PNG  IHDR;IDATxܻn0K )(pA 7LeG{ §㻢|ذaÆ 6lذaÆ 6lذaÆ 6lom$^yذag5bÆ 6lذaÆ 6lذa{ 6lذaÆ `}HFkm,mӪôô! x|'ܢ˟;E:9&ᶒ}{v]n&6 h_tڠ͵-ҫZ;Z$.Pkž)!o>}leQfJTu іچ\X=8Rن4`Vwl>nG^is"ms$ui?wbs[m6K4O.4%/bC%t Mז -lG6mrz2s%9s@-k9=)kB5\+͂Zsٲ Rn~GRC wIcIn7jJhۛNCS|j08yiHKֶۛkɈ+;SzL/F*\Ԕ#"5m2[S=gnaPeғL lذaÆ 6l^ḵaÆ 6lذaÆ 6lذa; _ذaÆ 6lذaÆ 6lذaÆ RIENDB` ELF>2@@8@l4l4 88%8%F8S <<%<%  $$PtdQtdRtd88%8%((GNU P):}>b @( H`E PQ* )RXbcfhjpqrvxz{}~cSrT2Eq^qXź|XvY͉atg7BEЉ(JccU`mBgPDV{oVk0@$RG,vٹ~E};. Cm Xg  w   d = &   V01  <}| 8 w   tK(k Wu bZ\ + L9y|b  ?* 2ONH{\e '/U.jQg` bc< X ?AQ,P% 28 + c    S J b   *nn |s z) N @>]u l= f zs= 8  rL&s P, ?a5 B  r1 Or , "  =\Za H ABX^KIlDoX8  2E'2v L R"'# 'Y J.y P+Y l  y  -t  ,Z'l   oBf'6 v " 7I @  0S'( ' p!  <%! u q  +Y W -k| Z v4  3;%X  @__gmon_start___init_fini_ITM_deregisterTMCloneTable_ITM_registerTMCloneTable__cxa_finalize_Jv_RegisterClasses_Py_NoneStructPyTuple_TypePyExc_TypeErrorPyErr_FormatSECOID_DestroyAlgorithmIDPyString_FromStringAndSizestrlenPyList_NewPyList_SetItemPyObject_AsReadBuffer__stack_chk_failSECOID_FindOIDTagPyInt_FromLong_PyArg_ParseTupleAndKeywords_SizeTPyTuple_SizePyMem_FreePORT_NewArena_PyObject_CallMethod_SizeTPORT_FreeArenaPyNumber_LshiftPyNumber_OrPyObject_StrPyString_FromFormatPyTuple_NewPyTuple_SetItemPyList_AppendPyList_SizePyList_GetItemPySequence_SizePySequence_GetItem_Py_ZeroStruct_Py_TrueStructPyExc_ValueErrorPyErr_SetStringPyString_ConcatAndDelmallocmemmovePyErr_NoMemoryPyExc_MemoryErrorPyString_FromStringPyString_FormatKEYPQGParams_format_linesSECKEY_DestroyPublicKeyPyBool_TypePyType_IsSubtypePyEval_SaveThreadPyString_AsStringCERT_ImportCertsPyEval_RestoreThreadCERT_DupCertificateCERT_DestroyCertArrayPyObject_CheckReadBufferCERT_GetDefaultCertDBPyList_SortstrcasecmpPyUnicodeUCS4_AsUTF8StringPyInt_AsLongstrncasecmp__ctype_b_locPyDict_GetItemSEC_StringToOIDSECITEM_FreeItemPyExc_KeyError_Py_BuildValue_SizeT_PyArg_ParseTuple_SizeT__snprintf_chkPyTuple_GetSliceCERT_CheckOCSPStatusCERT_VerifyCertificateCERT_DestroyCertificateCERT_VerifyCertificateNowCERT_IsCACertPyBool_FromLongCERT_CheckCertValidTimesPR_NowPORT_ArenaAllocSECITEM_CopyItemNSS_FindCertKEATypePORT_ZAllocCERT_DecodeTrustStringPORT_FreeCERT_ChangeCertTrustPORT_GetErrorPK11_AuthenticatePK11_GetInternalKeySlotSECKEY_DestroyPrivateKeyPyObject_MallocPyObject_InitPK11_KeyGenPK11_GetKeyLengthPK11_GetMechanismPK11_UnwrapSymKeyPK11_FreeSymKeyPK11_GetBestKeyLengthPK11_GetBestWrapMechanismPK11_GetDisabledReasonNSS_IsInitializedPK11_FreeSlotSEC_DestroyCrlCERT_DestroyNameCERT_AsciiToNameCERT_NameTemplateSEC_ASN1EncodeItemSEC_FindCrlByNamePORT_SetErrorCERT_CreateAVACERT_GetAVATagCERT_DecodeAVAValueCERT_RFC1485_EscapeAndQuoteCERT_GetOidStringPR_smprintf_freePyTuple_GetItemCERT_CreateRDNCERT_CopyRDNCERT_CreateNamePORT_ArenaMarkPORT_ArenaZAllocPORT_ArenaUnmarkPORT_ArenaReleaseCERT_CopyNameCERT_GetNextGeneralNamePyObject_SizePyExc_SystemErrorPyDict_SetItemPyModule_TypePyModule_GetDictPyModule_GetNameCERT_MakeCANicknamestrncmpPySys_WriteStderrSECITEM_ZfreeItemSEC_PKCS12DecoderFinishNSS_ShutdownContextSECITEM_ArenaDupItemCERT_SequenceOfCertExtensionTemplateSEC_ASN1DecodeItemPK11_DigestFinal_PyString_ResizePK11_CipherOpPK11_DestroyContextPORT_SetUCS2_ASCIIConversionFunctionPK11_IsFIPSPK11_FindCertsFromNicknameCERT_FilterCertListForUserCertsSEC_PKCS12CreateExportContextSEC_PKCS12AddPasswordIntegritySEC_PKCS12AddCertAndKeySEC_PKCS12CreateUnencryptedSafeSEC_PKCS12CreatePasswordPrivSafeCERT_DestroyCertListSEC_PKCS12DestroyExportContextSEC_PKCS12EncodePORT_UCS2_UTF8ConversionSECITEM_DupItemPyThreadState_GetDictPyDict_GetItemStringPyDict_SetItemStringPyDict_NewPyExc_RuntimeErrorSEC_PKCS5IsAlgorithmPBEAlgTagSEC_PKCS5GetPBEAlgorithmSEC_PKCS12EnableCipherstrstrstrchrNSSBase64_DecodeBufferCERT_DecodeDERCrlWithFlagsPK11_ImportCRLPK11_GetPadMechanismPK11_GetBlockSizePK11_GetIVLengthPK11_MechanismToAlgtagPK11_AlgtagToMechanismPK11_ImportSymKeyPK11_CreateContextBySymKeyPK11_LogoutAllHASH_ResultLenByOidTagPK11_HashBufSECOID_FindOIDByTagPyMem_Malloc__ctype_tolower_locCERT_GetCertNicknamesCERT_FreeNicknamesPK11_GenerateRandomPK11_FindKeyByAnyCertnss_DumpCertificateCacheInfoNSS_ShutdownNSS_InitContextNSS_InitializeNSS_NoDB_InitNSS_InitReadWriteNSS_InitNSS_GetVersionPyExc_AttributeErrorSECOID_FindOIDCERT_DecodeOidSequenceCERT_DestroyOidSequencePR_smprintfPR_IsNetAddrTypePR_NetAddrToStringPyExc_IndexErrorPyNumber_AsSsize_tPySlice_TypePySlice_GetIndicesExPyErr_OccurredPyUnicodeUCS4_DecodeUTF8DER_GeneralizedTimeToTimePR_GMTParametersPR_ExplodeTimePR_FormatTimeDER_UTCTimeToTimePyFloat_FromDoublePyUnicodeUCS4_DecodeUTF16PyUnicodeUCS4_DecodeUTF32CERT_DerNameToAsciimemcmpSEC_FindCrlByDERCertPK11_FindCertFromNicknameCERT_GetCommonNamePyFloat_TypePyFloat_AsDoubleCERT_VerifyCertNameNSS_CmpCertChainWCANamesCERT_FreeDistNamesPK11_GetTokenNamePK11_GetSlotNamePK11_ExtractKeyValuePK11_GetKeyDataPK11_WrapSymKeyPK11_DerivePK11_LogoutPK11_UserEnableSlotPK11_UserDisableSlotPK11_HasRootCertsPK11_IsDisabledPK11_ProtectedAuthenticationPathPK11_IsLoggedInPK11_IsRemovablePK11_IsFriendlyPK11_NeedUserInitPK11_NeedLoginPK11_IsInternalPK11_IsReadOnlyPK11_IsPresentPK11_IsHWSEC_DeletePermCRLCERT_NameToAsciiSECITEM_CompareItemCERT_GetCertUidCERT_GetDomainComponentNameCERT_GetOrgUnitNameCERT_GetOrgNameCERT_GetStateNameCERT_GetLocalityNameCERT_GetCountryNameCERT_GetCertEmailAddressCERT_AddRDNCERT_CompareNameCERT_DecodeGeneralNameCERT_DecodeAuthInfoAccessExtensionCERT_DecodeAuthKeyIDCERT_DecodeBasicConstraintValuePyGILState_EnsurePyObject_CallObjectPyGILState_ReleasePyErr_PrintPORT_AllocPORT_StrdupPyString_SizeSEC_PKCS12DecoderValidateBagsSEC_PKCS12DecoderImportBagsPyObject_IsTruePK11_FinalizePK11_DigestOpPK11_DigestBeginPK11_CloneContextPK11_DigestKeyCERT_DisableOCSPDefaultResponderCERT_EnableOCSPDefaultResponderCERT_ClearOCSPCacheCERT_SetOCSPTimeoutCERT_SetOCSPFailureModeCERT_OCSPCacheSettingsCERT_DisableOCSPCheckingCERT_EnableOCSPCheckingCERT_GetUsePKIXForValidationCERT_SetUsePKIXForValidationPyCallable_CheckSEC_PKCS12SetPreferredCipherPK11_TokenExistsPK11_NeedPWInitPK11_GenerateNewParamPK11_ParamFromAlgidPK11_ParamFromIVPK11_CreateDigestContextPK11_SetPasswordFuncPyDict_DelItemStringNSS_UnregisterShutdownNSS_RegisterShutdownNSS_VersionCheckSECKEY_PublicKeyStrengthPK11_PubWrapSymKeyPK11_ListCertsPK11_FindCertsFromEmailAddressPK11_ListCertsInSlotCERT_GetCertChainFromCertPyFile_FromStringPyObject_GetAttrStringCERT_SignedDataTemplateCERT_CertificateRequestTemplateCERT_VerifySignedDataWithPublicKeyInfoPyString_UTF8PyList_TypePyString_AsStringAndSizeCRLDistributionPt_format_linesCERT_SetOCSPDefaultResponderCERT_CopyAVAAlgorithmID_new_from_SECAlgorithmIDSECOID_CopyAlgorithmIDsecuPBEV2ParamsSEC_QuickDERDecodeItemSECOID_GetAlgorithmTagsecuPBEParamsTempsecuKDF2ParamsSECKEY_RSAPSSParamsTemplateSECOID_AlgorithmIDTemplateSECITEM_AllocItemSEC_PKCS12DecoderStartSEC_PKCS12DecoderUpdateSEC_PKCS12DecoderVerifySEC_PKCS12DecoderIterateInitSEC_PKCS12DecoderIterateNext_PyObject_CallFunction_SizeTKEYPQGParams_init_from_SECKEYPQGParamsKEYPQGParams_new_from_SECKEYPQGParamsRSAPublicKey_new_from_SECKEYRSAPublicKeyDSAPublicKey_new_from_SECKEYDSAPublicKeySignedData_new_from_SECItemPublicKey_new_from_SECKEYPublicKeyPK11_GenerateKeyPairSubjectPublicKeyInfo_new_from_CERTSubjectPublicKeyInfoSECKEY_ExtractPublicKeyCertDB_new_from_CERTCertDBHandleCertificateExtension_new_from_CERTCertExtensionAVA_new_from_CERTAVARDN_new_from_CERTRDNDN_new_from_CERTNamePyNumber_AddGeneralName_new_from_CERTGeneralNameCERT_DecodeAltNameExtension_PyString_JoinPK11Slot_new_from_PK11SlotInfoPK11_GetSlotFromKeyPK11_FindSlotByNamePK11_GetInternalSlotPK11_GetBestSlotPK11_ReferenceSlotCRLDistributionPt_new_from_CRLDistributionPointCERT_DecodeCRLDistributionPointsCRLDistributionPts_new_from_SECItemAuthorityInfoAccesses_new_from_SECItemAuthKeyID_new_from_CERTAuthKeyIDAuthKeyID_new_from_SECItemBasicConstraints_new_from_SECIteminitnssPyImport_ImportModulePyCObject_TypePyCObject_AsVoidPtrPyCapsule_ImportPy_InitModule4_64PyType_ReadyrindexPyModule_AddObjectPyCObject_FromVoidPtrPyModule_AddIntConstantPyModule_AddStringConstantlibnspr4.solibssl3.solibnss3.solibsmime3.solibpython2.7.so.1.0libpthread.so.0libc.so.6_edata__bss_start_endNSS_3.2GLIBC_2.3GLIBC_2.4GLIBC_2.2.5GLIBC_2.3.4NSS_3.10NSS_3.11.1NSS_3.12.9NSS_3.12.5NSS_3.13NSS_3.5NSS_3.7NSS_3.8NSS_3.9NSS_3.9.2NSS_3.11.7NSS_3.2.1NSS_3.12NSS_3.4NSS_3.3NSS_3.14NSS_3.6                                  B&kIPii sii }ui ti 0pdB&k |d}d}dsdE&G&H&I&I& |d H& rd pd D& C&"B&ktd*F&38%p38%039%(9%@9%``9%x9%=9%dJ9%9% 9%%9%:% :%"8:%(P:%+h:%5:%>:%:%N:%ۈ:%R:%`;%k(;%y@;%ߢp;%p;%@&tH&}P&X&`&?Q&t&}&&&&?Q&sZ&&&Ɣ&̔&ה&ݔ &ה(&0&@&H&P&@]X&p&x&8`&&@]&&&W&\&&Ta& &0&?Q8& P&?QX& p&?Qx& &?Q& &U&DV&&&$&/&;&sZ&ה0&2@&2P&2`&2p&ה&D&ה&sZ&ה&H&Z&k&{&&&&ԕ&& &ה0&D@&ה`&Tah&p&W&ה&&ה& &(&ה&ה&4&ה&G & 0& @&]P&ה`& p&b&\&V&b& &b& &k& &k&  &ה0&Z8&\P&?QX& p&rx&&{&&&ה&ה&{&& &ה &sZ(&20&8&P&UX&\p&ה&ה&ה&ה&ה&&&BP&ה& && &(&@&sZH&\`&הp&x&&ה&&@^'&a'&_'&:'&i'&@P&<&g&h&&& &(&^0&j8&H@&EH&_P&V`&̖h&@x&%&`&@&%&`&& %&ܖ&_&%&iY&&%&RY&&% &(&8&%@&@YH& X&%`&$Yh&0 x&%&& &%&^&{&%& & &%&t`&& &&`& & & &`(&8& &@&aH&`X&&`&\h&Px&`&&Y& &&&X&&&&&&&V&&X&&S&&J&M&& &X(&8&`&@&XH&X&Q&`&\h&PWx&P&&\&V&O&&\&U&N&&\&U&`M&&ta&p&&&VK&c&@& &08(&`@8& &@&j`H&`X&%`&JUh&x&%&@U&&%&U`&Ћ&%&&U&0&%&9&0&%'T'0'% 'V('08'%@'tH'0X'%`'h'0x'%''б'%'P8'а'%'T'Я'%'S'Ю'%'''% 'Cf('P#8' %@'ϗH'#X'%`'h'"x'`%'f'!'%'''%'X''%'`''%'=`' '% '-`('p8'`%@'`H'X'%`'`h'0x'%'tX' '%'DX''%'4X'0'%'#X''%' X'0'% 'W(' 8'%@'H'X' %`'_h'x'@%''0'%'W'@' %'Fa'P'%'W''%']'``'% '](' a8'%@'ZH'X'@%`'leh' x'%'4Q'Д'|%'kN'@'@z%'O''w%'O'p'u%'|W'p'`s% '&(' 8'r%@'@H'X'`p%`'Sh'px'%'R'p'%'gW'p'`%'x8'`'&'V''_%'\'@N']% '\('`8' ]%@'_H'X'[%`'_h'x'Z%'_''@X%'e_'p'@U%'K_'' T%'8_'p'@S%'x'0'R% '('8'@O%@'H'X'L%`'8h'Ёx'@K%'PA'PR'-K'' & 'a('8'&`'˜h'Jx'Ș''H 'p '& '` ' '`' ' ' 'pD` '-Kh 'x ' & 'a ' '& ' 'P '8 'f 'J '8 '  'J( ' 9x ' ' '^ ' ' ' '`& '@ 'AH '` 'P ''X '' '` '@ 'N '` '&h '0{x ' & '-K '0 ' & 'a ' '& '6'@8' ^h''&''?''' ''''L'?'-K'' &'a''&'\'J'P9']'  '90'O8'`?H'9X'`'p?p':'_'?'P:'m'?':'0'X'@^'&''''{' &''Nh'1'`&'''`''''}'C'-K',' &'a' '&'H'0'|':'Z'J'* '0'k8',@'pH';X'{`',h'p'X''`,''X''0,'0'X'','p'X'ԕ'+''X '('+0'8'XH'P'p+X'0`'X'ę'X'`^('`P'&'@''''''`'T@'-KH'X' &`'ah'@x'&'S''ߙ'g'\'' ''8;'$ '0'p;@'UH'X';'/'X'@'('P'&'''''''@M'0V@'P?X''-K'' &'a''&'E'i'N('b0' J@'<P'ޟX'ph'kx'''0<''@?8']h']'&''' ''''t'`C'-K' d' &'a''&'''<''J '<x''PX''` ' &H '!'P '`'X '!' ' t 'T!'-K!'!' & !'a(!'@8!'&@!'}eH!'X!'`&!'-!'`&!'0=!'ǚ!'"!'0="'՚0"' ?h"'#'"'"'"&"'>"'>"'$'(#'r8#'>#'`N#'$'-K$'$' & $'a($'8$'&x$'$'0X$' %'#&H%'&'P%''X%'`&'%'L%'T&'-K&'d&' & &'a(&'8&'&`&'h&'hx&'&'0&'J&'P=&';&'`&'F&'c&'`!&'=X''lp''p>'']''('''''#&''>('0>(('@)'0(''8(' 'h('*x('=('@N('@@)'-KH)'pX)' &`)'ah)'x)'&)')'X)'(*'`P*' $&*'~'*'`'*'@+'*'PL*'S@+'H+'X+'=+'+_+'@+'0&+'_+'+' 0&+'+'@+'/&,' _,','/& ,'V(,'08,'@.&@,'H,'`X,',&`,'h,'@x,'+&,'O],'[,'@6&,';],'@Z,'4&,'*V,','2& -'(-'8-'ΛH-'P-'Y`-'p-'DVx-'-'-'W-'!-'W.'.'_.'M& .' (.'P_8.'L&@.'H.'_X.'@L&`.'%h.'^x.'K&.'1.'^.'@K&.'<.'P^.'J&.'K.'^.'J&.'W.'].'I&/'d/'`]/'C& /'>(/' ]8/'H&@/'qH/'\X/' H&`/'}h/'\x/'G&/'/'/'F&/'/'`\/'`E&/'/' \/'D&/'U/'/'`B&0'0'[0'B& 0'(0'80'A&@0';VH0'X0'@@&`0'Vh0'x0'@>&0'Qc0'P0'`9&0'`0'0'8&0'؜0'Y0'1'1'Y 1'x1'1'W1' g1'3'2'`V&H2'`3'P2''X2'3'2'o3'a3'`3']h3'ex3'V&3'Z3'g3'0>3'3'3'X>3'`T3'0T4'>4'  4'P"04'>p4'@=x4'4'@=4'5']5'h5'k& 5'!^(5'n85'j&`5',h5'nx5'?5';5'T5'`?5':5'Pn5'?5'G5' n5'@6'U6'm6'h@(6'`06'm@6'@P6'iX6'mh6'Ax6'w6'`m6'pA6'6'0m6'A6'=6'P 7'=87'7']7'g7't&7' 7'h7'(B7'@U7'8'XB8'V8'h(8'B88'@8'iP8'B8'8'P9'}&9'@:'9''9'@'9'<9'<@:'H:' `X:'}&:':'0;'@~&h;''p;''x;'';'<;'`< <'"M(<'8<' &@<'UH<'X<'&`<'ʝh<'x<'&<'؝<'@Y<'`&<']<'X<'@&<' ]<'X<'&<'U<'@<'&='U='@='& ='U(='@8='&@='UH='`X='&`='vUh='0x='&='\U='p='&='.a='P='&='ec='='@&='-K='=' &>'a>'@>'&@>'H>':X>'Bh>'p>'p:>'C>'>':>'C>'>'`:>'PD>'S>'>'D?'3?'S ?'G0?'8?'@H?'DX?'g`?'[p?'[?'ǚ?'[?'o?'?'P?'D?'?'?'E?'@'E@'8E @'(@'pS8@'`EH@'P@'@S`@'Ep@'Оx@'S@'F@'@'@'pF@'@'@'F@'@'A'GA' A'(A'8;8A'$@A' PA'p;`A']hA'pJxA'`GA'A'<B'PHB' pB'&xB'`;B';B'`C'B'`'B'C'B' <B'0;`C'-KhC'-xC' &C'aC'C'&C'ZC'@C'5C'GC'D'GD' D';(D'P8D'@U@D'IPD'G`D'VhD' ;xD'lD'SVD'PD'&D'\D'`OD'`&8E'PE':xE'\E' E'@&E'9E'@:F'F'F' 'F' G'HF':XF'9F'-KF'_F' &F'aF'F'& G'a(G'98G'aHG'PG'9`G'G'G'PwG'\(H'PH'&XH'8`H'@9H'@I'H'`'H'I'H'9H' C@I'-KHI' XI' &`I'ahI'xI'&I'џI'`JI'HI'ڟI'I'I'iI'J'8HJ' J'`0J'8HJ'J'@WJ'\K'0K'&8K' @K' 8hK' L'pK''xK'L'K'8K'`P L'-K(L'J8L' &@L'aHL'XL'&L'[L'7L'`HL'sZL'7L'HL'aL'7L'HL'M'8M'xM';M'7M'\M'`N'&N'6 N'07HN'O'PN''XN'`O'N'7N'6O'-KO'tO' & O'a(O'@8O'&`O'PhO'6xO'HO'_O'6O'[O'lP'`68P'p\hP' P'@&P'5P'6P'Q'P' 'P'Q'Q'6Q'5Q'-KQ'PrQ' &Q'aQ'Q'&Q'Q'p5Q'R'R'5 R'xR'R'WR'P\R'S'&HS' 'PS'`'XS'T'S'S'0OT'T'phT' I(T'0T'h@T'HIPT'BPXT'hhT'pIT'T'`5(U']PU'@&U''U''U'@V'U'KU'B@V'rHV'JPV'*XV'ĠhV'ߠpV'JxV')V'V' V'AW'\HW'pW' &xW'4W'5W'`X'W''W'X'W'P5W'B`X'-KhX'xX' &X'aX'X'&X'X'4X'$X'AUX'IY'IY'k`Y'(Y'I8Y'@@Y'4PY'IY'4Y'(Y'4Y''Y'`E Z'&(Z'&0Z'`4`Z'ZhZ'xZ'&Z'KZ'[Z'@&Z'\JZ'KZ'`&Z'KZ'eZ'`&['\['PJ['J(['g0['@J@['0JP['sZX['PEh['W['{N['N['N['N['N['N['N['N\'O\'O \'$O(\'8O8\'?O@\'UOP\'PX\'^Oh\'.Mp\'CM\'UM\'hM\'xM\'M\'M\'M\'M\'M\'M\'M\'N]'N]' N]'1N(]'j0]'j@]'kH]'rX]'k`]'p]'0"x]']':k]'Hk]'X"]']'"]']'a]'Sk]'Ρ^'"^'ޡ^'ok ^'X^'p^'^'8&(_'.'0_'`'8_'0'h_'Kx_'`=_'`'8`'p]h`'``'~&`' <'`' '`'@>'a'wa'0<a'%a':0b' &hb'D'pb''xb''b';b':8c'4Pc'c''c'c' &d''d' 'd'`'Xd'Qd'Jd' e'@oe'b(e'4'0e'p4'He'bpe'Z&e'5'e''e'`5'e'Pe' Sxf'Uf'Wf'kf'@f' 7'f'6'g'l&Hg'7'Pg' 'Xg'`'g'`g'Rh'a0h'pWPh'0kXh'pih'u&h''h''h'7'(i'8i'@Ri'mi'gi'PDi'0\j'Y'j'Y'(j'C@j' Z'Pj'`&j'`Z'j'@'j'['j'ij' 4Xk'}pk'`k'^k'^k'+&(l'+'0l''8l''hl'=xl'=l'm'8m'0]hm'P]m'1&m','m' 'm' -'n'=n'n'n'n'n'n'n'¢n'Ǣo'ʢo'͢(o'Т8o'ӢHo'֢Xo'٢ho'ܢxo'o'o'o'o'o'o'o'o' p'p'(p'8p'Hp'"Xp''hp',xp'1p'ep'6p'8p';p'=p'?p'Ap'Cq'Fq'h\(q'H8q'JHq'LXq'Nhq'oRxq'Pq'q'aq'q'q'q'q'Ţq' r'Rr'Pl(r'V8r'RHr'TXr'Vhr'Kxr'Xr'[r'r' r'%r'*r'ߢr'r's'~us'U(s']8s':Hs'Xs'>hs'xs'dJs's'_s'~s'ls'Fs's'as'ct'ot'(t'e8t'gHt'iXt'YZht'lxt't'nt'Ȣt'ˢt'pt'Zt'Pt'עt'FUu'iu'a(u'ߔ8u'ՓHu'fXu'hu'Ѣxu'du'Qu'ru'ڢu'Tu'Ju'Tu'Ԣu' v'Rv'Y(v't8v'vHv'xXv'zhv'|xv'~v'v'v'v'v'v'v'v'w'w'(w'8w'Hw'Xw'ģhw'ɣxw'Σw'ӣw'أw'ݣw'w'w'w'w'x'x'(x'8x' Hx'Xx'hx'xx'x'#x'(x'-x'2x'7x'<x'Ax'Fy'Ky'P(y'U8y'ZHy'_Xy'dhy'ixy'ny'sy'xy'}y'y'y'y'y'z'z'(z'8z'Hz'Xz'hz'xz'z'äz'Ȥz'ͤz'Ҥz'פz'ܤz'z'{'{'({'8{'H{'X{'h{' x{'{'{'{'{'"{''{',{'1{'6|';|'@(|'E8|'JH|'OX|'Th|'Yx|'^|'c|'h|'m|'r|'w|'||'|'}'}'(}'8}'H}'X}'h}'x}'}'}'}'}'¥}'ǥ}'̥}'ѥ}'֥~'ۥ~'(~'8~'H~'X~'h~'x~'~'-K~' &~'a~'@~'&~'}e~'~'`'&~'Z~'%~'`$& '-K8' &@'aH'X'&;%/;%/<%/?%/>% >%>%>%?% ?%#?%$ ?%W(?%b0?%c8?%j@?%nH?%oP?%X?%`?%k('kh?%p?%yx?%?%v?%?%?%?%?%?%?%?%~'?%#?%)?%E?%?%W?%_@% @%(@%0@%8@%@@%H@%P@% X@% `@% h@% p@%x@%@%@%@%@%~@%@%@%@%@%@%@%@%@%@%@%!@%"A%qA%%A%&A%' A%((A%)0A%*8A%{@A%+HA%,PA%-XA%.`A%0hA%1pA%2xA%zA%xA%3A%4A%5A%6A%7A%8A%9A%:A%;A%<A%=A%>A%?A%@A%AB%BB%CB%DB%E B%F(B%G0B%H8B%I@B%JHB%KPB%LXB%M`B%NhB%OpB%PxB%QB%RB%SB%TB%UB%VB%XB%YB%ZB%[B%\B%]B%^B%_B%`B%aB%dC%eC%fC%gC%h C%i(C%k0C%l8C%m@C%pHC%qPC%rXC%s`C%thC%upC%vxC%wC%xC%dC%yC%zC%{C%|C%}C%~C%C%C%C%C%C%C%C%D%D%eD%D% D%j(D%0D%8D%@D%HD%PD%XD%`D%hD%pD%xD%D%D%D%D%D%D%D%D%D%sD%D%D%D%D%D%D%E%E%E%E% E%(E%0E%8E%@E%HE%PE%XE%`E%hE%pE%xE%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%E%F%F%F%F% F%(F%0F%8F%@F%HF%PF%XF%`F%hF%pF%xF%F%tF%F%F%F%F%F%F%}F%F%F%F%F%F%F%F%G%G%G%G% G%(G%0G%8G%@G%HG%PG%XG%`G%hG%pG%xG%G%G%G%G%G%pG%G%G%G%G%G%|G%wG%G%G%G%H%H%H% H%  H% (H% 0H% 8H%@H%HH%PH%XH%`H%hH%pH%xH%H%H%H%H%H%H%H%H%H%H% H%!H%"H%mH%$H%%H%&I%'I%(I%*I%+ I%f(I%,0I%-8I%.@I%/HI%0PI%1XI%2`I%3hI%4pI%5xI%6I%7I%8I%9I%:I%;I%bI%<I%=I%>I%uI%?I%@I%AI%BI%CI%nJ%DJ%FJ%GJ%H J%I(J%J0J%K8J%L@J%MHJ%NPJ%OXJ%P`J%QhJ%RpJ%SxJ%TJ%UJ%VJ%WJ%J%XJ%YJ%ZJ%[J%\J%]J%^J%`J%aHH]"$Ht H5"$%"$@%"$h%"$h%"$h%"$h%"$h%"$h%"$h%"$hp%"$h`%"$h P%"$h @%"$h 0%"$h %"$h %"$h%z"$h%r"$h%j"$h%b"$h%Z"$h%R"$h%J"$h%B"$h%:"$hp%2"$h`%*"$hP%""$h@%"$h0%"$h % "$h%"$h%!$h%!$h %!$h!%!$h"%!$h#%!$h$%!$h%%!$h&%!$h'p%!$h(`%!$h)P%!$h*@%!$h+0%!$h, %!$h-%!$h.%z!$h/%r!$h0%j!$h1%b!$h2%Z!$h3%R!$h4%J!$h5%B!$h6%:!$h7p%2!$h8`%*!$h9P%"!$h:@%!$h;0%!$h< % !$h=%!$h>% $h?% $h@% $hA% $hB% $hC% $hD% $hE% $hF% $hGp% $hH`% $hIP% $hJ@% $hK0% $hL % $hM% $hN%z $hO%r $hP%j $hQ%b $hR%Z $hS%R $hT%J $hU%B $hV%: $hWp%2 $hX`%* $hYP%" $hZ@% $h[0% $h\ % $h]% $h^%$h_%$h`%$ha%$hb%$hc%$hd%$he%$hf%$hgp%$hh`%$hiP%$hj@%$hk0%$hl %$hm%$hn%z$ho%r$hp%j$hq%b$hr%Z$hs%R$ht%J$hu%B$hv%:$hwp%2$hx`%*$hyP%"$hz@%$h{0%$h| % $h}%$h~%$h%$h%$h%$h%$h%$h%$h%$h%$hp%$h`%$hP%$h@%$h0%$h %$h%$h%z$h%r$h%j$h%b$h%Z$h%R$h%J$h%B$h%:$hp%2$h`%*$hP%"$h@%$h0%$h % $h%$h%$h%$h%$h%$h%$h%$h%$h%$h%$hp%$h`%$hP%$h@%$h0%$h %$h%$h%z$h%r$h%j$h%b$h%Z$h%R$h%J$h%B$h%:$hp%2$h`%*$hP%"$h@%$h0%$h % $h%$h%$h%$h%$h%$h%$h%$h%$h%$h%$hp%$h`%$hP%$h@%$h0%$h %$h%$h%z$h%r$h%j$h%b$h%Z$h%R$h%J$h%B$h%:$hp%2$h`%*$hP%"$h@%$h0%$h % $h%$h%$h%$h%$h%$h%$h%$h%$h%$h%$hp%$h`%$hP%$h@%$h0%$h %$h%$h%z$h%r$h%j$h%b$h%Z$h%R$h%J$h%B$h%:$hp%2$h`%*$hP%"$h@%$h0%$h % $h%$h%$h%$h%$h%$h%$h%$h%$h%$h%$hp%$h`%$h P%$h @%$h 0%$h  %$h %$h%z$h%r$h%j$h%b$h%Z$h%R$h%J$h%B$h%:$hp%2$h`%*$hP%"$h@%$h0%$h % $h%$h%$h%$h %$h!%$h"%$h#%$h$%$h%%$h&%$h'p%$h(`%$h)P%$h*@%$h+0%$h, %$h-%$h.%z$h/%r$h0%j$h1%b$h2%Z$h3%R$h4%J$h5%B$h6%:$h7p%2$h8`%*$h9P%"$h:@%$h;0%$h< % $h=%$h>%$h?%$h@%$hA%$hB%$hC%$hD%$hE%$hF%$hGp%$hH`%$hIP%$hJ@%$hK0%$hL %$hM%$hN%z$hO%r$hP%j$hQ%b$hR%Z$hS%R$hT%J$hU%B$hV%:$hWp%2$hX`%*$hYPHL&H=L&UH)HHw]H $Ht]@HL&H=L&UH)HHHH?HHu]H $Ht]H@=IL&u'H= $UHt H="$h] L&fffff.H=p$t&HG $HtUH=Z$H]WKf.HtcHWHtZOvRBAxL)1HWOƸ9rA)1L‰OHWDÐHH10Ht@@ H@@(Hf.HtHfffff.G fff.HG@HHG@HGHHHGHATIUHSHH@Ht HՅu!H{H1Ht[HL]A\f.[]A\ff.SHH@HtHC@H/t%H{HHtHCHH/uHGP01[HGP01ffff.HGH@HGHHGHGHHGHH10HtH@H@HATIUHSHHHt HՅu!H{1Ht[HL]A\f.[]A\ff.SHHHtHCH/t%H{HtHCH/uHGP01[HGP0SHHCH[H@fD1ffff.HGHHGHGHHGHH10HtH@H@HATIUHSHHHt HՅu!H{1Ht[HL]A\f.[]A\ff.SHHHtHCH/t%H{HtHCH/uHGP01[HGP0SHHCH[H@fD1ffff.HGxHHGxHHHffff.HHHffff.HHHffff.SHHxHtHCxH/HHtHǃH/t\HHtHǃH/t/HHtHǃH/uHGP01[HGP0fDHGP0fDHGP0jff.1ffff.ATIUHSHHHt HՅu!H{ 1Ht[HL]A\f.[]A\ff.SHHHtHCH/t%H{ HtHC H/uHGP01[HGP01ffff.HGHHGHG HHG HH10HtH@H@ HATIUHSHHHt HՅu!H{ 1Ht[HL]A\f.[]A\ff.SHHHtHCH/t%H{ HtHC H/uHGP01[HGP0SHHCH[H@fD1ffff.HH10HtH@Hffffff.HGH@1ffff.HGHHGHGHHGHH10HtH@H@@ HATIUHSHHHt HՅu!H{1Ht[HL]A\f.[]A\ff.SHHHtHCH/t%H{HtHCH/uHGP01[HGP0SHHCH[H@fD1ffff.HH10HtH@Hffffff.HH10HtH@Hffffff.1ffff.S11HH=%%HtHX[HH10HtH@Hffffff.1ffff.HGHtH1H:t@HH<u1Dfffff.HW 1H:t@HH<uÐHH10HtH@Hffffff.1ffff.HH10HtH@Hffffff.1ffff.HH10HtH@Hffffff.HHHt H1DHGHtHGHHQHHt1DHHPHR01HSHHCH[H@fDHH10HtH@Hffffff.HHHt H1DHGHtHGHHQHHt1DHHPHR01HSHHCH[H@fDHGH@HG@ff.HGHHGHG HHG HG(HHG(HG0HHG0HH10Ht.@@H@H@ H@(H@0HfSHHHtHCH/tuH{ HtHC H/tNH{(HtHC(H/t'H{0HtHC0H/uHGP01[DHGP0HGP0HGP0SHWHCH[H@fDHH10HtH@H@H@ Hffffff.H HHt H1DHG HtHG HHQHHt1DHHPHR01HGfff.HGuCH;=#tJHHHH#H5HPH#H811HH>HSH'H{1HCH[H@ff.HH10HHtNHx0@@@un1@HuF@u(uHB@HBHHH1HfGtH@tfDHfD@Hx@/Z1HfORfffff.HH10HtH@H@HHH10HtH@H@ H@Hffffff.HH10HtH@Hffffff.H1H0HHtCHxP@@@uf1Hu?u"uFPHHfD1HfGtHtH닐@HxOk1HfObfffff.H1H0HHtHH HQHHtH[ÐHSHD$HR0HD$H[fD1fff.SH dH%(HD$1HH$HGHD$HGHHD$1uHZHL$dH3 %(uH [@ff.HHHHHHxHHGHH=Hp1HGHH=Hp1HGHH=Hp1gHGHH=vHp1GHGHH=VHp1'HGHH=6Hp1HGHH=Hp1HGHH=Hp1HWwH=1ff.HGHH=Hp1HGHH=Hp1gHGHOHH=FHp1CHGHH=VHp1'GWH5IH=MH>HD1HGHH=Hp1HGHH=Hp1HGHH=Hp1HGHH=Hp1wHGHH=Hp1WHGHH=fHp17HGHH=FHp1AUAATUSHHHH=F1HIHtHCHHtvHHHHtzIc21HHUMtLH@Ht HH+HH[]A\A]DE1sHHHz@1fff.1 fAWH %AVAUATUHHHHJSH(dH%(HD$1LD$D$td1.HHtUHEHLmMt0|$H51HItHHt|I,$tM1H+t]HtHmt)1HL$dH3 %(H([]A\A]A^A_@HEHP0@ID$L1P0fHCHP0@D$HtH5KLH1HI`HE1HI~!fLLIHHM9uI.ImHE HHm HL$HH51H;HIHE1dHI~#@LLI HH.M9uImtQHEHPHHHUHUH\$HR0HD$IFLP0;fIELP05IELP0AWAAVAUATIUSHHFHu{HHIt#1LDXH H1LLE1H+u HCHP0MtI,$u ID$LP0HL[]A\A]A^A_HI$HIhHItM~1HL9tHLHHt41HDHtBHHLH+uHCHP0fImNIELP0?fDImIELP0 ImIELP0fff.H(HH R%HLL$HdH%(HD$1LD$ D$ 1tHt$|$ +HL$dH3 %(uH(fD蛾ff.AUH W%IHHHATUSH(dH%(HD$1LD$D$m1θHHAEHW#H|$H5HHIHH!u}H+AuH=1HH}|$H5{HHItRHHu+HHPHHHuTHSHl$HR0HD$>I,$uID$LP0fDH+u HCHP0Hmu HEHP01HL$dH3 %(u4H([]A\A]f.H#@HCHP0fff.UH H%1SHHHHH8dH%(HD$(1HLL$LD$D$HD$HCHD$HCHD$HC HD$ 1tCHCH|$HD$HCHD$HC HD$ Hu4HL$T$t$ H|$-HHL$(dH3 %(HuH8[]H#H5H8:SH0dH%(HD$(1HHD$HD$HGHD$HGH|$HD$ ubD$ vYHT$pH HzH|$1҉t$ {HD$t5H=1H|$HHD$fDH#HHL$(dH3 %(uH0["fSHHHtnHCH[H@ffff.ATHUHS1AH=&1&HHttECEC EHEHHCt"UHuHDc(H[]A\H+t[]A\9fHCHP0@1fff.H1EDH015DHH1%DH Hfffff.H fH fAUATIUSHHcHItPAD$~Y1DHHLrA9l$~8ID$HcݾH[H<~HuImt"1H[]A\A]DHL[]A\A]fIELP01fH 2fATH %USHHHHH0dH%(HD$(1HD$LL$ LD$HD$D$H$1Ld$C(MHl$ D$HCk xEHEHHHCt3HL1HL$(dH3 %(ueH0[]A\DHCH#H5HH81fDCC 1HCfD@AUATIUSHhHt$8HT$@HL$HLD$PLL$XdH%(HD$(1uH1Ht%%uI91Ҁx%HHuHȼHIH$1HD$HD$HD$0HD$ /\@HT$ D$HHLHHH9t/D$0rHT$HBHD$fDH?L`HHtHLHH HQHHt^IMHQHIUt5HL$(dH3 %(uZHh[]A\A]fImu IELP01IUHD$LR0HD$fHSHD$HR0HD$1.fffff.AWAVAAUATUSH1H蕰HIsH{H HIH1bHHD$ffDHH;l$tUHL躷1HDHHINHL裹#H+uHCHHP0H;l$uIEHPLHIUu@IULd$LR0HD$*fDHu HEHP0I,$u ID$LP01H[]A\A]A^A_DHHHtH=HH1HHEHHHEtH1HDHHtHL跸t{HmH_H+UHCHP0I,$RBI/uIGLP0ImIELP0I,$HHPLHHHSLd$HR0HD$fHEHP0HEHP0:fAVH ׊%AUIHHHATUSH dH%(HD$1LD$D$苼tc1HHtTI}1]HHt;|$H5H1CHItHHPtdI,$AHmt:H+t$1HL$dH3 %(lH []A\A]A^ÐHCHP0@HEHP0H+ufDD$H}pHItHmL1˻HI~"HLHqHH薶L9uI,$I}01[HH5|$H5?1=HIHHFD$H}pHIHmFL1HI~$DHLHHHL9uI,$I}H1HH|$H51HI`HH薵BD$H}p.HI1HmL1mHI~HLHHH;L9uI$HPHHI$IT$H\$LR0HD$@ID$LP0ID$LP0ZHEHP0 HEHP0ID$LP0}HEHP07fffff.AVH W%AUATIHHHUSH dH%(HD$1LD$D$;t_1蠪HHtPID$HIl$Ht7|$H51HItHHttImt]Hmt>H+t(1HL$dH3 %(H []A\A]A^DHCHP0@HEHP0H+ufDIELP0@D$H}p(HIwHmL1gHI~&HLH HH.L9uImt_ID$HIl$H|$H51HIHHt=I,$ID$LP0IELP0HEHP0@D$H}pAHIHmtgL1脷HI~#@HLH)HHNL9uI$HPHHI$KIT$H\$LR0HD$1HEHP0֭fDAWH %IHHH1AVAUATUSH(dH%(HD$1LD$D$詶1 HHIGHMoML$HH51L=HIH1gHI~&HLH HH.L9uI,$NIm3IGHMoMt:|$H51HHtHHݰtiH+Imt@Hmt)1HL$dH3 %( H([]A\A]A^A_@HEHP0@IELP0HmuDD$I}pHItImL1SHI~"HLHHHL9uI$HPHHI$BIT$Hl$LR0HD$(IELP0ID$LP0HCHP0IELP0Umffff.SHH{άHCH[H@ffff.AUL %H %ATUSHHHHCHdH%(H$1HD$HLD$0HD$0HD$8HD$@HD$ HHD$HHD$PHD$XHD$HD$@HD$H#HD$HD$8H$1蛳HD$0HHxH5J%H9t耷(HD$0LhHT$8HLbHT$@H_1H;#@Ll$PȵH|$HI1Ht$HL$PLD$XLHD$$A艷Luz荦HD$XH8萩HC1HHT$HHtHHHHH tXH|$XHt H$dH3%(HĘ[]A\A]D11l&fH|$HHGP0fH|$0H|$0HT$hHt$`HD$`quMHD$`Ll$pHD$xHD$h$DE11f蛮Iv"fD1&H#H5H8裨YfAUFATUSH1迢HItN诳IMkLLImuIELP0tK\IMLLūImuIELP0@tCFH=IMLLsImxtC.H=被IM~LL+ImXtK|IM8LLImuIELP0@ @tJ㿃@#IMLL茪Imu IELP0ÀtS>H=M貪IMLL;ImuIELP0f.tKH=ZHH6HLHmu HEHP0ftImIELP0@H=tIc@H=\I@I,$MID$LP0H1[]A\A]DH=I@H#H5HH81H1[]A\A]f IfDH=輡I@ƨI/fDH=&茡I[@IELP0H=dI@IELP0fH= 4I\@H=I@H=yI@H=NIu@H=]ԠI@H=d輠I@ƧIfDH=Y茠I@ 薧IGfD@~IlH@H=4IUH=$ HHCHP0fHHH m%HLL$H dH%(HD$1I$D$L1t t$<$HL$dH3 %(uHff.AUFATUSH@1_HICÀtN9OIMLL踞ImuIELP0@tK㿃N@IMhLLeImuIELP0@ tC߃H=#芞IMLLImtC?~H=BIMLL˝ImtKNIMLL腝ImuIELP0@tJMäIM/LL,Imu IELP0tSH=uRIMLLۜImuIELP0f.ǀtKfH=HIMLL胜Imu IELP0f@tK翃O.H= 誜HH6HL3Hmu HEHP0ft@辔IfDH=脍I@Hi#H5lH81nyffIfDNIfDH=I@IELP0f\H=ʷΌIMbLLWImIELP0DH= 茌I@IELP0jH=dIH=lPIH=4I@H=I@@&IwfDH=ilI II֒IH={袋I谒IH=9l|I芒HH=;lVIH=VBHIELP0HCHP0)HEHP0vfDAWAVAUATUHSH8HdH%(HD$(1HHEHQHIA)H#fDHDk EH;L贁uEHEHPDHHUuHHUD$ HR0D$ 4H5%H9t 輒H}軄Ht$(dH34%(QH8[]A\A]A^A_HȄHHmHIHEHPHHUuSfDH舁fDH=LI\$WIEE1E1D;EtU薔HIBD{AHCEt*IHDJuHDBH uE~ AE9LHHH5 1H1=HIH=:%HrH>H葀H+AI,$"ID$LP0fA.D{AH@AH\$11LHD$D$ HHÂA"1H~H+:A} HKHCufHHDJ uHCHP0HEH5hHPH#H81腐`HHHi#H5H81XH+u HCHP0I,$>ID$LAP0Hmu HEHP0H#H5gLH81qHmt>1H}Hƞ#H5gLH81ʏ@HCHP0HEHP0DUHcSH蠍HHH=%H%Ht@H HQHHtHH[]fDHSHD$HR0HD$f.H)#H5dH81H+uHCHP0fDH1[]UHSHHHtJH=+%H{HtVH HQHHtHH[]@HSHD$HR0HD$fHi#H5۰H81fDH+u HCHP0HY#H5ðHH81E1뎐USHAHHtIH=Z%HʃHtUH HQHHtHH[]HSHD$HR0HD$fH#H5+H8j1fDH+u HCHP0H#H5*fH81薍1fUHSH蒋HHtJH=%HHtVH HQHHtHH[]@HSHD$HR0HD$fH #H5{H81fDH+u HCHP0H#H5eHH811뎐UHSH(dH%(HD$1HHD$H==1HHHL$H"H5H1~~H} Ht{HD$HE HHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @H Htj{HE 1뱸H HQHHuHSD$ HR0D$ H#H5dD$ H:\~D$ f~fffff.UHSH(dH%(HD$1HHD$H=1NjHHHL$HH5H1>~H}(HtzHD$HE(HHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @H(Ht*zHE(1뱸H HQHHuHSD$ HR0D$ H#H5cD$ H:}D$ f|fffff.UHSH(dH%(HD$1HHD$H=1臊HHHL$HH5JH1~H}0HtGyHD$HE0HHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @H0HtxHE01뱸H HQHHuHSD$ HR0D$ H?#H5bD$ H:{D$ f{fffff.UHSH(dH%(HD$1HHD$H=}1GHHHL$HbH5 H1辂~H}8HtxHD$HE8HHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @H8HtwHE81뱸H HQHHuHSD$ HR0D$ H#H5aD$ H:zD$ fNzfffff.UHSH(dH%(HD$1HHD$H==1HHHL$H"H5ʽH1~~H}@HtvHD$HE@HHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @H@HtjvHE@1뱸H HQHHuHSD$ HR0D$ H#H5`D$ H:\yD$ fyfffff.UHSH(dH%(HD$1HHD$H=1džHHHL$HH5H1>~H}HHtuHD$HEHHHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @HHHt*uHEH1뱸H HQHHuHSD$ HR0D$ H#H5_D$ H:xD$ fwfffff.UHSH(dH%(HD$1HHD$H=1臅HHHL$HH5JH1~~H}PHtGtHD$HEPHHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @HPHtsHEP1뱸H HQHHuHSD$ HR0D$ H?#H5^D$ H:vD$ fvfffff.UHSH(dH%(HD$1HHD$H=}1GHHHL$HbH5 H1}~H}XHtsHD$HEXHHP1HHtHL$dH3 %(H([]fHSD$ HR0D$ @HXHtrHEX1뱸H HQHHuHSD$ HR0D$ H#H5]D$ H:uD$ fNufffff.SHH5nH dH%(HD$1HT$|H|$H5Ĥ11{HHH=%H/xHtJH HQHHtHHL$dH3 %(ucH [ÐHSHD$HR0HD$f.H|$zHH#H5-]H81 H+u HCHP01Otffffff.HHH5dH%(HD$1H{1t H<$HL$dH3 %(uH@sff.HHH5dH%(HD$1HZ{1t7L $AHEJcHH=f xHL$dH3 %(u{HfDH=H=H=H=H=%LPP1,nH=%prff.HHH5:dH%(HD$1HZz1t7L $AHEJcHH=f wHL$dH3 %(u{HfDH=}H=H=H=5H=i%LPP1,mH=E%pqff.SHH5XH dH%(HD$1HT$WyH|$H5d11xHHH=g%HtHtJH HQHHtHHL$dH3 %(ucH [ÐHSHD$HR0HD$f.H|$VwHH#H5YH81~H+u HCHP01pffffff.HHH5sdH%(HD$1HZx1t<$ HL$dH3 %(uHDpff.SHH5/H dH%(HD$1HT$wH|$H511:wHHH=%HosHtJH HQHHtHHL$dH3 %(ucH [ÐHSHD$HR0HD$f.H|$uHH\#H5H81K}H+u HCHP01offffff.ATHH5cU1SH dH%(HD$1HT$vt?Ld$DzHHt_H=%HzrHtcH HQHHt&HHHL$dH3 %(HuiH []A\HSHD$HR0HD$HS#H5ŞH8oH+u HCHP0HK#H5D1H815|nfffff.SHH5}WH dH%(HD$1HT$uH|$H511:uHHH=%HoqHtJH HQHHtHHL$dH3 %(ucH [ÐHSHD$HR0HD$f.H|$sHH\#H5ԟH81K{H+u HCHP01mffffff.ATHH5U1SH dH%(HD$1HT$tt?Ld$LxHHt_H=%HzpHtcH HQHHt&HHHL$dH3 %(HuiH []A\HSHD$HR0HD$HS#H5ŜH8mH+u HCHP0HK#H5UL1H815zlfffff.SHH5UH dH%(HD$1HT$sH|$H511:sHHH='%HooHtJH HQHHtHHL$dH3 %(ucH [ÐHSHD$HR0HD$f.H|$qHH\#H5 H81KyH+u HCHP01kffffff.HHH5dH%(HD$1Hr1t H<$HL$dH3 %(uH@+kff.HHH5dH%(HD$1Hrt6H<$}Pv%HcvHL$dH3 %(uH1jHHH5:dH%(HD$1H*rt6H<$ Pv%nHL$dH3 %(uHf1GjAUIHATUSHH8dH%(HD$(1HD$HD$ vwHI 1HpHHL$LL$ LH%H5o1H^qHEu6HP1HHUHL$(dH3 %(H8[]A\A]@HHHEHLoHuHHD$IuHT$ HHxcHt#eH+tx11V%vfeH+teHޅ#HRDHH@HEHP0bHUHD$HR0HD$HCHP0yHCHP0hffffff.AVAUIHATUHSHPdH%(HD$H1HD$ HD$(HD$0HD$8HD$@uHIL1HnHHD$0L#HL$ LL$(H%H5HD$HHHD$HD$8H$1boHHHHHLLt$(2nH=%11H菖HHtw2sIHD$ 1L;5A#IuILD$0HL$8HxHD$@HD$HEH$fLt{cH+u HCHP01H|$@1E%HHHHt11HL$HdH3 %(u{HP[]A\A]A^fHEHHCHP0@{cH+t5Ht$@H=oH1tDHCHP0fHCHP0_fffffff.AVAUIHATUHSHPdH%(HD$H1HD$ HD$(HD$0HD$8HD$@isHI\1H}lHHD$0L΂#HL$ LL$(H%H5HD$HZHHD$HD$8H$12mHu;HP1HH HL$HdH3 %(1HP[]A\A]A^HHHH#E1H9D$(HLAkHpHHD$ IuLD$0HL$8IDHxHD$@H$HD$cHt'aH+t|11|$@1%>{aH+teH|$@KpfDHEHHCHP01HSHD$HR0HD$HCHP0uHCHP0/dffffff.SHHHt>iHCH[H@ffff.UHSHH_ HtfDH;HthH[ HuH}1eHEHH@H[]SHHHthHCH[H@ffff.AVAUIHATUHSH@dH%(HD$81HD$HD$ HD$(HD$0pHI51HiHHD$(L#HL$LL$ H%H5ǕH$H1qjHu:HP1HHHL$8dH3 %( H@[]A\A]A^HHHHY#E1H9D$ HLAhHnHHD$IuHL$(LL$0IDHx `Ht)^H+t~11|$01N%Qf^H+teH|$0m.fDHEHHCHP0AHSHD$HR0HD$HCHP0sHCHP0affffff.SH h7%HHHHQHdH%(HD$1I$D$Mjti$HD$H{1HEm $u!HceHL$dH3 %(u5H[\$HcdH=ܓH1n1`Hc dHcdHcdHcwdSHHHLH 86%H0HT$LL$ D$dH%(HD$(1H$H1HD$ 9itEHt$ Ht+H{T$bkHL$(dH3 %(uH0[Ð{_HD$ HƐ1_AWAVIAUATUSHHGHZ`bHI HhHHsL(H@LbEHEHuHH[]A\A]A^A_@HcLH4RHMhHHEEE1@AD9eMcLLaHxHHƥ%H9tH5%ktA{(u;HEK HSLH4bHu|HHHuHCHP0@H {#Hz%H5HH81lH+tG1L1`f.Hz#H5G1H8h^HHHuHCHP0H1L1,`\111%HHjHhiAWAVIHAUATUHSHHHjz#dH%(HD$81HD$ HD$(H\$0jHI91HcIHD$0HT$ L LD$(H H5DH$L1dIEu=HHIEL1HL$8dH3 %(HH[]A\A]A^A_HHIEHD$(HaLxHD$0H9_H@HD$HL&c IkHH Ht$ HPiAtIHt$ H= F1}%Imt_HfZE1HH'HEIgIvHLHD$'[AuPH|$XImuIELP0IELP0HD$(HffDIELP0e=uH|$LkAtJH=1%w+ZA ;aIdHD$IvHLRZA'11E%[AVAUIHATUHSH dH%(HD$1HD$=hHI1HQaHHw#HL$H51H1bHu:HP1HHHL$dH3 %(3H []A\A]A^HHHHD$HE1H;w#AHL`HeI}HDHziHt3VH+H=1 %XHEHVH+tuHv#H-DHCHP0HD$HV6fDHSHD$HR0HD$HCHP0mE1$HCHP0|,Yfff.SHHHtZHCH[H@ffff.SHH=5%YH5 %HSHtHX[fDAUIHATUHSH8dH%(HD$(1fHI1H_HHT$LL$LD$ H S{H51H_Hu;HP1HHHL$(dH3 %(H8[]A\A]f.HHHt|LH^HcHL$ I1I}Ht$IHHAL$HER`HHLtgTH+t|HfHEHHCHP0ufHSHD$HR0HD$TH+t%11s%fDHCHP0uHCHP0Wffffff.HHaHbHHbHHwbSL %HHH5H`HL$,HT$0LD$8dH%(HD$X1HL$HL$HHD$PHL$HL$@HL$HL$PH $H Fy]t]HD$P1H{LL$HLD$@HHHD$8HpHD$,HEHt$0$sYHt&HH\$XdH3%(uH`[1@1%UfSHHHt~^HCH[H@ffff.SHHH5HdH%(HD$1H]1tH{H4$^Hc aHL$dH3 %(uH[;Uff.HHZHH`HH\H`SHSt H{ WHCH[H@fSHHHtOHCH[H@ffff.SHHsVH{Ht1VHCH[H@fAUH )%IHHHATU1SH(dH%(HD$1LL$ LD$D$ 6]t{H|$8THHH p#11HSHIHtnUI}T$ LiRHHþLtaO11H=i%j%HtHXHHL$dH3 %(Hu@H([]A\A]f[U11%H@N11%H?Sffffff.HSHVHN<ADBLQyYAAE9ELQDBIA[L҉ML1fHHHJH L9uMTE)E~9HAv/I)ЉG1AIEHG1[f._[1뭿_[f.AUH &%ATIHHHUSH(dH%(HD$1LL$LD$HD$HD$ZH|$LHl$HEHM#HEHWHI)Lh#u@EIEH D9uAPI|$LOWHID$t1Ht Hm1HL$dH3 %(H([]A\A]LH=;%HtHmuHEHP0@뮐H|$PHHVHH)m#H5z:H810^H+uHCHP0cfD (fDHOHHEHP0,HD$H5=:H@HPHl#H81] Pffff.HH[H[ATUSHHdH%(H$1H$=[)HJf#u fDtlHJ 9ut]H*HtUH{]HHtmHHPHUH߾JH=91\%:fHPHHt^H{']HHucH]H=1 %H$dH34%(u4H[]A\fH=фDSH=91۷%NHHPHTtBH]7HIH=:H1HvXHHHEZH߾IH=1HHAXHHtH\H!H\1f.AWAVAUATUSH8dH%(H$(1HHD$~HHrL+HD$HAHl$ HD$MMfLD$ Y)H d#u@Hq 9uL9ME1I}E[HIHHPHeSL@HMLHIDEtFH=1VHHD$ MtLU[HLkME1@H=g1VHtH|$H(JH|$uMtL[1/L@MHIE1H=MPH$(dH3%(H8[]A\A]A^A_HD$MtLZH=1%MtLuZLGH=Q61%MKLHD$AZHD$gH=51%S~Kfffff.HwAWAVAUATUHSHHHdH%(H$1MH}1HHLHxIHL5%L9tLXILyNH HD$01H$fDHH H9l$0IELHH@hPHxIL9tH5+%WH{11LHIMIT$H{HTN4I,$HT$@L|@oID$HHT$8LP0H HT$8Z@H tHHXfHHH9uH$LL$hLD$`HL$XHT$PHt$HHD$ H$H|$@HD$H$HD$HD$xHD$HD$pH$1IHu711%}HOHHtm811IHGHPHHS HC1H$dH3 %(1HĨ[]A\A]A^A_116%I,$@IEHHPHXe#H5y3H81WVyDHHHRHH=j|%KID$H53HHHHd#H81UI,$VID$LP0HT$@0Hd#HL$0H53 H81U1.%GAWAVAUATUHSHH9HI-I2R`HIRKHHH@PHCPHCXA$A$tBIT$HsHKAEuAILH F1H[]A\A]A^A_f.IT$8Hs8H_KAt`ILHOHD[]A\A]A^A_@IT$HsHKAuIT$ Hs HKAaIT$HsHgLAAAuT0fAWAVAUATUHSH(dH%(HD$1HHt$HIPMH$HD$E11Ll$9@HD$HSPHPLHIVPHPHCXIFPEI9ItpLt$LLHuHuH\$HIHD$H4$HHhNHL$dH3 %(uLHHj|$1H~HH@HLFH+H|$1DLuH=u1LKHHD$1Hڍx}HIHLEJH+H<$HCHHD$HiH5iHߍH16HHHtvHE1cJHI~"LHI PLH.EM9uHmH+L;t$L HmuHEHP0H+u HCHP0I,$u ID$LP01HL$dH3 %(uqH([]A\A]A^A_DHCHP0HCHP0mHEHP0SHCHP0WLImjIELP0[@fffff.AVIAUIATIUSHvDHHtzH5o1H1FHHLgKHIt_HLBHH[#H5E+LH81 MH+HmI,$tLH[]A\A]A^fH+tRHmuHEHP0fH+uHCHP0fDID$LP0H[]A\A]A^HCHP0@HEHP0nfHCHP0KLHLJ*H HQHHtCHMHQHHUtJI $HQHI$IT$D$ LR0D$ DHSD$ HR0D$ @HUD$ HR0D$ fff.AWAVAUIATIUSHH(HH5>Z#HL$LD$LL$H9t KHLHH!LQBHIH5om1H1DHIL>IHItnLH@HHJAHHY#H5i)LH81JI.I/ImtQH([]A\A]A^A_I.tJI/uIGLP0I.uIFLP0fDIELP0IFLP0@IGLP0qfIFLP0OLLHH.H|$LLzHH|$LLbHH|$HH{Htk?HCXHCH[H@fSHHs?HCH[H@fAWAVAUATUSHHGxLML1fH8t HHu>HIHD$fDMeMj11H=(0%Z1%HHHXHxLHS=HC8=E8IT$H'H:1HH<uH4H}HE@hHD$IHL[]A\A]A^A_1@IFLP0;H%HH[]A\A]A^A_ÿDAT11USHH HHT$D$dH%(HD$1[6uIl$1AL1HHD$H@=H{HT$ H6t1HT$H*tN11%HL$dH3 %(uHH []A\t$ L9tH|$E3x!HD$f.H|$HGP0f16ATUSHHH5jH0dH%(HD$(1HL$ HT$HD$D$=H{DL$ HT$LD$114uOl$1LcL0HHD$txH %?%HtHhHHL$8dH3 %(HuHH[]fD11֑%H(@ATHUHSH`dH%(HD$X15HI@1H.HHD$%Ht}Hh?@HEHHCHP0QHSHD$(HR0HD$(#H+t511%fDHCHP0n1fHCHP0&ffffff.HHH5[dH%(HD$1H-1tH<$91H1HL$dH3 %(uH'&H8HL IdH%(HD$(1HD$ HLD$H $HU[H$1.t@HD$ H|$1HPHHEL!Hcd1HL$(dH3 %(uH81@%ff.HHH5ZdH%(HD$1H,1tH<$0Hc0HL$dH3 %(uH'%SHH5Z1HdH%(HD$1H,tH<$)Ht#0HHL$dH3 %(Hu&H[fHYA#H$H5VZH81D2$ffff.SHH5GZ1HdH%(HD$1H,t<$.H9t)H/HHL$dH3 %(Hu)H[DH@#H$H5YH811$DATHUHSHPdH%(HD$H1M1HI1Ha*HHD$@HL$ LL$0LD$(H3_%H5YHD$Hj%HHD$HD$8H$1+Hu1HP1HHHL$HdH3 %(HP[]A\fHHHt|LH)H.IHD$ HL$8T$0Ht$(IHxHD$@L@#HHLtfH+t{HofDHEHHCHP0ufHSHD$HR0HD$(KH+t%11%fDHCHP0vHCHP0?"ffffff.SHH $HHcH`dH%(HD$X1HD$8LL$(LD$ HD$@HD$HHD$HDHD$PHD$HD$0HD$Hk%H$1*HD$8HT$@Ht$(H|$ HHHHD$0HDHP{*HHt[11H=i%*k%HtHXH\$XdH3%(u=H`[H=#H5H8j!1fD1@11F%!H)H=#HHUHH5VSH(dH%(HD$1HL$LD$HHD$HD$<(<$!th1HHH&HtvHT$L$HƋ<$%H؅t11w%H\$dH3%(upH([]ÐH$H-M%(Ht!Hp H=11@LPH=|%PAٹP1H5|%AWHH $HHUAVAUATUSH8dH%(HD$(1HULL$ LD$HD$ 1(1Hl$HH|$ IHDHD$LHHc.HI9H\$ E1H;l$L%L=DEEHL$ H9D:HfD:HH9uA0_.HHE06w IcLL{H:#HH+T$H5= HH81+1Ht$(dH34%(~H8[]A\A]A^A_H9tfDHDEE6LLHHL(Hf-HUHHEH$dH3 %(Hu?HĐ[]A\@H11lf.1@11~%?@UHH $HHLSHxdH%(HD$h1HD$`LL$@HD$@HD$HHD$PHD$0HD$XHD$XHD$`HD$(HLEHD$ HD$PHD$H6EHD$HD$HHD$H EH$I1 DD$`HL$XHHT$PHt$HH|$@!usHsH|$@HtH|$HHtH|$PHtvH|$XHtgu#H41#HHL$hdH3 %(uHx[]Ð1@11f}%~$@S1HHuH0#H[[11H}%ffff.SHHCH5]JHdH%(HD$1HB1҅t1WH<$HHu4OH<$vHG0#HH\$dH3%(Hu%H[fH<$B11p|%H.fffff.SHHHCH5IHdH%(HD$1H1҅t1H<$HHu4H<$H/#HH\$dH3%(Hu%H[fkH<$11{%H~fffff.USH%HHHHtHH[]Hd{%H1[]1HHcHDHHHiHHHHHHHHH|ALBH=o%HPP1 Hno%HfSHGHxuHC HHC [f HSHH=.#H5FH8HR11[@SHGHxuHCHHC[fHSHH-#H56H8HR1X1[@HHGxHH$@AUH W$ATUHHHH8SHdH%(HD$1LD$D$m-1 HHHEI܃xPHHcHfD1HNHH|$H5GHKHIHHHEIHHHEu HEHP0fHL$dH3 %(LH[]A\A]fD|$H5pF1vKHItHHCI,$1H+HtHmuHEHP0fDE1p|$H5F1KHItHHuD$H} Hw7H5N7H1HI{H1HI~(fHLHHHL9uIEIHHIEIELP0f.HCHP0 ID$L1P0fDI,$ID$LP0DD$H}H6H5o6H1HIH1HIEfDHLHHHL9u ATIUHSHHxHt HՅuIHHt LՅu4HHt LՅuH1Ht[HL]A\D[]A\ATIUHSHHHt HՅuAH{ Ht LՅu/H{(Ht LՅuH{01Ht[HL]A\fD[]A\ff.HH;=x)#tvHWHu,Ht1Ht$ Ht$HHHÐHH>H(#HRH5H811HDHff.H(dH%(HD$1HH$HGHD$HGHHD$1u#HD$Ht1T$t)8t$H= 4@HL$dH3 %(uH(H=3 DUSHe HHt%HHHHt*HH[]HH=UA[]fD1UHSHHDHMLV%I1fHHAHL9uH1nHtbH}Hp$tFLV%LL@HILtDHHVuHL9uH[]11USHHrHtHx H[]fDH HHt HHHHH[]HHH >[]10Hf.SH dH%(HD$1HH$HGHD$HGHHD$1uH:HL$dH3 %(uH [@{ ff.HHHHHH7 H.HcHH=@ @SH HHHHp$H=@1H HQHHuHSHD$HR0HD$H[H=?, @H=? @H=? @H=Q @H=? @H=? @H=? @H=?1GHH=O?[ ffffff.AWAVAUATUSHHaGVHK, HIfHHH9QE1HAH9uIc HIM}I?HtG1ۃA u8HtHLHIcHIH8H1[]A\A]A^A_1Ho%HH=>[]A\A]A^A_1f.SH h$HHHH=HdH%(HD$1LD$D$1t t$H{HL$dH3 %(uH[fH8HLL%dH%(HD$(1HD$HLL$ H=H $D$H$11tHD$ t$HxZHL$(dH3 %(uH8D;ff.HGHHtxH!#H@HGHHtxH!#H@HGHHt8ifH!#H@HGHt8@HGH5<HPH!#H81HGHt'HHHtHHD1HÐHGH5G<HPH #H81HGHt'HH;HtHHD1HÐHGH5;HPHb #H81pHG Ht'HHHtHHD1HÐHGH5;HPH #H81 AWH $AVAUATUSH8H|$LD$$HdH%(HD$(1HH+D$$W tl1HHt]HD$Hx H=5;HHD$1|$$1HI>HHtHH tHH+]Hmt'1HL$(dH3 %(H8[]A\A]A^A_fHEHP0@L(HD$HH1HD$LsH=:1L|$$1HIR>HIhHH[LH|$H>IŋD$$H*H5v*LH1HHHE1 HI~$DLHIHHM9uH+Mt ImIFH9D$dL;t$L HCHP0HmMImuIELP0Hmgf|$$11#=HH9HH,pIELP0JfHCHP0"H@HGHt'P0tHx(t Hx 6Ha#H@HGH58HPH#H81HGHtHHGH5O8HPH#H81 ATUHSHudH%(H$x1HHHt8H}H 31"H$xdH3%(HĀ[]A\HE @f$HHPHHT$HD$uSLd$pHLuLuhHEf $D$HD$f$D$D$AWI׉AVAUATIUSH(HH9HFDD$ HHIL1E11%DAAt H~IHHL9t u*@HALLD$HILD$MMM $1E1Au A)I@ttIHtk|$ v"D$ uxHt$LL$L|$ uaIc?Ht$LL$w Ht$HLHNHL$Ht$LL$IIM9aLH([]A\A]A^A_H#T$ H5>H81 I.tF1H([]A\A]A^A_DHt$LL$e@IHt$LL$IIFLP011[Hdffffff.SH X$HHHH 5HdH%(HD$1LD$D$1t$H{DD$H6% HxvHL$dH3 %(uH[[ff.HGHt/PtHxt1H?AH#H@HGH54HPH#H81 Hu HGHG HH#H5H8HHf.SH dH%(HD$1HH$HGHD$HGHHD$z u&Ht$H|$GHT$dH3%(u!H [ÐH#H5:H8z11HdH%(HD$1Hx?G H9}7HGH|$0D$HT$dH3%(u&HH#H53H81fUSHHHHdH%(HD$81HFHP`HtGt>H0t4He#H0HHHHfH;#s HL$ HT$LL$0LD$(gHt$0HH|$(1H[HHtVH H|$0HL$~14 @4HHL$(H9T$0H!HPH-#H5H81,1H\$8dH3%(uZHH[]HD$FH1Ht$Hu͋C HHH{H|$H=A/1ff.HStMHFtHHrHC1[f.HPHe#H5NH81d[HF#H5H8[HStEHFtHHC1[HPH#H5>H81[H#H5H8[HSt?HFtHHC1[H#H5*H82[Ht#H5H8[fffff.H(dH%(HD$1HH$HGHD$HGHHD$u't$H|$1HL$dH3 %(u!H(fH#H5H81ASH_XHtHH1H[H#H[SH_PHtHH1H[pH#H[SH_HHtHH1H[@H#H[SH_@HtHnH1H[Ha#H[SH_8HtH>H1H[H1#H[SH_0HtHH1H[H#H[SH_(HtHH1H[H#H[SH_ HtHH1H[PH#H[AUH $ATIHHHUSH(dH%(HD$1LD$D$r1HH_Ic|$XHHB|$H5-HI1HIHHRJH+pIc|$HH|$H5p-H0HIHHH+-1LHH|$H56-H0HIyHHH+1LBHHL|$H5,HS0HI'HH\TH+1LHH|$H5,H0HIHH H+u HCHP01L8HH|$H5w,H/HI}HHH+@1LHHP|$H5@,HW/HI+HH`XH+u HCHP01L.HH|$H5+H.HIHHH+u HCHP01LHH|$H5+H.HItHHH+u HCHP01L"HHtP|$H5+HW.HIt/HHdI,$uID$LP0f.H+tRHmt#1HL$dH3 %(u~H([]A\A]fDHEHP0@ImuIELP0DHCHP0HmuDHCHP0HCHP0HCHP0nHCHP0EHHPHHHHHSHl$HR0HD$/HCHP0AWAVAUIATUSHHHcHHjIc}HHU1LHIG1LHIY1L_HH1LH$HIH $E1LHL$H$HIL$HL$}1LHL$HD$iHHD$L$LL$HL$e1LHIL$LL$HL$1LHIL$LL$HL$tH=niHHD$ L$LL$HL$L HIL$LL$HL$LT$ 1HHLT$8LL$ LD$HL$H$OL$HEHھL6L$HLLL$I$LLHL$L$IHLHL$LD$L$HLHL$0LLD$LD$LL$ L$ILLD$(LLL$LL$L$HT$ILLL$ lHD$L$LHLOL$IL L7L$LT$8IELLL\$LT$HH$LT$L\$LL$ LD$(HL$0QI*MI+ICHL$ LLL$LD$P0HmHL$ LL$LD$ueHEHL$ HLL$LD$P0HL$ LL$LD$;E1E1HD$E1E11E1E11H$HtHmtHt H+Mt I,$Mt I.WHt H) Mt I(Mt I)HT$HtHHD$HHHtDMtI/t)MtImu IELP0H$HH[]A\A]A^A_IGLP0@HBHP0@ID$HL$ LLL$LD$P0HL$ LL$LD$$fHCHL$ HLL$LD$P0HL$ LL$LD$IALP0I@LL$LP0LL$HALL$HLD$P0LL$LD$DIFHL$ LLL$LD$P0HL$ LL$LD$|E1E1HD$E1E1fDE1E1HD$E1E11E1fE1E1HD$E1E11@E1E1HD$E1E1IBL\$(LHL$ LL$LD$P0L\$(HL$ LL$LD$fE1E1HD$[@E1E1LH$UHSHH|$HD$dH%(H$1.t*HK#HH$dH3 %(uKHĸ[]fHl$H|$H5#H\$@HH+$HHd+H뢐 ff.UHSHH|$HD$dH%(H$1~t*H#HH$dH3 %(uKHĸ[]fHl$H|$H5#H\$@HRH{$HHd{H뢐[ff.HHdH%(HD$1H$ tJ t5H#H5g"H8OHT$dH3%(H$u%HfDHfDHUSHdH%(H$1_H5#HHH\$0hH$HdHH H$dH3 %(u HĨ[]WHHǀpHHh`HHHǀH*Hfffff.HHHhH*Hfffff.SH?Ht;HH[HtHH[Zf.H;Ht HH/t [fHG[H@0DH8dH%(HD$(1HD$ HD$HGHD$HGH|$HD$ 0uTt$ @u*H|$HL$ 1aHT$(dH3%(uCH8@Hy#H5rH8"1fDHY#H52H81fH8dH%(HD$(1HD$ HD$HGHD$HGH|$HD$ puTt$ @u*H|$HL$ 1HT$(dH3%(uCH8@H#H5H8b1fDH#H5H8B1fUSH8dH%(HD$(1HtmwtfLGMt]Aunà u(HLD$HD$HGH|$HD$ H=1H=HL$(dH3 %(^H8[]ÐH I1L/D<wHRkHcHKD@+zfDjfDZfDJH1( 7(H_#H")@[ fDt$ H|$H `1IHHHeH=H‰1BHMHQHHUtHHUHD$HR0HD$DUSHHHdH%(HD$81HGH $HOHD$ HL$ Ht)Hj#HH\$8dH3%(HH[]1HH|$Hl$ 0)ЉHHD$L$AHHV|$H$Ht$HD$ HD$Ht$(HD$0FxPT$0D$9sD$01wXD$0tT11DDHD 9ȉT$0w‰T$0DwH 1HH1]ffff.AWHL4)%HH $H[AVAUATUSHHdH%(HD$81H LL$(HD$(D$ D$$HD$0HD$0HD$HD$$HD$HD$ H$1H\$(1EHIHktyH{<GHDhHcH@|$ 1LHHt*HLLt(H+uHCHP0fDI.u IFLP01HL$8dH3 %( HH[]A\A]A^A_HIDMIE^L1tHIgf.HL9tTHL|$ 1HHHIOHLLH+uHCHHP0L9uIEHPLHIUIULt$LR0HD$fHI(HIH$LHT$0t$$HIH=MdI@HIHIHIHIHxIxHIhHIXs HL$0T$$?I?I,$ID$LP0LG(t@t+tHDw HH 1H_UHSH9HHt!H)HHHH[]@HG%H1[]1ffff.UHSHHH~H59%%H9t ot{H}HtBU K u(tD9rPHt;HsHt2H[]79ʸvH[]H{ufH1[]fHI"H5-H8ATIH5$%USHHH9tFu;H;L"tBHCH%H50HHH"H81[]A\@I$[]A\@I$[]A\fffff.ATIH5#%USHHH9tF!u;H;"tBHCH#%H5HHHU"H81[[]A\@I$[]A\@I$[]A\fffff.ATIH5D%USHHH9tFu;H;,"tBHCHO#%H5HHH"H81[]A\@I$[]A\@I$[]A\fffff.ATIH5&%USHHH9tFu;H;"tBHCH%%H5HHH5"H81;[]A\@I$[]A\@I$[]A\fffff.AWAVAUATAUSH(H|$1Ht$HHt5H51D5HHtHHBtFHmt'H+t1H([]A\A]A^A_HCHP0@HEHP0H+ufD1\HHtHD$HD0HD$L(DHƿL9HHHISHmL1AL$HHD$ $xHH;l$teHL:<$1HIHIHH#cI/uIGLP0f11B%@Im\H5U1DHHHHw1HHfHD$HD8HD$L(DHƿLHC HFHI HmLE1IAD$M$IM9LL<$1HHHIHHHmuHEHP0fDI.wIFLP0hHEHP0IELP011xA%IEHPHHIU$IUH$LR0H$ I,$ID$LP0HEHP0fAWH $AVAUIHHH=ATUSH(dH%(HD$1LD$D$tc1HHtTIHIHt7|$H51mHItHHztvI,$t_Hmt@H+t*1HL$dH3 %(H([]A\A]A^A_DHCHP0@HEHP0H+ufDID$LP0D$HdH5;HH1HIfHE1HI~!fLLIHHM9uI.Hm|$H51ZHHHHcIHIHH HHIHmOLE1zHHD$IL;d$ttLLHŋD$1HxHIZHHHmuHEHP0IFLP0fHEHP0I.IExT$Hp HxIHML1QHI~(fHLHHHL9uI$HPHHI$IT$H\$LR0HD$I/mIGLP0^HEHP0IFLP09sHHHH ¦$HLL$LD$dH%(HD$81H D$HD$HHD$H5%HxH9t6t2HD$HxT$HwHHL$8dH3 %(uyHHH|$tFH|$HT$Ht$HD$%u!HD$H|$ HD$(HD$D$01H"H5H81wZf.UHHHLo%H ة$S1H8HT$LL$ D$dH%(HD$(1H$H HD$ t?HD$ H}T$HpHxxHHt@11H=$$HtHhHHL$(dH3 %(HuH8[]f11;%H|fff.AT1A1UHH=%S%HHt=EuHhH[]A\@HHHCu[]A\1HR;%1fff.HDATHUHSH dH%(HD$1HD$4HI1HHHHT$H5 1H/Hu8HP1HHHL$dH3 %(H []A\fHHHtdLHHH|$HIHHLtaH+tv1Hf.HEH>HCHP0@HSHD$HR0HD$A{H+t%119% fDHCHP0{HCHP0offffff.USHHH_ x(Ht#1HuCHtH9t6HH[ H9}H"H5kH8SH1[]f.11H=$7$HHt2H;HEHCHECE HCHE0HE8HE(HH[]ff.HGHHtx3'HQ"H@HGHHtx'H!"H@HGHHt8&@H"H@USHHHǘJHHt"HzHHHH[]DH"HH[]fffff.HHHtHH"fHa"HHHGHt8MHGH5wHPH"H81ATIH5"USHHH9tFau;HCuNH;"teHPH"H5{H81[]A\fH߽H,[I$]A\H@E[I$]A\f.KI$SHH5H dH%(HD$1HL$HT$HD$HD$tl1@HHtXHpHtKL$HT$Hƿu!Ht$dH34%(Hu"H [11.6%HА1SHH5H dH%(HD$1HL$HT$HD$HD$@tl1 0HHtXHHtKL$HT$Hƿu!Ht$dH34%(Hu"H [11n5%HА1'SHH5RH dH%(HD$1HL$HT$HD$HD$tl1pHHtXHHtKL$HT$HƿUu!Ht$dH34%(Hu"H [114%HА1gSHH5H dH%(HD$1HL$HT$HD$HD$tl1HHtXH0HtKL$HT$Hƿu!Ht$dH34%(Hu"H [113%HА1SHHH5HdH%(HD$1H1҅tH{H4$t'H"HHL$dH3 %(HuH[H"H&fDUHHH5~SHdH%(HD$1HH$taH<$ jHHtPH}H|H߉t&H"HHL$dH3 %(uH[]@Hq"H1ffffff.USHHHHt!HHHHH[]@Hi2%H1[]1DHHHtHHfH"HHHHcHtHHbfH"HHSHHSuH{Ht!pHx[4@[11H1%f[H=1SL %HHH5HPHL$(HT$LD$ dH%(HD$H1H $H HD$(tkHD$(1HSH\$0HHHD$ IHxHHEH|$u&H H\$HdH3%(uHP[110%@1SHHH5*H@HL$HT$LL$(dH%(HD$81HL$HL$0LD$ H $H Et\HD$ 1H{DL$LD$0Ht$HHHHEHL$(=Ht0H nH\$8dH3%(u"H@[f.1@10%fHHuH"HHH/%H=@1HfHHtHP"HHH/%H=H@HHtH"HHHY/%H=H@HHuH0"HHH"HHHHSuH"HHH"HHHHuH"HHHA"HHSHHHHKH HQHHt4uHY"HH[H"HH[HSD$ HR0D$ @HHuH"HHH"HHHH#uH"HHHQ"HHHHӿuH"HHH"HHHHsuH@"HHH"HHHHuH"HHH"HHHHuH"HHHQ"HHHHsuH"HHH"HHHHuH@"HHH"HHUSHHH߉蓿uH"HH[]DH"HH[]fDHHuHP"HHH+%11HSHL5 %HH $H H@dH%(HD$81HD$LL$D$H$1#1t8HD$H\$ HHpnu9DD$t$0H{H}$HL$8dH3 %(uH@[D11*%SHLu%HH $HtH@dH%(HD$81HD$LL$D$H$1c1t8HD$H\$ HHpmu9DD$t$0H{H$HL$8dH3 %(uH@[D11*%USHHoHt$H1@HH9HuHH[]HGH5HPH"H81H@Ht3USHpHHt0HHHuHH[]H=I@HH=5[]fDHf.H wmHGHc HHHHwHH韴HH鋿HH+HH+H "H5H81 1HfDATHUSHHH@HHu0HItHmtQHtHHPHHtM[]LA\DHu HDHP$Hu$H=1HmIuHEHP0@HCHP0[]LA\fDE1ff.AUH $ATIHHHUSH(dH%(HD$1LD$D$}1޸HHI|$HϳHH|$H53H HItxHH-HmID$Hx0|HHtK|$H5HHIt)HHI,$uID$LP0@HmtQH+t#1HL$dH3 %(H([]A\A]fHCHP0@ImuIELP0DHEHP0H+ufDHEHPHHHUuHUH\$HR0HD$rHEHP0ܼfff.SH x$HHHHHdH%(HD$1LD$D$H{HT$HCHcH? fHL$dH3 %(H[fDfHH f˲fHq"H5H81x1@1yfHCH5HPH2"H81@K薻fDSHHHtHt1[HCH5w[HPH"H81HCHH=~[Hp1Nfffff.HGHtHHGH5HPHz"H81USHHH5 HdH%(HD$1HU1҅tQH<$64ō@v3HCHt*HHu f 9t7HtH;HuH"HHL$dH3 %(HuH[]@H"H.fffff.ATUSHHH5GHdH%(HD$1H1҅thH<$t3ō@vJHtDLc Mt;I$Ht2HHu;9tGHtH;HuIuH"HHL$dH3 %(HuH[]A\fH9"HNfffff.SHHSiHt[@HCHH=^[Hp1.fffff.fffff.ATHHU„HSHu6HtҸt[]A\HHt1x[]A\Du-HtfHuH{su[]1A\HxhHImhMHH@tdu{Hs$I|$$I$HPHI$t&HHPHHt$15(ID$LP0HCHP0ЄuI,$u ID$LP0@uH+u HCHP0H-"H5>H8ַfff.UHSHHH~H5$H9t t+HsH}^EH[]f.H"H5dH8ZUHSHHH~H5$H9t CHuHKHH@HHHH:1HH<uA@HH:1f.HH<uA9BHH)Hu-3Ht&HuHt=ugHHtH;Hu1H[]@@@1fDfDE1>1dfE렄H-"H5H8εq@HHcHtHHfH1"HHHHHtHH¹fH"HHHHHtHH钹fH"HHHH3HtHHbfH"HHHH3HtHH2fHq"HHHHSHtHHfHA"HHHH蓲HtHHҸfH"HHHHHtHH颸fH"HHSH$HHH5YHdH%(HD$1Ho1҅t H$H{HpHu$H"HH\$dH3%(HuH[11%H|fff.UHSHHH~H5i$H9t tHHsH}[]H"H5H8ZH[]fffff.UL$HH $HHSHnHdH%(HD$1I߻tH$H}1HpȹHHEt1HL$dH3 %(uH[]1%uDAWHAVAUATUSHH8H|$(H?HtHH/HHD$ H|$ HɾHIE1H8IK<uLMHHD$E1M'K11H=t$HD$$HHtcHhH%8HHD$CHItHT$HH軵tgHt$HHC211%H+H|$ 1肳HL$HHD$HHHH8[]A\A]A^A_ÐHD$IvHHP;uHD$Iv0HHP0icHt$HLs良H|$LHI蕷M9HD$(HL$H8HHtH/tAH|$ 1Ų1H8[]A\A]A^A_@HCHP0HGP0@HGP0H|$ 1}1fH|$HGP0H=1H%H|$ 1D1SHHD$9H|$ 1ffffff.SH $HHHHEH@dH%(HD$81LD$HD$衸HD$HHxH5P$H9t膼t2HD$HpH{HL$8dH3 %(H@[fDH|$tQH|$HT$Ht$HD$uu)HD$Ht$ HD$(HD$D$01@HJ"H5[H8a蜮fff.ULx$HH $HHSH%HdH%(HD$1IotH$H}HpHHEt1HL$dH3 %(uH[]H=A%fUL$HH ΁$HHSHHdH%(HD$1I߶tH$H}Hpʰu1HL$dH3 %(uH[]H=|1%uDSH跪Ht"H5HCHt$HH[2fH"H5H8j1[fDAWIAVAUIATUSHHԭH=AHH\Ht sL5"ILQHIe HH1LHrLHbHH跲HHH@H= 1E1AC1H+'Ht Hm7Ht H*D@E}LH[]A\A]A^A_f.H{H ~IfDH8Hd1HHHD$ҬHT$HJHuH;["H=#H=o"H9xH=ƠfIHP1HI2IVHD$LR0HD$fHBHP0HCHT$HP0HT$HEHT$HP0HT$H=1E1A蹦@H=)1E1A虦ԫ1LhH身D袦1bE1H;A"AHu E11 teHHT$HIHT$tRHHT$HH蠱HT$IFHHT$AFH=fHXH螨HT$@AWAVAUATUHSHzH=D$*HHD$HHEH=+1A^虪L豮HHHI 1HHE1IA~5IcH5HLHHӯEGAMcM9H|$HHHH@H;"HpH=1A衤Imu IELP0H+tmHtHmtn|$襤HD[]A\A]A^A_HȵL`L謭HHH=11E1/D1E1H+uHCHP0뇐HEHP0E1H;-"AAIf.A|D諭Ht1|$E1;H=ɝ1E1蟣ڨH=艣SHH=cH5lHH{H;HEuH{Eu)H"H[@[H=1HW%D[H=1H?%DHH裬uH"HHH %11HSHH$H5HdH%(HD$1HH$*1҅t,?H$HHzu3H3H4"HH\$dH3%(HuH[11f%H$@HStKHH_t3uC1[H"H5H8"[C[HX"H5H8[fSH x$HHHHHdH%(H$1H$LL$PLD$HHD$HHD$PHD$8H$HD$XHD$`HD$hHD$0H$HD$pHD$xHDŽ$HD$(HD$xHDŽ$HDŽ$HD$ HD$pHD$HD$hHD$HD$`HD$HD$XH$1ҭBHt$HHt1Hv%Ht$PHt1HIHt$XHt1H%Ht$`Ht1H?&Ht$hHt1Hb'Ht$pHt1H(Ht$xHt1H)t{H$Ht1H*t_H$Ht1H+tCH$1Ht1H-H$dH3 %(uHĠ[\fff.HH裠uH"HHHY %11HSHHH5\H dH%(HD$1HT$HL$HD$v1҅t!H{T$Ht$莯u*H"HH\$dH3%(HuH [fD11 %H|fff.HHuH0"HHHy %11HUH$HHH5S1HdH%(HD$1H蜩t.H}ߝHHtW11H=l$$Ht!HhHHT$dH3%(Hu6H[]H)"H5H$H8ҡ11 %H|fff.SH$HHH5HdH%(HD$1Hߨ1҅t H$H{Hp訡u$H"HH\$dH3%(HuH[11. %Hfff.HHL$HH xs$HdH%(HD$1IH$tMH$HtLHxKu'HX"HHL$dH3 %(u.H11 %@1@3H9fHHL$HH r$HqdH%(HD$1IH$tMH$HtLHx蛡u'H"HHL$dH3 %(u.H11%@1@胥H艟fHGuHD"HHH%11Hffffff.HHH5dH%(HD$1HT$踦1҅t|$ u%Hֻ"HHL$dH3 %(HuHf11%H̞fff.HHH5KdH%(HD$1HT$81҅t|$艜u%HV"HHL$dH3 %(HuHf11%HLfff.H(HH5dH%(HD$1HT$ HL$LD$讥1҅t T$t$|$ תu#Hĺ"HHt$dH34%(HuH(11%H輝fff.HHLr$HH (p$H^dH%(HD$1IH$葦tMH$HtLHx苩u'H("HHL$dH3 %(u.H11^%@1@H fHHL$HH ho$HdH%(HD$1IH$tMH$HtLHxu'Hx"HHL$dH3 %(u.H11%@1@SHYfH׫uHt"HHH "HHSHH5HdH%(HD$1HT$藣1҅t+|ËD$1@9u=u)H"HHL$dH3 %(Hu*H[DH"H11%H脛@H藦uH"HHH9"HHHHH5ʒdH%(HD$1Hʢt\H<$t9H4$H=kx;Hַ"HHL$dH3 %(u$HDHi"H5H8 1H(HH5jdH%(HD$1HT$HL$ 31҅t%D$ H|$1@臣u#HD"HHL$dH3 %(HuH(11~%HH<$=Pv-莟Ht)HHL$dH3 %(uH@1@1$fD[ff.HHH5dH%(HD$1Hʝt>H<$Pv-Ht)Hx 萚HL$dH3 %(uH1@1$fD˕ff.HHH5tdH%(HD$1HH$2tdH<$腟tAH4$H=>fxCH=AH2"HHL$dH3 %(u HÐHɱ"H5PH8j1!SHgHt&H5HHtHH[Bf1[H]"H5yH8[ffffff.ATHUHSHdH%(HD$1H$HI01HHH5I1HHHu3HHH1HL$dH3 %(H[]A\@HHHHL訚H<$H-հ"HH9DH=hHItH= H衣I,$H4$H=FdSH=H/d$p$HHM@IEh 聘HHCC(ȜHHD$ H|$HKHPHD$Hp赛Ht.詍H+u HCHP011$Hf.{HL$(dH3 %(HuHH HQHHtfH[]H5HHt$HHMHQHHUtktH닐Hi"H5H8 H1[]ÐHSHD$HR0HD$H[]DH+uHCHP01cfHUD$HR0D$~fSHH Y$HHH@dH%(HD$81LL$LD$D$@H|$~HHHNjD$ug"HD$(HCH|$ 1D$ D$0HtNH HQHHuHSHD$HR0HD$HL$8dH3 %(u?H@[軍Hc\HuH+t1@HCHP01UDAVH 7Z$AUATIHHHUSH@dH%(HD$81LD$HD$*HL$H6HyH5$H9t?HL$HHI|$fHID$xIT$I\$HHHH~"I|$ĉ\It$xI|$HHp"裉;ID$x1HHp0( Ml$xM$M(IHH+HuDHH+HH0=uHEI}HHH"L1HT$8dH3%(H@[]A\A]A^H|$H;=d"t腐H|$HT$Ht$HD$uPHD$Hl$ HD$(HD$D$0zIDŽ$1iD11N$PFxH=A}1!$#Hh"H5|H8 1$訄HOHutfHHHH"HIHH5|H811HfDAWHH [$HHAVAUE1ATUSHLQ"dH%(H$1HD$\LL$`HD$`D$\HD$hH$1HD$pSH|$`IHHHD$HHHD$MHD$xH\$E1HD$ HD$hHD$(H$HD$0HD$pHD$8$E1IHD$HBiHHHyMHDŽ$HD$xtFH5L蜊HIHT$ Ht$(HN=I/u IGLP0H|$HtCH5tOHI}HT$0Ht$8HI/u IGLP0HD$xIH HCH$HCHCHcD$\HHkM9H|$`LHD$hHD$xHD$pHDŽ$HH@HMIH@H1HIHeHHD$@ӂHD$IHT$@SDI/u IGLP0H|$E1k~H$dH3 %(L}HĘ[]A\A]A^A_HHD$@VHIFHT$@HD$HHH"H5yLH81舎kHl"H5yLLH81eHHHHE"H5yLH81A$HH""H5yLH81HD$E1LPDHD$L1HHHxLtHxIII9~HH\$McHt L;u6IQHHHH L;BuH~t HvH9HLHI9HHHHHLL9~DH8t HH+pHpH H9uI9~IIH|$HHD$1HfHHPH HpHT2HPHH9uHq1zHHD$ H菅MIL|$Il$E1fDH|$`LHD$hHD$p!IIGIHD$xIWHcHH$IO1@A HH9HD$xLHHL4 @HC L9uH$u(I9}A III M9JLl$ LϾH5<HHH艄IL$HD$pL9s'LHfDHrHL9@quH)IHlH+bHCHP0SLϾHL$LL$H5H肅HIIL\$xHD$hLL$HL$L9s'HHDHDRHL9DVuH)HMI.IFHL$LLL$P0HL$LL$}LlIFH5 wLHHH"H81ÊIcHD$H5*wLH@HHH"H81莊q{IŐp1X@|ff.ATIHH T$UHHH}SH dH%(HD$1LL$LD$D$D$菅t$H=1UHH1HLHHtwH+T$H=1HHHt`11HHt?H HQHH|HMHQHHUuMHUHD$HR0HD$7DH+u HCHP0HtHmuHEHP0f.1HL$dH3 %(u=H []A\DHSHD$HR0HD$kHCHP0<{fff.HHHH= [ff.H!$HH= 18HHHH="ff.HH$H=o"1HHHH=@ff.H$HH=1HHHH=ff.Ha$HH=o1xHHHH=@[ff.H!$HH=18HHHH=Piff.H$HH=/i1HHHH=ff.H$HH=1HHHH=Bff.Ha$HH=oB1xHHHH=PV[ff.H!$HH=/V18HHHH=Zff.H$HH=Y1HHHH=ff.H$HH=1HHHH=p"ff.HH^$H=O"1xHHHH=2[ff.H!$HH=218HHHH=@5ff.H$HH=51HHHH=ff.H$HH=߸1HHHH=@eff.Ha$HH=e1xHHHH=[ff.HHHH=s;ff.H$HH=_s1HHHH="ff.H$HH="1HHHH=ff.HHHH=pYff.Ha$HH=OY1xHHHH=-[ff.H!$HH=,18ATHH$H5MpUSH dH%(HD$1LL$LD$HH$HD$HD$;}1҅H|$H5m0}HHt_H|$H5}HHt*H{HI|{H$HHzL虁umHmu HEHP0HtH+t1H"HHHL$dH3 %(Hu?H []A\HCHP0H"HHfD11$Ht@ATI0UHSLxHHt4LHHxu"IT$HsHxu H[]A\D[]1A\fAWAVAUATIUSHdH%(H$1H~u1ILAuHPHLELwH I1HL=-$fDHH I9~}ID$LHH@hPHxHL9tH5$À+HuI~.pHHT$@HD@HmuHEHHT$8HP0H HT$8~fDH tHHXfHHH9uH$I~LL$`LD$XHL$PHT$HHD$(H$Ht$@HD$ H$HD$HD$xHD$HD$pHD$HD$hH$1XtHIF1H$dH3 %(HĨ[]A\A]A^A_11$Hmt9HEH5mHHHH׎"H81HmuHEHP0yHT$@HH"H5l H81Eq11$kf.AT11UHH=ϥ$SH$HHtfL`1HLru7H蚶HHC@tIH}1膶HHCHt5HH[]A\Ð11$H+u HCHP01H[]A\1LHD$IqHHPHHuHSHR0HD$fAWAVAUATUHSHdH%(H$1t$s1HIHkHHlH|$1Hɍ"H<$L4$HHLLjLHx~|$H5M1HgHI}HHptXD$H̘H5HD$ 1wHI9HE1H%MeI$.H=hA$IE Imu IELP0A@Me(I$fMe0I$fI>SHtH5H=`$HHD$(11[LD$(IHQHIuIPHD$(LR0HD$(HIE W+eIH=֛1A$E1H=1$[DATLgUH1SHLVH{HUL_uTLc01LVH{HU L_u2LcH1LVH{HU8Ld_1҅HD[]HA\@[1]HA\fDATH 2$IHHHUSHdH%(H$1HD$ LL$LD$HD$HD$H$1HD$ cHD$HHxH5e$H9tgsHD$HXHT$HHzH51$H9tggHT$HjHL$ HHyH5$H9t3gHL$ HH|$H|$H|$ HDŽ$HH$LH$HCH$HCH$HEH$HEH$HEH$HH$HAH$HAH$[HH$dH3%(6H[]A\H|$Hu"H5TH86Y1fH|$cH|$H$Ht$pHD$p>V&HD$pHT$H\$0HD$8H$H҉D$@ADHL$ 1H`1wfH|$VcH|$H$Ht$pHD$pUHD$pHl$PHD$XH$D$`fDH|$ bH|$ H$Ht$(HD$(NUu:HD$(HL$pHD$xH$$1?fDfDH|$ hH5m"LYHHs"H5RH8WHs"H5RH8_WHs"H5RH8?WVU11HH=$SH$HHt-HHYHtHH[]@H HQHHtH1[]HSHD$HR0HD$f.AT11IH=$UH$HHtNI|$1QHHEt(I|$ 1NHHA}|$H5"HH蓏HI_HHW4Ht H+AE==s=AE1H5^|$"HHHH+WD$IU 1xHHHHVIEHx`|$H5E}HH诎HItHHVuXHtH+u HCHP0IU(|$H5lHHtGHHyVu2IU0H5DI,$uID$LP0fDHtH+t5Hmu HEHP01HL$dH3 %(H[]A\A]HCHP0@H5ӈ|$轍HHtHHU"zDHCHP0$fH51ҋ|$nHHEHHwUH';DH5 @H5^Qffffff.U11HH=u$SHw$HHt?HhEt:t HH[]H} MHHC uH HQHHt1H} ZHHCu@HSHD$HR0HD$f.AUIHATUHSHHdH%(HD$81HD$0]HI1HVHL$(HT$ LL$LD$H5HH1Wu7Ht H+H1HL$8dH3 %(HH[]A\A]Ht H+`LH1VHHD$ H OHu1H:%[IċD$T$I}E1Ht$ HL$0H$AE1AHMHHLKHt H+H|$0qTHH11H=f$g$HIHh*THHH1HULHUHfHCHP0HEHL$(HT$ LL$LD$H51HHUiH+HCHP0fHl$(H5$H}H9tF[Hl$(HHl$(H5}$H}H9t[uH|$ HHD$(L%}$HH@LhHSHH6j"H5IMLH81/[HmHEHP0DHCHP0V+J11$e@H|$ HHD$(L%7$HH@LhfHi"H$H5aIMLH81Z Lffffff.AT11IH=@o$UHmp$HHteI|$ZHHEtbLVHIt"HRHHE tiHH]A\fD11$HmuHEHP0DH1]A\fDHMHQHHUuHUHD$HR0HD$뛐LHD$MHEHPHHUuHUHR0HD$hfffff.HHǨPNHxH0CNS11HH=$$HtHX[HQHtHHLfDHQh"HHAT11IH=pj$USk$HHtg LSHHHEtGI|$0 8HHHEt,ID$ HHtAT$(tE H[]A\Hmt1H[]A\HEHP0H[]A\fDATH !$USHHHHXHdH%(HD$1ISt}H<$ AtlHCH(Hu!fHItA9tgHtH+HuD9HHt_HYPHHf"H5FH81WH+t*1HL$dH3 %(u2H[]A\DHPYHCHP0H<$)IHIffffff.ATUHSH@OHIt^H}@~a11DHU01H<艎Ht3HHLFPHH9]@~,}8uHEHHHH(|$H5!H蕄HIHHL.H+\It$@H=1iRHH|$1H?HIHHHLH+I|$@E1hDID$0JHHLEHD$GHHt$HCHH1H8t HH<uHwDLJH'I.}IEHL`GH5EHI.u IFLP01fHCH?H1H8tHH<uHL$ HT$LL$0LD$(L @xH|$0H2;HItH|$0Ld$1DLd$(HH9l$0LHHHLFuIm3IELP01DfL:H\"H5GH8J@1IEH5<HPH}\"H81M1@LIFLP0t1I:1f1/@?ff.AU11ATUSHH=,$HdH%(H$1D$HItdHtoH+Ht^HuHtULd$01 DHtV QHuIHt5I};HI$u13$Im11HcӃHD0 ~H$I}LL$PLD$HHL$@HT$8HD$(HD$xHt$0HD$ HD$pHD$HD$hHD$HD$`HD$HD$XH$1 @HIEt7LH$dH3 %(u*HĘ[]A\A]DIELP0111 >ff.HHx1HW Ht(H:Ht 1Hu =DH9t3HH1HfHGAWAVIAUATUSHHHH~dH%(HD$81HW`HtOtFH0tCHHH5tzHDuHI4HH=AH+OID$H=t~~hH=Z|H=[hI|$(豝HHt)HH5zHuID$LP0f.1[]A\A]A^DH= t H=I|$eHItH@HP%DHI$HHI$tHH5yHDtHIt.HH<I,$uID$LP0fH+FHCHP07ImuIELP0DHCHP0fIt$H=xH|AHH>HI|$(HHHH5xfDH+uHCHP0HID$LP0HHǘBAWH ' $AVAUATUSH8H<$LD$$HdH%(HD$(1HH_D$$?1 1HHt8|$$H5 v1orHHtHH|:HmE1E11E1Ht H+Mt ImHt HmMtI,$tCMtI/t(1HL$(dH3 %(jH8[]A\A]A^A_IGLP0@ID$LP0HCHP0rIELP0rHEHP0rHEHE1P0(fDH$H@HHD$_kHHD$@HILD$LHHD$2HILD$LL$>H=]LHHD$1LL$LD$|HILT$LD$LL$pD$$H5GvLLD$LT$LL$xpHHLL$LT$LD$0HH8LL$LT$LD$I(OI)I*mI.TH$H@HHD$/jHH=]HHHD$1{HILD$D$$H5yuLLD$LL$xoHHLL$LD$VHH7LL$LD$I(+I)H$H@H HD$AHHD$D$$H5l1ҍxIoHHLD$t#HHQ7LD$HmE1E1E1E1DE11E1I(tZMtI)toMtI*t4MI.IFLP0E1E1f.IBLP0@I@LT$LL $P0LT$L $fIAL$LP0L$zfE1E1E1JE1BHEE1HHHE*HELD$HLT$L $P0L $LT$LD$I@LT$LLL$P0LT$LL$IFLP0IBLP0IALT$LP0LT$aHmBHELD$HL $E1E1P0E1L $LD$pc1IALP0I@LL$LP0LL$L$HEHE1E1P0E1E1L$ D$$HYH5YLLD$H17HHLD$HE1:HILD$~)LHLD$I?HH4M9LD$uHmI(H$H@HPHD$tHH+LD$LLD$E1q*LD$HD$L;t$}yLLLD$(INjD$$1LxbHLD$HHLD$HD$*LL$LD$/I/uIGLD$LP0LD$IImtNE1HmuHEL$HP0L$IHPHHI#IPH$LR0H$ IELD$LE1P0LD$L9RH9I@E1eE1E1ZImuIELD$LP0LD$111LD$aHILD$HH)LD$uHE1E11I.IFL$LE11E1P0L$fAWAVIAUAATIUSHHH0HHtH5fHD`HHPHL(%H+cI$HP0HHH5fHD`HHHL(H+I$Hhl;HII<$HǀP;HHH=DfHL1lHHI/ HmH5eHD_HHtUHL'u.HHPLHHuLHIHHGHmLHIfH3H=RH1HHt:|$1HKHIt$HH|ImfDI,$u ID$LP0HI/IGLP01IFLP0ID$LP0HEHP0!HmLE1HIfIM9LLHŋD$1HxJHIqHHuHmuHEHP0I1HHIIFLP0IELP0I$HPHHI$IT$H\$LR0HD$HEHP0f.AWAVAUATIUSH(HH=PHILHH+HLHI1LHD$]HHLD$H HILD$1L HILD$H I1LD$MLLD$pLHD$cLHD$VHL$HT$H== H1+LD$l@E11MtI$HSHI$tH([]A\A]A^A_fDIT$HD$LR0HD$H([]A\A]A^A_@E1E1E11E11IMHQHIUHtH HQHHMtIHQHI HtHuHVHHUMtIHQHIMI7HVHI IWHD$LR0HD$@E1E11CHSLD$HHD$R0LD$HD$JDHUHD$HR0HD$^IVHD$LR0HD$VIULD$LHD$R0LD$HD$DIPHD$LR0HD$E1E1E111~fDHGHH=F3HpH(1[]A\A]A^A_ fE1E1E118E11.fDATIUSHo1HHuNfHH9tH L9u[]A\HfDHi'"H5H8 []1A\HGH5bB[]HPH&"A\H81HGHtHx(HtfH&"H@AWH #AVAUIHHH]2ATUSH(dH%(HD$1LD$D$to1>HHt`IEHtyH &"H5E11H81 HmHt H+MtI,$t&1HL$dH3 %(1H([]A\A]A^A_ÐID$LP0HxHHk|$H5KHDHILHH H+F1LHH|$H57JHDHIHH H+8IEHB$A HxxH HH|$H5QKH9DHIHHB HHPHHHHSHl$HR0HD$IE1HHIVIFLP0GHEHP0@HCHP0?E11fDL3HHtHpH=FJ1yHI|$1HOCHIHHX I,$HE1 HHD$2IL;t$ LHIċD$1LxBHIt2HH uYI,$uID$LP0HLE1I.HCHP0ID$LP0EIE1HHIIGLP0HCHP0IEE1HHIEIELP0f.AWIAVAUATUSH8HH=HX HHIeH%""H5E1H81)E1E1E1E1E11HD$Mt ImHt HmMt I)Mt I,$ MtI.tEMtI/tZMtI+toHtH+ttHD$H8[]A\A]A^A_E1_IFL\$LP0L\$f.IGL\$LP0L\$f.ICLP0HCHP0}IEL\$LLL$P0L\$LL$DHEL\$HLL$P0L\$LL$DIAL\$LP0L\$ID$L\$LP0L\$fDH HHHD$1HHLT$0HE1 H=vH1 LT$I1LLL$LT$XHILT$LL$HHILT$LL$IH=$A Hx/HILT$LL$YHHLL$LT$THIHD$LT$LL$teHLT$(LL$HD$  LHD$LL$HD$LHL$HT$H=EH1 LL$L\$ LT$(HD$M I*IBL\$LLL$P0L\$LL$fDLHI?HHtHHH@H=1EH1 E1IX@HGHH=&*HpH81[]A\A]A^A_ fE1HD$+E1E1E1HD$ E1E1E1E1E1E1HD$E1E1HD$fff.HGHx0 S11HH=<$=$HtHX[HH HKHtHHz"H5HD$H:&HD$ffffff.UHH0H5DS1HdH%(HD$1HH$7t*H<$HHH<$t6yHHtAHHT$dH3%(HuCH[]CH4$H=C1hi$HH"H5H8Ufffff.HG HtH*HtHHi$1HHJ"H5H81HHtHHtHHh$1HH"H5[H81ATHUHSH dH%(HD$1 HI1HHHT$H5B1HHu1HP1HHHL$dH3 %(H []A\fHHHLHPHh H|$HIHHLt}XH+HHuH"H5KH81e@HEH%HCHP0qHSHD$HR0HD$(H+t%113g$fDHCHP0cHCHP0ffffff.AWIAVAAUATUHSHtH=e;D$ $PHI#HHE6H=1AZLHH)LyHIHx4L1HIcE1AHHI~-IcHHLHHAOALcM9HLHHH@HE1H;-e"tH=L1}HHPHHtnHtHEHPHHUth|$ LH[]A\A]A^A_DH L`LHHH=1E1DHCHP0@HEHP0@H5z?HE1~HIEHHBImI'IELP0DH=)1E11}AD;Ht|$ x1H=J5AV11AUIH=$ATUSH dH%(HD$1($HHHhHhHIHItPAU11HLHt'HIUIt$HID$t~f.LHHC=11c$H+1HL$dH3 %(H []A\A]A^fD@IUHpH蠳uIUIt$H;sIEpIt$pHHH$IExHD$IHD$D$4AA$IU(HtIt$(H诱LcLH8HHCHP0\fff.AVIAUATUSH?HHtIH/HIHHHHH1H:t HH<u@HHL#1I<$Hu!L@HHHHII.HtH/t'1L1[]A\A]A^fHGP0@HGP0HEHP0[]A\A]A^H"H5H8B1L81L'XfSL>$HH .#HHHH|;dH%(HD$1I¸tH$H{Hp9HL$dH3 %(uH[kff.U11HH=#SH#HHt+HxHHx HH[]ÐH+uHCP0H1[H]U11HH=A#SHn#HHt+HxHbDHx HH[]ÐH+uHCP0H1[H]AV11AUIH=>#ATUSl#HHtYHhH@HIHItLHHt6LHHC11a_$H+t[[]A\A]1A^IUIt$H華uIU It$ H*uLcLHH[]A\A]A^HCHP0fff.U11HH=Q#SH~#HHtFHxH2HHCtHH[]H=#1^$H+u HCHP01HH[]fff.U11HH=Q#SH~#HHt=HxH"uHH[]@1H=^$H+u HCHP01HH[]DAWH '#AVAUATIHHHUSHHdH%(HD$81LD$D$11HHID$HxHH|$H5+HA0HIUHHJH+PIc|$ HHtf|$H57H/HIHHH+ID$Hx?H{HcHE1E11Hmu HEHP0Ht H+MtImtlMtI,$uID$LP0D1HL$8dH3 %(HH[]A\A]A^A_IE1E1HHIwIFLP0hIELP0@HCHP0iE1E1=I|$HHHL$H?H5H1HItHE1HI~LLIeHHM9uImHHPHHHHl$HSHR0HD$|$H551.HHmHH"dH+PHCHE1E11P0AI|$HKHHL$HCH5H1HIHE1HILLIaHHM9uI|$HHHL$HH5H1HI:HE1?HILLIHH M9uzI|$HHH%L$HIH5 H1HIHE1HI!LLIgHHM9u|$H5241P,HHHHY7It$H=D 1HIr11HHHI,$u ID$LP0D$Hލx9/HIH1HI~HLHHHL9uIEHPHHIU6Hl$IULR0HD$|$H5.31Y+HHHHb@It$H=M1HI{11H,HH I,$u ID$LP0D$HލxB.HIH1HI$HLHHHL9u@|$H5".1*HHHHmIt$H|$ HH|$ 8yt$0H|$(H 0"HIzHE1HIffIM9WLLHËD$1Hڍx)HIHHH+uHCHP0룋|$H5m11)HHHHxIt$H=1OHI11H+HHCI,$u ID$LP0D$Hލxz,HIH14HI\HLHHHL9u8H}HCHP0HCHP0IELP0AIt$H=1sHI11HHHtkI,$u ID$LP0D$Hލx+HIt:H1`HIHLHHH*L9udE1`E1DSE11II.uIFLE11P0/H8"H5E1E11H8 @UH=y/SHHHt0H5j/HGHHtOHPH;"tbH(tH+tH[]HR0H+uHCHH@0H[]fH+uHCHH@0H[]HH HHT$HPHT$HPHS$HPH@ HmHS$HS$ H+u HCHP0H=,\1pH"H5"#H='\1AHS$HH1HHRS$HH=1$$H=1$.H0$H0$HpHH=$H=$.H$H$HpHH=$VH=$.Hx$sHl$HpH@H=$dH=$.H$3H$HpHH=Y$$H=]$.H8$H,$HpHH=$H=$.Hx$Hl$HpHH=y$VH=}$.HX$sHL$HpH@H=Y $dH=] $.H8 $3H, $HpHH= $$H= $.Hx $Hl $HpHH=&$H=&$.H&$H&$HpHH=$VH=$.H$sH$HpH@H=$$dH=$$.Hx$$3Hl$$HpHH=#$H=#.H#H#HpHH=#H=#.H#H#HpHH=9"$VH=="$.H"$sH "$HpH@H=0$dH=0$.Hx0$3Hl0$HpHH=.$$H=.$.H.$H.$HpHH=#H=#.H#H#HpHH=9#VH==#.H#sH #HpH@H=#dH=#.H#3H#HpHH=y#$H=}#.HX#HL#HpHH=9*$H==*$.H*$H *$HpHH=Y($VH=]($.H8($sH,($HpH@H=y&$dH=}&$.HX&$3HL&$HpHH=#$H=#.H#H#HpHH=#H=#.Hx#Hl#HpHH=#VH=#.H#sH#HpH@H=Y#dH=]#.H8#3H,#HpHH=#$H=#.H#H#HpHH=#H=#.H#H#HpHH=#VH=#.H#sH#HpH@H=#dH=#.Hx#3Hl#HpHH=#$H=#.H#H#HpHH=#H=#.H#H#HpHH="$VH="$.H!$sH!$HpH@H=y#1"H5V%HH HHH52%HHtvHHHA!H %H5H81[[]fDHmt0H+HCHH@0H[]@HEHP0HEHP0H5$HYKHH5$HHHH5$HKHtTH.HHt!H m$H5FH81AZ[]HHHF!H5!H81][]H5+$1HH!HH5 $HHtUHHH!H #H5H81AX[]6HnHH!H5H81A[[]H5#H HHH5}#H#HtTHHHL!H W#H5H81[[]HHH!H5H81AY[]zH5#HxHHH5"HHtTHqHH!H "H5H81AZ[] HCHH!H5dH81][]H5"HHaHH5k"HHtUHHH"!H E"H5H81AX[]vHHH!H5H81A[[]OH5"H[MHHH5!HcHtTHFHH!H !H5^H81[[]HHH_!H5:H81AY[]H5}!HH6HH5W!HHtTHHH!H 1!H5H81AZ[]KHHH!H5H81][]%H5 H1#HHH5 H9HtUHHHb!H H54H81AX[]HHH4!H5H81A[[]H5d HH HH5I HHtTHHH!H # H5H81[[]!HYHH!H5zH81AY[]H5HHvHH5HHtTHHH7!H H5 H81AZ[]HHH !H5H81][]eH5T HqcHHH57HyHtUH\HH!H H5tH81AX[]H.HHt!H5OH81A[[]H5HHKHH5HHtTHHH !H H5H81[[]aHHH!H5 H81AY[]:H5EHF8HHH52HNHtTH1HHw!H H5IH81AZ[]HHHI!H5$ H81][]H51HH$HH5HHtUHHH!H H5H81AX[]9HqHH!H5 H81A[[]H5JHHHH5.H&HtTH HHO!H H5!H81[[]HHH"!H5 H81AY[]}H5H{HHH5HHtTHtHH!H H5H81AZ[]HFHH!H5g H81][]H5HHHdHH5*HHtUHHH%!H H5H81AX[]yHHH!H5 H81A[[]RH5H^PHHH5HfHtTHIHH!H H5aH81[[]HHHb!H5= H81AY[]H5AHH9HH5+HHtTHHH!H H5H81AZ[]NHHH!H5 H81][](H5H4&HHH5HHHH5%HTHtTH7HH}!H H5OH81AZ[]H HHO!H5*H81][]H5HH'HH5HHtUHHH!H H5H81AX[]HQHtUH4HHz!H H5LH81AX[]οHHHL!H5'H81A[[]駿H5H賭H#HH5H軸HtTH螵HH!H H5H81[[]9HqHH!H5H81AY[]H5Y1H!H葿HH5@H)HtTH HHR!H H5$H81AZ[]馾H޴HH$!H5H81][]逾H5H茬~HHH5H蔷HtUHwHH!H H5H81AX[]HIHH!H5jH81A[[]H5UHHfHH5HHtTHHH'!H nH5H81[[]|H贳HH!H5H81AY[]UH5,HaSHѽHH5&HiHtTHLHH!H H5dH81AZ[]HHHd!H5?H81][]H5@H̪HHtTH!HHg!H H59H81[[]鼻HHH:!H5H81AY[]镻H5H衩HHH5H詴HtTH茱HH!H H5H81AZ[]&H^HH!H5H81][]H5mH H|HH5_HHtUHHH=!H 9H5H81AX[]鑺HɰHH!H5H81A[[]jH5HvhHHH5H~HtTHaHH!H H5yH81[[]H4HHz!H5UH81AY[]չH5HHQHH5qHHtTH̯HH!H KH5H81AZ[]fH螯HH!H5H81][]@H5 HL>H輹HH5HTHtUH7HH}!H oH5OH81AX[]ѸH HHO!H5*H81A[[]骸H5,H趦H&HH5֎H辱HtTH衮HH!H H5H81[[]HtTH!HHg!H H59H81[[]鼴HHH:!H5H81AY[]镴H5H衢HHH5H詭HtTH茪HH!H aH5H81AZ[]&H^HH!H5H81][]H5H H|HH5HHtUHHH=!H H5H81AX[]鑳HɩHH!H5H81A[[]jH5 HvhHHH5H~HtTHaHH!H qH5yH81[[]H4HHz!H5UH81AY[]ղH5/@HӹHQHH5HHtTH̨HH!H H5H81AZ[]fH螨HH!H5H81][]@H5HL>H輲HH5HTHtUH7HH}!H ~H5OH81AX[]ѱH HHO!H5*H81A[[]骱H5;H趟詭HH $蔭HIH ${L $H H51HeTL [ $L\ $H H5HQe#L * $L+ $H H5H eL $L $H SH5HdL $L $H "H5uHdL $L $H H5bHd_L f $Lg $H H5YH\d.L 5 $L6 $H H5H+dL  $L $H ^H5 Hc̶L $L $H -H5 Hc蜫HH $臫HIH $nL $H H5yHrcDL [ $L\ $H wH5VHAcL * $L+ $H FH54HcL $L $H H5HbL $L $H H5HbL $L $H H5H}bOL f $Lg $H H5HLbL 5 $L6 $H QH5HbL  $L $H H5c Ha轩HH$訩HIH$L$H "H5 1HahL $L$H H5 Hea7L n$Lo$H H5H4aL =$L>$H H5HaճL $L $H aH5H`L $L$H 0H5H`sL $L$H H5aHp`BL y$Lz$H H5BH?`L H$LI$H H5(H`L $L$H lH5 H_L $L$H ;H5 H_~L $L$H H5 H{_ML $L$H H5 HJ_L S$LT$H H5 H_L "$L#$H wH5xH^L $L$H FH5]H^L $L$H H5AH^XL $L$H H5HU^'L ^$L_$H H5 H$^L -$L.$H H5!H]ŰL $L$H QH50H]L $L$H H51H]cL $L$H H52H`]2L i$Lj$H H5t3H/]L 8$L9$H H5X@H\ЯL $L$H \H5;AH\L $L$H +H5BH\nL $L$H H5CHk\=L t$Lu$H H5DH:\ L C$LD$H H5EH \ۮL $L$H gH5FH[L $L$H 6H5GH[yL $L$H H5Hv[HL $L$H H5_HE[L N$LO$H H5:H[L $L$H rH5HZL $L$H AH5HZL $L$H H5HZSL $L$H H5HPZ"L Y$LZ$H H5HZL ($L)$H }H5h HYL $L$H LH5G!HYL $L$H H5""HY^L $L$H H5#H[Y-L d$Le$H H5$H*YL 3$L4$H H5%HX˫L $L$H WH50HXL #L#H &H5z1HXiL #L#H H5Z2HfX8L o#Lp#H H563H5XL >#L?#H H54HX֪L #L#H bH55HWL #L#H 1H56HWtL #L#H H5@HqWCL z#L{#H H5AH@WL I#LJ#H H5nBHWL #L#H mH5JCHVL #L#H <H5&DHVL #L#H H5 EH|VNL #L#H H5PHKVL T#LU#H H5QHVL ##L$#H xH5RHUL #L#H GH5SHUL #L#H H5\HUYL #L#H H53HVU(L _#L`#H H5H%UL .#L/#H H5HTƧL #L#H RH5HTL #L#H !H5HTdL #L#H H5 HaT3L j#Lk#H H5c!H0TL 9#L:#H H5A"HSѦL #L #H ]H5'0HSL #L#H ,H51HSoL #L#H H52HlS>L u#Lv#H H5@H;S L D#LE#H H5AH SܥL #L#H hH5BHRL #L#H 7H5yPHRzL #L#H H5SQHwRIL #L#H H52RHFRL O#LP#H H5`HRL #L#H sH5aHQL #L#H BH5bHQL #L#H H5pHQTL #L#H H5qHQQ#L Z#L[#H H5rrH QL )#L*#H ~H5YUHPL #L#H MH53VHPL #L#H H5WHP_L #L#H H5H\P.L e#Lf#H H5H+PL 4#L5#H H5HO̢L #L#H XH5HOL #L#H 'H5mHOjL #L#H H5QHgO9L p#Lq#H H51H6OL ?#L@#H H5HOסL #L#H cH5HNL #L#H 2H5HNuL #L#H H5HrNDL {#L|#H H5HANL J#LK#H H5o HNL #L#H nH5P HML #L#H =H53!HML #L#H H5!H}MOL #L#H H5"HLML U#LV#H H5"HML $#L%#H yH5#HLL #L#H HH5#HLL #L#H H5g$HLZL #L#H H5L$HWL)L `#La#H H53%H&LL /#L0#H H5%HKǞL #L#H SH50HKL #L#H "H51HKeL #L#H H52HbK4L k#Ll#H H53H1KL :#L;#H H5g4HKҝL #L #H ^H5J5HJL #L#H -H5)@HJpL #L#H H5 AHmJ?L v#Lw#H H5BHHEL #L#H oH5'HDL #L#H >H5 HDL #L#H H5H~DPL #L#H H5HMDL V#LW#H H5HDL %#L&#H zH5HCL #L#H IH5HCL #L#H H5hHC[L #L#H H5PHXC*L a#Lb#H H54H'CL 0#L1#H H5HBȕL #L#H TH5HBL #L#H #H5HBfL #L#H H5HcB5L l#Lm#H H5H2BL ;#L<#H H5HBӔL #L #H _H5HAL #L#H .H5mHAqL #L#H H5HnA@L w#Lx#H H5&H=AL F#LG#H H5yH AޓL #L#H jH5pH@L #L#H 9H5H@|L #L#H H5Hy@KL #L#H H5gHH@L Q#LR#H H5BH@L #L!#H uH5&H?L #L#H DH5H?L #L#H H5H?VL #L#H H5HS?%L \#L]#H H5H"?L +#L,#H H5H>ÑL #L#H OH5rH>L #L#H H5SH>aL #L#H H54 H^>0L g#Lh#H H5 H->L 6#L7#H H5H=ΐL #L#H ZH5H=L #L#H )H5 H=lL #L#H H50Hi=;L r#Ls#H H51H8= L A#LB#H H5m2H=ُL #L#H eH5L3H<L #L#H 4H5,4H<wL #L#H H5 5Ht<FL }#L~#H H56HC<L L#LM#H H5@H<L #L#H pH5@H;L #L#H ?H5AH;L #L#H H5nBH;QL #L#H H5LPHN; L W#LX#H H5,QH;L &#L'#H {H5RH:L #L#H JH5`H:L #L#H H5aH:\L #L#H H5bHY:+L b#Lc#H H5cH(:L 1#L2#H H5dH9ɌL #L#H UH5beH9L #L#H $H5BpH9gL #L#H H5Hd96L m#Ln#H H5H39L <#L=#H H5H9ԋL #L #H `H5H8L #L#H /H5H8rL #L#H H5qHo8AL x#Ly#H ͿH5PH>8L G#LH#H H54H 8ߊL #L#H kH5H7L #L#H :H5H7}L #L#H H5PHz7LL #L#H ؾH5QHI7L R#LS#H H5RH7L !#L"#H vH5zSH6L #L#H EH5ZTH6L #L#H H5BUH6WL #L#H H5&VHT6&L ]#L^#H H5WH#6L ,#L-#H H5PH5ĈL #L#H PH5QH5L #L#H H5RH5bL #L#H H5SH_51L h#Li#H H5tTH.5L 7#L8#H H5XUH4χL #L#H [H58VH4L #L#H *H5!WH4mL #L#H H5 Hj4#vL 7#L8#H H5[H #uL #L#H fH5FH"uL #L#H 5H50H"}uL #L#H H5@Hz"LuL s#Lt#H ӻH5HI"ujHHb#ujHIHB#tL=#H H51H!tL #L#H H5H!tL #L#H fH5H!etL #L#H 5H5_Hb!4tL {#L|#H H5:H1!tL J#LK#H ӿH5H!sL #L#H H5H sL #L#H qH5пH psL #L#H @H5Hm ?sL #L#H H5 H< sL U#LV#H ޾H5v H rL $#L%#H H5U HrL #L#H |H54 H{rL #L#H KH5 HxJrL #L#H H5HGrL `#La#H H5]HqL /#L0#H H5HqL #L#H H5]HqL #L#H VH5]HUqL #L#H %H5]HR$qL k#Ll#H H5]H!pL :#L;#H üH5]HpL #L #H H5]HpL #L#H aH5]H`pL #L#H 0H55H]/pL v#Lw#H H5H,oL E#LF#H λH5HoL #L#H H5ݼHoL #L#H lH5\HkoL #L#H ;H5Hh:oL #L#H H5H7 oL P#LQ#H ٺH5oHnL #L #H H5\ HnL #L#H wH5)!HvnL #L#H FH5"HsEnL #L#H H5#HBnL [#L\#H H5v[$HmL *#L+#H H5e[%HmL #L#H H5\[&HmL #L#H QH5S['H~PmL #L#H H5R[(HMmL f#Lg#H H5)HlL 5#L6#H H5ۺ*HlL #L#H H5ú+HlL #L#H \H5,H[lL #L#H +H5-HX*lL q#Lr#H H5TZ.H'kL @#LA#H ɷH5P/HkL #L#H H580HkL ޿#L߿#H gH51HfkL #L#H 6H52Hc5kL |#L}#H H5ݹ3H2kL K#LL#H ԶH54HjL #L#H H55HjL #L#H rH56HqjL #L#H AH5z7Hn@jL #L#H H5_8H=jL V#LW#H ߵH5D9H iL %#L&#H H5%:HiL #L#H }H5;H|iL ý#LĽ#H LH5W<HyKiL #L#H H5W=HHiL a#Lb#H H5W>HhL 0#L1#H H5X?HhL #L#H H5E@HhL μ#Lϼ#H WH5AWAHVhL #L#H &H58WBHS%hL l#Lm#H H5/WCH"gL ;#L<#H ijH5WDHgL #L #H H5 WEHgL ٻ#Lڻ#H bH5WFHagL #L#H 1H5VGH^0gL w#Lx#H H5VHH-fL F#LG#H ϲH5VIHfL #L#H H5VJHfL #L#H mH5GKHlfL #L#H <H5VLHi;fL #L#H H5VMH8 fL Q#LR#H ڱH5VNHeL #L!#H H5VOHeL #L#H xH5nPHweL #L#H GH5YQHtFeL #L#H H5VRHCeL \#L]#H H5SHdL +#L,#H H5THdL #L#H H5UUHdL ɸ#Lʸ#H RH5VHQdL #L#H !H5WHN dL g#Lh#H H5:UXHcL 6#L7#H H5^YHcL #L#H H5UZHcL Է#Lշ#H ]H5[H\cL #L#H ,H5\HY+cL r#Ls#H H5]H(bL A#LB#H ʮH5س^HbL #L#H H5_HbL ߶#L#H hH5`HgbL #L#H 7H5aHd6bL }#L~#H H5{bH3bL L#LM#H խH5^cHaL #L#H H5BdHaL #L#H sH5 eHraL #L#H BH5fHoAaL #L#H H5gH>aL W#LX#H H5ղhH `L &#L'#H H5iH `L #L#H ~H5jH }`L Ĵ#LŴ#H MH5kHz L`L #L#H H5ulHI `L b#Lc#H H5}QmH _L 1#L2#H H51nH _L #L#H H5CQoH _L ϳ#Lг#H XH5pH W_L #L#H 'H5 QqHT &_L m#Ln#H H5rH# ^L <#L=#H ŪH5PsH ^L #L #H H5PtH ^L ڲ#L۲#H cH5PuH b^L #L#H 2H5PvH_ 1^L x#Ly#H H5PwH. ^L G#LH#H ЩH5PxH ]L #L#H H5PyH ]L #L#H nH5PzH m]L #L#H =H5P{Hj <]L #L#H H5ׯ|H9  ]L R#LS#H ۨH5P}H \L !#L"#H H5P~H \L #L#H yH5aH x\L #L#H HH5jPHu G\L #L#H H5aPHD \L ]#L^#H H5H [L ,#L-#H H5'PH[L #L#H H5H[L ʯ#L˯#H SH5HR[L #L#H "H5hHO![L h#Li#H H5RHZL 7#L8#H H5ZOHZL #L#H H5QOHZL ծ#L֮#H ^H5ڭH]ZL #L#H -H5OHZ,ZL s#Lt#H H5OH)YL B#LC#H ˥H5NHYL #L#H H5NHYL #L#H iH5NHhYL #L#H 8H5NHe7YL ~#L#H H5NH4YL M#LN#H ֤H5NHXL #L#H H5NHXL #L#H tH5NHsXL #L#H CH5NHpBXL #L#H H5NH?XL X#LY#H H5{HWL '#L(#H H5aHWL #L#H H5KH~WL ū#Lƫ#H NH5NH{MWL #L#H H5MHJWL c#Ld#H H5MHVL 2#L3#H H5NHVL #L#H H5 NHVL Ъ#LѪ#H YH5NHXVL #L#H (H5NHU'VL n#Lo#H H5 NH$UL =#L>#H ơH5HUL #L #H H5MHUL ۩#Lܩ#H dH5gHcUL #L#H 3H5TH`2UL y#Lz#H H5tMH/UL H#LI#H ѠH5cMHTL #L#H H5ިHTL #L#H oH5ŨHnTL #L#H >H5Hk=TL #L#H H5H: TL S#LT#H ܟH5}H SL "#L##H H5gHSL #L#H zH54LHySL #L#H IH5HvHSL #L#H H5KHESL ^#L_#H H5էHRL -#L.#H H5KHRL #L#H H5KHRL ˦#L̦#H TH5_HSRL #L#H #H5HHP"RL i#Lj#H H5LKHQL 8#L9#H H5HQL #L#H H5HQL ֥#Lץ#H _H5ŦH^QL #L#H .H5H[-QL t#Lu#H H5H*PL C#LD#H ̜H5nHPL #L#H H5QHPL #L#H jH5IHiPL #L#H 9H5 Hf8PL #L#H H5H5PL N#LO#H כH5ȥHOL #L#H H5XIHOL #L#H uH5WIHtOL #L#H DH5VIHqCOL #L#H H5H@OL Y#LZ#H H5HNL (#L)#H H5HNL #L#H H5HHNL Ƣ#LǢ#H OH5HH|NNL #L#H H5HHKNL d#Le#H H5HHML 3#L4#H H5HHML #L#H H5HHML ѡ#Lҡ#H ZH5|HHYML #L#H )H5kHHV(ML o#Lp#H H5ZHH%LL >#L?#H ǘH5IHHLL #L#H H5HLL ܠ#Lݠ#H eH5ʢHdLL #L#H 4H5Ha3LL z#L{#H H5H0LL I#LJ#H җH5HKL #L#H H5nHKL #L#H pH5WHoKL #L#H ?H5@Hl>KL #L#H H5)H; KL T#LU#H ݖH5H JL ##L$#H H5HJL #L#H {H5HzJL #Lž#H JH5͡HwIJL #L#H H5EHFJL _#L`#H H5EHIL .#L/#H H5EHIL #L#H H5EHIL ̝#L͝#H UH5wEHTIL #L#H $H5fEHQ#IL j#Lk#H H5UEH HL 9#L:#H ”H5DEHHL #L #H H53EHHL ל#L؜#H `H5"EH_HL #L#H /H5EH\.HL u#Lv#H H5EH+GL D#LE#H ͓H5DHGL #L#H H5DHGL #L#H kH5DHjGL #L#H :H5DHg9GL #L#H H5DH6GL O#LP#H ؒH5DHFL #L#H H5DHFL #L#H vH5xDHuFL #L#H EH5HrDFL #L#H H5˝HAFL Z#L[#H H5HEL )#L*#H H5HEL #L#H H5HEL Ǚ#Lș#H PH5oH}OEL #L#H H5XHLEL e#Lf#H H5AHDL 4#L5#H H5*HDL #L#H H5HDL Ҙ#LӘ#H [H5HZDL #L#H *H5HW)DL p#Lq#H H5ΜH&CL ?#L@#H ȏH5HCL #L#H H5HCL ݗ#Lޗ#H fH5HeCL #L#H 5H5rHb4CL {#L|#H H5[H1CL J#LK#H ӎH5@HBL #L#H H5HBL #L#H qH5HpBL #L#H @H5ߛHm?BL #L#H H5ɛH<BL U#LV#H ލH5 H AL $#L%#H H5 HAL #L#H |H5{ H{AL •#LÕ#H KH5f HxJAL #L#H H5L HGAL `#La#H H5+?H@L /#L0#H H5H@L #L#H H5H@L ͔#LΔ#H VH5КHU@L #L#H %H5>HR$@L k#Ll#H H5~>H!?L :#L;#H ËH5>H?L #L #H H5>H?L ؓ#Lٓ#H aH5>H`?L #L#H 0H5z>H]/?L v#Lw#H H5q>H,>L E#LF#H ΊH5h>H>L #L#H H5_>H>L #L#H lH5V>Hk>L #L#H ;H5͘Hh:>L #L#H H5H7 >L P#LQ#H ىH5=H=L #L #H H5=H=L #L#H wH5< Hv=L #L#H FH5$!HsE=L #L#H H5 "HB=L [#L\#H H5#H!H RH5H81AX[]0HJ&HH>!H5kVH81A[[]/H5R1H6Hj0HH5RH)HtTH%HH+>!H jRH5 H81[[]/H%HH=!H5UH81AY[]Y/H5(RHeW6H/HH5RHm(HtTHP%HH=!H QH5h H81AZ[].H"%HHh=!H5CUH81][].H5QH5H@/HH5QH'HtUH$HH=!H uQH5 H81AX[]U.H$HH(%d least significant bits unused)not enough memory to copy buffer of size %zd into SecItemdata must be SecItem or buffer compatibleUnsupported representation kind (%d)KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATIONDigital Signature or Non-RepudiationKU_KEY_AGREEMENT_OR_ENCIPHERMENTKey Agreement or Data EnciphermentNS_CERT_TYPE_OBJECT_SIGNING_CAEXT_KEY_USAGE_STATUS_RESPONDERcertificateUsageSSLServerWithStepUpcertificateUsageEmailRecipientcertificateUsageUserCertImportcertificateUsageProtectedObjectSignercertificateUsageStatusResponderfailed to convert oid string "%s" to SECItemcould not convert "%s" to OID tagoid must be a string, an integer, or a SecItem, not %.200sGeneralName type name not found: %uPKCS12 cipher name not found: %ldThe manufacturer_id attribute value must be a string or unicodeThe library_description attribute value must be a string or unicodeThe crypto_token_description attribute value must be a string or unicodeThe db_token_description attribute value must be a string or unicodeThe fips_token_description attribute value must be a string or unicodeThe crypto_slot_description attribute value must be a string or unicodeThe db_slot_description attribute value must be a string or unicodeThe fips_slot_description attribute value must be a string or unicodePKCS12 cipher name not found: %sGeneralName type name not found: %sS:pk11_attribute_type_from_nameattribute type name not found: %luS:key_mechanism_type_from_namecert distnames must be a list or tupleitem must be a %s containing a DistNamecannot decode trust string '%s'unable to convert "%s" to known OIDAVA value must be a string, not %.200scould not create AVA, oid tag = %d, value = "%s"cannot convert AVA type to OID stringunable to escape AVA value stringmust be an RDN object or list or tuple of RDN objects, not %.200sto many RDN items, maximum is %d, received %zditem %zd must be an RDN object, not %.200sCRL Distribution Points: [%zd total]Authority Information Access: [%zd total]lookup dict already contains %s_AddIntConstantWithLookup() needs module as first argmodule '%s' already contains %sPKCS12_default_nickname_collision_callback: CERT_MakeCANickname() returned existing nickname failed to find certs for nickname = "%s"no certs with keys for nickname = "%s"export context creation failedPKCS12 add password integrity failedkey or cert safe creation failedcannot create thread local data dictcannot store thread local data dictcannot store object in thread local data dictFailed to enable %s (%lx) pkcs12 cipherFailed to %s %s (%lx) pkcs12 cipherno line ending after PEM BEGINkkO!|O&:create_context_by_sym_keyunable to create PK11Context objectunable to determine resulting hash length for hash_alg = %sinvalid hexadecimal string beginning at offset %td "%s"byte count must be non-negativewhen '%.50s' object has key_type=%s there is no attribute 'dsa'when '%.50s' object has key_type=%s there is no attribute 'rsa'must be a string or None, not %.200sAccessing non-existent segmentmalformed raw ascii string bufferSecItem indices must be integers, not %.200sCannot delete the public_exponent attributepublic_exponent must be a integer, not %.200sCannot delete the key_size attributekey_size must be a integer, not %.200sCannot delete the min_password_len attributeThe min_password_len attribute value must be an integermalformed raw ASN.1 BMP string bufferpassword_required=%s, min_password_len=%s, manufacturer_id=%s, library_description=%s, crypto_token_description=%s, db_token_description=%s, fips_token_description=%s, crypto_slot_description=%s, db_slot_description=%s, fips_slot_description=%sraw ASN.1 BMP string length must be multiple of 2malformed raw ASN.1 Universal string bufferraw ASN.1 Universal string length must be multiple of 4O!|iiz:der_universal_secitem_fmt_linesCertVerifyLog index out of rangemust be int, float or None, not %.50sFailed to convert AVA value to stringcannot decode Authority Access Info extensioncannot decode Basic ConstraintsPKCS12 nickname collision callback undefined PKCS12 nickname collision callback: out of memory exception in PKCS12 nickname collision callback Error, PKCS12 nickname collision callback expected tuple result with 2 values. Error, PKCS12 nickname collision callback expected 1st returned item to be string or None. Error, PKCS12 nickname collision callback expected 2nd returned item to be boolean. Error, shutdown callback expected args to be tuple shutdown callback: out of memory exception in shutdown callback Error, shutdown callback expected int result, not %.50s PKCS12 decode validate bags failedPKCS12 decode import bags failedCannot delete the password_required attributeThe password_required attribute value must be a boolean|O!:disable_ocsp_default_responder|O!:enable_ocsp_default_responderO:pkcs12_set_nickname_collision_callbackli:pkcs12_set_preferred_cipherBad file, must be pathname or file like object with read() methoddata must be SecItem, buffer compatible or NoneCERT_GetCertificateRequestExtensions failed%s must be a string, not %.200sline_fmt_tuples[%zd] must be a tuple, not %.200sline_fmt_tuples[%zd] tuple must have 1-3 items, not %zd itemsitem[0] in the tuple at line_fmt_tuples[%zd] list must be an integer, not %.200sitem[0] in the tuple at line_fmt_tuples[%zd] list must be a non-negative integer, not %lditem[1] in the tuple at line_fmt_tuples[%zd] list must be a string, not %.200sitem[2] in the tuple at line_fmt_tuples[%zd] list must be a string, not %.200sO!OO:set_ocsp_default_responderto many AVA items, maximum is %d, received %zditem %zd must be an AVA object, not %.200sInvalid mask generation algorithm parameterspassword conversion to UCS2 failedprime must be SecItem or buffer compatiblesubprime must be SecItem or buffer compatiblebase must be SecItem or buffer compatibleprime, subprime and base must all be provided or none of them provided, not a mixcannot decode DER encoded signed datakey_params for %s mechanism must be %.50s, not %.50sno extension with OID %s foundCertAttribute index out of rangeindices must be integers or strings, not %.200sSigned Extensions: (%zd total)ID: %s, Serial Number: %s, Issuer: [%s]GeneralName index out of rangeunknown distribution point type (%d), expected generalName or relativeDistinguishedNameRelative Distinguished Name: %sunable to create PK11Slot objectPK11 password callback undefined Error, PK11 password callback expected args to be tuple PK11 password callback: out of memory exception in PK11 password callback Error, PK11 password callback expected string result or None. Failed to parse CRL Distribution Point ExtensioncertUsageProtectedObjectSignercertificateUsageCheckAllUsagescrlEntryReasonAffiliationChangedcrlEntryReasonCessationOfOperationcrlEntryReasoncertificatedHoldcrlEntryReasonPrivilegeWithdrawnCKM_WTLS_MASTER_KEY_DERIVE_DH_ECCCKM_WTLS_SERVER_KEY_AND_MAC_DERIVECKM_WTLS_CLIENT_KEY_AND_MAC_DERIVECKA_HASH_OF_SUBJECT_PUBLIC_KEYSEC_OID_ISO_SHA_WITH_RSA_SIGNATURESEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTIONSEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTIONSEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTIONSEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTIONSEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBCSEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBCSEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBCSEC_OID_PKCS7_SIGNED_ENVELOPED_DATASEC_OID_PKCS9_UNSTRUCTURED_NAMESEC_OID_PKCS9_COUNTER_SIGNATURESEC_OID_PKCS9_CHALLENGE_PASSWORDSEC_OID_PKCS9_UNSTRUCTURED_ADDRESSSEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTESSEC_OID_PKCS9_SMIME_CAPABILITIESSEC_OID_AVA_ORGANIZATIONAL_UNIT_NAMESEC_OID_NS_CERT_EXT_NETSCAPE_OKSEC_OID_NS_CERT_EXT_ISSUER_LOGOSEC_OID_NS_CERT_EXT_SUBJECT_LOGOSEC_OID_NS_CERT_EXT_REVOCATION_URLSEC_OID_NS_CERT_EXT_CA_REVOCATION_URLSEC_OID_NS_CERT_EXT_CA_CRL_URLSEC_OID_NS_CERT_EXT_CA_CERT_URLSEC_OID_NS_CERT_EXT_CERT_RENEWAL_URLSEC_OID_NS_CERT_EXT_CA_POLICY_URLSEC_OID_NS_CERT_EXT_HOMEPAGE_URLSEC_OID_NS_CERT_EXT_ENTITY_LOGOSEC_OID_NS_CERT_EXT_USER_PICTURESEC_OID_NS_CERT_EXT_SSL_SERVER_NAMESEC_OID_NS_CERT_EXT_LOST_PASSWORD_URLSEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIMESEC_OID_NS_KEY_USAGE_GOVT_APPROVEDSEC_OID_X509_SUBJECT_DIRECTORY_ATTRSEC_OID_X509_PRIVATE_KEY_USAGE_PERIODSEC_OID_X509_BASIC_CONSTRAINTSSEC_OID_X509_CERTIFICATE_POLICIESSEC_OID_X509_POLICY_CONSTRAINTSSEC_OID_PKCS12_PKCS8_KEY_SHROUDINGSEC_OID_PKCS12_CERT_AND_CRL_BAG_IDSEC_OID_PKCS12_X509_CERT_CRL_BAGSEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBCSEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBCSEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBCSEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DESSEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGESTSEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGESTSEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGESTSEC_OID_PKIX_CPS_POINTER_QUALIFIERSEC_OID_PKIX_USER_NOTICE_QUALIFIERSEC_OID_PKIX_OCSP_BASIC_RESPONSESEC_OID_PKIX_OCSP_ARCHIVE_CUTOFFSEC_OID_PKIX_OCSP_SERVICE_LOCATORSEC_OID_PKIX_REGCTRL_AUTHENTICATORSEC_OID_PKIX_REGCTRL_PKIPUBINFOSEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONSSEC_OID_PKIX_REGCTRL_OLD_CERT_IDSEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEYSEC_OID_PKIX_REGINFO_UTF8_PAIRSSEC_OID_PKIX_REGINFO_CERT_REQUESTSEC_OID_EXT_KEY_USAGE_SERVER_AUTHSEC_OID_EXT_KEY_USAGE_CLIENT_AUTHSEC_OID_EXT_KEY_USAGE_CODE_SIGNSEC_OID_EXT_KEY_USAGE_EMAIL_PROTECTSEC_OID_EXT_KEY_USAGE_TIME_STAMPSEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBCSEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBCSEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBCSEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBCSEC_OID_PKCS12_SAFE_CONTENTS_IDSEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_IDSEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_IDSEC_OID_PKCS12_V1_SECRET_BAG_IDSEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_IDSEC_OID_X942_DIFFIE_HELMAN_KEYSEC_OID_NETSCAPE_RECOVERY_REQUESTSEC_OID_NS_CERT_EXT_SCOPE_OF_USESEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMANSEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCESEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCESEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTIONSEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTIONSEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTIONSEC_OID_ANSIX962_EC_PUBLIC_KEYSEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURESEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGESTSEC_OID_ANSIX962_EC_PRIME192V1SEC_OID_ANSIX962_EC_PRIME192V2SEC_OID_ANSIX962_EC_PRIME192V3SEC_OID_ANSIX962_EC_PRIME239V1SEC_OID_ANSIX962_EC_PRIME239V2SEC_OID_ANSIX962_EC_PRIME239V3SEC_OID_ANSIX962_EC_PRIME256V1SEC_OID_ANSIX962_EC_C2PNB163V1SEC_OID_ANSIX962_EC_C2PNB163V2SEC_OID_ANSIX962_EC_C2PNB163V3SEC_OID_ANSIX962_EC_C2PNB176V1SEC_OID_ANSIX962_EC_C2TNB191V1SEC_OID_ANSIX962_EC_C2TNB191V2SEC_OID_ANSIX962_EC_C2TNB191V3SEC_OID_ANSIX962_EC_C2ONB191V4SEC_OID_ANSIX962_EC_C2ONB191V5SEC_OID_ANSIX962_EC_C2PNB208W1SEC_OID_ANSIX962_EC_C2TNB239V1SEC_OID_ANSIX962_EC_C2TNB239V2SEC_OID_ANSIX962_EC_C2TNB239V3SEC_OID_ANSIX962_EC_C2ONB239V4SEC_OID_ANSIX962_EC_C2ONB239V5SEC_OID_ANSIX962_EC_C2PNB272W1SEC_OID_ANSIX962_EC_C2PNB304W1SEC_OID_ANSIX962_EC_C2TNB359V1SEC_OID_ANSIX962_EC_C2PNB368W1SEC_OID_ANSIX962_EC_C2TNB431R1SEC_OID_NETSCAPE_AOLSCREENNAMESEC_OID_AVA_GENERATION_QUALIFIERSEC_OID_PKCS9_EXTENSION_REQUESTSEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGESTSEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGESTSEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURESEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURESEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURESEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURESEC_OID_X509_HOLD_INSTRUCTION_CODESEC_OID_X509_DELTA_CRL_INDICATORSEC_OID_X509_ISSUING_DISTRIBUTION_POINTSEC_OID_X509_INHIBIT_ANY_POLICYSEC_OID_X509_SUBJECT_INFO_ACCESSSEC_OID_ISO_SHA1_WITH_RSA_SIGNATUREocspMode_FailureIsVerificationFailureocspMode_FailureIsNotAVerificationFailureder_universal_secitem_fmt_linescert_general_name_type_from_namepkcs12_set_nickname_collision_callbackdisable_ocsp_default_responderreturns the certificate as a `Certificate` objectreturns the error code as an integerreturns the chain position as an integerSEC OID tag indicating what type of PKCS12 item this isboolean indicating if this is a cert with a private keysigned certificate DER data as SecItem object, or None if does not existcertificate as Certificate object, or None if does not existfriendly_name as unicode object, or None if does not existshroud algorithm id certificate as AlgorithmID object, or None if does not existboolean indicating if a password is requiredmanufacturer id (max 32 chars)certificate public info as SubjectPublicKeyInfo objectcertificate extensions as a tuple of CertificateExtension objectscertificate request attributes as a tuple of CertAttribute objectstype TAG as a enumerated constant (e.g. tag) tuple of CertificateExtension objects if type_tag == SEC_OID_PKCS9_EXTENSION_REQUEST else tuple of SecItem objectsreturns boolean, True if certificate is a certificate authority (i.e. CA)returns max path length constraint as an integerReturns the key id as a SecItemmethod TAG as a enumerated constant (e.g. tag) location as a `nss.GeneralName` objectreturns the CRL Issuer as a `GeneralName` object if defined, returns None if not definedhas_protected_authentication_pathReturns the general name as a stringReturns the general name type enumerated constantReturns the general name type enumerated constant as a stringReturns the type of the general name as a string (e.g. "URI")Returns the email address member as a string. Returns None if not found.Returns the common name member (i.e. CN) as a string. Returns None if not found.Returns the country name member (i.e. C) as a string. Returns None if not found.Returns the locality name member (i.e. L) as a string. Returns None if not found.Returns the state name member (i.e. ST) as a string. Returns None if not found.Returns the organization name member (i.e. O) as a string. Returns None if not found.Returns the organizational unit name member (i.e. OU) as a string. Returns None if not found.Returns the domain component name member (i.e. DC) as a string. Returns None if not found.Returns the certificate uid member (i.e. UID) as a string. Returns None if not found.The OID (e.g. type) of the AVA as a SecItemThe OID tag enumerated constant (i.e. SEC_OID_AVA_*) of the AVA's typeThe value of the AVA as a SecItemThe value of the AVA as a UTF-8 encoded stringcertificate not valid before this time (floating point value expressed as microseconds since the epoch, midnight January 1st 1970 UTC)certificate not valid before this time (string value expressed, UTC)certificate not valid after this time (floating point value expressed as microseconds since the epoch, midnight January 1st 1970, UTC)certificate not valid after this time (string value expressed, UTC)certificate subject as a `DN` objectcertificate issuer as a `DN` objectcertificate signature algorithmcertificate signature as SignedData objectraw certificate DER data as data buffercertificate SSL trust flags as array of strings, or None if trust is not definedcertificate email trust flags as array of strings, or None if trust is not definedcertificate object signing trust flags as array of strings, or None if trust is not definedcertificate SSL trust flags as integer bitmask, or None if not definedcertificate email trust flags as integer bitmask, or None if not definedcertificate object signing trust flags as integer bitmask, or None if not definedinteger bitmask of NS_CERT_TYPE_* flags, see `nss.cert_type_flags()`extension is critical flag (boolean)oid of extension as a enumerated constant (e.g. tag)key type (e.g. rsaKey, dsaKey, etc.) as an intRSA key as a RSAPublicKey objectoriginal der encoded ASN1 signed data as a SecItem objectsigned data as a SecItem objectsignature algorithm as a AlgorithmID objectDSA P,Q,G params as a KEYPQGParams objectkey prime value, also known as pkey subprime value, also known as qkey base value, also known as galgorithm id TAG as a enumerated constant (e.g. tag)algorithm id as string descriptionalgorithm parameters as SecItemthe SecItem type (si* constant)number of octets in SecItem buffer|iz:to_hex|O|ik:RSAGenParamsO|i:CRLDistributionPt:AuthorityInfoAccessO|i:PKCS12DecodeItemO|i:CertAttributeO|iz:cert_data_to_hexutcfromtimestamp(d)<%s object at %p>TrueFalseis_ca=%s path_len=%d%s:|i:format_linesPublic Key Algorithm(i)iO:make_line_fmt_tuplesIs CAPath Length|iz:der_to_hexmalformed ASN.1 DER data|z#i:SecItem%d (%#x)SubPrimeBaseModulusExponentPublic ValueO|O!O!O&:CertificateCERTDB_TERMINAL_RECORDTerminal RecordCERTDB_TRUSTEDTrustedCERTDB_SEND_WARNWarn When SendingCERTDB_VALID_CAValid CACERTDB_TRUSTED_CACERTDB_NS_TRUSTED_CANetscape Trusted CACERTDB_USERCERTDB_TRUSTED_CLIENT_CATrusted Client CACERTDB_GOVT_APPROVED_CAStep-upunknown bit flags %#xi|i:trust_flagsKU_DIGITAL_SIGNATUREDigital SignatureKU_NON_REPUDIATIONNon-RepudiationKU_KEY_ENCIPHERMENTKey EnciphermentKU_DATA_ENCIPHERMENTData EnciphermentKU_KEY_AGREEMENTKey AgreementKU_KEY_CERT_SIGNCertificate SigningKU_CRL_SIGNCRL SigningKU_ENCIPHER_ONLYEncipher OnlyKU_NS_GOVT_APPROVEDGovernment Approvedi|i:key_usage_flagsNS_CERT_TYPE_SSL_CLIENTSSL ClientNS_CERT_TYPE_SSL_SERVERSSL ServerNS_CERT_TYPE_EMAILEmailNS_CERT_TYPE_OBJECT_SIGNINGObject SigningNS_CERT_TYPE_RESERVEDReservedNS_CERT_TYPE_SSL_CASSL CANS_CERT_TYPE_EMAIL_CAEmail CAObject Signing CAEXT_KEY_USAGE_TIME_STAMPKey Usage TimestampKey Usage Status Responderi|i:cert_type_flagsi:nss_init_flagsNSS_INIT_READONLYRead OnlyNSS_INIT_NOCERTDBNo Certificate DatabaseNSS_INIT_NOMODDBNo Module DatabaseNSS_INIT_FORCEOPENForce OpenNSS_INIT_NOROOTINITNo Root InitNSS_INIT_OPTIMIZESPACEOptimize SpaceNSS_INIT_PK11THREADSAFEPK11 Thread SafeNSS_INIT_PK11RELOADPK11 ReloadNSS_INIT_NOPK11FINALIZENo PK11 FinalizeNSS_INIT_RESERVEDi|i:cert_usage_flagscertificateUsageSSLClientcertificateUsageSSLServerSSL Server With StepUpcertificateUsageSSLCAcertificateUsageEmailSignerEmail SignerEmail RecipientcertificateUsageObjectSignerUser Certificate ImportcertificateUsageVerifyCAVerify CAProtected Object SignercertificateUsageAnyCAAny CAOID.loweroid tag name not found: %soid tag not found: %#xunable to create objectmechanism name not found: %lu(O)utf-8S:pkcs12_cipher_from_namek:pkcs12_cipher_namePK11_DIS_NONEPK11_DIS_USER_SELECTEDPK11_DIS_COULD_NOT_INIT_TOKENPK11_DIS_TOKEN_VERIFY_FAILEDPK11_DIS_TOKEN_NOT_PRESENTk:pk11_disabled_reason_nameunknown(%#x)no reasonuser disabledcould not initialize tokencould not verify tokentoken not presentk:pk11_disabled_reason_strS:general_name_type_from_namek:general_name_type_nameS:crl_reason_from_nameCRL reason name not found: %sk:crl_reason_nameCRL reason name not found: %uattribute name not found: %sk:pk11_attribute_type_namemechanism name not found: %sk:key_mechanism_type_nameO:oid_tagO:oid_tag_nameO!O&:check_ocsp_statusO!O!lO&:verify_with_logKNO!O!lO&:verifyO!O!l:verify_now|i:is_ca_certNI|O&i:check_valid_timessO&O&:set_trust_attributesUnable to authenticate|O!:authenticatekO&i:key_genkO&O!kki:unwrap_sym_keyk:get_best_key_lengths|i:find_crl_by_nameOO:AVAunable to decode AVA value+%s=%scannot parse X500 name "%s"Point [%zd]:Info [%zd]:module '%s' has no __dict__t#:cipher_opeses#|IIO!:pkcs12_exportcert does not have a slotadd cert and key failedPKCS12 encode failedcannot get thread stateO|i:pkcs12_map_cipherli:pkcs12_enable_cipher-----BEGIN-----ENDno PEM END foundCould not base64 decodes:base64_to_binaryO!|ii:decode_der_crlO!O!siii:import_crlk:get_pad_mechanismk|O&:get_block_sizek:get_iv_lengthk:mechanism_to_algtagmechanism not found: %#lxk:algtag_to_mechanismalgtag not found: %#lxO!kkkO!:import_sym_keykt#:hash_buf ,: s|s:read_hexO!i:get_cert_nicknamesi:generate_randomO!:find_key_by_any_cert|esesesesO!k:nss_init_context|esesesesk:nss_initializees:nss_init_read_writees:nss_initRSAFortezzaDiffie HelmanKey Exchange AlgorithmElliptic CurveRSA Public KeyDSA Public KeyKey TypeOther Name (%s)Other NameRFC822 NameDNS nameX400 AddressDirectory NameEDI PartyIP AddressRegistered IDunknown type [%d]missing DER encoded OID dataunable to decode OID sequence|i:get_oid_sequenceO!|i:x509_ext_key_usage%s is uninitialized%d PKCS12 Decode ItemsItem %d|i:get_reasonsSecItem index out of rangePassword RequiredMinimum Password LengthManufacturer IDLibrary DescriptionCrypto Token DescriptionDatabase Token DescriptionFIPS Token DescriptionCrypto Slot DescriptionDatabase Slot DescriptionFIPS Slot Descriptionunknown sec ANS.1 time type[%d] %s(null)Bad type, must be SecItemFingerprint (MD5)Fingerprint (SHA1)Signature AlgorithmO|i:fingerprint_format_linesO!|i:find_crl_by_certs:find_cert_from_nicknamet#:sha512_digestt#:sha256_digestt#:sha1_digestt#:md5_digests:verify_hostnameO:has_signer_in_ca_nameskO&O!:wrap_sym_keykO&kki:derivefailed to logout of slotunable to enable slotunable to disable slotO!|i:x509_key_usageO!|i:x509_cert_type%s: %sMethodLocationO|i:get_nameO:has_keyBad type, must be AVABad type, must be RDNO!:add_rdnBad type, must be DNO!:GeneralNameO:AuthorityInfoAccessesO!:AuthKeyIDcannot decode AuthKeyIDO!:BasicConstraintsnickname_collision_callbackshutdown callback undefined O!:nss_shutdown_context|OOOOOOOOOO:InitParameterst#:digest_opO!:clone_contextO!:digest_keyI:set_ocsp_timeouti:set_ocsp_failure_modeiII:set_ocsp_cache_settings|O!:disable_ocsp_checking|O!:enable_ocsp_checkingi:set_use_pkix_for_validationcallback must be callablek:pk11_token_existsk|O&:generate_new_paramO!:param_from_algidk|O&:param_from_ivk:create_digest_contextO:oid_dotted_decimalO:oid_strO:set_password_callbackO:set_shutdown_callbackshutdown_callback_argss:nss_version_checkkO!O!:pub_wrap_sym_keyi:list_certss:find_certs_from_email_addrs:find_certs_from_nickname|O&i:get_cert_chainreadO|i:read_der_from_file|O:CertificateRequestO!|i:indented_formatlabel|ii:formatOiurlKDFCipherSaltIteration CountKey LengthKDF AlgorithmEncryptiondefault, SHA-1Hash algorithmdefault, MGF1Mask AlgorithmMask hash algorithmdefault, 20Salt lengthRaw Parameter DataOes|O&:PKCS12DecoderPKCS12 decoder start failedPKCS12 decoding failedPKCS12 decode not verifiedPKCS12 item iteration failedOOO:KEYPQGParamsCertificate (has private key)Friendly NameEncryption algorithmKey (shrouded)unknown bag typekOii:generate_key_pairO:get_extensionValues (%zd total)Value [%zd]RDN index out of rangeoid name unknown: "%s"oid unknownoid name not found: "%s"oid not foundUnknown error code %ld (%#lx)[%s] %sErrorInadequate Key UsageInadequate Cert TypeIssuerVersionSerial NumberValidityNot BeforeNot AfterSubjectSubject Public Key InfoCertificate Trust FlagsSSL FlagsEmail FlagsObject Signing Flags[%s] - [%s]Validation ErrorsCertificate at chain depth %uValidation Error #%zdDepthAttributes: (%zd total)Attribute [%zd]O!|i:x509_alt_name|i:get_general_namesKey IDGeneral Names: [%zd total], Relative Distinguished NameReasonsGeneral Name List: [%s]%s, Issuer: %s, Reasons: [%s]es:find_slot_by_namecould not find slot name "%s"k:get_best_slotPK11 password callback resultO!:CRLDistributionPtsCriticalUsagesTypesNamesnss.error_C_APIOCTETS_PER_LINE_DEFAULTHEX_SEPARATOR_DEFAULTAsObjectAsStringAsTypeStringAsTypeEnumAsLabeledStringAsEnumAsEnumNameAsEnumDescriptionAsIndexAsDottedDecimalgeneralNamerelativeDistinguishedNamePK11CertListUniquePK11CertListUserPK11CertListRootUniquePK11CertListCAPK11CertListCAUniquePK11CertListUserUniquePK11CertListAllcertUsageSSLClientcertUsageSSLServercertUsageSSLServerWithStepUpcertUsageSSLCAcertUsageEmailSignercertUsageEmailRecipientcertUsageObjectSignercertUsageUserCertImportcertUsageVerifyCAcertUsageStatusRespondercertUsageAnyCANSS_INIT_COOPERATEssl_kea_nullssl_kea_rsassl_kea_dhssl_kea_fortezzassl_kea_ecdhnullKeyrsaKeydsaKeyfortezzaKeydhKeykeaKeyecKeySEC_CERT_NICKNAMES_ALLSEC_CERT_NICKNAMES_USERSEC_CERT_NICKNAMES_SERVERSEC_CERT_NICKNAMES_CASEC_CRL_TYPESEC_KRL_TYPECRL_DECODE_DEFAULT_OPTIONSCRL_DECODE_DONT_COPY_DERCRL_DECODE_SKIP_ENTRIESCRL_DECODE_KEEP_BAD_CRLCRL_DECODE_ADOPT_HEAP_DERCRL_IMPORT_DEFAULT_OPTIONSCRL_IMPORT_BYPASS_CHECKSsecCertTimeValidsecCertTimeExpiredsecCertTimeNotValidYetKU_ALLcrlEntrycrlEntryReasonUnspecifiedcrlEntryReasonKeyCompromisecrlEntryReasonCaCompromisecrlEntryReasonSupersededcrlEntryReasonRemoveFromCRLcrlEntryReasonAaCompromisecertOtherNamecertRFC822NamecertDNSNamecertX400AddresscertDirectoryNamecertEDIPartyNamecertURIcertIPAddresscertRegisterIDCKM_CKM_RSA_PKCS_KEY_PAIR_GENCKM_RSA_PKCSCKM_RSA_9796CKM_RSA_X_509CKM_MD2_RSA_PKCSCKM_MD5_RSA_PKCSCKM_SHA1_RSA_PKCSCKM_RIPEMD128_RSA_PKCSCKM_RIPEMD160_RSA_PKCSCKM_RSA_PKCS_OAEPCKM_RSA_X9_31_KEY_PAIR_GENCKM_RSA_X9_31CKM_SHA1_RSA_X9_31CKM_RSA_PKCS_PSSCKM_SHA1_RSA_PKCS_PSSCKM_DSA_KEY_PAIR_GENCKM_DSACKM_DSA_SHA1CKM_DH_PKCS_KEY_PAIR_GENCKM_DH_PKCS_DERIVECKM_X9_42_DH_KEY_PAIR_GENCKM_X9_42_DH_DERIVECKM_X9_42_DH_HYBRID_DERIVECKM_X9_42_MQV_DERIVECKM_SHA256_RSA_PKCSCKM_SHA384_RSA_PKCSCKM_SHA512_RSA_PKCSCKM_SHA256_RSA_PKCS_PSSCKM_SHA384_RSA_PKCS_PSSCKM_SHA512_RSA_PKCS_PSSCKM_SHA224_RSA_PKCSCKM_SHA224_RSA_PKCS_PSSCKM_RC2_KEY_GENCKM_RC2_ECBCKM_RC2_CBCCKM_RC2_MACCKM_RC2_MAC_GENERALCKM_RC2_CBC_PADCKM_RC4_KEY_GENCKM_RC4CKM_DES_KEY_GENCKM_DES_ECBCKM_DES_CBCCKM_DES_MACCKM_DES_MAC_GENERALCKM_DES_CBC_PADCKM_DES2_KEY_GENCKM_DES3_KEY_GENCKM_DES3_ECBCKM_DES3_CBCCKM_DES3_MACCKM_DES3_MAC_GENERALCKM_DES3_CBC_PADCKM_CDMF_KEY_GENCKM_CDMF_ECBCKM_CDMF_CBCCKM_CDMF_MACCKM_CDMF_MAC_GENERALCKM_CDMF_CBC_PADCKM_DES_OFB64CKM_DES_OFB8CKM_DES_CFB64CKM_DES_CFB8CKM_MD2CKM_MD2_HMACCKM_MD2_HMAC_GENERALCKM_MD5CKM_MD5_HMACCKM_MD5_HMAC_GENERALCKM_SHA_1CKM_SHA_1_HMACCKM_SHA_1_HMAC_GENERALCKM_RIPEMD128CKM_RIPEMD128_HMACCKM_RIPEMD128_HMAC_GENERALCKM_RIPEMD160CKM_RIPEMD160_HMACCKM_RIPEMD160_HMAC_GENERALCKM_SHA256CKM_SHA256_HMACCKM_SHA256_HMAC_GENERALCKM_SHA384CKM_SHA384_HMACCKM_SHA384_HMAC_GENERALCKM_SHA512CKM_SHA512_HMACCKM_SHA512_HMAC_GENERALCKM_SHA224CKM_SHA224_HMACCKM_SHA224_HMAC_GENERALCKM_CAST_KEY_GENCKM_CAST_ECBCKM_CAST_CBCCKM_CAST_MACCKM_CAST_MAC_GENERALCKM_CAST_CBC_PADCKM_CAST3_KEY_GENCKM_CAST3_ECBCKM_CAST3_CBCCKM_CAST3_MACCKM_CAST3_MAC_GENERALCKM_CAST3_CBC_PADCKM_CAST5_KEY_GENCKM_CAST128_KEY_GENCKM_CAST5_ECBCKM_CAST128_ECBCKM_CAST5_CBCCKM_CAST128_CBCCKM_CAST5_MACCKM_CAST128_MACCKM_CAST5_MAC_GENERALCKM_CAST128_MAC_GENERALCKM_CAST5_CBC_PADCKM_CAST128_CBC_PADCKM_RC5_KEY_GENCKM_RC5_ECBCKM_RC5_CBCCKM_RC5_MACCKM_RC5_MAC_GENERALCKM_RC5_CBC_PADCKM_IDEA_KEY_GENCKM_IDEA_ECBCKM_IDEA_CBCCKM_IDEA_MACCKM_IDEA_MAC_GENERALCKM_IDEA_CBC_PADCKM_GENERIC_SECRET_KEY_GENCKM_CONCATENATE_BASE_AND_KEYCKM_CONCATENATE_BASE_AND_DATACKM_CONCATENATE_DATA_AND_BASECKM_XOR_BASE_AND_DATACKM_EXTRACT_KEY_FROM_KEYCKM_SSL3_PRE_MASTER_KEY_GENCKM_SSL3_MASTER_KEY_DERIVECKM_SSL3_KEY_AND_MAC_DERIVECKM_SSL3_MASTER_KEY_DERIVE_DHCKM_TLS_PRE_MASTER_KEY_GENCKM_TLS_MASTER_KEY_DERIVECKM_TLS_KEY_AND_MAC_DERIVECKM_TLS_MASTER_KEY_DERIVE_DHCKM_TLS_PRFCKM_SSL3_MD5_MACCKM_SSL3_SHA1_MACCKM_MD5_KEY_DERIVATIONCKM_MD2_KEY_DERIVATIONCKM_SHA1_KEY_DERIVATIONCKM_SHA256_KEY_DERIVATIONCKM_SHA384_KEY_DERIVATIONCKM_SHA512_KEY_DERIVATIONCKM_SHA224_KEY_DERIVATIONCKM_PBE_MD2_DES_CBCCKM_PBE_MD5_DES_CBCCKM_PBE_MD5_CAST_CBCCKM_PBE_MD5_CAST3_CBCCKM_PBE_MD5_CAST5_CBCCKM_PBE_MD5_CAST128_CBCCKM_PBE_SHA1_CAST5_CBCCKM_PBE_SHA1_CAST128_CBCCKM_PBE_SHA1_RC4_128CKM_PBE_SHA1_RC4_40CKM_PBE_SHA1_DES3_EDE_CBCCKM_PBE_SHA1_DES2_EDE_CBCCKM_PBE_SHA1_RC2_128_CBCCKM_PBE_SHA1_RC2_40_CBCCKM_PKCS5_PBKD2CKM_PBA_SHA1_WITH_SHA1_HMACCKM_WTLS_PRE_MASTER_KEY_GENCKM_WTLS_MASTER_KEY_DERIVECKM_WTLS_PRFCKM_KEY_WRAP_LYNKSCKM_KEY_WRAP_SET_OAEPCKM_CMS_SIGCKM_SKIPJACK_KEY_GENCKM_SKIPJACK_ECB64CKM_SKIPJACK_CBC64CKM_SKIPJACK_OFB64CKM_SKIPJACK_CFB64CKM_SKIPJACK_CFB32CKM_SKIPJACK_CFB16CKM_SKIPJACK_CFB8CKM_SKIPJACK_WRAPCKM_SKIPJACK_PRIVATE_WRAPCKM_SKIPJACK_RELAYXCKM_KEA_KEY_PAIR_GENCKM_KEA_KEY_DERIVECKM_FORTEZZA_TIMESTAMPCKM_BATON_KEY_GENCKM_BATON_ECB128CKM_BATON_ECB96CKM_BATON_CBC128CKM_BATON_COUNTERCKM_BATON_SHUFFLECKM_BATON_WRAPCKM_ECDSA_KEY_PAIR_GENCKM_EC_KEY_PAIR_GENCKM_ECDSACKM_ECDSA_SHA1CKM_ECDH1_DERIVECKM_ECDH1_COFACTOR_DERIVECKM_ECMQV_DERIVECKM_JUNIPER_KEY_GENCKM_JUNIPER_ECB128CKM_JUNIPER_CBC128CKM_JUNIPER_COUNTERCKM_JUNIPER_SHUFFLECKM_JUNIPER_WRAPCKM_FASTHASHCKM_AES_KEY_GENCKM_AES_ECBCKM_AES_CBCCKM_AES_MACCKM_AES_MAC_GENERALCKM_AES_CBC_PADCKM_BLOWFISH_KEY_GENCKM_BLOWFISH_CBCCKM_TWOFISH_KEY_GENCKM_TWOFISH_CBCCKM_CAMELLIA_KEY_GENCKM_CAMELLIA_ECBCKM_CAMELLIA_CBCCKM_CAMELLIA_MACCKM_CAMELLIA_MAC_GENERALCKM_CAMELLIA_CBC_PADCKM_CAMELLIA_ECB_ENCRYPT_DATACKM_CAMELLIA_CBC_ENCRYPT_DATACKM_SEED_KEY_GENCKM_SEED_ECBCKM_SEED_CBCCKM_SEED_MACCKM_SEED_MAC_GENERALCKM_SEED_CBC_PADCKM_SEED_ECB_ENCRYPT_DATACKM_SEED_CBC_ENCRYPT_DATACKM_DES_ECB_ENCRYPT_DATACKM_DES_CBC_ENCRYPT_DATACKM_DES3_ECB_ENCRYPT_DATACKM_DES3_CBC_ENCRYPT_DATACKM_AES_ECB_ENCRYPT_DATACKM_AES_CBC_ENCRYPT_DATACKM_DSA_PARAMETER_GENCKM_DH_PKCS_PARAMETER_GENCKM_X9_42_DH_PARAMETER_GENCKA_CKA_CLASSCKA_TOKENCKA_PRIVATECKA_LABELCKA_APPLICATIONCKA_VALUECKA_OBJECT_IDCKA_CERTIFICATE_TYPECKA_ISSUERCKA_SERIAL_NUMBERCKA_AC_ISSUERCKA_OWNERCKA_ATTR_TYPESCKA_TRUSTEDCKA_CERTIFICATE_CATEGORYCKA_JAVA_MIDP_SECURITY_DOMAINCKA_URLCKA_HASH_OF_ISSUER_PUBLIC_KEYCKA_CHECK_VALUECKA_KEY_TYPECKA_SUBJECTCKA_IDCKA_SENSITIVECKA_ENCRYPTCKA_DECRYPTCKA_WRAPCKA_UNWRAPCKA_SIGNCKA_SIGN_RECOVERCKA_VERIFYCKA_VERIFY_RECOVERCKA_DERIVECKA_START_DATECKA_END_DATECKA_MODULUSCKA_MODULUS_BITSCKA_PUBLIC_EXPONENTCKA_PRIVATE_EXPONENTCKA_PRIME_1CKA_PRIME_2CKA_EXPONENT_1CKA_EXPONENT_2CKA_COEFFICIENTCKA_PRIMECKA_SUBPRIMECKA_BASECKA_PRIME_BITSCKA_SUBPRIME_BITSCKA_SUB_PRIME_BITSCKA_VALUE_BITSCKA_VALUE_LENCKA_EXTRACTABLECKA_LOCALCKA_NEVER_EXTRACTABLECKA_ALWAYS_SENSITIVECKA_KEY_GEN_MECHANISMCKA_MODIFIABLECKA_ECDSA_PARAMSCKA_EC_PARAMSCKA_EC_POINTCKA_SECONDARY_AUTHCKA_AUTH_PIN_FLAGSCKA_ALWAYS_AUTHENTICATECKA_WRAP_WITH_TRUSTEDCKA_WRAP_TEMPLATECKA_UNWRAP_TEMPLATECKA_HW_FEATURE_TYPECKA_RESET_ON_INITCKA_HAS_RESETCKA_PIXEL_XCKA_PIXEL_YCKA_RESOLUTIONCKA_CHAR_ROWSCKA_CHAR_COLUMNSCKA_COLORCKA_BITS_PER_PIXELCKA_CHAR_SETSCKA_ENCODING_METHODSCKA_MIME_TYPESCKA_MECHANISM_TYPECKA_REQUIRED_CMS_ATTRIBUTESCKA_DEFAULT_CMS_ATTRIBUTESCKA_SUPPORTED_CMS_ATTRIBUTESCKA_ALLOWED_MECHANISMSCKA_VENDOR_DEFINEDSEC_OID_SEC_OID_UNKNOWNSEC_OID_MD2SEC_OID_MD4SEC_OID_MD5SEC_OID_SHA1SEC_OID_RC2_CBCSEC_OID_RC4SEC_OID_DES_EDE3_CBCSEC_OID_RC5_CBC_PADSEC_OID_DES_ECBSEC_OID_DES_CBCSEC_OID_DES_OFBSEC_OID_DES_CFBSEC_OID_DES_MACSEC_OID_DES_EDESEC_OID_PKCS1_RSA_ENCRYPTIONSEC_OID_PKCS7SEC_OID_PKCS7_DATASEC_OID_PKCS7_SIGNED_DATASEC_OID_PKCS7_ENVELOPED_DATASEC_OID_PKCS7_DIGESTED_DATASEC_OID_PKCS7_ENCRYPTED_DATASEC_OID_PKCS9_EMAIL_ADDRESSSEC_OID_PKCS9_CONTENT_TYPESEC_OID_PKCS9_MESSAGE_DIGESTSEC_OID_PKCS9_SIGNING_TIMESEC_OID_AVA_COMMON_NAMESEC_OID_AVA_COUNTRY_NAMESEC_OID_AVA_LOCALITYSEC_OID_AVA_STATE_OR_PROVINCESEC_OID_AVA_ORGANIZATION_NAMESEC_OID_AVA_DN_QUALIFIERSEC_OID_AVA_DCSEC_OID_NS_TYPE_GIFSEC_OID_NS_TYPE_JPEGSEC_OID_NS_TYPE_URLSEC_OID_NS_TYPE_HTMLSEC_OID_NS_TYPE_CERT_SEQUENCESEC_OID_MISSI_KEA_DSS_OLDSEC_OID_MISSI_DSS_OLDSEC_OID_MISSI_KEA_DSSSEC_OID_MISSI_DSSSEC_OID_MISSI_KEASEC_OID_MISSI_ALT_KEASEC_OID_NS_CERT_EXT_CERT_TYPESEC_OID_NS_CERT_EXT_BASE_URLSEC_OID_NS_CERT_EXT_COMMENTSEC_OID_X509_SUBJECT_KEY_IDSEC_OID_X509_KEY_USAGESEC_OID_X509_SUBJECT_ALT_NAMESEC_OID_X509_ISSUER_ALT_NAMESEC_OID_X509_NAME_CONSTRAINTSSEC_OID_X509_CRL_DIST_POINTSSEC_OID_X509_POLICY_MAPPINGSSEC_OID_X509_AUTH_KEY_IDSEC_OID_X509_EXT_KEY_USAGESEC_OID_X509_AUTH_INFO_ACCESSSEC_OID_X509_CRL_NUMBERSEC_OID_X509_REASON_CODESEC_OID_X509_INVALID_DATESEC_OID_X500_RSA_ENCRYPTIONSEC_OID_RFC1274_UIDSEC_OID_RFC1274_MAILSEC_OID_PKCS12SEC_OID_PKCS12_MODE_IDSSEC_OID_PKCS12_ESPVK_IDSSEC_OID_PKCS12_BAG_IDSSEC_OID_PKCS12_CERT_BAG_IDSSEC_OID_PKCS12_OIDSSEC_OID_PKCS12_PBE_IDSSEC_OID_PKCS12_SIGNATURE_IDSSEC_OID_PKCS12_ENVELOPING_IDSSEC_OID_PKCS12_KEY_BAG_IDSEC_OID_PKCS12_SECRET_BAG_IDSEC_OID_PKCS12_SDSI_CERT_BAGSEC_OID_ANSIX9_DSA_SIGNATURESEC_OID_VERISIGN_USER_NOTICESSEC_OID_PKIX_OCSPSEC_OID_PKIX_OCSP_NONCESEC_OID_PKIX_OCSP_CRLSEC_OID_PKIX_OCSP_RESPONSESEC_OID_PKIX_OCSP_NO_CHECKSEC_OID_PKIX_REGCTRL_REGTOKENSEC_OID_OCSP_RESPONDERSEC_OID_NETSCAPE_SMIME_KEASEC_OID_FORTEZZA_SKIPJACKSEC_OID_PKCS12_V1_KEY_BAG_IDSEC_OID_PKCS12_V1_CERT_BAG_IDSEC_OID_PKCS12_V1_CRL_BAG_IDSEC_OID_PKCS9_X509_CERTSEC_OID_PKCS9_SDSI_CERTSEC_OID_PKCS9_X509_CRLSEC_OID_PKCS9_FRIENDLY_NAMESEC_OID_PKCS9_LOCAL_KEY_IDSEC_OID_BOGUS_KEY_USAGESEC_OID_NETSCAPE_NICKNAMESEC_OID_CERT_RENEWAL_LOCATORSEC_OID_CMS_3DES_KEY_WRAPSEC_OID_CMS_RC2_KEY_WRAPSEC_OID_AES_128_ECBSEC_OID_AES_128_CBCSEC_OID_AES_192_ECBSEC_OID_AES_192_CBCSEC_OID_AES_256_ECBSEC_OID_AES_256_CBCSEC_OID_SDN702_DSA_SIGNATURESEC_OID_SHA256SEC_OID_SHA384SEC_OID_SHA512SEC_OID_AES_128_KEY_WRAPSEC_OID_AES_192_KEY_WRAPSEC_OID_AES_256_KEY_WRAPSEC_OID_SECG_EC_SECP112R1SEC_OID_SECG_EC_SECP112R2SEC_OID_SECG_EC_SECP128R1SEC_OID_SECG_EC_SECP128R2SEC_OID_SECG_EC_SECP160K1SEC_OID_SECG_EC_SECP160R1SEC_OID_SECG_EC_SECP160R2SEC_OID_SECG_EC_SECP192K1SEC_OID_SECG_EC_SECP224K1SEC_OID_SECG_EC_SECP224R1SEC_OID_SECG_EC_SECP256K1SEC_OID_SECG_EC_SECP384R1SEC_OID_SECG_EC_SECP521R1SEC_OID_SECG_EC_SECT113R1SEC_OID_SECG_EC_SECT113R2SEC_OID_SECG_EC_SECT131R1SEC_OID_SECG_EC_SECT131R2SEC_OID_SECG_EC_SECT163K1SEC_OID_SECG_EC_SECT163R1SEC_OID_SECG_EC_SECT163R2SEC_OID_SECG_EC_SECT193R1SEC_OID_SECG_EC_SECT193R2SEC_OID_SECG_EC_SECT233K1SEC_OID_SECG_EC_SECT233R1SEC_OID_SECG_EC_SECT239K1SEC_OID_SECG_EC_SECT283K1SEC_OID_SECG_EC_SECT283R1SEC_OID_SECG_EC_SECT409K1SEC_OID_SECG_EC_SECT409R1SEC_OID_SECG_EC_SECT571K1SEC_OID_SECG_EC_SECT571R1SEC_OID_AVA_SURNAMESEC_OID_AVA_SERIAL_NUMBERSEC_OID_AVA_STREET_ADDRESSSEC_OID_AVA_TITLESEC_OID_AVA_POSTAL_ADDRESSSEC_OID_AVA_POSTAL_CODESEC_OID_AVA_POST_OFFICE_BOXSEC_OID_AVA_GIVEN_NAMESEC_OID_AVA_INITIALSSEC_OID_AVA_HOUSE_IDENTIFIERSEC_OID_AVA_PSEUDONYMSEC_OID_PKIX_CA_ISSUERSSEC_OID_X509_CERT_ISSUERSEC_OID_X509_FRESHEST_CRLSEC_OID_CAMELLIA_128_CBCSEC_OID_CAMELLIA_192_CBCSEC_OID_CAMELLIA_256_CBCSEC_OID_PKCS5_PBKDF2SEC_OID_PKCS5_PBES2SEC_OID_PKCS5_PBMAC1SEC_OID_HMAC_SHA1SEC_OID_HMAC_SHA224SEC_OID_HMAC_SHA256SEC_OID_HMAC_SHA384SEC_OID_HMAC_SHA512SEC_OID_PKIX_TIMESTAMPINGSEC_OID_PKIX_CA_REPOSITORYSEC_OID_SECG_EC_SECP192R1SEC_OID_SECG_EC_SECP256R1SEC_OID_PKCS12_KEY_USAGEPK11_OriginNULLPK11_OriginDerivePK11_OriginGeneratedPK11_OriginFortezzaHackPK11_OriginUnwrapPKCS12_PKCS12_RC2_CBC_40PKCS12_RC2_CBC_128PKCS12_RC4_40PKCS12_RC4_128PKCS12_DES_56PKCS12_DES_EDE3_168datetime.datetime_CAPInss.nsscert_dircert_prefixkey_prefixsecmod_nameinit_paramsoctets_per_lineseparatorinputseparatorslevelobjoperationsec_paramdecode_optionsasciirepr_kindpkcs12_passwordkey_ciphercert_cipherpin_argsargpassword_requiredmin_password_lenmanufacturer_idlibrary_descriptioncrypto_token_descriptiondb_token_descriptionfips_token_descriptioncrypto_slot_descriptiondb_slot_descriptionfips_slot_descriptionbasic_constraintsauth_key_idauth_info_accessescrl_dist_pt_extensionarg1sec_itembitstrkey_sizetimeallow_overridereturn_cert_typeusagespermsubprimelines_pairsindent_lennss_get_versionnss_is_initializednss_init_nodbnss_shutdowndump_certificate_cache_infoget_default_certdbkey_mechanism_type_from_namepk11_attribute_type_from_namecert_crl_reason_namecert_crl_reason_from_namecert_general_name_type_namepk11_logout_allget_internal_slotget_internal_key_slotcreate_context_by_sym_keyneed_pw_initis_fipspkcs12_enable_all_cipherspkcs12_set_preferred_cipherget_use_pkix_for_validationclear_ocsp_cacheset_ocsp_default_responderenable_ocsp_default_respondercountnumber of validation errorsnss.nss.CertVerifyLogNodecertificatedepthnss.nss.PKCS12Decoderdatabase_importnss.nss.PKCS12DecodeItemsigned_cert_derfriendly_nameshroud_algorithm_idnss.nss.InitContextnss.nss.InitParametersminimum password lengthnss.nss.CertificateRequestsubject as an `DN` objectversion as integersubject_public_key_infoextensionsnss.nss.CertAttributetype_oidtype OID as SecItemtype_tagtype as string descriptionvaluesnss.nss.BasicConstraintsis_capath_lennss.nss.AuthKeyIDserial_numbernss.nss.AuthorityInfoAccessesnss.nss.AuthorityInfoAccessmethod_oidmethod OID as SecItemmethod_tagmethod_strmethod as string descriptionlocationnss.nss.CRLDistributionPtsnss.nss.CRLDistributionPointissuerdigest_beginfinalizedigest_finalCK_MECHANISM_TYPE mechanismkey_datakey datakey lengthis_hwis_presentis_read_onlyis_internalneed_loginneed_user_initis_friendlyis_removableis_logged_inis_disabledhas_root_certsget_disabled_reasonuser_disableuser_enablelogoutget_best_wrap_mechanismslot_nameslot nametoken_nametoken namenss.nss.GeneralNametype_enumtype_stringemail_addresscountry_namelocality_namestate_nameorg_nameorg_unit_namedc_namecert_uidvalue_strnss.nss.SignedCRLdelete_permanentlynss.nss.PrivateKeyfind_kea_typemake_ca_nicknamevalid_not_beforevalid_not_before_strvalid_not_aftervalid_not_after_strsubject_common_namecertificate subjectcertificate versioncertificate serial numbersignature_algorithmsigned_datader_datassl_trust_stremail_trust_strsigning_trust_strssl_trust_flagsemail_trust_flagssigning_trust_flagsnss.nss.CertificateExtensionname of extensioncriticaloid of extension as SecItemextension data as SecItemnss.nss.SubjectPublicKeyInfopublic_keyPublicKey objectnss.nss.PublicKeykey_typekey_type_strkey type as a stringdsanss.nss.SignedDatasignaturesignature as a SecItem objectnss.nss.DSAPublicKeypqg_paramsDSA public_valuenss.nss.RSAPublicKeyRSA modulusRSA exponentnss.nss.KEYPQGParamsnss.nss.RSAGenParamskey size in bits (integer)public_exponentpublic exponent (integer)nss.nss.AlgorithmIDid_oidalgorithm id OID as SecItemparametersget_integercontents of SecItem bufferKey CompromiseCA CompromiseAffiliation ChangedCessation Of OperationCertificate On HoldRemove From CRLPrivilege WithdrawnAA Compromisenss.nss.PK11Slotnss.nss.Certificatenss.nss.CertDBnss.nss.CertVerifyLognss.nss.DNnss.nss.RDNnss.nss.AVAnss.nss.SecItemnss.nss.PK11Contextnss.nss.PK11SymKey\x00\x01\x02\x03\x04\x05\x06\a\b\t\n\v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F!\"#$%&\'(*+,-/;<=\?@JQVWZ[\\^`cqz{|}~\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFFCNOUdnQualifierserialNumbertitleSNgivenNameinitialsgenerationQualifierpostalAddresspostalCodepostOfficeBoxhouseIdentifier l ^^^^~^w^p^i^b^[^e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]e]T^M^F^?^8^^]]]]^]]](^#^\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\^^^^]^h0h@hPh`hphh jjk j j j j j jqpHqqqXqhqxqqpTJ5"`Jڔϔ,{B`T 8:Ѷ5ڗ֥7bJ!D)3Y<5v':pD5G|Dþ#eLJȓAk h䨵i?zJP"3S$hwhh]r; se}R)4D% ?`Hۭagר-;p,,Tl܇ ,|̈<܈Tl <܉ , D\,t\,<4\L|d|\l $,<\<<>|<\>>>??@L? Al?E?F?G,@HT@I@ K@LL@LAMDAO|A PAPA QAQB,R,BSdB,UBLUB|VB|Y$C|[dC|\C<^C\^C^ D`DD btD\bD cDcD dEd4E,eTE|etEeEhE iF|iAt,*AT|L*8BBB B(A0A8DP@ 8C0A(B BBBF { 8D0A(B BBBH n 8A0A(B BBBA 4*BEA G@  AABD 4+#BAA QP  AABB <+(A^L\+BIB B(D0D8G% 8A0A(B BBBC ,+AAD`y AAG <+BED A(D0D (A ABBF $,AX0Z AD 4D,@ABAF Dp  AABD 4|,X BKA D@d  AABF ,,@ 1AHG@ AAB ,P eD Y A ,- A\F` AAG 44-P BDD D  AABI l-(YD O A -hD@| H -YD O A $-(AP K AC $-AP P AF 4.BDD Dp  AABC $T.)AXp AD |.DT,.-AKD@ AAB L.BVB B(A0A8DpP 8A0A(B BBBA </PBEA D(D` (A ABBJ 4T/BKA D0  AABG 4/BDD D@  AABC /`DT/hCAe J F4/BUA G  AABE ,40PlAUD2 AAB d0CAg H F$0AU f AC $0HAU f AC 40PAAD a DAL PCA 1a$1LA\ C kD1LA\ C kd1 DP<|1 BIA Q(D@ (A ABBG 41"mBDD N GBG AAB41#eBDD E GBH AAB,28#h cU bL2#D0p D 4l2($YAAD l AAD D HAK ,2P$ADG  AAA <2$oAAG R AAK g DAD DKA3%$,3%eAD0U AA T3P% l3H% 3@% 38% ,30%!qH JA DH|30&BBB B(A0A8D@  8A0A(B BBBD j 8C0A(B BBBA R8H0A(B BBB$d4'nA[ K AA 4'D@v A 48(,4P(,4h(,4(0 5(PMU F F,5(PMU F FL5(PMU F FLl5()BIB B(A0A8Dp 8A0A(B BBBC 5+P5+845,BFD G ]  AABD d$6,BGB B(D0A8D`` 8A0A(B BBBH h 8A0A(B BBBF $6.A[ b AA 6/X6X/6Ta$6/AD0X AB  7/wD L H ,,780AAJ`. AAD $\71pDa K b A \$71hD` D b A \$782bD` D \ A \72D0Y C 72-AZ E L82-AZ E L483-AZ E LT83-AZ E Lt8 3-AZ E L803-AZ E L8@3-AZ E L8P3-AZ E L<8`3BIQ A(DP (A ABBG L497pBBB E(A0A8DT 8A0A(B BBBA ,9=ADGO AAC ,9`>ADGO AAC 9>D U G ,:@?yAAGh AAA 4:?L:?d:?"DY|:?"DY$:?[A` O V J E:?D@o E :@D@o E ,:(A AADP AAB ,,;CAAD`d AAD L\;hDHB]B B(A0A8D 8A0A(B BBBD 4;hGIED d DAE KCAD;GADG F AAL M AAA T CAH D,<HHBKA H CBE J CBA LCBDt<HBKA H CBE J CBA LCBD<HBKA H CBE J CBA LCBD= IBKA H CBE J CBA LCBLL=hI~BBB B(D0A8D`T 8A0A(B BBBA L=LmBIB R(A0A8D` 8A0A(B BBBF =ODP D , >PAXFP AAJ 4<>hQdBHK [ ABE R ABS t>Q 4>QBDD D@  AABJ 4>RAAD K CAK ODA>xS,?S,,?S,4D?SRAAD o DAF OAA|?S0DU G O?S0D?TBKA J CBC S GBD L GBK $?xTAN0 AI $$@UAN0 AI $L@UAN0 AI $t@@VAN0 AI $@VzAQ Q AD ,@0WAND0n AAE 4@WKAAD h DAE KCA,AW0DU G OLAW0DU G O$lAWOAf I A O A$AXAX` AD $AXAQP AK A`Y>D\ H TBY<D\ H R$BY<D\ H RDBY8D\ H OdBY8D\ H OBZ8D\ H O,B ZlAG o AH O AH B`Z8D\ H OBZ8D\ H OCZ8D\ H O4CZ8D\ H OTCZ8D\ H OtC[8D\ H OC [8D\ H OC@[8D\ H O4C`[JAAD j AAF OAA Dx[9D\ H O$,D[A_P AF $TD0\A_P AF ,|D\\AAD j AAA <D\ZFAD dDAT DHAD]4E]Dd H H P H H H H H H a< 8D0A(B BBBD $Jo{AJ E A W AJ@p9D\ H O$J`pAU i AH ,KpnD` D \ D H A \$LKqTA^$ AD tKPs9D\ H O$KpsAQ0f AG Ks9D\ H O,KtAUF0a AAA $ LtAX U AA 4LuD t H TLuD t H tL v1DX D OL@vtD Y C LvtD Y C LwD0k A LpwD t H MxD t H 4Mx0DX D O$TMxAN b AF |My0DX D OM(yD f F MyD0k A MzrD W E Mhz0DX D ONxzD@ E BBE E(D0A8DP 8A0A(B BBBJ L_BIB B(A0A8Dp 8A0A(B BBBK < `(BIQ A(D@ (A ABBH L` Ld`BIR B(A0A8D` 8A0A(B BBBH 4`0AMD @ DAI ` DAK d`EBBB B(A0D8D@ 8A0A(B BBBE m 8D0A(B BBBF ,TaA\FP AAB LaPBBD A(D0] (A ABBH ~(A ABB$amA[ J AA La~BBD A(D0I (A ABBL O(A ABB$LbA[ M AF LtbBIB R(A0A8D` 8A0A(B BBBK |b0ZBBB B(D0A8D`. 8A0A(B BBBG Y 8A0A(B BBBE  8C0A(B BBBN DDcBDA p ABN W ADA LAMcX,LcpBIB R(A0A8D` 8A0A(B BBBB dc0BEB B(A0A8Dp 8A0A(B BBBA  8C0A(B BBBN \dh td` A^d`AD Z A ,dARF0e AAH d0ID[ A M B e`ID[ A M B 4$eBDD D@{  AABC L\eBEE B(A0D8DPa 8A0A(B BBBF De8BFL A(A0DP 0A(A BBBG denBEB A(A0 (A BBGE ^ (A BBBC k (A BBGA $\fuA[ O AA 4f0YAOD e DAB QCD4fXYAOD e DAB QCDLfBFL A(A0h (A BBDI } (A BBBD 4Dg tAOD g DAH fDA4|ghkAOD b DAE eDALg, BIB B(Q0A8Du 8A0A(B BBBD hIAHD A AAH [ AAK U AAI  AAK ` AAF  AAE _ AAE e AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE e AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE d AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE d AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE d AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE e AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE e AAE ` AAE d AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE e AAE ` AAE g AAE ` AAE e AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE ~ AAE ` AAE e AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE h AAE ` AAE d AAE ` AAE h AAE _ AAE h AAE ` AAE g AAE ` AAE h AAE _ AAE e AAE ` AAE I AAX `AAp303`@) =, dJ@- @. /%*@+ "@ (@ +@  5@  >@ 0Ncۈb R  `(  k(  y@ ߢp;%xH0x %9I  l8%8%oP' ; @%p hK oIooFo9<%&6FVfv&6FVfv&6FVfv  & 6 F V f v         !!&!6!F!V!f!v!!!!!!!!!""&"6"F"V"f"v"""""""""##&#6#F#V#f#v#########$$&$6$F$V$f$v$$$$$$$$$%%&%6%F%V%f%v%%%%%%%%%&&&&6&F&V&f&v&&&&&&&&&''&'6'F'V'f'v'''''''''((&(6(F(V(f(v((((((((())&)6)F)V)f)v)))))))))**&*6*F*V*f*v*********++&+6+F+V+f+v+++++++++,,&,6,F,V,f,v,,,,,,,,,--&-6-F-V-f-v---------..&.6.F.V.f.v.........//&/6/F/V/f/v/////////00&060F0V0f0v00000000011&161F1V1f1v11111111122&262F2V2f2v22222This module implements the NSS functions disable_ocsp_default_responder(certdb=get_default_certdb()) :Parameters: certdb : CertDB object or None CertDB certificate database object, if None then the default certdb will be supplied by calling `nss.get_default_certdb()`. Turns off use of a default responder when OCSP checking. (Does nothing if use of a default responder is not enabled.) enable_ocsp_default_responder(certdb=get_default_certdb()) :Parameters: certdb : CertDB object or None CertDB certificate database object, if None then the default certdb will be supplied by calling `nss.get_default_certdb()`. Turns on use of a default responder when OCSP checking. If OCSP checking is already enabled, this will make subsequent checks go directly to the default responder. (The location of the responder and the nickname of the responder cert must already be specified.) If OCSP checking is not enabled, this will be recorded and take effect whenever it is enabled. set_ocsp_default_responder(certdb, url, nickname) :Parameters: certdb : CertDB object CertDB certificate database object. url : string The location of the default responder (e.g. "http://foo.com:80/ocsp") Note that the location will not be tested until the first attempt to send a request there. nickname : string The nickname of the cert to trust (expected) to sign the OCSP responses. If the corresponding cert cannot be found, SECFailure is returned. Specify the location and cert of the default responder. If OCSP checking is already enabled and use of a default responder is also already enabled, all OCSP checking from now on will go directly to the specified responder. If OCSP checking is not enabled, or if it is enabled but use of a default responder is not enabled, the information will be recorded and take effect whenever both are enabled. clear_ocsp_cache() Removes all items currently stored in the OCSP cache. set_ocsp_timeout(seconds) :Parameters: seconds : int Maximum number of seconds NSS will wait for an OCSP response. Configure the maximum time NSS will wait for an OCSP response. set_ocsp_failure_mode(failure_mode) :Parameters: failure_mode : int A ocspMode_Failure* constant Set the desired behaviour on OCSP failures. failure_mode may be one of: - ocspMode_FailureIsVerificationFailure - ocspMode_FailureIsNotAVerificationFailure set_ocsp_cache_settings(max_cache_entries, min_secs_till_next_fetch, max_secs_till_next_fetch) :Parameters: max_cache_entries : int Maximum number of cache entries. Special values, -1 disables the cache, 0 indicates unlimited cache entries. min_secs_till_next_fetch : int Whenever an OCSP request was attempted or completed over the network, wait at least this number of seconds before trying to fetch again. max_secs_till_next_fetch : int The maximum age of a cached response we allow, until we try to fetch an updated response, even if the OCSP responder expects that a newer information update will not be available yet. Sets parameters that control NSS' internal OCSP cache. disable_ocsp_checking(certdb=get_default_certdb()) :Parameters: certdb : CertDB object or None CertDB certificate database object, if None then the default certdb will be supplied by calling `nss.get_default_certdb()`. Turns off OCSP checking for the given certificate database. It will raise an exception with SEC_ERROR_OCSP_NOT_ENABLED as the error code if OCSP checking is not enabled. It is safe to call it when OCSP checking is disabled, you can just ignore the exception if it is easier to just call it than to remember if it was enabled. enable_ocsp_checking(certdb=get_default_certdb()) :Parameters: certdb : CertDB object or None CertDB certificate database object, if None then the default certdb will be supplied by calling `nss.get_default_certdb()`. Turns on OCSP checking for the given certificate database. set_use_pkix_for_validation(flag) -> prev_flag :Parameters: flag : boolean Boolean flag, True to enable PKIX validation, False to disable PKIX validation. Sets the flag to enable or disable the use of PKIX for certificate validation. Returns the previous value of the flag. See also: `get_use_pkix_for_validation`. get_use_pkix_for_validation() -> flag Returns the current value of the flag used to enable or disable the use of PKIX for certificate validation. See also: `set_use_pkix_for_validation`. fingerprint_format_lines(data, level=0) -> :Parameters: data : SecItem or str or any buffer compatible object Data to initialize the certificate request from, must be in DER format level : integer Initial indentation level, all subsequent indents are relative to this starting level. Generates digests of data (i.e. fingerprint) and formats it into line tuples for text output. pkcs12_export(nickname, pkcs12_password, key_cipher=SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC, cert_cipher=SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC, pin_args=None) :Parameters: nickname : string Certificate nickname to search for. pkcs12_password : string The password used to protect the pkcs12_file. key_cipher : int A SEC OID TAG enumerated constant selecting the encryption for the private key (see below). Also see `nss.pkcs12_map_cipher()` for an alternative method to select the encryption cipher. cert_cipher : int A SEC OID TAG enumerated constant selecting the encryption for the certificates (see below). Also see `nss.pkcs12_map_cipher()` for an alternative method to select the encryption cipher. pin_args : tuple Extra parameters which will be passed to the password callback function. pkcs12_export() is used to export a certificate and private key pair from the NSS database in a protected manner. It produces the binary content of what is typically called a .p12 file (e.g. PKCS12). This function does not write the file, if you want to write a .p12 file you must write it's output to a file, for example: :: pkcs12_data = nss.pkcs12_export(nickname, pkcs12_file_password) f = open(p12_file_path, 'w') f.write(pkcs12_data) f.close() Password Based Encryption ------------------------- PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password based encryption is used to protect private keys (i.e. key_cipher) on export to a PKCS #12 file and also the entire package when allowed (i.e. cert_cipher). If no algorithm is specified it defaults to using 'PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC' for private key encryption. For historical export control reasons 'PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC' is the default for the overall package encryption when not in FIPS mode and no package encryption when in FIPS mode. The private key is always protected with strong encryption by default. A list of ciphers follows, the term is the SEC OID TAG followd by a friendly description. * symmetric CBC ciphers for PKCS #5 V2: SEC_OID_DES_CBC DES-CBC. SEC_OID_RC2_CBC RC2-CBC. SEC_OID_RC5_CBC_PAD RC5-CBCPad. SEC_OID_DES_EDE3_CBC DES-EDE3-CBC. SEC_OID_AES_128_CBC AES-128-CBC. SEC_OID_AES_192_CBC AES-192-CBC. SEC_OID_AES_256_CBC AES-256-CBC. SEC_OID_CAMELLIA_128_CBC CAMELLIA-128-CBC. SEC_OID_CAMELLIA_192_CBC CAMELLIA-192-CBC. SEC_OID_CAMELLIA_256_CBC CAMELLIA-256-CBC. * PKCS #12 PBE Ciphers: SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 PKCS #12 PBE With SHA-1 and 128 Bit RC4. SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 PKCS #12 PBE With SHA-1 and 40 Bit RC4. SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC PKCS #12 PBE With SHA-1 and Triple DES-CBC. SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC PKCS #12 PBE With SHA-1 and 128 Bit RC2 CBC. SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC PKCS #12 PBE With SHA-1 and 40 Bit RC2 CBC. SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4 PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4. SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4. SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC. SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC PKCS #12 V2 PBE With SHA-1 And 2KEY Triple DES-CBC. SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC. SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC. * PKCS #5 PBE Ciphers: SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC PKCS #5 Password Based Encryption with MD2 and DES-CBC. SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC PKCS #5 Password Based Encryption with MD5 and DES-CBC. SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC PKCS #5 Password Based Encryption with SHA-1 and DES-CBC. pkcs12_set_preferred_cipher(cipher, enabled) :Parameters: cipher : integer The PKCS12 cipher suite enumeration (e.g. `PKCS12_DES_EDE3_168`, etc.) enabled : bool or int True enables, False disables This function enables or disables the preferred flag on a PKCS cipher. The default preferred cipher is `PKCS12_RC2_CBC_40`. The cipher may be one of: - `PKCS12_RC2_CBC_40` - `PKCS12_RC2_CBC_128` - `PKCS12_RC4_40` - `PKCS12_RC4_128` - `PKCS12_DES_56` - `PKCS12_DES_EDE3_168` pkcs12_enable_all_ciphers() Enables all PKCS12 ciphers, which are: - `PKCS12_RC2_CBC_40` - `PKCS12_RC2_CBC_128` - `PKCS12_RC4_40` - `PKCS12_RC4_128` - `PKCS12_DES_56` - `PKCS12_DES_EDE3_168` pkcs12_enable_cipher(cipher, enabled) :Parameters: cipher : integer The PKCS12 cipher suite enumeration (e.g. `PKCS12_DES_EDE3_168`, etc.) enabled : bool or int True enables, False disables The cipher may be one of: - PKCS12_RC2_CBC_40 - PKCS12_RC2_CBC_128 - PKCS12_RC4_40 - PKCS12_RC4_128 - PKCS12_DES_56 - PKCS12_DES_EDE3_168 nss_init_flags(flags, repr_kind=AsEnumName) -> ['flag_name', ...] :Parameters: flags : int NSS_INIT* bit flags repr_kind : RepresentationKind constant Specifies what the contents of the returned list will be. May be one of: AsEnum The enumerated constant as an integer value. AsEnumName The name of the enumerated constant as a string. AsEnumDescription A friendly human readable description of the enumerated constant as a string. Given an integer with NSS_INIT* (e.g. nss.NSS_INIT_READONLY) bit flags return a sorted list of their string names. cert_type_flags(flags, repr_kind=AsEnumName) -> ['flag_name', ...] :Parameters: flags : int KU_* bit flags repr_kind : RepresentationKind constant Specifies what the contents of the returned list will be. May be one of: AsEnum The enumerated constant as an integer value. AsEnumName The name of the enumerated constant as a string. AsEnumDescription A friendly human readable description of the enumerated constant as a string. Given an integer with NS_CERT_TYPE_* (e.g. nss.NS_CERT_TYPE_SSL_SERVER) bit flags return a sorted list of their string names. key_usage_flags(flags, repr_kind=AsEnumName) -> ['flag_name', ...] :Parameters: flags : int KU_* bit flags repr_kind : RepresentationKind constant Specifies what the contents of the returned list will be. May be one of: AsEnum The enumerated constant as an integer value. AsEnumName The name of the enumerated constant as a string. AsEnumDescription A friendly human readable description of the enumerated constant as a string. Given an integer with KU_* (e.g. nss.KU_DIGITAL_SIGNATURE) bit flags return a sorted list of their string names. cert_usage_flags(flags, repr_kind=AsEnumDescription) -> ['flag_name', ...] :Parameters: flags : int certificateUsage* bit flags repr_kind : RepresentationKind constant Specifies what the contents of the returned list will be. May be one of: AsEnum The enumerated constant as an integer value. AsEnumName The name of the enumerated constant as a string. AsEnumDescription A friendly human readable description of the enumerated constant as a string. Given an integer with certificateUsage* (e.g. nss.certificateUsageSSLServer) bit flags return a sorted list of their string names. general_name_type_from_name(name) -> int :Parameters: name : string name of CERTGeneralNameType constant Given the name of a CERTGeneralNameType constant return it's integer constant The string comparison is case insensitive and will match with or without the cert prefix general_name_type_name(type) -> string :Parameters: type : int CERTGeneralNameType constant Given a CERTGeneralNameType constant return it's name as a string pkcs12_map_cipher(cipher, key_length=0) -> int :Parameters: cipher : may be one of integer, string or SecItem May be one of: * integer:: A SEC OID enumeration constant, also known as a tag (i.e. SEC_OID_*) for example SEC_OID_DES_EDE3_CBC. * string:: A string for the tag name (e.g. 'SEC_OID_DES_EDE3_CBC') The 'SEC_OID\_' prefix is optional. A string in dotted decimal representation, for example 'OID.2.5.4.3'. The 'OID.' prefix is optional. Case is not significant. * SecItem:: A SecItem object encapsulating the OID in DER format. key_length : int The number of bits in the key. If zero a default will be selected. Given an cipher and optionally a key length, map that to a PKCS12 encryption method returned as a SEC_OID tag. pkcs12_cipher_from_name(name) -> int :Parameters: name : string name of PKCS12_* constant Given the name of a PKCS12_* constant return it's integer constant The string comparison is case insensitive and will match with or without the PKCS12\_ prefix pkcs12_cipher_name(cipher) -> string :Parameters: cipher : int PKCS12_* constant Given a PKCS12_* constant return it's name as a string crl_reason_from_name(name) -> int :Parameters: name : string name of CERTCRLEntryReasonCode constant Given the name of a CERTCRLEntryReasonCode constant return it's integer constant The string comparison is case insensitive and will match with or without the crlEntry prefix crl_reason_name(reason) -> string :Parameters: reason : int CERTCRLEntryReasonCode constant Given a CERTCRLEntryReasonCode constant return it's name as a string x509_alt_name(sec_item, repr_kind=AsString) -> (SecItem, ...) :Parameters: sec_item : SecItem object A SecItem containing a DER encoded alternative name extension. repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsObject The general name as a nss.GeneralName object AsString The general name as a string. (e.g. "http://crl.geotrust.com/crls/secureca.crl") AsTypeString The general name type as a string. (e.g. "URI") AsTypeEnum The general name type as a general name type enumerated constant. (e.g. nss.certURI ) AsLabeledString The general name as a string with it's type prepended. (e.g. "URI: http://crl.geotrust.com/crls/secureca.crl" Return a tuple of GeneralNames according the representation kind. x509_ext_key_usage(sec_item, repr_kind=AsString) -> (obj, ...) :Parameters: sec_item : SecItem object A SecItem containing a DER encoded sequence of OID's repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsObject Each extended key usage will be a SecItem object embedding the OID in DER format. AsString Each extended key usage will be a descriptive string. (e.g. "TLS Web Server Authentication Certificate") AsDottedDecimal Each extended key usage will be OID rendered as a dotted decimal string. (e.g. "OID.1.3.6.1.5.5.7.3.1") AsEnum Each extended key usage will be OID tag enumeration constant (int). (e.g. nss.SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) Return a tuple of OID's according the representation kind. x509_cert_type(bitstr, repr_kind=AsEnumDescription) -> (str, ...) :Parameters: bitstr : SecItem object A SecItem containing a DER encoded bit string. repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsEnum The enumerated constant. (e.g. nss.NS_CERT_TYPE_SSL_SERVER) AsEnumDescription A friendly human readable description of the enumerated constant as a string. (e.g. "SSL Server") AsIndex The bit position within the bit string. Return a tuple of string name for each enabled bit in the key usage bit string. x509_key_usage(bitstr, repr_kind=AsEnumDescription) -> (str, ...) :Parameters: bitstr : SecItem object A SecItem containing a DER encoded bit string. repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsEnum The enumerated constant. (e.g. nss.KU_DIGITAL_SIGNATURE) AsEnumDescription A friendly human readable description of the enumerated constant as a string. (e.g. "Digital Signature") AsIndex The bit position within the bit string. Return a tuple of string name for each enabled bit in the key usage bit string. base64_to_binary(text) -> SecItem :Parameters: text : string string containing base64 data. Convert the base64 encoded data to binary data. The text is assumed to contain base64 text. The base64 text may optionally be wrapped in a PEM header and footer. Returns a SecItem containg the binary data. read_der_from_file(file, ascii=False) -> SecItem :Parameters: file : file name or file object If string treat as file path to open and read, if file object read from file object. ascii : boolean If True treat file contents as ascii data. If PEM delimiters are found strip them. Then base64 decode the contents. Read the contents of a file and return as a SecItem object. If file is a string then treat it as a file pathname and open and read the contents of that file. If file is a file object then read the contents from the file object If the file contents begin with a PEM header then treat the the file as PEM encoded and decode the payload into DER form. Otherwise the file contents is assumed to already be in DER form. The returned SecItem contains the DER contents of the file. decode_der_crl(der_crl, type=SEC_CRL_TYPE, decode_options=CRL_DECODE_DEFAULT_OPTIONS) -> SignedCRL :Parameters: der_crl : SecItem object DER encoded CRL data encapsulated in a SECItem. type : int revocation list type may be one of: - SEC_CRL_TYPE - SEC_KRL_TYPE decode_options : int bit-wise OR of the following flags: - CRL_DECODE_DONT_COPY_DER - CRL_DECODE_SKIP_ENTRIES - CRL_DECODE_KEEP_BAD_CRL - CRL_DECODE_ADOPT_HEAP_DER or use CRL_DECODE_DEFAULT_OPTIONS import_crl(slot, der_crl, url, type, import_options, decode_options, [user_data1, ...]) -> SignedCRL :Parameters: slot : PK11Slot object designated PK11 slot der_crl : SecItem object signed DER CRL data encapsulated in a SecItem object. url : string URL of the CRL type : int revocation list type may be one of: - SEC_CRL_TYPE - SEC_KRL_TYPE import_options : int bit-wise OR of the following flags: - CRL_IMPORT_BYPASS_CHECKS or use CRL_IMPORT_DEFAULT_OPTIONS decode_options : int bit-wise OR of the following flags: - CRL_DECODE_DONT_COPY_DER - CRL_DECODE_SKIP_ENTRIES - CRL_DECODE_KEEP_BAD_CRL - CRL_DECODE_ADOPT_HEAP_DER or use CRL_DECODE_DEFAULT_OPTIONS user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function get_pad_mechanism(mechanism) -> int :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) Determine appropriate mechanism to use when padding is required. If the mechanism does not map to a padding mechanism return the mechanism. get_block_size(mechanism, sec_param=None) -> int :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) sec_param : SecItem object or None mechanism parameters used to build this context or None. Get the mechanism block size get_iv_length(mechanism) -> algtag :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) Returns the length of the mechanism's initialization vector. mechanism_to_algtag(mechanism) -> algtag :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) Returns the algtag given key mechanism enumeration constant (CKM_*) Throws an KeyError exception if the mechanism is invalid. algtag_to_mechanism(algtag) -> mechanism :Parameters: algtag : int algorithm tag (e.g. SEC_OID_*) Returns the key mechanism enumeration constant (CKM_*) given an algorithm tag. Throws a KeyError exception if the algorithm tag is invalid. generate_new_param(mechanism, sym_key=None) -> SecItem :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) sym_key : PK11SymKey object or None symmetric key or None Return a SecItem containing a encryption param. param_from_algid(algid) -> SecItem :Parameters: algid : AlgorithmID object algorithm id Return a SecItem containing a encryption param derived from a AlgorithmID. param_from_iv(mechanism, iv=None) -> SecItem :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) iv : SecItem object initialization vector. If there is no initialization vector you may also pass None or an empty SecItem object (e.g. SecItem()) Return a SecItem to be used as the initialization vector for encryption/decryption. create_digest_context(hash_alg) -> PK11Context :Parameters: hash_alg : int hash algorithm enumeration (SEC_OID_*) e.g.: SEC_OID_MD5, SEC_OID_SHA1, SEC_OID_SHA256, SEC_OID_SHA512, etc. Create a context for performing digest (hash) operations) pub_wrap_sym_key(mechanism, pub_key, sym_key) -> SecItem :Parameters: mechanism : int CK_MECHANISM_TYPE enumerated constant pub_key : `PublicKey` object Public key used to wrap. sym_key : `PK11SymKey` object Symmetric key that will be wrapped. :returns: Wrapped symmetric key as SecItem Wraps a public key wrap (which only RSA can do). import_sym_key(slot, mechanism, origin, operation, key_data, [user_data1, ...]) -> PK11SymKey :Parameters: slot : PK11Slot object designated PK11 slot mechanism : int key mechanism enumeration constant (CKM_*) origin : int PK11 origin enumeration (PK11Origin*) e.g. PK11_OriginDerive, PK11_OriginUnwrap, etc. operation : int type of operation this context will be doing. A (CKA_*) constant (e.g. CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_DIGEST) key_data: SecItem object key data encapsulated in a SECItem used to build the symmetric key. user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Create a PK11SymKey from data) create_context_by_sym_key(mechanism, operation, sym_key, sec_param=None) -> PK11Context :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) operation : int type of operation this context will be doing. A (CKA_*) constant (e.g. CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_DIGEST) sym_key : PK11SymKey object symmetric key sec_param : SecItem object or None mechanism parameters used to build this context or None. Create a context from a symmetric key) find_slot_by_name(name) -> `PK11Slot` :Parameters: name : string slot name Given a slot name return a `PK11Slot` object. get_internal_key_slot() -> PK11Slot Get the default internal key slot. get_internal_slot() -> PK11Slot Get the default internal slot. get_best_slot(mechanism, [user_data1, ...]) -> PK11Slot :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Find the best slot which supports the given mechanism. pk11_logout_all() Logout of every slot for all modules. pk11_disabled_reason_name(reason) -> string :Parameters: reason : int PK11 slot disabled reason constant (PK11_DIS_*) Given a PK11 slot disabled reason constant (PK11_DIS_*) return the constant as a string. pk11_disabled_reason_str(reason) -> string :Parameters: reason : int PK11 slot disabled reason constant (PK11_DIS_*) Given a PK11 slot disabled reason constant (PK11_DIS_*) return a descriptive string pk11_attribute_type_from_name(name) -> int :Parameters: name : string name of PK11 attribute type constant (CKA_*) Given the name of a PK11 attribute type constant (CKA_*) return it's integer constant The string comparison is case insensitive and will match with or without the CKA\_ prefix pk11_attribute_type_name(type) -> string :Parameters: type : int PK11 attribute type constant (CKA_*) Given a PK11 attribute type constant (CKA_*) return it's name as a string key_mechanism_type_from_name(name) -> int :Parameters: name : string name of key mechanism enumeration constant (CKM_*) Given the name of a key mechanism enumeration constant (CKM_*) return it's integer constant The string comparison is case insensitive and will match with or without the CKM\_ prefix key_mechanism_type_name(mechanism) -> string :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) Given a key mechanism enumeration constant (CKM_*) return it's name as a string oid_dotted_decimal(oid) -> string :Parameters: oid : may be one of integer, string, SecItem May be one of: * integer:: A SEC OID enumeration constant, also known as a tag (i.e. SEC_OID_*) for example SEC_OID_AVA_COMMON_NAME. * string:: A string in dotted decimal representation, for example 'OID.2.5.4.3'. The 'OID.' prefix is optional. Or a string for the tag name (e.g. 'SEC_OID_AVA_COMMON_NAME') The 'SEC_OID\_' prefix is optional. Or one of the canonical abbreviations (e.g. 'cn'). Case is not significant. * SecItem:: A SecItem object encapsulating the OID in DER format. Given an oid return it's tag constant as a string. oid_tag(oid) -> int :Parameters: oid : may be one of integer, string, SecItem May be one of: * integer:: A SEC OID enumeration constant, also known as a tag (i.e. SEC_OID_*) for example SEC_OID_AVA_COMMON_NAME. * string:: A string in dotted decimal representation, for example 'OID.2.5.4.3'. The 'OID.' prefix is optional. Or a string for the tag name (e.g. 'SEC_OID_AVA_COMMON_NAME') The 'SEC_OID\_' prefix is optional. Or one of the canonical abbreviations (e.g. 'cn'). Case is not significant. * SecItem:: A SecItem object encapsulating the OID in DER format. Given an oid return it's tag constant. oid_tag_name(oid) -> string :Parameters: oid : may be one of integer, string, SecItem May be one of: * integer:: A SEC OID enumeration constant, also known as a tag (i.e. SEC_OID_*) for example SEC_OID_AVA_COMMON_NAME. * string:: A string in dotted decimal representation, for example 'OID.2.5.4.3'. The 'OID.' prefix is optional. Or a string for the tag name (e.g. 'SEC_OID_AVA_COMMON_NAME') The 'SEC_OID\_' prefix is optional. Or one of the canonical abbreviations (e.g. 'cn'). Case is not significant. * SecItem:: A SecItem object encapsulating the OID in DER format. Given an oid return it's tag constant as a string. oid_str(oid) -> string :Parameters: oid : may be one of integer, string, SecItem May be one of: * integer:: A SEC OID enumeration constant, also known as a tag (i.e. SEC_OID_*) for example SEC_OID_AVA_COMMON_NAME. * string:: A string in dotted decimal representation, for example 'OID.2.5.4.3'. The 'OID.' prefix is optional. Or a string for the tag name (e.g. 'SEC_OID_AVA_COMMON_NAME') The 'SEC_OID\_' prefix is optional. Or one of the canonical abbreviations (e.g. 'cn'). Case is not significant. * SecItem:: A SecItem object encapsulating the OID in DER format. Given an oid return it's description as a string. dump_certificate_cache_info() Dump the contents of the certificate cache and the temporary cert store to stdout. Use this as a debugging aid to detect leaked references of certs at shutdown time. For example if `nss.nss_shutdown()` throws a SEC_ERROR_BUSY exception. nss_shutdown() Closes the key and certificate databases that were opened by nss_init(). NSS can only shutdown successfully if all NSS objects have been released, otherwise nss_shutdown will fail with the error code SEC_ERROR_BUSY. Here are some tips to make sure nss_shutdown will succeed. [1]_ * If the process is a SSL client make sure you call `ssl.clear_session_cache`. * If the process is a SSL server make sure you call `ssl.shutdown_server_session_id_cache()`. * Make sure all sockets have been closed, open SSL sockets hold references NSS objects. * Explicitly delete Python objects which contain NSS objects using the del command. [2]_ * Use `nss.dump_certificate_cache_info()` to provide information about which cached objects may still persist and be responsible for preventing a full NSS shutdown. .. [1] If the leaked objects are subsequently released after nss_shutdown is called NSS can be reinitialized with the various NSS initialization routines. In this cass teh SEC_ERROR_BUSY error can be thought of as an informatiive warning. .. [2] This Python binding to NSS wraps each NSS object inside a Python object. Like NSS objects Python objects are reference counted. When the last reference to the Python object disappears the Python object is destroyed. The destructor for a Python object wrapping an NSS object releases the NSS reference to the NSS object. Thus if any Python objects which wrap NSS objects remain "live" nss_shutdown will fail. Python objects are typically released by the Python interpretor when the variable holding the object is assigned a new object or when the variable holding the object goes out of scope. This means you may need to manually delete some objects using the del command rather relying on Python's automatic garbage collection. Consider this example: def foo(): nss.nss_init(certdir) sock = ssl.SSLSocket() nss.nss_shutdown() When nss_shutown() is called the sock object is still alive and holds references to NSS objects. The sock object won't be released by Python until it goes out of scope when the function exits. Thus the shutdown will fail with SEC_ERROR_BUSY. But you can explicitly force the sock object to be released by explictily deleting it, for example: def foo(): nss.nss_init(certdir) sock = ssl.SSLSocket() del sock nss.nss_shutdown() Another way to avoid this issue is to arrange your code such that nss_shutdown is called from a location in your code which is not in scope for any NSS objects created. This also implies you shouldn't assign NSS objects to globals. nss_shutdown_context(context) -> :Parameters: context : `InitContext` object A `InitContext` returned from a previous call to `nss_init_context`. Shutdown NSS for the users of this context. When all contexts have been shutdown NSS will fully shutdown. nss_init_context(cert_dir=None, cert_prefix=None, key_prefix=None, secmod_name=None, init_params=None, flags=0) -> `InitContext` :Parameters: cert_dir : string Pathname of the directory where the certificate, key, and security module databases reside. cert_prefix : string Prefix added to the beginning of the certificate database, for example,"https-server1-". key_prefix : string Prefix added to the beginning of the key database, for example, "https-server1-". secmod_name : string Name of the security module database, usually "secmod.db". init_params : `InitContext` object Object with a set of initialization parameters. See `InitContext`. flags Bit flags that specify how NSS should be initialized. `nss_init_context()` initializes NSS within a context and returns a `InitContext` object. Contexts are used when multiple entities within a single process wish to use NSS without colliding such as libraries. You must hold onto the returned InitContext object and call shutdown on it when you are done. The context will automatically be shutdown when the InitContext object is destroyed if you have not already shut it down. By default `nss_initialize()` and `nss_init_context()` open the internal PK11 slot (see `get_internal_slot()`) in Read Write (RW) mode as opposed to `nss_init()` which opens it in Read Only (RO) mode. If you want RO mode you pass the `NSS_INIT_READONLY` flag. The flags parameter is a bitwise OR of the following flags: NSS_INIT_READONLY Open the databases read only. NSS_INIT_NOCERTDB Don't open the cert DB and key DB's, just initialize the volatile certdb. NSS_INIT_NOMODDB Don't open the security module DB, just initialize the PKCS #11 module. NSS_INIT_FORCEOPEN Continue to force initializations even if the databases cannot be opened. NSS_INIT_NOROOTINIT Don't try to look for the root certs module automatically. NSS_INIT_OPTIMIZESPACE Optimize for space instead of speed. Use smaller tables and caches. NSS_INIT_PK11THREADSAFE Only load PKCS#11 modules that are thread-safe, i.e., that support locking - either OS locking or NSS-provided locks . If a PKCS#11 module isn't thread-safe, don't serialize its calls; just don't load it instead. This is necessary if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example, the Java SunPKCS11 provider. NSS_INIT_PK11RELOAD Ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11 modules. This is necessary if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example, Java SunPKCS11 provider. NSS_INIT_NOPK11FINALIZE Never call C_Finalize on any PKCS#11 module. This may be necessary in order to ensure continuous operation and proper shutdown sequence if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example, Java SunPKCS11 provider. The following limitation applies when this is set : SECMOD_WaitForAnyTokenEvent will not use C_WaitForSlotEvent, in order to prevent the need for C_Finalize. This call will be emulated instead. NSS_INIT_RESERVED Currently has no effect, but may be used in the future to trigger better cooperation between PKCS#11 modules used by both NSS and the Java SunPKCS11 provider. This should occur after a new flag is defined for C_Initialize by the PKCS#11 working group. NSS_INIT_COOPERATE Sets the above four recommended options for applications that use both NSS and the Java SunPKCS11 provider. Hint: You can obtain a printable representation of the flags via `nss_init_flags`. nss_initialize(cert_dir=None, cert_prefix=None, key_prefix=None, secmod_name=None, flags=0) :Parameters: cert_dir : string Pathname of the directory where the certificate, key, and security module databases reside. cert_prefix : string Prefix added to the beginning of the certificate database, for example,"https-server1-". key_prefix : string Prefix added to the beginning of the key database, for example, "https-server1-". secmod_name : string Name of the security module database, usually "secmod.db". flags Bit flags that specify how NSS should be initialized. `nss_initialize()` initializes NSS. It is more flexible than `nss_init()`, `nss_init_read_write()`, and `nss_init_nodb()`. If any of those simpler NSS initialization functions suffices for your needs, call that instead. By default `nss_initialize()` and `nss_init_context()` open the internal PK11 slot (see `get_internal_slot()`) in Read Write (RW) mode as opposed to `nss_init()` which opens it in Read Only (RO) mode. If you want RO mode you pass the `NSS_INIT_READONLY` flag. The flags parameter is a bitwise OR of the following flags: NSS_INIT_READONLY Open the databases read only. NSS_INIT_NOCERTDB Don't open the cert DB and key DB's, just initialize the volatile certdb. NSS_INIT_NOMODDB Don't open the security module DB, just initialize the PKCS #11 module. NSS_INIT_FORCEOPEN Continue to force initializations even if the databases cannot be opened. NSS_INIT_NOROOTINIT Don't try to look for the root certs module automatically. NSS_INIT_OPTIMIZESPACE Optimize for space instead of speed. Use smaller tables and caches. NSS_INIT_PK11THREADSAFE Only load PKCS#11 modules that are thread-safe, i.e., that support locking - either OS locking or NSS-provided locks . If a PKCS#11 module isn't thread-safe, don't serialize its calls; just don't load it instead. This is necessary if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example, the Java SunPKCS11 provider. NSS_INIT_PK11RELOAD Ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11 modules. This is necessary if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example, Java SunPKCS11 provider. NSS_INIT_NOPK11FINALIZE Never call C_Finalize on any PKCS#11 module. This may be necessary in order to ensure continuous operation and proper shutdown sequence if another piece of code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for example, Java SunPKCS11 provider. The following limitation applies when this is set : SECMOD_WaitForAnyTokenEvent will not use C_WaitForSlotEvent, in order to prevent the need for C_Finalize. This call will be emulated instead. NSS_INIT_RESERVED Currently has no effect, but may be used in the future to trigger better cooperation between PKCS#11 modules used by both NSS and the Java SunPKCS11 provider. This should occur after a new flag is defined for C_Initialize by the PKCS#11 working group. NSS_INIT_COOPERATE Sets the above four recommended options for applications that use both NSS and the Java SunPKCS11 provider. Hint: You can obtain a printable representation of the flags via `nss_init_flags`. nss_init_nodb() Performs tasks required to run Network Security Services without setting up configuration files. Important: This NSS function is not intended for use with SSL, which requires that the certificate and key database files be opened. nss_init_nodb opens only the temporary database and the internal PKCS #112 module. Unlike nss_init, nss_init_nodb allows applications that do not have access to storage for databases to run raw crypto, hashing, and certificate functions. nss_init_nodb is not idempotent, so call it only once. The policy flags for all cipher suites are turned off by default, disallowing all cipher suites. Therefore, an application cannot use NSS to perform any cryptographic operations until after it enables appropriate cipher suites by calling one of the SSL Export Policy Functions. nss_init_read_write(cert_dir) :Parameters: cert_dir : string Pathname of the directory where the certificate, key, and security module databases reside. Sets up configuration files and performs other tasks required to run Network Security Services. `nss.nss_init_read_write()` differs from `nss.nss_init()` because the internal PK11 slot (see `nss.get_internal_slot()`) is created in Read Write (RW) mode as opposed to Read Only (RO) mode. nss_init(cert_dir) :Parameters: cert_dir : string Pathname of the directory where the certificate, key, and security module databases reside. Sets up configuration files and performs other tasks required to run Network Security Services. `nss.nss_init()` differs from `nss.nss_init_read_write()` because the internal PK11 slot (see `nss.get_internal_slot()`) is created in Read Only (RO) mode as opposed to Read Write (RW) mode. nss_is_initialized() --> bool Returns whether Network Security Services has already been initialized or not. set_shutdown_callback(callback, [user_data1, ...]) :Parameters: callback : function pointer or None The callback function. If None cancel the previous callback user_dataN : object zero or more caller supplied parameters which will be passed to the shutdown callback function Defines a callback function which is invoked when NSS is shutdown. If the callback is None the previous callback is cancelled. After NSS is shutdown the shutdown callback is cancelled, you must reset the shutdown callback again after initializing NSS. The callback has the signature:: shutdown_callback(nss_data, [user_data1, ...]) -> bool nss_data dict of NSS values (currently empty) user_dataN zero or more caller supplied optional parameters The callback should return True for success. If it returns False the NSS shutdown function will complete but will result in an error. nss_version_check(version) --> bool :Parameters: version : string Required version Return a boolean that indicates whether the underlying NSS library will perform as the caller expects. The the version parameter is a string identifier of the NSS library. That string will be compared against a string that represents the actual build version of the NSS library. Return True if supplied version is compatible, False otherwise. nss_get_version() -> string Return a string of the NSS library version pk11_is_fips() -> bool Returns True if the internal module has FIPS enabled, False otherwise. pk11_token_exists(mechanism) -> bool :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) Return True if a token is available which can perform the desired mechanism, False otherwise. pk11_need_pw_init() -> bool Returns True if the internal slot needs to be initialized, False otherwise. The internal slot token should be initalized if: The token is not initialized `PK11Slot.need_login()` == True and `PK11Slot.need_user_init()` == True Or The token has a NULL password. `PK11Slot.need_login()` == False and `PK11Slot.need_user_init()` == False +------------------+------------------------+---------------------+ |CKF_LOGIN_REQUIRED|CKF_USER_PIN_INITIALIZED|CKF_TOKEN_INITIALIZED| +==================+========================+=====================+ | False | False | True | +------------------+------------------------+---------------------+ | True | False | False | +------------------+------------------------+---------------------+ | False | True | True | +------------------+------------------------+---------------------+ | True | True | True | +------------------+------------------------+---------------------+ `PK11Slot.need_login()` == CKF_LOGIN_REQUIRED `PK11Slot.need_user_init()` == !CKF_USER_PIN_INITIALIZED generate_random(num_bytes) -> string :Parameters: num_bytes : integer Number of num_bytes to generate (must be non-negative) Generates random data.. find_key_by_any_cert(cert, [user_data1, ...]) -> Certificate :Parameters: cert : Certificate object certificate whose private key is being searched for user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Finds the private key associated with a specified certificate in any available slot. find_cert_from_nickname(nickname, [user_data1, ...]) -> Certificate :Parameters: nickname : string certificate nickname to search for user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function A nickname is an alias for a certificate subject. There may be multiple certificates with the same subject, and hence the same nickname. This function will return the newest certificate that matches the subject, based on the NotBefore / NotAfter fields of the certificate. find_certs_from_nickname(email, [user_data1, ...]) -> (`Certificate`, ...) :Parameters: nickname : string certificate nickname. user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Given a certificate nickname return a tuple of `Certificate` objects matching that nickname. find_certs_from_email_addr(email, [user_data1, ...]) -> (`Certificate`, ...) :Parameters: email : string email address. user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Given an email address return a tuple of `Certificate` objects containing that address. list_certs(type, [user_data1, ...]) -> (`Certificate`, ...) :Parameters: type : int PK11CertList* enumerated constant. user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Given the type of certificates to list return a tuple of `Certificate` objects matching that type. set_password_callback(callback) :Parameters: callback : function pointer The callback function Defines a callback function used by the NSS libraries whenever information protected by a password needs to be retrieved from the key or certificate databases. Many tokens keep track of the number of attempts to enter a password and do not allow further attempts after a certain point. Therefore, if the retry argument is True, indicating that the password was tried and is wrong, the callback function should return None to indicate that it is unsuccessful, rather than attempting to return the same password again. Failing to terminate when the retry argument is True can result in an endless loop. The user_dataN arguments can also be used to keep track of the number of times the callback has been invoked. Several functions in the NSS libraries use the password callback function to obtain the password before performing operations that involve the protected information. The extra user_dataN parameters to the password callback function is application-defined and can be used for any purpose. When NSS libraries call the password callback function the value they pass for the user_dataN arguments is determined by `ssl.SSLSocket.set_pkcs11_pin_arg()`. The callback has the signature:: password_callback(slot, retry, [user_data1, ...]) -> string or None slot PK11Slot object retry boolean indicating if this is a retry. This implies that the callback has previously returned the wrong password. user_dataN zero or more caller supplied optional parameters The callback should return a string or None to indicate a valid password cannot be supplied. Returning None will prevent the callback from being invoked again. CertVerifyLog() An object which collects diagnostic information during certification validation. CertVerifyLogNode() An object detailing specific diagnostic information concerning a single failure during certification validation. These are collected in a `CertVerifyLog` object. PKCS12Decoder(file, password, slot=None) :Parameters: file : file name or file object pkcs12 input data. * If string treat as file path to open and read. * If file object read from the file object. password : string The password protecting the PKCS12 contents slot : `PK11Slot` object The PK11 slot to use. If None defaults to internal slot, see `nss.get_internal_key_slot()` import() Import the contents of the `PKCS12Decoder` object into the current NSS database. During import if the certificate(s) in the `PKCS12Decoder` object does not have a nickname or there is a collision with an existing nickname then a callback will be invoked to provide a new nickname. See `pkcs12_set_nickname_collision_callback`. pkcs12_set_nickname_collision_callback(callback) :Parameters: callback : function pointer The callback function When importing a certificate via a `PKCS12Decoder` object and the nickname is not set or collides with an existing nickname in the NSS database then this callback is invoked to resolve the problem. If no nickname collision callback has been set then an internal default callback will be used instead which calls the NSS function CERT_MakeCANickname (available in the Python binding as `Certificate.make_ca_nickname()`). The callback has the signature:: nickname_collision_callback(old_nickname, cert) --> new_nickname, cancel old_nickname the preious nickname or None if previous did not exist cert the `Certificate` object being imported. The callback returns 2 values, the new nickname, and a boolean. new_nickname The new nickname to try or None cancel boolean indicating if collision resolution should be cancelled An object representing an item in a PKCS12 collection. Also known as a "bag"An object representing NSSInitContextshutdown() Shutdown NSS for this context. An object representing NSS Initialization ParametersCertificateRequest(data=None) :Parameters: data : SecItem or str or any buffer compatible object Data to initialize the certificate request from, must be in DER format An object representing a certificate requestCertAttribute() An object representing CertAttribute. An object representing X509 Basic Constraints ExtensionAn object representing Authentication Key ID extensionget_general_names(repr_kind=AsString) -> (general_name, ...) :Parameters: repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsObject The general name as a nss.GeneralName object AsString The general name as a string. (e.g. "http://crl.geotrust.com/crls/secureca.crl") AsTypeString The general name type as a string. (e.g. "URI") AsTypeEnum The general name type as a general name type enumerated constant. (e.g. nss.certURI ) AsLabeledString The general name as a string with it's type prepended. (e.g. "URI: http://crl.geotrust.com/crls/secureca.crl" Returns a tuple of general names in the authentication key id extension for the issuer. If the issuer was not defined then the returned tuple will be empty. You may specify how the each member of the tuple is represented, by default it will be as a string. AuthorityInfoAccesses(data) :Parameters: data : SecItem or str or any buffer compatible object Data to initialize the Authority Information Access from, must be in DER format An object representing AuthorityInfoAccess Extension. AuthorityInfoAccess() An object representing AuthorityInfoAccess. An object representing CRL Distribution Points listAn object representing a CRL Distribution Pointget_reasons(repr_kind=AsEnumDescription) -> (reason, ...) :Parameters: repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsEnum The enumerated constant. (e.g. nss.crlEntryReasonCaCompromise) AsEnumDescription A friendly human readable description of the enumerated constant as a string. (e.g. "CA Compromise") AsIndex The bit position within the bit string. Returns a tuple of reasons in the CRL Distribution Point. If no reasons were defined the returned tuple will be empty. You may specify how the each member of the tuple is represented, by default it will be as a string. get_general_names(repr_kind=AsString) -> (general_name, ...) :Parameters: repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsObject The general name as a nss.GeneralName object AsString The general name as a string. (e.g. "http://crl.geotrust.com/crls/secureca.crl") AsTypeString The general name type as a string. (e.g. "URI") AsTypeEnum The general name type as a general name type enumerated constant. (e.g. nss.certURI ) AsLabeledString The general name as a string with it's type prepended. (e.g. "URI: http://crl.geotrust.com/crls/secureca.crl" Returns a tuple of general names in the CRL Distribution Point. If the distribution point type is not nss.generalName or the list was empty then the returned tuple will be empty. You may specify how the each member of the tuple is represented, by default it will be as a string. digest_final() -> data Completes the multi-part cryptographic operation in progress on this context and returns any final data which may have been pending in the context (i.e. the output data is flushed from the context). If there was no final data the returned data buffer will have a length of zero. finalize() Clean up cipher operation so that any pending multi-part operations have been flushed. Any pending output which would have been available as a result of the flush is discarded. The context is left in a state available for reuse. WARNING: Currently context reuse only works for digest contexts not encryption/decryption contexts cipher_op(data) -> data :Parameters: data : any read buffer compatible object (e.g. buffer or string) raw data to compute digest from Execute a digest/signature operation. digest_op(data) :Parameters: data : any read buffer compatible object (e.g. buffer or string) raw data to compute digest from Execute a digest/signature operation. digest_begin() Start a new digesting or Mac'ing operation on this context. clone_context(context) -> PK11Context :Parameters: context : PK11Context object The PK11Context to be cloned Create a new PK11Context which is clone of the supplied context. digest_key(sym_key) :Parameters: sym_key : PK11SymKey object symmetric key Continues a multiple-part message-digesting operation by digesting the value of a secret key. Holds a hash, encryption or signing context for multi-part operations. unwrap_sym_key(mechanism, sec_param, wrapped_key, target, operation, key_size) -> PK11SymKey :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) sec_param : SecItem object or None mechanism parameters or None. wrapped_key : SecItem object the symmetric key to unwrap target : int key mechanism enumeration constant (CKM_*) operation : int type of operation. A (CKA_*) constant (e.g. CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_DIGEST) key_size : int key size. Unwrap (decrypt) the supplied wrapped key. Return the unwrapped key as a PK11SymKey. wrap_sym_key(mechanism, sec_param, sym_key) -> SecItem :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) sec_param : SecItem object or None mechanism parameters or None. sym_key : PK11SymKey object the symmetric key to wrap Wrap (encrypt) the supplied sym_key using the mechanism and parameter. Return the wrapped key as a SecItem. derive(mechanism, sec_param, target, operation, key_size) -> PK11SymKey :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) sec_param : SecItem object or None mechanism parameters or None. target : int key mechanism enumeration constant (CKM_*) operation : int type of operation. A (CKA_*) constant (e.g. CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_DIGEST) key_size : int key size. Derive a new key from this key. Return a key which can do exactly one operation, it is ephemeral (session key). An object representing a PKCS #11 Slotlist_certs() -> (`Certificate`, ...) Returns a tuple of `Certificate` objects found in the slot. generate_key_pair(mechanism, key_params, token, sensitive, [user_data1, ...]) -> public_key, private_key :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) key_params : SecItem object or None SecItem key parameters. None is also valid. token : bool If true the key is a token object otherwise it's a session object. sensitive : bool If a key is sensitive, certain attributes of the key cannot be revealed in plaintext outside the token. It is also more expensive to move between tokens. user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Generate a public and private key pair. Example:: # Generate a DSA key pair key_params = nss.KEYPQGParams() mechanism = nss.CKM_DSA_KEY_PAIR_GEN slot = nss.get_best_slot(mechanism) pub_key, priv_key = slot.generate_key_pair(mechanism, key_params, False, False) # Generate a DSA key pair key_params = nss.RSAGenParams() mechanism = nss.CKM_RSA_PKCS_KEY_PAIR_GEN slot = nss.get_best_slot(mechanism) pub_key, priv_key = slot.generate_key_pair(mechanism, key_params, False, False) key_gen(mechanism, sec_param, key_size, [user_data1, ...]) -> PK11SymKey object :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) sec_param : SecItem object or None SecItem key parameters. None is also valid. key_size : int key length (use get_best_key_length()) user_dataN : object ... zero or more caller supplied parameters which will be passed to the password callback function Generate a symmetric key. get_best_key_length(mechanism) -> length :Parameters: mechanism : int key mechanism enumeration constant (CKM_*) Return the best key length for this slot and mechanism. A zero result means that token knows how long the key should be, the result is typically used with key_gen(), token_key_gen(), or token_key_gen_with_flags() get_best_wrap_mechanism() -> mechanism Find the best key wrap mechanism for this slot. logout()l Logs a user out of a session destroying any objects allocated on their behalf. authenticate(load_certs=False, [user_data1, ...]) -> :Parameters: load_certs : bool If True load certificates after authenticating. Checks to see if token needs to be logged in. If so it invokes the password callback (set via `nss.set_password_callback()`) passing the optional user_data parameters to the password callback. is_logged_in([user_data1, ...]) -> bool :Parameters: user_data1 : object ... zero or more caller supplied parameters which will be passed to the password callback function Return True if token is logged in, False otherwise. user_enable() Allow all mechanisms that are ON before `PK11Slot.user_disable()` was called to be available again. Sets disable reason to PK11_DIS_NONE. user_disable() Prevents the slot from being used, and sets disable reason to PK11_DIS_USER_SELECTED. Mechanisms that were on continue to stay on. Therefore, when the slot is enabled again via `PK11Slot.user_enable()`, it will remember what mechanisms needs to be turned on. get_disabled_reason() -> integer Returns a diabled reason enumerated constant (i.e. PK11_DIS_*). May be one of: * PK11_DIS_NONE * PK11_DIS_USER_SELECTED * PK11_DIS_COULD_NOT_INIT_TOKEN * PK11_DIS_TOKEN_VERIFY_FAILED * PK11_DIS_TOKEN_NOT_PRESENT has_root_certs() -> bool Returns True if the slot contains the root certificate , False otherwise. is_disabled() -> bool Returns True if the slot is disabled, False otherwise. has_protected_authentication_path() -> bool Returns True if token has a "protected authentication path", whereby a user can log into the token without passing a PIN through the library, False otherwise. An example might be a token with an integrated key pad. is_removable() -> bool Returns True if the token is removable, False otherwise. is_friendly() -> bool Returns True if the slot allows certificates to be read without logging in to the token, False otherwise. need_user_init() -> bool Returns True if the slot needs to be logged into by the user by providing their pin, False otherwise. need_login() -> bool Returns True if there are some cryptographic functions that a user must be logged in to perform, False otherwise. is_internal() -> bool Returns True if the the slot is internal, False otherwise. is_read_only() -> bool Returns True if the the slot is read-only, False otherwise. is_present() -> bool Returns True if the slot's token present, False otherwise. is_hw() -> bool Returns True if the slot is implemented in hardware, False otherwise. sha512_digest(data) --> digest :Parameters: data : buffer or string buffer the digest will be computed for Returns 64 octet SHA512 digest data as buffer object. Note, if a hexidecimal string representation is desired then pass result to data_to_hex() sha256_digest(data) --> digest :Parameters: data : buffer or string buffer the digest will be computed for Returns 32 octet SHA256 digest data as buffer object. Note, if a hexidecimal string representation is desired then pass result to data_to_hex() sha1_digest(data) --> digest :Parameters: data : buffer or string buffer the digest will be computed for Returns 20 octet SHA1 digest data as buffer object. Note, if a hexidecimal string representation is desired then pass result to data_to_hex() md5_digest(data) --> digest :Parameters: data : buffer or string buffer the digest will be computed for Returns 16 octet MD5 digest data as buffer object. Note, if a hexidecimal string representation is desired then pass result to data_to_hex() hash_buf(hash_alg, data) --> digest :Parameters: hash_alg : int hash algorithm enumeration (SEC_OID_*) e.g.: SEC_OID_MD5, SEC_OID_SHA1, SEC_OID_SHA256, SEC_OID_SHA512, etc. data : buffer or string buffer the digest will be computed for Computes a digest according to the hash_alg type. Return the digest data as buffer object. Note, if a hexidecimal string representation is desired then pass result to data_to_hex() get_cert_nicknames(certdb, what, [user_data1, ...]) -> name0, ... :Parameters: certdb : CertDB object CertDB certificate database object what : integer one of: - SEC_CERT_NICKNAMES_ALL - SEC_CERT_NICKNAMES_USER - SEC_CERT_NICKNAMES_SERVER - SEC_CERT_NICKNAMES_CA user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function Returns a tuple of the nicknames of the certificates in a specified certificate database. get_default_certdb() Returns the default certificate database as a CertDB object An object representing a GeneralName or list of GeneralNames. get_name(repr_kind=AsString) -> :Parameters: repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsObject The general name as a nss.GeneralName object AsString The general name as a string. (e.g. "http://crl.geotrust.com/crls/secureca.crl") AsTypeString The general name type as a string. (e.g. "URI") AsTypeEnum The general name type as a general name type enumerated constant. (e.g. nss.certURI ) AsLabeledString The general name as a string with it's type prepended. (e.g. "URI: http://crl.geotrust.com/crls/secureca.crl" Returns the value of the GeneralName according to the representation type parameter. An object representing an X501 Distinguished Name (e.g DN). DN objects contain an ordered list of `RDN` objects. The DN object constructor may be invoked with a string representing an X500 name. Zero or more `RDN` objects, or you may optionally pass a list or tuple of `RDN` objects. Examples:: DN() DN('CN=www.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US') DN(rdn0, ...) DN([rdn0, rdn1]) **The string representation of a Distinguished Name (DN) has reverse ordering from it's sequential components.** The ordering is a requirement of the relevant RFC's. When a Distinguished Name is rendered as a string it is ordered from most specific to least specific. However it's components (RDN's) as a sequence are ordered from least specific to most specific. DN objects contain an ordered list of `RDN` objects. The DN object has both sequence and mapping behaviors with respect to the RDN's they contain. Thus you can index an RDN by position, by name, or by SecItem (if it's an OID). You can iterate over the list, get it's length or take a slice. If you index by string the string may be either a canonical name for the RDN type (e.g. 'cn') or the dotted-decimal notation for the OID (e.g. 2.5.4.3). There may be multiple RDN's in a DN whose type matches (e.g. OU=engineering, OU=boston). It is not common to have more than one RDN in a DN with the same type. However because of the possiblity of being multi-valued when indexing by type a list is always returned containing the matching RDN's. Thus:: dn = nss.DN('OU=engineering') dn['ou'] returns [RDN('OU=engineering') dn = nss.DN('OU=engineering, OU=boston') dn['ou'] returns [RDN('OU=boston'), RDN('OU=engineering')] Note the reverse ordering between string representation and RDN sequencing Note, if you use properties to access the RDN values (e.g. name.common_name, name.org_unit_name) the string value is returned or None if not found. If the item was multi-valued then the most appropriate item will be selected and returned as a string value. Note it is not possible to index by oid tag (e.g. nss.SEC_OID_AVA_COMMON_NAME) because oid tags are integers and it's impossible to distinguish between an integer representing the n'th member of the sequence and the integer representing the oid tag. In this case positional indexing wins (e.g. rdn[0] means the first element). Examples:: subject_name = 'CN=www.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US' name = nss.DN(subject_name) str(name) returns 'CN=www.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US' name[0] returns an `RDN` object with the value C=US name['cn'] returns a list comprised of an `RDN` object with the value CN=www.redhat.com name['2.5.4.3'] returns a list comprised of an `RDN` object with the value CN=www.redhat.com because 2.5.4.3 is the dotted-decimal OID for common name (i.e. cn) name.common_name returns the string www.redhat.com common_name is easy shorthand property, it only retuns a single string value or None, if it was multi-valued the most appropriate item is selected. name.has_key('cn') returns True because the DN has a common name RDN name.has_key('2.5.4.3') returns True because the DN has a common name RDN because 2.5.4.3 is the dotted-decimal OID for common name (i.e. cn) cn_rdn = nss.RDN(nss.AVA('cn', 'www.redhat.com')) ou_rdn = nss.RDN(nss.AVA('ou', 'Web Operations')) name = nss.DN(cn_rdn) name is a DN with one RDN (e.g. CN=www.redhat.com) len(name) returns 1 because there is one RDN in it name.add_rdn(ou_rdn) name name is now a DN with two RDN's (e.g. OU=Web Operations,CN=www.redhat.com) len(name) returns 2 because there are now two RDN's in it list(name) returns a list with the two RDN's in it name[:] same as list(name) for rdn in name: iterate over each RDN in name name = nss.DN(cn_rdn, ou_rdn) This is an alternate way to build the above DN add_rdn(rdn) :Parameters: rdn : RDN object The rnd to add to the name Adds a RDN to the name. has_key(arg) -> bool :Parameters: arg : string or integer canonical name (e.g. 'cn') or oid dotted-decimal or SEC_OID_* enumeration constant return True if Name has an AVA whose oid can be identified by arg. An object representing an X501 Relative Distinguished Name (e.g. RDN). RDN objects contain an ordered list of `AVA` objects. Examples:: RDN() RDN(nss.AVA('cn', 'www.redhat.com')) RDN([ava0, ava1]) The RDN object constructor may be invoked with zero or more `AVA` objects, or you may optionally pass a list or tuple of `AVA` objects. RDN objects contain an ordered list of `AVA` objects. The RDN object has both sequence and mapping behaviors with respect to the AVA's they contain. Thus you can index an AVA by position, by name, or by SecItem (if it's an OID). You can iterate over the list, get it's length or take a slice. If you index by string the string may be either a canonical name for the AVA type (e.g. 'cn') or the dotted-decimal notation for the OID (e.g. 2.5.4.3). There may be multiple AVA's in a RDN whose type matches (e.g. OU=engineering+OU=boston). It is not common to have more than one AVA in a RDN with the same type. However because of the possiblity of being multi-valued when indexing by type a list is always returned containing the matching AVA's. Thus:: rdn = nss.RDN(nss.AVA('OU', 'engineering')) rdn['ou'] returns [AVA('OU=engineering') rdn = nss.RDN(nss.AVA('OU', 'engineering'), nss.AVA('OU', 'boston')) rdn['ou'] returns [AVA('OU=boston'), AVA('OU=engineering')] Examples:: rdn = nss.RDN(nss.AVA('cn', 'www.redhat.com')) str(rdn) returns 'CN=www.redhat.com' rdn[0] returns an `AVA` object with the value C=US rdn['cn'] returns a list comprised of an `AVA` object with the value CN=www.redhat.com rdn['2.5.4.3'] returns a list comprised of an `AVA` object with the value CN=www.redhat.com because 2.5.4.3 is the dotted-decimal OID for common name (i.e. cn) rdn.has_key('cn') returns True because the RDN has a common name RDN rdn.has_key('2.5.4.3') returns True because the RDN has a common name AVA because 2.5.4.3 is the dotted-decimal OID for common name (i.e. cn) len(rdn) returns 1 because there is one `AVA` object in it list(rdn) returns a list of each `AVA` object in it has_key(arg) -> bool :Parameters: arg : string or integer canonical name (e.g. 'cn') or oid dotted-decimal or SEC_OID_* enumeration constant return True if RDN has an AVA whose oid can be identified by arg. An object representing an AVA (attribute value assertion). AVA(type, value) :Parameters: type : may be one of integer, string, SecItem What kind of attribute is being created. May be one of: * integer: A SEC OID enumeration constant (i.e. SEC_OID_*) for example SEC_OID_AVA_COMMON_NAME. * string: A string either as the ava name, for example 'cn' or as the dotted decimal representation, for example 'OID.2.5.4.3'. Case is not significant for either form. * SecItem: A SecItem object encapsulating the OID in DER format. value : string The value of the AVA, must be a string. RDN's (Relative Distinguished Name) are composed from AVA's. An `RDN` is a sequence of AVA's. An example of an AVA is "CN=www.redhat.com" where CN is the X500 directory abbrevation for "Common Name". An AVA is composed of two items: type Specifies the attribute (e.g. CN). AVA types are specified by predefined OID's (Object Identifiers). For example the OID of CN is 2.5.4.3 ({joint-iso-itu-t(2) ds(5) attributeType(4) commonName(3)}) OID's in NSS are encapsulated in a SecItem as a DER encoded OID. Because DER encoded OID's are less than ideal mechanisms by which to specify an item NSS has mapped each OID to a integral enumerated constant called an OID tag (i.e. SEC_OID_*). Many of the NSS API's will accept an OID tag number instead of DER encoded OID in a SecItem. One can easily convert between DER encoded OID's, tags, and their string representation in dotted-decimal format. The enumerated OID constants are the most efficient in most cases. value The value of the attribute (e.g. 'www.redhat.com'). Examples:: The AVA cn=www.redhat.com can be created in any of the follow ways: ava = nss.AVA('cn', 'www.redhat.com') ava = nss.AVA(nss.SEC_OID_AVA_COMMON_NAME, 'www.redhat.com') ava = nss.AVA('2.5.4.3', 'www.redhat.com') ava = nss.AVA('OID.2.5.4.3', 'www.redhat.com') An object representing a signed certificate revocation listdelete_permanently() Permanently remove the CRL from the database. An object representing a Private KeyCertificate(data, certdb=get_default_certdb(), perm=False, nickname=None) :Parameters: data : SecItem or str or any buffer compatible object Data to initialize the certificate from, must be in DER format certdb : CertDB object or None CertDB certificate database object, if None then the default certdb will be supplied by calling `nss.get_default_certdb()`. perm : bool True if certificate should be permantely stored in the certdb. nickname : string certificate nickname. An X509 Certificate object. The Certificate is initialized from the supplied DER data. The Certificate is added to the NSS temporary database. If perm is True then the Certificate is also permanently written into certdb. get_cert_chain(time=now, usages=certUsageAnyCA) -> (`Certificate`, ...) :Parameters: time : number or None an optional point in time as number of microseconds since the NSPR epoch, midnight (00:00:00) 1 January 1970 UTC, either as an integer or a float. If time is None the current time is used. usages : integer a certUsage* enumerated constant Returns a tuple of `Certificate` objects. get_extension(oid) -> `CertificateExtension` Given an oid identifying the extension try to locate it in the certificate and return it as generic `CertificateExtension` object. If the extension is not present raise a KeyError. The generic `CertificateExtension` object is not terribly useful on it's own, howerver it's value property can be used to intialize instances of a class representing the extension. Or it may be passed to functions that convert the value into some other usable format. Although one might believe this function should do these conversions for you automatically there are too many possible variations. Plus one might simple be interested to know if an extension is present or not. So why perform conversion work that might not be needed or might not be in the format needed? Therefore this function is just one simple element in a larger toolbox. Below are some suggestions on how to convert the generic `CertificateExtension` object (this list may not be complete). SEC_OID_PKCS12_KEY_USAGE `x509_key_usage()` SEC_OID_X509_SUBJECT_KEY_ID `SecItem.der_to_hex()` SEC_OID_X509_CRL_DIST_POINTS `CRLDistributionPts()` case SEC_OID_X509_AUTH_KEY_ID `AuthKeyID()` SEC_OID_X509_EXT_KEY_USAGE `x509_ext_key_usage()` SEC_OID_X509_BASIC_CONSTRAINTS `BasicConstraints()` SEC_OID_X509_SUBJECT_ALT_NAME `x509_alt_name()` SEC_OID_X509_ISSUER_ALT_NAME `x509_alt_name()` :Parameters: oid : may be one of integer, string, SecItem The OID of the certification extension to retreive May be one of: * integer: A SEC OID enumeration constant (i.e. SEC_OID\_*) for example SEC_OID_X509_BASIC_CONSTRAINTS. * string: A string either the OID name, with or without the SEC_OID\_ prefix (e.g. "SEC_OID_X509_BASIC_CONSTRAINTS" or "X509_BASIC_CONSTRAINTS") or as the dotted decimal representation, for example 'OID.2 5 29 19'. Case is not significant for either form. * SecItem: A SecItem object encapsulating the OID in DER format. :returns: generic `CertificateExtension` object check_ocsp_status(certdb, time, [user_data1, ...]) -> boolean :Parameters: certdb : CertDB object CertDB certificate database object. time : number or None Time for which status is to be determined. Time as number of microseconds since the NSPR epoch, midnight (00:00:00) 1 January 1970 UTC, either as an integer or a float. If time is None the current time is used. user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function Checks the status of a certificate via OCSP. Will only check status for a certificate that has an AIA (Authority Information Access) extension for OCSP or when a "default responder" is specified and enabled. (If no AIA extension for OCSP and no default responder in place, the cert is considered to have a good status. Returns True if an approved OCSP responder knows the cert and returns a non-revoked status for it. Otherwise a `error.NSPRError` is raised and it's error_code property may be one of the following: - SEC_ERROR_OCSP_BAD_HTTP_RESPONSE - SEC_ERROR_OCSP_FUTURE_RESPONSE - SEC_ERROR_OCSP_MALFORMED_REQUEST - SEC_ERROR_OCSP_MALFORMED_RESPONSE - SEC_ERROR_OCSP_OLD_RESPONSE - SEC_ERROR_OCSP_REQUEST_NEEDS_SIG - SEC_ERROR_OCSP_SERVER_ERROR - SEC_ERROR_OCSP_TRY_SERVER_LATER - SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST - SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE - SEC_ERROR_OCSP_UNKNOWN_CERT - SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS - SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE - SEC_ERROR_BAD_SIGNATURE - SEC_ERROR_CERT_BAD_ACCESS_LOCATION - SEC_ERROR_INVALID_TIME - SEC_ERROR_REVOKED_CERTIFICATE - SEC_ERROR_UNKNOWN_ISSUER - SEC_ERROR_UNKNOWN_SIGNER Other errors are possible failures in cert verification (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when verifying the signer's cert, or other low-level problems. verify_with_log(certdb, check_sig, required_usages, time, [user_data1, ...]) -> valid_usages, log :Parameters: certdb : CertDB object CertDB certificate database object check_sig : bool True if certificate signatures should be checked required_usages : integer A bitfield of all cert usages that are required for verification to succeed. If zero return all possible valid usages. time : number or None an optional point in time as number of microseconds since the NSPR epoch, midnight (00:00:00) 1 January 1970 UTC, either as an integer or a float. If time is None the current time is used. user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function Verify a certificate by checking if it's valid and that we trust the issuer. Possible usage bitfield values are: - certificateUsageCheckAllUsages - certificateUsageSSLClient - certificateUsageSSLServer - certificateUsageSSLServerWithStepUp - certificateUsageSSLCA - certificateUsageEmailSigner - certificateUsageEmailRecipient - certificateUsageObjectSigner - certificateUsageUserCertImport - certificateUsageVerifyCA - certificateUsageProtectedObjectSigner - certificateUsageStatusResponder - certificateUsageAnyCA Returns valid_usages, a bitfield of certificate usages and a `nss.CertVerifyLog` object with diagnostic information detailing the reasons for a validation failure. If required_usages is non-zero, the returned bitmap is only for those required usages, otherwise it is for all possible usages. Hint: You can obtain a printable representation of the usage flags via `cert_usage_flags`. Note: See the `Certificate.verify` documentation for details on how the Certificate verification functions handle errors. verify(certdb, check_sig, required_usages, time, [user_data1, ...]) -> valid_usages :Parameters: certdb : CertDB object CertDB certificate database object check_sig : bool True if certificate signatures should be checked required_usages : integer A bitfield of all cert usages that are required for verification to succeed. If zero return all possible valid usages. time : number or None an optional point in time as number of microseconds since the NSPR epoch, midnight (00:00:00) 1 January 1970 UTC, either as an integer or a float. If time is None the current time is used. user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function Verify a certificate by checking if it's valid and that we trust the issuer. Possible usage bitfield values are: - certificateUsageCheckAllUsages - certificateUsageSSLClient - certificateUsageSSLServer - certificateUsageSSLServerWithStepUp - certificateUsageSSLCA - certificateUsageEmailSigner - certificateUsageEmailRecipient - certificateUsageObjectSigner - certificateUsageUserCertImport - certificateUsageVerifyCA - certificateUsageProtectedObjectSigner - certificateUsageStatusResponder - certificateUsageAnyCA Returns valid_usages, a bitfield of certificate usages. If required_usages is non-zero, the returned bitmap is only for those required usages, otherwise it is for all possible usages. Hint: You can obtain a printable representation of the usage flags via `cert_usage_flags`. Note: Anytime a NSPR or NSS function returns an error in python-nss it raises a NSPRError exception. When an exception is raised the normal return values are discarded because the flow of control continues at the first except block prepared to catch the exception. Normally this is what is desired because the return values would be invalid due to the error. However the certificate verification functions are an exception (no pun intended). An error might be returned indicating the cert failed verification but you may still need access to the returned usage bitmask and the log (if using the log variant). To handle this a special error exception `CertVerifyError` (derived from `NSPRError`) is defined which in addition to the normal NSPRError fields will also contain the returned usages and optionally the CertVerifyLog object. If no exception is raised these are returned as normal return values. verify_now(certdb, check_sig, required_usages, [user_data1, ...]) -> valid_usages :Parameters: certdb : CertDB object CertDB certificate database object check_sig : bool True if certificate signatures should be checked required_usages : integer A bitfield of all cert usages that are required for verification to succeed. If zero return all possible valid usages. user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function Verify a certificate by checking if it's valid and that we trust the issuer. Possible usage bitfield values are: - certificateUsageCheckAllUsages - certificateUsageSSLClient - certificateUsageSSLServer - certificateUsageSSLServerWithStepUp - certificateUsageSSLCA - certificateUsageEmailSigner - certificateUsageEmailRecipient - certificateUsageObjectSigner - certificateUsageUserCertImport - certificateUsageVerifyCA - certificateUsageProtectedObjectSigner - certificateUsageStatusResponder - certificateUsageAnyCA Returns valid_usages, a bitfield of certificate usages. If required_usages is non-zero, the returned bitmap is only for those required usages, otherwise it is for all possible usages. Hint: You can obtain a printable representation of the usage flags via `cert_usage_flags`. Note: See the `Certificate.verify` documentation for details on how the Certificate verification functions handle errors. is_ca_cert(return_cert_type=False) -> boolean is_ca_cert(True) -> boolean, cert_type :Parameters: return_cert_type : boolean If True returns both boolean result and certficate type bitmask. If False return only boolean result Returns True if the cert is a CA cert, False otherwise. The function optionally can return a bitmask of NS_CERT_TYPE_* flags if return_cert_type is True. This is the updated cert type after applying logic in the context of deciding if the cert is a CA cert or not. Hint: the cert_type value can be converted to text with `nss.cert_type_flags()`. Hint: the unmodified cert type flags can be obtained with the `Certificate.cert_type` property. check_valid_times(time=now, allow_override=False) --> validity :Parameters: time : number or None an optional point in time as number of microseconds since the NSPR epoch, midnight (00:00:00) 1 January 1970 UTC, either as an integer or a float. If time is None the current time is used. allow_override : bool If True then check to see if the invalidity has been overridden by the user, defaults to False. Checks whether a specified time is within a certificate's validity period. Returns one of: - secCertTimeValid - secCertTimeExpired - secCertTimeNotValidYet has_signer_in_ca_names(ca_names) -> bool :Parameters: ca_names : (SecItem, ...) Sequence of CA distinguished names. Each item in the sequence must be a SecItem object containing a distinguished name. Returns True if any of the signers in the certificate chain for a specified certificate are in the list of CA names, False otherwise. verify_hostname(hostname) -> bool A restricted regular expression syntax is used to test if the common name specified in the subject DN of the certificate is a match, returning True if so, False otherwise. The regular expression systax is: \* matches anything \? matches one character \\ (backslash) escapes a special character \$ matches the end of the string [abc] matches one occurrence of a, b, or c. The only character that needs to be escaped in this is ], all others are not special. [a-z] matches any character between a and z [^az] matches any character except a or z \~ followed by another shell expression removes any pattern matching the shell expression from the match list (foo|bar) matches either the substring foo or the substring bar. These can be shell expressions as well. make_ca_nickname() -> string Returns a nickname for the certificate guaranteed to be unique within the the current NSS database. The nickname is composed thusly: A. Establish a name by trying in order: 1. subject's common name (i.e. CN) 2. subject's organizational unit name (i.e. OU) B. Establish a realm by trying in order: 1. issuer's organization name (i.e. O) 2. issuer's distinguished name (i.e. DN) 3. set to "Unknown CA" C. If name exists the nickname will be "name - realm", else the nickname will be "realm" D. Then the nickname will be tested for existence in the database. If it does not exist it will be returned as the nickname. Else a loop is entered where the nickname will have " #%d" appended to it where %d is an integer beginning at 1. The generated nickname is tested for existence in the dabase until a unique name is found. find_kea_type() -> kea_type Returns key exchange type of the keys in an SSL server certificate. May be one of the following: - ssl_kea_null - ssl_kea_rsa - ssl_kea_dh - ssl_kea_fortezza (deprecated) - ssl_kea_ecdh set_trust_attributes(trust, certdb, slot, [user_data1, ...]) :Parameters: string : trust NSS trust string certdb : CertDB object or None CertDB certificate database object, if None then the default certdb will be supplied by calling `nss.get_default_certdb()`. slot : `PK11Slot` object The PK11 slot to use. If None defaults to internal slot, see `nss.get_internal_key_slot()` user_dataN : object zero or more caller supplied parameters which will be passed to the password callback function trust_flags(flags, repr_kind=AsEnumDescription) -> ['flag_name', ...] :Parameters: flags : int certificate trust integer bitmask repr_kind : RepresentationKind constant Specifies what the contents of the returned list will be. May be one of: AsEnum The enumerated constant as an integer value. AsEnumName The name of the enumerated constant as a string. AsEnumDescription A friendly human readable description of the enumerated constant as a string. Given an integer with trust flags encoded as a bitmask return a sorted list of their values as specified in the repr_kind This is a class method. An object representing a certificate extensionAn object representing a Certificate Databasefind_crl_by_cert(cert, type=SEC_CRL_TYPE) -> SignedCRL object :Parameters: cert : Certificate object certificate used to lookup the CRL. type : int revocation list type may be one of: - SEC_CRL_TYPE - SEC_KRL_TYPE Returns a SignedCRL object found in the database given a certificate and revocation list type. find_crl_by_name(name, type=SEC_CRL_TYPE) -> SignedCRL object :Parameters: name : string name to lookup type : int revocation list type may be one of: - SEC_CRL_TYPE - SEC_KRL_TYPE Returns a SignedCRL object found in the database given a name and revocation list type. An object representing a Subject Public KeyAn object representing a Public KeyA object representing a signatureA object representing a DSA Public KeyAn object representing an RSA Public KeyKEYPQGParams(prime=None, subprime=None, base=None) :Parameters: prime : SecItem or str or any buffer compatible object or None prime (also known as p) subprime : SecItem or str or any buffer compatible object or None subprime (also known as q) base : SecItem or str or any buffer compatible object or None base (also known as g) An object representing DSA key parameters - prime (also known as p) - subprime (also known as q) - base (also known as g) If no parameters are passed the default PQG the KeyPQGParams will be intialized to default values. If you pass any initialization parameters then they must all be passed. RSAGenParams(key_size=1024, public_exponent=0x10001) :Parameters: key_size : integer RSA key size in bits. public_exponent : integer public exponent. An object representing RSAGenParams. An object representing a signature algorithmSecItem(data=None, type=siBuffer) :Parameters: data : any read buffer compatible object (e.g. buffer or string) raw data to initialize from type : int SECItemType constant (e.g. si*) Encoded data. Used internally by NSS der_to_hex(octets_per_line=0, separator=':') -> string or list of strings :Parameters: octets_per_line : integer Number of octets formatted on one line, if 0 then return a single string instead of an array of lines separator : string String used to seperate each octet If None it will be as if the empty string had been passed and no separator will be used. Interpret the SecItem as containing DER encoded data consisting of a triplet (e.g. TLV). This function skips the type and length components and returns the value component as a hexadecimal string or a list of hexidecimal strings with a maximum of octets_per_line in each list element. See data_to_hex() for a more detailed explanation. to_hex(octets_per_line=0, separator=':') -> string or list of strings :Parameters: octets_per_line : integer Number of octets formatted on one line, if 0 then return a single string instead of an array of lines separator : string String used to seperate each octet If None it will be as if the empty string had been passed and no separator will be used. Equivalent to calling data_to_hex(sec_item) get_integer() -> int or long If the SecItem contains an ASN.1 integer in DER format return a Python integer (or long) get_oid_sequence(repr_kind=AsString) -> (obj, ...) :Parameters: repr_kind : RepresentationKind constant Specifies what the contents of the returned tuple will be. May be one of: AsObject Each extended key usage will be a SecItem object embedding the OID in DER format. AsString Each extended key usage will be a descriptive string. (e.g. "TLS Web Server Authentication Certificate") AsDottedDecimal Each extended key usage will be OID rendered as a dotted decimal string. (e.g. "OID.1.3.6.1.5.5.7.3.1") AsEnum Each extended key usage will be OID tag enumeration constant (int). (e.g. nss.SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) Return a tuple of OID's according the representation kind. der_universal_secitem_fmt_lines(sec_item, level=0, octets_per_line=0, separator=':') -> list of (indent, string) tuples :Parameters: sec_item : SecItem object A SecItem containing a DER encoded ASN1 universal type level : integer Initial indentation level, all subsequent indents are relative to this starting level. octets_per_line : integer Number of octets formatted on one line, if 0 then return a single string instead of an array of lines separator : string String used to seperate each octet If None it will be as if the empty string had been passed and no separator will be used. Given a SecItem in DER format which encodes a ASN.1 universal type convert the item to a string and return a list of (indent, string) tuples. read_hex(input, separators=" ,:\t\n") -> buffer :Parameters: input : string string containing hexadecimal data separators : string or None string containing set of separator characters Any character encountered during parsing which is in this string will be skipped and considered a separator between pairs of hexadecimal characters. Parse a string containing hexadecimal data and return a buffer object containing the binary octets. Each octet in the string is represented as a pair of case insensitive hexadecimal characters (0123456789abcdef). Each octet must be a pair of characters. Octets may optionally be preceded by 0x or 0X. Octets may be separated by separator characters specified in the separators string. The separators string is a set of characters. Any character in the separators character set will be ignored when it occurs between octets. If no separators should be considered then pass an empty string. Using the default separators each of these strings is valid input representing the same 8 octet sequence: 01, 23, 45, 67, 89, ab, cd, ef 01, 23, 45, 67, 89, AB, CD, EF 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef 01:23:45:67:89:ab:cd:ef 0123456789abcdef 01 23 45 67 89 ab cd ef 0x010x230x450x670x890xab0xcd0xef data_to_hex(data, octets_per_line=0, separator=':') -> string or list of strings :Parameters: data : buffer Binary data octets_per_line : integer Number of octets formatted on one line, if 0 then return a single string instead of an array of lines separator : string String used to seperate each octet If None it will be as if the empty string had been passed and no separator will be used. Format the binary data as hex string(s). Either a list of strings is returned or a single string. If octets_per_line is greater than zero then a list of strings will be returned where each string contains octets_per_line number of octets (except for the last string in the list which will contain the remainder of the octets). Returning a list of "lines" makes it convenient for a caller to format a block of hexadecimal data with line wrapping. If octets_per_line is greater than zero indicating a list result is desired a list is always returned even if the number of octets would produce only a single line. If octets_per_line is zero then a single string is returned, (no line splitting is performed). This is the default. The separator string is used to separate each octet. If None it will be as if the empty string had been passed and no separator will be used. %a %b %d %H:%M:%S %Y UTCindented_format(line_fmt_tuples, indent_len=4) -> string The function supports the display of complex objects which may be composed of other complex objects. There is often a need to output section headers or single strings and lists of pairs (the attribute in this discussion is called a label), or even blank lines. All of these items should line up in columns at different indentation levels in order to visually see the structure. It would not be flexible enough to have object formatting routines which simply returned a single string with all the indentation and formatting pre-applied. The indentation width may not be what is desired. Or more importantly you might not be outputting to text display. It might be a GUI which desires to display the information. Most GUI's want to handle each string seperately and control indentation and the visibility of each item (e.g. a tree control). At the same time we want to satisfy the need for easy and simple text output. This routine will do that, e.g.: print indented_format(obj.format_lines()) To accomodate necessary flexibility the object formatting methods (format_lines()) return a list of tuples. Each tuple represents a single line with the first tuple item being the indentation level for the line. There may be 0,1 or 2 additional strings in the tuple which are to be output on the line. A single string are usually one of two things, either a section header or data that has been continuted onto multiple lines. Two strings usually represent a pair with the first string being a label (e.g. attribute name). Each tuple may be: (int,) 1-value tuple, no strings, e.g. blank line. (int, string) 2-value tuple, output string at indent level. (int, string, string) 3-value tuple, first string is a label, second string is a value. Starting at the indent level output the label, then follow with the value. By keeping the label separate from the value the ouput formatter may elect to align the values in vertical columns for adjacent lines. Example:: # This list of tuples, [(0, 'Constraints'), (1, 'min:', '0') (1, 'max:', '100'), (1, 'Filter Data'), (2, 'ab bc de f0 12 34 56 78 9a bc de f0') (2, '12 34 56 78 9a bc de f0 12 34 56 78') ] # would product this output Constraints min: 0 max: 100 Filter Data: ab bc de f0 12 34 56 78 9a bc de f0 12 34 56 78 9a bc de f0 12 34 56 78 :Parameters: line_fmt_tuples : [(level, ...),...] A list of tuples. First tuple value is the indentation level followed by optional strings for the line. indent_len : int Number of space characters repeated for each level and prepended to the line string. make_line_fmt_tuples(level, obj) -> [(level, str), ...] :Parameters: obj : object If obj is a tuple or list then each member will be wrapped in a 2-tuple of (level, str). If obj is a scalar object then obj will be wrapped in a 2-tuple of (level, obj) level : integer Initial indentation level, all subsequent indents are relative to this starting level. Return a list of line formatted tuples sutible to passing to `indented_format()`. Each tuple consists of a integer level value and a string object. This is equivalent to: [(level, str(x)) for x in obj]. As a special case convenience if obj is a scalar object (i.e. not a list or tuple) then [(level, str(obj))] will be returned. format_lines(level=0) -> [(level, string),...] :Parameters: level : integer Initial indentation level, all subsequent indents are relative to this starting level. Formats the object into a sequence of lines with indent level information. The return value is a list where each list item is a tuple. The first item in the tuple is an integer representing the indentation level for that line. Any remaining items in the tuple are strings to be output on that line. The output of this function can be formatted into a single string by calling `nss.nss.indented_format()`, e.g.: print indented_format(obj.format_lines()) The reason this function returns a tuple as opposed to an single indented string is to support other text formatting systems such as GUI's with indentation controls. See `nss.nss.indented_format()` for a complete explanation. format(level=0, indent=' ') -> string) :Parameters: level : integer Initial indentation level, all subsequent indents are relative to this starting level. indent : string string replicated once for each indent level then prepended to output line This is equivalent to: indented_format(obj.format_lines()) on an object providing a format_lines() method. t}?Qt}?QsZƔ̔הݔה@]8`@]W\Ta?Q ?Q ?Q ?Q UDV$/;sZה2222הDהsZהHZk{ԕהDהTaWהה (הה4הG  ]ה b\Vb b k k הZ\?Q r{הה{ הsZ2U\הההההBPה sZ\הה@^'a'_':'i'@P<gh^jHE_V̖@%`@%` %ܖ_%iY%RY%%@Y %$Y0 % %^{%  %t` &`  &` &a`&\P`&Y &X&&V&XS&JM&X`&XQ&\PWP&\VO&\UN&\U`M&tap&VKc@&08`@ &j``%JU%@U%U`Ћ%&U0%90%T0%V0%t0%0%б%P8а%TЯ%SЮ%%CfP# %ϗ#%"`%f!%%X%`%=` %-`p`%`%`0%tX %DX%4X0%#X% X0%W % %_@%0%W@ %FaP%W%]``%] a%Z@%le %4QД|%kN@@z%Ow%Opu%|Wp`s%& r%@`p%Sp%Rp%gWp`%x8`&V_%\@N]%\` ]%_[%_Z%_@X%e_p@U%K_ T%8_p@S%x0R%@O%L%8Ё@K%PAPR-K &a&˜JȘ@&` '`' 'pD-K &a&P8fJ8 J 9(^ 'E`&@A` '''`@N&0{ &-K0 &a&68@ ^E&?' ''L?-K &a&\JP9] 9O`?9p?:_?P:m?:@^&'{ &`N1`&'`''}C-K, &a &H0|:ZJ*k,p;{,X`,X0,0X,pXԕ+X+Xp+0XęX`^`&@'''`T-K &a@&Sߙg\ 8;$p;U;/PX@'&'''@M0VP?-K &a&EiNb J<ޟpk0<@?]]&' ''t`C-K d &a&<J< PX` &!'`'!' tT-K &a@&}e`&-`&0=ǚ"0=՚ ?#'E"&>>$'r>`N-K &a& 0X #&&''`&'LT-Kd &a&h0JP=;`Fc`!=lp>]('E#&>0>@)'' '*=@N@-Kp &a& X` $&~'`'@+'PLS=+_@0&_ 0&@/& _/&V0@.&`,&@+&O][@6&;]@Z4&*V2&ΛYDVW!W_M& P_L&_@L&%^K&1^@K&<P^J&K^J&W]I&d`]C&> ]H&q\ H&}\G&F&`\`E& \D&U`B&[B&A&;V@@&V@>&QcP`9&`8&؜YY W g3'`V&`3''3'oa]eV&Zg0>X>`T0T> P">@=@=]hk&!^nj&,n?;T`?:Pn?G n@Umh@`m@imAw`mpA0mA=P=]gt& h(B@UXBVhBiB}&@:''@'<< `}&@~&'''<`<"M &U&ʝ&؝@Y`&]X@& ]X&U@&U@&U@&U`&vU0&\Up&.aP&ec@&-K &a@&:Bp:C:C`:PDSD3SG@Dg[[ǚ[oPDEE8EpS`E@SEОSFpFFG 8;$ p;]pJ`G(<P E&`;;`C'`'C' <0;-K- &a&Z@5GG ;P@UIGV ;lSVP&\`O`&(:\ E@&9@:F' ' G':9-K_ &a&a9a9(Pw\E&8@9@I'`'I'9 C-K  &a&џ`JHڟi8H`8H@W\E&  8 L''L'8`P-KJ &a&[7`HsZ7Ha7H8; 7\`E&607O''`O'76-Kt &a@&P6H_6[l `6p\ E@&56Q' 'Q'65-KPr &a&p55`WP\& '`'T'0Oph IhHIBPhpI `5]@&''@V'KBrJ*ĠߠJ) PA\E &45`X''X'P5B-K &a&4$AUIIk`I@4I4(4'`E&&`4Z&K[@&\JK`&Ke`&\PJJg@J0JsZPEW{NN@NN NNNNOO$O8O?OUOP^O.MCM@UMhM xMMMMMMMMNN N1Njjkrk0":kHkX""aSkΡ "ޡ ok8&.'`'0'K`=p]`~& <' '@>'w0<%: &D''';:40' &' '`'QJ( @ob4'p4'bZ&5''`5'P SU Wk@ 7'6'l&7' '`'`Ra pW0kpiu&''7'@Rm0gPD0\Y'Y'C Z'`&`Z'@'['i 4}`^^+&+'''==0]P]1&,' ' -'=¢Ǣʢ͢ТӢ֢٢ܢ "',1e68;=?ACFh\HJLNoRPaŢ RPlVRTVKX[ %*ߢ~uU]:>dJ_~lFacoegiYZlnȢˢpZPעFUiaߔՓfѢdQrڢTJTԢ RYtvxz|~ģɣΣӣأݣ #(-27<AFKPUZ_dinsx}äȤͤҤפܤ "',16;@EJOTY^chmrw|¥ǥ̥ѥ֥ۥ-K &a@&}e`'&Z%`$&-K &a&nss.so.debug\)7zXZִF!t/u]?Eh=ڊ2Ns"U :Sw,nyhj4AY )7(Mvh&$@!:\Y>.\V{k 81o!_(u?N#Ы_v_/װHG {,P"B$뉴dwBVҴ ڬaZ*w AW|ݝ R!)Iyb B{]{cm<~YQIc`#R,IMW*rcЈ`P` G-LXjSfC#a;)1)ĢMx鯁p]E@h䔽+ S|E^ # Uw݇""tpsdkO/sW xby`DgڒJbepruPa^oNRtv@ ̘Eb0-߱+d"tR!E$ClHI|:ahp{cy9s}㜫]yvk%OB4v$G`8k4/ZSb,#+5yk}6GQA\O8C+yk;JA ~cs t)ZTDCP8tĆ*>2/ڶ[nr$WbIwYPpkiy^7{]TX;B*x}b8ty|-~V:Af=uwf]Hx=@YNsK9\)g&)ouP$I't"tUbUSV4ꉼ, *Ý۠©7e^5u:+bU`Pb7޲v&WΠ"YM,kfGH^`SԭvF>vDE88i衡2~3h!Ǒ4B~ DEa G_DX1"È7shs{!jZ iw6OFXԼ}{s9f%jV47(jxDI>%)`] kJMXӎPHjG XڝAξlռΗSe/FR|DGZg!l ^ BU {J z]>U4)U\/kħĪ#_i1Mhl:Gk(Kp(X)a-;YB{V$'+1U)ugAd@65 <΃2WL&I9\^YJp=< 3Z|HdDk@JfR%s.>FDZӆ > EnԤ!rrT0.r/jbB:ynHH=7gޛMnWH|m mŐAOTM]!ohX(lnقju]˘=+sŸ})CNGQ]jXY1xcܛ 7|hiK6~=4lVٴ.VϥG!1lENIf;􏑒f@t?uj,?()G! I*\l\YO3@ zE݅nGZ;n~tJRDLLIvW?Urw࿥6."@mtkSf%R(,[F%|30HY1L9*oPDaJV.E"wo辢M ߧER֭w8$P^CVbJrei=oD 6)r:2_>?$h{QJSOg{..YHZU܏[?˰2J{{vۣhVF\"U:Pq`e1[SzɥTR oA<=Jvl2~~DFt5v<,(z:-N^tť1}NT <XT(6m6t؞/<jϥմ8n",1wm!3ҌT.)SfuGLj-b Z}L]lSC=r.ۓHأXx- %b1> |Er(agn-E\STg*"JF I ('>C'>/FEF_x&V"|zݓ!ؚ?#(K>,;{z6yaU΄]` ҏEo܈6S+ 4ζ^M҆JV P25K;A+yMZZNt a:>^ɽyRjK&K\_BMmcR2Ըs 흌YOV^#=׿Mp`nGXVVe4s_Aj/*IJXBN6O](oazM}&$ʴdJx`%o9) UqYVdTdd_87|?^,}w*0t]K^RPVXd)ASgψ+**#!(.u4iu/;FJ@B",滯 I{&&ϗ:M9TK&@ib2{ ƢI|WzlZȄL+psQyOH⃀e47kXJYnZr?9ޗRxL9M pxH M4IyِE9D@2aMiJ7˦fvZ] X:ӈc6թ^|u݋iJFH*A6" &ĕ(s)@i;_ɹM`U^9UàŚ=w):? ot~LIAtsBi';3+wo׍;ͻS!пi(ImOa:u\JtҪ2 MG|./M`}K09ˡmMGN-$C,/a-<;3PaԻ`'L{Ӳ,1wO6Q/IE;vξclkc*/OpT~C\IB6C?6"ͻuu;@.jٽm$/Љo`7z 3 |:Z* p^ox6iUX)sZ+\Tb30O ߝ J^k5IX@_xyu@(:J+J:S``QsxCa[XD%gTQ93>6j_囊F2[ *MYwÊ<9ιe  em#k\ٚ=3E]Hq\ ^Dqu\븮7%B 8F+EzBJNZAƒ;gsތϛҒ`ĸ q`c'FaۏtOyg#M MZVnϦ""n@7͠{!|:##~b"9C-h -TH*wUNuT\2Z럘4.'+ tz`KPU[TۯrAq1Igz}l44jA`s)Fh'PY$?oTRjI|m n’.`e#q:!0A]Aخ:Y ְmTjVpD@JgPk(R(ҕF qWlR*Xb#[ nj͋@<ޔA vK{DP_Z،;]7Bk{DY/zӮĕ2ۄGM`cu M9D O?!v\ %8ߒ MI>-J՚pyFD2pSοtLNpܰ^%{|a7f vf< cXPhgI"l0CZ/yNDTtM2CgRmf:Ŧl{Ȫ'r(R4&KcǣLi=) zIoaMV7,a4z|iTǽD+b;ZSʟ~J=;8Ds`L+yA7L>W$"S)| q&,%۝vw晻vǏW V*W)):S3a EPM }o*WoˆDžj(eSEDX f'7)J]tcY@tu`%:LU5h87K914']*?zvIY0:!GGI%˼(Yz~En<(.ٳl|K7W>]AuS,-(h_ IͰL&L8 p6r{1Q?Wr{**얃7ϸK{Tdkب<"y)ڥj.⻠䆀֯ xR"CpΚz[NKע[`3̚Gv8N lX9 ft(Jߥ_aѴ6IwLEj RT4vO*\=*v{{ DR }I DŘ!Mk |Xt4I9;ҏc) ٻ.gʆ!\@G(dMSd3rhsÃ2,9cb-L " \\oe3L`fy4fgYZ.shstrtab.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.data.rel.ro.dynamic.got.got.plt.data.bss.gnu_debuglink.gnu_debugdata $o( `$0P'P';8oFFEoIIThKhK^p  hcn22tll z s8%88%88%89%9 <%< >%>@%@ K%K4 ' X