�

N�hGU����dZd
dl
Z
d
dlZd
dlZd
dlZd
dlmZ
d
dlmZ
d
dlmZ
d
dl	m
Z

d
dlmZ
d
dlm
Z

d
d	lmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
dlmZ
d
dlmZ
d
dlmZ
d
dlm Z 
d
dlm!Z!
d
dlm"Z"
d
dl#m$Z$
d
dl%m&Z'
d
dl(m)Z)
d
dl(m*Z*
d
dl(m+Z+
d
dl,m-Z-
erd
dl.m/Z/
d
dl0m1Z1
d
dl2m3Z3
d
dl4m5Z5
ejle7�
Z8			dWd e9d!ee:d"e:d#e:d$e:d%e;d&e+jxfd'�Z=	dXd(e+jxd)ee>e:e?e:fd*ee:d+e;d%e;d&e+j�fd,�ZAd-eBd&e;fd.�ZCd-eBd(eBd&e;fd/�ZDd0e:d1eBd&eEe'j�e+j�e>e:ffd2�ZG		dYd3e9d"e:d#ee:d&eBfd4�ZHd(ee:eBfd&e;fd5�ZId6e*j�d&dfd7�ZKd6e*j�d&dfd8�ZLd9eed:d;eed<d=fd>eBd?eBd@ej�d&df
dA�ZNdBe:dCe:d&dfdD�ZOd6e*j�d&dfdE�ZPe'j�j�f
dFeBdGee'j�e9fd&e>e:fdH�ZRe'j�j�f
dFeBdGee'j�e9fd&e>e:fdI�ZSe'j�j�f
d-eBdGee'j�e9fd&e>e:fdJ�ZTdBe:d&e
jfdK�ZUdBe:d&e
jfdL�ZVdMe:d&e:fdN�ZWej�dOej��ZZdPe:d&eEe:e:ffdQ�Z[dBe:d&e9fdR�Z\	dZdSe>e:dTe:dUe;d&e:fdV�Z]y)[z�Certbot client crypto utility functions.

.. todo:: Make the transition to use PSS rather than PKCS1_v1_5 when the server
    is capable of handling the signatures.

�N)
�Optional)
�
TYPE_CHECKING)
�Union)
�x509)
�InvalidSignature)
�UnsupportedAlgorithm)
�default_backend)
�hashes)
�
serialization)
�ec)
�rsa)
�DSAPublicKey)
�ECDSA)
�EllipticCurvePublicKey)
�PKCS1v15)
�RSAPublicKey)
�Encoding)
�NoEncryption)
�
PrivateFormat)
�SSL)
�crypto_util)
�errors)
�
interfaces)
�util)
�os)
�Ed448PublicKey)
�Ed25519PublicKey)
�
X448PublicKey)
�X25519PublicKey�key_size�key_dir�key_type�elliptic_curve�keyname�strict_permissions�returnc�D�	t
||x
s
d
|��}d}|
r�t
j|
d|�
t
jtjj|
|�d	d
�\}	}|	5
|	j|�

ddd�
|dk(rtjd||�
ntjd
||�
t
j||�S#t$r=}tjdd��
tj	dt|�
�
|�
d}~w
wxYw
#1s
w
Y

��xYw
)a$Initializes and saves a privkey.

    Inits key and saves it in PEM format on the filesystem.

    .. note:: keyname is the attempted filename, it may be different if a file
        already exists at the path.

    :param int key_size: key size in bits if key size is rsa.
    :param str key_dir: Optional key save directory.
    :param str key_type: Key Type [rsa, ecdsa]
    :param str elliptic_curve: Name of the elliptic curve if key type is ecdsa.
    :param str keyname: Filename of key
    :param bool strict_permissions: If true and key_dir exists, an exception is raised if
        the directory doesn't have 0700 permissions or isn't owned by the current user.

    :returns: Key
    :rtype: :class:`certbot.util.Key`

    :raises ValueError: If unable to generate the key given key_size.

    �	secp256r1)�bitsr#r"�T�
�exc_infoz&Encountered error while making key: %sNi�
i�
�wbr
z Generating RSA key (%d bits): %sz"Generating ECDSA key (%d bits): %s)�make_key�
ValueError�logger�debug�error�strr�make_or_verify_dir�unique_filer�path�join�write�Key)
r r!r"r#r$r%�key_pem�err�key_path�key_fs
          ��/build/snapcraft-certbot-c9561b03ef7f16aa90eb6754ca5f17a1/parts/certbot/install/lib/python3.12/site-packages/certbot/crypto_util.py�generate_keyr?3s���0���.�*G�K�RZ�
���H�������0B�C��*�*��G�G�L�L��'�*�E�4�
9���x�
�
	!��K�K�� �
	!��u���L�L�;�X�x�P��L�L�=�x��R��8�8�H�g�&�&��%�����R�$��'����=�s�3�x�H��	����
	!�
	!�s#�C
�)D�
	D�8D�D�D�privkey�namesr6�must_staplec�
�t
j|j|
|�
�}d}|r�tj|d|�
tj
tjj|d�dd�\}}|5
|j|�

ddd�
tjd|�
tj||d�S#1s
w
Y

�6xYw
)	aCInitialize a CSR with the given private key.

    :param privkey: Key to include in the CSR
    :type privkey: :class:`certbot.util.Key`
    :param set names: `str` names to include in the CSR
    :param str path: Optional certificate save directory.
    :param bool must_staple: If true, include the TLS Feature extension "OCSP Must-Staple"
    :param bool strict_permissions: If true and path exists, an exception is raised if
        the directory doesn't have 0755 permissions or isn't owned by the current user.

    :returns: CSR
    :rtype: :class:`certbot.util.CSR`

    )
rBNi�
zcsr-certbot.pemi�
r-zCreating CSR: %s�pem)
�acme_crypto_util�make_csrrDrr4r5rr6r7r8r0r1�CSR)r@rAr6rBr%�csr_pem�csr_filename�csr_fs        r>�generate_csrrKds��� �'�'����U��
5�G��L������e�-?�@�"�.�.��G�G�L�L��0�1�5�$�
@
���|�
�
	!��K�K�� �
	!����'��6��8�8�L�'�5�1�1�	
	!�
	!�s�8B?�?C�csrc
��	t
j|�
}
|
jS#ttf$r
t
j
d
d��
YywxYw
)z�Validate CSR.

    Check if `csr` is a valid CSR with a correct self-signed signature.

    :param bytes csr: CSR in PEM.

    :returns: Validity of CSR.
    :rtype: bool

    r*Tr+F)r�load_pem_x509_csr�is_signature_validr/�	TypeErrorr0r1)rL�reqs  r>�	valid_csrrR�sJ����$�$�S�)���%�%�%���	�"�����R�$��'���s� #�&A�
Ac��t
j|�
}tj|
d
��}|jx
r!
|j�|j�k(S)z�Does private key correspond to the subject public key in the CSR?

    :param bytes csr: CSR in PEM.
    :param bytes privkey: Private key file contents (PEM)

    :returns: Correspondence of private key to CSR subject public key.
    :rtype: bool

    N�
�password)rrNr�load_pem_private_keyrO�
public_key)rLr@rQ�pkeys    r>�csr_matches_pubkeyrY�sJ���
 �
 ��
%�C��-�-�g��E�D��!�!�K�c�n�n�&6�$�/�/�:K�&K�K��csrfile�datac��
�	t
j|
�
}tj|j|j�}|jtjj�
}tjjt!j"||d��|fS#t$rK
	t
j|
�
}n1#t$r%
t	j
d
j
|�
�
�
wxYw
Y��wxYw
)a9
Import a CSR file, which can be either PEM or DER.

    :param str csrfile: CSR filename
    :param bytes data: contents of the CSR file

    :returns: (`acme_crypto_util.Format.PEM`,
               util.CSR object representing the CSR,
               list of domains requested in the CSR)
    :rtype: tuple

    zFailed to parse CSR file: {0}rD)�filer\�form)r�load_der_x509_csrr/rNr�Error�formatrE�%get_names_from_subject_and_extensions�subject�
extensions�public_bytesrr�PEM�FormatrrG)r[r\rL�domains�data_pems     r>�import_csr_filerk�s���P
��$�$�T�*���D�D�S�[�[�RU�R`�R`�a�G����
� 6� 6� :� :�;�H����#�#����g�H�5�9������P
�	P
��(�(��.�C���
	P
��,�,�>�E�E�g�N�O�O�
	P
��
�P
�s)�B�	C1�'B=�<
C1�=.C+�+C1�0
C1r)c�d�|
d
k(rA|dkr$t
jdj|�
�
�
tjd|��}n�|
dk(r�|st
jd�
�
	|j�}|dvr]t
t|j��}|st
jd	|���
�
tj|�t��
�}n$t
jdj|�
�
�
n$t
jd
j|
�
�
�
|jtjtj t#���S#t$r%
t
jdj|�
�
�
t$r$}|t
jt|�
�
�d}~w
wxYw
)a�
Generate PEM encoded RSA|EC key.

    :param int bits: Number of bits if key_type=rsa. At least 2048 for RSA.
    :param str key_type: The type of key to generate, but be rsa or ecdsa
    :param str elliptic_curve: The elliptic curve to use.

    :returns: new RSA or ECDSA key in PEM form with specified number of bits
              or of type ec_curve when key_type ecdsa is used.
    :rtype: bytes

    r
�zUnsupported RSA key length: {}i

)�public_exponentr �ecdsaz3When key_type == ecdsa, elliptic_curve must be set.)�	SECP256R1�	SECP384R1�	SECP521R1zInvalid curve type: )�curve�backendzUnsupported elliptic curve: {}Nz0Invalid key_type specified: {}.  Use [rsa|ecdsa])�encodingrb�encryption_algorithm)rrarbr
�generate_private_key�upper�getattrrr	rPrr3�
private_bytesrrgr�PKCS8r)r)r"r#�key�namers�
es       r>r.r.�sz
���5���$�;��,�,�?�F�F�t�L�M�M��&�&�u�t�L��	�W�	���,�,�T�U�U�	.�!�'�'�)�D��>�>���N�$8�$8�$:�;��� �,�,�)=�n�=M�'N�O�O��-�-��'�+�-���
�l�l�#C�#J�#J�>�#Z�[�[���l�l�M�T�T�U]�^�_�_��������"�"�)�^�����
�
	X
��,�,�?�F�F�~�V�W�W�#�
	.�����c�!�f�-�-��
	.�s�$BE�5F/�F*�*F/c
��t
|t�r|j�}	tj|d
��
y#t
$r
YywxYw
)z�Is valid RSA private key?

    :param privkey: Private key file contents in PEM

    :returns: Validity of private key.
    :rtype: bool

    NrTTF)�
isinstancer3�encoderrVr/)
r@s
 r>�
valid_privkeyr��sH���'�3���.�.�"����*�*�7�T�B����
��
�s�:�	A�
A�renewable_certc
�p�t
|�

t|�

t|j|j�
y
)a�
For checking that your certs were not corrupted on disk.

    Several things are checked:
        1. Signature verification for the cert.
        2. That fullchain matches cert and chain when concatenated.
        3. Check that the private key matches the certificate.

    :param renewable_cert: cert to verify
    :type renewable_cert: certbot.interfaces.RenewableCert

    :raises errors.Error: If verification fails.
    N)�verify_renewable_cert_sig�verify_fullchain�verify_cert_matches_priv_key�	cert_pathr<)
r�s
 r>�verify_renewable_certr�
s*���n�-��^�$� ��!9�!9�>�;R�;R�SrZc
��	t
|jd
�5}
tj|
j	�t��}ddd�
t
|jd
�5}tj|j	�t��}ddd�
j�}jsJ�
t||j|j|j�
y#1s
w
Y

��xYw
#1s
w
Y

�`xYw
#tttf$rK}dj|j|�}t j#|�

t%j&|�
�
d}~w
wxYw
)z�Verifies the signature of a RenewableCert object.

    :param renewable_cert: cert to verify
    :type renewable_cert: certbot.interfaces.RenewableCert

    :raises errors.Error: If signature verification fails.
    �rbNzbverifying the signature of the certificate located at {0} has failed.                 Details: {1})�open�
chain_pathr�load_pem_x509_certificate�readr	r�rW�signature_hash_algorithm�verify_signed_payload�	signature�tbs_certificate_bytes�OSErrorr/rrbr0�	exceptionrra)r��
chain_file�chain�	cert_file�cert�pkr~�	error_strs        r>r�r� 
s%
��
&�
�.�+�+�T�
2�
	Y
�j��2�2�:�?�?�3D�o�FW�X�E�
	Y
�
�.�*�*�D�
1�
	W
�Y��1�1�)�.�.�2B�O�DU�V�D�
	W
�
�
�
�
���,�,�,�,��b�$�.�.�$�2L�2L� $� =� =�
	?�

	Y
�
	Y
��
	W
�
	W
��
�Z�!1�2�&�
�$�f�^�%=�%=�q�A�	�����#��l�l�9�%�%��	&�sH�C;�-C#�C;�#-C/�AC;�#C,�(C;�/C8�4C;�;E�AE�ErWrrrrr��payloadr�c���t
|t�r|j|
|t�|�
yt
|t�r|j|
|t|�
�
yt
jd
�
�
)a�
Check the signature of a payload.

    :param RSAPublicKey/EllipticCurvePublicKey public_key: the public_key to check signature
    :param bytes signature: the signature bytes
    :param bytes payload: the payload bytes
    :param hashes.HashAlgorithm signature_hash_algorithm: algorithm used to hash the payload

    :raises InvalidSignature: If signature verification fails.
    :raises errors.Error: If public key type is not supported
    zUnsupported public key type.N)r�r�verifyrrrrra)rWr�r�r�s    r>r�r�8
sb���*�l�+�����w��
�,D�	
�
�J� 6�	7�����w��&>� ?�	
��l�l�9�:�:rZr�r<c�l
�	t
jtj�
}|j|�

|j	|
�

|j�
y#ttjf$rB}d
j||
|�}tj|�

tj|�
�
d}~w
wxYw
)z� Verifies that the private key and cert match.

    :param str cert_path: path to a cert in PEM format
    :param str key_path: path to a private key file

    :raises errors.Error: If they don't match.
    z�verifying the certificate located at {0} matches the                 private key located at {1} has failed.                 Details: {2}N)r�Context�
TLS_METHOD�use_certificate_file�use_privatekey_file�check_privatekeyr�rarbr0r�r)r�r<�contextr~r�s     r>r�r�S
s���&��+�+�c�n�n�-���$�$�Y�/��#�#�H�-�� � �"���S�Y�Y��&��$�f�Y� �!�
%�	�	����#��l�l�9�%�%��
&�s�AA�B3�1=B.�.B3c
��	t
|j�
5}
|
j�}d
d
d
�
t
|j�
5}|j�}d
d
d
�
t
|j�
5}|j�}d
d
d
�
zk7r2d}|j|j�
}tj|�
�
y
#1s
w
Y

��xYw
#1s
w
Y

�~xYw
#1s
w
Y

�\xYw
#t$r@}dj|�
}tj|�

tj|�
�
d
}~w
tj$r}|�
d
}~w
wxYw
)z� Verifies that fullchain is indeed cert concatenated with chain.

    :param renewable_cert: cert to verify
    :type renewable_cert: certbot.interfaces.RenewableCert

    :raises errors.Error: If cert and chain do not combine to fullchain.
    Nz.fullchain does not match cert + chain for {0}!z8reading one of cert, chain, or fullchain has failed: {0})r�r�r�r��fullchain_pathrb�lineagenamerrar�r0r�)	r�r�r�r�r��fullchain_file�	fullchainr�r~s	         r>r�r�i
s(
���
�.�+�+�
,�
	&�
��O�O�%�E�
	&�
�.�*�*�
+�
	$�y��>�>�#�D�
	$�
�.�/�/�
0�
	.�N�&�+�+�-�I�
	.��5�L�Y�&�H�I�!�(�(��)C�)C�D�I��,�,�y�)�)�'�

	&�
	&��
	$�
	$��
	.�
	.���&�N�U�U�VW�X�	�����#��l�l�9�%�%���<�<�
����
�sj�C+�C�C+�C�C+�3C�AC+�C�C+�C�C+�C(�$C+�+	E�4;D/�/E�E�Er��typc��
�t
j|
�
}
|
tjjk(rtj|�
}n4|
tjj
k(sJ�
tj|�
}	|jjtj�
}|jjtj�
S#tj$r
gcYSwxYw
)
z�Get a list of Subject Alternative Names from a certificate.

    :param str cert: Certificate (encoded).
    :param Format typ: Which format the `cert` bytes are in.

    :returns: A list of Subject Alternative Names.
    :rtype: list

    )rErhrgrr��DER�load_der_x509_certificatere�get_extension_for_class�SubjectAlternativeName�ExtensionNotFound�value�get_values_for_type�DNSName)r�r��	x509_cert�san_exts    r>�get_sans_from_certr��
s����
!�
!�#�
&�C�
��%�%�)�)�)��2�2�4�8�	��&�-�-�1�1�1�1�1��2�2�4�8�	���&�&�>�>��'�'�
���=�=�,�,�T�\�\�:�:���!�!�
��	�
�s�>)C�C(�'
C(c�N
�t
j|
�
}
|
tjjk(rtj|�
}n4|
tjj
k(sJ�
tj|�
}t
j|j|j�S)
z�Get a list of domains from a cert, including the CN if it is set.

    :param str cert: Certificate (encoded).
    :param Format typ: Which format the `cert` bytes are in.

    :returns: A list of domain names.
    :rtype: list

    )
rErhrgrr�r�r�rcrdre)r�r�r�s   r>�get_names_from_certr��
s����
!�
!�#�
&�C�
��%�%�)�)�)��2�2�4�8�	��&�-�-�1�1�1�1�1��2�2�4�8�	��A�A����9�/�/��rZc�N
�t
j|
�
}
|
tjjk(rtj|�
}n4|
tjj
k(sJ�
tj|�
}t
j|j|j�S)
z�Get a list of domains from a CSR, including the CN if it is set.

    :param str csr: CSR (encoded).
    :param acme_crypto_util.Format typ: Which format the `csr` bytes are in.
    :returns: A list of domain names.
    :rtype: list

    )
rErhrgrrNr�r`rcrdre)rLr��x509_reqs   r>�get_names_from_reqr��
s����
!�
!�#�
&�C�
��%�%�)�)�)��)�)�#�.���&�-�-�1�1�1�1�1��)�)�#�.���A�A����(�-�-��rZc
��t
|d
�5}
tj|
j��
}ddd�
|jS#1s
w
Y

jSxYw
)z�When does the cert at cert_path start being valid?

    :param str cert_path: path to a cert in PEM format

    :returns: the notBefore value from the cert at cert_path
    :rtype: :class:`datetime.datetime`

    r�N)r�rr�r��not_valid_before_utc�r��
fr�s   r>�	notBeforer��
sN��
�i��	�
8�!��-�-�a�f�f�h�7��
8��$�$�$�
8��$�$�$���$A�Ac
��t
|d
�5}
tj|
j��
}ddd�
|jS#1s
w
Y

jSxYw
)z�When does the cert at cert_path stop being valid?

    :param str cert_path: path to a cert in PEM format

    :returns: the notAfter value from the cert at cert_path
    :rtype: :class:`datetime.datetime`

    r�N)r�rr�r��not_valid_after_utcr�s   r>�notAfterr��
sN��
�i��	�
8�!��-�-�a�f�f�h�7��
8��#�#�#�
8��#�#�#�r��filenamec
�
�t
j�}
t|d
�5}|
j|j	�jd�
�

ddd�
|
j
�S#1s
w
Y

|
j
�SxYw
)aN
Compute a sha256sum of a file.

    NB: In given file, platform specific newlines characters will be converted
    into their equivalent unicode counterparts before calculating the hash.

    :param str filename: path to the file whose hash will be computed

    :returns: sha256 digest of the file in hexadecimal
    :rtype: str
    �
rzUTF-8N)�hashlib�sha256r��updater�r��	hexdigest)r�r��file_ds   r>�	sha256sumr��
sg���^�^�
�F�	
�h��	�
5���
�
�f�k�k�m�*�*�7�3�4�
5������
5������s�/A(�(Bs@-----BEGIN CERTIFICATE-----
?
.+?
?
-----END CERTIFICATE-----
?
�
fullchain_pemc
�x
�tj|j��
}
t|
�
d
krt	j
d�
�
g}|
D]U}t
j|�
}|jtj�
}|j|j��

�W|ddj|dd�
fS)a
Split fullchain_pem into cert_pem and chain_pem

    :param str fullchain_pem: concatenated cert + chain

    :returns: tuple of string cert_pem and chain_pem
    :rtype: tuple

    :raises errors.Error: If there are less than 2 certificates in the chain.

    �zPfailed to parse fullchain into cert and chain: less than 2 certificates in chainrr*�
N)�CERT_PEM_REGEX�findallr��lenrrarr�rfrrg�append�decoder7)r��certs�certs_normalized�cert_pemr�s     r>�cert_and_chain_from_fullchainr�s���
�"�"�=�#7�#7�#9�:�E�
�5�z�A�~��l�l�
?�
@
�
	@
�
#%���3���-�-�h�7���$�$�X�\�\�2�������� 1�2�3�
�Q�����)9�!�"�)=�!>�?�?rZc
��t
|d
�5}
tj|
j��
}ddd�
|jS#1s
w
Y

jSxYw
)z�Retrieve the serial number of a certificate from certificate path

    :param str cert_path: path to a cert in PEM format

    :returns: serial number of the certificate
    :rtype: int
    r�N)r�rr�r��
serial_numberr�s   r>�get_serial_from_certr�$sN��
�i��	�
8�!��-�-�a�f�f�h�7��
8�����
8�����r��
fullchains�	issuer_cn�warn_on_no_matchc�j
�|D]�}tj|j��
}tj|d
t��}|jjtjj�
}|s
�}|dj|
k(s
��|c
S|rtjd|
�
|dS)a'Chooses the first certificate chain from fullchains whose topmost
    intermediate has an Issuer Common Name matching issuer_cn (in other words
    the first chain which chains to a root whose name matches issuer_cn).

    :param fullchains: The list of fullchains in PEM chain format.
    :type fullchains: `list` of `str`
    :param `str` issuer_cn: The exact Subject Common Name to match against any
        issuer in the certificate chain.

    :returns: The best-matching fullchain, PEM-encoded, or the first if none match.
    :rtype: `str`
    ���rz�Certbot has been configured to prefer certificate chains with issuer '%s', but no chain from the CA matched this issuer. Using the default certificate chain instead.)
r�r�r�rr�r	�issuer�get_attributes_for_oid�NameOID�COMMON_NAMEr�r0�warning)r�r�r�r�r��top_cert�
top_issuer_cns       r>�find_chain_with_issuerr�1s�������&�&�u�|�|�~�6���1�1�%��)�_�=N�O�� ���>�>�t�|�|�?W�?W�X�
��]�1�-�3�3�y�@��L������=�>G�	I
��a�=�rZ)r
r(zkey-certbot.pemT)FT)rmr
N)
F)^�__doc__�datetimer��logging�re�typingrrr�cryptographyr�cryptography.exceptionsrr�cryptography.hazmat.backendsr	�cryptography.hazmat.primitivesr
r�)cryptography.hazmat.primitives.asymmetricrr
�-cryptography.hazmat.primitives.asymmetric.dsar�,cryptography.hazmat.primitives.asymmetric.ecrr�1cryptography.hazmat.primitives.asymmetric.paddingr�-cryptography.hazmat.primitives.asymmetric.rsar�,cryptography.hazmat.primitives.serializationrrr�OpenSSLr�acmerrE�certbotrrr�certbot.compatr�/cryptography.hazmat.primitives.asymmetric.ed448r�1cryptography.hazmat.primitives.asymmetric.ed25519r�.cryptography.hazmat.primitives.asymmetric.x448r�0cryptography.hazmat.primitives.asymmetric.x25519r�	getLogger�__name__r0�intr3�boolr9r?�list�setrGrK�bytesrRrY�tuplerhrkr.r��
RenewableCertr�r��
HashAlgorithmr�r�r�rgr�r�r�r�r�r��compile�DOTALLr�r�r�r��rZr>�<module>r

s7�


�
�
���	�� ���4�8�8�1�8�8�9�F�>�O�F�F�A�E�F��0������N�R�L�P�	��	�	�8�	$��
I
N
�CT�,0�.
'�3�.
'��#��.
'�#�.
'�!$�.
'�=@�.
'�%)�.
'�59�X�X�.
'�d
H
L
�
2�$�(�(�
2�5��c��C��H�1D�+E�
2�X�VY�]�
2�"�
2�@D�
2�PT�PX�PX�
2�J

�5�
�T�
�&
L
�E�
L
�E�
L
�d�
L
�
�
�
��
�
��"�"�D�H�H�d�3�i�7�8�
�B
05�-1�,
�3�,
��,
�%�c�]�,
�6;�,
�^

�5��e��,�
��
�&
T
�*�*B�*B�
T
�t�
T
�$
&�j�.F�.F�
&�4�
&�0
;�e�L�:L�N^�,B�L�,=��-O
�'P
�
;�&+�
;�6;�
;�5;�4H�4H�	
;�N
R
�	
;�6
&�C�
&�3�
&�4�
&�,
�Z�%=�%=�
�$�
�8=M
�<S�<S�<W�<W�
;�
�
;��,�3�3�S�8�9�
;�	�#�Y�
;�<=M
�<S�<S�<W�<W�
�
�
��,�3�3�S�8�9�
�	�#�Y�
�0<L
�;R�;R�;V�;V�
�	�
��+�2�2�C�7�8�
�	�#�Y�
�,
%��
%��!2�!2�
%�
$��
$�� 1� 1�
$�
��
��
�$������I�I���
@
��
@
��s�C�x��
@
�>

�C�

�C�

�5:�
�t�C�y�
�S�
�-1�
�>A�
rZ