zXRpw5ITTz(lSYKoP4E<)s%Qe=i=CpDbO95{$B%DeW5IIpuC(;qz<`9B8Z}OVc$B9nKygb+ zExVj=M4C40NSwTMie?e$yf;-0OS4+u&bDW6ZvKcGQ57~bcxqD$%J~0k>yP^ z@m2^uHkJtSArJ>Ag2f;e*M#9@8tz^6Obd_Hh!~ zXg-Ikm5pIEVfPVR29ETX+$}j?E0&H5HMs*52NZ z@%)DYhj&G0|GG2Ta|^&b9a&)T>Ktccq8Ah_UK_b5qFWK?3}Sh3o)GCBWgkC&j}Fwt zOfOus$UzoI3HC4%i~(*1sSKG?GypiOaU#9Jj9rY@xsJWUZ$Jj1 zT0m`zOhB_RlZzN*p-3V-kOpyNV5o^#hMywghP>T`eb>#wqO4USt&Z@bMlH{JFC%Pd zAM^uY5O5A|LrWD6IzUp*920UP(`EfZI}#)*#Xo!Ymmr=21qe-P>{Py63ud2J@zS`; z)t|AVh?W&Q2f3uz;09E(=>5<1t{3&~V|)SsJAIW}0G@dW&V4he5V)K8xB)jHu09;<XT695lMEcg?3{!jm#q&4~B*^dY%asaK~BdexQTWOkJ@j zX+}u9bHP4$Y4EE_;^6xu3r1~xn(7By;>X&=6%{Fg>JZ|L&tb0Wg?%m!L5P0S@SQ{X}q`-o!mRWw{$LrpDx7CQWYkiCpscJB~w4g0@3m2Y3FTo|q-rt%t# zY&I*>xb2dSLkx1meP4E3W#<0xa^2{Z|6TZP^W%JB+cKJ3BWwcv{dG?6Rm+s3QxCsK{F0+u_L7qy-_j_{HQ zu@>Y#N-}C8zyj%%X#swH`Wl zYy(0U@QOI1ML=1+(*Q-Kj!{dxWv4L6rn^Xl0Z9iE3#vjih@_8U{DGJ{)vGU+u;)1R zM+bstCbBQl#c4Y9AAzb%&5WPg|EvRqYy!9xI8PksJkH;%)e+~T z;1;zt6wc%qr?&tCT6YV5+@^cKgCuE4(UL~47)u2aY>AUFGN)@SUo)k&s%qP>{4|6Y zGXP1E&;jA}3c~CX?glyt?r^rIWB3D-6~zSUJ8Pc5wwI}W@O^aD8?igkF$4@Zqenyk zqlX^)V=$*DAss`Vq&jis%OtI&HBS!zHXK~IvqYK?`jpk%ffUd^qn~_-0V`6sAOc3P zGaaI|(5MiSij5mP(KnNDzCt7ArIc{w^l2iY5V)hsyoLGQFh~Lll>ZF0gE&m=zusO? zlt(nr#-pF_8rniYK}-vY8;-X9f*19B^jEpC{Uqrx{csmT(n2{zeP8+<0BK{xsj$L8p)St~G(B)W67YxRA_r+^`d**fqTrrYpqcLLNFU(ExG zIR#{io{AXaf(%>$f4;S<1+*V@blRA1gIrHXPXZ!B7%PzkIe`wo3OMlX&&GngvvDU) z{qUnZV6^dzARFc3U7V-XxD>zw4Q7m#00f!zOiY{5S%Wk$tEyV34K9M{#gT1=N%5&u zr_8d=gjFJoZFg0CrKU5!2;v-~!ZQ;eIf#Y=DOeMTEv*k81%-?KZ8s1XL*2%G0r(zI zVF_PeFhIj(zq~kuu-3DZ(yRR19*v~7q8aC@}+kEy&MK`1FDs+>dk6O5B+<8rhog)@mf zLTo=;{L5`*(IH$9|AGwV(CKZG9ygC-k>Iw2T7ox+4g>OaTd75@ttZWBbBfSXBIPgf zHQ(^i5Wy{|=35`9_F4yxFT^WEdMt^^XU2NtC6b%~Y?PQI5Q0W@dSg%<+<0&|>)1koB{j!=qj>hqKEOV%=5Y1aQsiQ%8jx|*9@oF3v9 z!4+?TPFUJlrNy^Sb?scrG^a^n zePmWYYmU#4u*7zD-iCA3Zy;70co~q!M)Nj72cV1kC9Z{Z2z@^!)dWT&y0!`P+%er7 z81=8aS~EEHrKP3f+j-g2;YX_@t1q5Ezc!fBiH8KeBtgNW$tE<*NPSjWcWa{+cTK-F zLPZ-|q~$yuCI2O0QotF0LdhvOEe&C2gJI@ZuhxDomidVq>+@Bvx)z^iVoFDn!}U@t;`v8v@Rg1M+`i<=fhb2vUOR zQ2Mm1%X|hwTA?ex9o)a%1x7U4(vU_9bW>6inty_2cdz?LwuSvPcP{^_1^7cQppsNc z4ns`(zmEGj_(uA#*}l^KQyd(-TwRxy;?zC% z{{ybw(6WPz+KV9iFs{zA$`sCg#vYw5dpGODUgR5}~2lpiyUb3xYy`#Eu55l^guEFKJ?2s&nh zl!8R@7-{{s1BZBco-TK^FP6?+8C|9&lRF$o-Oa9~w`PvpP`;k(| znqh~$Lbj~N`9+6fTDEoz^L8OtDo=WPdTTKMG-vE&-nwnA#Ti-mLS((ToUw5{#7KuA zHoNEM#&qgbwTlMEi}fJmz|BSC+XjFWPS~2g+6S8Gh&U*Nk3v0mEX%Y>4m4Y^pmV;!WkCDW zV7%|$z1s&4hqzKuzaKP0VkEw9!BC+F3~(K~Yn$O_MKCtCU@La-+}UN>5)cJn%#ou< znNOXP1x`U?v=YKyiHia!O?)?UHD!=#dm54k@fr}>3MwkGpjC~a&u<1T0*c*u{PFGU zU<;M-mdH|}JTI0O=S`rCqvkSwN)WtWH2g{^q>TuCJpqk_gq)#atW>yQ64>6pT4|wr zB$H->&8!R;((;}Ba@E@isg!(HU3Ve&J{nTlKWeo$e$5WmM>v_mmJYy@BV%fsI5$1a zERM^pA=Utv2!d=?+X`$O4||`9aF`l6j!<*oOeC+{J2-r(tds;}McjC(y9jw-9HKd~ zfnX7MBDgpyKW{Jp^0E(^OjgS>j>dC1B3iR-@y@T38E2UdY=hO4 zlpiENDc=^U;aduAv z14JPA#k78SDpcbD{PE*6P9+9$7$wrsuS5d3_oFwg25psaUG$ZaN0~%ldr<)}Nla7} z1EwD)7!ycHODlsk($7+Z4KNavBGx$bv11o8LutToBOc6hgn=Oz@z2|ODR=Kah8+m0 zYVJt$SsV3i(;!Ha{e68S@N>f*WGzTw6d+POVBSK>3CUt*D6c%RKdxPSi9wM1z1r1P zI(VJ1uwhFroZVT=h1gS+R8&ld4~qa5)?wo*B03-ahzzEgby~}F%3cQr)DRSz94A6z zy62I27aHj#EwUz7<&%_@6r2EA(5%)csVhSRs{|;ECsMeUA8I=?LXX)C#RBG+lK z?o{(A+<*@Jf|_hXwCYI{ilVZzJ~g$ql-su-@_et`p@|(1Nw|AVG*WC2W7^0b{^1fn zOR%6cRm>JRZ?TCX_+fN)b#)KC^2DZv3!_&?LKN%^WR8T}(@?HpmA;hdSr>YQpI;rM z-?UH;+m+lyAVa+l@XFyP*FB~ac@h*92acJ4C@>@>0YZ$WRrjdngDyx2I9$Ojs%p7e z#Da}Yqv`|uqq4-I#7)k%UL089v9R7mXSbMU%cbqzzFlU7uW^a)254D>R23Fug%af_ z0l1nm+(1Ype;$AQ+oX?RS4*C z{L0l{CDnILw=hq$pZXg3u78J7mRdbGy|D9P`cUV35{VQ`U&y~7|6Ag55&wVhVfs}h zlJ-!*ql*-_Il%|j_@8y*;*GP;eX+JY}Tp^N#NN1<$R$liZ@t0etVq9%+T3MwDUXrM}eFsD1FlUi@J4gFCMZ-%|BMp*D%x#-V zB$?XKgFfL$j`V-0h?#16edqgdH@;0z-@xc<7nO6slPE;%*Po%otGGO>Jv{#EwTOe| z=d*1MvDI5g^c7)-~+uJ*|{iy9wBO3bi;O2a?hs z1FcMz?6*)TpTid&pk4Qx!LcZV2YH~L5hVeaZHN((BD*|B9;Z#eoK$5Akn4qVLD69m zQ%;PNRM0XfPpZYb;6W*M7-?jJN+3>M$e=!a{HSo@LWzw9nJYvR902j={f@39@$BDW z?}b`l`Ak3^)Sn!Pe!Vo6Iad-uj-HfD^$fNvCz zJ7ROfo${f){P>MZe0tY=E6d70!#8-S-}tmt@agj6QK(sm0zZ|P%c9G3SL7hu@d zu32-8h2=7)bb;1WGyHsfY9LcK;ZbY2I^Z+KtEHPsC&ffHui_mJK=_d-ok6vGw;{>} zR!svK%lZrhY4{gExh!F*UWcI%O04*PZu2@wcx0~Y5Ls4j_oYBESciOZLtVDcAa zGJ?_xo`~s2I~I;Jg2R2I@Ie{jnMx={e$al5{5ZWt+%j|n##r+Nq{Ewuwi#^j4}J~j zO5G5Mh0lPtvAA#gS`%{(So>I0nh4l`f{*PqXs&trDZJ+R^mGH(LVey118j%^%r+bF z7N#(Tlx=EiBEEfYW;6x1=RQz11p2|gBZn_8ULgK03bb7uu56$=D*;6>20Y7?{6&dq z*A72FKSddt=eT^cru6ejn5~Bs3{f%^m0|qKzL}W9pv(gpJF8)LLo^znnVA`UMvruh zj((gPs7h#l(o9C?G2xcMzUsq>UEay55LDh2ve8X|PY9UGV1!2%7`NqT4K${tKpd%x zouugEQVbV#cTW!^WHQ8kMtffmHvoak@Tp*&DM37eFQ}0QTO8Ma2G2VWfiZ<}-wn?}BZZJSLXVPkW~pgbSZq?v%FavV<# z&_Tp&k&6l8fIDuZO926@0r(du!j~1WcMoVPV?@3vg?C2)28g;Nfh*hayuNsif@~y4 z#7c&6#i1ZU^jQN9ZTH|{0&bjQ)1Zp08FnMYUWwT7Mi^2C3%M2pwY-1|(YNO>Ru14$wl^#Jb*HMu6 zB!l%8K+eVGUQLN`3nnwJ3#%!#3oWbkQm-@1Go6NqEt0NVI& z4n5^EZ;b_U3pbE792SjuUPmJChw{MQ{kHnfb5IsE+j#W-wKjp$a;h$qk2sRM2kohFt_ zEDloND5MEU6U#T0_l7l|5mcX|)zRrl-n@A;P%B$XxYLh0wCkAaC`U_AC|;{X!6Qlq zK85J20;iwp#87W=P@VFsME;z@GTQz++>K2s7_8_nPc5Nh#6Cq6h0mb8qeBZDXL?w_ z%|#MZukzATv6}iuIy~jW2-Z5qX&*(>t-*xLhocV)Bx9)3E3~tJxI4N+RkdVZU*ABn zFT|W_u=h7p)FNsg%jbx{O+F~#@Weg{qcZnfPm+r@$C}BvR{!=}{DO_HziI}KGyQc@ z)>E<#@mns6r>iCTZ@MTx?X5?DD8cQ$F1EPWf#2kq=BG_`@sSf95>_$+4WQRH!NT{a z*+crukj$mrOHO+Ucxg6!M%KB&R(?3VuwcUBgn@xcZ2+q=WpjFP496az3-Ak?D5+K( z-lGg9;8}m1Jo_vssD)e#K?pyFmG6J%=iV; zZ|5h;M(%Hqc_eK%HMrviWy11#;)Pq+gf6vOD&5R3EGm3BGci7y-x)(rAfA_ogD}(~ z>{X@P{3_COmcm!5TmBJ>E_GSLU`ikO5=uw@p&X1vRavNLcr0J(ID!nDe7&BQNB`#Y z_$RhPNZ%uXyh4v48i9chG8qc9k?%&UNL3epp|IeSI=@3j8;=_>+?;hOC@2Uszf>(o zK|xJaj2txDG+pVq=f0=GDCqP5l$C$Zq%rD(Az=i};#nUTQ7b{*DBw&wD!qkd$pu6K z4W};yq#?K{aBYU*8jWkB?lbgbG7IBGHsQVEv}nJ=tekB9g^UAe(}oS7L2?aGHrW z7Rp__zGYrrO;XrOpMHSACHSdH z;Hr3-ZPhZad4WlO3C`RYmZt|E9-l#_9T5lmXUTE}4k8H5tu%ZJ2)MMIo;~Y-Y|uqU z76Ap*%Vg_*UsJ9a*Ef4f&o}MxX@tV}A9Gd&M%}uPU6kNm0rfeZ=d6L0F2W9lUX3NI zfq<0gB8R`EMXr0aCN_7ljRI5=ywFTjX+k1yTdF?>ao8YRNdMY3W2|FE9s$y;efY@X z7x>TA($sK^GMd8%Jm)e7j~kjdf}_m1DLon(P9h0d_9Z2=QY^|erzOML_x`p*9{2Cd zqEA9@)=NTtjJ}0Z%@ry{oYvzrGs;+=17P*ui-C+VKND`f6~qZK-+bWhtqe{Kg}!@W zfJt0ma9lS{#rntBbMv3zBzpYzCl+8M5K6qQ;qwRBQ`#9#SfR&pvRB~0PA>!B11|7f zr7gRn=uf@hqjfQV&PoNh1iv`&7l~9yc6B{^U?1r@6P^XZyXEn58#iiyz9CZ^12E~jU)#cc&~)6(s2_5y(!8CgaZ zR9TzMR4Z#&S-QcS1%$&pcdhv6!(fQG|_rKqHgBlYrhCfawl-joA zz+DK&InmMVO&q?@2X^@2cc09L^kk&~T|0<`tY3dZaNB)?MSA*+Mfwg?q9_CY{*ef% zSfO@;2+jM-pZ2w@;3aQu`a9z1S4I0P6ZO|pcj5ZP_{zUMwaUudxpEa(GxD~t{6Xxm z6=~%~AO5<|3;*x`;i9?b!Ie_U0if~gPMLD;S@}cHKYOo#N5}p3Cj4Lghw{pbUmxV7 zl~2q^?cl**ALswkJ9`+QmT`p*{NrW$1hf9Ss{S9{j10w_w&9L&t=hTKmjekL7RKLR7#Y{oeePr*+;+M8(PoP{Rl{4(;WT^NeYNg1 zZwoBQaF!p={SiRFu04seh0&<=Ud{oj5c#F9%x`nNd#dz}2IMR1%13#pj83UK|E^Wz z=-LwN>$^O^VTO6_`GH*vzPfzmp48EoiUoDmGy7?)#M}_xBS{; zUdtgLnaMiFZ?n-(^UlapqzjLWCe0g>p}>u1Euveg=i?8NWj-w#r84y2vDb=?O;wRD zKG2`qUYoK_K}xB3XXA)}y>4~(yHU#azL{zHWu+9Jso4)VqMu*#Mf6 zia=<2yleC2WTI+IIXLqhFS9xi-k8^Cl%k1xm=QR+^sy2THjBApszgaiH8{A;`&_V^ zW+?E6&5i1!nVh<#vQ=I8<2O>iNU!~QPfDP8JW(r81Ah#r5|WtOU+=?kFVj3x zU#sx>i6ZqDww&=WwyA=RJ04Kii_;d(_`jtdesf1L<#x`?Wf%RR#<95x+5rj<_k{Ud z1>L$CA8K1P4u|(g-wVI|#BLdcIO_og_%!!X=ufhBzwR4u4~|$O568xe z@tJ76*`~o0s4vt}S@}|k%pq~#WX8BM-E7`2KBPuA$Y zb`BfzmK>u%zKXN3rreuC(Y5Yeb?VHegXE><+PcW_(Inrlor~XwKPf)eiVf2`!hFqC zSzP(>;N;jAfu#=TBjRtv`{Eb*y$8nMUzu+XWa}}UA4zMgmbVy%VBv!<-FH|SC5o>%z9d~meL+i zu7h(K4CO@u39YSW#y7M$7JFU2jmysfn5|t1K@0y6^f5+UYSi66Yw>v{Q-Wls?v80w$zOv7$8Qv>PrGt;7_(zQ5m)^dOpO8sd zvjVi&>+E2i>ZY(T{OWNsFF!9bV)2m zHT1nr+=XQ^Y)IA9$x*hX8jl~1{`P{GY!(YSot%{0Iz~@;4UD~X^B#?Fpb6$3+Ow!);9S^e za(;{HU}{@^<#|_)(`pp%(m57`b7%J#W$R^9E$H9TwEHd~uH5l(qBQUDkj3+$<=&~_ z<=$n-twu4LwuTMv(h|NUVpTVDAK}=K&(|V}1Yn#IaN5Gf(F=?nDZXTvkHuh1id?*P z<;&MoHpe-{_Hd*pSho#amk!i^pAyoSniM(8LA|R{`5WUDxzh#=mUZWqfPsdT#fd%1 z&qEWPRFkOe?eY~{Y*?Jk?sRF*XG&b0C_DChO9<;>B-qB$0LJ^1aRY`BFOGHDKd*0f+@RFQ3QJ#~R zsCjUGIqMknrpCND@uqThgj}v}{hxb*|3QC~fo#FX$t?t=z6Wz;fEX)2{!aAqe9Fh?<G+9{t_x}bKWx_Q8 literal 0 HcmV?d00001 diff --git a/docsource/images/WinCert-advanced-store-type-dialog.png b/docsource/images/WinCert-advanced-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..fb418e6f83790cd2e6a6d55a8bf9b1e49c25571c GIT binary patch literal 41690 zcmc$`bx@XV+XsjRDj|x9fPh7JH>gNANOyO4TOf#lNVn46ozmUi-Q5j)+|T>I-yb`( zJNxc_GyBXuqulq!73X=xFOEweDG5RJ`*`<}kdV-Yh2F~`A>9mw|MTx6!zX@Np0Y?t z&yj@Rzy07Cy)o%v`&jO}dG}bq-(~y8FQh+S{s-!b!dRHMAHEvl$HXLZxq&U!@Y(w& zgPw&-N%y)NRH1M*sjp)S7%q}i|Dl5ZH?(MZ=GF2pUa2P&UV|{@*WEV+P zSa^PK(J+$9$lK@3m#W)B|9ozxvbB}X#>Vk8BE-)pE35M|I{wPoJc!^j>L{o|%>xySJl;(i?{C@8)ouFz{pMn$CyCvIqH z2&PoPdyablevfexm2zQf6ZJ1I`nAhszWPlhseH41&*nRu{qtW0 z>yo(!>$vsn=IR(+czqG-e9AH@pEyZKN;Krn+Qixya}x4ShHM&Z0!fYST920XaPoEL z@A1S|-}s2(hDX0uMyQ*#Ji9e7R4{Z%S8_3J@nL8kdyba0U~Am%B7ZJ-*3Lu)71__M z`D3q{(L_E*vi{n+VmoJ$<0461$Hd=1F=6R)SG>LgjE<%#9Ua%l#c~iuRXSQ)pVHFE z@%)hgV!pO83#?>*6UxBM+*nr^FR-3%C8}%nCzMf8$0tAxd8TFRuFNCGZ9}EOdmk4K z7_v_ePok(C-Ci*gX~>hjxtU0!x7+!xhSBceQQb9LKyvAk3W=REcM1l7!NI)L)r4Jb z&so~w3foSzlRi)Nk0hdRzwBRSBvwjvr`7km?jGeJF?pmCniC$W`U%e_7_CRJ>b%Me z6ejyFvu;--mj68{d%~H8#n^%V=s| zf|tB0E3pH@5QC0AgK4tgA{Y&{_4M={H;10Ie!rQRltj#E(3NODSxoZ2&c-ik%K8-nJN;?eA8EBxYK6gZ6T=M&^R`P2nMJCPCs-(WN{e~njDHT-* z5*bC0<*Mz?(=vY7oyptI+&)G6GQ zk0ZSG*~E>2e3((G!jWh5sd9$8~dK8$)r)B{R}ybViNFsmne}zx^`jbzu`}|f7V;|uyA__la#eW zWLXZfF8bwx^Bolw(RvfPY{?W-+6+uaRM||^E0?m$NOVhh(yv#p(LINxt30W=-Bs*Q zub+1_gk?st4HM_)u@dt5H}FsV?Vd)*vOA@<7SHpq+_;&!Nkw0hIz>Z8Ga&OJ^|WH@ z`Zo*nAK5q(Q?4uIr6HE&p5FV*N66%u69?%qFIT<@g)4fkCYtX5tl z);XX!8mWNCgw6kgH3KtCz_%!i_=&v!;8=3{kkZoANiX%BpO|57yO+|o1U(tS`;jG(u575vDck<1YjODRo$k+=GKy?RvA-Ta~ZCv&u?lc8I;qOe9r z+NF42kc2!)&Tg#h`|%U^lFf-O(t>BAtHH?a?)f3wy*wi%s_>$SI|VF^R?0*q5}SMt zWw)ms_XLpxEV{qqxI8T1y^X3dt({t*$P;&KXS6$LH*38OMRs^@#k4;2Gy&}o>T_cH zAYKPG&20+<^cyvNaRO)r)1NT7@paZUed5UyU+Y^xKj0c4CRncXsrh!taih$f>qzW@ z>sp!RyfX5>zWI#i%ANY+%ltVywKG<&p$lopK`UgD@|$1HIP1N(>(SNl1teERj%z!O zdTC~gYYS7Q_~0pxSo4J?Tbm}w^E%3O%(X;Pc*K#?9MiOiHD*L>#nGlP6+cYUqimCNi_0giuNdv}DKhUcH*RVSNXMb}%ZejHcKf1nZ- z)BYO8Qs}V}qNA-jzT35Rq}TR%38z47^li1{x`O)E%tMYt^A6GimiWOH$Ah#kRW_%P zL(vB}XK+@UMwZL_O@vTYx!Pz_N`=}_gLX|-+=8d&iEjOt3wv{hW+FW7-nnyNQ=UOR z0gcvJf&Xp(2Qw6*)VJQyqrR3t_V-dtwxZ;XEK2(($*sU~VA@b(!^e(GD4y`dT~FDa zsga|uIA*rou8drYoEZw5e;M1ivO zOO@9vABEJ#my}r29o&?lDMoY6q)ubaSE@O9z8*%nP$WsD*HVfRf-D?ze}aqPuIXGO z1bZceF}Y;tnrO}oYO8%~I*t~y@9#PqUq9)X(!Cpy#6r#4kgWI3@ha=>59jizKiHK6 z&HXG-ugv?4cr2HjuO(6kNp7uj{{Szjo^Gc6)hx$6C=x`;!UcYE`qmj=6`v_e!tJOF=G4qfrctd@K-?#UIYKl zijE81D7Kz;E;#6u$E$8UGeB0}9yy#CfsLNZR~(N7--%IRB_BZ)-4QjhQMSWq=xqN~ z??T&aVA#%}@lHWU=EQ0B29mn_^}{niQ@@xh=HZ;g-R5N3i&9I62)h+q=dNeIT89c+ zj>C3KNymhL)P}vn!^1J{Rypu%I9swcuFB2SnE90-C&m~G2|7m=KFHeBFJwE6eWl+BWIr2k{SdwGMZc^Fc~g=sY+mG zmCbJ-WF$@aNKN^`%5a$&9;9)e_9$Nc)`J5M&l>-xoxzHl*$sVPWwXx_W#mgs$z1z! zH@LXcsj~@>7M7n_uSuc#@{V-vUWS#OIa2s3pU|6Jks$||b;B<9l#4zOQs4ZR;EOJi zZNH%VB-d_G3&TrYb8JEj4R`zoCn@EDv*(DYFx8bMzR8pAl(&pTpU2M?p5B$CfI{v_ zr!7Oe)IIUOsZ*85Z4)Q7d%Q6rsG_G>7Xc*(8#dfK zhYks)QuRJNWYz8-_`FmT;+OhUwri7#s%`>YgFdl*$}`K`UQsE0e*V`nmexh{f2RCK z4%;=Nxt@y8Ke0o*{;^u<{IXkpeq~CC&?Ot+{c1}$c^PksV9(J7+22g?QeY}od@!1u zP{o?-SWSPKHYI#z7)2D{h9;)0EdcenC)vbJ-Q9!iZEZC~?!xlpJe~e~JkEOD<3j{G zeTD9epNk>NP-OX8dxO(gvNt2k=k0-6I64o=8KquZ7tmrmSvSMI%-ogJ&Xv98a^ovz_bS+p+-&O(#~-R&O=9=-n= zr_zw9aNcM3#^#x-X|7Fvyj{v!Ge+4ZIyOgE>_zl1_Z!7Wp#tcW34rlzn7np) zX&8*Hp&S|Ou6!{xPEHn2L54EU3fna^x0<2XWNA9l7I0h>^VeHA#%N>$CC-@!;<|RQ z{sxi(s|rNq%$$}+_MP^I_ntu+)UiAgBkamrMrQsMCAX&RV)ASXDR7z|^S?NR>CW-4K?v>v|JXr~iv@1&R+xe`Je zJHA^tcC{UPC9iff;zUGa%-+a5A%oi9U*2|QG`uy38|`n|{BB~(qSQ~7hEF~F6JlLU zyErb71}26ruaw4>dR&A=p?S8!SE_#EW$O-Cs4u>zmbGowWp89}j#&!6kVzTDvSRr( ze@@d6(R35v1;6_1MvSRpf6)yj!DE46P6de}iDVjl2cGYd#_UWKm)alv?WlXqiITyP zqnEsFy()GS{fnF7)KJZYIGVit(#V)XLdbhhtx9e`0fT|0xz7{YG_fKl+r>&jq0yZ{ zF}wstWRm}QQZ30m;`hX>uaqz^9vPdSV13s;+b3*^paBK*|}d?%E2msWPF2>i{}mi~NB|$c?!nyK-lapD{{O`qQs3OAd!S zn?J3f`Yh;&U3ag@>n|Bcmh2mB?U9aJ9`K4?T9TQo6My35VTgco-@ImV^eaf|)VdIl z+bWP%NW3kculxB#6+ycgE3+)t;|)Gc79Q5?8I1C6%jOqM|w^AnXS7y_h>Z? zI1Y_em*VIFb>KzS0rWh0_DHN=pGWWNG&i4xmNh$ZY~ZU`r|U{j%ERILz80bO7u?L> z_DOSQw(OjwjMF`M zbNDkNZ_VL67I?{=9OE-fi+=;T1JMXQZW%bZFyWyC_=JpWsvRv?&idqerxEz_{MMq> zW`!}OwthAXTHG&NW&-iN;;}DmCQNvICW9!nnOXU!_5wT{otLL}*i{me_5#A(lUxMp z&q9TAXv-=uul7xZDrFuWAj*EWh6Fw`6RUj;<&zEV#?NXYp+$KmiK)MxZ?q4Hi35;W zyW>P>Erav2n>hDs{MN?VBCWfcQ?UIceqTOcqxi0K%oHYr8uun;{A-f@*v-m^4B7)Q5Pcj0A9V~`HNNSHmjA4rz#<)P6XY!oDe}7mjPiYK zwSaV>*G1*ay?j)kvhW7q`sy_6sf`X-U@o|Os&`)yiYer%XED7ARWHsqJ&7AFFp$kr zui{iM>3tz1{W!ZJ(bCpJ*jx2-kq3BIPTyYhky^4+hI6Wz7@c&~Z}K7BrnU-#qBOjs zv9Iwj&HUWYx;pBDKQ^f&MYBC^tba8=b)+9HLvo$P`nNylFhzKsBLrC!QsVrmot`43 z4Kw^c>i3L`Iob}&rJdNjk8%E+lXS`R((lTjw zqN8pAbHPtbPe-C1<5Q^J7`Z?Kb{m}%?@3DH+)k9~1j6it8Bh%@b zDV;RRoY;2;epGvLZd?l|$;{4fe)Un_>Ujc9M^0M$p>o#HPGx*WE@ioiN=iSj`{I%W z?xml?hu^aYf1dK84sAX|^<9_^G(!;QjIdj2!b%fjtpYi+Qc?1ki@IhepE6RofmG-k zEG3Y&5vbwGXNcc5-V*J8QTz4MKGba8pMJJcovk$Z0du4_!M9^o2!L>jswho!BmGjP zy4KFnZ{@7c&pouI%#1&Gd#vN)2fo*Gr`KPS#}1{Y==&KO?CGFpfLFA`IKif+9bY#* z9Wq34D+BxGU^0p0X~=C%D89-(k3Y^6_}hg?gtqs(1s1N#5GhE0v+g(Bq(bK#Sjjl~ zHaEn?YfS51LfTA3St(KYw(JpRI8V*yh#9lX~Knox1{r&b9 zXk2aa{Jv5dgCSFFHYPs@jElr#AXw1x1`H!G?Z;lt*7IcfNK1NHCrx_|%gvkaguBdp3Nvji)7%%b42Y@&AFg+Hs1daAGxU{@s`9hg-2=MBWZ`uDj=#XmQoW z5zw2|uU(lC=+8=&7m39cN21D$uy9N9db{>7GY7y^{v?^+xj!G*(0BKyw@s?lZzSpB zrsKK$WQdC!_6&Tp=f-xItu@3&1O$(9Ec;t@Dk5yr>|v?VTNuQg>|jGSD?-M(|)=b@{@M^xK4U0014^R9Wy zkCI?6CG|~x7j;TFuMQT$8PiK$0p8D%=eVIkak346xN%1Fu3iJn@Y3K*&y+xqIz?bB z;0y0#&bH8;HnusN=3koU>RUbaQRs7GN<{6FL-T$>JnuDhwwpszly=Wg<)jyWW5~6N zi0stu7z$NrMHJEVHPx5*tkN7$*l?$UoJKu2t}m$!Fq-LIWdv0xHgXGDQjEsSH%6Vk z;%c}*R;0W-{Cq`tM8TWlopAng$6`fk^N9-xlgE+;`kmp-CQp`@mgKI2wcflz%Bi{H z;OFOO#`vkJ>pfs}sLB!axAjYJ;o2ji1kD-|6h(WhlI1_@Z@*q!1tz$>TAe5%uid=F zWhy2ZA0}K@z7QwGy~cFEVZNY`lWW$QXRULlG#cLTrfE}mUHUhjw$7U)PH6iNHRw~z zXCYCU=lZ3nYL&K7qqB$XP+8qYy@;&uC0(oo>fD2?-|y|B9KqW0AR z{uDAIc?utB_Wh{NRLu3oAyn!}ZB@H#z8xTuGC#5Fh*;YccfSZ`i^n{N=8O%#>4}nr ze`^VFM9y~fu<6cL%}XY|#&^@_J9c~sPP-F{BG}z=>q+c?%cZT2h;F&rl5IJWql6vDn67BqTr83+2%{E9K3<@v|^DwQ87u>HG= z6~~o>aa9UHBvVw548d($4ZQc@;Xvks`CQxD0FSgWQT|SvVd`q4NrdW&b8F>o3@TdTlD#{BlnQo1IMwVxNS%OK~v zuD2@Ct2!J2H|{=Q_s#0}dxssygVPgz!PWID^K(Yszu0SRwhUd%tVp7GKLmhaWH`*+ zVmaD3H5$3weO%Wx^f_m0vdL?^ZgfYjR4eu`i8`p?jh3WVav~@}Td;ndtT9U`)$Is0 z3kp^UxdSPyZB%61YF`fSHVtlbC2rKn-u%Pj3&#dJx4$baKO*|jNm*6K?9k_cmMZdi zkkWpoWeEl);O}P5B!>Co>iqle+FGhBP0r~q^v1EF&qv&!cQUpGrnSs+3-f3CN2BhY zZ&GR1#85MCFANhA=LR|?g^6`ii?3b^iGrG_bl6B(PfvcyA1U*tsaR*DfE#TRGd*24 zWlB7}!1ZPO(seB?ik^EQsjfV)fW%qzZo0O|@X~ILoSj!!UM@p|TnZ9Yb|G)!#XstP zxjBgzY0!bn(M_8|<1oTj&F27y9Rvs7t^II+4zlbuv7D)C<=nQ0Q~z=n=njD1f3IL~Y-HuxWjdeWfn<6xU}~$(Ezk0V zjcr_0J3by-BxP?aF`p0H=*;5s51{3v5vPFe^-H>LzyG2-y&XzCbz%J_C`Ysx=lYBaNdRk$p+wTRN_F^(}E zJ$-HMs29hLEodS%Gy}h4L%)c~F<9F2v%Uc%;Gx4Qvi#7}$!W#xj5eRU#6!4#xJvlk ziZTOPDQL;u%qUp`-@X+1&C(pk-$VyIOR4$|q`#B}OJWkwx(jVcMrf@AS=-VikKuAY z)xkmn%3U5Rx6F3-9Rw44r4)aYukt#GQU)h0HXoia zZt9yNXN6~Q7aQgZo7I`%86{?{z9yNVD(lFRL6FIm04#HL|3&kOv~&rnJ*-c84~2o9 zYsItFmc&x3+eNnrOF#C6HCtH5)-o~hjFCOHV)J9a8Vre&6SCJQ)L%+ws~D9VNzWm> zFTIR)y0cg`!lAeu*WEOOKck#1w%To~tQ5s)GDVhY*5TtL7N7d&OGwcjyY&hMXSDCW zg{lFfuNDPJl>IOOJF-fmTwF{Nwp7Gx^KaPpMbp58 zZwwTPCS}!0C0;GVO9AO28l4Z}Hz;KBUM8iz^+xIOGr^5!bBsvLz(r_uUbQ@h>qAn? zCpY3b(*Burk}^pW$x3%SI~yyIl$N3MY6Uk(AnF#3QrZk zYrZZC?J>mv>&%L2`@%3`6Y%k>gxy=^KnyV*-ktr+2J|+j+{99HdG!kM={xUh*8ey5 z;NAbyXZ#fyNd6zIQ7}hH^xtOVudJ-B{}`8C|2xLze|u;Dmk#Lv=85`Us_IVnmlKB9 z(Ywve%$!#Kd@~#`HuDROijEdjS0}u2;|6n{&p=z~j#QJbff2I;67f5YXagmWC z@891Rk78*Y9X%x+-0LF${!Uf(896z5p<(Y$O3DnE;wb`7d&{|odkhQ=Da?1c+4;cm;_`A^i5qM$r84WJ*)rvuO^inHnTxOE;kgB}=lWF&J zYPYikt>J7nL#9ZIc2Z(udXFnt85x-^X>=2ToMD@*3n%$Z#kcP6SKLYlGBS@4N6-BI zggE=ghN-&iE`KD8SzDRSvT@;tPP0F~en+@+y3t@=eLa|m{Xy`jSN1;bD^cJuVLw-tqCxF^!x5XBNODX^I(opWA8z$FhVOVbs^JxAnVYJL5dA zT3driN2}d9`MzQ3{rz}jVQFcojbkfxyXHC;c5-^#7(B~bZVR8=C*2-b^*>+mA@!`< zq7m^#d!phDk=?F7o^m;+>X`74Cwng_SYWd(fn>iuB|cs4)?Os=1P3Q5B*YWk&F}F~ zi!LfFx%T$=tt>77f|sirF*m23Ur>-&T--D^R^GuBBOwUu_C0=PX69pBno-1Qetv## zZtmZ%E{qTnIsK`N3s-9!8#tULy^A@C?EZ@vFB+N=JN;Hl3KPlG)069HL?=_Jz$<{~ zY{fqe0;=r~-#6oo@{+~v?e4R~b;{_YW+IQ7#YMaBHS3&-vuf6+Nj4VVi=8ij8m}9C zunJ9v{d;<(1pM&iGS<_?dwYAqm!16A0=R8srO9U)4Wt6Od_rb4dv>;-V>DJsP7(6` z3AHljlPCIQHI}pQ#tMzTR8?_5;Ju(rk&HvuglM5sDejQks`Ered&Y(tBEk`Uep&p@V~itE+1`rvpt|TH0%f zAlP2_^G#M;4gw^A;jY)0$CVd*?G25Md5*i<8yg!tJ3GJK&W|=G%CP(d_yh!y`;*0W zI>PA>)&@~oSy?&kH-r=w!?mu}Yusa2`%~uU=00a+P)hP%GSSo1uh?>Q#d5cMKYV5B z;Lu!K`-xaI^k-1et>D|;w@@&8@^l0tQyn3t74x(kxlwL%OOE9}U=$AwftFYrB z*kA4@rK5utZTxxb1Qt#v%;6@)nu5zpqOkvyG)t;wjt42Ax9e$-^K zh`No@f_5sK>#NH`i|N?9y1Mb~8nf}@(uxWjz_{b?S6{z=-GLIYcQPNaKVj1?mvK?) zwEvXF^eIFLJli8|?8b0wl^3cP>tU4TC`Y z{Akl_=p7CY&e_qXC`8l?BuJG!gKk3S!!^AX&N7{542d|NPAo~TT7x(@fp_n2N>LG47y|Qq#j(X4rSp(KGeej+tug(AYkOeeG2$LYh~=_;`{L7aW~I7)ntW( z!SUAQo7U5#MjVYEn3X!(o(}NyL*E=Ls_*RdQ>(C_U0G3FBwod5HP5x*9AgOhg7P4A z+>702Y3K5Iy1@O?85Z$vy%+jD42mE5-3wmbZ$*Q zaM?IGpzXlH_}<^Yzoezji4^?3Br<(m!UIhX+GI4hODGiDy)Mpe%YzkZ#G(f9UMbGz zwYInGY)@5Xs#iry@|=E!G7`o~ghQ?T9-h!*yjwbFxWH~*9yZ(%vMVHx_v5VUO3$BL zIn`&zMQt9?vbgp;7!gYj6%UbrIsx2Gu<`7!Cv++$=FA&$wO>&7hg2*ALqnV3ZVjia zxnUXg_7+;v2snaY@OkZYvQBGiYs=`JeqU1_Tn4%5DJ3s2k+#l!h|4`GJQmYb+pP(u z)rqnKZ3BZ8NEAwVcGh6HZ&}#QrGWUeUFKWk@@h!RXlHYY4YR*eyi!2!8tonH&nad|!Wmh*5tsIV7MQ6P{oE@OlV@s@}m$ zFX9?|%W)nQuLS)+XlrY?4V2{ON}aBz#04v;JMot}?I*{ReTRe$hR7j@o&|ZP5R6SJ zPX-V|9v&Bc-)yW)VY`{Cnts5Bu%St`@Ts(>9rl0?JsV&gdML~cChmrm#M zK&;)#*%@B!@%FR^E|05Y1VjC|2MSQ(ev^r`p0YrPs4s-ZO$lv)nd=&HA0*~wd84wIL6GulYy$ND5aIJUm-US2Dp!gn7 zmZef6@AZHvJDSrWyYJGWds{C`|vR##e_LT08bnsrYJ_IIW z&*FOxAM=xsk^<^$gC)v_b$I>yHQ7g4;ymj^HtPlNKQ!WzOwtpRlh|+ISxU8>Lfo$4 zF|KITB-6%2H1c(Q{%m}_aVr>55MC_r;ec#gp;13tKNMsc{ZYhXq7b?MhSOFajhToD z2?<5$$;n;C*=4O=;Jmx5)6k?Q?N7*=HW3!uatHMZCLy7Oqa&MvCB?oVxO z_FbxsVDK@|VO#z4=g(vm6mx5X8H!3uFvEu^ywIDW9?k-g0o<>}Q>5(YBiuThs!~D& zRb+l=wjNO}J+9r)4pzTJMd3I56C`+CUsay1WmH~Yog<1kv=fG~kU?X+vKr`h0D{@r z*fb3c48qNgjlWBzyn6BCQ#bGRGpN8oOO1;ntKH76Pxtf~7#W4d#1a9$dO68a$VF5K zJE(-ws6oH|;73yr+r}6r@H`tCkki? zrH&vt?xLYFiP3Uje=?qoP%pn07ZVHTapTZ%-M!;n6$>Ml2;2-^OJTLrqUMq%&UNoz zdl>EVT%)h)R3)ygY(E9Bhsfkub1BE7#Uu@YaE8kt7Tl6hpPHdBpf``z*MHG#4-H{o zHkXUpD;XLL-`BYN!o0boBPIBQdTl9*AV)wV-q9)-R#uCthQ7XE(b3WOX@%dl<_dB(e9h^P)Gj`$%Wo`6GITU#M`LL&5GFMWMcySa~_L2V^wVHw&{ta4^{cXx+S z3JeO;Sy6Gyv0LrC^SiD>ma_b-THsnNFA|U-s^OGf$kTx=m17CkTEpt<>XFgWJpE2Q zL_K-HFYUPB$=V*W4Y(3&ZjP;!A3p06Bw+II-yb1rqQOckaM+%zD7$yuQED~s?dL}f zI1aSk$S@7}vbMcj$Y`27Gqq@VOx{g?`1tBMYx^lLn?iF$puL7O=!ul+RKfi!lUsD0 z(tgDpM1T`pTP9fKc^D0b9gG0{`x8nhG)ixPm%_rrURPfLV0xVbHRuEkF6Qpeb9Hrf z8wDlINRD!_#=`>|m13#o3rHNqwxz_mMxDCKp04KRcMZ{!e z-Vn1`cz7a!sI9E5ph7RlPAbmN%=`t2idgIjh;GF5LriC?mi=Ne8{0V=x46{d=2Py^9DH6%_%2;UY>(N}^jgZw0Jh`3I(Y>^{D6B@os3-{i&SD^ z(qVdWruGYr61lo^0b()tync@UjP2*)`moJH%R_KWIUTli;qj0RiZZ**VVNZ>$iPRZ~8bXU=1x}zgtK4AuLI($CXo)KY{4mw>JOnh=cMH%V(Qm!xJzWU0 zT_5s;>WV}M17?+#mAQF&f1p*mULFp=5f+V1Ng;)94K)@SE`N10|A6OWr{22#!QHzv zK)GPH`L3v_=*7ha85!B%+S=J{a|NKn751Cj5P%RL^V{1Nj<$f20SFdYO!IJYb2}}D zD4c8*bnoo#)%EuWg{eEIb>v6K#H@~&&_X5vZpVlJsHmt`0K`6g_^@)P4wVb8Yzz2j ztlk}(=ib%%HWm(!AS@Krw;4bWB($^vz~goR@a)2uh!JE6T*Q`0J< z(%wE90^4=B5vQp7K?Z|%!(D)YjnG>G>@{_F2RKZ-h2b*l?+hwv+@Le+d!4OO;~x}+ z<%h>yH#|H{=OMQ&3HTYouNoUY?be5I-|2#>i>RVt_QIU&H_}+g__}hr#~YLt6CUe} zo#RT77C^re0hK`ynAzSA5J^g>s|+CE3`JZF0I;^Xx%tYLRNMG?6a+EeR+szPY6<`^ zo1%3Y*^=sQQ6jmb=+Lv}ytEDk(3OzD$f?{DNt(Q8Ub3BWc9G_{haH2Jq$lWy*9Zal zUP$P!yu3Uj17_>)@Wr5@J^c$&`U(0JM0kbSsYm)20_}YWqhMiC-#xBz2wO>~BqqKC zi*9Oa+9uxK)g_S7J2N+DJ-!H>6^ekPq_V2DwKb5mzpbrl6CNku<1P1>#39hEY;5WW z27*Bd3i|mILDAIJ)gM230!%?W)x_MK2C}5Iv^4lsrlYOxB?ZNOSy|c2s;XW?Ccw?w zT3T+Jg%cP;TTiV$%{~%RTRTVQerGj4_NRvg8l$5N;Q3B}+*fr$63>0#P zOA*oK3a5P%LPA1V(%-#?upc!km#_ZljwJl}fd(&wgRUzqPMGD5ss&fRtVFy9Tlx3^~* zFR?Iy?19``aaRz$`{HW)WV$St_$wwhgfGoLB|k#TMK|*KfBcRFD1>F4=PdI4)TPsM zCklAenoXD4pAoN77{7V9V7B2sYFU%9lk@r?;qzo#J^>RK$04bBZTF1`lTTuH(Dh|@ zQ%zsZ-ywOHBCU z<|lvk+eC8|4;9t-T+PpeSa7rEeB$BUbX#BBeM-?&)yMA!=-wBbPsYQ=J{sRZtCC$eb{mT3U8};u%Qa7)na+QoH|2(*ZQdY@(616JfYh;UDlYR2X{AoLR@aGw; z7Jgb>o^UVDo(OG4()fnT6)5BN}kxqppdQlf{P2F&NGlm zA%d~&?d^-y7LAn(^wB}mi>)Xt>n%1@f$Hn0J_Kx`rM*1?_*MyZgL6ikl)uEu_)`&nQK0bed z>!-=4Snn@YnY3OkMOm;}&L9N_1|mo?VDpbYSftj_{>HmpcIWt~+|SMG_u=As09K8& zSZQedTUvx(zIufam7t+8aCNt}mCtV?V(@FKkFtdi7XhKp`_YyA8Z}n)$RG??UY)HY zM7odgxPTgc!oqOy{Jh|d(yFSely=$KP@6vk2E|`v1aQn^KG6bAFe93lkueCwsOesg z6!9qilM0O*_a9K4uP)E0d-K70fGlah<>XK-kZ|Ko#vq=0K|#U%>2e$?H+KwRGQy8Q z6FosKM*j$4b*U?+9VFJ3;T$3Wt7$KEjf<3HUH61Ra0=(Jqkzmtnd$k%2kf8+)-~2? z2{&7{OlFf~Y;?4@%*FsH?(M&@DvnpD%d2BWl&=JSXo4Pq^wrZdPqX%>jI6BFUMnfc zE4P2c(t?CU2Mr8Vhc5^HQG>)IK zvF2n^K|%Ewr~ByVri1BnAR8vE{mWvB+cNf^C^)3Gw_sOW$}?EkD2eHYrU-HjLi1QQiP0#K6FCJsLGYBjgGPMKCZbN@df{L|gkE zphq|-OQpQ3YRBGUJM?%K(|u5qo#4JtfLgb7b}qsn$Zw<{PdUz`gGz7;Y8r?uM5UIq zH*J=?vg`>E5wLqbtcE{_qIuMSy{Imm_TgFk$wl!#gi;u&2nYc2`3|aLuI3E{@P_TU zedo@N9+CCBg-qMfLQcYP*4zP2JpfL*o%}{=ley zMCj~zTM{r40*!!1<)wGHF&dPo(|mJgbF&k8myfS6g6j=VRv{LO$o=FKBpA?N1Tne+ zbmZHgj&X|`agYd+Xsb_N25=ue1+e`1@ng%g10#UJ9{~#@(N-Ni(rNmkwbT&-?O48o z5Rr~2*UQ;nE%On+TaM~Q%Hp8Etxi>O0vRx!u8slus}Dq2z8%Vt=;$9IAt5i`+=PdN z*QXi*v7)``gXEy&W?>11eMKlg^(GM!5ryWHk&pp)5j9SZjy+i_tnOf>=yyf8LVDoRYu^qH4fPT| zB_Z)(WjQ}NnORwB0bL@uxENUz@?$X+AFK!v{I^pj{`E|=@JyUZ!|P@4m*um4Ii8+( zARlKS=Ses?%2mA&j*nA-kU_PYU0+B23#gtPFmPjIQk@->$q*U{4{&LvO=o7%hw8MP zK>8C09Ti~|KoN$d19~I1xj57SazX@)86L3uc_1d0yG{5Zq2i*VuNWDzVCU=Il|dQ? zSaqD3{m*S3rylYIW|e<%B_9dT*V5AZfzRp>IyV*;7Q!#6xje%6@$muVt)s7xd_nO2 z=FOWs`};bh`FaZr3qPZx+CiY+IXcQd*s}!AdwMvmaSs(Wp|ms{>=^(j(o0Q2Yu1*Q zNOT9|9W5=-NlBaOCMPDM2L?WX*W9DAou{-IHBktfzY|l_21U(4S%7 zu`%up6c|WOx$cVtHF|ab{(ZEZN$1m&a)b>BMK^*@>n3!Y`qtKajEs!+`S9`ggoIZh zEiz1O*ra>_xn&v1CxX=>#3P{mp_JQ@IpC)t<>u#WLze?keJdB7nklDc0z!`qtIW(y zaJWi0EfJ9HD<)F<$cSU(bd7lyHQnl(c74Jrbze3D+ zTGp^OXtlq8BN-ShTi@7T>Wo^XQ2>4D*3-{@n=6OTz+5eDZ7b)ieUiX(Bd4K(ikCNm z@Yui;_3Sq`hHx<*EA%Nc8OA%3wz8tHayixq4*-Omz}Q%SUtdwr7woL8Ve#?tBD9zP zIOxIOeQQL(uG}nn?>uNV8<5JrF=ZVYE-H*2y2=@E7sBh{Ncj&3pfJzNBs=)P$`#50 zBN>yElc`P=I^YJEYAwbM7~5r`v;+q~#vtP9fX>pLkyEW~M47If)zsOU)weh@Hl}T2 zqLN|vuU#HjtH?_RoG^HH%4f9<>IS?0##1OR+GQGf(iwvgyIm_%)QA!*O;F^{u7X&_ zcNZ=p>Rs;7J&vUQ`H`#i{(V&9f4>?$A083;KcI}BSx)rdZwfd4-@GZT?1zl6fnD^w z_@6EZ*!j;cy8eKn`~M*53~5naajeXLkmt$tYwG`%7nA>cFvyA%`zv9mkp|sh{%}M& zt%X|35Zka$w5rpxNN%!I?phLPy%r=bxTdfj;-JBRFpF>oRaC~$)v7p;Kx;#+-^YIu zyBw8u)F~_VcEPB^j;H3|YclS2R*JL5rIOO{cUNi@R&qB5SBq~MdtJs^0#RhKnCi&Y zs<*VV0yY!{)Cs`GXt^CFArrzQk7UOr_2Xm6D8d&_VMG3iz_*r?=A)K~R*<^nS?svq-D-iD6Kv zMO>lgJ~=ht@)LRkKQHVWlZXO=`ksLABWGcuNkLSO*9O$9P9hPfz%~IznUpod^^CLp z!7R`mNR>tyCtx8Ck6HU6stu%G2AVPw7KxZ9C`k*8iy=-`>6ZuKj#vV;QBGUNx2UXz zVvw#@ojiVrPQT+Rboeh4DU|zXh;9iQe``laru8V8!Y`<(&_04`X9MII3A!4>XEiI) zYWevBB$&zKiL63pYQQ7OfH2W;8NLEspfl)t2KilPzljG;mEPFtO%|abJa2sQpflr4 zSOqieoQObm-Nn72hzI|f1rS#*9Ls+poguBb;~P5VHweeH;Z!hJat=(;spSmc$^{Jd zA-(2Yd`Lf|3s423K7w_6oJDL6(F59frm`N07$P8Af%OIGXwbdwocCypn`Vt-_xc1? zzx2!JIrMk39jLn5B5PyAF23$zm^xuOCF0a(j3%=Cze*UgIyywtqLNMQ`#Z%x42d)T z%wAF(-fQ~qJs1A`GX~n-Tl?qrLsPP7falQ*xOm3dkmjBjt4_h?a(xggaJs;AZjvNF9`km^$RJS&FUp&X64D8?=xQaXF;tE!Q`@V z7X}bM&$t|WrkcQwR;qF5h6xQ~UfwuBWP2qwmwqcNhF%y1ZJ;M^oXhKZt_v7+MI+Qr zx%6?sj!-KzxFo@%|EtSjwbJtfAdDbnJQC=LG?WV2nYL4a${RuYLRcaQxCT@&EoA;| z)51d(EUn8+u%N&&jkQayD4%Q?jR%20ch{xT3lK}I0yi%6^l)AU5>Yifye@e z{lI2{>xPFvMVQ=+I_X{WcyyXb({9HEU~B={-Z`$hj)B;4DH}85z+-#6ro!J`n`a;jMt>3j9`y~Z?M{%fbwtG=E&;DQ~H}Q z3UPi8;W)dsB>`GNDcE55?%w?k6cM&B*u_JGpX!NdM2~DB5PgNGQk0P?j}SvMFgtV$ zlzLr&b|CA)7J=x9Nc)Gc1b{P%!vg@FO5dZGTecd^QVD}O4^TEw)-rMoVUP&sD;x}| zK)Zd4h76J;1RJ^R6j&i}e`OGofWpabu4iF11u=C5vEq8ZSprx2865m!$z9mN;W$eD z2xRo%APj>>iqHdS)GP1)9oF#Z1j`gbtI_dUbityAelM%2XgGZglpV1K#sg&V&q1I) zm0ES8dHGT%=!XE`;WXChi;;-n1MRDnkQ)lDDb}<`E{+^l8b29#o4>F0#9!o&=4jMV z9EL?j`8I0b_zj5yP;qqIrcjaUXopVo??(noUE*V5SaEiCcDc24d!P|Pfq~LV zaupC!FbgDYt|YgVmYNFHEkNc$dN8X6JQu9+#L#8Rpq(lbVs6Ugv|Z!w-MghpD6-FH z*Veud8dDc_YSKwbNomHBegu6YbhHHOJjAWl)&x7`$;P-Di%QzLoalrjQFcKAD?-NNroQo`IoR!mg1Yz?^l9F84diN@x1*G<_Gz1&I znlhKDBs9^x*lx?ll#>HhzNM=x83+To!9={gyzcu^)0j`63IV-sY-~hW#If8iGAR-S z$|dG%#@D}`5dw3TJjCJ2#eO%WX~iPFoE$jeK%GQG*37{c1Cw@2hS#EU7a4dL!m{SN zzSxJ+gQPkq)Vp{80x1G+1cMIm1q8e<``qOqY>I%#0>aQ?h-e$gkWIlL3GxA%$dpCJ zGsB{*t7~C-Im~$^xdCqF-zGH7f`zOm0I`LffE9lWGnEj7FX`xV2illE1_V3+kfH+x z;K=1sL4H2s?G8%$%v4(p4u`D{-s@9IAPz0v-3CApCcs`uk`ET`>W5kk4wVo{%M}jW z*?a#)4OY4vao_Z~4-PW!>3*b1rt5&8IW_vCyX3;WN%n4^6pkym#buZYm`&{f@kL;| z2Daq(?b|(-PBswjN`;0GL0K!}rGx7Kpxk!#bH@51X|1Td_Y)e`7HEJQ$4op3b7`e# zHrXw#q;BD^g@pw|3!3@zz!9_{icAsEVr-28bVh>U`X%)j!+~(;oJzTKtad*8W*SGS(^rP zPl(P0js-(TtbRcROmIO95C>}nrZmarrgF9To=_?N1(_1aalJ0X?trZ1Zq)QevKTMm zuv*wjD0IE<+ol18+)rUhBS`~ipu|F>D~`7tkWh!tXZth)}Vhk53(N z;XHhpM$UZX%gpJo98qv}Mmuzy)iQZft;;n|Ud&p6KBrmP$tV@oZA`v<_(+lJ2^bJN zySwDFp`gHm*&u$Mst$b)V9eAmtv3&lC43gs=kV_f!LSnqZwnYztt~B@@J|*2fJ|(X z52c7KsjGX}q0b1+wqmh(d%!B9Qy*58@^Yd>-zGu_FJr3zUUk(yKVVX zS_e|=eKT7$d;N(oB_%gcMT4TEM76aM00`>9&#*8-(A;2+%aX8L;(X)wtwO%GKnWaP zV}sGitMQ3IO!7UOLx3%Fi;HqwYenAP-XAhwzaQ#)px`@@4wRqux^3vW6PnIak1)YpySS#+qI`q6^1u^XT1kIG zZl6y5jKHG|?)S;bv5oER8Rb#fh!sUSJ#h?-bj}tS%Ra)42yrWFio5#=J`aqtvA2Fn z$yuR4mc4~+V{J``hc-BwiMSqHizb~W%kqHG_#olStf7}~egW`lOZUfu0vkU!!IHk% ze~$Y9cMCJe_!4^!e?!y#&x4MdHa_)h!ZWIXZ%V>&I7WuEkv9h z*~w()i~}ejHIK)5$%^3lN;VRVSF$-D+y+SW6uk?OM|8|#);mO?5B?wReP>ja*_Q3G zEVTqPVgLmtXbC8a1POv=0Ldj$f}o-xARt*XmZca7MHUcH5RjZD2NO|5at6tgC3A!W zZ*INa3+Em$!&AvIqxc0m&KJw@s)vbAE+?KJiyt;bOUtOo0*M&-tLgkHqdMflZ z;zNTeadeiLUg>%BFT1#acp;?g$#u$}Fu*v^=XIr`vV~2a3U4rc2pePrcw%dpsZ=VV zd12bJ=+cGP1&O|TX+(D=E>&*}HdD@}hQe)j2ZpXjtx7xlSWuoTzkMUDt(t{PQ?hvb zE4uyZEjJzEjwaLxDV2y*9^Puw`C!DnQbj5!;-*EJvnbPzM3!=qN42#GY%VHqB_Ox) zMVRU*;fSe2W(pRj;4{6AzNR~-95{H;jkp+4LHXs%jrR4uBkC7=J7CCy3oQ+z6@0L} zge^GWr^;xe4N9z(mwB_VM|J%Ak2Qc>4lVe&T>?hi3B&vFVAwuXJUS?1#9%=uo^6ek z%fAJsGH%}vKf)W3ouh5If|9$N#c#NTqe0+>v@a=GVfBX}mEJWYgCBr}z8FQC9XzNq z1uLZz%Xb=#$h1F*`IQ#Ha*q2y%I-B56AwMJb;o29{H=9%L zz-9HltOfm!_Xnoq!)2kT!F22lzW-M0%GA`fvEbPQH-+Vv2F^t3tk>GqWmNnXM7DqpSOE(m@XPCKd>u=7(aNzk_Rq&P zQTkyYj~ugp7tGfNT-F>iD;WiP(w@;3w=O_yd}QQt`L#EtrEc(E;jK=eKmVYh9fm-Z z2CZGTunM6fLqkRhUcC#IG3q?ZGuQ#4)w-D#QtyBMe3?Ro)8&OyiGa3wr}>Uj2nM7B zW^!`U5%MT82-V8+5;%7sb~9*%rI1+6ku?G9P}zM&AB?XXi+!1M(6=y$@#m1r@GGrd zLN`7YJ8LXTl0klu$ta{mfF$)(3VLEt(-Dnk?cFC*0vM z`{7ub!Am3>aiJiqx?kqhV%Ayf%o&(c9V)6mUVxd1u@DBkdwP_j=FkW3cA*c8IS;KHa^I7B+6gGJ14>hPEgI-ZyWjQ*^-?KJ$y z-Mc7o35^6Nq&XarTefWZefV_$}lRQKFyjPZ!JyiO6ms$lx|yP3Uj> z6|PJ!7={c`*)|BSB`3-Hn}+zs)km+q`I-0&aq8jFVS_3UO=IdEgCdbHaR*ny9>fWf z5DY3dt!14J&aXT=%y1o`O$Y%6QvbHTGtE=0_`Rqq@)~$KY^q#YME9>FY>jGXM7OUPz;;Q_oMfSw<>X?7(f` zp6{@g25|`XnVeWiXBPPIDV$OaTV11FG&43bA`57Ts3|m-1#2gXOW?@-QE}EL>q@{~ zdCR7ds&Yb9G#z}{aARU67`@#mZtcTv0h~N)JFbnRhO+y!nad(G32DO91 z0#*df?`{}Raf0-N<~<43VpcG_1EdA6{A*LuvOiFIn-}NNqko~ssEb$UMG0nZYs+gL zMD}!_nsBJNQ%PgKUAmF+*NI97;jdMPO2l<1cX|dcU6n6gr`b8P)A;kZreQ1|Jb${T z&D>mEZ*B^f2Wk{~O~HYg43-f&a0 zZuepwUr5z$dwbNZ5AyOveGkZ!Xn}&upUKV5P3m6n_XHg0cif;n{bHQN*`E>|xV_~k z)Rx;?HhV3Z`2X}mWfXlx;D!ExNt^*?6aEi8*Y)l<_t4Xj^UCcYa81!E0VcNok5t$N zA9{HaHwVH<9TpoWO1IuC+|N@+L4KkmS;^$zF#4^|dg zv)6lFT05h1OZF3hW&6pEHs9X3oW;mymIYc32V&wyWefSyf3$enZ%3util0RSVhpLW ziOEac3PK0arfKddZsytXUw1}UhSGb(OMMMI6aMBCzBh>OZ|T2W#va6p5YDJZUU>`I zl-jjI(XIIz@@=H4*11#JYh6!_Y3W zbpl`C;BODwVh8e(m@J4MPb@;B6Zv;rZVteAZyT{FQvmiH#zD0lXB3l=Qm%k>CN53z z@OQCyQUD~}-u_w)tRZ#vYQ)<`VK$^Uqyi)mnKkpw>VJapC#^HaR(r5+QUi$R5wJmy+EvCZsepIhyLjbQXv3Y_IWj}Q2VJVA) zJAhixz<`>ehIEMAX4aCfu5jdu8uZXni2oL+3A7M>SXdZ^bS-`e72OHmAGB#1NYe9& zpSvZT#b6rcvgSd%+|>%dLx^^(DVsNMCX_!`_09;lJ$M~r-k^L45%Pk218mQ0IOv6~ zzHGrUK{IA=Z|~b+0b|P1kSfsF&)=km$Q=NeB!%j~<&_CDa@%#dOcKyR1WJjRrNN|D zekgc)86%^(0#n$J5BRQk#ew~s@0-=}>ndkz-R$H8gCG1S6u|OLPREg6U0B(+s0b;vT_4W0ALPCsPT;LLeCk<^PuqC(wqf8Jii`-p{aD@&mNsv^E z;?!$VdRdx@dqk`r0MjurGt0sj0prym6urLGQkGtT94=ciZ1W7GhDUIEZ`r%I3d95V z-mC_r_c!>b;AKcN@0BF-3f^GVzbuQn)ae(mFB5wY(cR(uAqW-rZfRNByrDugFPAno z1?Ei@hG2Z6()^gex((7Lj>qnk_WZ=wjI~CKQwnPy6W}<(9e}ZR6whXb_C@6fCZwp6X z9BI9S7URB0*oX9SbIs4rMqvx~i@RFrrSKd%azvShiKzk+HV3pH8pRIxmU{6j52}@p z_w}ia&jDw_I!J84)ne1=50YP<)Wwb#3Up}`sSF*0K8QS^M|L~3R1HYsDxFV`pMTJf zrjX$>4z7*)_Nf=BR5Q4fFa2O;nT-Zw5UEtjzp$H#Hc>CyaJ+#>&w@{%0fUsqQ zoQI->527$3@@8lIQF#>4R(5d)4l9O7 zubL+e_uzmKM-`NrrC!#R;+ukjdDQ^JHyRUmLm%lcTpW*ttF3tUvbH~!BpzKi(W%Q- zNc38pSj5V(on>H;rl5ON4CE>(0i5Dp{5Q71djl6$ZhhhZ%zx$>w%{wEV~y@_Dwfy} zqV{=v>MV9Cq^Sc6Ps_0P?Rq_gZZxOt2P2P$@q9VjI+ok6aGnLhZ*&|{lOkgErPzJ< zacp4n(FAgZirS)lVn9dOs%(pXI^4;(xF2vvBR;vpk`Exnid#RZyYg)(;8WbKQ3)E| zeuKe^>7tgK`e?R6yR|zykQe6ww5I?N7Oo zoS`MK6J^PF>xSwKZdQc|<*|ph+!TZ&EZ321eT+$VP(8iHJtoE=RyGH1Vtkv$zLJ^( z%iKFMq7{|4jnk=Pbk!ET2ITrJC)G5_ZOesxsL)Ob3%A_8`ViX&1vzerLXZ>6znAz! z>@oj8Gnungtw#koMMareS;P5gqI}=OXQi*j0FT{{%217mJl(k4AmS?z$Mg8@+Hl|E zOixt>@|}8=c}H^=R2DGms;$X=ub)npsOY%<3@SQaNmO;OgM91_g}p(n1PS!#Msj<5 zenU++2{*3LWi_<}Z1)y_vi=t@0PeLwq?#Jr-Ue{lT3n;{h}=Wekbtd?}UY_MG0w8q6Orj@0$I;`d90d%*aiuyb>^zi*v z(xZ*ozs}5TqLoD_v9=v|tA0aFT}*W|gg`ap)y>Oy{ndpugJx2^2bMn)5qNX-Ri)a; zK}F>i^mpBtj`SILTe}1h?gsIJv{FFmgAzebIJj^?4>U-B!ggt8(NFwD-d?5X2R1Yk zI%~S}x+0o(F8^e$2WxU`vvu4r%C9^qx(9PJ`9EcQGPvkidPvv^ZefYrM^#3V*!V3q-i#H;IA*2%xMWDIO^7Z!a-!ECRW8tH~ZEMPI7}94>HqDrtJ1=x~ zv*yEK2M_f|#%UQIZ=nMs(=WBzV^F37DJxp&Cfdbx@l&CTJP>5L+cFa@QK0#@J z{P7bgp5Ka`X=p%>Ko=s(6Y!pJd2|D2T+`S8>8~eG$^awwNc_e1^2_nKvayfwA)b!4 zB+Y=$&COa&i&f}n=QC;L2VAe>R%ZixK!2-B-An8suE4->U5EV^hK~DvSp_$T?`f$GPI&tf=|FGn_bKXy$T-0A2NiHI4FcI^0U1$QVPBU8pP2__3qGU=_k^d3Z zDK|Rvg^Aocy3Yug?@^`C&cox5kLl^{C1DI*d!*yPLA;Sbcz}VYPfaH}yF{%!p&(GQ zLBCJD4t9y!e*EQQ@80OEbV>e2bb95P=6%}7UT=J=F?}zyT?8rW`m6r_epq(su$S)R zczTIV{jxIeva+riZ$8wLeh~8!x7_=_KgRV}iy8EH8`B)nh?&#B;hw+;JB!5VnD{_{*{B zE>uCpbB)kP5DYv7$T5QGig;2}YpGQaCK_=heuf=bH8bHV3 zesXZC`BBBAo=i7xIs!UJ5>cCo;Y21z;TMBQI%kfEP0%lDT3Og*5iZ$}9rFgCg~21| zaJF|teY@v$DaV4i9Ma%$fU~sxl5NL1d~s95LTu4J*ZG-@%s6Y?-ad3#{Z!arN87N# zQbVw{qu)KyfyymF0Qh9j`?)6c0AfB2CuxI+T1L7B96?EdPq}0^(Jl<(l$c|X>nOWC zBpZ`1Rf06R4fCq7^HO#}63iG#_TU78H!v2W`4r01Q5vhL4cUie@B{k7Q=z4&p&>Q^ z*y=b+atNRd@b|v~Nk%FAVbvgv9B5YZ2AZ0h{)5%%fOBuaf9r~N+VOD#8Cjj2u>4}tos#oZh&KI z?F_5Z*Mrqx?&%3{tU}vF`38D=J=_hFZL_+Z+n&odHwX(+P$fck#!5727&1W8Yj;_p z`8!8L8OM^4h6%u%mMk+?5F%@mTsnnx1dDD@vLRK1$%S8V6?kKEE>H(O0hOuVs*Y0u z?wWKZW9CI=AsY`W=$LxV2OrAQC-25S3E0TZdiw8KM#|&5VY~f>jxGWSh|Iqr4B0&K zaHH*XZXV;|AtKbGwihn&=9gg11AV}lD7_!iiiM!tE z-qw9=Y(HTp49XfAi18SC!*AOD1Vc2ygi50BMRjX?Z$7f~!`R1-+A9+4u*I&zJV?lB zIOS_$&y_D7EqIc=qTe#hfA(DpH4K*#j9jPuH75%E3E{KDtDeaFT^qp+nO+B zeSGx@6x>;R_I1w38NO~L~%5P0?k-K#(#py%8Q?y#VKOER})#$JOq~l%jF`PJ) z7Qx)a8fNZbTd8fjM-53>uoF2(-7M)|Qu|x&4Xdj%8C%VS4(fPi@-5q5pKwYzPfB?( zg8<10k*S7t2T0L*g@z?v-Nc(&f(b=TOqy}|IF^tY9)p{v+=464K?801&8WhMhK5jj zIB0QRhkc9m*uW%2d>e2f#q}FoAvaXPHWsI1i_QhDr$2 zJzz?Ag~XsXbQ`2*oNVIBi@g(L?+6gHs}fKXAC}AtxNlK(aB5PZ={B4Ug<+~L_Ol=f zdf*=$fOqZWEn3_ZmnV(p!K6W3taz5hgx2 z8Lxu}4&28!Y?)wB7_Kn4i_cMj&FUtsH~lP^ zm-mz^p7^BC{VMk86nr?}G6dT5pIbbs(s!5C%h{~3q=E)uGy&X(`|x7v)zsfrRQ~kx zQVdGNSA+3G_L3y;1(<#CA{2n0drvX$L5_lkjL$s>NfVPD`cN)I4NI|`*1x}D_i3ZU>QeTNQ?&8IM7 z3GVmL_jc-JM;&X2XOlQ)16r2f(DQ!va#`wq)mm7CD!&=CGsx@}CjMVskw$SQl}((; zqP2hV{Id)kKZTHu==0Hl@pW;2!T@CB_2I^3-EiD@l)`dt3S;V`YMP;(JSW$U3U`M#k!+1Zp&ajM+Q zgD%T%aPY!cN5)PhYG(G}FfaAt&d8n77K8A9)X$|24P+P(nH+?1 z1-D^-CixR(DlwjuMnn5qBg8|E{M*OKU^H-Q*lu-zZgi#dpajY9b=r>{1}LLo^35+u z7I5eKFHRJNLnE~uYZUj!qdU-O^Ea5zZDI^~1G1Ot@%z)5)9Y;Ti<>1T}7ALPidO>U1?zQyOhrB$uI1Ba~m$ zTWupFF4z_a5ER^5P6i`IO(T4!LS|ZA#=2ew;)fn^4CP_#D-&4&I?^ctJ26qoL|j4myx*&i*b|=f@o@B zOiaviG?^|_t6jG3+4BK%^oCRV`UfyN2kd$v0uSi~1vI4)-I??*0F?q6-U7tsqiOQ& zK+6cX2{-0IV4%c9c*uwg_X&1yuMqL|uj}8Q$ns|sr|xgMB0 zQNla@7_!D?dlQs6+M+y=PFu6aI`RVHqVNt3ECu3z46+GTl6J1uLy4vC&2yELAf#cI zyaQ7T-`F>B+Ssc~$>62iDq#hvBC0&h=&=|Rp&`=o;@w0s3!(0AgOWT)?d3}*C`M*lA8&UI?*)#5TtC7SLMAC0a4?Z5-+`l#tT`_y zw*mW=6I%-`yPFp;;sx^2=`&}D&3ow6^SAQzFq{7m_TRPWRJ6%9BeXmu^0z34(84zW zBW-S!4NBI&ra^7o+rekNGBX3`f$W8uT&}3*yuqRo zaJqKWp7S{Uy3W+=IlA0dkz|okW*j%~IqNRTPQQcaGKT4p!9S$I;OU7g$)u^(!UBza z$L1PNO2L4DTmKrB1Uxq?_u}Iu1YoYkT`30fMUWZRWz+n|rtm*qhN1#Vy$Kwg{8gz4 zcc4u1Up3%X7Pq(PuY{!_n704PHZ=Nz+xDYVLvDd?+cP|DFYEM!gLO|%HjAw+LJM>s zQVBb{Lk)w>Pp}<4xGu8h%O{2!)IdNsLU%u1V)GNDQLE*q<}8Mh&7khT_-oLRJ}zRW`? z_#vHj5u4JJ@0xR&3r*&l3H|!@v19vH=uyf2(2B8RyjS=n7S|c$&Cd1>;)yoo5C2hz zDlDdd7X{o8FEuj=sUjTO3Cn>E5FcS6Cbb6oR!B?lST}7n%3x>84NIw@#Rc!$eF4P%94)83ag`6r)UI&M~|Sk*mqPi!FHU#n>|7MadXqdMfEh)Ww-5#FF(Et z=l-=6Eh8F-%D+G<<&|ihZu*sua?S;Y4qsCQ-I(M^Hl$g~GEsnD2^GK9yv4&qMner7o zVa^*;C_C7(exA?d`nI5fH+&}8|0!S&!9PktHN&AX0OhoOM?j)h7z%UmprG}qP~byN zi*3~7xlm)E;@x&K3pY|GR2k+n5WAhV&1MGxC@^~IN_vZFJR$gqHBdehH!LSdlinK% z0_Kqv8SBW12*f0w%*5>MU9J#ZkeP0{s5ZsJPefMGO{MV9zdOj0EhLIV}Kxflv37@W!VugD6 z9zOm!t39v=adL95aYZ_;gNisToZV)XHyH3wu&__@J$|sTeqbN$Am8DXwieiLWa8f^ zES%HMhxvEzl99B22qn<45cdvXS_!5Sh%YbbInYQJ$2d+%<}#%94MrL^aMmFGmF^Jv zAJ?^N3oC2&v)}GMaChg)>`?=U{)mzLZ@qVbIO+8ZM5Vfaftb+Ghiziv!b#?79Og$(L4{;=uY2Q)hFFn1HW zHsvKC9*97=75%{oG!Gg>q@AO}M^Xx_=e6=}BBwnf}p)g&a4(f9#?!Mg~TDe+t(aU1)YAYaGA6w1<^LaXs6ug`mfXl~ zh@e;svR}ahV!?}QtN9@SU`+@Tf;9w2lV04K;@RrOlF9+x8V+9G&BR?XJga*3@%uN3 zy0@_fc8lG<73Bn7#XCH_8t+pLN_upaI&PCfY~~ij)QiBLs&Ni58o(D(ahQJNMotcn zcgvtN_lb*#!RxqX`}VWA49w!`2KY#uIF5NSOSF~gXVTbb$n|I_tU=2f$W!$=FVcMr zg9|7t4^$P1VOfDrU`LV3wlFclq9wHX3^IeB88%^K%S%1lf+AP{bbM z1JP3jvJ!(0bx>nLQYJ{EXDZy){vY`$974ghft5w)3ODib?buNZ5RMv-ST*4aY=<|L zvD3@`c!RkqhAz5;$RYhk1nmG_8^T>16>f;peArEqm?8*b=TDdnM8xJW`lk*(oUqz+ zkCCd2j2p#`Lt6$r`dRmmlXGH&bFu+b>Dk#MWvq|$@!h}?$+-^sf_s)rL)F5XRz1(2 zo0D@zFeJV{5Z?|L81+hnXUAe(zan}>iMPl!2;FWV<&ecu7J;HB%47T2fiKE6p>2)* zGhTKXCd2na@}9Sg=yXc9W_|6hzb7_srktgsf&C*4$QSfE7#joSMCHl(c4gBL#0dXR z7lWg_WN2Dxigug#cijGf>Y*QGlw2_XLx?-=7OsB|3ulpTF;qaeaeI%2RH4nUtyH_y z0KH*nLria1_x^9`_f6J&&5_t@kpik%z!}6#ZMKxb&urvL8gzEH4Yu9TMH@DY#~S(tmu?Cfw5pR+w;Br6c z0@%a}v?O#^a-iTXh>5Swx%V$#07B$;DOy=&ke6GDsH&*+S#}(vPy)|nI_b%SG>2R| z3#+Fp#KN4<_E05jf%+M@t56Nwrag8aC(dUT+)>U@Q4_ISpNr{}!UF=LF=gskZf;qi z>Rhm+PMw?S>FY3tFcN8_!Zd5~XY^b9ArL%6C2|U~nli#o{saWA4XRvH>uHo~1=x_j;Q>V)HD9TE*i?&~4f@x2!;+WNXLKn2j-P zJef4?;0JN)$zf<$dhH8Xu?IEQl(2_RbawVd#0fkv$g^dW%IkGq*SN1p=Poa~b;WDk-q_L1 zan`|eVCb`SjD9}Vtjdl}$u=u~N#VLzX(T40-MfGP+q+1PiHec$!rOwTHcdLefYvvI{!%;yH#2w%`&nBvuMC4xq>=Wr4+@4b_+ z8TygCajB|nB;KW;>qMC@b_mbkGBH{C?gewEeL6Fz(Htff55^*hIL-BpInSjvt08n4>0E^IaB ztMR*gDijLksN~t7D3sz|Ti4@1^v-hN-|kzz|LGsFD+E4%@H2(ty4xj0;`@6X7YyCYDK41b&<9MN!^64Z9vK-KC4K#9&`$m7OVDmLQScB^ALjz%&W$&J zt~Y9Xl?c;)BC~1sZ%x{kRclI}fD1wRMWG=|wt${O`OI|;%1kALw`rD^PX^lerE3wy zA;<8Wv}a#HP@OL{NWGXJ4ilX{(un{NMy6q%B{!x0bog-MEh(o#?)j(z8 z@;L8RY8e~7fkH`AvdN=Og?*fxpARf5DuSCR2{hRy*mdXZs`bEfN>;$ zMro{w0t~F0ABQ0V6BFOH2N<`O3{wJ^sHheo#B`W~g0ysvEN?+y2N*3&|A2r4F?F$U zKX7A0KHLhmC=Lro2uEE5R++r16Wj&3!wr~cF&J7$zBAo?dA~)uetJ2E{F`RQ!>Yi9 zY5}Cw3z$m`q2p;5ITw&o?y#Or45E@r0_dl@`v(QZ;)yWt-@Suf?~06~V)E3)Cfqv5 zKmj&j6F+b7=Kw%oFzI7n_`L{h!BycBU5nU4-W(k+D>N*JFD!pAVHr?Cdz_GvIv^R| zr3rTA2K0Mh!UJh4K76PL>YoKm2d(7|vn^(hM3BLJC=Fu~?b0+8E6U0~A!}x!gDvq= zo*G1Y60wX>^TIwV=`(|0H3V?M;49zC{#rzH6lC0oHPVRTqz>cx1TYN8q$TYfj0Zk1 zaLTz4AC@OW_VGKI9LEz_8HEUMjEfb)M!L7ikDWHwo}&y6qiCQyd?NHM+KQ9Vx%UMD zTMZ#!HCHO^ zH!?EPy3HgDH-9)OZ@d;2RRemjKyu2!NA(OlksJ+J9yI^}WU$vjM}x0mmsWCg%!mDg zap%s1(ikS<$|PjUBmM2`+sy*Nh!DASeYP_&L}En)+hTB{j37m~=Gi8{GV4mhXeUEF zHHhiBzI%dNJWAWXiHT&A%28aa%E`Io<q89)Ut^U|t7GJ)cnK7>CY}pHJZqc>4?0ASN{~zfes4}=z#@l; zsd#_{7Y~md;K)>AAfg<)F%>XT{vis)Xy{DVUq1Z?KIaqK5#W^ib{-9OjX36s@C+5e zw`A0rpF<`9frB)Jg$gr?ryr(FCl_V3jdlJ?Q{3cs20`Kv39o65L^UKk1w;X5%t01F zJA#GKXRD#wa}Z0?P&8!1d+ot;vUQM_W_+HWjt&dKD~$q08BP=b0R-yb2hg9GoyI!p z>*Esv>n?dP2R=?2@dU#VBgt?VRTeN*vWRaGRMcQ$s4sMKkRCLBN5$h?w(s5@i!63X zP*4rk5jplKHb|g7q#TX$M{*ce9SL@XQ2rwrkg1G?BxlbF#$kKxn+D9PRctKLXPv;Bdi3JjkBio+i!Pp6Jzjj7ZO;is}+v~%CdM# zA^M?bPDW17uWm>MeX5QnM$IYDQQ}~~TBAV;>E9HgDgYegh5m3(WI~mVLXA&O*o;1b z*p&ojWf-P)f2;BOaj@5ZfBp3gH%HCzDe?{Znz+f0p#3rdq@@QHd|hC+8m^1+BH;_W z2%V8mxRfT8VgeWxv~f4zStRkvFe8{F^Ki&9yXhC;qH|JG@i3ATFvVdACpM0q5->;u zOh4G!U4xTn2OWUM`fr`6huXDq*HO&cPp8pn0*(u}3aA4ixp2=) z9n;x;NKV(&TT~(?H-`7)1e2>mA7k|ta2*nw3e|7g#kmnVD0w77&c@~y+-+J{Wr|cwfOb8u-LfkcTHhW&|%+%}qqtFy3$oeGQB6$K3AUSF>}*R%OgF@;tlTIM!7} zav%b+_-2!JfT&NBa@oC$tRd^gjiWGdjW1(#(A$V#NYeiA(NT|8&Ua+Oi#%+`B7u#x}y@A>*wnV z8BF(NGqTexw1rGU_fGZW% zUaL!R6Dw}@eK{sfPZuY|mNm{@6P+xRdHcyFiRHcvt*@0rZ{6O`Vst^}c>Hiv+Lu)S zd-h+|;;(AzF8yVdqfPhAFE3x6cYq^)``*2Y#8k4d44z;X4Mblco+Vp7g^R7W{$wxEOh!dp}Y?krx)%15tI4-21llU2s zo2^tS$; z_WY^I@{g4sId$6Rb@;phCyLqe=RmiqIy)DlH446sc3drR06&Pn!ypY$?Bgu&rP>w3 zG^-5n9H(($puc|Za>^z<3jZ?PH9VL?l0+ELJ29GMfr17g0J2aMPib z>7;!Im^L!{&Jc}WGP1IDsB1|o$0LZ;?253*lGQWMUAy({oXH!S)zS2x6Fk#zcYC$! zOvD5W#MuPezz9MLJRA?M{ri7Is8InV$3t?G*E1X_>%MgZd5aF!23SRsolvM6zk9H? zHP(afp+Fy_F40gZ?#J-Jz=wgJ#i}UGMrO%zk3X&L1V`+vX)uJlsxD=$O3%D?j zAs9!0$0EXf8xI!d3rwF4;DBSvuVYCqL_$?Ng(#G-BPu3agC=Hfbgj<{zNAIn&eV{4 z!|cA6!6io4#3e=4DTv4-<~@HRtE(0{J2}DY0jzrgp@Eb-0BkK|HmJ9ifz$xymC@2h zY}^W{~8hRKMHw+wIGL6c#=t#p3 z?=kizD~`IvfNp2H6m>_xV@Jy(n3<_VzXxcIxy)B8&)ydMh9L&eLrina9ZIc{$>)Ld z2A$kLQb`7Dh*g%teN)Fgkep+@YkVWEk=jvYebs10lXLh>Zp&py?qCPxCeWVGz?Tq4 z*B%eibMm|xHnC)UZp_9ZCmbmt+n$`Np(8F;ohlI`zwJ0lbCnkiF+1OSbBFw}fpSVm zgs?QH{S?azT`8n&wJTSi!>XPD2*Ab8eufakgzA9jD5t};1C|#gybvSc`|gfUfbYt1 zLs}tdeS6A=1N91aS#FRMsA0zNB$huG$#k>rPn#~;hKetart4~(0n`|MdUgjW0AT?Q zx=n}{negZ2Xn)_!s0#?Whm>LcItLarBLD*QU)2I~g9MI-T%OwQjK`YD12_JTVK`ta zP?AP-b^Jn->!yae2jMA~ABT;Y)#-85XCeeg1Zxlms?7gh@Ub%8=f7be;b}m590ahD zdj}U|EQA;7T09eQ1`px5fl0eKwkiapLC&1mD)_j+{RuVzxdf}X8-*60`V{sDXk}pd z0?LU)@WQv(6!W2mQw3Cq?1vn3DT+3Mx)av%1Z*pUaTt@x6H@k`xOECPj$h|HA;cwP z#tU;B+u7%ZphknJxAbR?AhaM zsqqe#D;<{fdpEhECg5`NQ@p-;)CPpq#*K+q%;1koHZR)bb-+p;1f!tZII}TkiLBdu z(q0A5{gwA_&jSMj;?PKSV;rwV>inz2G}%f5BE_}zmbjTwc^u+4+jEY3@o~;?G4o|2>BJJJipKOGm!5Gx|#=%imx6q4}oT_rDqVcMv)Mkm32i^#k+V zAK>i659(^$#mKea$tcTzs$6O z)TVxo@R9}{{gt^lc6_}GgDmGn=E#(&bvA82(Bz2vqhwo_`f)|xDi>P3 zy0y6^monI^&GR40r}F?|}%P^vHz&=z9XWN2PDn=2@$a_%0dy@kG+bZu^tV?yn= ztgr=%RPkP#xe+g8-%hUCj+0aA7x4zRxdpG!PQ)9;4;~p=zI5LFLagNbg1A4HPMZjS z&BynyA1T+%I7|(fk!_i{WL6q*GHuO8>#2*LbIx|}^4fdFcLp=8*q`LRXcqC!r+&HwALjR%^tPZSF}e% zwvTO3u2AAd+H15|(oF+xgYxPVPaCAptEybI(3qb%{VHMQG*%!u)#~N2z{|tZMvWrc z#^PZwj?8DwC1p9c9JF6htQkI@kuI3jJak-gv5j42zV&idaCYGvlMi8Eh2%9p>DqR> zL?#GItXb1G>t=3iT)yJ&-(Yj3aw)+%jjC0UoYt=%%x$Sgp*(Bt>lg7)v&-sPYuory z*>d(!J`Xhs_&37eMgQ3YmcSZQ4 z{~ts@>gU+tpnR+PMweVSj@Xs5q;GR0krkEJ_N5;y4}Ti3-ejk{Som#uYU1)5qo3CT-Tq^WEg13!WO68XJdcVKw9slgSi!LqabaHHL>9{V3w1_#s)JULX#2v-6i|*D^ zUV`?wZ)SwCq-np-G&=8d`t2VLOC|U5j9ixYo4)j=JGTgO97?;yK0E3%64l=D_z!kO z_~O#UnyT6Ihr+`G3u@GL7aQ_T&IsJx6CJ)sp~KPPctc@ybil{fxWI5~h>r7snf;aa zHm)-6`ta!Y(msMo=aq2|cO*DydyYCfO%MGRKA9*e(XyIWkX)g_s;jVf;zm-++RT}D zy?B3XK6M|f8!OT$>#66QmX>v*mYlLiZCp5$cEy?3_41qAKi#Ijso~*-qZ|k`+pmkP}S@Sz&eO#H0&Gc1vx`?JtTPvm; z@Qx{{{^s$Fa#&MBW;#s1_H&!T$cG`vhMWTzX;Rh=d*@%(d>XfGa8XguER1?sJ^1Y; zQEJzv#rD@u(PQ)@Rd$|vzW!qlc#Ie?0JY&xpVIA^Mv8B)0r^;2lDUZJoIa` zvvg@uefEKWMg{KODuJ6JWY&_fIpb#Ix`vY;UE5K0xOP1d)oVLHr83VS*N_u_CwZ%{ zgUVYu=f#B*CVVXwjTWKCTk`)0AlwsO=jE1R$l^%koKw@)agvueQiUyCpbV>7SA$Ta zsAqrpz$3gThc5AwY=E!C@)uz{K4o}vK-lLGhcV+7NvFUg`7~53&N6GqQ(RnV5|RUB U2-Y$>_#s95oWj|p)0hAFZym3l)c^nh literal 0 HcmV?d00001 diff --git a/docsource/images/WinCert-basic-store-type-dialog.png b/docsource/images/WinCert-basic-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..ff825dada30a579578589b54620e028f8f4f5a1a GIT binary patch literal 52676 zcmb@u1yGjZ_cr(f(k%!G2!aZTbc+ZQii(H=A|)x^-J!IU2ndLjh=8liR)a~xea*nT$&J%8V`j+5k7e=C67X(hryp;I9TwT zU@{*C6zV$aiIlja*dkkN-Rp|%vDsb8mm;rEPUSk zVx;Gzr*CYm|0BleOXP=ptUo-}F0r;S`oCX2;c2&a_aNC3M*EHWc6RI@@3$CMYS4M# zVLfPPe$1vb@_Xv!mF4BD-8k>wzn35(g`cyy$jDm+H!qiz2#GWCzSowhlRZ2x@=Q)X zOE#xLzHq;Zhd1A9_7VC>(Vovc_%g=Lf4}~ioP0ksGwY+~3mgo5{2l3WI!5?8_RG!X zl6F$LOF(BQ=?_0k34RQpkiYCUkvx%tA7@?vo5(jSxuq_{i^3+T7z5zr#}))($j9FW zeIFwq|DlomH_meKzsHy8IYdS2Zr{F5%;vB%z&=)DmHcwwXo#f{SwznbQZh0xev^R* ztdTmk?=d&Gw$k&|<>fEG_wq_oWaT#Kq_th@P7*&k8$6Ku8DTu9M|nf6oQgH&_@!W~ zk_1i!#hs4{ZwLyX?xe-;yuf96p(OwAYmfx_e582R`Gs2rOl$87J$)!LLb~F&iVE7= z+SikGOAvQ}f7opYh=ghw<`u#zbGm)9F%LB$R5lhXK zhj>!)0rk`4lvXoQENinw97@qteKZ)-4!#C5(o|F;CD~0832%bL7(Y!-jL~Ui#W6%G z(Rn=4zDsmrOG@7{ih)|XTf!e7(@&3Cddt!_|ItZy2LtcXq64c5A9|}GPp--A?bC|A zihV0yeBGe0Gk!I#<2^s}nF)fwhvr7^g@69!6-v2UTbew$qUhfGrIm_5g*oW$MTPDy z#&17#O-%_TB_&xRpQ5_4T3uXjZV-NaML&%ahAHF@8d;CGhkK|j=sB_L7&DEjf<(H?&ZbDD-+Gr}>3st@DERy9e`B)&s zg9YRo?5I@m&DpG8tkXUXB$xfe#K`!qIW9GonSxCjrJ$g&rhBmec!2!6?6YUNTD9nW zCIgw`C+3z1uk0T&bY8pA-1wc6dr3X?sgIh?3HJU?fx`0Qo!qT@FPvdFTz!hB=sZUu z=Uo%b*K+p^`>4mBch)U`q;e&5CEw_p@NuYer9Sr>6>#o)t)z-3;9*O(BX*Uzx+-#7 zjxnsJ^Cb~BBThkU-Ku5Dz7WrH7n zjJYX%St79{m%Mr{Na~=9y<03-H+kd6&T~botE-1yF3CL(j@UwFD#;a!@A_hg zaqg4&Yz)TN^(5pZnrwXDG@jq>9_@=>jmye?yQlEt_8ra+db3QBiBKOOqipcWsHpF2B+xT5I*T~Dxafit3Tx-FK7M-h6E((LvstFSo+3T|2r^p{s#(Zf@GM*K_tt5f8kb*n^|29AijdzH#119YG#Z-!eqG;TUzHgbqtknZd!Z3D>$Ys{Us6n zsg5VQRrWe>_Na{V%k1~x)Q_s|FM|8JQLxQ3srVL>`le}w*+234t$FaLr)Ng&f?`Gaxr$w+vt3=lf^`$*;wyk#i z`!yN6+whXSh5mHivLmuB-MHgZtL7Mq+ww(O$+t#q_oYJJv$TxNJ}gu{-!l$RdWOdv zSY|g44tUFFo=brLr+vtZ&ADEaFD#-b{X$8H303oFgn)ytC^xS-ZI<-D^21U*y<2#& zIRnd~rQ3h-Sbj&?amYzYg+`6MpR1(ieSl6#5Y~vP=P&f?>h-A1m>~N%v9sYmE+p_`R z<+_A>nSZ~<+F+6P$W#{^ zD&b5BW4&WFPp6YOw}`*FZtBTMHzq2^=;-il=+)QLH951I4G4KnB7JMJ7$OWn)BR3#WU4lud$c&z)#KQ-dJUvpB%-ixN^&@wY;;6J&|JqlR%%^ z@TnOi{6uS(2TSi*R*#M|?G5YaV$hZZe_{w9If-#av;K}`VOP3-V$NXAi$A?&oV7C% zc9o{i!%_{ErV#5*QWE>cFE^Q6=tzbfmW)C%T{=p((89J|?w6pkj=W-gdVJ>O%I82# zkrRK3l2~o^kcXVQ5Njhd2HnBJrLxmQGOeFlD*i+L3}ul{%~FWtStYafieb9KkBS0x zmm=@!z>D(_gRez!FT~9@x9SoS<$rQ-rA(AKFH_iC;9;N~4~4XTXS!1fm65G}wOvVn zkw#*3`zm%-XpP0BG&-tmcdK?PFOHO};QrV9rgX-{f~2JU*^O4B- zH5CW^JQoEj*rNJxa?Cory!TBAKV8P1nli;qDB>t_zjejp*@$-(1yOBHPu%pBPKv`v zQi>O^UXrSj8}U|TZQ*hnDnQ^kHi>u zYZ4rH>bEw{6^@$2zdZ}6cj25l8!ksF`bxhhR+EY^dpC9DVx_M|FmY-rQlWZJaLEzC z)kTi8U&{yUE9W@X0pMxR;&@3o=9`cSdz*H9R{lStdYD z?aj;SEO}>tRQodh{HZ|5YGsgFM(E0_WY)lSRvywxkE?it`bCf*4jAcV}{sM@+ifn^Fa)8(1YFyp75c9K< z&e2`+=5Vy%f52z4d?{FUD%4-fwRBZ*NLcv+E5B!0I|)w=gNDXs|LO3u`ia)dDUI`h zDM(jd(>D0@3Rl{OWWAu%X8^#cMI%3PFBl0MVgh7fA;L@+OLUFIh$Ue_xxaeiz7a` zxojSLbM5b}Vb8>sbFUF4ldi+4Q*JF=W=F@nHMPS(#TTnZO;_g~bzYdzo*WUY>qCB=&Ym(-)0mmRz4X+2JpY_ZrC$&MPBmudBsOXCs8oXo&?TW z%+Ojc?x<cYoET?PS;iD{I2CSZ3+l;|!;e;N(bBpuzC-bRb7k-{Sa-?3^auNWE1z%H z6b`mhJU=Q%h;>ts>svdp^sRN_IDL(5{H_~Lzld{-pkO6&XQW7J#CzsqgL8~!4@v9p zoWPHzzmw=WIaGmY$@C&g5?Ox|3(~CBJ$+IFG-M9aB8;UT-keztGl}NAfx3@fG!P=r z$M@-5tcQ%qnYAYPePiLBV%q^r)80mmHo@nOhenmtqqT(Q9cxn~?L_;}l~5=(YU3*VdYs51G{l@N~SdW3STE+2X zkKt$vk1HhQ#KA;?q0KfED&Z=cAlcxlIdd;Cr_DMV$*FZcVlv*Vrq|e~#nRY)gErn5 zM5vQ5MAbdk$6*#U5h_!yts5c#T%>PlRqPWUOBnQ4{$^v!Y{R)2*KsKwm1rIf?7+yr zOR-gLZ~k$TP&EN*k`>FHbf*$@RCIJJ*SgQd;ldEjh|QNMg`f`lYfWu824;@lWo)*E z?6Ca4b7JDEy=L~*U$#Er?B(XlMxfD-?>9Xc!RRk-T6zW{?l**|=8Mr^s%AbInx+Cn z|68ED|LdirZllmHZ8tUSlGgRezLV3zsIX@r_Q$^@zd6vyAr5}nv?j7vH1nQEDn0}Q zwYxNlr~mn4WqIRIGd5=h_oeZZ!@7|PbZZj@cnKCS1tB&{O7rm}b9>U?AFc?IUG{>y zO5~mkO4ZJCu zU(3*{-Pxymn_ivVdTXQ`0x=g2Man$;F+pKi<{Qf^#%W_}R83A!PG=N7is~wjgt^|& z9c6cO?riCly5eLSVcUbB0s*ysidgtayC%&n1EZ8SkEF3%tb-F0t?|aY)$jRAOo8>~%8xbMg1g z&N5%3uAh&bQt6^?N#haEZQ(3R!|hIs#5(L3ivJUp6=E)wRg;#NA08DB zCd(UJ@~(6I`h(wX^WY8`(2A)bSo|w#2iw2%K0{*WH<&Zhtm`%Xj27Rf=L_gc0+J{x z83kNI6DQULup}}f06%pW!in@@kwfp%Y<=G|C9^kA(v#3!N6V8Irv^%Fcxjx5AGUO` zO0=htmpG0{=$raOA!8eIn=_S4sc7MGNLx+ZoT*_SQm%*QpRmu`RL^@*|I~=e58Re1 ztYlc9*k`$;H1*s%#J;>R>n^Q&CU`dB&~kh=X&ERM$tfdh3uD+bO*{Vf(I{&uz5DeE zPpC|}-$}_#7Cc~W`}T6NbyDVwekW3c6#4YEEY+=m>Z!#R2fJA zoD@dhp>{XP=??R==mBi2p7f#0ErO7bM?YX03 zYbJUw3+nstudK#NgzHGF>&%Je$(c zUud$l{3SIOIr@Snf`$EM;`dzIfWbf9E~~yLqQzX*oH-<$ESpeFVd)OSMJ@=m2@n&LPMz&1U7Htj?)WWP5n@-xrXJr9O#>5_PR?I zBX{igZrJ$UM~q>H7z$1*jc(P4Z8EHu=TdBcW?^e@K2(E`cnEGpk?Lv76D2D6I`6SeZo_(9= zn$Mvm&vhu0GL{#>+mT`LP8&?oPVYly376;s;Kn&ylcOEF5|EycUH3cNIqjuVn$>v& zKY+^`j~8k!&w>iVZ<*4vZAw)SgwC^LrTAi5o@B&5$y;XO%mUC+(DVz>=ko9}rlpyF z;6R*60U0yY=#~e+qz5%b?eN0nB{51I6|qPZY_1B6O%tv-XWK;skK?akwKR~52_^SW zv*M4jhEZufV~fNeTt>+~_K1MCupRl{gY!Lgf$=T}Mm+m9sJ`td5BictEVXI$PPms-_JNSj{|R~?W6lWO0ejUYBA#GdU&tp)W#|!v5D!i5BJRa z=ZX(+GJb37`K2e*9>a?btj0S<)-1c3_DXSi;I%rx-ZdQlrRTMubx^FWuPRz6r-T)B zP%IK!t6SFR*vfUL#38DZi)|39F1gznYk6S(U?pT77KBivTAIS9WybKn)4DkSJ+zEydS67(JMRLC{kvr=Shmg`VLRM6&V`;AAB#pNex9!CoVuT~ z3LluF$*lao9`^ZDV8yCV+=Cn?qZdj_Zs^bYO}@+jOzJUAR5H5Go%Z$B_>Vwr_v2%S zg1<{4+GJ%W%{WTq_$NvdOwNSH3M-ezKJeTMS+5QPwBBQ5X>zH9{)5srk%B!0P^~xc z(@wbI3fNPOlr!`XFiiq-r07O>DgNqZfG-{7e(b^9WYILy*twVVSf;hHAyG89vg`ff zgZZ+gVE6Nt$Hs=90&ybU?1`B6+4l$&x6jwz&s;M)7O*`Jm-xOIuG zr@Ec&E0I1>9Xx3td0Mt&jpE4Zvb&=Z|oq7{eRY|h!p)zpuoHTviYUFNxjkcl(~WBz~`*|52E7PHxmvX=`OclJJdci zI?X-j^9@=dFpyJg(3I_6c5`uS45t##rg_$(x71fp)4M=i3lV>FBz%S2=n=i`>NIAd zYVZ<%>rnYT?Wtc;ZJiubZPpRSXU8zbkX8)O-1^sdnm4aRXm9UU5sUa@TWu9ImQXrt zw-%TwZ;nv}xg{}|9i9N?dxPyJRw{9m)^j!Zd0BZ>wWhsJ*}$yBvj!?U?msF`%dP2hiLXw6 z4>uGRw$?YJb#>Bts^O|ApAERvj=Nw&_7m4vt+HQg?8be=W%$ehK;nA2R;8kGcgdor z9I(ewm}c$g_tp3clIt2`HYn<&>>ZV zYac(kv$M0ni0B?(n2*yff1Iq-_a5Ig_hNDmcz8a4(+>|C3ohS&7861Gy-g?3E$M0#k&cl_!&6C?M3rKDtCjd!uT z-p(GhHUA4^DF29U-&8ciEd;4b3H~O>J#iI#75IcWt{YSOK%>@2L9jd9g_nT3_hG8K z8~iw z_^*gVlN#A{??~Z*%nu$iNdo6zyknKCd9#6JBR2AO(qC9_q#kPjzH?SsPqIG91O(7l ztstkC%qFSS*P!0g8*<%sNzq(u7KlTQ&5Y!wy88^;wwlU(rl9n7F5 zh)~;1vy`PoHAUQ9iB$0^KY-K1{JtxCPv_>z2TO<y8zo(0h3n25q5u_4{ux}~A4Y$ZL6sK1arHU?AXMe!|{W4k;{YDIf z>9slj{lEAOBoJZ`G%wI7lzu304=Y$66b;^1u#1&d;Jr%W&V#GJz;m-HMe^kj@AMe% zFNKzwd$fuyiby38% zqF#j?=e~D0LTkS#dK&A>Y!HS8zGvqD{l*5gJ!6F{jKlp8cB#r-?h#Ygn_oXuq7%p> zcxNFkc(}Kxw{aa*MuEd%soiMOZ`N18?X?jbH~$b7Ga#u@y(`!{9tyAc`<~&`68GE1 z>&-!p^{@vIn%6ZpO{bMtp5hD?QAFn%3IV{%Eg0|+cL3Sucq;mzi1;)ACwEwIF%J)- zSe}`1{l8Hh|Ca^JsEP{L|7ez>k8+v+huHa6Tf6pu=$*&^pY+cE<u-Op5w6Sl*H-FMs{Hke*tcc1*_JZoK9F0aFe9Fz4Ku&>SQ6CZ^*F!E2jSByY3X$Ev{rDJI1fG?ZZsCPV zNp!-`#-Zh|>jnoYCH;ubnqAjn&nRU_ z$YP?R{9ut(@7}$`As}ejoUZRlm7}*^AG?Z8Oy~VH<>%{4Jw3glUwZhW$4fWJ$wlaj zS;-})=A$&5W*P(YwCjDbKXbCM)O>pwSb%nta9voKI^%VY`LDB-)KuNgsah&-ol6{V z%Dn69B--Qe)2xjYO4%Itz+uxYfT#J^Gk)b~vYZ4Jm zPfu5_aO8HsICD@hv&DsVG(>ajl2B3k&&jJBOIMfQGbXQ;6g@9z;XS+aQzy{yF%(jtH^L(FY?uES zH;dabdp~&bg5*&vzQ|iLpS5@ukG$T$N6*x(rn4@keg6FUQcp5= z2;F_W6#0N}-xy6t3UJNM%`Gi0YrJvENUmKA{_p|stB@7?$^M$8lha+OVZVL*#$~^% zyrx$hdFM5wpkQ%phzY!VX}nwzIuc$gDtb@4pU4`xNJyaj64Mg}NWC{7FPnx%KtISM zFL5s{?Tv{_;d!yMU4>@}qSvT{u~r7MB+KpBkm4p?f!W*F*SHN66H^<^CYnbNkByxj zvCg=)($dmsQ8!_5h^e_bZ=>EHMlKe*y1Lvt4LFdu9335}YTjW8n}H6^B5e2f5)4dw zFHBy!zO?9Dtcp~%R{Rwt`9X|BU&AZNa|zcQGU3Ine5j$J z5!}^l$fsQC%r7D$qGeyD zrz4Dm$x0UoAz|T}?fEvlV^_1W64EZw6E^*hFRxO!6I{1(n?kN-?36nFO;1JUlc(Fv zc;}9c+WAzi*T{i-jz%R34Glg@xxkQgAV)KlU9Bilt=N1d39T?PCq3&y$A$;vH)olr zPbp;Qf$`CqYYEd?{*yA(og_H}XEc)>DtdW+eO>2ZeH{8t)WKn&K%7vc6?IisFSUM{ zsap7yfJWe1LvwQ=8S`_0h&KTczyk0oIsBnZ#sAtpdw&Qmc}BfVTN5rDh}~M99ovyo zQL%tq-D13PqcKU+uOU+}X5{5n zFrBDSaXp%knpqz&pXrqoyAl!-0zF6)3&Vp$KpI5+8{UfAwblD0@SxSLtCkOZ_9heJP zJsOFo>z0pyXlTyP;ud0?yUV@ko*&!hbtbFaW=@ZG>Uw%!BD;sfP|&;wyB`Q9lxHz1 z3WxjqbCXek2RkNDl`mF-jE9SYpJPufc9XqxvNVK zA{&I++h8k?<>V;C!op^LN8XtkE44u!Wadwb%*^4|tPVu6e@+6YHL{K8BSFJxV`I}; zWH#CWwgJH+-hT3FihK_0w$z#A9HbXa)Jt`BHgA#{2(jp%{=valByiTEp4i&%-amQz z$F~I>6HXQ04yS6rF~L4(UCMI%HmL;8OL=)lB3hyA5JQ+C>0UyGMMtxEr=89q0H$D1 z$*l(*a>~=v!C~-R)O3i8+k8wYj%T(hm<&SO6$wS(^44%> zlVVJ4>_7%dUqg=z#70Jo%uGymEiH3ViG;ha#4gS@JnTZm(-rYhI*=_#7Jv2|1K{F# zo*?>W&GF=5Bd3>%!5aq;4;GyLru+l=%W}oW7d+JT%8J@rG}-0L1q?h)Opnyg!D7h3 zQY8HUE-uWqh6`^z1m}dMH7+K2aCnn2^7Fq!k-*vXkG#CX=;r435N3kdIqG^-FimRK zhIm5G&ojlI#T_aLH=?JTl4~2BmAjw7PP6Stfn&7$3kdNtvM~}ki06`$lYdtjJo|l7 znRVcDK}NcKV_E-$zkkKeFQ?Y_{n3vLRS6j`ZSU-GyB*uQZZ%St*enu31mlK{syJGR zRjzWqdwO;j_T>v6Bs7RTy62}yju&SK)2pjN2!>l;UKZZF6ZsU(2pb$*SeJy5kdPtl zG2QVNE<>*UnkoWtAg4Wi`}QUq8yl#C#pakV?v`kBL?r_uCcKt0Gd=z8NjQ@>oCwOZ z&}2|&e|4CPm$x1=pO(3K2>b@z>Jk__Eo!OVwbEfVwXm>oe^St5!dsm~dNBJQS z650cfDBZramnAUMU_D4IA0Tx96%lybLJ}tvc|cbU!0!1lcE|48P~MHs`1=_<`L0LS zaXdywMkr5%c&A4$&(+n{El>8%;$&7{ff;jIPCbZg4hjk?xR}V(#fHCtXJaGiU^Y}N z+p1}|{+Dt8Pvhp*+1ccA_l=Vx4&L4j4G#5?z-E-uzG;si4$0uMm^8NlGAS=Mn zft@bv8g{omEY$X#;Oy`FhlQ>7ga$;k%|jQbxU;jcwT+F{@}FBGM|0sqmQyJA<7H-V zKR=Tw3vO<1anPH=H+{iN7+6{Hpes{Yx8b||ZBtXzk6~eGJ`z21%{Ke1DhSk^o}Q)> zapb}xrVE;`_rpLTS$TWg8jvR@IADp>j(*l&#qr;ap#meay1F_N3JTw=y!t2<)CeJ9 zRI^Y590C&Eg7nZ|YPL37EdBB&DIn*cW-EVE@WDO8K7aNN3L<#>_HANrE|_+7babN2 z!Mc#cI;}T}a}{H7vRr~F>c#A8A7sTiE4{*CFJ3OL8n8;My}z#@yGSyHGqA9vHT|k| z-uo%=gPV~N9lA<0HW-#V#>cM#7QN@N-WMMZW8g4scHY}iyfX=?Prbx4Y2bLIz{m?u zfE0?7!_%EE1XMxD-`1v+2zOeDG58n};SGr_Q>~Z?GU~Bg8#We}4%igcUF)0hXtJC7 zWY=p+(NK@Yjg3&qR7&>-nV)|(jMzS|06q5aw^qsTkCMfqVghU)2JeC^ zymE3lABE5caO*Z14*tn6E|zw7F0(g^XlQ5wo zI|~d@zaig&DfeWl39hXSR=K&X4(DSZ9UVQEk?D=eb2~k>a^3BbW?^UdiHf2G1OlLk z2*o8J&;+&;78@G~HN~?pe7F!SB@GQ(6j`rGNJ{3JjS2w7uWSt&uBkzBR&1ifEPP>i zaTq>+{Tig#_IbHtF(ZhI8@=3NOumsJ@^>!E852OmYy*XJTU7JUH-E z=g1lGI_5%Z8)0G9#Z->Azo%zoeGN@bSUFY4tUsQ`y#Mu!2XJtnhFRaiPXEWQ*-2SI z#jyfrb@BIIUTA2908(VrtfGa@Mx7rBE4qo&E1qwxADlBY{tT7A%&6(SeCzP=um-R> z-~?%7W7dWC7%xDuNKp%!wb3M}(ih?u#eJ9kJ`NLx@YY=Oap9J?JXF-wI`CC6xbK~} z)F4np4$|rW`AWIi{Mzd3>J(@V0CM__e&|a=U8fBZ#1VpI20L?KnVre*#w2~Lpas^8 z(jXZq_~B=2b(P@Wy?b%nP$5`U9Wj0Q@PW%^-*j!3*PzooFc81JqoXJL%{?&q=W6HT zH!tHtU<}O6WE&b80p~^s7Qj0r;|_Q&5?f3stFA#g%f-V}2WUat$Osp;xxe4^4g-60 zf7GJBr3D8VhzG^yT6MZDgQ_Vo>a|?# zyf!p6lxVjyARJf$)6@mD#3d-`7aU9&LVNf9!K4R0syp964$6zV&Q2nz>>w$_aCOK~ z*hCH3^sb(eY^$1z`ge~9?MpQiQhq2w(FN67qQzttQeT6O-MsuH_N^xC>J zUUR}WuUUR%&CbqV8Y|7Wx8Db})&qtkT%3{wN0j=8s`Brm`~B2c=kDglJKJrX$!Tdg z78P5Mvg&c^c1KoDj{X$8%5DVw{1wh5Tjwz8=9idwJ^IU+I;hqlKlT^h<>Dfd4xxSL z<%IzNonHCBEQ9!oy!@}tZR0O8ws=11Dk>^3SR*6vMLpKi(Lq;JQ-gV#m4f+0jH~bN zCV~0E=eb2izNMviSy_P;{`7uqOdT4k2_T@LST~fDl`^y~EQk>-!@|Mw2Ut(W9 zm5~Vx562)T4s~8D&SN3R0|Toa9xfdbV7T<>&!4Hke^qCroV2wWBA)6MPGu`)K-5UJ zIiQJr>a)9RTT)UY^5-7IZF0P~`ucVK{jW~Wvt>0j=)i$#X=#6&DP;5mR`tuz-_f-( zNG(fS9y=YMZ;L|0#7$;qLC2wYRS7x1?sOX|J%)&32nh)(;@980b&Ev8uvtYc%~jSI z0X_Zw9dl|eU7V&PBu8>Pxp4V`|LfC~IzR_o{jW8XWTH3@fiR=D3-|Xw*UZ2R3w6~Y zBz-9f70L`$oK*bAu`}|_AsImKZIpaKAoMGE?CLZ~{(I>CbWOH=n+J$bqIK!`);Mcl^ zvs>Q4Etq&%tDDVSMDO zSF^p7ayi^JVEpEn+2g|4Yca2-+*WL5I;n@lV0?PFXoJVM(3J*yVyImXkiG4@L|w_e zz2mU2E56x)z0XGnZ%e4or>FOzRGi(9yXPQ*gNEYb=YQDtnH>@J0fz9|hZkmRRugGz zYCcYpr@d=^iCwk8Gc>eIa+Dr9N3mDQ2T}|3pZk{O_onjRe2h|4UD+q35tst7?jIN^ zsjN&j;kqM>K(G?$J>$4h>$MSnwl`%3&-HkDc(`m9o=H7?h=y`M+k0KP{}AT5Yw>64 ze%R|yroS%*rmIF1JkFhV*T-p)jFoG*qJ%I-NZf}cd02D2v$F%&cN9{Kgznx&5Vj#? zg}C2jFtM}PGhKZH8ps??L02KaH3Mz%-A&}yEzF(8F6jpkP)(uqp*D-1XecC=8uzol z)zh19q|}sBSEq%5f$&f13aO0OucJ7t4jBPh6D0C{ci(Ph1}gJs(Z=ScB~m}&;Na8* zUF9XArXJzLmPKYC?QEEzk2cl7>0#K+uN3z9CKcZgo5~d+Uxbvh)dAH6LzZlh=Emp} z*&KQRN$r**VF58%e9x>}4$EUGBXK)>+O$s0W#(iCT5a!DBb4v zwgg~))Pv-nzA~{=^$?^a6FWb=QDi>;0m9qt(P9Fe<%48;YaG<{2nMEKXJz2`R#a70mE%fQF$x99)T^+NAHluAIn1^)CrAMz z^d-3Z9?Yh`tqmWwPJ^Sza}`1umwr1HlDGl*L4L<-Z*QkN)j_Vxor&Fg0;HpcMhA6P z-LBeQN2_jwrLi^|QL{HDY~haVgdShz>WY~cY8!jAU+%}o#^S@A@bU5EnltpRAfK4f zx3#r-fv)mQR(3_*2FBh_%Bs0DJkMVfw=j< zxkE^8yRmw0D}y@Y8Zu0ucf85nYVj_E|75)^@%v$fvbo4dyIl?O|9AHb|J#J{-(62s z3-@jTJbCHTCB({vLpO%-~t(jP;8)_G{bps^(n~Jc61Pq z7F+nm#a%l;nY^g$?Ii=wZ>YkF7l{BU$Jt;(;JOokh=?Hh#3PvL8rjhw8P3{~5k!5; zE?Vo1yN3t_MD(ITQ5w#;z>i)5d#Q$ThGusMuwl9RKYn zwXEp9(ViYsWDH;g5w3S_R@43H7F7CN4(sYrG4`i(1W0|`ae49t7XaT&Rn-sRwuuH^ z@xdeZup5j&cOQQ~+=3(mjuzbA{bEfQ2n4{%ytLP@k&=)kI>aFb4LCd&5v@Nk1ohxM zkWJ0o^^sK6qxr>Fr=wE8^J@UaF3FRVJ2@5aA;ci_luuXOIM#66dzGnPdRezA=v`hO zxB8nm)ARF~yuA5MrUHnKqkX)2>lQv|j(%v_HIyevMu0(VWxP6s^f{m2+T>- z7Yw&Z$}HIJ*^?TOVhR^$3g=HF+804?%HCH8@2FT~K;E|8+|up;U*N=$Mel#8x@Y%y zxx+v$x?L>)^2H19nHe2LMHc#f4&;9A`Kz})H(J=)w2W>^^UBFlQ9Y(R{f_0F#;|Sv zh)G9xb{cqeVq(D-_I4T(D_>+TwyzWw6VuWzL243mTW}~ao5g2lZuTqd@}pqv?dAO# z7w2_;<}8-^=HESH*4HI@`Qd1}@5;;XeACSqM_Ic2i*F|d1ysa_1$_OgZoAaIudRq= z5~+ipBsaCUdipnR@UA4SCHMT}7EDb=Mv5(Zhh8DO{qmaKQa8n5cB44X){DOuyCgB6 ztno!fHGyL=TFnt<en8Klgl@89Q=HvC}cmNdZqrGu#6 z4QjZ^F6OzP9Z$zOO!PQqnvE8LiutdChmE-)s0KXbrA5k~D%G8zgoF?zS%F#D5;+X~%K8oO@RVn+*E=~Nyl%tIh* zX>T`ufds+bjqbM$*1)2SOaeI$&!36v@xBJq3^WJ>KBK3ToA!t_z_+E(BA&6p|KGS^*l}(Q%p<@ zp$Xy99#N*Kww`2ZVjKo7LuDtmjp%495V!CU^aJV?m&pJdC^g0_9H6C_Z&U@sw&~6z zm+#p7haHrZC_Zz%`2f<}Oo!lP1L!GeDA=fam`cGsG_HDqx?$`Q3Mn3B7BmzT{S6-H zJM^HQT$yy;2^Q!ZUx5$)@ns-ch@7nE=N1%rCnw*aU|02qIGb!Tn2lofnuhWk(R0~U zeo3WPW+-JzK-v{Onj>3l*z4fYN^c{#&8!w%HH^o(lD zKm9Jh8JQ)&;ox0I(8TU$c zb!&~bog>G}hSIK`Bh{Ii51Xm%;2*^3<=!ozl9G^+)IiinLz02p@h(!4!pWcyzE_o! zx&(DQ94^TC@}Q~BAbBVnavTJ35G#EUN2azc!+W#%9oY zYDEAWR}9O7XO!6h@#iUKD))SfiZXaZPe*6&v{8A$21E))jWwJC2+|)KM@L8hfFRHY zC&La?+3uDkRso=Hpz`Z&K#ES|htHrmBV)ZQ%0B4wIPd)f%A{I+EVLV_7y}8Rr2bTC&&U*zO0q51qRI$n17v5BGVpPkqXOn*L!dgaBHzNy zZBG!JEbDyBqvDYeA8#HI7?_VN2^cpv&s%rz4m-C)+{}e3v;k+v<~a{4?tq&Z^x?GS zcZs^R=>p{uR{c3vFaO>Z7vawBm7Hew=lggWkj?dhr9|rA{NZO1p{%T|rUBC|L}|L$ z8uI-Cvy?d4+up9LogPU{Pe`D*H2cZV#DvhXEB@CW#PH~4R$oAmjMM2>GdC5%fF9Tb zu;5`16HZ8<1Hx&)ta5b%pIHJ$0Q9ZIr;)6{z5W3rl8pi%EHxPnqc2M>>iq0v2iTm+ z%?Eprf~i56{-GA{1+5e|>tlDJ*fDxTaqXIHsr9@gG#8-OkIR})Z!eybK0-MhnB*i? zIPbASs9S`#6h5<&2&mmWB{uZMpr->RC$i;jry?)^$*xZkVlSPkJ${(kNC7O42O4o; zVjzZp2g@iaFXz?!O-?OfYG~v6Qz?rY35{=gz+Yc39RpmYRJI3C15phPA@lJm*lN1E zLQ~_NKS1!`1VH&R<>{5<{WTLa8<5(dFCjKdt#}(G(V5lN_OzGDcm<i$O%>D^$uoV5lepER4|m`&1B$Z!j{} zEeOQ&8NDwq7K9pH6#6|tAbAJ)S#1!~O$_)h!a$(hPq(DcCofJs26_sCiQYatn9K)i z0~iUAtcgQKk6Fl=p5=<_7=o0_rdohQNl95|yDS09jJadgtp|{TVj#f1DYw^y|LOp$ zcxyPh36Bdm*v#LxUf9ch>12?Jpb_ob;qfu_DAYqq=hmzBxmtvqJFlhdy{(N+GI;ta zp!fwy+W;cCoVMR042lU$XM6jlk|bGXX6DOeWZcxje8zo9-^4;^Tp)1Pz%3d;R|sHa z@^m7wz|!jByp6Q%f708?3BM`XL@1|n8GpaE!} z3fr~2GDr+30r9gL6eiGkQWVqWpT+Pr{t!cmtWuAwI=WrTKn9st>yes;p2ioMsgkR? zJPeDAlLZo4TwGkx`%cL|$tGYIbaeD}M_~aVlMDs$$W%Ukjf=|~M5k!#>DkJ*P(HFDDUYi|R~7ZD)l#_caQV8$ ztNN^vl-w$K*+!bjzr_sO39Eq@ORW>*g@Nxf>X6wy@|E}wFZUm68g4B;l>8nTxFfqE zKmlJTJ!$>@yKEZsc4KX8YaV=597Xv^w54SjGc5 zvn@TkjpIl^hd+7G^o?ryawR)FCt{gAmay{twn+S%$;r?g(&RT0CUA9aGfeaL>&^sE z)WzkMu!6M)tETBP~sTQ;3-CkXZJS@*A z#KK5Qx@9Atip+D2##uKQ`ODBV26<#pO@ENwMxGW>@P}+cN*a4x3Zjd@e+M}uGVKQa z|7ZR`?(K!?&@0Sl+rC@xWt=W?4tIU4t&8S7!b zeur|Q@fFks1X&@MeKv&cfPK~j+=d9@p5VFw`Vel7iqDWlPW0#|^!`o3jj9!I%w_?2!+i#R?Fj!dn{vmDXkCRQ-k~U!(~oCME_-1aIIL07+og zfC~CZM~4x}Z|JOS*M^h)-N_($ibK87weT0H}jZ}DwJeS%KT zT+EM3J$`6EESpPL37fZtl8du#+f{9wiJzx`H6*EkGypX9c6R1s`gJ9+*O@;$y3!z}-Z2)~1JPK4V4&Kv4sk`t=X(6?}P>dCQCDkaDe+ z!kyd3uO}7Rj3zk{6zvFp%5UD5t@)=Mx-88a4fNq22w;Rny|lb>zuchI)qUdY{~ldn?j% zcG1W%Wg9bdpxD~mU|cbYbPf)hjpxo{ih>T<_A3E#%5)q1g^UD36sNX%R2uPb-KUwB zP&L0<_(?18l{QZ=FNIqJe8YE7vf_Go{}pL#YkUEP@9g9oxOeANadiPTIVjo-ukNmGc9l4EU2j1)R2{JPwwQ2wSp{lnOh^IY?KdE zEiGYt$}E~ckh~!%B&332l?%tdx70tXLY}CLkR8)1EF;7EcdM-%r}y@@T73qu*C$HE z4sM}aMZci9=x}p2{hRZQ+T>%(?UI(}KAopy28Et_)Z!Dl2jWiMThA`@G1=Ot`x)zy zH@;4mHuu@%qE6lCJtj~8-X*wem#4M!J!!P*36*Z#fh%d>Ew^mGkN5gzh6506bv6&fq@`KEbEoH!~b z*45K$+obu;r;WYn3pfN*!utZX7}Z}L;6$ilYhVbAB9C*`emajCl^<2 z{=0;PgzZla3=RFloco5qDJv*+L1JQ?okzYclef0?6)4HXzBE+F!={SoISp9dk&wST_{x;%8yLBb|mFb0S( z&2&v2ks%k~mB(hAM*=n*>`jDJa>E$<8B!|J;bV`qFq1zD?G^fOU>Ss!qhL_X9xd4p z;3xni{2Q%IX;dxDuRFwS*1f1LLj!OAGez2c?U5r|V%eBU-(4l13` z)*}||aAy-ow)+rf{t}om;6iv#wy*j5P20CuK)6K#1D1ES9p;Yifuy`%OvX?6bXhZO zXsS_E$fdJ5cm>Xy?;mQQM8-vzFmB7Xw+th6zVE!Jw)7q;H2>S6lY`6y+uj*$irCKW zfHh#<=>k=Gj~(-~b53@4!V6Cq7nl6h{lCz~&^&(pSTF3uQpyY2N7N%ln^evRLg8RJ zJ7zG@=ee1uZIS9v6T@D)ZQIm;H6uIzbOdKCnTgFsRtn7Q2-ry>Cz<% zp;A?9By~!kxmHD!hl8}kjV}NDxv!USY)sUekVz9e|zx!vOXn=a2Qmy;4v zP^!??p`yiJu2GG(@g^e#>u6oZX&QRA*#H!Z zyO#nk(*Hr!L|0(lpGNRevO!99I?9_B?13{ilh@io9` z#i{1*V31I^YOKDVB#|(tYQVa7eZjMEm%$Ff6!{N-7diR;=H|Dlc{+M}JPP#QDn!`W z+oqv+ev&Q{ot-mS8%Ey#34hL%D)}z|PmdMPgarQ?NDfykSN}7UYzGbFxQPQC8c@F+ zX6@z!prx@mlPU-kGpmrS`Jl4A{1O~3WFvm?U^Vu&LLwrD>Ig}dJeS3_+L)|L;lcpaMra1Wy?&_J0C?o&~hr4~6G+{f#^TylDo#gT8kr8%uvd^Pr zrJxYpqu==nI+Ih1iU+>sVvf1~;SG4v_Ym9NDR3*kOqE|->x+T^%xm@i6i&rwQZ_a= z$=^tVtd*GZ)X#3nXUR56o?|Aa6wgUu9CI2wd>f9g@Tz#w(613o%_Xu3q;hXNjXz2P^&FW=PmCQ z5dlm%>yDgULiH(!i>SyX-!$*KyIW%F!b-bE{!q(XOvM? zT!-CwW&Y)4eyeV|aAzmTdDnJBWz)i*9H>{14d8WvTJ^DBW#8SqMenx!1 zt^f_4A0HVcU*f)y+k+Zq2?xjaU!st1paIY5A0@C{U$~JdUb}&dT zpuddGhk=+gE zdI!ExWvJ+;jKiOrq0xkdyBdZYDq<@|DOZm_H~7u<2)PWl`MkTnR8 z`+$|9MH2&syh~8f51&Ib$z&aT&En!aL_|ag@j*>PBkHm+V^-sxl_f?A4-bFBeb$p; z&w#P1-{Jyc(cFLWLcdle4cn63M$G%)K!f;msQ{qNq^=lG8qW&w*u*7>6@k`>Jo0E2 zvM+64wQ3bOmxKsyZS7koyF=4EJ5*Z@bM0pC^E6j3L9UINKF46ty&r81{HVf#yxNelBoh9i_b}NaJqvNko0~(pBAoot z2wGt%>}Z;Rp(VG1RN*+aXdtj$faSc33t@C{GZ6^`&vxh6*LWcqKG5?Rwzd}(+yd+k zoK7kD&?Nx*p^~oQ_zzF{bd`~(l(_q5n#1qp((frof7}WH5@42M+`L%^UE3)+xel~g z1h;T=bK4%1!@zb-5yJMy#zwMGQ6D>phOUQwVOYKTIoeBD94<^_)9M2pLV+JL0{402 zmM!PH9fX90&;hEy(F$S_zQ*q`Vf?{%_61q+Lj^>xLp ztgOWAMZ{lN+5=V65Xu_>N!oG5g3y*sTMNJstpix`1Gb-+F)?E$+s#$c2%+_IY`&-Xk+`awl?|m2jYpbw9M>xL8m5iz}mthj#I-!n5ZRMQgZI*u26-r6DRu#QeOcg3A(KOvb>wn57S??Xd(WeR z-f{luiI~{fuE8Grzk8NUE-VawmO7x!_>rN3!GORq+{m$fD@)7$$$gib2RBN_1=h`8 zTbd4?ncZRUuGP`6$3N07**sz~vpm`r-u~d2Q}`{uv}6rJzj0iq0cRchTTAD`GZ~A` zuAiQc^WF%t`s>&sQ=I^|>4lPb=U%_7)tnLs??k@H`u^esKHkRUTiVjyKWJhzEjT@T z97|iQvIc1O&qdb%-H;wCk>z9P3|S+gsD|uNL5}m!QF?4UCM^(eeS$VDQ=5kcDi1 z7r5QT+I0VHJ)&Zw&C4ah@fw15nGHL_2M^tG_T_Rbr0JfB=IiJ@w?Gq3SS!5Kw;DWM zznjw^!9P**;WrjN;VR*40Vrq;>c_VURFN=5hlHqtbl*Qbyc#c>g{Ez$+h1kqRT~XU1S_*2uM+V< z?*Z_RZ0zt1T6g4A!SqYK|3naj;=rjCYymoY;LtR*A&r18&?Ok+nWPXF9Y54N9I_3V z?Qr%uJ>lu58epbC19TFcDWwd(FNRult6-DLvHJoCq0+3sn3rH4 zK?rg1^7=ryNxcD$^LF#>0#pqUntgaaiT)WC4cjG#Xmpzk_m1(XzjC|tG4+fD{CL>J z3t${xjThI-vKe5Xr2s9i#n&Q8b^!O;S2{UIDOh1ERy=8;t0#}Psll|b9J2=3v5ONs zUW5nNv>kL+tm|D>_Dr8y?vy-N_VGl9c{xe1Ch11}!aN0trxomH`{* znV(CTs|hHMKHw-$ivTGH94J)OdXSUd)pa>!%6X*YuiT|M6JQ5&P&(f-5$OO)AAw6q z)gVn^hQ#^o={83sFAy^jbHjczie#GDF!);NKhAbpF_!AGtl#}Is=dsL3vW;f&jM)$ z4O4>9v2=BI76SCIB2wg9HxdJJ}+ofsddd82f?AxW2w=#2*ICnI)BI54?! zh1(T=H~@$Trf^M3jfC@~Lkwg9dwCZf&j-i0nQzY)*fXyv@1ePunx=dyMCpS2b=^>6 zlB+eo(pltzmv;R8DThU2X=`ir>B;^>rr#d}gbis*P>Ws*LgNZTMx17T+^78(CgJ!L zKY>btLP9md!(Fp|M(1Sd$gaPz^ZVYML&oPeyPb^~F35B02hLvqDxX2@1(jU(lXH6W zexQDj0|f##tq+`>vUS}`R>$80I8lJ8nH*&YT>z`VF|-m(133LYlwV*3mr>^{gN41& z{xCvygNBzBU9cw!=aX-v+c+;Pyo?FY18ex<$=z*j?vk&x@r{bwelv39IJX2XeN~Nl zr2Vn{BlBCPv8Lm93Z%}rvd6dzGnunZGbVxex(#<0)3dZ8XfHwTKZh*Gw%!n3S|gO5 z28H~8V4L2yS)@Q6MY>Ov3QzFrUtu-caAi5cb$MxGuo(^B2SPE3y;dMMAmd*O zcIf8Ly_X%kr{9~^b%syilo6SW7n_vK-=9)e1_$a3a~|`DB?nkyfedV65hN@6dUVG4 z=fCml>E4pyRkysnDh>|UPfbo9w9>>RanQ#PuR7uB-5Rm!4}0h8`oGY0jm|qcw6#JB z7205c8}y)M6S|6wj3<@j>B9pX`UiX5Ywad=0(W7*vQhzffzCZZu6g?Ag9B$jFd3%I z{`;e6iiQyN1O*1Ppp5OwV9YBn`i~L^YI4mQdZ4@HFLvlXM*;TPAz_n5@PduW@gHSf zqHPj?J*m%<9~uC4`9_PfwB)iwG>V;kW`=v@=USq!)YR9PI{mXIrLvP_oHB`q!B@=Y zOtk#IaMmI6slK<$lU;S{3H0r?&wR?S^n!`K*6>;QXm(bb{Wobk_}~2ge@B{z%16~kFMD74T9^|m8l?Jj?$f27pTgZ6S7v{Y+4F%J zSJjvC-0xjh{jR%3XPnph=WQ)K{*{O6gVJvgugckm^z#S!N1{Vkm18ysX6IdN48g+_ zY(rgxgW4^7mkm(lh-?6I7rTnV+~p<5zge|Lv*v8OQ4ZJ~qET(rTMtV}grU=EyWxyE z!P43~%S?EJ*lb%~Op+o9cy0T&1pR#@9HeFt6qs!Xp3bcn0+B&C#K;G~q+wh=AuGEH zPz5;FB0{-BLy}nWE+xgQ-iNH>Wl!flW0mE1HCL87F`P}ZsOujBj6oDf0#N!B7Rn7A z7y00^0Hp;;M6Swnh488&_t|CIy|2SNH26Uzv&1=LF; zv)z1rkMK(H7<|y-l!5#%!d5f<)2a3KHzy$9$*cp+x=yD%TDHhIIf;Y#RUA(!4SE~#J2;J{IsB?6jMr8Xo}+0;}{9!NZ@JUN}VW)JurE6!yuEcTndqmJBILaTrGacb-6X(RDy3b zJ64(=zd7IZu=Vfn0!x!gu0&=7FubsSriG z7wv%oP&TlL?vn!z0Gqa>F}u<#$;lZbS89_J_3bDg32dhnat)DaUU=T>g^aT(X5YGIf81vyr~z2;4}-IE^74iF3=sB!u_*+{Wp<1i z&&*}Xy(}CIFPHj!rf)({2QBpbYhQ`H8HoZlxa@HnNvu1M-gujtgU^LVRTR22vxd^r z(mKc>sHx)7RpasWdpuHlGcrD0i04HU z7q?1XbNnsWC2QUi3 z6t=fVfSeH0%ctzvvE-+rg-u0#ME=l;HpFL(linNi1hF2Goe=)-P%IXc2iZ$3CC#Gt zV|y$Hdwn5M(|nV3F_jw~13MpI4a?=RBuzSD8n;jPOK8hoLgzU3G^{kPj0l0RiH^dykQ7phPIChb0 zRt9twKEF;t86x8CpG^;s6Riy7G4KIaLec$7Go9Dq)051>Im{D}gM&YzNe6=1izk$5 zgwfRyW3X`*L={Be2e=i(13=34=#zE>o&%ZzUIH4N_bb24vfAH;%YPh{8v+sl0WRdD z{Lq;>qPIpsP&oE#qKyV>DvOqr%2Pca#AdnQUVwqXOs^kdPO}4Ebp#DD36_GodO!bM z26}cANfk&;5Yi zQ$@wi$9lP@ie$L&2k_j`M%96mkUaIY;g&@4UI)b=CEUJu8;Rp0j~F%-MZlDJ)i*Od zx7fZSf!b04HID+E+j7+z(-~}+L;y&jRX1SrkQ#!x zksz)PtKon8P%jtlmcavy=6fWEe11fyn=j>$E{J?Pv@Xe^LgX7oE5~6ohWn(X;q|vT z#l*J1sC|%>WPXc8uWcgWHtHAgb_xcqHMP!~oCV^D>jJ&Q=60{qC&3_CJ z>vnL)LQ`Uel#({*X>G837$afq8o%dke)AZ@PcW}Wfe<;|I)V|CW6JsuwsmIo(FuCH z$VvL`DGHFL$X`Z{E$RgltlEvG;a3f|!~;a=+- zH?nuFJ9^{@1+NWcVBATAkXecJH<-CM|yaAl1wy_)}eC^7u$Y0 zVXtl*)56eGrYq~wa$aa8`moH}2YdIjv*#c6cHkO_wt$@~6tfaWl?^*~Xz6J~pfzC# zPp9uHxnz|;%96509@nGud?3(BYrc^BkLFGZ^x(hLmJyfHKWwD8zyFJWM0d*ng=Vky z>vogyrtj}FevxT&qu9lI`(^DxR}FZY#Qt=Rd0a~Wg{0;GqO9+~X>cpcb#@vU^jZw5 zb6kzn04yw$AhLDc-6dU7r-htTrw;i&y&PqAUeqyw>#}WTrhS6e+mHyGQpl9Fe;%$9 ztMBmWyXa>p;4PDqJ~}4WYH69;tgGqk_-o!$rA8juG`vV#@VOOXZ@>aZ_L4Mui5uc=P2>G zT$yrg|NLG_c%dSY`$kA<#8scYHHDgYwjiYYbXwx9`*NbI``UuFejHPJf#y;575&eW z3`dPio6=i`<|u0(`-NVAG z)NKNmW>66rb!mK=$BGS3-uGxo?bh-})z_=L%=}oDHMM{GKF@xQ@=s+29V4Z>1$VMk zwtVlcp?asKx~=z(D=nL3Gfg+*U5=w=l~Y#E?Xf{2B0(MQZ%okI_V>>fDF5!7o;kFR z-qp!`$I`B+36(nr`XpD$88OSo@VY#`_v5TrOKB;at0MkFLSDGb+*N43`Z~o{`_6~9 znkST3m3Q6OuKnF^dHdzvL(fMjv%o5UShPyAr~3y6YH&=p$)k-W5p}Ke0rRkQ{P@@q zINqrr!SDL%WJfQR;47;OAFNUb*#G_r>6=fAEZ*40qPtwn@`6$z$Fgr%Su#uf@&{)&0vhU~52QU$V zbwKo~KYpFW#$eYBf>oCU(-6Vzdy@uwH!?CnL;LR1$Cao7gtx)q@&h_|Ltr|@^6CbE ztuF+j7DNm={kTAnTxGzjtH8)mh&3Mq@czaWE?CbD&>^5|eugrH)Hi?sH@BYVab`U_ zaZLRM_0p~ATP8331WG%-gr%s_NZ>}3=s}XJfWR{d$L_i zU2SidDQHle@-3u%%KQ=j;+h6t1<${ky2>!IKwx&{lm2HaTs=< zF)aE$e(VMb8?mquMwNmU6RDf$0*41#B%cELYKT-?S(%fc|1qFCDm1rp_@tILHod;G zth*2_hZ2s}Mj8jm9nq3npeGJ@91;bvc^qTYRZL9?08CFC{jUG$2P_uQ3y^*pNHm@d z5>5f}l5<1p0ax9coW@M4$9E;EU&aRV=vFn~lpVw)#SDuCi^%ndutt)(8saqy7N!L- zVVHb~O&rdiPRvd#F#ZBPvvUHY5$ zpMtVxy7y9-E4^RCBdMi~K9P4RR$iHTlJqHPWyz9*Ey)88CjwaxIQW-eS^SDC1p zc9+d6c&q&OD%kz)M5A45%|m3|q*x>_6*-r-Y_OLBN7*8x_~XYr@F*94{75)#j6w-o znSNMJn(4?#dOOvR%^6XpFH8b@_&^5L9^3V$w!h^1*qtlq2iaK;CtV9GM6M{$jrmSI z57KDp$O8|dcPxf)=r|E4D~D+({dy1m*`>mk7P{rgADJRzLWU)qXk*?g#T;mnFk9Z$1=S+de+)!H zP9)TX&VIPvRC3Gi|XmQ%}K$h`AgtKuyAczy$_$fzQg36hh#E z3z(UZ8%2y&m^M+gRziM9j0<@7FCPv`Y~O@z*dBabT>pnekpb7_X^3+|=ye{nnAl`q z6j}D&(|383r8VD7U~AUHRpoixsml0`Hh<533DDp^crGDqt^@BdVv=eLut*LU5wOZj z{Fii7EX?%-YHF-kHSWARSh^;TMYUt2mkwe7rL1-a5@Dvkx3pNZeDMa9)%@!ed ziod8NJo)auwuMWj#e4VGmW}FGUs4oqpGdvmX3!FMI*IYvQrljgnkw9B66)!tQ0wxp zs;X))4^PEh4;?c16p_MA7si?Gk_Q+z*mt+=FS*Iy#k+60vK=mxml~?aE!} zlqtM;FO56-Cg5032-A}q(0!8Bd&#-p95Yevpe>ou11 zM^&s+w6SYF;94!Os-UWHXjjw8i{7b4Y6`wz>`WQ-7xBuki{(rRq+h}9rv{J<*)?2>3{^DA+*3n%$IUlo@_1dSb#T8YVGjd;h({}Z_ zoU}Q2_}DUC@nVIIdTN~Nr)Z|m!L!_dT`|0O@6vUJIGrrU&54z3m6+`h2Jd>~)p(RQjU#WqL{)&--kY&d;`oV=ei_NY^JwB(^6M1jF+z=h9&XGzNd)-n*(8o>RKRjq^ z@pYFdjt)(1YR*v&$N2UvC@4~OpN_GlboRRbt3kiNJFU$Ndtv-J;iT_XS(o05>ioKg zGsCgb>f~FRNxIir|D0d9b@5W2V$o1*?cd-|3reU;oEY}7=_)J_c^PYP zEii(feZ4o6Q@Z8qs-|!IZCC-Ce*VUQK5cG#xCWrR!Vr6SU3$BV0{#dEp9s>6+zIh$ zvrRQ!-ofWn02UH2u#=P15$MT52_r#gJ&1V53Wx)@UAe-vun@cfI=w9xx_B(uc0Ns%QMYrV4JvBAU~onPN`HJ;CBm6zqHy+^4hC9mlUM> zfbBVO;310m7_fT*tL`!lmq#_cdTsd?oMs`P&&pr>6|(8XNvNFw)ss(*5>s1O_X6g@ z1vm!v;Zs0F3i`HEwDZpn?Ke8Vh&=?NFMwf%5O2vTDz31)SC|K4g!HJ^)}-E0@N)_Y zAps*nOn}&Qn{J>*broL4cVZ*cTH1T}?x`nU3^?XIM>;*QVk`2|fn|WMqrfZv5(qN7 z_i?zkp}iUBVe6}jX!z!jW)gOgHTlqjZxy_<8U>n26Y*yWvxeE|eKR!~ZUCchzMzXa zYZhKb;&a9*OO8}%C@v`x#8CliXU^!(Wildc(TWAxzl!J19WHgrDRiAnxS}PQ=S0;# z&-;P)aV9<`PQ}2wB~g!*A)J-aJvrA=Km$0LB#;7i|KhU$Oq@DC!&)To;mhMvcVH}* zQchZiWsnde=z(ZREC}KzphrUllXAGj`1=-TzP~N!ClSvA^#Ckrkzgs2KezRHnU$l1 z!#jvxv5-`-92+yOxgO`4ZHhXwZvDFUQ1&tK2HzVSp>QrpIS-8@f$st9>i?>bLr2XI zo(HpJA(R%}7g2XV$ zz`&QPzopY21h6H-o}h?39siXK5=gg1nlJE9Hbk-EL*Ou`e6TuOA>^vC{2gBCIiPP-AYnpbHlc-qQ#~6V6`= zLK6WLm6l|YB&VccOy~{>6B_;XL_pZE?cT1f+xo-{T|4uI3#WCcbj026hAPtp$QR?6 z&L>}{MPi;zTRVcei1i(@Jhjbw)&~znQDk{$eBM8s0 z7#R_;Bg3)_uJyf$gw<{4JYk7^^tMp;FVJx`|70p@Y6`|ee*$iTh+<&|lRI_l2ehhK zVtAzgLhvoDy|pfNfX81zcmu}xg?ex0bF_#D*1F$DTdr?nQUNSE!)5U(=8HZ|?$MSR z(&FhYk?*+fS7MN4$Oi?5(Bl{ARgpi1X+Z{{S3l@dorwOYmwK>nO{$ zLDSOPRjf@?j7#+FJCB*>KN`1@oX$NiExi@JC86g)#*uV|=br}*ko^L}!qM0qNM^!?AuUV~g+)bo!Jhg*dnR}Cs?-5vlq(JlqF~{!8eTsEDr<@zBE1>ZuSxw~r6+q4v^8Y$oaENK?S}#G84C zv2!m;DMuJWA$-8|SW??Cr69`50~+ixAYdDrneR(S?t8mxq`ziza+0v~n7rVsI@kPp zB`qz+00y%Uo%PHT5)uwmzac4DjT`X-K_cH9bG|pT6iK%G-|F_4c-;Jr)xapfzprf= zBR68rVgVTa?C-y1W|pX}@p+)nHD~VQP@Y?%tg_nu z{XJnB7egJ+sW;x;_eL$#^NE4C&NYX!t1IT=JHWh_S`&-w#Si}#WYyt(&bZ5}aq9K2 z&w63m5Ht;o;2zHYu`$jDIfhhQoPrW$)C`F%+E@hfNT8@A^ot5zKJuE4o8HG&8!(%* zZHi7-?hi1ysj$4q`{ePHCs%R@cw*2Z;TxC^1GuVy`(?uF3y~#^i`#H|5q8!`IXM!D zD56K2eUtq{ExFK!MvdKDin+gK3w&H{k!|9<=ovOk&4VY(f zMU^1>#CQ*Y&j(-iG}ctumM&rX__ZDK+PI&45f(bPHKf+yT=kn$oN7 zd!$F2UZ}rT%l&*qV4AJ>R8l;&BKkNV3`zwMoYHaXo!#9{PB|bfGP>YF#*>4cKmmkQc>F@= z;H8UgcWv9_3w)Hg9xN^oZ5k%btCIIab(lc=R#sZMD0cX(9J_>^Ba#K$ z+!d+dOqMn}8!|W_5tUd@_Huo5n5~{`p@FCV)frJ;mF?XN!AdqZhkxYhL{_bu)IA~z zM-!gFBK!qAlmyRg9n5(TfG(lS+J*iHhD^L`^cfctYykOrG{Q@8t_HTC0syF9InI|P zJZhSGB^uL2#l!|~9OxX3wjDRTl9p&z%O}RW#>i)>JgU6eBf}y+-~1?!r>r;A@=k8k zzS=ew##}v&n}QAF*!Zju^5G%d6A%%p@juMN?s=BzQ2 z7FVduxnH>>+1FauyxV@c)jz>R{rT{NsSMY~H|n3BASE9V{9(Py0C0Y&E}OZ#ojp=c zzNmH4Q9Z8vxbs^eE!`HJ9#M_PmwqWwssr`Q`4K_Q|4r{^cB*WS%CRyOY(7q#>|27^#{p;74UVH7) zi7LEZ=BLVtS8(LDu&ae9Y?jVGhfQM^C`{wqOLta0Hecf%^Hanm`_258PBSjNurn29 zTOO^9f|H#}cKD|!!o5R@=j$JxDgVTsd1~i{3yrVXVy&jn9Wc<*yBxeB$|71Y`6T9_ zeR4wgk0ylY1-9F0cT1Fh*jK@Frn1z8E+8yyTtOt3Ub|}{Ib_{pQ|gtqJa@~EhkGzd zuO5{jY;?GnXyRib*7;X5m$3u_qYexII@_DV*B0AlRHbkwLi)juzyCglE=A67f2OYo zeVpVwC1_mhNd zTbb+M#b4A54$&A+HvPtT#pt+hO%zQz>I2y>huU%!0OUd7y#{4+ul8@oWSrfF?(jI2 z33OV^$SHzTYa?U{Z&Oo?3ks+ZVaZsI(@VlZtR*BSDqL~>bNOWUkN)`GAzZpuV6aY_ zM$YY`&Dqg~;aF2m$Ar&^SiJ8+nL)yU09>rdhthp3zaCVOOXU4Fvao!DMtZGQ-{4>s zn2~C7~d`i+U!X%_S(v@u7?&sBtjs zwL85n4UQiQBIzOXLt=oj6BorX%|Ph|{Q2DF96P>dOm_&%U`ET=i7kqX9jalh_cN)# zQffBmqiZ70!yEPp215j2fN8;>*?jG&TDXVPX()0Cybt8DXAL_Q8VO6ACCAm`_zTdf zS)=y_;!nOAU|s|!Tfpv2&X+**kD8C6=-ASXK8l*VbR>mcTs#yQDQR)g_dvNXD15D+ zq6aTGaUwxiaVE|50vd}N1dd#Q>>l#6moWPgfD!s_CVO$1m?+42xF(67{$pL;nXH6b zW7w66=^dfXcuNe11(lWSFli85Aaw1nOS4>%?im4&ZZd#I0u)dsy73t>dX2fxVrWWn zCc`_}4{^+2KYCltbu{dvqTAq7M52P5yE`pu+R@(_0o5mlO{jV{L05wiLNwmQ6kuPS zNgkUbg|M(3$!_uaw1|rFbjj`op>(f@4_7>g=tCx^qPp4;Gz9zur2j={ma&zG zKl+;s(36)zxJ0Z^XrJK;q#{5jNh?DPYZ)0+h)Zf@9TtAu4f!Pu%T(WhaGU&h(&<+u^uAJCq9;8<&40=qkWN@|{p$3I2 zp4aNO$^7^pS`i9SkpNEaJtc%lTMAJN!SIfrpGpr^n#{WhpQCxM&OJIdM*W;X{kSO* zQIT#Kf_;4QlJfF36qHGXW9I|9eD6<|Uoj}Km?~Q|2juT#2=m7Rc?TSuMD3!%IomB@ z@91cahn_$Vy)_XvK(WaeB>*r63ycy%=mKHDTLli2W;N&;46&psL05Xo*jNq=nlg4! zvI<%`PzyAlF&4nIP>hC{1iIk-iC*ZUVnESQh%N{e*ZQ*lgG#4P{S~c-GjoV!6x6+p zZ|UEcr$%8thss`;Wvymm)9)L~f~r~&B#4;bXNYllT$eS2Yv3OgRF0KQ!MZ3*e}pTr zC1V(k6H>m`ldxsTrS95v(s!?T3uaLti`*xFty3W@71onisMAO=ZBY%8KJZ;EX@z&Yfl8t^X<#i;^gF% zQm!!rg-^QuPyTI)KrY*67$IiM3lksatd*GZpiy!|G-$QKpXVfGAk~TU3m#JZgapt5 z<9~n&;qYU%_^(YjGILyE!aHDb`%}ujOK7&Vk=p$}=V=XzmP1YvBv4$)Zo-I#$$z|_FJ=wa|D>smiPlT6*$WV8L)`0@asE!DznB6 zIO&m&j*fhEk~k0SG6-^_;KbaSTmNnicG=E|uGGciU^H;ZalJ`)C2V*0Gb6j8_5U&@ zhk1Y%QQ){IurHERd?;GkcD|oKf4L^O2#JI4eNK)GiL+$v&=`$&uFq9ZUp+&k_vHirpOgX5u0v&kjyseGRN!`4T?;lV!V0v|jl}_UQ!V*&u~TXA_Mg2g zomBXkiC+^d5@01NO(q670D$_y73vc%oYC|F$BGko;>HC4o^R-^y2&$kc>lGV<*R%t zOBIFR)6#ynR}US2rIbu9cY2I$P6#<8`fki9V1m}88Ug{mX#5xl)8XI?KG6qEN$KcR zNH8G;Ca4l*DujC)dG)$CYsrg7gDci^=vFi~cJ>Gg2t;BTCVkjSdYYM4j%G$ibmV$H zXbAkj+a~(?1AlwVoSaAx+)K-ZUjQ5%xHGrQ78`u1+V$)aAo z&fwP7FKR+tm-^Mt4Q{)Ws2!lj8@a*!4c>?1+Yq&_^TRVG*=&Bn{i#b^cj@p%TlMH3 zx#^YVYq?@ai29WeTxd(ZVs|UNu!{zK?v1fdQBhIn=IJ7n0}==QcZR6^NVjHMAN+Nn z;9yyeQ{y(f;El_R@1MwX6@?^a3~tV!KU-=&G;{M}YC4a*U(SV>N(+6CGyCFhgnK+Z zEpb9uS0!s<<}|m4>!VNpz5SGT(bn2qOh@*)unGu(EqDjORy@KSLMWj9c~br3P+sm4 z70o<<70pWpIV8&3x(lbgUPc-Qw$J1f6}#JZJYr<^4-fVTUrLFOk&aZkZ2HBzr)y}) z2PI^x2GR~-NYvyEAt(eQO!7Y9=mmY0xEjTD*JT%+ZXG!QY5grAk+6!{A6rH+C-zyI zd~6;#jf$D)tq-1x3-EKt_3qcHtQ$OgdSY@??xAynBkOXzj)WOHgyPo>H3R()lGj@@ z)RH#IqlMmYk*ThL>(jwKn8I(;$8HDweWR7X+HAWYj2ws+F7EqMzk(LR{?R6lqOiU znm(wrn3|a(8me5Vj%0W|e0V#8ffh|iG+qe2)-O2t^`dx|TVJF6nbWtD>>M|rE7h@S zb$r(b?mGZAOwg!0G%&cY&hy%)h}hg?_SHH!on4!s@EM((`>XpN8@)yUgzn2&L%}zX z*mw+wD>q5yHt0-K#!g{OAVxsoM%|i$kb^_*0T0keTs-{5q(Q=N#El>=AT`izLcaR> z4HClH04Tw)-!uEv4(BVv3q%;AZ2*x#NbvEi;K)QED1c;~AZtP|KOEEpc76|#ZA?1E z8fa|%%0?T-3M~|l)eL}ir-QK4UUbN5-X$Qgv8?~c1@t123+bahuer%v9HJDdN@B+2 z;`Za#*U|Gyl;bem=HqMlVf;Xer)JVI!qHSjybSp+r11EIk*&S`17m=9nsioUKEN3^ zBr*%acElB~pfEfN-RJ=zcGI??<&Dg#7fJRa4qPVqD@u$J>-_(TPNCsPVSzw?g_OEF z6Ud2O5)wPh`g_U}m*Gu7p9+7)ZIA$HZ7AYSGmp^=Q z%$I!#^Wy@zvu~k^j)9@HuFfBNBcZEb_8iV+{M(_Hm*>K^+BbE^V6SUKzgCNZ>$GVP^vhW;}h|7k#pcTr@R`I zQZ~rJ@udn+4-~)z30mS>p5-7S$j}jDUOl0c z&_d=8s3o4;#LOI91o#r=dROdiZxK91a^8UzVgz*haTF*!PUbs;pmHF^xn+kpTHTw=$;oNN*`9Dhz`pUW zY~I^0RbJx3A;H6XOZOt1qy#mtQ|uSVw0)Kw`ZK4^L0zGRIs$ze-n261I-YBAs#ZS= zX>pR4G8AygVL1Zq8u3cR9Ry!D^sl8&O~EAU2J$-yAW3>WrUYmwu1!zlyv`Ar{fJ8q zCkl~?K_eW)Su*1Kz!J#<2gTLu1ysH7op>fWf&|A1VR@9Gufw_qJ-vF}x|dj;q2l(8 zJUk?z=m<5V8~49j0HlB8&cdW+9ASy{#p1R$*4=;sk41D=VIdu4Ib=-mY0T|i@LCkN zrM)^zqi1I3jf4E~32zL1TaPn-$N^bQ&f4(LVA}P;`(uOY!p5*KKvbw6GD1zgk6W3T zPT)#V%^(B-dte6|WA~?vxR>By>X5Vp(Ov8yE$Q(D&f&;z}wi zkD$s$)`+x&!%?6C1$Zc-W`r9lwV4K96p5Pso6I9|d#>fp;LAZXcuzk1Q{bEDeeXSA z3(*P)3VxwC-yG;7z{!j!$piBi=uL#SJHC&&fA8L9BaM-V7u=j0AiElomnv0%Tr_|`WxZ~;@+97Z>d$WsamHroBmIIX zvgoFX@C83ZQ&U9@4>y0+Q-$X#GrfFuc(nh<^ZCV-Pr}vuJ=C98wRb(`r*-VbrDlEK>Nl^{qUjQ=U5hry8%j7gvXZS3# zV0;nQ&@g2xF1nu+nM=5f>G^*7ziLeHLGy}97X^rj z%0ZGDp)wI}rRm=2)v2i|L{UD($m@?NA)*$RlY8#67+Sj#qbbSEBI$3Dk-Gq70nNxO zZ4~V*Wx&TO24-Z85fe{i6bc}O*Q;@!H*ih_U=b8+Vq(JS_|4AASd;m2@xcJ;ND>u5 z#Qo%OlymXm+(=LrxaiT5AIH(#xnVy+k6QBOiyu@M%npN8T73**B%w>L+Ip#?cIvVtw&=5Tv{&TGyt?p0f8Hz=-7PDh@EQ&2%RXR_;#c9 z*zRFuX=N3KL#*JGJJoD~pvPpB242X5aLU)M!)6$w!O747;pMT=J$LS$6Hc6gRFR{uC$#zKHs5y^BL zuy-1>?1DAZR~?CdndW#v8E~p4IfsI)Br#KnpRNXQPFx`9F(D)%&NYI|qK#dfJw>d^ zKpzPpi%9-Zi&2a7`5OZ#et#kc@00+j`B{Ii~7n1`3fYbqG<*QfqYB>HsnY+i~=SDWXz3IJn zVrMPuG+%Sh#26qpY~@-VsdTdgm5{~E!Xkmprw#zU09*z))O*1h>@ajxZ37tWKg^!G zluDA_Fs+js_-p_ZwBHsHt;h|hLc%Wl(YgIqQ{1AWK{$hvI_U*SMEuK`1jp&`sewR0 z9USK9zWU=taL6;3waiYPzS(&dbC=Bi1n(`;1LwNU)arkIp@U-3{65zmIRajVgO)&hk!2#O$gBPAbm7 z|4dm~ z0E`JqFD=|A)5To zg8BPtVfzLT+@JG4F;kG>X3~BmLQ=)!$>hx&0Q&KAauOa+xO2l6>;<8(D$WMKJlF+b zKYM;Ci*_dG~ zC87HilJyS;jI^rQ`^mW?=!CDO2BQ;2b{+u4mBhmjKhN*htUyS?@O!k~E3~1JB4IPNVKNqW=YVM@|@kRGI+V$b;%YOK$%Z$Yd3?_T*qhv|S{38BEoE z9RGI*A<)>zKcbaR?HfanL1IPGrJqT^uI(`KvjDvq#!{I$b&}qLY7A>f6ae0J+Ydj4 zNc-smE&Csc@zejxn^_MI;E(M<8Xp#l^>CX6{#PjitiEGxAuxTReHhDaK1z?Qv`N;4`lKDY=jA||Ck;i|=$UaWOSBIvd zdtMRkv;P_|uhd1PS>Z5PE?^ZPOd)K<&_R+C$!RvA9R08tM;voTR@kniM_EugaG9ZZ z0w)Y^iVoWYl@zvme8ZM3+ec8TkOe~_(nsz9A{s>Y)gy!|kyF@Vg+%y!FNBRG*a?3r z&9o8by-nz~R(6mW5@eq1VTfvSA}I%W#Mg9B>>EN78on7h^*oc;gkyRAx)gU&sKrk zSWPsaK@NS_FA1AM+(KaHeh@M>&!qw66Ojk>RLSWUEt0WmNm$}wlJPk&pxK! zInDPz2gkuqUC2e$rz#$HVEJ%^>yt}nOBxFOczFs4%A36YfqWlHR zE){N-2AwLndy_yVMaB2aNOq=q4ouEIO#sx&L`D^U85sls%811jt;ahoT+)2YM^nQH zwY%L0;TB)%;|HWwR8;28p*9-KV-vS?Q;Vx#`Is^{=W45y4zR=(=Y=dx)Ttolz@PZo z`ul^patMCkrkFG-&C6!vqzIor6fp0IMOBgsKA+b`M5c_+QS3 zw1Y!~zDy-vE0eG(z#V{-M%Y)9_d@Me3HU!QZHS`ov1 z$;e0+T^F)Q_K%!BF*i3ya5_kZ~*RsRC&dlG-H4m`%`;sAy@0PG#nz zVf+a-Yw+%Zmv(s5}J&1_VT%0Ru^*0)s%4B%>q&X+$K0IE;W{7!?5{O6Uejt%77)cmoI` zISLY#oLkA6y`S^m?m4^j$2(`kUwe+ZvFYCzs&3u7Ri&NEtas_I&T_H+T~Mw9Es2!y z3~4exNG5LHvgPaaS4#qzsquw~Ee~0~g&W<1H+>7Y0iF;GgxtI)vZfT!;L#8)l0+$N zJLh?C`G|<6D?75`7=c`?Wsj^prud$e5QaB`$%Gq&PvfSbfed}v&ZqhM54(^(goYvr zQsM2r%7a;{@fgirDsJV%m z16m=|W6&r}nN16azzl=e>LBxM!JBe>Pa=)$o@!h8MbP2T!K?Fv*bRB=X zBsL$=nU!~@HpwwU!S7Y-HGmM=>J^EX>a=%Q%3FR0h@XlUos^`aCKw zNU1>4V)uPq5?qB_5l%qj&=mk{Y|4}cFh-2FUq9)AQ!AocD0S<@hx@xbFvR)~WXeHD zL&r!QAVh#?kveJq>9(NU9*B~vF8!G>bpGpvVfptf?sRk`^-V^cp_}+4_$V@U2*33~ zjqwYQH=c9l*BrLu~gym1Bl9jI4eVAx8e= z4l}X;F0?NDq%67kEjt)Q-te!pgQ|h4|0ovvKgQ;3)I?$mKUk&Ddpt<&jVURusK_ug z*S!5`B5Cu%QO+_k4fVt`3M;h-x~}ZI=E3vNu&t9}6Y?-B>RGLHLL>85_o%m=0@g>@l`Lqj{Hp2x=g#$yE1CU!+HSn;HQQiYWmadSU40vKquS&w zD$`Y9XiyvEs(o$!?&q)BK`?pbY{(Jz@5zoRx z;_HS}a5syJ0$`}m;`)y*-W-L(?Um2WrCb(Eeg3Tv;0{ReVw4wBFihhUP%<|HY0~K# z?kDeceobpD@B+h>21*PPvOj8SMj2fOHE1qCL}jtDhv)a2nKPW_mP1KFY(Cl*AOQ~t zh6)#pbLU1)=0t?E+lrsQ5$6D*_XI@;yxAH+5>SG{Z;ocY7oJkw@pL%&;TcdjE1*c? zBKmP8@CaEN85y~uG7;AY$mmTW=c!x?*F%^(h>;W7G%w-Kk_xlKXkG=_= zYlN-enV}u8i%OY+fYN__I`67)L?+PdC`2$WfM65_1qFf;A&-J(9z|~@WTj3(QVJGr z7sxY^Jj6byq(me5K#NB*%xXBJ3AJ-o&?u0ib|@oAPz- zz!9i6S(cB18xTT}cCskR_!-PS$*2+H8IA#F5TLzvS>-c@sQmnV3Yc|F?tUoaEs5k6 z>D&aG;~vWM0pCEME5_@lpxZ8)3j$~gma%#C0FXZzf1EACixb2J_iKSCp^)?@dUaO8 zbpWnHdA6IZ4D!&VXBCnd81zg8R&Xbr7$SZTJR})Jg6AcDQBi06ynaBMRi%(S42>b> zproV+m#lh8_7Ps@>XWN3V3W}bYy~oVfO?N?GDEs$j2>G{jh}O27a#USAClRa93O3b8yWl>*XDBF$d! z>0!u)v{+uQs3ll)0?A5*5Vq(6JL6^7ePy3gb=!ldB_{jBR-?=Y8$xac@LCVzFH$uO zi6^cX(GKB}$V^;IoDwaq^-wE*#xZPm8iY7c`pW#278S$oAgd!9M{llrdkOeua&$oC z=9J_T4iiPh=n5AL8g3@g1sl9Y%1snY&p@jL!t{X>C-ak+b+tg4bb*Z7M!Q8DkZUA% zz?7eR2#_4J3J}Mjsu-CSo4?BJiGGvc42-#87;H{9WH=B zN$Lkc>MS-C87)v_w}Em|3r4I4y2SxB79tUiV51mRJ;3^xzUo~Fb7nxXk)Ir7NCL*R z1G1si8c(tot<}#?fB6i4(s`^$g90~1Dhwx02n5BNLUnlx4`TkM^oNdeqGrMwCGC%Q zsr*K!Z~zx@c4hf-Kyu{}~th_Mq-Kw)jlI^e#Xadg5BIsW|isaLkG zJT8vV&7w-iZi)2twXxX)a}onIjXkQxT_qw?bafyBB1r@m7w%G}{AXab=D#ud_Hbh`9MFOZ99kqGqqDm}eH)@9~3G{}cRN8%#= z4Cyn0QAmYB?R1yKS){cMn%X_a_a-xaDWKGpQK|`44xz7BjLKRv00c?hOiZFcP>NWe zfO(jcV?dWgf(L{R1u)XTY5=rEsCR_cVgW(}3FpqPu4^zT2m`CaoseQj>gv*e&KM5N zFYPIOtQMt3Qtj9aj9McTQE?kk`#d7;VvMqyvhs3baB#pdAtJZLHM{O(9NV%eYwt2r zrGw5K=a;}iQm&?@Nx)V?>|29giO>eD4p_#+!-K&RuV-Wo0};zwSXmV!0)$u!-F(0d zH!d3sn~Pen?A;ldy0Ea2g-=gXWmp5OHZ&us*aZ2?X@O!r*lS!5p&dIo06-O{?$0@< zWv+e?Gx|O1LYQW(QXF4$EI=Hf$Z%)7ESw__L>x|msB!vlFpDcN`pl>Q>63$2NcJG; z{-qoBNwqCei+^U#Of6<$t5wlhZqx@hQsSF#5?cm41QMMS9~LzCe@!t(gR_SHAq`YW zwwSb4#g!y+IY=9_6!AKH2~bBAMiiwF<^0~HZ|Zp0w$jql5(%)eFr8%mywO$56mmyk zs7YZB0wo*lADJG_#T5ix50j5j_wL~3_zX>v5g81>37;8Jhta7>ed7JXo9{m=xS)zd z!;BSDIsUeJ-|kBoG8`#MwA2_^jU_aXOhDD`DbhI?NXWJv!_vDW|;tU)?$VqE>b9wL8k& zQ`YSC-{*hfhk^~G%g_0Q?CAMa-50r?yHM%7%~tC9T>jUue#i5~S&@^*WgY75AGuQT z_fwmg>ZUb!@7bdQhf@#n zg|KQfIeIj40j%Yr~v+{M{vV0BA7zxIKStVeXl%gf6E4~R~mr;wHz^^mTA6ZYYa zZ%zv>0}Ko!H&=S?mc#T4*FD9KVWXp$vRX&RDsJfE)&2YT=XU$-okD*UDT4-F9r=KO z0I#n_o5CJFGO{(6EAm>D2Wv!yBlDuwhY_OWTx&&OiscXHS*QZ~&#_M!6g^wLG1lF=| zUu?P6h!G-CGULZ(ZK8eJn9pcW?l9DP!dU|GN zOe8trTpQ-dN` zT3Y%O8pAeSki-wX2X3x@iczvXo)o7o4xrj|3T0Ld7%`C}M+~g3t<^L&LH4i`CgS1Z z$Y&_L!NZGoLcMaLpQtsP$Ie2=3(fa|U;!B;e0d06Y9vz;`AobkB2TKleFB_tLWI`w zt?L+cdI>FKFz|1*DqOY79Oj$iq2@_<=@Bc;`yW1J+qFOaRpRM3BT+ur zkv9E%o9O#&^3&GV1VMUU(tjDJrPMa7xKrEN`4uy>V>JtN2yxheEJNw3w)q&VrSIV} zt=web>6vA6;67w0`n{8GIi_$H_5O(kpT9IUe7>lgGZn{_R8&+HpJqM8ivXR8ZeuwG zpYN30B)S=&P*uGFf>*qc6%MC_KKg~88De5$VIPNO*}bbw)c74_$33LmEc@d$k4SA@ z7Z4aYyVVlO=0;fmje>&WK?PB0(&d$$NNw+&EFL@K+pDBQ%P>B0Kd~X}kcfyn>frd1 zYF&|5>2uvYRb`=wU-jmei^*-%9!8eKOcjjfu2+b-?Dhw9IFOcDZ@+c>V6y>&v4|-P z{dhb7a9zhs2Oo;sJB;N#4nNiY)~MqU~v zrwOoKlM~s_bDh48?x%mUPBU^?a|iq31@T!L6ecr9gQs4Cpff<->B`c0|Ci|)Xn4B^Y1KT2h@aiY@kpm6Z*V6#dD^V zmQg5?pMTiNL7`auwtf{}u)KB(zi!?|UdiA5?Q7qzyo-N2sB(Qdg>vtnCOD&OivE!XVHzhCilFL>d#uJ5_E!`@lZL7rppG+9}fH#WN*@On%(>cEcz ze(w32qOM7U$3F45Zgh8yndqjzO8w+8+*WgNFW;YE;~Efep7^+fS+Dp|aiKL>Wvb>6 zZhldvOPc@kRz~WJ8J{fSn;-Pv75ULLKE(3(?^=V#y0~Yf>gprs&YvRRN2~n$s*Lls zzXTXf6-o1MeOEK;+oO;>_;14eOq-td2a} zIx(64GjFqtPwCr*@A(}~dM)Kf>TZuj(Yeo+sv#qNhYX(4mSUpD_)&90sSgFHIF+ z?wdPTROmX|ki{%^+Ss~>${bz2aCUK92tDIzyQsS|qh?9!T^y^ua!V}LHfywTNc(D0 zwBwBVe&&R((-yCSA(d_Bjun|LYU+zIY7yPv7N*%{+@#H8L5!{A*qYgB%K|7HtCBo`;umNQ{*w%!uR{7OviZN2D677hMZqGbhKDGN-h2-yVzbd@T^MtdjU`5 zk(+9I*&<GYsn)Zf9I0x7cTS(DHY%DM@tZSI=#!0tb-qdRCnmaksRO6*|gBt~wxfA{u^jm*=ncC*(kmGL1$f0&y+vXPO znN>gUOf1jVlj_?4qN?+~O1$;pN>yqc({a3~r=S0#gMkxEPuwqhZqFKO>GL;UM>6u` zg3X+_xhh|Nz^7rV*D1@V>3Q2_(D6(v zuNDW6*DAHas5d|F_w!TX3;bU0f{d1Sa|Z*y(km_frcS9V25#IxDePA+(9Oy!xBa+_ zOI?>bG`@;1(G)rrk0efNm%r{|PcxB8oBTOlEr;rHw>VhgsoFoLjOY*D8LXQxy;#0= zEI~8JoGn8y(rN!%d}pApSMK;AyuYxcO-LnAzrgL2e7BV4LbJyk8`FhTJavNShN-GG zQJi~U4=^+@JI!u?mi}E^gT|D`R=V9(Ui8Z^>s6`bu>ct!%eBPNz0dg$7z`_hFxgF~ z6?L3wB~fM@O>SU~WoZI+hR?QosTHWSByE4J7vXdvF@4y$FO>B&tMj;Uw5N`k@p#nJ z3XhYTwz)BT_ay7a$C&U4sD}%&9_Q%Un$WECChiOsM>MB(J3O0A{)J;TZ9|ustFLd% zgV{AhNqor#65cHi$Mr8$Ltgti-5nX3qf7dIc__K)nt^hI*W2Ag_mpci(6indz4QrP z=j*Nz@OVitnH40sEfx>q`)aPe&6?Y~jfr*9TYRM1&3s`|NKmykQ|i zFcteNGFc4!EFnGJy4)7Q%njt44$XHt42w>y-Ikq`DqpN!sTvYP|M_9eeFv2W(@UYD zc1?e9`=%4ybJ?j`44;}ln(||*-;&Pmb?juhycCAf+^Y$rcx-Tulh$F%upB+&?WWnyA_ezV#f+`k{^MyqU+j2s4k4 z78$xP53@0qO;-=830dq*y{+I~Q8Y(cV~8;DYMf%wMo5Wc@?PBK@xDWTQ{Ac+wMan-Q6JFEnR{Ff`ou{cXxNEh#&|Eh=_D|H_}K-H%NEKSMj>Yf?-`F{m#Mjgtr|CEE`noJM)<*{RoeBABDJ!WQNuL;Ljx zBN;9!pOcaXot;m!&Cv4l%&0=Kq>!mMUK0>(t(iTLGKCm9JClfrHnoq8)VA!& zB2$BVzM9{+-U$)RgxF*zI|UR5mik_Qd8Sfbf(VLOI7yv8)q3>rSS{iFKw46(AlyjfBFh#ewptx?w?TjFamrK(#0MS4EFuty67(hC1yQ)+1QHPxA6P0eR$wlJchzOFg1@o zo9VCKF{x4Q4oGK+y5bTBGz_+|J5{$=e=tN#pM@hA*>B$#Xep^xr(x^M>{qXMtqjxA zL_&t2>N8N$2&)ob?*4*_0SCE_--(`CA`brj4Q2L)PG`OaLuBmZecXUHo3ytv1%|&1 zao?r>w!Q!tPxp12B$03~VY82G;F!c%e2s0|eyo&l!v<&R!)5mSP4Pb>aJc4|VL>~i z9>u^iU&*DVrIEv=eyTG=R)S3r2!74MREEE049&?gD!N?UO?hROOyWVSmiWkt32|Ik zg*~lO(5^1of^TnR`Kx*FwDRI~vMq}5MI(%2z> z=#%fg#R+xs!;Zywu^||f;^94Q9q_4__SfibkFId|X7B7;{o-U}=4X;B_Txl_U~nMJ zgZP5YEU*so3!&@cy3%=yCyKi=zzIc;gj{z5pDU!a&(5a$l(@&3`oa9}??;AuSYJH3 zPR)^qfWhmt0mp+*$`Tf?)nA^DSJ)ZCfB64=ye{4}$6rt9P+A?zAxcdpHeNdA+7X>a zRU)^|p0Z3#)(`8J}Z9CQ&DU^c116 z-S7S&sNLQ%g%TbPa!8nN7*ZW&PNi_pttWy4pAPxbIfwR*C*T_X1;n=)u5>!`vO3hM8ej~U-Yk0p7W zOr#86AI#dFqg@83e|}IaQ`4z*D{p5YH3-sv_h9*zD?BxluK2M}5{+!0+<}c84wVJu zvIL~mFT|3T$G(f=P^VBnJUrB@G>uZyDt`7+graN-^5<>aYrkq{8DLJj9?{-7)Mr9v za{BTTN0ML5KSq-3e&!07PlMHF3rP#ZzS7RUo3K<-(MEuirjC6R5TLs>gjhe|j4*P~ zL1KZ?V|eUI*?bm&yRx;Jeb(QY?k4AY=^ort_53%E^Xe`=jKSNh5Z%1V>~D$~xE0tk z;lsjV1I&DQ?+V3tAK-&NBs|hKu5RxrQ*+}vcf2c^%;s!EE6sfF=u{OH^a?_efW#qA zXe)Z_0fG;a(rhM!BPR&bYyJ%}gx&;gGwDf$5R&k(^g?XB+7GQ!z+CUmi%31zreL)l z+C67cXP&IbO$(M@)|H$s5QI$m-T#O{lQ3(j40=$fUaJ$_Uv?+Pv=@hkD1M#C>|(gE zoTjztB~rz$bTSUW6Y~0Fa)?B`x-^xu^w!MMHt==T9ZcXzM1gGXOIcO15%Q>xjsv5g zteWjLRq!Sj=bbA~tvmY%{mB8JR0H3|V6>0*L#Qd^q!c~5YssGg11X!?>Ac@^BuI!+H}ET-;KHjd39>ZBOY)pW|z_ zYIY#3C2uNR7hTz1VI=(BpOt=1=*z>sst;WDkkM59vPkF`;oUXVi5$zdVexroAWbks zh$!wlJwOrlcvm>&csH2Z@z6A6q1d=s&zWe|Vy(eMxb{j2G4?P#Z|_G}MF?NuZYd;( z;b`r+4qJC7ocIjM_!!>c8mU2mSP}mnvw8{()i9g1ia+sw2CLhWFpV_zZNd&BWVjI5 z1g#+<8v9X)jQzox5TpZ0U;*_5mt`>r?5*3XRH=MHN13=@-Q?553Q^XapO(bMJIeQg(w?F$p1 zG8eyXAuqlq?mP{vM551ea!d%G7YC9%EB4Df5$j1t*+1Hr2xBl-RpeoSdvyu?q@`H$ ziOqa^5t4LAdvfwa6N|S$i4<*O(uprGPmgQ@_pJQnDSnE$T}AEl%OVD&fegb}E(#}8 zZT_plzII4;20_hIQEg8yQdO5}iJuaNS>kE$6-A0|hd2+X^cnlvx^gmC1*>_;2Kg1c zx@T_riRipUB-RXrMi$9VRxW9q#r+tTbcJxB)wp|H>WHd~NP6Ibtk}Rm6g7b_e!n%G zwyDf$RlLvSRwtxhEaVE4A*raKtRV`pWwC=`7kwv{QDgC(+4wt3^M3^?1Gen(n ziU(n6hk-O-{ZSy|t6}KgqW8?8?rET{ zJAUXz6}lUExX$DLm#k6_Ky%aJ@C!-hqtis`W8#5@`xVXM31flMgrtT5^T>?)^tW{L?FdzUwpV3Idch8`U05aTYw!s3{^HF|gcw4pBPTyTdg*?LQa$(Fp# zD{eFhOlwHgSG)T8j$|QDQL?+?E>+Bd>K0>f;6f6Q1Q}~~8Lo_-DD;@;q&`4c%>qO2 z2%_nGIlPz3EkN|Obp&L3xcqqj@|rpbL`z|4WpW&m|8mPsyBtit*mihj#TKC=k1JMD zrrf165QIP^TijkK7qs}fVBPMCq7f~kqdvXBUW6^|iU9cJ7X7OC(%>;(MGe--(iY-F z$ik{8K<>~ij>B$W%gK%1F*ic?5aH3)&jiyy!YK9r^>Z{Csaav2&XHfR<|)0Lb^JlO zF?{=(C5BWuR2N1V>=bPwQB^)BL)8+IC9w^+O+LbFQyz%9%`)-*V-X)TCzthLAYgW> z_p+Rq839>MKYGG8XKS`t31a7i+t76q4E&oh-dEgTJ%*vrFukBAB}`a;IfkV?^k9f5 z;+tV)%Nz`r7BS(hCpe++8-R?*RZbt0)psY?7Xy^r?~3SikH$)&Yt$Mzv$nUaibwHHy6CA2+=qTKJ>Q@TWZM6%2f`mB+5cqc3|lsGxWFGarOabM~Giu|2n)0sNm z>U}QEw@WcQa@MyRG&3&*UbNLc%4e{F`No}AHUr{J6(YLMX^cK}Cl@K6MES5Er0Z_$6f& zRP5bx6k%oJP|71 zCDhmRRxtM{veYw!{$+)F_%~SMHDm6T*$xtbV4SO>-Qo-C%gG3)f4mAvjp+NUYRL!X z>lhQ3d*HzkZMH}+{ET76n&fOA4!Y`aNy-0icmT7AEYxny+Ri~17MUVd3 zUeOBY3hl&wAqhO|vv-JZ>ah7?M#}v#W*Sc@LiX9AZ{#H1iy`Vp{+^-HyuIG5~gDRt^Bm-O#z%GiGh;u z3o8`Vw;jTx=Ndb*G>L`BK~SkhVgps69els4pi>D|OTpw@}yK=Tfe3 z1w8yNhLNnfdf{)56|Q(}!C@C z=M>jXy)XGK!LBJqwINMqd+%K{bFqEq<#^>PvAn7uDd$3-UyD#+UMgvP!Rj%pF8F9muOKRDy&f8~aGcpbWkE!c63YlEv#^%JC}d9N#3G*2(a3o# z`9%#SKYn^=_h)fM)%jU-| zjUPM0L!=D;v7J*cCm>75>LcVL4^nQC8v$DE6Ug)>?V3nGs7fkxO z5UzK3F`z5*HOz$=_s}oa&bj9i*iMIH#tuI^dfo(=`m;jGM9#KdDKdy=PC z3+&<>_Whv^-*eK##T7hplm?VG^0qKHN^;3%Y(4DLaYoOZM(6p0PfU&nYknD`cyKJF zJcsiiND7nk6L?^e+&dB%XU1}3$mv^e`yx-OLv{C;38MF7X%tb3A$zj)-AIMo=yqp& z%ZjknluKac$Yv4l>cU}uKKfr}cYJk|J%f`_wdJSC!*5^u6WzqXGEj)+eoJwvuiUlK z@L))b4TQu{5Ljz#93Cfa4yElQ9XOfIkExf1sy`$)HsR~Ngm{~Jz5-@wUJ1sBz^~M*xzlSMi*k|Alx5okM|O6%=T_hc`Q5j6c!p51 zw-0Fnw1iLC$7ox!ClcpD&c~3UWog0U7(Rs4^msNfxFOgeUO1BB-}{3Gjbb|{(&gm( zr06YOkD19eUBK*Y+Paf0HHJN=w7aZImDmnEtQhRAdxyA&Qg`%?_*#1{C)q4Pcw&-I zdrk=7$F(Xq?PUP`aAe?enSoPndip^GoVlnC2n_CZuz;SMzF>CE27`C*+Gr_zyw%^4<-B+ts9oWs_g~i=H=e zt;jpe#LUTvfbe6vGh^^6Hji$MOAtZqC&+OaeC2cwLYC^Dd}g)*z{N?cd?3DS|<)X}dMdfqKU zc5}%bJ1kRP%@=0iaOJJj3=}-pl3_z*^PfC*TkRE#My96OJaH2WWmiF;l`kyU!gn|3 z-Uq)w!gy)!48!m5OV&o-5T~LB_aRHK)2)Swj}HPQnZU%TpX1N=5Mcf1^#ep-ld)lm zRFZl)oRe=Mcqm7BkD35%o-(o&@*+mAeQ_Q;uLnO;kTd~gJAimeXz7t8Y|UVU0uyr9 zAFxT2(4jMauNO69SENk@(6TTB-194L_VT%)NJ0E~vPr28t4=54PvTbNCKy#Bcz|RYjN_ zPl*R?4vgxEA(A(~s(;oUwCgyY*Muu}J!*P?wQdsGeEwlC<}a8YSj$iwLJF!Qr`J`x z9Naj@8yjECojCjAN0n*$xm!j=l7O^Jy^*T|xM`1QEpHuv$9`Csp|yEr*^?hmgvZO3 z<5Fb%OhD$j*i0b;AM3gJl3phOq_7;nAbY+k<9alO-Nk^g^U3B{pgmCZ;AC%BmWB1Z z<`UvpuCD|f@9#(#PAhm|PX_KK%Ri=4TV@k3>2jm^Oh1IT$=R+Cydq>c5AqCpPKD3~-0z+1Sq-PJX`7uo@=7nl|v|P3gAZ zDL*$hLy^<8N!9t1UHl#A6y;^hJUd&lgts$A;fDO|tD)5$YjkN7I6Q?xAPoR=J-vTq zjaW!|W|pU*qN|1R!wlf6&gmssccm2cc-v{q>iz)T;9@kUPe6~p@zv5w{}$4eITAVq zB+%&Z+{d0%xNzD(C^Il=riCk7EQkL{}5+fuzxiz zp$2F)Xcpzjmlht1YZl?l=S{9SHR6F_D)*=j?j8?DeICp82~UHH_5~&&uRuuE)?1`2 zuf-K;;waM2lLWd*B_+Ow_}2D`p(#ypNEJR^e2N?5A+H8Q_ALvn8m{wORdtxwK+Mld zwT}CSC2HYZ;lDdk)HN6l>G{KF3lBvyZgrowm^n%Sb3_2lQA?rwqIQ?3_XFPNxTz!Z zz_c(fv6~|nN2j_eCbcuZ^j>-zXda~hLGxW?C`hU_xFU*L$i2emn1m7ET0|*{M!XIl zNQAIC5F8}b`o`B^2V2_!t)DZ{_NL!RPQC@5wf?Gi?+Ute^fb#i4H(KTFX$98iM8?_ ztPZdmY!}b@Z>GrrOZ!gENB!{&39=Ukw5eh4N#o2NQ*kD40oYb-w&d4Ip;w@(*dUqp zDpbURsOW3B<-A3HeQQC04lkL#KE~+Ad;(~ueAvpydfo5RFH6(gyqViUc)U6@h)&)( z%O{8%oL57<#YPGzmWAY^@W9~804Av&eEY91;Ro}gzqo(gd1!&|4MrhE{8vBl|6616 z|1^+(bd17(nv@Tg#5Mo!SBj>krTwR6dHa8FS^l3!{(tIy{x<{hf2;pq-BKh0mIdon z_Z!xq$d79uFH2#eebauIsQ=PH{ci^OzjtEaTo-%P+b;@P)@UDk@bK`Q|D8Z;@xHL0 zaz8sgeXF7ZXE^f}0_3FVvoc&^>Bu!#q-@0g(cl9UPTuD_`oZk}@ z9YhoF&CSfh4i}qfSy)iFwzeFdovqJPH=JMCFVw>b3k!St_=JqkJfy!Z(V!I*qwp1@ zTv}SfLdm*081Xu7E#orjMXPUU0Hc~(SePug`YjxRHu2Z5Uy1mvC$qL%X+uA3_wYDG z={CAD#Z!vMr=}8hcXt~Of8j$$LFx2Z_M0g@DAlT1OAAl?!P#4G*a6FG&`LI6=ipH3 zYh}fh!lr}Rp!-fL0YmXSf`d-=zLh~Jh7gIp-|=TFAw$J;%k7tVAv zG&BIpXjkjC67=o;XD>i6k^OROoT$%bc71()oK1;B(G(3gH;zePd{4d8x~u=?(Q-m@ zF)MUPLH~QfPx5BD^M!?lol&?9j!%yd-f&;!^E&@jSzwcp%&oahXnbuxvhinTVM*5& zU}i=sYd)1vpIjf$mD6hVeNn345)D2vL&yy!iT+LJY=w!6zWx&Zou_u|!=+BKPF-nB zkt8y8hP&05>y0F3PNy{)$P^n-5`%JYZyc!(KCEV`?w?}J?-rZ47kjT16}$J!+Tz)C zY7Kj$@i}>UZI7%Utndj5p$+j@^75UFO&+W3>marhzI~&yov%e-U0ppsI|~U5dzm!< z@s}w8q~+!1fk8nqL?(=kj1r!ng5WjzYPFS>INWJy#uY^L^z?4Ed8!3(RaId@&pEQk z*pipzQ%XuFXvO~c@dJIDnvM?M!2jmCt*z~@?NO4lSWt2@z6=d^;O+;VrV+lfnFy}% z%1Um~sU{*KntWfXQPgnzB`r;KVtRh=sznS11;z1Tu7NKH4jTQ~czB^a z79)nY=YQ=QvuZzOWS|wO&n-=XJrqh!S5bJ#@H=xgEP$#8?xuVx(W(39b9K0K;(2^^ zC1+{LsOi7n8;6XB7TVD8qBoW}1b7P^1nOL1Ib1f^*4Mf07X*(zMLfN{R?kMo%j#;j ztp3#45C(^YRDf9PH|5R{bds|0a(3nhkHb+UM6|a{WC(j;NL-v?Qi_qu#gmOQwHb9G zHeXEZy!o2-;RBZKpGpKUVdxtX(TK9Ent%R8c4)aE*grTha&Sm!aM}J=U5y9%@Zm#y zCXc43W`>BDYCcBW!zJnc!$ZgV2`88l-Sg))e_z-jo1k4CEz4Fz}9FCXN z)bIgM4>uc3kt~{83&9j?U+s#>(J1O5>WU*3I38drqhe!22No0dI1H_-;-SNN_CqN% z8hrTrSdKK2s5fux-Jvi%0>bJ*G7B)epwk+>ubkqw zSy>G&EFzfHeo*oA*Df6lY&!4H*I}llq;^5#wAcHAvUA1=e zr|RP!;R^&1&J<} ztM_A4(tAfo&X~wZ!`H80?;q4Hn;Tc87ED8_IS(U;^brmg3*+Vi_3QOtLRWqPng|Yb(EQfMb*`kPeO@) z%a@++?(&Iz<*LoW&s7^68~J`WL?(?_eg|0~S8Kd`2OQ+9s83~iIVS-z@vnu&#Xlf+ zp_7;|H-f9GsxkrfzPPwJRI9c3?t}TL9~pFsO#E(B{5XJaM_wH=mR;z zb-A>?vO)1cz}_wVM*3DBpEjEvAAz<2j|#&h>UWDkvu#DmNn z!_`~AF66#Xlq8=A{T0;kO&&*;U_%(c&!sIts8C>je@t&~cjsoGvcRUZgvn|&0w=zY zH42gE=jR)pv0$a$-Q8J*gubw-si<@)eHHmNk|jP0qJtQc^6_J*pB9;*W8g1S?#zQ} zj6|E6QZwK(OnA{6P)|1pF^C3X;otzC?tZxN0x|G89UW&c(UlPnDXET)L4j`M(9n=6 zL`zW-%_O!0>PaAMn3vMG}hct zH(sZtrw^(#V16g$5zHLuoec#D%zt9iB2eC`OKP`G-{4ofRx3 zfE?U}goO5g@)SP1F2#_%XoWxR|5FR1;8L; zAT$u>LC;Wg*x!1`MLeEdIK}Uzhj8J@q4kCy2r^uCwvYEWLh~5Uo*5Nslo-cy)!P2y zCcwe@R#nnFApU-)_wfnHr+(jmn3ebcB${SVsG2D=NQjI?mXVQ>U`}4!{A|#>@hhnT z1_Qv4*-A6ik&G810DZyz^dA!TKDWHTYJ2J_d{;z85W{8E3BS-5&^B^uLxC?a?XhoV z6l(4c~wK=o}wU^qFjNT$O_2@ptdu^$!ho zgWBk}ds8fXhXM~f`{xfe4^LH32<5e}7)Y)s<8qWn7rRrAj*ji04g8}rGBSkBHl1Ho zR#s9azN$Cj<>d{Hh(M~Ws%mJh1GpK`XYj{Y%wXGhQWx&B8+o6Enwt89e4b&flQ>9; z8%rz@fYgG)bkHcpGUh**l(6yJ&4mJ|%FJIJk+b!?Xw#!WOzuSoPWUe zY6K|#V2fr?=rdf$o6}8tq@(J*xhub6Ww4dAVY6nrPD4ZEjeXgc@7ay7FL2iD-J&v} z;#OFUQUFXr&B*w(!%eeTD~O}*9>?c$zvJQV%ISPZ1v#wKe9@rhu6Nf*oP?P8@40k| zD2)g|KLJRL8;9aPK0csK>1>~P+6^-qG?flNJSAaCed%hKn0)l3c}asEjz$~|sy;xQ z#-N@eV_@_GJ68bQb$@?0s{0rR>!^GOH4@#2R*D^v^L@86te19(H3!i1o%`Tg(<%SxHi_dy4+LC|Fjt=4`q z8dRUM@lz0}h~YGI4)0 zkf}prVo=4N?p@T?)u}i*Fj+K;$Nr40bcC$_{Tp?%-e&?($%3wTTxQmf>+9?Gi3wbA zhlG<87f8JIf0bn8NWvy3)r+-jP*e->tZPV?{jSJ?pO#%4WB-Ja_nnzSQe9!lgkBE0N|O0c1#zSGYjV- z3=9k?;yhevfUD3#V_;zD-*g5fSb`4cZ?z?mJ#v6c&DPqH($LbX0A3Fe^x-W)POAU| z_YV$A=PPA$0+!u;{##+R`g!H0pTXHgMv56=Yha0U0QMt=zoY}@hE=y73(8Tz2US~5 zXsgTl9hFTlBq)F3w<7_SHL5ED6F_Ga5ENN{m&Cx!A@@!c)`z1%2E+>*o&s>BUb%ph ze!miexw5^D1dKYA#)A}sh~5dn0t^Irc0_J2t>T+E<1IcOwu_DU5^f67At7+_6rw0< zYHC{V->)t-xM;O_yJa3UH8rho4X4jGd-24^#;)w{qBQ6(75_ER&aJN}y1P8+0uHpN zc)w6%qlre$4d3K`01JTsdK%o?1*+G|#s)lSz(8dMkVc@ygOjrz(5d?Njl;uuQ0LYFkq84EI2?mKy1l(! zBa_3Ah?LX>6qakij4J#eykF7bfb8E6$Ob@L9ncou#zv@Q2%-^~E0jP3$_3JFx1BT{ zjuF_M4w4ZTN?59RfLLz=B_<%Xt~+BepyD21UiJcyWShQ=+F|S8{#;kQ1ov0=z2^et(M;aAH6Z5>fv=|UQQM;v~GGgnImOu~Rx+#h#gg0vb`QNcAd zJlybWEogUo0w5hA6+ubfuTy2~Ln!9^t=kO9(AL&;Ma!Ow96&k14fZl^%FHR68A3Gu zoSmHwt*oAzn3%NeeMm_O%J;J8B|!(78Xh2wmXOyb+xai7DORUvu2?~U%gV}LgdYOb zjz>VyIW<-D^3DzwlrCaoVn#N$FpvxYsctySpR!I&P7VY00Z`M<>1hIROKoi}2)|I( z0vQmW(b3Uk6((}C^YbBn>p@)M`}?*4?6!Ax!NteN8^%g9C({5$3sBthnwrf40s;c5 z-0^lW4p6XqdU`-b1lPmfGRgpz31kvLZS!61h)o!onZdq;pH*l-zxJsxCwGpGVF88< zIOCXgP5-Z7lKT1-04yT|n*&$;Ib{vL!8u{sON3%za4-?b7!A4@fc}H6`yegM&dxeY zaswCvkc^{?%iV;pLJUyeK0+_ONy8>e2e(K`ULOsAs(| zfjaTku5MOzGzw?0>+J}?MyuHE{S!FIaq(JVROa>TKWC&gSxCylKt0t~1}7wrmRg`B z9eBhsprN%M$v`#cD500By=x}{Ts96=GpHzqORv}t0&~7e2*{e9mY>T+=|Vr$8r#{$ zfmhaf@PVhoq}l#Qhe~p*UN>EHS^4>B233#QCM3)?p+L8{!Qs)oZW2s)t_LEjcH}>L zX?8L-SdHA0-4k7ACZ>l$N)w;ImYdT{@2J>huHdOd@A;}Pb#Al?X(o7dYR<$%);|8e zEbTN<4W}uA4#HS+S{AU3E7c#9ttb6GFU+gR{jqr+6@JVboHU7R`%c{%b)bjvTPkI@ z?b1(~#KP1T&4jk=vJ{bej8^O8xgIWB#9o z-T!*T1`K3mqY)p~00(M9Z6PZ3wa8wG0|NtCM6Gqd0wD?7L$13U)0PdV&cuMNhjtRKvq5#J?K2~Ddi!d!OhRbO!k?p; z!GsNz%AM&F;p=Fz$hpxt z-h4p|k{Dy}`%Q4ToB)6x0erCdl0HrpyqK7OWMn;Tp42mnEF^GJ0f&SuNg$bTArKVUN_-er&KHj4+aEl zmIXP>|CR$Hp`t?Vey|V}_oNq*kir^Ji!|Qb=z3!7sGXxP*`Oc5T1Jh}K zZp~hdj|pMK$3p^-k2!&Ig=_5OCZW!hEaV0pflLujGDY>DU83M%7 z)zOw$M)u{R1fW<|Btp(EF6B1c@#bOusD%DqBM!A4qob5kIWT~K#|1Rk5rN`qv!x;` zibtcv#KwjXBplD}Ob_hSt>w46y6`M4d)|YM9*4ooVtPS6M^A8F;R(f63v+Xbl>XId z0S1DU&z@n9)f8P#l=?TVo!yjsI0nj>00jv)IQYvI;h(G^P$afT^guTzC^pvB^>87t zr3jp0`u^-}yRGZNr{i7#G(i;4_b3;N-PBY+QYZbIJGXjouY^(STZ5eyP(dIj*1BNR zOW$i(n=qY?^+(=fG^2B8+yrb^2n~Wm0^DSo)9Hg;^&dH=rS*RO`9N}MQi9RC2`J5AceS!#wmt}7pFYi=|&nS~>0xhpTX zbtPqcFPA$`B_^h{&8Mu)0i^jIH9ru#Z6>j+*A=vaK9{`m3JR;6Q}}0u&2SbLg!kv` zn1X({bRg()DCrF!!iNFt1ah%31-(dMVj|b=`9Vb6gPncmq4m{KAD|Z{T6OlcXz1u} zDL|V;%v@M#fIPcD!Q1tcpsvIR?W4}FGQ;`HOi19kNiU$l0VZ?Rnk1PzZ*#{3XZm%M z->^OLaPskml*F-JHB~ru1@Lk8LhkvtjZGDcTr3F)QaHID*XKXV&~$lE|DO8j<|*=Z z$o^W+e&pcr%)?y0a3=Wzx52t4UKKowei#_VDcPpQ&ij1Ig0qa)>E3 zTpu2SMk0dO6&`1K?sD-y2kQ^YswTU1uFCpenSe_fXkOR5?a{-+h3x7v@bJI^hjVm0 z2wVWaF7A`=}n{Sz$rmB3pld3Rbp~ug-CEa{l@h#n$BMad9O}el$9j zN^dk_fK}|)XDetuZI)mKg_|G{dZmoeBnJNupc?}ICIhmwMDDob1HA!=WWbeImRf{& zCV!y=B}~p-RGIoY&NK4|3Xv>z_M}yF4ZLf=TjR%jk7L0*E{y#rY|O(xaY7RYMwwdB z!pc9{EvgzTX~Mkv5>v$j^m;u8a4zLT>NQq6f2mx*&e`4r`Μ?EY*kLTl^e@$s?m z?uCPcb_s!(SHmkMr8U{&r+0w$e9zC5q)+OY8EtDR0u}T-)ZWoCF=M%Mfg^j5kD?#+ ziUw8f#1HQ%R#%OPI1RDvb=$(LtJPcX`hX92P1V3{jrgHL#u{Rfh)iait>Ab`-ZYJF zNKsdYseVlQke(j%442{WIgg8@qeOptfHaUhAuIV={_W$m5$)?Ih7L!8bz5v>&r-Pr za=EtSW+3XyCp^Bh$cp!VyjNN8ot7Xx}~81{R2vLAu~KY{2JvEn?HTu0-nCLwUCR8%^$jv z&r)63M6*S4Mdz-I4K7VeS>bJsTVz%0%$xS1gfCs<(?$T2`Y`uN{<$ePG3Zb#iIl!& zY$sapq%uJRZ0RDUp5?XXv5B zw|gI;bH-Br++4WZgPI5c6A`ba;{<{MCru(X8F}Vh6Uiv~zd;eAR0!db6WF>7-eERXuQa6(ZQ!tFx@P#DiU_uI+M!N=*s?j^phSs zfLEgEz=+iazjkK%km9h8UR3@jfEPP|x0nBEyhO(BM}J+zt&+#$X);Nu%w|O*3ht9o1PNbIKaw^ z2lB|yVv};nyeCPPO3h-63+XSWU#UWF-YtVBCP&oIUl5y_<#F=ygd`>L++H34L^-qO zx76T=3Q!Obf^ARuU-6+ND*r6}NXvV!nmL2u3xkM35}G3&0f;PE1w3r*RYxZ$t0_`0 zk$V(Sl;#CxWV4Hl(WG*)f`VG=XU@*fK=FG9a3A1UxyHu!G%R~6ErZ}Z^(*R+&75EE z(#G%_bmN~Mjv#=icMydnBpAf(eF9=u|4&jP5mQEa`DmxxbEa4#E|k*J(x=g-mcDl? z+X<8b2%3jxg3y#c={Fe9o%b(g(y;y#$w#xasT7%jeo6l3f-&MIy zDGqbIJafqJV<7gA=4nie_9&t3z5rw0c7PRmyFRNA9FDt zH3zXwB{|n~6}*>5ouN?|tqMx5ufUH$J)JStv8zaE{BtGls|=JJQbkR?u%G>9H;)mx zKi^EbdN_h&Zj&ME6CU$g9Q*cqfgX1!-EQuhQUnp*e3Fp^+K6e`Q$WNxUpeX9UOMQx znM$NP<-ey_G;L1c08rA@-2Ai)lOZxHs&{B8gUh6u_{Ax;tu3#hpdf4wi?5OrKaeI| z59UfbWb-O3KLSAk)TI#G&UB_|DgV}#(^C|00ALHNG7=4r@|3g01cff^4@9P>rZ%>= z46Uu@XG#}I;ur)3kY1|nEG@!7O87A|mGYl-UnyBhO6Y+CDO0Jjpx(PJ0wSGt z&D@IMF46BgR8*8#%1>$8*(-?4nSv+e%TJEM*j;kme4Zrq^fiA6fP5wB=_szEV!&h4 zn|m>^V4t1@RB4lhxrgkuG~$ULVZ5^(1RL9Gx~joI4g|^u`dUG0=@!rk!OGzSa*KEX zy5FliJ3kZ7X4YnEs@b4R1I+0J$}$U25^V$~m-jg>*bGq-5P&Bgj+WQl99yCz_MAZg zDe!Qyk;h@lcfZkf^~m7~os^Um$do_Fry$2GA#iD;!qpuE?hoDsI(7c?K!k#T;2p}i zA&SR{Z+;r}AQpBfdwhhsy{WT*_*A4>dYu0h^;7fnH%5s1jQZK1+7gjA#$x^apLb$h zC$Pe83zBB<^281qwnSflX20~kTCCfjCj|f0J3sOC#>gqI{`5(K2@>nwAG2aL0n9RXn^aStnU9RVGcb~rOxjz+RTlZxm@xCZs{-l$OcjJvm6&Th0B32* z1m?YF_rrnv9X!y+R8>FT*v@M_@J|g-#f|lCgZ}0lTX3|C(yyAtVELJ+Cz`dZ&(YSF zlDRp(&2+Kxbny#M@9D18=AL1;Zrjnu%jm7=>L;?gveW=)@ z4%qQVYTzYA{o=kYOer7kkz>3NfVg8K-pJiAb37hyAd@_`G7hi|cCrQGPbdZNG~FFa>_qH z0h4v&Vu~{AiV%1u`;HkO?iQ0u&{N23PQ?A-wsPDoP7J7;nwnD50Sa&5ayEE1kcs*J zToQ42*GuKucDlXr33S=UVPxT8;61OaZ)$Kkoy4@P@lw~+tOD)>z+{?`8wn7Gd%*vC zQKBPmcPt!zH=jBEa@}CMXYHeLa7aFnOK+~$dmX3a75`F$(T{E~7d*Z+DT6v>w3ng` zf(Ystv6M$$p!GWx1b6p$IRJwB`0-OL#RDmYXZDj_-BmcqK0(-BHW4XMy8szmAay$@ zF&DCX;Ig)^l*5RU+e|^v#+DpwLwv2A(d`g$2ahRo42eh}E3C`1iBCB{0AfFv?d&n) zM9rKCa}hH!ucu?K1ve7rB|J0*-&)1lxuBq)om^xFCJrDo3vxnVZHZ3(qk$jocAxkz_cFIDvPhNEzop^M$#4oKHy z%HzWwE+wVK*pYi%65T0*TmBs>>AJC%6~ZJ&b!%El2{|7hpSs37F2`)7QL(zn2nv$C zC;#hX?CWbK!(+qIIi3%_^mO$4mT%kIp6G&ugA0m_yJu&Klt-!Y2np5n^+%+0n}Ni< z*%@{Q$q>4LLy=E{`z9B6Y79<6f(;8ZmcMT&kNihLGjZIy1{8&{vSm1s+NaYkwubru zNaF;Q3yzA;6p?}=gy=${NdU#c@lY3b&X+AIAAWW7f-_f6yz_gYL}jUk(~a|--8$}7 z{#J2J5KIy=-~VdwJ)ojYw{6iYtHqTKEIcD z^^CUEsJ~~Z)3QwC9@9?UG2!pu;*D?YeuQAqJ;?WqhzMEKl}@ZJ%6odWl{!_;tN1E| z?Zed-swap-C%UN82e(U$RIK~ZBc4)d@ z)3e}iOOtUyCz}7tRXNRL=;+-aqmkxxTy)in#S^vQK(Hb=^tq7;ZUvi#e z$D8(*>!P2*=`jD>GRv=bwX`0;J&vZ#a6dN(#~bZ9)!qB{aK9&ycf_Hud3Jj{{qfVR z;cqk7zZX(BvnKBV{oXAVtnu@%v{cCQx_#PyqT^#33-66_pY9|NZFqYmr_kPDROZ$7 z@V5|o%urOHfK*5G{?$NOj;nbLIZsk$ggIwGV|CB? z$uV}x*yoljxdRcF*+$h4GBP{&_$Ci0#jw8RO0x}p;q86N?c?Lr4#k$c!m&JYUy~wI z=B!(f$2}2~66+gj=9(U9_C^`aytsfkHSPBn%~iv!z=eJWSO7l#rla z;+2CE?3_7&NO0-MLdMoH*`ly^O0S+U>%2CWxk{g)EusR|>-qial`6%PTNAaE$Tk zGtcd-f*T9cWLZi|N+J%4gd(5aGtel%D=iJ|;W#X{^w9Gt<6F_&m!SAo8A&HDxY^{D z&097fY^&HJX*@nUI?BPp^Id)N3K(ZGsqEr#@e^+D)G@SAlyBa=X-wBy0TEP~sI6z9 zU)kq}7$RYZki4n-b!Eg@#MoHZ`No-3dU|@rrKLUfQQnJ-+Xh=f7HOzdsejVW6K}Re z_w%}f?EzZe)hEDYH{|55$jdV;r5g0v%~~$6Y#0ij$Y|%G(u*VU%q}73)+TDRtE;=4 z4c^=w9v<$HWlasyo|}6^W&^Pl4J6Kj(qHc5y}zH+Vt-R&f|J~jj9!VJ(?jk_-O@#a z9-AxbwSeC4;S!>bJXmh5tzGm|ns<0Sn}>tv9w5ewpq3sNkI}Nns(qXcHP`gZJ-5Pd za-2By;{E$Lh2+T%*UPTcX13OrmTsP-Vq^kP3}cw&9Jm*KztG0p?!*GJnOLwb2ORr+UdCHwsRkL1P9yCZ3)$Dh@Hc#`|fJ@RJM!DZSG zT@`34G_AGBo9M@mxHh`dt3Mi47SaMNI<(kmqp)2?<^=O0I;@?|Yeqp!e4)L(##o91&yTVfOv7rLiL(UiHs zICWVB(f%D|q~C|X>A2Gg#f0*_@vqu8dg@kGl%Fqhd%JC==w(KcuP&mM@7r0sX(|uW zsi7*%dU6Wm?&_fA+{k(byF}5D0fatu#IMk^^m1DCJQ%!v-@e-`x|8WwkGRfF9K%hi ztgM`2n0D-))QpLVovs5;Is)+=&@1YWYZor8TUiu(EyC~Wx*Xsw;!s67wP5c2Fr~5~ z`nF88B(2~tS&&u6#7NN5+YbnkuV3d>P*5N;E*BSfLjyNTtBkLc5CnRAdrO82OT7vR zxT&aEIy0<*;!l1QW@$)nPo@*Nu8*6H6+Q8z3;t%qd zeLz!-EP8Fa_Mx7hpn!FW12Z@0LZfi7HIJo`iMC@Ysg+S1P<8*SV5`)bd=o*!VQe0}Ad9dF_K_E&|5L4!Fx)DW1Nsl4K} zE}$t@I@GX>cq1<~v-+_&1*Srcf^NkMXH$K>3AQlM{nq_wy0UGzNHxw3D`$i} ziklk{sA_XbD!YAx^|UWjLTvk@a_md=B93v-?4k%c1>MVg%w=d-tn%!Jg;lKN5#xsX zbepM-S@9Wcj|Q$;XRy1tv$O`i{H!GQ&h@Fm{guU;ylnll4iCFTalf1AoJRIznclm3 zzDvbL!sVr|p2}G+*}5FcgVvB^`!2dpGr_r)aAubGO8C6?Y%QuzLT z>@j72V*dfL4p!pBYie4Ao(k@!6<)oa}3vSi0M9xA`Id$Cu*cf09OX-W=#Wbo?oPXYA%h%G5vWUX;eu|$=|!ZcE!ZTY-Q8d)NL3k z>$H9@AALo}$I4KaxRBjWhc;}bjn`{93H9?J3?IM-kVDEUDqbh_SH9ONku^GZl5`;C z+_N|?ywKxqXSwo&k<#_KKO~y>G|W!E*RROQ`8u^gMW>MCl(jmACc!g6BNUMm{+y4{ zDfWVh_p3A2%#`3vy)5$iK1nulSq|Fn#*{1lR>O9{XZv}L=%AmA{m=w}h>g)6ejJz0 zf=TR%@y>nw2%iRY{GyR{I~f_JK{_bLz6=OBNCMgP{{4H1WL`p6m1x#`eZ?9@Q$KV~ zk}2RfbVyJ^Z#s`k9!7E4B&0>E;OOudcI1cQ=HcVV>c+-ZkS^J*%rwnR4OpZLuu1>@ zsHW^>6%@qm?D(O{g}5))nQ-Ts#=SsEgiaIbRbU{F8U!JB$~N>hu8Mdl#)`(ub2-eL zL`a8LE=={$bY@MKvX%$&d3!OlWhvdcgD`GE=(N7TrnG6>wqB^~Zpq8Pts5j%k?=&2 z;7oGI@lSob?_t`Vze&`cE-H?dnR%nJvGK}*!q(3!W}?kRw`l9$;84szsIT{d-j)lOVCBFFf@E%PE<7aX`1upm3pP9YCncRFoGYSX zP&fq-3=Ft$R{QPnWm+$s9AO23b{M^7ANaiDwJHum&aG-3;^VU$K!iBbKpsO>zY2@v ztDTf3vc-5u@IF~dFNbtYitA8&;D4T*r$RW_$gIU~i9>PYb{QBTu zx|i>=GrzEKXt<=f_%5hqf{B9T&I$f~(N_IaeONTz{ryGa>{*u~_90wcWo6HYhV4#+bTF=UfUad_Y{WkJ>C;WLyhc5QeFQR|7+41&hlYSzCc1$H z{q4HD#>UccZb6~CXsQav4Ms0FRP`KA%k!-%KgP$a7*~H%fhhZyWzWm#@N*qFtZvwX zpp4?eeFv>RJq0H1zOL?5+@F?33WM8Os2AY_`WVM`^r$m>&^$VE@vlS{dT1OR9A5Dn zGmv)f+!+H$$^5(x338z)9v;-^!wjESj(c8ZSofMtSw+Xy9kvhi5C3kQv$7Y$MD)@jGP?)u=~f28w4?hl#x`GtS**tpIq11|i0$J? zTlP&>U!o@T#til&93(F6ItNhG4EgJ7uiaF2TL|jyP-u4s5XtJZH4r|QD)YJTtEFm@*DHOm5h$UZ$ ztWJ24X11H*3IW+S#X0lFJ%>&VlCBile8jny=gO7Y1yB;c;xlK)MZGAqn@u_GJa#4& zof{jtEQfBXIxX}vkB30G_??k5PX%IU9TckG)6*8SqpfI#k)0RZTwOsrWa)d*Pfko6 z=H&E(z7w$+1m0m5mM1b{qRFln|0Evt=Ctf9Mne~$49ZPD+IeSHQgl!{2b%v7Lw!sbafqpTB;62m-nT!Vc%aW<$rq zY2GJs@zSMjABVBPjLsg8mbLy-p8u5Q_m<0sr9LNYY;1m_7(DxmT>bh21f_@&)GOQ0 z#MY!5t3km-sIp-c`T5fX5>kR44KPruytQig3bIxC=)vYhmPd~sol;5P{eZYBKy3K# z!S)PZ+^HYZ*r2()*7eBXEEnngfj= zu)kPXsIFeUdh4WIM#||iW881xHlB1T%aJ4V9uDB-~%#Q)CFlnh5s#;7%4$N&hf8hVN(`n=EBj?%Znb2 zRd2rCu@V*KUQ+qiC@*i5mhrta|ET#|R=>QYJI93Sw=S^jt#@#2&Cvbxm;H*{o7WO< z?mytf-!VsHl=n4rF3YP=)+SHaoJd|Q3=lM2B>=_rcx!)%yY!z)wqb~=HaByivXVYRT~O%d zblSVQF7lqCW_t{0!Lb557x(Ws3{I`f&NifbvxcV9yzx#NZ#GVS#WPtjBUv3#a@+Ph zjYD(x66;^!W^CQ4lVMugyI=HKS)I!i6co9aCR2BGkAcBM?NxIRmmsaEn3SjFO3UjG zMa8hlRZ-FIfq^^5EJFw|2wt!e`~s_$WMiu1k`>Hht5qc>PsuC8Y9tKA2F-Bi)7=YM zoG4U~!#H)SUvHdg@QuPG-Lt0@lUz1$2z~1RC&buxvQGKLi4zd@r;4?|T_FVNP$j2Z zjXnc42460u8$6%KKm>C^!4H#KOJ&XG8lHfbkYmiuUN2s}rexy#(e6=d?}JBIAxTFj zBjv0R>*~Ba6rg^RMxFF zQ-#?K4#4);oE38W!qUiK%XjYGTZkNh!T>E(@6b>W`DjD4cKF^7pFO+V-hRo-{fhe38G6Y909r)e10N)5KeExGem+}L?W1fkDI7-Muq?s{EI1UYT4xw(*wZ}utX)psy)T1hR?^> zcimkhBX@ide18yupy5(`w|!!ERtxr;w2X{lY9E435f{(H7a^I`(bG>%PIklGNIHa| z@6V2zy~;r+qda3TZ49td)fv>)LdW7(m7 z|Jg4>QOI$FpFS#E?F!cN=%^bCci4p7LOx52i-VwRhARQI%S9qq|9Shogc0>V2utHgBp$3g0>;dSo;g^#lB=evM-p9oBz-Wn$ zF;&76YBDn0xBuQ^DFS8y%M8Sen3NQ~P`bq5 zv;Yz4@j~*duC7j$03wuSE~ulSN@*ZDOxIi`&TDnq7M2>KCyE~IQ1O+$-6_~R=rf)o z-i>7cU5&E1&qHVy^0HI+Amlrxl;R2)yM6}@G+08orcBJt31o^B1~D|J8Z)B2__b>= zGE}R#)R!HHjV<^dI#MiO3pd|@dt)6bhle~9upK)W~_s~WqxIx>>(OPSWsZP zIRnQc^7>O37g87C$sI+-xAM{PDJje_13i5BONYahB+#VPHH<1be0ZcYM~%`>Yn*u@ z)ub9W+XYP`)zj3hW<4kLhrQ(JoPJ@sLH}1?v0hQ94u<73WbsILG0Sd#Q09=qh_-B#y z)v+<*x0?U8K_M?RI=&7?2z&=V z{FIUs0Z+?U2VTm)FJP~+;a1Md%GT{|0F=QvkZynNkneEgptqX<3UF_erFjnY0-|BV zF+1kcUuOTzZEFhxAbf50svfI|os*N37>)sFy-~tQ?2^yRq!X8wUN9x>gy9YQ_mlOw zs?$_pC+Upsqz2%vC{!uWd5@rS`u_b1BVtnKS8EV~Of1qNOotA2x$_R6^+N@KB#B%> z6pb)U!f5Dvkb5&CGq@X>-M?yUYhy6N7Z@|&fB4XivXq!cAtI7v*C{724+Cl*oGAe@ zN^KO_L342`pDhM=J$q{cyDg@Wn3|ZpPaR9Dhkx%5+^}%H0rn(5V?v12EZvj%5pXHgg2pxmMIz1}dy#f{~5 z3|XzK>+ZF)kph)c}m_yX3U8BT7zlGohq zk0Am)3aM!n08(DrPm##u)YQ}%-tO$PTIKtN zSLg3DIL+UCJ=^sjm6yXpuiyDmE_vugBvHMVR8_$i&Id9P1S*5w%uoTi5I)DnvjiJ~ z>nu23eQ747-ZT}7pyFMGs=VURK>YYtw#4bIIp5_!);pK&+1+vDW%gY51x>|WYTCC{ zRAQl%ImsXVv11xbDm*PMts@C8oN%-vYU~K;;9#ARex?6)-JlP`*$LR5W+He~#`YiK z;*v$|m%)=ec7x+VVRM3!ylfh+zUS>x^k17=+4}nXS)aW<4mZ9m;rGKQUN5PvG`jH- z(oo>F#VTB!XC59Npj%tC3^$u5HuhYL(!K2?YZ~cm#pt79sCh-kl*1||Wuq@E+Xi}HUVgdoPA}au3p<^5E&Ns!*F;I{6pgK-e6~-dF`Wd#|;hIIr0%v6|x=pfCf;S zL#z1}ZJU;W8;=Hd$fu6@;r0$W@^EnITD0okyZ0ui_Sa;Oor{Q^Ly{S-I1*m}fLAG$ zj6|Wf_HWi_14yA0-`Xs!wPl}OzkY5%jq{TXCEBYj4|S+9G2s*qixd-54mfg|4ihH+ zV0etD+@+h-6j0lvGO{L6ojzv7q>^_H0v3alYd&zGVZ{2L(%%_5L%QG{Z?kaaySlpx z3|qsDR{C7Dj_h)Jvi&Yy4UNkW;@E+cN86MB#L414V+Q{t>Gu~8w`1dQy%?y%^sq~7 z?;Y>~8z>pVLm}#c#ko;)=^|nz)NiIadX~Fz@=m^SPx2x+Bi*4 z`^B@M5d-BS(%!w=P{Tp@%-wPRu$_$V#OEfLmLAr)-*qvH>o{K4L8 zO+NN#k&-X;x;<{&K0lwkhR|yBv5H4)sjcq4*d_#N^A#E5JjWEk86tOf&MrZ4m%}#- z41TNl$3VX0^^N;G)PXBt8C9n6VQ|pZt3`GKGO%$H@gA`pGgAx_vSIWGEjLXD=vp3D zqpUxK(I)8r{qgITA>SxW69T!2u)+NvxVt@6G>mv^&PL;hzy)I0uAO=BI&Y}}e=j_; zgo;W@NeK>C!1!alynfD9)I5q2>FEJP6##T%im-H&-!5hEzxB=f*$+VvZ5Cw6f!Z%$?YZAzpXATdrSAA zu9+c&(Liw8g@E*Vle=*?0~Y**1=G)O zA3BP#JArJ*PM_PUbusA~lV|F0zx~#QoPzRf{U`kMgTC9U|+lkRtd#HW>(fFYHHs3^VbL-L+`q+Egy0WQ zg@q`Z&S(_x0LwDH={q=M4j!ID_^;oO%CblW!F%tCQjs3V1cHq+B|>pVPy5N~&>g1_ zi}jo)%(iGD5#)te7%V87$D8q)U^i zRiTbFO(1bt^wDAa6-Lo%zf$9WqHi%mqQdK#_?>r@*aG9m0q?plofTtgzW=328zfwKC6~oPs1grstKZP>x z0JxG*_wtBgO(-@&$nQFEKn%Vkl%WJG7fM-vLeRX1EoTLVga|AFu`YHd#tVN1JN;d)jG}Sk`QNr zB`bk>2gu;0|M&Gm5Gs3E>?_duK&u1(q^HEvwH%grq(h?5D=MM__Y89}%9H%s+DSaU z!8O(jQWO}jDdk+@r^WAC8R=|Ax&0SKLWe;mFNaDOrs&@f~@ReKRmYY z|4}WV#4bkE51_#sn!UH&v{3V_|Zxinr~9r{1R5_x5z_C?eIa z9Xq}NMBa$HMN9}l4G;2#Xgm-%-N?v@PSEDXmVIm{J;gg$=Zi$lz=22wo%;$nKG2yX z0wNom{I0rsF1EKn$9>|u4R(d^$vs10=Axn}DDQ|dH^xp=v?Lq;s`Ge=!=xBGUSj9Zf1x*S{2Yu$u{sq>!M?l*%BReaU3=tP{7mKk2B6-z@7`Tz zXg_i=S+i`fR%K8L)(bRnI7TAnU{NE;BN(UXwG+pKSr6!ndti(f4#R$5*uL&D)Z$0Z zoOuBbX!n)xhz!JVAzX*`KUbH=(X$VukP$yn&~b2cA47~n4+HPREGG z(GAPkf2bUYX4iH`VTo(ku3csOuw$dQ>^iqkn7x$ya1%yy4OI0>Vy(Q-a&0>ZMeaT1 z3B+b9YHI2g3rsg5W_RIp*WuD{42{A)*be-Q8Vw9a9%i@|V+}M8WZo}y#T2tpSmp+e zt#-VXx^ZI%b~`b?1zC#};y9}Sb{CGEa!o9CU@6PT{axm!Q$L_)7#vdBI&MSp_bR2#@Q6<+`Y>T0!m8G zrF%M#cjtMC^do+BPP(G`y z-_*wQduE;W#kMjDNr_gGr_(0Z_d9EJ);kp5uPeTjRk+*N$K(w2Mr!L+9(SqVY8Z(7 zhThXPWH0vY`6K8k(bE$~><#}lWRKSU8*tp<0Dk*9Ltxshz`bjPzx7kW?yG;|Wr=@n z=<@@r8!=b4uMHU0*%F%_&nz8CCXoBe((LERA8X@W)6|mrpC)}elS6BogxL&7%j>oN z4$$k+6G%8rm- zR-A;7p#1lN{o4x)cXbW77Vcc@5V#1S9m0u^N{slmEkx5BOm+qTcS@mJ?U@Y%wbX+!p@acDZ4vg@BU_{b*;qTwvH;U`8L;oM@08%df z_z)9ga3&Tl*$qc_=4_;IrtYxqr$>*l`X9dwI&b3xKyEy{1H&*dTa556k%&Q~s;a7h zMTmgJ2KeW0x<<*awFdl_E=Ml!%A+l9GBfcWS?VfLVkhzGDJqH0lldwUm`FaVZB zAkQ|GBn-AaJF^%1Xh}}c(4+7A7jX?lumOWPMDN}`gn6Z#!P3185C1+qEDlZ$A4xE< z2<0RQTl3H%kMdYR1@R=C7*6?T`yM@p31WgFpe9IpVm#FJgd<2&aJpeNIyRVS2-b&F zXW{aao~{T9GhmWeI~T#{z5}bJO0iiQO*L+%-pj69jhE}&EE$9g>T%_+xmN9WQcrfjefn$QJoehs8AuYk|?^7Rcr{_HJu zN~{=ka{bmVpPTaX5s)xQ9pF%Z`1bg-1avzJP{TfTcbA87$_K>HaeQSIUNZYpxQ%!T zmrMrDTTM-LRzv?zIq2`Lr?%pCs@-2)Y{RnD`6@!Ovbl44_#=yYK3z$y18`AA#0s=}4 zV19R>UjX`yMVcNGAw&If{mPX`yLRq;Qywa!21^t)*O>{rb<6}evM^D^xaT}n3e|pm z76UJC-nj7^asLE(9(k~gK4i*L=i)b%3t_~+Vsg%PRn?Hmk;JN#Afq|vJ4KU1U(PzC zWpM&Y{j}E8=&^NMkUNy~dx}m7}0V6kAF|O+tz!3i=3sLOH9^<?TnhofQ|BbS)A#dNj`C_a*&Fm;C%+0Ch3nf{L;kF+AYNKPepk zf#kqPM`UIaxqqb-Se5oPBORRt4wM+th-#K-+AWT6-m+z;mkf#))4qHJ3c2*^k7IGE z8n@u4tJ$qizJKSZYWEZ)_cpqTUcy9N_&{OX2 zAnLgPfUo_6#ugeeC`@e8djPb^D<}xB;d+9_atiYlBSY+-b$6>HL;m&!OxtxtH~_{P z4=#gB`bG#f2*Q+3z{(YSdpm<*F)oC^pe-i}6f=-ag3W|F0lc#*tM);`!9*_rECY5( z=v78XA1pCWw27RZyzy9Ku)bFiPtm@pW%*dK2N@m-ndk*ztD#i&#$<+i@v{Y4;o&QX zfEjT)fW6n(3tvEBdVOI4@nD7{DO&oW*KaWNY8oiZ_2W>qD0h}`9AQ2<>w58;SGP@ zP72GtElwW6v9T9=HyiJs_+G>~)l&A|@Sqy~6&Yy0-(m(YA+(qu!z~0?lGUN9c4_yX zJuetGca|*$9MRvUnD{3y(DPfkpw>347 zfdY>Ga49Jcp$oH*z$Jf5O*KwfZJj}rYQ6Ik_(hjK{eOr!)a-TESmF4uVj8Amrq4Sp z>TaI&9ZK;tgmp^@A~d-bq=?fewT+BE=E!`P$MQ^-tOhh~d^hqIUysv?poTYbT{-Q0&gJV7^`(IOeh&VYA>@Wd= z0>aw8uVKYOWc*PT@HVhqZs7iYVQbjojy2W@=kQ+WvJvFtZKt%L*8;hL zrWD#v0%t!GU1M~q(bop6N>E#;?o_|wIB+qt&eGzyT+;s*9GF$ZC5+XL%~%WN7EzCP zcXyLuN@3s6Z*lyf8zJR{jFN=Jncvz<3#{GeDGcvmVFna zz!!N$mPQioHVt8fy0nG{WRk~lHQv z(kJkE2-`I}X9XeI#puiWVMg$#vxZAwy9=HZZE#GO>xF2~kn$_WN!2(I{(zVKb|V7L zWd!Iumh<{cm)Wn6czwdhvy5-}zs$caCl^itq;)<7@`6B99s^W~CKGgaYdG)Ovzr9Y z!?r#_fG@n%7^fD8`D@2fYF}4S@aM#+SmGo%C=GA9zZf>Y@eNhbmdIK#tU!s{bF*kRcIIJLymOsF$;X=&h6}>-)eWP#1no>}vIL>G8%bPGp zL{?wS{T2)N=rgnLxgO7gKqdaEOJ#yY6oR7!Y#PW3fSU;>7_-P^Aecv|4J|iB2%-TehPBTFywA7zwVmk(!|#_Ya1?t<=KvhtPyuoK}<2ZO~O%v-aQv{ZXQ#v;9dkK+twlFBNTxJT4Gg5~0FEP0HqyQUaq%FE!B= z(rI?WY*2zCYt)rU?Xc6=Du3k(g)VcGinR(P9w8XW+y5zVdl~k8sCktTFL14a0_9`I zSgB=`iXY}vIF;IFCO(!v{E^PQoZ|qm zkurKSUSL86;C0m~6BfWI&7mq(R%)6-+qP{RME~Z)2c9L~Yw@1Gs#Kt=bvv_H_($y> z<2H~|wjP<>;53^UO2~fv`OLMTVe=PR8I&dnv^s=|`i2IgzQb<0mObekr-5T=w(SqT zZQuV1z_W9{kax0|oy>>t;p=*^!HbDJbDQjoek~VprbYI2ID0tA`U6m=*?Cx_$*z!Q za!=HCzo!Re&Ih>lZh6fK7n>E)TWesl=jR?TakJb_EE*Wsd7AOXxv{h#oWSmav)}G3 zBxs0%R|{3KYCZ-^&(5X87gf5}< zl~s#wB;2IL145)QmJXb&H}0rWR+VRkv16PwSjKaB$;ei14C{qg`+uimC`Q|d>+Y8a zBe=Z_D0OoR9fM7BH`(H;C{u364q?5fZkmYcgb#C}YyGushum1<(Op-gr_X&g&u@@3rtehVG&9RB)o zSv<+f$zon%?))b)Zo3>Ba8HCKI@=ykbj)lpSo5~B>6L@Dw8S|~4>z#`rB*3u2Pe0f zu1rUYRLI>{@ddHa=W^8jTBOwQti_R(t;6>8be8ope8hdg!5JX`d`2=%)Zy+NPfr={ zLT|q^zK9`^AmkH6xJa5OwJHL#a5tCYnhIqZ9R)3ywzIeNy=Bb_olp}36>D|6#pr9s z7W0{RVtnJ}Ts(vG9jRu$r9{87*{ao0Rz)SNG=aCn<|xiULQ}KXZj=l`n68nL6llyw z{UvHe=tv>&OswE(O$z9Qy$yTPq30;0E;kvGbFe0?$j&V%J6jli=)w8JY6o+mG(pl6 z!8x-DZ&Z3bleHc5-@UFp-y4p4TfdzW@X;AJ+|A06^y$Mk-FJT4IbIMZX-|pFev&P6 zSNK+agU)l?^Mj4UV!XrAs5c!Of9e$Cx*DXmThS&_5d4j+XBq1)x8+pfF*-?hj6aqT zijzBv6q_h%FmU}=EMkt!Sl`%~()L|7kXwan{jR%Z@+xv!3rEeGzB*5SIVx*j?G#pP zORv_goTek=G&8KGjTd+(21um&GjQeviX5S)<333(8Te9QJcAq@`lvnXe$fcO&5iBL zq10|9QgsTC{bk|-8B`4oy|2^LD;#x5B%WQNl^aQ~U%CA9*N<=V^q!;oLiYPecV)kI zQ8#9;RDP(E>bN;FAMasQ^J4>P-aPs1&gM6lmfSepCEq3_sOaenFK_W!M>?MPb?4^_ zy^zNV$8;1EnAkJVu^xTwm=OD9J?T?JvtB1nb9M@kr1;CEnKL9(%5^2f%XneX?!fXa8_G8?oRv>;tcw=GhaQv^1M+uP>Nna3+HLp^nXHm80YZ`%uG+B4E3D;8*^ zg@7{^LhX1Nf6s2zM1$tr@uDY|6RRTQAf8Il!=C~_7y=$f0D@^ts&Ob3M`(&_!FBW* zo>gLpHELGxh1vL~ib}B4$|6kX-xVfBq<>e0SQ?X1KEf_6`Y{ix_lHdTiSOv1Rh)0-)#KW`m^F~I8 zh540GY|&Px5+XnmR~ttNbBLVNOthLNxKwG3{vN}Vzbr677}`okd0WbD#Mr5P8tEP+ z{4&T8%#b%UVS|F^X+hENg3^8t^~=J@jM})EgMcSxDg}^}^aPn#mO%SJJhDU^Ew9hR zA2TLv#o2qCwL>ee>{IbU=TQr%2F0s^(?XeA%7j1ZQ@r79+S zq&ZS^^{9uS7p_GlC;{Ty!yZ%LW?DqQ21fwvAh+d|l$0crXc-TZmg)~vD_oor046@v z2}HgoG6d*1r5~I+TR@cYE&}Tgu;8FecZ{9 zi3r(>e#c7C5>=EGHpq)eLBxjc;1uMgc4N2^Pz@Xr<3zau%_s*TO%=e5IXK_`7nin| zfU!)dlM?8KBc=kMfN>eqZDwVs(crV74c$bd4Rld<6KDI(1hq*iR*Dzab`QwiO2~CM zZGLvuH#POQnO9W+i?8h}0=7X^nD`%M^U~}b$cwchynts%8+pha_olay*0`Jie~p?Y z_STp5_4E`Yump_EDSGo;WR;Wx0|EljHfJG_;X*((>&LVss7wfb9oQbf)s?0Gn8eEK zUV`&o&cqI_1I;s%+@wnE`veF-l6!SYpElh>O=aKfE-7Cg(vtsU-@5f6Mn#FCT|?o9fQz)X*VwC^j^Xes z`^eH72(O8s-n=s-&^?HiwUnFb^C(uKqAuOwAyIK*$?bZ-R4_8bqvv~jZ|AI9TG0#Y(0FVoJ)oAA zll#1Ibn=T#*kpB*?&qoOrKSaiZ^8UlR9brj>4pSy(w{#JqTP#UlerCrejz=Gt=&le)HiC~XY6WfuuH&cBur^~oRMPnVUq4*|&2O={(1O`ops@f|+=O|Ii1$ zwLj4UBL3w2Pk-w_|IGjCSN}hKP-|DlbNguPb3nDyHN5uU^W&6_^&8?Q1`$85HL(R> zVIq-wFXKnS|KcAXcr2(A)od;AyKW#o5IIU~!D3eA;b?K+4gXo8asO=F#`dRe7qH@% zuS|yg9i{&Fob~_tl)pg#|G5zV{)LcBo*|JQxcxBRp2aUM!jl;Lq$Xl^x%`1d`uMc` z)MLxQYSFM}GeHFr)39;b%j>_$YiTM`zjnJ7quCr1+I+%(T)-sJO;dcL{yw|rVpw1w z`4o1Ofo9`gOjVifu)Zs`*!U`ip-{{EM>w@Xg3I*(?E=5+W;Z(+5YUp7Y5a?Uk*eo{ zFE5C27>`$eZc|2qL%AIJ-G5gg& zaJ(D>TgTcHD!gZC>cVdK%MUv`#EnjAtmN0zXJ0jPTvoD8a8i#R{O;e`ZqPq-Z>UqR z_)+BQsXTj!qoK4mM#8*ZLCXWrs4xYB;`C@KA-rOt?Sc8^BS$vFjk zo3&_FR(q^$YG&L)Sd6oGvGbkn!m}W=jyJKh)-57*AqCsSIcGYw>ps3c;vv1_G1A%} z^HR6`W503Zl#;imc%b>@&L%C>Jg+uN?jz#VoouS27MkosO2!$SvNf}G=R^WO1e9jZ zmI~O8mG~+3#VJpy>V#O9OX?~oEeg0&Q`GG$DJ|0Gi@#p&nMiedp&O?f;<$a@CfmL+ zR#!Fq2y4LY9v}0fp3aVCr?RsXDc(wjsmFGDlFqXxk4EDOf}Vv1;)w>j=BoCZPEzN( zJ}g^wA3Z%B3^CY|M zYL;flv%WnFwP`V$is>2)T0%M8pD8IU2^J-j%4Y}Xr$_3z#S*5B9H$aHmsNz#yNpf` zw_DX2n~%(=y9znkIIRNOkN)sp+J0?LHQ20KAvJb(zh9{B)ojOxn&$COLO1c{trj0D z{Fv!p&{BG*Z^>u*X^x(34gZjyplL^5eW_JOw}(`%wUQ%OUAr}uVxeX}p$guI!GLbAyx zPkNEl2UcH>itwrTw@rTIRf;hGC~P+s(sgioFp6@${k#3U^awMz;qs6P(FhTKuKVr> zU&a@WdM_E-a?TiYC*jMYN(*@DL!;(|1MQt=ZK4f3UvY^{bsFjHc^5rZEL7E#kZ7du zFPs*7nt(j=6S3?RbK%q}zR$gjQ3uZ0WJqL=_AHN5G9?^y{i(EipZPA3Z;N<^i@)rT zDq7`In{O#*8o$!0AD8J(Qzd*{%xt>TwLCN=Ao$UigG#emCSSWHD5?IZ>ln!twLr=* zx5FHt1jvs&DhCUYm+x%n)6+>eY&{_`mY^ccpra#j>TeJ)}=keK`#;^jE)kC{Iz(^%Z#p zdB&?9^kh`EP;(cYNYuTp;E9cYPV8pu8-DI&xdW4f^pkBlRh81r!a>HWwzq_Z>`d&Y z$GnU~=YPmAISwv-{=6I`(9-SGsQ2ytg@v!FWKZuLN1bTtcX7&}IiVudRm?nVP3f7i z7_Q+^6Brp{DrsvT?@6I02j&Qee{9GWwyz%Jo1IP%a%}6d7^)Q(t2JzuI*@cVXSvU> zs;`>eA-!R7objlbRkQh$E8n7Q;N&gd&DO*g7nb8ao)f&3Mdwr=c~eE!|H7rka5ah{ z*6aP*7VCbC(HahKwk6Gv^GgC|1)ZIq&so~M3by!ZEQ>IBGA%54IQbE~xWUK!CPn_z z>dyi3*jY6!*kt+-N)gFf4w-!0mPTG1v_^^(+jO!|e~T9rS19@P)onRUIksJ&1s&$5 z>l@|!Ger1>Y1qykA^zW)wJ=}45@$WxW2_aEkdq@c_mem$b_vS(OIsGl;TOtIja6KT zDz%voR|593SBOx$-UOL+Q4{~|MFgNzYK?82St250;Eh(6Q@W&>NY$mXIgTf!g=Rzf z<^tIJmWSQNyiNsmzA_FrG0(Q`^;9^QgA-lRj5gdz?hacR_MQ_rd@^)OSNUZWWl{p0 zKCVr8p+;_&GPq(@5*DXYGikn}w2jZC-<)SuEY^9pwZ3PlRjP8X>N8i-h`nuJPWuaw z=>eZGX$Jo)hD>|+PD&}A<7Dv&kHr)DR=1^6;m^Z;o#A6YrIP~GaM{I;gb%B=%_Y3F zJxYDROPp+W(P(~b!$QUnC!d}y>L1HLs6BKSNEIR~4&>FrZi*xI;Lim&ANThG)R{N@>r>5_7@eT>6GFEeqSE>d5I)19< z{Zjj_f0IvN#5qm94w{bT7|sm!WxXA-8vEGcopwL9nyt`jqdQ(!qbF;f0s|ziTxr=I z58*=fin>)0G;m?T^LEsEjUzeQ+0BiYbchMOfoBhSYXnLq2U<`91LlaDvE{R1JWSVk~1ztDOPf@;gQ?c$Hd>Ca8p}Mn!$Bq)@%6^AA2B T@bx5Au19Q61wCkQ6(g#f1<$O^5@UM zCt=tD%1B7$NRpx-R6J7l7Ti5lRPVcwFJfi94k;eJB0p6S*=j=l{yjK^6b94x)!=W`kG`DhJ>HIW8J#ofy}NtK-uFY~+t(-SH(qH1nC#96O`D7S z?LHgx&V#C^CMI+Q1e!l^1KQf&e8m!ZPVx0p(A}MToDTQ%=ld-eHw$cR<>#385$Wmj z(o?eFYb+6+?(zy}UT>}_Cfzp0hK2@7KODq;Sn7W_H~kv|`JV=e<>~6AXx9t<`|&Df zTW4otFdTK9QTHX{{^!TtloU$;HZ?6HlKt;POB26-`u96Sc9f`pZ)-Dq^(Nro?*`tA zqW=3`vgG&wJc%m?i}v5n+ED+ep;b&K3X0E_m6i1I{O$+D=0j<=(Y98}CXD|!l_{3O z;s>`q>HcgLtV+kpiEU(L1Rw3$Mt|bRi-QHCss*BEs!(?jo44PkB z4Kgw_zie$;L`O$k#lkQm*Vota!^FW?qg$_g#A`(9g4?z!H$B&*N?viDnfEuf5izGwtcyanL3c;eVPj zqOuRQRD4R*EclyWzT{EH!o8dZh>q@tz*M;j7lJX554JVVO)??ex;-J1gsq;SS&^;GuBLr9E z`H0Wn{{Dzn6&PG3>Bz=LF*qDaQx-O1WN*KeXUknrRbJlqXQZhoJFVv*gP}=}^061i zR=VgYew=vaMVFo9(v2<4+8YZeL8^XF{`9>2n-w6;zBy>RH}CP!N7JzynWRuNjD0DS zD}L77`m5}mvoQ;nGUGKAa0g1?QV<1qMQK4}Pyf$_pxd?ehku5f^tFBN7I+e32j=99 zHk#^|qJ5|zizy~G7AHsxCU@qBa2+p|TqtO%jQri@PV6UMO#S1Gc{@k<{-4;mEzJre z8qDx3{@vzjG0n1O&7HT1`99RDu^VXgJaKSwsT6Sc3^B2NG}_ww+4E#$Wirm+F(^gID^1N7Qal|!JqgCNtRtJ{^YWu5RNoJEyexe^Yi?*WZMW|4^I8=LKb)Uxz zD9?{O78fy)Aa$R|0*92XwOK@Cql{3FC-D$T4bFo@dB5SlIyMTxWvBb0!+PaQn;od3fnzHSi_EXaF z&%@#OQ;l-6Jv6^lH}M{xX8qh5ZOnW}JfHZxt;M%J@>nJDwe7I$j_NZ_}% z?Om*<3c4EdHBuupneMO? zxLzIj>V{TYZ?ez{L*M5^URmn(kG+%;5rHULTlq#2(aFZXj$8Y?<2TrB7+6}~_Px37 zsKx6cTpVV$yv5|x@bJ{-Tua)4Q!S}BR#)^Bzy6nxO=V-23i&E7q0cw`4@o6*lqNiB z8?HSp_c?g#w|3ByKo^xXK93l5^mIP*mS}jkuMC;1sH%StLQ;Ti3LZbG&rsNr+C3i!%#fLF#_Ct^=Ud(ceLh zPO$DpLJ32Qq6%2wTTsI#PuF*%(eOqkGnVT@+FSUZtZmC1W6{5)lV_Tn`hZs`#uCvbFy!;TXGG9 zpX1@1F-{)FgLHc&dp~&H8IadrU0JNi3mlDG7(IB$p7hiqH9qXQBmN>jBmKdibh)!njTkG5$>-N-&K$g9YgVXP* z4Mr>z>i8f%#3XBq>bbr2{XnXANRrwV|2eAxi6c)gI5W~yD7{veX8O8a5u=OhABUU% z&uAn|sd|rRwMB}5j&?v>76v;flO(@-*)9FB-otHYxSTiGc(Yf7k4}By;ebVhnPz+j z=Rp#gy>gn$YRBizM_#<2+|3^+;&o(+JJUa0?=HD`G;Hm_FTOMzLt)(T5^L2{R=XAi z5l7MN7n7=A7?H!@vGU)cZYr105P8QBHi>M#o{0zewI!U1P1b_j-kKWZvh&ht0&bkg z@v`Cm9rNIAo0TqD#Zwjog=$I~t-TROn#Y6BV4E!DYE4bNh;xy+3(P1$+l766Q%j3NFrf(_S@UFLs;qpfRJ0YPR0h)8p zU41lcfAxnKS4bzbuf8#ogsbibLrTBx7;;py<{x3btJYV4nJ)$;_}?)X{XI^wvm53b zdsVIphx4r($*pehw|%vQ{OMsZ0%N1b9I;j>=FYNxaPRs|G7i<}@x0{}RU`n=6R2{+ z$#R7;7&V&a&j(z{1Y(Mx_~Ke`PNuZljH{~B_l)*w8a(!Lf@D%T$4621_EU2wHSS4x zvjrW_HXp1kIILz}F-(Sk4DQXj#m9bS5b)6{`p4By?WMQz&~SB@aFqY7aW3o{pKK|) z_qZuvZI?eiw%yygh05)YHO+IEtBp_n&SNxzXu9+q=|%eGvpm#@4-|Tc#%C2rG)eB)C?BCw$kSa{D86TR=tyP_xMgxv1R-#cIvA%BF$oGZ?WS2Z}#=8u%P`A&;laR(PP$6=c#B z?)YQno8_H@@9l?7cUJqAq3MKTe={(A>MgLl&vW25rz9?0lc?O7G)$&=6M5#2zP!85 z^PR=Axdh(c%mBh&%ml_|KPBtV98ecmU*OYu3 z=tgzCLL^)Uz0n+8i20aHN+Ccb7?*sw(+3ve&x>WZeh)JS(#1iK>slopg+WaHeQKtS zxAIM{^f3oJ5wKiJvkDRTHky!5Z5jZ`+>bSCqNnIZoLB`abhB6ai zybiqY?-tDtJS@LWcvaFy_M~_B4o%kEM zq-3+AQ`=&R@%!hj`tiIWTTBd-j%?DeU$0k*mKXC*pqv5_oo(&{?Bo{Vw$@rvz6%T6 zD^@eMBwpvef4pnb3}>@GqM)2*k(YFo?`3;mv#k`rn{`JO$(nGmfjUiG&AY|RE|IN% zjvV3P+2w(p5~nlY2mGPf_k^GIfFviLrKqe{Xx={ixbY4O(|i~ZG85pe79V~s^4t+p zV2dSNH7jn*J*mo_{MQ7h+`7*)MQ1OFc%D=OkHo4fxO)FCh;Z`rnzu5q>)Qb~Fo61; z!8ezSDhFOR_%(~%SPyDxJaw~UKeg#Wv)>Yj!a;MIQE7rL9e}f#cd;Ae^ELAyEDqLs z@r`;Lc&GWSsfo+f!~IZWMr1S{Ra=noxRH~89k3G05HBQm42I?YxE{v3j@UEV_Rp&t z!{RM{JVr_?rPD7dM9w{i|{$Sg9eC&?=yKgEWgKN>_ zreVUORSBjFCL3$G7h4@uf;h$H@@XCRc-ISc%x*$M8AY7vAv3I-C1W(wseo?1B+&#t z)s^)A&lf022 zF=b_Eq%@V812Ai9_{YybCY%-%ZFMR6VaQ4DggLHsH5FYzz>xML!Y7@qc~;iZ_sah6 z#cr{(kq;keP-^_h!Aw9f9%DgkWvj4#VJ^`SyZ+?p%Q0ZIL30jYR==>pyabMS25y&# zlo6<2H0zZ$nOA&$tIx=v`pquNc6&A#-P>rbr#{l&vnabX1u{2;H0nQ`YSoTD)(ng`861QIj3iYOD zEw}Jr%0xW+*+EwKJ11qe0MB<$)*i|Yt0N$Cz9*t&nGX4!#jkybuZ$Dm+%vPcl=l0( zY#pBq;X>`CC4zJ{K`Bp*j(1o)B8s zr)yp4OB`p{)R7tJw24M2?Wv0EU&s0O*XdpL1${G}Pfg<|BbQmodZkZwWSUGo7ux#> zmfpLc-#UFuJ{;)i8$$PQeJ^Rq3l^Nig_D(nwSkx?)p}0c<z|VIhirxwq z(QSn_HQ@mWv`HMEpS1P8zBdzsK%G-fQx}Mb6Sx@+06zx|Remn~eqP9!#XLOS9KmvL z?_S>Dtm|cd3mB__?#mvV#mu~7gZwjZMY6ZLx8oO)PGl~ht*ob|Xs=+Ge{#57Na^&+ zdlGUm*lcUQEu6_dSd2kDld3Zj@VDos$Mv}2P3w9}%Kq`0`&$3Xi>*m z==^Ey?(!B*Lr{BJl5tIXohiQ73Z?S97Y`z7LT2iVx1k$D>GE^cwk2M3T!EhexsdKP zJDe=Qx;h)R^=Wd^PF=sS<(IC}vsKKW$m6s^i=*z-@l?+ou^P4*-#Y6OU$`C|)RWfO ze2;|DLFF*E4=Lus&rQ0n@p|0vWk;;*Ra4B4)KJe~J)LT-LKjEHq8h6{dDE${sMT|z zzbYx;XMEsY!@4rqTem3|VW^6P zTUUzF>H_2#^VH;G(xd*|@}sDVhJP*|Tk-%tovei`VWk$jRzty19Iz}f2T6{8?ha{&5^DHiXHmWpTnGQKbnmkB06 z?=~)cFeAGVWPRm+nDnzt!P4l0ITrw}$#Ndk7V#c~Ka~JPcZ<7l%+)jG16VV#rJY3L z^bca1RBn9TT75fb&z#s%0j&`O3?lwBHb{TV3S?fG7E>8m`6C4=X!)q*;e&i$=P%mV z=r;Kn{xBLIRX0xfkN?=c`rzo9`bthOyE1RSKn_rgt}6khA(N4M zf3kx#xwGb6E%KoV9hw729IkI0^T#vgHTV`CgCFw>E^brw<` zT;1R1RpBLW!cifp_I(!d}`Ah^7 zenO~JPNqal={MP9_}oR+Orf7r6^1HhO9!VGCrN$v8!HbU)+OTXDZg_x;<3(AE!9Zv zwi0c*(F&;dygx{Rj1v|>q%8djY ze0e*+O&}kix|PkN=NIz@xLb?;jXW>BGr=pGyJ5AQeGm`L?JzHgw`+`!!E22-3>tS5 zvB(NG&~4!-OYaGbk_H7uz7vlELTQ6saBxV<$+G6ZDy`?~ z5sohIsLEz&zvrfKk!eVDZz@+3$im_25$?-)%OB>#ACk`tfG4=EUP|ws zm3L!xurW`A*wYow>KO*(sj8+6_|>A*z^;#Q{R9p z0oE_hLA(rlrQx#HnC$20dM3Ge8ufaiAlZTO>}Zu#Km2+|7*=mN)Di}4KLU6Iti4Z2@>pMST0#Hd&<2J;P;- z8YOm>vlmu${pFCmaO2NZ-^`5l_bnoEkZAYrsnR->w@-;if;3O;+Dteq36z8iXSu4Ww21VbH&i= zlGzS(_ao|CyiEjh!n&V*1{kT-u@pgK0^EcCrG9HQZaCg4Z}7A~(3*ra z2fC&omNg394}Q95^M04s%p{7w{m1{L3x2pIE6{xMQ5r#Qe4x8-4t0KNX`!{eUoe+0 zgCdrK!HlLgxAVUmT})uD5no-l7|Og_dU>wsm3O#MaTb8<&68D%l?@{ zuhx@CQAI)AGrxJ#6;F?jijy@Y7%tTaS$K|i+_pFpemnmv^cgnkA`^PEI=hPQMnhzh z^nK1NoQf|MFhQaFgUhF$4vNaW$$evWe12}BJ5V6msBTYFU=mnyQTc5F#KeY9N`EGq}=HUv4v z%-oUC{On2FcflfhZmgD)Gb*vFnM(N%7cQBy-cXo=f~MiyV;8=wy3UrWXMEVNb^tnL zWX>y0Ko82*-hIpo3dyg-*+^Jj>cs{zApK4eC*X^8PBxX9qFN?$!FA;~pv>1dXP27` zf#(6NknHpp71u<402-1K@9E`z9t&Eb&F7cMDY%CG{(Fgr3YSu}9)D7EMp0UopbC7Y zca17in)#%7>JmDF)`RVqeOLB*(QT-~s8YarK8Cv%RjKML;=Gc}t~lyZt*zyU-!9#Y zIQ)oEP28EY;p5x(IB&}5;obej7xTG!-Y+Xg(02A_!V`n;Oq}W0-{@3LzYzl<{+EfC z#iOJhW zH*6qkbguarQKRGJ9j@~v4G0T`?)g8_YU~`^%P5=M0Ct?a;yk5 zG4&sMM!C=Kd9$AH;}0{q3%>$36`=^I^G#9M>#LI{31d`=%ZjEeXw_W6oT;B+GUJhY z9Z-*3;o6Z_%Wp9usw?Q**#D{T5f;|Vn~V*FGW=WZv%~-2C<%)EPiu=kL(Gx?U0yU+ z%clCTO68xmM(izj&1{xc`n* zvGo6M<21XmXyD?)VOB8%pYH4o@V&bp$(2tRFXE=B4;dX*YHMpF)b6CNu$|*NKUnA! zyqN#!;NZ|?8WJ3=QEfvYFLd=50|R3~rM-*S6aMz*;?Vs1bbFv$R!nia)bKGf1~Iv? zaQdUi&sdB)p8NRtBo$$VRhbWwR@*P>tzD@VX*nJ?UA!VAi)d*PPD@Ku*O^k+hlq)a zK6&}_WmPjNHnzXN|6@w=Pz#r)5;a3Z3W;#ypM{0}JDy?UA2$b6QBY7UtLt?dJ))Fz zBer;$u=?yegryO}|;iD^k*8q~4PuVQ42DJV68qQYxy1Z#g^Ih24eljQo2l+xin6icfqfSi3=OgXRXn-roe+^jY|Ho{r6sg^}d9ut82;#fz1A7?h?rzNR^V3 zQta_sH@)8kctm=+>#ka-3EMibi8mFql? zjj|@8jH+sCbixm}73Fpdd^wq!nK>}ZueGgIx!JUV7-Z^6O;oRzuQt=oN3$i7e#lV& zl1Xe^?F=EB$UK|1E}5{{wvcRaKit@xshD?Pf-vaT$0q3e0!Q{HzIc)>KJy)TQq1_c z%IezM_H-E~5-u*TOfpwk9KAaHe9m6~?AqDMX}Zco6w z&)D2NFeXOXe|NOr)!O%Zn}*MIN7U4msym!yZ96yJY^qpy-fOqWf`d>>TAG%gzI|b# zX>zDYuOzpy5RIFgd)(>_w=W?fL0Ly96b7RY4-Z#SQBhD*`T~PlhrvxvO=DwYmseMf zW|%8xWR#R%QBhHa60mOsukRKB3H-CR79VI<&^(@KUH6rZjjrWZ|02DizCPp0Le0yY zo3+EkA@D-)7#NWdpxN0>nK3de zE341ddO|!B%JTB^?|Ro=hDS~y-V3#B2I1G+W4YTSS%K@0wukAQ){{qnC?gzJ+Mary zZnggW7>IOv&~W%YG_*1$i-g}zW3s|#h7H`>uK#eYK0iOdHCsgw(81vT_6l@utj1m+ ztVCzkn|h0pH+}1NF+HLHl)yHQk2y+?OOT7G^mP4QC$ow~#CX1X^#zP)gwXXnF)^|D zskODWy2Iuh2WRIjar<1Qihgm%Zti!otD_O&5A{X#zbv z6EFg9JK}W6If0_0qRm`&7?`Z<^Zh;$>)TT$WC&OTz?8Nwkv(H$2D}`^xUicKjyKq* z%1LNw;OjQHQ2~H#Y!nc>J^HAltIN3QIQB~xY=?lKoOtf!=hlKA;j^2eNyjr#u(MYz z!kstz4S)MR`WhIBn1@osc8yAlmtdaTrlt~Djk_HF{&|Tb)@s0lg^m5OM6c=S;v!eQ zM9*fr^z-el&!X2Zq$(J?W*4EpN26%`el%|5(ET2+W<=ImQi*SaIP zcOODTz6&S3Mu{pbD=XBh3NC56Pcl!3#GCfTBh(=hKoyNDE3g=tX~3qM&ySH2Kqfu;&39J@)}HMAniD=H*qWuF#YOJLx$_ze#$fc35kVid$ic1{jw-@R_V zOAt_?p)(cch*tv$d$pAn!B9ek_KaFC<@xV2<8F;|6BO_?>fu3i;xRlY0oCT zA?uQ+uHl~_cLjxz0F*Z#wY``JPu*K=O7`t6B2p z#}vM00lgD||Di-9;tFNdu0~QltbyLHk-2P-2JFw(tnKZ|sHosHH#gfXHWFZBV#YJ+ zYMBeNv$JbfS;bB0>*(l&K|D?dxUZ&K?mI#3_4N0@6%a`I{{1-+>S3Ap!d zi(VmjHy2|$(s*jcI+mW0gZVlS50A*$*p4Jl>rbCPWq|!ppUpEIL&YfpFjG@gcfo5+ z`(CrLvjfNhu}4Qocew*AnXYrDIX^!K;5uCAY_8|M&k3Oadw4iC0|Q!|l$e$lq3vAt zdI)o~!D>g)-gKG&>8VRbfvFt;QZNdq!H}rF-d=#*c-l2~ROIBpM@O3s+n-^O3H5_v z9$LCT=N?QK##DiP8yy|>IH=qF!DUN`$E;UaBjA^sN3T4gP*fq_q4RMia275Tz2!I z1s@-boh|~5E76Cy5N^!{uSz7ww0_&va+&pf5Qp#?!C8j5(>`&2)*+w2Xog~P8}nO zf`OriU~9%uki7J=^f!U62;R^8;-E+-k*#wFGDWFO8+syWw!B^{faXB?L$T?kBHV?~;!oH1s(+IZ}p(hE40tI<*E> zwlO`~HZ$d71iVh!<-T`bRP5}^toUfbBNjH37hkYehbVZdWM>)LmqWuQZ>$w_4;{Y6ii%XS;#-YT(z`*q-5YK?5jsi>}Jd^wM ziJX@=@%QideK`l+q~4(bD?pBHt#jVQ7xryb6=Z(6sNw=34*2JIUSA11K2FzMZi zSJ>EyA)IhdxbVCI;8j{tkp+SakdPxlAh_mo`geq)sAEvX6cum+Knljf#SM_k5h+s3 z8nGzsr4Lrxt;Z4j0GrTS++18-3?<|YF4C@vPE8#EY0YA)m}F&T1?;9I?BnO*Ia&!M zLoD_RfSGdXLId-4&W`Tx=1a|xP$KSd^EA(I2wVd9Io;oS!s=C~#%#FeRP=I`eoj~w zombTRf(QU9@A#-4b8UIq4|siKK4+WRUfNbwNgw>5vAQ4V zyk^q*^!_~(U;|7bSkVRiMV=cD49ZQxA#YsyNI=|fwgtQZo9E!`3Hk`Q;c=zY)V!+SkKvIcEkPd8( zWFdGW(k19(eqLS%U=V;f$3#afZF-S<@3F=+>&xlr5IZ_L3Y-pqL^>l)r$_k5ot>Rk z=h(XwFgy_7*}1tfadBd5YOevidKdf!2r$U?sUhICuD)gZ)&R1f<(<9qvP}RxLx(Rg zK>~hkb!s`^;LdD2TUj@&TdL{cz*1aXT&Pnw>LgcQUJm9BPv56Z{HoO-xdQrd&o?y% z($f7&`h$X=-r&;1y*ntF4FM0bWSxoQ1wTJOP>>%%lG3iWF$A0{l$dvP2YGz`_VyNE z$cG0I9P{x!MVFm%6hOrQ{YSC1o~gDal87Ls;^V6y6siV$BB&T& zy#dUd*Y~zICt?uHQzDP!8&Xoz%gf8is3^njx9PF5CYp8t%NtJy`GI}`x>E{B#IOgQ zp9P(?{QSv)t!7Q_);X;FQ(-n>6|cWQuU1ITz!3W7%Rj-v!31TR!$<{_Uf?ku_0Xgna1a7qRjD`+asj~) zD0buJYKQ<(!^FbADTr%8B)%dbu;ldxLdAF>i4zA0Co(O~j?<{2`68mJNf3`ohn$%? zqODB?fhz!2)p}fF zSJw#b?fV4iV{j$Vn|n(wWHCJ^maPm73~z;n$%@pxJK+iJi8Aq5lKcDn1fVT;v;N-( zER}yEY$-a@KZbn$1DM$?+Xpz{B?Npf?+{3i1Xdh13k#OHxp}?YelJjcNGf-MBv@F# z0lEcNRImdl10=erfERd^8c?7X5JIOXnu>>q2kX@<5l>HEz-*>mT7Xozg7-0d?v-_0 z$rz6U841$;U@$JdUxB3#VA)`qQjn7)+1uO0;B;}p2!H~LFwJ8XrSIg7B%L0RzCE!1 zQ&NZ<8yg)Q9Ss4WK)4@ZD=t`Sh^CLv&N>GN!+|DT-Pm}hLNa!?J9X0bg4w{_y!-o0 zN+8c{#*fPSnDiRI=jPI+^0}51YA7z< zy?Is`Vipw!~usWV{DrtK^^w=>C=%4bNRllJ)mh>Erv6mP35rm zo3UdGU6O-fr39;|w3G#*)xbOMHf0y9!7LZ*IRWu=IhaqhZ@HUfi)jay`xJ)9mSADa zzkmO}=`4TWXJ&4W-Rsl>46Enuad+Kjn)lXHi*Q|CT~%@WB>W8QWsfHd#io||4c-D^ zku!o*t>0AJ&cR!e$%cV_6i&JVle4`a=9O26Kvk+HhmH9U=sjg!Qa0s zR2-F8Oe35sZf;zIgM%QqPk9vO00KULgtNL~TcnXtl{dl1}L4KHC2?+9*$sN37yV4^1o zU+;K502&1XsfbB}Fif0{jqN!an$4t8MoaG0ZqMK#^}Ba}3gmS`CGv!oFzoXBdeURS zge@v6>H`>;iv0-CCJjw)*E@qMtuQdZe5v8m2}~emeg;ttHn)N^Apl{8goJ>p0$eXi zDXC0QYX)zn3~ZB#h=`meXIJPBfPge0l#;=Mp7c5h2??QPVCa~eYZ!dMMt$)@^3$jH zu!&bVIA2>0ez&(j2B_@h>|9n;)7{?QUVi^Ao;!H}kfO{9t7AA^L=gwP?-P}?T@~0w zJVahvx*Z5x1R1$1E-ZXYOB)23A0Rj18XCM)*Tck(i(HGq=ZuVD;Pcr^OK`RV8dI5# zN@2%9o4@()-Mf03Q6V2Zn9~(2r`DR&YSY(Y9*-jF;l8#Xk!T?wi0>Vbnzj^S$y(I{Sa)XiLwQ z4aHa4W+{)B92mKlf_urM(<8eyei9UlVta&}%QX{O`3vz?Bx)RRpPvl>!Agvdo>V!j zWx~b5x!=A}e6C$}jApw{_x*Kt!FVqa`L~iB=fyr@FQW1{39F8UzubOli!c6yH5JDJ zk&;&bP?;F1tH242{%;^8AR~6#&$0rgoNl9O3Y`S`Sz?q>@ zhTh&@P{pdWCDO95i;gw|_@uQTb{x+_7?w9-1+?xiBTcs$D6Zr!gdGoffO&icq*kyN zWR0UOjmPme*p!YQ-NVZZ)T)wxicbXs{HBkOT0@-A8b9cgRBFk$v#g8459^|jXH6d9 zR#Es;0I~Z-z>63PQCV)aBt*#t?EF9!T@e5KUx%wIi0ljos!B~y#P9Df#29ogF$BHO zss&nZ*D$Y4cV82e5CfMFAh&b(cncQp1g76YgD(}|wJjKFBnRgUgN~!9c{Wc}!mwXr z=Q*?~e6G=_r!Oox9=yG;uCD>@cmiZhhLV1eRFO!I5-=IXJv=1(ES3xVWte{HXGka5 z?JeHXBR%tfRHYRlo+Xww!s4=Z^m?Y`8lR4S2Hs}|ayt@8&mP`4Sc??I{HYkft(IV} z7G!b`pPqxJ$=_t=t~V(Z6`NLSG3KtxKgyWe9ocpP7AatI+w=J$s=5VYVrOxRQzFk5 zBLIB{d`@ZC8rX5|eSHm*)yhgbGPj9iAX#4oo61sSqo9}r(8_k*tn6Zux7Mj>6yI}6v$JJBQcNCq+J-3oaoFtHx|LO~Ke4_Xbt(|bhDeE5n! zp4s?#DKnAZ-uL7{6x(`9sBzFT;9B&ob6@}+xW#gATsIf{Ir1v{I=T;d83+QyYJ`IX zi2Lu(&NyJNa!4BOc`#iXcIFD6I+WJLbApT+m6%8X>=i9iZ!fP`IO7GA<;~5$ z9S?4n=R;jnQxT!3A@SWkJwekm+YAw)pycR&k>^gLUJ=@3vii3NTWu&H&>fJM!T6mQ z;BaJE=DWfhUq&LXTNzMr0^YUJd3(fYfhvnW^z5ndLnA3L`e)dW8(S<;0DCCZIDToq zDi8GFrv1XtpqF`t*4*-iWllDJjcFSH@BdJcYN8~ z*B2Br*BVI1h-@$~i>*<6qEPzp+CA3|pB@=08w7`@ zkf4Kg__&=mRn`Xwq&&R$hjx;DsSrkK&4wgXupMyX7}>7&N-+Q{lNR!@P}9+M-_}>s z7+z9BM#SB9G+!}vbPR{Gd%|((PI1AIIRS&~ajEr`+&45*aDMB>pMjp0oP^gP!v4sv z(P$M-f#LIo++>YyTg?^Xf}&oXGqRxfd9%^X203_zRX3Y<6E^q|l&MU>ot8TRkOM3N z0@Yo%&A}W+6&2A>pRC!~*{mA%G&OsEwj(n_s2}oxS$>T9+(KbyZ;wGhK%m4iOiSEN z?R8qhesWDs!~o6v8 zn4VF4IM9AMrKNtr=pU}OeFtiVt2&J86c7lcZnI|DlWNKLhK!AU6eM-^WV>#{4 zvZb(ZbiMf+?!3BM4Xkg4^SwneDJiF{>+X^}H_jz!O?-fTvwua!iE2qMt>pJcDajxd z6EicXlk6U~yZ(Rv`RB*g@|{k-3yL2QNnZ{pi^T!#9+Leo3?!{a{eg_RXMX+I{jsX@ zZ73mcl4MKR#yzF9jDWP1RQbB&8ICX#^7&y!(rT`L%RLW&L#2vpa%igoIoCN}hE*^b z_;ZbkZ!z(Zo>_Y`xv2H?!>$`k*VEumrPT+V$F(>V5(6!H{bTk!x+cLYsof9&R2B zdYy{ojydjay#%u5cjS_|@to!UJ7#7HMI3-$pnMk_AEz15%*0gS>Wi@ZfVrk<&0QP4 zY6Lt#MpRU|=jMW#ho>iy?m%Lp?|k$u`Y*yz`^EbZ;s=(tLD#9bqpNGqs6x*R=Eg4( z@)P7;e}oi$_@SJ+a%sy&HCdjwLA*Yft-{YSP(Hv$lr;0ZySr<;yyR1Oy0q<^2Mg>c zCu=1;B6gw6M=SnF0vy)$>z>@)7g|K+Ny&7eXpMs2R4HEsa8Dw zn{dOoJ!d<+;&p$AEQ>!veU5;ZIo9>|N(G069G@5S9@pxXfESgC^LA*2#;2g_=79c1b02KSovGPSJEg@x3}$)fOK0=56%3vhgTS}ssBwF}%Q{3dUS zOf`MT>xj8B5@9G5REx*+y!7p+iuFefCP_7x`w-hLm{zxbi|9p_EQ~LV+t9BcK!m6Tz zH7-=mrVKY<4K}H^xALg>B`)1RMiWXeaVkY{7@xLLkzEGN?mYYgG_n|=U zzBv=Pu`n|?Yr!^iUrJ0}m;k#f3YwVSW^=v_BI?Q!qR|1_{wJvXG0Drz&)9IeZjbJl zcLSG^_Rjr;8l4y?Cnd$ENV7rS%PisGV^f~%% z^1!dtQx1@G@-^98=rHL(Oo4q2F*P;raV^h>OehybTU_D!zA#)2gz{ z`TctXF9qyykRc%0c5-x7tT6MP2&bW>)a6Q+y}y4HoejQHRZ*FS3c)fnMJz4zot&Ja z)6*Yt!${C~Taj~T9-xD}CA~YVnSo@!9Tp^j)ASAu!~q>0mqoQlUpuL@$GcJpe2ARv z>_2^D%FVJ#)44P>WYKRIoQG7ZY-W^{_5~L4@NnsQuOd-V3)0pm^Oem#IpD*nS@rhIhlQ+5XYlLQRw$W_vu6N^WlP_st$r<>eJ`C1sO2CYml5 z50A)$t(Ue_QV1_Py$=#I0~}8#1WN0al$75}%DtvRC*jhGimH(^(r>NW7a2kUY?RM~ zMGX^hjn5jj34ayc@{ zoUJ(|m+T!Hn!3Nc8UG1EuB&U868^<($c=C51FlCg_;nj~4RzN2KO7O$ z3Zl{yJZODw7lyIV|Bk{C2JtZ;Od0uncjM|DL8@vr4xXhu=SIkGmcmxSb~Xg{RoSmD ze%M(;wO-OID|4si^9p5SV?PDvHc$WB?wn{0%~Jkk(cIR}p?iL5-Y3K*jUQ{PZ59f_ zf{BZZ+dd4z>zSF+1SRH)JjJZ_y}d%yzC{?^yQ6B~=qB?d;>JkNHw~2Fa(|#;uWzsC zyY339TUnvrpceBcT&I8nL9wayk}`k_yB0|KGYsNvz)&ssXNM-LZTVeqkJpz$;WA$~ zxf;)>ksC0&j5I+yc}7r;Y2b4|P%=$hY`Xpw-R?YC{k5ok#%2fm7@LZQY&0l_hQnsd zVZn7u&}!^gSo7@#9>$P!!k3%#upr8)Os#gdlGaG2?c4ulMt(p{kxz<3)4&c1O?}04!xt4woW8eDo<8GBn6R3-e|!_?&8H5w^C_yi#s8A2Q#Ul+ zr;-F~Y6R3MT`nEUXRB@1*A9uN;*-uhS66!}Stupuf7vbA$G_#Y-N>z3)XIPe-;&#t zk)7k}C^Mb$8g_^8gMkWeI3yl=3K5f8=BFDzu(pKFl^5+uS6X4|>6jAGpeRqw^jh?0`oz^bWxP)|-zX9j7&cBWnv^nPcULg#fz4xD#y zS`iobb%A-wq7+|jc4#PCmNPj0?u&P^PlWZ-av4a;Xu5}MegN~3>t%|Ms#dI8 z6`Zh%ED3pZA|VkwJ3G)vCpWk1A?qqF-0{o+_+UzY`MoOaJ_lS%|6BO|(}1UROmy)o zS9lJEC&zWv%&l&6H_FZx639^SD&gUeHM%HaFDvY9RJ*9MukvS2CwH z>GPyk3iS*D~JN zrGSbO7oQv*4Ff0r|7!2N!wKc5*aGmgkO2#g?P1Z=1+`ejtTHfZtQxpv3fyHD76B(GxJGIxVpXrWIp z<(KqF?+)rb{m}rz0%P!h{E|<7Er>#P<83Q8?ltEvJCYRYBXaUSYFzz5btsm)vJ?0v zV|h6ysisC8mKL)!ME4VeLCT9eh3V4EG4{U@0a0p0mq1`G%Av{f==>mRyWD*+{|Uje zwRIwM3@a**uDP@HM@~*oir=*-=lCPOWi(TtV6pr9DTNO&;nD8)Un}F)U?)l8+>NssEOVXyMt)W3R z7MEX=?Q6u`zvuJ`88vvi(iOB^7S#0Llfl0=%$=q}pDxFh6C#=WyylghD>4Xs+9U1AbV|HA5 zUv2`4(LangACjwb)RXzX{q_el0W+pn?*#{T`OxC*U`fSDAIg8uYU|pP1Qqmzrd6E#b7L~w5~;krJf~ru$&U87DhqR; zJt1S#!NnyNxC!_G$ddP{;iY`)T4M=P$E#Vm$a&zMUUM`O81iKN0)FAF<5!8^c9s1z zzn4IjzSN=1onwa2<<}`~LqMDG>{pTLMGmREv)<^A2PFEzP?8G_AyXs zj!#O$FXW#qV=tHHLR_{uSZ5W?W>eoUXMf|~4snNxrKRE2_FFJpi-RRr?ga(l$_d5Z z#W1y}Im@`q0JwmGrO|Oblt7((GO{2LTj=`cyY)pEwJXjz-R$hs62-JehXQr_$Csc! ze-ND?+Dye`s$%1K=DO3xu{EAA-RrBun;r|w{Ln0zoI&O;0IdL+Xdjox3joaE78Y;u+x`BO2!`abKF=WA-RvSwv& z!%O!yTE9S$!{20xKEC`VxdyDcMCxh8$b(8LL;{^o_xYgT%O@P67#A2O7W10%_>@lC zck6r84BbWq@=YB?zk^5LO+V0tzrPm~{Q`lw`sl$P1mf;byKgjoexqiB)~SrSCly2# zly>W-;6#uJ#OpHZL$TiB_Lmo%3{FW%27Dpg{6|Qm@<6H$M{I6#&*oczJ26l2)EvR;F z36)m6y{%>01hG!?8wJPrukU$zWdy?61TE_{C<4pN^1<}@rSD};ZBuL$OSM4+4it>1 zNli@3h)UodYkUQF6q&dFV5DZ}t~*je{rqqDCH;>gX-$H1zg#(M%8ulmx$;0i(*^L2 zO*(y5+P1T=VI|g%U7!PHT>$3r>%)5s_`xEBRNz)Rh)Uy zr4L{X26DGlAcD$@*`P(hLU#I9!Pc`l$IrY;X^D{sUWD+-3Fsz4RB%vP(JSv6T?Umj z|8M{)D2QV&)pXep0k4qL-Q9iGQi|FMG!!3De1LDXHaBYk2BEK_q7udQ04b#&C71=< zb6~~s3j`zTK|ZM73#9;{H8wYMf=a*}^dWd=Z_l8}ZCgMatuB;w2}+q68fI*4_$9>0 z&$h&f(bv`nxOf!x&t5-p-~con#N8+|$61@%+6FhyOPx8>1C0k|e#;YQZ3U>dmoD8G z!LAydwo3Z?T^!!qoRpA|wLTtVXLwV(^SMlW{Q>|U3o8OgjyS?F zf>1NQdKJ>kGtnP|fD!7&u8-zGg59`EQc1}M4qQ~Yo|S0pWlp=$rT7vWS3<+XU0@d1 z+yVi-U08v33IjkkI2Wd^{RoQJQrkRHf_(h^S7Jv-N8x^s@bhP@Me?5ka-fYJ$R;uY zV}f)*CZJFt?wx?h=Ul?&%fCZr;#?kmT;b$Nby#8#A3f@aNtT8fYu~Uf;;x)1T@e^) zYF|#*Ub|c8VZNaCfDhIY^qf1k{BiubtVarK%goka4S*#hNKXzF*x(^oeD?f#ohTvM zfl{YF&XvG=GvnMHFtbqofOxMM^CeU|1-;_FK!iPLSph8EdUa|TYHf24DCRRL zj$#10IV<J2*HvRN;|Y?mC!(jys8tZF($>?@U%`A0M|PGDm5pfI0IC2(*LH0tOCj zb}tNcnG0F64&ZzG`Z{@Id6F|PSoY=&X>1MFz!4yZL2yD|p#Yvkl+CIJAjZZmIq7XNz_kvXpRyA z%G73Y1G0+g&{s#Q`n$)F0drvG>1wYqTyTx&_fc=TKD2ybz%J$4pbC`oCH`mq={K@9rwVI zX-U;(?ica<6&hvMWceyY97u(BsLjnyCsAX))8_WttR7wIA(KyBrpFNLT_L0Nxa+ zg)|`9RrB)lz`poyjL{&O%rQYLFL-SAbaYH$#GDy7>(5#^K)OLt*8QBX@45szS zEH9nGAVk?;!3E`^pg92Y$BA`^k~(hfU{jg&Gm_CAw~Ve_c?f7Q1<1%$+flZQC z2Y&AC0ZsH;^bOG;T*5(oz#OXndWA$Io`f!*JQ1Y;M{p(JP>nr3i=cAtm({Qr(a$S@ z*J2TivW@)qW7kLlQQu4JM|Ju8I_Pv#W?V+YxT#0R(jRL$NP@foT~oQWPNRMM5LRIy zbPNdHzVVvm0<@c;yiYDzCrH2g)K`6lDEP?~@6FPnyt>E504b|%TQ?m`{AT#S3t5b! zyf-kEMgVKzv_0UexE}4Ryz_f#C;)r;97SEJ%@B#v)zuX|%$If8z<`161F@WYqE?o18XLDhzCJ$Mo1>x1vloH*Q0+aM!aKJ#ot-f; z5henU%Z9^OM{%Nte&N4H3ix$eXF+amHz@KU(AsqRij>n)NZVl!(9-O=_P4c0EWzO% z9pR4b-Zsx~v>H`kA2Ij$53uR|*?-gDvL^Vq`UlbE2f4ZOBFEwAlG$ToUNkmWHFn|q zvV#YzDK~>^gafA^OMu#>Cy_`tSJW~p!HS>Y2NKi zGohvZh`ZF=_w8jkdi2w$+t3!N4H-m^Yyj1}K&B0qX+hG1GouY&z=DHT?HQ{J6wc;B zDq90u99;KEIQP6jH4>m_N6501B#l4=7`#-U19i$!v_$-h6%*}>gB=BJ2gcA_XrQJR z3XE#@!h$P==YuoAS{qfkj{@{R^KBw%=h#eWpgm1YiGKcNSzb0%1>m0)uocdUC6Xm*hWobz=vM~b?Tkvz5&{!BN&e@4z>qs1D1m~i{mbz^o z+?}QZE~{TEcsVivsi1Eq>4R#4@&O2Y(0V69qH4t+IeIjYBME^gl{kI6`+uiA(O2~J z%s|0{kl}+*9ldbNvGau-cX=HG;eDCn58?t301yrmG=ktNfK|?c#$zS}hEN|mjYu`V z9;^ugVlMsd%=C0Nv^mZ}2Tw1A6!U=_zY;3DSpeN@Lk~s)fEjrZlc1s9CIfa(88q(r z`}v*z=_dmyw}Bk%3F8)$zWN#g*pD_8vJ2d}kLvx!k;OMIE zKOAzJFY}K*2E$J`*sT z9$tFA`4HziQiJFb0H9?8BIgACgdFbyV3jx;d{usN5OkYycyh=*8bIZdp%j#6YV3=u zw1)cA+D;eL0ZEp$)F1aDa@AlKpsf-2^y&97Qn28iVBF=QGXnDHP>=eO<7B}T_CfoF z3=q+r#RK?yTW4oMae;uXp9<`Pq2ilbT&`c=-gK@;{sLvrw6qTomDd~qst$n007$Fk z!77FohvV1aLFDql3Bmc3z-=;SdsM+FL8cE6T~gBUB!Tm`wdTYvQsI%qhwX{lps`TP2Hj|9Z6~Lsago-gkYwH)Fx#5}jrvwB9(73ghNZ78ROBYe&{xivk$Q6Jh zL17A`;F$J=z>C*BkU;>aG(cLb#RT8#U6S3xrQ z{{8z4dM{o_&0bpP!jmMr&Q_wJd(;rZ-tK&h63&JLKM1qAd?oxFMD8g`)5I;*cY|kY ze^X{U*Qp;A%x#*fttmO_Kwl|yZ`cQ>Qos2nmp&3iLN-KG60i?IkeWFkqj9>JR>xDW(6jH)0^!wR@Ud*7=f`A&G=|XHMw+ z{NgZtr32ze^~)R|`2FFp;fL$HZ#?=pc*D>fqI%ASJ&GiS?q<7=;z`eTU&#GG7`DGj z>irWlpbi^hHxu~Ov#9#p-SNF%CeOS3LgU|Zpg&K)rak0gI4j_Sq^ZE?_41FVJpYN& z`5OuLKgpi{^M^WfPC|4y7u(cGz4Up#kf_?bFOL12t?0k*GqF%Lwa^Q%cf-TyKwVi4|rKL0uMS9f-heEZyi4` za#Hg@<4MWlj%6S>WHmlUNk`>$5gZm1h9 zJ)&%Krl-)QxdP3t^k^T(dq=;Kkh1h6A)0obTlzV^`N<2iGd7vCf5=CzRC&_wnLAf5 zO|uvK6^gNSQB%$_pB7cz#?56z%sGO`+QIo@o{$NxWepNXxnUyebygd_4jBHJ7rg(d z!u)W5`?nwp_0A+#^s2vqXmMXx|C}2oS<=uz1)V&mZo~2Tzw-H_el7lTK#q0-f%6pyTXf(F9j9e`5JXy<@~R~^=hZaY>T1TmFEpp z?U|^7;X5|ky6Pz@Avf~2E;19sDncw9R8xBuLM+ZEEruXJ+FBYGd`#CnQ$DVBsJ(#c zm$bE^oUO__HqxiYuTmVOuG+3Zv+f&iEaAr52VpBdX z5sq}fF+0(Cb88COgpM6cT`y~EmstHo%Mcz|k926x{h`o&-fS^8t}#Pre*MhPv*fk* zT-~nz`869&Cv;VIR5Jd4?KQ&YM}N+Jdj!)Tuvx9T*!3w}X3(P(ZfQPbInD0cA{cO5$9MbV|Hn|!#_h20H$ z(Y+zPJGY3nYkx{JHwsR2mdEW6(@Ua|eR*^LyM!n4^Zh-pqq3_e=lvJYG8Ow$k@);l zYZi+nMUthSl(R}Uwlz(svFpqlt_KXxcza?@X;uoeed{|esip?D=@V}ZnOT{Y`L-3b zO9Mf#EMOP{j=SSvVThycldT-*$a=XuuR7N@mHp<0Mpqo;oAeg((PNtf_QFb{swC;x zS|uSYm9mOu`XrKCQK&nR)-y_R#l(guCS@yLH2wyaEa~8K^NF0CLMwH`mG~k#xU5QE z12S%c@1FIAZh1}JiK?q9tk+@T$E+C-wz!F{!FBi~lRA&Zv~_`CLSqQ?691{l>}{_H z;&TiKWdkuiGj8FK67ji|x!-OUX|C9rU$?7oK5uWyUesnz<&jU3Y5Qznr~EGVP_R!& zvY=Do#mpzRvD^65OatH5o{iMCKI)WJd|ZqJag0R535-9-G4OZh;d+d)_Am((fIntkAo7f z0W?OTv7vSL?;gB-%nt~3LJWrL_#}8O>2PdjD+-yW^mRC9+9w@5>Yyv&$P9^HNF23_ z?%&yG+E5pRZ>WkUZEn!UspSd*t>i8(H-(F4>sCX~jE5bER`!&;W}s@7)T9)PtUpz9F6Kwj#0y z$At$1Z`06q+w(j^*W#S}9j@-LqYo!MUmJD|_stx3y$ApSA7A{e9nC$~jFIyON zZ)=0a*42-))hi!Qhhs+NGa{FsiDZp$ue$mB*J#BCv1)NyTxr zu*ac++}6XGs=TuMVqn)^t6VnTkM*W^33~hfZf%`RN_WvJb6w0Cd2xyH=wO`Q1--@& zwsnXEDUKc@_B0wQHhy+d~#;&FG3S)ON3sFp4JGM*B$cXi7vu`%FXr^iRPjqB9 zl@fE#Z8IPwfx#N@yH1%}EI^hcOY{OA2iyWS$w(&_E?GhfuWz6d!B3=zE(xtY1nVJ= zh7Bxn_I!n1r*2|qaWOSVb`P*H2*m!c$B!AmsfY*&=(Gu#j;c9f&kWUPFur9$oZv~#DwH$IVU@6rTvExqw>X(*@xKplX^mFopnRMoD=X4 zL9x7hd|`)-+E+*7OW38e%A2-E0`WHS11)B2j(3D6EFzRFY@#&h+S-Z1=km z&!}nQ2GJXuL>F`Akjm%K&-s=MF@pWa@ogef=rfvz$ z`j`e23MvXlMo`9{_#6f8`AOzek*9K(csc|zt@A~Lu5GO?M!Y*s0;!un^HKQPTU$ka zdC2lLQK3@U?8-#tLehI}_H#|?wmVQmmc2z!#RGf|8;<0z)IIocNwgIT5RUo@L@o`UcgK1VVpZ(r zC>e0zl{XxSMPdIEY5M|d>OuhrIR{mzOii`d#nim;(w&hwf4(lgnG+V`tt~C9y}WeW z$<0^%9iJf-GFkQTCIYRd Ld%57!)%*VqY9M!d literal 0 HcmV?d00001 diff --git a/docsource/images/WinSql-advanced-store-type-dialog.png b/docsource/images/WinSql-advanced-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..fb418e6f83790cd2e6a6d55a8bf9b1e49c25571c GIT binary patch literal 41690 zcmc$`bx@XV+XsjRDj|x9fPh7JH>gNANOyO4TOf#lNVn46ozmUi-Q5j)+|T>I-yb`( zJNxc_GyBXuqulq!73X=xFOEweDG5RJ`*`<}kdV-Yh2F~`A>9mw|MTx6!zX@Np0Y?t z&yj@Rzy07Cy)o%v`&jO}dG}bq-(~y8FQh+S{s-!b!dRHMAHEvl$HXLZxq&U!@Y(w& zgPw&-N%y)NRH1M*sjp)S7%q}i|Dl5ZH?(MZ=GF2pUa2P&UV|{@*WEV+P zSa^PK(J+$9$lK@3m#W)B|9ozxvbB}X#>Vk8BE-)pE35M|I{wPoJc!^j>L{o|%>xySJl;(i?{C@8)ouFz{pMn$CyCvIqH z2&PoPdyablevfexm2zQf6ZJ1I`nAhszWPlhseH41&*nRu{qtW0 z>yo(!>$vsn=IR(+czqG-e9AH@pEyZKN;Krn+Qixya}x4ShHM&Z0!fYST920XaPoEL z@A1S|-}s2(hDX0uMyQ*#Ji9e7R4{Z%S8_3J@nL8kdyba0U~Am%B7ZJ-*3Lu)71__M z`D3q{(L_E*vi{n+VmoJ$<0461$Hd=1F=6R)SG>LgjE<%#9Ua%l#c~iuRXSQ)pVHFE z@%)hgV!pO83#?>*6UxBM+*nr^FR-3%C8}%nCzMf8$0tAxd8TFRuFNCGZ9}EOdmk4K z7_v_ePok(C-Ci*gX~>hjxtU0!x7+!xhSBceQQb9LKyvAk3W=REcM1l7!NI)L)r4Jb z&so~w3foSzlRi)Nk0hdRzwBRSBvwjvr`7km?jGeJF?pmCniC$W`U%e_7_CRJ>b%Me z6ejyFvu;--mj68{d%~H8#n^%V=s| zf|tB0E3pH@5QC0AgK4tgA{Y&{_4M={H;10Ie!rQRltj#E(3NODSxoZ2&c-ik%K8-nJN;?eA8EBxYK6gZ6T=M&^R`P2nMJCPCs-(WN{e~njDHT-* z5*bC0<*Mz?(=vY7oyptI+&)G6GQ zk0ZSG*~E>2e3((G!jWh5sd9$8~dK8$)r)B{R}ybViNFsmne}zx^`jbzu`}|f7V;|uyA__la#eW zWLXZfF8bwx^Bolw(RvfPY{?W-+6+uaRM||^E0?m$NOVhh(yv#p(LINxt30W=-Bs*Q zub+1_gk?st4HM_)u@dt5H}FsV?Vd)*vOA@<7SHpq+_;&!Nkw0hIz>Z8Ga&OJ^|WH@ z`Zo*nAK5q(Q?4uIr6HE&p5FV*N66%u69?%qFIT<@g)4fkCYtX5tl z);XX!8mWNCgw6kgH3KtCz_%!i_=&v!;8=3{kkZoANiX%BpO|57yO+|o1U(tS`;jG(u575vDck<1YjODRo$k+=GKy?RvA-Ta~ZCv&u?lc8I;qOe9r z+NF42kc2!)&Tg#h`|%U^lFf-O(t>BAtHH?a?)f3wy*wi%s_>$SI|VF^R?0*q5}SMt zWw)ms_XLpxEV{qqxI8T1y^X3dt({t*$P;&KXS6$LH*38OMRs^@#k4;2Gy&}o>T_cH zAYKPG&20+<^cyvNaRO)r)1NT7@paZUed5UyU+Y^xKj0c4CRncXsrh!taih$f>qzW@ z>sp!RyfX5>zWI#i%ANY+%ltVywKG<&p$lopK`UgD@|$1HIP1N(>(SNl1teERj%z!O zdTC~gYYS7Q_~0pxSo4J?Tbm}w^E%3O%(X;Pc*K#?9MiOiHD*L>#nGlP6+cYUqimCNi_0giuNdv}DKhUcH*RVSNXMb}%ZejHcKf1nZ- z)BYO8Qs}V}qNA-jzT35Rq}TR%38z47^li1{x`O)E%tMYt^A6GimiWOH$Ah#kRW_%P zL(vB}XK+@UMwZL_O@vTYx!Pz_N`=}_gLX|-+=8d&iEjOt3wv{hW+FW7-nnyNQ=UOR z0gcvJf&Xp(2Qw6*)VJQyqrR3t_V-dtwxZ;XEK2(($*sU~VA@b(!^e(GD4y`dT~FDa zsga|uIA*rou8drYoEZw5e;M1ivO zOO@9vABEJ#my}r29o&?lDMoY6q)ubaSE@O9z8*%nP$WsD*HVfRf-D?ze}aqPuIXGO z1bZceF}Y;tnrO}oYO8%~I*t~y@9#PqUq9)X(!Cpy#6r#4kgWI3@ha=>59jizKiHK6 z&HXG-ugv?4cr2HjuO(6kNp7uj{{Szjo^Gc6)hx$6C=x`;!UcYE`qmj=6`v_e!tJOF=G4qfrctd@K-?#UIYKl zijE81D7Kz;E;#6u$E$8UGeB0}9yy#CfsLNZR~(N7--%IRB_BZ)-4QjhQMSWq=xqN~ z??T&aVA#%}@lHWU=EQ0B29mn_^}{niQ@@xh=HZ;g-R5N3i&9I62)h+q=dNeIT89c+ zj>C3KNymhL)P}vn!^1J{Rypu%I9swcuFB2SnE90-C&m~G2|7m=KFHeBFJwE6eWl+BWIr2k{SdwGMZc^Fc~g=sY+mG zmCbJ-WF$@aNKN^`%5a$&9;9)e_9$Nc)`J5M&l>-xoxzHl*$sVPWwXx_W#mgs$z1z! zH@LXcsj~@>7M7n_uSuc#@{V-vUWS#OIa2s3pU|6Jks$||b;B<9l#4zOQs4ZR;EOJi zZNH%VB-d_G3&TrYb8JEj4R`zoCn@EDv*(DYFx8bMzR8pAl(&pTpU2M?p5B$CfI{v_ zr!7Oe)IIUOsZ*85Z4)Q7d%Q6rsG_G>7Xc*(8#dfK zhYks)QuRJNWYz8-_`FmT;+OhUwri7#s%`>YgFdl*$}`K`UQsE0e*V`nmexh{f2RCK z4%;=Nxt@y8Ke0o*{;^u<{IXkpeq~CC&?Ot+{c1}$c^PksV9(J7+22g?QeY}od@!1u zP{o?-SWSPKHYI#z7)2D{h9;)0EdcenC)vbJ-Q9!iZEZC~?!xlpJe~e~JkEOD<3j{G zeTD9epNk>NP-OX8dxO(gvNt2k=k0-6I64o=8KquZ7tmrmSvSMI%-ogJ&Xv98a^ovz_bS+p+-&O(#~-R&O=9=-n= zr_zw9aNcM3#^#x-X|7Fvyj{v!Ge+4ZIyOgE>_zl1_Z!7Wp#tcW34rlzn7np) zX&8*Hp&S|Ou6!{xPEHn2L54EU3fna^x0<2XWNA9l7I0h>^VeHA#%N>$CC-@!;<|RQ z{sxi(s|rNq%$$}+_MP^I_ntu+)UiAgBkamrMrQsMCAX&RV)ASXDR7z|^S?NR>CW-4K?v>v|JXr~iv@1&R+xe`Je zJHA^tcC{UPC9iff;zUGa%-+a5A%oi9U*2|QG`uy38|`n|{BB~(qSQ~7hEF~F6JlLU zyErb71}26ruaw4>dR&A=p?S8!SE_#EW$O-Cs4u>zmbGowWp89}j#&!6kVzTDvSRr( ze@@d6(R35v1;6_1MvSRpf6)yj!DE46P6de}iDVjl2cGYd#_UWKm)alv?WlXqiITyP zqnEsFy()GS{fnF7)KJZYIGVit(#V)XLdbhhtx9e`0fT|0xz7{YG_fKl+r>&jq0yZ{ zF}wstWRm}QQZ30m;`hX>uaqz^9vPdSV13s;+b3*^paBK*|}d?%E2msWPF2>i{}mi~NB|$c?!nyK-lapD{{O`qQs3OAd!S zn?J3f`Yh;&U3ag@>n|Bcmh2mB?U9aJ9`K4?T9TQo6My35VTgco-@ImV^eaf|)VdIl z+bWP%NW3kculxB#6+ycgE3+)t;|)Gc79Q5?8I1C6%jOqM|w^AnXS7y_h>Z? zI1Y_em*VIFb>KzS0rWh0_DHN=pGWWNG&i4xmNh$ZY~ZU`r|U{j%ERILz80bO7u?L> z_DOSQw(OjwjMF`M zbNDkNZ_VL67I?{=9OE-fi+=;T1JMXQZW%bZFyWyC_=JpWsvRv?&idqerxEz_{MMq> zW`!}OwthAXTHG&NW&-iN;;}DmCQNvICW9!nnOXU!_5wT{otLL}*i{me_5#A(lUxMp z&q9TAXv-=uul7xZDrFuWAj*EWh6Fw`6RUj;<&zEV#?NXYp+$KmiK)MxZ?q4Hi35;W zyW>P>Erav2n>hDs{MN?VBCWfcQ?UIceqTOcqxi0K%oHYr8uun;{A-f@*v-m^4B7)Q5Pcj0A9V~`HNNSHmjA4rz#<)P6XY!oDe}7mjPiYK zwSaV>*G1*ay?j)kvhW7q`sy_6sf`X-U@o|Os&`)yiYer%XED7ARWHsqJ&7AFFp$kr zui{iM>3tz1{W!ZJ(bCpJ*jx2-kq3BIPTyYhky^4+hI6Wz7@c&~Z}K7BrnU-#qBOjs zv9Iwj&HUWYx;pBDKQ^f&MYBC^tba8=b)+9HLvo$P`nNylFhzKsBLrC!QsVrmot`43 z4Kw^c>i3L`Iob}&rJdNjk8%E+lXS`R((lTjw zqN8pAbHPtbPe-C1<5Q^J7`Z?Kb{m}%?@3DH+)k9~1j6it8Bh%@b zDV;RRoY;2;epGvLZd?l|$;{4fe)Un_>Ujc9M^0M$p>o#HPGx*WE@ioiN=iSj`{I%W z?xml?hu^aYf1dK84sAX|^<9_^G(!;QjIdj2!b%fjtpYi+Qc?1ki@IhepE6RofmG-k zEG3Y&5vbwGXNcc5-V*J8QTz4MKGba8pMJJcovk$Z0du4_!M9^o2!L>jswho!BmGjP zy4KFnZ{@7c&pouI%#1&Gd#vN)2fo*Gr`KPS#}1{Y==&KO?CGFpfLFA`IKif+9bY#* z9Wq34D+BxGU^0p0X~=C%D89-(k3Y^6_}hg?gtqs(1s1N#5GhE0v+g(Bq(bK#Sjjl~ zHaEn?YfS51LfTA3St(KYw(JpRI8V*yh#9lX~Knox1{r&b9 zXk2aa{Jv5dgCSFFHYPs@jElr#AXw1x1`H!G?Z;lt*7IcfNK1NHCrx_|%gvkaguBdp3Nvji)7%%b42Y@&AFg+Hs1daAGxU{@s`9hg-2=MBWZ`uDj=#XmQoW z5zw2|uU(lC=+8=&7m39cN21D$uy9N9db{>7GY7y^{v?^+xj!G*(0BKyw@s?lZzSpB zrsKK$WQdC!_6&Tp=f-xItu@3&1O$(9Ec;t@Dk5yr>|v?VTNuQg>|jGSD?-M(|)=b@{@M^xK4U0014^R9Wy zkCI?6CG|~x7j;TFuMQT$8PiK$0p8D%=eVIkak346xN%1Fu3iJn@Y3K*&y+xqIz?bB z;0y0#&bH8;HnusN=3koU>RUbaQRs7GN<{6FL-T$>JnuDhwwpszly=Wg<)jyWW5~6N zi0stu7z$NrMHJEVHPx5*tkN7$*l?$UoJKu2t}m$!Fq-LIWdv0xHgXGDQjEsSH%6Vk z;%c}*R;0W-{Cq`tM8TWlopAng$6`fk^N9-xlgE+;`kmp-CQp`@mgKI2wcflz%Bi{H z;OFOO#`vkJ>pfs}sLB!axAjYJ;o2ji1kD-|6h(WhlI1_@Z@*q!1tz$>TAe5%uid=F zWhy2ZA0}K@z7QwGy~cFEVZNY`lWW$QXRULlG#cLTrfE}mUHUhjw$7U)PH6iNHRw~z zXCYCU=lZ3nYL&K7qqB$XP+8qYy@;&uC0(oo>fD2?-|y|B9KqW0AR z{uDAIc?utB_Wh{NRLu3oAyn!}ZB@H#z8xTuGC#5Fh*;YccfSZ`i^n{N=8O%#>4}nr ze`^VFM9y~fu<6cL%}XY|#&^@_J9c~sPP-F{BG}z=>q+c?%cZT2h;F&rl5IJWql6vDn67BqTr83+2%{E9K3<@v|^DwQ87u>HG= z6~~o>aa9UHBvVw548d($4ZQc@;Xvks`CQxD0FSgWQT|SvVd`q4NrdW&b8F>o3@TdTlD#{BlnQo1IMwVxNS%OK~v zuD2@Ct2!J2H|{=Q_s#0}dxssygVPgz!PWID^K(Yszu0SRwhUd%tVp7GKLmhaWH`*+ zVmaD3H5$3weO%Wx^f_m0vdL?^ZgfYjR4eu`i8`p?jh3WVav~@}Td;ndtT9U`)$Is0 z3kp^UxdSPyZB%61YF`fSHVtlbC2rKn-u%Pj3&#dJx4$baKO*|jNm*6K?9k_cmMZdi zkkWpoWeEl);O}P5B!>Co>iqle+FGhBP0r~q^v1EF&qv&!cQUpGrnSs+3-f3CN2BhY zZ&GR1#85MCFANhA=LR|?g^6`ii?3b^iGrG_bl6B(PfvcyA1U*tsaR*DfE#TRGd*24 zWlB7}!1ZPO(seB?ik^EQsjfV)fW%qzZo0O|@X~ILoSj!!UM@p|TnZ9Yb|G)!#XstP zxjBgzY0!bn(M_8|<1oTj&F27y9Rvs7t^II+4zlbuv7D)C<=nQ0Q~z=n=njD1f3IL~Y-HuxWjdeWfn<6xU}~$(Ezk0V zjcr_0J3by-BxP?aF`p0H=*;5s51{3v5vPFe^-H>LzyG2-y&XzCbz%J_C`Ysx=lYBaNdRk$p+wTRN_F^(}E zJ$-HMs29hLEodS%Gy}h4L%)c~F<9F2v%Uc%;Gx4Qvi#7}$!W#xj5eRU#6!4#xJvlk ziZTOPDQL;u%qUp`-@X+1&C(pk-$VyIOR4$|q`#B}OJWkwx(jVcMrf@AS=-VikKuAY z)xkmn%3U5Rx6F3-9Rw44r4)aYukt#GQU)h0HXoia zZt9yNXN6~Q7aQgZo7I`%86{?{z9yNVD(lFRL6FIm04#HL|3&kOv~&rnJ*-c84~2o9 zYsItFmc&x3+eNnrOF#C6HCtH5)-o~hjFCOHV)J9a8Vre&6SCJQ)L%+ws~D9VNzWm> zFTIR)y0cg`!lAeu*WEOOKck#1w%To~tQ5s)GDVhY*5TtL7N7d&OGwcjyY&hMXSDCW zg{lFfuNDPJl>IOOJF-fmTwF{Nwp7Gx^KaPpMbp58 zZwwTPCS}!0C0;GVO9AO28l4Z}Hz;KBUM8iz^+xIOGr^5!bBsvLz(r_uUbQ@h>qAn? zCpY3b(*Burk}^pW$x3%SI~yyIl$N3MY6Uk(AnF#3QrZk zYrZZC?J>mv>&%L2`@%3`6Y%k>gxy=^KnyV*-ktr+2J|+j+{99HdG!kM={xUh*8ey5 z;NAbyXZ#fyNd6zIQ7}hH^xtOVudJ-B{}`8C|2xLze|u;Dmk#Lv=85`Us_IVnmlKB9 z(Ywve%$!#Kd@~#`HuDROijEdjS0}u2;|6n{&p=z~j#QJbff2I;67f5YXagmWC z@891Rk78*Y9X%x+-0LF${!Uf(896z5p<(Y$O3DnE;wb`7d&{|odkhQ=Da?1c+4;cm;_`A^i5qM$r84WJ*)rvuO^inHnTxOE;kgB}=lWF&J zYPYikt>J7nL#9ZIc2Z(udXFnt85x-^X>=2ToMD@*3n%$Z#kcP6SKLYlGBS@4N6-BI zggE=ghN-&iE`KD8SzDRSvT@;tPP0F~en+@+y3t@=eLa|m{Xy`jSN1;bD^cJuVLw-tqCxF^!x5XBNODX^I(opWA8z$FhVOVbs^JxAnVYJL5dA zT3driN2}d9`MzQ3{rz}jVQFcojbkfxyXHC;c5-^#7(B~bZVR8=C*2-b^*>+mA@!`< zq7m^#d!phDk=?F7o^m;+>X`74Cwng_SYWd(fn>iuB|cs4)?Os=1P3Q5B*YWk&F}F~ zi!LfFx%T$=tt>77f|sirF*m23Ur>-&T--D^R^GuBBOwUu_C0=PX69pBno-1Qetv## zZtmZ%E{qTnIsK`N3s-9!8#tULy^A@C?EZ@vFB+N=JN;Hl3KPlG)069HL?=_Jz$<{~ zY{fqe0;=r~-#6oo@{+~v?e4R~b;{_YW+IQ7#YMaBHS3&-vuf6+Nj4VVi=8ij8m}9C zunJ9v{d;<(1pM&iGS<_?dwYAqm!16A0=R8srO9U)4Wt6Od_rb4dv>;-V>DJsP7(6` z3AHljlPCIQHI}pQ#tMzTR8?_5;Ju(rk&HvuglM5sDejQks`Ered&Y(tBEk`Uep&p@V~itE+1`rvpt|TH0%f zAlP2_^G#M;4gw^A;jY)0$CVd*?G25Md5*i<8yg!tJ3GJK&W|=G%CP(d_yh!y`;*0W zI>PA>)&@~oSy?&kH-r=w!?mu}Yusa2`%~uU=00a+P)hP%GSSo1uh?>Q#d5cMKYV5B z;Lu!K`-xaI^k-1et>D|;w@@&8@^l0tQyn3t74x(kxlwL%OOE9}U=$AwftFYrB z*kA4@rK5utZTxxb1Qt#v%;6@)nu5zpqOkvyG)t;wjt42Ax9e$-^K zh`No@f_5sK>#NH`i|N?9y1Mb~8nf}@(uxWjz_{b?S6{z=-GLIYcQPNaKVj1?mvK?) zwEvXF^eIFLJli8|?8b0wl^3cP>tU4TC`Y z{Akl_=p7CY&e_qXC`8l?BuJG!gKk3S!!^AX&N7{542d|NPAo~TT7x(@fp_n2N>LG47y|Qq#j(X4rSp(KGeej+tug(AYkOeeG2$LYh~=_;`{L7aW~I7)ntW( z!SUAQo7U5#MjVYEn3X!(o(}NyL*E=Ls_*RdQ>(C_U0G3FBwod5HP5x*9AgOhg7P4A z+>702Y3K5Iy1@O?85Z$vy%+jD42mE5-3wmbZ$*Q zaM?IGpzXlH_}<^Yzoezji4^?3Br<(m!UIhX+GI4hODGiDy)Mpe%YzkZ#G(f9UMbGz zwYInGY)@5Xs#iry@|=E!G7`o~ghQ?T9-h!*yjwbFxWH~*9yZ(%vMVHx_v5VUO3$BL zIn`&zMQt9?vbgp;7!gYj6%UbrIsx2Gu<`7!Cv++$=FA&$wO>&7hg2*ALqnV3ZVjia zxnUXg_7+;v2snaY@OkZYvQBGiYs=`JeqU1_Tn4%5DJ3s2k+#l!h|4`GJQmYb+pP(u z)rqnKZ3BZ8NEAwVcGh6HZ&}#QrGWUeUFKWk@@h!RXlHYY4YR*eyi!2!8tonH&nad|!Wmh*5tsIV7MQ6P{oE@OlV@s@}m$ zFX9?|%W)nQuLS)+XlrY?4V2{ON}aBz#04v;JMot}?I*{ReTRe$hR7j@o&|ZP5R6SJ zPX-V|9v&Bc-)yW)VY`{Cnts5Bu%St`@Ts(>9rl0?JsV&gdML~cChmrm#M zK&;)#*%@B!@%FR^E|05Y1VjC|2MSQ(ev^r`p0YrPs4s-ZO$lv)nd=&HA0*~wd84wIL6GulYy$ND5aIJUm-US2Dp!gn7 zmZef6@AZHvJDSrWyYJGWds{C`|vR##e_LT08bnsrYJ_IIW z&*FOxAM=xsk^<^$gC)v_b$I>yHQ7g4;ymj^HtPlNKQ!WzOwtpRlh|+ISxU8>Lfo$4 zF|KITB-6%2H1c(Q{%m}_aVr>55MC_r;ec#gp;13tKNMsc{ZYhXq7b?MhSOFajhToD z2?<5$$;n;C*=4O=;Jmx5)6k?Q?N7*=HW3!uatHMZCLy7Oqa&MvCB?oVxO z_FbxsVDK@|VO#z4=g(vm6mx5X8H!3uFvEu^ywIDW9?k-g0o<>}Q>5(YBiuThs!~D& zRb+l=wjNO}J+9r)4pzTJMd3I56C`+CUsay1WmH~Yog<1kv=fG~kU?X+vKr`h0D{@r z*fb3c48qNgjlWBzyn6BCQ#bGRGpN8oOO1;ntKH76Pxtf~7#W4d#1a9$dO68a$VF5K zJE(-ws6oH|;73yr+r}6r@H`tCkki? zrH&vt?xLYFiP3Uje=?qoP%pn07ZVHTapTZ%-M!;n6$>Ml2;2-^OJTLrqUMq%&UNoz zdl>EVT%)h)R3)ygY(E9Bhsfkub1BE7#Uu@YaE8kt7Tl6hpPHdBpf``z*MHG#4-H{o zHkXUpD;XLL-`BYN!o0boBPIBQdTl9*AV)wV-q9)-R#uCthQ7XE(b3WOX@%dl<_dB(e9h^P)Gj`$%Wo`6GITU#M`LL&5GFMWMcySa~_L2V^wVHw&{ta4^{cXx+S z3JeO;Sy6Gyv0LrC^SiD>ma_b-THsnNFA|U-s^OGf$kTx=m17CkTEpt<>XFgWJpE2Q zL_K-HFYUPB$=V*W4Y(3&ZjP;!A3p06Bw+II-yb1rqQOckaM+%zD7$yuQED~s?dL}f zI1aSk$S@7}vbMcj$Y`27Gqq@VOx{g?`1tBMYx^lLn?iF$puL7O=!ul+RKfi!lUsD0 z(tgDpM1T`pTP9fKc^D0b9gG0{`x8nhG)ixPm%_rrURPfLV0xVbHRuEkF6Qpeb9Hrf z8wDlINRD!_#=`>|m13#o3rHNqwxz_mMxDCKp04KRcMZ{!e z-Vn1`cz7a!sI9E5ph7RlPAbmN%=`t2idgIjh;GF5LriC?mi=Ne8{0V=x46{d=2Py^9DH6%_%2;UY>(N}^jgZw0Jh`3I(Y>^{D6B@os3-{i&SD^ z(qVdWruGYr61lo^0b()tync@UjP2*)`moJH%R_KWIUTli;qj0RiZZ**VVNZ>$iPRZ~8bXU=1x}zgtK4AuLI($CXo)KY{4mw>JOnh=cMH%V(Qm!xJzWU0 zT_5s;>WV}M17?+#mAQF&f1p*mULFp=5f+V1Ng;)94K)@SE`N10|A6OWr{22#!QHzv zK)GPH`L3v_=*7ha85!B%+S=J{a|NKn751Cj5P%RL^V{1Nj<$f20SFdYO!IJYb2}}D zD4c8*bnoo#)%EuWg{eEIb>v6K#H@~&&_X5vZpVlJsHmt`0K`6g_^@)P4wVb8Yzz2j ztlk}(=ib%%HWm(!AS@Krw;4bWB($^vz~goR@a)2uh!JE6T*Q`0J< z(%wE90^4=B5vQp7K?Z|%!(D)YjnG>G>@{_F2RKZ-h2b*l?+hwv+@Le+d!4OO;~x}+ z<%h>yH#|H{=OMQ&3HTYouNoUY?be5I-|2#>i>RVt_QIU&H_}+g__}hr#~YLt6CUe} zo#RT77C^re0hK`ynAzSA5J^g>s|+CE3`JZF0I;^Xx%tYLRNMG?6a+EeR+szPY6<`^ zo1%3Y*^=sQQ6jmb=+Lv}ytEDk(3OzD$f?{DNt(Q8Ub3BWc9G_{haH2Jq$lWy*9Zal zUP$P!yu3Uj17_>)@Wr5@J^c$&`U(0JM0kbSsYm)20_}YWqhMiC-#xBz2wO>~BqqKC zi*9Oa+9uxK)g_S7J2N+DJ-!H>6^ekPq_V2DwKb5mzpbrl6CNku<1P1>#39hEY;5WW z27*Bd3i|mILDAIJ)gM230!%?W)x_MK2C}5Iv^4lsrlYOxB?ZNOSy|c2s;XW?Ccw?w zT3T+Jg%cP;TTiV$%{~%RTRTVQerGj4_NRvg8l$5N;Q3B}+*fr$63>0#P zOA*oK3a5P%LPA1V(%-#?upc!km#_ZljwJl}fd(&wgRUzqPMGD5ss&fRtVFy9Tlx3^~* zFR?Iy?19``aaRz$`{HW)WV$St_$wwhgfGoLB|k#TMK|*KfBcRFD1>F4=PdI4)TPsM zCklAenoXD4pAoN77{7V9V7B2sYFU%9lk@r?;qzo#J^>RK$04bBZTF1`lTTuH(Dh|@ zQ%zsZ-ywOHBCU z<|lvk+eC8|4;9t-T+PpeSa7rEeB$BUbX#BBeM-?&)yMA!=-wBbPsYQ=J{sRZtCC$eb{mT3U8};u%Qa7)na+QoH|2(*ZQdY@(616JfYh;UDlYR2X{AoLR@aGw; z7Jgb>o^UVDo(OG4()fnT6)5BN}kxqppdQlf{P2F&NGlm zA%d~&?d^-y7LAn(^wB}mi>)Xt>n%1@f$Hn0J_Kx`rM*1?_*MyZgL6ikl)uEu_)`&nQK0bed z>!-=4Snn@YnY3OkMOm;}&L9N_1|mo?VDpbYSftj_{>HmpcIWt~+|SMG_u=As09K8& zSZQedTUvx(zIufam7t+8aCNt}mCtV?V(@FKkFtdi7XhKp`_YyA8Z}n)$RG??UY)HY zM7odgxPTgc!oqOy{Jh|d(yFSely=$KP@6vk2E|`v1aQn^KG6bAFe93lkueCwsOesg z6!9qilM0O*_a9K4uP)E0d-K70fGlah<>XK-kZ|Ko#vq=0K|#U%>2e$?H+KwRGQy8Q z6FosKM*j$4b*U?+9VFJ3;T$3Wt7$KEjf<3HUH61Ra0=(Jqkzmtnd$k%2kf8+)-~2? z2{&7{OlFf~Y;?4@%*FsH?(M&@DvnpD%d2BWl&=JSXo4Pq^wrZdPqX%>jI6BFUMnfc zE4P2c(t?CU2Mr8Vhc5^HQG>)IK zvF2n^K|%Ewr~ByVri1BnAR8vE{mWvB+cNf^C^)3Gw_sOW$}?EkD2eHYrU-HjLi1QQiP0#K6FCJsLGYBjgGPMKCZbN@df{L|gkE zphq|-OQpQ3YRBGUJM?%K(|u5qo#4JtfLgb7b}qsn$Zw<{PdUz`gGz7;Y8r?uM5UIq zH*J=?vg`>E5wLqbtcE{_qIuMSy{Imm_TgFk$wl!#gi;u&2nYc2`3|aLuI3E{@P_TU zedo@N9+CCBg-qMfLQcYP*4zP2JpfL*o%}{=ley zMCj~zTM{r40*!!1<)wGHF&dPo(|mJgbF&k8myfS6g6j=VRv{LO$o=FKBpA?N1Tne+ zbmZHgj&X|`agYd+Xsb_N25=ue1+e`1@ng%g10#UJ9{~#@(N-Ni(rNmkwbT&-?O48o z5Rr~2*UQ;nE%On+TaM~Q%Hp8Etxi>O0vRx!u8slus}Dq2z8%Vt=;$9IAt5i`+=PdN z*QXi*v7)``gXEy&W?>11eMKlg^(GM!5ryWHk&pp)5j9SZjy+i_tnOf>=yyf8LVDoRYu^qH4fPT| zB_Z)(WjQ}NnORwB0bL@uxENUz@?$X+AFK!v{I^pj{`E|=@JyUZ!|P@4m*um4Ii8+( zARlKS=Ses?%2mA&j*nA-kU_PYU0+B23#gtPFmPjIQk@->$q*U{4{&LvO=o7%hw8MP zK>8C09Ti~|KoN$d19~I1xj57SazX@)86L3uc_1d0yG{5Zq2i*VuNWDzVCU=Il|dQ? zSaqD3{m*S3rylYIW|e<%B_9dT*V5AZfzRp>IyV*;7Q!#6xje%6@$muVt)s7xd_nO2 z=FOWs`};bh`FaZr3qPZx+CiY+IXcQd*s}!AdwMvmaSs(Wp|ms{>=^(j(o0Q2Yu1*Q zNOT9|9W5=-NlBaOCMPDM2L?WX*W9DAou{-IHBktfzY|l_21U(4S%7 zu`%up6c|WOx$cVtHF|ab{(ZEZN$1m&a)b>BMK^*@>n3!Y`qtKajEs!+`S9`ggoIZh zEiz1O*ra>_xn&v1CxX=>#3P{mp_JQ@IpC)t<>u#WLze?keJdB7nklDc0z!`qtIW(y zaJWi0EfJ9HD<)F<$cSU(bd7lyHQnl(c74Jrbze3D+ zTGp^OXtlq8BN-ShTi@7T>Wo^XQ2>4D*3-{@n=6OTz+5eDZ7b)ieUiX(Bd4K(ikCNm z@Yui;_3Sq`hHx<*EA%Nc8OA%3wz8tHayixq4*-Omz}Q%SUtdwr7woL8Ve#?tBD9zP zIOxIOeQQL(uG}nn?>uNV8<5JrF=ZVYE-H*2y2=@E7sBh{Ncj&3pfJzNBs=)P$`#50 zBN>yElc`P=I^YJEYAwbM7~5r`v;+q~#vtP9fX>pLkyEW~M47If)zsOU)weh@Hl}T2 zqLN|vuU#HjtH?_RoG^HH%4f9<>IS?0##1OR+GQGf(iwvgyIm_%)QA!*O;F^{u7X&_ zcNZ=p>Rs;7J&vUQ`H`#i{(V&9f4>?$A083;KcI}BSx)rdZwfd4-@GZT?1zl6fnD^w z_@6EZ*!j;cy8eKn`~M*53~5naajeXLkmt$tYwG`%7nA>cFvyA%`zv9mkp|sh{%}M& zt%X|35Zka$w5rpxNN%!I?phLPy%r=bxTdfj;-JBRFpF>oRaC~$)v7p;Kx;#+-^YIu zyBw8u)F~_VcEPB^j;H3|YclS2R*JL5rIOO{cUNi@R&qB5SBq~MdtJs^0#RhKnCi&Y zs<*VV0yY!{)Cs`GXt^CFArrzQk7UOr_2Xm6D8d&_VMG3iz_*r?=A)K~R*<^nS?svq-D-iD6Kv zMO>lgJ~=ht@)LRkKQHVWlZXO=`ksLABWGcuNkLSO*9O$9P9hPfz%~IznUpod^^CLp z!7R`mNR>tyCtx8Ck6HU6stu%G2AVPw7KxZ9C`k*8iy=-`>6ZuKj#vV;QBGUNx2UXz zVvw#@ojiVrPQT+Rboeh4DU|zXh;9iQe``laru8V8!Y`<(&_04`X9MII3A!4>XEiI) zYWevBB$&zKiL63pYQQ7OfH2W;8NLEspfl)t2KilPzljG;mEPFtO%|abJa2sQpflr4 zSOqieoQObm-Nn72hzI|f1rS#*9Ls+poguBb;~P5VHweeH;Z!hJat=(;spSmc$^{Jd zA-(2Yd`Lf|3s423K7w_6oJDL6(F59frm`N07$P8Af%OIGXwbdwocCypn`Vt-_xc1? zzx2!JIrMk39jLn5B5PyAF23$zm^xuOCF0a(j3%=Cze*UgIyywtqLNMQ`#Z%x42d)T z%wAF(-fQ~qJs1A`GX~n-Tl?qrLsPP7falQ*xOm3dkmjBjt4_h?a(xggaJs;AZjvNF9`km^$RJS&FUp&X64D8?=xQaXF;tE!Q`@V z7X}bM&$t|WrkcQwR;qF5h6xQ~UfwuBWP2qwmwqcNhF%y1ZJ;M^oXhKZt_v7+MI+Qr zx%6?sj!-KzxFo@%|EtSjwbJtfAdDbnJQC=LG?WV2nYL4a${RuYLRcaQxCT@&EoA;| z)51d(EUn8+u%N&&jkQayD4%Q?jR%20ch{xT3lK}I0yi%6^l)AU5>Yifye@e z{lI2{>xPFvMVQ=+I_X{WcyyXb({9HEU~B={-Z`$hj)B;4DH}85z+-#6ro!J`n`a;jMt>3j9`y~Z?M{%fbwtG=E&;DQ~H}Q z3UPi8;W)dsB>`GNDcE55?%w?k6cM&B*u_JGpX!NdM2~DB5PgNGQk0P?j}SvMFgtV$ zlzLr&b|CA)7J=x9Nc)Gc1b{P%!vg@FO5dZGTecd^QVD}O4^TEw)-rMoVUP&sD;x}| zK)Zd4h76J;1RJ^R6j&i}e`OGofWpabu4iF11u=C5vEq8ZSprx2865m!$z9mN;W$eD z2xRo%APj>>iqHdS)GP1)9oF#Z1j`gbtI_dUbityAelM%2XgGZglpV1K#sg&V&q1I) zm0ES8dHGT%=!XE`;WXChi;;-n1MRDnkQ)lDDb}<`E{+^l8b29#o4>F0#9!o&=4jMV z9EL?j`8I0b_zj5yP;qqIrcjaUXopVo??(noUE*V5SaEiCcDc24d!P|Pfq~LV zaupC!FbgDYt|YgVmYNFHEkNc$dN8X6JQu9+#L#8Rpq(lbVs6Ugv|Z!w-MghpD6-FH z*Veud8dDc_YSKwbNomHBegu6YbhHHOJjAWl)&x7`$;P-Di%QzLoalrjQFcKAD?-NNroQo`IoR!mg1Yz?^l9F84diN@x1*G<_Gz1&I znlhKDBs9^x*lx?ll#>HhzNM=x83+To!9={gyzcu^)0j`63IV-sY-~hW#If8iGAR-S z$|dG%#@D}`5dw3TJjCJ2#eO%WX~iPFoE$jeK%GQG*37{c1Cw@2hS#EU7a4dL!m{SN zzSxJ+gQPkq)Vp{80x1G+1cMIm1q8e<``qOqY>I%#0>aQ?h-e$gkWIlL3GxA%$dpCJ zGsB{*t7~C-Im~$^xdCqF-zGH7f`zOm0I`LffE9lWGnEj7FX`xV2illE1_V3+kfH+x z;K=1sL4H2s?G8%$%v4(p4u`D{-s@9IAPz0v-3CApCcs`uk`ET`>W5kk4wVo{%M}jW z*?a#)4OY4vao_Z~4-PW!>3*b1rt5&8IW_vCyX3;WN%n4^6pkym#buZYm`&{f@kL;| z2Daq(?b|(-PBswjN`;0GL0K!}rGx7Kpxk!#bH@51X|1Td_Y)e`7HEJQ$4op3b7`e# zHrXw#q;BD^g@pw|3!3@zz!9_{icAsEVr-28bVh>U`X%)j!+~(;oJzTKtad*8W*SGS(^rP zPl(P0js-(TtbRcROmIO95C>}nrZmarrgF9To=_?N1(_1aalJ0X?trZ1Zq)QevKTMm zuv*wjD0IE<+ol18+)rUhBS`~ipu|F>D~`7tkWh!tXZth)}Vhk53(N z;XHhpM$UZX%gpJo98qv}Mmuzy)iQZft;;n|Ud&p6KBrmP$tV@oZA`v<_(+lJ2^bJN zySwDFp`gHm*&u$Mst$b)V9eAmtv3&lC43gs=kV_f!LSnqZwnYztt~B@@J|*2fJ|(X z52c7KsjGX}q0b1+wqmh(d%!B9Qy*58@^Yd>-zGu_FJr3zUUk(yKVVX zS_e|=eKT7$d;N(oB_%gcMT4TEM76aM00`>9&#*8-(A;2+%aX8L;(X)wtwO%GKnWaP zV}sGitMQ3IO!7UOLx3%Fi;HqwYenAP-XAhwzaQ#)px`@@4wRqux^3vW6PnIak1)YpySS#+qI`q6^1u^XT1kIG zZl6y5jKHG|?)S;bv5oER8Rb#fh!sUSJ#h?-bj}tS%Ra)42yrWFio5#=J`aqtvA2Fn z$yuR4mc4~+V{J``hc-BwiMSqHizb~W%kqHG_#olStf7}~egW`lOZUfu0vkU!!IHk% ze~$Y9cMCJe_!4^!e?!y#&x4MdHa_)h!ZWIXZ%V>&I7WuEkv9h z*~w()i~}ejHIK)5$%^3lN;VRVSF$-D+y+SW6uk?OM|8|#);mO?5B?wReP>ja*_Q3G zEVTqPVgLmtXbC8a1POv=0Ldj$f}o-xARt*XmZca7MHUcH5RjZD2NO|5at6tgC3A!W zZ*INa3+Em$!&AvIqxc0m&KJw@s)vbAE+?KJiyt;bOUtOo0*M&-tLgkHqdMflZ z;zNTeadeiLUg>%BFT1#acp;?g$#u$}Fu*v^=XIr`vV~2a3U4rc2pePrcw%dpsZ=VV zd12bJ=+cGP1&O|TX+(D=E>&*}HdD@}hQe)j2ZpXjtx7xlSWuoTzkMUDt(t{PQ?hvb zE4uyZEjJzEjwaLxDV2y*9^Puw`C!DnQbj5!;-*EJvnbPzM3!=qN42#GY%VHqB_Ox) zMVRU*;fSe2W(pRj;4{6AzNR~-95{H;jkp+4LHXs%jrR4uBkC7=J7CCy3oQ+z6@0L} zge^GWr^;xe4N9z(mwB_VM|J%Ak2Qc>4lVe&T>?hi3B&vFVAwuXJUS?1#9%=uo^6ek z%fAJsGH%}vKf)W3ouh5If|9$N#c#NTqe0+>v@a=GVfBX}mEJWYgCBr}z8FQC9XzNq z1uLZz%Xb=#$h1F*`IQ#Ha*q2y%I-B56AwMJb;o29{H=9%L zz-9HltOfm!_Xnoq!)2kT!F22lzW-M0%GA`fvEbPQH-+Vv2F^t3tk>GqWmNnXM7DqpSOE(m@XPCKd>u=7(aNzk_Rq&P zQTkyYj~ugp7tGfNT-F>iD;WiP(w@;3w=O_yd}QQt`L#EtrEc(E;jK=eKmVYh9fm-Z z2CZGTunM6fLqkRhUcC#IG3q?ZGuQ#4)w-D#QtyBMe3?Ro)8&OyiGa3wr}>Uj2nM7B zW^!`U5%MT82-V8+5;%7sb~9*%rI1+6ku?G9P}zM&AB?XXi+!1M(6=y$@#m1r@GGrd zLN`7YJ8LXTl0klu$ta{mfF$)(3VLEt(-Dnk?cFC*0vM z`{7ub!Am3>aiJiqx?kqhV%Ayf%o&(c9V)6mUVxd1u@DBkdwP_j=FkW3cA*c8IS;KHa^I7B+6gGJ14>hPEgI-ZyWjQ*^-?KJ$y z-Mc7o35^6Nq&XarTefWZefV_$}lRQKFyjPZ!JyiO6ms$lx|yP3Uj> z6|PJ!7={c`*)|BSB`3-Hn}+zs)km+q`I-0&aq8jFVS_3UO=IdEgCdbHaR*ny9>fWf z5DY3dt!14J&aXT=%y1o`O$Y%6QvbHTGtE=0_`Rqq@)~$KY^q#YME9>FY>jGXM7OUPz;;Q_oMfSw<>X?7(f` zp6{@g25|`XnVeWiXBPPIDV$OaTV11FG&43bA`57Ts3|m-1#2gXOW?@-QE}EL>q@{~ zdCR7ds&Yb9G#z}{aARU67`@#mZtcTv0h~N)JFbnRhO+y!nad(G32DO91 z0#*df?`{}Raf0-N<~<43VpcG_1EdA6{A*LuvOiFIn-}NNqko~ssEb$UMG0nZYs+gL zMD}!_nsBJNQ%PgKUAmF+*NI97;jdMPO2l<1cX|dcU6n6gr`b8P)A;kZreQ1|Jb${T z&D>mEZ*B^f2Wk{~O~HYg43-f&a0 zZuepwUr5z$dwbNZ5AyOveGkZ!Xn}&upUKV5P3m6n_XHg0cif;n{bHQN*`E>|xV_~k z)Rx;?HhV3Z`2X}mWfXlx;D!ExNt^*?6aEi8*Y)l<_t4Xj^UCcYa81!E0VcNok5t$N zA9{HaHwVH<9TpoWO1IuC+|N@+L4KkmS;^$zF#4^|dg zv)6lFT05h1OZF3hW&6pEHs9X3oW;mymIYc32V&wyWefSyf3$enZ%3util0RSVhpLW ziOEac3PK0arfKddZsytXUw1}UhSGb(OMMMI6aMBCzBh>OZ|T2W#va6p5YDJZUU>`I zl-jjI(XIIz@@=H4*11#JYh6!_Y3W zbpl`C;BODwVh8e(m@J4MPb@;B6Zv;rZVteAZyT{FQvmiH#zD0lXB3l=Qm%k>CN53z z@OQCyQUD~}-u_w)tRZ#vYQ)<`VK$^Uqyi)mnKkpw>VJapC#^HaR(r5+QUi$R5wJmy+EvCZsepIhyLjbQXv3Y_IWj}Q2VJVA) zJAhixz<`>ehIEMAX4aCfu5jdu8uZXni2oL+3A7M>SXdZ^bS-`e72OHmAGB#1NYe9& zpSvZT#b6rcvgSd%+|>%dLx^^(DVsNMCX_!`_09;lJ$M~r-k^L45%Pk218mQ0IOv6~ zzHGrUK{IA=Z|~b+0b|P1kSfsF&)=km$Q=NeB!%j~<&_CDa@%#dOcKyR1WJjRrNN|D zekgc)86%^(0#n$J5BRQk#ew~s@0-=}>ndkz-R$H8gCG1S6u|OLPREg6U0B(+s0b;vT_4W0ALPCsPT;LLeCk<^PuqC(wqf8Jii`-p{aD@&mNsv^E z;?!$VdRdx@dqk`r0MjurGt0sj0prym6urLGQkGtT94=ciZ1W7GhDUIEZ`r%I3d95V z-mC_r_c!>b;AKcN@0BF-3f^GVzbuQn)ae(mFB5wY(cR(uAqW-rZfRNByrDugFPAno z1?Ei@hG2Z6()^gex((7Lj>qnk_WZ=wjI~CKQwnPy6W}<(9e}ZR6whXb_C@6fCZwp6X z9BI9S7URB0*oX9SbIs4rMqvx~i@RFrrSKd%azvShiKzk+HV3pH8pRIxmU{6j52}@p z_w}ia&jDw_I!J84)ne1=50YP<)Wwb#3Up}`sSF*0K8QS^M|L~3R1HYsDxFV`pMTJf zrjX$>4z7*)_Nf=BR5Q4fFa2O;nT-Zw5UEtjzp$H#Hc>CyaJ+#>&w@{%0fUsqQ zoQI->527$3@@8lIQF#>4R(5d)4l9O7 zubL+e_uzmKM-`NrrC!#R;+ukjdDQ^JHyRUmLm%lcTpW*ttF3tUvbH~!BpzKi(W%Q- zNc38pSj5V(on>H;rl5ON4CE>(0i5Dp{5Q71djl6$ZhhhZ%zx$>w%{wEV~y@_Dwfy} zqV{=v>MV9Cq^Sc6Ps_0P?Rq_gZZxOt2P2P$@q9VjI+ok6aGnLhZ*&|{lOkgErPzJ< zacp4n(FAgZirS)lVn9dOs%(pXI^4;(xF2vvBR;vpk`Exnid#RZyYg)(;8WbKQ3)E| zeuKe^>7tgK`e?R6yR|zykQe6ww5I?N7Oo zoS`MK6J^PF>xSwKZdQc|<*|ph+!TZ&EZ321eT+$VP(8iHJtoE=RyGH1Vtkv$zLJ^( z%iKFMq7{|4jnk=Pbk!ET2ITrJC)G5_ZOesxsL)Ob3%A_8`ViX&1vzerLXZ>6znAz! z>@oj8Gnungtw#koMMareS;P5gqI}=OXQi*j0FT{{%217mJl(k4AmS?z$Mg8@+Hl|E zOixt>@|}8=c}H^=R2DGms;$X=ub)npsOY%<3@SQaNmO;OgM91_g}p(n1PS!#Msj<5 zenU++2{*3LWi_<}Z1)y_vi=t@0PeLwq?#Jr-Ue{lT3n;{h}=Wekbtd?}UY_MG0w8q6Orj@0$I;`d90d%*aiuyb>^zi*v z(xZ*ozs}5TqLoD_v9=v|tA0aFT}*W|gg`ap)y>Oy{ndpugJx2^2bMn)5qNX-Ri)a; zK}F>i^mpBtj`SILTe}1h?gsIJv{FFmgAzebIJj^?4>U-B!ggt8(NFwD-d?5X2R1Yk zI%~S}x+0o(F8^e$2WxU`vvu4r%C9^qx(9PJ`9EcQGPvkidPvv^ZefYrM^#3V*!V3q-i#H;IA*2%xMWDIO^7Z!a-!ECRW8tH~ZEMPI7}94>HqDrtJ1=x~ zv*yEK2M_f|#%UQIZ=nMs(=WBzV^F37DJxp&Cfdbx@l&CTJP>5L+cFa@QK0#@J z{P7bgp5Ka`X=p%>Ko=s(6Y!pJd2|D2T+`S8>8~eG$^awwNc_e1^2_nKvayfwA)b!4 zB+Y=$&COa&i&f}n=QC;L2VAe>R%ZixK!2-B-An8suE4->U5EV^hK~DvSp_$T?`f$GPI&tf=|FGn_bKXy$T-0A2NiHI4FcI^0U1$QVPBU8pP2__3qGU=_k^d3Z zDK|Rvg^Aocy3Yug?@^`C&cox5kLl^{C1DI*d!*yPLA;Sbcz}VYPfaH}yF{%!p&(GQ zLBCJD4t9y!e*EQQ@80OEbV>e2bb95P=6%}7UT=J=F?}zyT?8rW`m6r_epq(su$S)R zczTIV{jxIeva+riZ$8wLeh~8!x7_=_KgRV}iy8EH8`B)nh?&#B;hw+;JB!5VnD{_{*{B zE>uCpbB)kP5DYv7$T5QGig;2}YpGQaCK_=heuf=bH8bHV3 zesXZC`BBBAo=i7xIs!UJ5>cCo;Y21z;TMBQI%kfEP0%lDT3Og*5iZ$}9rFgCg~21| zaJF|teY@v$DaV4i9Ma%$fU~sxl5NL1d~s95LTu4J*ZG-@%s6Y?-ad3#{Z!arN87N# zQbVw{qu)KyfyymF0Qh9j`?)6c0AfB2CuxI+T1L7B96?EdPq}0^(Jl<(l$c|X>nOWC zBpZ`1Rf06R4fCq7^HO#}63iG#_TU78H!v2W`4r01Q5vhL4cUie@B{k7Q=z4&p&>Q^ z*y=b+atNRd@b|v~Nk%FAVbvgv9B5YZ2AZ0h{)5%%fOBuaf9r~N+VOD#8Cjj2u>4}tos#oZh&KI z?F_5Z*Mrqx?&%3{tU}vF`38D=J=_hFZL_+Z+n&odHwX(+P$fck#!5727&1W8Yj;_p z`8!8L8OM^4h6%u%mMk+?5F%@mTsnnx1dDD@vLRK1$%S8V6?kKEE>H(O0hOuVs*Y0u z?wWKZW9CI=AsY`W=$LxV2OrAQC-25S3E0TZdiw8KM#|&5VY~f>jxGWSh|Iqr4B0&K zaHH*XZXV;|AtKbGwihn&=9gg11AV}lD7_!iiiM!tE z-qw9=Y(HTp49XfAi18SC!*AOD1Vc2ygi50BMRjX?Z$7f~!`R1-+A9+4u*I&zJV?lB zIOS_$&y_D7EqIc=qTe#hfA(DpH4K*#j9jPuH75%E3E{KDtDeaFT^qp+nO+B zeSGx@6x>;R_I1w38NO~L~%5P0?k-K#(#py%8Q?y#VKOER})#$JOq~l%jF`PJ) z7Qx)a8fNZbTd8fjM-53>uoF2(-7M)|Qu|x&4Xdj%8C%VS4(fPi@-5q5pKwYzPfB?( zg8<10k*S7t2T0L*g@z?v-Nc(&f(b=TOqy}|IF^tY9)p{v+=464K?801&8WhMhK5jj zIB0QRhkc9m*uW%2d>e2f#q}FoAvaXPHWsI1i_QhDr$2 zJzz?Ag~XsXbQ`2*oNVIBi@g(L?+6gHs}fKXAC}AtxNlK(aB5PZ={B4Ug<+~L_Ol=f zdf*=$fOqZWEn3_ZmnV(p!K6W3taz5hgx2 z8Lxu}4&28!Y?)wB7_Kn4i_cMj&FUtsH~lP^ zm-mz^p7^BC{VMk86nr?}G6dT5pIbbs(s!5C%h{~3q=E)uGy&X(`|x7v)zsfrRQ~kx zQVdGNSA+3G_L3y;1(<#CA{2n0drvX$L5_lkjL$s>NfVPD`cN)I4NI|`*1x}D_i3ZU>QeTNQ?&8IM7 z3GVmL_jc-JM;&X2XOlQ)16r2f(DQ!va#`wq)mm7CD!&=CGsx@}CjMVskw$SQl}((; zqP2hV{Id)kKZTHu==0Hl@pW;2!T@CB_2I^3-EiD@l)`dt3S;V`YMP;(JSW$U3U`M#k!+1Zp&ajM+Q zgD%T%aPY!cN5)PhYG(G}FfaAt&d8n77K8A9)X$|24P+P(nH+?1 z1-D^-CixR(DlwjuMnn5qBg8|E{M*OKU^H-Q*lu-zZgi#dpajY9b=r>{1}LLo^35+u z7I5eKFHRJNLnE~uYZUj!qdU-O^Ea5zZDI^~1G1Ot@%z)5)9Y;Ti<>1T}7ALPidO>U1?zQyOhrB$uI1Ba~m$ zTWupFF4z_a5ER^5P6i`IO(T4!LS|ZA#=2ew;)fn^4CP_#D-&4&I?^ctJ26qoL|j4myx*&i*b|=f@o@B zOiaviG?^|_t6jG3+4BK%^oCRV`UfyN2kd$v0uSi~1vI4)-I??*0F?q6-U7tsqiOQ& zK+6cX2{-0IV4%c9c*uwg_X&1yuMqL|uj}8Q$ns|sr|xgMB0 zQNla@7_!D?dlQs6+M+y=PFu6aI`RVHqVNt3ECu3z46+GTl6J1uLy4vC&2yELAf#cI zyaQ7T-`F>B+Ssc~$>62iDq#hvBC0&h=&=|Rp&`=o;@w0s3!(0AgOWT)?d3}*C`M*lA8&UI?*)#5TtC7SLMAC0a4?Z5-+`l#tT`_y zw*mW=6I%-`yPFp;;sx^2=`&}D&3ow6^SAQzFq{7m_TRPWRJ6%9BeXmu^0z34(84zW zBW-S!4NBI&ra^7o+rekNGBX3`f$W8uT&}3*yuqRo zaJqKWp7S{Uy3W+=IlA0dkz|okW*j%~IqNRTPQQcaGKT4p!9S$I;OU7g$)u^(!UBza z$L1PNO2L4DTmKrB1Uxq?_u}Iu1YoYkT`30fMUWZRWz+n|rtm*qhN1#Vy$Kwg{8gz4 zcc4u1Up3%X7Pq(PuY{!_n704PHZ=Nz+xDYVLvDd?+cP|DFYEM!gLO|%HjAw+LJM>s zQVBb{Lk)w>Pp}<4xGu8h%O{2!)IdNsLU%u1V)GNDQLE*q<}8Mh&7khT_-oLRJ}zRW`? z_#vHj5u4JJ@0xR&3r*&l3H|!@v19vH=uyf2(2B8RyjS=n7S|c$&Cd1>;)yoo5C2hz zDlDdd7X{o8FEuj=sUjTO3Cn>E5FcS6Cbb6oR!B?lST}7n%3x>84NIw@#Rc!$eF4P%94)83ag`6r)UI&M~|Sk*mqPi!FHU#n>|7MadXqdMfEh)Ww-5#FF(Et z=l-=6Eh8F-%D+G<<&|ihZu*sua?S;Y4qsCQ-I(M^Hl$g~GEsnD2^GK9yv4&qMner7o zVa^*;C_C7(exA?d`nI5fH+&}8|0!S&!9PktHN&AX0OhoOM?j)h7z%UmprG}qP~byN zi*3~7xlm)E;@x&K3pY|GR2k+n5WAhV&1MGxC@^~IN_vZFJR$gqHBdehH!LSdlinK% z0_Kqv8SBW12*f0w%*5>MU9J#ZkeP0{s5ZsJPefMGO{MV9zdOj0EhLIV}Kxflv37@W!VugD6 z9zOm!t39v=adL95aYZ_;gNisToZV)XHyH3wu&__@J$|sTeqbN$Am8DXwieiLWa8f^ zES%HMhxvEzl99B22qn<45cdvXS_!5Sh%YbbInYQJ$2d+%<}#%94MrL^aMmFGmF^Jv zAJ?^N3oC2&v)}GMaChg)>`?=U{)mzLZ@qVbIO+8ZM5Vfaftb+Ghiziv!b#?79Og$(L4{;=uY2Q)hFFn1HW zHsvKC9*97=75%{oG!Gg>q@AO}M^Xx_=e6=}BBwnf}p)g&a4(f9#?!Mg~TDe+t(aU1)YAYaGA6w1<^LaXs6ug`mfXl~ zh@e;svR}ahV!?}QtN9@SU`+@Tf;9w2lV04K;@RrOlF9+x8V+9G&BR?XJga*3@%uN3 zy0@_fc8lG<73Bn7#XCH_8t+pLN_upaI&PCfY~~ij)QiBLs&Ni58o(D(ahQJNMotcn zcgvtN_lb*#!RxqX`}VWA49w!`2KY#uIF5NSOSF~gXVTbb$n|I_tU=2f$W!$=FVcMr zg9|7t4^$P1VOfDrU`LV3wlFclq9wHX3^IeB88%^K%S%1lf+AP{bbM z1JP3jvJ!(0bx>nLQYJ{EXDZy){vY`$974ghft5w)3ODib?buNZ5RMv-ST*4aY=<|L zvD3@`c!RkqhAz5;$RYhk1nmG_8^T>16>f;peArEqm?8*b=TDdnM8xJW`lk*(oUqz+ zkCCd2j2p#`Lt6$r`dRmmlXGH&bFu+b>Dk#MWvq|$@!h}?$+-^sf_s)rL)F5XRz1(2 zo0D@zFeJV{5Z?|L81+hnXUAe(zan}>iMPl!2;FWV<&ecu7J;HB%47T2fiKE6p>2)* zGhTKXCd2na@}9Sg=yXc9W_|6hzb7_srktgsf&C*4$QSfE7#joSMCHl(c4gBL#0dXR z7lWg_WN2Dxigug#cijGf>Y*QGlw2_XLx?-=7OsB|3ulpTF;qaeaeI%2RH4nUtyH_y z0KH*nLria1_x^9`_f6J&&5_t@kpik%z!}6#ZMKxb&urvL8gzEH4Yu9TMH@DY#~S(tmu?Cfw5pR+w;Br6c z0@%a}v?O#^a-iTXh>5Swx%V$#07B$;DOy=&ke6GDsH&*+S#}(vPy)|nI_b%SG>2R| z3#+Fp#KN4<_E05jf%+M@t56Nwrag8aC(dUT+)>U@Q4_ISpNr{}!UF=LF=gskZf;qi z>Rhm+PMw?S>FY3tFcN8_!Zd5~XY^b9ArL%6C2|U~nli#o{saWA4XRvH>uHo~1=x_j;Q>V)HD9TE*i?&~4f@x2!;+WNXLKn2j-P zJef4?;0JN)$zf<$dhH8Xu?IEQl(2_RbawVd#0fkv$g^dW%IkGq*SN1p=Poa~b;WDk-q_L1 zan`|eVCb`SjD9}Vtjdl}$u=u~N#VLzX(T40-MfGP+q+1PiHec$!rOwTHcdLefYvvI{!%;yH#2w%`&nBvuMC4xq>=Wr4+@4b_+ z8TygCajB|nB;KW;>qMC@b_mbkGBH{C?gewEeL6Fz(Htff55^*hIL-BpInSjvt08n4>0E^IaB ztMR*gDijLksN~t7D3sz|Ti4@1^v-hN-|kzz|LGsFD+E4%@H2(ty4xj0;`@6X7YyCYDK41b&<9MN!^64Z9vK-KC4K#9&`$m7OVDmLQScB^ALjz%&W$&J zt~Y9Xl?c;)BC~1sZ%x{kRclI}fD1wRMWG=|wt${O`OI|;%1kALw`rD^PX^lerE3wy zA;<8Wv}a#HP@OL{NWGXJ4ilX{(un{NMy6q%B{!x0bog-MEh(o#?)j(z8 z@;L8RY8e~7fkH`AvdN=Og?*fxpARf5DuSCR2{hRy*mdXZs`bEfN>;$ zMro{w0t~F0ABQ0V6BFOH2N<`O3{wJ^sHheo#B`W~g0ysvEN?+y2N*3&|A2r4F?F$U zKX7A0KHLhmC=Lro2uEE5R++r16Wj&3!wr~cF&J7$zBAo?dA~)uetJ2E{F`RQ!>Yi9 zY5}Cw3z$m`q2p;5ITw&o?y#Or45E@r0_dl@`v(QZ;)yWt-@Suf?~06~V)E3)Cfqv5 zKmj&j6F+b7=Kw%oFzI7n_`L{h!BycBU5nU4-W(k+D>N*JFD!pAVHr?Cdz_GvIv^R| zr3rTA2K0Mh!UJh4K76PL>YoKm2d(7|vn^(hM3BLJC=Fu~?b0+8E6U0~A!}x!gDvq= zo*G1Y60wX>^TIwV=`(|0H3V?M;49zC{#rzH6lC0oHPVRTqz>cx1TYN8q$TYfj0Zk1 zaLTz4AC@OW_VGKI9LEz_8HEUMjEfb)M!L7ikDWHwo}&y6qiCQyd?NHM+KQ9Vx%UMD zTMZ#!HCHO^ zH!?EPy3HgDH-9)OZ@d;2RRemjKyu2!NA(OlksJ+J9yI^}WU$vjM}x0mmsWCg%!mDg zap%s1(ikS<$|PjUBmM2`+sy*Nh!DASeYP_&L}En)+hTB{j37m~=Gi8{GV4mhXeUEF zHHhiBzI%dNJWAWXiHT&A%28aa%E`Io<q89)Ut^U|t7GJ)cnK7>CY}pHJZqc>4?0ASN{~zfes4}=z#@l; zsd#_{7Y~md;K)>AAfg<)F%>XT{vis)Xy{DVUq1Z?KIaqK5#W^ib{-9OjX36s@C+5e zw`A0rpF<`9frB)Jg$gr?ryr(FCl_V3jdlJ?Q{3cs20`Kv39o65L^UKk1w;X5%t01F zJA#GKXRD#wa}Z0?P&8!1d+ot;vUQM_W_+HWjt&dKD~$q08BP=b0R-yb2hg9GoyI!p z>*Esv>n?dP2R=?2@dU#VBgt?VRTeN*vWRaGRMcQ$s4sMKkRCLBN5$h?w(s5@i!63X zP*4rk5jplKHb|g7q#TX$M{*ce9SL@XQ2rwrkg1G?BxlbF#$kKxn+D9PRctKLXPv;Bdi3JjkBio+i!Pp6Jzjj7ZO;is}+v~%CdM# zA^M?bPDW17uWm>MeX5QnM$IYDQQ}~~TBAV;>E9HgDgYegh5m3(WI~mVLXA&O*o;1b z*p&ojWf-P)f2;BOaj@5ZfBp3gH%HCzDe?{Znz+f0p#3rdq@@QHd|hC+8m^1+BH;_W z2%V8mxRfT8VgeWxv~f4zStRkvFe8{F^Ki&9yXhC;qH|JG@i3ATFvVdACpM0q5->;u zOh4G!U4xTn2OWUM`fr`6huXDq*HO&cPp8pn0*(u}3aA4ixp2=) z9n;x;NKV(&TT~(?H-`7)1e2>mA7k|ta2*nw3e|7g#kmnVD0w77&c@~y+-+J{Wr|cwfOb8u-LfkcTHhW&|%+%}qqtFy3$oeGQB6$K3AUSF>}*R%OgF@;tlTIM!7} zav%b+_-2!JfT&NBa@oC$tRd^gjiWGdjW1(#(A$V#NYeiA(NT|8&Ua+Oi#%+`B7u#x}y@A>*wnV z8BF(NGqTexw1rGU_fGZW% zUaL!R6Dw}@eK{sfPZuY|mNm{@6P+xRdHcyFiRHcvt*@0rZ{6O`Vst^}c>Hiv+Lu)S zd-h+|;;(AzF8yVdqfPhAFE3x6cYq^)``*2Y#8k4d44z;X4Mblco+Vp7g^R7W{$wxEOh!dp}Y?krx)%15tI4-21llU2s zo2^tS$; z_WY^I@{g4sId$6Rb@;phCyLqe=RmiqIy)DlH446sc3drR06&Pn!ypY$?Bgu&rP>w3 zG^-5n9H(($puc|Za>^z<3jZ?PH9VL?l0+ELJ29GMfr17g0J2aMPib z>7;!Im^L!{&Jc}WGP1IDsB1|o$0LZ;?253*lGQWMUAy({oXH!S)zS2x6Fk#zcYC$! zOvD5W#MuPezz9MLJRA?M{ri7Is8InV$3t?G*E1X_>%MgZd5aF!23SRsolvM6zk9H? zHP(afp+Fy_F40gZ?#J-Jz=wgJ#i}UGMrO%zk3X&L1V`+vX)uJlsxD=$O3%D?j zAs9!0$0EXf8xI!d3rwF4;DBSvuVYCqL_$?Ng(#G-BPu3agC=Hfbgj<{zNAIn&eV{4 z!|cA6!6io4#3e=4DTv4-<~@HRtE(0{J2}DY0jzrgp@Eb-0BkK|HmJ9ifz$xymC@2h zY}^W{~8hRKMHw+wIGL6c#=t#p3 z?=kizD~`IvfNp2H6m>_xV@Jy(n3<_VzXxcIxy)B8&)ydMh9L&eLrina9ZIc{$>)Ld z2A$kLQb`7Dh*g%teN)Fgkep+@YkVWEk=jvYebs10lXLh>Zp&py?qCPxCeWVGz?Tq4 z*B%eibMm|xHnC)UZp_9ZCmbmt+n$`Np(8F;ohlI`zwJ0lbCnkiF+1OSbBFw}fpSVm zgs?QH{S?azT`8n&wJTSi!>XPD2*Ab8eufakgzA9jD5t};1C|#gybvSc`|gfUfbYt1 zLs}tdeS6A=1N91aS#FRMsA0zNB$huG$#k>rPn#~;hKetart4~(0n`|MdUgjW0AT?Q zx=n}{negZ2Xn)_!s0#?Whm>LcItLarBLD*QU)2I~g9MI-T%OwQjK`YD12_JTVK`ta zP?AP-b^Jn->!yae2jMA~ABT;Y)#-85XCeeg1Zxlms?7gh@Ub%8=f7be;b}m590ahD zdj}U|EQA;7T09eQ1`px5fl0eKwkiapLC&1mD)_j+{RuVzxdf}X8-*60`V{sDXk}pd z0?LU)@WQv(6!W2mQw3Cq?1vn3DT+3Mx)av%1Z*pUaTt@x6H@k`xOECPj$h|HA;cwP z#tU;B+u7%ZphknJxAbR?AhaM zsqqe#D;<{fdpEhECg5`NQ@p-;)CPpq#*K+q%;1koHZR)bb-+p;1f!tZII}TkiLBdu z(q0A5{gwA_&jSMj;?PKSV;rwV>inz2G}%f5BE_}zmbjTwc^u+4+jEY3@o~;?G4o|2>BJJJipKOGm!5Gx|#=%imx6q4}oT_rDqVcMv)Mkm32i^#k+V zAK>i659(^$#mKea$tcTzs$6O z)TVxo@R9}{{gt^lc6_}GgDmGn=E#(&bvA82(Bz2vqhwo_`f)|xDi>P3 zy0y6^monI^&GR40r}F?|}%P^vHz&=z9XWN2PDn=2@$a_%0dy@kG+bZu^tV?yn= ztgr=%RPkP#xe+g8-%hUCj+0aA7x4zRxdpG!PQ)9;4;~p=zI5LFLagNbg1A4HPMZjS z&BynyA1T+%I7|(fk!_i{WL6q*GHuO8>#2*LbIx|}^4fdFcLp=8*q`LRXcqC!r+&HwALjR%^tPZSF}e% zwvTO3u2AAd+H15|(oF+xgYxPVPaCAptEybI(3qb%{VHMQG*%!u)#~N2z{|tZMvWrc z#^PZwj?8DwC1p9c9JF6htQkI@kuI3jJak-gv5j42zV&idaCYGvlMi8Eh2%9p>DqR> zL?#GItXb1G>t=3iT)yJ&-(Yj3aw)+%jjC0UoYt=%%x$Sgp*(Bt>lg7)v&-sPYuory z*>d(!J`Xhs_&37eMgQ3YmcSZQ4 z{~ts@>gU+tpnR+PMweVSj@Xs5q;GR0krkEJ_N5;y4}Ti3-ejk{Som#uYU1)5qo3CT-Tq^WEg13!WO68XJdcVKw9slgSi!LqabaHHL>9{V3w1_#s)JULX#2v-6i|*D^ zUV`?wZ)SwCq-np-G&=8d`t2VLOC|U5j9ixYo4)j=JGTgO97?;yK0E3%64l=D_z!kO z_~O#UnyT6Ihr+`G3u@GL7aQ_T&IsJx6CJ)sp~KPPctc@ybil{fxWI5~h>r7snf;aa zHm)-6`ta!Y(msMo=aq2|cO*DydyYCfO%MGRKA9*e(XyIWkX)g_s;jVf;zm-++RT}D zy?B3XK6M|f8!OT$>#66QmX>v*mYlLiZCp5$cEy?3_41qAKi#Ijso~*-qZ|k`+pmkP}S@Sz&eO#H0&Gc1vx`?JtTPvm; z@Qx{{{^s$Fa#&MBW;#s1_H&!T$cG`vhMWTzX;Rh=d*@%(d>XfGa8XguER1?sJ^1Y; zQEJzv#rD@u(PQ)@Rd$|vzW!qlc#Ie?0JY&xpVIA^Mv8B)0r^;2lDUZJoIa` zvvg@uefEKWMg{KODuJ6JWY&_fIpb#Ix`vY;UE5K0xOP1d)oVLHr83VS*N_u_CwZ%{ zgUVYu=f#B*CVVXwjTWKCTk`)0AlwsO=jE1R$l^%koKw@)agvueQiUyCpbV>7SA$Ta zsAqrpz$3gThc5AwY=E!C@)uz{K4o}vK-lLGhcV+7NvFUg`7~53&N6GqQ(RnV5|RUB U2-Y$>_#s95oWj|p)0hAFZym3l)c^nh literal 0 HcmV?d00001 diff --git a/docsource/images/WinSql-basic-store-type-dialog.png b/docsource/images/WinSql-basic-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..5d29a87046f84243536309ec9da58fb96b4b4045 GIT binary patch literal 51024 zcmb@u1yol3_b>PW3P=lzl%xUz3W#(H2r5WRcPfo^gMfgPhzf$VAV_zIq=o&{g+h;n{|d1& z;gc|u0A&=47WG8(p^D3w)p1vKmFKfqn;ZFfEBPC7=x^V?Wld*Z&nTa>*3cw3*QouR zW*R5j`wOT2cX8iu*`l5YT-TjdWYNlqRNg%zx~yS5`9`C2gV0cyNsLUaxNKv=)rI=A z`}~;wLMNYIr|^RI6Vv&dk)JUM>Ci2Mlb2f;R^9n0^cnV!3_#M2h!L5`I+Jv9JWyH8oO_^0D3K=S>N#gprST z2@R~R-@M(%SrlGaU-_z5xeAjtr{+V{2SB=L0%Rg)-|E?i%^~R0B z{wy^KJv|!S8~6On%A9llDk&)uQBdFni2J(k%qPPVJR8}lt7THkRGte*EzkN@gmIKReE?DUzL~)JMzhu9XFnU-FL){B zYdKIY=}Pg-nIBjScH)!|PuC_lr{~Q$U1Zf3DaS--Nhj_$FW+`2au>nh@D#?sSy?GT zAK6!xS7^weB7b{oDtw1;Un_Lp&fQE#7H28shf!riY7WNk?s8rh|Mj^~Q(YO?%1cW9 z%-oq4SJZBLzf`ef@1$GBB5#gQL$oD97?kXmQn{%e34Vevh1oeV!w2Pbp}-8)F~rQ)Na!91l*yCqBF z3735>$Sf+SQp6?hFGhzi zld7h3aPeAeqiksDEC5=L`akKl*X5 zo4oou`Sa0XE!k=Q{3U`5w=3f(r2%GwtymN3^TrFt!DXt#XlW_SJ=H|$H{_UR&Mr>< z>!-qFDqdV-%jrO&h_C3ITH|3fO0VolNJ>U9va_?ZX_qUovZ-P{36@l{@X59q`+6_- z8vXO9+{Cli4BIcN2WAypXS=iN2(#Br97WWyeIeBQ%+c&+j5>@C#uJ~0^)%p+QIOX+ zt>(4=#b5PdWsPK5U9iULN88rbA1Y3T8(uqs1Czf-hFXt z@RVLn<-3BW3W4%x&aYDV?pIh@KfF_8J|A7L>*oCsIV}wd`6@IpGAch<&FcFS=m`I@5EE2a|D043 zVU#*zOxqur>DpMi-f!;PlY&F`nQVZsHH`m4i2;MJQq!W}n~R?krEg$@W9Ce$KKhw= zGiX^&BU#cllWP7GBmS{bZb~-s_NzyJ?Ic&bQ`2&3UGwJg-ieV&7(X%KPmxo({Ig6| z{$cBS&Q@DWe2`FrPq)0ukDh_*mhy(D6~x|Bw~bnlmH8?}3B>xz>e}ee6jYToTD@3o zk8P<+^8|e@qI=L#vu3+L-WBLjI<#qE`+hjYJFOL_$Qk7~Y_WK_X}+Oik#YY%XVcJ2 zPn6h7yGoi8!(C3wKqsAgdA)c^h{^Sdee8rD5)3J)H_ljQ&yIHIsMrz@7(zqwuNLZ) z-IKgEopo?9JA5Q@wU!ri=}ra8=VOSI(chGD7pHRtAwe7F8Kd5oqg ziYVxHOFc*;;3#|Wh6sI_{4(El(!ev(_{NVr7doUj?DbK_=aBpUjgV{|dUkz4-t@w*<9RN;+VlZLi*^jAL76OELkb@swX{KNaA?t zL!;BpU+xi&EkDGwWFKkVcCvn3e`904nYEopy8a!(p-VSAKv~SLhn{wYEr}qHBnmZF zv&QMziNd4qy<8eTvZwOvV^Gz*x1OSs(+4yuXsGdHSEI%9Tx_a=D{|`tgvEhzK|!%< zRu2m`?XeywU7=ILhIk$h!l?@<7$57-l(r}@EtS}KxK?o9$f3;_@4v4zR^sM$?IVl- zM#v9Ax=D-v>#h%KrEE+~-Z$V_Ua(M6iV9@x9p=S#nYVP7SUX=N+({D;Td^a5EZ_Mf zihVyYFnZRrj_QIM^Ly)xC!Y;gPn7+i%6JBWlQQv!zoSF>^mr$w($gJXi9X)mG#$n< z$KhEbVK--D+=OwnCXPy4E`=|b{&x3fV-y;^QQ?fU)qHW5er5aMcqvPnnLVeeeIwlZ zk4P_ZQGr_Cw zx^pv6Zo+5b#$|)em|Up1ef&SM>E3y8ld#^{=<#ngui}aSk^9VSv!^PR!`0OL8M{kK z#Qa9zX_d4-B`QqxA}l#C4{L*I^}QiAqzXSp zUR!$cwGJOQA3>fsA6mj%e5`{Iz*AjTH(g<&c(5pg4XrRgR__A-o1&__q0iD52L>tk zJ3sNcpHjRDU;Dmy+X3o|s14s`l#9vmEE!LMpfPEBdHkmkiK=^s?cY;1PZToyf`a8* z2=(4HrhUXe--v=@3Fa7v_>muhhxysQw&C zGvF_grb6eSg$?m9Zf=Q66A!SzI=D3)S7+GzMtO6yFi?h7D`&y&M8IhKx7Xt8#ucv5 zoGs5b{FJebwvI;YrjG&|iG(Vcj6X4QoR6mIVMt(HlHZq(sI@9M>TN8iihuhkIqFYo z6f0Y{tQ~JvhLm8)PJ4mb3ONuH{6Ka=nsE&`_I6hE_ zv2fSp+FUkjnoG#HFBa2ya`|4ula|WACwA*|j$jU6Gm`pIwphH&#F0R z_YCq2x&2Dw@tQCHJ+vCtfEfC5O4w@fyKmy1Mx0m<>Ent|!Hydnjr)#F-Ed#0Zmt6q z*tdzVXqGuP`IDnz>y+ajIm>J=QP$0j%7^RsWP2?R*WDFx*!r_eH8Rw`KAC>{oku6= zF~p#|!SWYh+nr)*lK}Juc_zcPLeE3%e#PRYxz|2)wcI0I(?=*gir&lX3H$lZg_b=> zHh30->C0#Q9 zej2NhDzQm1n&_@HmG~}_LA%4j5SIZ@=FpC><)ro`TBoT3v~8;`O#A^r+GNk`+C@+k<|d;B-x^qSCnU-Q$cv+W72uDF6@ur0P+|#KTOg#gvq@eOM{gcim6yK^77~wg7$nBni8fa=tjzSsI=Lp zdwyZwXN{sTkOd@M`HVg3PJZ_0WG2nIwZ2U2`60lIR3hEY&3+qpqalB4j{BVcsd3z- z0dg%xd6+*sdI^B`5Amtf>IbpEW^|B{(xiTi^GlzZ+b1>aI-K3W+5{b!Qkk!67+Diw zA75`7&kQAqa++$ghsN|_+_xZkc2Xn2H`~UKp`fG?p0Ro9L-c@%HW~^tob19<&%=H0 zc?W+-o!09xnww3y41-gjf3R+imKHI0vR_zu7>rvzecM%EAk4W*v*<^jhc7WIm&?H! z)zCA52l(8AYlE2z+9$}*j`<#QuX*cOTI$yF_ST|shOoBQsJOgd&*ILcI^37TayP|I z_fm0V7okGyzZRt*uYF=THbzG!4c0qxlpNZ~dzX0ulkTV8U0uLn6}11EE&In^0qeJ$ z(Iph^zBbGDs}Mz9`qs>RKG0PSkgdr&X1pCIT`H#jbVikizgES*;Dj`Gd|1U2*+~Q} z%FWdna_ktfCJ4icWJ#mgite>rZ*n{&e1W?`a4(jf4%dQf7uymS6(o@0^SbJJ&8_YG zm*3|aqfnn8sZ8XTFRnkOZ6ns?v^ z7z3jH^Km<*OKJYe=pnDCr?C2H`vVduf6XatIZiK4Z}cugy#QC`+Ll}!c?RySa7JU? zl5!iLa_2-Rxlhb2%!6)L_b-;uN}Nk1dp_cQxYmE#zNm{V^8P_n;G{@kyrPZ4#EFr? zhW7PxWs<^8L>@G%wJK^WI14`wpx`B5r)4T4s=+Gp^9%Vn;DjOJ2{|hfEs_v)u|v8( ze@)HmaD~I_=H21}Q_EjRHaKRyl$Y?j8=`q8${N$O`azsUBWz)C^ zKKAkcL4Mz*9-%I?nWGmiBXi|%2FieGMo0-f*>*v-c7XHm=)oq2u#nN3h!^vz!~bLH`FYDMF}TJQjcf`mT#boZ{;xBNf{ z{d_y%ukA|{3>nH^%soui4{9mZ#l!@ipYRi&Yf(yM)|wuD_#Nk}pu$2~9aJQq{AXA7 zuJ=*v$)~%&*!`Yv*{+{Ps1|(I}Kl7p= z;Kr_0c6G2u=K0xwCtB|!Yc(!Lj~v8!cUKx_N~KS zU!Z6l)^yy}sx{LF{AC51LNuAGV%kCt7W93Ax&W^zw^8s?Uzi+{eM{|Ym2Vbu8$sob zhd1>ZxmpseI$rHs)QQsY9Inj$>rKk88#<7q#p^aH5crtxQqTLMtB%zylINhy zywvSeI=6vVq$-yUyjxs)D6dEO_UT8{oa*C6%0;j~2wzncJ}Il^dT`%I4a*Ewe-tDc z8Z%Th(Z<)mdv4B)`t4!F=TYU}NA6?tiIH%vlan}Dk|c)Z7wg7Jv!0@6a8c__WaOv7 z%Zak}KkwAg79DT!we(*cX!$W-8n5b7R6gUhE!K;l9{clCjAYKyz>x9L;KT$#lDJ74 zG1Eco^gx)l!}^kjP24XTR*N-9RTdRy_B{VuU+P`_b?;j0fuq6RsQUKSD>Z?|jZ67i zWP2*?d;(gtt6MG(tHU^6=eqd1x{q^IB@{DX`>N1jVjgpFWFKn}3u?_AU49r#zVFQx z`FLv45MS7{^A97vn@Zc?SIi%uc5IY%G~`+hls--C8T*@F;Bej&70qh9BwLt{l_k1|TK zV@x;Ov#j_#Tc0zSv;33$z77<=sz9&!8~~y22Yi{EglTv87Qnp3fye|tP9*a8PI)-A zjHXHsp1*Nb!?aiOY0EAtG7%$43b!>dWPOiofK4&Awu|Q4LFt{XUsfMTKU$PL$szqI z+a+NxPAW7aP~S7MTf31N=z4xPyW@|$E!Ju6T?%iiO7y`2CqCyH0dZ3NUMeGrYu7(8 z?5I+&eqp06dJyot=h8iDo^pFG8jxz68 z#w+h$d|;1(qB>ln8gX)XlvPR)%f5L!W~d!elk+?<;NzVUXFF-hq3cvfdnp62e~V)q ze_fzkGB@=bSp$bEn9lR6vj{#gl1FLUzM1RhzViqP%_}bC=7H7VW0Q z*Qc2+B{2@#L65}&@n38#=q{kQmlBY=SlS9AOiZzrV)c7!q1y_C1|vWrBr0v$aY0Tej{pep`sWZ~9m z6NgJH%0uVMvIJLTOD0nNG=tsJxRhEE};#U z(3Uvur`qzHG}YT&om3TXY8yQbEa@LD@3E~O&l3WFHZU>6tkcyk*>`zzix~Wk#=fz~ z7FHeLwsG+A^l7#%Z7oG4>wNn@+~io&Ha*MBT9Z%k^~U2L;8cAC7o zJQdn-s`N#~3X^+uxDkEzV&SfA%vGNOk#OeU z?9IcegSM}{snWYBL&ARin!ex)Gb=_x2V3*dXhSiv&*(I@P z7cVWo9#jo&HM2Q?n=yMOwjc&*`(_jFnce&%xAFMB7YZk7EtuF8lQ&D{NDq(wFoMFK z<`i@qFSKeh82{in#47F8E-lXIY%Y$*Z2Ucjt#@xcFrHH0XrZMycEJU7snTQ74%wNL zOkG*Gp(bm->J{S7`10^@VJ(B7L)MyqDY%kHfjpeOactLUlh{}+?|Zrqj~eAZw$Kz zv((R>(*07{3YrlKgGZ$cZ-aMT=;kE5g|PELT-4O~L|Ugzx{?tFo@+Jhn9y4OT8L4s zy^^PNta)nsvC(n}26rRT`d~U}#KWmkvw}OjL@D7+FUBL8jJr8xzigH5I3^BO@poO+ zP!u|ZM+VbD9RGlbS!&~lWOY~X<1Fn1oqrs$>JNr@KZUj7hGp=es;pSqgw+G#G;3X_ zm@*G4w(MtHqX&`d7X~q^I*9YS87!gd$@};3S%idF){m>BtF?Wr#|*Jc ze111vn^!&1tCdpB6xWrz3MEtacc}hLBTQl8D?kh)KYe&!@*${%99%DOIp3zdzW*Wm zmqkw1ru7}As6qur-78w|xO`Qk^*@`4j{Y@iK#JRJ*2MaLZ}%uuvXAsGyCi-WDA#Kc za8%ma%U_1Gl`my{V7wRHGueno0eb9+51~5I-2#JciGngPjG>v zbwZ2hELA={7pIQ|*u9oB!e<`v`WMda_qistqGgA96JlKD?gC=T3P~y2iril73A)UW z(s0U@?G58CrGY}w#0$%ndkc6axt21W=vsd+R_{E3*WwcZvg@&7hq ze5Wy}9jF|=GpTSp;5z7xfaE?D&win%`(6Oi0 zuo6f`OgB}!#bhk5o9h#tc~!H-E@OuZJi~HNh8x4qI7uoQNj6D@?o2Y}?jxe_jl6?{ z7N@Hs-AMkLm{bNlrZ?BPZt`)cVC&kz>EuSt!MVCD!If;z(%lK7BdNtX(+UfMt5+3u zzDwMyq6ngXi1@7@O^(JBzgyp2H`v^=4*-jApMdykH-q2gW620Iy6>OpG|MdOOf8qW zcHYz%#Vd!5ok3?XgAO``)DKJd@Bh{mqH;TS+gw??62U{@nCq`^Vic}n6AD{@iBz?c zeNhg&Q)E;m|N4yhs=|zgN2*ec&`eD6#{WNc75_JzlKdVW8maF}v!hT_M%)YB+NF;!W z&t;RgGf_0+^weW_sTa!+6aRI5yiQ0-awa_kgWdLA8%0D_Wu@Ur@ynoyh``iThU}c2 zl^l!FQmf6K9lyjxy`0g;h6a60%g~2@nA{cP&#nR@m1yeBZrxE%ukYwV&TrDyq<{3{pvYbzX}jC9L}! zlZ0tX!x?Vv?d=6Gdl@};yQP`gJRVp-XZEkhWv}*W4!JR#l~?<{%)`KdZo*|2|5^Px zQ&3n~^Y`ajnwH+5KYu0@aA1}SrwWE{by7wKHgu;Sq2~xb`fsxUt>HJXQc{k7txQc# z-D)C{f1oV0u>s3)IORuZJKbcuav?yn9j&&IU>`nBw7ZJ!XgyX(NFTTSMDx`lO5yWHpOKY@lg=oFDg4@@w~ujuR#(CbAK)U%yWJ_AT(s7piQXDpL3T)rT7sH3l{| zgwSJ@kx^7t#gvheAtNV$*{`UrjaQ*ffc#29(eU#pb`;~Yo)3Ad8XCc`U!y-xQ&Lw~ ze~|f2ST3YqqfEF2-X=rDc zJJG^?)kdvfSQtKP>hx%5^WZ>QU7d_kK4C2TBl^2{?{-%@ zTBxY1isz`N=I0Zw4CMI9GWtPmx$P|nGzJm^4@@dAC!^%C^vTL%U0qw_w40G^YH3L+ zEF^|4Yg`|%f-pxb(F}`;Aq%DCm9y8dZGL4;Njid>&tZ`WC6=RV^z$9vP>Dsf>XE$Y*)=Y+PJhjumXQ*R?gAre z$To+ip39J1v9IXp=+ui$@zdqvA=_|wR|e%R+;w%SO*_9_k(QR`6A&(GW|OE&NkAhKdQYbkF04QIGxD*ltmVMqs+U~6KtO&zhvj(Xa}ruK z$V@WW>h4QF-@PMR9WIhCI)j^7>`4omKX{&{nhbZGpPyeJbd|w&spt0USOp1t?IFGO zcx3>bd1|IP1m!bc<(vwC7HjXY+;``hu%7oBH=-slP8USst75QbcIT(A5R>XVwPB&5 zmVE_YP$Od7$5}q&Bqt|t?(e^mr2hed9|;M)vI7zfn(mjKot+_y^gF-sGqbStSVlxd zw8Ec2*!w!IjTjtl|INtGwp5{vixN*3i@v9m584%v{Qf0)eh5Z!O-;?51x5h@3W+y( zKL|xnec*2OAyL$;T?$m=ndB2B^K@$zU>`Tm;pwknVPR>*k%x(S5UsOI-x6CO_$XA) zqvSyvQBR&VWsyQ;mqtT8p@`63ll7zz-Mth z$dbh-qd9)e%gGU2+wi7Ok&=1x~eHn^|ZSQZ-)cax>PS$$Pq(+DkTU%Qj z!Xl-lq=;*m+dljqFQ`T(F^|5yFv+%MnwA-Bja16*6`rz#=sB^EP@~?CBZNX z69QsBI3#P=&01d}|vc zy|}S4Z8R~<;lfAQbWL+@QO#37{J2M1Sy=;MmB~ar%F8{D3IRok&d<-$eIT$&AaSq4 zFR|M&79-9W6?|8#Gzf}QcbScz-SO_r$e0*rU5~9tbWv^oN}1Qhv9FSmF&p3ieE2t7 zPf}a^OAMb~3N{`d9Dt6eBs}*c_^%m&K+@7On@rFtd#K7e?`LNx>HW{LY+9wV#wI4g z@Q7DvXlS-Ncqg&x{2_R+p_(Xds_Am|>h5`+?WrNxf_O>QWzg~5A2w_F@gsTSm9MX_ zVdES8*hzNXYGxFCFDN{m6xDRJv+&5tsdT8^F7$E&1qC z0E)KKdE=g3g3uj^8vp3%XqSze19M^C)(Dy#C`nt}d~94?5-b8LcnZi)?h{H;uWFa| ziUspxhWq!Gva(^83Bvv=stID2a`yp0NWl+!idPPNr;lcVi5(`iTk^N797RLychyiYB`L3Rp){5H&$<-y6zf!S$ zXVM>DY!Q(|P@-O(9iE(oY;M{nD=;IW0w_r@AfSoFIs~ayC*^*96`F(q=tchQ>Ka_tN>*6BMjP-i^yyRBF)9Iv z$0#Cz76`Ya`@vyhHD-EuVu@ft>=~LEa&}nh@SB4EvWz5YX=&ovbbxNnwVo%)hD$0b zy+_f$kBSN)dag$WrK}`JhBPl>qVNlA1K}IjD<|V0l*VI@b|t+~n~(-I4~(%-*Z^JlVg(%gfub0YGzOwl!jq zh0E*I1;Ix;$>-&9_f6iKYQ1=ofsKRHb9#PuFo~o)aD9eI+f$q821xT0WhzIj- zD5B9an?WJ9G$rJG|EN-{pzV}c4$l=j$;Xd_7$u!HCUin+M0Hm@2bECRG&G46tzSNT z_OtdsR z%i!VZi9`X4wk3ilFEg*UOKs2V`_i^69-M^6>o9r#U?I_4_jjVGUXc|PT2045fB&Gr z?a{b&{w}j&yvRMN>Kw3M9F$IMoXJam4f#O%lAh)G^^2|c;eI3f=PcJj<}fqY|NhLi z)qF#5YJY7MF5j{_-M9rL(rCEQ1REP$%*{;zj6VcnFXNI|62i@x2Ip_<)1MN0Q!ks+GyVK9<{p=-M@ZR<&GOz=Zkvd6Z8_94|%&#Ta{3 z+n-Ejrkwrf_Rh|&Pz(#a&fHMQ7dV{PwPRvqXL{0PIJmePkyDV8zIoZ3j^;A}{zj{p zriRALbI;ip{GZ169e^rHRgsX8M81EIZf0iIk+vSK>vn}n?u*!?N0+T9s)MJd^mCj_ z=hzOt&W@)cKAu&c3V0madO+<`ul3+JzE3U{K^+DYh69@Wzdo{(@mR(T7(IOWP&1lk zL)Z(>oKv{hvAegk)40_8t;FloU9I%zj0_AIs7q9^LSq_7k76C zE-n%%a^<$u=+xe)c98Leb*J07!2h}1%g87x8Tk0fq{FFx1d}ikk&yU7vCZK$JU%|o zFD;c)RVAH!Ag zp{w;HtJ=Gm80<`yx9{G)(`?^|TW*PI$;e9~mD?w*gn+Bj)A3O+C<+}L8y>QqcC(lW#ErqnzBH4t@=#j>Kpb4Ve*L9au1?h(pejH& zv1)5;ZSCzFv1mMedU})q_zi#_Y3|{XaiBy*M98?!ueF5V%+iqQ>g*%{u!v1lgyKv& zRthZkM{6q<5R->qULsJzx!dFMD0%Si+_{6K(<^)XWEGaJapy@odU|vehr^-*+zM_S zkJW3X%qE~tS`HOgLBFhyl;Cbu?-1y^uWJDamj%yq$DMwU|BS| zN+YO+-$sZWW1E~n{Kue3d|2bQVaM|wzh>D>h^_;{vY*{-8_R5qN78cdJJu)!@jx4|0 z+c{tMe3dFu9PCn47K!lYec5x%aws27(0Lu$!{xUjAqXRZ#YQ{aSW!4T%Fa8T97n2h z9~t3oNkD)dgp`++@dCO9fu8&w$4dwq(DEl)0ys-Vw4N6^h?WO#2kSW+1L7@j-W6qH&1tt#MqZMjd0fgkx$VdaY2O#0h|HyWv1AMo_T5mxz_N&Wf z04$R6+0yb@k6|a7lShM=LEMJ6wkxHjrJ8?XZEGV07I+fRON!jY*(XXIl zIE^r^Cu{Lx$%}0!buA*DnV6VXCu%57O--RJwIoXfZl0fPV4z@u@IhL@v(EtC?D7Bk z!w>7Zx(iCLDGi3D*+!(zYa!3uxQJ_JSd4P6&B zC}A#p{c0;zatf0cc`FMtgWDxFOyApqJ(5p)UkHnfi|ZR2qJy~9u6XsRcOHNW7!)=v z7MK}1W&b@g-hcR@GQBi>KYDTQ6+g_yL+*cfx(6QS5E%~-4{U$ztAKz2pwIp=9j>jd z4afCOOfGYAae>$d-Hi`r;YI)V>r^*yLQAVaDoyDJ=jnMxXOtONlAQ1hCN0c zoVS`hlIOibi(n=``=-KD;JRb#ake+OIFLhG3+7DV_$~UBiu5k^w=DN((Ky)$1)X!B^A8pU1(_Qd8KpW#Lp3ocUk(0Wde=fD%GAt8MtfL$&E-~! z;_e%!ayjJPjqXYAJCfA06aPMcR_g3I^o$lx>vju1E-l=*%yklqRdEA*W6hxKHGpTv zF!x@r$1|MBmq)y@#XHjRiP?C(N;V>^rpVhG+*N@T^jMXlFMB#^9QTRM)bFrSJ8^+A zN#4T9$id0u28K+Ev{;n*oNS$QY}QTWZIE5UhTC3n=KrhLL;ml)(Eo+EOa8~#l{7Vf z{g;s&`S{j8{hojdzt0)55Mn+iwQE1gX@%6c=Gn;$OLjn{Xmt&kFb8n z1j%RDoqKP}JSnA}^!$lZ1`-*n*bQAq%OYKOtnD`vkQLArD>{($I`5=r!;4q3k)Q1r zj@~>Hbl==MpeupO<02TkGeRyO2Z{MT3?SU zGVKrtX5w}9_eRI;%aJmPnA|@tIQq3xG zKd_cf6uAk)AJMnATQiSP&*}ESw|OWhCl}@^EhROxH>fAAuTKk1FJN)PpNBO&6yj*XAQ>sG;#o`&5ij}QO=aP$Xzm;tyDP^z}JHn45~jOe+#@_%B} zc#SY@ndp0u#KqB}1_vX~^)VT;>*q_&*Zy~LxQNLOyMIesV@e z#{7bUAAtPtz(g-FYBeuy|N9E)XDaa17W+KCx^OTJcbEHd6A}^tEH0xm`j-U`n4;P? zw_0gtK@YZo5!hYp=`OVMn+pse%Y7pTByzsNWeO|)E-VFS|L-Bl6ezr}*G9`= z%BgN*fd()L$X5#hCl2aoTiXx+DY}m4S=ZzrltdPM*o76 z$$USUd;FN&L#O%p*91^LSbfBl2P0$aH&>S!W0V0rF3Lx@#*GftlUAuEXe=}pmg@vm zd`TMV(kvg50E5;A^PM}sX=%6DCu*|D4_r?6*W5;dlY}4<$j(kkN=mvoRKOrBD@z;s zn8M==Qok-NVr!UsMq2Qs546qy7|ssx9Bj0mfZxP@vA?(14BB#QE=nHg5;_XtaTAO! zec-x7)fMKaY0#LM@Ys2VLfldV6O#bNR4IcWuP?iRTDwY49t>tvvGq6wEHlb>QVa&7 z6g4&9!iF?7HC;kt0`T3y++6b_vs#=JX{;eduJ)703J;9K<5yet!{mCq-OlZ5^Eg#}!qCG=h8y2n@sm37c;>D}@vQ z)aG(lo*}dj?z+1Ci#dwB0*u?xr3?J{@jB4Q=SHKDL7evUvS1+-b%|aGiJYu*p~N&a z$PEn*Icz3`EJsW6MK4adfa`!`NdV0iDnTbaR6ex0z}TJwgQ*cTTfW8MJ*c|rw+a7& zhhFLGw7#n$jJ0RaIbj#RVNeE}sb zs4pOU46Llez`#uf{CMaHbuniWbQ^S|-V_$zcUT`Iheo9JKq*qb6h8(QHpxSUNbuNx z;vX1jK^+njA~Be&1NN*>eZ5%x3KfV992^`DmreapGEQ_z9bnNG_B`-v4D4u63W>!! zxBI>&()Ns<1Q+BH(q{tD@Bx|HxmN@FO1;4FGAL491_lPWA!sp@fc?=iY>C7;IxTdY zt|uhqP&)~tP>?rJVBfVFhvlXMJ7xL!{fXnh$X&DkIw9$*G2FNkoE@gZ5}?9jrF3)E z6(MhK`H&qhqY}v3dcu-@>Hdp}wA70w{@0te2lcH;*nJ(Bl{PTo1jkcBBh%$i74q$4 zwaBOVbX>fF0cm(SLPAO3m@+S(JlhqMn2XQ0Y-(j{7#$^9U(bE_IgZVL^3gv(4lh|IlHbW`kj%YK!k3h6IHW``9_<-QOdjw#EA`U;NStk{!N38DdZq)bJOek3p zgpd)oPEIXxHnp(Q*d06UdbOea_VfB<<#v4b^LVu<>w*ADG)Vsh^PyF%Mo6Bkgo*Y629W*C`(~1u)>}Yg*cLD~Tgsg4fjCT+(FlkFj)_ zM-pX%Z3$pF19I$NHxg;BLK}+@Nbn^HJ7M>IT0Xw=frXR9Lw)dRV|c76VEi=Ob)r zBSCfX@@{EU7t$HsoO*~fh=ElBDM7kv{|FZ&BPM8XG9ee+oGyr`zy#gr%4@5uC^4@2 zt&8ER9nqVDjsI;H;4o(WEMhjVE#WZ{eUPRSg-qIGtG|rRfwt*XsJ;0oAp& zyOqixRsxrwfA}=?+^RrIF)ib*RM2hWNNkcQ;hmGlM(s>m3Dcf!FA-{LtIq8+ug>nJ z>K)-pd%22Ne`7cdkns$tfIfvL?ZBR2w;9hwh@R6zS5sc=_R|mf(~55)o`k4YN$ItU zU-)*vFz)&K#Q)8knZ?D&VDQ*EJ1@*eh%z!WV~dK4W{m)2xXsDgy=@Nz3ccyiFmk)n z@bK{FAXo$3sE}MVY$aM+TYCn_GzyKcSdA2;<#y?;_GKd7M7jqL`j&Zsq007ue~ui6 zcFotXUpb)oqNv?hIRRS`7&-(SrR~=*Lm-D>;FKst$UxZ585j@p4vb;H<<%>#y~=EJ z+DidjJhxUhX$n^72X;Mb8yg!i-CE%3f*||CD0xl6H-gqV;f)(N7-eI`!YH`ePAKs( z+n@0vH>za&CMKrW)cfLBz`)c%P<*lFRqYpR*HsW7-OpDk?df>oItXuY0HD_^0nKKx zQ!$_oTkIZ&e0^VaXn3`6iRv@}{5@+cGhdN#_GSJ-uu0Mqx-wpPumx^55_ZawgesgLcO9vS ztR`^%nHi%h?cJsq)v7}s$gTx_3~f=Vt`@TDaY_#SIdl7M)TdAX{g7<> zgQp)h3!jVzP}8%jeg8?*%^5JBjeJXeDPoa~MeVzBR4J~oqyQgT#&a$o2I;*{bGTq+ z%B#blHho^zn5Ay~iO<$M?`aK0-#78#dnNf$3GTURf`H~I41#HDMXSZsb7+-6^6#%> zLk_Z_q0*4=&(H46PlrcGe|xr0gs5}Z7`T7K2kD0Q)3&4?@JeX%40=&lc)W&OG$!vK ze%hMeT`Kw_NE6r{^VHPz)7`3T$afY2W2gT9eG*LE{IXkU$TT|N#&m~wfD8}w^vsGY zSs7Wnw{IrY5e7l8svLxT>1x&;$$v}Ie~tbTa+~Hjk;q{~?tsV0;euH4um7I?86ENz zlG*7*h#UL={Pn89pHPwwdE(Z_bC45Uqpu412_3GT23+<(Ftq_p0vSw$_Y1Y#6pO-0%6GNA@VYwh$2Lci zOwjM2KT-Al{n!0|)H6f~A+Ujl6m96yY806weJ$wWk@HxRfmntjyp?!y8VH>`G~jD6 z`qFIQC5%-MQ#wF*kSf`iqZMt^{s~S00R_2;$KhRW0Fe;8*%nUVkf3;XvO~hdO^vn zJ{kY|aHlL=(ED5n=A+D@9fY(@JkF06P%*NM$an#w#^B$7_zAXa+s~i+TQkkj2`e&b zCq;pzm4?kk##{i3jiK`kZ70%YekAsevL4IGm&pe?I5-#sUS+EnyoQ%53eEdjKxDVU zzyk{A)>5BDG4crt_LkcjK^aCNW(jcEbi?MiP`>=k5*g#YB z^HSh|0JlIPZ2)g?Zx{`db#Qp_k>xq!OtbXaGb2HyHoZD$IayWY>EQtb1V-nlM=IIs zk$`FAg<*aY6YoK`vR$k%FTd@6QN3{P>FMbTZR8js*Za`t%x6mkTYO?-0_Ih!>(?mp z-Ux~6RXO3qm`0m1JqO1-=mAaI$HQgly-nog!uPL4f@nfk>5Hg0b4DJ>G*mhT`Y6PQ&pnwk_SnEU{39Sc3W zNvAp_;0Q$yePB^2d|-{YPj|W&s@6#4g?{84G#-ML^cgn&=87vQZhnWwcYhbazTtFQ zRcCqr-5=)oN&;Ko(Mcdn0;esnteja`2&}6U1*xN2h7i|L-= z_)RX6uEV&n>+u{uz!U_kR*l|6iQ#ea`FJRsbDzCk*&l2p`$~vgBdGO1Ep@{ta>mxy z_cAjFInvYLfBtL|aSth()Nu7q7gx8LC5_cjX4a!`J0y&E+mvtJx;3-B{Q8?2r}oCq z{6A1?Ykwj8S6mxiV_4(x(;W!_bIXZu9pc7vas(&)7vh)ewjWsa{81f8>gCU8hDKe5 z3*XKjSQ0tNM+mbq$Avn_c9`yOh)RwN_^N#04Z2&2D5OXam0az}N=Ne|?~8|V`$kbj zu7^K4zYEVtR8_^@jlF^ViJ+~s^EY#D2xNZKA`u*6Nyb~Zl*Zag5_{5cs$RlhT)mTY zUnFgdZT?4dNHEXKx<3-eueMFb#vY*mr_zj#jX!=`YxxiOD3q1Awzt_}skypR6I)Y;kj@6g=e_B#RN|Da@yLCb`zW?$j|w8l`7 zWo2X-1O)}V3V;9pt@X*o*!bN?N1Kg-T8Aa#Xm%~<15mL8!UzAoetW=Joaw{uydzPl?4KdP$Ajo;h@En3dD<(w=@yf!;BgtfgWn;WVP>pD2(U zm|F(|2ZOdRkHEY5oal8N41l8kDPF`g7P^Rx_s|>b6CvaeLAr}tFK#W{0c^@chq(I7kMYDH7^K7WX{+r1KOu%q~ z4hOC+ZftxDDW@<}P}*t`0-++5ze-FGqG4-q&jikavK%Q61_!StW*gw5 zFhJX0HtB^c1|tVh_GZBNO@Y(2m#I~DFG6S=8|bIOOjGcucjg>qC`7A3 zcYpeDYZka#02CW!k}aHC*gT?<6!zIwfA}`AAwC%RKpado1an{*ve;rU97Z4_VSEmz zC!Rnrb9-ErmevQ1a%8Fi8C!u)JwF&NwvLV_7w2cy`y&^im+m6 z-A;N!E7{JrT=zQ|hdw5qM*nXJ{vkp&Z~Xtm@d*XZn9NQB9>eCw@>ujor)BVThhHGSbZIZ?Y;j9DhN`qd<4O57qZ z2@F#XGQ1Bg&zChSqe_xCMgm1!WDLrvItC4Viy5*$mTUqHEVG zp%wUl(Do(JShnxJFB-l^6{V39X)t6+WUMq2MSUfr45GUY|47w32N^*?*H!6?k+!{0Yo+BpUYcdeoQriHh9eaJ!w_u|4r{!N2N zPi)>m|LAXtrCRSx3t#Kf63dD^e(N8>j#ObZlVm`Q}Z!fQK^Tfu*T_2;5eLZ5haq-%o)*a`>#2nAlF3B%_GEw$- zGtX?){I@pyhwx4;{AXO)QmS71XJS|(B$WSPhA;Xi)Lrf!Reu*17r#9vwdl`tU1u}P zx4ODo_~=V_vb6coFG>m&G`jB~FWMKO==>$a z(f0n3HFgU~O?-P_L&^c1Fa|XH)SsTIJoMt{W0w3)K#KAF{?}Q1xeTk@I>Nljno1z zu31TOb#-;Mu^W!PmVyp0|Mh2Tfo2@(M9B9vAVP;maJiYtQ<_*8X*AS9k9 zpcHRGm4cDc0D@}V3bx&Q_wp+$h6CIWh0=uCbe#`l#5Vj4=we#2Xp%o!w-n3=1ZUwW z-(D6G4K)e6{)>n8?62bAEKlK`Hq>34j|z>tHwT@m6Z5?gLpReY2=hduRqI|_S-4rL z=u#}5y-q>urJdoh2^%>O6j~HIrA2e_QG&P_QbShlvd6Yvgk3xp8a~E#PQEpGbihj* zM#Of}>f!w&sPZ~BwZ1Q*JM7cbLpPzIB4Mc36HP%UCnuCjB89v)&}weQ03_VMbezRHRr7Kkg!p8; z0J`OZ*&{7{8H7I!%pN;2{UJnRH3smh$6E{UV!Z$+&%YF5MiqrULDl`4R`guVK#jO< z_Wlil?Y2S~Q4HR?&xdfIKHCM8rOvB!mX_HiB_+&6_)09Duk@=gU(QrwVL2s2#-!ul z@Yoi60L{`)!$0M|raCuEq+&w=^ajzEIP_s?pDbqhi~xv332pUCY8OKD2IM##dMVr| zHS9jm%n4nJT#5E6BR$;?Ey)sKO!#VySpBcgL-n>JWv&z3aXlV4Z_=w5SaNbMul!%S zSsm2p(fo-GgDfaT6ToyMqoWO_Lrw#;Kv8Z+=YrozJl~-iZuf0Q(eAJ$2;@j1t_`Lh zlNt8Nc}te;ffNps$wq*&fDm|~U)B+IS#_){s_F@$X zkKuiQig^#?S5JKrz-jbIYb`TCQsWywJ@{lBsIw&s4pLYguj-uWt=9a~Wo0-g``*^e z(5kg%41I0J&Bu@BTCm^^DdxbNVT_K%c!)cy)7A&{DFLJwd^9)W;>7T%(^qZC5Kk zotWinoMz+DTDVYNLBV3i@tqIx26^lFn_$L(79k*@N~E?SU3m5C%aHHw#fW(-sja2u zxI~b7hn%FOAHqB3i>jXM>^gXmd-cv+D={eGE48H>g@=R`;mUDKOOxYTT8!}0nWyTo z%*_=!L6wv3rZ`l#;;A$inaa#>|A3yqmU*OCcW?U|ak*v=U9i2EZOw#DZ9OO65vNY8 zbLVp2y=#3nhF9%}zcE%-@*JP!+US+$pEjc!0iAdY0@YHZ8`tK}ebD!oisECu)uglq z>9*seD~1Dnqs;Dycj!ZV4*PoHZ_MnM7|lrO+jyRuI-SH?Q_kP5R8HT1PZh|!7dW;F zAC6tTXWu?SNv+;c^z^=2N<2I!>GBHe^xoVoyt}@sasLaUk9FSH*Qn$P>9!2_DLp>= zIRYHmqZSd<~@ZR*Q&ucFWml#hhdq7uEdY^}NonqL<>6{YZ6>lttys z$Ex%t)}6=1en+&M-LAi2waao@huM<*ORsHZUX0*c5@G2Z8EM4MVY=|bZ>Z5`{*kmr z9z0^cmg40no#j8QlGwaCpgDi?o=tb~j$^;U%VSfgRet*tzqa^f;=UT!d)tl7x|Tfs zdr<6$1l@%jDxaTDyv++w+EdGU-aXxF(?U+pp?{F&$lcuimhFX~W28@yU7YLt~3!MhmM0!k6!y|oWZP*GMj2~ zDfnP>c8`)>;+UDl$AsM(w@YIl%6)mLLboaY(y?tVP28TG6(wuBQm8HzeG_db}~|66A3i5sC|q1~>A zB}p+I>6I7OjMwaIjdpKVo?x>oOy)RuZUgJ$M?goxSg=Q3AV6xvFAT7C`5Q-TM1T;# zhAOFbf7{fh(q?v5HrT2Fvpqx^77!BR;^Enak#PhS{(Whw=s+_eA?wx?QpV{!E32;1 zLMi`tPS=otSEra&#Mwi=O&GKQOvunltffB(+9=N4ar?SC?$+%9W8wUjh@XT2z z{nkucN7R~6!Ql>cNq4{r(%20&v>4)7x6T}{#%hy@cj%Z<4$u)T#*})xdJ?`17;plC zzF|*)kAAEK8~s_UP%IbzS4Kngs%=$t!p~TbZ@LoHQC&R#Jzt*9>c@iGsk@122hLm# zks1SX>j#cQJ?FoFxJYyw{4#q_omz|g0=A3^zJ`4s#&`5O!_dW00mkI@2&^2o{2!Ii zi-2Ko!%sj%{Xj5s>Fg@8<_LNF+o(B~tl@JQ&EB9{{9c6<_KQtTh$8*>*Qf>th4HQF&fnie+2mr1QP(U73@po@kQfkU$g$egDZ2qf0HscDE;*}>qjdCmu+Px*~*Ex)*coKcu}Di zG-9qFh?4UEPVDV?C%P&@ulWq)ifcwl*fOu96J4G%>YsyKtCJOO;MWT#27BadYj1#i zgCEiu6T{2X71L4_ZR4Re6xL3-f@&L6i!MwYpbGsl=v}|tw@G8jX4e&;PY?n%9Amv% zLK`-a$q|B>%54gww1GIr7v<(tocGq}}GaUS?R@o^%}$sGHFGjjd^i`Q<7GaiaB6cf`3c{#59-#Nj5{gK}~&jo_%W*>iX ztoRovxZ~J0{Hxu*!>hMkLxrr4?4G^_DA<4E1npCnD>9dXyu0{Z@5Yew_1z$oo!4pQ zU0=P6TL2}vrO6VUAy()#pbyfW&G+rpjZzabLD=!X>V9zMkn0Wml;+mf(}`(!se*K^ z1JHtRiEpFy!0_?7-JFnVyX|&w6HxwNkb-|72p|aEs)5vVOlG8t$G4ZKc+C=3zif6q zwN1b+=Qz53X+Kr!1bEkQvO<5;ee0b55A@${|M1v<7{JPNHdcTC11od_TU`GSjX3!K zNF#=tm48o8w1OI0_HJ&!F$5T#uVT6U)K5Z!14DAh~Kujvxog(S^!SphSD32 z?P29kFYk$YSFVldl@`wz+t}Y=Djw2wbyYIw?fCe3GOmCy0JpF&SSqKeDCULgMA0xv zMJU}@tzG-wtF{|nZMYzSk`~iV$%au0YNyU)$@}*0GX_$he5?V+C;$OHHC}k| z^20O7t!#!_3hC1KE6$=QKipI(*%GGyY}ldfY;q7(9by>+3uwGswd&#$$&)`pds-r* z;f-kOen`k}&EQ%CY68MuVw7HY+EBj;HRIGX{pgqB1)p5^;T6yl6sq~)I$^PT<2un# zlaWbL0;Wp#q~EPb<~BYLd1wA6FE-}2U8Z-kx?6iN-H;asvr#V4lR0kXr&^#-x$iWR zmVAsG2LQ-844gU;a87@(zwmo(8JxO&Q(Zb91(0_L;^Q5?8a2R%hGZq^a27f$bH-i zz6FiUBMg&JZ~Ie8#(&mVjJ(!*z8QY+k5P6p;hbO>f1l#`+OyL-! zj8JLR!nWK6b|*)>hgoESCrbV4u5x>_xzVy=C` zy<`Jt+eo7E=lf|rhvN-)05f?b6yfv+H{wXrnT3F={0Cv{4MmN`%utj7?%4{)8OFzo ziV^s@QG5)5O*!GeQFpHaNk~`j#1^<1FhAOzlfWrREC&N<1k`%%)vmDHQ3nBXp$~B% z2NI0-Oknub#3vK`_SI$VEbK8QAkFP*O5J$et<{PJ6ET@W zHijYyUf6KpRP!5S+nX^UzOAV6>&+bVa-AG&2$i!HEo+FQb&~W2{K>MNL*cGP65!D@ zi?n)Q_eSpVLsSC~nh~-Gw&H&uZNEMjaSI8`&S`0Bl30L6WuUBEF*}-Ih_*eJ1xG%E zLP6kmc>>BCe`pLk6`Xc{!X(sN;0jkWFcH0}t_}ij!S(_OIb@P*yLbP^z<5lE7}^ui z{fE#o?z*{11Th(5#*^Q_e`jA&TQc)#CvFpp4}^xS@+f3PDgfld5#`!?E`^P^T- zxfb#arN`l$qJyO_)yT-`g?as!D77FW;!&kNKX*@^Htn{*e;&ZW-q(s)us}1~XB+{! zLK1*0S0+oE)3q2kJv>eTXtOtW!^dHFa{rp)NZ2Q?{H_U~kWlC37F?1i!`{#tPr1D` z?4ea_;nbcD0s>c{;R(bX{{bZ$s?Z!PSOe|J_Wt?Y+(t|4GipcdpeZ0(*!TLh&Bldy z?xTH_hks2*h9zjCOS{^D*;4-ALwM;33Ilk=04q!H4PI6tcP|B1zRF+kGsh&(rkiCi zAS*lK)fsarCJ)Yt9p>h-f^X{r+rM{rI~S#Avp&ThTZUr~iVE5z6cE@#%7-gguPz*3 zY#y5gB#be1u+!5}1g+Si@z*IS9}-P8-sI+{Lhy@iNb1yw##gnI_$Mfii&Dl$9&0|D z3G7A@p!P_5BGLB>tjzd6CFb66~cqjYxnQT!q^#6mG|k zp$%&vhWJ_d8KE-gzWKK=i+c2kT2!oqJV35Qz>uUEf`|0ZQ6P<=Io_bnhotHo6edn% z-O1?9ApogzGPOb75Eu6)#Yu4RUaUA;J*ZAJ0!su1D!FC~W-AVU(t-}_ZiCC1XIGaQ zWR3ZF-u-7CA=i4QlkA0^n(V<4G^^ruWSe==6p!;Jk650Ogzud@=ZjKb>;x@D&N_XU z5ka^E%Opor;C{l$u?OrA9DD6hq}+q-gkdYs2l|o}87jMWHGliI4f+MZe8~z`xH*~w zGo1wz_9|-|cB-P@~N?NpUyR=wb1d4X+%b3pr&>m1W&--9%SK}e4iHW@^a z1cImEk0U*9?R;pg19(qVKT{0^BOAQsjZj;Qd>Ea%a6LJ{39mud$~aa3dK2FDjP5@9 ziQ(ou!rHgdmq`GOgVlDil8d~bkj5H#+fsNV&2KHjfD;T{TM}?k<7n$Zc6PQ?Z7lQ| z_)F7b8ycBdr$^fsEqYmr8&$+A!mv^F(5a`bEWi(1iqqhH0r)0|rY!?_nh#isk})26 z!A9}bs>^l@AN;Tb-L*UfN+N~8!ch_LY2+VtS1e4*HlPZP-AV1GI4Qu z*suT|czynKjQKD%MPsrTMrWU1qt)cCqNtQI^`vC_IFlupDK{3Rs8PR3nVoyX-@*+W z*&DmMLM?{VfnsPKGy%leei@qqMygclPv zf11ekr#m|SMJ|Ck{i8_p^7DK6N0g@VzY(R?S1mKutNHNw#SiNG=gS@a;?nEf?W(_u z=_2=A5RoNxtdzLx|D*h^#<@NWbf8t1i>{5Ealh^SWf$g8pT7P6%b*a`D60$luZPB` zcfVHBUVHY&Zaw<0nnvm?yiIDZ92#(rnKNhG)8?j*8%>JVk=3)KKF$8s>u!KQn(`^u z&DGQDs@4nlBWuw&@Ae%Lln8#Up|H2#OJjdwvfX_zl|}tlt;bvTxOm(`lO4}i;=w)N zm*4QU|JJFleDXI^7anz+f9B( zNGPCHzx!LjvGT}hlh(9-e$t!lV_pC9;E8=hJSD9C9GjV4d9IbKlGFbN5^24od60nfJu{ zGe-Jjl^}u_6q39CG>O%9;DLL+^FXC7t50Y7=QDTnXAS98%B9Ja-`C+-Ag0^&*{ec^ z$J)a$zj?%|FJ|U#X7<>*YPORs(>b0;4@Rq{ej72bXl-2+XkC(CKeoZ}TFqk1xkg?v(EI?=mSJz5i+E zQ>WT)^SM5ZXm26Ql0dJUG0_=&7p_~dVPe_)#PP|TB8yj<-O| zHQM!7)SADdB4K0Qz|2dbUAnOo9n7~897Y{h?`E7~9=SLM=dS={)|N9x??Hcs+F(+p z*qUQG$lN4Rkti<1>RmnDAIoL`YQ)-2Sm(Y#V%3~?wfUnAS&;PLs`jX>XExiQXKY3X zU1)m@E8)qL(Rb=y%?5P~XKz;6%>0?TSVA&EL}^l1c}toM^Zf&tDVv`E-Ka<{JAQzO zD~T9Eh|TO>slsb%lNG;4NG`xx?!lL|ZkatZ4!f~9TKx9$CH}}sM3*c5WJn!^HIk6S z>&Na+zgcb8mYeJ^kx~&*JZ{HfImXbwzxQ-Ztp=_MN(~eZ;vnnJ)jk+r?on6bT{L&& zy>Y3XnNk78x4N7-TJmR&mA@=${yQlI__-S!2iE6t@Mb6=*EWB(yZr1Kt9|Xw-Fh|= zM=q>iAHHEv6=PVCDKNp-DszEIP3P?_ZmH;VNKCreYKm-Z@W z7#bpqUk5o=_&(kt zAjCbnQ&YQeQqLr9g=4fhO53`Dz}7~z#zJp0xPIe+N+AZnYLoo?U1_Rv#qvav!^ zX#k3hC{a>l0w(>|5-IzES!FcjTd>R2Kl+yb3=D}z1Mw-_=J+rmnm};KM<|E@9qvP< z1G?)r$We`eVIgja%?$%1*Ro}*(C#9#ZZ_0dMtH!GNronWb-0Ol1)g(Rhy|!=mX{Aj zi+dZI*ZqKr5w$~hCZMt_g@nlBK+_X>Fd)Kui?Z$E;Q`x62!@LT_}gFY+gFhD3EHI7 zPi&#LrJgg>OM4>o$K-0ai-vMXTqayfW4F!nL9r#K9`OU$(7*ZJz55Q-lt?FXS5(n} zYS`JyV5SfzUkC`l{y5k1n_va|khY_h=`=DXv(4ABy{V%Ri(cD&O>Nqyrytk_bR+y> zn9WC*N)l!?yrdjO^Mz=r0z!}R+_W>DWPN?BT&v|Ae+i?Pqjn7ApCk+&XiX_`jT-sg z(98i~fTM-R#(2ydfV7Vz!6h7A|-eGjqr$*$~% zS@t7j%b?WJQBMKeYgiVp0DQg~FB|-8Z2uwP?MLtqok@rR33MU=qo$soQp~=xzz6^r zN5eafn8SJCBhh4toQ3tt1M>%wtFRScEh zjNZ^tQhiRNy9W^|1mZ}Ya>K`9WHZKh{Y}%u&>lSXrhu!+c7?n&+n4Q5WlO;*B9rnP6*JmC+W>WI%OB zd^s)G6)X0E%w!hxm_w?8tD7=y+Q)laIWTWL)=ibb!_!T(@uaVSO}9MunA{B>vC^Aj znSUvRP(;9)A&5c-Qc$kqk7;S5XMc=77)?_X0Bl+s0Cns8<2}CIPV}=bmp5aTZDqF2 zFW^X|6?}zQZPfAEp9vobV9dZe* zR+tzCvC|=>)5qWc8UiH3Cr^^p7Pqjzs?VJ}D&%rY$!ebsnO{prA1O6hr$JV8659hw z1up0Kv`>z~VVLM7M7IdBH|)udhWDDLq3@KJmq(P&BTRJc$zlw}70)TQn$=-kf$E zaP72#!9IXtZ!TmKP~2&!*@#f@zGe+{MI6~!hI>HRVv?I4t1&(=UTDZbG+EfR?!h#z zfH^IRf*isDFZNYQFzYLiVlyVQkl7bY=YxsZDPaHkkYKEe>+uG00Ki|w(vb=wUO(iK zxZ_e04?}*7C)$Z?(A<-12TFR(H77^HPknkkpKt?+kIr{}@dd(i2h&&WTs?R0O=-oI z8GXBNCyINdq_&U0aJ)OPa^%5$w}F?%ASw1Drj3LJAlQ?H$DsD6UtmrV0(B0O1slZq zd>bJ1d-m>qfZIXkhwv6aml6K5;@I~|t3u4ZzjFjs5u_Hum)_LSwW>w?jc3iA^@%;T z8Odr5Yqesh0L7hW&0-H)QXMMe6wb@B{aKG8x`ZiHr$VNyVV4F#6xW1R3WiLb0NnJ5)^FG5Ggh{HTjxkvCeR;)p;cx;l!Ll zxt$j~4@a%p7Yw?XhXI6AD$%6uRXZ{K~3#mBp z3%na{&>KLi;M;5bCS<7da|{oZ2_JX{wy*Ddvv6XthJS94Vo>{t?dJX%-5Wf5rs`jQ2mj>7F4YD<@%dMk7zXTRZYXU9U-Y zdAaY$N6#H!Bk(qnJ(4Bzy-91wJ?y9hUDbX7f3{g4Q)#&$;Afb&Y?oQ}tAbqh8Bu=? zkBl4uhsCZh!86}}zdg5gE9;4BVC*Bm5Xa7g(T;aRO!Ll*g!M;@Hl5?#9OY3^e_8;P z;SII@erKEpJ9fUBw7fDchb@K2`jMN~bc-Uh%!#Owak&RFFNLm6JRAtsny>Ss)^ii~ z@{th?CjKQ2?}E5^W;yl0uWxA!exh3+(BnM0HLXWu(cTb#t9s96rvD7Rk=g2Din&Rj z4${Pj|LFwd`iEP&fK&6-dg$)g7or(hPIc6PaXW#H8b&KzVWb51m(sA+ycZ;H&svI3s z%U`Q11lu~iDZT6Qm)oi}Z7-`EvJ&>mL9*NQ&d2-7!KB%Osyu1kHhX65G4AN5o21Sh zSaEsPG>y&E}G7~47!waw@BlMS19;xl9o90y81^y!tm$gx{#m+mtfmd*8=JH!g> zgGNDHkq=x9+0X#U)obZoJ^hbXmVq$qLiB`io@Cax=*jQjT!~1SFi_7B`OUWJ`jP{O zfGYGvKq5t7{;p;T3CxJBHO#}*`T~=$M&uhIl0--UY|H_c$_}fhEASnyw})E4J-sAtu!kNfGL@ecT#LU2sK;qT0bo+}^KtY_Fh zXp`xpNia)GB#iz7VyCsN0C-Qc$RGYv0SOh)s_=U=VAPW%3-#PEM>9la3ki zjiCJ8#~LB#gQ=>G0Td6<7!5EMjRZ(rPMCy;r#H|xsZ#VY`7?u2kZ?-_sjSg z4D+Bnz%6+Jf8PkRJrM7GX;^LZk-WV z;S;?`<03fZ1m`guA|x<>YNuGP!t@K|;peLhUr)(_6-CR5MzH$D2@b?(OeMD^+}>;{ z&Fx)KcR<*K`9BvQ_6`mD#*mU^r(_TAD}H{>m$~@s>*|E{ww=;#jRY3ito94dN#Z2i*bk8V76-XNOv$p6!V zB%@Wn`__z%`|3yW-<&{p#`->m?)p$o6fHE6d0U$$>GW#+QR3a4a^k5(*e~Xw4@Jn|=f1QI;8y7}m z?;SU|iM>)Dl~d&}|CbivdMaL!1Ps9|$G2<%_XOOdzu?zLXx}mJ?gGgYpP1MT%{N@D zfO0?*9^0BB&lDmNEa0N=@XBnq_-cfk&XCR2#|{tGscM<@xpht&v+n1#C z`uh6Bbn0bn0cwz1DYqRMilwC`CWdJ+KUhN8CfqLVn?9O*r2wmL0en@Mvn3QFDv|^- zub}b6-c#ZVwLODKDSBtXXzm9aU=H(wVJez*Neg}OV@stzthmH@&q#mC zgUE9%bwm^YH8#{6jr(Hfpje%}$-RYS!{Fj?Q`9`tn1JfpYuof5?wrh8(vxGo3)7Uu z*?^oa0n6HveDuXKU`j!iO7p4bh{Jn?g-r^zC&~g!kq0uMY-2uZrkQZpHhEi$OL<4pt@N?rBCT zeOU_OG`&4=*W%5mh#oRI(<=oN>xkE9j5g zxE3$ojV%g~ed>$H8B#FX0xC!Z-H7>!Z|qC!P|@xF?B-BOUO;e4@ClXREpZENh@)#N zDe?UD=^*ffQ$Pc;)SDg!=p{T(M|p~e>>^e#gH#hBH}6Av)pj5!e^8+P(Jkwc-FgcP zhEyCjJ)WZc^J7N({-?+vuOA&$j~W#D40ixXZra7^Sdmjw6wZK!lIXN!o5un{O8KDh z|99`M;tnIobT>4A-;q9nsiG03w=Tmm;LDeWOucvc`PY#qD-M(uMLrvo7}Xhsw*UY@ zE#HdO!y7ZfY;QX9>0*HXy8OID(^JPMd&jy2gdWYa`L=Xo+=(~s85TMlxG37+DPq3w z=g)$d>ezSzD;S~LK>$SoBXIFe%LZFi4AEopYC(8gBDYhTC^w5`~@g;?a*83VqifjkTI+m%lJ-6zq z{5g9RV)BdhHRt!^;FXq9moNw_@M4kf4xApyvB&yZnLAoD;7ueDhYm)NTDlH83Dn<$ z{$H}50*XEM9XZw^adB}w^7&o$rZR7CVkq^D2L%~suIYN4WTw<{L|gkn>dqzCroMWp z{*WgkB^}AKz-fmII^{lo{0ONCbPciDd_QK`0ju%@ZyP{vz6)t?(nH@DebXIfag&T-$gVA>RV#&y;C=`_K@docC6f7iy zip$#1KX5&wS6hURf|?&_M*UY@VXca++bn*;XkP91iTwKIF27#5tFF>B)$u#PXZt4a zSBGv5Fp1nVBk6*c7UtnWDQYhH*(|r5u^xiS48@~z1 zXyJzKEl=(5FRykEU#Fj`I<@R$b*yz?*M&B9mj6qs?^{+5t+a>81J2}9SeGf00Ikm3 z+}zb!F=1kaVuMyuK{J(jYyx_m7l=awS%4P@p_MRxMmw#OTfhFs+qWvHQcPo4jGg?c z?}s|N8U@Fe443O$&-P&~lvkB(jBqs`|2QriYY3GBI#ojFu&px8zNQBO0feEckQHl_ z3G{*kZAGDtHiQJ^>>|4kz;6O{&`3h*bXC54jAUQu>o}G45bHPzwNiK&13a(_b8W*e z{@h&imZd8t5B?MmYd*g@8yvkh;>F4NHfO2SMkPKBA^3Tx(YR%Lep5J`H8Hv&WV6Ld zj5_HEb!A}v(^A?S;4)x3)e?tvz$R?v!~(VkX~dnZg>+Bf=V+y_VeS!Jvqr*o!U>&R zz&d4i@Xp^l$7;FlU~vX8WrB+XQ(g`OAqe(MIma9EB9O@#JsE^g__kB%FcPfXyyF`g zF96@+4^(g>4h=WOf#P>I9G>e25J>CM-i3HH>bUSF;s#R?Y;^*lCaJ#=8hjDvX#myv zy58-;lo^2L0wX~38^G7vmX8X92MJsoLZK;;6&*($4tjqI1|cp86@v2R$Y0$VmnE&F zhbEC25xg!SVFJL*1f#D$ZfZ)FvG}BW4_T2w!eP)G@Ff$9*N58UX{<6dJOah12bC5g^ZUkrO1{8 zOq#Y~Fd{S=L7%=-0b8WQ9mq1sJqLoz4wERsqzrso>t#+w`qba*n9fR1Nbmxq1LJg4 z-+;~|6dR=!f|htvY@vBT`VlBE+T%&kT;=dOEv>n`yM#7*bnk!7n6XMiLZV^|jhB$k zh`>>lh2P9UFbBQ@f=$%G5|M2gm6<3Zh?R{T%+RzzV^9^RKON^41mo@b*40&v!c8YB zkU)-tzR0%MRi75HYWuZ~h=Ugyda`T zYlX+`@9_df)_?!~_wpOzcROvCRJ_Dy%Lqk80KzX;R&3FVQe$fbI16a<02B@kpublj zHN{XlCHs`rf_XT>2=oAo*fdDW-k~=n)&y2=(yJqZ_CCa7X!rA-tcziU8mVoVI4Nq2 z@q<2qNCVXPcnlt-{Y2~I(ZhCAve<6OtH^^&C0`894T& z6iuoOhF8#O->&lLWut9HS!Fk}XKh3m3K89GWq=9Vc!OzFKzbAL5J=Vj2oE7+=dHzb z91tVY+kcIK0675BTA`t#2$57?iUDMe$bX(^FVp6iUlWT4U3s*=7|OU@JTJtQv3ESY ziJO4;?<(GH_78A%2#?`t5VKcfqMDI^p+{q275L)i3%01cIKa?JvpEZcFPj_AS+J+! z7gXK5;~PJKy~-T@u>n3Oq;NU3h%cEv4RXwFpiyD&Gys1=QziPm;O#XKe!?EnpqGfw z55xWB0W^xcdX&< zhk7<_b7&^6gQpAHB>?2<1{{9)WZJ-?x#EBnc@GYq@QIcn_X&1;OkQNG0eu8(Tk*pS zoEwh5T*av1%I$#15ycuun z%cP`M>|GdaV5m!wFU1(K0V|(Wv`92-!5?8i&UTuS1FuaG+E6?p?sb}1kkxTQYH55z zLZLO~0xwFi_={m-lHO-iLb;ZoOm`GZg}{a8ZzjFp`fxi@{+P{8@%& z-SyS@4}K==PsqW4wHv(c6F6+7FFo(vp5>WL$iU z%&9HEbAg2a$M)~v+kF~HPd&81xLc;uB|aoEKh7uE-`_Yj>F&b%X(O7^2@^Q@;1{AF|e*4@2ubI9_1nf(H;UXwJhq0U2gG0B`XFpPwD&t^TIWAkfjW$2EH z4@|4f^^=-=UUNFkF*%%XvVXg8`}T{W7c_f9zE?R&8*j)|?z^pC9jldaYgSUmhQ8*n z5lfiKQw0R;gnHEZojJa)bzgr&esk1p{i3pH{>KNCq|_HD3MVHeHhFr*S$2-D7=1N* zCx*wux~VI!_(=8Pt(q+}T3el_&U5LRmccq1e@260Gxv-wv;E-8UKZDNv2!Bww>ORL zYJdIpGTVa27T=$j9_w8syFL`6)2ClIIkwQ=OHk<1i*th~7MU+q`&`p%rQ4gsm@&`g z*R&x6uK2{N$LYX zWzE6$#X$T}3I0aJvp0)o&YgP_VE@#kQSw38%MPc;zk0>r_Di9tXn3;!b1n|335)*q zGlkcD2q1&lPify;*}j}#!G}429Yz_VLk~yvOx|l>Y&c@wYtGLhSN!O3k@oVx6lNLm ztu%@KVN%Y$6;d3Zi8bj!OeYSraK=_g^q1=D`GCd%VcB&)PX-|JHZj(pH5a?Pxc%_b zuali7PU4%!a}TJqC8&*jThu*?Q=jI6s9$FgtzloxJO>-eJH71?3jqPl@-!j(Qt z@cHAy&ee2Yj;l^I?{$?%g2zIfXEsqiSAE6E)t0y1*KD;5F6{}Cm|Ac+_$cp6z5z(Z zHzIKi3Y7$5RW&ujbt%9MWhW8PY<~he6OxRPdmP;Pj9Fu62TZUX1Hh?3rB#bqfKb}peL&@GX<4T z0!_jhEx-#XRAoa)I*SVt6$Q z=>vdoVi0YVz#o)QZ?Q8? zOgljUtUKV%xw|cr$@Y({JKtS%7x^LV8ei8C=K?>9KH*U4SgjO<*x{@yuA43|^E9wl z_Gow*JEw2&#KWm`^yAo-tqf-BtBr_ixrHW;_HhVAMw~*26(nnY(%%^OjE*v*>I@4j z;m4?%*WVi%U=AQx4IU*WF9P{jS5upfI;9r4@gmkb7Y0Za@{%$1VoM0T$4w->5IUDf z#ZVh1LZdi=35LQ8taFQ>EBbsrg8TN{^@JTpJKo^x2v-$acnoPIZvu$>A?C0cnF1)* z1hCu10j^G5CWTz#j=FSJX@!Tqj{7^RA+W(*c-GMrp$2vVnyqmiYlzHR0v8uHfHEep z*R5MEUo#q_Ispl91yvGzb`9Ea+&N7&zv%q3X?Ta3Y4@Hz@0ppmkTWGA@lm%D3>;!Z zj3DH~FcVbEh}0NNO-nP8^};jKg0Kc6cW8?^FohKjrdZUa9FxTscM( z2M|^Qz1f^>3=hgjjs&KbxFAd;9kd#aU^EUdUR(f7pN^J1f`Qk~USI&P0L2@YeSYT7 za-kF%Al8YNP1~T)^8lfPLvvCyhtRFP#V5{y=M*eib-4FR=Xu|7{mYeHLZMUoiL-iP zzo7OQy)Fc5{`8dQ&CAA66p^wI>d*vC_!Nu-=oaf`+vq`8034)Xgt7!7ne8vq4fU`u%MP{EX^$Dzyl@ZBc=Gvxg+Zxuq-Kdx)-h84AUS})Cj^@(LTVfC1GQ)})3}9Y@erks zK}l}71?RBWF7I^tPo#~w_a)*hfc=ETy|2L$0RUUO>QemxiBcjSob0L?GytN1gY$+Q z$6%`x!CU^e!$S@RfeANCXC$@)dzXE!Wsp{O-pa?XrXB~sP24)BMbH_sy&1SF2^>6v zH+vVJ3{eBGis8JH#DQD1Qvyrtz!^eR;bFOiHEbEAgBVOOkvCxu*Qi^=AdeZc;;;j! zhI2I~E8er~`$kExU>B7VvV2Y2gPg>+?(|vS_lu`%azZU?e!+=}h<@)qE5c7rA|v`Z zxSW26;@ zHycg>;cXZ6Yd_L^po33$(G>GiDR$YmdO>bc=CG}FWz69+77mBYzm6LPBE;7?qbs%o zOTZ`}D2IH;-NTiY-V?VRvGL=8Y-K3T8=Qy2MnNYq+QWvV==nqF!1zcn792`%;1o|fksRjBN zXRnr)UbM2}x)ewzNY*Jp_vi3ge!0{zE$k@1$5^RFYx#j;L6DD`Qa z{Y<%4in6tXBCUwv1|A|=-|_k7X)S<`r{FU}5yEJ;ANL)E;$={IXld|bL59Y4gL~Z@ z#2=_o!U0Z^wl`|d2{EARfzc5q5rTwlr~2L3z%k+d;e-3s-26Cc*2U6)vg5|(j~Yco z%(onYKRBT?uvaDKSei8U4`ha2MEceN#314${hEdL+fT?YPUKvfv1>%!p;9L(>P2(2 zpZFpdRyOv#Vy$91n=U|2C+&MN>Y2Qr#zg8qTR~EZ^62hXXlySI*jS<9$k!|Tg>=PM z&jzA~=M9Rr0<6&JP;VJ-F`aW>ER=U05&QA3lP&~yq9Y`^Cor}3hd!F@!p24F;kb-n zOYyir#T@q5P#l?}-!QFN;wZrD5VMF0mh5?Sa>wAHAb9R8SEeAFK2h!S`~I?z z{bkLeap<1llO*LU3CHmophi(}BsfIEE$G+`;DSK!ka*QflIXsS=`XMkPyuSlQUW`b z@I5%^)-S}JsDX+{t^+0Dw#^$AIQwm@_ZA_=r!KOCo0(noun%7z(2&Sc9b#^K@*v3n z&@;{8?MjjQUmQED)L~l=aHTqYJY4xJ~%}X zqFEezosWzQNLDca-^$2vj?%C}t7U+<9dNN1p0y+r#MD}AYid5CoRi}M(sa&9jsAUs z8=HIw?E}kCMdD-H{MJNzr>KWWdjgbfglP`|F@W1*areUhviQdwVp*DAo-uQ+#wKgG zU*p-kuocLMuDoMdOCKn&P-6_K**I#sdsKM()^{B zZQgpL{K9c9)|j;Yk3sy@I)v@j4v89_l?)KmKZ#@KNr?^kA6sFG)_x6sY3X0_wYzPg zjS&|Yhlg+WhM06`vBt|i4Otpsb6=gE#9l+*J`F7!>idr6B2zmxhm99}Yn~;la-$$3 z_cHNZ6Lu2YA{E!%+?@&Li5nQVedXtQpb&_IVF|M6RxLH<9}a{q2pu%zNk z2N=02V$~XUUp&nM0^)RU&+V0tEE>zycxXqck9{FiK?THKp>KVA5VJLn*sSg?JY{+& zJ#Q`cs9uicNZ`B;dPYD*q=YpLc>NxLMtU4sF)TH>87Rhff*FuyqiiRD!! zq@u_Oyvb1AUBXC7<_oxTLmLjctU;$7)E$p>7^;dSQv!fSiT3EQW-pa;hlfeN+Yt^1 z=)>36=5IEyyN7rkRr9~6Q9Ry&NN?Bx8nUdiRZm4>X(2)P{(`Ez@cE2 z!Qg~poPq)i0$wY6qr0O6nQ;AY>+4szfwQ?v+YYEp`R-=m&txR7R>Voj0*Gj6go2@P zvJi2_1rd3~+nt86>j6Y27-6qL>p%ev#E0PrqLDX(u8{oW79f1pukBhH)fH zE82U?q$5EZ4uQg`Ls4=U2R_hwQskY2Z3M~;RHbrAaj*>xgTNxe!3+p{Ky}h>K}W^* z6IsF50Ibc-%)a1_gnCU7k&!eD;-}(0qr=O7zg04l;jWhUcv^OtXG**c4Gn{oTov(1 z_}8ub9l4CtS5VpTtpyM^2>kvh(hndNd8g)mefE+!bYua-&OrtlV0ecc)`J44$&iGB z3Hc6ZT|@|N0DK^e<{m6j6omFP#$ZbO2J{E z5vYg(8Zmskz<_8>L4a@&hf2dDo=z)nBn%|K&qKiJ3N(>oE!5a+`VBK z6iy>33(M~w7y%^D{za;JnAP`y$D)!3$;$~$e&jm?O#^dVprpxMtam!1m-It;JRR{9 zt`yZX)cV9rW!k`z+pV%7Fy`(kE3EhhC@>F^6!@9IpAoU%PR;=pj|Cu(FQc&H3|JL3 z258HhFz$iv)=m24AaS?)eUqgJIiK$M*3u zBzwk0_J>dC|Gt^MPp%c@ibu$o|H39EtzUE)dc^gAKXZTnTm-Egsg|L2f}SV`upb+I zLGQ5s)@en(I9alk4uu3DfWl8FTaaHK#1&DV0G`NRoI_mc>>>+f-fkX z00-yLMML7e%nb_(x_}|ILHKh-G096R*?R`2i0cxegSg6x{n@Dk| zo?{r(^3fMlk_GfL^yIR@xe-?ne@{Ga5H=D|w5fc~1M`8J5NwU1Knr6TSod7K7N?L< z%0QHX1QZ?=>(<7E`s^(4LZ>63kTx#$#9NI!-&bIm={SVL4xZp&b96L~U~L;>h`@|W znS2bo5hTx;qo(l@=W$kKwl56{=u(P{4O^#%csiNN@4y1iPkln168`Ogl-s3#7k zvEBt^|6TwMaAs^TTE;eG9LY>ABGQfyU{J>3ehrJQu)gOw24Lzyf}5~_7%E2 z^W4AX(xD|_XLISE<8ea%*#aPH$~_bZ06UGaD55?U>(4*`4_|ux>-CHb1w0gfi1Tan z?GL>&(}v)NHkwo%WQ^O^);QM^J06+WAkhPy76lihedc9d^hYiYOayT_wcbV-55a6d z$$ttDi;f&IChIeb#!qa*Fpa{07l8u`asDX!LvO(EXa|uYaRSN_?)3-V0cvc-oQ!T1 z56jNpo)}9803njaLb*(tzl^p6`}G?dGUwG-RRsXH4USuOW#Eail2X?4PC4kvDZdRn z3>!|EzH1-ZcLJaN7Rmq=ENn;|k*?(qdG((tuFn{d9N_Ia2+yKHCr;rE=3(+ZQL+js z^@?UZBAtPwuAmEO*F!t{`+y&q93ii`f~%nI2D1ri)zRZ)rjp2@aBgP4@r6DEyWs1) zQk`m>(1x*6+T}SWg8F&9Ojri{x_92S!ZJyB_wvfi$zgj~9%!tMp#z6jzx(`oQ&9rm zM5JuIs%^cC<5J*9ghIT1BtReS7d#w>;YFSh)g9ls9|(k50MILlhE!066NS^P+vnn~ zX?v}}l8M9AgPoMpp`ml5s)()S4OUf2C*61GjFxv&j-2cA{|&i0tiq-lo{8oKlh!r> zHjfX*EW#3ab~Nb*HdA9qLplwT)u-@z-a6OiSXwarQ?4)Q-_sxNv0>Sc)}N)mYuz7( z*^!+HQT=ITqRR zJ98uc|FfvBn)~2Z@#N+sWADsMd9${iIeOF|$Flu>$MuOo{q&4$i7|#-52>m|W~K+>i)#`!x)J`wO`Kp`78!z ztjG7paxr0jYiYsi{A}2}T}41{>H>a?9d$W1TP#)tCM7KtPwv$wY7l8ZIjk?Iq&|W+ zp;139EbQG_Q3<8MK(;Ys_Uz&zuMx<}Ddh_Q?`#GX8WVlquKOY10Mw(7v)m$%z8Dyy zGfUpEQeb_AkZLL1h|!vQE~Zd1p-AMFAE3s zTOG9lfJehxJHoqi-x@A5ncx=$szLchRTh`To(*I>706Gf|HwVUFrd?cwPpk+^R>Du z8`0{xoN4tas5l3aB3hMqc&7^>1tiTh0`{N}9@0Ks^3A0y$7Nk}9CnUWb5d1fpAUZ= z{)2M|Z#SpyeNU8k1}ab+dX!dxt_;jbFOVjR_OJt3L@(?zs8|%@fc=e7G+0{^xlTDk z_?09ibHKz6C#2+%1P|<36}EwDB&UMD6#%0Otn`l)`#Z=NFJq#W&;a)XOK0N15phT> z$Z{C#2)qb5IoM4)EERfqC>*BWgQ9~$>J9Xjns|PYd61EsBqKPtl8#PhKaN^P`!DoL zOb8JVVDCR!8v35j%|p{lHx*T*I@4v^Wj4@*_$UwP&LL9b2k`^70!ymPEIH0;hUSF+&W=oVGyZ`pH0Vq01BWs4)+1FDskW- z0P4J8Ple_OdB`_nJ(}O3l?r}EA4TKUPfVhAb3Yxs{u&9z4=HPTX+Qwf*6$}a^ z1w|9zoNR2`J5PV+yV26aDY+mB!VWr7k|GO;{laDmYyz{QI@4O^l}CpeGe5c(3-Nm&<`49-4n#4$E_cvG=RC<75=0P=_B zq26r7+x!eo6i8Ic*ag&yH|qp21HkH3o=~-K{yt$T+zI0+N%EohB^4I^F9Rj#>U$%K z$iq{m&IO$n^}-ncp|YFrhHZr;2>qsXMm+5!)a9!NxV*9TD&X5i-6sxPgFq2Ohz}r6 zu7wMy`aGFr$MTfcsKv3LRvjM&qckE)VU&;o%LPXGLTr)5$^Fca=J;20Se4!iPc@2P zK&gng;`9XGQ2`tULc|w&SOC)kBR`Vmq5ywG6XIbav7j;N3aPFj5E1XfiSP`xfLu7W zyIQ?JMv41NxM;h;x>32r{}y^x1CBO6`Pcd$8NUG5=j zKX^E{v7p(9Mlwmsrnh?Bw}nF)4*^#G^Pi56hCfwj*d zuNEWSRZb8?1$5vDP2RtueBbQ13CJLCg33oETZG$yoL&SoWyIpFGl=->(Ey0V+%Rmo zx_ax90!X6B1>tRh<^g>@!SSL2=7K6oMXQc1fjKQyC(FS&ZV8e7T+rBf8<8>6$JBz2 z0a=gDwaxe*$|4l$Aa`9vJ(p20qxh$M*v2U1OYcIC~p6E4b8x0F`gL!G3beEh>CY1b$y ze9^G{O9*uV22!Zi@LHetV*hv_hXhhAY5$S4h~xhz4T=EhoR9n+QV6}SC*B{a_Ck@AP~s46O*2|WFHloE0b6Sr%xSqD=7|P zzlf+N%1N@z0G$cpG!x<`U}&GpJ4bemU|^LX#HdOebcV`W9<*=Y5H#O(m^XZr^&qf;%Pujl zgvlzootP=%pQ>c0LK^mW>@1?AZV=@ZfliQG2o4RFGlein{w~2n?%s!S3E^u2Z6Wk~ z%w9+<4$K(*oCkR4a>u(8(GGGO85!a4n5Ed`%8-W;tHdA0*84DUL~PsZB?~Ypn4$_X zXzPE9ajN>gL^1&Rg%18WTyjB4G$IQ;T0KB7!d=B4I6Yt&( z<6DL`PSVKfQ0wqFh}dAPMnnKJ{KGAuD=I2J9kcm2l!fJsUoj56D`-p(Jc&eDYo4Y%)l82*#rL%K<_hPL!ufxlykVo0%&JArMl_W|$ z3YkHofwwY>OP|-(DM=PV zjwz)`cH5Bkm8TVa;lY8eIEd$vvD-te@RYfNUU3kIxs^OUoEOoTzxjq~63eJ-KcjN( z;0|+<6zhr3cbH;S?5L0sOXG82lQ*j01$CznfN6*}%7@M)RG^&#VsH)RUN}4_AwKsX z(kXy2FF_+rXzcJ&6l_58F*|I}_5oauEN&QJk2y8f5yR(n8ImPWP!D<~^=DkWdi4R=SfQU}l$7|x%ZJM9^l--xO_?7*e*4u{ z#q%Dg5m%6TSG+Hs^+m=qC_GJ!{Y#)t)1gbXWiXZML)$ZSUPPedh9sKy+7(y=j-6Vd zkF>`8@x5cxqVI71PinubMa@V&zju`$m7MGtb%?c-@9aUYGa$?b|7PW6-O$w3agNO< zuxFRuI;{>fP1~?qrT8-waa}i+y&SXHqwdrxRUZa`-bCTS!UedIk>N82Ki)l4C>=Hzgq1Z1qYwlF9si^-_{t>z z6h*IUFQujCMt^E63t>!f{oxa7m7*bD}PWN&i_jli`tC zs2l0AmX@Cr%VgsgtT?cH{{G+Zx#?c{#Ib+Xo&_s;Z07G+@@UI^T?%Xw?^+?09U{YBcbKxfntj_M{2ktTI1Zp+@CkB@{5n@C{db- zn;BG?=*qHX$QgOGW!Ko}QptlX<17{ET5#z~J4e5J@1STl?X!Ws{ZrAOZp*^*MR%Ht z%}OUzByKIy%hzXGI$KpfRJm`Wo@{hGQ`k=MaNVrHQlnt@w^TQn&FLFCB<4m>i~pJh z&Hw9m&6^Wga(#H{wRi1X)6Xke@=OGTMJfVz1?3F=Zd;KUuxp>hEbYC_>t_6S+Q^&j zQtWTnb=05F^w|*}o6R&^lRj2(#_dGsi<8ZjJ2%!v9!#Jfi!F7}P3C-+a^~ww`E)17 z27FA7IwFztab#G}xWvikns@Bo5MP})A$pp2vX?mrGh2Smj4t}swMBe!FV)4ge|zmS zKkp7{3n4wZ$&z2xX~xai#K?3rqFNz3G)yM9U6okbdVBrhp8uy)q=oV>X!zo2@( z^1H1v72LJ2>BHL{S7;u26eMDr%j%zz+FQ{5Lvn=u;(=j)Kcz4?58;N`5%Ua#`tYd* z&#FYY9p4?OJ>~AlrFWuTSh$n3f*EPWAE%NcdPkU-_M@dVujlP9vuhKZP79bX<5k;t z@VW9Y-h}3UdEV_J8^j-f9lFeru*r*Myr_1T^gYMneU)pVI{#Zuj^92T<&0&iv>-;e zWzTz+^XI=>Cp@x!$laZ&HTy)1i+P-A7S9gpny9%)-g>ZJ_*z%~jjWn1j3pQvU)z4@ zB^{4eV~k#}f0N{?sC3rP)BnJG0Mi9~-LcWOCjEgK+6;JH6FxsZ2JL;tsE7j`(_>oT9VUl9x^S*ZUn~ zxfoa?(RTl{gGqRBV!dN-zsn^_`!S8@vb~nAP2Sox{t1u8!pbiXTo~Gu>HLWvx0pwL zqIsA5<=G4xXItakyg~5P5_=Om^~6NC21BFe8TfvRU7akWKEBhrcJfCe`Jt}(_PW~V zLb_n$_cBd>Uz>H5B7t6dhu39XB6kLTKfQeBWr5wyH2dN63oGwON4yzp1I`*Pdh@Etfm~$z|&ui$?Bb zcm3M_AfE^s2q;Ll)(gRi7qY)*g+$>}XmwufULT z9XItczhnK3reI=idh|{|ZpA(aodg@U=*fXCdd$77*QGq(j3097ylLUfR~1m+e^bgU zt@HYs{N~USixzD!&i>@jd#w@@xqW^KQLeAPyTP*aV4nc5^Pilu1FQMh3NWPE^HfwX zx=@68_bq3>5|+>GvmEeI)NW-|vAnx)FS?K|UoqM!dBv{T!*yd8ZD0D}cL7c9*L*oe z>SrEDy>MVg>!mDl3J!T-o{(rDV=Fp%*NBnZ@ljgTovqzEQsKuQ4hrwl9%^<4{Y{3Y z3un%lL!F?Wk5M$Itzu5~w&6in$E$w?Q(XraYV+pZUa9tovTE%n3j@Zj`e)Y4hW+iW zXBuPjEH*r?4cEAHx40*Az1(=OrklrkFOxhPbt6ahy10vD%{)Gq8<{1a7W0;Ue!-PW zqs9E(^4WNRC1If$0-xo}@aTZPcgWckfr8doE`FQ7Ym=SU(QUm7swQviv`nj_C;Bo!t#jlb&pxn9AGmdtOL>?z8UPam8_W zvt!i?tr>~+RsK&l7c$>lFG}q<(^X$0uHzNdR{ttu^2@i|>MMTN>D2n<>}1}?H^_6h z=2mP@h9sZtkVoEFcLlRpq1s<7_;sjt}A?T#u6S~>*`e_6vkU{()p z6n1&8m?_)*r22Mpd&&`3)f<{e}CRRI^~O0 zo^sM{SciQ&2HDRbdG(ua`2ZPO&5NyKT203j%m-uNtk;jY)jfOXj6ZoS5ZRM==|-A? zm<-wUGNEbTny($;NfLo0sL>nW4z1JakjYGqIuIM^o*fYRVq7fPVme Cr{@{~ literal 0 HcmV?d00001 diff --git a/docsource/images/WinSql-custom-fields-store-type-dialog.png b/docsource/images/WinSql-custom-fields-store-type-dialog.png new file mode 100644 index 0000000000000000000000000000000000000000..54cc8623e2a2d04cea1f04ee5b977ce34c61339f GIT binary patch literal 44308 zcmb@u1yq$`v@NC29fUWP6_Gm?vn2JZO=J(-22{m zcbq%kbLbe#-hZuceRIt@*ZTdeq#%WkLV^N;K+vV%i7P`Ou(9Az1rh@INhEIY2MB}; zA}ube;+}G_=%J&s`G|Nj%!IbjX5ATuQh~&f7e;z?msB5b!4o<0*OikoVb863y2>_N zkIPB=1LHtLl1%;fCnOgCI+!m9R23NWXoGC~XLo@=h%^zEm|Bmg!>47<(wzP{{YmWf z_WpAw5c(}$zwPfCYNjz7KE5)R7!q|5)?fPAJ`x=aL>3kWEF`%$McIL%(o!BWa&o=~ z+aTyyHeRWzybzUPL z6&2#uKS>s%N}%TlKRL_9lK%JC2ubR%|E@|DDfZ&uXY3@w@BZC}(QB00f0yg}h)07A z{VZ&hUi{ycu(IBVz4-T;WY&M2=r3JDQqq@$g9EdH&5aEzTH0*gn%{N_)&I^NgAx1V zM;NnqjeqaD;mzO8ow;hOz)cPgjxyf|&%8-XCfx=+L9a{eao6;l_;-<7;T+Pm{j_l- zdDY~)sgmqHRHZ6Eb(E2dC8tLxJ&K5ol~nSTl<9+uAAhwk4;O{E7h^_SE0un`S^OK!c;a{`^EeM&Tpd5W^K%q(&<*IsRyz92mNoS zYiovVl~_d86miOdZ}s&%wlMwL>F)H}`(8D-t@EThFv=8^nYz5eDKR%5`r~nOya|I5 zI(|^I!9i=py4brLIPLJ5Fn>GU%|bJXhT08|8u{Ietz&z(Z>hNXRc7JKZ+|aBM0Zyw zglP53C)F{_l*b!BA)jq5h(X(qt^01|Y94*@r>taj&+}c_fZ6oc_nNuJeKN1Q6!mqx zMt#&TO0_i-jmA>2@>PN2ym!S4o`3WD_E(ENOhF)poG5c@+h zjxT@vwW~|w;o5FdiPi57)sVTHo;c%&7mcx~U^3pc!tzh0c8$&QWBa_swp6{Vm9ymH zTd4aQqMM%9u~{j7JEaKLP1YQz-1~^);PxEv1w202W;OUqQV6Ts6AEN!wiUHYVX9A> zwZku-yleaTAtK`L#vr2FOLxB?JZnp2>*_RRNv4d};?e%JrAwU$7doT`NX8%a9pU9~qj zrVpBtfHTL`{*jaffqX~dI$HFGcx2;PxwS^b4qw0~42a$~dtaYB2UkbJGZhbN5w>ZE zv4_ayll5YB{XAB(Lrce+Ihv>U)QF<2)fa~*rST9R8u>DAlr48&JmV?VhfiVawWpm^ z;n#;d^5@7G0lDep#-$&;9PJ5K1LavovP$Z?hKb&KJ2Ol@tka<-j*yoY6Jf>{(?a|^ zVZasJcsv?PD4|I~$I8kI!m~idG=(4ylGwoCx@h?q`y3ukH3_*gF6G)>y-DD-G0Tgr zWhMQYFTs&414My3IYA1&2DBXGty3G9ReUO{DxF>5F`WjM?GkFsU=+aW5J$<+PsYH6KK{*9R%!l|H2o7X!1*mtQA43?YrVf^u*I_HW3p;Tw$SV_O3| zS6_QFHeR})%Dc1G;=Cq#O>CT3loujd91t8wEH@;tRi!9zGrmH`^)}boJw`L4u1^IT z6Jv9@&e=r*k)dL1ekrT#tGyuK&U*tJ<0zIEh2jES{kFhh)q$iV7rqb%3odY)z0~!o z6u*F1lnS;r2>Zj*tgsM`d5yO2PK+81HRgq^t^5KmC6!l(v>bM$ep>~b4D|SW1POEi zznv|Z-c3!W!Qgx}4l62BqS`W&_rEt7uy#Hkhfgnk6J$krWc*h)7;9F0a$h}9+0vfz zB{^biLr@>?XNcwP^$-dvnn!j)?4io@+gfq58DH!xTOkNUPMZxYE9cU3l-az8h~w*- z{ecKm!!@sAJHPSD>hf;P4`>xQf_bfxSJ_UN;^M|Cc{9U9+t)G++5q{vV}W({@^f9 z4UdJgK7sI4JLf^sNtn!!ZLwG-}(Ii^`R;-xwnD>i%FqIPC0y^qCHs z4G%Gx*+@e|Ikn{e!B99Eqs~D6D&}X^I}|B((!k-Uw(rrRSn<_dK{rfZZrs_*xG?LBeVYPcS zfQX5uAvCXq5E0!ZU?2hwU)Z-J4T*SZkuDWN_TRtadKWR=aY|`qe-Nqx5jk$xWxu`A zBjTt*OcAuEv_j;L z24C;Ic1Hcn_VMO@VO7{0U(zSS%hdLUl2qA}=_JjrSAz zuJBcm~g`NBPfpa#lG>Uq2q8dAnO;J! z%g6cDNz6WvM-GlF!9h%p0LQ2TZR!fdBfa&ClO}4py)j)bG{JAkFAdVcZLL}STg)#In;1u2ZA(s4Y*WTxJvhbI{MwZNP2}C8Shv@N#BrBgZOVK5V zu@p5>hEDDWo;mC~!*cswqw47j5#X9#1S^?fR7%-C{FT4{!Nv&Jo+&g_d&;x$d8p&d z1?TE`C;AjO0sX75Q-!%jasej~>h_zpUf@Z1wpw^`biGqD#yJ+gNcSc@2_f*84p@1Y{nS@kg%I;_j^)szYb)b-(Q3^GgBQehTp2%~=6KJNqznK`^t zqH%JhF*BpxF(rzmSr6Ol?T7z9_iNd~w{3RQKM*9Fq0Di1lZAoaOP5{;1Fsj}o^{k^ z>E?j}F`cU!;nBD`tVBT<1DIJwzi>#^DY}=2hmE#6+IRRT5FbTT&zVDAjSR4>I3KtCnA2fv;w67r+v-x7ntckZW=nI|XC;vN>+zO%2K?hMyb zu-x68;G>5-Q|ls<&OF%RTgjUP)CD9v2bKN3YMsE+pCM7KMb-)>p|py)f%NS&l}Qou zCV%p{ql$XM3x^-*nL?cdtT#;o9sOtijAc?Xec77 zK`Lu%%~g)?=kP*zQSe(f0}~z}O7RwC%=SRNk#;I+mWTl8pf4afDuF=E2w>&BXz{#;TZ)Bq zO=;t19(FC5((3U2Nb6yssanC&ef)q*TKYlDk>XG2vSgpVK9jpS6Ufr`1!YKVGi`|c z!RPK{MSl?Qyz$R5aRcakr(3Ob>xb3jYzE>ybuQ(I3B48Erq`@>JHw^2NX7$*^AyVV~^pmOR~SBFVE`%CHXVy@pFrprxV9+9{8|2TW$nH8Qfp z)_TI#>!WJegr)PlmNSS0;Rk3&=|1RQ=!;F&#Di3Q1_`UTr`)9FDt;kTPhuhM0r8K? zY(dcXg%}w1hbo!ao@jYk&>k)NLY75%&JXrA?XUvt>mh1W%pYl2MTD2rw2Ha*)XIM< z2RHIi+_%^f#Nf%CvK5LyefX|lVn;38nt*9qt<_poJcFV(745d+%p9o|dhT`8H^3rs zf<^g8VC*TfcfCW6X##V`kT2w`5wY*>9*rJ(EwZfnao1||XrB!8NT_v=u{=Up!@RRS zfv8pq+Z*ni*4oD}i{kHO``>0)Jw8S3abTZ}aCYIQAEZXVWv4XQZOF%JoPawjx(og% z0}OlN`}#@sqa};qZau)_ZL1r!Aql@}m?LT$=2>lL9U&KeCK&6@NJ!gVk;LP>Ebm2U z6IwFjJIwbD!U)uz-lJ9`o${xA#R`-hn!V|`)kpw-a zy0(}!`O$o`Ky_yi#C6lHubbU5dG;IRayL+wyla zSPY&b9hIVW_iXb0cKX0(+rTvOGszq3+X-Dc&wR=h9czaRF^-0-!-zJlQUXQRU*o$O zY8LH;CvDqjZ9Mt)C4i?i-7XP5Al*qhydis2Klf=M3mep&zg5Z%allWxT_z<7UL47@ zDOM}=>zB78eu&If$#Xc9X=s5jZgpOv;O8qsdF@pA9l-^3Td zR}fj~#tSMYDqQZ3kBMiDN!La}G`B*MAi(-ExH|V61D@9u$XUrgrB=GfFh!uo4?BB% z5oHrty5pI(+tyD>$lrY6d1v{W1Zsx~2?^QE)r>BONO)}4xn{mJD4IXxiAbAkY}XFC z;myAGzM&RRuMZE}Pqe?n%hJx^hpcQUI-Kkth5QkUx@A4#_>A@n854cV(8f5xR+Iu- zfGef!h~)YPiQX;+D*sv>vU}f5zG%(%oC)vqbmb|an@X=Hf1KUg2iBjMn4*ZMG(|=- zMnkQayJU0Yjv}nEz!%Acpm#`2T6p6jdr7jXyy zdWEB+nR&vHoJ%5$39TJxK0q++>$tKC9=yC(wo6$%0lu!Aoljn27x@slDrjLNME$jM z{z9287P;JEXYk+^$_}72sF{brS5WYLKX%}Io#P{m0%b&KadX_G#kl9HE$5#nN7ARe zJsh%Bo00D0Xp2&)TgdXVb9}nKoB0xuH$H`E3c)g?ZWJWAPcJD=cQ!YJua^BNWwI-V zU~t$t#G(FL;{)XMy~U1T9b*H$=WD+9isme?+vxMR=ZTHbikoTN@VqRY?&T12`)A7a zm}J#Y+glf*p$SBB%J5N?VZ}VT=^)oTUtWrzC%*80l7LgjJ!7-9#5y1^K4oi!6Fv+B z;kO8H*#X4d6Z51;cuKB)Phxq!_b~R_!Rtkj+&=uag6li^e$J0RURH-dqA)|j2kzpm zgt3_&SLb-7*W40GhJk2CkW*H{-C2EhwL15T1Q5EMR-7*i zy5y%FYt+|Q`-mr}+E1Nvl~-7NED*CTSd(nLwUg-tLt9$^$Us`yI}fgzwQgYH8Joic z)*M*R6)Lxb!O4jmXpxfURWE$+IT7*Fwn%|OxBJK47ShHqeB<%E)$79(`H0j}Qm`{` zO9+k4&wKLnn+?pUKRR}JQbf>hQ9O<4$#y3^1 z^E{%UQGBtsnf<)nU{(XkhQxOCB|zizj~4U?6Zsz+ZN~GkUNIMn$%zjUdOsOnNVQCv z8uh<55M~7x7g}H5H718XK5tm9-dxX|+_Aq^5@@;JF1`JWsvaptXIJhE>yYtM$KB1X zoBt^>2d{}Zi!l#Ui_6c}zr73lUBEMJ zGW@8Eb-APwgmyZ}XU1kYb08r{v|UhjST0DN7E)>Yq= z69VJGvvxL4p6(u1DQL`Tq88aTTvzWnN2`;qvTEhv&AcN#O9&SP$xj{#w=cGTU4DLD z4c%2K)1mu~)UQ=@LG?K~T~aSIe<1GCsk1u~Pbnw}rLlHodD%IU~1oV%*a!w<}WTYW5Cvy1twPeTn{YR7kH}u2-CXn zm4l0_#8enn$_TYPfsvWB^^*RZidfcEN6%70_pl{`rR~|KnY0q%nK{N~cu5`Y(r{Ah z$&ymsR@HoXf=p7jHE=)|*Xgi`yT*bIw>d9a~2w9U^zJ#B)bf#yH7tNXyGcnJn%q~&Md#|QEyTVOmOwark zO1LH+@!ybPh}RJ892}Zpp{Puf{8}7%n<#$iWtBlIAV8j}R`|YHY5F|9a2zFD&Ek|z z_S2UN2B6`@4rsBMwJR%n8Y6 zf4I|P@Ww8`|BL0jfkFeCl}-gF>oV1J_K=A#fg-PcDUHvAr|o|F{*4KNqKR|8)=An( zWdH`t%J8Tje1(94G{`JBIy+xJ>Xe~udBXPL)6Y+iA1Aa41iep=wriIx%dRUmeK*v9jIwur?sk)VYLPAb5)L;5);7tNS!9LwfuC#c14Z#h2d zQ*QbhuE#AlXzq>SfF_>@%4~SBMx7;Dod65$o#)SQwZ>VT)H5@hhO7OjfJ>Ftu=|R+ z0qXLLD^Kx1+JzS7b3(C)Je(Z=nui`{O8>XUpxFOk9mfCZMA=0}DgV{2jEZ_M`=5== zuW@ns|JAz`_&?}f{!eHA|JDTkUruC#+uzT~*MRb`O{z$X5-U&7%6PoP@UJ5(5cmJu zN&R0=^51C5UMqSA?oXG7D&&qo*_xULKR(=L*)6x&XxSMWQWq2ytZZ&hPBGLZhZC~W zynKn^wEZWzvC-?BX}0n!*Q15cwM(9;W@cuJc_B96zJCv@t9vt;F8uV_rm~;_rM$fS zowRg-LT+Gdt1v7qEEPd``>K7KhM<;g;UoYTsi`S@ z7Z)4HbUYOJ65U1wDJiMzySu;vu6yB3$t+Q2WgGw=_YV*4+rp;g`=0R}_|b z_YSG$W-FPy*zIC(Qt|cR>rnQP?r=h5pyR-?Qk9#G3=CzCn=_6BHVP7hwd^~YlX@l9=+FApr6mxffqr#y2ZNC6?q05bX z?XQj&5uPP!75D6p=VD`HkM0?d>rpfxS@~@^dQ=YdfGYU~V`6mUO*6si?>Yz`z~ zQ&L9b(kU41P2@u_!NABkZ%P_HFs<(wd9gq3=FEjeEnfOI>7~&1$}_n{4tNpyfx#+^ z@iL3?9PZ#YE~}}k9n@Xvdd~|6Wo6})zXPns`%}dl&7NFx^78x*T7FvKDL_9QRr$jQ zhr3Ig^PSOWIxK|Q+1WEKKKws_{=_08LW+GianNAGLHu2YR-6V~PEM|k=&geTJNT5% zVNE=+!m*x=BN0t36N`X=;9@Eppt7DG#)l6dkb=cNR%@xKsI(0ZqQ%F@M@~^QF`=dV zToNA~9_|+(2Vx5O7Z)?b!NT|_#c0?5sV?OSVn@hVL8;b4$Ho2Td2IEX#K)(&s3`5@ zzRlwP5>a<|cO6*5#;MI@yOw~|RC34)Xzn8+Be&;&$YrydDso*^@RE_04HT!@-LV8S z3VNYepEpk3cczL-Uz4EwC&ee(%-3XkT^+61zd=Gl5fc{=YPrvmPsSo6L$k87il7vx z;IUhRg9L?!8V{!l-a1N4OaFM|Km*Fq{r&yPX)h(ujMiD*!BR76W@e^FtFIskOB6Z3 z*@>@~7D-PuB_>8_;L3_Y3a=A_$k1an2^UHzCM7q0tHZiv)8(Ai5Jh@f8JqQD1HRMN zU_f;>7Xl`Q^@*>A#Vb9pL#{WxyzRe#Bcl>9iAYGmL#TLpHT?z!1O)8wuN?yU?l0%< zz&*o;cD8qY#*Ix%nk(roVvk^7X!atEjg8f)w#4_mJjic#u`)Lgjbl_d+U$=T*>!f` zPIa^28KM68nuM*#{&0?~>7)a-Z*VY3?qw&~lq*|X2;~|P#GGa;TSLij+)t=_B1uE- zT5b@isj2IncX7a?g9i*r6ZGnsoh1g78C|8Vk0{y7$Z;~ki;ZqsAecMzwX9$wW%cMN zN>TU$kG1(6hm4Gj&8Q2htE-FXA+fNisH?^2&i-Og734#o3CF=gJuXcwQdCsb4#PHh@-!#>UUU?STEUe!e??Yy1OjQ$l@jY@>1_fF?7|UOXlon)8ZEr1_JU zaPaV}cgL;0dGE8@R_)oGw&YCA&DTdV-?~3sOvffChi7C^Ez~(Y1IR_hWr^o|y^079 zF&zCV0b&)`&iDNJ^U+d$VHI_Cp2mkcC-?Q9NCI7beV+^btv{*ZJWK9b5}U$L_f7&& z_h$&xL#V7x5RfC#f6=qBOeF|AtigQ>3U^Wl6gG1}?>`hzC)1z07_l@IAJd|1R*SCT{L{7=!6jeRBy332T5N2Lr6FCK2p4WY&}HdmeowJUw;n{38?^uBR(dkEk_}>-}m7{T}?%$3p~i( zPFA!As6*l5;l?d3EeGKF%p%z1lal%&WguTGzJJGaJ>Pi`;-P6^U{Dwp%MNmHzT6m5 zyUv~(ptog}4%jH#HP*!ZAWc6MPRiwumlvv+R?JqKS5{TMc743};I>_OKHfN%bq*4VF#)c~=srl)7CBo!yq4GIq_ zG~Cd$L$CfY46s>KR5ZYs@|W_f`Fbb1WDZjlevmNXk&&h#biB#jHYBo&iaay=!D8*u z7;POL{c$~<>t0)5pIvJ9N^ET8pKtQu92gidwrjp1(5|&5508#Er&CNb0hPhX!oni@ z?wq{`t@N%z7_3(jSSA<)pWAao00m4hUxs*ic$5S5FZ=Wfwg!OD*3M3!k&)346$Vp6 z799h~Ob{~e3;@lU-{0tnA!^FXKbMz4*_gS%IoqFH2P0Vsz+`7e#l$p+%z)(7cJ_fW z(Dy!tmz9^dIlXX)MwpoRH-s%ysV|C*x1&U_xgQ|FEGYcM#&WItQqdHqIG=;ac^!j5 z++0Cnfi5!unBE+@#13#HNzBViy2-b9VDPM`uW!(7G{IOSH0Yf^*nU5-QGy3YM`Hol z?+&P_s+Oi@$D!apz_H3>pG#Fhp8_mKj#^=&WR{^;aeOMT zQ^-)da5~^0m4E*_)>uw5)YvTxJ(%Ye6nwE+sEaMuDF1|yk6*6a=vqEmsLq+M(yzjR zKi}#n>;*7gLsOF&3Jn4RDa<-`G14z^0{Nyw-a#&W)k^h-fR%lI7ZV@fV>bAs{ZG1Z zsW2;8kLHKVdFTQ7goOJ8V2e}&f>8-r5PQ82c$%V$imyKRr@hu-bdHIYHTq$l^2y-o z@v2o*Obqthz~-&-`3nKh#p%ai+1a~qO^l3ww%jLiSwT|?wBg8weN*Zi8~2wR?N>jw zo4+rdIZfqR{Bm<6dEDh3P>2?y`2($Jq9U&W?^5ke2`^i*@S11_uWd7Zv9Jjh?E` zhoY-dM8u#q0WRq<--hdD2s$aCZjn1XAK$&ef#UTKZkr@u|G?~Q+8W!%FCTIh440Zb zAVA+nk@8?XJskU$yB=x*wj!4%K#_k*oHBTdn= ziZ!}7Fe~dhSW7Lz>wtkxn%A%Kj+?J2ri!%@&CSidFK5mBhKEbl)iRZ+0Npk!*JzE- z$;ml6Jr&i{OKUl1j_!RH+6e=GCk$}Cp{U;W7vz9#RMXHPdVzyXWPF}H;->|tdYuz@0SMRg)@7e7-8>bB z^MhI3Z*+=1;LelDo5s`j^scIfL9$M^>R&m5N;!XUYZ=XxFwo6^+!V;#at#ZZGGGf( zrYGvp^K^6LUmSgNlDkfunCYdzkdB%0eMCw z==oYQnj-Raz4sXe?8~UVJMN&X?!F@%RnE(DtJ5y~%2&KsQ_`$)bgs>vtdUJUN zJd;-?Dmc<>BksuLO|=+?<@9U~k!99%$+`xntMbEkj3H_n8^7kPM8C1J~A!eDrmT z)lff+!;+FF({YRRcXYto+SU*-oWwlhysQ*$sg zqa!0DzkBzt4d7sz?IIua4BXt@_V)H7zP>Fj)pUY_x~&WKPTMEDx#?mo37zBPxB&qH zV6R+E34?-;hmUVKo+Gcs5C_(_+p4sA%AoLr*E}GDO-)T8c`@=;3ZClSjwt{c@96Br z#=?TQxw&}*C<9O`1{eoGM4PfS!_JWQ>1o1mFXcOcOM2n7%jM#oG@d1ed3}3p1ags{ zk@2mnYMgJwH=xy^o6~B#Bv_m#Kr*YHXW2V2FOMG5wlkUqWtJcbMY2X$K)F+NZU7RE zl1ZcNpJE%$lA?}%m!U*&4@d`-W(6E6x3!3=DJ`f5F{!EO^*T}a_uk^-;vz4b?+YwO+Bv6PMu83O|Y79n9S<+Y)W z&4c*mEa2kL5HY%nwQH&HP*(T$P=dt*fEq@EgAF8LW@Kb^K3*c9ueFnslS2a(1W@er z?b50$yig2sXh0gAcRvBvv|hiR=Jk^~)}{1rEC z+06ft(c_^Ertns(y1c%;wH&y(&P(JpH<~WdedD}?RZv(+{q6V3s1#*pSs7LvWpC!? zt#!$Lme%dnH!Lx&g12HDPylFa6M;iOFnYYdA>wnU=eC}KKtR@D>*(khSXg`pku;vK zv4L1>DW{~SI&Ab|YiMb8OidA(|4C_YaM|B0ULF`g1q`?s&}RcPGX#LQK*yM~%l~FTbr0@hnfY zE=`JKHqS z>2UH-;MKa!1#L2*e;(2o84IGaQ;FtkDkO4iW1T|6`es2SG>Y%D%6^3q*MbMG}2yb>)A+Vo^ zBQQJ;sKJMXAcKL4^3R{zNPNru-+y@oSe{vx(xKNvE^npO1FFUZ(y#u*I8B4aqmd4M zlj@t7RVbqM`Jd;T5lPL#$=TSvcdEj`T6#TjY%H~Fy+1puN>waA4M!bx&sBAi?`?w` ztI2CKcbzV(=^-JdzRLPaJMrIlzQ20f*S`Xf#k4bmW%0bicDyIuRfhtTuec_w@HF9d ziZFOA5v|{nXVWc5(&K}JLx#3ybEA_~K?3k#O#bd1*|O9##$1ka#2gHJBHeIiz4HC{ zCe8om<(U6dOZR`{4fog$bex{n8raw@>bd;0+^H4)RTw1f?Mu~I^;K0TYp^t_i;CnxyIw;>!`WFi4XIuS1I(wg=n5n=scXIpRLFgn{$%a_0wfnOev68N z_(6lLag(hnsy*_)a_M?WSpXN~WsvFBAYhW9Tf7KH!LH@_ZI++g}oNYyF)E<2}-&>S=x-BWKS-%fFUrVpd<&YEODC4h@m(>FLgAvlL5ESCFUhxxi*gMtARy)1iZe8BD$75x817gZM|B zzqX#Mg2|?(CF1d=fl$@iAqm}|=tKO+#&8ans&SJa8!3*N^)F1^ex`bO-Es33D=o+P zmetgRDCE9%c#pkiWIV$2i!!J~81{Q&BC%uy5j^Cbj7(5m92USFUm6!M;E0RslgdSc z4uIMIVh$gT^8S77&SW8GP)Cw~o?1TI9<&v;30U#_m~=!) zozphAfB;`Rpb(IiwSzH}u!zX!kiES<0xnlPyba^4lGLG)zI}&sdip*d_ruFW?H|1R z@F=l5R08Bpn?&#Ke+XVjkt76yNniQdJdNWk#wC-K5mP zJ4^3SnY7MB9+$%jo4?FfZX2v*j1VvYj^cqZbb{cpIzp_9EH9(sIs(yrVPP z;AABe)M59O#yJ{1nt2hRW*PQyYK~{%A<*QSD!$_}`{SMYyB;1`Qg7r3Rc9CO{1D>f z)$Gfj)}H}}u=G*0hseKmOD7^?7tK}vMMXgH4W*(i4pP#i@#viC8?vbOQ^b?Op=cQ} zXLYy}n~sg`KvDQ~fej)6oO%>S^``Jr*Te3K{Bfn?BIq)04c(DKR{G;Uq7e(A4J5Q; zN;|MW-V9%@t{r?j#eGR!qzY3yEZ|NKaGq6%9*DX9#*S<-8C{pqL4%xNZYd zv05N&>%vdJVi1f-(rIimvauBoUfx-dT_-0yL7(pLJ&y}j7#8Y?OOH8k%xM9S-#A$K zSs@`2TvlH0Gsv|^BoQ23R$OU!d5Ix;_1Sueqgodpz-3iB5H0J~!Qrc0TNscZ9HtCW zly~rita@#~q(2xK8p41%yknl51*c&^f5?EfE0(~LM#OG}=SWhA`-&i({pxCE_WOFT zuLRE%#QEaVVwv0u^dxQUZ_lNhuGe(noR2g8h8BmOI;fUF z7YeVht0Urfvz8c669ra-&%wpu|V-52R{UL$tSx3ztI5n-I4p z-KBy}N<@^{;_qqkUx0Tem&P%fk)Bvt$=RXzKq@061Az$NpO8n92_XUIL`P@dRAXN* z+7{7D5qeYF1eam7l$>BJ9sOv3eIjbTPzSHqir9PHvKU%W5R!{&`KR8gRrCdpplT!w z9*uT>VJ#-cy?fr$K20pTuh2cCe-gH8bW}ls)k=mE8L#Jk`DA$(9GtV1h{zSfGO2+3 z$8Q6Cy!_LR==04Avd827;#6%xQnz&i1^GU92hCeigb*}hj=`M`WZ>u!8Lv3j1MMOjr&FS@_wpO}8_X)ueOYY$9O)Vi z98M%*PXIT6Y#j%?zy0SM!N1_QhP>dR8~4-A84#SA%7rJZp-*Gc-!YCzKc%aacP;)B z_x_uHaebF8TkbPYXn%DAN$(An$qot(tXuNL#XVm67A@QnElgf=m4TG8wfX{Ro99wd zz6W<7(G(;l3C_-~7hn7#r1^i$)$V%S*+ zYybh7Y-J#j+m~7%yVhm0aU$4#h)g0ftE#HnD_maTeR*llVPSWAI?e9b6{E(SoEY~k zSV!SMIcN`1T9F|gQrjLyJ}+#X(oFoVS%(+89Ds3#E)@8;R3=}Ao8RG;5+{~;v6^rI zi6D8EmQ8q?qC#&lh_1y9=QPgl!NI5N>-`wv=b~dBV>p6d2;AC##>QZAq}g9v4&mmh z_O2(NXrBwe;nfXhxDbOzue@kBnY zd4BdE7yD&%?M?AtvkOh!i+^gWD<#T*A$y z6y7f12nc~DvH+jUr{dz&N0)5n&p|=_JL7ajI=1_j?i1PX-th6Z50`2u@99p*F($OH zpN_OXK?0}4zo5i^{~nem_-u9Mw( zs;b0VeIH15d)Kd{3idCHli$fIc193al6VVKuVRdikNxKB68x`O0IE2(wy}Pck`h}Y zHUp|RWD13~9{XG9ZyM{`W@ob}_o=w(#f5%0Xa$6Yp?w8h8v| zbWRj|;bB&F&Y#JP5)Auvw;T=b8(43Go^Uk{3P4kaeQpjh?3BuAYC;1YBj8#Yudc2d zDuJ;OYMM1zB4Z+6$EtQOAbi8Z>ij|bj=R3N_mo^!UCtVf&t*^L*rkU^A?;1nj~Oeh zA4pWL&fGP!QbzGyF2_@c=^m(ciFd+5N6Sf3Q$aFiI&>E$*7*P)#n*%g|X@B(K9nvb?)r2IZwk&&AqDcx1%Zj$XP<~VBWWrCOOLD9e*v( z%b=mB`Ivu@G+R@m8zD1SdQemSP_fuzl`uJ`TIn)5sGXREumnHGJRl;GjRnVrwc!Y< zU;cCdNcBe@F7_F0e@l8aVl7*B#)SYOt|1I+cGf1K3((^q;4yn0G9a<2u4 zG~oX_Iytd%ab;Ug+eY?$OHK~_N$-4o1o2l(hR)mgl>iaa_opQQWD&qFJJo}q#>`sh zMUPMFK6N;_A3mgc*_MmCEHrt11HR7~Fj^2uy)@Ok0=I1Mg7`q^$i&pt(8e@aH-Y7L z*TNznB5>LT>v?sAzL0$ABjEuLe)K(_n{0h+l^sbIRTgx!odZpHSdI`OO_I}T!A1L} zz|jEze?s7Tp7Fb77AATs!3T5LXMrT%ZhI58-d7K=B+)2;pJx#N_%V^g2(n`3WHnG+ z!l!#MF?y2GDc42;OfW68WZt9yrs^@X2mY|e@YLpzscchnFu2R}?sXu`jGAh1pACve*aP z_Rh4+r1h1%SM)OzU2M!6{zKe|$Vf0UV%B?Ub8AzOTu7SPnkHp!{kpuI9pZgHO5*K9 zx3B@lvhfv>Ia?IDN&2TEF6cy((pB(a`1-F9{`dqY;_kXTKB`Ex}2%DBPo z^5eWVU53D+{ zsApOZKPdZ2|CN`QOXTEH@!PuaTYhA8b#(=%o3g5IaBP2A{y411Ml3s+x;UFP=fB>~ zrG!yRE`umdI0#(Q%&XyfFG8=&!Zt9W6QOm>Iy2vvcV84-J`iz)@}uB5$sSBK`%lV0+Q9cA&)>TA#=(D%w7ni2DU-I?#FQ znfimlqt3Io<~!1>4rUUvf4vAnr(B{UR?SyI+Y$E9$T0X@<#8~3CXqEj;&V^LQc?l} zAJW!F<#^`E>v{gJ+2i1#fz9oxba(og`cJxIMp0AB$jI`_(bk_`$`+}@p)9aP08uuw zwjMm+=gcK zo5hh3HLy)>w1vBW|Nac}g2V6=CYV6s1g`xrzb6=hds$@;v%ymLoyoLg~tP>^=1fH;C$pQnV{>h zCEpTWt+85Goj1c}hMlBx)0Ss>MFl1!EA5eKzsUq%8cBxd zDJi#Wg03mPj}1Rs?j13CD(qJF`D1yV#CE4kDd%f#HhWl+U$sS&@|;lcMCm_yQbY-Q z+MkHv0ccC%yI@ZE`V|T3hvdf{yPf4$;nPzGga=zpK4}`e4{i;u}$`? z&AtEd;jO7E{xd|+lLM!4VlK<7$Gg=|sg-s9*!Dm{t6>q6KkZ=j+iGC1HpPPFKiu z3f_@F>4P3UDbmv3{&@X68vD5v&Q+(y?d4(UJgf8u7#5UydVH3&u=Ibi_nuKzty{L} za+}=(<^Tc)LuC{YDLvScJGNEVQsS+7sr z=hUgHQ`M^4t9RdhuigE_t*pgbGkkN5KKkf=d_4Z(mL2V1BQz~vsle6v`hBQds!mQs zVWL7yU6%Yy=*^oqsJTzwj@UTaFY>sx(rw~3r}z@5$I6VuhmL)%+2EMoItrZ+-`1I! znYoq3!ZIx0_Ih6DLQBeGcgY*R1piCp)1m9``S|SY%yuVN)-;=c|7a`jPVJsH#;}2E zMthV^&%AKHPh?>pB8U6L4=Jav7dv}33>dz(&DaJW!NS!ev0MsWnUcI?VGO)Bx*1Lx z)n{1sXrRX18Zk4#cIwn65r^*RG9_hIvzed!DMiIN?dLWv#m;Hz>OP5N+DAh(+|R|q z@lr2MW7po@T=7oi6*j)RGg~P;Xqis3#6;%(5ifMp+}dd$y2#y*yj9;mgoOw%3$a$S zx_5S14=Z#fU-8Vao8BlY=J?)r9TZwTs=>o1WQE z%1N>n>HrpL7NTJ2X15TzJ=%WdXKo7*ziy$4h%Z_CL^k9+Nj&uJw!!rlm3)PjU2-B- zkVcl$2~Bl%6i}tnP{-B}?h|bBd9Y-!$Qt)+y7?8afItsDd)8N;C5sK-qTH9PW+^}EFm zeQ)Q(6T*IX<{D{c^sCHLVC$tGWq9Er~g_a|l&iI7MDZibN#=0RktDxR;EC zUU6_N3^t$Q{9IL`(^px#PuPAPv@*$LedA}2Gy=J; zCb79f+IT2Cbqlv%@V68b95CrR*7EhMm+dmYT&2_N4@WP%m%Qoh&ov%14IB?ER82cbcAn2X*l?UOTHmV0wvF5drhZ}lnrIcM?V z*XijI)?>m93?W)rY#^N*7FTjFbwL~@37%nEaxBH9qwjRg=wgmpf_$!Lfo;a~r*uPI z+E?P2g-YDR-|MGIASw0?x9k%}kPUN~na_POa^i>i4DFBpexDaF%44J@MJ4F9mL-PS zPo3&{RZ5q}6CTNAzcMeYsOUXd_bCi{b)YFLc*V_4DyCb}dp7o)T^>Rr9hDnKuhAOl&h&YcP zzgu7C?~VFAM#3`;JRAy{S6LZGmdo8Mcd{)xMxWM0&vfZ|IDqtBc5Y7H^tiZWmhStO z*$$8}N5$7RKKJz%-J8owT<{QkmyZt~Y_Og@SKoFQ|6O#GdFyNM0=bd551ZM%xl~lo z+ToHz{=U8qG^N%okg_3y{pjm87d~|VLs%Gkuz#G6&q&Bk$Q9rv!d*}h_3PK1^WUG= zFDy_Dw%OXg0}i^Gu2&@e)e zo_nKV8i{*mk(ZaZE<=y)=1q?~^X6O7Z??~JqCa}{sJlmFUI!rB`CAuH_x1HH4XJAF z=d{?z^ZNBlQi*j%;ODjmT7ysFF7@=ggA%HKO&$0M`~@WxR{+>pkCbqe+Aas9}461jM@TTI+@ zf^*r`z|E*CM#AH%znXu)C7w@$lhV!%JB! z-WH<8N$#wr&fBA$-CfSc4eS#tmlo+LwcbG>KY_6&HkB7D+GO)9IUFEXx-0VULW5K| zp!J~D=lGMK8+Yue1|vKsPS2uR3UqNS+}_n;ab_ZoVtBg#WaY_ClwnuK_J95|#T{oI zE*v6Y{Q|=cwY>a}U7y}jhcJm-vzJNX+OH1o~Zvly`~XVUPz zMn69mYDivwenoltGlh;+gPxQ}juduJ&3288NRwL*zD&6Tm2-n({RXPDY%DBCSXg#S zl+rC!hkJWpR8iT3lP;>fC}U|!LG-%Q?IAP7^Hh(3iuwgDCi5QgJ*fX0Gz}r1W;mu9 z86ExT{#qgGYY(>39vLp7u;b-_^VZ(Zj-MI+YAs&st9ys(WH|L?nV@_+f|5&6a0Az6 zRUP&1v@ef3ynKh+uD7=raDEMP8N?3LE?u~aWfc{l$`aC6T&S(vI`y=*Z}&=369?Ab z?)Lh%IZ#0b@up_O!P$!R_$B+3d)cliT>AB1fK?h_4xI``$+10q_ud)rUSHW@ zNM{!>GQWNv&(%#GoyP0*%9k&He*9r}qB5QGK*+cRm)DjWnm|RE%mg&WDs<#`xHrH~>q&(BrH3Xk~ zyENm+xlLwlW!!N+zJC4{ffo+(=XQ5@Z;;!yt-H``YW*QYR0emBPn#!Ii|*+-;eE>M zoQ2iv`dyJPh}Sxv6Xx#RdMNw<~pZ*L0t z`e(#Pt03p~&>d9S6*>xDR(!>fN2 zZS!JKT;&7zUG%=NdT=+=Rk|)~F`=0AYPr0_hgIR4VqG$4lZuMX+uZLwH~tV8_nuun z4U0@Gxx=2tCEkugK71cerN4P?q7vBceUnnG^fm+c9w*H%ZV&m@&u*8=J?7;i=^r3; z#JN-GE_be5O39OZE(Jf^7i0c9@7eoSh1}P!DL%;Z^ZU@7d?F>tVSZ7g)-a37wJz0o z_4@=jY2UkX1S%|d$eQt-d}?ZX@$1)ZI5o;Xe?AkVI7miI7@nlq$jEc#4umGfwA4cA zGSO?iGaV}?ArYmR04Z0U91Wj20~A$XoK~jl<;<+CVo`6w>0*Wl9^?$4{am_ZSX`K$ zE7X2@WjY4Ty64+F-wd>yXqrOd0R`?cF0L%)X?}iw^W}xHJayf@m~HQ0CJu=eD*zp=~L{GEj!$ zA%rzU!)bY%(&OT$L&eMIyg#@3`a!~MVnUR^pFTZCO;raTYFW@Qi#kiK>eu(8&6JdV zA0Pj@Fs9)!t*l!WBqq7jzw_jY6L1~$&5iev4nT|x@gpU@@I`zDf2aqX8apA2dk+EO zyW8LY@Dy3$jgt+%N!S2#AjkeSGt(4)BhN?RlRdOe;vNTF@XgK5{!rKdK}at@e*744 zN{=but?SdU(VKC=oo`5K5XnV6YxLi|F44Wk~aOX2w+ zJ5k@Ay>%)2+<>lA8rqBh-)r5?(KaN6+JzVquOGL+=R& zAZ>`a3ElA0befYfal$7x@&aJofozqq**MKtXx?jm7y}vx3kL!|ZBSB#+_0gcVcU)! z4}ybfaL;uy+?0Yc6Vbwga>UVkX1Th!_z}d`R>kntBpUp#F{h_q<>HK8>+HKpn ze<=53aq;xrcpb{Txw$#g>DD&`OLPuX3Z#YEu^PMycTX3lkDo2C9@YpiZdFxPC280V z9wp2QSZb0NE_{O->qB|D>+|Q^aDfO55oB7UpT)K#5PM4Qu-%9Z)E%f7MmTSvF(zQg z_*{?YTHw?M?JFRTV7?HSm){1Be=Jr5MIS*Z(9zN5&34`ewe*NpJ%2eou_+QaPBXE3Vm+Oy})rD7taKD$<3Pz6nOAeYe|+&6KBU91{;7m#E@sBUOH z<*;C(VcYA+I2J~^dGq%%C$a#vsB7QX*ZWLOS-?MXFFaiH;k>(>8`H^?`FftT6XWBD zI61vrS}r5S0;#}`^AxhsY}>Z(5AxufQK-Ty`Lius&PmrCi@^TZhmEK=?kq1@LXKMj zX(|Gn?)!Udk~Q*!5)+vT4+FGVfu{`=H?l!C;CxpG5rWWCnwr)i7I1KKe#F6C$KBv-L!DoDr)nU&>R{)M!B%94UC33-lC$Shfe_#J}f=lKyjFb$KauHoNa(dEWGj z$fm1v0zYpVQ!uOAWH?iatOPV`ZZ@r-8)9-j2apB=y{MrfQ_M2+F?e?ni$m&9Oj1yN zKns7{!a_7gG0O;-Q$=1L>OF&~;bMeHVvw*;(Fx*tb8Gr>!9X?jWusx6)5Yj4zujV= zK5aPW_37xRlXmqo(g{k;cGSNNOJ)%H%xkR6!O_9@7`1t%-P>HVZ#Jh_gmwlC{OA)%S)fCYdIe)%SHh<82is7dVU#&#nF@ol=VI;gcsS$HWd8e{5;lbSmqL z#M4z&P&=5(?~<9B{&uff`yJqnC7a`Z5)xEn1M;iC$R8>zz*yG~8p+kwgOae2Z;QM% zl=&CB(HHpl$fs#^th#B?0_S;@V{pf(qerWlwf;KOos8GD8En&5(T#-BEW^ZwTPHvs z1nv}EYs50F>vx>>c%Qt*R*9Qhk_~E7e3xL>w!5V3cjm{UF;yfVPB{2(%g9R z)LiaIdh-emtwQX*-%25cK!iMXvo2clZEh~lm2la(qM90rxugJ} zuE2rHmiOxqI5KE~#7VbW((gm!>JZ3Qxa19)m-uiJ%OwScvj8!G{Rf2Xe3g?__GgCt z1xeWBFWzbV#6)+^%*^c3yjZbF@ zp(#lyzZYs?fK^gad6Od(D%(72yrp)Bw`gZcS64WW9_;Iu_XrvRB2L1DtK%R)e-MXO z$(Q`Q*6@;w8yYf`Iy*b_;6{R~YZGn|TtLxj^=OGA>mg1D@LMvUf3o!u2ZsXL;rjK1 zgizXPbRHXyH5&q$`QMK$?WQ0AaF?O5rS!9K+wEVlEUm^U6 zI9812I-!>7Oc)mklO9aIBmmWDsPyllD-~h)YRr0ZfAV z_dcwF!)*Y%96)r@0NNk~%({y=huIA!F!o&hw`h&PvglL5BpfIwJpTxZoWr1wLBnxg zXJTRk8l^278X83V!G5CbnA<*%2gr|xhK7W9yQ<0^NG1bTScjWxp#E>)X2;EL&1GvL_u-*}B=e>LV?S?5EQWwk0%Fs{O0`~{q9o&Cd zn_$k008!@W`@;ia;>KyM`39yv66f;gUejC+-tsf}3xkhTxAaX_BwdhZ_Tn!5V@w}({D z?(XOtNotyu`yK}Zq@)x4437TtYwgYGZsEI zibs7%@&oi^cUrLrmUMA;CVhh&2Lx86O46%0Zy15fA3a*vX*YZlMkQI;x3D^Z!{x~x zKz@?hCLO_{qbEt6EH=OBOa{z_4$ZrI_$d3Z+l7>WY3%- z;VzXxqY8`-i`3P>o*VIt!QAe6OmNAZ!^7!;c(C>-s|Cg&ru%>fSZ!LJb}~f=$O|)StT0R9w6+>FVes9)Psg z)}RL3Wn=SCz7D(qTV(rWa=W1Q@t`Xs8^hOzm28%5pa@o_lJ> zx%M%&g^zzC7GZ|Rz1ACw#NtHhe7z<827-EK+3W1FOKNq$gMc`0<#V{NSC$v&8`B)u zzXzhcQecl(=-HE<&Xu78{t|Syk8sO2bP3J>@F5IxPEO?9&gA-Qa5}&Uw}Xb}nQR;} zC*lWuvXDZ!tzug-gj zVKUoWjL$%9y9v_3Vx-k?`w{V9a76U<^sIdkNbvQo*%1P;BJ#oJ!*wOw=GXdvj?P=J zcNn-dYuu$E1SponPqMSKlX<%DpSJpWS$Jhmi_Z4P_K2BpL_5rW{L|huBd1hQyvZQj zf{!3Bg0H`S2E3h8%4R_ixzA2k}sdda}GoU8_us5Ezc}Qr9=FW8jTl^0^8e#qhh4) zuu{8xc_7W=?1Kp03gR->v z+xO9?lG@FOT8lDjge!iO`AEvj_I=u`>C1D#MYbOn$(-R!+$N1+AE4Ul0P|H#&B$1S z;$cB1;5`UAD+zI~MfH}y({bl$B#u4OXG5xc`}VDc#lCZyE{@9!%c_~jS8}uN?l92S zepHyowo*_q(vi7JN4}N#F?#Da(Z??Nn*@CHfx%_hYF)5lxIr@dU0_bs`PKIh_^LT* z$%Ju}HHvE)7iLH9XqIAx@3~Fm5r&pK3~tzoQp z?b=?>!aO&w$n5Ds*ID~=wQ|8au)2uP-~W&FWrKmwh2JHH)!z@p=WnEBaz|HaO8p@3 z4jSp3bw^#LrGk`8TFbZK+Ac9(eE<2vgvRQ(dNhqn{=n6#OVi^#X0xG5rKyVf(ly1( zmjnAeic7l3hTBTEuX2daxdyWgoG3Ul^w!np>ecA_ziMpR#$M|mdbiN`_m_4He;I9l z@=RI^geK?P5Wg7Z3^u1f4~^2IDICc}u&%Qy2rAIvkIgwau7q}lSYeb8^A9tN?lni( zZZ$pSxMYLn^OAgE|9+RKD6Ra^cy!4HtbQH@Ap89JGvhEZ$^o5TOt1e@EJB`_BVoXX ze1g)6Yj4vv0#U0ImiE*7@(&k=${UsqPE+q;)426ZoQZ?O3kmdLxigs+v9qM3BNUav zO(P>|3rLRb{7)9Rb)uG!`6q&O2A7AWg;4yteORtG^TmA`h0K}oI8L1Rd%*%zw=}L ztH1;ZG>T+2L_~FU8S$$Jey0J@uAczSK=K_1E)`iGl*4Bd%s^9`W)1zyuZ@^+fPS}D zYo-DG)`X1@!j6s(+MPaD^fwqqlTcmJAmdZg@{3}E2YUC1}Zetx-4O)Cao_z!{Bt;vU%V?R)l=z;+NIV9ok3 z@W11sri=x*<*+;4n#_J%_U_$_Q6?C;wfP^Y+A||Lg%~>m_&L2%3SA|b1HTUsO9L@M zqK6Y7U!Lt+``pK;DEUeTus=>@Cmo&1ulvupjg&Ps_@cFg+lww23E=HH>M?em@?8+D z!JG{v$stiOvB8}mF%CoP)-AWVxMT8dV2Js}Zr(g>nm4`y$AkvfO25;}MlG!#%B#YM z)Ci*b|HXo%3JP8V*PtKp4W3k(#0S~@x*)Ga>uhpqvSu>PY57@Z7QiIH=SUe8X5`d}&$!Hp9QY$)W==Ha;2 z!cJUEd?YFpKrAo;XHdj}5 zi$QR(p1Qf^#x`*1T6jWGCY5^7_F%XfF$k%*7bdMZbX^F79C%K=LU?(q9vGezdR|1l zgyiIP-+%GRF*h*M zKeV0fdj;P=>J;<^iU7Y+!DmgAg(8Rlo29@e=)6{DvI}3`DB57snO6o6JFx^Xe{Cxb zx7%(O6?n1Tz*%B~i*|Rh3xq~sKR%!!0NnjT<-l+LV-qMIU`dpQfiO{H49jGH%_IWc zP@2u=@rdUPueXCOJpwq0LZQ3A|0%Bh#E-H(6a&zgu!CP=tmtx-{0N={P@mwHFy&|E zbxF$PQ}8F4EkRtuQ#FEjn)ms5d&AMz-DX;N^zh+75bE%#4Ih0B>Y22Fe0Bamf&82+ z(t_K7x^1Q#Rj1oVpb6+68>_*|DkLc7ElpH_yM}VP3~duWhlSH{Kphaa4?zFS{AUXX z!OeTni&SH{570P?@Oney25ufy&OSjKcA)kjK#a6`ndkP2dw>4Vss%@*YSe*HYf1nW zoBrxRAH^>&F7E5=`#I{WXcPvn zlp`FywV&s7jl4bHEryI^cKh~wl)Ip9R8j22=m~mcxr*{!0}5>h za9&6Rmz0#&y$4{F*4Jmkvk#FsdI6q$(gf1-XQkEsYIL zwU_bnn|OG5;Hf;1`btzrhGPHz{h%iQVAuY<4YW1%NLncK^Hvsy(FyPdb%Ao;W;i7~ z0NEU}F3kTz2dyen>=|jULUZNg`}=DJ%oQH92QYI@yVeyt74F&XA#A%vbBtqypY8Cn z)3!IitXsaeQY)qY(%nw)xWtiGSoiBhXTDq7DX{%fnVG&oEZlsWNJ!9znO{+8_ljg9 zPA26l&oXU-{G#AzSJy4cYQMTk@j|(mct)G?lw;xmu3p2pz=U({a=2*&=oma4!~=-M zaa~WZS^pilO4LDCrDMpD7_Agm!VEH)Q9>%$oEW^gqIWnYC7Fqtm7CY)1nY5=+F+9v znhv`SS;tSxkcyqCp!%y3*HAFLd9yC@p(o@VuaO-wni3TujBgK0>Fy?Tz1&jUM=gEu z<;=Kc_jQtM4^_*~ruM!(fsi__39P@T{f% z>d&bXRgQV>+0!?B*n|7Vty_-*Ta%-Te%AmNYN4WP+&xuHv@i1_AJDVKObiTsr=@iz zUPV?iC>0F~4ph)ksI9&68{|uca{pCM7)$(3Q}8dPM(c9NSG1Ckyn4mJs2=$?I{J!E za!T^A+tx*~#40ZdUrQ`etOp2f`Zp*_w(rqb6ARxe7 zNEmq`5u^CMyZa*oGvXu_2`-Cbj4g2&ClJ}^vNFu@OH~Kg%Yl(9FId&fQN&MMuE`rO zp~36KoCr*>As{}cpTPw^)IUBmql>T#-k-+4HhwNQ2}JUSvGLW69x zIFdcqLWMCbACYhacueWS(Xm}*gTc+YPg*8FGP7ZPXBYJ~-LH4YSmxKS-{8-}l$UVg z?wG^F@=S&TR8Kk(R&0qt5|KqS(;aXshRHQDIxda{BTuB1lzbIcRAM0n(m;#x5y*$v z00Ey+!=gd0g6r=K;)fYunShtfQP&YKfp1kn^LDom1OQUHy0PYibw_m&tIJh29f%Ky zUW%zkXg0*#%d7Tas<6WX6M4SIX-H-fWRb5~PswrDNG8BVc_I#j)aZqHKna|20xhIee6F9Ws$?)=#{&Ylh^1joa$PBu0K&vi(QTIpo$d=_ zMFqrk!Ur;U0cr7tB|j{ys58qOh*SCb-NqR4XF-KYb_|92uJeU zOCss%>F+`4($LT}7+P*5Z$Z2ZIxP8vcIw};w}h%OFE0dw^5rg!qoY1aziXE$`d%1k zbORHKi7U1+Mlis=PSZ)69LBAgxh1DSreSeiF>OU(lHP7*B0kz*(=iaubZU3;^S}?7 z${M@!;b(TqB5)0zo?d_M8$Bpo$Ycr{ZVZPaSa!l&Ap+%!dIferv9t8^^&QZ{2#wwv zrwM3bn|^VF?s+9m?nfiNYO0G@3~kt%T^h|V4feON%5 z*V<(}Ix$I(7}5C`v5Xcb25H?x;&ubv;KTsghmJlNCJLdC4Ai*rdNdqMt=he9+ZptD zh+Y8Zg_S`2fR0I%^yyE_F)_;r4<5XS%kkXX`;P|Uvj|KPXP0HB*P?(2-`IN){q4~^ zXtyx3vu^{qgTuiCSvf2$49&V{#JISS5CSz5X9_wOiV0_WIPE+vm+_z<1@~}N`o%!a z794UexY+s(JvnfFRhr}lRXmlW)XgaC0hQrTqL)Zf=>a~*(Af8wsk!E@&G=#P%%9NI z!7MQ!g2EsXpdAzVzF_@kM`oDFQ;E$ z11$}4WJoVQVPPinTO%E^GU;KvB;-8sgt>ySf?uJF$>7I)s?795bce!hx;GO77AtjK zWUD6%F|is7koGi3euPFBGR=|*PSboc)yF+6lmb_;J}lqed7`_>Q>1TN^<&%V0)E%X z=ODq+AN{C^g9GBpEHjH$tkrFD@uFLsh|5$k`+dNmpB`?8Gr8%&sJ}tbBW@4bRUma* z0;)+AL4bM$gV`xV%&dWMM|8CMx8h^N-)Yi+(Qe9y0*;mCTCZv%TF?EbG7q(x4Zbti z3ADE`N+tOFGoKiM*)_Of#@79||Nl<}ZWoJM${sO=)-0Jrqdco2>ok-e+{DB_0Hb=i zQ9*ZZrlN|2{r|j{xs{bTAt*%|@D>}2KP}OA2AD8IQ3sXCzKH)O?vp~52j=7ldXA7X z?qR*w@{(i!xwv{ui%lO%v|p(@ZTo2<7HjDn!F|`KCERQn#dYsrad-$^BwpJI2K2x2 z8H899VUmOi!-p|d7(JYHi$O&wE)&xJ{05cib@bz*A=!c9_Rvy-*TbyrOCp|s*Bs>6 zo)Sj%MF+Gl+f*~menJvm7t$Q~F1Xg1sNFY!{zXAff-12XbLWt`p~-s-ts|!7fu`OD zI1Hy?F&bhJ%Mmo#0ym0R1-7#e7^91JEyiCyg3=N77`{9C+PevlSK$KIvSfkfh2}y= z9-i5-rA6nN+B!#4Iz}oZZrAFc7DO8nHmHVSdT7sPXcs?#Ln5Lm)Q7}qeq-|bz2`R7 z+9xEa`o7?I?7sT2f*-pz^7U8=-+sDTbkV6L=gK}&G zw;M;{wA4di4#vX$Q zsgW7D;~mj7!$?bq1EASmF%=fIj2{NRt(ON!=Z8t>3eb68A`TIKS+)I~+Rm@h6cX2( z#ZOnJ;zW)kJeI>ClSJ+)e)uwG`8r08yTUQJgO)Z08Hoki>ZNyBSZ9P&djdVy5i`D~ z97L&~E7V;}n+a`~k)(&xF*MxF$GbgULtOIQ|0z!=Dft~@6ilR7xOS})tPEUBM}&nn zM7YhsoFgrP?5ie{8=j0cE$E7X0z{dR0R<5zSylpy^WL2~K_#-pj()(xj3%brqifly ze+yh92n)hk(mgmR3F?{zv&s)t9lhCw%O}xBJ%Vwe_lOQPF!E688-gW!O79p@^ptAy zAf~=%o6-Ys6AB-!Sn!O5QWcyIp#i{<#b5m*C}CdG4;Y-b~5pi7NuZ zpS;wqV&e6mnP;0&?il%6(7+a5=k9tSM<7PFYv4)2@pC*3ar}>Yk5lgO>i!Y@Q1Qa6 zkk_MM)dlW4P0lZW4@i5(Gom-5UOhZ-Q`wU=95j5#LAT^U+89@JWemC^2AD#-Wz!~k z6O&ZTx5&>%IPuL{1{LJ%?H!5PpoUOPQ*#;mTC1bJuwFDueJ9?mZms^fFZ23`KcJwI z?s8mA(X9?i05oG35V(pmCLfq6^;nqAIdneHVEbT3?Rt_iQNtCOm% z?-~ExYhLy}eq8hUx!oBK^q~2eczNHR(^8#rAd%u}oIhs}%3mp2*(TgFZMRy8U$N<= zBCZnlC9+_RyI51qLSI_y@5JRRC=mLKhBKfGhKbKo2E^1|G0n5SK&C4~kKp zoQ5vOxF!88l-GuxdGFM+O;WHTFQc|J>?+8|z9|W)FYbD(FdjQ*gboyNW<3hvsaB)3 z1h`g?_U+oaGYWiMRp2QJ3?`P6k!iHJ6JyL*ev0jn0|n&z9Onvmejc3gR)?nCn)HyiCw(1tf&&FXyTJ_|u3h006IS zVUf9k@<4ogx~qEVCd>0WT^qr>H{qf;Br3B29AAXwJo&ZMyhHOu=SBeNMz{v1p>=8+ z(Aq$18JCv)s;8EzuaV&1oZ1y%TuqzuCXl!HsC&VkN7M~zrdjGGWf$`~@4gAMzkMyM zdhE288+w4zhzMna7B4Pa&;7a~CN9o=@L+^ukDjh>Vto7sEZ6vk8NG_npP$zcDgkZV zzd*B>iHApZ@3q_aYbFq_m<}I~RGdV!#vkt(NL$jk#}s4mF6cn%ff&uCC5teT|4}@Z4L&Fj^9c zI`l!A!_#p4wr^<>?={IEwD3X;U%zv*YI&pl(1Z3o!I32nvCti<@goU% zDa5+E?atwc4VFq<0rgqq1oFvlSuc5&Wrv*BE6?3{y{S0avb@IT9h~w0jp&u zITe-1Z#Mr)p^U3AJ=!F*vSPtTBAqc#8h5^yWfD3=&l~@NXRFd>{mYNvjBDFwnve9W z;pYnsj4G2`*N{lRj0^=2TmM{8c({R5-lxQ!B~NDgw*SJ+g@y;7!ily2MfRaBZ#?O%}bfO7wYFHm~-R1>`tK-i4T^2^>mkD719#RVR zaqU_v!3eaUiH8G8(hdXTb=;0ycR=IV03qC+P7(R-aa|krIw3AjM1^#Rng=0lBc7JX zD}Rs-cW$?Rf$vJ{ebZ^vLxGw2ie2`T?w}O1Aa`>BSH}z?t+hHxO~0S?@y_*5U6UY= z!o$T$do@thy* z1a^YT$k=`0z=@|tFHu=qji7%J=!5ebuw0Vo{wYlvsi z&@eGIca&cU?M(FVoN-jDL!~v@9ah0m)BUi@<$|aSJ0N_adD)w?*02aY@HDho&_b1j ze6l&5yrd^t2Z<8mm6ZVkklLGDfta0~gqWR#=N(ZT)K)#B=V^FMI&K$HEUYY!8O>u! zCsJ>}@+3nmWjh`l%WM zl&Ha8M&wu`d;`(Ay16OAagP6{K({tb99ctB%AzK_gy*pG^Q*D?OJgig16T949`yo% za(6l*HH5J*DATjBufa)Z-Qc71bi|$+>yc{_%D{Vf8uwKOUg~pX&7V?Kw;PP1<};6O zH_0Xf{i8>ZIB}qa6uMKSw4`JR?a?M|hs7WX-DjsI{y>WJDKZ;!Qj{fk)ei$W8|s&k z?gf4H`kaBClJMOZK%ms&iet8C0yfe)4-Jhx_KQHiNd!3+x?@?1*I~V_;ywfBV}#Vs|Bcu^hVlt}ZUMP(mw#TO|Mz zHi7_x(K{)!gLFpu$YJSmR8lOgtg?7b#m43>o#WgMY|^0#kS`@C*Su3s@Fkc@b@Q^L zIekG!4cJ(WNK%l4%L9n-rlCoC#+q}1P-jZJEtiU{C?Ka^g2y&QHV)Z47M196M#k87 z%esW9mr##%wt=}ZT1fcd6ae)hM1zUooXbCd{88V0*u(x@8{kcdCKyr9yi6H?j0lA$+T zwy{)s80yPFFHD&ieAh9$V;In5HzuP_dWA9U*RuGR)L8lI&n;UlU<^G-gj<{wi zX=j&%b2=ye?jE6l+`WDK_sLprQiKVwzj$lzm|iHaS!7?0%T~nS*itQ8udowxF{u`J zScm*im7@Ig&1nZAjr{gK&11xZzamf5cKBXSbn@(di=n5V){y#-#T8vaW?~eUWob%Q z4j=9KvE|RCFWiAwt}IMV)-*B-rv~Y5L<-RCxxKEzUUUWlKB+0C{%OSv)j7468!ulP z?xc_F#Ju*&pU4gJ+y7fRO#ZsD976ZEJd0}0WIo5kDa?HeC)Jix4MM}{k#9^J`6RS2 zT)3@V8Kt&v-5d)Od;FU?y#ID5k;SZ=bjU-l{~ym{lK0jGUIiIS3?i#DSl%z!uN@m0u@$*==6 zp{PRaYDCsL8p_ZAHAZ?b5T~8z!Bn*@DYRQA#jlEad^U!P461;p+_8crU>M{PF(Po` zicj}2RbexZL@)wMWtZy`zFol?qsWLtiPEOm;d}hj6omKcMEu8=VAm3wyD#D*5H*<~ zohOPm9k*Hl_G#4CGU4_UE{&Jrv}i`9Q*9vJ*jqV!7RVI}>@*~3LJOWHc#3pJ{jBJV zL+tGGh)+4)t}GTs6g)Pb`|{DG1Ya?|@=#4){-7k0Mft5qlR;-8bW5V;kWu16n*;@p zKBQy|=;tKjgoc`~noiT@2c0(XW-u7*%pYpYP9vN+=$H*ACZ&2asGEJ--TF%FX-yu% z^z7TmguDu=N{3aOu^k$ZMKDAB zx56e$ao8Ec5F%;A*31M319Tp8h7yx@(b1(M70?RVDS2l?2u9>aqQW@hDHw@-VN>cI zjV6XvTERjhdTgUYb~)&@Q5@ivCl>L~*A+xTD_I9O6~;g?j7=abyx{A?P9=u$XA-9s zD;GXW5dpbAvX^lV7Jy~N$?UnjJ-ry!ExZsPX4|*l5>tS%=V4$?LFe5upyz!RsdbdB17yof;uG>+0%L zvZZTy4H)xyKN$v>SB{}^;qRply6~culg-Nf3EK&<9~_D6}XGiI0I<2i15fnmQGkrd^%; zv?|d)ajWR%M4yifv5kziK`g+&(bJJI}>5iXnn2oY*sKEoBJfd zEU^XKE@D5(ytp+4k&Iaas;FqJMRKjjnh@xxFf}4cAxa#MX!p^aVOBW!^&!C}&H-yW z7HbIbOdK?=t;;*8l&|6ZhB|VykupXL$&UHhz|%V#O+vV#m{1h4`d9R4F^y&UMgz4a zpxI>3Ywz?vLL=X>q>;i~V z(!k{nf~9T%%qBw4m=VDc5ZnZUEB&WLgfZ;E`325_e}F=VbuvvT#CV`Qe1# zXb)<-iOpZ?i2)Wm+S>7Ob4Xph*nr|U6Ndq0o7P^c(rI)hj84c-A0%X_r=^?#?F&EJ z>{M!gi+F6LLty1WO`0b+Fd}!lL zL(Vdce55QZ>wy6~NmxmeND}n~k%*-+g!SoXF=YQ9LVY1L&~so;&0jM#HkO9?wqGj~ zBPn1mjfY2fsH?D$np|$GgIxsY4oqX;jAmt3^%%e#BH5#~LUEVYkZEvtrzV&s(le=ek_KEOfs{ln^u}yMb1suDl?dNWHU`qp6 zXJ>hQw8NV&l-fikf$vxwif}jqTRgWWXXtCFrZj4&=S!wpwV)J$Tx>b2;e|xZI!JW?Zl^#4-u33}&_L3%6bRPUXaohZ=3NFM5dN6$q@xkhKY-$@EP<+|N%3 zt8PfWD^*>97z^z4{P}fI2UUw>g=6a03p03p=YFDlQ3ZGFN9=Dh=76r=ppeLID7Z>` z%>(frN6Ib+nh#m>Ii&Uk0)1#R5Pkf+{-L&oh*bEp)_q7sh%15omWeeJ_5DtiG~AVd zICE~x7?=@^N5R*Ig4kaT?|~(3mT%)&WpiY5b6votepW}!kvK{=4;eq;d4R9(ZHLK` zGW;~NxMFN4-%qZ`$do(FK}YBLO-Gl=EmR?8fvUzKQ4xJ>d)D)>?d1D zRh>sHn9e(gh3Guzi|ALrsq;X8JN7PAWO>TR<=L~zm1V*llGkG{%Rp+NP&Si|)|4t2 zu8$O(lv+Q~I!)u(@-C{8duLo;bgi`qEHTq5Zz^~L6I69;ntZ4{lA7j~MG4-tzP{Hg z*WoXcwRy2>pdLRW*c8b)$D92?(nsH%tO{%kJ&B=`Xnq;O@|Z9T`=lQlY*18Tn$s}Y zczIks=80cOP_ewwGQw8OEI*{l+RKAcZVHtl#U)yKx+!itu~s_U&JM zW9OOYLtad)sXXEk#}jkXvdz^a7|JsUM|OC&^^DupxK|;JGTg2#tG2tF|4LQ z0)8WZKVsrdZ7LS+b=}h5JO^v?!ct)roZa9~o&FsWJnZJgRN)io7b7P^ zzGmFrlW1#&0(p*$QsN94<1v$tOv4U-hqt$EAE!O0#qo2Gn+7DOJ8z}jl00%8{|ND~o`1$wDi^K% zNib3DSr=DI{p4DFX9|Csr)Zdi-)_7|$^DM-j{UX29%vTs#6PQ9`lr1v5I?8-{dvyB zKQ133XxD%JMgJ2o_=U7zTm2fV5Xxh#WU>II1ZnjzcmI*#7XL@O`9FGr1@US1wV&Ho zS#fSe)!!d(@~(H!@4tb!Ts`iV-zS8%c5n6Kg@P)3`1@~n$MXGG|3+JI85irG)S>_S zxvOBrwhM8=TFm%Eejf|(fi=JX@|&vvFP+K1BKQAS{D!wru=MIB_Nf2PuzI?s-!~mx z{fp;6F0TKHd;Zrt{h#=#zb~Je-=DU5Gv%A_D`<>t4VM%>tF+oHxc>j_36${$O0Hfx zy46+7GF_zpzrpS1tG2x7ATpNbYKyh_jps**hv=I*_4>phFn1)w3(BY4`Dk78oQYdI z=UL3R`ndeBSZDv|J60QJt1INM-rfJXB>#I|lD_y69MHW)GgY$cRMiuqEFpI_%lWKV zLHR$|gzIdkC~2s>HRK^PSf6Nr5jo}Fq+7zs=7t@G=1uC3#%`%U+Y?Lr6jg6^reD3< ztXf0XI*aIVJM1`H?8+teukZXuZGYyphKaiea~X(bi81v5R}$N5I$*k_-LtS|>q5<< z*!#%Hn=!Oi$xRM6oaTPPp_(a+@v_94V!H8pU{o!`)ceI)NCd^xIQ?GFosF?YWA>vN zw@T|3-0Y0N$(FeQ?ijhrcPX8d*W86tHGLc_ zqc+bL#(8YlnqE|q8<>67Gu`xzMW>Ry{OImkM=wWu0Sz9_Q)PN>aw6@Kk2YxeP81yq z@0~qb)lgn&JhL*J)7y3YUC}A2TPyK7q9Vy&Yh#VNJf9wwtns`Wfw$Y6M0soaF?8Ji zTE8&kbSZK8OR_}b@AN#)%N}lBdM8e= zd1cGQv(x6^w(8uS$h7ZYXDk&StLopLR`bF>$tk(>dwy3=Z`+SeTfck=mmA2Hfy`EB zJmHJI{^#KGGUnw?Jwu*vhH9(}lQxFY#k-ekH03O_4FqZI9e!u_r;^g;@ z95vdVY%2GPG{qi&S}4^Mm|FZn*}2HKcCCeuKku@`3fazo_ukzsY;o`JR@AU0*Oscj z=%u$$S;{*n6C!lY%Y9hdTTNp}%4~s+X!A@#@!dkI&Lze3633VgY$TRPQYeJAuGR9X zP;}e~TKcjvX0+$=#=V2%2|Njl(<8gS{Zh?OKiI(^>#w`KykMiJ{2UWTqNLkTO+CVuNkA*eR7&AK@)TQ}ToqpesFMjIXr=6PiE>uV-{pcTy zyGm}k!%MQgrh%)>#uLvA7pO+20k$jF(t=8h@@mQ8ZIU zR_wlKWxip9uWh(PE~U}%f>4gh?FZgZ)T4AJxsNXgl;#Sve|f3bbs#lMI@_S^E{($* zp^%{1%pSV%gD0zkj&>PNoTs-j)$_cBjyj1H@u<{f@tI?nd0t=s8xTwLN;4m)&==!_Qu{aad$*SOtfAuFk{u^m0N> z&`N`1e!gyqx5-Gf>M_>(i0$e>=)cAJi3qbuZrNhS%>Mc18&%Edu@&p^&cHWnp0fLs zlkS$V9A>`e>1orZ*WMvOIq>-Dp2m{%%&OEUx{hy~9$q zIG6LL#*XH~!;<{zV~>ObrejvR@?C_rEC=r-JQ02#|MY2?G?4PoXBH4t$ z#;)*aj@%*FFFucM^5?0y z%BBuvjkPOIA34W$cjB1cxZJa;?(jW>UpXdyLj&V#$wKnpQ`y-oFCQ!&mI-z8tn;+Z z)LAwOA76W51?OsK+UsC{&1XkWae_k6?dADVYm2GtPZ$hpJRVZFkJ~!D>J~^@u}OOH zAjEDo#std)AfH+Ez21B zJ0?YbyxFV!f9?5eef{;9-tLVL3ryUovU0_Sh*nnDd$(UcofHxg@$1vA1E3zzgXGWC zcY~5hRnjlrU!Tt?PFiwi3-AVy-!ZmUsS}JY7nxLFQn$N(B>q~+|NNA4)>ezD(}NcP zm&=9i_s?73T6}G~#Q#_C)^7dxp!?o`Kl^8a@25Rp{oOItpHiKEMmJgJ+ZvA^P0J+xi+V%fylQqT78nr+_u9!u%Y`^~S)x8qFuPGbXy^XK=* zZZDblCidFa_-Nm%=Vg08-r=$}dZX*Pd|%J!`|J5W)-^u+nm+yY*YyAIWiIvYjmrMD zs9M!i`S&E1Tf_NH!1B7}`QqA=^U2pkD`b*;fH79$xa9Tq_c5L~=h^)H{abTKT*B73 z$=8;M&a!`CC^*H5Mb>*LQ{z_#{*%0<=xy;WxdE7P@BUuAym`h3xDtHI>Y z^5JWMT~&wHx%-lMiLYH@E2*%w#(q}YL~gYOHJtyrRoFyw@o`S8uR7)_3%ti`+jCF{ z(dr%W@P9A=^T2_Yho7t~UQ7U<8rA_EvMBkKl9qcOv{x%{kYz36zr&MMc6zf`fxY6&DjyfP;G)0lvy#!h@fLqWdYr!M%qQ z7y6{+n!LB*;)*eG^ZWQP*3$hDRqTr|uEfix%MVmk+BCT@_2Y<;kepvwDAC1HQ)!mG zc=1BMG5wdg>1gno02e87Q`|u8_1&9_^6Vd^0&+`3r)zH03Czrg2{T4Zybgmn%ElWn zNST?DE7IkZltNw$z9ja24P84p_^zJyfnk^^W$=}if&$f>H&#cdr)CG!zK>V5JJE1+ z$BpGgZ4DDYt!ijUBKh&}_f{frZ#``Y2qRy1uZRU;C;U0FdGloIc$;< zT-q$XHDigV=%&qLsKLl+9iLwwmz2lol|0ATh}CCGOyW*1kdViq>do)&qsq?w`7~;~ zL`w$@cg3ERjI7*tSr7&OSxih!duL~4aWyHgfK8jOzQ?XOyoo2Z>5TCBm0RD~)8DEke!JW8 z@MO47h1&COfg>t;0FPPaOu)^TaWl)za@ z9cXfJSEBqBQBFJGWMY(Ho_{5+@Y<7no%F`yZ4`(pyC#c~^cNK-L!BcdBjtN5?|SOr ziXk8%JVsYvENznG9vQpNx-n*j!`NXFH9|GH-N}*KH;rq}a?)e<2HWB<;o1)owJ`{` z_GO!2IWx97DI$NqTa1@B9?V)VWj(-t2wnJn+ts{s4V6tlJbIsm2S$rV<&g103jkV}4X;S9G$jgrjc7<;0?dm1ZaycMb?U!Y8q)}Lv$`F@@! z+1A;vw()sm1cvah%GzY2*u$)@-)ty^=uREs5njzdFoSD;I8z08>EI0g9!WVyzW71ieY8Mae`z79n)#p{zAbTrXuCP{;^DVxZZm5M1rmZY3Dd)I2{uFa z$FWqx(1sjlI4Vqz29BRq4b6P~Ais-cmzS6OQ+em8)C$E(l&O?c5DmTV$gD;(Nk$D> zqFncQ8rVryX_qQEzotI>cy#7edF(9P@XQaw^zl%_2Asl z7=dcLp5?yMyeK-~`wRtlD$qZzDj&&G#(*SXJ2`JYzu{SWwn0r0vZ3tH=ux@w8JW z=Tnx#8yw6(uqD1AiLCrfi1Wbp=&YHoAI%{iW@CQ_E5=5(iN>%S@LF4{k8X z@a|WRRryuIz*64`Ky_Er3uIcc;ZsCusSlFDRMQn%Twgt%m-ij_7K3Wiv^x$4a%z_c zY37@>%+IL{NAa$mWSOY>XFDf}!k8V@Sr!m~>u%b~J&Y zK}kP>K06!7SaYd6JUv)xO=L<5W#jaBV}|G+>UNE*edH|V4Mf{`=x$>6M}KH(OP20= z@i!%>W&QDMF`=!_rPKCpSn7HmjBoXOg9p=f*{^o5inJFFQ>yy$Ot)!pjhE-od@IlN z7DF&yT{%x3_k<)zU;Ids@21BKuekRA82h~C^2mAK(Z$9c%?vEqv!L|HPpfMUZm%Zz z!VVw2)W3+Mp&5?)_#j%Z5BNE}Xyo<4oLddk*tu9BZ`k6`ePY6H3~{s+4fG6xZPDutBv!6ECKli=}hRO<2*> ze~Ntgo@Bl&dv^(gEGnT%Lxyp4Q5KttFNj>b?hQRZdjV6-x^m%-EBAx@GL(n$P~_&7 z#gK+9)MrF@r5XmayZwy=p__RnU}~Xr;OhGNbC*l&+>$%LvirxbSD9rOeZ03v>)LSj z=QaaJNexW8hU8BLc}vWZYd{oH7ZeMXcgD!P|Ai?2SgNE4jAd`lW?hi86dkDnehqtw zar3$JhCSnsG@T+H&tLD7Gx`A5CN=G*Zlc-QMk042Q7xk~H*%e*z2a=Z3DVaBGmOhR z)GX-!u8|!A&zuu(WDCMT91S&7xEAW869$!nH^13!;xiyMiE=Q-+?L&pk4@&XPbIZ! zFLS;o+_*m_YDWnvMfqN*)I_&#-@uWbGN|8rx-^0NTOPeHSIq)WK>Q&K;IhgKR*4{(e)Ckvh)OWIb}9=k&lTq@}{8 zDKJywMe~z`%7fS4J)cdkTLL9(AGY715G-LX3AiMo;|R-(@kR7-J3urdyKoEm7khTX zT~4}@SK~RXer91db|x{asNECr{zSFCo_er1WieN;LCahUxY%2;PaJQj;qlZgdb=}U zsDII(mJV`fVEg`&z#DG>!=F0YK=Sp zDG>}QSBB6>uxYwsou#Y-Qem~l`0t|G7c6;v09)_t>9_+6^I1-I50nPUHW}PH<(__S zva=l>DblgPW_!R1#~Elojp16+f}NAYil;l>t_smw#fzlE zFg;ND8rc)*9|&aSBmvH_LO&q|;yiAtHnG+wt1d0tOc0+%vCag~pY=wai#^qI zRS701*Y@%}WEp|e^x2~>t_Y5=)I;FWVby6HO?69U_C0LszOc9BqjTnSlLSu_IEwgF z4F1?UJN@10@tUqapm^{+@Hj~0jbudk_`7ou&_-l^XTDzeCqC-tVt~Jq!d!}xgma+!4pUh9^lH~L-4*I)q>P4tX zXo^g*OwM|%Nf(2=KAPw40tJ21+TTILcSEoUFAZ6Tjbi*+C&cyb>A-ngQQ5`hx}bwQ z4d(T{2v=9`)$LUYalIEy(6ZotyRL-mn}Lv)4EEyGu=oKaN^)j39w==emQ9vbj&8d9 z_lbnp`ASskRp*-qn~+dSES_FD2L9quZ0$~E>SX(ybmcaN(2^d3d51&aofi&MGx9IJ<}3JG z_U#*;SF%JZ?x+@Borm7*;1;tkW_s6*#!QKvPHXrcY-#$VZO;%@Aw8r+#K z!mwv6kp(j*Yz=iJ&d=xV6H%84))t4CIXHGX+^$g4Xs;5so>;lAOe6(_AbrY^SJX~7 zS=hO2Jcd%M!6vk``|;JNN8SOtNXH(JT}8)l;hZ<-ssFOrr90i62$lXarb-c)OoB2UD;&KeX}{rcuHnbhV$(R zNEZeDWCd*VIpEh)ZsyOQbvbq}%;BiWiq>CRwV|I{8+TtxqUAE+3`EB%T_W4sIh301 z5N5QtFZ1^7sY1U6qM`h}9CnW73sC1q9r2oD+HU;{5`8f6vq|BGt>qGJvKds`; zn-R|VzmUb}RcD=DO9XKAI#}P--Bw+~^%P$dLHH$5JLdS!AVx`S6|IFqSp&CuwG8X<#2Q-5dxIj9tCiw}68 z#NyFj$#6B^&TnxSKKp3BEh6I1*WtH5yy*_ZgQ zZy-9}aLyO%nhOL)v6vfi_JCx6NdLAy|FLlLJ-nzW0iAWIDXF|(g3XXF!;E7=ZF*%8 zI>OLBgq_^JB8W3B*5tZxkfyTo2WeWrkd9fYf2Ow zpzNk4=FjmpKo~`|T=pB(?gIn};zZR=-LcS@P^qYvEZf&%8TqKni%n3aSI36W_@$lH zYAPg=`e=)YiI@45qIVuwQ0;JeJ;dfGcLS8K1Jy<6ci#}IPpg2L{EJVtO}3Zz=1La2 zM#7kwM#@(&>e=0uthDwVar@3FLET_f!olMWtZ3COt%MACI12k11ta$|;v{ZvQyE7k ztbE(y@On0nmmJ$|S=`)oxAU>DN32BVOk{C3G<1oeT*}mXmyzGiPA2h1{<3GJ|+}CnZY@9KyCQ0CXV(s+G z+0NPNch^wpSQit>G)o3~>*C$Rzl9&&1@I<4HwG7JbGCUic?XMM-PTiQ)g$+ye?B_P zgI@Rqb8^nD?jCmLecl}2MU9Tzrlc+=xfUV|U%36`GxrWF7D$)w=*>syxSfLJIc6WE;ikXmKy}po~ zPX!Y{s|xNlui@(*9tz*YzPW&AD&!rZod^|0yqSH})}y=U*r6hQyY(V^Q>^B5hD>Uy z_6~KH_nl)Z*c_G2Go#;}C_PqX8E+;{zp1;fqHoE_7{76w>4=v`!nJDCk&&UhxO!e| z$3_~r^2Z)SxUNv64L3Bgdyp6fhe-GqO;i=sHZp!T441=M@z7tr?Zs)ba`F&iP<4kn zr`6ykU2p1#E#w+@Pu}My`5t(D&9jpQSu6v+qx%yrzy4C^u)bW)Ai=uM@~2>^vM4enBXS4)$CMsYkI@9LAC zom61g5O5vzFr$Fw;>MN+(yr2U*S{f0(dRI4qw(H4b?}UEHkGJ(x{rQ09DTmm9{?jW zD4nrfY$A4gFA_FSjuCC!CKeD?TtvZ2*ey#v0n#-P2it9c=$H~1F}DX_a8YQ ztoRpPp?bX!Dy&u>(+SBKI-g^y&ZxUOcqUhl(ZEg=GVi~jk6IxApvz;FU_ z@ITF~AZ$(Mpn8cq0x-ech&}1cUUl4GfM*Zi5&H0vH|^WJLV@q1A&a8Cya$}r04Ec! zRQ!Okln67G(|In?dxF;+{4KA6($CfKP`!CM$%71&QegA?URB}}MC9f771iR^TW$;1 zCjT0Pox%uE(5m)w8ij@i(_~An*Prk-Y0=1j&Zo}~kZBb{Gi?Lg@0l^n0l7G}$RXy!=1*%E0qU|_2E_mH1A*9VL~AIw8H5X5*A zTW7}cZ+&=a(|Uj}P<`*{+t#3vz>tNu*jx-~%GPuSDL)h%U&258UFQoz(FbVSMLrl$ zDlMX~@N<^>4(*r3LZ{o~dFZnIcPv~f#jT<^-~IiWT@EzQ+`XdE#Y!0iS#SoDc|2pE z%|&fZwy^G}3+|@q&dd#kYJdJXQ+EFx@X7S0fH0wR6a!%X-PY<8ZH}JQ9v^7?eupWj zYqrj=dsqx?Z*CPD0C^AMB$@smQ+A~c1-Jz-Z1~v+b2g8G3(zArWHXMHB9f7NDsaLku?+9ZTSrRH89`ir3<$*)5*D#GY^+Y*>8o&#Ku5Vg_l zZ%4R6pI}Cb>S+huqVV38+)K22bGwH8?flML#m3xx*xD0I9hb&>G#&XDHL`fFJzSa+ zy2$io^Kbh?gmp2CSC3O{O6*J6bS@};m4QwffyWw5&JO&hs#$oLf z83*sIfTukb-bv<1t6o{F-&IK&NJB?qAnSRKmCch5To?yM7O9z5EO&EVQ#%>SV9|ch=ISyWXdI8azE5xC;YJPVGh? zzUpj+2B$RIAMvh=0swU(|$LYCA$URoRu2?#)auUqu2Y?X1aEifVKOXkJmPP@PrFx z(+ZvJ!vsr9^#qzU@28`P*@enn7sEZz-0{JNp5fz*o8sw+%;SgpWbhsiUdLV$g}nxg zUSLHO?}1k|_hQ1MPiga~(R8R5z|ZAi=$&O98LMn&9^*k6_JONuX%?Q~XU21a$*)uQ z9`ry#7!-HG4V&5=_N`k@J2U5g`O)?RIhR{MQ3YxwS{R{k2i zUXngwdu=VrCq0|{@*4sH2a|2KLtb#NDXWbB?h9iuSRANz<2t_EY`ES!=P2+(1vaUC zjmYYJ{0tiCu-ww-DJYCamzLfn@zH0OF#Jf<_@)oBb#nOAk+HmOfuc-y;t<4$Gr++$ zw|cN1qF$7qUKn(iS-6uY#FK)Ea{gzaEfC}cRqvV8K?6leNM$As6?Oj6h0{ldab(~M zBH2qa;!3%?Hn7~N4aj*V9crr6y>QE-Fn(d8;sNCNG4e^Si(v&Y4PlAKjM^h%y#V8v!sOsy;{ z@>16Jn3D15JkMzLZHTKdimq?|Bk)PvETu~h!|!(Q?Pyd*9!-g0mcsJEwoo72Jw*JI za#loU6b{B(?Cm7(mXv8c5$FT;B7Jsxs0&vA1?E1Ov#y{d_Z?bF-u(3-Hd9C*1L?F^ zOtv?@Q3*}y(hL>#w4-mRYQ#$|6doOL*&dE06|W?ntUs;dqCiYGeQkm^`=s?2M?eoTb!&sEV*P#ROpcb8yX!m51sy zP5qRxS@Sffo54Z?D{oqf>-lUR_yJ9HuzMt8UsLZqGm~5j`Wjl$bJNs#v=BAxLxt(@ zeghMY(QfC9x|bxq%!jnV6j$NY#K+#Lt4t$nLB!8U2e85NrUnYsa1r!VX(2`92 zf38dT??uM{-(F<+3<)VXk^A}MI0AMfNg_}wXecZXUjG|TvE=`I51+O0`aM0Z+HYL3 z4tl!CP44IEqTz(nvo;XOJ0l|_Uw?mg)^=)R(DK@wsqk+&s1N?};|F}-J1nfzWq+cR zc68alfB)Ksey~hj?Fz53S>iirIBd3XmJ*g%t+6J6T^{EA{P~5?>xRLw`?aU1XR#WJ zbd|@Yb+z?^x`msqErZLF7ds*%;uQ?Gy1nhzl zPcete+uJ)REiKJ{tviBj-(x71w|Bp0$=mOPm8zv>;mXdA`8CS;ZPVGPWKcSVgqT>s zNiTH?i@DA-c$CcUPwD?X3m_Luqo#0p<4@==mcZ+Aff)$1&&tlGGUyDEhb!O*|BOyI z27-DF^IbG5W(x6nT;;B>R>PBSXBd(Odcz2~qmPb`)XSt&xRg1e_nuJ~P*!DSWlH|L zv#4_80o<(e^76X2H-fhVS((|?2xtV##cq-$zbl6L`mT;wpD-jyNyRgKeS!RrB~N%a zMnyYsVss?gd4INJdn_k`$BilY9qmd7mQMTPVsl;F&6om)ADDS$Y^;c&;M0hR2skAO zgvo4_B$i%h5YML3ZU#2g)1$XJn4&^8FNuVVY_Q%N<5aBC;?4W@>(?ooSPP&M-(q2P zbw_-ZFW5a4R@By(QB%V?I5^mHo;aTYz z6f=@oE32!t>sU0Z0*;O>*4EY`guIEL{a-yP1zW*)e`O$92NLFSdP-E7VEGy^W-TB! zBPG>Yl5wLYI{f+u29%VPAjP~()zhM*+qXtC9dzIp*Ro8`1X9G#Y2o>B+_cWirmJGJ{DZn@PQ+sev{YPDqo>DTABwzj$h ziL9~D?RUoW3e_q)%kS5Eq8ztJJ5K70FNgA#3tYE;`E$4&;A_=8F8^)yf%Amz*MQM# z6pvI}&C$TFkJ``@7!BaV`R_TvVmR(iM}YBxlN|WBcX!(}732*rhs}lc&9H-p*trF= zs6c>8>NVD(5?T5uYdshk7~^#*GnU4!-(L8B|Gu)Z(bKsoqy3s#wp44Qy^_njD!F^P_35l(3^CTQ284 zF@TQO*Vi=Kjo2zGDt%7#rFzc*zxej;sqtWP4_F!;M*Zi=SafTD{E$&&)4;^NZqA55 ze0U0lLg7(y+W|&Ows_wiou5C3*dwY@1bu7OeNRUhX1!3qe0V5ZW4-VQpy0euL-4kWMe;2U z5z$Z(CiT@xAHCbncFw;I;C7*d%gf6vR4w~PDjEADK3;68+3OL+K=SX+)r12~jC}kc zIl14eX2IBuw|8)mjFuKP_kd_7N0#W%pFd(^V!GR-S?wJi5vi%((mQc+aa}oS-o0nr zW5<`5CM)fMo=2?+vFBhh>{dIU*n-@AN2l2h?g}SYFmZOclvcCo-lw2lGIa_dkiquv zZ}=fJ0e$@sL%f&xH4DyoAelbAfBz*;+Z{3Y-oEL$6Hi=B>@nNdHq)Tlpq5z8RYycc zeFhi{_6to-P0jOi!G-61TrswthmtZ-K0}1jxE~wf`T!VHU}$I)*(Um55Rq5c*CRDH zOYnW*AP>lH12-)-wVsHNqHsH24=DH?KY(wyvbotcnk8ul92IbYXmwJl6N;ozOnQ?Tz~ zmH+J6z%KTyc8+E(N{-VWZv8>**)RWj0cuP@P>^8B)YRn+ypGq6B;LcQ8VAHxGI2nkSObYai@Qf>5oo__*Yj}{@mZe@(K$L!DAY4 zb_yDg{vhLX*nR1c9MIqu#{wNxz%Ya?H=!YeEYZMa~$1a=J9T4y`OQ*$K0^}D4NY0L- zAz84nX<1TgY6*{kXSCWGDxshd`IMrkr>7U#Cz)`)AW@#lK zuAhTtFLvA-{xygVo{0JT1Sj{}W7!X@a0e_VhJaeLXPuEoR8OX_uP=p0jdhXoQmYTb z)Xo$qC@_*~-3JQ|)aYbVrS3~w$mi#QAprq$7Y7Rk$$Vbw2@HDQ$^pIWuwoX-pUtPHxjb@7Xg2clRmXGf5ms$t#uLvpD%mY=O zl3XTPt}_HD;}!r|5Qu^H5xKPPDQyqw$9sVyADNJlx3|!s!s)p6qugOr#%R9QuJ_kx z|7dVX(P*PT;c-uC(w=GbVqs!Z4)MVX%N@5BgiEHV*Vos3HEf!)XjDrDdIkp}8-pnY zo@XPXv3%i}n3%l?M4mqz&nGn`yuF*tO-DYghq5oq_4f8gr>CdG_oZ>W4DL*mMTyT; znnf`=Zpj(#&sO#NA!A|qwEn~n?X`;e9E?cS3AMKN zJ}fK@Vnok6%1%Yq`!BH0Csc}h$14jL+%{8UE#6{dcY~vth1Nw=ViFSiAP6CSbO)yw zfLZFAn1}+th=_{1UR1MKZ(PG-%HpHyaN3;|5)%5UkY{dn`1kMcm5$)+?VPmfN;7nF z*;K>HLbck4h6>db9v6kmG^}=s1I9_c1xi$v>P5=D7Aw@$ z)E{|yQ$TFI24?^P-hx^3+#aw$G`avS=wn~`1YrUzgvO}Ur zRX4sfR%7rF{*DXM8xH) zDeVlPTfpjTdmalH+@avI1b|WohSw#{z96KkiY?%?xv9YAv;*S$Ieqih2fz)ZV`3Nq zhxWc+#}Wy{7nhJg0t)dXJ3Cg!NH@S<^X(jV&nsK7gI$0@g^ZZ4wFjb4Rmx^IG;kNF zlx$pYrfv3+r>y~Tk<9H91|snd0f7}K6hMgnM7}b{yLXWh5qhlp4ZkkK0jB@~`;nhN zEj|4MnM`uGNt&04rzej{Mg%}|KG+`f<4gy33Lyn`mx~^5*XwaJ&0gH#OkQkkXCHlw z<|bNZnL*cMMRW#Ly;WBiNElCWm4H)PyC{)Ybelig>fgTtAPH$d`jxz>n2|CzCNncL z%goM>OiYw;cdwuLopv)GLQ#AzH9-oX4Mdd#P(Si=asq%YTUt}9d z2dYlp`#Ip6;=ArpKwJGkDe1O<^-wOYw`X4{q3a|e#LC5 zR$T^`zHlqzcAd`^BoVTF*O^A&)_^7n|N0E!WRUw1j=}53@#(W?cFxY(23=u|5BD&E zbLjMwCr=*r4hJ_lSG3)8bH1Cv5A`m(^Y{0!fIfHw0vzDu^X%8JUrI_!e-944m3Nip zqU904 z`%b0XyffZT4 zy*_nycYhpW!Ber33%0D*RNvxaDuBnRA3uI)g!A=kxhx2SYS%L`P~<>V9cvQ+ zDX6;D#RnP>EKQ~9$TxsB>efp&<`Y4eOVG5%CXZ7x7A2Y`j2oSYPID~jv@0t#%) zTxK-@s39RJV54`W-tBli#7mJOAt4o7i-LYH6Eia+3QA+Pm%xKq$y8KIinN^E59PG_ zdZ3+kS#Xcf&x@)C4VfYm62t`rezO*YYnPCdljlrQ=z@BhlS2*|dt)PjI38PPXJB80 z`vQpl)76Cl3=RsTwPstZER$%t?9rk0^l3fi>2uk;OhWN1YR2eQA`me zsI5&Xw@{*31ku<@O-&6eDWL~eQS7dkva+zfJrmH|jyvOsE-shueR!drTn0t?`5!=0 z27C|HpTL%u2TU_@Ou^fx%~VQu1Pqg_n;RyR!Q=w( zsZZc&<)C?Fw=t0_@WQ2m2h$3)iYx$cmqoXnEadONc`YcoJ{SU44<>kh#N-t|$MC!! zct2(-tnz>55ch0Z68lOwi+SeMeSSTVTcJW!@2ZnTPJl>UZ1d>kT9(tfDLeSTPmDl{ zdGwcm28tV+o8QC)t=224s-DG_WW266-^Q7oCk`;q%pdK22o}5*W;xIEl$QK3HpsI5 z7YhHvPk4af+v}+qM=$foJIVj3r_Gyz-aWwluDDGnNk-f5O72`4t3-Te49yQ1d~1tQ zCc|tFUJEfJxok?pM2p@7253b#X@qbGDF}Wd^2$p0XaEa#m80y_^kL>e}6xj)#3Isnb-fkk+lE6dn3u>1cM*SW@eTLDhc4u ziQLf^>5Yx}RqE0O5IxjbYFgS>OSX)Od)~#jz<&n06dY{fv%c2&I4&ochbOakW@TkG zFbmQl4_>%>;RM|7Jxt2V@I1V{z|Wg{pT7Iq+xwohuiNc$syi2#J(=E$W1}Z7`YgEg zYMqvB4@GZDbBi4edjE5UIn2XI@jtT;`tjdJ#{ct5RYl9f@5BPVvCi|`)3ie-=zWso z{^UZrXOC#`wc9BfJ^?;(`G6DRFxL)!jXs9_MT;9s%yxk~KR*v=>u{;t{rA_r>)3M^ zTHzrR}t6iU8h=jTtKor(ZAA8y!`#nl7$dW7vMcgm~Z z`3J1C)q(FxSfUBItKVQwOq^)v$}h307sW;)lEV$}o&z@+@NH0TDs84(sbX;%8F`Jy ztH7zk_w@AP=;UD&b%PTf6Fc0^dCvFcK7@?CBX<`B@)s2JP9~>)8;VL z^jyH(n@}>&v-{hnegdn@R!{k58?wzfTq5 z-r(E1jLOIPWitFE!uM5?v+M&!sn8J$?G@ z$#k<9H7L&e7CIF_eq0{88+AfD8Rp)~%k z$)e+Vx6L&X0*lsfs(k7vI*pBucmd>b>`U?f&G|u-MRTQQtL}r~%CR9HNk_*JRMrMA zl0eJ!@o@}5@ZGMKyW-s+crh^60BKP+nK_!Ya=oa-O1OrGGdoTPsP8s4HoBQlGV|PY zJHCA@0~i3TfWW%~D4Z*V=ei8IzzTd%mTltT@7MuQ9+;=u$jm^=(A_WY7W{aepaoij;Lp0pzDnLHg=)X+o^cUyvlKZHdGOMLUQuQPYTF$ zni5`KUPL6M;)=qO5+cNwg~Yo8Q1m`BuQskbNl3hPc5Yd!2RyrVVIiZ{OLLG7c+9I^ zMK(QvP3wcQCV2&tiq8J;Z@yTsd&-0aoagZHjMu5KfUq#V!^H()5a=VFoVu+oBe))1 z$Gv>@O0VsP!~1I4xtko2)Tx$n?uxx42ib=z$s3;nuFX zu9Ml35peo3C>;(uP=}4#VX4gO;)0fp4~42n%9ucV9;ZST)4Ox~4BBul@ArB|g3F2O z>vYYM;b8LS7XE~vfoS+qC*G;sb<8#J>qE^Hi414TWfRyRq(QN#pru?k{3EXIz0Rts zrFFe@x%38hvFq8qSD+3%7|o)lRjxG>I?#9_ zdOe(5J~N{RSb+9=K%%HK$`b&dDxH@W%~{ZgC$ZiUTJ_Eu z;D3eJ)~pU2eBlL2c(_IHYz}w$!hoLRIc}E%@fjHx*LQ_yV+VZZ@`yuND&()#gt`lkTudS80W3H?eAC4RXG)5E-n7x=7)JGByhQsDdKs)%1$wZBnUZOV5{-o1YPdmMI1Oiz#Y z1+esF8+TwUARX;V8}OR3gvZF+?=A?RWva zjEBfM7P44erjBsXPURyaB9b9bO@H|EHP#4d>pxu$2awh@=%N5HmE)N&-Qa*U2JGjq`k zTpDiEqTw;2Z%GGy@XXKtVNS)nOHkdEJ_~?3$LX<)yD`8JiIPT{%@qvmtZ;wt+I;WIW)PcM!=@O0y9Ur6+__7Aa^R?EG60I-Z%U9hK=40e)}l7hp-Wqpk9&2be?IO!ij z%$O~S_CfaEZW0;1Vo6I|=I$yYF3t$7Cw1934XVH$dOR+u#sbs@XzTr+nW@{3fqR8N zJv2=GjLu?iypmZdI!^LG2P1?G@+Qo0Z*O-ra}@Fl--`X5+^uJc)}1^m&N(!4xS5m2 zHvt-z74bqRMZ2VH@qY9a$(#ij1-^|nVC&|nE3EfC;uKUe!SQ{Yskb<i;f< z$e76L>dHCz+b#UhU5#_9V6cTj@cs$_4C#ys^Z#093}t1eu@1GZ~9JZ*RVemJ^_timfO-<3{5kEzINIfr?gtA7fxd9=;`QC_JJ49wOR5upBYsIQX!HA zJoD^q%-+^kZg;YIf=~&VxQ;hxW^V585D(!iMYbeqP+Wn-3IWZw-Ksc;JM!JfXsQP+o5C@b;J)c*Ktqn6sNAP4lJB<5}Q^2KCPZcYs`lJ5aK4VBte)c6CNC# zSWoow@p4|5l57_@Waj~T8;QGd++3Th+SB6?9I!iVVB6LA75OCrYZ^l9jQ+M-GV%{h z<-m`}1$usZ8U@1jm}79c`R-IuNZU6mD(ah$4<-gi=D1?c*${op@Ruj-JHYO`*{eX^ znW=~i3PP$fU!Rj05{o0LI=0Htxz$f>)TkP*fZk^ShaeAhm||3-B_oULHq@mP-clD- z?WFP3(kd4~nu_-JEX5;}l9KfGts`2}z?-Ih!S&nOt+asGarTW}6LEVZK%~^nuUosue~>Nm~{UE7p+$cjdd8YH1$JNh?+X#c^+S zdn6+V2^qf(Sp|{uQH*K-8y$vl;Uo+ z>y(yamErb>s&kuy@k%A}NS}^R@*hR0KCF<5TT<7SYi)71j*Q6rzarg9nJCx`2aD{e zytnT{#m6Uee4Iog9*ose+}*9WGg;&j8h)wO@Esf(S9D(u^{YRhoEy&&T_@~AzCz1U28!GZx8NEjU(Bgj`&$+!9U)H z_MqO}Y*lOXfO7nHnFj=1exc$pDJf>R?<86jPk_@Tx=_q3@cIIxy^|fd4xPnFqEJ&)v(kCr|K#KX z0!A0}qjZ6<8T=uKoxfk7)i=8wnlqZ0sgBoy)8TmRpAys(ZniSe%r&QKOYZZA>9jEL zJp9u$x+p&~f7bE77LM6<^{5#IharlAgx`T3UgnnOij|eQP!w9kS6eOR7Zyr^KL@gX z*caCW_5s+aQ}K)j>swp7$_0zX7cT8F`}%X~tI+C>##^4p=P^c+^)0k%;jw#XS5_)j zV`|#bopTa@{HRp`X)Xc==z{yM6)uxuE>MrfL;MfmESJ+H>w_D&>+dgLcc#n6UJxBh zSDLNn@HJ7R(Sma`arG`O#j{Q~=lk^H%Bc>{B$jal#)=O|c+tt8s^l`M!vVPw^{ZhG z<7Eb-Ue`nP`8-2fNC$KLvU`C%Lv;&xtOTpTXraqH5!g)wgkbVGdKHB5MAek@*!h$S zYQtg^%+z#^K|IET_~ACkZMFrfQ-!W05`qnyN3uJvy>@P{uDPP&sW&&fu3#(kbRKL8 zq06hj0=tFh6dJ&iH(HHxnwH?r==*Jmw~NU8M@}5p98xhw z+)Z++#gxp9C0oa$cg|f|HQ2?6#d2ZLIfpF7|!su3VvcfCG)^ z$m;A*C;SAbY$jdj)8lGt>V2I@z7j!|K&Kd3+f`OD2xtW6Sxhmg(Zu#{macXwDXHf2 zdBG^RZ6leOm_ou*K)--@z6Sa|KqRi{}` zj*jI1Tv*i~)DzBDTNMa?7PR1LILs-z0kAgm$FIb+?M4>EPH}xM@LjMlIQiy&S|SPX zniQN$vI>Ij@ON=SyoNd0op+)49{11krDM9jNsMaP(3Y^p0-yf$|Frj=QBh{wwq@I` z-6onwMG>JTh=NiEvIH}hiUbLQ1T#r8NDeKnVgMv72#6pV3WOp^(nf+HIY}%eXCzA~ z>dsHkc(2d7=e~RHz3<(3#vAWP_b9CN?QieB)?9PVxvSG6AkO5Xv~7X;m-k}aoSb{& zEWNK=PxvFo_oi`qARXvTH4!n#!SbMmE!9p?6|(z^YD;ska`wes<>!o+C+3^o83 zeSTqM5!^kf@fWp8Jkb-;tdo1^O+M< z=Z&=DA@vLhb~xRdX_iI~U!1LCbL6SA8VhLj3jJwTE>^R1b6L;oox?< z3Up0QAIB)YK#{R{N3T}jFZ7^+((fAtw!aG3Y)1;U8FvX4OJpAZsWo%=!Gq`dU-GYs zE!5X_u(KQRIy6?hnma!R3ejffD)IGPdqOI1h@8`Q*|Yf!&9(5M$wPoft(4A96kopv zO1Hq-bk}_c5w-XbwSNBPmw1crodZ)6G}~a7Z@ui?27%+KqR0z0l1|*7(C~ zv;`D?RGDqAi-SSEB$SVqw=6RX_@O8sH`ew>nYtS*9aCIipqJ&mP+j`T!Lf)w^T*n% zvi1s{80J)lwZg*eXpCzj;}oHeaz3llTe&f8wM*C@G|5u|P9x48EHUYLAuBqfoTEMR zF|F0k3Bg27_F6O0Dte&}V;wl zoo78((Z*kXQR%(Z8!7Kq+FsZ$yBClQoukQ_nSg?V0!vHF`iNuliwT7@!*VqlNz6v( z@>r_T5ywhw`JRyx)zM?sYuBzNCVhF?WYl)~*u7r@f`j8bJ2zNbSg31iX1CCcHB1;t zZvJ5|TBEJ2!3j`si-EJ%u#$~xUfhW)%N%0ElEXr4(rvAf-CiLix>v!3!5EfyJ$?EC zHWDLkv@*`{qV!x1AFxNfjj`U#C{7K)*94PK`p=31-K`s2L^`F|79OHZmL|V!z$3uAcj$^K^p}>-+sa zo{5kwOd9HBj>|LRqN0wqELDgbHRb1>^x|kI@va<-&M>JdD$)dU$?w#)B)w^fNQw23 z@p;oAOeRxX1lEw`9IOafU|rGLIDQ8N;avQ?ZuPai-2Ss`3DuPhyEm~+qv zR*3Lu$3c-0o077R1``HSSFosYAo{&13nKtg8zmGWlq8gQK(nF~1}jJko*vSQn6A7& zZ%obRiq@#9sv1D=hHOoMDX3hg>(47T zNQ48yzzhMNG1%@M$u0Wi@y0I39K9)Tt|I}u^wPSz^AN;qKpe<~*uy z0!2drSBB4qv85I|7_!6|p>v#jBmH3q$Zld!IDy zVPR>48jD}e^xppc`zNQTRgWM4{YFLbOTw1Xy6_$81FH|M6h${qTnuv<+D+I)1O()v zKlS5lx2lrSO1bnKG3dqd0zLHvH9hB<0KVO_vbr$DfF-Df)XLw_FA~ZiEf(1?ohO10 z!7t2!G#~JtN`sI~Gf90DJG(Jt+_(}ABcpg?rPM^q3(3gj6G}y$_gD6m}jLu!5|Hf@au$W1(!_3f2$WDg|`K6XtFjPDcWtzo- zo_XNy9mEF}x8VN$%8)suNd_VR3yg21wI0euo24%n>$i!Wr4}r|jw)j(bki+4wp6I7 zUsi;O3yF%-BsI2@E_rz5dSGM;&;{TV>SC26M@k&p%?sDRhI(nV#Pf$$tI7%^CwU)Y z5fB9(So1-w)$?c1K7!CP0cs^Z>ue#7Ae4&6=Nl5rT#Of19OSIkNstIbZ9mkO zorW7?{nkQm>cc^!x@b=s?JCsK?#|Rc$ML)va3IZQIad9Z4<0-~6C()9ml)_%)vz-; zL<}C+*4FY-#`EUFlEM5k;P+X8a4rrE@DO&7S(coH@LJ4tc@Vh?E8V(3)D{`-#8Bc!P zm2RNiJ7>k6;sSm6Vinb8CP7Ov(8AKP7VeN~7+HwxnjM5vFB$?T2yJ+PBq$&msm?E7 z3JP#YN=YFB(`7f1$z&PW9iHVm2CP}Pt{$VLqS%Q$6C}KV(GTY)hMV>yufEa>Sz;^3 z@v0skiS7u;d8n<1=miB~&a;|dBi{Z8fE};EBs3K)6Dz6JJ0y1_tRjt2Gz9=pzj}2b zZ>sVT3@v_AwquFV+o08`fETD^J2hZ!YXxoMhJ{Ed#9>Vs@C{^iJtW72QIM6DHEK!@g{9{?#%I!&rA%xCDAowx414}C5DL3a z2R7zR2z{w|c@b6yW8xwnJbF|QPaE1@=ewQQ7aZOrCL5qzMO*|7YsFsM6JR_!qb05_ z`64p1x4SzM%BXUT1*&%?TnZcp4S9~X2uSg8XrO*K2o01&bU{13w5dr0Vb2JP!j;q& zr01!c8@Oe!4A;jU3%%jhntQ^Bb>*YJr*pM>B2yiDWv%7q2KfiG^=Gh#9lB~XJ*8yX zFp=Oh<7dBr;^)VUh66uPyR-=wmy-?%$kVQ6zB%}0Lq z^W6};9fLFR^x3mu*W^Bk3$A#xso2Qo=7I+&@JPOgchkLLaqUUl%Z^z&2^TMDcy2im zMZ7T%UMfKmk#qt<#76G)CeAnYeDJ6~wzM=l-w@D5N+ zfM4oP=Ge&pb@(-Y7yg%IV62@5I-Qn2;7~#;8ruqS(KjUCq^u&i6&Nad1_yV;wmJXh z%K)q`jfk_`uFb}%4`DX68CS0L^dhkd9l%W z9Kttn>*K?AGObGfS_es^%m@VA4@e-o3j9o+X;o{G{%jlGv*4IdGJU)hoNt@ExS&Z318X^m`#a{_Z2Uq^eelPIxyR6*7V*_z^3!f z3PQ-*^6L6S=W$(2%U6h2LW+ut2pbSvkKOK0(@H`esbX%P5`8W-9;O|N3UF0lRX7zW z7?H6)>ugBHt+x|5u3sO7UBgFptEW}pht#SZcr_Pi)~;D2V%)gr8%8WByWa2p$q7%_ zz+Xm#s@*8)WlW4Q(#UMD>|C3bTHs=jpQ0c@C_tB1flHoqdzj0D;o=O;35igEqfH~Y zbLYvy!9n)rdnc3rE@ad*S(IVYo!|TNBkZYQKs>y>qK>mS33Ll23{Osg>iqb2Ha1?2 z^2G7u2GEfM`W;D2B9q>5;x=Q5GvjpTZL_pMe}B*gavF%?>WLR3AcQ3lRf?W0>SDa%V+9r=aCAK28UZ8mc~rnV1ITDa zJC+I9fs?|EN=kDU}q2F2+D>n9C@cfq5~pk0&e<7K^8TD zS2jT2PD9lyXx1$^-{VJsCy<0RsF@)fK0Mq+rHY}mm}zvC`_QdKLjGLz?%ghCZudo^ zOBWlvD-`uK)TqG+^}QHL3s_vBqX)n;aX=wV>Go-dxT#u4eT&|1R#-qK#_AFOP>kc@m3j$1X8|Ie|mkE`>nZmkaL>&NS%- z@$J>kMPL2jfSJbZ;tP_v669MT!)`pm7_im=tA~6$b zlxA3WQc-&1chmwg$OxFE_vq3%h zRUz7va`_l-zji6?eUU(}13(;!2l7z$OSvp%5nl&{tO$!qf~9sl-pem8F20^an!rJrXl*i$zxhmMcTNesXrU5!jexM4~Z#TS7xTibrBbUIT^E2s}7g zdjdIGErV_)JU!k4#Vv4FImV3>xTT!Fr0^L+ze@~?XafS7ef;=w=S6YS;X;E+?=RVH z?P#dN6>|^g#5aIkTeJ?TQ170&4GA$CAcxZ7JKz@(ForXX0HU;E2mw#UFQv?cqrsrI zEJT5+yc$+CBThQ%VG$TpwVEO_uCMz3du{7ng3VG=s{SF!6-=t*v-O-3N+{N7Ui~pZ z73oF|g2WwETi*O9aBI?%PJr8jp6jQ50i=QLKK8 zU2tEuKECc1=l1QR%=}I}_<2B|SmxQvQ5%E62*Ov#-3BsdVmu6(E z0HnWG)0_&Ib=|1BJd4@?43!VrZaD%?{-*8QlSuAWtN~GoLbS+{^J6}QGPGEL~3enC1P!hj+ zB)-KuCg7O{a?GsX8t`c|*h)=y47g?xWQ{(iTn14V>FfY6r6}A7fPBQv6S0CX4prZ2 z1qBd*CN?nnI4{rlYrVR5A0oyi@S_9w1#q%N#Ia%82HIY$&Nsgyg(*X|7cdb<81_9m zL{A?%a%9bh4H@CNycAe*USN8O&IXi?gCGbZakZW$;x0>ej6U&#ROa%q9#e}L1rf&K zlj!Z~sh7}GaCGN~tp8NF%R<~;7Vczl88#yyl|fyLbFm8&OCOwgp5t7gySqD7ViB!4j+u9nX&g3A{pBA%;4}@5B(pqtXA=-89Y$$Q8#is@r!2J6 zm!pwIh|&*C>3O2b?=)@;W(d;J-eo@)T}AvW3Z-q+Cix3{4$8>rU^e{|5{zl(M0t#A z3M~ckcl-F&@*Bc|%Q2r)US5?@C*EG)RP^0V zA}EWSK7%WfO`1#48ywUVmE)mxmRM>4xjdQ zcR!Z*or*7m_vw$NcQ2=2z!WO+|N1gGQ;!XqPK`)!FjpbJLauQEg<uyXlfIX4(>EdRb?iy>%ag)C{U*qw42J)Q(!fipwEs zdF`Orx-6%Pzk%!Q{}5c)PX3t`Ue@7y{*~0o0{z7NsyguSi`}T4 zxsv_-e2|Fuy_}racWfFwb{y;JJUoYw6UhWEO77|ou$=UdKD!0nr}vp)0kWK8c!^0Z z`@{q>%2HmG2XBf*?2nJ(gEGCiV{WZj5hU#$q<_YfYjd2aG4lv9a_v>YOL?ClqPEY< z*;ds**5~rx%vIbURy+8LcjhT{S{5=$Bqg>D`x4(G8g2rcgTz~oRy3SYDqt2FlW3j* z0}sGSn{L;Nf}b0H`H*Z0Sy{mK@0q*$PP-dh@tOfh#hrz^<$$PZpcjs<6^?% zEo6~6aX1EQ3XutqzmT(+FGujbhs_)fGPum3b$JSQlT49mFc+cz%i5#0TxG)}mw#`z=lI9Fpmm-Gd*+=;s&v_^ucnrSC-B!)6f`qS0NSkxT5 ztSl^Q2&M>N!vF^$D9AWHKcYS0@-qiVJdTVwL%i6@DVJ|INIy_6h(dm7{vp?^p|%G! zBl0brTj0=3MBxO^!=V|zQJ`rPP~aojgL_Cw2do4?A=WRrlC%!9k*bxX1*I9D_n&SxW8gAJ&dIZZ*pp6&wASdJHj{`sxul9Ag53$U47<-@UbGm{i|%XN>44 zfj}h0O48EHi>x}>rfQciU840`kF^od#q!oIb!+Q%a2|UoT6qpM{DMdlx<0Vi3c+yt zzHvRNdY?z>+8_Tl*F}T>dbBxB9tVl2Ub_~BlIT|o(iDX@4@5DOLuZ^L*s62q&YfrB zHuzbzon@#D-?z;CYj#Y!3R0d;Y-}(D^Fi`}9+D!|%8;$s!4xe@a8Nj8!vPtPr~!=O zh1Gg(9rr3NEn%;5N3K2kX0<5Mf-ft$y-pZ)!C_C&QEECkk5mCqOvAt@g#Ko8b2Cz> z&Pp#XQuRiU(kUGL@~@K@kv0jM(#&OQ+nsy&T3z86jRyNcppJ&X-jR_+QR7AeI98so%CO0o4E)TQyKh4Mb&_z63a12G%J*KcDCjKv>0Lhe+q?Ip(Fhi7hiz-MBY9JyVDWJP7j;aYmbK!?6+h$vRcqPUJ2b@jUyPr_5l()C% zmEG6(jb94$_rJzu;ypt!{{^bfTU@{fZGb@&lxj4pI8@ouKQ*o+RsX!^;e%io#VEwD z%D&#MRY5`F8ZldI?qBJf5bByFCD@!_&rr)3@;0_hu&`0YwSj(&r;E8aO9bPZjPi= ztUNB`ljQuR@*@5S4@q!P{F(w*|2YM);>WQ5CM|u-4ga+#PF+@J{rWWrQ1Z4ll_ zRG0typzq&oA^sCQv3rjo&sU18_&wa+M6Q0+Fm&qc1J3`3+x8b=@E@K5-a98we0|dg z3C+;2xA94;*7o~EulC8`>DB%d+~{vt6@`ZM*N*O1fdsa1>qR|*_v-_z|L{$?`rr4C zjhi=p+aKN6Z2q!djBNP6E*!5vcc}lN8y)rH#qDo5;aevix&IqX{DAYrzQU$Ak8mL1 zpYMu)VBjxbH*T8U#FcN`i_5Na#kWTisl-p)*&O{d)ckjD&HvW%{FN-=AG!no*?0K- z@q*{un4cw{`?mfsBzb*%@L!8x|JjZBkF7zK3+N^j!R1>_;oYmP^WU&nPgeGX@&9R! zvXZL;{|WAu=5UT1Z;1-W6;7<$tlRa*iq~Q~XV;5vz@H*McMY-}M(>Y&4Z%x$EY5zd zTmG5n_OB|ue`nkM|8WqT;Q#Di`+s;oG(#M*N1k6^5?oLlT@Z`QzE_i&%)Rl&%VF;1 z14#vQycHtBqRS;=T9#fWsfWz32h+1IOFHpYw7cObjN60n*@0e z5v!9A(2DA-)CxR=U%OU5>Ek--cX6^U#&fd|C)-!f;vZPiowr-Qw|n2*+dp^Tt+#hm z**Uq^*i0YW=uUyYNmZSnKQLIOkfF=&=jRin&!ru= zBFQz?j7XkC9~u>YV!~P^}t@oS0tjTu7xpP z=t&#;Duh$IllD-}Tl%2##V(iXUzzfv`TgA1lNX{FPX69PWot~xTly|fO+`Cek7;q6 zZ!lCmU)^5w4woIz>#|8M2cu_eCLe6dH1+1(v)SbSqB84>0vhwt;OsTOWcnTdK!4-n zFL&@8F^zY*!)h?_>4g%Op>Xc;Mq9nHOg*woA(v+8cAKFKf%){no8hJjvFj@69rGHS z`kHd@O_b9P&Ga}6O@FTIrtx3R?>etr{U+9UreD)oRaZUY!Q>j5eYTI51D4qrtAxfY zQ@qD53AErQsI46eK1KC{(u-PO%TTGnq(Nn}agmT-Gj;0o!R`PXDGgWG`7`T1a@D=m zR|f>C4dl3vHI+WepBaXF3=6P1-nX&OH&mYbu-Uvxb< z(>fSSgW`KMXSGppQ$gKx*7ngR$2lr}Ao;0Ju!M=5?3dO|wZNJ~JjZ2SxEz)<#~bao zk);>%U6_+598wuEoJkujr_5{W^P;0XE{N}*9N+^7$=_{{i9_lz*c|2b$Lo`W?EjpRQ+;YE7j$t zZ`T2Sr;yl>i>uDWKT14b@@l%Axt*W#dQ`)mM*iec8MZr}yg2goyU`^LUxxnpY@|ZL zZBcWRPujg7OM;!g%$eCt`R7m0&M3tgx5PJjhNinzGzvCNm^Gbtb+U@@lgZMeEGjm~ zp_@ZAIh;PI4i?e(ntqSr+w;TeopCk`iyCPn7DJv6 z&K(Zz3*{j_odz}itC@ThOT$lm`s@h~ZPm(j=AuW3L+_ai7sCgpTezYdm%|nqWTx)* z?0d7}^=k{93nbO!)EW1z89EKTxw=k7OH1qUQ#$gwhFa1>^OtXWzqo1^Yss+6+(Bv5 z=8oE*c}Ki2UhK!&uj~5{-khNjKeAC<=qF3dTdGZ5qxH$|R7x=HP{>G`T@ zSMNM3({aR^G3e7EC~-0Isp}RpWueoI9+w`aO)ju1uskrCeswBBu-rCXs`TX@KSoSO zrgw-6Gvsxd_?z>J9dm)TilIJy{G)O&cdrah~EVYODUbfHP|aHn9f^j`_87Y^{?Y&&$qknKawt;3*cqAh$R! zxz(P7b-}JXxt<@tQ_z?&URkZj#Ze+uXa4&z+fAKfS3d|D+Q4PCmY(vYQWV4w|N1C_buk;gs~--l0k7-hFM7XJ-y- z_k}q%=U9z0id{yyZkEIphOVa8+2}lSrA;_kjnc)LF@}!YZFEkU+1Q&_eQ~np5RljR z<_MwZGd<+$;>bRvHw+h-?Ezd79`W&g9FJL96R7I=<)++bWYNRHNPxd8U_n0K2{?X= z4V7FJf&Xilx>l1e*tvI4ZQ%?L;<_4v@NnU0ZrS{Y9?8>NPPFH{=iFk+SbO%>muDAN zlHRy8WKxU6i1!gm*${=0n+S@;fBWPA$IH@Rn@~?z0eT&*$@Yo VA;nGICcq&i%87HwlaF4y{V!SRSkC|e literal 0 HcmV?d00001 From 8b7474d6bfd4dc2596f9f2964da4f00b72c1930d Mon Sep 17 00:00:00 2001 From: Macey Dobrowsky Date: Fri, 15 Nov 2024 10:19:13 +0000 Subject: [PATCH 16/26] update migration script and add new script for changing SniFlag to SSL Flags --- .../IISU Sni Flag 2.5 upgrade script.sql | 80 +++++++++++++++++++ .../Legacy-IIS/CreateIISUCertStoreType.sql | 10 +-- 2 files changed, 85 insertions(+), 5 deletions(-) create mode 100644 Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql diff --git a/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql b/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql new file mode 100644 index 0000000..4122385 --- /dev/null +++ b/Migration-Scripts/IISU Sni Flag 2.5 upgrade script.sql @@ -0,0 +1,80 @@ +SET NOCOUNT ON + +BEGIN TRY + BEGIN TRANSACTION + + DECLARE @IISUShortName VARCHAR(50) = 'IISU' + DECLARE @SniFlagParameter VARCHAR(50) = 'SniFlag' + + DECLARE @StoreTypeId INT + + -- get store type id + SELECT @StoreTypeId = storetypes.[StoreType] + FROM [cms_agents].[CertStoreTypes] AS storetypes + WHERE @IISUShortName = storetypes.[ShortName] + + -- get list of cert stores guids of that type + SELECT certstores.[Id] + INTO #StoreGuids + FROM [cms_agents].[CertStores] AS certstores + WHERE @StoreTypeId = certstores.[CertStoreType] + + -- get list of certstoreinventoryitems matching on store guid + SELECT inventory.[Id], inventory.[EntryParameters] + INTO #InventoryItems + FROM [cms_agents].[CertStoreInventoryItems] AS inventory + INNER JOIN #StoreGuids ON #StoreGuids.[Id] = inventory.[CertStoreId] + + -- update entry parameters to new setting + UPDATE [cms_agents].[CertStoreTypeEntryParameters] + SET [DisplayName] = 'SSL Flags', + [Type] = '0', + [DefaultValue] = '0', + [Options] = NULL + WHERE [StoreTypeId] = @StoreTypeId + AND [Name] = @SniFlagParameter + + -- perform batch processing on certstoreinventoryitems to alter their EntryParameters to change the SNiFlag value to be a simple character instead of lots of text + -- replace 0 - No SNI + UPDATE inventoryitems + SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '0 - No SNI', '0') + FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems + INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id] + WHERE inventoryitems.[EntryParameters] LIKE '%0 - No SNI%' + + -- replace 1 - SNI Enabled + UPDATE inventoryitems + SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '1 - SNI Enabled', '1') + FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems + INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id] + WHERE inventoryitems.[EntryParameters] LIKE '%1 - SNI Enabled%' + + -- replace 2 - Non SNI Binding + UPDATE inventoryitems + SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '2 - Non SNI Binding', '2') + FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems + INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id] + WHERE inventoryitems.[EntryParameters] LIKE '%2 - Non SNI Binding%' + + -- replace 3 - SNI Binding + UPDATE inventoryitems + SET inventoryitems.[EntryParameters] = REPLACE(inventory.[EntryParameters], '3 - SNI Binding', '3') + FROM [cms_agents].[CertStoreInventoryItems] AS inventoryitems + INNER JOIN #InventoryItems ON inventoryitems.[Id] = #InventoryItems.[Id] + WHERE inventoryitems.[EntryParameters] LIKE '%3 - SNI Binding%' + + COMMIT TRANSACTION +END TRY + +BEGIN CATCH + IF (@@TRANCOUNT > 0) + BEGIN + ROLLBACK TRANSACTION; + END + + SELECT + ERROR_MESSAGE() AS ErrorMessage, + ERROR_SEVERITY() AS Severity, + ERROR_STATE() AS ErrorState; +END CATCH + diff --git a/Migration-Scripts/Legacy-IIS/CreateIISUCertStoreType.sql b/Migration-Scripts/Legacy-IIS/CreateIISUCertStoreType.sql index c48a372..4d6fc16 100644 --- a/Migration-Scripts/Legacy-IIS/CreateIISUCertStoreType.sql +++ b/Migration-Scripts/Legacy-IIS/CreateIISUCertStoreType.sql @@ -358,14 +358,14 @@ BEGIN TRY ) VALUES ( - @current_storetype_id, -- StoreTypeId + @current_storetype_id, -- StoreTypeId 'SniFlag', -- Name - 'SNI Support', -- DisplayName - 2, -- Type + 'SSL Flags', -- DisplayName + 0, -- Type 14, -- RequiredWhen NULL, -- DependsOn - '0 - No SNI', -- DefaultValue - '0 - No SNI,1 - SNI Enabled,2 - Non SNI Binding,3 - SNI Binding' -- Options + '0', -- DefaultValue + NULL -- Options ); -- create Protocol entry parameter From 68865ebf99ac57253ac0274d7abe840212fb7586 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Fri, 15 Nov 2024 10:20:38 +0000 Subject: [PATCH 17/26] Update generated docs --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1ca2178..7e45c19 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat

Windows Certificate (WinCert) + ### WinCert The Windows Certificate Certificate Store Type, known by its short name 'WinCert,' enables the management of certificates within the Windows local machine certificate stores. This store type is a versatile option for general Windows certificate management and supports functionalities including inventory, add, remove, and reenrollment of certificates. @@ -74,6 +75,7 @@ The store type represents the various certificate stores present on a Windows Se
IIS Bound Certificate (IISU) + ### IISU The IIS Bound Certificate Certificate Store Type, identified by its short name 'IISU,' is designed for the management of certificates bound to IIS (Internet Information Services) servers. This store type allows users to automate and streamline the process of adding, removing, and reenrolling certificates for IIS sites, making it significantly easier to manage web server certificates. @@ -93,6 +95,7 @@ The IISU store type represents the IIS servers and their certificate bindings. I
WinSql (WinSql) + ### WinSql The WinSql Certificate Store Type, referred to by its short name 'WinSql,' is designed for the management of certificates used by SQL Server instances. This store type allows users to automate the process of adding, removing, reenrolling, and inventorying certificates associated with SQL Server, thereby simplifying the management of SSL/TLS certificates for database servers. @@ -172,7 +175,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | - | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment | | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint | @@ -253,7 +256,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | | Supports Discovery | 🔲 Unchecked | Indicates that the Store Type supports Discovery | - | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Reenrollment | ✅ Checked | Indicates that the Store Type supports Reenrollment | | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint | From 5837a3401657183732825f132bf05ff1aee43735 Mon Sep 17 00:00:00 2001 From: Macey Dobrowsky <11599974+doebrowsk@users.noreply.github.com> Date: Mon, 25 Nov 2024 14:18:06 -0500 Subject: [PATCH 18/26] update SSL Flags name in integration manifest --- integration-manifest.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integration-manifest.json b/integration-manifest.json index d161507..36d25da 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -277,7 +277,7 @@ }, { "Name": "SniFlag", - "DisplayName": "SNI Support", + "DisplayName": "SSL Flags", "Type": "String", "RequiredWhen": { "HasPrivateKey": false, @@ -491,4 +491,4 @@ ] } } -} \ No newline at end of file +} From 2ba68407a767ef77464b6c6c555b8d8d10245179 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 25 Nov 2024 19:19:23 +0000 Subject: [PATCH 19/26] Update generated docs --- README.md | 2 +- integration-manifest.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7e45c19..66f826d 100644 --- a/README.md +++ b/README.md @@ -305,7 +305,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | IPAddress | IP Address | String value specifying the IP address to bind the certificate to for the IIS site. Example: '*' for all IP addresses or '192.168.1.1' for a specific IP address. | String | * | 🔲 Unchecked | ✅ Checked | ✅ Checked | ✅ Checked | | HostName | Host Name | String value specifying the host name (host header) to bind the certificate to for the IIS site. Leave blank for all host names or enter a specific hostname such as 'www.example.com'. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | | SiteName | IIS Site Name | String value specifying the name of the IIS web site to bind the certificate to. Example: 'Default Web Site' or any custom site name such as 'MyWebsite'. | String | Default Web Site | 🔲 Unchecked | ✅ Checked | ✅ Checked | ✅ Checked | - | SniFlag | SNI Support | A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.) | String | 0 | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | + | SniFlag | SSL Flags | A 128-Bit Flag that determines what type of SSL settings you wish to use. The default is 0, meaning No SNI. For more information, check IIS documentation for the appropriate bit setting.) | String | 0 | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | | Protocol | Protocol | Multiple choice value specifying the protocol to bind to. Example: 'https' for secure communication. | MultipleChoice | https | 🔲 Unchecked | ✅ Checked | ✅ Checked | ✅ Checked | | ProviderName | Crypto Provider Name | Name of the Windows cryptographic provider to use during reenrollment jobs when generating and storing the private keys. If not specified, defaults to 'Microsoft Strong Cryptographic Provider'. This value would typically be specified when leveraging a Hardware Security Module (HSM). The specified cryptographic provider must be available on the target server being managed. The list of installed cryptographic providers can be obtained by running 'certutil -csplist' on the target Server. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | | SAN | SAN | String value specifying the Subject Alternative Name (SAN) to be used when performing reenrollment jobs. Format as a list of = entries separated by ampersands; Example: 'dns=www.example.com&dns=www.example2.com' for multiple SANs. Can be made optional if RFC 2818 is disabled on the CA. | String | | 🔲 Unchecked | 🔲 Unchecked | 🔲 Unchecked | ✅ Checked | diff --git a/integration-manifest.json b/integration-manifest.json index 36d25da..b617ff7 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -491,4 +491,4 @@ ] } } -} +} \ No newline at end of file From 12f1910833b83b9808279eee8776be4c7572afe5 Mon Sep 17 00:00:00 2001 From: Mikey Henderson <4452096+fiddlermikey@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:24:53 -0800 Subject: [PATCH 20/26] Update keyfactor-starter-workflow.yml --- .github/workflows/keyfactor-starter-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 64919a4..a4649f2 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v3 + uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2 secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} From c9d3cb57a6826eddb236bc8f95bb57daf3f26702 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 27 Nov 2024 19:26:03 +0000 Subject: [PATCH 21/26] Update generated docs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 66f826d..c928b28 100644 --- a/README.md +++ b/README.md @@ -412,7 +412,7 @@ The Windows Certificate Universal Orchestrator extension implements 3 Certificat | --------- | ----------- | ----------- | ----------- | | Older than `11.0.0` | | | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Never` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | | `11.6` _and_ newer | `net8.0` | | `net8.0` | From fb27d4ad724cb43b3e4fce38762d2a2a01ec1752 Mon Sep 17 00:00:00 2001 From: Mikey Henderson <4452096+fiddlermikey@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:45:23 -0800 Subject: [PATCH 22/26] Update integration-manifest.json Add release_project property --- integration-manifest.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index b617ff7..8737b9a 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -5,6 +5,7 @@ "status": "production", "link_github": true, "release_dir": "IISU/bin/Release/net6.0", + "release_project": "iis-orchestrator/blob/main/IISU/WindowsCertStore.csproj", "update_catalog": true, "support_level": "kf-supported", "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) \u201cWinCert\u201d which manages certificates in a Windows local machine store, and 2) \u201cIISU\u201d which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated \u201cIIS\u201d cert store type that ships with Keyfactor Command. The \u201cIISU\u201d extension also replaces the \u201cIISBin\u201d certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from \u201cIIS Orchestrator\u201d as it now supports certificates that are not in use by IIS.", @@ -491,4 +492,4 @@ ] } } -} \ No newline at end of file +} From 17d55f68e7daed309b2ec25b156c3b348f16c7aa Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 27 Nov 2024 19:46:42 +0000 Subject: [PATCH 23/26] Update generated docs --- integration-manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index 8737b9a..4743049 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -492,4 +492,4 @@ ] } } -} +} \ No newline at end of file From 3c3ef839518f0cb5c30b9cd48d16c1752de063e0 Mon Sep 17 00:00:00 2001 From: Mikey Henderson <4452096+fiddlermikey@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:51:59 -0800 Subject: [PATCH 24/26] fix release_project property --- integration-manifest.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integration-manifest.json b/integration-manifest.json index 4743049..7b8fa1b 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -5,7 +5,7 @@ "status": "production", "link_github": true, "release_dir": "IISU/bin/Release/net6.0", - "release_project": "iis-orchestrator/blob/main/IISU/WindowsCertStore.csproj", + "release_project": "IISU/WindowsCertStore.csproj", "update_catalog": true, "support_level": "kf-supported", "description": "The Windows Certificate Store Orchestrator Extension implements two certificate store types. 1) \u201cWinCert\u201d which manages certificates in a Windows local machine store, and 2) \u201cIISU\u201d which manages certificates and their bindings in a Windows local machine store that are bound to Internet Information Server (IIS) websites. These extensions replace the now deprecated \u201cIIS\u201d cert store type that ships with Keyfactor Command. The \u201cIISU\u201d extension also replaces the \u201cIISBin\u201d certificate store type from prior versions of this repository. This orchestrator extension is in the process of being renamed from \u201cIIS Orchestrator\u201d as it now supports certificates that are not in use by IIS.", @@ -492,4 +492,4 @@ ] } } -} \ No newline at end of file +} From 0bb56dcdbb498b54731bd2ec97e0cbb44f5fbe6c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Wed, 27 Nov 2024 19:53:11 +0000 Subject: [PATCH 25/26] Update generated docs --- integration-manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index 7b8fa1b..3ee7541 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -492,4 +492,4 @@ ] } } -} +} \ No newline at end of file From d340184511a44f03cb69b9d2c86a54b7ee856b7e Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Wed, 27 Nov 2024 12:06:11 -0800 Subject: [PATCH 26/26] fix release_dir property --- integration-manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index 3ee7541..4b555b0 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -4,7 +4,7 @@ "name": "Windows Certificate Orchestrator", "status": "production", "link_github": true, - "release_dir": "IISU/bin/Release/net6.0", + "release_dir": "IISU/bin/Release", "release_project": "IISU/WindowsCertStore.csproj", "update_catalog": true, "support_level": "kf-supported",