From ce62ff16fb3dd751c0d04710c5df49440ae197ed Mon Sep 17 00:00:00 2001 From: Lubos Racansky Date: Fri, 26 Jul 2024 08:43:06 +0200 Subject: [PATCH 01/21] Fix #623: Set develop version to 1.9.0-SNAPSHOT --- pom.xml | 2 +- powerauth-java-crypto/pom.xml | 2 +- powerauth-java-http/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index e46976cb..f732876e 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ io.getlime.security powerauth-crypto-parent - 1.8.0 + 1.9.0-SNAPSHOT pom 2016 diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index 5573e338..c2eccbb1 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -26,7 +26,7 @@ io.getlime.security powerauth-crypto-parent - 1.8.0 + 1.9.0-SNAPSHOT diff --git a/powerauth-java-http/pom.xml b/powerauth-java-http/pom.xml index 959baea8..c781d8c7 100644 --- a/powerauth-java-http/pom.xml +++ b/powerauth-java-http/pom.xml @@ -28,7 +28,7 @@ io.getlime.security powerauth-crypto-parent - 1.8.0 + 1.9.0-SNAPSHOT From ed57cd0801b456cd628f1077f95ace58b08a7ee5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 06:01:26 +0000 Subject: [PATCH 02/21] Bump slf4j.version from 2.0.13 to 2.0.16 Bumps `slf4j.version` from 2.0.13 to 2.0.16. Updates `org.slf4j:slf4j-api` from 2.0.13 to 2.0.16 Updates `org.slf4j:slf4j-simple` from 2.0.13 to 2.0.16 --- updated-dependencies: - dependency-name: org.slf4j:slf4j-api dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.slf4j:slf4j-simple dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index f732876e..549da356 100644 --- a/pom.xml +++ b/pom.xml @@ -80,7 +80,7 @@ 3.8.0 3.3.1 3.3.1 - 2.0.13 + 2.0.16 5.10.3 
From b7d38f25c1c647c508fc62c631eeb21c8d9e0bd6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 05:51:14 +0000 Subject: [PATCH 03/21] Bump org.apache.maven.plugins:maven-surefire-plugin from 3.3.1 to 3.4.0 Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.3.1...surefire-3.4.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 549da356..a722bb4b 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ 3.1.2 3.8.0 3.3.1 - 3.3.1 + 3.4.0 2.0.16 5.10.3 From 72991c151042ac8759b2ec4483b6e71de767b096 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 05:51:15 +0000 Subject: [PATCH 04/21] Bump junit.version from 5.10.3 to 5.11.0 Bumps `junit.version` from 5.10.3 to 5.11.0. Updates `org.junit.jupiter:junit-jupiter-engine` from 5.10.3 to 5.11.0 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.10.3...r5.11.0) Updates `org.junit.jupiter:junit-jupiter-params` from 5.10.3 to 5.11.0 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.10.3...r5.11.0) --- updated-dependencies: - dependency-name: org.junit.jupiter:junit-jupiter-engine dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.junit.jupiter:junit-jupiter-params dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 549da356..d9370c7b 100644 --- a/pom.xml +++ b/pom.xml @@ -81,7 +81,7 @@ 3.3.1 3.3.1 2.0.16 - 5.10.3 + 5.11.0 From fffca2c1ecce2866f867bc412780258bc390d8b7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 18:47:57 +0200 Subject: [PATCH 05/21] Bump org.apache.maven.plugins:maven-deploy-plugin from 3.1.2 to 3.1.3 (#637) Bumps [org.apache.maven.plugins:maven-deploy-plugin](https://github.com/apache/maven-deploy-plugin) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/apache/maven-deploy-plugin/releases) - [Commits](https://github.com/apache/maven-deploy-plugin/compare/maven-deploy-plugin-3.1.2...maven-deploy-plugin-3.1.3) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-deploy-plugin dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3c97f851..3deef287 100644 --- a/pom.xml +++ b/pom.xml @@ -76,7 +76,7 @@ 3.4.2 3.13.0 - 3.1.2 + 3.1.3 3.8.0 3.3.1 3.4.0 From 7532ada436ea256b924170338a1fb564ca8258cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Tue, 27 Aug 2024 18:51:33 +0200 Subject: [PATCH 06/21] Implement support for temporary keys (#632) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add initial implementation of temporary keys * Add new version 3.3 * Add optional temporary key ID to signature header * Fix default constructors * Move temporary key ID to request body * Added ECIES V3.3 test vectors generated by iOS SDK * Empty lines cleanup * Added encrypt-decrypt tests for ECIES v3.3 * Simplify check for temporary key presence in 3.3 protocol --------- Co-authored-by: Juraj Ďurech Co-authored-by: Juraj Ďurech <1719814+hvge@users.noreply.github.com> --- .../lib/encryptor/EncryptorFactory.java | 6 +- .../encryptor/ecies/ClientEciesEncryptor.java | 4 +- .../ecies/EciesRequestResponseValidator.java | 6 +- .../encryptor/ecies/ServerEciesEncryptor.java | 3 +- .../lib/encryptor/model/EncryptedRequest.java | 1 + .../encryptor/model/EncryptorParameters.java | 1 + .../powerauth/crypto/lib/util/EciesUtils.java | 78 +-- .../powerauth/crypto/lib/util/TokenUtils.java | 2 +- .../encryption/GeneralEncryptorTest.java | 455 +++++++++++++++++- .../PowerAuthSignatureFormatTest.java | 1 + .../http/PowerAuthEncryptionHttpHeader.java | 1 + .../http/validator/ValueTypeValidator.java | 2 +- 12 files changed, 511 insertions(+), 49 deletions(-) 
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java
index 949deabe..de00d753 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java
@@ -62,7 +62,7 @@ public ClientEncryptor getClientEncryptor(EncryptorId encryptorId, EncryptorPara
 validateParameters(encryptorId, encryptorParameters);
 final ClientEncryptor encryptor;
 switch (encryptorParameters.getProtocolVersion()) {
- case "3.2", "3.1", "3.0" -> {
+ case "3.3", "3.2", "3.1", "3.0" -> {
 encryptor = new ClientEciesEncryptor(encryptorId, encryptorParameters);
 }
 default -> {
@@ -106,7 +106,7 @@ public ServerEncryptor getServerEncryptor(EncryptorId encryptorId, EncryptorPara
 validateParameters(encryptorId, encryptorParameters);
 final ServerEncryptor encryptor;
 switch (encryptorParameters.getProtocolVersion()) {
- case "3.2", "3.1", "3.0" -> {
+ case "3.3", "3.2", "3.1", "3.0" -> {
 encryptor = new ServerEciesEncryptor(encryptorId, encryptorParameters);
 }
 default -> {
@@ -154,7 +154,7 @@ public RequestResponseValidator getRequestResponseValidator(String protocolVersi
 throw new EncryptorException("Missing protocolVersion parameter");
 }
 switch (protocolVersion) {
- case "3.2", "3.1", "3.0" -> {
+ case "3.3", "3.2", "3.1", "3.0" -> {
 return new EciesRequestResponseValidator(protocolVersion);
 }
 default -> {
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ClientEciesEncryptor.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ClientEciesEncryptor.java
index 86cd1792..461eaadf 100644
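Review bot: The accepted-version list `"3.3", "3.2", "3.1", "3.0"` is now spelled out in all three switch statements of EncryptorFactory (getClientEncryptor, getServerEncryptor, getRequestResponseValidator), and this commit repeats it in EciesRequestResponseValidator's `supportedVersions` and in the version switches of EciesUtils and TokenUtils. Every future protocol bump has to touch each copy, and a missed one leaves the library accepting a version in one place while another treats it as unknown. A single shared constant would keep them aligned, for example `static final Set<String> ECIES_VERSIONS = Set.of("3.3", "3.2", "3.1", "3.0");`, consulted before the encryptor is constructed. All three methods start and end outside their hunks.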
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ClientEciesEncryptor.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ClientEciesEncryptor.java
@@ -79,7 +79,8 @@ public ClientEciesEncryptor(EncryptorId encryptorId, EncryptorParameters paramet
 encryptorId.scope(),
 parameters.getProtocolVersion(),
 parameters.getApplicationKey(),
- parameters.getActivationIdentifier()
+ parameters.getActivationIdentifier(),
+ parameters.getTemporaryKeyId()
 );
 }
@@ -156,6 +157,7 @@ public EncryptedRequest encryptRequest(byte[] data) throws EncryptorException {
 }
 return new EncryptedRequest(
+ encryptorParameters.getTemporaryKeyId(),
 base64Encoder.encodeToString(eciesCryptogram.getEphemeralPublicKey()),
 base64Encoder.encodeToString(eciesCryptogram.getEncryptedData()),
 base64Encoder.encodeToString(eciesCryptogram.getMac()),
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
index e6b14e34..444942f9 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesRequestResponseValidator.java
@@ -33,7 +33,7 @@ public class EciesRequestResponseValidator implements RequestResponseValidator {
 /**
 * Protocol versions supported in this validator.
 */
- private final static Set supportedVersions = Set.of("3.2", "3.1", "3.0");
+ private final static Set supportedVersions = Set.of("3.3", "3.2", "3.1", "3.0");
 /**
 * Indicate that request and response must contain timestamp and nonce. This is valid for protocol V3.2+.
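Review bot: In the `encryptRequest` hunk of ClientEciesEncryptor, `encryptorParameters.getTemporaryKeyId()` is copied into every `EncryptedRequest` regardless of protocol version. For 3.2 and older, `deriveAssociatedData` in EciesUtils (changed in this same commit) leaves the temporary key ID out of the associated data, so a value supplied with an older version would travel in the request without being bound to the cryptogram. Either emit it only for 3.3, e.g. `"3.3".equals(encryptorParameters.getProtocolVersion()) ? encryptorParameters.getTemporaryKeyId() : null,`, or reject a non-null temporary key ID for older versions in `validateParameters`. Both the constructor and `encryptRequest` continue outside their hunks, so an existing guard may simply not be visible here.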
@@ -53,8 +53,8 @@ public EciesRequestResponseValidator(String protocolVersion) throws EncryptorExc
 if (!supportedVersions.contains(protocolVersion)) {
 throw new EncryptorException("Unsupported protocol version " + protocolVersion);
 }
- this.useTimestamp = "3.2".equals(protocolVersion);
- this.useNonceForRequest = "3.2".equals(protocolVersion) || "3.1".equals(protocolVersion);
+ this.useTimestamp = "3.3".equals(protocolVersion) || "3.2".equals(protocolVersion);
+ this.useNonceForRequest = "3.3".equals(protocolVersion) || "3.2".equals(protocolVersion) || "3.1".equals(protocolVersion);
 }
 @Override
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ServerEciesEncryptor.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ServerEciesEncryptor.java
index c62e2e75..d53a7c83 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ServerEciesEncryptor.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/ServerEciesEncryptor.java
@@ -81,7 +81,8 @@ public ServerEciesEncryptor(EncryptorId encryptorId, EncryptorParameters paramet
 encryptorId.scope(),
 parameters.getProtocolVersion(),
 parameters.getApplicationKey(),
- parameters.getActivationIdentifier()
+ parameters.getActivationIdentifier(),
+ parameters.getTemporaryKeyId()
 );
 }
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptedRequest.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptedRequest.java
index 7b5a5e8c..567d7ead 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptedRequest.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptedRequest.java
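Review bot: The validator constructor now treats 3.3 like 3.2 for timestamp and nonce, but nothing in EciesRequestResponseValidator makes `temporaryKeyId` a required request field for 3.3; the diffstat lists only 6 changed lines for this file, all of them visible in its two hunks. If `validateEncryptedRequest` is meant to reject structurally incomplete requests up front, a 3.3 request without a temporary key ID would presumably pass it and surface the problem only later in processing. Consider a third flag, `this.useTemporaryKey = "3.3".equals(protocolVersion);`, checked in `validateEncryptedRequest`, plus a matching `request.setTemporaryKeyId(null)` case in `testRequestResponseObjectValidation`, which this commit extends for nonce and timestamp only. The validate methods themselves are outside the hunk.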
@@ -26,6 +26,7 @@
 @Data
 @AllArgsConstructor
 public class EncryptedRequest {
+ private String temporaryKeyId;
 private String ephemeralPublicKey;
 private String encryptedData;
 private String mac;
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptorParameters.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptorParameters.java
index 4ffe51f1..a542aec8 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptorParameters.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/model/EncryptorParameters.java
@@ -33,4 +33,5 @@ public class EncryptorParameters {
 private String protocolVersion;
 private String applicationKey;
 private String activationIdentifier;
+ private String temporaryKeyId;
 }
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java
index b9c15dd1..76c6039f 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java
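Review bot: `temporaryKeyId` is added to `EncryptedRequest` as the first field and to `EncryptorParameters` as the last, with no comment saying when it is expected to be set. Both classes are built through positional constructors made almost entirely of `String` arguments, so a note on each field helps callers avoid putting a value in the wrong slot; something like `// Temporary key identifier: required for protocol 3.3, null for 3.2 and older.` above each declaration would do. The change in constructor arity is also source-incompatible for callers outside this repository, which may deserve a line in the release notes.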
@@ -62,27 +62,47 @@ public static long generateTimestamp() {
 * @param protocolVersion Protocol version.
 * @param applicationKey Application key.
 * @param activationId Activation ID.
+ * @param temporaryKeyId Temporary key ID.
 * @return Derived associated data.
 * @throws EciesException In case that activation ID is required but is missing.
 */
- public static byte[] deriveAssociatedData(EncryptorScope scope, String protocolVersion, String applicationKey, String activationId) throws EciesException {
+ public static byte[] deriveAssociatedData(EncryptorScope scope, String protocolVersion, String applicationKey, String activationId, String temporaryKeyId) throws EciesException {
 if (protocolVersion == null) {
 throw new EciesException("Protocol version is missing");
 }
- if ("3.2".equals(protocolVersion)) {
- if (applicationKey == null) {
- throw new EciesException("Application key is missing");
+ switch (protocolVersion) {
+ case "3.2": {
+ if (applicationKey == null) {
+ throw new EciesException("Application key is missing");
+ }
+ if (scope == EncryptorScope.ACTIVATION_SCOPE) {
+ if (activationId == null) {
+ throw new EciesException("Activation ID is missing in ACTIVATION_SCOPE");
+ }
+ return ByteUtils.concatStrings(protocolVersion, applicationKey, activationId);
+ } else {
+ return ByteUtils.concatStrings(protocolVersion, applicationKey);
+ }
 }
- if (scope == EncryptorScope.ACTIVATION_SCOPE) {
- if (activationId == null) {
- throw new EciesException("Activation ID is missing in ACTIVATION_SCOPE");
+ case "3.3": {
+ if (applicationKey == null) {
+ throw new EciesException("Application key is missing");
+ }
+ if (temporaryKeyId == null) {
+ throw new EciesException("Missing temporary key identifier");
+ }
+ if (scope == EncryptorScope.ACTIVATION_SCOPE) {
+ if (activationId == null) {
+ throw new EciesException("Activation ID is missing in ACTIVATION_SCOPE");
+ }
+ return ByteUtils.concatStrings(protocolVersion, applicationKey, activationId, temporaryKeyId);
+ } else {
+ return ByteUtils.concatStrings(protocolVersion, applicationKey, temporaryKeyId);
 }
- return ByteUtils.concatStrings(protocolVersion, applicationKey, activationId);
- } else {
- return ByteUtils.concatStrings(protocolVersion, applicationKey);
 }
- } else {
- return null;
+ default: {
+ return null;
+ }
 }
 }
@@ -130,24 +150,28 @@ public static byte[] deriveSharedInfo2(String protocolVersion, byte[] sharedInfo
 if (sharedInfo2Base == null) {
 throw new EciesException("Missing sharedInfo2Base parameter");
 }
- if ("3.2".equals(protocolVersion)) {
- if (nonce == null) {
- throw new EciesException("Missing nonce parameter");
- }
- if (timestamp == null) {
- throw new EciesException("Missing timestamp parameter");
+ switch (protocolVersion) {
+ case "3.3", "3.2": {
+ if (nonce == null) {
+ throw new EciesException("Missing nonce parameter");
+ }
+ if (timestamp == null) {
+ throw new EciesException("Missing timestamp parameter");
+ }
+ if (associatedData == null) {
+ throw new EciesException("Missing associatedData parameter");
+ }
+ return ByteUtils.concatWithSizes(
+ sharedInfo2Base,
+ nonce,
+ ByteBuffer.allocate(Long.BYTES).putLong(timestamp).array(),
+ ephemeralPublicKey,
+ associatedData);
 }
- if (associatedData == null) {
- throw new EciesException("Missing associatedData parameter");
+ default: {
+ return sharedInfo2Base;
 }
- return ByteUtils.concatWithSizes(
- sharedInfo2Base,
- nonce,
- ByteBuffer.allocate(Long.BYTES).putLong(timestamp).array(),
- ephemeralPublicKey,
- associatedData);
 }
- return sharedInfo2Base;
 }
 }
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java
index 897f921f..8382d09d 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java
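Review bot: Both rewritten switches in EciesUtils fail open on an unrecognised version: in `deriveAssociatedData` the `default` branch returns `null`, and in `deriveSharedInfo2` it returns the bare `sharedInfo2Base`, so a version string that is accepted elsewhere but not listed here silently loses the associated-data, nonce and timestamp binding. Listing the legacy versions explicitly and throwing otherwise keeps that a hard error: `case "3.1", "3.0": { return null; }` followed by `default: { throw new EciesException("Unsupported protocol version " + protocolVersion); }`, with the equivalent in `deriveSharedInfo2`. The 3.2 and 3.3 branches of `deriveAssociatedData` differ only by the temporary key check and could share one block, and the `@param temporaryKeyId` and `@throws` Javadoc should say the ID is mandatory for 3.3. `deriveSharedInfo2` begins above its hunk; since `switch` on a null string throws NullPointerException where the old `"3.2".equals(protocolVersion)` did not, confirm that `protocolVersion` is null-checked there.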
@@ -102,7 +102,7 @@ public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version,
 final byte[] amp = "&".getBytes(StandardCharsets.UTF_8);
 final byte[] data;
 switch (version) {
- case "3.2" -> data = ByteUtils.concat(nonce, amp, timestamp, amp, version.getBytes(StandardCharsets.UTF_8));
+ case "3.3", "3.2" -> data = ByteUtils.concat(nonce, amp, timestamp, amp, version.getBytes(StandardCharsets.UTF_8));
 case "3.0", "3.1" -> data = ByteUtils.concat(nonce, amp, timestamp);
 default -> throw new GenericCryptoException("Unsupported version value was specified: " + version);
 }
diff --git a/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/encryption/GeneralEncryptorTest.java b/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/encryption/GeneralEncryptorTest.java
index 637d9509..59e6a122 100644
--- a/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/encryption/GeneralEncryptorTest.java
+++ b/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/encryption/GeneralEncryptorTest.java
@@ -75,6 +75,8 @@ private static class TestConfiguration {
 final String activationId;
 final KeyPair keyMasterServer;
 final KeyPair keyServer;
+ final String tempKeyApplication;
+ final String tempKeyActivation;
 }
 private TestConfiguration configuration;
@@ -99,7 +101,9 @@ public void configureKeys() throws Exception {
 keyGenerator.generateRandomBytes(16),
 UUID.randomUUID().toString(),
 keyGenerator.generateKeyPair(),
- keyGenerator.generateKeyPair()
+ keyGenerator.generateKeyPair(),
+ UUID.randomUUID().toString(),
+ UUID.randomUUID().toString()
 );
 }
@@ -385,12 +389,12 @@ void testRequestResponseObjectValidation(String version, EncryptorId encryptorId
 request.setEphemeralPublicKey(null);
 assertFalse(validator.validateEncryptedRequest(request));
- if ("3.1".equals(version) || "3.2".equals(version)) {
+ if ("3.1".equals(version) || "3.2".equals(version) || "3.3".equals(version)) {
 request = copyRequest(validRequest);
 request.setNonce(null);
 assertFalse(validator.validateEncryptedRequest(request));
 }
- if ("3.2".equals(version)) {
+ if ("3.2".equals(version) || "3.3".equals(version)) {
 request = copyRequest(validRequest);
 request.setTimestamp(null);
 assertFalse(validator.validateEncryptedRequest(request));
@@ -420,7 +424,7 @@ void testRequestResponseObjectValidation(String version, EncryptorId encryptorId
 response = copyResponse(validResponse);
 response.setEncryptedData(null);
 assertFalse(validator.validateEncryptedResponse(response));
- if ("3.2".equals(version)) {
+ if ("3.2".equals(version) || "3.3".equals(version)) {
 response = copyResponse(validResponse);
 response.setTimestamp(null);
 assertFalse(validator.validateEncryptedResponse(response));
@@ -452,8 +456,9 @@ private EncryptedResponse copyResponse(EncryptedResponse response) {
 * Make new instance of encrypted request object with identical values copied from the provided object.
 * @param request Request object to copy.
 * @return Copy of provided request object.
- */ private EncryptedRequest copyRequest(EncryptedRequest request) {
- return new EncryptedRequest(request.getEphemeralPublicKey(), request.getEncryptedData(), request.getMac(), request.getNonce(), request.getTimestamp());
+ */
+ private EncryptedRequest copyRequest(EncryptedRequest request) {
+ return new EncryptedRequest(request.getTemporaryKeyId(), request.getEphemeralPublicKey(), request.getEncryptedData(), request.getMac(), request.getNonce(), request.getTimestamp());
 }
 /**
@@ -466,6 +471,7 @@ public void testEncryptDecryptV30() throws Exception {
 @Override
 public void validateRequest(EncryptedRequest request) throws Exception {
 assertNotNull(request);
+ assertNull(request.getTemporaryKeyId());
 assertNotNull(request.getEphemeralPublicKey());
 assertNotNull(request.getEncryptedData());
 assertNotNull(request.getMac());
@@ -494,6 +500,7 @@ public void testEncryptDecryptV31() throws Exception {
 @Override
 public void validateRequest(EncryptedRequest request) throws Exception {
 assertNotNull(request);
+ assertNull(request.getTemporaryKeyId());
 assertNotNull(request.getEphemeralPublicKey());
 assertNotNull(request.getEncryptedData());
 assertNotNull(request.getMac());
@@ -522,6 +529,36 @@ public void testEncryptDecryptV32() throws Exception {
 @Override
 public void validateRequest(EncryptedRequest request) throws Exception {
 assertNotNull(request);
+ assertNull(request.getTemporaryKeyId());
+ assertNotNull(request.getEphemeralPublicKey());
+ assertNotNull(request.getEncryptedData());
+ assertNotNull(request.getMac());
+ assertNotNull(request.getNonce());
+ assertNotNull(request.getTimestamp());
+ }
+
+ @Override
+ public void validateResponse(EncryptedResponse response) throws Exception {
+ assertNotNull(response);
+ assertNotNull(response.getEncryptedData());
+ assertNotNull(response.getMac());
+ assertNotNull(response.getNonce());
+ assertNotNull(response.getTimestamp());
+ }
+ });
+ }
+
+ /**
+ * Test general encrypt-decrypt routines with using protocol 3.3.
+ * @throws Exception In case of failure.
+ */
+ @Test
+ public void testEncryptDecryptV33() throws Exception {
+ testGenericEncryptor("3.3", new DataValidator() {
+ @Override
+ public void validateRequest(EncryptedRequest request) throws Exception {
+ assertNotNull(request);
+ assertNotNull(request.getTemporaryKeyId());
 assertNotNull(request.getEphemeralPublicKey());
 assertNotNull(request.getEncryptedData());
 assertNotNull(request.getMac());
@@ -658,6 +695,7 @@ public void testVectors_3_2() throws Exception { // Requests final EncryptedRequest[] encryptedRequest = { new EncryptedRequest( + null, "Avlav7hfDwCA1zJq6gyczWtUn+MhNCebikIH7rkUkoHB", "jZ1y4ZkJpvRTDHFXQ+J9jsWaFuV0AvqpUXFDCi3bH90YCutTufSamKXpEIhFfqBmhzYak2g6LBUfgmTJ7c74D+eOqGRn1EwZOcgVHKbaFjgthwSUnD8E7maEK9u5qmVdi52drt9vQ1Cye5jWn0vSTKmvSkfcQcmK42o/0r/8LXs=", "ovJWPbaRr/+9nDLwHhej1u9iNVg0OVVNNO2zI88AM9g=", @@ -665,6 +703,7 @@ public void testVectors_3_2() throws Exception { 1691762307382L ), new EncryptedRequest( + null, "A97NlW0JPLJfpG0AUvaRHRGSHh+quZu+u0c+yxsK7Xji", "qYLONkDWFpXefTKPbaKTA/PWdRYH5pk9uvGjUqSYbeK7Q0aOohK2MknTyviyNuSp", "DNlZdsM1wgH8v2mAROjj3vmQu4DI4ZJnuTBzQMrHsew=", @@ -672,6 +711,7 @@ public void testVectors_3_2() throws Exception { 1691762307384L ), new EncryptedRequest( + null, "AtSsPjiwbh3GnWYjCOejGIGg0LEbl1X6SY4f1F77PG2I", "px6h9Hu+wyH38YySO6istbinaF3ALyrBraad0qhTCJZrYrVlTv1bEnfvElBupQzGUx3SikSqaOjR+UKzj9TVfa2rw36LkSIVFZYk1gG6xW3U852ZvJpuTtw6h7WhFYks", "bySXBDU/9mDx9T8i9DFWX7Xn4O6HZK2EMLpA+ogv3eM=", @@ -679,6 +719,7 @@ public void testVectors_3_2() throws Exception { 1691762307384L ), new EncryptedRequest( + null, "AnjhcBNyzpyUs8TnvW164zfwVk6UQjof8zueumjUADlB", "rQDj9EseF9GvJY6a0YCExA==", "Mpu0lek/SXf7JvxnlEngv/Bx8nFhxi54vHVrBr0f7H8=", @@ -686,6 +727,7 @@ public void testVectors_3_2() throws Exception { 1691762307385L ), new EncryptedRequest( + null, "Aqa/2aW4VuZTXaFoc0rcc67RotG0rbiqpvontLsdoLIe", "ic3LxIfwgK9XbckAxivYvMdwuAL9nOC/Kdry4w/1xRw=", "OyQcPCU8opsBN88vCE/9Km53a8sNqamIMIwxNfOOyto=", @@ -693,6 +735,7 @@ public void testVectors_3_2() throws Exception { 1691762307385L ), new EncryptedRequest( + null, "Aomhgt+8zAMsuRYgsVJMioFFPLP6eK+4omcLfftS/PHK", "xNdtHsq28x+cFGxLGJbW6l7SscETdLRHejmXYETzU8670YyaqpiGOO5276vb3XDnxM6GjKHEztXruz8YBQzWKYqc6YVU4WqKMNHBu1A/9yKY8KGE+XsSxyrkZxoIM4oZuUp7p1ui+H87PPY8Vs/c9dMM5YUMYVUFZA1kBnzskKs=", "z05w9DN9CKWtURAr0g7D5Kya8Jvp+CQFLNz2Fy1inaI=", 
@@ -700,6 +743,7 @@ public void testVectors_3_2() throws Exception { 1691762307385L ), new EncryptedRequest( + null, "AoCXG9cbmKBSPP2zi3pOuJQV6dENZ751dUhEGoDqLWVB", "fqsJXWuIt2rwwsWLu8TbPnCxwha6PTGTpzmsLq/Tdynt5YcrEBk9wlRaQIXzWi0KbES20BjJbgL7JIaY2qj/XlFU+vxB+vybUnHrtpe2NaDthaYgdEecX3W1uzpyd745ogDSGe19gOqwXCFCRFLF+w==", "T/tx0z+61zPosCa2Y0oJBepFOOfn0O1lrMKkr9RSVNY=", @@ -707,6 +751,7 @@ public void testVectors_3_2() throws Exception { 1691762307386L ), new EncryptedRequest( + null, "A/5KJP3Cb8DhNjo8Cs2juYLwpswsUBJe6XXdwowIelP7", "wUXXg0vgkZjqvqIfJm7YPgk+7bwgWSttizi+uSKAE4z8dOY8zUp0uvsvsUqDIvnhisnc82IyS/kGhSg1QWyzjAdfr5rWehl+aS+e8GPIu3Ok8n0qNG9TJ1n/UxuD6Ok/WTCHsRW2QoU2I8vB6BAMUw==", "J88D9JrcVVmVlUNe5g6IzEHd3m+PqfSzBNyCfEb+UXg=", @@ -714,6 +759,7 @@ public void testVectors_3_2() throws Exception { 1691762307386L ), new EncryptedRequest( + null, "A3TP+jPFrRgQd563V8goh2wJgvRS9eMpwjo9tOivLboN", "8MjZ4+3cUC7IkwyNK09WSDMOrMpNwfHrXUM3A/19sjyOVZJIAl9HYJySlN8h9A2qrG7l0Eu6nFUwjDH8+NHfqBHCdOAnpncwgANE5GetzgA=", "pmWeeMSroONdztB05rb6932llfAJJo6+uqLvwYq01dw=", @@ -721,6 +767,7 @@ public void testVectors_3_2() throws Exception { 1691762307386L ), new EncryptedRequest( + null, "A0w7WTl0Q3vhxlyKJWV1hM1YC484mysCqhjay9uFSmvG", "K0Ep8dWNhD99yZm/mShFy53DYbTCntm582rlWwskPfcKTE7b/7gBFbXaGly1o9cmQ9Wv9RjBx8Ai4rda/KKbyMq3ZaX6ljAWFpOmqUIgMUQ=", "Zr7vEn6WBYkFFZRAvq3UdRR/OWF2uOK0ABik9fytOUo=", @@ -728,6 +775,7 @@ public void testVectors_3_2() throws Exception { 1691762307387L ), new EncryptedRequest( + null, "A4o3ZVufjyXvJnc98rvHxTbQgCpY1dwMkJs4mKkT78up", "8hYJGXgHLD8tH9sFrRlU6fxGWU/JdlSBpPkL178OFRdORMXTY/ReMRbajQD3bXKzXjmhdYR5X13fHsmiuvHIQVPRFB0ZyS43HT/uEDpWh8SWByKjNB5je6ftEySsmpKGp0KvmjXgiIRX7TiRzwJ03g==", "VX9TB4hPM7/6U/NQvBNR6VaP1loyq2ZhcmEu4NWCU7g=", 
@@ -735,6 +783,7 @@ public void testVectors_3_2() throws Exception { 1691762307387L ), new EncryptedRequest( + null, "AhVR4QxfHA5resv8ppMANxzZwkaWphsmtA/EENi8Swjp", "ASC8xiBSyjx8wGwf71U9Zk4nZT9w//8AafiZaT+9RtObUmb1HjguWv3Xpqejnf5kml3Z7sXDYgFemFYLklhL5A==", "8wlb+Pz3UulREpbcBV4GfiY4bePugBPV6ywgaycvrpU=", @@ -742,6 +791,7 @@ public void testVectors_3_2() throws Exception { 1691762307387L ), new EncryptedRequest( + null, "A9ok7XXLWWWtQAxERdvFv3I31D+pgZuY3cVSbjpJHLda", "+b0Ki6WcoaoGJhBrGR28zeMqS91XMmCCtO/HU3xaKNg=", "jmkaGcZ+qnrMXtD1R7YhRmJJU+d3y6/nATjNno7DA0A=", @@ -749,6 +799,7 @@ public void testVectors_3_2() throws Exception { 1691762307388L ), new EncryptedRequest( + null, "A24fQipKuaW7sOmXbpZDW+QetW/aBmS+2fkrkSdNDlQe", "GaXg6TBM+H4ru/E25gvV0g==", "xV19DEuOG+SGpT22GU55mVQqU4I7/+vgWNFKDq6tK5k=", @@ -756,6 +807,7 @@ public void testVectors_3_2() throws Exception { 1691762307388L ), new EncryptedRequest( + null, "ArzfJWjDZrjndvQg3aFxZme6w/Z5P4uV4mBClCbURJuv", "cbG2zh4dp5Ig65/Gdz97ZLm1vWeLfSUbIIoLWQXQm5pUVLkHJ55Mrl4TwdK6kTG0", "lawZCFwh0NTpNafMwC92/ndMnkryG4yxfAvp/4q1F3Y=", @@ -763,6 +815,7 @@ public void testVectors_3_2() throws Exception { 1691762307388L ), new EncryptedRequest( + null, "At3TEHVJmtO+VPUtJ/ijXYhx1BAnjcDnQRk9AbhukeWa", "4RPt1tswWfapZNWU7gFkuMyUADjsykdAQHQsMXHmghDE3l7dVYiMctKuj8RHFLAIsgI09toZelMAPRE1PLJz6g==", "JgkwHwwwoDb14zokbecDQeqmOrJxRO0Lddv1sQp0bnQ=", 
@@ -886,12 +939,12 @@ public void testVectors_3_2() throws Exception {
 final ServerEncryptor serverEncryptor;
 if (scope == EncryptorScope.APPLICATION_SCOPE) {
 serverEncryptor = encryptorFactory.getServerEncryptor(eid,
- new EncryptorParameters("3.2", applicationKey, null),
+ new EncryptorParameters("3.2", applicationKey, null, null),
 new ServerEncryptorSecrets(masterServerPrivateKey, applicationSecret)
 );
 } else {
 serverEncryptor = encryptorFactory.getServerEncryptor(eid,
- new EncryptorParameters("3.2", applicationKey, activationId),
+ new EncryptorParameters("3.2", applicationKey, activationId, null),
 new ServerEncryptorSecrets(serverPrivateKey, applicationSecret, transportKey)
 );
 }
@@ -901,6 +954,382 @@ public void testVectors_3_2() throws Exception { } } + /** + * Test encryptor with using test vectors generated by PowerAuth Mobile SDK (iOS). The protocol version is fixed to 3.3. + * @throws Exception In case of failure. + */ + @Test + public void testVectors_3_3() throws Exception { + // Paste vectors here (generated by iOS unit tests) + // ---------------------------- + + // Shared constants + final PrivateKey masterServerPrivateKey = keyConvertor.convertBytesToPrivateKey(ByteUtils.concat(new byte[1], Base64.getDecoder().decode("oG1PJWwflQ8XRt4Nf4uzyBf0w0D4jNW22JxfImj4i5w="))); + final PublicKey masterServerPublicKey = keyConvertor.convertBytesToPublicKey(Base64.getDecoder().decode("Au12Pbz70flr9eizmYC72P3vPp/h2KWlmvcvfssF6xBt")); + final PrivateKey serverPrivateKey = keyConvertor.convertBytesToPrivateKey(ByteUtils.concat(new byte[1], Base64.getDecoder().decode("98pEwpFj60r8REpXzrflb5kzgj1aoxg1YEuKb0Kuwyk="))); + final PublicKey serverPublicKey = keyConvertor.convertBytesToPublicKey(Base64.getDecoder().decode("AjG7M9W9qNUOu51dJROO4NE+xOnqppxxyFU1Tn3FhXui")); + final String tempKeyIdApplication = "D3D82A6B-47CF-4225-BBE5-BAD96FB84CA4"; + final String tempKeyIdActivation = "1221CD15-9092-4779-A157-04DC229A63F7"; + final String activationId = "CF2E9A48-9085-4AA3-8F85-FFAFD2380609"; + final String applicationKey = "WQBeNgCHGlW58rzUlP7Ehg=="; + final String applicationSecret = "Epbv1D+tibvvkqGIyDOT5g=="; + final byte[] transportKey = Base64.getDecoder().decode("EsOk4R701klML5Ljd07Y5Q=="); + // Original request data + final byte[][] plainRequestData = { + Base64.getDecoder().decode("f+jScpA8qs2OAR2TWqnDD6W00yUYsdIGuE1nCsqKvVBDfedwA6XBHy4z/ey3"), + Base64.getDecoder().decode("5jM1pRKPJpkv16zg9A5ZcEY3KXGr3p2de1hWZVsVKXL7PIzljrl2Lxg3RfWuf9myS17OBu7d2nO7SD1Sl3U2KtJA3+B1c202TqdQEXRT"), + Base64.getDecoder().decode("K6cp8f5FyfsE3kv2HJubaJ9b5ILXAMc="), + 
Base64.getDecoder().decode("5p4zk5/DaPiw2oFP0LSygOJD/VDGEfPQMcI1JO1iSqO4XYUr0yeKciDFxQ5r9Ji8C8ETJKD1/5hlJGURXw=="), + Base64.getDecoder().decode("jC7527ZbuLU3ddoeSHOaE2f93sqL9IKyf9pjoIpU/6h0DowFlVmMibIyKWnL2dkDmKeIGFhh4EzvEcAnk7b5bU9Jv7ItenE3bxDu55NQXQs2XjZLqwb+gdjt6f2dZx6s3K/1+hG8zv2QYc1y5Ielnus="), + Base64.getDecoder().decode("17e8s/ckRIR52A964Vb/AXZ/Gcv4yT1RCS42ZUiwegzk"), + Base64.getDecoder().decode("6KNE7ibjx5Hx6OOeVl6FcvHBueCvds5nzUE2CBgJ/15chbQQM+Qghg02so06AgaDHEIdyuiA8wREEwHSDDwUsDbYbSZGsJcXFWZmtIutzbTsL08zg9HsjgtWc+I7IX3n6T286Q=="), + Base64.getDecoder().decode("OhwnzC44O5E8bplAyUT+HjAoJ5nuaXxpZryl17DHSmHFBRjejBznYYHCl2UUDYTpgT00j8Fvu+GtS3i9jr704r/z5XENGsb5aqitVERSiPQDWXHSeF5w/L45U535NzjJCv9gudDSXrPaP2mB"), + Base64.getDecoder().decode("EsSeJzVFi30Ph7KGBamnpavP2IVJQyXSyh3AR/YX5w9hRVsT7dEqVrCvP7WSRX5X9HCvQU3aqqB/OLVGMF8B81o08p/7WExeaf1PylcbRqomHwqBgO64LdAXa80="), + Base64.getDecoder().decode("PNhn+JpA6ivlcZXpYBM9SJgAqrGUJ1Fs422sJDJyHqPFmBaZOlyYQGM3hSexgNtU47iQyiz+qfdslFNszKiCohV1fx0C6nmH4xn96333ISVx7i8YmM+SI06LWfdb"), + Base64.getDecoder().decode("w/kWbwDE27WzyTzi/SNm7a4V7MGZaShVR9LaSaj+y0nT/6CBfdk/4POlqyXpJD31D+mL7c8z2dOFyktHNJccliODZI0="), + Base64.getDecoder().decode("QHMC/ZEQ0A1uEQtslxYtaeBCI4R8cklIjOThRuCykszKHq5cnYjARUIFLiHzDfClIwZIxaRY7qm4etYWiwzxv9pEI2y08dtWfeywaroWFUPJI+Zr5/1S79fDleYx2QYqxZnBFVogSNgg7A9eOxRtv99/u96atw=="), + Base64.getDecoder().decode("oHXR8sAoeoo+o9RzysQqiZeYkQffKDf5ab+RZNyrF9jax+eVEIhA6uOrZ784aw8CnzKqqJNRW352T1l7JbliEhhtTllzqjY3g3KMGI+vEg=="), + Base64.getDecoder().decode("rpPcobnE/XGR56rklurFfgyiGO2EMwhlM3a6rNo1DjTZcsCFGXW2e01c7T03RlkdJhihJwCwRFIA1shW6RdCi/mE1KF9X0g8Z3i5e9acegsjeL1i3xcgXUzh8j3dntsrh1N6SsY="), + Base64.getDecoder().decode("tW44GiuzI4cYlPRuRk9xSzQBkISv1BS+vIvZMGufm3acrE9w0QoUgzt1YZV0kHRVJy1+smchfK42"), + Base64.getDecoder().decode("GxTDg2vEtfGvOdhRbZI5b08gE/YL1uEk0dAYBgbmf4cywD6t0ItWtaJgTTK1OC4YAztf1WxCyG8="), + }; + // Original response data + final byte[][] plainResponseData = { + 
Base64.getDecoder().decode("Q0o+ObtisXK/MO/0W+DggFD6cnlhUrSCHocN3Mu1IYrFgxswSk2VELlCF3U7OzPwFS1g3vcwxTYdjCGyyAcVECODy68Dd2Tv0vLlDfYjB5D8+E75BCrYhwRbh3W3OaC0VxI8V3xh125mFx0PWRXJuxf1yKB3rtY="), + Base64.getDecoder().decode("6UfrYjWYCkBIK9Ori7qB1KEfWwz5DYGVaKYxcz8OLWpfO8xtON8xa4a9ORaTRCKbKYMHh6zloo5/Zn7bZ8YmguicAmWB1gqqwtUDyYtTMwAjyXLmKs2shftLQYtauUSkWNc="), + Base64.getDecoder().decode("GMHLlB1cZzelL0+5/JUOVnUzI44eN54zxA=="), + Base64.getDecoder().decode("qYTFk6IaB2B3roQRjIyzAzegiRSgVpPmjifyQQ7e+fWKwm8="), + Base64.getDecoder().decode("Cl0eRW9Aq7auie9qaXpYsWbES2fNmbqRM6U2sxU="), + Base64.getDecoder().decode("vhdJ0uPZVyeVEdxSo3ErO2Dogay5oL7b/cL/BRhellDBq8X67puO+50fgOAgfL0bpQMZBZh/uLgxBrGf2bVOzTpO8R6WOYxjg0FnOdb91/VbGSvTncwbX71U"), + Base64.getDecoder().decode("/QKbpOxjKicszPmiM6HjPejXRYwfVJowveYeCwYMSFb4vDP4P0jJCLqsCIAVQwzqMs0DcVjBMQgaaE9an7z+sVQ0M15xYgRqdg=="), + Base64.getDecoder().decode("x/WlUGQzvMB1zu64EYtpzq8="), + Base64.getDecoder().decode("k0+sImOGUwOb/1s8U1uI5uZ8gZaszNuU4pKWq2d775m/iAUB7f0o6kVnfDzZZvEXfEzXlKZsdzf2bE/5KJ1q2WsMhxwlbPCZ+zWzhD3lPMueXK7Sas8EOQ=="), + Base64.getDecoder().decode("qxljpcx47/22kqbxnjZhbDq6tL8nWJp9fcR/bN7/dh64rsLxeT2mQdQAdhUw8bMbUlv113sco8bI+Y0z/R4ZWlDThcLus6WZOyizKEVipIZzAteUmWww"), + Base64.getDecoder().decode("AMC6x6qz309wM6mbk85poct0k18dW4Xg0TyzqNRMOrNxdESxgdt+X7uqINrGGT80uaDuk8K5BXgd6vIGn0cnPkiW"), + Base64.getDecoder().decode("zZZA"), + Base64.getDecoder().decode("F6aVUJhxIkRBjsyPk1yH"), + Base64.getDecoder().decode("Pkl94I9MOlQmYJEXBhu0EtRPygUtB7a3GP6+uaXCu6wAF8Ky9pjUKPNvtmLtR1v1Svspml7W3EjeEWXc2Zk6bEjN6x4+Jh7ilR2c5QZOySRv72c="), + Base64.getDecoder().decode("Ggd98d/1vIPsmJqV2yry1je2eXYrHUQNiGFATp6JoKJX2w=="), + Base64.getDecoder().decode("EKHnpKeG7l8q+Q9go+QZzJVV3+mcYNWmjC9wqzoipDje6tz3yarhobMvuZhXHN3Kx9keC0V30QE="), + }; + // EncryptorIds + final EncryptorId[] encryptorIds = { + EncryptorId.APPLICATION_SCOPE_GENERIC, + EncryptorId.ACTIVATION_SCOPE_GENERIC, + EncryptorId.ACTIVATION_LAYER_2, + EncryptorId.UPGRADE, + 
EncryptorId.VAULT_UNLOCK, + EncryptorId.CREATE_TOKEN, + EncryptorId.CONFIRM_RECOVERY_CODE, + EncryptorId.APPLICATION_SCOPE_GENERIC, + EncryptorId.ACTIVATION_SCOPE_GENERIC, + EncryptorId.ACTIVATION_LAYER_2, + EncryptorId.UPGRADE, + EncryptorId.VAULT_UNLOCK, + EncryptorId.CREATE_TOKEN, + EncryptorId.CONFIRM_RECOVERY_CODE, + EncryptorId.APPLICATION_SCOPE_GENERIC, + EncryptorId.ACTIVATION_SCOPE_GENERIC, + }; + // Associated data + final byte[][] associatedData = { + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkRDNEODJBNkItNDdDRi00MjI1LUJCRTUtQkFEOTZGQjg0Q0E0"), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkRDNEODJBNkItNDdDRi00MjI1LUJCRTUtQkFEOTZGQjg0Q0E0"), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkRDNEODJBNkItNDdDRi00MjI1LUJCRTUtQkFEOTZGQjg0Q0E0"), + 
Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkRDNEODJBNkItNDdDRi00MjI1LUJCRTUtQkFEOTZGQjg0Q0E0"), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkRDNEODJBNkItNDdDRi00MjI1LUJCRTUtQkFEOTZGQjg0Q0E0"), + Base64.getDecoder().decode("AAAAAzMuMwAAABhXUUJlTmdDSEdsVzU4cnpVbFA3RWhnPT0AAAAkQ0YyRTlBNDgtOTA4NS00QUEzLThGODUtRkZBRkQyMzgwNjA5AAAAJDEyMjFDRDE1LTkwOTItNDc3OS1BMTU3LTA0REMyMjlBNjNGNw=="), + }; + // Envelope keys + final byte[][] envelopeKeys = { + Base64.getDecoder().decode("k074hGF+oBZMhhh6BS6CY+4/aaN5TrIwDsVEwn/WjyXWgNSqshjiANmOR36L/Shc"), + Base64.getDecoder().decode("ocMfq8QlGi+/5e/xilUCZUxqh1Z4PqZmmNgmDnm1BLZbFZuh8pFvx28zAo8moHkz"), + Base64.getDecoder().decode("XSS+JT0S8o2fXPArZZ/MY+9MqExJV5pG1lCrSJwzlY/i5irGdshKl5PN2h8mChNm"), + Base64.getDecoder().decode("8FIKg1R4BQFtlANmy0f27fWQaINgL9vlr3hLym/xt1MQ3bofjwVIYqu7wGiJD43n"), + Base64.getDecoder().decode("OaRGAw2XdkzsHzcUXj8l/uglAVVFtuzMjvR9+5+kTFIz+9SP4KDXJwugYEZ3sL6u"), + 
Base64.getDecoder().decode("JBm52ZtwKYBBxV7Ar5Wtf4Y9OTDv9OU2pFEv7WJYA74yMJRQcALWugqV79CG5Aqf"), + Base64.getDecoder().decode("2YtkBfXRrhUffeu98I38CCfdkR33/8c+C82j52YSIlwJ5KcauOk47WXjOczOkFsg"), + Base64.getDecoder().decode("LpfRIkzTWQYF4458Wxx3qEUvwBpRKugRHQdaC9bBp0jtkdPpRXCQKSXO8xCjZUIx"), + Base64.getDecoder().decode("eP8jZvzxPBOv7E+w39z2JsGJEXNskfxQgPV8R0X4aY9nlgyESMa8A5fbrAgh70QY"), + Base64.getDecoder().decode("kScXW3XPZF8vQzwAPs1H1kH8V7nT1TRXHpYRKI8LrnZ37VEtToEKizwxAW8YV67A"), + Base64.getDecoder().decode("1jpx3WEzDxbt2hjfTY/3rEbVTuhZagFLxhZne9l3N17jJov2hrOd2Vc8tJfKDGXC"), + Base64.getDecoder().decode("A0sds7ZIaPKsR10Q7ai/E/Y8grHSbS4WYKck4zLVEdkejcDwXpAvRfUcxg7bw+fm"), + Base64.getDecoder().decode("u1wtm4Ll21Y5FkSF9lbURDcuz425PK6HOSKWoMgUZMeMjwvBtJIdkXmtuaeaISpL"), + Base64.getDecoder().decode("l4lJ2fBE+21MU0L1impmrXOVMXw4d6CpoSLS5Wp66kojeR94cEdUg3JAgkcKyClA"), + Base64.getDecoder().decode("nxPNGpOegXx9wNc4blM250eyYKY+zZ2DGf3Zfp9irTZ7jpzcEO7fb5BAx1YnbTed"), + Base64.getDecoder().decode("7en0qGieNCkyZGT44+/pQbgebgoVWk9527ygAFOy6s3s1+XY/kiOXm6fp9ru/y9r"), + }; + // Requests + final EncryptedRequest[] encryptedRequest = { + new EncryptedRequest( + "D3D82A6B-47CF-4225-BBE5-BAD96FB84CA4", + "AjpBEi1V6hxMt6SXmn6pFuSNd6S2loTKwqa/9A5hL+lh", + "7m3Eh0RUc2S4k1sThtVQvwzK1QEiAJwxAgKmTigAqY3wPen5EO+HJG6FolSVTM0J", + "un7Wreqd91tQp1UuqrKDRwKpCIHn4dxFaD6PEay94tQ=", + "yss0YBlx0ERypDj/4HF6oQ==", + 1723109505418L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "AjJv5HtX/WOk2ajL186KJ+9GGbYYAsx/kEAcSr7Aot0k", + "/n1ijWx8rY0a9DSd8peAMbEznhyKhSGPDbmRQWwTzLErKdyFCSWMdsfyYjprK/MmYczAoJvSgHhe9FeWvg/aMpGWsykjlaGzprZ/WZT+vMA=", + "jkQZgeHwm2UVgCX3EU/SpBLZcDCoWCqke7PnZgXtz4Y=", + "lGvXPH17WpDErd277D7w1w==", + 1723109505420L + ), + new EncryptedRequest( + "D3D82A6B-47CF-4225-BBE5-BAD96FB84CA4", + "AgGQFxV3lw5VDbHHI6lTdoUOMvA+ciXc+JFI8OsY4ErK", + "Kb0IVdVE5aicv70QY6cfDnE690jVhEqhOct28y1r7G0=", + "mbyD0Z341x6pkXNwhA8Q8DQzP9Pk6E3CkYxJ+7pAauA=", + 
"L9wCRvnLTUkla7IAlrprEQ==", + 1723109505420L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "AgjDJvBgQubjJsc3mG/usmz1Saachm56h+L7Ao+ODS+G", + "OnI4x+FwViNe3zACnpkhLib5U8s37EKPYlcp7+EP+0R9EYYkEfQoosyavXMvcULam0TvdixhIt98xWsW6UPrDA==", + "o123KQc+4MLuxG1rlfS/uFVTsChp1mIrwokpIsXeGRE=", + "dYXDUMkh3AcATXwenSdDyg==", + 1723109505421L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "Aos8e2W2DbLD+rBNA6Mwzj+RWaETuLGo4M/sEdRtRENL", + "z2qMMLBv9dEqvv9SdZpxdoUmvPKBTlQU5MELLivW+2SZyv4cK+yT46cLEM8bdnly1f28/3nYogZaajzftXbZM2Bj8cSYBjZuQRLIbUcjz2wLtWP7BYEAk8LlS+gA3dAOrZ/lWI4MOEt1lgG0JkEHBkEpmD2s3wPSNr9t1fUJqU4=", + "bqA6SQkCfOVf5+5Bt1p6cj5PheYjeGMOb5ynF3oW2Jc=", + "C0t960Q62hxHaWnnu6sYEw==", + 1723109505421L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "A1Ph49CFAdWfQFlzYPDeaFdipYMJGY+qYWEJgphvE601", + "v5chxkMsHJanOOw/av+oRbPsk2Va226igxQ+2frT3AraTLwJxotHocnTFxyK7pNk", + "0yjA3GDiKJooZMi2hOkkD+aICpY7Slo/nzg0oTYrqJM=", + "EoNe/DqID0Isa15tzFeTYw==", + 1723109505421L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "A+5Y+goYEAPxnM5xVxLkZoJTSG5SEoa2D6U2/a//+vgS", + "gg9w0km2aG+pchUeHL5BEjDMROOcuTmDSMTBRRf9OyTwrYA6+a991jhdZiSYT6MSK52n2hd6yWvEp18NQI6VOy0gsxAzoOXfYf2Rir9rvtIcmtRC76cYDqLHA9Dl2TyrzacnOSZJRwGOePal1RM8vQ==", + "T9Y0jFGSzIsZ0YWmSZ3D4JpDP8W18ksPMIb0obUAUiM=", + "nt9/rGJ74UoCKT24QS+USw==", + 1723109505422L + ), + new EncryptedRequest( + "D3D82A6B-47CF-4225-BBE5-BAD96FB84CA4", + "A7MzuALkFpmLMUOoPfXyx+aCAKZqP0V1RnRLNKbqrCdn", + "xaMGsBQgJ5NihO8GGrjG1epaEszSDcv8Z67WBJy0olQ5sfrlx+nR112JAKIKqpDo4DApF9EOkDfi5za0DnlryvGPpiaLbngbF06QR85DFNkOUD5Gt/DuN/qbGdHYJ66AsZhAdUf8L0u5OGYbYF6ULQ==", + "hkLthp5Eti8L/EMksBU5eeJSpxAUHVZ9X/59ROyo3uE=", + "af7JpUq2cwR0Ekodu6WQQQ==", + 1723109505422L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "AyAZz2budSXg9tUr41qMRIWZYHvf8ZRg1Ky1xXfjUVzP", + 
"P1E456VYswsieUXDxi49WldA647JbSy5YfwS6xoJijWZ7/ml3Zx5VMJYz+X8X9Wm2+GNiyWiLURpJaTMK3lwXOEFUWUDoP0cv6du+Vz7jQgoyPvgSxpcOeb9NEiOcbgc", + "MrFSFDaBZA1sDibSzT9Si+4blDj7q5Op33FfnYFwlzo=", + "o4KfZWSYNqBjwaHqJcwYTg==", + 1723109505422L + ), + new EncryptedRequest( + "D3D82A6B-47CF-4225-BBE5-BAD96FB84CA4", + "A6tOYHM9zg9O4v/rTAiduPRfJgWLT47V/1SKVpOVfb3h", + "6E5yo1+y/Nv9A9uTr2dWijEAoOMOlCX39fdCDE5ohbBw6slMbFBIC6HUn7qBs8dBgMNJTatJEp/twGJZyaT6+WMOZRI7ec7/bOImrN9kjwkYq70gY/UHPETUyBkczYc+", + "1j6ULk0WucfGFjiN9T7oGykuh0BriYv3Y0y/FK7X+hw=", + "/KUGtLbpCgqW+KyTfP/1FQ==", + 1723109505423L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "Ajqbv+0CUuWHZQuiU1d+Z8x4sbXDB37sm0Kbjp95kzPI", + "OKr4ceWyBbLTxzZhv5RQvlG44K+n+ohw4JUbV30lC0KIypNl0uKwdzSQtK5eljKXdfYxaLSuY+Gwj/NK+xdQkdMXskLeXluey5GET23HaL4=", + "048mD+C38ojf0M0CpEU/uLuZbRLlZVFfzCCK/2f0+KI=", + "K+XqUGF5lUKgTz0yaJ9p2g==", + 1723109505423L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "A3uO4rYlQByC4ch5ylQEgFwOqYVANPLPw61DzbmT2nwH", + "VnYlfhQVaYFkCCvG6snx6bgGbHbNqS69AnBvcJ7o+vVtqtaZ13XaXWHCM3cyKW70QZs5uGuI/NWHD9pItXQpaxGkogmlixNc/EOpk7FJv04x1+SqKDFDveZgeORIFcOqX10V9BmhoqoBodUQ/Mf/19zc3/hXL6B2Py9MwnBlfxE=", + "YerKe/F5zFLkK52ebcwpcMxf3ZAmnGO+hWgBYk863UU=", + "HadtUun2ZzG8yY9ZdoMieg==", + 1723109505423L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "Arn/DbG8zpduSRv5WazPO14rRicFGzzSruSeK91TzLcz", + "Hy6BkHDntqmbV56oNTL+7aIJloEtkiZkiDZOmaxtsZQPGh2ZOcdL58M29mX0SCJ5uWEIKiQMGARtRNef4K9/ZyiKV3VdJFkzXKKs3ul5d+w=", + "5hu/DaxE7c74Pv0abvafGTi1pET/2zUaOA6QDAaRlMY=", + "z6lNafKqRONRBYwT6mfZHQ==", + 1723109505424L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "A2dQMe2lT6PNXju5qnY58dc7MrVlfeMxvmHpYZVSo1iy", + "yFi4XJ0kADIbf6xL4pShHhsAdDhmLyiHuf2uDVmGTsQDeDunVLn9E/cPOY3Pi8beTfyLMTuJs/KCYacDXkniCmzuawsftmASF14Ee2nLfUZoBhdA2HUDdKiIy+zvfrSChRx9YP0gkXE5bMRFpWgLmQ==", + "+MHylKbS+wVabW1ASOTyrVgHiSYtD7QeIP/mjWG0U8c=", + "xei7+wZwpJnRVnhsjRAEpg==", 
+ 1723109505424L + ), + new EncryptedRequest( + "D3D82A6B-47CF-4225-BBE5-BAD96FB84CA4", + "Ai7rf1nkviyd/H4oLwjazip5ceScgTyV+B3F/GqQblen", + "ZYxobd3H7Uj1VUQQvlh+7PBBzmtCPoVKDde5rjRbHx+10WRCFjV5Uhb3ySHWLuXUrqDmTGERRDEmPNXcfkp9Sw==", + "34Xcv3x1DVaNAsDnRyBCKynDmSVgzSaI3tAWWRKU1gs=", + "34OaEzc8gcHw/TDsr5hI+A==", + 1723109505424L + ), + new EncryptedRequest( + "1221CD15-9092-4779-A157-04DC229A63F7", + "Awe+CP/SBxK4U8Szk4/2mJEI+k5J0t1Iul1FTNBNdG4K", + "Im5FJi42sIoKKuRQwyKaX/nGsRWDeDXNpE6jTyXmKENm/ulBftYmWCsDhX8uJKSi3ICtN70JtbNdOcWG+KsVAw==", + "kfqKaModZjh98LCMNOHyVdu2jr+zqIjq8Y185iTz9Qw=", + "5YS/q6v60vqPzZwW/TqOhg==", + 1723109505425L + ), + }; + // Responses + final EncryptedResponse[] encryptedResponse = { + new EncryptedResponse( + "VKUZve03Rc+8N2D2YzGeX9ZZteeQws9ZAW7N2VVZ4cj8YHpHf+X4ULpqYeGKCHfJXi4Dvt6ZbbAU4i7rImvmRH7ZdMZgyVMlsRXwyJxIhDgkr8zLQlJDJ3Nc/TL2n2YTw3ukL2vv3ZW65UcDOWi9OBnXuEFYvuAjGR7zJLDL8Z0=", + "ebBjC2k7LndYqgOgbE239Rc1yhhRRhOGL/QGk23P458=", + "mrL2R2ochtK1QFfLi9dX3Q==", + 1723109505420L + ), + new EncryptedResponse( + "qxbAsh4KlTWrfoRb2f65FUkBMfvPjJdPkc5z44rdNJ7angP/q83NTw19XurQ8N1RjA06ozqnOR4pr9KrjuWq38kyVEWEsrMsrE2rLjzcVqyoFNOBd3tPK74f/uLmbVFnqbUoKaqjn4mBIHCfgWle7g==", + "GMeP0BM62NDRxWBtHMsadAHQQzsgmfZfGU3x9piipfM=", + "beYoMVodt06E7yk2WMFiCA==", + 1723109505420L + ), + new EncryptedResponse( + "l+Yl3JfRpcr+ReXSDdTo2GVbe+c98rpfX3vODqnrpkk=", + "cRPSf7+3IA8M1zjQnGEixuFlJ5O6hsmzvWeB2xFHfCI=", + "qPtFVgDgtgJpNTzuElDoVA==", + 1723109505421L + ), + new EncryptedResponse( + "Y8KAD1G9wUpoTXpA0UKMI4PaUgS43uUFrOTBR3cCoBUdOWS4HizPdF+3SxdkbP5Z", + "QfQzM+0z0re6/AWMNOI8uP7syAeCtud+TkDt+H1X/tM=", + "A/+VbdsF+0s8HvJrBAtBCQ==", + 1723109505421L + ), + new EncryptedResponse( + "+Jqs/d97p0Qau9ixhL23cctRnUwowZuTzvA3MHsBH24=", + "AgBS0dF5RSfPlvbqgtFpMwj2QSDQUXIUcZdNUyJPzO0=", + "iu0blftcv9NCHb0mJVqRKA==", + 1723109505421L + ), + new EncryptedResponse( + 
"jKg+rY99pZ3gZa+h5Dfy7ohbhKKUIhKWltXrx8Az4DTyRiT8PfljuUKWD1nXYtpToAodYrI83scJ5OuoOILcxQ7/h3fLHs6KB642xaoV/od4eVMYoXqDXMraMojCsxCJ", + "8YJ8n79aFpOAawRnSfG7XlNYNdGVfP2iGKhrE2VP0ho=", + "qD/LMXJEWu8/64ZVLs3+7g==", + 1723109505422L + ), + new EncryptedResponse( + "Od0g66R5gHPqyLjaKYkiSyKg11qzpMERanBS3qlSJ13MIArCWQWgq54408xvo1hpt5V8Wgj7ITwfsJ8+AQTZOgx7Wz3a1x56x8X7ooZhIk8=", + "ndfN2p7RMwWo6JDS4ifa5kleEW8CcBjjwySh67niVZo=", + "vywPr8XZ8b2YyDtHMikmfg==", + 1723109505422L + ), + new EncryptedResponse( + "3GGQRP4u4+w/d7/KtPS8SjDa8lV7AxZhXbJKzKWwx80=", + "irvrHy2xNLjDfAeL/4dxmmSCuuDsOxXHCc95P/i/35E=", + "BMWmr4DsI8+WImCDvwB2/w==", + 1723109505422L + ), + new EncryptedResponse( + "tfMDn6+5V1Zppc4huevk3LI/dgzOuSRTYqtXJf+xB/hNzNc2hChinWIjKMh2cdWwoms3WO+boaKGnCDdVbSCDEx+nFg6T4iN6rfz4qTwaov6KdLkT04Y8hnkbi4YAyNm", + "90Vud5c9q8Xy+UgMGtq5D6vPs5Hsn0Nkmj+rUmuUcz8=", + "YNJifcT945fhcKm3aqkhag==", + 1723109505423L + ), + new EncryptedResponse( + "0fWvysKeg3naheL/A5cJjTiA+BmhZYbDkHVK63JPosXDhqZzqPrJ0/KvPE116ELpG2FzQP5LnD0Jk9eJ627p67nMhJD+jQkRFQgqKeggViiw+zEsQtp/dcIN3ZpdR+zh", + "TIe67QK7kYFlMI7tEMB5+DdqwVdAUNbje/xVyrLEwwI=", + "LdNF+2cVBklgSNtd8VgVHQ==", + 1723109505423L + ), + new EncryptedResponse( + "WKwK5/O9ebjhrec16gMbS5tuAiYSE7/7oxMRc+DU8ZU6FSNUewK8O0cVOV3sT6++6U3QgPJLbgRIBP6lZjvAUcrzXlwjNjQJEmO3816BOo8=", + "Eo0IFaMj5O9ZPfq5DCqS+6m0swuEGgoVfihAKtDTnsg=", + "miiZTny2CvOrBZkjD+eaLA==", + 1723109505423L + ), + new EncryptedResponse( + "jDmIvPflnOKjS45+cSCqaA==", + "h39gAppf4ooZoh3DlXUTg8K6hMvTeUDXjJIbrbEKefg=", + "G68hARhQVl/NlWqvqdrHAw==", + 1723109505424L + ), + new EncryptedResponse( + "JCeEIhe8hUKPbb0+FB/s1A==", + "1ZYXTaUXg8BH37PHNUYZC/qAaiu72vvbBUMMayO5ygc=", + "v4k9JUEQqmqs0avfakFRiQ==", + 1723109505424L + ), + new EncryptedResponse( + "lYITkSdxBpjIKd6YsORWZLKE21G3bbRSd+7/7CeSk0jXrtAnoyqvYfvcdx2TVtOVOlM8yAkgwuDn610ovcDW9mT5/HfvdoB1c7v8uwXwSEorpajFTT/b6tYo4fRD+lGt", + "8/r/tlMCzmHLwszOGUwBGGK9MM1Jis2R8Gmk4e17AJo=", + "WGeBG1GE8gFWSXQCUR9dKQ==", + 1723109505424L + ), + new 
EncryptedResponse( + "it9d1VO49uCf4G3zax9Z0IxNmTaoUb2aVHZB45b8rmd/myB8pjEhvzowwatdx5fX", + "EmyVIkCwUqH0SCRxqHWDXIjZhB23uaxLFozdlzB8f7U=", + "XAqO+IzvrQ6zsEyHQd2pyg==", + 1723109505425L + ), + new EncryptedResponse( + "pDks/WpNZ3l71+1vgVQReVIjlSC5o7Jyepka/kbj5oUqtjyO3WopHyfAB7e1exqDl6dLDwsP0TcIndKmAPPdpQ==", + "Ob1ku/gu4dFdov1GVZIRZ8dSGeh2Kt8JbFACi/k5onc=", + "9/QPax/kk/VO5mto3ufdBA==", + 1723109505425L + ), + }; + // ---------------------------- + // Start of test + + for (int i = 0; i < encryptedRequest.length; i++) { + // Prepare values for this batch + final EncryptedRequest request = encryptedRequest[i]; + final EncryptedResponse response = encryptedResponse[i]; + final EncryptorId eid = encryptorIds[i]; + final EncryptorScope scope = eid.scope(); + final byte[] sharedInfo1 = eid.getEciesSharedInfo1("3.3"); + final byte[] appSecret = applicationSecret.getBytes(StandardCharsets.UTF_8); + final byte[] envelopeKey = envelopeKeys[i]; + + // Construct Server's encryptor + final ServerEncryptor serverEncryptor; + if (scope == EncryptorScope.APPLICATION_SCOPE) { + serverEncryptor = encryptorFactory.getServerEncryptor(eid, + new EncryptorParameters("3.3", applicationKey, null, tempKeyIdApplication), + new ServerEncryptorSecrets(masterServerPrivateKey, applicationSecret) + ); + } else { + serverEncryptor = encryptorFactory.getServerEncryptor(eid, + new EncryptorParameters("3.3", applicationKey, activationId, tempKeyIdActivation), + new ServerEncryptorSecrets(serverPrivateKey, applicationSecret, transportKey) + ); + } + // Decrypt request and compare to the expected value. + final byte[] decryptedRequestData = serverEncryptor.decryptRequest(request); + assertArrayEquals(plainRequestData[i], decryptedRequestData); + } + } /** * Construct EncryptorParameters for given encryptor and protocol version. 
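Review bot: The loop at the end of testVectors_3_3 only decrypts the request and asserts against `plainRequestData[i]`; the locals `response`, `sharedInfo1`, `appSecret` and `envelopeKey` are assigned and never read, and the `plainResponseData` and `associatedData` arrays are never referenced. The response direction and the 3.3 associated data (which now carries the temporary key ID) are therefore not verified by these vectors, although the test's Javadoc reads as if the whole vector set were exercised. Either check each `encryptedResponse[i]` against `plainResponseData[i]`, or drop the unused locals and mark the gap with `// TODO: response vectors, associatedData and envelopeKeys are not verified yet`. A negative case would also be worth adding: presumably a request whose temporary key ID (the first `EncryptedRequest` argument) differs from the one passed to `EncryptorParameters` must fail to decrypt; confirm against the encryptor implementation, which is outside this hunk.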
@@ -910,9 +1339,11 @@ public void testVectors_3_2() throws Exception { */ private EncryptorParameters getParametersForEncryptor(EncryptorId encryptorId, String protocolVersion) { if (encryptorId.scope() == EncryptorScope.ACTIVATION_SCOPE) { - return new EncryptorParameters(protocolVersion, configuration.applicationKey, configuration.activationId); + final String tempKeyId = "3.3".equals(protocolVersion) ? configuration.tempKeyActivation : null; + return new EncryptorParameters(protocolVersion, configuration.applicationKey, configuration.activationId, tempKeyId); } else { - return new EncryptorParameters(protocolVersion, configuration.applicationKey, null); + final String tempKeyId = "3.3".equals(protocolVersion) ? configuration.tempKeyApplication : null; + return new EncryptorParameters(protocolVersion, configuration.applicationKey, null, tempKeyId); } } @@ -925,7 +1356,7 @@ private EncryptorParameters getParametersForEncryptor(EncryptorId encryptorId, S */ private EncryptorSecrets getClientSecrets(EncryptorId encryptorId, String protocolVersion) throws Exception { final boolean appScope = encryptorId.scope() == EncryptorScope.APPLICATION_SCOPE; - if ("3.0".equals(protocolVersion) || "3.1".equals(protocolVersion) || "3.2".equals(protocolVersion)) { + if ("3.0".equals(protocolVersion) || "3.1".equals(protocolVersion) || "3.2".equals(protocolVersion) || "3.3".equals(protocolVersion)) { return new ClientEncryptorSecrets( appScope ? configuration.keyMasterServer.getPublic() : configuration.keyServer.getPublic(), configuration.applicationSecret, 
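Review bot: In getParametersForEncryptor the temporary key ID is chosen by `"3.3".equals(protocolVersion)`, so any protocol version added to these tests later would silently get `null` and run the encryptor without a temporary key. Keeping that decision in one place, for example `private static boolean usesTemporaryKeys(String version) { return "3.3".equals(version); }` with a comment naming the versions it covers, makes the omission visible when the next version is introduced. The same `"3.0".equals(...) || ... || "3.3".equals(...)` chain is extended by hand in getClientSecrets (next hunk) and getServerSecrets (the hunk after it); a shared `Set.of("3.0", "3.1", "3.2", "3.3")` constant would stop the three copies drifting apart. The bodies of getClientSecrets and getServerSecrets continue outside their hunks.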
@@ -944,7 +1375,7 @@ private EncryptorSecrets getClientSecrets(EncryptorId encryptorId, String protoc */ private EncryptorSecrets getServerSecrets(EncryptorId encryptorId, String protocolVersion) throws Exception { final boolean appScope = encryptorId.scope() == EncryptorScope.APPLICATION_SCOPE; - if ("3.0".equals(protocolVersion) || "3.1".equals(protocolVersion) || "3.2".equals(protocolVersion)) { + if ("3.0".equals(protocolVersion) || "3.1".equals(protocolVersion) || "3.2".equals(protocolVersion) || "3.3".equals(protocolVersion)) { return new ServerEncryptorSecrets( appScope ? configuration.keyMasterServer.getPrivate() : configuration.keyServer.getPrivate(), configuration.applicationSecret, diff --git a/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/signature/PowerAuthSignatureFormatTest.java b/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/signature/PowerAuthSignatureFormatTest.java index cb7dfa50..2130bfb1 100644 --- a/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/signature/PowerAuthSignatureFormatTest.java +++ b/powerauth-java-crypto/src/test/java/io/getlime/security/powerauth/crypto/signature/PowerAuthSignatureFormatTest.java @@ -34,6 +34,7 @@ public void testValidVersions() throws Exception { assertEquals(PowerAuthSignatureFormat.DECIMAL, PowerAuthSignatureFormat.getFormatForSignatureVersion("3.0")); assertEquals(PowerAuthSignatureFormat.BASE64, PowerAuthSignatureFormat.getFormatForSignatureVersion("3.1")); assertEquals(PowerAuthSignatureFormat.BASE64, PowerAuthSignatureFormat.getFormatForSignatureVersion("3.2")); + assertEquals(PowerAuthSignatureFormat.BASE64, PowerAuthSignatureFormat.getFormatForSignatureVersion("3.3")); assertEquals(PowerAuthSignatureFormat.BASE64, PowerAuthSignatureFormat.getFormatForSignatureVersion("4.0")); } 
diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthEncryptionHttpHeader.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthEncryptionHttpHeader.java index 6c11ba72..886b1611 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthEncryptionHttpHeader.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthEncryptionHttpHeader.java @@ -148,4 +148,5 @@ public String getActivationId() { public String getVersion() { return version; } + } diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/ValueTypeValidator.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/ValueTypeValidator.java index 0af47f8a..ff726636 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/ValueTypeValidator.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/ValueTypeValidator.java @@ -51,7 +51,7 @@ public class ValueTypeValidator { /** * Admissible protocol versions in the header. */ - private static final Set PROTOCOL_VERSIONS = Set.of("3.2", "3.1", "3.0"); + private static final Set PROTOCOL_VERSIONS = Set.of("3.3", "3.2", "3.1", "3.0"); /** * Admissible signature types in the header. From e840a5c253bb6566d487c199a783026cbc17e4c6 Mon Sep 17 00:00:00 2001 
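Review bot: `PROTOCOL_VERSIONS` in ValueTypeValidator still admits 3.0–3.2 next to the new 3.3, and the Javadoc on the constant does not say that only 3.3 uses temporary encryption keys, so a client that keeps presenting an older version stays on the long-lived server keys. Whether a minimum version is enforced elsewhere is not visible in this hunk. I would extend the comment on the constant to something like `Admissible protocol versions in the header. Versions below 3.3 do not use temporary encryption keys; a deployment that requires forward secrecy must enforce a minimum version separately.` The class body continues outside the hunk.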
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 05:06:49 +0000 Subject: [PATCH 07/21] Bump org.apache.maven.plugins:maven-surefire-plugin from 3.4.0 to 3.5.0 Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.4.0...surefire-3.5.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3deef287..3f59c609 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ 3.1.3 3.8.0 3.3.1 - 3.4.0 + 3.5.0 2.0.16 5.11.0 From aca5e79b39d735378012df078fb1a039065fb880 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 05:06:54 +0000 Subject: [PATCH 08/21] Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.8.0 to 3.10.0 Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.8.0 to 3.10.0. - [Release notes](https://github.com/apache/maven-javadoc-plugin/releases) - [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.8.0...maven-javadoc-plugin-3.10.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-javadoc-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3deef287..d820d93f 100644 --- a/pom.xml +++ b/pom.xml @@ -77,7 +77,7 @@ 3.4.2 3.13.0 3.1.3 - 3.8.0 + 3.10.0 3.3.1 3.4.0 2.0.16 
From 6843a3980cbc71575062f376748054665bfcb9e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Wed, 11 Sep 2024 14:47:19 +0200 Subject: [PATCH 09/21] Fix #640: Add documentation for temporary keys (#641) * Fix #640: Add documentation for temporary keys * Add note to E2E encryption * Fix typo --- docs/End-To-End-Encryption.md | 54 +++++++++++--------- docs/Standard-RESTful-API.md | 84 +++++++++++++++++++++++++++++++ docs/Temporary-Encryption-Keys.md | 70 ++++++++++++++++++++++++++ docs/_Sidebar.md | 1 + 4 files changed, 184 insertions(+), 25 deletions(-) create mode 100644 docs/Temporary-Encryption-Keys.md diff --git a/docs/End-To-End-Encryption.md b/docs/End-To-End-Encryption.md index 5bd64a46..8f87f329 100644 --- a/docs/End-To-End-Encryption.md +++ b/docs/End-To-End-Encryption.md @@ -27,6 +27,9 @@ Assume we have the following constants and variables defined in our scheme: - `KEY_EPH_PUB` - Public part of `EPH_KEYPAIR`. - `SHARED_INFO_2` - Input parameter to MAC calculation. +### Temporary Encryption Keys + +To provide required cryptographic features, such as forward secrecy, encryption uses [temporary encryption keys](./Temporary-Encryption-Keys.md) since protocol version `3.3`. ### Encryption Scope 
@@ -37,9 +40,9 @@ PowerAuth protocol defines two basic usage scopes for ECIES encryption: #### Application Scope -ECIES in application scope has following configuration of parameters: +ECIES in application scope has the following configuration of parameters: -- `KEY_ENC_PUB` is `KEY_SERVER_MASTER_PUBLIC` +- `KEY_ENC_PUB` is a [temporary key](./Temporary-Encryption-Keys.md) with given `TEMP_KEY_ID` identifier fetched from the server associated with a specific application version and signed with `KEY_SERVER_MASTER_PRIVATE` (to prove it was intended for the application scope). - `SHARED_INFO_1` is a pre-shared constant and is different for each endpoint (see [Pre-shared constants](#pre-shared-constants)) - `SHARED_INFO_2_BASE` is calculated from `APPLICATION_SECRET`: ```java @@ -47,7 +50,7 @@ ECIES in application scope has following configuration of parameters: ``` - `ASSOCIATED_DATA` is calculated as: ```java - byte[] ASSOCIATED_DATA = ByteUtils.concatWithSizes(VERSION, APPLICATION_KEY); + byte[] ASSOCIATED_DATA = ByteUtils.concatWithSizes(VERSION, APPLICATION_KEY, TEMP_KEY_ID); ``` @@ -56,9 +59,9 @@ Note that the `APPLICATION_SECRET` constant is in Base64 form, so we need to rei #### Activation Scope -ECIES in activation scope has following configuration of parameters: +ECIES in activation scope has the following configuration of parameters: -- `KEY_ENC_PUB` is `KEY_SERVER_PUBLIC` (e.g. key which is unique for each activation) +- `KEY_ENC_PUB` is a [temporary key](./Temporary-Encryption-Keys.md) with given `TEMP_KEY_ID` identifier fetched from the server associated with a specific application version and activation, and signed with `KEY_SERVER_PRIVATE` (the key which is unique for each activation, to prove it was intended for the activations cope). - `SHARED_INFO_1` is a pre-shared constant and is different for each endpoint (see [Pre-shared constants](#pre-shared-constants)) - `SHARED_INFO_2_BASE` is calculated from `APPLICATION_SECRET` and `KEY_TRANSPORT`: ```java 
@@ -66,7 +69,7 @@ ECIES in activation scope has following configuration of parameters: ``` - `ASSOCIATED_DATA` is calculated as: ```java - byte[] ASSOCIATED_DATA = ByteUtils.concatWithSizes(VERSION, APPLICATION_KEY, ACTIVATION_ID); + byte[] ASSOCIATED_DATA = ByteUtils.concatWithSizes(VERSION, APPLICATION_KEY, ACTIVATION_ID, TEMP_KEY_ID); ``` @@ -75,7 +78,7 @@ Note that the `APPLICATION_SECRET` constant is in Base64 form, so we need to rei ### ECIES Encryption -Assume we have a public key `KEY_ENC_PUB`, data `PLAINTEXT` to be encrypted, `ASSOCIATED_DATA` to be included in mac calculation and a `SHARED_INFO_1` and `SHARED_INFO_2_BASE` constants (`byte[]`) as encryption parameters. ECIES encryption works in a following way: +Assume we have a public key `KEY_ENC_PUB`, data `PLAINTEXT` to be encrypted, `ASSOCIATED_DATA` to be included in MAC calculation and a `SHARED_INFO_1` and `SHARED_INFO_2_BASE` constants (`byte[]`) as encryption parameters. ECIES encryption works in the following way: 1. Generate an ephemeral key pair: ```java @@ -111,16 +114,16 @@ Assume we have a public key `KEY_ENC_PUB`, data `PLAINTEXT` to be encrypted, `AS 1. Derive `IV` from `NONCE` and encrypt ata using AES. ```java byte[] IV = KDF_INTERNAL.derive(KEY_IV, NONCE); - byte[] DATA_ENCRYPTED = AES.encrypt(PLAINTEXT, IV, KEY_ENC) + byte[] DATA_ENCRYPTED = AES.encrypt(PLAINTEXT, IV, KEY_ENC); ``` 1. Compute the MAC of encrypted data, include `SHARED_INFO_2`. ```java byte[] DATA = Bytes.concat(DATA_ENCRYPTED, SHARED_INFO_2); - byte[] MAC = Mac.hmacSha256(KEY_MAC, DATA) + byte[] MAC = Mac.hmacSha256(KEY_MAC, DATA); ``` 1. Prepare ECIES payload. ```java - EciesPayload payload = (DATA_ENCRYPTED, MAC, KEY_EPH_PUB, NONCE, TIMESTAMP) + EciesPayload payload = (DATA_ENCRYPTED, MAC, KEY_EPH_PUB, NONCE, TIMESTAMP); ``` If this is a response encryption, then we omit `KEY_EPH_PUB` and set it to `null` in steps 3. and 9. to make the response shorter. For example, `SHARED_INFO_2` is then calculated as: 
@@ -140,13 +143,13 @@ Assume we have a private key `KEY_ENC_PRIV`, encrypted data as an instance of th ``` 1. Derive base secret key from the private key and ephemeral public key from the ECIES payload (in this step, we do not trim the key to 16b only, we keep all 32b). ```java - SecretKey KEY_BASE = ECDH.phase(KEY_ENC_PRIV, KEY_EPH_PUB) + SecretKey KEY_BASE = ECDH.phase(KEY_ENC_PRIV, KEY_EPH_PUB); ``` 1. Derive a secret key using X9.63 KDF function (using SHA256 internally). When calling the KDF, we use `VERSION`, `SHARED_INFO_1` together with `KEY_EPH_PUB` value (as raw `byte[]`) as an `info` parameter. ```java byte[] VERSION_BYTES = ByteUtils.encode(VERSION); byte[] INFO = Bytes.concat(VERSION_BYTES, SHARED_INFO_1, KEY_EPH_PUB); - SecretKey KEY_SECRET = KDF_X9_63_SHA256.derive(KEY_BASE, INFO, 48) + SecretKey KEY_SECRET = KDF_X9_63_SHA256.derive(KEY_BASE, INFO, 48); ``` 1. Split the 48 bytes long `KEY_SECRET` to three 16B keys. The first part is used as an encryption key `KEY_ENC`. The second part is used as MAC key `KEY_MAC`. The final part is a key for IV derivation `KEY_IV`. ```java @@ -166,7 +169,7 @@ Assume we have a private key `KEY_ENC_PRIV`, encrypted data as an instance of th 1. Decrypt the data using AES, with `IV` value derived from `NONCE`. ```java byte[] IV = KDF_INTERNAL.derive(KEY_IV, NONCE); - byte[] PLAINTEXT = AES.decrypt(DATA_ENCRYPTED, IV, KEY_ENC) + byte[] PLAINTEXT = AES.decrypt(DATA_ENCRYPTED, IV, KEY_ENC); ``` If this is a response decryption, then we omit `KEY_EPH_PUB` and set it to `null` in step 1. 
@@ -175,9 +178,9 @@ If this is a response decryption, then we omit `KEY_EPH_PUB` and set it to `null Practical implementation of ECIES encryption in PowerAuth accounts for a typical request-response cycle, since encrypting RESTful API requests and responses is the most common use-case. -Client implementation creates an encryptor object that allows encrypting the request and decrypting the response. When encrypting the request, encryptor object accepts a `byte[]` and a public key (for example, `MASTER_SERVER_PUBLIC_KEY`) and produces an instance of `EciesPayload` class. After it receives an encrypted response from the server, which is essentially another instance of `EciesPayload`, it is able to use the original encryption context (the shared encryption keys) to decrypt the response. +Client implementation creates an encryptor object that allows encrypting the request and decrypting the response. When encrypting the request, encryptor object accepts a `byte[]` and a [temporary public key](./Temporary-Encryption-Keys.md) . Then, it produces an instance of `EciesPayload` class. After it receives an encrypted response from the server, which is essentially another instance of `EciesPayload`, it is able to use the original encryption context (the shared encryption keys) to decrypt the response. -Server implementation creates a decryptor object that allows decrypting the original request data and encrypting the response. When server receives an encrypted request, essentially as an `EciesPayload` instance again, it uses a private key (for example, `MASTER_SERVER_PRIVATE_KEY`) to decrypt the original bytes and uses the encryption context to encrypt a response to the client. +Server implementation creates a decryptor object that allows decrypting the original request data and encrypting the response. 
When server receives an encrypted request, essentially as an `EciesPayload` instance again, it uses a [temporary private key](./Temporary-Encryption-Keys.md) (looked up based on the temporary key ID) to decrypt the original bytes and uses the encryption context to encrypt a response to the client. Since the client and server use the same encryption context, the ephemeral public key needs to be only sent with the request from the client. Response may only contain encrypted data and MAC value. @@ -202,6 +205,7 @@ The typical JSON encoded request is following: ```json { + "temporaryKeyId": "dc497e8a-8faa-44bc-a52a-20d8393005d2", "ephemeralPublicKey" : "A97NlW0JPLJfpG0AUvaRHRGSHh+quZu+u0c+yxsK7Xji", "encryptedData" : "qYLONkDWFpXefTKPbaKTA/PWdRYH5pk9uvGjUqSYbeK7Q0aOohK2MknTyviyNuSp", "mac" : "DNlZdsM1wgH8v2mAROjj3vmQu4DI4ZJnuTBzQMrHsew=", 
@@ -246,18 +250,18 @@ The response doesn't use HTTP headers. PowerAuth protocol defines following `SHARED_INFO_1` (also called as `sh1` or `sharedInfo1`) constants for its own internal purposes: -| RESTful endpoint | ECIES scope | `SHARED_INFO_1` value | -| ------------------------------------- | ------------ | --------------------- | +| RESTful endpoint | ECIES scope | `SHARED_INFO_1` value | +| ------------------------------------- | ------------ |---------------------------| | `/pa/v3/activation/create` (level 1) | application | `/pa/generic/application` | -| `/pa/v3/activation/create` (level 2) | application | `/pa/activation` | -| `/pa/v3/upgrade` | activation | `/pa/upgrade` | -| `/pa/v3/vault/unlock` | activation | `/pa/vault/unlock` | -| `/pa/v3/token/create` | activation | `/pa/token/create` | -| `/pa/v3/recovery/confirm` | activation | `/pa/recovery/confirm` | +| `/pa/v3/activation/create` (level 2) | application | `/pa/activation` | +| `/pa/v3/upgrade` | activation | `/pa/upgrade` | +| `/pa/v3/vault/unlock` | activation | `/pa/vault/unlock` | +| `/pa/v3/token/create` | activation | `/pa/token/create` | +| `/pa/v3/recovery/confirm` | activation | `/pa/recovery/confirm` | On top of that, following constants can be used for application-specific purposes: -| Purpose | ECIES scope | `SHARED_INFO_1` value | -| ---------------------------------------- | ------------ | --------------------- | +| Purpose | ECIES scope | `SHARED_INFO_1` value | +| ---------------------------------------- | ------------ |---------------------------| | Generic encryptor for application scope | application | `/pa/generic/application` | -| Generic encryptor for activation scope | activation | `/pa/generic/activation` | +| Generic encryptor for activation scope | activation | `/pa/generic/activation` | diff --git a/docs/Standard-RESTful-API.md b/docs/Standard-RESTful-API.md index 0fbef64d..eb3219cc 100644 --- a/docs/Standard-RESTful-API.md +++ b/docs/Standard-RESTful-API.md 
@@ -19,6 +19,7 @@ The following endpoints are published in PowerAuth Standard RESTful API (protoco - [`/pa/v3/upgrade/start`](#upgrade-start) - Start a protocol upgrade (requires encryption). - [`/pa/v3/upgrade/commit`](#upgrade-commit) - Commits a protocol upgrade (requires authentication). - [`/pa/v3/recovery/confirm`](#confirm-recovery) - Confirm a recovery code (requires authentication and encryption). +- [`/pa/v3/keystore/create`](#create-new-key-pair) - Create a new temporary key pair for ECIES encryption. ## Security Features 
@@ -720,3 +721,86 @@ The JSON response after the decryption: } ``` + +## Temporary Keys API + + +### Create New Key Pair + +Create a new temporary key pair with either application or activation scope, and obtain the temporary public for subsequent ECIES encryption. + + +| Request parameter | Value | +| ----------------- |------------------------------------------| +| Method | `POST` | +| Resource URI | `/pa/v3/keystore/create` | + + +#### Request + +##### Body + +The JSON request contains an encoded JWT payload (signed with `HS256`) in a standard request envelope: + +```json +{ + "requestObject": { + "jwt": "..." + } +} +``` + +The decoded content of the JWT payload is: + +```json +{ + "applicationKey" : "...", + "activationId" : "...", + "challenge" : "..." +} +``` + +If the `activationId` is present (and represents an existing activation), the payload represents request for **activation scoped** temporary public key. Otherwise, the payload represents request for **application scoped** temporary public key. The scope determines how the JWT is signed. In both cases, the JWT is signed with standard `HS256` algorithm, with the following secret key: + +- Application scope: Secret key is application secret `APP_SECRET` (decoded to raw bytes). +- Activation scope: Secret key is derived as `KDF_INTERNAL.derive(KEY_TRANSPORT, APP_SECRET)`. + +#### Response 200 + +The JSON response contains an encoded JWT payload (signed with `ES256`) in a standard request envelope: + +```json +{ + "requestObject": { + "jwt": "..." + } +} +``` + +The decoded content of the JWT payload is: + +```json +{ + "sub": "...", + "applicationKey" : "...", + "activationId" : "...", + "challenge" : "...", + "publicKey": "...", + "iat": "...", + "exp": "...", + "iat_ms": "...", + "exp_ms": "..." +} +``` + +- The `sub` claim represents temporary key ID. 
+- The `applicationKey`, `activationId` and `challenge` claims are the same as in the request, so that the client can validate the response from the server not only for correct signature, but also to ensure the response is related to the issued request. +- The `publicKey` claim represents Base64 encoded temporary public key. +- The `iat` and `exp` attributes are standard claims representing timestamp of JWT issue and expiration timestamp. To provide a millisecond precision, they are augmented with `iat_ms` and `exp_ms` claims. + +The issued public key can be related to either application or activation scope, based on the presence of `activationId` (see the request description for the details). In both cases, the JWT with the public key is signed using `ES256` algorithm, and the scope determines what key is used: + +- Application scope: Private key is the application-specific master server private key `KEY_SERVER_MASTER_PRIVATE`. +- Activation scope: Private key is the activation-specific server private key `KEY_SERVER_PRIVATE`. + + \ No newline at end of file diff --git a/docs/Temporary-Encryption-Keys.md b/docs/Temporary-Encryption-Keys.md new file mode 100644 index 00000000..216f80b2 --- /dev/null +++ b/docs/Temporary-Encryption-Keys.md 
@@ -0,0 +1,70 @@ +# Temporary Encryption Keys + +To provide better resilience of encryption via advanced features, such as forward secrecy, PowerAuth protocol supports temporary encryption keys (since protocol version 3.3). The idea is that the keys embedded in the mobile app (`KEY_SERVER_MASTER_PUBLIC`) and device specific server public key (`KEY_SERVER_PUBLIC`) are only used for signature verification, serving as trust store on the client for data signed on the server. + +Temporary encryption keys are created on the server side via PowerAuth Standard RESTful API. The server keeps the temporary encryption key pair and the client receives a public key, that can be used in a standard ECIES encryption. + +The client can request two scopes of temporary encryption keys: + +- *Application scope* - the encryption key pair was obtained based on the trust created for the application specific key pair (master server keypair). +- *Activation scope* - the encryption key pair was obtained based on the trust created for the specific activation and it's server key pair (server keypair). + +You can see more information about specific request payloads in [Standard RESTful API documentation](./Standard-RESTful-API.md#temporary-keys-api). + +## Application Scope + +The client sends request in the form of JWT, specifying two parameters: + +- `applicationKey` - key `APP_KEY` associated with the application version +- `challenge` - random challenge, used as a request reference + +The JWT is signed using `HS256` with the "application secret" (`APP_SECRET`) as the signing key. + +The server then takes the request, generates a random temporary encryption key pair associated with the application key, and sends the JWT response signed with `ES256` using `KEY_SERVER_MASTER_PRIVATE`. 
The JWT response contains: + +- `sub` - identifier of the key +- `applicationKey` - back reference to the original data +- `challenge` - back reference to the original data +- `publicKey` - temporary encryption public key +- `iss` / `iss_ms` - temporary key pair issuance timestamp +- `exp` / `exp_ms` - temporary key pair expiration timestamp + +The client app should process the response by verifying the signature and checking that the application key and challenge match the expected value. Then, the client app can accept the public key with given key identifier. + +## Activation Scope + +The client sends request in the form of JWT, specifying three parameters: + +- `applicationKey` - key `APP_KEY` associated with the application version +- `activationId` - identifier of the specific PowerAuth activation +- `challenge` - random challenge, used as a request reference + +The JWT is signed using `HS256` with the key derived from "application secret" (`APP_SECRET`) and transport key (`KEY_TRANSPORT`) as the signing key: + +``` +JWT_SIGN_KEY = KDF_INTERNAL.derive(KEY_TRANSPORT, APP_SECRET) +``` + +The server then takes the request, generates a random temporary encryption key pair associated with the application key and activation ID, and sends the JWT response signed with `ES256` using `KEY_SERVER_PRIVATE`. The JWT response contains: + +- `sub` - identifier of the key +- `applicationKey` - back reference to the original data +- `activationId` - back reference to the original data +- `challenge` - back reference to the original data +- `publicKey` - temporary encryption public key +- `iss` / `iss_ms` - temporary key pair issuance timestamp +- `exp` / `exp_ms` - temporary key pair expiration timestamp + +The client app should process the response by verifying the signature and checking that the application key, activation ID and challenge match the expected value. Then, the client app can accept the public key with given key identifier. 
+ +## Impacted Use-Cases + +Besides [End-to-End Encryption](./End-To-End-Encryption.md) itself, the introduction of temporary encryption keys impacts all use-cases that implicitly rely on data encryption, such as: + +- New activations (using all supported methods) +- Obtaining and changing activation name from the mobile app. +- Secure Vault +- MAC-based Tokens +- Obtaining User Info +- Confirmation of the Recovery Codes +- Protocol upgrade \ No newline at end of file diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index d4adefdf..46ead898 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -19,6 +19,7 @@ **Encryption** - [End-To-End Encryption](./End-To-End-Encryption.md) +- [Temporary Encryption Keys](./Temporary-Encryption-Keys.md) **Other Chapters** From fe71d6ba2be879fdae38e3df39f9c322ec68ef0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Tue, 17 Sep 2024 22:18:37 +0200 Subject: [PATCH 10/21] Fix #642: Add exact list of used cryptographic standards (#643) * Fix #640: Add documentation for temporary keys * Fix #642: Add exact list of used cryptographic standards --- docs/List-of-Used-Algorithms.md | 28 +++++++++++++++++++ docs/_Sidebar.md | 1 + .../powerauth/crypto/lib/util/ByteUtils.java | 2 -- .../crypto/server/util/DataDigest.java | 2 +- .../PowerAuthRequestCanonizationUtils.java | 2 +- 5 files changed, 31 insertions(+), 4 deletions(-) create mode 100644 docs/List-of-Used-Algorithms.md diff --git a/docs/List-of-Used-Algorithms.md b/docs/List-of-Used-Algorithms.md new file mode 100644 index 00000000..1fd02544 --- /dev/null +++ b/docs/List-of-Used-Algorithms.md 
@@ -0,0 +1,28 @@ +# List of Used Algorithms + +The following algorithms are used in the PowerAuth cryptography scheme. + +## PowerAuth 3 Protocol + +- Current protocol version: `3.3` + +### Cryptographic Primitives + +| Algorithm | Impacts | Note | +|---------------|----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `AES-128` | mobile, server | Symmetric encryption with 128 bit keys. Used in `AES/CBC/PKCS7Padding` or `AES/CBC/NoPadding`, depending on use-case. | +| `Argon2` | server | Iterative hash used for storing recovery PUK values associated with recovery codes (`argon2i`). | +| `CRC-16` | mobile, server | Checksum algorithm, used to add a validation to the activation code (2 bytes out of 12 are allocated for checksum). | +| `ECDH` | mobile, server | Key agreement algorithm for ECC-based Diffie-Hellman, uses `secp256r1` curve. | +| `ECDSA` | mobile, server | Asymmetric signatures based on ECC, with `secp256r1` curve and `SHA256` hash function (`SHA256withECDSA`). | +| `ECIES` | mobile, server | Asymmetric encryption scheme based on ECC, with `secp256r1` and `X9.63` (`SHA256`) KDF function. | +| `HMAC-SHA256` | mobile, server | MAC algorithm with `SHA256` as underlying has function. Used in various situations across the protocol. | +| `HMAC-SHA512` | server | MAC algorithm with `SHA256` as underlying has function. Currently only used when validating TOTP in proximity OTP feature. | +| `PBKDF2` | mobile | Derivation function, used with `HMAC-SHA1` algorithm (`PBKDF2WithHmacSHA1`) and 10 000 iterations. _Note: Used exclusively for deriving a symmetric encryption key from PIN code on a mobile device, and hence strength of the algorithm is unimportant._ | +| `SHA256` | mobile, server | Hash function. Used in various situations across the protocol. 
| +| `X9.63` | mobile, server | Key derivation function with `SHA256`. Used for deriving keys with random index. | + +### Algorithm Providers + +- Server-Side: [Bouncy Castle](https://www.bouncycastle.org/) +- Client-Side: [OpenSSL](https://openssl-library.org/) (libCrypto) \ No newline at end of file diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 46ead898..a653a6ac 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -27,6 +27,7 @@ - [Activation Code Format](./Activation-Code.md) - [Additional Activation OTP](./Additional-Activation-OTP.md) - [Implementation Details](./Implementation-notes.md) +- [List of Used Algorithms](./List-of-Used-Algorithms.md) - [List of Used Keys](./List-of-used-keys.md) **Tutorials** diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java index 985ce0d2..a4e785fa 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java @@ -43,9 +43,7 @@ public static byte[] concat(byte[]... arrays) { /** * Concatenate multiple byte arrays, including each component size. - * * Sample output byte array structure: [size1][array1][size2][array2] - * * In case byte array is empty, each empty component is encoded as: [0] * * @param arrays Byte arrays to join. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java index 9ff71068..bff3d5a1 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java 
@@ -108,7 +108,7 @@ public DataDigest(int length) throws GenericCryptoException { * @return Digest fo provided data, including seed used to compute that digest. */ public Result generateDigest(List items) { - if (items.size() == 0) { + if (items.isEmpty()) { return null; } try { diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java index bb317a52..ddaf17e8 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java @@ -95,7 +95,7 @@ public static String canonizeGetParameters(String queryString) { signatureBaseString.append(URLEncoder.encode(val, StandardCharsets.UTF_8)); } - return signatureBaseString.length() > 0 ? signatureBaseString.toString() : null; + return !signatureBaseString.isEmpty() ? signatureBaseString.toString() : null; } } From 513039060cd7e9d732bbdca33829ba40cb1e3ddf Mon Sep 17 00:00:00 2001 
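Review bot: The early return in `generateDigest` hands callers `null` for an empty list, but the `@return` line just above it does not mention that, and a `null` `items` argument would still fail with a NullPointerException at `items.isEmpty()`. Because the result carries a digest together with its seed, a caller that skips the null check fails late instead of at the boundary. I would document the contract as `@return Digest of provided data, including the seed used to compute it, or null when items is empty.` and, if a null list can reach this method, widen the guard to `if (items == null || items.isEmpty()) {`. The method body continues past the hunk, so how the `try` block reports failures cannot be judged from here.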
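Review bot: `!signatureBaseString.isEmpty()` in the return of `canonizeGetParameters` relies on `CharSequence.isEmpty()`, which exists only from Java 15, so the line stops compiling if this module is built for an older release; `signatureBaseString` looks like a `StringBuilder` from the `append` and `toString` calls, but its declaration is outside the hunk. If the build targets Java 17 or later this is fine, otherwise `signatureBaseString.length() > 0` should stay. Separately, the method returns `null` rather than an empty string when nothing was appended, and since the value presumably feeds signature computation, both sides must treat that case identically; unless the existing Javadoc already says so, add `@return Canonized query string, or null if no parameters were present.`. The function starts before the hunk.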
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 05:10:06 +0000 Subject: [PATCH 11/21] Bump junit.version from 5.11.0 to 5.11.1 Bumps `junit.version` from 5.11.0 to 5.11.1. Updates `org.junit.jupiter:junit-jupiter-engine` from 5.11.0 to 5.11.1 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.11.0...r5.11.1) Updates `org.junit.jupiter:junit-jupiter-params` from 5.11.0 to 5.11.1 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.11.0...r5.11.1) --- updated-dependencies: - dependency-name: org.junit.jupiter:junit-jupiter-engine dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.junit.jupiter:junit-jupiter-params dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index dbc9c1be..429e575b 100644 --- a/pom.xml +++ b/pom.xml @@ -81,7 +81,7 @@ 3.3.1 3.5.0 2.0.16 - 5.11.0 + 5.11.1 From 24ec9ca21a67a3456b808a80efc4e18af7bfd0f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 05:10:09 +0000 Subject: [PATCH 12/21] Bump com.fasterxml.jackson.core:jackson-databind from 2.17.2 to 2.18.0 Bumps [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) from 2.17.2 to 2.18.0. - [Commits](https://github.com/FasterXML/jackson/commits) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- powerauth-java-crypto/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index c2eccbb1..26942701 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -47,7 +47,7 @@ com.fasterxml.jackson.core jackson-databind - 2.17.2 + 2.18.0 test From 338eafdef75146e2f46e0a6dc7e7f1e34ef88778 Mon Sep 17 00:00:00 2001 From: Roman Strobl Date: Wed, 2 Oct 2024 16:23:01 +0800 Subject: [PATCH 13/21] Fix #651: Create PowerAuth-2024.10 page --- docs/PowerAuth-2024.10.md | 84 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 docs/PowerAuth-2024.10.md diff --git a/docs/PowerAuth-2024.10.md b/docs/PowerAuth-2024.10.md new file mode 100644 index 00000000..34456f5a --- /dev/null +++ b/docs/PowerAuth-2024.10.md 
@@ -0,0 +1,84 @@ +# PowerAuth 2024.10 + + +## Migration guides + +For updating to 2024.10, please follow these migration guides: + +- [PowerAuth Server - Migration from version 1.8.0 to version 1.9.0](https://github.com/wultra/powerauth-server/blob/develop/docs/PowerAuth-Server-1.9.0.md) +- [PowerAuth Push Server - Migration from version 1.8.0 to version 1.9.0](https://github.com/wultra/powerauth-push-server/blob/develop/docs/PowerAuth-Push-Server-1.9.0.md) +- [PowerAuth Web Flow - Migration from version 1.8.0 to version 1.9.0](https://github.com/wultra/powerauth-webflow/blob/develop/docs/Web-Flow-1.9.0.md) + + +## Components for version 2024.10 + + +### Back-End Applications + +| Component | Application Name | Version | Description | +|------------------------|------------------------------|---------|-------------------------------------------------------------| +| PowerAuth Server | `powerauth-java-server.war` | 1.9.0 | Core back-end component for PowerAuth stack. | +| PowerAuth Admin | `powerauth-admin.war` | 1.9.0 | Administration console for PowerAuth Server. | +| PowerAuth Push Server | `powerauth-push-server.war` | 1.9.0 | Simple to deploy push server for APNS and FCM. | +| Enrollment Server | `enrollment-server.war` | 1.9.0 | Enrollment server for PowerAuth. | +| PowerAuth Web Flow | `powerauth-webflow.war` | 1.9.0 | Central web authentication page. | +| PowerAuth Next Step | `powerauth-next-step.war` | 1.9.0 | Authorization server used for PowerAuth Web Flow component. | +| PowerAuth Data Adapter | `powerauth-data-adapter.war` | 1.9.0 | Customization component for PowerAuth Web Flow. | +| PowerAuth Tpp Engine | `powerauth-tpp-engine.war` | 1.9.0 | Third party provider registry and consent engine. 
| + + +### Utilities + +| Component | Application Name | Version | Description | +|-----------------------------|-----------------------------|---------|-----------------------------------------------------------------------------------| +| PowerAuth Command Line Tool | `powerauth-java-cmd.jar` | 1.9.0 | Command line tool for integration testing. | +| User Data Store | `user-data-store.war` | 1.3.0 | Server component which stores clients personal data securely. | +| Liveness Check Proxy | `liveness-check-proxy.war` | 1.0.0 | Server component which is used for biometric liveness check. | +| Mobile Utility Server | `mobile-utility-server.war` | 1.9.0 | Server component for dynamic SSL pinning, text localization, and other utilities. | +| SSL Pinning Tool | `ssl-pinning-tool.jar` | 1.9.0 | A command line utility used to sign SSL certificates for dynamic SSL pinning. | + + +### Mobile Libraries + +| Platform | Package Name | Version | Description | +|--------------------|---------------------------------------------------|---------|---------------------------------------------| +| iOS | `PowerAuth2` | 1.9.0 | A client library for iOS. | +| watchOS | `PowerAuth2ForWatch` | 1.9.0 | A limited library for watchOS. | +| iOS App Extensions | `PowerAuth2ForExtensions` | 1.9.0 | A limited library for iOS App Extensions. | +| Android | `com.wultra.android.powerauth:powerauth-sdk` | 1.9.0 | A client library for Android. | +| React Native | `react-native-powerauth-mobile-sdk` | 2.5.3 | React Native wrapper library for PowerAuth. | +| mToken SDK iOS | `WultraMobileTokenSDK` | 1.11.1 | Mobile Token SDK for the iOS platform. | +| mToken SDK Android | `com.wultra.android.mtokensdk:mtoken-sdk-android` | 1.11.1 | Mobile Token SDK for the Android platform. 
| + + +### Back-End Integration Libraries + +| Component | Library Name | Version | Description | +|-------------------------------------------|-----------------------------------------|---------|-------------------------------------------------------------------------------------------------| +| PowerAuth RESTful Model | `powerauth-restful-model.jar` | 1.9.0 | Model classes for request and response objects used in PowerAuth Standard RESTful API. | +| PowerAuth RESTful API Security for Spring | `powerauth-restful-security-spring.jar` | 1.9.0 | High-level integration libraries for RESTful API security, build for Spring MVC. | +| PowerAuth REST Client for Spring | `powerauth-rest-client-spring.jar` | 1.9.0 | REST service client for PowerAuth Server service. | +| PowerAuth Push Server RESTful Model | `powerauth-push-model.jar` | 1.9.0 | Model classes for request and response objects used in PowerAuth Push Server. | +| PowerAuth Push Server RESTful Client | `powerauth-push-client.jar` | 1.9.0 | Client implementation that simplifies integration with PowerAuth Push Server service. | +| PowerAuth Data Adapter RESTful Model | `powerauth-data-adapter-model.jar` | 1.9.0 | Model classes for request and response objects used in PowerAuth Data Adapter component. | +| PowerAuth Data Adapter Client | `powerauth-data-adapter-client.jar` | 1.9.0 | Client implementation that simplifies integration with PowerAuth Data Adapter custom component. | +| PowerAuth Next Step RESTful Model | `powerauth-nextstep-model.jar` | 1.9.0 | Model classes for request and response objects used in PowerAuth Next Step service. | +| PowerAuth Next Step Client | `powerauth-nextstep-client.jar` | 1.9.0 | Client implementation that simplifies integration with PowerAuth Next Step service. | +| PowerAuth Mobile Token Model | `mtoken-model.jar` | 1.9.0 | Model classes for request and response objects used in PowerAuth Mobile Token. 
| + + +### Technical Dependencies + +| Component | Library Name | Version | Description | +|-------------------------------------|------------------------------|---------|--------------------------------------------------------------------------------------------------| +| PowerAuth Cryptography | `powerauth-java-crypto.jar` | 1.9.0 | Core cryptography implementation of the PowerAuth protocol. | +| PowerAuth HTTP Utilities | `powerauth-java-http.jar` | 1.9.0 | Utilities used for binding PowerAuth cryptography to HTTP technology. | +| PowerAuth Command-Line Tool Library | `powerauth-java-cmd-lib.jar` | 1.9.0 | Library used for implementation of the PowerAuth Command-Line Tool app, useful for unit testing. | +| Wultra Java Networking Objects | `rest-model-base.jar` | 1.11.0 | Base classes for RESTful API networking, shared across all Wultra back-end projects. | +| Wultra REST Client | `rest-client-base.jar` | 1.11.0 | Base RESTful client implementation, shared across all Wultra back-end projects. | +| Wultra Auditing Library | `audit-base.jar` | 1.11.0 | Base auditing library, shared across all Wultra back-end projects. | + + +## Known Issues When Updating From Older Versions + +_No known issues so far._ From 03c958a97c7520f4406728c7f10597c1d9bd0aaf Mon Sep 17 00:00:00 2001 From: Roman Strobl Date: Thu, 3 Oct 2024 15:08:11 +0800 Subject: [PATCH 14/21] Fix #654: Add temporary keys into the list of keys --- docs/List-of-Used-Keys.md | 31 +++++++++++++++++++++++++++++++ docs/List-of-used-keys.md | 30 ------------------------------ docs/_Sidebar.md | 2 +- 3 files changed, 32 insertions(+), 31 deletions(-) create mode 100644 docs/List-of-Used-Keys.md delete mode 100644 docs/List-of-used-keys.md diff --git a/docs/List-of-Used-Keys.md b/docs/List-of-Used-Keys.md new file mode 100644 index 00000000..abcda3ff --- /dev/null +++ b/docs/List-of-Used-Keys.md 
@@ -0,0 +1,31 @@
+# List of Used Keys
+
+The following keys are used in the PowerAuth cryptography scheme.
+
+## Application Scoped Keys
+
+| name | created as | purpose |
+|-----------------------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation). |
+| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). |
+| `APP_KEY` | Application version key | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel. |
+| `APP_SECRET` | Application version secret | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values. |
+| `KEY_ENC_TEMPORARY` | Temporary encryption key pair | Temporary encryption key pair used in end-to-end encryption in application scope. The key pair enhances security by ensuring forward secrecy for encrypted data. |
+
+## Activation Scoped Keys
+
+| name | created as | purpose |
+|----------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `KEY_DEVICE_PRIVATE` | ECDH - private key | Generated on client to allow construction of `KEY_MASTER_SECRET`. |
+| `KEY_DEVICE_PUBLIC` | ECDH - public key | Generated on client to allow construction of `KEY_MASTER_SECRET`. |
+| `KEY_SERVER_PRIVATE` | ECDH - private key | Generated on server to allow construction of `KEY_MASTER_SECRET`. |
+| `KEY_SERVER_PUBLIC` | ECDH - public key | Generated on server to allow construction of `KEY_MASTER_SECRET`. |
+| `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` and then reduced with `ByteUtils.convert32Bto16B()`. |
+| `KEY_SIGNATURE_POSSESSION` | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1)`, used for subsequent request signing. |
+| `KEY_SIGNATURE_KNOWLEDGE` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2)`, used for subsequent request signing. |
+| `KEY_SIGNATURE_BIOMETRY` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the biometry factor, deduced using KDF derivation with `INDEX = 3`, `KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, 3)`, used for subsequent request signing. |
+| `KEY_TRANSPORT` | KDF derived key from `KEY_MASTER_SECRET` | A key deduced using KDF derivation with `INDEX = 1000`, `KEY_TRANSPORT = KDF.derive(KEY_MASTER_SECRET, 1000)`, used for encrypted data transport. This key is used as master transport key for end-to-end encryption key derivation. |
+| `KEY_ENCRYPTION_VAULT` | KDF derived key from `KEY_MASTER_SECRET` | A key deduced using KDF derivation with `INDEX = 2000`, `KEY_ENCRYPTION_VAULT = KDF.derive(KEY_MASTER_SECRET, 2000)`, used for encrypting a vault that stores the secret data, such as `KEY_DEVICE_PRIVATE`. |
+| `KEY_TRANSPORT_IV` | KDF derived key from `KEY_TRANSPORT` | A key deduced using KDF derivation with `INDEX = 3000`, `KEY_ENCRYPTION_IV = KDF.derive(KEY_TRANSPORT, 3000)`, used for derivation of initial vector, that encrypts activation status blob. |
+| `KEY_TRANSPORT_CTR` | KDF derived key from `KEY_TRANSPORT` | A key deduced using KDF derivation with `INDEX = 4000`, `KEY_TRANSPORT_CTR = KDF.derive(KEY_TRANSPORT, 4000)`, used for computing hash from current value of hash-based counter. |
+| `KEY_ENC_TEMPORARY` | Temporary encryption key pair | Temporary encryption key pair used in end-to-end encryption in activation scope. This key pair enhances security by ensuring forward secrecy for encrypted data. |
diff --git a/docs/List-of-used-keys.md b/docs/List-of-used-keys.md
deleted file mode 100644
index 11b322b2..00000000
--- a/docs/List-of-used-keys.md
+++ /dev/null
@@ -1,30 +0,0 @@ -# List of Used Keys - -The following keys are used in the PowerAuth cryptography scheme. - -## Application Scoped Keys - -| name | created as | purpose | -|-----------------------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation). | -| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). | -| `APP_KEY` | Application version key | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel. | -| `APP_SECRET` | Application version secret | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values. | - - -## Activation Scoped Keys - -| name | created as | purpose | -|-----------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `KEY_DEVICE_PRIVATE` | ECDH - private key | Generated on client to allow construction of `KEY_MASTER_SECRET`. | -| `KEY_DEVICE_PUBLIC` | ECDH - public key | Generated on client to allow construction of `KEY_MASTER_SECRET`. | -| `KEY_SERVER_PRIVATE` | ECDH - private key | Generated on server to allow construction of `KEY_MASTER_SECRET`. 
| -| `KEY_SERVER_PUBLIC` | ECDH - public key | Generated on server to allow construction of `KEY_MASTER_SECRET`. | -| `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` and then reduced with `ByteUtils.convert32Bto16B()`. | -| `KEY_SIGNATURE_POSSESSION` | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1)`, used for subsequent request signing. | -| `KEY_SIGNATURE_KNOWLEDGE` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2)`, used for subsequent request signing. | -| `KEY_SIGNATURE_BIOMETRY` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the biometry factor, deduced using KDF derivation with `INDEX = 3`, `KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, 3)`, used for subsequent request signing. | -| `KEY_TRANSPORT` | KDF derived key from `KEY_MASTER_SECRET` | A key deduced using KDF derivation with `INDEX = 1000`, `KEY_TRANSPORT = KDF.derive(KEY_MASTER_SECRET, 1000)`, used for encrypted data transport. This key is used as master transport key for end-to-end encryption key derivation. | -| `KEY_ENCRYPTION_VAULT` | KDF derived key from `KEY_MASTER_SECRET` | A key deduced using KDF derivation with `INDEX = 2000`, `KEY_ENCRYPTION_VAULT = KDF.derive(KEY_MASTER_SECRET, 2000)`, used for encrypting a vault that stores the secret data, such as `KEY_DEVICE_PRIVATE`. 
| -| `KEY_TRANSPORT_IV` | KDF derived key from `KEY_TRANSPORT` | A key deduced using KDF derivation with `INDEX = 3000`, `KEY_ENCRYPTION_IV = KDF.derive(KEY_TRANSPORT, 3000)`, used for derivation of initial vector, that encrypts activation status blob. | -| `KEY_TRANSPORT_CTR` | KDF derived key from `KEY_TRANSPORT` | A key deduced using KDF derivation with `INDEX = 4000`, `KEY_TRANSPORT_CTR = KDF.derive(KEY_TRANSPORT, 4000)`, used for computing hash from current value of hash-based counter. | \ No newline at end of file diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index a653a6ac..9d2cde9c 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -28,7 +28,7 @@ - [Additional Activation OTP](./Additional-Activation-OTP.md) - [Implementation Details](./Implementation-notes.md) - [List of Used Algorithms](./List-of-Used-Algorithms.md) -- [List of Used Keys](./List-of-used-keys.md) +- [List of Used Keys](./List-of-Used-Keys.md) **Tutorials** From 6b0b8a321f2032a8253e0de081df1a7f79ea5e26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roman=20=C5=A0trobl?= Date: Fri, 4 Oct 2024 18:47:30 +0800 Subject: [PATCH 15/21] Fix #646: Update documentation for OTP validation and commit phase parameters (#653) --- docs/Activation-Code.md | 2 +- docs/Activation-via-Activation-Code.md | 4 +- docs/Activation-via-Custom-Credentials.md | 2 +- docs/Activation-via-Recovery-Code.md | 4 +- docs/Activation.md | 2 +- ...on-OTP.md => Advanced-Activation-Flows.md} | 41 +++++++++++++----- docs/_Sidebar.md | 2 +- .../images/arch_activation_lifecycle.png | Bin 85734 -> 109855 bytes 8 files changed, 39 insertions(+), 18 deletions(-) rename docs/{Additional-Activation-OTP.md => Advanced-Activation-Flows.md} (80%) diff --git a/docs/Activation-Code.md b/docs/Activation-Code.md index 6d8562a8..aeace32d 100644 --- a/docs/Activation-Code.md +++ b/docs/Activation-Code.md 
@@ -7,7 +7,7 @@ The PowerAuth protocol 3, defines a new version of activation code, where OTP Notes: -> 1. PowerAuth protocol V2 defines OTP as a part of activation code. It's completely unrelated to an [additional activation OTP](Additional-Activation-OTP.md). +> 1. PowerAuth protocol V2 defines OTP as a part of activation code. It's completely unrelated to an OTP described in chapter [Advanced Activation Flows](Advanced-Activation-Flows). ## Code Construction diff --git a/docs/Activation-via-Activation-Code.md b/docs/Activation-via-Activation-Code.md index ec50b05b..52216ee2 100644 --- a/docs/Activation-via-Activation-Code.md +++ b/docs/Activation-via-Activation-Code.md @@ -117,6 +117,8 @@ Finally, the last diagram shows how the Activation Code Delivery Application pro ![Activation Commit](./resources/images/sequence_activation_commit.png) +Note that the activation commit step can be skipped in case activation is committed during key exchange, as described in chapter [Advanced Activation Flows](./Advanced-Activation-Flows.md). + #### Process Description 1. PowerAuth Mobile SDK displays `H_K_DEVICE_PUBLIC`, so that a user can visually verify the device public key correctness by comparing the `H_K_DEVICE_PUBLIC` value displayed in the Master Front-End Application. @@ -141,5 +143,5 @@ Finally, the last diagram shows how the Activation Code Delivery Application pro - [Activation via Custom Credentials](./Activation-via-Custom-Credentials.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Additional Activation OTP](Additional-Activation-OTP.md) +- [Advanced Activation Flows](Advanced-Activation-Flows) diff --git a/docs/Activation-via-Custom-Credentials.md b/docs/Activation-via-Custom-Credentials.md index c9a9ae4f..15c7751b 100644 --- a/docs/Activation-via-Custom-Credentials.md +++ b/docs/Activation-via-Custom-Credentials.md 
@@ -72,4 +72,4 @@ However, if the particular use case requires different handling, the enrollment - [Activation via Recovery Code](./Activation-via-Recovery-Code.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Additional Activation OTP](Additional-Activation-OTP.md) \ No newline at end of file +- [Advanced Activation Flows](Advanced-Activation-Flows) \ No newline at end of file diff --git a/docs/Activation-via-Recovery-Code.md b/docs/Activation-via-Recovery-Code.md index bb67a19c..914bb3eb 100644 --- a/docs/Activation-via-Recovery-Code.md +++ b/docs/Activation-via-Recovery-Code.md @@ -54,7 +54,7 @@ In the second scenario, the mobile application acts as a replacement for a typic For all cases, we recommend you to implement the following countermeasures: -- Confirm the recovery activation with an [additional activation OTP](Additional-Activation-OTP.md). +- Confirm the recovery activation with an OTP as described in chapter [Advanced Activation Flows](Advanced-Activation-Flows). - Your application should receive a push notification once the activation is recovered on another device. - You should also notify the user via other digital channel, like SMS or e-mail. - You should adequately inform the user about how sensitive Recovery Code and PUK are. @@ -248,4 +248,4 @@ The format of Recovery PUK is very simple: - [Activation via Custom Credentials](./Activation-via-Custom-Credentials.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Additional Activation OTP](Additional-Activation-OTP.md) +- [Advanced Activation Flows](Advanced-Activation-Flows) diff --git a/docs/Activation.md b/docs/Activation.md index 873ba594..6db83f78 100644 --- a/docs/Activation.md +++ b/docs/Activation.md 
@@ -82,4 +82,4 @@ The following diagram shows transitions between activation states: - [Activation via Custom Credentials](./Activation-via-Custom-Credentials.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Additional Activation OTP](Additional-Activation-OTP.md) +- [Advanced Activation Flows](Advanced-Activation-Flows) diff --git a/docs/Additional-Activation-OTP.md b/docs/Advanced-Activation-Flows.md similarity index 80% rename from docs/Additional-Activation-OTP.md rename to docs/Advanced-Activation-Flows.md index 2528ea8a..1c5fabf6 100644 --- a/docs/Additional-Activation-OTP.md +++ b/docs/Advanced-Activation-Flows.md 
@@ -1,22 +1,41 @@ -# Additional Activation OTP +# [Advanced Activation Flows] -This part of the documentation describes in detail how usage of additional activation OTP changes the activation process. So, before you start, you should be familiar with actors and processes defined for the [regular activation](Activation.md). +This part of the documentation describes in detail advanced customizations of the activation process: how the commit phase can be changed as well as usage of additional activation OTP. So, before you start, you should be familiar with actors and processes defined for the [regular activation](Activation.md). -The purpose of additional activation OTP is to help with the user authentication, or with the activation confirmation. The additional OTP can be used either in the early stages of the activation or later when the activation is created and waits for the confirmation in the PENDING_COMMIT state. +Following advanced activation flows are supported: +- [Changing the commit phase of the activation](#changing-the-commit-phase-without-activation-otp) +- [Verification of an additional activation OTP](#additional-user-authentication-using-activation-otp) + +By default, the activation is committed during the `PENDING_COMMIT` status. It is possible to change the activation flow, so that the activation is committed during the key exchange and so it skips the `PENDING_COMMIT` status transition completely and goes directly into `ACTIVE` state. + +The purpose of additional activation OTP is to help with the user authentication, or with the activation confirmation. The additional OTP can be used either in the early stages of the activation or later when the activation is created and waits for the confirmation in the `PENDING_COMMIT` state. We will describe each situation in detail in the separate chapters: -1. [Additional user authentication](#additional-user-authentication) +1. [Changing the commit phase](#changing-the-commit-phase) +2. 
[Additional user authentication using Activation OTP](#additional-user-authentication-using-activation-otp) - [Regular activation with OTP](#regular-activation-with-otp) - [Custom activation with OTP](#custom-activation-with-otp) -2. [Activation confirmation](#activation-confirmation) +3. [Activation confirmation using OTP](#activation-confirmation-using-otp) - [Confirm regular activation with OTP](#confirm-regular-activation-with-otp) - [Confirm custom activation with OTP](#confirm-custom-activation-with-otp) - [Confirm activation recovery with OTP](#confirm-activation-recovery-with-otp) -## Additional User Authentication +## Changing the Commit Phase + +As mentioned before, by default the activation is committed in the `PENDING_COMMIT` state. + +It is possible to change the activation flow, so that the `PENDING_COMMIT` state is skipped and activation becomes `ACTIVE` during key exchange. + +To do so, you can set the `commitPhase` parameter to `ON_KEY_EXCHANGE` when initializing the activation using the init activation method ([`initActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-initactivation). + +In case the `commitPhase` parameter is not specified, or the value is set to `ON_COMMIT`, the activation flow remains standard and waits for an additional commit step after the key exchange. + +The `commitPhase` can be chosen independently on the activation OTP verification. However, the OTP verification can be added as another extra option in either of the commit phases, as described below. + +## Additional User Authentication using Activation OTP In this common scenario, it's expected that the PowerAuth activation is not yet created so that the additional activation OTP can be used in the time of the activation creation as additional user authentication. 
@@ -25,7 +44,7 @@ In this common scenario, it's expected that the PowerAuth activation is not yet 1. User is authenticated in Master Front-End Application and initiates the activation creation process: 1. Master Front-End Application generates random activation OTP. - 1. Master Front-End Application then asks PowerAuth server to create an activation, with using this OTP ([`initActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-initactivation) method, OTP validation set to ON_KEY_EXCHANGE). + 1. Master Front-End Application then asks PowerAuth server to create an activation using the init activation method ([`initActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-initactivation), `commitPhase` parameter is set to `ON_KEY_EXCHANGE` and the `activationOtp` value is set to previously generated OTP). 1. Master Front-End Application then displays QR code, containing an activation code. 1. At the same time, Master Front-End Application initiates the delivery of activation OTP. It's recommended to deliver such code via a dedicated out-of-band channel, for example, via SMS. 
@@ -39,7 +58,7 @@ In this common scenario, it's expected that the PowerAuth activation is not yet 1. Intermediate Server Application receives activation with activation code and OTP: 1. The activation code and OTP are verified by the PowerAuth server in the [`prepareActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-prepareactivation) method. - 1. If the method call succeeds, the activation is set to the ACTIVE state. There's no need to wait for the confirmation. + 1. If the method call succeeds, the activation is set to the `ACTIVE` state. There's no need to wait for the confirmation. 1. In case that received OTP is wrong, the user has a limited number of retry attempts. The activation will be removed after too many failures. 1. The mobile application receives the response from the server and completes the activation on the mobile side. @@ -69,7 +88,7 @@ There are multiple ways how to implement custom activation with an additional au 1. The mobile application receives the response from the server and completes the activation on the mobile side. -## Activation Confirmation +## Activation Confirmation using OTP In this common scenario, an additional activation OTP helps with the final activation confirmation, so the OTP is required in the later stages of the activation process (during the commit). In this case, it doesn't matter how the activation process was initiated. You can confirm regular, custom and also recovery activations with the OTP. 
@@ -78,7 +97,7 @@ In this common scenario, an additional activation OTP helps with the final activ 1. User is authenticated in Master Front-End Application and initiates the activation creation process: 1. Master Front-End Application generates random activation OTP and keeps it temporarily in the database. - 1. Master Front-End Application then asks PowerAuth server to create an activation, with using this OTP ([`initActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-initactivation) method, OTP validation set to ON_COMMIT). + 1. Master Front-End Application then asks PowerAuth server to create an activation using the init activation method ([`initActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-initactivation) method, commit phase is not specified or set to `ON_COMMIT` and the `activationOtp` value is set to previously generated OTP). 1. Master Front-End Application then displays QR code, containing an activation code. 1. In the mobile application: 
@@ -116,7 +135,7 @@ There are multiple ways how to implement custom activation and confirm it with a 1. Intermediate Server Application receives a custom activation request, with username and password: 1. The username and password is verified by the Intermediate Server Application. - 1. If everything's right, then Intermediate Server Application creates activation by calling [`createActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-createactivation). The activation must be set to the PENDING_COMMIT state. + 1. If everything's right, then Intermediate Server Application creates activation by calling [`createActivation`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-createactivation). The activation must be set to the `PENDING_COMMIT` state. 1. Intermediate Server Application generates random activation OTP and update the activation record, by calling [`updateActivationOtp`](https://github.com/wultra/powerauth-server/blob/develop/docs/WebServices-Methods.md#method-updateactivationotp) method. 1. At the same time, Intermediate Server Application initiates the delivery of activation OTP. diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index 9d2cde9c..dfe1a46e 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -25,7 +25,7 @@ - [Basic Definitions](./Basic-definitions.md) - [Activation Code Format](./Activation-Code.md) -- [Additional Activation OTP](./Additional-Activation-OTP.md) +- [Advanced Activation Flows](./Advanced-Activation-Flows) - [Implementation Details](./Implementation-notes.md) - [List of Used Algorithms](./List-of-Used-Algorithms.md) - [List of Used Keys](./List-of-Used-Keys.md) 
diff --git a/docs/resources/images/arch_activation_lifecycle.png b/docs/resources/images/arch_activation_lifecycle.png index a6b7f37338d56e090625e2beb41f602ace921e81..514bd3e11c0cea7f525e74083cf93117709621b6 100644 GIT binary patch literal 109855 zcmeFZbyQqUvp0%EaCaTt-3CvP;O-Iz7~I_@cyPA>!3hxDA-D#2w?Kg4F2U|3&-=V` z?swO{XMOkk@9edPJ>6YhUHz--+SS#2h*VLMK|>}+hJu1ZlYJ|x1_cFc2>GBRAwX(= zfNUW*@~_?+I<9IU4@yU82XiZ1Fr}-PBbXBGX=M%t<+;3;r9E%ZM5wKB+MjBD&4d?Z>dJi{%MBcOM*uTZ2X&~EU zvmk-UW&7?npsn*E)Mr88}Bge&5ft4pw?aa2LJQhPrOq*gLSEDA+ z{1sI`^-H=gZ_xMB&*s|l4SF`^Ut?4C?2B~Ezcj2%$B95^7U@@gycW8Tx-N?T|JIwWei75?rnEf7=EUFU_MO-!iYa3g_Q4NO;ysN4u9=a-V^mdt<;`j5)gd$_HgL@i>2 z$5r`_Qg05Wj?_c-G;&KtMY&D3F$}KvWNzcu2~!7|a8(!E?%VJsQcLl34UfEsr7$egS^CX++_uG7(~Wd~=*CD}uCjLTKSE?!maW@t&j zrW8nrLe72I`-48hONr5EbU;LHk$1j>NxbFDy&0-qwmIC9S(H=G&%0mt1>_gUh3?K6 zLJyYI6O(V1Q$3FL=V7YSHdqG+Ds-#*Wq1wkZ{~ZSu3?^LWb{Q66Ed9?%wRutrkd`4 zyZ`DApg0<>Q$Oas+SiXOLi?Gxdh`0Zy0YokOX6N_{%cQ*PI$eHYx#);U{)YHIZxo* z$Mp-_>ftie=&ZW4<$1<$RZAVR$4l7e2%3e$MePm*6u6uWs)I_%<_;F)r?K z#{G_S&E%+8nj{jwP?{;0-&?>IrJi!cp9&x!qs(8Sj{ z1nfy}oiLDzGAe}bMo;`m`qgcLnWcKlwy@b@JoO|xdG~0vHh$?jB$~Jxp0c&jg7%7u z0S@Vs1IEHn4=G#Vy@U-ez7k>5vC1yU?zw?9iH7{k&YXU_-6v;LDW_D)P3mr#A!*^Z zQB>#U$R>D>^J3shrSMPMd7C-Alj(X#5)CQ}Cdb4X&NcZUqQq6K(K6IE7>tOKMulXB zlwU#-0(ZO5T27CTg!J+ars!JVT}#v3wHntLE_%NeN#7`s^zmf-Q(bj@h;fudU`V~s zi;pi;Q{1^_A>jEWsRU4FWKc8Dk(lL`V1RzRUUp*O0qhuuj}EeA;l#x&olIt6=PJof zafhQCkyc4Yrlpmu8y$P=(!N4qBlo_mTB$(o7)}m2+n$x5HqZ2>Qg!A0Rv`83IJ(?9 znOX$aaUJ8bwV8a0oN-`_Ftz1vb*szlSL?0M`>)?|2AEUW@7cQ)$}UrJcK2ga@tnMt zt2MUbXX8lG3byXVm0B(Q{+WA$;71)Y`gSv1FD;Hg%RzatY{HI6lj^hEU<;eLHDl0q zn;L#JDX=hXmlfeAHHRj*HTa753b>8zoqF@u`{M#YeC8r^hv-w#eEyI*gB|ftB-%Tr zX7pDd2fCv^MfnK4ew1Ghy6X~Wwc$zTthdU-+qq;q60#vrD-_W9dGJF6v#rPDEU=(Y ziV#B}U^NH213J(cHK-xb_nVHeQ4;MZ%)kQ;EK!7p(E9SoUgLJ4;*Mr9?gG4up=kZeknJzow46#!nq8$zym2N@CL3Dt3mZe!{$ZZ~5Ga4Y=P!KE zPk~~L2jFILIbK3%u@TW|8)v}6#r#&4xNk|jGmf+gu-pP==Qo&>9_AW|l<1LODJJ__ zq#NMa_Ms}`tr`!XDQH^3SMNC^vU3$-B5JXW@otXH1sRKJxl~M|w67_DyFDb49g)Mt zPbJg*IcQ*wF^n 
z--K>$O2b2;i@P8L#cQ!Tk+(qK9=~Z7!BuJ=fL>fo%Sd*XNyA|rDEc*w)G-xzVr>b-|p|uP0>Sp4HzBHCn<(s38R;{*{7`@!1U8H$Pc>uaE*GV z4{wCxJcd%0Wv@1Hbix?eF~3wgHIG)y{c&BK#Pth%&#PJ4Qkt{iOt{G|S5KrRl%-Oo z;oDh*n|&TNnB(^|?C@-#1L|zo3)G)xWhB=4UFmz048p9Un9^(th_DO7jde?vzl3w< z_T5qOUhVsPLlcVBD3&>uVL;WtjZH$7t)IaAln@vWg##=5<|auqLXL8saU@8Y=50y5 z7R~)-4LW_dzi-YQbL$Mk^(W<7qS0Zs#2K>b9$j8pFEd4`V`o|}CbAuKgsRergP4$) z*{xEr@4=byYUX=x=h>ukf{l7qLaJEkM)J1_T1;XwAQkUqDbqy}5PQA`&gSG{kKGc2 zgDSfZ2&$JjoWCZ2TUC+DDSeD{)i~Fymu{N9f?w&-AcEB0#*^7q5=afxm|r%bvLU|q z6kGRnF>qQ{@DX1JgQ<(J9dDhmzs#3ZiHRA9IxX&(E6pZMIlLG%TCNtQ2Ap4Bjk9=# zYGAb}j|^MGP6q}=UY@-kzm;ib(i$lPA1JPuH*_B45SN`T)NI1fzIEDsfUeI=EAy10o9n!NTR&ykmifj&*^%dUA&SAH}x(Snq`mp4i)Sm>!+B&Lb>^T?ne3*B$y>K4t$}bNWynqZ(zrP!wILJ z1IArS@JOmO=^U2vwdt}TDk2Sj+0_DJn$I63^jjoWg>gR;m2Jf2?cx$iOufFw6ow^D z!}e1T<#FQP8Jmv_`C#pm=N)N)vuBGeCr8Bm0XKy-($ZVi;DhnE?tZ*l!A6?4@nwU) z9USAGrVa4^ib1O0l0o{Bqa@z0?oP3!$rAjcs`ySM#~>z>G*2zfml6((Ym_v45O5@e zWjkq%5|2#?Y6FWJe);=jVgM|iR>T0(tcu?aXjXY_sCVn0-UD@28!fdrzlCe6JDy7q zh3!oOtO1f6M??ng2iV?MhQC6Jdp_r<#ieFWeUY2n!bB7%Y7a(7g8?(C!=_7com<29 zhzIOg_)J=~^fr@uOTV$2Uvo?$0V#j(h713^wenp$M%0ZYMcA?dmMohJ<nm}_a<+%3hYRCLlqLyQRKqBWJ>Wu?C6DtbLHr(Y+?p?OhWbr)+1a7 zvy>KxK`Jp-A!8AOZcOq9F?0}VJXbIyyibgLF5%l4IK$U?@%jzH6f7a1(O~EW5;0V_ zbL9Z9n6Q8razKlgNd+%@$&cTQ1`G{|);2hTo;5KP1ZLlG4yJ$ZYK6rNHax{0>2IUs zEsS?)Sp&!bw~MN+nVHyR`z7}|E8(9dI?=n{#lFVo9EcXod0nZi-ZOv@XMRyZ16Tcy zf%2jqO}%+;nFPG?sS%$1E3oVmsvN zVMUxtlj6GC9kMX2qf{9AL{~it>Ge3-1X3Im%@G&E6jkD&AiyLFDui6;>oG{Ekb5Ew zHa9B@PBwlT?MmEUC`=Vct!EsUh{@`;PF|WN79fER@k!AzsO}f*b-dkauXFLYeXWU@(DGucQ#_C9_N>t7wJH=V&$QWJeK>+8`(^%#rdp8$dJz2_*7>#xoT*LclGf5_(Kd6zC?h%>;fP9bQREg$v(4XqSm`6Liys$FaXongKv zfM~TntpK8FJLEz7itWC7Y7=@Nq}C*)qc%Fx}Tc(S8H{ISLoNOwxohU_15kP+^BJFubCa0k7%q&I<4KGQ2~Ob@lz($D$KK z4=?)1k+P(|ff*R=SH@)#Y@O{a8kCxT?v~!Q9|At0E0-CoQ@g52R=njnZYHpceBWBN z5V;!p{D?qt*RMP=_5{X3XSY@se1C$Jx3nc~7mAxI+uYG(`0SQr{OQ~NqdSU1h{{>{ zF(AJ+GxsZH0q2jT$PBhOfwQcAyur|M;jpiF%#XjKtiG68ubWz$ebJM6^=dK!l$}Dc 
z_}C$LEc0}Fsi)`s3s1Bi(*r6F`(nUDGDEd09%{sv$qtDezaz2_SI+B^-d)1dqc~UO z8&H)1GrC9=N$e`=jTC!l6&2DoFR$@%5BBV=N?ZUSx|Vp4w^!NZu7{vh?@PedenCX( zq`%BtJk?NBnJ&^IzQZ6~WbK&7$X;@B^Tc8b#I!jjBx5Nh6S1?&u~)v_qs%HPxc;!} zRmaJ3MS3LOCdlc28C?RyP&tOqDOYH-J5UN_4Ml9p1Tbr1Z&@kXLUiBNv22M>?udP< zYNgTxY2hpdcEuMfplikm4J0E5JD$I{B=OV`In6y$(J@VzNuIb9XU1&qF|qs<@1%61 z(mGM2Fd3vrc$ZH{Sm;{n%<;g&r8@2!s5l!zrB&@1!bh?-QNrt5MJ+*B(OEw@-Kb#t z{+;7>JZ!vx*18jjo-Yfo0yS#U?!AZ9}v092mNT=RK`&_h!B zijEsFGhLXlN$z&*sPuXOpAidSSVN7|Y z3s%L&mCD`t2`piRg;+`&9u;AE{HI}1wML}(H$CLaecJ1@Ll!k-NiesQ1VHnI?&yQ_ zf=cz5G8>ZQ&lvu7t&IsFBsud&gm3HRUy|yb-vVaU(;|=R`o2q2$|9=mjH4n_($D)n zy*(wKy3@)*01;z?rS)hDZPXp3eIidwh__V_kO7w0*-`taD(G^eG4!7!!2-Z)7y7dh z##HJSwb)^X@`&p}dG!$%KChtmI27JhZJ873#ZNT$BsegGl++rp!a?zQ6`1eYzwPna z^`Z+?N+Y0oscI5S3)~L4Ykd;s7&&vp-^Vt0JMIDPOSK&q)_9-Q(&p>$w#{q;n>iN|w(>1O_9Chf}tV2hJY-OR`2kF@%XBHqKpzDWO51^G`B3V z66S@TN{Ur4&9+6bW#~beXHiCoqron_hEoFGEE_%b+LUTod!0)Da#xoqH^;6RKOga! z-I?#KbhT_!VNqZFjH+cb{A)hM9|h7sRKsh7PVQvs^u_%PmD&qB#Pcd?%P8V zwG;J_Y&G`;_$e~exm^;2yfj(EGFB$3BAGds5>aLsB1?>H{MW1TauLo|M#M)y>^t#F z0V*`MhJ-7MjaOl5KbO_hfQAHAvTSP@PwI1%h&T=mSbf+|>|?rgB@&*=mc4vD4k)K3 zM>u1Ygr8?a-b+4>7}nmT-+wTZgV&`v6tqf2A`RTic<=s@fYedJow+uu zhKow;%0Z7jTEO_>X6-J08Gfknm~0>6qLi8SgVJcJ#=A*t*#`>n=WMO#%?sXpw@xlLKv4>wquHYii&hd@>4Y5MNVG*B7G<0vwGsX&99 z&cZswXVq}=T&qv|PDiOJ-Xm|gYUXt%B`G}y&wp0GS3!_%oim#>YWFx0!EjrnKa4tE z^Yr^EFD)|#Ys<>w+sX??JeRsj<4ovQ1RF$UEm{&iwOWETUpCaaEn^(cv_fx`rSvIcS4DT;)$^1TYRzVZ!jeZ?W|v$CK-DSk9Wn|QKd?G!NU%h9)} zW(*cVTAJ3V+EYJI;|N<;Lv$k-2`j@)c{Yjav=n%2y)h(xxhb5^8k0VSg3tT4Xvr2< zQT86a(Y0!ZGrjRM!zv{O)2Pe6cGk*3f=Jfl6*`-V0T4j?0iMmouXwdQI;s|mD^I1_ z#7$r+kZSrf?pqS`^a_;3V5+Z|$lqQ=UtVRDZ0X>i8Xd#1BEg}3I(cd)6l1$y1`Hj+ zum;Pi4%%v7HyCi>Fo*C^USmR`9D+HtC8y(=Duf+^j0e#iv5x9g$528Na3m}&UCUCi zrL8Szko@J;h3Jq>cwRLpHQYDpTr`a($Ij$YKL-&+VH?1zvR++H{Oo2i`oi&+iMf6M zIe+X%NB-v>E4D{?c>J(#mrqex3Rn=mr#1XL{i|r!i*&t3-NA55Ofsb*pxvi!-olPk zE}f`)xaG`WOU%C5EGmqGpv_5a7glHX`zdm%5p4JdXGh?T7zkS%=Hx zwy!P?xG=tXY 
zU9;^6T}WryZ0%>y9Gmgs3qJP;I%L-77S0I?21iG~KG1SQ#Z=93C3ol{;QqZE7~0a_67Z3fYP0M7MWLyOMoBG$RZcWd9- z%E0i}H_gm!UKF$98QB2W)Kse$DIQ6584ESV_Nkw@Bb24u(W6YouX zY>>68ke-~1<|I`%DaCVy^X&Jfi+760Z)`;}@uk`UXM0qh3OI~~iwNNHBMC*Kz*q1D z&}3c|!GPA~AFFuEsl_B%`IFGK%rD%*!o6MjWT?KIXwG5q3+V8rXQCySq@z~*A--Z_ zd<7q4k9li(59=HBI2{*#=XhMSIy1!!zG4VV9R+cir6wmD}*E zq2;{9d=S*o@zqnvI~lV^dr?V7_-s(yh`u}yLH-9u_1TXku|d4VOlIp3(0!w-L3F4{ zabMgCsnOZ)Gp8IJl*zv% z#k%&BuMo{qHQtDM(o9R(DCgKHBur%Tb$x85z|6|U)zmQ?*t^22sisUKP;4NhzmDpENs&9ZtRbfvsGltjLeK7Pi=>a9;d7f_JfKq>|S*%g+!p}Iui@i?6;EVTthki^B zHH>&as;1s{=iWe4_q3vH^<>{NahJ-Ob$cKaSCEeZmvbUN?l8o97TQfRv8 zi2|q30e9AYFepDUfxu}xKNjwlC}IsOaJJYjJRkXBc|cT$U9D}>ndXtbnVQjuavri@ z%;>QMp$!e(DCymTeadVck>ep~lQI>bf)j!SFnK52(8+iOG>Gx988GpTX1X&6yiGa- zk+QK7qE(My^#(3eW8r&E=p}e(b5W&2F}lY9taSVvBFb3$(p{?S1(`7HBT{AsfxaQ9 zGG!ZVk*dHZ)!ZtX=0Rb1K!>TmHloyQzB3ioy73Z{Z|p~1isQqAv#043#DiBDr7_%B ztIS%gO}m8|UUs#*8_{D{FP&+NpCyjM`S_|;4(8n(zK;k=;e4xmIm<_1q9ubGV57w0 zcx8DSW>A5iPKAGJCiva%1#!<;H10%XiVub#=H0Kovk~s};0Joo=(o1K%WoMX0Tm&w z3wHx&he#FVoEC9b4&*=Nf+4%D9cf@?zlx9Ix?BDDI{ zG?DUDPXx7&OW79I42c$=s*hO@%IXAf z;f9I6xl>`JJ%_^!2X(pw+dDXG3U}l-9{9i9l^xU}FY=#Mo+1ZOe16iXI?$6LD9o22 z{8-zfAfdu;JzYAs`z~_`tU@a=%;Q=M40vcFZ0|NHqlncVQ-7gmIYhc#R|>zmQ_%sY zs^aZ7gDacH;l0T4$AHbAIpD_oDd^P%jTgFv8l z)T<`M#Ei7afH*ahzDUKD&30u{5LlO1ls-1YRpPr$B{O-a6I%<**=R(@*eH%nM86sV zv*GBsVrgMTQcd3Mi_njQOna>3dJW^tw>#{p1Xn5G${A8A=4A?_tqN zk6!$YsCioGSq~@up62V+RK85tCZD6z+ElX0rZXa;KbM)hdl98#o(|ml#D3OA*CZ>Z z-lezA>Gl=$kec>SlFdy>{!aC#b)xN|&FA4(p{h8m8Vhrh;YwF;Qe;PauSW9oQ8_>1k(c?*jA`0sP?$gna*9%?_aaL*i;9 z0?<)Zp?u@u45s8^<6+}qmGZQ5=K_c#QwlqqnFG}%rT@VKQW61Jy1F_7+1WijJlH(A z*&LiL*f|9S1=%^c*txh^Ar!1GUiPjaPgZ*u>fbE>;vorkF?F_bbhUD@r~J(mWa8lF zDgppN+A05*&(2X%@t^GNUH*Xr1P^vkkRv-M8wb0c9s9rcaB-D#hcNkvK>y1gE*g;6 zGuYL@E)H(areG;|u)Qnwzq2qi{bzqiH)q>F(=jt;2it<}AfzskQ91u(NEum0m4Ej5 z4S|J~o#UTg5U~G)($&iRUts-*Y`GGP@oGvhVmGUMkn0fYXH zm8`vsE6Cmy{F@boIhz%P515~qg9mJC&dSHh!^_IUZ)V0S2of-7H8l}1H!%TmbD5e6 z{u>KrXDf(Rf^7d?s^6^4AguT}%>+#aOifuqd|)0{9uUMj1WY(NSh;vPxcCG>`~oJX 
z=6_h3nF6I9ob5mmbz0ehEWqrJ_7;B{egh7aP>~e@aItaxt475ZJ>WPGnbRevohb+FT4rN4@{ zR)5wKCFP%00R)-;H3b)tJJ{@xoDg1rHJMt1>@C0$_wf&V{kz`ke_;zeU@l%09&TP% zelA`RD-Rb$m4XlpV>RXD;OFKwH{&t^^ZzGz7YB1!50Eoh!UBRL1S^Pr{=tfp;V(@w z{wKMICHS`*Ac(O-?BZXD3H$>w_J7Qn{kPZnd&|2I&C{}B9}n}PKEs}AD6Al{Ju zpYHGiE*|Hr!i ze}fD8UmGg0JtPeBfNYmC4`l}-TP*|=c^OHl0H`h~C>(n|DoD*M$G5sJP*5m1zdz7W znI8!um58pgic*OC$gnVibTuP7j8IUNP_mK|8lKBXYhDH#*Uy9J3mG5_6$z;>zu?u^ zWMd*VJgj+K4pI9Pt-6jY?M10S8Vc)M@pRTk-^)2HyvHBG<>KWYRg;$)p@rx6aD1nu zneO5rK)It=Y{GWBx6K)cZ9aZ+O?jC!aqHU=2G+#~{JGQ^ZHZy9{#>DK|9My4$Np3C zU+-A|mGJNKe>1)WCqA3VZEdk}R8 z{S750CG+GZC3hx5D*ZZZSAUrFo=lr|IyoYCvb+T4^8H|Th1Pj+`pO-)(6JWuc?uKj zkBEZDEKa2n!ZWeCRRjZ58)rBD8|JF6`|${`x>kn|1nV+d4q(s?Pl9pDfc;atMYt3! znt}LO_esJ$Z~y>7Q%FdN>GMOHfKH!(+4obIBMYyv5)6Mn2B60KP^qafuXcXH6rzoj zLg}`gRRPM>^m*QMo-U@PH}m}OxF#B6{W@ZP61t%o>V<8Z+L^ldsE^**N7wA?r~YW# zii|XEsl1tb;9BAn3Mw)8nOW57Z5p|-y6lt8`MK5Gnq)TvRW0zbExn$fE+OYwHY;6d zUk#W&A$rBi=+KGC@H zXgR60oLFrRT}R3`{gymQ-Qw(coVfnbiyGF%)Y5R9gPC4zME_8pas7;Pwn0Ah*$Icac`58On&9h*CUw9e112| zC--IiNk(mtdk0OG_S{bFBOO?%A)tzb?R&7yr0KeuH%t%y8XstU&uP7w%xh= zk_O9kbZZ~pCOoXsUwKj>2R>yrfxR_!+a{U?(ZrvY*Ri}W2iZ=MBW{-u)F7*aemqrc<*&O=|5n$519@Zs8&*P3Pju31M%{ zuE#e2QDuBV{pRhREx)4ohIn6xl`!`OtQG~Z^2Q7=KB*y*R^7ayj3FDL9mWA-; zIJ5Eg)8>jt2h19*&T8nes0cEeWzWSn_ z3@J0e7v8p~@~tziO>C@tZjGPVSP6AzpjLSfJ95v(SU+xiJaS`)NQs!TXTlSMn`6H7 z7^Hlyf*aSL^Vy{-VsEPH@8#Eb?v+3Md{{*kUT215=Z;HJC*R9^#m==Rh}&DOTDQSX z6LTcD$tcRkg9@uZ<}aMYlUNyqa37V_{G_qcet_2coIL821w5BrzU-Sl?-DT+bP(~S zIL)G)-!eg7bAMlUN0z~6)jNa3;G|ybMJJ16z|;C-XVg:c>n`*cAYCdwP@0SxGi zV0u`z`-P3A5hZ=xHu=Q|mpLHJm|aL>Y#DP4O#M=}er2f#-@7^-wB|+lJXfk(0?*p& zPJfX3!?p^i>s8GFlL`31rTy#F@Z_rruIiTHb~>SSZl)~O2Nu0h(kEotUZ^;&H=ZKr zMjz*nk3KgA>6+r#SP#0{D*NRqe|Wf9MU0za?nB{rpj9UihWMqD)~|sxl5MQM5L^|s(r6q z6oo1t4zeXEN2l1G>}zW_|6U`b+UyG(xBkLEAeyQCE!jy}poZ{~WNI%6uGO1Z#RLQ` z?Il_}w{w7)^W${b;d0lMqPA%^IP)0cqEB6vUV0_i=I+-_3=g?*n0{7DDA!AwglF4A zE&as%`0YVhVVm$7%F?69vU#NLnXe)3?-gy|Rg<__01Hf}1>G%EHIoNmQpa*d2&fP99$%&XRt-PccRZLhUVs1LTmfo_hl@7noO 
z$j}gG@@mLjY!J4k$BPb0C^-2Y+4Tc5WG;rZWyg<(f}evHg?%Hu95EAOvE^3rjX_JW zR!c<)DD=Tr&;Ez6dX4zvY94h(JDbKT-5A$YQ4aUUY{e|Gjx09U>%wwt*CtU>JAslR zy{kW#jyh}jBzEnc`O^YR$Q(MM+Rp~P7O1bvY*f{(O+cV6`LF0$N9p(M(&NY9NGQf= z9Z$9VGtx$fw3CL9F1Yx^Jhu)5du4h)YSw@BAoow{rG6RNE07;vYmQdVrRa^ybGu4o@Pzn9;TT(uUfah%qp&P{ zd+Eav5v9H}Fy`4>vK$4m{v;;;)=jPr3h;*3HL~;aJnO_JBo?iGne@Hr7rncUe}ucE%c?l_FX`*6$1_*Q0HA z9kA5CogWdu^=>$DLD zq)56xP@rnmFV?S10*3+Z`ZkzPK5%NxmWU2YN_5Q@u%oOf!v?3az5a9O!fZ=~(5%gL zt#onizu;a8idd=am<-H@9+f;hq||+&Pt$C5)W^$4h(f;Lh_Swd9MX<_5-p51>ih1d zxWCd!J|~R4Sno|Osy$znxfV9ph&Bx2&AfgyzpU;(F;dFH?J-oM8zk6et-)TX-g11! z9=}D70Ah-X=g23C;}*X=Q`7^@Xbz#B{XxhEUl$9_bGoWxk0a00g#_hP?oCfv$* zW8J$8GX=6K>RP(14-0j_j9n^Er$U$z7D+qn#^{1PwQb}E(HjKo{W)Da^dw|G`7<*P zm$df05!}j^ReJd(wU+u;F)V66n`78p8p=5x8(keb(~g(g^Kdj(KOR~sczG~g&g0?C zR!|!PdQ0)ALmYF_MssgC>jIXQRUTG|o);;Ba6Tr4{Fq3jBLCIvPZ zeOl4&^@oeQ%73oV!Lh@RwqHM{>xZv%ez97t#}Qf90>3Qx`<{236&JQGZfT}9X0Oc9 zOyXn}Fy-i{IhF1it}f>T=d1;W4C@ny+P3#~C$v-8AW`Xq&2%jbYZDc~8Ovs&k_<{d zjqR)1_;4)?YOg@&3QyD7(&UO)ixKua;pNDg;|P0Qe8PcTbbySJJ5@AaD)@1$Mq^+D z;*x&6o1=|zYACyWk;`jC2v;F%$;x(jQ16UrBTM}(N8y%CJb1tpWI7ZYf_IxRV$Tr&+ zH)c0VbcykN`2=0zQrjXJeLom*_Z(>7g#TB7e7`p77Kk=NP-EP0{$X4|j8MaBHA=sY zzwh+DVAWIeI#I99#z_|(N7-ca!WUNu&oCLC+Q^KFIPk$TfTgQ+I^C$ry(BM}jSB0} z79c^LLtdVt!FKT|aD@eh-h!|dhS=lB@{qAGd$RqHT_vpv$XTD}k38nU0mCX+cA6r!>?}< zLw6GDu&CLHbpeTTewn_=xL&<*T2J%aRx%W1;M(iWgZi|9Xi@z*1-{? zn(I)Ru4IMx#r)f(kC%%Vbm{|?jfIk#>#E%Eh@3EPZ%dY*Kb6p>DR~bzoY5&UKV-jWfyvYg8g@F89rI zNqQ^u`*f0nI=~ef%rR?lKut&mV?` zxoCnW-1+lv(XfuPZcwSkbjI>FRxm_oTgrqI*7?djo=KV-FuF&Udw=ya>$F^Bb{Gkz z^Lydjd{YWBL@7SIQA=WqeN*xA5$O%KsHsQN`YL8koYh41PH--nr0c1;2nGh=SKqWy zJMw(aHH%SABI|?VMQTTX!G!tug+1u7b+XXY?~-An_l$=aKa&0*;^9LzT&xyMFH5A~ zo|eo=DC&i+;#=1Oj@RVRIMBNI+E@O>O+LmY;iSS>Y{Y9XeC!)b@1a&ejsEx8Z*qwT z3zbft)H{Fq3fQqRo9a)SYtyNB29Ybjlc8q68+Hv|>yqYV7L^A{%n5mdAA4O<>zlt? 
zIB2C~35+T#$Y%zYPd&9iU1ZlIRXceernU22F%Ep4$%vD7D_T}{d8x=xDHOfsBguY~ zadsr0DRg03Yl>b_+f+SaJKCszJXme&Fdv4*PI3=<-ArbNiLi*SnB<5rK=1lM<_V*O z(*w-Hx^e`lJCfYj;z^O&SdVbohsz;bB$YA3aUUg;x|ugQiEU3@Ze)LTG8NuPWz_7V zxVp%>IC48923C%nYUi!s=e5Is(tB{;^LsI!pUAed4U{RTYR~axA3t!vnO*6s;Ed8~ zs1rkbeeG2i@y87rn6O-U*qStnyg&2q0N?Tv@d}8T6Ux{BJ|tz%#IwQF%{JLsH*hU>Ykerr#Y2_(7w}^cI4@rhho1E& zs9_@1W)6f-kvU{Ye`G93LVheqQne9#y_s2c?`mp_5Z97o4vny>JV)uUYI7TZEA+q# z#ZrE>UVedTk@~b`-?Zf?h5Mw}{^lEjJkjPQN^V7k^l15)rJRhRfq`Hm7aQ(x?%FAo z4*WK^J0K@BADI&*?hz$IA)leAenrRJUvNuMsE@=v1)+NnwoAI=rX-&8=p_;=OI7D( zysyt(*{Q1D;-E_XwGq9da(qMA?V=S^BXsTdJ$#ZNDwh_orhqQd-FFR z7Kk{?;uB79Xu41yvpvq=R<-KT7Nz6s;NQ(3igQnx#x)c+2L?A1YoMHUK~*GvJz7RH zcY1ZQu{42`8=WVk$?i+$*j#8!o(pba6p|$IoGn;UJoY*cz4Zd!n)A&aPV6&(72vp~ zY$TpTI^%$fO8nZk7$fTxNzyxlDArpzdyK$RQHwLMs~QZ%%GvSne6I*gZMg%k-75)Y zaeCLCtr%R*UJYtp1Lw_FGl=*iHI0!tV7wtH_=kabqqb*W@7$PwZcpIIoYn`_fX6@w z3*npAC@(`<&D<9#>$=U!Lo2N~7kWZe?<&)UFW`&K*qBG>0gQ z`bH`Ho_->rD<11IN9iG&$pvD>>~%l*7rN{lrH<-{S!|>=7Y89S+Xk+bS$qZCsKe!493cD-@cvXh=?#~S5s4iiinDOI5bI}gEs_28c_EYYo>YAmoJ?MU6CjH_>WA_U)U8$~2t7O=g1>s#t$Yx4P z=;@a@jzV?TcGNBof%Z#_S`px6le*vQ9---$jx013?(~~6cWc+!A6t0=1#a;a-Cy$e z=ex{CE~+y4ei#;y>&rN)a0A^VX+}>McR+XZd5USwXOC{8MDJKY4vyOP9l-QpXuHUh zspRF7)j0aFEt%tp0nf+G;d(Dbt2rU;xOa8u`;%!(ZhoA;uaVBb0Y+}M$cd&S^^6cY z+?FSQAS?T4=XMjw-(as^n^&TXz7=1w^yaY>FTkH$dND=F{entYCW9$>D7-(}gri8@ zly4`(-^rFUnEyrdC(w+i;PgZxq9i7GMXQ$a%=%a3tL_mfZU+&u-T6EZ1^Lk;Muo>b z;2LmlP#Ka{gy5@_TJ&lYl4GiIKVF8ecKtbxvT4b(N=v)B75aqhaK}0V)B9=qA`lD$ zJ-Tmb{y5$xJ?ZVKWqL`6#B)`7KSKckXLO=Pk+1$QL@C)UOx%-XZCNfrdt?IuAdT%h z1@He;0yjbaeJjDYQ|A@~C^IlvRYm2j#E68LSWZWW5Nc~{3l0v>Qd|m>2!&)q*~ISe z@0$(SYU}ETzkLJn^QRph9my?edttf&vjs@eAvtB-q2HvxX~*JIGBP4Zen7}>G2Xe* zbu-Y@?}gay?d~RKW$CL*2mzx*!^3f~u!3fOYG6X{SPAlBAl=j=Q1jJ~ot;hRmZ6~` z0je`nvWlMG-d89n6xUT)3uj_xS&@$jTPJq1)%Rgpn}lF3R#A*fU~ z!?JEnEJ&c4c*)Amopg2Ox;v2@&~y7yiGHokWALXdB(Hs*MrNv|g}=14WM*NZt>7Z8 z$q*eIJD)81S4ugQ?cV0c-d<8pj*_0V>@(WtO_I(>#uFcF)=XsSoZGEwi|$Kc=3>! 
zm>8QOCt%zK6&ksn%#Sk+(a9D$N6C!re-JuDz+m~lz0F)aDVVJkhDLIe*67non7nbB znv>%{detj`-@*S^{vHBu()7%X*RP)?(2BIeBoHKLXJ<{9C)1jy*&W2#{~kLn1Cj{; z;FH|yajNutEPV?`dirokHdaktJ?^u=)j{4r5L^J$h>7K5QAZ~uOZS)p(xt)hpot-&`VNg`shyM)a2=xEiFkKFA6Sd{^g7Hd-|Gv7dMtg@=QKq%LHmv3+lduYurPk?hgtB0w5V#Jx*%Z!R{%C2B0?4m=%yN|_lG znD-|*jrNLh@JNQ|Es!(yUR%x%^S5ySNSkGT@woW8f|Ut{J*Q!L`gE6Xw*KAXwol`p zA<-5y6;%)sx4A}rl1Ga{-@pK5@#Iq=39>@e^t+Uja$WK+D4b#FQ z3+Ds>GK3-|G&K8+)TJtleQ(#aE~DbvmfQwC$Ebf`wIx%q&Z4$V`0stH53z+~AwE2b zzwvIx>5`5yG=foso{QZ=m_YPKj%g+x!Sd>CozUqw9DICfXJ@X+$jFeeFf|nwaXC3; zPEO9j`i}&HIS{2$QwKwI0YT?QPDC`7-Gg*7dirix<5q@-UuURjBFA?8Z*HR6qCc63g`M%8E_11V20xX__WPV>}YSD0W>jGm>pZ6?MQ<1TW6!Y}mx#Ie<* zG(21e&dU@EJ~!`l5#8eRQ%C(nbSCa z6rG#3uDCn|{$HfMRahKbv@J|RfZ!nzToMQp++C6oAZUl+u8q691b24}K^k{=3k@_9 z+}+*XZjrtB`R~KIPk+7eHB=YXYt@=_%rVAXU4!Fsfi~pXf_#Zgy=yR8yBb8qAI;UG zI@B_En0VIp3Nb=T&ph*!cC$YYM5uG>vSlM=Qk2ajicES}slDu?+;|#OD&vZ*WokT9 z@IH+=RWLY{$rDP7-A}RE4Ay$bW2#tYHesj8{R`i2$XxwR@{r@|Dn9=SdW&jn#M~j( zaaUw}sFa#y=DLAgH+On!Lx@4`yl^Y-?|#?gXQb&>KYrM%5Axl3lmZI`j@k3UO`0cG zE;uMCKQY{m_f2UG0;By94i?t+u9MMAS}kBUfyfWn+Nf>OTZ)=kUJ+}OrW6y^5XGSB zaAIJ{E?&;{pBJEv`@p26wBpCmcieC1;Y#?AR$|YKXSb(a5e$6cJ1rn8DKDGMuGPmI zk)#XpW0R>Y_VCl~w;c2wHKh{=e-sPU=ghDQKH6c2S-3~vlql8PhLhbt-lIg=Vg7Cz z^!dH$(dO^2Gv@?0H`78K%>t=?Zlbr5;));eau;I09~C&mzsK!#nd~w+&#FF5o4agP zxtptJK_smrJmC$xZa-C^;ep4v3?$Fll$cgE5lhlc# z%<^#n)zQjX;a37HOk~Wv{^nA_ZdNts<_r(NS&BPmDOA*>eZF|d^oIByhnU2&=DC}- z$DYvre(Cj1b2etQBa=(e>x@R9?uE!!?jWe(hulM3vLmO`S55u=iZafr0aQ&rXN6RM zY!)q~7GM4_;rQjAU||=b+B@`ORY81GQ3_8yqM`8H^x8Bc0kT-e%K@i_Z>-h-%Tp?mgN_mFNIrR z=g`IG$Zb?kxr$@4je`P_jNQ~1GjOgP$=qt+Mj>W9YATzaJ|{s|x!`9Gd;XuoFxWeUwXKpEk%fLz4OvyHericwAAoI8bH%}8h_9f^uRaxa6obTT)GmcY*i(T6Dz&mtyLEr zo`P^0e6S4hleE&Zrk3{Eqc2OUn+K26bkeRLz2oAvwB!%RWE6aOF~ffp8bJa!) 
z1K23Aq1m>wY36y0zSFD-&$pbIWV)opU$V1&U)L&dDqeh4bzlTv)J660-yo6=pz9w_ zXeB1_M=Qm!ZJ(Tkjg_oLQ1?NIMa9HoVq?4Ru201!B`JW1+Sm8RdJ$R~5k&8a$eo>iGevEBx@v z!Cu;8dod|F{d^0@o$}gvh?&*+^lW@&8Z zG6mb$qpcW1;hvGV4;?ByT@j|EO5P9iIPUh*m9KYFj+O)PYWSL|_Ikg#4WqKfsB zUN}wUSZH$;1SHafBn?igc=}UP1`}W?FOBhSgwSRup8spFBey*#~}cMjgJ$^lCL|kWuHI4FWOZh00`+6g6w;V>LwaH$N}@ z(9S0(gVNu23mxWM_7HDZcvQCB0L5Um@|^vFyDxe zR;9ob{b28ozUQqYzu5RgBkGc^N{jm$C*L?Z?{Le6NBoe)=B}2R`Y>0rVtmTYr0A*{ zsZ7Yu?KR6Po8rXYpuPP?xvr%^Nn;BGLy4KBz-1|YdTn5_LL;mGnbE-k@ej!U+gU{m z@}r%WD&*siw)d9z5o;6M(*1E9KzHjjG5g+>PmRK5rNc3v8?!UYb_t2oxVhw}gFScI zm7GV*$~)4=dgSpRDcCA>0i_9iTQ<_@9{2i$LgQxQ`*VJ7wZ8-CEM2^!9=Al`wTQZx z)9&2XnoRdJe*ce#W)|*mw>KPLa64IX6@r<_Pf0R~!L(DeFLg^*oj3ZPI0OAO>EhVT zV}|U@?QFp5)K3gg@!RXNGUl7h!=dHQ0F`Q!Hz}Ovu5@HfNC=`Ee+jkbXy;&UN(=Dqfu2{TwH#;XFZWG>KORLCZOzXAZ;PF!-bgo%lXNJ1x(WmA++ zr+=DmGgo~oF-ZkZ9Z;+?N)^~CJWqg$xViBIl_)@GFgVd|O3BE`h-9IE8wZ}WFKfC# zMG516HaUv|g~juPRJrvq&hAhGpU&mHJQpC^npizmy^P-q?9%iKYeac4!%r8M+Mc{} zNMc9Z{v+6}#s|9XsE%wl8@THI;MMeTO zZ;J=b6ORNG%M4;l^@Dsvs#W`rZ0062-mf_a+|tYCCco=H!>P3GRK+cw>1&7SvgY?* zjN7U-(WGc3i1odH`_>Dn!vSu=AE>^8+9fd&AELZZqbLp>sA;$2Qc@ zSty5wg;8>FRR7v}Lq--cA%q8v(Y2{@T8Zsi5g)E9<=&kR%8<|{2C9S8X!h)4-Q`1L zU2Y~OPbIdKNex$67>8RUeFi5;N`KG3Izqf(u|1;cbjtJiar0EY`Is`=0M|CKyz6l` zqE@sfOH~@F#{J_mVv9tY)J~}7v`Q9ZO%nE9?Z!G_bbkWuVWkM5?TGFQFTceba(hU!2Uoqtit?9UQS*77Jlj)Nl#bex-q!ThtP|A>KC2po5 z5;J^1OrLkXyrZMzE8t`RNP^f{9H5j09-Q}7RKTLkBvX8P+)e?;!1k?>Q0p(}Pj+@^ z1m;=#lDw;;O#?NGKF(JUYRHS}-Po8Q?PWnOS5Eq6h-EIDqZT*Uyg=e^=}TT69qmGG zB2y2Wau2A^^U^Ju02flHFK6#+9Jv+DJgRP?u2SwzMAvN46F+TBWx##6VVsw9bhiC3-!r^i%3c+azYOXOc`UI!D8l3Q-8@!yzHdAO5mZ_UeI zG0Ny~#bi|U9)#7OxC^Q_p<_M@sQAwZOT5fjT;CacrtR-8(BR>jX71Ud zHV=$KxvuGDTtfdhhnWnNrvu(HMQ9k*+`pAqU{-p|rd0&nOrO+TFNyb9lhGQQ45GW@ zD5XGxc=n}}W;vTGTbj(!-&9|$58ggN6Of{Vwk=k-w^65NPH_tuZc{;A94iyU@95o} z-uMt-gl0q`VnVueVb$ew5`3i!bNAEhBn@!D zI6Xa$3=GA;PS$Pe@j1;B3pAfb4@Cnn0tlsWh-mm$21I2jQ}xc&7rE%jrymM+rhSM; zS;q#(Qk(HPL1u#0d7A5vC^3rD^1O|*7sRmVXyJu{&cjbgm|e*4!z!u1F3T0yPA5FF 
z#xZ}3ok67zR3>c61e`h0oTPy2pm!i;C@;mE6+XT9dV9B^0lCvgY)azTFh`Pw#3#Fis}(Vo1f?3 zTwYkd2mh-}PD=4#aHA$vzU$5?ihgThg!6e?Ul<+}#6%--c^Rq^`uzEGfD-N8wu_F8 z{8k>X{`vEBfGsC{3#>&fzYn4!e95k=@qK z*F1~6)kbo4AY#%xU!06>Lw`mk^rmOvR&==|I0DR)YVmGhK1W)R1KVSdy; zez2hr!HYV~b?y^n1%&^GD-@F999wrw9XY>qcxI}G(5Mq2gz`#^R>S|PQOaKMO`uEPS(P;gGN7|CXV;>x`0;D!D`IH#B?}r6XIoWx)5L-osn5+f z+fj1dQo1fa8s9Qi42g@q_DTzl0-cp^FN!$MlzDh7C11wId3c)4u>ya#Tp@c8;vt{Q z`w;6aGVPwcZKn&8evb2f{FdUad7&R9i|(+UA2T=;w`>^9V$Z z>@iOqalSWu(0IHf3EEchLkI#L?WxH*ZRTLz?Y62hOG?uRPoLZ;+?Ab2KF0?ulxE?{ zrwe%sKC$Ltu(8!zT_jjXh1xX{j435mc(*M0J8SQDf+Zrx40{)p%MAqjkPuo8!*>8< z4^Z%{R@{Rw$?=BsMxvCsEY>To`W{LMn*&44F4|1wZs-o|Mv{e`=g4zeuX#7SKj|8N%kGOIVw}R3$eEAxS7@~0d2X6kiDACtf=g5iYGq3G0VOT7$be`aUOU zDRURAtzoSwUF>+>Fa()3BovTx7Ss@RoPvm?oD6xj_RV^#FQB8;(G}(JXrF_>y3 zPF|nu$n`@q*gVKHlE((LWHi-748j940{S5 z*y9z5kvjX*mDGKHOavJE?fc|vdPy>-^h`i4>W&}-0ZA935jPsFf-eegDy%G{hwr?S zltBrJIh>^z2sJ+K5ayU0Rb0@9@5_BlMMaffyX_B5x^H(u)-QE88@W{=o=$uOE^Iuk zHd+}OACG9|5b{pRp`fHn{tOSHq#}lQy~UgqMcq?TU7Z-9o`D((kjntt8PE;UL!WG9 zpC`5G0Dg0BPW`j6Ft8R0U)AS{h=@c1YTM<({0ADEw}OJ2rY=vOGa9@5>b^pClX`}P z;1epMPJeXZwn)0Wy9;{#|Gg9i8yhzFY>6K^Ui#FO@`C51J8;$B!9glP!Ioc=kf*a~ z?9%X5R8(+qa9)v;$|x%*B7R|f!oENdP?X|w1B581DFc>&(n7*dKw*NLhfyX}twM+l z^z~nnk%0j0`Y#wRw21>TJV}MxJ(P!A+x|NiG{F0Q{ZZHsKTyR7P|mX`SjX`w`uO~} zzu>uWBo@RVKl!cHIFu-$MW^-*Z6D(Xcz%mzlxi3iJr`Tz|cei3ltu3{t+`#QTYP^ zn-~KLP=~spP$hZ)f1veRRcxy_8h}9P>80SwZBhdRU;dSe`XcaIKAW%qbCOI(18(qL z`AN+QAQZrPn9`NrHvJs}NkDWP%mj+E|M_s+u%RJpK0dWf$u&@5a4g1l9*Y29);^I%TY;^QzfVBk#nuOoiN~aA$ zrbPS_K5ZLUu1c9>8lN9B@6Bc|*^*MAF-j*qKFNvtxb}{I1w&jSDmw9AwE-?x4GBwIK(rckrfx^HCw&a`l@2v{X^2j6rnlcA%D#K zWsh({+)*3bytB8iD7Gr~_ogk2SP)b#;7&6ofuVCF5_IDRi2e7Jlq>-442YH1y&1OB z8K36HH|#NR4wp}hkj)scqTzwE;o1BUrOiQCS65_gtZ(OX z9X+AxnK^H8^oX#OCRXRny&es%MqBvGV};oy@SEvWj@xwpWsV#J&fU|8fxdmzmxVJg z8;7?*hqb|*=VPd7o3qkn6>OfUQSX}R&iN$=%xc~=w{H^N91Ztbe|b@xWxJ)Xar776 zK_L8A+a8Qjwok|>DapB)Yy9YROSHM|rAOaDHo%&JS{I<5?U^IGa}%YWH`V*X{@>i{ zyvAKK);H5ojg^}z7cMR~*PA9u@L?18yMbu+qIiu!)Wb^Fyg~}M_yxFf8$P@7>9Cot 
z;TGi-eeg@ePEkzlnO#WV@b)nx7)hd3Ge|qSFDnT9y5+IL8QuaZRIxIwaHucqG3>p- zY2ercH7+4tFhck!HY&Vv{3P?^CNxNLTE+ zHkrSr?;)`3IDOdCEOZIa9JBI0*-kcuqoGfOZn&#d<&B3O+JGMOK$i>Utlcb|Cio^? zz)bx5b58vv!5Zp{9e<~Xk#}LW&)maV^r?2wM!aC!eg6)E?5)Ygmc6f^jNquNW06HM ziW(N~apg9yqWjIll{sK1nf zrhrJz81Ghrkl?8{StuSSJBEyA=sakq0d&s+z}~Z{DaikMLSSl8(r)z8@!94<&yX=L zH?B|wqwm#1yRjh-!$!>a_I@X-`BCS58p>}WUUOBZ++2&dh7Pq2f`Z@6Mm4y*^%xsBU zFvo1GVejCr-Lt0w0X#YotOh%wr@Kl0#pUd(LORLml(-cbaCA;65_J2D@3fYAb@Q>z z;ZY9awhwak$38P9Y2a!JyGMG2*7EpxFIrkzgNxJGNT)t(_To{yd5)LVSE1~F9xVV> z9JEad@n4J@XUjei!&rIbT_V#E)Dq*)abXSu*{yB>2+P8c2dfbJ$Am;gKmp%JV&c~) zb?{5}Yme^FdUEWqY=(QK!zg%oRN&u{lS4#CQ9Z?+H#>k}jQ%&hKBWiAb!qmGm;XAz zKTq;NZtI`I`V%q4@5@*`1kn0_hdu7&rR`Hl{u`7>2!Yl)-~bY1kd3YFv-#2gPTN$! z9{U{7nfYYV0S>31ML-+Hi}#NK9SHNZG&FGR&HwW!KiK;7 z|L^5seQIiI@FV8Smw&we-U5Iz>a)-PyV1heBpN^$+0!Ar#S4AvD0@2mN+jeL7#EhU zjF|s^ptT~vmK&bqa7?~Abbq-x)D=XCRDZ>P_D7iT#ou?z0a-Ft2(b0Mr=~W23%qA7 zI(OR-Dx32}!aXfp+8`iz{P(%#*Z=3=WOMxWod9E2_}Vz^pGI5Rt%5Iro9gM(zyZ9X z2eK|4P>7lSb2q@b6;Ix)SAVY!jJ7(RWp-x#@qgDx?jthJ12+Y#O95&9$)^W^GGM-f z0>6R*-xR=)2|vy0uRr!Ww)N^>$wt6m?}S_(Ne$)hudMIv57OK_l?}?n!QJuZf%IV< z(fL(Z{v$HT`CqT!$knvmNJyCI=i~U{M&%j(`GtSWs%Kop)~}uDzOmpsco;zt0}hPt zxxIFB%C;4}v>m*k)7xk|H01dkZE8oz3IDyzbFM#Z|9$jbOS=;Sjd$j=d zIcKz7@zY|94cQW{g3{Ds;oQ7@NywHTn2%+5<+<4M^ir;-M83E=ThR9++GTZg)v zp}{bdChZDS0$L3BmTHx4=Nj^cXkACq5Yetf-y0&^=N7NDVxsFEd&nhJKOxOHYIb({ zu(#xs^w8mEv&D0gRk0RWDO9Fjhig=Y%lv(*Tcsa|xbY^shJnlL-N_<-*WfJQ=7Sd; z+k^XIFg?EbFL(Z0)9zypxwCWpRdI)kkNx3QA*f#uK1pwRxa#%IK7(rFMiBkJ^Ziwp znj-PN!=#3|r*j0%0E|5F$SYwmk$KL+ZH7k#I-i?f;3<3cMk&YzCdGMSGn-w=c{nR4 zZfw_{`_G3540LVV0CQsL^lB^*zPR&_8I8z+*s%E_S*PBLS3|pUH5_|Vgu};M>>CAd z6-MU}935Sd79P`bf`E#j`N2L2*teL1S_!W@u;)#iwDh;FwH-e~O&an^M)<}?K7Td) zgSy&h$7JE_>qjP1b(CR_54Dj$Y8*%GH=ld3qP2BI-OyEbhktqZ#W0i_`=}#!LR#m3cnU{squo#o?9p z=`-Rtgnt_J)Jibv{F>LgK5L$s2&QmElzJ|NfMRBykA_LvPnBUrObift7|Q#{BLP#8 z{6;Pk(#f|*S|{1ILC|BwluwwEk%jJc-@Mb8i=Up4e8%|7BeJQ)Dvvye?#vOCYSJB+ zO@588mp{!DnYx_^C*zx=wuhR89U2`HTiv>&r7=1zons-l_Eh~)IJ$&;I>X~`HCyF! 
z=zE&35bRt}9X@5A_Y9AbNtLZ@0b@4o`%ZKMt|Fs(O?=%1heD>EcIoaz3DnT}o^&PZ zGHxz1(eu?e8IA-KRqX5cX4&x5;;=*kTTZQqNQwGflKN^xre8#H(D^@an8Wf63<3R=W0{Exfpfit|Hh=0g|M1m%88Ayl3f7U4P;S2(Xsj(bkr5Rz zfHR}*DJ#c^G>1?#^R)2ZL!{RpTpp%SFpl;MeehXaco{Y^AokmG4dDJx`jj)2#jCkq zx>6w#`M|U^i^A*W)y1zY@NkwE1RQBtBz?MES;ztoTudIX#7c>Hy%8+VZ%#M(F6E%8 zClvd89!CPWW}zEN8y=8zDivqot2lI))EbE6cE+>p<<(|Ng}zXFo;GdHt`vVoo2xrm zuDx2!ii)i!%aIs)E&9;pH+Ilsmdusl!-WPu*iy?kLNb)Ytl>Ws(b?+zx*51F{YCrL zcuMszX?ZnHOCJg70t1zC8PU+%j*3KUH#IvUF(RuN@1~|T*abVt`RvK^ zFI0W~T;3qQaYZm0!))geO3E@oP_J9wTvbtyup}w5R0&Qhbc{6f$HmC1B$`4~leOR8 z3tjyD>64%wsnJmEs0>ZYxwx?L{MBWoHdX0HA(<3!n2T@TD@-)0J9wWm!(40rNitNf zJ_KBJ$*Q=_gL8Bi&H3K;xo~AKfimJ80hHA^!!ZA+60_cBC%Ms%JOpit+? zDdWSVJ!+^`Lmb5TaFbv;YH;E-_0S(atbAGK_mRnqhG((A)XVrvI0)7f#kdo<-jP1-Gv2!N(pP&pys6runowdbQ{&Opa&reL? zfRH1$Kfe-RKpUn0>U%Q`yQ@mjw(i$c-qt|;@Zkg87g5mymM?3B7#fV~bvkqn6pnP0 zUMakI`*f-mf0)g#5Cdd~kC9Dl4ga(#eCU}TU=kv3D^<{-RSTeL>sqHxE&_wCSH6gQy)y3r#s!cdRe~5Pt7I~@D8b%DmKH|lj(S4N0KA36o^owXPmvM=Ii9MdZg(9Zp2pQ zTq@#`41Ut|d8557|}Rew@0?Vz~#F*=DDsN`-_QVKC)b?Cg5r7|Y|}r2*3;;QSC@r-)r& zy|T^ryuZW0%L0y6^9tWDBq3FCqfJ*7^EQ0Ka%jDg70O*^%2VD+g+(+O98{|~MhyQ? zXJGwa5{%t?*}u7~5smIuDuIYMzr6Cha|b z2%kUDv17t>S~x{NU-*G;r9y2ey&f5-qZ@nidlvUg$d=3t{!5{BvKXm=;O)DU--df! z?#v86UKQ<$yPL20Mn7RcVw>GNkf^lJzr5g60x9V%#uwXBnkZTwZBrkf!nI!Y3rE0?H)S>>g;#L(?kfUC z(iB(bdH=_V)DLo3%m-r6$t^e6@mxkfbP!Q6#2y89%jc~Oc3+pf?an4Lb}lSMmBf`1 zLG#s11*0<8k7zZLZtPROH#ea#F5Nnri-KF!uLL9)t^?7LG+vCGcaosb4Pqc2jBg1V zppYJdRsPn(jvxm?{9+Tt!k~7#hrYqi8kGTU`_mR?QZ%Qfsr{S4rOh}wIPWc zY0jc2RqixkYXA6fR@ zGYQEk?(r`qn|;p_S0hcH3ON{%_yFWDbx~lSp2@rCq5z3{b}&!mRc$)CQ}8OPP+~M! 
zx^yl>D_)^0d0C|SCD0{Occr`}ktiO4B$x%OVsff_Ab_>0L6tdII7PWNmqNp$98ia$k* zZ{%q;z9W#nP%IKLS3_`PG^V+Z*)+B7T#W`5d?*;M~jd9qtKYC!ix0oH%D%wdHd6ax+*zQ^(Zs}vlMFE5pV9CAl6VLc&5 z+S8MR#4I{9Q)+#Ua!_Z>Hlw0(X-C;=QtCdPFKt?{3U)lYplNDA)84@VJskY zUl-&)?Wtz6=5%K#+HwsaFd%en^B<-srf-v)9t^fGoVM;7s|Ly`6rilNLB@C3BjuEW zpiU;G@d0)O?POeku~%WdRaE_lx|1BWaI2PXKTE}TCM=a3oM0-MFjnb@yw<)xiIvIU zl2>4mqK?X_AH3S~^^SGo(6T~m4)q;Ru~Z1YUwsYPlV&40J+MeMX2YNJ zD*WjmYn+*`%96thIMmo|&jayeHo;`^2r!4jkw9h)Z z|FPOQ=xvESc;zp$(f*>Q_&SW;a9P-SAj^1)=xnJ)5y6dwE$~&0 zC7qFO_w6iKcjc{>V7#7?R@lx^;I;9WFOE4oElFt3x+sO9RCi&^WX85OXFC!yG|x~x zJZ>W=4H14@$D?CgcPFnqffYQZZGnJuCjGnv;-X0s>d?g!tGU> zaY!IwfT$T)LS2waT~onOUns`*Lm+iei#z$DUJ{ea1>SwnnFrdes1zKDLO z2b~+V6yeXvpSr6Zv9h#ML8@t_{3Fez^)TpZ*AjtQUxii9eVeKKE%V+!cuxkj3?&#k zwaU=x7w_rrmoT`^wWn7pLvF3PJoy^2o3GwS6wwJws@Lap#?{U(H<@6cNPc#edUgD3 zr(i9InmHs;9Zi6k0BEgw_Li0Pd)PbjNp94+o#Dp;$GX;Vyfrc1#rwC13{zjvmQL0T zlIz5-tWVNsH#YnS>{eLY%e)OCnW3&F*x)d;WCVVR)(@x3WCTGvmCOvNQrHRL&azJj zxlD--1vr;Y4}?ByvF$e?FGfR)A@ol8WLD*Zpq!0-Oy z?toX@IJdJ<3W3|?-0-Z555|;Ue}3hgE>Co_A7t zlFAUe{>c>rI|+86HE{F*LPLrOAyVB6E$ z9w79dT7&Mc`~3tWZ2$=E6J&@^So2bQr$Hb)X}zqd18(j49CH}~XIobVy%b*E^)=2y zEK$o?eG6rdL5Tr0ld2W7uuMv-&En&T|KV5Eoo?wUFv?{@iMW2VokVgSm>0E;U&0`r z31?0F@~qn+x01~R6#?N|%K4{&oQ$go=k6ui`Z4ExU?Q)NWx{wz%^9~nnHgyRwX1Pa z$GcF`WkEW+IQM)96F)y(1S!5ZCS%lH92sj_xW2JRE;32>!1E3>c%@7Q$A{>V16z)F z53K4MDB{(PZm{AWMh(bN^noVtXD`Ub{E<6J6>Dz9=U|V?uM}m|mSDV6gut*_s%j2_ zt&J!W^HB*%n|*E%30pXw`k5{muh5G)Z4MgB!kPZ zi$jV4R`Bm82}1^qsOr$Kl0#6GV??OV#X(=UKo$M73+;{_q)6;mKLLcWAgiI}qX%Jb zbNjMcsZ<0%?|%A%54&AhCuZQI^D1U(_{Mp}+#mqYqc`36>B9IvIkX@gASzBUHI3VH zPY-$a^*DG#^qEj0m2jiCoZSQUDee@c1}9TVV@Xq}mY$eLVQbzHUfF4zCHCSDWbFk7 zBTXm?*QKIeF_&LZX*g1$ps=bUACyUuk95J~+fo|>zDK*Sg56Q?%)Wk=rN{@Hse2eE z@sX*>JS}Bt|K(8!l-ar=c*DHDel;lMIRq7z55buyk(1BCQmAig?kJeFtr`8^id)_9 zG?$(ayi-fHRaGF3K~FkRcBp!KF?UE~y9d`84`ns`PH)YCxTMzYpQ6MLe_$S%(J5Q! 
z6$I8{lFLwhb8#9n(6!D>fEXe}SA<^6;TrSkai$f%H!B&(r}ZA>{xU`4-2=O(yUW{EC8aE-2%?u&w}0|XK_-+fuqmYlaJMNFv&+RNsm}0$ zjjkxm=-YLtbP}#OOoLFvtGeHRR;ZHWYpvic99*qI2|82xBPR~3IQ`(Rp9w+tPJ)$G z&9DRlg*@Cn+X-Wy6WjJi`W%>u)#a(MaU5&R@~V<-izyjl^6s^a_^Jn3{m3ZgG zy$S{7W7alJzm2qA9oP_5v6MoZF3mLG#ph?i`SDz(FXn=l#Ag}&{eyb%IZ(jp<#vLT zvys*fXrbL6(*Y9nI9=YU*zlTzj{E95#_{@W(g$a1{bqfOM#JPlA8KHDI2Ay)D)|MfE9Ao z+If4Me})($9bOS-nV9DdJFRQDB@wzCt?0MTeXbQjEtv&-jcxq#Xv7DxsVjG4wbRb} z{ro6?cQx}n$$~b`@G=)LPm2zgmKh^RezT8w(al$agio%t2pu~7f>YlYd%l_=OsytM zJb(3l(L-{C;h?V0oen=OS0=bJIhJQXjL7N5`1?7!pf?#qdfVNrFF0>8hxlEY2I!nt z$R>U`NK07r>u_j!^2ey4uJY{3CQ&h@$Wr_fIoW8Atv|*kL~>0X;R7$dAr2MOC0}q9 z`rXO(Vp(VE=vMA&zWi9}CABopcPAr&7ExV2z3N2&Ky~|MPIHvDnQGHVU1?lseArSA z7KY}PE`1tomT`+C9-NwrVxMlFAiUf}zq-~`l6lrpVb+9u2K7}%ZQy%3qG6H*A6E>a%36_Yq;IRVptRF*u3)TsCwhy5BvJ4OP z(;k-%(4+5IgNCzCM`snSt2f2Y<4CX8nkyIMID7^ZIOVA+2e5#kzsAOXc653wrx)16 z(ce~jtk<9TaOlK!L0fx#vod>D9vs*sB!g-U2betIfD$8*<=;BvA6@339$ny9f1~lC z&bpc2MC7ttJ=8h;Ie}TaK)f4Q$vcrxhy#A8#i z^sNmy-=p%H<-MrJ%r%VZkBoT%;JzUqzM`XTiyWHX_6BRBn51X?mMf7j- zlRp}x%zOIvEX>xo7Pc4)ycfR??=@atO6qI}V%>eKq|1+uuo$5IIut9N1#QEZzC0N;>53HSn z3lc56G~&lZ*DfdA29yeG8-iSN7N2<2uq#b~og9Ohow}(iiYkS->tPLFZ|9c#t%A;1#zh*0NANfK}%bR|b( zah9^&xdDGWJ>o)JEYGkjWcAmfC_4>ly7ipT+ga6ZB!K#4be+z|MAb1lM`TExZxlbG zzXiO?d#Xu#wcWAYO@Bz0BYJq#`|UJ_q)AMoj-5TJph}R(s-QWoAu_f0XD#mbuP8)8 zkoCD`c1vRK0EU=dzS=BBFK_1~R|Ai#hz(&wmWyx`r!~i%`5pZqKLoy>l`T&!A#0M% z2E3d_Bo@NZ9`DBCC42C-&e*VlO+`4D$T5=|Af^}!K-+p(RjlsycOYc#XW?&|^LPhT ztKSvu8`Q`?!yLrWAlRhYO|SQN>~@zpV9>k1s+W1;ny7D<{@WIwn$6?Wdmmsk(d&aI zejWT`7>>uGvCE>wST;Ux5${JRpG4(B;n0-Yy@h5`Weny)V_-wSd^~Y)+Yy6wy~KIm zByVud{-kYQbgRGWQ-KP^>o>3KduAU5GWPR7Wkfm3K^NiNKD^lqqFbgRkpI15(b;Oi zKzohv6*lswKz9g0gql>>t`XW1FCoE>%M2|#w$M(*X+>n%OG1Y^f%$h#WC3x5=~oOm zIBRU{-WO6l#oC;^G5$8q;AhmE#!1*gEs=wN{mt*2aUTw`fARQ8f=S;8xeDYH9 z0kDstXXxJ?Z2jt_bTZvy-BV}elts$flNUSPITjC(1S!Sa8@&^Q@l<~(PQ+q@MM}%l zjb9*t^jK(2JV~S<)$-`!*7BrdwDibbFp=`y4v?P;p4VVQdmU~@u4-svW^mfPuP{H#Qs74(rnORJ!!F@bUY^5k?UP2UyqH8G)Y#wv~2Je^#K(j 
ztbeFg=h_kV+Cc-iU8nsjjX*Kf%Ql|j&BXr`|JJ?XT$;9>E7|Q&!wR@Q4k(UoU6oOd zuhl7au(l^i2fsw&?^j|2)^j1)t#yrV#i0>fv7G+ksgdiE##Ks6s=s>Sr5r>C;iu(d zO9T0rwd4l^11F_l)`c^5k2OC;v`Uwi{U+u-^bk(&QvMX1bELMKQ5ovmWV49uAH&hyRjfWZJ7>NDPE!ufVqrs`o2?w5^hH`>5kyFbVP-gc z%=)#W=Kz$=u$=jUnKUltPlXEl^9sjGj#5Uh+CuTR595RvtiJIA-MLl%XJlh(R-Qyt zcZ?;BYQ_Z<$W*qSO8xg{Z(KtO?Y6m6y){f%3QLur^0PlU?&{4NM~?AmE?kjDqoR^; z;FjT(7P#JuyKSKJff~=Mtc;!+Eo;qPJ=xGoCEh+|bE^fB*a&aVZT+3*kwT?VywP8sh#v>3)1>-=XMKJUJfcAX|Lk`$6{@%f=?2)K9?XG5MA)E&JS5 zxn2MPnsjRuEgq-^tAU?ZKKR7G?ZFoYn`NT41HUicgphHSGpR{40LBoqV!)h1?wO_o zJ<#d2Yp_zWnqhVQzsTel_d)PDiUs4hKz(bHJ=(ls`JWdc9qAC~(?m%ZS8old*Kj9{b6;Qf38Sf1 zJr=!-1Q`A&-h8rdZEX#9GSeg+R1}`_JNuGrW%^FW0%M_j*T|ro<$!(e3HPLB+_?XRIhXbzm1LYiny@GZ(yd7;)dl>8KvN`mz(xwd!XfJSz>}-g2UUb{pU>hCID{kH@!#%*ih& zPoaudUY1%UU4g@+#@D^CR2_=DtDF}rx7%NamTpuO?#%N~{tA7nPt+BkuyOs5-%w~J zP{{*I(AH!r86Z00k<w2+=_}=^~yy_?89F7Vikv5Y? zOpnWY2>iTpCQJoxLzeZF{~aGvBZP~SEiLU>jfQ5bCl+aDv`K|6xq4^ti0NXLzvjoe zD_X}a@cn!4EQ^e4-HwtGa+enuV;A4o0BjGF6aXGFrLvx$ucG0^y^>7L^2AMy+0fmw zHUwsywXeW#H%xDBRhD=~Rb2!X1G%^{Djk(L4>G~XWk}eHLSCs?40|7pqhOmKI1*Wm6D z+zIaP4ukvOyzh7Jx$EA0*7|!bRx{JnJymQ+3pJyBz?+1r7qQ^!doY`|+?) 
zwUEXImbL339IvT|`36^bIYk|s-5bizU|sdWrUs}AZAR&qi%)2n+DxAa!;Kpy;+*Mr zzx~lZQqFOkJZD&NcUBq1mBC_H*@xLp12BEb~~dI zMuT0B5`j=FN*2;6?_77iEkFCIgkh7R*ZpVz5YErJF@BRv17$xVZO>sI5 zB{yv)^Y1wVeuG8WW8Zzx*tc-4NB!0dkWTToviITj5r*Ofj@B2W!TiwnhB4OEd5TC^02oIY_xTAw& zyrvfZZ^lb|0-I5L02qZZzcMpPs;a8~S;CDJc-UuxWvt|?w}fd3w>j^^F*wj(b^2OS zRoWGgJl=6)N0Vl6j7c;-*y~Zx7Q-?XFxgz%Zh;95bNOz7&AFV65|xAR zpaQmBh}aveSanGZHWOJ^hSL8xh|DJ4^Z$fa-i%)~D9Eijw;{h?_xou^;=pLYSKLJ>yc^S4KQXkvY{u>-2atx^vF zO7U-;viAP1&SQHhcLPWUdOO~f{r`TpgBv|Sj|Pp@TP-EAo5kR7N?kbf{k_wBpcp93 za0>yzr=ygA(s7Zo@bDyo8W}*{yd}bX6=95(jHUW8X;FeNRL+AzEd-Re;|l@J2@3d6 zV(^>Uemnl_{14#r_QsoH`{z8@;Sb0kA~`u3NIU&E)3$jUXdT3Sl|dlB@IOG&8!q&A z{MY$^0Y-0qe><{|4zY-d-+cj!=Kt3%j2s{k2m(-$)Bm-E4LAb8@sC6B_RoKdA<-Lq z>Ys)1=nmi1l&mP=RkZYQfIf`DdayTgDAY%^;h|2bPPE*{Qq3#9-}~|c*x2jdirPb6 zU5H#vcX#WM+wqkvL<535uPYF_`}5^FmsKG*OQA0cDgm4J)dTRyxGp$}Y$#g#L~2x2 z?{wh)^X;I-?XmE9cVxUqS zhn#ZvBWp}sY=@kV!oah%9JqxrBFLewn{!$TM9@qqx$K|mpli660g1nf`^jQi%Nd$u zn3Em_Awg2@D_qOuY>nYKGg!w$ZV6N{2Wn5>f<+D)&NDnFb@H4)QyhBKCvNe=KPx{N z|C81r|9iMrdz<%?Dax7+r~&GbEX6U1GM^KNp2v{$5Xf$zj`zK}7_c0U76822^M zVpV6)(rU<>-sWY>dZ!HiBc_=4z!+YMU%LC1){*X~htCllfCW&)JT zWOO|Ep>3K84R=XQtRFsa-n5AY7}!oU@rksUKNoBBKruO!fYZ5;<<|zm{MNQK&c?Rs zx3fCJqhQo~*KxA;1$QPmSW#~bV)Ljk@vI-7YWJjp_m<2uXU5&Js~oJa%uL*j@9pdK zW#SxHkMz|S#RQgTC0^h1x3iBjclY+-zW_7}_`=(IAMbmtWmXiRncR`h;}7NL03!M! 
zcQ_KurqkNzz1RfDsPC_z*coqmjv`TBx(%8Zx)8yKUvjgS_BCqIW~4aRWBqph1+@sJ zgEjU4R@kC1+*6MsL7I>p9e-3DB2R%Q7|rTT?yuHin|J&n;C0G@$TXEqP_isn*EyGb zcT^1Ijw9X1-yV)ahp%mloGP|UrH!4Gz=w0r%F#n+o$ScT8Q;1x=x=HP=!{NF#RjFbazE%HY_7hrL1$-iJT6_qg zjP7e*OnNwhO{iHt;63y1B&-g!X-lF9NFwvqVQD%JBTXRJgz%wEg@TL>>K75O69Ch` zh=R3$FL+qurpBl%FjO+az2H18Vl;_M$msNk>+>`1JIdL^!`rX!{?2PjZgFM*fR!@I zYPd_uJ6l%QxBm0;`$He^e2PGthdq(_)M%f^*IzB+Z9jV16;;dBJ*Sa80s%{U&i+WA#SOFTQLzV0&k~Wj3u&u)irp9$icOyvk#F zQ6XOjhCq2U#63}J^Jq39B;TT%cE??Y?z+~qAbzNCd&e&hse7%>{=#XvdfvtcPxjNQ z-zbeZUgYUC&D^i}$HGLHu&H77yKXQr_0?BAgHpbfI|4dy?|6f6tsSH!A%T#coxR7f zwYR6f?CZ{OS<9KLzYy5OSc{q(tBz%j#-Q5P)AWUU&mrA`9mJR#OR^PE(r|IK(Tw9V z-6cvnS$(6-)VKqid2}CvwK;{9s=uc&J0?BJ_-B<9aQ*TODbpIXqvY*Ty4NMfGSF`e zcPR9~zuzX3EHE&;xKSOf_**(O%Kn=<1<7k>Au~flYOJL*5B-Q+^W_1_fU)SU=uv1+ zRl>gcg(xOA7AU;qW?-fSicha;e#O-5Am`-d$RYm#YTbGxr6GdC!k*?@=VG&mYPAh_ ziT3vRku_{>*3agKU`Gyk4qDoBiwRnT>f`&Wxve%}0~k30#+Lodms|txk+sBM6{?4# zZk%rSw@irONH%@Ph$4Y zK>*~VTk9#mB4Jv`de@m~ClJq-V4t*>X#9HF&y)5@mtdqc(Lsy|Z1{e{#}bl+l?$=2 z=1KbjtGr|V)`82JA;IXwF^;0P9_dysvlEvIYJ!pC7&S@+o{4A~SU_JxgK$i9xR`tv zl~1$j)e&FqDXkmt@s44u1LPt{$5{PO^AiU$QP52Sej_8|76y2;33rj4v?TQO_NL$T zb|rgr03>LoS?;8AsD+gN)pQ)Kx?yLxg7V!_G~d*lZlR>KrcqpCq>Rij9J^X@U9kD* z=dTMR<4?j2tlh}Mg_bUq?da@u1a;SwGl}Bl0$O~jou+8=_ywuvy7hkw8g=wuf2}gy zCZXDJK^dg>%GEdJRU<6@Wk$5IZQp7s1{5eceZ0T3Hsn>;Uw1V3*!J6^OE`Io>Rv#^ zaVWsU(bRoYsM6bLZ$u)%24Nvsbd3AE0<5gnT+Hci7$AngqR^RoE3L(PEB8M;@?MOE zaBHzka_MJI=25(JCa&fPy!XkJ)YJx+jG|w9wLPGa%lGT;la}sW*Ag9y98dr57$X;^ znGmGFtV!mEoGf_lI1NVB+4K+d{WV33{QMFZ@4j2Pb+?zK21zPlRkW^NR}>e% zMxu?fMr} zSL`L@oVxJuk@ z+X$8%T^>(dTK%};vVndIsB7chW)B`e)I1a4Dwif%;CqL?w_04RpJPRlb)TLY>rsJ{ z;c`qMy)hvrTLH*sgw$wpD#PDml8}+1f2Yaobj-EK2e3a&011M@VPUOBt2j-~-JDOW z_VqR!LL=2ngIxQvKbxt4>dG~TEfn>|(CH2xw*x_W2`S)+`V>FgZQ|g)Q(r4#IQ%?XxqG+PEg*X_B^K7uzzD%4=a{SlhpBG~bVD_dW0DzD4%{ ze>5GpVR~Aqs?q=;_iU@B`rbATBn`4e`SzxWB&>ipPZY58Lzw93LIANU5HP1mI|MW~ zaseK8aA+v61?8VuQt57(xAJJfwH%`Z$bo^w0-W7sGBh$m!N^$7WtqN6<>lqo`+Hqf 
zOicG$+B@{kX$5GSjo938j?ois1Q$|g%CtDIq5dg^11|XU=tZglb>J(_j=4aSQWF31 zI)NPgIp7Jv?2z~Hcp?!<+&525N*c%!4IN9##R3}W;J^;tq5K!<*gsth#lpeqpDtFG zcXvw2%+#~}JNftPKkl(VW0M5HY}TuPG`-;qFogirG8Vo6xl}$(PC)@fL+EyE9R)l+ zjoV(McKH(qug2aOOWxZ*G+v({El(3>zOAF&s=0-_8!K>U;`-uKWy^K$YCYZ*?ZOo8#gP zhJPDbPS-uS;a|v@?Uf%I8fpNLto81dR{lp6l!<_&PFB%&gAXX{-X-8ZNgx#g>)$WH zY%bRZBo2^RM5m>BhzbyL0UY7Q%7v^ZV`-aKK!^D*N7&qws{U=`Ts&aqeSr0HAitr! z@jV70UjPrjQ0R(^dJizQ0wZf0p8Cz%2fThz@0&cepxObH`08Xy9hLmw3yzK#mzU5; z>ddX^Zc)HWw(CKDA`pDQLjZ+@VT9aD!iYP1*`U`KndBU&sNdtA-q14$|5R0&03)aJ zM{fw-57=&hWE}9MG!xeA>y*5pY=v&y73pAy7{G@R93HMJ{I5K;)qz4)sDFbvp}9IzK0d-6 zcNvENO{5%G?S{%2#UrJO7hEN`l2PM-3(w!%A6#ht+Q5e9)jiO^x}J!U_@I-T=Oq~M zQcd!CEj=@(wFF#W5&VFVnRera95d-#hGSFEjN zTptCWC7Us(^LQIL86$OGM?`_iv_{9qR&&R#O$`mi?N~U?VEX~)lRFpp?`h55Qv`ac zqHv zw%m4J^;NDN8aXsAZ^wh{|1P+L7`Bb;iC?Sc^P)aj#=dptt(M_Il zYKu$lD|9W|<>udpTo?VS^urqwFWG@Y^T)@gj`VQ7-7%Ae1o}_TZhq7x2NFqhr0qo4 zP@yL?Rn#w1LSCwiYaqcB%MNDe7uI@1)q*K=w`0 zuF1%|^H8qOdn(xm746GwlxYwI-;FD`QZ;2B_buute(@4}hPf}Q{Nddjv3HAoz4I6! 
zNaUO}+qNQnIul_%C6VtKP{RFn^w&<;)r%HYkGP*<2d(O%Mswux!Q|$Fed7k6WT$*6 z)y1*vhux*VN{9Nnt23_byOHgMTMt)o$F0I}RcOU3?r0uUeJsgz5aTVsTn8_{^6BdW z?^!2J$w?&0*om`E7#}g)9|nOE@niaX6hHJ7n%)4PU$qE9U=bK%RnhmD$XQunh_59M zmMh;h%l!P}w=~Hj4KAXnG^9Ui3XYn9>mgq5f5NO94IaPF zNzHnIl12_05RUkhOx$5NOPHumhdJ+uZa7wtRQpOKGnEPPL);uNS}?-yt_jC_qBo|i zq9Od3YXqykdXd`0rMk8cB26?uSQ(f7c*1z+9QwJ;Z~OW6$4<%_cbaB8wtgGllO+?B z4yuIt2OKAlp5tCEF6C3X?+rM(9AH|X64mozPV4GB4^+Myc{|qbjI6?d3y0_7<0mKh ziQ)tpezpkP_^plh+c=8$Y8an>*bfKI@M!K8I&?)LLhj6%4Xct;Bcj2bIM=ALX0hK zbtTKgOR(cu6yX1rK%B6Tk`R?BVJZ0$+RfGWX3F^vtRax1)^%_F`X@AZ7p!AR)nw9e z`O>(DTebdv?le9s4=bk94yxPOawEW+i~q@ffzO_GE#s5;RG9VxOX$SZ=ct{vP~tkq z8oNncf$*`wmIp&`HM6rBA-d9O5w(g)DrwkS)-g-1p?Zr5u5ZSb&Zh{vT6XBepW6_t zBKKlBv27JD$n)aS+}Z?JGEn=+Awwp|-jl@kTvtQM(Sv-s6+b%=U=041n-u}QALLDq zDN?AGj0iTFi*YTLy2*JAT`A7EqdhC->eDGU`o=hD+hN0)o5c#wQ%rJ7nCfSWHd2yU z5lD6ZY&c=lNq2=zWAyrHfZIXlO;#6F%XZO2p;K5(lWrf}ugL)-Rg{v3d-txuWmsnS zL_+jy?r|5~D)Ig2VKkgAB3uz!N`L7E&9t@{=W&GenCA3_Gs};^Hz0HmaK0S8+~To$ z!6J%&f~8Kl>`SAuYz`;2Go>!g75oTJm!(jRvpW&ut8#Cr{!@+WDV!dBZ^+k8Cb%i# z3eD3{zp)>KR~pRZdd^RoV*>TZz&FT&{}(_g`Pvi?&}1brXu);%1Y=n5h9bg1{mBgs zD8W@U;&;1uV#&kWi#3QVIyDW=GmLTo}!8NmNlsuXOZ_bNNlevk14BYmpkW%SyB*@KbIw928;3P(XE9T-8 z(vcpFOrUPxWkEB%N-SnzftWANAO%07zZGqQm)#&zAO3wYQ2AinB|N3j**5zeOF;Jt zJ=}_QKE>e|8akum^a@d1ewbAcyFl6^V!s6kciRz^e}%`$W+J{pY*l<7G)a_AagYr! 
z7A#RrX?MQ<`xk6he|bNQZ)=c}qZF@VkTGQ#Gi}farX)gzV^!Lh^??4&vCr0z62!J6 zmG=u&T7w+Jr~lKA^Qz4iKQ@*;-Fn4NLew&V8)=A5ADn%<&va)a0dZpos}4$%->zNo zSa9N3UgTYwY!{Q<#NYLb7P=gu9C0oG-~`*Qy~gW*scxrulwW1EAkX#gTTjXWhGy%v+E<-01|76q~)uhn8E#>PJ=@u8BAat|v@twv05P7B^BANVE+RTjv6 zn7Wd7xBw{`V~Yq1+_4r{7#7Z9Ciur)5%XUSHm`9O^)m$ zDkMAWtZ$E7o4Sb!Cp_;bX``na^}Rz%Ob24ZC?qBJ%~+2y1b}KG^JYtr7-zQUJ-q>s zq3~KFJ=>gCysh?!BpibItR2E1t67}E4D?M6`=17O0?flZLU|p5TwP%aYIJ$uRDsl7 zEzW2np7}i5Na;?Vmt5QxH?fQ^~o%5X8|H=h05X{HaI&>oF4!hwg ze*$B0PRrEG9`x4JHq=}Fxu|hvXCBaKQfFgwZ=wD~YbzMDL;Q7acWieDSFW8MZ2&f8 zpfxSH+>6LuWvtQh=e6l^aV04~!NM#=HCx0Dt3<;5{6UnZ#ikiKwA%dQk%IIPvpK69 z^uSm|5?b9KIcj~aDU8eP`uQUjsiClp?OR+*XFZ9;7d_jvK)7LPAh^|nuq?>h?Kw2~v*_5{(zdt9&LqO7N>#Qmp(6D!Pq zs!OrQk3SFJmxZyxe~wl<6D<&&dhd={>Dbe&v|;H4DJ4ZHXxxM`QRkXJ;MmpR3ehBS zdmLM$x!SgaO{^o_M0tXoVSY)E;wqi~^wvXoJc zOUZ-J#&9RsO@`VkHb-j6I5iXV(?2DC>2s*FhMJYaFZ{vdMMh+|I6gKiHFw)EkBY*y zIJV5HY)u)0YqBy>9zuPc;)eLC+pMt(tLN z;qMRgO_R0drOx}PPA^ZDpXhMrWF+H>{6tV|JaUX%yR9)ZKNhEky@bQSDn0sI?F#>q zZ}d0}7i*MHah7|kQO7Z&6h_t41`mm@#e6^&?9*4)`yv_abk)abv=eqDg$(Ld8I%Nv#l-^j2I;q)^|?Fq-%HOBoDb+r zt8#sYB6B%4e3ZN;C%&kE)eH_Pozge6h=i?Y2bn?Xn49Cue!|DcpS`O!589|#3y;H& zCslXu(q)3g?@OcqnWbc|(m51iZijc@yJLzQRZAA(#hOIhYh7jQMibEha1gZg>JE}7 zmA5S~G;gr&wh)S+FsHv;74xEp(9)wW{SD(PM|F=hpCY57vGB2&s%8m7l>?FoWv1<% z)6j;UG=A^t=ts6O256g0%9r%6Xnb2cBp5$KXT+@b+2=?j@AEoyVu|$h8CsKk# z>|hrr(c89z0wdYL@>M;0^rV&1sNeLd)N5qp)M#!!By1e_EU8}SGsb6MgY3st8Bg_w zwtJ<6%`e}rzQD0YP(?kY2|6;URBuJvXq$Du2jMtS8!6PK3dzO%Y~p0c=tHWU#;dIN z>g1nU)j?qN{t{H)ParQZ4-h_cIiD_r;(f7zo!Nj0{rlJ!x<4CWuD5<|PliAWKjCqM zP@+xTCuWy=dW%Mn1-8b1`Fom~(votkbPIum1n=K{IW{w+wGh~r>MD64;qh7Qu(D6f`n9nAPO_MuTuV?>K>67jc=(8w(TR}6d|1!B6q)QQo5)^H%E=IV=USi?g z#?E9IbZ&^YgmPvkf2y)b zte(UT^L(N8;?ndJ_k(weF^+JMM312$haMV@iKfKFDw2?^*N{$NKfEAg_}n@k6YU#p zejI!tMP_oDmGYviDnmh7;+oZ0Zge0;{^#aC?O}sLl=y=SSL6EHZ^6|qY*r@~LMwiI zuJ%`ofQ-w7V{%(H)o2I1eAAfdYX$w1(qo!~34$zb#bT_7EO#l)P8BdeRI&>Y_M}~ZTnvBr^e!3wxcO?gsVyL z>NNwMx)u3uGc1Si(qwf8bgyI~jm31jf?nWb!f680(Nwb)L)Y+a{@KwcK 
z(InfZO*9nrV-Uw>L>A`h%Xb~}k_}=RQfT+o3&Sw*F+^V>CEJ?(Z8-h<`|v)EyP{Ba z9N46+>d$Zo@q@IY<*J@o?5U0^!TwkM<#)5z55btl#4BQQ`r2rEmS-QlqAXj_D+>3N zrj2hBIkMf!$xW3}U`nA^L`}*XclVhF?U#-V>2M4-t0WP1v54v}CKcyKclgXDj?f1VqE(-8w z3=~4!vPd{z)3zpONUPp_lip9WP+*|;E;Y^#KHdv#EA1ZaKxJ6D3|eUmhsH6&zY5C= zE>JicL`dNTlV^P+wq0t7+Q%1CKhs9H^VnbHPx@8x=Z+>ZX!Vs%ooI>8@=zt9{<;&& zAE0&;y|06jJIKtE?_YFQ@rnDZZY>e&wv)Ep>Ya-vdvK9Q09*g{>SPhO8;4`>P!q9t z_zKH5wJlf#iOQL?)IRha$vt5ea?DvIfr5V7^P)y-cYXJ49wReQdf2=5W%shyuBNj@ z%)rMJlTq|+Z|`?REy?HjV&SDt{a=%{A~A$Q`zu`-$R7o1Gss>~cUgjE6wOhR>zdJ5 z$%5){TM9kWS%Q!P0Ofk2pghH{__#|90Ln2ytW+SMDF=YWUUMcm^crvFT~#$T221r; zWJ8qi5nlAnCURgQsO8dJwjT=2@MEs#QnAbz8JcuDUZ+eOwiTbTNysFhUfnKkuMZly zBpyL$mkgeB6vSi9Q$<{tSWMvpBC#LF-&^Vl^%Z-TE+H~iXpFF3(?|92zdaqfM``_0 zK~;vFoP5jK^K`k%9?0jtDY!%Tk^cDpDgFMp+`CuK8m~;;=$H2w;HdG7K*aK)c4@Q< zhEO=@B>sF@?j>v%&lmFuRhSR=3)&BYP(DW$9`cAVAV(3oIbmY}Tjmr^r9oqQkML$! z3W}_XmyA#@Tf)l2Op&6=-y`_#KY+T&$I;e}SpfPVAbopu3+O9N8qL2q{BD2m2DF5a zz6ad(c)muDTqEPRenw!b+aA9ckq(#F3}djMe}Ec(m)T8`of|Ywsaj$GT}_au z_UOwT4mL(QIT9=KKcRybz`RRx_fpoR{m*X+4zE=y#0m?nmm} zaeLusUpZRtO`J*Z=8z9_S-aEqkI!B&!Yl>V_N(-t(-^)E2m_{`@hfFVo#hjd&IR#d z2OR;%$6Y>*!3NDE=Em_jiUN;FOhr|=xGbr|AP;j%(IUgmGa6Yr%{?x! 
zGYMtBM0e}K&yVu;6~5_LM=T{J0+X?hsw_U1r{^Tq$VG;t;Z%R7S@w%22GBT>51b$F z(Gm_t2ML#&QgdlVg&YuJfWOnc%F6Thv;4xs8qY_kUu$i_0NC}OFNJ11b7inlS)4g* z{8Hw@g?bNJ<*$^428+)JJxZk#$Rfk%D`Mfbwc^U`T?VKvm{Ku6F(=6lpA~O^ zGLOF-b|`=Am3#l)o@}9k{=@XptyNpLR)3f-Pp{fI1zL|S+$9L-d9r$Dpu+F;` z1)7jYpNXwGyK-$|hUU)tCZ>rxM++WcudlT0s%2(xHNtV6iijT<&DS1Ww(mFepYd)t ze#U^5G5dSM=g;oGcR_SD3ykhB&~Zm;hrt!$xhLIB3f`0EPIm0<-G8z2CpUI^v`lZ<|E_Hdl($0L-Yq z5?D@`35Gk=@lu0~-=yom_u3)b9Z4AnmkGwES)X357+9m>{5V?^_+>n@d)#h)fAy?6 za_@rrh+d&s0BMfzzQ^?4#Ecu>Bz${Cm{XxQF&vo8iR*LK7klHG9cL`6KEqQ}%E!ZR zdJM`Gld9CPs}j$$X+zot4P?hTZU}BDq*1q*jCl07$AhI&?Jr2*xw?=xOg2pOJXC15 zqN;gu{G~%8Z?pke+=`uFd05d-R2fNmM{&|ThB7qxMGKN5)D(7<^3Y{be(@N%pAC>X zJ-QDzGKY7QWAATNxTTy}`?t`luKTs09#D3APf?4EX@Qj2zCQAUqM~g=&0!qz@cBip zC&pAH*0B#nbs@ca{RRsqf-C%TH8gfeM@(_q@j6@D4w%2OL9(qzbPvwA>sL7v1*IKd zlHp?H;9`B8etVi?_IUm|iYBogDIk}xoBF_Urn!g1~HAgYMsG5*38sH0Y44M@D>MC_R+{(O_b4h z{14Kk`Nm4_k%N`KvD(-$_i7olT8n=g0yR&<_G_~22uCdWv0V8pXpfcs01x0DODVG$ zrEQ%rU{*`h#rv_uZr>@V0eqzecumy?*tvyPABQ_|_|0{Uck);~@O6HTeMfW+?n!`Q z%}T^E5%dgXiriTfMzFvIG^}%v1wFT!Wa=vEd_Sm*AT(z{i32I3;`>lwe-$FZ5OOwS znifZLG@Dbj6H`3d;J`06+UAhS@n{zhtV{`Ns_4Ob1BWe8+DzJn3e{{SUxnCJx zU2HM!J3=YhZt0iSNc!!`v2FHK5UmYyU+h z4+r5zAjq?sxYL@JK(DS=VcQN7#;3z?`;(;M=rWUp8S!8Y_xQv>ImFtLd$QdNQd0>- zzW*mU5O3)xlhA72$kG%A6&v#lB(}aZ-22u$BPr%-Uxs*gT-Lo;{cRP2J%PFCm1ZrOVq9@)awie4Rz zg~ug_cx@2s6=c}UoqYg%tq*v2KSp==ciDvq3Op)5WUk=uB`IoEPTFoWh3<mLNpZjD5!a zV1Xxw!6uIVm1*RAcut`f*e(6+=<-jd)i6!{^UbuWe~X8caZf`^ugU+qA>_6%j2_fq zNBx~LoTv6+ZsneFSh%A&GkzHFh+63QoPp+2TN1xxpZle2wwPxX60#QUKxA*;!evQV zREi~J3>H2WSZnBnz{SEUWA|nl_Uf|zONJd`9bWS}s`4C01;oo`f_T$*x7Std;53%E zn_qapKQBtA#o57a453g_V|~$bTz4?u5=!-cvv|u#AfH|T^KmR1?rJN3vn5H4v;5wk9_xW#3st!Fbq!-YDssYm zWoLFh4=z6l_vDb@g3N+;_%$7t!;8Ak5&ZEZE4LP}JUSI+`m23PZe!00Acu=iA%>5( zGlIAc+n)6TRbgMlQ#UDJe`%R=`tZ~H?V}^Shy_W^L7!h;!JKw{1vlC6{oHkTJe-!~ zk^!vaX-sG}8~l8nQY4Nzzp$`7B83*A4!z=J4ej5NACjtZLo^|N^n<_5u@z%buNR%E zI-x4xWjSIvkI;U`FG1QL=~sU~FG_*i|Et)S44o=bd`p&_VHR{>8_}roDbEDw7rjAL 
znN7v+`B7xTu~6taqeiba^E=*(xNdtse47$@&b#r)hCA97#*O2zpK96zA(#hNh}|sfOgG`^%2SPTp5y zlYDi=p{%rd$1RBNcw#oHCnDgH)Q4i+BG^b$4-d#-_!>apCs zDU}#q@qW|H+t05pl()Hy9xO$n%^RUVHcZ?DdZ8lEa1ViuowZ;19yrs6($v&i3C^eY z{e#@G$e5&~M1NyRf_ z_gm|ZplLm?&484_dfGPAxoS!VE&jp3l>M~jT*DV^$wj6~n|py$nvRtfF|!}dXN2Dok?%UqOuZ1eY>27dPrSNnhY4L zk|VjYvihr%EKR(SI0t7)b~DaP07?W^9ykr8LqBb~8A&K^#_adN$m12GikWZ6T9I5t zqaMY;Fd>bGJx^Js$LeJZ8{4t?M@1QqmYS2r`r*;iaxO-3_2uq@ylU@q|76F2Rs%w~5Zm+wv;s*Bev~ z>9GMfI=67o3}Yv;un^b5+yeUoTX$!}Sgg-6A(Dzc|N22$Ate%X&z~hCLPDTK;@+Y) z)u>9eeHp(a80-!X->b^SxE_!30CHCaX`!xwPGaBU4t;L>H3ssY8+NU^{OrYpC`Y8Z z8_-aWZvou}CRPvfTnwB&nPXaUdO1wONQ3ie(JSht#eA<=kB!v*jE3-e;mRD;qK z3iNRkuNA4b7L!QAAeh}-pDZK_x5{5L!`NM@JHX78O%_uW1WCzTnhakoqG-;-;oQUE zQ^|RL_BRuKK4;?pbHmVI%x{QirENGFhLtr(sxI10fjC%>sFMLU9_gBMWvk<~Y7OOX z=J~K>>}xae`1k)8V8+QAay*@;``m`tU_+m~xwx5ZpY}|RdX=`8y!ZfPScC}y@gJls zzU%a5ZgFyfDDfz>#;%w^zfQHBFqmvmA<%0EW#1xzx$<&PMu&@F&rs0rUD=j|zX*IA z@&5?)9WX>IG8aSSV`9+^=zewb1X zkCse$$Aa4^h}kBm*tMeRHD&eU8Hmru<2|3~iN|Uzxnut-XH&n^Cg)5uAp% zweb%pFy!XsY?h~$+3$^AT+iu2pU-Mp>zkR;5>f$9H|Eldo*Ven=cr(apf7GWg5aE_u{_a-ZFjUcavF6z`z9L-s45<|FIU z4c25)wpiC67^zkvT-JL>IJo94CRtMRlSs_Z=0OQIQGV!5LIEI6_mT2F?M`NYk~G&mvIScUOW*SSaJJs+6itTXCpXQZ zopxjO*$sa}C`u4tzG0wf4){C6o9IVK((Hsrm1V{(FhrSi`#Pf9e}j_B6Q6Cx&pcq1 zM_I7BTt)qr7+azUlcG0zgGjETpnPENmgTZem8OhGY3|hNY(TEgbYD?oIpW&#fflw{ zms3m*PaI88%WyDZ@$0CK#B;P`i?S{1$=9r6%nHV5(}SH5y`%bRr5NsNPqx5v)xwjS ztzZwH_laPY&HoE2%$_>AN8zDX{ z#PPFo1)Kfjz zO?>?PuLk}A(DZhR-qw6;&UeGtrKVL+-fv|9K57IZ;OZjJs{Go`{KBppea_NSKWxm^0N z2Gmw$3s;;rm1;6wAyqPqaU;Sk>aqrBSL*lsrUE&b7s71{pohlk5DX0#C-l@8Y|el; zBycT*mt3bIgeiLb4Ky&v7zKybJb64(3^t)@I_U6rd+&qn1*F@K`2P!VODw(qPT{!6 zXKckK9SryVKk(gs#mEde=-!Tpgrq$J=_9v7#W0)Sbd{^fh^*0GtEMHF7I;3ibE$79 z-RsqW=Zj58J4{mu8Qi#O^MB<6&_H>=*8#Bs_@Jl&AeuYr+$jPG@}cewmNn;Bazy0Y zFBz74@GWbKLR!kQxLByNEI(AdE&~-_O)0amqCG6BTOtb-@*rbiPrce#xY z+taK3$4~iE4hzZ^&#~KRJ9Nhr8Oimn5mV^nm>I$;`cg^*Fs^zVQcK_k%-0 
zzqIl_6%_&Cu@$KeLQw|JTdx`pEVW1|bA)WRf4{n`OQT~VdkIy?t8*bb5=nDpIzPjZZ=NZ%x;raEaLKCM^bL7z(Q*;VQEbv`(fZAFS9s3-o6y> z-2JsSl3c-gnIH9t3X)5_nXtUlw1Qlr(PzY)0ZJmvIJtNoRMC2~BCOy`T(C91bNI8p zt}*zAuIL-yfndc(TQJk#hF1yW@(`-r)*!!ldyNc3GK*dpu?lYaCcF3*W%2XXZ2D>V z#rrG^dnWrcM=#WAlp7iMV9-mH{!Ogf*u6D5-is!^ztsPUdMVO2SB5t+Ip#YaMO@*t z1YTEh5?9uOz1m@>$rvqDhoyD2rkV|y#6~pbk5Owf*}U$kyQxNu$MSIYF<5>L`11w@ zuk;pLqvnDtyu)7i;bWxPYh(28+>UKlGkC+*Gb6IbhtJNhH(Vl0lf}2~J@?rh;9f&U z#WrqiT@%+hm{)>!TF|JNKbF$TM`nx;K@VcC84#LNB9`K^_*9@vk8X*MZWi7KfOi2| zEO!u<(L^wbMVg#6*@bNWKj1)ZJbu_(rOAl$y_FCA2Y;LSSK#=?Ur)E@<4Qs*IQ~%> zZ#%sLS_(dCxEBD?|LDm(OMaon>n-}U;`VxJ zl;JtGY(4!Hwr#aRSN6e#dK{VlibxFb@2DDGklFT5KB_{N9YYbU5)Up7qbVN~Nhrwr z$4M_3rnd>LLW?9`41G41fAFcLVq*2WV!PAP8rIrMw4qQZ<-O;+2&@Mil#_S{v`gH= zG2RA!G5a4tudj4LTcLC0_xnkxM49G+jON4@?RCk9qFwo45z0KS_MclWEE`GQVg3V6 zN-qo~dCX8qZdjvlmHPSb9J<4?`cV1vA z-<>z2>I>_AoZcb)O%-X_SKcDpl8`F1%(OQ^QxwQY)U{8XtJ>(uaSK-?`LmL|wE#ol*@e-&a!&i4;H~F^lg3!hZxmb@f zZIKojA90u}Zm@Nh>*em-rg+iOwrmZ|H9dS3 z)O3Z<@b|Bby5{4JO||{9tJ|uHh*NoRd|pf;fUEh@Cnu5|rlM@cq6JK~rbJj~8am0p zChM_gb}?AN>!s5aE;Lr$-SxuFn{pGTa0YQ2AcH(NK@HoRU6H@JH#p*qtkH6->ij12 zvGbvKD=!AV2S}h-TL>C6Cds((J@N&r{7*ocA`7v`;NftYi@}U`Mv2u|*GPq&sTJEq z%2JEZ1;vRYXg{+ZkZ(GLq{UU)4J9Mh16Tb#*nP_cbtsQ%spU@RMa)-BTng1tLIaO` z3tn63Q{MX&o*rd13i6G_8d=qM_*>3`FPn zi3ivp{Dzoo#{$6e>Vy?*54F?BFZ)2;MX=0wrw@ecL?&Ai!=*czi-zkTy$JSdP z5<6{LUNq~%lhU15qTL8LrOnPHgEUEZtjN?Yr9kO!-luZo7*H<6;B4^WDkMxTTDJ0@ zM!Dh|PD*Mp|(@W1E*^9Sf*8$j+ z3^5Q`uDc+rx!y@&)@AWOFQjui#g6-D=ySEI{_@MnET+zJ5Y z{y)CnF}kv-=^AasM#r{ocWgTy+vwQo*tTuk>Daby+sWPiJm33``{TWLjQmPY_Sxs` zwQ5z(nl`FUu%hQSu%3+(?efFXe)xpMpKSX7IOj< zp8YwS+?XGfnxixQh_Rw8)=Ca+KeGf`cv5kKlv~3+0uW@OiHXm&)}~R6V^rhEkMkJB z&fTV_2azBl%P^%ON-ex^O9~6WA|)VO!`8JRy_{4WEssaWZQ|_-xG}Ff9Uw39{RoQV z;wX30+oK|I(Ew1!-JQxjda5WSWkEk3`&~+%)4keH%R`>3@r)RRgu5dgcXY)A=&+CARC1G{qB#ugTSsC&{X?);AkyO`y8@su zfq$Obj=n%js@j;JD2)hd0|_RO%LysVs4ADZAjAL+uq#y|LFMq`VshmKW+~7;LrS&P zRee3`f?}z{);JzF$f@u>!}Tu>Kk~lC%6yBvvB-?BNk@XEhUNSbhj=F)tocIsvHWZQ z)fuh&wAQt!s+9C+5FCa$SsrDmdU3X1DY 
z&PR)QEDo+?JN-cVmee0G)BnpdEDez%`%}tW&F-tBE%3Eb$+`hC`IU->9%4?+bO5#tu%RiNSr_9(vx_zA`EBUTWxiZhynuz6u#p6DxTngJd(orC}hH!OC+|cDZ-xYc%s4bl_K+C zq)46jyhXiTO-mOY9p~=34gRj_w-OZ0>}VWs|6PgizHgdS;;j;2C##@TOIjG4OAVl|&_a}<~*ij4_iOi77Q)N*Gx8EHwjWV(|20CSuEy~huKoY%+d<1}@Dw5t90 zh%Py&pph7!lc}W~|70D7;;ElhEfWbAq=p@EEq7nf$te>ALDgpn%Ah2Sx>yuJ_d~-A z3UI|MBb|w$rA+iW?0fwK0~xq7s6=4%uHG6l2X?jsuUtE@|AH`iBKpx5;DsQ5^Ajb zt$tK27w=&)Fj1C)S%-i=K%PPR)92?8m#cU;vzg>eTnu~@DK%wMs! zuUMT<-kBdbKb4J$mv@|(T~8ZYJUP&zQWq2Z=SVAZzNU~oR(OPDY z4m##zWSAR1ojAH8brFJKMs-q=?P?pcPb{`-_vqA#%Cp)tCtM+a9Cqu z=%`qm%*Wi-&T=z0*g{OT-5z=9`dFe#g!af`Vy-w*P(X!AMD(F|Qd{J3Pc|*_Vz2+g zc=b=%5Ud;0w2)xQJuxDGL&>=g{Cfd8>m^;DxC_%=(nOxke4Nu)X|J{nwkl~+^VN;* zD)0=xsqaOc{LJ=Z`-6^c;*PKdqS+w|RkU{&#~}fgoQ~g0W6+v1XhJIe?=GZXQF+Oe za+g1Em9bah4Nm5A>hG(YMZ1w8B`05BXIlSP+S^z24c8q>On^1R8yPDlEb)n2o*`C|7+tiPdl-JbN_4>1YFW$y!NidDU0$FU+6rt86F zTTyhe=8`I5J&M<_c!9~M{Jz7j*#@q!3mC+OoU=712)GAWe)-KX?Y-{PbMrnCszko0 zD+cXOp}R%DtM45Kl1*~eyOKd&EjfH0DpZyrh2?u!eYhc zWb${&jQaDM5L5!P=#wQB7iVSWC4|f+R~TA@dpZ^1waqkIalJ^bOSUTXq}($lBXIa0 zzTRiMXC0#R7*KE-Fpa%h@B|hERI85@QS9->4~wkC4E6D+#m?=!UR&S9!E2J;~(J3Ri5@QUARmdcHgK5Wb_qlm&zo7n|}^YuiOj{ zc6i5gf5cH${*O!V1db(0d_-u;7An8Aoez~1iOGRPT5M_}2NTNJvwebb3K7k?vUv)- zVsFfDSn#jzKgd5oL1}OQdGx}IY>gJxf{sdPwPdDsD1RyIa=wc!kfdDGN8$iBYL) zRp@@XeoRSlNlo?>sWdEAs`KjM)g7Th($8BqlITI-8J$3-J`|3lZvk_2{?9P%dv~Ti*5m1noG_-*s_WI-K}=c zFCF_y-Z{q`Az(~y3@#rcGL2Aqi60w(WaX8J)jtMJq?KZ2s~ty0!ZTj?gJ|1AnXRu4 zU&nN|9w;0apjEHEH4ywwe2=uBg1aRVK(@Q2#6ygC2ONAijzoCKq(iWNPiD($9Lpdf zC#7x{NV6D>DM#OPGLu~Rp^Uj^&!V>ViK(!=H{%y=_Cz~7pUANoO15>dAL?hG$~Ss0}98d)On2GF`fKrVgge_o8!JU`X;|b*JI9A+Tiit6#Cpznj=ytZ_2x)lTy5CBmk(QVq<}_|i*2NTh_HK0jsIk4VarVL z+c2`W1RF|yn^IoFlN%?n+x-1;nYVa6#St!>bU{X;>eM8c5&L!~5kc>hR8?d@4;K=#+)R!_)$6l>u~dD zW!O)8P@b!-IsCf|4yVg0N#K?H0xx=~51-K}b}i3`2fT+;2q66awEVzRw#nCT#~vhT zz`QSw?>zlRpsr?6rYJr+M&Z_8`o+0HYFG@DUg)zYwqR7fa}TRC`Rc2nan|25LFm%e zwP}T%LVMe8dQuVfS+~FV8&Hk>h6(i;X*PvJbed_qBXD={ajk7yGE`ilA>^n zI}gYW4yc% 
z^j4u(^8@`okb&|}{`tzwsTwy{u0pu2USUxNaK)a{eCIClH}tfzirE+`oTa!QbC`{Sd=csfjZuzzMNo|K6~Q>dEQ<9L{9+2dhY)vMe*((mug>F&3` z7H}Z<^HLAhdCdsWzJW2A=*yNa7b+gVsEG9I93*O>0%NupPZUfd%mX#}X040Y!gMBb zeEAp&=Oj|0z8J8vFw3Ie#vd074zC`hc&xTUo)shnq9`6#1aw@;bpw#EJuh*NM_=;P zg%e2(mHCzVTRJn;6&v-}U7@nz;d->}!OlN;%DJ=rTO#iej3%nw!&G{cxoc4h3Zzb! zyCj!X`H+4!(WV%~$~-K99*T=3c_WY~i+4F9_m7~FEus}K7DMuP53+|qyZ!i47fL-0 znB3PQ6BwXgiMQRTrOD<9bqtp#-@@4P4Tf_tv`={xWZjoUW~2`$=oB%So`G~iY7TP+ zrsYervd3TNy4??efU=Q2q@p>+O319dH?C{(s>jNspzH#mH`meduUo$Db4(Sn1C{v6 zi;+GS_ha>ip%EP8!yYM+xPoI{b3lMm>S!sUI$$< z%C+BADZb#MS`lfzY!nNNGM$|h9`^kO{7eXxS;okg+$CDLe}%a^YcdC#ZD`?RUPeg!d^vIBlQu$#dt53k`Z$W!tdOb|+t^s>ylIVr1&D2|2tY`v;drXcEyzWlg zt=iMQtx7@a6z5{W;h;f{&_Lxe@QB{Esmm+N_auoeC>6VV8M}xv(I^*e2irMg(n?4t z_RLC74kf*8)S%NlMsnqA=~Ksk{0Q;~PiNvs@bB_F(k6%Sy`lq@s-Bv-RcTK}ZI_7` zXg7Nbup7vU4bwG;?>K7W&o}%?X@5^g)KKq}Wg^v->BfRf8UHw*B{8GlW-7BUpg_B!iRd0+nnkcEe zTP6&octFW|4TNMh7y~i_Bvhf+J59tUfW{ScTU?kW?JI08Ok!g}jQtECN6AMxZ|g(X z=B#%z@k`D1d8d~_f7j+Pil{ZEkA&!mIlCAtG@qZSY|psBPZ|Te97-ZOLE?8R#*I`m z@iD=Oeh*EYO{Dl1eTEqdU;7HIW6#7LduXCPC!L4X%HgL- zz)4A<(F){wnRb9|laR15gUtrFho>jraSI^3?jI0a};OxtAfYS)&F9OkSqv)X?1 z1jpHJNGjFKxZ^5Q5sEqCOMbR_*8A0-BKd93cTV}v9ae)!mzie{Qz6#iOHM`yI{U5X z3l3Z#4+{VlJJe?^VB4I_8~)AbeOgdc?sm|p%^ScxI!YVw9?A-NxafTgETBkOOm~{_ zOS!iL38Cp24t)-ocefFAg)Gs1OL>l5;2dt?W}&97b{%$ZemIdr{_#UyAhA9k`s}A) z6&byg9BGDjY22bUgG{XhF$`uIM0lCFG zZqzD;gfChD!v$bDJe_7r*-G}2J)u=O9~U&w6{cENT#+Vl>gPtqdase>>aGfcX>PFZ zRT;^`K@k5YF5veZB_hRwC0ObkkpU~?xH4PxKnkecMz3i3U0qjqr(+L>Fw>>F#1oFr zhn(ur8D~mLwkM39MQ{dH3W!Ra(#T&lNt3OkP~MhF`Wf{bJ6Jr?#EIPRYuuigPMqm4 z?x%Xt&*6bbS++V{Z9U?NOz-C7@ivyE^E!QvtHjWNya~%|`Q)&l*x!4=8T#6-~dI4#6IrmXe_pO-gtcQ6VW0paJ*pFYJ1K<57&Q2!cB=ZI@>=WeuKmjJZTC=?5& zLI%gO`0#u>JzqDNY%yTK05LvD2nd&8bv2T5?l&`yMNoqt-US++!ER=@)I0RCqd!(9 zhD1p&mexCvNLs1aziCW9nr#w?#ksqsCsF;Cs5}S90w1N^T;{Hd(x16sozHe9N(S0_ z+?Z`ZTXW*^P)eset5;QcV zM=jpyuLj0D-{$b^x{g7*hrF4gEslW9?Dq0IT-ytft!`-*u|A+R)tKK3r>8Y^PsT@> zlts?bI7akB%G5(t__fv1!JfAK=5k^>_2vrGETB0zFHIh8%C5-b86NyBA0t(e#Uotq 
zfI_wFLTaJIm{fVkc-JH6WyQ2?Kb2ekAY4_kI>@zWT6sztdax88eA%b?H4HxLpYe9L ziyFD+l)GUeh`w61T;c&KdbA;rY-+(qRxt}|4$9iM z>37P~rkDP)GhnGqid9q!YpS%0?0i|;Y=mvx3vaRP$)Br#N-qLyDM*4v1Gj(Kbbj$S z&XFS#qzKi2p+achCv|C^yT?YJZ0O!>a_cI}RHq+Ky|$+=m5*)-qs56Z6}g19nG3VU zs#H3Nw}C!Gs$fmBqGbEr{nGxx-A}qsC03)1WM0xj$VL!YLX5GcrMX7$1mjtJSVL{C7de{QPR3H)Z3)_JLnC zqdA4d)t^a5>7`5w{k>S*#0v5F5R(woi67{F--dnh-!cRQ1tH<#!T;*gBcP&+Xlkx` z;(gYCL%WiqR(d`@F z{s5&cV(W*Z(4znly9>6I#X$bmJ^!iKC)d}tlz<#~QuB(E_}`uQ;s;ONSE+iG?gNvm z@&vy4+{oQ!?1;_4%Yl5V(wm1NB@lSI`PF|e3tUfH|Di{8@AOpizwR6Qe++?NhHN=j zT>=Qef8V6cR#Wxb?#I8kk+?$occtxRqE%v>|vx_lL#hpO9~-2 zfXGDcZ!(H;;SBT}pfW6-ul5QT-jBB^db0YwY+iH83Y1ADW0xU9W0NrvR}l?#sPt`! z?JLO$TGDwS{f@<+gJ`3I*qRCIAL|LM*x*{wm$_3SmDAn?GS$(PZ@!~?& zOf~&0O@3YvGwtl`T;1QJBoIPGnJtv7H$NuRQ3^aQKA$lqv)N=8L-4z_w|R{XX#QCK zmQlEL-a(w#J#>v?;Oe;}&q&!&^m*0UzGoHTAId-ysnvCXe=tT`G+btiFMQ zFjt;O{b37t^H=?@#4I3xP4}@LvAl{mlHzdc z`DB5$N}Xjy`@ml+C}s$2=^`v^)x>c`VL>3rA-`BXq z>{M?Lcnb-dRcPhf zV4~_vwX`PB2c_C1V=ypa`5Qxa>4ya>3{8MYQFOZj++`KV0LQAx9WGCw&}k=hKu5eT6DkNM(~WCt)?N`H`!mPAa&8bBsT%}a{b3+ZJ2BGzaX)BaYYqc zTei?JG9p1$oasu4>S^?QKSBuEI?v`cSx;j~61{*?&A#0&}*U zgwa;1hh(!WN~qC_>lYOT52%*|TMii;o0?MSzcBz&3=jz-??;NupUzEcn8T!x5byAe zfya7&e_zKIhuVHA9WEcX9?ef6GTSc{73Uk6iTR$wB_?WFw!==H(mIfmnRAr?{ z9y@Jr^dk;Kc$nbam@_uwyHR_oVuu|<_qajJfl(NN+t;{7!&#>p36aL%f>rtUmd9dX z6DcFDt;lwEX~!I;rQRt z1_-Okg8tFwyB+#OnG^pe-XzxXhq$AYPzOO_7A?Jgvdh@m6N#i@dyKhu>O>@R4zo3> zq-r~IKh^saW;m!q*E5#(vy0FGwS)?O8rc*bt<>q2P1ug#SQ(&80g(m=M+fYrN&6m2 z%Ws!wU)GR}>B$a2U+CV#dFRigZ!51(>-obou3-Q0h3D4z9R-sMEb0s`E+zrY<4_Ek z{~iLkbbut(unJ`bK#X{hc~Fx;D(yfnn3r5@c8p1Dv&ki{GEq8m6G8EghyMPAAVMxS zqrZJ@DNR=vfmIUy`HqFwlTjEJu35X(=)V&`9bh>nF@}c`-C@NV;o_%_f1eL1?-)eJ zB_)lj+AtrMA-N9`v+AKooF4W6QunXylG$#q1Z1h@F@Vz%_=&=7F@%(plo`mI&WR%+ ztIFQhu!b`W4Hs$b8Ic#Uz!-V$FgLJZ)>pZW^BbrEi_nscOpIBll^WQN{KErkFGOF`P`#nwOHvn{MN`#U!iIiw*euz4wL^^0iW4UK=E zT_G<9IthM=+}K`Tw*{?^0{#cnfv>h_DM3UU2V*2FYH_G<{&Y6YZa@`n$ahh?nb}9s zI|(S!2N8qH8E_poEVxr;T69KvTakgWen-LMX9J>6Y(o$$X|VA$pT(0$bPgl1hK^n{ 
zMHyMAGd2%)swl)wYu$Q^5a^%`f!1qd-#b>u`ZcPohJk1TsISw2Y z&Q>{wYP1T~aO2GnCMEMzSq^ZTz%a6AUG=cqNR7%7A92sW`4yC;2DB0nbW%99_MB4@ zzuZ-8V!*;nPQ%?mrp%`}!4OuK!~QUB7Hw|-TvNnlS-0fmSN{;o~{2>bIbhj2{9PiVR+>+=V;w=c(*_WWKjy5diFcy z(`S{l4b0ZppXHqXmc>F3u#~A)4}@M=txu^B>9Xd0F~kyM8+BQU@2>L1Gq-sO>;Siz zWf=m8$6^|`BNMwd_iZaU(s&|g28w;eTuj`EfB?|b#i~Id>qS8DX=-XJ{=x481L$Ng z&Hq?;2=K=1t@#3E#=^o7J-dOGYeF)_ty5?F8tkVxHX9_vedDusVvegwY7>|ww@`x< zD@b!W1f9y5GhQDP zPI9n3ao8%L+`pTi1unrNIP+2v_$z(+wyGK|1xVi$(M7Ihky?}h)slc9c}I&ZK7hbYlUei9p7$n;su7{N#-2fgJD=+t_k{}g8odqbf1xH1JlfP`}(gP5J6CNJk+1XiW zCBJiHDrAqhZ|qn|#jhpPGpVkD%Ar^s6s#tfHy9JKEpIHgICZjc8Rhbr`^u*VTbgHd zVg3Zey+H|LB+Lk0bp}1wva2LoqVimF%2;Z?yRtR)4>C^9`JX+XthF3B1zsyMmq-t!bZ1 zTXtJgeXE>16AQPTCAz%|a=jI%AB~l6`Y7C?7Ngufbu+J6A(4)f$>-@>h zcB(p!uBf2t?(Qbh7=#i`#eZWO%g@;8slD_jJyAp5*LcXb$y#_?8ubxyds9iI)f^~{ zlPjBTYhSE@+%KeB|>RXXiLr3XyTE79I)7vGrtyG zLP6H5fG@A6@Lb`uO&rMOox0zhPlr+#RMxm!g4EEEF%m9;s*fMcg~p6YosOGag6g`P zd{eM*LG1{%L9No8WKq?)yBJK%VWFr1?Y9ktts|p9JyhIleVKl__wsiv6+B)e@?hGt zU`%5XLn*wjS&7`-P zGCfes%E`$g+#XKSy~HbM4gmlJHupF^L$ZwHTmd>vjx7+^53VAT@JMel-7n}y~mv#7_p50N5PX_Wxn8*Fj>1oZM4<} zd%-GFTkB8xNagV@7ODUPdv9IuB2NEivAuMS$@crj;`KS-{E9dTtUA~<)D9PtBW|ot z?196HQ5U)+;gR#;zEVec0gtn8+XSF>XxpAC=(a)_C>`F@G5Q58p;P>B*+vdcH zn6UtiD67>$u$JRW`vO*19pCkQvapgiLwsO?gb0Xu>`(FSz(PnZokhE+LkKV}c{T1z z+}da6)5Wv>`$C+n=7uB`Xn0)@gD)@cbLubKfI~z555c?(2Xlu+$GA#y54*KHyii+8_J0mCslH}5>s_1~Ajt&C`xJ5z0!v4b;dJN=n?N@sP z@$U(;^47?FLaOh}DPd%R*x+mh_=XUXk`@ZF^}l*%aM+Vxi8>1dLDARGPgqrW`&hWL z+<-c(J{tO~Uouk-*}Ua!iGwFq-VU9;WXaHc)?r`m#xtaxU5J z+iw15i;3*@uAl_SrYn~M)XbZzW@d|st~6X0`R?)&v9%rV(}ma>OJ-*2Fnr?RJl4OoOzp^CLj9MlOLJ=>yB=yv}OYHnm zXc-Z^pA>IlnZ*)Nv5=8+^Q`N;#*#jLVKO;#OPqod-bG`)T!4nr=zx^be!tgfHt->& zs%ZpSR?AYnPXTlfm^5D7a#WG!$0%!w45jDeFwm_eCc<#I0n$`7FVLFQuE5M`{(N#Xd@Nqnw{65h4PVw}e)| zRvGV-GSbbqMqVP!o?y)b-*ZyVFlRK8-%7lwYRu#*RPR5^$A6r_Fr@{Qp$& za3KFv!K(}vyqP}4@^p=5^OVJVuOJa-b$z?!)D1f-T7*|R#l=M zy7-D;O)$pL78&XfqnNepeR&h^)ifl@h3|8-lfOiO5yK*pj(IDgw>+Z+ickjp;t<_i 
zufgU>3(#S)m)7VJ?(^^5ckC}#mS!M^%vZ_%Z&khB4a>wyYrQ^#bke-w?D1= z@0?nDoJf*$RI(EehpLNEz<5b`c5Se~9})17Qcyqwtf_=)4Ep`lw!3_MzSv3sfZF}; zG@mv*;Ywe}8;M_2z^2a7Rqb|ZMNUUxHiEd6^HoO{eKdPard?@0)E>*5pkr;dS^aw~ z)xL$At==tCr~SF`A!#-_V{AI#aFp^m0_Q8O!9yl7xBCOplzNa+uhU#Am!GUCx|z;m zs6S5GvO|x50+}gxd-0yW;dm)%dCiH;uf?}ST5%_Q{CXzs?vkqhPuj{nlM(urznht5^L0Y0Hy)fYnZwu27O=tVYyX6N2EwXQ(+IYSo6%gg%@*Tuk~prr?@))F^so45>zh@a=W}-)8z=a`GT+*{7_X^#Hfb~mqDCWJ0OfbC1cQ)! zhi(Pcgo!M;!w262kG66o$KFwe4v{aoM%1=0+g7AeamlyioQ-6v+5N9NSH^=c?4y*S zO?)h;@q;z^1mcaAPf9laRb?K|Lw8r*O_9+14x(y2m#UU0^~QZ?&ZfHwc;uF)EZHUN z@Rl|+KBcUWDU1TOgI$-@owm=JMtn2|7ni)u7FZK!i@tUXrsTH|h6CdEPsZy`u~hY2 z?{pja2A(E+n$8|?=6ViP>2MpqGe#C$Hp;wR!sn4Ui_oUBgCROOpVkDUUYe29WwaTa zB~q5_W{tGbgv;s_TGa<>c4tSxpMvIl$(rf1} z5VqvOMrSsj7Rv>n`6yvjvrd?A9EC*$UVErK7`1v&@D^(IY_L)H*X?9FeMQaMKIe!r zzW^;|eZxD&YLDmN#uLD>a1{J#5*-=&6g|Rbz8UBPduuq@WZ?F8u*4ua7Q|jixX`Kxd|r(8_+TR@ftI1NgTMJ zRpvo83#$o7666C83GwyqbhiiN?t6z7I$a-pJP&L{M1DZ-1F#?Pn$sn&6X}7}_FAvt zN=&I?X{nNI6RVVxr~iHZGI{=O8RqL41@>xfN=FUXvujx*FSN;xhS8`uxgq!ZO%nN` zV7t>siH&RCC$0H|CyI9)b*zk~$-Ib*{WP_9MKM|(8k93M9GvmNSc-7gQ;3-}D1d+b zZuBEJIGtEg%=(6uQi!A3iX!T`NcxuP@F-lecXuVbNYZO*jVYoq+dwj?(5*1*b0ec1 z!r8P_xj2qDs|?8yw!Iq=Q(ax1OAlBIUT0AkWn|#|tLR%vQDtW2(Fa1C0#Rg4Y%DA! 
zfByUe`~d_6B-o<(>ZdFl{`>tOs?X$47ep4OKgA@QHRGKW9enV4qkO2%nO@HYqAMx> zof4{~;UoGNJCl%I=6>FzNf^wJ%GxhcptQhF&+P#v+XWmPLql^#qi}N-063@UOOwo( zy9ze6_7l*!Yp^j@%K82=@m_o|lk6YAD{L@&LE5vB7aST2*cg8E>;Cey&FTE3 zu0j*O%+^EgdZ8LvUJF$^I?S}?S2}tSR2w+*)Z>H@pTl?k-t0CZQ}^|tpr8!iA0E^F zatQvfrRr|PiJVw)WZvG3jkgqo#XC2IX|#Kv?bl;4Zm;886)V6{+_pQdv1PxuY6@6p zmEtN zTT(0T5OtlpD>+V@cE0?K%b(?UdGx9F;uFndbYv!c4pd1QwE2BILwRX?40=tSeFl+Q ztMb)y_LyWg(w&E1+!7r>g{IbNjP>pIVgZ~jnZZCLUadP1mr$U#4dq>Hw>NhivSERSf+A#RSDSmSlNsNhn?aW zeq_97oz{sYsJ#*E5#)}^TDYcQTVgRFtce(8EY3lWWjE+SjuuAY);eEl_)dPJ4=^S1 zx$%JJJWx2(Kz-xq=O0UBlU;k_GXgdjU}l-LKbmyAYSV>?iz@>xgX)F`(3`=aae#fL zs_hyuH6?d2ndQA%avIRZV`Rs5fYsBr)ayvXM@@pwGxV{WH0+jZ>k#I@Wa^Y5(euO% zui7$DviWf9{stTG-CF7I%`@F`MS-mKualR_2Q&ao0KqU}WaFP+Y%M5MDqns?sQz|# zMk6?*sI99bVrH&4E!PBWIOU<$w)3(7VM3*^J=S3Xhk{RS6oB{lNMeKt=c7eDawFXFAdC>@D*#d zIRU&f#j$_i%2oQ+)fG8nvrq1|=p(>B0|-G@(`r>*-l(`**N_}QHwXw6`iB!4!e1@> zLs81rYI04n)gCX_g*`v5lo+FEjdy(QlWUQms=Ih}CanX@zwTb6gnN1tiZW47cYfNw zbnZnofRr)>G;4L$5*@%al~c~(H*-XoH|x2o=0;DS;Jd$Cg5kDzFQ;QVcvjKzXef8f zD_$YkV-_`0@4jZ`u_r1=Ci1+@6g9v*EsH)G4=oz9S_J;qrAdpzyf%BK#R~|K3-kOJzI?+ATX0#W{kEH{zFarMo7)^NG^{x#a-(QNBWDvuM#xfE!8e9!_UL`t9b}2O%T5mHX#Tto zhy@_uK0F72>3g_k{FxWUOPN|RwXl!~5dTm?YkDrM{w3U}jwm0Mwi_vNf@-KQrZ$VQ(-k9v0#+j};;w-Fspn-h{EjBju79$s>(; zcK+JW*?g+1Q@C6EKKx4ZFpSLs3+XswofRQwsw)UwT|)^2M|;v)tg31Lc77- z=W|`^%n0rMh6|1}^&5(~j#B!jJl|yqOh)k~#)KltsX(9pfIly;o-syG$K@(654 z>_klg5eB;n<>|>}ktm53pquI^T&5?5yBs>BKze_+Npe<(7XphZbZ-yfJ6GSn`W?{M zn6OyRQrUT)lJC%M3OFW2|8F2z*G@=jYIE%l@`ki{f5WKZ0i3yv`Y0cymINjELIp{| zvMH*^58t}-nd!+;-uJ}nXG44xlBvaapX0bz`Dp>S;?~-Zd#clg!YRwUZ@f@;A}U-v zCi6jFlK&5DZyA+k)O8CZNT;+k(kt{rR5HRoJ=b2+wEk9#+!o2_K>_3Db{_KG%SFaI6KC)NtHG?uT~ zm4Q3-uSBI=YC9sU#e|jw;cNaGmYDE@8_Cz+tYglYG7rZ4d?5g*{t_S zjV`&^f3KAn=lOQ<3x-Wx;voWH2ZCFfZf6F$Sa2xP8$g(#fopo>5v18oMw+%ce~pb* zh^sXTBO3<^gW^{IJw6HFkL7ty>VFI*zd*8jfe(O&%gf8lnH}naqBi;9m2%cE^;nHm zftyZZ-Lkhyvzzv@=VICQt|}$_iT1qnA`+-(LrtqE zzq}L57&xiE*P7sICbmRBwk(cF0OWPsLZbYbw#B1Qq1ozIc!F;@0I3yL-X 
zFx^1^#=%jkgM{aoB?0lp|Hj<92cdBT9GY47}?p`eHs4w zQ)WGS-x(aaE*6YJXYoi+@(a`-pMYwTot?d|`P9R)Qw|8C(B@Usbh+R(0U4-&v2g`t zmPTb|L^1V=fgLO13k{MHCY-{dW<0 zFmHTISA|xNDCTbZF4{1OQWGet`aV@fS>*qaHYu|BlZuWL0@QBhTkSDQKff%do^Wke zxhd$x4zF&OQtbZv!hChH3EM6@6w@xAS~^i!gO#$(2HF@fN=Pay{;}!Y?8WlfUAz=sRM*Ua)xWVCcKAxpCy&48&IS zYkDdeFtv)GYm=&;jfLXI@T>R#;t6}Q)`tMK_zgclKe!y_qmfY_ z!i#D=KELt|&SshfHjl-`3s#0B;~o2} zWWvc8!gdQ?}f_9Y-KX&T5++r^tzk`JNK;w?8v-Po?mVx z>Sln)q{pq<)uFIhe#29|EEcZfZL_M$n*^{j(3oXoBM zX7+xGlD8pG2_~Lq5^(m@E^vnA=T^lHkTv&%N(Im-S z*odFl$quNCUo4MMgoyR?ytNrHUCKUXt?&Kj1pe z=N|^}dyto`Rn|K1tAZMJ7t+p;i;J5h`a1jPz<|_&McAcd;EUVi8+?OK0-X|^tE;Qa z(b6X!9g?q&Hu>P>Sl?UcUtL|$=;-Jcvt^%vffp?Dw$naBr(+1Qt?e=9?{U5NdhhYW zG>5_84Z5y)_n&PJ&o|nV0=bxyntFY0?Q}`IlaY}TxKUr8C$Vp<(`4uO=Z|s}sqk1B z4nvqGzQo+4m{63cwI*gqU`jcm8g=K}MnT5kyogi13*EudD+arSxMd#$nhZpsVOl?8xQ$78VI_Dr*fBQH{HDrOta`#v zw`q^=Cw*^-GKaCyEG*^$=a5zOEt*?xN`L2Y>2EgL<2R$&7I=k@+K5oX{)tXQ3?v)5 zl6!slTa z>~w!)W=6A8@4oA{e#>`jPtr-_7v)E=7j=-wxGvduaePBTD4Hp(x`EH_@LpRB{%@6u zV8|kx@!3YSqrB)x|9A`(Z#b>h>T|I)F3D*2trM=ea^8fB_nfDfnynoQ{B}i%7{D6tHkZh zM{H87QKBoXat^01ytX*=?9j=GqoSg~e8<`Gd9=?;Qdqq&;JEGAVLGP}yJ}KWcvyPr zjnT4dn2@^cujR^`Rc^r_BUIV@Im4r)RNUN2fB&j8;)bJyVqmt2GazYatT@W6P%<$^ z*41%j`q(~OW3VU7KqSGBHmd|xot-%#At6<%Gj2yj4;r0utza-|V|lKmjT|Rky}N(Z zK#Ad$Hicd{@6h?#mz!C?*0%x~j@P{|Y-coyop3Ie8!_yUf=$6w8}2eDr*!&0i_=1c z247rUj2|h<#?Jo8oR-!uS5{Os&?p=-&JiU<>Cc}n zaJY$x(cr;>W029LakQM>-CfL%z#kJ}I1CsV8I1tJ1O;xAQk82HmD<59XLPC${3lf=vwEK(skEt-}K@5G}ENgriGc=uQj_>Cq6m`2E)g@%YWP3O6uwZ!1mOh8N+1H z*cVM2J!zJglhd`>@%(tbQka()xU;h}yXYh)I6C&wpZqj3=hS46V2`&$RiS#Uw;Qod zdzc{p=jxf_aa6K`(1WTalPyxdd~M~~EwD53?WYJ^*Hf--mHoeul6>Pw?6H3sFb^eC zEN+&6E{RtnjIvzj9jNmKY=8E&SE>wE?eshCr8M;X?uI+FwY@#8hd>@^HYr1m1!f2= zPz7~$DLFYbfXaTEaX{VYAH?7HHH!-jNEt_$5eIyk5|JLETBdV#qBy;9_Y zg3F6~`8ZU}d#>%HO5=F;0+g8AtI>IJzwqIf?D-!TEsGfIYpkbz=zaE<80*8P%J**# z`nmrUbspUF7<)%XBz62NB2)>n$Hr=WqWr(jCJ^Yk{228 z%@JLgc+AUA?bn0S6tH*?JoAOjh}ujaK7U5~<|>R$9*B`sA5;Z8xn?W0haYawKgr2S 
z7EZ5$si3ES$G{N2)*ZrbJcRAw=t#%HV#|8GqWAtsa`NC%0t1NW9}1`4yVWc#EErmt z?Hu#mh(jo-PnL$2-q*LjU4nGyBj2|3lJITU8JO< zVl|(l1cU*=)CJ%K^t90w!D)>B{e3_nSiITKzVr}8L`00hXYKOT)@xj(qovKNs`}B? z)PyT=sLU3&6n3Iwj1^E z8QFQBn86gVWq)Ub{vpEb7TGI#?^p`CKWiuAd3_k9Lyf71dncN*k5Dm`Ugq{>PvT*O z#?qs{a!C)6*(@yc4Nh<_=WRbK)onsc9qbZK@YczqQwQ-(b0b z5mr>|@N>m|OfcQvt{IvY@yvZ=yevR6%(SLFujb{G1K&s~uK)E6YCPV_)GbqL?+WL= zZy$$=&^bK=_afqs7w2iUzMTGwkCXKEia-pZE&>UENIT zjbb&8_I;kC9UG@(e4ohz%{z)>Cv8!%DIv(CiB9nHV4L1F1B}x?jlAM@E(>S}kT_na z6p}N8^TVqR`(sm5!g>v|^YVI*S872K%*2Em-Ycr9Nx+wmmO9!OPp33CKUZ%21>unG zNA~FlGd`-b#TBh+^1p*o`RHuC=P+_kq=VL{G#aP>7$FNP(TnbZ%Zud)!kW=JGa_-w zI0*!cUj+nCb+$TM6AWpt6;2KwWu%6;&TUh(b}?WbpGF*YU;nu17mnj9K~`?HZ(Vv& zSmc?h4#-EBqdpJ7aw2snJf%@P`B&EXSLJxiXqPKY`XJ54z2h3e^Qk= zQ;*{d;*$HE2p=3=7V5VGn6Eq-f+;JI3Gv@?=d?V312qjd%0p-zj+b2LJq{>6kuo-) z5Y3HzpO|EikUp0$-ny*`KxhwpcE0C+hct)IOLKjZKuCwDnqpBGQ|?M%;;f?Zn^}oO z+%s=zPZ_(w<9_3^QHh_!WCY11(U&MjRxlT+Noh9sHCap4gNv3G?|d{S@#sKEVvX5v zeT{)39QG$ha$)t~z|o=lHEI6Q#T=v0jyY1dB&+kCAZ3t^-qXc=TW9AhH3_=eL(*D1 z2w}Vn!D!Fq_ctp3G^zFj{u=FhDkHY! 
z(8$PM04XvvT@veGkX3Lw~|0FF% z(9{h?NW$=v8oEJB$B#l9t;i!M*C=32S9wPd^eU;L>-n{_b@IuXS3z>um!(E~iA{AjUo($v&F-brRa@!&uWxxHxK6=2=w#5^0N z4GSKKsnvK;2a=lBfeYSQNMkwC&AHy)^`5-f54irU7?k5lxcrA!R{Nw%{oT|RyGJqG z_t$FnuV+^JPEa>{ddz-#$NRRQppTa3X3a$%DPBp`ih3{W>M2Q)dEz zLtMk6XecrqX6<~$yj4M4TN(g}wlHX|%VXf80QD-pSJZLe0YvG9gx)-yB&4QFgLEt* zApuB|y0m>*328k$vOhD^QpBxu9pk@kum*3OSuT(;Ac+Hdc%Jlfxh10?K9!m&aF|k$ zq%VcnH~9tMNyxP9w(+~ne7$Mh#iyw|#cvJds+3pccnxQsrTM7SD^b2Ux^Rs?Wo-c0 zc?7Pt+N3~qIm}+K3o9vEby;)Z)Ma8IfJI$ZRS~hSNTUn8cHn!Dz+wH)94jZQ$T~Da z@pfy6+zLM2+^ooSGB1_qI<$1&!w!YqkKkh2bAngq6-V9v1dg>f&deqKYi`oUYvVS< z9EIECNc9AA0eeF{e;l$Nk(DR%KXBh#yDZs0q*u?D^8MadC%Ipa95N7X~h22;Cik zmf-&s0b~Lr4>n`z%x4=LW&kC?6x>)}4r6u1#>EYek6%BH8&v;DN%^d)nbKLv>@V7t z-Qp)%AERkXoU-Gx1A{G+Uwy_yW2dyZ1KpTPEmEpt*P2SE5Khg5?TrzbN`1Oou9n5c zwWj((g}iQ<><->56jGn)9kP!EE3;M%4#}m zisHRVEEHb!@1%qC--w4_S{M0)vlWfTFlF}s863-aIwPXCC<1wpJTi3#($DU-6S?7Y zndR~E@qRN7k3!Nr!=M3x`amH8+%wJ1%@76iYV|hV>$wRWNCQktiIOt+?vA$-+aal! z-$%CLW~vIf{h`e=epqdsUcz{6iQbvNP_H!W?w%rATS-Yf8=@-jmnCv0MVj{Usai{R z1V%(s8yZhib==!xZ+T=p_d*JcIEUwEyCYXBo#^f$OYut?@Vah+BWGVjORH-fZu#UU zaU}ezENv)#Sri>~w z*m(SwE5xl;n#x+nE!U+t$8WJ`0R!!o1HGQ7&W%cKXC(DWb|Q)k7s2aO<KN+OSMxDpyR3ML<$ z-c|hf+(oc1tnnhlE}H?iq%#XY!5y26n|wtJ^>=-H8#HU};V|yRYOhfp3kpyB?jJt* z3*yt3dh*a$-hHjd6()_X+@D}_Col2kYUmQPYO%gye%^i(+j;BuEyq84UTfYjyKzM- zgijDAHe{M9N3gwOU-B^#hjHcaFV4ngnULwVi%##?eGLR%e7)05t587AqAL%8251EzJ-?n$fk_4^djL_+o>5*M#a4>KPz<^Jkm~<&k-FsAAy6HJOWE$ek`D@F)y~aXMcR&xZ#Kjv7w!H(<@7wI?q%P}qDibjn7%NQanMy(Q?rrdvahe^{!-ZR<>a^A z0!>ub`5>{f%iG^OuiBeUMDVoWxvESa^%v06M>e8Y#6a$)Q+cFJOicE*Nh?Z-_^d)PU!a(FXy5YM;z-=)hsZx_^uMEYx=o0U#iW+`3H1vUfcXnl z;>ce>D0gw;qK-pMmLlufd@j2@xZXsh&ln3ashwx(4(nbcgCn8$NUii!^n zr;?vOA%blG*NW?ymqt*qU84Rco~UTjjfC6PI#jU>;@UW#BZy9bJMipG1Rn{o;Dapk zS^yFwQpOOsHN9~HepAO9mZ&LJp&bJmageRz0yaCB7AbV%RCq=3|w7yIQsf;1R$ zYiepHcAWro)XYv5m^m;uCREr$#Vr?jBEPx0iH(i@BQvcNL|0B(1U0mBcz ziP z4;yv`A_B??EEr%h08_0ECmD*{_kW28IXO5oVd2b|5-v409OSF;Ykjul0WhOfRK52k 
zBPQp(sN&4-2M(>P@Yge#Ih%2xlhA=J{Ytg9Otnz_zF16yQ@QNNsS8%+0*hQ&+JM+Q%3Hpp%b*jQtcYOga z3#zG<_u`VK?fJ+7se^Vco;p@t>^1pk&PCl+xmmoKKV`aIO3C9foyGnQ?RS$*?=S{~ zL`Bt*aR>>+dkuc?I$`4BZ6{e<2AP=yViDM5&Rt%EBR%4G14Zk)PBTj{NU+X+<~Td|_29+R!N$)=Q&{Lzhy ze3W<9PnJt=))v>-pEus93JV5xwyAuGW;NVVI){}`TxfETkw2(p`FBieyRNPbJ=o~9 zKGDi@a@E-0=W~g~^7v@TMI8Q){1%sw*dqxK@|394h?XsF#?;VAVsf@&Yv?GE zRl3x}FTIkrYv@9T-@V=&5+E z+-k*@dcepMi2k}FncdWb&;-mcI}rAYMUf{zgQleaA{Sq>V0=Qt7X<|o5NANA<>l?A z&Px^@HOX@KE?KteH>lQ{q9(jF);)32r}fp0AB~Se)LN@Lxn@eo7aWp0G?hPJwVa7a zzlM%pa;KQn)sSEFv^0z3@n5|pt$MuU{WqR2(p4YO1hEVCeK=&`Tk;@eUGW+SJDg*u z@ny!stT3LqghPAWu=Sc*Q7_sm4xiKyu9>spX#LFJWs}H^+p3<@0O1 zOZ(gj8mFR86cQH12ydOH_4o33sCanM5!JEJ%>Qh1G zUe3NOcb1pVud6HX9V6X-wGh!JlO<)7$6eKR(QJc72UROu`Aj*NS#RgiAC`Tr&a;_K zoXps=3h;N-s1#$~q2-opCw(=WW%FO9jVcN8rz){N-^vZWvoVr+j(SbED%757eKi)r zasB(znK_(Gg4N1Stt;<@%IAA0l!^*f_x(@sm3>jf40t}GTB0ChK$wHhTxkHQ_yQ?F zZa2kp_We6u3B-u9GDh2cu!lyu3shULsxB%%wF&R32;KO4Ph{Mac_u=7^R7Rh?!iAt z3oVfP(yOR^_>xE5*2HM!k&PZ(uPv&j`69mj;xz0-LDUir&19mZ``*^pc3hrxc3H2J z;j9BZRgisfo7Tm!u&g3tp;#ly#qQD(d{?ZfTZqlY&UCWNvqY>SrQP@8+fv2^<`v2r zW^(2iIulS`6H6bIO|+27eds_w0~d0o$kqW;_3^02)lh?E2-!ehMq7{s+< zBiW?rsr^eHBDApZaAWHv47^i+GoWUOocHyE#1Z%5jp&1cfTyQB7nM$@k02El6(uF* z%|(VUU{-);78Vv(R8$1`bBwq_O2TgBQ{f-GK|+imFE64F>Rvr#bm_*&$GgpG0BNh( z4w0N0sa;22PA;lZTJOu37~Q%=?$lABskl{&jX_!!5XiGjC4l<^VjcvLozRMpDuVBt z9nZkfP}ipRBAHK>$O4cTE71oB>b-L=K<`T-kKd2HxD_GHbn15>PDd7cU(m00D)DGxPBg)XvL* z!ig(25?nwDawiZ9guF)r;L)$-Vzj^#2P~ok1i(MFVN7s7qL>&A7-9gNKu$THKK~VT z;tY~0qk0vTnay`bS&Kl7q&r7JIyyu%9W_lYEg4X6QAkFd%#UC1?3hVL;Qt0qGU~PE3Y9bmz);e%uv}Lxvn9)PRKrJNmNtBPxZQE$11WC2 z^8Bn!mYpCH%E;LG_TfV6MeNJ;$~kvp85tihY-`hklL*b!2UEFSwt*=cIt(J^AfXW$ z9-v3XtWp87(4IFxFAsx|5P2YYQ1pQa3^@SXS?=sc=4s@CC$L~+kE7{;vp*=^5ML%{ zdjAqqtN^^mLMs-k2)Y0-w{tVRsDI><7+o|05ralxmhQZMfQR?U(?oJSNO^e)077zm#Hl#FzZS?qJod9 z*Yar30JCu5!VjvAfZt>R?|PyE=*tCI>>Hl0R}2`#w?NPu2RIh68h}}HcW-W7%ocuK z3AkL|aimiiu-!6QQ%51KIxmrnR82?6N6yo&8HOS71Rm_~ZAQA2&HIgv;$WZv{Mt_S z1M5%vVNQU?pmZi|#vn{{Y_@Sy^Dl%J4C1p1 
zTXNeBb22e~4>}M}FCg(hI5<__LDf?2w42MYP|gE?<8;$#^hU;(Foyb@~V z&*;VFlrHcKY>z1{*=->O*Ld%*+|}(PYq{Cd`H+r~%hW~%55-4_VM4xYgY|-Z@3?^5 zr4!xPIq%*m+mh$)4T1kg_3T6U)dd21`)>w*{zWh>X~dY0K&WJ7j2CtTQy2WpclXi* z6fv(rW%OS=pw7dTd;H|V8(}SOGQT5u+J;F#`va}1Fb2`*CdvGQ4v1;AHX#NA$NHV0 zUcOn~#7>|0tYOLGV;poI67A5lN4!ncq2_2wbXckw9=(m)ITnM@9bj^jzfYR=ye#%4 zk@0Ger%ophY|NHGU1?CAadF{_aCzgDL*|JEjWx4R+?_eoa+uc0w|%e~{Kx~%vkE%i z;3T9>`NrJ$7{%JMvG205oIK5LaAbUXZ(#`Q`E-dJp5YxXP-t&uWr zaKmQ3;ZyW^OFc9m5`ipKO0aKS5^J)3_s5fv!n1j|ydxQPq;J&RHX_yneSK8u4);|b zP&#%S1?qNm<7bN?3Qh}Gh%C>W*OWBR86T6p#<)4@i$O3o@e$=^}j^>fVq)m zc5e@NKQL|}mWF4~?YBD?hKGga1+|&Y2uxdzADz$zRyxeg*rgzJiH$uQ&1QZ1bqJ^R z|ImhtDmJ{D$s)hk>a6MB%NsmfAV$k%43s?xD!0B6%TGifrV1m=tW3abl-xa{7Cqs*4zqM^NwKme+y#R?XRoMYE^r~A z(Q=HKNE+Sm^;NAygD z|D-sT-L^K&EL+J)rqTaV!Pr4W&Fqjo zea(_OO3mFZUW!X5w)#9`!VcmzD9b_E@ovd4!@wJ!SE&G&-+^xkq=oA)oa?i%F|v5M zQHp0&l)31|8&N;n&-1!>$(nglvZ|pP4OEH8x;zo`yHtGu2~pglPqYnmec--!W*$;y`@Iy++A+@nj2k;+u9sh6$$I5VN+Wl z*+NeTcPj@{Q5?KRm-5Yu!WF~iz?gCs5qtMGsqvF$Z@2xk{Zq`LpLU z{^njzUA?RKc&FkPy6@^lx_6NyK2BUi(z$Bz9ybCec;Hwa+|U=y=n)a7FziN^GgA3u z+(x+wI#c@a77rr??yiFR9Tb?0m%aBLK2^@KgAS4cndJ4y19^G*>%o-^5XZr#zk@?V zIYmVX;l2LzR*6dA%$)P4W<=dew7F783tI^g?W^5Nv;ck+T9nfWJ*IsfxP#!Twq7Jy z=t|Cc@1kdYAoYOr#?0Ttaa#$UwakRdvEb2fWyv0Wyu6f3Kx;UAorPyjD0uS=yBHjr z(ds3)<9OGoGWUW0d4>{35jiDw7?<$br^*ugChev%l6+tjX6oldgpyx8Gxn zOjp2Y*E=h#%xx&DOa#8cCHMwy#(!a0^hw|I^n(S?X!40$gl&}hu6@4WmP}#3Sffx+ z%ax)}S-f>7F^$O|1erGkBGRo#)Et_el#5FJ=bVI@hr~~~N>183 zqj*P~2vt{4e0~wS>RhUow>t(VpKumq}rMq zBkv@$gqOhrR5joNf$`#nE6mHI++Cp71mJbO+~Ia_S%-YA@bFK-zJF4+@tnTmMk^>f zHPwdtpVh}Eo4#wU$cEqBy>c}1?we49tks5oMmzp0Hdcl=K-cDHzV^lpTJ*jAJ@KPc zBu7iioIvpc!X3(YlVwG_R$oSDvmG~M(uF_jbV7eco^M1fqDa;ksZrbO2skuhQ?!}{ zRv_x~FER=$vl@lXQj7R`zcb_ zL7h9Wv^CJ4=d+l$3MY`|=;_BIS>n#jIBTCgI8l!j`bLMh=T-!M{|j=|SlD+jxUhu} z5pMbAhO$;^$e->?qam$OghoIx-UiR)=SNUvnboXoBLo3ii(@?>JV z3%V{7M_)D<%Vef@?+@!xZ$LOQz~Nl!)3$|bRsK`dVNplr|F#*8d-piKOm5?u#-g<5 ztC`f$o{4i8lB#{WbxHy#cFjUR%&C8nSjEwrWQLMJX1$-L{r=BfqnAEGL3yV1DlHd88zV 
zEGkBp1lHfkwN7H0L(k|~E{bp(($5uw;DMLK+i0ee z3I4B&D`#$qYhfhxAK&39?N=xS+!4$v6jm$c`P(=&^9ogA%R}`KTP)G6yTMnq2~-DW zJHvn11m9o0pH%bpKeR-iSFtr(3V1t$KZn&WDYi(${bOQAVz&ia)$56A60um|{i9sP zO#1rDA_1tvN1dWWdw8nQ{d%9*CvdpqCd&6=`zaJ|{S@ZuGHhPK(`r=*w{+z0kSc%v z?m%pa*@CfEv2`-$y@P3MYUd>nr)$R8`tjkH<2`QNU?89+nr-MwKDpbHk`gu)rttr`M*;CYFgO_V>J5{og#|q*&HxbIjiA!xR8jfz zbUj+`b9Y`uUs8GOonInszEP=b!N@`d!pU;sdm5VlLjI;u_S>e>+YYM3~fkR3u-c5sntN;(EYZiR*-AHtSeRNlQCu zM?2XRtOoG&J17S>F@OYcVhf63P-}>A$>1`jnrdd3ZGu8;3n>=-kWJ&g)6YpzF%k9v zS)-=E2uKbO_dUor58u^7GfRO9>HY(g3NvsPqOoVBmUobt02QY(vaM2W>&1!53=~*5 zc@uYc_jqvFWL79{uhQmcz~Is+0X_-GM4(pN%R9ZaaKC1W4EF_j^0x-H$*^NHeR6l_ z1({#OkpdN{@GC&jh&K;@ad9SX7^y0QOVT*S!`F%(di(nBoI(I)@D_N%Odr1EajTw6 z*HNm1n!#v62Et+;TYWh_?mJ$$|5CtYv?PJkZ1*RE0-4vIV`F36@W4gzSWJH1YrhPt zp=uJP>kRhj$|{XdrjkC|!_Zpqxa?PcYGXUt7SuI-OFHTqw&`h+BKB1e1?H$J{pqlt zZPtgLlXIrkyr$Ck$&=vQi^OxQ4OF78V#QWk4 zsFLHTWn+tja$xPg)Nf-Y3Oo~yx1Vqk$_HZ1l@fmWjkLN|XN^<&q>C%xQRTnhV&>7~ znr$tD%AY7OqLfLJZxPv{fBL_@0E?Opf#@bZGxc6qJu;AKG%}Cn4S_2acpHwl2w$M) z8q1Phg?;(0*SAQ1|K)D$&gm2yeppiZOR!+bL0^`7jo(aFNPEBMD0k5m6i7=bP2v_D zd(^#)rP1Hve>?J%E6!9$d(gxaD!np_h6^RCEM+ucxFdUa72e2H=+jt9dsD^EM^dq$ zOEZ@-?}5+}HENPuRyI;-tDG!D4OBNk^#dV?w=*2~sz z2L8ll8@tQ5n8$^2^Y>t~mt77&g>5)EErurfa+Y~dC81C3`CsvUhTiR|+eoAHW@b?1=Gcf_(e_cP_1ht`|LrD{cqznn|Nc68=81AEI?eF$`1umS( z^>Yi@9y2IKxkpUz4zA}{R&)Lz7+w+cJRdCQ+vzz%6}LU8DQ69^C4BY|3J6q7RZ=Vv zI>9c3=dcZCoY7pnjwv;vad*_+%rfU27rw@bn=W8yrTbynAeQDdSF`b7_;ZWNEuQY$ zxca2tisW&7o#;ioO=&d z+;JMVYPzo_&jdzh4xejWJB15^W&TPlnw{m{js%jWSip zD>H0uSAciJ#^*ZZ?TEJnChJ$-?Ko}JELyX7A7f9i)dudSDUZ?xqT~`X^#vzrh4n~5 zdl)b&!=2nx!2wpR6-_o#>}7x1y33hNEGdg^$sqf#+wr_yl$bX}r78X|$L3lSBK$Y< z`}I?bjt6YK-GU_C27Tpf-9Fi(5Wn0=(VL&|IKCyiEX!WlkWRIkNUNmI>9{9qHK#t8 z&(PCO&as=sM=>#k|NYwWYWSmy7QYXVb%R$=($UxCvwm@d0BnT|@jf$qB4LTh?OOqc zE@e=3O5z`T3VF)WYcljS(Pct!hdL4EKPYqi30JQH=D&Gj1nrpV2v>Z$#;*o0svT zu1(e<3&xdN(DSNp`Ug{|_=_SaEpaq!nTn>B=qLlOeEQT+JvlZTP&XIl_iV9gpHI zk}#4&oLH=a?ye4{0r`o8gCn#uDuwV3P^P#nIw%}0b!cd4i67oPk+zERPy0&AL!)DV 
zIXN|<=SSJRBIH*nBo#S3A#q}Zh={7;P`YrO?e*gQMFa>Pu*TF@fU5JkRy{C_V70qQ?2{77=RrY@+<@Hf(T;%S(Yf3(C1(o7OQ+2>S^Bd)_l&=6XOi` zM~6nG(Bpe!nAq19iHt%*kVS=IcH>30$M}kH+;EAM03cFzxu&203}{=;G-I1nCR(a+gk(W&$RH}j>eFH z>-rY(4WQx$9Dk

~q1w=6vU*O(PZ|A%n0U;N@-#K#d3d_^;+$rEjRmN1>86X#+7j zBfwX8Ca za{~09@OE`=sjh>e90&wLKwxt#d^?nZ-!&(SN9HGuK(5I;zEDv+m(5FrX3PGgHXs@F z^#sbZ11=aV(Q26*Y&`P7rg-3zNoF%1Lg%^xCWfBAK7+=^_UKIQ%QGiK+!uU@4BDeb z&JF%N|H)7Zm44F%U;z*Sz>_d?U>$jg{%vl$^S?A&(=$4+J+W?&epJl_t182Sc86k)7S0sb8LTY#BoGF;jvQdVoR%I(1$w zBb=NnaNrIdAY}bLyds5QG*<*G)lmujTe_F{tcRdaP*iLyE|Fj0g!-(W(m%u!{lYc{FtWV{}0pPVCMnJe{hyq2+(Oa9cB;I#Wi{ z1v}Pq8=nS)YxM4(?|hErcje<}BOQ;0-R;May{cL>ep-G!z4t6UDJ^Ai-_Ev@TX|$u zlCge4kd|&+G2r?w2NFZRjEA-B+;5snLn*$DRJNN*MByD#U;7GvSac*_`E66v)qB88 zXX=bR6=;4YZHngd^^92~VB)}yd+s@Q_Xr6%+Bn)^F{cPcRuZw!%lYRhq-|(?JgCsJ z{G&%!>~4Zp95V%DeLc7m2sU8% zqkr9;ahfZ_2*ETN`V||I7LV${LD;SZ~#y-wO03^?JYJ|o$iLd%AZ%gE(a9RXIE|4 zMa1k$jU*ijQ6E4Ptye(EvF<=EDcU>k`c|(h&4!^?{BvMa4#F zGY&;J$Z}25`tE-sHYaN{`9nuNHhIDJ4W%HFvk5Utn|zZZe+#R+3ZA-Y6W{(HT)_dcv5W|XBOuy?Z5mCTlePfl+S zUvk%^rpAngyGQ+|Xiu|X#p>UpJZbBR<*`t2x~ovHSdUhw&%sM~> za`p>PGDCGsR#>mn6)gD<=_&j;tJgvJAJ*tU6X4CeX0h#R`GYN zWt7ecjslM%iY;i(SST`{qKQ#~hVW-ybc;l*`<1G#1NAL_nWk7EzV zb3l4~HdpP$$AWJjAUZiIlDj|B2?H~!@Uc5tGUn1*rHNCMBRgB%3>tw|e#7^mwY z3vq|cCAG`+wVMmH3I+2QuE2Mo3XqZIeRg2H`f?`tsr{hm#k+o zd<WMBP29EjcQpyZjCUryo1lhqVuH zXKr3ESUz=IeypP?$xSVP&TQvL4{aHH=6QM;v*UMT2vI9Q-HM@G&~MSxSU_4%av~M} zd+-;NuMxVnv8To{Tefj2Yr$rqPAq$R>hzc5TP1d!HWoMq{jK|Z7!zm-39(H#K^H_g zlaBL8pRJSol=1EJCnMAMhu!1JkH%=ajCOAz>_lIQ1+^vB(eL1&`bM}{^k&br@qJ#c z78lu|b8k}dXKOQPUg8gO8uC?dg*2DZqUL$KQR+7!HP~Dher;?}zvRGu^Je~q?q-r5 zB@4mC$Cpx8#s-+DW5@vp4n?6`D!^l}xbSbQD@)^w4?i)#OBu!6*AvCh2y)@Hg(r(z zLXYM&Yo=N~qgY2KORH!%Z}naWPA-!4>^-30u9Wp2mQc0+dUIRs_SImt^`MI2hy#&i}>OTSiqGb#0>{0xBgUU5ZkYlF}lj z5?iFZLAtvI>6C71>F(Gd-AMPQ8#Y~=_!d6Td%p9Iaef?sI0o#^y4Ss8<~6U0&2{=N z{21+QExL8yx+Jl0mvZ8-;l%*|$*?pg22M*$%M9~R?Aa$%{8s#qnr5_PHUWrza`DLp zhwq9T$4hsHWlj>VewqpWO_Rwo8@!!_Bri1rw%5Ay8*vhvT#@w9P)qBFwY#Tu>~Idh z)LT4;&gj-|_S0P@^ZaZzcPMq+H)<3x=j90teP~D8Uz*-zyixMRk7^)I1KK%x(q6J2t1|N_e=q!ZI?0WjyAr(jjP?0o&iqj;9uC z0#)=ZlmzylkFwf*rXKnEJyr#AjvlPW=_!vC6)R<1zgjw0Xb8Z{0F@L=B1Y2Q`niLW zN#Ye5ahEmcl3yLX4fD$rb({EDW(^>q<;I?#x-7-}ThC`!h8qsta5k|ZctsS7=8Gdc 
z+$iBm;wk=<@^kLz^ML0{Vn{=F^JgXt2S@a$D4I(G>4^tFM!sOHztI#;i~_FJ)5wTC zzX+O*x{cux9-DUgk0RJ=^77Fv-wX^50r2>@c%%@3zO*a7xm7;13k(PdptJjw8518L z0K#3`N2@(1PcP-L6~JiVU%I4f7BDAak8KTe{DMBV`7+=4Q2D_eY4Z2)UlKz)X>L2` ziDTz&nA1{M3Km=3EF+Wl_8z@kY5iB6-~So9Esv)k)GGBwzB4?o>nDGw30do~kHf>w$Yz0P;Lv!rC4cNGf+q$5DIA})N21Fqe`I+X7Ic|%Nv;84?w~ECkRBz zr(1`|ut_~t`ugaS(eQc~OC$Y+!~+|J4?!u*X*gPym}c0&+67aOmuKpA+vaK8GDhf` z=5+Z;FuV-9f786jt3x2*t_x7tNC1X|kjW4Wli9SXu)W08bf$}BU~cq_CNx@{TRWs- zaNsdII%=AHM(D_dBXg4o>yu)Yq>n#)SW;A|e>~Pel(wcH?n=&1`FS<%az`cAp7zt7 zP3b6U#2jh-O?&8ETmwOPT~Y>R`Nf8>Y2D_?Yl;-XxaFf$w_7t__TKY|JLP8(&nDCw zQ`|cWPr~URuB-ygimUuRSQ{y=#GZk)hk=eNwb{=ON7c_U>)sWKd{@FSAx=)9>%Mw z@YHxw?|gpr{Aut` z3R~X!o9h6QsFrW8rdCBp)4J#k-1~-;*ORpyf&3pj=Q>lkJD%}7K64bjMrJs#pRS*2 zT^`b0&f6;3vbnWShFL!@;pdM@bI6wjZFsZlMwYurwC{nVKucTx)wi@4i9|UZ+$f(m z1HF66d2M2tUhedG9;=#*CbmY&lJ@Ak+@|j3_rX_Ptnc`dD!P4UE452g(gbh4 zie6DJS3S<$(tlfbF{WJ%J(V`RWsAl2^Ul8cM&YqX*?#({wW(iZAr!u-eCjwz_WT#^ zkAQ%W>{+SI#;lx#(u0G8G%PHTP%8Aby|sMEV*a*wVjDX2bh%!QWn=XVN{C{mF=ar* zH-?5eXxV1pfNv;I_@)Cv%jemJzb8A-Xa>=`GLU^f!`&P|76B$1SpMgYil1F z839q&ubJI1MU>n(Y!#v#rp&iK&VCWXY$=@TTxVLOFKLl}T8&NM0B1A^SHT}q7i#XW z?Mr>>ne=!9>AQJpO@_%?v~j&PiefNo$ONV!OKRz#bEng3vm=35wN9c+Z+abs3&JX~ ziU$=8W~VAgv0NGQFdtF1AAH#=P7Pf<{PI}&hHr$rH*J{`L%Cw|;hdSqwZQS5JCVL+ z__)dYY(zMZI=(9%`^#Z11spL^(L@F;mT0s%;DLPj@Svlk1E_?8jC8W$rI;Y@M|+N3 z)+zgjy(q@dLwUW~x@a5EZ?HFYw3Qp!cQe>8CRf6(jJBwgCt2cS*adZz&XXSFAcwHJ zoZzh1Bv>AaPjRaAKH#Uo@at%4dEwOZjXBgMn6Q~Cr*FK5tuRVR*r?OGw_uCkMGKV> z`>`RYEV|f@`~1DZtIAx-#j$wt#!++SX3;tXt6+PJjnOsbRD7Aj3M);Odm-N_> zrNwi%B6+^8SF!DhMRfOPN#}?7(pqn1bgUe?3)TnM{q4<(JdQ>9?M7MuptSriQ{>F-*CL^iOv3?7^6=*} z$wcVfocag!-@Qc~0>#vSK`m6l%hdp)9Ags_Z!&xUlm!Yv4+KWKyMJ#qk{iwa_RjG8Z}$wiqM@2Q z_2wwdtI2r#OTG^7#`sf-pB+)DT^&jd5nqoy()x>oAa(ge{4=PI>*GHJ+-fi?G1oi2 z;VYI{x-%I&Rtg?vu(x9;*Eob_dho8Q;+41ayLod16C=8@X7O#|qUwoY+6&n`)YEZsw!Qop;H zXG(S#sdLk%ETxM6RcT$6HRc?50+e^6GtqC!gfUcBTd%u-R|#*jwP z+zu~hd2|XFBUIx+X&Xup-otb-zq7l;dmo%)ihxT0(qhPAs>fAYBSeskxQC4n>C!T8 
zlF48-M99)=3_adMI~qJ11@oTv_ap3mdmrckjl!7Yf}^9K55P^*!;I>ja3l3v^(=G| z3pn(1M*@n$lzR`*ClS>f=gmpwP0S0|2Cq#ewX*(HL|0|A9IdmwqMvUFK8DoyInI~S z3Vak>qsYN;FLUd96|LaW)_HVSs(nl@r8W|0FiW{`w>q@hKkhE{g5$SfOQo$+u3<8+PRVhLfsSKX69zgn^k$;sdY@ zKmdRmK7i>3_W)27E40x8`kmQ-)74 z`bq}x+n35%47n1TeY6aBw%vN~)cw+b{1V&FSo&czH^%rX?dQ)7G-I7~$ruc=th(8i zREec94g$h~bR+*}<&Z)D#(~aq=lGmYT@k7F=(!Q8@$qJiNkg4Sm*97`MIP{616N5W z^VXPtl}j$4hSY)S`P<3GuDQ2a7_+@x+pUD)CUj=3Uo(R`y?b{f8};8}89%uBei%<7 zRdF3L$yAgq{dZ6SGlZ;8>th8`3Nev0wiut{QvUV#k>2S-Slv&#SA(6f5l5(b3PG%J zT6Oqs*`5F&eNpnjmj0M z`Rex4u4XSA|t!&HO28;Z}3bsZfwDKd-TW0ayetc_MOo7 z9kv@~!Cfy)hY&08w&7K^>vcf*UvT62FAQ&IY|)gGj~?}LU3WK1*MRkzKCc?7b?C~{ z*P-$BbikMtxI-#S31`G}neZHJ?}|O1^jv7&G7k}If@GtP*1`v>UkkZE79c%jto0Mv z*X!bg_HEhyOinJm)EJ0gw+;Mgt5osmN0;5oOhvHR&T)Lzx*v+>kg4l5O-?_Cp8Irx zlv=63t;<4dtz7EsZaB}Gd~Ah9SIM=}5{#bNb-*zxqulclj@s~U!?z(IxZY>c3q8*Y zt|Ql@DyVYxpwE%trp4VI#^Yy-(!7z;+!M{b&`UCDi$2HwTjOJ!EBWY2X|4@-lDcVv z%7to?*e|iHGCyWpbPO9Mz9g!v^`zJ{V=iRP* z0o*#Mo04Sw;KL9Xx|W;D_m1VIxNyS?Gsm0!Lnp4AKN}T>2gl+Ng^Ndf9S62(Bhz;u zU0kKq3p{l@`zbF63?85%>*U%D9;8l%2o4!(=ERZB_3b0&X!Mc~4d~lXBYzK6X`NWp zIy_?-I+(&^`FT42jBA$*nY#c6O(IQ;@0e+#G2F6QXgXJ=NT@;%H)4PZIMRkoyC;Qo zS#IP97q6u%86LaZzdMzuJfBQ*D0A8_dM$YJJns`ByUAFn6cb&CTv^PTR?`5(5Pv5g zi{at;Pb??fB9-dI5;n@E_1cO+=#plRTWQ1qzF~?^f$nIyR1<d?AuZSI!OG}aCxd;NN87!| zZ&4ms+G$T2D6w+zBiZhJUMFDG(fIUKIF-8bbYGpz70H&n&xWmgdf1Q4yTk2PpUTtI z7}?uM^S#uju4eOw^U=J6t_(aZP3yVdGjTmjtm4x?s?hu_1NO9^;-MT-)zdJUfE&o-(XJ+tXtAXIn4u#qw&wx zgq~ev=oahsh;kK8li^}lNUtr$TG`#;QUxKU?h($*<|))XF=?6g|e7=-5xMrZ6b){|oo)Dea`K~<~#seho8IE(cSowjxE zDAPD|9g;B1u9Y{sDyOH+?749I(8Ro@N zoC&MtHJs75w?B4-aF#}L(>C_w9~ClO$0PP;3l}JQP;>2CkHn0`!-%Dvygo&Cg&M!r zMnK%ITNT9xPe|~@9slTR_UE-u+U_K=tMC>QqIqD}UK-HcXmOAis%(~AEifBqpyzorhrATx6b>P2q^njPr)YsBWl~x zy7L>GPQgpA^E6T!FC#+99M}*!i$GgfZj`GRLAVOut~MuJ8Tq3k1?eIVGQCH!}e%y5@KMpB~M zur*NN_d(Pb7T=>249SDvK8raV$_6kS_A1(PtA(o)- zOiAk6t!d0>c;DdYMCO}B`{AxT%xB~}o0m66&C|;|a)UnYX`IpNB9M*bBu!n-EzQ^= zwN4s#U(L3m94(}$bK&f0zPO75@9?g9t8+uEwwFvN&pFUYeiSNeg*9|qs}*YRO(j$# 
zqb)9-r$KdsjqrGII&CM0(=i2Z$ShopDY9MT*e$2Auhh?o&O_){qJT8)WMEm(F@okc zDlnKpaM-QQuTrEZqBe<%<;VFa22ZvrywPW7gG>!9?CyZyykOw*$a)Q#F((M z9}9fwR9$|7aIQtD4}IDza??9pbWl1KCpM&ZJ+Cc$h_+l~iS*b+j4zl{_^`%y;5{im zzJ*i^M^WXDP%`U~i{TAJlvoP-+W^b>lOdeV<9__)=SVq^W0GphN3qBYX|i_|%V)?t zy{d1&YztVRwCT34IIIkW3m47k9AZ%2o|zJTEBN)tT(K&qiu}f3fo$k=?`6T5`nn^SZ_L=k7^;5LK-o=}h5o40Wt z6UHE<@6e;o%&*4+7qp=bH*6em9nC$Mp>5do`0(zf7w&}5tvB@T@c?&xl^dZ2zY`-G zK^xMmc;rkLYLgX5H-scDbDbSg%5{US;T(OmzEH3GmYnm-nndm1nG)UahbRo@4QDyF z9XO50Gl=U-4;+ecbk@?!P@3D3V#Y)_zM9(=Yl`|kLyGIEw6e*RfyW*Mj83leNWE5j zN7|L<3go-D+5$SSCquT{6DilrGdLp7mLh$p-%Qnyr&-K@nC3^|rw&=Rt>N&ut#;vU zH7)W`xL0^R8*S%Eck9HPL!8JjI34O(crG&a>RRebMGNJe*D?_>68v&`N2Sc8v&tE= zRq02$Ui^!rRA4DmXX;IL`8bqxex@p0q}Kn(G_e%oz}C<+p^Xqj-S-@`M7FFf$g?C; z-QJJ~E)?JG8yIc_S$5L2!CvePMjxH|I*vwBp_5PIvf)^#&J5g9v_=fA0``uM)46_a!%CdF1r+c=G{_B>;ua&IoqTSu&4<=aYO1z-904UWoO zo{&Zmbfck4IN4^&eD1u)mgnWv_cBL3$%62PmFhH=(S4Q>^5-&M$OLMTK_Z@bF1}dy z^NN}TE&=qePNaG)iq7E$9lJeq+HdxPl(&`y!H$(in=w6et^-?$xU`z;9LE!+4>gR2 zG7BubWm?_yd3d#@5IO=q7}tgE0~D0Nu&{L>96{}!i6XQ4`WR4v-ei*W`#xI4YeqF< zv$nqejJG8nWPZA;UMGTTElyuD+%^vBic7Mv`&`vz8Z0@`m}BwmcK4<>j(snP^g_EI zdbxRbrFSFeXsk;l9_1v@&dv@X0}o#Sppd1L^jO485wQQmWCD={%%Dm?z*maXmxHH6 zB@jT>e}h<>a^mC?ht+#t0`DEG{jP6f8=AC#p{BD!OI@g%y8X$pu1F|1&>FD zKLGmz_^C8U-|Y2v*+-qXuZx-Xy^}bMpK&Eg1LOTS2xK8?If0BP_}VjLeb9^mgmlmk zieS{z{xvq~j!UNCqx1PzU6(QN9a!v

36-l ze5r4mqFG-3+^)!^j3Udmx8)O$-2O4VN@fuIYyLx$2phj}E|3P)WO;AFWWa1{e-saE zVhR~)kAGjJ4!XMWn+rLApHx)*+I+>_S#wLs zqB)&-rjZ|q%&az`beAGNK?^I-TX`z3!5Zd!A-A=vZ6=y52DLh!bB#Y~QRB+w4bPdgQLXxzoUs=DXCaLSQ!!Ik;Mz$qzcx5=pIj0+* z(*}oI-CgwbW9)ZrxnEywB{;^%+M_}s2`wso6XoA}xC^!B)858uc-@8Hz2v0Fko=tz zUzYhuD_(5oSYQh=M>NM19(4rAYFGCpjB`nLi#$bgtfM*pYKBB=1kqcswY`8M3&$rx zb*`WrE1&9pg77VmKYpD*zljU$SQWf=Ox2+1psu-237hp;_HmqCv36yZZW)d`(FX20 zIG_N<3Qj8^ix}x~f3-rc`5OdZ9v`Gkn!FlmB4dh|t|SQQOks zmzuaj6dO6yn7Iv(!jlkqX0<#u5ggjKrblz-=t7hRzzfEy122ZIy0fy z6XSqKNGRyoV+gxU!`n!Ses@nJ-NbRB1R9#uZ8%Mi%4r2UPR>^AN|Tujt28$S49-6; z)L?ou(C(A_23G;*za^>Vr-KAcldm@hr|v3Dij00*r;Y`1*KwtBd#tt=Rz?M$K~~n2 z!0O7eVTDtw3SCa5itQifyXP*Ce!&dFts$RiMk%2wO1j1W)Agy077RHfRbU3WoE290jZIJ*`~jJ+9O-PRYZ?SA9m#A*VbGQR&(@TD-7 zt=G|F`CM92W}Em^1hRIvZON@@Ei7{izhj#4eC4!%C|-y;KntezVfKPP+3+$Z7sm;P zp-j>g$TUH>JMU8f!(_ZbSN=67YR|Dv3wrVZ^Z<=aasarnfMDI%_aUd$tMm^fApP+v z^rP;dE0`U~0yE^U*7$O9Y#@~{U|6=#A9{?u)y z+C<`^2Wwc0oGfZ?lkBAz7HX%SsLaM?>3!{X4af`x7}{7brqEm&<`Azd?E9Ur1)Irk z-@rYl!_0R)3>-S$rFyzo3OAU4Ne=vc;pg44+`3ncZROqSi}t=?le88wXAzGd=A1y}P4QK-`E4zabq*E)f59gjPh74vJOAOcoSZos6H4V@Usx%^N~-gK}xU zp49l(l!vdWr|p}xzZDKf1$+G2(nkL+n?DOd?ISp`rm3LP_|C|8R7)HZqH1Avr)5gla|0h7FjO#AGJgfnK*aT!phh#u*k}Nz90q&v!Tn3NaH~# zY2(H4!_?FYbbfGW24^Uti@El$V>=2sAko$QD+a_~e?*ZYTjGX-%q6EE$clyPHhZm* z-Ws*)mT8wMmnq`hRH$AbR9viBo^}l_L%cX6kf84$6be7QK*il86#b=T6$SYaj;YxU#-}7`rSg^6?dN~-K&MFpIhkWjfRhQrGBc3 z_}|&h+`rVrNUyv~|Gz*=nhGY(6Euz$9z7&8HwKJ8e^6LMka%$d4B8)4OfV<6`H#XD zo2D7)EIrwbk~t#+T2kH-##tXt$tI6=wv^Yzf7eobOJ(s0*Bi}aUz$;My^GjWASwzW z!T!Py1C*W}_EGQ=E~NDOVj!NHAcws8(}qIFh`D~$V7cC3DgtxV-w8|Ruf*|ydi31g zp7Zqa-vp4);Ld(}6-cVDBfQRVJ*M-}=?Z$-Xw~{Rm3)tC)xzdd!!qRpl%(-<*I=Cv z6Xkr*TRpn;j<1>M{lBr*5~0+gTM9afhM9Y!ZwKnv9XR{_+*f{vw+WBC!)W${o*ZEO zPMoFj+!hrA6hU6rE1j1U$3OL00I4UiXn{ir>OthelRwVqN-Vq;Ff5WJtL^_)2J0Y5rDF?|TjbqzCsn?|uO<0lXUFj`8qCM1hCxdy@rDpwpi^FfeB1a8 z$1p_=E&G#S#zg5Lt3##+$c+H;A2MM2-RHZE)9X`X27sqkh-ewgE##$SVt+;5TO5|> z#sLRwcDx|BI{c@ns}-2TNPvc^nM4E_8mf$^cAqL@BO|>*O<`?q{E8-f&X1A%%x;&s 
ziwiHvUYR_)H&*o+08k6~wMZaE3D^_9W|F-Egp$MmzW4z^p8**bsHFfl;q!XYuqMFk zqqWuuvM8n=lW&1W&k%o#%Yz1X2aE@dP*936_ToOP+a;l^3tEqAe*PRpAR`ETwO0i; z=>gq;K`W6>H4yStO4^~8_!q@ZWyX!n#IOBN@da2jU||0e|7W6;0Y)CT zHdc{fZaCHH1{CLSf_P_6X}(nm?jQP$ebcD~#`i<$yp`I3AA5lFz` z+c3Y6cp-cL)+C^$Lq8)k)4EO_Fk}B#%JCjIgGg@^;2KZ00N(Q8c?()l>;^BpfA7#) zkj(~$c*~ZZ$v1HnITjENdk_cg^1!DgB)#A>ulyfTz>68DlSmI06I~s;heRztyLTw+ z!E8TDOQQnfSUmqWpudq8P=CLoq8cNjqVi<30xJU2^N0so8*;OhHUH9 zkwELld@%R0FFHEuC7;v56Tv%1#r-QfQPK%T%UFCvHDcw>z|1V;EeX&4h!j99B$}W_3V|=MS}%(tEx7D3fp;0B^Ed8}c!>n)WF*oCg964x0H+st zU0@0VUm%{t_~-2nuCe&oD0O*w;tx*nd=BUi7Kaxbr_D4R9|&LJS){q6VfjHm!NuBW>j>5C2)2rsjOV_enSy0N;t>GS4( z31S)Eya@s?iUf>=dp=x}wWk0;fed!|i(Wv$?(uCraOc1+K>{VoUwNFspWu4W{NMye zuUqgc=AbZoA8Z zg%jO=1zr}MbtD={>h8`saAtvWo3^CW0bmjWUIJXqQ4VQNpYA2#g1=^GAFZhlx)r`@ z`zLkSjlu-S@goUZfoM)m4IABh_~PwbSyPL^`-3O~%3WyyIW3?x1tUG^6ihb-RB0xd zxW*HpI_sX#Hq?cP+alQyH|XEj-_X9Z%5nJkD!S%O*mym(RW@8MD!1)`|ah41^5xLy^GrgB{Y0| zq+kYaZjB`3qFD()ia`Aaka@@ffq^eyz7(cpy`O7$*)!n20wIG(E2F>M9thAj_!CcY zjnTkFL6$MMwswlJ8XUD#3YLFjP6W`Xft)-5@__RT_SU4jO&aVSU|lRY&dLPTd&7Ua zsYXC+@@T*^DFTQkSy8y!H-~bPlXXpSjP%soY`T*Z^#wQrphf3z8 zvkJNp5;*V>bW|b;E!)s565r30frT&DB~zQKLG_HMZ7|M0*CrqqsO4pt>P! 
z+&&I(Y+L%q7R=~6nQ|{&L3jkr&;`Z?SQog@nE)>dgb3I8Igs4o460kTqBe_#%E`%r zIlbiJQ2|2YUhvr-9LY2a62Yz7f#9RDb^|Bo9wl^t6eT5RSwtUzb2)b94tNd0a-C?L zVNc`Y@=$1Yde^9q|nI--Q zaKhEq$-rvJS!4dY(k7tK3|LYffE5M+IZCjyatKjQa8E!!2~5X5?J4c+*JJfEfLr!H zanWK>F%7m>DbQd*<9!1X62<3FqQdgHJUM{7?!G7u9Gl$H$MWvOoECHMboKPcGymb1 zq*Z{s1@`Ou`Wi)%gFl%^HWc7CF#MfdPfRG301_1bkd}(-J5X<1QTn(%_jQP1w1V-` z;?pY8Rj0R7qa5RyR1y*c2SELu7kqoC-~IGg{`(&_AI0SOnn8R_YaG0qU*8%KmVda% zN{d$raCuaP8SeMb?Ph5L1%a_P;ePY1M0JV_=GQpvk-xYyq0W=uRn)a5mAz;d=|1Oekz~%z_S+xh^ zC9vvzsNfUK9nD+fry6+yb^_>vW@lASe^va;m~4JW&BdmSP%e>vY_XmEW=}a8-qW}0q|-hS~SR?7#gm7K+n&vr_8E( z3yiiNeh^j72R9AK19uVhCP3j>vY{^g?-Hy=kYW3i2#fmWFEIMIE$#fx=P_diTS8cV ze-@NM{+OBy0Z3MlPfY+-$+AtI+wrqsX9prI1D?+!*9S?<$*?7g78v2KzkrFh^(#HV004Q01 zp=1mED4F#yYi*-!a;EF-|J8Ncj7zH~Jftoxe|+ zehuA#Mm#x?G(i_!$*8Yj$xLe(TV2W6_lFst-EKxuOQ9irZ{KN+c2K!=80OJIz2gLbO z9piriVs0S*KvS|7O-4(cSeLSUtUUP3ENsrcYFB@Z2}XydwY}D_EV1`-QJ_%CyzZYu zXbSUEu%(Cvi^ahq-=zHCA-_h|ocA`+D9XzI^=LyeMY|tz-ePj*|M^_0_6;+$pf)@v z&arg~SgBwd9HL+TyNXC!kQhfNZENd8;kKBX$u|Iqhzy{>;M9qVHg0d1g$IdbT6QRTVclOTCiR3_JY&3aLkqZ-&RwNEc?WqyAC)jp_5>5Dpb^b7Et=n z97jY!K?Wc}mjp%9B$>#wV-4D+HF3S9#n>Hce)F?(*;ds5`J%KkkUT&@HGheSjm;6~ z@vZ+5U9*ud*rf18@g9#rO*QiU!My~rERGRD*Hh9$dDed@>bFT#u)NdP)z z4G=PdmVUrNSNfH2^o#dP{MW-L|6q_kE!xYz@8h-iimZJ5Sunboo+!cF|iX zq|USx4Tv7<5~V9|hCr!(pFkqNE0KFM0ESgURdA?HP%{&cf0-?gDphV!Km_x05FtAK@}6 zmrFJ3hDCWAOZz!;v45L1p2P0W9;cPm4HJd{9GLFv6Q;nMcKVZ{fZjYXh zoBbUBJ&TFj)Pkx|;U&Uy06b-I5OnamDQxgB0*KZHIwEg$(iES;rLj^BV*8QPU9xzPZVzPIpHv%7kFH6RuGZ3&osOAiV=18WBq{HsE% z_>z5poGli1OLVI_;v=;+%y$P#W4tR{p|2`-^?*0f&+aS_Xo)YsEcm;2bA3kr^M7R{~R2>CpOU^Dle?D}G%FGg87uX?I5%_I1 z>dW0J zOZW*KA;S9_47^OB#>C$Y^F}xC6{mY%u&x)S)WKk{?xCmsw*nFiJQ|v?=K=%6`x~~Z z8?>8de34bN7y#La6~Ejdqujkk%>G zr}_B9nHu2SCjLw{Hn(*I?k}&=%Ne zvm3+`uda9?L1sK<4_Vu%~0x2voLmGNg8yQQ?uT{iyLNm z&-8{$0$`hiIM~GalpA^ zOtQBtQjst}lo8=JLlqMdaY=BZkssy;q^DU(z%vGj{uaXu$%6uKzVfwkU{ZC}|9yWSOZgY1Hseo5c*f?r`8iL)lZ;b0+RgC;0 zGJ_#-;kU`+v}%OKyT=R2-($0{`czjoZnP#E-UzN0;NPtkC?wb~s2Q)B1vwP!YOj7| 
z6ju&Ku$KM5QMP|-aE`ee!^U+Dta8=1W}V*^)ZF${oPXbTKlCVr1Yi_mtC^P(rK4*+ zE_B>M-ukZ z{aS4VVSo1#hhnHKJSfP|7wVjrYk&zGdW+qK&)ukO)H#^A`ezvGdl31g=t$|WGBz8nZ=r4 zL^>x~jE|=K4G(_-3gYAE&wwj?*^V~>Xg=Nxsv$GqmZM?g4ZZE;L$=K$zFNJx7re>>wTf=N7~znmOas?PeD;`= z3yJO2?lp(|0$aQFx5Pg)X0?&_u_~Oeyj3vWPUt)REK3khn5=z@>E=zV-^!(!!JuJF<@H2p7Y)jHHVO*HNAJ*4D4rg3%%p<-+F8nv4~Gd=s#dsps@5M5&e9h z&EapDqA=pNz`Rx0s|%%eG6HeY)>w0?UtGJUdlfUZo-n(wYvPSD+LT~POKUUlUUD?v zyZ79aI|kjNISf%AC%3)OyX_o&d9}haZ2^r)D&|WQ+zY)CyqKkL6rCgmDniZK|iiatOc7zP+C&hNSsw~Br%UTqlgyoP^(0TS?27aRB1go%o35XT~_oEWY zrb2JoT4}NDV##Q_CfAU5_6;U)wegQ7W&LLUsgBD${`Cc5On07Ar$|{O!se)6(b* z8+Qr=PUS%Q(6cQZkKB-r1W(Q2`SO4xV%Sf<-M5;EF1kPb7_93cTi!Qevo;ZaslD@& z!o~bSCZ7r`i(t&+j^)|_i^ES`N*{yeF1HGc=W&%9ExDA1OYMD>>#O*dHhbRth|0K4 zs5?gLBHfICO80Pu_*1+F-)uV?ZJ1Aa^~V1~lIkRBArV03YWJpT>zI50WCX!$Z<0Em zhc9&VL7E_!Q?$;ATieGt2c@PxcKgs3>eR~%4mLcOo!6iLxkIWCP>a{QTUffq8HTt% z_YSD)6z)zwAj4l$pDH4c^*U2On-YlDm)SU+)k;rROn$e{HR7kHf;i?jJ2a!(Xmzro zD6HEyUpl=Q$8mX1rDY{^#QEY@dIow|scz0zQvOZd=r$ziJ@^8F;f%O*VwIkzaD#&1Fm>E{ZA&?3C2N7PM>-UeiL@}*}N8&{rWH= zw`~D&iyS+zkf_nuJ+uL>m=GMQn6RCg*>Rgh@DI&qyVHN7W@%iD54QcL@zn%IABrXR z)ikQpA-i&ao_&5h81P;gnEY1axQt%6o&2~?U%I@*A=74g)m`q6 z)&Y6Kr0R7Ce5iMPocne5+16aMeNaa1SxQ6J*`JI?!8^dUT4kb{;@~2FcbH}DwAs^m z)#EYU>+$lv9dgTh-kdFB_wRNPKfjT1n8|*WA5~saO5Ci6jfm#-`sVI@P4f14HQPaB zM_s=Rxr%B8~>NO53`Pnv~ z&1bUY@|cSxAl*~Qp~l8}X1r0VGPxRO(ou^K7Lc`wkq&TjHX9wo-sSLA3<m_2i{wyCwcw#d-YOHCaQ+ek%$EpfBm86y$X~4pd+|FXXaGo9= z8yxyp+7y>RbGDCLRRYT|D4`n?Rwg|YA7Its8mjn z)oMrHgO7oIUn>F|5!RRWDQzHv0*n4@)|_#Hoyw6D0TxkOp#LePVPv*{zJ$K%>J+l$ z%x*h6wBM~K$!9bKaih--o9COqYrp-IVLrrhUesp^ucK$5*iV#g;MQLl6+3(P?PIlt z+CV-kWVNnShsQ2$eYbSz0CTsL12Rz0G%4NmX4DY+({BNVU4O`9OCF9UvPkY$G-<-A zbWp0ob9=E;u_h~2`qa#UK+`t4VBQ%rW>WPWeiZ!smO$^;eWN)0ET=-lvo$LZAHH~u zWU1@=66rb$q1G;YNYN~PF`s}SM~hy3AWDdYDpF%tKFiu5 z`yD6DRa<2tbSKEPfMRG3Po^jIm`hph{u^+Ss_cZDOm^F)rjo40*J6m1n}aTPv)O9T zc_*f0_8U{94ZmDP%aH1;98CV*;oXIS9dBgtutrJ+t$}1dc=ySj^Q-!qY7Q> zbi4O>rq|io>T1t<@iHdQU_~;)an=)NHhba!*JRuzf8px!i+UvO_ 
zLPfdNfMnhAwWYyTqJ4t%+2Q3?iI$|nTIS`_1>doDXn zZ`h7r4LINARM^be+m;tAO7;aq`=?i+iKGOaMkf+it3UE`SKB2G4OCQfCpFvHekssv z_>rZ)I@^u(n_2EpIdw`^E~P3`Q#x)RpER1tF!`xEA;`ldmvh5R&Rg00hi|CQIt@yP zQ!_*Bk7*j$#e8ei%vbUAw(V?i!rtDP!d_nd%rdRejUFP%#b>LflC*Z`uF~wbFJR2K z-7a;#3(XoRyz6dfx9FccjbTjX<_n*9kZpDtZ#>~Y*d&`e4OF-3TywTckkD;GKvJlY zygW-+Rc}O#dEoxe9>eYGcKf;Iaw|tCu4{wIxBbD+O*7mqH_Pak(*BV32H5QfG{^ik zJoJ$MmGN~Bg0*PJIe`JJ?7}HieLqW>V27VceoU77SnlMo2;1)Wp1MnJ44alN-t{G| zh4{-^cYdRjgcOXhI(G9eHvyP{vvM_~P*T0h`Fg!`iBW-wU_@$m!~fZ(+8--;-dvn; z>-5!-tfeBAw*2>MlEwJvPdUBM!sxEoR+(+lvt^18P2E|0&QUT-M6*h)8l=f9u5*#AdGSx&ghQL&d7 zc7|%{>!15{>T~6ncdnUIrb^9LQzuQiyz%~mH+R;4J!Txe_13Y?;rTK!_A_TT>z_Zh<>l#3w`V-e{Qu$0o#?*>egE%l$hjGy;<~#ePb>ZCqNS04 zk5%N);aD9S>>G4$lTOXLN$>vtUQ(>-*|p_v+VM9r|EuC^N?p5xYQ5h6O8p&|8?2&P z`evTp)2)%)vSMvsgR=dHd0CO0jk3LCFK>*E?NZq~O*QgMR8Z{YNnTOQH+pMkPhWd# z*R5k7(LWCywfyuUKkeD1sGvNL*~e09PanG+yfsR7s>;(KP0d^B4>~SpR{d&=srt8d zW~A(_!)@QZPQQA3QVeMD*=6gZ_NuJcTdnfiJjL1h^%mV#Hv?{#NUe@K+otmL*SeQC zW9GN=+sym z|MTPH&L={z4?KImWU}8Tjz6qjTW(kGm$~!yNz8}*$)7(l-cI@YCc5Zwt@mU**RD_3 zB#T}=sQEuCU&l z_?(ihUK;;>+Mhqmr$2q3+jqv%S9*Sl=+Zt(lPaI8xnJJ;SUkMQbF;`(Zq~Pl@ z`SRPT)1NO}oxZ$qIsele8`nSGr@Hsj!WE~dvCp5Wxpv*@(ChbSX>PVkUoWWs%-UUM zmTZ)`=dNeYkI$dmp=p1rH~9Ujb=7iH_Eo=|bSdm@kcy_%ucrqJ+nik0C9wmlgbKInbuk!N54 zv%wV-_Bx6ISRX*Etwr2WFVdQ I&MBb@0Nf>G%m4rY literal 85734 zcmb@uWmFtp(=MFg1RVklE;9so53Yj-PaweH?iw6|yIX<=h9C(VoZv3OH9&BJLvV+0 zAou;e&w0=J`Sn_?#p>O=ySjSss;jQ5ns5~*8LVd{&z?Maf+Z&_rS{|rA{73IjfMh0 zvu%q)?NRA{}b77bs0 zufN!(i6iZg0?60T zguy2bs`QDXqPo$}%kgz5H@Cyj0f0w|MFQs2g4s*JXTn6Dq79x$6|c)W@^$Q~j@iQz zj|fc*YQYs3Jh7;NNBwOMS8@{ps9u6AymxQAi9Fv^l2?cI+8LW@;b@Sn0p%P-Rnd{!9Zrr7oR%f^z^M-cR%0^*@1*^F5vPtIgx4$Z7sFtjiSap zMX}EIQ@R6|x=CK1XC_tac9JR@WM{=X&v5AMZR#gc1{ANWgh7gXFZgS1Ul3lELFR)c z@H2EmtGl(Mv}U`ES$kp{-{~+j!V16R$0Um;8@FC%gp8j)M$+v!5P$_^kkEqZ0VCDq`U$fW~Bd{Z@rF;5?vIi$*kK% zYQE2FWRdcv;$(6KqJ|l8+gRb^1G1Yq^&_fUsbEx-!1Y`+&!db8Xi3NL?!cxlaC8^? 
zfFI>L4Z2suJ3EMw%;lhbO%7hEB;+)*m$e0EuP)ohdHp)J%-dyQIxX~ zQv>uu1vT0l?JQfVyOhdYR)kKKM_}E(x6IKwaOldD<^YX`ND0iUB6PnrV1dWhJN7!r zr+MX6;L7Or1j$9@bg5(X`-*qC!frL7WAj2Lb8m`?U=q}9is!_zziW&wHq4V8P}OV#F< z78$W}@AzDm+dM?i^_1^bsuNU|gL-vhJ!uV;1&I~qvISHaK@cYLp`U#ED)x|Wfl+cY+PjMYb*;(`mX3*wW@R}qUdDs zsGP+6iZ()LCpxEG*AZlj*5vlZKaKUo$_KjAzR>$n^@~pDLdCPtHL{pv9>l5mf@Uwl zoavID=oki6Gw+tMh-{T9+Zu}4{W*>mFW8@*uOa~D6)lh5Ru;!y0!JHWpJaYgMm_yc z09RYS3h@F-jd#dSyxX=1Yz3M0o5kIh`hc|X^+X6pc-Vtg?A*Kp{Qz+boy(?I5coPkyP}=x|&p}P^wKTzgcm2DN<+EC!{hx zR;!cW7NMyNrOEx1ycM{qwvfCWmLBxNJiAS#+|<_zlXc7}Z}QbkPA8z9Eq>VxNMnlJ z;tn%%tCnUszWrd;@S->=1E>mX8YWfFq8IW4#Hwkx7-O0M<|S9|lrMR{5^?4J>hH!5 z8$JEZ@XM|IRdmviRQ8``qa+^wQL-|!cLj$U8gSzsEqktF!uyeZcG^FL6Pycm39Flm zx{4g2mWwRk@#ZZxg^HV*<dnqYQV)mA@2+-fuEA;-D=|BOYW)`B z!pxV$*wNl@PhDMBaqTLMjmk3W9r^sd850vKrWV2`LgKv@9<2^FZ$C)jg)oY>?E%*> zlr)xaiA=gfo!Ou@T+TPq zZLpDY+I?0h+suDchx0pTE{uRjHD@ZGzF7o;>8}Q~>j%wPUwtz((KpTiDmL zC^nkm#6pUD+5wwu4Pd#&kVFs+WncWe!^*C5*juCTDDo}0teynK&|2fp<70^l0HTtO zKC8sQ(}rIC(S>__^T3l4wwSi9Vj=uwA+feeF8-`5+%lGDSCqSf=~cMt32e*XIEX7& z_+^_z59^dGqQz{T@GF3bl6EXtiqTU$^BJ0ZGPCP08G?0$7*#Q7-;a(uCb5$BlF0sq ztW{y^Bn~aRc=I<-j&ek^4NWM$GaMYR> z2z0Dm5|NK^c4T--JiTM1a5rE(jho~8zI*z88V81UX^_O%<~uCD!?eMNJ^N@6Kkt+5 zKqjlDq)^>k`;1@u%F0UHxt@1!2dQ-S-NBq^NH)=%V5lil`=J$iuHI5IZL(g(-x5~K zm2Mi9V8Q8rNO(?q1~W$_ZmVyMtoLmOh6dby_^_F3f3L&_W10UfFv6%_NYi)pR>vi* z^D^%0&eST1ap@wM%SY&MD!lLzOsQ`$>ci=A0NK4vp-VPaQPspPmhqhx?+m(Vf19wh zNgnpW*>p2yGWDmw%tj4pL>)&a_C?sdy_DR}_wd(Z*V5gioSW*AQSfi)HDnPf3mFpy(xM~PS&+Utg4+Nu=w~W~*-gmq**UG{`X+yie z=#2<^qSKgW%}vlf(y5s_G2bX^vz$EvLfUD|{-4}VK)n16>cCmFM%N~!sb2JZjhh!6_B9mDp#@v6$HLrjw6h)LkSZhBfXwy&06u!%gptIYNsQypbQB_lRss6sii zv?8^x!VSo2WqaPEhC-r}q3=J$@vodjP_EMy4@|QG>-l-ATx*%93%<&?21SzFAoP7Y zM$v(9NAmVhjZOt@dbctTyN4r~CCvi=L9wHzTSXGT7n1*s2#7fyh7=^CT-jc3ss@Tv zNGNRaWV|E`g`z4gTgid1n72zRo>j0}aFz1SJ%_aY8Rrfv6Y@V2$Ix~*!fhLM$ma#GZE1)Yf;zhf^=OyY5W!C^nHl-A$FqUl2F81`bA zqFWGywg^>}SyIXnOPI<(IoUp(;s?)Yg{mqrIdzJh5lrM7=;QM0+h>Jwm|if9wQH_O zT~gsIP+Hm3P}9!fEGSHa4?YKw 
ztRxmEdT22UGMA*4ryd%4K~yKb!?L3I$bNjlix6@NrB(JBGbyQu=;lffHZULXRdpy% zNTOmf4n@+NNQeh}#I{ee)|AM#o1Ooq>>so+F^xDr7i?|jS^coH+RyxJ42H{nj8R&v z#n0`iUFb< zHN5DxJJ&fMm>lM%+sBRx++BK~kF_Tjerv*Y`E3^j<3;PfvIAKAk67vgzTI;txFNT_ zJ!T;};RdCE%h`Q?uEf;f=wzzqjA)5FejSWzdvt>cF zRUQNS(&F4Fh=3k49)^M6!+gP+#(Z-v_P8^04>%hXCkvLq5}*p3Ufx-d8`!=QyCJ%M z)8a=fV+o;nh}B7?yIPWJ)%+|=^CE$xbY`JQ6I#LsbrLosJ72!>=P7{B(L$IF2TW)b zUF|&p3pC%4*F<$m(b=KrD%BrQ>ncrOyyxFF78Lbb8(@W^ajw&OM-Wvr-)={VUh3FI zsc5ee!W6&D*7ov7$O>fwP%JV(R}^Y@i{fa^ z$Uc(d>Q((J%==kLf1=bUkChAilHTwsaqYwB{SAXtWv+`c{(8V*{W;USV5-OcK6(y> zuH=d83vVrk&6ge~`hEr?SAa}-=f!OIX*avGS0@H}D#$vpQgQQKyN3d>H9m(uIS%Uq zS1TE`+sjD1Am2p+^GPz!QkHzakQkqZCWnsx62?4E7qS_9)#8UbEtQnM;8%LkAJh6u zJD_qH(o?Yd@o?<}MqZa?VfwmbaoLX((wK-|ZC^*BhHg>pn@eQo-zd7z#@ap1p9*|Y zlX~w#b*BoHkF68eb|QpN-x-F-KDso_N?$v)=3WOyZqBL;S@^K#FUCY{!h@sJ;kX7_ zj76^MavVK|CbtS`=WKU|_L|LvIAvn&emImOu#&_Yi){PBxxr}!H)1Gky=RH~a>f1f z!d3d4Ej5w>ku!EC>)I|leiT*9JCMQ??$B+I|KX%;b1rVg|I;znQo0!0WecHBR zkx3O|=`Csil!*=2cY+{_YPC#wj}{oQ$APMV-8#uYcsbZLv%2=A=Z|r3e{+O>Y2o#- z6a+$BDr#4~XFcY;#}*R^<3)H|QX{6?Ef5dfL5PlhI&9{V@qN3?@&R7qwIykrM^l?t z;fG4Olr+xMh@_0ZV?hx3B`*~cIdUWz{>9CQKE^qS7lct0s?I+3F;okP<&8OPu;1SW z$)pfGC{h@TT-EZFm712EC?d65kp6vMPoI@$wH;1`x(ic)gpmc8bDOb$k?301%(z92A)RV}R%}cfw5TUUri&&; zaHCmOgD|cjoW>yxt^Dkz%F4nD&}$*$D5#9n)CfRD)^z;s&PdUG=ddQT#nSfF9$jgm z2DCMA*%|63sRpe4BOItbU=s^ok=buAdA0H~eA=kDM0(MI0gtR2ZOGe_99`Y>S^2p1 zt}{eAOJH7|7D5f?(f%V!msVfIli4tf<^bJj3m65nI+ms1#vkx`bTWD zqxp}>fM5jNOufLIaINxB9M-}CILT3E?`J|A=1pv{jsg+pueyM*TnNEP;MWO zJE(MqmsKM5jgtCvY^Y4JC|~P_rbjxw+j-{x-P53NmNMSkT^ONez0Ff@!X_3L!&r^K z;-dIO==Qnl>@mXIoj}LJyq+^xK*TT`go;XloaYRfiwUdWWUeXw6Y{kOulSaOICL7- zKu7O88V_;PYfY((%T_KB1{=w@a*+#Mc~6_KFL>8zL1V+nN_tEca~Ei~2lzY26M4bZ z6Dl0O#rT-7^QgFY1JEQfW}Rw57h%>CyS1UM*aYHB()Xu-X*)|W_G zZE9|=d~?&<`UHpeFJ2mzK29W&LPkcOQqiupBPV3j6LQ2mujgZ9V=LCK?!VHq>gDKt z1X}QiT-kw{czLHt#QkVfCUDh_w~T8GJ~nq|e~w-ZEZ zEXDBaI%J|bd3;5H*W8lV6CI+@O}D3??d868h~8kqwQuGI4S&b+Ao-JiF^e%u~oeY8%Z^DVtW4 
zDbJ5VDvCc6hJ;Bj2(|-`~50A3_Bc63uns;;p2`1UEtDT8aHrFKU?M+|-1>Qdk=QvDY?^X1ZYxHCi^pnfj z3eUaiwN;yJ&)!j~e{QfN82j`ZgqxvsVOj{*<>~^KUH>a~GkE(%{M2NTLib^`NFAqu zRj}-iqHYuApA~nSiIjRP0On~V($yDjrqw_1y7_4M9&%LgBbTLcq>6#}N2{Z+19xyU|AvfnNsVQ#~>-ya01bzwp4z|d2b5#61>R`depovbXd(j5xpy&>}J$+jh1wMlP6 z2ku;(r{PHhBIu&BM)iFV9IYS^tOzRRpi#&>VD1vr2cp|}Cttocr?lgXTLD!a4J zVM-cuP59HB7UD5H_1tOZ8ERvnif$iE3;eL;Q#btv!}x+RgMKG{Cie3x_R5=^_xd_g z+|i8^;f|EKDJ<^~zGTXJ&BVCb*3ayI23(JeZB(KL+cOh+Cj?Adv#nefhLyB=njE0N zk3^Gf(qvy58#wGP7Kwe97ZkM8JG{k@zmCHP)DI%>7hnB@X_+6D^PQJ6HQ~%yQx_C< z`FgV)l8+qyFamzYj2-iE}|6TyDEKZ^*Cj@%r~Wfuh8y80nF?fig)v@kUQhosYCq}Y!9Uy>T2+)lYUK6|%I7o4 zTczdQBr8@2H-YgC_{l@XWLN^&_`;*o`U6UHef~`Hw~o3I^9RtW@7&uX4%>g%DzN8fUx`jAG|Q$2cQ|=`=QnPv16@^YLvK z4|kdW0%SC~JfDP;)6Z^TLmy7@y^BhZXlLhv!t#sWXR*4O+32thOic~)yB z=yI5=GftlS-}!nFWSzRBu~B^ns`Ju-iVVyc)1ev#JXU(Oo8sP`Qd%s=CY`O9c_CRnW-yQykb`h*plh?#WG4SB{42 z6g8WtGf8vEJDrlIXzOyI2%*^3+9@)r9h%~cBFtag%rc)zYmHAvq;Dh67%K6T{X@gf zM_P@0SgK+fRisW%US~-chE<83YV(>BRa;VzeC>I)>d(TbQ!)%l@zli~{k)hJYqz72 zJet{pH8g8r(wubf{_B+dArc~W0${;vcE(UBx;rFyt$Rw|MKP{$uskyNF|VkiT5w>T zKS>kZxH0Q-R3}FQLdHmYS*yv@>wWzcn->(w0qcyRCmhQ>FB^z-;rYajqqEyd zmn@cbuE+o4G8nC-*=W}_88_}tB(L@RV5-Ur;93*JWW7TNTH8Y}#cZ zk-f8lE8;pX)o(@b0Ko)BT6w2kAGNP%k^>gL&*e`9YbZbt3i^(e+N{l4S%RH}<%2K4JXNGK1|>DYF|A=8-v(gH2%IN!lHo z)2~?)@UEA*$uu*;vPmUe*sx9K73k8Qrzl$Ch-p`chelEdP zYs^+z`Vya}unuFp%MR60RGnH0;IwqfI1URuY=6N5vC8Zsk$`;;mGUm`T&IontibEX zn^es}D~582Oga=l?S8@{6qD5Ut}i*DtpEi{-iq5bhszD@a+O&(Z5~;gqW>mxQ{a6< zjkk^S1c>Ig>!Np@6u;9$jP!(yL;x-=Iqxq|E|F)v0X^t3BPix8>q+sf3LVnSsWi;9 zt`t9~zd5|%dj8R9pto1T*Ora>H}CvK8}e8{vR1uVfbq<5p#wp9LrRk1pHgo1&FziiqTzGVKvE{Ubpc|ErEISdWhn!qokJSCXnTbpT zm|Gob--1$rq~9Rwoj>ae$?O{2xvy&3j#}A4nzx$pcrH`tpKmQP`PW>55Bcs<9=5`G zQ&IFZpGkJ)d=kVP8cj0#k5vvKo_@t+9eqyp-qIIa=(dbJ+tjG{f@eqbY zDp`@J-F~&x0wg1iF?&n)Ivgw!$a)Iq-=6EIMm&+r{IU@(8H?I!-aX>}63MgTpxhmC zhT#`~QU8|!bI!P3#&ktApKMj5dJYT^o znK7SlV%2)cI!jG=hZltk*HuD;lwGhzw2(%}{O2n4;)JG_mb%jE>+}Ow<`ra>nqwNM zxdiNN{lBh72FWxL74lNa(iy&WLPq)FDyvhhH@+V9iT|+ixiRiiuK!LqS>rc)qKcON 
ze7@dAMhYDyvs4?u-np>Tgr)zR)9<@=FCWGlYkwu%>_XhVrd8|^zvOkn(cI0_GI5Rp zoc$z9s;AC}@&LqO)(hoq3GBD8;ud2|-Ks6obbPQUB@eQfnZT~HvD$&-$&%$Klhk}3 zOaYA3%tP$?zkVtw`vfX~iL#QwBNxI`(R zs{i;^*x-o^@ZEPfejCoxqh#PV!kAG+5&}BU-If<>_YnfbPX=Z6grmjuO9i?nx1+4l zLfVJB(Dj(yIxY&awyBah)dH)^Rfrfvx@A^FRO0a>$}xu7fAydD%L?{?O90feKA{l6 zs~!T0^4@S_V)Vq zwu88re#H?l3`gF7t*>+wMUStlpk_8~*m7Hfl$jrgOX=>TJnn|x8PgIf~e&=@1TwI`%tAzrb^oSPNG(H-= z<%?jIzQZhY-4K~1g> zaT&`k)aaMd9V%2X7B|v>+?8_kUuy3B9>xPDH8}a`jDgB=-#l4ZMf~WR{kR&rSAuk4 zfx}r6jTM-yjsc`(lba+qQg?C{qRQs(EV143OzWE@*X7x+_jxx zY3o?f@RjF;J%yCd83j_E#ivm(YJOJob^9MgC0royN%W-CpV_g<QuX4*QrEbU z<3eI5J7C+b=BlD&w7nh_#ovWx-IoroqldDIJELGwUoPBYu@T?QY zcORO%i0PT}kCD+UTGD#ffh83`3SaIa_U+JoVe$6+a!=3hF` zpR<1W9)<5-@Mv9?TyB2+@b;W+Mgak3ls}D zT3v7v2w+xld%?LnZQ#G~4q^WT9|LA&7|PC{8dx-HVf3H!{xYgw~!y*Ihk;* zMf;MvV%`R;X#a+2(^V&K+P0|>^H*){jL3em^frjadw8Oq^YG}v=zCaxbbaO~%L0Zb z!xPJD+q%yvTC%hx`WxXJE9|$%-)VD;$DUC3VHD6l8whBakdB*I{xtUEydbloFyywW z|MNP$ZsWlUVxD%s77l-1;Na81F_Co~x>kX6UNX(aKvb&GC0`O5R!AYl^S9WbQd)C> zO^YRWr?tZn0EPCx1`f@5;P@n3%iBr6%M+B~N;e?cla!Gpjv8ehk=B)*OA_a<7sSz# zLbGi+?S6Or;qy~qszMy$Ui;;)b#FsL_z%Sj)5jVB`)xL(dJ<^M$Kv4@I=`=B#nHWc z-=sComAGB5wD3<{R)=_b^2ZL_1scuT(gXP2Edu{I!;t$Oi1C_UxXToGMI07|r1%@{ zI^y{g`C`8Psd+eXVQg+zxSW%s`VvJZ)DVXNz(PgdJR_+&Bos4vG%i4u(~+NA>ymU|9* zK3eILfBlrsmCZn>4pUE5DJS?Hl1FRbAmvW% z`lp&{BdnBZx7Bhd>wQ$1>cQ>BT#qbfjD%UBt%b~fNqh2z!-YG9YG=JuO5}q8#q#`= znEN*Qas>_Eb@U4hAHKouU@(s?21am>(PpfcDr7`2C3vmQ746T6ILtNBPYS_F53^(J zby$->sUu9fMp)^WbPzHf%v+53ekN?vzei=(JhCtZ?o6-hTl=hEyd$N|u^n@c>uNqL zLF;a7j|pc8D?iB*5ye84&bt&)h$CwP5IJL;{;CNColjC(AIQ5~kbgQwllXBai)7m; z9$Al7uM_C_X>(Ahp5r9DAY^Lo^Lk4+h?IwiXKJH0dakx+a%$?xPwH{KyeQ<$z5Tw3 zDhG8jiaEoSzO-Vq>h4Jyr2X(#lhSk>M5^!9kaOi;aemhpJ;zsDbO3!cC_n@KBr)ix z_nSKTdg&I~c7=E63QYyX(D}cq{#@cB^~zno%okS_icphP1w}p+7f0jAw0)#mo)UwG zvLc*pc4y!GZj{Y?{etkP!T$`KWJi2v%@;puQkAqm5^lQN-p+_(wR>QNja)`$vg7Vf zy_^BJO|LTT_<=$>%QNJ^S@3{ba722zB)DgCUrcymd@}M z)|@RcnKIfH{g>MJjJ;yJI=czKOcy}t-dyQ^sKYgKxqWeF`Fh)xMasmu 
zMYYc7?PcuSUvd96*9YKV-=NAoS}T7mXb4wmjPLEwt^X3rYxh3wUXu`;>PinzI^nRL zw)p*SkbwaC9++8<28#es1j~C(Z&2Do4=dB~KaYg~UoEK}N>SdQcQqH^C{BBD{6}5S z>okN$dpMdKF2{6VXMFR+DvTKK@?)jW%AbBrx>*fF}cugHhS&w;OASS z!7=Wtcg)m4LzJ#>pwSugb0R9g)M%n6hX~ zKhn>q*0}ncu`A*LqkP((;nyv`LEU$DJJxYB0}jWBe(Vp0-bB#skZEUtPjidRnb)r( z4&LlsYkk+JDEP#ZzZm$THupF8-F+cejp`89``!Dlita^e8lIfOll!!j%6rlRectfl zmNt8W`(SX(bcAT_vffBR`dz-*SPQIAHNRWve0-ihyOI{d(vxyp&Wo=IWw1zQ z*|fv%Ha@y-oJgFy zd=B+oJBgCu6_%R1Ez-ZfcgO{i$w_bbYBZsJNv*rrbCHv^w)HQrT0OMC_m@27S@F_a z9<{HOnI8J4*a(Q9o^yO2ZAP4*B}JBj_N{9Qz@*^E81w3`KEb4_m(w#%a|jo@-+Sbx*dkmX$bC~hx+-MrE}7Y@Hs+LY(gy8o_oy*baqR>u%pjO^>jt=k8?lpXDwH z@O-;yQWf~;^C_#aU1`GLX~PuMKsaa!Pfurg137Z2u;`zT03Ft~5GY&2$rkKph;%a3 z8NnUhnTS?UWVA9neZbZ$=Qy-{zq=yqhO;+7BX^^`e#}Z&9*M&ZH@^7%?y-viA}bg2 zmUE727muZ(i<5Ts1L;%@C$Gt^M7Mao&aL3bU^do7-}O}!VerE;Zy@*9i%~VjwAY4} z+aGPdu`NQ&12npqN=n?S12pyy^vhn?5lJJ0Tp)H~2H%v$ZKUOXDuU(jaX9tPC2KU4 z8k*%h(`IVlZgq@r--FNUdmEG${74cOB3Th-o=|P1@@p?Bn z0O;h@rsvH9i1=PA!IiD^NrLoU4$jrxo$#Y|d!WWA(Z@cx(~uSniNx zdn%!hXf=1-lUj99&1xw+n;kP@v{3L!sGY{^HF=t1vGO!Nz`fL3kf;ey>e8e`3mO5j zF^t8+H#3GQ_CED=$C2RYrsp})H09m#Z8Dm|@TbX%ke>B>hUN{D29|N%^UqPa1*YWh z78gVMm$5abHw%RB{J>2m1WlP<@eayOeU5^jv&N1F{Te-EIir?mB?dP9q}}cJ-Rozi z;X6Yn15XyP-{dqnk|splag_O{{&mnkv}fs{<9pq3BB;LCoZ~?@C39oNYSZ4a=z`+) zLfazhy`TT1af|c;V4b$W*@KntzwWd2B|r7rt9bat`F}h*k4#+{3OvV3`j3nI9R{D{ z3Wnz>`Tl_eK4!X7@b%jjP5O{dC4xHlHitnZBoJ`^dzwhC>(10$*nkE1kpV8;|NVnQ zcASroj=n)O-@YaOKQHHF%@zM|v2s}fWhki)CPHvK^PkCFtNp?7)VJL~cqdI#w?6K_ z1qovU;{DI%)-lRR^-k3P=ew-8`};qo!2IvmQ7Y4GT5&r3?;A61CrOm*%Ko=N37MIL zn{Y(oxcUe!Ak(@PY{0U+RJa2ERo&@F$9nhwy7S&@^GrM#^oIsbLHN;EkjJOt&Cl|&>%2W#ZoKqRFlMTo4GYBj(>hDZsYVodA}}F*g6(= zQgWo)@-;^uajLi_0CLQIz026%+)C*Hlm4xb`=HWAwuXs&Jiy@e=Jxm6=bja8mWKeL z?T;?)tmnDRjtn%1JOwaQ_Q7vJ1!I8#8alGO^G$9X!}cAzOL{x9p!zdRZ+I@o)9T}N zi|BEpu|rDAibT^o%vUpiS~*UCK1{rNvRiMZdjZ;8Sl#t)J|i3#-awV=O*H(Vp$9DF z)3r&$B8)`0bI0wl=t9myyTc%~FdrG1+I_}9)RWaJv}JB`c{}cT8YHTb@ux>L?KWuf z=!Wcu28TxTkscmr*fRP&mE~uI2eW6O+nV2-G<#qTn 
zWJj$+%c)D5pk^~6R9nS!4->m*uial=Q*~^HZ-5(u3@(#5ma@d~!@hk_Ac9e0xP9Tq=C!)?X09L}_3Ho=-I3p~89_!<6_2mj8yW_K0h z+|^?t)JhW9C4n!6l|Xf=8Ox*0%F#F6gmjCAf}kSzg{!D~YmfX}SY!uvo7(XlKV|46pvWg;eu@1j+j=cQ4pb~{H zXS|+$muTdad>153D1apU8EpAUd*cg>R2rC(!}f9FsG|?L%hfOXUDED>`CnS}a#}Sz zoc#id+ZW)Fh6Z*EtN&L^+Din;zgsAI^NV~)XcgMVwiHDaFST`3BpQOIO}}Mm*O6e< z01f|(lvQZ-(`IeIJdKvh%toDAN8><>hQb{S>p@7~n@|>yUsFYP+r7$1M(A0g3LGXL z!MoKUmz9XaGdC~-4INENY%YT_LDei3(U)sORs6#lmb&UWnNDr8hyqr2>UI{oS@eWO z5&WvJ{)XbvZ6jF<(VWJ!fG}3!nhm!(NZ*>>n!R%fFaL8k7Er^x9ctu^F0Q!|AS64J zV0k0tLWU9&HvciuA`{ymwe-`U+6@ak-v~j?W7TQ(-(G@DT5>t?5uro=`{dHpK z()7S;!uUlHK^4V0J7IMz{^$CkMRI4ua8!6ND4~QLNBD~v<`0cVLKRbkNaSp zU|)|qy{3U57d2Mi*daGexR-Oc5`BV9+q(3vJSuSyU-(p{dHt=9$}urv6|)%0th=nPy!F*&??V*YQyVfKbm1${h=zjGE5juqBv~uCw|HGi|5MW zV|mV*Pp+DfxdI;}*J_2C|3ZzZjA&=x^r!nkiGE73$ah#5VN&aT1*_*9O*b|hmRQ_IM>*N1q$ zfBshaXmaaa5mU7TfMfDn4f;|!_E+$2%@Y+*72F*(TP;HEL6!^C>abEo91fK-C1e-r zu|z%m130q?h%tWqv+inuz{Jc9#05tDI86z2?Vk`;2n0OU#vx-M)i0DJ?o^kgqVd5z zk{>UZ8Z(~TJB(*Feezj`Q0$27Q#Vbnb*jLaD+c7sv(yjUxx)FpmG(dO z;eQV0T05FKFx~iIv-q4w^O-CRJtr@BT9sR$AqMw{h_OEeVryP+}DskTgHC)N_XiO3{}*W!>-%l=;a~ zH>j6fu)?<}^5U3L*ZmIrH*gy*1(7?8dd8WPAjF5-VVobt_?>{Tp7t$zlW&kc-a|+S(CqMu#$&FJc3u02HELB!RZN(Ti*bE6--hZ*DHTkMU>bc+HW3kS9ABhZy(Fc zuxQy%*n*`}-}-djcWdOD1uI~|&9fg+Q}%tdfY3zJn`z2)tsIqo#?FQJ$rpy!M1=L* zOKX)V*PKivw$RxF7798PFk|J@{20L*f;udZsdTW;h-P+dRUil2p=$`u%XUF_l#Tv| z0^)c;>@R5WS5)xQ#y(1RvW~-UryWv>Kw!i(o;4ROvTxengNTuD4y5Gugs)0~si(PA zZ*ZbDai^Hi1LgtOcF6T-jDK%f6BmhV zYtds8tTK@^N*2nZOV0$G*SyAG7nv~G>ypP|A*-T5i})GS`-!F35+E}<@qf2+S!%L* zU-JXnR6km<&w+|-x1X(a_$(2}2dAE?y;j_Gcfr;{6wYxwX-(+8WlyPEA&-3A@}GtM z?lK+_Yia!_R?fpiQ5xUf@h`1LP0Qba@C-DUTERnIH^oCc$W^iPj>zF4*>-H<={QiC{A3Q zlGP4TenHC&(7cm{u6F?F=*!HDs_$w=qt)V4n#|9BGdD07DnOC?Zjl%ZFxwfv-H0w& zD{irf6}v~1cI(6H;l*U|M%p5Hd}02eId?R;b~-mnlu z+~B!MhCR%pdprfs$p-7{azPMnq+ z#c)x0;VT0gyZ}uVal-(-4e45qa$Sk1##<0Tl^wd9iA##@UbaM#x0BpAW3%Wy5Q81J zWwrCM7lEN9z+yCR)@ES zV$#mkXUMkQr)I~UI~2ZYA%BwTR7B|gCYl*NU|bLJMNdR@wCMwEP{=Sk2X={yrJc)8*PJ`&E;~5AQMRRl54i_h@y$BAN;b5IpNM 
zrreKlS(3;j29l%;OgM%*lkjr&Svm+8P?XddnO8P1Qm8(ci% zKnEB$SCw-)tP107R3L9SVX0*pw5Hf*A&Ej5#%s&4<)yH@CgNK55t}5No~&^;=qWYC zcH@miS!Q%y)$`sf!{-5~Bt&lWojPs2>jV@)TB8&iYW`(RW+?B>P7IY8cme2xw&Ew- zHTzck;($K%b$n(n2~8Fk5{vkcqxwH%7E9!okPdDTxYi7;yA%Dn?=5@!JELILfOozm zU%E)C&gWatsIbh40?KL3UjFv9{B#(DpYRgt@~3I%v$q-4$VQV3m>CVap(5~<*R{e2 z*E&L_p67Vlbwf{V>xgj#Mao%A(`bTl<)=e)^CL9rn73~m(5TnSSfJq}3e>&sOEFGS zB4XVL=puc!92R~->N$9g*cu%KO!1?h@8aXWK?}+D|3Bv5GOCW}=^9M}!QCAWPVfZR zaBz2*;O=gLKyVJO!Civ}cXto&?(WV#B){h`@AKZZ?#KI$b!PQU_e^!wu3fd8&pK6D z4T!?K%AH~ZC`G@w1$Q03o}0R0^ijb_Qe1jt2v8X?#PQOLsdgS8v-_mq}jISOIu9)7NF|#+15KhI6{~(5MW`IiI zTG1ij+pYU1X40y|)hmtV%PzU$Gt7Szq6%l$goBuRqw`ptPtfm$cWc$+E5n*ZNj{_z za) zeiK(w6UrZQB(cLn(e?ENr@-ZnJH9Y1%}+86v8(kbrQGTP5LTQ(cZB}BPnU)g7*b7@ z=KP*H?>XePL##F?rtFAlyMO+0*SP0)fFT&Vv zeA{Ay$Z}e?X|r|Kiw%}dj>?>_4VMo}KRRsvPShrSmq<|Or5n0cU8AhnOh=5&p8e7I zgn_}?K|$gp6Z)^*Hw1+-`B4n2tu^t84LQYoqI4)b(j|Bf;Rl127c3U|&8|dmpY`Ctp;{?gU?+*W-f5 z&w{riHwV6Y57_n?ZP(a(oV`!#hXUNoazq7EYZC*srzapyat_p*Er?@3PKPg26C&8D zj?*G%lFs2Ph+z>G6)waHC>=8cH!7gxRjvAh$AIZ-A#b~tRlkVyAk1Ul7OrtcUvm8% zIPqI zvD}o6@SF-VfRwg^pB;I}n=3FSgn~2_MvvK?CSKH4Km5~WIA9swfnj`tDCb@c#}id1HAea4KKuXSUeN9Gp5+! 
zEL18;%xxB64v8TLG(_H+vd`xPIV$kwDaKV04#yM$}!L^Ge zY>*q_H@B}K=yB0IB@6>LKjA%6Ke+}zU_+^m-O*kWZs_EYnf`&E;g1@!4p9g}DWZ7~?H^CmSl4aK@!w$p z+WobG%+p?PnThaj{j5ah3xD-VzPUgz+`(QEB(DwY^c1PY4C; zbRyjBM58nvA+~BIY@cV}8Y=TRz=J^3hr%P&Kb+;+G*;@d`+d@A5B$kT1XBu85U1s< zwnRDw4cbz6hi5C@-!^r%COqDbH80x28Qeq>QMbFOe;irfYb$0;&^o3jc9xilS;QQ} zYw0cVk<=R$^3Al{2^ht0Z-i_bTN@ zY@rs;!C>mppO<aW|!w(g{KEnk%tj=*?v^DBdnBDr)^W+_sMSNKC>Eb z;of<*psKJnnA20?zWF5%Gl$AXSL)IJ5N;t zQePf`I22CjdZgK2Dhi}iuwHr6=DHC2vWuj#Q4V3Q=myFW#N@_pNG_8ya&tAg9IjhXOcX#ZMmr)?{N$i_@;^;iuHim}9ayFr*g@1= z<~6)fo2l@eqp3(ULXLtS5wIW^ALG+(VcdyQM`+aCS}EIFct$+y!g|+Bb?}f+AnH~6 zKf54uMYsW~7zsf4$W+wg`@qz1wS&5~6Y5s1D1T|1D3AB*vP=16Y+CMmIQ86aPXW;1 zQO>dBUtKwP2XW{D{7}3CQU5r088z^4D|%oj2LAGP9YB~h7aZ_qus2I7M*;RF+!N*@ z%xv85+t_7Z5eCo4y`4-lU^aPH(K@*ka`~npa!NvrR>3)3&g=jM9wvcJMdycd&gvb= z$;Ai|$rsh%Yh(EVfeD%>Y_|-9N?QxmbvyGCRM1hgy=+v9<$ZY1>EHoyKuwggHJACHls!}%+YB5x%^$P z9QOxCg3h!Y$U`1`qAhxr0#;f0O}w}my> z&MrBUNrXOq@0U-R7&_BBR1g~RGeB2anYS27$6}uqig3HDwQ*edjOyNZ2eJbeSJ2x}pP1FRb4i%D zY9!6o;fUudde}Bz1?lG@0mGveI$nWCaPE{kNM?wRWR#;{E$_QBVxP}6yD&;7LU2&) z2rbnsEvB=EJd8ldhH<68pY^%^hG7EBB9pmi{WK2h5|OQ=sRQB@IlrG!56NOdC&CfI zA@z~3_OW1?8K)y2u@GTXNZ#A-dg7n^ZJuJ$sKwVrcBzuJI3`Jra&jY`Tmq|T~f9q-MjV{D^8DYH4AHAh{M9?q-FqKA4cAkoumhHnpe zZYn#=#6)&pj~IwTe~6^(>9e`ObPNfg0e1Xk#Z@yOBOQ7~xtVy(I9m#+e4Zg&->vt( zTE8>mw8}bxsHcOT^c$so!OH@%wyzYy$@>vC3Jf_UT27qQ;6cRdOAI+>30 zufSdQ7D@4Rpc0#J!qbok$4PebsIGQJQmoC6W&U_0NFF#=0aZ5zor-Oc@d<_*Z&%nZ zCGwY(KaQ+W!DRx8PMM&kzzs_j7IzV{yI_*{JL&5kYK^kw-QMJG{6b~6+2dpMiE0$8 z)QPRnHsiHpd()Y=qz9SrlB=<&x zG;I*=qZ17BmajZI4>=5HWEttsxx=ehWCP_t8O*nsW{+kI#Z`YsC+dp{TneeQ(x(H4 zXJ>X&=%R8)=sm20r8N8u0{6A>tMrAv;-_I^!h4GNx#0Lpt^LPhv~nym=wP9&$nDeX zjL!$u*hAKvGvujmYTOfzC7AM7(j!Z2QeaFG`|EgFe2bpEB7KoE2AX{a)}(SWJNF+; z&2l7rAQVY*eo#&>e95vbhBn4g(f76{8hLR<;^gG)t?3DzDH_Xg2G4Sq&gpFpx=gO(K%%T(sxCQxjGfIOwI(_ia` z(|%;#(wZ61eIXM2C^VO|q#V}nz`UldsRzEH4}Lds-nBQzg=k^g5e=RK)&Wh1bt!7gav)JTiBk=vwj6@9QJTPY z`xH>4sbbHZ+xmp$sKkBu?i2T{)Z2t#IPFjvtiRXZaK>L_tH1QsV9Q@3xJDF-VKHjQEz=|t7nXmWD3 
zfg6#8h`qifcf=y8Jh>8@WR*bj9U}UTV{SQB=OS2Ez5<5&_j79+t_*WN8zz-e^|WxG zs-b>z+~7ESN&O2KjBasDwc9Qr8d@Uwk1rr!WVeXUr%l1kDf!7feA1HC@C)c;K>+w)x9oq^=vex30Fdt@klStEE0s#wkJRwvGn}-Q@Wd@ zg%$}_AT5#{0;FfxS5+5dOHF3V$Qx3J;yol?()BG%x9S&KzKe)nX)Tp+Jk{#y7L=M1 zZp6j3uDm_2`xN$kk}aD#ssinlkuMN|o4!w4vZDxvf0sq$b|_3pqMZyO^xjgtHmaT( z;n^MHaa+_Nu%19R4-vKbMa?J&J${jeyadiCT?V3LR7)riV|Bb7WHJ+7ZfdZ$F#c(L zFm2)pM!N|Ffm~NJcrYMc;Drp!`?@*>K_0A}xd9;A&uB z48+oVi;Umiffi4%?&O~dZI;~@Bwlbw=!ZgNxsKs*3pj^xwI-` zsyq^}tNItTdmzkfn|8#iD85}V?p^9Pfps{fIPBr^`WzXnZ9Qoq)~Saark*O z>nd0Ftjk~+ncW4~!9 z)*u7*J@hom>8_#fa0fDQtdR*x+wOeM8F^`DexxOE9%MJ$5|H4%!9&wrG zIgHw{4xO~Bso~bKp2Pvw*bDp$&)^RNhM8c0dOmf2x%WHb8OdYCB41*rEsT6uSR1d* zf7WpqGTe(DSwj#~hAr%~og>HpPwBV~=>XVQxcd50&XaC$T|F;`**Py)v3(Mrc z6i=TWK}7ni(PSUhMdQHqbHf@vWf!my`)?+LLK42$rLIGp zji643$<_Zs->=JA@6oT2@)T{BY+Ak|WMk0U7%g^s%5sc@+nW&H(BHXz$Ae#V?IDQo zj7MK%oT5eD?y#cmQi%XPZ|`@B6K!X*+aF7v=xQ|Obt?vMo7I4^(34xd!J`7VcmKTo zWtt?-Yq73S*9il^*h;6=x92M4YDw zj=>Q&%0{M-?5uH4Dp%;woO1SfHktU+o{b9qxGm)nf^-8$BQOPY1Ab3% zM`g-s>*LUg!|;tmYKj8b7?y+aM}M?N{s{?S4h7Jv(9}cx!nS5FuKMLnWY_6HZg%5# zs!Tri%S9vqyQ`)$*`EltnRHYT9y3D$09)<>cN&d<=M*q!NyjV13|b6kxIel4%1=8B z@b1qOR{lH7H(USn&Yq>>>C``-sp^Ask%=w~^E-~USJQ^cJwT2u{UVbO#s=xNuJU#N za+^Respw9#)3Ksl?q6{h z%t-i{WP%yge*$zY0~Xfn%>F)40vjIw6+QnCJ5}+|z-RNsVdH$q+?*U+Ch)+2-H?xU z|EXSSZ{0f!>{`{-{)u?tP)V&#NB2*}{KIB<1OF`X&$9pf+P^0-gFQT$z?eF5HO#*9 z-;eP^R@zel!-9$Kj=%T$!vXK<>;3ma{;cCKKm6}&PtQZi?4vZ=$i#e`x?slRzAE>U zzx+qmKQ~(6vtgrfI-I7rdCMyec$q_ua6`1?=C@MZIlbTE8*-Dk!oU3?@7M=#bP*i({^{noVk<+IrM@C{50CVSetVtIg zfvaC0yA^YpeI?Xo_dAR=dV@#GqF*#L4iSS-#u zB2F%dX<^}TZwUlcEg+*yUkItV(%^r%hhHBnjJKe<;CqWm_tK;^ULcb%xB7$I%NccI zGfRI#BB#w{yGS`tk1w_0anrowqraAxdk~X=Zz0FK{*A{GmC9O1$9VU9Q<@jYriK>H zOY(yYzMc1w&-gJUxl9pR=C%m}><=^dQ;l*qRRW=6ZC+>EnkOJWnt2Elwa&{)zzZ|Q zJ7*XxBWxe3T_l>4ufK5qH#TE zIT`9=3Dsn1!I=CR$|@ugO4;k}q&cw-S&k3;7vp0sxE^IMgxmRFfemzhjb{w?v{?40 zf*ar2x6Ch&qKuzYi_YW;Wldi_;ht~R2&}29@(WLlJZ`KAf#+z$VP36uWfq#9+ItEyFq9lFVkmT_=#n$DjmN3u(S}B41_iL@Uo!Y8p*&qv9)ZIN3^k6 
zyM@zPoG{l%txQpg0+Gc(jQHX(;Fcwq3#WgQR%UPWiX#8@wPk7d`3iJ6HsLm9ev#We ze3zJweLFe*ywMCUB|(bY4Tgg%Ds(O{F*9?lm&>9P3B#s<4esDClCDT9N9o96=vX__ z86Uix!0%=G2#fr42}e1`okJ(1gcXik_=^lz?g8g~>cePA>O=ixv$pbZapcDe(0I5v zyVRVC3SJ;ras$T4voNn$X5`OSiY;v=Vf@nKc)XQdS}-U*WwGu+>*nTmVtL_uhi2`4 z>Lf9mL~xHYolM?+^*Zvv8T`sEo})CPt5JqAR(# z!dFKae1!=-hO+Y>IPZvs3PmXvn4Eb+Pab5?E^39NaQQ;~>qv%R;9hBbzw4;+#qngX zsLOxCg`Tl#TSG_fW&6CN%j3=!FuyWx`S{`Ymg3*Z^1b^tcNkk58;gO|gFW;+Uv>qJ z(y29#OCU+BM)%N!WaZdFM8_`mPeXF^~Ek*Ph7S2ep7h+t~rz zQYq=7sPOCH+<=X;C&rv=KD3EhM9H`h+S4}@2^J@FeFwbe`}H=ZLU(OJk%J#L6JElC zS^m6X4oHSc*nBRUE$^K48;=|j*B*ZX%uQJeIdekAZYlbGPQG3-RZq{ys-sk`ckkYL zUDSbQa?@-c7t=pRUti^cUcPWFFC#UQax1o|)_&=D!fsx#@Qw09pP+=7+B2?o>~5ve zc5z6hSy@Qt;jct=Pw|+B4n)bqW*m^8Q4SuF$H&;B&`36JOu&N5xb?qHT@35hzAHGS z7Ko{aW)rT;=hv>fAnrTHLvgyy7_M(BhnbQsTTP>$BAny+awiMWHo`$YIy`y6ol4Dh zot+8tYDDNB{~iFfaXPe}hVLDXjO^1v_`eAD!wqC#hF^ z2j-gGE-3eL$~41>A|mP={4UBUw2P$N+86B!k2=4P;KN0PS7j7haZe275n=ltOj}p+ z!+8nHu_c_eeP44{Gk@N(5!2?!ueZW-j0pc6|1h?s>Rb8ni_+Tj5TvxU3_9N_aW$*$ zT*GM}%yeJ0nOhAXdqOM>!$RPU6=%02VuWy=#QEkYfj)nPm&g(-c74JPS37#*$4kk)>_14w>05qV7aE)0GUl}w?) 
zU-~VQ-ZO}zkqq+YM18FRgMrA`w;6ERfjq6#kJZVo z@B7g}V*>L3z-Yt)4Yg)kA}vspeQ`-fwhcqyLFTCc9(;f-DxHxT(x330UYJB+z+=wt zRu+$Uq#xn}emVb!YhKxw(mEmq$14hCuK$S~y}9<6^Un_**86kbZ6!=vc`W87C2 zkmO*3ZxW1w{k+S-f3GI}4J&HT?QlwOXwr3RrSQKoX6b0s8HIcL!LW~Vp~9BA`M%5Y zP~v~QsxL$2a+tWRg*`g~^LhP}uv6aN;YZ|PsQEvL^-GGQwDjAT>ZP_H|1r!Pbu!nz zXws9xYHSC~e@{RvUUVxR zZe7UEPWg&`{zjklZ@0I%?AO+XsEmK{J{VzyiiS~!nLs{%l1o66(UB>r`EIrfPC>w9 zz(&tn0L#*IBl9#~F#hu__A32%%g28YOel?xj)q-R@cxL&^Jf6KI$4J1{a_S4~#=A=s80;IH*CYk}6Bt=PA$4^7;r`G3o2ao{Uhe!96E5+A;p2=oG*{o2>{fH0js7NX$^hm9CH(H6~$sdHUvn z`|sgk0qHT0G=i*5B|!qt8`QD=t;D5*+XJR4?zh_~t)c^d=Q zE3pus=kyC_PY-pN2Q;8w6uenTz=r&6Kand^MG22hrsWqoD&Mea{0T@do1+re%xOZ{ z;D3UsA++t}Ni>nmv3i?rGHOp&xh;0et8^hhj#keM??C>Aps0d7xA?;p#6;7E%$~wC zIlAjF>DD`G0dH}h%LX+JNA6`eQ0Lk$uuHURiVsS?iSs=1_AZ%WhJVeS0z3gem!2D~ zuLF?S8~vP0X9{FGV75zLV&=&aC--wAk<<_U`D6X`K&;S_nvni{-?eysf@KUO@6k7O zTEDP&irkrq2;_U*$K^cXpk2sGXr@5x^9-PZQBE#7Y8~{LD$HW6+xE`7x2jxu=_%Y$ zc=EQoh`vuxsE;MExmKN}!3`e+ju$9}@SPF?o3_@60vNU6v1960xNGCVVj6@9*)Ntq z7oA|^iv~IB_y`2vI-pdS!O)vS_KXK-4X*{sNOkP%l0BM~b(KnDDQWWsU9AbgB%=F& z6{fc(y3cuI7h0QL^*~`hA()}stFaN>y)6O?**O|5wx#66`_G;0D@*zZZXx-x!V4E}H#j@)Pfa}F0bmFjHNp5Fguv=e2sAs_dWRc`q@?GytMmatS{^oB{exrryo+3XWuqgQ@pdbdB znM*C~GAMV}gA2dWV7sH27KYXtyRH;bRd#$uE~tvtVKwu|+h#jH;|H9Ihmp3+O6vJZ z1y7vhj;A%;aukc}G(qLj!~?ZnlBDw*(k@AeFupgTF_rSU&Kga53=W)FR@o_4gPc(Gjl`P|%+wyW4mU8kq(m zUo%h2_2{O2MKSc$5}<8QTiIECs*?nw`vuFbiUTm)AuDl530eG(zwkZdhaO7I84g`K zxK*9v=WR%Zt_q>BZB27fsQNuIq}r2F%T zKxMx=kuV_uU7cT7vD|f}4ubvR$W<2(V`r+(VU3c2C*>Q;5kmeO*P&41^JT!3X5;T39}_jDM~lt6>U_+z1(e;Q4G|tPT$AQDu?%=XsnChMaSOl{Pm&;?#E}gvGhAAJO+(lrjX80y&WiPZO3b5!dVHDa&&KKe7<_JoH!d?W$>X z#ot|9Ya)H=51MT3Jb96lZ+Z=-h!a;d*Vk%#tY6SIBU>ng|!g3ZQc z#g!CJ)nnps3S{9&^sJ4`Tsb>tL(o(}C3&x>D%|Q2P1|bP6*d8N*>6z5{$7BaozTfz zJ%;-Nm3AJ}VGkCsavS*3QXp8PeuL&bt7Ux6k2OmZ^mW(|M$m z{WN8HYO;3*+|OF*1!a=uqI@)Gk7@PNOcfWlSl1KhW_2cDlh-w}IAqT|k*BhE>rh}z z0I)`kshQF|!=d(k3|90VP|ZXKQwP0shX5r)4Bu_t3oah1F zuPWbIxnMK-)y9fdvg#nkupLlS&zYX9d$I9o2!0@z?iOX2VTdoI85^-kHFk|r_N-7t 
znuQgjU{(*Cg7aH19SSZ{ceyG7hLVQ zuA|R5xL2Z6!565L(w4Lix^=bKo%Z|^>)qte;BH-z_qm|qNIZ&d4qn){t{72afxT=_ z=v44!0O@5Bx=vuCnvE?#(F6NXI~tEd@hVppjvY_|+-lU}w5tq&DeWb5S&C{Et@H@a z_4B7%n#hG4-9XFnZhW&GO)Ig69~Cl@Ut^X#xc$=tAk&aryx03al1JEM%IgE8e7xZ| z>#uL|;AaHck8no5)tX-56J<5|8kHgE+~K-1?ei7m#a*KLIyRx!+-J)GIL_Uf)^Lu6 zPs$CF*uwaouT(4I^^y~B0|{(C2P(FaM*f}%Si}VCba{*&@TF#hMTJi8mi5aKR6DA0 zZ|6fQ1ri*cIEcL?Cidxu#-Y|`yPR?}UgllK4yH59i?KwzoKPJtwaf{2n{XhO{F3Y9&St#R8~mC%~DUy<`x$-BAk$F4yUz(?!yXq<4Vlm?pR`TfY#m~1-v z6nAsU7&jXL&i|;Ge}7DK*TH0@93k=Zgq_H}df?RwRhIwTagsK}Nfq65 z`EU|fDw^M!aV6ekpZV_K^H!sxnGX zIp{LgUpW!D9tNzOuFpm|E{Nr8fqZhF=~^PYV$cd~`1q;RK~#@m$(&p$;x?KOq;!mh zRtaOGAso8JMF5NPF=lGlvi0BHDN;dFnqN_`AuZMz_fw6ha$N6FA;m5tr*@-D;}31c z0x*<{qL6Aa_BTRK>nv$`{Q624(?gps_}3P1akjNOQmM#n;8H)X#`1~qjyTM;d+#|+k-}3Z>iQ4) zlW@mo>Q0q1T=eK?N+h2C(14Q(f~t8Dy(9C0?j|Um1~DyD@9=c?V0W_0v%V=a9!7EB zbT)!~&7af@AJQ~w=C|WZLF)U&$opCbx~kdUXxoNtO)sCO7%$)>!P!)T^ykmt9MCQ* z#2F%Z3AF7d5bmVjje&?KC`_PETL9`*H1#_Z$ z?Sp%7(y2i?g^9p!{d++sgk#}BfM#Bq<>oMfIQpXKjdb|B6?*2b3XQ}JxHpMdk>m8 zcuf%?TY&C5kElbaZT2IU#0YVx&rdiW4~tc>I{w5@{`~W4&-Xr_Bv714e|^F*t{!To z9iRsSFP+I!hTH#_x;V^lNtk}uRjIC1kzaM#Vy`%U-C&?GeO;~p7s+AU?lVQJN2|)IOd0|7fLlrR< zP8FZ=-yKjagU3bw)Lr3aR#4r#v=Vi10D~2cUAe_1MI+Bt4`*d_0cZcKVx_Xc%N@5}$xoWkwSqw=4mB3C3CltLl4Rv= z_4yW1o?eLz6S=yp)6TbIzshw$C%6uH>)kuTaP!}}RiJ;yJuqpar3aqcMB!k+%~pXh zm~gu6gQ$z59>M*JnhMsB(7UB_1ZqWOi?B{8BQHGgDK7pN1`{5VCOi^X%pELl>Uy4@ zJkT*H=UZafT0bVt8FTcdgNS(^vGlDZu;32dsVdQnZg}<^QiH?vp2zSXnfTqIhqh!F z#|fEfj;l!6>0yhz4xI4lJ-0zC|&97w8#kfLoVb<0DJyyOl=M5((adHB{ z(mOZt+YPw>jWfMf+ekh!9TY>0MOLy;fpKGSQOR^zhJiL09Xb{2lHD|lsg7^P*gal{ zayu$5y!8#@dl+^FtvMEtQyPpGMxfvw^4LqM725#JykrC^Ll?1w;z>sK`I~s5bb*** z3V(LRjtZ`u3Pm163-pkP6Eu4?NLgkxcAQR>1T#DOIM3o`y{e_YwjMdMrl)PP{Rfsq zbwXch;Z%m;Dz+>pE3yslxxtVY?mYy+VmdD3ya9xU~(GKxZb*K%~r$|0p^Qtr-n zUsG26`{r6sVYU1aACLjep0MFlNP>2k+1Dv3t)IPxwrjFZWIkZ^Zf2-U&$3T~I+R#{ zXG6ckqUi8!>~tFD$kV|_a>VEY@DxJ+HcrE~vVP!H?#rbDp)N$$*kEq=6wSf=lRGbo zZ1*tT9w4436NeFQ+w-_>HT2G>PId?Nn+1H$A?j77^DmtL%E)B|GqopKvEB=PY+)(X 
z#LhX3&rQ6{H9qb3YqdBEC2i^B5ivZ5CbqSSwNPR!5ft_qlo2@pgxj(CD?V zXd5Ycl1+B!TpB7%qV`O_1%)xAL@RQ79c5}nt-tP+n~Qyf%hx<`p<1q?1#3^?cds`! z4GoQ!iWtnDe(r%{7WJ2%pQp7>l6M&oN`(fu4-xBBe7(dI+u~NLeA?PI(7jBfWEcxF z+u5h<>V}qI;J$P!7_u+$g+7FSElH;VGiu)QeAiI@`}RT%wB+E2z}zW>xx+++Adxty zv6Bmu#8VLTY~6d=-e9~I>~O_rT>TCemp1-%tol9DTz40syVJw#;Qn(s!~5Wc&MffrqOSIsV_lC24{f0c=~0+or3^=mc*t27?4`Sw2& z8IJ^PCIra-#(e)oaW;0KFF$tVy2FeVxbZ3N=Yl*~F=)1Im+$x_AN&&gj0W~3LG-)N z{>j!a^LEc#^Ag~k@u@pUa;fZ!VX_bFWKbC9t|3SA|CBy_mO_own@q$quoI!z;iQ^G zx?G$MFK5LbKaL!aMh_dy0ah(wPzxgV>7aw8{k3hWzt<(SAjne@>(?>EUy$28%2@?& zh`(LOvJo|l@VKYZ9FO#td$eW)!K;w5wxaHv5fb{(Vi0}LDJd>*8-?gWR2`dU&}lTq zmsmtM*_wh#B*R{V9&F5#{(U7LP_jp-uX@rQ(d%MhWlCa9FD~Tllzx#W6;c9gVxVep z646`XVMYDUgkC`3nf2aK^=p_qxX0+_+kVB&6TTBvp~$#XFDNHh;1p3SU^Cr(oLhV- z_J46)6!*7Q-$a@s@OIzTW?j~U+CBEvu$<74g>%E(DL1VUeG)_z0rzpOic`nXMQ9|jN z6GFy+@p4Q*>qx;JiE=-+xX_7~;Za<&;F`}H-K)X@-;mcn_~87$k3LFT%2P87a^+T&AQ{Yb=T09kLnoQA%m$8 z7kPMX&)iy5c;GxOSk*#API1^3b+Khy(SY}KU9B3FSL8BtVmYeDh!-Newi*seo|`1E zwcwAsli{3ky70!d%S1UFzH5472ZIr8mqHX26kFIQQ>?BZ|QT(B5eAB_|$%}@67 zpdNWCX{)6zvbEchtIV~FE;+t(NroksHtRi#Ln6<+& zgIzm~eP>tajA6hUxLPcu#M@a;al~OiFwZmz&U3Cbe)fGOr7T6d#Iix_WfW4$w!+(U zS4}rRZDN6SueSa_n?GU7>U_wXaWuoQ!K9fVx@c=BPsv+Us^l(m4Uyjw@FZ@>y}Szt z&xq7;P(?_(E#&QW=8WOwW#3vwK>a_k68ge|gKsFkO~IP#=M2~f73g3)jlbkn2y={Y zlx>eMLo%pTvN+>6Ro0|=ck0q7|5bWn`)ybP$zY*xA`!WB!#H~lAhp!{=g+AX@Jt4PlxRj=DUH-ZmyO#tlJ_t{wm4q*nH7P+9r%P&;-GzW>_iL zEZYDss73S-4sLuy1-7{EDFj$VvVs4F^#FQ-cVWRN4Xu@|Kx-$yh906dr2@z@h^b>g z)Q=jY3~14n@NxU;=W%*01QE6pLkMBSY+7FLcChe!6*q-p)g?c4hI%KXlDd&pOGud( z|JBRT8Priq!z5Fwq!k1nRLxX$^G4N7<+aOhgjyLrm61V&>u4?Mesk_u=c%a%m=qRx zr*i4Nl=HD_%lhe50XEuUv;>Nv`_xF5<6nqD$_KAp~8{npc_(prKqh)qx`$qcGiMLuWT%aL%ux*pS)B$HN$1JK-29WW! 
z+V6g@#i2@NK;RyYTR-k(t6F-&-3i6_pKQ@=P^r%yywd=H_|@Fk@S=-@&_{c<4juVk zdN>A4I2wiEt?FQ%ASy46`?8NzBXOwPHJj3#SryBgZ>C-_!0IHsroUumfn-!kLBHCE z96E$;?}fEjB|P9*+=!7z3mnY*IEuuYPjs|5%(kY^&$lFB{S$lw!}~Hik2SJkY_xTq zZHl}&FauJ5y*K;Hp+qLUawuuvYPRT5(Ps@8?Mm3Y)FjzRtFm|l)HZo>9c0UwP%BSt z^fT@-fM5nmM3E3y+N*?q%zSURxq+O7;kn{9kE16+WBlYShAVAT-#;=U4E@MC<3b;Nem$6Zz^wfEh(ocrqVH3? z*;GTZ0+SQZ*X`)`G4}1uL)Ct?WP^L@PxPy<%sQ8e>P?!>xkb83Yfmlh4RAd5yK2Bi zPtRlzarr=Zlc(cxQrwEl3g!=UPLA&XD6l+w-F{*`Eo-oefm<{ugnRCC@yR0?`3>J8 z0{do2wIN3OonO^c32|Xg+0@JMNv~QgFtve&ei=!}qh!)LK=R=xNIb8XNKFa;mkWt^ zN#u_oq2;D|kewmFO%;rW#>3O&VdrMmeG;UNAtjeN)U0|$ zrJhvV;HWQbq8-HrbM#>fCL~dcxY*@LPcdO?OGLmVsB>zW`Eh{&q5pxT$g1ptJ*TE$ zFf=G-dS<-sQ)otVDoxK%+-(&4$7_wn2X737Wp;p+LT(}SlK%l^j$rCy?MszZU%O1K z3x+`qN?OpND8pW4dNz4K^8D#<(_@uvU9O+4>&wJBpjDX=oWX8R*F)DA4_;4pOdlVb zg7R>^x?035VGop_SEBn%s^zt5-J~VZ>t$D*y~5U`n3Wmb=ZnrDUM_m_8R-7nrFD|h z@8_w@r$LN8&40Kq)y?0yVUvQ4J(Vs4nq=(Bs99H?I)kS|gg4T9ktrWP`85{$z(^H- zbF##F;rBSXMpv$3H~02#^Y~@cV)(_gKlw2EiI8WOO6}2B1>=6Q=@*CX0ZarRPBb1-1kp;oy`>) z9FkHM*fLY6T#PK8(*qW=o;J6&*YiU;H#awJ*MLa;D<17_+5Mx-JEbdKzdv2b#s0A5 zitF843=Ox~+SFPFS~Fkq0`Ius38S0NjLTvff`ud!3_%s-xQbShJZ#mc4#8~XXu+Eg zQ4I8r8l2oxaL4Vz1VbDm1Eeuza9Qv?GR@LPb;os)lw<(>2;F7eKyj+$5@EKVY+R)! 
z?UJyDJ4-~%Q%SI&s3G%}FGi+;GO>}-v5l8gCQQHMnr-X!^9|^wWPXLEof9TvxcH(Y zN88c)3sZJS9g>{7@?wc5x$%cj%D^p|et$aB32*SQVod*7eLv}hHsNHD?I1mKX_RA} z^NZJ*%iRdcj1^**P?4azF#5N8e3HQZHBR0E=622$Q^ve$U*g`7j;Y(1Rsj#yo|D)XEjzNVsfp1*rmw&&AS zWYcp;Caq1!*c#GRO(|&9M8Hn=XPD={qY!|p^5*dv4pe6!)sFp*dG)Kto^x3{$eJ2| zV#FTs>4#h|%aG{fMHXeq0*#AdiLLN;&GY}m);q_?)%E?tSDQ9y(x9G`4jnz3%%t&wD=azcbl;_Ri8*>$ir*xxR{}a}t_}F!jY4j;{+E z!k#QTTFc}&FGm)goq$evJeCS(x&!JM6-A#IKChLlP zZXS}N^fXSZ*4ykb%_@`Z+S((!>n!r0m)EWRC&lw&sP5<_Ho805#q!-H$&^~jvI$2A zO9CPNMm&K*{6qc@2IZGMql*g@xn;Gf8#;1hP^@EQ4Ayp|jy$^3_IGMac#FrRuT~4_ zS|H&Wf@mVTYlfAmQ{0XF#D))yBdB|;4vcJmcNt<#R2}1mzZ=k;=lgO5k_%AUs83xg zVXRu5{d(^y+P(IWo7f`xq=hxKXQHlWKgac;Qa@3J`$^ea#9@`U)sxor2ZG&+-i}=Vwz4hW=h>h_Gg3FFj;|q7F|#lI-$> zgE1k-@EuC}W5$VRiAe9>?>~b|^AZLJhJL&&=ScD-hc@Y?4~2+edu9q8$LnvjhOC0l z9;{47nTNlR@cXP`mjvwxiZI%)r|m>x#}JSZ2;K!y;!(WXPuxLI++YOzy7Jl^1-tLDmO!l z;Yj0hQ6$d;X)4c_$`eOpTq1u~7PPr8wqE`z2CO$ckIYp49zOtkXU$SG-hiK$CCI)| z1J~%@W;)Ls>(mAXl30oThj5Xq(16xfvrsHv&Br8ixO8ui(s-dPXwDM^9!1-%ql zUzlHfVzmfzTo`Sv1Z0qOn(#NMCns?V+l0`?O5{69zTJT&cIq0vz{*hTPTpG<@;LwN zW0<=cU7(RN;*JMol7`$9@-5^FNbHOZh+6bz_*&;}xFs?iUP_louqm&+IxCCM^GGkC zG=WnIUZ7NqYkJg#Rw)5JalvzqArBYJQm>bvTl((BnK$ zEnU8x=JL=N!YLdvi}AJYLip=(?=%(oDgrd+xtZ4iGD&agof_x-qz(sA&{I@@tzoHN zv=8nS+oH@%lB`ZK;nO&|-IOC&%gQS%d3F1ykUh5Svr-W`q>+5<-bGUA7)i2H$Z;e{ zki`*-wg%Ccu~$6bpd zjC^u?W=ory6Wo>gnBBvsEI#}a<`Jc?zNE1Dv(^txI2@{0SfxTW`+_-hD!urO8!MVV zOS356$8DK7DgV~8w|%`Gt^IN4=INx;WM77&$$|PM%fXMVq~9<1j2vzaUkX{4LAWpa zXQqc0l&|{lQG_UV8Dz=3e#j$KAJ?N(ASb!`;az%k%Mjd+OB2=A!lw(jB5qWSI!Gl~ zq?eBF1eCW(rDO5k3P_ju@Y0OAH z;V#6M9fiB-uYV-)&c+3n=CyZPnbr*bWbO0U96?k%YA#gUZ3yV2taBgI@mi5BZ<%8k zB@>3-A91K{>_g?{iy4fhY?->O1=&SOEY zZb{&1^dZP+Bw{!uZqN)5;nk5mb=%=?&f?8RSJ ZgF!(X3!)91;rK2h?xJ3ae6^DHWKe2i9^IS`cVqMi>52&xN* z6;SEp(Z&rdd!7uv*hhG0&EUP|#_*86Tf^0hnmHcgE5f{>YRgZ`pxjU}m+{Oywj>i$ zgqS&*9kOj*y2`oK(qRr|5FRg~ixV-#7$Vx{Q&@XI1EU^@@<$-P*;|zL^CwBda&jXB zPAm2*a?2pX!uwF;1l3EcISh<3CWBAFi4vL$Aio!bfTims+8l>!hP^jBoqc{dS%k7c_Pbq7b^;;e 
z|Ds0%{H#I@oc;|%PdV%LEr84BkNJnSwbNb^+Y0utA(y;O76fMrj_}L9?tDJKPy!}ydU6ukn1d%i?uuzM)D9L? zQV~Zgrv_`_T8o%1jvr^$Fdv@5u1G8n;SFmA@uT1?V1sClE3y%vM^*7yPmL^c{Om=4 zka`r{sM_mCkqoy7bcid5psbl8o7mKrAh2P^u?lCvulC*#BhmrNeRK_frl&KH$JInpyeW;IaaYh832vZW@w^VRAo>G9}NA;tG5Re65KXSgwhU&|?!eF=FiP;yiO&5t9q zsJ6$iz3m*B}>o#h5Jt@k0(a=qt4~{0(HImWF=Sh`0B}AS=Sa}k_k(rHQNfyS11`^ zpRc|6ZNrVsz`>4jBWQz-OE@$`ZcrL7wQI0(J!G|*x_RQxdMiE@AEz z%8J7N1G$inKo;#WJGAeTf3zGiT~7o5@T#muE#`0p>Wn;gEq1{;UWktxcZ2ZwMo|S{ zwuuUrMdE@Pya``+4ZCMBRWgs%Z+59gHqGkE7%pvz5#mzu<9eVL**0}j#vW-D zJGKpE|JY_=Sp-NYYIZA0C#XmJm~klFvGc^+J5n_lgt=X>kLrJ_*A)8h)taS&US0E~ z61l!2z$N@3W076^*R29uUY=@xm?N=fq}+Z@R7d6BMpx+`n)ju>GkjrtSHUa0_A&z9 z(5W4yUR6svNj~iZ$s)6$=aPwGpgvi0hoi`RYuKDVYh`Zr^g`!>AUaH7zyp4@cwD*!;Vpf&H}JhwD9bo(Zwf?8t|idAs6j}v zSi7c3#Xvu0B-1HsD-VYo@##nE=cv62k}PS)Ope2FZY)(*F`CG8O z^WWf8wv)x9L*!?hEM9jKTrmhlu$wYz=|Xa4YUX(yHDS7OsqD3iO;z%MpTkn;M=hc|H{!@BzHPca<%*wME4T^6h8`t_Fw$Fk(Y)WU@>hncW{ z#?s|Am0^ZUx7NSwTH0kc0|eE8wQX7SPYbNWWBOy_XPUS^($N%!CM{!45`>~fv-!=z zgp0OWw@aQ5df$ZpdTnQ^{MFTW&wX_S751viC$PYAO7VI4xczSQdF>`KmTtJ^PaJJ- z9wJx42s#Ka{J@&w&~<2E<_h(s?0O*5S!`1GBX5-ix!`2s5w+Wg(}MQH>lu*6?3~Iz z9Ix)gqx6b?CUSIQAU><{$Gqkur5)BUVW_=)b7+$Vz=731Myrgfwe}9tT19!CRcY~i z(Dgu|R~o05|NDfxqz73VhJ zXYV7E#UmromX3Cl*To|D8$3PKHZ@#yOKpK*>Zj(Z0`jT((Day$X?Y-qkvm{l=VMhz zBEmH{%yLZ&qmJ^3m^-kZKpyzd?f}NY=(M8DJ}(aLeA6~^0l1L!^Y1DXQ8Z@P($2^@ zGGAh;vila3UX;%k&lcaYmQU8@UU9`)d#Vp`Y;`6hHavOor;8oZKnUsuo0QOheo!9h zDCRdMfNqQz=k*`sBb2h4q?c`RoA8zQdx@He)f0f8@zyJvp@H+!>#fs*I6%?$$BOFRP15geJwcz2PQNT>*o`UcyNpQH-#hiYtw*)6@Z(S+*{6F{14L)Q&}liXVO-D*u-TdBD7*r8s!;Mk|OLjj0Np-(N^}e5v#Ji75djv5}C=m zdGh3csS`QSXh7iQ9BF|HvN#1NRKC=XMTI2T&wWyoH+Ha_l|dLrP%3*+oFy1`P3c`{ zPwDl?#*@}03lIud`QXsL3V1#jMC&4L?ys89GDgn7i@UL#Vf$Ljt+Gl zBdl`0Xg(DB#eWIy1kuTxQ^N&e5gd9;U$ou;gcT!Qh++eZ$z0}!rXA``vyDCeo{43U zZPRklJgV#g?HaOM>kRA2pTEWyxicF-7msFl3Zm}iMF6x6C78_Yh?sh7PC#i)v70tL z-hd20G^p?AZG)WIV?v;g1h7^Zej?V6qQ^gB6YrH6mh(WxsToxC!}eg}sM3P(qsVzJo>E4li5YKPAx+2Q3(gir97nb0T9lLn@zMn7+%u$W(8 
z)hNl4O};qjOYNE#J;zV1LFSjdCc|vbqIKNHwEO@n8IMWRA&$N}!>#>&eYEHr39z;l zyE!&#)x|LS{uGIMKU>#X;U0#h7*u!_C+he4fRu5icCKxYZ`RHOy)4HOPLTr1TH*_o z4Q&OXM_>5}Vwbq6hf`~4qxJzYh79b!8Dt{(g(uBa*-QbE;-g0qEL?N3?)hp44YJ<& zBLMi=1P_Hx7u z!;>Y*1Ztf=3k(?=*x|v^0+?E`&){@LwInayl31Oq1GOo?q}pC|yUO8dPv2Ct8q=uqvYOYjSkK{#kDCTGCO77b;Gv1%^pJ_#Fx@wj|BZkyP*t9DNP(7 zrn6tgbUoFiThSBrj%IoHYnxeqmSL_kSZ5JkIwqRq-Gp8kWA0Ut`e(*G0!OmLa+A6dFS z`_g9Ue|C;Y76R=+C2FTbSGh;$iv6 zfRm~m*W#@56xgZK3`zPUV1e~#ZOKk6J?`V{q!@A?5B~EOr)O&!>sx-F=g;c%=p0Z; z{=se(UpO;fQ?jVH_3&*rJPt@?2q4W@NoxCM*~wuL42%esS9Wp-D7{oA~ZMkGI^GUVYbuWbZ+o%AjV4E6nU(K zkM({UuaZhv$-8t*_tEo(lhHMYpr>wH9nP9ab3%^XI$Ug@Ea8CF%#K9THEV&A(uan& zJzTNp{*hbErbqSXg<2jG1A;=6d?3xXr40s*`gphgV*jyC2}F}gs636RsXsS@V|&Bg z!O4}jc0>YaG)LH1EOdAt2~)8GlAOQJb()$>EuQO zD{5@qyp)qdVWtOUw3ej2uBUkZB_ijd+;g@AMJI0Y11pfDc84w_B2;03RXf_+C8sA} zIHu@Vj-Qx>(|8!=@}ym*-n{Uew?Q4pIET46_D$-~Js|F}<^6gW<`UtpK%k4TRrMB>;i~n8E9rOVBE^n+rOZPmd zIik=9yEO5y(ntIB{QTAmafI5fGXyr|kFW-d11mO5Fi;nm0#&`jgmO2IOLsr-9u`B> zv7_OHpeW5~-Hv?EbgO4{hm|24N-btI3NcXIR$gR{b*9S_1!RmqJ{Q2h`p1{zlzGR%#uRI9Fn(>oF$h=s|2*a`WXEZzwx$11fUu9znjhxetOH1&Y zJho7x$Ca=P5>RHCfsVzc(OK!Zfll<~zSdA?&i{`{b}9w zmj(6ln)4Q5gXx_1rc0R#l#sG!07dSI_e_5s=%eaS`O!V5 z^IJ2EJeG%|1VDp?(qXh5iDhGhCputMs8ltj=OUks*;|lE-EIA*l3{ zI!ZR8!<3F_|L${I|L|*zBjJ?=BL~N)eJw~;bmWRjuqzW}5TsBT`^+&TVsLbFfp3Snzo*V93qh?KV@t%4LKKOBt^J3fIjG=i`{8g0yip4{|3au()rAp^>!HygE zls9cS6(qCD@>hLo$xa=G`jGhhHTjhn5%9C|sLIy>as&QUQMFwrrTAPX>Q6$Rw0Gv3 z35x?AE7OYYxspSiedn1qcZU(W@~99Ojv zv$^|Q7d)18$IqNJoM#S!vfMwQ@pToKxRM$}zaj;GBSpf-uGpxKZe$qq{~c)o;lOzX zT_ZJ(LphfeC+m#7$I3Nogg=#2NA`=@XC~DylH7A0v*nc*g}&_KOx_nMFwmGnNF|a9 zzZvi`u;keUpmI&uI&&~DJ!&4Z7e--xKm`i4I{)7~5x`u}$ou-EGe)f&mzqS-czDRz ze*URONH%hm>ODw<{&s=#faCRu#d;i|(Af9+Iaj)V0mM6jaZ%RbY>Kgq&y=foH7Z$F zxHk7|LR!R^B5?}nh($QyxFa{X*pndvr0JYU#^32EJ|Oz6$+A`z(%3=fa^s$O8i5`7@gL{;^h^iz-YX!aoUcOL&cg~z=X zJAF>D?E!^R+uhvI(qZ_|M{;;(qWD2@TkBA4Wl=^}*;iRx!K!J4Gej~c%}<)(!#{ZU zA_-+>A#7r#W&I@P2mh$TnC0BzufK%9Pr|(t$+R#wEf!Ti5C5r=zZy|lPDHN7$!s*rJoBh#M)xI; 
z0lIqN?KE_N*3~RJkVz9?mb674>9M0tOZ;6W?WaW=0#|E|m#^%%JL-*2k*^&vzqI~U zVvuJ?7XXHcsw@`|@CVkulBs18brMk8G68S%<;Q@ zp@GiUBT}lO9MzG|mR-WM44AW$`~bTz&2YG@`pW?!NWn#iZs#Q)LyG{or(_T1U7872 z&Prb{I;E1vFo_z;E0~kX@xj=K=v8~;b8;`tvV%T_739f*9>g}dRhMFiG|nkO$^e>3 zE9%k_Qn^!#;hBM-3EmKs>+jP224F+C1!#b2jG2a&{NL)+VkMQU${{Xu9tYi4DQ!!D za4V!fpcGve8Bo?Zn5Ox-QvVKq&YWvbejkcU*A_QfVDF(Q5p4#uS}H^rU=N-FV~2;) zbpjq!I5kV>PYWoobmFn>PW!Y|dqM|{oNF)iyC{c`;#oBa>}T?k^?gQr&zmr69MpI1 z`^kah;2#;Draw+nDCosY@bNi_pxaup>dV?4LuN@BS^yjeG0LqZj#__cmp0=VXc--h zez%b;Ef+*#)2m~IH!i!yXN_CEwvOMh4_pD7=$o+9D=bPD84tLUm64<*T|~e-sh?+w zi=0Gvf0K0TAC?kRnh;M%j_>u;Q++>b<)5jsvgwf3J64n#4&a|0#M zlJ`jm;r)mm{XPqNySi?ny9PdCPG=d9Xhd5#glBE}dmY(QX_1Q%LsY0xe^dG);RLMq z)8B>5%Prl-+S`FX3vI1M^+dC5J zj0MB}BBxT&{Z?HW6a9@KIe5*G(z&Ee+s>TvO7^+J_uP3RG%Eo1~%Amv|!*jQEj>#`L$n$eyX}RBBSsymwjs;p!AqnZzA-^C9n6 zdgo>RpW7mCj(i`osl^1vo;WY9L*|r%yV~PMmhMtS_897eJ?ic1BKqh)EyyM##`d{5 zv*Pgv|1ck>WLifJqI|1?OjlN)!int>mrDzc%&w=aH7(2C~g@Z(tHC@=uc5IK14tl`b9DkI~Tvy?gw3H zT9;2hLWznNq8hH5&rfo_0UR+dH}6x2eqbdc%kdJ3HMm|#`%#Ad->}HY&rMoJd?jPn z@|^1Far0^S+z7ypq0(0~Jct6ZG8wEjQ(bllnKu7A2h&bIA|QT1p*ybPD);i{rJF(B z^u6@^tT2Id&oMk*4ta?wRx`5Sa|2aN?TV)5UrYq#)fPQ=J!w9iw1`)MWXeyb)LklpH7D$&7JLE;Y0TWx7PZ}X7XhgMkkuVlp0GoH!w7g)bip>mjJ zOSKoqRWfbh@Kga0!xiY;D_bQFO5N|MK4l4o&&O#>DZl1_FX0ve?vfbF&z=kAbjN7fc!J+%#q{>)ad_&or4*2E)(N@taE!d>>q6mnE<| zy;o;_`;msHzYw()p>cUrWYbGVw{tXfNop~xAfTK+cjX}rcW8r5Zq--=zp&v73y#=l zRH`E9QIkQM)J6FO7Jp$ML`6o=gy8E+2v9rPwRXof`Yz-t&$c)BachSy82u3`p4XND zrtAT`e1wd9N~VIMvNW+WIC&l&Hz3;epAD-UM^5U9!7U_gtS3Ki_!iogFMzu+5kpfC z13M)BjYhoEfhqV!&tm?jD1Ao8-Ew5GT-HFlzgB`$-;{lFM6beAgw5T!=IBkigDxk| zBmJ!sX~={{@5KT1&_*a)lu0u(2`~m(%psJetf1nSx{uNoP6)AAn3vS1P~i(R4gN*N z4TqhHIvxuzg4>6HcstJQ0X{Ww9@BM8basU~$yftI7_&AH?a(4}P*od8UD8QWPN$hp z9Ek5TS}F&Mg+tFDKL0l|{>bj*?VkL`-*GCGZ#8|{26BzKmh@v$7~cl;p|(&wJ!t)6 z$CoJyV*2}Lx3{-Xgn^6lt!nKoz;~p@YlEGd*^JxsVy%HrKG)v@AMg?S8;mi0H&$l5 zsw0npxu<+z>7}=nHdGzz5NjQh-c2_y5mvH55(NKoE~XL4Axp3}O4ZQRbwj{mo6vF5 
zfgP2Bcqvv4)NvQK7TOWNSv)Bd_Vrx=of&vR&jLRI$?tDSV-P62=d^zV(tC9(i;%Q{kPX5kplIs1n?klc#pGrUGka? zx%BNTh*IzcRE7J-)VH-!tA>Kn-hv))84z#q)5**T4qDSnRfl46zZ{*1fdhrLgDTa@zbc z{`;A)(eeW*>6!zCD{V`wn!{1e9SN?!J99N%yJ8pbZb6X?Y=M;&3rzF^cQ2==6?mEn9MTNZEKNY5Ivby8t48ORf48`TOF^E*Maq zc;11GYn_~xGt7IdFK{w%1YDdCdsw{^iI}tIU&b7wrZTz$Wibyj-71!`?pLgJ2UteFqXpr3Z6g%nZg-=$;b;Cg$+IDpt5(6QM zyHC-SNf9|EPKWj`|}Tn;wfvHAbl4Kbk_Q^`$~%B?&TVsVaO2s?M;(PE@k9o)U=&j6=@eOy{}cO=wkD@DOpmJ*ELla2Pl zx%$5`go!1dmInHS9d#{x&i-_o@gh2k!Rc^p_&83VywG>xz?n&ggYXFlyGM#R# z`Crv8a`-umc(Nkh7;~b~>-$`Uj$=RbAD7(iEl@l%ksP~CH+I-F@1Q=;+`>vKdA77D zhKx^naf=WiJ%`5@7a?t`g28F zo!rLtM6R4%+jlAKN=vPH4@?Nn3pOw8Z^HPUNxIIf37QW7d(5nf(i5cj7FasCdn zic6guEc8?8Qf7Y=tUN;O0xR4`wezZ>c21Oq&3BQ0M&l$% zZbY3<^O`U`@V`#`$|A*(O$JRC4j3UeX}I5G z&*?IDLgg~T$4bq9-h`EnAQ(OsAy*qSQjY5uG%nrL{MLzrL_LDldrhaNU8{e~|FTl$ z2jzJu{N;Uswu)%awxT>Y(fBy~uq_^=zz^7=<2GnJ%KK&9Kk-C=k)1fQl0yp+i=*tN zW4TuoBAFnjs=nsijo=}03#jRM9i)&H-z3(ph);~Ni4StSe+$q@n&clDe08(O79I;E z8&gp5+bgQC%cXpG+$Abc7{c z_swbbr~-)@;J(W6px%BXM8_kHKp}AYPk*59?EUEcW-wC_TuElss?684W?s=mT_}J z^_@a0nJ_ljOGGoV2k$L<&loJyNEf>?g%r@ByAlWRcb@!7(6nZ>aTeRC=jme5Z}}zo zCn`K))fXT=LRzUuQ~2W))uf@xo=dG>+yVQve!9^^ZuIv?=LR>hvBn}x_oxCdXCFZ3 z;f=Ms$ZriPmssyWPb~;*#B5@_BO(IPWto}%f4qTGf;XBs)I|!U4Rj(`;#F*YkdkCR z2p#dQZ~0;FdAcE z%qXS#_>UX)YH^A5HxCl}G#&@}=QvMC1ft8Nl6r5JKA%qs`i#k#u%c=0z6wFIBO~`| zEQFS{^v$?-6q-k(^psk)*T@5_k}{~S`pKk#C=?BC0oS>5OailxESl}UlKjWEm33-m zW;ZP2_tpPpc4;2Ab+bS#|Gmn6Pxh>Aqyc0nKNyoGJLO%+e~oIiwb`d-=1mE2CO3h^ zZ{ISP_wh}t%K}?-`92&zOLPcaowqW0QU=ln3fip1K3l1~?5L?Rh-5?ZS3>1t&93#62{iT|6%yiNR9(nZ`q zpwXhwxBA@W)WLz}-0Zhv^T}Xg0zVXoF45Co9l!-P{;`#OeMj3#x9l8LM&3ltNV{#V zg(JY>MWPwNEwgg2k7fjm8=bO%y%(Wx5sOzQ{PoIB#Aa{%-kRB^j|q4xHri(@#_eO! 
z(dBpA4a{iK>OQ_;{xne-d*cWN<)S`(iyoLQd2h3|uy9W`?Q|y!+Lb6w1u3rnS>7D7 zI(9Hcm|3+wEHKoILFU!#R-=qXHUU(z#Cp}Cwk?XAlyaKElKH4Z@6{pI&g8E*G=}uY zy`_%^A(d)QD~X&d3A_i1O9QwT(rV$RJ&{|U^WEg3+cpdHT*EgEFN@T4BQL1<{^>J& zM~!(h$v)F94}aARVstG>s_Pmg7potd(}Vfr>*V*9SicT63Ub(C_=TQyv(wW*sjj+1 z#yF5($}(t-13_X8?vM!(Vvu}D{Lw0d(U+BLWA4YikT#@EASadTxR|lC|8cWhx#W*y zCCIXBl$_ojj<^%r$-~yP?<9YHVZDe23$e+L&l!aR2~|;hYQD)BV+3yjUiAUD5|%pk zd+;y+Z)YD6_XG+D4(Pykp5!eSLv(QGeL2%xe6&fKA1AQt;bVEQh3i{9c&9gtjBD$h z;E6YAB_dKolYeD?3tSp3Iq5D$R7}Q}&2O1Yy)(>-?N*`p&*gd9kThNa8I@Dd#JbRo z9~0RmVG?|YUvS!{x$aRaAz!(o#5PY`8dwZ|5QMAPeqdNDxA6AW?*q9<=!*hL;%E$YiyP83wh z2}Ty>kof^;tRk1PNCk{I4#_HdXktnhH8NUGtSveeKwHd_8%5C8dXKEid-L zbdH<4_9y<|fBzT5`jQw8vDQQ4$Nyc2{=(pAxCqH)3jH?_oy_~+WOTuyJl0pssYD1I z$NigEM*6SSwg0dfQE@mGXZiP*|AK|TFuN*32MmGSZ%bUIK=;G-AwC$3r(R&wqK=|| z0{z(SVmtKdBXO)3;(xNyHjH|t*;(8Q{_Yz}4D6a+O7B!x)s84lfy5x+rsac!f7o^d z={n{ERQXFFs1L&d2+<+_PW(QMMxJ~xWsq6#F8Fd!L?VsC6jJayY9c+EQEym}D6VTk z@P$5cU@lhcX1GNl;o(1-=ohAa91w-?2nE9o&+WYueU+Pnj+pW*SSr*ekD3Re&l{;L z(#!vttK{W%x6l0Fq%~&~a^2a15R-}Q^WcX|$YUJjD4zV!Tds|0s7UkFPsC*MxJHS0 znoeXriz*f3FWyFpj?@c_4U-9wH9|9+(cIxx-qTE?HWUS1i$RTi(v@!+s}Iy`UXUM^yv5^qFoz4>8KNnn}BOe`$< zKYQQUEACrSt^d5xe|qxM1ThqdqGEtrwII>rWN`YFMl)h_&~@Nc;I@ZWH;f5q#&efUkzOJk8i zH39iccGS%hVY4er60Y=84mI)n#ZRcP(!4@Z?tBImNM3v7F`5h4aFW%Rn^PoL+=ROU zW8EVl?sJ$=#iun~g<=?F0d)nv9Cgyu$&h$D5@s)Y|$nFr{z7$SeLKgTg32RsCNK`)=uCQO{&#BeAgJgtgv@24QWtW zpB&}EmrtAjMt!^K0C@is^##DrZ5B+C;Um;hN>_qM>MqQFE<3T#A06A#GAab?1?{i0db}wj=$15 z^%lO1N}NteBVff#iFV=l51jK1WX3cEbH%oz#cz&8UFZ(*1!rd&eNX4Cx+Uc#$yo4# zKJV~=sPlJ|N!<{x{VC$PPw|m9_peeR9`$*LrUkkQlks!mHYocJxgjr1DE#twVXt{`V5hpa1huyOSoO!YmEl1_0?nouq$0ig zi$+I|NB(B8Z%t8WM%MTD=X~6?OIp~qks+Q@hILCi;Cdtc`^1qQ$Q+a`fM5wI2%Swa z_TG0Am0jOf5gk%jt^9>EWlHTv$1S?TL+>{`G8QR@Abq)C{aGpXAo@#lI1k^V-BSNj zkaohHD^H#TB#qlj8(_@Ft*5=#)###Yl!zSm(J-enbg*j4OTjd~1k^I@aLy;RBxMe^ z7E90N{2SsW1to{hw#Dk)jH4*lbd8eAc>*6Ya@oWp%0BHo1^vJ(=BE147Y(HfHIsjz zd#NR?Tjxlha9yJrlELv5$$&-q5>YWjWzXZb2t$Gow* 
zkhs!Ga%+2}-X7v18(AYxh}W~@7FN^-gkkza62KZpthJ@p)96gNIS1H&Su?fD5@6jJLU#b0!Q6XtG@Vg4cdBo z{iZfBZk|h8Xp@$_QA)ATeF;uCq$)V1&5>RC&0k#a3sJrjD%X6UFiRrk@f;V9NxSTJ z=N=u?Pmc2p=4nJMW12b=d3}I=R^e`-(@n{aE@alg_{fjEM^uG{9bpXV&HZ-x4fq_r zhwq0ii|R^dqTv~}t4r0mm(*(ac3%fd8aV*nI4$m{U8~7?PV6SnfXbjMhf>z4QUhYm zo@?HdX6j0Hk`sHNPF+grUOJ}+O~Ik3Sb8dx`{HI-S}iBnNUq2QPh$9w;SM)iN6vFM z>*2ISm`A=qqRjkXN&}E;75nD&d0X8~66)X_Why#|pZmdb6+79fMK?IhlfuXKMyat6 zo_w3^8YK5FeAptFoI`9-hNKTzc^2D|NgMtdi(@r^ua6u9Zhu~9SLR0F*0FO{OG|cF zhVT2p8q&jT7H&BUj)vy^ubw;#;-G<&rbyt$r}H4V3ud8Kyxh&kz$GI`XnF{_n#*;R zuj!;GmkhTtd6F?LCa4-Sx$-gO&jg0dTKc=3j-L-kTkaQ>f&ChY<5M35qrlP02@vk} z6-P};LGP!Oe{8^JB^>COc#$exZ0YeK3j8X{z_jVSd3U>H(N&A(Z%@kM$xW>V`dRHD zBZ428(^Lk=PIV0ZkzOqP+6xINPpf;P#WVki&?4-`&G0kz?3*=#E^H}cJ}Iwk@a(i; z6VTZerUvT0I~JCH6r3t_{ELUW9;rU()=wOSDRty^p7`qMWs6EyVP(u~6_;Myi#6gY z)`*nCRLsLTNMut96om5PG_YKFpi0J{#9mbg2ssB(I=>!!0fBf?Vrx2}&{zomVLCn`P?|vCh977&jXp57=quM>Uz~!0f-AjFT(ls~PYLuk8EW1) zf|y@;-^%i;sI^W*8Geo$jj)Wv-Ji*|9BP5{r}R3Z7;mqa|IFp8G~ivUr(`ay#}GT` z`>g<4yBqc$Ha%fzmHXCLMXZ;-z$!h8ICX&Ek0%9FiGzS+-vBO^UnvSQdxwDF1nc&F z87^Df=g^M;ZkL26#rC<+-YV=9cwz=yvXac54`0XGG>ci}#hD5&%}0r~974XFO1JRb z#X2=?i-gvag|3}eKDvfy(-H?TwJ=tfc`vUX1j@lC3hl`bXUdyBC_lc@!T7;F2DqB@ zCoj&R9E1a&sya2)(IYdt`fZoST3}_6ry}p+OjtDc)YAOnZcVU-i;uL&}j}0mfVmk8olAhjnBq_-Cwj1?i4pI z4EK@rUDJm=s$*_8%yExO!NU(_0GHxkm{SM6QQaQvvT_*&F!MiS_S7H|aeaOR%GaLJ zk%?UGipN(@It4?P15=s949AD60+(tMzYq6*ZFNHqT&ImDDw{g)DG4c%oLM?Ta3=Es zwAygym;E9K9s*D( z#&LL-B5+*4whU&Os=FGcBzpcEf2~&5&P$j+iup7QB%ET()n?id z$A0}%u>e8HrfYy!vM?k*9CCV1e!O8UT77GSmG5ivVN@8ru0S03;(Ycyn;XPNskS0-#i-+E@|IfB=t%ZnCG}onlR3+SeEZB%O zNWlneL`$oM_Bo{^SnvNY%jIQI^L8G9Q+eXN==?PZJ4K?26sS@X!D`9_c7p5?439Fb zG?E3gwj&KmBpZL~pL(?PJ&*sJOMAMrm1_t^5`AbC>{5O&(aJunVK$_d#J8)hJ>YWe7Lj3ed|wTAm{oZ$@cbtaWjv*=0d?uPb>EBiU@kHXbAt6q@5v= z0jZdi%w?}Fxm1@B(;yn|HK_x@VG)m~2jjVRWFYUf`=62J*F{czo97qtks`c|a{DT*EntP#3%gF)^z6$p;+4&i-?5jsW!A~AkC zhyTgQp1ikmD-jt&Su`2@5Z&Lcf&t^cc|s_sGzTR962*y7WkZIVb?4J#HWpOPP+wc463j$axuKN4EkCGaQGJ4-TY% 
zJ7YT%$Pm%kwkP0bmWcYTYafMgUw3u^YrIiNs#9@_Ulrc5M~tbAf%3l-!67^UZhH4x z(?=r>{u}^6X!@FTf-!dnCU0^wzqz*9Q7-9p)$>%+b+8!}_y-{f}CSlVYr?GfL zXU@JVw!B9hp2PG4Z?v#%B%n2|S@pbNip@FSN?Eo>xHXIa<@6S%ac%s3(Wa=4Ei9o` zuMg(>tL*2KN-KI-iDd6PriSA_l_o2zeyQSPs&%mjT-m@<+EQTuPjlF_P( zHwvD=3aby5Qs?T0C>;tsQ%H{c)^z>wJ6WY0B`n`x6zP~9KPzj{BLg1V$`$2>BlF9wdR6aIZxs5h5JXMk@PY8)mXH)aH zxFvP%Uq#963rjD9)5UHdag4s1iNa{GFTwZGfBUHQp`udUCW`K!*NCuqF*y7$Ca;Qq z&4#afs9v(9qVi=_@yzD$F1@)ZX3q)}!gU#e`gHQ#g_>)GvOHUhfVgYF3AMjCXcX*J zkq&4Tqm+ao?>&o(=46)Hr}e`~Yy7S`DN8yC+75EEm|{|7ufKiCESis$m7XcwiuSgV z5(Qad&rj z+5*MhU3)_B=XrnMd%ko2PWE21XN_Ff%$iU?Y(&U3w_G-!m>=cd`B+`&GrGX=p9}^Y z)AgHr6+>_7=0>j5qVO9}+F1XND82HP7A5*|l(<|Yb)pzbKy0}VJVkQu--mN}1oB5( zjDjBZ-z8&Zf|~f()m7M^ThF439Uo)l8!v1QE4oclBxY zJz~9?#_uK%{qoOxI)#4j@0V&1)V+XOOlUbs7FdrYxtSNX=~wLgh~k?<_sDaXbeH&$ zX^B>>d_o*V8BpC4t^Q-b&$@yL2+q5QZT0d((%;UIU}ZpX!>pRSyV3V-N4m3}mX&L3 zA{c0o=hUj$ycj5Fo#bfK0ryiRhP8?;a3o>UY~|~dLr`9t6E889k+=8E>NnO9HaIG; zp!V}vju;!Y6w%oN??}qMl&_PbL$JM;uyK|Fb;M*^fqxehuLkJ>MF}`l9SMmLdKOToq?`{gh+%cflY>IV9@i-?u9$2)r>`Z`@~VWjMnO$lA$W>Nj8JvGA0E= zyt_9lb%P=ABmG4{Mn3ECh$um(bI&-n=l(|1SEiM|NT2uYvpeW0NM5C$z2A`v$mj)g zfldOz%5Z`Fud4Qtirm&5E95k+bt4xy^%tu@k;5ZU8<&t|P|C(#&N1MYWPiXr;i6Q| z_T^_L*hAuWU5j^ld*yIKs=2`ZDa^pX_R>i^2TP)N->Xqi-+#3_4oF5GbcY&j`+e^D z+BFYbu#}6M+75L)h^^;ZtzoJ!(tO|BA-jf#hy!**D7E|e)|D9Nx~aGL)#TwkB(|K* zF*}j%&=Eoph-I~^p>CUO(FJ!D??jnruUG8Yl*I0;CCJdfeh`#T43dVwzOubq=&Dsk zlCXuZu6S!YIfp(%m++ps8|S*Gk%{1Ii8+IXd3|R_OENZQA1Ow6BCW}m-#Z382=wiH z4#Be({lnfqSK95$9aEQW%8wJW0ca5E=IK2hS8eye<}`+)#S6O@rOrlbVz_QW(o%}R zgS#)<73-NuaQC-u?CH`{@sc5nhChDWuMDjH0~dB~eVS+vA}GcKEW47AQM@XYA#81- za9HACo*3=f`_%@;GJR9q`VR~B@~utVa9f9)HP-s(((2^o$-S*%h<{^?4{Jcy*5If> z#ILq9fLc*iYZg-EUPh{IQF$=ksM_dPDx=q`HBrXFkUf|zS%6HuwjrMkXx`x)zG~2t zHQlYvqf*cAea!omg!x^pF{@uv4l7OV`lqR*p@N@o6Pkq5l4P%Nd;#)1?UX1w6dBMN z(r?4~N3l^gA^=QZz>YkcrK{HB#wx;$%s+_?tne!)*Hx<9EM}f0G-jE|C!8xjxJcnQ zA}oWCv_xVG-w6D=!U>LvR7G0AT4K;)|AdfmE>-`YY{oLiecvNzI!83Jdi|qr2E+1h 
zbFt;2tx1Mlqi1VTfRty@I=5^QkD*xRdji-c_<8{F{E^PIv7r|NNpQa8EYw@Jm~}02ipo6ma_cb9KX_)%#S)|syZR&DV>w9zH|=_taK$)25S{HjF6gNv7?KO=S_IvB5)onLt;wVAIci6B4r9((d+H zg{u^%2`QF=6nkbFIGiH87aTVb?8sevY)yR^)EkfTdt*V*_=#&K9JXU!9qe1^h#gtD zf3@s&*~}J;l%a`=*%xq}8c2l3Os~I{+O+qfqoH^nVFO2Qbt@AAL>w6m(N2n@YjDKK zeItfot_S|HJUs`P(Sy5?$FLBt!SiFM5Kshdm`u6h5fD^6WA22?8j~eOM-HG{_P)+m zWE#lYjEQ`%{yuq%*ASUlB>nLL%GRxxxYJaXVZBIPWc1($C=~F^6P=y|ZK&j6|5_d~ zpm-0h*Gd?i1V9CCBtGg8cO#Oucl?T+!ukNZ-ndcsHb8PcR4jH_lhEOJ9JYA;HN6q( zR~%cu9(a4^MSJxpQau944k=3LwSPH?L2dy;^u$RHYaFL{5KwMkm)51qs((Y8;mxRU z7R!k(L`#yT`bA>N7nkJ&LVUA-5xG)fd=Pmj9&KY_)lJ{*)3ta!`|S=EK(#1K^))cf zjYMoyk4E1R=dOF~4=uniFYL!*G;8F|IoQy_&WumApPGvTmuzE-^qE+vzo_@A1)j%_ zg}n)$N}}VLmCC(>j)O=SY8Hp2nM$VdzzxhnpX}f2REhA{g;Nn}=$`T-d*6e&t9jg$ zygGdP(Hx2SV+6awXLldP!~>3TNwlO~fW)tH)4{jql&sot3ML%5ET{+x9$6oAs%U6Q z-00s_>9RHM#GFaT*L2{$7KFc|pd})!ws`$^xHy<%NsA3d*@?j~qzH3rwGhmw zh?OrIbxCsANc(ekLgBDvJF`+8;EKEFu2UZ&v*7-C?I}3zbmT#&pK8~p)T@2K2313! ztQZb>eF9K@rF*mbl|LWP%S-Ksge?n668tE zRydAi{ES*5Db8`)-pWj@>QqNmYW+EeHwC8OAt(u=A-|E%7T=%WK2@K3VsGdp_kNP^ zD!GFwTkaT}OMg^82_CPrQ)<;=5t~RDbY$GM(j;Hx&8Xoiz@&qCO#x~L8KZIrtyKzXnx{{6x z_@k0AFZm?vqHZ%1z@4ERxK;4uX3OqJJ8=N-FL=3mVsS((Y=SuCi*&`-Z%jgp7r$Ec zH6ry@Qf>2lgzhjR3plm$t;NTfEFY_gm~t?4LkkgP6))!uJKJvo0f-Y~quV{aDFhMb zO;?2VN;6-M6_%7U`e_te5VqK4nxvcC;m<)N`bjV^5+=2=tdTAy#8D}?DV?rTeZrEx zx7K$aA4;KTUFuEB-&|IeFAq)@6E8#9{wyxYWj611c)(Y#4qfK43*&p0RJ60O(phPp z;>K+)0x>kxZ2AFwAen^)-zdD{*Qkh)Xh)S){b^dC@huX^=k(tPo@LOpi}i}NigX*C zex$HJtn}AdC%7pO-0y93?&uK$Iw?+fD0TYYLr8l&Y6vK$DZ*+wxp$pZ6Qdoy`p|1U zISN8X{#9BsAP|nX!#Fj~GXwp~MQ=eWHC=@Z_fIP0M^Ac!)!!-#vSVp`(A_2nH2U&7 zRhnR!&yK&Tj>uR90n+Hte#mqjLa^mj;1b5eh@&>HG4G5)pYQEUG{>gBqk@Ut0n%aIAOZK~5C~C7y#@Ve|6TFgI!)ojMBfoQ?Fa0g7=PGZT)F z91IMQ8pQYp_tjay-=3%nGz#srIq{wbkrMRX;mQCdO8vmJc@Y2h>!;r?W`Eu}wZ@!REJiD+`D5Y^b>y1K8Ox*Z7{Hr0_K@D__Qj zwXhcn zv8i~OpjR_yv@CSH|D^w8MsMnBZw_)!t8te-k;4@1FboaV)Rha%vqsjpEzUxI`Rvqt zDMz+d>)2T#7n!X)erLnJoE#W-)!ZG8(D951co2DJM8KO{$`X<0`vCN)b1KT+@S;Bf 
z%Hg}D{xesk9pC@Jzv+!Ee(fV15S?4(;J$f0O;4F8A?KNqBk5UWZrUe51yv4u&6cm5uqP}Kw z43~GZ=)VDCoU-yDfp@rC$hFmaUNc_RWT&vcxqZJ^k!ggmiNDO3B z@c)E`bLd3Z+n*u+bc@zwa-v`+Zqu2M2?{!}H&Twulqw@qpw>T@P6T2H-}XT!_qBfe z<{ynwjj!9Hl(25Ezq`jg4Zuw44S*R3X@S!OQgFi`Zi; z0w;v~Qu@2CmBg}RtdD#d!#nPt1TlUD!N+__i)T$5hhAN%gY7Hf5G^+5RQ1oO=yHo# z8|B)FCEv2M=1_-L5HA>6wgLQv>$uq8KUS!X4;-I==1qsix$Adr))>XS?r+c!F5w+L z7>(ofc0aB+sOG=373C>^i{*YbL`h=_2%0vdt~qHa6S2eWyp7`Op&fIe)#U6kv@|lOG2YXf|iqTe6y9RuvjCD1!)5G>&oiT z?A-?qQoDJoM^SzdsH>|xCV6Ew`}m!ki))hNR11jHM71ssx3QYf`5K-l*>h}=&v2UI zxy=wAd=IK^a^)I=B8mQ^nfbYw$=QW<>9bLbZlIG^QnVnGq@Sw)WoY8<$S2>dG0`y# zl5rL_Q6d}Bo~*Et;DD*fQt8wIac~>F(A5A(l+1h0tIC}ZhKD_MCmPB&)xXq&lQYku!ZIOcF6&I7ud2{!lVl^&6rES?>f60gbnr!YH{BXjEh zikyj>R_6{V64XBWBuCB7OIp%hl0$DH)bL6c*47R~K4tMtHkYh1g$GMinV<1~-)QzV zu(pX%>6bAFJ$Xtu7?DCU!e5BA6!J~ex9it>WO&Gz`%QekbWo*kv81OliKN?Vgkw%~ z8Jg0ab1$s%ozVa&=4&-8ihw~Py>8J1c3p0IBVk2A&=u&!ppiwj>#^Kbgn^_)DX%4X&F;>HMTDgV9F9S0MPrzL zmAhOi`V}f(>`705XviZYS5pK|Hf*ze0}E5wx4)rbc;7kzS@e999G4H;gJ|Z`U~QCA zaUB8Xv_tYKJZ&*Sd)sU>6{U9U+MPLZSZB^R!PpGUy~T7Wy5r2|qRxODNuh}lSTNQf zNq=!{O^1W|OQ1LJ!(Ou89^?&;w%c|sq`tB<95pRf7HlviU-o<9QvUH=K@qZycB%SCat@>$bK~us4+fo_H;8qQ1@Q9C3$i` z&~|fJ>D=v8NQs@BLv}?uFqvt`eHy%D0gTb}?T4tc#+H8x7mV%epn=8d0KZ!?Ucz~QgPS~W5c&pf@GN>u6YNH_Xzk&AKjr< zk%m=%Aw3yCD<(e~z=Ih`ZcrF2)dWyd=7Lq!J>fbs*u;&E!Q<&ny<070mCFLJ$Z-9s zxv$Tp6APn*td^GSUGP2? 
z?f-L$#)7FH)jW~A=1Le4cxPcRx4_QGx!BZ;pR>%OAHhC`zv%WzvL#TLl&cfbBhlA* zdf;|*Mvx&8+&$uQ=6L({!RbB?6{ zwZpu4^=+tqYl(#TROjSfQzk)>;-0SkGw-t>w$TqeM%pm^IDmpVh0Rj|B zn`Mh)9#gR_v@?(Zc$zjW@8G@Yf5iI&u-IEGcyed>Ob%Y(3tZVtcx>g{S3H1p~J5YK-p=^fd1XKS?T{Y48u8+63`;YS!^n;+Txf2ys1nbS^saEG9x31I%OfG)lF z-+)eD6PY4SyjC|NaEM;n@raJ`OTwDyG4|%FH)i5U=r3Ei>;dBbd~4Bs$tsXmT+%3u ze9(|d-@DXb^v+QKxxr9i7MfCTd#j;x^w^Fz61c7ww64wM9imp_tsN+@Mjn|*n6;G& zc0!YVAajlG>3wU4^k!mNV&{PV%ckY6IX-5U4O+8>XXdwXUZG5%#A5@cG4nBrMqsEZ z#>VuPdw}4zZh95DseeN>HuLWm8tU<9lOQ{58u;W#@7M_W@je# z_xWs}OtE=?UYR3nQosKQ!A9-jmcnj2#4BqxYc-R47>kn*nWdI)0HBHx+8L$86)!aZ zc6S5mRE02nvden7A%n`cZHH(!eX?K`3iKMX17I2XWld2t@?p&#%M#&83NS_27z@{; zA=P4AS6w}rYkRjM!)nfGmwwt^n4wW!K_*#bJF)r^v_DGs)v-?0OaAbYnzs^yzqDI4 z7YwLFpWjd&xb-aj{|X5G$Ra$pWtGN@`XNBoF*5H7M7?&zTgQds*46v40 zdmPeLgVUnWWWs;yIF3w}ecIU9T+efUtfxOOXzRwjV^s=$JF$VJpDkdGd0&dbFXo0%9 zJvrPh#^s)&3uZ6?qTTng?;U>Si|$&#;Lw1JOlH5at~Md5arfqBlLsrXx|DOE=uPje zq;u_Yc!oO4#$LK8U74PRK2a{r;Nx-T6R=vG5=#$JS&=Dd`Itah9Cj7mM00l1#Xq z^A*?cRH?C2UN1UHs{4^cSEypx^LFrvg7Wk+*<46K!7LD zHcDlfyHQ))^aX+sinDUvgFT+T6>Q>R{w3SkH2S@7-;o>VT7V$8JbLAHUpnK7>X)>9-iIRd zWNGVIU9`}UT0@s}FilLS|I@BVa#|wV5qlL7>Wm$5vhKCfH-lRI1`HWxy<11(Y3=J< zMV7v!oN9=gj*@B)0QB~;Nk(f%;iE8H)O6spTW%6DjuA=gy#cL_)Njllv4%I_pYA-* zEgJKqoBohxPHI6ssPU0{fNrjQSj~K>at}uR7-6a1WW@TdY@+|@WsuZ8&X55WYq5brH{XhtA9JviU|L+!2Yw~ zb%tOdLa85kbU83oIL2l+lJ0`hVh1ouv>rqF{o{j{$@8(jqd>++!xf{8A;A6GU~7pOcvHN1sC_s^95%5^f(q{5)FHh;Q+p(1_o9Sh(dxXtjlggWD?!wUf=7HyB(PR zL{;w3IUOQQ@iCdsU-46&hyy;z#t>(Te_F%k{V{HwtQumWhJdV(^K*xRzr4UW0~m05 z{vrO8G6edFJ?HiLNNn}WtVkoIah7%(B^^d~4V{M7dtw*DB+m2w+Bx}D!Eg>DM4paq z<)ZDjRmtZo2x0CEvVK?^Gb*vEUQd?r;D%1 zf|I4#CQQB;ds+g!G#Cw=ojWq??ve_yudYWC#zQ9cF_ zp=sQXJSusoKk(0CB+sfJ1xrFDzj{o^Bg~=H0du@1ORZmh@92fF>{c<(1hi7WX1BQG zD2}l|S{*bT+;OzTP9M)0kqrVXf6Y>$b=|hl-kTM@Nn^Ef)`Z#jZuAozRO8 zqWEoAOS~UA#H-?n@s{aJ_Ms?i!$%lu3S&R3vt0C=?|oL`>#PuD-Su3T?NAnu zh5HyZ=3to32UffzD(Dyg8z?s_2m;LP?ma(z6!>L`W+NZp&z8Wr=dK!#!I7Ln1(I)0 znV_YlD@F5{|3veVVxR3$%u^iTx6@~Iv6d?xW)Sr2hwkPWC`*?x82^xO`4N9H!vSN= 
zKf^*tZN(E%5(s^d{S~NxoNX%Z37akFg*b6WAqGW1^7_w2U zq5Zj}@6^@NrjZ9_MC&Oan3~m5R~6W@v+ar({xWBpzjJ=O2=Q@2ggmN!O>ShU5@EN? zNSqiochZR=VWm8DMOewS-16goODei($K~0}#ViwBL@M}VLc9^Ar&#@N&t0PwA7;#4 z{U|--hPLJIdi2=5f2~-@-u1pAGC^VeqV1Qrnz8)#FieJBqzh+wUmM|*lEmlbIJv#TYD2*z_7yv1Lkjk$?IKA z7!v5*kVl^vmW02UC(k#YW-{d9+<1Dw+tyPOz}?BgNTMtqz@(nDN;XSGI@~4ictn$j z=EXLVP)oJk_Cd zF)*7^w|ev(yDlF#fQu-z5I!LAV~g#;3mCw*E~FHz^obs}ly9zVvWHj~tjwPBmiI*0&C* z#MUKX7$_(4iG5A20W!o>aOJ>GC6pCr&l%sW9Js}}V!xPKjF?<~E{Z@(Ve-3v-#>Cd z#I+GuEuPCOSbO%D5x7myBAr!2@gSar?UlR|P?)mSIy=95jfC45R$lY>579GNFCT2C zCv05V4feGku}|EJo+%BU)dOQ-!UT=#_V7l785a|)O*piSZ!bf9asAkE+w5vL727vL zF;Dgau=;(bLtW?m-3EArp$J6e!0inylzVvdsC&Qyn?|(bolrcF1W;|Gt+)F}oprGo zY?;=rY8YN^+JPbxJ1-FKEraWxweD^LDB${v=J>oGeSc*qezXjKTM9$R8=% z9vlq2mz?2J*AAibb&GyH zxmefN>sjadhlmuJQBl$^4Y3(%-;(8hh|KQGu$L32T=R{V^=e6oA zBaOZn+!TG3Ubn3|GS_ed!+w%$0IRk`4|q3f?3D|rXG}l-{1ea4`BLh16J-9+vKjHL#3f>mLdG;&q zd*u)GEla6#(J;Ox@ScQ4mB03Crnyz?qGT4{;MI4q>Hi0Fb#ZSK!xPcXYIOYmak{SV zFjF=WUE%Hm96%~TCPGk!o;c6G_rn{3XUIq7t-YJG50K4=UlS(5R0VS6$iKhSq=kR+z?>FLzNndv6Wn18mwL1q7E5@`oMOpsG zm^KfT>6%f7?o{rtT}284*a&X^V`9!6D@hczs{n^|sS+_eTkf>2nDpq7@9gf&=e-}A*Eq3e z1GsW@Cb>~-?GIivH^Dbe7zS6ee==ten}SJg zEJhogi*9B*eTS^@MPKF_Y#O%dcTK&}A6klBe`=FZ=Z$~4L}oudS`{T=!z!~RpQDPk zb2Q&|JSe@A#_5Lz?83@$HfF@(OGDbD8R#Qry`429(q_|jPwwa?7dXHiW$JTfT6ed% z3JVmt`Sl%`1qqA{ez?(IZAAWM9sd_>ny|Fy=(U%-PK(uee}6UJ5-*5>3G>`~!<&}! 
zaK86`>Ju22uw)K6p*G$;Hn51VV(>iwj3`^Z-0570M#9ntBy(clN7{XxWYnY|^(~S> zUH`SD#sUNKmye=_lg2;iSi|3h#OU$Nrt6K@6CqvXKCtiO0hTmi-N_vA^j$r9a72G& zyQmL8#nn4NRjev2tN>1uWO$HNmB-#=0^%Jp-0nal(sH{_ot`{74vGSl3=@j-W1LUZ z3{}-d7-Jt05N!yo4BmF*mG}CkA-j4`1eP-$WNXr{+b;l1YPu-{PI_!^;F?dX_vnVd zKM@|ZLS6IWyPAOjdC&Q@k^$ete6{NVGl{qT%5nLDM(nwP9ftc-mLf~k4^M?P$ zD=`-f4n{iCgxNUTg)4q~*e))F`2t^b^VHikM+o(Yi%x`yJlJWk83&}Fk}2xypA0VA zIuTro^2$djHiTc!;Zr$m=@l(6xMEPnqEGVf_WF|w;cYBDxuoJ)v&J`VnPu#O3(7yP ziH;=a1K}~(R*H7$O+3KgIQE8H1pm<0earbnT;Trx(AGI^ zz@AnBtB!y;5N%{s!NAg6?P|bmjo~F3W4i8tC1W%RRUm!vk0lc$+lTGI`bS~@hVc$F z$#OLDE88u6Em`AI(oklkLAb3y zlL0ud27P*|C2)dDFyB>7uD`1zizsLUUh;h@0osGZHbk925?+_IO;+AK%?gqu*$aw3 zo4`R(N+)k;Z~%~{A}6?nMja1o(ECK`d1bJMI>k8nPiwZC^5X#F@(I^&iGul1Wy zAV0n{v>EzZKqAQAHX94!qbJzE_AYbVBgia%Fs;s^W~GZX1`=%N4zcL>6pc>4Bhmu6 zJYi|&wnS|w6BnF}z$GgAM7DN3c-`Ia2!SH1?O}$qyJ8LWo)N4xD!JK&Q46GBGo0rR zM^>Xz7iCzVju@N}@S7cc#}EK8TiJJz3*d4^C+dQ4mwU5*$o7G-L6S-tFz~g7hqtA| z)S56ZCE>w#yW!2Fjt<<24t029D*ItA)my!HyH&{Yg|DWisqGU1$|Ut0NtSFlmuS}w zy-bXe?y?=h28t}K7e20W6R?Vjn$ zn|k8R&38BHf_dVBqTi>Cr&5;LwS>tsscDV#N{J=<9m~v5v|h&p41iH>v{A+`LjOWY zo<)a(KP4Yd26ewn`3hsUga=nTce%SiBK$I>ui$vY!uzC&=MM zw{oDlN1%b_VvU$R;9F>N{sWd7km}f9=lp2JnBr#y&8nb9$`O(ao6|bC&Wg7{}wwnN`pX?5L?OeLcq=Vh><_r#bh}kI=W2 zbTzOBAv6C2he_QP9LkAAv--pmos1&tcEI8)sz+j44S2AcfpkEdFE7$uj`9b(po>s+mRpbt{{brXpT*#GOWN zs_LS_-aotgr#<6nUFdCM`Ob^>XmB+gEh<9hP&-wW0R!M$GX%;%hxB9%)K93&C=-|a zTW;~EeQ{DJuPk&Y z!>KV(%c7V;!e(M|HLkphzOmXGWnAaz_(m>rr_oUN>pVE*-W}QV&x3mv_{6Dyw^Bdk%9MJaDZ49sY_0x9b_$FlaSX zSp@?oxThX}ml3_-oDGL)610f>X`X3NF;XJHn`7QwA2O3wCPamtDr;-jgA)+M+I3T4 zU;C3b;~}`26k+!9gYLgvvA&W@cYTaqF0ST<6|;aYMk=#(`RB(B@{ou`{v@u5-#Yn3 zL?LqQZ#{|XGn*sI7t$*|DUgwVW{7fQ35*zaaywG+G2z&5Pcg)O|G!gTDGUo~iKbrD zt62O9web4KQ7$gVaCu-n^b~(HM@(>EV!`Fbm278ULC3!D2~4D<>+zWVCMk;gN2?HT$r0=J(GiV0*t(H4@VMKvYs)1DBQB1uLzb$&xoiVqkmGkdco>XVMjwDjPI zTW#0o28^vCkb*~IejW;~zhKH%hoMeVjwhyhYrNa&;6=BZU>Q|LQGD4^rQx8xN&WzI zt53|9Ql+#QtElkb4sVg>mNB<26RR}yC3TxH>RTQ-v;f`bqk?JU%VD?dNV6m8lk0?H z%TvIK)x3G%*Jr$u>^8UeQsv0`zkpJ 
zd)U0f-|nlg?_A;3ZKzb`r^YIMjJal}UFRj0bbMs6C&gzhTQ~bP^BINs_YXoUc~!71 zOeDflmW+Y%hN$#5t(ZI&6A5Dhy=ltN<^k`tEkwm0zASbc;Krx~u?BC-sOT}gyD?>v z6kww=D2BNAF~Km4GaU|`+l_M`y`N=4{6l^Q6Pp~b7R)#y=zTFM#@c4Px9P>_nPgiGK84{?EbdA$0p)~0$sxvjP5FrW>~@vdgo=2EJsh|&hl0(_+&vVW zyV1v%*6701`@a@HgHP*))GG%_qWKx| zB3Tzob*`hmpE9ULlU0CG7yY@)CLq@DDv-7(WaJEkPAfVc0j40q>A5|(M=>{+^BpGa z3~R5rHw+k$UsTL;cyKl-fpK*?IaL!*&`GTt!ASV!j z>LbdU1)&WLNv6{G$KQitRVtUWrp(jYSmibt0VWx!SY%OW4)Hi$$u7TNQ!*GA*<<%3Ue^C?K>dI-(UZn!%W6+&gK2t zDQk)g@6@mz2JMd_~+8GBJ$<5A5h|TrD0f&z;6|1Z;Eb|uk>Q9kF+8a zhDr|8f2VOa9&sJ4THQM;smPKC`3E*oGDei{kpHK1r_2iQzEH5-_+U(~?)kx9r& z#5swfZiiAqJef9UMcXq-A+VR%LxP~PPW+whg!$R{2OTK9vR*&I$dB8Ix5FIqV zi+wg0)1hY>`FF8j<>J$1cb9M9r3qqmzaK8zfAcbBmiQ0Sp4J7jEb&1HM!E@5zXBEM z6_JLwlwYoh)4VQ^Cqg>H0%C&ipoWG}0+cI;7t+gcCE{4+#lb$w<`P?f->rs5U#iO> z%+k%6k4)4Mw3<-DirPvx|_I#ZT7$6G~O&M+I2_ z*;PYEC)rq_+Yt8GdlFaV-28*nyC6=!oTeQ!JO|_40q-=&7F)X6J<&xh;-PHEmp*&3 z;?VU45Sf;mFwCCu>h3toX)WY)%Qx3=1VzBWaKLIDo33mCY#Tnj66~fm{N;)d_Pb5V zY#AaDcNQA_YLJ97Beu|@#CyCJtr?Q!U}FpMYpcT>P|d|A1_tGmV6J;Au=V#ZLx>Oj z>n@qAT~6M)eHX2iZ*i4sSLcw^9r98e!OuY^u)rFmSURv> znr^F5r!W*5)S3WYYQ-(KTLr6Agv7U^&91yLUD%hHJjkuQa>TgT%do-ve`T1#?O5QB zmL{%Q)Ey}}PRui2<79Vi>W_TQ4S-EsD z!J8O=CWe5b98s~MVTR$9&KXRY+LIrAW{CD;a0Te3XWY?h?-$DTA66V9_r)gBRBmA%j2-!4IWxXEQ%Lg7dNvGD zO)3jFy7Mu*L!JEKEImZiBOr|y+vg7fVjNQbr{*ErO}^-g!1XcBS5b3o7K5atDu|R; zE!c%ah;8Na8 zI2PRoX-XNHMe0L4QGrltQYB;6pmtbxNa5DLRJtXtdZ-bNnW5B07JAz^1!X%}He09n z25T>JNo849!qq<>#~+Zpm)tD66Tx;{@Q92s7wl~hzdQ^xh8=krLPOtkk-w$RrhArt zOFU@#{Uj0Y8@s&=8`rQlp0L|nc-nunzaqXFKqL7Hui!69mRRHY zH*h9j?p7XIfh1`|WRftP=o4#fB)cAWg~R!gM4dH^jD|@i==US|8AP44yPv2~D++#o zaG)5jF9wTm<%UT4k#Y~BsZzQga63j-EktT=C`bF!iU^5L)Qu^Z#u@Eh9qJL6L#|!m zMWcR+71D;-d_h9{sUMB}1xzj8DGH;P7z>wf44r3*l5O|jcA7Os+<(KYRo92uX@KZT zBRDkU`U2+vaR?jnGI+`_R_5#)tN8)um@4HXMVl+3a$NjO9d{M?`KN|sM77tOrkc6* zUi%0fmF6%o4eUbwP@e|qBG_;Fmy&wjXWD2E0QxN`J*3w&lL9) zPgtrgwf^6d6}v=x809h^a4Merk)m8OX&Wucx@4f|@lH8tXML<#2I1B;jJQOB;PREa z5h#wc=QR_5g*{xD>H6MnXM1MXlvZ%}XhKry^`jncOt@cvmkg62|M3~ax@sCxVtLm& 
zS5X2g!!;?d?kFzdo=DFz zR5hOtrCLOAofGcNTTn9denrW}=`HNj#;qm|w80Gj(LAMU(;xH>f1Ry9_ij`b(CvB1 zs~;XFv7@4`J@^C0^DzcqN%+6_z2w6xNcc-B-jfOvCYFEOt6%ye)~AROU&@x_px3PE zO%LOm{6A8R^AkG3Z|?|+o}3haPG)pHw3UlFkRY0Nk`@2+3oX%1%84LKw~rdEs>uD= z+5YfDrIikG1pVi4!n*91eBy14ugZN<6eGQy*1VDI#^Cc*!D(*2&ZSQl z!v6X20^4MTDxOt$aQ`a-eRK!^F;velDnH~r3^?(eiX5zJ4 zjWy+fe;}ZUlbKlTLM_p3rGW?oCF0!N*A&QKC-`Pe|14{fb3Amme=$cCyJbb~uj%Og z^ec4m9o!nqu}QUGfXRsl4M(&%2{K{U+=-~a2wfxO?Ue<&H z;|Yr{+i&BabVATZbO<97r^Fqa|EAEv7?+PPVv)ZVGmG^dW1#eE&TzCF*&kDPS@qMe zR4h5M)ztlfXwu#GxZwCA|e(DF*# zqf5=nuCdRrj2jy;8w92s3l~VQSS^4LZDW{#iXXPyJGKa$tm5F-9SaP~g@_jEA}r@{ zFWQv%&Mc@wW4Qbx&vB)B0!$#9_{cv(tH5-)_+B~h{}Qo5PoB!_Y)7I_G1z<77?Z_# z%E)Z*9#?P#>*E|@Sj69R5%uC3$bl0>cd+Lw0%>HttHvr?zMxJQ9^vKb{zq;+C0l1+ zSx%X)J5VKt79z2sntYg9T-;SuE0i2tO_{UG7cqKauiRbPQbxbTqpmwpCWf*xG3Aa^ zLWy2=xGlSHh!m+@v`9MqfcaGGrPNZi!d!oXD20*9A?fAnf`98AV1)rMIVxr1k@Axg z(A&b(T>`IfFCYprH;h?>ISX{Z^~a*8UxoPi>1729OTEZ*1T0beMXYhNU~6!olu~FK z^x^JR)LX_07IXQOnSY|gD|Q# z@v9J)!4lVF9cnrEz;B_dv)AEILVLs>eoQUSztiT9y*oBtBOmhdEy!}<_x}zIn-7c@ zoCtT}7R#W6^-}BBN}brU5`FfB14|v8@|mbizay$I(a<)W=G-zFj%5&~L3v>at!VUN zy2uIcjE_Ba>`U)KX#o`5d!le+$G+=Bo8RH4w)if{RDT|y3uE{PwMk_$q7)A^#9|l6 z^9!R?i~f3(Ptgd+yD^d6(0_VUQrY+2LviXO!b#FAQ?yK%rmPmtAoflhHHADxYR;9NUfqwjS6S7O(M2+!l47;mflh26bY5Iip?@=(C$#>0f5r%lo^jP zlkEfm%`R$BM{3Fux8ou*FP)*6w2+O?u$q3Cji|LJ`Q&nAS`G}@N_OK-ZvmYdqZK8B zvidlJUZ^HGwEs{|>EwPdR1+Q!HLNVh_G`h0nYG21@Ci(nHORVk~ty$k${bL{mup0amK`%qkb;%KTYu;N4&$0|zM;8v+ zA#A7W;>h$POh;M9YpX0`CUQaF6M=yQDU*}WBs`T1;%4#LBVadGy#LgW!Ws-|Sw$P1 z4GR^@d1{6uJ~y^vEbx?OD^_PMaJs$f;a-xT6t&CyK=?ld5GQE#Zn9ULl`zG9Aue1nR49+`~Cm|g0;<_sk3#E;x7@>LBu`06w(OZY*3cSiZ90< zOAeWrm-9p#(|{1E3H)D*BSIwd{ti~IN5bfg1Yu9}tDB)VvJ3of!KRCpPluH6wV}fB z!nqb@t#~6KD6tuF$Cahyi;?f`zoa;~65L%R04D0%Wr*UDpF0Wa&{CO~i$uylnk1o@ z%B^hD(v++Wlf0bB+<)`TdQo&*oR3m>`)WQ;6p2A!-__pf;UF_jXRGw*?iLSd=T(vG z{UiqT3F4CTlW+Wol2Ci6+^xJtj%eAi9_3A*Z`FCm4u^h``s)o%gr>1bTzQh=k400| z>wV^3B%yU&ssS~Ofk_jdcf|rws}`x?ylfP92~=hJ#GHl!KLtka`qk6;G?0LI9~zy$ 
z2cv*WO3BwZ<^M#vIfmOj{kLv&|6Q&nE20-B`QY@N0hIT;eN@2tuX_5gmJ-Iyctb!y zu-%@#4KE3tS@!gjJ;S%m!tuC-ua#4cPIrM%F1-S}a-h3x4u(XAg-kN~Vb_g8Yj)0K z$n%4Ycte7z$*`h1mEH}8%BQvb3|UYzb0h8_DG`GL5qEPsq;%~` zFJ!rWJVPC{G;KYL7xPOBS2E0$ z^J{yeQ!Ee{rO4~a37{|%ti%kOwccIdrui{x#z95P|LO-2f#+BxYq5@E|}5JZTndQe^w`Yaxc>vaXHWD|x5cU=H$?${#>BusTa z3mwKnzusTSKW>A$+5t9CE;0D2&~Adl7G0AtT6AkF_-u?YNXi{1zhTRUvFo!GzlkdI zE-70hgY!2^K7KNDAu6wzv`VX4*nx(9oLjEVS&obkw{{78&?UsE&t9bxb@>x11N2_o zM=$v!-2ZB2h$oHUm@+HMGt1{P)Ky8=X3+%Jzr{fRu|Lmnun@H{+Us$>q4(1})<#i{ z|NS#quiotJe$fxLcT|eCUKIcDuRnr+_?QS>A^dBnC`4gV^F@m*%uR1u%jpxr(u1YP zz*21NzMC-Z8~$7arrU;?+J;}{PH2Ywj0ijRf4DQ7#dOKeR^dK!eshvKX>`y9Wq{yG z8T&ke%D$7>W<4%1*gQB8l?#{lUBnpk_8GU5mi1<07%#4QKl|9$*B~GW5iQ>QKka>Y zR8w8BFQTG?ii#Aeik~1IsnV6IR4Jhcl-_F~bX33s0wNH43%vxSLnsjt5eR|MLJK`~ zLNB3&7xcULz4g|6>)!YOJO3mrJNwM+nLRVVJ$ueR3o>V|@2(i2Wh~kwi_U%yZ!6VJ zPJPtIJocB9v!Pdf393bBkPW13Umx(p5q?S=P->)RIuF-x`>OCkD+K4rthK|%Q9WL^Jqr%JM^J|g zIRtrkr-}@Js#rN&^*vo@mbUH~z_5~@Gl|QeZAtuuPIrE>BMGq#9-671Z~ZagQw!!ToP6sDAEy4(uGYaD0l95LMc8+oV{w#hTTC~vF?c4a$}vwrPCM9 zDp5G^R3;B<{8zb7hjXWeRIO9{V zJBt3wG1HqmD?6wS^rTK6^}iyi&t8nXJ#HiAa(XP6FOhzBMX4$KtD=-LFaY>`e=?tE zDkk4KzGHNYR5xPE-|MKjADpmyxrF*+IV=FC!f?EAfsq;~3Z&u#E@+pu#8Z+?{yecp z>8ovOoNe#TF7WV~V=YOT7-W1Y+eAMuhMu@FzQ9bpVT<3C&|^0fA|$E9_r=5ollPm~*50GU$ zYjVZH<0a1@inS>Kt%LIE#~KhSex#|DJ$rV4J&&;?rAUxhqVEXvq)KR+am{qc%s5j@ z^m}PslM6#M;~C=M68G7%Cx=J+lD;uk^m_Ta*9mR7^F|}y{3&vO$W^#ak2v*sty}># zG&h!Z_H(~M1ugc=$}Q*mqRVNA3TjzZUM3@Y__(cMISjW|5Y%IZghaH7q9 z$EF4BsCfqwWJaINqrP5ixfQAS{+DtjEK6QmG+hhEXRKxCETd-+%w5qdS8{B(&SmZE zXNMLzh2Lkl(556k(fs~>stvw(qnW}*N=Le?n)@&aW@>~JxngI#AcOHT2frIz_XcuJ zK`A-m_{qd6R}fz}uux5N9)y+39K6!KPb}0@tr(m?F&&3_jWIN)FL$}_@bvkbsq~%- zTV0#Io7S`#(9EYGmAZ6PgHI>N=2yw(FM2!i%H%fGcuGX3#HU(9yXhxJ=CnH!`MQnn zOuWdhl;xTyhH_OG$){;D>zlF;a~^%-f4kJG))or!ccP}YDl>Dc{7mr-bYslDUnXz$ zy{bd-tF0bk_?YS9rG!z7)2T79m50D9MX`%Ko?Hvg!k*V@vD<&IJ0R z9s;p+UyU2q*+=-bGTnPTUQux$Xa-nuQCygt>is)yZ-rF7I>aww)T+7ASlF>ELf z2HR;lSCSJekMJ#bew=9=Yeb%)4hEl2RSMOmK#j~2%cxN6qP5E>k(MnnXWgdGzm4+x 
zT|BYvEpr3>VyOliCdHmCScg*cd@aurA=dlwO&uz%a(Ys(6t9ESObbUQs z$`Jrq9KiSnMo;-^toFJBv~}b0-e9Q&OU)?L%vK&(N8sk_Ssx;(z5wDs<)C86oc6_F ze_dJBETas-xyU`mygIaaC`=NfP#i?~x!k0E;P=iCh~pZ@l$|{UZlH=tdyOATrASX9 z4X(de$rh3!p+WYC?c#0r)6O|IU0#Ee4$lUS?zB(G&eF`_Zu2b!Jv!|9U0@BK zF7I)W{I`nLi@`@akkV`PdmUj zg78R=a~kv^&q42&{ND6XyhXQ>Wy4wCI!GXF*x6T&s9n_#*KK#P@ zDR`sy`?acqlOb?DRPLnDj~l8D$7dT`=sn&jGza6j zoQL%S&H7HJJx;vjxb6F;j+)0l=j}6fshJe}(x})Y2WiK=^7IcJh4#$U6Fq(3P_i`{ zOVpmg!9gjL>6Io4QmK7)V5NJ-b9Zr}S>iU~-}dQN^lR%`l*YuI;bMW6226{Qn9YJG z$@NTCR>5NrEhNOYADmyx{@y&nA+bwp`y?@&&TIsiO|!a?jepr4JCjTRL( zvo)PlbK{$3REKcbHx+UeKe!V$wKA!C13h6-r2kY( zpLLwPuetyGSTk>BT)=TL1x0m4JL*v3Po67jnMETRlU&8EWO8RJPMlYHbvre2TfA^Y zTw&%-o2YF!HN4-VxM4|H$;fqOwL*101MQz=)8FM{&^hd0p2T zc3|PMrIqg#8eQbrWx5CFb%g2%nPkE>5i2))4C=t~9?2QB1W*7UxWK&Ve zgN>HcX4B$_RBa)(*1IPfW95sVR2f%59_tKYH$J`)Noe-=#aa@&Noga`;3; zs%r7Y=j4;%HS>!*7SbFX3oSNOjZfK3C+7CaZUL|VF^9`b+*(5^`iT|`&R=^Iptvnf zkx+rY8Ti|^8uCXShK!XnUtCgrwx_fSoy_rj&Cm^Qb^RRL{HpNu=mxfc3D^hA2-+E6 zlVw2AC|`cHcWCal<~sluqxpbdLs(BKARk+)=>DD-7EJ3^urTf9%l<9SA9GjbnYhrx zB{@`~bm>8p86V2&mD@}fwy2d)^KRscx}3ROk-Po$E4>Tm-n0K=+gKAnv5_RRi&@!} z_mrb9%tM{rluoW`kY@>ggUd4VTR?f2&$Ld@u-10O(mexhk*ELhnhzuaHI|LMm5P1a zkEJaNK14F)U0uw`4>Bo4^{wwlp*C<9ra?OkT-zBjs@w(6Eir*x!o^o`lGvLvj7~b2kk%*}_u0QaD z7IPeKeeB{=9eUc!5NNcZIW+=59k{an0a2W7t+H3Tv-8;~vPtb;gBNiit75ia4{cl1 z5$v8~(e^?5YDC{mQc4yR3cCWYF&L0WEwa;b&-rbfilO)Na(~aaUP<|~JAuC%=mQ6^ z;7^ITyePh#3F7Fc;2_`xUGet^r@(v_PhppW%5uZyRU5mw+QpsQmNeD1Rk^+Hj!hj6 zz6p=lKqD-S)4RY z*v0v%wPDf-&JrnDs4m;h*u7sjB}9Q=dLEp|#X_ zRd>pA@6i(PZI5aN!$+u>M);@JYSQbcIqUY{QanBk3%P z=X*&T+!GD*oXP&s;-e{7DfC|XwnIggNNcvef7w1t8mr^2Qzdo+umO$6J<;R&J$KlfJ$KoP@Juo)X=xf1sgwQITF?`rf(cUPS5J z7HV0--W)v@u$sH>8B}tjCDI>0lz(PYy0M_d?c~!4$zMY^5B}5c&)2?QcX#3{d!L(n zL>fc#*CkyWqsp;u3=b6C3EbT7)}^&g%JnNB^TC&nQp#hR(>TgJM};wjs-4P5;SnO0 z+-7{84mykN&Wz5HedDY9%cebnr^&KCpG&tuwlGT^3k#bC`8}9cx#j zn#$e`Gr;8hO~7gas#j}8p5(p&H*{A!zL&`3(Yf{#wXUhDXR4R@p~+uQ{G?_Kdkpkd zGg3=k^(L=;Fl~mTHm0-W^7}=xF8d9p>s#M75etn|z&YHgTG}0(sW3AyiIbV)=Ce-X 
zP%>iN>68#X@KndVt4B?-Tcj@Vn`d2iRhBrD2AG>Smp$9qm}WU3N&g(M_-D1F!p;%U zIb6A{ggLDMCKL8G<9A1wQ7!_QNnhcrraAy|!NWR_S6f~^NBL({cBKEd-p=dQCU3x^ zlYzy=i%2b$!NAZ(V?pce?TJTj?9(tID!Ct(}VAzJ3-TugJMp?g#$+KNg zm}+8?fIwB}&57Z#(^V12-4{KwuL|=#JClV3fV3?@N}jkRX#>k_c3NTI_1WM;H)ZTBr9*drv91eHx@XF2QbU(pN9AoqPfx@C# zgPf_LT+O&4x}|5T-xfNQc%+fpGjq0%r|4pb$}~ZkRB@WxtY|+|){^+bN_Ler5HWRz z55wNLtZI^;x%7L65izaHB3kLWLYm&!L(>rva}5+?;+Yq20UO`i-U8l-Q-~aorb~6# zWc1e8rSJQlSRZ+O$xVbk+CIY-Ge5PxH+NXt(sFXD?sMTj+~-2?efTrb434&7I7^A9 z`tbLjZAE}FSk~jOre+&47ECvGEzu$a^T&{kgSGsiVkqoNifg<5H<8 zGah}0DQ#l`5*!Da>i-qSG{mbI=tDphk~BQ)!xP_~7rkdXRhu8{*fJpDJ) zqke{@YBNndD$I$V`ak5KiHG*ywQedbD+3i3j^y8)dBZ4c8xd63KN}haiyGf^SXt6P zhkYM3Fz`VUf^2%BVRyE;PIzj;GL5@ZdX z62?G*^W%@E;7N?j6Ohe==;9|o5SdzS*qj#T#r7?r02_FYhBQfD-=(F!Y~CouaM3v~ zE^d=ekirK<%fZthu4^1-zQV2Nk&|0j6)xL-O$v~Dhlj^ICLqZclm#`WC47vJF)v0n zqXEHs5v?+RK-GdHQFT3KC5E#l{~H~`Y5ZFKilwpWSpWANQ&BU`As-%jo(fl<>5~oR zU(CMJ*S6y)sDey)u)MyFFC|9}*{2wyf4TCYPp7?(0RBE%jWavDf!5_U(Ul?|md!Np zu<#mih4k%>)x#dg=qCITm5J!s=eGIx!|Ay2cgifm0;V$?HbtaGFSpGVg@Z%>$uK{O zsUaJVJ7gq0Env9Vo07H^juAIFUAXA%4PAv{X%SK%x~B|FcD;l}y2dM0c`clv`;eLw z{7BIcn58i@9$=ww*;_IIn?rRdu<|PS+g(@FZ^;$WsA7*dwHu}wb3m$sf~Ue9(tG|P=91t zYG9}`M)~l4ThT)}@m8gF2$LDFwZB9nE*;;mMMg$Oikiv>{zN||pS;JX2KhqdHzaGG z%BNrZylo9B9KAu^pp=ifnXq?ck-J9Fx992>;p*y7)It?*EH|y?@$$JtSJRLmUV}Pa zhT2)KZToRPc0azrBA1juFgmr|-K*oZkY`ThF?WQD?zX67($;XAAilwvlqO+d$CM{@ zHSn}=B&+D6C+$7DEO*ZY$M*N)w78R@nQcNv=Qy$2qS|EZ+nGV zk;r=vo#CGV0kfL4A{42pZglb?*sD&m&r=51AnK_aPPsAG#FoFjeyA0{F_?zMX1=e& zseXzY+}xttT}BIG_di~m$6=FMYG3%PW#HiNcEG@ft5nWfCTCsT@+O{lzj z&9jk@ba%Hp)9*=1-{aH_s;}#o9pz{JV?12r#AE)E8uN*?l{2_Ap+OR7tGX)SX=~t9 zel}YUlqMtlp~edQkzp-1F#WSrfOWk6;(0%YpA$5kDRT`Yr6=uf(d7@}B=wVGrcUZp zLc518(*-gTj(Yu7C<~X)*~RPCwiC_2b9{yD6L zz@ov2%tyAxdUBrp8R&ult!IT5$)$Ks+$OT(BQ8Lx$cW7yhVQBF!`~)Al5if>k_(5W zh>uJ)%!4<`dLaz~$l(CvdLP_A>qp2c4f|F1(#4-R_;>RlL>j&#@UY;A0Ch z-V0>!smRb_2C1WlZD}!Y5}It;fT`Ie3X(L2m*`2V-aFFk<_ zO2u#&dEH=%hM6d>`Q1Ba3NB! 
z9|OW0!*@vP0U@85qzc?2iOT@un;#P?N_=|GfEFE`rO~%^hQaV$rOTX32P`jc+HsH= zFcK6tcDh1R37LGTOUavI?A%s=e}5v&rME%5Y1mnb%OoyCuaZc!VWX%~i9|IOr0Vt$${F*gjqeamz04l4`k@b$~nfI%=%kt9hXhase~ z-RJ$pPj)ph=rz{^(oa6h6LXLe!?}Zr`_}hvyfp~(jqSw7f3-9w0ofnI^QA+!mXSn~ zQYoZ_V{s^aN_o(!Uph6(Mt)RUr5j?wVj6Erm~_)YkcU~`vfHWjC*3B=IHp}K(yg!| zxjj;;Ws;RYf62HplTplBGM8UImlxSiRQ~ZLr<+g?IEj^zjdDKFF?grfiS81qHNCQr z<%T&fQuMs(vxH4IHnK00PfY92bpC2&GmE!-nwXH1XdM^rhkkdd|1nuHw2&$rD4c2q@ZGP(b;pAsDZJ6g|d2`jhcF#k92*lzTVl*TPxP9PM9@ zS~op1zGv8cPV*HKSKFrOD!+i=Zcz!t%|UrU*YbSn?~$27Iz+*_@0m;%w!&dke~2KF z3w1MlIdyIit?xURvodN0)^>r->vplPegeH2{P>y3e6*2FW`PN}lEuH7?e%;;m)hGq zj2zMacfbj&Nu0;;ek$rNmER29&{{$Qm!y8LZC;<4|ul@(n>sE0;@9oX_ISiBXoF z9AW_{NL+_v)+IRW2@bUsrkr4uJOJ*zX~KKaXA)@{<6GGwvmgf2k9ZV%?woG9O=$-X zMt#6XynV+2%wqajCv4~fN^*uMAZ#F;o0>vz7dxeI?xoo;o*4i6zh6J;&s6VJ*7wD4 z;WPYCl9>`*tYlo;Zjc=|$n$^*na4g>td^r;x6ZB9V&OAUTZ-}K?h?sZZZ1n98<3ai z-y)8m{FWXLmA#qNC)ANHRQyNR<@A^FROI5{)xX?;@D27fbO(k+uuxt&NsBIAc)|hF z$71h>^quRr?0d5m)$NWs7Xf%5jNm*p+-0*Y} zvT48@@-7+K;*E;ul}|np8VQo;ZAY~5#y)1(*X&57Q@t=SOUgM6_5Q+-*9)vELtwG) z!0RIBbC*^~?2rX_N8A$j$-3}b&|Un8psQq3<_eS1LJwzD@A_+y?rvBXbI@~ zMHel}!2{xm_)SilFCn469_HS&XMzkDUB25>Qjk|(>O<-z0WTeopL|T>CEe$5rfV~9 zVtt&gdO7T#jdwTFBPmhqqQWnwhI2wWM_y!hLKj*2wIKkJVl4-@Nz(DUh^nh-yPGCai_1S^3^iwh)Sld{54 zs-?EHCLt!n#NdP@6IKRBL;Q8R#b4(P--nZO_?w^V{3h1orR1YqEI!{q7XrGSlws-nZ$A?IWzt|_DjHS1 zL>a3W5-^3mnAG$yDH115Z*crq0+KCZ@(GuPJTH@mb}o^Nyl^BHc&C-kFAt#$uIZBb z)pcng7TR^AxX*}ZmXfrRe79sFNZ|%b!mdx`IxZ;5rX#Uctui%TK=Q+?Nzrt%| zM_a$=0qwUVk+<}MWeO&COzOMIu$CoAL4@Zyav+K07tb9a2j#>IA6lFGbn933a*JkB z_3C0}=iuYd$XNwrL>b<9%Mi-^$*21)3({?*yxyNPK?(vPTgdG0pD&lnl?3L#)%NXZ zhv7F5RK#+Yq>$x~3yTT~r?>S;aFrxjio?T?`kVefq%|{h?H>F4ZbiMRdxd>8Cq(q4 zpwk}pBthW>dwjM(Y090`-K&k>d!z!upo>s%&EGxyC@IMVDwZ(6Y+&PPsj0<~d!kbU z!Qb>EG|Y=n*_>XuZo0hMX$u+CN^|1s6&6 z@gdeH^Te8&y=1wC)eGt|o&3RnrC_ z#``vyc!T4)T^0&*_{Z<~ zYc~OA_wx1(R8vzrv9%wsQ6&Nr(h|XPSx1sscDQFQ@GyvPH`!Rs`xMlKv5|lef*7@Kg

N9!_HX$JHXb0Nn$R`|>SF(`+JSnC6js=L# zua*;0^nk{p`__JrT((YUEiJJ@ki(Y8h@T9N{0RYqa3@>Pqy`3Mx_a^3hmNM8-#sounPgX1QJ?F_#~SMB3XC8pO0)PphAS`I%>fs8!X!Zs1yNJW`kCu*1EN2b0ur`| zoTmVLFrn)4Akit)EDeJBiXZqH@IV!?dJ+t7Glogl%O|7;yOe45k2RC#l=-3*`HEXJ zBp~-6AKwIiVzA6@FOEk~kB5wF|9N^`y`@@6qa_a7UsO@VB&`>b7H7j{t}+2gLl-DX zH%rZ@Ny8+L6B+#a*JAy@P4?ZEq-s~D`D-Ra8;8{Eg`&d7dqpM3+U;Hv+>X2hFcfOK zTwgw8mnM5lgK1*c!(r#1JGVP`R>)Yr4CP4SSLXMCL?Tg zuNtu80bNi{N{aE@egd?~EAIYWO2q+3b`XlaDz@9wzjqpq&;TP>tB#P~KKeb#VCp`W+WJn? z0Vooe_gUx6aMFR)7hml8J;__ns47p$YJk4DnBR0<}{AVmf z@m5P8=%udQH1l>W4-j6oclG_a*4JAbZ?{-dKjul8>7CO$%Nq*f0#wrH6+>gE9-rG@ zE_Ai{HHdcQmCMrNnaQzB@(nS{ICqDfAP2E-s^A;^0=z{srKG|d(BzjD=OgY7Q5Zju z8+*Y^C8bj(Ohbz$T#`xuO7Fnl3?T$gD>&Y5u$(Y~X* zIu4q{Bq64LhAjD6_{j9qJeng=n#yG+rC)`~V2|8DqSp4G#Z4oku{v+f2Qs=#q%MyU zpI3OeCQrS7=Jk>O@kE2^D42x5Na%u63FCNFbz+OHuSFdA6n=G{RtwVeRC#w3cPe*O z1XoTwWj?Szc8oXQH8<8ijC83wEsIJIgk>xx7pyIC4C!mGq=Box#&H5_;bd3g=5 zF09jZaoyYLt4Dk)?GTQ!w%`$Ie7dzcJy-TZH&s-xGYm+5MPb!GkYNVB_9gip8?dFv zJ3V;muv=FY#hBF_(GY?L9G{wU!u6LFh0%ZDb=H#KiDA%e^_0@s_Sdb1vWJUofl=#6 zbLhI0EcAh68GZ_Hq-YR4vsc1TFQ5$qPUIOnRs|%SPzPu2*g8k;+HE(h60D2YjUmm3 z$(b<P4y~;jQ<=(`9x^9Ykf7FCB=nxR^7ZGPhB+)91u7<4r<@nnoVm1q(9|~eZE)yOPY~4~ zut5~QL7fI1$EpKrWDXw{mGi3k*97FmzwA`)hG)XPXRnjsDKw&mVHb`2kRVao%_}}1 zU>c%j+hU_+ymho-oUybbTc-8VFYY_$Gkmo%3u2ape5QeuXHd^R9K`n9I)N%Oj(sW z@Jm~N(|hA&MGcn0k}bFaTIVZ!b#y(tal@);QX~^w`VBT`6=?{YFxiW4ma8$3_otb^ zCk9;A8JIuz$)hP@ZHm#!@eka9AYQgN-=m~vDwQw^>WimCFbYip>OOx@lo(5_P}YUE zih6B`E{abFtj`-qy5m)TCKe`(TQ)*lTSc6_le>(s3H(_PP+0b6LUYCo9mx$9pLu(^=%Y-wjHO!pFPVR4++p>^BB~0XwqHYyC~aG(qr<`-0P}46%0aNBai;8I!O?4D zPjdl>AqT}=j)jey(|BIT*!57enf!;evO8~!QhM#ucKpN5g4C;7WV)d#5nwyNP?arv zL_tchHYr0uTG)IscnBAK>P4Ubc+3wd)pbJMZs_>D!UFbWJ3cw#BuJDl-x2#odz&I5 zS=r8M)-1jTv^ra37#5Z~wO%`ep4g}eDHj_9za*+mk|X$CyyR`Fv}AagPoojYFCJ+x zw!4Hm6~xum2;I9l2F|Os3HzoW5qizq5M=`YlFrIg-(LZRSHL~ZungHv?h~x~&=hKj zkrOrR9bdSRcHRz6I5GS3EA8uit7`1#PTGA0Vc*Y3o(TpxwE$W=69tlg<#3^HZ>QrKi5 z6{0$ROD_t8lfq14E1m%7Sxl$$PlSbN)*mzsf 
z1LY7*|3QG0k4>`Cd7z^!Ra;ahoNf6C&okUUnRZVdUF#mOa1e441UOU&= zj&rgOL_;S|R5>HnQ6G%`zij-ke~g^v#moMH#l^NZX-3(gnqju4BC#`#(>M_$H6gaz^?+yM!K(f9kCGl#Dn-{L zpEY##+c>DIzUf_{eW#2INX!IN8yuK^B=~5gE(BvLS1lZs^1dxb0rafCaFnSIj3yr= z_%2@;d2GA>kH+ZNY{@fS)7te=W317->7BBe$*W3;CkAY}xaFf$mCzV$=}PLl>KCTM ztxf_Qn3Sayi{Yw$a_dVe&+&p?#SVdPJirk~c{As+eNZa2t!@6EtXU<7ZD>f0lyd(Q zVo2GHKGgU13+_q12XN=n;5Ahx2hz^}-(<}BcG;i(eNsB;Pez24rZ~sxBp34UH&RxB zl-Kx+-Os-<?zf0I%Z{I@drwuGMBq}&pB{G|3`d2P8 z8|?!D^EQPA&8xji2ADF*Mw{II`0C5SllaEM9iw`YZ^Rz& z0(5PB)Og_rrZsynS~{tMSA?Jx5QsgA1rGBiu?6Lk>{m4E1*RSTn%bgzqle0Ej z&-idEd!x|LjHEMZCUCzl_~Q9SmuTRIe(VB@d%g3bZZr9NJ5Ti<(HAJqH$d7fj6z5A9&6`bTF? zJ7fF%%KKv3*~JhcqMTk^nUF)juKkE*s^LTFk0k3d=(~Z zw4vCq6M22dZeo^i+u1Dh3B+K78P;Eo1o&YqMBH(;+y$#3$@Q-bAN{Mj^No5I#T?>9 z)dw)^g9hfMn6*Sf-~0`Ll5Ik`99z}{4kG(p)$R_9s@W|bo+C?~sPH3-^TpA5VRLJQ zW@(K@?w48-(69k_lcUY|WG{;_gBhxu#i*&g_wx)!mSRgtXBw>_ESFqiYDHeUQBJA+ zBNgLtwc;g0-EnPn15=c}d#H+QzCovJEvek-b_K_wo{pDdMC!)91~HTBH1FO!?bjgC zGeAyMa!B&}=T|y-ENRjBj_F>qr7Ws&aOY)LfoB^I=q_Jd7MyRSX$34_$d|K>5zd8GsL)xQkiL=L}Om1(yi)pQ(I zJPwQ8U)EU!1k!AvH@$3!D&J+o{C(LR4d;bU2d!)hRjWjQ^@k2_zrH@oLKs_8#LT<$ zq(wVd)BeLV96q!r5$l)0=v~Oprdw+wpf~Gfv)wwTyIX>^F8m8&sl%>yzBYQS073zeTQ8k>u?B@@y zaN@wBcb9dmo|F|HtX>eEFBu}0vBl|POccFq83h9JZ&Y?T{M$&EzMt$o z*L(i)-)ldY$^X{>oD%8!+y8I-c>p0@fA9ad{V(A^GW`=={u}N8GWNgr|CjN<_y2!l t{J$Fb{~y?YLnHr{M*k~~ZT26YU2senzPj7-`uLpQOC?RkQu){K{|BWT48;Hd From a31a98ca3a2a31801764c17abe9df5ede86c37e3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 05:50:43 +0000 Subject: [PATCH 16/21] Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.0 to 3.10.1 Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.10.0 to 3.10.1. - [Release notes](https://github.com/apache/maven-javadoc-plugin/releases) - [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.10.0...maven-javadoc-plugin-3.10.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-javadoc-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 429e575b..cba6741b 100644 --- a/pom.xml +++ b/pom.xml @@ -77,7 +77,7 @@ 3.4.2 3.13.0 3.1.3 - 3.10.0 + 3.10.1 3.3.1 3.5.0 2.0.16 From 2846c06beef57517be0118ca7ccd05e4b76b5a48 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 05:50:52 +0000 Subject: [PATCH 17/21] Bump junit.version from 5.11.1 to 5.11.2 Bumps `junit.version` from 5.11.1 to 5.11.2. Updates `org.junit.jupiter:junit-jupiter-engine` from 5.11.1 to 5.11.2 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.11.1...r5.11.2) Updates `org.junit.jupiter:junit-jupiter-params` from 5.11.1 to 5.11.2 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.11.1...r5.11.2) --- updated-dependencies: - dependency-name: org.junit.jupiter:junit-jupiter-engine dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.junit.jupiter:junit-jupiter-params dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 429e575b..244bacbb 100644 --- a/pom.xml +++ b/pom.xml @@ -81,7 +81,7 @@ 3.3.1 3.5.0 2.0.16 - 5.11.1 + 5.11.2 From f2fb074e0d1e88c53d5bb31d933d4904ddeffc02 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 05:50:59 +0000 Subject: [PATCH 18/21] Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.0 to 3.5.1 Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.5.0 to 3.5.1. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.0...surefire-3.5.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 429e575b..da118706 100644 --- a/pom.xml +++ b/pom.xml @@ -79,7 +79,7 @@ 3.1.3 3.10.0 3.3.1 - 3.5.0 + 3.5.1 2.0.16 5.11.1 From 6cdf6a9d66531eb9afa21e42aa558fcfeb7e850b Mon Sep 17 00:00:00 2001 From: Lubos Racansky Date: Mon, 7 Oct 2024 08:31:57 +0200 Subject: [PATCH 19/21] Fix invalid links in the documentation A follow-up #646 --- docs/Activation-Code.md | 2 +- docs/Activation-via-Activation-Code.md | 2 +- docs/Activation-via-Custom-Credentials.md | 2 +- docs/Activation-via-Recovery-Code.md | 4 ++-- docs/Activation.md | 2 +- docs/Advanced-Activation-Flows.md | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/Activation-Code.md b/docs/Activation-Code.md index aeace32d..ca1cadb1 100644 --- a/docs/Activation-Code.md +++ b/docs/Activation-Code.md 
@@ -7,7 +7,7 @@ The PowerAuth protocol 3, defines a new version of activation code, where OTP Notes: -> 1. PowerAuth protocol V2 defines OTP as a part of activation code. It's completely unrelated to an OTP described in chapter [Advanced Activation Flows](Advanced-Activation-Flows). +> 1. PowerAuth protocol V2 defines OTP as a part of activation code. It's completely unrelated to an OTP described in chapter [Advanced Activation Flows](./Advanced-Activation-Flows.md). ## Code Construction diff --git a/docs/Activation-via-Activation-Code.md b/docs/Activation-via-Activation-Code.md index 52216ee2..90346749 100644 --- a/docs/Activation-via-Activation-Code.md +++ b/docs/Activation-via-Activation-Code.md @@ -143,5 +143,5 @@ Note that the activation commit step can be skipped in case activation is commit - [Activation via Custom Credentials](./Activation-via-Custom-Credentials.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Advanced Activation Flows](Advanced-Activation-Flows) +- [Advanced Activation Flows](./Advanced-Activation-Flows.md) diff --git a/docs/Activation-via-Custom-Credentials.md b/docs/Activation-via-Custom-Credentials.md index 15c7751b..506fc716 100644 --- a/docs/Activation-via-Custom-Credentials.md +++ b/docs/Activation-via-Custom-Credentials.md @@ -72,4 +72,4 @@ However, if the particular use case requires different handling, the enrollment - [Activation via Recovery Code](./Activation-via-Recovery-Code.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Advanced Activation Flows](Advanced-Activation-Flows) \ No newline at end of file +- [Advanced Activation Flows](./Advanced-Activation-Flows.md) \ No newline at end of file diff --git a/docs/Activation-via-Recovery-Code.md b/docs/Activation-via-Recovery-Code.md index 914bb3eb..ee5bf2e2 100644 --- a/docs/Activation-via-Recovery-Code.md +++ b/docs/Activation-via-Recovery-Code.md 
@@ -54,7 +54,7 @@ In the second scenario, the mobile application acts as a replacement for a typic For all cases, we recommend you to implement the following countermeasures: -- Confirm the recovery activation with an OTP as described in chapter [Advanced Activation Flows](Advanced-Activation-Flows). +- Confirm the recovery activation with an OTP as described in chapter [Advanced Activation Flows](./Advanced-Activation-Flows.md). - Your application should receive a push notification once the activation is recovered on another device. - You should also notify the user via other digital channel, like SMS or e-mail. - You should adequately inform the user about how sensitive Recovery Code and PUK are. @@ -248,4 +248,4 @@ The format of Recovery PUK is very simple: - [Activation via Custom Credentials](./Activation-via-Custom-Credentials.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Advanced Activation Flows](Advanced-Activation-Flows) +- [Advanced Activation Flows](./Advanced-Activation-Flows.md) diff --git a/docs/Activation.md b/docs/Activation.md index 6db83f78..8e00bd72 100644 --- a/docs/Activation.md +++ b/docs/Activation.md @@ -82,4 +82,4 @@ The following diagram shows transitions between activation states: - [Activation via Custom Credentials](./Activation-via-Custom-Credentials.md) - [Checking Activation Status](./Activation-Status.md) - [Key Derivation](./Key-derivation.md) -- [Advanced Activation Flows](Advanced-Activation-Flows) +- [Advanced Activation Flows](./Advanced-Activation-Flows.md) diff --git a/docs/Advanced-Activation-Flows.md b/docs/Advanced-Activation-Flows.md index 1c5fabf6..4513d664 100644 --- a/docs/Advanced-Activation-Flows.md +++ b/docs/Advanced-Activation-Flows.md 
@@ -1,4 +1,4 @@ -# [Advanced Activation Flows] +# Advanced Activation Flows This part of the documentation describes in detail advanced customizations of the activation process: how the commit phase can be changed as well as usage of additional activation OTP. So, before you start, you should be familiar with actors and processes defined for the [regular activation](Activation.md). From 9038799fb8424dcfb70cbcd706066dd80fd9f49e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roman=20=C5=A0trobl?= Date: Mon, 7 Oct 2024 21:57:16 +0800 Subject: [PATCH 20/21] Fix #660: Fix documentation for iat and iat_ms in temporary keys (#661) --- docs/Temporary-Encryption-Keys.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Temporary-Encryption-Keys.md b/docs/Temporary-Encryption-Keys.md index 216f80b2..c8136993 100644 --- a/docs/Temporary-Encryption-Keys.md +++ b/docs/Temporary-Encryption-Keys.md @@ -26,7 +26,7 @@ The server then takes the request, generates a random temporary encryption key p - `applicationKey` - back reference to the original data - `challenge` - back reference to the original data - `publicKey` - temporary encryption public key -- `iss` / `iss_ms` - temporary key pair issuance timestamp +- `iat` / `iat_ms` - temporary key pair issuance timestamp - `exp` / `exp_ms` - temporary key pair expiration timestamp The client app should process the response by verifying the signature and checking that the application key and challenge match the expected value. Then, the client app can accept the public key with given key identifier. 
@@ -52,7 +52,7 @@ The server then takes the request, generates a random temporary encryption key p - `activationId` - back reference to the original data - `challenge` - back reference to the original data - `publicKey` - temporary encryption public key -- `iss` / `iss_ms` - temporary key pair issuance timestamp +- `iat` / `iat_ms` - temporary key pair issuance timestamp - `exp` / `exp_ms` - temporary key pair expiration timestamp The client app should process the response by verifying the signature and checking that the application key, activation ID and challenge match the expected value. Then, the client app can accept the public key with given key identifier. From e52f5dcc9cc93d3b5b3ff95213f9205dcb3b65ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Ra=C4=8Dansk=C3=BD?= Date: Thu, 10 Oct 2024 07:18:01 +0200 Subject: [PATCH 21/21] Fix #647: Set release version to 1.9.0 (#649) --- pom.xml | 2 +- powerauth-java-crypto/pom.xml | 2 +- powerauth-java-http/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 93a48eef..13f53a14 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ io.getlime.security powerauth-crypto-parent - 1.9.0-SNAPSHOT + 1.9.0 pom 2016 diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index 26942701..5b342907 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -26,7 +26,7 @@ io.getlime.security powerauth-crypto-parent - 1.9.0-SNAPSHOT + 1.9.0 diff --git a/powerauth-java-http/pom.xml b/powerauth-java-http/pom.xml index c781d8c7..4052e9f9 100644 --- a/powerauth-java-http/pom.xml +++ b/powerauth-java-http/pom.xml @@ -28,7 +28,7 @@ io.getlime.security powerauth-crypto-parent - 1.9.0-SNAPSHOT + 1.9.0